Chapter 10: Scanning and Enumeration

"Scanning is the transition from passively watching to actively touching. Every packet you send leaves a trace, and every response reveals a secret." — HD Moore, creator of Metasploit

In the previous chapters, we gathered intelligence without directly interacting with our targets (passive reconnaissance) and began carefully probing their external-facing infrastructure (active reconnaissance). Now we cross a decisive threshold. Scanning and enumeration is where theory meets the wire — where you systematically probe every port, interrogate every service, and catalog every accessible resource on a target network. This chapter transforms you from an observer into an active participant in the penetration testing lifecycle.

If reconnaissance is the art of learning about your target from a distance, scanning is the science of mapping it up close. Every open port is a potential doorway, every running service a potential conversation, and every misconfigured share a potential treasure chest. The tools and techniques in this chapter form the backbone of every successful penetration test, and mastering them will distinguish you from script kiddies who blindly fire automated tools without understanding the packets flowing across the wire.

10.1 Port Scanning Fundamentals

10.1.1 What Is Port Scanning?

Port scanning is the process of sending packets to a range of port numbers on a target host to determine which ports are open, closed, or filtered. Since networked services bind to specific ports to accept connections, identifying open ports reveals what services are running — and therefore what attack surface is available.

💡 Key Concept: A port is a 16-bit number (0–65535) that acts as an endpoint for network communication. TCP and UDP each have their own 65,536 ports, meaning a single host can theoretically have 131,072 distinct ports.

The three standard port states are:

10.1.2 The TCP Three-Way Handshake Revisited

Understanding port scanning requires mastering the TCP three-way handshake introduced in Chapter 6:

1. SYN: The client sends a TCP segment with the SYN flag set to initiate a connection.
2. SYN-ACK: If the port is open, the server responds with SYN-ACK.
3. ACK: The client completes the handshake with an ACK.

Different scan types manipulate this process in different ways to extract information while minimizing detection.

10.1.3 TCP Scan Types

TCP Connect Scan (-sT): Completes the full three-way handshake. This is the most reliable but also the most detectable scan type, because the operating system's TCP stack handles the entire connection. Every successful connection will appear in the target's logs.

SYN Scan (-sS): Also called "half-open" scanning. The scanner sends a SYN packet and waits for a SYN-ACK (open) or RST (closed). If it receives SYN-ACK, it immediately sends RST to tear down the connection before it completes. Because the handshake never finishes, many older logging mechanisms won't record the connection attempt.

⚠️ Authorization Warning: SYN scanning requires raw socket privileges (root/administrator). More importantly, it requires explicit authorization from the target's owner. Unauthorized port scanning may violate computer crime laws regardless of your intent.

FIN Scan (-sF): Sends a packet with only the FIN flag set. Per RFC 793, a closed port should respond with RST, while an open port should silently drop the packet. This technique is useful against stateless firewalls that only filter SYN packets.

Xmas Scan (-sX): Sets the FIN, PSH, and URG flags simultaneously. The name comes from the packet being "lit up like a Christmas tree." It works on the same RFC 793 principle as the FIN scan.

NULL Scan (-sN): Sends a TCP segment with no flags set. Like FIN and Xmas scans, it relies on the RFC specification, but many modern operating systems (particularly Windows) do not comply with this RFC, making these scan types unreliable against Windows targets.

ACK Scan (-sA): Does not determine whether ports are open or closed. Instead, it maps firewall rulesets by determining whether ports are filtered or unfiltered. An RST response means the port is unfiltered (reachable through the firewall), while no response or ICMP unreachable means filtered.

10.1.4 UDP Scanning

UDP scanning (-sU) is notoriously slow and unreliable because UDP is connectionless. The scanner sends a UDP datagram to the target port:

• Open: The service responds with a UDP packet (or the port simply absorbs the packet silently).
• Closed: The target responds with ICMP port unreachable (type 3, code 3).
• Filtered: No response or an ICMP unreachable with certain codes.

The fundamental challenge is that open and filtered ports often look identical — neither responds. Nmap addresses this by sending protocol-specific payloads to well-known UDP ports (DNS on 53, SNMP on 161, etc.) to elicit application-layer responses.

