Pentest Methodology & Recon · intermediate · ~12 min
Enumerate common services for detail, and know which tool fits which job.
Enumeration interrogates each discovered service (HTTP dirs/vhosts, SMB shares, FTP anon, SSH, DNS, SNMP, NFS, databases) for detail. Core tools: Nmap, Netcat, Gobuster/ffuf, WhatWeb, dig, curl (and Masscan, carefully).
Footholds come from enumeration detail, not the bare port list — an open SMB port matters once you enumerate a readable share. Knowing the right tool per service makes this phase efficient; knowing their noise keeps you in scope.
- Enumerate per service: different probes for HTTP/SMB/FTP/SSH/DNS/SNMP/NFS/DB. Brute force is active; directory/vhost discovery is noisy and logged.
- Tool fit: Nmap (scan), ffuf/gobuster (web brute), netcat (manual), dig (DNS), curl (HTTP).
- Masscan caution: extremely fast; only where authorized.
Scanning finds services; enumeration interrogates each one for the detail that leads to a foothold. The mantra is "enumerate, then enumerate again."
| Tool | Job |
|---|---|
| Nmap | Port/service/OS scanning, NSE scripts |
| Masscan | Very fast port sweeps — lab/authorized only; easy to overwhelm networks |
| Netcat | Manual connect, banner grab, quick checks |
| Gobuster / ffuf | Directory, file, and vhost brute forcing |
| WhatWeb / Wappalyzer | Web tech fingerprinting |
| dig / nslookup | DNS queries |
| curl | Crafting raw HTTP requests |
Enumeration brute force (directories, vhosts) is active and noisy — keep it in scope and rate-limited. Masscan especially can saturate a network; use it carefully and only where authorized.
Enumeration turns "port open" into "here's the way in" by interrogating each service in depth, with a tool matched to each. It's active and noisy, so keep it scoped and rate-limited — and treat Masscan with particular care.