Footprinting

Infrastructure-based Enumeration

# Certificate Transparency
curl -s https://crt.sh/\?q\=domain.com\&output\=json | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u

# grep for accessible subdomains
for i in $(cat subdomainlist);do host $i | grep "has address" | grep domain.com | cut -d" " -f1,4;done

# Scan each IP address in a list using Shodan
for i in $(cat ip-addresses.txt);do shodan host $i;done

# Cloud Resources
https://domain.glass
https://buckets.grayhatwarfare.com

# Google dorking
intext:domain.com inurl:blob.core.widows.net
intext:domain.com inurl:amazonaws.com

Host-based Enumeration

FTP

# Interact with the FTP service on the target.
ftp <FQDN/IP>
nc -nv <FQDN/IP> 21
telnet <FQDN/IP> 21

# Interact with the FTP service on the target using encrypted connection.
openssl s_client -connect <FQDN/IP>:21 -starttls ftp

# Download all available files on the target FTP server.
wget -m --no-passive ftp://anonymous:anonymous@<target>

SMB

# Null session authentication on SMB.
smbclient -N -L //<FQDN/IP>

# Connect to a specific SMB share.
smbclient //<FQDN/IP>/<share> 

# Interaction with the target using RPC.
rpcclient -U "" <FQDN/IP> 
srvinfo   # Server information.
enumdomains   # Enumerate all domains that are deployed in the network.
querydominfo   # Provides domain, server, and user information of deployed domains.
netshareenumall   # Enumerates all available shares.
netsharegetinfo <share>   # Provides information about a specific share.
enumdomusers   # Enumerates all domain users.
queryuser <RID>   # Provides information about a specific user.

# Username enumeration using Impacket scripts.
samrdump.py <FQDN/IP> 

# Enumerating SMB shares.
smbmap -H <FQDN/IP> 

# Enumerating SMB shares using null session authentication.
crackmapexec smb <FQDN/IP> --shares -u '' -p '' 

# SMB enumeration using enum4linux.
enum4linux-ng.py <FQDN/IP> -A

NFS

# Nmap
sudo nmap --script nfs* <FQDN/IP> -sV -p111,2049

# Show available NFS shares.
showmount -e <FQDN/IP> 

# Mount the specific NFS share to ./target-NFS
sudo mount -t nfs <FQDN/IP>:/<share> ./target-NFS/ -o nolock 

# Unmount the specific NFS share.
umount ./target-NFS

DNS

# NS request to the specific nameserver.
dig ns <domain.tld> @<nameserver>

# ANY request to the specific nameserver.
dig any <domain.tld> @<nameserver> 

# AXFR request to the specific nameserver.
dig axfr <domain.tld> @<nameserver> 

# Subdomain brute forcing.
dnsenum --dnsserver <nameserver> --enum -p 0 -s 0 -o found_subdomains.txt -f ~/subdomains.list <domain.tld>

SMTP

telnet <FQDN/IP> 25

IMAP/POP3

#  use Evolution for GUI
# Log in to the IMAPS service using cURL.
curl -k 'imaps://<FQDN/IP>' --user <user>:<password> 

# Connect to the IMAPS service.
openssl s_client -connect <FQDN/IP>:imaps
# IMAPS Commands examples
1 LOGIN username password    # User's login.
1 LIST "" *    # Lists all directories.
1 CREATE "INBOX"    # Creates a mailbox with a specified name.
1 DELETE "INBOX"    # Deletes a mailbox.
1 RENAME "ToRead" "Important"    # Renames a mailbox.
1 LSUB "" *    # Returns a subset of names from the set of names that the User has declared as being active or subscribed.
1 SELECT INBOX    # Selects a mailbox so that messages in the mailbox can be accessed.
1 UNSELECT INBOX    # Exits the selected mailbox.
1 FETCH <ID> all    # Retrieves data associated with a message in the mailbox.
1 CLOSE    # Removes all messages with the Deleted flag set.
1 LOGOUT    # Closes the connection with the IMAP server.

# Connect to the POP3s service.
openssl s_client -connect <FQDN/IP>:pop3s
# POP3s Commands examples
USER username    # Identifies the user.
PASS password    # Authentication of the user using its password.
STAT    # Requests the number of saved emails from the server.
LIST    # Requests from the server the number and size of all emails.
RETR id    # Requests the server to deliver the requested email by ID.
DELE id    # Requests the server to delete the requested email by ID.
CAPA    # Requests the server to display the server capabilities.
RSET    # Requests the server to reset the transmitted information.
QUIT    # Closes the connection with the POP3 server.

