Enumeration tools
This is a selection of enumeration tools you may wish to install on your MIS Lab machine in order to do the course assignments. You should be very careful in using these tools outside of the Lab. Network administrators do not take the probing of their networks lightly and may respond aggressively to your attempts to gain information about them with some of these tools. Please note that I am emphasizing Windows NT/2K/XP tools, but we will see Linux/UNIX tools later.
NBTscan
Start by downloading NBTscan from this Web site. Create a directory to extract NBTscan, e.g. security\nbtscan, and extract the files as shown in this example. This tool is used at the command prompt. The uses of NBTscan are shown here.
DumpSec
Download DumpSec from its Web site. Create a directory security\dumpsec. Extract the file and install it in the directory security\dumpsec. DumpSec is a graphical tool which allows you to dump the permissions (DACLs) and audit settings (SACLs) for the file system, registry, printers and shares in a concise, readable listbox format, so that holes in system security are readily apparent. DumpSec also dumps user, group and replication information. Click on the Report tab, choose Select Computer (enter the IP address) and select the items you want in the report. You receive an output as in this example.
Legion
Download Legion from its archive location and install it in security\legion. Legion lets you scan IP ranges or lists for shares, as shown in class. Once you obtain the IP block of the target organization, you use Legion to look for shared resources: files, directories, printers, etc.
Nat
Download Nat from its ftp location. Create a directory to extract Nat, e.g. security\nat, and extract the files in this directory. This tool is used at the command prompt, as shown in class. More detail on its use is available here.
SMBScanner
Download SMBScanner from this Web site. Create a directory to extract SMBScanner, e.g. security\SMBScanner, and extract the files in this directory. SMBScanner allows you to check for Microsoft SMB (SAMBA) shares in a range of IP addresses. It is a graphical tool and has on-line help.
NBTDump
Download NBTDump from this Web site. Create a directory for NBTDump, e.g. security\nbtdump, and save the file in this directory (it is uncompressed). NBTDump lists NetBIOS information from Windows NT, Windows 2K, XP and Linux/UNIX Samba servers, such as shares, user accounts with comments, etc., and the password policy, as shown in this example.
Enum
Download Enum from its Web site. Create a directory to extract Enum, e.g. security\enum, and extract the files in this directory. When downloading, rename the file from enum.tar.gz (a valid name in UNIX but not in Windows) to enumtar.gz and uncompress it. You are not done yet: you will have a file enumtar, which you should rename to enum.tar and uncompress a second time, at which point enum.exe and other files will be created. Enum is a console-based Win32 information enumeration utility. Using null sessions, enum can retrieve userlists, machine lists, sharelists, namelists, group and member lists, and password and LSA policy information. Enum is also capable of a rudimentary brute force dictionary attack on individual accounts. This tool is used at the command prompt, and more detail on its use is shown here. Note: your anti-virus may block its download. If that is the case, pause the anti-virus, download and install it, then resume the anti-virus software.
Netcat
Download Netcat from its Web site. Create a directory to extract Netcat, e.g. security\netcat, and extract the files in this directory. In the simplest usage, "nc host port" creates a TCP connection to the given port on the given target host. Your standard input is then sent to the host, and anything that comes back across the connection is sent to your standard output. This tool is used at the command prompt, and you can see a tutorial and more details here.
This page is maintained by Al Bento, who can be reached at abento@ubalt.edu. This page was last updated on September 12, 2007. Although we will attempt to keep this information accurate, we cannot guarantee the accuracy of the information provided.