What is Enumeration?
Every attack starts with enumeration, which is the process of collecting as much information as possible about a target machine. This information can include technical details, users who may be associated with the target, and information about the target organization. From there, you’ll focus on identifying vulnerabilities that you can exploit, ideally to gain initial access to the box.

In this chapter, we’ll explore techniques for gathering information about a victim’s network and websites. In the process, you’ll learn about the basics of TCP/IP and performing network scans using Nmap. We’ll then cover the enumeration of SMB shares, virtual hosts, and directories using a variety of techniques. In the chapter’s exercises, you’ll gather useful information about two Hack The Box machines: Archetype and ForwardSlash.
Every attack on a computing device aims to achieve the attacker's specific objective. If the aim is to steal information from a system, this objective could be satisfied by compromising a website and accessing a database using vulnerabilities in the site's application code. If the objective is to take over a network to extract a range of data and surveil employees, the attacker might look for ways to gain access to a machine, establish persistence, move laterally to other machines on the network, and elevate privileges.
In all cases, the attacker will exploit vulnerabilities they’ve uncovered through extensive and careful enumeration of details about the target. The more an attacker knows about a target, the more vulnerabilities the attacker may uncover. They’ll also gain information that will help them exploit these vulnerabilities.
In an engagement with a customer, ethical hackers usually start this process with a clear scope that explains what the customer's goals are. Your customer may want to simply identify vulnerabilities in a specific set of applications and verify how critical they are. Or they may want the penetration tester to exploit the vulnerabilities to see how far attackers could get into a network and what they could potentially do. This established scope will also determine what machines and networks the attacker is allowed to target and which are deemed out of bounds. The consistent goal, however, is to identify vulnerabilities whose exploitation could lead to a compromise of the confidentiality, integrity, or availability of the organization's digital systems and information.
We can break enumeration down into a set of different gathering techniques, namely gathering technical information, information about people, and information about the organization. Gathering technical information involves understanding the layout of networks, the machines that run on those networks, the interactions between machines, as well as those between users and machines. For each machine, you’ll try to determine what software and services are running, their version numbers, and their configurations. This is because the vulnerabilities you’ll try to exploit will be related to a particular version or misconfiguration of some software.
Information about people in an organization may reveal their roles in that organization, what systems or information they may have access to, and their general level of privilege. A systems administrator, for example, is more likely to have high-privilege administrative accounts than a clerk in the HR department. On the other hand, the clerk may have direct access to the HR system, which your attack might aim to target.
Knowledge of the organization may reveal context that is useful to the attacker. The attacker may be after companies in a specific industry, for example. Also, organizations in a particular sector may use specific hardware and software. Furthermore, knowing about the organizational structure may reveal information about the hierarchy of people working in that organization.
You can gather information either actively or passively. While this distinction can be murky, passive information-gathering essentially means you haven’t touched, poked, or prodded the target in any way. Gathering Open Source Intelligence (OSINT) about a target by using an Internet search engine is considered a passive technique. OSINT is any intelligence about a target that is gathered from publicly available information. On the other hand, scanning a network by sending packets to it and observing the replies is an active information-gathering technique. The difference is that the target could actually notice that you’re gathering this information; worse still, the actual process of gathering information could impact the target in an adverse way, for example by inadvertently crashing software or a machine.
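The active/passive distinction is easiest to see from the target's side. The following is an added example, not code from the book or from Hack The Box: it runs a stand-in "target" listener on the loopback interface that records every connection it receives, then performs a passive lookup against a constructed, already-public record set (the hostname and its records are hypothetical) and an active TCP connect probe against the listener. The listener's log stays empty after the passive step and gains an entry after the active one, which is exactly why active techniques can be noticed and logged by the target.

```python
import socket
import threading
import time

# Constructed stand-in for OSINT sources (search-engine results, DNS/WHOIS data).
# The hostname and values are hypothetical, not taken from any real record.
PUBLIC_RECORDS = {
    "www.example-target.test": {"registrar": "Example Registrar", "web_server": "nginx"},
}


def start_observed_service(host="127.0.0.1"):
    """Stand-in for the target: a TCP listener on an ephemeral port that records
    the source address of every connection, i.e. what the target would log."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    observed = []

    def serve():
        while True:
            try:
                conn, addr = srv.accept()
            except OSError:
                return  # listener was shut down
            observed.append(addr)  # the probe is now visible to the target
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1], observed


def free_closed_port(host="127.0.0.1"):
    """Reserve and release an ephemeral port so we have one that is almost certainly closed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def passive_lookup(hostname):
    """Passive gathering: read records that are already public; no packet reaches the target."""
    return PUBLIC_RECORDS.get(hostname)


def active_probe(host, ports, timeout=0.5):
    """Active gathering: a TCP connect scan. Each connect() sends a SYN to the target
    and classifies the port by the reply (accepted, refused, or no answer at all)."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"
            except ConnectionRefusedError:
                results[port] = "closed"
            except (socket.timeout, OSError):
                results[port] = "filtered"
    return results


def demo():
    """Run both techniques against the local stand-in and report what the target observed."""
    srv, open_port, observed = start_observed_service()
    closed_port = free_closed_port()
    try:
        passive = passive_lookup("www.example-target.test")
        seen_after_passive = len(observed)  # 0: nothing was sent to the target

        active = active_probe("127.0.0.1", [open_port, closed_port])
        deadline = time.time() + 2
        while len(observed) < 1 and time.time() < deadline:
            time.sleep(0.01)  # give the listener thread time to record the probe
        seen_after_active = len(observed)  # 1: the target noticed the connect
    finally:
        try:
            srv.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass
        srv.close()
    return {
        "passive": passive,
        "seen_after_passive": seen_after_passive,
        "active": active,
        "open_port": open_port,
        "closed_port": closed_port,
        "seen_after_active": seen_after_active,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Everything here stays on 127.0.0.1; the point is the asymmetry in the listener's record, which is the same asymmetry a real target's connection logs or IDS would show. Nmap's default connect scan behaves like `active_probe` in that each probed port produces a handshake attempt the target can see.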