Introduction to Enumeration Attack

Introduction to Enumeration Attack

We are living inside a hyper-connected network, just a few clicks away from all the resources and services which were nothing but a dream just a few decades ago. This amount of convenience however does not come without its fair share of dangers and challenges. This article deals with the challenges of cyber security and aims to provide a concise visualization of the field of Enumeration Attacks in particular.

Why is it important?

Being aware of the common security issues and vulnerabilities, understanding their mechanisms, and fortifying appropriate protections are crucial steps for maintaining a stable, secure, and resilient system.

One of the most common forms of attacks in the cyber security world is an Enumeration Attack. Enumeration means gathering information and gaining control over a system. Technically, an enumeration attack is a process where a hacker uses brute-force methods to check if certain data is present on a web server or not. This information is further used to get to more sensitive information and commit larger frauds.

Fig 1: Penetration testing flow

Primary information attackers look for:

Usernames – The primary objective of username enumeration is to validate the presence of as many usernames as possible in a web server. A list of confirmed usernames provides a faster route to track accounts guarded by weak passwords. This method can also be used to confirm emails which can be the same as usernames for many users.

Passwords – Attackers use automated tools to check frequently used and weak passwords against a set of confirmed usernames and gain control of accounts on finding a match.

Hostnames & IP addresses – DNS enumeration reveals the expanse of an organization by enumerating the number of domains or sub-domains.

SNMP and DNS details – SNMP and DNS enumeration reveal critical information about specific devices allowing attackers to copy or alter organization data.

Fig 2: DNS and SNMP

Routing tables – By enumeration an attacker can retrieve information about specific types of routing table objects like routes, destinations, and next hops.

User Groups – Enumerating local group information on remote machines can provide vital insights for further attacks.

Application and Banners – Banner Grabbing is a process by which an attacker discovers network hosts, running services, applications, and their versions on the open ports.

Fig 3: RIB, User groups and Banner

Fig 4: Types of Enumeration

Fig 5: Ports to Enumerate

NetBIOS (Network Basic Input Output System) Enumeration:

NetBIOS name is an exceptional sixteen ASCII character string used to distinguish the organization gadgets over TCP/IP. Fifteen characters are used for gadget names and the sixteenth character is used for the administration or name record type. The prime purpose of NetBIOS is allowing applications residing on different devices to establish sessions for accessing shared resources such as files and identify one another over a local area network (LAN).

Attackers can use the NetBIOS enumeration to obtain the following:

  • List of computers that belong to a particular domain.

  • Policies and passwords

  • List of shares of the individual hosts on the network.

On finding an open port 139 in Windows OS, an attacker can verify the assets that can be seen on the distant framework. A programmer can examine and stay connected to the framework depending upon accessibility settings.

Tools used:

  • Nbtstat Utility: It is used to find protocol statistics, name cache details, and NetBIOS name table.

  • Superscan:It is a Graphical User Interface (GUI) tool used to enumerate windows machines.

  • Net view: A Command line tool to single out shared resources over a network.

  • Hyena: It shows shares and user login names for Windows servers and domain controllers.


  • Disable SMB and NetBIOS.

  • Use a network firewall.

  • Prefer Windows firewall or software firewalls.

  • Disable sharing.

SNMP(Simple Network Management Protocol) Enumeration:

SNMP or Simple Network Management Protocol is an application layer protocol that uses UDP protocol for maintaining and managing routers, hubs, and switches on an IP network. SNMP is a common protocol for operating systems like Windows, Linux, and UNIX servers as well as network devices like routers or switches.

SNMP holds two passwords to access and configure the SNMP agent from the management station:

  • Read community string: It is public by default and allows viewing of device or system configuration.

  • Read/write community string: It is private by default and allows remote access of configuration.

Attackers take advantage of the default network strings to remove the data of a device. Attackers list SNMP to remove data about organization assets like switches, gadgets, shares, and network data such as ARP tables, directing tables, traffic, etc.

Tools used:

  • OpUtils Network Monitoring Toolset

  • SolarWinds

  • Command-line tools like SNMP-WALK, SNMP-CHECK


  • Stop the SNMP administration.

  • Change the default network string names if stopping SNMP administration is not possible.

  • Use the most advanced and secure version of SNMP.

LDAP (Lightweight Directory Access Protocol) Enumeration:

The LDAP protocol is used to access directory listings within Active Directory or from other Directory Services. LDAP can be related to DNS to help integrate quick lookups and fast resolution of queries. LDAP generally runs on port 389 and generally abides by a distinct set of rules (RFC). LDAP service can be queried anonymously and useful data like valid usernames, addresses, departmental details can be identified which could be used in a brute force or social engineering attack.

Several LDAP enumeration tools allow registry postings inside Active Directory or other catalog administrations. Attackers use these devices to identify data such as usernames, addresses, and division subtleties from various LDAP workers.

Tools used:

  • Jxplorer

  • LDAP Admin Tool

  • Active Directory Explorer


  • Use SSL technology to encrypt the traffic.

  • Select a unique username (unrelated to email address) and activate account lockout (limit number of invalid login attempts).

NTP (Network Time Protocol) Enumeration:

The Network Time Protocol is a protocol for synchronizing time across a network, especially while using Directory Services. It utilizes UDP port 123. NTP enumeration generates details such as lists of hosts connected to NTP server, IP addresses, system names, and operating systems running on the client system in a network. Attackers query NTP workers to assemble significant data. NTP enumeration tools screen the working of SNTP and NTP workers present in the organization and help in configuration and confirmation of availability from the time customer to the NTP workers.

