Posted on

NTP enumeration for beginners

Hello, aspiring Ethical Hackers. In our previous blogpost, you learnt what is enumeration, why it is important in pen testing and what are the various types of enumeration. In this blogpost, you will learn about NTP enumeration.

What is NTP?

NTP stands for Network Time Protocol. Network Time protocol is used to synchronize clocks of networked computers. In simple words, NTP is used to maintain same time on all the computers of the same network. NTP runs on UDP port 123.

What information does NTP enumeration reveal?

NTP enumeration can reveal valuable information such as list of hosts connected to the NTP server, their IP addresses, system names, target server’s operating system etc.

How to perform NTP enumeration?

There are many tools to perform enumerate NTP but for this article, let’s see how to perform it using Nmap scripting engine. Yes, Nmap has specific scripts to enumerate NTP. One such script is “ntp-info.nse”. The “ntp-info.nse” script reveals time and configuration variables from the NTP server. Let’s see how to use it.

As you can see, the above script gives us information not only about the target server’s operating system but also the version of the kernel running etc. Another script “ntp-monlist.nse” can be used to retrieve NTP server’s monitor data.

Posted on

DNS enumeration for beginners

Hello, aspiring Ethical Hackers. In this blogpost, you will learn about DNS enumeration. In our previous blogpost, you learnt what is enumeration and why is it performed, what are its uses and types of enumeration.

What is DNS enumeration?

DNS enumeration is the process of locating the DNS server and viewing its records. By performing this enumeration, an attacker can collect valuable information about the network such as DNS server names, hostnames, machine names, user names, IP addresses etc. You can learn more about the importance of DNS server in DNS Footprinting.

How to perform DNS enumeration?

There are a number of tools that can be used to perform this enumeration. Let’s see some of them.

1. Linux host command

The host command in Linux can be used to perform DNS lookup of a domain. It can be used to retrieve IP address information from domain name and vice versa. See the image below.

We can also query for specific types of records from the DNS server using ‘host’ command. Here are the various records of a DNS server.

Let’s query for mail servers and name servers as shown below.

2. dig

The dig (Domain Information Groups) command is tool for interrogating DNS servers. Just like host command, Dig can be used to perform DNS lookups and query DNS servers. For example, if we want to query for the name servers of a particular domain, we can do this as shown below.

Similarly, we can also query for mail servers and name servers as shown below.

Posted on

Enumeration guide for beginners

Hello, aspiring Ethical Hackers. This blogpost is an enumeration guide for beginners. The phase of enumeration actually comes after the port scanning stage in Ethical Hacking.

What is Enumeration?

In Enumeration, an attacker or a Pen Tester performs calculated queries to gather more detailed information about the target. Usually, enumeration is performed on the services running on the target (open ports) with the purpose of gaining access to the target system.

What information does enumeration reveal?

Enumeration can reveal valuable information like Network shares, usernames and passwords, version of the application running, users and groups, machine names, service settings and other network resources.

Which services can be enumerated?

Although all services running on the target system can be enumerated upon, there are some specific services which are regularly enumerated to retrieve useful information. They are,  

  1. DNS (Port 53)
  2. Microsoft RPC (Port 153)
  3. NetBIOS Name Service (NBNS) (Port 137)
  4. NetBIOS Session Service (SMB over NetBIOS)
  5. SMB Over TCP (Port 445)
  6. Network Time Protocol (NTP) (Port 123)
  7. Simple Network Management Protocol (SNMP) (Port 161)
  8. Lightweight Directory Access Protocol (LDAP) (Port 389)
  9. Simple Mail Transfer Protocol (SMTP) (Port 25)

Let’s learn about each of these services in detail.


Simple Mail Transfer Protocol (SMTP) is a TCP/IP protocol that is used to send email. It is mostly used by email clients but most of the organizations have their own Email Servers to send mail. Enumerating SMTP Service can reveal the list of valid users on the SMTP Servers. Learn how to perform SMTP enumeration.

2. DNS

The function of Domain Name Service (DNS) is explained in our article DNS Footprinting. Enumerating DNS servers can reveal network information like host names, other DNS server names, machine names, IP addresses, potential targets and in some cases usernames too. Learn how to perform DNS enumeration.

3. NetBIOS

NetBIOS service allows programs and computers on a local area network to communicate with each other. These include services like files, printers and device shares. Enumerating NetBIOS can reveal information like list of computers in a specific domain, lists of shares, policies and Passwords etc. Learn how to perform NetBIOS enumeration.

4. SMB

Just like NetBIOS, Server Message Block (SMB) is a protocol that allows applications and computers in a local network talk to each other. The only difference between them is that NetBIOS is an API whereas SMB is a protocol. Starting from Windows 2000, SMB which earlier ran on top of NetBIOS was made to operate on top of TCP and it got a dedicated port 445.

It also enables network services like file, printer and device sharing. Enumerating SMB service can reveal information like host names, lists shares, checking for null session, users, operating system details, password policies, info groups and printers connected etc. Learn how to perform SMB enumeration.

5. NTP

Network Time Protocol (NTP) is a protocol designed to synchronize clocks of all computers on the same network. Enumerating NTP can reveal information about hosts connected to the NTP server and IP addresses of the machines in the network etc. Learn how to perform NTP enumeration.


Simple Network Management Protocol (SNMP) is a protocol that is used to monitor and manage computer systems in the same network. Enumerating SNMP can reveal information about network resources like hosts, routes, shares, ARP tables, routing tables, etc. Learn how to perform SNMP enumeration.


Lightweight Directory Access Protocol (LDAP) is an internet protocol that is used to access information from directories like Active Directory. Enumerating LDAP can reveal information such as valid usernames, addresses and other details. Learn how to perform LDAP enumeration.

