Enumeration is not really a step or phase. We continue to enumerate throughout every step of testing an application. Even during exploitation, especially when our exploits fail, we continue to enumerate. So with that, one could argue that this is the most critical skill to develop.
At the start of our engagement, we need to orient ourselves and carry out enough enumeration so that we understand the target enough to:
Uncover the full attack surface
Begin our attacks
Overcome weak defenses
Ensure we don’t miss things
The below checklist is a good starting point if you want to carry out thorough enumeration but not entirely sure where to begin. Work through them, take good notes, and you’ll be setting yourself up to work efficiently and for success.
What functionality exists? Consider its intended use, user roles, access controls, etc.
What entry points exist? E.g. URLs, user inputs, etc.
Can we map the application? I.e. Understand the directory and file structure.
What is running server-side?
Other things we may consider:
How are sessions handled?
Is it worth looking more closely at the data flow? This is useful in larger and more complex applications.