Skip to content
Codex Codex

Service Footprinting

T1046 Network Service Discovery T1018 Remote System Discovery T1133 External Remote Services T1210 Exploitation of Remote Services T1135 Network Share Discovery T1087 Account Discovery

TL;DR

Section titled “TL;DR”

Once reconnaissance hands you a host list with banners, the next stage is per-service enumeration. Each service has its own protocol, default config, common misconfigurations, and operator playbook. This cluster covers the 16 services that account for the vast majority of “open port → finding” paths in real engagements.

# Port-driven decision flow:
#  port 21          → FTP                       (anon auth, file enum)
#  port 22          → SSH                       (banner version, auth methods, key files)
#  port 25/587/465  → SMTP                      (VRFY user enum, open relay)
#  port 53          → DNS                       (AXFR zone transfer, version probe)
#  port 110/995     → POP3                      (cred test, IMAP fallback)
#  port 111/2049    → NFS                       (showmount, mount, file enum)
#  port 135         → MS-RPC / WMI              (wmiexec)
#  port 139/445     → SMB                       (anonymous shares, RID enum)
#  port 143/993     → IMAP                      (cred test, folder browse)
#  port 161/udp     → SNMP                      (community string bruteforce, OID walk)
#  port 512/513/514 → R-services                (rlogin/rsh, .rhosts trust)
#  port 623/udp     → IPMI                      (RAKP hash extraction)
#  port 873         → Rsync                     (share enum, anon access)
#  port 1433        → MSSQL                     (sa creds, xp_cmdshell)
#  port 1521        → Oracle TNS                (SID enum, default creds)
#  port 3306        → MySQL                     (empty root, db enum)
#  port 3389        → RDP                       (NLA check, cert info)
#  port 5985/5986   → WinRM                     (credentialed shell)

Success indicator: per-service findings - credentials, file access, configuration disclosures, or chained vulnerabilities that lead to host compromise.

Operator mindset for this cluster

Section titled “Operator mindset for this cluster”

Each page follows the same four-act structure because that’s how an operator actually approaches a service:

  1. Protocol overview - what’s the service for, what’s the wire protocol, what’s the default port? You need a working mental model before you can spot what’s wrong.
  2. Default configuration - what does an out-of-the-box deployment look like? Knowing the baseline lets you spot deviations, which is where the findings come from.
  3. Dangerous settings - the specific config knobs that admins flip for convenience and forget to flip back. Each one maps to a class of finding.
  4. Footprinting commands - the actual commands that test for each dangerous setting and surface the data the operator needs.

Every page is a self-contained reference. Read it linearly the first time you encounter the service; thereafter, jump to the footprinting section.

How services group operationally

Section titled “How services group operationally”

Different services share tooling and mental models. For triage:

FamilyPagesShared concern
File sharesFTP, SMB, NFS, RsyncAnonymous access, world-readable shares, file enumeration
MailSMTP, IMAP / POP3User enumeration, open relay, credential testing
Name resolutionDNSZone transfer, subdomain disclosure
Network managementSNMP, IPMICommunity string defaults, hash retrieval
DatabasesMySQL, MSSQL, Oracle TNSDefault credentials, schema enumeration, file write primitives
Linux remote managementSSH, R-servicesAuth method enum, weak trust relationships
Windows remote managementRDP, WinRM, WMICredential reuse, NLA checks, named pipes

These families share tooling: smbclient/rpcclient cover several Windows-adjacent services; impacket covers most of them; nmap’s NSE scripts have per-service coverage for everything in this list.

What this cluster doesn’t cover

Section titled “What this cluster doesn’t cover”
  • Web services (HTTP/HTTPS) - handled in the web cluster. HTTP is its own universe and gets its own treatment.
  • Active Directory–specific protocols (LDAP, Kerberos, MS-RPC AD enumeration) - coming in a future cluster. SMB and WinRM here cover the basics that bleed into AD work but the AD-domain semantics need their own pages.
  • VPN / IPSec / SSL-VPN protocols - coming in a future cluster.
  • Industrial control / IoT protocols (Modbus, BACnet, MQTT) - niche, not currently covered.

A note on stealth

Section titled “A note on stealth”

Active enumeration is loud. Every connection you make to a target service shows up in its logs and can trigger IDS/IPS alerts. Patterns to keep in mind:

  • Nmap default scripts identify themselves explicitly. RDP scans send a cookie mstshash=nmap; SMTP scans send recognizable HELO patterns. On hardened targets, these get caught.
  • Authentication failures cascade. A brute-force attempt against SSH that locks out an account creates a help-desk ticket and possibly a detection alert. fail2ban will block your source after a few failures.
  • Specific NSE scripts are noisier than others. smb-vuln-* scripts probe known CVEs and will trip any modern SIEM. mssql-brute and mysql-brute attempt credential pairs.
  • Volume matters. Scanning every port on every host at full speed across a /24 is unmistakable. Slow scans (-T2 or -T1 in nmap) trade time for stealth.

Calibrate to the engagement. Black-box pen-tests usually accept the noise; red-team engagements often require careful pacing.

Order to work through this cluster

Section titled “Order to work through this cluster”

If you’re learning the cluster sequentially: file shares first (highest immediate-finding rate), then databases (often defaulted credentials), then mail (cleanest user-enum primitives), then management protocols (highest-impact when credentials work).

If you’ve found a specific port open: jump directly to the relevant page from the port lookup table at the top of this page.

Defenses D3-NTA Network Traffic Analysis D3-IDA