CSY202 Week 03 - Practice scanning and enumeration before moving to reading resources.

Opening Framing: From Intelligence to Attack Surface

Reconnaissance told you about the organization. Now it's time to discover exactly what's running on their systems. Scanning and enumeration move from passive intelligence gathering to active interaction with target systems.

Port scanning reveals open services. Service enumeration identifies what's running on those ports. Deep enumeration extracts usernames, shares, configurations, and other details that enable exploitation.

This week covers network scanning with Nmap, service enumeration techniques, and how to systematically extract information from discovered services.

Key insight: Every open port is a potential entry point. Thorough enumeration ensures you don't miss opportunities.

1) Network Scanning Fundamentals

Understanding how scanning works:

Port States:

Open:
- Service accepting connections
- Potential attack vector
- Needs enumeration

Closed:
- Port accessible but no service
- Host is reachable
- Firewall allows traffic

Filtered:
- No response received
- Firewall blocking
- Can't determine if open/closed

Unfiltered:
- Port accessible
- Can't determine open/closed
- Seen in ACK scans

TCP Scanning Methods:

TCP Connect Scan (-sT):
- Completes full TCP handshake
- SYN → SYN-ACK → ACK
- Most reliable
- Easily logged
- Slower

TCP SYN Scan (-sS):
- "Stealth" scan
- Sends SYN, waits for SYN-ACK
- Doesn't complete handshake
- Faster, less logged
- Requires root/admin

TCP handshake:
Client          Server
  |--- SYN ----->|
  |<- SYN-ACK ---|
  |--- ACK ----->|
  [Connection established]

SYN scan stops here:
  |--- SYN ----->|
  |<- SYN-ACK ---|
  |--- RST ----->|
  [Connection reset]

Other Scan Types:

UDP Scan (-sU):
- Scans UDP ports
- Much slower than TCP
- Essential for DNS, SNMP, DHCP
- Open ports often don't respond

FIN/NULL/Xmas Scans:
- Send malformed packets
- Attempt to bypass firewalls
- Less reliable on Windows
- -sF, -sN, -sX

ACK Scan (-sA):
- Maps firewall rules
- Doesn't find open ports
- Shows filtered vs unfiltered

Version Detection (-sV):
- Probes open ports
- Identifies services and versions
- Essential for vulnerability assessment

Key insight: Different scan types serve different purposes. SYN scans are fast and stealthy; connect scans are reliable; UDP scans catch services others miss.

2) Mastering Nmap

Nmap is the essential scanning tool:

Basic Syntax:
nmap [scan type] [options] [target]

Target specification:
nmap 192.168.1.1           # Single IP
nmap 192.168.1.1-254       # Range
nmap 192.168.1.0/24        # CIDR notation
nmap target.com            # Hostname
nmap -iL targets.txt       # File input

Common scans:

# Quick scan - top 1000 ports
nmap 192.168.1.1

# Full port scan
nmap -p- 192.168.1.1

# Specific ports
nmap -p 22,80,443,8080 192.168.1.1

# Port range
nmap -p 1-1000 192.168.1.1

# Service version detection
nmap -sV 192.168.1.1

# OS detection
nmap -O 192.168.1.1

# Aggressive scan (OS, versions, scripts, traceroute)
nmap -A 192.168.1.1

Nmap Scripting Engine (NSE):

NSE extends Nmap's functionality:

# Default scripts (safe)
nmap -sC 192.168.1.1

# Specific script
nmap --script=http-title 192.168.1.1

# Script category
nmap --script=vuln 192.168.1.1

# Multiple scripts
nmap --script=http-title,http-headers 192.168.1.1

Script categories:
- auth: Authentication bypass
- broadcast: Network discovery
- brute: Brute force attacks
- default: Safe, useful scripts
- discovery: Service discovery
- exploit: Actual exploits (careful!)
- fuzzer: Fuzzing tests
- intrusive: May crash services
- malware: Malware detection
- safe: Won't harm targets
- version: Version detection
- vuln: Vulnerability checks

# List available scripts
ls /usr/share/nmap/scripts/
nmap --script-help=*http*

Professional Nmap Usage:

# Comprehensive scan workflow:

# 1. Host discovery
nmap -sn 192.168.1.0/24 -oG hosts.txt

# 2. Quick port scan on live hosts
nmap -iL live_hosts.txt -p- --min-rate=1000 -oA quick_scan

# 3. Detailed scan on open ports
nmap -iL live_hosts.txt -p [open_ports] -sV -sC -oA detailed_scan

# Output formats:
-oN normal.txt      # Normal output
-oG grepable.txt    # Grepable format
-oX scan.xml        # XML output
-oA basename        # All formats

# Speed/timing:
-T0  # Paranoid (very slow, IDS evasion)
-T1  # Sneaky
-T2  # Polite
-T3  # Normal (default)
-T4  # Aggressive
-T5  # Insane (fast, may miss ports)

# Useful combinations:
# Stealth scan with version detection
nmap -sS -sV -p- -T4 -oA full_scan target.com

# Vulnerability scan
nmap -sV --script=vuln -oA vuln_scan target.com

Key insight: Nmap is incredibly powerful, but it takes practice to use effectively. Learn the options—they matter.

