22, 161, 162 - SSH, SNMP

Port 22 - SSH

nmap -v -n -Pn -p22 <IP Address>

nmap -v -n -Pn -p22 -sV <IP Address>

nmap -v -n -Pn -p22 -sC <IP Address>

nmap -v -n -Pn -p22 --script ssh2-enum-algos <IP Address>

Nmap Scripts

locate .nse | grep ssh

/usr/share/nmap/scripts/ssh-auth-methods.nse
/usr/share/nmap/scripts/ssh-brute.nse
/usr/share/nmap/scripts/ssh-hostkey.nse
/usr/share/nmap/scripts/ssh-publickey-acceptance.nse
/usr/share/nmap/scripts/ssh-run.nse
/usr/share/nmap/scripts/ssh2-enum-algos.nse
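/usr/share/nmap/scripts/sshv1.nse

Password guessing with ssh-brute (failed attempts show up in the target's sshd auth log and may trigger account lockout or IP bans)

nmap -v -n -Pn -p22 --script ssh-brute --script-args userdb=<username-list>,passdb=<password-file> <Target IP>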

Metasploit Modules

auxiliary/scanner/ssh/ssh_login

Ports 161, 162 (UDP) - SNMP

# Check whether the SNMP port (UDP 161) is open
sudo nmap -n -Pn -sU -p161 192.168.56.2

# Default Script Scan
sudo nmap -n -Pn -sU -p161 -sC 192.168.56.2

# Brute-force the community string from a wordlist
sudo nmap -n -Pn -sU -p161 --script snmp-brute 192.168.56.2 --script-args snmp-brute.communitiesDB=<dictionary location>

# Metasploit modules
auxiliary/scanner/snmp/snmp_enum
auxiliary/scanner/snmp/snmp_enumusers
auxiliary/scanner/snmp/snmp_login

Nmap Scripts

locate .nse | grep snmp
/usr/share/nmap/scripts/snmp-brute.nse
/usr/share/nmap/scripts/snmp-hh3c-logins.nse
/usr/share/nmap/scripts/snmp-info.nse
/usr/share/nmap/scripts/snmp-interfaces.nse
/usr/share/nmap/scripts/snmp-ios-config.nse
/usr/share/nmap/scripts/snmp-netstat.nse
/usr/share/nmap/scripts/snmp-processes.nse
/usr/share/nmap/scripts/snmp-sysdescr.nse
/usr/share/nmap/scripts/snmp-win32-services.nse
/usr/share/nmap/scripts/snmp-win32-shares.nse
/usr/share/nmap/scripts/snmp-win32-software.nse
/usr/share/nmap/scripts/snmp-win32-users.nse

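snmpwalk (walks the agent's MIB tree with a read community string; SNMPv1 sends the community string in cleartext)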

snmpwalk -v1 -c public 192.168.56.2

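snmpset (needs a read-write community string; iso.3.6.1.2.1.1.1.0 is sysDescr.0, which is read-only in the standard MIB, so agents normally reject this particular write; a set that succeeds on any object shows the write community is exposed)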

snmpset -v1 -c private 192.168.56.2 iso.3.6.1.2.1.1.1.0 s hacked

snmpget (reads a single object, here sysDescr.0)

snmpget -v1 -c private 192.168.56.2 iso.3.6.1.2.1.1.1.0