What is Enumeration?
Enumeration is the third phase of a penetration test. The ultimate purpose of enumeration is to get even more information about the target system and things such as routing tables, users or groups, etc. We have already seen that FootPrinting was about getting information, enumeration was about getting more information and enumeration is literally rounding up all of that information. Enumeration is active and does involve some scanning. This phase is about finalising the big picture and everything we will be doing in this phase will touch the target environment.
How do we do Enumeration?
We have a target and about that target we want to know a few things. Enumeration is there to finalise the big picture of all the information we gather about the target. We would like to know the things such as –
- Names – Server names, user names, network names, service names, etc.
- Services – What services are running in the environment like whether they are running Microsoft exchange for mail, or oracle or any other service?
- Network map – We want to get a network showing all the IP addresses and information about LAN and WAN.
- Users/ Groups – This makes the gaining access phase easier because if we have a username, we then have to get the password only.
- Routing information – To help build the network map.
- Operating Systems – List of OSs running on the target system.
- Applications running
Figure 1 – What are we looking for?
Now we will have a look at how we start getting this information. We will have a look at protocols that give us information we want.
- NTP(Network Time Protocol)
- LDAP (AD) – Lightweight Directory Access Protocol (Active Directory)
- SMTP ( Simple Mail Transfer Protocol)
- SNMP (Simple Network Management Protocol)
- DNS ( Domain Name System)
Figure 2 – Enumeration Protocols
Now we will look at the ports that we need to scan for –
- 53 – DNS
- 135 – Microsoft World Client-Server Communication Protocol
- 137 – NETBIOS browsing request port
- 139 , 445 – Common Internet File System
- 161 – SNMP, 162 – SNMP Trap
- 3368 – Global Catalog
- 389 – LDAP, 663 – LDAP over SSL
Figure 3. Ports
What are the goals of Enumeration?
- Finalise the details about the big picture.
- It also helps to finalise the path we will take to execute the attack in later phase.
- The information we ideally want at the end of this phase include –
- A list of devices and their roles and configurations.
- A network map – internal/ external/ wireless.
- A list of applications with version numbers.
- A list of people that work for or at the target.
Any information about the target no matter how insignificant it may seem could prove to be vital down the line. So we should collect and document everything.
What are the tools used in Enumeration?
- Default password lists
- smbclient and try to establish a Null Session
- netdiscover with macof
Ethical Hacking Tutorial – Enumeration Theory Video: