Port Scanning Mastery
Eight modules. Every scanning technique from host discovery to firewall evasion. Each skill practised against a live running lab — hands-on assignments, not theory. The scanning foundation every professional pentester builds first.
The Scanning Methodology
The four-phase recon workflow used by professional pentesters on every engagement.
Phase 1 — Host Discovery
Identify what's alive before spending time on dead IPs.
On a LAN, ARP (-PR) is fastest. Over a routed network use ICMP + TCP probes.
Against hardened hosts, -Pn treats every IP as alive — expensive but necessary when ICMP is blocked.
nmap -sn 10.10.10.0/24 # Ping sweep
nmap -PS22,80,443 -sn TARGET # TCP SYN probe
nmap -PU53,161 -sn TARGET # UDP probe
nmap -Pn TARGET # Skip discovery
Phase 2 — Port Scanning
Start fast: masscan or nmap -p- to find every open port.
Then hand just the open ports to nmap for deep inspection.
Never run -sV against all 65535 — it takes forever.
# Step 1: find open ports fast
nmap -p- --min-rate 5000 --open -T4 TARGET -oN ports.txt
# Step 2: deep scan only open ports
ports=$(grep '^[0-9]' ports.txt | cut -d/ -f1 | tr '\n' ',')   # quote the pattern so the shell cannot glob-expand [0-9]
nmap -sC -sV -p$ports TARGET -oN detailed.txt
Phase 3 — Service Fingerprinting
Version detection (-sV) plus the default scripts (-sC) turns a port number into actionable intelligence. Cross-reference every version against CVE databases before touching an exploit.
nmap -sC -sV -p22,80,443 TARGET
searchsploit "OpenSSH 7.4"
searchsploit "Apache 2.4.49"
searchsploit "vsftpd 2.3.4"
Phase 4 — Targeted NSE Scripts
After version detection, run protocol-specific scripts to extract live data. SMTP user enumeration, LDAP dumps, SMB share lists, MySQL empty-password checks — each takes seconds and often hands you a foothold without touching an exploit.
nmap --script=smtp-enum-users TARGET -p25
nmap --script=ldap-search TARGET -p389
nmap --script=smb-enum-shares TARGET -p445
nmap --script=mysql-empty-password TARGET -p3306
nmap --script=redis-info TARGET -p6379
The Eight Modules
Complete them in order. Each module has paced hands-on assignments — finish all tasks before moving to the next.
Host Discovery
Before you scan ports you need to know what's alive. Master nmap's ping sweep techniques — ICMP echo, TCP SYN ping, ARP (local), and no-ping mode for firewalled hosts. DNS and SNMP labs provide realistic live targets.
- nmap -sn (ping sweep) — ICMP echo + TCP ACK to 80/443
- nmap -PR (ARP ping, Layer 2 LAN only)
- nmap -Pn (skip host discovery — treat all as online)
- nmap -PS/-PA/-PU (TCP SYN / ACK / UDP probe ports)
- fping -a -g (fast ICMP sweep of a CIDR range)
- netdiscover -r (passive ARP on LAN)
Hands-on assignments for this module are available to Premium members.
TCP Port Scanning
The four TCP scan types every tester needs — SYN (stealth), Connect, NULL/FIN/Xmas for firewall probing, and ACK for rule-set mapping. Run them against real SSH, HTTP, and Telnet services.
- nmap -sS (SYN/half-open) — fastest, requires raw socket / root
- nmap -sT (full TCP connect) — unprivileged, leaves auth log entries
- nmap -sN / -sF / -sX (NULL / FIN / Xmas) — RST=closed, no reply=open|filtered
- nmap -sA (ACK scan) — maps stateful firewall rules, not open ports
- nmap -sW (Window scan) — exploits quirk in TCP window field
- Understanding SYN-ACK vs RST vs ICMP port-unreachable responses
- Interpreting open / closed / filtered / open|filtered states
Hands-on assignments for this module are available to Premium members.
UDP Scanning
UDP services are ignored by beginners and examined by examiners. SNMP (161), TFTP (69), DNS (53), and SYSLOG (514) all run UDP. Learn to interpret nmap's notoriously slow UDP results and speed them up.
- nmap -sU (UDP scan) — ICMP port-unreachable = closed, no reply = open|filtered
- nmap -sU --open (show only open/open|filtered)
- Combining UDP + TCP: nmap -sU -sS -p U:161,T:22,80
- Speeding up UDP: --min-rate, --max-retries 1, top ports
- snmpwalk -v2c -c public (confirm SNMP is open and readable)
- tftp <host> (connect and GET to confirm TFTP open)
- unicornscan -mU (alternative fast UDP scanner)
Hands-on assignments for this module are available to Premium members.
Service & Version Detection
Banner grabbing tells you the software, version, and sometimes OS in seconds. Combine -sV with targeted scripts to pull credentials, certs, and config from live services.
- nmap -sV (version intensity 0–9, default 7)
- nmap -sV --version-intensity 9 (max probes)
- nmap -sV --version-light (fast, less accurate)
- Banner grabbing: nc -nv <ip> <port> / telnet <ip> <port>
- Banner grabbing: curl -v (HTTP) / openssl s_client (TLS)
- Reading nmap service fingerprints (nmap-service-probes)
- Mapping version → CVE: searchsploit / exploit-db.com / NVD
Hands-on assignments for this module are available to Premium members.
OS Detection
TCP/IP stack fingerprinting identifies the remote OS without any authentication. Understand the probes nmap sends and how to interpret ambiguous results on containers and VMs.
- nmap -O (OS detection, requires root)
- nmap -O --osscan-guess (aggressive guess when fingerprint is partial)
- nmap -O --osscan-limit (skip if fewer than 1 open + 1 closed port)
- Reading OS CPE strings: cpe:/o:linux:linux_kernel:5.4
- Why containers skew OS detection (shared kernel)
- xprobe2 (alternative OS fingerprinter)
- Passive OS fingerprinting: p0f
Hands-on assignments for this module are available to Premium members.
NSE Scripting Engine
nmap's 600+ scripts turn a port scanner into an exploitation assistant. Learn the script categories, how to write targeted checks, and how to extract live data from SMTP, LDAP, SMB, MySQL, and Redis.
- nmap --script=<name|wildcard|category>
- Script categories: auth, brute, default, discovery, exploit, safe, vuln
- smtp-enum-users, smtp-vrfy, smtp-open-relay
- ldap-search, ldap-rootdse, ldap-brute
- smb-enum-shares, smb-enum-users, smb-vuln-ms17-010
- mysql-info, mysql-empty-password, mysql-brute
- redis-info, redis-brute, redis-config (unauthorized RCE check)
- nmap --script-help <name> / --script-args / --script-trace
- Writing a custom NSE rule in Lua (basics)
Hands-on assignments for this module are available to Premium members.
Fast & Mass Scanning
When you need to scan /16 subnets or 65535 ports in seconds, masscan and RustScan are your tools. Learn their syntax, how to tune rate/source-port, and how to feed their output back into nmap for deep inspection.
- masscan -p0-65535 --rate=10000 (all ports, controlled rate)
- masscan --banners (grab banner during scan)
- masscan -oX / -oJ / -oL (XML / JSON / list output)
- rustscan -a <ip> -- -sV -sC (pipe open ports into nmap)
- nmap -p- --min-rate 5000 --open -T4 (fast all-port nmap)
- nmap --top-ports 1000 / --top-ports 100
- Combining tools: masscan finds open ports → nmap does -sV on them
- Rate limiting to avoid triggering IDS/IPS
Hands-on assignments for this module are available to Premium members.
Firewall & IDS Evasion
Real engagements have stateful firewalls, IDS rules, and rate limiters. Learn fragmentation, decoys, source-port spoofing, timing manipulation, and idle/zombie scans to get accurate results through defensive layers.
- nmap -f / --mtu (fragment IP packets)
- nmap -D RND:10 (random decoy IPs in packet source)
- nmap --source-port 53/80/443 (spoof source port past firewall rules)
- nmap -T0 / -T1 (paranoid / sneaky timing — slow but quiet)
- nmap --scan-delay / --max-scan-delay
- nmap -sI <zombie> (Idle/IPID scan — completely blind/spoofed)
- nmap --data-length <n> (append random data to packets)
- hping3 --scan (low-level TCP crafting)
- Understanding IDS signatures and how scan timing defeats them
Hands-on assignments for this module are available to Premium members.
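As an added defender-side illustration (not part of the course material) of why scan timing matters to IDS thresholds: a sliding-window port-scan detector run over constructed iptables-LOG-style lines. A burst scan trips a "15 distinct ports in 60 seconds" rule, while a -T0-paced scan (5 min/probe, as in the timing table) only appears once the window is widened to hours. The log line format, addresses, port list and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed iptables-LOG-style line: ISO timestamp first, then SRC=/DPT= fields (not a real capture).
LINE_RE = re.compile(r"^(\S+) .*SRC=(\S+) .*DPT=(\d+)")

def make_probes(src, ports, start, gap):
    """Build one constructed SYN log line per port, spaced `gap` apart (sample data only)."""
    return [f"{(start + i * gap).isoformat()} kernel: IN=eth0 SRC={src} DST=10.10.10.5 "
            f"PROTO=TCP SPT={40000 + i} DPT={p} SYN" for i, p in enumerate(ports)]

def detect_scans(lines, window, threshold):
    """Flag each source that touches >= `threshold` distinct destination ports
    inside any sliding `window`; returns {src: time of first detection}."""
    recent = defaultdict(deque)          # src -> (time, port) pairs, oldest first
    flagged = {}
    for line in sorted(lines):           # ISO timestamps sort chronologically as text
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, port = datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))
        q = recent[src]
        q.append((ts, port))
        while ts - q[0][0] > window:     # expire probes that fell out of the window
            q.popleft()
        if src not in flagged and len({p for _, p in q}) >= threshold:
            flagged[src] = ts
    return flagged

PORTS = list(range(21, 41))                                               # 20 distinct ports
T0 = datetime(2024, 5, 1, 10, 0, 0)
FAST = make_probes("10.0.0.50", PORTS, T0, timedelta(milliseconds=100))  # -T4-style burst
SLOW = make_probes("10.0.0.51", PORTS, T0, timedelta(minutes=5))         # -T0-style, 5 min/probe

def demo():
    """Same traffic, two rule windows: 15 ports in 60 s versus 15 ports in 2 h."""
    short = detect_scans(FAST + SLOW, timedelta(seconds=60), 15)
    wide = detect_scans(FAST + SLOW, timedelta(hours=2), 15)
    return sorted(short), sorted(wide)

if __name__ == "__main__":
    print(demo())
```

The slow scanner is only caught because the wide window tolerates more state per source; that trade-off between memory and sensitivity is exactly what a -T0 scan is betting on.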
Quick Reference Cheat Sheet
The commands you run at the start of every engagement — copy this to your playbook.
Standard Engagement Opening
# 1. Host discovery (ICMP + TCP + UDP probes)
nmap -PE -PS22,80,443 -PA80 -PU53,161 -sn \
TARGET/24 -oG alive.gnmap
grep "Up" alive.gnmap | cut -d' ' -f2 > hosts.txt
# 2. Fast all-port scan
nmap -p- --min-rate 5000 --open -T4 \
-iL hosts.txt -oN allports.txt
# 3. Service + script scan on open ports
ports=$(grep '^[0-9]' allports.txt | cut -d/ -f1 \
| sort -u | tr '\n' ',')
nmap -sC -sV -p$ports -iL hosts.txt \
-oA detailed
# 4. UDP top-200
sudo nmap -sU --top-ports 200 \
-iL hosts.txt -oN udp.txt
nmap Timing Templates
nmap -T0 # Paranoid — 5 min/probe (IDS evasion)
nmap -T1 # Sneaky — 15 sec/probe
nmap -T2 # Polite — 0.4 sec/probe
nmap -T3 # Normal — adaptive (default)
nmap -T4 # Aggressive — 10ms min RTT (exam default)
nmap -T5 # Insane — fastest, unreliable on WAN
# Fine-grained
--min-rate 5000 # min packets/sec
--max-retries 2 # reduce for speed
--host-timeout 30s # skip slow hosts
Essential Flags Reference
-sS # SYN scan (root, default for TCP)
-sU # UDP scan
-sV # Version detection
-sC # Default NSE scripts
-O # OS detection
-A # All: -O -sV -sC --traceroute
-p- # All 65535 ports
--open # Show only open ports
--reason # Show why state was assigned
-v / -vv # Verbose / very verbose
-n # No DNS resolution
-oA output # Save all three formats
-iL file # Read targets from file
Post-Scan Analysis Workflow
# Extract all open TCP ports from grepable output
grep "Ports:" scan.gnmap | \
grep -oP '\d+/open/tcp' | \
cut -d/ -f1 | sort -n
# Import XML into Metasploit
msf> db_import scan.xml
# Parse with python-libnmap
pip install python-libnmap
python3 -c "
from libnmap.parser import NmapParser
r = NmapParser.parse_fromfile('scan.xml')
for h in r.hosts:
    for s in h.services:
        if s.state == 'open':
            print(f'{h.address}:{s.port}/{s.protocol} {s.service}')
"