Service Enumeration

Deep enumeration extracts detailed information from discovered services to identify misconfigurations, credentials, and attack vectors for exploitation. Each protocol requires specific tools and techniques.

Tip

Thorough enumeration is the foundation of successful exploitation. Spend time here to identify all potential attack vectors before moving to exploitation.
flowchart TD A[Enumeration] --> B[Network Services] A --> C[Active Directory] A --> D[Databases] B --> B1[SMB - Shares] B --> B2[DNS - Records] C --> C1[LDAP - Users/Groups] C --> C2[Kerberos - SPNs] D --> D1[MSSQL] D --> D2[MySQL/PostgreSQL] style A fill:#00ff00,stroke:#000,color:#000 style C1 fill:#a855f7,stroke:#000,color:#000 style C2 fill:#a855f7,stroke:#000,color:#000

Enumeration Guides

SMB Enumeration

Port 445

Enumerate SMB shares, users, and sensitive files. Null session testing, spidering, and relay attack setup.

smbclient nxc enum4linux-ng

LDAP & Active Directory

Port 389/636

Query LDAP for users, groups, computers, GPOs, trusts. PowerView, ldapdomaindump, and windapsearch.

ldapsearch PowerView ldapdomaindump

Kerberos Enumeration

Port 88

User enumeration, AS-REP roasting, Kerberoasting, and delegation discovery. Kerbrute, Rubeus, and Impacket.

Kerbrute GetUserSPNs Rubeus

DNS Enumeration

Port 53

Zone transfers, SRV records, ADIDNS poisoning, and reverse lookups. DNSrecon and adidnsdump.

dig DNSrecon adidnsdump

Database Enumeration

Port 1433/3306

MSSQL, MySQL, PostgreSQL enumeration. xp_cmdshell, linked servers, and credential extraction.

mssqlclient mysql psql

Cloud & Hybrid

Azure/M365

Azure tenant discovery, M365 endpoint enumeration, service principal mapping, and cloud credential discovery from internal network.

AADInternals ROADtools az cli

Enumeration Workflow

Information

Start with unauthenticated enumeration, then escalate with any credentials discovered. Each service may reveal credentials for others.

Recommended Order

  1. SMB - Null sessions, shares, sensitive files
  2. DNS - Zone transfers, SRV records, host discovery
  3. LDAP - Users, groups, password policies
  4. Kerberos - AS-REP roast, Kerberoast, delegation
  5. Databases - Default creds, linked servers, command execution

Quick Reference

Service Ports Quick Win Tools
SMB 445, 139 nxc smb -u '' -p '' --shares
LDAP 389, 636 ldapdomaindump -u 'user' -p 'pass' ldap://DC
Kerberos 88 kerbrute userenum -d DOMAIN users.txt
DNS 53 dig @DC DOMAIN AXFR
MSSQL 1433 nxc mssql -u user -p pass -x whoami

Related Topics

SMB Enumeration

LDAP & Active Directory

Kerberos Enumeration

nxc Cheatsheet

Impacket Cheatsheet