Module 04: Enumeration

Lab Tasks

Ethical hackers or penetration testers use several tools and techniques to enumerate the target
network. Recommended labs that will assist you in learning various enumeration techniques include:
1. Perform NetBIOS enumeration
o Perform NetBIOS enumeration using Windows command-line utilities
o Perform NetBIOS enumeration using NetBIOS Enumerator
o Perform NetBIOS enumeration using an NSE Script
2. Perform SNMP enumeration
o Perform SNMP enumeration using snmp-check
o Perform SNMP enumeration using SoftPerfect Network Scanner
3. Perform LDAP enumeration
o Perform LDAP enumeration using Active Directory Explorer (AD Explorer)
4. Perform NFS enumeration
o Perform NFS enumeration using RPCScan and SuperEnum
5. Perform DNS enumeration
o Perform DNS enumeration using zone transfer
o Perform DNS enumeration using DNSSEC zone walking
6. Perform RPC, SMB, and FTP enumeration
o Perform RPC and SMB enumeration using NetScanTools Pro
o Perform RPC, SMB, and FTP enumeration using Nmap
7. Perform enumeration using various enumeration tools
o Enumerate information using Global Network Inventory
o Enumerate network resources using Advanced IP Scanner
o Enumerate information from Windows and Samba host using Enum4linux

Lab 1: Perform NetBIOS Enumeration

Task 1: Perform NetBIOS Enumeration using Windows Command-
Line Utilities

Nbtstat helps in troubleshooting NETBIOS name resolution problems. The nbtstat command
removes and corrects preloaded entries using several case-sensitive switches. Nbtstat can be used to
enumerate information such as NetBIOS over TCP/IP (NetBT) protocol statistics, NetBIOS name tables
for both the local and remote computers, and the NetBIOS name cache.
Net use connects a computer to, or disconnects it from, a shared resource. It also displays
information about computer connections.
Here, we will use the Nbtstat, and Net use Windows command-line utilities to perform NetBIOS
enumeration on the target network.
We will use a Windows Server 2019 (10.10.10.19) machine to target a Windows 10 (10.10.10.10)
machine.
1. Click Windows Server 2019 to switch to the Windows Server 2019 machine.
2. Click  Ctrl+Alt+Delete  to activate the machine. By default, Administration user
profile is selected, click Pa$$w0rd to paste the password in the Password field and
press Enter to login.
Alternatively, you can also click Pa$$w0rd under Windows Server 2019 machine
thumbnail in the Resources pane or Click Type Text | Type Password button under
Commands (thunder icon) menu.
Networks screen appears, click Yes to allow your PC to be discoverable by other PCs and
devices on the network.
3. Open a Command Prompt window.
4. Type nbtstat -a [IP address of the remote machine] (in this example, the target IP
address is 10.10.10.10) and press Enter.
In this command, -a displays the NetBIOS name table of a remote computer.
5. The result appears, displaying the NetBIOS name table of a remote computer (in
this case, the WINDOWS10 machine), as shown in the screenshot.
6. In the same Command Prompt window, type nbtstat -c and press Enter.
In this command, -c lists the contents of the NetBIOS name cache of the remote
computer.
7. The result appears, displaying the contents of the NetBIOS name cache, the table of
NetBIOS names, and their resolved IP addresses.
It is possible to extract this information without creating a null session (an
unauthenticated session).
8. Now, type net use and press Enter. The output displays information about the
target such as connection status, shared folder/drive and network information, as shown
in the screenshot.
 9. This concludes the demonstration of performing NetBIOS enumeration using
Windows command-line utilities such as Nbtstat and Net use.

