Penetration testing

Process: Scanning and enumeration

Irfan Shakeel
November 25, 2016 by
Irfan Shakeel

In an environment of global connection and cyber terrorism, the protection of information assets is vital to every private business, public organization, and individuals. In this paper, we will discuss different methods through which we can identify vulnerabilities and how attackers are using those methods against us. Furthermore, techniques to prevent the information loss are also being discussed.

The enumeration in information security

Enumeration in information security is the process of extracting user names, machine names, network resources, and other services from a system. All the gathered information is used to identify the vulnerabilities or weak points in system security and then tries to exploit it.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Techniques for enumeration

There are many ways to collect data, such as network users, routing tables and Simple Network Management Protocol (SNMP) information. Let's discuss the possible ways an attacker might enumerate a target network and what countermeasure can be taken to prevent these.

  • Extract User Names Using Email IDs:

Usually, email ID contains two parts; the one is Username, and the other is Domain name. The structure of the email address is "username@domainname." For instance, is an email ID, then xyz (Character preceding the '@' symbol) is the user name and (Character proceeding the '@' symbol) is the domain name.

  • Extracting Information Using the Default Passwords:

There are many online resources that publish many default passwords assigned by the manufacturer for their products. Often users forget to change the default passwords that help an attacker to enumerate their data easily.

  • Brute Force Active Directory:

Microsoft Active Directory is susceptible to a username enumeration weakness at the time of user-supplied input validation. This is the consequence of a design error in the application. Attacker takes benefits from it and exploits the weakness to enumerate valid usernames.

  • Extract Username Using SNMP:

By using SNMP APIs, attackers can guess the strings through which they can extract required username.

  • Extract Information Using DNS Zone Transfer:

An Attacker can get valuable topological information about the target's internal network using DNS zone transfer.

Services and ports to enumerate:

  • TCP 53: DNS Zone Transfer:

DNS zone transfer relies on TCP 53 port rather than UDP 53. The TCP protocol helps to maintain a consistent DNS database between DNS servers. DNS server always uses TCP protocol for the zone transfer.

  • TCP 137: NetBIOS Name Service (NBNS):

NBNS, also known as Windows Internet Name Service (WINS), maintain a database of the NetBIOS names for hosts and the corresponding IP address the host is using.

  • UDP 161: Simple Network Management Protocol (SNMP):

You can use the SNMP protocol for various devices and applications including firewall and routers to communicate logging and management information with remote monitoring application.

  • TCP/UDP 389: Lightweight Directory Access Protocol (LDAP):

You can use the LDAP Internet protocol, Microsoft Active Directory and as well as some email programs to look up contact information from a server.

  • TCP 25: Simple Mail Transfer Protocol (SMTP):

SMTP allows email to move across the internet and across the local internet. It runs on the connection-oriented service provided by Transmission Control Protocol (TCP) and uses port 25.

Port scanning

Port scanning is one of the most popular techniques that attacker uses to discover services, which can exploit the systems. All the systems connected to the LAN or accessing network via a modem which runs services that listen to well-known ports.

By using port scanning, we can explore information such as: What services are running, what users own those services, is anonymous login are supported, whether certain network services require authentication and other related details.

Port scanning techniques

There are various port scanning techniques available. The well-known tools like Nmap and Nessus have made port scanning process automated. The scanning technique includes:

  • Address Resolution Protocol (ARP) scan:

In this technique, a series of ARP broadcast is sent, and the value for the target IP address field is incremented in each broadcast packet to discover active devices on the local network segment. This scan helps us to map out the entire network.

  • Vanilla TCP connect scan:

It is the basic scanning technique that uses connect system call of an operating system to open a connection to every port that is available.

  • TCP SYN (Half Open) scan:

SYN scanning is a technique that a malicious hacker uses to determine the state of a communications port without establishing a full connection. These scans are called half open because the attacking system doesn't close the open connections.

  • TCP FIN Scan:

This scan can remain undetected through most firewalls, packet filters, and other scan detection programs. It sends FIN packets to the targeted system and prepares a report for the response it received.

  • TCP Reverse Ident Scan:

This scan discovers the username of the owner of any TCP connected process on the targeted system. It helps an attacker to use the ident protocol to discover who owns the process by allowing connection to open ports.

  • TCP XMAS Scan:

It is used to identify listening ports on the targeted system. The scan manipulates the URG, PSH and FIN flags of the TCP header.

