What is Enumeration?

Enumeration is the process of extracting user names, machine names, network resources, shares, and services from a system or network. In the enumeration phase, the attacker creates active connections with system and performs directed queries to gain more information about the target. The attackers use the information collected by means of enumeration to identify the vulnerabilities or weak points in the system security, which helps them exploit the target system. It allows the attacker to perform password attacks to gain unauthorized access to information system resources. Enumeration techniques work in an intranet environment.

Enumeration allows you to collect the following information:

• Network resources
• SNMP and FQDN details
• Network shares
• Machine names
• Routing tables
• Users and groups
• Audit and service settings
• Applications and banners

During enumeration, attackers may stumble upon a remote IPC share, such as IPC$ in Windows, which they can probe further for null sessions to collect information about other shares and system accounts.
The previous modules highlighted how attackers gather necessary information about a target without really getting on the wrong side of the legal barrier. However, enumeration activities may be illegal depending on the organization policies and any laws that are in effect. As an ethical or pentester, you should always acquire proper authorization before performing enumeration.

Related Product : Certified Ethical Hacker | CEH Certification

Techniques for Enumeration

To extract information about a target :

Extract user names using email IDs

Every email address contains two parts: the user name and the domain name. The structure of an email address is username@domainname. Consider abc@gmail.corn; in this email address, the “abc” (the string of characters preceding the ‘@’ symbol) is the user name and “gmail.com” (the string of characters following the ‘@’ symbol) is the domain name.

Extract information using default passwords

Many online resources provide a list of default passwords assigned by manufacturers to their products. Users often neglect to change the default usernames and passwords provided by the manufacturer or developer of a product. This eases the task of an attacker in enumerating and exploiting the target system.

Brute force Active Directory

Microsoft Active Directory is susceptible to a username enumeration at the time of user-supplied input verification. This is a design error in the Microsoft Active Directory implementation. If a user enables the “logon hours” feature, then all the attempts at service authentication result in different error messages. Attackers take advantage of this to enumerate valid user names. An attacker who succeeds in extracting valid user names can conduct a brute-force attack to crack the respective passwords.

Extract information using DNS Zone Transfer

A network administrator can use DNS Zone Transfer to replicate Domain Name System (DNS) data across a number of DNS servers, or to back up DNS files. The administrator needs to execute a specific zone transfer request to the name server. If the name server permits zone transfer, it will convert all the DNS names and IP addresses, hosted by that server to ASCII text.
If the network administrators did not configure the DNS server properly, the DNS Zone transfer is an effective method to obtain information about the organization’s network. This information may include lists of all named hosts, sub-zones, and related IP addresses. A user can perform DNS zone transfer using nslookup.

• Extract user groups from Windows

To extract user groups from Windows, the attacker should have a registered ID as a user in the Active Directory. The attacker can then extract information from groups in which the user is a member by using the Windows interface or command line method.

• Extract user names using SNMP

Attack-s can easily guess the read-only or read-write community strings using the SNMP AD to extract user names.

Also Read : What is SNMP Enumeration?

What is NetBIOS?

NetBIOS stands for Network Basic Input Output System. IBM developed it along with Sytek. The primary intention of NetBIOS was developed as Application Programming Interface (API) to enable access to LAN resources by the client’s software.

NetBIOS naming convention starts with 16-ASCII character string used to identify the network devices over TCP/IP; 15-characters are used for the device name, and the 16th character is reserved for the service or name record type.

NetBIOS Enumeration Explained:

NetBIOS software runs on port 139 on the Windows operating system. File and printer service needs to be enabled to enumerate NetBIOS over Windows Operating system. An attacker can perform the below on the remote machine.

  1. Choose to read or write to a remote machine depending on the availability of shares
  2. Launch a Denial of Service (DoS) attack on the remote machine
  3. Enumerate password policies on the remote machine

NetBIOS Enumeration Tools:

  1. nbtstat
  2. SuperScan

What is SNMP?

SNMP stands for Simple Network Management Protocol is an application-layer protocol that runs on User Datagram Protocol (UDP). It is used for managing network devices which run on IP layer like routers. SNMP is based on a client-server architecture where SNMP client or agent is located on every network device and communicates with the SNMP managing station via requests and responses. Both SNMP request and responses are configurable variables accessible by the agent software. SNMP contains two passwords for authenticating the agents before configuring the variables and for accessing the SNMP agent from the management station.

SNMP Passwords are:

  1. Read Community string are public, and the configuration of the device can be viewed with this password
  2. Read/Write community string is private, and the configuration of the device can be modified using this password.

SNMP uses a virtual hierarchical database internally for managing the network objects, and it is called Management Information Base (MIB). MIB contains a tree-like structure, and object ID uniquely represents each network object. The network objects can be viewed or modified based on the SNMP passwords.

SNMP Enumeration:

Default SNMP password allow attackers to view or modify the SMMP configuration settings. Attackers can enumerate SNMP on remote network devices for the following:

  1. Information about network resources such as routers, shares, devices, etc.
  2. ARP and routing tables
  3. Device-specific information
  4. Traffic statistics etc.

SNMP Enumeration Tools:

  1. OpUtils
  2. SolarWinds

What is LDAP?

LDAP Stands for Light Weight Directory Access Protocol and it is an Internet protocol for accessing distributed directory services like Active Directory or OpenLDAP etc. A directory service is a hierarchical and logical structure for storing records of users. LDAP is based on client and server architecture. LDAP transmits over TCP and information is transmitted between client and server using Basic Encoding Rules (BER).

