The purpose of this network service methodology is to create a quick mind-map for useful tools associated with quick enumeration network services. It takes most of the recommended tooling from hacktricks and condeses in a single linked document with emphases on logical executions of tools in a "unorded psuedo-code" format. While the focus is on tools that can be implemented in automated scripts, it also provides links to manual methodology and information mainly featured in hacktricks. It also features additional network services obtained throughout my capstone research project Pentester Toolchain (https://github.com/ngimb64/Pentester-Toolchain) and will continue to be updated with custom scripts obtained on github or created myself. If your not familiar I also highly recommend checking out hacktricks (https://book.hacktricks.xyz/welcome/readme), considering it was incredibly helpful in putting together this document and the default configuration script for Pentester Toolchain and features lots of great information on offensive security beyond the scope of network penetration testing.

Other sources that provided valuable service informaton not found in hacktricks are found below:

https://cheatsheet.haax.fr/network/services-enumeration/
https://0xffsec.com/handbook/
https://pentestsector.com/docs/1.0/overview

Additional information on network pentesting methodology can be found here

https://book.hacktricks.xyz/generic-methodologies-and-resources/pentesting-network

FTP (20, 21) SSH (22) Telnet (23) SMTP (25, 465, 587, 2525) Whois (43) TACACS+ (49) Finger (79) HTTP/HTTPS (80, 443, 8080, 8443) POP3/POP3 over TLS (110, 995) Ident (113) NNTP/NNTPS (119, 433) IMAP/IMAP over TLS (143, 993) SNMP Smux (199) Checkpoint Firewall (264) SMB (445) Modbus (502) Rexec (512) Rlogin (513) Rsh (514) Line Printer Daemon (515) Apple Filing Protocol (548) RTSP (554) Cups (631) Rsync (873) Java RMI (1050, 1098, 1099) Microsoft SQL Server (1433) Oracle Database Server (1521) Point-to-Point Tunneling Protocol (1723) Mosquito (1883) Oracle XML DB FTP (2100) Compaq/HP Insight Manager (2301, 2381) Docker (2375, 2376) Squid (3128) ISCSI (3260) SAPRouter (3299) MySQL (3306) RDP (3389) Distcc (3632) Subversion (3690) Erlang Port Mapper Daemon (4369) RSIP (4555) Cisco Smart Install (4786) Docker Registry (5000) Android Debug Bridge (5037, 5555) Postgresql (5432, 5433) Redshift (5439) VNC (5800, 5900) WinRM (5985, 5986) X11 (6000) Redis (6379) Java Debug Wire (8000) Apache Jserv (8009) InfluxDB (8086) Splunkd (8089) Bitcoin (8333, 18333, 18444, 38333) HyperSQL Database (9001) Apache Casandra (9042, 9160) Raw Printing (9100) Elasticsearch (9200) Network Data Management Protocol (10000) Memcache (11210) RabbitMQ Management (15672) GlusterFS (24007, 24008, 24009, 49152) MongoDB (27017, 27018) Tiller (44134) SAP 50000-8, 50010 Hadoop (50030, 50060, 50070, 50075, 50090)

UDP

DHCP (67) TFTP (69) Rusersd (1026) WS-Discovery (3702) mDNS (5353) BACNet (47808)

TCP/UDP

DNS (53) Kerberos (88) Rpcbind (111) NTP (123) MSRPC (135) Netbios (137, 138, 139) SNMP (161, 162, 10161, 10162) IRC (194, 529, 6667) LDAP (389, 636) IPsec / IKE VPN / Point-to-Point Tunnel Protocol (500, 1723) Intelligent Platform Management Interface (623) Windows domain (1030, 1032, 1033, 1038) Socks Proxy (1080) Oracle Intelligent Agent (1748, 1754, 1808, 1809) NFS (2049) RSIP (4555) Kibana (5601) RabbitMQ (5671, 5672) CouchDB (5984, 6984) EthernetIP (44818)

Brute force resources

wordlist generation tools
- Crunch
- Cewl
- Cupp (https://github.com/Mebus/cupp)
- Pydictor (https://github.com/LandGrey/pydictor)
wordlists
for additional information on brute forcing https://book.hacktricks.xyz/generic-methodologies-and-resources/brute-force

Note: I only mention nmap nse scripts and metasploit options because they are both easily looked up on the machine. The nmap nse scripts can found at https://nmap.org/nsedoc/scripts/ and simply use Ctrl+f and search for the service name or abbreviation. Metasploit has a search function that has filtering capabilites for easy lookup. For example to search for http modules of the auxiliary type use search http type:auxiliary. Within the auxiliary there are multiple types of submodules, to search for http scanners for enumeration use search scanner/http type:auxiliary, the gather submodules can be useful for enumeration as well

