Network Scanning & Port Analysis Lab

Master reconnaissance techniques and Nmap scanning methodologies

Scanning Fundamentals

Network scanning is the systematic process of identifying active hosts, open ports, running services, and operating systems within a target network. It forms the foundation of penetration testing and security assessments.

Host Discovery

Purpose: Identify live systems on the network

Techniques:

  • Ping Sweep - ICMP echo requests
  • ARP Scan - Layer 2 discovery (local network)
  • TCP SYN Ping - SYN to common ports
  • UDP Ping - UDP packets to ports

Port Scanning

Purpose: Enumerate open ports and services

Port States:

  • Open - Application accepting connections
  • Closed - Port accessible but no service
  • Filtered - Firewall blocking access
  • Unfiltered - Accessible but state unknown

Service Detection

Purpose: Identify application versions

Methods:

  • Banner Grabbing - Read service banners
  • Version Detection - Probe responses analysis
  • NSE Scripts - Nmap Scripting Engine
  • Signature Matching - Pattern recognition

OS Fingerprinting

Purpose: Determine target operating system

Techniques:

  • Active - Send probes, analyze responses
  • Passive - Observe network traffic
  • TTL Analysis - Time-to-live values
  • TCP/IP Stack - Implementation details

CEH Exam Tip: Understand the difference between TCP connect scans (full handshake, logged) and SYN scans (stealth, half-open). SYN scans are the default in Nmap when it is run with privileges.

Port States Explained

OPEN

Application is actively accepting TCP/UDP connections

CLOSED

Port accessible but no application listening

FILTERED

Firewall/filter blocking probe packets

Nmap Command Builder

Base command that the options in the sections below are added to:

nmap -sS 192.168.1.1

Warning: Only scan networks and systems you own or have explicit permission to test. Unauthorized scanning may violate laws and policies.

TCP 3-Way Handshake Visualization

Understanding the TCP handshake is crucial for comprehending different scan types.

Normal Connection (Connect Scan -sT)

  • Scanner → Target: SYN
  • Target → Scanner: SYN/ACK
  • Scanner → Target: ACK

TCP Flags Explained


SYN (Synchronize)

Initiates connection. Sent by client to begin TCP handshake. Sequence number synchronization.

ACK (Acknowledge)

Acknowledges receipt of packets. Confirms sequence numbers. Present in all packets after initial SYN.

FIN (Finish)

Gracefully terminates connection. Sender has no more data. Used in FIN scans.

RST (Reset)

Abruptly terminates connection. Error condition or refused connection. Immediate closure.

PSH (Push)

Pushes buffered data to application. Don't wait for buffer to fill. Used in XMAS scans.

URG (Urgent)

Urgent data present. Process immediately. Rarely used. Part of XMAS scans.

TCP Scan Types Comparison

Each scan type with its flag pattern and main characteristic:

  • Connect Scan (-sT) - Full 3-way handshake; logged, detectable
  • SYN Scan (-sS) - Half-open scan; stealth, the default
  • FIN Scan (-sF) - Only the FIN flag set; firewall evasion
  • XMAS Scan (-sX) - FIN+PSH+URG flags; "lit up like a tree"
  • NULL Scan (-sN) - No flags set; bypasses some filters
  • ACK Scan (-sA) - Only the ACK flag; firewall detection

Scan Type Characteristics

Scan Type      Flags                  Open Response     Closed Response   Stealth Level      Use Case
Connect (-sT)  SYN → SYN/ACK → ACK    Full connection   RST               Low (logged)       No privileges needed
SYN (-sS)      SYN → SYN/ACK → RST    SYN/ACK           RST               High (half-open)   Default, fast
FIN (-sF)      FIN                    No response       RST               Very High          Firewall bypass
XMAS (-sX)     FIN+PSH+URG            No response       RST               Very High          IDS evasion
NULL (-sN)     None                   No response       RST               Very High          Filter detection
ACK (-sA)      ACK                    RST (unfiltered)  RST (unfiltered)  Medium             Firewall rules mapping

Important: FIN, XMAS, and NULL scans don't work against Windows systems (Windows does not follow RFC 793 here and replies with RST regardless of port state). These scans are most effective against Unix/Linux systems.
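As an added example that is not part of the original lab, the following Python encodes the flag patterns from the table above and uses them from the defender's side: it classifies probe packets by their flag set and reports a source that hits several ports with the same signature. The log format and all addresses are constructed for the example.

```python
"""Map TCP flag patterns to Nmap scan types and spot sources probing many ports."""
from collections import defaultdict

# Flag letters as a capture summary would show them: S=SYN, A=ACK, F=FIN,
# R=RST, P=PSH, U=URG. Each pattern is the "Flags" column of the table above.
SCAN_SIGNATURES = {
    frozenset("S"): "SYN/connect scan probe (-sS/-sT)",
    frozenset("F"): "FIN scan probe (-sF)",
    frozenset("FPU"): "XMAS scan probe (-sX)",
    frozenset(): "NULL scan probe (-sN)",
    frozenset("A"): "ACK scan probe (-sA)",
}

def classify_flags(flags):
    """Scan type whose probe carries exactly these flags; 'SA' or 'AP' (normal traffic) give None."""
    return SCAN_SIGNATURES.get(frozenset(flags))

# Constructed sample log (hypothetical format): src_ip dst_port flags ('-' = no flags).
SAMPLE_LOG = """\
10.0.0.9 22 S
10.0.0.9 80 S
10.0.0.9 443 S
10.0.0.42 80 FPU
10.0.0.42 22 FPU
10.0.0.42 25 FPU
10.0.0.42 110 FPU
10.0.0.7 443 AP
10.0.0.7 443 S
"""

def detect_scanners(log_text, min_ports=3):
    """Return {src: (scan_type, sorted_ports)} for sources hitting >= min_ports distinct
    ports with one signature. A lone SYN is an ordinary connection; the threshold separates a scan."""
    probes = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, port, flags = line.split()
        kind = classify_flags("" if flags == "-" else flags)
        if kind is not None:
            probes[src][kind].add(int(port))
    alerts = {}
    for src, by_kind in probes.items():
        for kind, ports in by_kind.items():
            if len(ports) >= min_ports:
                alerts[src] = (kind, sorted(ports))
    return alerts
```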

Common Ports Reference

Essential ports every penetration tester should know:

Well-Known Ports (0-1023)

  • 20/21 - FTP
  • 22 - SSH
  • 23 - Telnet
  • 25 - SMTP
  • 53 - DNS
  • 80 - HTTP
  • 110 - POP3
  • 143 - IMAP
  • 443 - HTTPS
  • 445 - SMB
  • 3389 - RDP
  • 3306 - MySQL

Database Ports

  • 1433 - MS SQL
  • 1521 - Oracle
  • 3306 - MySQL
  • 5432 - PostgreSQL
  • 27017 - MongoDB
  • 6379 - Redis

Web & Application Ports

  • 8080 - HTTP Alt
  • 8443 - HTTPS Alt
  • 8000 - HTTP Dev
  • 3000 - Node.js
  • 5000 - Flask
  • 9000 - PHP-FPM

Security & Admin Ports

  • 161/162 - SNMP
  • 389 - LDAP
  • 636 - LDAPS
  • 88 - Kerberos
  • 135 - RPC
  • 139 - NetBIOS

Pro Tip: Use --top-ports 1000 to scan the most common 1000 ports quickly, or -p- for a comprehensive scan of all 65535 ports.

Timing Templates & Optimization

Nmap provides timing templates to balance speed versus stealth and network load.

Template  Name        Speed           Use Case                                            Detection Risk
-T0       Paranoid    Extremely slow  IDS evasion, one port at a time, 5 min delays      Very Low
-T1       Sneaky      Very slow       IDS evasion, 15 second delays between probes        Low
-T2       Polite      Slow            Reduce network load, less bandwidth consumption     Medium-Low
-T3       Normal      Normal          Default timing, balanced approach                   Medium
-T4       Aggressive  Fast            Fast, reliable networks, assumes fast connection    Medium-High
-T5       Insane      Very fast       Very fast networks, sacrifices accuracy for speed   High

Performance Optimization Techniques

Port Specification

  • -p 80,443,8080 - Specific ports
  • -p 1-1024 - Port range
  • --top-ports 100 - Most common ports
  • -p- - All 65535 ports

Parallel Scanning

  • --min-hostgroup 256 - Scan hosts in parallel
  • --min-parallelism 100 - Probe parallelization
  • --max-parallelism 300 - Maximum probes

Timeout Control

  • --host-timeout 30m - Skip slow hosts
  • --max-rtt-timeout 100ms - Probe timeout
  • --min-rtt-timeout 50ms - Minimum wait

Rate Limiting

  • --max-rate 1000 - Max packets/sec
  • --min-rate 100 - Minimum rate
  • --scan-delay 10ms - Delay between probes

DNS Resolution Control

  • -n - Never resolve DNS (faster)
  • -R - Always resolve DNS
  • --dns-servers 8.8.8.8 - Custom DNS server

Performance vs. Accuracy: Aggressive timing (T4-T5) may miss hosts or ports on slow/congested networks. Use T2-T3 for more reliable results.

Nmap Command Cheat Sheet

Target Specification

nmap 192.168.1.1 - Scan single IP
nmap 192.168.1.1-20 - Scan IP range
nmap 192.168.1.0/24 - Scan subnet (CIDR)
nmap -iL targets.txt - Scan from file
nmap --exclude 192.168.1.1 - Exclude host

Host Discovery

nmap -sn 192.168.1.0/24 - Ping scan (no port scan)
nmap -Pn 192.168.1.1 - Skip ping (assume host up)
nmap -PS22,80,443 192.168.1.1 - TCP SYN ping on ports
nmap -PA80,443 192.168.1.1 - TCP ACK ping
nmap -PU 192.168.1.1 - UDP ping

Scan Techniques

nmap -sS 192.168.1.1 - SYN scan (stealth)
nmap -sT 192.168.1.1 - TCP connect scan
nmap -sU 192.168.1.1 - UDP scan
nmap -sA 192.168.1.1 - ACK scan (firewall detection)
nmap -sF 192.168.1.1 - FIN scan
nmap -sX 192.168.1.1 - XMAS scan
nmap -sN 192.168.1.1 - NULL scan

Service & Version Detection

nmap -sV 192.168.1.1 - Version detection
nmap -sV --version-intensity 5 - Version detection intensity (0-9)
nmap -O 192.168.1.1 - OS detection
nmap -A 192.168.1.1 - Aggressive (OS, version, scripts)

NSE Scripts

nmap -sC 192.168.1.1 - Default scripts
nmap --script vuln 192.168.1.1 - Vulnerability scripts
nmap --script http-* 192.168.1.1 - All HTTP scripts
nmap --script-help http-enum - Script help

Output Formats

nmap -oN output.txt - Normal output
nmap -oX output.xml - XML output
nmap -oG output.grep - Grepable output
nmap -oA output - All formats
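Added example, not part of the original lab: a Python parser for the XML report that -oX writes, run over a constructed sample report, that lists each host's port states and reports open ports missing from an allow-list baseline, the usual follow-up when you scan your own network to verify exposure. The sample host, ports and services are constructed.

```python
"""Parse Nmap XML (-oX) output and report open ports outside a per-host allow-list."""
import xml.etree.ElementTree as ET

# Constructed sample in the -oX format (not a real scan), reduced to the
# elements this parser reads: host/address, port/state and port/service.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX out.xml 192.168.1.10">
  <host>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/></port>
      <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/>
        <service name="mysql"/></port>
    </ports>
  </host>
</nmaprun>
"""

def parse_nmap_xml(xml_text):
    """Return {addr: [(port, proto, state, service_name), ...]} per scanned host."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        entries = []
        for port in host.iter("port"):
            state = port.find("state").get("state")  # open / closed / filtered ...
            svc = port.find("service")  # absent when no service was identified
            name = svc.get("name", "") if svc is not None else ""
            entries.append((int(port.get("portid")), port.get("protocol"), state, name))
        hosts[addr_el.get("addr")] = entries
    return hosts

def unexpected_open_ports(hosts, baseline):
    """Open TCP ports not listed in baseline {addr: {allowed_port, ...}};
    a host absent from the baseline is treated as having no allowed ports."""
    findings = {}
    for addr, entries in hosts.items():
        allowed = baseline.get(addr, set())
        extra = sorted(p for p, proto, state, _ in entries
                       if proto == "tcp" and state == "open" and p not in allowed)
        if extra:
            findings[addr] = extra
    return findings
```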

Firewall/IDS Evasion

nmap -f 192.168.1.1 - Fragment packets
nmap -D RND:10 192.168.1.1 - Decoy scan (10 decoys)
nmap -S 192.168.1.5 192.168.1.1 - Spoof source IP
nmap --source-port 53 - Spoof source port
nmap --data-length 25 - Append random data
nmap --badsum 192.168.1.1 - Bad checksum (firewall test)

Common Combinations

nmap -sS -sV -O -T4 192.168.1.1 - Fast comprehensive scan
nmap -p- -T4 -A -v 192.168.1.1 - Full aggressive scan
nmap -sU -sS --top-ports 20 -T4 - Quick TCP+UDP top ports
nmap -sS -sV --script=vuln -T4 - Vulnerability scan
