Join us

Explaining Enumeration and Its Types


Enumeration is fundamentally checking. An attacker sets up a functioning associated with the objective host. The weaknesses are then tallied and evaluated. It is done mostly to look for assaults and dangers to the objective framework. Enumeration is utilized to gather usernames, hostnames, IP addresses, passwords, arrangements, and so on.

At the point when a functioning connection with the objective host is set up, hackers oversee the objective framework. They at that point take private data and information. Now and again, aggressors have additionally been discovered changing the setup of the objective frameworks.

How the connection is set up to the host decides the information or data the attacker will have the option to get to.

Types Of Enumeration

In this section, we will be discussing the various types of Enumerations.

  1. NetBIOS(Network Basic Input Output System) Enumeration:
  • NetBIOS name is an exceptional 16 ASCII character string used to distinguish the organization gadgets over TCP/IP, 15 characters are utilized for the gadget name and the sixteenth character is saved for the administration or name record type.
  • Programmers utilize the NetBIOS enumeration to get a rundown of PCs that have a place with a specific domain, a rundown of offers on the individual hosts in the organization, and strategies and passwords.
  • NetBIOS name goal isn’t supported by Microsoft for Internet Protocol Version 6.
  • The initial phase in specifying a Windows framework is to exploit the NetBIOS API. It was initially an Application Programming Interface(API) for custom programming to get to LAN assets. Windows utilizes NetBIOS for document and printer sharing.
  • A hacker who finds a Windows OS with port 139 open, can verify what assets can be gotten to or seen on the far-off framework. In any case, to count the NetBIOS names, the distant framework probably empowered document and printer sharing. This sort of enumeration may empower the programmer to peruse or keep in touch with the distant PC framework, contingent upon the accessibility of offers, or dispatch a DoS.
  • NetBIOS name list:

NameNetBIOS CodeType<host name><00>UNIQUE<domain><00>GROUP<host name><03>UNIQUE<username><03>UNIQUE<host name><20>UNIQUE<domain><1D>GROUP<domain><1B>UNIQUE

  • nbtstat Utility: In Windows, it shows NetBIOS over TCP/IP (NetBT) convention insights, NetBIOS name tables for both the neighborhood and distant PCs, and the NetBIOS name reserve. This utility allows a resuscitate of the NetBIOS name cache and the names selected with Windows Internet Name Service. The sentence structure for Nbtstat:

The table appeared beneath shows different Nbtstat boundaries:

Parameters-a RemoteName-A IPAddress-c-n-r-RR-s-SInterval

  1. SNMP(Simple Network Management Protocol) Enumeration:
  • SNMP enumeration is a cycle of specifying client records and gadgets on an objective framework utilizing SNMP. SNMP comprises a manager and a specialist; specialists are inserted on each organization gadget, and the trough is introduced on a different PC.
  • SNMP holds two passwords to get to and design the SNMP specialist from the administration station. Read Community String is public of course; permits review of gadget/framework setup. Read/Write people group string is private of course; permits far off altering of arrangement.
  • Hackers utilize these default network strings to remove data about a gadget. Hackers list SNMP to remove data about organization assets, for example, has, switches, gadgets, shares, and so on, and network data, for example, ARP tables, directing tables, traffic, and so forth.
  • SNMP utilizes dispersed engineering containing SNMP agents, managers, and a few related parts. Orders related with SNMP include: GetRequest, GetNextRequest, GetResponse, SetRequest, Trap.

Given below is the communication between the SNMP agent and manager:

  • SNMP Enumeration tools are utilized to examine a solitary IP address or a scope of IP addresses of SNMP empowered organization gadgets to screen, analyze, and investigate security dangers. Instances of this sort of instrument incorporate NetScanTolls Pro, SoftPerfect Network Scanner, SNMP Informant, and so forth
  1. LDAP Enumeration:
  • Lightweight Directory Access Protocol is an Internet Protocol for getting to dispersed registry administrations.
  • Registry administrations may give any coordinated arrangement of records, regularly in a hierarchical and sensible structure, for example, a corporate email index.
  • A customer starts an LDAP meeting by associating with a Directory System Agent on TCP port 389 and afterward sends an activity solicitation to the DSA.
  • Data is sent between the customer and the worker utilizing Basic Encoding Rules.
  • Programmer inquiries LDAP administration to assemble information such as substantial usernames, addresses, division subtleties, and so on that can be additionally used to perform assaults.
  • There are numerous LDAP enumeration apparatuses that entrance the registry postings inside Active Directory or other catalog administrations. Utilizing these devices, assailants can identify data, for example, substantial usernames, addresses, division subtleties, and so forth from various LDAP workers.
  • Examples of these kinds of tools include LDAP Admin Tool, Active Directory Explorer, LDAP Admin, etc.
  1. NTP Enumeration:
  • Network Time Protocol is intended to synchronize clocks of arranged PCs.
  • It utilizes UDP port 123 as its essential method for correspondence.
  • NTP can check time to inside 10 milliseconds (1/100 seconds) over the public web.
  • It can accomplish correctness of 200 microseconds or better in a neighborhood under ideal conditions.
  • Executives regularly disregard the NTP worker regarding security. Be that as it may, whenever questioned appropriately, it can give important organization data to the programmers.
  • Hackers inquiries NTP workers to assemble significant data, for example, a list of hosts associated with NTP workers, Clients’ IP addresses in an organization, their framework names and Oss, and Internal IPs can likewise be gotten if NTP worker is in the demilitarized zone.
  • NTP enumeration tools are utilized to screen the working of SNTP and NTP workers present in the organization and help in the configuration and confirmation of availability from the time customer to the NTP workers.
  1. SMTP Enumeration:
  • Mail frameworks ordinarily use SMTP with POP3 and IMAP that empower clients to spare the messages in the worker letter drop and download them once in a while from the mainframe.
  • SMTP utilizes Mail Exchange (MX) workers to coordinate the mail through DNS. It runs on TCP port 25.
  • SMTP provides 3 built-in commands: VRFY, EXPN, and RCPT TO.
  • These servers respond differently to the commands for valid and invalid users from which we can determine valid users on SMTP servers.
  • Hackers can legitimately associate with SMTP through telnet brief and gather a rundown of substantial clients on the mainframe.
  • Hackers can perform SMTP enumeration using command-line utilities such as telnet, netcat, etc., or by using tools such as Metasploit, Nmap, NetScanTools Pro, etc.
  1. DNS Enumeration using Zone Transfer:
  • It is a cycle for finding the DNS worker and the records of an objective organization.
  • A hacker can accumulate significant organizational data, for example, DNS worker names, hostname, machine names, usernames, IPs, and so forth of the objectives.
  • In DNS Zone Transfer enumeration, a hacker tries to retrieve a copy of the entire zone file for a domain from the DNS server.
  • To execute a zone transfer, the hacker sends a zone transfer request to the DNS server pretending to be a client; the DNS then sends a portion of its database as a zone to you. This zone may contain a ton of data about the DNS zone organization.
  1. IPsec Enumeration:
  • IPsec utilizes ESP (Encapsulation Security Payload), AH (Authentication Header), and IKE (Internet Key Exchange) to make sure about the correspondence between virtual private organization (VPN) end focuses.
  • Most IPsec-based VPNs use the Internet Security Association and Key Management Protocol, a piece of IKE, to establish, arrange, alter, and erase Security Associations and cryptographic keys in a VPN climate.
  • A straightforward checking for ISAKMP at the UDP port 500 can demonstrate the presence of a VPN passage.
  • Hackers can research further utilizing an apparatus, for example, IKE-output to identify the delicate information including encryption and hashing calculation, authentication type, key conveyance calculation, and so forth.
  1. VoIP(Voice over IP) Enumeration:
  • VoIP uses the SIP (Session Initiation Protocol) protocol to enable voice and video calls over an IP network.
  • SIP administration by and large uses UDP/TCP ports 2000, 2001, 5050, and 5061.
  • VoIP enumeration provides sensitive information such as VoIP gateway/servers, IP-PBX systems, client software, and user extensions.
  • This information can be used to launch various VoIP attacks such as DoS, Session Hijacking, Caller ID spoofing, Eavesdropping, Spamming over Internet Telephony, VoIP phishing, etc.
  1. RPC Enumeration:
  • Remote Procedure Call permits customers and workers to impart in disseminated customer/worker programs.
  • Counting RPC endpoints empower aggressors to recognize any weak administrations on these administration ports.
  • In networks ensured by firewalls and other security establishments, this portmapper is regularly sifted. Along these lines, hackers filter high port reaches to recognize RPC administrations that are available to coordinate an assault.
  1. Unix/Linux User Enumeration:
  • One of the most vital steps for conducting an enumeration is to perform this kind of enumeration. This provides a list of users along with details like username, hostname, start date and time of each session, etc.
  • We can use command-line utilities to perform Linux user enumeration like users, rwho, finger, etc.
  1. SMB Enumeration:
  • SMB list is significant expertise for any pen-tester. Before figuring out how to count SMB, we should initially realize what SMB is. SMB represents server message block.
  • It’s a convention for sharing assets like records, printers, and by and large, any asset which should be retrievable or made accessible by the server. It fundamentally runs on port 445 or port 139 relying upon the server.
  • It is quite accessible in windows, so windows clients don’t have to arrange anything extra as such other than essential setup. In Linux in any case, it is somewhat extraordinary. To make it work for Linux, you have to introduce a samba server since Linux locally doesn’t utilize SMB convention.
  • Some kind of confirmation will be set up like a username and secret word, and just certain assets made shareable. So dislike everybody can get to everything, a solid confirmation.
  • The main evident defect is utilizing default certifications or effectively guessable and sometimes even no verification for access of significant assets of the server. Administrators should make a point to utilize solid passwords for clients who need to get to assets utilizing SMB. The subsequent blemish is the samba server. Samba servers are infamous for being hugely vulnerable.

