원클릭으로
port-service-discovery
Nmap scan for MySQL, Redis, FTP, SSH, internal API services.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Nmap scan for MySQL, Redis, FTP, SSH, internal API services.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
Attack SAML SSO via XSW, signature strip, metadata extract.
Chain multiple vulns into critical impact attack paths.
Execute optimal kill chains for WordPress full compromise.
Escape Docker containers to host root via 5 techniques.
Catalog: 25 attacks, 18 WP, 8 CORS to match findings.
7-phase pentest pipeline from passive recon to exploitation.
| name | port-service-discovery |
| description | Nmap scan for MySQL, Redis, FTP, SSH, internal API services. |
| version | 1.0.0 |
| author | uphiago |
| license | MIT |
| platforms | ["linux"] |
| compatibility | Requires curl, nmap, python3, masscan, subfinder, httpx, nuclei |
| metadata | {"tags":["recon","port-scan","mysql","FTP","SSH","internal-api"],"category":"recon","related_skills":["deep-invade","wp-mass-recon","cross-attack-chains","staging-subdomain-hunt","xmlrpc-exploitation"]} |
Fast port scanning with nmap to discover exposed services (MySQL, FTP, SSH, SMTP, internal APIs, Redis, MongoDB) on WordPress and web targets. MySQL on port 3306 open to the internet is one of the rarest but most critical findings — confirmed on patientportal.com (healthcare SaaS). Port scanning reveals the infrastructure layer that HTTP-based recon misses.
deep-invade Phase 6 on a high-value target.terminal tool with nmap (available on worker container).# Fast top-100 port scan (30 seconds)
nmap -F --open -T4 TARGET -oN nmap_fast.txt
# Top 1000 ports (2-3 minutes)
nmap --top-ports 1000 --open -T4 TARGET -oN nmap_1000.txt
# Service version detection on open ports
nmap -sV -p $(grep 'open' nmap_fast.txt | cut -d/ -f1 | tr '\n' ',') TARGET
# Firewall bypass: fragment packets
nmap -f -F TARGET
| Port | Service | Finding Severity |
|---|---|---|
| 3306 | MySQL | Critical (if open to internet) |
| 27017 | MongoDB | Critical (if no auth) |
| 6379 | Redis | Critical (if no auth) |
| 5432 | PostgreSQL | High |
| 1433 | MS SQL Server | High |
| 21 | FTP | High (anonymous login?) |
| 22 | SSH | Info (check for weak auth) |
| 8080/8081/8082/8084 | Internal APIs | High (backend services exposed) |
| 9200 | Elasticsearch | High (data exposure) |
| 25/587 | SMTP | Medium (open relay?) |
| 110/143/993 | POP3/IMAP | Info |
| 8443 | HTTPS alt (admin panels) | Medium |
| 9090 | Prometheus/Cockpit | Medium |
| 3000 | Grafana/Node.js dev | Medium |
TARGET="$1"
OUTDIR="/root/output/ports"
mkdir -p "$OUTDIR"
echo "[*] Fast scan (top 100 ports) on $TARGET..."
nmap -F --open -T4 --max-retries 1 --host-timeout 60s "$TARGET" -oN "$OUTDIR/${TARGET}_fast.nmap" 2>/dev/null
echo "[*] Open ports:"
grep 'open' "$OUTDIR/${TARGET}_fast.nmap" || echo " None found"
TARGET="$1"
OUTDIR="/root/output/ports"
# Get comma-separated list of open ports
OPEN_PORTS=$(grep '^[0-9]' "$OUTDIR/${TARGET}_fast.nmap" | awk -F/ '{print $1}' | tr '\n' ',' | sed 's/,$//')
if [[ -n "$OPEN_PORTS" ]]; then
echo "[*] Service detection on ports: $OPEN_PORTS"
nmap -sV --version-intensity 5 -p "$OPEN_PORTS" "$TARGET" -oN "$OUTDIR/${TARGET}_services.nmap" 2>/dev/null
echo "[*] Services:"
grep 'open' "$OUTDIR/${TARGET}_services.nmap"
else
echo "[-] No open ports found"
fi
TARGET="$1"
OUTDIR="/root/output/ports"
echo "[*] Critical exposure assessment:"
# MySQL (3306)
if grep -q '3306.*open' "$OUTDIR/${TARGET}_fast.nmap" 2>/dev/null; then
echo ""
echo "[CRITICAL] MySQL 3306 OPEN — attempting banner grab..."
# Try to get MySQL version
mysql_info=$(timeout 5 nc -w 3 "$TARGET" 3306 </dev/null 2>/dev/null | head -1)
[[ -n "$mysql_info" ]] && echo " Banner: $mysql_info"
# Test for no-auth MySQL
echo " Testing anonymous access..."