FTP

attempt anonymous connection or connection via browser ftp <ip>
attempt to download all files wget -m ftp://anonymous:anonymous@<ip> wget -m --no-passive ftp://anonymous:anonymous@<ip>
banner grab nc -vn <ip> <port> OR telnet -n <ip> <port>
certificate grab openssl s_client -connect <ip>:<port> -starttls ftp
nmap nse scripts / metasploit options
if further brute forcing
- use hydra hydra -t 1 -l <username> -P <password wordlist> -vV <ip> ftp OR
- use ncrack ncrack -T 5 -p 21 --user <username> -P <password wordlist> <ip> OR
- use medusa medusa -u <username> -P <password wordlist> -h <ip> -M ftp
for additional information https://book.hacktricks.xyz/network-services-pentesting/pentesting-ftp

SSH

banner grab nc -vn <ip> <port>
nmap nse scripts / metasploit options
If brute forcing
- use hydra hydra -v -V -u -l <username> -P <password wordlist> -t 1 -u <ip> ssh OR
- use ncrack ncrack -T 5 -p 22 --user <username> -P <password wordlist> <ip> OR
- use medusa medusa -u <username> -P <password wordlist> -h <ip> -M ssh OR
- use patador patator ssh_login host=<ip> port=22 user=<username> 0=<password wordlist> password=FILE0 -x ignore:mesg='Authentication failed'
once access is gained, keys can be generated for persistence or existing keys can used to pivot
for additional information https://book.hacktricks.xyz/network-services-pentesting/pentesting-ssh

Telnet

banner grab nc -vn <ip> 23
nmap nse scripts / metaspoit options
if brute forcing
- use hydra hydra -l <username> -P <password wordlist> -t 32 <ip> telnet OR
- use ncrack ncrack -T 5 -p 23 --user <username> -P <password wordlist> <ip> OR
- use medusa medusa -u <username> -P <password wordlist> -h <ip> -M telnet

SMTP

banner grab nc -vn <ip> 25
nmap nse scripts / metasploit options
if SMTPS (secure connection) openssl s_client -crlf -connect smtp.<domain>:465 openssl s_client -starttls smtp -crlf -connect smtp.<domain>:587
finding mx servers dig +short mx <domain>
if initial enum shows allowed VRFY method, connect
- users can be enumerated with NetBrute (https://github.com/ngimb64/NetBrute)
use hydra if brute forcing hydra -l <username> -P <password wordlist> <ip> smtp -v with SSL: hydra -l <username> -P <password wordlist> -s 587 <ip> -S -v -V
use mailspoof (https://github.com/serain/mailspoof) to identify weak SPF and DMARC policies
if credentials are already obtained, evolution can be used to extract user email data from server
for manual enumeration and addional information https://book.hacktricks.xyz/network-services-pentesting/pentesting-smtp

Whois

run whois and pipe the echoed domain name to netcat banner grab: whois -h <ip> -p 43 <domain> && echo <domain> | nc -vn <ip> 43
the WHOIS service always needs to use a database to store and extract the information. So, a possible SQLInjection could be present when querying the database from some information provided by the user. For example doing: whois -h <ip> -p 43 "a') or 1=1#" you could be able to extract all the information saved in the database.

Tacacs+

use a tool called loki to intercept and brute force tacas+ login key, resulting in access to network infrastructure and the ability to intercept and decrypt the LANs network traffic
for more information https://book.hacktricks.xyz/network-services-pentesting/49-pentesting-tacacs+

Finger

banner grab nc -vn <ip> <port>
user enumeration list users - finger @<ip> get user info - finger <user>@<ip>
- if brute forcing finger-user-enum (https://github.com/pentestmonkey/finger-user-enum)
nmap nse scripts / metasploit options
for additional information
- https://book.hacktricks.xyz/network-services-pentesting/pentesting-finger
- https://0xffsec.com/handbook/services/finger/

