Finds subdomains of a web server
nmap -sn -Pn --script=hostmap-crtsh <target>combine various sources for subdomain enum
amass enum -src -brute -min-for-recursive 2 -d <target>passive subdomain enumeration tool
subfinder -d <target>
enumerating information
# enumerate username
enum4linux -u <target>
# enumerate all
enum4linux -a <target>Samba is a service to share files with other machines
smbclient -L <ip>
smbclient --list <ip>enumerate shares and OS discovery
nmap -p 139,445 192.168.1.1/24 --script smb-enum-shares.nse smb-os-discovery.nsecheck smb vulnerable
nmap --script=smb-check-vulns.nse <ip> -p 445connect to shares
smbclient -L <ip>\\ShareName -U <username> -p 445nc <ip> 25
VRFY rootcheck SMTP vunerable
nmap -script smtp-commands.nse <ip>cat /etc/exportsenumerating mountable shares
showmount -e <ip>
locate *nfs*.nse
nmap --script nfs-showmount.nse <ip>