Remote port enumeration using native tools
Now that we know how to work out our local services and some traffic diagnostics, how can we enumerate listening ports and services on remote hosts?
The easy way is to use native tools – for instance scp for SFTP servers, or ftp for FTP servers. But what if it's some different service that we don't have an installed client for? Simple enough: the telnet command can be used in a pinch for this – for instance, we can telnet to a printer's admin port, running http (tcp/80), and make a GET request for the header of the first page. Notice the garbage characters at the bottom of the listing – that's how graphics are represented on this page:
$ telnet 192.168.122.241 80
Trying 192.168.122.241...
Connected to 192.168.122.241.
Escape character is '^]'.
GET / HTTP/1.1

HTTP/1.1 200 OK
Server: HP HTTP Server; HP PageWide 377dw MFP - J9V80A; Serial Number: CN74TGJ0H7; Built: Thu Oct 15, 2020 01:32...
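The telnet session above is the manual form of a service check; when you are auditing a whole inventory of known hosts it is handier to script it. The following is an added example (not code from the diary): it sends the same GET that was typed into telnet (plus a Host header, which HTTP/1.1 expects), reads only up to the end of the header block, and reports the status line and Server header, returning None when the port is closed, times out, or answers with something that is not HTTP. So that it runs offline, it stands up a local listener that replies with a constructed banner modelled on the printer's response (the serial number is a placeholder); the host and port values are assumptions, not hosts from the page.

```python
"""Scripted banner grab on a known host:port, mirroring the telnet session.
Added example, not the diary's own tool."""
import socket
import threading

# Constructed sample modelled on the printer reply shown on the page; the
# serial number is a placeholder, not a real device value.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: HP HTTP Server; HP PageWide 377dw MFP - J9V80A; "
    b"Serial Number: PLACEHOLDER; Built: Thu Oct 15, 2020 01:32:00\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>binary graphics bytes would follow here</body></html>"
)


def parse_http_header(raw: bytes) -> dict:
    """Split a raw HTTP response into its status line and a header dict.
    Anything after the first blank line (the body, possibly binary) is ignored."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1", errors="replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"status": lines[0], "headers": headers}


def grab_http_header(host: str, port: int, timeout: float = 3.0, max_bytes: int = 8192):
    """Connect, send the GET the telnet session typed (with a Host header),
    and return the parsed header, or None if the port is closed, silent,
    or not speaking HTTP."""
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            buf = b""
            # Stop at the end of the header block, on close, or at the size cap,
            # so a chatty device cannot make us read unbounded data.
            while b"\r\n\r\n" not in buf and len(buf) < max_bytes:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                buf += chunk
    except OSError:  # covers ConnectionRefusedError and timeouts
        return None
    if not buf.startswith(b"HTTP/"):
        return None
    return parse_http_header(buf)


def serve_once(response: bytes) -> int:
    """Constructed stand-in for the printer: a loopback listener on an
    ephemeral port that answers one connection with `response`. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handle():
        conn, _ = srv.accept()
        with conn:
            conn.recv(1024)  # consume the request; its content is irrelevant here
            conn.sendall(response)
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]


def closed_port() -> int:
    """Pick a loopback port nothing is listening on (bind, note it, release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo() -> dict:
    """Run the open-port and closed-port cases against the local stand-ins."""
    open_result = grab_http_header("127.0.0.1", serve_once(SAMPLE_RESPONSE))
    closed_result = grab_http_header("127.0.0.1", closed_port(), timeout=1.0)
    return {"open": open_result, "closed": closed_result}


if __name__ == "__main__":
    for name, result in demo().items():
        if result is None:
            print(f"{name}: no HTTP service")
        else:
            print(f"{name}: {result['status']} | Server: {result['headers'].get('server')}")
```

Reading only to the first blank line is what keeps the output clean: the printer's body is HTML with embedded graphics, which is the source of the garbage characters in the telnet listing, and for a service inventory the status line and Server header are all you need.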