Welcome to the Enumeration module. This note will guide you thru all the methodologies that I used while preparing for the CEH (Practical) exam.


Enumeration is defined as the process of extracting user names, machine names, network resources, shares, and services from a system. The gathered information is used to identify the vulnerabilities or weak points in system security and try to exploit them in the system gaining phase.

Enumeration belongs to the first phase of Ethical Hacking, i.e., “Information Gathering”. This is a process where the attacker establishes an active connection with the victim and try to discover as many attack vectors as possible, which can be used to exploit the systems further.

Enumeration can be used to gain information on

  • Network shares

  • SNMP data, if they are not secured properly

  • IP tables

  • Usernames of different systems

  • Passwords policies lists

Enumerations depend on the services that the systems offer. They can be −

  • DNS enumeration

  • NTP enumeration

  • SNMP enumeration

  • Linux/Windows enumeration

  • SMB enumeration


NetBIOS is an acronym for Network Basic Input/Output System. It provides services related to the session layer of the OSI model allowing applications on separate computers to communicate over a local area network. As strictly an API, NetBIOS is not a networking protocol. There are different types of commands and tools to enumerate netBIOS.


  • Displays NetBIOS over TCP/IP (NetBT) protocol statistics, NetBIOS name tables for both the local computer and remote computers, and the NetBIOS name cache.

  • This command also allows a refresh of the NetBIOS name cache and the names registered with Windows Internet Name Service (WINS). Used without parameters, this command displays Help information.

  • This command is available only if the Internet Protocol (TCP/IP) protocol is installed as a component in the properties of a network adapter in Network Connections.

  • To display all the NETBIOS name tables of the Remote Windows Computer

    nbtstat -a 10.10.10.x



Domain master browser



Domain controller



Master browser for subnet






Domain name



Service running on system



Server service running

NETBIOS Enumerator

  • NetBIOS Enumerator tool is a GUI based windows tool used to enumerate the information of the windows remote machine

  • Pass the IP range to scan and then the work starts


Port 137 is utilized by the NetBIOS Name service.

Port 139 is used by SMB dialects that communicate over NetBIOS.

nmap -sV -v --script nbstat.nse
nmap -sU -p 137 --script nbstat.nse


Simple Network Management Protocol (SNMP) is a networking protocol used for the management and monitoring of network-connected devices in Internet Protocol networks. It is an application layer protocol in the OSI model framework. Typically, the SNMP protocol is implemented using the User Datagram Protocol (UDP).

Simple Network Management Protocol (SNMP) lives on Port number: 161


  • snmp-check is a tool used to check whether the respective server is vulnerable to SNMP Attacks.

  • If the server is vulnerable then the snmp-check enumerate the information of that machine.

snmp-check 10.10.10.x

SoftPerfect Network Scanner

  • SNMP SoftPacket Network Scanner is a GUI based windows tool.

  • Steps to initialize:

    • Click options menu → Remote SNMP→ Mark All/None.

    • Pass the IPV4 Range on the input field and start scanning.


LDAP (Lightweight Directory Access Protocol) is an open and cross-platform protocol used for directory services authentication. Directory services store the users, passwords, and computer accounts, and share that information with other entities on the network.

Lightweight Directory Access Protocol (LDAP) lives on Port number: 389

Lightweight Directory Access Protocol / Secure (LDAP/S) lives on Port number: 636

AD Explorer

  • AD Explorer is a Windows tool used to enumerate a domain that has LDAP misconfiguration.

  • Use this tool to get the data of the Active Directory.

Active Directory Explorer (AD Explorer) is an advanced Active Directory (AD) viewer and editor. You can use AD Explorer to easily navigate an AD database, define favorite locations, view object properties and attributes without having to open dialog boxes, edit permissions, view an object's schema, and execute sophisticated searches that you can save and re-execute.


The Network File System (NFS) is a mechanism for storing files on a network. It is a distributed file system that allows users to access files and directories located on remote computers and treat those files and directories as if they were local.

Network File System (NFS) runs on port number: 2049

Nmap Script

nmap -p 2049 10.10.10.x


  • Super Enum is a Linux based tool

  • Steps:

    • Create a file "Target.txt" and add the target IP address.

    • Run script

RPC Scan

  • Tool to communicate with RPC services and check misconfigurations on NFS shares

  • RPC Scan is a Linux based tool

python3 rpc-scan.py --rpc


DNS, or the Domain Name System, translates human-readable domain names (for example, www.google.com) to machine-readable IP addresses (for example,

  • A few example tools for DNS Enumeration are:

    • Dig

    • nslookup

    • dnsrecon


In distributed computing, a remote procedure call is when a computer program causes a procedure to execute in a different address space, which is coded as if it were a normal procedure call, without the programmer explicitly coding the details for the remote interaction.

Remote Procedure Calls (RPC) lives on port number: 111


In computer networking, Server Message Block, one version of which was also known as Common Internet File System, is a communication protocol for providing shared access to files and printers between nodes on a network. It also provides an authenticated inter-process communication mechanism.

Simple Message Block (SMB) lives on port number: 139, 445

Nmap Scripts

nmap -p 445 --script smb-enum 10.10.10.x
nmap -p 139 --script smb-enum-shares 10.10.10.x
nmap -p 139 --script smb-double-pulsar-backdoor 10.10.10.X


SMBMap allows users to enumerate samba share drives across an entire domain. List share drives, drive permissions, share contents, upload/download functionality, file name auto-download pattern matching, and even execute remote commands. This tool was designed with pen testing in mind, and is intended to simplify searching for potentially sensitive data across large networks.

smbmap -R tmp -H 10.10.10.x


smbclient is a client that can 'talk' to an SMB/CIFS server. Operations include things like getting files from the server to the local machine, putting files from the local machine to the server, retrieving directory information from the server and so on.

smbclient -L \\

My suggestion is to use Nmap to discover the SMP, RPC, FTP

Global Network Inventory

Global Network Inventory is a powerful and flexible software and hardware inventory system that can be used as an audit scanner in an agent-free and zero deployment environment. Global Network Inventory can audit remote computers and even network appliances, including switches, network printers, document centers, etc.

This tool is a GUI based windows tool that has the ability to enumerate lots of information and display it to us.

If you are done with all the tools and have no clue about the target then go with this tool.


Enum4linux is an enumeration tool capable of detecting and extracting data from Windows and Linux operating systems, including those that are Samba (SMB) hosts on a network. Enum4linux is capable of discovering the following: Password policies on a target. The operating system of a remote target.

enum4linux -A
enum4linux -u guru -p cloudflare -n 10.10.10.x
enum4linux -u guru -p cloudflare -U 10.10.10.x
enum4linux -u guru -p cloudflare -o 10.10.10.x
enum4linux -u guru -p cloudflare -P 10.10.10.x
enum4linux -u guru -p cloudflare -G 10.10.10.x
enum4linux -u guru -p cloudflare -S 10.10.10.x

    • -U -> Enumerate the users on the share
    • -o -> Enumerate the Operating System of the share
    • -P -> Enumerate the password policy of the share
    • -G -> Enumerate the Group policy of the share
    • -S -> Enumerate the Shared policy of the share

Last updated