NMAP
NETWORK MAPPER — PORT SCANNING TRAINING LAB
MODULE 01 — HOST DISCOVERY · PORT SCANNING · SERVICE DETECTION · OS FINGERPRINTING

OBJECTIVES

Run a basic ping scan (-sn)
Run a SYN scan to find open ports (-sS)
Detect service versions (-sV)
Fingerprint the OS (-O)
Run an aggressive scan (-A)
Scan all 65535 ports (-p-)
Use a script scan (-sC)
Submit the pentest report
MISSION BRIEF
PENTEST ENGAGEMENT — AUTHORISED

NMAP PORT SCANNING

TARGET: 10.10.14.100 — scanme.apexlab.local

SCENARIO

You are a penetration tester at the start of an authorised engagement against Apex Lab's test server at 10.10.14.100. Your first task is reconnaissance — use Nmap to map the target's open ports, running services, and operating system before moving to exploitation phases.

TARGET

Property         Value
IP Address       10.10.14.100
Hostname         scanme.apexlab.local
Scope            Single host — all ports
Authorisation    Written — ref APX-2026-PT-04

PHASES

  • Phase 1 — Host discovery (is it alive?)
  • Phase 2 — Port scanning (what's open?)
  • Phase 3 — Service detection (what's running?)
  • Phase 4 — OS fingerprinting (what OS?)
  • Phase 5 — Aggressive / script scanning
  • Phase 6 — Full port scan
  • Phase 7 — Document and report

HINT

Always start with a ping scan to confirm the host is up before launching heavier scans. Type help in the terminal for all available commands.

REFERENCE MANUAL — NMAP
SCAN TYPES
Flag    Description
-sn     Ping scan — host discovery only, no port scan
-sS     SYN scan — stealthy, half-open (default with root)
-sT     TCP connect scan — full handshake, no root needed
-sU     UDP scan — slower, finds UDP services
-sA     ACK scan — maps firewall rules
DETECTION FLAGS
Flag    Description
-sV     Service/version detection
-O      OS detection (requires root)
-A      Aggressive: OS + version + scripts + traceroute
-sC     Default NSE scripts
PORT SELECTION
Flag               Description
-p 80,443          Specific ports
-p 1-1024          Port range
-p-                All 65535 ports
--top-ports 100    Top 100 most common ports
TIMING & PERFORMANCE
Flag          Description
-T0 to -T5    Timing template (0=paranoid, 5=insane)
-T4           Fast scan — good for local networks
OUTPUT FLAGS
Flag              Description
-oN file.txt      Normal output to file
-oX file.xml      XML output
-oG file.gnmap    Grepable output
-v / -vv          Verbose / very verbose
COMMON EXAMPLES

Quick host check:
    nmap -sn 10.10.14.100

Subnet ping sweep (find live hosts):
    nmap -sn 10.10.14.0/24

List scan (no packets sent):
    nmap -sL 10.10.14.0/24

SYN scan top ports:
    nmap -sS 10.10.14.100

Version + OS detection:
    nmap -sV -O 10.10.14.100

Full aggressive scan:
    nmap -A -T4 10.10.14.100

All ports:
    nmap -p- -T4 10.10.14.100

Script scan:
    nmap -sC -sV 10.10.14.100
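
For Phase 7, the XML written by -oX (see OUTPUT FLAGS) can be reduced to report rows with a short parser. This is an added example, not part of the lab: the function name summarise is hypothetical, and the sample XML is constructed, so its ports, versions and OS match are illustrative rather than results for 10.10.14.100.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like `nmap -sV -O -oX file.xml` output (values are made up).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX file.xml 10.10.14.100">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.10.14.100" addrtype="ipv4"/>
    <hostnames><hostname name="scanme.apexlab.local" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="443"><state state="filtered"/></port>
    </ports>
    <os><osmatch name="Linux 5.X" accuracy="95"/>
        <osmatch name="Linux 4.X" accuracy="90"/></os>
  </host>
</nmaprun>"""

def summarise(xml_text):
    """Return one dict per host: address, status, open ports, best OS guess."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        status = host.find("status")
        ports = []
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed and filtered ports are not listed as open services
            svc = port.find("service")  # absent when no service was identified
            attrs = svc.attrib if svc is not None else {}
            version = " ".join(filter(None, (attrs.get("product"), attrs.get("version"))))
            ports.append({"port": int(port.get("portid")), "protocol": port.get("protocol"),
                          "service": attrs.get("name", "unknown"), "version": version})
        # Highest-accuracy OS match, or None when -O was not run or found nothing.
        best = max(host.iterfind("os/osmatch"), key=lambda m: int(m.get("accuracy", 0)), default=None)
        hosts.append({"address": addr.get("addr") if addr is not None else None,
                      "status": status.get("state") if status is not None else "unknown",
                      "open_ports": ports, "os": best.get("name") if best is not None else None})
    return hosts

if __name__ == "__main__":
    for h in summarise(SAMPLE_XML):
        print(f"{h['address']} is {h['status']}, OS guess: {h['os']}")
        for p in h["open_ports"]:
            print(f"  {p['port']}/{p['protocol']}  {p['service']}  {p['version']}")
```

Each dictionary in open_ports maps onto the PORT, PROTOCOL, SERVICE and VERSION columns of a findings table.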
PENTEST REPORT — NMAP RECON
TARGET DETAILS
KEY SERVICES
RISK ASSESSMENT