Service Enumeration
Deep enumeration extracts detailed information from discovered services to identify misconfigurations, credentials, and attack vectors for exploitation. Each protocol requires specific tools and techniques.
Enumeration Guides
SMB Enumeration
Port 445: Enumerate SMB shares, users, and sensitive files. Null session testing, spidering, and relay attack setup.
LDAP & Active Directory
Port 389/636: Query LDAP for users, groups, computers, GPOs, trusts. PowerView, ldapdomaindump, and windapsearch.
Kerberos Enumeration
Port 88: User enumeration, AS-REP roasting, Kerberoasting, and delegation discovery. Kerbrute, Rubeus, and Impacket.
DNS Enumeration
Port 53: Zone transfers, SRV records, ADIDNS poisoning, and reverse lookups. DNSrecon and adidnsdump.
Database Enumeration
Port 1433/3306: MSSQL, MySQL, PostgreSQL enumeration. xp_cmdshell, linked servers, and credential extraction.
Enumeration Workflow
Recommended Order
- SMB - Null sessions, shares, sensitive files
- DNS - Zone transfers, SRV records, host discovery
- LDAP - Users, groups, password policies
- Kerberos - AS-REP roast, Kerberoast, delegation
- Databases - Default creds, linked servers, command execution
Quick Reference
| Service | Ports | Quick Win Tools |
|---|---|---|
| SMB | 445, 139 | crackmapexec smb -u '' -p '' --shares |
| LDAP | 389, 636 | ldapdomaindump -u 'user' -p 'pass' ldap://DC |
| Kerberos | 88 | kerbrute userenum -d DOMAIN users.txt |
| DNS | 53 | dig @DC DOMAIN AXFR |
| MSSQL | 1433 | crackmapexec mssql -u user -p pass -x whoami |