Service Enumeration Tools
Service Enumeration Tools
Comprehensive collection of service enumeration tools and techniques for network reconnaissance and penetration testing. Every command below assumes written authorization for TARGET_IP. The brute-force and vulnerability scripts are noisy, can lock accounts and can crash fragile services; run them only when the engagement explicitly allows it.

Banner Grabbing

Basic Banner Grabbing
# Telnet banner grab
# Only plaintext services volunteer a banner (21, 22, 25). HTTP says nothing until you send a request: type "HEAD / HTTP/1.0" and press Enter twice. Port 443 is TLS and prints nothing readable here; use openssl s_client (below) instead.
telnet TARGET_IP 80
telnet TARGET_IP 443
telnet TARGET_IP 21
telnet TARGET_IP 25
telnet TARGET_IP 22
# Netcat banner grab (-w gives an idle timeout so a silent service does not hang the session; same HTTP/TLS caveats as telnet)
nc -w 5 TARGET_IP 80
nc -w 5 TARGET_IP 443
nc -w 5 TARGET_IP 21
nc -w 5 TARGET_IP 25
nc -w 5 TARGET_IP 22
# Nmap banner grab (the banner script records whatever the service sends first; -sV adds probe-based identification on top)
nmap -sV --script banner TARGET_IP
# Curl banner grab (-I sends HEAD; some servers answer 405 to HEAD, in which case use: curl -s -o /dev/null -D - http://TARGET_IP)
curl -I http://TARGET_IP
# -k accepts a self-signed or mismatched certificate; it disables verification, so use it for recon only
curl -I -k https://TARGET_IP
# Wget banner grab (add --no-check-certificate for self-signed hosts; same caveat as curl -k)
wget --spider -S http://TARGET_IP
wget --spider -S https://TARGET_IP
# OpenSSL banner grab (for TLS-wrapped services; add -servername HOSTNAME when the host serves several certificates via SNI)
openssl s_client -connect TARGET_IP:443
openssl s_client -connect TARGET_IP:993
openssl s_client -connect TARGET_IP:995
# SMTP banner grab
# 25 and 587 greet in plaintext (587 upgrades via STARTTLS: openssl s_client -starttls smtp -connect TARGET_IP:587). 465 is implicit TLS, so nc shows nothing: use openssl s_client -connect TARGET_IP:465
nc -w 5 TARGET_IP 25
nc -w 5 TARGET_IP 587
nc -w 5 TARGET_IP 465
# FTP banner grab (990 is implicit TLS: openssl s_client -connect TARGET_IP:990)
nc -w 5 TARGET_IP 21
nc -w 5 TARGET_IP 990
# SSH banner grab (the server sends its version string immediately)
nc -w 5 TARGET_IP 22

Advanced Banner Grabbing
# HTTP banner grab with headers
curl -I -H "User-Agent: Mozilla/5.0" http://TARGET_IP
# HTTPS banner grab with headers
curl -I -H "User-Agent: Mozilla/5.0" https://TARGET_IP
# HTTP banner grab with custom headers
curl -I -H "User-Agent: CustomAgent" -H "Accept: */*" http://TARGET_IP
# HTTPS banner grab with custom headers
curl -I -H "User-Agent: CustomAgent" -H "Accept: */*" https://TARGET_IP
# HTTP banner grab with proxy
curl -I --proxy http://proxy:8080 http://TARGET_IP
# HTTPS banner grab with proxy (curl issues CONNECT to the proxy; the TLS session is still end-to-end with the target)
curl -I --proxy http://proxy:8080 https://TARGET_IP
# HTTP banner grab with timeout (--connect-timeout caps only the TCP handshake; --max-time bounds the whole request)
curl -I --connect-timeout 10 --max-time 10 http://TARGET_IP
# HTTPS banner grab with timeout
curl -I --connect-timeout 10 --max-time 10 https://TARGET_IP
# HTTP banner grab with verbose (-v also shows the request you sent and, for HTTPS, the certificate chain)
curl -I -v http://TARGET_IP
# HTTPS banner grab with verbose
curl -I -v https://TARGET_IP

