Network Enumeration

Objectives: Network Enumeration

Network Enumeration Labs - Full Notes

Prepared by: MWALA_LEARN


Lab 4-01: Perform NetBIOS Enumeration using Windows Command-Line Utilities

Scenario

FinanceSafe Inc., a financial services company, hired SecureDES Consultants, a cybersecurity firm, to evaluate its network security. The company is concerned that enabled NetBIOS services on Windows servers may expose sensitive data such as customer portals, employee applications, and financial databases.

Solution

As a penetration tester or Certified Ethical Hacker, you will perform NetBIOS enumeration using Windows command-line utilities like nbtstat and net view. This allows you to discover active systems, NetBIOS names, shared resources, and user information without authentication.

Step-by-Step Commands

  1. Open Command Prompt on Windows 10 VM: Search cmd in Windows Search and open it.
  2. Execute nbtstat -a [IP address] to view the NetBIOS name table of a remote system.
  3. Execute nbtstat -c to list the NetBIOS name cache.
  4. Execute net use to display network connections and shared resources.

Real-Life Example: Discovering that a finance server has shared folders named FinanceReports could alert you that sensitive financial data may be exposed to unauthorized users.

Lab 4-02: Perform SNMP Enumeration using SnmpWalk

Scenario

TechCore Systems relies heavily on network devices like routers and switches with SNMP enabled. Misconfigured SNMP settings could expose network configuration and sensitive information to attackers.

Solution

Use SnmpWalk to collect information such as ARP tables, routing tables, device settings, and active hosts.

Commands

sudo su
apt-get install snmp
snmpwalk -v1 -c public [Target IP]
snmpwalk -v2c -c public [Target IP]

Example: Enumerating SNMP could reveal the admin username of a router, which if weak, could be exploited for unauthorized access.
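
The snmpwalk commands above only return data when the agent accepts SNMPv1/v2c with the community string "public". The following is an added example, not part of the original lab notes: a defender-side audit of a net-snmp snmpd.conf for that weakness. The function name and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag net-snmp snmpd.conf lines that enable SNMPv1/v2c with a
# default community string ("public"/"private"), grant write access, or leave
# the source address unrestricted.

# audit_snmpd_conf reads snmpd.conf text on stdin and prints one finding per
# line as "<lineno>:<severity>:<reason>". A clean config prints nothing.
audit_snmpd_conf() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
    {
      d = $1                                     # directive name
      if (d == "rocommunity" || d == "rocommunity6" ||
          d == "rwcommunity" || d == "rwcommunity6") {
        comm = $2; src = $3                      # COMMUNITY [SOURCE ...]
      } else if (d == "com2sec" || d == "com2sec6") {
        i = ($2 == "-Cn") ? 4 : 2                # [-Cn CONTEXT] SECNAME SOURCE COMMUNITY
        src = $(i + 1); comm = $(i + 2)
      } else next                                # not a v1/v2c community directive

      if (comm == "public" || comm == "private")
        printf "%d:HIGH:default community \"%s\"\n", NR, comm
      if (d ~ /^rwcommunity/)
        printf "%d:HIGH:read-write community enabled\n", NR
      if (src == "" || src == "default")
        printf "%d:MEDIUM:no source restriction on %s\n", NR, d
    }'
}

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONF='# constructed sample snmpd.conf
rocommunity public default
rwcommunity s3cr3tRW 10.0.2.0/24
com2sec readonly 10.0.2.0/24 m0nit0r-ro
rouser authPrivUser priv'

# Stand-alone demo: audit the sample. On a real host, feed the file instead:
#   audit_snmpd_conf < /etc/snmp/snmpd.conf
printf '%s\n' "$SAMPLE_CONF" | audit_snmpd_conf
```

Only the SNMPv3 line (rouser ... priv) passes without findings; the v1/v2c lines are reported with their line numbers.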

Lab 4-03: LDAP Enumeration using Active Directory Explorer (AD Explorer)

Scenario

GlobalTech Solutions uses Active Directory (AD) to manage user accounts and network resources. Misconfigured LDAP settings can reveal sensitive information like usernames and server names.

Solution

Using AD Explorer, connect to the LDAP server (port 389) to enumerate users, groups, and directory structure.

Commands

  1. Download AD Explorer: https://learn.microsoft.com/en-us/sysinternals/downloads/adexplorer
  2. Connect to Windows Server 2025 IP using your credentials.
  3. Expand directory objects (DC=CEH, CN=Users) to view user accounts.
  4. Right-click displayName to modify or inspect user properties.

Lab 4-04: Perform NFS Enumeration using RPCScan and SuperEnum

Scenario

CodeStream Innovations uses NFS servers for file sharing. Misconfigured NFS services could expose directories and client information.

Solution

Use RPCScan to check RPC services and SuperEnum to enumerate open ports including NFS (port 2049).

Commands

nmap -p 2049 [Target IP]
git clone https://github.com/p4pentest/SuperEnum.git
cd SuperEnum
echo "[Target IP]" >> Target.txt
./superenum
git clone https://github.com/hegusung/RPCScan.git
cd RPCScan
python3 rpc-scan.py [Target IP] --rpc

Example: Detecting that NFS port 2049 is open can alert admins that unauthorized access to shared project files is possible.

Lab 4-05: DNS Enumeration using Zone Transfer

Scenario

MarketEdge Solutions wants to prevent attackers from discovering hostnames and internal IPs via DNS misconfigurations.

Solution

Use dig and nslookup to attempt zone transfers and gather DNS information.

Commands

dig ns [Target Domain]
dig @[NameServer] [Target Domain] axfr
nslookup
set querytype=soa
ls -d [Name Server]
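
To confirm that a nameserver you operate refuses zone transfers, the output of the dig axfr command above can be classified automatically. This is an added example, not part of the original lab notes; the function name and both sample outputs (using the reserved example.test zone) are constructed.

```shell
#!/bin/sh
# Added example: classify the output of `dig @NS ZONE axfr` and report how many
# records, and how many A records in private (RFC 1918) ranges, a transfer exposed.

# axfr_verdict reads dig output on stdin and prints one of:
#   REFUSED | OPEN records=<n> private_a=<m> | UNKNOWN
axfr_verdict() {
  awk '
    /^; Transfer failed/ { refused = 1 }
    /^;; XFR size:/      { size = $4 }       # ";; XFR size: N records (...)"
    /^;/ || NF < 5       { next }            # skip dig comments and short lines
    $3 == "IN" && $4 == "A" &&
      $5 ~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/ { priv++ }
    END {
      if (size > 0)      printf "OPEN records=%d private_a=%d\n", size, priv
      else if (refused)  print "REFUSED"
      else               print "UNKNOWN"
    }'
}

# Constructed sample: a nameserver that allows the transfer.
SAMPLE_OPEN='; <<>> DiG 9.18.1 <<>> @ns1.example.test example.test axfr
;; global options: +cmd
example.test. 3600 IN SOA ns1.example.test. admin.example.test. 1 3600 600 86400 3600
example.test. 3600 IN NS ns1.example.test.
ns1.example.test. 3600 IN A 203.0.113.10
intranet.example.test. 3600 IN A 10.0.2.20
hr-db.example.test. 3600 IN A 192.168.50.7
example.test. 3600 IN SOA ns1.example.test. admin.example.test. 1 3600 600 86400 3600
;; XFR size: 6 records (messages 1, bytes 312)'

# Constructed sample: a nameserver that refuses the transfer.
SAMPLE_REFUSED='; <<>> DiG 9.18.1 <<>> @ns1.example.test example.test axfr
;; global options: +cmd
; Transfer failed.'

# Stand-alone demo on the samples. Against your own server:
#   dig @"$ns" "$zone" axfr | axfr_verdict
printf '%s\n' "$SAMPLE_OPEN" | axfr_verdict
printf '%s\n' "$SAMPLE_REFUSED" | axfr_verdict
```

A correctly restricted server should yield REFUSED from every address that is not an authorized secondary.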

Lab 4-06: SMTP Enumeration using Nmap

Scenario

DataLink Solutions uses an internal SMTP server. Enumeration could reveal valid users and facilitate phishing.

Commands

nmap -p 25 --script=smtp-enum-users [Target IP]
nmap -p 25 --script=smtp-open-relay [Target IP]
nmap -p 25 --script=smtp-commands [Target IP]

Example: Identifying email users via SMTP enumeration could lead to targeted phishing campaigns if accounts are not secured.

Lab 4-07: Enumeration using Global Network Inventory

Scenario

FinEdge Solutions wants full visibility of its Windows and Linux infrastructure, including services, BIOS, NetBIOS, users, and software.

Solution

Download and install Global Network Inventory, scan the target IP, and collect detailed system information.


Lab 4-08: Enumeration using ShellGPT

Scenario

AI-assisted tools can automate network enumeration, analyze data, and detect patterns traditional tools might miss.

Commands

sgpt --shell "Perform NetBIOS enumeration on target IP 10.0.2.15"
sgpt --shell "Get NetBIOS info for IP 10.0.2.15 and display the associated names"
sgpt --shell "Enumerate NetBIOS on target IP 10.0.2.15 with nmap"
sgpt --chat enum --shell "Perform SNMP enumeration on target IP 10.0.2.15 using SnmpWalk"
sgpt --chat enum --shell "Perform SMTP enumeration on target IP 10.0.2.15"
sgpt --chat enum --shell "Use Nmap to perform DNS Enumeration on target domain www.certifiedhacker.com"

Differences Among Enumeration Techniques

Technique | Purpose | Real-Life Analogy
--- | --- | ---
NetBIOS Enumeration | Gather Windows computer names, shared folders, and users | Like checking office names on doors to know who works where
SNMP Enumeration | Collect network device info (routers, switches) | Like checking control room panels for all machine statuses
LDAP Enumeration | Extract Active Directory users, groups, servers | Like reading a company directory to know all employees and departments
NFS Enumeration | List shared files and folders on NFS servers | Like checking communal file cabinets in a shared office
DNS Enumeration | Identify hostnames and IP addresses | Like looking at a phone directory to find contacts and addresses
SMTP Enumeration | Discover valid email addresses | Like seeing a public mailing list to know everyone’s email
Global Network Inventory | Detailed audit of entire network and system details | Like a full inventory of all devices, software, and configurations in an office
AI/ShellGPT Enumeration | Automated, intelligent enumeration across multiple protocols | Like having an AI assistant checking all doors, files, and devices simultaneously

Sample Questions & Answers

  1. Q: What is NetBIOS enumeration used for?
    A: It is used to discover Windows computer names, shared folders, and user information on a LAN without authentication.
  2. Q: What ports does NetBIOS use?
    A: UDP 137 (Name Service), UDP 138 (Datagram Service), TCP 139 (Session Service).
  3. Q: How does SNMP enumeration help attackers?
    A: It reveals network devices, routing tables, ARP tables, and configuration, which could allow unauthorized access.
  4. Q: Why is LDAP enumeration sensitive?
    A: It exposes usernames, emails, departments, and server details, which could be used for targeted attacks.
  5. Q: Which port is used for NFS enumeration?
    A: Port 2049.
  6. Q: How can DNS zone transfers be exploited?
    A: If enabled, attackers can get all hostnames, IP addresses, and domain structure, mapping the target’s network.
  7. Q: Name one SMTP enumeration method.
    A: Using Nmap scripts like smtp-enum-users to identify valid email accounts.
  8. Q: How does Global Network Inventory differ from NetBIOS enumeration?
    A: Global Network Inventory gives a full network and system audit, including BIOS, OS, services, users, and shares, whereas NetBIOS only lists computer names, shares, and users.
  9. Q: Give an example of real-life use of AI in enumeration.
    A: ShellGPT can automate scanning all IPs, analyzing results, and suggesting attack vectors without manually running each tool.
  10. Q: What is the difference between active and passive enumeration?
    A: Active enumeration interacts directly with the target (e.g., SNMP walks, NetBIOS scans), potentially detectable. Passive enumeration collects info without direct interaction (e.g., public DNS records, WHOIS).

Reference Book: N/A

Author name: SIR H.A.Mwala Work email: biasharaboraofficials@gmail.com