
Service Enumeration Cheatsheet

Quick command reference for enumerating common network services after host discovery and port scanning. Replace $IP with the target. Only test systems you are authorised to assess.

Initial port + service discovery

# fast full TCP sweep, then targeted service/version + default scripts
nmap -p- --min-rate 5000 -T4 $IP -oN ports.txt
nmap -sC -sV -p <open_ports> $IP -oN services.txt
nmap -sU --top-ports 50 $IP # common UDP services
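The second nmap command needs the open ports found by the first; this added shell helper (not part of the original cheatsheet) pulls them out of the -oN file so the two steps chain together. The nmap output it parses is a constructed sample.

```shell
#!/bin/sh
# Added helper, not from the original cheatsheet: turn the first scan's
# nmap -oN output into the comma-separated list the second scan expects.
# Only "PORT/tcp open" rows are kept; filtered/closed ports and the
# host/summary lines are ignored.

# constructed sample of nmap normal output (what ports.txt looks like)
SAMPLE_NMAP='# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024
Nmap scan report for 10.0.0.5
Host is up (0.0012s latency).
Not shown: 65530 closed tcp ports (reset)
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
139/tcp  open     netbios-ssn
445/tcp  open     microsoft-ds
3389/tcp filtered ms-wbt-server
# Nmap done at Mon Jan  1 00:00:12 2024 -- 1 IP address (1 host up) scanned in 12.34 seconds'

# open_ports <nmap -oN file>: print e.g. "22,80,139,445"
open_ports() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { sub(/\/tcp$/, "", $1); print $1 }' "$1" |
        sort -n -u | paste -sd, -
}

# demo on the constructed sample (runs offline)
tmp=$(mktemp); printf '%s\n' "$SAMPLE_NMAP" > "$tmp"
echo "open ports: $(open_ports "$tmp")"   # open ports: 22,80,139,445
rm -f "$tmp"

# real use, once ports.txt exists:
#   nmap -sC -sV -p "$(open_ports ports.txt)" $IP -oN services.txt
```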

DNS (53/tcp,udp)

dig axfr @$IP example.com # zone transfer attempt
dig any example.com @$IP
nslookup -type=ns example.com $IP
dnsenum --dnsserver $IP example.com # automated enumeration via the target resolver
dnsrecon -d example.com -n $IP -t axfr

SMB (139/445)

nmap --script "smb-enum-shares,smb-enum-users,smb-os-discovery,smb-vuln-*" -p445 $IP
enum4linux-ng -A $IP
smbclient -L //$IP/ -N # null session share listing
nxc smb $IP -u '' -p '' --shares # netexec (formerly crackmapexec)
nxc smb $IP -u user -p pass --users

SNMP (161/udp)

snmpwalk -v2c -c public $IP
snmp-check $IP -c public
onesixtyone -c community.txt $IP # community string brute force
# walk system, users, processes, installed software via standard OIDs

RDP (3389)

nmap --script "rdp-enum-encryption,rdp-ntlm-info" -p3389 $IP
nxc rdp $IP -u users.txt -p passwords.txt # credential spray (mind lockout)
xfreerdp /v:$IP /u:user /p:pass # connect once creds are valid

SSH (22)

nmap --script "ssh2-enum-algos,ssh-auth-methods" -p22 $IP
ssh-audit $IP # weak ciphers / algorithms
nxc ssh $IP -u users.txt -p passwords.txt # or hydra -L users.txt -P pass.txt ssh://$IP

FTP (21)

nmap --script "ftp-anon,ftp-syst" -p21 $IP
ftp $IP # try anonymous:anonymous

SMTP (25/465/587)

nmap --script "smtp-commands,smtp-enum-users,smtp-open-relay" -p25 $IP
smtp-user-enum -M VRFY -U users.txt -t $IP

LDAP (389/636)

nmap --script "ldap-rootdse,ldap-search" -p389 $IP
ldapsearch -x -H ldap://$IP -s base namingcontexts
nxc ldap $IP -u user -p pass --users