HTTP/HTTPS

banner grab nc -v <domain>
cert grab openssl s_client -connect <domain>:443
vuln check with analyzer tools stealthy - whatweb -a 1 <url> aggresive - whatweb -a 3 <url> webtech -u <url> webanalyze -host <url> -crawl 2
nmap nse scripts / metasploit options
automatic scanners nikto -host <url> whatweb -a 4 <url> wapiti -u <url> W3af nuclei -ut && nuclei -target
CMS scanners cmsmap -F -d <url> wpscan --force update -e --url <url> joomscan --ec -u <url> joomlavs.rb (https://github.com/rastating/joomlavs)
initial checks (pages of interest)
- /robots.txt
- /sitemap.xml
- /crossdomain.xml
- /clientaccesspolicy.xml
- /.well-known/
- Check out comments in main/secondary pages for information leakage
SSL/TLS Vulnerabilities ./testssl.sh <ip>:<port> (https://github.com/drwetter/testssl.sh)
if brute forcing
- HTTP basic auth
  - use hydra hydra -L <username wordlist> -P <password wordlist> <domain> http-get <auth web path> OR
  - use medusa medusa -h <ip> -u <username> -P <password wordlist> -M http -m DIR:<auth web path> -T 10
- HTTP post form
  - use hydra hydra -L <username wordlist> -P <password wordlist> <domain> http-post-form "<auth web path>:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V
if brute forcing cms cmsmap -f W/J/D/M -u a -p a <proto>://<domain>

for additional methodolgy details, check out https://book.hacktricks.xyz/network-services-pentesting/pentesting-web

POP3

banner grab nc -nv <ip> <port>
cert grab openssl s_client -connect <ip>:<port> -crlf -quiet
nmap nse scripts / metaspoit options
use hydra if further brute forcing hydra -l <username> -P <password wordlist> -f <ip> pop3 -V with SSL: hydra -S -v -l <username> -P <password wordlist> -s 995 -f <ip> pop3 -V

Ident

Netcat banner grabbing for a more manual approach
nmap nse scripts
if brute forcing use ident-user-enum tool (https://github.com/pentestmonkey/ident-user-enum)

NNTP/NNTPS

banner grab telnet <ip> <port> OR nc -n <ip> <port>
cert grab openssl s_client -crlf -connect <ip>:<port>
nmap nse script /metasploit options
for additional information
- https://0xffsec.com/handbook/services/nntp/
- https://cheatsheet.haax.fr/network/services-enumeration/119_nntp/

IMAP

banner grab nc -nv <ip> <port>
cert grab openssl s_client -connect <ip>:><port> -quiet
nmap nse scripts / metaspoit options
if brute forcing
- use hydra hydra -l <username> -P <password wordlist> -f <ip> imap -V with SSL: hydra -S -v -l -P -s 993 -f imap -V OR
- use nmap nmap -sV --script imap-brute -p <port> <ip>
for additional information https://book.hacktricks.xyz/network-services-pentesting/pentesting-imap

Smux

run snmpwalk snmpwalk -c public -v1 -t 10 <ip>

Checkpoint-Firewall

Run metasploit script under auxilary/gather/checkpoint_hostname

SMB

nmap nse scripts / metaspoit options
without credentials nbtscan <ip> smbmap -H <ip> smbmap -H <ip> -u null -p null smbmap -H <ip> -u guest smbclient -N -L //<ip> smbclient -N //<ip>/ --option="client min protocol"=LANMAN1 rpcclient <ip> rpcclient -U "" <ip> crackmapexec smb <ip> crackmapexec smb <ip> --pass-pol -u "" -p "" crackmapexec smb <ip> --pass-pol -u "guest" -p "" GetADUsers.py -dc-ip <ip> "<domain>/" -all GetNPUsers.py -dc-ip <ip> -request "<domain>/" -format hashcat GetUserSPNs.py -dc-ip <ip> -request "<domain>/" getArch.py -target <ip>
with credentials smbmap -H <ip> -u <username> -p <password> smbclient "\\\\<ip>\\\" -U <username> -W <domain> -l <ip> smbclient "\\\\{IP}\\\" -U {Username} -W {Domain_Name} -l {IP} --pw-nt-hash <hash> crackmapexec smb <ip> -u <username> -p <password> --shares GetADUsers.py <domain>/<username>:<password> -all GetNPUsers.py <domain>/<username>:<password> -request -format hashcat GetUserSPNs.py <domain>/<username>:<password> -request
if brute forcing
- use hydra hydra -t 1 -V -f -l <username> -P <password wordlist> <ip> smb OR
- use nmap nmap --script smb-brute -p <port> <ip>
for additional information

Modbus

use nmap nse script / metasploit options nmap --script modbus-discover -p <port> <ip>

Rexec

if brute forcing
- use hydra hydra -l <username> -P <password wordlist> rexec://<ip> -v -V OR
- use nmap nmap --script rexec-brute -p <port> <ip> OR
- use metasploit module auxiliary/scanner/rservices/rexec_login

