🛡️ Methodology Checklist
- Never assume: verify every finding independently
- Take notes during enumeration — not after
- Use OSINT before sending a single packet to the target
- Enumerate methodically across all layers before exploiting
- Do not tunnel-vision on one finding — maintain full coverage
- Ask: “What can this service tell me?” before “How do I exploit this?”
- Review notes for cross-references before moving to exploitation
🎯 Operational Context
Think Dumber First: Information is infinite — enumeration ends when you run out of time, not possibilities. Timebox each layer: 30 min passive OSINT → 30 min DNS/host discovery → 60 min service scanning → then attack phase. The goal is enough information to identify attack paths, not complete knowledge of the target.
When you land here: Establishing approach for a new engagement. Apply: Never assume (verify every finding), question everything (why is this port open?), and use the right tool for each layer. Multiple sources = higher confidence in findings.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| (none) | Conceptual foundation: this page sets methodology, not commands |
🔬 Deep Dive & Workflow
Definition
Enumeration is the systematic process of gathering information through active (scanning, direct interaction) and passive (third-party providers, OSINT) methods.
- Enumeration vs. OSINT: OSINT is strictly passive; nothing is sent to the target's infrastructure, so the target cannot observe it. Enumeration in the broad sense covers both, but its active half (scanning, banner grabbing, direct queries) reaches the target and can be logged, rate-limited, or blocked.
- The Loop: Enumeration is cyclical — gathered data reveals new data, continuously refining the target map.
The Mindset: “Map, Don’t Dig”
“Our goal is not to get at the systems but to find all the ways to get there.”
The Mistake: Jumping to noisy attacks (brute-forcing SSH/RDP) without understanding the infrastructure leads to:
- Getting blacklisted/blocked.
- Wasted time.
- Missed opportunities (overlooking non-obvious paths).
The Treasure Hunter Analogy: Don’t grab a shovel and dig holes (brute force). Study the map, understand the terrain, bring the right tools.
The 3 Core Principles
- There is more than meets the eye — consider all points of view.
- Distinguish between what we see and what we do not see — absence of evidence is data.
- There are always ways to gain more information — if stuck, you likely lack information, not hacking ability.
Critical Thinking Questions
Visible (What is there?)
- What can we see? Why is it visible (intentional or accidental)?
- What image does this create of the infrastructure?
- How can we use it?
Invisible (What is missing?)
- What can we not see?
- Why can we not see it? (Firewall? Obscurity? Not installed?)
- What does this absence tell us about their security posture?
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Overthinking scope results in no actual attacks | Analysis paralysis from too much data | Set a timebox for enumeration phase; start attacking highest-confidence findings while enumeration continues |
| Team members using different enumeration tools producing inconsistent results | No standardized toolset | Agree on standard toolchain before engagement; use shared methodology document |
| Passive recon reveals too much information to process | OSINT data overload | Filter by relevance to scope; prioritize recent data; focus on technical indicators not biographical details |
| Enumeration principle conflicts with client’s time constraints | Thorough enum requires more time | Prioritize highest-risk attack vectors first; document incomplete enumeration as assessment limitation |
| Multiple enumeration paths lead to the same dead end | Time wasted by an unsystematic approach | Follow the pyramid model: complete each layer fully before descending; avoid jumping between layers |
📝 Reporting Trigger
Finding Title: (Enumeration principles are methodology — not a vulnerability. Document your enumeration approach and any deliberate scope limitations in the assessment methodology section.)