Methodology Checklist
- Layer 1: Internet presence: domains, IPs, ASNs, cloud assets
- Layer 2: Gateway: firewall, WAF, load balancer identification
- Layer 3: Accessible services: open ports, running services, versions
- Layer 4: Service specifics: banners, configs, default creds
- Layer 5: OS: fingerprint OS type and version
- Layer 6: Processes: running services, scheduled tasks
- Layer 7: Privileges: current context, escalation opportunities
- Document all findings per layer before proceeding to the next
Operational Context
Think Dumber First: Enumeration is iterative; each finding opens new attack surface. Work layer by layer: internet presence → DNS → hosts → services → applications → credentials. Never skip a layer because "there's nothing there": one open SNMP port revealing a community string can cascade into full domain compromise.
When you land here: Beginning an engagement or exploring a new target. Apply the enumeration pyramid: start wide (passive OSINT), progressively narrow (active service scan), then deep (service exploitation). Document every finding immediately; memory is unreliable in complex engagements.
Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| (No specific commands; framework reference) | (n/a) |
Deep Dive & Workflow
Overview
Enumeration requires a standardized methodology to avoid omitting critical aspects. It is divided into three categories:
- Infrastructure-based enumeration
- Host-based enumeration
- OS-based enumeration
The 6 Layers of Enumeration
Think of these as walls: find the gap, don't smash through blindly.
| Layer | Name | Goal | Information Categories |
|---|---|---|---|
| 1 | Internet Presence | Identify all externally accessible infrastructure | Domains, Subdomains, Netblocks, ASN, Cloud |
| 2 | Gateway | Identify protection measures | Firewalls, DMZ, IDS/IPS, WAF, Proxies, VPN |
| 3 | Accessible Services | Understand services, versions, configs | Service Type, Port, Version, Interfaces |
| 4 | Processes | Internal tasks, data flow | PID, Processed Data, Tasks, Source/Destination |
| 5 | Privileges | Permissions, users, restrictions | Groups, Users, Permissions, Restrictions |
| 6 | OS Setup | System config and security posture (internal only) | OS Type, Patch Level, Network Config, Sensitive Files |
Note: Layers 1 and 2 generally apply to external testing only. Internal (AD) tests often start at Layer 3.
The Labyrinth Mindset
- Penetration testing is a labyrinth β find the specific gaps that lead inside.
- Not every gap leads to the goal β pick the right path.
- "There is nearly always a way in."
Methodology vs. Cheat Sheets
- Methodology: What and Why. Systematic procedures that remain consistent regardless of tools.
- Cheat Sheet: How. Specific commands and tools that change over time.
Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Enumeration complete but no attack surface found | Wrong scope or too narrow enumeration | Expand to UDP, check HTTP on all ports (not just 80/443), test all discovered subdomains individually |
| Too many open services to prioritize | Large attack surface | Priority order: RCE-class (SMB, RDP, web apps with uploads) → auth services → informational; start with highest-impact services |
| Enumeration shows services but all well-hardened | No obvious misconfigs | Pivot to credential attacks (spray, default creds) and CVE-based exploits on specific software versions |
| Results inconsistent between runs | VPN instability affecting scan accuracy | Run all scans twice; take union of results; mark inconsistent results for manual verification |
| Enumeration stalls waiting for slow scans | UDP/full-port scans taking very long | Run scans in parallel: TCP full-port + UDP top-20 + web fingerprinting simultaneously |
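The two table rows on inconsistent results and on prioritizing a large service list describe a small procedure: union the observations from repeated scan runs, flag anything seen in only one run for manual verification, then order the merged list by impact class. The following is an added example implementing that procedure, not code from the original page. The line format (`host port/proto service`), the two sample runs, and the mapping of service names to the RCE/auth/informational classes are assumptions made for the example; in real use you would feed it parsed scanner output and adjust the class mapping to the engagement.

```python
"""Merge repeated scan runs, flag inconsistencies, and triage by class."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Assumed mapping of service names to the priority classes the table names.
# Web services are left as "info" here because upload capability cannot be
# determined from a port scan alone; they need application-level review.
PRIORITY = {
    "rce": ("smb", "microsoft-ds", "netbios-ssn", "rdp", "ms-wbt-server"),
    "auth": ("ssh", "ftp", "ldap", "kerberos", "mysql", "mssql", "postgresql"),
}
RANK = {"rce": 0, "auth": 1, "info": 2}


@dataclass(frozen=True)
class Observation:
    """One host/port/protocol/service tuple from a scan run."""
    host: str
    port: int
    proto: str
    service: str


def classify(service: str) -> str:
    """Return 'rce', 'auth', or 'info' for a service name (case-insensitive)."""
    name = service.lower()
    for cls, names in PRIORITY.items():
        if name in names:
            return cls
    return "info"


def parse_run(lines: Iterable[str]) -> set[Observation]:
    """Parse constructed 'host port/proto service' lines; skip blanks and comments."""
    observations: set[Observation] = set()
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, port_proto, service = line.split(maxsplit=2)
        port, proto = port_proto.split("/", 1)
        observations.add(Observation(host, int(port), proto, service))
    return observations


def merge_runs(run_a: set[Observation], run_b: set[Observation]) -> list[dict]:
    """Union both runs, flag single-run entries, and sort by class, host, port."""
    stable = run_a & run_b
    merged = [
        {
            "obs": obs,
            "class": classify(obs.service),
            "needs_verification": obs not in stable,
        }
        for obs in run_a | run_b
    ]
    merged.sort(key=lambda m: (RANK[m["class"]], m["obs"].host, m["obs"].port))
    return merged


# Constructed sample runs; run 2 models a VPN drop that missed one UDP port
# and run 1 models a transient failure that missed one TCP port.
RUN_1 = """
# constructed sample: run 1
10.0.0.5 445/tcp microsoft-ds
10.0.0.5 22/tcp ssh
10.0.0.5 161/udp snmp
10.0.0.7 3389/tcp ms-wbt-server
"""
RUN_2 = """
# constructed sample: run 2
10.0.0.5 445/tcp microsoft-ds
10.0.0.5 22/tcp ssh
10.0.0.7 3389/tcp ms-wbt-server
10.0.0.7 80/tcp http
"""


def triage_sample() -> list[dict]:
    """Merge the two constructed runs and return the prioritized list."""
    return merge_runs(parse_run(RUN_1.splitlines()), parse_run(RUN_2.splitlines()))


if __name__ == "__main__":
    for entry in triage_sample():
        o = entry["obs"]
        flag = "  [verify manually]" if entry["needs_verification"] else ""
        print(f"{entry['class']:4} {o.host}:{o.port}/{o.proto} {o.service}{flag}")
```

The merged list keeps every observation from either run (so a dropped packet never silently removes a finding), and the `needs_verification` flag carries the inconsistency into the findings log rather than forcing a decision at scan time. Because `Observation` is a frozen dataclass, set operations deduplicate identical rows across runs automatically.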
Reporting Trigger
Finding Title: (Enumeration methodology is documented in the engagement methodology section, not as a vulnerability finding. Any gaps in enumeration coverage should be disclosed as assessment limitations.)