Version Detection

Nmap Version Detection
# Basic version detection
nmap -sV TARGET_IP
# Version detection with specific ports
nmap -sV -p 80,443,8080,8443 TARGET_IP
# Version detection with all ports (65535 ports with -sV is slow; pair with -T4 or --min-rate on a network you control)
nmap -sV -p- 
TARGET_IP
# Version detection with intensity (0-9; 9 sends every probe to every port and is the slowest)
nmap -sV --version-intensity 9 TARGET_IP
# Version detection with light intensity
nmap -sV --version-intensity 1 TARGET_IP
# Version detection with all probes (equivalent to --version-intensity 9)
nmap -sV --version-all TARGET_IP
# Version detection with trace (prints each probe and the response; the first thing to look at when a service is misidentified)
nmap -sV --version-trace TARGET_IP
# Version detection with debug (nmap has no --version-debug option; -d raises the global debug level, -dd more so)
nmap -sV -d TARGET_IP
# Version detection with verbose
nmap -sV -v TARGET_IP

Advanced Version Detection
# Version detection with OS detection (-O needs raw sockets: run as root)
nmap -sV -O TARGET_IP
# Version detection with default script scanning (-sC runs the "default" NSE category, which is meant to be non-destructive but is not quiet)
nmap -sV -sC TARGET_IP
# Version detection with the vuln script category (includes intrusive checks that can crash fragile services)
nmap -sV --script vuln TARGET_IP
# Version detection with output file
nmap -sV -oN results.txt TARGET_IP
# Version detection with XML output (the format to keep: it is what other tools import)
nmap -sV -oX results.xml TARGET_IP
# Version detection with JSON output: nmap has no native JSON writer (there is no -oJ flag). Write -oX and convert the XML with whatever converter your toolchain provides.
# Version detection with grep output
nmap -sV -oG results.grep TARGET_IP
# Version detection with all formats (writes results.nmap, results.xml and results.gnmap)
nmap -sV -oA results TARGET_IP

Service-Specific Enumeration

HTTP Service Enumeration
# HTTP enumeration (add -p 80,443,8080,8443 so the http-* scripts run only against web ports instead of every open port)
nmap --script http-enum TARGET_IP
nmap --script http-headers TARGET_IP
nmap --script http-methods TARGET_IP
nmap --script http-robots.txt TARGET_IP
nmap --script http-sitemap-generator TARGET_IP
nmap --script http-title TARGET_IP
nmap --script http-vhosts TARGET_IP
# HTTP authentication
nmap --script http-auth TARGET_IP
nmap --script http-auth-finder TARGET_IP
# The brute scripts use nmap's built-in username/password lists unless you pass --script-args userdb=...,passdb=...; they can trip account lockouts and WAF rate limits
nmap --script http-brute TARGET_IP
nmap --script http-form-brute TARGET_IP
nmap --script http-form-fuzzer TARGET_IP
# HTTP vulnerabilities (each script targets one product; "no output" is not evidence that the host is patched, only that the probe did not match)
nmap --script http-vuln-cve2010-0738 TARGET_IP
nmap --script http-vuln-cve2010-2861 TARGET_IP
nmap --script http-vuln-cve2011-3192 TARGET_IP
nmap --script http-vuln-cve2011-3368 TARGET_IP
nmap --script http-vuln-cve2012-1823 TARGET_IP
nmap --script http-vuln-cve2013-0156 TARGET_IP
nmap --script http-vuln-cve2013-6786 TARGET_IP
nmap --script http-vuln-cve2014-2126 TARGET_IP
nmap --script http-vuln-cve2014-2127 
TARGET_IP
nmap --script http-vuln-cve2014-2128 TARGET_IP
nmap --script http-vuln-cve2014-2129 TARGET_IP
# The original list continued with http-vuln-cve2014-2130 through -2140; no NSE scripts by those names ship with nmap, and nmap refuses to start when a --script name matches nothing. Read the installed names from --script-help and run the family with a wildcard:
nmap --script-help "http-vuln-*"
nmap -p 80,443 --script "http-vuln-*" TARGET_IP

