3.3. Port Information

3.3.1. Common ports and their vulnerabilities

  • FTP (21/TCP)
    • Anonymous login (username anonymous, e.g. anonymous:anonymous; any password is usually accepted)

    • Brute-force password cracking

    • vsftpd 2.3.4 backdoor

  • SSH (22/TCP)
    • Username enumeration in some OpenSSH versions (the server responds differently to valid and invalid usernames)

    • Brute-force password cracking

  • Telnet (23/TCP)
    • Brute-force password cracking

    • Sniffing plaintext credentials off the wire (the protocol has no encryption)

  • SMTP (25/TCP)
    • Sender address forgery on servers that accept mail without authentication (open relay)

  • DNS (53/UDP & 53/TCP)
    • Zone transfer (AXFR) allowed from arbitrary hosts

    • DNS hijacking

    • DNS cache poisoning

    • DNS spoofing

    • Missing or misconfigured SPF / DMARC records

    • DDoS
      • DNS query flood

      • DNS reflection / amplification

    • DNS tunneling

  • DHCP (67/UDP & 68/UDP)
    • Rogue DHCP server / spoofed leases

  • TFTP (69/UDP)
    • No authentication; files can be read or written if the server allows it

  • HTTP (80/TCP)

  • Kerberos (88/TCP & 88/UDP)
    • Domain authentication protocol; the KDC handles ticket requests (AS-REQ / TGS-REQ)

    • Golden Ticket / Silver Ticket forgery

  • POP3 (110/TCP)
    • Brute-force

  • RPC (135/TCP)
    • MSRPC endpoint mapper; remote execution via WMI (wmic /node:...)

  • NetBIOS (137/UDP & 138/UDP)
    • Unauthorized access

    • Weak password

  • NetBIOS / Samba (139/TCP)
    • Unauthorized access

    • Weak password

  • SNMP (161/UDP)
    • Default or weak community strings (public / private)

  • LDAP (389/TCP)
    • Directory service used for authentication and authorization in a domain

    • Anonymous bind

    • LDAP injection

  • HTTPS (443/TCP)

  • SMB (445/TCP)
    • Windows protocol suite whose main function is file sharing

    • net use \\192.168.1.1\ipc$ password /user:domain\username

  • Linux rexec / rlogin / rsh (512/TCP & 513/TCP & 514/TCP)
    • Weak password

    • Host-based trust via .rhosts / hosts.equiv

  • Rsync (873/TCP)
    • Unauthenticated module access (rsync rsync://host/ lists exposed modules)

  • RPC (1025/TCP)
    • NFS anonymous access

  • Java RMI (1090/TCP & 1099/TCP)
    • Deserialization leading to remote command execution

  • MSSQL (1433/TCP)
    • Weak password

    • Differential backup to write a WebShell

    • OS command execution / privilege escalation with the sa account (e.g. xp_cmdshell)

  • Oracle (1521/TCP)
    • Weak password

  • NFS (2049/TCP)
    • Improper export permissions

    • showmount -e <host>

  • ZooKeeper (2181/TCP)
    • No authentication by default

  • Docker Remote API (2375/TCP; 2376/TCP with TLS)
    • Exposed without IP restriction and without TLS client authentication

    • http://docker.addr:2375/version

  • MySQL (3306/TCP)
    • Weak password

    • Writing a WebShell via the general log or outfile

    • UDF privilege escalation

    • MOF privilege escalation

  • RDP / Terminal Services (3389/TCP)
    • Weak password

  • PostgreSQL (5432/TCP)
    • Weak password

    • OS command execution (e.g. COPY ... FROM PROGRAM as a superuser)

  • VNC (5900/TCP)
    • Weak password

  • CouchDB (5984/TCP)
    • Unauthorized access

  • WinRM (5985/TCP for HTTP, 5986/TCP for HTTPS)
    • Windows implementation of WS-Management

    • The listener must be enabled manually (winrm quickconfig) on Vista and Windows Server 2008; it is enabled by default on Windows Server 2012 R2 and later

  • Redis (6379/TCP)
    • No or weak password

    • Write a WebShell to the web root via an absolute path (CONFIG SET dir / dbfilename)

    • Reverse shell via a crontab entry

    • Write an SSH public key into authorized_keys

    • Master-slave replication RCE (loading a malicious module)

    • Windows: write to the startup folder

  • Kubernetes API server (6443/TCP) and kubelet (10250/TCP)
    • Unauthenticated kubelet API: https://Kubernetes:10250/pods

  • JDWP (8000/TCP)
    • Java Debug Wire Protocol; remote command execution if exposed

  • ActiveMQ (8161/TCP web console, 61616/TCP OpenWire)
    • Default admin:admin credentials on the web console

  • Jenkins (8080/TCP)
    • Unauthorized access

  • Elasticsearch (9200/TCP)
    • Code execution via dynamic scripting in old versions

    • http://es.addr:9200/_plugin/head/

    • http://es.addr:9200/_nodes

  • Memcached (11211/TCP)
    • Unauthorized access

  • RabbitMQ (15672/TCP management, 15692/TCP metrics, 25672/TCP clustering)
    • Default guest:guest credentials on the management interface

  • MongoDB (27017/TCP)
    • No or weak password

  • Hadoop (50070/TCP NameNode web UI & 50075/TCP DataNode web UI)
    • Unauthorized access

In addition to the problems listed above, any Internet-facing service that is not running a current version may be affected by vulnerabilities that have already been disclosed.

3.3.2. Common port scanning techniques

3.3.2.1. Full Scan

The scanning host attempts to establish a regular connection with a port of the target host by completing the TCP three-way handshake. If the connection is established, the port is open; if the target answers with RST, the port is closed; if nothing comes back, the port is filtered.

A full (connect) scan is simple to implement and needs no special privileges, because it goes through the operating system's normal socket API. But every completed handshake is delivered to the listening application, so the scan leaves obvious records in connection and application logs.

3.3.2.2. Half Scan

Half scan is also called SYN scan. Only a SYN segment is sent. If the response is RST, the port is closed; if the response is SYN/ACK, the port is listening (the scanner then sends RST instead of ACK, so the handshake is never completed); if there is no response, the port is filtered. This method requires raw-socket privileges (root or administrator), and most firewalls and IDS products now detect it.

3.3.2.3. FIN Scan

A FIN scan sends a bare FIN segment to the target. Per RFC 793, a closed port replies with RST, while an open port silently drops the segment. A port that does not answer is therefore reported as open|filtered rather than open, since a firewall dropping the probe produces the same silence. Windows and some other stacks reply with RST regardless of port state, so the technique does not work against them.

Because no connection is ever attempted, the probe never reaches the listening application and is not recorded in ordinary connection logs, which makes it stealthier than a SYN scan; packet-level IDS still sees it.
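The three techniques above differ in what the scanner sends and how it interprets the reply. The following added example (not part of the original page) shows a full connect scan against a listener it starts itself on 127.0.0.1, demonstrates that the target application sees the completed handshake, and contains the decision logic a raw SYN or FIN scanner applies to the TCP flags of the reply. Sending raw SYN/FIN probes needs root and is not done here; the flag constants, the port values and the listener are constructed for the demonstration.

```python
import socket

# TCP flag bits as laid out in the flags byte of a TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def connect_scan(host, port, timeout=1.0):
    """Full scan: let the OS complete the three-way handshake.

    connect_ex() returns 0 on success (port open) and an errno otherwise.
    ECONNREFUSED means the target answered RST (closed); a timeout means
    nothing came back (filtered). No special privileges are needed.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        err = s.connect_ex((host, port))
    if err == 0:
        return "open"
    if err in (socket.EAGAIN, socket.EWOULDBLOCK) or err == 11:
        return "filtered"  # no reply before the timeout
    return "closed"


def classify_response(scan, flags):
    """Interpret the reply to a raw SYN or FIN probe.

    `flags` is the TCP flags byte of the reply segment, or None if no
    reply arrived before the timeout.
    """
    if scan == "syn":
        if flags is None:
            return "filtered"            # dropped by a firewall
        if flags & RST:
            return "closed"              # RST(/ACK) from a closed port
        if (flags & SYN) and (flags & ACK):
            return "open"                # SYN/ACK: port is listening
        return "unexpected"
    if scan == "fin":
        if flags is None:
            return "open|filtered"       # open ports and firewalls both stay silent
        if flags & RST:
            return "closed"              # only a closed port answers a bare FIN
        return "unexpected"
    raise ValueError(f"unknown scan type {scan!r}")


def demo():
    """Run a connect scan against a constructed loopback target."""
    # Constructed target: a listener on a loopback port chosen by the OS.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(2.0)
    open_port = srv.getsockname()[1]

    # Reserve a second port and release it so it is (almost certainly) closed.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()

    results = {
        "open": connect_scan("127.0.0.1", open_port),
        "closed": connect_scan("127.0.0.1", closed_port),
    }

    # The handshake completed, so the listening application receives the
    # scanner's connection: this is the "obvious record" a full scan leaves.
    try:
        conn, _peer = srv.accept()
        conn.close()
        results["seen_by_target"] = True
    except socket.timeout:
        results["seen_by_target"] = False
    srv.close()
    return results


if __name__ == "__main__":
    print(demo())
    print("SYN probe, SYN/ACK reply:", classify_response("syn", SYN | ACK))
    print("FIN probe, no reply:     ", classify_response("fin", None))
```

A SYN scanner that sends its own packets (for example with raw sockets or scapy) feeds the flags byte of each reply into classify_response; the connect scan never needs that table because the OS does the interpretation and only reports success or an errno.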

3.3.3. Web Services

  • Jenkins
    • Unauthorized access

  • GitLab
    • Version-specific CVEs

  • Zabbix
    • Improper permission settings