HomeWriteupsResourcesCheatsheets

Service Enumeration

FTP - 21

LogoPage not found - HackTricksbook.hacktricks.xyz

Using hydra

Bruteforcing Credentials

Telnet - 23

Logo23 - Pentesting Telnet - HackTricksbook.hacktricks.xyz

NetBios - 137, 138, 139

Logo137,138,139 - Pentesting NetBios - HackTricksbook.hacktricks.xyz

Ports

Port
Protocol
Service

137

UDP

NetBIOS Name Service (NBNS)

138

UDP

NetBIOS Datagram Service (NDS)

139

TCP

NetBIOS over TCP/IP (NBT)

Using Nbtstat - Windows

Windows Command Line Utility

Check for local cache

Using nmap

Logonbstat NSE script — Nmap Scripting Engine documentationnmap.org

  • -sV - Version Enumeration

  • -sU - UDP scan

SMB - 139, 445

Server Message Block

LogoPage not found - HackTricksbook.hacktricks.xyz
LogoPWK Notes: SMB Enumeration Checklist [Updated]0xdf hacks stuff

Methodology

Look out for

  • Network File Shares

  • Logged in User Details

  • Workgroups

  • Security Level Information

  • Domains and Services

Ports

Port
Protocol
Service

137

UDP

NetBIOS Name Service (NBNS) by SMB

138

UDP

NetBIOS Datagram Service (NDS) by SMB

139

TCP

SMB in conjunction with NetBIOS over TCP/IP (NBT)

445

TCP

Primary Port

Services Examples

  • netbios-ssn

  • microsoft-ds

Using enum4linux

Using nmap

To List All Scripts for SMB

To list all scripts by Nmap for SMB enumeration

OS Discovery

Logosmb-os-discovery NSE script — Nmap Scripting Engine documentationnmap.org

Enumerating Shares

Logosmb-enum-shares NSE script — Nmap Scripting Engine documentationnmap.org

Enumerating Users

Logosmb-enum-users NSE script — Nmap Scripting Engine documentationnmap.org

Enumerating Groups

Logosmb-enum-groups NSE script — Nmap Scripting Engine documentationnmap.org

Enumerating Services

Logosmb-enum-services NSE script — Nmap Scripting Engine documentationnmap.org

Enumerating Security Level

Exploitation

Unexpected error with integration github-files: Integration is not installed on this space

Using smbclient

  • smbclient -L - List shares on a machine using NULL Session

  • smbclient -L <target_IP> -U username%password - List shares on a machine using a valid username + password

  • smbclient //<target>/<share$> -U username%password - Connect to a valid share with username + password

RDP - 3389

Logo3389 - Pentesting RDP - HackTricksbook.hacktricks.xyz

Methodology

  1. Check for running services on the target and confirm if RDP is running on any open port.

  2. Use Metasploit to confirm the services running is RDP.

  3. Use hydra to brute force the login credentials.

  4. Use RDP tools to login into the victim's machine.

Using Metasploit

Confirming RDP

Using Hydra

Bruteforcing login credentials

Using xfreerdp

Creating RDP session with xfreerdp

SNMP - 161, 162, 10161, 10162

LogoPage not found - HackTricksbook.hacktricks.xyz

Methodology

  1. Look out for default UDP ports used by SNMP: 161, 162, 10161, 10162.

  2. Identify the processes running on the target machine using nmap scripts.

  3. List valid community strings of the server using nmap scripts.

  4. List valid community strings of the server by using snmp_login Metasploit Module.

  5. List all the interfaces of the machine. Use appropriate nmap Script.

Using snmp-check

Using nmap

Identifying Processes

Logosnmp-processes NSE script — Nmap Scripting Engine documentationnmap.org

Identifying Interfaces

Logosnmp-interfaces NSE script — Nmap Scripting Engine documentationnmap.org

Using Metasploit

Identifying Valid Community Strings

PreviousNetwork Scanning and EnumerationNextSystem Hacking

Last updated

Was this helpful?