# Passive Recon
1. Gather public info
    - DNS, [[5 - CPTS/3 - CPTS Notes/9 - Info Gathering (web)/WHOIS|1 - WHOIS]], [[5 - CPTS/3 - CPTS Notes/9 - Info Gathering (web)/5 - Certificate Transparency Logs|Certificate Transparency Logs]], company structure
2. Search for public data leaks
    - Google Dorks, GitHub, Pastebin
# Active Recon
1. Discover all active hosts on target network
    - Host discovery (ping scan, no port scan): `nmap TARGET -sn`
    - ICMP sweep
        - `fping -asg 10.10.x.x/16`
        - `for i in {1..254}; do (ping -c 1 172.16.1.$i | grep "bytes from" &); done; wait`
    - ARP scan
    - Add discovered hosts to `hosts.txt` and `/etc/hosts`
2. For each active host, scan all TCP/UDP ports
    - Document all open ports
    ```bash
    nmap -p- TARGET --min-rate 2000 -Pn --open
    sudo nmap -p- -sU TARGET --min-rate 2000 -Pn
    ```
3. Run a detailed `nmap` scan based on open ports
    - `sudo nmap -p<comma_separated_list> TARGET -sC -sV -O` (`-O` needs root)
    - Perform manual `nc` banner grabbing
    - Document services and versions
4. Check file share services for anonymous login and credential files
    - [[5 - CPTS/3 - CPTS Notes/2 - Footprinting/1 - Service Enumeration/FTP (20,21)|FTP (20,21)]]
    - [[5 - CPTS/3 - CPTS Notes/2 - Footprinting/1 - Service Enumeration/SMB (139,445)|SMB (139,445)]]
    - [[5 - CPTS/3 - CPTS Notes/2 - Footprinting/1 - Service Enumeration/NFS (111,2049)|NFS (111,2049)]]
5. Perform tailored enumeration on all services
    - [[5 - CPTS/3 - CPTS Notes/2 - Footprinting/1 - Service Enumeration/DNS (53)|DNS (53)]]
    - [[5 - CPTS/3 - CPTS Notes/2 - Footprinting/1 - Service Enumeration/SMTP (25,465,587)|SMTP (25,465,587)]]
    - [[5 - CPTS/3 - CPTS Notes/2 - Footprinting/1 - Service Enumeration/IMAP (143,993) & POP3 (110,995)|IMAP (143,993) & POP3 (110,995)]]
    - [[5 - CPTS/3 - CPTS Notes/2 - Footprinting/1 - Service Enumeration/MySQL (3306)|MySQL (3306)]]
    - [[5 - CPTS/3 - CPTS Notes/2 - Footprinting/1 - Service Enumeration/MSSQL (1433)|MSSQL (1433)]]
    - [[5 - CPTS/3 - CPTS Notes/2 - Footprinting/1 - Service Enumeration/Oracle TNS (1521)|Oracle TNS (1521)]]
    - [[5 - CPTS/3 - CPTS Notes/2 - Footprinting/1 - Service Enumeration/Linux Remote Mgmt (SSH, Rsync, R-Services)|Linux Remote Mgmt (SSH, Rsync, R-Services)]]
    - [[5 - CPTS/3 - CPTS Notes/2 - Footprinting/1 - Service Enumeration/Windows Remote Mgmt (RDP, WinRM, WMI)|Windows Remote Mgmt (RDP, WinRM, WMI)]]
    - [[5 - CPTS/3 - CPTS Notes/2 - Footprinting/1 - Service Enumeration/IPMI (623)|IPMI (623)]]
6. Check for known vulnerabilities in discovered service versions
    - Use both `searchsploit` and Google
    - Document discovered vulnerabilities
7. If a webserver is present, move to [[5 - CPTS/1 - Methodologies/2 - Webserver Enum|Webserver Enum]]
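Steps 2 and 3 both end in "document it": the full-port scan produces open ports, and the detailed scan needs them as a comma-separated list. The helper below is an added example (not part of the original note) that parses nmap's grepable `-oG` output into a per-host port table and builds the `-p` list for the follow-up scan. The `SAMPLE_GNMAP` text is constructed to match the `-oG` line format, not captured from a real scan, and treating `open|filtered` as open (so UDP results are not silently dropped) is an assumption made here.

```python
"""Parse nmap grepable (-oG) output into per-host open ports and a `-p` list.

Added example for the documentation steps of this checklist; not part of the
original note. SAMPLE_GNMAP below is a constructed sample in the -oG format.
"""
import re
from collections import defaultdict

# Assumption: 'open|filtered' (common for UDP) counts as open for follow-up.
OPEN_STATES = {"open", "open|filtered"}

# Constructed sample of `nmap -oG` output (not a real scan).
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.10.10.5 ()\tStatus: Up
Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18.0/, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (997)
Host: 10.10.10.7 ()\tStatus: Up
Host: 10.10.10.7 ()\tPorts: 53/open/udp//domain///, 161/open|filtered/udp//snmp///, 123/closed/udp//ntp///
# Nmap done (constructed sample)
"""

# Host line: "Host: <ip> (<hostname>)\tPorts: <entries>[\tIgnored State: ...]"
HOST_RE = re.compile(
    r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\tIgnored State.*)?$"
)
# Entries are separated by ", " followed by the next port number and a slash;
# splitting this way survives commas inside version strings.
ENTRY_SPLIT_RE = re.compile(r",\s+(?=\d+/)")


def parse_gnmap(text):
    """Return {ip: [(port, proto, service, version), ...]} for open ports."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and "Status: Up" lines carry no ports
        ip, _hostname, ports_field = m.groups()
        for entry in ENTRY_SPLIT_RE.split(ports_field):
            # -oG port entry: port/state/proto/owner/service/rpc/version/
            fields = entry.split("/")
            if len(fields) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            if state in OPEN_STATES:
                hosts[ip].append((int(port), proto, service, version))
    return dict(hosts)


def port_spec(entries, proto="tcp"):
    """Comma-separated port list for `nmap -p`, e.g. '22,80' (empty if none)."""
    return ",".join(str(port) for port, pr, *_ in sorted(entries) if pr == proto)


def report(hosts):
    """Tab-separated documentation lines: ip, port/proto, service, version."""
    lines = []
    for ip in sorted(hosts):
        for port, proto, service, version in sorted(hosts[ip]):
            lines.append(f"{ip}\t{port}/{proto}\t{service}\t{version}".rstrip())
    return lines


if __name__ == "__main__":
    found = parse_gnmap(SAMPLE_GNMAP)
    for line in report(found):
        print(line)
    # Emit the step-3 command for each host that has open TCP ports.
    for ip, entries in sorted(found.items()):
        tcp = port_spec(entries)
        if tcp:
            print(f"# next: sudo nmap -p{tcp} {ip} -sC -sV -O")
```

To use it on a real run, add `-oG scan.gnmap` to the step-2 commands and feed the file's contents to `parse_gnmap`; the `report` lines can be pasted straight into the findings notes, and the TCP port list goes into the `-p` argument of the step-3 scan.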