🥷 Enumeration Cheat Sheet for the 25 most used protocols: From DNS to ElasticSearch
Enumeration is critical to pass the OSCP or when performing a pentest. Learn how to do it properly.
#1: DNS Enumeration
nmap -T4 -sS -p 53 $IP/24
Enumerate ALL DNS records: they may reveal hidden hosts during network recon.
dig -t any target1 target2 target3 @$DNSSERVER
DNS recon (brute force subdomains):
dnsrecon -d $DOMAIN -t brt -D /usr/share/wordlists/dnsmap.txt
dnsenum $DOMAIN
fierce -dns $DOMAIN -wordlist dictionary.txt
Wordlists: https://github.com/rbsec/dnscan
DNS zone transfer
host -la $DOMAIN. $DNSSERVER
perl fierce.pl -dns $DOMAIN. -search $HOST
dig axfr $TARGET @$DNSSERVER
dnsrecon -d $DOMAIN -t axfr
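The defender's side of the zone-transfer commands above is spotting transfers the server should not have served. The following Python is an added example, not part of the original cheat sheet: it parses BIND 9 query-log lines (the sample lines are constructed, and the allowed secondary list is an assumption) and reports AXFR/IXFR requests from hosts that are not authorized secondaries.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed BIND 9 query-log lines (not real traffic). The format follows
# "client [@ptr] <addr>#<port> (<qname>): query: <qname> <class> <type> <flags> (<server>)".
SAMPLE_QUERY_LOG = """\
client @0x7f3c5c0a1e20 10.0.0.7#41231 (corp.example): query: corp.example IN AXFR -E(0)T (10.0.0.2)
client @0x7f3c5c0a1e20 10.0.0.20#53012 (corp.example): query: corp.example IN IXFR -T (10.0.0.2)
client @0x7f3c5c0a1e20 10.0.0.7#41877 (www.corp.example): query: www.corp.example IN A -E(0) (10.0.0.2)
client @0x7f3c5c0a1e20 198.51.100.23#60001 (corp.example): query: corp.example IN AXFR -T (10.0.0.2)
"""

# Assumption for the example: only this secondary is allowed to pull the zone.
ALLOWED_TRANSFER_SOURCES = [ip_network("10.0.0.20/32")]

QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): query: (?P<name>\S+) (?P<class>\S+) (?P<type>\S+)"
)


def parse_query_line(line):
    """Extract source address, queried name and query type from one query-log line."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return {"src": m.group("src"), "qname": m.group("name"), "qtype": m.group("type").upper()}


def find_unauthorized_transfers(log_text, allowed=ALLOWED_TRANSFER_SOURCES):
    """Return (source, zone, type) for every AXFR/IXFR not coming from an allowed secondary."""
    hits = []
    for line in log_text.splitlines():
        q = parse_query_line(line)
        if q is None or q["qtype"] not in ("AXFR", "IXFR"):
            continue
        src = ip_address(q["src"])
        if not any(src in net for net in allowed):
            hits.append((q["src"], q["qname"], q["qtype"]))
    return hits


if __name__ == "__main__":
    for src, zone, qtype in find_unauthorized_transfers(SAMPLE_QUERY_LOG):
        print(f"unauthorized {qtype} of {zone} from {src}")
```

A hit means either the `allow-transfer` ACL on the server is wider than the secondary list or someone is probing for transfers; in both cases the fix is the ACL (plus TSIG between primary and secondaries), and this report tells you which zone to check first.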
#2: NetBIOS Enumeration
nbtscan -r $IP/24
enum4linux -a $IP
nmblookup -A $IP
#3: SMB / SAMBA Enumeration
nmap --script smb-os-discovery --open -p 139 $IP
nmap --script smb-os-discovery -p 139 --open $IP/24 -oX smb.xml
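The `-oX smb.xml` scan above is only useful once its XML is turned into an inventory. The following Python is an added example, not code from the original cheat sheet: it reads nmap's XML output, keeps hosts with an open SMB port, merges in the structured `smb-os-discovery` fields (`os`, `fqdn`, `domain_dns`, `workgroup`) and flags hosts that answered on SMB without identifying themselves. The embedded XML is a constructed sample in the shape of real nmap output, not a scan result.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample in the shape of "nmap -oX" output (not a real scan result).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap --script smb-os-discovery -p 139 --open 10.0.0.0/24 -oX smb.xml">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
    </ports>
    <hostscript>
      <script id="smb-os-discovery" output="OS: Windows Server 2008 R2 (constructed)">
        <elem key="os">Windows Server 2008 R2 Standard 7601 Service Pack 1</elem>
        <elem key="fqdn">dc01.corp.example</elem>
        <elem key="domain_dns">corp.example</elem>
        <elem key="workgroup">CORP</elem>
      </script>
    </hostscript>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.12" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="filtered"/></port>
    </ports>
  </host>
</nmaprun>
"""

FIELDS = ["addr", "ports", "os", "fqdn", "domain_dns", "workgroup"]


def smb_inventory(xml_text, smb_ports=("139", "445")):
    """One record per host with an open SMB port, merged with smb-os-discovery fields."""
    root = ET.fromstring(xml_text)
    records = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        open_ports = [
            p.get("portid")
            for p in host.iter("port")
            if p.get("portid") in smb_ports
            and p.find("state") is not None
            and p.find("state").get("state") == "open"
        ]
        if not open_ports:
            continue
        rec = {f: None for f in FIELDS}
        rec["addr"], rec["ports"] = addr_el.get("addr"), open_ports
        script = host.find("hostscript/script[@id='smb-os-discovery']")
        if script is not None:
            for elem in script.findall("elem"):
                if elem.get("key") in rec:
                    rec[elem.get("key")] = (elem.text or "").strip()
        records.append(rec)
    return records


def unidentified_hosts(records):
    """Hosts that answered on SMB but returned no OS banner deserve a second look."""
    return [r["addr"] for r in records if not r["os"]]


def inventory_csv(records):
    """Render the inventory as CSV text for a spreadsheet or ticket."""
    out = io.StringIO()
    w = csv.DictWriter(out, fieldnames=FIELDS)
    w.writeheader()
    for r in records:
        w.writerow({**r, "ports": " ".join(r["ports"])})
    return out.getvalue()


if __name__ == "__main__":
    inv = smb_inventory(SAMPLE_NMAP_XML)
    print(inventory_csv(inv))
    print("no OS banner:", unidentified_hosts(inv))
```

Run it against a real `smb.xml` by replacing `SAMPLE_NMAP_XML` with the file contents; hosts that are missing from the inventory but should have SMB, or present but unknown to the asset list, are the findings.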
smbmap.py -H $IP
smbmap.py -H $IP -u Guest -R
smbmap.py -H $IP --upload $FILE $SHARE
Recursive download:
smbget -a smb://$IP/$FILE -R
Enumerate Users:
python /usr/share/doc/python-impacket-doc/examples/samrdump.py $IP
Enumerate shares:
crackmapexec smb $IP/24 --shares
To list shares:
smbclient -L $IP
or,
smbmap -H $IP
To connect to a share (shell style):
smbclient //$IP/wwwroot
#4: RPC over DC Enumeration
Also known as null-session enumeration (anonymous bind, empty user and password).
rpcclient -U "" -N $IP -c enumdomusers
rpcclient -U "" $IP -N -c "lsaquery"
rpcclient -U "" $IP -N -c "lookupnames Guest"
rpcclient -U "" $IP -N -c "lookupnames Administrator"
Afterwards check https://github.com/trustedsec/ridenum.git
#5: RPC Enumeration
Look for port 111 rpcbind
rpcinfo $IP
rpcinfo -p $IP
#6: Operating System (OS) Enumeration
xprobe2 $IP
nmap -O $IP
#7: Windows Server Domain Controllers (DC) Enumeration
nmap -sS -T4 -p 3268 --open $IP/24
How to recognize a DC in a Windows environment
DC Method 1: NetBIOS
If port 137 (TCP/UDP) is open, a DC registers the following NetBIOS name suffixes:
For unique names: <1B> Domain Master Browser (PDC)
For group names: <1C> Domain Controllers for a domain
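The <1B> and <1C> markers above are the 16th byte of a NetBIOS name, which the wire protocol hides behind "first-level encoding" (each byte split into two nibbles, each nibble added to 'A'). The following Python is an added example, not part of the original cheat sheet: it encodes and decodes that format and maps the suffix byte to its well-known role, so a name seen in a capture or a name-service log can be read without a lookup table. The suffix table holds only values I am certain of; the example name WORKGROUP is constructed.

```python
# Well-known NetBIOS suffixes (16th byte of the name). <1B>/<1C> are the DC markers.
NETBIOS_SUFFIXES = {
    0x00: "Workstation Service (unique) / Domain Name (group)",
    0x03: "Messenger Service",
    0x1B: "Domain Master Browser (PDC)",
    0x1C: "Domain Controllers (group)",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections (group)",
    0x20: "File Server Service",
}


def encode_netbios_name(name, suffix):
    """First-level encoding: pad name to 15 bytes, append the suffix byte,
    then emit each byte as two characters: 'A' + high nibble, 'A' + low nibble."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    out = []
    for b in raw:
        out.append(chr(0x41 + (b >> 4)))
        out.append(chr(0x41 + (b & 0x0F)))
    return "".join(out)


def decode_netbios_name(encoded):
    """Reverse of encode_netbios_name: returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("first-level encoded NetBIOS names are exactly 32 characters")
    raw = bytearray()
    for hi, lo in zip(encoded[0::2], encoded[1::2]):
        h, l = ord(hi) - 0x41, ord(lo) - 0x41
        if not (0 <= h <= 15 and 0 <= l <= 15):
            raise ValueError("character outside the A..P encoding alphabet")
        raw.append((h << 4) | l)
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def describe(encoded):
    """(name, suffix, role) for an encoded name; unknown suffixes are reported as such."""
    name, suffix = decode_netbios_name(encoded)
    return name, suffix, NETBIOS_SUFFIXES.get(suffix, "unknown")


def is_domain_controller_name(encoded):
    """True for the two registrations a DC makes: <1B> (unique) and <1C> (group)."""
    return decode_netbios_name(encoded)[1] in (0x1B, 0x1C)


if __name__ == "__main__":
    enc = encode_netbios_name("WORKGROUP", 0x1C)  # constructed example name
    print(enc, describe(enc), is_domain_controller_name(enc))
```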
DC Method 2: Global Catalog Service
Use nmap:
An Active Directory server opens ports 3268 and 3269 (SSL) for the Global Catalog service (LDAP protocol).
Attention: plain LDAP uses ports 389 and 636 (SSL).
DC Method 3
From the Windows machine:
echo %logonserver%
nltest /dclist:$DOMAIN
DC Method 4
msf> use post/windows/gather/enum_domain
msf> set SESSION 1
msf> run
#8: HTTP Enumeration
The following tools are useful for enumerating paths and files on web servers; they operate in a similar way to a web crawler or spider.
nmap --open -sV -p 80,8080,443,8000 -O $IP/24
Virtual domains
nmap --open --script "hostmap*" -p 80 $IP
TRACE method:
nmap --open --script=http-trace -p 80 $IP
Enumerate userdir:
nmap --open --script=http-userdir-enum $IP
Nikto scanner:
nikto -host http://$IP
Dirb scanner:
dirb http://$IP
For Wordpress (wpscan):
docker pull wpscanteam/wpscan
docker run -it --rm wpscanteam/wpscan --stealthy --url https://$DOMAIN/
docker run -it --rm wpscanteam/wpscan --url https://$DOMAIN/ --enumerate u
For Joomla:
joomscan -u http://$IP
Gobuster (https://github.com/OJ/gobuster):
gobuster dir -u https://$DOMAIN -w /usr/share/dirb/wordlists/common.txt
gobuster dir -u https://$DOMAIN -c 'session=123456' -t 50 -w /usr/share/dirb/wordlists/common.txt -x .php,.html
Use the -k flag to skip TLS certificate verification on an https target.
#9: WebDAV Enumeration
davtest -cleanup -url http://$IP
cadaver http://$IP
dav:/> put webshell.txt
dav:/> copy webshell.txt ws.asp
#10: SNMP Enumeration
nmap -sU -p 161 --script "snmp-*" $IP
snmp-check $IP
Very useful:
snmp-check -v2c -c public $IP
python /usr/share/doc/python-impacket-doc/examples/samrdump.py $IP
onesixtyone -w 0 $IP
For scanning:
onesixtyone -c $COMMUNITY -i $IP_LIST_FILE
For low-level enumeration (walking the MIB):
snmpwalk -c public -v1 $IP
SNMP on different port:
snmpwalk -v 2c -c public $IP:666
snmp-check -p 6492 $IP
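Every command in this section hands the agent a community string in clear text, which is exactly what a defender can watch for on the wire. The following Python is an added example, not code from the original cheat sheet: a minimal BER parser that pulls the version and community string out of a raw SNMP datagram and classifies it (SNMPv3, default community, or any community-based SNMP). The three datagrams are hand-encoded constructed samples, not captures; the v3 sample is truncated after its header, which is all the check needs.

```python
# Constructed SNMP datagrams (hand-encoded BER, not captures).
# SNMPv2c GetRequest for sysDescr.0 with community "public":
SAMPLE_SNMP_V2C_PUBLIC = bytes.fromhex(
    "3026"                              # SEQUENCE, 38 bytes
    "020101"                            # INTEGER version = 1 (v2c)
    "04067075626c6963"                  # OCTET STRING "public"
    "a019"                              # GetRequest PDU, 25 bytes
    "020101" "020100" "020100"          # request-id, error-status, error-index
    "300e300c06082b060102010101000500"  # varbind list: sysDescr.0 / NULL
)
# Same request as SNMPv1 with community "private":
SAMPLE_SNMP_V1_PRIVATE = bytes.fromhex(
    "3027" "020100" "040770726976617465" "a019"
    "020101" "020100" "020100" "300e300c06082b060102010101000500"
)
# SNMPv3 message header only (version + msgGlobalData), enough for the version check:
SAMPLE_SNMP_V3 = bytes.fromhex("3012" "020103" "300d" "020101" "020205dc" "040104" "020103")

VERSION_NAMES = {0: "1", 1: "2c", 3: "3"}
DEFAULT_COMMUNITIES = {"public", "private"}  # the defaults this cheat sheet tries first


def _read_tlv(buf, pos):
    """Minimal BER TLV reader: (tag, value, next_pos); handles short and long-form lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(datagram):
    """Return {'version': int, 'community': str or None} from a raw SNMP UDP payload."""
    tag, body, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version field missing")
    version = int.from_bytes(ver, "big")
    if version == 3:
        return {"version": 3, "community": None}  # v3 carries USM parameters, no community
    tag, comm, _ = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community string missing")
    return {"version": version, "community": comm.decode("latin-1")}


def classify(datagram):
    """(level, detail) suitable for an alert pipeline."""
    hdr = parse_snmp_header(datagram)
    vname = VERSION_NAMES.get(hdr["version"], str(hdr["version"]))
    if hdr["version"] == 3:
        return ("ok", "SNMPv3 (no community string)")
    if hdr["community"] in DEFAULT_COMMUNITIES:
        return ("alert", f"default community '{hdr['community']}' on SNMPv{vname}")
    return ("warn", f"community-authenticated SNMPv{vname} (credential travels in clear text)")


def scan_datagrams(datagrams):
    """Classify a batch of payloads, skipping anything that is not SNMP."""
    results = []
    for d in datagrams:
        try:
            results.append(classify(d))
        except (ValueError, IndexError):
            results.append(("skip", "not parseable as SNMP"))
    return results


if __name__ == "__main__":
    for r in scan_datagrams([SAMPLE_SNMP_V2C_PUBLIC, SAMPLE_SNMP_V1_PRIVATE, SAMPLE_SNMP_V3, b"junk"]):
        print(r)
```

Feed it UDP/161 payloads from a capture or a sensor; an "alert" means a device still answers (or a client still asks) with a default community, which is the finding to fix by changing the community or moving the agent to SNMPv3.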
#11: LDAP Enumeration
ldapwhoami -x -H ldap://$IP/
ldapsearch -x -H ldap://$IP/ -s base
ldapsearch -x -h $IP -s base
#12: SSH Enumeration
TOOLS/enumSSH
nmap --script ssh-hostkey -p 22 --open -sS $IP/24
ssh-keyscan $IP
./TOOLS/ssh-vulnkey $IP TOOLS/ssh-blacklist/blacklist.all
#13: FTP Enumeration
nmap --script "ftp-*" -p 21 $IP
#14: SMTP Enumeration
nmap --open --script smtp-enum-users -sS -p 25 -sV $IP/24
#15: TFTP Enumeration
nmap --open -sU -p 69 $IP/24
#16: NFS Enumeration
showmount -e $IP
showmount -a $IP
mount.nfs $IP:$DIR $LOCALDIR
#17: NTP Enumeration
Show clients that have queried this server:
ntpdc -n -c monlist $IP
nmap -sU -p 123 --script=ntp-info $IP
#18: SSL/TLS Enumeration
sslscan $IP
nmap -sV --script ssl-enum-ciphers -p 443 $IP
#19: Redis-server Enumeration
(printf "info\r\n"; sleep 1) | netcat $IP 6379
#20: SSDP server Enumeration
tcpdump -n -A host $IP & perl -e 'print "M-SEARCH * HTTP/1.1\r\nHost:239.255.255.250:1900\r\nST:upnp:rootdevice\r\nMan:\"ssdp:discover\"\r\nMX:3\r\n\r\n"' > /dev/udp/$IP/1900
#21: Avahi-daemon / mDNS Enumeration
dig +short -p 5353 -t ptr _services._dns-sd._udp.local @$IP
#22: Mongo Enumeration
mongo --host $IP
#23: RDP Enumeration
Use rdp-sec-check tool: https://github.com/portcullislabs/rdp-sec-check/blob/master/rdp-sec-check.pl
#24: Memcached Enumeration
echo "stats" | netcat $IP 11211
echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | netcat -u $IP 11211
#25: Elasticsearch Enumeration
echo -ne "GET / HTTP/1.0\r\n\r\n" | netcat $IP 9200