Ethical Hacking Scanning and Enumeration
After reconnaissance, an ethical hacker moves from passive observation to active investigation. Scanning and enumeration involve directly probing the target to discover live hosts, open ports, running services, software versions, and user accounts. This phase builds a detailed technical inventory of the target environment.
Think of reconnaissance as reading a building's blueprints from the city planning office. Scanning is walking around the building, testing every door handle, and checking which windows are open.
The Difference Between Scanning and Enumeration
Scanning identifies what is there — which hosts are alive, which ports are open, which operating systems are running. Enumeration digs deeper into what was found — extracting user lists, share names, service details, and configuration data from identified open services.
Host Discovery: Finding Live Systems
Before scanning ports, an ethical hacker needs to know which IP addresses have active systems listening. Sending detailed port scans to thousands of dead IP addresses wastes time.
Ping Sweep
A ping sweep sends an ICMP echo request (a "ping") to every IP address in a range. Any host that responds is alive. Organizations often block ICMP at their firewall, making ping sweeps unreliable against hardened targets.
Nmap Host Discovery
Nmap can discover live hosts without a full port scan using the -sn flag (previously called -sP). It sends a combination of an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request — a mix of probes that is harder to block entirely than a simple ping.
nmap -sn 192.168.1.0/24
This scans the entire 192.168.1.0/24 subnet and returns a list of live hosts.
Port Scanning with Nmap
Nmap (Network Mapper) is the most widely used port scanning tool in both ethical hacking and network administration. It identifies open ports, running services, and operating systems.
Types of Port Scans
| Scan Type | Nmap Flag | How It Works | Best Used When |
|---|---|---|---|
| TCP SYN Scan (Stealth) | -sS | Sends SYN, reads response, never completes handshake | Default; fast and less likely to be logged |
| TCP Connect Scan | -sT | Completes full TCP handshake | When you lack root/admin privileges |
| UDP Scan | -sU | Sends UDP packets; no connection required | Finding DNS, SNMP, DHCP services |
| Null Scan | -sN | Sends packets with no flags set | Evading some stateless firewalls |
| Xmas Scan | -sX | Sets FIN, PSH, and URG flags simultaneously | Firewall evasion testing |
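Added example (Python, not from the original article): the defender's view of this table, run over constructed connection-log lines. It flags a source that touches many distinct ports on one host within a short window (the shape that SYN, connect and UDP scans all share) and TCP segments whose flag combinations match the Null (no flags) and Xmas (FIN, PSH, URG) probes listed above. The log format, the 5-port threshold and the 60-second window are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample lines (not real traffic):
# "<ISO time> <src> <dst> <proto> <dport> <tcp flags>", "-" = no flags set
SAMPLE_LOG = """\
2024-05-01T10:00:00 192.168.1.50 192.168.1.10 tcp 22 S
2024-05-01T10:00:00 192.168.1.50 192.168.1.10 tcp 80 S
2024-05-01T10:00:01 192.168.1.50 192.168.1.10 tcp 443 S
2024-05-01T10:00:01 192.168.1.50 192.168.1.10 tcp 3389 S
2024-05-01T10:00:02 192.168.1.50 192.168.1.10 tcp 445 S
2024-05-01T10:00:03 192.168.1.77 192.168.1.10 tcp 139 FPU
2024-05-01T10:00:03 192.168.1.78 192.168.1.10 tcp 139 -
2024-05-01T10:05:00 192.168.1.20 192.168.1.10 tcp 443 S
"""
def parse(log_text):
    """Turn log lines into (time, src, dst, proto, dport, flags) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, src, dst, proto, dport, flags = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, proto, int(dport), flags))
    return events

def flag_anomalies(events):
    """TCP segments with no flags (Null scan) or exactly FIN+PSH+URG (Xmas scan)."""
    hits = []
    for _, src, dst, proto, dport, flags in events:
        if proto != "tcp":
            continue
        if flags == "-":
            hits.append((src, dst, dport, "null-scan"))
        elif set(flags) == {"F", "P", "U"}:
            hits.append((src, dst, dport, "xmas-scan"))
    return hits

def fanout_alerts(events, threshold=5, window=60):
    """(src, dst) -> sorted ports once >= threshold distinct ports are probed in `window` s."""
    by_pair = defaultdict(list)
    for ts, src, dst, _, dport, _ in events:
        by_pair[(src, dst)].append((ts, dport))
    alerts = {}
    for pair, probes in by_pair.items():
        probes.sort()
        start = 0
        for end in range(len(probes)):
            while (probes[end][0] - probes[start][0]).total_seconds() > window:
                start += 1  # slide the window forward past old probes
            ports = {port for _, port in probes[start:end + 1]}
            if len(ports) >= threshold:
                alerts[pair] = sorted(ports)
    return alerts
```

The single benign connection from 192.168.1.20 produces no alert, while the five-port burst from 192.168.1.50 does; a connect scan (-sT) that completes the handshake leaves the same fan-out pattern even though the flag check never fires.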
Service Version Detection
Knowing a port is open is only the start. Service version detection identifies exactly what software is running and its version number. Outdated versions frequently have known, exploitable vulnerabilities.
nmap -sV 192.168.1.10
This returns output like: "Port 22/tcp open — OpenSSH 7.4." A quick search for "OpenSSH 7.4 CVE" will then show the publicly known vulnerabilities for that specific version.
Operating System Detection
Nmap uses differences in how operating systems implement the TCP/IP stack to fingerprint the OS. This helps the ethical hacker select the correct exploits, since Windows and Linux vulnerabilities are completely different.
nmap -O 192.168.1.10
Aggressive Scan
The aggressive scan combines OS detection, version detection, script scanning, and traceroute in a single command. It produces maximum information but also generates heavy traffic that intrusion detection systems will likely detect.
nmap -A 192.168.1.10
Nmap Scripting Engine (NSE)
Nmap includes a scripting engine with hundreds of pre-built scripts that extend its capabilities far beyond port scanning. NSE scripts can check for specific vulnerabilities, enumerate services, and test for misconfigurations automatically.
Categories of NSE scripts include:
- auth — Test for default or empty credentials on services
- vuln — Check for specific known vulnerabilities
- brute — Run brute-force attacks against login services
- discovery — Gather additional information about services and hosts
To run all vulnerability detection scripts against a host:
nmap --script vuln 192.168.1.10
Enumeration: Extracting Details from Open Services
Once open ports and services are identified, enumeration extracts specific information from each service. Different services leak different types of data.
SMB Enumeration (Windows File Sharing)
SMB (Server Message Block) is the Windows file-sharing protocol running on port 445. Misconfigured SMB servers reveal:
- Shared folder names and their access permissions
- Domain name and workgroup information
- User account names
- Operating system version
Tools: enum4linux, smbclient, Nmap SMB scripts.
enum4linux -a 192.168.1.10
SNMP Enumeration
SNMP (Simple Network Management Protocol) runs on UDP port 161. Network devices like routers and switches use SNMP for remote monitoring. When misconfigured with the default community string "public," SNMP exposes:
- Device hardware and software inventory
- Network interface details and traffic statistics
- Running processes and installed software
- User accounts on the system
Tool: snmpwalk
snmpwalk -v2c -c public 192.168.1.1
LDAP Enumeration
LDAP (Lightweight Directory Access Protocol) powers Active Directory on Windows networks. It listens on port 389 (LDAP) or 636 (LDAPS, LDAP over SSL/TLS). An unauthenticated LDAP query against an unprotected domain controller can return:
- Complete list of user accounts and email addresses
- Group memberships (who is an administrator)
- Computer accounts on the domain
- Organizational unit structure
Banner Grabbing
When a service accepts a connection, it often responds with a banner — a short text message announcing its software name and version. Banner grabbing captures this response.
nc -v 192.168.1.10 22
A typical SSH banner response: "SSH-2.0-OpenSSH_7.4 Debian-10+deb9u7." This reveals the software, version, and underlying operating system — all in a single connection attempt.
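Added example (Python, not part of the original article or of netcat): a parser that turns the identification string a banner grab like the one above returns into inventory fields, following the RFC 4253 format SSH-protoversion-softwareversion SP comments CRLF. The sample bytes are constructed and include a pre-banner notice line, which the RFC permits and which a naive "take the first line" parser would mistake for the banner.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample of what a raw TCP connect to port 22 may return. The first
# line is a pre-banner notice that RFC 4253 allows and that a parser must skip.
SAMPLE_BANNER = b"Authorized access only.\r\nSSH-2.0-OpenSSH_7.4 Debian-10+deb9u7\r\n"

# RFC 4253 section 4.2: SSH-<protoversion>-<softwareversion>[ <comments>]
_IDENT = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")

class SshIdent(NamedTuple):
    protocol: str            # "2.0"
    software: str            # "OpenSSH_7.4" (verbatim softwareversion field)
    product: str             # "OpenSSH"
    version: Optional[str]   # "7.4"
    comments: Optional[str]  # "Debian-10+deb9u7": usually the OS/distro hint

def parse_ssh_ident(raw: bytes) -> Optional[SshIdent]:
    """Parse the identification string out of captured banner bytes, or None."""
    for line in raw.decode("ascii", errors="replace").splitlines():
        if not line.startswith("SSH-"):
            continue  # pre-banner lines carry no version information
        m = _IDENT.match(line)
        if not m:
            return None  # starts with SSH- but is malformed
        software = m.group("software")
        # OpenSSH, Dropbear and others separate product from version with "_"
        product, _, version = software.partition("_")
        return SshIdent(m.group("proto"), software, product,
                        version or None, m.group("comments"))
    return None
```

Feeding the parsed product and version into a patch baseline is how a defender turns the same banner that an attacker reads into a remediation ticket.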
Vulnerability Scanning
Vulnerability scanners automate the process of checking discovered services against databases of known vulnerabilities. They do not exploit vulnerabilities — they identify and report them.
Nessus
Nessus is the most widely used vulnerability scanner in professional penetration testing. It scans systems, checks them against its database of over 130,000 known vulnerabilities, and produces a prioritized report sorted by severity. The free version (Nessus Essentials) allows scanning up to 16 IP addresses.
OpenVAS
OpenVAS is a free, open-source vulnerability scanner maintained by Greenbone Networks. It provides comparable coverage to Nessus and integrates well with lab environments running on Kali Linux.
Scanning Diagram: Building the Target Map
Scanning builds a picture layer by layer, like an archaeologist brushing dirt off a buried artifact:
- Layer 1 — Hosts: Which IP addresses are alive? (ping sweep)
- Layer 2 — Ports: Which doors are open on each host? (port scan)
- Layer 3 — Services: What is running behind each open door? (version detection)
- Layer 4 — Details: What do those services reveal about users, shares, and config? (enumeration)
- Layer 5 — Vulnerabilities: Which of those services have known weaknesses? (vulnerability scan)
Each layer builds on the previous one and narrows the list of high-value attack targets for the exploitation phase.
Key Points
- Scanning identifies live hosts, open ports, and running services; enumeration extracts detailed information from those services.
- Nmap is the primary tool for port scanning and supports multiple scan types suited to different detection requirements.
- Service version detection and OS fingerprinting tell you exactly what software is running so you can match it to known vulnerabilities.
- SMB, SNMP, and LDAP enumeration are particularly valuable on enterprise networks and reveal user accounts, configurations, and internal structure.
- Vulnerability scanners like Nessus and OpenVAS automate checking services against known vulnerability databases.
