Service Enumeration
Methodology
First run a port scan only (no version detection, no scripts) across all ports, or across the specific ports/port range you need, and then run the slower service scan (version, scripts, OS) only against the ports found open. Service probes against all 65535 ports take far longer than a plain SYN scan, so splitting the work keeps the full sweep fast and the detailed scan short.
Things to look for:
Open Ports
Service version
OS version
Open shares (for File sharing services)
Anonymous login
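The two-stage methodology above as one script, added here as an example (it is not from the original page): a full-range SYN scan, a parser for nmap's greppable output that collects the open ports, and a version/script/OS scan restricted to those ports. It assumes nmap is installed, sudo is available for -sS, and output goes to a directory named after the target (both are assumptions, not something the page specifies). The self_check function feeds the parser a constructed -oG sample so it can be exercised without a live target.

```shell
#!/usr/bin/env bash
# Two-stage TCP enumeration: find every open port first, then run the slow
# service/OS/script scan only against those ports.
# Added example, not from the original page. Assumes nmap is on PATH and
# sudo is available (raw SYN scans need root).

# Parse nmap greppable output (-oG, or the .gnmap file written by -oA) and
# print the open TCP ports as a comma-separated list suitable for -p.
# Greppable port fields look like: 22/open/tcp//ssh///
extract_open_ports() {
    gnmap_file="$1"
    grep -E '^Host:.*Ports:' "$gnmap_file" \
        | tr ',' '\n' \
        | grep -oE '[0-9]+/open/' \
        | cut -d/ -f1 \
        | sort -n -u \
        | paste -sd, -
}

# Stage 1: SYN scan of all 65535 TCP ports, no service probes, no ping.
# --min-rate keeps a full-range scan to minutes on a lab network; drop it
# (or lower -T) when stealth matters more than speed.
full_port_scan() {
    target="$1"; outdir="$2"
    sudo nmap -sS -p- -Pn -T4 --min-rate 1000 -oA "$outdir/allports" "$target"
}

# Stage 2: version detection, default NSE scripts and OS detection, but only
# on the ports stage 1 found open.
service_scan() {
    target="$1"; outdir="$2"; ports="$3"
    sudo nmap -sS -sV -sC -O -Pn -p "$ports" -oA "$outdir/services" "$target"
}

enum_host() {
    target="$1"
    outdir="${2:-nmap-$target}"   # assumed default output directory
    mkdir -p "$outdir"
    full_port_scan "$target" "$outdir"
    ports=$(extract_open_ports "$outdir/allports.gnmap")
    if [ -z "$ports" ]; then
        # Nothing open: either the host is really closed or -Pn/-p- was not
        # enough (firewalled, UDP-only service); do not run stage 2 blindly.
        echo "No open TCP ports found on $target" >&2
        return 1
    fi
    echo "Open ports on $target: $ports"
    service_scan "$target" "$outdir" "$ports"
}

# Exercise the parser on a constructed -oG sample (no nmap run needed):
# one host, three open ports listed out of order, one filtered port.
self_check() {
    tmp=$(mktemp)
    printf 'Host: 10.10.10.5 ()\tStatus: Up\n' > "$tmp"
    printf 'Host: 10.10.10.5 ()\tPorts: 8080/open/tcp//http-proxy///, 22/open/tcp//ssh///, 443/filtered/tcp//https///, 80/open/tcp//http///\tIgnored State: closed (65531)\n' >> "$tmp"
    result=$(extract_open_ports "$tmp")
    rm -f "$tmp"
    printf '%s\n' "$result"
}

# Usage: ./enum.sh [TARGET_HOST] [OUTPUT_DIR]
if [ $# -gt 0 ]; then
    enum_host "$@"
fi
```

The parser only keeps fields in the open state, so filtered and closed ports never reach the -p list, and sort -n -u makes the list stable regardless of the order nmap prints them in. The -oA files from both stages stay on disk, which is what you want for a report later.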
Nmap
Scan Open Ports Only
# Scans all 65535 TCP ports with a SYN scan, no service probes (-sS needs root)
sudo nmap -sS -p- -Pn [TARGET_HOST]
# Scans the top 100 ports (-F) sequentially instead of in random order (-r)
sudo nmap -sS -F -r -Pn [TARGET_HOST]
Nmap Service and OS Scan (Default)
Scans the top 1000 ports if -p is omitted.
-sSV: SYN ("stealth") scan plus version detection (same as -sS -sV).
-O: OS detection.
-Pn: skip host discovery and treat the host as up. Use it when ICMP is filtered, otherwise nmap may report the host as down and scan nothing.
sudo nmap -sSV -O -Pn [TARGET_HOST]
Nmap Service and OS Scan with Timing Option
-T[0-5]: timing template, 0 (paranoid) being slowest and 5 (insane) fastest. -T4 is the usual choice on a lab network; lower values are for fragile hosts or when you want to stay under an IDS threshold.
sudo nmap -sSV -O -Pn -T[0-5] -p [PORT] [TARGET_HOST]
Nmap Service Scan Intensity
--version-intensity [0-9]: how many probes are tried per port (default 7). Higher values identify more obscure services but are slower and noisier.
sudo nmap -sSV --version-intensity 8 -Pn [TARGET_HOST]
# Version intensity 2
sudo nmap -sSV --version-light -Pn [TARGET_HOST]
# Version intensity 9
sudo nmap -sSV --version-all -Pn [TARGET_HOST]
Nmap Save to a File
-A enables OS detection, version detection, default scripts and traceroute, so -O is redundant next to it. tee only captures what nmap prints to the terminal; -oN/-oG/-oX (or -oA for all three) write proper output files that other tools can parse.
sudo nmap -sSV -A -O -Pn -T4 -p [PORT] [TARGET_HOST] | tee nmap-result.txt
SSH Enumeration - Manual
Basic SSH. Connect, and once you are asked for a password hit ctrl + c to cancel. A pre-authentication banner (sshd's Banner option) is only shown if the server has one configured; the protocol version string (e.g. SSH-2.0-OpenSSH_8.9) is always sent and can be read with ssh -v or a raw connection to the port.
ssh 192.168.1.1
For old SSH versions (legacy key exchange or cipher no longer enabled by default in the client) use the command below:
Syntax: ssh [IP] -oKexAlgorithms=+[Method Offered] -c [cipher]
ssh 192.168.1.1 -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes128-cbc
# Note: select the key exchange and cipher offered by the remote host, or what is shown in the error message
# ("no matching key exchange method found. Their offer: ..." / "no matching cipher found. Their offer: ...").
# If the error is "no matching host key type found", add -oHostKeyAlgorithms=+ssh-rsa (or the offered type) as well.
# The ssh2-enum-algos NSE script lists every kex, cipher, MAC and host key algorithm the server offers.

