CPTS Guide - 3. Footprinting
Footprinting
Footprinting is the initial phase in penetration testing, focused on gathering as much information as possible about the target system. This section covers both infrastructure-based and host-based enumeration commands used to gather public data or interact directly with services.
Infrastructure-based Enumeration
Certificate Transparency
curl -s "https://crt.sh/?q=<target-domain>&output=json" | jq . # The URL must be quoted: an unquoted & would background curl and drop output=json.
Retrieves SSL/TLS certificate information for a domain using crt.sh and formats the output with jq.
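The JSON the curl command returns is most useful once reduced to a hostname inventory. The Python below is an added example, not code from the original guide: it parses crt.sh records (a constructed sample is embedded) into unique in-scope hostnames and reports which still carry an unexpired certificate, the same check a defender runs when monitoring Certificate Transparency for unexpected names.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like the JSON from
# curl -s "https://crt.sh/?q=example.com&output=json" (three certificate records).
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.dev.example.com\nvpn.example.com",
     "not_before": "2025-02-01T00:00:00", "not_after": "2099-05-02T23:59:59"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "WWW.EXAMPLE.COM",
     "not_before": "2023-06-01T00:00:00", "not_after": "2024-06-01T23:59:59"},
])


def _names(record, domain):
    """Yield normalised hostnames under `domain` from one crt.sh record.
    name_value packs every SAN of the cert, one per line; names are lower-cased
    and a leading '*.' is dropped so the wildcard's base label is inventoried."""
    for name in record.get("name_value", "").splitlines():
        name = name.strip().lower()
        if name.startswith("*."):
            name = name[2:]
        if name == domain or name.endswith("." + domain):
            yield name


def hostnames_from_crtsh(raw_json, domain):
    """Sorted, de-duplicated hostnames for `domain` across all records."""
    seen = set()
    for record in json.loads(raw_json):
        seen.update(_names(record, domain))
    return sorted(seen)


def unexpired_hosts(raw_json, domain, now_iso=None):
    """Hostnames backed by at least one certificate still valid at `now_iso`.
    crt.sh timestamps are UTC with no offset, so compare as naive UTC."""
    now = (datetime.fromisoformat(now_iso) if now_iso
           else datetime.now(timezone.utc).replace(tzinfo=None))
    live = set()
    for record in json.loads(raw_json):
        if datetime.fromisoformat(record["not_after"]) >= now:
            live.update(_names(record, domain))
    return sorted(live)
```

Feed it the file saved from the curl command in place of the sample; expired certificates still reveal historical hostnames, which is why both views are kept.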
Shodan
while read -r ip; do shodan host "$ip"; done < ip-addresses.txt
Iterates through a list of IPs and performs Shodan lookups for each to gather public data.
Host-based Enumeration
FTP
ftp <FQDN/IP> # Connects to an FTP server on the target system.
nc -nv <FQDN/IP> 21 # Uses netcat to interact with the FTP service on port 21.
telnet <FQDN/IP> 21 # Opens a Telnet session to communicate with the FTP service on port 21.
openssl s_client -connect <FQDN/IP>:21 -starttls ftp # Initiates a secure connection to the FTP service using STARTTLS.
wget -m --no-passive ftp://anonymous:anonymous@<target> # Mirrors (downloads) all files accessible to anonymous FTP users.
Interact with FTP using various tools or download data anonymously.
SMB
smbclient -N -L //<FQDN/IP> # Lists available SMB shares using null session (no authentication).
smbclient //<FQDN/IP>/<share> # Connects to a specified SMB share on the target.
rpcclient -U "" <FQDN/IP> # Interacts with Windows RPC services using a null session.
samrdump.py <FQDN/IP> # Uses Impacket to enumerate users via the Security Account Manager (SAM) over RPC.
smbmap -H <FQDN/IP> # Lists shared SMB directories and access levels.
crackmapexec smb <FQDN/IP> --shares -u '' -p '' # Checks SMB shares for access using null authentication with CrackMapExec.
enum4linux-ng.py <FQDN/IP> -A # Performs extensive SMB enumeration using Enum4Linux-NG.
Commands for SMB enumeration, accessing shares, and retrieving user info.
NFS
showmount -e <FQDN/IP> # Displays exported NFS shares from the target system.
mount -t nfs <FQDN/IP>:/<share> ./target-NFS/ -o nolock # Mounts an NFS share to the local directory for access.
umount ./target-NFS # Unmounts the previously mounted NFS share.
Mount and inspect NFS shares.
DNS
dig ns <domain.tld> @<nameserver> # Queries a DNS server for name server (NS) records for a domain.
dig any <domain.tld> @<nameserver> # Performs a DNS ANY query, requesting all available DNS records.
dig axfr <domain.tld> @<nameserver> # Attempts a DNS zone transfer from the specified nameserver.
dnsenum --dnsserver <nameserver> --enum -p 0 -s 0 -o found_subdomains.txt -f ~/subdomains.list <domain.tld> # Brute-forces DNS subdomains using dnsenum with a custom wordlist.
Use dig and dnsenum for DNS zone transfers and subdomain brute-forcing.
SMTP
telnet <FQDN/IP> 25
Opens a Telnet session to interact with the SMTP service.
IMAP/POP3
curl -k 'imaps://<FQDN/IP>' --user <user>:<password> # Authenticates to an IMAPS server using cURL.
openssl s_client -connect <FQDN/IP>:imaps # Establishes a secure connection to an IMAPS server.
openssl s_client -connect <FQDN/IP>:pop3s # Establishes a secure connection to a POP3S server.
Check email services over encrypted protocols.
SNMP
snmpwalk -v2c -c <community string> <FQDN/IP> # Performs a walk on SNMP OIDs to enumerate system information.
onesixtyone -c community-strings.list <FQDN/IP> # Brute-forces SNMP community strings using a wordlist.
braa <community string>@<FQDN/IP>:.1.* # Bulk-queries every OID under .1 with braa, a fast mass SNMP scanner, once a valid community string is known.
Query SNMP services for accessible information.
MySQL
mysql -u <user> -p<password> -h <FQDN/IP>
Log into a MySQL server using credentials.
MSSQL
mssqlclient.py <user>@<FQDN/IP> -windows-auth
Log into a MSSQL server using Windows authentication.
IPMI
msf6 > use auxiliary/scanner/ipmi/ipmi_version # Loads Metasploit's IPMI version scanner; set RHOSTS to the target, then run.
msf6 > use auxiliary/scanner/ipmi/ipmi_dumphashes # Loads the module that retrieves IPMI user password hashes; set RHOSTS, then run.
IPMI version check and hash dumping.
Linux Remote Management
ssh-audit.py <FQDN/IP> # Performs a security audit on the target SSH service.
ssh <user>@<FQDN/IP> # Connects to a remote machine using SSH.
ssh -i private.key <user>@<FQDN/IP> # Authenticates to SSH using a private key file.
ssh <user>@<FQDN/IP> -o PreferredAuthentications=password # Forces SSH to use password-based authentication.
SSH auditing and login methods.
Windows Remote Management
rdp-sec-check.pl <FQDN/IP> # Checks the RDP service on the target for weak security settings.
xfreerdp /u:<user> /p:"<password>" /v:<FQDN/IP> # Connects to an RDP service from a Linux system using xfreerdp.
evil-winrm -i <FQDN/IP> -u <user> -p <password> # Logs into a target using Windows Remote Management (WinRM).
wmiexec.py <user>:"<password>"@<FQDN/IP> "<system command>" # Executes a system command via WMI using Impacket's wmiexec.
Interact with RDP, WinRM, and WMI services.
Oracle TNS
./odat.py all -s <FQDN/IP> # Performs multiple enumeration tasks against Oracle DB using ODAT.
sqlplus <user>/<pass>@<FQDN/IP>/<db> # Logs into Oracle SQL database using sqlplus.
./odat.py utlfile -s <FQDN/IP> -d <db> -U <user> -P <pass> --sysdba --putFile C:\insert\path file.txt ./file.txt # Uploads a file to the Oracle database server through the UTL_FILE package.
Enumeration and file interaction with Oracle databases.
Conclusion
Footprinting and enumeration are essential for building a strong understanding of a target system. With these tools and commands, you can effectively discover services, gather metadata, and begin forming an attack plan. Know what each command does and use them with intention. This phase is the foundation of everything that follows.
