The document is an unstructured cheat-sheet of Nmap and Metasploit commands for enumerating common network services (HTTP, FTP, SMTP, RDP, SMB, DNS, Kerberos, LDAP, MSSQL, SSH, printers and others), grouped loosely by port, with NSE scripts and Metasploit modules for version detection and known-vulnerability checks. It was pasted from a working session: several lines contain typos, wrapped arguments, mismatched ports or stray msfconsole prompt text, and many of the listed modules are brute-forcers or exploits. Verify each command before use, and run them only against targets you are explicitly authorized to test.

Uploaded by

giwesof158
Copyright
© © All Rights Reserved
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
3 views

Network PT Commands 5 (1)

The document outlines various network scanning techniques and tools using Nmap and Metasploit for identifying vulnerabilities across multiple ports and services. It includes commands for scanning HTTP, FTP, SMTP, RDP, SMB, and other protocols, along with specific scripts to enumerate versions and detect vulnerabilities. The document serves as a comprehensive guide for penetration testing and security assessments on target IP addresses.

Uploaded by

giwesof158
Copyright
© © All Rights Reserved
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
You are on page 1/ 5

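# msfconsole: HTTP / SMTP / FTP version checks and login scanners.
# `set` writes to the currently selected module's datastore; in the original
# notes USERPASS_FILE was set while smtp_version was selected, before the
# `use` of ftp_login. Set options after selecting the module that consumes
# them (or use `setg` for values that should apply to every module).
use auxiliary/scanner/http/http_version
use auxiliary/scanner/smtp/smtp_version
# http_login and ftp_login are credential brute-forcers: noisy in auth logs and
# able to lock out accounts. Confirm the lockout policy and scope before running.
use auxiliary/scanner/http/http_login
set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/root_userpass.txt
use auxiliary/scanner/ftp/ftp_login
set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/root_userpass.txt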
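# Banner grabs: IMAP (143) and POP3 (110)
nmap -p143 --script=banner 10.0.5.40
nmap -p110 --script=banner 10.0.5.4
nmap -p110 --script=banner 10.0.0.95
# RDP (3389). nmap takes a hostname or IP as the target, not a URL — the
# original line passed an http:// URL, which nmap cannot resolve.
nmap -p 3389 --script rdp-ntlm-info 172.16.21.126
nmap -p 3389 --script rdp-enum-encryption 172.16.21.126
# msfconsole (whichever module was selected earlier): set the target, then run
set RHOSTS 172.16.21.126
run
# MSRPC endpoint enumeration, service detection, web content enumeration
nmap --script=msrpc-enum 172.16.21.126
nmap -sV -Pn 172.16.21.126
nmap -sV --script=http-enum 172.16.21.126
# TLS configuration review (three tools, same host)
sslscan 172.16.21.126
nmap -sV -Pn --script ssl-enum-ciphers -p 443 172.16.21.126
# NOTE(review): testssl.sh was pointed at a different host (172.16.3.124) than
# the rest of this run — confirm which target was intended.
./testssl.sh 172.16.3.124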
Map the UDID (asset identifier) to the corresponding target host. To list the vulnerabilities recorded in the Metasploit database:
>db_nmap target IP -p ports
>analyze
>vulns
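# Port 53 — DNS
# dns-blacklist queries public DNSBL services about the target address, i.e.
# it sends lookups to third parties — check that this is acceptable for the engagement.
nmap -sn <ip> --script dns-blacklist
nmap -T4 -A -p 53 <ip>
# Cache snooping. The --script-args value was wrapped onto a second line in the
# notes; it must be passed as a single quoted argument.
nmap -sU -p 53 --script dns-cache-snoop.nse --script-args 'dns-cache-snoop.mode=timed,dns-cache-snoop.domains={host1,host2,host3}' <target>
# NSEC walking (also wrapped in the notes — one argument)
nmap -sSU -p 53 --script dns-nsec-enum --script-args dns-nsec-enum.domains=example.com <target>
nmap -sV -p 53 -v --script dns-recursion <target>
# msfconsole: measures DNS amplification factor. The notes wrote this in prompt
# form "use(...)"; the command is `use <module>`. Use only to measure, never to flood.
use auxiliary/scanner/dns/dns_amp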

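# Port 88 — Kerberos
# krb5-enum-users requires the realm. The realm argument was wrapped across two
# lines in the notes ('DOMAIN / NAME'); it must be one value.
nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='<REALM>' <ip>
# msfconsole equivalent (user enumeration via Kerberos pre-auth responses;
# requires the DOMAIN option). Written in prompt form in the notes.
use auxiliary/gather/kerberos_enumusers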

Port 135
nmap --script=msrpc-enum
nmap 172.16.2.162 --script=msrpc-enum
use exploit/multi/misc/msf_rpc_console
D:\rpctools> rpdump p 172.16.2.63
IfId: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc version 1.0
Annotation: Messenger Service
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncadg_ip_udp:192.168.189.1[1028]

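# Port 139 — NetBIOS session service
# (this first line scans HTTP/80 — misplaced under 139 in the notes; kept for completeness)
nmap -T4 -A -p 80 172.16.2.162
nmap -T4 -A -p 139 172.16.2.162
# msfconsole: NetBIOS name lookup (written in prompt form in the notes)
use auxiliary/scanner/netbios/nbname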
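# Port 389 — LDAP
# "ldap* and not brute" runs every ldap-* NSE script except the brute-forcer
nmap -n -sV --script "ldap* and not brute" <ip>
# msfconsole: pulls password hashes via LDAP where the directory exposes them.
# This retrieves credential material — only with explicit authorization.
use auxiliary/gather/ldap_hashdump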

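# Port 443 — HTTPS / TLS
nmap -sV --script ssl-enum-ciphers -p 443 <host>
# `--script vuln` pulls in intrusive checks as well; list what it will run with
# `nmap --script-help vuln` before pointing it at production.
nmap -sV -p 443 --script vuln <ip>
nmap -sV -p 443 --script ssl-cert <ip>
# OpenSSL CCS injection (CVE-2014-0224) check
nmap -p 443 --script ssl-ccs-injection <target>
nmap -p 443 --script http-cisco-anyconnect <target>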

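# Port 445 — SMB
nmap --script smb-enum-shares.nse -p445 <ip>
# smb2-security-mode reports whether SMB signing is enabled/required — the
# relevant finding for NTLM relay exposure
nmap -p 445 --script smb2-security-mode <ip>
# Some smb-vuln-* scripts are flagged intrusive/dos by nmap and can crash
# older hosts; review `nmap --script-help 'smb-vuln*'` first.
nmap --script smb-vuln* -p 445 <ip>
nmap -T4 -A -p 445 <ip>
nmap -sV -p 445 --script smb-os-discovery <ip>
# msfconsole. The notes list the EternalBlue *exploit* directly; it can crash
# the target, so confirm with the non-destructive scanner first and exploit
# only with explicit approval. "smb version" in the notes presumably meant smb_version.
use auxiliary/scanner/smb/smb_version
use auxiliary/scanner/smb/smb_ms17_010
use exploit/windows/smb/ms17_010_eternalblue
search bluekeep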

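# Port 5000 (unidentified service — start with default scripts, then treat it as HTTP)
nmap -p 5000 --script=default <target_ip>
# vuln category includes intrusive checks — see `nmap --script-help vuln`
nmap -p 5000 --script vuln <target>
nmap -p 5000 --script=http-enum <target>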

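# Port 5001
nmap -p 5001 --script=socks-open-proxy <target>
nmap -p 5001 --script vuln <target>
# Port 5510 — the notes scanned 5001 again here (copy-paste); the port must
# match the header or the result says nothing about 5510.
nmap -p 5510 --script vuln <target>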

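# Port 6690 — no command was recorded in the notes; a version scan is the
# minimal starting point until the service is identified.
nmap -sV -p 6690 <target>
# Port 3261
nmap -p 3261 --script=default <target_ip>
# Port 1865
nmap -sV -p 1865 <ip>
# Port 3263
nmap -p 3263 --script=vuln <target_ip>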

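# Port 3389 — RDP (its TLS configuration can also be checked with testssl.sh)
# The first line in the notes had no target.
nmap -O -p 3389 --script rdp-ntlm-info <target>
nmap -p 3389 --script rdp-enum-encryption 172.16.21.126
# MS12-020 is a DoS/RCE flaw in RDP; the check can destabilize unpatched hosts —
# run only with approval, not on production during business hours.
nmap -Pn -sV --script=rdp-vuln-ms12-020.nse 172.16.21.126
# msfconsole (written in prompt form in the notes; "rdpscanner" is rdp_scanner)
use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
use auxiliary/scanner/rdp/rdp_scanner
search MS17-010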

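# Port 8443
nmap --script=ssl-enum-ciphers -p 8443 <target>
# msfconsole: `use 3` selects by index from the previous `search` output. That
# index depends on the query and the installed modules, so it is not
# reproducible — prefer the full module path.
use 3
set RHOSTS 172.16.3.42
ping BCBMUMEVW01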
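# Port 49161 — dynamic RPC range
# NOTE(review): msf_rpc_console exploits Metasploit's own msfrpcd, not a Windows
# dynamic RPC endpoint; it is unlikely to apply here unless msfrpcd is what is listening.
use exploit/multi/misc/msf_rpc_console
# Port 49155 — also inside the Windows dynamic RPC range. oracle_login is a
# credential brute-forcer (lockout risk); confirm the listener is really Oracle first.
use auxiliary/scanner/oracle/oracle_login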

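# Ports 3900,3911,53048 (gSOAP 2.7 on the web service)
# NOTE(review): the header says 3900 but three of the four commands scan 3910 —
# confirm the open port from the port scan before relying on these results.
nmap --script=http-title,http-headers -p 3900,3911,53048 <target>
nmap --script=vuln -p 3910,3911,53048 <target>
nmap -sV -p 3910,3911,53048 -v --script http-enum 10.10.1.179
nmap --script=http-headers -p 3910,3911,53048 <target>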

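# Port 1433 — MSSQL (msfconsole)
use auxiliary/admin/mssql/mssql_enum
# mssql_ntlm_stealer coerces the SQL server into authenticating to an
# attacker-controlled SMB share (needs SQL credentials and a capture listener)
use auxiliary/admin/mssql/mssql_ntlm_stealer
# credential brute-force — lockout risk
use auxiliary/scanner/mssql/mssql_login
use exploit/windows/mssql/mssql_linkcrawler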

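# Port 22 — SSH
nmap -p 22 --script ssh2-enum-algos 10.27.9.1
nmap -p 22 --script ssh-auth-methods --script-args="ssh.user=<username>" <target>
nmap -sV -sC <target>
# ssh-brute is a password brute-forcer (lockout risk, noisy in auth logs).
# The notes passed --script-args twice; pass all arguments as one
# comma-separated list so none are dropped.
nmap -p 22 --script ssh-brute --script-args userdb=users.lst,passdb=pass.lst,ssh-brute.timeout=4s <target>
nmap -p 22 --script ssh-hostkey --script-args ssh_hostkey=all <ip>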

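# Port 9100 — NOTE(review): the header says 9100 (raw printing) but the command
# scans 9007; one of the two is a typo — check the port scan.
nmap -sV -p 9007 10.10.1.200
# msfconsole SSH modules, in the order they actually work: select the module,
# set its options, run, then interact with any session it opened.
# (the notes had a truncated "ssh_" line — presumably ssh_version)
use auxiliary/scanner/ssh/ssh_version
# ssh_login is a brute-forcer: lockout risk, noisy in auth logs
use auxiliary/scanner/ssh/ssh_login
set RHOSTS 172.16.2.162
set USER_FILE /home/kali/Desktop/sshusername.txt
set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/root_userpass.txt
set VERBOSE true
run
# key-based login attempts
use auxiliary/scanner/ssh/ssh_login_pubkey
# interact with the first session opened by a successful login
sessions -i 1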

Port 21 FTP
nmap --script ftp-brute -p 21 172.16.3.166
nmap -sV -sC IP
use auxiliary/scanner/ftp/anonymous
use auxiliary/scanner/ftp/ftp_login
use auxiliary/scanner/ftp/ftp_version
use exploit/multi/handler
back
FTPPASS [email protected]
FTPUSER anonymous
use auxiliary/scanner/ftp/ftp_version

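# Port 80 — HTTP
nmap -sV --script=http-enum <ip>
# http-auth.path is optional (the [...] is documentation notation, not syntax)
nmap --script http-auth --script-args http-auth.path=/login -p80 <ip>
# http-brute is a credential brute-forcer — lockout risk
nmap --script http-brute -p 80 <host>
nmap --script http-methods <target>
# msfconsole
use auxiliary/scanner/http/http_login
use auxiliary/scanner/http/cert
# (the notes ran this nmap on the same line as the `use` above — two separate commands)
nmap -p 443 172.16.1.15 -sV --script=ssl-cert
use auxiliary/scanner/http/dir_listing
use auxiliary/scanner/http/dir_scanner
use auxiliary/scanner/http/http_version
set RHOSTS 172.16.2.162
# WebDAV path found on a target (URL rewritten by the hosting site): http://172.16.21.221/webdav
use auxiliary/scanner/http/nginx_source_disclosure
use auxiliary/scanner/http/robots_txt
# SMB — misplaced under HTTP in the notes. The exploit can crash the target;
# scan first, exploit only with approval.
nmap -p445 --script smb-vuln-ms17-010 172.16.2.37
use exploit/windows/smb/ms17_010_eternalblue
# The notes had `nmap -A -p 172.16.2.52`: -p expects a port list, so the IP was
# consumed as the port argument and no target remained.
nmap -A 172.16.2.52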

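# Port 9100 — raw printing / PJL
nmap -sV --script pjl-ready-message -p <PORT> <IP>
# Port 631 — CUPS
nmap -p 631 <ip> --script cups-info
# Port 515 — LPD
nmap -sV -p 515 --script=default <target>
# NOTE(review): there is no NSE script named "port-states"; this line from the
# notes does not run as written. Left commented until the intended script is known.
# nmap -sV --script=port-states <target>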

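# Port 111 — rpcbind / NFS
# NOTE(review): the two lines target different hosts (.27 vs .29) — confirm
# which one was intended.
showmount -e 172.16.3.27
nmap -sSUC -p111 172.16.3.29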

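# SMTP 25 (msfconsole)
use auxiliary/scanner/smtp/smtp_version
# smtp_enum enumerates users with VRFY/EXPN/RCPT — visible in mail logs
use auxiliary/scanner/smtp/smtp_enum
set RHOSTS 172.16.3.166
run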

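# msrpc / netbios-ssn
# nbstat talks to the NetBIOS name service, which is UDP/137 — the notes used
# -sU with -p139 (the TCP session port), so the UDP probe went to the wrong port.
sudo nmap -sU -sV -T4 --script nbstat.nse -p U:137 -Pn -n 172.16.2.220
nmap 172.16.21.221 --script=msrpc-enum
rpcinfo -p 172.16.21.41
# NOTE(review): the notes had 192.16.21.221 — every other host here is 172.16.x;
# presumably a typo for 172.16.21.221.
rpcdump 172.16.21.221
# NOTE(review): msf_rpc_console targets Metasploit's own msfrpcd, not Windows MSRPC
use exploit/multi/misc/msf_rpc_console
nmap -sC -p 139 -sV 172.16.3.166
# EternalBlue exploit — can crash the target; run scanner/smb/smb_ms17_010 first
msfconsole
use exploit/windows/smb/ms17_010_eternalblue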

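# RDP 3389 (from the Kali box)
nmap -O -p 3389 --script rdp-ntlm-info 172.16.21.44
msfconsole
# list the available RDP NSE scripts
ls /usr/share/nmap/scripts | grep rdp
# MS12-020 check can destabilize unpatched hosts — approval first
nmap -Pn --script=rdp-vuln-ms12-020.nse 172.16.2.63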

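# SMB
nmap -p 445 -A 172.16.2.221
ifconfig
nmap -sS -Pn -A -p 445 172.16.1.15
# msfconsole. `use 12` is an index into the previous `search` output and is
# not reproducible — prefer the module path (the next line).
search scanner/smb
use 12
# THREADS 254 is very aggressive for a single scanner module; it can trip
# IDS/rate limits and exhaust the target's SMB connection handling.
set THREADS 254
use auxiliary/scanner/smb/smb_version
# 3389 ms-wbt-server
nmap -sV --script=rdp-vuln-ms12-020 -p 3389 172.16.3.44
# (the -T4 flag was wrapped onto the next line in the notes; one command)
nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 172.16.1.15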

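# IMAP (msfconsole) — the notes repeated this module three times; once is enough
use auxiliary/scanner/imap/imap_version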

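# 3306 MySQL (msfconsole)
use auxiliary/scanner/mysql/mysql_version
# NOTE(review): imap_version is an IMAP module and does not apply to MySQL —
# misplaced in the notes, kept commented.
# use auxiliary/scanner/imap/imap_version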

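# 1433 MSSQL (-d = nmap debug output)
nmap -d --script ms-sql-info -p 1433 172.16.21.41
# note from the session: perimeter is a Cisco ASA, with an external FortiGate
# msfconsole target for the module selected at the time
set RHOSTS 172.16.21.47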

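# Port 5900 — VNC (checks the RealVNC 4.1.x authentication-bypass flaw)
nmap -sV --script=realvnc-auth-bypass <target>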
