Services

Overview Adobe Experience Manager (AEM) is an enterprise content management system widely used by Fortune 500 companies for managing digital marketing content, assets, and websites. It is built on Apache Sling, Apache Felix (OSGi), and uses a JCR (Java Content Repository) backend called Apache Jackrabbit CRX. From a security perspective, AEM is one of the richest targets in enterprise web application testing: default credentials, dozens of exposed servlets, Dispatcher bypass techniques, data extraction via QueryBuilder, and paths to RCE make it a recurring finding in red team engagements. ...

Overview Apache Solr is an open-source enterprise search platform built on Apache Lucene. It is commonly exposed internally and occasionally externally in corporate environments, cloud deployments, and data pipelines. Its rich HTTP API and Java internals make it a high-value target: unauthenticated admin panels, multiple deserialization vectors, SSRF handlers, and template injection have all led to full server compromise. Default Ports: Port Service 8983 Solr HTTP API / Admin UI 9983 Solr inter-node communication (SolrCloud) 2181 ZooKeeper (embedded SolrCloud) Recon and Fingerprinting Service Detection nmap -sV -p 8983,9983 TARGET_IP nmap -sV -p 8983 --script http-title,http-headers TARGET_IP Admin Panel Access The Solr Admin UI is located at: ...

Overview Apache ZooKeeper is a distributed coordination service used by Hadoop, Kafka, Solr, HBase, and many other distributed systems. It stores configuration data, distributed locks, service registry information, and other coordination state in a hierarchical namespace called “znodes.” When exposed without authentication, ZooKeeper is a goldmine: credentials, internal topology, cluster configuration, and secrets are frequently stored in plaintext znodes. Default Ports: Port Service 2181 ZooKeeper client port (primary) 2182 ZooKeeper TLS client port 2888 Peer-to-peer communication 3888 Leader election 8080 AdminServer HTTP API (ZK 3.5+) Recon and Fingerprinting Service Detection nmap -sV -p 2181,2182,2888,3888,8080 TARGET_IP nmap -sV -p 2181 --script zookeeper-info TARGET_IP Four Letter Words (4LW Commands) ZooKeeper supports short text commands sent directly over TCP. These are often accessible without authentication: ...

Overview Eclipse Jetty is a widely deployed Java-based HTTP server and servlet container. It is commonly embedded in products such as Jenkins, SonarQube, Elasticsearch, and many enterprise Java applications. Jetty’s long history has produced several significant path traversal vulnerabilities, particularly around URL encoding and request parsing, leading to unauthorized access to WEB-INF contents, web.xml files, and sensitive application configuration. Default Ports: Port Service 8080 HTTP 8443 HTTPS 8009 AJP (if configured) Recon and Fingerprinting Service Detection nmap -sV -p 8080,8443 TARGET_IP nmap -p 8080 --script http-headers,http-title,http-server-header TARGET_IP Version Fingerprinting # Server header reveals Jetty version curl -sv http://TARGET_IP:8080/ 2>&1 | grep -i "Server:" # X-Powered-By header curl -sv http://TARGET_IP:8080/ 2>&1 | grep -i "X-Powered-By" # Error page fingerprinting curl -s http://TARGET_IP:8080/nonexistent_page_12345 | grep -i jetty # Robots.txt / sitemap curl -s http://TARGET_IP:8080/robots.txt curl -s http://TARGET_IP:8080/sitemap.xml Directory and Path Discovery # Common Jetty paths for path in "/" "/index.html" "/WEB-INF/" "/WEB-INF/web.xml" "/META-INF/" "/favicon.ico" "/.well-known/" "/test/" "/examples/" "/demo/"; do CODE=$(curl -s -o /dev/null -w "%{http_code}" "http://TARGET_IP:8080$path") echo "$CODE : http://TARGET_IP:8080$path" done CVE-2021-28164 — Path Traversal CVSS: 5.3 Medium Affected: Jetty 9.4.37.v20210219 to 9.4.38.v20210224 Type: Path traversal in URI handling CWE: CWE-22 ...

