# Footprinting

| No. | Principle                                                              |
| --- | ---------------------------------------------------------------------- |
| 1.  | There is more than meets the eye. Consider all points of view.         |
| 2.  | Distinguish between what we see and what we do not see.                |
| 3.  | There are always ways to gain more information. Understand the target. |

**These are the six layers we try to work through during the enumeration process:**

1. Internet Presence (domains, subdomains, IP addresses, hosts, cloud instances)
2. Gateway (firewalls, IPS/IDS, network segmentation, Cloudflare)
3. Accessible Services (service type, ports, version)
4. Process (PID, tasks, destination)
5. Privileges (groups, users, permissions, restrictions, environments)
6. OS Setup (OS type, patch level, network config, config files, OS environment)

***

## Cheatsheet for this module

### Infrastructure-Based Enumeration

| Command                                                 | Description                                  |
| ------------------------------------------------------- | -------------------------------------------- |
| curl -s "https://crt.sh/?q=\<domain.tld>&output=json" \| jq . | Certificate transparency lookup for a domain. |
| for i in $(cat ip-addresses.txt);do shodan host $i;done | Scan each IP address in a list using Shodan. |
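Added example, not part of the original notes: a small Python parser for the JSON that the crt.sh query above returns, run here against a constructed sample response instead of a live query. It goes a step beyond `jq .` by splitting multi-name `name_value` fields, scoping results to the queried domain, separating wildcard entries from concrete hosts, and flagging names that only ever appear on already-expired certificates (a common hint of forgotten or decommissioned infrastructure worth reconciling against your asset inventory). The function names and sample data are my own assumptions.

```python
import json
from datetime import datetime

# Constructed sample of a crt.sh JSON response (only the relevant fields,
# values made up for illustration). Save a real response with:
#   curl -s "https://crt.sh/?q=<domain.tld>&output=json" > crtsh.json
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2023-01-01T00:00:00", "not_after": "2023-04-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com",
     "not_before": "2023-02-01T00:00:00", "not_after": "2023-05-01T00:00:00"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "mail.example.com",
     # SAN lists can mix case and may carry names outside the queried domain
     "name_value": "mail.example.com\nMAIL.Example.com\nsmtp.example.com\nother.example.org",
     "not_before": "2022-06-01T00:00:00", "not_after": "2023-06-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "dev-old.example.com",
     "name_value": "dev-old.example.com",
     "not_before": "2021-01-01T00:00:00", "not_after": "2021-04-01T00:00:00"},
])


def _names_in(cert):
    """Yield every normalised name on one certificate record.

    crt.sh packs all SAN entries of a certificate into `name_value`,
    separated by newlines, so a single record can contribute many hosts.
    """
    for name in cert.get("name_value", "").split("\n"):
        name = name.strip().lower().rstrip(".")
        if name:
            yield name


def _in_scope(name, domain):
    """True when `name` is the queried domain itself or a subdomain of it."""
    return name == domain or name.endswith("." + domain)


def parse_crtsh(raw_json, domain):
    """Return (sorted concrete hostnames, sorted wildcard entries) under `domain`.

    Wildcards such as '*.example.com' are kept apart because they are not a
    host you can resolve or probe; they only tell you a wildcard cert exists.
    """
    hosts, wildcards = set(), set()
    for cert in json.loads(raw_json):
        for name in _names_in(cert):
            if not _in_scope(name, domain):
                continue
            (wildcards if name.startswith("*.") else hosts).add(name)
    return sorted(hosts), sorted(wildcards)


def stale_hosts(raw_json, domain, today):
    """Hostnames whose newest certificate had already expired on `today` (ISO date).

    A name that shows up in CT logs but has had no valid certificate for a
    while is a candidate for a decommissioned system or a dangling DNS record.
    """
    cutoff = datetime.fromisoformat(today)
    newest_expiry = {}
    for cert in json.loads(raw_json):
        not_after = datetime.fromisoformat(cert["not_after"])
        for name in _names_in(cert):
            if _in_scope(name, domain) and not name.startswith("*."):
                newest_expiry[name] = max(newest_expiry.get(name, not_after), not_after)
    return sorted(h for h, exp in newest_expiry.items() if exp < cutoff)


if __name__ == "__main__":
    hosts, wildcards = parse_crtsh(SAMPLE_CRTSH_JSON, "example.com")
    print("hosts:    ", hosts)
    print("wildcards:", wildcards)
    print("stale:    ", stale_hosts(SAMPLE_CRTSH_JSON, "example.com", "2023-03-01"))
```

The scoping step matters because `name_value` lists every SAN on a certificate, and multi-domain certificates routinely carry names that belong to someone else; without it the host list silently grows past the scope you were asked to look at.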

***

### Host-Based Enumeration

#### FTP

| Command                                                | Description                                                             |
| ------------------------------------------------------ | ----------------------------------------------------------------------- |
| ftp \<FQDN/IP>                                         | Interact with the FTP service on the target.                            |
| nc -nv \<FQDN/IP> 21                                   | Interact with the FTP service on the target.                            |
| telnet \<FQDN/IP> 21                                   | Interact with the FTP service on the target.                            |
| openssl s\_client -connect \<FQDN/IP>:21 -starttls ftp | Interact with the FTP service on the target using encrypted connection. |
| wget -m --no-passive ftp\://anonymous:anonymous@\<FQDN/IP> | Download all available files on the target FTP server (anonymous login).  |

#### SMB

| Command                                          | Description                                               |
| ------------------------------------------------ | --------------------------------------------------------- |
| smbclient -N -L //\<FQDN/IP>                     | Null session authentication on SMB.                       |
| smbclient //\<FQDN/IP>/\<share>                  | Connect to a specific SMB share.                          |
| rpcclient -U "" \<FQDN/IP>                       | Interaction with the target using RPC.                    |
| samrdump.py \<FQDN/IP>                           | Username enumeration using Impacket scripts.              |
| smbmap -H \<FQDN/IP>                             | Enumerating SMB shares.                                   |
| crackmapexec smb \<FQDN/IP> --shares -u '' -p '' | Enumerating SMB shares using null session authentication. |
| enum4linux-ng.py \<FQDN/IP> -A                   | SMB enumeration using enum4linux.                         |

#### NFS

| Command                                           | Description                                      |
| ------------------------------------------------- | ------------------------------------------------ |
| showmount -e \<FQDN/IP>                           | Show available NFS shares.                       |
| mount -t nfs \<FQDN/IP>:/ ./target-NFS/ -o nolock | Mount the specific NFS share.                    |
| umount ./target-NFS                               | Unmount the specific NFS share.                  |

#### DNS

| Command                                                                                           | Description                              |
| ------------------------------------------------------------------------------------------------- | ---------------------------------------- |
| dig ns \<domain.tld> @\<nameserver>                                                                           | NS request to the specific nameserver.   |
| dig any \<domain.tld> @\<nameserver>                                                                          | ANY request to the specific nameserver.  |
| dig axfr \<domain.tld> @\<nameserver>                                                                         | AXFR (zone transfer) request to the specific nameserver. |
| dnsenum --dnsserver \<nameserver> --enum -p 0 -s 0 -o found\_subdomains.txt -f \~/subdomains.list \<domain.tld> | Subdomain brute forcing.                 |

#### SMTP

| Command              | Description |
| -------------------- | ----------- |
| telnet \<FQDN/IP> 25 | Connect to the SMTP service. |

#### IMAP/POP3

| Command                                     | Description                             |
| ------------------------------------------- | --------------------------------------- |
| curl -k 'imaps\://\<FQDN/IP>' --user :      | Log in to the IMAPS service using cURL. |
| openssl s\_client -connect \<FQDN/IP>:imaps | Connect to IMAP service                 |
| openssl s\_client -connect \<FQDN/IP>:pop3s | Connect to POP3 service                 |

#### SNMP

| Command                                          | Description                                         |
| ------------------------------------------------ | --------------------------------------------------- |
| snmpwalk -v2c -c \<community string> \<FQDN/IP>  | Querying OIDs using snmpwalk.                       |
| onesixtyone -c community-strings.list \<FQDN/IP> | Bruteforcing community strings of the SNMP service. |
| braa @\<FQDN/IP>:.1.\*                           | Bruteforcing SNMP service OIDs.                     |

#### MySQL

| Command                   | Description                |
| ------------------------- | -------------------------- |
| mysql -u \<user> -p -h \<FQDN/IP> | Log in to the MySQL server. |

#### MSSQL

| Command                                  | Description                                              |
| ---------------------------------------- | -------------------------------------------------------- |
| mssqlclient.py \<user>@\<FQDN/IP> -windows-auth | Log in to the MSSQL server using Windows authentication. |

#### IPMI

| Command                                       | Description                                |
| --------------------------------------------- | ------------------------------------------ |
| msf6 auxiliary(scanner/ipmi/ipmi\_version)    | IPMI version detection.                    |
| msf6 auxiliary(scanner/ipmi/ipmi\_dumphashes) | Dump IPMI hashes.                          |

#### Linux Remote Management

| Command                                              | Description                                           |
| ---------------------------------------------------- | ----------------------------------------------------- |
| ssh-audit.py \<FQDN/IP>                              | Remote security audit against the target SSH service. |
| ssh \<user>@\<FQDN/IP>                                      | Log in to the SSH server using the SSH client.        |
| ssh -i private.key \<user>@\<FQDN/IP>                       | Log in to the SSH server using a private key.         |
| ssh \<user>@\<FQDN/IP> -o PreferredAuthentications=password | Enforce password-based authentication.                |

#### Windows Remote Management

| Command                                                        | Description                                     |
| -------------------------------------------------------------- | ----------------------------------------------- |
| rdp-sec-check.pl \<FQDN/IP>                                    | Check the security settings of the RDP service. |
| xfreerdp /u:\<user> /p:"password" /v:\<FQDN/IP>                | Log in to the RDP server from Linux.            |
| evil-winrm -i \<FQDN/IP> -u \<user> -p \<password>             | Log in to the WinRM server.                     |
| wmiexec.py \<user>:\<password>@\<FQDN/IP> "\<system command>"  | Execute a command using the WMI service.        |

#### Oracle TNS

| Command                                                                                                              | Description                                                                                             |
| -------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------- |
| ./odat.py all -s \<FQDN/IP>                                                                                          | Perform a variety of scans to gather information about the Oracle database services and its components. |
| sqlplus \<user>/\<password>@\<FQDN/IP>/\<db>                                                                         | Log in to the Oracle database.                                                                          |
| ./odat.py utlfile -s \<FQDN/IP> -d \<db> -U \<user> -P \<pass> --sysdba --putFile C:\insert\path file.txt ./file.txt | Upload a file with Oracle RDBMS.                                                                        |

