Ethical Hacking Lesson 16 – Service Enumeration | Dataplexa
Reconnaissance & Scanning · Lesson 16

Service Enumeration

Port scanning tells you a door is open. Service enumeration is you walking up to that door, reading the nameplate, checking the lock type, and listening for what's happening on the other side — before you decide whether to knock.

Version numbers are the real target

Here is something that took me a while to fully appreciate: vulnerabilities are not attached to services. They are attached to versions of services. Apache HTTP Server is not vulnerable. Apache HTTP Server 2.2.8 is. That distinction matters enormously because the moment you know the exact version running on a port, you can cross-reference it against the CVE database and know — before attempting a single exploit — whether a public vulnerability exists, how severe it is, and whether a working proof of concept is available.

Service enumeration is the process of extracting those version numbers, configuration details, and software fingerprints from live services. Some of it happens automatically during an Nmap -sV scan. The rest requires targeted interaction with individual services — connecting to them directly and reading what they reveal about themselves.

Banner grabbing — services that introduce themselves

Many services announce themselves the moment you connect. Open a connection to an FTP server and it greets you with a message — the banner — that often includes the software name, version, and sometimes the operating system it is running on. This is called banner grabbing, and it requires nothing more than a basic TCP connection.

Think of it this way: if someone opens your front door and you immediately say "Hi, I'm John, I live here, this is a three-bedroom house built in 1987" — that is a banner. Some services are that forthcoming. Others are not, which is where deeper enumeration techniques come in.

Services that commonly reveal detailed banners

FTP (port 21): software name, version, sometimes OS. Connects instantly with netcat.
SSH (port 22): protocol version, software and version visible before authentication.
SMTP (port 25): mail server software and version. Supports interactive commands.
HTTP (port 80/443): Server header reveals web server software, version, sometimes OS and modules.
Telnet (port 23): login banner often includes hostname, OS, and distribution details.
MySQL (port 3306): database version in the initial handshake packet before auth.

Grabbing banners manually with netcat

Netcat is the closest thing to a universal network conversation tool. It opens raw TCP connections to any port and lets you read and write data directly — no protocol overhead, no framing, just raw bytes. Every pen tester has it in their toolkit and uses it almost daily for things as simple as banner grabbing and as complex as setting up reverse shells.

The scenario: Your Nmap scan found FTP on port 21 and SMTP on port 25 on Metasploitable. The version detection gave you approximate information — but you want to see exactly what each service says when you connect directly. You reach for netcat.

# netcat (nc) opens a raw TCP connection to a host and port
# Whatever the service sends back immediately after connection is the banner
# Active recon — packets reach the target — run only within authorised scope

# -v  verbose mode — shows connection status messages
#     useful for confirming the connection actually succeeded
# -n  skip DNS resolution — connect directly by IP, faster and quieter
# -w 3  wait 3 seconds for a response then exit automatically
#        without -w the connection stays open indefinitely after the banner

# Grab the FTP banner on port 21
nc -v -n -w 3 192.168.56.101 21

# Grab the SMTP banner on port 25
nc -v -n -w 3 192.168.56.101 25

Breaking it down:

220 (vsFTPd 2.3.4)
220 is the FTP status code for "service ready." Everything after it is the banner text the server chose to send. In this case vsftpd announced itself by name and version without being asked. That 2.3.4 version number confirms the backdoor finding from Lesson 14 — and you got it with a raw netcat connection in under a second.
metasploitable.localdomain ESMTP Postfix (Ubuntu)
The SMTP banner handed you three pieces of intelligence simultaneously: the internal hostname (metasploitable.localdomain), the mail software (Postfix), and the underlying OS (Ubuntu). Internal hostnames are valuable — they sometimes follow naming conventions that reveal information about the organisation's broader infrastructure.

HTTP headers — the server's ID badge

Web servers are particularly talkative. Every HTTP response includes a set of headers — metadata that travels alongside the page content — and those headers frequently include the server software, version, and enabled modules. You do not even need to look at the page itself. Just ask for the headers.

In 2012, researchers discovered a vulnerability in Apache 2.2.x that allowed directory traversal under specific module configurations. Companies running the vulnerable version were identifiable in minutes using nothing more than a curl request to read the Server header. The fix was a version update. The companies that got hit were the ones whose web server version nobody had enumerated.

# curl fetches content from a URL
# We only want the response headers — not the actual page HTML
# Active recon — a real HTTP request hits the target web server

# -I  sends a HEAD request instead of GET — fetches headers only, no body content
#     faster and produces less traffic than downloading the full page
# -s  silent mode — hides curl's progress bar so output stays clean

curl -I -s http://192.168.56.101

# Also check port 8180 where Apache Tomcat is running
# Different port, potentially different software and version
curl -I -s http://192.168.56.101:8180

Breaking it down:

Server: Apache/2.2.8 (Ubuntu) DAV/2
The Server header confirmed what Nmap told us — Apache 2.2.8 on Ubuntu with WebDAV enabled. WebDAV is a protocol extension that allows files to be written to the web server remotely. If it is misconfigured, it can allow file upload without authentication — a direct path to dropping a web shell.
X-Powered-By: PHP/5.2.4
PHP 5.2.4 was end-of-life in 2011. Finding it running in any modern environment is a significant finding on its own. This version predates critical security fixes that addressed remote code execution vulnerabilities — cross-reference PHP 5.2.4 against the CVE database and you will find multiple critical entries.
Apache-Coyote/1.1 on port 8180
Coyote is the HTTP connector component inside Apache Tomcat. This header confirms Tomcat is running here — which means the /manager/html administration panel almost certainly exists and is worth checking for default credentials. One response header, one confirmed attack vector.

Two curl commands. In the first response alone: Apache version, OS, WebDAV status, PHP version. All of it sitting in the headers of a normal HTTP response. The server told you everything without being pushed.
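The banner and header sections above, and the Teacher's Note at the end of the lesson, all come down to one question a defender should be able to answer about their own hosts: what does each greeting give away? The following Python is an added example (not the lesson's own code and not from any of the tools it names) that parses captured FTP and SMTP greetings and a curl -I header block into an inventory of disclosed products, versions and OS hints, and checks whether a Server header has been reduced to a bare product name. The sample captures are constructed from the output lines quoted in this lesson; the regular expressions are assumptions that cover the common banner shapes shown here, not a general fingerprint database.

```python
import re

# Constructed sample captures, built from the banner and header lines quoted in this lesson
FTP_BANNER = "220 (vsFTPd 2.3.4)"
SMTP_BANNER = "220 metasploitable.localdomain ESMTP Postfix (Ubuntu)"
HTTP_RAW = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.2.8 (Ubuntu) DAV/2\r\n"
    "X-Powered-By: PHP/5.2.4\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
# The same host after hardening the Server header: product name only, no version, no OS
HTTP_HARDENED = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"

PRODUCT_VERSION = re.compile(r"(?P<product>[A-Za-z][\w-]*)/(?P<version>\d[\w.]*)")
PARENTHESISED = re.compile(r"\(([^)]+)\)")   # OS hints such as "(Ubuntu)"


def parse_ftp_banner(line):
    """'220 (vsFTPd 2.3.4)' -> {'product': 'vsFTPd', 'version': '2.3.4'}; None if no version shown."""
    m = re.match(r"^220[ -]\(?(?P<product>[A-Za-z][\w.-]*?)\s+(?P<version>\d[\w.]*)\)?", line)
    return m.groupdict() if m else None


def parse_smtp_banner(line):
    """'220 host ESMTP Postfix (Ubuntu)' -> hostname, MTA product and optional OS hint."""
    m = re.match(r"^220[ -](?P<host>\S+)\s+ESMTP\s+(?P<product>\S+)(?:\s+\((?P<os>[^)]+)\))?", line)
    return m.groupdict() if m else None


def parse_http_headers(raw):
    """Turn a curl -I style response into {header-name-lowercased: value}."""
    headers = {}
    for line in raw.split("\r\n")[1:]:      # [0] is the status line
        if not line:                         # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def version_disclosures(headers):
    """Every (header, product, version) triple leaked by Server and X-Powered-By."""
    found = []
    for name in ("server", "x-powered-by"):
        for m in PRODUCT_VERSION.finditer(headers.get(name, "")):
            found.append((name, m.group("product"), m.group("version")))
    return found


def os_hints(headers):
    """Parenthesised tokens in the Server header, e.g. ['Ubuntu']."""
    return PARENTHESISED.findall(headers.get("server", ""))


def is_hardened_server_header(headers):
    """True when Server is absent or carries neither a version nor an OS hint."""
    value = headers.get("server")
    if value is None:
        return True
    return not (PRODUCT_VERSION.search(value) or PARENTHESISED.search(value))


def audit_host(ftp_banner, smtp_banner, http_raw):
    """Collect the inventory a defender would want from one host's captured greetings."""
    headers = parse_http_headers(http_raw)
    return {
        "ftp": parse_ftp_banner(ftp_banner),
        "smtp": parse_smtp_banner(smtp_banner),
        "http_versions": version_disclosures(headers),
        "http_os_hints": os_hints(headers),
        "server_header_hardened": is_hardened_server_header(headers),
    }


if __name__ == "__main__":
    for key, value in audit_host(FTP_BANNER, SMTP_BANNER, HTTP_RAW).items():
        print(f"{key:>24}: {value}")
    print("hardened host ok:", is_hardened_server_header(parse_http_headers(HTTP_HARDENED)))
```

Run against real captures by replacing the constructed strings with what nc and curl -I return for your own hosts; any host where server_header_hardened is False, or where the FTP or SMTP greeting yields a version, is one where the Teacher's Note has not yet been applied.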

SMTP enumeration — finding valid users through a mail server

Mail servers have an interesting quirk. The SMTP protocol includes commands — VRFY and EXPN — that were designed to let systems verify whether an email address exists before sending to it. The intent was operational efficiency. The reality is that many mail servers respond differently to valid and invalid usernames — which means you can use them to enumerate which accounts exist on the system.

On a real engagement, confirming which usernames exist on a system feeds directly into the password attack phase. Knowing that "admin," "john.harrison," and "sysadmin" are valid accounts before you start brute-forcing dramatically narrows the target list.

# Connect to the SMTP server interactively using netcat
# We type SMTP commands manually to check whether specific users exist
# The server's response code tells us whether each username is valid

# After the connection opens and shows the 220 banner, type these commands:

# VRFY asks the server to verify whether a username exists
# A 250 response means the user exists — 550 means they do not
# Not all servers honour VRFY — some are configured to always return 252

nc -v -n 192.168.56.101 25

# Then once connected, type these commands one at a time:
# VRFY root
# VRFY admin
# VRFY msfadmin
# VRFY nonexistentuser

Breaking it down:

252 vs 550 response codes
252 means "cannot verify but will try to deliver" — which in practice confirms the user exists. 550 means "user unknown" — the account does not exist. This difference in response is what makes user enumeration possible. You now know root, admin, and msfadmin are valid accounts on this system.
Why this matters for the next phase
These three confirmed usernames — root, admin, msfadmin — become the username list for the password attack phase. Running a brute-force attempt against 1,000 random usernames wastes time and generates noise. Running it against three confirmed accounts is precise and quiet.
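The VRFY exchange above works only because the server answers known and unknown accounts differently. The following Python is an added example (not the lesson's own code and not a real mail server) that plays both sides of the conversation: a simulated server that answers VRFY under three policies, and the client-side reading of the reply codes the lesson describes. The account table and the banner are constructed; the "uniform" policy is the behaviour the lesson mentions for servers that always return 252, and the "disabled" policy is modelled on Postfix's disable_vrfy_command, with its exact reply text assumed here rather than taken from the page.

```python
# Constructed account table standing in for the target's local users; not real data
LOCAL_USERS = {"root", "admin", "msfadmin"}


def vrfy_response(username, policy="per-user"):
    """Server side of 'VRFY <username>' under three policies.

    per-user : the leaky behaviour quoted in the lesson (252 for a known account, 550 otherwise)
    uniform  : every lookup gets the same 252, so the reply carries no account information
    disabled : the command is refused outright (modelled on Postfix's disable_vrfy_command;
               the exact reply text here is an assumption)
    """
    if policy == "disabled":
        return "502 5.5.1 VRFY command is disabled"
    if policy == "uniform" or username in LOCAL_USERS:
        return f"252 2.0.0 {username}"
    return f"550 5.1.1 <{username}>: Recipient address rejected: User unknown"


def classify(reply):
    """Client side: what a tester would conclude from the three-digit reply code."""
    code = reply[:3]
    if code == "250":
        return "exists"
    if code == "252":
        return "exists"          # cannot verify, will attempt delivery; in practice a hit
    if code == "550":
        return "unknown"
    if code.startswith("5"):
        return "refused"
    return "indeterminate"


def exchange(candidates, policy="per-user"):
    """Full conversation as (client line, server line) pairs, starting with the 220 greeting."""
    lines = [("", "220 mail.example.test ESMTP (constructed banner)")]
    for user in candidates:
        lines.append((f"VRFY {user}", vrfy_response(user, policy)))
    lines.append(("QUIT", "221 2.0.0 Bye"))
    return lines


def confirmed_users(candidates, policy="per-user"):
    """Usernames the replies mark as existing."""
    return {u for u in candidates if classify(vrfy_response(u, policy)) == "exists"}


def acts_as_oracle(candidates, policy="per-user"):
    """True when replies differ between candidates, i.e. the server leaks account validity."""
    return len({classify(vrfy_response(u, policy)) for u in candidates}) > 1


if __name__ == "__main__":
    probes = ["root", "admin", "msfadmin", "nonexistentuser"]
    for policy in ("per-user", "uniform", "disabled"):
        print(f"--- policy: {policy} ---")
        for client, server in exchange(probes, policy):
            if client:
                print("C:", client)
            print("S:", server)
        print("confirmed:", sorted(confirmed_users(probes, policy)),
              "| oracle:", acts_as_oracle(probes, policy))
```

Under the per-user policy the confirmed set is exactly the three accounts the lesson lists. Under the uniform policy every probe, including nonexistentuser, comes back as "exists", which is the point: a server that says yes to everyone tells the tester nothing, and acts_as_oracle is False for both hardened policies.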

SMB enumeration — what Windows shares are advertising

The Server Message Block protocol is the Windows file and printer sharing protocol — and it is one of the most reliably interesting services to enumerate on any network. SMB shares, user lists, domain information, and OS details are all extractable from a live SMB service using standard enumeration tools. On Linux, Samba implements the SMB protocol, which is why you see it on Metasploitable.

enum4linux is the standard tool for SMB enumeration on Linux. It wraps several underlying tools into a single run and pulls everything it can from a target's SMB service — shares, users, groups, password policies, and OS information — without requiring any credentials if the server allows null sessions.

# enum4linux enumerates information from Windows and Samba SMB services
# It attempts null session connections — connecting without credentials
# If the target allows null sessions (common on older systems) it extracts
# shares, usernames, groups, OS details, and password policy information

# -a  runs all basic enumeration checks in a single pass
#     equivalent to running shares, users, groups, OS info separately
# Replace the IP with your Metasploitable address

enum4linux -a 192.168.56.101

Breaking it down:

tmp share — Mapping: OK, Write access: OK
A network share mapped with write access — without any credentials. On a real system this means anyone on the network can drop files into /tmp via SMB. Depending on what processes read from /tmp and what permissions they run with, this can be a path to code execution. The comment "oh noes!" was put there by the Metasploitable developers as a hint.
Four users enumerated without credentials
msfadmin, postgres, user, service — all extracted via a null session connection. Combined with the SMTP VRFY results and the MySQL empty root password, you now have a comprehensive user list across multiple services. This list feeds directly into the credential attack phase.
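The "Mapping: OK, Write access: OK" result for the tmp share is produced by a handful of smb.conf settings, so a defender can find the same exposure from the server side without running enum4linux at all. The following Python is an added example (not the lesson's own code and not part of Samba or enum4linux) that reads an smb.conf fragment and reports every share a guest or null-session connection could reach, separating guest-writable shares from guest-readable ones. The configuration is constructed to resemble the share the lesson describes and is not a copy of Metasploitable's real file; the Samba option names (read only, writable, guest ok, public, map to guest) are real, while the Python-side handling of their defaults is this example's own simplification.

```python
import configparser

# Constructed smb.conf fragment modelled on the writable guest share described in the lesson;
# not a copy of Metasploitable's real configuration
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba, Ubuntu)
   map to guest = Bad User

[tmp]
   comment = oh noes!
   path = /tmp
   read only = no
   guest ok = yes

[homes]
   comment = Home Directories
   browseable = no
   read only = yes

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   read only = yes
   guest ok = yes
"""

TRUE_VALUES = {"yes", "true", "1"}


def smb_bool(value, default=False):
    """Samba boolean parsing: yes/true/1 are true, anything else false; None -> default."""
    if value is None:
        return default
    return value.strip().lower() in TRUE_VALUES


def load_smb_conf(text):
    """smb.conf is INI-like: '=' delimiters, '#'/';' comments, keys with spaces, %-macros."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return cp


def share_is_writable(section):
    """'read only' wins when present; otherwise check its synonyms; Samba defaults to read-only."""
    if "read only" in section:
        return not smb_bool(section["read only"])
    for synonym in ("writable", "writeable", "write ok"):
        if synonym in section:
            return smb_bool(section[synonym])
    return False


def share_allows_guest(section):
    """'guest ok' (alias 'public') lets a connection with no password map to the guest account."""
    return smb_bool(section.get("guest ok")) or smb_bool(section.get("public"))


def audit_shares(text):
    """Return [(share, finding)] for every share reachable without credentials."""
    cp = load_smb_conf(text)
    findings = []
    for name in cp.sections():
        if name.lower() == "global":
            continue
        share = cp[name]
        if share_allows_guest(share):
            if share_is_writable(share):
                findings.append((name, f"guest-writable share exposing {share.get('path', '(no path)')}"))
            else:
                findings.append((name, "guest-readable share"))
    return findings


def guest_mapping(text):
    """The global 'map to guest' value, which decides what happens to failed logins."""
    return load_smb_conf(text).get("global", "map to guest", fallback="Never")


if __name__ == "__main__":
    print("map to guest =", guest_mapping(SAMPLE_SMB_CONF))
    for share, finding in audit_shares(SAMPLE_SMB_CONF):
        print(f"[{share}] {finding}")
```

Point it at /etc/samba/smb.conf on your own file servers; every share it reports is one that would show "Mapping: OK" in an enum4linux run, and the guest-writable ones are the /tmp-style findings worth fixing first, either by setting guest ok = no or by making the share read only.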

Stop and count what three service enumeration commands produced: confirmed software versions, an internal hostname, WebDAV exposure, an end-of-life PHP version, three valid SMTP usernames, a writable network share, and four system user accounts — all without authenticating to anything or exploiting a single vulnerability. Service enumeration is methodical, unglamorous, and absolutely essential. The teams that skip it are the ones whose reports miss half the attack surface.

Teacher's Note: Suppress the Server header on production web servers. It is one configuration change that removes a significant amount of free intelligence from any attacker running curl against your infrastructure. Hardened systems return "Server: Apache" or nothing at all — not the full version string with modules listed.

Practice questions

Scenario:

A pen tester connects to port 21 on a target server using netcat and receives this response immediately: "220 FileZilla Server 0.9.41 beta." No commands were sent — the service produced this output the moment the connection was established. The tester now knows the exact FTP software and version running on the target. What is the name for this technique of extracting service version information from an automatic greeting message?


Scenario:

During an authorised engagement, a pen tester connects to a target's SMTP server on port 25 and uses an SMTP protocol command to check whether specific usernames exist on the system. The server returns a 252 response for "admin" and a 550 response for "testuser123" — confirming that admin is a valid account but testuser123 does not exist. Which SMTP command did the tester use to perform this user enumeration?


Scenario:

A pen tester discovers that a Linux server is running Samba on port 445 during their port scan. They want to run a single command that will attempt null session connections and extract available SMB shares, user account names, group memberships, and operating system information from the target — all in one automated pass. Which Kali tool is designed specifically for this type of comprehensive SMB enumeration?


Quiz

Scenario:

A pen tester runs curl -I against a target web server and gets back these headers: "Server: Apache/2.4.51, X-Powered-By: PHP/5.2.4, Content-Type: text/html." They note the Apache version is recent and move on to the next host. Their team lead reviews the output and immediately flags something the tester missed. What did the team lead spot and why does it matter?

Scenario:

A curl -I request to port 8180 on a target returns: "Server: Apache-Coyote/1.1." The pen tester recognises this as the HTTP connector component of Apache Tomcat. Based solely on this header and knowledge of how Tomcat is commonly deployed, what is the most logical immediate next step in the service enumeration phase?

Scenario:

A pen tester runs enum4linux against a target and successfully retrieves a list of user accounts and available SMB shares — without providing any username or password to authenticate to the server. Their client is surprised and asks how the tool extracted user information without credentials. What connection type allowed enum4linux to access this information without authentication?

Up Next · Lesson 17

Vulnerability Scanning

You have a complete service inventory. Now the systematic search for exploitable weaknesses begins — automated scanning, manual validation, and understanding why false positives are more dangerous than they look.