# Enumeration Quick Start

The goal is to enumerate services quickly, then triage the open ones for those most likely to pay off. Tools like AutoRecon or Legion can automate the first pass, but know what they run so you can repeat it by hand.

# Enumerating Ports

# Nmap

nmap -sC -sV -oN quick_scan <IP>                 # Quick scan: default scripts + version detection, top 1000 TCP ports
nmap -sC -sV -p- -oN all_ports <IP>              # Full TCP (all 65535 ports)
nmap -sC -sV --script vuln -oN vuln_scan <IP>    # Quick vuln scan (NSE "vuln" category; noisy)
sudo nmap -sU -p- -oN udp_scan <IP>              # Full UDP scan (needs root, very slow; --top-ports 100 is a faster first pass)
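Running `-sC -sV -p-` against a slow host takes a long time because every port gets probed. A faster pattern is a two-stage scan: sweep all ports with no scripts, then run the script/version scan only on what is open. The block below is an added example (not from the original page): it assumes nmap is installed, the target and output file names are placeholders, and the grepable sample it is tested against is constructed.

```bash
#!/usr/bin/env bash
# Added example: two-stage nmap scan. Stage 1 sweeps all TCP ports quickly
# (no scripts, no version probes); stage 2 runs -sC -sV only on the open ones.
# Assumes nmap is installed; target and file names are placeholders.

# Pull the open TCP ports out of nmap grepable (-oG) output, as "21,22,80".
# The Ports field looks like:  Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///
# Reads files given as arguments, or stdin when there are none.
open_ports_from_grepable() {
    grep -o '[0-9][0-9]*/open/tcp' "$@" | cut -d/ -f1 | sort -n -u | paste -sd, -
}

# Stage 1: fast full-port sweep (SYN scan if root, connect scan otherwise).
# Stage 2: default scripts and version detection against just the open ports.
two_stage_scan() {  # target
    target="$1"
    nmap -p- --min-rate 1000 -T4 -oG "all_ports_${target}.gnmap" "$target" >/dev/null || return 1
    ports=$(open_ports_from_grepable "all_ports_${target}.gnmap")
    if [ -z "$ports" ]; then
        echo "no open TCP ports found on $target (host down or everything filtered?)" >&2
        return 1
    fi
    echo "open ports on $target: $ports" >&2
    nmap -sC -sV -p "$ports" -oN "services_${target}.nmap" "$target"
}
# usage: two_stage_scan <IP>
```

`--min-rate 1000` trades accuracy for speed: on a lossy link or a rate-limiting firewall it can miss ports, so rerun the sweep without it if the results look thin.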

# Manual

nc -nv <IP> 25                            # Manual banner grab
nc -nvC <IP> 119                          # -C sends CRLF line endings, for services that expect them (SMTP, POP3, NNTP, HTTP)

# web (80,443)

There is more detailed info in the dedicated web section.

NOTE: do yourself a favor and try default credentials early (admin:admin, admin@foo.com:admin, etc.) on every login form you find.

Add the target to your hosts file to reach sites served as name-based virtual hosts (they only answer to the right Host header):

echo "<IP> foobar.htb" | sudo tee -a /etc/hosts

# gobuster

Directory discovery:

gobuster dir -u http://<IP> -w /usr/share/wordlists/dirb/common.txt

File discovery:

gobuster dir -u https://<IP> -w /usr/share/wordlists/dirb/big.txt -x php,html,txt -k     # -k: skip TLS certificate validation
gobuster dir -u http://<IP> -w /usr/share/wordlists/dirb/big.txt -x sh,cgi,pl
gobuster dir -u http://<IP> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100 -x .txt,.php,.sql,.php5,.html,.htm,.png,.bak,.tmp

Useful switches:

  • -e Print the full URLs in your console
  • -u The target URL
  • -w Path to your wordlist
  • -U and -P Username and Password for Basic Auth
  • -p Proxy to use for requests
  • -c Specify a cookie for simulating your auth

# FFuF

Directory discovery: the FUZZ keyword in the URL (-u) marks where each wordlist entry is substituted.

ffuf -w /path/to/wordlist -u https://target/FUZZ
ffuf -w /usr/share/wordlists/dirb/big.txt -u http://<IP>/FUZZ -t 200 -c

File discovery:

ffuf -w /usr/share/wordlists/dirb/big.txt -u http://<IP>/FUZZ -t 200 -c -e .txt


Virtual host discovery (FUZZ goes in the Host header; the -fw value is the word count of the default site's response, which you get by requesting a bogus hostname first, or let ffuf work it out with -ac):

ffuf -c -w /usr/share/dnsrecon/subdomains-top1mil-5000.txt -u http://example.com -H "Host: FUZZ.example.com" -fw 5338

  • -c Colorize output.
  • -u URL
  • -t threads
  • -w wordlist
  • -e extension
  • -fw filter words (filter out responses with a specific word count)
  • -H add a request header (here the Host header for vhost fuzzing)

more info: https://github.com/ffuf/ffuf

# sqlmap

sqlmap -u "http://<IP>/" --crawl=1                          # crawl the site looking for injectable parameters
sqlmap -u "http://<IP>/page.php?id=1" --dbms=mysql --dump   # dump the database
sqlmap -u "http://<IP>/page.php?id=1" --dbms=mysql --os-shell  # OS shell (needs file write privileges on the DB host)
# sqlmap with cookie and ssl
sqlmap -u "https://<IP>/page.php?id=1" --cookie="PHPSESSID=ajfda" --level=5 --risk=3 --batch --force-ssl

# ftp - TCP 21

Run the version through searchsploit to see if there are known vulnerabilities. Look for anonymous login (nmap -sC runs ftp-anon, which reports it). Credentials and config files can often be found on FTP servers.

If nothing, move on...

# ssh - TCP 22

Run the version from the banner through searchsploit. Otherwise SSH is mostly a place to use credentials and keys found elsewhere.

# smtp - TCP 25

telnet <IP> 25        # Telnet to manually run commands (VRFY <user>, EXPN <list>, RCPT TO:<user> to check accounts by hand)

# enumerate usernames with metasploit smtp_enum module
msfconsole -q -x 'setg RHOSTS <IP>;
use auxiliary/scanner/smtp/smtp_enum; run;
use auxiliary/scanner/smtp/smtp_relay; run;
use auxiliary/scanner/smtp/smtp_version; run;'
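The smtp_enum module works by sending VRFY for each name in a wordlist and reading the reply code. The same check is easy to do by hand, which is useful when Metasploit is not available or you want to see the raw replies. The block below is an added example (not from the original page or from Metasploit): it uses bash's /dev/tcp so only bash is needed; the host, port and wordlist are placeholders, and the reply lines in the comments and test are constructed.

```bash
#!/usr/bin/env bash
# Added example: enumerate mailbox names over SMTP with VRFY, the check the
# smtp_enum module performs. Host, port and wordlist are placeholders.

cr=$(printf '\r')

# Classify the reply to a VRFY:
#   250/252     -> server accepts (or cannot refuse) the mailbox: probable user
#   550/551/553 -> no such mailbox
#   anything else (502 "VRFY disabled", 503 bad sequence, ...) -> inconclusive;
#   fall back to RCPT TO:<user> inside a MAIL FROM transaction.
vrfy_verdict() {
    case "$1" in
        250*|252*) echo valid ;;
        550*|551*|553*) echo invalid ;;
        *) echo unknown ;;
    esac
}

# Read one SMTP reply from fd $1. Multi-line replies use "250-" continuation
# lines and end with "250 " (a space), so drain until the final line.
smtp_reply() {
    while IFS= read -r line <&"$1"; do
        line=${line%"$cr"}
        case "$line" in
            [0-9][0-9][0-9]-*) continue ;;
            *) printf '%s\n' "$line"; return 0 ;;
        esac
    done
    return 1
}

# Send a command (CRLF-terminated, as the protocol requires) and return the reply.
smtp_cmd() {  # fd command
    printf '%s\r\n' "$2" >&"$1"
    smtp_reply "$1"
}

smtp_vrfy_enum() {  # host port wordlist
    exec 3<>"/dev/tcp/$1/$2" || return 1
    echo "banner: $(smtp_reply 3)" >&2
    smtp_cmd 3 "EHLO enum.local" >/dev/null
    while IFS= read -r user; do
        [ -n "$user" ] || continue
        reply=$(smtp_cmd 3 "VRFY $user")
        case "$(vrfy_verdict "$reply")" in
            valid)   echo "[+] $user  <- $reply" ;;
            unknown) echo "[?] $user  <- $reply" >&2 ;;
        esac
    done < "$3"
    smtp_cmd 3 QUIT >/dev/null
    exec 3>&-
}
# usage: smtp_vrfy_enum <IP> 25 <wordlist>
```

A 252 reply is the interesting ambiguous case: Postfix returns it for any address when VRFY is effectively disabled, so a wordlist where every name comes back "valid" means the check is not discriminating and RCPT TO should be used instead.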

# DNS - UDP/TCP 53

# testing DNS

dig @<DNS_IP> example.local ANY           # query the target's resolver directly

# dnszone transfer

dig axfr @<DNS_IP> #Try zone transfer without domain
dig axfr @<DNS_IP> <DOMAIN> #Try zone transfer guessing the domain

#fierce will Try to do a zone transfer against every authoritative name server and if this doesn't work, it'll launch a dictionary attack
fierce --domain <DOMAIN> --dns-servers <DNS_IP> 

# Kerberos TCP/88

./kerbrute userenum --dc <DC_IP> -d example.local userlist.txt -t 100    # enumerate users using kerbrute (no lockouts: pre-auth requests only)


# POP3 - TCP/110


nc -nvC <IP> 110
(UNKNOWN) [<IP>] 110 (pop3) open
+OK beta POP3 server (JAMES POP3 Server 2.3.2) ready
USER testuser
PASS password
+OK Welcome testuser
STAT
+OK 2 1807
LIST
1 420
2 6971
RETR 1
+OK Message follows


  USER uid           Log in as "uid"
  PASS password      Substitute "password" for your actual password
  STAT               List number of messages, total mailbox size
  LIST               List messages and sizes
  RETR n             Show message n
  DELE n             Mark message n for deletion
  RSET               Undo any changes
  QUIT               Logout (expunges messages if no RSET)
  TOP msg n          Show first n lines of message number msg

# NFS - TCP 111 TCP 2049

Mounting an NFS share:

sudo apt install nfs-common                          # Install the NFS client if needed
mkdir /tmp/mount                                     # create mount dir in /tmp (will be removed after restart)
/usr/sbin/showmount -e <IP>                          # list exported shares and which clients may mount them
sudo mount -t nfs <IP>:/<share> /tmp/mount -o nolock  # mount a share (nolock: skip the lock daemon)
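When a server advertises several exports it is quicker to mount them all read-only in one pass and look inside each. The block below is an added example (not from the original page): it assumes showmount and mount.nfs from nfs-common are installed and that sudo works, the IP is a placeholder, and the showmount output used in the test is constructed.

```bash
#!/usr/bin/env bash
# Added example: mount every export an NFS server advertises, read-only, under
# /mnt/nfs/<name>, then take a quick look inside each one.

# showmount -e prints a header line followed by "<export> <allowed clients>":
#   Export list for 10.10.10.5:
#   /srv/backups *
#   /home        10.0.0.0/8
# Emit one export path per line, skipping the header. Files or stdin.
parse_exports() {
    sed -n '2,$s/^\(\/[^ ]*\).*/\1/p' "$@"
}

# Turn "/srv/backups" into a directory name "srv_backups" ("/" becomes "root").
export_to_name() {
    name=$(printf '%s\n' "$1" | sed 's#^/##; s#/#_#g')
    printf '%s\n' "${name:-root}"
}

mount_all_exports() {  # ip
    ip="$1"
    showmount -e "$ip" | parse_exports | while read -r export; do
        dir="/mnt/nfs/$(export_to_name "$export")"
        sudo mkdir -p "$dir"
        if sudo mount -t nfs -o ro,nolock "$ip:$export" "$dir"; then
            echo "[+] $ip:$export mounted on $dir" >&2
            find "$dir" -maxdepth 2 -ls 2>/dev/null | head -20    # first look at what is inside
        else
            echo "[-] could not mount $ip:$export (export may be restricted to certain client IPs)" >&2
        fi
    done
}
# usage: mount_all_exports <IP>
```

The second column of showmount's output is the client ACL: an export listed with a netblock rather than `*` will refuse your mount unless you are coming from that range.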

# SMB - TCP 139 TCP 445


crackmapexec smb <IP>                   # gives a lot of info about the host (OS, domain, signing)
crackmapexec smb <IP> -u 'guest' -p ''  # see if the guest account can list shares


Enum4linux wraps the Samba tools to enumerate users, groups, shares and the password policy from Windows and Samba hosts over SMB/RPC.

enum4linux -a <IP>      # -a: all simple enumeration (enum4linux-ng uses -A for the same)


smbclient -N -L //<IP>                            # List shares: -N no auth, -L list available shares
smbclient //<IP>/IT -U username%password          # connect to share IT with the supplied username and password
smbclient //<IP>/secret -U suit -p 139            # connect to share secret as user suit on port 139
smbclient -N //<IP>/backup                        # connect to share backup anonymously
mask "";recurse ON;prompt OFF;mget *              # Download an entire share once logged in (at the smb: \> prompt)

Enumerate shares with smbmap

smbmap -H <IP> -u foo -p bar                      # shows each share with the permissions foo has on it

With nmap

nmap --script "smb-vuln*" -p 445 <IP>                              # look for known SMB vulnerabilities (quote the glob so the shell does not expand it)
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse <IP>  # enumerate shares and users

# RPC - TCP 445

Check whether a null session lets us enumerate users with rpcclient (MSRPC over SMB, so port 445 or 139):

rpcclient -U "" -N <IP>
rpcclient $>


  • enumdomusers - get a list of users
  • enumdomgroups - list groups
  • querygroup 0x200 - query a group by RID (0x200 = 512 = Domain Admins)
  • querygroupmem 0x200 - list the members of that group (returns their RIDs)
  • queryuser 0x1f4 - query a user by RID (0x1f4 = 500 = built-in Administrator)

NOTE: It's helpful to make a users list with this information.
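Building that users list is mostly text processing of rpcclient's `user:[name] rid:[0x...]` lines, and the RIDs it prints are the hex values that querygroup/queryuser expect. The block below is an added example (not from the original page): it assumes rpcclient from Samba is installed, the target IP is a placeholder, and the rpcclient output in the test is constructed.

```bash
#!/usr/bin/env bash
# Added example: turn rpcclient enumdomusers/enumdomgroups output into a users
# list for later spraying, and map hex RIDs to decimal. IP is a placeholder.

# rpcclient prints one line per object, e.g.
#   user:[Administrator] rid:[0x1f4]
#   group:[Domain Admins] rid:[0x200]
# Emit "<name><TAB><rid in decimal>" for each, from files or stdin.
parse_rid_lines() {
    sed -n 's/^[a-z]*:\[\(.*\)\] rid:\[\(0x[0-9a-fA-F]*\)\]$/\2 \1/p' "$@" |
    while read -r rid name; do          # name may contain spaces, so it is read last
        printf '%s\t%d\n' "$name" "$(( $rid ))"
    done
}

# Null-session enumeration via rpcclient -c (runs the command non-interactively),
# writing users.txt (names only, ready for kerbrute/spraying) and groups.txt.
rpc_null_enum() {  # ip
    ip="$1"
    rpcclient -U "" -N -c enumdomusers "$ip"  | parse_rid_lines | tee users_rids.txt | cut -f1 > users.txt
    rpcclient -U "" -N -c enumdomgroups "$ip" | parse_rid_lines > groups.txt
    # Well-known RIDs: 500 (0x1f4) = built-in Administrator, 512 (0x200) = Domain Admins.
    # querygroupmem takes the hex RID and returns member RIDs; resolve each with queryuser.
    rpcclient -U "" -N -c "querygroupmem 0x200" "$ip"
    wc -l users.txt groups.txt >&2
}
# usage: rpc_null_enum <IP>
```

If the null session is refused, the same commands work with `-U 'user%pass'` for any low-privileged account you have found; the parsing is identical.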