Hacking Common Services
A cheat sheet and reference guide for ethically hacking common services across diverse systems.
SMB
SMBMap
smbmap -H 10.10.10.10
smbmap -H 10.10.10.10 -u victim -p password
smbclient
smbclient -L 10.10.10.10
smbclient -N -L 10.10.10.10
smbclient -U "" //10.10.10.10/anon
smbclient -U "Username" //10.10.10.10/share-name
smbclient -N //10.10.10.10/tmp --option='client min protocol=NT1'
Nmap SMB Scripts
nmap -p 445 10.10.10.10 --script smb-os-discovery.nse
nmap -p 139,445 10.10.10.10 --script smb-vuln-*
NetBIOS Enumeration
nbtscan -r 10.10.10.0/24
rpcclient
rpcclient -U "" -N 10.10.10.10
rpcclient -U "Username" 10.10.10.10
> enumdomusers
> enumalsgroups domain
> queryuser <RID>
enum4linux
enum4linux 10.10.10.10
Brute Forcing
hydra -L users.txt -P passwords.txt 10.10.10.10 smb -V
CrackMapExec
crackmapexec smb <target-ip>
crackmapexec smb <target-ip> -u 'username' -p 'password'
crackmapexec smb <target-ip> --shares
crackmapexec smb <target-ip> --sessions
crackmapexec smb <target-ip> -u 'username' -H 'hash'
# cme
cme smb TARGET -u user -p password
Impacket
impacket-smbclient user:pass@TARGET
SMTP
Netcat
nc -nv 192.168.50.8 25
VRFY root
EXPN mailinglist@example.com
PowerShell
Test-NetConnection -Port 25 -ComputerName 192.168.50.8
Manual SMTP Commands
HELO myname
VRFY user@example.com
MAIL FROM:<test@example.com>
RCPT TO:<recipient@example.com>
DATA
Subject: Test email
This is a test.
.
SNMP
snmpwalk -c public -v1 $IP
snmpwalk -c public -v1 $IP 1.3.6.1.4.1.77.1.2.25
onesixtyone -c community -i ip_list.txt
FTP
Anonymous Access
ftp <target-ip>
> anonymous
Banner Grabbing
nc <target-ip> 21
Brute Forcing
medusa -h <target-ip> -U userlist.txt -P passwordlist.txt -M ftp
Download All Files
wget -r ftp://Anonymous:pass@$IP
Nmap FTP Scripts
nmap -p 21 --script=ftp-* <target-ip>
SSH
Banner Grabbing
nc <target-ip> 22
Brute Forcing
hydra -l username -P password_list.txt ssh://<target-ip>
SSH Key Login
ssh -i id_rsa user@target-ip
SSH Tunneling
ssh -L 10000:127.0.0.1:10000 user@10.10.10.10
Crack SSH Private Key
ssh2john id_rsa > id_rsa_for_john.txt
john --wordlist=/path/to/wordlist.txt id_rsa_for_john.txt
DNS
Record Queries
dig +short @10.10.10.10 A www.example.com
host -t mx www.example.com
nslookup mail.example.com
whois example.com
Zone Transfers
dig axfr @dns-server domain.com
nslookup
> set type=AXFR
> server ns1.domain.com
> domain.com
Subdomain Enumeration
fierce -dns domain.com
sublist3r -d domain.com
amass enum -d domain.com
DNS Brute Forcing
gobuster dns -d domain.com -w /path/to/wordlist.txt
nmap --script dns-brute --script-args dns-brute.domain=domain.com
Record Types
dig mx domain.com
dig ns domain.com
dig txt domain.com
dig cname sub.domain.com
dig srv domain.com
dnsrecon
dnsrecon -d domain.com -t std
dnsrecon -d domain.com -t axfr
dnsrecon -d domain.com -t brt -D /path/to/wordlist.txt
dnsrecon -r 192.168.1.0-192.168.1.255
dnsenum
dnsenum domain.com
HTTP
Brute-Force Login (Hydra)
hydra -l user -P wordlist.txt <IP> http-post-form "/login.php:user=^USER^&pass=^PASS^:Invalid login"
Nmap HTTP Scripts
ls /usr/share/nmap/scripts/http*
nmap $IP --script=http-*