Cyber Security Types of Enumeration (original) (raw)

Last Updated : 22 Nov, 2025

Enumeration is the process of scanning a target system, network, or application and collecting information on it while in the process. This step is critical in the reconnaissance phase of ethical hacking or penetration testing, where the aim is to find out some of the weaknesses within the target. Enumeration includes asking the system questions to get information such as usernames, machine names, shares, services, and other assets. The information that can be collected during the enumeration phase can be utilized by an attacker to understand the structure and security of the targeted system so that the attacker would understand what comes next.

**Types Of Enumeration

In this section, we will be discussing the various types of Enumerations.

**1. NetBIOS(Network Basic Input Output System) Enumeration

NetBIOS name is an exceptional 16 ASC used to distinguish the organization gadgets over TCP/IP, 15 characters are utilized for the device name, and the sixteenth character is saved for the administration or name record type.
Programmers utilize the NetBIOS enumeration to get a rundown of PCs that have a place with a specific domain, a rundown of offers on the individual hosts in the organization, and strategies and passwords.
Microsoft doesn't support the NetBIOS name goal for Internet Protocol Version 6.
The initial phase in specifying a Windows framework is to exploit the NetBIOS API. It was initially an Application Programming Interface(API) for custom programming to access LAN assets. Windows utilizes NetBIOS for document and printer sharing.
A hacker who finds a Windows OS with port 139 open can verify what assets can be accessed or seen on the far off framework. In any case, to count the NetBIOS names, the distant framework probably empowered document and printer sharing. This sort of enumeration may empower the programmer to peruse or keep in touch with the distant PC framework, contingent upon the accessibility of offers, or dispatch a DoS.
NetBIOS name list:

**Name	**NetBIOS Code	**Type
	<00>	UNIQUE
	<00>	GROUP
	<03>	UNIQUE
	<03>	UNIQUE
	<20>	UNIQUE
	<1D>	GROUP
	<1B>	UNIQUE

**Nbtstat Utility: In Windows, it shows NetBIOS over TCP/IP (NetBT) convention insights, NetBIOS name tables for both the neighborhood and distant PCs, and the NetBIOS name reserve. This utility allows a resuscitate of the NetBIOS name cache and the names selected with Windows Internet Name Service. The sentence structure for Nbtstat:

nbtstat [-a RemoteName] [-A IPAddress] [-c] [-n] [-r] [-R] [-RR] [-s] [-S] [Interval]

The table appeared beneath shows different Nbtstat boundaries:

Parameters

-a RemoteName
-A IPAddress
-c
-n
-r
-RR
-s
-S
Interval

**2. SNMP(Simple Network Management Protocol) Enumeration:

SNMP enumeration is a cycle of specifying client records and gadgets on an objective framework utilizing SNMP. SNMP comprises a manager and a specialist. Specialists are embedded on each organization gadget, and the manager is installed on a separate PC.
SNMP holds two passwords to get to and design the SNMP specialist from the administration station. The Read Community String is public by default and permits review of gadget/framework setup. The Read/Write Community String is private by default and permits far-off altering of configuration.
Hackers utilize these default network strings to remove data about a gadget. Hackers list SNMP to remove data about organization resources, for example, hosts, switches, gadgets, shares, and so on, and network data, for example, ARP tables, routing tables, traffic, and so on.
SNMP utilizes distributed architecture containing SNMP agents, managers, and a few related parts. Commands related to SNMP include: GetRequest, GetNextRequest, GetResponse, SetRequest, Trap.

