Welcome to Day 25! Today you will learn how to enumerate database services and SMB shares using Nmap, from basic discovery to advanced, safe enumeration techniques. This guide is detailed and focused only on database and SMB enumeration, with clear explanations and structured concepts.

By completing Day 25, you will be able to:

• Identify common database and SMB ports
• Run safe, basic enumeration scans
• Use Nmap scripts to gather service details
• Interpret results and avoid common pitfalls
• Build a structured workflow for database and SMB enumeration

Only enumerate systems you own or have explicit permission to test. Database and SMB services often expose sensitive data if misconfigured.

Databases run on well-known ports, but sometimes use custom ports. Common database ports:

• 3306 (MySQL/MariaDB)
• 5432 (PostgreSQL)
• 1433 (Microsoft SQL Server)
• 1521 (Oracle)
• 27017 (MongoDB)
• 6379 (Redis)

SMB is used for Windows file sharing and domain services. Common SMB-related ports:

• 445 (SMB over TCP)
• 139 (NetBIOS Session Service)
• 137 (NetBIOS Name Service)
• 138 (NetBIOS Datagram Service)

Discover database and SMB services first:

nmap -p 137,138,139,445,1433,1521,3306,5432,27017,6379 target

Use version detection to identify database engines:

nmap -sV -p 1433,1521,3306,5432,27017,6379 target

Version detection helps identify:

• Database engine type
• Version numbers for patch analysis
• Authentication requirements

Example:

nmap -sV -p 3306 target

SMB versions matter for security and compatibility. Use Nmap scripts to detect SMB version:

nmap -p 445 --script smb-protocols target

Useful safe scripts for enumeration:

• mysql-info
• pgsql-info
• ms-sql-info
• oracle-tns-version
• mongodb-info
• redis-info

Examples:

nmap -p 3306 --script mysql-info target
nmap -p 5432 --script pgsql-info target
nmap -p 1433 --script ms-sql-info target
nmap -p 1521 --script oracle-tns-version target
nmap -p 27017 --script mongodb-info target
nmap -p 6379 --script redis-info target

Safe and common SMB scripts:

• smb-os-discovery
• smb-enum-shares
• smb-enum-users
• smb-security-mode
• smb2-security-mode
• smb2-time

Examples:

nmap -p 445 --script smb-os-discovery target
nmap -p 445 --script smb-enum-shares target
nmap -p 445 --script smb-enum-users target

Key concepts in database enumeration:

• Service discovery (what DB engine is running)
• Version detection (is it outdated)
• Authentication mode (password, no-auth, or integrated)
• Exposure (public vs internal services)

Key SMB concepts:

• Workgroup or domain name
• Server OS details
• Share lists and permissions
• SMB signing requirements

nmap -p 445 --script smb-enum-shares target

Look for:

• Anonymous access
• Sensitive share names
• Writable shares

nmap -p 445 --script smb-enum-users target

Use only with permission; user enumeration can be sensitive.

nmap -p 445 --script smb-os-discovery target

This reveals OS, domain/workgroup, and system time.

Check whether SMB signing is required:

nmap -p 445 --script smb-security-mode,smb2-security-mode target

Some scripts can check for authentication modes without brute force. Example (MySQL):

nmap -p 3306 --script mysql-info target

• Default port: 3306
• Common script: mysql-info
• Possible issues: default accounts, outdated versions

• Default port: 5432
• Common script: pgsql-info
• Possible issues: weak auth or exposure to public networks

• Default port: 1433
• Common script: ms-sql-info
• Extra scripts: ms-sql-ntlm-info

• Default port: 1521
• Common script: oracle-tns-version

• Default port: 27017
• Common script: mongodb-info
• Check for no-auth setups with extreme caution

• Default port: 6379
• Common script: redis-info

Run a safe script bundle on multiple DB ports:

nmap -sV -p 1433,1521,3306,5432,27017,6379 --script mysql-info,pgsql-info,ms-sql-info,oracle-tns-version,mongodb-info,redis-info target

Use a target list to scan multiple hosts:

nmap -p 137,138,139,445,1433,1521,3306,5432,27017,6379 -sV -iL targets.txt -oA outputs/db-smb-batch

Always use -oA for parsing and reporting:

nmap -p 445 -sV --script smb-os-discovery -oA outputs/smb target

Extract SMB hosts:

grep "445/open" outputs/db-smb-batch.gnmap

Extract DB hosts:

grep "3306/open" outputs/db-smb-batch.gnmap

Databases sometimes run on custom ports. Use version detection across a range if needed:

nmap -sV -p 1-10000 target

Older systems may still expose NetBIOS services:

nmap -sU -p 137,138 target
nmap -sT -p 139 target

Use safe and default categories when possible:

nmap -p 445 --script safe target

Some scripts attempt brute force or intrusive checks. Only run them with explicit permission and clear scope.

SMB signing prevents certain attacks but can affect performance. Detection:

nmap -p 445 --script smb2-security-mode target

nmap -p 445 --script smb2-time,smb-os-discovery target

• Publicly accessible databases are high risk
• Weak or default credentials can lead to compromise
• Unencrypted DB traffic can leak data

• Anonymous share access
• Weak SMB signing or outdated protocols
• Legacy SMBv1 exposure

Some scripts support credentials for deeper checks. Always store credentials securely and only use with permission.

Banners can be misleading or spoofed. Confirm with multiple methods when possible.

Database and SMB services should be segmented from public access. Enumeration can reveal segmentation gaps.

Look for TLS support on database connections where applicable.

nmap -p 445 --script smb-os-discovery,smb-enum-shares target -oA outputs/smb-basic

nmap -sV -p 1433,3306,5432,1521,27017,6379 --script ms-sql-info,mysql-info,pgsql-info,oracle-tns-version,mongodb-info,redis-info target -oA outputs/db-bundle

nmap -sV -p 137,138,139,445,1433,1521,3306,5432,27017,6379 --script smb-os-discovery,mysql-info,pgsql-info,ms-sql-info target -oA outputs/db-smb-combined

Look for:

• Open SMB ports with share listings
• Database banners and version details
• Weak SMB signing or legacy protocols
• Unexpected database services on internal networks

• SMB shares accessible anonymously
• SMBv1 still enabled
• Databases exposed to public networks
• Outdated database versions

• Inventory internal database servers
• Check SMB share exposure
• Validate segmentation and firewall rules
• Confirm patching levels

• Nmap does not perform full database security audits
• Scripts provide surface-level enumeration
• Deep checks usually require authenticated tools

• Start with safe scripts
• Keep scope minimal
• Log outputs and options
• Confirm findings with additional tools if needed

1. Why is SMB signing important?
2. What risks exist when databases are public?
3. How do you balance scan coverage with safety?
4. What limitations does Nmap have for DB enumeration?

Tomorrow (Day 26) you will learn about cloud and external perimeter scanning.

Congratulations on completing Day 25! You now have a structured approach to database and SMB enumeration.