HomeEthical Hacking in 5 DaysDay 2
Day 2 of 5
⏱ ~60 minutes
Ethical Hacking in 5 Days — Day 2

Scanning & Enumeration

With a target map in hand, you move from port discovery to deep enumeration: pulling service banners, walking directory trees, extracting user lists, and identifying software versions that might be vulnerable.

Vulnerability Scanning with Nessus/OpenVAS

Vulnerability scanners compare discovered services against databases of known CVEs. Nessus (Tenable) and OpenVAS (Greenbone) are industry standards. They rank findings by CVSS score. Scanners find low-hanging fruit fast but produce false positives — every finding must be manually validated.

Web Enumeration with Gobuster & Nikto

Web apps deserve dedicated tools. Gobuster brute-forces directories and virtual hosts. Nikto scans for 6,700+ known web server issues: outdated software, misconfigured headers, default credentials, and exposed sensitive files like /admin, /.git, and /phpinfo.php.

SMB and NetBIOS Enumeration

Windows networks expose SMB (port 445) and NetBIOS (139). Tools like enum4linux-ng and smbclient enumerate shares, users, groups, and policies without authentication. This data feeds directly into password attacks and lateral movement planning.

bash
# Nmap NSE scripts for deeper enumeration
nmap -sV --script=vuln 192.168.1.100
nmap -p 445 --script smb-enum-users 192.168.1.100

# Web directory brute-force
gobuster dir -u http://192.168.1.100 -w /usr/share/wordlists/dirb/common.txt

# Nikto web scanner
nikto -h http://192.168.1.100

# SMB enumeration
enum4linux-ng -A 192.168.1.100
smbclient -L //192.168.1.100 -N

# Banner grabbing
nc -nv 192.168.1.100 22
telnet 192.168.1.100 80
💡
Run scans during off-hours in production engagements — aggressive scanning can crash fragile services. Always coordinate with the client on scan windows.
📝 Day 2 Exercise
Enumerate a Vulnerable VM
  1. Download Metasploitable 2 from SourceForge and spin it up in your lab network
  2. Run a full Nmap service scan: nmap -A -T4 [metasploitable-ip]
  3. Use Gobuster to find hidden directories on the Metasploitable DVWA web app
  4. Run enum4linux-ng to list SMB users and shares
  5. Identify 3 CVEs from the scan output using the National Vulnerability Database

Day 2 Summary

  • Vulnerability scanners rank findings by CVSS severity score
  • Gobuster and Nikto specialize in web application enumeration
  • SMB enumeration extracts users and shares from Windows networks
  • Banner grabbing reveals exact software versions
  • Every automated finding needs manual validation
Challenge

Run a full enumeration against Metasploitable 2. Create a prioritized findings list ranking the top 5 vulnerabilities by exploitability and potential impact.

← Previous
Day 1: Recon & OSINT
Next →
Day 3: Exploitation Fundamentals
Finished this lesson?