Enumeration is a technique used in information technology to identify and list all the elements of a system, network, or application. It is often used in penetration testing and cybersecurity assessment to gather information about a target system, such as usernames, IP addresses, and other assets. The purpose of enumeration is to identify vulnerabilities and weak points in the system, which can then be exploited by an attacker. In IT, enumeration therefore refers to the process of identifying and listing all elements of a particular system, such as user names, network hosts, IP addresses, and other resources. It is usually performed during penetration testing or ethical hacking as part of the information gathering phase. Information obtained through enumeration can be used to identify potential vulnerabilities in the system, which can then be targeted by an attacker; it can also help identify misconfigurations, unpatched systems, and other exploitable security flaws.
This is an important step in the overall security assessment process because it provides valuable information about the target system and allows more informed security decisions to be made. In the context of IT, enumeration means extracting information from a target system by actively interacting with it, for example by listing user accounts, network services, and other resources available on the system or network. Attackers use enumeration to gather information for further attacks, such as guessing passwords or finding unpatched vulnerabilities; security professionals use the same techniques to identify potential vulnerabilities and improve security measures.
Scan all machines on a given network or subnet, list all live hosts, determine the open ports on a given node, find out whether any port is restricted by a firewall, and list all services running on those ports along with their respective versions.
A machine with Windows Server 2012 or 2016, a Kali Linux machine, and another version of Windows (7, 8, 10 or Server).
You can run a ping scan in Nmap with the ping-scan option alone (-sn, called -sP in older Nmap versions) against the entire subnet. An Nmap ping scan probes every node on the subnet and lists all the hosts that are up, along with their MAC addresses and vendor/device information.
Open a new terminal window on Kali Linux and type:
First, I’ll use the ping command on a given subnet range to check which hosts are alive. The goal is to ping every single host in the given range and produce clean output: ping returns several lines of text per host, so the unnecessary information has to be stripped away until only the IP addresses remain.
We only need the second line of this output, which starts with “64 bytes (…)” and contains the IP address of the responding host.
Ping the IP 5 times;
grep the line that starts with the string “64 bytes…”;
Cut the line on spaces and take the fourth field to reach the IP string;
Use the translate command (tr) to remove the “:” character;
Export the results to a .txt file.
It is more convenient to have the user enter the first three octets and to loop over the last octet (1–254). Example input: 192.168.1. The script below is very simple: one conditional statement that validates the user input, a loop through the subnet range, and a one-line command that combines the user input with the loop variable.
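The sweep described above as an added example script (not the tutorial's own code), written for POSIX sh; it assumes a Linux ping that prints reply lines of the form "64 bytes from A.B.C.D: ...", and the hypothetical filter_sample function runs the filter over a constructed reply so the parsing step can be checked without a network:

```sh
#!/bin/sh
# Added example: /24 ping sweep built from the steps above.
# Filter: keep ping reply lines ("64 bytes from A.B.C.D: ..."), cut on spaces to
# field 4, strip the trailing ":" with tr, and drop duplicate replies. Reads stdin.
extract_ip() {
    grep '^64 bytes from ' | cut -d ' ' -f 4 | tr -d ':' | sort -u
}

# Accept only a prefix of exactly three dotted octets, each in 0-255.
valid_prefix() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 3 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Sweep PREFIX.1 .. PREFIX.254 and write the responding IPs to OUTFILE.
# -c 5 sends five probes per host as in the tutorial; -W 1 caps the wait at 1s (Linux ping).
sweep() {
    prefix="$1"; outfile="${2:-live_hosts.txt}"
    valid_prefix "$prefix" || { echo "usage: sweep A.B.C [outfile]" >&2; return 2; }
    : > "$outfile"
    i=1
    while [ "$i" -le 254 ]; do
        ping -c 5 -W 1 "$prefix.$i" 2>/dev/null | extract_ip >> "$outfile"
        i=$((i + 1))
    done
    cat "$outfile"
}

# Constructed ping output (not captured from a real host) used to show the filter.
SAMPLE_REPLY='PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.
64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=0.41 ms
64 bytes from 192.168.1.10: icmp_seq=2 ttl=64 time=0.39 ms

--- 192.168.1.10 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms'

# Runs the filter over the constructed reply; prints 192.168.1.10 exactly once.
filter_sample() {
    printf '%s\n' "$SAMPLE_REPLY" | extract_ip
}

# Sweep only when a prefix is given on the command line, e.g. ./sweep.sh 192.168.1
if [ $# -gt 0 ]; then sweep "$@"; fi
```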
Now select an IP address from the results and run a stealth SYN scan (-sS) with Nmap.
SYN scanning is the standard and most popular scanning option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network that is not hindered by intrusive firewalls.
Version detection collects information about a specific service running on an open port, including the product name and version number. This information can be critical in identifying an entry point for an attack. Nmap will perform a stealth scan with version detection (-sV) together with OS detection (-O).
-oN means: write the results in Nmap's normal output format to a text file named Enumeration.txt, saved in your home directory.
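An added example (not from the tutorial) that turns the saved Enumeration.txt into the list of open ports, services and versions the objectives ask for; it assumes the file is in Nmap's normal (-oN) format, and the hypothetical parse_sample function exercises the parser on a constructed excerpt:

```sh
#!/bin/sh
# Added example: list open ports with service and version from an Nmap normal-output
# (-oN) file such as ~/Enumeration.txt. Port-table lines look like
# "22/tcp   open  ssh     OpenSSH 7.9p1 Debian". "open|filtered" rows are skipped
# because they do not confirm a listening service.
# Output: host, port/proto, service, version (tab separated), one line per open port.
open_services() {
    awk '
        /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host) }
        /^[0-9]+\/(tcp|udp) +open +/ {
            version = ""
            for (i = 4; i <= NF; i++) version = version (i > 4 ? " " : "") $i
            printf "%s\t%s\t%s\t%s\n", host, $1, $3, version
        }
    ' "$1"
}

# Constructed -oN excerpt (not a real scan) used to exercise the parser.
SAMPLE_NMAP='Nmap scan report for 192.168.1.10
Host is up (0.0012s latency).
Not shown: 996 closed tcp ports (reset)
PORT    STATE         SERVICE      VERSION
22/tcp  open          ssh          OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp  open          http         Apache httpd 2.4.38 ((Debian))
445/tcp filtered      microsoft-ds
161/udp open|filtered snmp
MAC Address: 00:11:22:33:44:55 (Constructed)
Service Info: OS: Linux'

# Writes the sample to a temp file, parses it, and prints the two open ports.
parse_sample() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_NMAP" > "$tmp"
    open_services "$tmp"
    rm -f "$tmp"
}
```

Run `open_services ~/Enumeration.txt` on the real file; the filtered 445/tcp and the unconfirmed 161/udp rows are left out on purpose.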
The snmp_enum module in Metasploit allows you to identify and enumerate information about a device that supports Simple Network Management Protocol (SNMP). It retrieves information about the hardware, software, and network resources on the system. By default, the public community string is used for access, but read and read/write community strings can also be configured. These community strings, which serve as passwords, can be vulnerable to attacks unless administrators change them. SNMP enumeration can reveal information about network resources such as hosts, routers and devices, as well as network information such as ARP tables and routing tables.
Connected devices. Hostname and information. Domain. Equipment and storage information. Software components. General memory.
A Kali Linux machine (the attacker). Windows Server 2012 / 2016 (victim/target). Ubuntu BeeBox (victim/target).
First we need to find out if the SNMP port is open. SNMP uses port 161 by default. To verify this information, we first need to run an Nmap port scan.
There are many tools at your disposal to perform SNMP enumeration. The tutorial demonstrates two ways to do the same thing: with Metasploit and with snmp-check.
Both methods list information about the target machine and return the same exhaustive list of system information.
IP of the host
Host name
Equipment description
SNMP uptime
System uptime
Domain
MAC addresses
Running processes
User accounts
Enum4linux is a tool used to enumerate information from Windows and Samba systems. It uses a combination of methods including SMB (Server Message Block), WMI (Windows Management Instrumentation), and SNMP (Simple Network Management Protocol) to gather information about the target system, including users, groups, shares, and other system configuration information. Enum4linux is commonly used by security professionals for information gathering and intelligence during penetration testing and vulnerability assessment.
Connected devices. Hostname and information. Domain. Equipment and storage information. Software components. Common memory.
Kali Linux (attacker). Windows Server 2012 R2 (Targeted).
Enum4linux first enumerates workgroups/domains and displays all results. It then lists users with their corresponding RIDs, as shown below:
This option enumerates the target system and lists its OS details, as shown below:
This option enumerates the target system and displays all password policy information, as shown below:
This option enumerates the target system and displays Group Policy information, showing domain groups, membership, local groups, and more.
This option lists information about the share policy of the target machine.
Global Network Inventory is a software tool for network inventory and asset management. It is used to track hardware, software, and licenses on an organization’s network. This helps maintain accurate and up-to-date information about devices and assets on the network, making it easier for IT administrators to manage and monitor them. The tool can be used for network mapping, software auditing, hardware inventory and license tracking.
Advanced IP Scanner is a fast, reliable and easy-to-use network scanner for Windows. It can scan your local network as well as remote networks for a variety of devices, including Windows, Linux, and Mac computers, as well as mobile devices and printers. The scanner can get detailed information about each device, including IP address, MAC address, hostname, etc. Additionally, it can run scheduled network scans and export scan results to various file formats for easy reporting and analysis.
Hyena provides advanced Active Directory (AD) reporting with built-in tools for custom queries, filtering, object property management, advanced attribute management, and many other AD administration features.
SuperScan is a free Windows-based network scanner developed by Foundstone, now part of McAfee. It allows you to scan TCP and UDP ports on the network, detect open and closed ports, and identify the operating system and services running on the scanned devices. SuperScan has not been updated for many years and is considered obsolete; other similar tools offer more features and are updated regularly.
SoftPerfect Network Scanner is a popular and widely used network scanning tool for Windows and macOS. It is used to scan network devices, identify and detect open ports, and gather information about operating systems, hardware, and software installed on scanned devices. SoftPerfect Network Scanner also provides some advanced features, such as remote shutdown, Wake-on-LAN over the local network, and the ability to create custom reports. It is often used by network administrators and IT professionals to manage and troubleshoot network infrastructure.
Active Directory Explorer (AD Explorer) is a Windows tool developed by Microsoft that allows you to view and manage objects in an Active Directory domain. It provides a graphical user interface (GUI) that enables you to explore the hierarchical structure of the Active Directory database, view and change attribute values of Active Directory objects, and perform advanced searches of Active Directory data. AD Explorer is a powerful Active Directory domain management tool commonly used by IT professionals and system administrators to troubleshoot, maintain, and verify the security of Active Directory domains.