# Assessment Methodologies

## Locate endpoints on a network

## Identify vulnerabilities in services

- Scan services and versions with nmap.
- `searchsploit` (search for exploits and vulnerabilities)
- [National Vulnerability Database](https://nvd.nist.gov/)
- nmap scripts: `locate /usr/share/nmap/scripts | grep service`
- Metasploit: `db_autopwn` (run `db_nmap` first), or the `analyze` command followed by `vulns`

## Identify the OS of a target

- `nmap -O IPobj`
- `rpcclient -U "" -N IPobj`, then `srvinfo`
- `smb-os-discovery` (nmap script)
- `enum4linux -O IPobj`
- `enum4linux -S IPobj`
- `nc IPobj 22` (the SSH banner tells you the OS)

## Identify open ports and services on a target

- `nmap -sS -p- -n -Pn --open IPobj`
- `nmap -sV -p 21,22,... -n -Pn --open IPobj`
- Metasploit (`search portscan`, or `db_nmap`)
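An added example (not part of the cheat sheet) that chains the two nmap steps above: the grepable output of the full SYN scan is parsed for open ports, and only those ports are handed to the version scan. It assumes nmap is installed; the host in the usage comment and the nmap output in the comments are constructed placeholders.

```shell
#!/usr/bin/env bash
# Two-phase port and service discovery, following the cheat sheet:
#   1) nmap -sS -p- -n -Pn --open   -> which TCP ports answer
#   2) nmap -sV -p <those ports>    -> what runs on them
# Grepable output (-oG) from phase 1 is parsed so phase 2 probes only what was found.
set -eu

# Turn nmap grepable (-oG) output into a comma-separated list of open ports.
# A grepable line looks like (constructed sample):
#   Host: 10.0.0.5 ()<TAB>Ports: 22/open/tcp//ssh///, 80/open/tcp//http///<TAB>Ignored State: ...
# Fields are tab-separated; each port entry is port/state/proto/owner/service/rpc/version/.
extract_open_ports() {
    awk -F'\t' '/^Host:.*Ports:/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) {
            sub(/^Ports: /, "", $i)
            n = split($i, entries, /, */)
            for (j = 1; j <= n; j++) {
                split(entries[j], f, "/")
                if (f[2] == "open") print f[1]   # keep open ports, drop filtered/closed
            }
        }
    }' | sort -un | paste -sd, -
}

# Phase 1: SYN scan every TCP port, no DNS (-n), no host discovery (-Pn), open ports only.
discover_open_ports() {
    local target=$1
    nmap -sS -p- -n -Pn --open -oG - "$target" | extract_open_ports
}

# Phase 2: version detection restricted to the ports discovered in phase 1.
enumerate_services() {
    local target=$1 ports=$2
    [ -n "$ports" ] || { echo "no open TCP ports found on $target" >&2; return 1; }
    nmap -sV -n -Pn --open -p "$ports" "$target"
}

two_phase_scan() {
    local target=$1 ports
    ports=$(discover_open_ports "$target")
    enumerate_services "$target" "$ports"
}

# Usage (placeholder host): two_phase_scan 10.0.0.5
```

The SYN scan needs raw-socket privileges, so run the script as root or with the capabilities nmap requires.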

## Extract information from open-source platforms

On the web page itself:

- `robots.txt` (hidden directories of the web server)
- Source code (things may be hidden in it)
- `sitemap.xml` / `sitemaps.xml` (lists the site's pages to make them easier to index)

Other sources:

- `whois xwebpage` (information about the website: when it was registered, who owns it, which hosting company it was registered through; CIDR = network range; OrgName = name of the organization)
- Netcraft.com > Services > Internet Data Mining > Internet Research Tools (combines whois, whether SSL/TLS is in use, the web technologies of the site, the name servers)
- `dnsrecon -d xpage.com` (identifies the records of a domain; NS = name server addresses; MX = mail server address, the "postman"; A = IPv4 address; AAAA = IPv6 address; TXT = text record)
- dnsdumpster.com
- `sublist3r -d xpage.com` (search for subdomains using OSINT)


## Compile technical information from open sources

There may be information on the web page itself.

- `whatweb -a 1 xpage.com` (enumerate technologies with a stealthy scan; aggression level 1)
- `wafw00f xpage.com` (the `-a` parameter can be added to test for all WAFs instead of stopping at the first match)

## Collect email addresses from public sources

There may be information on the web page itself.

- `theHarvester -d xpage.com -b google,linkedin,yahoo,dnsdumpster,duckduckgo,crtsh` (searches for emails via OSINT). Found addresses can be looked up in leaked-password databases such as the ones below, because users sometimes reuse passwords.
- [HaveIBeenPwned](https://haveibeenpwned.com/)
- [BreachDirectory](https://breachdirectory.org/) (the best)

## Evaluate information and the criticality or impact of vulnerabilities

- [National Vulnerability Database](https://nvd.nist.gov/)
- [MITRE CVE list search](https://cve.mitre.org/cve/search_cve_list.html)
- Nessus or OpenVAS
- exploit-db or `searchsploit`
- Search Google for "service version CVE"
- SCAP scan and STIG Viewer (scan the machine and evaluate the vulnerabilities it has)