10. Close all open windows and document all the acquired information.

Task 2: Perform NetBIOS Enumeration using NetBIOS Enumerator

NetBIOS Enumerator is a tool that enables the use of remote network support and several other
techniques such as SMB (Server Message Block). It is used to enumerate details such as NetBIOS
names, usernames, domain names, and MAC addresses for a given range of IP addresses.
Here, we will use the NetBIOS Enumerator to perform NetBIOS enumeration on the target network.
We will use a Windows 10 machine to target Windows Server 2016 and Windows Server
2019 machines.
1. Click Windows 10 to switch to the Windows 10 machine, click  Ctrl+Alt+Delete .
Alternatively, you can also click Ctrl+Alt+Delete button under Windows 10 machine
thumbnail in the Resources pane or Click Ctrl+Alt+Delete button under Commands
(thunder icon) menu.
2. By default, Admin user profile is selected, click Pa$$w0rd to paste the password in
the Password field and press Enter to login.
Alternatively, you can also click Pa$$w0rd under Windows 10 machine thumbnail in
the Resources pane or Click Type Text | Type Password button under Commands
(thunder icon) menu.
If Welcome to Windows wizard appears, click Continue and in Sign in with
Microsoft wizard, click Cancel.
Networks screen appears, click Yes to allow your PC to be discoverable by other PCs and
devices on the network.
3. In the Windows 10 machine, navigate to D:\CEH-Tools\CEHv11 Module 04
Enumeration\NetBIOS Enumeration Tools\NetBIOS Enumerator and double-
click NetBIOS Enumerater.exe.
If the Open - File Security Warning pop-up appears, click Run.
4. The NetBIOS Enumerator main window appears, as shown in the screenshot.
5. Under IP range to scan, enter an IP range in the from and to fields and click
the Scan button to initiate the scan (In this example, we are targeting the IP
range 10.10.10.15-10.10.10.20).
6. NetBIOS Enumerator scans for the provided IP address range. On completion, the
scan results are displayed in the left pane, as shown in the screenshot.

7. The Debug window section in the right pane shows the scanning range of IP

addresses and displays Ready! after the scan is finished.
8. Click on the expand icon (+) to the left of the 10.10.10.16 and 10.10.10.19 IP
addresses in the left pane of the window. Then click on the expand icon to the left
of NetBIOS Names to display NetBIOS details of the target IP address, as shown in the
screenshot.
 9. This concludes the demonstration of performing NetBIOS enumeration using
NetBIOS Enumerator. This enumerated NetBIOS information can be used to strategize
an attack on the target.

10. Close all open windows and document all the acquired information.

Task 3: Perform NetBIOS Enumeration using an NSE Script

NSE allows users to write (and share) simple scripts to automate a wide variety of networking tasks.
NSE scripts can be used for discovering NetBIOS shares on the network. Using the nbstat NSE script,
for example, you can retrieve the target’s NetBIOS names and MAC addresses. Moreover, increasing
verbosity allows you to extract all names related to the system.
Here, we will run the nbstat script to enumerate information such as the name of the computer and
the logged-in user.

1. Click Windows 10 to switch to the Windows 10 machine, click on the Start button

on the left-bottom corner of Desktop and launch Nmap - Zenmap GUI from the
applications, as shown in the screenshot.
Or
Double-click Nmap-Zenmap GUI shortcut present on the Desktop.
2. The Zenmap window appears. In the Command field, type the command nmap -
sV -v --script nbstat.nse [Target IP Address] (in this example, the target IP address
is 10.10.10.16) and click Scan.
-sV detects the service versions, -v enables the verbose output (that is, includes all hosts
and ports in the output), and --script nbtstat.nse performs the NetBIOS enumeration.
3. The scan results appear, displaying the open ports and services, along with their
versions. Displayed under the Host script results section are details about the target
system such as the NetBIOS name, NetBIOS user, and NetBIOS MAC address, as shown
in the screenshot.
4. In the Command field of Zenmap, type nmap -sU -p 137 -script nbstat.nse
[Target IP Address] (in this case, the target IP address is 10.10.10.16) and click Scan.
-sU performs a UDP scan, -p specifies the port to be scanned, and --script
nbtstat.nse performs the NetBIOS enumeration.
5. The scan results appear, displaying the open NetBIOS port (137) and, under
the Host script results section, NetBIOS details such as NetBIOS name, NetBIOS user,
and NetBIOS MAC of the target system, as shown in the screenshot.
 6. This concludes the demonstration of performing NetBIOS enumeration using an
NSE script.

7. Other tools may also be used to perform NetBIOS enumeration on the target
network such as Global Network Inventory (http://www.magnetosoft.com), Advanced
IP Scanner (http://www.advanced-ip-scanner.com), Hyena (https://www.systemtools.co
m), and Nsauditor Network Security Auditor (https://www.nsauditor.com).

