Service Enumeration
Knowing port 8080 is open tells you little. Knowing it’s Apache Tomcat 9.0.30 tells you what default paths to check, what CVEs apply, and what credentials to try. Service enumeration turns open ports into identified, versioned services.
Version + default-script scan
Run nmap against only the ports you found open in port scanning, with version detection and the default safe scripts. This is the deep, accurate scan, so let it take its time:
```bash
host=203.0.113.10
# .gnmap puts each host's ports on one line, as "22/open/tcp//ssh///, 80/open/tcp//http///".
# Pull the numbers that are followed by /open/ and join them with commas.
ports=$(grep -oE '[0-9]+/open/' "hosts/$host/recon/nmap-quick-tcp.gnmap" \
  | cut -d/ -f1 | sort -un | paste -sd, -)
# nmap errors out on an empty -p, so fail loudly if the quick scan recorded nothing.
[ -n "$ports" ] || { echo "no open ports recorded for $host" >&2; exit 1; }
sudo nmap -p"$ports" -sV -sC -A -Pn -n \
  --host-timeout 30m \
  "$host" \
  -oA "hosts/$host/recon/nmap-tcp"
```
What the flags do:
- `-sV`: probe for service/version.
- `-sC`: run the default NSE script set (banner grab, titles, common checks).
- `-A`: aggressive; implies `-sV -sC` and adds OS detection, traceroute, and more scripts. Drop it if you need to be quieter; `-sV -sC` alone is the high-signal core.
- `--host-timeout`: don't let one stubborn host stall the whole run.
`-oA` writes three files. The two you'll use constantly:
- `.nmap`: human-readable; read it.
- `.xml`: machine-readable; feed it to `searchsploit --nmap`, reporting tools, and importers.
The third, `.gnmap`, is the grep-friendly one-line-per-host form that the port-list extraction above reads.
What to extract
Walk every host’s .nmap output and pull out:
- Service + version for each port → drives vulnerability hunting. Treat the version as a lead, not proof: banners get trimmed or faked, and distro backports mean a version string alone does not confirm a CVE.
- HTTP/HTTPS services (including odd ports like 8000, 8443, 3000) → feed to HTTP probing.
- TLS cert names → may surface new vhosts/domains (loop back to discovery).
- Anonymous/guessable access flagged by NSE scripts (FTP anon login, open SMB shares, exposed RPC).
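The same extraction done against the `.xml` output instead of by eye, as an added example that is not part of the original page. It uses only the Python standard library and runs on `SAMPLE_XML`, a report constructed for this example in the layout nmap's `-oX` produces; it pulls out the four items in the list above. `WEB_PORTS` and `ACCESS_MARKERS` are my own choices, and the SAN extraction assumes the `ssl-cert` script's subject/extensions tables as nmap writes them to XML.

```python
"""Triage an nmap -sV -sC XML report: versions, web surface, cert names, free access.

Added example, not from the original page; standard library only. SAMPLE_XML is a
constructed report laid out like nmap's -oX output.
"""
import re
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Ports that are usually web apps even when nmap's service table says otherwise
# (3000 is listed as "ppp" if no version probe matches). Own choice, extend as needed.
WEB_PORTS = {80, 443, 3000, 5000, 8000, 8008, 8080, 8443, 8888, 9443}

# NSE script id -> substring of its output that means anonymous/guessable access.
ACCESS_MARKERS = {
    "ftp-anon": "Anonymous FTP login allowed",
    "smb-enum-shares": "Anonymous access: READ",
}

# Constructed sample: two hosts, one filtered port, one ssl-cert result with SANs.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sC -oX - 203.0.113.10 203.0.113.11" version="7.94">
<host><status state="up"/><address addr="203.0.113.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="3.0.3"/>
 <script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/></port>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.2p1"/></port>
<port protocol="tcp" portid="8080"><state state="open"/><service name="http" product="Apache Tomcat" version="9.0.30"/></port>
<port protocol="tcp" portid="8443"><state state="open"/><service name="http" product="nginx" version="1.18.0" tunnel="ssl"/>
 <script id="ssl-cert" output="Subject: commonName=www.example.com">
  <table key="subject"><elem key="commonName">www.example.com</elem></table>
  <table key="extensions"><table><elem key="name">X509v3 Subject Alternative Name</elem>
   <elem key="value">DNS:www.example.com, DNS:intranet.example.com</elem></table></table></script></port>
<port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
</ports></host>
<host><status state="up"/><address addr="203.0.113.11" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.2p1"/></port>
<port protocol="tcp" portid="3000"><state state="open"/><service name="ppp"/></port>
</ports></host></nmaprun>"""


def parse_nmap_xml(xml_text):
    """One dict per open port across all hosts; closed/filtered ports are skipped."""
    services = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        addr = addr.get("addr") if addr is not None else "?"
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            a = svc.attrib if svc is not None else {}
            services.append({
                "host": addr, "port": int(port.get("portid")), "proto": port.get("protocol"),
                "name": a.get("name", ""), "product": a.get("product", ""),
                "version": a.get("version", ""), "tunnel": a.get("tunnel", ""),
                # script id -> element, so callers can read output= or the XML tables
                "scripts": {s.get("id"): s for s in port.findall("script")},
            })
    return services


def web_urls(services):
    """URLs to hand to HTTP probing; odd ports count as web by port number."""
    urls = []
    for s in services:
        if s["name"].startswith("http") or s["port"] in WEB_PORTS:
            scheme = "https" if s["tunnel"] == "ssl" or s["name"] == "https" else "http"
            urls.append(f"{scheme}://{s['host']}:{s['port']}")
    return urls


def cert_names(services):
    """Hostnames from the ssl-cert subject CN and SAN extension: new vhost candidates."""
    names = set()
    for s in services:
        cert = s["scripts"].get("ssl-cert")
        if cert is None:
            continue
        cn = cert.find("table[@key='subject']/elem[@key='commonName']")
        if cn is not None and cn.text:
            names.add(cn.text.strip())
        for ext in cert.findall("table[@key='extensions']/table"):
            if "Subject Alternative Name" in ext.findtext("elem[@key='name']", ""):
                names.update(re.findall(r"DNS:([^,\s]+)", ext.findtext("elem[@key='value']", "")))
    return sorted(names)


def access_findings(services):
    """(host, port, script id) for NSE output that indicates anonymous access."""
    return [(s["host"], s["port"], sid)
            for s in services for sid, marker in ACCESS_MARKERS.items()
            if sid in s["scripts"] and marker in s["scripts"][sid].get("output", "")]


def inventory(services):
    """Count of each service/product/version string across hosts, most common first."""
    keys = [" ".join(v for v in (s["name"], s["product"], s["version"]) if v) for s in services]
    return Counter(keys).most_common()


if __name__ == "__main__":
    svcs = parse_nmap_xml(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML)
    print("web:", *web_urls(svcs))
    print("cert names:", *cert_names(svcs))
    print("access:", *access_findings(svcs))
    for key, n in inventory(svcs):
        print(f"{n:3d} {key}")
```

Run it as `python3 triage.py hosts/$host/recon/nmap-tcp.xml` on a real report. The URL list goes to HTTP probing, the cert names loop back to discovery, and the access findings are the first things to try by hand.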
Targeted NSE for interesting services
When `-sC` flags something, follow up with service-specific scripts. A few I reach for a lot:
```bash
# SMB — shares, users, known vulns
nmap -p139,445 --script "smb-enum-shares,smb-enum-users,smb-vuln-*" "$host"
# HTTP — titles, methods, common files
nmap -p80,443 --script "http-title,http-methods,http-headers,http-enum" "$host"
# SSL/TLS — protocols, ciphers, weaknesses
nmap -p443 --script "ssl-enum-ciphers,ssl-cert" "$host"
```
Before pointing a wildcard like `smb-vuln-*` at production, check what it expands to with `nmap --script-help='smb-vuln-*'`: several of those scripts are tagged intrusive or dos and can knock over an old file server. `http-enum` is also loud; it sends one request per entry in its fingerprint database.
Quick service inventory across all hosts
To get a one-line-per-service overview for triage:
```bash
grep -hP '^\d+/(tcp|udp)\s+open' hosts/*/recon/nmap-tcp.nmap \
  | awk '{printf "%s %s", $1, $3; for (i = 4; i <= NF; i++) printf " %s", $i; print ""}' \
  | sort | uniq -c | sort -rn
```
Point the glob at the version-scan output only. If it also picks up `nmap-quick-tcp.nmap`, every service appears twice, once with its version string and once without. The `awk` loop keeps the whole version string rather than a fixed number of fields, so long banners like `OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)` are not truncated into several distinct-looking entries.
This tells you at a glance “we have 40 web servers, 12 SSH, 6 RDP, 3 Tomcat” — which decides where to spend the hunting phase.
Next: get eyes on the web surface with HTTP Probing & Screenshots.