Network Enumeration

Phase 1: Host Discovery (Finding Live Targets)

Strategy: Identify live hosts without triggering alerts. Start with methods that are less likely to be logged, like ARP on a local network, before moving to ICMP or TCP/UDP-based discovery.

• LAN Discovery (Fast & Reliable):

  • Use Case: You are on the local network. This is the most effective method.

  • Tools:

# Nmap (Recommended)
# -PR: ARP Scan | -sn: "Ping Scan" (disables port scan)
sudo nmap -sn -PR 192.168.1.0/24 -oA discovery_arp
        
# arp-scan (Very Fast)
sudo arp-scan -l

• Standard Network Discovery:

  • Use Case: Scanning external networks or internal subnets where ARP is not possible.

  • Tools:

# Nmap (Recommended for flexibility)
# -PS: TCP SYN to common ports | -PA: TCP ACK | -PU: UDP
# This combination bypasses many simple firewall rules that block only ICMP.
sudo nmap -sn -PS80,443 -PA22 -PU53 10.10.10.0/24 -oA discovery_standard

• Assume All Hosts Are Up (When Blocked):

  • Use Case: A restrictive firewall is dropping your discovery probes. This is slow but necessary.

  • Method:

# -Pn: Skips host discovery entirely and attempts to port scan every IP.
# This is an Nmap flag, not a standalone tool.
# Combine this with the scanning techniques in Phase 2.

Phase 2: Port Scanning (Mapping the Attack Surface)

Strategy: Employ a multi-step approach. Use ultra-fast scanners like masscan to find open ports, then feed those results into nmap for deep analysis. This is far more efficient than running a full nmap scan from the start.

• Step 1: Fast Initial Port Scan:

  • Purpose: Quickly identify open ports across large IP ranges.

  • Tools:

# Masscan (Fastest)
# Finds open ports and saves them to a list.
masscan -p1-6553d5 --rate=100000 -iL targets.txt --output-format list -oG masscan.grep
        
# Nmap (Fast Mode)
sudo nmap -sS --top-ports 1000 -T4 --min-rate 1000 -iL targets.txt -oA scan_fast

• Step 2: Detailed Service & Script Scan (On Discovered Ports):

  • Purpose: This is the main enumeration scan. It runs version detection, default scripts, and OS detection on the specific ports you found open.

  • Tool:

# Nmap is the best tool for this job.
# Use the port list from Masscan or the fast Nmap scan.
# --open: Only scan ports reported as open.
sudo nmap -sV -sC -O -p<PORTS> --open <target> -oA scan_detailed

• Step 3: UDP Scan (As Needed):

  • Purpose: UDP is slow to scan. Only run this if you suspect key UDP services are in use (e.g., DNS, SNMP, Kerberos).

  • Tool:

# Nmap is the standard for UDP scanning.
sudo nmap -sU -sV --top-ports 50 <target> -oA scan_udp

Phase 3: Service-Specific Enumeration (Deep Dive)

Strategy: Now that you have a list of open ports and versions, attack each service with specialised tools and scripts. Always check for anonymous/guest access and known misconfigurations first.

Authentication & Directory Services

• LDAP (389, 636):

  • Tools: nmap, ldapsearch

# Nmap (Safe enumeration)
sudo nmap -p 389,636 --script "ldap* and not brute" <target>
# ldapsearch (Manual query)
ldapsearch -x -h <target> -s base namingcontexts

• Kerberos (88):

  • Tools: nmap, kerbrute, impacket-GetNPUsers

# Nmap (Username enumeration)
sudo nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN'" <target>
# Kerbrute (Faster username enumeration)
kerbrute userenum --dc <target> -d DOMAIN users.txt

• SMB (139, 445):

  • Tools: crackmapexec, enum4linux-ng, smbclient, smbmap

# 1. Initial check for null sessions and shares (fast)
crackmapexec smb <target> -u '' -p '' --shares
# 2. Deep enumeration (slower, more comprehensive)
enum4linux-ng -A <target>
# 3. Nmap vulnerability scan
sudo nmap -p 139,445 --script="smb-enum-*,smb-vuln*" <target>

Remote Access & Management

• SSH (22):

  • Tools: nmap, ssh-audit

# Nmap (Get host key, auth methods, algorithms)
sudo nmap -p 22 --script=ssh-hostkey,ssh-auth-methods,ssh2-enum-algos <target>
# ssh-audit (Check for weak crypto)
ssh-audit <target>

• RDP (3389):

  • Tools: nmap, xfreerdp

# Nmap (Check for vulnerabilities and encryption)
sudo nmap -p 3389 --script=rdp-ntlm-info,rdp-enum-encryption,rdp-vuln-ms12-020 <target>
# xfreerdp (Attempt to connect)
xfreerdp /v:<target>   
## WinRM (5985, 5986):
## Tools: `nmap`, `evil-winrm`
sudo nmap -p 5985,5986 --script=http-winrm-info,wsman-info <target>
evil-winrm -i <target> -u <user> -p <pass>

• VNC (5900):

  • Tools: nmap

# Check for weak authentication and gather screen information
nmap -p 5900 --script=vnc-info,vnc-title <target>

File Transfer & Sharing

• FTP (21):

  • Tools: nmap, ftp (client)

# Nmap (Check for anon login and backdoors)
sudo nmap -p 21 --script "ftp* and not brute" <target>
# Manual connection test
ftp <target> # User: anonymous, Pass: anonymous

• NFS (2049):

  • Tools: nmap, showmount

# Nmap (List shares)
sudo nmap -p 2049 --script=nfs-showmount,nfs-ls <target>
# showmount (Native tool)
showmount -e <target>

• RSync (873):

  • Tools: nmap, rsync

# Nmap (Check for unauthenticated modules)
sudo nmap -p 873 --script=rsync-list-modules <target>
# rsync (Attempt to list a module)
rsync rsync://<target>/

Web & Application Services (Expanded)

Strategy: Web enumeration is a deep discipline. Start with fingerprinting to understand the technology stack. Then, aggressively search for hidden content. Finally, scan for common vulnerabilities based on your findings.

