- Reconnaissance. Passive and Active
- Research:
- Passive - Shodan, LinkedIn, Facebook, X (Twitter), Instagram
- Subdomains, open directories, IP and URL addresses - gobuster, ffuf, dirbuster, theHarvester
- Open Ports - nmap, masscan, rustscan
- Software
- OS
- Version
- API
- Mails - hunter.io
- OSINT Framework. A web-based interface to the common tools and resources for open-source intelligence
- Exploitation - get first access
- Post Exploitation - get root or administrator access
- Clean up your tracks
- Reporting
- External Network Reconnaissance
- Primary Access Attacks
- Access Consolidation
- Privilege Escalation
- Bypassing the demilitarized zone and Network Restrictions
- Traffic Pivoting to Other Segments
- Internal Network Reconnaissance
- Infrastructure Network Takeover
- Evasion and Counter-Detection
- 21 - ftp
- 22 - ssh
- 23 - telnet
- 80, 8000, 8001, 8002, 8004, 8006, 8007, 8008, 8080, 8888 - http
- 88 - kerberos (Kerberos Key Distribution Center) - the presence of this port helps identify a domain controller on the network
- 135 - MSRPC (Microsoft RPC) - used by Microsoft client-server applications (e.g., Exchange) to perform various operations in the OS, given valid credentials
- 137 - NETBIOS-NS (NetBIOS Name Service) - allows querying the domain name and MAC address of a machine
- 143 - imap
- 389 - ldap (Lightweight Directory Access Protocol) - this port opens several possibilities, including credential brute-forcing and access to LDAP through vulnerability exploitation
- 443, 8443, 9443 - https
- 445 - smb (Server Message Block over IP) - the SMB protocol has several vulnerabilities and flaws across its versions that can lead to code execution, session hijacking, and access to data on file servers
- 623, 49152 - ipmi
- 636 - ldaps
- 873 - rsync
- 1099 - websphere
- 1433, 1434 - mssql (Microsoft SQL Server) - the MSSQL service gives access to database management and, more importantly, execution of arbitrary code on the Windows machine if we have an account for database access
- 1500 - tivoli_storage_manager
- 1540, 1541 - 1C
- 2001, 2010 - ibm_http
- 2181 - zookeeper
- 2222 - ansible
- 2375, 2376 - docker
- 2379 - k8s etcd
- 2809, 9043, 9060, 9080, 9501, 9502, 9503 - websphere
- 5558, 5559 - websphere_java_messaging_service
- 7873 - websphere_rds_client
- 8879 - websphere_soap
- 3306 - mysql
- 3389 - rdp (Remote Desktop Protocol) - the Remote Desktop service has had various vulnerabilities over its history, including ones leading to arbitrary code execution (e.g., BlueKeep), and is vulnerable to MitM attacks that allow accessing the service on behalf of the victim
- 4678 - cisco smart install
- 4899 - radmin
- 5800-5810, 5900, 5901 - vnc
- 5432, 5433 - postgresql
- 5555 - hp_data_protector
- 5557 - citrix
- 5666 - nagios
- 8291 - mikrotik
- 10050, 10051 - zabbix
- 7001 - weblogic
- 9000 - clickhouse
- 27017, 27018 - mongodb
- 50013 - sap
- 1521-1527 - oracle
- 3200-3299 - sap
- 4786 - cisco_smart_install
- 9200, 9300 - elasticsearch
- 5985, 5986 - winrm
- 50070 - hdfs_ui
- 6443 - k8s
- 8111 - clickhouse
- 8500, 8501 - consul
- 8200, 8201 - vault
- 10250, 10255 - k8s