
Enumeration

Network and service enumeration techniques for penetration testing
Table of Contents

Network Scanning

Nmap

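# Quick full-port TCP sweep. A high --min-rate trades accuracy for speed:
# on lossy links or behind rate limiting it silently misses ports, so
# re-check anything surprising with a slower pass.
nmap -p- --min-rate 10000 10.10.10.10

# Service/version detection on the ports found above
nmap -p 22,80,443 -sV 10.10.10.10

# OS detection (sends raw packets: needs root/sudo)
sudo nmap -O 10.10.10.10

# Aggressive scan (-A = -O -sV -sC --traceroute). Noisy and slow over all
# ports; needs root for the OS-detection and traceroute parts.
sudo nmap -A -p- 10.10.10.10

# Default NSE scripts plus version detection on known-open ports
nmap -sC -sV -p 22,80,443 10.10.10.10

# UDP scan of the most common ports (needs root). UDP is slow and most
# results come back "open|filtered"; add -sV to confirm the ones that matter.
sudo nmap -sU --top-ports 20 10.10.10.10

# SYN ("half-open") scan. Needs root and is already nmap's default when
# run as root; it is not stealthy against modern IDS/IPS, so do not rely
# on it for evasion.
sudo nmap -sS -p- 10.10.10.10

# All ports, fast, saving normal, grepable and XML output (-oA prefix) so
# the results can be grepped or imported by other tools later
nmap -p- --min-rate 5000 -oA nmap-full 10.10.10.10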

Masscan

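# Fast full-port scan (raw sockets: needs root). Keep --rate within what
# your link and the target network can absorb - a rate that is too high
# just loses responses. masscan only reports open ports; confirm and
# fingerprint them with nmap -sV afterwards. -oL saves the results.
sudo masscan -p1-65535 10.10.10.10 --rate=10000 -oL masscan.txt

# Specific ports across a subnet (make sure the whole range is in scope)
sudo masscan -p80,443,8080 10.10.10.0/24 --rate=1000 -oL masscan-web.txt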

Service Enumeration

HTTP/HTTPS (Port 80/443)

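# Nikto web server scan (very noisy; every request shows up in the logs).
# -o saves the report.
nikto -h http://10.10.10.10 -o nikto.txt

# WhatWeb fingerprinting: server, frameworks, CMS, headers
whatweb http://10.10.10.10

# Directory/file enumeration. -x appends extensions to each word, -o saves
# the hits for later.
gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirb/common.txt -x php,txt,html -o gobuster.txt

# Virtual-host enumeration: finds other sites served from the same IP by
# varying the Host header (this is not DNS subdomain enumeration). gobuster
# 3.2+ needs --append-domain to send "<word>.target.com" rather than the
# bare word; drop the flag on older versions.
gobuster vhost -u http://target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain

# WAF detection (not general technology detection): identifies a web
# application firewall in front of the site so you know scans may be
# filtered or blocked
wafw00f http://10.10.10.10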

SMB (Port 445)

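# List shares with a null session (-N = no password prompt)
smbclient -L //10.10.10.10 -N

# Connect to a share interactively (prompts for the password, so it stays
# out of shell history)
smbclient //10.10.10.10/share -U username

# Share permissions with credentials. A password passed with -p ends up in
# shell history and is visible in the process list to other local users;
# clear history afterwards or use a throwaway account.
smbmap -H 10.10.10.10 -u username -p password

# Recursive listing of every readable share
smbmap -H 10.10.10.10 -u username -p password -R

# enum4linux: users, groups, shares and password policy over RPC (tries a
# null session first)
enum4linux -a 10.10.10.10

# CrackMapExec share enumeration. CME is no longer maintained; its
# successor NetExec uses the same syntax:
#   nxc smb 10.10.10.10 -u username -p password --shares
crackmapexec smb 10.10.10.10 -u username -p password --shares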

FTP (Port 21)

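# Anonymous login (interactive). Servers differ in what they accept for the
# anonymous password: try "anonymous", an e-mail address, or a blank line.
ftp 10.10.10.10
# Username: anonymous
# Password: anonymous

# Nmap FTP scripts (ftp-anon, ftp-syst, ftp-bounce, vuln checks ...).
# Quote the pattern so the shell does not try to expand it against local
# files before nmap sees it.
nmap -p 21 --script "ftp-*" 10.10.10.10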

SSH (Port 22)

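# Banner grabbing: the server sends its version string before any
# authentication (-n skips DNS, -v prints connection status)
nc -nv 10.10.10.10 22

# Audit the SSH configuration: key-exchange, ciphers, MACs, host keys and
# known issues for the reported version. Note this does NOT enumerate
# users; user enumeration depends on server-specific timing/response bugs.
ssh-audit 10.10.10.10

# Nmap SSH scripts (ssh-hostkey, ssh2-enum-algos, ssh-auth-methods ...).
# Quote the glob so the shell does not expand it locally.
nmap -p 22 --script "ssh-*" 10.10.10.10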

DNS (Port 53)

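# Zone transfer (AXFR). A server that answers hands over the entire zone;
# always try it against every authoritative name server, not just one.
dig axfr @10.10.10.10 domain.com

# Reverse lookup of the target, asking its own resolver
dig -x 10.10.10.10 @10.10.10.10

# dnsrecon zone-transfer attempt (-t axfr). This is not subdomain
# enumeration: for brute force use -t brt -D <wordlist>. -n points it at
# the target's name server instead of your local resolver.
dnsrecon -d domain.com -n 10.10.10.10 -t axfr

# dnsenum: records, zone-transfer attempt and subdomain brute force,
# queried via the target's name server
dnsenum --dnsserver 10.10.10.10 domain.com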

LDAP (Port 389/636)

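# Find the base DN first: the root DSE is readable without credentials on
# most servers, so you do not have to guess "dc=domain,dc=com"
ldapsearch -x -H ldap://10.10.10.10 -s base namingcontexts

# Anonymous bind (-x = simple auth, no credentials). Active Directory
# usually rejects this, but misconfigured servers leak the whole tree.
ldapsearch -x -H ldap://10.10.10.10 -b "dc=domain,dc=com"

# Enumerate user objects (AD: objectClass=user), returning only the
# logon name so the output stays readable
ldapsearch -x -H ldap://10.10.10.10 -b "dc=domain,dc=com" "(objectClass=user)" sAMAccountName

# Authenticated bind. -W prompts for the password instead of leaving it in
# shell history (-w puts it on the command line). Use ldaps:// (636) so
# the simple-bind password is not sent in clear; set LDAPTLS_REQCERT=never
# only if the server has a self-signed certificate.
ldapsearch -x -H ldaps://10.10.10.10 -D "cn=admin,dc=domain,dc=com" -W -b "dc=domain,dc=com"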

SNMP (Port 161)

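# Brute-force SNMP v1/v2c community strings; "public" and "private" are
# the usual hits. (SNMPv3 uses real credentials and is not covered here.)
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt 10.10.10.10

# Walk the whole tree with a found community string. Try -v1 if v2c gets
# no answer; snmpbulkwalk is much faster on large trees.
snmpwalk -v2c -c public 10.10.10.10

# Windows user accounts (LanManager MIB, 1.3.6.1.4.1.77.1.2.25)
snmpwalk -v2c -c public 10.10.10.10 1.3.6.1.4.1.77.1.2.25

# Running processes (HOST-RESOURCES-MIB hrSWRunName); the sibling
# hrSWRunParameters column 1.3.6.1.2.1.25.4.2.1.5 often exposes
# command-line arguments, including passwords
snmpwalk -v2c -c public 10.10.10.10 1.3.6.1.2.1.25.4.2.1.2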

RDP (Port 3389)

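# Check that RDP answers and which security layers/encryption it supports
nmap -p 3389 --script rdp-enum-encryption 10.10.10.10

# Hostname, domain and OS build from the NLA/NTLM challenge (no credentials)
nmap -p 3389 --script rdp-ntlm-info 10.10.10.10

# Screenshot of the login screen. This NSE script is not shipped with
# nmap: install it into the scripts directory and run
# nmap --script-updatedb first; it also needs an RDP client on the
# scanning host.
nmap -p 3389 --script rdp-screenshot 10.10.10.10

# Password brute force. Check the lockout policy first (e.g.
# crackmapexec smb <dc> --pass-pol): a handful of failures per account
# can lock out real users, which is usually out of scope.
crowbar -b rdp -s 10.10.10.10/32 -u admin -C passwords.txt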

MySQL (Port 3306)

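# Connect. A bare -p prompts for the password, which keeps it out of shell
# history; do not write -ppassword on the command line.
mysql -h 10.10.10.10 -u root -p

# Nmap MySQL scripts (mysql-info, mysql-empty-password, mysql-users ...).
# Quote the glob so the shell does not expand it locally.
nmap -p 3306 --script "mysql-*" 10.10.10.10

# Enumerate databases non-interactively (still prompts for the password)
mysql -h 10.10.10.10 -u root -p -e "SHOW DATABASES;"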

MSSQL (Port 1433)

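# Connect with impacket using a SQL login. Domain accounts need
# -windows-auth:
#   impacket-mssqlclient domain/username:password@10.10.10.10 -windows-auth
impacket-mssqlclient username:password@10.10.10.10

# Nmap MSSQL scripts (ms-sql-info, ms-sql-ntlm-info, ms-sql-empty-password
# ...). Quote the glob so the shell does not expand it locally. Named
# instances may live on other ports; query the SQL Browser service with
# -sU -p 1434 to find them.
nmap -p 1433 --script "ms-sql-*" 10.10.10.10

# Enumerate with sqsh. Leaving out -P makes sqsh prompt for the password
# instead of recording it in shell history and the process list.
sqsh -S 10.10.10.10 -U username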

NFS (Port 2049)

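# List exports (asks mountd via the portmapper on port 111)
showmount -e 10.10.10.10

# Mount an export (needs root; create the mount point first). Add
# -o nfsvers=3 if the server refuses NFSv4. Access is decided by uid/gid:
# check the owner of the files and create a local user with the same uid
# if the export does not squash it.
sudo mkdir -p /mnt/nfs
sudo mount -t nfs 10.10.10.10:/share /mnt/nfs

# Nmap NFS scripts (nfs-showmount, nfs-ls, nfs-statfs) via the portmapper.
# Quote the glob so the shell does not expand it locally.
nmap -p 111 --script "nfs-*" 10.10.10.10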

Active Directory

Domain Enumeration

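# Enumerate domain users (runs on a domain-joined host from cmd or PowerShell)
net user /domain

# Enumerate domain groups
net group /domain

# Enumerate domain controllers
nltest /dclist:domain.com

# PowerView (PowerShell). Load it from the file in the current directory:
# a bare module name only resolves if PowerView is on $env:PSModulePath,
# which it never is after a plain download. Dot-sourcing (". .\PowerView.ps1")
# works too. Execution policy may need bypassing first
# (Set-ExecutionPolicy Bypass -Scope Process).
Import-Module .\PowerView.ps1
Get-NetDomain
Get-NetUser
Get-NetGroup
Get-NetComputer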

BloodHound

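# Collect data with SharpHound on a domain-joined Windows host. Output is a
# zip in the current directory. -c All is noisy (session and local-group
# collection touches every computer in the domain); -c DCOnly talks only
# to the DC and is a quieter first pass.
.\SharpHound.exe -c All

# Collect from Linux with bloodhound-python. -ns points name resolution at
# the DC (needed when your resolver does not know the domain); --zip
# bundles the JSON files for import. The password is visible in shell
# history and the process list.
bloodhound-python -d domain.com -u username -p password -ns 10.10.10.10 -c All --zip

# Import the zip into BloodHound and run the built-in queries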

Kerberos

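# Enumerate valid usernames from Kerberos pre-auth error codes. This does
# not count as a failed logon, so it will not lock accounts, but each
# attempt is logged on the DC.
kerbrute userenum -d domain.com --dc 10.10.10.10 users.txt

# AS-REP Roasting: request tickets for users with pre-authentication
# disabled and save the hashes in hashcat format (mode 18200). No
# credentials needed, just a list of candidate usernames.
impacket-GetNPUsers domain.com/ -usersfile users.txt -dc-ip 10.10.10.10 -format hashcat -outputfile asrep.txt

# Kerberoasting: with any valid domain account, request a service ticket
# for every SPN and save the hashes for offline cracking (hashcat mode 13100)
impacket-GetUserSPNs domain.com/username:password -dc-ip 10.10.10.10 -request -outputfile kerberoast.txt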

Web Application

Technology Detection

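# Wappalyzer (browser extension)
# WhatWeb
whatweb http://10.10.10.10

# BuiltWith (online tool)

# Retire.js (known-vulnerable JavaScript libraries). --jspath takes a
# local directory, not a URL, so fetch the site's scripts first and scan
# the download
wget -r -l1 -A '*.js' -P site-js http://10.10.10.10
retire --js --jspath site-js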

API Enumeration

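# Discover API endpoints (also request /swagger.json, /openapi.json and
# versioned prefixes such as /api/v1 by hand)
gobuster dir -u http://10.10.10.10/api -w /usr/share/wordlists/dirb/common.txt

# Fuzz API paths: FUZZ is replaced by each line of the wordlist
wfuzz -c -z file,params.txt http://10.10.10.10/api/FUZZ

# Ask which methods the endpoint allows before trying them
curl -i -X OPTIONS http://10.10.10.10/api/endpoint

# Test API methods. JSON bodies need a JSON Content-Type, otherwise most
# frameworks parse them as a form and reject the request. -i shows the
# status line and headers. POST/PUT/DELETE modify server state: only run
# them against endpoints you are authorized to change.
curl -i -X GET http://10.10.10.10/api/endpoint
curl -i -X POST http://10.10.10.10/api/endpoint -H 'Content-Type: application/json' -d '{"key":"value"}'
curl -i -X PUT http://10.10.10.10/api/endpoint -H 'Content-Type: application/json' -d '{"key":"value"}'
curl -i -X DELETE http://10.10.10.10/api/endpoint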

WordPress

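# WPScan: enumerate users, plugins and themes. Vulnerability details need
# a (free) WPScan API token via --api-token; without it only versions are
# shown. Use vp,vt instead of p,t to restrict to known-vulnerable ones.
wpscan --url http://10.10.10.10 --enumerate u,p,t

# Enumerate users only (author archives, login error messages, the
# /wp-json/wp/v2/users REST endpoint)
wpscan --url http://10.10.10.10 --enumerate u

# Password brute force against wp-login/xmlrpc. Noisy, and lockout
# plugins will block you; -U also accepts a file of usernames from the
# previous step.
wpscan --url http://10.10.10.10 -U admin -P passwords.txt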

Automated Tools

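# AutoRecon: nmap followed by per-service follow-up scans, results under
# ./results. Run as root so the SYN and UDP scans it launches work. Like
# every wrapper below it fires many scanners at once - confirm the target
# is in scope before starting it.
sudo autorecon 10.10.10.10

# nmapAutomator: staged nmap scans. "All" also runs the vuln and recon
# stages, which are noisy; use "Quick" or "Basic" for a lighter touch.
./nmapAutomator.sh 10.10.10.10 All

# Reconnoitre: scan and write per-service suggested follow-up commands
# into the output directory
reconnoitre -t 10.10.10.10 -o output --services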

[PROTOCOL] Start with broad scans, then focus on the services that look interesting — and stay inside the authorized scope throughout: several commands above (brute force, SNMP walks, vhost and directory enumeration) are noisy, and PUT/DELETE requests and mounts change state on the target
[TIP] Always save scan results (-oA, -o, --zip) so you can refer back to them and include them in the report