## Methodology Checklist

- Run Nmap full port scan: `nmap -p- -sV -sC -oA scan [TARGET]`
- Enumerate each discovered service using protocol-specific commands
- Check all default credentials for discovered services
- Attempt anonymous/null session access on SMB, FTP, LDAP
- Enumerate DNS for zone transfers and subdomain brute-force
- Check SNMP community strings: `onesixtyone -c /opt/useful/seclists/Discovery/SNMP/snmp.txt [TARGET]`
- Scan UDP ports for SNMP/IPMI/TFTP: `nmap -sU --top-ports 100 [TARGET]`
- Compile all service versions for CVE research
## Operational Context

Think Dumber First: This cheatsheet is your engagement launch pad. Run the nmap strategy phases in sequence. Never skip the UDP scan: SNMP on 161 and IPMI on 623 are frequently the keys to full compromise. For each service found, cross-reference with the relevant protocol-specific note.

When you land here: Starting a new target. Phase 1: host discovery. Phase 2: full TCP. Phase 3: UDP key ports. Phase 4: service-specific scripts. Then protocol-specific enumeration of each discovered service.
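The last checklist step (compile all service versions for CVE research) and the triage priority from the troubleshooting table (database services, then file shares, remote management, web apps, other) can both be driven from the XML that `-oA` writes. The following is an added example, not part of the original cheatsheet: it parses nmap XML into a service inventory, orders confirmed services by that priority, and keeps `open|filtered` ports (the UDP case from the troubleshooting table) separate as unconfirmed so they are rescanned rather than reported as findings. The service-name-to-category table is this example's own assumption keyed on nmap's service names, and the scan XML is a constructed sample, not a real scan.

```python
"""Compile a service inventory from nmap XML (-oX, or the .xml file from -oA).

Added example; not part of the original cheatsheet. The category table is an
assumption for the example, keyed on nmap's own service names.
"""
import xml.etree.ElementTree as ET

# Triage order taken from the cheatsheet's "Too many services found" row.
CATEGORY_ORDER = ["database", "file-share", "remote-mgmt", "web", "other"]

# Assumed mapping of nmap service names to triage categories.
SERVICE_CATEGORY = {
    "mysql": "database", "ms-sql-s": "database", "oracle-tns": "database",
    "postgresql": "database",
    "ftp": "file-share", "microsoft-ds": "file-share", "netbios-ssn": "file-share",
    "nfs": "file-share", "rsync": "file-share",
    "ssh": "remote-mgmt", "ms-wbt-server": "remote-mgmt", "wsman": "remote-mgmt",
    "snmp": "remote-mgmt", "asf-rmcp": "remote-mgmt",
    "http": "web", "https": "web", "http-proxy": "web", "http-alt": "web",
}

# Constructed sample in the shape of nmap -oX output (not a real scan result).
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -sC -oA scan 10.0.0.5">
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="8.2p1" extrainfo="Ubuntu" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.4.41" method="probed" conf="10"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
<service name="microsoft-ds" method="table" conf="3"/></port>
<port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/>
<service name="mysql" product="MySQL" version="5.7.40" method="probed" conf="10"/></port>
<port protocol="tcp" portid="8443"><state state="closed" reason="reset"/>
<service name="https-alt" method="table" conf="3"/></port>
<port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/>
<service name="snmp" method="table" conf="3"/></port>
</ports></host></nmaprun>
"""


def parse_services(xml_text):
    """Return (confirmed, unconfirmed): open ports sorted by triage priority,
    and open|filtered ports that still need a confirmation scan."""
    confirmed, unconfirmed = [], []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state").get("state")
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            rec = {
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": name,
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
                "category": SERVICE_CATEGORY.get(name, "other"),
                "state": state,
            }
            if state == "open":
                confirmed.append(rec)
            elif "open" in state and "filtered" in state:
                unconfirmed.append(rec)  # no response: not a finding yet
    confirmed.sort(key=lambda r: (CATEGORY_ORDER.index(r["category"]), r["host"], r["port"]))
    return confirmed, unconfirmed


def cve_research_lines(records):
    """Deduplicated 'product version' strings for the CVE research step."""
    seen = []
    for r in records:
        if r["product"]:
            line = f'{r["product"]} {r["version"]}'.strip()
            if line not in seen:
                seen.append(line)
    return seen


if __name__ == "__main__":
    found, maybe = parse_services(SAMPLE_NMAP_XML)
    for r in found:
        print(f'{r["category"]:12} {r["host"]}:{r["port"]}/{r["proto"]} '
              f'{r["service"]} {r["product"]} {r["version"]}'.rstrip())
    for r in maybe:
        print(f'unconfirmed  {r["host"]}:{r["port"]}/{r["proto"]} {r["service"]} '
              f'(state {r["state"]}); rescan before reporting')
    print("CVE research:", cve_research_lines(found))
```

Run it against the `scan.xml` that `-oA scan` produces by replacing the sample string with the file contents; closed ports are dropped, and the unconfirmed list is the input to the confirmation scan from the troubleshooting table.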
## Tactical Cheatsheet

| Command | Tactical Outcome |
|---|---|
| `curl -s "https://crt.sh/?q=[DOMAIN]&output=json" \| jq . \| grep name \| cut -d":" -f2 \| grep -v "CN=" \| cut -d'"' -f2 \| awk '{gsub(/\\n/,"\n");}1;' \| sort -u` | Extract subdomains from CT logs |
| `for sub in $(cat subdomains.txt); do host $sub; done` | Resolve subdomain list to IPs |
| `for i in $(cat ip-addresses.txt); do shodan host $i; done` | Shodan passive scan on IP list |
| `dig ns [DOMAIN] @[TARGET_IP]` | Identify authoritative nameservers |
| `dig axfr [DOMAIN] @[TARGET_IP]` | Attempt zone transfer |
| `dig CH TXT version.bind @[TARGET_IP]` | Query Bind DNS server version |
| `for sub in $(cat [WORDLIST]); do dig $sub.[DOMAIN] @[TARGET_IP] \| grep -Ev ';\|SOA' \| sed -r '/^\s*$/d' \| grep $sub \| tee -a found_subdomains.txt; done` | Subdomain brute-force |
| `dnsenum --dnsserver [TARGET_IP] --enum -p 0 -s 0 -o subdomains.txt -f [WORDLIST] [DOMAIN]` | Automated DNS enumeration |
| `site:amazonaws.com intext:"[COMPANY]"` | Google dork: AWS S3 buckets |
| `site:blob.core.windows.net intext:"[COMPANY]"` | Google dork: Azure blobs |
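The crt.sh pipeline in the first row is fragile: `grep name` matches `issuer_name` as well as `name_value` (which is why `grep -v "CN="` is needed), one certificate can carry several names joined by literal `\n`, and wildcard and foreign-domain SAN entries come through unfiltered. The following is an added example, not part of the original cheatsheet, showing the same extraction done against the JSON directly so the result is a clean, in-scope list of hostnames for the next row's resolution step. The JSON is a constructed sample in the shape crt.sh returns, not real CT data.

```python
"""Extract unique in-scope subdomains from crt.sh JSON output.

Added example; not part of the original cheatsheet. Replaces the
curl | jq | grep | cut | awk pipeline with a JSON-aware version.
"""
import json

# Constructed sample mimicking the crt.sh JSON shape (not real CT log data).
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\napi.dev.example.com"},
    {"issuer_name": "CN=Example Internal CA",
     "common_name": "mail.example.com",
     # duplicate name plus a SAN for an unrelated domain
     "name_value": "mail.example.com\nwww.example.com\ncdn.example.net"},
])


def extract_subdomains(crtsh_json, domain):
    """Return sorted unique hostnames under `domain` found in crt.sh records.

    - splits multi-name name_value fields on the embedded newline
    - strips the '*.' of wildcard entries so the base name is kept
    - drops names outside the target domain (SANs for other domains)
    """
    domain = domain.lower().strip(".")
    names = set()
    for rec in json.loads(crtsh_json):
        for raw in rec.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return sorted(names)


if __name__ == "__main__":
    # With a live query: crtsh_json = urllib.request.urlopen(
    #   "https://crt.sh/?q=example.com&output=json").read().decode()
    for host in extract_subdomains(SAMPLE_CRTSH_JSON, "example.com"):
        print(host)
```

The output feeds straight into the `host` loop in the next row; CT logs also list names from expired certificates, so unresolvable entries are expected and are not themselves a finding.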
| Command | Tactical Outcome |
|---|---|
| `sudo nmap -p- --min-rate 1000 -T4 [TARGET_IP] -oN all_ports.nmap` | Fast full TCP scan |
| `sudo nmap -sV -sC -p [PORTS] [TARGET_IP] -oA detailed_scan` | Detailed scan on open ports |
| `sudo nmap -sU -p 161 [TARGET_IP]` | UDP scan for SNMP |

| Command | Tactical Outcome |
|---|---|
| `sudo nmap -sV -p21 -sC -A [TARGET_IP]` | FTP vulnerability scan |
| `openssl s_client -connect [TARGET_IP]:21 -starttls ftp` | FTP SSL cert grab |
| `wget -m --no-passive ftp://anonymous:anonymous@[TARGET_IP]` | Recursive FTP download |
| `smbclient -N -L //[TARGET_IP]` | List SMB shares (null session) |
| `smbclient //[TARGET_IP]/[SHARE] -U [USER]` | Connect to SMB share |
| `smbmap -H [TARGET_IP]` | Map SMB share permissions |
| `nxc smb [TARGET_IP] --shares -u '[USER]' -p '[PASS]'` | NXC SMB enumeration |
| `./enum4linux-ng.py [TARGET_IP] -A` | Full SMB/RPC automated enum |
| `rpcclient -U "" [TARGET_IP]` | RPC null session |
| `showmount -e [TARGET_IP]` | List NFS exports |
| `sudo mount -t nfs [TARGET_IP]:[PATH] [LOCAL] -o nolock` | Mount NFS share |
| `sudo useradd -u [UID] [USER] && sudo su - [USER]` | UID impersonation for NFS |

| Command | Tactical Outcome |
|---|---|
| `smtp-user-enum -M VRFY -U [WORDLIST] -t [TARGET_IP] -w 20` | SMTP user enumeration |
| `sudo nmap [TARGET_IP] -p25 --script smtp-open-relay -v` | Open relay check |
| `openssl s_client -connect [TARGET_IP]:993` | Connect to IMAPS |
| `curl -k 'imaps://[TARGET_IP]' --user [USER]:[PASS] -v` | List IMAP mailboxes |

| Command | Tactical Outcome |
|---|---|
| `onesixtyone -c snmp.txt [TARGET_IP]` | SNMP community string brute-force |
| `snmpwalk -v 2c -c [STRING] [TARGET_IP] 1.3.6.1` | Full SNMP tree dump |
| `snmpwalk -v 2c -c [STRING] [TARGET_IP] 1.3.6.1.2.1.25.4.2.1.4` | Running process args (cred leak) |
| `mysql -u [USER] -p[PASS] -h [TARGET_IP]` | MySQL connect |
| `sudo nmap --script ms-sql-info,ms-sql-ntlm-info -p1433 [TARGET_IP]` | MSSQL info scan |
| `impacket-mssqlclient [USER]:[PASS]@[TARGET_IP] -windows-auth` | MSSQL connect |
| `sudo nmap -p1521 --script oracle-sid-brute [TARGET_IP]` | Oracle SID brute-force |
| `./odat.py all -s [TARGET_IP] -d [SID]` | ODAT Oracle scan |
| `sqlplus [USER]/[PASS]@[TARGET_IP]/[SID] as sysdba` | Oracle SYSDBA connect |
| `sudo nmap -sU --script ipmi-version -p623 [TARGET_IP]` | IPMI version detection |
| `hashcat -m 7300 ipmi_hashes.txt [WORDLIST]` | Crack IPMI RAKP hashes |

| Command | Tactical Outcome |
|---|---|
| `./ssh-audit.py [TARGET_IP]` | SSH algorithm weakness analysis |
| `nc -nv [TARGET_IP] 873` | List Rsync modules |
| `rsync -av rsync://[TARGET_IP]/[SHARE] ./local_copy` | Download Rsync share |
| `./rdp-sec-check.pl [TARGET_IP]` | RDP security check |
| `xfreerdp3 /u:[USER] /p:"[PASS]" /v:[TARGET_IP]` | RDP connect from Linux |
| `evil-winrm -i [TARGET_IP] -u [USER] -p '[PASS]'` | WinRM PowerShell shell |
| `wmiexec.py [USER]:"[PASS]"@[TARGET_IP] "[CMD]"` | WMI command execution |
## Deep Dive & Workflow

- Infrastructure Scanning
- File & Network Sharing
- Email & Communications
- Databases & Management
- Remote Management
## Troubleshooting & Edge Cases

| Problem | Cause | Fix |
|---|---|---|
| Phase 2 full TCP scan misses ports found manually | Rate too high for this target | Run confirmation scan on missed ports: `nmap -p [PORTS] -sV --max-retries 5 [TARGET_IP]` |
| UDP Phase 3 returns all "open\|filtered" | ICMP unreachables blocked | |
| Phase 4 scripts all timeout | Target has network-level protection | Add `--script-timeout 30s`; test scripts individually on specific ports |
| Cheatsheet commands work in lab but not engagement | Environment-specific differences (firewall, VPN) | Adjust flags per environment; document any tool failures in methodology notes |
| Too many services found to enumerate in time | Large attack surface | Priority: database services → file shares → remote management → web apps → other |
## Reporting Trigger

Finding Title: (Cheatsheet is an operational reference; findings documented from cheatsheet-guided enumeration become individual report entries by service type.)