№3. Ethical Hacking Labs. Enumeration

12 April 2023 9 minutes Author: Endpool

IT Asset Disclosure: The Art of Enumeration

Enumeration is a technique used in information technology to identify and enumerate all possible elements or elements of a system, network, or application. It is often used in penetration testing and cybersecurity assessment to gather information about a target system, such as usernames, IP addresses, and other assets. The purpose of enumeration is to identify vulnerabilities and weak points in the system, which can then be exploited by an attacker. In IT, enumeration refers to the process of identifying and enumerating all elements of a particular system, such as user names, network hosts, IP addresses, and other resources. Enumeration is often performed during penetration testing or ethical hacking as part of the information gathering phase. Information obtained through enumeration can be used to identify potential vulnerabilities in the system, which can then be targeted by an attacker. In addition, enumeration can also help identify misconfigurations, unpatched systems, or other exploitable security flaws.

This is an important step in the overall security assessment process because it provides valuable information about the target system, allowing more informed security decisions to be made. Enumeration in the context of IT refers to the process of extracting information from a target system by actively interacting with it. This may include listing user accounts, network services, and other resources available on the system or network. Enumeration is often used by attackers as a way to gather information that can be used to launch further attacks, such as guessing passwords or finding unpatched vulnerabilities. However, it can also be used by security professionals to identify potential vulnerabilities and improve security measures.

Enumeration services

Removal of user names, network resources, shared resources and services from the system.


Scan all machines on a given network or subnet. List all live hosts. Determine open ports on a given node. Find out if any port has firewall restrictions. List all services running on the port along with their respective versions.


Machine with Windows Server 2012 or 2016. Kali Linux machine. Another version of Windows (7, 8, 10 or Server).

Ping Sweep – Nmap

You can ping scan in Nmap using only ping scan ( -sp)  for the entire subnet. A ping on Nmap will scan all the nodes on the subnet and start displaying all the up and running hosts along with their respective MAC addresses and device information.

Open a new terminal window on Kali Linux and type:

Ping Sweep – Bash

1. Check the one-line command to get only IP addresses

First, I’ll use the ping command on a given subnet range to check if the hosts are alive. The goal is to ping every single host in the given range with clean output for it. Part of the clean output is that when we use the ping command they return a bunch of strings, the goal is to remove all the unnecessary information and stick to just the IP addresses.

We only need the second line of this output, which starts with “64 bytes(…)”, which contains the IP address of the active host.

Breakdown of a one-line command (by channel):

  1. Ping the IP 5 times;

  2. grep first chars of string string (64 bytes…);

  3. Cut the spaces in 4 pieces to reach the IP string;

  4. Use the translate command to trim/remove the “:” character;

  5. Export results to a .txt file;

2. Conversion into a script

It is more convenient to accept the first three octets entered by the user, and the last octet to be a cycle (1–254). Example Input: 192.168.1 The script below is very simple, with one conditional statement to capture valid user input, a loop through the subnet range, and a one-line command that uses the user input with a loop variable.

Run a Stealth Syn Scan

Now select an IP address from the results and run a hidden synchronous scan on Nmap.

SYN scanning is the standard and most popular scanning option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network that is not hindered by intrusive firewalls.

Stealth Syn Scan with version and OS detection

Version detection collects information about a specific service running on an open port, including the product name and version number. This information can be critical in identifying an entry point for an attack Nmap will perform a hidden scan with version detection along with OS detection.

Means -oN output/export the results to a text file to be saved in your home directory called Enumeration.txt.

Using the SNMPsnmp_enum enumeration

The snmp_enum module in Metasploit allows you to identify and enumerate information about a device that supports Simple Network Management Protocol (SNMP). It retrieves information about the hardware, software, and network resources on the system. By default, the public community string is used for access, but there are also read and read/write community strings that can be configured. These community strings, which serve as passwords, can be vulnerable to attacks unless administrators change them. SNMP enumeration can reveal information about network resources such as hosts, routers and devices, as well as network information such as ARP tables, routing tables.


Connected devices. Hostname and information. Domain. Equipment and storage information. Software components. General memory.


