Enumerating Services
We cannot enumerate every port on every machine during an internal assessment because of the allotted time. We have to choose specific ports (SMB, web ports, administrative ports, etc.).
SMB
sudo nmap -Pn -p 445 -iL targets_rfc1918.txt -oA targets_smb ;
cat targets_smb.gnmap | grep "445/open" | cut -d" " -f 2 > targets_smb.txt
Database Ports
sudo nmap -Pn -p 1433,3306,5432 -iL targets_rfc1918.txt -oA targets_sql ;
cat targets_sql.gnmap | grep "1433/open" | cut -d" " -f 2 > targets_sqlserver.txt ;
cat targets_sql.gnmap | grep "3306/open" | cut -d" " -f 2 > targets_mysql.txt ;
cat targets_sql.gnmap | grep "5432/open" | cut -d" " -f 2 > targets_postgresql.txt
Administrative Ports
sudo nmap -Pn -p 21,22,23,88,3389,5900 -iL targets_rfc1918.txt -oA targets_adm ;
cat targets_adm.gnmap | grep "21/open" | cut -d" " -f 2 > targets_ftp.txt ;
cat targets_adm.gnmap | grep "22/open" | cut -d" " -f 2 > targets_ssh.txt ;
cat targets_adm.gnmap | grep "23/open" | cut -d" " -f 2 > targets_telnet.txt ;
cat targets_adm.gnmap | grep "3389/open" | cut -d" " -f 2 > targets_rdp.txt ;
cat targets_adm.gnmap | grep "5900/open" | cut -d" " -f 2 > targets_vnc.txt
Web Ports
Automating
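The per-port grep/cut lines above can be folded into one helper. This is an added example, not part of the original page: the function names and the sample data are assumptions, and it generalizes the grep approach by matching the port number exactly, so a pattern like "21/open" no longer also matches 2121/open when the same files come from a wider scan.

```sh
#!/bin/sh
# Added example: split an Nmap grepable (.gnmap) file into per-service host lists.

# open_hosts PORT FILE -> prints the IP of each host with exactly PORT open over TCP.
open_hosts() {
    awk -v port="$1" '
        /Ports:/ {
            ip = $2                      # second field of "Host: <ip> (<name>)"
            sub(/^.*Ports: /, "")        # keep only the port entries
            sub(/\t.*$/, "")             # drop a trailing "Ignored State" field
            n = split($0, entries, ", ")
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "/")   # port/state/protocol/...
                if (f[1] == port && f[2] == "open" && f[3] == "tcp") { print ip; break }
            }
        }' "$2"
}

# split_gnmap FILE PORT:NAME... -> writes targets_NAME.txt for every pair given.
split_gnmap() {
    gnmap="$1"; shift
    for pair in "$@"; do
        open_hosts "${pair%%:*}" "$gnmap" | sort -u > "targets_${pair#*:}.txt"
    done
}

# Constructed sample in gnmap layout (documentation addresses, not real scan output).
sample_gnmap() {
    printf 'Host: 192.0.2.10 ()\tStatus: Up\n'
    printf 'Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp///, 22/closed/tcp//ssh///, 3389/filtered/tcp//ms-wbt-server///\n'
    printf 'Host: 192.0.2.11 ()\tPorts: 21/closed/tcp//ftp///, 22/open/tcp//ssh///, 3389/open/tcp//ms-wbt-server///\n'
    printf 'Host: 192.0.2.12 ()\tPorts: 21/filtered/tcp//ftp///, 5900/open/tcp//vnc///\tIgnored State: closed (4)\n'
    printf 'Host: 192.0.2.13 ()\tPorts: 21/closed/tcp//ftp///, 2121/open/tcp//ccproxy-ftp///\n'
}

# Demo in a scratch directory: same output file names as the commands above.
tmp=$(mktemp -d)
sample_gnmap > "$tmp/targets_adm.gnmap"
(cd "$tmp" && split_gnmap targets_adm.gnmap 21:ftp 22:ssh 23:telnet 3389:rdp 5900:vnc && head targets_*.txt)
rm -rf "$tmp"
```
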