NMAP Scans

Our first port of call after information gathering is to begin some scans and enumeration to figure out what's what on our target(s). One of the fundamental ways we can do this is to use Nmap, a very well known tool used for network mapping.

There is plenty of documentation both on the internet, and built into the tool on the CLI which will explain how to use it effectively, so this won't be an in-depth guide, but more of a "useful commands and things to remember".

The Basics

One of the main scans I like to use is as follows:
sudo nmap -sS -sC -sV -O -Pn -p- $target -vv

This scan says: scan every port on the target with a TCP SYN ("stealth") scan, scan for known vulnerabilities, scan for services and run the default scripts against them for results, fingerprint the operating system, treat the host as though it's online and responding even if it doesn't answer a ping, and give me a verbose readout (show me the progress on the terminal as the scan goes).

Something that can be useful to remember is that it's worth adjusting the speed and complexity of the scan if there are no results. Try scanning slower, using only one or two options, scanning only top/common ports. It seems to be a bit of an art to get it quite right for the host you are attempting to scan.
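As an added example of the adjust-and-retry advice above (not from the original post): a small POSIX shell wrapper that runs a fast full-port SYN sweep first, parses the grepable output, and only then runs the slower -sC -sV -O pass against the ports that actually answered. The function names and the sample report line are constructed for illustration; nmap and sudo are assumed to be present on the host.

```shell
#!/usr/bin/env sh
# Two-stage Nmap enumeration: cheap full-port sweep first, expensive
# script/version/OS detection only on the ports that came back open.
# Assumes nmap is on PATH and sudo is available (needed for -sS and -O).

# Extract open TCP ports from an Nmap grepable (-oG) report read on stdin,
# as a comma-separated list suitable for nmap's -p option.
open_ports_from_grepable() {
    sed -n 's/^Host:.*Ports: //p' |          # keep only the port list
        tr ',' '\n' |                        # one port entry per line
        sed -n 's#^ *\([0-9][0-9]*\)/open/tcp.*#\1#p' |
        paste -sd, -                         # join back with commas
}

# Stage one: every port, SYN scan, no scripts, no host discovery, fast
# timing. If this returns nothing, drop to -T2 or --top-ports 1000.
stage1_cmd() {  # $1 = target, $2 = grepable output file
    printf 'sudo nmap -sS -Pn -p- -T4 -oG %s %s\n' "$2" "$1"
}

# Stage two: the scan from the post, limited to the discovered ports so
# the slow part (scripts, version probes, OS fingerprint) runs only there.
stage2_cmd() {  # $1 = target, $2 = comma-separated port list
    printf 'sudo nmap -sS -sC -sV -O -Pn -p %s -vv %s\n' "$2" "$1"
}

# Run both stages against one target.
scan() {
    target="$1"
    report="nmap-${target}.gnmap"
    eval "$(stage1_cmd "$target" "$report")"
    ports="$(open_ports_from_grepable < "$report")"
    if [ -z "$ports" ]; then
        echo "no open TCP ports found; retry slower or with fewer options" >&2
        return 1
    fi
    eval "$(stage2_cmd "$target" "$ports")"
}

# Constructed sample -oG line (a real report contains a tab before "Ports:"
# and before "Ignored State:"), used to demonstrate the parser offline.
demo_ports() {
    printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (65532)\n' |
        open_ports_from_grepable
}
```

Calling `scan 10.0.0.5` performs the real two-stage run; `demo_ports` only exercises the parser and needs no nmap.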

Nessus Scans

Nessus is a remote vulnerability scanning tool, widely regarded as one of the most utilised tools across the professional cybersecurity industry.

It can indicate, among other things, vulnerabilities which may be leveraged for DoS (Denial of Service), sensitive information exposure, default credential setups, misconfigurations, remote shells and remote code execution.

This nowhere near covers what the tool is capable of, but from initial experimentation it seems to be an easy enough resource to learn to use, at least at a surface level.

To learn more, go to tenable.com.

Useful Links and Documents

As stated above, this is by no means an exhaustive guide to enumeration. Many sites, the manuals, and cheatsheets exist to cover all of that, and can do a much better job. See below for links to some of these. Put them to use and build up experience with Nmap, Nessus and other tools as you go.

https://stationx.net/nmap-cheat-sheet - As it suggests, a cheatsheet for commands.

https://linux.die.net - The official NMAP manual pages.

https://www.liquidweb.com/kb/using-nmap-pro-tips-and-tricks/ - Some useful advice and hints in using NMAP successfully.

https://tenable.com - The home of Nessus and more on the CyberSecurity space.