3) Service Enumeration

Once you find open ports, enumerate the services:

SMB Enumeration (445/139):

# Nmap SMB scripts
nmap -p 445 --script=smb-enum-shares,smb-enum-users 192.168.1.1

# smbclient - list shares
smbclient -L //192.168.1.1 -N

# smbmap - show permissions
smbmap -H 192.168.1.1

# enum4linux - comprehensive SMB enum
enum4linux -a 192.168.1.1

# Access a share
smbclient //192.168.1.1/share_name

Information to extract:
- Share names and permissions
- User accounts
- Password policy
- OS version
- Domain/workgroup

HTTP/HTTPS Enumeration (80/443):

# Nmap HTTP scripts
nmap -p 80,443 --script=http-title,http-headers,http-methods 192.168.1.1

# Directory brute forcing
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt

# More thorough
gobuster dir -u http://target.com -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html

# Feroxbuster (faster, recursive)
feroxbuster -u http://target.com -w /usr/share/seclists/Discovery/Web-Content/common.txt

# Nikto - web vulnerability scanner
nikto -h http://target.com

# Curl for manual inspection
curl -I http://target.com
curl -X OPTIONS http://target.com -v

Things to find:
- Admin panels
- Configuration files
- Backup files (.bak, .old)
- Source code files
- API endpoints
- Hidden directories

FTP Enumeration (21):

# Nmap FTP scripts
nmap -p 21 --script=ftp-anon,ftp-syst 192.168.1.1

# Manual connection
ftp 192.168.1.1

# Anonymous login
Username: anonymous
Password: anonymous@

# Check for:
# - Anonymous access
# - Write permissions
# - Sensitive files
# - FTP version (CVEs)

SSH Enumeration (22):

# Banner grab
nc 192.168.1.1 22

# Nmap scripts
nmap -p 22 --script=ssh-auth-methods,ssh-hostkey 192.168.1.1

# Check for:
# - SSH version
# - Supported authentication methods
# - Key types
# - Known vulnerabilities (old versions)

DNS Enumeration (53):

# Zone transfer attempt (if allowed)
dig axfr @192.168.1.1 target.com

# DNS enumeration
dnsrecon -d target.com -t std

# Nmap DNS scripts
nmap -p 53 --script=dns-zone-transfer 192.168.1.1

Key insight: Each service has its own enumeration techniques. Generic scanning finds the ports; service-specific enumeration finds the vulnerabilities.

4) SNMP Enumeration

SNMP often reveals extensive system information:

SNMP Basics:

- Simple Network Management Protocol
- UDP port 161
- Community strings act as passwords
- Default: "public" (read), "private" (write)
- SNMPv1 and v2c send community strings in cleartext

Why SNMP matters:
- System information
- Network configuration
- Running processes
- Installed software
- User accounts
- ARP tables

SNMP Enumeration Commands:

# Check if SNMP is open
nmap -sU -p 161 192.168.1.1

# Brute force community strings
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt 192.168.1.1

# Enumerate with known community string
snmpwalk -v2c -c public 192.168.1.1

# Get system info
snmpwalk -v2c -c public 192.168.1.1 system

# Get running processes
snmpwalk -v2c -c public 192.168.1.1 hrSWRunName

# Get installed software
snmpwalk -v2c -c public 192.168.1.1 hrSWInstalledName

# Get network interfaces
snmpwalk -v2c -c public 192.168.1.1 ifDescr

# Nmap SNMP scripts
nmap -sU -p 161 --script=snmp-info,snmp-processes,snmp-interfaces 192.168.1.1

Useful OIDs:

Common OIDs to query:

1.3.6.1.2.1.1       - System info
1.3.6.1.2.1.1.1.0   - System description
1.3.6.1.2.1.1.5.0   - Hostname
1.3.6.1.2.1.25.1    - Host resources
1.3.6.1.2.1.25.4.2  - Running processes
1.3.6.1.2.1.25.6.3  - Installed software

# Example: Get hostname
snmpget -v2c -c public 192.168.1.1 1.3.6.1.2.1.1.5.0

Key insight: SNMP is often overlooked but can reveal everything about a system—including credentials in some cases.