Rlogin

attempt remote login rlogin <ip> -l <username>
if brute forcing
- use hydra hydra -l <username> -P <password wordlist> rlogin://<ip> -v -V OR
- use nmap nmap --script rlogin-brute -p <port> <ip> OR
- metasploit module auxiliary/scanner/rservices/rlogin_login

Rsh

execute command on remote system rsh <ip> <command> rsh <ip> -l <domain>\<user> <command> rsh <domain>/<user>@<ip> <command> rsh <domain>\\<user>@<ip> <command>
if brute forcing
- use hydra hydra -L <username wordlist> rsh://<ip> -v -V OR
- use metasploit module auxiliary/scanner/rservices/rsh_login
for additional information https://book.hacktricks.xyz/network-services-pentesting/pentesting-rsh

Line-Printer-Daemon

use lpdprint.py and lpdtest.py from PRET (https://github.com/RUB-NDS/PRET) lpdprint.py <hostname> <file> lpdtest.py <hostname> get <file> lpdtest.py <hostname> put <file> lpdtest.py <hostname> rm <file> lpdtest.py <hostname> in '<synax>' lpdtest.py <hostname> mail <mailer name>@<mail host>.local
for additional information
- https://book.hacktricks.xyz/network-services-pentesting/pentesting-printers
- https://0x00sec.org/t/an-introduction-to-printer-exploitation/3565

Apple-Filing-Protocol

nmap vuln script nmap -sV --script "afp-* and not brute" -p <port> <ip>
use metasploit afp_server_info script in auxiliary/scanner/afp
if brute forcing
- use nmap nmap -p <port> --script afp-brute <ip> OR
- use metasploit module auxiliary/scanner/afp/afp_login

RTSP

nmap vuln scripts / metasploit options
if brute forcing use hydra hydra -l <username> -P <password wordlist> <ip> rtsp
for manual methodology and additional information https://book.hacktricks.xyz/network-services-pentesting/554-8554-pentesting-rtsp

Cups

nmap nse scripts
for additional information https://book.hacktricks.xyz/network-services-pentesting/pentesting-631-internet-printing-protocol-ipp

Rsync

run nmap nse scripts / metasploit options
manual enumeraton with netcat nc -vn <ip> <port>
- return printed banner
- enter #list to enumerate
- retry process with enumerated share names insted of #list
if brute forcing use nmap nmap -sV --script rsync-brute --script-args userdb=<username wordlist>,passdb=<password wordlist> -p 873 <ip>
for additional information https://book.hacktricks.xyz/network-services-pentesting/873-pentesting-rsync

Java-RMI

nmap nse scripts / metasploit modules
This scanner tool helps identify RMI vulnerabilities (https://github.com/qtc-de/remote-method-guesser)
for manual methodology and additional information https://book.hacktricks.xyz/network-services-pentesting/1099-pentesting-java-rmi

Microsoft-SQL-Server

nmap nse scripts / metaspoit options
if brute forcing
- use crackmapexec crackmapexec mssql <ip> -d <domain> -u <username wordlist> -p <password wordlist> OR
- use hydra hydra -L <username wordlist> –P <password wordlist> <ip> mssql OR
- use medusa medusa -h <ip> –U <username wordlist> –P <password wordlist> –M mssql OR
- use nmap nmap -p 1433 --script ms-sql-brute --script-args mssql.domain=<domain>,userdb=<username wordlist>,passdb=<password wordlist>,ms-sql-brute.brute-windows-accounts <ip> OR
- use metasploit module auxiliary/scanner/mssql/mssql_login
for manual methoodology and additional information https://book.hacktricks.xyz/network-services-pentesting/pentesting-mssql-microsoft-sql-server

Oracle-Database-Server

nmap nse scripts / metaspoit options
if brute forcing
- use hydra hydra -P <password wordlist> -t <threads> -s <port> <host.victim> oracle-listener OR
- use nmap nmap --script oracle-brute -p <port> --script-args oracle-brute.sid=<sid> <ip> OR
- use metasploit module scanner/oracle/oracle_login
for manual methodology and additional information https://book.hacktricks.xyz/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener

Mosquito

the manual method
- download this client (https://github.com/bapowell/python-mqtt-client-shell)
- refer to this for more (https://book.hacktricks.xyz/network-services-pentesting/1883-pentesting-mqtt-mosquitto)
if brute forcing
- use ncrack ncrack mqtt://<ip> --user <username> -P <password wordlist> -V OR
- use metasploit module auxiliary/scanner/mqtt/connect
for manual methodology and additional information https://book.hacktricks.xyz/network-services-pentesting/1883-pentesting-mqtt-mosquitto

