Scanning & Enumeration
Mastering nmap, service/version detection, and enumerating SMB, web, and other services for a foothold.
Recon told you what exists. Scanning tells you what's running on it. Enumeration goes one step deeper: not just "port 445 is open" but "SMB is running, the hostname is DC01, anonymous login is allowed, and here are the available shares." The gap between a scan result and a foothold is almost always filled by thorough enumeration.
Scanning and Enumeration Require Authorization
Port scanning, service fingerprinting, and protocol enumeration are active techniques that generate network traffic and create log entries on target systems. They are only legal within an authorized penetration test or on systems you own. Scanning systems without permission violates the Computer Fraud and Abuse Act (CFAA), Computer Misuse Act, and equivalent laws worldwide. Use these techniques only in authorized lab environments or engagements.
The Purpose of This Phase
After recon, you have a list of IP addresses and hostnames. Scanning transforms that list into a detailed service map:
- Which hosts are alive?
- What ports are open on each?
- What services are listening on those ports?
- What versions are those services running?
- Are there default scripts that reveal misconfigurations?
The output of this phase is a prioritized list of potential attack vectors heading into exploitation.
nmap: The Scanner's Swiss Army Knife
Nmap (Network Mapper) is the foundational tool for network scanning. It has been the industry standard for over 20 years because it is fast, flexible, accurate, and extensible through a scripting engine.
Host Discovery
Before scanning ports, determine which hosts are alive. Scanning 65,535 ports against dead hosts wastes time.
ICMP Is Often Blocked
Many production networks block ICMP echo (ping) as a basic hardening measure. A ping sweep returning no results doesn't mean no hosts are alive - it may mean ICMP is filtered. Use -PS (TCP SYN to port 443), -PA (TCP ACK), or -PU (UDP) as alternatives. The -Pn flag skips discovery entirely and scans anyway.
SYN Scan (-sS): The Default and Why
The SYN scan is nmap's default when run as root and the most common scan type for good reason.
How SYN scan works: nmap sends a TCP SYN packet. If the port is open, the target replies SYN-ACK - nmap immediately sends RST instead of completing the handshake. The connection is never fully established, so many older application logs won't record it. If the port is closed, the target replies RST-ACK. If filtered, there's no reply (firewall drops the packet).
Without root privileges, nmap falls back to a connect scan (-sT), which completes the full TCP handshake - noisier, but works without raw socket access.
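The flip side for defenders, as an added example that is not part of the lesson: an unfinished handshake rarely reaches application logs, but it is still visible at the network layer. This Python snippet applies the SYN/SYN-ACK/RST sequence described above to constructed connection records and flags sources that half-open many distinct ports on one host (the record format and threshold are assumptions, not a real sensor's output).

```python
from collections import defaultdict

# Constructed connection summaries (not captured traffic): (src, dst, dport, flags).
# flags lists the TCP flags seen in order: S=SYN, SA=SYN/ACK, A=ACK, R=RST, RA=RST/ACK.
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.168.1.10", 22, ["S", "SA", "R"]),     # open port, half-open probe
    ("10.0.0.5", "192.168.1.10", 80, ["S", "SA", "R"]),
    ("10.0.0.5", "192.168.1.10", 443, ["S", "RA"]),         # closed port: RST/ACK
    ("10.0.0.5", "192.168.1.10", 445, ["S", "SA", "R"]),
    ("10.0.0.5", "192.168.1.10", 3389, ["S"]),              # filtered: no reply at all
    ("10.0.0.5", "192.168.1.10", 8080, ["S", "RA"]),
    ("10.0.0.9", "192.168.1.10", 443, ["S", "SA", "A", "PA", "FA"]),  # normal client session
    ("10.0.0.9", "192.168.1.10", 80, ["S", "SA", "A", "PA", "FA"]),
]

def is_half_open(flags):
    """True when the client never sent the final ACK, i.e. the handshake was not completed.
    Covers SYN->SYN/ACK->RST (open), SYN->RST/ACK (closed) and SYN with no reply (filtered)."""
    return "A" not in flags

def probe_counts(flows):
    """Distinct target ports per (src, dst) that were probed but never completed a handshake."""
    probed = defaultdict(set)
    for src, dst, dport, flags in flows:
        if is_half_open(flags):
            probed[(src, dst)].add(dport)
    return {key: len(ports) for key, ports in probed.items()}

def detect_syn_scanners(flows, min_ports=5):
    """Return sources that half-opened at least min_ports distinct ports on a single host.
    min_ports is a constructed tuning value; a slow scanner can stay under any fixed threshold."""
    return sorted(src for (src, _dst), n in probe_counts(flows).items() if n >= min_ports)
```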
Service and Version Detection (-sV)
Port states tell you which ports are open; version detection tells you what is actually listening on them.
Now you know specific versions: OpenSSH 7.9p1, Apache 2.4.38, Samba 4.9.5. This is what you feed into vulnerability research. CVEs are tied to specific version ranges.
Default Scripts (-sC)
Nmap's Scripting Engine (NSE) ships with hundreds of scripts. -sC runs the "default" category - a curated set that gathers information without being intrusive.
Notice "Message signing enabled but not required" - this is a misconfiguration that enables NTLM relay attacks. Script output like this is your bridge from "port is open" to "here's a specific vulnerability class."
Full Port Scan (-p-)
The default nmap scan covers only the top 1,000 most common ports. Services running on non-standard ports will be missed. A full scan covers all 65,535 ports.
Port 27017 (MongoDB) on a host that otherwise looks ordinary? That's a significant finding. Many data breaches have come from internet-exposed MongoDB instances with no authentication.
The Complete Workflow: Combining Flags
In practice you chain these together:
The -oN flag saves output to a file. Always save output - you'll reference it throughout the engagement. nmap also supports -oX (XML), -oG (grepable), and -oA (all formats simultaneously).
Useful nmap Flags Reference
| Flag | Purpose |
|---|---|
| -sS | SYN scan (stealth, requires root) |
| -sV | Service and version detection |
| -sC | Default NSE scripts |
| -p- | All 65,535 ports |
| -p 80,443,8080 | Specific ports |
| -T4 | Aggressive timing (faster) |
| --min-rate 5000 | Minimum packet rate (fast full scans) |
| -Pn | Skip host discovery (assume host is up) |
| -O | OS detection |
| --script vuln | Run vulnerability-category NSE scripts |
| -oA output | Save all output formats |
| -v / -vv | Verbose output |
SMB Enumeration
SMB (Server Message Block) on ports 445 and 139 is a favorite target. It exposes file shares, leaks usernames, reveals the Windows domain, and historically has had devastating vulnerabilities (EternalBlue/MS17-010, PrintNightmare, etc.).
enum4linux
enum4linux is a wrapper around several Samba tools that automates SMB enumeration against Windows and Samba targets.
Key findings from this output:
- RID cycling found actual usernames (alice, bob, Administrator)
- The "Shared" share is readable and writable without authentication - a critical misconfiguration
smbclient: Browsing Shares
Once you've identified accessible shares, smbclient lets you connect and browse like an FTP client.
credentials.txt on a world-readable share is an obvious finding. In practice, sensitive data on accessible shares might be less obviously named - look for configuration files, database dumps, backup archives, scripts.
Download Only What You Need
When you find sensitive files on a share, download only what is necessary to document the finding. Do not bulk-download gigabytes of data. If you encounter regulated data (health records, financial data, PII), stop, document the location, and report without downloading - you don't need the data itself to prove the exposure exists.
Web Service Enumeration
Web applications are often the primary attack surface. After nmap confirms HTTP/HTTPS is running, enumeration goes deeper.
Directory and File Discovery
/admin with a 301 redirect and /login.php are your entry points for the exploitation phase. /backup returning 403 (Forbidden) tells you it exists but access is restricted - sometimes these restrictions are bypassable.
Nikto: Web Vulnerability Scanner
Nikto found phpMyAdmin - a database management interface often left accessible with default or weak credentials.
Other Service Enumeration
FTP (Port 21)
Anonymous FTP login is a finding. Even if the content is benign, the misconfiguration matters.
SNMP (Port 161 UDP)
SNMP with the default public community string is a misconfiguration. The full MIB walk can expose running processes, network interfaces, installed software, and routing tables.
Hands-on Lab
Service Enumeration to Foothold
Put this lesson into practice: spin up the lab environment and work from a raw nmap scan through SMB enumeration, web directory discovery, and service analysis to identify a credible exploitation path. You'll chain multiple tools together - nmap, enum4linux, smbclient, gobuster - and document your findings in a structured format as you'd do in a real engagement. The lab ends when you can articulate exactly which service, version, and misconfiguration you would exploit next.
Building the Findings Log
Scanning and enumeration produce a lot of output. Organize it as you go:
# findings.md structure (update in real time during the engagement)
## 192.168.1.10 (workstation01.example-target.com)
### Open Ports
22 (SSH/OpenSSH 7.9p1), 80 (HTTP/Apache 2.4.38), 445 (SMB/Samba 4.9.5)
8080 (HTTP - Tomcat 9.0.30), 27017 (MongoDB 4.2 - unauthenticated)
### Critical Findings
- [CRITICAL] MongoDB on 27017 accessible without authentication
- [HIGH] SMB share "Shared" accessible without credentials, writable
- [HIGH] /phpmyadmin/ exposed, default credentials not yet tested
### Usernames Discovered
alice, bob, Administrator (via enum4linux RID cycling)
### Next Steps
- Test MongoDB access directly (mongo 192.168.1.10)
- Test phpMyAdmin with common credential pairs
- Enumerate /admin directory on port 80
This log becomes your notes for the exploitation phase and eventually feeds into the report.
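Because -oX output is machine-readable, the findings log above can be seeded from the scan itself. As an added example (not part of the lesson), this Python script parses nmap's XML layout and renders the findings.md skeleton; the XML is a constructed sample whose values mirror the log above, and the smb2-security-mode line reproduces the -sC output quoted earlier.

```python
import xml.etree.ElementTree as ET

# Constructed sample in nmap -oX layout (not real scan output); values mirror this page's findings.md.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sC -sV -p- -oX scan.xml 192.168.1.10">
<host><status state="up" reason="syn-ack"/>
  <address addr="192.168.1.10" addrtype="ipv4"/>
  <hostnames><hostname name="workstation01.example-target.com" type="PTR"/></hostnames>
  <ports>
    <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
      <service name="ssh" product="OpenSSH" version="7.9p1"/></port>
    <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
      <service name="http" product="Apache httpd" version="2.4.38"/></port>
    <port protocol="tcp" portid="139"><state state="filtered" reason="no-response"/></port>
    <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
      <service name="netbios-ssn" product="Samba smbd" version="4.9.5"/></port>
    <port protocol="tcp" portid="27017"><state state="open" reason="syn-ack"/>
      <service name="mongodb" product="MongoDB" version="4.2"/></port>
  </ports>
  <hostscript><script id="smb2-security-mode" output="Message signing enabled but not required"/></hostscript>
</host></nmaprun>"""

def parse_nmap_xml(xml_text):
    """One dict per live host with its open ports and NSE script output (closed/filtered ports dropped)."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        if h.find("status").get("state") != "up":
            continue
        hn = h.find("hostnames/hostname")
        ports = []
        for p in h.iter("port"):
            if p.find("state").get("state") != "open":
                continue
            svc = p.find("service")  # absent when -sV could not identify the service
            svc = svc.attrib if svc is not None else {}
            ports.append((int(p.get("portid")), svc.get("name", "unknown"),
                          svc.get("product", ""), svc.get("version", "")))
        hosts.append({"addr": h.find("address").get("addr"),
                      "hostname": hn.get("name") if hn is not None else "",
                      "ports": sorted(ports),
                      "scripts": {s.get("id"): s.get("output", "") for s in h.iter("script")}})
    return hosts

def render_findings(hosts):
    """Emit the findings.md skeleton used on this page, one section per live host."""
    out = []
    for h in hosts:
        out += [f"## {h['addr']} ({h['hostname']})", "### Open Ports",
                ", ".join(f"{p} ({n}/{(pr + ' ' + v).strip()})" for p, n, pr, v in h["ports"]),
                "### Script Output"] + [f"- {k}: {v}" for k, v in h["scripts"].items()]
    return "\n".join(out)
```

The Critical Findings and Next Steps sections still have to be written by hand; the script only gives you the evidence lines to reason from.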
Key Takeaways
- nmap's core workflow: fast full-port scan first (-p- --min-rate 5000), then deep scan on discovered ports (-sC -sV).
- -sS (SYN scan) is the default for good reason: faster and stealthier than a full connect scan.
- -sC runs default NSE scripts that often surface misconfigurations directly (unsigned SMB, anonymous FTP, weak banners).
- SMB enumeration with enum4linux and smbclient can reveal usernames, domain info, and accessible file shares - all without exploiting anything.
- Web enumeration with gobuster and nikto identifies hidden directories, exposed admin panels, and outdated software.
- Document everything in real time. Version numbers, service names, misconfiguration details - these are your evidence for the report and your roadmap into exploitation.