Skip to content

Latest commit

 

History

History
115 lines (87 loc) · 4.49 KB

Footprinting.md

File metadata and controls

115 lines (87 loc) · 4.49 KB
Raw

Infrastructure-based Enumeration

Command Description
curl -s https://crt.sh/\?q\=<target-domain>\&output\=json | jq . Certificate transparency.
for i in $(cat ip-addresses.txt);do shodan host $i;done Scan each IP address in a list using Shodan.

Host-based Enumeration

FTP
Command Description
ftp <FQDN/IP> Interact with the FTP service on the target.
nc -nv <FQDN/IP> 21 Interact with the FTP service on the target.
telnet <FQDN/IP> 21 Interact with the FTP service on the target.
openssl s_client -connect <FQDN/IP>:21 -starttls ftp Interact with the FTP service on the target using encrypted connection.
wget -m --no-passive ftp://anonymous:anonymous@<target> Download all available files on the target FTP server.
SMB
Command Description
smbclient -N -L //<FQDN/IP> Null session authentication on SMB.
smbclient //<FQDN/IP>/<share> Connect to a specific SMB share.
rpcclient -U "" <FQDN/IP> Interaction with the target using RPC.
samrdump.py <FQDN/IP> Username enumeration using Impacket scripts.
smbmap -H <FQDN/IP> Enumerating SMB shares.
crackmapexec smb <FQDN/IP> --shares -u '' -p '' Enumerating SMB shares using null session authentication.
enum4linux-ng.py <FQDN/IP> -A SMB enumeration using enum4linux.
NFS
Command Description
showmount -e <FQDN/IP> Show available NFS shares.
mount -t nfs <FQDN/IP>:/<share> ./target-NFS/ -o nolock Mount the specific NFS share.umount ./target-NFS
umount ./target-NFS Unmount the specific NFS share.
DNS
Command Description
dig ns <domain.tld> @<nameserver> NS request to the specific nameserver.
dig any <domain.tld> @<nameserver> ANY request to the specific nameserver.
dig axfr <domain.tld> @<nameserver> AXFR request to the specific nameserver.
dnsenum --dnsserver <nameserver> --enum -p 0 -s 0 -o found_subdomains.txt -f ~/subdomains.list <domain.tld> Subdomain brute forcing.
SMTP
Command Description
telnet <FQDN/IP> 25
IMAP/POP3
Command Description
curl -k 'imaps://<FQDN/IP>' --user <user>:<password> Log in to the IMAPS service using cURL.
openssl s_client -connect <FQDN/IP>:imaps Connect to the IMAPS service.
openssl s_client -connect <FQDN/IP>:pop3s Connect to the POP3s service.
SNMP
Command Description
snmpwalk -v2c -c <community string> <FQDN/IP> Querying OIDs using snmpwalk.
onesixtyone -c community-strings.list <FQDN/IP> Bruteforcing community strings of the SNMP service.
braa <community string>@<FQDN/IP>:.1.* Bruteforcing SNMP service OIDs.
MySQL
Command Description
mysql -u <user> -p<password> -h <FQDN/IP> Login to the MySQL server.
MSSQL
Command Description
mssqlclient.py <user>@<FQDN/IP> -windows-auth Log in to the MSSQL server using Windows authentication.
IPMI
Command Description
msf6 auxiliary(scanner/ipmi/ipmi_version) IPMI version detection.
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) Dump IPMI hashes.
Linux Remote Management
Command Description
ssh-audit.py <FQDN/IP> Remote security audit against the target SSH service.
ssh <user>@<FQDN/IP> Log in to the SSH server using the SSH client.
ssh -i private.key <user>@<FQDN/IP> Log in to the SSH server using private key.
ssh <user>@<FQDN/IP> -o PreferredAuthentications=password Enforce password-based authentication.
Windows Remote Management
Command Description
rdp-sec-check.pl <FQDN/IP> Check the security settings of the RDP service.
xfreerdp /u:<user> /p:"<password>" /v:<FQDN/IP> Log in to the RDP server from Linux.
evil-winrm -i <FQDN/IP> -u <user> -p <password> Log in to the WinRM server.
wmiexec.py <user>:"<password>"@<FQDN/IP> "<system command>" Execute command using the WMI service.
Oracle TNS
Command Description
./odat.py all -s <FQDN/IP> Perform a variety of scans to gather information about the Oracle database services and its components.
sqlplus <user>/<pass>@<FQDN/IP>/<db> Log in to the Oracle database.
./odat.py utlfile -s <FQDN/IP> -d <db> -U <user> -P <pass> --sysdba --putFile C:\\insert\\path file.txt ./file.txt Upload a file with Oracle RDBMS.