# Week 6: Enumeration

**Enumeration for the win** - The intent of this lesson is to provide an overview of basic enumeration tactics and then dive deep into specific tools used for common ports found in penetration testing. For example, if we find port 80 open on a scan (HTTP), we will likely want to know what service is running and enumerate that service for potential exploits at a high level. At a deep level, we will want to explore the app with tools such as Nikto, Dirbuster/Dirb, and Burp Suite to really enumerate the app where tools like Nmap and Nessus fail to go deep enough.

## Notes

If you see a test page, it indicates poor hygiene.

Unless it's a web app assessment, you don't need to discuss headers, e.g. these nikto findings:

```
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
```

Want to do a brute-force attack on SSH at some point to make sure their SIM catches it.

Penetration Tester - make a lot of noise\
Red Team - try not to trigger anything
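The three nikto findings above are all "header is absent" checks, which is easy to reproduce against a captured response so the finding can be confirmed (or tracked for remediation) without re-running a full nikto scan. The script below is an added example, not part of the course notes or nikto itself: `missing_security_headers` reads raw HTTP response headers on stdin and prints the names of the flagged headers it does not find; the response in `sample_response_headers` is constructed, not captured from any real host. One caveat a report should carry: modern browsers ignore `X-XSS-Protection`, so its absence is informational only, while `X-Frame-Options` (or a `frame-ancestors` CSP directive) and `X-Content-Type-Options: nosniff` still matter.

```shell
#!/bin/sh
# Added example (not from the course notes or nikto): check a captured HTTP
# response for the security headers nikto reports as missing.

# Print, one per line, each header from the nikto checklist that is absent.
# Header names are matched case-insensitively at the start of a line.
missing_security_headers() {
    headers="$(tr -d '\r')"   # normalise CRLF endings so anchors match
    for name in X-Frame-Options X-XSS-Protection X-Content-Type-Options; do
        if ! printf '%s\n' "$headers" | grep -qi "^$name:"; then
            echo "$name"
        fi
    done
}

# Constructed sample: a server that only sends X-Content-Type-Options.
sample_response_headers() {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'Server: Apache\r\n'
    printf 'X-Content-Type-Options: nosniff\r\n'
    printf 'Content-Type: text/html\r\n'
    printf '\r\n'
}

# Run the check over the constructed sample; expected output:
# X-Frame-Options and X-XSS-Protection, each on its own line.
demo_missing_headers() {
    sample_response_headers | missing_security_headers
}

# Against a live host (hypothetical URL), the same check would be:
#   curl -sI https://target.example/ | missing_security_headers
if [ $# -gt 0 ]; then
    curl -sI "$1" | missing_security_headers
fi
```

Pass a URL as the first argument to check a live response; with no arguments the functions are only defined, and `demo_missing_headers` exercises them on the constructed sample.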

### HTB: OneTwoSeven - Retired

```
# full TCP port sweep, then a UDP scan
$ nmap -T4 -p- <ip>
$ nmap -sU -T4 <ip>

open ports: 22, 80, 60080

# service/OS detection only on the ports found open
$ nmap -A -T4 -p22,80,60080 <ip>

# cannot access filtered port at 10.10.10.133:60080, so add the box to the local hosts file

$ gedit /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
10.10.10.133    onetwoseven.htb

........
```
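The two-stage pattern in the notes (sweep all ports with `-p-`, then run `-A` only against what came back open) is worth scripting so the open-port list is never retyped by hand. The script below is an added example, not part of the course notes or HTB: `open_ports_from_gnmap` parses nmap's grepable (`-oG`) output into the comma-separated list the second scan needs, and `scan_target` chains both stages. The grepable output in `sample_gnmap` is constructed to mirror the ports in the notes (plus one filtered port, to show it is dropped); it is not real scan output.

```shell
#!/bin/sh
# Added example (not from the course notes): the two-stage nmap workflow
# from the OneTwoSeven notes, with the open-port list extracted from
# grepable output instead of copied by hand.

# Read grepable (-oG) nmap output on stdin; print open TCP ports as "22,80,60080".
open_ports_from_gnmap() {
    grep '^Host:' | grep 'Ports:' |
        sed -e 's/.*Ports: //' -e 's/[[:space:]]*Ignored State:.*//' |
        tr -d ' ' | tr ',' '\n' |            # one "port/state/proto/..." entry per line
        awk -F/ '$2 == "open" && $3 == "tcp" { print $1 }' |
        sort -n | uniq | paste -s -d ',' -
}

# Constructed grepable output mirroring the ports in the notes (not a real scan).
sample_gnmap() {
    printf '%s\n' '# Nmap scan (constructed sample)'
    printf 'Host: 10.10.10.133 ()\tStatus: Up\n'
    printf 'Host: 10.10.10.133 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 135/filtered/tcp//msrpc///, 60080/open/tcp//unknown///\tIgnored State: closed (65531)\n'
}

# Parse the constructed sample; expected result: 22,80,60080
demo_parse() {
    sample_gnmap | open_ports_from_gnmap
}

# Live workflow: stage 1 sweeps every TCP port and saves grepable output,
# stage 2 runs service/OS detection only on the ports stage 1 found open.
scan_target() {
    target="$1"
    outfile="/tmp/${target}.gnmap"
    nmap -T4 -p- -oG "$outfile" "$target"
    ports="$(open_ports_from_gnmap < "$outfile")"
    if [ -z "$ports" ]; then
        echo "no open TCP ports found on $target" >&2
        return 1
    fi
    echo "open ports: $ports"
    nmap -A -T4 -p "$ports" "$target"
}

# usage: ./scan.sh <ip>
if [ $# -gt 0 ]; then
    scan_target "$1"
fi
```

The parser keeps only `open` TCP entries, so `filtered` and `closed` ports never make it into the `-A` scan; the UDP sweep from the notes is deliberately left separate, since `-sU` results need their own `-p` list.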

### smbclient

```
smbclient -L \\\\10.10.10.4          # list the shares the host advertises
smbclient \\\\10.10.10.4\\IPC$       # connect to the IPC$ share
```

### searchsploit

```
searchsploit apache 1.3
searchsploit apache 1.3.20   # more specific but would hide 1.3.X vulns
```
