# Footprinting

### Infrastructure-based Enumeration

| **Command**                                                         | **Description**                              |
| ------------------------------------------------------------------- | -------------------------------------------- |
| `curl -s https://crt.sh/\?q\=<target-domain>\&output\=json \| jq .` | Query crt.sh certificate transparency logs for certificates issued to the target domain (JSON output). |
| `for i in $(cat ip-addresses.txt);do shodan host $i;done`           | Scan each IP address in a list using Shodan. |
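
The `curl ... | jq .` row above only pretty-prints the raw crt.sh JSON; what a practitioner usually wants from certificate transparency is a deduplicated host inventory for the domain. The following is an added example, not code from the original cheat sheet or from the HTB module it summarises. It assumes the real crt.sh JSON field names (`name_value`, `issuer_name`, `common_name`, `not_before`, `not_after`); the sample records and their values are constructed for the example and are not real crt.sh data.

```python
"""Turn crt.sh JSON output into a deduplicated list of hostnames for a domain."""
import json
import sys

# Constructed sample that mimics the crt.sh JSON schema. The values are made up;
# the field names match what crt.sh returns for ?output=json.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2024-01-01T00:00:00", "not_after": "2024-03-31T23:59:59"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nmail.example.com",
     "not_before": "2023-06-01T00:00:00", "not_after": "2023-08-30T23:59:59"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "Example.COM",
     "name_value": "Example.COM\nlegacy.example.com\nexample.com.evil-lookalike.test",
     "not_before": "2022-01-01T00:00:00", "not_after": "2023-01-01T23:59:59"},
])


def extract_hostnames(crtsh_json: str, domain: str) -> list[str]:
    """Return sorted, unique hostnames under `domain` from crt.sh JSON output.

    - `name_value` carries every SAN of a certificate, newline-separated.
    - A wildcard SAN (`*.example.com`) is not a host; the `*.` prefix is
      stripped so the bare parent name is still recorded.
    - Names are lowercased (DNS is case-insensitive) and only names equal to
      the domain or ending in `.<domain>` are kept, so a lookalike such as
      `example.com.evil-lookalike.test` is rejected.
    """
    domain = domain.lower().rstrip(".")
    hosts: set[str] = set()
    for record in json.loads(crtsh_json):
        for raw in record.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            if not name:
                continue
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                hosts.add(name)
    return sorted(hosts)


def wildcard_issuers(crtsh_json: str) -> dict[str, str]:
    """Map each wildcard SAN to the issuer that signed it.

    Wildcard certificates deserve a flag in an inventory: one private key
    covers every host under that name, so its blast radius is large.
    """
    found: dict[str, str] = {}
    for record in json.loads(crtsh_json):
        for raw in record.get("name_value", "").split("\n"):
            name = raw.strip().lower()
            if name.startswith("*."):
                found[name] = record.get("issuer_name", "")
    return found


if __name__ == "__main__":
    # Usage: curl -s 'https://crt.sh/?q=example.com&output=json' | python3 crtsh_hosts.py example.com
    # With no piped input the constructed sample above is parsed instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    data = SAMPLE_CRTSH_JSON if sys.stdin.isatty() else sys.stdin.read()
    for host in extract_hostnames(data, target):
        print(host)
    for wildcard, issuer in wildcard_issuers(data).items():
        print(f"wildcard: {wildcard} (issuer: {issuer})")
```

Piping the crt.sh response into the script rather than reading `jq` output by eye matters for two reasons: certificates for the same name are re-issued many times, so the raw list is mostly duplicates, and crt.sh matches the query string as a substring, so names that merely contain the domain must be filtered out before they end up in an asset list.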

***

### Host-based Enumeration

**FTP**

| **Command**                                               | **Description**                                                         |
| --------------------------------------------------------- | ----------------------------------------------------------------------- |
| `ftp <FQDN/IP>`                                           | Interact with the FTP service on the target.                            |
| `nc -nv <FQDN/IP> 21`                                     | Interact with the FTP service on the target.                            |
| `telnet <FQDN/IP> 21`                                     | Interact with the FTP service on the target.                            |
| `openssl s_client -connect <FQDN/IP>:21 -starttls ftp`    | Interact with the FTP service on the target using encrypted connection. |
| `wget -m --no-passive ftp://anonymous:anonymous@<target>` | Download all available files on the target FTP server.                  |

**SMB**

| **Command**                                       | **Description**                                           |
| ------------------------------------------------- | --------------------------------------------------------- |
| `smbclient -N -L //<FQDN/IP>`                     | Null session authentication on SMB.                       |
| `smbclient //<FQDN/IP>/<share>`                   | Connect to a specific SMB share.                          |
| `rpcclient -U "" <FQDN/IP>`                       | Interaction with the target using RPC.                    |
| `samrdump.py <FQDN/IP>`                           | Username enumeration using Impacket scripts.              |
| `smbmap -H <FQDN/IP>`                             | Enumerating SMB shares.                                   |
| `crackmapexec smb <FQDN/IP> --shares -u '' -p ''` | Enumerating SMB shares using null session authentication. |
| `enum4linux-ng.py <FQDN/IP> -A`                   | SMB enumeration using enum4linux.                         |

**NFS**

| **Command**                                               | **Description**                                  |
| --------------------------------------------------------- | ------------------------------------------------ |
| `showmount -e <FQDN/IP>`                                  | Show available NFS shares.                       |
| `mount -t nfs <FQDN/IP>:/<share> ./target-NFS/ -o nolock` | Mount the specific NFS share.                    |
| `umount ./target-NFS`                                     | Unmount the specific NFS share.                  |

**DNS**

| **Command**                                                                                                   | **Description**                          |
| ------------------------------------------------------------------------------------------------------------- | ---------------------------------------- |
| `dig ns <domain.tld> @<nameserver>`                                                                           | NS request to the specific nameserver.   |
| `dig any <domain.tld> @<nameserver>`                                                                          | ANY request to the specific nameserver.  |
| `dig axfr <domain.tld> @<nameserver>`                                                                         | AXFR request to the specific nameserver. |
| `dnsenum --dnsserver <nameserver> --enum -p 0 -s 0 -o found_subdomains.txt -f ~/subdomains.list <domain.tld>` | Subdomain brute forcing.                 |

**SMTP**

| **Command**           | **Description** |
| --------------------- | --------------- |
| `telnet <FQDN/IP> 25` | Interact with the SMTP service on the target. |

**IMAP/POP3**

| **Command**                                            | **Description**                         |
| ------------------------------------------------------ | --------------------------------------- |
| `curl -k 'imaps://<FQDN/IP>' --user <user>:<password>` | Log in to the IMAPS service using cURL. |
| `openssl s_client -connect <FQDN/IP>:imaps`            | Connect to the IMAPS service.           |
| `openssl s_client -connect <FQDN/IP>:pop3s`            | Connect to the POP3s service.           |

**SNMP**

| **Command**                                       | **Description**                                     |
| ------------------------------------------------- | --------------------------------------------------- |
| `snmpwalk -v2c -c <community string> <FQDN/IP>`   | Querying OIDs using snmpwalk.                       |
| `onesixtyone -c community-strings.list <FQDN/IP>` | Bruteforcing community strings of the SNMP service. |
| `braa <community string>@<FQDN/IP>:.1.*`          | Bruteforcing SNMP service OIDs.                     |

**MySQL**

| **Command**                                 | **Description**            |
| ------------------------------------------- | -------------------------- |
| `mysql -u <user> -p<password> -h <FQDN/IP>` | Login to the MySQL server. |

**MSSQL**

| **Command**                                     | **Description**                                          |
| ----------------------------------------------- | -------------------------------------------------------- |
| `mssqlclient.py <user>@<FQDN/IP> -windows-auth` | Log in to the MSSQL server using Windows authentication. |

**IPMI**

| **Command**                                    | **Description**         |
| ---------------------------------------------- | ----------------------- |
| `msf6 auxiliary(scanner/ipmi/ipmi_version)`    | Metasploit module for IPMI version detection. |
| `msf6 auxiliary(scanner/ipmi/ipmi_dumphashes)` | Metasploit module to dump IPMI hashes.        |

**Linux Remote Management**

| **Command**                                                 | **Description**                                       |
| ----------------------------------------------------------- | ----------------------------------------------------- |
| `ssh-audit.py <FQDN/IP>`                                    | Remote security audit against the target SSH service. |
| `ssh <user>@<FQDN/IP>`                                      | Log in to the SSH server using the SSH client.        |
| `ssh -i private.key <user>@<FQDN/IP>`                       | Log in to the SSH server using private key.           |
| `ssh <user>@<FQDN/IP> -o PreferredAuthentications=password` | Enforce password-based authentication.                |

**Windows Remote Management**

| **Command**                                                   | **Description**                                 |
| ------------------------------------------------------------- | ----------------------------------------------- |
| `rdp-sec-check.pl <FQDN/IP>`                                  | Check the security settings of the RDP service. |
| `xfreerdp /u:<user> /p:"<password>" /v:<FQDN/IP>`             | Log in to the RDP server from Linux.            |
| `evil-winrm -i <FQDN/IP> -u <user> -p <password>`             | Log in to the WinRM server.                     |
| `wmiexec.py <user>:"<password>"@<FQDN/IP> "<system command>"` | Execute command using the WMI service.          |

**Oracle TNS**

| **Command**                                                                                                          | **Description**                                                                                         |
| -------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------- |
| `./odat.py all -s <FQDN/IP>`                                                                                         | Perform a variety of scans to gather information about the Oracle database services and its components. |
| `sqlplus <user>/<pass>@<FQDN/IP>/<db>`                                                                               | Log in to the Oracle database.                                                                          |
| `./odat.py utlfile -s <FQDN/IP> -d <db> -U <user> -P <pass> --sysdba --putFile C:\\insert\\path file.txt ./file.txt` | Upload a file with Oracle RDBMS.                                                                        |

