
MSC 2 SEM 3

PAPER 1

ENUMERATION
Vulnerability Assessment and Penetration Testing (VAPT) are two tests done in
order to secure an organization. A vulnerability assessment searches for vulnerabilities;
a penetration test goes one step further and exploits them, using manual or automated
testing, to prove what an attacker could actually achieve.
The following steps are followed in the process of VAPT
1. Reconnaissance
2. Scanning & Enumeration
3. Gaining Access
4. Maintaining Access
5. Clearing Tracks
6. Leaving Backdoors
Enumeration is defined as the process of extracting user names, machine names,
network resources, shares, and services from a system. In the enumeration phase, the
attacker creates active connections to the system and performs directed queries to gain
more information about the target. The attacker uses the gathered information to identify
the vulnerabilities or weak points in system security and then tries to exploit them.
Enumeration is usually conducted from inside the network (an intranet environment),
because it involves making active connections to the target system rather than passive
lookups. It is possible that the attacker stumbles upon a remote IPC share, such as IPC$ in
Windows, that can be probed with a null session (an SMB session with an empty user name
and password), allowing shares and accounts to be enumerated.
Penetration testing is much more than just running exploits against vulnerable
systems. In fact a penetration test begins before penetration testers have even made
contact with the victim systems.
As an expert ethical hacker and penetration tester you must know how to
enumerate target networks and extract lists of computers, user names, user groups, ports,
operating systems, machine names, network resources, and services using various
enumeration techniques.
Information Enumerated by Intruders includes:
Niranjana.S.Karandikar

Network resources and shares
Users and groups
Routing tables
Auditing and service settings
Machine names
Applications and banners
SNMP and DNS details
Through enumeration, an attacker may gather sensitive information of
organizations if the security is not strong. He or she may then use that sensitive
information to hack and break into the organization's network. If an attacker breaks into
the organization, then the organization potentially faces huge losses in terms of
information, service, or finance. Therefore, to avoid these kinds of attacks, every
organization must test its own security. Testing the security of an organization legally
against enumeration is called enumeration pen testing. Enumeration pen testing is
conducted with the help of the data collected in the reconnaissance phase.
As a pen tester, conduct enumeration penetration tests to check whether the target
network is revealing any sensitive information that may help an attacker to perform a
well-planned attack. Apply all types of enumeration techniques to gather sensitive
information such as user accounts, IP addresses, email contacts, DNS records, network
resources and shares, application information, and much more. Try to discover as much
information as possible regarding the target. This helps you determine the
vulnerabilities/weaknesses in the target organization's security.

Steps in Enumeration
Step 1
Find the network range
If you want to break into an organization's network, you should know the network range
first. Knowing the range tells you which addresses belong to the target (and are therefore
in scope) and lets you pose as a host within that range when trying to access the network.
So the first step in enumeration pen testing is to obtain information about the network
range. You can find the network range of the target organization with a Whois lookup
against the regional Internet registry that allocated its addresses.

Step 2
Calculate the subnet mask
Once you find the network range of the target network, calculate the subnet mask
required for the IP range using a tool such as a subnet mask calculator. The calculated
subnet mask (or the equivalent CIDR prefix, e.g. /24) is the input to many ping sweep and
port scanning tools for further enumeration, which includes discovering hosts and open ports.
Step 3
Undergo host discovery
Find the important servers connected to the Internet using tools such as Nmap. The Nmap
syntax for a ping sweep is nmap -sn <network range> (older documentation writes -sP,
which Nmap still accepts as an alias). In place of the network range, enter the value
obtained in the first step. Note that hosts which drop ICMP may not answer a ping sweep;
rescanning them with -Pn skips host discovery and probes their ports directly.
Step 4
Perform port scanning
It is very important to discover the open ports and close them if they are not required. This
is because open ports are the doorways for an attacker to break into a target's security
perimeter. Therefore, perform port scanning to check for the open ports on the nodes. This
can be accomplished with the help of tools such as Nmap.
Step 5
Perform DNS enumeration
Perform DNS enumeration to locate all the DNS servers and their records. The DNS servers
provide information such as system names, mail servers, IP addresses, etc. You can extract
this information with the nslookup utility (available on Windows and Unix) or with dig.
Step 6
Perform NetBIOS enumeration
Perform NetBIOS enumeration to identify the network devices over TCP/IP and to obtain a
list of computers that belong to a domain, a list of shares on individual hosts, and policies
and passwords. You can perform NetBIOS enumeration with the help of tools such as
SuperScan, Hyena, and WinFingerprint.
Step 7
Perform SNMP enumeration
Perform SNMP enumeration by querying the SNMP agents on the network's devices. An agent
with a guessable community string (the default read community is often "public") may reveal
information about interfaces, routing tables, running processes, installed software, and
user accounts. You can perform SNMP enumeration using tools such as snmpwalk, OpUtils,
and SolarWinds IP Network Browser.
Step 8
Perform Unix/Linux enumeration
Perform Unix/Linux enumeration using tools such as enum4linux. You can also use commands
such as showmount (NFS exports), finger, rpcinfo (RPC services registered with the
portmapper), and rpcclient (SMB/MSRPC) to enumerate Unix network resources.
Step 9
Perform LDAP enumeration
Perform LDAP enumeration by querying the LDAP service. By querying the LDAP service
you can enumerate valid user names, departmental details, and address details. You can
use this information to perform social engineering and other kinds of attacks. You can
perform LDAP enumeration using tools such as Softerra LDAP Administrator.
Step 10
Perform NTP enumeration
Perform NTP enumeration to extract information such as the hosts connected to the NTP
server, client IP addresses, the OS running on client systems, etc. You can obtain this
information with the help of commands such as ntptrace, ntpq, and ntpdc (ntpdc is
deprecated in current ntp releases; ntpq covers most of its queries).
Step 11
Perform SMTP enumeration
Perform SMTP enumeration to determine valid users on the SMTP server. You can use tools
such as NetScanTools Pro to query the SMTP server for this information.
Step 12
Document all the findings
The last step in every pen test is documenting all the findings obtained during the test. You
should analyze and suggest countermeasures for your client to improve their security.
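Steps 1 to 4 above as one worked pipeline, added here as an example that is not part of the original notes: the whois range is turned into CIDR blocks and masks with Python's ipaddress module, and the grepable output that nmap -sn / nmap -sV -oG - produces is parsed to pull out the live hosts and open ports that the remaining steps enumerate. The scan output, addresses and host names are constructed for illustration, and the ENUM_PORTS table is an assumption listing the services the later steps of this section cover.

```python
import ipaddress
import re

# Constructed sample of nmap's grepable output (-oG) for two live hosts; the
# addresses (RFC 5737 documentation range) and host names are made up.
SAMPLE_NMAP_OG = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG - 203.0.113.0/24
Host: 203.0.113.10 (gw.example.test)\tStatus: Up
Host: 203.0.113.10 (gw.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 161/open|filtered/udp//snmp///\tIgnored State: closed (997)
Host: 203.0.113.25 (mail.example.test)\tStatus: Up
Host: 203.0.113.25 (mail.example.test)\tPorts: 25/open/tcp//smtp//Postfix smtpd/, 110/closed/tcp//pop3///\tIgnored State: filtered (998)
# Nmap done
"""

# Assumed mapping: ports whose services get their own enumeration step later on.
ENUM_PORTS = {
    21: "ftp", 23: "telnet", 25: "smtp", 53: "dns", 69: "tftp", 79: "finger",
    111: "rpcbind", 123: "ntp", 135: "msrpc", 137: "netbios-ns", 139: "netbios-ssn",
    161: "snmp", 389: "ldap", 445: "smb", 2049: "nfs",
}


def range_to_networks(first, last):
    """Steps 1-2: turn a whois-style 'first - last' range into (cidr, netmask, size) blocks."""
    nets = ipaddress.summarize_address_range(ipaddress.ip_address(first),
                                             ipaddress.ip_address(last))
    return [(str(n), str(n.netmask), n.num_addresses) for n in nets]


def parse_nmap_grepable(text):
    """Steps 3-4: collect live hosts and their open ports from nmap -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # Tab-separated "Key: value" fields: Host, Status / Ports, Ignored State, ...
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip, name = re.match(r"Host: (\S+) \(([^)]*)\)", line).groups()
        entry = hosts.setdefault(ip, {"name": name, "up": False, "ports": []})
        if fields.get("Status") == "Up":
            entry["up"] = True
        for port in filter(None, (p.strip() for p in fields.get("Ports", "").split(","))):
            # grepable port field: port/state/proto/owner/service/rpcinfo/version/
            num, state, proto, _owner, service, _rpc, version, *_ = port.split("/")
            if state == "open":          # "open|filtered" (UDP) is not confirmed open
                entry["ports"].append((int(num), proto, service, version))
    return hosts


def enumeration_targets(hosts):
    """Pair every open port on a live host with the enumeration technique it invites."""
    targets = []
    for ip, entry in sorted(hosts.items()):
        if not entry["up"]:
            continue
        for num, proto, service, version in entry["ports"]:
            targets.append((ip, num, proto, ENUM_PORTS.get(num, service or "unknown"), version))
    return targets


if __name__ == "__main__":
    for cidr, mask, size in range_to_networks("203.0.113.0", "203.0.113.255"):
        print(f"scan target {cidr}  mask {mask}  ({size} addresses)")
    for ip, port, proto, technique, version in enumeration_targets(parse_nmap_grepable(SAMPLE_NMAP_OG)):
        print(f"{ip}:{port}/{proto}  -> {technique} enumeration  ({version or 'no version banner'})")
```

On a real engagement the text fed to parse_nmap_grepable() comes from nmap -oG - on the CIDR blocks that range_to_networks() returns; the UDP line shows why "open|filtered" results need a follow-up probe before they are treated as open.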


The following techniques are used in Enumeration

Banner Grabbing
Banner grabbing is an activity that is used to determine information about services
that are being run on a remote computer. This technique can be useful to administrators in
cataloging their systems, and ethical hackers can also use it during penetration tests.
Malicious hackers also use banner grabbing, since the technique can reveal compromising
information about the services that are running on a system. The technique works by using
Telnet, netcat, or a purpose-built program to establish a connection with a remote machine;
some services announce themselves as soon as the connection opens, and for the others a
deliberately malformed request is sent. A host that has not been hardened will respond
with a banner message or an error page that names the software and version, which is
information an attacker could use to further compromise the system.
In a computer networking context, the term banner typically refers to a message
that a service transmits when another program connects to it. Default banners often consist
of information about a service, such as the version number. The banner for a hypertext
transfer protocol (HTTP) service will typically show the type of server software, version
number, when it was modified last, and other similar information. When a program such as
Telnet is used to intentionally gather this information, it is usually referred to as banner
grabbing.
A few different types of software, including Telnet, NetCat and various proprietary
programs, can be used to perform banner grabbing. Telnet is a type of network protocol
that is used to establish a virtual terminal connection with a remote host. Most operating
systems (OSes) come with the ability to establish Telnet sessions, so that is one of the
primary ways that banner grabbing is performed. Whether Telnet or another program is
used, banners are grabbed by connecting to a host, and then sending a request to a port
that is associated with a particular service, such as port 80 for HTTP.

FTP Enumeration
FTP is the File Transfer Protocol. Its control channel runs on TCP port 21. It is less used
now, but where present it allows upload of (malicious) files and often allows anonymous
access using any email address as the password.
Type ftp <ip address> <port number> to connect.
Read the banner (it usually names the server software and version), test for anonymous
login, and determine what access you have. Exploit it!

Countermeasures

Turn off FTP when not in use.

Replace it with SFTP (the SSH File Transfer Protocol, which runs over SSH) or FTPS (FTP
over TLS); plain FTP sends credentials and files in clear text.

Serve public files over HTTP(S) instead of anonymous FTP.

TELNET Enumeration
Telnet is a network protocol used on the Internet or local area networks to provide a
bidirectional interactive text-oriented communication facility using a virtual terminal
connection. It runs on TCP port 23 and is used for remote access. It transmits data,
including passwords, in clear text. It often displays host system information in its login
banner, and even if it doesn't, the prompt may reveal system information. It may be used
for brute-forcing accounts if lockout is not used, and may reveal valid usernames through
differing responses to login attempts.
Countermeasures:
Turn off the Telnet service
Use secure shell (SSH) instead
Modify banner messages
Modify error messages so that valid and invalid usernames get the same response
Account locking/drop connection on login failure.

SMTP Enumeration
The Simple Mail Transfer Protocol works on TCP port 25. SMTP is a service that can be
found in most infrastructure penetration tests. This service can help the penetration tester
to perform username enumeration via the EXPN and VRFY commands if these commands
have not been disabled by the system administrator. There are a number of ways in which
this enumeration through SMTP can be achieved, and they are explained in this section.
The role of the EXPN command is to expand a mailing list or alias into the actual addresses
of its members, and VRFY confirms whether a given user name exists on the server. Where
both are disabled, the RCPT TO command often still distinguishes valid recipients (250)
from unknown ones (550).
SMTP enumeration can be performed manually through utilities like telnet and netcat,
or automatically via a variety of tools like Metasploit, Nmap (the smtp-enum-users script),
and smtp-user-enum.
Countermeasures

Configure the mail server to turn off VRFY and EXPN, or

configure it to require authentication/privileges to use them.

Be aware that rejecting unknown recipients at RCPT TO (good anti-spam practice) still
leaks valid names; rate-limit and alert on many RCPT failures from one source.
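The banner-grabbing technique described earlier and the SMTP VRFY/EXPN/RCPT enumeration from this section, as one added example that is not part of the original notes. A fake mail server on the loopback interface (constructed banner, user list and alias, all made up) runs once in the verbose configuration and once hardened as the countermeasures above describe, so the same client code shows both the leak and its absence. grab_banner() works against any TCP service (FTP and Telnet greetings included) and takes an optional probe for services that wait for the client to speak first.

```python
import socket
import threading

# Constructed data for the fake mail server below (not from the original notes).
LOCAL_USERS = {"postmaster", "admin", "jsmith"}
ALIASES = {"staff": ["admin@corp.test", "jsmith@corp.test"]}


def fake_smtp(conn, verbose):
    """Minimal SMTP responder. verbose=True answers VRFY/EXPN/RCPT the way a
    mis-configured server does; verbose=False is the hardened behaviour (VRFY and
    EXPN answer 252, every RCPT TO is accepted, so nothing distinguishes users)."""
    rfile = conn.makefile("rb")
    conn.sendall(b"220 mail.corp.test ESMTP Sendmail 8.15.2/8.15.2; ready\r\n")
    for raw in rfile:
        cmd, _, arg = raw.decode(errors="replace").strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "QUIT":
            conn.sendall(b"221 bye\r\n")
            break
        if cmd in ("HELO", "EHLO", "MAIL"):
            reply = b"250 ok\r\n"
        elif cmd == "VRFY" and verbose:
            reply = b"250 <%s@corp.test>\r\n" % arg.encode() if arg in LOCAL_USERS else b"550 user unknown\r\n"
        elif cmd == "EXPN" and verbose:          # multi-line reply: "250-" then "250 " last
            members = ALIASES.get(arg, [])
            reply = b"".join(b"250%s<%s>\r\n" % (b"-" if i < len(members) - 1 else b" ", m.encode())
                             for i, m in enumerate(members)) or b"550 list unknown\r\n"
        elif cmd in ("VRFY", "EXPN"):
            reply = b"252 cannot verify; send a message instead\r\n"
        elif cmd == "RCPT":
            user = arg.split(":", 1)[-1].strip("<> ").split("@")[0]
            reply = b"250 ok\r\n" if (not verbose or user in LOCAL_USERS) else b"550 no such user\r\n"
        else:
            reply = b"500 unrecognised command\r\n"
        conn.sendall(reply)
    conn.close()


def start_server(handler):
    """Loopback listener on an ephemeral port; one daemon thread per client."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def grab_banner(host, port, probe=b"", timeout=2.0):
    """Banner grabbing: connect and return what the service volunteers. Services that
    stay silent need a probe, e.g. probe=b"HEAD / HTTP/1.0" + CRLF CRLF for HTTP."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            return s.recv(1024).decode(errors="replace").strip()
        except socket.timeout:
            return ""


def smtp_enumerate(host, port, candidates):
    """Try VRFY first; if the server refuses it (252/500/502) fall back to RCPT TO,
    which only leaks when unknown recipients are rejected during the dialogue."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        rfile = s.makefile("rb")
        rfile.readline()                                    # 220 greeting
        s.sendall(b"HELO probe.test\r\n"); rfile.readline()
        method, found = "VRFY", []
        for user in candidates:
            s.sendall(b"VRFY %s\r\n" % user.encode())
            code = rfile.readline()[:3]
            if code in (b"252", b"500", b"502"):
                method = "RCPT"
                break
            if code == b"250":
                found.append(user)
        if method == "RCPT":
            found = []
            s.sendall(b"MAIL FROM:<probe@probe.test>\r\n"); rfile.readline()
            for user in candidates:
                s.sendall(b"RCPT TO:<%s@corp.test>\r\n" % user.encode())
                if rfile.readline()[:3] == b"250":
                    found.append(user)
        s.sendall(b"QUIT\r\n")
        # A catch-all or hardened server accepts every name: no signal, so no leak.
        return {"method": method, "users": found, "leaks": 0 < len(found) < len(candidates)}


def smtp_expand(host, port, alias):
    """EXPN: expand a list/alias; collect the members from the 250-/250 reply lines."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        rfile = s.makefile("rb")
        rfile.readline()
        s.sendall(b"EXPN %s\r\n" % alias.encode())
        members = []
        while True:
            line = rfile.readline()
            if line[:3] == b"250":
                members.append(line[4:].decode().strip().strip("<>"))
            if line[3:4] != b"-":
                break
        s.sendall(b"QUIT\r\n")
        return members


if __name__ == "__main__":
    leaky = start_server(lambda c: fake_smtp(c, True))
    hardened = start_server(lambda c: fake_smtp(c, False))
    print("banner:", grab_banner("127.0.0.1", leaky))
    for label, port in (("leaky", leaky), ("hardened", hardened)):
        print(label, smtp_enumerate("127.0.0.1", port, ["admin", "jsmith", "nobody", "root"]),
              smtp_expand("127.0.0.1", port, "staff"))
```

Against a real target the same client functions are pointed at the mail host on port 25; the "leaks" flag is the check a tester should apply before reporting RCPT TO results, because a server that accepts every recipient has not confirmed anything.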


DNS Enumeration
DNS enumeration is the process of locating all the DNS servers and their corresponding
records for an organization. A company may have both internal and external DNS servers
that can yield information such as host names, mail servers, administrative contacts (from
the SOA record), and IP addresses of potential target systems. There are a lot of tools that
can be used to gain information for performing DNS enumeration, for example nslookup, dig,
DNSstuff, and whois queries against the regional Internet registries (ARIN for North
America). To enumerate DNS, you must understand DNS and how it works.
The list of DNS record types provides an overview of the resource records (database
records) stored in the zone files of the Domain Name System (DNS). The DNS implements a
distributed, hierarchical, and redundant database for information associated with Internet
domain names and addresses. In these domain servers, different record types are used for
different purposes. The following list describes the common DNS record types and their
use:
A (address): Maps a host name to an IPv4 address
SOA (Start of Authority): Identifies the primary DNS server responsible for the zone and
the administrator's contact address
CNAME (canonical name): Provides additional names or aliases for the address record
MX (mail exchange): Identifies the mail servers for the domain
SRV (service): Identifies services such as directory services (LDAP, Kerberos)
PTR (pointer): Maps IP addresses to host names (reverse lookup)
NS (name server): Identifies the name servers authoritative for the domain

DNS Zone Transfer (AXFR) is typically used to replicate DNS data across a number of DNS
servers, or to back up DNS files. A user or server performs a zone transfer request against
a name server; if the name server allows zone transfers from that client, all the DNS names
and IP addresses it hosts for the zone are returned in one response, which is an attacker's
complete map of the zone. Name servers should therefore allow AXFR only from their own
secondaries (by IP address and, preferably, TSIG key), and a pen test should check every
authoritative server, since a secondary is often less strictly configured than the primary.
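A worked example of the DNS wire format and of the zone transfer check, added here and not part of the original notes: it builds the query that dig axfr sends, parses a reply (including name compression and A, NS, MX, CNAME, SOA rdata), and decides from the reply whether the server allowed the transfer. The zone contents, names and addresses are constructed sample data in the documentation ranges.

```python
import struct

RR_TYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15, "SRV": 33, "AXFR": 252}
TYPE_NAMES = {v: k for k, v in RR_TYPES.items()}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Dotted name -> DNS label sequence (no compression)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def decode_name(msg, off):
    """Read a possibly compressed name at off; return (name, offset after the field)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:             # pointer: 14-bit offset elsewhere in msg
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if end is not None else off)


def build_query(name, qtype, txid=0x1234):
    """Header (RD set) + one question. AXFR goes over TCP with a 2-byte length prefix."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name)
            + struct.pack("!HH", RR_TYPES[qtype], 1))


def build_response(query, rcode, answers):
    """Constructed reply to `query`. answers: (owner, type, rdata); owner "@" uses a
    compression pointer (0xC00C) back to the question name at offset 12."""
    flags = 0x8180 | rcode                     # QR, RD, RA
    msg = query[:2] + struct.pack("!HHHHH", flags, 1, len(answers), 0, 0) + query[12:]
    for owner, rtype, rdata in answers:
        msg += b"\xC0\x0C" if owner == "@" else encode_name(owner)
        msg += struct.pack("!HHIH", RR_TYPES[rtype], 1, 3600, len(rdata)) + rdata
    return msg


def parse_response(msg):
    """Return (rcode, [(owner, type, value)]) for the answer section."""
    _, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = decode_name(msg, off)[1] + 4     # skip question name + qtype/qclass
    records = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1:
            value = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype in (2, 5, 12):              # NS, CNAME, PTR: a single name
            value = decode_name(msg, off)[0]
        elif rtype == 15:                      # MX: preference + name
            value = f"{struct.unpack_from('!H', msg, off)[0]} {decode_name(msg, off + 2)[0]}"
        elif rtype == 6:                       # SOA: primary server + contact mailbox
            mname, o = decode_name(msg, off)
            value = f"{mname} {decode_name(msg, o)[0]}"
        else:
            value = msg[off:off + rdlen].hex()
        records.append((owner, TYPE_NAMES.get(rtype, str(rtype)), value))
        off += rdlen
    return RCODES.get(flags & 0xF, str(flags & 0xF)), records


def zone_transfer_allowed(msg):
    """A successful AXFR is NOERROR with the zone bracketed by two SOA records;
    a server that refuses answers REFUSED/NOTAUTH with an empty answer section."""
    rcode, records = parse_response(msg)
    return rcode == "NOERROR" and len(records) >= 2 and records[0][1] == records[-1][1] == "SOA"


# Constructed sample zone (example.com / 192.0.2.x are documentation values, not real).
_SOA = (encode_name("ns1.example.com") + encode_name("hostmaster.example.com")
        + struct.pack("!IIIII", 2024010101, 3600, 900, 604800, 86400))
AXFR_QUERY = build_query("example.com", "AXFR")
SAMPLE_AXFR = build_response(AXFR_QUERY, 0, [
    ("@", "SOA", _SOA), ("@", "NS", encode_name("ns1.example.com")),
    ("ns1.example.com", "A", bytes([192, 0, 2, 53])),
    ("@", "MX", struct.pack("!H", 10) + encode_name("mail.example.com")),
    ("mail.example.com", "A", bytes([192, 0, 2, 25])),
    ("vpn.example.com", "CNAME", encode_name("gw.example.com")), ("@", "SOA", _SOA),
])
SAMPLE_REFUSED = build_response(AXFR_QUERY, 5, [])

if __name__ == "__main__":
    for sample in (SAMPLE_AXFR, SAMPLE_REFUSED):
        rcode, records = parse_response(sample)
        print(rcode, "- zone transfer allowed:", zone_transfer_allowed(sample))
        for owner, rtype, value in records:
            print(f"  {owner:<20} {rtype:<6} {value}")
```

To run the check live, send build_query(zone, "AXFR") to each authoritative server over TCP 53 with the 2-byte length prefix and feed the reply (minus its prefix) to zone_transfer_allowed(); dig axfr does exactly this exchange.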


TFTP Enumeration
Trivial File Transfer Protocol (TFTP) runs on UDP port 69. It is a simple, lock-step
file transfer protocol which allows a client to get or put a file onto a remote host. One of its
primary uses is in the early stages of nodes booting from a Local Area Network. TFTP has
been used for this application because it is very simple to implement. It has no
authentication, so it may allow download of sensitive files (e.g., /etc/passwd, /etc/shadow,
network device configuration files, etc.) to anyone who can guess the file name.
Countermeasures
Turn off, if possible
Wrap in a TCP wrapper (or host firewall rule) to restrict access
Limit access to the /tftpboot/ directory
Block port 69/udp at the border firewall

HTTP Enumeration
Hyper Text Transfer Protocol runs on TCP port 80 (HTTPS on 443). While enumerating,
the allowed HTTP methods can be found out (an OPTIONS request lists them; PUT, DELETE,
and TRACE are of particular interest), the Server header reveals the software and version,
and web pages can be downloaded for offline viewing.
Countermeasures

Change the banner (Server header) and disable features that are not necessary; on older
IIS versions the IIS Lockdown tool automated this, and newer IIS releases ship with most
features disabled by default.

MSRPC Enumeration
Microsoft Remote Procedure Call (MSRPC) runs on TCP 135, where the endpoint mapper
acts as the Windows counterpart of the Unix portmapper. Querying it gives a list of RPC
services (interfaces) with version and IP/protocol/port info. The following tool can be
used for enumerating MSRPC: the Winfingerprint tool (sourceforge); rpcdump and Nmap's
msrpc-enum script give similar results.
Countermeasures

Restrict outside access

Require use of VPN for external access

Use OWA (Outlook Web Access) for remote mail access instead of exposing RPC

SNMP Enumeration
Simple Network Management Protocol runs on UDP 161 (the agent listens there; traps go to
UDP 162). SNMP is an "Internet-standard protocol for managing devices on IP networks".
Devices that typically support SNMP include routers, switches, servers, workstations,
printers, modem racks and more. SNMPv1 and v2c authenticate with a community string
sent in clear text, so a guessed or default community gives read (and sometimes write)
access to the device's entire MIB.
Countermeasures

Remove or disable SNMP agents on hosts

Use hard-to-guess community names (NOT public or private), and give write access its own
community

Block port 161/udp at all perimeter network access devices

Restrict access to specific management IP addresses

Use SNMPv3 (authentication and encryption instead of community strings)

On Windows, set the SNMP service's permitted managers and registry ACLs so that only
authorized hosts can query it

FINGER Enumeration
Finger runs on TCP/UDP port 79. It reveals logged-in users, idle times, and user information
taken from public files (the GECOS field, .plan and .project).
Countermeasures

Turn off

Block port 79

Restrict access

Restrict the information given

Vulnerability Scanners
Vulnerability scanners are automated tools that scan hosts and web applications for
known security vulnerabilities: missing patches, weak configurations and default
credentials on the host side, and cross-site scripting, SQL injection, command execution,
directory traversal and insecure server configuration on the web application side. A large
number of both commercial and open source tools are available, and all these tools have
their own strengths and weaknesses; their output still has to be verified by hand, since
they report false positives.
The following tools can be used for Enumeration:

NMAP
Methodology

Perform scans to find hosts with NetBIOS/SMB ports open (135, 137-139, 445)
Do an nbtstat scan to find generic information (computer names, user names, MAC
addresses) on the hosts.
Create a Null Session to these hosts to gain more information

Perform an nmap -O scan for OS detection

Run the command nbtstat -A <IPAddress>
In the command prompt, type net use \\X.X.X.X\IPC$ "" /u:"" (where X.X.X.X is the address of
the host machine, and there are no spaces between the double quotes).
Confirm it by issuing a general net use command to see connected null sessions from your
host. Modern Windows versions restrict what a null session may enumerate (the
RestrictAnonymous settings), so even when the connection succeeds the account and share
listing may be refused; a null session that does return them is itself a finding.
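The nbtstat -A step above, as an added example that is not part of the original notes: it builds the NetBIOS node status request that nbtstat sends to UDP/137, parses the reply into the name table (with the <00>/<03>/<20>/<1C> suffixes that identify workstations, logged-on users, file servers and domain controllers) and the adapter MAC, and derives the facts an enumerator records. The sample reply, host names and MAC are constructed; query_node_status() shows how the same request goes to a live host.

```python
import socket
import struct

NBSTAT = 0x0021          # NetBIOS NODE STATUS question/resource-record type
SUFFIXES = {             # (suffix byte, is_group) -> what the registered name means
    (0x00, False): "Workstation service", (0x00, True): "Domain/workgroup name",
    (0x03, False): "Messenger service (computer or logged-on user)",
    (0x20, False): "File server service", (0x1B, False): "Domain master browser",
    (0x1C, True): "Domain controllers", (0x1D, False): "Master browser",
    (0x1E, True): "Browser service elections",
}


def encode_nb_name(name, suffix):
    """First-level encoding (RFC 1001): pad to 15 chars + suffix byte, then write each
    nibble as a letter 'A'..'P'. The wildcard '*' is NUL-padded instead."""
    raw = b"*" + b"\x00" * 15 if name == "*" else name.upper().ljust(15).encode() + bytes([suffix])
    encoded = b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw)
    return bytes([len(encoded)]) + encoded + b"\x00"


def build_node_status_request(txid=0x1337):
    """The datagram 'nbtstat -A <ip>' sends to UDP/137: a NBSTAT query for '*'."""
    return (struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_nb_name("*", 0)
            + struct.pack("!HH", NBSTAT, 1))


def parse_node_status(msg):
    """Parse a NODE STATUS RESPONSE into ([(name, suffix, is_group, is_active)], mac)."""
    _, _, qd, _, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12 + qd * 38 + 34                 # skip any echoed question, then the RR name
    rtype, _, _, _ = struct.unpack_from("!HHIH", msg, off)
    if rtype != NBSTAT:
        raise ValueError("not a node status response")
    off += 10
    count, off = msg[off], off + 1
    names = []
    for _ in range(count):
        raw, suffix, flags = struct.unpack_from("!15sBH", msg, off)
        names.append((raw.decode("ascii", "replace").rstrip(), suffix,
                      bool(flags & 0x8000), bool(flags & 0x0400)))   # G bit, ACT bit
        off += 18
    mac = ":".join(f"{b:02x}" for b in msg[off:off + 6])            # unit ID = adapter MAC
    return names, mac


def nbtstat_report(msg):
    """What an enumerator records from one reply: computer, domain, roles, logged-on users."""
    names, mac = parse_node_status(msg)
    computers = {n for n, s, g, _ in names if s == 0x00 and not g}
    return {
        "mac": mac,
        "computers": sorted(computers),
        "domains": sorted({n for n, s, g, _ in names if s == 0x00 and g}),
        "domain_controller": any(s == 0x1C and g for _, s, g, _ in names),
        "file_server": any(s == 0x20 and not g for _, s, g, _ in names),
        "users": sorted(n for n, s, g, _ in names if s == 0x03 and not g and n not in computers),
        "table": [f"{n:<15} <{s:02X}>  {'GROUP ' if g else 'UNIQUE'}  {SUFFIXES.get((s, g), '?')}"
                  for n, s, g, _ in names],
    }


def query_node_status(ip, timeout=2.0):
    """Send the request to a live host and parse the reply (needs network; not run offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_request(), (ip, 137))
        return parse_node_status(s.recvfrom(4096)[0])


def build_node_status_response(txid, names, mac):
    """Constructed reply, so the parser can be exercised without a Windows host."""
    rdata = bytes([len(names)])
    for name, suffix, group, active in names:
        flags = (0x8000 if group else 0) | (0x0400 if active else 0)
        rdata += name.upper().ljust(15).encode() + bytes([suffix]) + struct.pack("!H", flags)
    rdata += mac + b"\x00" * 40             # statistics block: unit ID then counters
    return (struct.pack("!HHHHHH", txid, 0x8400, 0, 1, 0, 0) + encode_nb_name("*", 0)
            + struct.pack("!HHIH", NBSTAT, 1, 0, len(rdata)) + rdata)


# Constructed sample: a domain controller DC01 in domain CORP with ADMIN logged on.
SAMPLE_RESPONSE = build_node_status_response(0x1337, [
    ("DC01", 0x00, False, True), ("CORP", 0x00, True, True), ("DC01", 0x20, False, True),
    ("CORP", 0x1C, True, True), ("CORP", 0x1B, False, True), ("CORP", 0x1E, True, True),
    ("DC01", 0x03, False, True), ("ADMIN", 0x03, False, True),
], bytes.fromhex("001122aabbcc"))

if __name__ == "__main__":
    report = nbtstat_report(SAMPLE_RESPONSE)
    print("\n".join(report["table"]))
    print("MAC", report["mac"], "| users:", report["users"], "| DC:", report["domain_controller"])
```

The <03> entries are the interesting ones: a unique <03> name that is not also registered as a <00> computer name is a logged-on user, which is exactly the "user names" column of the methodology above.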

SuperScan
SuperScan is a TCP port scanner, pinger, and resolver. The tool's features include extensive
Windows host enumeration capability, TCP SYN scanning, and UDP scanning.
Methodology
Perform a NetBIOS enumeration. NetBIOS enumeration is carried out to obtain:
List of computers that belong to a domain
List of shares on the individual hosts on the network
Find out Policies and passwords
Overview of NetBIOS Enumeration
1. The purpose of NetBIOS enumeration is to gather information, such as:
a. Account lockout threshold
b. Local groups and user accounts
c. Global groups and user accounts
2. Restrict anonymous bypass routine and also password checking:
a. Checks for user accounts with blank passwords
b. Checks for user accounts with passwords that are same as the Usernames in
lower case.
SuperScan results comprise the following enumeration types:
Null Session
MAC Address
Workstation Type
Users
Groups
Domain
Account Policies
Registry

Enumerating NetBIOS Using the NetBIOS Enumerator Tool

This tool scans a range of IP addresses for the following:
Machine Name
NetBIOS Names
User Name
Domain
MAC Address
Round Trip Time (RTT)

Enumerating a Network Using SoftPerfect Network Scanner


SoftPerfect Network Scanner is a free multi-threaded IP, NetBIOS, and SNMP
scanner with a modern interface and many advanced features.
NetBIOS enumeration is carried out to detect:
Hardware MAC addresses across routers
Hidden shared folders and writable ones
Internal and external IP address
This tool scans a range of IP addresses for the following:
IP Address
Host Names
MAC Address
Response Time

Enumerating a Network Using the SolarWinds Toolset

The SolarWinds Toolset provides the tools you need as a network engineer or
network consultant to get your job done. The toolset includes best-of-breed solutions that
work simply and precisely, providing the diagnostic, performance, and bandwidth
measurements you want, without extraneous, unnecessary features.
SolarWinds scans an IP address for the following:
Interfaces
Services
Accounts
Shares
Hub Ports
TCP/IP Network
Routes

Enumerating the System Using Hyena

Hyena uses an Explorer-style interface for operations, including right mouse click
popup context menus for all objects. Management of users, groups (both local and global),
shares, domains, computers, services, devices, events, files, printers and print jobs,
sessions, open files, disk space, user rights, messaging, exporting, job scheduling, processes,
and printing are all supported.
This tool helps in the following:
Users information in the system
Services running in the system
Local Connections
Users
Local Group
Shares
Sessions
Services
Events
User Rights
Performance
Registry
