Forum Thread: Exploits for Open Ports

Hello guys,

Well, in a LAN cenário, lets say we do some reccon and we find a host with those normal ports opened like
135 -msrpc
139- netbios
445 - microsoft ds

among others,

is there any new exploits and good articles about this matter?

Join the Next Reality AR Community

Get the latest in AR — delivered straight to your inbox.

3 Responses

if you are not noob enough like me , then get latest updates from ,
you can search for latest valnus and exploits ,shellcodes from this site ,

If you are like me i search the ports and its exploits on google

Well, it all depends. Rerun the scan with

nmap -sV -O <host> and report what it returns. You could try ms08-067-netapi for XP, or EternalBlue for most x64 windows targets (Unless you have some better code, like I just finished ;) ), or for linux targets you could try some Samba exploits (though from the portscan, windows looks more likely.)

My recommendation is try, say, ms17-010-eternalblue - it's the most versatile windows SMB exploit I've seen in my time.

The reason for my noncommital answer is because you haven't supplied anything such as Version or Operating System information. If you added those flags to nmap, I could tell you everything short of if the victim was vulnerable (technically there's an nmap command for that too for both ms08-067 and ms17-010, which are easy to find if you're good with find, or locate | grep) I, and especially you, don't have enough information to determine if the host can be exploited.

It may be the case that it's say, Windows 10 bleeding edge, which is not vulnerable to any remote code execution exploit that I know of. Probably the NSA has something, but since neither of us work for the government, we can ignore that. In order to exploit it, your best bet is either social engineering the user to install a backdoor (If you do this, do yourself a favor and don't do anything generated by Metasploit, even if it's encoded and has shikata-ga-nai in place or whatever. AV will sniff it instantly. Trust me on this one.) or comprimising another computer (Say, the Domain Administrator) and using credentials found to log in over SMB and extracting files (but you won't be able to execute code, unless it's vulnerable to psexec or something) or, yknow, just logging in at the actual interface when nobody's looking.


Share Your Thoughts

  • Hot
  • Active