What is Nmap?
Nmap (Network Mapper) is the world's leading network discovery and security scanning tool. It's an open-source powerhouse used by security professionals, penetration testers, and system administrators to discover hosts, services, and vulnerabilities across networks. Think of it as a "network X-ray machine" that reveals what's running on target systems.
Scanning networks without authorization is ILLEGAL in most jurisdictions and can result in criminal prosecution. ONLY scan:
- Networks you own or manage
- Systems where you have written permission
- This training lab's simulated environments
Unauthorized scanning can be prosecuted under the Computer Fraud and Abuse Act (USA), Computer Misuse Act (UK), and similar laws worldwide.
Why Do We Need Nmap?
- Network Inventory: Discover all devices on your network (servers, IoT devices, forgotten systems)
- Security Auditing: Find open ports and services that could be exploited
- Vulnerability Assessment: Identify outdated services with known vulnerabilities
- Penetration Testing: Essential reconnaissance phase for ethical hacking
- Network Troubleshooting: Verify firewall rules and service availability
The Three Core Capabilities
- Host Discovery: Find active devices on a network
- Port Scanning: Determine which ports are open, closed, or filtered
- Service/OS Detection: Identify what's running and the operating system
Understanding Ports & Services
Before scanning, you must understand what you're looking for.
What Are Ports?
Ports are logical endpoints for network communication. Think of an IP address as a building address, and ports as individual apartment numbers. There are 65,536 ports (0-65535), divided into three ranges:
# Well-Known Ports (0-1023)
22 - SSH (Secure Shell)
80 - HTTP (Web traffic)
443 - HTTPS (Encrypted web)
21 - FTP (File Transfer)
25 - SMTP (Email)
53 - DNS (Domain Name System)
# Registered Ports (1024-49151)
3306 - MySQL Database
3389 - RDP (Remote Desktop)
8080 - Alternative HTTP
# Dynamic/Private Ports (49152-65535)
Used for temporary client connections
Port States in Nmap
- open: An application is accepting TCP connections or UDP datagrams on the port (exposed attack surface)
- closed: The port is reachable (the host answered, typically with a RST) but nothing is listening there
- filtered: A firewall or other filter is dropping the probes, so Nmap cannot tell whether the port is open
- unfiltered: The port is reachable but Nmap cannot tell whether it is open or closed (only reported by the ACK scan)
- open|filtered: Nmap cannot distinguish open from filtered (UDP, FIN, Null and Xmas scans, where open ports send no reply)
- closed|filtered: Nmap cannot distinguish closed from filtered (only the idle scan, -sI)
Every open port is a potential attack vector. Security best practice: expose only the services that are genuinely needed, firewall everything else, then rescan from outside the firewall to confirm it does what you think.
TCP vs UDP Scanning
Understanding the difference between TCP and UDP is crucial for effective scanning.
TCP (Transmission Control Protocol)
- Connection-oriented (handshake)
- Reliable, ordered delivery with retransmission
- Easier to scan (every probe gets a SYN-ACK or a RST unless a filter drops it)
- Most common services use TCP
- Examples: HTTP, SSH, FTP, SMTP
UDP (User Datagram Protocol)
- Connectionless (no handshake)
- No delivery guarantee
- Harder to scan (open ports often send no reply, so Nmap can only report open|filtered)
- Used where low latency matters more than guaranteed delivery
- Examples: DNS, DHCP, SNMP, VoIP, VPN
The TCP Three-Way Handshake
Client                         Server
  |                               |
  |--- SYN ---------------------->|  (Client initiates)
  |                               |
  |<-- SYN-ACK -------------------|  (Server accepts)
  |                               |
  |--- ACK ---------------------->|  (Connection established)
Nmap builds its scan types on this handshake. A SYN scan sends only the first packet, classifies the port from the reply (SYN-ACK means open, RST means closed, silence or an ICMP error means filtered), and then sends a RST instead of the final ACK, so the connection is never established and the listening application never sees it.
Nmap Scan Types
Different scan types have different stealth levels, speed, and accuracy. Choose based on your needs and authorization level.
TCP SYN Scan (-sS) - "Stealth Scan"
- How it works: Sends a SYN, classifies the port from the reply (SYN-ACK = open, RST = closed, no reply or ICMP error = filtered), then answers a SYN-ACK with RST instead of completing the handshake
- Advantages: Fast; the listening application never receives a connection, so the probe does not appear in its logs; Nmap's default when run with sufficient privileges
- Disadvantages: Needs raw packet privileges (root on Linux, Administrator on Windows); the "stealth" label is historical, any modern firewall or IDS logs half-open scans
- When to use: Default choice for most scans when you have the privileges
TCP Connect Scan (-sT)
- How it works: Completes the full three-way handshake using the OS connect() call, then closes the connection
- Advantages: No special privileges, works on every platform; Nmap's default when not run as root
- Disadvantages: Slower, and the target application accepts the connection, so every probe shows up in its logs
- When to use: When you lack raw packet privileges or -sS is not possible on the path you are scanning through
UDP Scan (-sU)
- How it works: Sends a UDP datagram (empty, or a protocol-specific payload for well-known ports such as 53 and 161) and waits: an ICMP port unreachable means closed, a reply from the service means open, silence is reported as open|filtered
- Advantages: Finds UDP-only services (DNS, DHCP, SNMP, VPN) that a TCP scan never sees
- Disadvantages: VERY slow: open ports usually stay silent, and Linux rate-limits ICMP unreachable messages to about one per second, so a 1000-port UDP scan of a single host can take a very long time; adding -sV helps resolve open|filtered ports
- When to use: When looking for UDP services specifically
Use nmap -sS -sU 192.168.1.1 to scan both TCP and UDP. This is comprehensive but slow; restricting both sides explicitly (for example -p T:1-1000,U:53,67,123,161,500) keeps it manageable.
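The following is an added Python example, not code from this page or from Nmap, that reproduces the classification logic behind -sT and -sU with plain sockets. It needs no raw-packet privileges, and it runs against constructed listeners on 127.0.0.1 (stand-ins for real services), so you can watch open, closed and open|filtered come out of the same decisions Nmap makes. On Linux loopback the probe to a closed UDP port comes back as closed because the kernel delivers the ICMP port unreachable to the connected socket; on other stacks, or behind a filter, the same probe would time out and be reported open|filtered.

```python
"""Connect-style TCP scan and UDP probe, the logic behind nmap -sT and -sU.

Added example, not code from the page or from Nmap. Uses plain sockets
against constructed loopback listeners so it runs offline without root.
"""
import socket
import threading


def tcp_connect_scan(host, ports, timeout=0.5):
    """Classify ports the way nmap -sT does: a completed handshake is
    'open', an immediate RST (ECONNREFUSED) is 'closed', and a timeout or
    ICMP error (probe dropped or rejected by a filter) is 'filtered'."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))        # full three-way handshake
            results[port] = "open"         # the service's accept() saw us: it can log this
        except ConnectionRefusedError:
            results[port] = "closed"       # kernel answered our SYN with RST
        except OSError:                    # timeout, ICMP unreachable, ...
            results[port] = "filtered"
        finally:
            s.close()
    return results


def udp_probe(host, port, payload=b"", timeout=0.5):
    """Mimic nmap -sU for one port. A connected UDP socket surfaces an ICMP
    port unreachable as ECONNREFUSED ('closed'); any datagram back means
    'open'; silence is the ambiguous 'open|filtered'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        s.send(payload)
        s.recv(1024)
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "open|filtered"
    finally:
        s.close()


def start_test_services():
    """Constructed stand-ins for real services: a TCP listener and a UDP
    echo server on ephemeral loopback ports. Returns (tcp_port, udp_port)."""
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind(("127.0.0.1", 0))
    tcp.listen(5)
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))

    def tcp_loop():
        while True:
            conn, _ = tcp.accept()         # a real daemon would log the peer here
            conn.close()

    def udp_loop():
        while True:
            data, peer = udp.recvfrom(1024)
            udp.sendto(b"echo:" + data, peer)

    threading.Thread(target=tcp_loop, daemon=True).start()
    threading.Thread(target=udp_loop, daemon=True).start()
    return tcp.getsockname()[1], udp.getsockname()[1]


def free_port(udp=False):
    """Find a loopback port with no listener of that type (our 'closed' target)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM if udp else socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    tcp_port, udp_port = start_test_services()
    print("tcp:", tcp_connect_scan("127.0.0.1", [tcp_port, free_port()]))
    print("udp open:", udp_probe("127.0.0.1", udp_port, b"probe"))
    print("udp closed:", udp_probe("127.0.0.1", free_port(udp=True), b"probe"))
```

Note the asymmetry the code makes visible: the TCP side always gets an answer (SYN-ACK or RST), so a timeout is evidence of filtering, while on the UDP side a timeout is the normal behaviour of an open port that simply has nothing to say to an unsolicited datagram.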
ACK Scan (-sA) - Firewall Detection
- How it works: Sends ACK packets to detect firewall rules
- Purpose: Doesn't determine open/closed, only filtered/unfiltered
- When to use: Mapping firewall rulesets
FIN, Xmas, Null Scans (-sF, -sX, -sN)
nmap -sF 192.168.1.1 # FIN scan (FIN flag only)
nmap -sX 192.168.1.1 # Xmas scan (FIN, PSH, URG flags set)
nmap -sN 192.168.1.1 # Null scan (no flags)
- How they work: Rely on RFC 793 behaviour for packets that carry no SYN and belong to no connection: a closed port answers with RST, an open port silently drops the packet, so no reply is reported as open|filtered
- Advantages: Can slip past stateless packet filters that only block SYN packets, and leave no trace in application logs
- Disadvantages: Windows, Cisco IOS and several other stacks send RST from every port, so all ports look closed; results are open|filtered rather than a clean open; IDS signatures for these scans are well known
- When to use: Probing stateless firewalls, or cross-checking a SYN scan that reported filtered ports
Service & Version Detection
Service Detection (-sV)
Probes open ports to determine the actual service and version running. This is CRITICAL for security assessments because:
- Port 80 might be running an end-of-life Apache 2.2.x release rather than a patched 2.4.x
- Outdated versions map to known CVEs (Common Vulnerabilities and Exposures), which is what turns a port list into findings
- Verifies that the service matches the expected port: SSH answering on 8080/tcp, or something other than SSH on 22/tcp, deserves a closer look (backdoors and tunnels often hide this way)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.6 ((CentOS))
443/tcp open ssl/http nginx 1.14.0
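To make the mechanism behind -sV concrete, here is an added Python example (not code from this page or from Nmap). Real -sV sends the probes and applies the match regexes in Nmap's nmap-service-probes file; the PROBES table below is a constructed, much smaller table with the same shape, and the fake SSH and HTTP listeners are constructed stand-ins for real services running on 127.0.0.1. Because the matcher never looks at the port number, it produces the same answer whether the SSH banner comes from 22/tcp or from an unexpected high port.

```python
"""Version detection by probe-and-match, the approach behind nmap -sV.

Added example, not code from the page or from Nmap. PROBES is a constructed
miniature of nmap-service-probes; the listeners are constructed fakes.
"""
import re
import socket
import threading

# (probe name, bytes to send, [(service, regex, version template), ...]).
# The NULL probe sends nothing and just reads the banner, as Nmap's does.
PROBES = [
    ("NULL", b"", [
        ("ssh", re.compile(rb"^SSH-(\d\.\d)-OpenSSH_([\w.]+)"), "OpenSSH {1} (protocol {0})"),
        ("ftp", re.compile(rb"^220[ -]([^\r\n]+)"), "{0}"),
    ]),
    ("GetRequest", b"GET / HTTP/1.0\r\n\r\n", [
        ("http", re.compile(rb"^HTTP/1\.[01] \d{3}.*?\r\nServer: Apache/([\d.]+)(?: \(([^)]+)\))?", re.S),
         "Apache httpd {0} (({1}))"),
        ("http", re.compile(rb"^HTTP/1\.[01] \d{3}.*?\r\nServer: nginx/([\d.]+)", re.S), "nginx {0}"),
    ]),
]


def grab(host, port, probe, timeout=1.0):
    """Open a fresh connection, send one probe (or nothing), return the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if probe:
                s.sendall(probe)
            return s.recv(4096)
    except OSError:          # timeout (service waits for us to speak), RST, ...
        return b""


def detect_service(host, port):
    """Walk the probe table like -sV: banner first, then protocol probes.
    Returns (service, version string) on the first regex that matches."""
    for _name, payload, rules in PROBES:
        banner = grab(host, port, payload)
        if not banner:
            continue
        for service, pattern, template in rules:
            m = pattern.search(banner)
            if m:
                groups = tuple((g or b"").decode(errors="replace") for g in m.groups())
                return service, template.format(*groups)
    return "unknown", ""


def start_fake_service(reply, speaks_first):
    """Constructed listener: sends `reply` on connect (SSH-style banner) or
    only after reading a request (HTTP-style). Returns its loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            conn, _ = srv.accept()
            try:
                if not speaks_first:
                    conn.settimeout(2.0)
                    if not conn.recv(1024):   # client closed without asking
                        continue
                conn.sendall(reply)
            except OSError:
                pass
            finally:
                conn.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    ssh_port = start_fake_service(b"SSH-2.0-OpenSSH_7.4\r\n", speaks_first=True)
    http_port = start_fake_service(
        b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.6 (CentOS)\r\nContent-Length: 0\r\n\r\n",
        speaks_first=False)
    for port in (ssh_port, http_port):
        print(port, detect_service("127.0.0.1", port))
```

Two things carry over to real -sV: the NULL probe is tried first because many services announce themselves, and every later probe opens a new connection, which is why version detection is both noisier and slower than the port scan that precedes it.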
OS Detection (-O)
Uses TCP/IP stack fingerprinting to guess the operating system. Analyzes subtle differences in how OSes implement networking.
- Helps prioritize targets (Windows vs Linux have different attack vectors)
- Identifies unexpected OSes (server running Windows when you expected Linux)
- Needs raw packet privileges; results are most reliable when the host has at least one open and one closed TCP port, and Nmap warns when that condition is not met
Aggressive Scan (-A)
Enables OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute. Very thorough but LOUD and easily detected.
Aggressive scans (-A, -sV with --version-intensity 9, large NSE script sets) generate significant network traffic and are easily detected by IDS/IPS. Use them only on authorized targets during approved testing windows.
NSE: Nmap Scripting Engine
NSE scripts extend Nmap's capabilities with vulnerability detection, advanced discovery, and exploitation checks.
Basic Script Usage
nmap --script=default 192.168.1.1 # Run the default (safe) script set, same as -sC
nmap --script "http-*" 192.168.1.1 # All HTTP-related scripts (quote the glob so the shell does not expand it)
nmap --script=smb-enum-shares -p445 192.168.1.1 # One specific script
Useful Script Categories
- auth: Credential and authentication-bypass checks (password guessing lives in brute)
- broadcast: Discover hosts via broadcast
- brute: Brute force password attacks
- default: Safe, commonly useful scripts (-sC shortcut)
- discovery: Advanced host/service discovery
- exploit: Attempt to exploit vulnerabilities (DANGEROUS - authorized only!)
- vuln: Check for known vulnerabilities
# Check a subnet for MS17-010 (EternalBlue) without exploiting it
nmap --script=smb-vuln-ms17-010 -p445 192.168.1.0/24
# Enumerate common web paths and applications
nmap --script=http-enum example.com
# Check for SSL/TLS weaknesses (cipher suites, Heartbleed, POODLE)
nmap --script "ssl-*" 192.168.1.1
Timing & Performance
Nmap's timing templates (-T) control scan speed vs stealth. Choose based on your scenario.
nmap -T0 192.168.1.1 # Paranoid - One probe every 5 minutes, for IDS evasion
nmap -T1 192.168.1.1 # Sneaky - One probe every 15 seconds, very slow
nmap -T2 192.168.1.1 # Polite - Slower, low bandwidth, least disruptive
nmap -T3 192.168.1.1 # Normal - Default, balanced
nmap -T4 192.168.1.1 # Aggressive - Fast, assumes a fast and reliable network
nmap -T5 192.168.1.1 # Insane - Very fast, sacrifices accuracy and may miss results
When to Use Each Timing
- T0-T1: Penetration testing where stealth is paramount
- T2: Scanning production systems (minimizes impact)
- T3: Default, works for most scenarios
- T4: Internal scans, pentests with time constraints
- T5: Only on isolated lab networks (unreliable on real networks)
Combine with parallelism controls: nmap -T4 --min-parallelism 100 192.168.1.0/24 forces at least 100 outstanding probes and gets through a /24 very quickly. Pushing parallelism beyond what the network and targets can absorb makes probes get dropped and ports get misreported as filtered, so reserve this for clean LANs and rescan odd results at -T3.
Port Specification Techniques
By default, Nmap scans the 1000 most common ports. Customize for thorough or targeted scans.
nmap -p 22,80,443 192.168.1.1 # Multiple specific ports
nmap -p 1-1000 192.168.1.1 # Port range
nmap -p- 192.168.1.1 # ALL 65535 ports (slow!)
nmap -sS -sU -p T:22,80,U:53,161 192.168.1.1 # TCP and UDP specific (the U: ports are only scanned when -sU is given)
nmap --top-ports 100 192.168.1.1 # Scan top 100 most common ports
nmap -F 192.168.1.1 # Fast mode (100 most common)
Scanning all 65535 ports (-p-) takes much longer than the default 1000. On a fast, reliable network add -T4; on a slow or lossy link stay at -T3 and accept the wait rather than trade accuracy for speed. Always consider whether the time investment is justified.
Target Specification
Nmap supports flexible target formats for single hosts or entire networks.
nmap example.com # Hostname (resolves to IP)
nmap 192.168.1.0/24 # CIDR notation (entire subnet)
nmap 192.168.1.1-50 # Range (IPs 1 through 50)
nmap 192.168.1.* # Wildcard (entire /24)
nmap 192.168.1.1 192.168.1.5 # Multiple targets space-separated
nmap -iL targets.txt # Read targets from file
nmap --exclude 192.168.1.5 192.168.1.0/24 # Exclude specific IP
Output Formats & Saving Results
Always save scan results for reporting, comparison, and legal documentation.
nmap -oN scan.txt 192.168.1.1 # Normal output (what you see on screen)
nmap -oX scan.xml 192.168.1.1 # XML output (for tools)
nmap -oG scan.gnmap 192.168.1.1 # Grepable output (awk/grep parsing)
nmap -oA scan 192.168.1.1 # All three formats (scan.nmap, scan.xml, scan.gnmap)
Always use -oA basename to save all three formats. XML is what vulnerability management tools and Nmap's own ndiff import, grepable output is the easiest to parse in a shell pipeline, and normal output is the easiest to read by hand.
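Saving XML pays off the moment you want to compare scans. The following is an added Python example, not code from this page or from Nmap (Nmap ships its own ndiff for this job), that parses -oX output and reports which ports opened, closed or changed version between two runs. Both XML documents are constructed to mimic the -oX format and carry only the host, address, ports, port, state and service elements and attributes the parser reads.

```python
"""Parse nmap -oX output and diff two scans.

Added example, not code from the page or from Nmap. BASELINE_XML and
TODAY_XML are constructed samples in the shape of real -oX output.
"""
import xml.etree.ElementTree as ET

BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX baseline.xml 192.168.1.1">
  <host><status state="up"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.6"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
  </host>
</nmaprun>
"""

TODAY_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX today.xml 192.168.1.1">
  <host><status state="up"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.0"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.6"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="http" product="nginx" version="1.14.0" tunnel="ssl"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(text):
    """Return {ip: {(proto, port): (state, service name, product+version)}}."""
    hosts = {}
    for host in ET.fromstring(text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports = {}
        for p in host.findall("ports/port"):
            state = p.find("state")
            svc = p.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = " ".join(filter(None, (svc.get("product"), svc.get("version")))) if svc is not None else ""
            ports[(p.get("protocol"), int(p.get("portid")))] = (
                state.get("state") if state is not None else "unknown", name, product)
        hosts[addr.get("addr")] = ports
    return hosts


def diff_scans(old, new):
    """List (ip, proto, port, change, detail) for every port whose open-ness
    or advertised version changed between two parsed scans."""
    changes = []
    for ip in sorted(set(old) | set(new)):
        before, after = old.get(ip, {}), new.get(ip, {})
        for proto, port in sorted(set(before) | set(after)):
            b, a = before.get((proto, port)), after.get((proto, port))
            b_open = b is not None and b[0] == "open"
            a_open = a is not None and a[0] == "open"
            if a_open and not b_open:
                changes.append((ip, proto, port, "newly open", a[2]))
            elif b_open and not a_open:
                changes.append((ip, proto, port, "no longer open", b[2]))
            elif a_open and b_open and a[2] != b[2]:
                changes.append((ip, proto, port, "version changed", f"{b[2]} -> {a[2]}"))
    return changes


if __name__ == "__main__":
    for change in diff_scans(parse_nmap_xml(BASELINE_XML), parse_nmap_xml(TODAY_XML)):
        print(change)
```

Run regularly against a stored baseline, this is the cheapest "something new is listening" detector there is: a port that appears on 3389/tcp overnight, or an SSH version that changed without a change ticket, is exactly what a reviewer wants to see on the first line of the report.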
Ethical & Legal Considerations
Unauthorized network scanning is a CRIME. Before scanning ANY network:
- Get explicit written authorization from the network owner
- Define the scope (what IPs/networks are in scope)
- Agree on testing windows (time of day, duration)
- Document everything (authorization, scope, findings)
- Respect scope boundaries (never scan out-of-scope targets)
Legal Frameworks
- USA: Computer Fraud and Abuse Act (CFAA) - Unauthorized access is federal crime
- UK: Computer Misuse Act 1990 - Up to 10 years imprisonment
- EU: GDPR + national laws - Data breach penalties + criminal charges
- International: Council of Europe Convention on Cybercrime
Real-World Consequences
- Security researcher scanned hospital network "to help" - arrested, lost job, criminal record
- Student scanned university "for thesis research" - expelled, sued for damages
- Pentester exceeded authorized scope by one IP - contract terminated, lawsuit
Safe Practice Environments
Learn Nmap safely in these authorized environments:
- This training lab (simulated targets)
- Your own home network (devices you own)
- Intentionally vulnerable targets and lab platforms (HackTheBox, TryHackMe, DVWA)
- Cloud instances YOU created (AWS, Azure, etc.)
- Employer networks with written authorization
Ready to Practice?
Head to the Scanner Lab tab to practice scanning simulated targets with realistic responses. Then test your skills in the Challenges section!
The Scanner Lab provides multiple simulated target scenarios (web servers, Windows hosts, firewalled systems). Build real-world scanning skills in a safe, legal environment!