Service Enumeration
Infrastructure Enumeration
Check certificate transparency logs
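# Query the crt.sh certificate-transparency index for <target-domain>.
# The URL is single-quoted so '?' and '&' reach curl untouched (no backslash
# escaping needed); -S -f make curl report an HTTP error and exit non-zero
# instead of silently piping an HTML error page into jq.
curl -sSf 'https://crt.sh/?q=<target-domain>&output=json' | jq .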
Look up IP addresses using Shodan
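# Look up every address listed in ip-addresses.txt (one per line) in Shodan.
# A read loop, rather than `for i in $(cat ...)`, keeps each line intact,
# does not glob-expand it, and still handles a file with no trailing newline.
while IFS= read -r ip || [[ -n "$ip" ]]; do
  [[ -n "$ip" ]] || continue   # skip blank lines
  shodan host "$ip"
done < ip-addresses.txt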
Query domain registration data using whois
# Retrieve the WHOIS registration record for <Domain>
whois <Domain>
Service-Based Enumeration
FTP Enumeration
# Interact with FTP service
ftp <IP>
# Interact with FTP through NC
# (-n: no DNS lookups, -v: verbose; useful for reading the banner by hand)
nc -nv <IP> 21
# Interact with FTP through telnet
telnet <IP> 21
# Interact with FTP through openssl
# (-starttls ftp upgrades the plain control connection to TLS, exposing the certificate)
openssl s_client -connect <IP>:21 -starttls ftp
# Download all files on FTP
# -m mirrors recursively; --no-passive forces active mode, i.e. the server
# connects back to the client. The anonymous:anonymous credentials embedded in
# the URL end up in shell history and process listings.
wget -m --no-passive ftp://anonymous:anonymous@<target>
SSH Enumeration
# Security audit/check against the target SSH service
# (reports the server banner and the offered key-exchange, host-key and cipher algorithms)
ssh-audit.py <IP>
# Log in to the SSH server using the SSH client.
ssh <user>@<IP>
# Log in to the SSH server using private key.
# chmod 600 is required first: ssh refuses a private key readable by other users.
chmod 600 <key>
ssh -i <key> <user>@<IP>
# (Pre-OpenSSH 7.7) User enumeration
# Each probe is a failed login with a deliberately invalid password, so this is
# noisy in the target's auth logs and easy to detect.
hydra -L users.txt -p invalidpass ssh://<IP>
DNS Enumeration
# NS Request to the target
dig ns <domain.tld> @<nameserver>
# ANY Request to the target
# (many servers answer ANY with a minimal response or refuse it; fall back to
# per-type queries if the answer looks empty)
dig any <domain.tld> @<nameserver>
# AXFR Zone transfer to the target
# (only succeeds when the server allows transfers to your address; a failure
# here is expected on a correctly configured server)
dig axfr <domain.tld> @<nameserver>
# MX Request to the target
dig mx <domain.tld> @<nameserver>
# TXT Request to the target
dig txt <domain.tld> @<nameserver>
# Enumerate subdomains with dnsenum
# --dnsserver: resolver to query; -p 0 -s 0: no search-engine scraping;
# -f: wordlist for brute forcing; -o: write results to found_subdomains.txt
dnsenum --dnsserver <nameserver> --enum -p 0 -s 0 -o found_subdomains.txt -f ~/subdomains.list <domain.tld>
SMB Enumeration
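# Null session authentication on SMB (-N: no password, -L: list shares)
smbclient -N -L //<IP>
# Connect to a specific SMB share
smbclient //<IP>/<share>
# Enumerating SMB shares.
smbmap -H <IP>
# SMB enumeration using enum4linux (-A: run all enumeration modules)
enum4linux <FQDN/IP> -A
# Enumerating SMB shares using null session authentication.
# (empty -u/-p is the null session; this line is a comment, not a command)
crackmapexec smb <FQDN/IP> --shares -u '' -p ''
# Username enumeration using Impacket
# TODO: the command for this entry is missing from the source; add it when known.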
NFS Enumeration
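# Show available NFS shares (exports) on the target
showmount -e <IP>
# Mount the specific NFS share to ./NFS
# The mount point is created first so mount has a directory to attach to;
# -o nolock avoids depending on the server's lock daemon.
mkdir -p ./NFS
mount -t nfs <IP>:/<share> ./NFS/ -o nolock
# Unmount the specific NFS share (same mount point that was used above)
umount ./NFS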
IMAPS/POP3 Enumeration
# Log in to the IMAPS service using curl
# -k skips certificate verification; the user:password pair on the command
# line is visible in shell history and process listings.
curl -k 'imaps://<IP>' --user <user>:<passwd>
# Connect to the IMAP service through openssl
# (the service name imaps resolves to port 993 via /etc/services)
openssl s_client -connect <FQDN/IP>:imaps
# Connect to the POP3s service through openssl
# (the service name pop3s resolves to port 995 via /etc/services)
openssl s_client -connect <FQDN/IP>:pop3s
SMTP Enumeration
# Interact with SMTP using telnet (plain-text session on port 25; shows the banner)
telnet <IP> 25
SNMP Enumeration
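# Querying OIDs using snmpwalk
# The community string is quoted because it may contain spaces or shell
# metacharacters once the placeholder is filled in.
snmpwalk -v2c -c '<community string>' <IP>
# Bruteforcing community strings of the SNMP service
onesixtyone -c community-strings.list <FQDN/IP>
# Bruteforcing SNMP service OIDs
# The argument is quoted so the trailing '.1.*' cannot be glob-expanded by the
# shell against files in the current directory.
braa '<community string>@<FQDN/IP>:.1.*'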
MySQL Enumeration
# Login to the MySQL server
# -p<password> with no space passes the password on the command line, where it
# is visible in process listings and shell history; a bare -p prompts instead.
mysql -u <user> -p<password> -h <FQDN/IP>
# Scan MySQL Server using nmap scripts
nmap -p3306 -sC --script=mysql-info,mysql-users,mysql-enum <IP>
# (Authenticated) Scan MySQL Server using nmap scripts
# --script-args supplies the credentials the scripts authenticate with.
nmap -p3306 --script=mysql-enum,mysql-databases,mysql-variables --script-args='mysqluser=root,mysqlpass=toor' <TARGET>
MSSQL Enumeration
# Log in to the MSSQL server using Windows authentication
mssqlclient.py <user>@<FQDN/IP> -windows-auth
# Scan MSSQL using nmap scripts
# ms-sql-brute attempts logins from a wordlist, so it is noisy and can lock
# accounts; ms-sql-info and ms-sql-empty-password are lighter-weight checks.
nmap -p1433 --script=ms-sql-info,ms-sql-empty-password,ms-sql-brute <TARGET>
IPMI Enumeration
# IPMI version detection using Metasploit
# NOTE: the two lines below are msfconsole prompts showing the loaded module,
# not bash commands; they are not runnable from a shell as written.
msf6 auxiliary(scanner/ipmi/ipmi_version)
# Dump IPMI hashes using Metasploit
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes)
RDP/WinRM Enumeration
# Perform a security check/audit (RDP: reports supported security layers and encryption levels)
rdp-sec-check.pl <IP>
# Log in to the RDP server from Linux
# (the password passed via /p: is visible in process listings and shell history)
xfreerdp /u:<user> /p:"<password>" /v:<IP>
# Log in to the WinRM server
# (same caveat: -p puts the password on the command line)
evil-winrm -i <IP> -u <user> -p <password>
# User validity check using CrackMapExec (null session or password spray)
# --no-bruteforce pairs each user with the single password rather than trying
# every combination; repeated failures can still trigger account lockouts.
crackmapexec winrm <target> -u <usersfile> -p '<passwd>' --no-bruteforce
# Check Single-User
crackmapexec winrm <target> -u <user> -p '<passwd>'