8. Close all open windows and document all the acquired information.

Lab 2: Perform SNMP Enumeration

Task 1: Perform SNMP Enumeration using snmp-check

snmp-check is a tool that enumerates SNMP devices, displaying the output in a simple and reader-
friendly format. The default community used is “public.” As an ethical hacker or penetration tester, it
is imperative that you find the default community strings for the target device and patch them up.
Here, we will use the snmp-check tool to perform SNMP enumeration on the target IP address
We will use a Parrot Security (10.10.10.13) machine to target a Windows Server 2016 (10.10.10.16)
machine.
1. Click Parrot Security to switch to the Parrot Security machine.
2. In the login page, the attacker username will be selected by default. Enter
password as toor in the Password field and press Enter to log in to the machine.
If a Parrot Updater pop-up appears at the top-right corner of Desktop, ignore and
close it.
 If a Question pop-up window appears asking you to update the machine, click No to
close the window.

3. Click the MATE Terminal icon at the top of the Desktop window to open

a Terminal window.
Before starting SNMP enumeration, we must first discover whether the SNMP port is
open. SNMP uses port 161 by default; to check whether this port is opened, we will first
run Nmap port scan.
4. A Parrot Terminal window appears. In the terminal window, type sudo su and
press Enter to run the programs as a root user.

5. In the [sudo] password for attacker field, type toor as a password and

press Enter.
The password that you type will not be visible.
6. Now, type cd and press Enter to jump to the root directory.
7. In the Parrot Terminal window, type nmap -sU -p 161 [Target IP address] (in this
example, the target IP address is 10.10.10.16) and press Enter.
-sU performs a UDP scan and -p specifies the port to be scanned.
8. The results appear, displaying that port 161 is open/filtered and being used by
SNMP, as shown in the screenshot.
9. We have established that the SNMP service is running on the target machine. Now,
we shall exploit it to obtain information about the target system.

10. In the Parrot Terminal window, type snmp-check [Target IP Address] (in this

example, the target IP address is 10.10.10.16) and press Enter.

11. The result appears as shown in the screenshot. It reveals that the extracted SNMP
port 161 is being used by the default “public” community string.
If the target machine does not have a valid account, no output will be displayed.
12. The snmp-check command enumerates the target machine, listing sensitive
information such as System information and User accounts.
13. Scroll down to view detailed information regarding the target network under the
following sections: Network information, Network interfaces, Network
IP and Routing information, and TCP connections and listening ports.
14. Similarly, scrolling down reveals further sensitive information
on Processes, Storage information, File system information, Device
information, Share, etc.
15. This concludes the demonstration of performing SNMP enumeration using the
snmp-check.

16. Close all open windows and document all the acquired information.
Task 2: Perform SNMP Enumeration using SoftPerfect Network
Scanner

SoftPerfect Network Scanner can ping computers, scan ports, discover shared folders, and retrieve
practically any information about network devices via WMI (Windows Management Instrumentation),
SNMP, HTTP, SSH, and PowerShell.
The program also scans for remote services, registries, files, and performance counters. It can check
for a user-defined port and report if one is open, and is able to resolve hostnames as well as auto-
detect your local and external IP range. SoftPerfect Network Scanner offers flexible filtering and
display options, and can export the NetScan results to a variety of formats, from XML to JSON. In
addition, it supports remote shutdown and Wake-On-LAN.
Here, we will use the SoftPerfect Network Scanner to perform SNMP enumeration on a target
system.

1. Click Windows Server 2019 to switch to the Windows Server 2019 machine.

2. Navigate to Z:\CEHv11 Module 04 Enumeration\SNMP Enumeration Tools\
SoftPerfect Network Scanner and double-click netscan_setup.exe.
If a User Account Control pop-up appears, click Yes.
3. When the Setup - SoftPerfect Network Scanner window appears, click Next and
follow the installation steps to install SoftPerfect Network Scanner, using all default
settings.

4. On completion of the installation, click Finish.

Ensure that the Launch SoftPerfect Network Scanner option is selected.
5. When the Welcome to the Network Scanner wizard appears, click Continue.
6. The SoftPerfect Network Scanner GUI window will appear, as shown in the
screenshot.
7. In the Options menu, click Remote SNMP…. The SNMP pop-up window will
appear.

8. Click the Mark All/None button to select all the items available for SNMP scanning
and close the window.
9. To scan your network, enter an IP range in the IPv4 From and To fields (in this
example, the target IP address range is 10.10.10.5-10.10.10.20), and click the Start
Scanning button.
10. The status bar at the lower-right corner of the GUI displays the status of the scan.

