While doing a pentest it is important to know which services the target machine is running. Whatever the victim machine's OS (Linux/Windows), we can use nmap to reveal the open ports and the services behind them.
Let's start with a simple nmap scan:
# nmap 10.10.10.10
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-03 10:34 EST
Nmap scan report for 10.10.10.10
Host is up (0.18s latency).
Not shown: 995 closed ports
PORT     STATE    SERVICE
135/tcp  open     msrpc
139/tcp  open     netbios-ssn
445/tcp  open     microsoft-ds
1042/tcp filtered afrog
1433/tcp open     ms-sql-s
If you run nmap with only an IP, it shows the result above: each open port and the service name associated with it. If you want more detail, use the following nmap command:
# nmap -sC -sV 10.10.10.10
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-03 10:44 EST
Nmap scan report for 10.10.10.10
Host is up (0.18s latency).
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
1433/tcp open  ms-sql-s     Microsoft SQL Server 14.00.1000.00
| ms-sql-ntlm-info:
|   Target_Name: CLI
|   NetBIOS_Domain_Name: CLI
|   NetBIOS_Computer_Name: CLIENT
|   DNS_Domain_Name: CLI.LOCAL
|   DNS_Computer_Name: CLIENT.CLI.LOCAL
|   DNS_Tree_Name: CLI.LOCAL
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2019-03-03T15:44:21
|_Not valid after:  2049-03-03T15:44:21
|_ssl-date: 2019-03-03T15:45:38+00:00; 0s from scanner time.

Host script results:
| ms-sql-info:
|   10.10.10.10:1433:
|     Version:
|       name: Microsoft SQL Server
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server
|_    TCP port: 1433
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-03-03 10:45:39
|_  start_date: N/A
This grabs the service banner (-sV, version detection) and runs the default NSE scripts (-sC). To learn more about these and other options, I encourage you to check the nmap manual page.
By default nmap only scans the top 1000 ports. To scan all ports, use the '-p-' option as below:
# nmap 10.10.10.10 -p-
I have not included the result here. Consider it your task to do.
If you want to know the default service on each port and happen to be an Ubuntu user, you can open the /etc/services file to look it up. In the result above we can see 139 and 445, which are the SMB ports. Another interesting port is 1433, the MSSQL port. We can dig further into these using other tools.
Note: If you are going to test MSSQL from Ubuntu, you can use sqlectron, a lightweight, simple, cross-platform SQL client that supports MSSQL.
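The post reads the port table by eye and cross-checks it against /etc/services. The following Python script is an added example (not part of the original post and not nmap's own code) that does the same triage mechanically: it parses the PORT/STATE/SERVICE table from nmap's normal output, looks each open port up in an /etc/services-style table, flags the ports the post singles out (139/445 for SMB, 1433 for MSSQL), and also checks the smb2-security-mode script line for the "signing enabled but not required" finding shown in the scan above. The scan text, the services excerpt and the host-script excerpt are constructed samples modelled on the output in the post; the INTERESTING table and all function names are assumptions made for this example.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample of nmap "normal" output, modelled on the first scan in the post.
SAMPLE_SCAN = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-03 10:34 EST
Nmap scan report for 10.10.10.10
Host is up (0.18s latency).
Not shown: 995 closed ports
PORT     STATE    SERVICE
135/tcp  open     msrpc
139/tcp  open     netbios-ssn
445/tcp  open     microsoft-ds
1042/tcp filtered afrog
1433/tcp open     ms-sql-s
"""

# Constructed excerpt in /etc/services format (the real file on Ubuntu is much longer).
SAMPLE_SERVICES = """\
# Network services, Internet style
msrpc           135/tcp     epmap
netbios-ssn     139/tcp
microsoft-ds    445/tcp
ms-sql-s        1433/tcp    # Microsoft-SQL-Server
"""

# Constructed excerpt of the -sC host script results, as shown in the post's second scan.
SAMPLE_HOST_SCRIPTS = """\
Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""


class PortEntry(NamedTuple):
    port: int
    proto: str
    state: str
    service: str


# A port-table row looks like "1433/tcp open ms-sql-s" (plus an optional VERSION column).
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_port_table(output: str) -> List[PortEntry]:
    """Extract every port/state/service row from nmap normal output."""
    entries = []
    for line in output.splitlines():
        m = PORT_LINE.match(line)
        if m:
            entries.append(PortEntry(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries


def open_ports(output: str) -> List[int]:
    """Only ports nmap reports as open (filtered ports are left out)."""
    return [e.port for e in parse_port_table(output) if e.state == "open"]


def parse_services(text: str) -> Dict[Tuple[int, str], str]:
    """Parse /etc/services-style lines into {(port, proto): service-name}."""
    table: Dict[Tuple[int, str], str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2 or "/" not in parts[1]:
            continue
        port, proto = parts[1].split("/", 1)
        table[(int(port), proto)] = parts[0]
    return table


# Ports the post singles out as worth a closer look (assumed labels for this example).
INTERESTING = {139: "SMB (NetBIOS session)", 445: "SMB", 1433: "MSSQL"}


def triage(output: str, services_text: str) -> List[str]:
    """One line per open port: nmap's name, the /etc/services name, and a tag if notable."""
    services = parse_services(services_text)
    notes = []
    for e in parse_port_table(output):
        if e.state != "open":
            continue
        known = services.get((e.port, e.proto), "unknown")
        tag = INTERESTING.get(e.port)
        line = f"{e.port}/{e.proto} {e.service} (/etc/services: {known})"
        notes.append(line + (f" <- {tag}" if tag else ""))
    return notes


def smb_signing_not_required(output: str) -> bool:
    """True when the smb2-security-mode script reports signing is optional on the host."""
    return "Message signing enabled but not required" in output


if __name__ == "__main__":
    for note in triage(SAMPLE_SCAN, SAMPLE_SERVICES):
        print(note)
    if smb_signing_not_required(SAMPLE_HOST_SCRIPTS):
        print("finding: SMB message signing is not required on this host")
```

The regex is written for the normal (human-readable) output because that is what the post shows; for anything beyond a quick script, save the scan with nmap's -oX option and parse the XML instead, since the column layout of the normal output is not a stable interface.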