Oracle-XML-DB

metasploit options

Compaq/HP-Insight-Manager

for information https://book.hacktricks.xyz/network-services-pentesting/pentesting-compaq-hp-insight-manager

Docker

nmap nse scripts / metaspoit options
test connection to container: docker -H <ip>:<port> ps -a
download kali image docker -H <ip>:<port> pull kalilinux/kali
double check if image was downloaded properly: docker -H <ip>:<port> images
running the container: docker -H <ip>:<port> run -itd --name <container name> -v /:/ mnt <image id>
for manual methodology and additional information https://book.hacktricks.xyz/network-services-pentesting/2375-pentesting-docker

Squid

use the Squid Pivoting Open Port Scanner (SPOSE) https://github.com/aancw/spose python spose.py --proxy http://<ip>:3128 --target <ip>
for manual methodology and additional information https://book.hacktricks.xyz/network-services-pentesting/3128-pentesting-squid

ISCSI

nmap nse script nmap -sV --script=iscsi-info -p 3260 <ip>
run iscsiadm to attempt mount that would be located in /etc/iscsi/nodes/ iscsiadm -m discovery -t sendtargets -p <ip>:3260
if brute forcing use nmap nmap -sV --script iscsi-brute --script-args userdb=<username wordlist>,passdb=<password wordlist< -p 3260 <IP>
for manual methodology and additional information https://book.hacktricks.xyz/network-services-pentesting/3260-pentesting-iscsi

SAPRouter

metasploit options
for manual methodology and additional information https://book.hacktricks.xyz/network-services-pentesting/3299-pentesting-saprouter

MySQL

nmap nse scripts / metaspoit options
if brute forcing
- use hydra hydra -L <usernames wordlist> -P <password wordlist> <ip> mysql OR
- use medusa medusa -h <IP/Host> -u <username wordlist> -P <password wordlist> <-f | stop on first success attempt> -t <threads> -M mysql OR
- use metasploit module auxiliary/scanner/mysql/mysql_login
for manual methodology and additional information https://book.hacktricks.xyz/network-services-pentesting/pentesting-mysql

RDP

nmap nse scripts / metaspoit options
if brute forcing
- use hydra hydra -V -f -L <username wordlist> -P <password wordlist> rdp://<ip> OR
- use ncrack ncrack -vv --user <username wordlist> -P <password wordlist> rdp://<ip>
use crowbar or cain can also be used for brute forcing
for manual methodology and additional information https://book.hacktricks.xyz/network-services-pentesting/pentesting-rdp

Distcc

nmap nse scripts / metasploit options
for additional information https://book.hacktricks.xyz/network-services-pentesting/3632-pentesting-distcc

Subversion

banner grab nc -vn <ip> <port>
metasploit options
enumeraiton svn ls svn://<ip> svn log svn://<ip> svn checkout svn://<ip> svn up -r 2
if brute forcing use nmap nmap --script svn-brute --script-args svn-brute.repo=/svn/ -p 3690 <host>

Erlang-Port-Mapper-Daemon

nmap nse scripts nmap -sV -Pn -n -T4 -p 4369 --script epmd-info <ip>
for manual methodology and additional information https://book.hacktricks.xyz/network-services-pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd

RSIP

for manual methodology https://cheatsheet.haax.fr/network/services-enumeration/4555_rsip/

Cisco-Smart-Install

metasploit options
run SIETpy3 script to attempt to retrieve configuration of network device (https://github.com/Sab0tag3d/SIETpy3)
for additional information https://book.hacktricks.xyz/network-services-pentesting/4786-cisco-smart-install

Docker-Registry

if brute forcing use hydra hydra -L <username wordlist> -P <password wordlist> 10.10.10.10 -s <port> https-get /v2/
for manual methodology and additional information https://book.hacktricks.xyz/network-services-pentesting/5000-pentesting-docker-registry

Android-Debug-Bridge

for manual methodology and additional information https://book.hacktricks.xyz/network-services-pentesting/5555-android-debug-bridge

Postgresql

metasploit options
if brute forcing
- use hydra hydra -L <username wordlist> –P <password wordlist> <ip> postgres OR
- use ncrack ncrack –v –U <username wordlist> –P <password wordlist> <ip>:<port> OR
- use medusa medusa -h <ip> –U <username wordlist> –P <password wordlist> –M postgres OR
- use nmap nmap -sV --script pgsql-brute --script-args userdb=<username wordlist>,passdb=<password wordlist> -p <port> <ip> OR
- use metasploit module auxiliary/scanner/postgres/postgres_login
for manual methodology and additional information https://book.hacktricks.xyz/network-services-pentesting/pentesting-postgresql

