📋 Enumeration Checklists
Step-by-step guides to help structure your recon and enumeration process efficiently.
➡️ Environment: See 00_environment_setup
🔍 General Enumeration
- Ping the target (if ICMP is allowed); if it does not answer but you know the host is up, add `-Pn` to the scans below so nmap does not skip it as "down"
- Run a full TCP port scan:
`nmap -sS -p- -T4 -oA allports $IP`
- Run the script + version scan only on the ports found open (`$PORTS` is the comma-separated list of open ports from `allports.gnmap`):
`nmap -sC -sV -T4 -p $PORTS -oA services $IP`
- Identify running services and their versions
- Check for services on non-standard ports (this is why the first scan uses `-p-` instead of the default top 1000)
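The two nmap steps above chain naturally: parse the open ports out of the first scan's greppable output and feed them to the second. The script below is an added example, not part of the original checklist. It assumes nmap is installed and run as root (`-sS` needs raw sockets), keeps the checklist's `allports`/`services` output prefixes, and reads the target from a `TARGET_IP` variable (an assumption for this example); the `.gnmap` line it parses for demonstration is constructed, not real scan output.

```bash
#!/usr/bin/env bash
# Added example (not from the original checklist): chain the full TCP scan into
# the script/version scan so -sC -sV only touches ports that were open.
set -eu

# extract_ports FILE: print the open TCP ports recorded in an nmap greppable
# (.gnmap) file as a sorted, de-duplicated, comma-separated list, which is the
# form nmap -p accepts. Filtered and closed ports are ignored.
extract_ports() {
  grep -h 'Ports:' "$1" \
    | tr ',' '\n' \
    | grep -oE '[0-9]+/open/tcp' \
    | cut -d/ -f1 \
    | sort -n -u \
    | paste -s -d ',' -
}

# run_scans IP: full TCP sweep, then -sC -sV restricted to what was open.
# Add -Pn to both nmap calls if the host drops ICMP and is reported as down.
run_scans() {
  ip=$1
  nmap -sS -p- -T4 -oA allports "$ip"
  ports=$(extract_ports allports.gnmap)
  if [ -z "$ports" ]; then
    echo "no open TCP ports parsed from allports.gnmap (host down? try -Pn)" >&2
    return 1
  fi
  nmap -sC -sV -T4 -p "$ports" -oA services "$ip"
}

# Constructed sample of one .gnmap host line (not real scan output) so the
# parser can be exercised without a target; note the filtered port is dropped
# and the list comes out sorted.
sample=$(mktemp)
printf 'Host: 10.10.10.5 ()\tPorts: 445/open/tcp//microsoft-ds///, 22/open/tcp//ssh///, 80/open/tcp//http///, 135/filtered/tcp//msrpc///\tIgnored State: closed (65531)\n' > "$sample"
extract_ports "$sample"   # -> 22,80,445
rm -f "$sample"

# Real use: TARGET_IP=10.10.10.5 ./enum.sh (assumed variable name; the script
# only scans when it is set).
if [ -n "${TARGET_IP:-}" ]; then run_scans "$TARGET_IP"; fi
```

Keeping the second scan to `-p "$ports"` matters on slow or rate-limited targets: `-sC -sV` without `-p` would re-probe nmap's default top 1000 ports, missing anything unusual the `-p-` sweep found and wasting time on ports already known closed.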
🌐 Web Enumeration
- Identify tech stack: `whatweb`, `nikto`, browser dev tools
- Directory brute-force: `ffuf`, `gobuster`
- Parameter fuzzing (needs a wordlist; filter out the baseline response size with `-fs` so only parameters that change the page show up):
`ffuf -w $WORDLIST -X GET -u "$URL/index.php?FUZZ=test" -fs <baseline-size>`
- Test for LFI, RFI, SQLi, XSS manually
- Check for upload forms (try bypassing MIME-type and extension checks)
🧑‍💻 SMB / Windows Enum
- List shares (null session):
`smbclient -L //$IP -N`
- Enumerate users and shares:
`enum4linux-ng -A $IP`
- Use `rpcclient`, `crackmapexec`, `smbmap` for deeper checks
- Check for anonymous/guest access to each share (e.g. `smbmap -H $IP -u '' -p ''`)
🐧 Linux Enum (Post-Access)
- `id`, `whoami`, `sudo -l`
- `uname -a`, `cat /etc/os-release`
- Check SUID/SGID files, writable directories
- Cron jobs, PATH issues, running processes
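The Linux post-access checks above are easy to script so you run them the same way on every box. The script below is an added example, not code from the original checklist: it wraps the identity, SUID/SGID, writable-directory, cron and PATH checks in functions, and flags SUID binaries outside a short baseline of ones most distributions ship SUID (that baseline list is an assumption, not a standard; anything outside it is "worth a look", not proof of a privesc). The `LINUX_ENUM=1` guard and the sample inputs are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example, not part of the original checklist: minimal post-access Linux
# enumeration implementing the checks listed above.
set -eu

# Binaries commonly SUID on stock distributions (assumed baseline list).
BASELINE_SUID="passwd su sudo mount umount chsh chfn gpasswd newgrp fusermount pkexec ssh-keysign"

# unusual_suid: read SUID/SGID file paths on stdin and print those whose
# basename is not in the baseline (candidates to check against GTFOBins).
unusual_suid() {
  while IFS= read -r path; do
    name=${path##*/}
    case " $BASELINE_SUID " in
      *" $name "*) ;;                 # expected on most systems, skip
      *) printf '%s\n' "$path";;
    esac
  done
}

# path_issues PATHSTRING: print PATH entries an attacker can abuse: empty and
# relative entries (both resolve against the current directory) and directories
# writable by the current user. A writable PATH dir lets you shadow a command
# that a root cron job or sudo-run script invokes without an absolute path.
path_issues() {
  printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r entry; do
    case "$entry" in
      '') echo "empty entry (current directory)";;
      /*) if [ -w "$entry" ]; then echo "writable: $entry"; fi;;
      *)  echo "relative: $entry";;
    esac
  done
}

# enumerate: run the checks against the live system.
enumerate() {
  echo "== identity =="; id
  sudo -n -l 2>/dev/null || echo "(sudo -l needs a password or sudo is unavailable)"
  echo "== system =="; uname -a; cat /etc/os-release 2>/dev/null || true
  echo "== SUID/SGID files outside baseline =="
  find / -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | unusual_suid
  echo "== world-writable, non-sticky directories =="
  find / -xdev -type d -perm -0002 ! -perm -1000 ! -path '/proc/*' 2>/dev/null || true
  echo "== cron =="
  cat /etc/crontab 2>/dev/null || true
  ls -la /etc/cron.d /etc/cron.* 2>/dev/null || true
  crontab -l 2>/dev/null || true
  echo "== PATH issues =="
  path_issues "$PATH"
  echo "== processes =="; ps aux
}

# Constructed demonstration input (not from a real host):
printf '/usr/bin/passwd\n/usr/bin/python3\n/usr/bin/sudo\n' | unusual_suid   # -> /usr/bin/python3
path_issues '/nonexistent/bin::./tools'

# Real use on a target: LINUX_ENUM=1 ./linux_enum.sh (assumed guard variable;
# without it the script only runs the demonstration above).
if [ "${LINUX_ENUM:-0}" = "1" ]; then enumerate; fi
```

The `-xdev` on both `find` calls keeps the sweep off network mounts and `/proc`; drop it if the box has interesting local filesystems mounted separately. The baseline comparison is deliberately strict on basenames only, so a SUID copy of `bash` dropped somewhere unusual still shows up.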
🪟 Windows Enum (Post-Access)
- `systeminfo`, `whoami /priv`
- Check registry for autoruns, stored creds
- Enumerate network shares
- `winPEAS`, `Seatbelt`
Next: 11_payload_generators