Footprinting

| No. | Principle |
| --- | --- |
| 1. | There is more than meets the eye. Consider all points of view. |
| 2. | Distinguish between what we see and what we do not see. |
| 3. | There are always ways to gain more information. Understand the target. |

These are the six layers that we try to pass through in the enumeration process:

  1. Internet Presence (domains, subdomains, IP addresses, hosts, cloud instances)

  2. Gateway (firewalls, IPS/IDS, network segmentation, Cloudflare)

  3. Accessible Services (service type, ports, version)

  4. Process (PID, tasks, destination)

  5. Privileges (groups, users, permissions, restrictions, environments)

  6. OS Setup (OS type, patch level, network config, config files, OS environment)


Cheatsheet for this module

Infrastructure-Based Enumeration

| Command | Description |
| --- | --- |
| `curl -s "https://crt.sh/?q=<domain.tld>&output=json" \| jq .` | Certificate transparency lookup for a domain. |
| `for i in $(cat ip-addresses.txt);do shodan host $i;done` | Scan each IP address in a list using Shodan. |


Host-Based Enumeration

FTP

| Command | Description |
| --- | --- |
| `ftp <FQDN/IP>` | Interact with the FTP service on the target. |
| `nc -nv <FQDN/IP> 21` | Interact with the FTP service on the target. |
| `telnet <FQDN/IP> 21` | Interact with the FTP service on the target. |
| `openssl s_client -connect <FQDN/IP>:21 -starttls ftp` | Interact with the FTP service on the target using an encrypted connection. |
| `wget -m --no-passive ftp://anonymous:anonymous@<FQDN/IP>` | Download all available files on the target FTP server. |

SMB

| Command | Description |
| --- | --- |
| `smbclient -N -L //<FQDN/IP>` | Null session authentication on SMB. |
| `smbclient //<FQDN/IP>/<share>` | Connect to a specific SMB share. |
| `rpcclient -U "" <FQDN/IP>` | Interaction with the target using RPC. |
| `samrdump.py <FQDN/IP>` | Username enumeration using Impacket scripts. |
| `smbmap -H <FQDN/IP>` | Enumerating SMB shares. |
| `crackmapexec smb <FQDN/IP> --shares -u '' -p ''` | Enumerating SMB shares using null session authentication. |
| `enum4linux-ng.py <FQDN/IP> -A` | SMB enumeration using enum4linux. |

NFS

| Command | Description |
| --- | --- |
| `showmount -e <FQDN/IP>` | Show available NFS shares. |
| `mount -t nfs <FQDN/IP>:/ ./target-NFS/ -o nolock` | Mount the specific NFS share. |
| `umount ./target-NFS` | Unmount the specific NFS share. |

DNS

| Command | Description |
| --- | --- |
| `dig ns <domain.tld> @<nameserver>` | NS request to the specific nameserver. |
| `dig any <domain.tld> @<nameserver>` | ANY request to the specific nameserver. |
| `dig axfr <domain.tld> @<nameserver>` | AXFR (zone transfer) request to the specific nameserver. |
| `dnsenum --dnsserver <nameserver> --enum -p 0 -s 0 -o found_subdomains.txt -f ~/subdomains.list <domain.tld>` | Subdomain brute forcing. |

SMTP

| Command | Description |
| --- | --- |
| `telnet <FQDN/IP> 25` | Connect to the SMTP service. |

IMAP/POP3

| Command | Description |
| --- | --- |
| `curl -k 'imaps://<FQDN/IP>' --user <user>:<password>` | Log in to the IMAPS service using cURL. |
| `openssl s_client -connect <FQDN/IP>:imaps` | Connect to the IMAPS service. |
| `openssl s_client -connect <FQDN/IP>:pop3s` | Connect to the POP3S service. |

SNMP

| Command | Description |
| --- | --- |
| `snmpwalk -v2c -c <community string> <FQDN/IP>` | Querying OIDs using snmpwalk. |
| `onesixtyone -c community-strings.list <FQDN/IP>` | Brute forcing community strings of the SNMP service. |
| `braa <community string>@<FQDN/IP>:.1.*` | Brute forcing SNMP service OIDs. |

MySQL

| Command | Description |
| --- | --- |
| `mysql -u <user> -p<password> -h <FQDN/IP>` | Log in to the MySQL server. |

MSSQL

| Command | Description |
| --- | --- |
| `mssqlclient.py <user>@<FQDN/IP> -windows-auth` | Log in to the MSSQL server using Windows authentication. |

IPMI

| Command | Description |
| --- | --- |
| `msf6 auxiliary(scanner/ipmi/ipmi_version)` | Detect the IPMI version. |
| `msf6 auxiliary(scanner/ipmi/ipmi_dumphashes)` | Dump IPMI hashes. |

Linux Remote Management

| Command | Description |
| --- | --- |
| `ssh-audit.py <FQDN/IP>` | Remote security audit against the target SSH service. |
| `ssh <user>@<FQDN/IP>` | Log in to the SSH server using the SSH client. |
| `ssh -i private.key <user>@<FQDN/IP>` | Log in to the SSH server using a private key. |
| `ssh <user>@<FQDN/IP> -o PreferredAuthentications=password` | Enforce password-based authentication. |

Windows Remote Management

| Command | Description |
| --- | --- |
| `rdp-sec-check.pl <FQDN/IP>` | Check the security settings of the RDP service. |
| `xfreerdp /u:<user> /p:"password" /v:<FQDN/IP>` | Log in to the RDP server from Linux. |
| `evil-winrm -i <FQDN/IP> -u <user> -p <password>` | Log in to the WinRM server. |
| `wmiexec.py <user>:<password>@<FQDN/IP> "<system command>"` | Execute a command using the WMI service. |

Oracle TNS

| Command | Description |
| --- | --- |
| `./odat.py all -s <FQDN/IP>` | Perform a variety of scans to gather information about the Oracle database services and their components. |
| `sqlplus <user>/<password>@<FQDN/IP>/<db>` | Log in to the Oracle database. |
| `./odat.py utlfile -s <FQDN/IP> -d <db> -U <user> -P <pass> --sysdba --putFile C:\insert\path file.txt ./file.txt` | Upload a file with Oracle RDBMS. |