Redshift

Enumerate the AWS Redshift clusters aws redshift describe-clusters
for additional information https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-databases/aws-redshift-enum

VNC

nmap vuln scripts / metaspoit options
if brute forcing
- use hydra hydra -L <username wordlist> –P <password wordlist> -s <port> <ip> vnc OR
- use ncrack ncrack -V --user <username> -P <password wordlist> <ip>:<port> OR
- use medusa medusa -h <ip> –u <username> -P <password wordlist> –M vnc OR
- use nmap nmap -sV --script pgsql-brute --script-args userdb=<username wordlist>,passdb=<password wordlist> -p <port> <ip> OR
- use metasploit module auxiliary/scanner/vnc/vnc_login
for additional information https://book.hacktricks.xyz/network-services-pentesting/pentesting-vnc

WinRM

if brute forcing
- use crackmap crackmapexec winrm <ip> -d <domain> -u <username wordlist> -p <password wordlist> OR
- use metasploit module auxiliary/scanner/winrm/winrm_login
if endpoint has an ipv6 address evil-winrm can be used to connect (https://github.com/Hackplayers/evil-winrm)
for manual methodology and additional information https://book.hacktricks.xyz/network-services-pentesting/5985-5986-pentesting-winrm

X11

nmap nse script / metasploit options
for additional information https://book.hacktricks.xyz/network-services-pentesting/6000-pentesting-x11

Redis

nmap nse scripts / metasploit options
if brute forcing
- use hydra hydra –P <password wordlist> redis://<ip>:<port> OR
- use nmap nmap --script redis-brute -p <port> <ip> OR
- use metasploit modules auxiliary/scanner/redis/redis_login
for manual methodoloogy and additional information https://book.hacktricks.xyz/network-services-pentesting/6379-pentesting-redis

Java-Debug-Wire

nmap nse scripts
for manual methodology and additional information https://book.hacktricks.xyz/network-services-pentesting/pentesting-jdwp-java-debug-wire-protocol

Apache-Jserv

nmap nse scripts / metasploit options
if brute forcing use nmap nmap --script ajp-brute -p <port> <ip>
for manual methodology and additional information https://book.hacktricks.xyz/network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp

InfluxDB

metasploit options
for manual methodology and additional information https://book.hacktricks.xyz/network-services-pentesting/8086-pentesting-influxdb

Splunkd

if brute forcing use metasploit module auxiliary/scanner/http/splunk_web_login
for manual methodology and additional information https://book.hacktricks.xyz/network-services-pentesting/8089-splunkd

Bitcoin

nmap nse scripts

HyperSQL-Database

for manual methodology and additional information https://book.hacktricks.xyz/network-services-pentesting/9001-pentesting-hsqldb

Apache-Casandra

nmap nse scripts
if brute forcing use nmap nmap --script cassandra-brute -p <port> <ip>
for manual methodology and additional information https://book.hacktricks.xyz/network-services-pentesting/cassandra

Raw-Printing

nmap nse script / metasploit options
for manual methodology and additional information https://book.hacktricks.xyz/network-services-pentesting/9100-pjl

Elasticsearch

metasploit options
If brute forcing use hydra hydra -L <username wordlist> -P <password wordlist> localhost -s <port> http-get /
for manual methodology and additional information https://book.hacktricks.xyz/network-services-pentesting/9200-pentesting-elasticsearch

Network-Data-Management-Protocol

nmap nse scripts / metasploit options

Memcache

nmap nse scripts / metasploit options
for manual methodology and additional information https://book.hacktricks.xyz/network-services-pentesting/11211-memcache

RabbitMQ-Management

if web management console is available in browser use hydra http methodology to brute force web portal
for manual methodology and additional information https://book.hacktricks.xyz/network-services-pentesting/15672-pentesting-rabbitmq-management

GlusterFS

get the name of the GlusterFS remote shares gluster --remote-host=<ip> volume list
for manual methodology and additional information https://book.hacktricks.xyz/network-services-pentesting/24007-24008-24009-49152-pentesting-glusterfs

MongoDB

nmap nse scripts
if brute forcing use metasploit module auxiliary/scanner/mongodb/mongodb_login
for manual methodology and additional information https://book.hacktricks.xyz/network-services-pentesting/27017-27018-mongodb

Tiller

for manual methodology and additional information https://book.hacktricks.xyz/network-services-pentesting/44134-pentesting-tiller-helm

