Posted in Security



Enumeration Is More Likely A Internal Process Than External. In This Process The Attacker Establishes An Active Connection With The Victim And Tries To Discover As Much Attack Vectors As Possible, Which Can Be Used To Exploit The Systems Further.

Many Of The Protocols Do Not Encrypt Data While Traveling Across The Network So We Can Sniff In A Network In Order To Gather More Data.

Enumeration Is Used To Gather Following Data :

   • Running Services
• Service Version
• Hostnames
• IP Adresses
• Operating System
• Network Resources
• SNMP Data
• IP Tables
• Passwords Policies
• Users and Groups
• Networks and shared paths
• Route Tables
• Applications and Banners
• Points Of Entry

Enumeration Depends On The Services That The Systems Offer, Following Services Is Used To Enumerate System.

NTP Enumeration 

Network Time Protocol Is A Protocol Designed To Synchronize Clocks Of Networked Computers. Now Obviously These Computers Talking To Each Other To Synchronize Their Time, Which Opens Them Up For Enumeration. NTP Uses UDP Port 123.

Hosts & IP Adresses
Sys Name & OS

nmap -sU -p 123 –script=ntp-info <target>

Monlist Is A Remote Command In Older Version Of NTP That Sends The Requester A List Of The Last 600 Hosts Who Have Connected To That Server. For Attackers The Monlist Query Is A Great Reconnaissance Tool. For A Localized NTP Server It Can Help To Build A Network Profile.

nmap -sU -p 123 -Pn -n –script=ntp-monlist <target>

SNMP Enumeration 

The Simple Network Management Protocol Is Used To Manage And Monitor Hardware Devices Connected To A Network. If Passwords Are Not Changed They Can Be Used By An Attacker To Enumerate SNMP As SNMP Manager.

User Accounts And Devices

nmap -sU -p 137 –script snmp-brute <target>

SMB Enumeration 

The Server Message Block Protocol Is a Network File Sharing Protocol That Allows Applications on a Computer to Read and Write to Files and to Request Services From Server Programs in a Computer Network. The SMB Protocol Can Be Used on Top of Its TCP/IP Protocol or Other Network Protocols. Using the SMB Protocol, User Can Access Files or Other Resources at a Remote Server. This Allows Applications to Read, Create, and Update Files on the Remote Server. It Can Also Communicate With Any Server Program That Is Set Up to Receive an SMB Client Request.

nmap -p 445 –script smb-os-discovery
nmap -sV -p 445 –script smb-brute

Active Directory Enumeration 

Enumerating Windows Active Directory Via LDAP (Lightweight Directory Access Protocol), TCP/UDP 389 And 3268. Active Directory Contains User Accounts And Additional Information About Accounts On Windows PC’s.


BGP Enumeration 

BGP Is designed to exchange routing and reachability information among autonomous systems (AS) on the Internet.
BGP Is Used By Routers To Help Them Guide Packets To Their Destinations. It makes routing decisions based on paths, network policies, or rule-sets configured by a network administrator and is involved in making core routing decisions. It Can Be Used To Find All The Networks Associated With A Particular Corporation.

nmap –script asn-query –script-args dns= <target>


SMTP Enumeration 

SMTP Is A Protocol Which Is Used To Deliver Emails Across The Internet, SMTP Protocol Moves Your Email Using DNS MX Records To Identify Server That It Needs To Forward Or Store An Email, It Also Works Very Closely With MTA (Mail Transfer Agents) To Make Sure It Sends An Email To Right Computer As Well As Right Email Inbox.

Once The Email Gets Inside Of Our Network It Typically Uses Protocol (POP, IMAP) To Deliver The Email Internally, But Externally On The Internet It Uses SMTP.
By Simply Sending An Email Message To A Non-Existent Address At A Target Domain Often Reveals Useful Internal Network Information Through A Non-Delivery Notification (NDN).