Overview Enovia is Dassault Systèmes’ Product Lifecycle Management (PLM) application running on the 3DEXPERIENCE platform. It is deployed in aerospace, defense, automotive, pharmaceutical, and manufacturing industries. The platform manages CAD models, BOMs (Bills of Materials), engineering workflows, regulatory compliance documentation, and sensitive intellectual property. From a security perspective, 3DEXPERIENCE has a large REST API attack surface, complex access control, and numerous default configurations that can lead to unauthorized data access. ...

Overview IBM MQ (formerly MQSeries, WebSphere MQ) is an enterprise message-oriented middleware platform used in banking, finance, and large enterprise environments for reliable, transactional message delivery between applications. Exposed IBM MQ ports can enable attackers to enumerate queues, read and inject messages into business-critical message flows, and potentially escalate to application-level compromise. The protocol is binary but well-documented; several tools exist for security testing. End of Support Notice (2026): IBM MQ 9.1 and 9.2 have reached End of Support. CVE-2021-38920 and similar vulnerabilities disclosed during their support window are critical for organizations still running these versions, as no further patches will be released. Current supported versions are 9.3 LTS and 10.0. If the target is running 9.1 or 9.2, treat all known CVEs as unpatched. ...

Overview IBM WebSphere Application Server (WAS) is an enterprise Java EE application server widely deployed in large financial institutions, insurance companies, and government agencies. It is frequently found in legacy environments running outdated versions. WebSphere’s administrative console, SOAP-based management interface, and complex deployment history have produced numerous security vulnerabilities including path traversal, authentication bypass, SOAP deserialization, and SSRF. Default Ports: Port Service 9060 WAS Admin Console (HTTP) 9043 WAS Admin Console (HTTPS) 9080 Application HTTP 9443 Application HTTPS 8880 SOAP management port 8879 RMI port (alternative/complement to 8880 SOAP) 2809 IIOP bootstrap 9353 SIB service integration bus 7276 High Availability Manager 9810 Node Agent bootstrap port (clustered/ND environments) Recon and Fingerprinting nmap -sV -p 9060,9043,9080,9443,8880 TARGET_IP nmap -p 9080 --script http-title,http-headers TARGET_IP # Admin console discovery curl -sv http://TARGET_IP:9060/ibm/console/ 2>&1 | grep -iE "websphere|ibm|console" curl -sv https://TARGET_IP:9043/ibm/console/ -k 2>&1 | grep -iE "websphere|ibm|console" # Version from error pages curl -s http://TARGET_IP:9080/nonexistent_$(date +%s) | grep -i websphere # HTTP headers curl -I http://TARGET_IP:9080/ Version Detection Endpoints # SOAP management API — get version curl -s -k "https://TARGET_IP:8880/ibm/console/secure/isAlive.jsp" # IBM console status curl -s -k "https://TARGET_IP:9043/ibm/console/login.do" # Admin console for port in 9060 9043; do CODE=$(curl -sk -o /dev/null -w "%{http_code}" "https://TARGET_IP:$port/ibm/console/") echo "Port $port: $CODE" done # IBMWebAS server header curl -s -I http://TARGET_IP:9080/ | grep -i "ibm\|websphere" CVE-2020-4534 — Path Traversal CVSS: 6.1 Medium Affected: IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 (before specific fix packs) Type: Path traversal / open redirect CWE: CWE-22 ...

Overview Java RMI (Remote Method Invocation) is Java’s built-in mechanism for executing methods on objects in remote JVMs. The RMI registry, by default on port 1099, acts as a directory service for remote objects. Because RMI uses Java serialization for all object transport, exposed RMI endpoints are classic deserialization attack surfaces. When paired with outdated Commons Collections, Spring, or other library gadget chains, unauthenticated RCE is frequently achievable. RMI-IIOP extends this over the CORBA IIOP protocol. ...

