Service Enumeration

Service enumeration is the process of deeply analyzing every open port discovered during port scanning to identify the exact service, software version, configuration state, authentication methods, installed modules, default settings, and potential vulnerabilities. While port scanning tells you what is open, service enumeration tells you what you can do with it.

Service enumeration converts raw port data into actionable exploitation paths. It reveals hidden functionalities, weak configurations, outdated versions, and mismanaged protocols that attackers use to compromise systems. This chapter provides full theory and fully detailed, real-world practical workflows for enumerating each major service type encountered in pentesting.

Purpose of Service Enumeration

Service enumeration helps determine:

  • Exact software running behind each port

  • Version numbers and build details

  • Supported authentication methods

  • Enabled or disabled modules

  • Misconfigurations

  • Default or weak credentials

  • Hidden commands and banners

  • File structures or system details

  • User accounts and roles

Enumeration is where you convert open ports into vulnerabilities.

Relationship Between Port Scanning and Service Enumeration

Port scanning → “Port 22 is open.”

Service enumeration →

  • What version of SSH?

  • Is password auth enabled?

  • Are weak ciphers used?

  • Are usernames enumerable?

  • Does it leak system info?

You must enumerate every single open port because even one poorly configured service can lead to full compromise.


Practical Service Enumeration: Full Workflow

Below is the practical workflow you will repeatedly use.

Step 1: Scan All Ports (already done in previous chapter)

Assume you found these ports:

22 (SSH)
80 (HTTP)
443 (HTTPS)
3306 (MySQL)
21 (FTP)
445 (SMB)

Now enumerate them one by one.


Enumerating Common Services (Practical & In-depth)

Below is an exhaustive breakdown of how to enumerate each service properly.


SSH Enumeration (Port 22)

SSH provides encrypted remote login, but a misconfigured server can still give an attacker a way in.

Step 1: Banner Grabbing

nc -nv $IP 22

Example output:

SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.6

This reveals:

  • SSH version

  • OS hints

  • Potential CVEs

Step 2: Nmap Enumeration

nmap -p22 -sV --script=ssh2-enum-algos,ssh-hostkey,ssh-auth-methods $IP

These scripts reveal:

  • Supported encryption ciphers

  • Authentication types

  • Host keys

  • Weak algorithms

Step 3: Username Enumeration Test

hydra -L users.txt -p invalidpass ssh://$IP

If response times differ, usernames may be enumerable.

SSH enumeration builds the foundation for password brute forcing or credential attacks.
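As an added example (not code from the original chapter), the following Python script parses an SSH identification string of the form shown above into its protocol version, software name, version and OS comment, and checks a list of offered algorithms (constructed here to look like ssh2-enum-algos output) against a baseline of legacy key-exchange, cipher and MAC algorithms. The weak-algorithm list is an assumption representing a typical hardening baseline, not a complete catalogue; the banner and algorithm lists are constructed sample data.

```python
import re

# SSH identification string per RFC 4253: "SSH-protoversion-softwareversion [SP comments]"
BANNER_RE = re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<software>\S+)(?:\s+(?P<comment>.*))?$")

# Assumption: a representative baseline of legacy algorithms a hardening review would flag.
# Extend it to match your own policy; it is not an exhaustive list.
WEAK_ALGOS = {
    "kex": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"},
    "cipher": {"3des-cbc", "arcfour", "arcfour128", "arcfour256", "blowfish-cbc",
               "aes128-cbc", "aes256-cbc"},
    "mac": {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"},
}

# Constructed sample: the banner from the chapter plus an algorithm list shaped like
# what ssh2-enum-algos reports (not captured from a real host).
SAMPLE_BANNER = "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.6"
SAMPLE_ALGOS = {
    "kex": ["curve25519-sha256", "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "cipher": ["chacha20-poly1305@openssh.com", "aes128-ctr", "3des-cbc"],
    "mac": ["hmac-sha2-256", "hmac-md5"],
}


def parse_ssh_banner(banner: str) -> dict:
    """Split an SSH identification string into protocol, software, version and comment."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError(f"not an SSH identification string: {banner!r}")
    # OpenSSH and Dropbear separate name and version with '_' (OpenSSH_7.2p2);
    # other servers may not, in which case the whole token is kept as the software name.
    name, _, version = m.group("software").partition("_")
    return {
        "protocol": m.group("proto"),
        "software": name,
        "version": version or None,
        "comment": m.group("comment") or "",
    }


def weak_algorithms(offered: dict) -> dict:
    """Return, per algorithm class, the offered algorithms that appear in the weak baseline."""
    return {cls: sorted(set(algos) & WEAK_ALGOS.get(cls, set()))
            for cls, algos in offered.items()}


def ssh_findings(banner: str, offered: dict) -> list:
    """Produce one-line findings suitable for the enumeration blueprint."""
    info = parse_ssh_banner(banner)
    lines = [f"{info['software']} {info['version'] or ''} protocol {info['protocol']}"
             f" (comment: {info['comment'] or 'none'})".strip()]
    for cls, weak in weak_algorithms(offered).items():
        if weak:
            lines.append(f"weak {cls} offered: {', '.join(weak)}")
    return lines


if __name__ == "__main__":
    for line in ssh_findings(SAMPLE_BANNER, SAMPLE_ALGOS):
        print(line)
```

The comment field is where OS hints usually live (here an Ubuntu package revision), which is why the parser keeps it separate from the software version rather than discarding it.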


FTP Enumeration (Port 21)

FTP often leaks files, allows anonymous login, or reveals system structure.

Step 1: Check Banner

nc -nv $IP 21

Example:

220 (vsFTPd 3.0.3)

Step 2: Check Anonymous Login

ftp $IP
Name: anonymous
Password: anything

If login works, enumerate directories.

Step 3: Nmap Enumeration

nmap -p21 --script=ftp-anon,ftp-syst,ftp-vsftpd-backdoor,ftp-proftpd-backdoor -sV $IP

Reveals:

  • OS type

  • Directory structure

  • Vulnerable backdoor versions

Step 4: Manual Directory Enumeration

ls -la
cd /
ls -la

Download files:

mget *

One exposed FTP folder can contain passwords, backups, or source code.


SMB Enumeration (Port 445)

SMB is one of the most dangerous services to expose externally.

Step 1: Nmap Enumeration

nmap -p445 --script smb-os-discovery,smb-enum-shares,smb-enum-users $IP

Find:

  • OS version

  • Samba version

  • Exposed shares

  • User accounts

Step 2: List SMB Shares (Unauthenticated)

smbclient -L //$IP -N

If shares are visible:

smbclient //$IP/share -N

Enumerate files:

ls
cd confidential
get passwords.txt

SMB commonly leaks internal files.


HTTP/HTTPS Enumeration (Ports 80, 443, 8080, etc.)

Web services expose the largest attack surface, and enumerating them is where most major vulnerabilities are found.

Step 1: Check HTTP Headers

curl -I http://$IP

Look for:

  • Server type

  • Frameworks

  • Language

  • Proxy hints

Example:

Server: Apache/2.4.29 (Ubuntu)
X-Powered-By: PHP/7.2.24

Step 2: Full Nmap HTTP Enumeration

nmap -p80,443 --script=http-title,http-server-header,http-enum,http-methods -sV $IP

Step 3: Directory Enumeration

gobuster dir -u http://$IP -w /usr/share/wordlists/dirb/common.txt

Look for:

  • /admin

  • /login

  • /test

  • /backup

  • /dev

Step 4: Screenshot the Site

Use EyeWitness:

eyewitness --web --timeout 8 -f alive.txt

Step 5: SSL Enumeration

nmap -p443 --script ssl-enum-ciphers $IP

This reveals weak TLS configurations.

HTTP enumeration is often where full exploitation begins.


MySQL Enumeration (Port 3306)

Misconfigured MySQL servers often allow login without passwords.

Step 1: Banner Check

nc $IP 3306

Example output:

5.7.33-log MySQL Community Server

Step 2: Test Login Without Password

mysql -h $IP -u root

If login works, enumerate databases:

show databases;
use mysql;
select * from user;

Step 3: Nmap Enumeration

nmap -p3306 --script=mysql-info,mysql-users,mysql-databases,mysql-empty-password $IP

If MySQL is exposed externally, it is almost always critical.


SNMP Enumeration (Port 161)

SNMP leaks huge amounts of system data.

Step 1: Check Public Community String

snmpwalk -v2c -c public $IP

If it responds, extract:

  • Installed software

  • Running processes

  • Interfaces

  • Users

  • Network routes

Step 2: Nmap Enumeration

nmap -p161 --script=snmp-info,snmp-processes $IP

SNMP exposure can reveal full system internals.


Redis Enumeration (Port 6379)

Redis should never be exposed to the internet.

Step 1: Check if exposed

nc $IP 6379

Type:

INFO

If you get a full response, the server is wide open.

Step 2: Check for authentication

AUTH password

If commands are accepted without any AUTH, or an empty or default password is accepted, that is a critical vulnerability.
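To make the two checks above concrete, here is an added Python example (not from the original chapter) that builds the RESP frames redis-cli sends for INFO and AUTH, decodes the reply, and classifies the server as open, password-protected, or something else. All replies are constructed inline so it runs offline; the exact wording of the NOAUTH and WRONGPASS errors is what Redis returns, but the INFO body is sample data. The same decoder is what you would run against your own instance to confirm that requirepass is actually enforced.

```python
def resp_encode(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings, the wire form redis-cli uses."""
    frame = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        b = arg.encode()
        frame.append(b"$%d\r\n%s\r\n" % (len(b), b))
    return b"".join(frame)


def resp_bulk(text: str) -> bytes:
    """Build a RESP bulk-string reply (used here only to construct sample server replies)."""
    b = text.encode()
    return b"$%d\r\n%s\r\n" % (len(b), b)


def resp_decode(data: bytes) -> tuple:
    """Decode one RESP reply: simple string, error, integer, bulk string or null bulk."""
    kind, body = data[:1], data[1:]
    first = body.split(b"\r\n", 1)[0]
    if kind == b"+":
        return "status", first.decode()
    if kind == b"-":
        return "error", first.decode()
    if kind == b":":
        return "integer", int(first)
    if kind == b"$":
        header, rest = body.split(b"\r\n", 1)
        length = int(header)
        if length == -1:
            return "null", None
        return "bulk", rest[:length].decode()
    raise ValueError(f"unrecognised RESP type byte {kind!r}")


def parse_info(text: str) -> dict:
    """Turn the INFO body ('key:value' lines, '#' section headers) into a dict."""
    out = {}
    for line in text.splitlines():
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            out[key] = value
    return out


def classify_info_reply(reply: bytes) -> str:
    """open = INFO answered unauthenticated; auth-required = requirepass enforced."""
    kind, value = resp_decode(reply)
    if kind == "bulk" and "redis_version" in value:
        return "open"
    if kind == "error" and value.startswith("NOAUTH"):
        return "auth-required"
    return "unexpected"


def classify_auth_reply(reply: bytes) -> str:
    """accepted = the supplied password worked; rejected = it did not."""
    kind, value = resp_decode(reply)
    if kind == "status" and value == "OK":
        return "accepted"
    if kind == "error" and (value.startswith("WRONGPASS") or "invalid password" in value):
        return "rejected"
    return "unexpected"


# Constructed sample replies (not captured from a real host).
OPEN_REPLY = resp_bulk("# Server\r\nredis_version:6.2.6\r\nos:Linux 5.4.0 x86_64\r\n")
NOAUTH_REPLY = b"-NOAUTH Authentication required.\r\n"
WRONGPASS_REPLY = b"-WRONGPASS invalid username-password pair or user is disabled.\r\n"

if __name__ == "__main__":
    print(resp_encode("INFO"))
    print(classify_info_reply(OPEN_REPLY), classify_info_reply(NOAUTH_REPLY))
    print(parse_info(resp_decode(OPEN_REPLY)[1]))
    print(classify_auth_reply(WRONGPASS_REPLY))
```

A bulk-string reply to an unauthenticated INFO is the "wide open" case the chapter describes; a NOAUTH error means the server is at least password-protected, though it still should not be reachable from the internet.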


Identifying Unknown Services

If a port does not display a normal banner:

nmap -sV -p<port> $IP --version-all

If still unknown, attempt raw connection:

nc -nv $IP <port>

Try sending strings:

HELLO
STATUS
QUIT

Services often reveal themselves based on error messages.


Building a Structured Enumeration Blueprint

After enumerating every port, create a structured document:

Example Output:

22/SSH      → OpenSSH 7.2, password auth enabled, OS guess: Ubuntu 16.04  
21/FTP      → vsFTPd 3.0.3, anonymous login allowed  
80/HTTP     → Apache 2.4.29, PHP 7.2, /dev exposed  
443/HTTPS   → Nginx reverse proxy, weak TLS ciphers  
445/SMB     → Exposed share: backup, enumerated users  
3306/MySQL  → root login without password  

This document becomes your attack map.
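The following Python script is an added example, not part of the original chapter, that ties together the raw banner checks (the SSH, FTP, HTTP and MySQL banners shown earlier), the "Identifying Unknown Services" step, and the blueprint format above. It classifies a raw probe response by its leading bytes, the same idea nmap -sV applies with its much larger signature database, extracts the version detail each protocol exposes, and prints one blueprint line per port. Every response is constructed inline (the MySQL greeting is a hand-built handshake packet; nothing was captured from a real host), so it runs offline.

```python
import re

# Text-protocol signatures: the first bytes a server sends, or its reply to a junk probe.
TEXT_SIGNATURES = [
    ("SSH",   re.compile(rb"^SSH-[\d.]+-(?P<detail>[^\r\n]+)")),
    ("FTP",   re.compile(rb"^220[ -](?P<detail>[^\r\n]*)")),
    ("HTTP",  re.compile(rb"^HTTP/\d\.\d \d{3}")),
    ("Redis", re.compile(rb"^(?P<detail>[-+](?:NOAUTH|ERR|PONG|OK)\b[^\r\n]*)")),
]


def parse_mysql_greeting(data: bytes):
    """MySQL speaks first: 3-byte LE length, 1-byte sequence, protocol byte 0x0a,
    then a NUL-terminated server version string. Return that version or None."""
    if len(data) < 6 or data[4] != 0x0A:
        return None
    declared = int.from_bytes(data[:3], "little")
    end = data.find(b"\x00", 5)
    if end < 0 or declared > len(data) - 4:
        return None
    version = data[5:end]
    return version.decode(errors="replace") if re.match(rb"^\d+\.\d+", version) else None


def http_detail(head: bytes) -> str:
    """Pull the version-disclosing headers (Server, X-Powered-By) out of a response head."""
    header_block = head.split(b"\r\n\r\n", 1)[0].decode(errors="replace")
    found = []
    for line in header_block.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() in ("server", "x-powered-by"):
            found.append(f"{name.strip()}: {value.strip()}")
    return ", ".join(found) or "no version headers"


def fingerprint(data: bytes) -> tuple:
    """Return (service, detail) for a raw response, or ('unknown', first bytes in hex)."""
    version = parse_mysql_greeting(data)
    if version:
        return "MySQL", version
    for name, rx in TEXT_SIGNATURES:
        m = rx.match(data)
        if m:
            if name == "HTTP":
                return name, http_detail(data)
            return name, m.group("detail").decode(errors="replace").strip()
    return "unknown", "first bytes: " + data[:16].hex()


def build_blueprint(responses: dict) -> list:
    """Format one 'port/service → detail' line per port, in the chapter's layout."""
    return [f"{port}/{svc}".ljust(12) + "→ " + detail
            for port in sorted(responses)
            for svc, detail in [fingerprint(responses[port])]]


def mysql_greeting(version: str) -> bytes:
    """Construct a minimal MySQL handshake packet for the sample data (assumption:
    padding bytes stand in for the thread id, salt and capability fields)."""
    payload = b"\x0a" + version.encode() + b"\x00" + b"\x01\x00\x00\x00" + b"A" * 8 + b"\x00"
    return len(payload).to_bytes(3, "little") + b"\x00" + payload


# Constructed sample responses keyed by port (not captured from a real host).
SAMPLE_RESPONSES = {
    22: b"SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.6\r\n",
    21: b"220 (vsFTPd 3.0.3)\r\n",
    80: (b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.29 (Ubuntu)\r\n"
         b"X-Powered-By: PHP/7.2.24\r\nContent-Type: text/html\r\n\r\n<html></html>"),
    3306: mysql_greeting("5.7.33-log"),
    6379: b"-NOAUTH Authentication required.\r\n",
    9999: b"\x00\x01\x02\x03\x04garbage",
}

if __name__ == "__main__":
    for line in build_blueprint(SAMPLE_RESPONSES):
        print(line)
```

Ports that end up as "unknown" are exactly the ones the chapter says to probe by hand; keep the hex of the first bytes in the blueprint so the manual follow-up has something to start from.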


How Service Enumeration Leads to Exploitation

Example attack path built from enumeration:

  • SMB share exposes backup

  • Backup contains database credentials

  • MySQL root login works

  • MySQL has user table with password hashes

  • Hashes crackable → admin login details

  • Admin login gives web backend access

  • Backend allows file upload → remote shell

Without enumeration, this chain is impossible.

Intel Dump

  • Service enumeration identifies software, versions, configurations, and weaknesses.

  • Banner grabbing is the first step for every service.

  • Nmap with service scripts gives deeper insights.

  • Each service has specific enumeration commands.

  • HTTP enumeration includes headers, directories, SSL, and frameworks.

  • SMB, FTP, SSH, Redis, and MySQL often leak credentials or data.

  • SNMP reveals full system internals if “public” is enabled.

  • Unknown services require manual probing.

  • Output must be organized into a structured attack plan.

  • Enumeration directly leads to vulnerability discovery and exploitation.
