As researchers, we should be aware of all possible avenues for an attacker to accomplish a goal.
So how else might an attacker enumerate which service ports are available on a remote server?
If SNMP is available and the community strings are default/guessable, often this can provide an interface for listing listening ports. This is interesting because we can often retrieve the entire TCP connection table (including all established connections/listening ports) using only SNMP. This could allow an attacker to glean even MORE information than a portscan would if there was a firewall in place.
Another way would be through a zone transfer. Often times DNS names clearly indicate a service. If zone transfers aren't disallowed to the attacker, this could be a useful feature:
Default Server: ns
> set type=ns
learnsecurityonline.com nameserver = ns10.dynamichosting.biz
learnsecurityonline.com nameserver = ns11.dynamichosting.biz
ns10.dynamichosting.biz internet address = 22.214.171.124
ns11.dynamichosting.biz internet address = 126.96.36.199
> server ns10.dynamichosting.biz
Default Server: ns10.dynamichosting.biz
> set type=any
> ls -d learnsecurityonline.com
learnsecurityonline.com. A 188.8.131.52
ftp A 184.108.40.206
mail A 220.127.116.11
webmail A 18.104.22.168
www A 22.214.171.124
These are only a few. Can anyone else think of uncommon methods for accomplishing common hacker tasks? portscanning or otherwise?