SMB Service Enumeration
# SMB enumeration (SMB is TCP 139/445; -p 139,445 keeps the scripts from being tried on every open port. On hardened hosts most of these need credentials: --script-args smbusername=...,smbpassword=...)
nmap -p 139,445 --script smb-enum-shares TARGET_IP
nmap -p 139,445 --script smb-enum-users TARGET_IP
nmap -p 139,445 --script smb-enum-groups TARGET_IP
nmap -p 139,445 --script smb-enum-domains TARGET_IP
nmap -p 139,445 --script smb-os-discovery TARGET_IP
nmap -p 139,445 --script smb-protocols TARGET_IP
nmap -p 139,445 --script smb-security-mode TARGET_IP
nmap -p 139,445 --script smb-system-info TARGET_IP
# SMB authentication
# smb-brute hits a normal domain lockout policy within a few attempts per user; agree the lockout threshold with the client before running it
nmap -p 139,445 --script smb-brute TARGET_IP
# (the original listed smb-enum-sessions three times; once is enough)
nmap -p 139,445 --script smb-enum-sessions TARGET_IP
# SMB vulnerabilities
nmap -p 139,445 --script smb-vuln-cve2009-3103 TARGET_IP
# Nmap ships no script named smb-vuln-cve2010-0476 (the original repeated the next line about twenty times); verify names with: nmap --script-help "smb-vuln-*"
nmap --script smb-vuln-cve2010-0476 TARGET_IP
nmap -p 139,445 --script 
"smb-vuln-*" TARGET_IP
# (wildcard form: runs every installed smb-vuln-* script; several of them are in the intrusive category, so run this only when crashing the target is acceptable)

SNMP Service Enumeration
# SNMP listens on UDP/161. Nmap's default scan is TCP-only, so without -sU -p 161 none of these scripts ever run. When "public" fails, supply a known community with --script-args snmpcommunity=...
# SNMP enumeration (confirm each script name with nmap --script-help "snmp-*"; not every name in this list ships with current releases)
nmap -sU -p 161 --script snmp-info TARGET_IP
nmap -sU -p 161 --script snmp-brute TARGET_IP
nmap -sU -p 161 --script snmp-communities TARGET_IP
nmap -sU -p 161 --script snmp-hh3c-logins TARGET_IP
nmap -sU -p 161 --script snmp-interfaces TARGET_IP
nmap -sU -p 161 --script snmp-ios-config TARGET_IP
nmap -sU -p 161 --script snmp-netstat TARGET_IP
nmap -sU -p 161 --script snmp-processes TARGET_IP
nmap -sU -p 161 --script snmp-public TARGET_IP
nmap -sU -p 161 --script snmp-sysdescr TARGET_IP
nmap -sU -p 161 --script snmp-win32-services TARGET_IP
nmap -sU -p 161 --script snmp-win32-shares TARGET_IP
nmap -sU -p 161 --script snmp-win32-software TARGET_IP
nmap -sU -p 161 --script snmp-win32-users TARGET_IP
# SNMP authentication (snmp-brute guesses community strings from a wordlist: --script-args snmp-brute.communitiesdb=FILE)
nmap -sU -p 161 --script snmp-brute TARGET_IP
nmap -sU -p 161 --script snmp-communities TARGET_IP
nmap -sU -p 161 --script snmp-hh3c-logins TARGET_IP
# SNMP vulnerabilities
# The original repeated the next line about twenty times. Nmap ships no snmp-vuln-* scripts, so this command does not run; list what you actually have and treat the enumeration results above (guessable community strings, exposed device configuration) as the SNMP findings:
nmap --script-help "snmp-*"
nmap --script snmp-vuln-cve2010-0476 TARGET_IP

