Penetration Testing: Enumeration

Once you have hardened your system and network, it is always a good idea to scan, or penetration test, your own systems for weaknesses that may already exist or may develop. Changes are constantly made to production systems. In addition, malicious users are constantly discovering and exploiting new weaknesses. Penetration testing your own network will help you see potential weaknesses through the eyes of an attacker and will help you to close the holes.

During the scanning phase of penetration testing, you will begin to gather information about your network’s purpose: specifically, what ports, and possibly what services, it offers. Information gathered during this phase is traditionally also used to determine the operating system (or firmware version) of the target devices. The list of active targets gathered from the footprinting phase is used as the target list for this phase. You can specify any host within your approved ranges, but you may lose time trying to scan a system that perhaps does not exist, or may not be reachable from your network location.

Penetration Testing: The Enumeration Process

In penetration testing, enumeration is the process of listing and identifying the specific services and resources that are offered by a network. You perform enumeration by starting with a set of parameters, like an IP address range, or a specific Domain Name Service (DNS) entry, and the open ports on the system. Your goal for enumeration is a list of services that are known and reachable from your source. From these services, you move further into deeper scanning, including security scanning and testing. Terms such as banner grabbing and fingerprinting fall under the category of enumeration. The most common tools associated with enumeration include nmap and amap.


An example of successful enumeration would be to start with host 10.0.0.10, and TCP port 22 open. After enumeration, you should be able to state that OpenSSH is running, and what version of OpenSSH is running along with the protocol versions. Moving into fingerprinting, ideal results would tell what version of Linux/Unix is running, and what version of the kernel is running. Often your enumeration will not get to this level of detail, but you should set that as your goal.
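To make the OpenSSH example concrete, here is an added example (not code from the original post) that parses the SSH identification string a server sends on connect, which is what banner grabbing on TCP port 22 actually reads. The banner format follows RFC 4253 (SSH-protoversion-softwareversion, optional comments); the host names and banner strings below are constructed for illustration.

```python
import re
import socket
from dataclasses import dataclass
from typing import List, Optional

# RFC 4253 section 4.2: "SSH-" protoversion "-" softwareversion [SP comments] CR LF
_BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


@dataclass
class SshBanner:
    protocol: str            # e.g. "2.0" or "1.99"
    software: str            # e.g. "OpenSSH_8.9p1"
    product: str             # e.g. "OpenSSH"
    version: Optional[str]   # e.g. "8.9p1", None if the server gives no version
    comments: Optional[str]  # e.g. distro suffix such as "Ubuntu-3ubuntu0.6"

    def protocol_versions(self) -> List[str]:
        # "1.99" is the RFC 4253 way of saying the server speaks both SSH-1 and SSH-2;
        # finding SSH-1 support is a finding in itself, so record it explicitly.
        if self.protocol == "1.99":
            return ["1", "2"]
        return [self.protocol.split(".")[0]]


def parse_ssh_banner(line: str) -> Optional[SshBanner]:
    """Turn one banner line into structured enumeration notes; None if it is not SSH."""
    m = _BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    software = m.group("software")
    # OpenSSH and Dropbear both use product_version, e.g. "OpenSSH_8.9p1"
    product, _, version = software.partition("_")
    return SshBanner(m.group("proto"), software, product, version or None, m.group("comments"))


def grab_ssh_banner(host: str, port: int = 22, timeout: float = 3.0) -> Optional[SshBanner]:
    """Active method: the SSH server sends its banner first, so connect and read one line."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            data = sock.recv(256)
    except OSError:
        return None  # closed, filtered, or unreachable from this network location
    first_line = data.split(b"\n", 1)[0].decode("ascii", "replace")
    return parse_ssh_banner(first_line)


# Constructed sample banners, standing in for what recv() would return from real hosts
SAMPLE_BANNERS = {
    "10.0.0.10": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n",
    "10.0.0.11": "SSH-1.99-OpenSSH_3.9p1\r\n",
    "10.0.0.12": "220 mail.example.test ESMTP\r\n",  # not SSH at all
}
```

Pipe the parsed results through tee when you run this against your own approved ranges, so the exact banner and the switches you used end up in the same log as the interpretation.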

Keeping good notes is also important during penetration testing, and is important during this phase as well. If the tool you are using cannot output a log file, make sure you use tools like tee, which allow you to direct the output of a command to a log file. Sometimes you may also want to know the exact flags or switches you used when you ran a tool, or what the verbose output was.

You can perform enumeration using either active or passive methods. Proxy methods may also be considered passive, as the information you gather will come from a third-party source, rather than being intercepted from the target itself. But a truly passive scan should not involve any data being sent from the host system. Active methods are the more familiar ones in which you send certain types of packets and then receive packets in return.


Once enumeration is complete, you will have a list of targets that you will use for the next stage: scanning. You need to have specific services that are running, versions of these services, and any host or system fingerprinting that you could determine. Moving forward without this information could hamper your further efforts in exploitation.

External Links:

Penetration Testing at Wikipedia

© 2013 David Zientara. All rights reserved.