1

Enumeration Basics — Active, Passive & Semi-Passive

Enumeration is the process of identifying and scanning network ranges and hosts that belong to a target in order to map out the attack surface. Both attackers and defenders perform enumeration — attackers to find weaknesses, defenders to understand their own exposure.

Active enumeration
Direct connection to target
Data is transmitted back and forth between the scanner and the target. Fastest and most comprehensive. Easily detected by IDS/IPS — every probe leaves a trace. Attacker can be traced back to their source IP.
Semi-passive enumeration
Sparse, timed probes
Uses dispersed attempts with significant delays between probes. Still touches the target, but slowly enough that many IDS rules miss the pattern. Trades speed for stealth. Attacker uses timing delays (--scan-delay, -T0) to avoid detection.
Passive enumeration
No direct contact
Collect data from the network without touching the target. Uses network sniffers (Wireshark, Zeek/Bro, p0f) or public sources. A single SYN packet observed passively can reveal OS, browser, uptime, and connection type. Completely undetectable by the target.
Passive tools — what they reveal: Zeek/Bro (in Security Onion) can identify software names and versions from passing traffic (e.g. Apache 2.4, Microsoft IIS 10.0) — no probes sent. p0f can fingerprint the operating system, browser, connection type, and system uptime from a single SYN packet. Passive defenders use network taps or port mirrors to collect traffic for analysis.
2

OSINT, Footprinting & Fingerprinting

Three types of information gathering that support enumeration — each at a different level of detail. These terms are used interchangeably in the field, but the exam distinguishes them.

OSINT
Open Source Intelligence
Searching publicly available information — DNS records, IP address registrations, WHOIS data, public website content, social media, and company information. No direct contact with the target. Tools: Maltego, Recon-ng, Shodan.
Footprinting
Network layout mapping (broad)
Maps the overall layout of a network — IP address ranges, routing topology, DNS namespaces, subdomains, and hostnames. Think of it as drawing the major highways on a map without showing individual buildings. Nmap discovery scan (-sn) is a footprinting tool.
Fingerprinting
Single host in depth
Detailed analysis of a single host — open ports, OS type and version, running services and applications, file shares, uptime, device type. Like showing every building on a map. Nmap -sV and -A are fingerprinting scans.
Exam distinction: Footprinting = network-level (multiple hosts, broad overview). Fingerprinting = host-level (single system, deep detail). These terms are used interchangeably by practitioners but are distinct for the exam. When you see "footprint", think network map. When you see "fingerprint", think individual machine deep-dive.
3

Nmap — Discovery Scans

Nmap (Network Mapper) is the world's most popular enumeration tool — a versatile open-source port scanner used for topology, host, service, and OS discovery. A discovery scan (footprinting) identifies which hosts are alive on a network before the deeper port-level fingerprinting begins.

Nmap discovery scan examples
# Default scan: ping + TCP ACK to 80/443 + 1000-port scan (not stealthy)
$ nmap 192.168.1.0/24

# Host discovery ONLY — suppress port scan (-sn = no port scan)
$ nmap -sn 192.168.1.0/24

# List scan — reverse DNS lookup only, no probes sent (passive-ish)
$ nmap -sL 10.0.0.0/24

# TCP SYN ping to port 80 (bypasses ICMP block)
$ nmap -PS80 10.0.0.1

# Slow timing for stealth (T0=slowest, T5=fastest, T3=default)
$ nmap -T0 --scan-delay 5s 10.0.0.0/24

# Output to grepable file (use -oN for normal, -oX for XML)
$ nmap -sS -p 80 10.10.10.10-12 -oG output_nmap.txt
Stealthiness is relative: A well-configured IDS/IPS can detect most Nmap scanning regardless of flags. "Stealthy" scans reduce detection probability, not eliminate it. As a defender, your job is to configure your IDS to catch scanning activity from unauthorised sources — while whitelisting your own scanning hosts.
4

Nmap — Port Scans, Port States & Fingerprinting

Port states

OPEN
An application is actively accepting connections on this port. This is what you want on a web server's port 80 — and what you don't want on a workstation's port 80 unless you're running a web server. Open ports = potential attack surface.
CLOSED
Port responds with a RST (reset) packet — reachable, but no application is listening. Not a vulnerability by itself, but tells the attacker the host is alive and the OS is likely present.
FILTERED
Nmap cannot determine if the port is open or closed — probes are being blocked. Strong indicator of a firewall. Nmap receives no response or an ICMP error.
UNFILTERED
Port is accessible but state is indeterminate. Not very common. Seen with ACK scans.
OPEN|FILTERED
Cannot determine if open or filtered. Common result with UDP and IP protocol scans. A SYN scan usually resolves this ambiguity.
CLOSED|FILTERED
Cannot distinguish closed from filtered. Seen with TCP Idle scans (-sI). Less common than the others.

