External Enumeration and Recon

I can’t explain how frustrating it is to spend hours on a box just to realize that you missed something small. This was a huge problem for me starting out, but as I got more experience it became a lot easier. I wrote a basic external enumeration and recon guide for people new to HTB. Hope it gives you at least a starting point.


Also, feel free to add your own tips in this thread. I know what I wrote surely wasn’t all encompassing.

All good info, thanks for sharing

@VbScrub My pleasure. Just paying it forward.

@Conda looks pretty awesome to me.

Only things I’d consider:

  1. Run nikto against sites - it's always worth a background scan while you do other things as it may find some oddities and can return directories faster than dirb/gobuster/dirbuster etc.

  2. Check SSL/TLS certs - the details may give clues about usernames or subdomains.

  3. Depending on the level of detail, if a DB server comes up in the NMAP scan, it's worth digging in deeper.
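To illustrate tip 2 above, here is an added example (not part of the original thread or guide) that pulls hostnames, usernames and the issuing CA out of a certificate's subject and SAN fields. It assumes the certificate is already in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; the sample certificate and every name in it are constructed, and `cert_clues` is a hypothetical helper.

```python
# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert();
# every name below is made up for this example.
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Lab"),),
                (("commonName", "portal.lab.example"),),
                (("emailAddress", "jsmith@lab.example"),)),
    "issuer": ((("commonName", "lab-DC01-CA"),),),
    "subjectAltName": (("DNS", "portal.lab.example"),
                       ("DNS", "*.dev.lab.example"),
                       ("DNS", "staging.lab.example"),
                       ("email", "helpdesk@lab.example"),
                       ("IP Address", "10.10.10.5")),
}

def _rdn_values(name, key):
    """Yield every value of `key` from a subject/issuer tuple of RDNs."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                yield v

def cert_clues(cert):
    """Return hostnames, usernames and the issuing CA named in a certificate."""
    hosts, users = set(), set()
    emails = set(_rdn_values(cert.get("subject", ()), "emailAddress"))
    for cn in _rdn_values(cert.get("subject", ()), "commonName"):
        if "." in cn and " " not in cn:   # CN that looks like a hostname
            hosts.add(cn.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            hosts.add(value.lower())
        elif kind == "email":
            emails.add(value)
    for addr in emails:
        local, _, domain = addr.partition("@")
        users.add(local.lower())
        if domain:
            hosts.add(domain.lower())
    # Wildcard entries name a zone rather than a host; report the parent.
    wildcards = {h[2:] for h in hosts if h.startswith("*.")}
    hosts = {h for h in hosts if not h.startswith("*.")} | wildcards
    return {
        "hostnames": sorted(hosts),
        "usernames": sorted(users),
        "issuer_cn": list(_rdn_values(cert.get("issuer", ()), "commonName")),
    }

if __name__ == "__main__":
    for field, values in cert_clues(SAMPLE_CERT).items():
        print(f"{field}: {values}")
```

The same function works as a quick audit of your own certificates, showing which internal hostnames, mailbox names and CA names they disclose to anyone who connects.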

@TazWake Appreciate the feedback. I’ll definitely add those things. Great points!