FTP Service Enumeration
# FTP enumeration (-p 21 keeps the scripts on the FTP port; ftp-anon checks for anonymous login)
nmap -p 21 --script ftp-anon TARGET_IP
nmap -p 21 
--script ftp-bounce TARGET_IP
nmap -p 21 --script ftp-brute TARGET_IP
nmap -p 21 --script ftp-libopie TARGET_IP
nmap -p 21 --script ftp-proftpd-backdoor TARGET_IP
nmap -p 21 --script ftp-syst TARGET_IP
nmap -p 21 --script ftp-vsftpd-backdoor TARGET_IP
nmap -p 21 --script ftp-vuln-cve2010-4221 TARGET_IP
# FTP authentication (ftp-brute uses the built-in wordlists unless --script-args userdb=...,passdb=... is given; watch for lockouts)
nmap -p 21 --script ftp-brute TARGET_IP
nmap -p 21 --script ftp-anon TARGET_IP
# FTP vulnerabilities (the two backdoor scripts actively trigger the backdoor — exploit/intrusive categories — so they are not "just a check")
nmap -p 21 --script ftp-vuln-cve2010-4221 TARGET_IP
nmap -p 21 --script ftp-proftpd-backdoor TARGET_IP
nmap -p 21 --script ftp-vsftpd-backdoor TARGET_IP

SSH Service Enumeration
# SSH enumeration (-p 22; ssh2-enum-algos is the one that produces findings: it lists the offered key-exchange, cipher and MAC algorithms)
nmap -p 22 --script ssh-hostkey TARGET_IP
nmap -p 22 --script ssh-brute TARGET_IP
# ssh-publickey-acceptance and ssh-run both need script-args (a key file, or a username, password and command); without them they report nothing
nmap -p 22 --script ssh-publickey-acceptance TARGET_IP
nmap -p 22 --script ssh-run TARGET_IP
nmap -p 22 --script ssh2-enum-algos TARGET_IP
nmap -p 22 --script sshv1 TARGET_IP
# SSH authentication (ssh-brute is loud: every attempt is an auth-log line, and fail2ban-style tooling will ban the scanner)
nmap -p 22 --script ssh-brute TARGET_IP
nmap -p 22 --script ssh-publickey-acceptance TARGET_IP
# SSH vulnerabilities (sshv1 reports whether the obsolete protocol 1 is offered; ssh-hostkey is inventory rather than a vulnerability check — compare fingerprints across hosts to spot cloned keys)
nmap -p 22 --script sshv1 TARGET_IP
nmap -p 22 --script ssh-hostkey TARGET_IP

SMTP Service Enumeration
# SMTP enumeration (-p 25,465,587)
nmap -p 25,465,587 --script smtp-commands TARGET_IP
nmap -p 25,465,587 --script smtp-enum-users TARGET_IP
nmap -p 25,465,587 --script smtp-ntlm-info TARGET_IP
# smtp-open-relay sends real test messages through the server; make sure the client expects that
nmap -p 25,465,587 --script smtp-open-relay TARGET_IP
# no -p here: smtp-strangeport flags SMTP found on non-standard ports, so it must see every open port
nmap --script smtp-strangeport TARGET_IP
# The three CVE scripts are in the intrusive category (Exim and Postfix memory-corruption checks) and may crash the daemon
nmap -p 25,465,587 --script smtp-vuln-cve2010-4344 TARGET_IP
nmap -p 25,465,587 --script smtp-vuln-cve2011-1720 TARGET_IP
nmap -p 25,465,587 --script smtp-vuln-cve2011-1764 TARGET_IP
# SMTP authentication
nmap -p 25,465,587 --script smtp-enum-users TARGET_IP
nmap -p 25,465,587 --script smtp-brute TARGET_IP
# SMTP vulnerabilities
nmap -p 25,465,587 --script smtp-vuln-cve2010-4344 TARGET_IP
nmap -p 25,465,587 --script smtp-vuln-cve2011-1720 TARGET_IP
nmap -p 25,465,587 --script smtp-vuln-cve2011-1764 TARGET_IP

Custom Service Enumeration

Python Service Enumeration
import socket
import threading
import queue
import time
import requests


def service_enumeration(target, ports, threads=10, delay=0):
    """Connect to every TCP port 1-65535 on target and print a banner for a few well-known services.

