So for this week I went in depth on how to enumerate information such as which hosts are available, what services are running on them, and how to enumerate those services.

For this demo I will be using the lab called Ice from TryHackMe.

Before that, let's see how nmap works. We all know it shows results like live hosts, services and other information, but how does it work underneath?

First, to discover all the active hosts in the subnet, it sends ICMP echo requests. Once the live hosts are identified, it performs a TCP SYN scan against them.

There are three port states you will see in the output:

PORT     STATE    SERVICE
22/tcp   open     ssh
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
3306/tcp closed    mysql

Open means the port is active and you can get information from it; these are the ports where exploitation happens.

Closed means the port is not active; the service is not available.

Filtered means the port is blocked by a firewall. You can try to bypass these firewalls with nmap or other tools to get information.

Now let's see the commands we have in nmap.

How to identify all the active hosts in the subnet:

nmap 10.49.180.0/24
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-14 11:53 UTC
Nmap scan report for 10.49.180.6
Host is up (0.025s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap scan report for 10.49.180.38
Host is up (0.025s latency).
Not shown: 988 closed tcp ports (reset)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
5357/tcp  open  wsdapi
8000/tcp  open  http-alt
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49158/tcp open  unknown
49159/tcp open  unknown
49160/tcp open  unknown

Nmap scan report for 10.49.180.81
Host is up (0.025s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap scan report for 10.49.180.158
Host is up (0.026s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
5002/tcp open  rfe
5003/tcp open  filemaker
5004/tcp open  avt-profile-1

Nmap done: 256 IP addresses (4 hosts up) scanned in 5.47 seconds

Now that we know which hosts are active, let's start with the IP they gave in the TryHackMe box.

nmap 10.49.180.38

Windows systems block ICMP packets by default, so nmap thinks the host is down; we need to use -Pn to skip host discovery.

nmap -Pn 10.49.180.38

Now you can see the open ports.

Now we know which services are running, but that is not much use on its own, so we find the service versions.

nmap -Pn 10.49.180.38 -sV

Now we have the versions, but nmap has a feature where we can enumerate more data by running its default scripts.

nmap -Pn 10.49.180.38 -sC

OK, but when we use just nmap and an IP like nmap -Pn 10.49.180.38, it only scans the 1000 most commonly used ports, so we need to ask for all ports using the -p- option.

nmap -Pn 10.49.180.38 -p-

Since these are all the ports this box has open, we do not see any other TCP ports.

This method scans all 65,535 TCP ports, but what about UDP ports? We need to tell nmap to scan UDP ports using -sU.

nmap -Pn 10.49.180.38 -sU

When using -A, nmap combines the script scan, version scan, OS detection and traceroute. It generates a lot of noise and is easily detected, so it is better to use it only in a CTF.

┌──(dante㉿DANTECH)-[~/Desktop]
└─$ nmap -Pn 10.49.180.38 -A 
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-14 11:16 UTC
Nmap scan report for 10.49.180.38
Host is up (0.023s latency).
Not shown: 988 closed tcp ports (reset)
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  tcpwrapped
|_ssl-date: 2025-12-14T11:17:52+00:00; +3s from scanner time.
| ssl-cert: Subject: commonName=Dark-PC
| Not valid before: 2025-12-13T11:05:40
|_Not valid after:  2026-06-14T11:05:40
| rdp-ntlm-info: 
|   Target_Name: DARK-PC
|   NetBIOS_Domain_Name: DARK-PC
|   NetBIOS_Computer_Name: DARK-PC
|   DNS_Domain_Name: Dark-PC
|   DNS_Computer_Name: Dark-PC
|   Product_Version: 6.1.7601
|_  System_Time: 2025-12-14T11:17:38+00:00
5357/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
8000/tcp  open  http         Icecast streaming media server
|_http-title: Site doesn't have a title (text/html).
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49158/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  msrpc        Microsoft Windows RPC
49160/tcp open  msrpc        Microsoft Windows RPC
Device type: general purpose
Running: Microsoft Windows 2008|7|Vista|8.1
OS CPE: cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_vista cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows Vista SP2 or Windows 7 or Windows Server 2008 R2 or Windows 8.1
Network Distance: 3 hops
Service Info: Host: DARK-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-12-14T11:17:37
|_  start_date: 2025-12-14T11:05:38
|_nbstat: NetBIOS name: DARK-PC, NetBIOS user: <unknown>, NetBIOS MAC: 0a:31:c7:34:33:b9 (unknown)
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: Dark-PC
|   NetBIOS computer name: DARK-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2025-12-14T05:17:37-06:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 1h12m02s, deviation: 2h40m59s, median: 2s

TRACEROUTE (using port 199/tcp)
HOP RTT      ADDRESS
1   20.78 ms 192.168.128.1
2   ...
3   22.90 ms 10.49.180.38

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.61 seconds

So far we have seen how to gather information like live hosts, services, service versions, OS detection and other data, but this method takes a lot of time. nmap has a timing option to shorten the time it takes, for example -T4. The timing templates go from 0 to 5, where 0 is very slow and 5 is very fast.

I will run the same command again, but the time it takes will be less when I use T5. Remember that T5 is an aggressive scan and can be detected. nmap uses T3 by default.

┌──(dante㉿DANTECH)-[~/Desktop]
└─$ nmap -Pn 10.49.180.38 -sC -sV -p- -T5
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-14 11:57 UTC
Nmap scan report for 10.49.180.38
Host is up (0.025s latency).
Not shown: 988 closed tcp ports (reset)
PORT      STATE SERVICE        VERSION
135/tcp   open  msrpc          Microsoft Windows RPC
139/tcp   open  netbios-ssn    Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds   Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ms-wbt-server?
|_ssl-date: 2025-12-14T11:58:26+00:00; +2s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: DARK-PC
|   NetBIOS_Domain_Name: DARK-PC
|   NetBIOS_Computer_Name: DARK-PC
|   DNS_Domain_Name: Dark-PC
|   DNS_Computer_Name: Dark-PC
|   Product_Version: 6.1.7601
|_  System_Time: 2025-12-14T11:58:21+00:00
| ssl-cert: Subject: commonName=Dark-PC
| Not valid before: 2025-12-13T11:05:40
|_Not valid after:  2026-06-14T11:05:40
5357/tcp  open  http           Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
|_http-server-header: Microsoft-HTTPAPI/2.0
8000/tcp  open  http           Icecast streaming media server
|_http-title: Site doesn't have a title (text/html).
49152/tcp open  msrpc          Microsoft Windows RPC
49153/tcp open  msrpc          Microsoft Windows RPC
49154/tcp open  msrpc          Microsoft Windows RPC
49158/tcp open  msrpc          Microsoft Windows RPC
49159/tcp open  msrpc          Microsoft Windows RPC
49160/tcp open  msrpc          Microsoft Windows RPC
Service Info: Host: DARK-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: DARK-PC, NetBIOS user: <unknown>, NetBIOS MAC: 0a:31:c7:34:33:b9 (unknown)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: Dark-PC
|   NetBIOS computer name: DARK-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2025-12-14T05:58:21-06:00
|_clock-skew: mean: 1h12m01s, deviation: 2h40m59s, median: 1s
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2025-12-14T11:58:21
|_  start_date: 2025-12-14T11:05:38

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.74 seconds
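The post notes twice that -A and -T5 are noisy and easily detected. As an added example that is not part of the original post, here is the defender's side of that statement: a small sliding-window detector that reads connection-log lines and flags any source that probes many distinct ports within a few seconds, which is exactly what a fast full-port scan looks like on the wire. The log format, the scanner address 10.49.180.200 and the benign client 10.49.180.6 are constructed for the example; the target and the port list are taken from the scan above.

```python
"""Flag noisy port scans (nmap -A / -T5 style) from connection-log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log, not from the original post. The format is a hypothetical
# firewall log with one line per inbound TCP SYN:
#   "<ISO time> src=<ip> dst=<ip> dport=<port> proto=tcp"
SCANNER = "10.49.180.200"   # constructed: the host running the fast scan
TARGET = "10.49.180.38"     # the box from the post
BENIGN = "10.49.180.6"      # constructed: an ordinary client


def _line(ts, src, dport):
    return f"{ts} src={src} dst={TARGET} dport={dport} proto=tcp"


# A -T5 scan hits many ports in a second or two: the box's open ports plus some closed ones.
_probed_ports = [135, 139, 445, 3389, 5357, 8000, 49152, 49153, 49154, 49158,
                 49159, 49160] + list(range(1, 21))
SAMPLE_LOG = [_line("2025-12-14T11:57:00Z", SCANNER, p) for p in _probed_ports[:16]]
SAMPLE_LOG += [_line("2025-12-14T11:57:01Z", SCANNER, p) for p in _probed_ports[16:]]
# The benign client talks to SMB twice and RDP once over about a minute.
SAMPLE_LOG += [_line("2025-12-14T11:57:05Z", BENIGN, 445),
               _line("2025-12-14T11:57:35Z", BENIGN, 445),
               _line("2025-12-14T11:58:10Z", BENIGN, 3389)]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["dst"], int(m["dport"])


def detect_scanners(lines, window_seconds=10, port_threshold=15):
    """Return {src: peak distinct ports within one window} for sources over the threshold.

    Per source we keep a deque of (timestamp, port) events and drop everything older
    than the window; the number of distinct ports left is the scan signal.
    """
    recent = defaultdict(deque)   # src -> (ts, port) events, oldest first
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, _dst, port = parsed
        q = recent[src]
        q.append((ts, port))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = len({p for _, p in q})
        peak[src] = max(peak[src], distinct)
    return {src: n for src, n in peak.items() if n >= port_threshold}


if __name__ == "__main__":
    for src, n in detect_scanners(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {n} distinct ports within 10s")
```

The threshold and window are the knobs: a slower -T1 or -T2 scan spreads its probes out so that fewer of them fall inside one window, which is why the post's warning about T5 being detectable holds, and why a defender wants a longer window for the quieter templates.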

Now we found that the SMB service is running, but the default script scan -sC did not give us much info about it. We can use other nmap scripts to get a lot more information, and we can use -p to enumerate just the ports we care about.

nmap -p 139,445 --script smb-enum-shares,smb-enum-users,smb-os-discovery,smb-security-mode 10.49.180.38

Now we have the system name, the shares on the system and the security mode used, and we can use other tools to connect to the system. So far we have only been viewing the results in the terminal; what if we want to save them to a file and view them later? We could just copy and paste into Notepad, but what if we need other file formats?

| Flag  | Format   | Use case         |
| ----- | -------- | ---------------- |
| `-oN` | Normal   | Readable         |
| `-oX` | XML      | Automation       |
| `-oG` | Grepable | CLI parsing      |
| `-oA` | All      | Best overall     |

nmap -Pn 10.49.180.38 -oA scan
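The table lists -oX as the format for automation, and -oA above writes it for you as scan.xml. As an added example that is not part of the original post, here is what that automation typically looks like on the defensive side: parse two saved XML scans and report which ports are newly open since the baseline, which is how a team catches a service that appeared on a host it did not expect. The XML below is constructed in the shape of nmap's -oX output (same element and attribute names) and is not a real saved scan; the "baseline" run is hypothetical, while the host and ports mirror the box from the post.

```python
"""Parse nmap -oX output and diff two scans to spot newly exposed ports."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of nmap's XML output (not a real saved scan).
# Hypothetical earlier baseline: the box without the Icecast server on 8000.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -sV -oX baseline.xml 10.49.180.38" version="7.95">
<host><status state="up" reason="user-set"/>
<address addr="10.49.180.38" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="135"><state state="open" reason="syn-ack"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
<port protocol="tcp" portid="139"><state state="open" reason="syn-ack"/><service name="netbios-ssn"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/><service name="ms-wbt-server"/></port>
</ports></host>
<runstats><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""

# Constructed "current" scan: 8000/tcp (Icecast) is now open and 139/tcp is reported closed.
CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -sV -oX scan.xml 10.49.180.38" version="7.95">
<host><status state="up" reason="user-set"/>
<address addr="10.49.180.38" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="135"><state state="open" reason="syn-ack"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
<port protocol="tcp" portid="139"><state state="closed" reason="reset"/><service name="netbios-ssn"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/><service name="ms-wbt-server"/></port>
<port protocol="tcp" portid="8000"><state state="open" reason="syn-ack"/><service name="http" product="Icecast streaming media server"/></port>
</ports></host>
<runstats><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {addr: {(proto, port): {"state", "service", "product"}}} for hosts that are up."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        ports = {}
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            key = (port.get("protocol"), int(port.get("portid")))
            ports[key] = {
                "state": state.get("state") if state is not None else "unknown",
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
            }
        hosts[addr_el.get("addr")] = ports
    return hosts


def open_ports(scan):
    """Flatten a parsed scan into a set of (addr, proto, port) tuples that are open."""
    return {(addr, proto, port)
            for addr, ports in scan.items()
            for (proto, port), info in ports.items()
            if info["state"] == "open"}


def diff_scans(baseline_xml, current_xml):
    """Compare two -oX files: ports open now but not before, and the reverse."""
    before = open_ports(parse_nmap_xml(baseline_xml))
    after = open_ports(parse_nmap_xml(current_xml))
    return {"new_open": sorted(after - before), "closed_since": sorted(before - after)}


if __name__ == "__main__":
    result = diff_scans(BASELINE_XML, CURRENT_XML)
    for addr, proto, port in result["new_open"]:
        print(f"NEW  {addr} {port}/{proto}")
    for addr, proto, port in result["closed_since"]:
        print(f"GONE {addr} {port}/{proto}")
```

With real files you would read baseline.xml and scan.xml from disk and feed their contents to diff_scans; the XML produced by -oX or -oA carries the same host, address, port, state and service elements the parser looks for, so nothing else changes.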

-sS is nmap's TCP SYN scan. nmap sends a single SYN packet to a target port and infers the port state from the response: a SYN/ACK means the port is open (and nmap immediately resets the connection without completing the handshake), an RST means the port is closed, and no response or an ICMP error means the port is filtered. Because it never fully establishes a TCP connection, it is fast and relatively stealthy, and it is the default scan type when nmap is run with root privileges.

nmap -Pn 10.49.180.38 -sS

Now let's see how to manipulate what shows up in the target's logs.

sudo nmap 10.49.180.38 -p 8000 -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5

This command runs a stealth TCP SYN scan against a single port (here port 8000 on 10.49.180.38), skipping host discovery (-Pn), DNS resolution (-n) and ARP ping (--disable-arp-ping), while printing every packet sent and received (--packet-trace) to show what is happening on the wire. It also uses five random decoy IPs (-D RND:5), so the target sees multiple fake sources along with yours, making it harder to identify the real scanner; this is useful for learning packet behaviour or basic evasion techniques.


Accurate scanning helps reduce noise, identify real attack paths and plan exploitation more effectively during a penetration test. In the next blog I will show you how to enumerate each service, and what each service is used for, with different tools.

That's it for today. Try different tools and explore around to find the tool that's suitable for you.