11. The scan results appear, displaying the active hosts in the target IP address range,
as shown in the screenshot.
12. To view the properties of an individual IP address, right-click a particular IP address
(in this example, 10.10.10.16) and select Properties, as shown in the screenshot.
13. The Properties window appears, displaying the Shared Resources and Basic
Info of the machine corresponding to the selected IP address.
14. Close the Properties window.

15. To view the shared folders, note the scanned hosts that have a + node before them.
Expand the node to view all the shared folders.
In this example, we are targeting the Windows Server 2016 machine (10.10.10.16).
16. Right-click the selected host, and click Open Device. A drop-down list appears,
containing options that allow you to connect to the remote machine over HTTP, HTTPS,
FTP, and Telnet.
 If the selected host is not secure enough, you may use these options to connect to the
remote machines. You may also be able to perform activities such as sending a message
and shutting down a computer remotely. These features are applicable only if the
selected machine has a poor security configuration.
17. This concludes the demonstration of performing SNMP enumeration using the
SoftPerfect Network Scanner.

18. You can also use other SNMP enumeration tools such as Network Performance
Monitor (https://www.solarwinds.com), OpUtils (https://www.manageengine.com), PRT
G Network Monitor (https://www.paessler.com), Engineer’s
Toolset (https://www.solarwinds.com), and WhatsUp®
Gold (https://www.ipswitch.com) to perform SNMP enumeration on the target network.

19. Close all open windows and document all the acquired information.

Lab 3: Perform LDAP Enumeration

Task 1: Perform LDAP Enumeration using Active Directory

Explorer (AD Explorer)

Active Directory Explorer (AD Explorer) is an advanced Active Directory (AD) viewer and editor. It can
be used to navigate an AD database easily, define favorite locations, view object properties and
attributes without having to open dialog boxes, edit permissions, view an object’s schema, and
execute sophisticated searches that can be saved and re-executed.
Here, we will use the AD Explorer to perform LDAP enumeration on an AD domain and modify the
domain user accounts.

1. In the Windows Server 2019 machine, navigate to Z:\CEHv11 Module 04

Enumeration\LDAP Enumeration Tools\Active Directory Explorer and double-
click ADExplorer.exe.

2. The Active Directory Explorer License Agreement window appears; click Agree.

3. The Connect to Active Directory pop-up appears; type the IP address of the target
in the Connect to field (in this example, we are targeting the Windows Server
2016 machine: 10.10.10.16) and click OK.
4. The Active Directory Explorer displays the active directory structure in the left
pane, as shown in the screenshot.
5. Now, expand DC=CEH, DC=com, and CN=Users by clicking “+” to explore domain
user details.
6. Click any username (in the left pane) to display its properties in the right pane.
7. Right-click any attribute in the right pane (in this case, displayName) and
click Modify… from the context menu to modify the user’s profile.
8. The Modify Attribute window appears. First, select the username under
the Value section, and then click the Modify… button. The Edit Value pop-up appears.
Rename the username in the Value data field and click OK to save the changes.
 9. You can read and modify other user profile attributes in the same way.

10. This concludes the demonstration of performing LDAP enumeration using AD

Explorer.

11. You can also use other LDAP enumeration tools such as Softerra LDAP
Administrator (https://www.ldapadministrator.com), LDAP Admin
Tool (https://www.ldapsoft.com), LDAP Account Manager (https://www.ldap-account-
manager.org), LDAP Search (https://securityxploded.com),
and JXplorer (http://www.jxplorer.org) to perform LDAP enumeration on the target.

12. Close all open windows and document all the acquired information.

Lab 4: Perform NFS Enumeration

Task 1: Perform NFS Enumeration using RPCScan and SuperEnum

RPCScan communicates with RPC (remote procedure call) services and checks misconfigurations on
NFS shares. It lists RPC services, mountpoints,and directories accessible via NFS. It can also
recursively list NFS shares. SuperEnum includes a script that performs a basic enumeration of any
open port, including the NFS port (2049).
Here, we will use RPCScan and SuperEnum to enumerate NFS services running on the target
machine.
Before starting this lab, it is necessary to enable the NFS service on the target machine (Windows
Server 2019). This will be done in steps 1-6.
1. In the Windows Server 2019 machine, click the Start button at the bottom-left
corner of Desktop and open Server Manager.

