Enumeration
Lab Manual
Hacking with
THE DOCUMENT INCLUDES ADDITIONAL
PRACTICALS WHICH MAY OR MAY NOT BE COVERED
IN THE COURSE
INDEX
S. No. Practical Name
1 NetBIOS Enumeration
2 Enumerating Linux operating system with enum4linux tool
3 Nmap enumeration commands
4 DNS Enumeration
5 DNS Enumeration with dnsrecon
6 DNS dictionary attack
7 DNS enumeration with fierce
8 Creating wordlist using CUPP (Common User Password Profiler)
9 Creating wordlist using crunch
10 Cracking Login Credentials using Hydra tool
Practical 1: NetBIOS Enumeration
In Windows, execute the following command.
nbtstat -A <target IP>
This command will display the connected device's NetBIOS names.
The following command is used to display cached NetBIOS information.
nbtstat -c
In Kali Linux, open a terminal and execute the command below.
nbtscan <network range>
Practical 2: Enumerating Linux operating system with enum4linux tool
Enum4linux is used to enumerate Linux machines. This tool works only in a LAN environment. It is
used to extract a number of user accounts, user names, the length of the password and the last time
the password was changed. Let us consider Metasploitable OS (Linux) as a target and perform
enumeration.
This command is used to grab the user list of the targeted machine.
We can use the -S option to extract file sharing details from the target system.
The -P option of enum4linux helps in identifying the target system's password length (password policy
information).
Practical 3: Nmap enumeration commands
In the terminal, execute locate '*.nse'
The above command lists Nmap scripts that can be used to perform enumeration.
SMB enumeration with Nmap script
Shares enumeration with Nmap script
OS enumeration with Nmap script
Enumerating algorithms with Nmap script
Practical 4: DNS Enumeration
Execute the following command to perform DNS enumeration on the given domain.
dnsenum example.com
Practical 5: DNS Enumeration with dnsrecon
Execute the following command to extract the VoIP server's information.
dnsrecon -t srv -d example.com
The -t option specifies the type of attack and -d specifies the domain name. The srv type is used to
identify services running on the target DNS server, and the axfr type can identify zone transfer
details of a given domain.
Practical 6: DNS dictionary attack
atk6-dnsdict6 is used to extract sub-domains along with IP address details.
Practical 7: DNS enumeration with fierce
The fierce tool works similarly to the dnsdict6 tool and contains 2280 keywords to perform a
brute-force attack on the target and confirm sub-domains.
Execute the following command:
fierce -dns juggyboy.com
Practical 8: Creating wordlist using CUPP (Common User Password Profiler)
To install cupp on Kali Linux, execute the following command
The above cupp.py command with option -i starts an interactive session for creating a wordlist
based on information provided.
After creating the wordlist, we can find the wordlist file in the cupp directory.
Practical 9: Creating wordlist using crunch
crunch is a popular tool for creating a wordlist based on given words, letters, numbers
and special characters.
In the following command, the first 4 represents the minimum length of the word and the second 4
represents the maximum length of the word.
Note: Make sure to verify the number of lines and file size before crunch starts creating a
wordlist.
Practical 10: Cracking Login Credentials using Hydra tool
After performing port scanning using nmap, we have identified that the target is running an FTP
service.
Execute the following command that starts hydra and performs a brute-force attack using
username and password files on the target.
hydra -s 21 -v -L /root/Desktop/users.txt -P /root/Desktop/pass.txt -t 60 192.168.0.103 ftp
On a successful match of the login id and password for a particular service, it displays a
confirmation message as shown below.
To run a graphical version of Hydra, follow the steps shown in the images below.
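Seen from the FTP server, the Hydra command-line run in this practical leaves a recognizable trail in the login log: a burst of failed logins from one client across several user names, sometimes ending in a success. The following added example (not part of the original manual) detects that pattern. The vsftpd log format, the log lines and the client addresses are constructed assumptions, since the manual does not name the FTP server.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in vsftpd.log format (assumed; the manual does not name the FTP server).
# 192.168.0.50 stands in for the brute-forcing client, 192.168.0.20 for a normal user.
SAMPLE_LOG = """\
Mon Jan  6 10:15:01 2025 [pid 2100] CONNECT: Client "192.168.0.50"
Mon Jan  6 10:15:02 2025 [pid 2101] [root] FAIL LOGIN: Client "192.168.0.50"
Mon Jan  6 10:15:02 2025 [pid 2103] [admin] FAIL LOGIN: Client "192.168.0.50"
Mon Jan  6 10:15:03 2025 [pid 2105] [svc] FAIL LOGIN: Client "192.168.0.50"
Mon Jan  6 10:15:03 2025 [pid 2107] [root] FAIL LOGIN: Client "192.168.0.50"
Mon Jan  6 10:15:04 2025 [pid 2109] [admin] FAIL LOGIN: Client "192.168.0.50"
Mon Jan  6 10:15:20 2025 [pid 2090] [alice] FAIL LOGIN: Client "192.168.0.20"
Mon Jan  6 10:15:31 2025 [pid 2092] [alice] OK LOGIN: Client "192.168.0.20"
Mon Jan  6 10:15:40 2025 [pid 2111] [svc] OK LOGIN: Client "192.168.0.50"
"""

LINE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag clients with >= threshold failed logins inside the sliding window and
    list any login that later succeeds from a flagged client."""
    recent = defaultdict(deque)   # ip -> (timestamp, user) failures still in window
    alerts = {}                   # ip -> details of the detected burst
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue              # CONNECT lines and anything else without a login result
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        ip, user = m["ip"], m["user"]
        if m["result"] == "FAIL":
            q = recent[ip]
            q.append((ts, user))
            while ts - q[0][0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"users_tried": set(), "compromised": []})
                a["users_tried"].update(u for _, u in q)
        elif ip in alerts:        # success after a burst: treat the account as guessed
            alerts[ip]["compromised"].append((user, ts))
    return alerts

if __name__ == "__main__":
    for ip, a in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, sorted(a["users_tried"]), a["compromised"])
```

An entry under compromised is the event to act on first: reset that account's password and review what the session did.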