Enumeration is the process of gathering as much specific information about a target as possible, using both active scans and passive methods. This differs from OSINT, which is entirely passive. Knowing the target's systems and defensive measures is useful; the goal is to identify every possible approach to the target.
Principles
- Consider all points of view
- Distinguish what you can and can’t see
- Understand the target through additional methods
Questions
- What can you see?
- Why can you see it?
- What do you gain from it?
- How can you use it?
- What do you not see?
- Why can you not see things?
Layers
- Internet Presence
  - Target systems
- Gateway
  - Network systems
- Accessible Services
  - Functionality of targets
- Processes
  - Dependencies between systems
- Privileges
  - Reach of privileges
- OS Setup
  - System management and internal info
Common Things to Check
- SSL Certs
- IoT Devices
- DNS records:
  - dig
  - AWS/GCP/Azure
- Possible infrastructure with domain.glass, GrayHatWarfare
- Social sites for company and employees
- FTP Protocol
  - Anonymous users
- SMB Protocol
  - rpcclient
  - SMBMap
  - CrackMapExec
  - enum4linux-ng
- NFS Protocol
- DNS Server
  - ffuf
- SMTP Protocol
  - Default Nmap scripts
  - smtp-open-relay script
- IMAP Protocol/POP3 Protocol
- SNMP Protocol
- MySQL
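The "DNS records: dig / AWS/GCP/Azure" item above is about reading a zone's cloud footprint off dig output: which third-party providers the MX, CNAME, NS and SPF records point at. As an added example, not part of these notes, the following Python script parses dig-style answer lines (a constructed sample, not output from any real zone) and groups records by the provider their hostnames reveal, which is the same view an administrator wants of what their own zone advertises. The provider hostname patterns in `CLOUD_HINTS` are assumptions: a short illustrative list, not a complete one.

```python
import re
from dataclasses import dataclass

# Constructed sample in the `dig` answer-section format (not output from any real zone).
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
example.com.        3600  IN  A      93.184.216.34
example.com.        3600  IN  MX     10 aspmx.l.google.com.
www.example.com.    300   IN  CNAME  d1234abcd.cloudfront.net.
files.example.com.  300   IN  CNAME  example-bucket.s3.amazonaws.com.
app.example.com.    300   IN  CNAME  example-app.azurewebsites.net.
api.example.com.    300   IN  CNAME  ghs.googlehosted.com.
example.com.        3600  IN  TXT    "v=spf1 include:_spf.google.com include:amazonses.com -all"
example.com.        3600  IN  NS     ns-123.awsdns-45.com.
"""

# One dig answer line: owner name, TTL, class IN, record type, record data.
RECORD_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<rtype>\S+)\s+(?P<data>.+)$")

# Assumed hostname patterns per provider; a short illustrative list, not a complete one.
CLOUD_HINTS = {
    "AWS": [r"amazonaws\.com", r"cloudfront\.net", r"awsdns-\d+\.", r"amazonses\.com"],
    "Google": [r"google\.com", r"googlehosted\.com", r"googleusercontent\.com"],
    "Azure": [r"azurewebsites\.net", r"azure-dns\.", r"cloudapp\.azure\.com", r"azureedge\.net"],
}


@dataclass
class Record:
    name: str
    ttl: int
    rtype: str
    data: str


def parse_dig(output: str) -> list[Record]:
    """Parse dig answer lines, skipping blank lines and ';' comment lines."""
    records = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        match = RECORD_RE.match(line)
        if match:
            records.append(Record(match["name"], int(match["ttl"]), match["rtype"], match["data"]))
    return records


def classify(record: Record) -> list[str]:
    """Return the providers whose hostnames appear in the record data (sorted; empty if none)."""
    hits = set()
    for provider, patterns in CLOUD_HINTS.items():
        if any(re.search(p, record.data, re.IGNORECASE) for p in patterns):
            hits.add(provider)
    return sorted(hits)


def cloud_footprint(output: str) -> dict[str, list[tuple[str, str]]]:
    """Group (owner name, record type) pairs by the provider they reveal."""
    footprint: dict[str, list[tuple[str, str]]] = {}
    for rec in parse_dig(output):
        for provider in classify(rec):
            footprint.setdefault(provider, []).append((rec.name, rec.rtype))
    return footprint


if __name__ == "__main__":
    # Print the footprint of the constructed sample zone, one provider per group.
    for provider, entries in cloud_footprint(SAMPLE_DIG_OUTPUT).items():
        print(f"{provider}:")
        for name, rtype in entries:
            print(f"  {rtype:<5} {name}")
```

A single TXT record can name several providers at once (the SPF `include:` tokens in the sample resolve to both AWS and Google), which is why `classify` returns a list rather than one label. Feeding the script real `dig` output in place of `SAMPLE_DIG_OUTPUT` works as long as the answer lines keep the standard five-column layout.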