Enumeration Hacking: Definition, classification, and goals

What is Enumeration Hacking?


Enumeration is defined as a process that establishes an active connection to the target hosts to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

Enumeration is used to gather the following:

  • Usernames, group names
  • Hostnames
  • Network shares and services
  • IP tables and routing tables
  • Service settings and audit configurations
  • Application and banners
  • SNMP and DNS details


Enumeration is phase 3 of the Penetration Testing or Ethical Hacking. It is a process of gaining complete access to the system by compromising the vulnerabilities identified in the first two phases. The Scanning stage only helps to identify the vulnerabilities to a certain extent, but  Enumeration helps us learn the complete details such as users, groups, and even system-level details – routing tables. This phase of Ethical hacking is to gain end-to-end knowledge of what will be tested in the target environment. Tools are deployed to gain complete control over the system. 

About Penetration Testing

Penetration testing or  Ethical hacking is a simulation of cyber-attacks to a computer system or application or infrastructure to detect vulnerabilities if any. Penetration testing provides great insights on the list of vulnerabilities that we can categorize and rank as high, medium, and low. We fix these vulnerabilities depending on the business requirement and timelines.

Significance of Enumeration 

Enumeration is the most critical aspect of Ethical hacking. The metrics, outcomes, results are use directly in testing the system in the next steps of penetration testing.  Enumeration helps us to decipher the detailed information – Hostnames, IP tables, SNMP and DNS, Application, Banners, Audit configurations, and service settings. The significance of Enumeration is that it systematically collects details. This allows pentesters to completely examine the systems.  The pentesters collect information about the weak links during the enumeration phase of ethical hacking.  

It helps in finding the attack Vectors and threats. 

Enumeration classification

There are mainly 8 types of enumeration:

  1. NetBios enumeration
  2. SNMP enumeration
  3. LDAP enumeration
  4. NTP enumeration
  5. SMTP enumeration
  6. DNS enumeration
  7. Windows enumeration
  8. UNIX/Linux enumeration

The rest of the document explains each one of the above enumeration types, as well as tools and controls for preventing the same.

1. NetBIOS(Network Basic Input Output System) Enumeration: 

  • NetBIOS name is an exceptional 16 ASCII character string used to distinguish the organization gadgets over TCP/IP, 15 characters are utilized for the gadget name and the sixteenth character is saved for the administration or name record type.
  • Programmers utilize the NetBIOS enumeration to get a rundown of PCs that have a place with a specific domain, a rundown of offers on the individual hosts in the organization, and strategies and passwords.
  • The initial phase in specifying a Windows framework is to exploit the NetBIOS API. It was initially an Application Programming Interface(API) for custom programming to get to LAN assets. Windows utilizes NetBIOS for document and printer sharing.
  • A hacker who finds a Windows OS with port 139 open, can verify what assets we can get to or seen on the far off framework. In any case, to count the NetBIOS names, the distant framework probably empowered document and printer sharing. This sort of enumeration may empower the programmer to peruse or keep in touch with the distant PC framework, contingent upon the accessibility of offers, or dispatch a DoS.

2. SNMP(Simple Network Management Protocol) Enumeration: 

  • SNMP enumeration is a cycle of specifying client records and gadgets on an objective framework utilizing SNMP. SNMP comprises a manager and a specialist; specialists are inserted on each organization gadget, and the trough is introduced on a different PC.
  • SNMP holds two passwords to get to and design the SNMP specialist from the administration station. Read Community String is public of course; permits review of gadget/framework setup. Read/Write people group string is private of course; permits far off altering of arrangement.
  • Hackers utilize these default network strings to remove data about a gadget. Hackers list SNMP to remove data about organization assets, for example, has, switches, gadgets, shares, and so on, and network data, for example, ARP tables, directing tables, traffic, and so forth.
  • SNMP utilizes dispersed engineering containing SNMP agents, managers, and a few related parts. Orders related with SNMP include: GetRequest, GetNextRequest, GetResponse, SetRequest, Trap.
  • SNMP Enumeration tools are utilized to examine a solitary IP address or a scope of IP addresses of SNMP empowered organization gadgets to screen, analyze, and investigate security dangers. Instances of this sort of instruments incorporate NetScanTolls Pro, SoftPerfect Network Scanner, SNMP Informant, and so forth

3. LDAP Enumeration:

  • Lightweight Directory Access Protocol is an Internet Protocol for getting to dispersed registry administrations.
  • LDAP supports anonymous remote queries on the server. The query will disclose sensitive information such as usernames, address, contact details, department details and so on.
  • Use SSL to encrypt LDAP communication.
  • Use Kerberos to restrict the access to known users.
  • Enable account lockout to restrict brute-forcing.
  • Examples of these kinds of tools include LDAP Admin Tool, Active Directory Explorer, LDAP Admin, etc.

