Configuration drift and shadow IT create silent vulnerabilities. Regular internal scanning with Nmap allows security teams to verify that segmentation ACLs are working, unauthorized services are offline, and patch levels are consistent.
The most critical internal scan is across trust boundaries. Scanning from the User VLAN to the Server VLAN verifies that inter-VLAN ACLs are actually blocking unauthorized ports (like SMB or RDP) as designed.
💡 Pro-tip: Use Nmap's --reason flag to see exactly why a port is reported as closed or filtered. This helps differentiate between a host firewall dropping the packet and a network ACL blocking it.
The 'filtered' state and 'no-response' reason confirm that a network device (the inter-VLAN firewall) is actively dropping the probes, verifying the segmentation is effective.
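The trust-boundary check above, automated as an added example that is not part of the original lesson: it parses Nmap XML output (saved with -oX from a scan limited to the policy ports) and turns each port's state and reason into an audit verdict. The sample XML, the addresses, the MUST_BLOCK policy and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML (-oX) output; addresses and results are invented.
SAMPLE_XML = """<nmaprun>
<host><address addr="10.0.20.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/></port>
<port protocol="tcp" portid="3389"><state state="filtered" reason="no-response"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/></port>
</ports></host>
<host><address addr="10.0.20.9" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/></port>
<port protocol="tcp" portid="3389"><state state="closed" reason="reset"/></port>
</ports></host>
</nmaprun>"""

# Ports the inter-VLAN ACL is supposed to block (assumed policy: SMB and RDP).
MUST_BLOCK = {445, 3389}

def classify(state, reason):
    """Map an Nmap port state to an audit verdict (reason is kept for the report)."""
    if state == "open":
        return "VIOLATION"   # handshake answered: the ACL let the probe through
    if state == "filtered":
        return "BLOCKED"     # probe dropped (no-response) or rejected via ICMP
    # Anything else (closed, unfiltered, open|filtered): for closed/reset an RST
    # came back, so confirm whether the target host or a rejecting firewall sent it.
    return "REVIEW"

def audit_segmentation(xml_text, must_block=MUST_BLOCK):
    """Return (host, port, state, reason, verdict) for every policy port scanned."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            portid = int(port.get("portid"))
            if portid not in must_block:
                continue     # port is not covered by the block policy
            st = port.find("state")
            state, reason = st.get("state"), st.get("reason")
            findings.append((addr, portid, state, reason, classify(state, reason)))
    return findings

if __name__ == "__main__":
    for f in audit_segmentation(SAMPLE_XML):
        print("{:<12} {:>5}/tcp {:<9} {:<12} {}".format(*f))
```

On wide port ranges Nmap collapses large groups of same-state ports into an extraports element, so restrict the scan to the policy ports if every one of them must appear in the report.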
Use -sV to identify outdated, vulnerable versions of internal services (e.g., Apache 2.2, SMBv1). Use -O to map operating systems, ensuring that legacy, unsupported OS versions are identified and scheduled for decommissioning.
⚠️ Never run aggressive internal scans during business hours without coordination. Nmap's SYN scans and OS detection can crash fragile legacy IoT devices, medical equipment, or industrial printers.
| Flag | Function | Audit Goal |
|---|---|---|
| -sS | SYN Scan | Verify ACLs / Open ports |
| -sV | Version Detection | Find unpatched software |
| -O | OS Detection | Identify legacy / EOL systems |