## folders and files

- create folders for each host
  - create sub-folders for enum, loot, files, exploits
  - store nmap scans in enum
- create notes.txt for quick reference
  - open ports and associated services+version numbers
  - interesting, non-default shares if available
  - credentials
- top level credentials files with colon delimiter
  - use for password spraying
  - breakout into users and passwords files
    - run cut or awk command on ":" delimiter
    - field 1/$1 = users
    - field 2/$2 = passwords
    - `cat creds.txt | cut -d ':' -f 1 > users`
    - `cat creds.txt | cut -d ':' -f 2 > passwords`
    - OR
    - `awk -F : '{print $1}' creds.txt > users`
    - `awk -F : '{print $2}' creds.txt > passwords`

## recon

- run broad nmap scan to reveal open ports
- run narrow nmap scan with scripts on open ports only
  - occasionally run again if typical ports aren't shown such as smb, rpc on initial windows host for AD scenario
- add resolvable names to /etc/hosts file for quality of life
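
The `cut -f 2` and `awk '{print $2}'` commands in the credentials breakout under "folders and files" keep only the text up to the next colon, so a password that itself contains ":" is truncated. The following is an added example, not part of the original notes, that splits on the first colon only; `split_creds`, `write_sample_creds`, the `--demo` switch and all sample values are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes). split_creds, write_sample_creds
# and all sample values below are assumptions constructed for illustration.

# Split on the FIRST colon only, so a password that itself contains ":" stays
# whole. `cut -f 2` and awk's $2 would keep only the part before the next colon.
split_creds() {
    local creds="$1" outdir="$2"
    [ -r "$creds" ] || { echo "cannot read: $creds" >&2; return 1; }
    mkdir -p "$outdir"
    : > "$outdir/users"        # always create both files, even if empty
    : > "$outdir/passwords"

    awk -v u="$outdir/users" -v p="$outdir/passwords" '
        { sub(/\r$/, "") }                 # tolerate CRLF line endings
        { i = index($0, ":") }             # position of the first colon
        i > 1 {                            # skip lines with no colon or no user
            user = substr($0, 1, i - 1)
            pass = substr($0, i + 1)
            if (!(user in seen_u)) { seen_u[user] = 1; print user > u }
            if (pass != "" && !(pass in seen_p)) { seen_p[pass] = 1; print pass > p }
        }
    ' "$creds"
}

# Constructed sample input: a colon inside a password, a duplicate user,
# a blank line, a line with no delimiter and a CRLF-terminated line.
write_sample_creds() {
    printf '%s\n' \
        'alice:Summer2024!' \
        'svc_sql:P@ss:word1' \
        '' \
        'not-a-credential-line' \
        'alice:Winter2023!' \
        > "$1"
    printf 'bob:Summer2024!\r\n' >> "$1"
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_sample_creds "$tmp/creds.txt"
    split_creds "$tmp/creds.txt" "$tmp/out"
    cat "$tmp/out/users" "$tmp/out/passwords"
fi
```

Users and passwords are de-duplicated in first-seen order, and lines without a delimiter are dropped instead of being copied into both files the way `cut` does without `-s`.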