Given below is the communication between the SNMP agent and manager:

Communication between SNMP agent And Manager

SNMP Enumeration tools are utilized to examine a solitary IP address or a scope of IP addresses of SNMP empowered organization gadgets to screen, analyze, and investigate security dangers. Instances of this sort of instruments incorporate NetScanTolls Pro, SoftPerfect Network Scanner, SNMP Informant, and so forth

**3. LDAP Enumeration:

Lightweight Directory Access Protocol is an Internet Protocol for getting to dispersed registry administrations.
Registry administrations may give any coordinated arrangement of records, regularly in a hierarchical and sensible structure, for example, a corporate email index.
A customer starts an LDAP meeting by associating with a Directory System Agent on TCP port 389 and afterward sends an activity solicitation to the DSA.
Data is sent between the customer and the worker utilizing Basic Encoding Rules.
Programmers query the LDAP service to gather information such as valid usernames, addresses, department details, and so on, which can be further used to perform attacks.
There are numerous LDAP enumeration apparatuses that entrance the registry postings inside Active Directory or other catalog administrations. Utilizing these devices, assailants can identify data, for example, substantial usernames, addresses, division subtleties, and so forth from various LDAP workers.
Examples of these kinds of tools include LDAP Admin Tool, Active Directory Explorer, LDAP Admin, etc.

LDAP

LDAP Enumeration

**4. NTP Enumeration:

Network Time Protocol is intended to synchronize clocks of arranged PCs.
It utilizes UDP port 123 as its essential method for correspondence.
NTP can check time to inside 10 milliseconds (1/100 seconds) over the public web.
It can accomplish correctness of 200 microseconds or better in a neighborhood under ideal conditions.
Executives regularly disregard the NTP worker regarding security. Be that as it may, whenever questioned appropriately, it can give important organization data to the programmers.
Hackers inquiries NTP workers to assemble significant data, for example, a list of hosts associated with NTP workers, Clients' IP addresses in an organization, their framework names and Oss, and Internal IPs can likewise be gotten if NTP worker is in the demilitarized zone.
NTP enumeration tools are utilized to screen the working of SNTP and NTP workers present in the organization and furthermore help in the configuration and confirmation of availability from the time customer to the NTP workers.

file

NTP Enumeration

**5. SMTP Enumeration:

Mail frameworks ordinarily use SMTP with POP3 and IMAP that empowers clients to spare the messages in the worker letter drop and download them once in a while from the mainframe.
SMTP utilizes Mail Exchange (MX) workers to coordinate the mail through DNS. It runs on TCP port 25.
SMTP provides 3 built-in commands: VRFY, EXPN, RCPT TO.
These servers respond differently to the commands for valid and invalid users from which we can determine valid users on SMTP servers.
Hackers can legitimately associate with SMTP through telnet brief and gather a rundown of substantial clients on the mainframe.
Hackers can perform SMTP enumeration using command-line utilities such as telnet, netcat, etc., or by using tools such as Metasploit, Nmap, NetScanTools Pro, etc.

smtp_enumeration

SMTP Enumeration

**6. DNS Enumeration using Zone Transfer:

It is a cycle for finding the DNS worker and the records of an objective organization.
A hacker can accumulate significant organization data, for example, DNS worker names, hostname, machine names, usernames, IPs, and so forth of the objectives.
In DNS Zone Transfer enumeration, a hacker tries to retrieve a copy of the entire zone file for a domain from the DNS server.
In order to execute a zone transfer, the hacker sends a zone transfer request to the DNS server pretending to be a client, the DNS then sends a portion of its database as a zone to you. This zone may contain a ton of data about the DNS zone organization.

1_malicious_actor

DNS Enumeration

**7. IPsec Enumeration:

IPsec utilizes ESP (Encapsulation Security Payload), AH (Authentication Header), and IKE (Internet Key Exchange) to make sure about the correspondence between virtual private organization (VPN) end focuses.
Most IPsec-based VPNs use the Internet Security Association and Key Management Protocol, a piece of IKE, to establish, arrange, alter, and erase Security Associations and cryptographic keys in a VPN climate.
A straightforward checking for ISAKMP at the UDP port 500 can demonstrate the presence of a VPN passage.
Hackers can research further utilizing an apparatus, for example, IKE-output to identify the delicate information including encryption and hashing calculation, authentication type, key conveyance calculation, and so forth.

