Why Footprinting Comes First
The biggest mistake I see from less experienced testers is jumping straight to exploitation without understanding what they're targeting. Footprinting is the discipline of mapping everything exposed on a target before you attempt to break anything. Port scanning tells you what's listening. Service enumeration tells you what version, what configuration, and what information the service is leaking by default.
Done properly, footprinting tells you where your effort is best spent. You might discover an exposed SNMP service leaking network topology, or an FTP server with anonymous read access containing configuration files. The path of least resistance is usually visible in the enumeration phase if you're thorough.
The Priority Order
Start with port scanning (all ports, not just top 1000). Then banner grab each open port. Then protocol-specific enumeration. Then cross-reference what you find. Services that seem boring in isolation often become interesting when you combine what they leak.
SMB and FTP Enumeration
SMB is one of the richest targets for enumeration on Windows networks. Null session authentication — connecting without credentials — still works on many environments and exposes share listings, domain information, and user accounts. SMB signing misconfigurations enable relay attacks. Open shares might contain sensitive documents, scripts with embedded credentials, or backup files.
smbclient -N -L //TARGET_IP
smbmap -H TARGET_IP
rpcclient -U "" TARGET_IP
enum4linux-ng.py TARGET_IP -A
ftp TARGET_IP
wget -m --no-passive ftp://anonymous:anonymous@TARGET_IP/
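On the defending side, the null-session logons described above leave a trace: a Windows Security Event ID 4624 with logon type 3 (network) for the ANONYMOUS LOGON account. The following is an added example, not code from the original post, that reads a constructed JSON-lines export of 4624/4625 records (field names follow the 4624 event schema; the records and IP addresses are made up) and counts anonymous network logons per source address, so a host that is enumerating shares without credentials stands out.

```python
"""Flag null-session style logons in exported Windows Security events.

Added example (not from the original post). Parses a constructed
JSON-lines export of Security events and reports anonymous network
logons (Event ID 4624, LogonType 3, ANONYMOUS LOGON) per source IP.
"""
import json

# Constructed sample export: two anonymous network logons from one host,
# one normal Kerberos logon, and one failed logon (4625) that must be ignored.
SAMPLE_EVENTS = """\
{"EventID": 4624, "TargetUserName": "ANONYMOUS LOGON", "TargetDomainName": "NT AUTHORITY", "LogonType": 3, "IpAddress": "10.0.0.25", "AuthenticationPackageName": "NTLM"}
{"EventID": 4624, "TargetUserName": "jsmith", "TargetDomainName": "CORP", "LogonType": 3, "IpAddress": "10.0.0.40", "AuthenticationPackageName": "Kerberos"}
{"EventID": 4624, "TargetUserName": "ANONYMOUS LOGON", "TargetDomainName": "NT AUTHORITY", "LogonType": 3, "IpAddress": "10.0.0.25", "AuthenticationPackageName": "NTLM"}
{"EventID": 4625, "TargetUserName": "admin", "TargetDomainName": "CORP", "LogonType": 3, "IpAddress": "10.0.0.77", "AuthenticationPackageName": "NTLM"}
"""


def parse_events(text):
    """Parse one JSON object per non-empty line into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_anonymous_network_logon(ev):
    """True for a successful network logon by the ANONYMOUS LOGON account."""
    return (
        ev.get("EventID") == 4624
        and ev.get("LogonType") == 3
        and ev.get("TargetUserName", "").upper() == "ANONYMOUS LOGON"
    )


def anonymous_logons_by_source(events, threshold=1):
    """Count anonymous network logons per source IP; keep sources at/above threshold."""
    counts = {}
    for ev in events:
        if is_anonymous_network_logon(ev):
            ip = ev.get("IpAddress", "-")
            counts[ip] = counts.get(ip, 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in anonymous_logons_by_source(parse_events(SAMPLE_EVENTS)).items():
        print(f"{ip}: {n} anonymous network logon(s)")
```

Some environments generate legitimate ANONYMOUS LOGON events (domain controllers in particular), so the threshold should be set from a baseline rather than at 1. The fix for the underlying exposure is on the server side: the "Network access: Restrict anonymous access to Named Pipes and Shares" and "Do not allow anonymous enumeration of SAM accounts and shares" policies, plus required SMB signing to close the relay path mentioned above.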
DNS, SMTP, and SNMP
DNS zone transfers are one of those findings that should be embarrassing in 2026 but still show up regularly. A misconfigured DNS server that allows AXFR queries to any client dumps every hostname and IP in the zone. That's your complete internal network map, handed to you for free.
dig ns target.com @nameserver
dig any target.com @nameserver
dig axfr target.com @nameserver
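The same AXFR request is visible to the zone's operator in the BIND query log. As an added example (not part of the original post), the script below parses constructed BIND 9 "queries" category log lines, using the standard `client <ip>#<port> (<zone>): query: <name> IN <type>` layout, and reports any zone transfer request from an address that is not in an allow-list of known secondaries. The allow-list, the log lines and the addresses are all constructed.

```python
"""Spot unexpected zone transfer requests in a BIND 9 query log.

Added example (not from the original post). Everything below is
constructed: the allowed secondary, the log lines and the addresses.
"""
import re

# Constructed: the only host that should ever pull this zone.
ALLOWED_SECONDARIES = {"192.0.2.54"}

# Constructed BIND 9 query-log lines: a legitimate AXFR from the secondary,
# an ordinary A lookup, then an AXFR and an ANY from an unknown client.
SAMPLE_LOG = """\
12-Mar-2026 10:14:02.117 queries: info: client @0x7f3c1c0d0a10 192.0.2.54#53412 (target.com): query: target.com IN AXFR -TE (192.0.2.53)
12-Mar-2026 10:14:05.301 queries: info: client @0x7f3c1c0d0a10 203.0.113.9#41822 (target.com): query: target.com IN A +E(0)K (192.0.2.53)
12-Mar-2026 10:14:09.844 queries: info: client @0x7f3c1c0d0a10 203.0.113.9#41830 (target.com): query: target.com IN AXFR -TE (192.0.2.53)
12-Mar-2026 10:14:11.002 queries: info: client @0x7f3c1c0d0a10 203.0.113.9#41831 (target.com): query: target.com IN ANY +E(0)K (192.0.2.53)
"""

# The "@0x..." client handle is present on newer BIND versions and optional here.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<zone>[^)]+)\): "
    r"query: (?P<name>\S+) IN (?P<qtype>[A-Z0-9]+)"
)


def parse_query_log(text):
    """Return a list of dicts with ip, zone, name and qtype for each query line."""
    records = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            records.append(m.groupdict())
    return records


def suspicious_transfers(records, allowed=ALLOWED_SECONDARIES):
    """Zone transfer requests (AXFR/IXFR) from addresses outside the allow-list."""
    return [
        (r["ip"], r["name"], r["qtype"])
        for r in records
        if r["qtype"] in ("AXFR", "IXFR") and r["ip"] not in allowed
    ]


if __name__ == "__main__":
    for ip, name, qtype in suspicious_transfers(parse_query_log(SAMPLE_LOG)):
        print(f"{qtype} request for {name} from unexpected client {ip}")
```

A logged AXFR request only shows that a transfer was asked for, not that it was served; the "xfer-out" and "security" log categories record whether BIND completed or refused it. The configuration fix is an `allow-transfer { <secondary addresses>; };` statement on the zone (or globally in `options`), so that anyone else gets REFUSED and the alert above becomes a clean signal of reconnaissance rather than a leak.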
SNMP with default community strings is another gift. SNMPv1 and v2c use plaintext community strings ("public" and "private" are defaults that many devices never change). If you can query SNMP with the community string, you can pull system information, network interfaces, routing tables, running processes, and installed software — on routers, switches, printers, and servers that would otherwise be opaque.
snmpwalk -v2c -c public TARGET_IP
snmpwalk -v2c -c private TARGET_IP 1.3.6.1.2.1.25.4.2.1.2
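For the SNMP paragraph, the thing a defender most wants is a quick audit of the agent configuration. Below is an added example, not from the original post, that checks a Net-SNMP `snmpd.conf` for the weaknesses just described: default community strings, communities accepted from any source address, and read-write communities. It shows a constructed out-of-the-box style config beside a constructed hardened one (non-default read-only string restricted to a single manager address, plus an SNMPv3 user with placeholder passphrases); the directives used (`rocommunity`, `rwcommunity`, `com2sec`, `rouser`, `createUser`) are standard Net-SNMP ones, the values are made up.

```python
"""Audit a Net-SNMP snmpd.conf for weak community configuration.

Added example (not from the original post). The two configs below are
constructed; the directive syntax is Net-SNMP's.
"""

DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed: the kind of config the snmpwalk commands above succeed against.
WEAK_CONF = """\
# default-style configuration
rocommunity public
rwcommunity private
"""

# Constructed: read-only v2c from one manager only, v3 authPriv for everything else.
# The passphrases are placeholders to be replaced, not real values.
HARDENED_CONF = """\
rocommunity  Xq7-long-random-ro-string  192.0.2.10
rouser monitoring priv
createUser monitoring SHA REPLACE-WITH-AUTH-PASSPHRASE AES REPLACE-WITH-PRIV-PASSPHRASE
"""


def audit_snmpd_conf(text):
    """Return (line_no, severity, message) findings for community-based access."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        tok = line.split()
        directive = tok[0].lower()
        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            # rocommunity COMMUNITY [SOURCE [OID]]; no SOURCE means any address
            community = tok[1] if len(tok) > 1 else ""
            source = tok[2] if len(tok) > 2 else "default"
        elif directive == "com2sec" and len(tok) >= 4:
            # com2sec SECNAME SOURCE COMMUNITY
            source, community = tok[2], tok[3]
        else:
            continue  # v3 users and other directives are not community-based
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((lineno, "high", f"default community string '{community}'"))
        if source == "default":
            findings.append((lineno, "medium", "community accepted from any source address"))
        if directive.startswith("rw"):
            findings.append((lineno, "medium", "read-write community; prefer SNMPv3 authPriv"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {len(audit_snmpd_conf(conf))} finding(s)")
        for lineno, sev, msg in audit_snmpd_conf(conf):
            print(f"  line {lineno} [{sev}] {msg}")
```

Changing the string alone is not enough, because v1 and v2c send it in cleartext on every request; the source restriction limits who can even try it, and SNMPv3 with authPriv is what actually authenticates and encrypts the session. On the detection side, SNMP agents on routers and printers rarely log failed community strings, so a network-level alert on UDP/161 requests from hosts that are not your monitoring servers is usually the more practical control.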
NFS and Other Services
NFS exports without authentication are still common in internal networks. If a share is exported with the no_root_squash option and you can mount it, you can create SUID binaries on the share that execute with root privileges when run on the server. IMAP and POP3 enumeration might reveal user credential patterns. LDAP queries can dump domain objects without credentials in many default configurations.
showmount -e TARGET_IP
mount -t nfs TARGET_IP:/share ./target-NFS/ -o nolock
ls -la ./target-NFS/
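The NFS exposure above is entirely decided by `/etc/exports`, so an auditor can read the file instead of mounting anything. The following is an added example, not from the original post, that parses a constructed `/etc/exports` and flags the conditions the paragraph describes (`no_root_squash`, exports open to every host, writable world exports) plus two related ones: the `insecure` option and exports that rely on AUTH_SYS (`sec=sys`, the default) rather than Kerberos, where the client simply asserts its own UID. The paths and hostnames are made up.

```python
"""Audit /etc/exports for the misconfigurations that make NFS a soft target.

Added example (not from the original post). The sample exports file is
constructed; the option names are the standard exports(5) ones.
"""
import re

# Constructed /etc/exports: one dangerous export, one world-readable,
# one properly scoped, one Kerberos-protected.
SAMPLE_EXPORTS = """\
/srv/backup     *(rw,no_root_squash,sync)
/srv/public     *(ro,sync)
/srv/home       10.0.0.0/24(rw,sync,root_squash)
/srv/secure     nfsclient.corp.example(rw,sync,sec=krb5p)
"""

# One client spec: "client(opt,opt)" or "client" or "(opt)"; the client part
# may contain "*", "?" and CIDR masks, but never whitespace or "(".
ENTRY_RE = re.compile(r"(?P<client>[^\s(]*)(?:\((?P<opts>[^)]*)\))?")


def parse_exports(text):
    """Return a list of (path, client, options-set) for every client spec."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        path, specs = parts[0], parts[1:] or ["*"]  # bare path: no client restriction
        for spec in specs:
            m = ENTRY_RE.fullmatch(spec)
            if not m:
                continue
            client = m.group("client") or "*"  # "(rw)" with no client also means everyone
            opts = {o.strip() for o in (m.group("opts") or "").split(",") if o.strip()}
            exports.append((path, client, opts))
    return exports


def audit_exports(exports):
    """Return (path, client, severity, message) findings."""
    findings = []
    for path, client, opts in exports:
        world = client in ("*", "0.0.0.0/0")
        if "no_root_squash" in opts:
            findings.append((path, client, "high",
                             "no_root_squash: client root is root on the server"))
        if world and "rw" in opts:
            findings.append((path, client, "high", "writable export with no client restriction"))
        elif world:
            findings.append((path, client, "medium", "export readable by any host"))
        if "insecure" in opts:
            findings.append((path, client, "low",
                             "insecure: requests accepted from unprivileged source ports"))
        if not any(o.startswith("sec=krb5") for o in opts):
            findings.append((path, client, "info",
                             "AUTH_SYS only: UIDs are asserted by the client, not authenticated"))
    return findings


if __name__ == "__main__":
    for path, client, sev, msg in audit_exports(parse_exports(SAMPLE_EXPORTS)):
        print(f"[{sev}] {path} -> {client}: {msg}")
```

The point of the `sec=krb5*` check is that `root_squash` and a CIDR client list only restrict which hosts may mount and what root maps to; any user on an allowed host can still present an arbitrary UID under AUTH_SYS. Kerberos-authenticated NFS (`sec=krb5p` for integrity and privacy) is the configuration that closes that gap, and the `showmount -e` output in the commands above is exactly what the first two findings would look like from the outside.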
The goal at the end of the footprinting phase is a clear picture: which services are running, what versions, what's misconfigured, and what information is already available without any exploitation. That picture drives every decision that comes after it.