Enumeration Cheat Sheet
Introduction
Welcome to the blog's Enumeration Cheat Sheet! I will be actively updating it through commits as needed.

Scanning

| Scanning | Description |
|---|---|
| Service Scanning | |
| `nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn 10.10.10.10 -oG allPorts` | Nmap custom basic port scan, saving the output in grepable format to a file called allPorts |
| `nmap -sCV -p21,22,80 10.10.10.10` | Nmap basic recon scan (default scripts plus version detection) over specific ports |
| `nmap --script smb-os-discovery.nse -p21,22,80 10.10.10.10` | Run an nmap script on an IP |
| `nmap -sV --script=banner -p21,22,80 10.10.10.10` | Run an nmap script for banner grabbing |
| `locate scripts/citrix` | List the available nmap scripts (here, the ones matching "citrix") |
| `masscan -p21,22,80 -Pn 10.10.10.10/16 --rate=10000` | Valid alternative to nmap |
| `arp-scan -I eth0 --localnet --ignoredups` | ARP scan in the local network |
| `netdiscover` | Utility to discover hosts in the local network via ARP |
| `echo '' > /dev/tcp/10.10.10.10/$PORT` | Check whether a TCP port is open through Bash's /dev/tcp pseudo-device, an alternative to ICMP |
| Web Enumeration | |
| `gobuster dir -u http://10.10.10.10/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 20` | Run a directory scan on a website using 20 threads |
| `curl -IL https://10.10.10.10` | Grab the website's headers/banner |
| `whatweb 10.10.10.10` | List details about the web server/certificates |
| `whatweb --no-errors 10.10.10.10/16` | Web app enumeration across a network |
| `ctrl+u` | View page source code (in Firefox) |
| `openssl s_client -connect test.local:443` | Inspect the site's SSL certificate |
| `sslscan test.local` | Scan the TLS configuration of an HTTPS site for weak protocols and ciphers |
| Other Services Enumeration | |
| `smbclient -N -L //10.10.10.10` | List SMB shares (null session) |
| `smbmap -H 10.10.10.10` | List SMB shares and their permissions |
| `smbclient //10.10.10.10/share -N` | Connect to an SMB share as 'guest' (no password) to see files |
| `smbclient //10.10.10.10/share -U 'user%password'` | Connect to an SMB share with credentials |
| `netcat 10.10.10.10 8080` | Banner grabbing |
| `ftp -p 10.10.10.10` | Connect to FTP in passive mode and log in as anonymous |
| `snmpwalk -v 2c -c public 10.10.10.10 1.3.6.1.2.1.1.5.0` | Query SNMP on an IP with the `public` community string (this OID is sysName) |
| `onesixtyone -c dict.txt 10.10.10.10` | Brute force the SNMP community string with a wordlist |

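The first two nmap rows are normally chained: the grepable allPorts file feeds the `-p` list of the `-sCV` follow-up. As an added example that is not part of the original cheat sheet, this POSIX shell script does that parsing; the sample file contents are constructed to imitate nmap's `-oG` layout, and the function names are my own.

```shell
#!/bin/sh
# Added example: build the "nmap -sCV -p<ports> <host>" follow-up command
# from the grepable file produced by "nmap ... -oG allPorts".

# write_sample FILE: writes a constructed imitation of nmap -oG output
# (not a real scan; the tabs mimic nmap's field separator).
write_sample() {
    printf '# Nmap 7.94 scan initiated (constructed sample)\n' > "$1"
    printf 'Host: 10.10.10.10 ()\tStatus: Up\n' >> "$1"
    printf 'Host: 10.10.10.10 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 80/open/tcp//http///, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (65531)\n' >> "$1"
    printf '# Nmap done (constructed sample)\n' >> "$1"
}

# extract_open_ports FILE: prints only ports in state "open", e.g. 21,22,80
# (filtered ports are skipped so they do not slow the -sCV scan).
extract_open_ports() {
    grep -oE '[0-9]+/open/' "$1" | cut -d/ -f1 | sort -n -u \
        | tr '\n' ',' | sed 's/,$//'
}

# extract_target FILE: prints the scanned host taken from the first Host: line
extract_target() {
    grep -m1 -oE '^Host: [0-9.]+' "$1" | cut -d' ' -f2
}

# build_sCV_cmd FILE: prints the follow-up nmap command, fails if nothing is open
build_sCV_cmd() {
    ports=$(extract_open_ports "$1")
    target=$(extract_target "$1")
    [ -n "$ports" ] || { echo "no open ports found in $1" >&2; return 1; }
    echo "nmap -sCV -p$ports $target"
}

# Usage with the constructed sample file
f=$(mktemp)
write_sample "$f"
build_sCV_cmd "$f"   # prints: nmap -sCV -p21,22,80 10.10.10.10
rm -f "$f"
```

With a real scan, replace the constructed file with the allPorts file written by the first nmap command.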
OSINT
OS Version
| Ubuntu | OpenSSH | Apache | nginx |
|---|---|---|---|
| 14.04 - trusty [LTS] | 6.6p1 | 2.4.7 | 1.4.6 |
| 14.10 - utopic | 6.6p1 | 2.4.10 | 1.6.2 |
| 15.04 - vivid | 6.7p1 | 2.4.12 | 1.6.2 |
| 15.10 - wily | 6.9p1 | 2.4.12 | 1.6.2 |
| 16.04 - xenial [LTS] | 7.2p1 | 2.4.18 | 1.10.0 |
| 16.10 - yakkety | 7.2p1 | 2.4.18 | 1.10.0 |
| 17.04 - zesty | 7.4p1 | 2.4.25 | 1.12.0 |
| 17.10 - artful | 7.6p1 | 2.4.27 | 1.13.3 |
| 18.04 - bionic [LTS] | 7.6p1 | 2.4.29 | 1.14.0 |
| 18.10 - cosmic | 7.7p1 | 2.4.34 | 1.16.0 |
| 19.04 - disco | 7.9p1 | 2.4.35 | 1.16.0 |
| 19.10 - eoan | 7.9p1 | 2.4.41 | 1.17.3 |
| 20.04 - focal [LTS] | 8.2p1 | 2.4.41 | 1.18.0 |
| 20.10 - groovy | 8.2p1 | 2.4.46 | 1.18.0 |
| 21.04 - hirsute | 8.4p1 | 2.4.48 | 1.20.1 |
| 21.10 - impish | 8.4p1 | 2.4.51 | 1.20.1 |
| 22.04 - jammy [LTS] | 8.9p1 | 2.4.52 | 1.18.0 |
| 22.10 - kinetic | 8.9p1 | 2.4.52 | 1.22.0 |
| 23.04 - lunar | 9.0p1 | 2.4.54 | 1.24.0 |
| 23.10 - mantic | 9.3p1 | 2.4.57 | 1.24.0 |
| 24.04 - noble [LTS] | 9.6p1 | 2.4.58 | 1.24.0 |
| 24.10 - oracular | 9.7p1 | 2.4.62 | 1.26.0 |
| 25.04 - plucky | 9.9p1 | 2.4.63 | 1.26.3 |

| Debian | OpenSSH | nginx |
|---|---|---|
| 8 - Jessie | 6.7p1 | 1.6.2 |
| 9 - Stretch | 7.4p1 | 1.10.3 |
| 10 - Buster | 7.9p1 | 1.42.2 |
| 11 - Bullseye | 8.4p1 | 1.8.0 |
| 12 - Bookworm | 9.2p1 | 1.22.1 |

| Red Hat / CentOS | OpenSSH | Apache |
|---|---|---|
| 5 | 5.3p1 | 2.2.3 |
| 6 | 6.6p1 | 2.2.15 |
| 7 | 7.4p1 | 2.4.6 |
| 8 | 8.0p1 | 2.4.37 |
| 9 | 9.1p1 | 2.4.53 |

| Windows | IIS |
|---|---|
| Windows 10 / Server 2016 and later | Microsoft IIS httpd 10.0 |
| Windows 8.1 / Server 2012 R2 | Microsoft IIS httpd 8.5 |
| Windows 7 / Server 2008 R2 | Microsoft IIS httpd 7.5 |
| Windows XP (x64) / Server 2003 | Microsoft IIS httpd 6.0 |

Default Web Roots

| Web Server | Root |
|---|---|
| Apache | /var/www/html/ |
| nginx | /usr/local/nginx/html/ |
| IIS | C:\inetpub\wwwroot\ |
| XAMPP | C:\xampp\htdocs\ |