Fingerprinting — deep host analysis

Nmap fingerprinting — combined scan
# Service version detection only
$ nmap -sV 10.10.10.10
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4
80/tcp open http Apache httpd 2.4.18 (Ubuntu)

# OS detection (requires root)
$ nmap -O 10.10.10.10
OS: Linux 3.2 - 4.6

# Aggressive — combines -sV, -O, traceroute, NSE scripts (-A)
$ nmap -A -T4 scanme.nmap.org

# Combined: SYN scan + versioning + OS across IP range
$ nmap -sS -sV -O 10.10.10.10-12
# Results include: open ports, service/version, OS, MAC address
CPE — Common Platform Enumeration
How Nmap knows which OS and service is running — it compares the response packets to a database of known signatures (CPE). Developed by MITRE. Each OS and service version responds slightly differently to probes.
NSE — Nmap Scripting Engine
Extends Nmap using Lua scripts. Available scripts at nmap.org. Capabilities: OS detection, Windows account discovery, vulnerability detection, web server probing, geolocation traceroute. Use with --script [name] flag.
5

Nmap — Complete Scan Reference Table

Flag Scan Name Description Stealth
-snHost Discovery / Ping ScanDiscover live hosts. Suppresses port scanning. Sends ping + TCP ACK to 80/443. Use for footprinting only.Moderate
-sLList ScanLists IP range and performs reverse DNS queries. No direct probes to hosts. Most passive of all scans.High (passive-ish)
-PSTCP SYN PingSends SYN to specified ports instead of ICMP ping. Bypasses ICMP-blocking firewalls. Doesn't complete handshake.Moderate
-sSTCP SYN (Half-Open)Sends SYN, gets SYN-ACK, never sends ACK. Fast, doesn't complete the connection. Requires root/admin access.Moderate-High
-sTTCP Connect (Full)Completes full 3-way handshake. Slower, more detectable. Used when root access is unavailable.Low
-sUUDP ScanSends UDP packets and waits for response or timeout. Slower than TCP scans. No handshake protocol.Moderate
-sNNull ScanSends packet with no TCP flags set (header = 0x00). Unexpected — most IDS flags this immediately.Low
-sFFIN ScanSends unexpected FIN packet (normally used to end sessions). IDS will flag. Used to probe certain firewall rules.Low
-sXXmas ScanSets FIN + PUSH + URG flags — "lights up like a Christmas tree." Extremely noisy. Used to test if defenders are monitoring.Very Low
-sITCP Idle (Zombie)Uses a third "zombie" host to conduct the scan, hiding the true scanner's identity. Stealthy but complex to set up.High
-sVVersion DetectionProbes open ports to determine service name and version. Slower than basic scan. Requires open ports first.Moderate
-OOS DetectionAnalyzes TCP/IP stack responses to guess OS type and version. Requires root/admin. Uses CPE database.Moderate
-AAggressiveCombines -sV + -O + traceroute + default NSE scripts. Maximum information, very noisy.Low
-pPort RangeSpecify which ports to scan. Example: -p 80,443,22. Reduces noise by not scanning all 1000 defaults.
-T0 to T5Timing TemplatesT0=slowest/stealthiest; T5=fastest/noisiest; T3=default. Lower = more pauses between probes = harder to detect.
-f / --mtuFragmentationSplits TCP headers across multiple IP datagrams. Harder for older IDS to reassemble and inspect.Moderate-High
-oN / -oX / -oGOutput FormatsSave results: -oN=normal text, -oX=XML (SIEM-friendly), -oG=grepable (for grep/scripting). Essential for large scans.
CySA+ exam approach to Nmap: You don't need to memorise every flag for the CySA+ exam (PenTest+ requires that). You DO need to understand: what a SYN scan is (-sS), the difference between -sV (version) and -O (OS), what -sn does (host discovery only), the six port states, and how to read Nmap output. Practice reading scan results — you will see them in scenario questions.
6

hping3 — Packet Crafting Tool

hping3 is an open-source spoofing tool that allows a tester to craft custom network packets of any type and size. Unlike Nmap (which sends fixed probe types), hping lets you build any packet you want — making it useful for both fingerprinting/enumeration and testing firewall/IDS configurations.

hping3 — example commands
# Send one SYN packet to port 80 (stealthy host detect)
$ hping3 -S -p 80 -c 1 192.168.1.1

# Send ACK packet instead (bypasses some SYN-blocking firewalls)
$ hping3 -A -p 80 -c 1 192.168.1.1

# TCP timestamp to determine system uptime (send 2 packets)
$ hping3 -c 2 -S -p 80 --tcp-timestamp 192.168.1.1
↑ long uptime = system may not be patched (reboots update patches)