ipsec_enumeration

IPSec Enumeration

**8. VoIP(Voice over IP) Enumeration:

VoIP uses the SIP (Session Initiation Protocol) protocol to enable voice and video calls over an IP network.
SIP administration by and large uses UDP/TCP ports 2000, 2001, 5050, 5061.
VoIP enumeration provides sensitive information such as VoIP gateway/servers, IP-PBX systems, client software, and user extensions.
This information can be used to launch various VoIP attacks such as DoS, Session Hijacking, Caller ID spoofing, Eavesdropping, Spamming over Internet Telephony, VoIP phishing, etc.

voip_enumeration

VoIP Enumeration

**9. RPC Enumeration:

Remote Procedure Call permits customers and workers to impart in disseminated customer/worker programs.
Counting RPC endpoints empower aggressors to recognize any weak administrations on these administration ports.
In networks ensured by firewalls and other security establishments, this portmapper is regularly sifted. Along these lines, hackers filter high port reaches to recognize RPC administrations that are available to coordinate an assault.

portmapper_response

RPC Enumeration

**10. Unix/Linux User Enumeration:

One of the most vital steps for conducting an enumeration is to perform this kind of enumeration. This provides a list of users along with details like username, hostname, start date and time of each session, etc.
We can use command-line utilities to perform Linux user enumeration like who, w, users, finger, etc.

file

Linux Enumeration

**11. SMB Enumeration:

SMB list is significant expertise for any pen-tester. Prior to figuring out how to count SMB, we should initially realize what SMB is. SMB represents server message block.
It's a convention for sharing assets like records, printers, by and large, any asset which should be retrievable or made accessible by the server. It fundamentally runs on port 445 or port 139 relying upon the server.
It is quite accessible in windows, so windows clients don't have to arrange anything extra as such other than essential set up. In Linux in any case, it is somewhat extraordinary. To make it work for Linux, you have to introduce a samba server since Linux locally doesn't utilize SMB convention.
Clearly, some kind of confirmation will be set up like a username and secret word, and just certain assets made shareable. So dislike everybody can get to everything, a solid confirmation.
The main evident defect is utilizing default certifications or effectively guessable and sometimes even no verification for access of significant assets of the server. Administrators should make a point to utilize solid passwords for clients who need to get to assets utilizing SMB. The subsequent blemish is the samba server. Samba servers are infamous for being hugely vulnerable.

smb_enumeration

SMB Enumeration

Mitigation Of Different Types Of Enumeration

**There are several countermeasures which can be taken into account for the mitigation of several kinds of enumeration:

**1. NetBIOS Enumeration:

Disable SMB and NetBIOS.
Use a network firewall.
Prefer Windows firewall/ software firewalls.
Disable sharing.

**2. SNMP Enumeration:

Eliminate the specialist or shut off the SNMP administration.
In the event that stopping SNMP isn't a choice, at that point change the default network string names.
Move up to SNMP3, which encodes passwords and messages.
Actualize the Group Policy security alternative.

**3. LDAP Enumeration:

Utilize SSL technology to encrypt the traffic.
Select a username unique in relation to your email address and empower account lockout.

**4. NTP Enumeration:

Configure MD5 Layer.
Configure NTP Authentication.
Upgrade NTP version.

**5. SMTP Enumeration:

Ignore email messages to unknown recipients.
Disable open relay feature.
Breaking point the number of acknowledged associations from a source to forestall brute force exploits.
Not to include sensitive mail server and localhost information in mail responses.

**6. DNS Enumeration Using Zone Transfer:

Incapacitate the DNS Zone moves to the untrusted hosts.
Make sure that the private hosts and their IP addresses are not published in DNS zone files of the public DNS server.
Use premium DNS regulation services that hide sensitive information such as host information from the public.
Utilize standard organization administrator contacts for DNS enlistment to maintain a strategic distance from social designing assaults.
Avoid publishing Private IP address information into the zone file.
Disable Zone Transfer for untrusted hosts.
Hide Sensitive information from public hosts.