  • TCP ACK Scan:

It is used to identify active websites that may not respond to standard ICMP pings. The attacker uses this method to determine the port status by acknowledgment received.

  • UDP ICMP Port Scan:

This scan is used to find high number ports, especially in Solaris systems. The scan is slow and unreliable.


Every publicly accessible server is vulnerable to port scans. There is no certain way to defeat port scan, while we can prevent this. Port scan is a general technique that ethical hackers also uses to determine the security flaws in the system. It depends on the purpose for which this technique is being used. But, the question is, how to prevent attackers to stealing our information?

One way to limit the information gained from port scans is to close unnecessary services on the targeted systems. Another way to limit the information given to port scanners is to employ TCP Wrappers, where applicable. Whereas, TCP Wrapper gives flexibility to the administrator to permit or deny access to the services based on IP addresses or domain names.

Additionally, another way to limit the loss of information through port scanning is to utilize PortSentry offered by Psionic. PortSentry detects connection requests on a number of selected ports. It is customizable and can be configured to ignore a certain number of attempts. The administrator can select what ports PortSentry will listen to for connection requests and a number of invalid requests. The administrator will list ports that their system is not supporting.

Port scanning tools

There are many port scanners that black hat hackers and ethical hacker use for their purposes. The most popular port scanners are following:


It is the best-known port scanner that is free and open source utility for network and security auditing. Nmap uses raw IP packets to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) the target machine is running, what type of packet filters/firewalls are in use, and other characteristics.

Angry IP Scanner

It is an open-source and cross-platform network scanner also known as IPscan designed to be fast and simple to use. It scans ports, IP addresses and provides many other features as well. It is supported on Linux, Windows, and Mac OS X, and other platforms as well.


Unicornscan is a new information gathering and correlation engine built for and by members of the security research and testing communities. It was designed to provide an engine that is Scalable, Accurate, Flexible, and Efficient. Unicornscan provides many features that include:

  • Asynchronous stateless TCP scanning with all variations of TCP Flags.
  • Asynchronous stateless TCP banner grabbing
  • Asynchronous protocol-specific UDP Scanning (sending enough of a signature to elicit a response).
  • Active and Passive remote OS, application, and component identification by analyzing responses.
  • Relational database output
  • Custom module support
  • Customized data-set views


It is a network scanner that doesn't require any configuration to start scanning. The various features provided by AutoScan includes:

  • Automatic network discovery
  • TCP/IP Scanner
  • Wake on LAN functionality
  • Multi-threaded Scanner
  • Port scanner
  • Low surcharge on the network
  • VNC Client
  • Telnet Client
  • SNMP scanner
  • Simultaneous subnetworks scan without human intervention
  • Real-time detection of any connected equipment
  • Supervision of any equipment (router, server, firewall)
  • Supervision of any network service (SMTP, HTTP, pop)
  • Automatic detection of known operatic system (brand and version), you can also add any unknown equipment to the database


Banner grabbing and operating system identification, also be defined as fingerprinting the TCP/IP stack, is the process that allows the hacker to identify particularly vulnerable or high-value targets on the network.

Many email and web servers respond to a Telnet connection with the name and version of the software that enables an attacker in fingerprinting the OS and application software. There are two categories in which fingerprint is further divided, Active stack and Passive Stack Fingerprinting.

The OS fingerprinting helps us to design better and implement security controls in networks and local machines. Additionally, effective OS fingerprinting is a vital penetration testing skill.

Active stack fingerprinting

It is the most common form of fingerprinting that involves sending data to a system to see how the system responds. Different operating system vendors implement the TCP stack differently, and their responses differ from each other, based on the operating system. The responses are then compared to a database to determine the operating system.

The Active stack fingerprinting is easily detectable, as it frequently attempts to connect with the same target system.

Passive stack fingerprinting

Passive stack fingerprinting is a bit complicated task that involves examining traffic on the network to determine the operating system rather than generating network traffic by sending packets to them. It uses sniffing techniques instead of scanning techniques. Passive Stack Fingerprinting remains undetected by an IDS or another security system but is less accurate than active fingerprinting.

Fingerprinting techniques

Fingerprinting techniques are based on detecting modification in packets produced by different operating systems.

Common techniques are based on analyzing:

  • IP TTL values.
  • IP ID values.
  • TCP Window size.
  • TCP Options (generally, in TCP SYN and SYN+ACK packets).
  • DHCP requests.
  • ICMP requests.
  • HTTP packets (generally, User-Agent field).

Other techniques are based on analyzing:

  • Running services.
  • Open port patterns.