Overview JBoss Application Server (now WildFly) is a Java EE-compliant application server developed by Red Hat. Legacy JBoss installations (versions 3.x through 6.x) are infamous for unauthenticated remote code execution, primarily through exposed management consoles and Java deserialization vulnerabilities. Versions 4.x and 5.x in particular are found frequently in legacy enterprise environments and are among the most exploitable services during penetration tests. Default Ports: Port Service 8080 HTTP / Web Console / JMX Console 8443 HTTPS 4444 JBoss Remoting / JNDI 4445 JBoss Remoting (secondary) 1099 RMI Registry 8009 AJP Connector 9990 WildFly Admin Console (newer versions) 9999 WildFly Management Native Recon and Fingerprinting nmap -sV -p 8080,8443,4444,4445,1099,9990 TARGET_IP nmap -p 8080 --script http-title,http-headers,http-server-header TARGET_IP # Check for JBoss headers curl -sv http://TARGET_IP:8080/ 2>&1 | grep -iE "server:|X-Powered-By:|jboss" # Version from status page curl -s http://TARGET_IP:8080/status curl -s http://TARGET_IP:8080/web-console/ServerInfo.jsp # Error page fingerprint curl -s http://TARGET_IP:8080/nopage_$(date +%s) | grep -i "jboss\|jbossas\|wildfly" Sensitive URLs to Probe # JMX Console (unauthenticated in JBoss 4.x by default) curl -sv http://TARGET_IP:8080/jmx-console/ # Web Console curl -sv http://TARGET_IP:8080/web-console/ # Admin Console curl -sv http://TARGET_IP:8080/admin-console/ # JBoss WS curl -sv http://TARGET_IP:8080/jbossws/ # Management API (WildFly/JBoss 7+) curl -sv http://TARGET_IP:9990/management # Invoker servlet curl -sv http://TARGET_IP:8080/invoker/JMXInvokerServlet curl -sv http://TARGET_IP:8080/invoker/EJBInvokerServlet CVE-2017-12149 vs CVE-2015-7501 — Endpoint Distinction These two CVEs are frequently conflated. They use the same ysoserial CommonsCollections gadgets but target different endpoints with different underlying components: ...

Overview Modbus is a serial communication protocol developed in 1979 for use with PLCs (Programmable Logic Controllers). It has become a de facto standard in industrial communication and is widely deployed in ICS (Industrial Control Systems) and SCADA environments. Modbus/TCP exposes the protocol over TCP port 502 and, critically, has no built-in authentication or encryption. Any device that can reach port 502 can read sensor data, write to coils and registers, and potentially manipulate physical processes. ...

Overview MQTT (Message Queuing Telemetry Transport) is a lightweight publish-subscribe messaging protocol designed for IoT devices, sensor networks, and machine-to-machine communication. It runs over TCP and is commonly deployed in smart home systems, industrial IoT, healthcare devices, fleet management, and building automation. MQTT brokers are frequently exposed with no authentication, and even when authentication is enabled, it is often transmitted in cleartext. Unauthenticated MQTT access can expose sensitive sensor data, device commands, and organizational operational data. ...

Overview Oracle Database exposes a TNS (Transparent Network Substrate) Listener on port 1521 that acts as the gateway for all database connections. The listener process, when misconfigured or running a vulnerable version, can be exploited for information disclosure, poisoning attacks, SID brute forcing, and full database access through default credentials. Oracle databases are among the highest-value targets in enterprise pentests due to the sensitive business data they contain. Default Ports: ...

