- #writeup
- #ejpt
- #security
- #enumeration
- #lab
eJPT prep, my enumeration checklist
A practical first pass for any box: what I check before I touch a single exploit. Notes from eJPT prep.

When I first started doing practice boxes, I wanted to jump straight to the fun part: the exploit. That was a mistake. Every box I rushed, I got stuck, because I had skipped the boring part where all the actual answers live. So I built myself a checklist, and now I run it in the same order every single time before I touch a single exploit. This is that checklist, written out exactly as I follow it while studying for the eJPT.
I am not certified yet. I am still working through the material. So read this as study notes from someone learning the methodology, not as advice from an examiner. If I get the order wrong somewhere, that is me learning in public.
The one rule: enumerate first, exploit last
The thing that took me too long to accept is that enumeration is most of the work. On the boxes I have done, finding the way in is usually 80 percent careful looking and 20 percent actually running the exploit. If you do the looking properly, the exploit is often obvious by the time you get there. If you skip it, you end up guessing, and guessing wastes hours.
So the goal of the first pass is not to break in. The goal is to build a complete picture of what is running and where. Nothing else.
Step 1: full port scan
I never trust a default scan. Nmap only scans the top 1000 ports by default, and the service I need is sometimes sitting on a weird high port. So my first move is a full TCP sweep across all 65535 ports.
nmap -p- --min-rate 1000 -T4 10.10.10.10 -oN ports.txt
-p- scans every port. --min-rate 1000 keeps it from crawling. -oN writes the output to a file, which matters for note-taking later. I let this run and read the results before doing anything else.
Step 2: service and version detection on what is open
Once I know which ports are actually open, I run a focused scan only on those ports to find out what is listening and what version it is.
nmap -sC -sV -p 22,80,139,445 10.10.10.10 -oN services.txt
-sV does version detection. -sC runs the default script set, which often hands you small details for free, like an FTP banner or an SMB OS guess. I only feed it the ports I found open in step 1, so it finishes fast. Version numbers go straight into my notes, because a specific version is the fastest path to a known issue.
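A small bit of glue between the two scans, added here as an example and not part of the original notes: it pulls the open ports out of the step 1 file so they can go straight into -p for step 2, then pulls port, service and version out of the step 2 file as lines for the per-box notes file. The nmap output embedded in it is constructed sample text, not a real scan.

```shell
#!/bin/sh
# Added example, not from the original notes. open_ports turns the step 1
# "-oN ports.txt" file into the comma list that -p needs; service_notes turns
# the step 2 "-sC -sV" file into one tab-separated line per open port.

open_ports() {
  # Keep only rows whose STATE is exactly "open" (so "filtered" and "closed"
  # rows are skipped), take the number before the slash, join with commas.
  grep -E '^[0-9]+/tcp[[:space:]]+open[[:space:]]' | cut -d/ -f1 \
    | tr '\n' ',' | sed 's/,$//'
}

service_notes() {
  # Same row match; field 3 is SERVICE, fields 4.. are the VERSION banner.
  # Script-output lines start with "|" and never match, so they are dropped.
  awk '/^[0-9]+\/tcp[ \t]+open[ \t]/ {
         port = $1; sub(/\/tcp$/, "", port)
         version = ""
         for (i = 4; i <= NF; i++) version = (i == 4) ? $i : version " " $i
         printf "%s\t%s\t%s\n", port, $3, version
       }'
}

# Constructed sample of what the step 1 sweep writes (not a real scan).
SAMPLE_PORTS_TXT=$(cat <<'EOF'
Nmap scan report for 10.10.10.10
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
139/tcp   open     netbios-ssn
445/tcp   open     microsoft-ds
8080/tcp  filtered http-proxy
EOF
)

# Constructed sample of the step 2 output for the same host (fake banners).
SAMPLE_SERVICES_TXT=$(cat <<'EOF'
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         ExampleSSH 9.9 (protocol 2.0)
80/tcp  open  http        ExampleHTTPd 2.4.x ((Sample))
|_http-title: Welcome
445/tcp open  netbios-ssn Samba smbd 4.x (workgroup: WORKGROUP)
EOF
)

TARGET=10.10.10.10
PORTS=$(printf '%s\n' "$SAMPLE_PORTS_TXT" | open_ports)
echo "nmap -sC -sV -p $PORTS $TARGET -oN services.txt"   # the step 2 command
printf '%s\n' "$SAMPLE_SERVICES_TXT" | service_notes     # lines for the notes file
```

On a real box, feed the functions the actual files instead of the samples: open_ports < ports.txt to build the step 2 command, and service_notes < services.txt >> notes.txt to append to the notes.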
Step 3: enumerate each service, one at a time
Now I go service by service. This is the real work. I do not move to the next port until I have squeezed the current one.
Web (80, 443, 8080, and friends)
Web is where I find the most, so I slow down here. First I just open it in a browser and read it like a normal person. Then I look closer:
- View the page source and look for comments, hidden fields, and references to paths.
- Check the response headers for the server, framework, and any version leaks.
- Look for a robots.txt, which sometimes lists directories the owner did not want indexed.
curl -I http://10.10.10.10
Then I brute force for directories and files that are not linked anywhere:
gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirb/common.txt -x php,txt,html
-w is the wordlist, -x adds file extensions to try on each word. ffuf and feroxbuster do the same job if you prefer them. If the box runs a known app, I check its version against what I scanned in step 2.
SMB (139, 445)
When I see 139 or 445, I go for shares and box details. enum4linux pulls a lot at once: shares, users, and OS info.
enum4linux -a 10.10.10.10
Then I try to list and connect to shares directly with a null session first, since open shares show up surprisingly often on practice boxes:
smbclient -L //10.10.10.10/ -N
smbclient //10.10.10.10/share -N
-L lists shares, -N tries with no password. If a share is readable, I look through it for config files, credentials, or anything that names a user.
FTP (21)
For FTP, the first thing I check is whether anonymous login is allowed, because it is a common and easy miss.
ftp 10.10.10.10
At the login prompt I try anonymous as the username and a blank or any password. If it lets me in, I list everything and pull down anything that looks useful. Even when the files are not exploitable, they sometimes carry a username or a hint that helps elsewhere.
Step 4: note-taking discipline
This is the part I almost left out, and it is the part that actually changed my results. I keep one file per box, open the whole time, and I write down every open port, every version, every directory I find, and every credential or username I come across. When I find something interesting but cannot use it yet, I write it down anyway and move on.
The reason is simple: a username from an FTP share might be the way into SMB, and a version from a web header might be the thing I needed two steps later. If it is not written down, I lose it, and then I am re-scanning ports I already scanned an hour ago.
Wrapping up
That is the whole first pass: full port scan, version detection, then patient per-service enumeration, all of it written down. None of it is exploitation, and that is the point. By the time I have done this honestly, the way in is usually staring back at me from my own notes.
I am still studying, so this checklist keeps changing as I learn what I missed. I have been collecting the cleaned-up versions of these notes, with the exact commands and flags, in my eJPT Field Notes if you want them in one place: aldowebsitellc.xyz/shop/ejpt-field-notes.