2.5 Enumeration
Key Takeaways
- Enumeration actively extracts named resources — user accounts, shares, services, and configuration — from services already discovered by scanning, creating direct connections that are logged
- NetBIOS (UDP 137/138, TCP 139) and SMB (TCP 445) enumeration can expose share names, user lists, OS details, and null-session data on legacy or misconfigured Windows hosts
- SNMP (UDP 161/162) enumeration with default community strings — read 'public', write 'private' — can dump interfaces, routes, ARP tables, and running processes via the MIB
- LDAP (389/636) reveals Active Directory users/groups/OUs; SMTP (25) VRFY/EXPN/RCPT TO confirm valid mailboxes; DNS zone transfer (AXFR over TCP 53) can dump the zone; NTP (123) leaks hosts/clients
- Countermeasures: disable unneeded services (NetBIOS/null sessions), change default SNMP community strings or move to SNMPv3, restrict zone transfers and LDAP anonymous binds, and disable SMTP VRFY/EXPN
What Enumeration Is
Enumeration is the active extraction of named resources — user accounts, group memberships, shares, services, routing tables, and configuration — from services that scanning already found. Where scanning answers "which ports are open?", enumeration answers "who and what is behind them?". It establishes direct connections to services, authenticated or unauthenticated, and issues directed queries, so it is firmly active and logged.
Enumeration is high value because it converts a generic open port into concrete attack inputs: a confirmed username list feeds password-spraying, a writable share feeds lateral movement, an SNMP dump hands over the network topology. The exam ties each enumeration technique to its protocol and port, so anchor your study on the protocol/port pairings below.
Keep the phase boundaries straight, because CEH tests them: scanning finds open ports, banner grabbing/version detection names the software, and enumeration extracts the named resources inside those services. Enumeration is the bridge from "port 445 is open" to "the host has a Backups$ share and a svc_sql service account." Everything below assumes you are authorised — the same queries a blue team runs to audit exposure are what an attacker runs to weaponise it.
NetBIOS, SMB, and SNMP
NetBIOS enumeration targets the legacy Windows naming service on UDP 137 (name), UDP 138 (datagram), TCP 139 (session). Tools like nbtstat -A <ip> and nbtscan return the NetBIOS name table — computer name, workgroup/domain, logged-on user, and services — and a NetBIOS suffix (e.g. <20> = file-sharing service).
SMB enumeration over TCP 445 (modern SMB) and 139 lists shares, users, OS version, and password policy. The historic risk is the null session — an unauthenticated IPC$ connection (net use \\target\IPC$ "" /u:"") that older Windows allowed, leaking user and share lists. Tools: enum4linux, smbclient, rpcclient.
SNMP enumeration uses UDP 161 (queries), 162 (traps) to read a device's MIB (Management Information Base). The fatal default is the community string: read-only public and read-write private. With a valid string, snmpwalk/snmp-check dump interfaces, routes, ARP and TCP tables, running processes, installed software, and user accounts. SNMPv1/v2c send these strings in cleartext; SNMPv3 adds authentication and encryption.
| Protocol | Port(s) | Tools | Exposes |
|---|---|---|---|
| NetBIOS | UDP 137/138, TCP 139 | nbtstat, nbtscan | Names, workgroup, logged-on user |
| SMB | TCP 445, 139 | enum4linux, smbclient, rpcclient | Shares, users, OS, null-session data |
| SNMP | UDP 161/162 | snmpwalk, snmp-check | Interfaces, routes, processes, accounts |
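The SNMP community-string weakness above is the one most often found in a device's own configuration file. As an added example (not code from the original page), here is a small audit of net-snmp style `snmpd.conf` directives that flags the `public`/`private` defaults and unrestricted v1/v2c communities; both configuration samples are constructed, and the SNMPv3 user name and passphrases are placeholders.

```python
from typing import List, Tuple

# Constructed sample of a net-snmp snmpd.conf still using the v1/v2c defaults.
WEAK_SNMPD_CONF = """\
# constructed example, not from a real device
rocommunity public
rwcommunity private 192.168.1.0/24
sysLocation  Rack 4
"""

# Constructed hardened equivalent: an SNMPv3 authPriv user, no community strings.
HARDENED_SNMPD_CONF = """\
# constructed example, not from a real device; passphrases are placeholders
createUser snmpaudit SHA "replace-with-auth-pass" AES "replace-with-priv-pass"
rouser snmpaudit priv
sysLocation  Rack 4
"""

DEFAULT_COMMUNITIES = {"public", "private"}


def audit_snmpd_conf(text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for community-string weaknesses."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        directive, args = parts[0].lower(), parts[1:]
        # rocommunity/rwcommunity <string> [source]: v1/v2c community access
        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6") and args:
            community = args[0]
            access = "read-write" if directive.startswith("rw") else "read-only"
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(("high", f"default {access} community '{community}' in use"))
            else:
                findings.append(("medium", f"v1/v2c {access} community '{community}' is sent in cleartext; prefer SNMPv3"))
            if len(args) == 1:   # no source restriction: any host may query
                findings.append(("medium", f"community '{community}' accepts queries from any source"))
        # com2sec <secname> <source> <community>: the same exposure via the view model
        elif directive == "com2sec" and len(args) >= 3:
            community = args[2]
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(("high", f"default community '{community}' mapped by com2sec"))
    return findings
```

A clean result on the hardened file is the check that the SNMPv3 migration actually removed every community directive rather than adding a user beside them.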
LDAP, SMTP, DNS, NTP, and the Countermeasures
LDAP enumeration queries directory services — especially Active Directory — on TCP/UDP 389 (LDAP) and 636 (LDAPS). Anonymous or weakly authenticated binds via ldapsearch or tools like ldapdomaindump reveal users, groups, organisational units (OUs), and policies — a goldmine for AD attacks. The Global Catalog adds TCP 3268/3269, and tools such as enum4linux, BloodHound (collected via SharpHound), and PowerView turn raw directory data into attack-path graphs.
Related Windows services: RPC on TCP 135 and the RPC endpoint mapper are common enumeration footholds, and MSRPC over SMB underpins much of the user/share listing.
SMTP enumeration abuses three mail commands on TCP 25 to confirm valid users before phishing or spraying:
- VRFY — verify a username exists.
- EXPN — expand a mailing list to its members.
- RCPT TO — accept/reject reveals whether a mailbox exists.
DNS enumeration over port 53 includes the zone transfer (AXFR over TCP 53), which on a misconfigured server dumps every record in the zone, plus subdomain brute-forcing. NTP enumeration on UDP 123 (ntpdc, ntpq monlist) can leak the list of hosts/clients that synced with a server, exposing internal IPs.
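On the defensive side, the SMTP and DNS techniques in this passage leave distinctive traces. The following detector is an added example, not code from the original page: it runs over constructed log lines (an SMTP server that records each client command with its response code, and a BIND-style transfer log) and maps each source address to the enumeration indicators seen from it. The log format, the allow-list of secondaries, and the rejection threshold are all assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed log lines, not from a real server.
SAMPLE_LOG = """\
mail: client=203.0.113.9 cmd=VRFY arg=alice resp=252
mail: client=203.0.113.9 cmd=VRFY arg=bob resp=550
mail: client=203.0.113.9 cmd=EXPN arg=all-staff resp=502
mail: client=203.0.113.9 cmd=RCPT arg=carol@example.com resp=550
mail: client=203.0.113.9 cmd=RCPT arg=dave@example.com resp=550
mail: client=203.0.113.9 cmd=RCPT arg=erin@example.com resp=250
mail: client=198.51.100.4 cmd=RCPT arg=erin@example.com resp=250
named: client 203.0.113.9#51234 (example.com): transfer of 'example.com/IN': AXFR started
named: client 192.0.2.2#53 (example.com): transfer of 'example.com/IN': AXFR started
"""

SMTP_RE = re.compile(r"client=(?P<ip>[\d.]+) cmd=(?P<cmd>VRFY|EXPN|RCPT) arg=\S+ resp=(?P<code>\d{3})")
AXFR_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+ \((?P<zone>[^)]+)\): transfer of .*AXFR started")

AUTHORISED_SECONDARIES = {"192.0.2.2"}   # constructed allow-list of zone-transfer peers
RCPT_FAIL_THRESHOLD = 2                  # unknown-recipient rejections before flagging


def detect_enumeration(log: str) -> Dict[str, List[str]]:
    """Map each source IP to the enumeration indicators observed from it."""
    indicators = defaultdict(set)
    rcpt_failures = defaultdict(int)
    for line in log.splitlines():
        m = SMTP_RE.search(line)
        if m:
            ip, cmd, code = m["ip"], m["cmd"], m["code"]
            if cmd in ("VRFY", "EXPN"):
                indicators[ip].add(f"smtp-{cmd.lower()}")    # direct probe for users or lists
            elif code.startswith("5"):
                rcpt_failures[ip] += 1                       # RCPT TO rejected: mailbox absent
                if rcpt_failures[ip] >= RCPT_FAIL_THRESHOLD:
                    indicators[ip].add("smtp-rcpt-harvest")  # accept/reject pattern = harvesting
            continue
        m = AXFR_RE.search(line)
        if m and m["ip"] not in AUTHORISED_SECONDARIES:
            indicators[m["ip"]].add(f"dns-axfr:{m['zone']}")  # zone transfer from an unknown host
    return {ip: sorted(v) for ip, v in indicators.items()}
```

A single source tripping several indicators at once, as 203.0.113.9 does here, is the pattern worth alerting on; a lone rejected RCPT TO is ordinary mail traffic.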
Countermeasures table
| Vector | Countermeasure |
|---|---|
| NetBIOS/SMB | Disable NetBIOS over TCP/IP and null sessions; restrict SMB; RestrictAnonymous |
| SNMP | Change default community strings; remove public/private; use SNMPv3; filter UDP 161 |
| LDAP | Disable anonymous binds; require LDAPS/TLS; least-privilege directory ACLs |
| SMTP | Disable VRFY/EXPN; ignore RCPT differences; rate-limit |
| DNS | Restrict AXFR to authorised secondaries; split-horizon DNS |
| NTP | Disable monlist; restrict NTP queries; patch |
The unifying defensive principle across all of these: disable services you do not need, replace every default credential/community string, and restrict verbose or anonymous responses — that single posture cuts exposure across NetBIOS, SMB, SNMP, LDAP, and SMTP at once.
Three more enumeration vectors round out the CEH module. IPsec enumeration probes VPN gateways on UDP 500 (IKE) to fingerprint the VPN and its supported transforms. VoIP enumeration targets SIP on UDP/TCP 5060/5061, where banner and extension scanning reveals the PBX, firmware, and valid extensions for toll-fraud or eavesdropping. RPC/SMB enumeration via the endpoint mapper on TCP 135 lists the dynamic ports of running services.
Across every vector the detective control is the same: any unauthenticated query that returns a list of internal resources is enumeration in progress, and a default-deny posture plus authenticated-only directory/management access shrinks what those queries can ever return. For the exam, pair each protocol with both its port and the one countermeasure that most directly neutralises it — that mapping is the highest-yield thing to memorise in this section.
An SNMP-managed router still uses the default read-only community string. What is the most significant enumeration risk this creates?
Which enumeration technique most directly lets an attacker confirm whether specific usernames or mailboxes exist before launching a phishing or password-guessing campaign?
On a legacy Windows host, an analyst establishes an unauthenticated IPC$ connection and retrieves the system's user and share lists. What is this technique called, and on which port does modern SMB primarily run?