
Enumeration

Network Based Enumeration

If the host drops ICMP echo (the default on Windows and on many firewalled boxes), nmap's host discovery marks it down and skips it; add -Pn to every scan so discovery is bypassed and the ports are probed anyway

Basic scan

nmap $TARGET_IP

Service version detection

nmap -sV $TARGET_IP

List available nmap scripts

ls /usr/share/nmap/scripts
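Added example (not from the page): a two-stage scan wrapper in bash. `open_ports_from_grepable` parses nmap's grepable (-oG) output and `staged_scan` sweeps all TCP ports first, then runs -sV -sC only on the ports that came back open, passing -Pn through when the host drops pings. The sample grepable output and the --min-rate value are constructed/assumed; $TARGET_IP is the page's own variable.

```bash
#!/usr/bin/env bash
# Two-stage nmap: fast sweep of all TCP ports in grepable output, then
# version detection (-sV) and default scripts (-sC) only on the open ones.
# Added example, not from the page.

# Parse nmap grepable output (-oG) on stdin and print the open TCP ports
# as a comma-separated list, e.g. "22,80,445". Filtered/closed ports are
# dropped so stage two does not waste probes on them. Meant for one host.
open_ports_from_grepable() {
    grep '^Host:' | grep 'Ports:' \
      | sed 's/.*Ports: //; s/[[:space:]]*Ignored State.*//' \
      | tr ',' '\n' \
      | sed 's/^[[:space:]]*//' \
      | awk -F/ '$2 == "open" { print $1 }' \
      | sort -un \
      | paste -s -d ',' -
}

# Run both stages against one host. Extra arguments are passed through to
# both nmap calls; use -Pn when the host drops ICMP.
#   staged_scan "$TARGET_IP"
#   staged_scan "$TARGET_IP" -Pn
staged_scan() {
    target=$1
    shift
    # Stage 1: every TCP port, no version probes, grepable output on stdout.
    # --min-rate 1000 is an assumed value; lower it on fragile links.
    ports=$(nmap "$@" -p- --min-rate 1000 -oG - "$target" | open_ports_from_grepable)
    if [ -z "$ports" ]; then
        echo "no open TCP ports reported for $target (host down, or try -Pn?)" >&2
        return 1
    fi
    echo "open ports: $ports" >&2
    # Stage 2: versions and default scripts on just those ports, saved to a file.
    nmap "$@" -sV -sC -p "$ports" -oN "nmap_sv_$target.txt" "$target"
}

# Constructed sample of grepable output (one host, three open ports, one
# filtered) so the parser can be exercised without a live target.
SAMPLE_GREPABLE=$(printf 'Host: 10.1.1.1 ()\tStatus: Up\nHost: 10.1.1.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (996)\n')
printf '%s\n' "$SAMPLE_GREPABLE" | open_ports_from_grepable   # 22,80,445
```

The sweep deliberately skips -sV: version probes against 65535 ports are what makes a full scan slow, and they only add value on ports that are actually open.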

SMB Enumeration

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse $TARGET_IP

HTTP Enumeration

Gobuster

gobuster dir -u http://$TARGET_IP/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
Nikto - TODO

Check:

  • sitemap.xml
  • robots.txt
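Added example (not from the page): robots.txt is a list of paths the owner does not want indexed, which makes it a targeted wordlist for gobuster. `robots_paths` turns the file into one path per line, `robots_sitemaps` pulls out Sitemap: URLs, and `robots_wordlist` fetches and converts in one go. curl, the hypothetical example.test host and the sample robots.txt are assumptions; http://$TARGET_IP/ follows the gobuster line above.

```bash
#!/usr/bin/env bash
# robots.txt -> wordlist for gobuster/ffuf. Added example, not from the page.

# Read robots.txt text on stdin; print each Allow/Disallow path once, one per
# line, without the leading slash and with wildcard tails ("*", "?", "$")
# trimmed back to the directory they sit under. "Disallow: /" (everything)
# is dropped since it carries no path information.
robots_paths() {
    tr -d '\r' \
      | sed 's/#.*//; s/[[:space:]]*$//' \
      | awk -F': *' 'tolower($1) ~ /^(dis)?allow$/ && $2 != "" { print $2 }' \
      | sed 's#^/##; s#[?*$].*##; s#/$##' \
      | awk 'NF && !seen[$0]++'
}

# Print Sitemap: URLs; sitemap.xml often lists far more than robots.txt does.
robots_sitemaps() {
    tr -d '\r' | sed 's/#.*//' | awk 'tolower($1) == "sitemap:" { print $2 }'
}

# Fetch robots.txt from a base URL and emit the path wordlist:
#   robots_wordlist "http://$TARGET_IP" > robots_paths.txt
#   gobuster dir -u http://$TARGET_IP/ -w robots_paths.txt
robots_wordlist() {
    curl -fsS "${1%/}/robots.txt" | robots_paths
}

# Constructed robots.txt (CRLF endings, a comment, wildcards, a duplicate)
# for a dry run without a target.
SAMPLE_ROBOTS=$(printf 'User-agent: *\r\nDisallow: /admin/\r\nDisallow: /backup/*.zip\r\nAllow: /public/\r\nDisallow: /\r\nDisallow: /cgi-bin/ # legacy\r\nDisallow: /admin/\r\nSitemap: http://example.test/sitemap.xml\r\n')
printf '%s\n' "$SAMPLE_ROBOTS" | robots_paths      # admin, backup, public, cgi-bin
printf '%s\n' "$SAMPLE_ROBOTS" | robots_sitemaps   # http://example.test/sitemap.xml
```

Allow: lines are kept on purpose: they name paths that exist just as reliably as Disallow: lines do.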

SMTP Enumeration

smtp-user-enum -M VRFY -U users.txt -t $TARGET_IP
smtp-user-enum -M VRFY -u bob -t $TARGET_IP
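Added example (not from the page): a manual VRFY in bash over /dev/tcp, with a classifier for the reply codes. The point is the 252 case: a server with verification disabled answers 252 to every name, so a run in which every user "exists" is no signal at all and the RCPT or EXPN modes of smtp-user-enum are the next step. The HELO name enum.local and the sample reply lines are constructed.

```bash
#!/usr/bin/env bash
# Manual SMTP VRFY and reply classification. Added example, not from the page.

# Map one SMTP reply line to a verdict on the user.
classify_vrfy() {
    case "$1" in
        250*|251*)      echo exists ;;      # 251: not local, server would forward
        252*)           echo unverified ;;  # cannot VRFY, would accept mail anyway: no signal
        550*|551*|553*) echo unknown ;;     # no such mailbox / name not allowed
        5*)             echo error ;;       # 500/502: VRFY disabled or not implemented
        *)              echo unexpected ;;
    esac
}

# VRFY one user: vrfy_user HOST USER [PORT]. Prints "user<TAB>verdict<TAB>raw reply".
# One connection per name, which is what smtp-user-enum does as well.
vrfy_user() {
    host=$1; user=$2; port=${3:-25}
    exec 3<>"/dev/tcp/$host/$port" || return 2
    IFS= read -r -t 10 banner <&3                 # 220 greeting
    printf 'HELO enum.local\r\n' >&3              # assumed client name
    IFS= read -r -t 10 helo_reply <&3             # 250 reply to HELO
    printf 'VRFY %s\r\n' "$user" >&3
    IFS= read -r -t 10 reply <&3
    printf 'QUIT\r\n' >&3
    exec 3>&-
    printf '%s\t%s\t%s\n' "$user" "$(classify_vrfy "$reply")" "$reply"
}

# Loop over a users file: vrfy_users "$TARGET_IP" users.txt [PORT]
# If every line comes back "unverified", VRFY is disabled: switch to
# smtp-user-enum -M RCPT or -M EXPN instead of reading the list as hits.
vrfy_users() {
    while IFS= read -r u; do
        [ -n "$u" ] && vrfy_user "$1" "$u" "${3:-25}"
    done < "$2"
}

# Constructed replies in the style of a Postfix server, for a dry run:
classify_vrfy '250 2.1.5 bob <bob@mail.example>'                             # exists
classify_vrfy '252 2.5.2 Cannot VRFY user, but will accept message'          # unverified
classify_vrfy '550 5.1.1 <alice>: Recipient address rejected: User unknown'  # unknown
```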

Linux Enumeration

Automated

My favourite: LinPEAS
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS

LinEnum

wget https://github.com/rebootuser/LinEnum/raw/master/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh

SUID3NUM - find SUID files and match them against GTFOBins

wget https://github.com/Anon-Exploiter/SUID3NUM/raw/master/suid3num.py
python3 suid3num.py
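Added example (not SUID3NUM's or LinEnum's own code): a SUID/SGID hunt with a baseline. `find_suid` lists every setuid/setgid file with its owner, and `unusual_suid` drops the ones whose name is on a short allow-list of binaries that are setuid on a stock Debian/Ubuntu install, so what is left (a custom binary, an odd path, a GTFOBins entry that is not normally SUID) is what to look at first. The baseline is a constructed, deliberately short list and needs trimming or extending per distribution; GNU stat is assumed.

```bash
#!/usr/bin/env bash
# SUID/SGID enumeration against a baseline. Added example, not from the page.

# Binaries that are setuid/setgid by default on a stock Debian/Ubuntu box.
# Constructed and incomplete; adjust for the target's distribution.
SUID_BASELINE='passwd
chsh
chfn
gpasswd
newgrp
su
sudo
mount
umount
ping
pkexec
fusermount
ssh-keysign
dbus-daemon-launch-helper
chage
expiry
wall
write'

# Print "perms owner path" for every setuid or setgid regular file under $1
# (default /). Needs GNU stat; errors from unreadable directories are silenced.
find_suid() {
    find "${1:-/}" -type f \( -perm -4000 -o -perm -2000 \) \
         -exec stat -c '%A %U %n' {} + 2>/dev/null
}

# Same list, minus anything whose basename is on the baseline. Paths with
# spaces survive because "path" is the last field read.
#   unusual_suid            # whole filesystem
#   unusual_suid /opt       # one tree
unusual_suid() {
    find_suid "$1" | while read -r perm owner path; do
        name=${path##*/}
        printf '%s\n' "$SUID_BASELINE" | grep -qx -- "$name" \
            || printf '%s %s %s\n' "$perm" "$owner" "$path"
    done
}
```

A baseline hit is not automatically safe either: a setuid `find`, `vim` or `python` is a straight GTFOBins root shell, which is exactly what SUID3NUM's cross-reference catches, and a baseline binary owned by a user other than root is worth a second look too, which is why the owner is printed.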

Windows

TODO

Subdomain Enumeration


Last update: 2021-09-01