Network Enumeration with Nmap

Enumeration is arguably the most critical phase of penetration testing. The challenge, and the goal, isn't just gaining access to the target; it's identifying every possible way the system could be attacked.

This isn’t something tools can do for you on their own. Tools are helpful, but their output is only valuable if you know how to interpret it. Enumeration is less about clicking buttons and more about actively interacting with services, understanding what information they reveal, and exploring the possibilities they offer.

To do this effectively, it’s essential to understand how each service works, the protocols it uses, and the correct syntax for communication. This knowledge lets us probe intelligently and spot potential weaknesses.

The goal of enumeration is to expand our understanding of the target’s technologies and protocols while learning to adapt to new information. The more information we gather, the clearer the attack surface becomes — making it easier to find vectors to exploit. In short, enumeration is the foundation of a successful penetration test, and the more thorough you are here, the more options you’ll have later.

Host Discovery

When performing an internal penetration test across a company’s network, the first step is to get a clear overview of which systems are online and available to interact with. To actively discover these systems, we can use Nmap’s host discovery features. Nmap offers a variety of methods to check whether a target is alive, and one of the most effective is using ICMP echo requests — essentially “pings” to see which machines respond.

It’s also a best practice to save every scan. Stored results are invaluable for later comparison, documentation, and reporting. Different tools (or even different scan options in Nmap) can produce slightly different results, so keeping records helps you track what works best and ensures nothing is overlooked.

Based on the last result, find out which operating system it belongs to. Submit the name of the operating system as the result.

The ICMP echo reply arrived with TTL = 128, and an initial TTL of 128 is the fingerprint most commonly associated with [REDACTED] systems.

Host and Port Scanning

To get the most out of any penetration test, it’s crucial to understand how your tools work and what happens behind the scenes when they perform scans. The results are only meaningful if you know how they were obtained and what they actually represent.

Once we’ve confirmed that a target is online, the next step is to gather a more detailed picture of the system. Key information to collect includes:

  • Open ports and the services running on them
  • Service versions, which can hint at potential vulnerabilities
  • Information provided by the services themselves, such as banners or configuration details
  • The operating system, to understand the environment and possible attack vectors

Analyzing this data carefully allows us to make informed decisions about which paths to pursue during an attack.

Find all TCP ports on your target. Submit the total number of found TCP ports as the answer.

$ nmap -p- -sS 127.0.0.1 -T5
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-02 10:52 -03
Warning: 127.0.0.1 giving up on port because retransmission cap hit (2).
Nmap scan report for 127.0.0.1
Host is up (0.15s latency).
Not shown: 65414 closed tcp ports (reset), 114 filtered tcp ports (no-response)
PORT     STATE SERVICE
[REDACTED]

Nmap done: 1 IP address (1 host up) scanned in 123.55 seconds

Enumerate the hostname of your target and submit it as the answer. (case-sensitive)

$ nmap -sV 127.0.0.1 -T5 --script dns-brute
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-02 10:59 -03
Nmap scan report for 127.0.0.1
Host is up (0.14s latency).
Not shown: 993 closed tcp ports (reset)
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
110/tcp   open  pop3        Dovecot pop3d
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp   open  imap        Dovecot imapd (Ubuntu)
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
31337/tcp open  Elite?
| fingerprint-strings:
|   GetRequest:
|     220 [REDACTED]
|_
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint...
SF-Port31337-T:7.94%XN=7D5/2%Time=6814CFD79B%x86_64-pc-linux-gnu%r(GetRequest,1F,"220\x20HTD\{p0F7pDV3r510nb4n3r3\}\r\n");
Service Info: Host: [REDACTED]; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_dns-brute: Can't guess domain of "127.0.0.1"; use dns-brute.domain script argument.

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 163.56 seconds

Saving the Results

Whenever we run scans, it’s important to save the results. Keeping records allows us to compare different scanning methods later and understand how each one behaves.

Nmap provides three main formats for saving scan results:

  • Normal output (-oN) → saved as a .nmap file
  • Grepable output (-oG) → saved as a .gnmap file
  • XML output (-oX) → saved as a .xml file

If you want to save your scan in all three formats at once, you can use the -oA option. This is especially handy for documentation, reporting, or further analysis with other tools.
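The comparison use mentioned above (re-running a scan and seeing what changed) is easiest on the grepable (-oG) format. As an added example, not from the page or from Nmap itself, the following Python parses two constructed .gnmap samples into per-host port tables and reports which open ports appeared or disappeared between them; the same table answers "how many open ports" and "highest port" questions.

```python
import re

# Constructed sample .gnmap content (not a real scan) in Nmap's grepable format:
# "Host:" lines carry tab-separated fields; each Ports entry is
# port/state/protocol/owner/service/rpc-info/version/
SCAN_BEFORE = """# Nmap 7.94SVN scan initiated Fri May  2 10:52:00 2025 as: nmap -sV -oG before.gnmap 10.10.10.5
Host: 10.10.10.5 ()\tStatus: Up
Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1/, 80/open/tcp//http//Apache httpd 2.4.29/, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (997)
"""
SCAN_AFTER = """Host: 10.10.10.5 ()\tStatus: Up
Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1/, 80/open/tcp//http//Apache httpd 2.4.29/, 31337/open/tcp//Elite///\tIgnored State: closed (997)
"""

PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")

def parse_gnmap(text):
    """Return {host: {(port, proto): (state, service, version)}} from grepable output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # "# Nmap ..." comment lines carry no host data
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split(" ", 1)[0]          # drop the "(hostname)" part
        entry = hosts.setdefault(host, {})
        for m in PORT_RE.finditer(fields.get("Ports", "")):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            entry[(int(port), proto)] = (state, service, version)
    return hosts

def open_ports(scan, host):
    """Sorted open (port, proto) pairs for one host; handy for 'how many' and 'highest'."""
    return sorted(k for k, v in scan.get(host, {}).items() if v[0] == "open")

def diff_open_ports(before, after):
    """Per host, which open ports appeared or disappeared between two saved scans."""
    changes = {}
    for host in set(before) | set(after):
        old, new = set(open_ports(before, host)), set(open_ports(after, host))
        if old != new:
            changes[host] = {"opened": sorted(new - old), "closed": sorted(old - new)}
    return changes
```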

Perform a full TCP port scan on your target and create an HTML report. Submit the number of the highest port as the answer.

$ nmap -p- -sS 127.0.0.1 -T5
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-02 10:52 -03
Warning: 127.0.0.1 giving up on port because retransmission cap hit (2).
Nmap scan report for 127.0.0.1
Host is up (0.15s latency).
Not shown: 65414 closed tcp ports (reset), 114 filtered tcp ports (no-response)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
110/tcp   open  pop3
139/tcp   open  netbios-ssn
143/tcp   open  imap
445/tcp   open  microsoft-ds
[REDACTED]/tcp open  Elite

Nmap done: 1 IP address (1 host up) scanned in 123.55 seconds

Service Enumeration

For penetration testing, it’s crucial to determine the exact application and its version whenever possible. Knowing the version allows us to:

  • Scan for known vulnerabilities specific to that version
  • Analyze the source code if it’s publicly available
  • Find precise exploits that match both the service and the target’s operating system

The more accurate the version information, the more targeted and effective our attack strategy can be. This step is key for turning general reconnaissance into actionable intelligence.

Enumerate all ports and their services. One of the services contains the flag you have to submit as the answer.

$ nmap -sV 127.0.0.1 -T5 --script dns-brute
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-02 10:59 -03
Nmap scan report for 127.0.0.1
Host is up (0.14s latency).
Not shown: 993 closed tcp ports (reset)
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
110/tcp   open  pop3        Dovecot pop3d
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp   open  imap        Dovecot imapd (Ubuntu)
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
31337/tcp open  Elite?
| fingerprint-strings:
|   GetRequest:
|     220 [REDACTED]
|_
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint...
SF-Port31337-T:7.94%XN=7D5/2%Time=6814CFD79B%x86_64-pc-linux-gnu%r(GetRequest,1F,"220\x20HTD\{p0F7pDV3r510nb4n3r3\}\r\n");
Service Info: Host: NIX-NMAP-DEFAULT; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_dns-brute: Can't guess domain of "127.0.0.1"; use dns-brute.domain script argument.

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 163.56 seconds
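When -sV cannot match a service, the SF-Port fingerprint it prints is the only record of what the port actually sent back, so being able to read it is how you get the banner on port 31337. As an added example, not from the page or from Nmap, the following Python decodes such a fingerprint; the sample fingerprint is constructed in Nmap's format with a placeholder banner, and the parser rejoins the "SF:" continuation lines Nmap uses when it wraps long fingerprints.

```python
import re

# Constructed fingerprint in the format Nmap prints for an unrecognized service
# (not the page's own output; the banner text is a placeholder). Nmap wraps long
# fingerprints onto "SF:"-prefixed continuation lines, which the parser rejoins.
SAMPLE_SF = (
    'SF-Port31337-TCP:V=7.94SVN%I=7%D=5/2%Time=6814CFD7%P=x86_64-pc-linux-gnu'
    '%r(NULL,6,"hello\\n")%r(GetRequest,19,"220\\x20HTD{exa\nSF:mple_banner}\\r\\n");'
)

# Each response is %r(ProbeName,HexLength,"escaped bytes")
RESP_RE = re.compile(r'%r\(([\w-]+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')
SIMPLE_ESCAPES = {"r": "\r", "n": "\n", "t": "\t", "\\": "\\", '"': '"'}

def unescape(s):
    """Undo Nmap's escaping: \\xHH for non-printable bytes plus the \\r, \\n, \\t, backslash and quote forms."""
    out, i = [], 0
    while i < len(s):
        if s[i] != "\\":
            out.append(s[i]); i += 1
        elif s[i + 1] == "x":
            out.append(chr(int(s[i + 2:i + 4], 16))); i += 4
        else:
            out.append(SIMPLE_ESCAPES.get(s[i + 1], s[i + 1])); i += 2
    return "".join(out)

def parse_fingerprint(sf):
    """Return port, protocol, Nmap version and one (probe, declared_len, data, len_ok) per response."""
    text = re.sub(r"\nSF:", "", sf)
    head = re.match(r"SF-Port(\d+)-(\w+):V=([^%]+)", text)
    responses = []
    for probe, hexlen, raw in RESP_RE.findall(text):
        data = unescape(raw)
        declared = int(hexlen, 16)           # the length field is hexadecimal
        responses.append((probe, declared, data, len(data) == declared))
    return {"port": int(head.group(1)), "proto": head.group(2),
            "nmap": head.group(3), "responses": responses}

def banners(fp):
    """First line of each response, which is what you read to identify the service."""
    return {probe: data.splitlines()[0] for probe, _, data, _ in fp["responses"] if data}
```

A length mismatch (len_ok false) means the fingerprint was truncated or mangled in transit, which is worth knowing before you trust the banner.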

Nmap Scripting Engine

Another powerful feature of Nmap is the Nmap Scripting Engine (NSE). NSE allows us to write or use Lua scripts to interact with specific services, automate tasks, and gather more detailed information than standard scans. Whether it’s checking for vulnerabilities, performing advanced enumeration, or probing for configuration issues, NSE greatly extends Nmap’s capabilities beyond simple port scanning.

Use NSE and its scripts to find the flag that one of the services contains and submit it as the answer.

Running this reports a lot of potential vulnerabilities, but the flag is in the robots.txt file that shows up in the output.

$ nmap -sV --script vuln 127.0.0.1 -T5

Firewall and IDS/IPS Evasion – Easy Lab

Let’s get hands-on. Imagine a company hires us to test their IT security defenses, including IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems). Their goal is to improve security, and they plan to make specific adjustments to their IDS/IPS after each successful test. The catch? We don’t know exactly how they’ll make those changes.

Our objective is to extract as much information as possible from the given scenarios while staying under the radar. For learning purposes, we’re provided access to a status page at:

http://<target>/status.php

This page displays the number of alerts triggered. We know that exceeding a certain threshold will get us banned, so our tests need to be as quiet and stealthy as possible. This exercise is a great way to see firsthand how IDS/IPS systems react to different scanning and attack techniques, and how careful planning can help avoid detection.

Our client wants to know if we can identify which operating system their provided machine is running on. Submit the OS name as the answer.

$ nmap -sV -sC 127.0.0.1 -T5
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-02 11:27 -03
Nmap scan report for 127.0.0.1
Host is up (0.15s latency).
Not shown: 869 closed tcp ports (reset), 128 filtered tcp ports (no-response)
PORT      STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.6p1 [REDACTED] 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 71:c1:89:90:7f:fd:4f:60:e0:54:f3:85:e6:35:6c:2b (RSA)
|   256 e1:e8:c5:18:42:af:2a:de:c0:12:1e:2e:54:06:4f:70 (ECDSA)
|   256 1ac:cac:d4:94:5c:d6:1d:71:e7:39:de:14:27:3c:3c (ED25519)
80/tcp   open  http        Apache httpd 2.4.29 (Ubuntu)
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
10001/tcp open  scp-config?
| fingerprint-strings:
|   GetRequest:
|     220 [REDACTED]
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint...
SF-Port10001-T:7.94SVN%r=7D5/2%Time=6814D65A%p=x86_64-pc-linux-gnu%r(GetRequest,1F,"220\x20HTD\{pr0F7pDV3r510nb4nn3r\}\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 186.08 seconds

Firewall and IDS/IPS Evasion – Medium Lab

After completing our first test and submitting the results, the client’s administrators updated their IDS/IPS and firewall configurations. During the follow-up meeting, it was clear they weren’t satisfied with their previous setup and wanted stricter traffic filtering across the network.

Important note: To successfully complete this exercise, we must use the UDP protocol over the VPN. This adds an extra layer of realism, as we need to adapt our approach to the updated defenses while still gathering the required information.

After the configurations are transferred to the system, our client wants to know if it is possible to find out our target’s DNS server version. Submit the DNS server version of the target as the answer.

$ nmap --min-rate=10000 127.0.0.1 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-02 11:48 -03
Nmap scan report for 127.0.0.1
Host is up (0.14s latency).
Not shown: 65527 closed tcp ports (reset)
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
53/tcp   filtered domain
80/tcp   open     http
110/tcp  open     pop3
139/tcp  open     netbios-ssn
143/tcp  open     imap
445/tcp  filtered microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 7.63 seconds

$ nmap -sUVC 127.0.0.1 -p53
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-02 11:49 -03
Nmap scan report for 127.0.0.1
Host is up (0.14s latency).

PORT   STATE SERVICE VERSION
53/udp open  domain  (unknown banner: HTD{GoTtgUnyze9Psw4vGjcuMpHRp})
| dns-nsid: 
|  _bind.version: [REDACTED]
| fingerprint-strings: 
|   DNSVersionBindReq: 
|     version
|     bind
|     HTD{GoTtgUnyze9Psw4vGjcuMpHRp}
|   NBTStat: 
|     CkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|   ROOT-SERVERS: 
|     CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.\x01\x00\x01\x00
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint...
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.92 seconds
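The dns-nsid result above comes from one ordinary DNS question: a TXT record for version.bind in class CHAOS, which BIND answers with whatever the options { version "..."; } directive holds (a non-identifying value there stops the leak). As an added example, not from the page or from Nmap, the following Python builds that query and parses the reply; the reply bytes are constructed, not captured from the lab target.

```python
import struct

VERSION_BIND = b"\x07version\x04bind\x00"   # "version.bind" in DNS wire (label) form
QTYPE_TXT, QCLASS_CHAOS = 16, 3

def build_version_query(txid=0x1234):
    """The query dns-nsid sends: TXT record for version.bind in class CHAOS, RD=0."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # one question, no recursion
    return header + VERSION_BIND + struct.pack("!HH", QTYPE_TXT, QCLASS_CHAOS)

def skip_name(pkt, off):
    """Advance past a DNS name (labels or a 2-byte compression pointer); return new offset."""
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:
            return off + 2          # pointer terminates the name
        off += 1 + length
        if length == 0:
            return off

def parse_txt_answers(pkt, expected_txid):
    """TXT strings from the answer section, or [] when the reply is not a usable match."""
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", pkt[:8])
    if txid != expected_txid or not flags & 0x8000 or flags & 0x000F:
        return []   # wrong transaction, not a response, or RCODE != 0 (e.g. REFUSED)
    off = 12
    for _ in range(qdcount):
        off = skip_name(pkt, off) + 4            # QTYPE + QCLASS
    strings = []
    for _ in range(ancount):
        off = skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        rdata, off = pkt[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if (rtype, rclass) != (QTYPE_TXT, QCLASS_CHAOS):
            continue
        i = 0
        while i < len(rdata):                    # TXT rdata: <len><chars> repeated
            strings.append(rdata[i + 1:i + 1 + rdata[i]].decode("latin-1"))
            i += 1 + rdata[i]
    return strings

# Constructed reply (not captured from the lab target) from a server whose named.conf
# sets options { version "example-version"; }. Answer name is a pointer to offset 12.
SAMPLE_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)            # QR=1, AA=1
    + VERSION_BIND + struct.pack("!HH", QTYPE_TXT, QCLASS_CHAOS)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CHAOS, 0, 16) + b"\x0fexample-version"
)
```

To check a resolver you administer, send build_version_query() to it over UDP port 53 and pass the datagram you get back to parse_txt_answers(); an empty list with RCODE REFUSED means the version is not exposed.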

Firewall and IDS/IPS Evasion – Hard Lab

Following our second test, the client gained valuable insights and sent one of their administrators to a training course on IDS/IPS systems. According to the client, the training lasted one week.

Now, the administrator has implemented all the recommended precautions and wants us to conduct another round of testing. This time, specific services have been adjusted, and communication settings for the provided software have been modified. Our task is to evaluate how these changes impact the network’s defenses and identify any remaining gaps.

Now our client wants to know if it is possible to find out the version of the running services. Identify the version of service our client was talking about and submit the flag as the answer.

Let's run a SYN scan with Nmap against all ports, using source port 53:

$ nmap -sS --min-rate 5000 --source-port 53 127.0.0.1 -p- --stats-every=5s
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-02 11:55 -03
Stats: 0:00:05 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 33.42% done; ETC: 11:55 (0:00:10 remaining)
Stats: 0:00:10 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 69.40% done; ETC: 11:55 (0:00:04 remaining)
Nmap scan report for 127.0.0.1
Host is up (0.14s latency).
Not shown: 64562 closed tcp ports (reset), 970 filtered tcp ports (no-response)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
50000/tcp open  ibm-db2

Nmap done: 1 IP address (1 host up) scanned in 15.02 seconds

Port 50000 seems to have something. Let's connect to it with Netcat, again using source port 53:

$ nc 127.0.0.1 50000 -p 53
220 [REDACTED]