Conduct Port Scanning with Nmap


Introduction

In this lab, you will learn to conduct various port scans using Nmap, a powerful network scanning tool. You will explore different scan types, including the TCP connect scan, SYN scan, and techniques for scanning specific ports, port ranges, and the most common "top ports." By the end of this lab, you will have a practical understanding of how to use Nmap to discover open ports and services on a target system, which is a fundamental skill in network reconnaissance and security auditing.

Each scan type has unique characteristics and use cases. For instance, the TCP connect scan completes the full TCP three-way handshake, making it reliable but easily detectable. In contrast, the SYN scan is more stealthy as it does not complete the handshake. You will execute Nmap commands in the Xfce terminal and analyze the output to understand the state of different ports.

This is a Guided Lab, which provides step-by-step instructions to help you learn and practice. Follow the instructions carefully to complete each step and gain hands-on experience. Historical data shows that this is a beginner-level lab with a 100% completion rate. It has received a 100% positive review rate from learners.

Perform a TCP Connect Scan with nmap -sT 127.0.0.1

In this step, you will perform a TCP connect scan using Nmap. This is a basic and reliable form of TCP scanning that completes the full TCP three-way handshake to establish a connection with the target port. While reliable, this method is less stealthy than other scan types because it fully establishes and then tears down a connection, which can be easily logged by the target system.

Let's briefly review the TCP three-way handshake:

  1. SYN (Synchronize): The scanner sends a SYN packet to the target port.
  2. SYN/ACK (Synchronize/Acknowledge): If the port is open, the target responds with a SYN/ACK packet.
  3. ACK (Acknowledge): The scanner completes the connection by sending an ACK packet back to the target.

Nmap's -sT option explicitly performs this full TCP connect scan. Because it uses the operating system's ordinary connect() call rather than crafting raw packets, it does not require root privileges, but we will use sudo for consistency with subsequent steps that do.

Now, let's perform a TCP connect scan on 127.0.0.1 (localhost). This IP address always refers to your own machine, making it a safe target for practice.

  1. Open the Xfce terminal. You should be in your home directory, ~/project.

  2. Execute the following command to perform the TCP connect scan:

    sudo nmap -sT 127.0.0.1

    This command instructs Nmap to perform a TCP connect scan (-sT) on the IP address 127.0.0.1. The labex user has sudo privileges without a password, so you can simply press Enter if prompted.

  3. Observe the output in the terminal. You will see a list of common ports and their states on your local machine. The output will look similar to this:

    Starting Nmap 7.80 ( https://nmap.org ) at 2025-06-03 13:36 CST
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.000052s latency).
    Not shown: 995 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    2121/tcp open  ccproxy-ftp
    2222/tcp open  EtherNetIP-1
    3001/tcp open  nessus
    8080/tcp open  http-proxy
    
    Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds

    The output shows the PORT number, its STATE, and the SERVICE Nmap associates with that port.

    • open means Nmap successfully established a TCP connection to that port.
    • closed means Nmap received a TCP RST (Reset) packet in response to its SYN packet, indicating the port is not listening.
    • Notice that ports 22, 2121, 2222, 3001, and 8080 are open. The custom services (2121, 2222, 8080) were set up by the lab environment, along with SSH on port 22 and another service on port 3001.

Execute a SYN Scan with nmap -sS 127.0.0.1

In this step, you will learn how to perform a SYN scan, also known as a "half-open" scan. This technique is generally more stealthy than a TCP connect scan because it does not complete the full TCP three-way handshake, making it less likely to be logged by the target system's applications.

Here's how a SYN scan works:

  1. SYN (Synchronize): The scanner sends a SYN packet to the target port.
  2. SYN/ACK (Synchronize/Acknowledge): If the port is open, the target responds with a SYN/ACK packet.
  3. RST (Reset): Instead of sending an ACK to complete the connection, the scanner immediately sends an RST packet to abruptly terminate the half-open connection.

Because the full TCP connection is never established, SYN scans are less intrusive and often bypass simpler firewall rules that only monitor completed connections. However, SYN scans typically require root privileges to craft raw packets, which is why we will use sudo.

Now, let's perform a SYN scan on 127.0.0.1.

  1. Ensure you are in the Xfce terminal.

  2. Execute the following command:

    sudo nmap -sS 127.0.0.1

    This command tells Nmap to perform a SYN scan (-sS) on the IP address 127.0.0.1. Press Enter if prompted for a password.

  3. Observe the output. The output will be similar to the TCP connect scan, but the underlying mechanism is different.

    Starting Nmap 7.80 ( https://nmap.org ) at 2025-06-03 13:36 CST
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.0000040s latency).
    Not shown: 995 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    2121/tcp open  ccproxy-ftp
    2222/tcp open  EtherNetIP-1
    3001/tcp open  nessus
    8080/tcp open  http-proxy
    
    Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

    The STATE column indicates the status of each port.

    • open means Nmap received a SYN/ACK packet in response to its SYN packet.
    • closed means Nmap received a RST packet.
    • filtered (which you might see in other scenarios) means Nmap couldn't determine whether the port is open or closed because network filtering (like a firewall) is preventing Nmap from reaching the port.

Scan Specific Ports with nmap -p 2222,8080,2121 127.0.0.1

In this step, you will learn how to scan specific ports on a target system using Nmap. This is particularly useful when you want to focus your scan on particular services or applications that you suspect might be running on the target, rather than scanning all common ports.

Nmap's -p option allows you to specify the exact ports you want to scan. You can specify individual ports separated by commas, a range of ports, or a combination of both. In this case, we will scan ports 2222, 8080, and 2121 on 127.0.0.1. These are the custom TCP services that were set up by the lab environment's initialization script.

  • Port 2222 is configured to run an SSH service.
  • Port 8080 is configured to run an Nginx web server.
  • Port 2121 is configured to run an FTP service.

  1. Ensure you are in the Xfce terminal.

  2. Execute the following command:

    sudo nmap -p 2222,8080,2121 127.0.0.1

    This command tells Nmap to scan only ports 2222, 8080, and 2121 (-p 2222,8080,2121) on the IP address 127.0.0.1. Because the command runs under sudo, Nmap defaults to the SYN scan method (-sS). Press Enter if prompted for a password.

  3. Observe the output. You should see that all three specified ports are reported as open.

    Starting Nmap 7.80 ( https://nmap.org ) at 2025-06-03 13:36 CST
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.000028s latency).
    
    PORT     STATE SERVICE
    2121/tcp open  ccproxy-ftp
    2222/tcp open  EtherNetIP-1
    8080/tcp open  http-proxy
    
    Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

    The output confirms the status of the specified ports. open means Nmap received a SYN/ACK packet, indicating that the port is actively listening for connections.

Scan a Port Range with nmap -p 1-9000 127.0.0.1

In this step, you will learn how to scan a range of ports on a target system using Nmap. This is useful when you want to identify all open ports within a specific numerical range, which can help you discover services running on non-standard ports.

As you learned in the previous step, Nmap's -p option allows you to specify ports. To scan a range of ports, you use the syntax start-end, where start is the beginning port number and end is the ending port number. In this case, we will scan ports 1 through 9000 on 127.0.0.1. This range is chosen to include the custom services (2121, 2222, 8080) set up in your lab environment.

  1. Ensure you are in the Xfce terminal.

  2. Execute the following command:

    sudo nmap -p 1-9000 127.0.0.1

    This command tells Nmap to scan ports 1 through 9000 (-p 1-9000) on the IP address 127.0.0.1. Nmap will use the default SYN scan method. Press Enter if prompted for a password.

  3. Observe the output. You will see a list of all open ports within the specified range. This might take a bit longer than scanning specific ports due to the larger number of ports being checked.

    Starting Nmap 7.80 ( https://nmap.org ) at 2025-06-03 13:36 CST
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.0000020s latency).
    Not shown: 8992 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    953/tcp  open  rndc
    2121/tcp open  ccproxy-ftp
    2222/tcp open  EtherNetIP-1
    3001/tcp open  nessus
    3002/tcp open  exlm-agent
    5353/tcp open  mdns
    8080/tcp open  http-proxy
    
    Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds

    The output shows the status of ports within the 1-9000 range on your local machine. You should see the custom ports (2121, 2222, 8080) listed as open, along with other services that are running, such as SSH (22), DNS-related services (953, 5353), and additional services (3001, 3002). The line "Not shown: 8992 closed ports" indicates that Nmap does not list the 8992 closed ports one by one: by default it summarizes the ports in the most common state on a single line and lists only the remaining (here open) ports, which is why a large range still produces a short table.

Scan Top Ports with nmap --top-ports 10 127.0.0.1

In this step, you will learn how to scan the most common ports on a target system using Nmap's --top-ports option. This is useful for quickly identifying the most likely services running on a host without scanning all 65535 possible ports. Nmap maintains an internal list of the most frequently used ports, compiled from statistical data.

The --top-ports option tells Nmap to scan a specified number of these most common ports. For example, --top-ports 10 will scan the 10 most common TCP ports.

In this case, we will scan the top 10 most common ports on 127.0.0.1.

  1. Ensure you are in the Xfce terminal.

  2. Execute the following command:

    sudo nmap --top-ports 10 127.0.0.1

    This command tells Nmap to scan the top 10 most common ports (--top-ports 10) on the IP address 127.0.0.1. Nmap will use the default SYN scan method. Press Enter if prompted for a password.

  3. Observe the output. You will see the status of the top 10 ports on your local machine.

    Starting Nmap 7.80 ( https://nmap.org ) at 2025-06-03 13:36 CST
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.000010s latency).
    
    PORT     STATE  SERVICE
    21/tcp   closed ftp
    22/tcp   open   ssh
    23/tcp   closed telnet
    25/tcp   closed smtp
    80/tcp   closed http
    110/tcp  closed pop3
    139/tcp  closed netbios-ssn
    443/tcp  closed https
    445/tcp  closed microsoft-ds
    3389/tcp closed ms-wbt-server
    
    Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds

    The output shows the status of the top 10 most common ports. You might notice that some of the custom ports (like 8080, 2121, 2222) are not in this list, as they are not among the absolute top 10 most common ports globally, but rather specific to our lab setup. This demonstrates that while --top-ports is efficient, it might miss less common but still important services.
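A small parser for the normal Nmap output shown throughout this lab, written here as an added example (it is not part of the lab or of Nmap). It reads the PORT/STATE/SERVICE table and the "Not shown" summary line explained in the port-range step, flags open ports that are not on an expected baseline, and reports which open ports from the 1-9000 scan the --top-ports 10 scan never probed, which is the gap this step points out. The sample outputs are constructed from this lab's results, and the EXPECTED baseline is an assumption.

```python
import re

# Nmap normal output: "PORT/PROTO STATE SERVICE" rows plus a "Not shown: N <state> ports" line.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open\|filtered|open|closed|filtered)\s+(\S+)")
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (\w+) ports")

def parse_nmap_normal(text):
    """Return {'ports': {port: (state, service)}, 'not_shown': {state: count}}.
    The SERVICE column is Nmap's static port-to-name table, not a fingerprint."""
    report = {"ports": {}, "not_shown": {}}
    for line in map(str.strip, text.splitlines()):
        if m := PORT_LINE.match(line):
            report["ports"][int(m.group(1))] = (m.group(3), m.group(4))
        elif m := NOT_SHOWN.match(line):
            report["not_shown"][m.group(2)] = int(m.group(1))
    return report

def open_ports(report):
    return {p for p, (state, _) in report["ports"].items() if state == "open"}

def unexpected_open(report, baseline):
    """Open ports missing from the allow-list of services you expect to be listening."""
    return open_ports(report) - set(baseline)

def missed_by_quick_scan(full_report, quick_report):
    """Open ports the full scan found that the quick scan never probed at all."""
    return open_ports(full_report) - set(quick_report["ports"])

# Constructed samples modelled on the 1-9000 and --top-ports 10 scans in this lab.
FULL_SCAN = """\
Not shown: 8992 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
953/tcp  open  rndc
2121/tcp open  ccproxy-ftp
2222/tcp open  EtherNetIP-1
3001/tcp open  nessus
3002/tcp open  exlm-agent
5353/tcp open  mdns
8080/tcp open  http-proxy
"""
TOP10_SCAN = """\
PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   open   ssh
80/tcp   closed http
3389/tcp closed ms-wbt-server
"""
EXPECTED = {22, 953, 2121, 2222, 5353, 8080}  # assumed baseline; 3001/3002 deliberately absent
```

For real automation prefer Nmap's -oX or -oG output formats; this parser only makes the normal output shown on this page concrete.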

Summary

In this lab, you have learned to conduct various port scans using Nmap. You performed a TCP connect scan with the -sT option on 127.0.0.1, understanding the full TCP three-way handshake involved. You also executed a SYN scan with -sS on 127.0.0.1, which is a more stealthy half-open scan. You practiced scanning specific ports using -p 2222,8080,2121 and a broader port range with -p 1-9000 on 127.0.0.1. Finally, you learned to efficiently scan the most common ports using --top-ports 10 on 127.0.0.1. Through these hands-on exercises, you gained practical experience in interpreting Nmap output and understanding different scan types for network reconnaissance.