Vulnerability Assessment and Penetration Testing (VAPT) are two tests
done in order to secure an organization. Vulnerability Assessment includes
searching for vulnerabilities, and penetration testing includes exploiting the
vulnerabilities with the use of manual or automated testing.
The following steps are followed in the process of VAPT:

Scanning & Enumeration
Gaining Access
Maintaining Access
Clearing Tracks
Leaving Backdoors

Enumeration is defined as the process of extracting user names,
machine names, network resources, shares, and services from a system. In
the enumeration phase, the attacker creates active connections to the
system and performs directed queries to gain more information about the
target. The attacker then uses the gathered information to identify
vulnerabilities or weak points in system security and tries to exploit
them. Enumeration techniques are conducted in an intranet environment. It
involves making active connections to the target system. It is possible that
the attacker stumbles upon a remote IPC share, such as IPC$ in Windows,
that can be probed with a null session, allowing shares and accounts to be

Penetration testing is much more than just running exploits against
vulnerable systems. In fact, a penetration test begins before penetration
testers have even made contact with the victim systems.
As an expert ethical hacker and penetration tester you must know how
to enumerate target networks and extract lists of computers, user names,
user groups, ports, operating systems, machine names, network resources,
and services using various enumeration techniques.
Niranjana S. Karandikar, MSC 2 SEM 3 PAPER 1

Information Enumerated by Intruders includes:

Network resources and shares
Users and groups
Routing tables
Auditing and service settings
Machine names
Applications and banners
SNMP and DNS details

Through enumeration, an attacker may gather sensitive information about an organization if its security is not strong. He or she may then use that sensitive information to hack and break into the organization's network. If an attacker breaks into the organization, then the organization potentially faces huge losses in terms of information, service, or finance. Therefore, to avoid these kinds of attacks, every organization must test its own security. Testing the security of an organization legally against enumeration is called enumeration pen testing.

Enumeration pen testing is conducted with the help of the data collected in the reconnaissance phase. As a pen tester, conduct enumeration penetration tests to check whether the target network is revealing any sensitive information that may help an attacker to perform a well-planned attack. Apply all types of enumeration techniques to gather sensitive information such as user accounts, email contacts, IP addresses, DNS, network resources and shares, application information, and much more. Try to discover as much information as possible regarding the target. This helps you determine the vulnerabilities/weaknesses in the target organization's security.

Steps in Enumeration

Step 1: Find the network range
If you want to break into an organization's network, you should know the network range first. This is because if you know the network range, then you can mask yourself as a user falling within the range and then try to access the network. So the first step in enumeration pen testing is to obtain information about the network range. You can find the network range of the target organization with the help of tools such as Whois Lookup.

Step 2: Calculate the subnet mask
Once you find the network range of the target network, calculate the subnet mask required for the IP range using tools such as Subnet Mask Calculator. You can use the calculated subnet mask as an input to many of the ping sweep and port scanning tools for further enumeration.

Step 3: Undergo host discovery
Find the important servers connected to the Internet using tools such as Nmap. The Nmap syntax to find the servers connected to the Internet is as follows: nmap -sP <network range>. In place of <network range>, enter the network range value obtained in the first step.

Step 4: Perform port scanning
It is very important to discover the open ports and close them if they are not required. This is because open ports are the doorways for an attacker to break into a target's security perimeter. Therefore, perform port scanning to check for the open ports on the nodes. This can be accomplished with the help of tools such as Nmap, which includes discovering hosts and open ports.

Step 5: Perform DNS enumeration
Perform DNS enumeration to locate all the DNS servers and their records. The DNS servers provide information such as system and user names, IP addresses, etc. You can extract all this information with the help of the Windows utility nslookup.

Step 6: Perform NetBIOS enumeration
Perform NetBIOS enumeration to identify the network devices over TCP/IP and to obtain a list of computers that belong to a domain, a list of shares on individual hosts, and policies and passwords. You can perform NetBIOS enumeration with the help of tools such as SuperScan, Hyena, and WinFingerprint.

Step 7: Perform SNMP enumeration
Perform SNMP enumeration by querying the SNMP server in the network. The SNMP server may reveal information about user accounts and devices. You can perform SNMP enumeration using tools such as OpUtils and SolarWinds IP Network Browser.

Step 8: Perform Unix/Linux enumeration
Perform Unix/Linux enumeration using tools such as Enum4linux. You can use commands such as showmount, finger, rpcinfo (RPC), rpcclient, etc., to enumerate UNIX network resources.

Step 9: Perform LDAP enumeration
Perform LDAP enumeration by querying the LDAP service. By querying the LDAP service you can enumerate valid user names, departmental details, and address details. You can use this information to perform social engineering and other kinds of attacks. You can perform LDAP enumeration using tools such as Softerra LDAP Administrator.

Step 10: Perform NTP enumeration

Perform NTP enumeration to extract information such as the hosts connected to the NTP server, client IP addresses, the OS running on client systems, etc. You can obtain this information with the help of commands such as ntptrace, ntpdc, and ntpq.

Step 11: Perform SMTP enumeration
Perform SMTP enumeration to determine valid users on the SMTP server. You can use tools such as NetScanTools Pro to query the SMTP server for this information.

Step 12: Document all the findings
The last step in every pen test is documenting all the findings obtained during the test. You should analyze and suggest countermeasures for your client to improve their security.

The following techniques are used in Enumeration:

Banner Grabbing
Banner grabbing is an activity that is used to determine information about services that are being run on a remote computer. The technique works by using Telnet, or a proprietary program, to establish a connection with a remote machine, after which a bad request is sent. That will cause a vulnerable host to respond with a banner message, which may contain information that a hacker could use to further compromise a system. This technique can be useful to administrators in cataloging their systems, and ethical hackers can also use it during penetration tests. Malicious hackers also use banner grabbing, since the technique can reveal compromising information about the services that are running on a system.
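A banner only helps an attacker when it leaks something, so the defender's side of this technique is to audit the banners your own services return and strip version details from them. The following is an added example, not code from the handout: it takes banners captured from SSH, FTP, SMTP, Telnet and HTTP services (constructed samples; the hosts, ports and service labels are assumptions) and reports which products and versions each one discloses.

```python
"""Audit captured service banners for product/version disclosure.
Added example, not part of the original handout; banners are constructed."""
import re

# "Product/1.2.3", "Product_1.2p1" or "Product 1.2" -> (product, version)
VERSION_RE = re.compile(
    r"([A-Za-z][A-Za-z0-9.+-]*?)[/_ ]v?(\d+(?:\.\d+)+[A-Za-z0-9.-]*)")
# Product names worth reporting even when no version number follows them
PRODUCT_RE = re.compile(
    r"\b(OpenSSH|vsFTPd|ProFTPD|Pure-FTPd|Postfix|Exim|Sendmail|"
    r"Apache|nginx|Microsoft-IIS|Dovecot)\b")

def inspect_banner(service, banner):
    """Return what one banner reveals: (product, version) pairs and a verdict."""
    text = banner.strip()
    if service == "ssh":
        # SSH-2.0-<software>: drop the protocol prefix, keep the software id
        m = re.match(r"SSH-\d\.\d-(.*)", text)
        text = m.group(1) if m else text
    elif service == "http":
        # Only the identifying headers matter, not the status line or body
        hdrs = re.findall(r"(?im)^(?:Server|X-Powered-By):[ \t]*(.+?)\s*$", text)
        text = " ".join(hdrs)
    disclosures = [(m.group(1), m.group(2)) for m in VERSION_RE.finditer(text)]
    product = PRODUCT_RE.search(text)
    if not disclosures and product:
        disclosures.append((product.group(1), None))
    return {"service": service, "disclosures": disclosures,
            "discloses_version": any(v is not None for _, v in disclosures)}

# Constructed capture: (host, port, service) -> banner text read after connect
SAMPLE_CAPTURE = {
    ("10.0.0.5", 22, "ssh"): "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n",
    ("10.0.0.5", 21, "ftp"): "220 (vsFTPd 3.0.3)\r\n",
    ("10.0.0.7", 25, "smtp"): "220 mail.example.com ESMTP Postfix (Ubuntu)\r\n",
    ("10.0.0.9", 23, "telnet"): "Ubuntu 22.04.3 LTS\r\nlogin: ",
    ("10.0.0.9", 80, "http"): "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
                              "X-Powered-By: PHP/7.4.3\r\nContent-Type: text/html\r\n",
}

def audit(capture):
    """List (host, port, disclosures) for every banner that reveals a version."""
    findings = []
    for (host, port, service), banner in capture.items():
        report = inspect_banner(service, banner)
        if report["discloses_version"]:
            findings.append((host, port, report["disclosures"]))
    return findings

if __name__ == "__main__":
    for host, port, disclosed in audit(SAMPLE_CAPTURE):
        print(f"{host}:{port} reveals {disclosed}")
```

Every host the audit lists is a candidate for the "modify banner messages" countermeasure given later in this handout; the Postfix banner is reported without a version and so is not flagged.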

In a computer networking context, the term banner typically refers to a message that a service transmits when another program connects to it. Default banners often consist of information about a service, such as the version number, when it was modified last, and other similar information. The banner for a hypertext transfer protocol (HTTP) service will typically show the type of server software, its version number, and other similar information. When a program such as Telnet is used to intentionally gather this information, it is usually referred to as banner grabbing. Whether Telnet or another program is used, banners are grabbed by connecting to a host and then sending a request to a port that is associated with a particular service, such as port 80 for HTTP. A few different types of software, including Telnet, NetCat and various proprietary programs, can be used to perform banner grabbing. Most operating systems (OSes) come with the ability to establish Telnet sessions, so that is one of the primary ways that banner grabbing is performed.

FTP Enumeration
FTP is the File Transfer Protocol. It runs on TCP port 21. It allows upload of (malicious) files and often allows anonymous access using any email address. Type ftp <ip address> <port number>, get the banner and determine access. Exploit it!
Countermeasures:
Turn off FTP when not in use
Use HTTP for public information access
Use Secure FTP (SFTP), which uses SSH, or FTP Secure (FTPS), which uses SSL

TELNET Enumeration
Telnet is a network protocol used on the Internet or local area networks to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection. Telnet is a type of network protocol that is used to establish a virtual terminal connection with a remote host. It runs on port 23 TCP. It is used for remote access and is less used now.

It transmits data in clear text. It often displays host system information, and even if it doesn't, the prompt may reveal system information. It may reveal valid usernames from login attempts, and it may be used for attacking accounts if lockout is not used.
Countermeasures:
Turn off
Use Secure Shell (SSH) instead
Modify banner messages
Modify error messages
Account locking / drop the connection on login failure

SMTP Enumeration
Simple Mail Transport Protocol works on port number 25 TCP. SMTP is a service that can be found in most infrastructure penetration tests. This service can help the penetration tester to perform username enumeration via the EXPN and VRFY commands if these commands have not been disabled by the system administrator. The role of the EXPN command is to reveal the actual addresses of user aliases and mailing lists, and VRFY can confirm the existence of the names of valid users. SMTP enumeration can be performed manually through utilities like telnet and netcat, or automatically via a variety of tools like metasploit, nmap and smtp-user-enum. There are a number of ways in which this enumeration through SMTP can be achieved, and they will be explained in this article.
Countermeasures:
Configure the server to turn off VRFY and EXPN, or
Configure it to require authentication/privileges to use them

DNS Enumeration
DNS enumeration is the process of locating all the DNS servers and their corresponding records for an organization. A company may have both internal and external DNS servers that can yield information such as usernames, computer names, and IP addresses of potential target systems. There are a lot of tools that can be used to gain information for performing DNS enumeration. Examples of tools that can be used for DNS enumeration are NSlookup, DNSstuff, American Registry for Internet Numbers (ARIN), and Whois. To enumerate DNS, you must have an understanding of DNS and how it works. The DNS implements a distributed, hierarchical, and redundant database for information associated with Internet domain names and addresses. In these domain servers, different record types are used for different purposes. The list of DNS records provides an overview of the types of resource records (database records) stored in the zone files of the Domain Name System (DNS). The following list describes the common DNS record types and their use:

A (address): Maps a host name to an IP address
SOA (Start of Authority): Identifies the DNS server responsible for the domain information
CNAME (canonical name): Provides additional names or aliases for the address record
MX (mail exchange): Identifies the mail server for the domain
SRV (service): Identifies services such as directory services
PTR (pointer): Maps IP addresses to host names
NS (name server): Identifies other name servers for the domain

DNS Zone Transfer is typically used to replicate DNS data across a number of DNS servers, or to back up DNS files. A user or server will perform a specific zone transfer request from a "name server". If the name server allows zone transfers to occur, all the DNS names and IP addresses hosted by the name server will be returned in human-readable ASCII text.

TFTP Enumeration
Trivial File Transfer Protocol (TFTP) runs on port number 69 and is a simple, lock-step file transfer protocol which allows a client to get or put a file onto a remote host. One of its primary uses is in the early stages of nodes booting from a Local Area Network. TFTP has been used for this application because it is very simple to implement. It may allow download of sensitive files (e.g., /etc/passwd, /etc/shadow, network device configuration files, etc.).
Countermeasures:
Turn off, if possible
Wrap in a TCP wrapper to restrict access
Limit access to the /tftpboot/ directory
Block at the border firewall

HTTP Enumeration
Hyper Text Transfer Protocol runs on TCP port 80. While enumerating, the supported HTTP methods can be found out, and web pages can also be downloaded for offline viewing.
Countermeasures:
Change the banner and use the IIS Lockdown tool, which disables features that are not necessary

MSRPC Enumeration
Microsoft Remote Procedure Call (MSRPC) runs on TCP 135. RPC is a portmapper for Windows. It gives a list of services with version and IP/protocol/port info. The following tool can be used for enumerating MSRPC: the Winfingerprint tool (sourceforge).
Countermeasures:
Restrict outside access
Require use of a VPN for external access
Use OWA (Outlook Web Access) for remote mail access

SNMP Enumeration

Simple Network Management Protocol runs on UDP 161. Simple Network Management Protocol (SNMP) is an "Internet-standard protocol for managing devices on IP networks". Devices that typically support SNMP include routers, switches, servers, workstations, printers, modem racks and more.
Countermeasures:
Remove or disable SNMP agents on hosts
Use obscure community names (e.g., NOT "public" or "private")
Block port 161 at all perimeter network access devices
Restrict access to specific IP addresses
Use SNMPv3 (more secure)
Set the Registry to permit only authorized access

FINGER Enumeration
Finger runs on TCP/UDP 79. It reveals logged-in users, idle times and user information taken from public file information.
Countermeasures:
Turn off
Block port 79
Restrict access
Restrict the information given

Vulnerability Scanners
Vulnerability scanners are automated tools that scan web applications to look for known security vulnerabilities such as cross-site scripting, SQL injection, command execution, directory traversal and insecure server configuration. A large number of both commercial and open source tools are available, and all these tools have their own strengths and weaknesses.

The following tools can be used for Enumeration:

NMAP
Methodology:
Perform scans to find hosts with NetBIOS ports open (135, 137-139, 445)
Do an nbtstat scan to find generic information (computer names, user names, MAC addresses) on the hosts
Create a Null Session to these hosts to gain more information
Perform an nmap -O scan
Run the command nbtstat -A IPAddress
In the command prompt, type net use \\X.X.X.X\IPC$ /u:"" (where X.X.X.X is the address of the host machine, and there are no spaces between the double quotes)
Confirm it by issuing a general net use command to see connected null sessions from your host

SuperScan
SuperScan is a TCP port scanner, pinger, and resolver. The tool's features include extensive Windows host enumeration capability, TCP SYN scanning, and UDP scanning. SuperScan results comprise the following enumeration types:
Null Session
MAC Address
Work Station Type
Users
Groups
Domain
Account Policies
Registry

Methodology:
Perform a NetBIOS enumeration. NetBIOS enumeration is carried out to obtain:
List of computers that belong to a domain
List of shares on the individual hosts on the network
Policies and passwords

Overview of NetBIOS Enumeration
1. The purpose of NetBIOS enumeration is to gather information such as:
a. Account lockout threshold
b. Local groups and user accounts
c. Global groups and user accounts
2. Restrict anonymous bypass routine and also password checking:
a. Checks for user accounts with blank passwords
b. Checks for user accounts with passwords that are the same as the usernames in lower case

Enumerating NetBIOS Using the NetBIOS Enumerator Tool
This tool scans a range of IP addresses for the following:
Machine Name
NetBIOS Names
User Name
Domain
MAC Address
Round Trip Time (RTT)

Enumerating a Network Using SoftPerfect Network Scanner
SoftPerfect Network Scanner is a free multi-threaded IP, NetBIOS, and SNMP scanner with a modern interface and many advanced features. NetBIOS enumeration is carried out to detect:
Hardware MAC addresses across routers
Hidden shared folders and writable ones
Internal and external IP addresses
This tool scans a range of IP addresses for the following:
IP Address
Host Names
MAC Address
Response Time

Enumerating a Network Using SolarWinds Toolset
The SolarWinds Toolset provides the tools you need as a network engineer or network consultant to get your job done, providing the diagnostic, performance, and bandwidth measurements you want. The toolset includes best-of-breed solutions that work simply and precisely, without extraneous, unnecessary features. SolarWinds scans an IP address for the following:
Interfaces
Services
Accounts
Shares
Hub Ports
TCP/IP Network Routes

Enumerating the System Using Hyena
Hyena uses an Explorer-style interface for operations, including right mouse click popup context menus for all objects. Management of users, groups (both local and global), shares, domains, computers, services, devices, events, files, printers and print jobs, sessions, open files, disk, user rights, messaging, exporting, job scheduling, processes, and printing are all supported. This tool helps in the following:
User information in the system
Services running in the system
Local Connections
Users
Local Group
Shares
Sessions
Services
Events
User Rights
Performance
Registry
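The null session in the NMAP methodology above (net use \\X.X.X.X\IPC$ /u:"") leaves a trace on the target: a network logon (Event ID 4624, logon type 3) for ANONYMOUS LOGON, usually followed within moments by an access to the IPC$ share (Event ID 5140, which is only written when the File Share audit subcategory is enabled). The following is an added example, not code from the handout: it correlates those two events per source address over a constructed JSON-lines export of Security events; the field names follow the Security log's XML fields, and the addresses and times are made up.

```python
"""Spot null-session style anonymous access in Windows Security events.
Added example, not part of the original handout; events are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

ANON = "ANONYMOUS LOGON"
WINDOW = timedelta(minutes=5)   # logon -> IPC$ access correlation window

# Constructed JSON-lines export; field names follow the Security log XML.
# 4624 = successful logon (LogonType 3 = network), 5140 = share accessed.
SAMPLE_EVENTS = r"""
{"EventID": 4624, "TimeCreated": "2024-05-01T10:00:01", "LogonType": 3, "TargetUserName": "ANONYMOUS LOGON", "TargetDomainName": "NT AUTHORITY", "IpAddress": "10.0.0.55"}
{"EventID": 5140, "TimeCreated": "2024-05-01T10:00:02", "SubjectUserName": "ANONYMOUS LOGON", "ShareName": "\\\\*\\IPC$", "IpAddress": "10.0.0.55"}
{"EventID": 4624, "TimeCreated": "2024-05-01T10:05:00", "LogonType": 3, "TargetUserName": "jdoe", "TargetDomainName": "CORP", "IpAddress": "10.0.0.23"}
{"EventID": 5140, "TimeCreated": "2024-05-01T10:05:01", "SubjectUserName": "jdoe", "ShareName": "\\\\*\\Finance", "IpAddress": "10.0.0.23"}
{"EventID": 4624, "TimeCreated": "2024-05-01T10:07:00", "LogonType": 3, "TargetUserName": "ANONYMOUS LOGON", "TargetDomainName": "NT AUTHORITY", "IpAddress": "10.0.0.99"}
"""

def parse_events(text):
    """Parse JSON lines into dicts sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["TimeCreated"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def is_anonymous_logon(ev):
    return (ev["EventID"] == 4624 and ev.get("LogonType") == 3
            and ev.get("TargetUserName") == ANON)

def is_anonymous_ipc_access(ev):
    return (ev["EventID"] == 5140 and ev.get("SubjectUserName") == ANON
            and ev.get("ShareName", "").upper().endswith("IPC$"))

def find_null_sessions(text):
    """Return {source_ip: [(finding, time), ...]} for anonymous network
    logons and anonymous IPC$ share access, correlated per source address."""
    logons = defaultdict(list)      # ip -> timestamps of anonymous logons
    findings = defaultdict(list)
    for ev in parse_events(text):
        ip = ev.get("IpAddress", "-")
        if is_anonymous_logon(ev):
            logons[ip].append(ev["ts"])
            findings[ip].append(("anonymous_network_logon", ev["TimeCreated"]))
        elif is_anonymous_ipc_access(ev):
            # IPC$ access shortly after an anonymous logon is the null session
            # pattern; without a matching logon it is still worth reporting.
            recent = any(ev["ts"] - t <= WINDOW for t in logons[ip])
            tag = "null_session_ipc_access" if recent else "anonymous_ipc_access"
            findings[ip].append((tag, ev["TimeCreated"]))
    return dict(findings)

if __name__ == "__main__":
    for ip, hits in find_null_sessions(SAMPLE_EVENTS).items():
        print(ip, hits)
```

The authenticated user jdoe produces no finding, so the rule separates ordinary share use from the anonymous probing that the RestrictAnonymous settings mentioned in the NetBIOS overview are meant to block.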