Table of Contents:
  • Introduction

  • Quick Recap of Part 1

  • What You’ll Learn in This Part

  • SYN Scan Deep Dive (-sS)

  • Full Port Range Scans (-p-)

  • Service and Version Detection (-sV)

  • Interpreting Nmap Output

  • Saving and Formatting Results (-oN, -oG, -oX)

  • Common Use Cases in Real Pentests

  • Next Steps (Preview of Part 3)


Introduction

Welcome to Part 2 of our Nmap Deep-Dive Series! In Part 1, we covered the basics — from what Nmap is, to how to install it across different operating systems, and how to run your very first scans.

We explored Nmap’s role in reconnaissance, including SYN scanning, enumeration, and the importance of mapping out internet-facing hosts early in an engagement.

Now that you’ve got the fundamentals down, it’s time to level up. In this tutorial, we’ll explore advanced scan types, dive deeper into full port scanning, learn how to fingerprint services more precisely, and begin interpreting real-world scan results.

Recap: What We Covered in Part 1
  • What is Nmap and why it’s essential in pentesting

  • How to install Nmap on Linux, macOS, and Windows

  • Basic usage and lab setup

  • SYN scans (-sS) and interpreting port states

  • The importance of active reconnaissance

SYN Scan Deep Dive (-sS)

The SYN scan is Nmap's default when run with root privileges and the workhorse of TCP discovery. Nmap sends a raw TCP SYN and classifies the port by what comes back: a SYN/ACK means open, a RST means closed, and no answer at all (or an ICMP unreachable error) means filtered, usually because a firewall silently dropped the probe. Nmap never sends the final ACK of the handshake; when it gets a SYN/ACK it tears the half-open connection down with a RST.

nmap -sS 192.168.96.129

Why use it:

Doesn't complete the TCP handshake, so the listening application never sees a connection and usually does not log one

Fast: one packet out and one packet back per port

Needs raw-socket privileges (root or sudo); without them Nmap silently falls back to a full-connect scan (-sT), which the application does see and can log

The "stealthy" label is relative. A SYN scan is still obvious to any firewall or IDS that watches packet rates and half-open connections, so do not rely on it to go unnoticed.

In the lab, the scan of 192.168.96.129 reveals a wide range of open ports and active services on the target host, a starting point for further enumeration and potential exploitation.

What You’ll Learn in Part 2
  • How to scan all 65,535 ports

  • How to detect running services and versions

  • How to save and format scan results for reporting

  • How to chain Nmap with other tools

  • Real-world examples used in bug bounty & pentest workflows


Full TCP Port Scanning with -p-

By default, Nmap scans only the 1,000 most common TCP ports (ranked by how often they are seen open, from the nmap-services file). A service listening on an unusual port is simply never probed, so you could be missing something critical.

Why Use -p-?

Hidden services often live outside the default range. Admin panels, debug services, old APIs, and dynamically assigned RPC listeners can sit on high ports that a default scan never touches.

nmap -sS -p- -T4 192.168.96.129

-sS → SYN scan

-p- → Scan all 65,535 TCP ports (1 through 65535; use -p0- if you also want port 0)

-T4 → Aggressive timing for faster results; fine on a lab network, but on a slow or lossy link it can make Nmap miss ports, so rescan anything surprising at -T3

Expect a full-range scan to take noticeably longer than the default. The -sS -sV -p- run shown later in this post took about 135 seconds against a VM on the same host, and a real network adds latency on every probe. Note also that -p- covers TCP only: UDP services (DNS, SNMP, NFS portmap) need a separate -sU scan.
Service & Version Detection with -sV

Once open ports are found, the next step is to figure out what's actually running behind them.

nmap -sV 192.168.96.129

It sends protocol-specific probes to each open port and matches the replies against Nmap's nmap-service-probes database, reporting product, version, and extra details such as the protocol version or hostname

Great for matching with known vulnerabilities (CVE search), but treat the version string as a fingerprint match rather than ground truth: confirm it by hand before you report a CVE against it

Because -sV actually talks to each service, it is far noisier than a bare SYN scan and will show up in application logs

The use of -sV enables Nmap's version detection engine to identify service banners and fingerprint running applications. In this scan, several exploitable services are exposed, including legacy versions of vsftpd, Apache, MySQL, Samba, and VNC. Combined with -sS, this provides a solid baseline for service enumeration.

Combine it:

nmap -sS -sV -p- 192.168.96.129

The scan combines -sS for half-open probing, -sV for banner grabbing and service fingerprinting, and -p- to bypass the top 1,000-port limitation and enumerate the full TCP range. The result is a comprehensive attack surface map, exposing both standard services (e.g., SSH, HTTP, MySQL) and risky legacy services (e.g., Telnet, RSH, VNC, RPC).

Ideal for deep enumeration during internal assessments or vulnerability research in lab environments.


Command breakdown:

-sS  TCP SYN scan (a "half-open" scan)
-sV  Service version detection (tries to identify what software is running on open ports)
-p-  Scan all 65,535 TCP ports instead of the default top 1,000
192.168.96.128  Target IP address

This command tells Nmap to:

Perform a SYN scan

Identify versions of services running

Check every TCP port, from 1 to 65535, on the host at 192.168.96.128

The output:

Nmap version: 7.95

Target host: 192.168.96.128

Host is up: 0.000017s latency (17 microseconds), which is what you would expect from a VM on the same hypervisor as the scanner

Closed ports: every port not listed below answered with a RST (the standard "nothing is listening here" response), so Nmap collapses them into a single "Not shown" line instead of printing each one

Open Ports Section:

PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.4
22/tcp    open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp    open  telnet      Linux telnetd
25/tcp    open  smtp        Postfix smtpd
53/tcp    open  domain      ISC BIND 9.4.2
80/tcp    open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp   open  rpcbind     2 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp   open  exec        netkit-rsh rexecd
513/tcp   open  login       OpenBSD or Solaris rlogind
514/tcp   open  tcpwrapped
1099/tcp  open  java-rmi    GNU Classpath grmiregistry
1524/tcp  open  bindshell   Metasploitable root shell
2049/tcp  open  nfs         2-4 (RPC #100003)
2121/tcp  open  ftp         ProFTPD 1.3.1
3306/tcp  open  mysql       MySQL 5.0.51a-3ubuntu5
3632/tcp  open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp  open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp  open  vnc         VNC (protocol 3.3)
6000/tcp  open  X11         (access denied)
6667/tcp  open  irc         UnrealIRCd
6697/tcp  open  irc         UnrealIRCd
8009/tcp  open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
8787/tcp  open  drb         Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
48927/tcp open  status      1 (RPC #100024)
52514/tcp open  mountd      1-3 (RPC #100005)
59456/tcp open  java-rmi    GNU Classpath grmiregistry
60620/tcp open  nlockmgr    1-4 (RPC #100021)
MAC Address: 00:0C:29:CB:10:D8 (VMware)
Service Info: Hosts: metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 135.18 seconds
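A few things in that table deserve a second look before anything else: FTP, Telnet, and the r-services (exec, login) all carry credentials in cleartext; port 514 came back tcpwrapped, meaning the connection was accepted and immediately closed, usually an ACL rather than a dead service; port 1524 matched a bind-shell signature; and the four RPC listeners above 48000 only appear because of -p-. Reading this by hand is fine for one host, but a real engagement produces dozens of these files. The Python script below is an added example, not code from the original post, that parses the port lines of an -oN file into records and applies triage rules for exactly those cases. The sample input is a subset of the output above; the rules and their wording are this example's own choices, not anything Nmap reports.

```python
import re

# Sample input: a subset of the -sS -sV -p- output shown above, as it appears
# in an -oN file (surrounding lines are kept to show that they are skipped).
SAMPLE_NORMAL_OUTPUT = """\
Nmap scan report for 192.168.96.128
Host is up (0.000017s latency).
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.4
22/tcp    open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp    open  telnet      Linux telnetd
80/tcp    open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
512/tcp   open  exec        netkit-rsh rexecd
513/tcp   open  login       OpenBSD or Solaris rlogind
514/tcp   open  tcpwrapped
1524/tcp  open  bindshell   Metasploitable root shell
3306/tcp  open  mysql       MySQL 5.0.51a-3ubuntu5
5900/tcp  open  vnc         VNC (protocol 3.3)
6000/tcp  open  X11         (access denied)
MAC Address: 00:0C:29:CB:10:D8 (VMware)
"""

# One port line: "<port>/<proto>  <state>  <service>  [<version ...>]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*\S))?\s*$"
)

# Services whose login credentials cross the wire unencrypted.
CLEARTEXT_LOGIN = {"ftp": "FTP", "telnet": "Telnet", "exec": "rexec",
                   "login": "rlogin", "shell": "rsh"}


def parse_normal_output(text):
    """Return one dict per port line; header, host and MAC lines are ignored."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        rec["version"] = rec["version"] or ""   # tcpwrapped has no version column
        ports.append(rec)
    return ports


def triage(ports):
    """Map port number -> triage notes for open ports that deserve a second look.

    The rules are illustrative heuristics written for this tutorial, not Nmap output.
    """
    findings = {}
    for rec in ports:
        if rec["state"] != "open":
            continue
        svc, version, notes = rec["service"], rec["version"], []
        if svc in CLEARTEXT_LOGIN:
            notes.append(f"{CLEARTEXT_LOGIN[svc]}: credentials are sent in cleartext")
        if svc == "tcpwrapped":
            notes.append("connection accepted then closed: likely an ACL (TCP Wrappers); "
                         "re-probe from an allowed source or by hand")
        if svc == "bindshell":
            notes.append("matched a bind-shell signature: treat as a backdoor, not a service")
        if svc == "vnc" and "protocol 3.3" in version:
            notes.append("RFB 3.3 offers only 'none' or DES challenge auth: confirm a password is set")
        if not version and svc != "tcpwrapped":
            notes.append("no version match: grab the banner manually")
        if notes:
            findings[rec["port"]] = notes
    return findings


if __name__ == "__main__":
    for port, notes in sorted(triage(parse_normal_output(SAMPLE_NORMAL_OUTPUT)).items()):
        for note in notes:
            print(f"{port:>5}/tcp  {note}")
```

Run it against a saved -oN file by reading the file into `parse_normal_output` instead of the sample string. The point of the regex is that it keys on the `port/proto` prefix, so the "Not shown", "MAC Address" and "Service Info" lines fall through without special casing.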

Saving & Formatting Scan Results

When performing network scans with Nmap, saving the output in the right format is critical for reporting, scripting, and tool integration. Nmap supports multiple output formats:

Normal Output Format (-oN)

nmap -sS -oN output.txt 192.168.96.129

This saves all scan results in a human-readable format to a file named output.txt.

The file closely mirrors what you see in the terminal, which makes it ideal for inclusion in reports or for quick reviews, but its layout is meant for people rather than parsers.

Grepable Output Format (-oG)

nmap -sS -oG greppable.txt 192.168.96.129

This saves the results in a grep-friendly format: one line per host, with every port packed into a tab-separated "Ports:" field as port/state/protocol/owner/service/rpcinfo/version entries. It is convenient for quick one-liners with grep, awk, or Bash scripts, although Nmap's own documentation marks the format as deprecated in favour of XML.

Example usage:

grep "/open/" greppable.txt

Because all of a host's ports share one line, this prints the entire host line rather than one port per line; split the Ports field on its commas first if you want a per-port listing.

XML Output Format (-oX)

nmap -sS -oX xml_output.xml 192.168.96.129

This saves the scan results in XML format, the most complete and stable of the three, which is useful for importing into other security tools like:

  • Metasploit (via db_import)

  • EyeWitness

  • Dradis

  • Faraday

  • Nmap's bundled XSL stylesheet, which renders the XML as an HTML report (for example with xsltproc)

To write all three formats in one run, use -oA with a base name; -oA scan produces scan.nmap, scan.gnmap, and scan.xml.

To view the output directly in the terminal, use the cat command:

cat xml_output.xml
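As an added example that is not part of the original post, the script below reads the same scan from both the grepable and the XML formats into one common record shape and checks that they agree. Both inputs are constructed here to resemble what -oG and -oX write for a few ports of the lab host (the XML declaration and DOCTYPE lines Nmap emits are omitted); they are not real captures. It shows why XML is the format to hand to other tools: the grepable parser has to know that fields are tab-separated and that every port entry is port/state/protocol/owner/service/rpcinfo/version, while the XML carries that structure in named attributes.

```python
import xml.etree.ElementTree as ET

# Constructed -oG sample (not a real capture). Each host gets one "Ports:" line;
# entries are port/state/protocol/owner/service/rpcinfo/version/ separated by ", ".
SAMPLE_GREPABLE = (
    "# Nmap 7.95 scan initiated Mon Jun  2 10:00:00 2025 as: "
    "nmap -sS -sV -p- -oG greppable.txt 192.168.96.129\n"
    "Host: 192.168.96.129 ()\tStatus: Up\n"
    "Host: 192.168.96.129 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, "
    "23/open/tcp//telnet//Linux telnetd/, 25/filtered/tcp//smtp///"
    "\tIgnored State: closed (65531)\n"
    "# Nmap done at Mon Jun  2 10:02:15 2025 -- 1 IP address (1 host up) "
    "scanned in 135.18 seconds\n"
)

# Constructed -oX sample for the same four ports (header lines omitted).
SAMPLE_XML = """\
<nmaprun scanner="nmap" args="nmap -sS -sV -p- -oX xml_output.xml 192.168.96.129" version="7.95">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.96.129" addrtype="ipv4"/>
<address addr="00:0C:29:CB:10:D8" addrtype="mac" vendor="VMware"/>
<ports>
<port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>
  <service name="ftp" product="vsftpd" version="2.3.4" method="probed" conf="10"/></port>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
  <service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1" extrainfo="protocol 2.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/>
  <service name="telnet" product="Linux telnetd" method="probed" conf="10"/></port>
<port protocol="tcp" portid="25"><state state="filtered" reason="no-response"/>
  <service name="smtp" method="table" conf="3"/></port>
</ports>
</host>
</nmaprun>
"""


def parse_grepable(text):
    """Records from -oG output; comment lines and 'Status:' lines are skipped."""
    records = []
    for line in text.splitlines():
        if line.startswith("#") or "\tPorts: " not in line:
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t"))
        host = fields["Host"].split(" ", 1)[0]          # "1.2.3.4 (hostname)" -> "1.2.3.4"
        for entry in fields["Ports"].split(", "):
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            records.append({"host": host, "port": int(port), "proto": proto,
                            "state": state, "service": service, "version": version})
    return records


def _version_string(svc):
    """Rebuild the VERSION column from the XML service attributes."""
    text = " ".join(p for p in (svc.get("product"), svc.get("version")) if p)
    if svc.get("extrainfo"):
        text = f"{text} ({svc.get('extrainfo')})".strip()
    return text


def parse_xml(text):
    """Records from -oX output, in the same shape as parse_grepable."""
    records = []
    for host in ET.fromstring(text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.iter("port"):
            svc = port.find("service")
            records.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": port.find("state").get("state"),
                "service": svc.get("name") if svc is not None else "",
                "version": _version_string(svc) if svc is not None else "",
            })
    return records


def open_ports(records):
    """Sorted (port, proto, service) triples for open ports only."""
    return sorted((r["port"], r["proto"], r["service"])
                  for r in records if r["state"] == "open")


if __name__ == "__main__":
    g, x = parse_grepable(SAMPLE_GREPABLE), parse_xml(SAMPLE_XML)
    print("grepable and XML agree:", g == x)
    for port, proto, service in open_ports(x):
        print(f"{port}/{proto}\t{service}")
```

Note that `open_ports` filters on the exact state string; a plain `grep "/open/"` against the grepable file also matches `open|filtered` entries, which is a different claim about the port.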

Common Use Cases in Real Pentests

In real-world testing (or bug bounty), Nmap is your recon backbone. Here's how it's used:

Situations where Nmap excels:

  • Finding forgotten dev/staging servers

  • Enumerating misconfigured databases or FTP

  • Identifying weak crypto on TLS services

  • Detecting old versions of CMS, Apache, MySQL

  • Mapping exposed internal services during lateral movement

Example:

nmap -sS -p- -sV --script=http-enum,ssl-enum-ciphers 192.168.96.129

This command performs:

A full TCP port scan (-p-)

SYN scan (-sS)

Service/version detection (-sV)

Nmap Scripting Engine (NSE) scans for:

HTTP service enumeration (http-enum), which requests a long list of known paths on every web port; it is noisy and categorised as intrusive, so make sure it is within scope

TLS cipher suite analysis (ssl-enum-ciphers) on every port that version detection identified as TLS-wrapped

Scan Results Breakdown

SSL/TLS Cipher Enumeration (ssl-enum-ciphers)

Lists every protocol version the server accepts and, for each one, the cipher suites it will negotiate, the key exchange parameters (RSA key size, DH group, or curve), and a letter grade per suite

Flags 64-bit block ciphers such as 3DES (the Sweet32 birthday attack), RC4, export-grade suites, and SSLv3 CBC suites (the POODLE padding-oracle attack), and warns when the server lets the client choose the cipher order instead of enforcing its own

Use this to identify systems still accepting deprecated SSLv3, TLS 1.0, or TLS 1.1, still offering weak 40/56-bit export keys, or lacking forward-secrecy (ECDHE/DHE) suites.
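To show what the script's listing looks like and how to turn it into findings, here is an added Python example (not from the original post and not part of Nmap) that parses ssl-enum-ciphers output and applies the checks listed above. The input is a constructed sample in the script's normal-output layout, for a server that still offers TLS 1.0 with 3DES and RC4; it is not a capture from the lab host. The findings logic is the example's own and is deliberately simpler than the letter grades the script itself computes.

```python
import re

# Constructed sample in the layout ssl-enum-ciphers uses in normal output, for a
# server still offering TLS 1.0 with 3DES and RC4. Not a capture from the lab host.
SAMPLE_SSL_ENUM = """\
443/tcp open  ssl/http
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: C
"""

PROTO_RE = re.compile(r"^(SSLv[23]|TLSv1\.[0-3]):$")
# "<suite> (<key exchange detail>) - <grade>"
CIPHER_RE = re.compile(r"^((?:TLS|SSL)_\S+) \(([^)]*)\) - ([A-F])$")
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
# Suites with an ephemeral key exchange; TLS_AKE_ is the script's naming for TLS 1.3 suites.
FORWARD_SECRET_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_", "TLS_AKE_")


def parse_ssl_enum(text):
    """Return {protocol: [(suite, key_exchange, grade), ...]} from script output."""
    result, proto = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").rstrip()      # drop the NSE "| " / "|_ " margin
        m = PROTO_RE.match(line)
        if m:
            proto = m.group(1)
            result[proto] = []
            continue
        m = CIPHER_RE.match(line)
        if m and proto is not None:
            result[proto].append((m.group(1), m.group(2), m.group(3)))
    return result


def assess(parsed):
    """Turn the parsed listing into findings; the rules are this example's own."""
    findings = []
    for proto, suites in parsed.items():
        if proto in LEGACY_PROTOCOLS:
            findings.append(f"{proto} offered: deprecated protocol version")
        for suite, _kx, _grade in suites:
            if "3DES" in suite:
                findings.append(f"{proto} {suite}: 64-bit block cipher (SWEET32)")
            if "RC4" in suite:
                findings.append(f"{proto} {suite}: RC4 (prohibited by RFC 7465)")
            if "EXPORT" in suite or "DES40" in suite:
                findings.append(f"{proto} {suite}: export-grade 40/56-bit key")
            if "NULL" in suite or "anon" in suite:
                findings.append(f"{proto} {suite}: no encryption or no server authentication")
            if proto == "SSLv3" and "CBC" in suite:
                findings.append(f"{proto} {suite}: SSLv3 CBC padding oracle (POODLE)")
            if not suite.startswith(FORWARD_SECRET_PREFIXES):
                findings.append(f"{proto} {suite}: static key exchange, no forward secrecy")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_ssl_enum(SAMPLE_SSL_ENUM)):
        print(finding)
```

Feed it the -oN file from a scan that included the script and it will produce one finding per weak suite per protocol version, which maps directly onto the evidence a report needs; the script's own "warnings" lines are left in the input untouched so they can be quoted alongside.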

HTTP Enumeration (http-enum)

Probes each web service for a built-in list of well-known paths and fingerprints the responses

Finds admin panels, login portals, hidden folders, and backup files

Flags paths like /admin/, /phpmyadmin/, /config/, /dev/, /test/, and /server-status/

Great for quickly discovering attack surface and unsecured directories, though every hit needs manual confirmation: a 200 from a catch-all handler is a common false positive

Conclusion: Nmap Deep-Dive – Part 2

In this second part of our Nmap Deep-Dive Series, we moved beyond the basics and into practical, real-world usage of Nmap for reconnaissance and enumeration. You learned how to:

  • Perform stealthy SYN scans (-sS)

  • Scan the full range of 65,535 TCP ports (-p-)

  • Detect running services and their versions (-sV)

  • Save and format your scan results for better analysis and reporting

  • Use Nmap scripting to uncover weak SSL configurations and hidden HTTP directories

These techniques form the backbone of active enumeration, allowing you to move from simply identifying a host to truly understanding its exposed services and potential vulnerabilities. Whether you’re conducting a red team engagement, hunting bugs on a bounty program, or testing your own lab, mastering these techniques will make your recon faster, deeper, and more effective.

What’s Next?

In Part 3, we’ll dive into Nmap’s advanced features, including:

  • The Nmap Scripting Engine (NSE) for vulnerability scanning, brute-forcing, and more

  • OS detection and firewall evasion techniques

  • Building efficient, automated recon workflows

Stay tuned — Nmap’s full potential is just getting started.

Disclaimer

This tutorial is intended for educational purposes only. All scanning examples and techniques demonstrated in this post should only be used in authorized environments, such as your own lab, test networks, or within the scope of a legal penetration test or bug bounty program with explicit permission.

Unauthorized scanning or probing of systems you do not own or have permission to test may be illegal and unethical. The author and publisher are not responsible for any misuse of the information provided.

Always follow your local laws, ethical hacking guidelines, and the terms of service for any targets you interact with.
