Enumerate

  • DNS Enumeration

whois hostname

whois ipaddress

host ipaddress

dig hostname A

dig hostname MX

dig hostname NS

dig hostname TXT

dig hostname CNAME

dig hostname SOA

dig axfr @nameserver hostname

dig -x ipaddress

dig +dnssec hostname

python sublist3r.py -d hostname

amass enum -d hostname

subfinder -d hostname -o subfinder_output.txt

assetfinder --subs-only hostname | tee assetfinder_output.txt

gobuster dns -d hostname -w /usr/share/wordlists/dns/subdomains-top1million-5000.txt -o gobuster_dns_output.txt

  • Network Scanning

nmap -sS -p- -A -T4 hostname

nmap -sS -p- -A -T4 --script vuln,smb-enum-shares,smb-enum-users,dns-brute,http-title,http-headers,snmp-info,mysql-info hostname

nmap -sU -p- -T4 hostname

nmap -O hostname

nmap -sV hostname

nmap -A hostname

nmap -sn ipaddress/24

Other tools:

  1. hping3
  2. loic
  3. slowloris

  • Web Application Scanning

nikto -h http://hostname -output nikto_report.txt

dirb http://hostname /usr/share/dirb/wordlists/common.txt

wapiti -u http://hostname -f html -o wapiti_report.html

arachni http://hostname --output-only-positives --report-save-path=arachni_report.afr

zap.sh -cmd -quickurl http://hostname -quickout report.html -port 8190

  • SSL/TLS Analysis

sslscan hostname

./testssl.sh --html --outprefix testssl_report hostname

sslyze --regular hostname

  • SMB Enumeration

smbmap -H ipaddress

enum4linux -a ipaddress

  • SNMP Enumeration

snmpwalk -c public -v1 ipaddress

snmpcheck -t ipaddress -c public

  • SMTP Enumeration

smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t hostname

  • HTTP Header Analysis

curl -v http://hostname

http -v http://hostname

  • Banner Grabbing

nc -v hostname port

telnet hostname port

  • OSINT Tools

theHarvester -d hostname -b all -f theharvester_report.html

recon-ng

marketplace install all

modules load recon/domains-hosts/hackertarget

options set SOURCE hostname

run

  • Cloud Enumeration

python3 cloud_enum.py -k keyword

  • Email Harvesting

python SimplyEmail.py -all -e domain.com

  • Additional Tools and Commands

nessuscli agent link --key=your_key --groups=your_group --name=your_name --url=https://your_nessus_server:8834

openvasmd --create-task --name "Scan Task" --comment "Scan Task" --target your_target_id

openvasmd --start-task your_task_id

msfconsole

use auxiliary/scanner/http/http_version

set RHOSTS hostname

run

Others

  • hping3
  • loic
  • slowloris
  • Metasploit Framework
  • Wireshark
  • Burp Suite

Most of this textbook-style enumeration is easily detected: the source IP address is identified and blocked, especially in the case of a port scan. Instead, move straight to email attacks, ransomware, and phishing attacks. For example, if you are scammed by a website, they will post their payment providers, and that sets the stage for both ransomware and phishing attacks.
