Enumeration

In the enumeration stage, every application, system, or network identified in the previous stage (reconnaissance) is scanned for its attack surface: for example, file and directory enumeration in the case of a web application, and open ports and services in the case of a network device. This stage helps the tester identify attack vectors. An attack vector is a path or method by which an attacker (in this case, the pen tester) can gain access to or penetrate the target system. The most commonly used attack vectors are phishing emails, malware, and unpatched vulnerabilities.

A pen tester can perform file and directory enumeration, HTTP method enumeration, host enumeration, and a few other enumeration techniques to find an entry point where vulnerabilities might exist. In a white box test, this stage plays a smaller role, as all the information and details are already given to the tester, but that doesn't mean you should skip it. It is always good practice to perform enumeration and scanning even when all the details are provided: the documentation describes what the application is supposed to expose, whereas enumeration finds what it actually exposes, including obsolete attack paths that the application no longer officially supports but which may still help the tester penetrate the network.

This stage is crucial for black box and gray box tests, because the only information the pen tester has to work from is what was retrieved by performing reconnaissance on the target system or application. Enumeration can become tedious if done manually, so publicly available tools and several Metasploit auxiliary modules can be used to enumerate applications quickly.

The following is a list of tools that can be used to perform enumeration on a web application:

  • File and directory enumeration: Dirsearch, dirb, DirBuster, Metasploit Framework, Burp Suite, gobuster, and so on
  • Enumeration of supported HTTP methods: Nmap, Burp Suite, Metasploit Framework, wfuzz, and so on
  • Testing for rate limiting: Burp Suite, ffuf, wfuzz, and so on
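The three checks in the list above are simple enough to script yourself, and doing so makes clear what the tools are actually doing under the hood. The following added example (not code from the original text or from any of the tools named) implements a wordlist-driven directory scan, HTTP method discovery via OPTIONS, and a rate-limit probe against a constructed local HTTP server that stands in for the target, so it runs offline; the paths, the Allow headers, and the five-attempt login limit are all made-up properties of that mock target.

```python
"""Web enumeration helpers (directory brute force, HTTP method discovery,
rate-limit probing), exercised against a constructed local target.
Added example; not code from the original text."""
import http.client
import http.server
import threading

# --- constructed target: a tiny HTTP server standing in for the web app ---
KNOWN_PATHS = {            # path -> (status, body); everything else is 404
    "/admin/": (401, b"auth required"),
    "/backup.zip": (200, b"PK\x03\x04..."),
    "/api/": (403, b"forbidden"),
    "/old-api/": (200, b"legacy endpoint still mounted"),
    "/login": (200, b"login form"),
}
ALLOW_HEADERS = {          # what OPTIONS advertises for each path
    "/api/": "GET, POST, OPTIONS",
    "/old-api/": "GET, PUT, DELETE, OPTIONS",
}
LOGIN_LIMIT = 5            # /login answers 429 after this many POSTs


class TargetHandler(http.server.BaseHTTPRequestHandler):
    post_counts = {}       # per-path POST counter for the rate limit

    def log_message(self, *args):      # silence per-request logging
        pass

    def _respond(self, status, body=b"", headers=()):
        self.send_response(status)
        for name, value in headers:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        status, body = KNOWN_PATHS.get(self.path, (404, b"not found"))
        self._respond(status, body)

    def do_OPTIONS(self):
        allow = ALLOW_HEADERS.get(self.path)
        if allow is None:
            self._respond(404)
        else:
            self._respond(204, headers=[("Allow", allow)])

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        n = self.post_counts.get(self.path, 0) + 1
        self.post_counts[self.path] = n
        if self.path == "/login" and n > LOGIN_LIMIT:
            self._respond(429, b"slow down", [("Retry-After", "60")])
        else:
            self._respond(200, b"ok")


# --- the enumeration side: what dirb/gobuster, Nmap and ffuf do for you ---
def _request(host, port, method, path, body=None):
    """One raw request; http.client never follows redirects, so the
    status we record is the one the server actually returned."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request(method, path, body=body)
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp


def enumerate_paths(host, port, wordlist, ignore=(404,)):
    """Try each word as a file and as a directory; keep every path whose
    status is not in the ignore list (401/403 are findings, not noise)."""
    found = {}
    for word in wordlist:
        for path in (f"/{word}", f"/{word}/"):
            status = _request(host, port, "GET", path).status
            if status not in ignore:
                found[path] = status
    return found


RISKY_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT", "PATCH"}


def enumerate_methods(host, port, path):
    """Parse the Allow header from an OPTIONS request.
    Returns (advertised methods, the subset worth a closer look)."""
    allow = _request(host, port, "OPTIONS", path).getheader("Allow") or ""
    advertised = {m.strip().upper() for m in allow.split(",") if m.strip()}
    return advertised, advertised & RISKY_METHODS


def probe_rate_limit(host, port, path, attempts=10):
    """POST repeatedly to a login-style endpoint; return the attempt number
    at which the server first answers 429, or None if it never does."""
    for i in range(1, attempts + 1):
        if _request(host, port, "POST", path, body="user=a&pass=b").status == 429:
            return i
    return None


def start_target():
    TargetHandler.post_counts = {}
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), TargetHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def run_enumeration(wordlist=("admin", "backup.zip", "api", "old-api",
                              "login", "uploads")):
    """Run all three checks against the mock target and return the findings."""
    server = start_target()
    host, port = server.server_address
    try:
        paths = enumerate_paths(host, port, wordlist)
        methods = {p: enumerate_methods(host, port, p) for p in paths}
        limit = probe_rate_limit(host, port, "/login")
    finally:
        server.shutdown()
        server.server_close()
    return {"paths": paths, "methods": methods, "rate_limit_after": limit}


if __name__ == "__main__":
    from pprint import pprint
    pprint(run_enumeration())
```

Two details matter in practice. First, only `404` is filtered out: a `401` or `403` on `/admin/` is itself a finding, because it confirms the path exists even though the content is withheld, which is why scanners let you tune the ignored status codes. Second, the `Allow` header is only what the server claims; a real test follows up by sending the interesting method (here `PUT` and `DELETE` on the legacy `/old-api/` path, exactly the kind of obsolete route that enumeration exists to catch) and checking whether it is actually honoured.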

Let's now look at vulnerability assessment.