2-3: Service Recon

Note: I'm taking a lighter touch on this section for now. The focus is on higher level methodology rather than getting into the details of how to enumerate specific services/protocols.

Nmap

Technically service recon already started during the initial network recon phase, as passing the -sC flag to nmap runs default scripts against discovered services if nmap recognizes them and has scripts to run against them (e.g., SSH, LDAP, SMB, etc.).

Sometimes that nmap run is enough information to work with, depending on what services are discovered. If all there is to enumerate is an SSH port and a web server on port 80, additional service scanning is unlikely to yield more information. On the other hand, if there are services with wider attack surfaces at a network level, then it can make sense to spend more time running additional scripts against them.

As an example: discovering an LDAP service is a great case for spending more time on service recon. There are additional scripts that nmap can run, which you can add to the scan with --script "ldap*" to get any LDAP related scripts. There are a few brute force scripts in this set which can be excluded, so we can negate those with --script "ldap* and not brute".

Available scripts can be found in nmap's documentation.
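As an added illustration (not from the original notes), the function below mimics how nmap resolves a --script expression against script.db, using a constructed excerpt in the same format; on a real install, `nmap --script-help "ldap* and not brute"` lists the same selection, which is worth checking before a scan so intrusive scripts aren't launched unintentionally.

```python
import fnmatch
import re

# Constructed excerpt in the format of nmap's scripts/script.db (not the real file).
SCRIPT_DB = """
Entry { filename = "ldap-brute.nse", categories = { "brute", "intrusive" } }
Entry { filename = "ldap-rootdse.nse", categories = { "discovery", "safe" } }
Entry { filename = "ldap-search.nse", categories = { "discovery", "safe" } }
Entry { filename = "smb-os-discovery.nse", categories = { "default", "discovery", "safe" } }
Entry { filename = "ssh-brute.nse", categories = { "brute", "intrusive" } }
"""

ENTRY_RE = re.compile(r'filename = "([^"]+)\.nse", categories = \{([^}]*)\}')


def parse_script_db(text):
    """Return {script_name: set(categories)} from script.db-style text."""
    db = {}
    for name, cats in ENTRY_RE.findall(text):
        db[name] = set(re.findall(r'"([^"]+)"', cats))
    return db


def _term_matches(term, name, cats):
    # A term matches a script if it names one of its categories or
    # wildcard-matches the script name (how nmap treats words and globs).
    return term in cats or fnmatch.fnmatchcase(name, term)


def select_scripts(db, expr):
    """Evaluate an nmap-style --script expression and return the script
    names it would run.  Handles "and", "or" and "not"; parentheses are
    not supported (simplification for this example)."""
    selected = []
    for name, cats in db.items():
        for clause in re.split(r"\s+or\s+", expr.strip()):
            ok = True
            for term in re.split(r"\s+and\s+", clause):
                negate = term.startswith("not ")
                term = term[4:].strip() if negate else term.strip()
                if _term_matches(term, name, cats) == negate:
                    ok = False
                    break
            if ok:
                selected.append(name)
                break
    return sorted(selected)


if __name__ == "__main__":
    print(select_scripts(parse_script_db(SCRIPT_DB), "ldap* and not brute"))
```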

Other tools

For specific common services, and more novel ones, there are cases where additional tools (both command line and GUI) can be used to assist with service recon. Many of these tools will come default with Kali, like smbclient for SMB, and others you'll have to install manually.

But these tools are much more service specific, so for the sake of simplicity right now I'll say that in most cases the first place I check is HackTricks before searching more widely if the service isn't covered there.

Other considerations

After a certain point in enumerating here, this section begins to blend into the research phase. Anything to do with finding the right tools to check and/or test a service is covered in more detail there.
