Active Reconnaissance

Active Reconnaissance


Enumeration is the process of using various techniques that query a device or service for information about its configuration and resources. It is a common step in active reconnaissance and crucial to penetration testing. Once you have connected to a host, you can interrogate it for details that will reveal additional attack vectors. The outcome of enumeration can often be used to directly exploit the system and penetrate deeper into the network. Often, enumeration can be done remotely. Although some enumeration can be done without a credential, it is usually much more successful if you can first log in. In many cases, the credential can be that of an average user, and need not be privileged. Techniques that perform enumeration can help you discover information that includes, but is not limited to:

  • Operating system details
  • User and group names
  • Email addresses and contact information
  • Password hashes (and sometimes passwords)
  • Host names, domain information, and IP addresses
  • Volumes and shares
  • Services
  • Policies and audit settings
  • Configuration settings
  • Routing, MAC, and neighbor tables
  • Installed applications
  • Patch levels
  • Components and drivers
  • Printers and print jobs
  • Running processes
  • Registry keys
  • Event log records
  • DNS and SNMP information

Banner Grabbing

One of the easiest things you can do to enumerate information is to perform banner grabbing. This involves attempting to open a session with a service and getting the service to identify itself. You can use telnet, Nmap, Netcat, and other tools to grab banners from services such as FTP, SSH, HTTP, SMTP, POP3, IMAP4, DNS, Telnet, Microsoft-DS, Microsoft netbios-ssn, and more. Acquiring these banners can help you focus your attacks on specific services.

Below are some example commands you can use to banner grab. After issuing the command, the service will either respond with information about itself, or wait for more input from you. Depending on the tool and the protocol, you will need to send input that the service knows how to respond to. You may also need to break out of the connection. You can sometimes do this by pressing Ctrl+C or Enter a few times. With Nmap, you don’t need to break out of the session. Just wait a few seconds for the scan to complete. Nmap also has a script for banner grabbing.

Here are some examples of banner grabbing:

telnet <target IP> <port number>

After making the connection, press Ctrl+] to break, then enter quit.

nc -vv <target IP> <port number>

Here is an example of using an HTTP GET request to elicit the web server type and version in Linux:

echo -en "GET / HTTP/1.0\n\n\n"|nc 80|grep Server
Banner grabbing with netcat
nmap -sV <target IP> -p <port number>

This NSE script attempts to grab banners from every service it can discover on a host:

nmap -sV --script=banner <target>
Nmap NSE banner script example

Note: When 301’s occur, you’ll want to watch for error handling so that the browser header can be updated.

Windows Host Enumeration

When enumerating Windows hosts, there are a number of tools you can use. Some of the more popular ones include:

  • Built-in commands and utilities
  • Nmap
  • rpcclient
  • Metasploit

You can use these tools to enumerate OS version, users, groups, shares, files, services, hardware, Registry keys, configurations, privileges, policies, and more. If you are already logged in to the target, you can run local commands to query the operating system directly. If not, some tools allow you to make a remote connection. In some cases, you do not need to use a privileged account to obtain good information. Prior to Windows Server 2003, you could even make a connection without a user name and password.

The following tables list some common commands for enumeration. Most of the built-in command-line commands are actually executables in themselves, but are designed to be used in a command prompt. Some of these commands have options for manipulating the data as well.

Built-in Command-Line CommandResult
dir /hGet help with the dir command.
dir *.xlsx /sSearch the current directory and all subdirectories for Excel spreadsheets.
ipconfig /allShow all IP information for all interfaces.
ipconfig /displaydnsDisplay resolved DNS names.
arp -aDisplay the ARP cache.
route printDisplay the route table.
net userList all users on this machine.
net localgroup administratorsList all members of the local administrators group.
net shareList all shares on this machine.
PowerShell CmdletResult
Get-CommandList all installed PowerShell cmdlets.
Get-Command Get-*List all cmdlets that start with “Get”.
Get-LocalUserList all local users on the machine.
Get-LocalGroupList all local groups on the machine.
Get-LocalGroupMember <group name>List all members of the given group.
Get-WebsiteList websites on the machine.
Get-ChildItemList items and child items in a folder or Registry key.
Get-ChildItem -Path C:\ -Include *.docx,*.xlsx,*.txt -File -Recurse -ErrorAction SilentlyContinue | Select-String passwordStarting from C:\ recursively search every Word, Excel, and text file for the word “password”, and display the path, file name, line number, and text on that line.

Note: To learn more about PowerShell, visit


Common ways to use Nmap for host enumeration are to fingerprint the operating system and interrogate its services. You can also use NSE scripts for enumeration. Here are some examples:

nmap -O
nmap -sV
nmap --script=smb-os-discovery <target>

Rpcclient has over 200 commands for enumeration and configuration. It runs on Linux and works against both Windows and Linux Samba computers. If you are not already logged onto the target, you must first make a connection, providing a password when prompted. Administrative or SYSTEM level privileges (from a compromised host) will give you the best results.

