Welcome to my new post on enumeration tools! In this post I've compiled some of the tools we can use for enumeration. There are many more tools available online, but these are the ones I prefer to use.
The tools mentioned below are mainly used for network enumeration. This list does not cover Linux/Windows host enumeration tools.
Enumeration is a critical phase in penetration testing, because its results (live hosts, open ports, service versions, usernames) feed directly into exploiting the system.
Below is the list of some of the tools used for enumeration.
Network Mapper (Nmap) is a security scanner, used to discover hosts and services on a computer network, thus building a map of the network. The tool was written by Gordon Lyon.
Features of Nmap:
- Host discovery
- Port Scanning
- Version Detection
- OS detection
- Scriptable interaction with the target, using the Nmap Scripting Engine (NSE) and the Lua language.
Common scans:
- Ping sweep the network.
- Full TCP port scan with service version detection.
- Aggressive scan (-A) with faster timing (-T4). The aggressive scan combines OS detection (-O), version detection (-sV), default script scanning (-sC) and traceroute (--traceroute).
Faster timing templates trade accuracy for speed: T5 is so aggressive that it can miss ports on slow or rate-limited hosts, so T4 is the better compromise when you need fast results.
Scan from a file: scan a list of IP addresses read from a file instead of giving targets on the command line.
Nmap output can be stored in a file in several formats: normal, XML and grepable. The output options are:
- Normal output (the same text Nmap prints to the terminal)
- XML output (machine-readable; the format to import into other tools)
- Grepable output (one line per host, easy to process with grep and awk)
- Script kiddie output (a leetspeak joke format, not useful for analysis)
- All three major formats at once (normal, XML and grepable), written as separate files sharing the given base name
Never run port scans blindly!
Always think of the traffic implications of your scans, and their possible effect on the target machines.
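The scans above are usually chained: a ping sweep saved in grepable format gives the live-host list that the full port scan reads from a file, and the full scan's grepable output is what you feed into the next tools. The script below is an added example, not a command from the post: the scan output it parses is constructed and embedded so the script runs offline, and the nmap command line it builds is printed rather than executed.

```sh
#!/bin/sh
# Added example, not a command from the post: chain a ping sweep into a full
# port scan by parsing Nmap's grepable (-oG) output. The scan output below is
# constructed for illustration and embedded so the script runs offline; the
# nmap commands themselves are only printed, never run.

# Constructed stand-in for: nmap -sn -oG sweep.gnmap 10.0.0.0/29
sweep_gnmap() {
    printf '%s\n' '# Nmap 7.94 scan initiated as: nmap -sn -oG sweep.gnmap 10.0.0.0/29'
    printf '%s\t%s\n' 'Host: 10.0.0.1 (gw.lab)'  'Status: Up'
    printf '%s\t%s\n' 'Host: 10.0.0.2 ()'        'Status: Up'
    printf '%s\t%s\n' 'Host: 10.0.0.3 ()'        'Status: Down'
    printf '%s\t%s\n' 'Host: 10.0.0.4 (web.lab)' 'Status: Up'
    printf '%s\n' '# Nmap done -- 8 IP addresses (3 hosts up) scanned'
}

# Constructed stand-in for: nmap -p- -sV -T4 -iL live.txt -oG full.gnmap
# Each port entry is port/state/proto/owner/service/rpcinfo/version/
full_gnmap() {
    printf '%s\t%s\t%s\n' 'Host: 10.0.0.1 (gw.lab)' \
        'Ports: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/' \
        'Ignored State: closed (65533)'
    printf '%s\t%s\t%s\n' 'Host: 10.0.0.2 ()' \
        'Ports: 445/filtered/tcp//microsoft-ds///' \
        'Ignored State: closed (65534)'
    printf '%s\t%s\t%s\n' 'Host: 10.0.0.4 (web.lab)' \
        'Ports: 443/open/tcp//http//Apache httpd 2.4.52/, 8080/filtered/tcp//http-proxy///' \
        'Ignored State: closed (65533)'
}

# Hosts the ping sweep marked Up, one IP per line: this becomes the -iL input
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# One line per open port: "host port/proto service version"
# Filtered and closed ports are dropped so only reachable services remain.
open_ports() {
    awk -F'\t' '
    /^Host:/ {
        split($1, h, " "); host = h[2]
        for (i = 2; i <= NF; i++) {
            if ($i !~ /^Ports: /) continue
            n = split(substr($i, 8), entry, ", ")
            for (j = 1; j <= n; j++) {
                split(entry[j], f, "/")
                if (f[2] == "open")
                    printf "%s %s/%s %s %s\n", host, f[1], f[3], f[5], f[7]
            }
        }
    }'
}

# The command the second stage would run: full TCP range, version detection,
# T4 timing, targets from the live-host file, all three output formats.
full_scan_cmd() {
    printf 'nmap -p- -sV -T4 -iL %s -oA %s\n' "$1" "$2"
}

# Demo of the workflow (commands are printed, not executed)
echo "Live hosts from the sweep:"
sweep_gnmap | live_hosts
echo "Second stage would run:"
full_scan_cmd live.txt full
echo "Open ports parsed from the full scan:"
full_gnmap | open_ports
```

In a real engagement you would replace the two constructed functions with `cat sweep.gnmap` and `cat full.gnmap`; the parsing functions work unchanged on genuine grepable output because the field layout (tab-separated sections, `port/state/proto/owner/service/rpcinfo/version/` entries) is what Nmap writes.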
Nikto is a web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version-specific problems on over 270 servers. Nikto is written in Perl.
Typical use: perform a Nikto scan against the target and save the output to a file. Besides plain text, Nikto can write its results in other formats, including:
- msf+: log to Metasploit
- nbe: Nessus NBE format
DirBuster is a multi-threaded Java application designed to brute force directory and file names on web/application servers. What looks like a web server in a default installation often is not: it has pages and applications hidden within, and DirBuster attempts to find them.
DirBuster comes pre-installed in Kali Linux and many other penetration testing distributions.
WPScan is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues.
- WPScan can be used to enumerate a WordPress URL, find installed plugins and detect whether a plugin is out of date.
- WPScan can also be used to brute force login forms on a WordPress URL.
Common operations:
- Scan the given URL
- Store the output in a file
- Brute force logins using usernames read from a file
- Provide a wordlist for the password brute forcer
Dnsenum is a multithreaded Perl script that enumerates the DNS information of a domain and discovers non-contiguous IP blocks.
Some of the operations it performs:
- Get the host's addresses (A records)
- Get the nameservers (NS records)
- Get the mail servers (MX records)
- Attempt zone transfers (AXFR) against each nameserver and query its BIND version; a nameserver that allows a transfer hands over the whole zone
- Perform reverse lookups on the discovered net ranges
dnsenum -o mydomain.xml example.com
The above command enumerates the domain example.com and stores the results in mydomain.xml in XML format.
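Each dnsenum step above is a plain DNS query, and it is worth knowing the manual equivalents so you can repeat a single step (the zone-transfer attempt above all) without re-running the whole tool. The script below is an added example, not part of the post or of dnsenum: it uses `dig` for the queries, keeps every network-facing step inside a function that is not called at the top level so the file runs offline, and the domain and address range it mentions are placeholders.

```sh
#!/bin/sh
# Added example (not from the post, not dnsenum's own code): manual dig
# equivalents of the dnsenum steps. Network-facing functions are defined but
# only the offline name-building runs at the top level. example.com and
# 10.0.0.0/29 below are placeholders, not real targets.

# 10.0.0.4 -> 4.0.0.10.in-addr.arpa, the name a reverse lookup resolves.
# Prints nothing for input that is not a dotted quad.
ptr_name() {
    printf '%s\n' "$1" | awk -F. 'NF == 4 {
        printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1
    }'
}

# PTR names for a range inside one /24: prefix, first octet, last octet
ptr_range() {
    prefix=$1; i=$2; last=$3
    while [ "$i" -le "$last" ]; do
        ptr_name "$prefix.$i"
        i=$((i + 1))
    done
}

# Step 1-3: A, NS and MX records of the domain
basic_records() {
    d=$1
    for t in A NS MX; do
        printf '== %s %s ==\n' "$t" "$d"
        dig +short "$t" "$d"
    done
}

# Step 4: per nameserver, the BIND version (CHAOS TXT) and a zone transfer.
# An AXFR that returns records instead of "Transfer failed." is a finding:
# the server just handed over every name in the zone.
nameserver_checks() {
    d=$1
    for ns in $(dig +short NS "$d"); do
        printf '== %s ==\n' "$ns"
        dig +short @"$ns" version.bind CHAOS TXT
        dig +noall +answer @"$ns" "$d" AXFR
    done
}

# Step 5: reverse lookups over a range, printing only addresses with a PTR
reverse_sweep() {
    ptr_range "$1" "$2" "$3" | while read -r name; do
        ip=$(printf '%s' "$name" | awk -F. '{ printf "%s.%s.%s.%s", $4, $3, $2, $1 }')
        ptr=$(dig +short -x "$ip")
        [ -n "$ptr" ] && printf '%s %s\n' "$ip" "$ptr"
    done
}

# Offline demo: only the name construction runs here. Against a real target
# you would call basic_records, nameserver_checks and reverse_sweep.
echo "PTR names dnsenum would resolve for 10.0.0.1-6:"
ptr_range 10.0.0 1 6
```

Run the three query functions by hand (`basic_records example.com`, `nameserver_checks example.com`, `reverse_sweep 10.0.0 1 254`) once you have authorisation for the target; the `-x` form of `dig` builds the in-addr.arpa name itself, so `ptr_name` is there to show what is actually being asked of the resolver.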