• Step 1: Initial Recon & Fingerprinting:

  • Purpose: Identify web server software, frameworks, and technologies. Manually inspect headers and source code.

  • Tools:

# whatweb (Best for identifying technologies)
whatweb http://<target>
        
# curl (Inspect headers)
curl -I -s http://<target>
        
# Nmap (Get title, headers, and run basic scripts)
sudo nmap -p 80,443 --script=http-title,http-server-header,http-sitemap-generator <target>
        
# Netcat (Grab a simple banner)
nc <target> 80
# > GET / HTTP/1.1
# > Host: <target>

• Step 2: Content Discovery (Directory & Subdomain Fuzzing):

  • Purpose: Find hidden pages, directories, API endpoints, and virtual hosts.

  • Tools:

# ffuf (Fastest for directory/subdomain fuzzing)
sudo ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://<target>/FUZZ -fc 404
        
# gobuster (Popular alternative for directories)
sudo gobuster dir -u http://<target> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
        
# wfuzz (Highly versatile fuzzer for parameters, etc.)
sudo wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --hc 404 http://<target>/FUZZ

• Step 3: CMS & Framework Specific Scanning:

  • Purpose: Use specialised tools if a specific CMS like WordPress is identified.

  • Tools:

# wpscan (WordPress scanner)
# --enumerate u (users), ap (all plugins), at (all themes)
wpscan --url http://<target> --enumerate u,ap,at --api-token <YOUR_API_TOKEN>

• Step 4: Automated Vulnerability Scanning:

  • Purpose: Scan for common vulnerabilities like SQLi, XSS, and misconfigurations.

  • Tools:

# Nuclei (Modern, fast, template-based scanner)
sudo nuclei -u http://<target>
        
# Nikto (Classic web server misconfiguration scanner)
nikto -h http://<target>
        
# sqlmap (The go-to tool for detecting and exploiting SQL injection)
# Crawl the site and test all forms
sqlmap -u "http://<target>" --crawl=1 --forms --batch
        
# Nmap (Web vulnerability scripts)
sudo nmap -p 80,443 --script http-vuln* <target>

• Step 5: Manual Interaction & Data Transfer:

  • Purpose: Download files for offline analysis or interact with the server manually.

  • Tools:

# wget (Recursive download of a website)
wget --recursive --no-parent http://<target>/
        
# curl (Download a specific file)
curl -o output.html http://<target>/index.html

Databases

• MySQL (3306), MSSQL (1433), PostgreSQL (5432):

  • Tools: nmap, native clients (mysql, sqlcmd, psql)

# Nmap (Safe info gathering)
sudo nmap -p 3306 --script "mysql* and not brute" <target>
sudo nmap -p 1433 --script "ms-sql* and not brute" <target>
sudo nmap -p 5432 --script "pgsql* and not brute" <target>

• Redis (6379) & Elasticsearch (9200):

  • Tools: nmap

# Check for unauthenticated access and grab server info
sudo nmap -p 6379 --script=redis-info <target>
sudo nmap -p 9200 --script=http-elasticsearch-info <target>

Core Network Services

• DNS (53):

  • Tools: nmap, dig, dnsrecon

# Nmap (Check for zone transfers, recursion)by fingerprinting the technology stack to understand it
sudo nmap -p 53 --script dns-zone-transfer,dns-recursion,dns-nsid <target>
# Dig (Manual zone transfer attempt)
dig axfr @<target> <domain>

• SNMP (UDP 161):

  • Tools: nmap, snmpwalk, snmp-check

# Nmap (Enumerate with 'public' community string)
sudo nmap -sU -p 161 --script "snmp* and not brute" <target>
# snmp-check (Comprehensive enumeration)
snmp-check -t 8 <target>

• SMTP (25, 465, 587):

  • Tools: nmap, netcat

# Nmap (Enumerate users and check for open relay)
sudo nmap -p 25,465,587 --script=smtp-commands,smtp-enum-users,smtp-open-relay <target>

Phase 4: Strategic Scans & Workflows

Strategy: Combine the phases into repeatable workflows for different scenarios.

• External Pentest Workflow (Stealthy -> Detailed):

1. sudo nmap -sn -PS80,443 -PA22 <target_range> -oA external_hosts
2. masscan -p1-65535 --rate=5000 -iL external_hosts.nmap -oG masscan.grep
3. Extract IPs and ports from `masscan.grep`
4. sudo nmap -sV -sC -O -p<PORTS> -iL <targets_with_open_ports> -oA external_detailed
5. Begin deep enumeration from Phase 3 on discovered services

• Internal Pentest Workflow (Fast & Comprehensive):

1. sudo nmap -sn -PR <target_range> -oA internal_hosts
2. sudo nmap -sS --top-ports 1000 -T4 --min-rate 1000 -iL internal_hosts.nmap -oA internal_fast_scan
3. sudo nmap -sV -sC -O --script="smb-enum-*,smb-vuln*,vuln" -iL internal_hosts.nmap -oA internal_full_enum
4. Use tools like `crackmapexec` and `enum4linux-ng` on discovered Windows hosts.