📊 Performance Note: A full UDP scan of 65,535 ports can take 18+ hours because most operating systems rate-limit ICMP unreachable messages (typically one per second on Linux). Always scope UDP scans to the most common ports unless you have a compelling reason to scan the full range.

10.1.5 Port Number Categories

In practice, most penetration testers begin with a scan of the top 1,000 ports (Nmap's default), then expand to a full 65,535-port scan on hosts of interest.

10.2 Nmap: The Network Mapper in Depth

10.2.1 Why Nmap?

Nmap (Network Mapper) is the gold standard of network scanning tools, maintained by Gordon "Fyodor" Lyon since 1997. It is free, open source, cross-platform, and extraordinarily powerful. Nmap is used by security professionals, system administrators, and researchers worldwide, and it has even appeared in major motion pictures — most famously in The Matrix Reloaded (2003), where Trinity uses Nmap's real output to scan and exploit a target system.

🔗 Pop Culture Connection: In The Matrix Reloaded, Trinity uses nmap -v -sS -O 10.2.2.2 to discover a vulnerable SSH server, then exploits it with the real SSH CRC32 exploit (CVE-2001-0144). It was one of the first accurate depictions of hacking in a Hollywood film.

10.2.2 Basic Nmap Syntax and Options

The general Nmap syntax is:

nmap [Scan Type] [Options] [Target Specification]

Target specification is flexible:

nmap 192.168.1.1                  # Single host
nmap 192.168.1.0/24               # CIDR notation (256 hosts)
nmap 192.168.1.1-254              # Range
nmap 192.168.1.1,2,3,10           # Specific hosts
nmap -iL targets.txt              # Read from file
nmap 10.0.0.0/8 --exclude 10.0.0.1  # Exclude specific hosts

Port specification:

nmap -p 22,80,443 target           # Specific ports
nmap -p 1-1024 target              # Range
nmap -p- target                    # All 65,535 ports
nmap -p U:53,161,T:80,443 target   # Protocol-specific
nmap --top-ports 100 target        # Top N most common ports

10.2.3 Host Discovery

Before scanning ports, Nmap determines which hosts are alive. By default on a local subnet, it uses ARP requests. For remote hosts, it sends:

1. ICMP Echo Request
2. TCP SYN to port 443
3. TCP ACK to port 80
4. ICMP Timestamp Request

You can customize host discovery:

nmap -sn 192.168.1.0/24           # Ping sweep only (no port scan)
nmap -Pn target                    # Skip host discovery (treat all as alive)
nmap -PS22,80,443 target           # TCP SYN ping on specific ports
nmap -PA80 target                  # TCP ACK ping
nmap -PE target                    # ICMP echo ping only
nmap -PP target                    # ICMP timestamp ping

💡 MedSecure Scenario: During the MedSecure engagement, we start by performing a ping sweep of their internal network: nmap -sn 10.10.0.0/16. This reveals 347 active hosts across multiple subnets. We document each discovered host, noting which subnets appear to be server VLANs versus workstation VLANs.

10.2.4 Timing and Performance

Nmap provides six timing templates:

You can also fine-tune timing:

nmap --min-rate 1000 target        # Send at least 1000 packets/sec
nmap --max-retries 2 target        # Reduce retransmissions
nmap --host-timeout 5m target      # Give up on slow hosts
nmap --scan-delay 200ms target     # Wait between probes

⚠️ Lab Note: For the Student Home Lab, -T4 is typically fine. In real engagements, balance speed against the risk of crashing services or triggering alerts. Fragile embedded devices (medical equipment, IoT sensors) can fail under aggressive scanning.

10.2.5 Output Formats

Nmap supports multiple output formats that you should use for documentation and integration:

nmap -oN scan.txt target           # Normal text output
nmap -oX scan.xml target           # XML (for parsing and import)
nmap -oG scan.gnmap target         # Grepable output
nmap -oA scan_all target           # All three formats at once
nmap -oX - target | xsltproc ...   # Transform XML to HTML

The XML output is particularly valuable because it can be imported into vulnerability management platforms, parsed with scripts, and transformed into reports.

