Introduction
In this lab, you will learn the fundamentals of network scanning using Nmap (Network Mapper), a powerful open-source tool for network discovery and security auditing. You will start with basic port scans, advance to service and version detection, and then explore the Nmap Scripting Engine (NSE) to perform vulnerability checks. Finally, you will learn how to analyze and save your scan results in various formats for reporting. This lab provides a step-by-step, hands-on introduction to Nmap's core features for effective network security assessment.
Perform a Basic Network Scan
In this step, you will get acquainted with Nmap by performing a basic scan. A basic scan is used to discover which ports are open on a target machine. An open port indicates that a service (like a web server or SSH) is running and listening for connections.
The lab environment has been pre-configured with several services running on localhost (your own virtual machine) for you to practice on. The nmap tool is already installed.
First, verify that Nmap is installed and check its version. Open the terminal and run the following command:
nmap --version
You should see output confirming the Nmap version, similar to this:
Nmap version 7.80 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.3.3 openssl-1.1.1f libssh2-1.8.0 libz-1.2.11 libpcre-8.39 nmap-libpcap-1.9.1
Compiled without:
Available nsock engines: epoll poll select
Now, perform your first scan against localhost. This command tells Nmap to check for the most common open ports on your local machine.
nmap localhost
Examine the output. Nmap will list the ports it found to be open, along with the state and the common service associated with that port. The output will look something like this, showing the services prepared for this lab:
Starting Nmap 7.80 ( https://nmap.org ) at ...
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000092s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
2121/tcp open ccproxy-ftp
2222/tcp open EtherNetIP-1
3001/tcp open nessus
8080/tcp open http-proxy
Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
This initial scan gives you a map of the running services, which is the first step in any network security assessment.
Detect Service Versions
In this step, you will use Nmap to perform service and version detection. Knowing which ports are open is useful, but knowing the exact software and version running on those ports is much more powerful for a security analyst. Outdated software is a primary source of vulnerabilities.
We will use the -sV flag, which instructs Nmap to probe open ports to determine detailed service and version information.
Run a version detection scan against localhost. To make the scan more efficient, target the specific ports used in this example rather than scanning all ports.
nmap -sV -p 22,8080 localhost
Pro Tip: Targeting specific ports dramatically reduces scan time. A full port range scan with
-sVcan take several minutes, while this targeted approach typically completes in seconds.
Compare the output with the basic scan from Step 1. You will now see an additional column, VERSION, which provides details about the software running on each port.
The output will be more detailed, similar to this:
Starting Nmap 7.80 ( https://nmap.org ) at ...
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00011s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
8080/tcp open http nginx 1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap done: 1 IP address (1 host up) scanned in 2.15 seconds
This information is critical. For example, if the scan revealed an old version of nginx with a known critical vulnerability, you would know exactly where to focus your remediation efforts.
Use the Nmap Scripting Engine (NSE)
In this step, you will use the Nmap Scripting Engine (NSE), one of Nmap's most powerful features. It allows you to automate a wide variety of networking tasks using a library of scripts. These scripts can be used for more advanced discovery, vulnerability detection, and even exploitation.
You will use the -sC flag, which runs a set of default scripts that are considered safe and useful for discovery. Because the FTP service in this lab runs on the nonstandard port 2121, combine -sC with service detection (-sV) so Nmap can identify the service before choosing the matching scripts.
Run an Nmap scan with service detection and the default scripts enabled against localhost. Target ports 2121 and 8080 so the scan stays quick while still showing script output from the FTP and web services.
nmap -sV -sC -p 2121,8080 localhost
Review the output. You will see additional information indented under each port. This is the output from the NSE scripts. For example, the ftp-anon script can report that anonymous FTP login is allowed on port 2121, the http-title script might grab the title of the web page on port 8080, and SSL scripts might report on certificate details.
The output will be even more verbose:
Starting Nmap 7.80 ( https://nmap.org ) at ...