2. The Server Manager main window appears. By default, Dashboard will be selected;

click Add roles and features.
3. The Add Roles and Features Wizard window appears. Click Next here and in
the Installation Type and Server Selection wizards.

4. The Server Roles section appears. Expand File and Storage Services and select the

checkbox for Server for NFS under the File and iSCSI Services option, as shown in the
screenshot. Click Next.
In the Add features that are required for Server for NFS? pop-up window, click
the Add Features button.
5. In the Features section, click Next. The Confirmation section appears;
click Install to install the selected features.
6. The features begin installing, with progress shown by the Feature
installation status bar. When installation completes, click Close.
7. Having enabled the NFS service, it is necessary to check if it is running on the target
system (Windows Server 2019). In order to do this, we will use Parrot
Security machine.

8. Click Parrot Security to switch to the Parrot Security machine.

9. Click the MATE Terminal icon at the top-left corner of the Desktop window to
open a Terminal window.
10. A Parrot Terminal window appears. In the terminal window, type sudo su and
press Enter to run the programs as a root user.
11. In the [sudo] password for attacker field, type toor as a password and
press Enter.
The password that you type will not be visible.
12. Now, type cd and press Enter to jump to the root directory.
13. In the terminal window, type nmap -p 2049 [Target IP Address] (in this
case, 10.10.10.19) and press Enter.
14. The scan result appears indicating that port 2049 is opened, and the NFS service is
running on it, as shown in the screenshot.

15. Type cd SuperEnum and press Enter to navigate to the SuperEnum folder.

16. Type echo "10.10.10.19" >> Target.txt and press Enter to create a file having a
target machine's IP address (10.10.10.19).
You may enter multiple IP addresses in the Target.txt file. However, in this task we are
targeting only one machine, the Windows Server 2019 (10.10.10.19). The IP address
may vary in your lab environment.
17. Type ./superenum and press Enter. Under Enter IP List filename with path,
type Target.txt, and press Enter.
If you get an error running the ./superenum script, type chmod +x superenum and
press Enter, then repeat Step 17.
18. The script starts scanning the target IP address for open NFS and other.
The scan will take approximately 15-20 mins to complete.
19. After the scan is finished, scroll down to review the results. Note that port 2049 is
open and the NFS service is running on it.
20. You can also observe the other open ports and the services running on them.

21. In the terminal window, type cd .. and press Enter to return to the root directory.
22. Now, we will perform NFS enumeration using RPCScan. To do so, type cd
RPCScan and press Enter
23. Type python3 rpc-scan.py [Target IP address] --rpc (in this case, the target IP
address is 10.10.10.19, the Windows Server 2019 machine); press Enter.
--rpc: lists the RPC (portmapper); the target IP address may differ in your lab
environment.
24. The result appears, displaying that port 2049 is open, and the NFS service is running
on it.
 25. This concludes the demonstration of performing NFS enumeration using
SuperEnum and RPCScan.

26. Close all open windows and document all the acquired information.

Lab 5: Perform DNS Enumeration

Task 1: Perform DNS Enumeration using Zone Transfer

DNS zone transfer is the process of transferring a copy of the DNS zone file from the primary DNS
server to a secondary DNS server. In most cases, the DNS server maintains a spare or secondary
server for redundancy, which holds all information stored in the main server.
If the DNS transfer setting is enabled on the target DNS server, it will give DNS information; if not, it
will return an error saying it has failed or refuses the zone transfer.
Here, we will perform DNS enumeration through zone transfer by using the dig (Linux-based
systems) and nslookup (Windows-based systems) tool.

