Carnivore - Predator
Formerly known as THC HackSuite, Carnivore - Predator stands at the forefront of cutting-edge cybersecurity tools, redefining the landscape of penetration testing with unparalleled innovation. Designed to empower ethical hackers, security professionals, and enthusiasts alike, Carnivore - Predator is the ultimate Pentest CMS that puts you in command.
current version: 0.7.0 - PREDATOR
This article explains how to effectively make use of Enumerate.
author: Remco Kouw
created: 11-May-2024
updated: 11-May-2024

Enumerate Introduction

In this documentation we will go through the functionality of the thc_en module.

Enumerate is a tool that tries to find valid user accounts on services such as ftp and smtp.

Interface Parameters:

  1. type: currently only ftp and smtp enumeration is supported
  2. port: tcp port the service is listening on
  3. host: target host to enumerate
  4. wordlist: select a username list from the Wordlists folder in the root folder of Carnivore or enter usernames manually

ModGlue Variables:

  1. $_CONTEXT['thc_en']['enumerate_results_file']: (string) absolute path to the enumeration results file in the module's root folder
  2. $_CONTEXT['thc_en']['enumerate_users']: (array) users to enumerate
  3. $_CONTEXT['thc_en']['existing_files']: (array) all files in the Wordlists folder
  4. $_CONTEXT['thc_en']['wordlist']: (string) wordlist selected for enumeration attack
  5. $_CONTEXT['thc_en']['users']: (array) filtered user list
  6. $_CONTEXT['thc_en']['userscount']: (int) number of users to enumerate
  7. $_CONTEXT['thc_en']['port']: (int) tcp port the service listens on for incoming connections
  8. $_CONTEXT['thc_en']['template']: (string) template to write to results file - only applies to Remove File case
  9. $_CONTEXT['thc_en']['enumerate_results']: (array) all results from previously enumerated accounts - only applies to Remove File and View File cases
  10. $_CONTEXT['thc_en']['enumerate_results_count']: (int) number of results from previously enumerated accounts - only applies to Remove File case
  11. $_CONTEXT['thc_en']['update']: (boolean) status holder to see whether the results will be updated or not, true if it is, false if not - only applies to Remove File case
  12. $_CONTEXT['thc_en']['record_number']: (int) counts the number of currently enumerated accounts - only applies to Remove File case
  13. $_CONTEXT['thc_en']['valid_file']: (string) validates whether the result file exists - only applies to View File case
  14. $_CONTEXT['thc_en']['enumerate_file']: (string) absolute path to the results file in the results folder in the module's root folder - only applies to View File case
  15. $_CONTEXT['thc_en']['enumerated_accounts']: (string) all users separated by comma - only applies to View File case
  16. $_CONTEXT['thc_en']['enumerate_properties']['users']: (string) users enumerated - only applies to View File case
  17. $_CONTEXT['thc_en']['enumerate_properties']['protocol']: (string) enumeration protocol used during this session - only applies to View File case
  18. $_CONTEXT['thc_en']['enumerate_properties']['host']: (string) host where the enumeration took place - only applies to View File case
  19. $_CONTEXT['thc_en']['enumerate_properties']['time']: (int) timestamp when the session was done - only applies to View File case
  20. $_CONTEXT['thc_en']['valid']: (array) all successfully enumerated users
  21. $_CONTEXT['thc_en']['templatenew']: (string) enumeration session file data
  22. $_CONTEXT['thc_en']['newfile']: (string) new filename for the enumeration results template data created during current session
  23. $_CONTEXT['thc_en']['newfilepath']: (string) absolute path to the new template file, which will be stored in the results folder located in the module's root folder

There may be other variables available, depending on which enumeration type was selected.

ftp.php

  1. $_CONTEXT['thc_en']['ftp_connection']: (resource) socket connection to ftp port
  2. $_CONTEXT['thc_en']['ftp_response']: (string) data read from socket
  3. $_CONTEXT['thc_en']['fake_user']: (string) username we know doesn't exist, this is to verify how the server responds
  4. $_CONTEXT['thc_en']['ftp_command_test']: (string) command that asks the ftp server whether the fake user exists
  5. $_CONTEXT['thc_en']['ftp_response_code']: (int) if the fake user is accepted (331) we can't rely on server responses and enumeration is impossible
  6. $_CONTEXT['thc_en']['userscount']: (int) number of users to test
  7. $_CONTEXT['thc_en']['ftp_response_code']: (int) if the first three characters of the response are 331, the user exists
  8. $_CONTEXT['thc_en']['valid']: (array) all users that were successfully verified

smtp.php

  1. $_CONTEXT['thc_en']['smtp_commands']['RCPT_TO']: (array) test command 1 and correct response
  2. $_CONTEXT['thc_en']['smtp_commands']['EXPN']: (array) test command 2 and correct response
  3. $_CONTEXT['thc_en']['smtp_commands']['VRFY']: (array) test command 3 and correct response
  4. $_CONTEXT['thc_en']['connection']: (resource) socket connection to smtp port
  5. $_CONTEXT['thc_en']['response']: (string) data read from socket
  6. $_CONTEXT['thc_en']['responsecode']: (int) response code, 2xx responses are what we are looking for
  7. $_CONTEXT['thc_en']['validcommand']: (string) RCPT_TO, VRFY, or EXPN can be valid
  8. $_CONTEXT['thc_en']['responsestart']: (int) first character of the response code, we are looking for 2 in order to determine whether the command is implemented and successful
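
The reply codes listed for ftp.php and smtp.php are also what a defender sees in server logs. The following is an added example, not part of Carnivore: it scans a constructed command log for clients that test many account names without logging in, and reports whether the server's replies differ per name. The log format, the function name find_enumeration and the min_names threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log, format assumed: "<client> <proto> <command> -> <reply code>"
SAMPLE_LOG = """\
203.0.113.7 ftp USER zz9nonexistent -> 530
203.0.113.7 ftp USER admin -> 331
203.0.113.7 ftp USER backup -> 530
203.0.113.7 ftp USER www -> 530
198.51.100.4 ftp USER alice -> 331
198.51.100.4 ftp PASS ******** -> 230
192.0.2.9 smtp VRFY root -> 252
192.0.2.9 smtp VRFY admin -> 550
192.0.2.9 smtp EXPN staff -> 550
192.0.2.9 smtp RCPT TO:<bob@example.test> -> 550
192.0.2.9 smtp RCPT TO:<carol@example.test> -> 250
198.51.100.4 smtp RCPT TO:<dave@example.test> -> 250
"""

LINE = re.compile(
    r"^(\S+) (ftp|smtp) (USER|PASS|VRFY|EXPN|RCPT TO:) ?(\S+) -> (\d{3})$")

def find_enumeration(log_text, min_names=3):
    """Flag clients that test many account names without ever logging in."""
    probes = defaultdict(dict)  # (client, proto) -> {name: accepted?}
    logins = defaultdict(int)   # (client, proto) -> number of PASS commands
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not one of the commands used for account probing
        client, proto, cmd, arg, code = m.groups()
        if cmd == "PASS":
            logins[(client, proto)] += 1
            continue
        # FTP: 331 means the name was accepted; SMTP: any 2xx reply.
        accepted = (code == "331") if proto == "ftp" else code.startswith("2")
        probes[(client, proto)][arg.strip("<>").lower()] = accepted
    findings = []
    for (client, proto), names in sorted(probes.items()):
        # min_names is an assumed threshold; busy mail relays need a higher one.
        if len(names) < min_names or logins[(client, proto)] > 0:
            continue
        findings.append({
            "client": client, "protocol": proto, "names_probed": len(names),
            # Mixed accept/reject replies mean the server reveals which names exist.
            "server_leaks": len(set(names.values())) == 2,
        })
    return findings
```

A server that answers every USER with 331, or every VRFY with the same code, yields server_leaks False, which is the condition under which the fake-user test above makes enumeration impossible.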

Resource Settings:

  • time limit: php default
  • memory limit: php default

Dependencies:

Sockets

Expanding Enumerate:

You can expand Enumerate's functionality by writing enumeration scripts for different kinds of services. The easiest way is to edit one of the existing scripts in the protocols folder, which you can find in the module's root folder. Make sure to include buffer flush commands and a socket connection setup.

Known Issues:

N/A

Created by Remco Kouw: 2008-2024