SNMP

# Bruteforcing community strings of the SNMP service.
onesixtyone -c community-strings.list <FQDN/IP>
nmap -sU <FQDN/IP> -p 161 --script=snmp-brute -Pn --script-args snmp-brute.communitiesdb=snmp.txt

# Querying OIDs using snmpwalk.
snmpwalk -v2c -c <community string> <FQDN/IP>

# Bruteforcing SNMP service OIDs.
braa <community string>@<FQDN/IP>:.1.*

MySQL

# Login to the MySQL server.
mysql -u <user> -p<password> -h <FQDN/IP>

MSSQL

# MSSQL Ping in Metasploit
auxiliary/scanner/mssql/mssql_ping

# NMAP MSSQL Script Scan
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 IP

# Log in to the MSSQL server using Windows authentication.
mssqlclient.py <user>@<FQDN/IP> -windows-auth

IPMI

# Nmap
sudo nmap -sU --script ipmi-version -p 623 IP

# IPMI version detection.
msf6 auxiliary(scanner/ipmi/ipmi_version)

# Dump IPMI hashes.
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes)

Linux Remote Management

# Remote security audit against the target SSH service.
ssh-audit.py <FQDN/IP>

# Log in to the SSH server using the SSH client : -v optional for verbosity
ssh [-v] <user>@<FQDN/IP>

# Log in to the SSH server using private key.
ssh -i private.key <user>@<FQDN/IP>

# Enforce password-based authentication.
ssh <user>@<FQDN/IP> -o PreferredAuthentications=password

# Scanning for Rsync
sudo nmap -sV -p 873 <FQDN/IP>

# Probing for Accessible Shares
nc -nv <FQDN/IP> 873

# Enumerating an Open Share
rsync -av --list-only rsync://127.0.0.1/dev

# Sync the file to attack host
rsync -av rsync://127.0.0.1/dev

Windows Remote Management

# Nmap
nmap -sV -sC 10.129.201.248 -p3389 --script rdp*

# Check the security settings of the RDP service.
rdp-sec-check.pl <FQDN/IP>

# Log in to the RDP server from Linux.
xfreerdp /u:<user> /p:"<password>" /v:<FQDN/IP> 
rdesktop -u user <FQDN/IP>

# Log in to the WinRM server.
# Windows PS
Test-WSMan <FQDN/IP>
#Linux
evil-winrm -i <FQDN/IP> -u <user> -p <password> 

# Execute command using the WMI service.
wmiexec.py <user>:"<password>"@<FQDN/IP> "<system command>"

Oracle TNS

# Perform a variety of scans to gather information about the Oracle database services and its components.
./odat.py all -s <FQDN/IP> 

# Log in to the Oracle database.
sqlplus <user>/<pass>@<FQDN/IP>/<db>

# Upload a file with Oracle RDBMS.
./odat.py utlfile -s <FQDN/IP> -d <db> -U <user> -P <pass> --sysdba --putFile C:\\insert\\path file.txt ./file.txt

PreviousNetwork Enumeration with Nmap NextFile Transfers

Last updated 13 days ago

# Certificate Transparency curl -s https://crt.sh/\?q\=domain.com\&output\=json | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u # grep for accessible subdomains for i in $(cat subdomainlist);do host $i | grep "has address" | grep domain.com | cut -d" " -f1,4;done # Scan each IP address in a list using Shodan for i in $(cat ip-addresses.txt);do shodan host $i;done # Cloud Resources https://domain.glass https://buckets.grayhatwarfare.com # Google dorking intext:domain.com inurl:blob.core.widows.net intext:domain.com inurl:amazonaws.com

# Interact with the FTP service on the target. ftp <FQDN/IP> nc -nv <FQDN/IP> 21 telnet <FQDN/IP> 21 # Interact with the FTP service on the target using encrypted connection. openssl s_client -connect <FQDN/IP>:21 -starttls ftp # Download all available files on the target FTP server. wget -m --no-passive ftp://anonymous:anonymous@<target>

# Null session authentication on SMB. smbclient -N -L //<FQDN/IP> # Connect to a specific SMB share. smbclient //<FQDN/IP>/<share> # Interaction with the target using RPC. rpcclient -U "" <FQDN/IP> srvinfo # Server information. enumdomains # Enumerate all domains that are deployed in the network. querydominfo # Provides domain, server, and user information of deployed domains. netshareenumall # Enumerates all available shares. netsharegetinfo <share> # Provides information about a specific share. enumdomusers # Enumerates all domain users. queryuser <RID> # Provides information about a specific user. # Username enumeration using Impacket scripts. samrdump.py <FQDN/IP> # Enumerating SMB shares. smbmap -H <FQDN/IP> # Enumerating SMB shares using null session authentication. crackmapexec smb <FQDN/IP> --shares -u '' -p '' # SMB enumeration using enum4linux. enum4linux-ng.py <FQDN/IP> -A

