Nmap shows 22, 80, 445 open. You have 30 minutes. What is the best prioritization?
Start with quick enumeration of web (80) and SMB (445) in parallel, keeping notes as you go; leave SSH (22) for post-foothold use once credentials are found.
Nmap shows 80 open but browser redirects to a hostname you can’t resolve. Next step?
Add the hostname to /etc/hosts pointing to the target IP and retry.
Nmap shows 445 open but SMB share listing fails anonymously. What do you do?
Enumerate for null-session info, check SMB signing/auth requirements, and pivot to credential discovery elsewhere.
Web server responds 403 on /. You suspect hidden content. Best next step?
Run content discovery with appropriate extensions and check robots.txt, sitemap, and vhosts.
HTTP returns 200 but app is blank until a cookie is set. Next step?
Inspect headers/cookies with proxy, follow auth/session flow, then enumerate authenticated paths if possible.
Service banners conflict (Apache vs nginx). What’s best?
Trust behavior: verify with HTTP responses, headers, and TLS/certs; document uncertainty.
You get "filtered" for all ports on one host. Other hosts scan fine. What do you check?
Host-specific firewall rules or rate limiting; try slower scan and verify target reachability.
Directory brute forcing returns many 301 redirects. How do you avoid missing real content?
Follow redirects and normalize trailing slashes; make sure the tool handles 301/302 responses correctly rather than discarding them.
You suspect an API exists but no docs. Best enum approach?
Look for /api paths, JS files, OpenAPI/Swagger endpoints, and intercept app calls via proxy.
SNMP is open (161/udp). What’s a safe next step?
Try read-only community strings (authorized) and enumerate system/network info via SNMP queries.
SMTP is open (25). What’s a useful enumeration goal?
Identify server type and whether user enumeration/relay is possible (within rules).
You find a subdomain that resolves to the same IP but different app. What should you do?
Treat it as separate vhost: enumerate its unique paths/auth and document.
Your scans trigger WAF/IDS blocks on web. What’s next?
Reduce rate, adjust user-agent/concurrency, and focus on manual low-noise enumeration.