What Is Enumeration in Ethical Hacking?

Read it in 7 Mins

Last updated on
10th Nov, 2022
02nd Nov, 2020
What Is Enumeration in Ethical Hacking?

In this article we will understand the key concepts of Enumeration from an ethical hacking point of view. We will learn about the fundamentals of penetration testing, and how enumeration forms a part of it. We will also explore the other concepts - types of Enumeration, Techniques to perform enumeration and tools to support the process. We will be discussing the goals and services and the process of NetBIOS enumeration and Scanning enumeration.  

What is penetration testing? 

Penetration testing or  Ethical hacking is a simulation of cyber-attacks to a computer system or application or infrastructure to detect vulnerabilities, if any. Penetration testing provides great insights on the list of vulnerabilities which we can categorize and rank as high, medium and low. We fix these vulnerabilities depending on the business requirement and timelines. 

Let us understand the various phases of penetration testing 

Phases of Penetration Testing
Description of Enumeration 

Enumeration is the phase 3 of the Penetration Testing or Ethical Hacking. It is a process of gaining complete access to the system by compromising the vulnerabilities identified in the first two phases. The Scanning stage only helps to identify the vulnerabilities to a certain extentbut  Enumeration helps us learn the complete details such as users, groups and even system level details – routing tables. This phase of the Ethical hacking is to gain end-to-end knowledge of what will be tested in the target environment. Tools are deployed to gain complete control over the system. 

Significance of Enumeration 

Enumeration is the most critical aspect of Ethical hacking. The metrics, outcomes, results are used directly in testing the system in the next steps of penetration testing.  Enumeration helps us to decipher the detailed information – Hostnames, IP tables, SNMP and DNS, Application, Banners, Audit configurations and service settings. The significance of Enumeration is that it systematically collects details. This allows pentesters to completely examine the systems.  The pentesters collect information about the weak links during the enumeration phase of ethical hacking.  

Enumeration helps in finding the attack Vectors and threats. 

Enumeration Classification 

We can perform enumeration on the following: 

Enumeration Classification

Enumeration and its types – Tool box 

Enumeration as a process extracts the user names, machine names, network resources, shares and services from the ecosystem.  There is a robust toolbox that helps the enumeration process become scalable. This is a mix of software and hardware systems.  There are free and commercial software tools for the enumeration. The hardware tools are mainly the key loggers and special wireless hardware. The pentesters find the right and optimum way to reach the various components of the systems. 

Techniques for Enumeration 

Techniques for Enumeration

Types of information enumerated by intruders: 

The types of the information enumerated by intruders are the following: 

  1. Network source 

  1. Users and groups 

  1. Routing tables 

  1. Audit settings 

  1. Service configuration settings 

  1. The various machine names 

  1. Applications 

  1. Banners 

  1. SNMP details 

  1. DNS details 

Services and Port to Enumerate 

Services and Port to Enumerate

What are the goals of the Enumeration? 

Goal 1 – To map the end-to-end details that we need to check after the enumeration step 

Goal 2  - The ways to execute the attacks in the upcoming phases 

Goal 3 – Identify all the information we need to do the execution in future testing 

Goal 4 – Compile a list of devices with configuration for testing 

Goal 5 – Complete the network map to finalize the steps for testing 

Goal 6 – Compile the list of people who support the testing 

Goal 7 – Collect even irrelevant information that might still be significant in the future 

Process of Enumeration 

Process of Enumeration
Tools supporting Enumeration

NmapNetwork mapperUsed to discover port and service information on a target
NessusService and vulnerability scanner.Used to identify vulnerable services
WPScanWordPress vulnerability scannerUsed to identify vulnerable WordPress applications
SearchsploitCLI tool for exploit.db for exploitsUsed to look up exploits for services.
GoBusterWeb directory brute forcerUsed to discover directories on web servers.
DigDomain Information GroperUsed to query DNS servers
NmblookupSMB share lookup.Used to find any open and exposed SMB shares  
Used to enumerate DNS information  

Port – Scanning Enumeration 

Port scanning is the most common form of enumeration. This is used to discover the various services which can exploit the systems. This includes all the systems that are connected to LAN or accessing the network via the modem which runs the services.  We can find out what services are running, who are the owners of these services and if any of them  requires a separate authentication

Port scanning techniques 

S.No  Technique  Process  
1.Address Resolution Protocol (ARP) scan
  • Series of ARP broadcasts are sent, and the value for the target IP address field is incremented in each broadcast packet to discover active devices on the local network segment
  • This scan helps us to map out the entire network 
2.Vanilla TCP connect scanBasic scanning that uses system call of an operating system to open a connection to every port
3.TCP SYN (Half Open) scan
  • Most common type of scan
  • a technique that a malicious hacker uses to determine the state of a communications port without establishing a full connection
4.TCP FIN ScanThis scan can remain undetected through most firewalls, packet filters, and other scan detection programs
5.STEALTH SCANNING – NULL, X-MASThis scan crafts the packets flags in a way as if we are trying to induce some type of response from the target without actually going through the handshaking process and establishing a connection
6.UDP ICMP Port ScanThis scan is used to find high number ports, especially in Solaris systems. The scan is slow and unreliable.
7.TCP Reverse Ident ScanThis scan discovers the username of the owner of any TCP connected process on the targeted system. It helps an attacker to use the ident protocol to discover who owns the process by allowing connection to open ports

NetBIOS Enumeration 

Net BIOS – Network Basic Input Output System 

NetBIOS helps in computer communication with LAN for sharing files and printers. 

They are primarily used for identifying the network devices. 

The naming is 16 characters – 15 characters for the device and the 16th denotes the service it runs. 

Attackers use the NetBIOS for scanning the list of computers per domain, policies and passwords and other shares in the network. 

Tools used – Nbtstatsuperscan, Net View, Hyena 


Enumeration is defined as the process of extracting usernames, machine names, network information and other services. Enumeration forms a critical step in the ethical hacking process, as obtaining the complete information is needed for the further steps – maintaining access and covering tracks. There are many techniques of enumeration which we have covered in this article. There are various tools depending on the use case available for enumeration including port scanning and NetBIOS. 


Anand V

Blog Author

Anand V is an independent consultant with more than 23 plus years of experience. He is currently working in areas of Artificial  Intelligence ,Cybersecurity, Blockchain and IoT.