Vulnarex | Elite Cybersecurity Learning Platform

#Network Scanning and Enumeration with Nmap#link

This is the capstone lesson of our course, where we bring together everything you have learned — the OSI model, TCP/IP, port concepts, and packet analysis — into one powerful, practical skill: network scanning with Nmap. Nmap (Network Mapper) is the most important tool in any penetration tester's toolkit. It is used for host discovery, port scanning, service detection, OS fingerprinting, and scripting. By the end of this lesson, you will be able to conduct a full network reconnaissance engagement.

Host Discovery — Finding Live Targets

Before you can scan ports, you need to know which hosts are alive. Nmap offers several host discovery techniques, each with different strengths and stealth characteristics.

Nmap Host Discovery Techniques

root@vulnarex:~## Ping sweep (ICMP echo + TCP SYN to port 443 + TCP ACK to port 80) nmap -sn 192.168.1.0/24 # TCP SYN ping (skip ICMP, good when ping is blocked) nmap -sn -PS22,80,443 192.168.1.0/24 # ARP discovery (most reliable on local networks) nmap -sn -PR 192.168.1.0/24 # UDP ping (can find hosts that block ICMP and TCP) nmap -sn -PU53,161 192.168.1.0/24

Port Scanning Techniques

Nmap supports multiple scan types, each exploiting different aspects of the TCP/IP stack. Choosing the right scan is a trade-off between speed, stealth, and reliability.

Scan Type	Flag	Description	Stealth Level
SYN Scan	-sS	Half-open scan. Sends SYN, reads response, never completes handshake. Default for root.	High — no full connection logged
TCP Connect	-sT	Completes full three-way handshake. Default for non-root users.	Low — full connection logged by target
UDP Scan	-sU	Sends UDP probes. Slow but finds DNS, SNMP, TFTP, etc.	Medium — UDP is stateless
FIN Scan	-sF	Sends FIN packet. Bypasses stateless firewalls that only block SYN.	High — unusual traffic pattern
XMAS Scan	-sX	Sends FIN+PSH+URG flags (like a Christmas tree). Stealthy.	High — easily detected by modern IDS
NULL Scan	-sN	Sends packet with no flags set. Stealthy bypass technique.	High — easily detected by modern IDS
ACK Scan	-sA	Sends ACK to map firewall rulesets, not find open ports.	N/A — used for firewall mapping
Idle Scan	-sI	Uses a zombie host to scan anonymously. Your IP never touches the target.	Very High — truly anonymous

Service and OS Detection

Once you find open ports, you need to know what services are running and what operating system the target uses. Nmap's service version detection and OS fingerprinting are incredibly powerful.

Comprehensive Nmap Scan

root@vulnarex:~#sudo nmap -sS -sV -O -A -p- --open -T4 -oA full_scan 192.168.1.20

info

💡 The -p- flag scans all 65,535 ports. Without it, Nmap only scans the top 1,000 most common ports. Many services run on non-standard ports, so a full scan is essential for thorough reconnaissance.

Nmap Scripting Engine (NSE)

Nmap's scripting engine is what transforms it from a scanner into a full reconnaissance and exploitation platform. NSE scripts can enumerate services, detect vulnerabilities, brute-force credentials, and even exploit weaknesses.

Using NSE Scripts

root@vulnarex:~## Scan for common vulnerabilities on a web server nmap --script vuln -p 80,443 192.168.1.20 # Enumerate SMB shares and users nmap --script smb-enum-shares,smb-enum-users -p 445 192.168.1.20 # Brute-force SSH (use responsibly!) nmap --script ssh-brute -p 22 192.168.1.20 # List all available scripts in a category nmap --script-help "default or safe"

Evasion Techniques

Modern networks have firewalls and intrusion detection systems. Nmap includes several options to evade these defenses:

▪-f — Fragment packets into 8-byte fragments to evade packet inspection
▪--mtu <size> — Set custom MTU for fragmentation
▪-D <decoys> — Send decoy scans from fake IPs to hide your real source
▪-S <ip> — Spoof source address (requires ability to see responses)
▪-e <interface> — Specify which network interface to use
▪--data-length <n> — Append random data to packets to evade signature detection
▪-T<0-5> — Timing template. T0=paranoid (IDS evasion), T5=insane (fastest)
▪--scan-delay <time> — Add delay between probes to evade rate-based detection

STRICT SECURE AUDIT RULE

⚠️ Evasion techniques should only be used during authorized penetration tests with explicit permission. Using decoys (-D) against unauthorized targets can cause innocent parties to receive abuse complaints. Spoofing source addresses (-S) is illegal in many jurisdictions.

Putting It All Together — A Recon Workflow

Here is a complete reconnaissance workflow that combines everything from this course into a professional engagement:

bash

# Step 1: Host Discovery
nmap -sn -PS22,80,443 -PA80,443 -PE -oA host_discovery 10.10.10.0/24

# Step 2: Quick port scan on discovered hosts
nmap -sS --top-ports 1000 -T4 --open -oA quick_scan 10.10.10.5

# Step 3: Full port scan on interesting hosts
nmap -sS -p- -T4 --open -oA full_ports 10.10.10.5

# Step 4: Service version detection on open ports
nmap -sV -sC -p 22,80,443,3306 -oA service_scan 10.10.10.5

# Step 5: OS detection and traceroute
nmap -O --traceroute -p 22,80,443 -oA os_scan 10.10.10.5

# Step 6: Vulnerability scanning with NSE
nmap --script vuln -p 22,80,443,3306 -oA vuln_scan 10.10.10.5

# Step 7: Capture traffic during scanning for analysis
sudo tcpdump -i eth0 -w scan_traffic.pcap host 10.10.10.5

callout

Congratulations! You have completed Networking Fundamentals for Hackers. You now understand the OSI model, TCP/IP protocols, IP addressing, DNS, ARP, packet analysis with Wireshark, and network scanning with Nmap. These skills form the foundation for every advanced topic in offensive security — from exploitation to post-exploitation to red teaming. Continue practicing in your lab, on CTF platforms, and through certification study (CEH, OSCP, PNPT) to build on this foundation.

challenge BLOCK (★ 100 XP)

Capstone Challenge: Full Network Reconnaissance

Select your proof vectors above