**7. IPsec Enumeration:

Preshared keys utilized with both fundamental and forceful mode IKE key trade components are available to sniffing and disconnected savage power granulating assaults to bargain the shared mystery. You should utilize advanced testaments or two-factor validation components to refute these dangers.
Pre-shared keys and forceful mode IKE uphold is a catastrophe waiting to happen. On the off chance that you should uphold forceful mode IKE, utilize advanced declarations for verification.
Forcefully firewall and channel traffic coursing through VPN encrypted tunnel so that, in case of a trade-off, network access is restricted. This point is particularly significant while giving versatile clients network access, instead of branch workplaces.
Where conceivable, limit inbound IPsec security relationship to explicit IP addresses. This guarantees that regardless of whether an aggressor bargains a preshared key, she can only with significant effort access the VPN.

**8. VoIP (Voice over IP) Enumeration:

This hack can be smothered by actualizing SIPS (SIP over TLS) and confirming SIP queries and reactions (which can incorporate uprightness insurance).
The utilization of SIPS and the verification of reactions can stifle many related hacks including eavesdropping and message or client pantomime.
The utilization of digest confirmation joined with the utilization of TLS between SIP telephones and SIP intermediaries can give a station through which clients can safely validate inside their SIP domain.
Voicemail messages can be changed over to message records and parsed by ordinary spam channels. This can just shield clients from SPIT voicemails.

**9. RPC Enumeration:

Try not to run rexd, users, or rwalld RPC administrations, since they are of negligible utilization and give aggressors both valuable data and direct admittance to your hosts.
In high-security conditions, don't offer any RPC administrations to the public Internet. Because of the unpredictability of these administrations, almost certainly, zero-day misuse contents will be accessible to assailants before fixed data is delivered.
To limit the danger of inner or confided in hacks against vital RPC administrations, (**for example, NFS segments, including statd, lockd, and mountd), introduce the most recent seller security patches.
Forcefully channel egress traffic, where conceivable, to guarantee that regardless of whether an assault against an RPC administration is effective, an associate back shell can't be brought forth to the hacker.

**10. Unix/Linux User Enumeration:

Keep the kernel fixed and refreshed.
Never run any service as root except if truly required, particularly the web, information base, and record mainframes.
SUID digit ought not to be set to any program which lets you getaway to the shell.
You should never set SUID cycle on any record supervisor/compiler/mediator as an aggressor can undoubtedly peruse/overwrite any documents present on the framework.
Try not to give sudo rights to any program which lets you break to the shell.

**11. SMB Enumeration:

Impair SMB convention on Web and DNS mainframes.
Debilitate SMB convention web confronting mainframes.
Handicap ports TCP 139 and TCP 445 utilized by the SMB convention.
Restrict anonymous access through the RestrictNull Access parameter from the Windows Registry.

How Enumeration Gives an Attacker Access to Sensitive Data?

Enumeration is a strong tool in the context of an adversary since the latter gets the possibility to collect as many specific data as possible in relation to the object under attack. Once a connection with the target host is established, the attacker can extract sensitive data such as:

**Usernames and Passwords: Sometimes, through gaining knowledge of the passwords and username, an attacker can easily penetrate into several systems.
**Network Shares and Resources: Knowledge about shared folder, files and devices is good news to the attacker as they can take advantage of that or even gain further hold.
**Configuration Settings: Additional, one may discover misconfigurations in security settings that gives the attackers, potential points of entry.
**System Architecture Details: Getting to know the actual structure of the used system allows the attacker to better adapt in his actions.

The Enumeration Step of Security Testing

In security testing especially in penetration testing enumeration is an important phase that follows reconnaissance. In this phase, which often involves whistle blowing, testers escalate their function and seek to obtain as much information about the target system as they can. The end product is to look for the blind spots that can be exploited by a malicious user in order to compromise the system.

**Key activities in the enumeration phase include:

**Identifying User Accounts: Finding legitimate usernames and if possible, the passwords to go with them.
**Mapping Network Resources: Identifying hidden resources, services and device on the network.
**Extracting Configuration Data: They involve collecting information on the settings of the system, established security policies as well as the security measures in place.
**Detecting Running Services: Gleaning service running and open ports which are potential gateway for an attack.