10.2.6 Nmap Scripting Engine (NSE)

The Nmap Scripting Engine is what elevates Nmap from a port scanner to a comprehensive security assessment platform. NSE scripts are written in Lua and can perform everything from vulnerability detection to brute-force attacks.

nmap --script=default target       # Run default scripts (same as -sC)
nmap --script=vuln target          # Run all vulnerability detection scripts
nmap --script=smb-enum-shares target  # Run specific script
nmap --script "http-*" target      # Wildcard matching
nmap --script=http-title --script-args http.useragent="Mozilla" target

NSE script categories include:

🧪 Try It in Your Lab: Against your Metasploitable VM, run: nmap -sV -sC -p- -oA full_scan 192.168.x.x. Then explore the results. You will find dozens of vulnerable services that Nmap's default scripts automatically identify.

10.2.7 Nmap for Large Networks

When scanning large networks (class B or class A ranges), efficiency matters:

# Phase 1: Fast host discovery
nmap -sn -T4 10.0.0.0/16 -oG alive_hosts.gnmap

# Phase 2: Quick top-port scan of alive hosts
nmap -sS -T4 --top-ports 100 -iL alive.txt -oA quick_scan

# Phase 3: Full port scan on interesting hosts
nmap -sS -p- -T4 --min-rate 5000 -iL interesting.txt -oA full_scan

# Phase 4: Deep service/script scan on open ports
nmap -sV -sC -p <open_ports> -iL interesting.txt -oA deep_scan

This phased approach prevents you from spending days on a full scan when a targeted approach yields faster results.

10.2.8 Masscan: Speed at Scale

While Nmap is comprehensive, Masscan by Robert Graham is designed for raw speed. It can scan the entire IPv4 address space in approximately six minutes, achieving rates of 25 million packets per second by using its own custom TCP/IP stack rather than the operating system's.

masscan 0.0.0.0/0 -p80 --rate=25000000   # Scan all of IPv4 on port 80
masscan 10.0.0.0/8 -p0-65535 --rate=100000  # Internal network full scan
masscan 192.168.1.0/24 -p1-65535 --rate=1000 -oJ results.json

📊 Speed Comparison: Scanning all 65,535 TCP ports on a single host typically takes Nmap 15-25 minutes with default settings. Masscan can do it in under a second. However, Masscan has no service detection, script engine, or sophisticated OS fingerprinting. The best approach is to use Masscan for fast port discovery and then feed the results into Nmap for deep analysis.

Other Notable Port Scanners:

10.3 Service Version Detection and OS Fingerprinting

10.3.1 Banner Grabbing

The simplest form of service identification is banner grabbing — connecting to a port and reading the welcome message:

nc -nv 192.168.1.100 22
# SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5

nc -nv 192.168.1.100 80
# Then send: HEAD / HTTP/1.0
# Server: Apache/2.4.49 (Unix)

⚠️ Limitation: Many administrators change or remove banners (banner hardening), and banners can be deliberately falsified. Never rely solely on banner information.

10.3.2 Nmap Service Version Detection (-sV)

Nmap's -sV option goes far beyond simple banner grabbing. It uses the nmap-service-probes database containing over 11,000 match signatures. The process:

1. Perform a NULL probe (connect and wait for a banner)
2. Match the banner against known signatures
3. If no match, send protocol-specific probes from the probe database
4. Continue sending probes until a match is found or all probes are exhausted

nmap -sV target                    # Standard version detection
nmap -sV --version-intensity 5 target  # Default intensity (0-9)
nmap -sV --version-all target      # Try every probe (slow but thorough)
nmap -sV --version-light target    # Only most likely probes (fast)

Example output:

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.49 ((Unix))
443/tcp  open  ssl/http    Apache httpd 2.4.49 ((Unix))
3306/tcp open  mysql       MySQL 5.7.38-0ubuntu0.18.04.1
8080/tcp open  http-proxy  Squid http proxy 4.13

10.3.3 OS Fingerprinting

OS fingerprinting determines the operating system of a target by analyzing subtle differences in how different TCP/IP stacks implement protocol specifications. Nmap uses two approaches:

