Service Enumeration & Footprinting
Overview
Service enumeration is a crucial phase in network security and penetration testing, where security professionals gather detailed information about the services running on a target’s open ports. This step goes beyond simply identifying live hosts; it uncovers the type, version, and configuration of services, helping to pinpoint potential vulnerabilities and attack vectors.
This post covers enumeration techniques for a wide range of commonly used network services, including FTP, SSH, SMTP, DNS, SMB, RDP, and various email and database services. You will find practical tools, commands, and methodologies to systematically enumerate services, verify configurations, and identify weaknesses for further analysis.
FTP (Port 21/TCP)
FTP (File Transfer Protocol) is primarily used for transferring files.
Nmap Script Engine (NSE)
Check for Anonymous Login:
nmap -p 21 --script=ftp-anon <ip>
Check for Vulnerabilities on FTP:
nmap -p 21 --script=vuln <ip>
Connecting to FTP
Check FTP manually:
nc -nv <ip> 21
# or
telnet <ip> 21
Non-SSL Connections:
ftp <ip> 21
SSL/TLS Connections:
openssl s_client -connect <ip>:21 -starttls ftp
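When you talk to the service by hand with nc or telnet, everything you learn comes from the three-digit reply codes the server sends back. The following is an added example, not code from the original post: a small Python parser for RFC 959 replies (including multi-line 220 greetings) that pulls the version-bearing banner out of a captured transcript and decides from the reply to PASS whether an anonymous login was accepted. The transcript is constructed; probe_anonymous() performs the same check live with the standard library's ftplib against a host you supply.

```python
"""Parse FTP replies the way you read them in an nc/telnet session.

Added example for this post; it is not code from the page. SAMPLE_REPLIES
is a constructed server-side transcript of a USER/PASS exchange.
"""
import ftplib
import re
from typing import List, Tuple

# Constructed sample: greeting, then the replies to USER anonymous and
# PASS anonymous. The last greeting line is the kind of detail that
# version fingerprinting scripts key on.
SAMPLE_REPLIES = (
    "220-Welcome to the example FTP service.\r\n"
    "220-All connections are logged.\r\n"
    "220 (vsFTPd 3.0.3)\r\n"
    "331 Please specify the password.\r\n"
    "230 Login successful.\r\n"
)

# RFC 959: "ddd text" is a one-line reply; "ddd-text" opens a multi-line
# reply that is closed by a line starting "ddd " with the same code.
REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_replies(raw: str) -> List[Tuple[int, str]]:
    """Split raw server output into (code, text) replies, folding multi-line ones."""
    replies: List[Tuple[int, str]] = []
    open_code = None            # code of the multi-line reply being collected
    buf: List[str] = []
    for line in raw.splitlines():
        m = REPLY_RE.match(line)
        if open_code is None:
            if not m:
                raise ValueError(f"line outside any reply: {line!r}")
            code, sep, text = int(m.group(1)), m.group(2), m.group(3)
            if sep == " ":
                replies.append((code, text))
            else:
                open_code, buf = code, [text]
        elif m and int(m.group(1)) == open_code and m.group(2) == " ":
            buf.append(m.group(3))                  # terminating line
            replies.append((open_code, "\n".join(buf)))
            open_code, buf = None, []
        elif m and int(m.group(1)) == open_code and m.group(2) == "-":
            buf.append(m.group(3))                  # prefixed continuation
        else:
            buf.append(line)                        # bare continuation text
    if open_code is not None:
        raise ValueError(f"unterminated multi-line reply {open_code}")
    return replies


def banner(raw: str) -> str:
    """Return the 220 greeting text, where many servers disclose product and version."""
    for code, text in parse_replies(raw):
        if code == 220:
            return text
    return ""


def login_outcome(raw: str) -> str:
    """Classify the last reply of a USER/PASS exchange: 230 is logged in,
    5xx (typically 530) is refused, anything else is inconclusive."""
    code, _ = parse_replies(raw)[-1]
    if code == 230:
        return "logged-in"
    if 500 <= code < 600:
        return "refused"
    return "inconclusive"


def anonymous_allowed(raw: str) -> bool:
    """True if the transcript shows the anonymous login being accepted."""
    return login_outcome(raw) == "logged-in"


def probe_anonymous(host: str, port: int = 21, timeout: float = 5.0) -> bool:
    """Live equivalent of `nmap --script=ftp-anon`: True if anonymous login works.
    `host` is caller-supplied; nothing here is contacted by default."""
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login("anonymous", "anonymous")     # raises error_perm on 530
        return True
    except ftplib.error_perm:
        return False
    finally:
        try:
            ftp.quit()
        except Exception:
            pass


if __name__ == "__main__":
    print("banner:", banner(SAMPLE_REPLIES).splitlines()[-1])
    print("anonymous allowed:", anonymous_allowed(SAMPLE_REPLIES))
```

The parser matters more than it looks: servers that wrap their greeting in a multi-line 220 block are exactly where an eyeball check goes wrong, and the closing "220 " line is where vsftpd and ProFTPD put the product string. A refusal shows up as 530 on the PASS step (or, for servers that disable anonymous outright, already on USER).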
Brute-Forcing FTP
Using Hydra:
hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt \
-P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt \
<ip> ftp
Using Nmap:
echo "<username1>" > userlist.txt
echo "<username2>" >> userlist.txt
echo "<username3>" >> userlist.txt
nmap -p 21 --script ftp-brute --script-args userdb=/root/userlist.txt <ip>
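The same activity seen from the server side: the hydra and ftp-brute runs above leave a dense trail of FAIL LOGIN records from one client address across many usernames. The following is an added example, not code from the original post, that reads log lines in the style of vsftpd's vsftpd.log and reports any source address that exceeds a failure threshold inside a sliding window, flagging separately the case where a successful login follows the burst (the guess most likely worked). The log lines are constructed, and the threshold of 5 failures in 60 seconds is an assumption to tune for your environment.

```python
"""Spot FTP password guessing in server logs.

Added example for this post, not code from the page. SAMPLE_LOG is
constructed in the style of vsftpd's log; threshold and window are
assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional

# Constructed sample: one source sprays five usernames in a few seconds
# and then gets in; a second user simply mistypes a password once.
SAMPLE_LOG = """\
Tue Sep 10 09:00:00 2024 [pid 2011] CONNECT: Client "10.0.0.5"
Tue Sep 10 09:00:01 2024 [pid 2010] [ftp] FAIL LOGIN: Client "10.0.0.5"
Tue Sep 10 09:00:01 2024 [pid 2010] [admin] FAIL LOGIN: Client "10.0.0.5"
Tue Sep 10 09:00:02 2024 [pid 2010] [root] FAIL LOGIN: Client "10.0.0.5"
Tue Sep 10 09:00:02 2024 [pid 2010] [test] FAIL LOGIN: Client "10.0.0.5"
Tue Sep 10 09:00:03 2024 [pid 2010] [guest] FAIL LOGIN: Client "10.0.0.5"
Tue Sep 10 09:00:04 2024 [pid 2010] [ftp] OK LOGIN: Client "10.0.0.5", anon password "anonymous"
Tue Sep 10 09:05:00 2024 [pid 2020] [alice] FAIL LOGIN: Client "10.0.0.9"
Tue Sep 10 09:30:00 2024 [pid 2021] [alice] OK LOGIN: Client "10.0.0.9"
not a log line at all
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>[^\]]*)\] )?(?P<event>CONNECT|OK LOGIN|FAIL LOGIN): '
    r'Client "(?P<ip>[^"]+)"'
)


def parse_line(line: str) -> Optional[dict]:
    """Return {ts, user, event, ip} for a recognised line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts_text = " ".join(m.group("ts").split())      # collapse day-of-month padding
    return {
        "ts": datetime.strptime(ts_text, "%a %b %d %H:%M:%S %Y"),
        "user": m.group("user"),
        "event": m.group("event"),
        "ip": m.group("ip"),
    }


def detect_bruteforce(lines: List[str], threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> Dict[str, dict]:
    """Sliding-window count of FAIL LOGIN per client IP.

    An IP is reported once it reaches `threshold` failures inside `window`.
    An OK LOGIN within `window` of that IP's last failure is flagged as
    success_after_burst, with the account that was reached.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    tried_users: Dict[str, set] = defaultdict(set)
    alerts: Dict[str, dict] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["event"] == "FAIL LOGIN":
            q = recent[ip]
            q.append(ts)
            tried_users[ip].add(ev["user"])
            while q and ts - q[0] > window:          # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"failures": 0, "users": set(),
                                           "success_after_burst": False})
                a["failures"] = max(a["failures"], len(q))
                a["users"] = set(tried_users[ip])
        elif ev["event"] == "OK LOGIN" and ip in alerts:
            if recent[ip] and ts - recent[ip][-1] <= window:
                alerts[ip]["success_after_burst"] = True
                alerts[ip]["compromised_user"] = ev["user"]
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, alert)
```

The "many distinct usernames from one address" shape in the users set is what separates a wordlist run from a legitimate user retyping a password, and success_after_burst is the alert worth paging on: at that point the question is no longer whether to block the source but which account and files it reached.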
Downloading Files via FTP
- Mirror Entire FTP Directory (Useful to bypass proxies):
wget -m ftp://anonymous:anonymous@<ip>
wget -m --no-passive ftp://anonymous:anonymous@<ip>
- Download Files with Special Characters in Credentials:
wget -r --user="USERNAME" --password="PASSWORD" ftp://<ip>/
- FTP Command for Downloading All Files in Current Directory:
mget *
Using Metasploit for FTP
- Get FTP Version:
msfconsole
use auxiliary/scanner/ftp/ftp_version
set RHOSTS <ip>
run
- FTP Brute Force:
use auxiliary/scanner/ftp/ftp_login
set RHOSTS <ip>
set USER_FILE /usr/share/wordlists/MetasploitRoom/MetasploitWordlist.txt
set PASS_FILE /usr/share/wordlists/rockyou.txt
run
- Check for Anonymous Login:
use auxiliary/scanner/ftp/anonymous
set RHOSTS <ip>
run