From Discovery to Enumeration

The Strategic Pentester's Cheatsheet: From Discovery to Enumeration

This cheatsheet provides a strategic, multi-phase workflow for network enumeration during a penetration test. The methodology progresses from broad, quiet discovery to in-depth analysis, now incorporating multiple tool options for each task.

Phase 1: Host Discovery (Finding Live Targets)

Strategy: The goal is to identify live hosts without triggering alerts. Start with methods that are less likely to be logged, like ARP on a local network, before moving to ICMP or TCP/UDP-based discovery.

LAN Discovery (Fast & Reliable):

Use Case: You are on the local network. This is the most effective method.

Tools:

# Nmap (Recommended)
# -PR: ARP Scan | -sn: "Ping Scan" (disables port scan)
sudo nmap -sn -PR 192.168.1.0/24 -oA discovery_arp

# arp-scan (Very Fast)
sudo arp-scan -l

Standard Network Discovery:

Use Case: Scanning external networks or internal subnets where ARP is not possible.

Tools:

# Nmap (Recommended for flexibility)
# -PS: TCP SYN to common ports | -PA: TCP ACK | -PU: UDP
# This combination bypasses many simple firewall rules that block only ICMP.
sudo nmap -sn -PS80,443 -PA22 -PU53 10.10.10.0/24 -oA discovery_standard

# fping (Fast ICMP sweep)
fping -a -g 10.10.10.0/24 2>/dev/null

Assume All Hosts Are Up (When Blocked):

Use Case: A restrictive firewall is dropping your discovery probes. This is slow but necessary.

Method:

# -Pn: Skips host discovery entirely and attempts to port scan every IP.
# This is an Nmap flag, not a standalone tool.
# Combine this with the scanning techniques in Phase 2.

Phase 2: Port Scanning (Mapping the Attack Surface)

Strategy: Employ a multi-step approach. Use ultra-fast scanners like masscan to find open ports, then feed those results into nmap for deep analysis. This is far more efficient than running a full nmap scan from the start.

Step 1: Fast Initial Port Scan:

Purpose: Quickly identify open ports across large IP ranges.

Tools:

# Masscan (Fastest)
# Finds open ports and saves them to a list.
masscan -p1-6553d5 --rate=100000 -iL targets.txt --output-format list -oG masscan.grep

# Nmap (Fast Mode)
sudo nmap -sS --top-ports 1000 -T4 --min-rate 1000 -iL targets.txt -oA scan_fast

Step 2: Detailed Service & Script Scan (On Discovered Ports):
- Purpose: This is the main enumeration scan. It runs version detection, default scripts, and OS detection on the specific ports you found open.
- Tool:
  # Nmap is the best tool for this job. # Use the port list from Masscan or the fast Nmap scan. # --open: Only scan ports reported as open. sudo nmap -sV -sC -O -p<PORTS> --open <target> -oA scan_detailed
Step 3: UDP Scan (As Needed):
- Purpose: UDP is slow to scan. Only run this if you suspect key UDP services are in use (e.g., DNS, SNMP, Kerberos).
- Tool:
  # Nmap is the standard for UDP scanning. sudo nmap -sU -sV --top-ports 50 <target> -oA scan_udp

Phase 3: Service-Specific Enumeration (Deep Dive)

Strategy: Now that you have a list of open ports and versions, attack each service with specialized tools and scripts. Always check for anonymous/guest access and known misconfigurations first.

