Common early failure modes with information gathering:
The big lesson is to be careful and methodical with your time: time-box tasks, both to avoid rabbit holes and to make sure you spend enough time on information gathering.
Another suggestion: Create (and update) a network map by hand to keep track of where you are in the information gathering & attack process.
filecap: Check the privileges attached to a file in Linux.
--open flag to report back only machines with open ports (use in conjunction with
uniq in Linux is like sort -u, except that it doesn’t sort: it only removes duplicates that are adjacent, so unsorted input still contains repeats.
When performing enumeration with nmap, it’s best to apply vulnerability scanning scripts incrementally. For example, if SMB user enumeration fails, most of the other SMB vulnerability scanning scripts will fail as well. Proceeding incrementally may take longer on wide-open hosts, but it saves time in (more) realistic scenarios where some hardening has been applied.
--script-help flag to pull a given script’s documentation header.
-iL flag to pull a list of IPs to scan from a file.
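The uniq vs. sort -u point and the -iL flag meet when host lists from several discovery passes are consolidated into one target file. The example below is added here and is not from the original notes; the host list is a constructed sample, and it shows why bare uniq leaves repeats while sort -u does not, plus a per-octet numeric sort so the file is in address order.

```shell
#!/bin/sh
# Constructed sample: host lists from three discovery passes, concatenated.
# The duplicates are NOT adjacent, which is exactly where bare uniq falls short.
HOSTS='10.0.0.5
10.0.0.12
10.0.0.5
10.0.0.7
10.0.0.12
10.0.0.100
10.0.0.7'

# uniq only collapses runs of identical adjacent lines; on unsorted input
# every repeat survives (7 lines in, 7 lines out).
uniq_only() {
    printf '%s\n' "$HOSTS" | uniq
}

# sort -u deduplicates, but sorts as strings: 10.0.0.100 lands before 10.0.0.12.
sort_u() {
    printf '%s\n' "$HOSTS" | sort -u
}

# Numeric sort on each dotted octet, then uniq: deduplicated AND in address
# order. This is the list to hand to nmap -iL.
sorted_hosts() {
    printf '%s\n' "$HOSTS" | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n | uniq
}

# Write the cleaned list to the file named by $1 (hypothetical path chosen by caller).
write_targets() {
    sorted_hosts > "$1"
}
```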