In this article we will cover the key concepts of enumeration from an ethical hacking point of view: the fundamentals of penetration testing and how enumeration fits into it, the types of enumeration, the techniques used to perform it, and the tools that support the process. We will also discuss the goals of enumeration, the services involved, and the processes of NetBIOS enumeration and port-scanning enumeration.
What is penetration testing?
Penetration testing, or ethical hacking, is a simulated cyber-attack on a computer system, application or infrastructure to detect any vulnerabilities. It provides a list of vulnerabilities that we can categorize and rank as high, medium or low; we then fix them according to the business requirements and timelines.
Let us understand the various phases of penetration testing.
Description of Enumeration
Enumeration is the third phase of penetration testing or ethical hacking. It is the process of gaining complete access to the system by exploiting the vulnerabilities identified in the first two phases. The scanning stage identifies vulnerabilities only to a certain extent; enumeration gives us the complete details, such as users, groups and even system-level details like routing tables. The purpose of this phase is to gain end-to-end knowledge of what will be tested in the target environment. Tools are deployed to gain complete control over the system.
Significance of Enumeration
Enumeration is the most critical aspect of ethical hacking: its metrics, outcomes and results feed directly into testing the system in the later steps of penetration testing. Enumeration helps us uncover detailed information such as hostnames, IP tables, SNMP and DNS data, applications, banners, audit configurations and service settings. Its significance is that it collects these details systematically, which allows pentesters to examine the systems completely and to identify the weak links.
Enumeration helps in finding attack vectors and threats.
Enumeration Classification
We can perform enumeration on the following:
Enumeration and its types – Tool box
As a process, enumeration extracts the user names, machine names, network resources, shares and services from the environment. A robust toolbox, a mix of software and hardware, helps make the enumeration process scalable. There are free and commercial software tools for enumeration; the hardware tools are mainly key loggers and specialised wireless hardware. The pentesters use them to find the right and most efficient way to reach the various components of the systems.
Techniques for Enumeration
The types of information enumerated by intruders are the following:
Network resources
Users and groups
Routing tables
Audit settings
Service configuration settings
Machine names
Applications
Banners
SNMP details
DNS details
Services and Port to Enumerate
What are the goals of the Enumeration?
Goal 1 – Map the end-to-end details that we need to check after the enumeration step
Goal 2 – Identify the ways to execute the attacks in the upcoming phases
Goal 3 – Identify all the information we need for execution in future testing
Goal 4 – Compile a list of devices with their configuration for testing
Goal 5 – Complete the network map to finalize the steps for testing
Goal 6 – Compile the list of people who support the testing
Goal 7 – Collect even seemingly irrelevant information that might still be significant in the future
Process of Enumeration
Tools supporting Enumeration

| Tool | Description | Use |
|---|---|---|
| Nmap | Network mapper | Used to discover port and service information on a target |
| Nessus | Service and vulnerability scanner | Used to identify vulnerable services |
| WPScan | WordPress vulnerability scanner | Used to identify vulnerable WordPress applications |
| Searchsploit | CLI tool for Exploit-DB | Used to look up exploits for services |
| GoBuster | Web directory brute forcer | Used to discover directories on web servers |
| Dig | Domain Information Groper | Used to query DNS servers |
| Nmblookup | SMB share lookup | Used to find any open and exposed SMB shares |
| Dnsenum | | Used to enumerate DNS information |
Port-Scanning Enumeration
Port scanning is the most common form of enumeration. It is used to discover the various services that could be used to exploit the systems, covering every system that is connected to the LAN or that reaches the network via a modem and runs services. We can find out which services are running, who owns them, and whether any of them require separate authentication.
Port scanning techniques
| S.No | Technique | Process |
|---|---|---|
| 1 | Address Resolution Protocol (ARP) scan | A series of ARP broadcasts is sent, incrementing the target IP address field in each packet, to discover active devices on the local network segment; this scan helps map out the entire network |
| 2 | Vanilla TCP connect scan | Basic scanning that uses the operating system's connect system call to open a connection to every port |
| 3 | TCP SYN (half-open) scan | The most common type of scan; a technique that a malicious hacker uses to determine the state of a communications port without establishing a full connection |
| 4 | TCP FIN scan | This scan can remain undetected by most firewalls, packet filters and other scan detection programs |
| 5 | Stealth scanning – NULL, Xmas | These scans craft the packet flags so as to induce some type of response from the target without going through the handshake and establishing a connection |
| 6 | UDP ICMP port scan | Used to find high-numbered ports, especially on Solaris systems; the scan is slow and unreliable |
| 7 | TCP reverse ident scan | Discovers the username of the owner of any TCP-connected process on the target system; it uses the ident protocol to learn who owns the process by connecting to open ports |
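Rows 3, 4 and 5 of the table describe scans by the TCP flag patterns they send, and those same patterns are what a defender looks for in connection logs. The following added example (not code from the original article) runs that detection logic over a constructed sample of client-to-server flow records: a host that sends bare SYNs to many ports on one target without ever completing a handshake is flagged as a half-open scan, and FIN-only, empty (NULL) and FIN+PSH+URG (Xmas) flag sets are flagged per packet. The log format and the addresses are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of client-to-server TCP flow records (not real traffic):
# timestamp, source host, destination host:service port, TCP flags set by the client.
# Flag letters: S=SYN, A=ACK, F=FIN, P=PSH, U=URG; an empty flags field is a NULL probe.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 -> 10.0.0.20:22 flags=S
10:00:01 10.0.0.5 -> 10.0.0.20:22 flags=A
10:00:02 10.0.0.9 -> 10.0.0.20:21 flags=S
10:00:02 10.0.0.9 -> 10.0.0.20:22 flags=S
10:00:02 10.0.0.9 -> 10.0.0.20:25 flags=S
10:00:02 10.0.0.9 -> 10.0.0.20:80 flags=S
10:00:03 10.0.0.9 -> 10.0.0.20:443 flags=S
10:00:05 10.0.0.7 -> 10.0.0.20:80 flags=F
10:00:05 10.0.0.7 -> 10.0.0.20:80 flags=
10:00:05 10.0.0.7 -> 10.0.0.20:80 flags=FPU
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+) flags=(?P<flags>[A-Z]*)$"
)

# Flag combinations that no normal TCP stack sends on a fresh connection (table rows 4 and 5).
STEALTH_PROBES = {"F": "FIN scan", "": "NULL scan", "FPU": "Xmas scan"}


def parse_log(text):
    """Turn the log text into a list of dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            records.append(rec)
    return records


def find_syn_scans(records, min_ports=3):
    """Half-open scan detection (table row 3): a source that sends SYNs to many ports
    on one host but never follows up with the ACK that completes a handshake."""
    syn_ports = defaultdict(set)  # (src, dst) -> ports that received a bare SYN
    ack_ports = defaultdict(set)  # (src, dst) -> ports where the client later sent an ACK
    for r in records:
        key = (r["src"], r["dst"])
        if r["flags"] == "S":
            syn_ports[key].add(r["port"])
        elif r["flags"] == "A":
            ack_ports[key].add(r["port"])
    findings = {}
    for key, ports in syn_ports.items():
        half_open = ports - ack_ports[key]
        if len(half_open) >= min_ports:
            findings[key] = sorted(half_open)
    return findings


def find_stealth_probes(records):
    """FIN, NULL and Xmas probes (table rows 4 and 5) are identified per packet by their flag set."""
    hits = []
    for r in records:
        label = STEALTH_PROBES.get("".join(sorted(r["flags"])))
        if label:
            hits.append((r["src"], r["dst"], r["port"], label))
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (src, dst), ports in find_syn_scans(recs).items():
        print(f"half-open scan: {src} -> {dst} ports {ports}")
    for src, dst, port, label in find_stealth_probes(recs):
        print(f"{label}: {src} -> {dst}:{port}")
```

In the sample, 10.0.0.5 completes a normal SSH handshake and is not reported, 10.0.0.9 is reported for five half-open ports, and the three packets from 10.0.0.7 are each labelled. The `min_ports` threshold is what keeps a single retried connection from being reported; in a real deployment it is tuned per network, and the same counting can be applied per time window rather than over the whole log.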
NetBIOS Enumeration
NetBIOS – Network Basic Input Output System
NetBIOS lets computers on a LAN communicate with each other to share files and printers.
NetBIOS names are primarily used for identifying devices on the network.
A NetBIOS name is 16 characters long: 15 characters identify the device and the 16th denotes the service it runs.
Attackers use NetBIOS to enumerate the list of computers in each domain, policies and passwords, and the shares on the network.
Tools used – Nbtstat, SuperScan, Net View, Hyena
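The 15-character name plus 16th service byte described above is what tools like Nbtstat display as a name table. The following added example (not code from the original article, nor from any of the tools listed) encodes and decodes that 16-byte form, renders a constructed name table in the style of nbtstat output, and also applies the RFC 1001 first-level encoding that carries such names on the wire. The host name SRV01 and domain CORP are hypothetical; the suffix meanings are the documented Microsoft values for those bytes.

```python
# Well-known values of the 16th byte of a NetBIOS name (a subset of Microsoft's documented suffixes).
SUFFIXES = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections",
    0x20: "File Server Service",
}


def encode_netbios_name(name, suffix):
    """Build the raw 16-byte form: 15 upper-case characters padded with spaces, then the suffix byte."""
    if len(name) > 15:
        raise ValueError("a NetBIOS name holds at most 15 characters before the suffix")
    if not 0 <= suffix <= 0xFF:
        raise ValueError("suffix must be a single byte")
    return name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])


def decode_netbios_name(raw):
    """Split a raw 16-byte name into (name, suffix, role), the way nbtstat presents it."""
    if len(raw) != 16:
        raise ValueError("NetBIOS names are exactly 16 bytes")
    name = raw[:15].rstrip(b" ").decode("ascii", errors="replace")
    suffix = raw[15]
    return name, suffix, SUFFIXES.get(suffix, "Unknown")


def describe_name_table(entries):
    """Render (raw_name, is_group) pairs as nbtstat-style lines.
    A GROUP entry with suffix 00 is the domain name rather than the workstation service."""
    lines = []
    for raw, is_group in entries:
        name, suffix, role = decode_netbios_name(raw)
        if is_group and suffix == 0x00:
            role = "Domain Name"
        kind = "GROUP" if is_group else "UNIQUE"
        lines.append(f"{name:<15} <{suffix:02X}> {kind:<6} {role}")
    return lines


def first_level_encode(raw):
    """RFC 1001 first-level encoding: each nibble becomes the letter 'A' + nibble, giving 32 characters."""
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def first_level_decode(encoded):
    """Reverse the first-level encoding of a 32-character name back into the 16 raw bytes."""
    if len(encoded) != 32 or any(not "A" <= c <= "P" for c in encoded):
        raise ValueError("expected 32 characters in the range A-P")
    pairs = zip(encoded[0::2], encoded[1::2])
    return bytes(((ord(hi) - 0x41) << 4) | (ord(lo) - 0x41) for hi, lo in pairs)


if __name__ == "__main__":
    # Constructed name table for a hypothetical host SRV01 that is a member of domain CORP.
    table = [
        (encode_netbios_name("SRV01", 0x00), False),
        (encode_netbios_name("SRV01", 0x20), False),
        (encode_netbios_name("CORP", 0x00), True),
        (encode_netbios_name("CORP", 0x1C), True),
    ]
    for line in describe_name_table(table):
        print(line)
    # The wildcard name "*" padded with NUL bytes is the name a node-status query carries on the wire.
    print(first_level_encode(b"*" + b"\x00" * 15))
```

The rendered table makes the enumeration value of NetBIOS concrete: the `<1C>` group entry alone tells a reader which domain a host belongs to and that domain controllers exist for it, and the `<20>` entry shows the host is sharing files. That is why exposed NetBIOS name services (UDP 137) are worth inventorying and restricting at network boundaries.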
Conclusion
Enumeration is defined as the process of extracting usernames, machine names, network information and other service details. It forms a critical step in the ethical hacking process, because the complete information it yields is needed for the later steps of maintaining access and covering tracks. In this article we have covered the main enumeration techniques and the tools available for them, including port scanning and NetBIOS enumeration.