5) Enumeration Automation and Organization

Efficient enumeration requires organization:

Automated Enumeration Tools:

AutoRecon:
# Comprehensive automated scanning
autorecon 192.168.1.1

# Creates organized directory structure
# Runs service-specific scans automatically

nmapAutomator:
# Staged scanning approach
./nmapAutomator.sh 192.168.1.1 All

Legion (GUI):
# Graphical interface for scanning/enumeration
# Good for visualizing results

Organizing Enumeration Results:

Directory structure:

target_192.168.1.1/
├── nmap/
│   ├── initial_scan.nmap
│   ├── full_port_scan.nmap
│   ├── service_scan.nmap
│   └── vuln_scan.nmap
├── web/
│   ├── gobuster.txt
│   ├── nikto.txt
│   └── screenshots/
├── smb/
│   ├── enum4linux.txt
│   └── shares.txt
├── snmp/
│   └── snmpwalk.txt
└── notes.md

Enumeration Checklist:

Per-port enumeration checklist:

□ Port 21 (FTP)
  □ Banner grab
  □ Anonymous login attempt
  □ Version → CVE check

□ Port 22 (SSH)
  □ Banner/version
  □ Auth methods
  □ Version → CVE check

□ Port 25/587 (SMTP)
  □ VRFY/EXPN commands
  □ Open relay check

□ Port 53 (DNS)
  □ Zone transfer attempt
  □ DNS enumeration

□ Port 80/443 (HTTP/S)
  □ Technology fingerprinting
  □ Directory brute forcing
  □ Vulnerability scanning
  □ robots.txt, sitemap.xml

□ Port 139/445 (SMB)
  □ Share enumeration
  □ User enumeration
  □ Null session check

□ Port 161 (SNMP)
  □ Community string brute force
  □ Full SNMP walk

□ Port 389/636 (LDAP)
  □ Anonymous bind
  □ User enumeration

□ Port 3306 (MySQL)
  □ Version detection
  □ Default credentials

□ Port 3389 (RDP)
  □ NLA check
  □ Version/CVE

Key insight: Checklists prevent missed opportunities. Systematic enumeration beats random poking every time.

Real-World Context: Scanning in Engagements

How scanning works in professional pentesting:

Noise Considerations: Real scans generate logs and alerts. Discuss with the client whether stealth matters. Some tests intentionally test detection capabilities; others prioritize thoroughness over stealth.

Scan Timing: Production networks may be sensitive to scan traffic. Coordinate timing, use appropriate scan speeds, and have emergency contacts ready.

False Positives: Nmap and other tools sometimes misidentify services. Always verify interesting findings manually before including in reports.

MITRE ATT&CK Mapping:

T1046 - Network Service Discovery: Port scanning
T1135 - Network Share Discovery: SMB enumeration
T1087 - Account Discovery: User enumeration
T1018 - Remote System Discovery: Host discovery

Key insight: Scanning is noisy. In real engagements, balance thoroughness with operational considerations.

Guided Lab: Network Scanning Exercise

Practice comprehensive scanning against lab targets.

Step 1: Target Setup

# Ensure your lab is running:
# - Kali Linux (attacker)
# - Metasploitable 2 (target)
# - Both on same network

# Find Metasploitable IP
# From Metasploitable console:
ifconfig

# Verify connectivity from Kali:
ping [metasploitable-ip]

Step 2: Host Discovery

# Discover live hosts
nmap -sn 192.168.x.0/24

# Record live hosts for further scanning

Step 3: Port Scanning

# Quick scan (top 1000 ports)
nmap -sV [target-ip] -oN quick_scan.txt

# Full port scan
nmap -p- --min-rate=1000 [target-ip] -oN full_ports.txt

# Detailed scan on discovered ports
nmap -sV -sC -p [ports] [target-ip] -oN detailed_scan.txt

Step 4: Service Enumeration

# For each open port, perform service-specific enumeration

# Example for port 21 (FTP):
nmap -p 21 --script=ftp-* [target-ip]
ftp [target-ip]  # Try anonymous login

# Example for port 80 (HTTP):
nikto -h http://[target-ip]
gobuster dir -u http://[target-ip] -w /usr/share/wordlists/dirb/common.txt

# Example for SMB:
enum4linux -a [target-ip]

Step 5: Document Findings

Create enumeration report:
- All open ports
- Service versions
- Interesting findings per service
- Potential vulnerabilities noted
- Recommended next steps

Reflection (mandatory)

How many open ports did you find? Which surprised you?
What services look most promising for exploitation?
What default credentials or misconfigurations did you find?
How would you prioritize your findings for the next phase?

