Lab 10: Network Reconnaissance
🎯 Objective
Use nmap to perform network reconnaissance on localhost. Understand port states, service detection with -sV, script scanning with -sC, and how defenders detect scanning activity.
📚 Background
Network reconnaissance is the process of discovering hosts, ports, and services on a target network. It is the first technical step in any penetration test and what attackers do before launching attacks. Understanding reconnaissance helps defenders know what information is exposed and how to detect scanning activity.
Nmap (Network Mapper) is the industry standard for network reconnaissance. It can discover live hosts, open ports, running services, operating system versions, and run security scripts against targets. Nmap uses various scan techniques: TCP connect scans (-sT), SYN scans (-sS), UDP scans (-sU), and more.
Port states detected by nmap: open (a service is listening), closed (no service, but the host is reachable and answered), filtered (a firewall or filter is dropping the probes), open|filtered (nmap cannot tell whether the port is open or filtered, typical of UDP scans), and unfiltered (reachable, but nmap cannot tell whether it is open or closed). Understanding these states is crucial for interpreting scan results.
Nmap Scripting Engine (NSE) extends nmap with scripts for vulnerability detection, service enumeration, and exploitation. Scripts can detect default credentials, check for known CVEs, and enumerate SMB shares. The -sC flag runs the default script set.
⏱️ Estimated Time
40 minutes
📋 Prerequisites
Labs 1-9 completed
Docker with the innozverse-cybersec image
🛠️ Tools Used
nmap — Network scanner
nc — Netcat for creating test services
python3 — HTTP server for scanning targets
🔬 Lab Instructions
Step 1: Basic Host Discovery
📸 Verified Output:
💡 What this means: -sn (ping scan) checks whether a host is up without scanning ports. "Host is up" with nearly zero latency — loopback is local. On a real network, add -Pn to skip host discovery and scan anyway (some hosts block ping but still have open ports).
Step 2: Default TCP Port Scan (Top 1000 Ports)
📸 Verified Output:
💡 What this means: By default, nmap scans the 1000 most common ports. "All 1000 scanned ports are closed" — a clean system with no exposed services is a good security posture. Attackers interpret this as no easy entry points.
Step 3: Scan Specific Ports with Service Version Detection
📸 Verified Output:
💡 What this means: -sV probes open ports to determine the service and its version. nmap identified "SimpleHTTPServer 0.6 (Python 3.10.12)" — giving an attacker the exact software version to search for CVEs. Defense: suppress server banners (server_tokens off in nginx).
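As an added example (not part of the lab), the following shows the banner that Python's http.server, the scan target in this step, puts in its Server header, and a handler subclass that replaces it with a generic value; the header text and the loopback test harness are assumptions for the demo.

```python
import http.client
import threading
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

# Constructed value: reveals neither the product nor its version.
GENERIC_SERVER_HEADER = "webserver"


class QuietHandler(SimpleHTTPRequestHandler):
    """Serves files exactly like the stock handler, but the Server header
    no longer reads 'SimpleHTTP/0.6 Python/3.x.y' (what nmap -sV fingerprints)."""

    def version_string(self):
        # BaseHTTPRequestHandler builds the Server header from this method.
        return GENERIC_SERVER_HEADER

    def log_message(self, format, *args):
        pass  # keep per-request logging out of the demo output


def fetch_server_header(handler_cls):
    """Bind handler_cls to an ephemeral loopback port, send HEAD / and
    return the Server header exactly as a client (or scanner) sees it."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_address[1], timeout=5)
        conn.request("HEAD", "/")
        header = conn.getresponse().getheader("Server")
        conn.close()
        return header
    finally:
        server.shutdown()
        server.server_close()


def leaks_version(header):
    """True when the banner carries a product version an attacker could look up."""
    return header is not None and ("Python/" in header or "SimpleHTTP/" in header)


def compare_headers():
    """Return (stock_header, hardened_header) for the two handlers."""
    return fetch_server_header(SimpleHTTPRequestHandler), fetch_server_header(QuietHandler)


if __name__ == "__main__":
    stock, quiet = compare_headers()
    print("stock handler   :", stock, "<- version leaked" if leaks_version(stock) else "")
    print("hardened handler:", quiet)
```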
Step 4: Script Scan (-sC)
📸 Verified Output:
💡 What this means: The -sC flag ran NSE scripts including http-title, which retrieved the web page title: "Directory listing for /" — this tells an attacker that directory listing is enabled, exposing every file the server is sharing. Other NSE scripts check for default credentials, Heartbleed, and SMB vulnerabilities.
Step 5: Aggressive Scan (-A)
📸 Verified Output:
💡 What this means: -A (aggressive) combines version detection, script scan, OS detection, and traceroute. The http-server-header script extracted the full server banner. OS detection identified Linux. This single command gives attackers a complete picture of the target. Note: -A is noisy and easily detected by IDS/IPS.
Step 6: TCP SYN vs TCP Connect Scan
📸 Verified Output:
💡 What this means: TCP Connect (-sT) completes the full handshake and appears in application logs. SYN scan (-sS) sends SYN, receives SYN-ACK, then sends RST without completing the handshake — potentially evading application-level logging but still visible to network IDS (it also needs raw-socket privileges, so nmap falls back to -sT when run unprivileged). Modern IDS easily detects both.
Step 7: UDP Scanning
📸 Verified Output:
💡 What this means: UDP scanning is harder than TCP — there is no SYN-ACK for open UDP ports. "closed" means an ICMP port unreachable message was received. "open|filtered" means no response — the port could be open or filtered. Port 161 (SNMP) showing "closed|filtered" is good — SNMP with the default community strings "public/private" is a major vulnerability found on routers and switches.
Step 8: All-Port Scan and Output Formats
📸 Verified Output:
💡 What this means: -p- scans all 65535 ports (we used a small range for speed). Services sometimes run on non-standard ports — only scanning the top 1000 misses them. In real penetration tests, -p- is standard. Save output with -oA, which writes normal (.nmap), greppable (.gnmap) and XML (.xml) files, for later analysis with tools like Metasploit or custom scripts.
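As an added example (not part of the lab), here is a small parser for the greppable .gnmap file that -oA produces, the "custom scripts" use the text mentions; the sample output below is constructed to mirror this lab's target and is not a real scan.

```python
import re

# Constructed .gnmap text in the format nmap -oA/-oG writes; not captured from a real scan.
SAMPLE_GNMAP = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 127.0.0.1 (localhost)\tStatus: Up\n"
    "Host: 127.0.0.1 (localhost)\tPorts: 22/closed/tcp//ssh///, "
    "8000/open/tcp//http//SimpleHTTPServer 0.6 (Python 3.10.12)/, "
    "8080/filtered/tcp//http-proxy///\tIgnored State: closed (997)\n"
    "# Nmap done (constructed sample)\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")
# Port specs are comma separated; split only where the next spec (digits + '/') begins,
# so commas inside a version string do not break the record.
PORT_SPLIT_RE = re.compile(r",\s*(?=\d+/)")


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "ports": [record, ...]}} from greppable output.
    Each record is port/state/proto/owner/service/rpc-info/version, the 7 gnmap fields."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '#' comment lines carry no host data
        fields = line.split("\t")
        ip, hostname = HOST_RE.match(fields[0]).groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "ports": []})
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue  # e.g. "Status: Up" or "Ignored State: ..."
            for spec in PORT_SPLIT_RE.split(field[len("Ports:"):].strip()):
                parts = spec.split("/", 6)  # keep any '/' inside the version text intact
                entry["ports"].append({
                    "port": int(parts[0]), "state": parts[1], "proto": parts[2],
                    "service": parts[4], "version": parts[6].rstrip("/"),
                })
    return hosts


def open_services(hosts):
    """(ip, port, proto, service, version) for every open port: the triage list."""
    return [(ip, p["port"], p["proto"], p["service"], p["version"])
            for ip, h in hosts.items() for p in h["ports"] if p["state"] == "open"]


def versioned_services(hosts):
    """Open ports where nmap captured a version banner: the ones worth suppressing."""
    return [rec for rec in open_services(hosts) if rec[4]]


if __name__ == "__main__":
    for rec in open_services(parse_gnmap(SAMPLE_GNMAP)):
        print(rec)
```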
Step 9: NSE Scripts for Security Testing
📸 Verified Output:
💡 What this means: NSE has 600+ scripts covering everything from brute-forcing to vulnerability detection. --script smb-vuln-ms17-010 checks for EternalBlue — the vulnerability exploited by WannaCry ransomware. These scripts dramatically expand nmap from a port scanner to a lightweight vulnerability scanner.
Step 10: Detecting Port Scans (Defender Perspective)
📸 Verified Output:
💡 What this means: Well-monitored networks detect port scans in seconds. Cloud providers (AWS, Azure) have built-in scanning detection and will block your IP. Honeypot ports (ports that should never receive traffic) are especially useful — any connection to them is immediately suspicious. Canary tokens and HoneyBadger implement this pattern.
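As an added example (not part of the lab), the detection logic below implements the two ideas in this step over constructed firewall log lines: many distinct destination ports from one source within a short window, and any contact with a honeypot port. The log format imitates iptables LOG output, and the addresses, thresholds and honeypot port are assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed iptables-style LOG lines (kernel log format, all values invented).
SAMPLE_LOG = """\
Mar 03 10:15:01 gw kernel: FW-LOG IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.10 PROTO=TCP SPT=43210 DPT=22 SYN URGP=0
Mar 03 10:15:01 gw kernel: FW-LOG IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.10 PROTO=TCP SPT=43211 DPT=80 SYN URGP=0
Mar 03 10:15:01 gw kernel: FW-LOG IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.10 PROTO=TCP SPT=43212 DPT=443 SYN URGP=0
Mar 03 10:15:02 gw kernel: FW-LOG IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.10 PROTO=TCP SPT=43213 DPT=8000 SYN URGP=0
Mar 03 10:15:02 gw kernel: FW-LOG IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.10 PROTO=TCP SPT=43214 DPT=3306 SYN URGP=0
Mar 03 10:15:03 gw kernel: FW-LOG IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.10 PROTO=TCP SPT=43215 DPT=5432 SYN URGP=0
Mar 03 10:15:20 gw kernel: FW-LOG IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.10 PROTO=TCP SPT=51000 DPT=443 SYN URGP=0
Mar 03 10:15:25 gw kernel: FW-LOG IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.10 PROTO=TCP SPT=51001 DPT=443 SYN URGP=0
Mar 03 10:16:40 gw kernel: FW-LOG IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.10 PROTO=TCP SPT=60000 DPT=9999 SYN URGP=0
"""

HONEYPOT_PORTS = {9999}  # assumed: nothing legitimate listens here, so any hit is suspicious

LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) .*?SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")


def parse_log(text):
    """Return [(timestamp, src, proto, dst_port), ...] from iptables-style log lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:  # syslog stamps carry no year; deltas within one run are still correct
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["src"], m["proto"], int(m["dpt"])))
    return events


def detect_scans(events, window_s=10, distinct_ports=5, honeypot_ports=HONEYPOT_PORTS):
    """Return sorted [(src, rule, detail)], one alert per source and rule, raised at the
    first event that trips it. Rules: 'port-scan' (>= distinct_ports different destination
    ports from one source inside window_s seconds) and 'honeypot' (any honeypot port hit)."""
    alerts, recent = {}, defaultdict(list)  # recent[src] = [(ts, port)] inside the window
    for ts, src, proto, dpt in sorted(events):
        if dpt in honeypot_ports:
            alerts.setdefault((src, "honeypot"), f"{proto} probe to honeypot port {dpt} at {ts:%H:%M:%S}")
        hits = recent[src]
        hits.append((ts, dpt))
        while (ts - hits[0][0]).total_seconds() > window_s:
            hits.pop(0)  # slide the window forward
        ports = {p for _, p in hits}
        if len(ports) >= distinct_ports:
            alerts.setdefault((src, "port-scan"), f"{len(ports)} distinct ports within {window_s}s, detected at {ts:%H:%M:%S}")
    return sorted((src, rule, detail) for (src, rule), detail in alerts.items())


if __name__ == "__main__":
    for alert in detect_scans(parse_log(SAMPLE_LOG)):
        print(alert)
```

The repeated connections from 10.0.0.7 to a single port never trip either rule, which is the distinction a noisy-but-legitimate client needs.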
✅ Verification
📸 Verified Output:
🚨 Common Mistakes
Scanning without authorization: Port scanning systems you don't own or have permission to test is illegal in many jurisdictions. Always get written authorization.
Only scanning top 1000 ports: Real services run on non-standard ports. Use -p- to scan all 65535 ports for comprehensive coverage.
Ignoring UDP ports: Critical services like DNS (53), SNMP (161), and DHCP (67/68) use UDP. A TCP-only scan misses these.
📝 Summary
Nmap is the industry standard for network reconnaissance; -sV detects service versions, -sC runs security scripts, -A combines all for comprehensive results
Open ports reveal running services; service version detection enables CVE searching; script scanning detects specific vulnerabilities
All reconnaissance leaves traces; defenders use fail2ban, IDS/IPS, and SIEM correlation to detect and block scanning
Always obtain written authorization before scanning; unauthorized scanning violates laws and terms of service
🔗 Further Reading