Here is an example of using rpcclient to enumerate server information and user accounts on the target. Enter these commands separately:

rpcclient <target IP> -U <username>
lookupnames administrator

Now use the lookupsids command to discover new users by Security ID (SID). Copy the administrator’s SID and change the last set of numbers to 1000. Increment from there.

Note: The administrator SID always ends in 500. Even if you rename the administrator account, this number will never change.


Metasploit also has several enumeration modules. Just like the rpcclient lookupsids command, the smb_lookupsid Metasploit module will enumerate users based on a brute forcing of possible SIDs. In the following example, the credentials of a standard (non-privileged) user named moo are used against a particular host. Since user relative IDs (RIDs) start at 1000, the example sets a range of 1000 to 1100, searching for the first 100 user accounts that were created.

use /auxiliary/scanner/smb/smb_lookupsid
set SMBUser moo
set SMBPass Pa22w0rd
set MinRID 1000
set MaxRID 1100

Linux Host Enumeration

As with Windows, there are many tools and local Linux commands you can use to enumerate information. For example, once you compromise a Linux machine in Metasploit, you can use the post/linux/enum_system module to get information about the system. Additional enumeration modules include:

  • enum_configs
  • enum_network
  • enum_protections
  • enum_users_history

You can also use nmap -O or -sV scans to fingerprint the operating system and interrogate its services. If the Linux host is running the Samba service, you can use nmap smb-* NSE scripts and rpcclient commands against the target. For example:

nmap -O
nmap -sV
nmap --script=smb-os-discovery
rpcclient -U ""

If you prefer to use built-in Bash commands, there is a very wide range to choose from. The following table lists just a few you can choose from. Some require root privilege. If you receive a “Permission denied” error, start the command with sudo and supply the root password when prompted.

Note: Commands may vary between Linux distributions.

Local Linux Bash CommandResult
uname -aShow all available system information.
hostnameShow computer host name.
routeShow route table.
arpShow ARP cache.
ifconfigShow interface configuration, including IP address.
netstat -antpShow TCP listening ports and socket status.
netstat -anupShow UDP listening ports and socket status.
iptables -LDisplay any firewall rules.
mountShow mounted storage devices or file systems.
dpkg -lList all packages installed on the system.
apache2 -vList information about Apache2 web server.
mysql –versionList information about MySQL.
df -aShow disk information.
cat /etc/*-releaseShow distribution information.
cat /proc/cpuinfoShow information about the CPU.
cat /etc/resolv.confList DNS servers host is using.
cat /etc/network/interfacesList interface IP configuration.
cat /etc/passwdList all users on the system.
cat /etc/groupList all groups on the system.
cat /etc/shadowShow user hashes (privileged command).
usersList currently logged in users.
wList currently logged in users and their processes.
lastlogShow when all users last logged in.
whoamiShow current user name.
idShow current user information.
sudo -lList programs current user can run as root.
find | headFind all files in the current directory and sub-directories.
find / -iname *.txtFind all txt files (case insensitive) in /.
find / -type f -exec grep -l “password” {} \;List file names containing the word “password”.
find . -type f -name “.*”Find all hidden files.

Service and Application Enumeration

Many system administrators aren’t fully aware of all the services running on their network. Besides default processes that run on every host, users can also install software that requires a service as a prerequisite. A common example is MSSQL Server, which is part of many popular desktop applications. These include backup software, network monitoring applications, certification testing systems, enterprise malware managers, conferencing systems, project management tools, and drawing and coding applications.

The following table summarizes common services that are targeted for enumeration, along with tool examples.