Posted on

OS Fingerprinting for beginners

Hello, aspiring Ethical Hackers. In this blogpost you will learn about OS Fingerprinting. Before you learn about OS fingerprinting, you should know what exactly is Fingerprinting. Fingerprinting is a form of biometrics that identifies a person with their fingerprint. Why Fingerprint? Because GOD has created humans in such a way that two people (no matter how much population rises) have same fingerprints.

What is OS Fingerprinting?

Just like every human has his own fingerprint, operating systems too have a unique fingerprint. Windows systems have a unique fingerprint whereas Linux systems have their unique fingerprint. The process of determining this fingerprint to determine the operating system of the target is known as Operating System fingerprinting.

What is this required?

If a hacker or pen tester can find out the operating system of the target system, he/she can know which vulnerabilities to exploit or which payloads to design to gain access to the target system (For example, Windows need EXE payloads whereas Linux systems require .sh payloads.

Types of OS Fingerprinting

os fingerprinting

Active OS Fingerprinting

In Active OS Fingerprinting, specially crafted packets are sent to the target system and its responses are analyzed to determine the operating system of target computers. This interaction can be as simple as a ping or a scanner like Nmap. Using ping, we can detect a target operating system by observing the Time To Live (TTL) values as shown below.

Time To Live (TTL) is the amount of time or “hops” that a packet is set to exist inside a network before discarded by a router. In simple words, it is the period of time that a packet or data should exist on a network before being discarded. This value differs from operating system to operating system. Here are the default TTL values of some operating systems. You can know about the default TTL values of more operating systems here.

Another way to perform Active Foot printing is by sending specially crafted packets to the target system. Among all Ethical Hackers use Nmap for OS fingerprinting.

Passive OS Fingerprinting

Although Active Fingerprinting is very effective and accurate at determining the target’s operating system, it is very noisy and can be easily spotted by Cyber security teams. Passive fingerprinting is a more effective way of detecting target system’s OS. Moreover, there is no chance of Firewalls blocking this type of fingerprinting. How is it possible?

In passive OS fingerprinting, a sample of packets coming from the target we are interested in are analyzed. For this purpose, we use a Packet Capture API. It relies on guessing the target OS by observing their TCP/IP implementation. Apart from TTL, this type of fingerprinting will observe window size, Don’t Fragment (DF) bit and Type Of Service (TOS).

Posted on

Port scanning techniques for beginners

Hello aspiring Ethical Hackers. In our previous blogpost you learnt what is a port? what is port scanning etc. In this blogpost, you will learn about different port scanning techniques that are be used to determine if a port is open or not. Ethical Hackers and Penetration Testers use different port scanning techniques to determine if a port is open or not. Unless a port is open, you cannot enumerate the service running on it for further exploitation. So, using a wrong port scanning technique can give you a wrong result.

In order to understand the various port scanning techniques, readers need to first understand how TCP communication takes place between programs and applications. You have read in our article on OSI model that the Transport Layer is responsible for reliable data transfer between end systems. You have also read two protocols are used for data transfer between devices and applications. They are Transmission Control Protocol (TCP) and user Datagram Protocol (UDP).

Transmission Control Protocol is a reliable connection-oriented protocol that ensures that data is transmitted accurately and completely between programs and applications.

How TCP communication takes place?

To make sure that data is transmitting correctly and completely, Transmission Control Protocol (TCP) uses various flags in the headers. These flags are given below.

TCP Three-Way Handshake

Before sending data using TCP, two devices establish a connection using a Three-Way handshake which is shown below.

  1. A client sends a TCP packet to the Server with SYN flag set.
  2. The Server responds with a TCP packet with both SYN and ACK flags set.
  3. The client replies to the packet with a TCP packet with ACK flag set.

After this 3-way handshake, both client and Server start sending and receiving data. Now, that you understood how a TCP communication works it’s time to see different port scanning techniques.

1. TCP Connect Scan (-sT)

In this type of scan, NMAP sends a TCP packet to a port with the SYN flags set. If the port is open, the target responds with a SYN/ACK flag set to packet. Then Nmap sends ACK packet. If the port is closed, the target sends a RST packet. If the target doesn’t respond, the port can be considered filtered.

2. SYN or Half-Open Scan (-sS)

In a SYN scan, Nmap sends a SYN packet to the target port. If the port is open, the target sends a “SYN/ACK” set packet. Then Nmap instead of sending a packet with ACK flag set, sends a packet with RST flag set to terminate the connection. Since the Three-way handshake is not complete, it is known as “half-open” scan. Similarly, since the TCP connection is not complete it is not logged and hence considered a stealthy scan. Also, unlike TCP connect scan this scan is fast.

3. ACK Scan (-sA)

Unlike the above two scans, this scan is not used to determine if a port is open or not. In fact, it is used to determine firewall rulesets.  In this scan, Nmap sends a packet with ACK flag set to the target port. Here, both open and closed ports send a packet with RST flag set. These ports are labelled as unfiltered. If the ACK packet is dropped, the port is labelled as filtered.

4. NULL Scan (-sN)

In this scan, Nmap doesn’t set any flags while sending a packet to the target. If no response is received, the port is assigned as open/filtered. If an RST flag is received from the target port, the port is considered closed and if any ICMP unreachable error 3, code,1,2, 9,10 or 13 is received, it is considered as filtered.

5. FIN Scan (-sF)

In this scan, Nmap sends a packet with FIN flag set to the target. The result is same as that of NULL scan.

6. XMAS Scan (-sX)

In this type of scan, NMAP sets FIN, PSH and URG flags to the packet and sends it to target port. The result is same as that of Null scan & FIN scan.

Since the packet is lighted up like a Christmas tree when these 3 flags are set, it is known as XMAS scan. Learn about different port scan results.