Mastering Port Penetration: From Scanning to Exploitation
This comprehensive guide explains how to improve penetration testing efficiency by focusing on port enumeration, banner grabbing, service identification, default port knowledge, and a variety of attack techniques—including brute‑force, exploitation of known vulnerabilities, and protocol‑specific tricks—across common network services and applications.
0x00 Background
During recent penetration tests I discovered that targeting ports can significantly improve efficiency, which led to the creation of this article.
Key points to consider during port penetration:
Port banner information
Services running on the port
Common default ports for applications
nmap is the most common tool for gathering this information, though specialized scanners for ports such as 3389 or 1433 can also be used.
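As an added example that is not part of the original article, the Python script below performs the service-identification step offline: it takes a set of constructed banners (the first bytes a service sends, or answers with, after a TCP connect), identifies the service and version from the banner rather than from the port number, and flags listeners whose banner does not match the default-port table. The sample banners, the regexes and the EXPECTED table are this example's own assumptions; nothing here is nmap output or data from a real host.

```python
import re

# Constructed sample banners (not captured from any real host): the first bytes
# each service typically sends, or answers with, after a TCP connect.
SAMPLE_BANNERS = {
    21:   b"220 (vsFTPd 3.0.3)\r\n",
    22:   b"SSH-2.0-OpenSSH_7.4\r\n",
    23:   b"\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd'",          # telnet option negotiation
    25:   b"220 mail.example.test ESMTP Postfix\r\n",
    80:   b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nContent-Length: 0\r\n\r\n",
    2222: b"SSH-2.0-OpenSSH_8.9\r\n",                           # SSH moved off its default port
    3306: b"J\x00\x00\x00\x0a5.7.33-0ubuntu0.18.04.1\x00\x08\x00\x00\x00",  # MySQL handshake
    6379: b"-NOAUTH Authentication required.\r\n",              # Redis reply to an unauthenticated command
}

# Service signatures tried in order; the first regex that matches wins.
# Named groups: sw = software name, ver = version string (both optional).
SIGNATURES = [
    ("ssh",    re.compile(r"^SSH-(?P<ver>\d\.\d)-(?P<sw>\S+)")),
    ("ftp",    re.compile(r"^220[ -].*?(?P<sw>vsFTPd|ProFTPD|Pure-FTPd|FileZilla)[ )]*(?P<ver>[\d.]+)?", re.I)),
    ("smtp",   re.compile(r"^220[ -].*?ESMTP\s*(?P<sw>\S+)?", re.I)),
    ("http",   re.compile(r"^HTTP/\d\.\d \d{3}(?:.*?Server:\s*(?P<sw>[^/\r\n]+)/?(?P<ver>[\d.]+)?)?", re.I | re.S)),
    ("mysql",  re.compile(r"^.{4}\x0a(?P<ver>[\d.]+)", re.S)),   # 4-byte header, protocol 10, version
    ("redis",  re.compile(r"^[-+](?:NOAUTH|PONG|ERR|OK)", re.I)),
    ("telnet", re.compile(r"^\xff[\xfb-\xfe]")),                  # IAC WILL/WONT/DO/DONT
]

# Default-port table for the services this example recognises (assumption).
EXPECTED = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http",
            3306: "mysql", 6379: "redis"}


def identify(port, raw):
    """Classify one banner. Returns a dict with service, software and version."""
    text = raw.decode("latin-1")  # lossless: every byte becomes exactly one code point
    for service, sig in SIGNATURES:
        m = sig.search(text)
        if m:
            g = m.groupdict()
            return {"port": port, "service": service,
                    "software": (g.get("sw") or "").strip() or None,
                    "version": g.get("ver")}
    return {"port": port, "service": "unknown", "software": None, "version": None}


def audit(banners):
    """Identify every (port, banner) pair, lowest port first."""
    return [identify(port, raw) for port, raw in sorted(banners.items())]


def unexpected(results):
    """Entries where the service found does not match the default-port table:
    a relocated service, or an unknown listener on a well-known port."""
    return [r for r in results if EXPECTED.get(r["port"]) != r["service"]]


if __name__ == "__main__":
    for r in audit(SAMPLE_BANNERS):
        flag = "  <-- not the default service for this port" if unexpected([r]) else ""
        print(f"{r['port']:>5}  {r['service']:<8} {r['software'] or '-':<14} "
              f"{r['version'] or '-'}{flag}")
```

Run as a script it prints one line per port. Port 2222 is flagged because the banner says SSH while the table has no entry for 2222, which is exactly the "port changed to deceive attackers" case that a port-number-only inventory misses; decoding with latin-1 keeps binary handshakes such as MySQL and telnet usable by the same regex engine as text banners.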
Service Default Ports
Well‑Known Ports (0‑1023) are tightly bound to specific services.
Registered Ports (1024‑49151) are loosely bound to services.
Dynamic/Private Ports (49152‑65535) are not assigned to any service.
These ports can be altered to deceive attackers, but that does not guarantee security.
Attackers may also use other methods to target these ports, and many malware families use specific ports (not covered here).
Brute‑Force
Brute‑force attacks require minimal technical skill; their effectiveness depends on network speed and hardware. With strong dictionaries and social engineering, brute‑force can be extremely powerful, though limited hardware or dictionaries may reduce success. Many modern services now limit brute‑force attempts, requiring alternative techniques.
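The defender's side of brute-force is detection. The following Python script, added here and not part of the original article, runs a sliding-window detector over constructed sshd auth.log lines: it raises one alert when a source reaches five failed passwords inside sixty seconds, and a second, higher-priority alert if that same source later logs in successfully. The log lines, the host name, the addresses and the THRESHOLD/WINDOW values are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd lines in syslog/auth.log format (not from a real host).
# 203.0.113.7 fails five times in five seconds and then logs in as root;
# 198.51.100.5 fails twice, twenty minutes apart, which ordinary users do all the time.
SAMPLE_LOG = """\
Mar  3 10:15:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:15:02 bastion sshd[2203]: Failed password for invalid user test from 203.0.113.7 port 51024 ssh2
Mar  3 10:15:03 bastion sshd[2205]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  3 10:15:04 bastion sshd[2207]: Failed password for root from 203.0.113.7 port 51028 ssh2
Mar  3 10:15:05 bastion sshd[2209]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 10:15:06 bastion sshd[2209]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7
Mar  3 10:15:09 bastion sshd[2211]: Accepted password for root from 203.0.113.7 port 51032 ssh2
Mar  3 10:20:00 bastion sshd[2301]: Failed password for alice from 198.51.100.5 port 40010 ssh2
Mar  3 10:40:00 bastion sshd[2333]: Failed password for alice from 198.51.100.5 port 40012 ssh2
Mar  3 10:40:04 bastion sshd[2333]: Accepted password for alice from 198.51.100.5 port 40012 ssh2
"""

THRESHOLD = 5   # failures from one source ...
WINDOW = 60     # ... within this many seconds trips an alert (values chosen for the example)

LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(line):
    """Return the fields of a password-auth line, or None for any other line."""
    m = LINE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # year-less syslog stamp
            "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window brute-force detector. Emits one 'brute_force' alert per
    source the first time it reaches `threshold` failures inside `window`
    seconds, and a 'success_after_brute_force' alert for every later login
    from a source that was already flagged."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["result"] == "Failed":
            q = recent[ev["ip"]]
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append({"type": "brute_force", "ip": ev["ip"],
                               "at": ev["ts"].strftime("%H:%M:%S"), "failures": len(q)})
        elif ev["ip"] in flagged:
            alerts.append({"type": "success_after_brute_force", "ip": ev["ip"],
                           "at": ev["ts"].strftime("%H:%M:%S"), "user": ev["user"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The second alert type is the one worth paging on: a burst of failures followed by a success from the same source means a password was found, whereas a burst alone is background noise on any Internet-facing port 22. Because the window is per source, slow distributed attempts that stay under the threshold are not caught by this logic; that is the usual reason to pair it with key-only authentication or rate limiting rather than rely on detection alone.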
0x01 Practical Tests
File Sharing Service Ports
FTP Service
Two deployment methods:
System‑provided FTP (e.g., IIS or default Linux FTP servers)
Third‑party FTP software (e.g., Serv‑U, lightweight FTP servers)
Default ports: 20 (data), 21 (control), 69 (TFTP).
Attack methods:
Brute‑force tools: OWASP Bruter (https://sourceforge.net/projects/worawita/), Metasploit FTP module.
Common credentials: anonymous (empty password), FTP/FTP, USET/pass. Unauthenticated access may exist on some LANs. FTP transmits data in clear text, making it sniffable. Certain vulnerable VSFTPD versions contain a backdoor that opens a shell on port 6200 when a special username suffix is added.
NFS Service
Network File System allows resource sharing over TCP/IP. Configuration can be unrestricted, user‑restricted, IP‑restricted, or certificate‑based (v2.x).
Default port: 2049.
Attack methods: unauthorized access due to misconfigured permissions; attacks are relatively rare.
Samba Service
Provides file sharing between Windows and Linux.
Default ports: 137 (NetBIOS Name Service), 139 (NetBIOS Session Service).
Attack methods: brute‑force weak passwords (hydra), unauthorized public user access, remote code execution vulnerabilities (e.g., CVE‑2019‑0240).
LDAP Protocol
Lightweight Directory Access Protocol; widely used and vulnerable to injection and unauthorized access due to misconfiguration.
Default port: 389.
Attack methods: blind injection, unauthorized access.
Remote Connection Service Ports
SSH Service
Common on Linux servers, network devices, and security appliances; often left with default configuration.
Default port: 22.
Attack methods: brute‑force weak passwords, exploitation of known vulnerabilities (e.g., CVE‑2018‑15473).
Telnet Service
Rare today but still present on many devices (Cisco, H3C, Sangfor, etc.).
Default port: 23.
Attack methods: weak‑password brute‑force, sniffing on LAN.
Windows Remote Desktop (RDP)
Used for remote GUI access to Windows machines.
Default port: 3389.
Attack methods: brute‑force, CVE‑2019‑0708 (BlueKeep) and other RDP vulnerabilities.
VNC Service
Cross‑platform remote control tool.
Default ports: 5900+display (e.g., 5901, 5902).
Attack methods: weak‑password brute‑force, authentication bypass, DoS (CVE‑2015‑5239), privilege escalation (CVE‑2013‑6886).
PcAnywhere Service
Remote control tool similar to VNC.
Default port: 5632.
Attack methods: privilege escalation, DoS.
Web Application Service Ports
IIS Service
Default ports: 80, 81, 443.
Attack methods: PUT file upload, short filename leakage, parsing vulnerabilities.
Apache/Tomcat/Nginx/Axis2
Default ports: 80, 8080.
Attack methods: weak‑password brute‑force on admin panels, HTTP slow‑loris attacks.
WebLogic
Default port: 7001.
Attack methods: weak‑password brute‑force (e.g., system/weblogic), console webshell deployment, Java deserialization, source code leakage, SSRF.
JBoss
Default ports: 8080 (plus 1098, 1099, 4444, 4445, 8009, 8083, 8093).
Attack methods: weak‑password brute‑force, remote code execution, Java deserialization.
WebSphere
Default ports: 9080/9081 (applications), 9090 (admin console).
Attack methods: weak‑password brute‑force, arbitrary file read (CVE‑2014‑0823), Java deserialization.
GlassFish
Default ports: 8080 (HTTP), 3700 (IIOP), 4848 (admin console).
Attack methods: weak‑password brute‑force, arbitrary file read, authentication bypass.
Jenkins
Default ports: 8080, 8089.
Attack methods: weak‑password brute‑force, unauthorized access, Java deserialization.
Resin
Default port: 8080.
Attack methods: directory traversal, remote file read.
Jetty
Default port: 8080.
Attack methods: remote shared buffer overflow.
Lotus
Default port: 1352.
Attack methods: weak‑password brute‑force, information leakage, XSS.
Database Service Ports
MySQL
Default port: 3306.
Attack methods: weak‑password brute‑force, authentication bypass (CVE‑2012‑2122), DoS via malicious queries, phpMyAdmin default credentials.
MSSQL
Default ports: 1433 (database), 1434 (monitor).
Attack methods: weak‑password brute‑force, system user login.
Oracle
Default ports: 1521 (database), 1158 (EMCTL), 8080 (XDB), 210 (XDB FTP).
Attack methods: weak‑password brute‑force, injection, vulnerability exploitation.
PostgreSQL
Default port: 5432.
Attack methods: weak‑password brute‑force.
MongoDB
Default port: 27017.
Attack methods: weak‑password brute‑force, unauthorized access.
Redis
Default port: 6379.
Attack methods: weak‑password brute‑force, unauthorized access combined with SSH key escalation.
Sybase
Default ports: 5000 (service), 4100 (listener), 4200 (backup).
Attack methods: weak‑password brute‑force, command injection.
DB2
Default port: 5000.
Attack methods: security restriction bypass (CVE‑2015‑1922).
Email Service Ports
SMTP
Default ports: 25 (SMTP), 465 (SMTPS).
Attack methods: weak‑password brute‑force, unauthorized relay.
POP3
Default ports: 109 (POP2), 110 (POP3), 995 (POP3S).
Attack methods: weak‑password brute‑force, unauthorized access.
IMAP
Default ports: 143 (IMAP), 993 (IMAPS).
Attack methods: weak‑password brute‑force, misconfiguration.
Common Network Protocol Ports
DNS
Default port: 53.
Attack methods: zone transfer exploitation.
DHCP
Default ports: 67/68, 546 (failover).
Attack methods: DHCP hijacking.
SNMP
Default port: 161.
Attack methods: weak‑password brute‑force.
Other Ports
Zookeeper
Default port: 2181.
Attack methods: unauthorized access.
Zabbix
Default port: 8069.
Attack methods: remote command execution.
Elasticsearch
Default ports: 9200, 9300.
Attack methods: unauthorized access, remote command execution, file traversal, low‑version webshell injection.
Linux R Services (rlogin/rsh)
Default ports: 512 (rexec), 513 (rlogin), 514 (rsh).
Attack methods: remote login using rlogin.
RMI
Default ports: 1090, 1099.
Attack methods: remote command execution via Java deserialization.
Rsync
Default port: 873.
Attack methods: unauthorized access, local privilege escalation (rsync runs as root).
Socket Proxy
Default port: 1080.
Attack methods: brute‑force of proxy credentials. Usually used as a pivot.
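As an added example that is not part of the original article, the script below turns the default-port tables above into a quick exposure audit of a host's own listening sockets: it parses constructed `ss -ltn` output, maps each port to the service and risk class this article associates with it, and separates services bound to all interfaces from those bound to loopback. The PORT_TABLE entries, the SEVERITY weights and the sample listing are this example's own assumptions; port 8080 is left out because the article assigns it to eight different servers, so a port number alone cannot classify it.

```python
import re

# Default-port table distilled from the service sections of this article, with
# the exposure class the article ties to each service (assumed weights below).
# UDP services (SNMP, DHCP, TFTP) are omitted: the listing parsed here is TCP only.
PORT_TABLE = {
    21: ("ftp", "cleartext"),               23: ("telnet", "cleartext"),
    110: ("pop3", "cleartext"),             143: ("imap", "cleartext"),
    512: ("rexec", "cleartext"),            513: ("rlogin", "cleartext"),
    514: ("rsh", "cleartext"),
    873: ("rsync", "unauthenticated"),      2049: ("nfs", "unauthenticated"),
    2181: ("zookeeper", "unauthenticated"), 6379: ("redis", "unauthenticated"),
    9200: ("elasticsearch", "unauthenticated"), 9300: ("elasticsearch", "unauthenticated"),
    27017: ("mongodb", "unauthenticated"),
    1090: ("rmi", "deserialization"),       1099: ("rmi", "deserialization"),
    1158: ("oracle-emctl", "admin_console"), 4848: ("glassfish-admin", "admin_console"),
    7001: ("weblogic", "admin_console"),    9090: ("websphere-admin", "admin_console"),
    22: ("ssh", "brute_force"),             389: ("ldap", "brute_force"),
    1080: ("socks", "brute_force"),         1433: ("mssql", "brute_force"),
    1521: ("oracle", "brute_force"),        3306: ("mysql", "brute_force"),
    3389: ("rdp", "brute_force"),           5432: ("postgresql", "brute_force"),
    5632: ("pcanywhere", "brute_force"),
}
SEVERITY = {"unauthenticated": 3, "cleartext": 3, "deserialization": 3,
            "admin_console": 2, "brute_force": 1}
WILDCARDS = {"0.0.0.0", "*", "::", "[::]"}   # bind addresses reachable on every interface

# Constructed `ss -ltn` output (not from a real host).
SAMPLE_LISTING = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    127.0.0.1:6379      0.0.0.0:*
LISTEN 0      511    *:9200              *:*
LISTEN 0      50     0.0.0.0:27017       0.0.0.0:*
LISTEN 0      128    [::]:23             [::]:*
LISTEN 0      128    0.0.0.0:7001        0.0.0.0:*
LISTEN 0      128    [::1]:5901          [::]:*
LISTEN 0      128    0.0.0.0:8443        0.0.0.0:*
"""

LISTEN = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+)")


def lookup(port):
    """Service and exposure class for a port; VNC is 5900 + display number."""
    if port in PORT_TABLE:
        return PORT_TABLE[port]
    if 5900 <= port <= 5999:
        return ("vnc", "brute_force")
    return ("unknown", None)


def parse_listing(text):
    """Yield (bind_address, port) for each LISTEN line of `ss -ltn` output."""
    for line in text.splitlines():
        m = LISTEN.match(line)
        if not m:
            continue
        addr, port = m["local"].rsplit(":", 1)   # rsplit keeps IPv6 brackets intact
        yield addr, int(port)


def audit(text):
    """One finding per listening socket, highest severity first."""
    findings = []
    for addr, port in parse_listing(text):
        service, risk = lookup(port)
        exposed = addr in WILDCARDS
        findings.append({"port": port, "bind": addr, "service": service, "risk": risk,
                         "exposed": exposed,
                         "severity": SEVERITY.get(risk, 0) if exposed else 0})
    findings.sort(key=lambda f: (-f["severity"], f["port"]))
    return findings


def high_risk(findings, minimum=2):
    """Ports reachable on all interfaces whose class the article ties to
    unauthenticated access, cleartext credentials, deserialization or an admin console."""
    return [f["port"] for f in findings if f["exposed"] and f["severity"] >= minimum]


if __name__ == "__main__":
    for f in audit(SAMPLE_LISTING):
        where = "all interfaces" if f["exposed"] else f"{f['bind']} only"
        print(f"{f['port']:>6} {f['service']:<15} {f['risk'] or '-':<16} {where}")
```

On the sample listing the loopback-bound Redis and VNC instances drop to severity zero, which is the intended reading: the fix for most of the "unauthorized access" entries above is binding to localhost or a management interface and enabling authentication, and this check shows which of the two a host has already done. Unknown ports such as 8443 score zero only because the table cannot name them; they still need a banner check before being dismissed.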
Author: MrM (original source: http://33h.co/9nhta)
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.