Active OS Fingerprinting (-O): Sends specially crafted packets and analyzes responses. It examines: - TCP ISN (Initial Sequence Number) generation patterns - IP ID sequence generation - TCP options and ordering - TCP window size - ICMP response handling - Explicit Congestion Notification (ECN) behavior

nmap -O target                     # OS detection
nmap -O --osscan-guess target      # Aggressive guessing
nmap -O --osscan-limit target      # Only attempt if at least one open and one closed port

Example output:

OS details: Linux 5.4 - 5.15 (96%), Ubuntu 20.04 (93%), Debian 11 (91%)
Network Distance: 2 hops

Passive OS Fingerprinting: Tools like p0f analyze traffic without sending any packets, identifying operating systems from normal network traffic characteristics such as TCP window size, TTL, DF flag, and TCP options.

p0f -i eth0                        # Passive listening mode

💡 MedSecure Scenario: During the MedSecure assessment, OS fingerprinting reveals a mix of Windows Server 2019 domain controllers, Ubuntu 22.04 application servers, and — alarmingly — several Windows Server 2012 R2 systems that are past end-of-life. We flag these immediately as high-priority targets.

10.3.4 Combining It All: The Comprehensive Scan

The most common "full assessment" scan combines multiple options:

nmap -sS -sV -sC -O -p- -T4 --min-rate 5000 -oA comprehensive target

This performs: SYN scan + version detection + default scripts + OS detection + all ports + aggressive timing + rate control + all output formats.

For the ShopStack engagement, we would refine this further:

# ShopStack web application focus
nmap -sS -sV -sC -O -p 80,443,8080,8443,3000,3306,5432,6379,27017 \
  --script "http-*,ssl-*" -oA shopstack_web shopstack.example.com

10.4 Network Enumeration (SMB, SNMP, LDAP, NFS)

Enumeration goes beyond simple port scanning. It is the process of actively extracting information from discovered services — usernames, shares, groups, machine names, routes, SNMP data, and more. This section covers the most valuable enumeration targets in typical enterprise environments.

10.4.1 SMB Enumeration (Ports 139, 445)

Server Message Block (SMB) is arguably the most information-rich protocol for penetration testers in Windows environments. A misconfigured SMB service can reveal usernames, group memberships, password policies, shared folders and files, and even stored credentials.

Null Session Enumeration:

A null session is an unauthenticated connection to SMB. While modern Windows versions restrict null sessions, many legacy systems and misconfigured servers still permit them:

# Enumerate shares
smbclient -L //target -N

# Map a share
smbclient //target/share -N

# Enum4linux — comprehensive SMB enumeration
enum4linux -a target

# Enum4linux-ng (modern rewrite in Python)
enum4linux-ng -A target

CrackMapExec (NetExec) for SMB:

CrackMapExec (now maintained as NetExec) is a Swiss Army knife for SMB enumeration:

# Enumerate hosts and shares
crackmapexec smb 192.168.1.0/24
crackmapexec smb target --shares
crackmapexec smb target --users
crackmapexec smb target --pass-pol
crackmapexec smb target --groups

# Spider shares for interesting files
crackmapexec smb target -u user -p pass --spider_folder . --pattern "password|credential|secret"

Nmap NSE for SMB:

nmap --script smb-enum-shares,smb-enum-users,smb-os-discovery -p 445 target
nmap --script smb-vuln-* -p 445 target  # Check for EternalBlue, etc.

What to look for in SMB enumeration:

• Anonymous/guest access to shares
• Readable shares containing sensitive files (scripts with credentials, configuration files, backups)
• Writable shares (potential for payload delivery)
• Password policies (lockout threshold, complexity requirements)
• User lists for password spraying
• SMBv1 enabled (vulnerability to EternalBlue/MS17-010)

🔴 Security Impact: The WannaCry ransomware (2017) and NotPetya (2017) both exploited SMBv1 via EternalBlue (MS17-010). Identifying SMBv1 on a network is a critical finding.

10.4.2 SNMP Enumeration (Port 161 UDP)

Simple Network Management Protocol (SNMP) is designed for managing network devices — routers, switches, printers, and servers. It is also an enumeration goldmine when community strings (essentially passwords) are weak or default.

