SNMP Enumeration Kali by snmpwalk tool and snmpenum

MODULE 6:- Enumeration

  1. Secure Socket Layer SSL analysis with sslstrip in Kali Linux
  2. SNMP Enumeration Kali by snmpwalk tool and snmpenum
  3. nbtscan and nmap “nbtstat -s” For SMB scanning

SNMP Enumeration by Kali Linux

SNMP enumeration on Kali Linux is done with the snmpwalk tool, a free SNMP monitoring tool available for Windows and Linux. SNMP tools are used to scan and monitor SNMP-enabled networks. In this article you will learn about the relevant commands; the snmpenum tool for Kali Linux is also used for enumeration.

What is SNMP?

The Simple Network Management Protocol (SNMP) is used to manage and monitor hardware devices connected to a network. It is driven by network management software. To utilize SNMP in this fashion you need three distinct components:

  • Network Management System
  • SNMP Agents: devices that communicate with each other using the SNMP protocol
  • Managed devices

Management Information Base (MIB)

The managed devices record information and, through the deployed agent, communicate with the overarching Network Management System. This information is stored in a Management Information Base (MIB).

SNMP is dangerous because it is a clear-text protocol and as such could provide valuable information to an attacker.
You may have heard of community strings; the defaults are public and private. If you use SNMP in your domain, these should be changed, as they are the first strings an attacker will try in order to gain information about your network and, more dangerously, control over your hardware.

SNMP Traps

Another term of note is SNMP traps: a device is configured to receive pre-configured alerts/information from other clients. It uses UDP port 161 to communicate.

What is SNMP Enumeration Kali?

It is the process of using the snmpwalk tool to enumerate user accounts and devices on a target system. SNMP has two passwords for accessing and configuring the SNMP agent from the management station. The first is called the read community string; this password lets you view the configuration of the device or system. The second is called the read/write community string; it is for changing or editing the configuration on the device.

By default the read community string is public and the read/write community string is private. If these passwords are not changed, they can be used by an attacker to do SNMP enumeration from Kali Linux acting as an SNMP manager. If the default password is not as above, other default passwords can be found on

SNMP enumeration Kali Linux snmpwalk tool

Snmpenum and snmpwalk tool
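To show concretely why the community string matters, here is an added example (not code from the original article, and not part of snmpwalk or snmpenum): a minimal SNMPv1/v2c GetRequest encoder and decoder in pure Python. Building the same datagram snmpwalk would send for sysDescr.0 shows the community string sitting in clear text inside the packet, and the decoder is the kind of check a network sensor can run over captured UDP/161 traffic to flag the default strings "public" and "private". The function names `build_get_request`, `parse_snmp_message` and `DEFAULT_COMMUNITIES` are this example's own.

```python
# Added example: minimal SNMPv1/v2c GetRequest encoder/decoder (BER short form only),
# used to flag default community strings in a raw datagram. Not part of the original page.
DEFAULT_COMMUNITIES = {"public", "private"}

def _tlv(tag, payload):
    # BER tag-length-value with a short-form length; enough for small SNMP PDUs
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload

def _oid(dotted):
    # Encode a dotted OID: the first two arcs fold into one byte (40*a + b)
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        assert arc < 128  # base-128 multi-byte arcs are not needed for this sample
        body += bytes([arc])
    return _tlv(0x06, body)

def build_get_request(community, oid, request_id=1, version=1):
    # Message = SEQUENCE { INTEGER version (0 = v1, 1 = v2c), OCTET STRING community, GetRequest PDU }
    assert 0 <= request_id < 128
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x05, b""))            # { OID, NULL }
    pdu = (_tlv(0x02, bytes([request_id])) + _tlv(0x02, b"\x00")  # request-id, error-status
           + _tlv(0x02, b"\x00") + _tlv(0x30, varbind))           # error-index, varbind list
    return _tlv(0x30, _tlv(0x02, bytes([version])) + _tlv(0x04, community.encode())
                + _tlv(0xA0, pdu))

def _read_tlv(buf, pos):
    # Return (tag, value, next_pos); long-form lengths are rejected, not parsed
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not supported")
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def parse_snmp_message(datagram):
    # Pull version, community and PDU type out of a raw SNMP datagram and flag defaults
    tag, msg, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    vtag, ver, pos = _read_tlv(msg, 0)
    ctag, community, pos = _read_tlv(msg, pos)
    pdu_tag, _, _ = _read_tlv(msg, pos)
    if vtag != 0x02 or ctag != 0x04:
        raise ValueError("unexpected field order")
    name = community.decode(errors="replace")   # the community string is plain bytes on the wire
    return {"version": ver[0], "community": name, "pdu_tag": pdu_tag,
            "default_community": name in DEFAULT_COMMUNITIES}
```

Feeding `build_get_request("public", "1.3.6.1.2.1.1.1.0")` to `parse_snmp_message` returns `default_community: True`, which is exactly what a passive sensor on the management VLAN should alert on.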


nbtscan and nmap “nbtstat -s” For SMB scanning


SMB network scans by nbtscan scanner

nbtscan is a free network scanning tool that finds vulnerabilities by scanning the network. It generates scan output containing the IP address and other information from the NetBIOS name block. It is an excellent network scanning tool in Kali Linux, used for network security auditing and finding vulnerabilities.

SMB enumeration

SMB enumeration is a technique to get all entities related to NetBIOS. If the pentester is working in a Windows environment, they can reveal the NetBIOS information through nbtscan.

nbtscan for Linux

The nbtscan tool will generate a report that contains the IP address, NetBIOS computer name, services available, logged in username, and MAC address of the corresponding machines. The NetBIOS name is useful if you want to access the service provided by the machine using the NetBIOS protocol that is connected to an open share. Be careful as using this tool will generate a lot of traffic and it may be logged by the target machines. (Kali Linux- Assuring Security by Penetration Testing – Allen, Lee)

Nbtscan Usages

To see the available options for nbtscan, just type nbtscan -h in the command line console.

The following options are available with nbtscan:

  -v              verbose output. Print all names received from each host
  -d              dump packets. Print whole packet contents.
  -e              Format output in /etc/hosts format.
  -l              Format output in lmhosts format. Cannot be used with -v, -s or -h options.
  -t timeout      wait timeout milliseconds for response. Default 1000.
  -b bandwidth    Output throttling. Slow down output, it uses no more than bandwidth bps.
                  Useful on slow links, so that outgoing queries don't get dropped.
  -r              use local port 137 for scans. Win95 boxes respond to this only. You need to be root to use this option on Unix.
  -q              Suppress banners and error messages.
  -s separator    Script-friendly output. Don't print column and record headers, separate fields with separator.
  -h              Print human-readable names for services. Can only be used with -v option.
  -m retransmits  Number of retransmits. Default 0.
  -f filename     Take IP addresses to scan from file filename. "-f -" makes nbtscan take IP addresses from stdin.
  <scan_range>    what to scan. Can either be a single IP like or a range of addresses in one of two forms


Examples: how to use nbtscan

nbtscan -r
        Scans the whole C-class network.

        Scans a range from to

nbtscan -v -s :
        Scans the C-class network. Prints results in script-friendly format using a colon as the field separator.

nbtscan -f iplist
        Scans the IP addresses specified in the file iplist.
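The script-friendly output produced by `-s` is meant to be consumed by other tools, so here is an added example (not from the original article or the nbtscan project) that parses it into records and lists the hosts whose NetBIOS name table exposes a logged-in user name, which is what a defender would want to clean up. The column order IP, NetBIOS name, server flag, user, MAC and the `<server>`/`<unknown>` placeholders are assumptions about the nbtscan output format; check them against the version you run. The sample output is constructed.

```python
# Added example: parse nbtscan -s output and flag hosts leaking a logged-in user.
# Column order and placeholder tokens below are assumed; verify against your nbtscan build.
SAMPLE_OUTPUT = """\
192.168.56.10:FILESRV01:<server>:<unknown>:00:0c:29:aa:bb:cc
192.168.56.11:WS-ACCT-07:<server>:jdoe:00:0c:29:dd:ee:ff
192.168.56.12:PRINTER:<unknown>:<unknown>:00:0c:29:11:22:33
"""  # constructed sample, not real scan output

def parse_nbtscan(text, sep=":"):
    # One record per non-empty line: ip, name, server flag, user, mac
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # maxsplit=4 keeps a colon-separated MAC address in one field when sep is ":"
        parts = line.split(sep, 4)
        if len(parts) != 5:
            raise ValueError(f"unexpected field count in: {line!r}")
        ip, name, server, user, mac = parts
        records.append({
            "ip": ip,
            "name": name,
            "is_server": server == "<server>",
            "user": None if user == "<unknown>" else user,
            "mac": mac,
        })
    return records

def hosts_leaking_users(records):
    # A user name in the NetBIOS name table gives away a valid account name to anyone on the LAN
    return [r["ip"] for r in records if r["user"]]
```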

Enumerate SMB with the nbtstat script in nmap

User Summary

Attempts to retrieve the target’s NetBIOS names and MAC address.

By default, the script displays the name of the computer and the logged-in user; if the verbosity is turned up, it displays all names the system thinks it owns.

Example Usage

sudo nmap -sU --script nbstat.nse -p137 <host>

nbtstat -s

Nmap options for Firewall IDS evasion in Kali Linux


What is a firewall?

A firewall is software or hardware that protects a private network from a public network. If a hacker tries to scan the network, these probes are discarded by the firewall, so it is most important for hackers and pentesters to scan the network without being caught. If you can bypass the firewall then you are safe. In this tutorial you will learn how to bypass and test a firewall.

Best nmap options to bypass firewall

During penetration testing, you may encounter a system that is using firewall and IDS to protect the system. If you just use the default settings, your action may get detected or you may not get the correct result from Nmap. The following options may be used to help you evade the firewall/IDS:

• -f (fragment packets):

The purpose of this option is to make it harder to detect the packets. By specifying this option once, Nmap will split the packet into 8 bytes or less after the IP header.

• --mtu:

With this option, you can specify your own fragment size. The Maximum Transmission Unit (MTU) must be a multiple of eight or Nmap will give an error and exit.

• -D (decoy):

By using this option, Nmap will send some of the probes from the spoofed IP addresses specified by the user. The idea is to mask the true IP address of the user in the log files. The user's IP address is still in the logs. You can use RND to generate a random IP address or RND:<number> to generate <number> random IP addresses. The hosts you use for decoys should be up, or you will flood the target. Also remember that by using many decoys you can cause network congestion, so you may want to avoid that, especially if you are scanning your client's network.

• --source-port <portnumber> or -g (spoof source port):

This option will be useful if the firewall is set up to allow all incoming traffic that comes from a specific port.

• --data-length:

This option is used to change the default data length sent by Nmap in order to avoid being detected as an Nmap scan.

• --max-parallelism:

This option is usually set to one in order to instruct Nmap to send no more than one probe at a time to the target host.

• --scan-delay <time>:

This option can be used to evade IDS/IPS that use a threshold to detect port scanning activity. You may also experiment with other Nmap options for evasion as explained in the Nmap manual (
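Seen from the IDS side, the two points above (decoys leave the real source in the logs, and a scan delay can drop a source below a detection threshold) can be checked directly. This is an added example, not code from the original article or from Nmap: a threshold-based port-scan detector run over constructed firewall log lines in the form `<epoch> SRC=<ip> DST=<ip> DPT=<port>`. The function names `parse_log` and `flag_scanners`, the log format and the addresses are this example's own assumptions.

```python
# Added example: threshold port-scan detection over constructed firewall log lines.
# Shows that -D decoys are flagged alongside the real source, while a long
# --scan-delay keeps a source under a short detection window. Not from the original page.
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(\d+) SRC=(\S+) DST=\S+ DPT=(\d+)$")  # assumed log format

def _probe_lines(src, ports, start, step):
    # Build one constructed log line per probed port, `step` seconds apart
    return [f"{start + i * step} SRC={src} DST=10.0.0.20 DPT={p}" for i, p in enumerate(ports)]

PORTS = [22, 80, 443, 445, 3389]
LOG = "\n".join(
    _probe_lines("10.0.0.5", PORTS, 100, 1)      # real scanner: 5 ports in 5 seconds
    + _probe_lines("10.0.0.99", PORTS, 100, 1)   # decoy address (-D): same timing, also logged
    + _probe_lines("10.0.0.7", PORTS, 100, 100)  # --scan-delay 100s: one probe every 100 seconds
)

def parse_log(text):
    # Return (timestamp, source, dest_port) tuples; lines that do not match are ignored
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), m.group(2), int(m.group(3))))
    return events

def flag_scanners(events, threshold=4, window=60):
    # Flag a source when it touches more than `threshold` distinct ports
    # within any `window`-second span; decoys and the real host are flagged alike
    by_src = defaultdict(list)
    for ts, src, port in sorted(events):
        by_src[src].append((ts, port))
    flagged = set()
    for src, probes in by_src.items():
        for i, (ts, _) in enumerate(probes):
            ports = {p for t, p in probes[i:] if t - ts <= window}
            if len(ports) > threshold:
                flagged.add(src)
                break
    return flagged
```

With the default 60-second window only 10.0.0.5 and the decoy 10.0.0.99 are flagged; widening the window to 600 seconds also catches the delayed scanner, which is the tuning trade-off a --scan-delay evasion forces on the defender.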