Authentication & Directory Services

LDAP (389, 636):

Tools: nmap, ldapsearch

# Nmap (Safe enumeration)
nmap -p 389,636 --script "ldap* and not brute" <target>
# ldapsearch (Manual query)
ldapsearch -x -h <target> -s base namingcontexts

Kerberos (88):

Tools: nmap, kerbrute, impacket-GetNPUsers

# Nmap (Username enumeration)
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN'" <target>
# Kerbrute (Faster username enumeration)
kerbrute userenum --dc <target> -d DOMAIN users.txt

SMB (139, 445):

Tools: crackmapexec, enum4linux-ng, smbclient, smbmap

# 1. Initial check for null sessions and shares (fast)
crackmapexec smb <target> -u '' -p '' --shares
# 2. Deep enumeration (slower, more comprehensive)
enum4linux-ng -A <target>
# 3. Nmap vulnerability scan
nmap -p 139,445 --script="smb-enum-*,smb-vuln*" <target>

Remote Access & Management

SSH (22):

Tools: nmap, ssh-audit

# Nmap (Get host key, auth methods, algorithms)
nmap -p 22 --script=ssh-hostkey,ssh-auth-methods,ssh2-enum-algos <target>
# ssh-audit (Check for weak crypto)
ssh-audit <target>

RDP (3389):

Tools: nmap, xfreerdp

# Nmap (Check for vulnerabilities and encryption)
nmap -p 3389 --script=rdp-ntlm-info,rdp-enum-encryption,rdp-vuln-ms12-020 <target>
# xfreerdp (Attempt to connect)
xfreerdp /v:<target>

WinRM (5985, 5986):

Tools: nmap, evil-winrm

nmap -p 5985,5986 --script=http-winrm-info,wsman-info <target>
evil-winrm -i <target> -u <user> -p <pass>

VNC (5900):

Tools: nmap

# Check for weak authentication and gather screen information
nmap -p 5900 --script=vnc-info,vnc-title <target>

FTP (21):

Tools: nmap, ftp (client)

# Nmap (Check for anon login and backdoors)
nmap -p 21 --script "ftp* and not brute" <target>
# Manual connection test
ftp <target> # User: anonymous, Pass: anonymous

NFS (2049):

Tools: nmap, showmount

# Nmap (List shares)
nmap -p 2049 --script=nfs-showmount,nfs-ls <target>
# showmount (Native tool)
showmount -e <target>

RSync (873):

Tools: nmap, rsync

# Nmap (Check for unauthenticated modules)
nmap -p 873 --script=rsync-list-modules <target>
# rsync (Attempt to list a module)
rsync rsync://<target>/

Web & Application Services (Expanded)

Strategy: Web enumeration is a deep discipline. Start with fingerprinting to understand the technology stack. Then, aggressively search for hidden content. Finally, scan for common vulnerabilities based on your findings.

Step 1: Initial Recon & Fingerprinting:

Purpose: Identify web server software, frameworks, and technologies. Manually inspect headers and source code.

Tools:

# whatweb (Best for identifying technologies)
whatweb http://<target>

# curl (Inspect headers)
curl -I -s http://<target>

# Nmap (Get title, headers, and run basic scripts)
nmap -p 80,443 --script=http-title,http-server-header,http-sitemap-generator <target>

# Netcat (Grab a simple banner)
nc <target> 80
# > GET / HTTP/1.1
# > Host: <target>

Step 2: Content Discovery (Directory & Subdomain Fuzzing):

Purpose: Find hidden pages, directories, API endpoints, and virtual hosts.

Tools:

# ffuf (Fastest for directory/subdomain fuzzing)
ffuf -c -w /path/to/wordlist.txt -u http://<target>/FUZZ -fc 404

# gobuster (Popular alternative for directories)
gobuster dir -u http://<target> -w /path/to/wordlist.txt

# wfuzz (Highly versatile fuzzer for parameters, etc.)
wfuzz -c -w /path/to/wordlist.txt --hc 404 http://<target>/FUZZ

Step 3: CMS & Framework Specific Scanning:

Purpose: Use specialized tools if a specific CMS like WordPress is identified.

Tools:

# wpscan (WordPress scanner)
# --enumerate u (users), ap (all plugins), at (all themes)
wpscan --url http://<target> --enumerate u,ap,at --api-token <YOUR_API_TOKEN>

Step 4: Automated Vulnerability Scanning:

Purpose: Scan for common vulnerabilities like SQLi, XSS, and misconfigurations.

