You are here: no valid credentials, no shell, nothing has landed. External or initial network position.

The intended path is almost always a service you under-enumerated or a credential you haven’t built yet. Breadth first.


▶️ Next moves (in order)

  1. Confirm the full attack surface. Every in-scope host, all TCP ports, top UDP. A missed port is a missed path. → Enumeration_Methodology · Nmap_Service_Enumeration · Nmap_Host_Port_Scanning
  2. Unauthenticated AD. Null sessions, RID brute, user enumeration via Kerberos, password policy. → AD_Initial_Enumeration · AD_Password_Policy_UserList
  3. SMB anonymous / null. List shares, read what’s readable, mirror it offline. → SMB_Ports_139_445 · Attacking_SMB · Credential_Hunting_Network_Shares
  4. Other services that leak without creds. → FTP_Port_21 / Attacking_FTP (anon) · NFS_Ports_111_2049 (exports) · SNMP_UDP_161 (community strings) · DNS_Port_53 / DNS_Zone_Transfers · SMTP_Ports_25_465_587 (user enum) · IMAP_POP3_Ports · Oracle_TNS_Port_1521 · MSSQL_Port_1433 · MySQL_Port_3306
  5. Web surface. Fingerprint, find vhosts/subdomains and hidden content, identify known apps, then attack the class. → Web_Fingerprinting · Virtual_Hosts · Subdomain_Bruteforcing · Ffuf_Directory_Page_Recursive · Common_Apps_Discovery_Notable · Common_Apps_Tomcat_Jenkins
  6. Build a user list, then spray. Names from OSINT/SMTP/RID/Kerbrute → controlled spray that stays under the lockout threshold and observation window. → AD_Password_Spraying_AD · Password_Attacks_Spraying_Stuffing
  7. Default and weak creds on every login surface you found (web apps, DBs, management ports).
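Step 6 is where people stall with a pile of names and no list. The script below is an added example (not part of this page or of any tool it links): it turns "First Last" names gathered from OSINT/SMTP/RID into the common AD username formats, dedupes them, and sizes the spray from the lockout threshold you pulled in step 2. The names, the format list and the margin-of-2 rule are my assumptions, not anything the page states.

```shell
#!/usr/bin/env bash
# Added example, not from the page. Builds candidate usernames from real
# names and computes a spray budget under the lockout threshold.
# All names used below are constructed samples.

set -u

# Emit the usual AD username formats for one "First Last" pair:
# first.last flast f.last firstl first_last lastf last.first first
# (assumed format list; extend it if the target's naming convention differs)
name_formats() {
  first="$1"; last="$2"
  f=${first%"${first#?}"}   # first character of first name (POSIX idiom)
  l=${last%"${last#?}"}     # first character of last name
  printf '%s\n' \
    "${first}.${last}" "${f}${last}" "${f}.${last}" "${first}${l}" \
    "${first}_${last}" "${last}${f}" "${last}.${first}" "${first}"
}

# Read "First Last" lines on stdin; print a lowercased, deduplicated list.
# Lines without at least two words are skipped (no surname to derive from).
gen_usernames() {
  tr '[:upper:]' '[:lower:]' | while read -r first last _; do
    [ -n "$first" ] && [ -n "$last" ] || continue
    name_formats "$first" "$last"
  done | awk '!seen[$0]++'
}

# Attempts per observation window: stay 2 under the threshold (assumed
# margin). Threshold 0 means no lockout; cap at 10 anyway to stay quiet.
spray_budget() {
  threshold="$1"
  if [ "$threshold" -eq 0 ]; then
    echo 10
    return
  fi
  n=$((threshold - 2))
  if [ "$n" -lt 1 ]; then n=1; fi
  echo "$n"
}

# Demo on constructed names. In practice: pipe in the OSINT list, validate
# the result with Kerberos user enumeration, then spray within the budget.
printf 'John Smith\nJane Doe\nMary-Ann Lee\n' | gen_usernames
echo "attempts per window with lockout threshold 5: $(spray_budget 5)"
```

Feed the output to the Kerberos user-enumeration step before spraying so the spray only touches accounts that exist; the budget is per observation window, so reset the count when the window rolls over, and treat a threshold of 0 as "unknown" rather than "unlimited" until you have read the policy yourself.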

⚠️ Common stalls

  • Only scanned the top ports, or skipped UDP entirely.
  • Never tried null/guest/anonymous on SMB, FTP, NFS, LDAP.
  • Read (Guest) in NetExec output as a success. It means the target fell through to guest access, not that the credentials are valid.
  • Didn’t fuzz virtual hosts / subdomains, so the real app stayed hidden.
  • Tunnel-visioned one host while the foothold was on another.
  • Had usernames but never built and sprayed a list.

⏱️ Stop condition

You’ve done one full clean pass — every in-scope host full-port scanned, every service’s unauthenticated angle tried, web vhosts/content fuzzed, a user list built and sprayed — and nothing landed. Stop re-running the same scans. The gap here is almost always breadth (a missed host, port, vhost, or service), not a technique you haven’t tried on the host in front of you. Re-confirm scope, widen wordlists once, re-read every banner and output for a detail you skipped, then move to building an identity (OSINT/SMTP names → spray). Don’t grind one target.

🔀 Route on