Skip to content
CEH Practical Guide

🔠 Enumeration

Enumeration is the process of gathering information about a target’s services and users.

NetBIOS

Section titled “NetBIOS”

NetBIOS is a network protocol that allows applications on different computers to communicate over a network.

nbstat

Section titled “nbstat”
Terminal window
# Display name table
nbtstat -a TARGET


# Display cache
nbtstat -c TARGET


# Display information
net use TARGET

nmap

Section titled “nmap”
Terminal window
# NetBIOS name service
nmap -p 137 --script nbstat TARGET

Other tools

Section titled “Other tools”
nbtenum NetBIOS enumeration tool

SNMP

Section titled “SNMP”

SNMP (Simple Network Management Protocol) is a protocol used to manage and monitor network devices.

It is used to gather information about devices on a network, such as their status, performance, and configuration.

nmap

Section titled “nmap”
Terminal window
# SNMP server details
nmap -p 161 --script snmp-sysdescr TARGET


# SNMP running processes
nmap -p 161 --script snmp-processes TARGET


# SNMP running applications
nmap -p 161 --script snmp-win32-software TARGET


# SNMP network interfaces
nmap -p 161 --script snmp-interfaces TARGET

snmpwalk

Section titled “snmpwalk”
Terminal window
# SNMPv1 scan
snmpwalk -v1 -c public TARGET


# SNMPv2c scan
snmpwalk -v2c -c public TARGET

snmp-check

Section titled “snmp-check”
Terminal window
snmp-check TARGET

Other tools

Section titled “Other tools”
SoftPerfect Network Scanner SNMP, HTTP, and SSH enumeration tool

LDAP

Section titled “LDAP”

LDAP (Lightweight Directory Access Protocol) is a protocol used to access and manage directory information.

It is used to gather information about users, groups, and other objects in a directory.

ldapsearch

Section titled “ldapsearch”
Terminal window
# LDAP enumeration
ldapsearch -x -h TARGET -s base "(objectClass=*)"

nmap

Section titled “nmap”
Terminal window
# LDAP enumeration
nmap -p 389 --script ldap-search TARGET


# LDAP brute force login
nmap -p 389 --script ldap-brute --script-args userdb=users.txt,passdb=pass.txt TARGET

Python

Section titled “Python”
import ldap3


server = ldap3.Server('TARGET')
conn = ldap3.Connection(server, user='user', password='pass')
conn.bind()


conn.search('dc=example,dc=com', '(objectClass=*)')
for entry in conn.entries:
    print(entry)

Other tools

Section titled “Other tools”
Active Directory Explorer Active Directory enumeration tool from Sysinternals

NFS

Section titled “NFS”

NFS (Network File System) is a protocol used to share files over a network.

showmount

Section titled “showmount”
Terminal window
# Show NFS shares
showmount -e TARGET

Other tools

Section titled “Other tools”
SuperEnum Enumeration tool for NFS and SMB
RPCScan RPC enumeration tool

DNS

Section titled “DNS”

DNS (Domain Name System) is a protocol used to resolve domain names to IP addresses.

dig

Section titled “dig”
Terminal window
# Enumerate nameservers
dig ns TARGET

nslookup

Section titled “nslookup”
Terminal window
# Enumerate nameservers
nslookup -type=ns TARGET

Other tools

Section titled “Other tools”
dnsrecon DNS enumeration tool

SMTP

Section titled “SMTP”

SMTP (Simple Mail Transfer Protocol) is a protocol used to send and receive email.

nmap

Section titled “nmap”
Terminal window
# SMTP enumeration
nmap -p 25 --script smtp-enum TARGET

Other tools

Section titled “Other tools”
Global Network Inventory Network inventory and monitoring tool
Advanced IP Scanner A free network scanner for Windows
enum4linux Linux tool for enumerating information from Windows and Samba systems