📋 Master Port Enumeration Cheat Sheet
1️⃣ Port 53 (DNS)
🔹 Zone Transfer Attempt
dig axfr @<TARGET-IP> <domain>
Look for:
- Full DNS zone dump (hostnames, internal IPs, server names)
- Naming conventions that leak environment details
- Potential sensitive hosts (like "backup", "admin", "dev")
🔹 Basic DNS Queries
dig @<TARGET-IP> any <domain>
Look for:
- A, MX and SRV records (in an AD domain, SRV records such as _ldap._tcp and _kerberos._tcp point straight at the domain controllers)
- VPN or remote-access services
- External-facing web apps or portals
💡 Zone transfer = jackpot. Many servers refuse or minimise ANY answers (RFC 8482), so if the reply is short, ask for A, MX, SRV, NS and TXT individually; partial info still helps.
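The "Look for" triage above, as an added example that is not part of the original cheat sheet: it parses `dig axfr` output, counts record types, pulls out A records that point into RFC 1918 space and flags hostnames whose first label matches a list of sensitive fragments. The zone data is constructed, and `INTERESTING` and the RFC 1918 definition are this example's own assumptions (ipaddress.is_private is deliberately not used because it also matches the documentation ranges).

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `dig axfr` output (made-up zone, not real data). dig prints one
# record per line as: NAME TTL CLASS TYPE RDATA, with ";"-prefixed chatter around it.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.24 <<>> axfr @192.0.2.10 example.com
example.com.            3600    IN      SOA     dc01.example.com. hostmaster.example.com. 2024010101 900 600 86400 3600
example.com.            600     IN      A       198.51.100.20
dc01.example.com.       3600    IN      A       10.10.1.5
dc02.example.com.       3600    IN      A       10.10.1.6
backup-srv.example.com. 3600    IN      A       10.10.2.40
dev-jenkins.example.com. 3600   IN      A       10.10.3.15
vpn.example.com.        3600    IN      A       198.51.100.30
www.example.com.        3600    IN      CNAME   web-prod-01.example.com.
web-prod-01.example.com. 3600   IN      A       10.10.4.8
_ldap._tcp.example.com. 600     IN      SRV     0 100 389 dc01.example.com.
example.com.            3600    IN      SOA     dc01.example.com. hostmaster.example.com. 2024010101 900 600 86400 3600
;; Query time: 12 msec
"""

# Hostname fragments that hint at high-value or low-scrutiny hosts; tune per engagement.
INTERESTING = ("backup", "admin", "dev", "test", "vpn", "jenkins", "sql", "dc")

# RFC 1918 only. ipaddress.is_private would also match the documentation ranges
# (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), which is not what "internal" means here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

RECORD_RE = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+?)\s*$")


def parse_axfr(text):
    """Return (name, type, rdata) tuples from dig AXFR output; names lower-cased, no trailing dot."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if m:
            records.append((m["name"].rstrip(".").lower(), m["type"], m["rdata"]))
    return records


def is_internal(ip_text):
    """True if the address falls in one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in RFC1918)


def triage_axfr(text):
    """Summarise a zone dump: record counts, A records in RFC 1918 space, hosts worth a look."""
    records = parse_axfr(text)
    by_type = defaultdict(list)
    for name, rtype, rdata in records:
        by_type[rtype].append((name, rdata))

    internal_a = {name: ip for name, ip in by_type["A"] if is_internal(ip)}
    flagged = {
        name for name, _, _ in records
        if any(tok in name.split(".")[0] for tok in INTERESTING)
    }
    return {
        "type_counts": {t: len(v) for t, v in by_type.items()},
        "internal_a": internal_a,
        "flagged_hosts": sorted(flagged),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage_axfr(SAMPLE_AXFR), indent=2))
```

Feed it real output with `dig axfr @<TARGET-IP> <domain> > zone.txt` and `triage_axfr(open("zone.txt").read())`; the SOA record appears twice in a full transfer (start and end), which is a quick sanity check that the transfer completed.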
2️⃣ Port 88 (Kerberos)
🔹 User Enumeration via Pre-Auth Responses
nmap --script krb5-enum-users -p88 <TARGET-IP> --script-args krb5-enum-users.realm='<REALM>'
Look for:
- Valid usernames (especially service accounts): the KDC answers KDC_ERR_C_PRINCIPAL_UNKNOWN for names that don't exist and KDC_ERR_PREAUTH_REQUIRED for names that do
- Accounts flagged "Do not require Kerberos preauthentication" (AS-REP roasting potential); krb5-enum-users only reports validity, so confirm pre-auth status with the step below
🔹 AS-REP Roasting
After usernames found:
- Request a TGT without pre-auth for each username (impacket's GetNPUsers.py does this and prints crackable hashes). A KDC that returns an AS-REP instead of an error means that account has pre-auth disabled.
💡 Kerberos user enumeration needs no credentials by design, not because of a misconfiguration: every DC distinguishes unknown principals from real ones in its error replies. It is noisy on the DC, so pace the list.
3️⃣ Port 135 (MSRPC)
🔹 RPC Enumeration
rpcdump.py <TARGET-IP>
Look for:
- MS-EFSR (efsrpc, also reachable via the lsarpc, lsass, samr and netlogon pipes) = possible PetitPotam coercion
- MS-RPRN (spoolss) = possible PrinterBug/SpoolSample coercion
- MS-SAMR (samr) = enumerate users, groups, domain info (anonymous SAMR access is usually blocked unless legacy compatibility settings allow it)
- Other exposed RPC interfaces and their bindings (ncacn_ip_tcp ports, ncacn_np named pipes)
💡 RPC is often ignored and is a goldmine if misconfigured. Two caveats: rpcdump.py reads the endpoint mapper, so a listed interface means the service is registered, not that it is unpatched; and PetitPotam/PrinterBug are authentication-coercion primitives, which only pay off when there is somewhere to relay the coerced NTLM authentication (see SMB signing below). The named pipes themselves are reached over 445, not 135.
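An added example, not part of the original cheat sheet, that turns the "Look for" list above into a check: it parses rpcdump.py-style output into interfaces, matches the UUIDs of MS-RPRN, MS-PAR, MS-EFSR and MS-SAMR, and reports which named pipes and TCP ports each is bound to. The interface UUIDs come from the Microsoft protocol specifications; the rpcdump output is constructed (made-up host) and the block-per-interface layout with `Protocol:`/`Provider:`/`UUID:`/`Bindings:` lines is this example's assumption about the tool's format, so adjust `parse_rpcdump` if your version prints differently.

```python
import re

# Interface UUIDs (from the MS-* protocol specs) that matter for this triage.
INTERFACES = {
    "12345678-1234-abcd-ef00-0123456789ab": ("MS-RPRN", "spoolss: PrinterBug/SpoolSample coercion"),
    "76f03f96-cdfd-44fc-a22c-64950a001209": ("MS-PAR", "Print System Asynchronous: PrinterBug variant"),
    "c681d488-d850-11d0-8c52-00c04fd90f7e": ("MS-EFSR", "efsrpc pipe: PetitPotam coercion"),
    "df1941c5-fe89-4e79-bf10-463657acf44d": ("MS-EFSR", "lsarpc pipe: PetitPotam coercion"),
    "12345778-1234-abcd-ef00-0123456789ac": ("MS-SAMR", "samr: user/group/domain enumeration"),
}

# Constructed rpcdump.py-style output (made-up host). Blocks are separated by blank lines;
# "Bindings:" is followed by indented endpoint strings. Backslashes are doubled for Python.
SAMPLE_RPCDUMP = """\
Protocol: [MS-RPRN]: Print System Remote Protocol 
Provider: spoolsv.exe 
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0 
Bindings: 
          ncacn_ip_tcp:10.10.1.5[49668]
          ncacn_np:\\\\DC01[\\pipe\\spoolss]

Protocol: [MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol 
Provider: efslsaext.dll 
UUID    : DF1941C5-FE89-4E79-BF10-463657ACF44D v1.0 
Bindings: 
          ncacn_np:\\\\DC01[\\pipe\\lsass]
          ncacn_np:\\\\DC01[\\pipe\\lsarpc]

Protocol: N/A 
Provider: N/A 
UUID    : 3C4728C5-F0AB-448B-BDA1-6CE01EB0A6D5 v1.0 
Bindings: 
          ncacn_ip_tcp:10.10.1.5[49667]
"""

HEADER_RE = re.compile(r"^(Protocol|Provider|UUID|Bindings)\s*:\s*(.*?)\s*$")


def parse_rpcdump(text):
    """Return a list of {protocol, provider, uuid, bindings} dicts, one per interface block."""
    ifaces, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            key, val = m.group(1), m.group(2)
            if key == "Protocol":
                cur = {"protocol": val, "provider": "", "uuid": "", "bindings": []}
                ifaces.append(cur)
            elif key == "Provider" and cur is not None:
                cur["provider"] = val
            elif key == "UUID" and cur is not None:
                cur["uuid"] = val.split()[0].lower()   # drop the " v1.0" version suffix
        elif line.startswith(" ") and line.strip() and cur is not None:
            cur["bindings"].append(line.strip())         # indented line under "Bindings:"
    return ifaces


def triage_rpcdump(text):
    """Match known interface UUIDs and report the pipes and ports each one is reachable on."""
    hits = []
    for iface in parse_rpcdump(text):
        if iface["uuid"] in INTERFACES:
            spec, why = INTERFACES[iface["uuid"]]
            pipes = [b for b in iface["bindings"] if b.startswith("ncacn_np:")]
            hits.append({"spec": spec, "why": why, "bindings": iface["bindings"], "pipes": pipes})
    return hits


if __name__ == "__main__":
    for hit in triage_rpcdump(SAMPLE_RPCDUMP):
        print(f"{hit['spec']:<8} {hit['why']}")
        for binding in hit["bindings"]:
            print(f"         {binding}")
```

A hit tells you which coercion primitive is worth trying and through which pipe; it says nothing about patch level, so treat the output as a target list for testing, not as a finding.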
4️⃣ Ports 139 / 445 (NetBIOS / SMB)
🔹 Anonymous share listing
smbclient -L //<TARGET-IP> -N
Look for:
- Shares allowing guest/everyone access
- Non-default shares like BACKUP, plus the admin shares ADMIN$ and C$ (listed by default but readable only with admin rights, so null-session access to them is a red flag)
- Sensitive filenames (passwords, backups)
🔹 Enum4Linux-ng
enum4linux-ng <TARGET-IP>
Look for:
- Domain/NetBIOS names
- User and share lists
- Password policies (lockout threshold and observation window; read these before any of the brute forcing on this page)
- Computer accounts
🔹 Nmap SMB vuln check
nmap -p139,445 --script "smb-enum-shares,smb-enum-users,smb-os-discovery,smb-security-mode,smb2-security-mode,smb-vuln*" <TARGET-IP>
Look for:
- Old vulnerabilities (MS08-067, EternalBlue/MS17-010; SMBGhost, CVE-2020-0796, typically needs a separate check)
- SMB signing status from smb-security-mode (SMB1) and smb2-security-mode (SMB2/3): "not required" or "disabled" = NTLM relay possible
💡 If SMB signing is disabled or merely enabled but not required, NTLM relay is a real play. Domain controllers require signing by default, so the relay targets are usually workstations and member servers. Quote the script list so the shell doesn't expand smb-vuln* against files in the current directory.
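An added example, not part of the original cheat sheet, for the signing check above: run the scan with `-oX`, then feed the XML to this script to get the relay target list. It reads the `output` text of each `smb2-security-mode` / `smb-security-mode` host script and keeps every host where signing is not enforced. The XML is constructed (made-up hosts) and mirrors nmap's element layout; the strings matched ("enabled but not required", "message_signing: disabled") are the ones those scripts print, but treat the matching as this example's assumption and check it against a real run.

```python
import re
import xml.etree.ElementTree as ET

# Constructed nmap -oX output (made-up hosts). The element layout follows nmap's XML
# (host / address / hostnames / hostscript / script) but the data is invented.
SAMPLE_NMAP_XML = """\
<nmaprun scanner="nmap" args="nmap -p445 --script smb-security-mode,smb2-security-mode -oX - 10.10.1.0/24">
<host><status state="up"/>
<address addr="10.10.1.5" addrtype="ipv4"/>
<hostnames><hostname name="dc01.example.com" type="PTR"/></hostnames>
<hostscript>
<script id="smb2-security-mode" output="&#xa;  3:1:1: &#xa;    Message signing enabled and required"/>
</hostscript></host>
<host><status state="up"/>
<address addr="10.10.1.50" addrtype="ipv4"/>
<hostnames><hostname name="ws01.example.com" type="PTR"/></hostnames>
<hostscript>
<script id="smb2-security-mode" output="&#xa;  3:1:1: &#xa;    Message signing enabled but not required"/>
</hostscript></host>
<host><status state="up"/>
<address addr="10.10.1.60" addrtype="ipv4"/>
<hostscript>
<script id="smb-security-mode" output="&#xa;  account_used: guest&#xa;  authentication_level: user&#xa;  challenge_response: supported&#xa;  message_signing: disabled (dangerous, but default)"/>
</hostscript></host>
<host><status state="up"/>
<address addr="10.10.1.70" addrtype="ipv4"/>
<hostscript>
<script id="smb2-security-mode" output="&#xa;  3:1:1: &#xa;    Message signing enabled and required"/>
</hostscript></host>
</nmaprun>
"""


def signing_required(script_id, output):
    """Interpret a security-mode script's text: True = enforced, False = relayable, None = not a signing script."""
    text = output.lower()
    if script_id == "smb2-security-mode":
        # SMB2/3: "Message signing enabled and required" when enforced, otherwise
        # "... enabled but not required" (the long-standing default on non-DC Windows).
        return "not required" not in text and "disabled" not in text
    if script_id == "smb-security-mode":
        # SMB1: "message_signing: required|supported|disabled ..."; only "required" is safe.
        m = re.search(r"message_signing:\s*(\w+)", text)
        return m is not None and m.group(1) == "required"
    return None


def relay_targets(xml_text):
    """Return {ip: (hostname, script_id)} for every host where SMB signing is not enforced."""
    targets = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        hn = host.find("hostnames/hostname")
        name = hn.get("name") if hn is not None else ""
        for script in host.iter("script"):
            if signing_required(script.get("id", ""), script.get("output", "")) is False:
                targets[addr.get("addr")] = (name, script.get("id"))
    return targets


def target_file(targets):
    """One IP per line, sorted numerically: the format ntlmrelayx.py -tf and similar tools read."""
    ordered = sorted(targets, key=lambda ip: tuple(int(o) for o in ip.split(".")))
    return "".join(ip + "\n" for ip in ordered)


if __name__ == "__main__":
    found = relay_targets(SAMPLE_NMAP_XML)
    for ip, (name, via) in found.items():
        print(f"{ip:<15} {name:<20} via {via}")
    print(target_file(found), end="")
```

Write `target_file(found)` to disk and hand it to the relay tool; hosts that only report `smb2-security-mode` as "enabled and required" (the DC in the sample) are correctly left out.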
5️⃣ Ports 389 / 636 / 3268 / 3269 (LDAP / LDAPS / Global Catalog)
🔹 LDAP Search
ldapsearch -x -H ldap://<TARGET-IP> -b "dc=example,dc=com"
Look for:
- Users and their attributes (servicePrincipalName = Kerberoastable; userAccountControl bit 0x400000 = AS-REP roastable; pwdLastSet; description, which often carries a password hint)
- Groups like Domain Admins (member / memberOf)
- Computer objects (operatingSystem, operatingSystemVersion)
- GPO objects (groupPolicyContainer, gPCFileSysPath); the GPP cpassword remnants themselves live in SYSVOL and are read over SMB, not LDAP
💡 -x is an anonymous simple bind. On a DC it always works against the rootDSE (base "" with -s base returns defaultNamingContext, the value to put in -b), but reading the rest of the directory anonymously needs the dSHeuristics anonymous-operations setting. If that search returns real objects, you're inside the house. 3268/3269 answer the same queries forest-wide with a partial attribute set.
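An added example, not part of the original cheat sheet, that does the attribute triage above on `ldapsearch` output and also covers the "accounts without pre-auth" check from the Kerberos section: it parses LDIF (folded lines, base64 values, the result footer), decodes the userAccountControl bitmask, converts pwdLastSet from Windows FILETIME, and reports Kerberoastable, AS-REP roastable, Domain Admin and password-hint accounts. The directory data is constructed; the UAC bit values are from the Active Directory schema documentation, and `HINT_RE` is this example's own heuristic.

```python
import base64
import re
from datetime import datetime, timedelta, timezone

# userAccountControl bits worth flagging (values from the AD schema / MS-SAMR).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",  # unconstrained delegation
    0x400000: "DONT_REQ_PREAUTH",       # AS-REP roastable
}
HINT_RE = re.compile(r"pass|pwd|cred|login", re.I)   # heuristic for password hints in description
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed ldapsearch output (made-up directory, not real data). The shape is what
# ldapsearch prints: "#" comments, blank-line separated entries, ":: " for base64 values,
# long lines folded with a leading space, then the search-result footer.
_B64_DESC = base64.b64encode(b"Temp pass: Winter2024!").decode()
SAMPLE_LDIF = f"""# extended LDIF
# base <dc=example,dc=com> with scope subtree

dn: CN=svc_backup,OU=Service Accounts,DC=example,DC=com
sAMAccountName: svc_backup
description: Backup service - pwd is in the runbook
userAccountControl: 4260352
servicePrincipalName: MSSQLSvc/sql01.example.com:1433
pwdLastSet: 132000000000000000
memberOf: CN=Domain Admins,CN=Users,DC=example,DC=c
 om

dn: CN=jdoe,CN=Users,DC=example,DC=com
sAMAccountName: jdoe
userAccountControl: 66048
pwdLastSet: 0

dn: CN=Guest,CN=Users,DC=example,DC=com
sAMAccountName: Guest
userAccountControl: 66082
pwdLastSet: 0

dn: CN=tmpuser,CN=Users,DC=example,DC=com
sAMAccountName: tmpuser
description:: {_B64_DESC}
userAccountControl: 512
pwdLastSet: 133500000000000000

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4
"""


def parse_ldif(text):
    """Return entries as {attribute: [values]}; unfolds continuation lines and decodes base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation of the previous line
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in cur:               # footer blocks (search:/result:) carry no dn
                entries.append(cur)
            cur = {}
            continue
        if ":: " in line:
            attr, val = line.split(":: ", 1)
            val = base64.b64decode(val).decode("utf-8", "replace")
        elif ": " in line:
            attr, val = line.split(": ", 1)
        else:
            continue
        cur.setdefault(attr, []).append(val)
    return entries


def filetime_to_iso(value):
    """pwdLastSet is 100 ns ticks since 1601-01-01 UTC; 0 means the user must change it at next logon."""
    ticks = int(value)
    if ticks == 0:
        return "never (must change at next logon)"
    return (FILETIME_EPOCH + timedelta(microseconds=ticks // 10)).isoformat()


def triage_ldif(text):
    """One finding per user object: UAC flags, roasting candidates, DA membership, password hints."""
    findings = []
    for e in parse_ldif(text):
        if "sAMAccountName" not in e:
            continue
        uac = int(e.get("userAccountControl", ["0"])[0])
        findings.append({
            "sam": e["sAMAccountName"][0],
            "flags": [name for bit, name in UAC_FLAGS.items() if uac & bit],
            "kerberoastable": "servicePrincipalName" in e,
            "asrep_roastable": bool(uac & 0x400000) and not uac & 0x0002,
            "domain_admin": any(m.startswith("CN=Domain Admins,") for m in e.get("memberOf", [])),
            "description_hint": bool(HINT_RE.search(" ".join(e.get("description", [])))),
            "pwd_last_set": filetime_to_iso(e.get("pwdLastSet", ["0"])[0]),
        })
    return findings


if __name__ == "__main__":
    for finding in triage_ldif(SAMPLE_LDIF):
        print(finding)
```

Redirect a real search (`ldapsearch ... "(objectClass=user)" sAMAccountName userAccountControl servicePrincipalName pwdLastSet description memberOf > users.ldif`) into `triage_ldif`; a very old pwdLastSet on a service account is the classic sign of a password that was set once and never rotated.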
6️⃣ Port 464 (Kerberos Password Service)
🔹 Skip unless:
- You already hold credentials or a password-reset right over an account and want to change its password over kpasswd.
💡 Not directly exploitable without credentials; its presence just confirms a KDC.
7️⃣ Port 593 (RPC over HTTP)
🔹 Enumerate
nmap -sV -p593 <TARGET-IP>
Look for:
- The ncacn_http endpoint mapper (nmap reports it as Microsoft Windows RPC over HTTP 1.0)
- The same interfaces as on port 135, Print Spooler and DCOM included (rpcdump.py can walk this mapper too with its -port 593 option)
💡 Rarely directly vulnerable, but it exposes the RPC interfaces where 135 is filtered. The rpcinfo NSE script is for SunRPC portmappers (port 111), not MSRPC, so it tells you nothing here.
8️⃣ Port 1433 (Microsoft SQL Server)
🔹 Service Info Check
nmap -sV -p1433 --script ms-sql-info <TARGET-IP>
Look for:
- Version, product name and service pack level
- Instance name, TCP port and named pipe
🔹 Manual Login Attempt (blank sa password)
sqsh -S <TARGET-IP> -U sa -P ''
🔹 Bruteforce SQL Login (small list)
hydra -L /usr/share/seclists/Usernames/sql-server-usernames.txt -P /usr/share/seclists/Passwords/Common-Credentials/best110.txt -t 4 -f mssql://<TARGET-IP>
💡 Brute forcing can lock accounts: SQL logins created with CHECK_POLICY (the default) follow the Windows lockout policy and Windows logins follow the domain's. Keep the list small; -f stops at the first hit.
9️⃣ Port 3389 (RDP)
🔹 RDP Security Settings
nmap -p3389 --script rdp-enum-encryption <TARGET-IP>
Look for:
- Encryption level (Low / Client Compatible / High / FIPS)
- Security layer: whether CredSSP (NLA) is offered and whether legacy "Native RDP" security is still accepted
- Weak ciphers (40/56-bit RC4 where Native RDP security succeeds)
🔹 Hostname / domain leak
nmap -p3389 --script rdp-ntlm-info <TARGET-IP>
Look for:
- NetBIOS and DNS names of the host and domain
- Windows product version (build number)
💡 No NLA means the whole pre-auth RDP stack and the login screen are reachable without creds; if you want a screenshot of that screen, any RDP client will show it (there is no rdp-screenshot script in stock Nmap). Brute forcing works with or without NLA and counts against the lockout policy, so check the policy first.
🔟 Port 5120 (Barracuda BBS)
🔹 Banner grabbing
nc -nv <TARGET-IP> 5120
Look for:
- Product/version info
- Default credential hints
- Vulnerable software versions
💡 5120 is the registered port for Barracuda Backup, but on a Windows/AD network the label is only a guess until a banner or nmap -sV confirms it. When it really is a backup appliance it is often misconfigured or unpatched.
1️⃣1️⃣ Ports 5985 / 47001 (WinRM / HTTPAPI)
🔹 Confirm Service
curl -i http://<TARGET-IP>:5985/wsman
curl -i http://<TARGET-IP>:47001/wsman
Look for:
- Server: Microsoft-HTTPAPI/2.0 with a 405 (the listener is there; /wsman only accepts POST)
- Auth methods (Negotiate for NTLM/Kerberos, Basic) in the WWW-Authenticate header of the 401 returned to an unauthenticated POST
- Domain or hostnames
🔹 Header probing
nmap -p5985,47001 --script http-headers,http-title <TARGET-IP>
Look for:
- Server type and software
- Verbose or leaking headers
💡 WinRM open + creds = Remote PowerShell access. 47001 is http.sys's reserved WSMan URL and is open whenever the WinRM service runs, even if no 5985 listener has been configured.
1️⃣2️⃣ Port 7680 (Pando / Windows Update Delivery Optimization)
🔹 Banner Grabbing
nc -nv <TARGET-IP> 7680
Look for:
- Windows Delivery Optimization (the port is normally silent; its presence mainly tells you this is a Windows 10/11 client with peer-to-peer update sharing enabled)
- Unexpected headers (anything that actually answers here is not Delivery Optimization and deserves a closer look)
💡 Low value unless relayable or leaking.
1️⃣3️⃣ Port 9389 (Active Directory Web Services)
🔹 Confirm the service
nmap -sV -p9389 <TARGET-IP>
Look for:
- mc-nmf (.NET Message Framing), which is how ADWS is exposed; it confirms a DC or a host with ADWS installed
- Authenticated queries later if usernames found: ADWS is what the ActiveDirectory PowerShell module (Get-ADUser and friends) talks to, so domain creds plus that module enumerate the directory without touching 389
💡 Usually needs creds to enumerate much; stock Nmap has no ADWS-specific NSE script, so -sV is the confirmation step.
1️⃣4️⃣ Port 10934 (Octopus Tentacle)
🔹 Banner Grab
nc -nv <TARGET-IP> 10934
🔹 Service Version Detection
nmap -sV -p10934 <TARGET-IP>
🔹 SSL Certificate Check
openssl s_client -connect <TARGET-IP>:10934 </dev/null
Look for:
- The Tentacle's self-signed certificate (subject, issuer, thumbprint; the Octopus server trusts a Tentacle by thumbprint)
- A client certificate request in the handshake: Tentacle and server authenticate each other with certificates, so without the server's certificate you will not get past the TLS handshake
💡 Banner grabs are usually empty because the listener speaks TLS from the first byte; use the certificate output to confirm the service and to spot the Octopus deployment that manages this host.