Enumeration in Cyber Security! Everything that you need to understand.


What is Enumeration?

  • In the enumeration phase, attacker creates active connections to system and performs directed queries to gain more information about the target.
  • Attackers use extracted information to identify system attack points and perform password attacks to gain unauthorized access to information system resources
  •  Enumeration techniques are conducted in an intranet environment.

Information Enumerated by Intruders

  • Network resources
  •  Network shares
  • Routing tables
  • Audit and service settings
  •  SNMP and DNS details
  •  Machine names
  • Users and groups
  • Applications and banners

Techniques for Enumeration

  • Extract user names using email IDs
  •  Extract information using the default passwords
  •  Extract user names using SNMP
  •  Brute force Active Directory
  •  Extract user groups from Windows
  •  Extract information using DNS Zone Transfer

Service and Ports to Enumerate

TCP/UDP 53: DNS Zone Transfer

TCP/UDP 135: Microsoft RPC Endpoint Mapper

UDP 137: NetBIOS Name Service (NBNS)

TCP 139: NetBIOS Session Service (SMB over NetBIOS)

TCP/UDP 445: SMB over TCP (Direct Host)

UDP 161: Simple Network Management Protocol (SNMP)

TCP/UDP 389: Lightweight Directory Access Protocol (LDAP)

TCP/UDP 3268: Global Catalog Service

TCP 25: Simple Mail Transfer Protocol (SMTP)

NetBIOS Enumeration

  • NetBIOS name is a unique 16 ASCII character string used to identify the network devices over TCP/IP, 15 characters are used for the device name and 16th character is reserved for the service or name record type.
  •  Attackers use the NetBIOS enumeration to obtain:
    •  List of computers that belong to a domain
    •  List of shares on the individual hosts in the network
    • Policies and passwords
  • Nbtstat
  • nbtscan in Kali

NetBIOS Enumeration: Tools

# SuperScan:

  • SuperScan is a connect-based TCP port scanner, pinger, and hostname resolver.


  • Hyena is a GUI product for managing and securing Microsoft operating systems. It shows shares and user logon names for Windows servers and domain controllers.
  •  It displays graphical representation of Microsoft Terminal Services, Microsoft Windows Network, Web Client Network, etc.


  • Winfingerprint determines OS, enumerate users, groups, shares, SIDs, transports, sessions, services, service pack and hotfix level, date and time, disks, and open TCP and UDP ports.

SNMP Enumeration

  • SNMP enumeration is a process of enumerating user accounts and devices on a target system using SNMP.
  • SNMP consists of a manager and an agent; agents are embedded on every network device, and the manager is installed on a separate computer.
  •  SNMP holds two passwords to access and configure the SNMP agent from the management station:
    •  Read community string: It is public by default; allows viewing of device/system configuration.
    • Read/write community string: It is private by default; allows remote editing of configuration

SNMP Enumeration: snmp-check example

Scan the target host ( using the public SNMP community string (-c public)

root@kali:~# snmp-check -c public

snmp-check v1.9 – SNMP enumerator Copyright (c) 2005-2015 by Matteo Cantoni

(www.nothink.org) [+]

Try to connect to using SNMPv1 and community ‘public’

SNMP Enumeration: Tools

# OpUtils: OpUtils with its integrated set of tools helps network engineers to monitor, diagnose, and troubleshoot their IT resources.

#Engineer’s Toolset:

  • Engineer’s Toolset performs network discovery on a single subnet or a range of subnets using ICMP and SNMP.
  • It scans a single IP, IP address range, or subnet and displays network devices discovered in real time

LDAP Enumeration

  • Lightweight Directory Access Protocol (LDAP) is an Internet protocol for accessing distributed directory services.
  •  Directory services may provide any organized set of records, often in a hierarchical and logical structure, such as a corporate email directory.
  •  A client starts an LDAP session by connecting to a Directory System Agent (DSA) on TCP port 389 and sends an operation request to the DSA.
  •  Attacker queries LDAP service to gather information such as valid user names, addresses, departmental details, etc. that can be further used to perform attacks.

LDAP Enumeration: Example

# Exploiting LDAP Server with NULL https://www.n00py.io/2020/02/exploiting-ldap-server-null-bind/

NTP Enumeration

  • Network Time Protocol (NTP) is designed to synchronize clocks of networked computers
  • It uses UDP port 123 as its primary means of communication
  •  Attacker queries NTP server to gather valuable information such as:
    •  List of hosts connected to NTP server 4
    • Clients IP addresses in a network, their system names and Oss

SMTP Enumeration

  • SMTP provides 3 built-in-commands:
    •  VRFY: Validates users
    •  EXPN: Tells the actual delivery addresses of aliases and mailing lists
    • RCPT TO: Defines the recipients of the message
  • SMTP servers respond differently to VRFY, EXPN, and RCPT TO commands for valid and invalid users from which we can determine valid users on SMTP server
  •  Attackers can directly interact with SMTP via the telnet prompt and collect list of valid users on the SMTP server.

SMTP Enumeration: Example1 (telnet)

SMTP Enumeration: Example2 (msf)

SMTP Enumeration: Example3 (smtp-user-enum)

# Example https://www.hackingarticles.in/4-ways-smtp-enumeration/

Facebook Comments