Nmap Interactive Learning Lab

Learn Nmap from Beginner to Advanced with Interactive Labs

Real-World Nmap Labs

Practice how Nmap is used in real security situations by both security professionals and attackers.

Discover Devices on Your Network

Before scanning ports or services, security professionals first need to determine which devices actually exist on the network. This process is called host discovery. In corporate environments this helps detect unknown devices, rogue systems, or unauthorized IoT devices connected to the network.

Step 1 — Find Active Devices

sudo nmap -sn 192.168.1.0/24

What this command does

  • -sn → Disables port scanning and performs only host discovery.
  • 192.168.1.0/24 → Scans every IP in the subnet (192.168.1.1 – 192.168.1.254).
  • sudo → Required for certain low-level network operations like ARP scans.

Why this scan is important

  • Identify all active devices on the network.
  • Detect unauthorized devices connected to Wi-Fi or LAN.
  • Create a baseline inventory of network assets.

How Nmap detects hosts

Nmap may use several techniques depending on network conditions:

  • ARP requests (most reliable on local networks)
  • ICMP echo requests (similar to ping)
  • TCP SYN probes

What to look for

  • Unknown IP addresses
  • Devices that should not exist on the network
  • Unexpected numbers of hosts

Real-World Security Use

Security teams often run this scan during:

  • Network audits
  • Asset discovery
  • Incident response investigations

Step 2 — Deep Scan Device

sudo nmap -sV -p- 192.168.1.15

What this command does

  • -sV → Performs service version detection.
  • -p- → Scans all 65,535 TCP ports.
  • 192.168.1.15 → Target device discovered in the previous scan.

Why this scan is important

Once a host is discovered, the next step is determining:

  • Which ports are open
  • Which services are running
  • Which software versions are installed

These details are essential for identifying potential vulnerabilities.

What to look for

  • Unexpected open ports
  • Services running outdated software
  • Administrative services exposed (SSH, RDP)

Example Security Insight

If port 22 (SSH) is open:

  • Check if SSH should be accessible.
  • Ensure strong authentication is configured.

If port 80 or 443 is open:

  • It likely hosts a web server.
  • Further testing may include web vulnerability scanning.

Security Perspective

Attackers perform these scans to find entry points. Defenders perform them to detect vulnerabilities before attackers do.

Check Public Server Ports

Organizations frequently expose web services to the internet. This lab demonstrates how to quickly test whether important ports are accessible from an external perspective.

Quick Web Server Test

nmap -p 80 example.com

What this command does

  • -p 80 → Scans only port 80 (HTTP).
  • example.com → Target domain.

Why this scan is useful

Web servers typically run on:

  • Port 80 → HTTP
  • Port 443 → HTTPS

Security analysts often perform quick checks to verify that a web service is reachable.

Possible results

  • open → The service is reachable.
  • closed → The port is reachable, but no service is listening on it.
  • filtered → A firewall is blocking the probe.

What to look for

  • Unexpected open ports
  • Services exposed that should be internal only
  • Misconfigured firewall rules

Security Example

If a server accidentally exposes admin panels or internal services to the internet, attackers may gain access to sensitive systems.

Check Database Exposure

Databases should almost never be exposed directly to the internet. This lab checks whether common database ports are publicly accessible.

nmap -Pn -p 3306,5432,1433,27017 your-external-ip

What this command does

  • -Pn → Skips host discovery and assumes the host is online.
  • -p → Specifies which ports to scan.

Common database ports

  • 3306 → MySQL
  • 5432 → PostgreSQL
  • 1433 → Microsoft SQL Server
  • 27017 → MongoDB

Why this scan is important

Exposed databases are one of the most common causes of massive data breaches. If these ports are open to the internet, attackers may attempt:

  • Password brute-force attacks
  • Data extraction
  • Remote database exploitation

What to look for

  • Ports showing open
  • Services responding unexpectedly

Ideal secure result

Most organizations expect these ports to show:

  • filtered → blocked by firewall
  • closed → service not exposed
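
One way to check a scan result against the ideal secure result above, as an added example that is not part of the original lab: the script reads Nmap's grepable output (for instance, from adding -oG - to the database scan command) and reports any of the four database ports whose state is not filtered or closed. The sample scan text, the address 203.0.113.10 and the function names are constructed for illustration.

```python
# Added example: audit Nmap grepable output for reachable database ports.
# Port-to-product mapping and acceptable states come from the lab text above.
DB_PORTS = {3306: "MySQL", 5432: "PostgreSQL",
            1433: "Microsoft SQL Server", 27017: "MongoDB"}
ACCEPTABLE_STATES = {"filtered", "closed"}

# Constructed sample in grepable layout: tab-separated fields, and each port
# entry is port/state/protocol/owner/service/rpcinfo/version/.
SAMPLE_GREPABLE = """\
# Nmap scan initiated (constructed sample)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 3306/open/tcp//mysql///, 5432/filtered/tcp//postgresql///, 1433/closed/tcp//ms-sql-s///, 27017/filtered/tcp//mongod///
# Nmap done (constructed sample)
"""


def parse_ports(grepable_text):
    """Yield (host, port, state, protocol) for every entry in a 'Ports:' field."""
    for line in grepable_text.splitlines():
        if not line.startswith("Host: "):
            continue  # comment lines and blanks carry no port data
        fields = line.split("\t")
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue  # e.g. 'Status: Up' or 'Ignored State: ...'
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.strip().split("/")
                if len(parts) >= 3 and parts[0].isdigit():
                    yield host, int(parts[0]), parts[1], parts[2]


def exposed_databases(grepable_text):
    """Return (host, port, product, state) for database ports needing review."""
    findings = []
    for host, port, state, proto in parse_ports(grepable_text):
        # Anything other than filtered/closed (open, open|filtered, ...) is flagged.
        if proto == "tcp" and port in DB_PORTS and state not in ACCEPTABLE_STATES:
            findings.append((host, port, DB_PORTS[port], state))
    return findings


if __name__ == "__main__":
    for host, port, product, state in exposed_databases(SAMPLE_GREPABLE):
        print(f"{host}:{port} ({product}) is {state}: restrict it at the firewall")
```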
