Enumeration Cheatsheets

Enumerating FTP for Pentesting (Port 21)

Basic Enumeration

Attempt to connect anonymously by issuing the below command and specifying the following credentials; anonymous:anonymous.

ftp <ipAddress>

You can perform banner grabbing w/ the following Metasploit module.

use auxiliary/scanner/ftp/ftp_version

You can perform brute force with the following Metasploit module.

use auxiliary/scanner/ftp/ftp_login

Transferring Files

If you have valid credentials, you can use the following command to download all files recursively.

wget --mirror 'ftp://<username>:<password>@<ipAddress>

Enumeration Cheatsheets

Enumerating HTTP Ports (80, 443, 8080, etc.)

When enumerating, we want to be able to identify the software/versions that are fulfilling the following roles. This document intends to serve as a guide for hunting for the answers.

  • Web Application – WordPress, CMS, Drupal, etc.
  • Web Technologies – Node.js, PHP, Java, etc.
  • Web Server – Apache, IIS, Nginx, etc.
  • Database – MySQL, MariaDB, PostgreSQL, etc.
  • OS – Ubuntu Linux, Windows Server, etc.

Using Curl

Pulling out internal/external links from source code.
curl <address> -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//'

To view just HTTP Links:
curl -s <address> | grep -Eo '(href|src)=".*"' | sed -r 's/(href|src)=//g' | tr -d '"' | sort

Strip out the HTML code from source-code of webpage.
curl <address> -s -L | html2text -width '99' | uniq

Check for contents of robots.txt.
curl <address>/robots.txt -s | html2text

Using Nikto

To perform a scan.
sudo nikto -host=http://<address>/

Using Ferox Buster

If you’re looking for a “Set it and forget it” solution to content discovery, Ferox Buster is your tool.

feroxbuster --url http://<address>/

Using Gobuster

First, lets start with an initial scan on the address using a default wordlist. We’ll have it return results for most response codes.

For invalid HTTPS certificates, you can include -k to any of these commands to bypass cert checks.

gobuster dir -u http://<address>/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -s '200,204,301,302,307,403,500' -e -x txt,php,html

After common finishes, I like to use the following to dig deeper.

gobuster dir -u http://<address>/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -s '200,204,301,302,307,403,500' -e -x txt,html,php,asp

Depending on the application, I may wish to use the Raft wordlist instead.
gobuster dir -u http://<address>/ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -s '200,204,301,302,307,403,500' -e -x txt,html,php,asp -o gobust/root.dir

We can also leverage the following wordlist to look for CGI URLs.

gobuster dir -u http://<address>/ -w /usr/share/dirb/wordlists/vulns/cgis.txt -s '200,204,301,302,307,403,500' -e

Note: If you start getting spammed with a particular response code, you can remove that from the -s flag.

If you find a cgi-bin directory, you may want to consider scanning it for .sh files. If one is found, see if you the machine is vulnerable to shellshock. There is an nmap script that can identify the vulnerability, but it isn’t always reliable. May be beneficial to run it through a tool like Burp to look at the requests.

Using Dirsearch

This is a tool you can get from Github. It provides much of the same functionality as Gobuster.

The following syntax will run the tool to enumerate php and html files. It will exclude responses w/ code 400, 401, and 403.

python3 dirsearch.py -u http://url.tld -e php,html -x 400,401,403

Using WFuzz

Subdomain Enumeration. Check out the post I made on this topic over at https://infinitelogins.com/2020/09/02/bruteforcing-subdomains-wfuzz/

Valid User Enumeration. Check out the post I made on this topic over at https://infinitelogins.com/2020/09/07/bruteforcing-usernames-w-wfuzz/

Enumerating valid parameters in URLs. You can run the following command to try and brute-force valid parameter names.
wfuzz -u http://<address>/?FUZZ=index -w /usr/share/seclists/Discovery/Web-Content/common.txt

Enumeration Checklist

Once you feel you’ve enumerated everything, just check your work against this list to make sure you’re not missing anything.

  • Did you brute force directories?
    • Did your brute force search recursively?
    • Did your brute force include file extensions?
    • Is your brute force case-sensitive?

  • Did you enumerate the hostname of the box and updated your /etc/hosts file to include it?
    • Did you enumerate subdomains?
    • Did you brute force directories when browsing to it via hostname?

  • Did you review every webpage on the box for clues?
    • Did you review the source code?
    • Are there usernames hidden anywhere?
    • Are there specific version details provided?

  • Did you check for vulnerable technologies?
    • If you’re able to enumerate version information, did you searchsploit and/or research for public exploits?
    • What about for PHP or ASP?
    • What about for WordPress or Drupal?
    • What about for Apache or IIS?
    • Can you use a specific tool like WPSCAN to enumerate further?

  • Did you find a login page?
    • Can you enumerate multiple users on it?
    • Can you brute-force it?
    • Can you perform an injection attack (SQL, XSS, etc.)?
  • If there is HTTPS on the page, did you check the certificate for details?
    • Does the cert contain specific email addresses?
    • Does the cert contain information about a hostname of the box?
    • Is the cert valid on other domain-names?

