Advanced Pentest & Offensive
Service enumeration — banner grabbing, versions, exposed configurations
After identifying open ports, enumeration extracts specific information from each service. Exact version plus exposed configuration leads directly to CVE research.
Banner Grabbing — quick identification
# netcat — manual connection to service
nc 192.168.1.10 22
nc 192.168.1.10 80
# Example SSH response:
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10
# Example HTTP response:
GET / HTTP/1.0 # type the request line, then an empty line to end the request
HTTP/1.1 200 OK
Server: Apache/2.4.49 (Ubuntu)
X-Powered-By: PHP/7.4.3
# curl — full HTTP headers
curl -I http://192.168.1.10
curl -v http://192.168.1.10 2>&1 | grep -E "^[<>]"
# telnet for plaintext services
telnet 192.168.1.10 25 # SMTP
telnet 192.168.1.10 21 # FTP
HTTP — web enumeration
# Directories and hidden files
gobuster dir -u http://192.168.1.10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
feroxbuster -u http://192.168.1.10 -w /usr/share/wordlists/dirb/common.txt
# Technologies in use
whatweb http://192.168.1.10
wappalyzer (browser extension)
# Subdomain discovery via vhost fuzzing
gobuster vhost -u http://example.com -w subdomains.txt
# Common files to check:
/robots.txt
/sitemap.xml
/.well-known/security.txt
/admin, /phpmyadmin, /wp-admin
/.git/HEAD (exposed git repository)
/backup.zip, /dump.sql
SMB (port 445) — Windows/Samba enumeration
# List shares without authentication (null session)
smbclient -L //192.168.1.10 -N
smbmap -H 192.168.1.10
# Enum4linux — full SMB/RPC enumeration
enum4linux -a 192.168.1.10
# Users, groups, password policies, shares
Expected output:
[+] Got OS info for 192.168.1.10 from smbclient:
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.7.6]
[+] users: administrator, john.smith, service_account
[+] Share: IPC$, ADMIN$, Backups (READ)
SMTP (port 25) — user enumeration
# VRFY — check if user exists
telnet 192.168.1.10 25
VRFY root
252 2.0.0 root
VRFY nobody
550 5.1.1 <nobody>: Recipient address rejected
# EXPN — expand distribution list
EXPN webmaster
# Automation
smtp-user-enum -M VRFY -U users.txt -t 192.168.1.10
SNMP (port 161 UDP) — configuration dump
# Default community string "public"
snmpwalk -c public -v1 192.168.1.10
snmpwalk -c public -v2c 192.168.1.10 .1.3.6.1.2.1.1
# Useful OIDs:
.1.3.6.1.2.1.1.1.0 → system description
.1.3.6.1.2.1.1.5.0 → hostname
.1.3.6.1.4.1.77.1.2.25 → Windows user accounts
.1.3.6.1.2.1.6.13.1.3 → open TCP ports
# onesixtyone — community string brute force
onesixtyone -c community.txt 192.168.1.10
FTP (port 21) — anonymous login and files
# Test anonymous login
ftp 192.168.1.10
Username: anonymous
Password: <any email>
# Via nmap script
nmap --script ftp-anon 192.168.1.10
# If anonymous login works:
ls -la # list files
get file # download
put file # attempt upload (serious misconfiguration)
SSH (port 22) — version and authentication
# Supported authentication methods
nmap --script ssh-auth-methods 192.168.1.10
# Version and algorithms
nmap --script ssh2-enum-algos 192.168.1.10
Output:
ssh-auth-methods: publickey, password, keyboard-interactive
Version: OpenSSH 7.2p2 → vulnerable to user enumeration (CVE-2016-6210)
Databases — exposure check
# MySQL accessible externally?
nmap -sV -p 3306 --script mysql-info 192.168.1.10
# PostgreSQL
nmap -p 5432 --script pgsql-brute 192.168.1.10
# Redis without authentication (port 6379)
redis-cli -h 192.168.1.10 ping
redis-cli -h 192.168.1.10 info server
# MongoDB without auth (port 27017)
mongosh 192.168.1.10
show dbs
Every enumerated service must be recorded with: exact version, identified configuration, CVEs researched, and planned next action.
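An added example, not code from the original page, that turns the banner and header samples shown above into the structured record this closing rule asks for, and compares an identified version against a threshold (OpenSSH 7.2p2 against 7.3, the page's CVE-2016-6210 case). The hosts and samples are taken from the page; the class and function names are this example's own.

```python
import re
from dataclasses import dataclass, field

@dataclass
class ServiceRecord:  # one row of the enumeration log
    host: str
    port: int
    service: str
    product: str = ""
    version: str = ""
    extra: dict = field(default_factory=dict)

# SSH identification string: "SSH-<proto>-<software>[ <comment>]" (RFC 4253, section 4.2)
SSH_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<product>[A-Za-z]+)[_-]?(?P<version>\S+)"
                    r"(?:\s+(?P<comment>.*))?$")
# "Product/version (os)" as seen in Server: and X-Powered-By: headers
PRODUCT_RE = re.compile(r"^(?P<product>[\w-]+)/(?P<version>[\w.]+)(?:\s+\((?P<os>[^)]*)\))?")

def parse_ssh_banner(host: str, port: int, banner: str) -> ServiceRecord:
    rec = ServiceRecord(host, port, "ssh")
    m = SSH_RE.match(banner.strip())
    if m:  # unparseable banners are still recorded, just without product/version
        rec.product, rec.version = m["product"], m["version"]
        rec.extra = {"proto": m["proto"], "comment": m["comment"]}
    return rec

def parse_http_headers(host: str, port: int, raw: str) -> ServiceRecord:
    rec = ServiceRecord(host, port, "http")
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:  # skips the status line and blank lines
            headers[name.strip().lower()] = value.strip()
    m = PRODUCT_RE.match(headers.get("server", ""))
    if m:
        rec.product, rec.version, rec.extra["os"] = m["product"], m["version"], m["os"]
    if "x-powered-by" in headers:
        rec.extra["powered_by"] = headers["x-powered-by"]
    return rec

def version_key(version: str) -> tuple:
    # '7.2p2' -> ((0,7),(0,2),(1,'p'),(0,2)); numbers compare numerically, letters sort after them
    tokens = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(t)) if t.isdigit() else (1, t.lower()) for t in tokens)

def is_older_than(version: str, threshold: str) -> bool:
    return version_key(version) < version_key(threshold)  # e.g. OpenSSH 7.2p2 < 7.3

# Constructed samples, copied from the example responses shown on this page.
SSH_SAMPLE = "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10"
HTTP_SAMPLE = "HTTP/1.1 200 OK\nServer: Apache/2.4.49 (Ubuntu)\nX-Powered-By: PHP/7.4.3\n"
```

The version ordering is deliberately simple: pre-release tags such as rc1 are not special-cased, so confirm such cases by hand before recording a CVE match.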