Scanning and enumeration techniques and tools

Scanning vs. Enumeration: Phases, Techniques & Passive/Active Breakdown

To clearly distinguish between scanning and enumeration, we'll break them into two separate phases, then categorize techniques as passive or active.


1. Scanning Phase

Goal: Discover live hosts, open ports, services, and potential vulnerabilities.

Sub-Phases & Techniques

Network Scanning (Host Discovery)
  Passive:
    - Shodan/Censys searches
    - Passive DNS lookups (SecurityTrails)
    - ARP cache snooping (if already on the network)
  Active:
    - ARP scans (arp-scan -l)
    - ICMP ping sweeps (nmap -sn)
    - TCP ping scans (nmap -PS80,443)

Port Scanning (Service Discovery)
  Passive:
    - Analyzing firewall logs
    - Searching leaked scan data (e.g., BinaryEdge)
  Active:
    - TCP SYN scan (nmap -sS)
    - TCP Connect scan (nmap -sT)
    - UDP scan (nmap -sU)

Vulnerability Scanning (Weakness Detection)
  Passive:
    - Searching Exploit-DB for service versions
    - Checking CVE databases (NVD)
  Active:
    - NSE scripts (nmap --script vuln)
    - Nessus/OpenVAS scans
    - Automated vulnerability scanners (Nikto for web)
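The active host-discovery and port-scanning techniques above leave a characteristic footprint in firewall logs (one source touching many hosts over ICMP, or many ports on one host), which is exactly what the "Analyzing firewall logs" entry relies on. The following added example, not part of this page, flags both patterns in a constructed log; the log format ("ts src dst proto dport action") and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample firewall log in a hypothetical "ts src dst proto dport action"
# format (not a real vendor's syntax). It contains an ICMP sweep of six hosts by
# 10.0.0.5, a ten-port TCP probe of 10.0.1.20 by 10.0.0.7, and one benign HTTPS hit.
SAMPLE_LOG = "\n".join(
    [f"17000000{i:02d} 10.0.0.5 10.0.1.{i} icmp - drop" for i in range(1, 7)]
    + [f"1700000010 10.0.0.7 10.0.1.20 tcp {p} drop"
       for p in (21, 22, 23, 25, 53, 80, 110, 135, 139, 443)]
    + ["1700000011 10.0.0.9 10.0.1.20 tcp 443 allow"]
)


def parse(lines):
    """Yield (ts, src, dst, proto, dport, action) tuples, skipping malformed lines."""
    for line in lines:
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, dst, proto, dport, action = parts
        yield int(ts), src, dst, proto, dport, action


def detect(log_text, window=60, host_threshold=5, port_threshold=10):
    """Return {src: sorted alert labels}. A ping sweep is one source sending ICMP to
    >= host_threshold distinct hosts inside one time window (the pattern nmap -sn
    leaves); a port scan is one source probing >= port_threshold distinct TCP/UDP
    ports on a single host inside one window (the pattern of nmap -sS / -sU)."""
    sweep = defaultdict(set)   # (src, bucket) -> destination hosts seen over ICMP
    scan = defaultdict(set)    # (src, dst, bucket) -> (proto, port) pairs seen
    for ts, src, dst, proto, dport, _action in parse(log_text.splitlines()):
        bucket = ts // window  # fixed-size time buckets keep the state bounded
        if proto == "icmp":
            sweep[(src, bucket)].add(dst)
        elif proto in ("tcp", "udp"):
            scan[(src, dst, bucket)].add((proto, dport))
    alerts = defaultdict(set)
    for (src, _), hosts in sweep.items():
        if len(hosts) >= host_threshold:
            alerts[src].add("ping_sweep")
    for (src, dst, _), ports in scan.items():
        if len(ports) >= port_threshold:
            alerts[src].add(f"port_scan:{dst}")
    return {src: sorted(labels) for src, labels in alerts.items()}


if __name__ == "__main__":
    for src, labels in detect(SAMPLE_LOG).items():
        print(src, ", ".join(labels))
```

Dropped packets are counted the same as allowed ones on purpose: a SYN scan against a filtered port produces no completed connection, so counting only accepted traffic would miss it.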


2. Enumeration Phase

Goal: Extract detailed info (users, shares, configs, app data) from discovered services.

Common Enumeration Techniques

Banner Grabbing
  Passive:
    - Searching Shodan for service banners
    - Reviewing cached HTTP responses (Google/Archive.org)
  Active:
    - Netcat/Telnet connections (nc 192.168.1.1 80)
    - Nmap service detection (nmap -sV)

NetBIOS/SMB Enumeration
  Passive:
    - Reviewing public SMB leaks (VirusTotal)
  Active:
    - enum4linux
    - smbclient -L //target
    - nmap --script smb-enum-shares

SNMP Enumeration
  Passive:
    - Checking default community strings in logs
  Active:
    - snmpwalk -c public -v1 target
    - onesixtyone (brute-force communities)

LDAP Enumeration
  Passive:
    - Searching public directory leaks
  Active:
    - ldapsearch queries
    - nmap --script ldap-search

NTP Enumeration
  Passive:
    - Checking NTP pool leaks
  Active:
    - ntpdc -c monlist target (old)
    - nmap --script ntp-info

SMTP Enumeration
  Passive:
    - Checking breached email lists
  Active:
    - smtp-user-enum
    - nmap --script smtp-enum-users


Key Takeaways

  1. Scanning → Finds what exists (hosts, ports, services).
    • Passive: No direct interaction (OSINT, cached data).
    • Active: Direct probing (Nmap, Nessus).

  2. Enumeration → Extracts useful data (users, shares, configs).
    • Passive: Leaked data, historical records.
    • Active: Direct queries (LDAP, SMB, SNMP).

When to Use Which?

  • Passive → Early recon, avoiding detection.
  • Active → Post-recon, deeper exploitation prep.