# External Focused Enumeration

Enumerate directories and files exposed by a web application.
    gobuster dir -u https://target -w wordlist.txt

Fuzz URL paths to identify hidden endpoints and parameters.
    ffuf -u https://target/FUZZ -w wordlist.txt

Enumerate HTTP methods supported by a web server. The Allow header only shows with -i; treat it as a hint and confirm each listed method with a real request, because servers routinely advertise methods they reject or omit ones they accept.
    curl -i -X OPTIONS https://target

Identify application routes and behaviors by inspecting responses.
    curl -s https://target | less

Enumerate API routes and versions.
    ffuf -u https://api.target/FUZZ -w api.txt

Enumerate GraphQL schema via introspection. Most servers reject the query without a JSON content type; an error saying introspection is disabled still confirms a GraphQL endpoint.
    curl -s -X POST https://target/graphql -H 'Content-Type: application/json' -d '{"query":"{__schema{types{name}}}"}'
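The introspection query above returns every type name, built-ins included. The next step is separating the application's own types from GraphQL's. The shell function below is an added example, not code from the original cheat sheet: it works on a constructed introspection response (the type names in it are invented for the demonstration) and uses only grep and sed so it runs wherever curl does.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: filter a GraphQL introspection
# response down to the application's own types. Constructed sample output below;
# the type names are invented for the demonstration.

INTROSPECTION_SAMPLE='{"data":{"__schema":{"types":[{"name":"Query"},{"name":"Mutation"},{"name":"User"},{"name":"AdminReport"},{"name":"String"},{"name":"Boolean"},{"name":"__Schema"},{"name":"__Type"}]}}}'

# graphql_user_types  (reads JSON on stdin) -> one application-defined type per line.
# Drops the __-prefixed introspection types and the five built-in scalars; anything
# left is something the application declared and worth querying for its fields.
graphql_user_types() {
  grep -o '"name" *: *"[^"]*"' \
    | sed 's/.*"name" *: *"\([^"]*\)"/\1/' \
    | grep -v '^__' \
    | grep -vxE 'String|Int|Float|Boolean|ID'
}

# Against a live target the input is the introspection request itself:
#   curl -s -X POST https://target/graphql -H 'Content-Type: application/json' \
#        -d '{"query":"{__schema{types{name}}}"}' | graphql_user_types
printf '%s' "$INTROSPECTION_SAMPLE" | graphql_user_types
```

Each type that survives the filter is a candidate for a follow-up `{__type(name:"User"){fields{name type{name}}}}` query; types with names like AdminReport that never appear in the client-side JavaScript are the ones to look at first.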
Enumerate exposed login endpoints and auth flows.
    ffuf -u https://target/FUZZ -w auth.txt

Test for username enumeration via authentication responses. hydra's http-post-form module needs the login path, the form field names and a failure marker; the values below are placeholders to replace with what the target's login form actually sends. A difference in status code, body length or response time between known and unknown usernames is the finding.
    hydra -L users.txt -p invalid target http-post-form "/login:username=^USER^&password=^PASS^:F=Invalid username"

Enumerate OAuth / SSO endpoints and providers. The OpenID Connect discovery document lists the authorization, token and JWKS endpoints plus the supported flows; OAuth-only servers publish the same metadata under /.well-known/oauth-authorization-server.
    curl https://target/.well-known/openid-configuration
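A discovery document is long, and the interesting parts are a handful of keys. The script below is an added example, not from the original page: it summarises the endpoints and flags the implicit flow, missing S256 PKCE and an open registration endpoint. The JSON is a constructed sample (the issuer https://idp.example is invented) and the helper names are mine; it deliberately avoids jq so it works on a bare jump host.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: summarise an OpenID Connect discovery
# document and flag the settings worth a closer look. The JSON is a constructed
# sample (issuer https://idp.example is invented), not any real provider's metadata.

OIDC_SAMPLE='{"issuer":"https://idp.example","authorization_endpoint":"https://idp.example/authorize","token_endpoint":"https://idp.example/token","userinfo_endpoint":"https://idp.example/userinfo","jwks_uri":"https://idp.example/jwks","registration_endpoint":"https://idp.example/register","response_types_supported":["code","id_token","token id_token"],"code_challenge_methods_supported":["plain"]}'

# oidc_value KEY  (JSON on stdin) -> string value of a top-level key, empty if absent.
oidc_value() {
  sed -n "s/.*\"$1\" *: *\"\([^\"]*\)\".*/\1/p"
}

# oidc_list KEY  (JSON on stdin) -> elements of a top-level string array, one per line.
oidc_list() {
  grep -o "\"$1\" *: *\[[^]]*]" | grep -o '"[^"]*"' | sed '1d; s/"//g'
}

# oidc_summary  (JSON on stdin) -> endpoint inventory followed by FINDING/NOTE lines.
oidc_summary() {
  local doc key
  doc=$(cat)
  for key in issuer authorization_endpoint token_endpoint userinfo_endpoint jwks_uri registration_endpoint; do
    printf '%-24s %s\n' "$key" "$(printf '%s' "$doc" | oidc_value "$key")"
  done
  # A response_type containing the bare word "token" is the implicit flow: access tokens
  # come back in the URL fragment, where they leak through history, referrers and JS.
  if printf '%s' "$doc" | oidc_list response_types_supported | grep -qE '(^| )token( |$)'; then
    echo "FINDING implicit flow (response_type=token) enabled"
  fi
  # Public clients without S256 PKCE are exposed to authorization-code interception.
  if ! printf '%s' "$doc" | oidc_list code_challenge_methods_supported | grep -qx S256; then
    echo "FINDING PKCE S256 not advertised"
  fi
  # Dynamic client registration is often left open; register a client and see what it gets.
  if [ -n "$(printf '%s' "$doc" | oidc_value registration_endpoint)" ]; then
    echo "NOTE dynamic client registration endpoint present"
  fi
}

# Live use: curl -s https://target/.well-known/openid-configuration | oidc_summary
printf '%s' "$OIDC_SAMPLE" | oidc_summary
```

The token and JWKS endpoints are also what you need for the next checks (algorithm confusion against the published keys, redirect_uri validation at the authorization endpoint), so the inventory is worth keeping in the notes.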
Enumerate SMTP capabilities (EHLO extensions and advertised AUTH mechanisms) and probe for valid users via VRFY, EXPN and RCPT TO.
    nmap -p 25,465,587 --script smtp-commands,smtp-enum-users <target>

Enumerate SSH configuration and auth methods.
    nmap -p 22 --script ssh-auth-methods,ssh2-enum-algos <target>

Enumerate RDP configuration and security level.
    nmap -p 3389 --script rdp-enum-encryption,rdp-ntlm-info <target>

Enumerate Azure blob containers. Listing containers requires credentials for the storage account; anonymously, a container is only reachable when you already know its name and it allows public read.
    az storage container list --account-name target

Enumerate exposed Google Cloud storage buckets.
    gsutil ls gs://bucket-name

Enumerate public cloud storage permissions. --no-sign-request tests what an anonymous caller can list; drop it to test with any authenticated AWS principal, which is a separate and commonly misconfigured case.
    aws s3 ls s3://bucket-name --no-sign-request

# Internal Focused Enumeration

Enumerate SMB users, shares, policies, and OS information.
    enum4linux -a <target>

List available SMB shares without authentication.
    smbclient -L //target -N

Fingerprint SMB hosts: hostname, domain, OS build and whether SMB signing is required (a signing:False result marks a relay candidate).
    crackmapexec smb <target>

Enumerate SMB shares across a subnet. Empty credentials request a null session; substitute real ones once you have them.
    crackmapexec smb 10.0.0.0/24 -u '' -p '' --shares

Enumerate domain information anonymously if permitted. Querying the rootDSE with an empty base returns the naming contexts, which become the -b value for further searches.
    ldapsearch -x -H ldap://<target> -s base -b '' namingContexts

Enumerate domain users, groups, and policies via LDAP.
    crackmapexec ldap <target> -u user -p pass --users --groups

Collect comprehensive AD relationship data for graph analysis. -ns points name resolution at a domain controller when the host's resolver does not know the domain.
    bloodhound-python -d domain.local -u user -p pass -ns <dc-ip> -c All

Enumerate domain users with valid credentials.
    crackmapexec smb target -u user -p pass --users

Start an RPC client session (anonymous if permitted; -N suppresses the password prompt).
    rpcclient -U "" -N target

List domain users through RPC calls (run inside rpcclient).
    enumdomusers

List domain groups (inside rpcclient).
    enumdomgroups

Identify kernel and OS version information.
    uname -a

Display current user identity and group memberships.
    id

List sudo privileges available to the current user.
    sudo -l

Identify running processes and services.
    ps aux

List listening services and open ports.
    ss -lntup

Identify SUID binaries (restricting to regular files drops directories that carry the bit).
    find / -type f -perm -4000 2>/dev/null

List system-wide cron jobs.
    ls -la /etc/cron*

Search for credentials in configuration files.
    # Searches for the term password, case-insensitively, under /etc.
    grep -Ri "password" /etc 2>/dev/null
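The SUID and cron listings above are raw output; the leads are the delta from a stock system and the jobs whose script you can overwrite. The script below is an added example, not from the original page, that turns those two listings into findings. Its baseline of expected SUID binaries is an assumption to adjust for the target's distribution, and the crontab parser assumes the system format (five time fields, a user field, then the command), which is what /etc/crontab and /etc/cron.d use.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: two checks that turn the raw SUID
# and cron listings into leads. The baseline list and the crontab format are
# assumptions noted inline; adjust them for the target's distribution.

# Common SUID binaries shipped by mainstream distributions (assumed baseline; extend per build).
SUID_BASELINE="su sudo passwd chsh chfn gpasswd newgrp mount umount ping fusermount fusermount3 pkexec"

# suid_outliers ROOT -> SUID regular files under ROOT whose basename is not in the baseline.
suid_outliers() {
  local root="$1" f base
  find "$root" -xdev -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
    base=$(basename "$f")
    case " $SUID_BASELINE " in
      *" $base "*) ;;              # expected on a stock system, skip
      *) printf '%s\n' "$f" ;;     # unexpected: inspect it and check for known escapes
    esac
  done
}

# writable_cron_targets CRONFILE -> commands in a system crontab (m h dom mon dow user cmd)
# whose first word is a file the current user can write. Such a job runs as the
# listed user, so a writable script there is a privilege-escalation lead.
writable_cron_targets() {
  local cronfile="$1" line cmd
  grep -Ev '^[[:space:]]*(#|$)' "$cronfile" | while IFS= read -r line; do
    case "$line" in
      @*) cmd=$(printf '%s\n' "$line" | awk '{print $3}') ;;  # @reboot/@daily form: spec user cmd
      *)  cmd=$(printf '%s\n' "$line" | awk '{print $7}') ;;
    esac
    if [ -n "$cmd" ] && [ -w "$cmd" ]; then
      printf '%s\n' "$cmd"
    fi
  done
}

# Run against the live system; root-owned cron files are the interesting ones.
suid_outliers /
for f in /etc/crontab /etc/cron.d/*; do
  if [ -f "$f" ]; then
    writable_cron_targets "$f"
  fi
done
```

A SUID outlier is only a finding once you know what it does; a writable cron target is a finding on its own, because the next run executes whatever you put in the file.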
Display detailed user, group, and privilege information.
    whoami /all

Enumerate local user accounts.
CMD:
    net user
PowerShell:
    Get-LocalUser | Select Name,Enabled,LastLogon

List members of the local administrators group.
CMD:
    net localgroup administrators
PowerShell:
    Get-LocalGroupMember -Group "Administrators"

Enumerate domain users. The PowerShell form needs the ActiveDirectory module (RSAT); net user works from any domain-joined host.
CMD:
    net user /domain
PowerShell:
    Get-ADUser -Filter *

Display system information including patch level.
    systeminfo

Enumerate scheduled tasks.
CMD:
    schtasks /query /fo LIST /v
PowerShell:
    # Identifies scheduled tasks running with elevated privileges.
    Get-ScheduledTask | Where-Object { $_.Principal.RunLevel -eq "Highest" }

Enumerate services for path misconfiguration. The filters keep auto-start services whose binary lives outside C:\Windows and whose path is not quoted; a space in such a path is the unquoted service path bug. wmic is deprecated and absent from recent Windows 11 builds; the same fields are available from Get-CimInstance Win32_Service.
    wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

# Notes

Enumeration implies intent and usually requires credentials.
Expect higher signal and higher detection than recon.
The output of this phase feeds directly into exploitation and lateral movement.