Footprinting
1. There is more than meets the eye. Consider all points of view.
2. Distinguish between what we see and what we do not see.
3. There are always ways to gain more information. Understand the target.
These are the six layers we work through in the enumeration process:
Internet Presence (domains, subdomains, IP addresses, hosts, cloud instances)
Gateway (firewalls, IPS/IDS, network segmentation, Cloudflare)
Accessible Services (service type, ports, version)
Process (PID, tasks, destination)
Privileges (groups, users, permissions, restrictions, environments)
OS Setup (OS type, patch level, network config, config files, OS environment)
Cheatsheet for this module
Infrastructure-Based Enumeration
curl -s "https://crt.sh/?q=<domain.tld>&output=json" | jq .
Query Certificate Transparency logs for certificates issued to the domain.
for i in $(cat ip-addresses.txt);do shodan host $i;done
Scan each IP address in a list using Shodan.
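The crt.sh query above dumps raw JSON; what a practitioner usually wants from it is the de-duplicated list of hostnames the logs reveal, plus a check for certificates issued by a CA the organisation does not use. The following helper is an added example, not part of the original cheatsheet; the sample JSON is constructed to mirror the fields crt.sh returns (common_name, name_value, issuer_name), and the issuer strings and hostnames are assumptions.

```python
import json

# Constructed sample in the shape of crt.sh "?q=<domain>&output=json" output.
# name_value holds newline-separated SANs; wildcards and mixed case occur in real data.
SAMPLE_CRT_JSON = r"""[
  {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "www.example.com",
   "name_value": "www.example.com\nexample.com"},
  {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "*.dev.example.com",
   "name_value": "*.dev.example.com\nDEV.example.com"},
  {"issuer_name": "O=Some Other CA (constructed)", "common_name": "mail.example.com",
   "name_value": "mail.example.com"}
]"""


def _names_in_entry(entry):
    """Yield every normalised hostname named by one certificate entry."""
    raw = entry.get("name_value", "").split("\n") + [entry.get("common_name", "")]
    for name in raw:
        name = name.strip().lower()
        if name.startswith("*."):      # a wildcard cert still reveals its base name
            name = name[2:]
        if name:
            yield name


def hostnames_from_crtsh(raw_json, domain):
    """Return the sorted, unique hostnames under `domain` seen in CT log entries."""
    domain = domain.lower()
    found = set()
    for entry in json.loads(raw_json):
        for name in _names_in_entry(entry):
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return sorted(found)


def hosts_with_unexpected_issuer(raw_json, domain, allowed_issuers):
    """Return hostnames under `domain` whose certificate came from a CA not in the allow-list.

    Defender use: a hit means a certificate was issued for your namespace by a CA you
    do not use, which is worth investigating (misissuance, shadow IT, or an attacker).
    """
    domain = domain.lower()
    flagged = set()
    for entry in json.loads(raw_json):
        if entry.get("issuer_name") in allowed_issuers:
            continue
        for name in _names_in_entry(entry):
            if name == domain or name.endswith("." + domain):
                flagged.add(name)
    return sorted(flagged)


if __name__ == "__main__":
    print(hostnames_from_crtsh(SAMPLE_CRT_JSON, "example.com"))
    print(hosts_with_unexpected_issuer(SAMPLE_CRT_JSON, "example.com", {"C=US, O=Let's Encrypt, CN=R3"}))
```

To run it against live data, feed the body returned by the curl command in place of SAMPLE_CRT_JSON.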
Host-Based Enumeration
FTP
ftp <FQDN/IP>
Interact with the FTP service on the target.
nc -nv <FQDN/IP> 21
Interact with the FTP service on the target.
telnet <FQDN/IP> 21
Interact with the FTP service on the target.
openssl s_client -connect <FQDN/IP>:21 -starttls ftp
Interact with the FTP service on the target using encrypted connection.
wget -m --no-passive ftp://anonymous:anonymous@<FQDN/IP>
Download all available files from the target FTP server (anonymous login).
SMB
smbclient -N -L //<FQDN/IP>
Null session authentication on SMB.
smbclient //<FQDN/IP>/
Connect to a specific SMB share.
rpcclient -U "" <FQDN/IP>
Interaction with the target using RPC.
samrdump.py <FQDN/IP>
Username enumeration using Impacket scripts.
smbmap -H <FQDN/IP>
Enumerating SMB shares.
crackmapexec smb <FQDN/IP> --shares -u '' -p ''
Enumerating SMB shares using null session authentication.
enum4linux-ng.py <FQDN/IP> -A
SMB enumeration using enum4linux.
NFS
showmount -e <FQDN/IP>
Show available NFS shares.
mount -t nfs <FQDN/IP>:/ ./target-NFS/ -o nolock
Mount the specific NFS share.
umount ./target-NFS
Unmount the specific NFS share.
DNS
dig ns <domain.tld> @<nameserver>
NS request to the specific nameserver.
dig any <domain.tld> @<nameserver>
ANY request to the specific nameserver.
dig axfr <domain.tld> @<nameserver>
AXFR (zone transfer) request to the specific nameserver.
dnsenum --dnsserver <nameserver> --enum -p 0 -s 0 -o found_subdomains.txt -f ~/subdomains.list <domain.tld>
Subdomain brute forcing.
SMTP
telnet <FQDN/IP> 25
Connect to the SMTP service.
IMAP/POP3
curl -k 'imaps://<FQDN/IP>' --user <user>:<password>
Log in to the IMAPS service using cURL.
openssl s_client -connect <FQDN/IP>:imaps
Connect to IMAP service
openssl s_client -connect <FQDN/IP>:pop3s
Connect to POP3 service
SNMP
snmpwalk -v2c -c <community string> <FQDN/IP>
Querying OIDs using snmpwalk.
onesixtyone -c community-strings.list <FQDN/IP>
Bruteforcing community strings of the SNMP service.
braa <community string>@<FQDN/IP>:.1.*
Bruteforcing SNMP service OIDs.
MySQL
mysql -u <user> -p -h <FQDN/IP>
Login to the MySQL server.
MSSQL
mssqlclient.py <user>@<FQDN/IP> -windows-auth
Log in to the MSSQL server using Windows authentication.
IPMI
msf6 auxiliary(scanner/ipmi/ipmi_version)
IPMI version detection.
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes)
Dump IPMI hashes.
Linux Remote Management
ssh-audit.py <FQDN/IP>
Remote security audit against the target SSH service.
ssh <user>@<FQDN/IP>
Log in to the SSH server using the SSH client.
ssh -i private.key <user>@<FQDN/IP>
Log in to the SSH server using a private key.
ssh <user>@<FQDN/IP> -o PreferredAuthentications=password
Enforce password-based authentication.
Windows Remote Management
rdp-sec-check.pl <FQDN/IP>
Check the security settings of the RDP service.
xfreerdp /u:<user> /p:"password" /v:<FQDN/IP>
Log in to the RDP server from Linux.
evil-winrm -i <FQDN/IP> -u <user> -p <password>
Log in to the WinRM server.
wmiexec.py <user>:<password>@<FQDN/IP> "<system command>"
Execute command using the WMI service.
Oracle TNS
./odat.py all -s <FQDN/IP>
Perform a variety of scans to gather information about the Oracle database services and its components.
sqlplus <user>/<password>@<FQDN/IP>/<db>
Log in to the Oracle database.
./odat.py utlfile -s <FQDN/IP> -d <db> -U <user> -P <pass> --sysdba --putFile C:\insert\path file.txt ./file.txt
Upload a file with Oracle RDBMS.