Enumeration Techniques Lab

Master network service enumeration and information gathering

What is Enumeration?

Enumeration is the process of extracting detailed information about network resources, shares, users, groups, and services from target systems. It goes beyond simple scanning to actively query services for valuable intelligence.

Key Difference: While scanning identifies open ports and services, enumeration extracts detailed information like usernames, shares, configurations, and system details.

Why Enumeration Matters

  • Identifies potential attack vectors through service misconfigurations
  • Reveals user accounts and group memberships for privilege escalation
  • Discovers shared resources and network topology
  • Gathers OS and application version information
  • Maps trust relationships and domain structures

Port Reference Quick Guide

Port(s)        Protocol   Role
137/udp        NetBIOS    Name Service
138/udp        NetBIOS    Datagram Service
139/tcp        NetBIOS    Session Service (SMB over NetBIOS)
445/tcp        SMB        File Sharing (direct SMB, no NetBIOS layer)
161/udp        SNMP       Agent queries (162/udp carries traps to the manager)
389/tcp        LDAP       Directory Services (636/tcp for LDAPS)
123/udp        NTP        Time Sync
2049/tcp+udp   NFS        Network File System (111/tcp+udp rpcbind locates mountd)
25/tcp         SMTP       Email Transfer

Enumeration Targets

Protocol | Information Gathered | Common Tools
NetBIOS | Computer names, workgroups, MAC addresses | nbtstat, nbtscan, nmap
SMB | Shares, users, groups, policies | smbclient, enum4linux, smbmap
SNMP | System info, network configs, routing tables | snmpwalk, snmp-check, onesixtyone
LDAP | User accounts, groups, organizational units | ldapsearch, ldapenum, AD Explorer
NTP | System time, connected clients, versions | ntpdc, ntpq, nmap
NFS | Exported shares, mount points, permissions | showmount, nfsstat, rpcinfo
SMTP | Valid email addresses, user accounts | smtp-user-enum, telnet, metasploit

Enumeration Protocols Deep Dive

Each protocol below lists the ports it uses and what enumeration against it typically yields.

NetBIOS
UDP 137 (name service), UDP 138 (datagram), TCP 139 (session)
Name and session layer under legacy Windows file and printer sharing. Reveals computer names, workgroup or domain, running services (by name suffix) and the MAC address.
SMB
TCP 445 (direct), or TCP 139 (over NetBIOS)
Server Message Block for file sharing. Enumerates shares, users, groups, password policy and OS details; always check whether a null session (no credentials) is accepted.
SNMP
UDP 161 (traps on UDP 162)
Simple Network Management Protocol. v1 and v2c authenticate with a plaintext community string; a valid read community exposes the system description, interfaces, routing and ARP tables, processes and installed software.
LDAP
TCP 389 (LDAPS on TCP 636)
Lightweight Directory Access Protocol. Queries Active Directory for users, groups and OUs. The RootDSE answers without credentials; domains that allow anonymous binds expose far more.
NTP
UDP 123
Network Time Protocol. Reveals version and OS from the system variables, configured peers, and on old daemons the recent client list (monlist).
NFS
TCP/UDP 2049 (rpcbind on 111)
Network File System. Shows exported directories, which clients may mount them and whether root is squashed.
SMTP
TCP 25
Simple Mail Transfer Protocol. Confirms user accounts through VRFY and EXPN (or RCPT TO when both are disabled).


Enumeration Methodology

Follow this systematic approach to conduct thorough and organized enumeration.

1. Network Discovery
Identify live hosts and open ports using Nmap, Masscan, or similar tools
2. Service Identification
Determine running services and versions on discovered ports
3. Protocol-Specific Enumeration
Apply targeted enumeration based on identified services (NetBIOS, SMB, SNMP, etc.)
4. Data Collection
Gather usernames, shares, configurations, and system information
5. Analysis & Documentation
Organize findings, identify vulnerabilities, and document attack surface
6. Exploitation Planning
Use enumerated data to plan targeted attacks and privilege escalation
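The six steps above form a pipeline, so here is an added example (written for this page, not part of the original lab or of nmap) covering steps 1 to 3 in code: it parses the grepable output of an nmap discovery scan and turns each identified service into the matching protocol-specific enumeration commands from the cheat sheet. The scan text, hosts and the wordlist file names (community.txt, users.txt) are constructed for the example.

```python
"""Turn an nmap grepable (-oG) scan into a per-host, protocol-specific enumeration plan."""
import re

# Commands to run for each (protocol, port) found open. "{host}" is substituted per target.
ENUM_COMMANDS = {
    ("udp", 137): ["nbtscan -r {host}", "nmap -sU -p 137 --script nbstat {host}"],
    ("tcp", 139): ["smbclient -L //{host} -N"],
    ("tcp", 445): ["smbclient -L //{host} -N", "enum4linux -a {host}", "smbmap -H {host}"],
    ("udp", 161): ["snmpwalk -v2c -c public {host}", "onesixtyone -c community.txt {host}"],
    ("tcp", 389): ['ldapsearch -x -H ldap://{host} -s base -b "" namingContexts'],
    ("udp", 123): ["ntpq -c rl {host}", "nmap -sU -p 123 --script ntp-info {host}"],
    ("tcp", 111): ["rpcinfo -p {host}"],
    ("tcp", 2049): ["showmount -e {host}"],
    ("tcp", 25): ["smtp-user-enum -M VRFY -U users.txt -t {host}"],
}

# One -oG "Ports:" entry is port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/([^/]+)/(tcp|udp)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\tIgnored State:.*)?$")


def parse_grepable(text: str) -> dict:
    """Return {ip: [(port, proto, state, service, version), ...]} for lines carrying a Ports: field."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and "Status: Up" lines carry no port data
        ip, ports_field = m.group(1), m.group(3)
        for port, state, proto, _owner, service, _rpc, version in PORT_RE.findall(ports_field):
            hosts.setdefault(ip, []).append((int(port), proto, state, service, version))
    return hosts


def plan_enumeration(hosts: dict) -> dict:
    """Map each host's open services to enumeration commands (deduplicated, in port order)."""
    plan = {}
    for ip, ports in hosts.items():
        cmds = []
        for port, proto, state, _service, _version in sorted(ports):
            # UDP services that never answer the probe show as open|filtered; still worth enumerating
            if state not in ("open", "open|filtered"):
                continue
            for template in ENUM_COMMANDS.get((proto, port), []):
                cmd = template.format(host=ip)
                if cmd not in cmds:
                    cmds.append(cmd)
        plan[ip] = cmds
    return plan


# Constructed -oG output (not from a real scan), in the layout nmap writes with -oG.
SAMPLE_SCAN = """# Nmap 7.94 scan initiated as: nmap -sS -sU -sV -p T:25,139,389,445,U:137,161 -oG - 192.168.1.0/24
Host: 192.168.1.100 ()\tStatus: Up
Host: 192.168.1.100 ()\tPorts: 139/open/tcp//netbios-ssn//Samba smbd 4/, 445/open/tcp//microsoft-ds//Samba smbd 4.13.17/, 137/open|filtered/udp//netbios-ns///, 161/open/udp//snmp//SNMPv1 server (public)/\tIgnored State: closed (2)
Host: 192.168.1.101 ()\tPorts: 25/open/tcp//smtp//Postfix smtpd/, 389/open/tcp//ldap//Microsoft Windows Active Directory LDAP/\tIgnored State: closed (4)
"""

if __name__ == "__main__":
    for ip, cmds in plan_enumeration(parse_grepable(SAMPLE_SCAN)).items():
        print(f"[{ip}]")
        for cmd in cmds:
            print("  " + cmd)
```

Feed it a real scan with `nmap ... -oG scan.gnmap` and `parse_grepable(open("scan.gnmap").read())`; the plan is a starting list, not a substitute for reading the version strings yourself.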

Best Practices

  • Start Passive: Use non-intrusive techniques before active enumeration
  • Document Everything: Keep detailed notes of commands, outputs, and findings
  • Verify Findings: Cross-reference information from multiple sources
  • Respect Scope: Only enumerate systems within authorized scope
  • Automate Wisely: Use scripts for repetitive tasks but understand each command
  • Monitor Traffic: Be aware of detection mechanisms and adjust techniques

Common Pitfalls to Avoid

  • Relying on default community strings (public/private) without trying custom wordlists
  • Ignoring null sessions and anonymous access opportunities
  • Not checking whether SMB signing is required (unsigned SMB enables relay attacks) or legacy NTLMv1 is still accepted
  • Overlooking LDAP anonymous binds in Active Directory environments
  • Failing to enumerate DNS for zone transfers and subdomain discovery

Enumeration Command Cheat Sheet

Quick reference for the most essential enumeration commands across all protocols.

NetBIOS Enumeration
nbtstat -A 192.168.1.100
Display NetBIOS name table of remote computer
nbtstat -c
Show NetBIOS name cache with IP addresses
nbtscan -r 192.168.1.0/24
Scan network range for NetBIOS information
nmap -sU -p 137 --script nbstat 192.168.1.100
Nmap NetBIOS name table via NSE (the nbstat script triggers on UDP 137, so scan it as UDP; a TCP-only scan of 137-139 will not run it)
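To show what nbtstat -A and the nbstat NSE script put on the wire, here is an added example (written for this page, not code from those tools) that builds a NetBIOS Node Status request by hand, sends it to UDP/137 and parses the name table, the group/unique flag, the service suffix and the MAC address out of the reply. The reply used offline is constructed: the host WS01, the workgroup WORKGROUP and the MAC are invented for the example.

```python
"""NetBIOS Node Status (NBSTAT) request and response parser (RFC 1002 s4.2.17/4.2.18)."""
import socket
import struct

NBSTAT = 0x0021  # RR type for Node Status
# Meaning of the 16th byte of a NetBIOS name (the suffix nbtstat shows as <00>, <20>, ...)
SUFFIXES = {
    0x00: "Workstation (unique) / Workgroup or Domain (group)",
    0x03: "Messenger service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers (group)",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections (group)",
    0x20: "File Server service",
}


def encode_name(raw16: bytes) -> bytes:
    """First-level encoding: each of the 16 name bytes becomes two nibbles, each added to 'A'."""
    assert len(raw16) == 16
    encoded = bytes(0x41 + n for b in raw16 for n in (b >> 4, b & 0x0F))
    return b"\x20" + encoded + b"\x00"  # label length 32, 32 chars, root label


def build_nbstat_query(txid: int = 0x1337) -> bytes:
    """Name-service header (1 question, no recursion) plus a NBSTAT question for the wildcard name '*'."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_name(b"*" + b"\x00" * 15) + struct.pack(">HH", NBSTAT, 0x0001)
    return header + question


def parse_nbstat_response(data: bytes) -> dict:
    """Extract the NODE_NAME entries and the unit ID (MAC) from a Node Status response."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not a name-service response carrying an answer")
    pos = 12 + 34  # skip the answer's encoded name (1 + 32 + 1 bytes)
    rtype, _rclass, _ttl, _rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
    pos += 10
    if rtype != NBSTAT:
        raise ValueError(f"unexpected RR type 0x{rtype:04x}")
    num_names, pos = data[pos], pos + 1
    names = []
    for _ in range(num_names):
        entry, pos = data[pos:pos + 18], pos + 18
        suffix = entry[15]
        name_flags = struct.unpack(">H", entry[16:18])[0]
        names.append({
            "name": entry[:15].rstrip(b" \x00").decode("ascii", "replace"),
            "suffix": suffix,
            "group": bool(name_flags & 0x8000),  # G bit set: group name, clear: unique name
            "role": SUFFIXES.get(suffix, f"unknown <{suffix:02X}>"),
        })
    mac = ":".join(f"{b:02x}" for b in data[pos:pos + 6])  # STATISTICS begins with the unit ID
    return {"txid": txid, "names": names, "mac": mac}


def nbstat(host: str, timeout: float = 2.0) -> dict:
    """Query host on UDP/137; the wire equivalent of nbtstat -A host."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_nbstat_query(), (host, 137))
        data, _ = sock.recvfrom(4096)
    return parse_nbstat_response(data)


def sample_response() -> bytes:
    """Constructed reply (not captured from a real host): WS01 <00> and <20> unique, WORKGROUP <00> group."""
    entries = [(b"WS01", 0x00, 0x0400), (b"WS01", 0x20, 0x0400), (b"WORKGROUP", 0x00, 0x8400)]
    rdata = bytes([len(entries)])
    for name, suffix, flags in entries:
        rdata += name.ljust(15) + bytes([suffix]) + struct.pack(">H", flags)
    rdata += bytes.fromhex("000c29aabbcc") + b"\x00" * 40  # unit ID (MAC), then zeroed statistics
    header = struct.pack(">HHHHHH", 0x1337, 0x8400, 0, 1, 0, 0)
    answer = encode_name(b"*" + b"\x00" * 15) + struct.pack(">HHIH", NBSTAT, 0x0001, 0, len(rdata))
    return header + answer + rdata


if __name__ == "__main__":
    import sys
    result = nbstat(sys.argv[1]) if len(sys.argv) > 1 else parse_nbstat_response(sample_response())
    for n in result["names"]:
        print(f"{n['name']:<15} <{n['suffix']:02X}> {'GROUP ' if n['group'] else 'UNIQUE'} {n['role']}")
    print("MAC:", result["mac"])
```

Run it with a target IP to query a live host, or with no argument to parse the constructed reply. The suffix table is what turns a raw name list into intelligence: a <20> entry means the host serves files, a <1C> group entry marks domain controllers.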
SMB Enumeration
smbclient -L //192.168.1.100 -N
List shares with null session
enum4linux -a 192.168.1.100
Complete SMB enumeration (users, shares, groups)
smbmap -H 192.168.1.100
Enumerate shares and permissions
net view \\192.168.1.100 /ALL
Windows command to view all shares
SNMP Enumeration
snmpwalk -v2c -c public 192.168.1.100
Walk entire MIB tree with public community string
snmp-check 192.168.1.100 -c public
Comprehensive SNMP enumeration tool
onesixtyone -c community.txt -i hosts.txt
Brute force SNMP community strings
nmap -sU -p 161 --script "snmp-*" 192.168.1.100
Nmap SNMP enumeration scripts (quote the wildcard so the shell does not expand it; the set includes snmp-brute, which guesses community strings)
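The commands above all rest on one fact: in SNMPv1 and v2c the community string is the entire authentication and travels in clear text, which is why a wordlist against UDP/161 works. The added example below (written for this page, not code from snmpwalk or onesixtyone) encodes a GetRequest for sysDescr.0 by hand, parses the GetResponse, and sweeps a list of community strings the way onesixtyone does, treating silence as a wrong guess. The sample response and the sysDescr value in it are constructed.

```python
"""Hand-built SNMPv1/v2c GetRequest, GetResponse parser and community-string sweep."""
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, otherwise 0x80|count followed by the big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(v: int) -> bytes:
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def ber_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs share one byte, the rest are base-128 with continuation bits."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_get_request(community: str, oid: str = SYS_DESCR, request_id: int = 1, version: int = 1) -> bytes:
    """Message = version (0 = v1, 1 = v2c) + community + GetRequest PDU (0xA0) with one NULL-valued varbind."""
    varbind = tlv(0x30, ber_oid(oid) + b"\x05\x00")
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(version) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf: bytes, pos: int = 0) -> tuple:
    """Return (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw: bytes) -> str:
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_value(tag: int, raw: bytes):
    if tag in (0x02, 0x41, 0x42, 0x43, 0x46):  # INTEGER, Counter32, Gauge32, TimeTicks, Counter64
        return int.from_bytes(raw, "big", signed=(tag == 0x02))
    if tag == 0x04:
        return raw.decode("utf-8", "replace")
    if tag == 0x06:
        return decode_oid(raw)
    special = {0x05: None, 0x80: "noSuchObject", 0x81: "noSuchInstance", 0x82: "endOfMibView"}
    return special.get(tag, raw.hex())


def parse_response(data: bytes) -> tuple:
    """Return (request_id, error_status, [(oid, value), ...]) from a GetResponse (PDU tag 0xA2)."""
    _, msg, _ = read_tlv(data)
    _, _version, pos = read_tlv(msg)
    _, _community, pos = read_tlv(msg, pos)
    tag, pdu, _ = read_tlv(msg, pos)
    if tag != 0xA2:
        raise ValueError(f"not a GetResponse: PDU tag 0x{tag:02x}")
    _, rid, pos = read_tlv(pdu)
    _, err, pos = read_tlv(pdu, pos)
    _, _err_index, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)
    results, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = read_tlv(varbinds, pos)
        _, oid, inner = read_tlv(vb)
        vtag, val, _ = read_tlv(vb, inner)
        results.append((decode_oid(oid), decode_value(vtag, val)))
    return int.from_bytes(rid, "big", signed=True), int.from_bytes(err, "big", signed=True), results


def sweep_communities(host: str, communities: list, timeout: float = 1.0) -> tuple:
    """Try each community for sysDescr.0 on UDP/161. Agents silently drop a wrong community,
    so a timeout means "wrong" and a well-formed GetResponse means "valid" (what onesixtyone automates)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for rid, community in enumerate(communities, start=1):
            sock.sendto(build_get_request(community, request_id=rid), (host, 161))
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                continue
            got_rid, err, varbinds = parse_response(data)
            if got_rid == rid and err == 0:
                return community, varbinds
    return None, []


def sample_response() -> bytes:
    """Constructed GetResponse (not from a real agent) to request 1, carrying a made-up sysDescr."""
    varbind = tlv(0x30, ber_oid(SYS_DESCR) + tlv(0x04, b"Linux target 5.15.0 x86_64"))
    pdu = tlv(0xA2, ber_int(1) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(1) + tlv(0x04, b"public") + pdu)


if __name__ == "__main__":
    print("GetRequest:", build_get_request("public").hex())
    print("Parsed    :", parse_response(sample_response()))
```

For a live sweep call `sweep_communities("192.168.1.100", ["public", "private", "community"])`. Because the sweep keys on request-id, a late reply to an earlier guess cannot be mistaken for a hit on the current one.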
LDAP Enumeration
ldapsearch -x -H ldap://192.168.1.100 -s base -b "" namingContexts
Anonymous (simple, unauthenticated) query of the RootDSE to learn the naming contexts (the base DN) before searching
ldapsearch -x -H ldap://192.168.1.100 -b "dc=domain,dc=com" "(objectClass=user)" sAMAccountName memberOf
Enumerate all user objects under the domain base DN (-h is deprecated in current OpenLDAP clients; pass a URI with -H)
nmap -p 389 --script ldap-search 192.168.1.100
Nmap LDAP enumeration script (try 636 as well for LDAPS; ldap-rootdse shows the domain and DC names on a domain controller)
NTP Enumeration
ntpq -c readlist 192.168.1.100
Query NTP server variables
ntpq -c peers 192.168.1.100
List NTP peer connections
ntpdc -c monlist 192.168.1.100
Show the last 600 clients that queried the server (the query abused for amplification in CVE-2013-5211; removed in ntpd 4.2.7p26, so a reply indicates an old or deliberately permissive daemon)
nmap -sU -p 123 --script ntp-info,ntp-monlist 192.168.1.100
Nmap NTP enumeration (ntp-info reads the system variables, ntp-monlist issues the monlist query)
NFS Enumeration
showmount -e 192.168.1.100
List exported NFS shares
rpcinfo -p 192.168.1.100
Query RPC services on target
nmap -p 111,2049 --script "nfs-*" 192.168.1.100
Nmap NFS scripts (nfs-showmount, nfs-ls, nfs-statfs); they need rpcbind on port 111 to locate mountd, so include it in the scan
mount -t nfs 192.168.1.100:/share /mnt/nfs
Mount discovered NFS share
SMTP Enumeration
smtp-user-enum -M VRFY -U users.txt -t 192.168.1.100
Verify user accounts via VRFY command
nmap -p 25 --script smtp-enum-users 192.168.1.100
Nmap SMTP user enumeration
telnet 192.168.1.100 25
HELO enum.lab
VRFY root
Manual SMTP user verification: 250 or 251 confirms the account, 550 means unknown, 252 means the server will not confirm either way
nc 192.168.1.100 25
EXPN all
Expand the members of a mailing list or alias (most MTAs disable EXPN; a 502 reply is the normal result)
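The telnet session above shows a single VRFY; the added example below (written for this page, not code from smtp-user-enum or any MTA) runs the full exchange, banner, HELO, one VRFY per candidate, QUIT, and classifies each reply code. It ships with a constructed stand-in MTA (the names mail.target.lab and enum.lab and the user list are invented) so the exchange can be run offline; point vrfy_users at a real host and port 25 for live use.

```python
"""SMTP user enumeration via VRFY, with a local stand-in MTA so both sides of the exchange are visible."""
import socket
import threading

# How a reply to VRFY is read (RFC 5321 s3.5.1 and s4.2)
VERDICTS = {
    250: "exists (address confirmed)",
    251: "exists (will forward to another host)",
    252: "cannot verify, but will accept delivery (VRFY effectively disabled)",
    502: "VRFY not implemented",
    550: "no such user",
    551: "not local",
    553: "mailbox name not allowed",
}


def read_reply(rfile) -> tuple:
    """Read one SMTP reply, skipping '250-' continuation lines, and return (code, text)."""
    while True:
        line = rfile.readline().decode("ascii", "replace").rstrip("\r\n")
        if not line:
            raise ConnectionError("server closed the connection")
        if len(line) == 3 or line[3] == " ":
            return int(line[:3]), line[4:]


def vrfy_users(host: str, port: int, users: list, helo: str = "enum.lab", timeout: float = 5.0) -> dict:
    """One session: banner, HELO, VRFY per user, QUIT. Returns {user: (code, text)}."""
    results = {}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")

        def command(line: str) -> tuple:
            sock.sendall(line.encode("ascii") + b"\r\n")
            return read_reply(rfile)

        code, banner = read_reply(rfile)
        if code != 220:
            raise ConnectionError(f"unexpected banner {code} {banner}")
        command(f"HELO {helo}")  # some MTAs refuse VRFY before HELO/EHLO
        for user in users:
            results[user] = command(f"VRFY {user}")
        command("QUIT")
    return results


def verdict(code: int) -> str:
    return VERDICTS.get(code, f"unhandled reply {code}")


def start_fake_mta(known_users: set) -> int:
    """Constructed stand-in for a Postfix-style MTA (not a real server); returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        rfile = conn.makefile("rb")
        conn.sendall(b"220 mail.target.lab ESMTP Postfix\r\n")
        for raw in rfile:
            verb, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                conn.sendall(b"250 mail.target.lab\r\n")
            elif verb == "VRFY" and arg in known_users:
                conn.sendall(f"250 2.1.5 <{arg}@target.lab>\r\n".encode())
            elif verb == "VRFY":
                conn.sendall(f"550 5.1.1 <{arg}>: Recipient address rejected: User unknown\r\n".encode())
            elif verb == "QUIT":
                conn.sendall(b"221 2.0.0 Bye\r\n")
                break
            else:
                conn.sendall(b"502 5.5.2 Error: command not recognized\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_fake_mta({"root", "postmaster"})
    for user, (code, text) in vrfy_users("127.0.0.1", port, ["root", "alice", "postmaster"]).items():
        print(f"VRFY {user:<11} -> {code} {text:<60} [{verdict(code)}]")
```

A real MTA that answers 252 to everything gives no signal from VRFY; in that case the fallback is the RCPT TO check mentioned in the protocol overview, which smtp-user-enum selects with -M RCPT.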
General Enumeration
nmap -sV -sC -p- 192.168.1.100
Comprehensive service version detection
nikto -h http://192.168.1.100
Web server vulnerability scanning
dnsenum domain.com
DNS enumeration and zone transfers
