Default Port Lists
Enumeration tools and techniques – the vast majority can be used generically; however, certain bespoke applications require their own specific toolsets. Default passwords are platform and vendor specific.
General Enumeration Tools
nmap
nmap -n -A -PN -p- -T aggressive -iL nmap.targetlist -oX nmap.syn.results.xml
nmap -sU -PN -v -O -p 1-30000 -T polite -iL nmap.targetlist > nmap.udp.results
nmap -sV -PN -v -p 21,22,23,25,53,80,443,161 -iL nmap.targets > nmap.version.results
nmap -A -sS -PN -n --script all --reason ip_address
grep "appears to be up" nmap_saved_filename | awk -F\( '{print $2}' | awk -F\) '{print $1}' > ip_list
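The first nmap command above writes XML (-oX), which is a far more stable thing to parse than the text output the grep/awk pipeline scrapes. The following is an added example, not from this page or from the nmap project: it turns that XML into a host/open-port inventory; the XML sample is constructed and the function names are mine.

```python
# Added example, not from the original page: build a host/port inventory from the
# XML written by `nmap ... -oX nmap.syn.results.xml` rather than grepping the
# human-readable output, whose "appears to be up" wording varies between versions.
import xml.etree.ElementTree as ET

# Constructed sample in nmap's -oX layout (two hosts up, one down); not a real scan.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
 <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
  <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
  <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
 </ports></host>
 <host><status state="down"/><address addr="192.0.2.11" addrtype="ipv4"/></host>
 <host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/><ports>
  <port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
 </ports></host>
</nmaprun>
"""

def parse_nmap_xml(xml_text):
    """Return {ip: [(proto, port, service), ...]} for every host nmap marks "up".
    Only state == "open" is kept; "open|filtered" (typical for UDP) is dropped so
    the inventory holds confirmed listeners only."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        listeners = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            listeners.append((port.get("protocol"), int(port.get("portid")), name))
        inventory[addr.get("addr")] = sorted(listeners)
    return inventory

def up_hosts(xml_text):
    """Equivalent of the grep/awk pipeline above: IPs of hosts that answered."""
    return sorted(parse_nmap_xml(xml_text))

if __name__ == "__main__":
    for ip, ports in parse_nmap_xml(SAMPLE_XML).items():
        print(ip, ports or "no open TCP/UDP ports")
```

Feed it the real nmap.syn.results.xml and diff successive runs to spot new listeners between assessments.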
netcat
nc -v -n IP_Address port
nc -v -w 2 -z IP_Address port_range/port_number
amap
amap -bqv 192.168.1.1 80
amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] …]
xprobe2
sinfp
nbtscan
nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename) | (<scan_range>)
hping
scanrand
unicornscan
unicornscan [options `b:B:d:De:EFhi:L:m:M:pP:q:r:R:s:St:T:w:W:vVZ:' ] IP_ADDRESS/CIDR_NET_MASK:S-E
netenum
netenum network/netmask timeout
fping
fping -a -d hostname/(Network/Subnet_Mask)
Firewall Specific Tools
firewalk
firewalk -p [protocol] -d [destination_port] -s [source_port] [internal_IP] [gateway_IP]
ftester
host 1: ./ftestd -i eth0 -v
host 2: ./ftest -f ftest.conf -v -d 0.01
then: ./freport ftest.log ftestd.log
Active Hosts
Open TCP Ports
Closed TCP Ports
Open UDP Ports
Closed UDP Ports
Service Probing
SMTP Mail Bouncing
Banner Grabbing
Other
HTTP
Commands
JUNK / HTTP/1.0
HEAD / HTTP/9.3
OPTIONS / HTTP/1.0
HEAD / HTTP/1.0
Extensions
WebDAV
ASP.NET
Frontpage
OWA
IIS ISAPI
PHP
OpenSSL
HTTPS
Use stunnel to encapsulate traffic.
SMTP
POP3
FTP
If the banner has been altered, attempt an anonymous logon and run the 'quote help' and 'syst' commands.
ICMP Responses
Type 3 (Port Unreachable)
Type 8 (Echo Request)
Type 13 (Timestamp Request)
Type 15 (Information Request)
Type 17 (Subnet Address Mask Request)
Responses from broadcast address
Source Port Scans
TCP/UDP 53 (DNS)
TCP 20 (FTP Data)
TCP 80 (HTTP)
TCP/UDP 88 (Kerberos)
Firewall Assessment
Firewalk
TCP/UDP/ICMP responses
OS Fingerprint
© Chi Tran | Security Research