Network Enumeration Handbook
Master network scanning with the Network Enumeration Handbook. Get essential enumeration commands for all major protocols to elevate your security testing.
Subdomains Discovery & Enumeration
- Amass. In-depth attack surface mapping and asset discovery.
- Sublist3r. Fast subdomains enumeration tool for penetration testers.
SMB (Server Message Block)
Server Message Block (SMB) is a network file-sharing protocol that allows computers on the same network to share files, printers, and serial ports. It operates on a client-server model, enabling applications to read, create, and update files on a remote server, functioning primarily within Windows environments but also supporting Linux via Samba.
Enumerate live hosts:
nxc smb $IP/24
Guest Logon Enumeration
Guest logon enumeration is a critical technique for identifying exposed shares and system information in environments where strict access controls are neglected or legacy configurations persist. In a corporate Windows or Active Directory setting, this allows an auditor to quickly pinpoint "low-hanging fruit" such as unprotected file servers or sensitive backup directories that are inadvertently open to anyone on the network. By successfully identifying a Guest: True status, you can bypass the need for valid domain accounts to begin harvesting internal data, making it a vital first step in internal penetration tests to demonstrate the risk of unauthorized data exposure.
Starting in 2025, NetExec introduced a streamlined way to verify guest login status without needing to provide credentials. To use this feature, ensure your installation is updated and modify your ~/.nxc/nxc.conf file by setting check_guest_account to true. Once this configuration is saved, you can simply run nxc smb $IP without any login details; if guest access is permitted on the target, the output will clearly indicate Guest: True.
The following commands perform the check manually. Make sure the password is empty.
nxc smb $IP -u 'a' -p ''
nxc smb $IP -u 'a' -p '' --shares
If no output appears when running nxc with a password, check that the password is correct.
Null Session Enumeration
Null session enumeration allows an unauthenticated attacker to query a Windows machine (typically via RPC or SMB) without a username or password, which is highly effective in older or misconfigured Active Directory environments for mapping the network. By establishing this "anonymous" connection, you can often extract sensitive data such as user lists, group memberships, and share names, providing the initial blueprint needed for lateral movement or password spraying attacks.
nxc smb $IP -u '' -p ''
nxc smb $IP -u '' -p '' --shares
nxc smb $IP -u '' -p '' --pass-pol
nxc smb $IP -u '' -p '' --users
nxc smb $IP -u '' -p '' --groups
The same can be done with smbclient and rpcclient.
smbclient -N -U "" -L //$IP
rpcclient -N -U "" $IP
rpcclient $> enumdomusers
WinRM (Windows Remote Management) - 5985,5986
Windows Remote Management (WinRM) is a Microsoft tool that lets IT professionals manage and run commands on remote computers. It is Microsoft’s version of the standard WS-Management protocol. WinRM uses standard web protocols (HTTP or HTTPS) to let you manage Windows machines from a distance.
# Basic connection
evil-winrm -i $target -u $username -p 'password'
# With domain
evil-winrm -i $target -u 'DOMAIN\username' -p 'password'
# Using hash (Pass-the-Hash)
evil-winrm -i $target -u $username -H 'NTHASH'
# Using SSL (port 5986)
evil-winrm -i $target -u $username -p 'password' -S
# With custom port
evil-winrm -i $target -u $username -p 'password' -P 5985
See the following resources for more tricks and techniques: "5985,5986 - Pentesting WinRM" and "WinRM (Windows Remote Management)".
SNMP (Simple Network Management Protocol) - 161/UDP, 162/UDP
Simple Network Management Protocol (SNMP) is a standard internet protocol used to monitor, organize, and configure managed devices across IP networks. It allows administrators to track system status and modify settings on equipment like routers, switches, servers, printers, and workstations. By exposing system variables that detail configuration and performance, SNMP enables management applications to remotely query or update device behavior.
Connect
Network administrators usually manage SNMP-enabled hardware through command-line interfaces (CLIs), which dispatch requests directly to the device’s internal agent.
SNMPWALK
snmpwalk is a command-line application that uses SNMP GETNEXT requests to query a network entity for a tree of information.
# For SNMPv1/v2c (most common for pentesting due to weaker security)
snmpwalk -c <community_string> -v1 <target_ip>
snmpwalk -c <community_string> -v2c <target_ip>
# Example: Walking the entire MIB tree
snmpwalk -c public -v2c 192.168.1.1
# Example: Walking a specific OID subtree
snmpwalk -c public -v2c 192.168.1.1 .1.3.6.1.2.1.1.1  # sysDescr
Enumeration
It is recommended to install the following so that each OID gathered from the device is translated into its MIB name:
sudo apt-get install snmp-mibs-downloader
download-mibs
# Finally, comment out the line saying "mibs :" in /etc/snmp/snmp.conf
sudo vi /etc/snmp/snmp.conf
If you know a valid community string, you can access the data using snmpwalk or snmp-check:
snmpbulkwalk -c [COMM_STRING] -v [VERSION] [IP] .  # don't forget the final dot
snmpbulkwalk -c public -v2c 10.10.11.136 .
snmpwalk -v [VERSION_SNMP] -c [COMM_STRING] [DIR_IP]
snmpwalk -v [VERSION_SNMP] -c [COMM_STRING] [DIR_IP] 1.3.6.1.2.1.4.34.1.3  # IP addresses incl. IPv6; the index is decimal octets, so dec2hex is needed
snmpwalk -v [VERSION_SNMP] -c [COMM_STRING] [DIR_IP] NET-SNMP-EXTEND-MIB::nsExtendObjects  # get extended objects
snmpwalk -v [VERSION_SNMP] -c [COMM_STRING] [DIR_IP] .1  # enumerate everything
snmp-check [DIR_IP] -p [PORT] -c [COMM_STRING]
nmap --script "snmp* and not snmp-brute" <target>
braa <community string>@<IP>:.1.3.6.*  # bruteforce a specific OID
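The ipAddressIfIndex walk above (1.3.6.1.2.1.4.34.1.3) returns each address only as decimal sub-identifiers in the OID index, which is the "dec2hex" step the comment refers to. The following added example, not part of the original handbook, decodes those rows into readable IPv4/IPv6 addresses and zone indices for an interface inventory; it assumes numeric OID output (snmpwalk -On or no MIBs loaded), and the sample walk output is constructed, not captured from a real device.

```python
import ipaddress
import re

# IP-MIB::ipAddressIfIndex, the OID walked on the page. Each row's index encodes
# the address itself as <InetAddressType>.<length>.<one decimal sub-identifier per octet>
IP_ADDRESS_IF_INDEX = "1.3.6.1.2.1.4.34.1.3"

# InetAddressType -> expected index length (ipv4z/ipv6z carry a 4-octet zone suffix)
ADDR_TYPE_LEN = {1: 4, 2: 16, 3: 8, 4: 20}

# Matches the numeric-OID row format snmpwalk prints when MIBs are not applied
LINE_RE = re.compile(r"^\.?(?P<oid>[\d.]+)\s*=\s*INTEGER:\s*(?P<ifindex>\d+)\s*$")

# Constructed sample walk output (not from a real device): one IPv4 row,
# one link-local IPv6 row, and one zoned IPv6 row (fe80::1 on zone 2)
SAMPLE_WALK = """\
.1.3.6.1.2.1.4.34.1.3.1.4.10.10.11.136 = INTEGER: 2
.1.3.6.1.2.1.4.34.1.3.2.16.254.128.0.0.0.0.0.0.0.0.0.0.0.0.0.1 = INTEGER: 2
.1.3.6.1.2.1.4.34.1.3.4.20.254.128.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.2 = INTEGER: 2
"""


def decode_index(index_parts):
    """Turn the index sub-identifiers into (address_text, zone_or_None)."""
    addr_type, length, octets = index_parts[0], index_parts[1], index_parts[2:]
    if ADDR_TYPE_LEN.get(addr_type) != length or len(octets) != length:
        raise ValueError(f"malformed index: type={addr_type} len={length} octets={len(octets)}")
    if any(o < 0 or o > 255 for o in octets):
        raise ValueError("sub-identifier outside octet range")
    zone = None
    if addr_type in (3, 4):  # zoned forms: trailing 4 octets are a big-endian zone index
        zone = int.from_bytes(bytes(octets[-4:]), "big")
        octets = octets[:-4]
    return str(ipaddress.ip_address(bytes(octets))), zone


def parse_walk_line(line):
    """Parse one snmpwalk row; returns None for rows outside ipAddressIfIndex."""
    m = LINE_RE.match(line.strip())
    if not m or not m.group("oid").startswith(IP_ADDRESS_IF_INDEX + "."):
        return None
    index = [int(x) for x in m.group("oid")[len(IP_ADDRESS_IF_INDEX) + 1:].split(".")]
    address, zone = decode_index(index)
    return {"address": address, "zone": zone, "ifindex": int(m.group("ifindex"))}


def parse_walk(output):
    """Decode every ipAddressIfIndex row of a walk into address/zone/ifIndex records."""
    return [row for row in map(parse_walk_line, output.splitlines()) if row]


if __name__ == "__main__":
    for row in parse_walk(SAMPLE_WALK):
        print(f'ifIndex {row["ifindex"]}: {row["address"]} zone={row["zone"]}')
```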
Thanks to extended queries (download-mibs), it is possible to enumerate even more about the system with the following command:
snmpwalk -v [VERSION_SNMP] -c public <IP> NET-SNMP-EXTEND-MIB::nsExtendOutputFull
See the following resources for more tricks and techniques: "161,162,10161,10162/udp - Pentesting SNMP" and "SNMP (Simple Network Management Protocol)".
Understanding Application
Questions
- How does the app pass data?
- How/Where does the app talk about users?
- Does the site have multi-tenancy or user levels?
- Does the site have a unique threat model?
- Has there been past security research & vulnerabilities?
- How does the app handle: XSS, CSRF, Injection …
Library
Web Technologies
We can use the following extensions/tools to peek into the tech stack used by the site.
- Whatruns (browser extension)
- Wappalyzer (browser extension)
- Webanalyze (command line)
Port Scans
Content Discovery
- ApiLeaks. Scans APK files for URIs, endpoints & secrets.
- Scavenger. BurpSuite extension for content discovery.
- Gap. BurpSuite extension that helps with parameters and paths.
- Source2Url. Parses source code directories and outputs a list of URLs that are then sent through a proxy.
- GetAllUrls (GAU). Fetches known URLs from AlienVault’s Open Threat Exchange, the Wayback Machine, and Common Crawl.
- XnLinkFinder. A Python tool used to discover endpoints, potential parameters, a target-specific wordlist and secrets for a given target.
- Hakrawler. Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web application.