# Traceroute using TCP packets (bypasses ICMP-blocking firewalls)
$ hping3 --traceroute -S -p 80 192.168.1.1
Host detection & firewall testing
Craft specific packet types (SYN, ACK, FIN, RST) to probe individual ports. Useful when Nmap's standard probes are blocked — choose any packet type to bypass firewall rules.
Timestamping
Determine system uptime. A server up for a year likely hasn't been rebooted for patching. Long uptime = vulnerability indicator. Uses TCP timestamp option.
Traceroute
Use TCP or UDP packets instead of ICMP for traceroute — bypasses firewalls that block ICMP echo replies. Maps the network path to a target when standard traceroute fails.
DoS / Fragmentation
Legacy: can send fragmented packets or crafted oversized packets. Most modern systems are immune. Still relevant for legacy ICS/SCADA or embedded systems that haven't been updated.
7

Other Enumeration Tools — Angry IP, Maltego, Responder, Recon-ng

Angry IP Scanner
GUI network scanner — ping sweep + port check
Open-source GUI tool for quickly scanning an IP range to identify live hosts, hostnames, open ports, OS, and running services. Good for ping sweeps during containment/recovery to identify affected systems. Also useful for finding rogue or unauthorised devices on a network.
IOC if found on non-admin machines
Maltego
OSINT visualisation and data mining
Gathers and visualises data from DNS, WHOIS, social media (Twitter/Facebook/LinkedIn), and custom data feeds. Shows relationships between IP addresses, email addresses, domain names, and organisations as a visual graph. Excellent for identifying C2 server relationships and phishing campaign infrastructure.
Tool itself is not an IOC — its output reveals threats
Responder
LLMNR/NetBIOS/MDNS poisoning tool
Part of Kali Linux. Poisons NetBIOS/LLMNR/MDNS name resolution responses — when a Windows host can't reach DNS and broadcasts a name query, Responder answers with the attacker's IP. Victims connect to the attacker's machine (MITM). Enables password hash capture for offline cracking. Defender use: analysis mode monitors traffic without responding.
IOC: LLMNR/NetBIOS traffic on networks where DNS should be used
Recon-ng
OSINT framework / modular reconnaissance
Open-source intelligence and enumeration framework used by both pen testers and analysts. Module-based architecture similar to Metasploit. Automates collection from public sources: WHOIS, DNS, search engines, social media, breach databases. Produces structured data for further analysis.
Tool itself is not an IOC
Responder — how the attack works: Windows checks hosts file → DNS → then broadcasts LLMNR/NetBIOS asking "who has this name?". Responder intercepts that broadcast and says "I do" — returning the attacker's IP. The victim's Windows machine then authenticates to the attacker, sending its NTLMv2 hash. That hash can be cracked offline or used in a pass-the-hash attack. Mitigation: disable LLMNR and NetBIOS in Group Policy.
8

Wireless Assessment — Aircrack-ng & Reaver

Aircrack-ng Suite — WEP/WPA cracking
A suite of four tools for wireless security testing:

Airmon-ng — enables/disables monitor mode on wireless card (required first step for passive capture)

Airodump-ng — captures wireless frames, identifies APs (MAC) and clients (MAC), captures handshakes

Aireplay-ng — injects frames to force reauthentication — deauthenticates clients so you can capture the reconnection handshake

Aircrack-ng — cracks WEP keys (100% reliable) or WPA/WPA2 by brute-forcing the 4-way handshake

Mitigation: Use WPA2/WPA3 with a long, strong password (defeats dictionary attacks). Use RADIUS/802.1X for enterprise networks (certificate-based auth, defeats Aircrack-ng completely).
Reaver — WPS PIN Brute Force
Brute-forces the Wi-Fi Protected Setup (WPS) PIN on routers with WPS enabled.

Why WPS is weak: The WPS PIN is 8 digits split into two independent 4-digit halves. Each half can be brute-forced separately — 10,000 + 10,000 = 20,000 combinations. Modern hardware can try all combinations quickly.

Rate limiting mitigation: Adding a 30-second delay between PIN attempts extends attack time from minutes to days — but a determined attacker still gets in if WPS is enabled.

Best mitigation: DISABLE WPS on all access points. The convenience feature is not worth the security risk. No WPS = no WPS attack.
9

Credential Testing — Hashcat & John the Ripper

Once hashes are collected (via SAM dump, Responder capture, or network sniffing), they can be cracked offline to recover plaintext passwords. Two primary tools: Hashcat uses GPU acceleration for maximum speed; John the Ripper is simpler to use for basic hash types.

