Network Enumeration — NetBIOS, SNMP, LDAP, and SMB Techniques
What Is Network Enumeration and Why Does It Matter?
Network enumeration is the process of actively querying discovered services to extract usernames, group memberships, network shares, and system configurations. The MITRE ATT&CK framework classifies enumeration under the Discovery tactic (TA0007), with techniques including Account Discovery (T1087), Network Share Discovery (T1135), and Permission Groups Discovery (T1069). NIST SP 800-115 identifies enumeration as a critical step between scanning and exploitation.
Network enumeration is the process of actively connecting to target systems and extracting detailed information — usernames, group memberships, network shares, service configurations, and application details. It bridges the gap between scanning (which tells you what ports are open) and exploitation (which requires knowing exactly what is behind those ports).
If scanning is like knowing which doors in a building are unlocked, enumeration is like walking through those doors, reading the nameplates on every desk, checking the file cabinets, and mapping out who works where and what they have access to. You are directly interacting with services, extracting information they are willing to share — often more than they should.
Understanding enumeration is critical for multiple reasons:
- Penetration testers use enumeration to build a complete picture of the target environment before attempting exploitation. Usernames become brute-force targets, shares reveal sensitive files, and service details expose specific vulnerabilities.
- SOC analysts must recognise enumeration activity in logs and IDS alerts — unusual LDAP queries, SNMP walks, and null session attempts are indicators of reconnaissance.
- Certification exams including CompTIA Security+ SY0-701 and CEH v13 test enumeration techniques, protocols, and defensive measures extensively.
- System administrators need to understand what information their services expose to prevent unnecessary data leakage.
This page covers the major enumeration types — NetBIOS, SNMP, LDAP, DNS, SMB, and NFS — with practical commands and defensive guidance.
When I first ran enum4linux against a deliberately misconfigured Samba server in my lab, the output stunned me. In seconds, I had a complete list of usernames, group memberships, password policies, and shared folders — all from a single command against a service that was “just a file share.” I realised that enumeration is not about fancy exploits or complex tools. It is about asking the right questions to services that answer too freely. That lesson shaped how I think about service hardening: the question is always “what information is this service giving away to anyone who asks?”
Ethical and legal warning: Enumeration involves actively querying target systems and extracting information. Only enumerate systems you own or have explicit written authorisation to test. Unauthorised enumeration can violate computer crime laws in most jurisdictions, including the Criminal Code Act 1995 (Australia). Practise in your home lab or on authorised platforms.
What Do Real-World Enumeration Attacks Look Like?
The MITRE ATT&CK framework documents enumeration techniques across dozens of real-world threat groups, including APT28 (T1087 Account Discovery) and FIN7 (T1135 Network Share Discovery). Enumeration is a standard phase in both offensive and defensive security operations.
| Scenario | What enumeration reveals | Why it matters |
|---|---|---|
| Penetration test | Usernames, shares, group memberships, service versions, and misconfigurations | Provides the specific targets and attack paths for exploitation |
| Active Directory assessment | All users, groups, organisational units, group policies, and trust relationships | Maps the entire domain for privilege escalation and lateral movement planning |
| Vulnerability management | SNMP-exposed device configurations, software inventories, and network topology | Identifies assets and configurations that automated scanners might miss |
| Incident response | What accounts exist, what shares are accessible, and what services are running on compromised systems | Helps determine the scope of a compromise and potential data exposure |
| Compliance audit | Whether services expose information that violates security policies (null sessions, public shares, default SNMP strings) | Validates that hardening standards are properly implemented |
How Does Network Enumeration Work?
NIST SP 800-115 distinguishes enumeration from scanning by its depth: scanning identifies open ports and service banners, while enumeration actively queries those services to extract detailed configuration data, user accounts, and access permissions.
Beginners often confuse enumeration with scanning. The key distinction is the depth and specificity of information extracted.
Scanning tells you: “Port 445 (SMB) is open on 192.168.1.10, running Windows.”
Enumeration tells you: “The SMB service on 192.168.1.10 has users admin, jsmith, and backup_svc. The C$ and Finance$ shares are accessible. The password policy requires 8 characters with no lockout threshold. The OS is Windows Server 2019 Build 17763.”
Enumeration actively queries services to extract every piece of information they are willing to provide. The more a service is misconfigured, the more it reveals.
Enumeration Types by Protocol
| Protocol | Port(s) | What you can extract | Key tools |
|---|---|---|---|
| NetBIOS | 137-139 | Computer names, domain/workgroup, logged-in users, MAC addresses | nbtstat, nbtscan, nmblookup |
| SNMP | 161/UDP | System info, running processes, installed software, network interfaces, routing tables | snmpwalk, snmp-check, onesixtyone |
| LDAP | 389, 636 | Users, groups, organisational units, group policies, computer objects | ldapsearch, windapsearch, ldapdomaindump |
| DNS | 53 | Hostnames, subdomains, mail servers, zone transfer data | dig, nslookup, dnsenum, dnsrecon |
| SMB | 445 | Shares, users, groups, password policies, OS details | enum4linux, smbclient, crackmapexec, rpcclient |
| NFS | 2049 | Exported file systems, mount permissions | showmount, nfsstat |
Step-by-Step: Enumeration Methodology
A structured approach ensures thorough enumeration without missing critical information.
- Review scan results. Start with your port scanning output. Identify which enumerable services are running (SMB, SNMP, LDAP, DNS, NFS, etc.).
- Enumerate NetBIOS/SMB first. On Windows-centric networks, NetBIOS and SMB enumeration reveals the most information — usernames, shares, password policies, and domain details.
- Check for SNMP. If UDP port 161 is open, attempt SNMP enumeration with common community strings. SNMP can reveal entire system configurations if default strings are in use.
- Query LDAP. If ports 389 or 636 are open, LDAP queries can extract the complete Active Directory structure — every user, group, and computer object.
- Attempt DNS zone transfers. If port 53 is open, check whether the DNS server allows zone transfers. A successful transfer gives you a complete list of all hostnames and IP addresses in the domain.
- Check NFS exports. If port 2049 is open, check what file systems are exported and whether they are mountable without authentication.
- Compile and correlate. Combine all enumerated data into a comprehensive target map. Usernames from SMB, hostnames from DNS, and configurations from SNMP together build a complete picture.
Figure: Network Enumeration Methodology. Systematically extract information from every discovered service.
How Does Enumeration Fit Into a Security Architecture?
The MITRE ATT&CK Discovery tactic (TA0007) maps enumeration techniques to specific protocol layers and services, providing a standardised taxonomy for both offensive testing and defensive detection.
Enumeration targets services at different layers of the network stack. Understanding which layer each protocol operates at helps you prioritise and organise your enumeration approach.
Figure: Enumeration Types by Protocol Layer. Each protocol layer exposes different types of information to enumeration.
What Does Enumeration Look Like in Practice?
The tools and commands below are documented in NIST SP 800-115 and tested on CompTIA Security+ SY0-701 and CEH v13. Each protocol-specific section shows the exact commands penetration testers use in real engagements.
Practise these commands in your home lab against intentionally vulnerable machines. Metasploitable 2, Kioptrix, and Active Directory lab environments are ideal for enumeration practice.
NetBIOS Enumeration

```bash
# Query NetBIOS name table for a target
nbtstat -A 192.168.1.100      # Windows
nmblookup -A 192.168.1.100    # Linux

# Scan a subnet for NetBIOS names
nbtscan 192.168.1.0/24

# List shared resources using net view (Windows)
net view \\192.168.1.100
```

SMB Enumeration with enum4linux

```bash
# Full enumeration — users, shares, groups, password policy, OS info
enum4linux -a 192.168.1.100

# Enumerate users only
enum4linux -U 192.168.1.100

# Enumerate shares only
enum4linux -S 192.168.1.100

# Enumerate group memberships
enum4linux -G 192.168.1.100

# Enumerate password policy
enum4linux -P 192.168.1.100
```

SMB Enumeration with smbclient and rpcclient

```bash
# List available shares (null session — no credentials)
smbclient -L //192.168.1.100 -N

# Connect to a specific share
smbclient //192.168.1.100/sharename -N

# Enumerate users via RPC null session
rpcclient -U "" -N 192.168.1.100
rpcclient $> enumdomusers
rpcclient $> enumdomgroups
rpcclient $> getdompwinfo
rpcclient $> querydispinfo
```

SNMP Enumeration

```bash
# Walk the entire SNMP tree with default community string
snmpwalk -v2c -c public 192.168.1.100

# Get system description
snmpwalk -v2c -c public 192.168.1.100 1.3.6.1.2.1.1.1

# Enumerate running processes
snmpwalk -v2c -c public 192.168.1.100 1.3.6.1.2.1.25.4.2.1.2

# Enumerate installed software
snmpwalk -v2c -c public 192.168.1.100 1.3.6.1.2.1.25.6.3.1.2

# Enumerate network interfaces
snmpwalk -v2c -c public 192.168.1.100 1.3.6.1.2.1.2.2.1.2

# Brute-force community strings
onesixtyone -c /usr/share/wordlists/community_strings.txt 192.168.1.100
```

LDAP Enumeration

```bash
# Anonymous LDAP search for naming contexts
ldapsearch -x -H ldap://192.168.1.100 -s base namingContexts

# Enumerate all users in the domain
ldapsearch -x -H ldap://192.168.1.100 -b "DC=example,DC=com" "(objectClass=user)" sAMAccountName

# Enumerate all groups
ldapsearch -x -H ldap://192.168.1.100 -b "DC=example,DC=com" "(objectClass=group)" cn member

# Enumerate computer objects
ldapsearch -x -H ldap://192.168.1.100 -b "DC=example,DC=com" "(objectClass=computer)" cn operatingSystem
```

DNS Enumeration

```bash
# Attempt DNS zone transfer
dig axfr @192.168.1.100 example.com

# Query specific record types
dig @192.168.1.100 example.com MX    # Mail servers
dig @192.168.1.100 example.com NS    # Name servers
dig @192.168.1.100 example.com TXT   # TXT records (SPF, DKIM, etc.)

# Reverse DNS lookup
dig -x 192.168.1.100 @192.168.1.100

# Automated DNS enumeration
dnsenum example.com
dnsrecon -d example.com -t axfr
```

NFS Enumeration

```bash
# List exported file systems
showmount -e 192.168.1.100

# Mount an exported share (if permissions allow)
mkdir /tmp/nfs_mount
sudo mount -t nfs 192.168.1.100:/exported_share /tmp/nfs_mount
```

What Are the Limitations of Network Enumeration?
NIST SP 800-115 notes that enumeration effectiveness depends heavily on service configuration — properly hardened systems reveal minimal information, while misconfigured services may expose the entire domain structure. Modern security controls increasingly limit what unauthenticated queries can extract.
| Factor | Limitation | How to handle it |
|---|---|---|
| Null session restrictions | Modern Windows versions disable null sessions by default | Attempt null sessions but do not rely on them; authenticated enumeration is more reliable |
| SNMP v3 encryption | SNMPv3 with authentication and encryption prevents community string enumeration | Check for SNMPv1/v2c fallback; if only v3 is configured, you need valid credentials |
| DNS zone transfer restrictions | Most properly configured DNS servers deny zone transfers to unauthorised hosts | Use brute-force subdomain enumeration as an alternative (slower but still effective) |
| Firewall filtering | Firewalls may block enumeration ports or rate-limit connections | Verify which ports are accessible from your position; adjust techniques accordingly |
| Account lockout | Authenticated enumeration attempts may trigger lockout on incorrect credentials | Use null sessions or anonymous access first; check lockout policy before trying credentials |
| IDS detection | Enumeration tools generate distinctive traffic patterns that IDS rules match | Accept that enumeration will be detected on monitored networks; coordinate with the client |
A common beginner mistake is running every enumeration tool at once without understanding what each one does. Start with the protocol-specific information from your port scan, target only the services that are actually running, and methodically work through each one. Scattered, unfocused enumeration wastes time and generates unnecessary noise.
What Interview Questions Should You Expect About Enumeration?
CompTIA Security+ SY0-701 and CEH v13 both test candidates on enumeration protocols, the distinction between scanning and enumeration, and defensive countermeasures. Interviewers for penetration testing and SOC analyst roles regularly assess practical enumeration knowledge.
Enumeration questions test whether you understand the difference between broad scanning and targeted information extraction.
Q1: What is the difference between scanning and enumeration?
Strong answer: “Scanning identifies which hosts are alive and which ports are open — it tells you the attack surface exists. Enumeration goes deeper by actively querying those open services to extract specific information like usernames, shares, group memberships, and service configurations. Scanning gives you the doors; enumeration tells you what is behind them.”
Q2: What is a null session and why is it a security risk?
Strong answer: “A null session is an unauthenticated connection to a Windows SMB service — you connect without providing a username or password. If null sessions are allowed, an attacker can enumerate usernames, shares, group memberships, and password policies without any credentials at all. This gives attackers a complete map of the domain. Modern Windows versions restrict null sessions by default, but legacy configurations and misconfigurations still allow them.”
Q3: You discover SNMP is running with the community string ‘public’ on a network device. What is the risk?
Strong answer: “The community string ‘public’ is the default read-only string for SNMP. If it has not been changed, anyone can query the device for its complete configuration — system information, network interfaces, routing tables, running processes, and installed software. If the read-write community string ‘private’ is also default, an attacker could modify the device’s configuration remotely. The immediate recommendation is to change community strings to non-guessable values and restrict SNMP access to authorised management stations by IP.”
Q4: How would you enumerate users in an Active Directory environment?
Strong answer: “I would use multiple approaches: LDAP queries with ldapsearch to enumerate user objects, SMB enumeration with enum4linux or crackmapexec for null session user listing, RPC queries with rpcclient for domain user enumeration, and Kerberos user enumeration with kerbrute which can identify valid usernames without triggering authentication failures. Each method has different requirements and detection profiles, so using multiple approaches gives the most complete picture.”
How Is Enumeration Used in Real Security Operations?
The MITRE ATT&CK framework provides detection guidance for every Discovery technique, enabling SOC teams to build targeted detection rules for enumeration activity. Recognising enumeration patterns in logs and IDS alerts is a core SOC analyst competency.
Day-One SOC Scenarios
As a new SOC analyst, enumeration activity appears in several common alert categories:
- SNMP scanning alerts. IDS rules detect SNMP queries from unexpected source addresses or with default community strings. These indicate someone is probing network devices for information.
- Null session attempts. Windows Security Event IDs 4624 (Logon Type 3) and 4625 (Failed Logon) with null credentials indicate SMB enumeration attempts against domain controllers and file servers.
- DNS zone transfer attempts. DNS server logs showing AXFR requests from non-authorised IP addresses indicate someone attempting to dump the complete DNS zone.
- LDAP reconnaissance. Unusual LDAP query patterns — especially queries for all user objects or group memberships — from non-administrative workstations suggest enumeration activity.
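An added example, not part of the original page: a Python triage pass over constructed log lines that flags each of the four alert categories above and counts hits per source address. The log formats are simplified stand-ins for Windows Security events, a BIND transfer log, snmpd and an LDAP access log, and the allow-lists are assumptions.

```python
import re
from collections import Counter

# Constructed sample log lines (not captured from a real environment).
# 10.0.0.77 is the constructed "noisy" host that touches every protocol.
SAMPLE_LOGS = [
    'EventID=4624 LogonType=3 TargetUserName="ANONYMOUS LOGON" IpAddress=10.0.0.77 Computer=DC01',
    'EventID=4624 LogonType=3 TargetUserName="jsmith" IpAddress=10.0.0.12 Computer=FS01',
    'EventID=4625 LogonType=3 TargetUserName="" IpAddress=10.0.0.77 Computer=DC01',
    "client 10.0.0.77#51234 (example.com): transfer of 'example.com/IN': AXFR started",
    "client 10.0.0.53#51234 (example.com): transfer of 'example.com/IN': AXFR started",
    'snmpd: request from UDP: [10.0.0.77]:40000 community="public"',
    'snmpd: request from UDP: [10.0.0.5]:40000 community="Xk9-mgmt-ro"',
    'ldap: client=10.0.0.77 bind=anonymous filter="(objectClass=user)" attrs=sAMAccountName',
    'ldap: client=10.0.0.9 bind=admin@example.com filter="(objectClass=user)" attrs=sAMAccountName',
]

# Assumed allow-lists; in a real SOC these come from the asset inventory.
AUTHORISED_DNS_SECONDARIES = {"10.0.0.53"}   # the only lawful AXFR peer
SNMP_MANAGEMENT_STATIONS = {"10.0.0.5"}      # the NMS allowed to poll devices
ADMIN_WORKSTATIONS = {"10.0.0.9"}            # hosts expected to run directory tooling
DEFAULT_COMMUNITIES = {"public", "private"}

RE_WIN = re.compile(r'EventID=(\d+) LogonType=(\d+) TargetUserName="([^"]*)" IpAddress=(\S+)')
RE_AXFR = re.compile(r"client (\S+?)#\d+ \(([^)]+)\): transfer of .*AXFR started")
RE_SNMP = re.compile(r'snmpd: request from UDP: \[([^\]]+)\]:\d+ community="([^"]*)"')
RE_LDAP = re.compile(r'ldap: client=(\S+) bind=(\S+) filter="\(objectClass=(user|group|computer)\)"')


def classify(line):
    """Return (technique, source_ip, detail) when the line matches one of the
    enumeration indicators listed above, otherwise None."""
    m = RE_WIN.search(line)
    if m:
        event, logon_type, user, ip = m.groups()
        # A null session appears as a network (type 3) logon by ANONYMOUS LOGON,
        # or as a failed logon carrying an empty account name.
        if event == "4624" and logon_type == "3" and user == "ANONYMOUS LOGON":
            return ("smb_null_session", ip, "4624 type 3 by ANONYMOUS LOGON")
        if event == "4625" and user == "":
            return ("smb_null_session", ip, "4625 with empty account name")
        return None
    m = RE_AXFR.search(line)
    if m:
        ip, zone = m.groups()
        if ip not in AUTHORISED_DNS_SECONDARIES:
            return ("dns_zone_transfer", ip, f"AXFR of {zone} from a non-secondary")
        return None
    m = RE_SNMP.search(line)
    if m:
        ip, community = m.groups()
        if community in DEFAULT_COMMUNITIES or ip not in SNMP_MANAGEMENT_STATIONS:
            return ("snmp_probe", ip, f"community={community!r}")
        return None
    m = RE_LDAP.search(line)
    if m:
        ip, bind, cls = m.groups()
        if ip not in ADMIN_WORKSTATIONS:
            return ("ldap_recon", ip, f"{bind} bind listing every {cls} object")
    return None


def detect(lines):
    """Classify every line and count alerts per source IP, so one host that
    touches several protocols stands out as reconnaissance rather than noise."""
    alerts = [a for a in map(classify, lines) if a]
    per_source = Counter(ip for _, ip, _ in alerts)
    return alerts, per_source
```

Running `detect(SAMPLE_LOGS)` yields five alerts, all attributed to 10.0.0.77, while the legitimate secondary, NMS and admin workstation produce none.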
Australian Context
The ASD Essential Eight and ACSC ISM address the services commonly targeted by enumeration:
- Restrict administrative privileges — limits what information authenticated enumeration can extract by ensuring standard users do not have access to sensitive directory information.
- Harden operating system configurations — the ISM recommends disabling null sessions, restricting anonymous access, changing default SNMP community strings, and disabling zone transfers to unauthorised hosts.
- Application control — prevents execution of enumeration tools on endpoints within the network.
Australian organisations handling government data classified at PROTECTED or above must follow specific ISM controls for SNMP management (using SNMPv3 with authentication and encryption), LDAP security (requiring authentication for all queries), and DNS hardening (restricting zone transfers and implementing DNSSEC). The SOCI Act requires critical infrastructure operators to manage risks that enumeration-exposed information could create.
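As an added example (not from the ISM, and not code from any real host), a small Python auditor that checks constructed Samba, net-snmp and BIND fragments for the settings named above: null sessions and guest shares, default or unrestricted community strings, and unrestricted zone transfers. Each weak fragment sits beside a hardened one; the community string and addresses are assumptions.

```python
import re

# Constructed configuration fragments (not taken from any real host). The WEAK
# set reproduces the misconfigurations listed above; HARDENED applies the fixes.
WEAK_SMB = """
[global]
   map to guest = Bad User
[finance]
   path = /srv/finance
   guest ok = yes
"""
HARDENED_SMB = """
[global]
   restrict anonymous = 2
   map to guest = Never
[finance]
   path = /srv/finance
   guest ok = no
   valid users = @finance
"""
WEAK_SNMPD = "rocommunity public\nrwcommunity private\n"
HARDENED_SNMPD = "rocommunity Xk9-mgmt-ro 10.0.0.5/32\n"   # read-only, one NMS only
WEAK_NAMED = 'zone "example.com" { type master; file "db.example"; allow-transfer { any; }; };'
HARDENED_NAMED = 'zone "example.com" { type master; file "db.example"; allow-transfer { 10.0.0.53; }; };'

DEFAULT_COMMUNITIES = {"public", "private"}
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{((?:[^{}]|\{[^{}]*\})*)\}')  # one nesting level

def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}}, keys and values lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";")[0].split("#")[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip().lower()
    return sections

def audit_smb(text):
    cfg, findings = parse_smb_conf(text), []
    glob = cfg.get("global", {})
    if glob.get("restrict anonymous", "0") == "0":
        findings.append("smb: 'restrict anonymous' is 0 or unset, so null-session enumeration is allowed")
    if glob.get("map to guest", "never") != "never":
        findings.append("smb: 'map to guest' turns unknown users into guest sessions")
    for name, share in cfg.items():
        if name != "global" and share.get("guest ok") == "yes":
            findings.append(f"smb: share [{name}] is reachable without credentials (guest ok = yes)")
    return findings

def audit_snmpd(text):
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("rocommunity", "rwcommunity"):
            if parts[1] in DEFAULT_COMMUNITIES:
                findings.append(f"snmp: default community '{parts[1]}' used in {parts[0]}")
            if len(parts) == 2:   # no source address or network after the community
                findings.append(f"snmp: {parts[0]} '{parts[1]}' accepts queries from any source")
    return findings

def audit_named(text):
    findings = []
    for zone, body in ZONE_RE.findall(text):
        m = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
        if m is None or re.search(r"\bany\b", m.group(1)):
            findings.append(f"dns: zone {zone} allows AXFR to any host")
    return findings
```

The weak fragments produce eight findings in total and the hardened ones none; v1/v2c communities of any kind are still weaker than SNMPv3 users, which this check does not score.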
Summary and Key Takeaways
Network enumeration transforms open ports into detailed intelligence about users, shares, configurations, and potential attack paths.
- Enumeration is not scanning. Scanning finds open doors; enumeration extracts everything behind them. It is the bridge between discovery and exploitation.
- SMB/NetBIOS enumeration is often the most rewarding on Windows networks — usernames, shares, password policies, and group memberships from a single tool.
- SNMP with default community strings is a critical misconfiguration. “public” and “private” are the first strings every attacker tries.
- DNS zone transfers give attackers a complete hostname map if the server is not properly restricted. Always restrict transfers to authorised secondary servers only.
- LDAP enumeration against Active Directory can reveal the entire domain structure — users, groups, computers, and policies.
- Defence is about reducing information exposure. Disable null sessions, change default strings, restrict anonymous access, and harden every service to reveal only what is necessary.
- Every enumeration finding is a hardening recommendation. If you can extract it without credentials, so can an attacker.
Frequently Asked Questions
What is network enumeration?
Network enumeration is the active process of connecting to target systems to extract detailed information — usernames, group memberships, network shares, service configurations, password policies, and application details. It goes beyond port scanning by querying services for the specific data they expose.
What is the difference between enumeration and scanning?
Scanning discovers which hosts are alive and which ports are open. Enumeration actively queries those open services to extract specific information. Scanning tells you SMB is running on port 445; enumeration extracts the complete user list, share names, and password policy from that SMB service.
What is a null session?
A null session is an unauthenticated SMB connection to a Windows system — connecting without a username or password. If allowed, it enables extraction of usernames, shares, groups, and password policies without any credentials. Modern Windows versions restrict null sessions by default, but misconfigurations still occur.
What is SNMP enumeration?
SNMP enumeration uses the Simple Network Management Protocol to query devices for system information, running processes, installed software, network interfaces, and routing tables. It requires knowing the community string (password). Default strings like 'public' (read) and 'private' (read-write) are the first ones attackers try.
What is a DNS zone transfer?
A DNS zone transfer (AXFR) replicates the complete DNS zone data — all hostnames, IP addresses, mail servers, and other records — from a DNS server to a requesting client. It is designed for replication between authorised DNS servers but if unrestricted, any attacker can request the complete zone, mapping every hostname in the domain.
What is enum4linux?
enum4linux is a Linux tool for enumerating information from Windows and Samba systems via SMB and RPC. It automates the extraction of users, shares, groups, password policies, and OS details. A single command (enum4linux -a target) performs comprehensive SMB enumeration. enum4linux-ng is the updated Python3 version.
How do I defend against SNMP enumeration?
Change default community strings from 'public' and 'private' to complex, non-guessable values. Use SNMPv3 with authentication and encryption instead of v1/v2c. Restrict SNMP access to specific management station IP addresses using access control lists. Disable SNMP entirely on devices that do not require remote management.
What is LDAP enumeration?
LDAP enumeration queries a Lightweight Directory Access Protocol server — typically Active Directory — to extract users, groups, organisational units, computer objects, and group policy information. If anonymous LDAP binds are allowed, this information is available without credentials.
What information can NFS enumeration reveal?
NFS (Network File System) enumeration uses showmount to list exported file systems and their access permissions. If exports are misconfigured with broad access (e.g., allowing any host to mount), attackers can mount remote file systems and access files directly without authentication.
How do I practise enumeration safely?
Set up a home lab with Metasploitable 2 (intentionally misconfigured SMB, SNMP, and NFS), a Windows Active Directory lab (for LDAP and SMB enumeration), and VulnHub machines. TryHackMe rooms like 'Enumerating Active Directory' and Hack The Box machines provide legal targets with enumeration challenges.
More resources
- enum4linux-ng: the updated Python3 version of enum4linux — comprehensive SMB and RPC enumeration for Windows and Samba targets.
- HackTricks — Pentesting SMB: practical guide to SMB enumeration techniques, tools, and common misconfigurations for penetration testers.
- SANS SNMP Enumeration Cheat Sheet: quick-reference for SNMP OIDs, community string brute-forcing, and common enumeration commands.
Technical content verified in March 2026 against CompTIA Security+ SY0-701 exam objectives, CEH v13 syllabus, enum4linux-ng, and NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment).