Now that we have mapped the target's DNS infrastructure and identified live hosts, the next step in our active reconnaissance workflow is port scanning. Port scanning reveals which network ports are open on a target host, essentially showing us which doors and windows are unlocked. Nmap (Network Mapper) is the industry-standard tool for this task, and mastering it is non-negotiable for any aspiring penetration tester.
Network services communicate over ports, numbered endpoints ranging from 0 to 65535. Ports 0 to 1023 (the first 1024) are the well-known ports assigned to common services. Two transport protocols carry port-based traffic: TCP (connection-oriented, reliable) and UDP (connectionless, fast). A port can be in one of three states:
| Port | Protocol | Service | Common Use |
|---|---|---|---|
| 21 | TCP | FTP | File transfers (often misconfigured for anonymous access) |
| 22 | TCP | SSH | Secure remote administration |
| 23 | TCP | Telnet | Unencrypted remote access (rarely used today) |
| 25 | TCP | SMTP | Email sending |
| 53 | TCP/UDP | DNS | Domain name resolution |
| 80 | TCP | HTTP | Web traffic (unencrypted) |
| 110 | TCP | POP3 | Email retrieval |
| 135 | TCP | MS-RPC | Windows RPC endpoint mapper |
| 139 | TCP | NetBIOS | Windows file sharing over NetBIOS |
| 443 | TCP | HTTPS | Web traffic (encrypted) |
| 445 | TCP | SMB | Windows file and printer sharing |
| 3306 | TCP | MySQL | MySQL database server |
| 3389 | TCP | RDP | Remote Desktop Protocol |
| 8080 | TCP | HTTP-Proxy | Alternative web server / proxy port |
Nmap supports multiple scan types, each with different characteristics regarding speed, stealth, and reliability. Understanding when to use each type is crucial.
| Scan Type | Flag | Description | Use Case |
|---|---|---|---|
| TCP SYN (Stealth) | -sS | Sends SYN, receives SYN-ACK, sends RST (never completes the handshake) | Fast and stealthy; the default for privileged scans |
| TCP Connect | -sT | Completes the full TCP three-way handshake | When a SYN scan is not available (unprivileged) |
| UDP Scan | -sU | Sends UDP packets and analyzes ICMP responses | Discovering DNS, SNMP, DHCP, TFTP services |
| ACK Scan | -sA | Sends ACK packets to determine firewall rules | Mapping firewall rulesets, not finding open ports |
| FIN Scan | -sF | Sends lone FIN packets, exploiting RFC-specified TCP behavior | Bypassing stateless firewalls that only filter SYN |
| NULL Scan | -sN | Sends packets with no flags set | Another stealth technique for bypassing firewalls |
| XMAS Scan | -sX | Sends packets with the FIN, PSH and URG flags lit | Stealth scanning; named because the packet is 'lit up like a Christmas tree' |
💡 SYN scans (-sS) require root/administrator privileges because they craft raw packets. If you run Nmap as a regular user, it defaults to a TCP Connect scan (-sT), which is slower and more detectable.
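The flag combinations in the table are also what a defender sees on the wire. The following Python script is an added example, not part of the lab material: it classifies packets from a constructed packet log by their TCP flags, reports NULL/FIN/XMAS probes (flag sets that never begin a legitimate connection) and flags sources whose bare SYNs fan out across many ports, which is what a SYN or Connect scan looks like from the target's side. The record format, addresses and threshold are assumptions made for the example.

```python
"""Added defender-side example: recognising Nmap scan types from TCP flag
patterns in a constructed packet log. Not part of the original lab material."""
from collections import defaultdict

# Each record is (src_ip, dst_ip, dst_port, tcp_flags), with flags written as
# single letters: S=SYN, A=ACK, F=FIN, P=PSH, U=URG, R=RST. Constructed sample.
SAMPLE_PACKETS = [
    # 10.0.0.5 fans bare SYNs out across many ports: SYN/Connect scan pattern
    ("10.0.0.5", "10.0.0.20", 21, "S"),
    ("10.0.0.20", "10.0.0.5", 21, "SA"),   # server reply, not a probe
    ("10.0.0.5", "10.0.0.20", 21, "R"),    # scanner tears down without completing
    ("10.0.0.5", "10.0.0.20", 22, "S"),
    ("10.0.0.5", "10.0.0.20", 80, "S"),
    ("10.0.0.5", "10.0.0.20", 139, "S"),
    ("10.0.0.5", "10.0.0.20", 443, "S"),
    ("10.0.0.5", "10.0.0.20", 445, "S"),
    ("10.0.0.5", "10.0.0.20", 3306, "S"),
    ("10.0.0.5", "10.0.0.20", 8080, "S"),
    # 10.0.0.7 sends flag combinations that never start a legitimate connection
    ("10.0.0.7", "10.0.0.20", 80, ""),     # no flags: NULL scan
    ("10.0.0.7", "10.0.0.20", 443, "F"),   # FIN only: FIN scan
    ("10.0.0.7", "10.0.0.20", 22, "FPU"),  # FIN+PSH+URG: XMAS scan
    # 10.0.0.9 is an ordinary HTTPS client completing a handshake on one port
    ("10.0.0.9", "10.0.0.20", 443, "S"),
    ("10.0.0.20", "10.0.0.9", 443, "SA"),
    ("10.0.0.9", "10.0.0.20", 443, "A"),
    ("10.0.0.9", "10.0.0.20", 443, "PA"),
    ("10.0.0.9", "10.0.0.20", 443, "FA"),  # a normal close carries ACK with FIN
]

# Flag sets that match the stealth scan types from the table above.
STEALTH_SIGNATURES = {
    frozenset(): "NULL scan (-sN)",
    frozenset("F"): "FIN scan (-sF)",
    frozenset("FPU"): "XMAS scan (-sX)",
}


def classify_flags(flags):
    """Map a TCP flag string to a stealth-scan label, 'syn' for a bare SYN,
    or None for anything that can occur in ordinary traffic."""
    fs = frozenset(flags)
    if fs in STEALTH_SIGNATURES:
        return STEALTH_SIGNATURES[fs]
    if fs == frozenset("S"):
        return "syn"
    return None


def flag_anomalies(packets):
    """Packets whose flag combination is only ever produced by a stealth scan."""
    return [(src, dst, port, label) for src, dst, port, flags in packets
            if (label := classify_flags(flags)) not in (None, "syn")]


def syn_fanout(packets, threshold=5):
    """(src, dst) pairs whose bare SYNs hit more than `threshold` distinct ports.
    A single SYN is normal; a client has no reason to open dozens of ports."""
    ports = defaultdict(set)
    for src, dst, port, flags in packets:
        if classify_flags(flags) == "syn":
            ports[(src, dst)].add(port)
    return {pair: sorted(p) for pair, p in ports.items() if len(p) > threshold}


if __name__ == "__main__":
    for src, dst, port, label in flag_anomalies(SAMPLE_PACKETS):
        print(f"{src} -> {dst}:{port}  {label}")
    for (src, dst), hit in syn_fanout(SAMPLE_PACKETS).items():
        print(f"{src} -> {dst} bare SYNs to {len(hit)} ports: {hit}")
```

Only the NULL, FIN and XMAS combinations are reported per packet, because a lone FIN or an empty flag set has no place in a real connection; a bare SYN is reported only once the same source has touched more distinct ports on one host than the threshold allows, which is the property that distinguishes a scan from a client. The threshold of five is an assumption for the sample; on a real sensor it is tuned to the network.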
Let us start with a basic SYN scan against a single target. This is the most common starting point in any penetration test.
This scan probed all 65535 TCP ports and found 7 open ports. The target is running FTP, SSH, two web services, Windows file sharing, and a MySQL database. Each of these is a potential attack surface.
In real engagements, you will rarely scan a single host. Nmap supports various target specifications.
The --top-ports 100 flag tells Nmap to scan only the 100 most common ports, which dramatically reduces scan time while still catching the majority of services. This is ideal for initial sweeps of large networks.
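Nmap's target specifications (CIDR blocks, per-octet ranges and lists, plain hosts) can expand to far more addresses than intended, so it is worth knowing exactly which hosts a specification covers before a sweep starts. The script below is an added example, not Nmap's own code: it expands specifications the way Nmap does, de-duplicates them, and checks the expanded list against an authorised scope list. All addresses and the scope network are constructed sample values.

```python
"""Added example (not part of the lab): expanding Nmap-style target
specifications and checking the result against an authorised scope list.
All addresses below are constructed sample values."""
import ipaddress
import itertools


def _octet_values(part):
    """Expand one dotted-quad component: '5' -> [5], '1-3,7' -> [1, 2, 3, 7],
    '-' -> 0..255 (the same shorthand Nmap accepts)."""
    values = []
    for piece in part.split(","):
        if piece == "-":
            values.extend(range(256))
        elif "-" in piece:
            lo, hi = piece.split("-", 1)
            values.extend(range(int(lo) if lo else 0, (int(hi) if hi else 255) + 1))
        else:
            values.append(int(piece))
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError(f"octet out of range in {part!r}")
    return values


def expand_target(spec):
    """Return every IPv4 address covered by one target spec: CIDR notation
    (10.0.0.0/30), per-octet ranges and lists (192.168.0-1.1-3), or a single
    host. Like Nmap, CIDR expansion keeps the network and broadcast addresses."""
    if "/" in spec:
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"unsupported target spec {spec!r}")
    return [".".join(map(str, combo))
            for combo in itertools.product(*(_octet_values(o) for o in octets))]


def expand_targets(specs):
    """Expand a list of specs in order, dropping duplicates."""
    seen, hosts = set(), []
    for spec in specs:
        for host in expand_target(spec):
            if host not in seen:
                seen.add(host)
                hosts.append(host)
    return hosts


def out_of_scope(hosts, allowed_cidrs):
    """Hosts that fall outside every authorised network. Run this before a
    sweep: a typo in a range silently widens the scan far beyond the scope."""
    allowed = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    return [h for h in hosts
            if not any(ipaddress.ip_address(h) in net for net in allowed)]


if __name__ == "__main__":
    targets = expand_targets(["192.168.1.0/28", "192.168.1.20-22", "192.168.2.9"])
    print(len(targets), "hosts, e.g.", targets[:3], "...")
    print("outside 192.168.1.0/24:", out_of_scope(targets, ["192.168.1.0/24"]))
```

The expansion goes slightly beyond the CIDR form shown in the text: it also handles Nmap's per-octet ranges and comma lists, and a bare "-" in an octet. The scope check is the part worth keeping in any scanning wrapper; it costs nothing and catches the one-character mistakes that turn a /28 into a /8.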
Nmap offers six timing templates that control scan speed and stealth. Choosing the right template depends on your network conditions and detection avoidance requirements.
| Template | Flag | Speed | Use Case |
|---|---|---|---|
| Paranoid | -T0 | Very slow (one probe every 5 minutes) | IDS evasion on monitored networks |
| Sneaky | -T1 | Slow (15 seconds between probes) | Avoiding rate-based detection |
| Polite | -T2 | Moderate (0.4s between probes) | Minimizing network impact |
| Normal | -T3 | Default (adaptive timing) | General-purpose scanning |
| Aggressive | -T4 | Fast (parallel probes) | Fast networks, CTF environments |
| Insane | -T5 | Very fast (minimal delays) | Extremely fast LANs, time-critical scans |
⚠️ Aggressive timing templates (-T4, -T5) can overwhelm slow networks or trigger intrusion detection systems. In production environments, start with -T2 or -T3 and only increase speed if the network can handle it.
Professional penetration testers always save their scan results in multiple formats for reporting and later analysis.
The -oA flag creates three files: scan_results.nmap (human-readable), scan_results.xml (machine-parseable), and scan_results.gnmap (grepable). The XML format is especially important because it can be imported into tools like Metasploit and reporting platforms.
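To show what "machine-parseable" and "grepable" mean in practice, the following Python script is an added example (not Nmap's code and not part of the lab): it reads the XML and .gnmap files that -oA writes, reduces each to the open ports per host, and cross-checks that the two files agree. The two file contents are constructed to resemble a full-port scan of one host with the seven open services described above plus one filtered port; they are sample data, not real scan output, and the host address is an assumption.

```python
"""Added example (not part of the lab): reading Nmap's -oA output files.
Both the XML (.xml) and grepable (.gnmap) samples below are constructed to
look like the output of a full-port SYN scan of one host; they are not real
scan results."""
import xml.etree.ElementTree as ET

# Constructed .xml content, shaped like nmap -oX output (attributes trimmed).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sS -p- -oA scan_results 10.0.0.20">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/><service name="ftp"/></port>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="23"><state state="filtered" reason="no-response"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="139"><state state="open" reason="syn-ack"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/><service name="mysql"/></port>
      <port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/><service name="http-proxy"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed .gnmap content: one tab-separated line per host, with each port
# written as port/state/protocol/owner/service/rpc-info/version/.
SAMPLE_GNMAP = (
    "# Nmap scan initiated (constructed sample) as: nmap -sS -p- -oA scan_results 10.0.0.20\n"
    "Host: 10.0.0.20 ()\tStatus: Up\n"
    "Host: 10.0.0.20 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, "
    "23/filtered/tcp//telnet///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds///, 3306/open/tcp//mysql///, 8080/open/tcp//http-proxy///"
    "\tIgnored State: closed (65527 ports)\n"
    "# Nmap done (constructed sample) -- 1 IP address (1 host up) scanned\n"
)


def parse_nmap_xml(xml_text):
    """Return {address: [(port, protocol, state, service), ...]} per host.
    The stdlib parser is fine for files you generated yourself; parse XML from
    an untrusted source with defusedxml instead."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = next(a.get("addr") for a in host.findall("address")
                    if a.get("addrtype") == "ipv4")
        entries = []
        for port in host.iter("port"):
            service = port.find("service")
            entries.append((int(port.get("portid")), port.get("protocol"),
                            port.find("state").get("state"),
                            service.get("name", "") if service is not None else ""))
        hosts[addr] = entries
    return hosts


def parse_gnmap(text):
    """Same structure as parse_nmap_xml, read from the grepable format."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue                         # comments and Status-only lines
        fields = dict(f.split(": ", 1) for f in line.split("\t"))
        addr = fields["Host"].split(" ", 1)[0]
        entries = []
        for item in fields["Ports"].split(", "):
            parts = item.split("/")          # port, state, proto, owner, service, ...
            entries.append((int(parts[0]), parts[2], parts[1], parts[4]))
        hosts[addr] = entries
    return hosts


def open_ports(hosts):
    """Reduce either parse result to {address: sorted open port numbers}."""
    return {addr: sorted(p for p, _, state, _ in entries if state == "open")
            for addr, entries in hosts.items()}


def formats_agree(xml_text, gnmap_text):
    """Cross-check: the two files of one -oA run must list the same open ports."""
    return open_ports(parse_nmap_xml(xml_text)) == open_ports(parse_gnmap(gnmap_text))


if __name__ == "__main__":
    for addr, ports in open_ports(parse_nmap_xml(SAMPLE_XML)).items():
        print(f"{addr}: {len(ports)} open ports -> {ports}")
    print("xml and gnmap agree:", formats_agree(SAMPLE_XML, SAMPLE_GNMAP))
```

The XML parser walks the host/ports/port/state/service hierarchy that Nmap emits, which is the same structure other tools import; the .gnmap parser relies on the single-line-per-host layout that makes grep and awk useful during an engagement. Keeping both readers producing the same tuple shape lets later stages (reporting, diffing two scans) consume either file.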