Service Enumeration

Infrastructure Enumeration

Check Certificate transparency

curl -s https://crt.sh/\?q\=<target-domain>\&output\=json | jq .

Scan IP Addresses using Shodan

for i in $(cat ip-addresses.txt);do shodan host $i;done

Scan Domain using whois

whois <Domain> 

Service-Based Enumeration

FTP Enumeration

# Interact with FTP service
ftp <IP>                                                 
# Interact with FTP through NC
nc -nv <IP> 21                                           
# Interact with FTP through telnet
telnet <IP> 21                                           
# Interact with FTP through openssl
openssl s_client -connect <IP>:21 -starttls ftp          
# Download all files on FTP
wget -m --no-passive ftp://anonymous:anonymous@<target>  

SSH Enumeration

# Security audit/check against the target SSH service
ssh-audit.py <IP>
# Log in to the SSH server using the SSH client.
ssh <user>@<IP>
# Log in to the SSH server using private key.
chmod 600 <key>
ssh -i <key> <user>@<IP>
# (Pre-OpenSSH 7.7) User enumeration
hydra -L users.txt -p invalidpass ssh://<IP>

DNS Enumeration

# NS Request to the target
dig ns <domain.tld> @<nameserver>      
# ANY Request to the target     
dig any <domain.tld> @<nameserver>          
# AXFR Zone transfer to the target
dig axfr <domain.tld> @<nameserver>         
# MX Request to the target
dig mx <domain.tld> @<nameserver>           
# TXT Request to the target
dig txt <domain.tld> @<nameserver>          
# Enumerate subdomains with dnsenum
dnsenum --dnsserver <nameserver> --enum -p 0 -s 0 -o found_subdomains.txt -f ~/subdomains.list <domain.tld>

SMB Enumeration

# Null session authentication on SMB
smbclient -N -L //<IP>
# Connect to a specific SMB share
smbclient //<IP>/<share>
# Enumerating SMB shares.
smbmap -H <IP>
# SMB enumeration using enum4linux
enum4linux <FQDN/IP> -A
Enumerating SMB shares using null session authentication.
crackmapexec smb <FQDN/IP> --shares -u '' -p ''
# Username enumeration using Impacket

NFS Enumeration

# Show available NFS shares
showmount -e <IP>
# Mount the specific NFS share to ./NFS
mount -t nfs <IP>:/<share> ./NFS/ -o nolock
# Unmount the specific NFS share
umount ./target-NFS

IMAPS/POP3 Enumeration

# Log in to the IMAPS service using curl
curl -k 'imaps://<IP>' --user <user>:<passwd>
# Connect to the IMAP service through openssl
openssl s_client -connect <FQDN/IP>:imaps
# Connect to the POP3s service through openssl
openssl s_client -connect <FQDN/IP>:pop3s

SMTP Enumeration

# Interact with SMTP using telnet
telnet <IP> 25

SNMP Enumeration

# Querying OIDs using snmpwalk
snmpwalk -v2c -c <community string> <IP>
# Bruteforcing community strings of the SNMP service
onesixtyone -c community-strings.list <FQDN/IP>
# Bruteforcing SNMP service OIDs
braa <community string>@<FQDN/IP>:.1.*

MySQL Enumeration

# Login to the MySQL server
mysql -u <user> -p<password> -h <FQDN/IP>
# Scan MySQL Server using nmap scripts
nmap -p3306 -sC --script=mysql-info,mysql-users,mysql-enum <IP>
# (Authenticated) Scan MySQL Server using nmap scripts
nmap -p3306 --script=mysql-enum,mysql-databases,mysql-variables --script-args='mysqluser=root,mysqlpass=toor' <TARGET> 

MSSQL Enumeration

# Log in to the MSSQL server using Windows authentication
mssqlclient.py <user>@<FQDN/IP> -windows-auth
# Scan MSSQL using nmap scripts
nmap -p1433 --script=ms-sql-info,ms-sql-empty-password,ms-sql-brute <TARGET>

IPMI Enumeration

# IPMI version detection using Metasploit
msf6 auxiliary(scanner/ipmi/ipmi_version)
# Dump IPMI hashes using Metasploit
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes)

WnRM Enumeration

# Perform a security check/audit
rdp-sec-check.pl <IP>
# Log in to the RDP server from Linux
xfreerdp /u:<user> /p:"<password>" /v:<IP>
# Log in to the WinRM server
evil-winrm -i <IP> -u <user> -p <password>
# User validity check using CrackMapExec (null session or password spray)
crackmapexec winrm <target> -u <usersfile> -p '<passwd>' --no-bruteforce
# Check Single-User 
crackmapexec winrm <target> -u <user> -p '<passwd>'