Enumerate
- DNS Enumeration
whois hostname
whois ipaddress
host ipaddress
dig hostname A
dig hostname MX
dig hostname NS
dig hostname TXT
dig hostname CNAME
dig hostname SOA
dig axfr @nameserver hostname
dig -x ipaddress
dig +dnssec hostname
python sublist3r.py -d hostname
amass enum -d hostname
subfinder -d hostname -o subfinder_output.txt
assetfinder --subs-only hostname | tee assetfinder_output.txt
gobuster dns -d hostname -w /usr/share/wordlists/dns/subdomains-top1million-5000.txt -o gobuster_dns_output.txt
- Network Scanning
nmap -sS -p- -A -T4 hostname
nmap -sS -p- -A -T4 --script vuln,smb-enum-shares,smb-enum-users,dns-brute,http-title,http-headers,snmp-info,mysql-info hostname
nmap -sU -p- -T4 hostname
nmap -O hostname
nmap -sV hostname
nmap -A hostname
nmap -sn ipaddress/24
Other tools:
- hping3
- loic
- slowloris
- Web Application Scanning
nikto -h http://hostname -output nikto_report.txt
dirb http://hostname /usr/share/dirb/wordlists/common.txt
wapiti -u http://hostname -f html -o wapiti_report.html
arachni http://hostname --output-only-positives --report-save-path=arachni_report.afr
zap.sh -cmd -quickurl http://hostname -quickout report.html -port 8190
- SSL/TLS Analysis
sslscan hostname
./testssl.sh --html --outprefix testssl_report hostname
sslyze --regular hostname
- SMB Enumeration
smbmap -H ipaddress
enum4linux -a ipaddress
- SNMP Enumeration
snmpwalk -c public -v1 ipaddress
snmpcheck -t ipaddress -c public
- SMTP Enumeration
smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t hostname
- HTTP Header Analysis
curl -v http://hostname
http -v http://hostname
- Banner Grabbing
nc -v hostname port
telnet hostname port
- OSINT Tools
theHarvester -d hostname -b all -f theharvester_report.html
recon-ng
(then, inside the recon-ng console:)
marketplace install all
modules load recon/domains-hosts/hackertarget
options set SOURCE hostname
run
- Cloud Enumeration
python3 cloud_enum.py -k keyword
- Email Harvesting
python SimplyEmail.py -all -e domain.com
- Additional Tools and Commands
nessuscli agent link --key=your_key --groups=your_group --name=your_name --url=https://your_nessus_server:8834
openvasmd --create-task --name "Scan Task" --comment "Scan Task" --target your_target_id
openvasmd --start-task your_task_id
msfconsole
(then, inside the msfconsole prompt:)
use auxiliary/scanner/http/http_version
set RHOSTS hostname
run
Others
- hping3
- loic
- slowloris
- Metasploit Framework
- Wireshark
- Burp Suite
Most of this textbook type of enumeration is easily identified; the source IP address gets identified and blocked, especially after a port scan. Instead, move straight to email attacks, ransomware and phishing attacks. For example, if you are scammed by a website, they will post their payment providers, and that sets the stage for both ransomware and phishing attacks.
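The paragraph above states that port scans are easily identified. As an added illustration of that claim from the defender's side (this is example code written for this page, not part of the original cheatsheet or of any tool listed on it), the following Python script parses constructed firewall log lines in a simplified iptables-style format and flags any source address that touches many distinct destination ports on one host inside a sliding time window. The log format, the addresses, the window length and the threshold are all assumptions chosen for the example; a real deployment would tune them to its own firewall output.

```python
"""Port-scan detection over firewall log lines (added example, not from the cheatsheet)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed, simplified iptables-like line format: "<ISO timestamp> <ACTION> SRC=.. DST=.. PROTO=.. DPT=.."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)$"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport) for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return (
        datetime.fromisoformat(m.group("ts")),
        m.group("src"),
        m.group("dst"),
        int(m.group("dpt")),
    )


def detect_port_scans(lines, window_seconds=60, threshold=15):
    """Return {(src, dst): max_distinct_ports} for every (src, dst) pair whose peak number of
    distinct destination ports within any window_seconds-long interval reaches threshold."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)  # (src, dst) -> [(timestamp, dport), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None:  # skip malformed lines rather than crash on them
            continue
        ts, src, dst, dport = rec
        events[(src, dst)].append((ts, dport))

    alerts = {}
    for pair, evs in events.items():
        evs.sort()  # chronological order so a sliding window can be used
        in_window = defaultdict(int)  # dport -> number of hits currently inside the window
        left = 0
        peak = 0
        for right, (ts, dport) in enumerate(evs):
            in_window[dport] += 1
            # Drop events that fell out of the window before measuring.
            while ts - evs[left][0] > window:
                old_port = evs[left][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[pair] = peak
    return alerts


def build_sample_log():
    """Constructed sample lines (not real traffic): one fast scanner, one normal client,
    one slow scanner, plus a malformed line to exercise the parser's error handling."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = ["this line is not in the expected format"]
    # Fast scanner: 20 distinct ports on one host within 20 seconds.
    for i in range(20):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT={20 + i}")
    # Normal client: repeated connections to port 443 only.
    for i in range(30):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} ACCEPT SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443")
    # Slow scanner: 12 ports, one per minute, so it stays under a 60-second window.
    for i in range(12):
        ts = (base + timedelta(minutes=i)).isoformat()
        lines.append(f"{ts} DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT={1000 + i}")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    print("60 s window, threshold 15:", detect_port_scans(log))
    print("15 min window, threshold 10:", detect_port_scans(log, window_seconds=900, threshold=10))
```

With the default 60-second window only the fast scanner is reported; widening the window to 15 minutes and lowering the threshold also catches the slow, one-port-per-minute scanner, which is the usual trade-off between catching timing-based evasion and raising false positives on busy clients.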