Scanning and Enumeration Armoury


I have been reading some of the tutorials on this Forum and there is some great content, although I think I can still add some value to the community. There is an amazing list of tools here: Services & Tools [Wiki], but it is very overwhelming and you see these all over the internet.

Kali, Parrot and BackBox (and yes, any other Pen Test distro*) has some great tools that can be utilised for scanning and enumeration. To ensure you don’t miss that low hanging fruit or potential vulnerability, you really need to make sure you scan using multiple type’s options (on any tool).

At risk of pointing out the obvious, if you are using the following just as an example, nmap vs nmap –sV –O –script vuln you will be provided with completely different results. Even then you will be missing so much due to only scanning the most popular ports and not all 65,535*. Further to this, it won’t cover all of the TCP and the UDP ports you are interested in…

I could spend some time to “almost” copy the content on this forum and just add some scans that I do, but there is little point in that as I automate a lot of my work by using some great open source scripts. I do this to limit the risk of human error and get rid of the typos or the 2am “oh I forgot to run that moment”. Here are my two favourites that I considered “Life changing” (Life changing…too much?).

Disclaimer: I did not create these tools.

  1. Reconnoitre by Codeingo

This tool is based heavily upon the work made public in Mike Czumak’s (T_v3rn1x) OSCP review along with considerable influence and code taken from Re4son’s mix-recon. Virtual host scanning is originally adapted from teknogeek’s work which is heavily influenced by jobertabma’s virtual host discovery script. Further Virtual Host scanning code has been adapted from a project by Tim Kent.

Built into this tool is a great enumeration finding tool where you will be advised (reminded) on what other tools should be run to provide you with more information based off of the original findings.

  • More Nmap if needed
  • Nikto
  • Curl
  • W3m
  • Dirb
  • Dirbuster
  • Gobuster

(It will also assist and advise on password cracking but that is out of scope for this topic)

  1. Dirsearch by Maurosoria

Dirsearch is a simple command line tool designed to brute force directories and files in websites. I find it quicker and more reliable than gobuster and dirb based on the wordlists I use or available to hand.

I have some more great scripts that help with my CTF work, but it would be great to see what other people use and start a small repository of our trusted “best of breed tool sets”.

(P.S if anyone has an active HTB team I am interested in joining)


(Presumptuous Commoner) #2

0x00sec has a HTB team, in fact. It’s open to VIP members, so keep posting, commenting, liking, and being a generally active member, and we’d love to have another body on the team!



That’s amazing news. I’m not one for self promoting, so if I think of anything else of value to contribute I will be sure to share it.


(Presumptuous Commoner) #4

Hey, contributing doesn’t have to mean dropping shiny exploits, awesome war stories, or new tools. It can be offering comments, kudos, advice, constructive criticism, etc. Basically, just be a member of the community. That’s all we’re really looking; active members, not eternal lurkers (no offense to the eternal lurkers out there; we love you, too.)

Oh, and thanks for the post. Bookmarking some new tools now!


(Leader & Offsec Engineer & Forum Daddy) #5

Aaaaamen! :pray:

This is exactly right.