🎯 Lab Objectives

  • Understand how Nmap discovers live hosts on a network
  • Run TCP SYN, UDP, and full-connect scans with appropriate flags
  • Enumerate running services and their exact version numbers
  • Perform OS fingerprinting against a target machine
  • Use NSE (Nmap Scripting Engine) scripts for automated checks
  • Save scan results in multiple output formats for reporting

What is Nmap?

Nmap ("Network Mapper") is a free, open-source tool for network discovery and security auditing. Originally written by Gordon "Fyodor" Lyon, it is usually the first tool a penetration tester reaches for to find out what is running on a target network.

Nmap sends carefully crafted packets to the target and analyses the responses to determine which hosts are alive, which ports are open, which services (and versions) are listening on them, and which operating system the target runs.

⚠️
Legal Warning: Only scan systems you own or have explicit written permission to test. Unauthorised scanning is illegal in most jurisdictions. Use a home lab, a VPN-accessible lab such as HackTheBox or TryHackMe, or a dedicated practice environment.

Step 1 — Host Discovery

Before scanning ports, you need to know which hosts are alive. Nmap provides several discovery techniques.


Ping Sweep (-sn)

Scan an entire subnet to find live hosts. The -sn flag disables port scanning and only reports whether each host is up. Despite the name it is not just an ICMP echo: as root, Nmap sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request (on a local Ethernet segment it uses ARP requests instead); without root it falls back to TCP connect attempts to ports 80 and 443. Hosts that drop all of these will be reported as down, so on a hardened network consider -Pn to skip discovery and scan every address anyway.

# Ping sweep a /24 subnet
nmap -sn 192.168.1.0/24

# Also show MAC addresses and vendor (requires root; uses ARP on the local segment)
sudo nmap -sn 192.168.1.0/24

# Force ARP ping (already the default as root on a local Ethernet segment;
# ARP never crosses a router, so this only works for the local subnet)
sudo nmap -PR -sn 192.168.1.0/24

# Scan a range of IPs
nmap -sn 10.10.10.1-50

Sample output:

Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for 192.168.1.1
Host is up (0.00023s latency).
MAC Address: AA:BB:CC:DD:EE:FF (Cisco)
Nmap scan report for 192.168.1.105
Host is up (0.0011s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.41 seconds

Step 2 — TCP SYN Scan (Stealth Scan)

The TCP SYN scan (-sS) is Nmap's default scan when run as root (unprivileged users get the full-connect -sT scan instead). It sends a SYN, classifies the port from the SYN/ACK, RST or silence that comes back, and then tears the half-open connection down with a RST rather than completing the handshake. Because the application never receives an accepted connection, the probe does not appear in application logs, and the scan is faster. "Stealth" is a historical label: firewalls, IDS sensors and any packet capture on the host still see every SYN.


Run a SYN scan

The -p- flag scans all 65,535 ports (1-65535). --min-rate sets a floor on the packet rate, not a cap: 5000 packets per second is fine on a lab network but can drop results on congested or rate-limited links, so re-check anything important with a slower scan.

# Default SYN scan (top 1000 ports)
sudo nmap -sS 10.10.10.1

# Scan ALL 65535 ports
sudo nmap -sS -p- 10.10.10.1

# Fast scan: force Nmap to send at least 5000 packets per second
sudo nmap -sS -p- --min-rate 5000 10.10.10.1

# Scan specific ports
sudo nmap -sS -p 22,80,443,8080,8443 10.10.10.1
💡
Port States: Nmap reports a port as open (a service accepted the probe), closed (the host answered with a RST or ICMP port-unreachable, so it is reachable but nothing is listening), or filtered (no answer, or an ICMP admin-prohibited message, so a firewall is probably dropping the probe). Three further states appear in specific scans: unfiltered (ACK scan only: reachable, but open or closed is unknown), open|filtered (UDP and some stealth scans, where no response is ambiguous) and closed|filtered (idle scan).

Step 3 — Service & Version Detection

Knowing a port is open is just the start. The -sV flag sends protocol-specific probes to each open port and matches the banners and responses against Nmap's service database to determine the service name and, where it can, the product and version. That version string is what you search vulnerability databases with, so read it carefully: a distribution backport such as "OpenSSH 7.9p1 Debian 10+deb10u2" may already carry fixes that the upstream version number alone does not reveal.


Version detection scan

# Service version detection
sudo nmap -sV 10.10.10.1

# Increase detection intensity (0-9, default 7)
sudo nmap -sV --version-intensity 9 10.10.10.1

Example output:

PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp   open  http     Apache httpd 2.4.38 ((Debian))
443/tcp  open  ssl/http Apache httpd 2.4.38
3306/tcp open  mysql    MySQL 5.7.32-0ubuntu0.18.04.1
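Steps 2 and 3 are usually chained: a fast all-port SYN sweep first, then -sC -sV only on the ports that came back open, so the slow version probes are not wasted on 65,000 closed ports. The script below is an added example for this lab, not code from the Nmap project. It uses the -oG (grepable) and -oX (XML) output flags covered in Step 8, assumes nmap is on PATH and that it is run as root (for -sS), and the sample grepable output embedded in it is constructed, not a real scan. The parser keeps only ports in state open, so the filtered port in the sample is skipped.

```python
"""Two-phase Nmap workflow: fast all-port SYN sweep, then -sC -sV on only the
ports found open. Added example for this lab, not part of Nmap.
Assumes: nmap on PATH and root privileges; target/path names are illustrative."""
import re
import subprocess
import sys

# Grepable (-oG) port entries look like: 22/open/tcp//ssh///
GNMAP_PORT = re.compile(r"(\d+)/([a-z|]+)/(tcp|udp)/")

# Constructed sample of `nmap -sS -p- -oG -` output (not a real scan), used to
# exercise the parser offline; note the filtered port, which must be skipped.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -sS -p- --min-rate 5000 -oG - 10.10.10.1\n"
    "Host: 10.10.10.1 ()\tStatus: Up\n"
    "Host: 10.10.10.1 ()\tPorts: 22/open/tcp//ssh///, 53/filtered/tcp//domain///, "
    "80/open/tcp//http///, 443/open/tcp//ssl|https///, 3306/open/tcp//mysql///"
    "\tIgnored State: closed (65530)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned in 12.00 seconds\n"
)


def parse_gnmap_open_ports(text):
    """Return {host: [(port, proto), ...]} for ports in state 'open' only."""
    result = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # Fields are tab-separated; the Ports field ends at the next tab.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto in GNMAP_PORT.findall(ports_field):
            if state == "open":
                result.setdefault(host, []).append((int(port), proto))
    return result


def build_phase1_cmd(target):
    """All 65535 TCP ports, SYN scan, grepable output to stdout ('-oG -')."""
    return ["nmap", "-sS", "-p-", "--min-rate", "5000", "-oG", "-", target]


def build_phase2_cmd(target, ports, xml_out):
    """Version + default-script scan restricted to the given TCP ports."""
    spec = ",".join(str(p) for p in sorted(set(ports)))
    return ["nmap", "-sS", "-sV", "-sC", "-p", spec, "-oX", xml_out, target]


def two_phase_scan(target, xml_out="phase2.xml"):
    """Run both phases; returns the open ports found in phase 1."""
    phase1 = subprocess.run(build_phase1_cmd(target), check=True,
                            capture_output=True, text=True)
    open_ports = parse_gnmap_open_ports(phase1.stdout)
    tcp_ports = sorted({p for entries in open_ports.values()
                        for p, proto in entries if proto == "tcp"})
    if tcp_ports:
        subprocess.run(build_phase2_cmd(target, tcp_ports, xml_out), check=True)
    return open_ports


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: sudo python3 two_phase.py <target>")
    print(two_phase_scan(sys.argv[1]))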

Step 4 — OS Detection

Nmap fingerprints the operating system by sending a series of TCP, UDP and ICMP probes and comparing details of the responses (TCP options and their order, window sizes, initial sequence number behaviour, IP ID patterns and similar) against its nmap-os-db. It needs at least one open and one closed TCP port on the target to produce a confident match, and it must run as root.


OS Fingerprinting

# OS detection (requires root)
sudo nmap -O 10.10.10.1

# Combined: version + OS + default scripts
sudo nmap -sC -sV -O 10.10.10.1

Example output (OS section):

Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop

Step 5 — UDP Scanning

Many critical services run over UDP: DNS (53), SNMP (161), DHCP (67/68), NTP (123), TFTP (69), IKE (500). TCP-only scans miss them entirely. UDP scanning is slow for two reasons: there is no handshake, so an open port that ignores an empty probe looks the same as a filtered one (Nmap reports open|filtered), and closed ports are identified by ICMP port-unreachable replies that Linux rate-limits to about one per second. Pair -sU with -sV so Nmap sends protocol-specific payloads that draw real answers out of open ports, and limit the scan to the ports you care about. UDP scans require root.


UDP Scan

# Top 100 UDP ports (much faster)
sudo nmap -sU --top-ports 100 10.10.10.1

# Specific UDP services to check
sudo nmap -sU -p 53,67,68,69,123,161,162,500 10.10.10.1

# Combined TCP + UDP scan
sudo nmap -sS -sU -p T:1-1000,U:53,161 10.10.10.1

Step 6 — NSE Scripts

The Nmap Scripting Engine (NSE) extends Nmap with Lua scripts (several hundred ship with it) for vulnerability detection, service enumeration, authentication testing, brute forcing and more. On most Linux installs they live in /usr/share/nmap/scripts/, with script.db indexing them by category.


Run NSE scripts

# Run default scripts (-sC is shorthand for --script=default)
sudo nmap -sC 10.10.10.1

# Run a specific script
sudo nmap --script http-title 10.10.10.1

# Run all scripts matching a pattern
sudo nmap --script "http-*" 10.10.10.1

# Check for SMB vulnerabilities (MS17-010 / EternalBlue)
sudo nmap --script smb-vuln-ms17-010 -p 445 10.10.10.1

# Enumerate SSH host keys and algorithms
sudo nmap --script ssh-hostkey,ssh2-enum-algos -p 22 10.10.10.1

# HTTP enumeration scripts
sudo nmap --script http-enum,http-headers,http-methods -p 80,443 10.10.10.1
💡
Script categories: auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, vuln. Run all vuln scripts with --script vuln. Scripts in the intrusive, dos, exploit and brute categories can crash services or lock out accounts; on production systems stick to --script safe (and the default set) unless the engagement explicitly allows more. Scripts in the external category (whois-* and similar) send information about the target to third-party services.

Step 7 — The Aggressive Scan

The -A flag turns on OS detection (-O), version detection (-sV), default script scanning (-sC) and traceroute (--traceroute) in one command. It's noisy but thorough, ideal for CTFs or authorised engagements where stealth is not a concern. It needs root for the OS detection and traceroute parts.


Full aggressive enumeration

# The classic "everything" scan
sudo nmap -A 10.10.10.1

# Combine with all-ports for maximum coverage
sudo nmap -A -p- --min-rate 5000 10.10.10.1

# Timing templates: T0 (slowest) to T5 (fastest/noisiest)
sudo nmap -A -T4 10.10.10.1

Step 8 — Output & Reporting

Good pentesters always save their scan results. Nmap supports several output formats; -oA writes all three at once, giving you a human-readable .nmap file, a grepable .gnmap file for quick shell filtering, and an XML .xml file that tools such as Metasploit (db_import) and most reporting scripts consume.


Save scan output

# Save as all formats simultaneously (recommended)
sudo nmap -sC -sV -oA scan_results 10.10.10.1
# Creates: scan_results.nmap, scan_results.xml, scan_results.gnmap

# Normal text output
sudo nmap -sV -oN output.txt 10.10.10.1

# XML (importable into Metasploit)
sudo nmap -sV -oX output.xml 10.10.10.1

# Grep-able format
sudo nmap -sV -oG output.gnmap 10.10.10.1

# List open ports from grepable output (each entry is port/state/proto/...)
grep "/open/" output.gnmap
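The XML file is the one to build reports from, because it carries the service, version, OS and NSE script data as structured attributes rather than free text. The script below is an added example for this lab, not part of Nmap or Metasploit; it parses -oX output into per-port findings, keeps only open ports, and renders a fixed-width table and JSON. The embedded sample XML is constructed to mirror the version, OS and script output shown in Steps 3, 4 and 6 and is not a real scan.

```python
"""Turn Nmap XML (-oX) into structured findings for a report.
Added example for this lab; not part of Nmap. SAMPLE_XML is constructed."""
import json
import sys
import xml.etree.ElementTree as ET

# Constructed sample (not a real scan): two open ports with NSE script output,
# one closed port, and an OS match.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sC -sV -O -oX - 10.10.10.1" version="7.94">
<host><status state="up" reason="arp-response"/>
<address addr="10.10.10.1" addrtype="ipv4"/>
<address addr="AA:BB:CC:DD:EE:FF" addrtype="mac"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="7.9p1 Debian 10+deb10u2"
 extrainfo="protocol 2.0" method="probed" conf="10"/>
<script id="ssh-hostkey" output="2048 aa:bb:cc:dd (RSA)"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.4.38" extrainfo="(Debian)"
 method="probed" conf="10"/>
<script id="http-title" output="Lab Portal"/></port>
<port protocol="tcp" portid="3306"><state state="closed" reason="reset"/>
<service name="mysql" method="table" conf="3"/></port>
</ports>
<os><osmatch name="Linux 4.15 - 5.6" accuracy="95"/></os>
</host>
<runstats><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """One dict per <port>: host, port, proto, state, service, version,
    OS guess, and any NSE script output attached to that port."""
    # Scans you ran yourself are trusted input; for XML from third parties
    # prefer defusedxml to avoid entity-expansion tricks.
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")
        osmatch = host.find("os/osmatch")
        os_name = osmatch.get("name") if osmatch is not None else ""
        for port in host.iter("port"):
            svc = port.find("service")
            version = ""
            if svc is not None:
                # Mirrors Nmap's normal output: "product version (extrainfo)"
                version = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
                if svc.get("extrainfo"):
                    version = "%s (%s)" % (version, svc.get("extrainfo"))
            findings.append({
                "host": addr_el.get("addr") if addr_el is not None else "",
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": port.find("state").get("state"),
                "service": svc.get("name", "") if svc is not None else "",
                "version": version,
                "os": os_name,
                "scripts": {s.get("id"): s.get("output") for s in port.findall("script")},
            })
    return findings


def open_findings(findings):
    """Only ports that actually answered: state open (not closed/filtered)."""
    return [f for f in findings if f["state"] == "open"]


def report_lines(findings):
    """Fixed-width lines suitable for pasting into a report."""
    lines = ["HOST            PORT       SERVICE    VERSION"]
    for f in open_findings(findings):
        lines.append("%-15s %-10s %-10s %s" % (
            f["host"], "%d/%s" % (f["port"], f["proto"]), f["service"], f["version"]))
    return lines


def to_json(findings):
    """Open ports only, as JSON for downstream tooling."""
    return json.dumps(open_findings(findings), indent=2)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    print("\n".join(report_lines(parse_nmap_xml(text))))
```

Run it as `python3 nmap_report.py scan_results.xml` against the file produced by -oA or -oX; with no argument it processes the constructed sample.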

📋 Nmap Cheat Sheet

Flag         Description                          Example
-sn          Ping scan (no port scan)             nmap -sn 192.168.1.0/24
-sS          TCP SYN (stealth) scan               sudo nmap -sS target
-sT          TCP connect scan (no root)           nmap -sT target
-sU          UDP scan                             sudo nmap -sU target
-sV          Service/version detection            nmap -sV target
-sC          Default NSE scripts                  nmap -sC target
-O           OS fingerprinting                    sudo nmap -O target
-A           Aggressive (OS+Ver+Script+Trace)     sudo nmap -A target
-p-          All 65535 ports                      nmap -p- target
-p 80,443    Specific ports                       nmap -p 80,443 target
-T4          Timing template (0-5)                nmap -T4 target
-oA          Output all formats                   nmap -oA out target
--script     Run NSE script(s)                    nmap --script vuln target
-v / -vv     Verbose output                       nmap -v target
--min-rate   Minimum packet rate                  nmap --min-rate 5000 target
✅
Lab Complete! You now know how to use Nmap for full network reconnaissance. Next, take these results and feed them into Metasploit to start looking for exploits.