ENUMERATION
Enumeration Concepts
Enumeration is phase 3 of penetration testing or ethical hacking. It is the process of gaining
complete access to the system by exploiting the vulnerabilities identified in the first two phases.
● In the enumeration phase, the attacker creates active connections to the system and performs
directed queries to gain more information.
● The attacker uses this information to identify system attack points and perform password attacks.
● Enumeration is conducted in an intranet environment.
Enumeration Classification
Techniques for Enumeration
● Extract user names using email IDs
● Extract user names using SNMP
● Extract user groups from Windows
● Extract information using default passwords
● Brute force Active Directory
● Extract information using DNS zone transfer
Popular Ports to Enumerate
NetBIOS Enumeration
❏ A NetBIOS name is a unique 16-character ASCII string used to identify network devices (15
characters are the device name; the 16th is reserved for the service or name record type).
❏ The nbtstat utility displays NetBIOS over TCP/IP protocol statistics and the NetBIOS name tables/cache.
❏ Attackers use enumeration tools to obtain:
● A list of computers that belong to a domain.
● A list of shares on the individual hosts in the network.
● Policies and passwords.
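The 15+1 byte layout described above is easier to reason about in code. The following is an added example, not part of the course notes: it builds and parses the 16-byte NetBIOS name, and applies the RFC 1001 first-level encoding (each nibble mapped to a letter A..P) that NetBIOS name queries carry on the wire. The suffix table holds the well-known service suffix values; the device name "FILESRV01" is a constructed sample.

```python
"""NetBIOS name layout and RFC 1001 first-level encoding (added example)."""
from typing import Dict

# Well-known values of the 16th byte (the service / name record type suffix).
SUFFIXES: Dict[int, str] = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x06: "RAS Server Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections",
    0x20: "File Server Service",
}


def build_netbios_name(device_name: str, suffix: int) -> bytes:
    """Return the 16-byte NetBIOS name: up to 15 characters, space padded, plus the suffix byte."""
    if not 1 <= len(device_name) <= 15:
        raise ValueError("device name must be 1-15 characters")
    if not 0 <= suffix <= 0xFF:
        raise ValueError("suffix must be a single byte")
    return device_name.upper().ljust(15).encode("ascii") + bytes([suffix])


def parse_netbios_name(raw: bytes) -> Dict[str, object]:
    """Split a 16-byte NetBIOS name into its device name and suffix byte."""
    if len(raw) != 16:
        raise ValueError("a NetBIOS name is exactly 16 bytes")
    suffix = raw[15]
    # Names are space padded; the wildcard name is NUL padded, so strip both.
    name = raw[:15].decode("ascii", errors="replace").rstrip(" \x00")
    return {"name": name, "suffix": suffix, "service": SUFFIXES.get(suffix, "unknown")}


def first_level_encode(raw: bytes) -> str:
    """RFC 1001 first-level encoding: each nibble becomes a letter in A..P (16 bytes -> 32 letters)."""
    return "".join(chr(ord("A") + (b >> 4)) + chr(ord("A") + (b & 0x0F)) for b in raw)


def first_level_decode(encoded: str) -> bytes:
    """Inverse of first_level_encode; rejects letters outside A..P."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS names are exactly 32 letters")
    out = bytearray()
    for hi, lo in zip(encoded[0::2], encoded[1::2]):
        h, l = ord(hi) - ord("A"), ord(lo) - ord("A")
        if not (0 <= h <= 15 and 0 <= l <= 15):
            raise ValueError("invalid first-level encoding")
        out.append((h << 4) | l)
    return bytes(out)


# The wildcard name ("*" followed by fifteen NUL bytes) used in NetBIOS node status queries.
WILDCARD = b"*" + b"\x00" * 15

if __name__ == "__main__":
    raw = build_netbios_name("FILESRV01", 0x20)  # constructed sample host
    print(raw, parse_netbios_name(raw))
    print(first_level_encode(WILDCARD))
```

Seeing the encoded wildcard name in a packet capture or IDS alert (it starts with "CK" followed by thirty "A"s) is a useful signature for node status queries, which is what the enumeration tools mentioned above send.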
SNMP Enumeration
❖ SNMP enumeration is the process of enumerating user accounts and devices on a target system using SNMP.
❖ SNMP consists of a manager and agents. Agents are embedded in network devices; the manager is installed
on a separate computer.
❖ SNMP has two passwords (community strings).
❖ Attackers use default community strings to extract information.
❖ They use it to extract information about network resources such as hosts, routers, devices, and shares.
➔ Management Information Base (MIB)
The MIB is a virtual database containing a formal description of all the network objects managed using SNMP.
SNMP contains two passwords that you can use for configuring as well as for accessing the SNMP
agent from the management station. The two SNMP passwords are:
● Read community string: the configuration of the device or system can be viewed with the help of this
password. By default this string is "public".
● Read/write community string: the configuration of the device can be changed or edited using this
password. By default this string is "private".
● When the community strings are left at the default setting, attackers take the opportunity to
find the loopholes in it.
● Then, the attacker can use these default passwords to change or view the configuration
of the device or system.
● Attackers enumerate SNMP to extract information about network resources such as hosts,
routers, devices, shares, etc., and network information such as ARP tables, routing tables,
device-specific information, and traffic statistics.
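The weakness above is a configuration one, so it can be audited from the agent's configuration file. The following is an added example, not from the course notes: it scans net-snmp `rocommunity`/`rwcommunity` directives in an `snmpd.conf` and flags default community strings, read/write access and missing source restrictions. Both configuration texts are constructed samples; the hardened one uses an SNMPv3 `createUser`/`rouser` pair with placeholder passphrases.

```python
"""Audit net-snmp style snmpd.conf community directives (added example)."""
import re
from dataclasses import dataclass
from typing import List

# Factory-default community strings that attackers try first.
DEFAULT_COMMUNITIES = {"public", "private"}
MIN_COMMUNITY_LENGTH = 12

# Constructed sample: the factory-style settings the notes warn about.
WEAK_CONF = """
# read-only and read/write communities left at their defaults, reachable from anywhere
rocommunity public
rwcommunity private
"""

# Constructed sample: a long read-only community restricted to one monitoring host,
# no read/write community, and SNMPv3 with authentication and privacy for everything else.
HARDENED_CONF = """
rocommunity Xq9vL2mNp4rT8w 192.0.2.10
createUser monitor SHA "placeholder-auth-passphrase" AES "placeholder-priv-passphrase"
rouser monitor priv
"""


@dataclass
class Finding:
    line: str
    severity: str
    reason: str


# rocommunity|rwcommunity COMMUNITY [SOURCE [OID]]  (net-snmp snmpd.conf syntax)
DIRECTIVE = re.compile(
    r"^\s*(?P<kind>r[ow]community6?)\s+(?P<community>\S+)(?:\s+(?P<source>\S+))?", re.I
)


def audit_snmpd_conf(text: str) -> List[Finding]:
    """Return one Finding per weakness found in community directives."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if not m:
            continue  # comments, blank lines and non-community directives
        kind = m.group("kind").lower()
        community = m.group("community")
        source = m.group("source")
        stripped = line.strip()
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(Finding(stripped, "high", f"default community string '{community}'"))
        elif len(community) < MIN_COMMUNITY_LENGTH:
            findings.append(Finding(stripped, "medium", "short community string is easy to guess"))
        if kind.startswith("rw"):
            findings.append(Finding(stripped, "high", "read/write community allows configuration changes"))
        if source is None or source.lower() == "default":
            findings.append(Finding(stripped, "medium", "no source restriction: any host can use this community"))
    return findings


if __name__ == "__main__":
    for conf in (WEAK_CONF, HARDENED_CONF):
        for f in audit_snmpd_conf(conf):
            print(f.severity.upper(), f.reason, "::", f.line)
        print("---")
```

The regex only understands the `rocommunity`/`rwcommunity` directive family; the `com2sec`/`group`/`access` form of the same configuration would need a second pattern.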
LDAP Enumeration
● The Lightweight Directory Access Protocol (LDAP) is used to access directory listings within
Active Directory or from other directory services.
● It usually runs on port 389.
● The LDAP service can be queried anonymously.
● The query will disclose sensitive information such as user names, addresses, departmental details,
server names, etc., which an attacker can use to launch an attack.
Enumeration using Default password
Enumeration using Email id
Email IDs customarily contain two parts: user name and domain name. The characters preceding the @
symbol are the user name, which attackers can use to guess valid users through a brute force
attack and also using Email Tracker Pro.
Tracing an email using its header can reveal the following information:
1. Destination and sender's IP address.
2. Sender's mail server.
3. Time and date information.
4. Authentication system information of the sender's mail server.
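The four items above all live in the `Received:` and `Authentication-Results:` headers. The following is an added example, not from the course notes or from Email Tracker Pro: it parses a constructed sample message, orders the relay hops chronologically (each relay prepends its own header, so the bottom one is the first hop), and pulls out the originating IP, the sender's mail server, the timestamps and the SPF/DKIM/DMARC results. Hostnames and addresses in the sample are documentation values, not real systems.

```python
"""Trace an email's path from its Received headers (added example)."""
import email
import re
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

# Constructed sample message; hosts and addresses are documentation examples.
RAW_EMAIL = """\
Received: from mail.example.net (mail.example.net [198.51.100.7])
\tby mx.example.com (Postfix) with ESMTPS id 4ABC123
\tfor <alice@example.com>; Tue, 5 Mar 2024 10:15:02 +0000
Received: from laptop.internal (unknown [203.0.113.45])
\tby mail.example.net (Postfix) with ESMTPSA id 9XYZ789
\tfor <alice@example.com>; Tue, 5 Mar 2024 10:14:58 +0000
Authentication-Results: mx.example.com;
\tspf=pass smtp.mailfrom=bob@example.net;
\tdkim=pass header.d=example.net;
\tdmarc=pass header.from=example.net
From: bob@example.net
To: alice@example.com
Subject: constructed sample
Date: Tue, 5 Mar 2024 10:14:55 +0000

Hello Alice.
"""

# "from HOST (... [IP]) by HOST" is the common shape of a Received header.
HOP = re.compile(
    r"from\s+(?P<from>\S+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(?P<by>\S+)",
    re.I | re.S,
)
AUTH = re.compile(r"\b(?P<method>spf|dkim|dmarc)=(?P<result>\w+)", re.I)


def _unfold(value: str) -> str:
    """Collapse folded header continuation lines into one line."""
    return re.sub(r"\s+", " ", value).strip()


def parse_received(value: str) -> Optional[Dict[str, object]]:
    """Extract from-host, from-IP, by-host and timestamp from one Received header."""
    value = _unfold(value)
    m = HOP.search(value)
    if not m:
        return None
    # The timestamp follows the last ';' in the header.
    date_part = value.rsplit(";", 1)[-1].strip() if ";" in value else ""
    try:
        when = parsedate_to_datetime(date_part) if date_part else None
    except (TypeError, ValueError):
        when = None
    return {"from": m.group("from"), "ip": m.group("ip"), "by": m.group("by"), "when": when}


def trace_email(raw: str) -> Dict[str, object]:
    """Return hops in chronological order, origin IP, sender's mail server and auth results."""
    msg = email.message_from_string(raw)
    # Each relay prepends its Received header, so the last one in the message is the first hop.
    hops: List[Dict[str, object]] = [
        h for h in (parse_received(v) for v in reversed(msg.get_all("Received", []))) if h
    ]
    auth = {
        m.group("method").lower(): m.group("result").lower()
        for v in msg.get_all("Authentication-Results", [])
        for m in AUTH.finditer(_unfold(v))
    }
    first, last = (hops[0], hops[-1]) if hops else (None, None)
    transit = None
    if first and last and first["when"] and last["when"]:
        transit = int((last["when"] - first["when"]).total_seconds())
    return {
        "sender_ip": first["ip"] if first else None,          # originating client address
        "sender_mail_server": first["by"] if first else None,  # first server that accepted it
        "destination_server": last["by"] if last else None,
        "hops": hops,
        "auth": auth,
        "transit_seconds": transit,
    }


if __name__ == "__main__":
    for key, value in trace_email(RAW_EMAIL).items():
        print(key, value)
```

Only the headers added by your own servers are trustworthy; a sender controls everything below the first hop it did not write, so the lowest `Received:` lines can be forged, and the `Authentication-Results:` header is only meaningful when it was written by your own receiving host.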
DNS Zone Transfer Enumeration
❖ It is the process of locating the DNS server and the records of a target network.
❖ An attacker can gather valuable network information such as DNS server names, hostnames,
machine names, user names, IP addresses of potential targets, etc.
❖ In DNS zone transfer enumeration, an attacker tries to retrieve a copy of the entire zone file
for a domain from a DNS server.
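A zone transfer request is a normal DNS query of type AXFR (or IXFR for incremental transfers), so an authoritative server's query log shows every attempt. The following is an added example, not from the course notes: it runs over constructed log lines modelled on BIND 9's query log format and flags transfer requests from any address that is not a known secondary. The IP addresses are documentation ranges and the allowed-secondaries set is an assumption for the example.

```python
"""Flag zone transfer requests from hosts that are not authorised secondaries (added example)."""
import re
from typing import Dict, List, Set

# Constructed lines modelled on BIND 9's query log; addresses are documentation ranges.
SAMPLE_QUERY_LOG = """\
05-Mar-2024 10:22:31.101 client 192.0.2.2#41234 (example.com): query: example.com IN AXFR -E(0)T (192.0.2.1)
05-Mar-2024 10:22:35.417 client 203.0.113.45#53211 (example.com): query: example.com IN AXFR -E(0)T (192.0.2.1)
05-Mar-2024 10:22:36.002 client 198.51.100.9#50001 (www.example.com): query: www.example.com IN A -E(0) (192.0.2.1)
05-Mar-2024 10:22:40.250 client 203.0.113.45#53212 (example.com): query: example.com IN IXFR -E(0)T (192.0.2.1)
"""

# "<date> <time> client [@0x...] IP#PORT [(name)]: query: NAME CLASS TYPE ..."
QUERY = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@0x[0-9a-f]+ )?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+"
    r"(?: \([^)]*\))?: query: (?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+)"
)
TRANSFER_TYPES = {"AXFR", "IXFR"}


def find_unauthorised_transfers(log_text: str, allowed_secondaries: Set[str]) -> List[Dict[str, str]]:
    """Return one alert per AXFR/IXFR request whose client is not an allowed secondary."""
    alerts: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = QUERY.match(line)
        if not m or m.group("qtype").upper() not in TRANSFER_TYPES:
            continue
        if m.group("ip") in allowed_secondaries:
            continue  # a legitimate secondary pulling the zone
        alerts.append({
            "time": m.group("ts"),
            "client": m.group("ip"),
            "zone": m.group("name"),
            "qtype": m.group("qtype").upper(),
        })
    return alerts


if __name__ == "__main__":
    # Assumed: 192.0.2.2 is the only secondary for example.com.
    for alert in find_unauthorised_transfers(SAMPLE_QUERY_LOG, {"192.0.2.2"}):
        print(alert)
```

Whether such a request succeeds is decided by the server's transfer policy; in BIND that is the zone's `allow-transfer { 192.0.2.2; };` list, which should name only the secondaries. The log check above is still worth running, because repeated refused AXFR attempts from one address show that someone is enumerating the domain.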
NTP Enumeration
● NTP is a network protocol designed to synchronize clocks of networked computer systems. NTP
is important when using Directory Services.
● It uses UDP port 123 as its primary means for communication. NTP can maintain time to within
10 milliseconds (1/100 seconds) over the public Internet.
● It can achieve accuracies of 200 microseconds or better in local area networks under ideal
conditions.
● Through NTP enumeration, you can gather information such as lists of hosts connected to the NTP
server, IP addresses, system names, and OSs running on the client systems in a network.
SMTP Enumeration
SMTP enumeration allows you to determine valid users on the SMTP server. This is accomplished with
the help of three built-in SMTP commands.
The three commands are:
> VRFY - This command is used for validating users
> EXPN - This command tells the actual delivery address of aliases and mailing lists
> RCPT TO - It defines the recipients of the message
SMTP servers respond differently to VRFY, EXPN, and RCPT TO commands for valid and invalid users.
Thus, by observing the SMTP server response to these commands, one can easily determine valid users
on the SMTP server.
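The leak comes from the reply codes differing for known and unknown names. The following is an added example, not from the course notes or from any real mail server: it models the legacy response policy described above next to a hardened one, gives a check that tells whether a policy leaks, and adds a per-connection limit on rejected recipients, since RCPT TO must still refuse unknown mailboxes and can only be protected by throttling. The mailbox list, alias table and the limit of three are constructed values for the example.

```python
"""SMTP reply policies that leak valid users versus a hardened policy (added example)."""
from typing import Callable, Dict, List

# Constructed mailbox and alias data for a hypothetical example.com server.
USERS = {"alice", "bob"}
ALIASES: Dict[str, List[str]] = {"staff": ["alice@example.com", "bob@example.com"]}

Responder = Callable[[str, str], str]


def _local_part(arg: str) -> str:
    """Reduce 'VRFY <Alice@example.com>' style arguments to the mailbox name."""
    return arg.strip().strip("<>").split("@")[0].lower()


def respond_legacy(cmd: str, arg: str) -> str:
    """Distinct answers for valid and invalid names: the behaviour the notes describe."""
    user = _local_part(arg)
    if cmd == "VRFY":
        return f"250 2.1.5 {user}@example.com" if user in USERS else "550 5.1.1 User unknown"
    if cmd == "EXPN":
        return "250 " + ", ".join(ALIASES[user]) if user in ALIASES else "550 5.1.1 Unknown list"
    if cmd == "RCPT":
        return "250 2.1.5 OK" if user in USERS else "550 5.1.1 Recipient address rejected"
    return "500 5.5.1 Command unrecognized"


def respond_hardened(cmd: str, arg: str) -> str:
    """VRFY and EXPN get one fixed answer whether or not the name exists (RFC 5321 allows 252)."""
    if cmd in ("VRFY", "EXPN"):
        return "252 2.5.2 Cannot verify the address, but will attempt delivery"
    if cmd == "RCPT":
        # Unknown recipients must still be rejected (accepting them causes backscatter);
        # the session limit in SmtpSession is what stops bulk guessing through RCPT TO.
        return "250 2.1.5 OK" if _local_part(arg) in USERS else "550 5.1.1 Recipient address rejected"
    return "500 5.5.1 Command unrecognized"


def leaks_valid_users(responder: Responder, cmd: str, known: str, unknown: str) -> bool:
    """True when a known and an unknown name draw different reply codes for this command."""
    return responder(cmd, known)[:3] != responder(cmd, unknown)[:3]


class SmtpSession:
    """Counts rejected recipients on one connection and drops the client past a limit."""

    def __init__(self, responder: Responder, max_rejected_rcpt: int = 3) -> None:
        self.responder = responder
        self.max_rejected = max_rejected_rcpt
        self.rejected = 0
        self.closed = False

    def handle(self, cmd: str, arg: str) -> str:
        if self.closed:
            return "421 4.7.0 Connection closed"
        reply = self.responder(cmd, arg)
        if cmd == "RCPT" and reply.startswith("550"):
            self.rejected += 1
            if self.rejected >= self.max_rejected:
                self.closed = True
                return "421 4.7.0 Too many invalid recipients, closing connection"
        return reply


if __name__ == "__main__":
    for name, policy in (("legacy", respond_legacy), ("hardened", respond_hardened)):
        print(name, "VRFY leaks:", leaks_valid_users(policy, "VRFY", "alice", "nosuchuser"))
        print(name, "EXPN leaks:", leaks_valid_users(policy, "EXPN", "staff", "nosuchlist"))
```

On Postfix the equivalent settings are `disable_vrfy_command = yes` for the VRFY side and `smtpd_hard_error_limit` for the per-connection error cap; EXPN is not implemented there. Log review for the enumeration pattern itself looks for one client issuing many VRFY, EXPN or RCPT TO commands with distinct mailbox names in a short time.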
Enumeration Countermeasures