[ Pen Testing ] :: Step by Step: Enumeration


Okay, by now you’ve spent hours, days or weeks stealthily footprinting your scope. Since this is pen testing, you’ve been mighty careful not to exceed your scope, right? So let’s talk tools and techniques.

See https://security.stackexchange.com/questions/168247/reduce-noise-when-penetration-testing for an extensive list of tools.



Local Linux Enumeration & Privilege Escalation Cheatsheet: an item-by-item list of tests performed by LinEnum:


Quiet Scanning With Nmap

Generally when dealing with network IPS and client-side active defenses:

nmap -sS, -sC, -f, -T2 or -T3, --osscan-limit, --version-light, and maybe -iR

-sS is a SYN scan. Note that the “stealth” scan (-sS) is NOT a silent scan!

-sC runs the default script set (equivalent to --script=default)

-f forces packets to be fragmented

--osscan-limit limits OS detection to promising targets

--version-light limits version detection to the most likely probes

-iR chooses targets at random

Discovery Options

Perform a ping scan only

nmap -sP [target]

Don’t ping

nmap -PN [target]

TCP SYN ping

nmap -PS [target]

TCP ACK ping

nmap -PA [target]

UDP ping

nmap -PU [target]

SCTP Init Ping

nmap -PY [target]

ICMP echo ping

nmap -PE [target]

ICMP Timestamp ping

nmap -PP [target]

ICMP address mask ping

nmap -PM [target]

IP protocol ping

nmap -PO [target]

ARP ping

nmap -PR [target]

Traceroute to each target

nmap --traceroute [target]

Force reverse DNS resolution

nmap -R [target]

Disable reverse DNS resolution

nmap -n [target]

Alternative DNS lookup

nmap --system-dns [target]

Manually specify DNS servers

nmap --dns-servers [servers] [target]

Create a host list

nmap -sL [targets]

Firewall Evasion in Nmap

Read the lowdown from the creator of Nmap:

Also see this excellent cheat sheet: https://cs.lewisu.edu/~klumpra/camssem2015/nmapcheatsheet1.pdf

Fragment packets: break them up so they slip by. Some IDSs reassemble packets and will reject your suspicious traffic anyway.

nmap -f [target]

Specify a specific MTU:

nmap --mtu [MTU] [target]

Specify a specific TTL:

nmap --ttl [TTL] [target]

Use a decoy: think about where responses will go. An IDS might report a half-dozen port scans from distinct IP addresses, but it won’t know which IP was scanning and which were decoys.

nmap -D <decoy1>[,<decoy2>][,ME][,...] [target]
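Added example, not from the original post or from any tool it mentions: a small Python detector run over constructed iptables-style firewall log lines. It flags any source whose bare SYNs reach several distinct ports within a short window, which is exactly the pattern that makes -sS loud to a firewall or IDS, and it shows that a decoy (-D) source sending the same probes gets flagged alongside the real scanner, so the defender sees the scan but not which address is the scanner. The addresses, hostnames and log format are constructed.

```python
import re
from collections import defaultdict

# Constructed iptables-style log lines (not from any real host): 10.0.0.5 is the scanner,
# 10.0.0.9 a decoy (-D) sending the same probes, 10.0.0.7 a client with one normal connection.
SAMPLE_LOG = """\
Jan 12 10:00:01 fw kernel: [FW BLOCK] IN=eth0 SRC=10.0.0.5 DST=10.0.0.10 PROTO=TCP SPT=40001 DPT=22 SYN
Jan 12 10:00:01 fw kernel: [FW BLOCK] IN=eth0 SRC=10.0.0.9 DST=10.0.0.10 PROTO=TCP SPT=40001 DPT=22 SYN
Jan 12 10:00:02 fw kernel: [FW BLOCK] IN=eth0 SRC=10.0.0.5 DST=10.0.0.10 PROTO=TCP SPT=40002 DPT=80 SYN
Jan 12 10:00:02 fw kernel: [FW BLOCK] IN=eth0 SRC=10.0.0.9 DST=10.0.0.10 PROTO=TCP SPT=40002 DPT=80 SYN
Jan 12 10:00:02 fw kernel: [FW BLOCK] IN=eth0 SRC=10.0.0.7 DST=10.0.0.10 PROTO=TCP SPT=51000 DPT=443 SYN
Jan 12 10:00:03 fw kernel: [FW BLOCK] IN=eth0 SRC=10.0.0.5 DST=10.0.0.10 PROTO=TCP SPT=40003 DPT=443 SYN
Jan 12 10:00:03 fw kernel: [FW BLOCK] IN=eth0 SRC=10.0.0.9 DST=10.0.0.10 PROTO=TCP SPT=40003 DPT=443 SYN
Jan 12 10:00:04 fw kernel: [FW BLOCK] IN=eth0 SRC=10.0.0.5 DST=10.0.0.10 PROTO=TCP SPT=40004 DPT=445 SYN
Jan 12 10:00:04 fw kernel: [FW BLOCK] IN=eth0 SRC=10.0.0.9 DST=10.0.0.10 PROTO=TCP SPT=40004 DPT=445 SYN
Jan 12 10:00:06 fw kernel: [FW BLOCK] IN=eth0 SRC=10.0.0.7 DST=10.0.0.10 PROTO=TCP SPT=51000 DPT=443 ACK
"""

LINE_RE = re.compile(
    r"^\w{3} +\d+ (?P<tm>\d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) .*?PROTO=TCP "
    r".*?DPT=(?P<dpt>\d+) ?(?P<flags>.*)$"
)

def parse_line(line):
    """Return (seconds since midnight, src, dport, set of TCP flags), or None for non-TCP lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    h, mi, s = map(int, m["tm"].split(":"))  # same-day stamps assumed; syslog carries no year
    return h * 3600 + mi * 60 + s, m["src"], int(m["dpt"]), set(m["flags"].split())

def find_syn_scanners(log_text, window_s=10, min_ports=4):
    """Map src -> sorted distinct ports for sources whose bare SYNs hit >= min_ports ports in window_s."""
    probes = defaultdict(list)  # src -> [(timestamp, dport)]
    for line in log_text.splitlines():
        if (rec := parse_line(line)) is None:
            continue
        ts, src, dport, flags = rec
        if "SYN" in flags and "ACK" not in flags:  # new connection attempt, not an established flow
            probes[src].append((ts, dport))
    hits = {}
    for src, events in probes.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # slide the window forward from each probe
            ports = {p for t, p in events[i:] if t - t0 <= window_s}
            if len(ports) >= min_ports:
                hits[src] = sorted(ports)
                break
    return hits
```

On the sample above both 10.0.0.5 and 10.0.0.9 are reported with the same four ports, while the ordinary client is not.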

Idle (zombie) scan: this will be slow but very quiet, and can discover hidden hosts

nmap -sI [zombie] [target]

Manually specify a source port: a common misconfiguration is trusting traffic based only on the source port number.

nmap --source-port [port] [target] # or -g [port]

Append random data: these are not the packets you’re looking for

nmap --data-length [size] [target]

Randomize target scan order: guess what, it’s the default

nmap --randomize-hosts [target]

Spoof Your MAC Address

nmap --spoof-mac [MAC|0|vendor] [target]

Send bad checksums

nmap --badsum [target]

Find and use Nmap scripts:

locate '*.nse'            # quote the glob so the shell does not expand it first
locate '*vuln*.nse'
# Usage: nmap --script <scriptname> <host ip>
nmap --script smb-check-vulns <host ip>   # script name without the .nse suffix

Nmap Web Dashboard and Reporting:

Change Your MAC

And when you get shunned, change your MAC address, as I show you here:

Adon90’s Pentest Compilation

Information: https://github.com/adon90/pentest_compilation#windows

Installation (If you followed the Kali Setup lesson you’ve already got this):

git clone https://github.com/adon90/pentest_compilation.git

The outline below is adapted from Adon90’s suggestions on the Github page.

Generic Enumeration

Full Portscanning

In real pen testing, you’ve got to hide like a roach. One little sound and the IDS cat’s going to play you to death. So you have two options: use Nmap as quietly as possible (see above), or use other, quieter tools. Both options may make you bang your head (and change your MAC address a lot).

HTTP Enumeration

Use dirsearch (it’s noisy.)

dirsearch -u http://example.com -w big.txt -e sh,txt,htm,php,cgi,html,pl,bak,old

Perform banner inspection by connecting and sending a bare request, then a blank line. (Quiet, if you don’t overdo it.)

telnet example.com 80
HEAD / HTTP/1.0

Review source code of the pages on the site. (Silent.)

Bruteforce login forms with a CeWL-based dictionary. (Noisy.) Here’s how to generate one:

Use SearchSploit with the exact application name and version. (Silent, because it runs locally on your machine.)

Test all paths with exploits, and mangle paths to find hidden resources.

Always intercept with Burp!

Scan websites with Nikto. (Noisy as hell.)
General info: https://cirt.net/nikto2
Usage: https://cirt.net/nikto2-docs/usage.html#id2780332

Attempt LFI, RFI, SQL, RCE, XXE, SSRF injections. (Go slow and it’s not too noisy.)

Try uploading files with the PUT method on all directories. (Ditto.)

Change POST body encoding with Burp.

Bruteforce parameter names. Again, Burp is your friend.

Use dirb, dirbuster, dirsearch or gobuster with your session cookie once authenticated.