You'll cycle back here to move laterally in the subnet.
Host scan for targets; crawl website to find domains and subdomains; brute force subdomain lookup and vhost; inspect SSL certificate for subdomain; retrieve WHOIS information for a domain.
Don't forget that subdomain also have subdomains!
Take notes of patterns in names or IPs.
Port scan first; service scan found ports; banner grab the port without fingerprint match.
Don't forget only connect-scan work over tunnels!
Take notes of patterns and versions of ports and services. Sysadmin tend to reuse same software and configuration.
Encountered LDAP or Active Directory, launch enum4linux you might find users and objects.
Take notes of domains, users, groups, policies.
Navigate website for employees, authors, contact data, interesting notes; CeWL to generate word list specific to a website.
Capture Ping, HTTP request, SMB connect, FTP connect, Responder, or any other port with Bash, NC or Powershell.
Show firewall status and it's rules; create new rule for your reverse/bind shell.
Don't forget sysadmin are lasy-ass and usually configures firewall port both-direction for running services. Meaning that if port 3306 is open inbound, it probably open for outbound connection too.
Take notes of connectivity and firewall rules.
Where are you?, Who are you? What are your permissions? What can you access? What can you manipulate?
...whoami, id, passwd, sudoers, groups, sudo -l, SUID, GUID
Take notes of your privilege and retrieve your password if you can.
Who's there with you, what are the level of security
Take notes of other users, their permissions and their password if you can retrieve them.
What's running on the system that you could abuse
OS stuff, pspy, docker, lxc, hyper-v
Got you hand on some credential? Try to connect to all the services
...SSH, rdesktop, xfreerdp, evil-winrm, impacket-smbexec, chisel, NC, Invoke-PowerShellTcp, Web shell, impacket-smbserver