# This typically requires mysql client; note methodology
echo " Manual check: mysql -h $TARGET -u root --skip-ssl"
echo " Manual check: mysql -h $TARGET -u admin --skip-ssl"
fi
# MongoDB (27017)
if grep -q '27017.*open' "$OUTDIR/${TARGET}_fast.nmap" 2>/dev/null; then
echo ""
echo "[CRITICAL] MongoDB 27017 OPEN"
echo " Manual check: mongosh mongodb://$TARGET:27017"
fi
# Redis (6379)
if grep -q '6379.*open' "$OUTDIR/${TARGET}_fast.nmap" 2>/dev/null; then
echo ""
echo "[HIGH] Redis 6379 OPEN — testing no-auth access..."
redis_test=$(timeout 5 bash -c "echo -e 'PING\r\nINFO\r\n' | nc -w 3 '$TARGET' 6379 2>/dev/null")
if echo "$redis_test" | grep -q "PONG"; then
echo " [CRITICAL] Redis NO AUTH — full access!"
echo " Response: $(echo "$redis_test" | head -5)"
else
echo " Redis requires auth (or connection failed)"
fi
fi
# Internal API ports (8080-8089)
for port in 8080 8081 8082 8084 8088 8443 3000 5000 9000 9090; do
if grep -q "${port}.*open" "$OUTDIR/${TARGET}_fast.nmap" 2>/dev/null; then
echo ""
echo "[HIGH] Port $port OPEN — probing HTTP..."
http_code=$(curl -sk -o /dev/null -w "%{http_code}" --max-time 5 "http://$TARGET:$port/" 2>/dev/null)
if [[ "$http_code" != "000" ]]; then
echo " HTTP $http_code on port $port"
title=$(curl -sk --max-time 5 "http://$TARGET:$port/" 2>/dev/null | grep -oP '<title>\K[^<]+')
[[ -n "$title" ]] && echo " Title: $title"
# Check for Swagger/API docs
for api_path in "swagger.json" "api-docs" "swagger-ui.html" "graphql" "actuator/health"; do
api_code=$(curl -sk -o /dev/null -w "%{http_code}" --max-time 5 "http://$TARGET:$port/$api_path")
[[ "$api_code" == "200" ]] && echo " [API] http://$TARGET:$port/$api_path (HTTP 200)"
done
fi
fi
done
# FTP (21) — check for anonymous login
if grep -q '21.*open' "$OUTDIR/${TARGET}_fast.nmap" 2>/dev/null; then
echo ""
echo "[HIGH] FTP 21 OPEN — testing anonymous login..."
anon_test=$(timeout 10 bash -c "echo -e 'anonymous\nanonymous\n' | nc -w 3 '$TARGET' 21 2>/dev/null")
if echo "$anon_test" | grep -qi "230"; then
echo " [CRITICAL] Anonymous FTP login successful!"
elif echo "$anon_test" | grep -qi "530\|331"; then
echo " Anonymous FTP: requires auth"
fi
fi
# SSH (22) — check for weak ciphers
if grep -q '22.*open' "$OUTDIR/${TARGET}_fast.nmap" 2>/dev/null; then
echo ""
echo "[INFO] SSH 22 OPEN"
ssh_banner=$(timeout 5 nc -w 3 "$TARGET" 22 </dev/null 2>/dev/null | head -1)
[[ -n "$ssh_banner" ]] && echo " Banner: $ssh_banner"
fi
TARGET="$1"
OUTDIR="/root/output/ports"
# If no ports found in top-100, expand to top-1000
if ! grep -q 'open' "$OUTDIR/${TARGET}_fast.nmap" 2>/dev/null; then
echo "[*] No ports in top-100, scanning top-1000..."
nmap --top-ports 1000 --open -T4 --max-retries 1 --host-timeout 120s "$TARGET" -oN "$OUTDIR/${TARGET}_1000.nmap" 2>/dev/null
OPEN=$(grep 'open' "$OUTDIR/${TARGET}_1000.nmap")
if [[ -z "$OPEN" ]]; then
# Try SYN scan with fragmentation for firewall evasion
echo "[*] Still nothing — trying fragmented SYN scan..."
nmap -f -sS -F --open -T4 "$TARGET" -oN "$OUTDIR/${TARGET}_frag.nmap" 2>/dev/null
fi
fi
TARGET="$1"
echo "[*] WAF/CDN detection:"
# Check for Cloudflare
cf_header=$(curl -skI --max-time 5 "https://$TARGET/" 2>/dev/null | grep -i "cf-ray\|cloudflare")
[[ -n "$cf_header" ]] && echo " Cloudflare detected"
# Check for AWS CloudFront
cf_header=$(curl -skI --max-time 5 "https://$TARGET/" 2>/dev/null | grep -i "x-amz-cf\|cloudfront")
[[ -n "$cf_header" ]] && echo " AWS CloudFront detected"
# Check origin IP (bypass CDN)
echo "[*] Historical DNS records for origin IP discovery:"
# SecurityTrails, DNSDumpster, etc. — use web_extract for these
echo " Manual: securitytrails.com/domain/$TARGET/dns/a"
echo " Manual: dnsdumpster.com"
# Try direct IP connection (if known)
# curl -sk --resolve "$TARGET:443:ORIGIN_IP" "https://$TARGET/"
-sS (SYN scan) is available. If running from a non-root context, use -sT (TCP connect).-T2 (polite timing) and --max-retries 1 on sensitive targets.caching_sha2_password). Banner may be empty.curl with various Host headers.nmap -sV).PONG to PING command.