© The Author(s), under exclusive license to APress Media, LLC, part of Springer Nature 2021
A. Sheikh, Certified Ethical Hacker (CEH) Preparation Guide, https://doi.org/10.1007/978-1-4842-7258-9_3

3. Enumeration

Ahmed Sheikh
Miami, FL, USA

Enumeration involves connecting to a system, so it takes port scanning to the next level. Since enumeration is a more intrusive part of testing, you must have the organization’s permission as an ethical hacker. You are attempting to retrieve information and gain access to servers by using the employee logon accounts. In this chapter, you will learn about enumeration techniques, how to establish a null session, and how to identify enumeration countermeasures. You will learn about important concepts involving active and passive enumeration.

By the end of this chapter, you will be able to

  1. Explain enumeration techniques.
  2. Recognize how to establish a null session.
  3. Identify enumeration countermeasures.
  4. Perform active and passive enumeration.


Steps to Compromise a System

Enumeration is the first step in compromising a system. The attacker is actively connecting to the target to obtain information. From there, the attacker tries to identify the password. Once the attacker gains access to the system using an account, they try to get administrator privileges. The attacker installs applications that provide information about the target and hides them so that an administrator cannot identify them. The attacker erases any trace of the path they have used.

There are six basic steps involved with compromising a system:

  1. Enumeration
  2. Password cracking
  3. Privilege escalation
  4. Trace holding
  5. File hiding
  6. Application execution



Enumeration is listed as step one in compromising a system and is a process that involves making active connections to the target. The type of enumerated information can be grouped into four categories: network resources and shares, users and groups, auditing settings, and application banners.

To authenticate, the operating system requires a user account. Windows also supports a unique type of user called the null user (Figure 3-1). A null user has no username or password, but it can be used to access certain information on a network. A null user is capable of enumerating account names and shares.

Figure 3-1. Null user

With a null session, no user and password credentials are given. It is an anonymous connection to the network share IPC$. To establish a null session, type the command shown below at the command prompt, replacing <target> with the name or IP address of the host. From a null session, attackers can call APIs and use Remote Procedure Calls to get information on passwords, users, and services. Countermeasures include filtering ports, disabling SMB services, inspecting HKLM, configuring security policies, and restricting remote access.

net use \\<target>\IPC$ "" /user:""

Starting with Windows Vista and Server 2008, null sessions are not available and cannot be enabled even by the administrator.

NetBIOS Basics

A NetBIOS name (https://searchnetworking.techtarget.com/definition/NetBIOS) can be 16 characters, 15 of which are for the computer name. The final character is reserved for a hexadecimal character that identifies the service running on the computer. NetBIOS is an API that resource-sharing protocols can access in order to refer to computers by name. Computer names are not routable.

The progression stages of setting up NetBIOS are listed as follows:

  1. A Windows programming interface that enables computers to communicate over a local area network (LAN)
  2. Files and printers can be shared.
  3. Utilizes UDP ports 137 (server service) and 138 (datagram service) and TCP port 139 (session service)
  4. A 15-character limit applies to NetBIOS names, which are computer names assigned to a system.
  5. On a network, a NetBIOS name must be unique.

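As an added example (not code from the book), the following Python builds the 16-byte NetBIOS name described above, encodes it the way it appears on the wire on UDP 137 (the RFC 1001 first-level encoding), and decodes it back to the computer name and the service identified by the 16th byte; the host name FILESRV01 is a constructed sample.

```python
# Added example (not from the book): build and decode the 16-byte NetBIOS name
# the chapter describes: 15 characters of computer name, space-padded, plus a
# one-byte suffix identifying the service. first_level_encode() is the form the
# name takes on the wire (RFC 1001), which is what a sensor on UDP 137 sees.

# Common 16th-byte suffix values (Microsoft's documented NetBIOS suffixes).
NETBIOS_SUFFIXES = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections",
    0x20: "File Server Service",
}


def netbios_name(computer_name: str, suffix: int) -> bytes:
    """Return the 16-byte NetBIOS name: 15-char space-padded name + suffix byte."""
    name = computer_name.upper()
    if len(name) > 15:
        raise ValueError("NetBIOS computer names are limited to 15 characters")
    return name.ljust(15).encode("ascii") + bytes([suffix])


def first_level_encode(name16: bytes) -> str:
    """RFC 1001 first-level encoding: each nibble becomes a letter A..P."""
    if len(name16) != 16:
        raise ValueError("NetBIOS names are exactly 16 bytes")
    return "".join(chr(ord("A") + (b >> 4)) + chr(ord("A") + (b & 0x0F)) for b in name16)


def first_level_decode(encoded: str) -> tuple:
    """Reverse the encoding; return (computer name, suffix, service description)."""
    if len(encoded) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("encoded NetBIOS name must be 32 letters A..P")
    raw = bytes(
        ((ord(encoded[i]) - ord("A")) << 4) | (ord(encoded[i + 1]) - ord("A"))
        for i in range(0, 32, 2)
    )
    suffix = raw[15]
    return raw[:15].decode("ascii").rstrip(), suffix, NETBIOS_SUFFIXES.get(suffix, "unknown")


if __name__ == "__main__":
    # Constructed sample: the file-server registration of a host named FILESRV01.
    encoded = first_level_encode(netbios_name("FILESRV01", 0x20))
    print(encoded, first_level_decode(encoded))
```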

Command-Line Tools

The Windows operating system has several command-line tools built into it. It is recommended that you take a look at the various parameters and switches available.
  • netstat displays network connections, routing tables, and network protocol statistics.

  • nbtstat is a diagnostic tool for NetBIOS and is used to troubleshoot NetBIOS name resolution problems.

SNMP Enumeration

Simple Network Management Protocol (https://networkencyclopedia.com/simple-network-management-protocol-snmp/) is used to maintain and manage routers, hubs, and switches. It is an application layer protocol. An attacker is interested in the Master Information Base (MIB) because that is where the data is stored that describes the resources being monitored.
  • Agents are allocated to managed systems and network management stations.

  • The information acquired is processed.

  • A MIB is set up with the resources to be monitored.

  • The default community string comprises the characters PUBLIC.

  • The attacker seeks a target host with SNMP enabled and a default community string.

  • For enumeration, built-in SNMP objects will be visible.

It is essential that you do not install the management and monitoring component if it is not going to be used. Important SNMP enumeration countermeasures are as follows:
  • Limit access to null session shares.

  • Delete the SNMP agent or turn the SNMP service off.

  • Alter the community string.

  • Enforce the group policy security option.
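As an added example (not code from the book), the following Python decodes the header of an SNMPv1/v2c message to show why the community string countermeasure above matters: the string is sent in cleartext immediately after the version field, so a network sensor can flag any request that still carries a default value. The packet bytes are a constructed sample and the set of default strings is the example's own assumption.

```python
# Added example (not code from the book): decode the header of an SNMPv1/v2c
# message to show that the community string travels in cleartext right after
# the version field. The same logic lets a network sensor flag requests that
# still carry a default community string, one reason to change it.

DEFAULT_COMMUNITIES = {"public", "private"}  # community strings commonly shipped as defaults


def read_tlv(data: bytes, pos: int):
    """Read one BER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def parse_snmp_header(packet: bytes) -> dict:
    """Return version, community and PDU type of an SNMPv1/v2c message."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must start with a SEQUENCE")
    tag, version, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER version")
    tag, community, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING community")
    pdu_tag, _, _ = read_tlv(body, pos)
    return {
        "version": int.from_bytes(version, "big"),   # 0 = SNMPv1, 1 = SNMPv2c
        "community": community.decode("ascii", "replace"),
        "pdu_type": pdu_tag,                         # 0xA0 GetRequest, 0xA1 GetNextRequest, ...
    }


def uses_default_community(packet: bytes) -> bool:
    """True when the message carries one of the default community strings."""
    return parse_snmp_header(packet)["community"] in DEFAULT_COMMUNITIES


# Constructed sample: SNMPv1 GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0), community "public".
SAMPLE_GETREQUEST = bytes.fromhex(
    "3026 020100 0406 7075626c6963"         # SEQUENCE, version 0, "public"
    "a019 020101 020100 020100"             # GetRequest PDU, request-id 1, error-status, error-index
    "300e 300c 0608 2b06010201010100 0500"  # varbind list: OID, NULL value
)

if __name__ == "__main__":
    print(parse_snmp_header(SAMPLE_GETREQUEST), uses_default_community(SAMPLE_GETREQUEST))
```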

Discovering Hosts with Windows Command Line Tools

Tools like nmap, zenmap, tcpdump, and Wireshark allow you to enumerate hosts, but there are some commands built into Windows that can also be used. Table 3-1 lists the commands used during Task 2 to enumerate Windows hosts.

Table 3-1. Commands Used During Task 2 to Enumerate Windows Hosts

  Command                        Description
  net view                       Enumerates the machines within the same workgroup
  net view /domain               Enumerates all workgroups and domains
  net view /domain:WORKGROUP     Enumerates the machines in the workgroup WORKGROUP
  net view /domain:XYZcompany    Enumerates the machines in the workgroup XYZcompany

Discovering Hosts with Metasploit

There are a large number of scanners within Metasploit. Use the search scanner command to list them. An ARP sweep can target a network, as shown in Figure 3-2. The NetBIOS scanner can get a list of computer names, as shown in Figure 3-3.

Figure 3-2. ARP sweep

Figure 3-3. NetBIOS scan

Using Cain

Cain is a password recovery tool (https://resources.infosecinstitute.com/topic/password-cracking-using-cain-abel/) for various types of passwords, such as network, computer, wireless, etc. You can scan all hosts in the subnet by using the MAC Address Scanner (Figure 3-4). By selecting each one and selecting Resolve Host Name, the results are displayed (Figure 3-5).

Figure 3-4. Setting up a scan with Cain

Figure 3-5. Cain scan results


Enumeration is the part of the testing process that requires permission from the organization. In this chapter, you learned about specific enumeration techniques, how to establish a null session, and various enumeration countermeasures. You also learned the differences between active and passive enumeration.

