Footprinting (Just Do Formatting)
Introduction
Enumeration is the most critical phase of any penetration testing process. It is also dynamic, meaning there isn’t a static step-by-step guide to follow. However, the diagram below provides a general idea of the enumeration process.

Infrastructure Based Enumeration
One common starting point is examining the SSL certificate of a company's main website, which may reveal useful information. Tools like crt.sh can help uncover various subdomains.
#Collect the subdomains of a specific domain from crt.sh certificate transparency logs
curl -s "https://crt.sh/?q=<Domain-Name>&output=json" | jq -r '.[].name_value' | sort -u
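The same crt.sh parsing done offline in Python, added here as an example (not from the original notes): beyond the one-liner above it splits multi-name entries, folds wildcard names to the parent they cover, normalizes case and drops look-alike names that are not under the target zone. The JSON sample and the example.com names are constructed.

```python
import json
import re

# Constructed sample in the shape crt.sh returns for ?q=<domain>&output=json:
# a JSON array of certificate records. name_value can hold several names
# separated by literal newlines, and wildcard entries are common. Not real data.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.dev.example.com", "name_value": "*.dev.example.com\napi.dev.example.com"},
    {"issuer_name": "C=US, O=Example CA, CN=Example Issuing CA 1",
     "common_name": "mail.example.com", "name_value": "MAIL.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Example CA, CN=Example Issuing CA 1",
     "common_name": "example.com.lookalike.test", "name_value": "example.com.lookalike.test"},
])

# RFC 1123-style hostname: dot-separated labels of letters, digits and inner hyphens.
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")

def crtsh_subdomains(raw_json, domain):
    """Return the sorted, de-duplicated hostnames under `domain` found in a crt.sh JSON reply."""
    domain = domain.lower().rstrip(".")
    found = set()
    for record in json.loads(raw_json):
        names = [record.get("common_name") or ""] + (record.get("name_value") or "").split("\n")
        for name in names:
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]            # wildcard cert: keep the parent name it covers
            if not HOSTNAME_RE.match(name):
                continue                   # empty, malformed, or junk from the CT log
            # suffix match on a label boundary so "example.com.lookalike.test" is dropped
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return sorted(found)
```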
Google Dorking is another useful technique for discovering valuable information such as files, subdomains, and cloud resources.
Two tools that can help automate this process are https://domain.glass/ and https://grayhatwarfare.com/.
Finally, identifying company employees can offer insights into the company's infrastructure. For example, analyzing job postings may reveal the technologies in use. Reconnaissance on employees can also expose new attack vectors.
Host Based Enumeration
In this section, popular protocols that are likely to be encountered during a penetration test are examined.
File Transfer Protocol (FTP)
File Transfer Protocol (FTP) is used to transfer files and operates on TCP ports 21 (control) and 20 (data). FTP is a clear-text protocol, so its traffic can be sniffed; it defines its own set of commands and status codes.
Trivial File Transfer Protocol (TFTP) is a simpler version of FTP: it uses UDP and provides no user authentication.
Many FTP servers are available; one of the most common on Linux-based distributions is vsFTPd. The vsFTPd configuration file is located in
/etc/vsftpd.conf
Nmap can be used to footprint FTP using many of its available scripts.
#Important Configurations for vsFTPd:
anonymous_enable=YES #Allows anonymous login.
anon_upload_enable=YES #Allow anonymous upload.
no_anon_password=YES #Don't ask anonymous for password.
local_enable=YES #Enable local users to login
hide_ids=YES #Hide the ID of the users/groups when listing directories (Will show as FTP)
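A defender's quick check over the settings listed above, added here as an example (not from the original notes): it parses a constructed vsftpd.conf excerpt and reports the settings that weaken the server. Caveat: it only evaluates keys explicitly present; absent keys fall back to vsftpd's compiled-in or distribution defaults, which this does not model.

```python
# Constructed vsftpd.conf excerpt (not from any real host): the settings listed
# above plus two related ones (write_enable, chroot_local_user) for contrast.
SAMPLE_VSFTPD_CONF = """\
# vsftpd.conf (constructed sample)
listen=YES
anonymous_enable=YES
anon_upload_enable=YES
no_anon_password=YES
local_enable=YES
write_enable=YES
hide_ids=NO
chroot_local_user=NO
"""

# setting -> (value that weakens the server, what a reviewer should note)
RISKY_SETTINGS = {
    "anonymous_enable":   ("YES", "anonymous login allowed"),
    "anon_upload_enable": ("YES", "anonymous users may upload files"),
    "no_anon_password":   ("YES", "anonymous login asks for no password"),
    "chroot_local_user":  ("NO",  "local users are not confined to their home directory"),
    "hide_ids":           ("NO",  "directory listings expose real user and group names"),
}

def parse_vsftpd_conf(text):
    """Parse vsftpd's key=value format; blank lines and '#' comments are ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings

def audit_vsftpd(text):
    """Return [(setting, value, note)] for each risky setting explicitly present."""
    settings = parse_vsftpd_conf(text)
    findings = []
    for key, (weak_value, note) in RISKY_SETTINGS.items():
        value = settings.get(key)
        # YES/NO compared case-insensitively (vsftpd also accepts true/false, 1/0: not handled)
        if value is None or value.upper() != weak_value:
            continue
        if key == "anon_upload_enable" and settings.get("write_enable", "NO").upper() != "YES":
            note += " (inactive: write_enable is not YES)"  # anonymous uploads also need write_enable
        findings.append((key, value, note))
    return findings
```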
#FTP commands
ftp <IP Address> #Access a server over FTP
#Show more details when interacting with the server
debug
trace
ls -R #Recursive directory listing
get <File> #Download a file
put <File> #Upload a file
#Download all the files from an FTP server
wget -m --no-passive ftp://<Username>:<Password>@<Server IP Address>
Server Message Block
Server Message Block (SMB) is a client-server protocol that regulates access to files and entire directories and other network resources such as printers, routers, or interfaces released for the network.
SMB was originally developed by Microsoft for Windows systems. Samba, an implementation of the Common Internet File System (CIFS) protocol (a dialect of SMB), was later released as an alternative for Linux/Unix systems.
Tools like rpcclient can help enumerate an SMB server.
Other tools that automate the whole SMB enumeration process include:
smbmap
CrackMapExec
enum4linux-ng
#List smb shares
smbclient -L //<IP-Address>
#To Access a share
smbclient //<IP-Address>/<Share-Name>
#Some Useful commands
smbstatus #Run on the Samba server itself: shows current connections, shares and locked files (e.g. which users are connected to a share)
help #List the commands available in the share
#rpcclient commands
rpcclient -U "" -N <IP-Address> #Connect to the SMB server with a null session (no password prompt)
netshareenumall #Enumerate all available shares
enumdomusers #Enumerate users
Network File System (NFS)
Network File System (NFS) is a network file system developed by Sun Microsystems that serves the same purpose as SMB: accessing file systems over a network as if they were local.
NFS uses a completely different protocol from SMB meaning that NFS clients cannot communicate directly with SMB servers.
#To show available NFS shares
showmount -e <IP-Address>
#To mount the NFS share locally
sudo mount -t nfs <IP-Address>:/ <Folder-To-Mount-To> -o nolock
#To unmount the NFS share
sudo umount <NFS-Share-Path>
Domain Name System (DNS)
DNS is a distributed system for resolving computer names into IP addresses; it has no single central database.

There are multiple kinds of DNS servers with different purposes, and there are different DNS record types, each with its own purpose and use.
DNS is mainly unencrypted. However, there are now some solutions for encrypting DNS queries.
DNS can be used to enumerate new attack vectors such as other subdomains or IP addresses. Attacks like zone transfer can also be tried.
Tools like dnsenum can be used to automate the enumeration of a DNS server.
#Zone transfer using dig
dig axfr <Domain-Name> @<IP-Address>
#Subdomain enum using dnsenum
dnsenum --dnsserver <IP-Address> --enum -p 0 -s 0 -o <Output-File> -f <Bruteforcing-Wordlist> <Domain-Name>
Simple Mail Transfer Protocol (SMTP)
The Simple Mail Transfer Protocol (SMTP) is a protocol for sending emails in an IP network. It can be used between an email client and an outgoing mail server or between two SMTP servers. SMTP is often combined with the IMAP or POP3 protocols, which can fetch emails and send emails.
SMTP works unencrypted without further measures and transmits all commands, data, and authentication information in plain text. To address the issues this causes, ESMTP, which supports TLS, was developed.
#To enumerate users on an SMTP server
smtp-user-enum -M VRFY -U <Users-Word-List> -t <Server-IP-Address>
Internet Message Access Protocol (IMAP) & Post Office Protocol (POP3)
IMAP is a network protocol for the online management of emails on a remote server. The protocol is client-server-based and allows synchronization of a local email client with the mailbox on the server, providing a kind of network file system for emails.
POP3, on the other hand, does not have the same functionality as IMAP, and it only provides listing, retrieving, and deleting emails as functions at the email server.
#To interact with a POP3 server
openssl s_client -connect <IP-Address>:pop3s
#To interact with an IMAP server
openssl s_client -connect <IP-Address>:imaps
#SNMP (see the SNMP section below): brute-force the community string with a wordlist
onesixtyone -c /opt/useful/seclists/Discovery/SNMP/snmp.txt <IP-Address>
#After finding a community string (here "backup"), walk the SNMP tree
snmpwalk -v2c -c backup 10.129.203.179
#IMAP Commands
1 LOGIN <Username> <Password> #Login as User
1 LIST "" * #Lists all the directories
1 SELECT <Directory-Name> #Selects a directory so that its messages can be accessed
1 FETCH <ID> all #Displays the data of the message
1 FETCH <ID> (UID RFC822.SIZE BODY.PEEK[]) #Displays the body of the message
#POP3 Commands
USER <Username> #Set the user
PASS <Password> #Login for the set user
LIST #Lists the number and size of all emails
RETR <ID> #Retrieve the email with the ID specified
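The POP3 commands above as a complete exchange, added here as an example (not from the original notes): a small client that handles the +OK/-ERR status line, dot-terminated multi-line replies and dot-stuffing, driven offline by a constructed canned server transcript. `CANNED_SERVER`, `demo_session` and the credentials are all made up; against a real server the same class would be given a socket's makefile('rb') and makefile('wb').

```python
import io

class Pop3Client:
    """Speaks the USER/PASS/LIST/RETR commands above over any pair of binary file objects."""
    def __init__(self, rfile, wfile):
        self.rfile, self.wfile = rfile, wfile
        self.transcript = []               # ("S"/"C", line) for both directions
        self._expect_ok(self._readline())  # greeting, e.g. "+OK POP3 ready"
    def _readline(self):
        if not (raw := self.rfile.readline()):
            raise ConnectionError("server closed the connection")
        line = raw.rstrip(b"\r\n").decode("latin-1")
        self.transcript.append(("S", line))
        return line
    def _send(self, cmd):
        self.wfile.write(cmd.encode("latin-1") + b"\r\n")
        # keep the clear-text password out of the session log
        self.transcript.append(("C", "PASS ****" if cmd.startswith("PASS ") else cmd))
    @staticmethod
    def _expect_ok(line):
        if not line.startswith("+OK"):
            raise ValueError(line)         # server replied "-ERR ..."
        return line
    def _read_multiline(self):
        # a multi-line reply ends with a lone "."; a leading ".." is an escaped "."
        lines = []
        while (line := self._readline()) != ".":
            lines.append(line[1:] if line.startswith(".") else line)
        return lines
    def command(self, cmd, multiline=False):
        self._send(cmd)
        status = self._expect_ok(self._readline())
        return self._read_multiline() if multiline else status
    def login(self, user, password):
        self.command(f"USER {user}")
        return self.command(f"PASS {password}")
    def list_messages(self):  # LIST -> {message number: size in octets}
        return {int(n): int(size) for n, size in
                (entry.split() for entry in self.command("LIST", multiline=True))}
    def retr(self, msg_id):
        return "\r\n".join(self.command(f"RETR {msg_id}", multiline=True))

# Constructed server half of one session (greeting, USER, PASS, LIST, RETR 2), in order.
CANNED_SERVER = (b"+OK POP3 ready\r\n+OK\r\n+OK Logged in.\r\n"
                 b"+OK 2 messages:\r\n1 120\r\n2 58\r\n.\r\n"
                 b"+OK 58 octets\r\nSubject: hi\r\n\r\n..dot-stuffed line\r\n.\r\n")

def demo_session():
    client = Pop3Client(io.BytesIO(CANNED_SERVER), io.BytesIO())
    client.login("alice", "secret")       # constructed credentials
    return client.list_messages(), client.retr(2), client.transcript
```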
Simple Network Management Protocol (SNMP)
Simple Network Management Protocol (SNMP) was created to monitor network devices. In addition, this protocol can also be used to handle configuration tasks and change settings remotely.
For the SNMP client and server to exchange the respective values, the available SNMP objects must have unique addresses known on both sides.
To ensure that SNMP access works across manufacturers and with different client-server combinations, the Management Information Base (MIB) was created. MIB is an independent format for storing device information. A MIB is a text file in which all queryable SNMP objects of a device are listed in a standardized tree hierarchy.
An OID represents a node in a hierarchical namespace. A sequence of numbers uniquely identifies each node, allowing the node's position in the tree to be determined. The longer the chain, the more specific the information. Many nodes in the OID tree contain nothing except references to those below them.
SNMPv1 has no built-in authentication mechanism, meaning anyone accessing the network can read and modify network data. Another main flaw of SNMPv1 is that it does not support encryption, meaning that all data is sent in plain text and can be easily intercepted.
Regarding security, SNMPv2 is on par with SNMPv1 and has been extended with additional functions from the party-based SNMP no longer in use.
The security has been increased enormously for SNMPv3 by security features such as authentication using username and password and transmission encryption (via pre-shared key) of the data.
For footprinting SNMP, we can use tools like snmpwalk, onesixtyone, and braa. Snmpwalk is used to query the OIDs with their information. Onesixtyone can be used to brute-force the names of the community strings since they can be named arbitrarily by the administrator.
snmpwalk -v2c -c public <IP-Address> #Walk the OID tree with the community string "public"
onesixtyone -c <Community-Wordlist> <IP-Address> #Brute-force the community string from a wordlist
MySQL
MySQL is an open-source SQL relational database management system developed and supported by Oracle.
#MySQL connection
mysql -u <Username> -p<Password> -h <IP-Address>
#MySQL Syntax
show databases; #List databases
use <Database>; #Use database
show tables; #List the tables of the used database
show columns from <Table>; #List the columns from the table specified
select * from <Table>; #List everything in the table
select * from <Table> where <Column> = '<String>'; #Filter on a specific column
Microsoft SQL (MSSQL)
Microsoft SQL (MSSQL) is Microsoft's SQL-based relational database management system which is closed source and was initially written to run on Windows operating systems.
MSSQL has default system databases, such as master, that can help us understand the structure of all the databases that may be hosted on a target server.
#Connects to a MSSQL server
python3 mssqlclient.py <Username>@<IP-Address> -windows-auth
#List the databases in the server
select name from sys.databases
Oracle TNS
The Oracle Transparent Network Substrate (TNS) server is a communication protocol that facilitates communication between Oracle databases and applications over networks.
Each database or service has a unique entry in the tnsnames.ora file, containing the necessary information for clients to connect to the service.
Oracle Database Attacking Tool (ODAT) is an open-source penetration testing tool written in Python and designed to enumerate and exploit vulnerabilities in Oracle databases.
In Oracle RDBMS, a System Identifier (SID) is a unique name that identifies a particular database instance. A database can have multiple instances, each with its own SID.
#To scan an Oracle TNS using odat
./odat.py all -s <Host>
#To connect to a database
sqlplus <Username>/<Password>@<IP-Address>/<SID>
Intelligent Platform Management Interface (IPMI)
Intelligent Platform Management Interface (IPMI) is a set of standardized specifications for hardware-based host management systems used for system management and monitoring.
It acts as an autonomous subsystem and works independently of the host's BIOS, CPU, firmware, and underlying operating system.
During internal penetration tests, we often find Baseboard Management Controllers (BMCs) where the administrators have not changed the default password.
Linux Remote Management Protocols
SSH
Secure Shell (SSH) enables two computers to establish an encrypted and direct connection within a possibly insecure network on the standard port TCP 22.
One of the tools we can use to fingerprint an SSH server is ssh-audit.
Rsync
Rsync is a fast and efficient tool for locally and remotely copying files. It can be used to copy files locally on a given machine and to/from remote hosts.
R-Services
R-Services are a suite of services hosted to enable remote access or issue commands between Unix hosts over TCP/IP.
R-services were the de facto standard for remote access between Unix operating systems until they were replaced by the Secure Shell (SSH) protocols and commands due to inherent security flaws built into them.
Windows Remote Management Protocols
Remote Desktop Protocol (RDP)
The Remote Desktop Protocol (RDP) is a protocol developed by Microsoft for remote access to a computer running the Windows operating system.
RDP-Sec-Check is a script that can be used to test for RDP security misconfigurations.
Even though RDP is mainly a Windows protocol, tools like xfreerdp, rdesktop, or Remmina can be used on Linux to interact with RDP.
Windows Remote Management (WinRM)
Windows Remote Management (WinRM) is a simple, command-line-based remote management protocol integrated into Windows.
Evil-winrm is a tool that can be used to test WinRM.
Windows Management Instrumentation (WMI)
Windows Management Instrumentation (WMI) is Microsoft's implementation and also an extension of the Common Information Model (CIM), core functionality of the standardized Web-Based Enterprise Management (WBEM) for the Windows platform.
WMI allows read and write access to almost all settings on Windows systems.
wmiexec.py from the Impacket toolkit can be used for testing this protocol.