
MSC 2 SEM 3

PAPER 1

ENUMERATION
Vulnerability Assessment and Penetration Testing (VAPT) are two tests
done in order to secure an organization. Vulnerability Assessment includes
searching for vulnerabilities and penetration testing includes exploiting the
vulnerabilities with the use of manual or automated testing.
The following steps are followed in the process of VAPT:
1. Reconnaissance
2. Scanning & Enumeration
3. Gaining Access
4. Maintaining Access
5. Clearing Tracks
6. Leaving Backdoors

Enumeration is defined as the process of extracting user names,
machine names, network resources, shares, and services from a system. In
the enumeration phase, the attacker creates active connections to the
system and performs directed queries to gain more information about the
target. The attacker uses the gathered information to identify the
vulnerabilities or weak points in system security and then tries to exploit
them. Enumeration techniques are conducted in an intranet environment. It
involves making active connections to the target system. It is possible that
the attacker stumbles upon a remote IPC share, such as IPC$ in Windows,
that can be probed with a null session allowing shares and accounts to be
enumerated.
Penetration testing is much more than just running exploits against
vulnerable systems. In fact, a penetration test begins before penetration
testers have even made contact with the victim systems.
As an expert ethical hacker and penetration tester you must know how
to enumerate target networks and extract lists of computers, user names,
user groups, ports, operating systems, machine names, network resources,
and services using various enumeration techniques.
Information Enumerated by Intruders includes:
Niranjana.S.Karandikar

Network resources and shares
Users and groups
Routing tables
Auditing and service settings
Machine names
Applications and banners
SNMP and DNS details
Through enumeration, an attacker may gather sensitive information of
organizations if the security is not strong. He or she may then use that
sensitive information to hack and break into the organization's network. If an
attacker breaks into the organization, then the organization potentially faces
huge losses in terms of information, service, or finance. Therefore, to avoid
these kinds of attacks, every organization must test its own security. Testing
the security of an organization legally against enumeration is called
enumeration pen testing. Enumeration pen testing is conducted with the
help of the data collected in the reconnaissance phase.
As a pen tester, conduct enumeration penetration tests to check
whether the target network is revealing any sensitive information that may
help an attacker to perform a well-planned attack. Apply all types of
enumeration techniques to gather sensitive information such as user
accounts, IP address, email contacts, DNS, network resources and shares,
application information, and much more. Try to discover as much information
as possible regarding the target. This helps you determine the
vulnerabilities/weaknesses in the target organization's security.

Steps in Enumeration
Step 1
Find the network range
If you want to break into an organization's network, you should know the
network range first. This is because if you know the network range, then you
can mask yourself as a user falling within the range and then try to access

the network. So the first step in enumeration pen testing is to obtain
information about the network range. You can find the network range of the
target organization with the help of tools such as Whois Lookup.
Step 2
Calculate the subnet mask
Once you find the network range of the target network, calculate the
subnet mask required for the IP range using tools such as Subnet Mask
Calculator. You can use the calculated subnet mask as an input to many of
the ping sweep and port scanning tools for further enumeration, which
includes discovering hosts and open ports.
Step 3
Undergo host discovery
Find the important servers connected to the Internet using tools such as
Nmap. The Nmap syntax to find the servers connected to the Internet is as
follows: nmap -sP <network range>. In place of the network range, enter the
network range value obtained in the first step.
Step 4
Perform port scanning
It is very important to discover the open ports and close them if they are not
required. This is because open ports are the doorways for an attacker to
break into a target's security perimeter. Therefore, perform port scanning to
check for the open ports on the nodes. This can be accomplished with the
help of tools such as Nmap.
Step 5
Perform DNS enumeration
Perform DNS enumeration to locate all the DNS servers and their records.
The DNS servers


provide information such as system names, user names, IP addresses, etc.
You can extract all this information with the help of the Windows utility
nslookup.
Step 6
Perform NetBIOS enumeration
Perform NetBIOS enumeration to identify the network devices over TCP/IP
and to obtain a list of computers that belong to a domain, a list of shares on
individual hosts, and policies and passwords. You can perform NetBIOS
enumeration with the help of tools such as SuperScan, Hyena, and
WinFingerprint.
Step 7
Perform SNMP enumeration
Perform SNMP enumeration by querying the SNMP server in the network. The
SNMP server may reveal information about user accounts and devices. You
can perform SNMP enumeration using tools such as OpUtils and SolarWinds
IP Network Browser.
Step 8
Perform Unix/Linux enumeration
Perform Unix/Linux enumeration using tools such as Enum4linux. You can use
commands such as showmount, finger, rpcinfo (RPC), and rpcclient to
enumerate UNIX network resources.
Step 9
Perform LDAP enumeration
Perform LDAP enumeration by querying the LDAP service. By querying the
LDAP service you can enumerate valid user names, departmental details,
and address details. You can use this information to perform social
engineering and other kinds of attacks. You can perform LDAP enumeration
using tools such as Softerra LDAP Administrator.
Step 10
Perform NTP enumeration


Perform NTP enumeration to extract information such as the hosts connected
to the NTP server, client IP addresses, the OS running on client systems, etc.
You can obtain this information with the help of commands such as ntptrace,
ntpdc, and ntpq.
Step 11
Perform SMTP enumeration
Perform SMTP enumeration to determine valid users on the SMTP server. You
can use tools such as NetScanTools Pro to query the SMTP server for this
information.
Step 12
Document all the findings
The last step in every pen test is documenting all the findings obtained
during the test. You should analyze and suggest countermeasures for your
client to improve their security.
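As an added example (my own Python, not part of these notes), the helper below reads the grepable output of the Nmap scans from steps 3 and 4 and lists which live hosts expose the ports that the later enumeration steps query, so the countermeasures can be prioritised host by host. The scan output is constructed, and the mapping from port to enumeration step is my own assumption.

```python
import re

# Constructed sample in Nmap's grepable (-oG) format; not output of a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 192.168.10.1 ()\tStatus: Up
Host: 192.168.10.1 ()\tPorts: 23/open/tcp//telnet///, 161/open/udp//snmp///\tIgnored State: closed (998)
Host: 192.168.10.20 (fileserver)\tStatus: Up
Host: 192.168.10.20 (fileserver)\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 22/filtered/tcp//ssh///
Host: 192.168.10.31 ()\tStatus: Down
# Nmap done at (constructed sample)
"""

# Assumed mapping from listening port to the enumeration step (or later
# section of these notes) that would query it.
ENUMERATION_PORTS = {
    21: "FTP banner", 23: "Telnet banner", 25: "SMTP (step 11)",
    53: "DNS (step 5)", 69: "TFTP", 79: "Finger / Unix (step 8)",
    111: "RPC / Unix (step 8)", 123: "NTP (step 10)", 135: "MSRPC",
    139: "NetBIOS (step 6)", 161: "SNMP (step 7)", 389: "LDAP (step 9)",
    445: "SMB / NetBIOS (step 6)",
}

HOST_LINE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


def parse_gnmap(text):
    """Return {ip: {"name": str, "up": bool, "open": [(port, proto, service)]}}."""
    hosts = {}
    for line in text.splitlines():
        match = HOST_LINE.match(line)
        if not match:          # '# Nmap ...' comment lines
            continue
        ip, name, fields = match.groups()
        entry = hosts.setdefault(ip, {"name": name, "up": False, "open": []})
        for field in fields.split("\t"):
            if field.startswith("Status: "):
                entry["up"] = field == "Status: Up"
            elif field.startswith("Ports: "):
                for spec in field[len("Ports: "):].split(", "):
                    # port/state/proto/owner/service/rpcinfo/version/
                    parts = spec.split("/")
                    if parts[1] == "open":
                        entry["open"].append((int(parts[0]), parts[2], parts[4]))
    return hosts


def enumeration_exposure(hosts):
    """(ip, port, what-queries-it) for every open port an enumeration step targets."""
    findings = []
    for ip, entry in sorted(hosts.items()):
        for port, _proto, _service in entry["open"]:
            if port in ENUMERATION_PORTS:
                findings.append((ip, port, ENUMERATION_PORTS[port]))
    return findings


if __name__ == "__main__":
    for ip, port, what in enumeration_exposure(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{ip}:{port} reachable for {what}")
```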

The following techniques are used in Enumeration

Banner Grabbing
Banner grabbing is an activity that is used to determine information
about services that are being run on a remote computer. This technique can
be useful to administrators in cataloging their systems, and ethical hackers
can also use it during penetration tests. Malicious hackers also use banner
grabbing, since the technique can reveal compromising information about
the services that are running on a system. The technique works by using
Telnet, or a proprietary program, to establish a connection with a remote
machine, after which a bad request is sent. That will cause a vulnerable host
to respond with a banner message, which may contain information that a
hacker could use to further compromise a system.

In a computer networking context, the term banner typically refers to a
message that a service transmits when another program connects to it.
Default banners often consist of information about a service, such as the
version number. The banner for a hypertext transfer protocol (HTTP) service
will typically show the type of server software, version number, when it was
modified last, and other similar information. When a program such as Telnet
is used to intentionally gather this information, it is usually referred to as
banner grabbing.
A few different types of software, including Telnet, NetCat and various
proprietary programs, can be used to perform banner grabbing. Telnet is a
type of network protocol that is used to establish a virtual terminal
connection with a remote host. Most operating systems (OSes) come with
the ability to establish Telnet sessions, so that is one of the primary ways
that banner grabbing is performed. Whether Telnet or another program is
used, banners are grabbed by connecting to a host, and then sending a
request to a port that is associated with a particular service, such as port 80
for HTTP.
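An added example, my own Python rather than code from these notes, of the banner grab just described: it connects to a port, optionally sends a probe such as the HEAD request HTTP needs before it answers, and records what the service announces, so an administrator can catalogue services and flag the ones whose Server header discloses a version. The HTTP response used for the check is constructed.

```python
import socket


def grab_banner(host, port, probe=b"", timeout=3.0):
    """Connect to host:port, optionally send a probe, and return the raw bytes
    the service announces. FTP, SMTP and Telnet talk first, so no probe is
    needed; HTTP only answers after a request."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if probe:
            sock.sendall(probe)
        chunks = []
        while True:
            try:
                data = sock.recv(4096)
            except socket.timeout:
                break               # silent server: return what we have
            if not data:
                break
            chunks.append(data)
            if b"\r\n\r\n" in data or (not probe and data.endswith(b"\r\n")):
                break               # end of HTTP headers / one greeting line
    return b"".join(chunks)


def http_probe(host):
    """A harmless HEAD request; any well-formed request elicits the headers."""
    return f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_http_banner(raw):
    """Return (status_line, Server header or None) from a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return lines[0], value.strip()
    return lines[0], None


def version_disclosed(server_header):
    """True when the Server header leaks a version, e.g. 'Apache/2.4.41 (Ubuntu)'."""
    return bool(server_header) and any(ch.isdigit() for ch in server_header)


# Constructed response, typical of what the HEAD request above elicits.
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
                   b"Server: Apache/2.4.41 (Ubuntu)\r\nContent-Type: text/html\r\n\r\n")

if __name__ == "__main__":
    status, server = parse_http_banner(SAMPLE_RESPONSE)
    print(status, "->", server, "(version disclosed)" if version_disclosed(server) else "")
```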

FTP Enumeration
FTP is the File Transfer Protocol. It runs on TCP port 21. It is less used now. It
allows upload of (malicious) files and often allows anonymous access using
any email address.
Type: ftp <IP address> <port number>
Get the banner and determine access. Exploit it!
Countermeasures
Turn off FTP when not in use.
Use Secure FTP (SFTP), which runs over SSH, or FTP Secure (FTPS), which
uses SSL, instead.
Use HTTP for public information access.

TELNET Enumeration
Telnet is a network protocol used on the Internet or local area networks to
provide a bidirectional interactive text-oriented communication facility using
a virtual terminal connection. It runs on port 23 TCP. Used for remote access.

It transmits data in clear text. It often displays host system information and,
even if it doesn't, the prompt may reveal system information. It may be used
for attacking accounts if lockout is not used, and it may reveal valid
usernames from login attempts.
Countermeasures:
Turn off Telnet
Use secure shell (SSH) instead
Modify banner messages
Modify error messages
Account locking/drop connection on login failure

SMTP Enumeration
Simple Mail Transfer Protocol works on TCP port 25. SMTP is a
service that can be found in most infrastructure penetration tests. This
service can help the penetration tester to perform username enumeration
via the EXPN and VRFY commands if these commands have not been
disabled by the system administrator. There are a number of ways in which
this enumeration through SMTP can be achieved, and they are explained
below.
The role of the EXPN command is to reveal the actual addresses behind user
aliases and mailing lists, and VRFY can confirm the existence of the names
of valid users.
SMTP enumeration can be performed manually through utilities like
telnet and netcat or automatically via a variety of tools like Metasploit, Nmap
and smtp-user-enum.
Countermeasures
Configure to turn off VRFY and EXPN, or
Configure to require authentication/privileges to use them
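An added example (my own Python, not from these notes or from any of the tools named) for verifying the countermeasure above on a mail server you administer: it sends VRFY and EXPN for postmaster (an account every SMTP server is required to accept) and for a made-up name, and reports the command as disabled when it is refused outright, hardened when both names get the same reply code, and exposed when the codes differ. Host, port, and the two probe names are assumptions.

```python
import socket


def reply_complete(buf):
    """An SMTP reply ends at the first line whose 4th character is a space
    (continuation lines look like '250-...'); a bare 3-digit line also ends it."""
    lines = buf.split(b"\r\n")
    last = lines[-2] if len(lines) >= 2 else b""
    return len(last) == 3 or (len(last) >= 4 and last[3:4] == b" ")


def read_reply(sock):
    """Read one complete (possibly multi-line) reply and return it as text."""
    buf = b""
    while not reply_complete(buf):
        data = sock.recv(1024)
        if not data:
            break
        buf += data
    return buf.decode("latin-1", "replace")


def assess(known_code, bogus_code):
    """Classify a VRFY/EXPN pair: refused outright, same answer for a real and
    a bogus name (nothing to learn), or different answers (names leak)."""
    if known_code in ("500", "502", "503"):
        return "disabled"
    if known_code == bogus_code:
        return "hardened"
    return "exposed"


def audit_vrfy_expn(host, port=25, known="postmaster",
                    bogus="zz-no-such-user-9f3a", timeout=5.0):
    """Return {'VRFY': verdict, 'EXPN': verdict} for the server at host:port."""
    results = {}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        read_reply(sock)                          # 220 greeting
        sock.sendall(b"HELO audit.invalid\r\n")   # .invalid never resolves
        read_reply(sock)
        for command in ("VRFY", "EXPN"):
            codes = []
            for name in (known, bogus):
                sock.sendall(f"{command} {name}\r\n".encode("ascii"))
                codes.append(read_reply(sock)[:3])
            results[command] = assess(codes[0], codes[1])
        sock.sendall(b"QUIT\r\n")
    return results


if __name__ == "__main__":
    # Constructed reply codes: a server that confirms postmaster (250) but
    # rejects the bogus name (550) lets an outsider tell valid names apart.
    print("VRFY:", assess("250", "550"), "| after hardening:", assess("252", "252"))
```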

DNS Enumeration
DNS enumeration is the process of locating all the DNS servers and their
corresponding


records for an organization. A company may have both internal and external
DNS servers that can yield information such as usernames, computer names,
and IP addresses of potential target systems. There are a lot of tools that
can be used to gain information for performing DNS enumeration. Examples of
tools that can be used for DNS enumeration are NSlookup, DNSstuff, American
Registry for Internet Numbers (ARIN), and Whois. To enumerate DNS, you must
understand DNS and how it works.
The list of DNS records below provides an overview of the types of resource
records (database records) stored in the zone files of the Domain Name
System (DNS). The DNS implements a distributed, hierarchical, and redundant
database for information associated with Internet domain names and
addresses. In these domain servers, different record types are used for
different purposes. The following list describes the common DNS record
types and their use:

A (address): Maps a host name to an IP address
SOA (Start of Authority): Identifies the DNS server responsible for the
domain information
CNAME (canonical name): Provides additional names or aliases for the
address record
MX (mail exchange): Identifies the mail server for the domain
SRV (service): Identifies services such as directory services
PTR (pointer): Maps IP addresses to host names
NS (name server): Identifies other name servers for the domain

DNS Zone Transfer is typically used to replicate DNS data across a number of
DNS servers, or to back up DNS files. A user or server will perform a specific
zone transfer request from a name server. If the name server allows zone transfers to

occur, all the DNS names and IP addresses hosted by the name server will
be returned in human-readable ASCII text.

TFTP Enumeration
Trivial File Transfer Protocol (TFTP), which runs on port 69, is a simple,
lock-step file transfer protocol that allows a client to get or put a file onto a
remote host. One of its primary uses is in the early stages of nodes booting
from a Local Area Network. TFTP has been used for this application because
it is very simple to implement. It may allow download of sensitive files (e.g.,
/etc/passwd, /etc/shadow, network device configuration files, etc.).
Countermeasures
Turn off, if possible
Wrap in TCP wrapper to restrict access
Limit access to the /tftpboot/ directory
Block at border firewall

HTTP Enumeration
Hyper Text Transfer Protocol runs on TCP port 80. While enumerating, the
supported HTTP methods can be found out, and web pages can also be
downloaded for offline viewing.
Countermeasures
Change the banner and use the IIS Lockdown tool, which disables features
that are not necessary.

MSRPC Enumeration
Microsoft Remote Procedure Call (MSRPC) runs on TCP 135. RPC is a
portmapper for Windows. It gives a list of services with version and
IP/protocol/port info. The following tool can be used for enumerating MSRPC:
Winfingerprint (SourceForge)
Countermeasures
Restrict outside access
Require use of VPN for external access
Use OWA (Outlook Web Access) for remote mail access

SNMP Enumeration


Simple Network Management Protocol runs on UDP 161. Simple Network
Management Protocol (SNMP) is an "Internet-standard protocol for managing
devices on IP networks". Devices that typically support SNMP include routers,
switches, servers, workstations, printers, modem racks and more.
Countermeasures
Remove or disable SNMP agents on hosts
Use obscure community names (e.g., NOT public or private)
Block port 161 at all perimeter network access devices
Restrict access to specific IP addresses
Use SNMPv3 (more secure)
Set Registry to permit only authorized access

FINGER Enumeration
Finger runs on TCP/UDP 79. It reveals logged-in users, idle times and user
information taken from public file information.
Countermeasures
Turn off
Block port 79
Restrict access
Restrict info given

Vulnerability Scanners
Vulnerability scanners are automated tools that scan web applications to
look for known security vulnerabilities such as cross-site scripting, SQL
injection, command execution, directory traversal and insecure server
configuration. A large number of both commercial and open source tools are
available, and all these tools have their own strengths and weaknesses.
The following tools can be used for Enumeration:

NMAP
Methodology
Perform scans to find hosts with NetBIOS ports open (135, 137-139, 445)


Do an nbtstat scan to find generic information (computer names, user
names, MAC addresses) on the hosts.
Create a null session to these hosts to gain more information.
Perform an nmap -O scan.
Run the command nbtstat -A IPAddress
In the command prompt, type net use \\X.X.X.X\IPC$ "" /u:"" (where X.X.X.X is
the address of the host machine, and there are no spaces between the
double quotes).
Confirm it by issuing a general net use command to see connected null
sessions from your host.

SuperScan
SuperScan is a TCP port scanner, pinger, and resolver. The tool's features
include extensive Windows host enumeration capability, TCP SYN scanning,
and UDP scanning.
Methodology
Perform a NetBIOS enumeration. NetBIOS enumeration is carried out to
obtain:
List of computers that belong to a domain
List of shares on the individual hosts on the network
Policies and passwords
Overview of NetBIOS Enumeration
1. The purpose of NetBIOS enumeration is to gather information, such as:
a. Account lockout threshold
b. Local groups and user accounts
c. Global groups and user accounts
2. Restrict anonymous bypass routine and also password checking:
a. Checks for user accounts with blank passwords
b. Checks for user accounts with passwords that are the same as the
usernames in lower case.
SuperScan results comprise the following:

Performing Enumeration Types:
Null Session
MAC Address
Work Station Type
Users
Groups


Domain
Account Policies
Registry

Enumerating NetBIOS Using the NetBIOS Enumerator Tool
This tool scans a range of IP addresses for the following:
Machine Name
NetBIOS Names
User Name
Domain
MAC Address
Round Trip Time (RTT)

Enumerating a Network Using SoftPerfect Network Scanner
SoftPerfect Network Scanner is a free multi-threaded IP, NetBIOS, and
SNMP scanner with a modern interface and many advanced features.
NetBIOS enumeration is carried out to detect:
Hardware MAC addresses across routers
Hidden shared folders and writable ones
Internal and external IP addresses
This tool scans a range of IP addresses for the following:
IP Address
Host Names
MAC Address
Response Time

Enumerating a Network Using Solar Winds Toolset
The Solar Winds Toolset provides the tools you need as a network
engineer or network consultant to get your job done. The Toolset includes
best-of-breed solutions that work simply and precisely, providing the
diagnostic, performance, and bandwidth measurements you want, without
extraneous, unnecessary features.
Solar Winds scans an IP address for the following:
Interfaces
Services
Accounts


Shares
Hub Ports
TCP/IP Network
Routes

Enumerating the System Using Hyena
Hyena uses an Explorer-style interface for operations, including right
mouse click popup context menus for all objects. Management of users,
groups (both local and global), shares, domains, computers, services,
devices, events, files, printers and print jobs, sessions, open files, disk space,
user rights, messaging, exporting, job scheduling, processes, and printing are
all supported.
This tool helps in the following:
Users information in the system
Services running in the system
Local Connections
Users
Local Group
Shares
Sessions
Services
Events
User Rights
Performance
Registry
