Initial Enumeration

One checklist for all

Nmap Scan

  1. Full port TCP Scan

  2. Top 100 or 1000 ports UDP Scan - especially the SNMP port (161/udp)

  3. SNMP helps reveal the following things ->

    -> Use this command to get juicy information such as passwords and stuff -> snmpwalk -v X -c public <IP> NET-SNMP-EXTEND-MIB::nsExtendOutputFull

    -> It provides actual versions of all services or processes running on the target

    -> Provides potential usernames as well
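Added example (not part of the original checklist): a small Python triage script that flattens an Nmap XML report (`-oX`) into one row per open port, pulling out the product/version strings from `-sV` and the `http-title` script output. It is the working list you feed into the version lookups and title searches in the Web Enumeration steps below, and it also makes an open SNMP port stand out (Nmap reports UDP ports as `open|filtered`, which the filter below keeps). The XML is constructed to show the shape of a report, not real scan output; the host and versions in it are made up.

```python
"""Flatten an Nmap XML report into rows of open ports, services and titles.

Added example, not code from the original checklist. Assumes a report
produced with something like: nmap -sV --script http-title -oX scan.xml <IP>
The SAMPLE_XML below is constructed for illustration only.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample report: one host, three open ports, one closed port.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --script http-title -oX scan.xml 10.0.0.5">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.2p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.49"/>
        <script id="http-title" output="Welcome to Example Corp"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed"/>
        <service name="https"/>
      </port>
      <port protocol="udp" portid="161">
        <state state="open|filtered"/>
        <service name="snmp" product="SNMPv1 server"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return a list of dicts, one per open (or open|filtered) port."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state").get("state", "")
            # UDP scans commonly report "open|filtered"; keep those too.
            if not state.startswith("open"):
                continue
            svc = port.find("service")
            title_el = port.find("script[@id='http-title']")
            rows.append({
                "host": addr,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
                "title": title_el.get("output", "") if title_el is not None else "",
            })
    return rows


def lookup_strings(rows):
    """'product version' strings worth checking against a CVE/advisory database."""
    return [f'{r["product"]} {r["version"]}'.strip() for r in rows if r["product"]]


def snmp_ports(rows):
    """Ports that Nmap identified as SNMP, so they are not missed in a long list."""
    return [r["port"] for r in rows if r["service"] == "snmp"]


if __name__ == "__main__":
    # Read a real report from a file path if given, else use the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    table = parse_nmap_xml(text)
    for r in table:
        print(f'{r["host"]:15} {r["port"]:>5}/{r["proto"]:3} {r["service"]:8} '
              f'{r["product"]} {r["version"]}  {r["title"]}')
    print("Versions to look up:", lookup_strings(table))
    print("SNMP ports:", snmp_ports(table))
```

Run it with the path to a real `-oX` report as the only argument, or with no argument to see it on the constructed sample. Closed ports are dropped, so the version list only contains things that actually answered.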

Web Enumeration

  1. Enumerate Web server version, library versions & other versions for known vulnerabilities.

    Example - Apache 2.4.49 (vulnerable to Path Traversal & RCE)

  2. Add any domain that you find via email or any other means to the /etc/hosts file!!

  3. Search Google for every web title discovered in the Nmap scan to find known exploits.

  4. Run multiple wordlists for Directory busting ->

    dirb/common.txt

    seclists/raft-wordlists like -> raft-medium-directories.txt

    dirbuster/directory-list-2.3-medium.txt

  5. Run exiftool on all docs like .doc, .pdf, etc. to gather usernames or other information!!

  6. Use the same username & passwords on different services and web portals!!

  7. If there is a domain name being used, then look for subdomains using ->

    wfuzz -u https://streamio.htb -H "Host: FUZZ.streamio.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --hh 315

  8. If given hint about it, perform PHISHING!

  9. In worst case scenario, use usernames listed on the website for bruteforcing open services or login pages!! (ONLY IN WORST CASE SCENARIO)
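Added example (not part of the original checklist): the directory busting in step 4 and the Host header fuzzing in step 7 are both very loud in the web server's access log, and this Python script shows what the defender's side of those two steps looks like. It assumes Apache is writing a custom log with the Host header included, e.g. `LogFormat "%h %t \"%r\" %>s %b \"%{Host}i\"" enum` (that format name and the log lines below are constructed for this example). One client is flagged for a burst of 404s inside a sliding window, the other for hitting many distinct Host values; the identical 315-byte responses the second client gets back are the default vhost page, which is exactly what `--hh 315` hides on the attacker's side.

```python
"""Detect directory busting and Host-header fuzzing in web access logs.

Added example, not code from the original checklist. Assumed log format
(Apache): LogFormat "%h %t \"%r\" %>s %b \"%{Host}i\"" enum
All log lines below are constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<host>[^"]*)"$'
)

# Constructed sample: a normal visitor, a dirbuster, and a vhost fuzzer.
SAMPLE_LOG = [
    '10.0.0.3 [12/Mar/2024:10:00:30 +0000] "GET /index.html HTTP/1.1" 200 5120 "www.example.com"',
    '10.0.0.3 [12/Mar/2024:10:00:31 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "www.example.com"',
    '10.0.0.9 [12/Mar/2024:10:01:00 +0000] "GET /admin HTTP/1.1" 404 196 "www.example.com"',
    '10.0.0.9 [12/Mar/2024:10:01:01 +0000] "GET /backup HTTP/1.1" 404 196 "www.example.com"',
    '10.0.0.9 [12/Mar/2024:10:01:02 +0000] "GET /.git/HEAD HTTP/1.1" 404 196 "www.example.com"',
    '10.0.0.9 [12/Mar/2024:10:01:03 +0000] "GET /config.php HTTP/1.1" 404 196 "www.example.com"',
    '10.0.0.9 [12/Mar/2024:10:01:04 +0000] "GET /old HTTP/1.1" 404 196 "www.example.com"',
    '10.0.0.9 [12/Mar/2024:10:01:05 +0000] "GET /test.txt HTTP/1.1" 404 196 "www.example.com"',
    '10.0.0.7 [12/Mar/2024:10:02:00 +0000] "GET / HTTP/1.1" 200 315 "dev.example.com"',
    '10.0.0.7 [12/Mar/2024:10:02:01 +0000] "GET / HTTP/1.1" 200 315 "staging.example.com"',
    '10.0.0.7 [12/Mar/2024:10:02:02 +0000] "GET / HTTP/1.1" 200 315 "admin.example.com"',
    '10.0.0.7 [12/Mar/2024:10:02:03 +0000] "GET / HTTP/1.1" 200 315 "test.example.com"',
    '10.0.0.7 [12/Mar/2024:10:02:04 +0000] "GET / HTTP/1.1" 200 315 "mail.example.com"',
]


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d


def detect_dirbust(events, threshold=5, window=timedelta(seconds=60)):
    """Clients with >= threshold 404s inside any sliding window; value = peak count."""
    per_ip = defaultdict(list)
    for e in events:
        if e["status"] == 404:
            per_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def detect_host_fuzz(events, threshold=4):
    """Clients that sent >= threshold distinct Host header values."""
    hosts = defaultdict(set)
    for e in events:
        hosts[e["ip"]].add(e["host"].lower())
    return {ip: len(h) for ip, h in hosts.items() if len(h) >= threshold}


def analyze(lines):
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    return {"dirbust": detect_dirbust(events), "host_fuzz": detect_host_fuzz(events)}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        for ip, count in hits.items():
            print(f"{kind}: {ip} ({count})")
```

Thresholds are deliberately low for the sample; on a real site tune them against a day of normal traffic, and treat a burst of 404s from one address that never fetched a real page as the strongest version of the signal. Matching on the scanner's User-Agent is not used here because it is trivially changed.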

New Port Enumeration

  1. Try telnet into the port -------> Run "help"

  2. Try nc into the port -------> Run "help"
