# Passive Recon

1. Gather public info
    - DNS, [[5 - CPTS/3 - CPTS Notes/9 - Info Gathering (web)/1 - WHOIS|WHOIS]], [[5 - CPTS/3 - CPTS Notes/9 - Info Gathering (web)/5 - Certificate Transparency Logs|Certificate Transparency Logs]], company structure
2. Search for public data leaks
    - [[5 - CPTS/3 - CPTS Notes/9 - Info Gathering (web)/8 - Search Engine Discovery|Google Dorks]], GitHub, Pastebin, [[5 - CPTS/3 - CPTS Notes/9 - Info Gathering (web)/9 - Web Archives|Web Archives]]

# Active Recon

1. Discover all active hosts on the target network
    - Host discovery without a port scan (as root: ICMP echo, TCP SYN to 443, TCP ACK to 80, ICMP timestamp; ARP when the target is on the local subnet): `nmap TARGET -sn`
    - ICMP sweep
        - `fping -asg 10.10.x.x/16` (`-a` show alive hosts, `-s` print stats, `-g` generate targets from the CIDR)
        - `for i in {1..254};do (ping -c 1 172.16.1.$i | grep "bytes from" &);done`
    - ARP scan (local subnet only, but host firewalls that drop ICMP cannot hide from it)
    - Add discovered hosts to `hosts.txt` and `/etc/hosts`
2. For each active host, scan all TCP/UDP ports
    - Document all open ports
    - `--min-rate 2000` can lose ports on a lossy link; rerun without it if results look sparse
    ```bash
    mkdir -p nmap
    nmap -p- TARGET --min-rate 2000 -Pn -oN nmap/light
    # create a comma-separated list of ports for the detailed nmap scan below (sed -z is GNU sed)
    grep -vi "nmap" nmap/light | grep / | cut -d'/' -f 1 | sed -z 's/\n/,/g; s/,$/\n/'
    # UDP scan of the top 1000 ports (needs root)
    nmap --top-ports 1000 -sU TARGET
    ```
3. Run a detailed `nmap` scan against the open ports
    - Document services and versions
    - Also perform manual `nc` banner grabbing
    ```bash
    # -O (OS detection) needs root
    nmap -p<comma_separated_list> TARGET -sC -sV -O -oA nmap/detailed
    ```
4. Check file share services for anonymous login and credential files
    - [[5 - CPTS/3 - CPTS Notes/2 - Footprinting/1 - Service Enumeration/FTP (20,21)|FTP (20,21)]]
    - [[5 - CPTS/3 - CPTS Notes/2 - Footprinting/1 - Service Enumeration/SMB (139,445)|SMB (139,445)]]
    - [[5 - CPTS/3 - CPTS Notes/2 - Footprinting/1 - Service Enumeration/NFS (111,2049)|NFS (111,2049)]]
    - Common anonymous/default login creds (`user:password`):
        - `"":""`
        - `guest:""`
        - `admin:admin`
        - `admin:""`
        - `anonymous:anonymous`
        - `anonymous:""`
        - `backup:backup`
        - `ftp:ftp`
        - `guest:guest`
5. Perform tailored enumeration on all services
    - [[5 - CPTS/3 - CPTS Notes/2 - Footprinting/1 - Service Enumeration/DNS (53)|DNS (53)]]
    - [[5 - CPTS/3 - CPTS Notes/2 - Footprinting/1 - Service Enumeration/SMTP (25,465,587)|SMTP (25,465,587)]]
    - [[5 - CPTS/3 - CPTS Notes/2 - Footprinting/1 - Service Enumeration/IMAP (143,993) & POP3 (110,995)|IMAP (143,993) & POP3 (110,995)]]
    - [[5 - CPTS/3 - CPTS Notes/2 - Footprinting/1 - Service Enumeration/SNMP (161,162)|SNMP (161,162)]]
    - [[5 - CPTS/3 - CPTS Notes/2 - Footprinting/1 - Service Enumeration/MySQL (3306)|MySQL (3306)]]
    - [[5 - CPTS/3 - CPTS Notes/2 - Footprinting/1 - Service Enumeration/MSSQL (1433)|MSSQL (1433)]]
    - [[5 - CPTS/3 - CPTS Notes/2 - Footprinting/1 - Service Enumeration/Oracle TNS (1521)|Oracle TNS (1521)]]
    - [[5 - CPTS/3 - CPTS Notes/2 - Footprinting/1 - Service Enumeration/Linux Remote Mgmt (SSH, Rsync, R-Services)|Linux Remote Mgmt (SSH, Rsync, R-Services)]]
    - [[5 - CPTS/3 - CPTS Notes/2 - Footprinting/1 - Service Enumeration/Windows Remote Mgmt (RDP, WinRM, WMI)|Windows Remote Mgmt (RDP, WinRM, WMI)]]
    - [[5 - CPTS/3 - CPTS Notes/2 - Footprinting/1 - Service Enumeration/IPMI (623)|IPMI (623)]]
    - LDAP (389,636,3268,3269) - see [https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-ldap.html](https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-ldap.html)
6. Check for vulnerabilities in the discovered service versions
    - Use `searchsploit` **AND** Google **AND** `msf` (a missing result in one of them is not a negative)
    - Document discovered vulnerabilities
7. If a webserver is present, move to [[5 - CPTS/1 - Methodologies/2 - Webserver Enum|Webserver Enum]]
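Active-recon steps 1 to 3 wrapped as one script. This is an added example, not part of the original notes: it assumes `nmap` is installed and the script runs as root (`-O` and `-sU` need raw sockets), the `nmap/` output directory and the `_light`/`_detailed`/`_udp` file suffixes are naming choices made here, and `extract_open_ports` replaces the `grep | cut | sed` pipeline with a parser that keeps only `open` (and UDP `open|filtered`) ports, so a filtered port no longer ends up in the detailed scan's port list.

```bash
#!/usr/bin/env bash
# Added example, not from the original notes: wraps active-recon steps 1-3.
# Assumptions: nmap is installed and the script runs as root (-O and -sU need
# raw sockets); scan output goes under ./nmap/ (directory name chosen here).
set -eu

# Step 1: host discovery without a port scan. nmap -sn uses ARP on a local
# subnet and ICMP/TCP probes otherwise. Greppable output (-oG) gives one
# "Host: <ip> ()  Status: Up" line per live host; the alive IPs go to $out.
discover_hosts() {
    local cidr="$1" out="${2:-hosts.txt}"
    nmap -sn -n "$cidr" -oG - | awk '/Status: Up/ { print $2 }' | tee "$out"
}

# Parse nmap normal output (-oN) and return the open ports as "22,80,445".
# Only "<port>/<proto> open ..." lines are kept; the "# Nmap ..." header and
# footer, the "PORT STATE SERVICE" header and closed/filtered ports are
# ignored. The match also covers UDP "open|filtered", which is usually worth
# a closer look. Prints an empty line when nothing is open.
extract_open_ports() {
    local scan_file="$1"
    awk '/^[0-9]+\/(tcp|udp)[ \t]+open/ {
             split($1, p, "/")
             ports = ports (length(ports) ? "," : "") p[1]
         }
         END { print ports }' "$scan_file"
}

# Steps 2-3: full TCP sweep, then -sC -sV -O on just the open ports, then the
# top-1000 UDP ports. Returns 1 (skipping the detailed scan) if nothing is open.
scan_host() {
    local target="$1" ports
    mkdir -p nmap
    nmap -p- "$target" --min-rate 2000 -Pn -n -oN "nmap/${target}_light" >/dev/null
    ports=$(extract_open_ports "nmap/${target}_light")
    if [ -z "$ports" ]; then
        echo "[-] $target: no open TCP ports (retry without --min-rate if unexpected)" >&2
        return 1
    fi
    echo "[+] $target: open TCP ports $ports" >&2
    nmap -p"$ports" "$target" -sC -sV -O -Pn -n -oA "nmap/${target}_detailed"
    nmap --top-ports 1000 -sU "$target" -Pn -n -oN "nmap/${target}_udp"
}

# Usage: ./recon.sh 10.10.10.0/24 [hosts.txt]
# With no arguments only the functions are defined, so the file can be sourced
# and extract_open_ports reused on scans you already have.
main() {
    local cidr="$1" hosts="${2:-hosts.txt}"
    discover_hosts "$cidr" "$hosts" >/dev/null
    while read -r host; do
        [ -n "$host" ] || continue
        scan_host "$host" || true   # keep going when one host has nothing open
    done < "$hosts"
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as root against the in-scope range; `hosts.txt` is the list to copy into `/etc/hosts`, and `nmap/<ip>_detailed.*` holds the `-oA` output (normal, greppable and XML) for the report. The parser deliberately drops `filtered` ports: feeding them to `-sC -sV` only slows the detailed scan, and they are better noted separately from the open ones.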