Basic Enumeration

Host Enumeration

Live host enumeration with cmd.exe

for /L %i in (1,1,255) do @ping -n 1 10.10.10.%i | find "TTL="

Hostname enumeration with host (Linux)

Uses DNS reverse lookups to find hostnames for IP in a range. In this example it will scan the subnet 10.10.10.0/24.

for ip in $(seq 1 254); do host 10.10.10.$ip; done | grep -v "not found"

Port Scanning

Nmap

A basic bash script for doing enumeration based on a list of IPs gathered from a ping sweep of a network.

#!/bin/bash
nmap -sn -oN ip_list 192.168.1.0/24
cat ip_list | while read ip
do
nmap -sCV -p- -vvv -oA $ip.map $ip
done

The options I regularly use are:

Flag

Purpose

-p-

A shortcut which tells nmap to scan all ports

-vvv

Gives very verbose output so I can see the results as they are found, and also includes some information not normally shown

-sC

Equivalent to --script=default and runs a collection of nmap enumeration scripts against the target

-sV

Does a service version scan

-oA $name

Saves all three formats (standard, greppable, and XML) of output with a filename of $name

NmapAutomator

NmapAutomator by @21y4d (https://github.com/21y4d/nmapAutomator) is a great tool for automating your basic enumeration. I highly recommend learning how to do it manually so you know what is happening behind the scenes. Very noisy tool. Best for CTF-type environments and not real Red Team engagements.

Port scanning with netcat

Not recommended to scan all ports as it will take a very long time. Better to use this for targeted scans of a few ports, and only when better tools are not available.

TCP:

nc -n -vv -w 1 -z $ip 1-65535 | grep "open"

UDP:

nc -n -v -u -z -w 1 $ip 1-65535 | grep "open"

Masscan

https://github.com/robertdavidgraham/masscan

Masscan is an incredibly fast network scanner. Using this to find open ports, then sending the results to nmap to do a more thorough enumeration could speed things up. Masscan requires sudo privileges to run.

sudo masscan -p 0-65535 10.10.10.0/24 --rate=1000

SMB/Samba

NetBIOS

sudo nbtscan -r 10.10.10.0/24

Does a NBT name scan using source port 137 (-r).

Last updated

Was this helpful?