Week 3 Outcome Check

By the end of this week, you should be able to:

Explain different port scan types and when to use them
Use Nmap effectively including NSE scripts
Enumerate common services (SMB, HTTP, FTP, SNMP)
Organize and document enumeration results
Create systematic enumeration checklists
Use automated enumeration tools

Next week: Vulnerability Analysis—finding and understanding weaknesses in discovered services.

🎯 Hands-On Labs (Free & Essential)

Practice scanning and enumeration before moving to reading resources.

🎮 TryHackMe: Nmap

What you'll do: Run targeted scans, use NSE scripts, and interpret results.
Why it matters: Accurate scans set up every later phase.
Time estimate: 1.5-2 hours

Start TryHackMe Nmap →

🎮 TryHackMe: Network Services

What you'll do: Enumerate SMB, FTP, and other common services.
Why it matters: Enumeration reveals misconfigurations and weak services.
Time estimate: 1.5-2 hours

Start TryHackMe Network Services →

🧱 Hack The Box: Starting Point (Meow)

What you'll do: Apply scanning and enumeration against a beginner target.
Why it matters: Real targets force you to prioritize and validate results.
Time estimate: 1-2 hours

Open HTB Starting Point →

🛡️ Lab: Key Rotation & Secure Storage

What you'll do: Create a rotation plan and store keys in an encrypted vault or env vars.
Deliverable: Key rotation schedule + demo script using a stored key.
Why it matters: Exposure happens; rotation limits blast radius.
Time estimate: 60-90 minutes

💡 Lab Tip: Scan wide, then enumerate deep—service details matter more than port count.

🛡️ Key Rotation & Secure Storage

During enumeration you often find leaked secrets or weak storage. Understanding proper key handling helps you assess real risk.

Best practices:
- Rotate keys regularly and after exposure
- Store keys in a vault or HSM
- Separate keys from encrypted data
- Audit key access and usage

📚 Building on CSY101 Week-14: Align key management with policy and audit evidence.

Resources

Complete the required resources to build your foundation.

Nmap Reference Guide · 60-90 min · 50 XP · Resource ID: csy202_w3_r1 (Required)
NSE Script Documentation · 45-60 min · 50 XP · Resource ID: csy202_w3_r2 (Required)
AutoRecon - Automated Enumeration · Reference · 25 XP · Resource ID: csy202_w3_r3 (Optional)

Lab: Full Network Enumeration

Goal: Perform comprehensive scanning and enumeration against Metasploitable 2 and document all findings.

Part 1: Network Scanning

Perform host discovery on your lab network
Run full port scan against Metasploitable
Perform service version detection on all open ports
Run default NSE scripts
Document all open ports with services

Part 2: Service-Specific Enumeration

FTP (21): Check anonymous access, list files
SSH (22): Identify version, auth methods
HTTP (80): Directory enumeration, technology ID
SMB (139/445): Share and user enumeration
Any other interesting services

Part 3: Vulnerability Identification

Run Nmap vuln scripts
Research CVEs for identified versions
Note potential misconfigurations
Identify default credentials

Part 4: Report

Create organized documentation of all findings
Prioritize findings by exploitability
Recommend next steps for exploitation phase

Deliverable (submit):

Complete port/service listing
Service enumeration results per port
Vulnerability findings with CVE references
Prioritized attack plan for next phase
Raw Nmap output files

Checkpoint Questions

What is the difference between a SYN scan and a connect scan?
What Nmap option performs service version detection?
What information can be obtained from SMB enumeration?
What is the purpose of the Nmap Scripting Engine?
Why is UDP scanning important even though it's slow?
What does a "filtered" port state indicate?

Week 03 Quiz

Test your understanding of scanning techniques and service enumeration.

Format: 10 multiple-choice questions. Passing score: 70%. Time: Untimed.

Take Quiz

Weekly Reflection

Reflection Prompt (200-300 words):

This week you learned scanning and enumeration—the active discovery phase of penetration testing. You used Nmap and service-specific tools to map attack surfaces.

Reflect on these questions:

Scanning is "noisy" and can be detected. How would you balance thoroughness with stealth in different situations?
Many services have default configurations that are insecure. Why do you think this remains such a common problem?
How did systematic enumeration compare to ad-hoc exploration? What did the checklist approach help you find?
What was the most interesting or concerning thing you discovered on Metasploitable?

A strong reflection will consider operational trade-offs and connect findings to real security implications.

Verified Resources & Videos

Nmap Cheat Sheet: StationX Nmap Reference
SMB Enumeration: HackTricks SMB Guide
Enumeration Reference: PayloadsAllTheThings

Scanning and enumeration are foundational skills you'll use in every penetration test. The time spent here determines your success in later phases. Practice until these techniques become second nature. Next week: analyzing what you've found to identify vulnerabilities.