PortProtocol and ServiceTool ExamplesComments
TCP 21FTP FTP file serverTelnet & FTP clients, nmap ftp-anon.nse, ftp-brute.nse, Metasploit modules: ftp/anonymous, ftp_login, ftp_version.Identify FTP servers, versions, and authentication requirements (including anonymous logins).
TCP 22SSH SSH servernmap, PuTTY/SSH clients, nmap ssh-brute.nse, ssh-run.nse, Metasploit modules: ssh_login, ssh_login_pubkey.Linux servers, routers, switches, other network devices, jailbroken iPhones.
TCP 23telnet Telnet serverPuTTY/telnet clients, nmap telnet-brute.nse, telnet-ntlm-info.nse, Metasploit telnet_login, telnet_version modules.Linux servers, routers, switches, other network devices.
TCP 25SMTP Email serverPuTTY/telnet clients, nmap smtp-enum-users.nse, smtp-commands.nse, smtp-open-relay.nse, smtp-brute.nse, Metasploit smtp_enum, smtp_version modules.Extract email addresses. Enumerate SMTP server information. Search for open relays.
TCP 53DNS DNSdig, nslookup, nmap dns-brute.nse, Metasploit enum_dns module.Elicit DNS zone transfers. Discover DNS subdomains.
TCP 80HTTP Web serverPuTTY/telnet clients, dirbuster, nmap http-enum.nse, http-title.nse, http-sitemap-generator.nse, Metasploit modules: http_cert, dir_listing, dir_scanner, dir_webdav_unicode_bypass,enum_wayback, files_dir, http_login, http/ssl, http_version, webdav_scanner, webdav_website_content.Manually request web pages, enumerate directories, files, WebDAV features, versions, and more.
TCP 135, TCP 111RPC Microsoft DCE/RPC Locator Service, *nix portmapper servicenmap rpcinfo.nse, rpc-grind.nse, msrpc-enum.nse, Metasploit dcerpc modules: endpoint_mapper, hidden, management, tcp_dcerpc_auditor.Query and manipulate Remote Procedure Call (RPC)-based services such as Windows DCOM, and *nix NFS, nlockmgr, quotad, and mountd.
TCP 137NetBIOS NetBIOS Name Servicenbtscan, nmap smb-enum-shares.nse, smb-enumdomains.nse, smb-os-discovery.nse.List NetBIOS computer, user, group, workgroup, and domain names, domain controller roles, file and print sharing services, Microsoft Exchange services.
TCP 139SMB NetBIOS Session Service (SMB file and print service)enum.exe (Windows),, smbclient, nmap smb-enum-shares.nse, smb-os-discovery.nse, Metasploit modules: smb_enumshares, smb/smb2, smb_version.Retrieve directory information, list and transfer files. NSE scripts might not work on newer machines.
UDP 161SNMP SNMPgetif, SolarWinds NPM, PRTG, WhatsUp Gold, Nagios Core, Spiceworks, Observium, nmap snmp-info.nse, snmp-brute.nse, snmp-interfaces.nse, snmp-processes.nse, Metasploit snmp modules: snmp_enum, snmp_enumusers, snmp_enumshares, snmp_login.Obtain information on dozens of data objects depending on device. Targets must have SNMP agent enabled; you must know the community string devices are using (can be sniffed).
TCP/UDP 389LDAP Microsoft Active DirectoryActive Directory Users and Computers, ntdsutil.exe, OpenLDAP, LDAP Admin, LDP.exe, nmap ldap-search.nse, Metasploit module: enum_ad_computers.Retrieve a wide range of information from Active Directory. Non-privileged users can query Active Directory for nearly all information. To capture password hashes, copy the database file ntds.dit using ntdsutil.exe, then use Windows Password Recovery Tool to extract the hashes.
TCP 445RPC Microsoft-DS Active Directory and SMB file sharingrpcclient, Metasploit smb_login, smb_enumusers, & smb/psexec modules, nmap NSE smb-enum-* scripts, enum.exe, user2sid.exe, sid2user.exe, PowerShell, pstools.Retrieve a very wide range of Microsoft computer and domain information.
TCP 1433SQL SQL Servernmap mysql-info.nse, Metasploit modules: mssql_ping, mssql_enum, enum_domain_accounts, enum_sql_logins.Locate and enumerate information including logins from Microsoft and MySQL SQL servers.

Guidelines for Active Reconnaissance

Here are some guidelines you can follow to enumerate targets.

  • Remember that you can enumerate information from network devices as well as computers.
  • Banner grab to obtain quick information from a network service.
  • Use different tools such as Nmap, Netcat, or telnet for flexibility and different results when banner grabbing.
  • If possible, obtain a credential (preferably administrator) that you can use during enumeration.
  • For maximum flexibility, log on to the host you want to enumerate, then run native commands or a tool such as rpcclient or Metasploit.
  • If you must enumerate remotely, conduct a port scan to discover targets.
  • When enumerating Windows hosts, use tools such as the command prompt (cmd.exe) to access a wide range of commands. You can also use PowerShell, rpcclient, and Metasploit.
  • When enumerating Linux hosts, use the Bash prompt to access a wide range of tools. You can also use Metasploit.
  • When enumerating different services, select a tool that is designed for the ports and protocols you are targeting.
  • Scan the network for both SMB and NFS shares.
  • Try creating a null session to older hosts that provide SMB shares.
  • Choose an enumeration tool that is configured to use the protocol.
  • Start website enumeration by attempting to open a browser to well-known website directories.
  • Use tools such as Nmap scripts or Dirbuster to help enumerate directories on websites.
  • Use a variety of tools, as not all tools or scripts work with all targets.

Leave a Reply

Your email address will not be published. Required fields are marked *