Mitigation Of Different Types Of Enumeration

Several countermeasures can be taken into account for the mitigation of several kinds of enumeration:

  1. NetBIOS Enumeration:
  • Disable SMB and NetBIOS.
  • Use a network firewall.
  • Prefer Windows firewall/ software firewalls.
  • Disable sharing.
  1. SNMP Enumeration:
  • Eliminate the specialist or shut off the SNMP administration.
  • If stopping SNMP isn’t a choice, at that point change the default network string names.
  • Move up to SNMP3, which encodes passwords and messages.
  • Actualize the Group Policy security alternative.
  1. LDAP Enumeration:
  • Utilize SSL technology to encrypt the traffic.
  • Select a username unique to your email address and empower account lockout.
  1. NTP Enumeration:
  • Configure MD5 Layer.
  • Configure NTP Authentication.
  • Upgrade the NTP version.
  1. SMTP Enumeration:
  • Ignore email messages to unknown recipients.
  • Disable the open relay feature.
  • The breaking point is the number of acknowledged associations from a source to forestall brute force exploits.
  • Not to include sensitive mail server and localhost information in mail responses.
  1. DNS Enumeration Using Zone Transfer:
  • Incapacitate the DNS Zone moves to the untrusted hosts.
  • Make sure that the private hosts and their IP addresses are not published in the DNS zone files of the public DNS server.
  • Use premium DNS regulation services that hide sensitive information such as host information from the public.
  • Utilize standard organization administrator contacts for DNS enlistment to maintain a strategic distance from social designing assaults.
  • Avoid publishing Private IP address information into the zone file.
  • Disable Zone Transfer for untrusted hosts.
  • Hide Sensitive information from public hosts.
  1. IPsec Enumeration:
  • Preshared keys utilized with both fundamental and forceful mode IKE key trade components are available to sniffing and disconnected savage power granulating assaults to bargain the shared mystery. You should utilize advanced testaments or two-factor validation components to refute these dangers.
  • Pre-shared keys and forceful mode IKE uphold is a catastrophe waiting to happen. On the off chance that you should uphold forceful mode IKE, utilize advanced declarations for verification.
  • Forcefully firewall and channel traffic coursing through VPN encrypted tunnel so that, in case of a trade-off, network access is restricted. This point is particularly significant while giving versatile clients network access, instead of branch workplaces.
  • Where conceivable, limit inbound IPsec security relationship to explicit IP addresses. This guarantees that regardless of whether an aggressor bargains a preshared key, she can only with significant effort access the VPN.
  1. VoIP(Voice over IP) Enumeration:
  • This hack can be smothered by actualizing SIPS (SIP over TLS) and confirming SIP queries and reactions (which can incorporate uprightness insurance).
  • The utilization of SIPS and the verification of reactions can stifle many related hacks including eavesdropping and message or client pantomime.
  • The utilization of digest confirmation joined with the utilization of TLS between SIP telephones and SIP intermediaries can give a station through which clients can safely validate inside their SIP domain.
  • Voicemail messages can be changed over to message records and parsed by ordinary spam channels. This can just shield clients from SPIT voicemails.
  1. RPC Enumeration:
  • Try not to run rexd, users, or rwalld RPC administrations, since they are of negligible utilization and give aggressors both valuable data and direct admittance to your hosts.
  • In high-security conditions, don’t offer any RPC administrations to the public Internet. Because of the unpredictability of these administrations, almost certainly, zero-day misuse contents will be accessible to assailants before fixed data is delivered.
  • To limit the danger of inner or confided-in hacks against vital RPC administrations, (for example, NFS segments, including statd, lockd, and mountd), introduce the most recent seller security patches.
  • Forcefully channel egress traffic, where conceivable, to guarantee that regardless of whether an assault against an RPC administration is effective, an associate back shell can’t be brought forth to the hacker.
  1. Unix/Linux User Enumeration:
  • Keep the kernel fixed and refreshed.
  • Never run any service as root except if truly required, particularly the web, information base, and record mainframes.
  • SUID digit ought not to be set to any program that lets you get to the shell.
  • You should never set the SUID cycle on any record supervisor/compiler/mediator as an aggressor can undoubtedly peruse/overwrite any documents present on the framework.
  • Try not to give sudo rights to any program which lets you break into the shell.
  1. SMB Enumeration:
  • Impair SMB convention on Web and DNS mainframes.
  • Debilitate SMB convention web confronting mainframes.
  • Handicap ports TCP 139 and TCP 445 are utilized by the SMB convention.
  • Restrict anonymous access through the RestrictNull Access parameter from the Windows Registry.

Thank you for reading my article

And if you like it give me a follow.

Only registered users can post comments. Please, login or signup.

Start blogging about your favorite technologies, reach more readers and earn rewards!

Join other developers and claim your FAUN account now!


Arth Kumar


Hi I am Arth, A Python and Wix developer Also Interested in Generative Art(intagram:coder_kumar) If you want a good looking personal website Contact Me
User Popularity



Total Hits