Enumeration

Enumeration phase tools. Fuzzing, Discovery, ...

Wordlists

Seclists
- Subdomain enumeration: /Discovery/DNS (subdomain*)
- Pages, Extensions, Directory, Parameters: /Discovery/Web-Content (directory-list*.txt, web-extensions.txt, burp-parameter-names.txt)
- LFI wordlist: /Fuzzing/LFI
Crunch Word list generator

Port mapping

Nmap

Flag Description

Flag	Description
`-sC`	Run scripts
`-sV`	Version scan
`-p <ports>`	Specify ports. Can be a list, can contain ranges
`-p-`	Scan all 65535 ports
`--script=<script name> -sC`	Run a specific script from `usr/share/nmap/scripts`
`-A`	Enable OS detection, version detection, script scanning, and traceroute (Loud)
`--open`	Show only open ports
`-oA <name_of_files>`	Save in all output formats with prefix of `name_of_files`
`-sn`	Disables port scanning
`-iL <file>`	Scans a list of hosts from a file
`--reason`	Displays the reason for specific result.
`--packet-trace`	Shows all packets sent and received
`-F`	Fast Scan. Top 100 ports
`--top-ports=10`	Scans the specified top ports that have been defined as most frequent.
`-n`	Disable DNS resolution
`--disable-arp-ping`	Disables ARP ping.
`--stats-every=5s`	Shows status every 5 seconds
`-v` or `-vv`	Verbositiy level, increasing
`-A`	Performs service detection, OS detection, traceroute and uses defaults scripts to scan the target.
`--min-rate <number>`	Speed optimization parameter
`-T <0-5>`	Aggressiveness
`--source-port 53`	Performs the scans from specified source port.
`--script-updatedb`	Update scripts DB

-sC

Run scripts

-sV

Version scan

-p <ports>

Specify ports. Can be a list, can contain ranges

-p-

Scan all 65535 ports

--script=<script name> -sC

Run a specific script from usr/share/nmap/scripts

-A

Enable OS detection, version detection, script scanning, and traceroute (Loud)

--open

Show only open ports

-oA <name_of_files>

Save in all output formats with prefix of name_of_files

-sn

Disables port scanning

-iL <file>

Scans a list of hosts from a file

--reason

Displays the reason for specific result.

--packet-trace

Shows all packets sent and received

-F

Fast Scan. Top 100 ports

--top-ports=10

Scans the specified top ports that have been defined as most frequent.

-n

Disable DNS resolution

--disable-arp-ping

Disables ARP ping.

--stats-every=5s

Shows status every 5 seconds

-v or -vv

Verbositiy level, increasing

-A

Performs service detection, OS detection, traceroute and uses defaults scripts to scan the target.

--min-rate <number>

Speed optimization parameter

-T <0-5>

Aggressiveness

--source-port 53

Performs the scans from specified source port.

--script-updatedb

Update scripts DB

Some useful nmap scripts (/usr/share/nmap/scripts/):

smb-os-discovery.nse (usually on -p 445)
http-enum (example on port -p 80)

Some nmap usages examples:

-p 21 --packet-trace -Pn -n --disable-arp-ping to scan port 21 and get a detailed information for the packet as the answer

Scan types

Flag Description

Flag	Description
`-PE`	Performs the ping scan by using 'ICMP Echo requests' against the target. Usually in combination with `--disable-arp-ping` to disable ARP Scanning
`-sS`	(Default as Root) SYN Scan
`-sT`	(Default as non-Root) TCP Scan
`-sU`	Performs a UDP scan.
`-sV`	Performs a service scan.
`-sA`	TCP ACK scan (hard to filter)
`-Pn`	Disable the ICMP echo requests (avoid checking if host is alive)

-PE

Performs the ping scan by using 'ICMP Echo requests' against the target. Usually in combination with --disable-arp-ping to disable ARP Scanning

-sS

(Default as Root) SYN Scan

-sT

(Default as non-Root) TCP Scan

-sU

Performs a UDP scan.

-sV

Performs a service scan.

-sA

TCP ACK scan (hard to filter)

-Pn

Disable the ICMP echo requests (avoid checking if host is alive)

Types of ports states

open

This indicates that the connection to the scanned port has been established. These connections can be TCP connections, UDP datagrams as well as SCTP associations.

closed

When the port is shown as closed, the TCP protocol indicates that the packet we received back contains an RST flag. This scanning method can also be used to determine if our target is alive or not.

filtered

Nmap cannot correctly identify whether the scanned port is open or closed because either no response is returned from the target for the port or we get an error code from the target.

unfiltered

This state of a port only occurs during the TCP-ACK scan and means that the port is accessible, but it cannot be determined whether it is open or closed.

open|filtered

If we do not get a response for a specific port, Nmap will set it to that state. This indicates that a firewall or packet filter may protect the port.

closed|filtered

This state only occurs in the IP ID idle scans and indicates that it was impossible to determine if the scanned port is closed or filtered by a firewall.

XML (-oX) output to HTML tool: xsltproc

Fuzzing

Ffuf

Typical Usage

ffuf -w ./SecLists/example.txt:FUZZ -u http://domain.com/FUZZ

Recursive search

-recursion -recursion-depth 1

File extension

-e .php

Setting and/or fuzz headers (example: VHosts)

-H "Host: FUZZ.domain.com"

Filter or Match

-f*
-m*

Example: Filter (remove) by response size anything of size 600

-fs 600

HTTP Verb

-X POST

Data

-d ""

Ignore comments

-ic

Colorize output

-c

Output to file

-o <file_name>

PHP Config file defualt positions

X.Y is the php version

Nginx: /etc/php/X.Y/fpm/php.ini

Apache: /etc/php/X.Y/apache2/php.ini

SNMP

Simple Networking Management Protocol

Can provide information such as process parameters, routing information, versions and services bound to interfaces

snmpwalk is used to interact with it

Example: snmpwalk -v 2c -c public 10.129.42.253 1.3.6.1.2.1.1.5.0

onesixtyone can bruteforce the community string names

Example with included bruteforce file: onesixtyone -c dict.txt 10.129.42.254

Gobuster

DNS, vhost, and directory brute-forcing

Directory mode

gobuster dir option

Flag	Description
-u <URL>	Defines the target URL
-w <path_to_wordlist>	Defines the wordlist

Flag

Description

-u <URL>

Defines the target URL

-w <path_to_wordlist>

Defines the wordlist

DNS mode

Flag Description

Flag	Description
-d <domain>	Defines the target domain
-w <path_to_wordlist>	Defines the wordlist (example: `SecLists/Discovery/DNS/namelist.txt`)

-d <domain>

Defines the target domain

-w <path_to_wordlist>

Defines the wordlist (example: SecLists/Discovery/DNS/namelist.txt)

FTP

If it has SSL we can use openssl to connect:

openssl s_client -connect 10.129.14.136:21 -starttls ftp

Custom Wordlist Generation (CeWL)

GitHub - digininja/CeWL: CeWL is a Custom Word List GeneratorGitHub

Others

Webserver banner: Find in header, can use curl -IL
EyeWitness
Whatweb: handy tool and contains much functionality to automate web application enumeration

PreviousPentesting Machine NextNMAP Scan types explained

Last updated 2 months ago