Intro
Enumeration blends passive discovery with active validation. OSINT stays passive and should be treated apart. The objective is a clean map of exposure, not access.
Enumeration Principles
We ask why something is visible and what it implies about the target, then compare that with what is missing or hidden to avoid assumption-driven decisions.
- Multiple viewpoints reduce blind spots by forcing you to compare independent signals before deciding what to probe.
- Visible facts outweigh assumptions because they can be verified and repeated under the same conditions.
- More context improves accuracy and keeps the test focused on the most relevant assets and interfaces.
Enumeration Methodology
We use six layers to structure external work. The layers move from public presence to OS setup. This keeps testing organized.
Layer No.1: Internet Presence
Identify reachable systems, domains, and public interfaces that matter to scope and business exposure. Start passive, then validate carefully with minimal activity.
Layer No.2: Gateway
Map perimeter defenses like WAFs, VPNs, and segmentation. This layer explains what is filtered or monitored at the edge. It shapes safe testing paths and timing.
Layer No.3: Accessible Services
Enumerate exposed services, versions, and expected roles in context. Learn normal behavior before deeper probing or attacks to reduce noise.
Layer No.4: Processes
Services transform inputs into internal actions and tasks. Tracing sources and destinations reveals dependencies. Those dependencies often contain weak links.
Layer No.5: Privileges
Services run as users with defined permissions and roles. Those rights determine what can happen after access. Document them early to plan escalation safely.
Layer No.6: Operating System Setup
Internal access reveals patch levels and configuration state. This explains why weaknesses persist in real systems. Capture configs and sensitive paths carefully.
Infrastructure-Based Enumeration
This section merges theory with practical validation steps. Start passive and confirm with minimal active checks. Every asset should be tied to ownership and scope.
Domain and Online Presence
Domain data defines the surface and exposed services for most organizations. Certificates and DNS records reveal vendors and platforms.
curl -s "https://crt.sh/?q=inlanefreight.com&output=json" | jq .
Certificate transparency often reveals historical hostnames. Validate candidate names with DNS before scanning anything to keep discovery quiet and focused.
Cloud Resources
Cloud assets appear in DNS, provider hostnames, and search. Misconfigured buckets remain common, so validate ownership before any deeper interaction.
intext:CompanyName inurl:amazonaws.com
Subdomain naming can reveal storage or app endpoints. Look for patterns like s3, blob, or storage in names. Confirm provider ownership before collecting evidence.
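The two passive steps above (pulling hostnames out of crt.sh and spotting storage-style names) are worth scripting so they stay repeatable and quiet. The block below is an added example, not code from the notes or the HTB module: it parses a constructed crt.sh JSON sample (the real endpoint returns the same `name_value` and `issuer_name` keys), drops wildcard entries, dedupes case variants, and tags hostnames whose leftmost label matches a storage pattern. The pattern list and the provider labels are my own assumptions; a hit is a lead for ownership checks, not evidence.

```python
import json
import re

# Constructed sample in the shape crt.sh returns for ?output=json (real keys,
# made-up hostnames); normally this text comes from the curl command above.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.inlanefreight.com\ninlanefreight.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.inlanefreight.com"},
    {"issuer_name": "C=US, O=DigiCert Inc",
     "name_value": "s3-backup.inlanefreight.com"},
    {"issuer_name": "C=US, O=DigiCert Inc",
     "name_value": "blob-assets.inlanefreight.com"},
    {"issuer_name": "C=US, O=DigiCert Inc",
     "name_value": "WWW.inlanefreight.com"},
])

# Hostname label fragments that commonly mark object storage or CDN endpoints
# (the s3/blob/storage hint from the notes plus a couple of neighbours).
# The provider labels are assumptions for this example.
STORAGE_PATTERNS = {
    "aws-s3": re.compile(r"(^|[.-])s3([.-]|$)"),
    "azure-blob": re.compile(r"(^|[.-])blob([.-]|$)"),
    "generic-storage": re.compile(r"(^|[.-])(storage|bucket|cdn)([.-]|$)"),
}


def hostnames_from_crtsh(raw_json, domain):
    """Return sorted unique hostnames under `domain` from crt.sh JSON.

    name_value holds one or more SAN entries separated by newlines. Wildcards
    are dropped: they are not resolvable names, only proof a wildcard cert
    exists. Case is folded because certificate names are case-insensitive.
    """
    names = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if not name or name.startswith("*"):
                continue
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return sorted(names)


def classify_storage_hints(hostnames):
    """Map hostnames whose leftmost label matches a storage pattern to a
    provider hint. A hint is a lead for ownership checks, not evidence."""
    hints = {}
    for host in hostnames:
        label = host.split(".")[0]
        for provider, pattern in STORAGE_PATTERNS.items():
            if pattern.search(label):
                hints[host] = provider
                break
    return hints


if __name__ == "__main__":
    candidates = hostnames_from_crtsh(SAMPLE_CRTSH_JSON, "inlanefreight.com")
    for host in candidates:
        print(host, "->", classify_storage_hints([host]).get(host, "-"))
```

The output of `hostnames_from_crtsh` is the list to validate with DNS before any scanning; only names that resolve move on to the active layers.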
People
People OSINT reveals stacks and priorities through hiring data and public repos. Use these signals to focus enumeration where it matters.
- LinkedIn shows roles and skills for stack hints.
- Xing provides regional hiring data and vendors.
- GitHub can expose repos and tokens quickly.
Host-Based Enumeration
Host enumeration targets exposed services and configurations. Combine protocol theory with short, high-signal commands. Prioritize issues that enable direct access or leaks.
FTP and TFTP
FTP uses TCP 21 and transmits in clear text by default. Anonymous access and weak isolation are common problems. TFTP is UDP-based and has no authentication at all.
sudo nmap -sV -sC -p21 10.129.14.136
ftp 10.129.14.136
Default configs live in /etc/vsftpd.conf on Linux systems. Review local users and anonymous upload permissions to gauge risk before testing.
grep -v "#" /etc/vsftpd.conf
cat /etc/ftpusers
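Reading the two files above by eye works for one host; for a fleet the same review is better expressed as a check. The block below is an added example, not code from the notes or the HTB module: it parses a constructed vsftpd.conf and ftpusers sample (the option names are real vsftpd options, the values are chosen to trigger the checks) and reports the anonymous-access, write and chroot settings the notes call out. The severity wording and the choice of which options count as risky are my own assumptions.

```python
# Constructed vsftpd.conf sample; option names are real vsftpd options,
# values are chosen to exercise the checks below.
SAMPLE_VSFTPD_CONF = """\
# Example vsftpd.conf (constructed)
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=NO
chroot_local_user=NO
# hide_ids=YES
"""

# Constructed /etc/ftpusers: accounts that are refused FTP login.
SAMPLE_FTPUSERS = """\
root
daemon
bin
"""

# option -> (value that is risky, why it matters); compared case-insensitively
RISKY_OPTIONS = {
    "anonymous_enable": ("YES", "anonymous logins are accepted"),
    "write_enable": ("YES", "FTP write commands are enabled"),
    "anon_upload_enable": ("YES", "anonymous users may upload files"),
    "anon_mkdir_write_enable": ("YES", "anonymous users may create directories"),
    "chroot_local_user": ("NO", "local users are not confined to their home directory"),
}


def parse_vsftpd_conf(text):
    """Return {option: value}, ignoring comments and blank lines.

    vsftpd reads the file top to bottom, so a repeated option ends up with
    the value of its last occurrence; this parser does the same.
    """
    options = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        options[key.strip().lower()] = value.strip()
    return options


def parse_ftpusers(text):
    """Usernames listed in /etc/ftpusers (one per line, # comments)."""
    return {l.strip() for l in text.splitlines()
            if l.strip() and not l.startswith("#")}


def audit_vsftpd(options, denied_users):
    """Return (option, explanation) findings.

    Anonymous upload only takes effect when write_enable is also YES, so
    that combination is reported as one extra high-impact finding.
    """
    findings = [(key, why) for key, (bad, why) in RISKY_OPTIONS.items()
                if options.get(key, "").upper() == bad]
    anon = options.get("anonymous_enable", "").upper() == "YES"
    upload = options.get("anon_upload_enable", "").upper() == "YES"
    write = options.get("write_enable", "").upper() == "YES"
    if anon and upload and write:
        findings.append(("anonymous-upload", "anonymous users can write to the server"))
    if "root" not in denied_users and options.get("local_enable", "").upper() == "YES":
        findings.append(("ftpusers", "root is not denied FTP login"))
    return findings


if __name__ == "__main__":
    opts = parse_vsftpd_conf(SAMPLE_VSFTPD_CONF)
    for key, why in audit_vsftpd(opts, parse_ftpusers(SAMPLE_FTPUSERS)):
        print(f"{key}: {why}")
```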
SMB and Samba (SMB for Linux)
SMB exposes shares over TCP 139 and 445 in most networks. Samba is the Unix implementation and behaves similarly. Guest access and writable shares are the main risks.
smbclient -N -L //10.129.14.128
Review smb.conf to understand share paths and permissions. If guest write is enabled, treat it as a critical finding. Loose masks can expose sensitive data to all users.
cat /etc/samba/smb.conf
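The guest-write and loose-mask checks above can be automated against the same file. The block below is an added example, not code from the notes or the HTB module: it loads a constructed smb.conf (real Samba parameter names) with the standard library's configparser, treats `[global]` as the default section the way Samba does for share-level parameters, and reports guest write access, guest read access and masks that grant world permissions. The severity labels are my own assumptions.

```python
import configparser

# Constructed smb.conf; parameter names are real Samba options.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = DEV.INFREIGHT.HTB
   server string = DEVSMB
   log file = /var/log/samba/log.%m
   map to guest = bad user

[printers]
   comment = All Printers
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

[dev]
   comment = Dev share
   path = /home/dev/shares
   guest ok = yes
   writable = yes
   create mask = 0777
   directory mask = 0777
"""


def parse_smb_conf(text):
    # Samba lets share parameters set in [global] act as defaults for every
    # share, which is what configparser's default_section provides.
    # interpolation=None keeps %m-style substitutions from confusing it.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   default_section="global")
    cp.read_string(text)
    return cp


def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def share_is_writable(share):
    """Samba accepts 'writable', 'writeable' and the inverse 'read only';
    a share is read-only when none of them is set."""
    for key in ("writable", "writeable"):
        if key in share:
            return _yes(share[key])
    if "read only" in share:
        return not _yes(share["read only"])
    return False


def audit_smb(cp):
    """Return (share, severity, explanation) findings."""
    findings = []
    for name in cp.sections():
        share = cp[name]
        guest = _yes(share.get("guest ok", "no"))
        if guest and share_is_writable(share):
            findings.append((name, "critical", "guest users can write to the share"))
        elif guest:
            findings.append((name, "medium", "guest users can read the share"))
        for key in ("create mask", "directory mask"):
            mask = share.get(key)
            if mask and int(mask, 8) & 0o007:
                findings.append((name, "low", f"{key} {mask} grants permissions to everyone"))
    return findings


if __name__ == "__main__":
    for share, severity, why in audit_smb(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"[{severity}] {share}: {why}")
```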
NFS
NFS exports directories for Unix clients using RPC services. Authentication is often weak or absent in older setups. Export options can make the difference between safe and unsafe.
sudo mount -t nfs 10.129.14.128:/share ./target-NFS -o nolock
no_root_squash allows root access across the export, which is severe when paired with rw. Validate export settings before mounting, and keep mounts read-only when possible.
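Validating export settings before mounting means reading /etc/exports (or the `showmount`-style listing) with the exports(5) defaults in mind, since an option that is not written down is still in effect. The block below is an added example, not code from the notes or the HTB module: it parses a constructed /etc/exports, fills in the `ro`, `sync` and `root_squash` defaults, and reports `no_root_squash` (critical when combined with `rw`) and exports open to any host. Severity labels are my own assumptions.

```python
import re

# Constructed /etc/exports; the option names are the real exports(5) ones.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed example)
/mnt/nfs        10.129.14.0/24(rw,sync,no_root_squash)
/srv/public     *(ro,sync)
/srv/backups    *(rw,sync,no_subtree_check)
/home/dev       10.129.14.5(rw,root_squash) 10.129.14.6(ro)
"""

# "client(opt,opt)" or a bare "client"; clients are whitespace separated
CLIENT_RE = re.compile(r"(\S+?)\(([^)]*)\)|(\S+)")
# exports(5) defaults that apply when an option is not given explicitly
DEFAULT_OPTIONS = {"ro", "sync", "root_squash"}


def parse_exports(text):
    """Return a list of (path, client, options) with defaults filled in."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        clients = parts[1] if len(parts) > 1 else "*"  # no client list: everyone
        for m in CLIENT_RE.finditer(clients):
            client = m.group(1) or m.group(3)
            given = {o.strip() for o in (m.group(2) or "").split(",") if o.strip()}
            opts = set(DEFAULT_OPTIONS)
            # an explicit option replaces its opposite default
            for opt, opposite in (("rw", "ro"), ("async", "sync"),
                                  ("no_root_squash", "root_squash")):
                if opt in given:
                    opts.discard(opposite)
            opts |= given
            entries.append((path, client, opts))
    return entries


def audit_exports(entries):
    """Return (path, client, severity, explanation) findings."""
    findings = []
    for path, client, opts in entries:
        writable = "rw" in opts
        if "no_root_squash" in opts:
            severity = "critical" if writable else "high"
            findings.append((path, client, severity,
                             "no_root_squash: a remote root keeps uid 0 on this export"))
        if client == "*":
            if writable:
                findings.append((path, client, "high", "read-write export to any host"))
            else:
                findings.append((path, client, "medium", "read-only export to any host"))
    return findings


if __name__ == "__main__":
    for path, client, severity, why in audit_exports(parse_exports(SAMPLE_EXPORTS)):
        print(f"[{severity}] {path} -> {client}: {why}")
```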
DNS
DNS reveals structure, providers, and internal naming schemes across the target environment. Use safe queries first and record authoritative answers.
dig soa inlanefreight.com
Zone transfers (AXFR) copy full DNS zones between servers. If open, they expose all hostnames in the target domain. Only attempt against authorized name servers.
dig axfr inlanefreight.htb @10.129.14.128
SMTP
SMTP sends mail over ports 25 and 587, often with STARTTLS. Open relay and user enumeration are common weaknesses. Use safe test flows to avoid sending real mail.
sudo nmap -p25 --script smtp-open-relay 10.129.14.128
If relaying is open to everyone, spoofing and abuse are easy. Commands like HELO, EHLO, and VRFY can expose usernames. Document any relay or enumeration exposure carefully.
IMAP/POP3
IMAP supports folders and sync while POP3 is simpler retrieval. Both may expose plaintext logins if TLS is not enforced. Check banners and required authentication modes.
sudo nmap -sV -sC -p110,143,993,995 10.129.14.128
openssl s_client -connect 10.129.14.128:993
IMAP commands like LOGIN, LIST, and FETCH are enough for validation, while POP3 uses USER, PASS, and STAT. Verbose auth logging can leak passwords in server logs.
SNMP
SNMP exposes device metadata and can allow configuration changes. Community strings are clear text in v1 and v2c. Prefer v3 when authentication is enabled and limit queries to essentials.
snmpwalk -v2c -c public 10.129.14.128
The MIB defines the data tree, and OIDs point to each object. Read-write access without auth is critical, especially when a default community like public or private is accepted.
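A raw snmpwalk dump is only useful once the OIDs are mapped back to the objects they name. The block below is an added example, not code from the notes or the HTB module: it parses a constructed snmpwalk output in net-snmp's numeric form (no MIB files loaded), resolves the standard system-group OIDs (sysDescr, sysUpTime, sysContact, sysName, sysLocation) and the Host Resources hrSWRunName/hrSWRunParameters rows, and, as a small extension of the notes, flags process arguments that look like they carry a secret, which is one of the leaks a read-only community exposes. The sample values and the secret-marker regex are my own constructions.

```python
import re

# Constructed snmpwalk output in net-snmp's numeric form (no MIB files
# loaded), as produced by: snmpwalk -v2c -c public <host>
SAMPLE_SNMPWALK = """\
iso.3.6.1.2.1.1.1.0 = STRING: "Linux htb 5.11.0-34-generic x86_64"
iso.3.6.1.2.1.1.3.0 = Timeticks: (5134) 0:00:51.34
iso.3.6.1.2.1.1.4.0 = STRING: "admin@inlanefreight.htb"
iso.3.6.1.2.1.1.5.0 = STRING: "htb"
iso.3.6.1.2.1.1.6.0 = STRING: "Server room, rack 3"
iso.3.6.1.2.1.25.4.2.1.2.1153 = STRING: "sshd"
iso.3.6.1.2.1.25.4.2.1.2.2210 = STRING: "python3"
iso.3.6.1.2.1.25.4.2.1.5.1153 = STRING: "-D"
iso.3.6.1.2.1.25.4.2.1.5.2210 = STRING: "backup.py --db-password=S3cret"
"""

# SNMPv2-MIB system group: scalar objects, hence the trailing .0
SYSTEM_GROUP = {
    "1.3.6.1.2.1.1.1.0": "sysDescr",
    "1.3.6.1.2.1.1.3.0": "sysUpTime",
    "1.3.6.1.2.1.1.4.0": "sysContact",
    "1.3.6.1.2.1.1.5.0": "sysName",
    "1.3.6.1.2.1.1.6.0": "sysLocation",
}
# HOST-RESOURCES-MIB hrSWRunTable columns, indexed by process id
HR_SW_RUN_NAME = "1.3.6.1.2.1.25.4.2.1.2."
HR_SW_RUN_PARAMS = "1.3.6.1.2.1.25.4.2.1.5."

LINE_RE = re.compile(r"^(\S+) = ([A-Za-z0-9-]+): ?(.*)$")


def parse_snmpwalk(text):
    """Return {numeric OID: value}; quotes are stripped from STRING values."""
    objects = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        oid, typ, value = m.groups()
        # net-snmp prints the root arc as "iso." when no MIBs are loaded
        oid = "1." + oid[len("iso."):] if oid.startswith("iso.") else oid.lstrip(".")
        if typ == "STRING" and len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        objects[oid] = value
    return objects


def system_summary(objects):
    """Resolve the system-group scalars that are present."""
    return {name: objects[oid] for oid, name in SYSTEM_GROUP.items() if oid in objects}


def running_processes(objects):
    """Join hrSWRunName and hrSWRunParameters rows by their process index."""
    procs = {}
    for oid, value in objects.items():
        if oid.startswith(HR_SW_RUN_NAME):
            procs.setdefault(oid[len(HR_SW_RUN_NAME):], {})["name"] = value
        elif oid.startswith(HR_SW_RUN_PARAMS):
            procs.setdefault(oid[len(HR_SW_RUN_PARAMS):], {})["params"] = value
    return procs


def sensitive_process_args(objects):
    """Process indexes whose arguments look like they carry a secret."""
    marker = re.compile(r"pass(word)?|secret|token", re.IGNORECASE)
    return sorted(idx for idx, proc in running_processes(objects).items()
                  if marker.search(proc.get("params", "")))


if __name__ == "__main__":
    objs = parse_snmpwalk(SAMPLE_SNMPWALK)
    print(system_summary(objs))
    for idx in sensitive_process_args(objs):
        print("secret in process arguments:", idx, running_processes(objs)[idx])
```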
MySQL
MySQL is common in web stacks and should not be internet exposed. Weak credentials and unsafe file export settings are frequent. Start with connection checks and read-only queries.
mysql -u root -pP4SSw0rd -h 10.129.14.128
Use SHOW DATABASES and SHOW TABLES to map schema safely. Errors can reveal query logic or injection weaknesses. Review bind settings to confirm whether the service is exposed.
SHOW DATABASES;
MSSQL
MSSQL integrates with Windows authentication and Active Directory. TLS is often optional by default, which increases risk. Confirm access methods and prefer encrypted connections where possible.
python3 mssqlclient.py Administrator@10.129.201.248 -windows-auth
System databases like master, model, and msdb describe the instance structure. Weak sa credentials and self-signed certs remain common issues in internal environments.
Oracle TNS
Oracle TNS connects clients to Oracle databases over TCP 1521. Configs live in tnsnames.ora and listener.ora. Enumeration starts with listener discovery and SID checks.
sudo nmap -p1521 -sV --script oracle-sid-brute 10.129.204.235
sqlplus scott/tiger@10.129.204.235/XE
IPMI
IPMI provides out-of-band control even when the OS is down. Default credentials still appear in real deployments. Exposed BMCs should be treated as high-impact findings.
sudo nmap -sU --script ipmi-version -p 623 10.129.42.195
| Product | Username | Password |
|---|---|---|
| Dell iDRAC | root | calvin |
| HP iLO | Administrator | randomized 8-character string of numbers and uppercase letters |
| Supermicro IPMI | ADMIN | ADMIN |
IPMI 2.0 can leak password hashes during RAKP auth. Those hashes can be cracked offline, so restrict exposure to trusted networks.
Remote Management Protocols
Remote management enables admin control at scale. Misconfigs here often lead to direct access, so validate auth and encryption first.
Linux
SSH is the primary Linux remote protocol on TCP 22. It supports password and key authentication, but weak settings enable brute force. Always review sshd_config before testing.
cat /etc/ssh/sshd_config
./ssh-audit.py 10.129.14.132
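Reviewing sshd_config has a catch that a quick `grep` misses: sshd keeps the first value it reads for a keyword, and anything after a `Match` line applies only to matching connections. The block below is an added example, not code from the notes, the HTB module or ssh-audit: it parses a constructed sshd_config with those rules, falls back to current OpenSSH defaults for absent keywords (an assumption; older releases defaulted PermitRootLogin to yes), and reports the settings that widen the brute-force and root-login exposure the notes describe.

```python
# Constructed sshd_config; the keywords are real OpenSSH ones.
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# the next line is ignored by sshd: it keeps the first value it saw
PasswordAuthentication no
PermitEmptyPasswords no
Match User backup
    PasswordAuthentication no
"""

# OpenSSH defaults used when the keyword is absent (assumption: a current
# OpenSSH release; older versions defaulted PermitRootLogin to yes)
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
}


def parse_sshd_config(text):
    """Return the effective global settings as a lower-cased dict.

    sshd uses the first value it reads for a keyword, matches keywords
    case-insensitively, and everything after a Match line applies only to
    connections that satisfy the Match, so the global scan stops there.
    """
    effective = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if key in seen:
            continue  # later duplicates are ignored, as sshd does
        seen.add(key)
        effective[key] = parts[1].strip().lower() if len(parts) > 1 else ""
    return effective


def audit_sshd(settings):
    """Return (keyword, explanation) findings."""
    findings = []
    if settings["permitrootlogin"] == "yes":
        findings.append(("PermitRootLogin", "root can log in with a password"))
    if settings["passwordauthentication"] == "yes":
        findings.append(("PasswordAuthentication",
                         "password logins accepted, so brute force is possible"))
    if settings["permitemptypasswords"] == "yes":
        findings.append(("PermitEmptyPasswords", "accounts with empty passwords can log in"))
    return findings


if __name__ == "__main__":
    for keyword, why in audit_sshd(parse_sshd_config(SAMPLE_SSHD_CONFIG)):
        print(f"{keyword}: {why}")
```

The `Match User backup` block in the sample turns password authentication off for one account only; the global setting that matters for brute-force exposure is still the first `PasswordAuthentication yes`, and that is what the audit reports.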
Rsync exposes modules on TCP 873 and can allow anonymous listing. Legacy R-Services rely on host trust and remain risky if present. Check trust files and open ports during internal tests.
rsync -av --list-only rsync://127.0.0.1/dev
Windows
Windows uses RDP, WinRM, and WMI for remote management. Each has different auth and TLS requirements, so verify configuration first. RDP often lacks NLA in older environments, increasing risk.
nmap -sV -sC -p3389 --script rdp* 10.129.201.248
evil-winrm -i 10.129.201.248 -u Cry0l1t3 -p P455w0rD!
WMI provides deep system control and is commonly used post-access. Treat it as sensitive and use it only with explicit authorization. Log all actions and output for reporting.
/usr/share/doc/python3-impacket/examples/wmiexec.py Cry0l1t3:"P455w0rD!"@10.129.201.248 "hostname"
Interesting Tools
These sources speed up passive enrichment and validation. Use them before active scanning to reduce noise. Keep results within scope and document sources.
- Shodan provides banners for internet hosts.
- domain.glass highlights DNS history and hosting clues.
- GrayHatWarfare surfaces bucket leaks.
Reference
This article is based on my personal study notes from the Information Security Foundations track.
Full repository: https://github.com/lameiro0x/pentesting-path-htb