Basic Enumeration
Hack Responsibly.
Always ensure you have explicit permission to access any computer system before using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
Host Enumeration
Live host enumeration with cmd.exe
Hostname enumeration with host (Linux)
Uses DNS reverse lookups to find hostnames for each IP in a range. In this example it will scan the subnet 10.10.10.0/24. Only hosts for which the DNS server holds a PTR record are named, so an address with no answer is not necessarily down; it just has no reverse record.
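The ping sweep and the reverse-lookup loop described above, written for a Linux shell rather than cmd.exe, as an added example that is not the original page's code. The /24 prefix 10.10.10 and the output file name are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the page's own commands: a Linux ping sweep of a /24 and
# reverse DNS lookups with host(1). The prefix 10.10.10 is an assumption.
set -u

# Expand a /24 prefix such as "10.10.10" into its 254 host addresses.
gen_hosts() {
    local prefix=$1 i
    for i in $(seq 1 254); do
        printf '%s.%s\n' "$prefix" "$i"
    done
}

# Ping every address once, in parallel, and print the ones that answer.
# -c 1 sends one echo request, -W 1 waits one second for the reply (iputils).
# Hosts that drop ICMP are missed; confirm with a TCP scan when in doubt.
ping_sweep() {
    local prefix=$1
    gen_hosts "$prefix" | {
        while read -r ip; do
            ( ping -c 1 -W 1 "$ip" >/dev/null 2>&1 && echo "$ip" ) &
        done
        wait
    } | sort -t. -k4,4n
}

# Reduce one line of host(1) output to the PTR name, or "-" when there is none.
# Constructed samples of the two shapes host prints for a reverse lookup:
#   10.10.10.10.in-addr.arpa domain name pointer dc01.example.local.
#   Host 10.10.10.11.in-addr.arpa. not found: 3(NXDOMAIN)
parse_ptr() {
    local line=$1 name
    case $line in
        *"domain name pointer "*)
            name=${line##* }            # last word is the target name
            printf '%s\n' "${name%.}"   # drop the trailing dot
            ;;
        *) printf -- '-\n' ;;
    esac
}

# Reverse-resolve every address in the range; prints "ip name" per host.
# Only useful when the DNS server holds PTR records for the subnet.
reverse_lookup() {
    local prefix=$1 ip
    gen_hosts "$prefix" | while read -r ip; do
        printf '%s %s\n' "$ip" "$(parse_ptr "$(host "$ip" 2>&1 | head -n 1)")"
    done
}

# Usage: ./hosts.sh sweep 10.10.10 > live_hosts.txt
#        ./hosts.sh lookup 10.10.10
case "${1:-}" in
    sweep)  ping_sweep "$2" ;;
    lookup) reverse_lookup "$2" ;;
esac
```

The sweep output (one live IP per line) is the list the nmap loop in the next section consumes.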
Port Scanning
Nmap
A basic bash script for doing enumeration based on a list of IPs gathered from a ping sweep of the network.
The options I regularly use are:
| Option | Purpose |
| --- | --- |
| `-p-` | A shortcut which tells nmap to scan all 65535 TCP ports |
| `-vv` | Gives very verbose output so I can see the results as they are found, and also includes some information not normally shown |
| `-sC` | Equivalent to `--script=default` |
| `-sV` | Does a service version scan |
| `-oA <basename>` | Saves all three formats (normal, greppable, and XML) of output with the given basename |
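One way to write the per-host nmap loop the paragraph describes, using exactly the option set in the table, as an added example rather than the script from the original page. The list file name, the output directory and the resume check are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the script from the original page: run the option set
# above against every host in a list (one IP per line, as a ping sweep
# produces), one -oA basename per host, skipping hosts already completed.
# The list file name and output directory are assumptions.
set -u

# nmap arguments for one host: -p- all TCP ports, -vv very verbose, -sC default
# scripts, -sV version detection, -oA normal/greppable/XML under outdir/ip.
scan_args() {
    local ip=$1 outdir=$2
    printf '%s' "-p- -vv -sC -sV -oA $outdir/$ip $ip"
}

# nmap writes the XML output progressively and closes </nmaprun> only when the
# scan finishes, so a complete XML file marks a host as done when resuming.
already_scanned() {
    local ip=$1 outdir=$2
    grep -qs '</nmaprun>' "$outdir/$ip.xml"
}

# Scan every host in the list. Run as root for the default SYN scan;
# unprivileged nmap falls back to a full TCP connect scan (-sT).
run_scans() {
    local list=$1 outdir=$2 ip
    mkdir -p "$outdir"
    while read -r ip; do
        if [ -z "$ip" ]; then continue; fi
        if already_scanned "$ip" "$outdir"; then
            echo "[*] $ip already scanned, skipping"
            continue
        fi
        echo "[*] scanning $ip"
        # shellcheck disable=SC2046  (splitting the argument string is intended)
        nmap $(scan_args "$ip" "$outdir")
    done < "$list"
}

# Usage: ./enum.sh live_hosts.txt scans
if [ $# -eq 2 ]; then
    run_scans "$1" "$2"
fi
```

Because `-p-` against every host is slow, the resume check matters: an interrupted run can be restarted without repeating finished hosts.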
NmapAutomator
NmapAutomator by @21y4d (https://github.com/21y4d/nmapAutomator) is a great tool for automating your basic enumeration. I highly recommend learning how to do it manually so you know what is happening behind the scenes. It is a very noisy tool, so it is best suited to CTF-type environments rather than real red team engagements.
Port scanning with netcat
Scanning all ports with netcat is not recommended, as it probes one port at a time with a full TCP connect and takes a very long time (it also leaves a connection log entry on every service it touches). Use it for targeted scans of a few ports, and only when better tools are not available.
TCP:
UDP:
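The TCP and UDP netcat probes described above, with a filter that keeps only the open ports, as an added example rather than the page's own commands. The host, the port range and the two output formats shown in the comments are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the page's own commands: targeted netcat scans of a few
# ports, TCP and UDP, plus a filter for the "open" lines. Host and ports are
# assumptions.
set -u

# TCP connect scan. -n no DNS, -v verbose (results go to stderr), -z send no
# data, -w 1 one-second timeout per port. Port spec as nc takes it: a single
# port or a range such as 21-25.
nc_tcp_scan() {
    local host=$1 ports=$2
    nc -nvz -w 1 "$host" "$ports" 2>&1
}

# UDP probe with -u. Caveat: UDP has no handshake, so nc reports a port open
# unless an ICMP port-unreachable comes back; "open" really means open|filtered.
nc_udp_scan() {
    local host=$1 ports=$2
    nc -nvzu -w 1 "$host" "$ports" 2>&1
}

# Keep only open ports from either netcat flavour's output. Constructed samples:
#   OpenBSD nc:      Connection to 10.10.10.10 22 port [tcp/ssh] succeeded!
#   traditional nc:  (UNKNOWN) [10.10.10.10] 80 (http) open
# Refused or timed-out ports print "failed" or nothing and are dropped.
parse_nc_open() {
    awk '/succeeded!$/ { print $4 }
         / open$/      { print $3 }' | sort -un
}

# Usage: ./ncscan.sh 10.10.10.10 21-25
if [ $# -eq 2 ]; then
    echo "[*] TCP"; nc_tcp_scan "$1" "$2" | parse_nc_open
    echo "[*] UDP (open|filtered)"; nc_udp_scan "$1" "$2" | parse_nc_open
fi
```

Treat the UDP list as candidates only; a service that never replies to an empty datagram looks identical to a filtered port.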
Masscan
https://github.com/robertdavidgraham/masscan
Masscan is an incredibly fast network scanner. Using it to find open ports, then sending the results to nmap for a more thorough enumeration of just those ports, can speed things up considerably. Masscan requires root (sudo) privileges to run because it sends raw packets, and because it does not retransmit by default, an aggressive --rate on a lossy link will silently miss ports.
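The masscan-then-nmap workflow described above, as an added example that is not the page's own code: a full-port masscan sweep, a parser that collapses its list output to one port list per host, and an nmap follow-up limited to those ports. The target, the rate, the file names and the sample output lines are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the page's own commands: masscan all TCP ports, collapse
# the list output to one port list per host, and hand each to nmap. Target,
# rate and file names are assumptions.
set -u

# -p1-65535 all TCP ports, --rate packets per second (masscan defaults to 100;
# raise it only as far as the link and target tolerate, since masscan does not
# retransmit by default and dropped replies simply go unreported), -oL list
# output. Raw packet sending needs root.
masscan_sweep() {
    local target=$1 out=$2 rate=${3:-1000}
    sudo masscan "$target" -p1-65535 --rate "$rate" -oL "$out"
}

# Collapse masscan -oL output to "ip port,port,..." per host, ports ascending.
# Constructed sample of the -oL format (comment lines start with #):
#   #masscan
#   open tcp 445 10.10.10.10 1700000001
#   open tcp 22 10.10.10.10 1700000000
#   open tcp 80 10.10.10.11 1700000002
#   # end
ports_by_host() {
    awk '$1 == "open" && $2 == "tcp" { print $4, $3 }' "$1" \
      | sort -k1,1 -k2,2n \
      | awk '{
            if (!($1 in p)) { order[++n] = $1; p[$1] = $2 }
            else            { p[$1] = p[$1] "," $2 }
        }
        END { for (i = 1; i <= n; i++) print order[i], p[order[i]] }'
}

# Thorough nmap pass limited to the ports masscan found on each host.
nmap_followup() {
    local list=$1 outdir=$2 ip ports
    mkdir -p "$outdir"
    ports_by_host "$list" | while read -r ip ports; do
        nmap -sC -sV -vv -p "$ports" -oA "$outdir/$ip" "$ip"
    done
}

# Usage: ./masscan2nmap.sh 10.10.10.0/24 masscan.txt scans
if [ $# -eq 3 ]; then
    masscan_sweep "$1" "$2"
    nmap_followup "$2" "$3"
fi
```

The masscan result is a lower bound on the open ports, so on an engagement where completeness matters, follow up with a full `-p-` nmap scan of the hosts that turn out to be interesting.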
SMB/Samba
NetBIOS
Does a NetBIOS (NBT) name scan using source port 137 (`-r`). Binding to a privileged source port requires root, so run it with sudo.
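The NBT name scan above, as an added example that is not the page's own command. It assumes the scanner is nbtscan (the `-r` source-port-137 option is its), that the subnet is 10.10.10.0/24, and that nbtscan's `-s` script output carries the same fields as its default table.

```bash
#!/usr/bin/env bash
# Added example, not the page's own command. Assumes the scanner is nbtscan
# and the subnet is 10.10.10.0/24.
set -u

# -r: send queries from UDP source port 137 (needs root; some old Windows
# hosts only answer queries from that port). -s ,: script-friendly output,
# comma-separated with no headers.
nbt_scan() {
    sudo nbtscan -r -s , "$1" 2>/dev/null
}

# Assumed -s field layout, mirroring the default table: IP, NetBIOS name,
# server flag, logged-on user, MAC. Print "ip name" for hosts flagged as
# servers. Constructed sample line:
#   10.10.10.10,DC01,<server>,<unknown>,00:0c:29:aa:bb:cc
nbt_servers() {
    awk -F, '$3 == "<server>" { print $1, $2 }'
}

# Usage: ./nbt.sh 10.10.10.0/24
if [ $# -eq 1 ]; then
    nbt_scan "$1" | nbt_servers
fi
```

Hosts flagged as servers are the ones worth following up with SMB share and null-session enumeration.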