Resources

• Enumeration Mind Map - Ignitetechnologies

Host Discovering

ARP Scan

arp-scan -l eth0
Scan for hosts in the same network of the specifeid interface.

netdiscover -r [TARGET_NETWORK]/24
Return MAC address of this network.

MASSCAN

masscan [TARGET_NETWORK]/24 -p 443
Host discovering scan.

Port Scan

NMAP

nmap -sn [TARGET_NETWORK]/24
Do not do port scan: scan for hosts (ARP, ICMP, TCP/UDP Ping).

nmap -sV -sC [TARGET_IP]
Ports services + Default script.

SMB Scan

SMBCLIENT

smbclient -L [TARGET_IP] --no-pass
List Shares anonymously.

smbclient -L [TARGET_IP] -U myUser
List Shares with a user.

smbclient //[TARGET_IP]/mySmbShare
Connect to a Share.

NMAP

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse [TARGET_IP]
Search for SMB Shares.

nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount [TARGET_IP]
Enumerate rpcbind.

ENUM4LINUUX

enum4linux -S [TARGET_DOMAIN]
List Samba Share.

Subdomains Fuzz

ASSETFINDER

go install github.com/tomnomnom/assetfinder@latest

assetfinder [TARGET_DOMAIN]
Find subdomains and some that could be related.

assetfinder --subs-only [TARGET_DOMAIN]
Find only subdomains (stay in the scope).

OWASP-AMAS

go install github.com/OWASP/Amass/v3/...@master

amass enum -d [TARGET_DOMAIN]
Find subdomains.

DNSRECON

dnsrecon -t brt -d [TARGET_DOMAIN]
Find subdomains (brute force).

SUBLIST3R

sublist3r.py -d [TARGET_DOMAIN]
Find subdomains (using search engines).

Web Paths Fuzz

Word Lists

• /usr/share/wordlists/drib/big.txt/ <- Really Good
• /usr/share/wordlists/dirb/common.txt/ ← Fast
• /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt/← Medium

Known Paths

• Tomcat -> /manager
• Liferay -> /admin ?
• Durpal-> /admin ou /drupal
• Typo3 -> /typo3/
• Matomo -> /administrator ?
• Joomla -> /administrator
• Kentico -> /cms -> /CMSPages/logon.aspx
• October -> /backend -> /backend/backend/auth/signin
• Umbraco -> /umbraco/ -> /umbraco/login.aspx
• Laravel -> /admin -> /admin/auth/login

GOBUSTER

gobuster dir -u http://[TARGET_IP]:[TARGET_PORT] -w myWordList -x php,txt,html
Search files.

gobuster dir -u http://[TARGET_IP]:[TARGET_PORT] -w myWordList
Search folders.

FUFF

fuff -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt:FUZZ -u http://[TARGET_DOMAIN]/FUZZ
Web Path FUZZ.

WFUZZ

wfuzz -c -z file,myWordList http://[TARGET_IP]:[TARGET_PORT]/FUZZ
Fuzz Folders.

API Fuzz

WFUZZ

wfuzz -c -z file,myWordList http://[TARGET_IP]:[TARGET_PORT]/api/file?parameter=FUZZ
Fuzz GET Parameter (ex: API).

Virutals Hosts Fuzz

FUFF

ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/namelist.txt -H "Host: FUZZ.[TARGET_DOMAIN]" -u http://[TARGET_DOMAIN] -fs 2395
Virtual Host FUZZ.

User Fuzz

FUFF

ffuf -w /usr/share/wordlists/seclists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://[TARGET_DOMAIN]/signup -mr "username already exists"
User Enumeration.