Week 6 · lesson 1

Enumeration & Port Scanning with nmap

Hands-on lesson: run nmap scans in the terminal and interpret the results.

What you'll learn

  • Understand enumeration and why port scanning matters in security testing.
  • Run TCP, UDP, and stealth scans with nmap; interpret port states.
  • Identify services and OS versions using version detection.
  • Write targeted nmap commands for different network scenarios.

What is enumeration?

Enumeration is the process of discovering and gathering detailed information about a target after it's been identified as online. For a penetration tester or security researcher, it means:

  • Which ports are open (and what is listening on them)?
  • What services are running (SSH, HTTP, MySQL)?
  • What versions are installed (OpenSSH 7.6, Apache 2.4)?
  • What OS is it running (Linux, Windows)?
  • What can be attacked?

nmap is the industry standard for this job: fast, flexible, and powerful.

Port states

When nmap scans a port, it reports one of these states:

  • Open, a service is listening and accepting connections. This is the attack surface you will look at more closely.
  • Closed, the port is reachable but nothing is listening on it. The target answers with an RST (reset) packet.
  • Filtered, nmap got no usable response (the probe was dropped, or an ICMP unreachable error came back). A firewall is probably in the way; the port could be open or closed.
  • Open|filtered, (UDP and the NULL/FIN/Xmas scans) the target did not respond, and for these probes silence means either an open port or a filtered one.

TCP flags (the building blocks)

nmap uses TCP flags to craft different scan types. Know these six:

  • SYN, initiates a connection.
  • ACK, acknowledges a previous packet.
  • FIN, closes a connection.
  • RST, forcefully resets a connection.
  • PSH, push: send data now.
  • URG, urgent data flag.

Scan types

TCP SYN Scan (-sS)

sudo nmap -sS 192.168.1.100

The "half-open" or "stealth" scan: nmap sends a SYN, watches whether the target answers with SYN-ACK (open) or RST (closed), then tears the connection down with an RST instead of completing the handshake.

Pros: fast, and because no connection is ever completed, simple application-level logging never sees it. Cons: crafting raw packets requires root/sudo.

TCP Full Scan (-sT)

nmap -sT 192.168.1.100

Completes the full three-way TCP handshake through the OS connect() call, so it works without root. The completed connection is visible to the service, so it is more likely to be logged.

UDP Scan (-sU)

sudo nmap -sU 192.168.1.100

Scans UDP ports (DNS, SNMP, DHCP, NTP, etc.). Slow because UDP is connectionless; nmap waits for timeouts.

Stealth Scans (NULL, FIN, Xmas)

sudo nmap -sN 192.168.1.100  # NULL scan, no flags set
sudo nmap -sF 192.168.1.100  # FIN scan, only FIN flag
sudo nmap -sX 192.168.1.100  # Xmas scan, FIN, PSH, URG flags (packet looks like Christmas tree)

These rely on TCP's specified behaviour: a closed port must answer a packet that lacks the SYN, RST and ACK flags with an RST, while an open port silently drops it. So an RST means closed and no response means open|filtered. Two caveats: many stacks (Windows and many Cisco devices among them) send RST regardless of port state, so every port shows as closed, and the scans are slow because nmap has to wait out a timeout for every port that stays silent.

Common command patterns

Basic TCP scan

nmap 192.168.1.100
nmap -sT 192.168.1.100

Scans the 1000 most common TCP ports on the target. With no scan type given, nmap uses the SYN scan when run as root and falls back to the connect scan (-sT) otherwise.

Quick discovery (ping scan, no ports)

nmap -sn 192.168.1.0/24

Pings all IPs in the subnet to see which are up. No port scanning.

All TCP ports

sudo nmap -p- 192.168.1.100

Scans all 65535 TCP ports (takes a while).

Service version detection

sudo nmap -sV 192.168.1.100

Probes open ports to identify the service and version.

OS detection

sudo nmap -O 192.168.1.100

Attempts to guess the operating system (requires root).

Aggressive scan (version + OS + scripts)

sudo nmap -A 192.168.1.100

Combines -sV (version detection), -O (OS detection), -sC (default script scan) and --traceroute. Very noisy; use it only when stealth doesn't matter.

Timing templates (trade thoroughness for speed)

nmap -T3 192.168.1.100

Timing templates run from T0 (paranoid) to T5 (insane). T3 is normal and is the default, so this command runs at the standard pace. Higher templates send probes faster and wait less for replies, which is quicker but can miss ports on slow or lossy networks; lower templates spread probes out to stay under rate-based detection.

Disable ping check

nmap -Pn 192.168.1.100

Assumes the target is up; skips the initial ping. Useful if the target doesn't respond to ICMP.

UDP scan on specific ports

sudo nmap -sU -p 53,67,68,123 192.168.1.100

Scans only DNS (53), DHCP (67/68), and NTP (123).

Practical examples: try these in the terminal

Scan localhost to see what you're running

nmap localhost
nmap 127.0.0.1

No root needed. You'll see which of your local services are listening.

Scan your router

nmap 192.168.1.1

Most routers are on .1 in a /24 network. See what ports they expose.

Fast scan of your subnet (which hosts are up)

nmap -sn 192.168.1.0/24

No port scanning. nmap's host discovery sends ICMP echo requests plus TCP probes to ports 80 and 443 (ARP requests when the subnet is on your local Ethernet) and lists the IPs that answer.

Detailed scan of one host

nmap -sV -sC 192.168.1.100

-sV probes open ports for service versions; -sC runs the default NSE script set, which gathers extra service details (HTTP page titles, TLS certificates, SSH host keys, and so on).
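Reading a scan like the one above is the skill this lesson builds, so here is an added example (not part of the lesson's own material) that parses the port table nmap prints, flags confirmed-open ports that are not on an allowlist of what a host is supposed to expose, and separates out the filtered / open|filtered ports that still need a second look. The scan text is constructed for illustration, not the output of a real scan.

```python
import re
from dataclasses import dataclass

# Constructed sample of nmap normal output for `nmap -sV -sC <host>`;
# the hosts, services and versions are made up for this example.
SAMPLE_SCAN = """\
Nmap scan report for 192.168.1.100
Host is up (0.0021s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE         SERVICE VERSION
22/tcp   open          ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp   open          http    Apache httpd 2.4.29 ((Ubuntu))
443/tcp  filtered      https
3306/tcp open          mysql   MySQL 5.7.33-0ubuntu0.18.04.1
161/udp  open|filtered snmp
"""

# One port row: "<port>/<proto>  <state>  <service>  [<version text>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*\S))?\s*$")

@dataclass(frozen=True)
class Port:
    number: int
    proto: str
    state: str      # open, closed, filtered, open|filtered, ...
    service: str
    version: str    # empty when -sV could not identify the software

def parse_ports(text: str) -> list[Port]:
    """Extract every port/state/service/version row from nmap normal output."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports.append(Port(int(m[1]), m[2], m[3], m[4], m[5] or ""))
    return ports

def unexpected_open(ports: list[Port], allowlist: set[str]) -> list[Port]:
    """Confirmed-open ports not in the allowlist of "<port>/<proto>" strings.
    open|filtered is excluded: it is not a confirmed listener."""
    return [p for p in ports
            if p.state == "open" and f"{p.number}/{p.proto}" not in allowlist]

def unresolved(ports: list[Port]) -> list[Port]:
    """Ports nmap could not settle (filtered / open|filtered); re-check them with a
    different scan type or from another network position before concluding."""
    return [p for p in ports if "filtered" in p.state]

if __name__ == "__main__":
    found = parse_ports(SAMPLE_SCAN)
    expected = {"22/tcp", "80/tcp"}   # what this host is supposed to expose
    for p in unexpected_open(found, expected):
        print(f"UNEXPECTED {p.number}/{p.proto} {p.service} {p.version}")
    for p in unresolved(found):
        print(f"UNRESOLVED {p.number}/{p.proto} state={p.state}")
```

Run against real output saved with `-oN`, the same two functions turn a scan of your own network into a short list of listeners you did not plan for and ports whose state you still need to confirm.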

Why this matters

Port scanning is the reconnaissance phase of every penetration test. Open ports are attack surface. Knowing what's listening, and what version, tells you:

  • Is this service patched or vulnerable?
  • What exploitation tools exist for it?
  • Is the network segmented (can internal hosts talk, or does a firewall block them)?

Firewalls and intrusion detection systems notice port scans, so auditors scan their own networks to learn what their defenses can see and block. Red teams (and attackers) use nmap to map the network and find the easiest targets.

Check your understanding

6 questions


  1. An nmap scan prints 22/tcp open ssh and 23/tcp closed telnet. Which port number is accepting connections?

  2. Write the nmap command to run a stealth (half-open) SYN scan against 192.168.1.10.

  3. You need to scan every one of the 65535 TCP ports on 192.168.1.10. Write the nmap command.

  4. You have a /24 subnet (192.168.1.0/24) and need to find which hosts are alive without scanning ports. Write the nmap command.

  5. An nmap scan reports 443/tcp open ssl/http Apache httpd 2.4.41. Which web server software and version is running?

  6. Write the nmap command to detect the service versions running on 192.168.1.10.