1. We will begin with DNS enumeration of Linux DNS servers.

2. Click Parrot Security to switch to the Parrot Security machine.

3. Click the MATE Terminal icon at the top-left corner of the Desktop window to
open a Terminal window.
4. A Parrot Terminal window appears. In the terminal window, type sudo su and
press Enter to run the programs as a root user.
5. In the [sudo] password for attacker field, type toor as a password and
press Enter.
The password that you type will not be visible.
6. Now, type cd and press Enter to jump to the root directory.
7. A Parrot Terminal window appears. In the terminal window, type dig ns [Target
Domain] (in this case, the target domain is www.certifiedhacker.com); press Enter.
In this command, ns returns name servers in the result
8. The above command retrieves information about all the DNS name servers of the
target domain and displays it in the ANSWER SECTION, as shown in the screenshot.
On Linux-based systems, the dig command is used to query the DNS name servers to
retrieve information about target host addresses, name servers, mail exchanges, etc.
9. In the terminal window type dig @[[NameServer]] [[Target Domain]] axfr (in this
example, the name server is ns1.bluehost.com and the target domain
is www.certifiedhacker.com); press Enter.
In this command, axfr retrieves zone information.
10. The result appears, displaying that the server is available, but that the Transfer
failed., as shown in the screenshot.
After retrieving DNS name server information, the attacker can use one of the servers to
test whether the target DNS allows zone transfers or not. In this case, zone transfers are
not allowed for the target domain; this is why the command resulted in the message:
 Transfer failed. A penetration tester should attempt DNS zone transfers on different
domains of the target organization.
11. We now move on to DNS enumeration of Windows DNS servers.

12. Click Windows 10 to switch to the Windows 10 machine.

13. Click Start at the bottom of Desktop, click Type here to search, and type cmd;
click Command Prompt.
14. The Command Prompt window appears; type nslookup, and press Enter.

15. In the nslookup interactive mode, type set querytype=soa, and press Enter.

16. Type the target domain certifiedhacker.com and press Enter. This resolves the

target domain information.
set querytype=soa sets the query type to SOA (Start of Authority) record to retrieve
administrative information about the DNS zone of the target
domain certifiedhacker.com.
17. The result appears, displaying information about the target domain such as
the primary name server and responsible mail addr, as shown in the screenshot.
18. In the nslookup interactive mode, type ls -d [Name Server] (in this example, the
name is ns1.bluehost.com) and press Enter, as shown in the screenshot.
In this command, ls -d requests a zone transfer of the specified name server.
19. The result appears, displaying that the DNS server refused the zone transfer, as
shown in the screenshot.
 After retrieving DNS name server information, the attacker can use one of the servers to
test whether the target DNS allows zone transfers or not. In this case, the zone transfer
was refused for the target domain. A penetration tester should attempt DNS zone
transfers on different domains of the target organization.
20. This concludes the demonstration of performing DNS zone transfer using dig and
nslookup commands.

21. Close all open windows and document all the acquired information.

Task 2: Perform DNS Enumeration using DNSSEC Zone Walking

DNSSEC zone walking is a DNS enumeration technique that is used to obtain the internal records of
the target DNS server if the DNS zone is not properly configured. The enumerated zone information
can assist you in building a host network map.
There are various DNSSEC zone walking tools that can be used to enumerate the target domain’s
DNS record files.
Here, we will use the DNSRecon tool to perform DNS enumeration through DNSSEC zone walking.

1. Click Parrot Security to switch to the Parrot Security machine, click the MATE

Terminal icon at the top-left corner of Desktop to open a Terminal window.
2. In the terminal window, type sudo su and press Enter to run the programs as a
root user.

3. In the [sudo] password for attacker field, type toor as a password and

press Enter.
The password that you type will not be visible.
4. Now, type cd and press Enter to jump to the root directory.
5. A Parrot Terminal window appears. Type dnsrecon -h and press Enter to view all
the available options in the DNSRecon tool.
6. Type dnsrecon -d [Target domain] -z (in this example, the target domain
is www.certifiedhacker.com); press Enter.
In this command, -d specifies the target domain and -z specifies that the DNSSEC zone
walk be performed with standard enumeration.
7. The result appears, displaying the enumerated DNS records for the target domain.
In this case, DNS record file A is enumerated, as shown in the screenshot.
 Using the DNSRecon tool, the attacker can enumerate general DNS records for a given
domain (MX, SOA, NS, A, AAAA, SPF, and TXT). These DNS records contain digital
signatures based on public-key cryptography to strengthen authentication in DNS.
8. This concludes the demonstration of performing DNS Enumeration using DNSSEC
zone walking.

9. You can also use other DNS enumeration tools such

as LDNS (https://www.nlnetlabs.nl), nsec3map (https://github.com), nsec3walker (https
://dnscurve.org), and DNSwalk (https://github.com) to perform DNS enumeration on
the target domain.

10. Close all open windows and document all the acquired information.