

Enumeration attacks: What they are and how to prevent them

User and network enumeration attacks help adversaries plan strong attack campaigns. Prevent them with MFA, rate limiting, CAPTCHA, secure code and more.

Web applications are subject to a variety of attacks, ranging from basic to sophisticated. A common technique for malicious actors is the user or network enumeration attack, in which the attacker submits large numbers of guessed usernames, email addresses or resource names and uses the application's responses to learn which of them are valid. Adversaries use enumeration attacks as reconnaissance to gather information for future attacks.

Let's take a deeper look at how these attacks work and how to prevent them.

What is an enumeration attack?

In an enumeration attack, malicious actors submit many guesses to a web application and use its responses to determine which guesses correspond to real accounts. The guesses are often usernames and credentials exposed in previous breaches or obtained during social engineering scams, tried against other websites and applications where users might have reused the same login information.

While most enumeration attacks focus on testing whether accounts exist and whether credentials are valid, some use leaked or publicly available company IT data to learn more about a network or web server through systematic querying.

If successful, attackers could gain access to customers' and employees' personally identifiable information (PII). Attackers often then sell the PII on the dark web or use it in future attacks, for example, to drain a victim's bank accounts or make charges on their credit cards.

Enumeration attacks against organizations might involve attackers targeting a company's IT data or attempting privilege escalation and lateral movement to steal more data or perform further attacks.

There are two general enumeration attack types, both of which follow the same general attack pattern:

  1. User enumeration. Also known as account enumeration, user enumeration involves submitting lists of candidate usernames or email addresses, taken from a data breach or compiled from common username and password lists, to a login or password reset form. Attackers learn whether an account exists from the server's responses, for example, by checking whether the "Forgot Password" form on a website or app acknowledges the address.
  2. Network enumeration. This type of enumeration attack encompasses a variety of targets, such as directories, web services and systems. The goal of a network enumeration attack is to learn about a company's IT infrastructure. Information collected could include OS and software versions, open ports and existing databases. With this information, attackers can develop a focused attack by targeting known vulnerabilities of software and systems.

How does an enumeration attack work?

Most enumeration attacks target a web application's authentication flows, most often the login or password reset pages. Attackers submit candidate usernames and credentials, observe how the application responds, and repeat until they can tell valid accounts from invalid ones or gain access to one.

When conducting a user enumeration attack on a login page, attackers observe how the web application reacts to each attempt:

  • If the reaction is a "username not found" message, attackers know the username isn't in that particular database.
  • If the reaction is a "password is incorrect" message, attackers know the username exists and that they can continue to brute-force that account.
  • From there, they can use the "Forgot Password" or "Forgot Username" forms to see if the system acknowledges sending a reset link to a specific email address.
  • The message text is only the most obvious signal. A different HTTP status code, redirect, page length or response time for existing versus non-existing accounts, for example, because the server computes its slow password hash only for accounts it knows, gives the attacker the same answer even when the wording is generic.

A network enumeration attack involves malicious actors querying a system, such as a web server, for resources they guess might exist. Attackers send requests for a list of common directory and file names and review the HTTP response code for each. A 404, for example, indicates the path doesn't exist, while a 401 or 403 tells attackers the path exists but is access-controlled. Repeated across many names, and combined with version strings in headers and error pages, this lets malicious actors build a rough map of the victim's IT infrastructure and its potential vulnerabilities.
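The following Python is an added example, not code from the original article, showing how an attacker turns the response differences described above into a verdict per username or path. Every response it processes is constructed inline (no real site was probed); the 50 ms timing threshold and the canary path used as a "not found" baseline are assumptions.

```python
"""Response-oracle classifier for user and directory enumeration.

Added example; not code from the original article. Every response below is
constructed for illustration (no real site was probed), and the timing
threshold and canary path are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Phrases that give the game away on a leaky login form.
ABSENT_PHRASES = ("not found", "no such user", "does not exist", "unknown user")
EXISTS_PHRASES = ("password is incorrect", "incorrect password", "wrong password")
TIMING_ORACLE_MS = 50.0                  # assumed: a gap this large implies a hash was (not) run
CANARY_PATH = "/zq8v3-does-not-exist/"   # assumed random path used as the 'not found' baseline


@dataclass(frozen=True)
class Response:
    status: int
    body: str
    elapsed_ms: float = 0.0   # round-trip time measured by the client


def classify_accounts(responses: Dict[str, Response]) -> Dict[str, str]:
    """Label each probed username 'exists', 'absent' or 'unknown'.

    First oracle: the error text. Second, for names the text did not settle:
    response time. A server that runs its slow password hash only for real
    accounts answers quickly for unknown names, so a large timing gap leaks
    existence even when message and status code are identical.
    """
    verdicts: Dict[str, str] = {}
    for user, r in responses.items():
        body = r.body.lower()
        if any(p in body for p in ABSENT_PHRASES):
            verdicts[user] = "absent"
        elif any(p in body for p in EXISTS_PHRASES):
            verdicts[user] = "exists"
        else:
            verdicts[user] = "unknown"

    undecided = [u for u, v in verdicts.items() if v == "unknown"]
    if len(undecided) >= 2:
        fastest = min(responses[u].elapsed_ms for u in undecided)
        slowest = max(responses[u].elapsed_ms for u in undecided)
        if slowest - fastest >= TIMING_ORACLE_MS:
            for u in undecided:
                slow = responses[u].elapsed_ms - fastest >= TIMING_ORACLE_MS
                verdicts[u] = "exists" if slow else "absent"
    return verdicts


def classify_paths(probes: Dict[str, Response]) -> Dict[str, str]:
    """Interpret directory probes as the article describes: 404 means absent,
    401/403 means present but access-controlled, other 2xx/3xx means present.

    A site that answers 200 for every path ('soft 404') defeats the status rule,
    so a 200 whose body is the same length as the canary's is treated as absent.
    """
    canary: Optional[Response] = probes.get(CANARY_PATH)
    soft_404_len = len(canary.body) if canary and canary.status == 200 else None
    verdicts: Dict[str, str] = {}
    for path, r in probes.items():
        if path == CANARY_PATH:
            continue
        soft_404 = soft_404_len is not None and r.status == 200 and len(r.body) == soft_404_len
        if r.status == 404 or soft_404:
            verdicts[path] = "absent"
        elif r.status in (401, 403):
            verdicts[path] = "exists (access-controlled)"
        elif 200 <= r.status < 400:
            verdicts[path] = "exists"
        else:
            verdicts[path] = "unknown"
    return verdicts


# Constructed probe sets. "alice" is the only real account in each login set.
LEAKY_LOGIN = {
    "alice":   Response(401, "Password is incorrect", 210.0),
    "mallory": Response(401, "Username not found", 3.0),
    "zed":     Response(401, "Username not found", 2.0),
}
TIMING_ONLY_LOGIN = {          # generic message, but no hash run for unknown users
    "alice":   Response(401, "Invalid username or password", 210.0),
    "mallory": Response(401, "Invalid username or password", 3.0),
    "zed":     Response(401, "Invalid username or password", 2.0),
}
HARDENED_LOGIN = {             # generic message and a dummy hash for unknown users
    "alice":   Response(401, "Invalid username or password", 205.0),
    "mallory": Response(401, "Invalid username or password", 198.0),
    "zed":     Response(401, "Invalid username or password", 212.0),
}
DIRECTORY_PROBES = {
    "/admin/":    Response(401, "Unauthorized"),
    "/backup/":   Response(404, "Not Found"),
    "/.git/HEAD": Response(403, "Forbidden"),
    "/login":     Response(200, "<html>login form</html>"),
    "/old/":      Response(500, "Internal Server Error"),
}
SOFT_404_PROBES = {
    CANARY_PATH: Response(200, "<html>Oops, that page is missing</html>"),
    "/backup/":  Response(200, "<html>Oops, that page is missing</html>"),
    "/admin/":   Response(200, "<html>Admin console</html>"),
}

if __name__ == "__main__":
    for name, probe_set in [("leaky", LEAKY_LOGIN), ("timing-only", TIMING_ONLY_LOGIN),
                            ("hardened", HARDENED_LOGIN)]:
        print(name, classify_accounts(probe_set))
    print(classify_paths(DIRECTORY_PROBES))
    print(classify_paths(SOFT_404_PROBES))
```

The point of the three login sets is that only the third, where the server does equal work for known and unknown names, leaves the attacker with no verdict; a generic message alone (the second set) is not enough. Real tooling also has to average many samples per name, since network jitter can exceed a single hash's cost.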

How to prevent enumeration attacks

While user enumeration can't be prevented entirely, security teams and developers can use the following mitigation best practices:

  1. Use generic wording. A well-built login page returns one message, such as "username and/or password not valid," whether the username, the password or both are wrong. The generic message only helps if everything else is identical too: the same HTTP status code, page layout and response time for existing and non-existing accounts. If the server runs its password hash only for accounts it recognizes, the response time still reveals which usernames exist. Apply the same rule to registration and password reset forms, for example, "If that address is registered, we've sent a link."
  2. Follow authentication best practices. Implement strong password guidelines, store account details securely, use step-up authentication measures and use TLS.
  3. Use a next-generation firewall (NGFW). Beyond static allow/deny rules, NGFWs can apply rate-based and reputation-based policies that throttle or block sources generating abnormal volumes of requests or failed logins. An attacker who spreads attempts across many IP addresses stays under per-source thresholds, however, so this complements rather than replaces application-level controls.
  4. Use a web application firewall. WAFs inspect HTTP traffic from the internet, filter known-malicious requests and can enforce rate limits on login and password reset endpoints specifically.
  5. Use CAPTCHA. CAPTCHA doesn't limit how many times a person can try to log in, but it raises the cost of automating attempts, which slows enumeration tooling and stops simple bots. Challenge after a few failed attempts rather than on every request so legitimate users aren't punished.
  6. Implement MFA. MFA requires an additional credential to log in, so confirming that a username exists, or even guessing its password, is no longer enough to take over the account. MFA doesn't by itself hide whether an account exists; a second-factor prompt that appears only for valid usernames is one more oracle, so present it consistently.
  7. Secure source code. Test the authentication code paths (login, registration, password reset) specifically for information leakage, and keep the web application's code and its dependencies, open source or otherwise, updated and tested through DevSecOps methods before they reach production.
  8. Use rate limiting. Limit the number of login, registration and password reset attempts per client address, per account and overall within a given time frame. The time frame and thresholds can be randomized to frustrate malicious actors attempting brute-force attacks.
  9. Use device fingerprinting. Capture attributes of each device from which a login is attempted and require additional verification for logins from unknown devices.

Screenshot of a failed login attempt with an incorrect password.
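To make the generic-wording, equal-work and rate-limiting items concrete, here is an added example (not the article's code) of a leaky login handler beside a hardened one, in plain Python with no web framework. The user table, the password and the client addresses are constructed; hashlib.scrypt stands in for whatever password hash a real deployment uses; and the rate-limit policy of 5 attempts per 60 seconds, applied per client address and per account, is an assumption.

```python
"""A leaky login handler beside a hardened one.

Added example, not the article's code. The user table, password and client
addresses are constructed; hashlib.scrypt stands in for whatever password hash
a real deployment uses; the rate-limit policy (5 attempts per 60 s, per client
address and per account) is an assumption.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Tuple

GENERIC_ERROR = "Invalid username or password"
THROTTLED = "Too many attempts; try again later"
RESET_MESSAGE = "If that address is registered, a reset link has been sent"
MAX_ATTEMPTS, WINDOW_S = 5, 60.0            # assumed policy
SALT_LEN = 16
SCRYPT = dict(n=2 ** 14, r=8, p=1, maxmem=2 ** 26)


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """salt || scrypt(password): the stored form of a password."""
    salt = salt or os.urandom(SALT_LEN)
    return salt + hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


# Constructed user table: one real account. DUMMY_HASH is computed once so the
# hardened handler can spend identical hashing work on unknown usernames.
USERS: Dict[str, bytes] = {"alice": hash_password("correct horse battery staple")}
DUMMY_HASH = hash_password(os.urandom(16).hex())


def leaky_login(username: str, password: str) -> Tuple[bool, str]:
    """The 'before': distinct messages, and no hash computed for unknown users,
    so both the text and the response time reveal whether an account exists."""
    stored = USERS.get(username)
    if stored is None:
        return False, "Username not found"
    if not verify_password(password, stored):
        return False, "Password is incorrect"
    return True, "Welcome"


class RateLimiter:
    """Sliding-window attempt counter. Every attempt counts, successful or not,
    so enumeration at scale trips the limit regardless of outcome."""

    def __init__(self, max_attempts: int = MAX_ATTEMPTS, window_s: float = WINDOW_S):
        self.max_attempts, self.window_s = max_attempts, window_s
        self._hits: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    def allow(self, key: Tuple[str, str], now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        hits = self._hits[key]
        while hits and now - hits[0] > self.window_s:
            hits.popleft()                     # drop attempts outside the window
        if len(hits) >= self.max_attempts:
            return False
        hits.append(now)
        return True


LIMITER = RateLimiter()


def hardened_login(username: str, password: str, client_ip: str,
                   now: Optional[float] = None) -> Tuple[bool, str]:
    """The 'after': throttle first (per address and per account), then one
    generic message and the same scrypt work whether or not the username
    exists. `now` is injectable so the window can be tested deterministically."""
    if not (LIMITER.allow(("ip", client_ip), now) and LIMITER.allow(("user", username), now)):
        return False, THROTTLED
    stored = USERS.get(username, DUMMY_HASH)   # unknown user still costs one hash
    if verify_password(password, stored) and username in USERS:
        return True, "Welcome"
    return False, GENERIC_ERROR


def hardened_reset_request(email: str) -> str:
    """Password-reset form that answers identically whether or not the address is known."""
    if email in USERS:
        pass   # a real deployment would enqueue the reset e-mail here, off the request path
    return RESET_MESSAGE


if __name__ == "__main__":
    print(leaky_login("nobody", "x"), leaky_login("alice", "x"))
    print(hardened_login("nobody", "x", "203.0.113.5"), hardened_login("alice", "x", "203.0.113.5"))
```

Two details matter more than they look. The dummy hash is what makes the unknown-user path cost the same as the known-user path, closing the timing oracle that a generic message alone leaves open; and the throttled response is the same for real and fake usernames, because a limiter that only counts attempts against existing accounts would itself answer the attacker's question.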

Ravi Das is a technical engineering writer for an IT services provider. He is also a cybersecurity consultant at his private practice, ML Tech, Inc., and has the Certified in Cybersecurity (CC) certification from ISC2.

Informa TechTarget editors revised the article in 2025 to improve the reader experience.
