Footprinting Module Cheat Sheet

This document is a comprehensive cheat sheet for footprinting techniques, detailing various commands used for infrastructure-based and host-based enumeration across different services such as FTP, SMB, NFS, DNS, SMTP, IMAP/POP3, SNMP, MySQL, MSSQL, IPMI, and remote management protocols. Each command is accompanied by a brief description of its purpose and usage. The cheat sheet serves as a quick reference for security professionals conducting reconnaissance on target systems.

FOOTPRINTING CHEAT SHEET

Infrastructure-based Enumeration

Command / Description

curl -s https://crt.sh/\?q\=<target-domain>\&output\=json | jq .
    Certificate transparency.

for i in $(cat ip-addresses.txt);do shodan host $i;done
    Scan each IP address in a list using Shodan.
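The crt.sh row above pipes the raw JSON into `jq .`, which only pretty-prints it. What a practitioner (attacker or asset owner alike) actually wants from certificate transparency is a de-duplicated inventory of hostnames, and the raw output makes that harder than it looks: each entry's `name_value` holds every SAN of one certificate separated by newlines, names arrive in mixed case, wildcards and out-of-scope SANs from shared certificates are mixed in, and long-expired certificates point at hosts that may no longer exist. The following script is an added example, not part of the cheat sheet and not a crt.sh tool; it assumes the field names crt.sh returns for `?q=<domain>&output=json` (`name_value`, `common_name`, `not_after`) and works on a constructed sample rather than a live query, so it runs offline.

```python
"""Turn crt.sh JSON output into a de-duplicated hostname inventory.

Assumptions: input has the field names crt.sh returns for
https://crt.sh/?q=<domain>&output=json. The sample below is constructed
for this example and is not a real query result.
"""
import json
from datetime import datetime

# Constructed stand-in for the output of
#   curl -s 'https://crt.sh/?q=example.com&output=json'
# Only name_value, common_name and not_after are read; the rest is filler.
SAMPLE_CRTSH_JSON = """[
  {"issuer_ca_id": 1, "issuer_name": "C=US, O=Example CA, CN=R1",
   "common_name": "www.example.com",
   "name_value": "www.example.com\\nexample.com",
   "id": 1001, "entry_timestamp": "2024-03-01T10:00:00",
   "not_before": "2024-03-01T09:00:00", "not_after": "2024-05-30T09:00:00",
   "serial_number": "0a"},
  {"issuer_ca_id": 1, "issuer_name": "C=US, O=Example CA, CN=R1",
   "common_name": "*.example.com",
   "name_value": "*.example.com\\nexample.com",
   "id": 1002, "entry_timestamp": "2024-04-15T10:00:00",
   "not_before": "2024-04-15T09:00:00", "not_after": "2025-01-15T09:00:00",
   "serial_number": "0b"},
  {"issuer_ca_id": 2, "issuer_name": "C=US, O=Example CA, CN=R2",
   "common_name": "mail.example.com",
   "name_value": "MAIL.example.com\\nshared.example.org",
   "id": 1003, "entry_timestamp": "2024-02-01T10:00:00",
   "not_before": "2024-02-01T09:00:00", "not_after": "2024-12-01T09:00:00",
   "serial_number": "0c"},
  {"issuer_ca_id": 2, "issuer_name": "C=US, O=Example CA, CN=R2",
   "common_name": "legacy.example.com",
   "name_value": "legacy.example.com",
   "id": 900, "entry_timestamp": "2018-06-01T10:00:00",
   "not_before": "2018-06-01T09:00:00", "not_after": "2019-06-01T09:00:00",
   "serial_number": "0d"}
]"""


def parse_crtsh(raw):
    """Parse the JSON array crt.sh returns; reject anything that is not a list."""
    data = json.loads(raw)
    if not isinstance(data, list):
        raise ValueError("crt.sh output should be a JSON array of log entries")
    return data


def hostnames_from_entry(entry):
    """All names on one certificate, lower-cased. name_value is newline-separated;
    common_name is added as well because it is not always repeated there."""
    names = set(entry.get("name_value", "").split("\n"))
    names.add(entry.get("common_name", ""))
    return {n.strip().lower() for n in names if n.strip()}


def _in_scope(name, domain):
    return name == domain or name.endswith("." + domain)


def inventory(entries, domain):
    """Return (hostnames, wildcards) belonging to `domain`.
    SANs from other domains on shared certificates are dropped."""
    domain = domain.lower()
    in_scope = {n for e in entries for n in hostnames_from_entry(e)
                if _in_scope(n, domain)}
    wildcards = {n for n in in_scope if n.startswith("*.")}
    return in_scope - wildcards, wildcards


def stale_hostnames(entries, domain, as_of_iso):
    """Hostnames that appear only on certificates already expired at `as_of_iso`
    (ISO 8601, the format crt.sh uses). For an asset owner these are the
    candidates for forgotten or decommissioned hosts; treat them as hints,
    not facts, since CT shows issuance, not what is still reachable."""
    domain = domain.lower()
    as_of = datetime.fromisoformat(as_of_iso)
    seen, live = set(), set()
    for e in entries:
        expired = datetime.fromisoformat(e["not_after"]) < as_of
        for n in hostnames_from_entry(e):
            if not _in_scope(n, domain) or n.startswith("*."):
                continue
            seen.add(n)
            if not expired:
                live.add(n)
    return seen - live


if __name__ == "__main__":
    entries = parse_crtsh(SAMPLE_CRTSH_JSON)
    hosts, wild = inventory(entries, "example.com")
    print("hosts:    ", sorted(hosts))
    print("wildcards:", sorted(wild))
    print("stale:    ", sorted(stale_hostnames(entries, "example.com",
                                               "2024-06-01T00:00:00")))
```

To use it against real output, replace `SAMPLE_CRTSH_JSON` with the body of the `curl` command from the table. Note that `stale_hostnames` deliberately treats a name as live if any unexpired certificate covers it, so `example.com` stays live through the wildcard certificate even though its own earlier certificate has expired.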

Host-based Enumeration

FTP

Command / Description

ftp <FQDN/IP>
    Interact with the FTP service on the target.

nc -nv <FQDN/IP> 21
    Interact with the FTP service on the target.

telnet <FQDN/IP> 21
    Interact with the FTP service on the target.

openssl s_client -connect <FQDN/IP>:21 -starttls ftp
    Interact with the FTP service on the target using an encrypted connection.

wget -m --no-passive ftp://anonymous:anonymous@<target>
    Download all available files on the target FTP server.

SMB

Command / Description

smbclient -N -L //<FQDN/IP>
    Null session authentication on SMB.

smbclient //<FQDN/IP>/<share>
    Connect to a specific SMB share.

rpcclient -U "" <FQDN/IP>
    Interaction with the target using RPC.

samrdump.py <FQDN/IP>
    Username enumeration using Impacket scripts.

smbmap -H <FQDN/IP>
    Enumerating SMB shares.

crackmapexec smb <FQDN/IP> --shares -u '' -p ''
    Enumerating SMB shares using null session authentication.

enum4linux-ng.py <FQDN/IP> -A
    SMB enumeration using enum4linux.

NFS

Command / Description

showmount -e <FQDN/IP>
    Show available NFS shares.

mount -t nfs <FQDN/IP>:/<share> ./target-NFS/ -o nolock
    Mount the specific NFS share to ./target-NFS.

umount ./target-NFS
    Unmount the specific NFS share.

DNS

Command / Description

dig ns <domain.tld> @<nameserver>
    NS request to the specific nameserver.

dig any <domain.tld> @<nameserver>
    ANY request to the specific nameserver.

dig axfr <domain.tld> @<nameserver>
    AXFR request to the specific nameserver.

dnsenum --dnsserver <nameserver> --enum -p 0 -s 0 -o found_subdomains.txt -f ~/subdomains.list <domain.tld>
    Subdomain brute forcing.

SMTP

Command / Description

telnet <FQDN/IP> 25

IMAP/POP3

Command / Description

curl -k 'imaps://<FQDN/IP>' --user <user>:<password>
    Log in to the IMAPS service using cURL.

openssl s_client -connect <FQDN/IP>:imaps
    Connect to the IMAPS service.

openssl s_client -connect <FQDN/IP>:pop3s
    Connect to the POP3S service.

SNMP

Command / Description

snmpwalk -v2c -c <community string> <FQDN/IP>
    Querying OIDs using snmpwalk.

onesixtyone -c community-strings.list <FQDN/IP>
    Brute forcing community strings of the SNMP service.

braa <community string>@<FQDN/IP>:.1.*
    Brute forcing SNMP service OIDs.

MySQL

Command / Description

mysql -u <user> -p<password> -h <FQDN/IP>
    Log in to the MySQL server.

MSSQL

Command / Description

mssqlclient.py <user>@<FQDN/IP> -windows-auth
    Log in to the MSSQL server using Windows authentication.

IPMI

Command / Description

msf6 auxiliary(scanner/ipmi/ipmi_version)
    IPMI version detection.

msf6 auxiliary(scanner/ipmi/ipmi_dumphashes)
    Dump IPMI hashes.

Linux Remote Management

Command / Description

ssh-audit.py <FQDN/IP>
    Remote security audit against the target SSH service.

ssh <user>@<FQDN/IP>
    Log in to the SSH server using the SSH client.

ssh -i private.key <user>@<FQDN/IP>
    Log in to the SSH server using a private key.

ssh <user>@<FQDN/IP> -o PreferredAuthentications=password
    Enforce password-based authentication.

Windows Remote Management

Command / Description

rdp-sec-check.pl <FQDN/IP>
    Check the security settings of the RDP service.

xfreerdp /u:<user> /p:"<password>" /v:<FQDN/IP>
    Log in to the RDP server from Linux.

evil-winrm -i <FQDN/IP> -u <user> -p <password>
    Log in to the WinRM server.

wmiexec.py <user>:"<password>"@<FQDN/IP> "<system command>"
    Execute a command using the WMI service.

Oracle TNS

Command / Description

./odat.py all -s <FQDN/IP>
    Perform a variety of scans to gather information about the Oracle database services and their components.

sqlplus <user>/<pass>@<FQDN/IP>/<db>
    Log in to the Oracle database.

./odat.py utlfile -s <FQDN/IP> -d <db> -U <user> -P <pass> --sysdba --putFile C:\\insert\\path file.txt ./file.txt
    Upload a file with Oracle RDBMS.