SNMP Versions: - SNMPv1: No encryption, community string in plaintext - SNMPv2c: Still no encryption, community string in plaintext - SNMPv3: Supports authentication and encryption

Community String Brute Force:

# Onesixtyone — fast SNMP community string scanner
onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt 192.168.1.0/24

# Hydra
hydra -P community_strings.txt target snmp

SNMP Walking:

# Walk entire MIB tree
snmpwalk -v2c -c public target

# Get specific OIDs
snmpwalk -v2c -c public target 1.3.6.1.2.1.25.4.2.1.2   # Running processes
snmpwalk -v2c -c public target 1.3.6.1.2.1.25.6.3.1.2   # Installed software
snmpwalk -v2c -c public target 1.3.6.1.4.1.77.1.2.25     # User accounts (Windows)
snmpwalk -v2c -c public target 1.3.6.1.2.1.6.13.1.3      # TCP connections

# Snmp-check — formatted SNMP enumeration
snmp-check target -c public

Valuable SNMP data: - System description and hostname - Network interface information and IP addresses - Routing tables - Running processes - Installed software - User accounts - TCP/UDP connection tables - ARP cache

💡 MedSecure Scenario: SNMP enumeration on MedSecure's network reveals that several Cisco switches and HP printers still use the default community string "public." The switch MIB data exposes the entire VLAN topology, and a printer's SNMP data reveals it is storing print jobs containing patient records.

10.4.3 LDAP Enumeration (Ports 389, 636)

Lightweight Directory Access Protocol (LDAP) is the backbone of Active Directory environments. Anonymous LDAP binds, while increasingly disabled, can reveal the entire directory structure:

# Anonymous LDAP enumeration
ldapsearch -x -H ldap://target -b "dc=medsecure,dc=local" -s sub "(objectclass=*)"

# Enumerate users
ldapsearch -x -H ldap://target -b "dc=medsecure,dc=local" "(objectclass=user)" sAMAccountName

# Enumerate groups
ldapsearch -x -H ldap://target -b "dc=medsecure,dc=local" "(objectclass=group)" cn member

# Nmap LDAP scripts
nmap --script ldap-rootdse,ldap-search -p 389 target

Windapsearch is a Python tool designed specifically for AD LDAP enumeration:

windapsearch -d medsecure.local --dc target -U  # Enumerate users
windapsearch -d medsecure.local --dc target -G  # Enumerate groups
windapsearch -d medsecure.local --dc target -m  # Enumerate computers
windapsearch -d medsecure.local --dc target --da  # Find domain admins

10.4.4 NFS Enumeration (Port 2049)

Network File System (NFS) shares, when misconfigured, can expose sensitive files to any host on the network:

# Show NFS exports
showmount -e target

# Nmap NFS enumeration
nmap --script nfs-ls,nfs-showmount,nfs-statfs -p 2049 target

# Mount an export
mkdir /tmp/nfs_mount
mount -t nfs target:/exported_share /tmp/nfs_mount

Common NFS misconfigurations: - Exports to * (any host) - no_root_squash option (allows root access) - Sensitive directories exported (/home, /etc, /var/backups)

10.4.5 Other Valuable Enumeration Targets

DNS (Port 53):

nmap --script dns-zone-transfer -p 53 target
dig axfr @target medsecure.local

SMTP (Port 25):

# User enumeration via VRFY and EXPN commands
smtp-user-enum -M VRFY -U users.txt -t target
nmap --script smtp-enum-users -p 25 target

RPC (Port 111):

rpcinfo -p target
nmap --script rpcinfo -p 111 target

Redis (Port 6379):

redis-cli -h target
> INFO
> CONFIG GET *
> KEYS *

MySQL (Port 3306):

nmap --script mysql-info,mysql-enum,mysql-empty-password -p 3306 target
mysql -h target -u root --password=''

10.5 Web Server and Application Enumeration

Web applications are the most common entry point in modern penetration tests. Web enumeration goes beyond simple port scanning to discover directories, files, technologies, virtual hosts, and application-level information.