Tools:

# Nuclei (Modern, fast, template-based scanner)
nuclei -u http://<target>

# Nikto (Classic web server misconfiguration scanner)
nikto -h http://<target>

# sqlmap (The go-to tool for detecting and exploiting SQL injection)
# Crawl the site and test all forms
sqlmap -u "http://<target>" --crawl=1 --forms --batch

# Nmap (Web vulnerability scripts)
nmap -p 80,443 --script http-vuln* <target>

Step 5: Manual Interaction & Data Transfer:

Purpose: Download files for offline analysis or interact with the server manually.

Tools:

# wget (Recursive download of a website)
wget --recursive --no-parent http://<target>/

# curl (Download a specific file)
curl -o output.html http://<target>/index.html

Databases

MySQL (3306), MSSQL (1433), PostgreSQL (5432):

Tools: nmap, native clients (mysql, sqlcmd, psql)

# Nmap (Safe info gathering)
nmap -p 3306 --script "mysql* and not brute" <target>
nmap -p 1433 --script "ms-sql* and not brute" <target>
nmap -p 5432 --script "pgsql* and not brute" <target>

Redis (6379) & Elasticsearch (9200):

Tools: nmap

# Check for unauthenticated access and grab server info
nmap -p 6379 --script=redis-info <target>
nmap -p 9200 --script=http-elasticsearch-info <target>

Core Network Services

DNS (53):

Tools: nmap, dig, dnsrecon

# Nmap (Check for zone transfers, recursion)
nmap -p 53 --script dns-zone-transfer,dns-recursion,dns-nsid <target>
# Dig (Manual zone transfer attempt)
dig axfr @<target> <domain>

SNMP (UDP 161):

Tools: nmap, snmpwalk, snmp-check

# Nmap (Enumerate with 'public' community string)
sudo nmap -sU -p 161 --script "snmp* and not brute" <target>
# snmp-check (Comprehensive enumeration)
snmp-check -t <target>

SMTP (25, 465, 587):

Tools: nmap, netcat

# Nmap (Enumerate users and check for open relay)
nmap -p 25,465,587 --script=smtp-commands,smtp-enum-users,smtp-open-relay <target>

Phase 4: Strategic Scans & Workflows

Strategy: Combine the phases into repeatable workflows for different scenarios.

External Pentest Workflow (Stealthy -> Detailed):
1. nmap -sn -PS80,443 -PA22 <target_range> -oA external_hosts
2. masscan -p1-65535 --rate=5000 -iL external_hosts.nmap -oG masscan.grep
3. Extract IPs and ports from masscan.grep.
4. nmap -sV -sC -O -p<PORTS> -iL <targets_with_open_ports> -oA external_detailed
5. Begin deep enumeration from Phase 3 on discovered services.
Internal Pentest Workflow (Fast & Comprehensive):
1. nmap -sn -PR <target_range> -oA internal_hosts
2. nmap -sS --top-ports 1000 -T4 --min-rate 1000 -iL internal_hosts.nmap -oA internal_fast_scan
3. nmap -sV -sC -O --script="smb-enum-*,smb-vuln*,vuln" -iL internal_hosts.nmap -oA internal_full_enum
4. Use tools like crackmapexec and enum4linux-ng on discovered Windows hosts.

PreviousEnumeration Checklist NextPenetration Testing Cheatsheet

Last updated 3 months ago

The Strategic Pentester's Cheatsheet: From Discovery to Enumeration

Phase 1: Host Discovery (Finding Live Targets)

Phase 2: Port Scanning (Mapping the Attack Surface)

Phase 3: Service-Specific Enumeration (Deep Dive)

Authentication & Directory Services

Remote Access & Management

File Transfer & Sharing

Web & Application Services (Expanded)

Databases

Core Network Services

Phase 4: Strategic Scans & Workflows