Enumerate detailed information on a target, such as users, services and shares, in order to plan an approach to exploitation.
- [Voiceover] Enumeration is the process of identifying usernames, system addresses, network resources, shares, services, and other characteristics of a target. It happens through open source intelligence, and also by direct probing of a target's system. Enumeration occurs after scanning, and is part of the overall information gathering or reconnaissance activity. Testers need to be methodical in their approach to ethical hacking, and this means structured preparation for testing a target system.
For example, the tester may wish to do the following before starting any vulnerability testing: extract usernames using enumeration, gather information about the host using null sessions, perform port enumeration using scanning tools, enumerate user accounts, and perform enumeration through special protocols, such as SNMP and RPC. The reason for doing enumeration is to understand the target before testing it, and to obtain information to enable testing.
For example, one outcome from this might be to identify a user account or system account for potential use in penetrating the target. It isn't necessary to find a system administrator account because most account privileges can be escalated once access has been achieved. I look at enumeration in four parts: Firstly, I look at what are typically local host enumeration techniques, and then look at remote host enumeration. I look at how we can enumerate paths and systems on the internet at scale, and then look at some specific enumeration tools for port scanning, and enumerating network services such as SMTP and (mumbles).
I won't, however, cover the enumeration of website pages, as this will be fully covered in the Ethical Hacking Web Testing course. There are some standard services which are useful targets when performing enumeration, and which we'll look at further as we go through this course. DNS is the Domain Name Service, which runs on port 53 and is used to translate system names to IP addresses, and can sometimes be used to extract bulk translation data in what is known as a DNS zone transfer; SMTP, the Simple Mail Transfer Protocol, on port 25, is used to send email, but can be used to extract or infer email addresses; the RPC Endpoint Mapper, on port 135, which is used to access RPC services; the NetBIOS Name Service, on port 137, to enumerate NetBIOS objects; the NetBIOS Session Service on port 139, which enables SMB queries over NetBIOS; the Simple Network Management Protocol on port 161, used to manage hosts remotely; the Lightweight Directory Access Protocol service on port 389, which stores user and group information; and SMB, running over TCP on port 445.
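The SMTP point above (port 25 can be used to extract or infer email addresses) rests on the VRFY command: an MTA that honours VRFY answers 250 for a mailbox it knows and 550 for one it does not, so a list of candidate usernames can be confirmed one command at a time. The script below is an added example written for this page, not code from the course or its author. It runs offline against a constructed in-process SMTP responder whose hostname (mail.example.test), account list and reply texts are all made up for the demo; enumerate_smtp_users() itself is plain SMTP and would work against a real host and port you are authorised to test. The second run shows the usual mitigation, a server that answers 252 to every VRFY (what Postfix returns when disable_vrfy_command = yes), which the client must classify as "unknown" rather than as a hit or a miss.

```python
"""SMTP user enumeration via VRFY, with both sides of the exchange shown.

Added example, not the course's code. The server half is a constructed
stand-in for an MTA; the client half is ordinary SMTP.
"""
import socket
import threading

# Constructed sample data: mailboxes the fake MTA knows about.
KNOWN_USERS = {"alice", "bob", "postmaster"}


def _readline(conn: socket.socket) -> str:
    """Read one CRLF-terminated SMTP line; returns '' once the peer closes."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = conn.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode("ascii", "replace").rstrip("\r\n")


def _serve_one(conn: socket.socket, verify_enabled: bool) -> None:
    """Minimal MTA responder: banner, HELO/EHLO, VRFY, QUIT (constructed)."""
    with conn:
        conn.sendall(b"220 mail.example.test ESMTP ready\r\n")
        while True:
            line = _readline(conn)
            if not line:
                return
            verb, _, arg = line.partition(" ")
            verb, arg = verb.upper(), arg.strip()
            if verb in ("HELO", "EHLO"):
                conn.sendall(b"250 mail.example.test\r\n")
            elif verb == "VRFY":
                if not verify_enabled:          # hardened MTA: refuses to confirm anything
                    conn.sendall(b"252 2.5.2 VRFY command is disabled\r\n")
                elif arg.lower() in KNOWN_USERS:  # leaky MTA: confirms the mailbox
                    conn.sendall(f"250 <{arg}@example.test>\r\n".encode())
                else:
                    conn.sendall(b"550 5.1.1 User unknown\r\n")
            elif verb == "QUIT":
                conn.sendall(b"221 Bye\r\n")
                return
            else:
                conn.sendall(b"502 5.5.2 Command not implemented\r\n")


def start_fake_smtp(verify_enabled: bool = True):
    """Start the constructed MTA on an ephemeral loopback port; returns (host, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_serve_one, args=(client, verify_enabled), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()


def _read_reply(conn: socket.socket):
    """Read one SMTP reply, following '250-' style continuation lines; returns (code, text)."""
    lines = []
    while True:
        line = _readline(conn)
        if len(line) < 3:
            raise ConnectionError("connection closed mid-reply")
        lines.append(line[4:])
        if len(line) == 3 or line[3] != "-":
            break
    return int(line[:3]), "\n".join(lines)


def enumerate_smtp_users(host: str, port: int, candidates, helo: str = "probe.local", timeout: float = 5.0) -> dict:
    """Probe each candidate with VRFY over a single session.

    Result per user: 'valid' (250), 'invalid' (550/551/553) or 'unknown'
    (252 = will not verify, 500/502 = command disabled). Treating 252 as a
    hit is the classic false positive when an MTA has VRFY disabled.
    """
    results = {}
    with socket.create_connection((host, port), timeout=timeout) as conn:
        code, banner = _read_reply(conn)
        if code != 220:
            raise ConnectionError(f"unexpected banner: {code} {banner}")
        conn.sendall(f"HELO {helo}\r\n".encode())
        _read_reply(conn)
        for user in candidates:
            conn.sendall(f"VRFY {user}\r\n".encode())
            code, _ = _read_reply(conn)
            if code == 250:
                results[user] = "valid"
            elif code in (550, 551, 553):
                results[user] = "invalid"
            else:
                results[user] = "unknown"
        conn.sendall(b"QUIT\r\n")
        _read_reply(conn)
    return results


def demo():
    """Leaky MTA first, then one with VRFY disabled; returns both result maps."""
    host, port = start_fake_smtp(verify_enabled=True)
    leaky = enumerate_smtp_users(host, port, ["alice", "mallory", "postmaster"])
    host, port = start_fake_smtp(verify_enabled=False)
    hardened = enumerate_smtp_users(host, port, ["alice", "mallory"])
    return leaky, hardened


if __name__ == "__main__":
    print(demo())
```

Against the leaky server the run reports alice and postmaster as valid and mallory as invalid; against the hardened one every probe comes back "unknown", which is exactly what a tester should see on a properly configured MTA. In practice the same classification applies to EXPN and to RCPT TO probing, and a real engagement would rate-limit the loop and read the whole 252/550 text, since some MTAs put the useful distinction in the enhanced status code rather than the three-digit reply.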
An overview of the CEH exam, blueprint, and eligibility criteria can be found at https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/.
- What is enumeration?
- Understanding NetBIOS, SMB, SAMBA, and RPC
- Profiling hosts
- Investigating interfaces
- Enumerating SMB
- Enumerating SNMP and RPC
- Enumerating the Internet
- Working with other enumeration tools