A Kali Linux machine (the attacker). Windows Server 2012 / 2016 (victim/target). Ubuntu BeeBox (victim/target).

Check SNMP port status

First we need to find out if the SNMP port is open. SNMP uses port 161 by default. To verify this information, we first need to run an Nmap port scan.

List community string

There are many tools at your disposal to perform SNMP enumeration. The tutorial demonstrates two ways to do the same thing: with Metasploit і snmp-check .

Both methods list information about the target machine and return the same exhaustive list of system information.

These tools support the following enumerations:

  • IP of the host

  • Host name

  • Equipment description

  • SNMP runtime

  • System operation time

  • Domain

  • MAC addresses

  • Running processes

  • User accounts

Enumeration of Windows and Samba with Enum4linux

Enum4linux — is a tool used to list information from Windows and Samba systems. It uses a combination of methods including SMB (Server Message Block), WMI (Windows Management Instrumentation), and SNMP (Simple Network Management Protocol) to gather information about the target system, including users, groups, shares, and other system configuration information. Enum4linux is commonly used by security professionals for information gathering and intelligence during penetration testing and vulnerability assessment.


Connected devices. Hostname and information. Domain. Equipment and storage information. Software components Common memory.


Kali Linux (attacker). Windows Server 2012 R2 (Targeted).

Get user information

Enum4linux first starts enumerating workgroups/domains and displays all results. It lists users with corresponding RIDs as shown below:

Get information about the OS

This option lists the target system and lists its OS details as shown below:

Get information about the password policy

This option lists the target system and displays all password policy information as shown below:

Get information about the group

This option lists the target system and displays Group Policy information, showing domain groups, membership, local groups, and more.

Get Share information

This option lists information about the sharing policy of the target machine.

GUI tools for enumeration on Windows

Global network inventory

Global Network Inventory — is a software tool for network inventory and asset management. It is used to track hardware, software, and licenses on an organization’s network. This helps maintain accurate and up-to-date information about devices and assets on the network, making it easier for IT administrators to manage and monitor them. This tool can be used for network mapping, software auditing, hardware inventory and license tracking.

click here

Advanced IP Scanner

Advanced IP Scanner — a fast, reliable and easy-to-use network scanner for Windows. It can scan your local network as well as remote networks for a variety of devices, including Windows, Linux, and Mac computers, as well as mobile devices and printers. The scanner can get detailed information about each device, including IP address, MAC address, hostname, etc. Additionally, it can run scheduled network scans and export scan results to various file formats for easy reporting and analysis.

click here


Hyena — provides advanced Active Directory (AD) reporting with built-in tools for custom queries, filtering, object property management, advanced attribute management, and many other AD administration features.

click here


SuperScan — is a free Windows-based network scanner developed by Foundstone, now part of McAfee. It allows you to scan TCP and UDP ports on the network, detect open and closed ports, and identify the operating system and services running on the scanned devices. SuperScan has not been updated for many years and is considered obsolete. However, there are other similar tools that offer more features and are updated regularly.

click here

SoftPerfect NetworkScanner

SoftPerfect Network Scanner — a popular and widely used network scanning tool for Windows and macOS. It is used to scan network devices, identify and detect open ports, and gather information about operating systems, hardware, and software installed on scanned devices. SoftPerfect Network Scanner also provides some advanced features, such as remote shutdown, wake-up over a local network, and the ability to create custom reports. It is often used by network administrators and IT professionals to manage and troubleshoot network infrastructure.

click here


Провідник Active Directory (AD Explorer) — is a Windows tool developed by Microsoft that allows you to view and manage objects in an Active Directory domain. It provides a graphical user interface (GUI) that enables you to explore the hierarchical structure of the Active Directory database, view and change attribute values of Active Directory objects, and perform advanced searches of Active Directory data. AD Explorer is a powerful Active Directory domain management tool commonly used by IT professionals and system administrators to troubleshoot, maintain, and verify the security of Active Directory domains.

click here

Other related articles
Found an error?
If you find an error, take a screenshot and send it to the bot.