# General Enumeration

## SSH Version

If the machine allows SSH, the OpenSSH version in its banner (also shown in nmap `-sV` output) gives you an idea of when the machine was last updated.

Also, if the machine was never updated after installation (common on HackTheBox), you can match the OpenSSH version to a Linux distribution release. Debian and Ubuntu append their package revision to the banner, e.g. `OpenSSH_8.2p1 Ubuntu-4ubuntu0.5` pins the box to Ubuntu 20.04; for other distributions, look up which release was current when that OpenSSH version was. Keep in mind that distributions backport security fixes without changing the upstream version number, so an old-looking version is a lead, not proof that a known vulnerability is present.
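Added example (mine, not from the original page): a bash helper that pulls the SSH identification line from a host, splits out the upstream OpenSSH version and the distribution suffix, and maps the common Debian/Ubuntu suffixes to a release. The host `10.10.10.5` and the banners in the demo are made up, the lookup table only covers the releases listed and is meant to be extended, and `grab_ssh_banner` assumes GNU `timeout` and bash's `/dev/tcp`.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: grab and interpret an SSH banner.

# Read the server's identification line from a live host. The server speaks
# first, so nothing needs to be sent. Runs in a child bash so a refused
# connection cannot take the calling shell down; /dev/tcp is a bash feature,
# so no nc is required. Assumes GNU timeout (coreutils).
grab_ssh_banner() {
  local host="$1" port="${2:-22}"
  timeout 5 bash -c 'exec 3<>"/dev/tcp/$1/$2" && head -n 1 <&3' _ "$host" "$port" | tr -d '\r'
}

# Split "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5" into the upstream version
# (8.2p1) and the distribution suffix (Ubuntu-4ubuntu0.5, "-" when absent).
# Non-OpenSSH banners (e.g. dropbear) yield "unknown -" and a non-zero status.
parse_ssh_banner() {
  local banner="$1" rest version suffix
  case "$banner" in
    SSH-*-OpenSSH_*) ;;
    *) printf 'unknown -\n'; return 1 ;;
  esac
  rest="${banner#*OpenSSH_}"      # 8.2p1 Ubuntu-4ubuntu0.5
  version="${rest%% *}"           # 8.2p1
  suffix="${rest#"$version"}"     # " Ubuntu-4ubuntu0.5" or ""
  suffix="${suffix# }"
  printf '%s %s\n' "$version" "${suffix:--}"
}

# Map version + distro suffix to the release that shipped that package.
# Table is deliberately small (the releases I am sure of); extend it from
# packages.ubuntu.com / packages.debian.org when you meet a new banner.
# Remember the suffix's security revision (e.g. 4ubuntu0.5) is a backport:
# the upstream version number stays the same even after the fix is applied.
guess_release() {
  local version="$1" suffix="$2"
  case "$version $suffix" in
    "7.2p2 Ubuntu-4"*)          echo "Ubuntu 16.04" ;;
    "7.6p1 Ubuntu-4"*)          echo "Ubuntu 18.04" ;;
    "8.2p1 Ubuntu-4"*)          echo "Ubuntu 20.04" ;;
    "8.9p1 Ubuntu-3"*)          echo "Ubuntu 22.04" ;;
    "9.6p1 Ubuntu-3ubuntu13"*)  echo "Ubuntu 24.04" ;;
    "7.4p1 Debian-10"*)         echo "Debian 9 (stretch)" ;;
    "7.9p1 Debian-10"*)         echo "Debian 10 (buster)" ;;
    "8.4p1 Debian-5"*)          echo "Debian 11 (bullseye)" ;;
    "9.2p1 Debian-2"*)          echo "Debian 12 (bookworm)" ;;
    *)                          echo "unknown (look up ${version} ${suffix})" ;;
  esac
}

# Banner string -> "version suffix release".
ssh_banner_info() {
  local parsed version suffix
  parsed=$(parse_ssh_banner "$1") || return 1
  version="${parsed%% *}"
  suffix="${parsed#* }"
  printf '%s %s %s\n' "$version" "$suffix" "$(guess_release "$version" "$suffix")"
}

# Offline demo on a constructed banner (no network needed).
# Live use: ssh_banner_info "$(grab_ssh_banner 10.10.10.5)"
ssh_banner_info 'SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5'
```

The upstream version on its own (e.g. `OpenSSH_9.3` with no suffix) only dates the build; it is the distribution suffix that identifies the release, and its trailing revision tells you roughly how many security updates have been applied.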

## Port Scanning

Port scanning is an important part of enumerating the services that are running on a network machine.

### Nmap

Normal TCP scan (a SYN scan when run as root, otherwise a full connect scan):

```
nmap -sC -sV -p- -vvv hostname_here
```

UDP scan (needs root; a full-port UDP scan is very slow, and most UDP services stay silent to empty probes, so expect a lot of `open|filtered` results):

```
nmap -sU -sC -sV -p- -vvv hostname_here
```
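Added example (mine, not from the original page): the usual two-phase variant of the TCP scan above, as bash. A fast sweep of all ports with no scripts first, then `-sC -sV` only against the ports that came back open, which finishes much sooner than `-sC -sV -p-` in one pass. The parser reads nmap's grepable output (`-oG`, or the `.gnmap` file written by `-oA`); the sample gnmap lines are constructed and `10.10.10.5` is a placeholder target.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: two-phase nmap scan.
# Phase 1 finds open TCP ports quickly; phase 2 runs -sC -sV on those only.

# Print the open TCP ports from nmap grepable output as a comma-separated
# list, e.g. "22,80,443". Reads the file(s) given as arguments, or stdin
# when none are given. Grepable port entries look like "22/open/tcp//ssh///";
# closed and filtered ports are skipped. A multi-host gnmap file gets its
# ports merged across hosts, so use this per target.
open_ports_from_gnmap() {
  grep -oE '[0-9]+/open/tcp' "$@" | cut -d/ -f1 | sort -un | paste -sd, -
}

# Phase 1 + phase 2 against one target. Run as root so nmap uses a SYN scan;
# --min-rate trades stealth for speed, which is fine on a lab box.
# Output files: <prefix>_allports.{nmap,gnmap,xml} and <prefix>_services.*
two_phase_scan() {
  local target="$1" prefix="${2:-scan}" ports
  nmap -p- --min-rate 1000 -Pn -oA "${prefix}_allports" "$target" >/dev/null
  ports=$(open_ports_from_gnmap "${prefix}_allports.gnmap")
  if [ -z "$ports" ]; then
    echo "no open TCP ports found on $target" >&2
    return 1
  fi
  echo "[*] open TCP ports on $target: $ports" >&2
  nmap -sC -sV -p "$ports" -Pn -vvv -oA "${prefix}_services" "$target"
}

# Constructed sample of gnmap output (not a real scan) so the parser can be
# exercised without running nmap.
sample_gnmap() {
  printf 'Host: 10.10.10.5 ()\tStatus: Up\n'
  printf 'Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, '
  printf '135/filtered/tcp//msrpc///, 443/open/tcp//https///\tIgnored State: closed (65531)\n'
}

# Offline demo: parse the sample. Live use: sudo bash -c '. ./scan.sh; two_phase_scan 10.10.10.5'
sample_gnmap | open_ports_from_gnmap
```

Because phase 2 only touches ports that answered, the script scan also generates far less noise than `-p- -sC`, which probes every port with the default scripts' service-specific follow-ups.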

{% embed url="https://hackertarget.com/nmap-cheatsheet-a-quick-reference-guide/" %}

Common flags:

* `-p-` : Scan all 65535 TCP ports (the default is the top 1000)
* `-vvv` : Maximum verbosity; open ports are printed as they are found instead of at the end
* `-sV` : Service and version detection
* `-A` : Aggressive scan: OS detection, version detection, default scripts and traceroute (`-O -sV -sC --traceroute`)
* `-sC` : Run the **default** script set (`--script=default`); note this is not the same as the `safe` category, some default scripts are intrusive
* `-Pn` : Skip host discovery and scan the host even if it doesn't respond to pings
* `-6` : Scan an IPv6 address

Stealth scans:

{% embed url="https://nmap.org/bennieston-tutorial/" %}

Finding nmap scripts (they normally live under `/usr/share/nmap/scripts`; `nmap --script-help <name>` prints a script's documentation):

```
locate '*.nse'   # quote the glob so the shell doesn't expand it in the current directory first
```

## AutoRecon

AutoRecon is a script for automating your network enumeration. It saves a lot of time and makes sure you don't forget to enumerate something you should. It runs nmap and a set of per-service plugins for you, which is why it is run with `sudo` below.

Installation:

```
sudo apt install python3-pip
sudo python3 -m pip install git+https://github.com/Tib3rius/AutoRecon.git
```

Simple usage:

```
sudo autorecon target_hostname
```

I have customized AutoRecon to my needs. I host my custom AutoRecon plugins [here](https://github.com/heinosasshallik/infosec-knowledge/tree/master/scripts/autorecon_plugins). When I run AutoRecon, I separately scan for directories using a huge wordlist, and then scan for files with a smaller wordlist and a few manually selected file extensions:

```
# no trailing whitespace after the backslashes, or the line continuation breaks
sudo $(which autorecon) target_hostname \
  --single-target \
  --output autorecon \
  --dirbuster.tool gobuster \
  --dirbuster.wordlist "/home/x90slide/resources/infosec-knowledge/wordlists/web_content/combined_directories.txt" \
  --dirbuster.ext "" \
  --dirbuster-manual-extensions.wordlist "/home/x90slide/resources/infosec-knowledge/wordlists/web_content/combined_words.txt"

