| Command | Description |
|---|---|
| `curl -s https://crt.sh/\\?q\\=<target-domain>\&output\=json | jq .` |
for i in $(cat ip-addresses.txt);do shodan host $i;done |
Scan each IP address in a list using Shodan. |
| Command | Description |
|---|---|
ftp <FQDN/IP> |
Interact with the FTP service on the target. |
nc -nv <FQDN/IP> 21 |
Interact with the FTP service on the target. |
telnet <FQDN/IP> 21 |
Interact with the FTP service on the target. |
openssl s_client -connect <FQDN/IP>:21 -starttls ftp |
Interact with the FTP service on the target using encrypted connection. |
wget -m --no-passive <ftp://anonymous>:anonymous@<target> |
Download all available files on the target FTP server. |
| Command | Description |
|---|---|
smbclient -N -L //<FQDN/IP> |
Null session authentication on SMB. |
smbclient //<FQDN/IP>/<share> |
Connect to a specific SMB share. |
rpcclient -U "" <FQDN/IP> |
Interaction with the target using RPC. |
samrdump.py <FQDN/IP> |
Username enumeration using Impacket scripts. |
smbmap -H <FQDN/IP> |
Enumerating SMB shares. |
crackmapexec smb <FQDN/IP> --shares -u '' -p '' |
Enumerating SMB shares using null session authentication. |
enum4linux-ng.py <FQDN/IP> -A |
SMB enumeration using enum4linux. |
| Command | Description |
|---|---|
showmount -e <FQDN/IP> |
Show available NFS shares. |
mount -t nfs <FQDN/IP>:/<share> ./target-NFS/ -o nolock |
Mount the specific NFS share.umount ./target-NFS |
umount ./target-NFS |
Unmount the specific NFS share. |
| Command | Description |
|---|---|
dig ns <domain.tld> @<nameserver> |
NS request to the specific nameserver. |
dig any <domain.tld> @<nameserver> |
ANY request to the specific nameserver. |
dig axfr <domain.tld> @<nameserver> |
AXFR request to the specific nameserver. |
dnsenum --dnsserver <nameserver> --enum -p 0 -s 0 -o found_subdomains.txt -f ~/subdomains.list <domain.tld> |
Subdomain brute forcing. |
| Command | Description |
|---|---|
telnet <FQDN/IP> 25 |
| Command | Description |
|---|---|
curl -k 'imaps://<FQDN/IP>' --user <user>:<password> |
Log in to the IMAPS service using cURL. |
openssl s_client -connect <FQDN/IP>:imaps |
Connect to the IMAPS service. |
openssl s_client -connect <FQDN/IP>:pop3s |
Connect to the POP3s service. |
| Command | Description |
|---|---|
snmpwalk -v2c -c <community string> <FQDN/IP> |
Querying OIDs using snmpwalk. |
onesixtyone -c community-strings.list <FQDN/IP> |
Bruteforcing community strings of the SNMP service. |
braa <community string>@<FQDN/IP>:.1.* |
Bruteforcing SNMP service OIDs. |
| Command | Description |
|---|---|
mysql -u <user> -p<password> -h <FQDN/IP> |
Login to the MySQL server. |