# Nmap sudo nmap --script nfs* <FQDN/IP> -sV -p111,2049 # Show available NFS shares. showmount -e <FQDN/IP> # Mount the specific NFS share to ./target-NFS sudo mount -t nfs <FQDN/IP>:/<share> ./target-NFS/ -o nolock # Unmount the specific NFS share. umount ./target-NFS

# NS request to the specific nameserver. dig ns <domain.tld> @<nameserver> # ANY request to the specific nameserver. dig any <domain.tld> @<nameserver> # AXFR request to the specific nameserver. dig axfr <domain.tld> @<nameserver> # Subdomain brute forcing. dnsenum --dnsserver <nameserver> --enum -p 0 -s 0 -o found_subdomains.txt -f ~/subdomains.list <domain.tld>

# use Evolution for GUI # Log in to the IMAPS service using cURL. curl -k 'imaps://<FQDN/IP>' --user <user>:<password> # Connect to the IMAPS service. openssl s_client -connect <FQDN/IP>:imaps # IMAPS Commands examples 1 LOGIN username password # User's login. 1 LIST "" * # Lists all directories. 1 CREATE "INBOX" # Creates a mailbox with a specified name. 1 DELETE "INBOX" # Deletes a mailbox. 1 RENAME "ToRead" "Important" # Renames a mailbox. 1 LSUB "" * # Returns a subset of names from the set of names that the User has declared as being active or subscribed. 1 SELECT INBOX # Selects a mailbox so that messages in the mailbox can be accessed. 1 UNSELECT INBOX # Exits the selected mailbox. 1 FETCH <ID> all # Retrieves data associated with a message in the mailbox. 1 CLOSE # Removes all messages with the Deleted flag set. 1 LOGOUT # Closes the connection with the IMAP server. # Connect to the POP3s service. openssl s_client -connect <FQDN/IP>:pop3s # POP3s Commands examples USER username # Identifies the user. PASS password # Authentication of the user using its password. STAT # Requests the number of saved emails from the server. LIST # Requests from the server the number and size of all emails. RETR id # Requests the server to deliver the requested email by ID. DELE id # Requests the server to delete the requested email by ID. CAPA # Requests the server to display the server capabilities. RSET # Requests the server to reset the transmitted information. QUIT # Closes the connection with the POP3 server.

# Bruteforcing community strings of the SNMP service. onesixtyone -c community-strings.list <FQDN/IP> nmap -sU <FQDN/IP> -p 161 --script=snmp-brute -Pn --script-args snmp-brute.communitiesdb=snmp.txt # Querying OIDs using snmpwalk. snmpwalk -v2c -c <community string> <FQDN/IP> # Bruteforcing SNMP service OIDs. braa <community string>@<FQDN/IP>:.1.*

# MSSQL Ping in Metasploit auxiliary/scanner/mssql/mssql_ping # NMAP MSSQL Script Scan nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 IP # Log in to the MSSQL server using Windows authentication. mssqlclient.py <user>@<FQDN/IP> -windows-auth

# Remote security audit against the target SSH service. ssh-audit.py <FQDN/IP> # Log in to the SSH server using the SSH client : -v optional for verbosity ssh [-v] <user>@<FQDN/IP> # Log in to the SSH server using private key. ssh -i private.key <user>@<FQDN/IP> # Enforce password-based authentication. ssh <user>@<FQDN/IP> -o PreferredAuthentications=password # Scanning for Rsync sudo nmap -sV -p 873 <FQDN/IP> # Probing for Accessible Shares nc -nv <FQDN/IP> 873 # Enumerating an Open Share rsync -av --list-only rsync://127.0.0.1/dev # Sync the file to attack host rsync -av rsync://127.0.0.1/dev

# Nmap nmap -sV -sC 10.129.201.248 -p3389 --script rdp* # Check the security settings of the RDP service. rdp-sec-check.pl <FQDN/IP> # Log in to the RDP server from Linux. xfreerdp /u:<user> /p:"<password>" /v:<FQDN/IP> rdesktop -u user <FQDN/IP> # Log in to the WinRM server. # Windows PS Test-WSMan <FQDN/IP> #Linux evil-winrm -i <FQDN/IP> -u <user> -p <password> # Execute command using the WMI service. wmiexec.py <user>:"<password>"@<FQDN/IP> "<system command>"

# Perform a variety of scans to gather information about the Oracle database services and its components. ./odat.py all -s <FQDN/IP> # Log in to the Oracle database. sqlplus <user>/<pass>@<FQDN/IP>/<db> # Upload a file with Oracle RDBMS. ./odat.py utlfile -s <FQDN/IP> -d <db> -U <user> -P <pass> --sysdba --putFile C:\\insert\\path file.txt ./file.txt