Enumeration
Enumeration is the process of using various techniques that query a device or service for information about its configuration and resources. It is a common step in active reconnaissance and crucial to penetration testing. Once you have connected to a host, you can interrogate it for details that will reveal additional attack vectors. The outcome of enumeration can often be used to directly exploit the system and penetrate deeper into the network. Often, enumeration can be done remotely. Although some enumeration can be done without a credential, it is usually much more successful if you can first log in. In many cases, the credential can be that of an average user, and need not be privileged. Techniques that perform enumeration can help you discover information that includes, but is not limited to:
- Operating system details
- User and group names
- Email addresses and contact information
- Password hashes (and sometimes passwords)
- Host names, domain information, and IP addresses
- Volumes and shares
- Services
- Policies and audit settings
- Configuration settings
- Routing, MAC, and neighbor tables
- Installed applications
- Patch levels
- Components and drivers
- Printers and print jobs
- Running processes
- Registry keys
- Event log records
- DNS and SNMP information
Banner Grabbing
One of the easiest things you can do to enumerate information is to perform banner grabbing. This involves attempting to open a session with a service and getting the service to identify itself. You can use telnet, Nmap, Netcat, and other tools to grab banners from services such as FTP, SSH, HTTP, SMTP, POP3, IMAP4, DNS, Telnet, Microsoft-DS, Microsoft netbios-ssn, and more. Acquiring these banners can help you focus your attacks on specific services.
Below are some example commands you can use to banner grab. After issuing the command, the service will either respond with information about itself, or wait for more input from you. Depending on the tool and the protocol, you will need to send input that the service knows how to respond to. You may also need to break out of the connection. You can sometimes do this by pressing Ctrl+C or Enter a few times. With Nmap, you don’t need to break out of the session. Just wait a few seconds for the scan to complete. Nmap also has a script for banner grabbing.
Here are some examples of banner grabbing:
telnet <target IP> <port number>
After making the connection, press Ctrl+] to break, then enter quit.
nc -vv <target IP> <port number>
Here is an example of using an HTTP GET request to elicit the web server type and version in Linux:
echo -en "GET / HTTP/1.0\n\n\n"|nc www.technoherder.com 80|grep Server
nmap -sV <target IP> -p <port number>
This NSE script attempts to grab banners from every service it can discover on a host:
nmap -sV --script=banner <target>
Note: Watch for 301 (Moved Permanently) responses. The redirect carries its own headers, so resend the request with the host and path taken from the Location header to get the banner of the server that finally answers.
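As an added example (not from the original page), the same banner grab the telnet/nc/echo one-liners above perform, written in Python so the HTTP case can parse the Server header and re-issue the request when a 301/302 points elsewhere; the host names and responses are constructed samples, not captures from any real server:

```python
import socket
from urllib.parse import urlsplit

def http_probe(host: str, path: str = "/") -> bytes:
    """The same request the echo|nc one-liner sends, plus a Host header for name-based vhosts."""
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()

def parse_http_banner(raw: bytes) -> dict:
    """Extract the status code and the Server/Location headers from a raw HTTP response."""
    head = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0].decode("latin-1")
    lines = head.split("\n")
    parts = lines[0].split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"status": status, "server": headers.get("server"), "location": headers.get("location")}

def grab_banner(host: str, port: int, probe: bytes = b"", timeout: float = 5.0) -> bytes:
    """Open a TCP session, send the probe (empty for self-announcing services like FTP/SSH/SMTP), return the reply."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            while data := s.recv(4096):
                chunks.append(data)
        except socket.timeout:
            pass  # the service is waiting for more input (the telnet/nc case); keep what we have
    return b"".join(chunks)

def http_server_banner(host: str, port: int = 80, max_hops: int = 3) -> dict:
    """Grab the Server header and, on a 301/302, re-issue the request to the Location
    the server points at, so the banner reported belongs to the final responder."""
    path = "/"
    for _ in range(max_hops):
        info = parse_http_banner(grab_banner(host, port, http_probe(host, path)))
        target = urlsplit(info["location"] or "")
        if info["status"] not in (301, 302) or target.scheme != "http":
            return info  # no redirect, or one to https that a plain socket cannot follow
        host, port, path = target.hostname or host, target.port or 80, target.path or "/"
    return info

# Constructed sample responses (not captured from any real host) for offline use.
SAMPLE_301 = (b"HTTP/1.1 301 Moved Permanently\r\nServer: nginx/1.18.0\r\n"
              b"Location: http://www.example.test/\r\nContent-Length: 0\r\n\r\n")
SAMPLE_200 = b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nContent-Type: text/html\r\n\r\n<html>"
```

Running `http_server_banner("www.example.test")` against a host you are authorized to test reports the final server's banner; `grab_banner(host, 22)` with no probe returns the SSH version string the service volunteers.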
Windows Host Enumeration
When enumerating Windows hosts, there are a number of tools you can use. Some of the more popular ones include:
- Built-in commands and utilities
- Nmap
- rpcclient
- Metasploit
You can use these tools to enumerate OS version, users, groups, shares, files, services, hardware, Registry keys, configurations, privileges, policies, and more. If you are already logged in to the target, you can run local commands to query the operating system directly. If not, some tools allow you to make a remote connection. In some cases, you do not need to use a privileged account to obtain good information. Prior to Windows Server 2003, you could even make a connection without a user name and password.
The following tables list some common commands for enumeration. Most of the built-in command-line commands are actually executables in themselves, but are designed to be used in a command prompt. Some of these commands have options for manipulating the data as well.
| Built-in Command-Line Command | Result |
| --- | --- |
| dir /? | Get help with the dir command. |
| dir *.xlsx /s | Search the current directory and all subdirectories for Excel spreadsheets. |
| ipconfig /all | Show all IP information for all interfaces. |
| ipconfig /displaydns | Display resolved DNS names. |
| arp -a | Display the ARP cache. |
| route print | Display the route table. |
| net user | List all users on this machine. |
| net localgroup administrators | List all members of the local administrators group. |
| net share | List all shares on this machine. |

| PowerShell Cmdlet | Result |
| --- | --- |
| Get-Command | List all installed PowerShell cmdlets. |
| Get-Command Get-* | List all cmdlets that start with "Get". |
| Get-LocalUser | List all local users on the machine. |
| Get-LocalGroup | List all local groups on the machine. |
| Get-LocalGroupMember <group name> | List all members of the given group. |
| Get-Website | List websites on the machine. |
| Get-ChildItem | List items and child items in a folder or Registry key. |
| Get-ChildItem -Path C:\ -Include *.docx,*.xlsx,*.txt -File -Recurse -ErrorAction SilentlyContinue \| Select-String password | Starting from C:\ recursively search every Word, Excel, and text file for the word "password", and display the path, file name, line number, and text on that line. |
Note: To learn more about PowerShell, visit https://mva.microsoft.com/learning-path/powershell-beginner-12.
Nmap
Common ways to use Nmap for host enumeration are to fingerprint the operating system and interrogate its services. You can also use NSE scripts for enumeration. Here are some examples:
nmap -O 192.168.1.50
nmap -sV 192.168.1.20
nmap --script=smb-os-discovery <target>
rpcclient
rpcclient has over 200 commands for enumeration and configuration. It runs on Linux and works against both Windows hosts and Linux Samba servers. If you are not already logged onto the target, you must first make a connection, providing a password when prompted. Administrative or SYSTEM level privileges (from a compromised host) will give you the best results.
Here is an example of using rpcclient to enumerate server information and user accounts on the target. Enter these commands separately:
rpcclient <target IP> -U <username>
?
srvinfo
lookupnames administrator
Now use the lookupsids command to discover new users by Security ID (SID). Copy the administrator’s SID and change the last set of numbers to 1000. Increment from there.
Note: The administrator SID always ends in 500. Even if you rename the administrator account, this number will never change.
Metasploit
Metasploit also has several enumeration modules. Just like the rpcclient lookupsids command, the smb_lookupsid Metasploit module will enumerate users based on a brute forcing of possible SIDs. In the following example, the credentials of a standard (non-privileged) user named moo are used against a particular host. Since user relative IDs (RIDs) start at 1000, the example sets a range of 1000 to 1100, searching for the first 100 user accounts that were created.
use auxiliary/scanner/smb/smb_lookupsid
set SMBUser moo
set SMBPass Pa22w0rd
set MinRID 1000
set MaxRID 1100
set RHOSTS 192.168.74.50
run
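The SID walk described for both rpcclient lookupsids and the smb_lookupsid module, as an added Python helper that is not part of the original page or of either tool: it takes the Administrator SID from a lookupnames line, builds the lookupsids commands for the RID range 1000 to 1100, and keeps only the RIDs that resolve. The line layouts are assumed from rpcclient's usual output, and the SIDs and account names are constructed samples.

```python
import re

SID_RE = re.compile(r"(S-1-5-21-\d+-\d+-\d+)-(\d+)")
ADMIN_RID = 500        # built-in Administrator RID; it never changes, even if the account is renamed
FIRST_USER_RID = 1000  # accounts created after installation are numbered from here

# SID_NAME_USE codes that lookupsids prints in parentheses after each name
SID_TYPES = {1: "user", 2: "domain group", 4: "local group", 5: "well-known group", 8: "unknown", 9: "computer"}

def split_sid(sid: str):
    """Return (domain-or-machine SID, RID) for an S-1-5-21 account SID, or None if none is found."""
    m = SID_RE.search(sid)
    return (m.group(1), int(m.group(2))) if m else None

def domain_sid_from_lookupnames(line: str) -> str:
    """Take the Administrator SID out of a 'lookupnames administrator' line and strip the RID."""
    parsed = split_sid(line)
    if parsed is None:
        raise ValueError("no account SID in line")
    base, rid = parsed
    if rid != ADMIN_RID:
        raise ValueError(f"expected Administrator RID {ADMIN_RID}, got {rid}")
    return base

def lookupsids_commands(base: str, min_rid: int = FIRST_USER_RID, max_rid: int = 1100, per_line: int = 16):
    """Build the rpcclient 'lookupsids' commands for a RID range, several SIDs per command."""
    rids = range(min_rid, max_rid + 1)
    return ["lookupsids " + " ".join(f"{base}-{r}" for r in rids[i:i + per_line])
            for i in range(0, len(rids), per_line)]

RESULT_RE = re.compile(r"^(S-1-5-21-[\d-]+)\s+(.+?)\s+\((\d+)\)$")

def parse_lookupsids_output(text: str):
    """Keep only resolved accounts from lookupsids output as (RID, name, type); unmapped RIDs
    come back as *unknown* with type 8 and are dropped."""
    found = []
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if m and int(m.group(3)) != 8:
            found.append((split_sid(m.group(1))[1], m.group(2), SID_TYPES.get(int(m.group(3)), "other")))
    return found

# Constructed sample output (no real host) in the layout rpcclient uses.
SAMPLE_LOOKUPNAMES = "administrator S-1-5-21-1004336348-1177238915-682003330-500 (User: 1)"
SAMPLE_LOOKUPSIDS = """\
S-1-5-21-1004336348-1177238915-682003330-1000 CORP\\alice (1)
S-1-5-21-1004336348-1177238915-682003330-1001 *unknown*\\*unknown* (8)
S-1-5-21-1004336348-1177238915-682003330-1002 CORP\\Domain Admins (2)
"""
```

Because the RIDs resolve with an ordinary credential, running this against your own hosts shows exactly what a non-privileged account can learn about them.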
Linux Host Enumeration
As with Windows, there are many tools and local Linux commands you can use to enumerate information. For example, once you compromise a Linux machine in Metasploit, you can use the post/linux/enum_system module to get information about the system. Additional enumeration modules include:
- enum_configs
- enum_network
- enum_protections
- enum_users_history
You can also use nmap -O or -sV scans to fingerprint the operating system and interrogate its services. If the Linux host is running the Samba service, you can use nmap smb-* NSE scripts and rpcclient commands against the target. For example:
nmap -O 192.168.1.20
nmap -sV 192.168.1.20
nmap --script=smb-os-discovery 192.168.1.20
rpcclient -U "" 192.168.1.20
If you prefer to use built-in Bash commands, there is a very wide range to choose from. The following table lists just a few you can choose from. Some require root privilege. If you receive a “Permission denied” error, start the command with sudo and supply the root password when prompted.
Note: Commands may vary between Linux distributions.
| Local Linux Bash Command | Result |
| --- | --- |
| uname -a | Show all available system information. |
| hostname | Show computer host name. |
| route | Show route table. |
| arp | Show ARP cache. |
| ifconfig | Show interface configuration, including IP address. |
| netstat -antp | Show TCP listening ports and socket status. |
| netstat -anup | Show UDP listening ports and socket status. |
| iptables -L | Display any firewall rules. |
| mount | Show mounted storage devices or file systems. |
| dpkg -l | List all packages installed on the system. |
| apache2 -v | List information about Apache2 web server. |
| mysql --version | List information about MySQL. |
| df -a | Show disk information. |
| cat /etc/*-release | Show distribution information. |
| cat /proc/cpuinfo | Show information about the CPU. |
| cat /etc/resolv.conf | List DNS servers host is using. |
| cat /etc/network/interfaces | List interface IP configuration. |
| cat /etc/passwd | List all users on the system. |
| cat /etc/group | List all groups on the system. |
| cat /etc/shadow | Show user hashes (privileged command). |
| users | List currently logged in users. |
| w | List currently logged in users and their processes. |
| lastlog | Show when all users last logged in. |
| whoami | Show current user name. |
| id | Show current user information. |
| sudo -l | List programs current user can run as root. |
| find \| head | Find all files in the current directory and sub-directories (showing the first ten). |
| find / -iname '*.txt' | Find all txt files (case insensitive) in /. |
| find / -type f -exec grep -l "password" {} \; | List file names containing the word "password". |
| find . -type f -name ".*" | Find all hidden files. |
Service and Application Enumeration
Many system administrators aren’t fully aware of all the services running on their network. Besides default processes that run on every host, users can also install software that requires a service as a prerequisite. A common example is MSSQL Server, which is part of many popular desktop applications. These include backup software, network monitoring applications, certification testing systems, enterprise malware managers, conferencing systems, project management tools, and drawing and coding applications.
The following table summarizes common services that are targeted for enumeration, along with tool examples.
| Port | Protocol and Service | Tool Examples | Comments |
| --- | --- | --- | --- |
| TCP 21 | FTP (FTP file server) | Telnet & FTP clients, nmap ftp-anon.nse, ftp-brute.nse, Metasploit modules: ftp/anonymous, ftp_login, ftp_version. | Identify FTP servers, versions, and authentication requirements (including anonymous logins). |
| TCP 22 | SSH (SSH server) | nmap, PuTTY/SSH clients, nmap ssh-brute.nse, ssh-run.nse, Metasploit modules: ssh_login, ssh_login_pubkey. | Linux servers, routers, switches, other network devices, jailbroken iPhones. |
| TCP 23 | Telnet (Telnet server) | PuTTY/telnet clients, nmap telnet-brute.nse, telnet-ntlm-info.nse, Metasploit telnet_login, telnet_version modules. | Linux servers, routers, switches, other network devices. |
| TCP 25 | SMTP (Email server) | PuTTY/telnet clients, nmap smtp-enum-users.nse, smtp-commands.nse, smtp-open-relay.nse, smtp-brute.nse, Metasploit smtp_enum, smtp_version modules. | Extract email addresses. Enumerate SMTP server information. Search for open relays. |
| TCP 53 | DNS | dig, nslookup, nmap dns-brute.nse, Metasploit enum_dns module. | Elicit DNS zone transfers. Discover DNS subdomains. |
| TCP 80 | HTTP (Web server) | PuTTY/telnet clients, dirbuster, nmap http-enum.nse, http-title.nse, http-sitemap-generator.nse, Metasploit modules: http_cert, dir_listing, dir_scanner, dir_webdav_unicode_bypass, enum_wayback, files_dir, http_login, http/ssl, http_version, webdav_scanner, webdav_website_content. | Manually request web pages, enumerate directories, files, WebDAV features, versions, and more. |
| TCP 135, TCP 111 | RPC (Microsoft DCE/RPC Locator Service, *nix portmapper service) | nmap rpcinfo.nse, rpc-grind.nse, msrpc-enum.nse, Metasploit dcerpc modules: endpoint_mapper, hidden, management, tcp_dcerpc_auditor. | Query and manipulate Remote Procedure Call (RPC)-based services such as Windows DCOM, and *nix NFS, nlockmgr, quotad, and mountd. |
| TCP 137 | NetBIOS (NetBIOS Name Service) | nbtscan, nmap smb-enum-shares.nse, smb-enumdomains.nse, smb-os-discovery.nse. | List NetBIOS computer, user, group, workgroup, and domain names, domain controller roles, file and print sharing services, Microsoft Exchange services. |
| TCP 139 | SMB (NetBIOS Session Service, SMB file and print service) | enum.exe (Windows), enum4linux.pl, smbclient, nmap smb-enum-shares.nse, smb-os-discovery.nse, Metasploit modules: smb_enumshares, smb/smb2, smb_version. | Retrieve directory information, list and transfer files. NSE scripts might not work on newer machines. |
| UDP 161 | SNMP | getif, SolarWinds NPM, PRTG, WhatsUp Gold, Nagios Core, Spiceworks, Observium, nmap snmp-info.nse, snmp-brute.nse, snmp-interfaces.nse, snmp-processes.nse, Metasploit snmp modules: snmp_enum, snmp_enumusers, snmp_enumshares, snmp_login. | Obtain information on dozens of data objects depending on device. Targets must have SNMP agent enabled; you must know the community string devices are using (can be sniffed). |
| TCP/UDP 389 | LDAP (Microsoft Active Directory) | Active Directory Users and Computers, ntdsutil.exe, OpenLDAP, LDAP Admin, LDP.exe, nmap ldap-search.nse, Metasploit module: enum_ad_computers. | Retrieve a wide range of information from Active Directory. Non-privileged users can query Active Directory for nearly all information. To capture password hashes, copy the database file ntds.dit using ntdsutil.exe, then use Windows Password Recovery Tool to extract the hashes. |
| TCP 445 | RPC (Microsoft-DS Active Directory and SMB file sharing) | rpcclient, Metasploit smb_login, smb_enumusers, & smb/psexec modules, nmap NSE smb-enum-* scripts, enum.exe, user2sid.exe, sid2user.exe, PowerShell, pstools. | Retrieve a very wide range of Microsoft computer and domain information. |
| TCP 1433 | SQL (SQL Server) | nmap mysql-info.nse, Metasploit modules: mssql_ping, mssql_enum, enum_domain_accounts, enum_sql_logins. | Locate and enumerate information including logins from Microsoft and MySQL SQL servers. |
Guidelines for Active Reconnaissance
Here are some guidelines you can follow to enumerate targets.
- Remember that you can enumerate information from network devices as well as computers.
- Banner grab to obtain quick information from a network service.
- Use different tools such as Nmap, Netcat, or telnet for flexibility and different results when banner grabbing.
- If possible, obtain a credential (preferably administrator) that you can use during enumeration.
- For maximum flexibility, log on to the host you want to enumerate, then run native commands or a tool such as rpcclient or Metasploit.
- If you must enumerate remotely, conduct a port scan to discover targets.
- When enumerating Windows hosts, use tools such as the command prompt (cmd.exe) to access a wide range of commands. You can also use PowerShell, rpcclient, and Metasploit.
- When enumerating Linux hosts, use the Bash prompt to access a wide range of tools. You can also use Metasploit.
- When enumerating different services, select a tool that is designed for the ports and protocols you are targeting.
- Scan the network for both SMB and NFS shares.
- Try creating a null session to older hosts that provide SMB shares.
- Choose an enumeration tool that is configured to use the protocol.
- Start website enumeration by attempting to open a browser to well-known website directories.
- Use tools such as Nmap scripts or Dirbuster to help enumerate directories on websites.
- Use a variety of tools, as not all tools or scripts work with all targets.