Common Ports/Services and Their Usage Entire OSCP Guide (2023)

I will try to make this chapter a reference library. Therefore, you can easily refer to this chapter on how to use certain general services. I will only cover the most common ones as there are quite a few.

This is amazing. If a port you found is not covered here, read this guide.

Port XXX - unknown service

If you opened a port with an unknown service, you can do this to find out what the service might be.

amap -d <target> 8000

Port 21 - FTP

Connect to the FTP server to see the software and version banner:

ftp <target> 21

Many FTP servers allow anonymous users. They can be misconfigured, granting too much access, and some exploits require anonymous access to work. So always try to log in with anonymous:anonymous.

Think about binary and ASCII mode!

If you upload a binary file, you must set the FTP session to binary mode, otherwise the file will be corrupted and you will not be able to use it. The same applies to text files: use ASCII mode for them! You just type binary or ascii to change modes.

Port 22 - SSH

SSH is such an old and fundamental technology that most modern versions are pretty well hardened. You can find out the SSH version by checking it with nmap or by connecting to it with nc.

nc <target> 22

It returns something like this: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu1

This banner is defined in RFC 4253, section 4.2 Protocol Version Exchange. The version string must have the form SSH-protoversion-softwareversion SP comments CR LF, where the comments are optional. SP stands for space, CR for carriage return and LF for line feed. So the comments are always separated from the software version by a space.
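As an added example (not part of the original guide), here is a Python parser that checks a captured banner against the RFC 4253 rules just described, including the pre-banner text lines the RFC allows and the deviations you will meet in practice; the sample banners are constructed, not captured from real hosts.

```python
MAX_BANNER_LEN = 255  # RFC 4253 section 4.2: version line incl. CR LF

def parse_ssh_banner(raw: bytes) -> dict:
    """Parse what an SSH server sends before key exchange.

    RFC 4253 lets a server send extra text lines before the version line;
    a client must ignore every line that does not start with "SSH-".
    Returns the parsed fields plus a list of deviations from the RFC
    (empty when the banner is conformant). Raises ValueError if no
    version line is present or it is structurally malformed.
    """
    pre_banner, version_line = [], None
    for line in raw.splitlines(keepends=True):
        if line.startswith(b"SSH-"):
            version_line = line
            break
        pre_banner.append(line.rstrip(b"\r\n").decode("ascii", "replace"))
    if version_line is None:
        raise ValueError("no SSH version line found")

    issues = []
    if len(version_line) > MAX_BANNER_LEN:
        issues.append("version line longer than 255 bytes")
    if not version_line.endswith(b"\r\n"):
        issues.append("version line not terminated by CR LF")
    body = version_line.rstrip(b"\r\n")
    if not all(0x20 <= b < 0x7F for b in body):
        issues.append("non-printable or non-ASCII bytes in version line")
    text = body.decode("ascii", "replace")

    # Comments begin after the first space; before it sits
    # SSH-protoversion-softwareversion.
    ident, sep, comments = text.partition(" ")
    parts = ident.split("-", 2)  # ["SSH", protoversion, softwareversion]
    if len(parts) < 3 or not parts[1] or not parts[2]:
        raise ValueError(f"malformed version line: {text!r}")
    proto, software = parts[1], parts[2]
    if "-" in software:
        issues.append("softwareversion contains '-' (forbidden by RFC 4253)")
    if proto not in ("2.0", "1.99"):  # 1.99 = SSH-2 server that also speaks SSH-1
        issues.append(f"unexpected protoversion {proto!r}")
    return {
        "proto": proto,
        "software": software,
        "comments": comments if sep else None,
        "pre_banner": pre_banner,
        "issues": issues,
    }

# Constructed sample banners (not captured from real hosts).
BANNER_OK = b"SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu1\r\n"
BANNER_PRE = b"Authorized access only\r\nSSH-2.0-dropbear_2019.78\r\n"
BANNER_BAD = b"SSH-2.0-Cisco-1.25\n"

if __name__ == "__main__":
    for banner in (BANNER_OK, BANNER_PRE, BANNER_BAD):
        print(parse_ssh_banner(banner))
```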

Port 23 - Telnet

Telnet is considered insecure primarily because it does not encrypt its traffic. Also, a quick search on Exploit-DB shows that there are different RCE vulnerabilities in different versions. It might be worth checking out.

Brute force

You can also brute force it like this:

hydra -l root -P /root/SecLists/Passwords/10_million_password_list_top_100.txt <target> telnet

Port 25 - SMTP

SMTP is a server-to-server service. Users receive or send email through IMAP or POP3; those messages are then forwarded to the SMTP server, which relays the email to another server. The SMTP server has a database of all the email addresses that can receive or send email. We can use SMTP to query that database for potential email addresses. Note that we cannot retrieve emails from SMTP, we can only send them.

Here are the possible commands:

  • HELO / EHLO - EHLO is Extended SMTP.
  • STARTTLS - SMTP communicates over an unencrypted protocol; by starting a TLS session we encrypt the traffic.
  • RCPT - Address of the recipient.
  • DATA - Starts the transfer of the message contents.
  • RSET - Used to abort the current email transaction.
  • MAIL - Specifies the email address of the sender.
  • QUIT - Closes the connection.
  • HELP - Asks for the help screen.
  • AUTH - Used to authenticate the client to the server.
  • VRFY - Asks the server to verify that the user's mailbox exists.

Enumerate users

We can use this service to find out which usernames are in the database. This can be done as follows.

nc <target> 25
220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
VRFY root
252 2.0.0 root
VRFY roooooot
550 5.1.1 <roooooot>: Recipient address rejected: User unknown in local recipient table

Here we can identify the user root, but roooooot was rejected.

VRFY, EXPN and RCPT can be used to identify users.

Telnet is sometimes a bit friendlier, so also try:

telnet <target> 25


Of course, this process can be automated.

Find supported commands

nmap --script smtp-commands.nse <target>


The command looks like this: -M for the mode, -U for the list of users, -t for the target.

smtp-user-enum -M VRFY -U /root/sectools/SecLists/Usernames/Names/names.txt -t <target>

Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... /root/sectools/SecLists/Usernames/Names/names.txt
Target count ............. 1
Username count ........... 8607
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............

######## Scan started at Sun ######## 
192.168.1.103: bin exists
192.168.1.103: irc exists
192.168.1.103: mail exists
192.168.1.103: man exists
192.168.1.103: sys exists
######## Scan completed at Sun Jun 19 11:06:51 2016 #########
5 results.

8607 queries in 112 seconds (76.8 queries / sec)


This can also be done with Metasploit:

msf > use auxiliary/scanner/smtp/smtp_enum
msf auxiliary(smtp_enum) > show options

Module options (auxiliary/scanner/smtp/smtp_enum):

   Name       Current Setting                                                Required  Description
   ----       ---------------                                                --------  -----------
   RHOSTS                                                                    yes       The target address range or CIDR identifier
   RPORT      25                                                             yes       The target port
   THREADS    1                                                              yes       The number of concurrent threads
   UNIXONLY   true                                                           yes       Skip Microsoft bannered servers when testing unix users
   USER_FILE  /usr/share/metasploit-framework/data/wordlists/unix_users.txt  yes       The file that contains a list of probable users accounts.
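The defender's view of the VRFY/RCPT enumeration described above, as an added example that is not part of the original guide: the Python below scans Postfix-style smtpd log lines for rejected VRFY/EXPN/RCPT probes and flags clients whose unknown-user (5.1.1) rejections cluster inside a short window, which is how a wordlist sweep like the one above shows up in the mail log. The log lines, hostnames and addresses are constructed, not captured from a real server.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Postfix-style smtpd log lines (not captured from a real server):
# one client probes several usernames with VRFY in quick succession, another
# makes a single RCPT typo, a third is a relay attempt with a different code.
SAMPLE_LOG = """\
Jun 19 11:05:01 mx postfix/smtpd[2210]: connect from unknown[192.0.2.10]
Jun 19 11:05:02 mx postfix/smtpd[2210]: NOQUEUE: reject: VRFY from unknown[192.0.2.10]: 550 5.1.1 <roooooot>: Recipient address rejected: User unknown in local recipient table; to=<roooooot> proto=SMTP helo=<kali>
Jun 19 11:05:03 mx postfix/smtpd[2210]: NOQUEUE: reject: VRFY from unknown[192.0.2.10]: 550 5.1.1 <adm>: Recipient address rejected: User unknown in local recipient table; to=<adm> proto=SMTP helo=<kali>
Jun 19 11:05:04 mx postfix/smtpd[2210]: NOQUEUE: reject: VRFY from unknown[192.0.2.10]: 550 5.1.1 <backup>: Recipient address rejected: User unknown in local recipient table; to=<backup> proto=SMTP helo=<kali>
Jun 19 11:05:06 mx postfix/smtpd[2210]: NOQUEUE: reject: VRFY from unknown[192.0.2.10]: 550 5.1.1 <guest>: Recipient address rejected: User unknown in local recipient table; to=<guest> proto=SMTP helo=<kali>
Jun 19 11:20:41 mx postfix/smtpd[2315]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.7]: 550 5.1.1 <bob.smtih@example.com>: Recipient address rejected: User unknown in local recipient table; from=<alice@example.net> to=<bob.smtih@example.com> proto=ESMTP helo=<mail.example.net>
Jun 19 11:31:15 mx postfix/smtpd[2390]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <spam@example.com>: Relay access denied; from=<x@y.test> to=<spam@example.com> proto=ESMTP helo=<z>
"""

REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: (?P<cmd>VRFY|EXPN|RCPT) from \S+\[(?P<ip>[\d.]+)\]: "
    r"(?P<code>\d{3}) (?P<esc>\d\.\d\.\d) <(?P<addr>[^>]*)>"
)

def parse_rejects(log_text):
    """Yield (timestamp, client_ip, command, probed_address, enhanced_code)
    for every rejected VRFY/EXPN/RCPT; other log lines are skipped."""
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
            yield ts, m["ip"], m["cmd"], m["addr"], m["esc"]

def find_enumeration(log_text, threshold=3, window_seconds=60):
    """Flag clients whose 5.1.1 (unknown user) rejections reach `threshold`
    inside any `window_seconds` span. A lone typo never trips it; a VRFY
    or RCPT sweep over a wordlist does. Returns {ip: summary}."""
    events = defaultdict(list)
    for ts, ip, cmd, addr, esc in parse_rejects(log_text):
        if esc == "5.1.1":
            events[ip].append((ts, cmd, addr))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        times = [ts for ts, _, _ in evs]
        start = peak = 0
        for end in range(len(times)):  # sliding window over the sorted times
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = {
                "peak_rejects_in_window": peak,
                "commands": sorted({cmd for _, cmd, _ in evs}),
                "probed": [addr for _, _, addr in evs],
            }
    return flagged

if __name__ == "__main__":
    for ip, info in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {info['peak_rejects_in_window']} unknown-user rejects via "
              f"{','.join(info['commands'])}, probed {info['probed']}")
```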

Here are the docs for SMTP

Port 69 - TFTP

This is a file transfer service like FTP, but it uses UDP.

Port 80 - HTTP

Information about web vulnerabilities can be found in the next chapter, HTTP - Web Vulnerabilities.

Normally, when we think of port 80, we only think of vulnerabilities in the HTTP interface, the website. But with .htaccess we can password-protect specific directories. If that's the case, here's a way to brute-force it.


Password protected directory with htaccess

Step 1

Create a directory that you want to protect with a password. Create a .htaccess file in that directory. Contents of .htaccess:

AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /var/www/html/test/.htpasswd
Require valid-user

Create a .htpasswd file:

htpasswd -cb .htpasswd test admin
service apache2 restart

This creates a file called .htpasswd with the username test and the password admin.

If the directory does not show a login prompt, you may need to change the apache2.conf file, like this:

<Directory /var/www/html/test>
    AllowOverride AuthConfig
</Directory>

Brute force

Now that we know how this works, we can try to brute-force it with Medusa:

medusa -h <target> -u admin -P wordlist.txt -M http -m DIR:/test -T 10

Port 88 - Kerberos

Kerberos is a protocol used for network authentication. *Nix and Windows use different versions. However, if you see a machine with port 88 open, you can be pretty sure it's a Windows domain controller.

If you already have credentials for a user in that domain, you may be able to escalate privileges.

See: MS14-068

Port 110 - POP3

This service is used to retrieve emails from an email server. So the server that has this port open is probably a mail server, and other clients on the network (or outside) are accessing this server to check their mail.

telnet <target> 110
USER [email protected]
PASS admin
# List all emails
list
# Retrieve email number 5, for example
retr 5

Port 111 - Rpcbind

RFC: 1833

Rpcbind can help us find NFS shares, so look out for NFS. Get a list of services running with RPC:

rpcinfo -p <target>

Port 119 - NNTP

Network Time Protocol. Time is used for synchronization. When a computer runs this server it acts as a time-synchronization server, and other machines query it for the exact time. (Note that NTP itself normally listens on UDP port 123.)

An attacker could use this to change the time, which can lead to denial of service and general chaos.

Port 135 - MSRPC

This is the Windows RPC port.


nmap --script=msrpc-enum <target>
msf > use exploit/windows/dcerpc/ms03_026_dcom

Port 139 and 445 - SMB

Samba is a service that allows users to share files with other machines. It is interoperable, which means you can share things between Linux and Windows systems. A Windows user only sees an icon for a folder that contains some files, although the folder and files actually live on a Linux server.

To connect

For Linux users, you can log in to the SMB share with smbclient as follows:

smbclient -L <target>
smbclient \\\\<target>\\ipc$ -U john
smbclient //<target>/ipc$ -U john

If you don't provide a password, just hit Enter. The server can show the different shares and server versions. This can be useful information when looking for exploits. There are tons of exploits for smb.

So for a Linux user, smb is a lot like ftp or nfs.

Here's a good guide to configuring Samba:

mount -t cifs -o user=USERNAME,sec=ntlm,dir_mode=0077 "//<target>/share" /mnt/cifs

Connect with PSExec

If you have credentials, you can easily login with psexec. You can use the standalone binary or the Metasploit module.

use exploit/windows/smb/psexec

Scan with nmap

Scan for SMB with Nmap:

nmap -p 139,445 <target>

There are several NSE scripts that can be useful, for example:

ls -l /usr/share/nmap/scripts/smb*
-rw-r--r-- 1 root root  45K Jan 24  2016 /usr/share/nmap/scripts/smb-brute.nse
-rw-r--r-- 1 root root 4.8K Jan 24  2016 /usr/share/nmap/scripts/smb-enum-domains.nse
-rw-r--r-- 1 root root 5.8K Jan 24  2016 /usr/share/nmap/scripts/smb-enum-groups.nse
-rw-r--r-- 1 root root 7.9K Jan 24  2016 /usr/share/nmap/scripts/smb-enum-processes.nse
-rw-r--r-- 1 root root  12K Jan 24  2016 /usr/share/nmap/scripts/smb-enum-sessions.nse
-rw-r--r-- 1 root root 6.8K Jan 24  2016 /usr/share/nmap/scripts/smb-enum-shares.nse
-rw-r--r-- 1 root root  13K Jan 24  2016 /usr/share/nmap/scripts/smb-enum-users.nse
-rw-r--r-- 1 root root 1.7K Jan 24  2016 /usr/share/nmap/scripts/smb-flood.nse
-rw-r--r-- 1 root root 7.3K Jan 24  2016 /usr/share/nmap/scripts/smb-ls.nse
-rw-r--r-- 1 root root 8.6K Jan 24  2016 /usr/share/nmap/scripts/smb-mbenum.nse
-rw-r--r-- 1 root root 7.0K Jan 24  2016 /usr/share/nmap/scripts/smb-os-discovery.nse
-rw-r--r-- 1 root root 5.0K Jan 24  2016 /usr/share/nmap/scripts/smb-print-text.nse
-rw-r--r-- 1 root root  63K Jan 24  2016 /usr/share/nmap/scripts/smb-psexec.nse
-rw-r--r-- 1 root root 5.0K Jan 24  2016 /usr/share/nmap/scripts/smb-security-mode.nse
-rw-r--r-- 1 root root 2.4K Jan 24  2016 /usr/share/nmap/scripts/smb-server-stats.nse
-rw-r--r-- 1 root root  14K Jan 24  2016 /usr/share/nmap/scripts/smb-system-info.nse
-rw-r--r-- 1 root root 1.5K Jan 24  2016 /usr/share/nmap/scripts/smbv2-enabled.nse
-rw-r--r-- 1 root root 7.5K Jan 24  2016 /usr/share/nmap/scripts/smb-vuln-conficker.nse
-rw-r--r-- 1 root root 6.5K Jan 24  2016 /usr/share/nmap/scripts/smb-vuln-cve2009-3103.nse
-rw-r--r-- 1 root root 6.5K Jan 24  2016 /usr/share/nmap/scripts/smb-vuln-ms06-025.nse
-rw-r--r-- 1 root root 5.4K Jan 24  2016 /usr/share/nmap/scripts/smb-vuln-ms07-029.nse
-rw-r--r-- 1 root root 5.7K Jan 24  2016 /usr/share/nmap/scripts/smb-vuln-ms08-067.nse
-rw-r--r-- 1 root root 5.5K Jan 24  2016 /usr/share/nmap/scripts/smb-vuln-ms10-054.nse
-rw-r--r-- 1 root root 7.2K Jan 24  2016 /usr/share/nmap/scripts/smb-vuln-ms10-061.nse
-rw-r--r-- 1 root root 4.5K Jan 24  2016 /usr/share/nmap/scripts/smb-vuln-regsvc-dos.nse

nmap -p 139,445 --script smb-enum-shares.nse,smb-os-discovery.nse <target>


nbtscan -r <network range>

Sometimes there might be some errors so run it a few times to make sure it finds all users.


Enum4linux can be used to enumerate Windows and Linux machines with SMB shares.

The "do it all" option:

enum4linux -a <target>

Information here:


You can also use rpcclient to enumerate the shares.

Connect with a null session, in other words without a user. This only works on older Windows servers.

rpcclient -U "" <target>

Once connected, you can enter commands like


Port 143/993 - IMAP

You can use IMAP to access emails stored on this server. So imagine you are on a network at work: the emails you receive are not stored on your computer but on a specific email server. Whenever you check your inbox, your email client (like Outlook) fetches the emails from the email server using IMAP.


IMAP is very similar to pop3. But with IMAP, you can access your email from different devices. With pop3, you can only access from one device.

Port 993 is the secure port for IMAP.

Port 161 and 162 - SNMP

Simple Network Management Protocol

SNMP versions 1, 2 and 2c do not encrypt their traffic, so it can be intercepted to steal credentials.

SNMP is used to manage devices on a network. It has strange terminology: for example, instead of the word password, the word community is used, but it's more or less the same thing. A default community string/password is public.

You can have read-only access to SNMP, often only with the community string public.

Common community strings

  • public
  • private
  • community

Here is a longer list of common community strings:

MIB - Management Information Base

SNMP stores all data in the Management Information Base. The MIB is a tree-like database. Different branches contain different information: one branch might contain username information and another the running processes. The "leaf" or endpoint is the actual data. If you have read access to the database, you can read any leaf of the tree. This can be done with snmpwalk, which traverses the entire database tree and outputs the content.

Snmpwalk

snmpwalk -c public -v1 <target> # community string and which version

This command outputs a lot of information, most of which won't be relevant to us and much of which we won't really understand. Therefore it is better to query only the information that interests you. These are the locations (OIDs) of the things we are interested in:

  • System Processes
  • Running Programs
  • Process Path
  • Storage Units
  • Software Name
  • User Accounts
  • Local TCP Ports

Now we can use it to query the data we really want.


Snmp-check

This is a little easier to use and with much better output.

snmp-check -t <target> -c public

Find open ports - Nmap

Since SNMP uses UDP, we need to use the -sU flag.

nmap -iL ips.txt -p 161,162 -sU --open -vvv -oG snmp-nmap.txt

Onesixtyone

With onesixtyone you can test open ports but also brute force community strings. I've had more success with onesixtyone than nmap. So it's better to use both.


There are some SNMP modules in Metasploit that you can use. snmp_enum can show usernames, services and other things.

Port 199 - Smux

Port 389/636 - LDAP

Lightweight Directory Access Protocol. This port is normally used for directories. Directory here means a phone book rather than a folder. The LDAP directory can be thought of a bit like the Windows registry: a database tree. LDAP is sometimes used to store user information, and it is most commonly used in corporate structures. Web applications can use LDAP for authentication. If this is the case, LDAP injections, which are similar to SQL injections, may be possible.

Sometimes you can access LDAP with an anonymous login, in other words without credentials. This can be useful as you can find some valuable data about users.

ldapsearch -h <target> -p 389 -x -b "dc=mywebsite,dc=com"

When a client connects to the LDAP directory, it can use it to query, add or delete data.

Port 636 is used for LDAP over SSL.

There are also Metasploit modules for Windows 2000 SP4 and Windows XP SP0/SP1.

Port 443 - HTTPS

Okay, this is just a reminder to always check for SSL vulnerabilities like Heartbleed. For more information on exploiting web applications, see the chapter on client-side vulnerabilities.

Heartbleed

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • The OpenSSL 1.0.0 branch is NOT vulnerable
  • The OpenSSL 0.9.8 branch is NOT vulnerable
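As an added example that is not part of the original guide, this Python helper classifies the OpenSSL version found in a Server header or nmap -sV banner against the ranges above. It also singles out versions carrying a vendor or build tag (for example a -fips or Debian-style suffix) because distributions backported the fix without changing the version number, so a version-only verdict is a first pass, not a confirmation. The banner strings are constructed.

```python
import re

# OpenSSL releases of the 0.9.8/1.0.x era are numbered major.minor.fix with an
# optional patch letter that sorts alphabetically: 1.0.1 < 1.0.1a < ... < 1.0.1g.
# Anything after '-' or '_' (e.g. "-fips", "-2+deb7u5", "-beta1") is a build or
# distribution tag that takes no part in the ordering.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:[-_](.+))?$")

def parse_openssl_version(ver):
    """Split '1.0.1e-fips' into ((1, 0, 1, 'e'), 'fips'); the tuple is sortable."""
    m = VERSION_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {ver!r}")
    major, minor, fix, patch, tag = m.groups()
    return (int(major), int(minor), int(fix), patch), tag

FIRST_VULN, _ = parse_openssl_version("1.0.1")   # first affected release
FIRST_FIXED, _ = parse_openssl_version("1.0.1g")  # first fixed release

def heartbleed_status(ver):
    """Classify a bare OpenSSL version string by its number alone.

    Returns one of:
      'vulnerable'                   1.0.1 .. 1.0.1f, plain upstream build
      'vulnerable-unless-backported' same range but carrying a vendor tag;
                                     distributions shipped the fix under the
                                     old number, so check the package changelog
      'pre-release'                  a -beta/-pre build; consult the advisory
      'not-vulnerable'               0.9.8 and 1.0.0 branches, 1.0.1g and later
    """
    num, tag = parse_openssl_version(ver)
    if tag and tag.lower().startswith(("beta", "pre")):
        return "pre-release"
    if not (FIRST_VULN <= num < FIRST_FIXED):
        return "not-vulnerable"
    return "vulnerable-unless-backported" if tag else "vulnerable"

def assess_banner(banner):
    """Find an 'OpenSSL/<version>' token in a Server header or nmap -sV banner
    and classify it. Returns (version, status); status is 'unknown' when no
    parseable OpenSSL version is present."""
    m = re.search(r"OpenSSL/(\S+)", banner)
    if not m:
        return None, "unknown"
    ver = m.group(1)
    try:
        return ver, heartbleed_status(ver)
    except ValueError:
        return ver, "unknown"

# Constructed banners, not captured from real servers.
SAMPLE_BANNERS = [
    "Apache/2.2.22 (Ubuntu) OpenSSL/1.0.1e",
    "Apache/2.2.15 (CentOS) OpenSSL/1.0.1e-fips",
    "Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1f",
    "Apache/2.4.9 OpenSSL/1.0.1g",
    "Apache/2.2.3 (Red Hat) OpenSSL/0.9.8e-fips-rhel5",
    "nginx/1.4.6",
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b:48s} -> {assess_banner(b)}")
```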

First, we need to check whether the HTTPS site is vulnerable to Heartbleed.

We can do it as follows.

sudo sslscan <target>

or with an nmap script:

nmap -sV --script=ssl-heartbleed <target>

You could exploit the vulnerability in several different ways. There's a module for that in the Burp Suite, and Metasploit has a module for that too.

use auxiliary/scanner/ssl/openssl_heartbleed
set RHOSTS <target>
set verbose true
run

You now have a stream of random data, some of which may be of interest to you.




Read the certificate.

  • Does it contain names that may be useful?
  • Correct virtual host

RTSP (Real Time Streaming Protocol) is a stateful protocol built on top of TCP and is generally used to stream images. Many commercial IP cameras run on this port. They usually have a GUI interface, so look out for that.

Port 587 - Submission

Outgoing SMTP port.


If Postfix is running on it, it may be vulnerable to Shellshock.

Port 631 - CUPS

The Common UNIX Printing System has become the standard for sharing printers on a Linux network. When it is running, your priv-esc enumeration usually shows port 631 open in netstat. You can log in here: http://localhost:631/admin

It authenticates against the operating system's users.

Find the version. Check cups-config --version. If that doesn't work, navigate to http://localhost:631/printers and look at the CUPS version in your browser's title bar.

There are vulnerabilities for this, so check searchsploit.

Port 993 - Encrypted IMAP

The default port for IMAP over SSL/TLS.

Port 995 - Encrypted POP3

Port 995 is the default port for POP3 over SSL/TLS. The protocol is used by clients to connect to the server and download their emails locally. Typically you will see this port open on MX servers, i.e. servers for sending and receiving email.

Related ports: 110 (unencrypted POP3), 25, 465.

Port 1025 - NFS or IIS

I have seen it open on a Windows machine, but with nothing listening on it.

Port 1030/1032/1033/1038

I believe they are used by RPCs on Windows domains. I still haven't found a use for them. However, it may indicate that the target is part of a Windows domain. I'm not sure.

Port 1433 - MSSQL

Default port for Microsoft SQL Server.

sqsh -S <target> -U sa

# For example, run the date command after logging in
xp_cmdshell 'date'
go

Many of the check mechanisms in Metasploit require authentication, but some don't.

use auxiliary/scanner/mssql/mssql_ping

Brute force


If you have credentials, look for other modules on Metasploit.

Port 1521 - Oracle Database


tnscmd10g version -h <target>

Brute-force the SID


Connect to the database with sqlplus.


Ports 1748, 1754, 1808, 1809 - Oracle

These are also ports used by Oracle on Windows. They are used by the Oracle Intelligent Agent.

Port 2049 - NFS

Network File System. This is a service that allows users to access specific parts of a remote file system. If it is set up incorrectly, it could mean that too many users are given access.

If the service is on its default port, you can run this command to see what the filesystem is sharing:

showmount -e <target>

You can then mount the filesystem on your computer with the following command

mount <target>:/ /tmp/NFS
mount -t nfs <target>:/ /tmp/NFS

Now we can go to /tmp/NFS and check /etc/passwd and add and remove files.

This can be used to escalate privileges if not configured correctly. Read the chapter on privilege escalation in Linux.

Port 2100 - Oracle XML DB

There are some exploits for this, so check them out. You can use default Oracle users to access it, and you can use the normal FTP protocol to do so.

It can be accessed via FTP. Some default passwords here:

Default logins:

  • sys:sys
  • scott:tiger

Port 3268 - globalcatLDAP

Port 3306 - MySQL

Always try the following:

Username: root

Password: root


mysql --host=<target> -u root -p
mysql -h <hostname> -u root
mysql -h <hostname> -u root@localhost
mysql -h <hostname> -u ""@localhost
telnet <target> 3306

You'll probably see this a lot:

ERROR 1130 (HY000): Host '<your IP>' is not allowed to connect to this MySQL server

This is because MySQL is configured to allow the root user to log in only from localhost. This is a reasonable security measure to protect the database.

Configuration files

cat /etc/my.cnf

MySQL command cheat sheet

Upload a shell

You can also use MySQL to upload a shell.

Escalate privileges

If MySQL is running as root, you may be able to use it to escalate your privileges.

MySQL UDF injection:

Find passwords for MySQL

You can gain access to a shell by uploading a reverse shell, and then you have to escalate your privileges. One way to do this is to search the database and see what usernames and passwords are available. Maybe someone reuses a password?

So the first step is to find the database credentials. They are usually found in a configuration file on the web server. In Joomla, for example, they can be found at:


In this file you will find the

<?php
class JConfig {
    var $mailfrom = '[email protected]';
    var $fromname = 'Test user';
    var $sendmail = '/usr/sbin/sendmail';
    var $password = 'myPassword1234';
    var $sitename = 'Test';
    var $MetaDesc = 'Joomla! - the dynamic portal engine and content management system';
    var $MetaKeys = 'Joomla, Joomla';
    var $offline_message = 'This site is down for maintenance. Please check back again soon.';
}

Port 3339 - Oracle web interface

Port 3389 - Remote Desktop Protocol

This is a proprietary protocol from Microsoft Windows that enables remote desktop access.

Log in like this:

rdesktop -u guest -p guest <target> -g 94%

Brute force like this:

ncrack -vv --user Administrator -P /root/passwords.txt rdp://<target>


This is classified by Microsoft as an RCE vulnerability, but there is no PoC for it online. You can only DoS a machine with this exploit.

Port 4445 - Upnotifyp

I didn't find anything here. Try connecting with netcat and visiting it in a browser.

Port 4555 - RSIP

I have seen this port used by Apache James Remote Configuration.

There is an exploit for version 2.3.2.

Port 47001 - Windows Remote Management Service


Port 5357 - WSDAPI

Port 5722 - DFSR

The Distributed File System Replication (DFSR) service is a state-based, multi-master file replication engine that automatically copies file and folder updates between computers that are part of a common replication group. DFSR was added in Windows Server 2003 R2.

Not sure what can be done with this port. However, if it is open, the computer in question may be a domain controller.

Port 5900 - VNC

VNC is used to get a screen to a remote host. Some VNC servers have exploits.

You can use vncviewer to connect to a VNC service. Vncviewer comes with Kali.

The default port is 5900. You don't need to set a username: VNC runs as a specific user, so when you use VNC it assumes that user. Also note that the password is not the user's password on the machine. If you have obtained and cracked a user's password on a machine, it doesn't mean you can log in to VNC with it. To find the VNC password you can use the Metasploit/Meterpreter post-exploitation module that downloads VNC passwords:

background
use post/windows/gather/credentials/vnc
set session X
exploit


If you cannot type ctrl-alt-del (Kali may take this as input for Kali itself).


Metasploit Scanner

You can brute-force VNC logins:

use auxiliary/scanner/vnc/vnc_login
set rhosts <target>

Scan for no authentication

use auxiliary/scanner/vnc/vnc_none_auth
set rhosts <target>

Port 8080

Because this port is used by many different services, they are divided up like this.

Tomcat

Tomcat suffers from default passwords. There's even a module in Metasploit that lists common Tomcat passwords. And another module to exploit it and provide a shell.

Port 9389 -

Active Directory Administrative Center is installed by default on Windows Server 2008 R2 and is available on Windows 7 if you install Remote Server Administration Tools (RSAT).


Article information

Author: Nathanael Baumbach

Last Updated: 04/21/2023
