Network Reconnaissance: A Practical Guide to Service Discovery

In the world of cybersecurity, understanding what's running on a network is often the first step in both attacking and defending systems. Today, I'm sharing insights from a fascinating security challenge that demonstrates the fundamentals of network service discovery and why it matters.

LeadHand

12/15/2025, 3 min read

The Scenario: Locked Out of Our Own Server

Imagine this: your QA environment has been compromised, you're locked out, and attackers have defaced your systems. Sound dire? It is. But there's a silver lining—the server is still active, and you know its IP address. This is where network reconnaissance becomes your best friend.

The Reconnaissance Game Plan

When you're locked out but know your target's IP, your strategy should be methodical:

  1. Identify your target and its IP address

  2. Scan for open ports (the digital doorways into the system)

  3. Investigate what services are running behind those ports

  4. Find vulnerabilities or exposed services that give you a way back in

Let's walk through each stage with practical examples.

Starting Simple: The Basic Port Scan

The first tool in any security professional's arsenal is Nmap, the Network Mapper. A basic scan reveals the obvious entry points:

nmap MACHINE_IP

This command scans the 1,000 most commonly used ports. In our scenario, it revealed:

  • Port 22 - SSH (Secure Shell for remote access)

  • Port 80 - HTTP (web server)

At first glance, you might visit the website and find it defaced by attackers. Dead end? Not quite.

Going Deeper: Comprehensive Port Scanning

Here's a crucial lesson: there are 65,535 possible TCP ports, and attackers often hide services on non-standard ports to avoid detection. Time to scan them all:

nmap -p- --script=banner MACHINE_IP

The -p- flag tells Nmap to scan all ports, while --script=banner attempts to grab service banners that reveal what's running. This deeper scan uncovered:

  • Port 21212 - FTP server (usually on port 21, but moved for "security through obscurity")

  • Port 25251 - A custom TBFC maintenance application

Exploiting Anonymous FTP Access

Many administrators mistakenly leave FTP servers with anonymous access enabled. This is a goldmine for reconnaissance:

ftp MACHINE_IP 21212
Name: anonymous
ftp> ls
ftp> get tbfc_qa_key1 -

Just like that, sensitive files can be retrieved without authentication. This is why proper access controls matter.

Interacting with Unknown Services

When you encounter a service you don't recognize, Netcat (nc) is your Swiss Army knife. It can connect to any TCP service and interact with it:

nc -v MACHINE_IP 25251

The server responded with its own command interface. By simply typing HELP, we discovered available commands including one to retrieve another key. Always read the documentation—even when that documentation is provided by the service itself!

The UDP Blind Spot

Most security scans focus on TCP, but UDP services can harbor secrets too. Scanning UDP requires a different approach:

nmap -sU MACHINE_IP

This revealed an open DNS service on port 53. DNS isn't just for resolving domain names—it can store arbitrary text records. Using the dig command:

dig @MACHINE_IP TXT key3.tbfc.local +short

And there's another key hidden in DNS records. This technique is sometimes used by attackers for command and control or data exfiltration.

From Outside to Inside: On-Host Enumeration

Once you regain access to a system, your perspective shifts. Instead of scanning from outside, you can ask the operating system directly what's listening:

ss -tunlp

This revealed services listening only on 127.0.0.1 (localhost)—invisible to external scans. Among them was MySQL on port 3306. Databases often trust localhost connections without authentication, assuming that if you're on the machine, you're authorized:

mysql -D tbfcqa01 -e "show tables;"
mysql -D tbfcqa01 -e "select * from flags;"

Mission accomplished. Full access restored.
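The `ss -tunlp` step is also the cheapest audit a defender can run on their own host. The following added example (not from the original post) parses a constructed `ss -tunlp` listing, separates what an external scanner would see from what is bound to loopback only, and flags well-known daemons sitting on unusual ports, such as an FTP server on 21212. The process names, the sample listing and the expected-port table are assumptions made for the example.

```python
import re

# Constructed sample of `ss -tunlp` output, shaped after the scenario in the post;
# not captured from any real machine.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:53          0.0.0.0:*         users:(("named",pid=612,fd=20))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=701,fd=3))
tcp   LISTEN 0      511    *:80                *:*               users:(("apache2",pid=820,fd=4))
tcp   LISTEN 0      5      0.0.0.0:21212       0.0.0.0:*         users:(("vsftpd",pid=903,fd=3))
tcp   LISTEN 0      128    0.0.0.0:25251       0.0.0.0:*         users:(("python3",pid=1100,fd=5))
tcp   LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1001,fd=21))
"""

# Addresses that only local processes can reach.
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}
# Hypothetical table of where each daemon is normally expected to listen.
EXPECTED_PORTS = {"sshd": {22}, "vsftpd": {21}, "mysqld": {3306},
                  "named": {53}, "apache2": {80, 443}}

LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)"
    r"\s+\S+\s+users:\(\(\"(?P<proc>[^\"]+)\""
)

def parse_ss(text):
    """Return one dict per listener with its exposure and port-sanity flags."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or a row without process info
        addr, port, proc = m["addr"], int(m["port"]), m["proc"]
        exposed = addr not in LOOPBACK                  # reachable from the network
        expected = EXPECTED_PORTS.get(proc)
        nonstandard = expected is not None and port not in expected
        listeners.append({"proto": m["proto"], "addr": addr, "port": port,
                          "proc": proc, "exposed": exposed, "nonstandard": nonstandard})
    return listeners

def audit(text):
    """Summarise external attack surface, local-only services and odd port choices."""
    ls = parse_ss(text)
    return {
        "exposed": sorted((l["proto"], l["port"]) for l in ls if l["exposed"]),
        "local_only": sorted((l["proto"], l["port"]) for l in ls if not l["exposed"]),
        "nonstandard": sorted((l["proc"], l["port"]) for l in ls if l["nonstandard"]),
    }

if __name__ == "__main__":
    for name, items in audit(SAMPLE_SS).items():
        print(f"{name}: {items}")
```

On a real host, pipe the live output in with `ss -tunlp | python3 audit.py` after swapping `SAMPLE_SS` for `sys.stdin.read()`.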

Key Takeaways for Security Professionals

For Defenders:

  • Don't rely on non-standard ports for security—use proper authentication

  • Disable anonymous access on services like FTP

  • Be cautious about what you store in DNS records

  • Implement network segmentation so compromising one service doesn't expose everything

  • Monitor for unusual port scanning activity
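The last point above, monitoring for port-scan activity, is easy to turn into a concrete check. This added example (not part of the original post) runs a sliding-window detector over constructed netfilter-style log lines: a source that touches five or more distinct protocol/port pairs within sixty seconds is flagged, which is what a full `-p-` or `-sU` sweep looks like from the target's side. The log format, threshold and window are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed kernel/netfilter-style log lines; the ports mirror the scenario in the post.
SAMPLE_LOG = """\
2025-12-15T10:00:00 kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.10 PROTO=TCP DPT=22 SYN
2025-12-15T10:00:00 kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.10 PROTO=TCP DPT=80 SYN
2025-12-15T10:00:01 kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.10 PROTO=TCP DPT=443 SYN
2025-12-15T10:00:01 kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.10 PROTO=TCP DPT=21212 SYN
2025-12-15T10:00:02 kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.10 PROTO=TCP DPT=25251 SYN
2025-12-15T10:00:02 kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.10 PROTO=UDP DPT=53
2025-12-15T10:00:03 kernel: IN=eth0 SRC=10.0.0.7 DST=10.0.0.10 PROTO=TCP DPT=80 SYN
2025-12-15T10:05:00 kernel: IN=eth0 SRC=10.0.0.7 DST=10.0.0.10 PROTO=TCP DPT=80 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*?SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)"
)

def detect_scans(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {source_ip: first_timestamp} for sources that hit >= threshold
    distinct (proto, port) pairs inside a sliding time window."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, (proto, port))
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.fromisoformat(m["ts"])
        src, key = m["src"], (m["proto"], int(m["dpt"]))
        q = recent[src]
        q.append((ts, key))
        while q and ts - q[0][0] > window:   # age out events older than the window
            q.popleft()
        if src not in alerts and len({k for _, k in q}) >= threshold:
            alerts[src] = ts                 # record when the source crossed the line
    return alerts

if __name__ == "__main__":
    for src, first_seen in detect_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src} starting {first_seen.isoformat()}")
```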

For Penetration Testers:

  • Always scan the full port range—attackers hide in unusual places

  • Don't forget UDP services in your reconnaissance

  • Use banner grabbing to identify services quickly

  • Remember that localhost services are often less secured than external ones

  • Document everything you find systematically

For Everyone:

  • Network security is layered—one exposed service can unravel everything

  • "Security through obscurity" (like using weird port numbers) is not security

  • Proper authentication and access controls are fundamental

  • Regular security audits catch misconfigurations before attackers do

The Bigger Picture

This exercise demonstrates that network reconnaissance isn't just about knowing tools—it's about thinking systematically. Each discovered service is a potential entry point. Each misconfiguration is a foothold. Understanding how services interact, what they expose, and where they're vulnerable is essential whether you're defending a network or testing its security.

The next time you're configuring a server, ask yourself: what would an attacker see if they scanned my network? Then make sure the answer is "only what I want them to see—and nothing more."

Want to practice these skills in a safe environment? Check out platforms like TryHackMe that offer hands-on cybersecurity challenges and learning paths.