System enumeration aims to uncover as much low-level technical information as possible: network registrations, domain name registrations, IP addresses and system names, corporate websites, virtual hosts, DNS entries, system configurations, administrative issues, the types of servers and software in use, physical server locations, production and development systems, possible usernames and passwords, and trust relationships between systems.
Many people are surprised by how much of this information is publicly available on the Internet; all you need to know is where to look and how to use an Internet search engine. Network registration information can be found in a number of public WHOIS databases, such as RIPE, ARIN, and APNIC, which can be queried either through a web browser or with the whois command-line utility on Linux. These databases reveal which IP addresses your organization has been allocated, along with contact information that exposes names, email addresses, phone numbers, and physical addresses for the organization, and sometimes even the corporate DNS servers.
An attacker can then build on this information by performing reverse lookups on the enumerated IP addresses. These reveal system names, websites, domain names, and subdomain names, which in turn lead to the discovery of virtual hosts and email addresses.
Email addresses are especially useful to attackers: they provide a point of contact for social engineering; they reveal the organization's email address format, allowing additional addresses to be predicted; they enable phishing attacks; and they may be used to derive usernames for internal and external systems.
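As an added example (not code from the original article), the following Python script shows what a defender auditing their own allocation would pull out of the records discussed above: it parses a constructed RIPE-style WHOIS record, expands the allocated range, infers the email address convention from the published contact addresses, and runs the reverse lookups against a constructed PTR table standing in for dig -x answers. Every name and number in it (EXAMPLE-NET, example.com, the 192.0.2.0 block, the contact names) is a placeholder I made up, and the list of host-name labels it flags is my own heuristic rather than any standard.

```python
"""Self-audit of what public registration data says about an organisation.

Added example, not from the original article. Parses a CONSTRUCTED RIPE-style
WHOIS record and a CONSTRUCTED reverse-DNS (PTR) table for the allocated range
and reports what is public. Runs offline; swap in real whois / dig -x output."""
import ipaddress
import re
from collections import Counter

# Constructed WHOIS record ("key: value" lines, blank line between objects).
# 192.0.2.0/24 is reserved for documentation; example.com is a reserved name.
WHOIS_SAMPLE = """\
inetnum:        192.0.2.0 - 192.0.2.15
netname:        EXAMPLE-NET
admin-c:        EC123-RIPE
tech-c:         EC124-RIPE

person:         Alice Andrews
e-mail:         alice.andrews@example.com
nic-hdl:        EC123-RIPE

person:         Bob Brown
e-mail:         bob.brown@example.com
nic-hdl:        EC124-RIPE

domain:         2.0.192.in-addr.arpa
nserver:        ns1.example.com
nserver:        ns2.example.com
"""

# Constructed PTR answers for the range, standing in for `dig -x <ip>` results.
PTR_SAMPLE = {
    "192.0.2.1": "fw1.example.com",
    "192.0.2.2": "www.example.com",
    "192.0.2.3": "mail.example.com",
    "192.0.2.4": "dev-jira.example.com",
    "192.0.2.5": "test-crm.example.com",
}

# Heuristic (my own choice): first-label tokens that reveal non-production systems.
SENSITIVE_LABELS = ("dev", "test", "staging", "uat", "internal")
KEY_VALUE = re.compile(r"^([a-z-]+):\s*(.*)$", re.MULTILINE)

def parse_whois(text):
    """Collect every value seen for each WHOIS attribute (attributes repeat across objects)."""
    fields = {}
    for key, value in KEY_VALUE.findall(text):
        fields.setdefault(key, []).append(value.strip())
    return fields

def allocated_range(fields):
    """Expand the 'inetnum: start - end' line into the list of allocated IPv4 addresses."""
    start, end = (part.strip() for part in fields["inetnum"][0].split("-"))
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    return [str(ipaddress.ip_address(n)) for n in range(int(first), int(last) + 1)]

def infer_email_pattern(addresses):
    """Return (local-part convention, domain) implied by published contacts, or (None, None)."""
    conventions, domains = Counter(), Counter()
    for addr in addresses:
        local, _, domain = addr.lower().partition("@")
        domains[domain] += 1
        if "." in local:
            conventions["first.last"] += 1
        elif "_" in local:
            conventions["first_last"] += 1
        else:
            conventions["single-token"] += 1
    if not conventions:
        return None, None
    return conventions.most_common(1)[0][0], domains.most_common(1)[0][0]

def reverse_sweep(ips, ptr_table):
    """Resolve each address via the PTR table; return (ip, name, flagged tokens) tuples."""
    findings = []
    for ip in ips:
        name = ptr_table.get(ip)
        if name is None:
            continue  # no PTR record: nothing learned from this address
        labels = name.split(".")[0].split("-")
        flags = [token for token in SENSITIVE_LABELS if token in labels]
        findings.append((ip, name, flags))
    return findings

def audit(whois_text, ptr_table):
    """Build the exposure report a defender would review for one allocation."""
    fields = parse_whois(whois_text)
    hosts = reverse_sweep(allocated_range(fields), ptr_table)
    return {
        "netname": fields.get("netname", [""])[0],
        "contacts": fields.get("e-mail", []),
        "nameservers": fields.get("nserver", []),
        "email_pattern": infer_email_pattern(fields.get("e-mail", [])),
        "flagged_hosts": [(ip, name, flags) for ip, name, flags in hosts if flags],
    }

if __name__ == "__main__":
    for key, value in audit(WHOIS_SAMPLE, PTR_SAMPLE).items():
        print(f"{key:14} {value}")
```

Replace WHOIS_SAMPLE with the whois output for your own range and PTR_SAMPLE with your dig -x answers; the flagged hosts are the ones whose names tell an outsider which systems are development or test kit before a single packet is sent to them, and the contacts and email pattern are what your registry entry hands to a social engineer.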
Internal system and software types and versions, as well as detailed system configurations, are often found on websites such as forums, blogs, newsgroups, mailing lists, web logs, intrusion logs, and job databases. This is usually the result of employees carelessly posting internal system details to these sites from their corporate email addresses while seeking help in troubleshooting that new internal server that just isn't working properly.
So before attackers have even connected to your network, they have likely built a profile of your organization, your personnel, and your internal systems, allowing them to mount a much more directed and precise attack. That attack may take the form of social engineering, exploiting a misconfigured web server, or simply logging into external services with the gathered credentials.