  • Are there other ports running HTTP or HTTPS that you need to repeat all of this on?
Enumeration Cheatsheets

Enumerating SMB, RPC, and NetBIOS for Pentesting (Ports 445, 135-139)

This post contains various commands and methods for performing enumeration of the SMB, RPC, and NetBIOS services. This article will be expanded upon as time goes on.

Using NMAP

Scan for popular RCE exploits.
sudo nmap -p 139,445 --script smb-vuln* <ip-addr> -oA nmap/smb-vuln

Identify the SMB/OS version.
nmap -v -p 139,445 --script=smb-os-discovery.nse <ip-addr>

Enumerate users once you have valid credentials:
sudo nmap --script=smb-enum-users -p 445 --script-args smbuser=<user>,smbpass=<password>


To scan a subnet for list of hostnames:
nbtscan -v <targetRange>


To list out the shares and associated permissions with Anonymous Access:
smbmap -H <ip-addr>

To list out shares recursively from hosts in a file and enumerate OS:

smbmap.py --host-file <targets.txt> -v -R -g

To list out the shares recursively:
smbmap -R <sharename> -H <ip-addr>

To list shares as an authenticated user:
smbmap -d <domain> -u <username> -p <password> -H <ip-addr>

To list the shares as a Guest user, just provide a username that doesn’t exist.
smbmap -u DoesNotExist -H <ip-addr>

To download a particular file.
smbmap -R <sharename> -H <ip-addr> -A <filename> -q


To list out the shares:
smbclient -L \\\\<ip-addr>

To connect to shares:
sudo smbclient \\\\<ip-addr>\\<share>

Downloading files:
Once connected, you can download files. You’ll want to disable interactive prompts and turn recursive mode ON.

smb: /> prompt
smb: /> recurse

smb: /> mget *


Testing for Null or Authenticated Sessions:
To test for null sessions, you can use the following command. If it connects, then you’ll be able to issue rpc client commands for further enumeration.
rpcclient -U "" -N [ip]

Have valid credentials? Use them to connect:
rpcclient -U <user>

Once connected, there are various queries you can run.

To enumerate printers:

To enumerate users and groups:

The above command will output user/group RIDs. You can pass those into further queries like:
querygroup <RID>
querygroupmem <RID>
queryuser <RID>


The following command will attempt to establish a null session with the target and then use RPC to extract useful information.
enum4linux -a [ip]

Example output is long, but some highlights to look for:

  • Listing of file shares and printers.
  • Domain/Workgroup information.
  • Password policy information.
  • RID cycling output to enumerate users and groups.


Bruteforcing credentials:
use auxiliary/scanner/smb/smb_login
set PASS_FILE /usr/share/seclists/Passwords/Common-Credentials/best15.txt
set USER_FILE /usr/share/seclists/Usernames/top-usernames-shortlist.txt
set RHOSTS <ipAddr>

Mounting SMB Shares in Linux

The following command will mount the remote file-share to /mnt/smb/ (this directory must exist first) and prompt you for the password.
mount -t cifs -o username=<user> //<targetIP>/<shareName> /mnt/smb/

Another way to mount a share from Linux is as follows:
sudo mount.cifs //<targetIP>/share /mnt/share username=,password=


Viewing file permissions, owners, and ACLs of shares.
smbcacls -N '//<targetIP>/<shareName>' /<childDir>

To use this recursively, you can use a for loop in Bash.
cd <mountedShare>
for i in $(ls); do echo $1; smbcacls -N '//<targetIP>/<shareName>' /$i; done

Enumeration from Windows Utilities

To get the Name Table:
nbtstat -A <targetIP>

To see a list of running shares:
net view <targetIP>

You can map a share to a drive letter, such as K:
net use K: \\<targetIP>\share

Testing for null session:
net use \\<targetIP>\IPC$ "" /u:""

Various Additional Tools:

  • WinFingerPrint
  • Nat10Bin
  • DumpSec

Gaining a Shell

Once you have valid credentials on the machine, or a valid NTLM hash, you can leverage the following guide to gain a shell.

Enumerating SMB Version

If your tools aren’t working to enumerate the version, you can establish a connection via smbclient and then extract the Samba/SMB version through a packetcapture. To automate the process, you can use the script available at https://github.com/rewardone/OSCPRepo/blob/master/scripts/recon_enum/smbver.sh

Troubleshooting Common Errors:

protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED

This error occurs because your modern tools are not able to communicate to older, insecure protocols. You just need to tell your smbd daemon to use the weaker and more insecure protocols.

Note: If you are using smbd in real life for file and printer sharing, I don’t recommend leaving you system like this.

Open the following files in your favorite text editor.


Find the Global section, and add the following line.

client min protocol = LANMAN1

With that line added, restart your smdb service and you should now be able to connect.

service smbd restart