Tools used:

  • PRTG Network Monitor

  • Nmap

  • Command-line tools like ntptrace, ntpdc, ntpq.


  • Configure MD5 Layer.

  • Configure NTP Authentication and upgrade NTP version.

SMTP (Simple Mail Transport Protocol) Enumeration:

SMTP uses Mail Exchange (MX) workers to coordinate mails through DNS and runs on TCP port 25. The servers respond differently to the commands for valid and invalid users from which valid users on SMTP servers can be listed. Attackers can associate with SMTP through telnet briefs and analyze several clients.

Built-in SMTP commands are:

  • VRFY: Used for validating users.

  • EXPN: Shows the actual delivery address of aliases and mailing lists.

  • RCPT TO: Define the recipients of messages.

Tools used:

  • NetScanTools Pro

  • Metasploit

  • Nmap

  • Telnet


  • Emails from suspicious addresses should be left unattended.

  • Disable open relay feature.

  • Sensitive mail server and localhost information must be excluded from mail responses.

DNS (Domain Name System) Enumeration using Zone Transfer:

DNS enumeration can be used to gather usernames, computer names, and IP addresses of potential target systems. DNS record sheds light on the types of resource records (database records) stored in the zone files. DNS Zone Transfer is used to replicate DNS data across several DNS servers or to back up DNS files. Attackers can request a DNS zone transfer in disguise of a client. If anonymous zone transfers are allowed, all the DNS names and IP addresses hosted by the name server will be returned in human-readable ASCII text. An attacker can accumulate tons of organizational data including DNS worker names, hostname, machine names, usernames, IPs, etc.

Tools used:

  • Nslookup

  • Maltego

  • Dnsrecon


  • Disable Zone Transfer for untrusted hosts.

  • Care must be taken such that private hosts and their IP addresses are not published in DNS zone files of the public DNS server.

  • Premium DNS regulation services must be used which will hide sensitive information such as host information from the public.

  • Standard organization administrator contacts must be used for DNS enlistment to maintain a strategic distance from social designing assaults.

Windows Enumeration:

This is a common type of enumeration where a hacker attacks desktop workstations running on Windows OS. With this files can be accessed or altered thereby hampering confidentiality. Attackers, in some cases, can change the configuration of the desktop or OS.

Tools used:

  • DumpSec

  • GetAcct

  • NBTscan


  • Use built-in protection like Windows Defender SmartScreen, Credential Guard, Device Guard, Windows Defender Antivirus, UEFI Secure Boot, Early Launch Anti Malware, etc.

  • Activate Enterprise certificate pinning.

  • Block untrusted fonts.

Unix/Linux Enumeration:

This type of enumeration is done for UNIX/Linux systems which can be used to fetch valuable information like usernames, system addresses, network resources, shares, and other target characteristics. Command-line utilities to perform Linux user enumeration are users, rwho, finger, etc.


  • The kernel must be fixed and refreshed.

  • No service must be run as root barring extreme cases, especially the web, information base, and record mainframes.

  • The SUID digit must not be set to any program that leads to the shell.

IPsec Enumeration:

The existence of a Virtual Private Network (VPN) passage can be identified by checking for ISAKMP (Internet Security Association and Key Management Protocol) at the UDP port 500. Encryption and hashing calculation, authentication type, key conveyance calculation, and other data can be noted on further investigation.

Fig 6: IPsec


  • Pre-shared keys and forceful mode IKE uphold must be avoided. Advance testaments or two-factor validation must be implemented for these vulnerabilities.

  • Forcefully firewall and channel traffic via VPN encrypted tunnel thereby restricting network access in case of trade-off.

  • Limit inbound IPsec security relationship to explicit IP addresses.

VoIP (Voice over IP) Enumeration:

VoIP uses the SIP (Session Initiation Protocol) protocol for enabling voice and video calls over an IP network. VoIP enumeration reveals VoIP gateway, VoIP servers, client software, IP-PBX systems, and user extensions data that can lead to DoS, session hijacking, VoIP phishing, caller ID spoofing, Spamming over Internet Telephony, and other attacks.


  • The utilization of SIPS and verification of reactions can stop many attacks.

  • Voicemail messages can be changed over to message records and parsed by ordinary spam channels. This can just shield clients from SPIT voicemails.

RPC (Remote Procedure Call) Enumeration:

Remote Procedure Call is a software communication protocol that allows a program to request a service from another program from another device over a network without the knowledge of the network itself. Any weak administrations can be revealed on the administration ports by counting RPC endpoints. Thus available ports can be identified to prepare an attack.


  • Running rexd, users or rwalld RPC administrations can be avoided.

  • Allowing RPC administrations to the public Internet must be restricted.

  • The introduction of the most recent seller security patches makes systems more robust.

SMB (Server Message Block) Enumeration:

SMB is a convention for sharing any asset which can be accessed by the server. Default certifications, common and even no verification process gives access to significant assets of the server which makes this a vital enumeration point. Samba servers (for LINUX systems) are infamous for being vulnerable.


  • Restricting anonymous access through the RestrictNull Access parameter from the Windows Registry.

  • TCP 139 and TCP 445 used by the SMB convention must be deactivated.

  • Impair SMB convention on Web and DNS mainframes.

  • Debilitate SMB convention web confronting mainframes.


The primary challenge for modern developers is providing fast, hassle-free user experience backed by robust security protocols. Moving forward usability and safety must go hand in hand. As technologies and businesses become more data-driven, protecting user data has become one of the top priorities of any organization. The discussion presented, hopefully, will provide the necessary information on Enumeration attack to students and pentesters alike.