Summary

Footprinting is part of the enumeration process. To get a grasp on the target, we gather as much information as possible about the target's properties, so that later attacks succeed.

General

Principles

  • Do not blindly jump at everything you see; take your time to understand the target completely.
  • Follow these three principles:
| No. | Principle |
|-----|-----------|
| 1. | There is more than meets the eye. Consider all points of view. |
| 2. | Distinguish between what we see and what we do not see. |
| 3. | There are always ways to gain more information. Understand the target. |

Methodology

  • There is no standardized methodology. The approach one takes will dynamically vary with experience.
  • The following covers the six most essential obstacles in our path. For each of the six layers, we only need to find one weakness, even though there will most likely be several if there is at least one.
| Layer | Description | Information Categories |
|-------|-------------|------------------------|
| 1. Internet Presence | Identification of internet presence and externally accessible infrastructure. | Domains, Subdomains, vHosts, ASN, Netblocks, IP Addresses, Cloud Instances, Security Measures |
| 2. Gateway | Identify the possible security measures to protect the company's external and internal infrastructure. | Firewalls, DMZ, IPS/IDS, EDR, Proxies, NAC, Network Segmentation, VPN, Cloudflare |
| 3. Accessible Services | Identify accessible interfaces and services that are hosted externally or internally. | Service Type, Functionality, Configuration, Port, Version, Interface |
| 4. Processes | Identify the internal processes, sources, and destinations associated with the services. | PID, Processed Data, Tasks, Source, Destination |
| 5. Privileges | Identification of the internal permissions and privileges to the accessible services. | Groups, Users, Permissions, Restrictions, Environment |
| 6. OS Setup | Identification of the internal components and systems setup. | OS Type, Patch Level, Network config, OS Environment, Configuration files, sensitive private files |

Infrastructure Based

Domain Information

TODO

Cloud Resources

TODO

Staff

TODO

Host Based

FTP

TODO

SMB

TODO

NFS

TODO

DNS

TODO

SMTP

TODO

IMAP / POP3

TODO

SNMP

TODO

MySQL

TODO

MSSQL

TODO

Oracle TNS

TODO

IPMI

TODO

Remote Management Protocols

Linux

TODO

Windows

TODO

Cheat Sheet

Infrastructure-based Enumeration

| Command | Description |
|---------|-------------|
| curl -s https://crt.sh/\?q\=<target-domain>\&output\=json \| jq . | Certificate transparency. |
| for i in $(cat ip-addresses.txt);do shodan host $i;done | Scan each IP address in a list using Shodan. |
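Working through the crt.sh output from the table above, as an added example that is not part of the original notes: the script walks every SAN in each certificate record, normalises and deduplicates the names, and keeps only those in scope for the target domain. The JSON sample is constructed, and `extract_hostnames` and `issuers` are my own helper names.

```python
import json
from typing import Set

# Constructed sample of crt.sh JSON output (the real API returns a list of
# certificate records; name_value may hold several SANs separated by newlines).
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=XX, O=Constructed CA One, CN=CA One",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=XX, O=Constructed CA One, CN=CA One",
     "common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\nvpn.example.com"},
    {"issuer_name": "C=XX, O=Constructed CA Two, CN=CA Two",
     "common_name": "mail.example.com",
     "name_value": "MAIL.example.com\nexample.com.evil.test"},
])


def extract_hostnames(crtsh_json: str, domain: str) -> Set[str]:
    """Return the unique in-scope hostnames found in crt.sh JSON output.

    Every SAN in name_value is considered, names are lower-cased, wildcard
    prefixes are stripped (the base label is usually a real host), and names
    that merely contain the domain but do not end in it
    (e.g. example.com.evil.test) are dropped as out of scope.
    """
    domain = domain.lower().rstrip(".")
    found: Set[str] = set()
    for cert in json.loads(crtsh_json):
        for raw in cert.get("name_value", "").splitlines():
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return found


def issuers(crtsh_json: str) -> Set[str]:
    """Distinct issuing CAs; one the organisation never uses deserves a look."""
    return {cert.get("issuer_name", "") for cert in json.loads(crtsh_json)}


if __name__ == "__main__":
    for host in sorted(extract_hostnames(SAMPLE_CRTSH_JSON, "example.com")):
        print(host)
```

Pipe the real `curl ... --output json` result into `extract_hostnames` instead of the sample to get the de-duplicated host list for the domain.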

Host-based Enumeration

FTP

| Command | Description |
|---------|-------------|
| ftp <FQDN/IP> | Interact with the FTP service on the target. |
| nc -nv <FQDN/IP> 21 | Interact with the FTP service on the target. |
| telnet <FQDN/IP> 21 | Interact with the FTP service on the target. |
| openssl s_client -connect <FQDN/IP>:21 -starttls ftp | Interact with the FTP service on the target using an encrypted connection. |
| wget -m --no-passive ftp://anonymous:anonymous@<target> | Download all available files on the target FTP server. |

SMB

| Command | Description |
|---------|-------------|
| smbclient -N -L //<FQDN/IP> | Null session authentication on SMB. |
| smbclient //<FQDN/IP>/<share> | Connect to a specific SMB share. |
| rpcclient -U "" <FQDN/IP> | Interaction with the target using RPC. |
| samrdump.py <FQDN/IP> | Username enumeration using Impacket scripts. |
| smbmap -H <FQDN/IP> | Enumerating SMB shares. |
| crackmapexec smb <FQDN/IP> --shares -u '' -p '' | Enumerating SMB shares using null session authentication. |
| enum4linux-ng.py <FQDN/IP> -A | SMB enumeration using enum4linux-ng. |

NFS

| Command | Description |
|---------|-------------|
| showmount -e <FQDN/IP> | Show available NFS shares. |
| mount -t nfs <FQDN/IP>:/<share> ./target-NFS/ -o nolock | Mount the specific NFS share. |
| umount ./target-NFS | Unmount the specific NFS share. |

DNS

| Command | Description |
|---------|-------------|
| dig ns <domain.tld> @<nameserver> | NS request to the specific nameserver. |
| dig any <domain.tld> @<nameserver> | ANY request to the specific nameserver. |
| dig axfr <domain.tld> @<nameserver> | AXFR request to the specific nameserver. |
| dnsenum --dnsserver <nameserver> --enum -p 0 -s 0 -o found_subdomains.txt -f ~/subdomains.list <domain.tld> | Subdomain brute forcing. |

SMTP

| Command | Description |
|---------|-------------|
| telnet <FQDN/IP> 25 | Interact with the SMTP service on the target. |

IMAP/POP3

| Command | Description |
|---------|-------------|
| curl -k 'imaps://<FQDN/IP>' --user <user>:<password> | Log in to the IMAPS service using cURL. |
| openssl s_client -connect <FQDN/IP>:imaps | Connect to the IMAPS service. |
| openssl s_client -connect <FQDN/IP>:pop3s | Connect to the POP3S service. |

SNMP

| Command | Description |
|---------|-------------|
| snmpwalk -v2c -c <community string> <FQDN/IP> | Querying OIDs using snmpwalk. |
| onesixtyone -c community-strings.list <FQDN/IP> | Brute forcing community strings of the SNMP service. |
| braa <community string>@<FQDN/IP>:.1.* | Brute forcing SNMP service OIDs. |

MySQL

| Command | Description |
|---------|-------------|
| mysql -u <user> -p<password> -h <FQDN/IP> | Log in to the MySQL server. |

MSSQL

| Command | Description |
|---------|-------------|
| mssqlclient.py <user>@<FQDN/IP> -windows-auth | Log in to the MSSQL server using Windows authentication. |

IPMI

| Command | Description |
|---------|-------------|
| msf6 auxiliary(scanner/ipmi/ipmi_version) | IPMI version detection. |
| msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) | Dump IPMI hashes. |

Linux Remote Management

| Command | Description |
|---------|-------------|
| ssh-audit.py <FQDN/IP> | Remote security audit against the target SSH service. |
| ssh <user>@<FQDN/IP> | Log in to the SSH server using the SSH client. |
| ssh -i private.key <user>@<FQDN/IP> | Log in to the SSH server using a private key. |
| ssh <user>@<FQDN/IP> -o PreferredAuthentications=password | Enforce password-based authentication. |

Windows Remote Management

| Command | Description |
|---------|-------------|
| rdp-sec-check.pl <FQDN/IP> | Check the security settings of the RDP service. |
| xfreerdp /u:<user> /p:"<password>" /v:<FQDN/IP> | Log in to the RDP server from Linux. |
| evil-winrm -i <FQDN/IP> -u <user> -p <password> | Log in to the WinRM server. |
| wmiexec.py <user>:"<password>"@<FQDN/IP> "<system command>" | Execute a command using the WMI service. |

Oracle TNS

| Command | Description |
|---------|-------------|
| ./odat.py all -s <FQDN/IP> | Perform a variety of scans to gather information about the Oracle database services and their components. |
| sqlplus <user>/<pass>@<FQDN/IP>/<db> | Log in to the Oracle database. |
| ./odat.py utlfile -s <FQDN/IP> -d <db> -U <user> -P <pass> --sysdba --putFile C:\\insert\\path file.txt ./file.txt | Upload a file with Oracle RDBMS. |
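An added example (not from the original notes) of what to do with the dig AXFR output from the table above: it parses the transfer into records and flags A records that map public names to RFC 1918 addresses, the kind of internal layout a zone transfer should never expose. The dig output is a constructed sample; `parse_axfr` and `private_address_leaks` are my own helper names.

```python
import ipaddress
from typing import Dict, List, NamedTuple

# Constructed sample of what `dig axfr example.com @ns1.example.com` prints
# when the name server allows zone transfers to anyone.
SAMPLE_AXFR_OUTPUT = """\
; <<>> DiG 9.18.1 <<>> axfr example.com @ns1.example.com
;; global options: +cmd
example.com.            3600 IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.            3600 IN NS    ns1.example.com.
example.com.            3600 IN MX    10 mail.example.com.
www.example.com.        3600 IN A     203.0.113.10
mail.example.com.       3600 IN A     203.0.113.25
intranet.example.com.   3600 IN A     10.10.5.4
backup.example.com.      300 IN A     192.168.1.20
vpn.example.com.        3600 IN CNAME www.example.com.
example.com.            3600 IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
;; Query time: 12 msec
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Record(NamedTuple):
    name: str
    rtype: str
    rdata: str


def parse_axfr(output: str) -> List[Record]:
    """Turn dig AXFR text into records, skipping comment and blank lines."""
    records = []
    for line in output.splitlines():
        if not line or line.startswith(";"):
            continue
        fields = line.split(None, 4)  # name, ttl, class, type, rdata
        if len(fields) < 5:
            continue
        records.append(Record(fields[0].rstrip("."), fields[3], fields[4]))
    return records


def private_address_leaks(records: List[Record]) -> Dict[str, str]:
    """Map hostname -> address for A records that point into RFC 1918 space."""
    leaks = {}
    for rec in records:
        if rec.rtype != "A":
            continue
        try:
            addr = ipaddress.ip_address(rec.rdata)
        except ValueError:
            continue  # malformed rdata; not an address
        if any(addr in net for net in RFC1918):
            leaks[rec.name] = rec.rdata
    return leaks
```

The two flagged names (intranet, backup) are exactly the records a defender would remove from the public zone, or hide by restricting AXFR to secondary servers.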