Enumeration is the phase where a penetration tester moves from "I know something is there" to
"I know exactly what is running, who has access, and how it is configured." It is the bridge
between passive reconnaissance and active exploitation — and getting it right is what separates
a surface-level scan from a real assessment.
In this write-up I walk through a full enumeration exercise I ran against an isolated lab
environment: ping sweep, stealth SYN scan with OS detection, Windows enumeration with
enum4linux, SNMP walking, and a roundup of GUI tools. Every command is real, every screenshot
is from the actual session.
The Problem This Solves
You have identified a target network. Now what? Raw connectivity is not enough. You need to
know which hosts are alive, what OS they run, which services are exposed, who the local users
are, what the password policy looks like, and whether SNMP is leaking system internals. Each of
those questions maps to a different tool and a different technique. This post covers all of them
in one place.
Lab Environment
| Machine | Role | IP Address |
|---|---|---|
| Kali Linux 2026.1 | Attacker | 192.168.1.4 |
| Metasploitable2 | Linux Target | 192.168.1.3 |
| Windows 7 / Windows 10 | Windows Target | 192.168.1.5 / 192.168.1.6 |
Network: 192.168.1.0/24 — fully isolated NAT network inside VirtualBox.
Step 1 — Ping Sweep: Finding Live Hosts
Before anything else, I need to know which machines are actually on the network. Nmap's -sP
flag (ping scan only; -sn is the current spelling of the same option) sweeps the entire subnet
without probing any ports.
sudo nmap -sP 192.168.1.0/24
What came back:
Nmap scan report for 192.168.1.1 → Gateway
Nmap scan report for 192.168.1.2 → Live host
Nmap scan report for 192.168.1.3 → Metasploitable2 (MAC: 08:00:27:EF:BD:E4)
Nmap scan report for 192.168.1.4 → Kali (no MAC shown — local machine)
Four hosts alive. Metasploitable2 confirmed at 192.168.1.3.
Step 2 — Stealth SYN Scan with OS Detection
Now I want the full picture on the target: open ports, service versions, and OS fingerprint. The
-sSV flags combine a SYN stealth scan with version detection. -O adds OS fingerprinting.
sudo nmap -sSV -O 192.168.1.3
A SYN scan sends a SYN packet and waits for the SYN/ACK (or RST) that reveals the port state. It
never completes the three-way handshake, so a service that only logs accepted connections never
sees the probe; anything that inspects packets, such as a firewall or IDS, still does, which is
why the scan is stealthy only in a narrow sense.
Key results:
| Port | Service | Version |
|---|---|---|
| 21/tcp | FTP | vsftpd 2.3.4 |
| 22/tcp | SSH | OpenSSH 4.7p1 |
| 23/tcp | Telnet | Linux telnetd |
| 80/tcp | HTTP | Apache 2.2.8 |
| 3306/tcp | MySQL | 5.0.51a |
| 5432/tcp | PostgreSQL | 8.3.0–8.3.7 |
| 5900/tcp | VNC | Protocol 3.3 |
| 1524/tcp | Backdoor | Metasploitable root shell |
OS Details:
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 – 2.6.33
Network Distance: 1 hop
Service Info: metasploitable.localdomain, irc.Metasploitable.LAN
Metasploitable2 is deliberately over-exposed — that is the point of the VM — but the scan
output shows exactly the kind of data an attacker would use to prioritize entry points.
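The output of the ping sweep and the SYN scan is only useful once it is compared against what is supposed to be on the network. The following Python script is an added example of mine, not code from the write-up: it parses Nmap's normal-format output (the "Nmap scan report for", "MAC Address:" and "port/proto state service version" lines) into a per-host inventory, merges the sweep and the port scan for the same IP, and reports hosts that are not in an asset list and open ports outside a sanctioned baseline. The sample output is constructed to mirror the hosts and services reported above, and the EXPECTED baseline is an assumption for the sake of the example.

```python
"""Parse Nmap normal-format output into a per-host inventory and flag what
deviates from an expected-exposure baseline. Added example, not code from the
original write-up. The sample output is constructed to mirror the hosts and
services the lab session reported; the EXPECTED baseline is an assumption."""
import re

# Constructed sample: ping-sweep lines followed by a -sSV report for one host.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.1.1
Host is up (0.00045s latency).
MAC Address: 52:54:00:AB:CD:EF (Unknown)
Nmap scan report for 192.168.1.2
Host is up (0.00040s latency).
MAC Address: 08:00:27:11:22:33 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.1.3
Host is up (0.00021s latency).
MAC Address: 08:00:27:EF:BD:E4 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.1.4
Host is up.
Nmap scan report for 192.168.1.3
Host is up (0.00030s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
1524/tcp open  bindshell   Metasploitable root shell
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
MAC Address: 08:00:27:EF:BD:E4 (Oracle VirtualBox virtual NIC)
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?$")
MAC_RE = re.compile(r"^MAC Address: (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})(?: \((?P<vendor>.*)\))?$")
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>.*))?$")


def parse_nmap(text):
    """Return {ip: {"name", "mac", "vendor", "ports": {"21/tcp": {...}}}}.
    Repeated reports for the same IP (sweep, then port scan) are merged."""
    hosts = {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        m = HOST_RE.match(line)
        if m:
            ip = m.group("ip")
            current = hosts.setdefault(ip, {"name": None, "mac": None, "vendor": None, "ports": {}})
            if m.group("name"):
                current["name"] = m.group("name")
            continue
        if current is None:
            continue
        m = MAC_RE.match(line)
        if m:
            current["mac"], current["vendor"] = m.group("mac"), m.group("vendor")
            continue
        m = PORT_RE.match(line)
        if m and m.group("state") == "open":
            key = f"{m.group('port')}/{m.group('proto')}"
            current["ports"][key] = {"service": m.group("service"),
                                     "version": (m.group("version") or "").strip()}
    return hosts


def check_baseline(hosts, expected):
    """expected: {ip: set of 'port/proto' sanctioned for that host}.
    Flags hosts missing from the inventory and open ports outside the baseline."""
    findings = []
    for ip in sorted(hosts, key=lambda a: tuple(int(o) for o in a.split("."))):
        h = hosts[ip]
        if ip not in expected:
            findings.append(f"{ip}: not in asset inventory (mac={h['mac']}, vendor={h['vendor']})")
            continue
        for key in sorted(h["ports"], key=lambda k: int(k.split("/")[0])):
            if key not in expected[ip]:
                svc = h["ports"][key]
                findings.append(f"{ip}: unexpected open {key} {svc['service']} {svc['version']}".rstrip())
    return findings


# Assumed baseline: only SSH and HTTP are sanctioned on the Linux target; .2 is unknown.
EXPECTED = {
    "192.168.1.1": set(),
    "192.168.1.3": {"22/tcp", "80/tcp"},
    "192.168.1.4": set(),
}

if __name__ == "__main__":
    for finding in check_baseline(parse_nmap(SAMPLE_NMAP_OUTPUT), EXPECTED):
        print(finding)
```

Run it against a saved scan with `nmap ... -oN scan.txt` and feed the file contents to parse_nmap; every host the sweep found that is not in EXPECTED, and every open port that is not sanctioned, comes back as one finding line.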
Step 3 — Windows Enumeration with enum4linux
Enum4linux is a wrapper around several Samba tools (nmblookup, net, rpcclient,
smbclient) that automates the extraction of Windows/Samba information over SMB.
Target: Windows 7 VM at 192.168.1.5
Credentials used: khalif / admin
Enumerate Users
enum4linux -u khalif -p admin -U 192.168.1.5
Users found:
| Account | RID | Description |
|---|---|---|
| Administrator | 0x1f4 | Built-in admin account |
| dummytestwin7 | 0x3e9 | Test account |
| Guest | 0x1f5 | Built-in guest account |
| khalif | 0x3e8 | Local user |
The domain/workgroup resolved to WORKGROUP with a NULL SID — meaning this machine is
not joined to a domain.
Enumerate Password Policy
enum4linux -u khalif -p admin -P 192.168.1.5
Policy extracted:
| Setting | Value |
|---|---|
| Minimum password length | None (0) |
| Password complexity | Disabled |
| Password history length | None |
| Maximum password age | 41 days 23 hours |
| Account lockout duration | 30 minutes |
| Reset lockout counter | 30 minutes |
| Lockout threshold | None |
| Forced logoff time | Not set |
No complexity requirement and no minimum length is a serious misconfiguration — trivially
crackable passwords are allowed by policy.
Enumerate Groups
enum4linux -u khalif -p admin -G 192.168.1.5
Built-in groups found:
- Administrators (RID 0x220) — members: WINDOWS07\Administrator, WINDOWS07\khalif
- Users (RID 0x221) — members: NT AUTHORITY\INTERACTIVE, NT AUTHORITY\Authenticated Users, WINDOWS07\khalif, WINDOWS07\dummytestwin7
- Guests (RID 0x222) — member: WINDOWS07\Guest
- Also present: IIS_IUSRS, Event Log Readers, Performance Log Users, Performance Monitor Users, Distributed COM Users
Notably, khalif sits in both Users and Administrators — a privilege issue worth flagging
in any real assessment.
Enumerate Shares
enum4linux -u khalif -p admin -S 192.168.1.5
Shares found:
| Share | Type | Comment | Access |
|---|---|---|---|
| ADMIN$ | Disk | Remote Admin | DENIED |
| C$ | Disk | Default share | DENIED |
| IPC$ | IPC | Remote IPC | N/A |
All administrative shares were present but mapping was denied — which is the expected behavior
for non-domain environments without explicit share permissions granted.
Step 4 — SNMP Enumeration with snmpwalk
SNMP (Simple Network Management Protocol) is a protocol designed for monitoring and managing
network devices. When misconfigured — specifically when using the default community string
public — it hands over a remarkable amount of system information to anyone who asks.
First, check whether port 161 (SNMP over UDP) is open. A UDP scan needs raw sockets, so run it
with sudo:
sudo nmap -sU -p 161 127.0.0.1
If you want to practice locally, install snmpd on Kali:
sudo apt update
sudo apt install snmpd
sudo service snmpd start
Then walk the MIB tree:
snmpwalk -v 2c -c public 127.0.0.1
What snmpwalk returned (selected highlights):
iso.3.6.1.2.1.1.1.0 = STRING: "Linux kali 6.18.12+kali-amd64 #1 SMP..."
iso.3.6.1.2.1.1.4.0 = STRING: "Me <me@example.org>"
iso.3.6.1.2.1.1.5.0 = STRING: "kali"
iso.3.6.1.2.1.1.6.0 = STRING: "Sitting on the Dock of the Bay"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.25.1.2.0 = Hex-STRING: 07 EA 05 02 16 34 24 00 2D 07 00
iso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=/boot/vmlinuz-6.18.12+kali-amd64 root=/dev/sda1 ro quiet splash"
In a real engagement, SNMP with public or private as community strings can expose running
processes, installed software, network interfaces, routing tables, and more — all without
authentication.
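The raw snmpwalk lines are more useful once the OIDs are named and the encoded values decoded. The Python script below is an added example of mine, not code from the write-up: it parses the output format shown above into named values (sysDescr, sysContact, sysName, sysLocation, sysServices from SNMPv2-MIB; hrSystemDate and hrSystemInitialLoadParameters from HOST-RESOURCES-MIB), decodes the Hex-STRING date using the RFC 2579 DateAndTime layout, expands the sysServices integer into the OSI layers it advertises, and splits the kernel command line into key/value parameters. SAMPLE_WALK reproduces the lines shown above; nothing else is assumed.

```python
"""Parse snmpwalk output into named values and decode the ones that need it.
Added example, not from the write-up. SAMPLE_WALK reproduces the lines shown in
the post; the OID-to-name mapping follows SNMPv2-MIB and HOST-RESOURCES-MIB."""
import re
from datetime import datetime, timedelta, timezone

SAMPLE_WALK = """\
iso.3.6.1.2.1.1.1.0 = STRING: "Linux kali 6.18.12+kali-amd64 #1 SMP..."
iso.3.6.1.2.1.1.4.0 = STRING: "Me <me@example.org>"
iso.3.6.1.2.1.1.5.0 = STRING: "kali"
iso.3.6.1.2.1.1.6.0 = STRING: "Sitting on the Dock of the Bay"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.25.1.2.0 = Hex-STRING: 07 EA 05 02 16 34 24 00 2D 07 00
iso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=/boot/vmlinuz-6.18.12+kali-amd64 root=/dev/sda1 ro quiet splash"
"""

OID_NAMES = {
    "1.3.6.1.2.1.1.1.0": "sysDescr",
    "1.3.6.1.2.1.1.4.0": "sysContact",
    "1.3.6.1.2.1.1.5.0": "sysName",
    "1.3.6.1.2.1.1.6.0": "sysLocation",
    "1.3.6.1.2.1.1.7.0": "sysServices",
    "1.3.6.1.2.1.25.1.2.0": "hrSystemDate",
    "1.3.6.1.2.1.25.1.4.0": "hrSystemInitialLoadParameters",
}
LINE_RE = re.compile(r"^(?P<oid>\S+) = (?P<type>[\w-]+): ?(?P<value>.*)$")
# sysServices is a bit mask: bit (L-1) set means the node offers services at OSI layer L.
SERVICE_LAYERS = {1: "physical", 2: "datalink/subnetwork", 3: "internet",
                  4: "end-to-end", 7: "applications"}


def normalize_oid(oid):
    """snmpwalk prints the root as 'iso.' when no MIBs are loaded; '1.' is the numeric form."""
    return "1." + oid[len("iso."):] if oid.startswith("iso.") else oid


def decode_date_and_time(hex_string):
    """RFC 2579 DateAndTime: year(2 bytes) month day hour min sec deciseconds,
    optionally followed by UTC offset direction ('+'/'-'), hours, minutes."""
    b = bytes.fromhex(hex_string.replace(" ", ""))
    if len(b) not in (8, 11):
        raise ValueError(f"DateAndTime must be 8 or 11 bytes, got {len(b)}")
    year = (b[0] << 8) | b[1]
    dt = datetime(year, b[2], b[3], b[4], b[5], b[6], b[7] * 100000)
    if len(b) == 11:
        sign = -1 if chr(b[8]) == "-" else 1
        dt = dt.replace(tzinfo=timezone(sign * timedelta(hours=b[9], minutes=b[10])))
    return dt


def decode_sys_services(value):
    return [name for layer, name in SERVICE_LAYERS.items() if value & (1 << (layer - 1))]


def parse_boot_params(cmdline):
    """Split a kernel command line into key=value parameters and bare flags."""
    params, flags = {}, []
    for token in cmdline.split():
        if "=" in token:
            key, val = token.split("=", 1)
            params[key] = val
        else:
            flags.append(token)
    return params, flags


def parse_snmpwalk(text):
    """Return {name-or-oid: decoded value} for every line snmpwalk printed."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        oid, typ, raw = normalize_oid(m.group("oid")), m.group("type"), m.group("value").strip()
        if typ == "STRING":
            value = raw.strip('"')
        elif typ == "INTEGER":
            value = int(raw) if raw.lstrip("-").isdigit() else raw   # e.g. "up(1)" stays raw
        else:
            value = raw                                              # Hex-STRING, Timeticks, ...
        result[OID_NAMES.get(oid, oid)] = value
    return result


def summarize(walk):
    """Condense a walk into the fields that matter for an inventory or a finding."""
    params, flags = parse_boot_params(walk.get("hrSystemInitialLoadParameters", ""))
    return {
        "hostname": walk.get("sysName"),
        "kernel": walk.get("sysDescr"),
        "contact": walk.get("sysContact"),
        "location": walk.get("sysLocation"),
        "layers": decode_sys_services(walk["sysServices"]) if isinstance(walk.get("sysServices"), int) else [],
        "system_time": decode_date_and_time(walk["hrSystemDate"]).isoformat() if "hrSystemDate" in walk else None,
        "boot_params": params,
        "boot_flags": flags,
    }


if __name__ == "__main__":
    for key, val in summarize(parse_snmpwalk(SAMPLE_WALK)).items():
        print(f"{key:12} {val}")
```

The decoded date (2026-05-02 22:52:36, UTC-7), the advertised layers (end-to-end and applications, i.e. a host rather than a router) and the root device from the boot line are exactly the details that make an SNMP exposure finding concrete in a report.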
Step 5 — GUI Tools for Windows Enumeration
Advanced IP Scanner
Scanned 192.168.1.1-255. Found 2 alive hosts visible from the Windows VM. Simple, clean
output with hostname, IP, manufacturer, and MAC address columns. Good for quick host discovery
when you want a point-and-click interface.
Hyena
Hyena connected to the local workstation (\\WINDOWS10) and enumerated 5 local user
accounts. The left panel exposes Drives, Local Connections, Users, Local Groups, Printers,
Shares, Services, Events, Registry, and WMI — essentially everything you could pull from the
command line, wrapped in a tree-view GUI. Useful for comprehensive local system auditing.
SuperScan
SuperScan 4.1 scanned 192.168.1.1–254 and found 4 live hosts. Notable result for
192.168.1.3 (Metasploitable2): 78 open UDP ports detected, including 67, 68, 69, 111, 123,
137, 138, 161, 445, 500, 514, 520, 1009, 1024–1028, 2049, 2140, 4500, and many
ephemeral ports. This confirms SNMP (161) and NFS (2049) exposure on the target.
SoftPerfect Network Scanner
SoftPerfect returned all 4 hosts with MAC addresses and automatically resolved hostnames for
two of them: METASPLOITABLE (192.168.1.3) and Windows10 (192.168.1.6). Response times
were near-zero for local hosts. Clean and fast — my preferred tool for a quick visual inventory.
ADExplorer
ADExplorer requires a Domain Controller. Since the test machine was a standalone workgroup
machine, it returned: "The specified domain either does not exist or could not be contacted."
This is expected behavior — ADExplorer is the right tool when you are assessing an environment
with Active Directory, not a workgroup setup.
How to Verify Your Results
| Check | Command / Action |
|---|---|
| Confirm Metasploitable2 IP | ping 192.168.1.3 from Kali |
| Verify open ports | sudo nmap -sSV 192.168.1.3 |
| Confirm SNMP is running | sudo nmap -sU -p 161 <target> |
| Validate enum4linux output | Cross-check users against net user on the Windows target |
| Verify shares exist | smbclient -L //192.168.1.5 -U khalif |
What I Learned
Running these tools back-to-back in sequence — rather than in isolation — made a few things
obvious that are easy to miss when you read about them separately.
Enumeration is cumulative. The ping sweep gives you a host list. The SYN scan turns that
list into a service map. Enum4linux takes one host from that map and extracts users, groups,
and policy. Each step feeds the next.
SNMP is underestimated. A single snmpwalk against a device with a default community
string returns kernel version, hostname, boot parameters, uptime, and interface information
without any authentication. Most people think of it as "network monitoring" — attackers think of
it as a free intelligence feed.
Passive vs. active matters. The SYN scan is stealthy in the sense that it does not complete
the TCP handshake, but it still generates network traffic. On a monitored network, a sweep of
this scale would trigger alerts. Knowing where each tool sits on the visibility spectrum matters
when you are planning an engagement.
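The flip side of the "half-open" point made in Step 2 and again here is that a SYN sweep has a very recognisable shape on the wire: one source touching many ports on a host in a short window, with every one of those connections ending without an ACK from the originator. The following Python detector is an added example of mine, not part of the write-up or any particular sensor. It works over a constructed per-connection log (timestamp, source, destination, port, and the TCP flags the originator sent, in order); real sources such as Zeek conn logs or firewall logs carry the same information in their own formats. The window and port-count thresholds are assumptions to tune per network.

```python
"""Detect half-open (SYN) port sweeps from per-connection summaries.
Added example, not from the write-up. The log format is constructed for this
example; real sensors differ, but the signal is the same: one source opening
many connections that never reach an originator ACK."""
from collections import defaultdict

# Constructed records: unix_ts src dst dport <originator flags in order>
#   "S"   -> SYN sent, nothing else (closed/filtered port, or unanswered)
#   "S R" -> SYN sent, SYN/ACK answered with RST (open port, half-open probe)
#   "S A" -> SYN sent, handshake completed (a normal client)
SAMPLE_CONN_LOG = """\
1700000000.10 192.168.1.4 192.168.1.3 21 S R
1700000000.11 192.168.1.4 192.168.1.3 22 S R
1700000000.12 192.168.1.4 192.168.1.3 23 S R
1700000000.13 192.168.1.4 192.168.1.3 25 S R
1700000000.14 192.168.1.4 192.168.1.3 53 S R
1700000000.15 192.168.1.4 192.168.1.3 80 S R
1700000000.16 192.168.1.4 192.168.1.3 111 S R
1700000000.17 192.168.1.4 192.168.1.3 139 S R
1700000000.18 192.168.1.4 192.168.1.3 443 S
1700000000.19 192.168.1.4 192.168.1.3 445 S R
1700000000.20 192.168.1.4 192.168.1.3 1524 S R
1700000000.21 192.168.1.4 192.168.1.3 3306 S R
1700000003.00 192.168.1.6 192.168.1.3 80 S A
1700000004.50 192.168.1.6 192.168.1.3 443 S
1700000007.00 192.168.1.6 192.168.1.3 80 S A
"""


def parse_conn_log(text):
    """Return a list of (ts, src, dst, dport, flags) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, *flags = line.split()
        records.append((float(ts), src, dst, int(dport), flags))
    return records


def detect_syn_sweeps(records, window=5.0, min_ports=10):
    """Return {src: sorted (dst, dport) list} for every source that probed at least
    min_ports distinct dst:port pairs within `window` seconds without completing
    a handshake. A completed handshake (originator ACK) is never counted as a probe."""
    half_open = defaultdict(list)                 # src -> [(ts, dst, dport)]
    for ts, src, dst, dport, flags in sorted(records, key=lambda r: r[0]):
        if "A" in flags:
            continue                              # real connection, not a probe
        half_open[src].append((ts, dst, dport))

    alerts = {}
    for src, probes in half_open.items():
        lo = 0                                    # sliding window over time-ordered probes
        for hi in range(len(probes)):
            while probes[hi][0] - probes[lo][0] > window:
                lo += 1
            targets = {(d, p) for _, d, p in probes[lo:hi + 1]}
            if len(targets) >= min_ports:
                # once triggered, report every half-open target this source touched
                alerts[src] = sorted({(d, p) for _, d, p in probes})
                break
    return alerts


def probe_profile(records, src):
    """Count how the source's probes ended: 'S R' means an open port answered
    and was reset (the SYN-scan signature), 'S' alone means no SYN/ACK came back."""
    profile = defaultdict(int)
    for _, s, _, _, flags in records:
        if s == src and "A" not in flags:
            profile[" ".join(flags)] += 1
    return dict(profile)


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    for src, targets in detect_syn_sweeps(recs).items():
        print(f"SYN sweep from {src}: {len(targets)} ports, profile {probe_profile(recs, src)}")
```

On the constructed log the scanner at 192.168.1.4 trips the threshold (12 distinct ports inside a quarter of a second, 11 of them answered and reset), while 192.168.1.6, which made two real connections and one failed one, does not. A single failed connection is normal; dozens of them in a second from one source, none completing, is the sweep.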
Tool redundancy has value. SuperScan, SoftPerfect, and Advanced IP Scanner all found live
hosts — but they presented different detail levels. Having multiple tools confirm the same finding
increases confidence. And occasionally one will catch something another missed.
Common Mistakes
| Mistake | What Actually Happens | Fix |
|---|---|---|
| Running nmap without sudo | Without root, nmap cannot send raw SYN packets: an explicit -sS aborts, and with no scan type given it falls back to a full TCP connect scan, which is more detectable | Always use sudo for -sS |
| Wrong CIDR on ping sweep | Misses hosts or scans outside your network | Double-check with ip addr before scanning |
| Assuming the default public community string | Some targets use private or custom strings | Try snmpwalk with multiple community strings |
| Forgetting that enum4linux flags are case-sensitive | May return no results or auth errors | Use the flags exactly as documented: -u/-p take the credentials, -U/-P/-G/-S select what to enumerate |
| Expecting ADExplorer to work on workgroup machines | It requires a Domain Controller | Only use ADExplorer in AD environments |
| Treating open shares as accessible | ADMIN$ and C$ showed up but mapping was denied | Enumeration ≠ access — verify with explicit mount attempts |
Conclusion
Enumeration is not a single tool or a single command — it is a phase. You layer your findings:
network topology from the ping sweep, service exposure from the SYN scan, identity data from
enum4linux, system internals from SNMP, and a visual confirmation from GUI tools. By the end
of this exercise, I had a full picture of every host on the network, the OS details of the Linux
target, the user accounts and password policy of the Windows target, and the SNMP tree of a
local system.
The real skill is knowing which tool to reach for at each stage — and knowing what to do with
the output once you have it.