Quick Commands
FTP
| Command | Description |
| --- | --- |
| `ftp <FQDN/IP>` | Interact with the FTP service on the target. |
| `nc -nv <FQDN/IP> 21` | Interact with the FTP service on the target. |
| `telnet <FQDN/IP> 21` | Interact with the FTP service on the target. |
| `openssl s_client -connect <FQDN/IP>:21 -starttls ftp` | Interact with the FTP service on the target over an encrypted (TLS) connection. |
| `wget -m --no-passive ftp://anonymous:anonymous@` | Download all available files from the target FTP server. |
SMB
| Command | Description |
| --- | --- |
| `smbclient -N -L //<FQDN/IP>` | Null session authentication on SMB. |
| `smbclient //<FQDN/IP>/` | Connect to a specific SMB share. |
| `rpcclient -U "" <FQDN/IP>` | Interact with the target using RPC. |
| `samrdump.py <FQDN/IP>` | Username enumeration using Impacket scripts. |
| `smbmap -H <FQDN/IP>` | Enumerate SMB shares. |
| `crackmapexec smb <FQDN/IP> --shares -u '' -p ''` | Enumerate SMB shares using null session authentication. |
| `enum4linux-ng.py <FQDN/IP> -A` | SMB enumeration using enum4linux-ng. |
NFS
| Command | Description |
| --- | --- |
| `showmount -e <FQDN/IP>` | Show available NFS shares. |
| `mount -t nfs <FQDN/IP>:/ ./target-NFS/ -o nolock` | Mount the specific NFS share. |
| `umount ./target-NFS` | Unmount the specific NFS share. |
DNS
| Command | Description |
| --- | --- |
| `dig ns <domain.tld> @` | NS request to the specific nameserver. |
| `dig any <domain.tld> @` | ANY request to the specific nameserver. |
| `dig axfr <domain.tld> @` | AXFR (zone transfer) request to the specific nameserver. |
| `dnsenum --dnsserver --enum -p 0 -s 0 -o found_subdomains.txt -f ~/subdomains.list <domain.tld>` | Subdomain enumeration with dnsenum using a wordlist, writing results to found_subdomains.txt. |
SMTP
| Command | Description |
| --- | --- |
| `telnet <FQDN/IP> 25` | Interact with the SMTP service on the target. |
IMAP/POP3
| Command | Description |
| --- | --- |
| `curl -k 'imaps://<FQDN/IP>' --user :` | Log in to the IMAPS service using cURL. |
| `openssl s_client -connect <FQDN/IP>:imaps` | Connect to the IMAPS service. |
| `openssl s_client -connect <FQDN/IP>:pop3s` | Connect to the POP3S service. |
SNMP
| Command | Description |
| --- | --- |
| `snmpwalk -v2c -c <FQDN/IP>` | Query OIDs using snmpwalk. |
| `onesixtyone -c community-strings.list <FQDN/IP>` | Brute-force community strings of the SNMP service. |
| `braa @<FQDN/IP>:.1.*` | Brute-force SNMP service OIDs. |
MySQL
| Command | Description |
| --- | --- |
| `mysql -u -p -h <FQDN/IP>` | Log in to the MySQL server. |
MSSQL
| Command | Description |
| --- | --- |
| `mssqlclient.py @<FQDN/IP> -windows-auth` | Log in to the MSSQL server using Windows authentication. |
IPMI
| Command | Description |
| --- | --- |
| `msf6 auxiliary(scanner/ipmi/ipmi_version)` | IPMI version detection. |
| `msf6 auxiliary(scanner/ipmi/ipmi_dumphashes)` | Dump IPMI hashes. |
Linux Remote Management
| Command | Description |
| --- | --- |
| `ssh-audit.py <FQDN/IP>` | Remote security audit against the target SSH service. |
| `ssh @<FQDN/IP>` | Log in to the SSH server using the SSH client. |
| `ssh -i private.key @<FQDN/IP>` | Log in to the SSH server using a private key. |
| `ssh @<FQDN/IP> -o PreferredAuthentications=password` | Enforce password-based authentication. |
Windows Remote Management
| Command | Description |
| --- | --- |
| `rdp-sec-check.pl <FQDN/IP>` | Check the security settings of the RDP service. |
| `xfreerdp /u: /p:"" /v:<FQDN/IP>` | Log in to the RDP server from Linux. |
| `evil-winrm -i <FQDN/IP> -u -p` | Log in to the WinRM server. |
| `wmiexec.py :""@<FQDN/IP> ""` | Execute a command using the WMI service. |
Oracle TNS
| Command | Description |
| --- | --- |
| `./odat.py all -s <FQDN/IP>` | Perform a variety of scans to gather information about the Oracle database services and their components. |
| `sqlplus /@<FQDN/IP>/` | Log in to the Oracle database. |
| `./odat.py utlfile -s <FQDN/IP> -d -U -P --sysdba --putFile C:\insert\path file.txt ./file.txt` | Upload a file with Oracle RDBMS. |