Practical Plan


This is a practical, hands-on plan for Comprehensive Network Scanning and Comprehensive Enumeration in Hours 3 and 4. Below is a structured approach to both sessions, covering key tools, commands, and techniques for effective scanning and enumeration:

Hour 3: Practical on Comprehensive Network Scan

The goal of this session is to understand how to conduct a comprehensive network scan to
gather valuable information about the target network infrastructure, such as open ports, services,
OS details, and vulnerabilities.

Tools Required:

- Nmap: For network scanning and service enumeration.
- Masscan: For quick, large-scale network scans.
- Netcat: For banner grabbing and testing open ports.
- Nessus/OpenVAS: For vulnerability scanning.

1. Initial Network Discovery with Nmap

1. Perform a basic port scan to discover open ports:

nmap -p- <target-ip>

This command scans all ports (1-65535) on the target IP.

2. Service Version Detection: Once open ports are discovered, perform service version
detection to gather details about services running on those ports:

nmap -sV <target-ip>

3. OS Fingerprinting: Try to identify the operating system of the target system using:

nmap -O <target-ip>

4. Service and Application Enumeration: Use Nmap's scripts to enumerate services in
detail. For example, scanning for web application vulnerabilities:

nmap --script "http-vuln*" -p 80,443 <target-ip>

(Quote the script pattern so the shell does not expand the wildcard before Nmap sees it.)

5. Vulnerability Scanning: Use Nmap’s scripting engine to check for vulnerabilities:

nmap --script vuln <target-ip>
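
As an added example (not part of the original handout), the following Python script turns Nmap's grepable output into a per-host inventory of open ports and service versions, which is the raw material for the findings you document at the end of the session. It assumes a scan saved with nmap -sV -oG scan.gnmap <target-ip> (the file name is the example's own choice); the scan text embedded in the script is constructed to mimic the -oG format and does not come from a real host.

```python
"""Parse Nmap grepable (-oG) output into a per-host inventory of open ports.

Added example for this practical, not part of the original handout. The scan
text below is constructed to mimic the -oG format (no real host was scanned).
For a real run: nmap -sV -oG scan.gnmap <target-ip>, then pass the file's
contents to parse_gnmap().
"""
import re
from collections import defaultdict

# Constructed sample output in Nmap's grepable format: two hosts up, one down.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV -oG scan.gnmap 192.0.2.0/29\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.4.52 ((Ubuntu))/, 443/closed/tcp//https///\tIgnored State: closed (997)\n"
    "Host: 192.0.2.11 ()\tStatus: Up\n"
    "Host: 192.0.2.11 ()\tPorts: 445/open/tcp//microsoft-ds//Windows Server 2019 microsoft-ds/, "
    "3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: filtered (998)\n"
    "Host: 192.0.2.12 ()\tStatus: Down\n"
    "# Nmap done at Mon Jan  1 10:05:00 2024 -- 8 IP addresses (2 hosts up) scanned in 300.00 seconds\n"
)

# Field order inside one "port/state/proto/owner/service/rpcinfo/version/" entry.
PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpcinfo", "version")
HOST_RE = re.compile(r"^Host: (\S+) \((.*)\)$")


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "status": str|None, "ports": [dict, ...]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                        # comment or summary line
        fields = line.split("\t")           # -oG separates sections with tabs
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"hostname": hostname, "status": None, "ports": []})
        for field in fields[1:]:
            if field.startswith("Status: "):
                entry["status"] = field[len("Status: "):].strip()
            elif field.startswith("Ports: "):
                for item in field[len("Ports: "):].split(", "):
                    parts = item.strip().split("/")
                    if len(parts) < len(PORT_FIELDS):
                        continue            # malformed entry; skip rather than crash
                    rec = dict(zip(PORT_FIELDS, parts))
                    rec["port"] = int(rec["port"])
                    # Nmap writes "/" inside version strings as "|"; restore it.
                    rec["version"] = rec["version"].replace("|", "/")
                    entry["ports"].append(rec)
    return hosts


def open_services(hosts):
    """Flatten to sorted (ip, port, proto, service, version) rows for open ports only."""
    rows = []
    for ip, entry in hosts.items():
        for p in entry["ports"]:
            if p["state"] == "open":
                rows.append((ip, p["port"], p["proto"], p["service"], p["version"]))
    return sorted(rows, key=lambda r: (r[0], r[1]))


def services_by_name(hosts):
    """Group open ports by service name, e.g. to list every SMB host for Hour 4."""
    index = defaultdict(list)
    for ip, port, _proto, service, _version in open_services(hosts):
        index[service].append((ip, port))
    return dict(index)


if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_GNMAP)
    for ip, port, proto, service, version in open_services(inventory):
        print(f"{ip:<15} {port:>5}/{proto:<4} {service:<14} {version}")
    down = [ip for ip, e in inventory.items() if e["status"] == "Down"]
    print("hosts down:", ", ".join(down) or "none")
```

Grepable output separates port entries with a comma and space and is not robust against version strings that themselves contain that sequence; for anything beyond a classroom exercise, parse the XML output (-oX) instead.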


2. Fast Network Discovery with Masscan

- Masscan is a high-speed scanner that can scan large networks much faster than Nmap.
For example, scanning a subnet for HTTP servers:

masscan <target-network> -p80 --rate=10000

(The --rate flag controls the speed of the scan.)

3. Banner Grabbing with Netcat

- Netcat can be used to manually grab banners from services to get additional information:

nc <target-ip> 80

(This connects to port 80 and will often return a banner from web servers.)

4. Vulnerability Scanning with Nessus or OpenVAS

1. Using Nessus: Nessus is a robust vulnerability scanner. Launch the web interface
(usually on port 8834) and configure a scan for the target. Choose from predefined scan
templates like "Basic Network Scan" or create a custom scan.
2. Using OpenVAS: OpenVAS is an open-source vulnerability scanner. Similar to Nessus,
configure a scan using its web interface to check for vulnerabilities on the target.

Hour 4: Practical on Comprehensive Enumeration

The goal of this session is to conduct comprehensive enumeration, focusing on gathering
information about users, services, shares, and vulnerabilities within a network.

Tools Required:

- Enum4Linux: For SMB enumeration.
- Nmap: For service-specific enumeration.
- LDAPSearch: For LDAP enumeration.
- Netcat: For banner grabbing and testing services.
- Hydra: For brute-forcing login credentials.

1. SMB Enumeration with Enum4Linux

1. Enumerate shares on an SMB-enabled target:

enum4linux -S <target-ip>

This command retrieves information about available shares on the target.

2. Enumerate users on an SMB service:

enum4linux -U <target-ip>

This lists the users within the SMB service (Windows file sharing).

3. Retrieve additional information like groups and operating system details:

enum4linux -a <target-ip>

2. LDAP Enumeration with ldapsearch

1. Search for users and other objects in an LDAP directory:

ldapsearch -x -h <target-ip> -b "dc=example,dc=com" "(objectclass=person)"

This command returns a list of people in the directory. (Recent OpenLDAP clients
deprecate -h in favour of a URI: -H ldap://<target-ip>.)

2. Get a list of LDAP groups:

ldapsearch -x -h <target-ip> -b "dc=example,dc=com" "(objectclass=group)"

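ldapsearch prints its results in LDIF, which folds long values onto continuation lines that begin with a single space and encodes non-printable or non-ASCII values as base64 after a double colon. The following Python script is an added example, not part of the original handout: it parses a constructed LDIF response to the (objectclass=group) query above, handling both of those cases, and maps each group to its member DNs. The directory contents are invented sample data under dc=example,dc=com.

```python
"""Parse LDIF as printed by ldapsearch and map LDAP groups to their members.

Added example, not part of the original handout. SAMPLE_LDIF is an invented
response to the (objectclass=group) query against dc=example,dc=com; it
includes a folded continuation line and a base64 (::) value, both of which
ldapsearch emits in practice.
"""
import base64
import re

SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=group)
# requesting: ALL
#

# Domain Admins, Groups, example.com
dn: cn=Domain Admins,cn=Groups,dc=example,dc=com
objectClass: group
cn: Domain Admins
description:: RG9tYWluIGFkbWluaXN0cmF0b3JzIChjb25zdHJ1Y3RlZCBzYW1wbGUp
member: cn=alice,cn=Users,dc=example,dc=com
member: cn=svc-backup,cn=Users,dc=example,dc
 =com

# Web Admins, Groups, example.com
dn: cn=Web Admins,cn=Groups,dc=example,dc=com
objectClass: group
cn: Web Admins
member: cn=bob,cn=Users,dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
"""

# attribute name, ":" or "::" (base64), optional space, value
ATTR_RE = re.compile(r"^(?P<name>[A-Za-z][\w.;-]*)(?P<sep>::?) ?(?P<value>.*)$")


def unfold(text):
    """Join LDIF continuation lines (those starting with a single space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries; each is {attribute_lowercase: [values]}.
    Blocks without a dn (ldapsearch's trailing "search:/result:" block) are dropped."""
    entries, current = [], {}
    for line in unfold(text) + [""]:        # trailing "" flushes the last block
        if line == "":
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue                        # comment
        m = ATTR_RE.match(line)
        if not m:
            continue                        # not LDIF; ignore
        value = m["value"]
        if m["sep"] == "::":
            value = base64.b64decode(value).decode("utf-8", errors="replace")
        current.setdefault(m["name"].lower(), []).append(value)
    return entries


def group_members(entries):
    """Map each group entry's cn to its list of member DNs (empty if none)."""
    groups = {}
    for e in entries:
        if "group" in [v.lower() for v in e.get("objectclass", [])]:
            groups[e["cn"][0]] = e.get("member", [])
    return groups


if __name__ == "__main__":
    for name, members in group_members(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{name}: {len(members)} member(s)")
        for dn in members:
            print(f"  {dn}")
```

Attribute names are case-insensitive in LDAP, so the parser lowercases them; without that, objectClass and objectclass would be treated as different attributes depending on which server produced the output.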
3. DNS Enumeration with Nmap

1. Perform DNS enumeration using Nmap:

nmap --script dns-brute -p 53 <target-ip>

This runs a brute force subdomain enumeration script against the target DNS server.

2. Perform DNS zone transfer (if misconfigured):

nmap --script=dns-zone-transfer -p 53 <target-ip>

This checks whether the DNS server will allow zone transfers, which could expose
valuable domain information.

4. SMTP Enumeration

1. Check the SMTP server for user enumeration via VRFY (open-relay testing is a separate check):

smtp-user-enum -M VRFY -U userlist.txt -t <target-ip>

This attempts to verify users by sending VRFY commands to the SMTP server.

5. Active Directory Enumeration

1. BloodHound: Use BloodHound to identify attack paths within Active Directory
environments.
   - Run the BloodHound tool to collect data about users, groups, and permissions.
2. PowerView: PowerView is a PowerShell tool for enumerating Active Directory
environments.
   - For example, use PowerView to find domain admins:

Get-NetGroup -GroupName "Domain Admins"

6. Linux Enumeration

1. LinEnum: Use LinEnum for Linux-based systems to collect system information.
   - Run LinEnum with the following:

wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh

2. Manual Enumeration: Look for user accounts, groups, and running processes. Useful
commands include:
   - cat /etc/passwd (view users)
   - ps aux (view running processes)
   - find / -name '*.bak' (look for backup files)

7. Windows Enumeration

1. Net user: In Windows environments, the net user command can reveal user accounts.

net user

2. PowerShell: Use PowerShell to enumerate user accounts or groups:

Get-LocalUser
Get-LocalGroup

8. Best Practices for Enumeration

- Use Multiple Tools: Different tools may provide different perspectives on the same
target.
- Stay Stealthy: Perform enumeration in a non-intrusive way to avoid detection by
IDS/IPS systems.
- Minimize Impact: Ensure that your enumeration activities do not disrupt services or
cause performance degradation.
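
The "Stay Stealthy" point is easier to appreciate from the defender's side. The following Python script is an added example (not part of the original handout): it parses constructed iptables-style syslog lines and flags a source that touches many distinct ports on one host within a time window (a vertical scan, the pattern left by the nmap -p- step) or one port across many hosts (a horizontal sweep, the pattern left by the masscan step). The thresholds, the window lengths and the log format are illustrative assumptions. The same slow scanner is invisible with a 60-second window and caught with a one-hour window, which is exactly the trade-off an IDS rule tunes.

```python
"""Flag port-scan behaviour in firewall logs: vertical scans and horizontal sweeps.

Added example written from the defender's side; not part of the original
handout. The log lines are constructed in iptables/syslog style and the
thresholds and window lengths are illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_YEAR = 2024  # syslog timestamps carry no year; assumed for the sample


def _line(ts, src, dst, dport, sport=40000):
    """Build one constructed iptables-style log line."""
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    return (f"{stamp} fw kernel: DROP IN=eth0 OUT= SRC={src} DST={dst} "
            f"LEN=60 TTL=54 PROTO=TCP SPT={sport} DPT={dport} SYN")


def build_sample_log():
    """Constructed traffic: a fast scan, a slow scan, a sweep and a benign client."""
    t0 = datetime(LOG_YEAR, 1, 1, 10, 0, 0)
    lines = []
    # Fast vertical scan: ten ports on one host within ten seconds.
    for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389]):
        lines.append(_line(t0 + timedelta(seconds=i), "198.51.100.7", "192.0.2.10", p))
    # Slow vertical scan: eight ports, one probe every five minutes.
    for i, p in enumerate([21, 22, 25, 80, 443, 445, 3389, 8080]):
        lines.append(_line(t0 + timedelta(seconds=30 + 300 * i), "198.51.100.9", "192.0.2.10", p))
    # Horizontal sweep: port 80 across five consecutive hosts.
    for i in range(5):
        lines.append(_line(t0 + timedelta(seconds=120 + i), "198.51.100.8", f"192.0.2.{10 + i}", 80))
    # Benign client: a few HTTPS connections to two hosts.
    for minute, dst in [(1, "192.0.2.10"), (5, "192.0.2.10"), (20, "192.0.2.10"), (21, "192.0.2.11")]:
        lines.append(_line(t0 + timedelta(minutes=minute), "203.0.113.5", dst, 443))
    return lines


SAMPLE_LOG = build_sample_log()

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: "
    r".*SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*PROTO=TCP .*DPT=(?P<dport>\d+)")


def parse_line(line):
    """Extract timestamp, source, destination and destination port; None if no match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {LOG_YEAR}",
                           "%b %d %H:%M:%S %Y")
    return {"ts": ts, "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def detect_scans(lines, window, port_threshold=8, host_threshold=5):
    """Return sources that, within `window` seconds, hit >= port_threshold distinct
    ports on one host (vertical) or >= host_threshold hosts on one port (horizontal)."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    vertical, horizontal = set(), set()
    for src, evs in by_src.items():
        for i, start in enumerate(evs):     # slide a window starting at each event
            ports_per_host = defaultdict(set)
            hosts_per_port = defaultdict(set)
            for e in evs[i:]:
                if (e["ts"] - start["ts"]).total_seconds() > window:
                    break
                ports_per_host[e["dst"]].add(e["dport"])
                hosts_per_port[e["dport"]].add(e["dst"])
            for dst, ports in ports_per_host.items():
                if len(ports) >= port_threshold:
                    vertical.add((src, dst))
            for dport, hosts in hosts_per_port.items():
                if len(hosts) >= host_threshold:
                    horizontal.add((src, dport))
    return {"vertical": sorted(vertical), "horizontal": sorted(horizontal)}


if __name__ == "__main__":
    for window in (60, 3600):
        result = detect_scans(SAMPLE_LOG, window)
        print(f"window={window}s vertical={result['vertical']} horizontal={result['horizontal']}")
```

Running the script with both window lengths shows the fast scanner and the sweep flagged in both, while the five-minute-interval scanner only appears with the one-hour window; a rate-limited scan is what "non-intrusive" means in practice, and longer aggregation windows are the defender's answer to it.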

9. Ethics and Legal Considerations

- Always ensure you have explicit permission to perform enumeration on the target
network.
- Document your findings thoroughly and responsibly.
- Report any sensitive or confidential information appropriately, following legal and
organizational protocols.

Practical Takeaway:

By the end of Hours 3 and 4, you should have:

1. Conducted comprehensive network scans to identify services, operating systems, and
vulnerabilities.
2. Performed detailed enumeration of key services (SMB, LDAP, DNS, SMTP, etc.) to
gather user, share, and service information.
3. Applied best practices for enumeration, ensuring efficiency and stealth.
4. Understood the ethical and legal considerations involved in performing network
enumeration.
