Footprinting Module Cheat Sheet

Infrastructure-based Enumeration

| Command | Description |
| --- | --- |
| `curl -s https://crt.sh/\?q\=<target-domain>\&output\=json \| jq .` | Certificate transparency. |
| `for i in $(cat ip-addresses.txt);do shodan host $i;done` | Scan each IP address in a list using Shodan. |

Host-based Enumeration

FTP

| Command | Description |
| --- | --- |
| `ftp <FQDN/IP>` | Interact with the FTP service on the target. |
| `nc -nv <FQDN/IP> 21` | Interact with the FTP service on the target. |
| `telnet <FQDN/IP> 21` | Interact with the FTP service on the target. |
| `openssl s_client -connect <FQDN/IP>:21 -starttls ftp` | Interact with the FTP service on the target using an encrypted connection. |
| `wget -m --no-passive ftp://anonymous:anonymous@<target>` | Download all available files on the target FTP server. |

SMB

| Command | Description |
| --- | --- |
| `smbclient -N -L //<FQDN/IP>` | Null session authentication on SMB. |
| `smbclient //<FQDN/IP>/<share>` | Connect to a specific SMB share. |
| `rpcclient -U "" <FQDN/IP>` | Interaction with the target using RPC. |
| `samrdump.py <FQDN/IP>` | Username enumeration using Impacket scripts. |
| `smbmap -H <FQDN/IP>` | Enumerating SMB shares. |
| `crackmapexec smb <FQDN/IP> --shares -u '' -p ''` | Enumerating SMB shares using null session authentication. |
| `enum4linux-ng.py <FQDN/IP> -A` | SMB enumeration using enum4linux. |

NFS

| Command | Description |
| --- | --- |
| `showmount -e <FQDN/IP>` | Show available NFS shares. |
| `mount -t nfs <FQDN/IP>:/<share> ./target-NFS/ -o nolock` | Mount the specific NFS share. |
| `umount ./target-NFS` | Unmount the specific NFS share. |

DNS

| Command | Description |
| --- | --- |
| `dig ns <domain.tld> @<nameserver>` | NS request to the specific nameserver. |
| `dig any <domain.tld> @<nameserver>` | ANY request to the specific nameserver. |
| `dig axfr <domain.tld> @<nameserver>` | AXFR request to the specific nameserver. |
| `dnsenum --dnsserver <nameserver> --enum -p 0 -s 0 -o found_subdomains.txt -f ~/subdomains.list <domain.tld>` | Subdomain brute forcing. |

SMTP

| Command | Description |
| --- | --- |
| `telnet <FQDN/IP> 25` | Interact with the SMTP service on the target. |

IMAP/POP3

| Command | Description |
| --- | --- |
| `curl -k 'imaps://<FQDN/IP>' --user <user>:<password>` | Log in to the IMAPS service using cURL. |
| `openssl s_client -connect <FQDN/IP>:imaps` | Connect to the IMAPS service. |
| `openssl s_client -connect <FQDN/IP>:pop3s` | Connect to the POP3s service. |

SNMP

| Command | Description |
| --- | --- |
| `snmpwalk -v2c -c <community string> <FQDN/IP>` | Querying OIDs using snmpwalk. |
| `onesixtyone -c community-strings.list <FQDN/IP>` | Bruteforcing community strings of the SNMP service. |
| `braa <community string>@<FQDN/IP>:.1.*` | Bruteforcing SNMP service OIDs. |

MySQL

| Command | Description |
| --- | --- |
| `mysql -u <user> -p<password> -h <FQDN/IP>` | Log in to the MySQL server. |

MSSQL

| Command | Description |
| --- | --- |
| `mssqlclient.py <user>@<FQDN/IP> -windows-auth` | Log in to the MSSQL server using Windows authentication. |

IPMI

| Command | Description |
| --- | --- |
| `msf6 auxiliary(scanner/ipmi/ipmi_version)` | IPMI version detection. |
| `msf6 auxiliary(scanner/ipmi/ipmi_dumphashes)` | Dump IPMI hashes. |

Linux Remote Management

| Command | Description |
| --- | --- |
| `ssh-audit.py <FQDN/IP>` | Remote security audit against the target SSH service. |
| `ssh <user>@<FQDN/IP>` | Log in to the SSH server using the SSH client. |
| `ssh -i private.key <user>@<FQDN/IP>` | Log in to the SSH server using a private key. |
| `ssh <user>@<FQDN/IP> -o PreferredAuthentications=password` | Enforce password-based authentication. |

Windows Remote Management

| Command | Description |
| --- | --- |
| `rdp-sec-check.pl <FQDN/IP>` | Check the security settings of the RDP service. |
| `xfreerdp /u:<user> /p:"<password>" /v:<FQDN/IP>` | Log in to the RDP server from Linux. |
| `evil-winrm -i <FQDN/IP> -u <user> -p <password>` | Log in to the WinRM server. |
| `wmiexec.py <user>:"<password>"@<FQDN/IP> "<system command>"` | Execute a command using the WMI service. |

Oracle TNS

| Command | Description |
| --- | --- |
| `./odat.py all -s <FQDN/IP>` | Perform a variety of scans to gather information about the Oracle database services and their components. |
| `sqlplus <user>/<pass>@<FQDN/IP>/<db>` | Log in to the Oracle database. |
| `./odat.py utlfile -s <FQDN/IP> -d <db> -U <user> -P <pass> --sysdba --putFile C:\\insert\\path file.txt ./file.txt` | Upload a file with Oracle RDBMS. |
