Network Scanning Laboratory

Nmap Mastery & Enumeration Techniques
Based on CEH v12 - Chapter 3: Scanning Networks

CRITICAL - Legal & Ethical Notice

Network scanning is ILLEGAL without explicit written authorization. Only scan networks and systems you own or have written permission to test. Unauthorized scanning violates the Computer Fraud and Abuse Act (CFAA) and similar laws worldwide. Use these techniques ONLY in authorized penetration tests, CTF competitions, or your own lab environments.

Golden Rule: If you don't own it and don't have written permission, don't scan it.


Introduction to Network Scanning

Network scanning is the second phase of the ethical hacking methodology taught in CEH (reconnaissance, scanning, gaining access, maintaining access, clearing tracks); in the Lockheed Martin Cyber Kill Chain it falls inside the first phase, reconnaissance. It involves actively probing target systems to discover live hosts, open ports, running services, and operating systems. This intelligence forms the foundation for exploitation planning.

The Three Pillars of Scanning

The lab is organised around three questions, one per section below: which hosts are alive (host discovery), which ports they expose (port scanning), and what software is listening there (service and version detection).

Key Insight: Nmap (Network Mapper) is the industry-standard tool for network scanning. Created by Gordon Lyon (Fyodor), it's used by security professionals, penetration testers, and system administrators worldwide. Understanding Nmap is essential for both offensive and defensive security.

1. Host Discovery

Before scanning ports, we need to identify which hosts are alive on the network. Host discovery uses various techniques to determine if a system is online.

Ping Sweep Techniques

ICMP Ping
TCP Ping
ARP Scan
Skip Discovery

ICMP Echo Request (Traditional Ping)

# Ping scan of an entire subnet (-sn = host discovery only, no port scan)
nmap -sn 192.168.1.0/24

# Same as the older -sP syntax
nmap -sP 192.168.1.0/24

Against a remote target, a privileged -sn does not send ICMP alone: it sends an ICMP Echo Request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request, while an unprivileged run falls back to TCP connects to ports 80 and 443. Use -PE to send only the ICMP echo. Many firewalls drop ICMP, so echo on its own may miss hosts that are online.

TCP SYN Ping (Stealth Discovery)

# TCP SYN ping to port 80
nmap -PS80 192.168.1.0/24

# TCP ACK ping to port 443
nmap -PA443 192.168.1.0/24

# Probe several ports at once
nmap -PS22,80,443,3389 192.168.1.0/24

Sends a TCP SYN (or, with -PA, a bare ACK) to the listed ports. It succeeds where ICMP fails because a firewall that exposes a service has to let TCP reach that port. Any TCP reply proves the host is alive: a SYN/ACK from an open port or a RST from a closed one; only silence leaves it unknown. -PS passes stateful firewalls that track connections, while -PA sometimes passes stateless filters that only block SYNs but is dropped by stateful ones. Both need raw-socket (root) privileges; without them Nmap falls back to a full connect() to the port.

ARP Scan (Local Network Only)

# ARP ping of the local subnet (most reliable on a LAN)
nmap -PR 192.168.1.0/24

# A privileged -sn against targets on the local Ethernet segment uses ARP automatically
nmap -sn 192.168.1.0/24

On the local Ethernet segment ARP is the most reliable method: every IP host has to answer ARP in order to communicate at all, and because ARP sits below IP it is not subject to IP-layer firewall rules. It cannot cross a router, so it only covers the segment you are on. Nmap switches to ARP automatically for local targets when run as root; --send-ip forces IP-level probes instead.

Skip Host Discovery (Treat All as Online)

# Skip host discovery and port-scan the address even if it looks down
nmap -Pn 192.168.1.100

# Useful when a firewall drops ping probes but services are running
nmap -Pn -p 80,443 target.com

Skips host discovery and proceeds directly to port scanning. Use it when you know a host is online but it does not answer any ping probe (heavy firewall filtering). Against a whole subnet, -Pn makes Nmap port-scan every address, dead ones included, so scans take far longer; reserve it for individual hosts you already know are up.

Detection Risk: Ping sweeps generate noticeable network traffic. Intrusion Detection Systems (IDS) can detect rapid ping probes across multiple IPs. Use timing controls (-T options) to reduce detection likelihood.

2. Port Scanning Techniques

Port scanning identifies which ports are open on a target system. Different scan types offer trade-offs between speed, stealth, and reliability.

TCP Connect Scan (-sT)

nmap -sT 192.168.1.100

Stealth: Low
Speed: Slow
Requires Root: No

Completes the full TCP three-way handshake through the operating system's connect() call, so the target's service actually accepts the connection and usually logs it. The noisiest TCP scan type, but the only one available without root (raw socket) privileges.
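The following added example (not code from the lab page or from the Nmap project) implements the connect() probe that -sT is built on and classifies each result into Nmap's open, closed and filtered states; it also applies the host-discovery rule from the TCP ping section above, where a RST from a closed port still proves the host is alive. It scans only 127.0.0.1 against a throwaway listener it opens itself, so it runs offline; the listener, the "closed" port and the one-second timeout are assumptions of the demo.

```python
"""A minimal connect() scanner: the probe behind `nmap -sT`, classified into
Nmap's open / closed / filtered states.

Added example, not from the lab page or the Nmap project. The target is a
listener this script opens on 127.0.0.1 (an assumption so the demo runs
offline); point classify() at a real, authorized host to use it for real.
"""
import errno
import socket


def classify(host: str, port: int, timeout: float = 1.0) -> str:
    """Return the Nmap-style state of host:port as a connect() scan sees it.

    open     - the three-way handshake completed; the service accept()s it and
               normally logs it, which is why -sT is the noisiest TCP scan
    closed   - the peer answered the SYN with RST (ECONNREFUSED)
    filtered - nothing came back before the timeout, or an ICMP unreachable
               arrived: something between us and the port dropped the probe
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        rc = sock.connect_ex((host, port))   # 0 on success, else an errno
    if rc == 0:
        return "open"
    if rc == errno.ECONNREFUSED:
        return "closed"
    return "filtered"   # EAGAIN (timeout), EHOSTUNREACH, ENETUNREACH, ...


def scan(host: str, ports, timeout: float = 1.0) -> dict:
    """Scan each port in turn (Nmap does this in parallel) -> {port: state}."""
    return {port: classify(host, port, timeout) for port in ports}


def host_is_up(results: dict) -> bool:
    """The -PS/-PA host-discovery rule: any TCP reply, SYN/ACK or RST, proves
    the host is alive. Only silence on every probed port leaves it unknown."""
    return any(state in ("open", "closed") for state in results.values())


def start_listener(host: str = "127.0.0.1") -> socket.socket:
    """Constructed target: a TCP listener on an ephemeral port. The kernel
    completes handshakes into the backlog, so no accept() loop is needed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv


def unused_port(host: str = "127.0.0.1") -> int:
    """Find a port nobody listens on: bind to port 0, note it, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind((host, 0))
        return sock.getsockname()[1]


def demo() -> dict:
    """Scan one open and one closed loopback port; returns {port: state}."""
    srv = start_listener()
    try:
        return scan("127.0.0.1", [srv.getsockname()[1], unused_port()])
    finally:
        srv.close()


if __name__ == "__main__":
    results = demo()
    for port, state in sorted(results.items()):
        print(f"{port}/tcp\t{state}")
    print("host is up:", host_is_up(results))
```

Run it against a real daemon instead of the bare listener to see why -sT shows up in application logs: the connection is fully established and the daemon's accept() fires, whereas the RST a SYN scan sends never reaches the application.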

SYN Stealth Scan (-sS)

nmap -sS 192.168.1.100

Stealth: Medium
Speed: Fast
Requires Root: Yes

Sends a SYN, reads the reply (SYN/ACK = open, RST = closed, no answer or ICMP unreachable = filtered) and then sends a RST instead of completing the handshake. The default scan when Nmap runs as root. Faster than a connect scan and quieter at the application layer, because the service never sees a connection to log; a network IDS still sees every SYN.

UDP Scan (-sU)

nmap -sU 192.168.1.100

Stealth: Medium
Speed: Very Slow
Requires Root: Yes

Scans UDP ports. Much slower than TCP: closed ports answer with ICMP port unreachable, which Linux rate-limits to about one per second, and open ports usually send nothing back, so Nmap reports them as open|filtered unless -sV provokes a reply with a protocol-specific payload. Critical for finding DNS, SNMP and DHCP services, and often overlooked by both attackers and defenders.

XMAS Scan (-sX)

nmap -sX 192.168.1.100

Stealth: High
Speed: Fast
Requires Root: Yes

Sets the FIN, PSH and URG flags (the packet is "lit up like a Christmas tree"). Per RFC 793 a closed port answers with RST and an open port stays silent, so open ports are reported as open|filtered. Can slip past simple stateless firewalls that only look for SYNs. Works against RFC-compliant stacks (most Unix/Linux systems); Windows, Cisco IOS and several others send RST for every port regardless of state, so every port appears closed.

FIN Scan (-sF)

nmap -sF 192.168.1.100

Stealth: High
Speed: Fast
Requires Root: Yes

Sends a packet with only the FIN flag set. A closed port should answer with RST and an open port with nothing, so silence is reported as open|filtered. Stealthy against stateless filters but unreliable against Windows, which answers RST for every port.

NULL Scan (-sN)

nmap -sN 192.168.1.100

Stealth: High
Speed: Fast
Requires Root: Yes

Sends a TCP packet with no flags set; same RST-or-silence logic as the FIN scan, and the same Windows limitation. Stealthy against simple filters, but a flagless TCP segment never occurs in normal traffic, so modern IDS flag it readily.

ACK Scan (-sA)

nmap -sA 192.168.1.100

Stealth: Medium
Speed: Fast
Requires Root: Yes

Sends a bare ACK. It never tells you whether a port is open: both open and closed ports answer with RST (reported as unfiltered), while a dropped probe or an ICMP unreachable means filtered. Use it to map which ports a stateful firewall protects, then aim the other scan types at the rest.

Idle/Zombie Scan (-sI)

nmap -Pn -sI zombie_host target

Stealth: Maximum
Speed: Very Slow
Requires Root: Yes

Bounces the scan off a "zombie" host: Nmap sends SYNs to the target with the zombie's address as the source and infers each port's state from how the zombie's IP ID counter advances. The target's logs only ever show the zombie; add -Pn so your own host-discovery probes never reach it. Extremely stealthy, but the zombie must be idle and use a globally incremental IP ID (the ipidseq NSE script finds candidates), and the scan is very slow.

Common Port Scanning Commands

# Scan specific ports
nmap -p 22,80,443 192.168.1.100

# Scan a port range
nmap -p 1-1000 192.168.1.100

# Scan all 65535 ports
nmap -p- 192.168.1.100

# Fast scan (top 100 ports)
nmap -F 192.168.1.100

# Default: top 1000 ports
nmap 192.168.1.100

# Combined TCP SYN + UDP scan with per-protocol port lists
nmap -sS -sU -p U:53,111,137,T:21-25,80,443 192.168.1.100
Pro Tip: The default Nmap scan checks only the top 1000 most common ports. To find services on unusual ports, use -p- to scan all 65,535 ports, but be prepared for a much longer scan time.

3. Service & Version Detection

Knowing a port is open isn't enough. We need to identify what service is running and its version to find potential vulnerabilities.

Banner Grabbing & Version Detection

# Service version detection (probe intensity 7 by default)
nmap -sV 192.168.1.100

# Aggressive version detection: try every probe (intensity 9, the same as --version-all)
nmap -sV --version-intensity 9 192.168.1.100

# Light version detection: only the most likely probes, faster (0 is the lightest; --version-light is 2)
nmap -sV --version-intensity 0 192.168.1.100

# Version detection on specific ports
nmap -sV -p 22,80,443 192.168.1.100

OS Fingerprinting

Active OS Detection

# OS detection (requires root)
nmap -O 192.168.1.100

# Guess more aggressively when there is no exact fingerprint match
nmap -O --osscan-guess 192.168.1.100

# Only fingerprint hosts that have at least one open and one closed TCP port
nmap -O --osscan-limit 192.168.1.0/24

Active OS detection sends specially crafted packets and analyzes responses to determine the operating system. Looks at TCP/IP stack implementation details, window sizes, and other unique fingerprints.

The Aggressive Scan (-A)

# Aggressive scan: OS detection + version detection + default scripts + traceroute
nmap -A 192.168.1.100

# Equivalent to:
nmap -O -sV -sC --traceroute 192.168.1.100
Detection Warning: The -A flag is extremely loud. It triggers OS detection, service version probes, default NSE scripts, and traceroute. This will absolutely be logged and may trigger IDS alerts. Use only when stealth isn't a concern.

Sample Service Detection Output

Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for 192.168.1.100
Host is up (0.0012s latency).

PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http     Apache httpd 2.4.52 ((Ubuntu))
443/tcp  open  ssl/http Apache httpd 2.4.52 ((Ubuntu))
3306/tcp open  mysql    MySQL 8.0.32-0ubuntu0.22.04.2

Service detection performed. Please report any incorrect results.
Nmap done: 1 IP address (1 host up) scanned in 12.45 seconds
Intelligence Value: Service versions are what make the rest of the engagement concrete. "OpenSSH 8.9p1" and "Apache httpd 2.4.52" can be checked against CVE databases (the vulners NSE script automates the lookup), and this is where reconnaissance becomes actionable. Treat the version string as a lead rather than a verdict: distribution packages such as Ubuntu's backport security fixes without changing the upstream version number, so confirm against the package changelog or with a targeted check before reporting a finding.
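As an added example of the mechanism behind -sV (this is not the lab page's code, nor Nmap's), the following Python grabs banners with probes: a NULL probe that just listens, which is enough for talk-first protocols such as SSH, and an HTTP GET probe for services that say nothing until asked. Nmap drives the real thing from nmap-service-probes, a database with thousands of match lines; the two-entry table here and its regexes are my own assumptions standing in for it. The targets are two fake servers the script starts on 127.0.0.1 that replay the banners from the sample output above, so it runs offline.

```python
"""Banner grabbing with probes: the mechanism behind `nmap -sV`.

Added example, not Nmap's code. Nmap drives this from nmap-service-probes,
a database of probes and thousands of match lines; the two-entry table here
stands in for it (the regexes are my own assumptions, not copied from Nmap).
The targets are two fake servers this script starts on 127.0.0.1, replaying
the banners from the sample scan above, so it runs offline.
"""
import re
import socket
import threading

# (probe bytes, service, product, regex whose group 1 is the version)
# b"" is the NULL probe: connect and just listen, which is enough for
# talk-first protocols like SSH, SMTP or FTP. HTTP says nothing until asked.
SIGNATURES = [
    (b"", "ssh", "OpenSSH",
     re.compile(rb"^SSH-2\.0-OpenSSH_([^\s\r\n]+)")),
    (b"GET / HTTP/1.0\r\n\r\n", "http", "Apache httpd",
     re.compile(rb"\r\nServer: Apache/([0-9.]+)", re.I)),
]


def grab(host: str, port: int, probe: bytes, timeout: float = 1.0) -> bytes:
    """Connect, send the probe (if any) and collect whatever comes back until
    the peer closes, 4 KiB arrive, or `timeout` seconds pass in silence."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if probe:
            sock.sendall(probe)
        try:
            while sum(map(len, chunks)) < 4096:
                data = sock.recv(1024)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass   # silence: either nothing to say or a probe it ignores
    return b"".join(chunks)


def detect(host: str, port: int, timeout: float = 1.0) -> dict:
    """Try the probes in order (NULL probe first, as Nmap does) and return the
    first matching signature as a -sV style record."""
    for probe, service, product, pattern in SIGNATURES:
        match = pattern.search(grab(host, port, probe, timeout))
        if match:
            return {"port": port, "service": service, "product": product,
                    "version": match.group(1).decode("ascii", "replace")}
    return {"port": port, "service": "unknown", "product": None, "version": None}


def fake_server(reply: bytes, talk_first: bool) -> int:
    """Constructed target on 127.0.0.1; returns its port. talk_first=True
    behaves like sshd (banner on connect); False behaves like httpd (waits
    for a request, answers, closes)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    if not talk_first and not conn.recv(1024):
                        continue          # client hung up without a request
                    conn.sendall(reply)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo() -> list:
    """Fingerprint a fake sshd and a fake Apache; returns the two records."""
    ssh_port = fake_server(b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1\r\n", talk_first=True)
    http_port = fake_server(b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.52 (Ubuntu)\r\n"
                            b"Content-Length: 0\r\n\r\n", talk_first=False)
    return [detect("127.0.0.1", ssh_port), detect("127.0.0.1", http_port)]


if __name__ == "__main__":
    for record in demo():
        print(f"{record['port']}/tcp {record['service']:<8}"
              f"{record['product'] or ''} {record['version'] or ''}")
```

The GET probe is also why -sV is louder than a bare port scan: the web server writes that request to its access log and an IDS can match Nmap's probe payloads, and --version-intensity controls how many such probes are sent before Nmap gives up on a port.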

4. IDS/Firewall Evasion Techniques

Modern networks deploy Intrusion Detection Systems (IDS), firewalls, and logging. These techniques help evade detection or bypass filtering.

Timing Templates

# T0 Paranoid: one probe at a time, 5 minutes apart (IDS evasion)
nmap -T0 192.168.1.100

# T1 Sneaky: serial, 15 seconds apart
nmap -T1 192.168.1.100

# T2 Polite: serial, 0.4 seconds apart (reduces bandwidth)
nmap -T2 192.168.1.100

# T3 Normal (default): balanced
nmap -T3 192.168.1.100

# T4 Aggressive: parallel, fast; assumes a fast, reliable network
nmap -T4 192.168.1.100

# T5 Insane: parallel, very fast; may miss results on slow links
nmap -T5 192.168.1.100

Packet Fragmentation

# Split probes into 8-byte IP fragments (defeats simple packet filters)
nmap -f 192.168.1.100

# 16-byte fragments
nmap -ff 192.168.1.100

# Custom fragment size (must be a multiple of 8)
nmap --mtu 24 192.168.1.100

Fragmentation splits each probe into several small IP fragments. Some older firewalls and IDS apply their rules without reassembling fragments first, so the TCP header they inspect is incomplete and the probe slips through. Caveats: it only applies to Nmap's raw-packet scans (connect scans, version detection and NSE scripts go through the OS socket layer and are sent whole), some source hosts reassemble outgoing fragments in the kernel (Linux with connection tracking loaded can do this), and any modern IDS reassembles before inspection.

Decoy Scanning

# Ten random decoys; your real address is mixed in with them
nmap -D RND:10 192.168.1.100

# Explicit decoys; ME marks the position of your own address
nmap -D 192.168.1.5,192.168.1.6,192.168.1.7,ME 192.168.1.100

# ME can go anywhere in the list
nmap -D decoy1,decoy2,decoy3,ME,decoy4,decoy5 192.168.1.100

Decoy scanning sends the same probes spoofed from several source addresses, so the target's logs show many scanners and yours is only one of them. It hides you among the decoys, nothing more: a defender who correlates timing (all decoys probe in lockstep) or who can query upstream routers can still single you out, and if your ISP drops spoofed source addresses the decoy packets never leave your network. Choose decoys that are actually up, or the target may effectively receive a SYN flood, and note that decoys apply only to raw-packet scans; version detection, connect scans and NSE scripts need real replies and always come from your own address.

Source Port Manipulation

# Send probes from source port 53 (some firewalls trust DNS replies)
nmap --source-port 53 192.168.1.100

# Short form
nmap -g 53 192.168.1.100

# Other commonly trusted source ports: 20 (FTP data), 53 (DNS), 88 (Kerberos)
nmap --source-port 20 192.168.1.100

This exploits a common misconfiguration: stateless rules that allow all traffic from port 53 or 20 so that DNS replies and active-mode FTP data connections work. Like the other raw-packet tricks it only affects SYN and similar scans; connect scans, version detection and NSE scripts use the OS socket layer and keep their normal ephemeral source port.

MAC Address Spoofing

# Spoof the source MAC by vendor name (local Ethernet segment only)
nmap --spoof-mac Apple 192.168.1.100

# Specific MAC address
nmap --spoof-mac 00:11:22:33:44:55 192.168.1.100

# Fully random MAC
nmap --spoof-mac 0 192.168.1.100

Combined Evasion Example

# Combining several techniques in one scan
nmap -sS -Pn -f -D RND:10 --source-port 53 -T2 --data-length 25 192.168.1.100

# Breakdown:
# -sS               SYN scan
# -Pn               skip host discovery (assume the host is up)
# -f                fragment packets
# -D RND:10         ten random decoys
# --source-port 53  use DNS as the source port
# -T2               polite timing (slow and steady)
# --data-length 25  append 25 bytes of random data so probes are not the empty packets IDS signatures expect
Reality Check: While these evasion techniques can bypass basic firewalls, modern IDS/IPS systems (Snort, Suricata, commercial NGFWs) can detect and block most of them. Fragmentation is reassembled, decoys are correlated, and timing anomalies are flagged. These techniques are more effective against legacy systems.
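To make the reality check concrete from the defender's side, here is an added Python example (not from the lab page, Snort, Suricata or Zeek) of the two correlations it relies on: a threshold on distinct ports per source inside a time window, and lockstep timing that ties the decoy sources from the previous section together. The connection records are constructed with RFC 5737 documentation addresses, and the thresholds (15 distinct ports within 10 seconds, 0.5 seconds of decoy slack) are assumptions chosen for the demo.

```python
"""Port-scan detection on the defender's side: the correlations an IDS applies
to the connection records a scan leaves behind.

Added example, not from the lab page, Snort, Suricata or Zeek. The records
are constructed (RFC 5737 documentation addresses), and the thresholds
(15 distinct ports within 10 s; 0.5 s decoy lockstep) are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """One connection attempt: what a firewall log or Zeek conn.log row gives you."""
    ts: float    # seconds since some epoch
    src: str
    dst: str
    dport: int


def flag_port_scans(conns, window: float = 10.0, min_ports: int = 15) -> dict:
    """{(src, dst): distinct_ports} for each source that hit at least
    `min_ports` different ports on one host inside any `window`-second span.
    Simplified form of the Snort sfPortscan / Zeek scan-policy threshold."""
    by_pair = defaultdict(list)
    for c in conns:
        by_pair[(c.src, c.dst)].append(c)
    flagged = {}
    for pair, events in by_pair.items():
        events.sort(key=lambda c: c.ts)
        best, start = 0, 0
        for end, ev in enumerate(events):              # sliding time window
            while ev.ts - events[start].ts > window:
                start += 1
            best = max(best, len({c.dport for c in events[start:end + 1]}))
        if best >= min_ports:
            flagged[pair] = best
    return flagged


def group_decoys(conns, flagged: dict, slack: float = 0.5) -> list:
    """Among flagged sources, find sets that probed the same target in the same
    port order at the same moments. `nmap -D` sends the real probe and every
    decoy probe back to back, so the real scanner is a member of such a set
    rather than an independent source. Returns a list of sets of source IPs."""
    order = {}
    for src, dst in flagged:
        events = sorted((c for c in conns if c.src == src and c.dst == dst),
                        key=lambda c: c.ts)
        order[(src, dst)] = ([c.dport for c in events], [c.ts for c in events])
    candidates = defaultdict(set)
    for (src, dst), (ports, _) in order.items():
        candidates[(dst, tuple(ports))].add(src)      # same target, same sequence
    groups = []
    for (dst, _), srcs in candidates.items():
        if len(srcs) < 2:
            continue
        columns = zip(*(order[(s, dst)][1] for s in srcs))   # i-th probe of each
        if all(max(col) - min(col) <= slack for col in columns):
            groups.append(srcs)
    return groups


def constructed_log() -> list:
    """Constructed records: a decoy scan, a slow lone scan, and a normal client."""
    target = "192.0.2.10"
    ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143,
             443, 445, 993, 995, 1723, 3306, 3389, 5900, 8080, 8443]
    conns = []
    # nmap -D 203.0.113.20,203.0.113.21,ME from 203.0.113.7: each port receives
    # three SYNs a few milliseconds apart, one per decoy plus the real one
    for i, p in enumerate(ports):
        for j, src in enumerate(["203.0.113.20", "203.0.113.21", "203.0.113.7"]):
            conns.append(Conn(100.0 + i * 0.05 + j * 0.005, src, target, p))
    # nmap -T1 from a lone host: one probe every 15 s
    for i, p in enumerate(ports):
        conns.append(Conn(500.0 + i * 15.0, "198.51.100.9", target, p))
    # a legitimate client: thirty connections, all to 443
    for i in range(30):
        conns.append(Conn(200.0 + i * 2.0, "198.51.100.5", target, 443))
    return conns


def demo():
    """Returns (fast-window alerts, wide-window alerts, decoy groups)."""
    conns = constructed_log()
    fast = flag_port_scans(conns)                   # 10 s window misses -T1
    wide = flag_port_scans(conns, window=600.0)     # 10 min window catches it
    return fast, wide, group_decoys(conns, fast)


if __name__ == "__main__":
    fast, wide, groups = demo()
    print("10 s window :", sorted(fast))
    print("600 s window:", sorted(wide))
    print("decoy sets  :", groups)
```

The -T1 scanner is invisible to the 10-second window and only appears once the window is widened to minutes, which is exactly the trade-off the timing templates buy and why IDS vendors keep long-lived per-source state. The decoy set shows why -D hides you from someone reading a log but not from a correlating IPS: three sources with an identical port order within 10 ms of each other are one scan.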

5. Nmap Scripting Engine (NSE)

NSE extends Nmap's capabilities with hundreds of scripts for vulnerability detection, exploitation, authentication, and reconnaissance. Scripts are written in Lua.

Script Categories

# Default scripts (safe, fast, useful); the same as --script default
nmap -sC 192.168.1.100

# Whole script categories
nmap --script vuln 192.168.1.100
nmap --script auth 192.168.1.100
nmap --script discovery 192.168.1.100
nmap --script exploit 192.168.1.100

# A single script
nmap --script http-enum 192.168.1.100

# Boolean selection of scripts
nmap --script "http-* and not http-brute" 192.168.1.100

# Rebuild the script database after adding or updating scripts
nmap --script-updatedb

Essential NSE Scripts

http-enum
Enumerates directories and files on web servers. Finds admin panels, backup files, config files.
--script http-enum
smb-vuln-ms17-010
Checks for MS17-010 (CVE-2017-0144), the SMBv1 flaw exploited by EternalBlue and WannaCry. Critical for Windows systems.
--script smb-vuln-ms17-010
ftp-anon
Checks if FTP server allows anonymous login. Common misconfiguration.
--script ftp-anon
ssh-auth-methods
Lists authentication methods supported by SSH server (password, key, etc).
--script ssh-auth-methods
ssl-cert
Retrieves SSL certificate information. Useful for identifying domains, expiration dates.
--script ssl-cert
dns-brute
Attempts to enumerate DNS hostnames by brute force. Finds subdomains.
--script dns-brute
mysql-empty-password
Checks for MySQL/MariaDB accounts with empty passwords. Common in dev environments.
--script mysql-empty-password
smb-os-discovery
Identifies OS, computer name, domain, and workgroup from SMB.
--script smb-os-discovery
http-sql-injection
Tests for SQL injection vulnerabilities in web applications.
--script http-sql-injection
ssh-brute
Performs brute force password auditing against SSH. Use responsibly.
--script ssh-brute
http-wordpress-enum
Enumerates installed WordPress plugins and themes (usernames are covered by the separate http-wordpress-users script). Critical for WordPress pentests.
--script http-wordpress-enum
vulners
Queries the Vulners.com API for known CVEs matching the CPEs that version detection reported. Requires -sV and outbound network access from the scanning host.
--script vulners

NSE Script Arguments

# Pass an argument to a script
nmap --script http-enum --script-args http-enum.basepath='/admin/' 192.168.1.100

# Several arguments
nmap --script ssh-brute --script-args userdb=users.txt,passdb=pass.txt 192.168.1.100

# Read a script's documentation and argument list
nmap --script-help http-enum
Offensive Arsenal: NSE scripts turn Nmap from a scanner into a vulnerability assessment tool. The vuln category, combined with version detection (-sV) and the vulners script, can flag a large number of known CVEs in a single pass. Treat that output as leads to verify rather than confirmed findings: several vuln scripts only compare version strings, and backported patches make those strings misleading.

6. Output Formats & Reporting

Proper output formatting is crucial for documentation, analysis, and importing results into other tools.

# Normal output (human-readable)
nmap -oN scan_results.txt 192.168.1.100

# XML output (for import into Metasploit and other tools)
nmap -oX scan_results.xml 192.168.1.100

# Grepable output (easy to parse with grep/awk)
nmap -oG scan_results.gnmap 192.168.1.100

# All three formats at once (scan_results.nmap, .xml and .gnmap)
nmap -oA scan_results 192.168.1.100

# Append to an existing file instead of overwriting it
nmap -oN scan_results.txt --append-output 192.168.1.100

# Verbose output (realtime progress)
nmap -v 192.168.1.100

# Very verbose
nmap -vv 192.168.1.100

# Debug output (for troubleshooting)
nmap -d 192.168.1.100

Converting XML to HTML Report

# Nmap ships an XSL stylesheet (nmap.xsl) and references it from the XML it writes,
# so xsltproc can render the report directly
xsltproc scan_results.xml -o report.html

# If the XML will be viewed on another machine, generate it with --webxml (stylesheet
# reference pointing at nmap.org) or --stylesheet to reference a copy of your own
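The import step the XML format exists for, as an added example that is not the lab page's code or Nmap's: parsing -oX output into plain records with the Python standard library, the way Metasploit's db_import and similar tools consume it. The XML is constructed to mirror the sample scan in section 3 and uses the element and attribute names Nmap actually emits (host, address, port, state, service with product/version/tunnel/method); the filtered port 8080 and the runstats block are invented so that non-open and non-probed results are exercised too.

```python
"""Parse Nmap XML (-oX) into plain records, as db_import in Metasploit and
other tools do. Added example, not from the lab page or Nmap. SAMPLE_XML is a
constructed document modelled on the section 3 sample scan, using Nmap's real
element names; the filtered port 8080 and the runstats are invented.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan_results.xml 192.168.1.100" version="7.94">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.100" addrtype="ipv4"/>
<address addr="00:11:22:33:44:55" addrtype="mac"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="8.9p1 Ubuntu 3ubuntu0.1" extrainfo="Ubuntu Linux; protocol 2.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.4.52" extrainfo="(Ubuntu)" method="probed" conf="10"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.4.52" extrainfo="(Ubuntu)" tunnel="ssl" method="probed" conf="10"/></port>
<port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/>
<service name="mysql" product="MySQL" version="8.0.32-0ubuntu0.22.04.2" method="probed" conf="10"/></port>
<port protocol="tcp" portid="8080"><state state="filtered" reason="no-response"/>
<service name="http-proxy" method="table" conf="3"/></port>
</ports></host>
<runstats><finished elapsed="12.45"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str) -> list:
    """Return one dict per scanned port on every host that was up."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = next(a.get("addr") for a in host.iter("address")
                    if a.get("addrtype") in ("ipv4", "ipv6"))
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            # Normal output prints "ssl/http" for a TLS-wrapped service; in the
            # XML that lives in the tunnel attribute, so rebuild the name here.
            if svc is not None and svc.get("tunnel"):
                name = f"{svc.get('tunnel')}/{name}"
            rows.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state"),
                "reason": state.get("reason"),
                "service": name,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                # method="table" means the name is a guess from nmap-services;
                # only method="probed" results are evidence of what is running
                "probed": svc is not None and svc.get("method") == "probed",
            })
    return rows


def open_services(rows: list) -> dict:
    """{port: "product version"} for open ports with a probed product: the
    inventory you would feed to a CVE lookup (the vulners script does the same)."""
    return {r["port"]: f"{r['product']} {r['version'] or ''}".strip()
            for r in rows if r["state"] == "open" and r["probed"] and r["product"]}


if __name__ == "__main__":
    rows = parse_nmap_xml(SAMPLE_XML)
    for r in rows:
        print(f"{r['host']} {r['port']}/{r['proto']} {r['state']:<9} {r['service']:<9} "
              f"{r['product'] or ''} {r['version'] or ''}".rstrip())
    print(open_services(rows))
```

The probed flag is the detail worth keeping when results are imported: a service name that came from the nmap-services table (method="table") is only the port's conventional use, and reporting it as a running service is a common false positive in scan write-ups.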


Quick Reference Cheat Sheet

Most Common Commands

# Basic scan (top 1000 TCP ports)
nmap 192.168.1.100

# Quick scan (top 100 ports)
nmap -F 192.168.1.100

# Comprehensive scan
nmap -A -T4 192.168.1.100

# Host discovery across a subnet
nmap -sn 192.168.1.0/24

# Specific ports with version detection
nmap -sV -p 22,80,443,3389 192.168.1.100

# Slower scan with evasion options
nmap -sS -Pn -f -T2 192.168.1.100

# Vulnerability scan
nmap -sV --script vuln 192.168.1.100

# UDP service discovery
nmap -sU -p 53,67,68,161,162,500 192.168.1.100

Port States

Nmap reports every scanned port in one of six states:

open: a service accepted the probe (SYN/ACK, a UDP reply, or a completed connection)

closed: the host answered but nothing is listening there (TCP RST or ICMP port unreachable); the host is alive

filtered: no answer, or an ICMP error such as administratively prohibited; a firewall or filter is dropping the probe

unfiltered: the port answered an ACK-scan probe with RST, so it is reachable, but the ACK scan cannot say whether it is open

open|filtered: Nmap cannot tell open from filtered because open ports give no response (UDP, FIN, NULL and XMAS scans)

closed|filtered: only the idle scan produces this; it cannot tell closed from filtered
