Service Enumeration Tools

Comprehensive collection of service enumeration tools and techniques for network reconnaissance and penetration testing.

Basic Banner Grabbing

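# Telnet banner grab (interactive: type a request; Ctrl-] then "quit" to leave).
# Only clear-text services greet on connect. Port 443 speaks TLS, so telnet and
# nc show nothing readable there — use the openssl s_client lines further down.
telnet TARGET_IP 80
telnet TARGET_IP 443
telnet TARGET_IP 21
telnet TARGET_IP 25
telnet TARGET_IP 22

# Netcat banner grab (same caveat; nc stays attached until stdin closes or the
# server hangs up)
nc TARGET_IP 80
nc TARGET_IP 443
nc TARGET_IP 21
nc TARGET_IP 25
nc TARGET_IP 22

# Nmap banner grab (-sV matches service probes; the banner script prints the raw
# greeting next to the match)
nmap -sV --script banner TARGET_IP

# Curl banner grab (HEAD request; Server / X-Powered-By headers are the "banner")
curl -I http://TARGET_IP
curl -I https://TARGET_IP

# Wget banner grab (-S prints response headers; --spider fetches nothing)
wget --spider -S http://TARGET_IP
wget --spider -S https://TARGET_IP

# OpenSSL banner grab: prints the certificate chain and negotiated protocol.
# </dev/null closes stdin so s_client exits after the handshake instead of
# sitting on an open session waiting for keyboard input.
openssl s_client -connect TARGET_IP:443 </dev/null
openssl s_client -connect TARGET_IP:993 </dev/null
openssl s_client -connect TARGET_IP:995 </dev/null

# SMTP banner grab (465 is implicit TLS: expect no readable greeting from nc)
nc TARGET_IP 25
nc TARGET_IP 587
nc TARGET_IP 465

# FTP banner grab (990 is implicit TLS, same caveat)
nc TARGET_IP 21
nc TARGET_IP 990

# SSH banner grab (the server sends its version string first; no input needed)
nc TARGET_IP 22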

Advanced Banner Grabbing

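# HTTP banner grab with headers (-H replaces curl's default User-Agent so the
# response is what a browser-like client would receive)
curl -I -H "User-Agent: Mozilla/5.0" http://TARGET_IP

# HTTPS banner grab with headers
curl -I -H "User-Agent: Mozilla/5.0" https://TARGET_IP

# HTTP banner grab with custom headers
curl -I -H "User-Agent: CustomAgent" -H "Accept: */*" http://TARGET_IP

# HTTPS banner grab with custom headers
curl -I -H "User-Agent: CustomAgent" -H "Accept: */*" https://TARGET_IP

# HTTP banner grab with proxy (proxy:8080 is a placeholder)
curl -I --proxy http://proxy:8080 http://TARGET_IP

# HTTPS banner grab with proxy
curl -I --proxy http://proxy:8080 https://TARGET_IP

# HTTP banner grab with timeout. --connect-timeout bounds only the TCP/TLS
# connect; --max-time bounds the whole request, so a server that accepts the
# connection and then stalls cannot hang the command indefinitely.
curl -I --connect-timeout 10 --max-time 15 http://TARGET_IP

# HTTPS banner grab with timeout
curl -I --connect-timeout 10 --max-time 15 https://TARGET_IP

# HTTP banner grab with verbose (-v also prints the request that was sent)
curl -I -v http://TARGET_IP

# HTTPS banner grab with verbose (additionally shows the TLS handshake and
# certificate details)
curl -I -v https://TARGET_IP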

Version Detection

Nmap Version Detection

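# Basic version detection (top 1000 TCP ports, then service probes on open ones)
nmap -sV TARGET_IP

# Version detection with specific ports
nmap -sV -p 80,443,8080,8443 TARGET_IP

# Version detection with all ports (65535 ports: slow and very noisy)
nmap -sV -p- TARGET_IP

# Version detection with intensity (0-9; 9 sends every probe to every open port)
nmap -sV --version-intensity 9 TARGET_IP

# Version detection with light intensity (fewer probes, quieter, may miss
# services that only answer rare probes)
nmap -sV --version-intensity 1 TARGET_IP

# Version detection with all probes (equivalent to intensity 9)
nmap -sV --version-all TARGET_IP

# Version detection with trace (prints each probe and response; useful when a
# service comes back as "unknown")
nmap -sV --version-trace TARGET_IP

# Version detection with debug output. nmap has no --version-debug option (it
# rejects the flag); -d raises the general debug level (-dd for more).
nmap -sV -d TARGET_IP

# Version detection with verbose
nmap -sV -v TARGET_IP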

Advanced Version Detection

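# Version detection with OS detection (-O builds raw packets and needs root)
nmap -sV -O TARGET_IP

# Version detection with script scanning (-sC runs the "default" NSE category)
nmap -sV -sC TARGET_IP

# Version detection with the vuln script category (per-CVE checks; some are
# flagged intrusive and can upset fragile services)
nmap -sV --script vuln TARGET_IP

# Version detection with output file (normal, human-readable format)
nmap -sV -oN results.txt TARGET_IP

# Version detection with XML output. This is nmap's only structured format:
# there is no JSON writer and -oJ is not a valid option, so convert the XML
# with an external tool if JSON is required downstream.
nmap -sV -oX results.xml TARGET_IP

# Version detection with grepable output (one line per host)
nmap -sV -oG results.grep TARGET_IP

# Version detection with all formats (writes results.nmap, .xml and .gnmap)
nmap -sV -oA results TARGET_IP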

Service-Specific Enumeration

HTTP Service Enumeration

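# HTTP enumeration (discovery only: common paths, headers, allowed methods,
# robots.txt, page titles, virtual hosts)
nmap --script http-enum TARGET_IP
nmap --script http-headers TARGET_IP
nmap --script http-methods TARGET_IP
nmap --script http-robots.txt TARGET_IP
nmap --script http-sitemap-generator TARGET_IP
nmap --script http-title TARGET_IP
nmap --script http-vhosts TARGET_IP

# HTTP authentication. http-auth / http-auth-finder only report where
# authentication is required; http-brute and http-form-brute guess credentials
# and http-form-fuzzer submits malformed input — those sit in nmap's
# brute/intrusive categories, fill logs with failed logins and can trigger
# account lockouts.
nmap --script http-auth TARGET_IP
nmap --script http-auth-finder TARGET_IP
nmap --script http-brute TARGET_IP
nmap --script http-form-brute TARGET_IP
nmap --script http-form-fuzzer TARGET_IP

# HTTP vulnerabilities (one script per CVE check). The original list continued
# through http-vuln-cve2014-2140, but the shipped http-vuln-cve2014-21xx series
# ends at 2129; the remaining IDs do not correspond to NSE scripts and would
# just make nmap abort with "script not found", so they were dropped. Confirm
# what the installed release provides with: nmap --script-help 'http-vuln-*'
nmap --script http-vuln-cve2010-0738 TARGET_IP
nmap --script http-vuln-cve2010-2861 TARGET_IP
nmap --script http-vuln-cve2011-3192 TARGET_IP
nmap --script http-vuln-cve2011-3368 TARGET_IP
nmap --script http-vuln-cve2012-1823 TARGET_IP
nmap --script http-vuln-cve2013-0156 TARGET_IP
nmap --script http-vuln-cve2013-6786 TARGET_IP
nmap --script http-vuln-cve2014-2126 TARGET_IP
nmap --script http-vuln-cve2014-2127 TARGET_IP
nmap --script http-vuln-cve2014-2128 TARGET_IP
nmap --script http-vuln-cve2014-2129 TARGET_IP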

SMB Service Enumeration

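# SMB enumeration. These scripts try a null/guest session unless credentials
# are supplied through the smbusername / smbpassword script arguments.
nmap --script smb-enum-shares TARGET_IP
nmap --script smb-enum-users TARGET_IP
nmap --script smb-enum-groups TARGET_IP
nmap --script smb-enum-domains TARGET_IP
nmap --script smb-os-discovery TARGET_IP
nmap --script smb-protocols TARGET_IP
nmap --script smb-security-mode TARGET_IP
nmap --script smb-system-info TARGET_IP

# SMB authentication. smb-brute guesses credentials (brute category): every
# attempt is a failed logon event and lockout policies will bite. The original
# listed smb-enum-sessions three times; once is enough.
nmap --script smb-brute TARGET_IP
nmap --script smb-enum-sessions TARGET_IP

# SMB vulnerabilities. smb-vuln-cve2009-3103 is a DoS check that can crash an
# unpatched host. smb-vuln-cve2010-0476 is not a script I can find in shipped
# NSE releases; the original repeated it twenty times, it is kept once here so
# the intent survives — verify with: nmap --script-help 'smb-vuln-*'
nmap --script smb-vuln-cve2009-3103 TARGET_IP
nmap --script smb-vuln-cve2010-0476 TARGET_IP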

SNMP Service Enumeration

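# SNMP enumeration. SNMP is UDP/161 and nmap's default scan is TCP-only, so
# without -sU -p 161 none of the snmp-* scripts get a port to run against and
# the original lines produced no SNMP output at all. -sU needs raw sockets
# (root). The scripts default to the "public" community; pass
# --script-args snmpcommunity=... for another one.
nmap -sU -p 161 --script snmp-info TARGET_IP
nmap -sU -p 161 --script snmp-brute TARGET_IP
nmap -sU -p 161 --script snmp-communities TARGET_IP
nmap -sU -p 161 --script snmp-hh3c-logins TARGET_IP
nmap -sU -p 161 --script snmp-interfaces TARGET_IP
nmap -sU -p 161 --script snmp-ios-config TARGET_IP
nmap -sU -p 161 --script snmp-netstat TARGET_IP
nmap -sU -p 161 --script snmp-processes TARGET_IP
nmap -sU -p 161 --script snmp-public TARGET_IP
nmap -sU -p 161 --script snmp-sysdescr TARGET_IP
nmap -sU -p 161 --script snmp-win32-services TARGET_IP
nmap -sU -p 161 --script snmp-win32-shares TARGET_IP
nmap -sU -p 161 --script snmp-win32-software TARGET_IP
nmap -sU -p 161 --script snmp-win32-users TARGET_IP

# SNMP authentication (community-string guessing: brute category, noisy)
nmap -sU -p 161 --script snmp-brute TARGET_IP
nmap -sU -p 161 --script snmp-communities TARGET_IP
nmap -sU -p 161 --script snmp-hh3c-logins TARGET_IP

# SNMP vulnerabilities. snmp-vuln-cve2010-0476 is not a script I can find in
# shipped NSE releases; the original repeated it twenty-one times, it is kept
# once so the intent survives — verify with: nmap --script-help 'snmp-*'
nmap -sU -p 161 --script snmp-vuln-cve2010-0476 TARGET_IP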

FTP Service Enumeration

# FTP enumeration. ftp-anon, ftp-syst and ftp-libopie are read-only checks;
# ftp-bounce tests whether the server will proxy connections for a client.
# ftp-brute guesses credentials, and the two *-backdoor scripts confirm a
# trojaned build by exercising the backdoor (they run a harmless command on
# the host) — nmap flags those as intrusive, so expect log entries.
nmap --script ftp-anon TARGET_IP
nmap --script ftp-bounce TARGET_IP
nmap --script ftp-brute TARGET_IP
nmap --script ftp-libopie TARGET_IP
nmap --script ftp-proftpd-backdoor TARGET_IP
nmap --script ftp-syst TARGET_IP
nmap --script ftp-vsftpd-backdoor TARGET_IP
nmap --script ftp-vuln-cve2010-4221 TARGET_IP

# FTP authentication (both already appear above; listed again by purpose)
nmap --script ftp-brute TARGET_IP
nmap --script ftp-anon TARGET_IP

# FTP vulnerabilities (cve2010-4221 is a ProFTPD stack overflow check; see the
# note above on the backdoor scripts)
nmap --script ftp-vuln-cve2010-4221 TARGET_IP
nmap --script ftp-proftpd-backdoor TARGET_IP
nmap --script ftp-vsftpd-backdoor TARGET_IP

SSH Service Enumeration

# SSH enumeration. ssh-hostkey (key fingerprints) and ssh2-enum-algos (offered
# KEX/cipher/MAC lists) are passive; sshv1 only reports whether the obsolete
# protocol 1 is offered. ssh-brute guesses passwords, and ssh-run /
# ssh-publickey-acceptance do nothing useful without script args (a command
# plus credentials, or a list of keys and usernames) — check --script-help.
nmap --script ssh-hostkey TARGET_IP
nmap --script ssh-brute TARGET_IP
nmap --script ssh-publickey-acceptance TARGET_IP
nmap --script ssh-run TARGET_IP
nmap --script ssh2-enum-algos TARGET_IP
nmap --script sshv1 TARGET_IP

# SSH authentication (repeats of the two credential-driven scripts above)
nmap --script ssh-brute TARGET_IP
nmap --script ssh-publickey-acceptance TARGET_IP

# SSH vulnerabilities (protocol-1 support and weak/duplicated host keys are
# configuration findings rather than exploitable bugs)
nmap --script sshv1 TARGET_IP
nmap --script ssh-hostkey TARGET_IP

SMTP Service Enumeration

# SMTP enumeration. smtp-commands, smtp-ntlm-info and smtp-strangeport are
# read-only. smtp-enum-users probes VRFY/EXPN/RCPT for valid accounts and
# smtp-open-relay submits relay test messages; both leave clear traces in the
# mail logs and the relay test may generate real outbound mail attempts.
nmap --script smtp-commands TARGET_IP
nmap --script smtp-enum-users TARGET_IP
nmap --script smtp-ntlm-info TARGET_IP
nmap --script smtp-open-relay TARGET_IP
nmap --script smtp-strangeport TARGET_IP
nmap --script smtp-vuln-cve2010-4344 TARGET_IP
nmap --script smtp-vuln-cve2011-1720 TARGET_IP
nmap --script smtp-vuln-cve2011-1764 TARGET_IP

# SMTP authentication (smtp-brute guesses AUTH credentials: brute category,
# failed-login noise and possible lockouts)
nmap --script smtp-enum-users TARGET_IP
nmap --script smtp-brute TARGET_IP

# SMTP vulnerabilities (one script per CVE; repeated from the list above)
nmap --script smtp-vuln-cve2010-4344 TARGET_IP
nmap --script smtp-vuln-cve2011-1720 TARGET_IP
nmap --script smtp-vuln-cve2011-1764 TARGET_IP

Custom Service Enumeration

Python Service Enumeration

import socket
import threading
import queue
import time
import requests

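def service_enumeration(target, ports, threads=10, delay=0, port_range=range(1, 65536)):
    """Probe TCP ports on ``target`` with a worker pool and print one line per open port.

    Args:
        target: host name or IP address to probe.
        ports: a ``queue.Queue`` used as the work queue. This function fills it
            with the ports to probe and drains it; pass a fresh, empty queue.
        threads: number of worker threads.
        delay: seconds each worker sleeps after finishing a port. This is the
            only rate control, so raise it when the target must not be flooded.
        port_range: iterable of port numbers to probe (default 1-65535; the
            original always scanned the full range).

    Returns:
        None. Results are written to stdout.
    """

    def banner_line(sock, port):
        """Build the report line for an open ``port`` using the connected ``sock``.

        Any failure while talking to the service propagates to the caller,
        which falls back to a plain [OPEN] line.
        """
        if port == 80:
            response = requests.get(f'http://{target}', timeout=5)
            return f"[HTTP] {target}:{port} - {response.headers.get('Server', 'Unknown')}"
        if port == 443:
            # verify=False deliberately skips certificate validation so a
            # self-signed host still yields a Server header. Acceptable only
            # because nothing from the response is trusted beyond one header.
            response = requests.get(f'https://{target}', timeout=5, verify=False)
            return f"[HTTPS] {target}:{port} - {response.headers.get('Server', 'Unknown')}"
        if port == 21:
            sock.send(b'USER anonymous\r\n')
            banner = sock.recv(1024).decode('utf-8', errors='ignore')
            return f"[FTP] {target}:{port} - {banner.strip()}"
        if port == 22:
            # SSH and SMTP servers speak first, so a bare recv returns the greeting.
            banner = sock.recv(1024).decode('utf-8', errors='ignore')
            return f"[SSH] {target}:{port} - {banner.strip()}"
        if port == 25:
            banner = sock.recv(1024).decode('utf-8', errors='ignore')
            return f"[SMTP] {target}:{port} - {banner.strip()}"
        return f"[OPEN] {target}:{port}"

    def probe(port):
        """Connect to ``port``; print a report line if it is open.

        The socket is closed on every path (the original leaked it when
        connect_ex raised, e.g. on a name-resolution failure).
        """
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            sock.settimeout(1)
            if sock.connect_ex((target, port)) != 0:
                return
            try:
                line = banner_line(sock, port)
            except Exception:
                # Banner grab failed (reset, timeout, unexpected protocol):
                # the port is still open, so report that much.
                line = f"[OPEN] {target}:{port}"
            print(line)
        finally:
            sock.close()

    def worker():
        """Take ports off the queue until a ``None`` sentinel arrives."""
        while True:
            port = ports.get()
            try:
                if port is None:
                    return
                try:
                    probe(port)
                    time.sleep(delay)
                except Exception:
                    pass  # best-effort scanner: one bad port must not kill the worker
            finally:
                ports.task_done()

    # Start threads (daemon, so an interrupted scan does not hang the interpreter)
    workers = []
    for _ in range(threads):
        t = threading.Thread(target=worker, daemon=True)
        t.start()
        workers.append(t)

    # Add ports to queue
    for port in port_range:
        ports.put(port)

    # Wait for completion
    ports.join()

    # Tell each worker to exit, then reap them so no threads are left behind
    # blocked on an empty queue (the original never stopped them).
    for _ in range(threads):
        ports.put(None)
    for t in workers:
        t.join()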

# Usage
target = "TARGET_IP"   # placeholder: replace with the host to probe
ports = queue.Queue()  # empty work queue; service_enumeration fills and drains it
# 100 workers with a 10 ms pause per port. delay is the only rate control, so
# this is fast and noisy; raise it for anything rate-limited.
service_enumeration(target, ports, threads=100, delay=0.01)

Bash Service Enumeration

#!/bin/bash

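# Target host (placeholder) and GNU parallel job count. Both keep their
# original defaults but may now be overridden from the environment, e.g.
# THREADS=20 exported before running the script.
TARGET_IP="${TARGET_IP:-TARGET_IP}"
THREADS="${THREADS:-10}"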

# Function to check service
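#######################################
# Probe one TCP port on a host and print a one-line summary if it is open.
# Arguments: $1 - port number
#            $2 - target host or IP
# Outputs:   one "[LABEL] host:port - banner" line on stdout for an open
#            port; nothing for a closed or filtered one
# Returns:   0 (probe failures count as "closed", not as errors)
#######################################
check_service() {
    local port=$1
    local target=$2
    local banner

    # Host and port are handed to the inner bash as positional parameters
    # instead of being interpolated into the -c string, so metacharacters in
    # $target cannot become shell syntax. timeout(1) bounds the connect.
    if timeout 1 bash -c 'echo >"/dev/tcp/$1/$2"' _ "$target" "$port" 2>/dev/null; then
        # Try to grab banner. --max-time / timeout stop a service that greets
        # and then waits for us (SSH, SMTP) from stalling this worker; tr drops
        # the CR that HTTP header lines carry so it does not end up in the output.
        case "$port" in
            80)
                banner=$(curl -s -I --max-time 5 "http://$target" | grep -i "server:" | cut -d' ' -f2- | tr -d '\r')
                printf '[HTTP] %s:%s - %s\n' "$target" "$port" "$banner"
                ;;
            443)
                # An untrusted (e.g. self-signed) certificate makes curl fail
                # silently here, which shows up as an empty banner.
                banner=$(curl -s -I --max-time 5 "https://$target" | grep -i "server:" | cut -d' ' -f2- | tr -d '\r')
                printf '[HTTPS] %s:%s - %s\n' "$target" "$port" "$banner"
                ;;
            21)
                banner=$(echo "QUIT" | timeout 3 nc "$target" "$port" 2>/dev/null | head -n 1 | tr -d '\r')
                printf '[FTP] %s:%s - %s\n' "$target" "$port" "$banner"
                ;;
            22)
                banner=$(timeout 3 nc "$target" "$port" 2>/dev/null | head -n 1 | tr -d '\r')
                printf '[SSH] %s:%s - %s\n' "$target" "$port" "$banner"
                ;;
            25)
                banner=$(timeout 3 nc "$target" "$port" 2>/dev/null | head -n 1 | tr -d '\r')
                printf '[SMTP] %s:%s - %s\n' "$target" "$port" "$banner"
                ;;
            *)
                printf '[OPEN] %s:%s\n' "$target" "$port"
                ;;
        esac
    fi
}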

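# Export the function so the shells GNU parallel spawns can see it. TARGET_IP
# is also passed as an argument below, so the export is kept only for
# compatibility with callers that relied on it.
export -f check_service
export TARGET_IP

# Run parallel service check. Fail loudly if GNU parallel is not installed
# instead of letting the pipeline print nothing and exit 0.
command -v parallel >/dev/null 2>&1 || { printf 'parallel not found\n' >&2; exit 1; }
seq 1 65535 | parallel -j "$THREADS" check_service {} "$TARGET_IP"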

Best Practices

Rate Limiting

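# Add delay between requests (-T2 "polite": probes are serialised with a
# 0.4 s gap)
nmap -T2 TARGET_IP

# Slow down further (-T1 "sneaky": one probe every 15 s). Timing templates set
# probe pacing and parallelism; nmap has no thread count to tune.
nmap -T1 TARGET_IP

# Relay through proxies. --proxies is a chain, not a rotation, and nmap applies
# it only to version-detection and NSE connections: the raw-packet phases
# (host discovery, port scanning, -O) still go direct, so pairing it with -sS
# as the original did gave no proxying at all and should not be relied on to
# hide the scanner's address.
nmap -sV --proxies http://proxy1:8080,http://proxy2:8080 TARGET_IP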

Stealth Mode

# Use random timing. -T3 is nmap's default ("normal") template, so it changes
# nothing; --randomize-hosts only shuffles the order of multiple targets and
# has no effect on a single host.
nmap -T3 --randomize-hosts TARGET_IP

# Use fragment packets (-f splits probes into tiny IP fragments; needs root,
# is reassembled by any stateful firewall/IDS, and fragmented SYNs are
# themselves commonly alerted on)
nmap -sS -f TARGET_IP

# Use decoy scans (the real source address is still among the senders, and
# decoys should be live hosts or the pattern is easy to spot; needs root)
nmap -sS -D decoy1,decoy2,decoy3 TARGET_IP

# Use source port spoofing (only matters against stateless filters that trust
# traffic from port 53; stateful inspection ignores it; needs root)
nmap -sS --source-port 53 TARGET_IP

Output Analysis

# Save results to file (normal text output; -oG is friendlier to grep per host)
nmap -sV -oN results.txt TARGET_IP

# Filter by service: one grep per keyword, in the same order as listing them
# out by hand (grep is case-sensitive; add -i to catch "HTTP" as well)
for svc in http ssh ftp smb snmp; do
  grep "$svc" results.txt
done

# Filter by version string (product names as nmap prints them)
for product in Apache nginx IIS OpenSSH vsftpd; do
  grep "$product" results.txt
done

Troubleshooting

Common Issues

# Connection timeout (slow the probe rate so a rate-limiting device stops
# dropping answers)
nmap -T1 TARGET_IP

# Too many requests (-T0 "paranoid" is the slowest template: one probe at a
# time, minutes apart; expect a full scan to take hours)
nmap -T0 TARGET_IP

# Invalid target (-sn does host discovery only, no port scan; use it to confirm
# the host answers before scanning it. TARGET_NETWORK is a CIDR range.)
nmap -sn TARGET_NETWORK

# Permission denied (-sS builds raw SYN packets and needs root; nmap refuses
# an explicit -sS without it, and a default scan falls back to -sT connect)
sudo nmap -sS TARGET_IP

Performance Optimization

# Use appropriate timing (-T4 "aggressive": fast on a reliable LAN, but drops
# results on lossy or rate-limited links — fall back to -T3 if ports go missing)
nmap -T4 TARGET_IP

# Use smaller port ranges
nmap -p 1-1000 TARGET_IP

# Use specific scripts (a category name or comma-separated script names; vuln
# runs every vulnerability check and is both slow and noisy, so prefer naming
# the scripts relevant to the services found)
nmap --script vuln TARGET_IP
  • Always obtain proper authorization before testing
  • Respect rate limits and server resources
  • Use appropriate tools for the target
  • Document findings properly
  • Follow responsible disclosure practices