Hi Medium! This is the Enumeration part.
In this chapter we are going to discover the following topics:

  • Why Enumeration?
  • Enumeration techniques
  • Enumeration Tools on Linux and Windows
  • Summary


The most important phase before attacking a target is “Reconnaissance”.The more effort the attacker put in during this phase the more likely he guarantee the attack success. Before the weaponization phase (gaining access) there are 4 phases in reconnaissance:

  1. Scanning
  2. Enumeration
  3. Vulnerability assessment.

During the enumeration phase, the attacker creates an active connection with the target and tries to gain information about it, these pieces of information will help him to identify a system attack point that will help to accomplish the vulnerability assessment phase. We should not confuse between this phase and the phase where we conduct information gathering about servers and operating systems running on them.

Enumeration is defined as the process of helping the attacker to collect information about:

  • Shares
  • Users, groups
  • Machine names
  • Routing tables
  • Applications and banners
  • Auditing and service settings
  • SNMP and DNS details.

1. Why Enumeration?

As I said in the previous section, the enumeration is one of the important steps. It helps us to identify the vulnerabilities present in the target system. this information will help us to set our strategy and our future steps to succeed in our attack easily and effectively.

2. Enumeration techniques

There are too many different techniques used for enumeration. We are going to explore the most used and adequate ones. During the phase before “scanning”, we already knew what ports are open so partially we know what we are going to enumerate:

+ Extracting usernames using email ID:

If an attacker can extract email ID’s using different techniques he can automatically get usernames, most of the companies give their users’ special emails, for example, we take the company name “XYZ”, and a worker name “David Alex“, his email will be: david.alex@XYZ.com. Automatically all worker emails will be in the same form and we will extract worker names in one click.

+ Extract information using the default password:

Now we have usernames, it’s just the time to try a default password. Most of the users are too lazy and don’t make the effort to create a new password every 3 months, so they automatically use their username or they just add their year of birth for example, and such information can be found on social media. We should not forget network devices like routers, servers, and switches when trying to identify default passwords.

+ Brute Force Active Directory:

Active Directory is one of the important and primary targets for an attacker; the Active directory is a centralized service that provides identification and authentication for network devices using windows. Having access to this server can partially cover a big part of the Enumeration phase.

Brute force attacks on a server can probably be stopped by security devices. That’s why this attack should be fully educated; in most cases, the attacker would brute force the Active directory using a dictionary.

+ Extract information from LDAP (TCP/UDP 389)

Lightweight Directory Access Protocol is an application protocol that allows the sharing of information on the network; this protocol can be useful as a central place to store usernames and passwords that will help the different applications to connect to LDAP in order to validate users. Such a protocol will help us to gather information about users, systems, networks, services, and applications throughout the network.

+ Global Catalog Service

In a network where we found several Active Directory services, the Global Catalog Service is a central directory automatically built on the basis of partial copies of information from the various directories. Global Catalog Service can provide users’ information and the most searchable catalog of all objects in every domain.

+ Extract usernames using SNMP (UDP 161) (SNMP trap 162)

Simple Network Management Protocol is an internet standard to collect and organize information about all the managed devices in the network, where the attacker can find all log data stored in the SNMP management server or he can scan the SNMP trap alert messages sent over the network that holds information about devices status.SNMP gathers too much information like usernames, Managed Device, and Network Management System.

+ Extract information using DNS Zone transfer (TCP 53)

DNS Zone transfer is an operation between primary and secondary DNS servers in order to synchronize the records for a domain, those transfers can give the attacker information about the internal topology of the network.

+ Extract information using SMTP (TCP 25)

Simple Mail Transfer Protocol is an internet standard for email transmission that can be found in most infrastructures, this will help us to enumerate user names.

+ Extract information using SMB (TCP 139)

Server Message Block is a protocol that helps us to share files in the LAN between windows devices. Such protocol helps to enumerate IP address, NetBIOS computer name, services available, logged in username, and MAC addresses.

+ Extract information using Microsoft RPC Endpoint Mapper (TCP 135)

Microsoft Remote Procedure manages most of the processes related to network protocols and communication, which will help us to enumerate a list of all registered programs, the RPC program number, supported version numbers, port number and protocol, and program’s name.

+ Extract information using NetBIOS Name Service NBNS (TCP 137)

It’s a service used by Windows Internet Name Service who is responsible for establishing session connections between different windows devices on the network, this service maintains a database that holds hostnames and the corresponding IP address. NBNS doesn’t support IPv6.

+ Extract information using NTP Enumeration (UDP 123)

Network Time Protocol is responsible for clock synchronization between computer systems and trusted time servers. This technique may provide valuable information as a list of connected hosts to the NTP server, clients' IP addresses as their system names and OSs, internal IPs if the NTP server is in the DMZ (demilitarized zone).

3. Enumeration Tools on Linux and Windows

In this section, we will talk about most tools used for enumeration and we will identify their uses:

+ SMTP Enumeration

- NetScanTools Pro, a windows tool with a graphic interface, is an Email Generator and Email relay testing tool.

- SMTP-user-enum it’s a tool that enumerates OS-level user accounts on Solaris via the SMTP service.

- Metasploit offers an “auxiliary/scanner/SMTP/smtp_enum” module that helps to enumerate usernames.

+ NetBIOS Enumeration

- Nbtstat is a tool in Windows that displays protocols’ statistics, NetBIOS name tables, and name cache.

- SuperScan is a tool in Windows that scans ports and resolves hostnames.

- Hyana is a tool that shows user login names for Windows servers and domain controllers.

- Net view: a command-line tool to identify shared resources on a network

+ SNMP Enumeration

- Rory McCune’s snmpwalk wrapper script helps automate the username enumeration process for SNMPv3.

- OpUtils it’s a tool for Windows and Linux that helps to monitor, diagnose, and troubleshoot IT resources.

- SNMP-check allows enumerating the SNMP devices and places the output in a human-readable format.

+ LDAP Enumeration

- LDAP Admin Tool or JXplorer: is a cross-platform LDAP browser and editor can be used to search, read and edit any standard LDAP directory, can be used on Linux, Windows, and many different OS.

- Windapsearch is a Python script to help enumerate users, groups, and computers from a Windows domain through LDAP queries

+ NTP Enumeration

- ntptrace command on Linux to trace a chain of NTP servers

- ntpdc — ntpq command on Linux to monitor the operation of the NTP daemon.

+ DNS Enumeration

- NSlookup one of the oldest DNS querying tools to obtain a domain name, IP address mapping, and another DNS record.

- host or dig (domain information groper) are commands on Linux that helps to query DNS Server and perform a DNS lookup.

+ SMB enumeration

- SMBMap allows users to enumerate share drives across an entire domain.

+ Other Enumeration tools can be helpful on Kali

- The harvester gathers emails, subdomains, hosts, employee names, open ports, and banners from different public sources like PGP key servers and SHODAN.

- Enum4linux is a tool to enumerate information from Windows and Samba systems.

- Devploit is a simple python script for Information Gathering.

- Red Hawk v2 is an all in one tool for Information Gathering.

- Metagoofil is a tool that utilizes the Google search engine to get metadata from the documents available in the target domain.


This chapter was a lightweight overview of the enumeration process. We started introducing the importance of enumeration we listed the different Enumeration techniques. Later we dived into specifying the different tools that we can use to attend to our objectives.