Hashcat
GPU-accelerated hash cracking
Uses GPU (not CPU) for mathematical processing — GPUs are purpose-built for the parallel arithmetic that makes hash cracking fast. A 25-GPU rig (2012) cracked 348 billion NTLM hashes/second. A standard laptop can do ~364,000 hashes/second. Supports brute-force and dictionary attacks. Modern hashes (SHA-256) are more resilient but not immune to large GPU rigs.
John the Ripper
Classic password cracker
Open-source password cracker. For Linux: use unshadow /etc/passwd /etc/shadow > password.txt to combine shadow files, then john password.txt to crack. john --show password.txt displays cracked passwords. Simple default password like "toor" cracks in seconds.
John the Ripper — cracking Linux /etc/shadow
# Step 1: Combine /etc/passwd and /etc/shadow into one file
# unshadow /etc/passwd /etc/shadow > password.txt

# Step 2: Run John against the combined file
# john password.txt
Loaded 1 password hash (sha512crypt [SHA512 256/256 AVX2 4x])
toor (root) <-- cracked instantly, weak password!

# Step 3: Show cracked passwords
# john --show password.txt
root:toor:0:0:root:/root:/bin/bash

# Hashcat one-liner: -m=hash type, -a=attack mode, -o=output file
$ hashcat -m 1000 -a 0 -o cracked.txt hashes.txt wordlist.txt
-m 1000 = NTLM hash type -a 0 = dictionary attack
Defender takeaway: If an attacker gets your password hashes, they don't need to crack them for Pass the Hash — but if they do crack them, they have the plaintext password for reuse everywhere the user applied the same password. Ensure: long, unique passwords per service; MFA everywhere; monitor for SAM dump attempts (Event ID 4661, 4625); disable LLMNR/NetBIOS to prevent Responder captures.

Exam

Quick Reference Cheat Sheet

Enumeration types
Active = direct connection, fast, easily detected. Semi-passive = sparse timed probes, slower, harder to detect. Passive = no probes (sniff only), undetectable. Passive tools: Wireshark, Zeek/Bro, p0f. One SYN packet can reveal OS, browser, uptime via p0f.
Footprinting vs. fingerprinting
Footprinting = broad network-level map (IP ranges, DNS, topology). Fingerprinting = deep single-host analysis (OS, services, versions, ports). Nmap -sn = footprinting. Nmap -sV / -A = fingerprinting. Exam distinguishes them even though field uses them interchangeably.
Key Nmap flags
-sn (host discovery only). -sS (SYN/half-open, needs root). -sT (full connect, no root). -sU (UDP). -sV (service version). -O (OS detection). -A (aggressive = all). -sN/-sF/-sX (Null/FIN/Xmas = very noisy). -T0 to T5 (timing). -p (port range). -oG/-oN/-oX (output).
Port states
Open = application accepting connections (investigate on non-servers). Closed = RST response, no app (host is alive). Filtered = no response, firewall present. Unfiltered = reachable but unknown state. Open|Filtered = UDP/IP scan ambiguity. Closed|Filtered = TCP idle scan ambiguity.
Nmap stealth guide
Most stealthy: -sI (zombie) > -sL (list/passive) > -sS -T0 --scan-delay (slow SYN). Least stealthy: -sX (Xmas) > -sN (Null) > -sF (FIN) > -A (aggressive). A well-tuned IDS catches most scans regardless of flag. Whitelist your own scanning hosts in IDS rules.
hping3
Packet crafting — send any TCP/UDP/ICMP packet type you choose. -S (SYN), -A (ACK), -c (count). Uses: host detection, firewall rule testing, traceroute via TCP, system uptime via TCP timestamp. DoS/fragmentation legacy — mostly ineffective on modern systems.
Other tools
Angry IP Scanner = GUI ping sweep + port check, good for incident containment. Maltego = OSINT visual graph (DNS/WHOIS/social media). Responder = poisons LLMNR/NetBIOS → MITM → captures NTLMv2 hashes. Mitigation: disable LLMNR and NetBIOS. Recon-ng = modular OSINT framework.
Wireless tools
Aircrack-ng suite: Airmon-ng (monitor mode) → Airodump-ng (capture) → Aireplay-ng (deauth/inject) → Aircrack-ng (crack). WEP = always crackable. WPA2 + long strong password = very resistant. RADIUS/802.1X = defeats Aircrack entirely. Reaver: brute-forces WPS PIN (20,000 combos). Fix: DISABLE WPS.
Credential testing
John the Ripper: unshadow /etc/passwd /etc/shadow → john file.txt → john --show file.txt. Hashcat: GPU-accelerated, hashcat -m [type] -a [mode] -o output.txt hashes.txt wordlist.txt. GPU rigs crack 348B NTLM hashes/second. Modern SHA-256 more resilient. For exam: know hashcat = brute force/dictionary hash cracker.