• NetBIOS Enumeration using Global Network Inventory (GNI) (lots of detail)
    • Nmap – Get a null session
    • Advanced IP Scanner – (quick and easy)
    • Superscan (not great)
    • Hyena – Enumerate local machine
    • NetBIOS Enumerator – Another tool of the same kind (may show logged-in usernames)
    • Soft Perfect Network Scanner – Shows shared folders
    • SNMP Enumeration – Good stuff
    • ADexplorer
    • Enum4linux – Linux tool to get Windows and Samba info


Use GNI to scan servers for details ONCE they are compromised

From Windows box

A.      Open GNI – IP Range Scan – enter IP range (admin login details may be needed for access to all servers)

B.       When the scan is complete, view the results

C.      Useful info could be: machine name, MAC address, OS installed, BIOS information and NetBIOS (complete details of NetBIOS applications are displayed). The User Groups tab shows user account details by work group; the Users tab shows user accounts present on the machine, users' last logon time and login counts; the Services section gives the details of the services installed on the machine; the Installed Software section displays details of software installed on the machine.


From Windows box

A.      Run Zenmap – input IP of target – scan

B.       Look for ports 135, 139, 445 to see if NetBIOS is running

C.      Launch Command Prompt and type nbtstat -A (IP of target) and press Enter to perform an nbtstat scan on port 139

D.      Type net use command to view the created null sessions/shared folders from your Target

E.       Issue the following list of commands to create a null session.

F.       Type net use \\\e ""\user:"", and press Enter.

G.      Type net use \\\e ""/user:"", and press Enter.


CEH suggested way of enumerating anything

From Kali box (although it doesn’t matter if Windows)

A.      Ping sweep – type nmap -sP and press Enter

B.      Choose a specific target and do a stealthy SYN scan – nmap -sS (lists all open ports)

C.      To enumerate the versions of the obtained services, type nmap -sSV -O, and press Enter. Nmap performs the scan and displays the versions of the services, along with an OS fingerprint.

D.      Type nmap -sSV -O -oN Enumeration.txt, and press Enter. This outputs the results to Enumeration.txt
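
A defender-side use of the Enumeration.txt report from step D, as an added example (not from the original notes): the script parses nmap normal-format (-oN) output and lists hosts where the NetBIOS/SMB ports 135, 139, 445 or SNMP port 161 are open, so they can be firewalled or disabled. The sample report, host name and addresses are constructed.

```python
import re

# Ports these notes single out: 135/139/445 (NetBIOS/SMB) and 161 (SNMP).
WATCHED = {("135", "tcp"): "MSRPC endpoint mapper",
           ("139", "tcp"): "NetBIOS session service",
           ("445", "tcp"): "SMB over TCP",
           ("161", "udp"): "SNMP agent"}
HOST_RE = re.compile(r"^Nmap scan report for (?:(\S+) \()?([0-9a-fA-F.:]+)\)?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)")

# Constructed sample in nmap's normal (-oN) layout; addresses are TEST-NET-1.
SAMPLE = """\
Nmap scan report for fileserver.example (192.0.2.10)
Host is up (0.00050s latency).
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows Server microsoft-ds
3389/tcp open  ms-wbt-server Microsoft Terminal Services

Nmap scan report for 192.0.2.20
Host is up (0.00071s latency).
PORT    STATE         SERVICE     VERSION
22/tcp  open          ssh         OpenSSH 8.9
139/tcp closed        netbios-ssn
161/udp open|filtered snmp
"""

def exposed_services(report_text):
    """Return {host_ip: [(port, proto, state, why)]} for watched ports that are open."""
    findings, host = {}, None
    for line in report_text.splitlines():
        line = line.strip()
        m = HOST_RE.match(line)
        if m:
            host = m.group(2)  # IP address, with or without a resolved name
            continue
        p = PORT_RE.match(line)
        if p and host:
            port, proto, state = p.groups()
            # "open" and "open|filtered" need review; "closed" and "filtered" do not.
            if (port, proto) in WATCHED and state.startswith("open"):
                findings.setdefault(host, []).append(
                    (int(port), proto, state, WATCHED[(port, proto)]))
    return findings

if __name__ == "__main__":
    for ip, rows in exposed_services(SAMPLE).items():
        for port, proto, state, why in rows:
            print(f"{ip}: {port}/{proto} {state} ({why}) - restrict or disable")
```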




From Windows box

H.      Run Advanced IP Scanner – input IP range – scan

I.         Click Expand icon on the menu bar to view the machine details

J.        Now, you have the IP address, Name, MAC address, and Manufacturer information of the victim machine.


From Windows box

A.      Run Superscan – Windows Enumeration tab – enter target IP – Enumerate


From Windows box

A.      Run Hyena – gives an in-depth look at the server you are on

NETBIOS Enumerator

From Windows box

A.      Run NETBIOS Enumerator – enter IP range – scan

B.       Attackers may use the information obtained, such as enumerated usernames, and perform password guessing techniques to crack a user account.

Soft Perfect Network Scanner

From Windows box

A.      Run Soft Perfect Network Scanner – enter IP range – scan

B.       Right-click each target for properties. Can use this to connect if they are vulnerable


SNMP Enumeration – IF PORT 161 is open

From Kali box

A.      Open Terminal – type nmap -sU -p 161 to check that port 161 is open

B.       Type nmap -sU -p 161 --script=snmp-brute and press Enter. The snmp-brute script tries to find the SNMP community string of the target machine by brute-force guessing.

C.      Type msfconsole and press Enter to launch the Metasploit Framework.

D.      At the msf command line, type use auxiliary/scanner/snmp/snmp_login and press Enter.

E.       Type show options and press Enter to see the configurable options for the module

F.       Type set RHOSTS and press Enter to specify the target host.

G.      Type exploit and press Enter to run the module. (Should get a Login Successful message in the terminal.)

H.      Type use auxiliary/scanner/snmp/snmp_enum and press Enter

I.         Type set RHOSTS and press Enter.

J.        Type exploit and press Enter

K.       Analyze all the text; it should show you:

    1. Connected Devices
    2. Hostname and information
    3. Domain
    4. Hardware and storage information
    5. Software Components
    6. Total Memory
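
The defensive counterpart to steps B through J, as an added example (not from the original notes): an audit of an SNMP agent configuration for the guessable community strings that snmp-brute and snmp_login depend on. It assumes a net-snmp style snmpd.conf; the sample file, community names and addresses are constructed.

```python
# Community strings that guessing wordlists start with (short illustrative set).
GUESSABLE = {"public", "private", "community", "snmp", "admin", "manager"}

# Constructed net-snmp style snmpd.conf; names and addresses are made up.
SAMPLE_CONF = """\
# monitoring access
rocommunity public
rwcommunity private 192.0.2.0/24
rocommunity x9F-q2Lm-7tRw-poll 192.0.2.50
com2sec notConfigUser default public
rouser monitor priv
"""

def audit_snmpd_conf(text):
    """Return (line_no, severity, message) tuples for weak SNMPv1/v2c settings."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(fields) < 2:
            continue
        directive = fields[0].lower()
        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            # Syntax: rocommunity COMMUNITY [SOURCE ...]; no SOURCE means any host.
            community = fields[1]
            source = fields[2] if len(fields) > 2 else "default"
            if directive.startswith("rw"):
                findings.append((no, "high", "read-write community over SNMPv1/v2c"))
        elif directive == "com2sec":
            if fields[1] == "-Cn":             # optional "-Cn CONTEXT" prefix
                fields = fields[:1] + fields[3:]
            if len(fields) < 4:
                continue
            # Syntax: com2sec SECNAME SOURCE COMMUNITY
            source, community = fields[2], fields[3]
        else:
            continue                           # e.g. rouser (SNMPv3), not audited here
        if community.lower() in GUESSABLE:
            findings.append((no, "high", f"guessable community string '{community}'"))
        if source == "default":
            findings.append((no, "medium", "community accepted from any source address"))
    return findings

if __name__ == "__main__":
    for no, severity, message in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {no}: [{severity}] {message}")
```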



From Windows box

A.      Run ADexplorer – enter IP address of target – Enter

B.       Here you can use any of the user accounts that have Administrative privileges on the Active Directory machine to access or modify the attributes using ADExplorer.

For example, you can use the CEH\Jason account, which is a member of Administrators on the Active Directory machine and whose password is qwerty, to connect to the Active Directory machine using ADExplorer.

C.      You can modify attributes here


Enum4linux – needs admin creds for the target

From Kali box

A.      Open a terminal

B.       Type enum4linux -u martin -p apple -U and press Enter. The command shows the details of the target system

C.      Type enum4linux -u martin -p apple -o and press Enter to gather the OS information of the target machine.

D.      Type enum4linux -u martin -p apple -P and press Enter to get the Password Policy Information of the target machine

E.       Type enum4linux -u martin -p apple -G and press Enter to get the Groups information of the target machine.

F.       Type enum4linux -u martin -p apple -S and press Enter to get the Share Policy Information of the target machine