10.5.1 Web Server Fingerprinting

# HTTP response headers
curl -I https://target
# Server: nginx/1.18.0
# X-Powered-By: PHP/7.4.3

# Nmap HTTP scripts
nmap --script http-headers,http-server-header -p 80,443 target

# Whatweb — technology fingerprinting
whatweb target

# Wappalyzer (browser extension) or its CLI equivalent

10.5.2 Directory and File Brute-Forcing

Content discovery tools systematically request common directory and file names to find hidden content:

Gobuster:

gobuster dir -u http://target -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
  -t 50 -o gobuster_results.txt

# With extensions
gobuster dir -u http://target -w wordlist.txt -x php,html,txt,bak,old -t 50

# VHOST discovery
gobuster vhost -u http://target -w subdomains.txt

Feroxbuster (recursive brute-forcing in Rust):

feroxbuster -u http://target -w wordlist.txt -x php,html -t 50 --depth 3

Ffuf (fast web fuzzer):

# Directory fuzzing
ffuf -w wordlist.txt -u http://target/FUZZ

# Parameter fuzzing
ffuf -w params.txt -u "http://target/page?FUZZ=value"

# Virtual host fuzzing
ffuf -w subdomains.txt -u http://target -H "Host: FUZZ.target.com" -fs 1234

10.5.3 Nikto: Web Vulnerability Scanner

Nikto is an open-source web server scanner that checks for thousands of potentially dangerous files, outdated server versions, and server configuration problems:

nikto -h http://target -o nikto_report.html -Format htm
nikto -h http://target -Tuning 123bde  # Specific test categories

Nikto is noisy and easily detected but thorough. It is valuable as a first-pass check during authorized assessments.

10.5.4 CMS Enumeration

Content Management Systems have specialized enumeration tools:

WordPress:

wpscan --url http://target --enumerate u,vp,vt,dbe
# u = users, vp = vulnerable plugins, vt = vulnerable themes, dbe = database exports

Joomla:

joomscan -u http://target

Drupal:

droopescan scan drupal -u http://target

🔗 ShopStack Scenario: The ShopStack web application runs a custom Node.js frontend backed by a WordPress blog at /blog/. WPScan reveals three vulnerable plugins, including one with a known remote code execution vulnerability. The main application uses React with a GraphQL API, which we'll enumerate further with tools like InQL and Altair.

10.5.5 SSL/TLS Enumeration

# SSLScan
sslscan target:443

# Nmap SSL scripts
nmap --script ssl-enum-ciphers,ssl-cert,ssl-heartbleed -p 443 target

# testssl.sh (comprehensive)
testssl.sh target:443

# Check for specific vulnerabilities
nmap --script ssl-heartbleed -p 443 target  # Heartbleed
nmap --script ssl-poodle -p 443 target      # POODLE

10.6 Vulnerability Scanners (Nessus, OpenVAS, Nuclei)

While manual scanning and enumeration provide deep understanding, professional penetration testers also leverage automated vulnerability scanners to efficiently identify known vulnerabilities across large networks.

10.6.1 Understanding Vulnerability Scanners

Vulnerability scanners work by:

1. Discovering hosts and services (like Nmap)
2. Fingerprinting services and versions
3. Matching discovered versions against vulnerability databases
4. Testing for specific vulnerabilities using active checks (sending exploit probes without actually exploiting)
5. Reporting findings with severity ratings, CVE references, and remediation guidance

⚖️ Important Distinction: Vulnerability scanners identify potential vulnerabilities. They do not exploit them. Exploitation is the next phase (covered in Chapters 12-17). Scanning tells you "this door might be unlocked"; exploitation tells you "I opened it."

10.6.2 Nessus

Tenable's Nessus is the most widely deployed commercial vulnerability scanner, with over 200,000 plugins checking for vulnerabilities, misconfigurations, and compliance violations.

