Table Of Contents
- Common Ports
- Health Care Protocol & Ports
- Scada Protocols & Ports
- TTL Fingerprinting
- IPv4
- Classful IPv4 Ranges
- Reserved Private Ranges
- Subnetting
- Calculating Subnet Range
- IPv6
- Broadcast Addresses
- Interface Addresses
- IPV6 Tools
- Networking
- Cisco Commands
- SNMP Tools
- DNSRecon & NMap Reverse DNS
COMMON PORTS
| PORT# | SERVICE | PORT# | SERVICE |
|---|---|---|---|
| 20 | FTP (Data Connection) | 514 | Syslog (UDP); rsh (TCP) |
| 21 | FTP (Control Connection) | 520 | RIP (UDP) |
| 22 | SSH/SCP/SFTP | 546-547 | DHCPv6 (UDP) |
| 23 | Telnet | 587 | SMTP (Submission) |
| 25 | SMTP | 902 | VMware Server/ESXi |
| 49 | TACACS+ | 1080 | SOCKS Proxy |
| 53 | DNS (UDP/TCP) | 1194 | OpenVPN |
| 67-68 | DHCP/BOOTP (UDP) | 1433-1434 | MS-SQL (1434 UDP browser service) |
| 69 | TFTP (UDP) | 1521 | Oracle TNS Listener |
| 80 | HTTP | 2049 | NFS |
| 88 | Kerberos | 3128 | Squid Proxy |
| 110 | POP3 | 3306 | MySQL |
| 111 | RPC portmapper (rpcbind) | 3389 | RDP |
| 123 | NTP (UDP) | 5060 | SIP |
| 135 | Windows RPC (endpoint mapper) | 5222-5223 | XMPP/Jabber |
| 137-138 | NetBIOS Name/Datagram (UDP) | 5432 | PostgreSQL |
| 139 | NetBIOS Session (SMB over NetBIOS) | 5666 | Nagios NRPE |
| 143 | IMAP4 | 5900 | VNC |
| 161-162 | SNMP / SNMP Trap (UDP) | 6000-6063 | X11 |
| 179 | BGP | 6129, 6133 | DameWare |
| 201 | AppleTalk Routing Maintenance | 6665-6669 | IRC |
| 389 | LDAP | 9001 | Tor ORPort |
| 443 | HTTPS | 9001 | HSQLDB |
| 445 | SMB (direct over TCP) | 9090-9091 | Openfire |
| 500 | ISAKMP/IKE (UDP) | 9100 | HP JetDirect |
HEALTH CARE PROTOCOLS & PORTS
| PORT# | SERVICE | PORT# | SERVICE |
|---|---|---|---|
| 20 | FTP (Data Connection) | 49 | TACACS+ |
| 21 | FTP (Control Connection) | 53 | DNS |
| 22 | SSH/SCP | 67-68 | DHCP/BOOTP |
| 23 | Telnet | 69 | TFTP (UDP) |
| 25 | SMTP | - | - |
SCADA PROTOCOLS & PORTS
| PORT# | SERVICE | PORT# | SERVICE |
|---|---|---|---|
| 20 | FTP (Data Connection) | 502 | Modbus TCP |
| 21 | FTP (Control Connection) | 1089-1091 | Foundation Fieldbus HSE (UDP/TCP) |
| 22 | SSH/SCP | 2222 | EtherNet/IP implicit I/O (UDP) |
| 23 | Telnet | 4000 | ROC Plus (UDP/TCP) |
| 25 | SMTP | 4840 | OPC UA Discovery Server |
| 49 | TACACS+ | 20000 | DNP3 (UDP/TCP) |
| 53 | DNS | 34962-34964 | PROFINET (UDP/TCP) |
| 67-68 | DHCP/BOOTP | 34980 | EtherCAT (UDP) |
| 69 | TFTP (UDP) | 44818 | EtherNet/IP explicit messaging (UDP/TCP) |
| 80 | OPC UA XML (HTTP) | 47808 | BACnet/IP (UDP) |
| 102 | ICCP / ISO-TSAP (also Siemens S7) | 55000-55003 | FL-net (UDP) |
| 443 | OPC UA XML (HTTPS) | - | - |
TTL FINGERPRINTING
| TTL | OS | TTL | OS |
|---|---|---|---|
| 128 | Windows | 255 | Network devices (Cisco IOS and similar) |
| 64 | Linux/Unix/macOS | 255 | Solaris |
- Note: the TTL seen in a reply is the sender's initial TTL minus the number of hops traversed, so round the observed value up to the nearest of 64/128/255 and treat the difference as the hop count. A NAT device, load balancer or proxy in the path answers with its own TTL, not the real host's.
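The rounding rule in the note above, carried out on ping output, as an added example (not code from the original page). It parses Linux/BSD and Windows ping reply lines, infers the OS family from the nearest common initial TTL, and reports the estimated hop count; the sample reply lines are constructed, not captured from real hosts.

```python
import re

# Initial TTLs behind the table above (a reply's TTL = sender's initial TTL - hops traversed).
INITIAL_TTLS = {64: "Linux/Unix/macOS", 128: "Windows", 255: "Network device / Solaris"}


def guess_os(observed_ttl):
    """Return (os_family, hops) for an observed TTL, rounding up to the nearest
    common initial TTL. Returns (None, None) for an impossible value."""
    if not 0 < observed_ttl <= 255:
        return None, None
    initial = min(t for t in INITIAL_TTLS if t >= observed_ttl)
    return INITIAL_TTLS[initial], initial - observed_ttl


# Matches both Linux/BSD ("64 bytes from 10.0.0.5: ... ttl=57 ...") and Windows
# ("Reply from 10.0.0.9: bytes=32 time=4ms TTL=254") ping reply lines.
PING_RE = re.compile(r"from (?P<host>[^\s:]+).*?\bttl=(?P<ttl>\d+)", re.IGNORECASE)


def fingerprint_ping_output(text):
    """Map each replying host to (os_family, hops) from raw ping output."""
    results = {}
    for line in text.splitlines():
        m = PING_RE.search(line)
        if m:
            results[m.group("host")] = guess_os(int(m.group("ttl")))
    return results


# Constructed sample ping replies (not captured from real hosts).
SAMPLE_PING = """\
64 bytes from 10.0.0.5: icmp_seq=1 ttl=57 time=12.3 ms
64 bytes from 10.0.0.20: icmp_seq=1 ttl=117 time=3.1 ms
Reply from 10.0.0.9: bytes=32 time=4ms TTL=254
"""

if __name__ == "__main__":
    for host, (os_family, hops) in fingerprint_ping_output(SAMPLE_PING).items():
        print(f"{host:<12} {os_family:<25} ~{hops} hops away")
```

The 255 bucket cannot separate a router from a Solaris box, and a host many hops away with an initial TTL of 128 can look like a nearby 64-TTL host; treat the result as a hint to confirm with a proper OS scan.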
IPv4
CLASSFUL IPV4 RANGES
| CLASS | RANGE |
|---|---|
| Class A Range | 0.0.0.0 – 127.255.255.255 (0.0.0.0/8 and 127.0.0.0/8 are special-purpose) |
| Class B Range | 128.0.0.0 – 191.255.255.255 |
| Class C Range | 192.0.0.0 – 223.255.255.255 |
| Class D Range (multicast) | 224.0.0.0 – 239.255.255.255 |
| Class E Range (reserved/experimental) | 240.0.0.0 – 255.255.255.255 |
RESERVED PRIVATE RANGES
| CLASS | RANGE | CIDR |
|---|---|---|
| Class A Range (RFC 1918) | 10.0.0.0 – 10.255.255.255 | 10.0.0.0/8 |
| Class B Range (RFC 1918) | 172.16.0.0 – 172.31.255.255 | 172.16.0.0/12 |
| Class C Range (RFC 1918) | 192.168.0.0 – 192.168.255.255 | 192.168.0.0/16 |
| Loopback Range (not RFC 1918; never leaves the host) | 127.0.0.0 – 127.255.255.255 | 127.0.0.0/8 |
SUBNETTING
| CIDR | SUBNET-MASK | USABLE-HOSTS |
|---|---|---|
| /32 | 255.255.255.255 | 1 Host (single address) |
| /31 | 255.255.255.254 | 0 Hosts (2 on point-to-point links, RFC 3021) |
| /30 | 255.255.255.252 | 2 Hosts |
| /29 | 255.255.255.248 | 6 Hosts |
| /28 | 255.255.255.240 | 14 Hosts |
| /27 | 255.255.255.224 | 30 Hosts |
| /26 | 255.255.255.192 | 62 Hosts |
| /25 | 255.255.255.128 | 126 Hosts |
| /24 | 255.255.255.0 | 254 Hosts |
| /23 | 255.255.254.0 | 510 Hosts |
| /22 | 255.255.252.0 | 1022 Hosts |
| /21 | 255.255.248.0 | 2046 Hosts |
| /20 | 255.255.240.0 | 4094 Hosts |
| /19 | 255.255.224.0 | 8190 Hosts |
| /18 | 255.255.192.0 | 16382 Hosts |
| /17 | 255.255.128.0 | 32766 Hosts |
| /16 | 255.255.0.0 | 65534 Hosts |
| /15 | 255.254.0.0 | 131070 Hosts |
| /14 | 255.252.0.0 | 262142 Hosts |
| /13 | 255.248.0.0 | 524286 Hosts |
| /12 | 255.240.0.0 | 1048574 Hosts |
| /11 | 255.224.0.0 | 2097150 Hosts |
| /10 | 255.192.0.0 | 4194302 Hosts |
| /9 | 255.128.0.0 | 8388606 Hosts |
| /8 | 255.0.0.0 | 16777214 Hosts |
CALCULATING SUBNET RANGE
- More info at: https://www.calculator.net/ip-subnet-calculator.html
- Given: 1.1.1.101/28
- /28 = 255.255.255.240 netmask
- 256 - 240 = 16 = block size, so subnets start at multiples of 16 in the last octet, i.e.
- 1.1.1.0
- 1.1.1.16
- 1.1.1.32 ... 1.1.1.96, 1.1.1.112 ...
- 101 falls in the block starting at 96 (6 x 16), so the subnet is 1.1.1.96 - 1.1.1.111
- Network address 1.1.1.96, broadcast 1.1.1.111, usable hosts 1.1.1.97 - 1.1.1.110 (14 hosts)
- The same method works on any octet: subtract the mask octet from 256 to get the block size (e.g. /22 = 255.255.252.0 gives blocks of 4 in the third octet)
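The block-size method above, generalised to any prefix length with bitwise arithmetic, as an added example (not code from the original page). It derives the mask, network, broadcast and usable range for a CIDR string, handles the /31 and /32 edge cases from the subnetting table, and cross-checks its answer against the standard library; the function names are this example's own.

```python
import ipaddress


def mask_from_prefix(prefix):
    """Dotted-quad netmask for a prefix length, e.g. 28 -> 255.255.255.240."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask))


def subnet_range(cidr):
    """Compute the subnet an address belongs to, the way the worked example does by hand."""
    ip_str, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    ip = int(ipaddress.IPv4Address(ip_str))
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    network = ip & mask                      # clear the host bits
    broadcast = network | (~mask & 0xFFFFFFFF)  # set the host bits
    block = 1 << (32 - prefix)               # the "256 - 240 = 16" step for any prefix
    if prefix == 32:                         # single address
        first, last, usable = network, network, 1
    elif prefix == 31:                       # RFC 3021 point-to-point link
        first, last, usable = network, broadcast, 2
    else:                                    # classic: drop network and broadcast
        first, last, usable = network + 1, broadcast - 1, block - 2
    return {
        "netmask": mask_from_prefix(prefix),
        "block_size": block,
        "network": str(ipaddress.IPv4Address(network)),
        "broadcast": str(ipaddress.IPv4Address(broadcast)),
        "first_host": str(ipaddress.IPv4Address(first)),
        "last_host": str(ipaddress.IPv4Address(last)),
        "usable_hosts": usable,
    }


def cross_check(cidr):
    """Confirm the bitwise result against ipaddress.ip_network()."""
    net = ipaddress.ip_network(cidr, strict=False)
    r = subnet_range(cidr)
    return (r["network"] == str(net.network_address)
            and r["broadcast"] == str(net.broadcast_address))


def subnet_table(low=8, high=32):
    """Regenerate the subnetting table above as (cidr, mask, usable hosts) rows."""
    return [(f"/{p}", mask_from_prefix(p), subnet_range(f"0.0.0.0/{p}")["usable_hosts"])
            for p in range(high, low - 1, -1)]


if __name__ == "__main__":
    r = subnet_range("1.1.1.101/28")
    print(f"{r['network']} - {r['broadcast']} (hosts {r['first_host']} - {r['last_host']}, "
          f"{r['usable_hosts']} usable, block {r['block_size']}, mask {r['netmask']})")
    for row in subnet_table(24, 32):
        print(*row)
```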
IPv6
BROADCAST ADDRESSES
- Note: IPv6 has no broadcast address; these well-known multicast groups serve the same purpose. The fourth hex digit of ff0X:: is the scope (1 = interface/node-local, 2 = link-local, 5 = site-local); group ID 1 is "all nodes" and 2 is "all routers".
| TYPE | ADDRESS |
|---|---|
| link-local all nodes | ff02::1 |
| node-local (interface-local) all routers | ff01::2 |
| link-local all routers | ff02::2 |
| site-local all routers | ff05::2 |
INTERFACE ADDRESSES
| TYPE | ADDRESS / PREFIX |
|---|---|
| Link-local (auto-configured on every interface, never routed) | fe80::/10 |
| Routable (common global unicast allocation) | 2001::/16 (2001:db8::/32 is reserved for documentation) |
| IPv4-compatible IPv6 (Example: ::192.168.1.2); deprecated by RFC 4291 | ::a.b.c.d |
| IPv4-mapped IPv6 (Example: ::FFFF:129.144.52.38); how dual-stack sockets present IPv4 peers | ::ffff:a.b.c.d |
| Global Unicast | 2000::/3 |
| Unique Local (private, RFC 4193; fd00::/8 in practice) | fc00::/7 |
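A classifier that applies the two IPv6 tables above, as an added example (not code from the original page): it decodes the scope nibble and group ID of a multicast address, recognises the two IPv4-embedding forms, and otherwise buckets an address by the unicast prefixes listed. The function name and the check order are this example's own; the standard `ipaddress` module does the parsing.

```python
import ipaddress

# Scope nibble of ff0X:: multicast addresses (RFC 4291 section 2.7).
MULTICAST_SCOPES = {
    0x1: "interface-local (node-local)",
    0x2: "link-local",
    0x4: "admin-local",
    0x5: "site-local",
    0x8: "organization-local",
    0xE: "global",
}
# Well-known group IDs used in the multicast table above.
WELL_KNOWN_GROUPS = {1: "all nodes", 2: "all routers"}


def classify_ipv6(text):
    """Return (kind, detail) for an IPv6 address string.

    Checks are ordered so that multicast and the two IPv4-embedding forms are
    recognised before the generic unicast prefixes."""
    ip = ipaddress.IPv6Address(text)
    if ip.is_multicast:
        scope = int(ip.exploded[3], 16)            # fourth hex digit of ff0X
        group = int(ip) & ((1 << 112) - 1)         # low 112 bits = group ID
        scope_name = MULTICAST_SCOPES.get(scope, f"scope 0x{scope:x}")
        group_name = WELL_KNOWN_GROUPS.get(group, f"group 0x{group:x}")
        return "multicast", f"{scope_name} {group_name}"
    if ip.ipv4_mapped is not None:                 # ::ffff:a.b.c.d
        return "ipv4-mapped", str(ip.ipv4_mapped)
    if ip.is_unspecified:
        return "unspecified", "::"
    if ip.is_loopback:
        return "loopback", "::1"
    if ip in ipaddress.IPv6Network("::/96"):       # ::a.b.c.d, deprecated by RFC 4291
        return "ipv4-compatible (deprecated)", str(ipaddress.IPv4Address(int(ip)))
    if ip.is_link_local:
        return "link-local", "fe80::/10"
    if ip in ipaddress.IPv6Network("fc00::/7"):
        return "unique-local", "fc00::/7"
    if ip in ipaddress.IPv6Network("2000::/3"):
        return "global-unicast", "2000::/3"
    return "other/reserved", ""


if __name__ == "__main__":
    for sample in ("ff02::1", "ff01::2", "ff05::2", "fe80::1", "::ffff:129.144.52.38",
                   "::192.168.1.2", "fd12:3456::1", "2001:db8::1"):
        kind, detail = classify_ipv6(sample)
        print(f"{sample:<22} {kind:<28} {detail}")
```

The IPv4-mapped check runs before the loopback check on purpose: `::ffff:127.0.0.1` is an IPv4 peer on a dual-stack socket, and treating it as IPv6 loopback is a common mistake in address-based allow lists.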
IPV6 TOOLS
- More info at: https://github.com/vanhauser-thc/thc-ipv6
Remote network DoS (floods the target link via the all-nodes multicast group; only with authorisation)
rsmurf6 <INTERFACE_NAME> <REMOTE_IPV6>
socat tunnel: expose an IPv6-only service on a local IPv4 port so IPv4-only tools can reach it
socat TCP-LISTEN:<LISTEN_PORT>,reuseaddr,fork TCP6:[<IPv6_ADDRESS>]:<SEND_TO_PORT>
NETWORKING
CISCO COMMANDS
- Note: each command below is shown with the prompt at which it is typed: `>` user exec, `#` privileged exec, `(config)#` global configuration, `(config-if)#` interface configuration, `(config-line)#` line configuration. The prompt is not part of the command.
Enter privileged exec mode (enable mode; the prompt changes from '>' to '#')
> enable
Enter global configuration mode
# configure terminal
Configure interface FastEthernet 0/0
(config)# interface fa0/0
Add an IP address to fa0/0
(config-if)# ip address <IP_ADDRESS> <SUBNET_MASK>
Configure the vty (remote access) lines
(config)# line vty 0 4
Require a password for vty logins (`login` with no password set refuses remote logins)
(config-line)# login
(config-line)# password <PASSWORD>
Allow only SSH on the vty lines (Telnet sends the password in clear text)
(config-line)# transport input ssh
Active outbound sessions / users logged in
# show sessions
# show users
IOS version
# show version
Available file systems
# show file systems
Files on all file systems
# dir all-filesystems
List deleted and undeleted files and files with errors
# dir /all
Config loaded in memory
# show running-config
Config loaded at boot
# show startup-config
Interfaces
# show ip interface brief
Detailed interface info
# show interface <INTERFACE_NAME>
Routes
# show ip route
Access lists
# show access-lists
No paging of output
# terminal length 0
Replace the startup config with the running config
# copy running-config startup-config
Back up the running configuration to an external TFTP server (clear text, and the config contains credentials)
# copy running-config tftp
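A small auditor for the `show running-config` output the commands above produce, as an added example (not code from the original page or from Cisco). It splits the config into sections, pulls the interface addresses that `show ip interface brief` would list, and flags vty lines that still accept Telnet, carry a type 0 password, or have `login` with no password. The config excerpt is constructed for the example and the function names are this example's own.

```python
import re

# Constructed running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
!
hostname edge-rtr
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 no shutdown
!
interface FastEthernet0/1
 no ip address
 shutdown
!
line vty 0 4
 password cisco123
 login
 transport input telnet ssh
!
line vty 5 15
 login
 transport input ssh
!
end
"""


def parse_sections(config):
    """Split an IOS config into (header, [indented child lines]) pairs.
    Top-level commands become headers with no children; '!' separators are dropped."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def interface_addresses(config):
    """Map interface name -> (ip, mask) for every interface with a static address."""
    result = {}
    for header, children in parse_sections(config):
        if not header.startswith("interface "):
            continue
        name = header.split(None, 1)[1]
        for child in children:
            m = re.match(r"ip address (\S+) (\S+)$", child)
            if m:
                result[name] = (m.group(1), m.group(2))
    return result


def vty_findings(config):
    """Findings for each 'line vty' block: Telnet allowed, plaintext password, login without password."""
    findings = []
    for header, children in parse_sections(config):
        if not header.startswith("line vty"):
            continue
        transports, has_password, plaintext = set(), False, False
        for child in children:
            if child.startswith("transport input"):
                transports.update(child.split()[2:])
            elif child.startswith("password"):
                has_password = True
                parts = child.split()
                # "password 7 <hash>" / "password 0 <text>" carry a type; bare "password <text>" is type 0
                plaintext = len(parts) == 2 or parts[1] == "0"
        if "telnet" in transports or "all" in transports:
            findings.append(f"{header}: telnet permitted (transport input {' '.join(sorted(transports))})")
        if has_password and plaintext:
            findings.append(f"{header}: plaintext (type 0) password")
        if "login" in children and not has_password:
            findings.append(f"{header}: 'login' with no password set; remote logins will be refused")
    return findings


if __name__ == "__main__":
    print(interface_addresses(SAMPLE_CONFIG))
    for finding in vty_findings(SAMPLE_CONFIG):
        print(finding)
```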
SNMP TOOLS
- Note: walking the whole tree (`1`) is slow and noisy; walk the specific subtree instead: hrSWRunName = 1.3.6.1.2.1.25.4.2.1.2, hrSWInstalledName = 1.3.6.1.2.1.25.6.3.1.2, tcpConnState = 1.3.6.1.2.1.6.13.1.1, LanMan users = 1.3.6.1.4.1.77.1.2.25. The `cut` field numbers below depend on whether MIB names are resolved, so check the raw output first.
List Windows running processes
snmpwalk -c public -v1 <IP_ADDRESS> 1 | grep hrSWRunName | cut -d" " -f4
List Windows open TCP ports
snmpwalk -c public -v1 <IP_ADDRESS> 1 | grep tcpConnState | cut -d" " -f6 | sort -u
List Windows installed software
snmpwalk -c public -v1 <IP_ADDRESS> 1 | grep hrSWInstalledName
List Windows users
snmpwalk -c public -v1 <IP_ADDRESS> 1.3 | grep 77.1.2.25 | cut -d" " -f4
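A parser for the snmpwalk output those four pipelines filter, as an added example (not code from the original page or from net-snmp). Instead of cutting on field position it parses each line into OID, type and value, decodes the `tcpConnState` index (local address, local port, remote address, remote port) to keep only listening sockets, and decodes the LanMan user table index, which encodes the user name as `<length>.<ascii byte>...`. The walk output is constructed for the example, not captured from a real host.

```python
import re
from collections import defaultdict

# Constructed sample of "snmpwalk -v1" output with MIB names resolved (not from a real host).
SAMPLE_WALK = """\
HOST-RESOURCES-MIB::hrSWRunName.1 = STRING: "System Idle Process"
HOST-RESOURCES-MIB::hrSWRunName.4 = STRING: "System"
HOST-RESOURCES-MIB::hrSWRunName.612 = STRING: "lsass.exe"
HOST-RESOURCES-MIB::hrSWInstalledName.1 = STRING: "Microsoft Visual C++ 2015 Redistributable (x64)"
TCP-MIB::tcpConnState.0.0.0.0.135.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.0.0.0.0.445.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.10.0.0.5.3389.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.10.0.0.5.49158.10.0.0.9.445 = INTEGER: established(5)
SNMPv2-SMI::enterprises.77.1.2.25.1.1.5.65.100.109.105.110 = STRING: "Admin"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest"
"""

LINE_RE = re.compile(r'^(?P<oid>\S+) = (?P<type>[A-Za-z0-9-]+): ?(?P<value>.*)$')
# tcpConnState index: <local ip>.<local port>.<remote ip>.<remote port>
TCP_CONN_RE = re.compile(r'tcpConnState\.(\d+\.\d+\.\d+\.\d+)\.(\d+)\.(\d+\.\d+\.\d+\.\d+)\.(\d+)$')
# LanMan user table index: <name length>.<ascii byte>...
LANMAN_RE = re.compile(r'77\.1\.2\.25\.1\.1\.(\d+)((?:\.\d+)+)$')


def parse_walk(text):
    """Yield (oid, type, value) tuples, unquoting STRING values."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        value = m.group("value")
        if m.group("type") == "STRING":
            value = value.strip('"')
        yield m.group("oid"), m.group("type"), value


def decode_lanman_index(oid):
    """Recover the user name from the OID index alone (useful when the value is truncated)."""
    m = LANMAN_RE.search(oid)
    if not m:
        return None
    length = int(m.group(1))
    octets = [int(x) for x in m.group(2).split(".")[1:]]
    return "".join(chr(b) for b in octets[:length])


def summarize(text):
    """Group a walk into processes, installed software, users and listening TCP ports."""
    summary = defaultdict(list)
    for oid, _typ, value in parse_walk(text):
        if "hrSWRunName." in oid:
            summary["processes"].append(value)
        elif "hrSWInstalledName." in oid:
            summary["software"].append(value)
        elif "77.1.2.25." in oid:                 # Windows LanMan users table
            summary["users"].append(value)
        elif "tcpConnState." in oid:
            conn = TCP_CONN_RE.search(oid)
            if conn and value.startswith("listen"):
                summary["listening"].append(int(conn.group(2)))
    summary["listening"] = sorted(set(summary["listening"]))
    return dict(summary)


if __name__ == "__main__":
    for key, items in summarize(SAMPLE_WALK).items():
        print(f"{key}: {items}")
```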
DNSRECON & NMAP REVERSE DNS
- More info at: https://github.com/darkoperator/dnsrecon
Reverse lookup for an IP range
dnsrecon.py -t rvl -r <CIDR_IP_RANGE> -n <DNS_IP_ADDRESS>
Retrieve standard DNS records (SOA, NS, MX, A, AAAA, SRV, TXT)
dnsrecon.py -t std -d <DOMAIN_NAME>
Enumerate subdomains by brute force (-D is the hostname wordlist)
dnsrecon.py -t brt -d <DOMAIN_NAME> -D <HOSTS>
DNS zone transfer (attempts AXFR against every name server of the domain)
dnsrecon.py -d <DOMAIN_NAME> -t axfr
Reverse DNS lookup (nmap list scan; no probes are sent to the hosts) and output parser that writes "hostname ip" pairs
nmap -R -sL -Pn --dns-servers <DNS_SERVER_IP> <IP_RANGE> | awk '{if(($1" "$2" "$3)=="Nmap scan report")print $5" "$6}' | sed 's/(//g' | sed 's/)//g' > <OUTPUT_PATH>