SAP

for manual methodology and additional information https://book.hacktricks.xyz/network-services-pentesting/pentesting-sap

Hadoop

nmap nse scrips
for additional information https://book.hacktricks.xyz/network-services-pentesting/50030-50060-50070-50075-50090-pentesting-hadoop

DHCP

nmap nse scripts

TFTP

nmap nse scripts / metasploit options
if brute forcing use metasploit module auxiliary/scanner/tftp/tftpbrute
for manual methodology and additional information https://book.hacktricks.xyz/network-services-pentesting/69-udp-tftp

Rusersd

nmap nse scrips
rusers system tool rusers -l <ip>

WS-Discovery

nmap nse scripts / metasploit options
for additional information https://book.hacktricks.xyz/network-services-pentesting/3702-udp-pentesting-ws-discovery

mDNS

nmap nse scripts / metasploit options
use Pholus to send mDNS requests to enumerate LAN python3 pholus3.py eth0 -rq -stimeout 10
for additional information https://book.hacktricks.xyz/network-services-pentesting/5353-udp-multicast-dns-mdns

BACNet

nmap nse scripts / metasploit options
for manual enumeration and additional information https://book.hacktricks.xyz/network-services-pentesting/47808-udp-bacnet4

DNS

run dns recon dnsrecon -r 127.0.0.0/24 -n <ip> -d <domain> dnsrecon -r 127.0.1.0/24 -n <ip> -d <domain> dnsrecon -r <network>/<CIDR> -n <ip> -d <domain>
run nslookup nslookup <ip> OR <domain>
dns zone transfer dig axfr @<ip> dig axfr @<ip> <domain> fierce -dns <domain>
run dig active directory enumeration dig -t _gc._<domain> && dig -t _ldap._<domain> && dig -t _kerberos._<domain> && dig -t _kpasswd._<domain>
run nmap nse scripts / metasploit options
for manual methodology and more information https://book.hacktricks.xyz/network-services-pentesting/pentesting-dns

Kerberos

run nmap nse scripts / metasploit options
get list of user service principal names GetUserSPNs.py -request -dc-ip <ip> <domain>/svc_tgs
if brute forcing use kerbrute (https://github.com/ropnop/kerbrute)
for additional information https://book.hacktricks.xyz/network-services-pentesting/pentesting-kerberos-88

Rpcbind

get rpc info through whois and netcat whois -h <ip> -p 43 <domain name> && echo <domain name> | nc -vn <ip> 43
use nmap nse scripts / metasploit options nmap -sSUC -p <port> <ip>
for manual methodology and additional information https://book.hacktricks.xyz/network-services-pentesting/pentesting-rpcbind

NTP

nmap nse scripts / metasploit options
run ntpq ntpq -c readlist <ip> ntpq -c readvar ntpq -c peers ntpq -c associations ntpdc -c monlist ntpdc -c listpeers ntpdc -c sysinfo `
for additional information https://book.hacktricks.xyz/network-services-pentesting/pentesting-ntp

MSRPC

nmap nse scripts / metasploit options
for manual methodology and additional information

Netbios

run nmblookup nmblookup -A <ip>
run nbtscan nbtscan <ip>/30
nmap nse scripts / metasploit options
for additional information
- https://book.hacktricks.xyz/network-services-pentesting/137-138-139-pentesting-netbios
- https://0xffsec.com/handbook/services/netbios/

SNMP

run snmp-check snmp-check <ip>
nmap nse scripts / metasploit modules
run snmpwalk snmpwalk -c public -v1 <ip> 1
if brute forcing
- use hydra hydra -P <commmunity wordlist> <ip> snmp OR
- use onesixtyone onesixtyone -c <community wordlist> <ip> OR
- use nmap nmap -sU --script snmp-brute <ip> --script-args snmp-brute.communitiesdb=<community wordlist> OR
- use metasploit module auxiliary/scanner/snmp/snmp_login
for manual methodology and additional information https://book.hacktricks.xyz/network-services-pentesting/pentesting-snmp

IRC

banner grab nc -vn <ip> <port>
cert grab openssl s_client -connect <ip>:<port> -quiet
nmap nse scripts / metasploit options
if brute forcing use nmap nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=<username wordlist>,passdb=<password wordlist> -p <port> <ip>
for manual methodology and additional information https://book.hacktricks.xyz/network-services-pentesting/pentesting-irc