    target  -- IP address or hostname to scan
    ports   -- an *empty* queue.Queue; the function fills it with 1..65535 itself
    threads -- number of worker threads (the example below uses 100; keep it low on fragile networks)
    delay   -- seconds to sleep after each open port, a crude rate limit
    Workers are daemon threads and no sentinel is ever queued, so once the queue drains they block on
    ports.get() until the interpreter exits; the function itself returns after ports.join().
    """

    def worker():
        while True:
            try:
                port = ports.get()
                if port is None:
                    break
                # Check if port is open (a 1 s timeout is short on slow links; raise it if everything reads as closed)
                sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                sock.settimeout(1)
                try:
                    result = \
sock.connect_ex((target, port))
                    if result == 0:
                        # Try to grab banner
                        try:
                            if port == 80:
                                response = requests.get(f'http://{target}', timeout=5)
                                print(f"[HTTP] {target}:{port} - {response.headers.get('Server', 'Unknown')}")
                            elif port == 443:
                                # verify=False skips certificate validation so self-signed hosts still answer.
                                # Fine for recon, but never reuse this pattern for anything that carries credentials;
                                # requests also prints an InsecureRequestWarning per call.
                                response = requests.get(f'https://{target}', timeout=5, verify=False)
                                print(f"[HTTPS] {target}:{port} - {response.headers.get('Server', 'Unknown')}")
                            elif port == 21:
                                # The first read returns the 220 greeting; sending USER first is harmless but not needed.
                                sock.send(b'USER anonymous\r\n')
                                banner = sock.recv(1024).decode('utf-8', errors='ignore')
                                print(f"[FTP] {target}:{port} - {banner.strip()}")
                            elif port == 22:
                                banner = sock.recv(1024).decode('utf-8', errors='ignore')
                                print(f"[SSH] {target}:{port} - {banner.strip()}")
                            elif port == 25:
                                banner = sock.recv(1024).decode('utf-8', errors='ignore')
                                print(f"[SMTP] {target}:{port} - {banner.strip()}")
                            else:
                                print(f"[OPEN] {target}:{port}")
                        except Exception:
                            # A bare "except:" here would also swallow KeyboardInterrupt and make Ctrl-C unreliable with 100 threads.
                            print(f"[OPEN] {target}:{port}")
                        time.sleep(delay)
                finally:
                    # Close on every path; the original closed the socket only for open ports and left the rest to the GC.
                    sock.close()
            except Exception:
                # Best-effort by design: a failure on one port must not kill the worker.
                pass
            finally:
                ports.task_done()

    # Start threads
    for _ in range(threads):
        t = threading.Thread(target=worker)
        t.daemon = True
        t.start()

    # Add ports to queue
    for port in range(1, 65536):
        ports.put(port)

    # Wait for completion
    ports.join()


# Usage
target = "TARGET_IP"
ports = queue.Queue()
service_enumeration(target, ports, threads=100, delay=0.01)

Bash Service Enumeration
#!/bin/bash
TARGET_IP="TARGET_IP"
THREADS=10

# Function to check service: $1 = port, $2 = target. Prints one line per open port.
check_service() {
  local port=$1
  local target=$2
  # Pass target and port as arguments instead of splicing them into the bash -c string,
  # so a hostname read from a file cannot inject shell syntax.
  if timeout 1 bash -c 'echo >/dev/tcp/$1/$2' _ "$target" "$port" 2>/dev/null; then
    # Try to grab banner. --max-time / -w keep a silent service from hanging the worker.
    case $port in
      80)
        banner=$(curl -s -I --max-time 5 "http://$target" | grep -i "server:" | cut -d' ' -f2-)
        echo "[HTTP] $target:$port - $banner"
        ;;
      443)
        # -k: accept self-signed certificates (recon only); without it curl -s fails silently and the banner is empty
        banner=$(curl -s -I -k --max-time 5 "https://$target" | grep -i "server:" | cut -d' ' -f2-)
        echo "[HTTPS] $target:$port - $banner"
        ;;
      21)
        banner=$(echo "QUIT" | nc -w 3 "$target" "$port" 2>/dev/null | head -1)
        echo "[FTP] $target:$port - $banner"
        ;;
      22)
        banner=$(nc -w 3 "$target" "$port" 2>/dev/null | head -1)
        echo "[SSH] $target:$port - $banner"
        ;;
      25)
        banner=$(nc -w 3 "$target" "$port" 2>/dev/null | head -1)
        echo "[SMTP] $target:$port - $banner"
        ;;
      *)
        echo "[OPEN] $target:$port"
        ;;
    esac
  fi
}

