# Enumeration Principles

- enumeration includes information gathering using active (scans) and passive (use of third-party providers) methods
- OSINT is separate from enumeration
- info can be gathered from domains, IP addresses, accessible services, and other sources
- goal: find all ways to get at a system, not simply getting onto the system
- map out a target's external and internal structure; understand its defensive posture

1. there is more than meets the eye; consider all points of view
2. distinguish between what we see and what we don't see
3. there are always more ways to gain more info; understand the target

# Enumeration Methodology

| Layer | Description | Info Categories |
| --- | --- | --- |
| 1. Internet Presence (infra) | identify internet presence and externally accessible infrastructure | domains, subdomains, vHosts, ASN, netblocks, IP addresses, cloud instances, security measures |
| 2. Gateway (infra) | identify possible security measures that do (or should) protect external and internal infrastructure | Firewalls, DMZ, IPS/IDS, EDR, Proxies, NAC, Network Segmentation, VPN, Cloudflare |
| 3. Accessible Services (host) | identify accessible interfaces and services that are hosted externally or internally | Service Type, Functionality, Configuration, Port, Version, Interface |
| 4. Processes (host) | identify internal processes, sources, and destinations associated with the services | PID, Processed Data, Tasks, Source, Destination |
| 5. Privileges (OS) | identify internal permissions and privileges to the accessible services | Groups, Users, Permissions, Restrictions, Environment |
| 6. OS Setup (OS) | identify internal components and system setup | OS Type, Patch Level, Network config, OS Environment, Configuration files, sensitive private files |