Network Enumeration Handbook: See Everything
Learn how to harness the power of Nuclei, a fast, customizable vulnerability scanner from ProjectDiscovery. This guide walks you through installation, template usage, and practical examples to help automate security testing across web applications and infrastructure with ease.
SMB (Server Message Block)
Server Message Block (SMB) is a network file-sharing protocol that allows computers on the same network to share files, printers, and serial ports. It operates on a client-server model, enabling applications to read, create, and update files on a remote server, functioning primarily within Windows environments but also supporting Linux via Samba.
Enumerate live hosts.
nxc smb $IP/24
Guest Logon Enumeration
Guest logon enumeration is a critical technique for identifying exposed shares and system information in environments where strict access controls are neglected or legacy configurations persist. In a corporate Windows or Active Directory setting, this allows an auditor to quickly pinpoint "low-hanging fruit" such as unprotected file servers or sensitive backup directories that are inadvertently open to anyone on the network. By successfully identifying a Guest: True status, you can bypass the need for valid domain accounts to begin harvesting internal data, making it a vital first step in internal penetration tests to demonstrate the risk of unauthorized data exposure.
Starting in 2025, NetExec introduced a streamlined way to verify guest login status without needing to provide credentials. To use this feature, ensure your installation is updated and modify your ~/.nxc/nxc.conf file by setting check_guest_account to true. Once this configuration is saved, you can simply run nxc smb $IP without any login details; if guest access is permitted on the target, the output will clearly indicate Guest: True.
The commands below check this manually. Make sure the password is empty.
nxc smb $IP -u 'a' -p ''
nxc smb $IP -u 'a' -p '' --shares
When using a password with NXC, if no output appears, check your password.
Null Session Enumeration
Null session enumeration allows an unauthenticated attacker to query a Windows machine (typically via RPC or SMB) without a username or password, which is highly effective in older or misconfigured Active Directory environments for mapping the network. By establishing this "anonymous" connection, you can often extract sensitive data such as user lists, group memberships, and share names, providing the initial blueprint needed for lateral movement or password spraying attacks.
nxc smb $IP -u '' -p ''
nxc smb $IP -u '' -p '' --shares
nxc smb $IP -u '' -p '' --pass-pol
nxc smb $IP -u '' -p '' --users
nxc smb $IP -u '' -p '' --groups
The same can be done with smbclient and rpcclient.
smbclient -N -U "" -L \\$IP
rpcclient -N -U "" $IP
rpcclient $> enumdomusers