Enumeration Checklist

This checklist is designed for pentesters targeting modern applications, cloud environments, and hybrid infrastructures. It emphasises automation, cloud-native services, and DevSecOps practices while maintaining a focus on thorough reconnaissance and vulnerability discovery.

Reconnaissance & Discovery

Target Identification

  • IP Address & Hostname Resolution: Identify target IPs, domains, and subdomains.

  • WHOIS & DNS Metadata: Gather domain registration details (WHOIS), SSL/TLS certificates (crt.sh, Censys), and DNS records (A, MX, TXT, CNAME).

    • Tools: dig, dnsdumpster, dnsrecon, fierce.

  • Subdomain Enumeration: Discover subdomains via brute-forcing, certificate transparency logs, and OSINT.

    • Tools: Amass, Sublist3r, Subfinder, Assetfinder.

  • Reverse DNS Lookup: Map IPs to domains.

    • Tools: nslookup, dnsrecon.

Network Mapping

  • Host Discovery: Confirm live hosts using ping sweeps, ARP scans, or non-ping methods.

    • Tools: nmap -sn, fping, masscan.

  • Traceroute: Map network paths to identify infrastructure components.

    • Tools: traceroute, mtr.

  • Topology Mapping: Visualise network layout and relationships.

    • Tools: nmap --traceroute, Zenmap.

Network & Service Enumeration

Port Scanning

  • Comprehensive Scans: Identify open ports and services (TCP/UDP).

    • Types: TCP Connect (-sT), SYN (-sS), UDP (-sU), Specific Ports (-p).

    • Tools: nmap, masscan, unicornscan.

  • Service Version Detection: Fingerprint services and versions.

    • Tools: nmap -sV, nmap --script=banner.

  • Script Scanning: Run protocol-specific NSE scripts for deeper insights.

    • Tools: nmap --script=default,safe.

Service-Specific Enumeration

  • HTTP/HTTPS: Identify web servers, frameworks, and technologies.

    • Tools: WhatWeb, Wappalyzer, Burp Suite, gobuster, dirb.

    • Tasks: Directory brute-forcing, virtual host enumeration, CORS misconfiguration checks.

  • SMB: Enumerate shares, users, and policies.

    • Tools: smbmap, smbclient, enum4linux-ng.

  • SMTP: Check for open relays and user enumeration.

    • Tools: nmap --script=smtp*, smtp-user-enum.

  • SSH: Identify versions and attempt default/weak credential checks.

    • Tools: nmap --script=ssh*, hydra, medusa.

  • DNS: Attempt zone transfers and brute-force subdomains.

    • Tools: dnsenum, fierce, dnsrecon.

  • Database Services (MySQL, Postgres, MSSQL): Check for default credentials and misconfigurations.

    • Tools: nmap --script=mysql*,pgsql*,mssql*, sqlmap.

  • LDAP: Enumerate directory services for user and group data.

    • Tools: ldapsearch, nmap --script=ldap*.

  • RDP/VNC: Identify remote desktop services and weak configurations.

    • Tools: nmap --script=rdp*,vnc*, hydra.

  • SNMP: Extract device info and community strings.

    • Tools: snmpwalk, onesixtyone, nmap --script=snmp*.

System & Application Enumeration

Operating System Detection

  • OS Fingerprinting: Identify OS and versions via TCP/IP stack analysis.

    • Tools: nmap -O, p0f, netdiscover.

  • TTL Analysis: Infer OS based on Time-To-Live values.

  • SMB OS Detection: Extract OS details via SMB protocols.

    • Tools: smbclient, enum4linux-ng.

Web Application Enumeration

  • Web Server & CMS Detection: Identify web servers (Apache, Nginx) and CMS platforms (WordPress, Drupal, Joomla).

    • Tools: WhatWeb, WPScan, JoomScan, Droopescan.

  • API & Endpoint Discovery: Enumerate REST, GraphQL, and WebSocket endpoints.

    • Tools: Burp Suite, Postman, GraphQLmap, wscat.

  • Source Code Analysis: Extract comments, API keys, and hidden parameters from HTML/JS.

    • Tools: Burp Suite, LinkFinder, EyeWitness.

  • Framework Detection: Identify frameworks (Django, Laravel, etc.) and misconfigurations.

    • Tools: Wappalyzer, WhatWeb, BuiltWith.

  • CORS & Security Headers: Check for misconfigured CORS and missing security headers.

    • Tools: Burp Suite, curl, nmap --script=http*.
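
The CORS and security-header check above is mostly a matter of reading one response carefully, so it is worth automating. The following is an added example (not code from this checklist, nor from Burp, curl or any nmap script): an offline audit function that takes a response header map plus the Origin value that was sent with the request, and reports missing hardening headers, reflected or otherwise risky Access-Control-Allow-Origin values, and version disclosure. The two sample responses and the probe/trusted origins are constructed, not captured from a real host.

```python
"""Offline audit of one HTTP response's headers for missing security headers
and risky CORS settings.  Added example for this checklist, not code from the
page or from any tool it lists; the sample responses below are constructed,
not captured from a real host."""

from typing import Dict, Iterable, List

# Headers a hardened response is expected to carry, with the finding text
# emitted when one is absent.
EXPECTED_HEADERS = {
    "strict-transport-security": "HSTS missing: no protection against protocol downgrade",
    "content-security-policy": "CSP missing: no mitigation for injected scripts",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing possible",
    "x-frame-options": "X-Frame-Options missing: framing/clickjacking possible",
    "referrer-policy": "Referrer-Policy missing: full URLs may leak in Referer",
}


def audit_headers(headers: Dict[str, str], request_origin: str,
                  trusted_origins: Iterable[str] = ()) -> List[str]:
    """Return a list of findings for a single response.

    headers:         response headers as received (names compared case-insensitively)
    request_origin:  the Origin value sent with the probing request, so that a
                     server reflecting whatever it is given can be detected
    trusted_origins: origins the application legitimately allows
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    trusted = set(trusted_origins)
    findings: List[str] = []

    for name, msg in EXPECTED_HEADERS.items():
        if name in h:
            continue
        # CSP frame-ancestors supersedes X-Frame-Options; do not double-report.
        if name == "x-frame-options" and "frame-ancestors" in h.get("content-security-policy", ""):
            continue
        findings.append(msg)

    if h.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings.append("X-Content-Type-Options present but not 'nosniff'")

    acao = h.get("access-control-allow-origin")
    with_creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is not None:
        if acao == "null":
            findings.append("CORS: 'null' origin allowed (reachable from sandboxed frames)")
        elif acao == "*" and with_creds:
            findings.append("CORS: wildcard origin with credentials (browsers reject it, but it signals a misconfiguration)")
        elif acao == request_origin and request_origin not in trusted:
            findings.append("CORS: arbitrary Origin reflected"
                            + (" with credentials" if with_creds else ""))
        # A per-origin ACAO must carry Vary: Origin, or a shared cache may hand
        # one origin's response to another.
        if acao not in ("*", "null") and "origin" not in h.get("vary", "").lower():
            findings.append("CORS: per-origin ACAO without 'Vary: Origin'")

    server = h.get("server", "")
    if any(ch.isdigit() for ch in server):
        findings.append(f"Server header discloses version: {server}")

    return findings


# Constructed sample data (not captured from real hosts).  PROBE_ORIGIN is the
# Origin header sent with the request, chosen to be one the target should not
# trust; TRUSTED is the application's legitimate origin.
PROBE_ORIGIN = "https://probe.example"
TRUSTED = {"https://app.example"}

WEAK_RESPONSE = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": "https://probe.example",   # reflected probe origin
    "Access-Control-Allow-Credentials": "true",
}

HARDENED_RESPONSE = {
    "Server": "nginx",
    "Content-Type": "application/json",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
    "Access-Control-Allow-Origin": "https://app.example",
    "Vary": "Origin",
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}:")
        for finding in audit_headers(resp, PROBE_ORIGIN, TRUSTED) or ["no findings"]:
            print("  -", finding)
```

Against a live target the header map comes from the response object of whatever client is in use (for example the `.headers` mapping returned by the `requests` library after a GET that sets an `Origin` header); the function only needs something with an `.items()` view. Running the same request twice, once with a trusted Origin and once with an arbitrary one, is what separates a deliberate allow-list from a server that simply echoes back whatever it receives.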

User Enumeration

  • Brute-Force Attacks: Test for weak/default credentials on exposed services (SSH, RDP, HTTP, etc.).

    • Tools: hydra, medusa, patator.

  • User Discovery: Enumerate valid usernames via service-specific methods (e.g., SMTP VRFY, web forms).

    • Tools: smtp-user-enum, Burp Intruder.

  • Social Engineering: Leverage OSINT for user-related data (LinkedIn, GitHub, email leaks).

    • Tools: theHarvester, Maltego, Hunter.io.

Cloud & Modern Infrastructure Enumeration

Cloud Service Enumeration

  • AWS: Identify misconfigured S3 buckets, EC2 instances, and IAM roles.

    • Tools: awscli, S3Scanner, CloudEnum.

  • Azure: Check for exposed Blob Storage, VMs, and Azure AD misconfigurations.

    • Tools: MicroBurst, Azurite.

  • Google Cloud: Enumerate GCS buckets and exposed services.

    • Tools: GCPBucketBrute, CloudEnum.

  • Cloud Metadata Exploitation: Attempt to access instance metadata for cloud provider details.

    • Tools: curl (e.g., http://169.254.169.254/), CloudSploit.

Container & Virtualization

  • Docker/Kubernetes: Enumerate containers, pods, and misconfigured orchestrators.

    • Tools: kubectl, docker, Kube-Hunter, Trivy.

  • Virtualisation: Identify hypervisors (VMware, Hyper-V) and their configurations.

    • Tools: nmap --script=vmware*, virt-what.

Vulnerability Scanning

Automated Vulnerability Scans

  • General Scanners: Identify CVEs and misconfigurations.

    • Tools: Nessus, OpenVAS, Nexpose.

  • Web Scanners: Focus on web-specific vulnerabilities (XSS, SQLi, etc.).

    • Tools: Nikto, OWASP ZAP, Burp Suite Pro.

  • Container Scanners: Scan Docker images and Kubernetes clusters for vulnerabilities.

    • Tools: Trivy, Clair, Anchore.

  • Nmap NSE Scripts: Run vulnerability-specific scripts.

    • Tools: nmap --script=vuln.

Manual Vulnerability Checks

  • Validate automated findings manually.

  • Test for business logic flaws, authentication bypasses, and privilege escalation.

  • Tools: Burp Suite, Postman, sqlmap.

External Intelligence & OSINT

External Recon

  • Shodan/Censys: Identify exposed devices, services, and IoT endpoints.

    • Tools: Shodan CLI, Censys CLI.

  • Code Repositories: Search for leaked credentials, API keys, or sensitive data in GitHub, GitLab, or Bitbucket.

    • Tools: GitRob, TruffleHog, GitLeaks.
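
The Source Code Analysis item earlier (comments, API keys and hidden parameters in HTML/JS) and this Code Repositories item come down to the same scan over text. The following is an added example, not code from the checklist or from GitRob, TruffleHog or GitLeaks; it shows the two detection techniques those tools rely on, signature regexes for known credential formats and Shannon entropy for unlabelled random-looking literals, plus comment and query-parameter extraction, run over a constructed JavaScript snippet. The access key ID in the sample is the placeholder from the AWS documentation, not a live credential; the keyword and entropy thresholds are assumptions for illustration.

```python
"""Scan source text (HTML/JS, or a file from a repository) for leaked secrets,
developer comments and hidden parameters: known credential formats by regex,
plus high-entropy string literals.  Added example for this checklist, not code
from the page or from any tool it lists; SAMPLE_JS is constructed and the key
in it is the placeholder from the AWS documentation, not a live credential."""

import math
import re
from collections import Counter
from typing import List, Tuple

# Known credential shapes.  The AWS access key ID prefix is a public,
# documented format; the assignment pattern is a generic keyword heuristic.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "keyword_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|password|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}
# Quoted literals made only of base64/hex-ish characters, long enough to be a key.
STRING_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")
# Line, block and HTML comments; the lookbehind keeps "https://..." out of the
# line-comment match (a heuristic, not a real JS tokenizer).
COMMENT = re.compile(r"(?<!:)//[^\n]*|/\*.*?\*/|<!--.*?-->", re.DOTALL)
# Query-string parameter names mentioned anywhere in the text.
QUERY_PARAM = re.compile(r"[?&]([A-Za-z_][A-Za-z0-9_]*)=")


def shannon_entropy(s: str) -> float:
    """Bits per character; random base64 keys sit around 5, prose around 4."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def find_secrets(text: str, entropy_threshold: float = 4.0) -> List[Tuple[str, str]]:
    """Return (kind, value) pairs; signature hits take precedence over entropy hits."""
    findings: List[Tuple[str, str]] = []
    seen = set()
    for kind, pattern in KNOWN_PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(m.lastindex or 0)   # captured value if the pattern has one
            if value not in seen:
                seen.add(value)
                findings.append((kind, value))
    for m in STRING_LITERAL.finditer(text):
        value = m.group(1)
        if value not in seen and shannon_entropy(value) >= entropy_threshold:
            seen.add(value)
            findings.append(("high_entropy_string", value))
    return findings


def find_comments(text: str) -> List[str]:
    """Developer comments often leave TODOs, staging hosts or debug switches behind."""
    return [c.strip() for c in COMMENT.findall(text)]


def find_hidden_params(text: str) -> List[str]:
    """Parameter names referenced in the source that the UI may never expose."""
    return sorted(set(QUERY_PARAM.findall(text)))


# Constructed sample, not taken from any real application.
SAMPLE_JS = """
// TODO: remove before release - staging creds
const config = {
  apiKey: "AKIAIOSFODNN7EXAMPLE",   // AWS documentation example key ID
  endpoint: "https://api.app.example/v2",
};
/* debug switch: ?debug_mode=1 turns on the hidden diagnostics page */
const sessionToken = "dGhpcyBpcyBub3QgYSByZWFsIHRva2Vu";
const filler = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
"""

if __name__ == "__main__":
    for kind, value in find_secrets(SAMPLE_JS):
        print(f"secret   {kind:22s} {value}")
    for c in find_comments(SAMPLE_JS):
        print(f"comment  {c}")
    for p in find_hidden_params(SAMPLE_JS):
        print(f"param    {p}")
```

The sample is built so that each path fires once: the access key is caught by its signature (and the keyword rule then skips it as already reported), the base64 literal has no telling variable name but is caught by entropy, and the long repetitive string shows why a length check alone is not enough. On a real repository the same functions run per file, and the entropy threshold is the knob that trades false positives (URLs, hashes in lockfiles) against missed short secrets.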

  • Pastebin & Dark Web: Check for leaked credentials or data dumps.

    • Tools: Pastebin Scrapers, OnionScan.

Mobile & IoT Enumeration

  • Mobile Apps: Decompile APKs/IPAs and analyse APIs.

    • Tools: MobSF, Frida, Apktool, JD-GUI.

  • IoT & Firmware: Enumerate Bluetooth, Zigbee, or firmware vulnerabilities.

    • Tools: Binwalk, Firmadyne, BlueZ.

Infrastructure Components

  • Firewall & IDS/IPS: Detect and fingerprint security devices.

    • Tools: nmap --script=firewall*, hping3.

  • VPN & Load Balancers: Identify VPN endpoints and load balancer configurations.

    • Tools: ike-scan, nmap --script=http-vhosts.

  • WAF Detection: Identify Web Application Firewalls and their rules.

    • Tools: wafw00f, WhatWaf.

Automation & Notes

  • Automated Recon Tools: Run comprehensive recon frameworks for efficiency.

    • Tools: Recon-ng, SpiderFoot, AutoRecon, Sn1per.

  • Notes & Observations: Document anomalies, hidden parameters, error messages, and potential attack vectors.

    • Tools: Obsidian, CherryTree, Notion.