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000099s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
2121/tcp open ftp vsftpd 3.0.5
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Logged in as ftp
|_End of status
8080/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Unix
Nmap done: 1 IP address (1 host up) scanned in 0.62 seconds
As you can see, the default scripts discovered that anonymous FTP login is allowed on port 2121 and retrieved the title of the web page on port 8080. This is valuable intelligence gathered automatically.
Run a Vulnerability Scan
In this step, you will use NSE scripts to hunt for vulnerabilities. The NSE includes a category of scripts specifically designed to check for known security flaws. You can run all scripts in the vuln category to perform a broad vulnerability scan.
It is best practice to always save the output of long or important scans to a file. We will use the -oN flag to save the output in Nmap's normal format.
First, combine what you've learned. Run a scan that includes service detection (-sV) and executes all vulnerability scripts (--script vuln). Save the output to a file named vuln_scan.txt.
nmap -sV --script vuln -oN vuln_scan.txt localhost
This scan may take a few minutes as it is running many scripts against each open port.
Once the scan is complete, a file named vuln_scan.txt will be created in your current directory (/home/labex/project). You can view its contents using the cat command:
cat vuln_scan.txt
The output file is long, so it's more efficient to search for keywords. Use grep to look for lines that indicate a vulnerability. The term "VULNERABLE" is a strong indicator.
grep "VULNERABLE" vuln_scan.txt
You should see output showing any vulnerabilities found. In this lab environment, you'll likely see a vulnerability related to Apache's byterange filter:
| VULNERABLE:
| State: VULNERABLE
To see the full vulnerability details, you can search for the specific CVE or look at the complete scan output. For example, you might find an Apache DoS vulnerability (CVE-2011-3192) on port 8080. Note that you may also see some script errors (like clamav-exec: ERROR) which are normal and can be ignored - these occur when certain vulnerability scripts cannot execute properly in the lab environment.
This step demonstrates how to actively probe for weaknesses, moving from simple discovery to a targeted security audit.
Save and Format Scan Findings
In this step, you will learn how to save your results in multiple formats and create a user-friendly HTML report. Properly documenting and reporting your findings is a critical skill for any security professional. Nmap supports several output formats suitable for different purposes.
First, create a dedicated directory to keep your reports organized.
mkdir -p ~/project/reports
Now, run the scan again, but this time save the output in two formats simultaneously: normal text (-oN) and XML (-oX). XML is a structured format that is ideal for processing with other tools.
nmap -sV -p 8080 --script vuln -oN ~/project/reports/scan_report.txt -oX ~/project/reports/scan_report.xml localhost
The XML format is not very human-readable. Nmap provides a utility called xsltproc to convert the XML file into a clean HTML report. Run the following command to generate scan_report.html.
xsltproc ~/project/reports/scan_report.xml -o ~/project/reports/scan_report.html
Verify that all your report files have been created in the ~/project/reports directory. Use the ls -l command to list the files and their details.
ls -l ~/project/reports
You should see your three report files:
total 40
-rw-rw-r-- 1 labex labex 14276 Aug 28 15:12 scan_report.html
-rw-rw-r-- 1 labex labex 5686 Aug 28 15:11 scan_report.txt
-rw-rw-r-- 1 labex labex 14924 Aug 28 15:11 scan_report.xml
You now have a plain text file for quick review, an XML file for machine processing, and an HTML file for easy sharing and presentation.
Summary
In this lab, you have gained practical experience with Nmap, a fundamental tool in cybersecurity. You started by performing basic port scans to identify open services on a network host. You then progressed to more advanced techniques, including service version detection (-sV) to identify specific software and its version. You also explored the power of the Nmap Scripting Engine (NSE) by running default scripts (-sC) and a full vulnerability scan (--script vuln). Finally, you learned the professional practice of saving scan results in multiple formats (-oN, -oX) and converting them into a readable HTML report for analysis and documentation. These skills form a solid foundation for using Nmap in real-world network security assessments.



