Practice Example of Scanning and Enumeration
You are a Junior Penetration Tester at CyberShield Security, a consulting firm specializing in internal network assessments. Your team has been asked to assess the internal security posture of a client by identifying exposed services and misconfigurations in their development staging environment. You've been assigned a virtual lab system, Metasploitable 2, which mirrors their older infrastructure.
Your goal is to conduct scanning and enumeration using industry-standard tools, make decisions based on your findings, and identify areas of exposure that could be exploited in a future phase of the engagement.
Task 1: Perform Basic Network Reconnaissance
Objective: Identify the live host and determine which services it exposes.
You begin with a basic subnet scan using Nmap to discover live hosts:
nmap -sn 10.0.2.4/24
This reveals that the target host (Metasploitable 2) is up at 10.0.2.4. Next, you perform a more detailed scan to gather service and version information:
nmap -sV -A 10.0.2.4
Why this matters:
-sV identifies version numbers for exposed services, which can be mapped to known vulnerabilities.
-A enables OS detection, version detection, default script scanning and traceroute in one switch, providing deeper context.
Strategic Reflection: In a monitored environment, this aggressive scan could trigger alerts. In a red team engagement, you might instead use -sS -T2 for a stealthy SYN scan and trade speed for stealth.
Task 2: Enumerate Services for Deeper Insight
Objective: Probe services to uncover misconfigurations, banners, and access levels.
You select two services to focus on: FTP and SMB.
FTP Enumeration
You run:
nmap -p 21 --script ftp-anon 10.0.2.4
You also connect manually:
ftp 10.0.2.4
SMB Enumeration
You run:
nmap --script=smb-enum-shares,smb-os-discovery -p 139,445 10.0.2.4
Then follow up with:
enum4linux -a 10.0.2.4
Task 3: Analyze Results and Assess the Attack Surface
Objective: Use enumeration data to evaluate which services pose the most risk.
From your findings:
The system runs multiple outdated services with known vulnerabilities.
Anonymous access is enabled on both FTP and SMB.
Database services (MySQL, PostgreSQL) are exposed to the network.
You prioritize SMB as the highest-risk target for a follow-up exploitation phase:
It allows guest access.
It runs an old, vulnerable Samba version.
Misconfigurations align with real-world attacks.
You summarize the system's attack surface as:
Broad and risky, with unauthenticated access, outdated software, and open administrative ports.
Real-World Thinking: In a live client engagement, this level of exposure would warrant immediate remediation. Even if exploitation isn't authorized yet, enumeration alone has revealed serious risk.
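As an added example that is not part of the original walkthrough, the script below turns the enumeration data from Task 2 into the prioritized attack-surface summary Task 3 asks for. It assumes the Task 1 and Task 2 scans were repeated with Nmap's -oX option so the results land in XML, and it triages that XML with the page's own criteria: unauthenticated access, databases reachable from the network, legacy SMB software and cleartext administrative protocols. The XML embedded in it is a constructed sample in Nmap's schema, not a capture of the lab host; the product strings and script outputs in it are illustrative.

```python
"""Triage Nmap XML output into a prioritized list of findings.

Assumes the scans were rerun with -oX, e.g. (hypothetical invocation):
    nmap -sV -p 21,23,139,445,3306,5432 \
        --script ftp-anon,smb-enum-shares,smb-os-discovery -oX scan.xml 10.0.2.4
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's XML schema (not a real capture of the lab host).
SAMPLE_XML = """
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="10.0.2.4" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open"/>
        <service name="ftp" product="vsftpd"/>
        <script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="filtered"/>
        <service name="ssh"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="open"/>
        <service name="telnet" product="Linux telnetd"/>
      </port>
      <port protocol="tcp" portid="139">
        <state state="open"/>
        <service name="netbios-ssn" product="Samba smbd"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <service name="netbios-ssn" product="Samba smbd"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="open"/>
        <service name="mysql" product="MySQL"/>
      </port>
      <port protocol="tcp" portid="5432">
        <state state="open"/>
        <service name="postgresql" product="PostgreSQL DB"/>
      </port>
    </ports>
    <hostscript>
      <script id="smb-os-discovery" output="OS: Unix (Samba 3.x)"/>
      <script id="smb-enum-shares" output="tmp: Anonymous access: READ/WRITE"/>
    </hostscript>
  </host>
</nmaprun>
"""

SEVERITY = {"high": 3, "medium": 2, "low": 1}
DB_SERVICES = {"mysql", "postgresql"}          # Nmap service names for the DBs in Task 3
CLEARTEXT_ADMIN = {"telnet", "rsh", "rlogin"}  # credentials cross the wire unencrypted
SMB_PORTS = {139, 445}


def parse_host(xml_text):
    """Return (address, open_ports, hostscripts) for the first host in the XML."""
    host = ET.fromstring(xml_text.strip()).find("host")
    addr = host.find("address").get("addr")
    open_ports = []
    for port in host.findall("ports/port"):
        if port.find("state").get("state") != "open":
            continue  # closed/filtered ports add nothing to the attack surface
        svc = port.find("service")
        open_ports.append({
            "port": int(port.get("portid")),
            "name": svc.get("name", "") if svc is not None else "",
            "scripts": {s.get("id"): s.get("output", "") for s in port.findall("script")},
        })
    hostscripts = {s.get("id"): s.get("output", "") for s in host.findall("hostscript/script")}
    return addr, open_ports, hostscripts


def triage(xml_text):
    """Apply the triage rules; return findings grouped by target, highest score first."""
    _addr, open_ports, hostscripts = parse_host(xml_text)
    raw = []  # (target, severity, reason)
    for p in open_ports:
        target = f"{p['port']}/{p['name']}"
        if "Anonymous FTP login allowed" in p["scripts"].get("ftp-anon", ""):
            raw.append((target, "high", "anonymous FTP login permitted"))
        if p["name"] in DB_SERVICES:
            raw.append((target, "medium", "database reachable from the network"))
        if p["name"] in CLEARTEXT_ADMIN:
            raw.append((target, "medium", "cleartext administrative protocol"))
    # Host-level SMB scripts describe the SMB service as a whole, so 139/445 are one target.
    smb_open = sorted(p["port"] for p in open_ports if p["port"] in SMB_PORTS)
    if smb_open:
        smb_target = ",".join(map(str, smb_open)) + "/smb"
        if re.search(r"Anonymous access:\s*READ", hostscripts.get("smb-enum-shares", "")):
            raw.append((smb_target, "high", "share readable without authentication"))
        if re.search(r"Samba 3\.", hostscripts.get("smb-os-discovery", "")):
            raw.append((smb_target, "medium", "Samba 3.x, an end-of-life branch"))
    grouped = {}
    for target, sev, reason in raw:
        entry = grouped.setdefault(target, {"target": target, "score": 0, "reasons": []})
        entry["score"] += SEVERITY[sev]
        entry["reasons"].append(f"{sev}: {reason}")
    return sorted(grouped.values(), key=lambda e: (-e["score"], e["target"]))


def report(xml_text):
    """Render the ranked findings as the one-paragraph summary a report would carry."""
    addr, _ports, _scripts = parse_host(xml_text)
    lines = [f"Attack surface for {addr} (highest risk first):"]
    for f in triage(xml_text):
        lines.append(f"  [{f['score']}] {f['target']}: " + "; ".join(f["reasons"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_XML))
```

Scores are additive on purpose: SMB outranks anonymous FTP only because two independent weaknesses (guest-readable share plus an end-of-life Samba branch) stack on the same service, which is exactly the reasoning the Task 3 prioritization uses. Swap SAMPLE_XML for the contents of your own scan.xml to rank a real result set.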
Takeaways
Scan types have tradeoffs — be strategic in their use based on environment sensitivity.
Enumeration is about depth, not just listing services — extract access levels, configurations, and vulnerabilities.
Misconfigurations matter as much as CVEs — anonymous access, guest shares, or weak protocols expose systems in different ways.
Good job.