Information Gathering & Enumeration
Service Enumeration Techniques
After discovering open ports, you must enumerate each service thoroughly. This lesson covers common services found in OSCP environments.
SMB Enumeration (Port 445, 139)
SMB is one of the most exploited protocols in OSCP. Always enumerate it comprehensively.
Quick SMB Checks
```bash
# Check SMB version and OS info
nmap --script=smb-os-discovery -p 445 $IP
# List shares
smbclient -L //$IP -N
# CrackMapExec enumeration
crackmapexec smb $IP
# Check for null session
smbclient //$IP/share -N
```
Enum4linux (Comprehensive)
```bash
# Full enumeration
enum4linux -a $IP
# Key output to look for:
# - Users and groups
# - Share permissions
# - Password policy
# - OS information
```
SMB Share Access
```bash
# List shares with null session
smbclient -L //$IP -N
# Connect to a share
smbclient //$IP/share -U username
# Download all files recursively
smbget -R smb://$IP/share -U username
# Mount share locally
sudo mount -t cifs //$IP/share /mnt/share -o user=username
```
Common Vulnerabilities
| Vulnerability | Nmap Script | Affected Versions |
|---|---|---|
| EternalBlue (MS17-010) | smb-vuln-ms17-010 | Windows 7, Server 2008 R2 |
| MS08-067 | smb-vuln-ms08-067 | Windows XP, Server 2003 |
| SMB Signing Disabled | smb-security-mode | Various |

```bash
# Check for EternalBlue
nmap --script=smb-vuln-ms17-010 -p 445 $IP
```
FTP Enumeration (Port 21)
Basic FTP Checks
```bash
# Check for anonymous login
nmap --script=ftp-anon -p 21 $IP
# Manual anonymous test
ftp $IP
# Username: anonymous
# Password: (blank or any email)
# List FTP version
nmap -sV -p 21 $IP
```
FTP Commands
```bash
# Once connected (commands typed at the ftp> prompt):
ls          # List files
get file    # Download file
put file    # Upload file (if writable)
binary      # Switch to binary mode
ascii       # Switch to ASCII mode
```
Exploitable FTP Servers
| Server | Vulnerability | Check |
|---|---|---|
| vsftpd 2.3.4 | Backdoor | Port 6200 opens after login |
| ProFTPD 1.3.3c | Remote Code Execution | Searchsploit |
| FileZilla | Credential storage | Check config files |
SSH Enumeration (Port 22)
SSH is usually not directly exploitable, but provides valuable information.
Version Detection
```bash
# Get SSH version
nmap -sV -p 22 $IP
# Or connect directly
ssh -v $IP
```
SSH Attacks
```bash
# Brute force (use as last resort)
hydra -l user -P /usr/share/wordlists/rockyou.txt ssh://$IP
# Check for weak keys
nmap --script=ssh-hostkey -p 22 $IP
```
SMTP Enumeration (Port 25, 587)
SMTP can reveal valid usernames through VRFY and EXPN commands.
User Enumeration
```bash
# Manual VRFY
nc -nv $IP 25
# Then, in the SMTP session:
VRFY root
VRFY admin
# Automated enumeration
smtp-user-enum -M VRFY -U /usr/share/wordlists/names.txt -t $IP
# Nmap script
nmap --script=smtp-enum-users -p 25 $IP
```
Check Relay
```bash
# Test for open relay
nmap --script=smtp-open-relay -p 25 $IP
```
SNMP Enumeration (UDP 161)
SNMP often leaks sensitive information with default community strings.
Check Default Communities
```bash
# Using onesixtyone
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt $IP
# Using Nmap
nmap -sU -p 161 --script=snmp-brute $IP
```
Walking SNMP Tree
```bash
# Walk entire MIB tree
snmpwalk -v2c -c public $IP
# Get system info
snmpwalk -v2c -c public $IP system
# Get running processes (Windows)
snmpwalk -v2c -c public $IP 1.3.6.1.2.1.25.4.2.1.2
# Get installed software
snmpwalk -v2c -c public $IP 1.3.6.1.2.1.25.6.3.1.2
```
Critical SNMP OIDs
| OID | Information |
|---|---|
| 1.3.6.1.2.1.25.4.2.1.2 | Running processes |
| 1.3.6.1.2.1.25.6.3.1.2 | Installed software |
| 1.3.6.1.4.1.77.1.2.25 | Windows users |
| 1.3.6.1.2.1.6.13.1.3 | TCP local ports |
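As an added example (not part of the original lesson), a small Python parser that reads snmpwalk's default output and groups the returned values under the OID subtrees in the table above, which is a quick way to audit exactly what a community string exposes on your own hosts before an assessor finds it. The sample output is constructed, not captured from a real device, and the "iso."/".1." prefix handling assumes Net-SNMP's two usual output spellings.

```python
import re
from collections import defaultdict

# Subtrees from the Critical SNMP OIDs table, keyed by dotted OID prefix.
OID_LABELS = {
    "1.3.6.1.2.1.25.4.2.1.2": "running processes",
    "1.3.6.1.2.1.25.6.3.1.2": "installed software",
    "1.3.6.1.4.1.77.1.2.25": "Windows users",
    "1.3.6.1.2.1.6.13.1.3": "TCP local ports",
}
# One line: "<oid> = <TYPE>: <value>". Net-SNMP prints "iso." without MIBs
# loaded and ".1." with -On; both spellings are normalised in parse_snmpwalk.
LINE_RE = re.compile(r"^(\S+)\s*=\s*([A-Za-z0-9-]+):\s*(.*)$")

def parse_snmpwalk(text):
    """Return [(oid, type, value)] with bare dotted-decimal OIDs."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skips blanks and trailers such as "End of MIB"
        oid, vtype, value = m.groups()
        oid = oid.lstrip(".")
        if oid.startswith("iso."):
            oid = "1." + oid[4:]
        records.append((oid, vtype, value.strip().strip('"')))
    return records

def summarize(text):
    """Group walked values under the table labels, preserving walk order."""
    exposed = defaultdict(list)
    for oid, _vtype, value in parse_snmpwalk(text):
        for prefix, label in OID_LABELS.items():
            # Match on a dot boundary so ...1.2 does not also claim ...1.20.
            if oid == prefix or oid.startswith(prefix + "."):
                exposed[label].append(value)
    return dict(exposed)

# Constructed sample in Net-SNMP's default output format (not a real capture).
SAMPLE = """\
iso.3.6.1.2.1.1.1.0 = STRING: "Hardware: x86 - Software: Windows Version 6.1"
iso.3.6.1.2.1.25.4.2.1.2.512 = STRING: "svchost.exe"
iso.3.6.1.2.1.25.4.2.1.2.1337 = STRING: "mysqld.exe"
iso.3.6.1.2.1.25.6.3.1.2.1 = STRING: "7-Zip 9.20"
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.445.0.0.0.0.0 = INTEGER: 445
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.3306.0.0.0.0.0 = INTEGER: 3306
iso.3.6.1.4.1.77.1.2.25.1.1.5.97.100.109.105.110 = STRING: "admin"
End of MIB
"""
```

Feed it the saved output of `snmpwalk -v2c -c public $IP` and `summarize()` returns, per table row, everything that community string handed out; an empty result for a host that should be locked down is the outcome you want.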
NFS Enumeration (Port 2049)
Network File System shares can expose sensitive files.
```bash
# Show mounted shares
showmount -e $IP
# Mount a share
sudo mount -t nfs $IP:/share /mnt/nfs
# List share permissions
nmap --script=nfs-showmount -p 2049 $IP
```
RPC Enumeration (Port 111)
```bash
# List RPC services
rpcinfo -p $IP
# Enumerate using Nmap
nmap --script=rpc-grind,rpcinfo -p 111 $IP
```
Service Enumeration Checklist
For every target, check:
□ SMB (445, 139) - shares, users, vulnerabilities
□ FTP (21) - anonymous access, version exploits
□ SSH (22) - version, weak credentials
□ HTTP/HTTPS (80, 443, 8080) - [covered in web enum]
□ SMTP (25) - user enumeration
□ SNMP (161 UDP) - default communities
□ DNS (53) - zone transfers
□ NFS (2049) - exported shares
□ MySQL (3306) - default credentials
□ MSSQL (1433) - sa account, xp_cmdshell
□ RDP (3389) - brute force, BlueKeep
Next, we'll focus specifically on web application enumeration.