Scanning and Enumeration
Active reconnaissance turns "what exists" into "what is exploitable": which hosts are up, which ports answer, what service and version responds, and what a login prompt or web app reveals. nmap is the canonical tool, and reading its output is a core defender skill — it is exactly what an attacker sees, and it is detectable in your logs if you are watching.
This topic runs real scans against the Meridian lab and shows both views at once: the attacker's map of open ports and versions, and the same activity lighting up Meridian's firewall and IDS logs. Scanning is the noisiest stage of the campaign, which makes it the best place to catch it.
Host Discovery and Port Scanning
First the attacker finds live hosts, then which TCP and UDP ports answer. A SYN scan, a full connect scan, and stealthier variants differ in how much noise they make and how they appear in logs, but the goal is the same: an open port is an invitation to enumerate. Every listening service is a door the attacker will now try to identify.
Service and Version Detection
nmap -sV fingerprints the software and version behind each port, which an attacker cross-references against known CVEs. A service banner announcing an old version is a roadmap straight to an exploit — which is why suppressing version banners and keeping services current is not cosmetic, it removes the attacker's shortcut from scan to exploitation.
# service + version detection against a host you own in the lab nmap -sV -p- meridian-lab-01.internal # PORT STATE SERVICE VERSION # 22/tcp open ssh OpenSSH 8.2p1 # 443/tcp open ssl/http nginx 1.18.0 # 5432/tcp open postgresql PostgreSQL 13.4 <-- database exposed! and an old version # the same scan appears in the host's firewall/IDS logs as many # sequential connection attempts from one source — a detection opportunity
The scan reveals SSH, the web server, and — the finding that matters — a PostgreSQL database listening and running an old version. To the attacker this is a target list; to Priya, the same burst of sequential connection attempts from one source is a scan signature in the firewall logs. The defensive lessons are two: close that exposed database port, and alert on the scan pattern.
Enumeration Beyond Ports
Enumeration is the patient extraction that turns a scan into a target list: directory brute-forcing on the web app, share enumeration over SMB, DNS and SNMP queries, usernames and paths and configuration teased out one request at a time. It is quieter than a full port scan but still detectable — a flood of 404s from a directory brute-forcer has a shape a defender can alert on.
Detecting the Scan
Port scans and enumeration light up firewall and IDS logs: many connections, sequential ports, unusual user-agents, bursts of 404s. A defender who ingests these can catch the campaign at its noisiest, before exploitation — and the internal scans matter most of all, because enumeration after a foothold is the prelude to lateral movement, and east-west scanning is exactly what Chapter 4's segmentation is meant to expose.
- Exposing service versions in banners and error pages, handing attackers a direct CVE lookup.
- Leaving unnecessary ports and services open — every listening service is enumeration surface, and forgotten ones are unmonitored.
- Not logging or alerting on scan patterns, so the loudest, most detectable attacker phase passes unnoticed.
- Confusing a clean external scan with security, when internal enumeration after a foothold is often where the real damage path opens.
- Exposing a database or admin port to a network it should never be reachable from.
- Scan your own environment regularly, with authorization, so you find open ports and outdated versions before an attacker does.
- Minimize listening services and suppress version banners; every closed port is enumeration you do not have to defend.
- Alert on scan and enumeration signatures in firewall and IDS logs — sequential ports, directory brute-force user-agents, unusual query volume.
- Watch internal east-west scanning specifically, since post-foothold enumeration is the prelude to lateral movement.
- Fix what a scan reveals — an exposed database, an old version — rather than only noting it.
Knowledge Check
Why is suppressing service version banners a meaningful defensive step?
- The banner reveals the software, so attackers find CVEs
- Banners consume significant network bandwidth
- Banners are the only way a port can be scanned
- Hiding the banner automatically encrypts the whole service
Why is scanning considered the best stage of an attack to detect?
- It is the noisiest phase, lighting up firewall and IDS logs
- It is the only stage that touches the network
- Attackers always scan from their real IP address
- Scanning cannot be done without alerting the target by email
Why does internal (east-west) scanning deserve special attention?
- It precedes lateral movement
- Internal scans are always louder than external ones
- Internal hosts cannot run nmap
- External scans are harmless and never matter
You got correct