The Strategic Pentester's Cheatsheet: From Discovery to Enumeration
This cheatsheet lays out a strategic, multi-phase workflow for network enumeration during a penetration test. The methodology progresses from broad, quiet discovery to in-depth analysis, with several tool options for each task.
Phase 1: Host Discovery (Finding Live Targets)
Strategy: The goal is to identify live hosts without triggering alerts. Start with methods that are less likely to be logged, like ARP on a local network, before moving to ICMP or TCP/UDP-based discovery.
LAN Discovery (Fast & Reliable):
Use Case: You are on the local network. This is the most effective method.
Tools:
# Nmap (Recommended)
# -PR: ARP scan | -sn: "ping scan" (disables the port scan)
sudo nmap -sn -PR 192.168.1.0/24 -oA discovery_arp
# arp-scan (Very fast)
sudo arp-scan -l
Standard Network Discovery:
Use Case: Scanning external networks or internal subnets where ARP is not possible.
Tools:
# Nmap (Recommended for flexibility)
# -PS: TCP SYN to common ports | -PA: TCP ACK | -PU: UDP
# This combination bypasses many simple firewall rules that block only ICMP.
sudo nmap -sn -PS80,443 -PA22 -PU53 10.10.10.0/24 -oA discovery_standard
# fping (Fast ICMP sweep)
fping -a -g 10.10.10.0/24 2>/dev/null
Assume All Hosts Are Up (When Blocked):
Use Case: A restrictive firewall is dropping your discovery probes. This is slow but necessary.
Method:
# -Pn: skip host discovery entirely and port scan every IP.
# This is an Nmap flag, not a standalone tool.
# Combine it with the scanning techniques in Phase 2.
Phase 2: Port Scanning (Mapping the Attack Surface)
Strategy: Employ a multi-step approach. Use ultra-fast scanners like masscan to find open ports, then feed those results into nmap for deep analysis. This is far more efficient than running a full nmap scan from the start.
Step 1: Fast Initial Port Scan:
Purpose: Quickly identify open ports across large IP ranges.
Tools:
# Masscan (Fastest)
# Finds open ports and writes them in grepable format (one line per open port), which Phase 4 parses.
masscan -p1-65535 --rate=100000 -iL targets.txt -oG masscan.grep
# Nmap (Fast mode)
sudo nmap -sS --top-ports 1000 -T4 --min-rate 1000 -iL targets.txt -oA scan_fast
Step 2: Detailed Service & Script Scan (On Discovered Ports):
Purpose: This is the main enumeration scan. It runs version detection, default scripts, and OS detection on the specific ports you found open.
Tool:
# Nmap is the best tool for this job.
# Use the port list from Masscan or the fast Nmap scan.
# --open: only report ports that are open (it filters the output; it does not narrow the scan).
sudo nmap -sV -sC -O -p<PORTS> --open <target> -oA scan_detailed
Step 3: UDP Scan (As Needed):
Purpose: UDP is slow to scan. Only run this if you suspect key UDP services are in use (e.g., DNS, SNMP, Kerberos).
Tool:
# Nmap is the standard for UDP scanning.
sudo nmap -sU -sV --top-ports 50 <target> -oA scan_udp
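The discovery sweeps of Phase 1 and the port scans of Phase 2 look the same from the other side of the wire: one source touching many hosts, or many ports on one host, inside a short window, whether or not the handshakes complete. The following detector is an added example and not part of the cheatsheet. It reads a constructed connection log in the layout "epoch src dst dport proto" (that layout is an assumption for this example; adapt parse_line() to your firewall or NetFlow export) and flags host sweeps and port scans with a sliding time window.

```python
"""Flag host-discovery sweeps and port scans in a connection log.

Added example for the cheatsheet's Phases 1 and 2 (not from the original
page). Input lines are 'epoch src dst dport proto'; that layout is an
assumption for this example, adapt parse_line() to your own flow export.
"""
from collections import defaultdict

WINDOW = 60                # sliding window in seconds
HOST_SWEEP_THRESHOLD = 20  # distinct destinations from one source inside WINDOW
PORT_SCAN_THRESHOLD = 25   # distinct ports on one destination from one source inside WINDOW


def constructed_log():
    """Build sample traffic (constructed, not captured): one noisy source and one normal client."""
    lines = []
    # Phase 1 style sweep: 10.0.0.9 probes port 80 on 30 hosts within ~10 seconds.
    for i in range(1, 31):
        lines.append(f"{1700000000 + i // 3} 10.0.0.9 10.0.1.{i} 80 tcp")
    # Phase 2 style scan: the same source walks 40 ports on 10.0.1.20 within ~20 seconds.
    for i, port in enumerate(range(1, 41)):
        lines.append(f"{1700000100 + i // 2} 10.0.0.9 10.0.1.20 {port} tcp")
    # Ordinary client talking to two servers; must not be flagged.
    for i in range(5):
        lines.append(f"{1700000000 + 7 * i} 10.0.0.5 10.0.1.20 443 tcp")
        lines.append(f"{1700000003 + 7 * i} 10.0.0.5 10.0.1.21 22 tcp")
    return lines


def parse_line(line):
    """Split one 'epoch src dst dport proto' record into typed fields."""
    ts, src, dst, dport, proto = line.split()
    return int(ts), src, dst, int(dport), proto


def detect(lines, window=WINDOW, host_thr=HOST_SWEEP_THRESHOLD, port_thr=PORT_SCAN_THRESHOLD):
    """Return {(kind, src, target): peak_count} for sources crossing a threshold.

    kind is 'host_sweep' (target '*') or 'port_scan' (target is the scanned host).
    """
    events = sorted(parse_line(line) for line in lines if line.strip() and not line.startswith("#"))
    by_src = defaultdict(list)
    for ts, src, dst, dport, _proto in events:
        by_src[src].append((ts, dst, dport))

    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so it never spans more than `window` seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]

            hosts = {dst for _, dst, _ in win}
            if len(hosts) >= host_thr:
                key = ("host_sweep", src, "*")
                alerts[key] = max(alerts.get(key, 0), len(hosts))

            ports_by_dst = defaultdict(set)
            for _, dst, dport in win:
                ports_by_dst[dst].add(dport)
            for dst, ports in ports_by_dst.items():
                if len(ports) >= port_thr:
                    key = ("port_scan", src, dst)
                    alerts[key] = max(alerts.get(key, 0), len(ports))
    return alerts


if __name__ == "__main__":
    for (kind, src, target), count in sorted(detect(constructed_log()).items()):
        print(f"{kind:<10} src={src} target={target} peak={count}")
```

The thresholds are deliberately above what a busy client produces in a minute; tune them per segment, and note that a -T4 --min-rate scan trips both rules within seconds, whereas a slow, spread-out scan needs a longer window to surface.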
Phase 3: Service-Specific Enumeration (Deep Dive)
Strategy: Now that you have a list of open ports and versions, attack each service with specialized tools and scripts. Always check for anonymous/guest access and known misconfigurations first.
Authentication & Directory Services
LDAP (389, 636):
Tools: nmap, ldapsearch
# Nmap (Safe enumeration)
nmap -p 389,636 --script "ldap* and not brute" <target>
# ldapsearch (Manual query; -H takes a URI and replaces the deprecated -h host flag)
ldapsearch -x -H ldap://<target> -s base namingcontexts
Kerberos (88):
Tools: nmap, kerbrute, impacket-GetNPUsers
# Nmap (Username enumeration)
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN'" <target>
# Kerbrute (Faster username enumeration)
kerbrute userenum --dc <target> -d DOMAIN users.txt
SMB (139, 445):
Tools: crackmapexec, enum4linux-ng, smbclient, smbmap
# 1. Initial check for null sessions and shares (fast)
crackmapexec smb <target> -u '' -p '' --shares
# 2. Deep enumeration (slower, more comprehensive)
enum4linux-ng -A <target>
# 3. Nmap vulnerability scan
nmap -p 139,445 --script="smb-enum-*,smb-vuln*" <target>
Remote Access & Management
SSH (22):
Tools: nmap, ssh-audit
# Nmap (Get host key, auth methods, algorithms)
nmap -p 22 --script=ssh-hostkey,ssh-auth-methods,ssh2-enum-algos <target>
# ssh-audit (Check for weak crypto)
ssh-audit <target>
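The weak-crypto findings that ssh-audit and ssh2-enum-algos report come straight from the server's negotiated algorithm lists, so the same check can be run from the inside against the effective sshd configuration before anyone scans it. The following is an added example, not the cheatsheet's and not ssh-audit's code: it parses "sshd -T" style output (real sshd prints lowercase "keyword value" lines; the sample below is constructed), applies a small weak-algorithm policy of this example's own (narrower than ssh-audit's ruleset), and emits the hardened sshd_config lines with the flagged algorithms dropped.

```python
"""Audit 'sshd -T' output against a small weak-algorithm policy and emit a hardened config.

Added example (not from the cheatsheet and not ssh-audit's code). 'sshd -T'
prints the effective configuration as lowercase 'keyword value' lines; the
sample below is constructed, and WEAK_RULES is this example's own policy,
narrower than what ssh-audit reports.
"""

# Constructed sample resembling 'sshd -T' on a loosely configured server.
SAMPLE_SSHD_T = """\
port 22
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group1-sha1
ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes128-cbc,3des-cbc
macs hmac-sha2-256-etm@openssh.com,hmac-sha1,hmac-md5
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,ssh-dss
"""

# (substring, reason) pairs per keyword; a substring match marks the algorithm as weak.
WEAK_RULES = {
    "kexalgorithms": [("sha1", "SHA-1 based key exchange"),
                      ("group1-", "1024-bit DH group")],
    "ciphers": [("-cbc", "CBC mode cipher"),
                ("3des", "64-bit block cipher"),
                ("arcfour", "RC4 stream cipher")],
    "macs": [("hmac-md5", "MD5 based MAC"),
             ("hmac-sha1", "SHA-1 based MAC")],
    "hostkeyalgorithms": [("ssh-dss", "DSA host key (1024-bit)"),
                          ("ssh-rsa", "RSA host key signed with SHA-1")],
}


def parse_sshd_t(text):
    """Map each 'keyword value' line to {keyword: value}; keywords are lowercased."""
    cfg = {}
    for line in text.splitlines():
        if line.strip():
            key, _, value = line.partition(" ")
            cfg[key.lower()] = value.strip()
    return cfg


def audit(cfg, rules=WEAK_RULES):
    """Return [(keyword, algorithm, reason)] for every configured algorithm a rule matches."""
    findings = []
    for keyword, checks in rules.items():
        for algo in filter(None, cfg.get(keyword, "").split(",")):
            for needle, reason in checks:
                if needle in algo:
                    findings.append((keyword, algo, reason))
                    break  # one reason per algorithm is enough
    return findings


def hardened(cfg, rules=WEAK_RULES):
    """sshd_config lines with the flagged algorithms removed and the strong ones kept in order."""
    weak = {(kw, algo) for kw, algo, _ in audit(cfg, rules)}
    lines = []
    for keyword in rules:
        kept = [a for a in filter(None, cfg.get(keyword, "").split(",")) if (keyword, a) not in weak]
        lines.append(f"{keyword} {','.join(kept)}")
    return lines


if __name__ == "__main__":
    cfg = parse_sshd_t(SAMPLE_SSHD_T)
    for keyword, algo, reason in audit(cfg):
        print(f"WEAK {keyword}: {algo} ({reason})")
    print("\n# hardened sshd_config fragment")
    print("\n".join(hardened(cfg)))
```

Run it as "sshd -T | python3 this_script.py" after swapping the sample for sys.stdin; the hardened lines can be dropped into sshd_config as-is, since sshd accepts keywords case-insensitively.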
RDP (3389):
Tools: nmap, xfreerdp
# Nmap (Check for vulnerabilities and encryption)
nmap -p 3389 --script=rdp-ntlm-info,rdp-enum-encryption,rdp-vuln-ms12-020 <target>
# xfreerdp (Attempt to connect)
xfreerdp /v:<target>
WinRM (5985, 5986):
Tools: nmap, evil-winrm
# Nmap (Service information)
nmap -p 5985,5986 --script=http-winrm-info,wsman-info <target>
# evil-winrm (Remote shell, once valid credentials are known)
evil-winrm -i <target> -u <user> -p <pass>
VNC (5900):
Tools: nmap
# Check for weak authentication and gather screen information
nmap -p 5900 --script=vnc-info,vnc-title <target>
File Transfer & Sharing
FTP (21):
Tools: nmap, ftp (client)
# Nmap (Check for anon login and backdoors)
nmap -p 21 --script "ftp* and not brute" <target>
# Manual connection test
ftp <target>
# User: anonymous, Pass: anonymous
NFS (2049):
Tools: nmap, showmount
# Nmap (List shares)
nmap -p 2049 --script=nfs-showmount,nfs-ls <target>
# showmount (Native tool)
showmount -e <target>
RSync (873):
Tools: nmap, rsync
# Nmap (Check for unauthenticated modules)
nmap -p 873 --script=rsync-list-modules <target>
# rsync (Attempt to list modules)
rsync rsync://<target>/
Web & Application Services (Expanded)
Strategy: Web enumeration is a deep discipline. Start with fingerprinting to understand the technology stack. Then, aggressively search for hidden content. Finally, scan for common vulnerabilities based on your findings.
Step 1: Initial Recon & Fingerprinting:
Purpose: Identify web server software, frameworks, and technologies. Manually inspect headers and source code.
Tools:
# whatweb (Best for identifying technologies)
whatweb http://<target>
# curl (Inspect headers)
curl -I -s http://<target>
# Nmap (Get title, headers, and run basic scripts)
nmap -p 80,443 --script=http-title,http-server-header,http-sitemap-generator <target>
# Netcat (Grab a simple banner; type the request lines by hand, then an empty line)
nc <target> 80
# > GET / HTTP/1.1
# > Host: <target>
Step 2: Content Discovery (Directory & Subdomain Fuzzing):
Purpose: Find hidden pages, directories, API endpoints, and virtual hosts.
Tools:
# ffuf (Fastest for directory/subdomain fuzzing)
ffuf -c -w /path/to/wordlist.txt -u http://<target>/FUZZ -fc 404
# gobuster (Popular alternative for directories)
gobuster dir -u http://<target> -w /path/to/wordlist.txt
# wfuzz (Highly versatile fuzzer for parameters, etc.)
wfuzz -c -w /path/to/wordlist.txt --hc 404 http://<target>/FUZZ
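Wordlist-driven content discovery leaves a distinctive trace in the web server's access log: one client, a burst of requests in seconds, and almost all of them answered 404. The following is an added example and not part of the cheatsheet. It parses combined-format access log lines (the standard Apache/nginx layout; the sample lines are constructed, not real traffic) and flags clients whose 404 count and 404 ratio both cross a threshold. The rule is behavioural on purpose: tool User-Agent strings are trivially changed, so the agents are only reported, never relied on.

```python
"""Spot directory/content brute-forcing in a web access log.

Added example (not from the cheatsheet): the defender's view of Step 2.
Parses combined-format access log lines (the standard Apache/nginx layout)
and flags clients that produce a burst of 404s; the sample lines are
constructed, not real traffic.
"""
import re
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def constructed_access_log():
    """Combined-format sample: one content-discovery burst plus one ordinary visitor."""
    def fmt(ip, ts, path, status, ua):
        return f'{ip} - - [{ts.strftime(TS_FORMAT)}] "GET {path} HTTP/1.1" {status} 153 "-" "{ua}"'

    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    words = ["admin", "backup", "old", "test", "dev", "api", "config", "uploads",
             "private", "staging", "tmp", "db", "logs", "internal", "v1", "v2", "files"]
    paths = [f"/{w}" for w in words] + [f"/{w}.bak" for w in words]  # 34 guesses
    present = {"/api", "/uploads"}
    lines = []
    # 34 guesses in ~12 seconds from 203.0.113.7; only two of the paths exist.
    for i, path in enumerate(paths):
        status = 200 if path in present else 404
        lines.append(fmt("203.0.113.7", base + timedelta(seconds=i // 3), path, status,
                         "scanner/1.0 (constructed)"))
    # An ordinary visitor from 198.51.100.4 over three minutes, with one 404 for a missing favicon.
    normal = ["/", "/login", "/static/app.js", "/static/app.css", "/favicon.ico",
              "/login", "/dashboard", "/logout"]
    for i, path in enumerate(normal):
        status = 404 if path == "/favicon.ico" else 200
        lines.append(fmt("198.51.100.4", base + timedelta(seconds=25 * i), path, status,
                         "Mozilla/5.0 (constructed)"))
    return lines


def analyze(lines):
    """Per-client counters: requests, 404s, distinct missing paths, active time span, agents."""
    clients = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not combined format
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        c = clients.setdefault(m["ip"], {"requests": 0, "not_found": 0, "missing_paths": set(),
                                        "first": ts, "last": ts, "agents": set()})
        c["requests"] += 1
        c["first"], c["last"] = min(c["first"], ts), max(c["last"], ts)
        c["agents"].add(m["ua"] or "-")
        if m["status"] == "404":
            c["not_found"] += 1
            c["missing_paths"].add(m["path"])
    return clients


def flagged(clients, min_404=20, min_ratio=0.5):
    """Clients whose 404 count and 404 ratio both reach the thresholds."""
    return sorted(ip for ip, c in clients.items()
                  if c["not_found"] >= min_404 and c["not_found"] / c["requests"] >= min_ratio)


if __name__ == "__main__":
    stats = analyze(constructed_access_log())
    for ip in flagged(stats):
        c = stats[ip]
        span = (c["last"] - c["first"]).total_seconds()
        print(f"{ip}: {c['not_found']}/{c['requests']} requests were 404 in {span:.0f}s; "
              f"agents={sorted(c['agents'])}")
```

Feed it "tail -n 50000 access.log" for a quick look; for a steady-state control, a time-bucketed version of the same counters is what you would wire into the SIEM, with the distinct missing-path count as the tie-breaker that separates a broken link from a wordlist.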
Step 3: CMS & Framework Specific Scanning:
Purpose: Use specialized tools if a specific CMS like WordPress is identified.
Tools:
# wpscan (WordPress scanner)
# --enumerate u (users), ap (all plugins), at (all themes)
wpscan --url http://<target> --enumerate u,ap,at --api-token <YOUR_API_TOKEN>
Step 4: Automated Vulnerability Scanning:
Purpose: Scan for common vulnerabilities like SQLi, XSS, and misconfigurations.
Tools:
# Nuclei (Modern, fast, template-based scanner)
nuclei -u http://<target>
# Nikto (Classic web server misconfiguration scanner)
nikto -h http://<target>
# sqlmap (The go-to tool for detecting and exploiting SQL injection)
# Crawl the site and test all forms
sqlmap -u "http://<target>" --crawl=1 --forms --batch
# Nmap (Web vulnerability scripts; quote the pattern so the shell does not expand the *)
nmap -p 80,443 --script "http-vuln*" <target>
Step 5: Manual Interaction & Data Transfer:
Purpose: Download files for offline analysis or interact with the server manually.
Tools:
# wget (Recursive download of a website)
wget --recursive --no-parent http://<target>/
# curl (Download a specific file)
curl -o output.html http://<target>/index.html
Databases
MySQL (3306), MSSQL (1433), PostgreSQL (5432):
Tools: nmap, native clients (mysql, sqlcmd, psql)
# Nmap (Safe info gathering)
nmap -p 3306 --script "mysql* and not brute" <target>
nmap -p 1433 --script "ms-sql* and not brute" <target>
nmap -p 5432 --script "pgsql* and not brute" <target>
Redis (6379) & Elasticsearch (9200):
Tools: nmap
# Check for unauthenticated access and grab server info
nmap -p 6379 --script=redis-info <target>
nmap -p 9200 --script=http-elasticsearch-info <target>
Core Network Services
DNS (53):
Tools: nmap, dig, dnsrecon
# Nmap (Check for zone transfers, recursion)
nmap -p 53 --script dns-zone-transfer,dns-recursion,dns-nsid <target>
# Dig (Manual zone transfer attempt)
dig axfr @<target> <domain>
SNMP (UDP 161):
Tools: nmap, snmpwalk, snmp-check
# Nmap (Enumerate with the 'public' community string)
sudo nmap -sU -p 161 --script "snmp* and not brute" <target>
# snmp-check (Comprehensive enumeration)
snmp-check -t <target>
SMTP (25, 465, 587):
Tools: nmap, netcat
# Nmap (Enumerate users and check for open relay)
nmap -p 25,465,587 --script=smtp-commands,smtp-enum-users,smtp-open-relay <target>
Phase 4: Strategic Scans & Workflows
Strategy: Combine the phases into repeatable workflows for different scenarios.
External Pentest Workflow (Stealthy -> Detailed):
nmap -sn -PS80,443 -PA22 <target_range> -oA external_hosts
# Pull the live IPs out of the grepable output; the .nmap file is human-readable, not a target list.
grep "Status: Up" external_hosts.gnmap | awk '{print $2}' > external_hosts.txt
masscan -p1-65535 --rate=5000 -iL external_hosts.txt -oG masscan.grep
# Extract IPs and ports from masscan.grep, then run the detailed scan on just those ports.
nmap -sV -sC -O -p<PORTS> -iL <targets_with_open_ports> -oA external_detailed
Begin deep enumeration from Phase 3 on discovered services.
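The "extract IPs and ports from masscan.grep" step is the glue between the fast scan and the detailed scan, and it is the step most often done by hand. The following is an added example, not masscan's or the cheatsheet's own code. masscan -oG writes one line per open port in the form "Timestamp: <epoch>\tHost: <ip> ()\tPorts: <port>/open/<proto>////"; the parser keys only on the "Host:" and "Ports:" fields, so it tolerates the comment lines and small layout differences, collapses duplicate reports of the same port, and builds one nmap -p argument per host (T: for TCP, U: for UDP). The sample output is constructed.

```python
"""Turn masscan grepable (-oG) output into per-host port arguments for the nmap follow-up.

Added example for the 'extract IPs and ports from masscan.grep' step; it is
not masscan's or the cheatsheet's own code. masscan -oG writes one line per
open port, 'Timestamp: <epoch>\tHost: <ip> ()\tPorts: <port>/open/<proto>////';
the parser keys only on the 'Host:' and 'Ports:' fields. The sample is constructed.
"""
import re
from collections import defaultdict

SAMPLE_GREP = """\
# Masscan scan initiated (constructed sample, not real output)
# Ports scanned: TCP(65535;1-65535) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Timestamp: 1700000000\tHost: 10.10.10.5 ()\tPorts: 80/open/tcp////
Timestamp: 1700000000\tHost: 10.10.10.5 ()\tPorts: 443/open/tcp////
Timestamp: 1700000001\tHost: 10.10.10.7 ()\tPorts: 22/open/tcp////
Timestamp: 1700000001\tHost: 10.10.10.5 ()\tPorts: 80/open/tcp////
Timestamp: 1700000002\tHost: 10.10.10.9 ()\tPorts: 53/open/udp////
# End
"""

HOST_RE = re.compile(r"Host:\s+(\S+)")
PORTS_RE = re.compile(r"Ports:\s+(.*)")


def parse_masscan_grep(text):
    """Return {ip: {(port, proto), ...}} for every port reported as open; duplicates collapse."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, ports = HOST_RE.search(line), PORTS_RE.search(line)
        if not (host and ports):
            continue
        for entry in ports.group(1).split(","):
            fields = entry.strip().split("/")  # port/state/proto/owner/service/rpc/version
            if len(fields) < 3 or fields[1] != "open":
                continue
            hosts[host.group(1)].add((int(fields[0]), fields[2]))
    return dict(hosts)


def _ip_sort_key(ip):
    """Numeric ordering for IPv4; anything else (e.g. IPv6) sorts after it, lexically."""
    try:
        return (0, tuple(int(octet) for octet in ip.split(".")))
    except ValueError:
        return (1, ip)


def nmap_port_args(hosts):
    """[(ip, '-p' argument)] with TCP ports as T:... and UDP ports as U:... (UDP also needs -sU)."""
    out = []
    for ip in sorted(hosts, key=_ip_sort_key):
        tcp = sorted(port for port, proto in hosts[ip] if proto == "tcp")
        udp = sorted(port for port, proto in hosts[ip] if proto == "udp")
        parts = []
        if tcp:
            parts.append("T:" + ",".join(map(str, tcp)))
        if udp:
            parts.append("U:" + ",".join(map(str, udp)))
        out.append((ip, ",".join(parts)))
    return out


if __name__ == "__main__":
    # Emit one detailed-scan command per host, mirroring Phase 2 Step 2 of the cheatsheet.
    for ip, ports in nmap_port_args(parse_masscan_grep(SAMPLE_GREP)):
        flags = "-sV -sC -O" + (" -sS -sU" if "U:" in ports else "")
        print(f"sudo nmap {flags} -p {ports} {ip} -oA scan_detailed_{ip.replace('.', '_')}")
```

Replace SAMPLE_GREP with the contents of masscan.grep and the printed lines are the per-host detailed scans; keeping one output file per host means a rerun for a single host never clobbers the others.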
Internal Pentest Workflow (Fast & Comprehensive):
nmap -sn -PR <target_range> -oA internal_hosts
# Pull the live IPs out of the grepable output; the .nmap file is human-readable, not a target list.
grep "Status: Up" internal_hosts.gnmap | awk '{print $2}' > internal_hosts.txt
nmap -sS --top-ports 1000 -T4 --min-rate 1000 -iL internal_hosts.txt -oA internal_fast_scan
nmap -sV -sC -O --script="smb-enum-*,smb-vuln*,vuln" -iL internal_hosts.txt -oA internal_full_enum
Use tools like crackmapexec and enum4linux-ng on discovered Windows hosts.