Network Enumeration Handbook

Master network scanning with the Network Enumeration Handbook. Get essential enumeration commands for all major protocols to elevate your security testing.

Subdomains Discovery & Enumeration

  1. Amass. In-depth attack surface mapping and asset discovery.
  2. Sublist3r. Fast subdomains enumeration tool for penetration testers.

SMB (Server Message Block)

Server Message Block (SMB) is a network file-sharing protocol that allows computers on the same network to share files, printers, and serial ports. It operates on a client-server model, enabling applications to read, create, and update files on a remote server, functioning primarily within Windows environments but also supporting Linux via Samba.

Enumerate live hosts.

nxc smb $IP/24

Guest Logon Enumeration

Guest logon enumeration is a critical technique for identifying exposed shares and system information in environments where strict access controls are neglected or legacy configurations persist. In a corporate Windows or Active Directory setting, this allows an auditor to quickly pinpoint "low-hanging fruit" such as unprotected file servers or sensitive backup directories that are inadvertently open to anyone on the network. By successfully identifying a Guest: True status, you can bypass the need for valid domain accounts to begin harvesting internal data, making it a vital first step in internal penetration tests to demonstrate the risk of unauthorized data exposure.

Starting in 2025, NetExec introduced a streamlined way to verify guest login status without needing to provide credentials. To use this feature, ensure your installation is updated and modify your ~/.nxc/nxc.conf file by setting check_guest_account to true. Once this configuration is saved, you can simply run nxc smb $IP without any login details; if guest access is permitted on the target, the output will clearly indicate Guest: True.

The commands below perform the same check manually. Make sure the password is empty.

nxc smb $IP -u 'a' -p ''
nxc smb $IP -u 'a' -p '' --shares

If nxc produces no output when you supply a password, check the password.

Null Session Enumeration

Null session enumeration allows an unauthenticated attacker to query a Windows machine (typically via RPC or SMB) without a username or password, which is highly effective in older or misconfigured Active Directory environments for mapping the network. By establishing this "anonymous" connection, you can often extract sensitive data such as user lists, group memberships, and share names, providing the initial blueprint needed for lateral movement or password spraying attacks.

nxc smb $IP -u '' -p ''
nxc smb $IP -u '' -p '' --shares
nxc smb $IP -u '' -p '' --pass-pol
nxc smb $IP -u '' -p '' --users
nxc smb $IP -u '' -p '' --groups

The same can be done with smbclient and rpcclient.

# smbclient: list shares over a null session (-N = no password prompt);
# use //$IP rather than \\$IP so the shell does not mangle the backslashes
smbclient -N -U "" -L //$IP

# rpcclient takes the host directly (it has no -L option); then enumerate users
rpcclient -N -U "" $IP
rpcclient $> enumdomusers
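As an added example that is not part of the original post, the Python script below triages saved nxc smb output from the guest and null-session checks above: it parses each banner line and flags hosts that report Guest:True, SMB signing not required, or SMBv1 enabled, so the result of a subnet-wide run can be turned into a prioritised findings list. The sample lines are constructed; the exact spelling of the `(Guest:True)` token is an assumption based on the description above, and the `(signing:…)` and `(SMBv1:…)` tokens follow the shape of nxc's banner line.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines in the shape of "nxc smb" banner output. The
# "(Guest:True)" token is assumed from the description in the text; the
# signing and SMBv1 tokens use the same "(key:value)" form.
SAMPLE_OUTPUT = """\
SMB  10.0.0.5   445  FS01  [*] Windows Server 2016 Build 14393 x64 (name:FS01) (domain:corp.local) (signing:False) (SMBv1:True) (Guest:True)
SMB  10.0.0.6   445  DC01  [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False) (Guest:False)
SMB  10.0.0.7   445  WS07  [*] Windows 10 Build 19045 x64 (name:WS07) (domain:corp.local) (signing:False) (SMBv1:False)
"""

# Banner line: protocol, IP, port, hostname, "[*]", then the attribute tokens.
LINE_RE = re.compile(
    r"^SMB\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+\[\*\]\s+(?P<rest>.*)$"
)
# Every "(key:value)" token in the remainder of the line.
TOKEN_RE = re.compile(r"\((?P<key>[^:()]+):\s*(?P<val>[^)]*)\)")


@dataclass
class SmbHost:
    ip: str
    hostname: str
    domain: str
    attrs: dict = field(default_factory=dict)  # lower-cased key -> lower-cased value

    def findings(self) -> list:
        """Return the misconfigurations reported in this host's banner line."""
        out = []
        if self.attrs.get("guest") == "true":
            out.append("guest logon enabled: shares reachable without a domain account")
        if self.attrs.get("signing") == "false":
            out.append("SMB signing not required: enforce signing via policy")
        if self.attrs.get("smbv1") == "true":
            out.append("SMBv1 enabled: legacy dialect, disable unless a dependency needs it")
        return out


def parse_nxc(text: str) -> list:
    """Parse nxc smb banner lines into SmbHost records; non-banner lines are skipped."""
    hosts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        attrs = {k.strip().lower(): v.strip().lower() for k, v in TOKEN_RE.findall(m["rest"])}
        hosts.append(SmbHost(m["ip"], m["host"], attrs.get("domain", ""), attrs))
    return hosts


def triage(text: str) -> dict:
    """Map each IP with at least one finding to its list of findings."""
    return {h.ip: h.findings() for h in parse_nxc(text) if h.findings()}


if __name__ == "__main__":
    for ip, items in triage(SAMPLE_OUTPUT).items():
        print(ip)
        for item in items:
            print("  -", item)
```

In practice the script reads the output of `nxc smb $IP/24` saved to a file; hosts whose banner carries no Guest token are still checked for the signing and SMBv1 flags, so a host never disappears from the report just because the guest check was not run against it.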

WinRM (Windows Remote Management) - 5985,5986

Windows Remote Management (WinRM) is a Microsoft tool that lets IT professionals manage and run commands on remote computers. It is Microsoft’s version of the standard WS-Management protocol. WinRM uses standard web protocols (HTTP or HTTPS) to let you manage Windows machines from a distance.

# Basic connection
evil-winrm -i $target -u $username -p 'password'

# With domain
evil-winrm -i $target -u 'DOMAIN\username' -p 'password'

# Using hash (Pass-the-Hash)
evil-winrm -i $target -u $username -H 'NTHASH'

# Using SSL (port 5986)
evil-winrm -i $target -u $username -p 'password' -S

# With custom port
evil-winrm -i $target -u $username -p 'password' -P 5985

Please visit the following sites for more tricks and techniques: 5985,5986 - Pentesting WinRM; WinRM (Windows Remote Management).

SNMP (Simple Network Management Protocol) - 161/UDP, 162/UDP

Simple Network Management Protocol (SNMP) is a standard internet protocol used to monitor, organize, and configure managed devices across IP networks. It allows administrators to track system status and modify settings on equipment like routers, switches, servers, printers, and workstations. By exposing system variables that detail configuration and performance, SNMP enables management applications to remotely query or update device behavior.

Connect

Network administrators usually manage SNMP-enabled hardware through command-line interfaces (CLIs), which dispatch requests directly to the device’s internal agent.

SNMPWALK

snmpwalk is a command-line application that uses SNMP GETNEXT requests to query a network entity for a tree of information.

# For SNMPv1/v2c (most common for pentesting due to weaker security)
snmpwalk -c <community_string> -v1 <target_ip>
snmpwalk -c <community_string> -v2c <target_ip>

# Example: Walking the entire MIB tree
snmpwalk -c public -v2c 192.168.1.1

# Example: Walking a specific OID
snmpwalk -c public -v2c 192.168.1.1 .1.3.6.1.2.1.1.1.0 # sysDescr

Enumeration

It is recommended to install the following so that each OID gathered from the device is resolved to a readable name:

apt-get install snmp-mibs-downloader
download-mibs
# Finally comment the line saying "mibs :" in /etc/snmp/snmp.conf
sudo vi /etc/snmp/snmp.conf

If you know a valid community string, you can access the data using SNMPWalk or SNMP-Check:

snmpbulkwalk -c [COMM_STRING] -v [VERSION] [IP] . #Don't forget the final dot
snmpbulkwalk -c public -v2c 10.10.11.136 .

snmpwalk -v [VERSION_SNMP] -c [COMM_STRING] [DIR_IP]
snmpwalk -v [VERSION_SNMP] -c [COMM_STRING] [DIR_IP] 1.3.6.1.2.1.4.34.1.3 #Get IPv6, needed dec2hex
snmpwalk -v [VERSION_SNMP] -c [COMM_STRING] [DIR_IP] NET-SNMP-EXTEND-MIB::nsExtendObjects #get extended
snmpwalk -v [VERSION_SNMP] -c [COMM_STRING] [DIR_IP] .1 #Enum all

snmp-check [DIR_IP] -p [PORT] -c [COMM_STRING]

nmap --script "snmp* and not snmp-brute" <target>

braa <community string>@<IP>:.1.3.6.* #Bruteforce specific OID
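The `#Get IPv6, needed dec2hex` note above refers to how IP-MIB encodes addresses: when walking `1.3.6.1.2.1.4.34.1.3` (ipAddressIfIndex), the address is not in the value but in the OID suffix, as `<addrType>.<length>.<octet>.<octet>...` in decimal, and IPv6 addresses must be converted octet by octet to hex. As an added example that is not part of the original post, the Python script below parses snmpwalk output for that table and decodes the index into text addresses; it goes slightly beyond the IPv6 case in the text by also handling the ipv4z/ipv6z types (address followed by a 4-byte zone index, per RFC 4001). The sample output is constructed and assumes the numeric form snmpwalk prints when no MIBs are loaded (the `iso.` prefix standing for `.1`).

```python
from __future__ import annotations

import ipaddress
import re

# Constructed sample output from walking 1.3.6.1.2.1.4.34.1.3 without MIBs
# loaded. The value is the interface index; the OID suffix after the table
# column carries <addrType>.<length>.<octets...> in decimal.
SAMPLE_WALK = """\
iso.3.6.1.2.1.4.34.1.3.1.4.10.10.11.136 = INTEGER: 2
iso.3.6.1.2.1.4.34.1.3.1.4.127.0.0.1 = INTEGER: 1
iso.3.6.1.2.1.4.34.1.3.2.16.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1 = INTEGER: 1
iso.3.6.1.2.1.4.34.1.3.2.16.254.128.0.0.0.0.0.0.0.80.86.255.254.185.183.58 = INTEGER: 2
iso.3.6.1.2.1.4.34.1.3.4.20.254.128.0.0.0.0.0.0.2.80.86.255.254.185.183.58.0.0.0.2 = INTEGER: 2
"""

IP_ADDRESS_IF_INDEX = "1.3.6.1.2.1.4.34.1.3"  # IP-MIB::ipAddressIfIndex
# "<oid> = <TYPE>: <value>" as printed by snmpwalk
LINE_RE = re.compile(r"^(?P<oid>\S+)\s*=\s*(?P<type>[A-Za-z0-9-]+):\s*(?P<value>.*)$")


def normalize_oid(oid: str) -> str:
    """Turn 'iso.3.6...' or '.1.3.6...' into the plain dotted form '1.3.6...'."""
    if oid.startswith("iso."):
        oid = "1." + oid[4:]
    return oid.lstrip(".")


def decode_inet_address(index: list[int]) -> tuple[str, int | None]:
    """Decode an InetAddressType.InetAddress OID index (RFC 4001) into
    (text address, zone index or None). This is the dec2hex step for IPv6."""
    addr_type, length, octets = index[0], index[1], index[2:]
    if len(octets) != length:
        raise ValueError(f"length prefix {length} does not match {len(octets)} octets")
    if addr_type == 1 and length == 4:     # ipv4
        return str(ipaddress.IPv4Address(bytes(octets))), None
    if addr_type == 2 and length == 16:    # ipv6: 16 decimal octets -> hex groups
        return str(ipaddress.IPv6Address(bytes(octets))), None
    if addr_type == 3 and length == 8:     # ipv4z: 4 address octets + 4-byte zone
        return str(ipaddress.IPv4Address(bytes(octets[:4]))), int.from_bytes(bytes(octets[4:]), "big")
    if addr_type == 4 and length == 20:    # ipv6z: 16 address octets + 4-byte zone
        return str(ipaddress.IPv6Address(bytes(octets[:16]))), int.from_bytes(bytes(octets[16:]), "big")
    raise ValueError(f"unsupported InetAddressType {addr_type} / length {length}")


def parse_ip_address_table(text: str) -> list[dict]:
    """Return one row per ipAddressIfIndex entry: address, zone, if_index."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        oid = normalize_oid(m["oid"])
        if not oid.startswith(IP_ADDRESS_IF_INDEX + "."):
            continue  # some other OID in the same walk
        index = [int(x) for x in oid[len(IP_ADDRESS_IF_INDEX) + 1:].split(".")]
        address, zone = decode_inet_address(index)
        rows.append({"address": address, "zone": zone, "if_index": int(m["value"])})
    return rows


if __name__ == "__main__":
    for row in parse_ip_address_table(SAMPLE_WALK):
        zone = f"%{row['zone']}" if row["zone"] is not None else ""
        print(f"if {row['if_index']}: {row['address']}{zone}")
```

The same decoding applies to any table indexed by InetAddressType/InetAddress (the ipAddressTable columns, ipAddressPrefix, and the IP-MIB neighbour table), so the helper can be reused when walking those OIDs.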

Thanks to the extended MIBs installed by download-mibs, it is possible to enumerate even more about the system with the following command:

snmpwalk -v [VERSION_SNMP] -c public <IP> NET-SNMP-EXTEND-MIB::nsExtendOutputFull

Please visit the following sites for more tricks and techniques: 161,162,10161,10162/udp - Pentesting SNMP; SNMP (Simple Network Management Protocol).

Understanding Application

Questions

  1. How does the app pass data?
  2. How and where does the app talk about users?
  3. Does the site have multi-tenancy or user levels?
  4. Does the site have a unique threat model?
  5. Has there been past security research, and are there known vulnerabilities?
  6. How does the app handle XSS, CSRF, injection, …?

Library

Web Technologies

We can use the following extensions/tools to peek into the tech stack used by the site.

  1. Whatruns Extension
  2. Wappalyzer Extension
  3. Webanalyze CommandLine

Port Scans

  1. Nmap
  2. Naabu
  3. Rustscan

Content Discovery

  1. ApiLeaks - Scans APK files for URIs, endpoints & secrets.
  2. Scavenger - BurpSuite extension for content discovery.
  3. Gap - BurpSuite extension helps with parameter and paths.
  4. Source2Url - Parse source code directories and output list of URLs that are then sent through a proxy.
  5. GetAllUrls GAU. Fetch known URLs from AlienVault’s Open Threat Exchange, the Wayback Machine, and Common Crawl.
  6. XnLinkFinder A python tool used to discover endpoints, potential parameters, a target specific wordlist for a given target and secrets.
  7. HAKRAWLER. Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web application.

This post is licensed under CC BY 4.0 by the author.