Default Ports: 

SMTP Server (Outgoing Messages) 
Non-Encrypted – AUTH – Port: 25 (or 587)
Secure (TLS) – StartTLS – Port: 587
Secure (SSL) – SSL – Port: 465
POP3 Server (Incoming Messages) 
Non-Encrypted – AUTH – Port: 110
Secure (SSL) – SSL – Port: 995
VRFY  Verify, If A User Exists
EXPN  Expand, Show All Recipients Of An address
RCPT TO  Sets The Destination Address Of The Email

FINGER Enumeration 

Finger Is A Utility In Linux Operating System, By Using It You Can Check The Information Of Any User From Remote Or Local Command Line Interface.

TFTP Enumeration 

Trivial File Transport Protocol Uses Udp Which Is Not Secure. It Pros And Sys Admins Typically Use TFTP For Transfer Files Remotely , Remotetly Boot System And Backup Conf, Files. By Sniffing On A TFTP Traffic We Can All Of This.

RPC Enumeration 

Remote Procedure Call (RPC) Is A Protocol That One Program Can Use To Request A Service From A Program Located In Another Computer On A Network Without Having To Understand The Network’s Details. By Querying An MSRPC Endpoint We Can Get List Of Services That Is Running On The Target System.

NetBIOS Enumeration 

NetBIOS (Network Basic Input/Output System) Is A Program That Allows Applications On Different Computers To Communicate Within A Local Area Network (LAN). NetBIOS Software Runs On Port 139 On Windows Operating System. File And Printer Service Needs To Be Enabled To Enumerate NetBIOS.
SSH Enumeration 

Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network.


nmap –script ssh2-enum-algos target

OS Fingerprinting 

The Process Of Determining The Operating System Used By A Host On A Network. By Analysing Packets From A Host On A Network By Following :
 IP TTL values
 IP ID values
 TCP Window size
 TCP Options SYN and SYN+ACK
 DHCP Requests
 ICMP Requests
 HTTP Packets (User-Agent field).
 Running Services
 Open Port Patterns.
Banner Grabbing
Banner Grabbing Provides Important Information About What  Type And Version Of Software Is Running. Telnet Is An Easy Way To Do This Banner Grabbong For FTP, SMTP, HTTP, And Others.
Telnet <Target>

Some Extra Enumration  Scripts : 

HOSTMAP : nmap -p 80 –script hostmap-bfk.nse
TRACEROUTE : nmap –traceroute –script traceroute-                            geolocation.nse -p 80

FTP : nmap –script ftp-brute -p 21

      ftp <ftp server ip/>
SSH  : nmap –script ssh2-enum-algos <target>

HTTP : nmap -sV –script=http-userdir-enum <target>
nmap –script http-enum
nmap –script -http-enum –script-args http-                      enum.basepath=’pub/’
nmap –script http-title -sV -p 80

TELNET : nmap -p 23 <ip> –script telnet-encryption

TFTP : nmap -sU -p 69 –script tftp-enum.nse –script-args
tftp-enum.filelist=customlist.txt <host>

RPN : nmap –script=msrpc-enum <target>
Enumeration Countermeasures
  • Disable Directory Indexing That Don’T Contain Index.Html Or (Default.Asp).
  • Use Robots.txt To  Prevent Indexing On Search Engine.
  • Use A Centralized Network Admin Contact Detail  In WHOIS Databases  To Prevent Social Engineering Attacks.
  • Disallow DNS Zone Transfers To Untrusted Hosts
  • Remove Nonpublic IP Address And Hostname Details In DNS Zone Files
  • PTR Records Should Only Be Used If Absolutely Needed (For SMTP Mail Servers And Other CriticaL Systems That Need To Resolve Both Ways).
  • Ensure That Unnecessary Records (E.G. HINFO) Don’T Appear In DNS Zone Files.
  • Configure SMTP Servers To Not Send Non-Delivery Notifications To Prevent Attackers From Enumerating The Internal Mail Servers And Configuration.
  • Consider And Review Your IPV6 Networks And DNS Configuration (If Any).
Tools :

Linux :

Windows :




NetBIOS Enumerator


Sid2Username (User2SID, SID2User)

JXplorer (Open source LDAP Browser)

MIB Browser (SNMP Managment Information Base)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s