Enumeration Cheat Sheet for the 25 most used protocols: From DNS to ElasticSearch

Enumeration is critical to pass the OSCP or when performing a pentest. Learn how to do it properly.

#1: DNS Enumeration

nmap -T4 -sS -p 53 $IP/24

Enumerate ALL DNS records: they may reveal hidden hosts during network recon.

dig -t all target1 target2 target3 @$DNSSERVER

DNS recon (brute-force subdomains):

dnsrecon -d $IP -t brt -D /usr/share/wordlists/dnsmap.txt
dnsenum $DOMAIN
fierce -dns $DOMAIN -wordlist dictionary.txt

Wordlists: https://github.com/rbsec/dnscan

DNS zone transfer

perl fierce.pl -dns $DOMAIN. -search $HOST
dnsrecon -d $DOMAIN -t axfr

#2: NetBIOS Enumeration

nbtscan -r $IP/24
enum4linux -a $IP
nmblookup -A $IP

#3: SMB / SAMBA Enumeration

nmap --script smb-os-discovery --open -p 139 $IP
nmap --script smb-os-discovery -p 139 --open $IP/24 -oX smb.xml
smbmap.py -H $IP
smbmap.py -H $IP -u Guest -R
smbmap.py -H $IP --upload $FILE $SHARE

Recursive download:

smbget -a smb://$IP/$FILE -R

Enumerate Users:

python /usr/share/doc/python-impacket-doc/examples/samrdump.py $IP

Enumerate shares:

crackmapexec --shares $IP/24

To list shares:

smbclient -L $IP


smbmap -H $IP

To connect to a share (shell style):

smbclient //$IP/wwwroot

#4: RPC over DC Enumeration

Also known as Null Sessions.

rpcclient -U "" -c enumdomusers $IP
rpcclient -U "" $IP -N -c "lsaquery"
rpcclient -U "" $IP -N -c "lookupnames Guest"
rpcclient -U "" $IP -N -c "lookupnames Administrator"

Afterwards check https://github.com/trustedsec/ridenum.git

#5: RPC Enumeration

Look for port 111 (rpcbind):

rpcinfo $IP
rpcinfo -p $IP

#6: Operating System (OS) Enumeration

xprobe2 $IP
nmap -O $IP

#7: Windows Server Domain Controllers (DC) Enumeration

nmap -sS -T4 -p 3268 --open $IP/24

How to recognize a DC in a Windows environment:

DC Method 1: NetBIOS

If port 137 (TCP/UDP) is open, a DC registers the following NetBIOS name suffixes:

  • For unique names: <1B> Domain Master Browser (PDC)

  • For group names: <1C> Domain Controllers for a domain
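As an added example (not part of the original sheet), a small Python parser over constructed `nmblookup -A` output that flags the two DC-only suffixes above; run over a subnet's name tables it gives a quick inventory of hosts claiming a DC role, so an unexpected one stands out.

```python
import re
from typing import Dict, List

# One status line of `nmblookup -A` output:  NAME  <suffix> - [<GROUP>] B <ACTIVE>
_STATUS_LINE = re.compile(
    r"^\s*(?P<name>\S+)\s+<(?P<suffix>[0-9a-fA-F]{2})>\s+-\s+(?P<group><GROUP>)?\s*B\s+<ACTIVE>"
)

# NetBIOS suffixes that only a domain controller registers (from the sheet above).
DC_SUFFIXES = {
    ("1B", False): "Domain Master Browser (PDC)",     # unique name
    ("1C", True): "Domain Controllers for a domain",  # group name
}

def parse_nmblookup(output: str) -> List[dict]:
    """Return one record per registered NetBIOS name in an `nmblookup -A` dump."""
    records = []
    for line in output.splitlines():
        m = _STATUS_LINE.match(line)
        if m:
            records.append({"name": m.group("name"), "suffix": m.group("suffix").upper(),
                            "group": m.group("group") is not None})
    return records

def dc_roles(output: str) -> Dict[str, str]:
    """Map each DC-only name<suffix> in the dump to its meaning; an empty dict means no DC role."""
    roles = {}
    for rec in parse_nmblookup(output):
        key = (rec["suffix"], rec["group"])
        if key in DC_SUFFIXES:
            roles[f"{rec['name']}<{rec['suffix']}>"] = DC_SUFFIXES[key]
    return roles

# Constructed sample of a DC's name table (not captured from a real host).
SAMPLE_DC = """Looking up status of 10.0.0.5
\tCORP-DC1        <00> -         B <ACTIVE>
\tCORP            <00> - <GROUP> B <ACTIVE>
\tCORP            <1c> - <GROUP> B <ACTIVE>
\tCORP-DC1        <20> -         B <ACTIVE>
\tCORP            <1b> -         B <ACTIVE>
\tCORP            <1e> - <GROUP> B <ACTIVE>

\tMAC Address = 00-00-00-00-00-00
"""

if __name__ == "__main__":
    print(dc_roles(SAMPLE_DC))
```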

DC Method 2: Global Catalog Service

  • Use nmap

  • An Active Directory server opens ports 3268 and 3269 (SSL) for the Global Catalog Service (LDAP protocol).

  • Attention: the LDAP protocol itself uses 389 and 636 (SSL).

DC Method #3

From the Windows machine:

echo %logonserver%
nltest /dclist:$DOMAIN

DC Method #4

msf> use post/windows/gather/enum_domain
msf> set SESSION 1
msf> run

#8: HTTP Enumeration

The following tools enumerate paths and files on web servers; they work much like a web crawler or web spider.

nmap --open -sV -p 80,8080,443,8000 -O $IP/24

Virtual domains

nmap --open --script=hostmap -p 80 $IP

TRACE method:

nmap --open --script=http-trace -p 80 $IP

Enumerate userdir:

nmap --open --script=http-userdir-enum $IP

Nikto scanner:

nikto -host http://$IP

Dirb scanner:

dirb http://$IP

For WordPress (wpscan):

docker pull wpscanteam/wpscan
docker run -it --rm wpscanteam/wpscan --stealthy --url https://$DOMAIN/
docker run -it --rm wpscanteam/wpscan --url https://$DOMAIN/ --enumerate u

For Joomla:

joomscan http://$IP

Gobuster (https://github.com/OJ/gobuster):

gobuster -u https://$DOMAIN -w /usr/share/dirb/wordlists/common.txt
gobuster -u https://$DOMAIN -c 'session=123456' -t 50 -w /usr/share/dirb/wordlists/common.txt -x .php,.html

Use the -k flag to skip certificate verification in an HTTPS session.

#9: WebDAV Enumeration

davtest -cleanup -url http://$IP
cadaver http://$IP
    dav:/> put webshell.txt
    dav:/> copy webshell.txt ws.asp

#10: SNMP Enumeration

nmap -p 161 --script snmp-enum $IP
snmp-check $IP

Very useful:

snmp-check -v2c -c public $IP
python /usr/share/doc/python-impacket-doc/examples/samrdump.py SNMP $IP
onesixtyone -w 0 $IP

For scanning:

onesixtyone -c $COMMUNITY -i $IP_LIST_FILE

For low-level enumeration (MIB walk):

snmpwalk -c public -v1 $IP

SNMP on different port:

snmpwalk -v 2c -c public $IP:666
snmp-check -p 6492 $IP

#11: LDAP Enumeration

ldapsearch -H ldap://$IP/
ldapsearch -x -h $IP -s base

#12: SSH Enumeration

nmap --script ssh-hostkey -p 22 --open -sS $IP/24
ssh-keyscan $IP
./TOOLS/ssh-vulnkey $IP TOOLS/ssh-blacklist/blacklist.all

#13: FTP Enumeration

nmap --script=ftp* $IP

#14: SMTP Enumeration

nmap --open --script smtp-enum-users -sS -p 25 -sV $IP/24

#15: TFTP Enumeration

nmap --open -sU -p 69 $IP/24

#16: NFS Enumeration

showmount -e $IP
showmount -a $IP
mount.nfs $IP:$DIR $LOCALDIR

#17: NTP Enumeration

Show clients that have queried this server:

ntpdc -n -c monlist $IP
nmap -sU -p 123 --script=ntp-info $IP

#18: SSL/TLS Enumeration

sslscan $IP
nmap -sV --script ssl-enum-ciphers -p 443 $IP

#19: Redis-server Enumeration

(printf "info\r\n"; sleep 1) | netcat $IP 6379

#20: SSDP server Enumeration

tcpdump -n -A host $IP & perl -e 'print "M-SEARCH * HTTP/1.1\r\nHost:\r\nST:upnp:rootdevice\r\nMan:\"ssdp:discover\"\r\nMX:3\r\n\r\n"' > /dev/udp/$IP/1900
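An added Python example, not from the original sheet, that builds the same kind of M-SEARCH datagram as the perl one-liner and parses a constructed reply; SERVER and LOCATION are the fields worth recording in an asset inventory of UPnP-exposing hosts.

```python
from typing import Dict

def build_msearch(st: str = "upnp:rootdevice", mx: int = 3, host: str = "239.255.255.250:1900") -> bytes:
    """Build an SSDP M-SEARCH datagram (HTTP-like headers, CRLF terminated, blank line at the end)."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {host}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def parse_ssdp_response(datagram: bytes) -> Dict[str, str]:
    """Parse an SSDP reply (HTTP/1.1 200 OK + headers) into an upper-cased header dict."""
    text = datagram.decode("utf-8", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        raise ValueError(f"unexpected status line: {status!r}")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")  # split on the first colon only (LOCATION holds a URL)
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers

# Constructed sample reply (not captured from a real device).
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://10.0.0.20:49152/description.xml\r\n"
    b"SERVER: Linux/4.4 UPnP/1.0 ExampleDLNA/1.0\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(build_msearch().decode())
    hdrs = parse_ssdp_response(SAMPLE_REPLY)
    print("server  :", hdrs["SERVER"])
    print("location:", hdrs["LOCATION"])
```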

#21: Avahi-daemon / mDNS Enumeration

dig +short -p 5353 -t ptr _services._dns-sd._udp.local @$IP

#22: Mongo Enumeration

mongo --host $IP

#23: RDP Enumeration

Use rdp-sec-check tool: https://github.com/portcullislabs/rdp-sec-check/blob/master/rdp-sec-check.pl

#24: Memcached Enumeration

echo "stats" | netcat $IP 11211
echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | netcat -u $IP 11211
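To make the bytes of the UDP command explicit, an added Python example (not the sheet's own code) that builds the 8-byte memcached UDP header, reassembles a constructed multi-datagram reply that arrives out of order, and reads the STAT lines; since memcached 1.5.6 the UDP listener is off by default, so any reply at all is a finding worth recording.

```python
import struct
from typing import Dict, List

HEADER = struct.Struct(">HHHH")  # request id, sequence number, total datagrams, reserved (big-endian)

def build_udp_frame(command: bytes, request_id: int = 0) -> bytes:
    """Wrap a text command in the memcached UDP header; a request is always a single datagram."""
    return HEADER.pack(request_id, 0, 1, 0) + command

def parse_udp_frame(datagram: bytes) -> Dict[str, object]:
    """Split one datagram into its header fields and payload."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than the 8-byte memcached UDP header")
    request_id, seq, total, _reserved = HEADER.unpack_from(datagram)
    return {"request_id": request_id, "seq": seq, "total": total, "payload": datagram[HEADER.size:]}

def reassemble(datagrams: List[bytes], request_id: int = 0) -> bytes:
    """Reorder a multi-datagram reply by sequence number; frames for other request ids are ignored."""
    frames = [parse_udp_frame(d) for d in datagrams]
    frames = [f for f in frames if f["request_id"] == request_id]
    if not frames:
        raise ValueError("no frames for request id %d" % request_id)
    total = frames[0]["total"]
    seen = {f["seq"]: f["payload"] for f in frames}
    if set(seen) != set(range(total)):
        raise ValueError(f"missing datagrams: have {sorted(seen)}, need {total}")
    return b"".join(seen[i] for i in range(total))

def stats_to_dict(payload: bytes) -> Dict[str, str]:
    """Turn 'STAT key value' lines into a dict; stops at END."""
    stats = {}
    for line in payload.decode("ascii", errors="replace").splitlines():
        if line == "END":
            break
        if line.startswith("STAT "):
            _, key, value = line.split(" ", 2)
            stats[key] = value
    return stats

# Constructed reply split over two datagrams that arrive out of order (not captured from a real server).
SAMPLE_REPLY = [
    HEADER.pack(0, 1, 2, 0) + b"STAT curr_connections 3\r\nEND\r\n",
    HEADER.pack(0, 0, 2, 0) + b"STAT pid 1234\r\nSTAT version 1.5.22\r\n",
]

if __name__ == "__main__":
    print(build_udp_frame(b"stats\r\n"))  # same bytes as the echo -en command above
    print(stats_to_dict(reassemble(SAMPLE_REPLY)))
```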

#25: Elasticsearch Enumeration

echo -ne "GET / HTTP/1.0\r\n\r\n" | netcat $IP 9200