Key Features: - Agent-based and network-based scanning - Over 200,000 vulnerability checks (plugins) - Credential scanning (authenticated checks reveal far more) - Compliance checking (PCI DSS, HIPAA, CIS Benchmarks) - Web application scanning - Cloud infrastructure scanning

Nessus Scan Types: | Scan Type | Purpose | |-----------|---------| | Basic Network Scan | General-purpose vulnerability assessment | | Advanced Scan | Fully customizable scan | | Web Application Tests | OWASP Top 10 and web-specific checks | | Credentialed Patch Audit | Authenticated check for missing patches | | Malware Scan | Detection of known malware indicators | | Compliance | CIS, DISA STIG, PCI DSS auditing |

Credential Scanning:

Unauthenticated scans only see what's exposed on the network. Credentialed scans log into hosts and examine installed software, patch levels, configurations, and local vulnerabilities:

# Unauthenticated: finds ~50 vulnerabilities
# Credentialed: finds ~300 vulnerabilities on the same hosts

📊 Industry Statistic: According to Tenable research, credentialed scans typically find 5-10 times more vulnerabilities than unauthenticated scans on the same targets.

10.6.3 OpenVAS (Greenbone Vulnerability Manager)

OpenVAS is the leading open-source vulnerability scanner, now part of the Greenbone Community Edition. While not as polished as Nessus, it offers comprehensive vulnerability detection for organizations that cannot afford commercial tools.

Setup in Kali:

sudo apt install gvm
sudo gvm-setup         # Initial setup (downloads ~50,000 NVTs)
sudo gvm-start         # Start the services
# Access web interface at https://127.0.0.1:9392

Key Concepts: - NVTs (Network Vulnerability Tests): OpenVAS plugins, over 50,000 available - Scan Configs: Predefined scanning profiles (Full and Fast, Discovery Only, etc.) - Targets: Hosts to scan, with optional credentials - Tasks: Scan jobs combining targets and configurations - Reports: Results with severity ratings and remediation

OpenVAS supports authenticated scanning with SSH keys, SMB credentials, and SNMP community strings.

10.6.4 Nuclei

Nuclei, from ProjectDiscovery, represents a modern approach to vulnerability scanning. It uses YAML templates to define detection checks, making it extremely extensible and community-driven.

# Install
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

# Scan with all templates
nuclei -u http://target

# Scan with specific templates
nuclei -u http://target -t cves/
nuclei -u http://target -t technologies/
nuclei -u http://target -t exposures/

# Scan multiple targets
nuclei -l urls.txt -t cves/ -severity critical,high

# Custom template
nuclei -u http://target -t my_custom_template.yaml

Example Nuclei Template:

id: apache-struts-rce
info:
  name: Apache Struts RCE - CVE-2017-5638
  severity: critical
  tags: cve,apache,rce
requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    headers:
      Content-Type: "%{(#_='multipart/form-data').(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)}"
    matchers:
      - type: word
        words:
          - "uid="

Why Nuclei is Gaining Popularity: - Over 8,000 community-contributed templates - Extremely fast (written in Go) - Easy to write custom templates - CI/CD integration for continuous vulnerability detection - Active community and rapid template updates for new CVEs

10.6.5 Comparing Vulnerability Scanners

🧪 Try It in Your Lab: Install OpenVAS in Kali and run a full scan against Metasploitable 2. Then run Nuclei against your DVWA instance. Compare the findings. You'll notice significant overlap but also unique detections from each tool. Professional pentesters use multiple scanners for comprehensive coverage.

10.6.6 Scan Scheduling and Continuous Monitoring

In enterprise environments, vulnerability scanning is not a one-time activity:

• Weekly scans: Quick scans of critical assets
• Monthly scans: Full scans of the entire network
• Triggered scans: After major changes (new deployments, patch cycles)
• Continuous monitoring: Agent-based scanning for real-time visibility

10.7 Organizing and Documenting Scan Results

10.7.1 The Information Overload Problem

A single comprehensive scan of a medium enterprise network can produce thousands of findings. Without organization, this data is overwhelming and useless. Professional penetration testers need structured approaches to manage scan results.

10.7.2 Note-Taking Frameworks

CherryTree: A hierarchical note-taking application popular among pentesters. It supports rich text, code blocks, images, and file attachments organized in a tree structure.

