Introduction to Enumeration

Active probing to discover services, users, and devices, building on OSINT to detail the target landscape.

OS & Service Discovery

  • Identify operating systems and active services
  • Tools: Nmap, Zenmap
  • Demo: Map discovered OS/services to known CVEs

Protocol Enumeration

  • Network Layer
    • ICMP: Ping sweeps to find live hosts (nmap -sn)
    • IPSec: Probe ciphers & configs
  • Transport Layer
    • TCP: Half-open SYN scans (nmap -sS)
    • UDP: Enumerate via nmap -sU, Netcat
  • Application Layer
    • HTTP/HTTPS: Server tech (Burp Suite, Nikto)
    • SNMP: snmpwalk, SNMPenum
    • SMB: Shares & ACLs (smbclient)
    • RDP, SSH: Version enumeration, brute-force windows

DNS Enumeration

  • Tools: dig, nslookup, dnsrecon, dnsenum
  • Techniques:
    • Zone Transfers (dig AXFR)
    • Query MX, NS, SRV records
    • Reverse DNS (dig -x IP)
    • Brute-force subdomains with wordlists
    • Online: VirusTotal, DNS Dumpster
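The subdomain brute-forcing listed above leaves a distinctive trace on the authoritative or recursive resolver: one client producing a burst of NXDOMAIN answers for many distinct names under a single zone in a short time. The following is an added example, not part of the original outline, showing how a defender can spot that pattern in query logs. The log format (whitespace-separated `ts client qname qtype rcode`, epoch-second timestamps), the sample records, the 60-second window, the 20-name threshold and the simplification that a zone is the last two labels of the name are all assumptions made for this example.

```python
"""Detect subdomain brute-forcing from DNS query logs.

Added example, not from the original outline. Assumed log format, one query per line:
    ts client qname qtype rcode
where ts is epoch seconds and rcode is the server's response code (NOERROR, NXDOMAIN, ...).
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    ts: int
    client: str
    qname: str
    qtype: str
    rcode: str


def parse_query_log(text: str) -> list[Query]:
    """Parse the assumed five-field format, skipping blanks and '#' comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, qname, qtype, rcode = line.split()
        records.append(Query(int(ts), client, qname.rstrip(".").lower(), qtype, rcode))
    return records


def zone_of(qname: str) -> str:
    """Simplification for this example: the zone is the last two labels."""
    return ".".join(qname.split(".")[-2:])


def detect_subdomain_bruteforce(records, window: int = 60, threshold: int = 20):
    """One finding per (client, zone) whose NXDOMAIN answers cover at least
    `threshold` distinct names inside any `window`-second span."""
    by_key = defaultdict(list)
    for r in records:
        if r.rcode == "NXDOMAIN":
            by_key[(r.client, zone_of(r.qname))].append((r.ts, r.qname))
    findings = []
    for (client, zone), events in by_key.items():
        events.sort()
        in_window = Counter()  # distinct names currently inside the sliding window
        left = 0
        for ts, name in events:
            in_window[name] += 1
            # Slide the left edge forward until the window is at most `window` seconds wide.
            while ts - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold:
                findings.append({
                    "client": client,
                    "zone": zone,
                    "distinct_names": len(in_window),
                    "first_ts": events[left][0],
                    "last_ts": ts,
                })
                break  # one alert per client/zone is enough
    return findings


# Constructed sample: a wordlist-driven burst from one client, a legitimate client
# with a few typos an hour apart, and ordinary successful lookups.
_BASE = 1714557600
_WORDS = ["www", "mail", "dev", "staging", "vpn", "api", "test", "admin", "portal", "git"] \
    + [f"srv{i}" for i in range(15)]
SAMPLE_LOG = "\n".join(
    [f"{_BASE + i} 203.0.113.4 {w}.example.com A NXDOMAIN" for i, w in enumerate(_WORDS)]
    + [f"{_BASE + 1200 * i} 10.0.0.20 typo{i}.example.com A NXDOMAIN" for i in range(3)]
    + [f"{_BASE + 5 * i} 10.0.0.21 www.example.com A NOERROR" for i in range(10)]
)

if __name__ == "__main__":
    for f in detect_subdomain_bruteforce(parse_query_log(SAMPLE_LOG)):
        print(f)
```

The threshold and window are deliberately conservative so that a user mistyping a few hostnames never trips the rule; tune them against your own resolver's baseline, and note that the same burst is the signal for a reverse-DNS sweep if you key on PTR queries instead.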

Directory Enumeration

  • Tools: Gobuster, DirBuster, Dirsearch
  • Use custom wordlists from recon data
  • Inspect robots.txt, HTTP codes (403, 404), directory listings
  • Techniques: URL fuzzing, SSI injection

Host Enumeration

  • Discover hosts via ping, TCP scans
  • OS fingerprinting (nmap -O)
  • Alternate host-discovery probes when ICMP is filtered: nmap -PS (TCP SYN), -PA (TCP ACK), -PU (UDP), -Pn (skip discovery, treat all hosts as up)
  • Credentialed scans: Nessus with valid creds
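The SYN scans and ping sweeps described under Protocol Enumeration and the host discovery described above both stand out in connection logs: a vertical scan is one source touching many ports on one host with almost no completed handshakes, and a sweep is one source touching many hosts. The following is an added example, not code from the original outline, that flags both patterns in Zeek-style connection records. The six-field line format, the use of Zeek conn_state codes (S0 unanswered, REJ rejected, SF normal completion), the thresholds and the sample records are assumptions made for this example.

```python
"""Flag vertical port scans and horizontal host sweeps in connection records.

Added example, not from the original outline. Assumed record format, one connection per line:
    ts src dst dport proto conn_state
using Zeek conn_state codes: S0 (no reply), REJ (rejected), SF (normal handshake and close).
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# conn_state values meaning the TCP handshake never completed (what -sS produces
# against closed or filtered ports, and against open ports it never finishes).
INCOMPLETE_STATES = {"S0", "REJ", "RSTO", "RSTOS0"}


@dataclass(frozen=True)
class Conn:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    state: str


def parse_conn_log(text: str) -> list[Conn]:
    """Parse the assumed six-field format, skipping blanks and '#' comments."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, state = line.split()
        conns.append(Conn(ts, src, dst, int(dport), proto, state))
    return conns


def detect_scans(conns, port_threshold: int = 10, host_threshold: int = 10,
                 incomplete_ratio: float = 0.8):
    """Return port_scan findings per (src, dst) and host_sweep findings per src."""
    ports = defaultdict(set)       # (src, dst) -> distinct TCP/UDP destination ports
    incomplete = defaultdict(int)  # (src, dst) -> connections with no completed handshake
    total = defaultdict(int)       # (src, dst) -> all connections
    hosts = defaultdict(set)       # src -> distinct destination hosts (any protocol)
    for c in conns:
        hosts[c.src].add(c.dst)
        total[(c.src, c.dst)] += 1
        if c.proto in ("tcp", "udp"):
            ports[(c.src, c.dst)].add(c.dport)
        if c.state in INCOMPLETE_STATES:
            incomplete[(c.src, c.dst)] += 1
    findings = []
    for (src, dst), pset in ports.items():
        ratio = incomplete[(src, dst)] / total[(src, dst)]
        if len(pset) >= port_threshold and ratio >= incomplete_ratio:
            findings.append({"type": "port_scan", "src": src, "dst": dst, "ports": len(pset)})
    for src, hset in hosts.items():
        if len(hset) >= host_threshold:
            findings.append({"type": "host_sweep", "src": src, "hosts": len(hset)})
    return findings


# Constructed sample: 12 unanswered SYNs to one host, an ICMP sweep across 12 hosts,
# and a workstation talking normally to the web server.
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:{i:02d}Z 198.51.100.7 10.0.0.5 {p} tcp S0"
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 139, 143, 443, 445, 3389, 8080])]
    + [f"2024-05-01T10:05:{i:02d}Z 198.51.100.9 10.0.0.{i} 0 icmp OTH" for i in range(1, 13)]
    + ["2024-05-01T10:06:00Z 10.0.0.20 10.0.0.5 443 tcp SF"] * 5
)

if __name__ == "__main__":
    for f in detect_scans(parse_conn_log(SAMPLE_LOG)):
        print(f)
```

The incomplete-handshake ratio is what separates a half-open scan from a busy but legitimate client that connects to many ports; a credentialed vulnerability scanner such as Nessus will complete its connections and should be whitelisted by source rather than by lowering the ratio.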

User Enumeration

  • Windows: net user, Get-LocalUser, Meterpreter (getuid, ps)
  • Linux: cat /etc/passwd, cat /etc/shadow, id
  • AD: PowerShell (Get-ADDomain, Get-ADComputer, Get-ADGroupMember)

Email Enumeration

  • SMTP: VRFY, EXPN via telnet
  • Tools: theHarvester, social-media scraping, Have I Been Pwned, WHOIS
  • Craft phishing campaigns to validate addresses

Permission Enumeration

  • Windows: PowerView (Get-NetShare, Get-ObjectAcl)
  • Unix: ls -l, getfacl
  • DB: sqlmap for user/role privileges
  • Shares: SMBMap, CrackMapExec
  • Cloud: aws iam list-users, Azure PowerShell

Wireless Device Enumeration

  • War driving: Aircrack-ng, Kismet, Wifite
  • Map WAPs via WiGLE; filter by security status
  • Amplify range with high-gain antennas

Secrets Enumeration

  • Hunt for credentials: cloud keys, API keys, passwords, tokens
  • Tools: Pacu (AWS), Burp Suite (session tokens)
  • Techniques: brute-force, password spraying, session hijacking

Web Enumeration

  • Fingerprint the WAF/CDN fronting the site and look for the origin IP behind it
  • Web crawling (DirBuster) and manual probes (sitemaps, plugins)
  • Identify hidden admin panels and misconfigurations
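Both the Directory Enumeration section (robots.txt, 403 versus 404 responses, directory listings) and the hidden admin panels mentioned above rest on the same weaknesses, which a site owner can audit directly. The following is an added example, not code from the original outline: given a site's robots.txt and the status codes and bodies observed for a set of paths, it reports Disallow entries that are actually reachable, directory listings, and the existence oracle created when protected paths answer 403 while unknown paths answer 404. The input table is constructed for the example; in practice it would come from a crawl of your own site. The canary path, the response format and the finding labels are assumptions made here.

```python
"""Audit a site's own exposure to directory and admin-panel enumeration.

Added example, not from the original outline. `responses` maps a request path to
(status_code, body_snippet) as observed by crawling your own site; the format and
the finding labels are assumptions made for this example.
"""
from __future__ import annotations


def parse_robots_disallow(robots_txt: str) -> list[str]:
    """Return the paths named in Disallow: lines, ignoring comments and blanks."""
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.lower().startswith("disallow:"):
            path = line.split(":", 1)[1].strip()
            if path:
                paths.append(path)
    return paths


def audit_exposure(robots_txt: str, responses: dict,
                   canary: str = "/this-path-should-not-exist-9f2a") -> list[tuple[str, str]]:
    """Return sorted (path, issue) pairs.

    disallowed-but-reachable   a robots.txt Disallow entry that serves content (200)
    existence-oracle-403-vs-404  a hidden path answers 403 while a random path answers 404,
                               so an enumerator can confirm the path exists without access
    directory-listing          a 200 whose body looks like an autoindex page
    """
    findings = set()
    # Status of a path that certainly does not exist; 404 assumed if not crawled.
    canary_status = responses.get(canary, (404, ""))[0]
    for path in parse_robots_disallow(robots_txt):
        status, _body = responses.get(path, (None, ""))
        if status == 200:
            findings.add((path, "disallowed-but-reachable"))
        elif status == 403 and canary_status == 404:
            findings.add((path, "existence-oracle-403-vs-404"))
    for path, (status, body) in responses.items():
        if status == 200 and "Index of /" in body:
            findings.add((path, "directory-listing"))
    return sorted(findings)


# Constructed sample: robots.txt that advertises three hidden paths and the
# responses a crawl of the same site returned for them.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/   # login page for staff
Disallow: /backup/
Disallow: /old/
Allow: /
"""
SAMPLE_RESPONSES = {
    "/": (200, "<html><title>Home</title></html>"),
    "/admin/": (403, "<h1>Forbidden</h1>"),
    "/backup/": (200, "<title>Index of /backup/</title>"),
    "/old/": (404, "<h1>Not Found</h1>"),
    "/this-path-should-not-exist-9f2a": (404, "<h1>Not Found</h1>"),
}

if __name__ == "__main__":
    for path, issue in audit_exposure(SAMPLE_ROBOTS, SAMPLE_RESPONSES):
        print(f"{path:12s} {issue}")
```

The fix for the oracle is to return the same 404 page for forbidden and absent paths (or the same 403 for both, with identical timing), which removes the signal that makes URL fuzzing productive; the fix for the listing is to disable autoindex on the server rather than to hide the path in robots.txt.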

Attack Path Mapping

  • Chart potential attack chains from entry to target
  • Tools: BloodHound (AD), MITRE ATT&CK mapping
  • Document steps: entry point, lateral movement, techniques used, defenses bypassed
  • Collaborate with IT to refine and update path maps
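Tools such as BloodHound chart attack chains by treating the directory as a graph: identities, groups and hosts are nodes, and relationships such as group membership, local admin rights and logged-on sessions are edges, so a chain from an entry point to a target is a path. The following is an added example, not code from the original outline or from BloodHound, that reduces that idea to its core on a small constructed graph: it finds every shortest path from an entry identity to a target group and then reports the edges shared by all of them, which are the relationships a defender should remove or tighten first because cutting one of them breaks every path. The node names, relationship labels and graph data are constructed for the example.

```python
"""Shortest attack paths over a constructed directory graph, and the edges that cut them all.

Added example, not from the original outline. Edges are (source, relationship, destination)
triples; the relationship names and the sample graph are assumptions made here.
"""
from __future__ import annotations

from collections import defaultdict, deque

Edge = tuple[str, str, str]


def all_shortest_paths(edges: list[Edge], start: str, target: str) -> list[list[Edge]]:
    """Breadth-first search that keeps every parent at the same depth, so all
    shortest paths (as lists of edges) can be rebuilt, not just one."""
    adj = defaultdict(list)
    for src, rel, dst in edges:
        adj[src].append((rel, dst))
    dist = {start: 0}
    parents = defaultdict(list)  # node -> [(parent, relationship)] at depth dist[node] - 1
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in adj[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                parents[nxt].append((node, rel))
                queue.append(nxt)
            elif dist[nxt] == dist[node] + 1:
                parents[nxt].append((node, rel))  # an equally short alternative
    if target not in dist:
        return []

    def build(node: str) -> list[list[Edge]]:
        if node == start:
            return [[]]
        return [path + [(p, rel, node)] for p, rel in parents[node] for path in build(p)]

    return build(target)


def choke_points(paths: list[list[Edge]]) -> set[Edge]:
    """Edges present in every path: removing any one of them severs all of them."""
    if not paths:
        return set()
    common = set(paths[0])
    for path in paths[1:]:
        common &= set(path)
    return common


def describe(path: list[Edge]) -> str:
    """Render a path as 'a -[rel]-> b -[rel]-> c' for the path-map document."""
    out = path[0][0]
    for _src, rel, dst in path:
        out += f" -[{rel}]-> {dst}"
    return out


# Constructed sample graph: a helpdesk user is local admin on two workstations,
# both of which have a session for an account that is a Domain Admin.
SAMPLE_EDGES: list[Edge] = [
    ("user:alice", "MemberOf", "group:Helpdesk"),
    ("user:alice", "MemberOf", "group:IT Staff"),
    ("group:IT Staff", "CanRDP", "host:WS03"),
    ("group:Helpdesk", "AdminTo", "host:WS01"),
    ("group:Helpdesk", "AdminTo", "host:WS02"),
    ("host:WS01", "HasSession", "user:bob"),
    ("host:WS02", "HasSession", "user:bob"),
    ("user:bob", "MemberOf", "group:Domain Admins"),
]

if __name__ == "__main__":
    paths = all_shortest_paths(SAMPLE_EDGES, "user:alice", "group:Domain Admins")
    for p in paths:
        print(describe(p))
    print("remove one of:", choke_points(paths))
```

In the sample, the two workstation hops are interchangeable, so hardening WS01 alone changes nothing; the choke points are alice's Helpdesk membership and bob's Domain Admins membership (or, equivalently, bob's habit of logging on to helpdesk-administered workstations), which is exactly the finding a path map should carry to the IT team.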

Summary: Scanning & enumeration convert reconnaissance into actionable intelligence—identifying hosts, services, users, and vulnerabilities to plan precise attack paths.