Chapter 10 Exercises: Scanning and Enumeration

These exercises progress from foundational concepts to advanced, multi-step practical challenges. Complete them in your Student Home Lab environment using authorized targets only.

⚠️ Authorization Reminder: Only perform scanning exercises against systems you own or have explicit written permission to test. Your home lab (Kali Linux + Metasploitable/DVWA) is your safe testing ground.


Foundational Exercises

Exercise 10.1: TCP Scan Type Comparison

Perform three different TCP scan types against a single target host in your lab:

  1. Run a TCP Connect scan (-sT) against the top 100 ports.
  2. Run a SYN scan (-sS) against the same ports.
  3. Run an Xmas scan (-sX) against the same ports.

For each scan, record: (a) the number of open ports found, (b) the scan duration, and (c) the packet count sent (use --packet-trace or Wireshark). Write a 300-word comparison explaining the differences in results, speed, and network footprint. Why might results differ between scan types?

Exercise 10.2: UDP Scanning Challenges

Scan your Metasploitable VM for UDP services:

  1. Scan the top 20 UDP ports: nmap -sU --top-ports 20 <target>
  2. Scan the top 1000 UDP ports and note the duration.
  3. Explain in writing why UDP scanning is slower than TCP scanning. What mechanism does the target's operating system use that limits scanning speed?
  4. Identify at least two open UDP services and describe their potential security implications.

Exercise 10.3: Port Number Research

Without using a scanning tool, research and document the default ports for the following 15 services. Then verify your answers by scanning a target that runs at least five of them:

DNS, SSH, Telnet, SMTP, HTTP, POP3, IMAP, HTTPS, SMB, SNMP, LDAP, MySQL, RDP, PostgreSQL, MongoDB

Create a reference table with columns: Port Number, Protocol (TCP/UDP/Both), Service Name, Common Security Issues.

Exercise 10.4: Host Discovery Methods

Using a /24 subnet in your lab:

  1. Perform an ARP-based discovery: nmap -sn -PR <subnet>/24
  2. Perform a TCP SYN ping discovery: nmap -sn -PS22,80,443 <subnet>/24
  3. Perform an ICMP-only discovery: nmap -sn -PE <subnet>/24
  4. Compare results. Why might each method find different hosts? In what scenarios would you choose one method over another?

Intermediate Exercises

Exercise 10.5: Nmap Scripting Engine Exploration

Explore the NSE against your Metasploitable target:

  1. List all available NSE scripts: ls /usr/share/nmap/scripts/
  2. Run the default script category and document three interesting findings.
  3. Run the vuln script category against port 445 (SMB).
  4. Find and run a script that enumerates HTTP methods on the web server.
  5. Write a brief explanation of the difference between "safe" and "intrusive" NSE script categories. Why does the distinction matter during a real engagement?

Exercise 10.6: Service Version Detection Deep Dive

Against a target running at least five services:

  1. Run a version scan: nmap -sV <target>
  2. Increase version intensity to maximum: nmap -sV --version-all <target>
  3. Compare the results. Did the higher intensity reveal any additional information?
  4. For each detected service version, search the CVE database (cve.mitre.org or nvd.nist.gov) for known vulnerabilities. Create a table mapping each service to its known CVEs.
  5. Attempt to manually verify one version detection result using netcat or telnet.

Exercise 10.7: SMB Enumeration Challenge

Against a target with SMB enabled (Metasploitable or a Windows VM):

  1. Use smbclient -L to list available shares.
  2. Use enum4linux -a to perform comprehensive enumeration.
  3. Attempt to connect to each discovered share and document their permissions.
  4. Use Nmap's smb-enum-shares and smb-enum-users scripts.
  5. Document all discovered: (a) share names and permissions, (b) usernames, (c) OS version, (d) workgroup/domain name. Explain which of these findings would be most valuable during a penetration test and why.

Exercise 10.8: SNMP Enumeration

Set up an SNMP service in your lab (or use Metasploitable):

  1. Use onesixtyone with a common community string wordlist to discover the community string.
  2. Use snmpwalk to enumerate the full MIB tree.
  3. Extract and document: (a) system information, (b) running processes, (c) network interfaces, (d) installed software.
  4. Explain why SNMP with default community strings is such a significant security risk. What information could an attacker use from your enumeration results?

Exercise 10.9: Web Server Enumeration

Against DVWA or another web application in your lab:

  1. Use curl -I to capture response headers and identify the web server and version.
  2. Run Gobuster with the directory-list-2.3-medium.txt wordlist.
  3. Run Nikto against the same target.
  4. Use WhatWeb to fingerprint the technologies.
  5. Compare the results across all tools. Create a consolidated list of all discovered paths, technologies, and potential issues. Which tool found the most unique results?

Advanced Exercises

Exercise 10.10: Masscan + Nmap Pipeline

Design and implement a two-phase scanning methodology:

  1. Use Masscan to quickly discover all open TCP ports on a /24 subnet: masscan <subnet>/24 -p0-65535 --rate=1000 -oJ masscan_results.json
  2. Write a Python script (or use command-line tools) to parse Masscan's JSON output and extract unique IP:port combinations.
  3. Feed those results into Nmap for detailed service detection: nmap -sV -sC -p <ports> <hosts>
  4. Document the total time for this pipeline vs. a single nmap -sV -sC -p- scan. Calculate the time savings.
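As an added example (not one of the chapter's code files), the Python side of steps 2 and 3: a loader for masscan's -oJ output that de-duplicates each host's open ports and emits one per-host Nmap command. The records are constructed sample data; the `{finished: 1}` trailer and trailing commas reflect a quirk of older masscan builds whose output is not strictly valid JSON, which the loader tolerates.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed masscan -oJ output (not a real scan). The "{finished: 1}" trailer and
# trailing commas that older masscan builds emit are not valid JSON, hence the fallback.
SAMPLE_MASSCAN_JSON = """[
{ "ip": "192.0.2.10", "timestamp": "1700000000", "ports": [ {"port": 22, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64} ] },
{ "ip": "192.0.2.10", "timestamp": "1700000001", "ports": [ {"port": 80, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64} ] },
{ "ip": "192.0.2.10", "timestamp": "1700000002", "ports": [ {"port": 22, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64} ] },
{ "ip": "192.0.2.25", "timestamp": "1700000003", "ports": [ {"port": 445, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
{ "ip": "192.0.2.25", "timestamp": "1700000004", "ports": [ {"port": 161, "proto": "udp", "status": "open", "reason": "udp-response", "ttl": 128} ] },
{finished: 1}
]
"""

def load_masscan_records(text):
    """Return masscan host records, tolerating the non-JSON trailer."""
    try:
        return [r for r in json.loads(text) if "ip" in r]
    except json.JSONDecodeError:
        records = []
        for line in text.splitlines():
            line = line.strip().rstrip(",")
            if line.startswith("{") and '"ip"' in line:
                records.append(json.loads(line))
        return records

def open_ports_by_host(text, proto="tcp"):
    """Map each IP to its sorted, de-duplicated open ports for one protocol.
    masscan emits one record per (ip, port) hit, so repeats are normal."""
    hosts = defaultdict(set)
    for rec in load_masscan_records(text):
        for p in rec.get("ports", []):
            if p.get("status") == "open" and p.get("proto") == proto:
                hosts[rec["ip"]].add(int(p["port"]))
    return {ip: sorted(ports) for ip, ports in hosts.items()}

def nmap_commands(hosts):
    """One nmap -sV -sC command per host, limited to that host's open ports."""
    cmds = []
    for ip in sorted(hosts, key=ipaddress.ip_address):
        ports = ",".join(str(p) for p in hosts[ip])
        cmds.append(f"nmap -sV -sC -p {ports} {ip}")
    return cmds

if __name__ == "__main__":
    for cmd in nmap_commands(open_ports_by_host(SAMPLE_MASSCAN_JSON)):
        print(cmd)
```

Scanning only the ports masscan already confirmed is what makes the second phase cheap; a UDP pass (proto="udp") needs a separate nmap -sU run.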

Exercise 10.11: Comprehensive Network Enumeration

Perform a full enumeration exercise against your lab network:

  1. Discover all live hosts.
  2. Identify all open ports on each host.
  3. Detect service versions and operating systems.
  4. Enumerate SMB shares, SNMP data, and any other accessible services.
  5. Identify at least five potential vulnerabilities.
  6. Organize all findings into a CherryTree or markdown document following the structure described in Section 10.7.2.
  7. Create a network diagram based on your scan results.

Exercise 10.12: Nmap Timing Analysis

Test how timing affects scan accuracy and detection:

  1. Scan the same target with timing templates T1 through T5.
  2. For each, record: (a) number of open ports found, (b) scan duration, (c) number of packets sent.
  3. Create a graph showing the relationship between scan speed and accuracy.
  4. If you have an IDS (Snort or Suricata) in your lab, check which timing templates trigger alerts.
  5. Write a recommendation for which timing template to use in different engagement scenarios.

Exercise 10.13: Nuclei Template Writing

  1. Install Nuclei and run it against DVWA with the default templates.
  2. Study three existing templates from the Nuclei templates repository.
  3. Write a custom Nuclei template that detects a specific misconfiguration in your lab (e.g., a default credential page, an exposed phpinfo file, or a directory listing).
  4. Test your template and verify it produces accurate results.
  5. Discuss how custom templates could be used in a CI/CD pipeline for continuous security monitoring.

Exercise 10.14: Vulnerability Scanner Comparison

  1. Run both OpenVAS and Nuclei against the same target.
  2. Create a comparison matrix documenting: (a) total findings per tool, (b) severity distribution, (c) unique findings per tool, (d) false positive rate (verify at least five findings manually), (e) scan duration.
  3. Write a 500-word analysis recommending when to use each tool, considering factors like target type, time constraints, and engagement scope.

Exercise 10.15: ShopStack Enumeration Scenario

You have been engaged to perform a vulnerability assessment of ShopStack's staging environment. The scope includes:

  - Web application: shopstack-staging.local (ports 80, 443, 3000, 8080)
  - Database: db.shopstack-staging.local
  - Redis cache: redis.shopstack-staging.local

Simulate this by configuring appropriate services in your lab, then:

  1. Perform host discovery and port scanning on all in-scope targets.
  2. Enumerate all web technologies and hidden directories.
  3. Check for default credentials on all discovered services.
  4. Run a vulnerability scan with at least two different tools.
  5. Organize findings into a prioritized list using CVSS scores.
  6. Produce a one-page executive summary of your findings suitable for ShopStack's CTO.

Capstone Exercise

Exercise 10.16: Automated Scanning Pipeline

Design and build a Python script that automates a full scanning pipeline:

  1. Accepts a target specification (IP, CIDR, or hostname) as input.
  2. Performs host discovery using Nmap.
  3. Scans discovered hosts for open ports.
  4. Runs service version detection on open ports.
  5. Executes relevant NSE scripts based on discovered services.
  6. Parses all results into a structured JSON format.
  7. Generates a markdown summary report.

The script should include error handling, logging, and the ability to resume interrupted scans. Test it against your lab environment and include sample output.

💡 Hint: Review the example-01-port-scanner.py and example-02-service-enumerator.py code files in this chapter's code directory for foundational building blocks.
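For steps 6 and 7, an added example (not one of the example-0x files) that turns Nmap's XML output (-oX) into a JSON-ready structure and a markdown summary. The XML is a constructed sample shaped like real Nmap output; the parser keeps only hosts that are up and ports that are open, which is the subset a summary report needs.

```python
import json
import xml.etree.ElementTree as ET

# Constructed nmap -oX output for two lab hosts (not a real scan); element and
# attribute names follow nmap's XML schema (nmaprun > host > status/address/ports).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 192.0.2.10-11" start="1700000000">
<host><status state="up" reason="arp-response"/>
<address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.2p2"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.18"/></port>
<port protocol="tcp" portid="23"><state state="filtered"/><service name="telnet"/></port>
</ports></host>
<host><status state="down" reason="no-response"/><address addr="192.0.2.11" addrtype="ipv4"/></host>
</nmaprun>
"""

def parse_nmap_xml(xml_text):
    """Reduce nmap XML to a JSON-ready dict: live hosts and their open ports only."""
    root, hosts = ET.fromstring(xml_text), []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port data worth reporting
        addr = host.find("address[@addrtype='ipv4']")
        entry = {"ip": addr.get("addr") if addr is not None else None, "ports": []}
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are noise in the summary
            svc = port.find("service")
            s = svc.attrib if svc is not None else {}
            entry["ports"].append({"port": int(port.get("portid")), "proto": port.get("protocol"),
                                   "service": s.get("name"), "product": s.get("product"),
                                   "version": s.get("version")})
        hosts.append(entry)
    return {"args": root.get("args"), "hosts": hosts}

def markdown_report(result):
    """Render the parsed structure as a markdown summary, one table per live host."""
    out = ["# Scan summary", "", f"Command: `{result['args']}`", ""]
    for h in result["hosts"]:
        out += [f"## {h['ip']}", "", "| Port | Service | Product | Version |", "|---|---|---|---|"]
        for p in h["ports"]:
            out.append(f"| {p['port']}/{p['proto']} | {p['service']} | {p['product'] or ''} | {p['version'] or ''} |")
        out.append("")
    return "\n".join(out)

if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_NMAP_XML)
    print(json.dumps(parsed, indent=2), markdown_report(parsed), sep="\n\n")
```

Writing the parsed dict to disk after each phase is also the natural checkpoint for the resume-interrupted-scans requirement: on restart, skip any host that already has an entry.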


Reflection Questions

Exercise 10.17: Ethics of Scanning

Write a 500-word essay addressing the following: You discover during an authorized internal penetration test that scanning a particular subnet causes a legacy medical device to become unresponsive. The device is not in your scope, but it is on the same network segment as your targets. What are your ethical and professional obligations? How should you proceed?

Exercise 10.18: Scanning Detection

From a defender's perspective, describe five techniques you would implement to detect and respond to port scanning activity on your network. For each technique, explain what type of scanning it would detect and what it might miss.
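One such technique, as an added example written from the defender's side (not code from the chapter): a threshold detector that reads netfilter-style firewall log lines and alerts on any source that touches many distinct destination ports or hosts within a sliding window. The log lines are constructed sample data, trimmed to the fields the detector reads.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed netfilter log lines (syslog form, trimmed to the fields read here):
# 192.0.2.50 probes eight ports on one host in ten seconds; 10.0.0.7 is normal HTTPS use.
SAMPLE_LOG = """\
Nov 14 10:00:01 fw kernel: IN=eth0 SRC=192.0.2.50 DST=10.0.0.5 PROTO=TCP SPT=40001 DPT=21 SYN
Nov 14 10:00:01 fw kernel: IN=eth0 SRC=192.0.2.50 DST=10.0.0.5 PROTO=TCP SPT=40002 DPT=22 SYN
Nov 14 10:00:02 fw kernel: IN=eth0 SRC=10.0.0.7 DST=10.0.0.5 PROTO=TCP SPT=51000 DPT=443 SYN
Nov 14 10:00:03 fw kernel: IN=eth0 SRC=192.0.2.50 DST=10.0.0.5 PROTO=TCP SPT=40003 DPT=23 SYN
Nov 14 10:00:04 fw kernel: IN=eth0 SRC=192.0.2.50 DST=10.0.0.5 PROTO=TCP SPT=40004 DPT=25 SYN
Nov 14 10:00:06 fw kernel: IN=eth0 SRC=192.0.2.50 DST=10.0.0.5 PROTO=TCP SPT=40005 DPT=80 SYN
Nov 14 10:00:07 fw kernel: IN=eth0 SRC=192.0.2.50 DST=10.0.0.5 PROTO=TCP SPT=40006 DPT=139 SYN
Nov 14 10:00:08 fw kernel: IN=eth0 SRC=192.0.2.50 DST=10.0.0.5 PROTO=TCP SPT=40007 DPT=445 SYN
Nov 14 10:00:09 fw kernel: IN=eth0 SRC=10.0.0.7 DST=10.0.0.5 PROTO=TCP SPT=51002 DPT=443 SYN
Nov 14 10:00:10 fw kernel: IN=eth0 SRC=192.0.2.50 DST=10.0.0.5 PROTO=TCP SPT=40008 DPT=3389 SYN
"""
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*SRC=(\S+) DST=(\S+) PROTO=(\w+).*?DPT=(\d+)")

def parse_line(line):
    """Return (timestamp, src, dst, proto, dport), or None for lines without a DPT."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return (datetime.strptime(m.group(1), "%b %d %H:%M:%S"),
            m.group(2), m.group(3), m.group(4), int(m.group(5)))

def detect_scans(log_text, window_s=60, min_targets=8):
    """Alert once per source reaching >= min_targets distinct (dst, port) pairs within window_s."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(list)   # src -> [(ts, (dst, dport)), ...] still inside the window
    alerted, alerts = set(), []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ts, src, dst, _proto, dport = ev
        hits = [h for h in recent[src] if ts - h[0] <= window] + [(ts, (dst, dport))]
        recent[src] = hits
        distinct = {target for _, target in hits}
        if len(distinct) >= min_targets and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "targets": len(distinct),
                           "first_seen": hits[0][0].strftime("%H:%M:%S")})
    return alerts

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```

Because the key is (dst, port), the same rule catches a vertical scan of one host and a horizontal sweep of one port across many hosts; it misses scans paced slower than the window (compare the T1/T2 templates in Exercise 10.12), scans spread across many source addresses, and any traffic the firewall does not log.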

Exercise 10.19: Legal Status of Port Scanning

Research and summarize the legal status of port scanning in three different countries. Is simply scanning a target (without exploiting anything) illegal? What factors determine legality? Reference specific laws and court cases where possible.

Exercise 10.20: Tool Selection Strategy

A client has engaged you for a vulnerability assessment of their network containing 500 hosts across 10 subnets. You have five business days. Describe your scanning and enumeration strategy, including: tool selection, scanning phases, timing considerations, and how you would organize the results. Justify each decision.