LDAP

nmap nse scripts / metasploit options
run base ldapsearch ldapsearch -H ldap://<ip> -x
run ldapsearch naming context dump ldapsearch -H ldap://<ip> -x -s base namingcontexts
if brute forcing use nmap nmap --script ldap-brute -p <port> <IP>
for manual methodology and additional information https://book.hacktricks.xyz/network-services-pentesting/pentesting-ldap

IPsec/IKE-VPN/PPTP

use ike-scan ike-scan --dport=1723 --auth=1 <ip> ike-scan --dport=1723 --auth=3 <ip> ike-scan --dport=1723 --auth=64221 <ip>
- check out first link for addtional option examples
nmap scan nmap -Pn -ssV -p1723 <ip>
use thc-pptp-bruter if brute forcing
- Download .deb package at (https://http.kali.org/pool/main/t/thc-pptp-bruter/)
- install via sudo dpkg -i thc-pptp-bruter*.deb
- cat <wordlist> | thc-pptp-bruter -u <username> <ip>
if brute forcing key use psk-crack psk-crack <hash file> psk-crack -b 5 <ip> psk-crack -b 5 --charset="01233456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" <ip> psk-crack -d wordlist.txt <ip>
for manual methodology and additional information

Intelligent-Platform-Management-Interface

nmap nse scripts / metasploit options
if brute forcing use metasploit module auxiliary/scanner/ipmi/ipmi_dumphashes
for manual methodology and additional information https://book.hacktricks.xyz/network-services-pentesting/623-udp-ipmi

Socks-Proxy

nmap nse scripts
if brute forcing use nmap nmap -vvv -sCV --script socks-brute --script-args userdb=<username wordlist>,passdb=<password wordlist>,unpwndb.timelimit=30m -p <port> <ip>
for additional information https://book.hacktricks.xyz/network-services-pentesting/1080-pentesting-socks

NFS

nmap nse scripts / metasploit options
get the available shares showmount -e <ip>
manually mount share mount -t nfs -o ver=2 <ip>:<mount path> <local mount>
for manual methodology and additional information https://book.hacktricks.xyz/network-services-pentesting/nfs-service-pentesting

RSIP

for manual methodology https://cheatsheet.haax.fr/network/services-enumeration/4555_rsip/

Kibana

for additional information https://book.hacktricks.xyz/network-services-pentesting/5601-pentesting-kibana

RabbitMQ

nmap nse scripts / metasploit options nmap -sV -Pn -n -T4 -p 5672 --script amqp-info <host>
if brute forcing use metasploit module auxiliary/scanner/amqp/amqp_login
for manual methodology and additional information https://book.hacktricks.xyz/network-services-pentesting/5671-5672-pentesting-amqp

CouchDB

nmap vuln scripts / metasploit options
if brute forcing
- use hydra hydra -L <username wordlist> -P <password wordlist> localhost -s <port> http-get / OR
- use metasploit module auxiliary/scanner/couchdb/couchdb_login
for manual methodology and additional information https://book.hacktricks.xyz/network-services-pentesting/5984-pentesting-couchdb

EthernetIP

nmap nse scripts
run cpppo python3 -m cpppo.server.enip.list_services [--udp] [--broadcast] --list-identity -a <ip>
for additional information https://book.hacktricks.xyz/network-services-pentesting/44818-ethernetip

Files

Service Methodology.md

Latest commit

History

Service Methodology.md

File metadata and controls

Table of Contents

TCP

UDP

TCP/UDP

Brute force resources

FTP

SSH

Telnet

SMTP

Whois

Tacacs+

Finger

HTTP/HTTPS

POP3

Ident

NNTP/NNTPS

IMAP

Smux

Checkpoint-Firewall

SMB

Modbus

Rexec

Rlogin

Rsh

Line-Printer-Daemon

Apple-Filing-Protocol

RTSP

Cups

Rsync

Java-RMI

Microsoft-SQL-Server

Oracle-Database-Server

Mosquito

Oracle-XML-DB

Compaq/HP-Insight-Manager

Docker

Squid

ISCSI

SAPRouter

MySQL

RDP

Distcc

Subversion

Erlang-Port-Mapper-Daemon

RSIP

Cisco-Smart-Install

Docker-Registry

Android-Debug-Bridge

Postgresql

Redshift

VNC

WinRM

X11

Redis

Java-Debug-Wire

Apache-Jserv

InfluxDB

Splunkd

Bitcoin

HyperSQL-Database

Apache-Casandra

Raw-Printing

Elasticsearch

Network-Data-Management-Protocol

Memcache

RabbitMQ-Management

GlusterFS

MongoDB

Tiller

SAP

Hadoop

DHCP

TFTP

Rusersd