# Footprinting ## Cheatsheet {% file src="" %} The cheat sheet is a useful command reference for this module. ## Infrastructure-based Enumeration | **Command** | **Description** | | ------------------------------------------------------------------- | -------------------------------------------- | | `curl -s https://crt.sh/\?q\=\&output\=json \| jq .` | Certificate transparency. | | `for i in $(cat ip-addresses.txt);do shodan host $i;done` | Scan each IP address in a list using Shodan. | *** ## Host-based Enumeration ### **FTP** | **Command** | **Description** | | --------------------------------------------------------- | ----------------------------------------------------------------------- | | `ftp ` | Interact with the FTP service on the target. | | `nc -nv 21` | Interact with the FTP service on the target. | | `telnet 21` | Interact with the FTP service on the target. | | `openssl s_client -connect :21 -starttls ftp` | Interact with the FTP service on the target using encrypted connection. | | `wget -m --no-passive ftp://anonymous:anonymous@` | Download all available files on the target FTP server. | ### **SMB** | **Command** | **Description** | | ------------------------------------------------- | --------------------------------------------------------- | | `smbclient -N -L //` | Null session authentication on SMB. | | `smbclient ///` | Connect to a specific SMB share. | | `rpcclient -U "" ` | Interaction with the target using RPC. | | `samrdump.py ` | Username enumeration using Impacket scripts. | | `smbmap -H ` | Enumerating SMB shares. | | `crackmapexec smb --shares -u '' -p ''` | Enumerating SMB shares using null session authentication. | | `enum4linux-ng.py -A` | SMB enumeration using enum4linux. | ### **NFS** | **Command** | **Description** | | --------------------------------------------------------- | -------------------------------------------- | | `showmount -e ` | Show available NFS shares. | | `mount -t nfs :/ ./target-NFS/ -o nolock` | Mount the specific NFS share to ./target-NFS | | `umount ./target-NFS` | Unmount the specific NFS share. | ### **DNS** | **Command** | **Description** | | ------------------------------------------------------------------------------------------------------------- | ---------------------------------------- | | `dig ns @` | NS request to the specific nameserver. | | `dig any @` | ANY request to the specific nameserver. | | `dig axfr @` | AXFR request to the specific nameserver. | | `dnsenum --dnsserver --enum -p 0 -s 0 -o found_subdomains.txt -f ~/subdomains.list ` | Subdomain brute forcing. | ### **SMTP** | **Command** | **Description** | | --------------------- | --------------- | | `telnet 25` | | ### **IMAP/POP3** | **Command** | **Description** | | ------------------------------------------------------ | --------------------------------------- | | `curl -k 'imaps://' --user :` | Log in to the IMAPS service using cURL. | | `openssl s_client -connect :imaps` | Connect to the IMAPS service. | | `openssl s_client -connect :pop3s` | Connect to the POP3s service. | ### **SNMP** | **Command** | **Description** | | ------------------------------------------------- | --------------------------------------------------- | | `snmpwalk -v2c -c ` | Querying OIDs using snmpwalk. | | `onesixtyone -c community-strings.list ` | Bruteforcing community strings of the SNMP service. | | `braa @:.1.*` | Bruteforcing SNMP service OIDs. | ### **MySQL** | **Command** | **Description** | | ------------------------------------------- | -------------------------- | | `mysql -u -p -h ` | Login to the MySQL server. | ### **MSSQL** | **Command** | **Description** | | ----------------------------------------------- | -------------------------------------------------------- | | `mssqlclient.py @ -windows-auth` | Log in to the MSSQL server using Windows authentication. | ### **IPMI** | **Command** | **Description** | | ---------------------------------------------- | ----------------------- | | `msf6 auxiliary(scanner/ipmi/ipmi_version)` | IPMI version detection. | | `msf6 auxiliary(scanner/ipmi/ipmi_dumphashes)` | Dump IPMI hashes. | **Linux Remote Management** | **Command** | **Description** | | ----------------------------------------------------------- | ----------------------------------------------------- | | `ssh-audit.py ` | Remote security audit against the target SSH service. | | `ssh @` | Log in to the SSH server using the SSH client. | | `ssh -i private.key @` | Log in to the SSH server using private key. | | `ssh @ -o PreferredAuthentications=password` | Enforce password-based authentication. | **Windows Remote Management** | **Command** | **Description** | | ------------------------------------------------------------- | ----------------------------------------------- | | `rdp-sec-check.pl ` | Check the security settings of the RDP service. | | `xfreerdp /u: /p:"" /v:` | Log in to the RDP server from Linux. | | `evil-winrm -i -u -p ` | Log in to the WinRM server. | | `wmiexec.py :""@ ""` | Execute command using the WMI service. | **Oracle TNS** | **Command** | **Description** | | -------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------- | | `./odat.py all -s ` | Perform a variety of scans to gather information about the Oracle database services and its components. | | `sqlplus /@/` | Log in to the Oracle database. | | `./odat.py utlfile -s -d -U -P --sysdba --putFile C:\\insert\\path file.txt ./file.txt` | |