LDAP Enumeration:

LDAP supports anonymous remote query on the Server. The query will disclose sensitive information such as usernames, address, contact details, Department details, etc.

LDAP Enumeration Tools:

  1. Softerra LDAP Administrator
  2. Jxplorer

What is NTP?

NTP stands for Network Time protocol designed to synchronize clocks of networked computers. NTP can achieve accuracies of 200 milliseconds or better in local area networks under ideal conditions. NTP can maintain time to within ten milliseconds (1/100 second) over the Internet. NTP is based on agent-server architecture where agent queries the NTP server, and it works on User Datagram Protocol (UDP) and well-known port 123.

NTP Enumeration:

An attacker can enumerate the following information by querying NTP server.

  1. List of hosts connected to the NTP server
  2. Internal Client IP addresses, Hostnames and Operating system used.

NTP Enumeration Tools:

  1. Ntptrace
  2. Ntpdc

What is SMTP?

SMTP stands for Simple Mail Transfer Protocol and it is designed for electronic mail (E-Mail) transmissions. SMTP is based on client-server architecture and works on Transmission Control Protocol (TCP) on well-known port number 25. SMTP uses Mail Exchange (MX) servers to send the mail to via the Domain Name Service, however, should an MX server not detected; SMTP will revert and try an A or alternatively SRV records.

SMTP Enumeration:

SMTP provides three built-in commands

  • VRFY– validate users on the SMTP servers
  • EXPN– Delivery addresses of aliases and mailing lists
  • RCPT TO– Defines the recipients of the message

SMTP servers respond differently to the commands mentioned above, and SMTP enumeration is possible due to varied responses. Attackers can determine the valid users on the SMTP servers with the same technique.

SMTP Enumeration Tools:

  1. NetScan Tools Pro
  2. SMTP User Enum

What is DNS?

DNS stands for Domain Name Service, and it is primarily designed as hierarchical decentralized distributed naming systems for computers, services, or any resource connected to the network. DNS resolves hostnames to its respective IP addresses and vice versa. DNS internally maintains a database for storing the records. The following are the most commonly used record types in DNS.

  • Start of Authority (SOA),
  • IP addresses (A and AAAA),
  • SMTP mail exchangers (MX),
  • Nameservers (NS),
  • Pointers for reverse DNS lookups (PTR), and
  • Domain name aliases (CNAME)

DNS works on both UDP and TCP on well-known port number 53. It uses UDP for resolving queries and TCP for zone transfers. DNS zone transfer allows DNS databases to replicate the portion of the database from the primary server to the secondary server. DNS zone transfer must only be allowed by other validated secondary DNS servers acting as clients.

DNS Enumeration:

DNS enumeration is possible by sending zone transfer request to the DNS primary server pretending to be a client. It reveals sensitive domain records in response to the request.

DNS Enumeration Tools:

  1. Nslookup
  2. DNS Dumpster
  3. DNS Recon

The most common technique used to search users names and machine name of the target system which hacker do most to find victims. Infosavvy gives training on Certified Ethical Hacking in which covers one module on Enumeration. Do CEHv10 Training and Certification from Infosavvy in Banglore Location.

People also ask Question
1. What is the default password policy Active Directory?
2. What does Do not allow anonymous enumeration of SAM accounts default?
3. Where are password requirements in Active Directory?
4. Do not allow any shares to be accessed anonymously?

Learn CEH & Think like hacker

This Blog Article Written by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092

Contact us – www.info-savvy.com


94 thoughts on “What is Enumeration?”

  1. Hello There. I found your blog using msn. This is a very well written article.
    I will make sure to bookmark it and return to read more of your useful info.
    Thanks for the post. I will certainly comeback.

  2. excellent put up, very informative. I ponder why the opposite experts of this sector don’t
    understand this. You should proceed your writing.
    I am confident, you have a great readers’ base already!

  3. Hi my family member! I want to say that this article is awesome, great written and include almost all significant
    infos. I’d like to see extra posts like this .

  4. Its such as you read my thoughts! You seem to understand a lot
    about this, such as you wrote the guide in it or something.
    I believe that you just can do with some percent to drive the message house a
    little bit, but instead of that, that is magnificent blog.

    An excellent read. I will certainly be back.

  5. It’s actually a cool and useful piece of information. I am satisfied that you shared this useful info with us.
    Please stay us up to date like this. Thanks for sharing.

  6. I like the valuable info you provide in your articles.
    I will bookmark your weblog and check again here frequently.
    I am quite certain I’ll learn many new stuff right here!

    Good luck for the next!

  7. Sweet blog! I found it while surfing around on Yahoo News.
    Do you have any tips on how to get listed in Yahoo News?
    I’ve been trying for a while but I never seem to get there!

  8. My brother recommended I may like this website. He was once totally right.
    This post truly made my day. You cann’t imagine simply how so much time I
    had spent for this info! Thanks!

  9. Spot on with this write-up, I seriously believe that this website needs far more attention. I’ll probably be
    back again to read through more, thanks for the information!

  10. I’m not that much of a internet reader to be
    honest but your sites really nice, keep it up! I’ll go ahead and
    bookmark your site to come back in the future.
    All the best

  11. I think this is one of the most important info for me.
    And i am glad reading your article. But should remark on few general things,
    The web site style is wonderful, the articles is really excellent :
    D. Good job, cheers

  12. This is a great tip especially to those fresh
    to the blogosphere. Brief but very accurate info… Thank you for sharing this one.
    A must read article!

Leave a Comment