# Export function for parallel (GNU parallel runs it in child shells, so it must be exported)
export -f check_service
export TARGET_IP

# Run parallel service check
seq 1 65535 | parallel -j "$THREADS" check_service {} "$TARGET_IP"

Best Practices

Rate Limiting
# Slow the timing template (-T0..-T5; -T2 is "polite", -T1 "sneaky")
nmap -T2 TARGET_IP
# Cap concurrent probes and add a fixed gap between them (-T alone does not control "threads")
nmap -T1 --max-parallelism 1 --scan-delay 1s TARGET_IP
# Route the scan through proxies. --proxies chains through the listed proxies in order (it is not rotation), only works with connect scans (-sT), never with -sS, and host discovery is not proxied, hence -Pn
nmap -sT -Pn --proxies http://proxy1:8080,http://proxy2:8080 TARGET_IP

Stealth Mode
# Randomize host order (-T3 is nmap's default timing, so this line only shuffles targets)
nmap -T3 --randomize-hosts TARGET_IP
# Fragment packets (raw-socket scans only; stateful firewalls and IDS reassemble fragments, so expect little from this)
nmap -sS -f TARGET_IP
# Decoy scans (needs raw sockets; your real address is still in the set — use ME to place it — and the decoys receive replies too)
nmap -sS -D decoy1,ME,decoy2,decoy3 TARGET_IP
# Source port spoofing (defeats only stateless filters that trust traffic from port 53/20/88)
nmap -sS --source-port 53 TARGET_IP

Output Analysis
# Save results to file (the grepable format is easier to filter: nmap -sV -oG results.grep TARGET_IP)
nmap -sV -oN results.txt TARGET_IP
# Filter by service (-i: service names are printed in varying case)
grep -i "http" results.txt
grep -i "ssh" results.txt
grep -i "ftp" results.txt
grep -i "smb" results.txt
grep -i "snmp" results.txt
# Filter by version
grep "Apache" results.txt
grep "nginx" results.txt
grep "IIS" results.txt
grep "OpenSSH" results.txt
grep "vsftpd" results.txt

Troubleshooting

Common Issues
# Connection timeout (slow down; also consider --max-retries / --host-timeout when the link drops probes)
nmap -T1 TARGET_IP
# Too many requests (rate limiting or an IPS tripping: slowest template)
nmap -T0 TARGET_IP
# Invalid target (confirm the host is up and the CIDR is right with a ping sweep first)
nmap -sn TARGET_NETWORK
# Permission denied (SYN scans, OS detection and decoys need raw sockets)
sudo nmap -sS TARGET_IP

Performance Optimization
# Use appropriate timing (-T4 is the usual choice on a LAN you control)
nmap -T4 TARGET_IP
# Use smaller port ranges (or --top-ports 1000, which picks the most common ports rather than the lowest-numbered ones)
nmap -p 1-1000 TARGET_IP
# Use specific scripts (a category such as vuln is still dozens of scripts; name the ones you need, or add -p so each script runs only where it applies)
nmap --script vuln TARGET_IP

Legal and Ethical Considerations
Always obtain written authorization, with the target ranges and the test window spelled out, before testing.
Respect rate limits and server resources: brute-force and vuln scripts can lock accounts and crash services.
Use tools appropriate to the target, and intrusive scripts only where the engagement allows them.
Document findings properly: keep the nmap -oA output, the exact commands and timestamps so results can be reproduced.
Follow responsible disclosure practices for anything discovered outside the agreed scope.