Introduction

Welcome to my new post on enumeration tools! In this post I’ve compiled some tools we can use for enumeration. There are many more tools available online, but these are the ones I prefer to use.
The tools mentioned below are mainly used for network enumeration. This list does not contain Linux/Windows enumeration tools.

Enumeration


Enumeration is often considered a critical phase in penetration testing, as the outcome of enumeration can be used directly for exploiting the system.
Below is a list of some of the tools used for enumeration.

Nmap

Network Mapper (Nmap) is a security scanner, used to discover hosts and services on a computer network, thus building a map of the network. The tool was written by Gordon Lyon.

Features of Nmap:

  • Host discovery
  • Port Scanning
  • Version Detection
  • OS detection
  • Scriptable interaction with the target, using the Nmap Scripting Engine (NSE) and the Lua programming language.

Nmap usage

Command                        Description
nmap -sn 10.11.1.0/24          Ping sweep the network.
nmap -p- -sV 10.11.1.0/24      Full TCP port scan with service version detection.
nmap -v -A -T4 10.11.1.0/24    Aggressive scan (-A) with faster timing (-T4). Aggressive scan is a combination of OS detection (-O), version scanning (-sV) and script scanning (-sC).

Aggressive scan timings are faster, but could yield inaccurate results!

-T5 uses very aggressive scan timings and could lead to missed ports; -T4 is a better compromise if you need fast results.

Scan from a file

Command                        Description
nmap -iL ip-address-list.txt   Scans the list of IP addresses in the file.

Output formats

Nmap output can be stored in a file in various formats, such as normal, XML and grepable format. The flags used are:

Flag   Description
-oN    Normal Nmap format
-oG    Grepable format
-oX    XML format
-oS    s|<rIpt kIddi3 format
-oA    Output in the three major formats at once

Example

Command                            Description
nmap -A -oA my-scan 10.11.1.0/24   Creates files in the three major formats at once.
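Once a scan has been saved with -oG (or with -oA, whose .gnmap file is the grepable form), the per-host lines can be post-processed instead of re-running the scan. The parser below is an added example, not code from the original post; it works on a constructed sample of grepable output (assumed, not real scan data) and pulls out each host's open ports and services so a large sweep can be triaged quickly.

```python
from collections import defaultdict

# Constructed sample of Nmap grepable (-oG) output; not real scan data.
# Fields on a "Host:" line are tab-separated "Key: value" pairs.
SAMPLE_GNMAP = """\
# Nmap 7.93 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -p- -sV -oG my-scan.gnmap 10.11.1.0/24
Host: 10.11.1.4 (web.lab)\tStatus: Up
Host: 10.11.1.4 (web.lab)\tPorts: 22/open/tcp//ssh//OpenSSH 8.4p1 Debian 5 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.51/, 443/closed/tcp//https///\tIgnored State: closed (65532)
Host: 10.11.1.9 ()\tStatus: Up
Host: 10.11.1.9 ()\tPorts: 3306/open/tcp//mysql//MySQL 5.7.33-0ubuntu0.18.04.1/\tIgnored State: filtered (65534)
# Nmap done at Mon Jan  1 10:05:12 2024 -- 256 IP addresses (2 hosts up) scanned in 312.01 seconds
"""


def parse_gnmap(text):
    """Return {ip: [port records]} for every Host: line that carries a Ports: field."""
    results = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment and summary lines start with '#'
        fields = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(": ")
            fields[key] = value.strip()
        if "Ports" not in fields:
            continue  # the "Status: Up" line for a host has no port data
        ip = fields["Host"].split()[0]  # drop the "(hostname)" part
        # Each port entry is port/state/proto/owner/service/rpcinfo/version/
        # Nmap replaces '/' inside the version string with '|', so the split is safe.
        for entry in fields["Ports"].split(", "):
            parts = entry.split("/")
            if len(parts) < 7:
                continue  # malformed entry: skip it rather than abort the whole file
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            results[ip].append({"port": int(port), "state": state, "proto": proto,
                                "service": service, "version": version.replace("|", "/")})
    return dict(results)


def open_ports(parsed):
    """Map each host to its open (port, proto) pairs, sorted."""
    return {ip: sorted((r["port"], r["proto"]) for r in recs if r["state"] == "open")
            for ip, recs in parsed.items()}


def hosts_running(parsed, service):
    """Hosts that expose the named service (e.g. 'http') on at least one open port."""
    return sorted(ip for ip, recs in parsed.items()
                  if any(r["service"] == service and r["state"] == "open" for r in recs))


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for ip, ports in open_ports(scan).items():
        print(ip, ports)
    print("http hosts:", hosts_running(scan, "http"))
```

To use it on a real result, read the .gnmap file produced by -oG or -oA and pass its contents to parse_gnmap.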
Never run port scans blindly!

Always think of the traffic implications of your scans, and their possible effect on the target machines.


Nikto

Nikto is a web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version-specific problems on over 270 servers. Nikto is written in Perl.

Usage

Command                                           Description
nikto -h 10.11.1.4 -Format txt -o my-output.txt   Perform a Nikto scan against the target and save the output to a file.

Formats Available

Format   Description
csv      Comma-separated values
htm      HTML format
msf+     Log to Metasploit
nbe      Nessus NBE format
txt      Plain text
xml      XML format

Dirbuster

DirBuster is a multi-threaded Java application designed to brute-force directory and file names on web/application servers. It is often the case that what looks like a web server in a default installation is not, and has pages and applications hidden within. DirBuster attempts to find these.

DirBuster comes pre-installed on Kali Linux and many other penetration-testing distros.


Note: Alternatives to DirBuster are gobuster and dirsearch.


Wpscan

WPScan is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues.

Source: http://wpscan.org/

  • WPScan can be used to enumerate a WordPress URL, find installed plugins, and detect whether a plugin is out of date.
  • WPScan can also be used to brute-force login forms on a WordPress URL.

Usage

Command                                  Description
wpscan -u <ip>                           Scan the given URL
wpscan -u <ip> --enumerate u             Enumerate users
wpscan -u <ip> --log output.txt          Store output in a file
wpscan -u <ip> --usernames <wordlist>    Brute-force usernames from the file
wpscan -u <ip> -U admin -w <wordlist>    Provide a wordlist for the password brute-forcer

Dnsenum

Dnsenum is a multithreaded Perl script to enumerate DNS information for a domain and to discover non-contiguous IP blocks.

Some of the operations it performs:

  • Get the host’s addresses (A record)
  • Get the nameservers
  • Get the MX record
  • Perform AXFR (zone transfer) queries on nameservers and get the BIND VERSION
  • Perform reverse lookups on netranges

Usage

dnsenum -o mydomain.xml example.com

The above command enumerates the domain example.com and stores the output in the file mydomain.xml in XML format.