There are different tools that are being used for Active Stack and Passive Stack Fingerprinting.

Active Fingerprinting Tools:

  • Nmap:

Nmap is the network discovering tools that many systems and network administrators found useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

Passive Fingerprinting Tools:

  • NetworkMiner:

It is a Network Forensic Analysis Tool for Windows. It is used to detect operating systems, sessions, hostnames, open ports, etc. The main purpose of NetworkMiner is to collect data that can be used as forensic evidence about hosts on the network rather than to collect data regarding the traffic on the network.

  • P0f:

It is a versatile passive OS fingerprinting tool that is used to identify the remote system, how far it is located, and its uptime. It also detects certain types of packet filters and the name of the ISP, while remaining Passive as it does not generate any network traffic.


  • Satori:

Satori is one of the most frequently used passive fingerprinting programs that uses multiple protocols for OS identification. It is available in both Windows and Linux platforms.


Preventing OS Fingerprinting is only necessary in those cases where malicious reconnaissance is a concern. The basic step is to make sure that external hosts are not able to directly scan internal targets. Whereas, ICMP should only be allowed if our firewall maintains state-full connections for ICMP in the same way almost all firewalls do for TCP.

TCP/IP parameters can be modified to make the device look like another OS. This will cause script type of scans to be fooled, but not deter a skilled attacker. So, the best way to prevent from OS Fingerprinting is to perform scans against your own network to harden the application in all aspects of security.

Vulnerability analysis

A vulnerability is a weakness that allows an attacker to reduce a system's information assurance. The vulnerability is the combination of three activities: a system weakness or flaw, attacker access to the flaw, and attacker proficiency to exploit the flaw.

Vulnerability analysis that is also known as vulnerability assessment is a process that defines vulnerabilities in a computer system, program or network infrastructure. Vulnerability assessment is used to evaluate the actual effectiveness of the system.

Risks are the potential concerns and effects of unaddressed vulnerabilities. Some of the risks associated with that vulnerability include loss of data, hours or days of site downtime and the staff time needed to rebuild a server after it's been compromised.

The process to identify the vulnerability in a system involves following steps:

  • Understand Common Attacks:

Attacks on your system, server or network comes in many different ranges. In many cases, the attacker doesn't even know who they are attacking, but there are instances of networks or organizations that are specifically targeted. Learning these details will give you the necessary perspective to proceed.

  • Inventory your vulnerabilities:

This process involves the creation of a complete list of potential vulnerabilities that are highly sensitive to your system. Additionally, take special care to identify anything unknown about your network.

  • Use vulnerability scanning tools:

There are many tools available to assess the vulnerabilities in our systems. From that many are free to use while others are paid due to advanced features. These tools check for open ports, unpatched software, and other weaknesses. Some of these programs focus on a specific machine, while others can scan your entire network.

  • Assess the risks:

The vulnerabilities on your network represent an unbearable risk of data loss that is highly costly and requires time to recover. The resulting loss and the chance of exploitation of potential vulnerability determines the risk involved. It will help to manage and prepare for any exploitation incident.

Vulnerability mapping

Vulnerability Mapping is the process in which we can scan entire workplace to provide a detailed map showing where vulnerable network devices are located and what encryption based attacks would hack into them. Once these vulnerable perimeter devices have been discovered, they can easily be fixed or replaced depending on attack vector before leading to a data security breach.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.


  • The vulnerability mapping allows us to perform multiple security checks in an automated fashion using a tool.
  • It gives us a prior knowledge of the potential vulnerability with complete detail of where it is located on a network, which helps us to resolve that specific vulnerability in less time.
  • Complete infrastructure is scanned in this process which enables us to assess the risk in real time.
  • It also provides the list of possible attacks that can be done to the vulnerability, so that we fix or replace that device that may lead to a data security breach.
  • The automated tool helps us to generate reports more quickly that enable us to respond effectively.

We can't eliminate the fact that each and every system is vulnerable when connected to the internet or intranet. We can't assure information security, but we can reduce the risk of information loss by adopting and performing different methods to identify the vulnerabilities prior than the attacker. This will help us to respond on time and will also reduce the impact of that attack.

Irfan Shakeel
Irfan Shakeel

Irfan Shakeel is the founder & CEO of An engineer, penetration tester and a security researcher. He specializes in Network, VoIP Penetration testing and digital forensics. He is the author of the book title “Hacking from Scratch”. He loves to provide training and consultancy services, and working as an independent security researcher.