Recommended structure:

Engagement Name
├── Scope and Rules of Engagement
├── Reconnaissance
│   ├── Passive OSINT
│   └── Active Recon
├── Scanning
│   ├── Host Discovery
│   ├── Port Scans
│   ├── Service Enumeration
│   └── Vulnerability Scans
├── Exploitation
│   ├── Successful Exploits
│   └── Failed Attempts
├── Post-Exploitation
├── Findings
│   ├── Critical
│   ├── High
│   ├── Medium
│   └── Low
└── Evidence
    ├── Screenshots
    └── Artifacts

Obsidian: A markdown-based knowledge management tool gaining popularity for its linking capabilities and graph view.

Notion / Joplin / OneNote: Other options depending on team preferences.

10.7.3 Data Management Tools

Nmap XML Parsing:

import xml.etree.ElementTree as ET

tree = ET.parse('scan.xml')
root = tree.getroot()

for host in root.findall('host'):
    addr = host.find('address').get('addr')
    for port in host.findall('.//port'):
        portid = port.get('portid')
        state = port.find('state').get('state')
        service = port.find('service')
        if state == 'open':
            name = service.get('name', 'unknown') if service is not None else 'unknown'
            print(f"{addr}:{portid} - {name}")

Spreadsheet Tracking:

For each discovered host, maintain a tracking spreadsheet:

10.7.4 Automated Reporting Integration

Several tools help bridge scanning and reporting:

• Dradis: Open-source collaboration and reporting platform that imports Nmap, Nessus, and other tool outputs
• Faraday: Integrated penetration test environment with vulnerability management
• PlexTrac: Commercial pentest reporting platform
• Pwndoc: Open-source pentest report generator

10.7.5 MedSecure Scan Results Summary

💡 Running Example: After completing all scanning and enumeration phases on MedSecure's network, we organize our findings:

Network Topology Discovered: - 347 active hosts across 12 subnets - 4 domain controllers (Windows Server 2019) - 23 application servers (mix of Ubuntu and Windows) - 3 database servers (2 MSSQL, 1 PostgreSQL) - 15 network devices (Cisco switches, Palo Alto firewalls) - 287 workstations - 15 printers/multifunction devices

Critical Findings from Scanning: 1. 3 hosts with SMBv1 enabled (EternalBlue potential) 2. Apache 2.4.49 on patient portal (path traversal CVE-2021-41773) 3. SNMP default community strings on 12 network devices 4. NFS exports with no_root_squash on backup server 5. Anonymous LDAP bind enabled on 2 domain controllers 6. SSL/TLS: 7 servers supporting TLS 1.0/1.1

10.8 Chapter Summary

This chapter covered the essential skills of scanning and enumeration — the foundation upon which all subsequent exploitation relies. We explored:

Port Scanning Fundamentals: TCP and UDP scan types, port states, and the mechanics of each scanning technique from full-connect scans to stealthy FIN/Xmas/NULL scans.

Nmap Mastery: From basic syntax through advanced features including the Nmap Scripting Engine, timing optimization, output formats, and large-network scanning strategies. We also examined Masscan for high-speed scanning scenarios.

Service and OS Identification: Banner grabbing, Nmap's version detection engine with its 11,000+ signatures, and both active and passive OS fingerprinting techniques.

Protocol Enumeration: Deep dives into SMB, SNMP, LDAP, and NFS enumeration — the protocols that yield the most actionable intelligence in enterprise environments. We covered the tools, techniques, and specific data to extract from each.

Web Enumeration: Directory brute-forcing with Gobuster and Ffuf, CMS-specific scanners, SSL/TLS analysis, and web server fingerprinting.

Vulnerability Scanners: Comprehensive coverage of Nessus, OpenVAS, and Nuclei — their strengths, limitations, and how professional testers combine them for maximum coverage.

Documentation: Note-taking frameworks, data management tools, and automated reporting integration to transform raw scan data into actionable intelligence.

✅ Key Principle: Scanning and enumeration is not about running tools — it is about understanding what the tools tell you. A great penetration tester can look at an Nmap scan and immediately identify the most promising attack vectors. That intuition comes from understanding protocols, not just commands.

In the next chapter, we will take the output of our scanning phase and systematically assess it for vulnerabilities, learning to distinguish critical findings from noise and to communicate risk effectively to stakeholders.

"The art is not in the scan itself, but in knowing what to do with the results." — Anonymous Pentester