Looking for a foothold? This is where you’ll want to start.

Network Enumeration

ARP

arp-scan

DNS

# Reverse lookup brute force: resolve every address in the /24 and keep only the hits
for ip in {1..255}; do host 192.168.1.$ip; done | grep -v "not found"
# Same sweep, but query a specific DNS server ($DNSIP holds the resolver's address)
for ip in {1..255}; do nslookup 192.168.1.$ip $DNSIP; done | grep -v "can't"

Host Enumeration

autorecon

Tib3rius’ autorecon project is still my favorite automated host scanner. Always helpful, if only as a reminder of things to check.

Easy to install, easy to use

nmap

For a more manual touch, run nmap directly:

# Light scan: the 100 most common TCP ports, showing only open ones
nmap --top-ports 100 --open 192.168.1.123

# Heavier port scan: the 10000 most common TCP ports
nmap --top-ports 10000 --open 192.168.1.123
# Scan all 65535 TCP ports with a full connect scan; --reason shows why each port got its state
nmap 192.168.1.123 -p- -sT --reason
# Default scripts (-sC) and version detection (-sV) against the ports the scans above found
nmap 192.168.1.123 -p 22,80,... -sC -sV --reason
# UDP scan (slow; expect many "open|filtered" results)
nmap -sU 192.168.1.123
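The two-step flow above (full-port scan, then -sC -sV on whatever turned up) needs the open ports copied into -p by hand. This added example, not from the original page, is a small POSIX shell helper that reads nmap's normal output (what -oN saves) and prints the open ports as the comma-separated list -p expects. The scan report it runs against is a constructed sample, not real output.

```shell
#!/bin/sh
# Added example: extract open ports from nmap normal output on stdin
# and join them with commas for a follow-up "nmap -p <list> -sC -sV".
open_ports() {
    # Port lines look like "22/tcp  open  ssh  syn-ack"; keep state "open",
    # drop the "/tcp" or "/udp" suffix, then join the numbers with commas.
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { split($1, p, "/"); print p[1] }' |
    paste -sd, -
}

# Constructed sample of what "nmap 192.168.1.123 -p- -sT --reason" prints.
# Header, "Not shown", and the filtered port must all be ignored.
SAMPLE_SCAN='Nmap scan report for 192.168.1.123
Host is up, received arp-response (0.00045s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT     STATE    SERVICE    REASON
22/tcp   open     ssh        syn-ack
80/tcp   open     http       syn-ack
443/tcp  open     https      syn-ack
8080/tcp filtered http-proxy no-response'

# Usage with a real scan saved via -oN scan.txt:
#   nmap 192.168.1.123 -p "$(open_ports < scan.txt)" -sC -sV --reason
# Against the constructed sample this prints: 22,80,443
printf '%s\n' "$SAMPLE_SCAN" | open_ports
```

Filtered ports are deliberately left out, since -sC -sV gains nothing from them; add `|| $2 == "open|filtered"` to the awk condition if you also want the ambiguous UDP results carried forward.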

netcat

# Makeshift TCP scan when nmap isn't available: -z sends no data, -w 1 gives each port a one-second timeout
nc -nvv -w 1 -z 192.168.1.123 $PORT_START-$PORT_STOP

Ports & Services

For other ports, check: