Enumeration | ethical hacking enumeration techniques
Enumeration
Enumeration is defined as the process of extracting user names, machine names, network resources, shares and services from a system.
In this phase, the attacker creates an active connection to the system and performs directed queries to realize more information about the target.
The gathered information is employed to spot the vulnerabilities or weak points in system security and tries to take advantage of within the System gaining phase.
In this phase, the attacker creates an active connection to the system and performs directed queries to realize more information about the target.
The gathered information is employed to spot the vulnerabilities or weak points in system security and tries to take advantage of within the System gaining phase.
Types of information enumerated by an attacker:
- Network Resource and shares
- Users and Groups
- Routing tables
- Auditing and Service settings
- Machine names
- Applications and banners
- SNMP and DNS details
Services and Ports to Enumerate:
DNS Zone Transfer: TCP 53:
It depends on TCP 53 port rather than of UDP 53.DNS Zone transfer always uses a TCP protocol to communicate with a DNS server. TCP protocol helps make a consistent DNS database with the DNS server.
NetBIOS Name Service TCP 137: (NBNS):
NBNS, also referred to as WINS (Windows Internet Name Service), maintains a database of the NetBIOS names for hosts and therefore the IP addresses host is using in correspondence.
Simple Network Management Protocol (SNMP): UDP 161:
SNMP protocol used in many applications and devices, use for logging and maintaining information in Remote application and also used in routers and switches to maintain communications.
Lightweight Directory Access Protocol (LDAP): TCP/UDP 389:
It is used to enumerate contact information about the server.
it can be used with Microsoft active directory and some other email programs.
Simple Mail Transfer Protocol (SMTP): TCP 25:
SMTP allows email to maneuver across the web and across the local internet.TCP provides connection-oriented services to make communication of SMTP.
It depends on TCP 53 port rather than of UDP 53.DNS Zone transfer always uses a TCP protocol to communicate with a DNS server. TCP protocol helps make a consistent DNS database with the DNS server.
NetBIOS Name Service TCP 137: (NBNS):
NBNS, also referred to as WINS (Windows Internet Name Service), maintains a database of the NetBIOS names for hosts and therefore the IP addresses host is using in correspondence.
Simple Network Management Protocol (SNMP): UDP 161:
SNMP protocol used in many applications and devices, use for logging and maintaining information in Remote application and also used in routers and switches to maintain communications.
Lightweight Directory Access Protocol (LDAP): TCP/UDP 389:
It is used to enumerate contact information about the server.
it can be used with Microsoft active directory and some other email programs.
Simple Mail Transfer Protocol (SMTP): TCP 25:
SMTP allows email to maneuver across the web and across the local internet.TCP provides connection-oriented services to make communication of SMTP.
We will see each of these ports running the service and how to get information out of it and find any vulnerability and exploits..
1)DNS Enumeration-
In the process of DNS Enumeration, we can find Very useful data such as usernames, computer names and IP addresses as you can see it in practice using DNSenum.
DNS records are stored in a zone file are have resource records (database) in them.
DNS Zone transfer is the process used to get all of the store's data.
DNS zone transfer sends a request to the DNS server to transferring DNS data if the DNS server allows it all the data will send by it, this data is in a readable format.
There are lots of tools for DNS enumeration but today I will show you my personal fav.
DNS records are stored in a zone file are have resource records (database) in them.
DNS Zone transfer is the process used to get all of the store's data.
DNS zone transfer sends a request to the DNS server to transferring DNS data if the DNS server allows it all the data will send by it, this data is in a readable format.
There are lots of tools for DNS enumeration but today I will show you my personal fav.
•dnsenum
![]() |
DNS subdomain brute-forcing |
![]() |
DNS enumeration using dnsenum |
- dnsrecon
![]() |
dnsrecon |
Countermeasures:
- using premium registration services can minimize the risk.
Zone transfer requests from untrusted hosts must be disabled. - In publicly assessed DNS server does not reference IP addresses in reference files.
NetBIOS Enumeration
NetBIOS represents Network Basic Input and Output System used widely. It Allows PC correspondence over the LAN and enables them to share printers and files.
It must be interesting on a system, constrained to 16 chars where 15 chars are utilized for the gadget name and the sixteenth character is held for recognizing the sort of administration running or name record type. NetBIOS names are used to identify network devices over TCP/IP connection on windows
Aggressors utilize the NetBIOS list to acquire:
- Rundown of PCs that have a place with a domain
- Rundown of offers on the individual has on the system
- Strategies and passwords
Tools to NetBIOS Enumeration- nbtscan, nbtstat and all in one Nmap..
Here in image Nmap nbtstat NSE script is used to enumerate NetBIOS..
![]() |
Nmap NetBIOS script |
prevention measure for scanning of shared NetBIOS resources
there is a very easy solution for preventing scanning of NETBIOS credentials and resources is to keep it shut down.shutting it down might cause some problems but it is worth it from losing credentials to an attacker.
if it's really necessary to use then do not use default names in NETBIOS ( Any application using default names and password is 100% chances of getting hacked)
- SNMP Enumeration
SNMP is quite a common protocol used in many operating systems like Linux, Ubuntu and Microsoft servers. it is enabled in them as well as network devices such as switches and routers.
SNMP use UDP protocol connect and manage with switches routers and hubs on the IP network.
By using SNMP Enumeration number credentials cam be extracted like users, passwords, devices on the system, system names and groups, etc.
SNMP use UDP protocol connect and manage with switches routers and hubs on the IP network.
By using SNMP Enumeration number credentials cam be extracted like users, passwords, devices on the system, system names and groups, etc.
for SNMP enumeration best thing to use is Metasploit framework
need to use snmp_enum module.
msf > use auxiliary/scanner/snmp/snmp_enum
msf auxiliary(snmp_enum) > show actions
...actions...
msf auxiliary(snmp_enum) > set ACTION < action-name >
msf auxiliary(snmp_enum) > show options
...show and set options...
msf auxiliary(snmp_enum) > run
Countermeasures:
- use a more secure version (SNMPv3).
in perimeter network access devices we can block port 161 to avoid it getting scanned.
use policy such as ' additional restrictions for anonymous connections' which is a user policy security option.
do not allow fishy IP addresses to access.
disable or remove SNMP agents on hosts.
LDAP Enumeration
The Lightweight Directory Access Protocol (LDAP) may be a protocol wont to locate directory listings inside Active Directory both from different Directory Services. LDAP points to be attached to the domain name System to permit combined fast lookups and quick analysis of queries. It is plausible to question the LDAP assistance, seldom anonymously to work out a much data that would put a smile on the face of a tester, brute force or social engineering attack. can extract valid usernames, user details, addresses
LDAP generally runs on port 389
A directory is typically compiled during a hierarchical and logical format, rather just like the levels of management and employees during a company.
LDAP generally runs on port 389
A directory is typically compiled during a hierarchical and logical format, rather just like the levels of management and employees during a company.
Tools:
LDAP Browser editor
JXplorer
JXplorer
Countermeasures:
- lockout after certain entries.
- using SSL encryption technology for the traffic.
- It's very easy to find username with the help of email addresses, so keep in mind that use different username and Email names.
- Use NTLM or Basic authentication to limit access to known users only so no one makes unauthorized access.
Conclusion
In Scanning, we did scan all ports and found out whats services and its versions are working out there and in this post, we have seen how to enumerate those services and get the information we want to exploit and vulnerability analysis..
So the point here is it's not scanning and enumeration it is scanning with enumeration.
these enumeration techniques used by ethical hackers, bug bounty and cybersecurity experts..
Happy hacking..