03 - Enumeration
#Overview
Enumeration is the phase that decides how much of the target you actually see, which makes it the most consequential part of a penetration test. This is where you actively probe discovered systems to map the attack surface: open ports, running services, OS versions, network topology, and accessible resources. Incomplete enumeration is one of the most common reasons testers miss attack paths that would otherwise lead to compromise.
Enumeration bridges the gap between passive reconnaissance and active exploitation. Where reconnaissance tells you what exists, enumeration tells you how it works and where it's vulnerable.
#Methodology
The enumeration workflow follows a structured funnel -- start broad, then progressively narrow into specific services:
Network Discovery (live hosts) --> Port Scanning (open ports) --> Service Enumeration (versions/banners) --> Web Enumeration (dirs/vhosts) --> Local Enumeration (local context)
#Phase 1: Network Discovery
Identify all live hosts in the target scope. Decide up front how much noise the engagement tolerates: an ICMP echo sweep is fast, but it is often filtered at the perimeter and is the first thing an IDS flags, so combine it with TCP SYN/ACK probes to common ports (nmap -sn sends ICMP echo, TCP SYN to 443, TCP ACK to 80, and an ICMP timestamp request by default when run as root against remote targets) and, on a local segment, rely on ARP requests, which a host firewall cannot block.
#Phase 2: Port Scanning
For each live host, determine which TCP and UDP ports are open. Begin with a fast top-1000 TCP scan, then deep-scan interesting hosts on all 65535 TCP ports. UDP is far slower because closed ports rarely answer, so restrict it to the top ports (-sU --top-ports 100) and pay particular attention to DNS (53), SNMP (161), NTP (123), and TFTP (69).
#Phase 3: Service Enumeration
For each open port, identify the service name, version, and configuration. Banner grabbing, service-specific probes, and NSE scripts form the core of this step. The output feeds directly into vulnerability assessment.
#Phase 4: Web Enumeration
If web servers are discovered (80/443/8080/8443 and beyond), enumerate directories, virtual hosts, API endpoints, and the technology stack. Web applications are among the most common initial access vectors in external pentests, so do not stop at the default vhost: a server that answers on an IP address often serves different content when addressed by name.
#Phase 5: Local Enumeration
Once on a system, enumerate the local environment: users, groups, installed software, scheduled tasks, permissions, and network interfaces. This phase overlaps with post-exploitation and privilege escalation.
#Enumeration Flow: External vs Internal
#External Enumeration (from outside the network)
nmap discovery --> port scan (TCP + UDP top ports) --> service fingerprinting --> web directory brute-force --> exposed service assessment
Focus is on ingress points: web applications, VPN gateways, exposed RDP/SSH, cloud storage, and email services.
#Internal Enumeration (assumed breach or after foothold)
SMB/RPC enumeration --> LDAP/AD queries --> SNMP walks --> network share discovery --> internal service scanning
Focus shifts to lateral targets: domain controllers, file servers, database servers, internal web apps, and network segmentation gaps.
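Both the five-phase funnel above and the external/internal flows share one mechanic: the output of one stage is the input to the next. The script below is an added example for this page (not code from the original notes) that makes that hand-off concrete by parsing a saved nmap scan (-oX, or the .xml file that -oA writes) and emitting the per-host service-enumeration commands from this section's cheatsheet. It assumes nmap's own -sV service names and falls back to port numbers when a port was not fingerprinted; SAMPLE_XML is a constructed scan, not real output, and the command list is deduplicated so a host with both 139 and 445 open gets the SMB steps once.

```python
"""Turn a saved nmap scan (-oX / the .xml half of -oA) into the next-stage
service-enumeration plan, so one funnel stage feeds the next.

Added example for this page, not code from the original notes.  Assumes the
service names nmap emits with -sV; the follow-up commands are the ones from
this section's cheatsheet.  SAMPLE_XML below is constructed, not a real scan."""
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

WORDLIST = "/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt"

# Constructed nmap output: one host up (with a filtered port that must be
# ignored and a TLS web port reported as http + tunnel=ssl) and one host down.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -sU -sV -oX scan.xml 10.10.10.0/24">
<host><status state="up" reason="arp-response"/>
  <address addr="10.10.10.10" addrtype="ipv4"/>
  <hostnames><hostname name="dc01.corp.local" type="PTR"/></hostnames>
  <ports>
    <port protocol="tcp" portid="80"><state state="open"/>
      <service name="http" product="Microsoft IIS httpd" version="10.0"/></port>
    <port protocol="tcp" portid="135"><state state="filtered"/></port>
    <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
    <port protocol="tcp" portid="389"><state state="open"/>
      <service name="ldap" product="Microsoft Windows Active Directory LDAP"/></port>
    <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    <port protocol="tcp" portid="8443"><state state="open"/><service name="http" tunnel="ssl"/></port>
    <port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
  </ports>
</host>
<host><status state="down" reason="no-response"/>
  <address addr="10.10.10.11" addrtype="ipv4"/></host>
</nmaprun>"""


@dataclass
class OpenPort:
    proto: str
    port: int
    service: str          # normalised nmap service name ("https" for ssl-tunnelled http)
    product: str = ""
    version: str = ""


@dataclass
class Host:
    addr: str
    hostname: str = ""
    ports: list = field(default_factory=list)


# Ports nmap may leave unnamed (e.g. -sS without -sV), mapped to a service key.
PORT_FALLBACK = {80: "http", 443: "https", 8080: "http", 8443: "https",
                 139: "netbios-ssn", 445: "microsoft-ds", 389: "ldap",
                 636: "ldap", 135: "msrpc", 161: "snmp"}

# Follow-up enumeration per service; {ip}/{port}/{wordlist} are filled in later.
# netbios-ssn and microsoft-ds deliberately share the same SMB commands.
SMB = ["smbclient -L //{ip} -N", "crackmapexec smb {ip} --shares"]
FOLLOW_UP = {
    "microsoft-ds": SMB,
    "netbios-ssn": SMB,
    "ldap": ['ldapsearch -x -H ldap://{ip} -s base -b "" namingContexts'],
    "msrpc": ["rpcclient -U '' -N {ip} -c 'srvinfo;enumdomusers'"],
    "snmp": ["snmpwalk -v2c -c public {ip}"],
    "http": ["gobuster dir -u http://{ip}:{port} -w {wordlist}"],
    "https": ["gobuster dir -u https://{ip}:{port} -k -w {wordlist}"],
}


def parse_nmap_xml(xml_text):
    """Return every host nmap marked 'up', with only its open ports."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        status = h.find("status")
        addr = h.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        host = Host(addr=addr.get("addr"))
        hn = h.find("hostnames/hostname")
        if hn is not None:
            host.hostname = hn.get("name", "")
        for p in h.findall("ports/port"):
            state = p.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports carry no enumeration work
            svc = p.find("service")
            name = svc.get("name", "") if svc is not None else ""
            if name == "http" and svc.get("tunnel") == "ssl":
                name = "https"  # nmap reports TLS web servers as http + tunnel=ssl
            host.ports.append(OpenPort(
                proto=p.get("protocol"), port=int(p.get("portid")), service=name,
                product=svc.get("product", "") if svc is not None else "",
                version=svc.get("version", "") if svc is not None else ""))
        hosts.append(host)
    return hosts


def plan_enumeration(hosts, wordlist=WORDLIST):
    """Map each live host's address to a de-duplicated list of follow-up commands."""
    plan = {}
    for host in hosts:
        cmds = []
        for p in host.ports:
            key = p.service or PORT_FALLBACK.get(p.port, "")
            for tmpl in FOLLOW_UP.get(key, []):
                cmd = tmpl.format(ip=host.addr, port=p.port, wordlist=wordlist)
                if cmd not in cmds:  # 139 and 445 both map to SMB; run it once
                    cmds.append(cmd)
        plan[host.addr] = cmds
    return plan


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for host in parse_nmap_xml(text):
        print(f"# {host.addr} ({host.hostname or 'no PTR'}): {len(host.ports)} open ports")
        for cmd in plan_enumeration([host])[host.addr]:
            print(cmd)
```

Run it as `python3 plan.py full_scan.xml` against the cheatsheet's -oA output, or with no argument to see the plan for the constructed sample. Keying on the service name rather than the port number is what makes this hold up on internal engagements, where HTTP on 8000 or LDAP on a non-standard port is routine; the port table only catches the cases where nmap was run without -sV.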
#Linux vs Windows Target Differences
| Aspect | Linux Targets | Windows / AD Targets |
|---|---|---|
| OS identification | /etc/os-release, kernel version | systeminfo, ver, registry |
| Service management | systemd, init.d | Services MMC, sc query, WMI |
| User enumeration | /etc/passwd, getent passwd | net user, LDAP queries, BloodHound |
| Network shares | NFS, Samba | SMB/CIFS (net share, smbclient) |
| Authentication | SSH keys, PAM modules | Kerberos, NTLM, cached credentials |
| Scheduled tasks | cron, systemd timers | Task Scheduler, schtasks |
#What's in This Section
| File | Covers |
|---|---|
| nmap-port-scanning.md | Scan types (-sS/-sT/-sU/-sA), timing, NSE scripts, output formats, firewall/IDS evasion, mass-scanning strategies |
| smb-enumeration.md | SMB share enumeration, null sessions, smbclient/smbmap/crackmapexec, SMB signing detection |
| ldap-enumeration.md | Anonymous binds, domain info dumps, user/group enumeration, ldapsearch/ldapdomaindump |
| rpc-enumeration.md | RPC client usage, rpcclient commands, enumdomusers/enumdomgroups, srvinfo |
| snmp-enumeration.md | SNMP community string brute-force, MIB tree walking, snmpwalk, onesixtyone, snmp-check |
| web-enumeration.md | Directory/file brute-force (gobuster/ffuf/dirb), virtual host discovery, technology fingerprinting (WhatWeb/Wappalyzer), API endpoint discovery |
| dns-zone-transfers.md | Attempting AXFR, detailed DNS record analysis, reverse lookups |
| wmi-enumeration.md | WMI queries, wmic, Impacket's wmiexec, remote WMI enumeration |
| local-enumeration.md | Post-foothold system enumeration, users, groups, installed software, running processes, network config, PATH abuse |
#Cross-References
- 02-reconnaissance -- Passive recon should be complete before beginning active enumeration
- 04-vulnerability-assessment -- Enumeration output is the direct input to vulnerability identification
- Automated AD Enumeration Playbook -- Hit a Domain Controller? Run one script that sweeps the whole AD attack surface and saves results to organized files
#Quick Reference: Enumeration Command Cheatsheet
```bash
# Host Discovery
nmap -sn 192.168.1.0/24
# Full Port Scan
nmap -sC -sV -p- -oA full_scan 10.10.10.10
# SMB Enumeration
smbclient -L //10.10.10.10 -N
crackmapexec smb 10.10.10.10 --shares
# LDAP Enumeration
ldapsearch -H ldap://10.10.10.10 -x -b "DC=domain,DC=com"
# Web Enumeration
gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
# SNMP Walk
snmpwalk -v2c -c public 10.10.10.10
```