Enumeration Cheatsheets

Without data, you’re just another person with an opinion.

W. Edwards Deming

Recent Posts

Enumerating NFS Shares (Port 2049)

NFS shares are not only common to come across during the OSCP and in capture the flag events like Hack The Box, but they’re also common to see during internal pentest engagements. This post intends to serve as a guide for enumerating an NFS share and the different opportunities for abusing its functionality. Note: In Linux […]

Enumerating WinRM (Port 5985)

This post intends to provide a list of helpful commands and tools that you can use when enumerating Port 5985 on a machine. This list is far from exhaustive and will be updated as time progresses. Getting a Shell w/ EvilWinRM You can download this tool from GitHub at the following location: https://github.com/Hackplayers/evil-winrm With that tool […]

Enumerating DNS (Port 53)

This post intends to provide a list of helpful commands and tools that you can use when enumerating Port 53 on a machine. This list is far from exhaustive and will be updated as time progresses. Enumerating Hostname of Server Run the following commands to see if you can make the server leak its own […]

Enumerating LDAP Port (389)

This post intends to provide a list of helpful commands and tools that you can use when enumerating Port 389 on a machine. This list is far from exhaustive and will be updated as time progresses. Let’s start by performing a search with simple authentication: ldapsearch -h <targetIP> -x If you get results back, let’s […]

Enumerating IPSEC IKE/ISAKMP Ports (500, 4500, etc.)

If you find UDP ports 500 or 4500, the box is likely running some sort of IPSEC VPN tunnel. This post intends to serve as a guide for enumerating these ports and a list of tools that can help you. Table of Contents Helpful Commands Installing IPSEC VPN Client on Linux Installing IPSEC VPN Client […]

Enumerating FTP for Pentesting (Port 21)

Basic Enumeration Attempt to connect anonymously by issuing the below command and specifying the following credentials: anonymous:anonymous. ftp <ipAddress> You can perform banner grabbing w/ the following Metasploit module. use auxiliary/scanner/ftp/ftp_version You can perform brute force with the following Metasploit module. use auxiliary/scanner/ftp/ftp_login Transferring Files If you have valid credentials, you can use the following […]

Enumerating HTTP Ports (80, 443, 8080, etc.)

When enumerating, we want to be able to identify the software/versions that are fulfilling the following roles. This document intends to serve as a guide for hunting for the answers. Web Application – WordPress, CMS, Drupal, etc. Web Technologies – Node.js, PHP, Java, etc. Web Server – Apache, IIS, Nginx, etc. Database – MySQL, MariaDB, […]

Enumerating SMB and RPC for Pentesting (Ports 445, 139)

Using NMAP Scan for popular RCE exploits. sudo nmap -p 139,445 --script smb-vuln* <ip-addr> -oA nmap/smb-vuln Identify the SMB/OS version. nmap -v -p 139,445 --script=smb-os-discovery.nse <ip-addr> Using SMBMAP To list out the shares and associated permissions with Anonymous Access: smbmap -H <ip-addr> To list out the shares recursively: smbmap -R <sharename> -H <ip-addr> To list shares as an […]
