Enumerating Servers and Services: A Dive into Network Enumeration

Riya Jain
4 min read, Dec 6, 2023

Recently, I successfully passed my eLearnSecurity Junior Penetration Tester (eJPT) examination, and I’m excited to share some of my notes on the crucial topic of enumeration. Enumeration is a fundamental step in penetration testing where we extract information about servers and services to identify potential vulnerabilities. In this post, I’ll focus on various enumeration techniques for different services and protocols.

SMB Enumeration

Server Message Block (SMB)

SMB is a network file-sharing protocol used primarily by Windows-based computers. Enumerating SMB can reveal valuable information about shares, users, and sessions.

Nmap scripts:

$ nmap -p 445 --script smb-protocols <target>
$ nmap -p 445 --script smb-security-mode <target>
$ nmap -p 445 --script smb-enum-sessions <target>
$ nmap -p 445 --script smb-enum-sessions --script-args smbusername=administrator,smbpassword=smbserver_771 <target>

SMBMap:

$ smbmap -u guest -p "" -d . -H <target>
$ smbmap -H <target> -u administrator -p smbserver_771 -x 'ipconfig'
$ smbmap -H <target> -u administrator -p smbserver_771 --download 'c$\flag.txt'

SMB — Samba

Samba is the implementation of the SMB protocol used on Linux and other Unix-like systems. It can be enumerated with tools like Metasploit, smbclient, rpcclient, and enum4linux.

FTP Enumeration

FTP (File Transfer Protocol) runs on port 21 and can be enumerated using tools like Hydra or Nmap scripts.

Hydra:

$ hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt <target> ftp

Nmap scripts:

$ nmap --script ftp-brute --script-args userdb=/root/users -p 21 <target>

SSH Enumeration

Secure Shell (SSH) operates on port 22, and its enumeration involves checking algorithms, host keys, and potential weak passwords.

Nmap scripts:

$ nmap -p 22 --script ssh2-enum-algos <target>
$ nmap -p 22 --script ssh-hostkey --script-args ssh_hostkey=full <target>
$ nmap -p 22 --script ssh-auth-methods --script-args="ssh.user=student" <target>

Hydra:

$ hydra -l student -P /usr/share/passwordlists/rockyou.txt <target> ssh

HTTP Enumeration

Enumerating HTTP involves using tools like WhatWeb, Nmap Scripts, and Metasploit for version detection, banner grabbing, and directory brute-forcing.

WhatWeb:

$ whatweb <target>

Nmap scripts:

$ nmap -sV -p 80 --script http-enum <target>
$ nmap -sV -p 80 --script http-headers <target>
$ nmap -sV -p 80 --script http-methods --script-args http-methods.url-path=/webdav/ <target>

Metasploit (inside msfconsole):

msf6 > use auxiliary/scanner/http/http_version
msf6 > use auxiliary/scanner/http/brute_dirs

SQL Enumeration

Enumerating SQL services involves using Nmap Scripts, MySQL command-line tools, Metasploit, and Hydra.

Nmap scripts for MySQL:

$ nmap -p 3306 --script=mysql-empty-password <target>

MySQL command line:

$ mysql -h <target> -u root

Metasploit (inside msfconsole):

msf6 > use auxiliary/scanner/mysql/mysql_login
msf6 > use auxiliary/scanner/mysql/mysql_enum_sql_logins
msf6 > use auxiliary/scanner/mysql/mysql_exec
msf6 > set cmd whoami

MSSQL Enumeration

For Microsoft SQL Server (MSSQL) on Windows, Nmap Scripts, Metasploit, and Hydra can be employed.

Nmap scripts for MSSQL:

$ nmap -p 1433 --script ms-sql-info <target>
$ nmap -p 1433 --script ms-sql-brute --script-args userdb=<users_list_path>,passdb=<pass_list_path> <target>

Metasploit (inside msfconsole):

msf6 > use auxiliary/scanner/mssql/mssql_login
msf6 > use auxiliary/admin/mssql/mssql_enum
msf6 > use auxiliary/admin/mssql/mssql_enum_sql_logins
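When these Nmap script scans are saved with -oX, the script output can be triaged programmatically instead of being read host by host. The following is an added example, not code from the original post: a small Python parser for Nmap XML that keeps only open ports and flags the weak settings the scripts above report (SMB signing disabled, a MySQL account with an empty password, risky HTTP methods) so they can be fixed. The XML and the 192.0.2.x addresses are constructed sample data, not a real scan.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX output for two hosts in the documentation range (not a real scan).
SAMPLE_XML = """<nmaprun>
 <host><address addr="192.0.2.10"/><ports>
  <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/>
   <script id="smb-security-mode" output="message_signing: disabled (dangerous, but default)"/></port>
  <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/>
   <script id="mysql-empty-password" output="root account has empty password"/></port>
 </ports></host>
 <host><address addr="192.0.2.11"/><ports>
  <port protocol="tcp" portid="80"><state state="open"/><service name="http"/>
   <script id="http-methods" output="Supported Methods: GET HEAD POST OPTIONS TRACE  Potentially risky methods: TRACE"/></port>
  <port protocol="tcp" portid="22"><state state="filtered"/><service name="ssh"/></port>
 </ports></host>
</nmaprun>"""

# (script id, substring that marks a weak setting, finding description)
CHECKS = [
    ("smb-security-mode", "message_signing: disabled", "SMB signing not required"),
    ("mysql-empty-password", "empty password", "MySQL account with empty password"),
    ("http-methods", "Potentially risky methods", "risky HTTP methods enabled"),
]

def parse_nmap_xml(xml_text):
    """Return {addr: {port: {"service": name, "scripts": {script_id: output}}}} for open ports only."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        ports = {}
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports carry no script output worth keeping
            ports[int(port.get("portid"))] = {
                "service": port.find("service").get("name"),
                "scripts": {s.get("id"): s.get("output", "") for s in port.iter("script")},
            }
        hosts[host.find("address").get("addr")] = ports
    return hosts

def weak_settings(hosts):
    """Match each open port's script output against CHECKS; returns (addr, port, description) tuples."""
    findings = []
    for addr, ports in sorted(hosts.items()):
        for port, info in sorted(ports.items()):
            for script_id, marker, desc in CHECKS:
                if marker in info["scripts"].get(script_id, ""):
                    findings.append((addr, port, desc))
    return findings
```

Calling `weak_settings(parse_nmap_xml(SAMPLE_XML))` on the sample yields one finding per weak setting; the filtered SSH port on the second host is dropped before any check runs.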

Footprinting & Scanning

For this, you need to map the network using the following tools:

  1. Arp-scan (https://www.kali.org/tools/arp-scan/)
  2. Ping
  3. Fping (https://fping.org/)
  4. Nmap (https://www.kali.org/tools/nmap/)
  5. Zenmap


You should also perform a port scan to identify the OS and services, using Nmap or one of the following tools:

  • Nmap:
      all ports: nmap -p-
      a single port: nmap -p 22
      a range of ports: nmap -p 1-100
  • Zenmap:
      all ports: zenmap -p-
      a single port: zenmap -p 22
      a range of ports: zenmap -p 1-100
  • Automator:
      all ports: automator -p-
      a single port: automator -p 22
      a range of ports: automator -p 1-100
  • Masscan:
      all ports: masscan -p- -iL hosts.txt
      a single port: masscan -p 22 -iL hosts.txt
      a range of ports: masscan -p 1-100 -iL hosts.txt
  • Rustscan:
      all ports: rustscan -p-
      a single port: rustscan -p 22
      a range of ports: rustscan -p 1-100
  • Autorecon:
      all ports: autorecon -p-
      a single port: autorecon -p 22
      a range of ports: autorecon -p 1-100

Remember to explore and customize these enumeration techniques based on your specific penetration testing scenarios. Enumeration is a critical phase, and thorough exploration can lead to the discovery of potential vulnerabilities and entry points into a system.

Happy hacking!

Riya Jain: Security Researcher | Penetration Tester | Red Team | Blue Team | eJPT | CAP | CND | Purple Team