Network Enumeration

Overview

Network service enumeration is the process of actively querying discovered services to extract version information, configuration details, user accounts, and data. It follows host discovery and port scanning — once you know what ports are open, enumeration determines what's running and how it's configured.

Each protocol has unique enumeration techniques. A service's default behavior, supported commands, and common misconfigurations define what information is accessible without credentials and what requires authentication.

General Approach

  1. Start with DNS: zone data and hostnames map the attack surface before you touch any host
  2. Enumerate unauthenticated services first: SNMP, anonymous FTP, TFTP, rsync modules
  3. Extract credentials and usernames: SMTP user enumeration, SNMP user OIDs, leaked configuration files
  4. Reuse discovered credentials across services: a password recovered from FTP may also work on SSH, SMTP, or web applications
  5. Check TLS certificates: the certificates presented by SMTP STARTTLS, FTPS, IMAPS, and POP3S leak internal hostnames
  6. Document NTLM disclosures: the SMTP, POP3, IMAP, and Telnet NTLM info scripts reveal internal domain names on Exchange/Windows hosts
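Step 6 works because an NTLM CHALLENGE_MESSAGE (Type 2) carries a TargetInfo block of AV_PAIRs holding the NetBIOS and DNS names of the domain and the responding computer, plus an OS version field. The following added example, which is not part of the original page or any of the tools it mentions, decodes that structure with the Python standard library so a defender can audit what their own mail or Telnet service discloses in its challenge. The sample message, the hostnames in it (EXCH01, corp.example.internal) and the helper names are all constructed for this example.

```python
import struct

# AvId values from the NTLM CHALLENGE_MESSAGE TargetInfo block (MS-NLMP 2.2.2.1)
AV_IDS = {
    0: "MsvAvEOL",
    1: "MsvAvNbComputerName",
    2: "MsvAvNbDomainName",
    3: "MsvAvDnsComputerName",
    4: "MsvAvDnsDomainName",
    5: "MsvAvDnsTreeName",
    7: "MsvAvTimestamp",
}
STRING_AV_IDS = {1, 2, 3, 4, 5}
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_VERSION = 0x02000000
HEADER_LEN_WITH_VERSION = 56  # fixed header size when the Version field is present

# Constructed sample: what an Exchange-like host might put in its challenge.
SAMPLE_AV_PAIRS = [
    (2, "CORP"),
    (1, "EXCH01"),
    (4, "corp.example.internal"),
    (3, "exch01.corp.example.internal"),
    (5, "corp.example.internal"),
]


def build_type2(target_name, av_pairs, challenge=b"\x11" * 8):
    """Build a constructed CHALLENGE_MESSAGE for offline testing (hypothetical helper)."""
    name = target_name.encode("utf-16-le")
    info = b"".join(struct.pack("<HH", av_id, len(v.encode("utf-16-le")))
                    + v.encode("utf-16-le") for av_id, v in av_pairs)
    info += struct.pack("<HH", 0, 0)  # MsvAvEOL terminator
    flags = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_VERSION
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)                       # signature, MessageType
    msg += struct.pack("<HHI", len(name), len(name), HEADER_LEN_WITH_VERSION)  # TargetNameFields
    msg += struct.pack("<I", flags) + challenge + b"\x00" * 8            # flags, ServerChallenge, Reserved
    msg += struct.pack("<HHI", len(info), len(info), HEADER_LEN_WITH_VERSION + len(name))  # TargetInfoFields
    msg += bytes([10, 0]) + struct.pack("<H", 0) + b"\x00\x00\x00" + b"\x0f"  # Version 10.0.0, revision 15
    return msg + name + info


def parse_type2(msg):
    """Decode a CHALLENGE_MESSAGE into the names and version it discloses."""
    if msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 2:
        raise ValueError("not a CHALLENGE_MESSAGE")
    tn_len, _, tn_off = struct.unpack_from("<HHI", msg, 12)
    (flags,) = struct.unpack_from("<I", msg, 20)
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)
    # Strings are UTF-16LE when NEGOTIATE_UNICODE is set; otherwise OEM (treated as latin-1 here)
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    result = {
        "target_name": msg[tn_off:tn_off + tn_len].decode(enc),
        "challenge": msg[24:32].hex(),
        "flags": flags,
        "target_info": {},
    }
    if flags & NTLMSSP_NEGOTIATE_VERSION and len(msg) >= HEADER_LEN_WITH_VERSION:
        major, minor, build = struct.unpack_from("<BBH", msg, 48)
        result["os_version"] = f"{major}.{minor}.{build}"
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == 0:  # MsvAvEOL
            break
        value = msg[pos:pos + av_len]
        pos += av_len
        name = AV_IDS.get(av_id, f"MsvAv{av_id}")
        result["target_info"][name] = (value.decode("utf-16-le")
                                       if av_id in STRING_AV_IDS else value.hex())
    return result


def disclosed_names(parsed):
    """Return the sorted set of hostnames/domain names the challenge reveals."""
    names = {parsed["target_name"]}
    names.update(v for k, v in parsed["target_info"].items()
                 if k in AV_IDS.values() and k != "MsvAvTimestamp")
    return sorted(n for n in names if n)


if __name__ == "__main__":
    parsed = parse_type2(build_type2("CORP", SAMPLE_AV_PAIRS))
    for k, v in parsed.items():
        print(f"{k}: {v}")
    print("disclosed:", disclosed_names(parsed))
```

To audit a live service you would feed `parse_type2` the base64-decoded blob returned after an `AUTH NTLM` (SMTP/IMAP/POP3) or Telnet NTLM exchange; the decoded names are exactly what the NTLM info scripts report, so anything in `disclosed_names` that is an internal-only name is a finding to track and, where NTLM is not needed on that interface, to remove by disabling the NTLM mechanism.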