Overview Oracle WebLogic Server is a Java EE application server widely deployed in enterprise and financial sector environments. It is one of the most targeted middleware products due to its proprietary T3 protocol, IIOP support, and long history of critical deserialization vulnerabilities. WebLogic CVEs frequently receive CVSS 9.8 scores and have been used in ransomware deployment, cryptomining campaigns, and APT lateral movement. Default Ports: Port Service 7001 HTTP (Admin Console, T3, IIOP — all multiplexed) 7002 HTTPS (Admin Console, T3S, IIOPS) 7003 HTTP (managed servers) 7004 HTTPS (managed servers) 7070 HTTP alternative 4007 Coherence cluster 5556 Node Manager T3 and IIOP on 7001: Both T3 and IIOP are multiplexed on port 7001. Connection filters that block T3 often do not block IIOP. Test both protocols independently. ...

Overview RabbitMQ is a widely deployed open-source message broker implementing AMQP, MQTT, and STOMP protocols. Its management plugin exposes an HTTP API and web UI on port 15672. The notorious default credentials (guest/guest) and comprehensive management REST API make exposed RabbitMQ instances a frequent finding in internal penetration tests. Access to the management interface allows full enumeration of virtual hosts, queues, exchanges, bindings, and message interception/injection. Default Ports: Port Service 5672 AMQP (unencrypted) 5671 AMQP over TLS 15672 Management HTTP API / Web UI 15671 Management HTTPS 25672 Erlang distribution (inter-node) 4369 EPMD (Erlang Port Mapper Daemon) 1883 MQTT plugin 61613 STOMP plugin 15674 STOMP over WebSocket 15692 Prometheus metrics (no auth by default) Recon and Fingerprinting Step 0 — Prometheus Metrics Endpoint (Pre-Authentication Intel) Before attempting any credentials, check the Prometheus metrics endpoint. It is enabled by the rabbitmq_prometheus plugin and by default requires no authentication: ...

Overview RTSP (Real Time Streaming Protocol, RFC 2326) is an application-layer protocol for controlling media streaming servers. It is used extensively in IP cameras, NVRs (Network Video Recorders), DVRs, media servers, and surveillance infrastructure. RTSP is commonly found on port 554 and is frequently misconfigured to allow unauthenticated stream access. Exposed RTSP streams are a significant privacy and security risk in corporate, industrial, and residential environments. Default Ports: Port Service 554 RTSP (standard) 8554 RTSP (alternative) 8080 RTSP over HTTP tunneling 1935 RTMP (related streaming protocol) Protocol Overview RTSP is a stateful protocol that uses HTTP-like methods: ...

Overview CVE-2020-0796, commonly known as SMBGhost (also referred to as CoronaBlue or EternalDarkness), is a pre-authentication remote code execution vulnerability in the SMBv3 (Server Message Block version 3.1.1) compression handling subsystem of the Windows TCP/IP network stack. With a CVSS score of 10.0, it affects Windows 10 versions 1903 and 1909, and the Windows Server Semi-Annual Channel releases version 1903 and 1909. This vulnerability is wormable — it can propagate without user interaction, similar to EternalBlue (MS17-010). Unlike EternalBlue, SMBGhost targets a newer protocol version and requires no prior knowledge of the target system. ...

Overview Swagger UI is the most widely deployed tool for visualizing and interacting with REST API specifications. When encountered during an infrastructure penetration test, a Swagger UI endpoint represents a complete map of an application’s API attack surface: all endpoints, parameters, data models, authentication schemes, and sometimes internal paths are exposed. Beyond information disclosure, several attack vectors specific to Swagger UI and OpenAPI spec handling — including SSRF via configUrl, XSS via spec injection, and authentication bypass — make it a high-priority finding. ...

Overview Telnet (TELetype NETwork, RFC 854) is a decades-old protocol operating on TCP port 23 that provides an unencrypted bidirectional text communication channel. In 2026, Telnet continues to appear in pentests and red team engagements — on embedded devices, industrial controllers, medical devices, network equipment, IoT sensors, smart building systems, and legacy operational technology. It also appears on Linux servers still running inetutils-telnetd, where a critical authentication bypass was disclosed in early 2026. ...