4. NTP Enumeration:

  • Network Time Protocol is intended to synchronize clocks of arranged PCs.
  • It utilizes UDP port 123 as its essential method for correspondence.
  • NTP can check time to inside 10 milliseconds (1/100 seconds) over the public web.
  • It can accomplish correctness of 200 microseconds or better in a neighborhood under ideal conditions.
  • Executives regularly disregard the NTP worker regarding security. Be that as it may, whenever questioned appropriately, it can give important organization data to the programmers.
  • Hackers inquiries NTP workers to assemble significant data. For example, a list of hosts associated with NTP workers, Clients’ IP addresses in an organization, their framework names and Oss, and Internal IPs can likewise be gotten if NTP worker is in the demilitarized zone.
  • NTP enumeration tools are utilized to screen the working of SNTP and NTP workers present in the organization and furthermore help in the configuration and confirmation of availability from the time customer to the NTP workers.

5. SMTP Enumeration:

  • Mail frameworks ordinarily use SMTP with POP3 and IMAP that empowers clients to spare the messages in the worker letter drop and download them once in a while from the mainframe.
  • SMTP utilizes Mail Exchange (MX) workers to coordinate the mail through DNS. It runs on TCP port 25.
  • SMTP provides 3 built-in commands: VRFY, EXPN, RCPT TO.
  • These servers respond differently to the commands for valid and invalid users from which we can determine valid users on SMTP servers.
  • Hackers can legitimately associate with SMTP through telnet brief and gather a rundown of substantial clients on the mainframe.
  • Hackers can perform SMTP enumeration using command-line utilities such as telnet, netcat, etc., or by using tools such as Metasploit, Nmap, NetScanTools Pro, etc.

6. DNS Enumeration using Zone Transfer:

  • It is a cycle for finding the DNS worker and the records of an objective organization.
  • A hacker can accumulate significant organization data, for example, DNS worker names, hostname, machine names, usernames, IPs, and so forth of the objectives.
  • In DNS Zone Transfer enumeration, a hacker tries to retrieve a copy of the entire zone file for a domain from the DNS server.
  • In order to execute a zone transfer, the hacker sends a zone transfer request to the DNS server pretending to be a client; the DNS then sends a portion of its database as a zone to you. This zone may contain a ton of data about the DNS zone organization.

7. Windows Enumeration

Windows operating systems are enumerated using this type of enumeration. The attacker uses tools from Sysinternals to achieve this. This is the most basic enumeration happening, and the hackers attack desktop workstations. This means that the confidentiality of the files is no longer maintained. You can access any file and alter it. In some cases, hackers may also change the configuration of the desktop or operating system.

It can be prevented by using a Windows firewall, etc. A firewall is a very basic application that acts as a scanner and blocks any foreign signals trying to establish a connection with the system.

8. Unix/Linux User Enumeration:

  • One of the most vital steps for conducting an enumeration is to perform this kind of enumeration. This provides a list of users along with details like username, hostname, start date and time of each session, etc.
  • We can use command-line utilities to perform Linux user enumeration like rusers, rwho, finger, etc.

What are the goals of the Enumeration? 

1. To map the end-to-end details that we need to check after the enumeration step 

2. The ways to execute the attacks in the upcoming phases 

3. Identify all the information we need to do the execution in future testing 

4. Compile a list of devices with configuration for testing 

5. Complete the network map to finalize the steps for testing 

6. Compile the list of people who support the testing  7. Collect even irrelevant information that might still be significant in the future 

Spread the love

Related Post

Leave a Reply

Your email address will not be published. Required fields are marked *