# Enumerating Services

### SMB

To make exploitation and post-exploitation easier later on, start by listing every machine with port 445 (SMB) open. The scan below writes its results in all three formats (`-oA`), and the second command extracts the host addresses from the greppable `.gnmap` file:

```bash
sudo nmap -Pn -p 445 -iL targets_rfc1918.txt -oA targets_smb ;
cat targets_smb.gnmap | grep "445/open" | cut -d" " -f 2 > targets_smb.txt
```

### Database Ports

Database services (Microsoft SQL Server on 1433, MySQL on 3306, PostgreSQL on 5432) can be enumerated with:

```bash
sudo nmap -Pn -p 1433,3306,5432 -iL targets_rfc1918.txt -oA targets_sql ;
cat targets_sql.gnmap | grep "1433/open" | cut -d" " -f 2 > targets_sqlserver.txt ;
cat targets_sql.gnmap | grep "3306/open" | cut -d" " -f 2 > targets_mysql.txt ;
cat targets_sql.gnmap | grep "5432/open" | cut -d" " -f 2 > targets_postgresql.txt
```

### Administrative Ports

Administrative services (FTP, SSH, Telnet, Kerberos, RDP, VNC) are worth enumerating: they are the usual targets for default or reused credentials, and a host answering on port 88 is most likely a domain controller. Note that the extraction step reads `targets_adm.gnmap`, the file written by this scan, not the SQL scan output:

```bash
sudo nmap -Pn -p 21,22,23,88,3389,5900 -iL targets_rfc1918.txt -oA targets_adm ;
cat targets_adm.gnmap | grep "21/open" | cut -d" " -f 2 > targets_ftp.txt ;
cat targets_adm.gnmap | grep "22/open" | cut -d" " -f 2 > targets_ssh.txt ;
cat targets_adm.gnmap | grep "23/open" | cut -d" " -f 2 > targets_telnet.txt ;
cat targets_adm.gnmap | grep "3389/open" | cut -d" " -f 2 > targets_rdp.txt ;
cat targets_adm.gnmap | grep "5900/open" | cut -d" " -f 2 > targets_vnc.txt
```

### Web Ports

Enumerating web services matters because exposed web applications (administrative consoles, outdated or vulnerable applications, etc.) are a frequent entry point. The port list below covers the default HTTP/HTTPS ports, the common alternates 8080 and 8443, the WebLogic defaults 7001 and 7002, and Webmin on 10000:

```bash
sudo nmap -Pn -p 80,443,8080,8443,9006,7001,7002,8081,49153,10000 -iL targets_rfc1918.txt -oA targets_web
```

Each scan leaves `.nmap`, `.gnmap` and `.xml` files (from `-oA`); the per-service target lists built from the `.gnmap` files are the input for the service-specific checks in the following steps.

{% hint style="info" %}
When a blacklist of hosts that must not be scanned is provided by the client, simply use:

* **zmap:**
  * `--blacklist-file`
* **nmap:**
  * `--excludefile`
{% endhint %}

## Automating

This script automates the previous steps (the web scan is run but, as above, no per-port lists are extracted from it):

```bash
#!/usr/bin/env bash
# SMB
sudo nmap -Pn -p 445 -iL targets_rfc1918.txt -oA targets_smb ;
cat targets_smb.gnmap | grep "445/open" | cut -d" " -f 2 > targets_smb.txt ;
# Databases
sudo nmap -Pn -p 1433,3306,5432 -iL targets_rfc1918.txt -oA targets_sql ;
cat targets_sql.gnmap | grep "1433/open" | cut -d" " -f 2 > targets_sqlserver.txt ;
cat targets_sql.gnmap | grep "3306/open" | cut -d" " -f 2 > targets_mysql.txt ;
cat targets_sql.gnmap | grep "5432/open" | cut -d" " -f 2 > targets_postgresql.txt ;
# Administrative services
sudo nmap -Pn -p 21,22,23,88,3389,5900 -iL targets_rfc1918.txt -oA targets_adm ;
cat targets_adm.gnmap | grep "21/open" | cut -d" " -f 2 > targets_ftp.txt ;
cat targets_adm.gnmap | grep "22/open" | cut -d" " -f 2 > targets_ssh.txt ;
cat targets_adm.gnmap | grep "23/open" | cut -d" " -f 2 > targets_telnet.txt ;
cat targets_adm.gnmap | grep "3389/open" | cut -d" " -f 2 > targets_rdp.txt ;
cat targets_adm.gnmap | grep "5900/open" | cut -d" " -f 2 > targets_vnc.txt ;
# Web
sudo nmap -Pn -p 80,443,8080,8443,9006,7001,7002,8081,49153,10000 -iL targets_rfc1918.txt -oA targets_web
```
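The `grep "<port>/open" | cut -d" " -f 2` pattern used throughout this page works for the SMB, database and administrative scans because none of those port numbers is a suffix of another port in the same scan. It breaks for the web scan: `80/open` is a substring of `8080/open`, so a naive grep for port 80 also returns hosts that only expose 8080. The script below is an added example, not part of the original page; it parses the `.gnmap` format the page relies on, anchors the port match on the `Ports: ` / `, ` prefix that precedes every entry in a `.gnmap` line, and splits one scan into per-port target lists. The `.gnmap` content and the 10.0.0.x addresses are constructed for illustration, and the function names (`hosts_naive`, `hosts_with_open_port`, `split_by_port`, `count_hosts`) are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): split nmap greppable output
# (.gnmap) into one target list per open port, and show why the bare
# grep "80/open" pattern over-matches once 8080 is in the same scan.
# The .gnmap lines below are constructed; 10.0.0.x are RFC 1918 placeholders.
set -eu

# Constructed sample of what `nmap -Pn -p 80,443,8080,8443 -oA targets_web`
# writes to targets_web.gnmap. A literal tab separates "()" from "Ports:",
# and the port entries are separated by ", ".
sample_gnmap() {
  echo '# Nmap 7.94 scan initiated (constructed sample)'
  printf 'Host: %s ()\tPorts: %s\n' \
    10.0.0.5 '80/open/tcp//http///, 443/open/tcp//https///, 8080/closed/tcp//http-proxy///, 8443/closed/tcp//https-alt///' \
    10.0.0.7 '80/closed/tcp//http///, 443/closed/tcp//https///, 8080/open/tcp//http-proxy///, 8443/open/tcp//https-alt///' \
    10.0.0.9 '80/open/tcp//http///, 443/closed/tcp//https///, 8080/open/tcp//http-proxy///, 8443/closed/tcp//https-alt///'
  echo '# Nmap done (constructed sample) -- 3 IP addresses (3 hosts up) scanned'
}

# The page's one-liner as a function: substring match on "<port>/open".
# Over-matches when a longer port ends with the same digits ("80" vs "8080").
hosts_naive() {
  local port=$1 file=$2
  grep "${port}/open" "$file" | cut -d" " -f 2 || true
}

# Anchored version: every port entry in a .gnmap line is preceded by
# "Ports: " (first entry) or ", " (the rest), so requiring that prefix makes
# port 80 match only port 80. awk's default whitespace splitting also copes
# with the tab after "()".
hosts_with_open_port() {
  local port=$1 file=$2
  grep -E "(Ports: |, )${port}/open/" "$file" | awk '{print $2}' || true
}

# split_by_port <gnmap> <outdir> <port>=<label> ...
# Writes <outdir>/targets_<label>.txt for each port, the way the page does for
# SMB, SQL and admin ports. An empty file means no host exposes that port.
split_by_port() {
  local file=$1 outdir=$2 spec
  shift 2
  mkdir -p "$outdir"
  for spec in "$@"; do
    hosts_with_open_port "${spec%%=*}" "$file" > "$outdir/targets_${spec#*=}.txt"
  done
}

# Number of hosts in a target list (0 for an empty file).
count_hosts() { grep -c . "$1" || true; }

# Demo run on the constructed scan.
workdir=$(mktemp -d)
sample_gnmap > "$workdir/targets_web.gnmap"
echo 'naive grep "80/open" (wrongly includes the 8080-only host):'
hosts_naive 80 "$workdir/targets_web.gnmap"
echo 'anchored match for port 80:'
hosts_with_open_port 80 "$workdir/targets_web.gnmap"
split_by_port "$workdir/targets_web.gnmap" "$workdir/lists" 80=http 443=https 8080=http_alt 8443=https_alt
for f in "$workdir"/lists/targets_*.txt; do
  echo "$(count_hosts "$f") host(s) in $f"
done
```

Run against a real scan by replacing the `sample_gnmap` call with the path to your `targets_web.gnmap`; the same `split_by_port` call works for the SMB, SQL and admin scans on this page (for example `split_by_port targets_adm.gnmap . 21=ftp 22=ssh 23=telnet 88=kerberos 3389=rdp 5900=vnc`). The anchored pattern also matters once a scan mixes ports such as 22 and 2222 or 443 and 8443.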
