FTP – Nmap Scanning

Category | Details |
---|---|
Description | Use Nmap to scan an FTP service on a target IP, with version detection and script scanning enabled. |
Key Features | – Service version detection (`-sV`) – FTP port scanning (`-p21`) – Default script execution (`-sC`) – Aggressive scan (`-A`) |
Supported Platforms | Windows, Linux, macOS |
Footprinting Process | – Perform an Nmap scan using `nmap -sV -p21 -sC -A <IP>` – Detect open ports and services, including FTP – Collect version information and OS details using Nmap scripts – Use the information gathered for further network mapping or exploitation testing |
FTP-Anon Script | The `ftp-anon` script checks for anonymous FTP access, revealing publicly accessible FTP servers. Use `nmap --script=ftp-anon -p21 <IP>` to detect whether anonymous login is permitted. |
SMB – Nmap Scanning and SMB Tools

Category | Details |
---|---|
Description | A collection of tools and commands to enumerate and gather information from SMB services on a target system. |
Key Features | – Service version detection (`-sV`) – Default script execution (`-sC`) – SMB port scanning (`-p139,445`) |
Supported Platforms | Windows, Linux, macOS |
Footprinting Process | – Perform an Nmap scan using `nmap -sV -sC -p139,445 <IP>` – Detect open SMB ports and services – Gather version and OS information through Nmap scripts |
Additional Tools | – `rpcclient -U "" <IP>`: Query SMB servers for users, shares, and permissions (an empty username requests a null session). – `smbmap -H <IP>`: Scan SMB shares for accessible resources. – `./enum4linux <IP> -A`: Enumerate SMB services for users, shares, and groups. |
NFS – Nmap Scanning and NFS Tools

Category | Details |
---|---|
Description | A set of tools and techniques to perform footprinting on NFS services, including service discovery and share mounting. |
Key Features | – NFS port scanning (`-p111,2049`) – Service version detection (`-sV`) – Default script execution (`-sC`) |
Supported Platforms | Windows, Linux, macOS |
Footprinting Process | – Perform an Nmap scan using `nmap -p111,2049 -sV -sC <IP>` – Identify NFS services and open ports – Use the `rpcinfo` NSE script to list all active RPC services on the target |
Additional Tools | – `nmap --script=rpcinfo -p111 <IP>`: Retrieve a list of currently running RPC services. – `showmount -e <IP>`: Display the NFS shares the server exports. |
DNS – Dig Commands for Footprinting

Category | Details |
---|---|
Description | A set of DNS queries and techniques for discovering domain information, server version, and zone transfers using `dig`. |
Key Features | – DNS querying for NS records – Version information extraction (`version.bind`) – Zone transfer (AXFR) |
Supported Platforms | Windows, Linux, macOS |
Footprinting Process | – Perform DNS queries using `dig` to retrieve various DNS record types and information from the target server. |
Additional Commands | – `dig ns <domain> @<IP>`: Query the name server (NS) records of a domain. – `dig CH TXT version.bind @<IP>`: Retrieve version information from the target DNS server (the `@` directs the query at that server instead of the system resolver). – `dig any <domain> @<IP>`: Query for all available DNS records. – `dig axfr <domain> @<IP>`: Attempt a zone transfer; a server that answers exposes every record in the zone. |
SMTP – Nmap Scanning and SMTP Tools

Category | Details |
---|---|
Description | A set of tools and techniques to perform footprinting on SMTP services, including service discovery and open relay checks. |
Key Features | – SMTP port scanning (`-p25`) – Service version detection (`-sV`) – Default script execution (`-sC`) |
Supported Platforms | Windows, Linux, macOS |
Footprinting Process | – Perform an Nmap scan using `nmap -sC -sV -p25 <IP>` – Identify open SMTP ports and services – Use the `smtp-open-relay` NSE script to check whether the SMTP server relays mail for arbitrary senders and recipients. |
Additional Tools | – `nmap --script smtp-open-relay -p25 <IP>`: Test whether the target server allows mail relaying. |
IMAP/POP3 – Nmap Scanning for Email Retrieval Protocols

Category | Details |
---|---|
Description | Techniques to enumerate IMAP and POP3 services using Nmap for identifying open ports, versions, and potential vulnerabilities. |
Key Features | – Port scanning for POP3 and IMAP (`-p110,143,993,995`) – Service version detection (`-sV`) – Default script execution (`-sC`) |
Supported Platforms | Windows, Linux, macOS |
Footprinting Process | – Perform an Nmap scan using `sudo nmap -sV -sC -p110,143,993,995 <IP>` – Detect open ports for POP3, IMAP, POP3S, and IMAPS – Gather version details and run default scripts to identify vulnerabilities |
Analysis | Analyze the results to determine service configurations and identify misconfigurations. |
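The Nmap commands in the FTP, SMB, NFS, SMTP and IMAP/POP3 tables above all produce the same kind of output, and reviewing it by eye does not scale past a handful of hosts. The following Python script is an added example, not part of the original cheat sheet: it parses the XML that `nmap ... -oX scan.xml` writes and turns it into a severity-ranked findings list, flagging the conditions the sheet's NSE scripts report (`ftp-anon`, `smtp-open-relay`) and services that deserve review merely for being exposed (NFS, SMB/RPC). The `SCRIPT_RULES` and `EXPOSED_SERVICES` tables and the sample XML are constructed for this example; the XML element names (`host`, `address`, `port`, `state`, `service`, `script`) are Nmap's own.

```python
"""Turn Nmap XML output (-oX) into a short, severity-ranked findings list.

Added example for the cheat sheet above; not Nmap's own code. Run it on the
file written by `nmap -sV -sC -oX scan.xml <IP>` for hosts you are responsible
for, or with no argument to use the constructed sample below.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample resembling `nmap -sV -sC -oX` output for one host (not a real scan).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open"/>
        <service name="ftp" product="vsftpd" version="3.0.3"/>
        <script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/>
      </port>
      <port protocol="tcp" portid="25">
        <state state="open"/>
        <service name="smtp" product="Postfix smtpd"/>
        <script id="smtp-open-relay" output="Server is an open relay (16/16 tests)"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <service name="microsoft-ds"/>
      </port>
      <port protocol="tcp" portid="2049">
        <state state="open"/>
        <service name="nfs" version="3-4"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="closed"/>
        <service name="http"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# NSE script id -> (substring that marks a positive result, severity). Assumed rule table.
SCRIPT_RULES = {
    "ftp-anon": ("Anonymous FTP login allowed", "HIGH"),
    "smtp-open-relay": ("open relay", "HIGH"),
}
# Services worth a review simply for being reachable. Assumed rule table.
EXPOSED_SERVICES = {"nfs": "MEDIUM", "microsoft-ds": "MEDIUM", "netbios-ssn": "MEDIUM", "rpcbind": "LOW"}


def parse_open_ports(xml_text):
    """Return [(host, port, service_name, banner, {script_id: output})] for every open port."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports carry no service evidence
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            # -sV fills product/version when it can fingerprint the service; join what exists.
            banner = " ".join(filter(None, [svc.get("product"), svc.get("version")])) if svc is not None else ""
            scripts = {s.get("id"): s.get("output", "") for s in port.findall("script")}
            rows.append((addr, int(port.get("portid")), name, banner, scripts))
    return rows


def findings(xml_text):
    """Map open ports to (severity, host, port, message), highest severity first."""
    out = []
    for addr, portid, name, banner, scripts in parse_open_ports(xml_text):
        for sid, output in scripts.items():
            needle, sev = SCRIPT_RULES.get(sid, (None, None))
            if needle and needle.lower() in output.lower():
                out.append((sev, addr, portid, f"{sid}: {output}"))
        if name in EXPOSED_SERVICES:
            out.append((EXPOSED_SERVICES[name], addr, portid, f"{name} exposed {banner}".strip()))
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(out, key=lambda f: (order[f[0]], f[1], f[2]))


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for sev, addr, portid, msg in findings(text):
        print(f"[{sev}] {addr}:{portid} {msg}")
```

The rule tables are deliberately small: the useful part is that a positive NSE result is matched on the script's output text rather than on its mere presence, since `ftp-anon` and `smtp-open-relay` also emit output for negative results. Extend `SCRIPT_RULES` with the output strings of whatever other scripts you run.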
SNMP – Service Footprinting Techniques

Category | Details |
---|---|
Description | Methods for discovering and enumerating SNMP services, identifying misconfigurations, and extracting valuable system information. |
Key Features | – Utilize `snmpwalk` to enumerate OIDs and system information. – Use `onesixtyone` for community string brute-forcing. – Employ `braa` to query OIDs for detailed enumeration. – Leverage SecLists wordlists for custom community string discovery. |
Supported Platforms | Linux, macOS |
Footprinting Process | 1. Scan with Nmap: Perform an SNMP-specific UDP scan using `nmap -sU -p 161 <IP>`. 2. Enumerate with snmpwalk: Query SNMP OIDs to retrieve system information. Command: `snmpwalk -v2c -c public <IP>`. 3. Brute-force community strings: Use `onesixtyone` to identify valid community strings. Command: `onesixtyone -c /path/to/seclists/snmp.txt <IP>`. 4. OID brute-forcing with braa: Extract additional information by walking OIDs with a known community string. Command: `braa public@<IP>:.1.3.6.*` (braa needs the OID query after the host, otherwise it has nothing to request). |
MySQL

Category | Details |
---|---|
Command | `mysql -u <user> -p<password> -h <FQDN/IP>` |
Description | Log in to the MySQL server (note that `-p` and the password are written without a space). |
MSSQL

Category | Details |
---|---|
Command | `mssqlclient.py <user>@<FQDN/IP> -windows-auth` |
Description | Log in to the MSSQL server using Windows authentication (the `-windows-auth` switch selects it; without it the Impacket client uses SQL authentication). |
IPMI

Category | Details |
---|---|
Command | `msf6 auxiliary(scanner/ipmi/ipmi_version)` |
Description | Metasploit module for IPMI version detection. |
Additional Command | `msf6 auxiliary(scanner/ipmi/ipmi_dumphashes)` |
Description | Metasploit module to dump IPMI hashes. |
Linux Remote Management

Category | Details |
---|---|
Command | `ssh-audit.py <FQDN/IP>` |
Description | Remote security audit of the target SSH service (supported key exchange, cipher and MAC algorithms, host key types and known weak settings). |
SSH

Category | Details |
---|---|
Command | `ssh <user>@<FQDN/IP>` |
Description | Log in to the SSH server using the SSH client. |
Command | `ssh -i private.key <user>@<FQDN/IP>` |
Description | Log in to the SSH server using a private key. |
Command | `ssh <user>@<FQDN/IP> -o PreferredAuthentications=password` |
Description | Enforce password-based authentication. |
Windows Remote Management (WinRM)

Category | Details |
---|---|
Command | `rdp-sec-check.pl <FQDN/IP>` |
Description | Check the security settings of the RDP service. |
Command | `xfreerdp /u:<user> /p:"<password>" /v:<FQDN/IP>` |
Description | Log in to the RDP server from Linux. |
Command | `evil-winrm -i <FQDN/IP> -u <user> -p <password>` |
Description | Log in to the WinRM server. |
Command | `wmiexec.py <user>:"<password>"@<FQDN/IP> "<system command>"` |
Description | Execute a command using the WMI service. |
Oracle TNS

Category | Details |
---|---|
Command | `./odat.py all -s <FQDN/IP>` |
Description | Perform a variety of scans to gather information about the Oracle database services and their components. |
Command | `sqlplus <user>/<pass>@<FQDN/IP>/<db>` |
Description | Log in to the Oracle database. |
Command | `./odat.py utlfile -s <FQDN/IP> -d <db> -U <user> -P <pass> --sysdba --putFile C:\\insert\\path file.txt ./file.txt` |
Description | Upload a file to the database host with the odat `utlfile` module. |