Lesson Notes
Nmap: Port Scanning
Module 3: Tools of the Trade. Scans including SSL services.
Module 3: Nmap Port Scanning — Comprehensive Theory Guide
Nmap (Network Mapper) is the de facto standard tool for discovering live hosts, open ports, and the services bound to those ports on a network. It is essential for reconnaissance: before you attempt exploitation or recommend hardening, you must know exactly what is listening and which software versions are in use. This lesson provides a detailed theoretical foundation so you can use Nmap safely, interpret its output correctly, and integrate SSL/TLS assessment into your recon workflow. Unauthorized port scanning is illegal in many jurisdictions; only scan targets you own or have explicit written permission to test.
Why Port Scanning Matters in Security
Every open port is a potential entry point. Attackers use port scans to build a map of the target: which services are exposed, which versions run (for CVE and exploit matching), and which ports might be misconfigured or forgotten. Defenders use the same technique to audit their own perimeter and internal segments—finding unexpected listeners (e.g. RDP or SMB on a web server) before an attacker does. Nmap's output feeds into vulnerability scanners, exploit frameworks (e.g. Metasploit), and manual testing. Without an accurate port and service map, you cannot prioritize remediation or scope an ethical penetration test.
TCP SYN Scan (-sS): Mechanics and Why It Works
A TCP connection begins with a three-way handshake: the client sends SYN, the server responds with SYN-ACK, and the client sends ACK. In a SYN scan, Nmap sends only the initial SYN to each target port. If the port is open, the server replies with SYN-ACK; Nmap then answers with RST (reset) instead of ACK, so no full connection is ever established. If the port is closed, the server replies with RST. If nothing comes back after Nmap's retransmissions, or an ICMP unreachable error arrives, the port is reported as filtered. This is called a half-open or stealth scan. Benefits: Nmap never completes the handshake, so it is faster than a full connect scan, and the target application never sees a connection, which keeps the scan out of application-level logs (a web server's access log, for example). The "stealth" label is historical: any firewall, IDS, or packet-level logger sees SYN scans plainly, so do not rely on it for evasion. Requirement: Nmap must run with privileges that allow raw packet crafting (root on Linux, Administrator with Npcap on Windows); without them Nmap falls back to the connect scan (-sT), which uses the OS's normal TCP stack and completes the handshake.
TCP Connect Scan (-sT), UDP Scan (-sU), and Ping Sweep (-sn)
Connect scan (-sT) uses the operating system's connect() call, so Nmap completes the full three-way handshake and then closes the connection. Use it when you lack raw packet capability (an unprivileged user) or when you want to see exactly what a normal client would see; the cost is that every open port records a completed connection in the application's logs. UDP scan (-sU) works differently: UDP is connectionless, so there is no handshake. Nmap sends a UDP probe (empty for most ports, protocol-specific payloads for well-known ones such as DNS and SNMP); an open service may reply, a closed port usually returns ICMP port unreachable (type 3, code 3), and other ICMP unreachable codes mean the port is filtered. Many UDP ports are reported as open|filtered because no response arrives at all: a firewall may drop the probe silently, or the service may ignore a datagram that is not a valid protocol message. UDP scanning is slow because most operating systems rate-limit ICMP error replies (Linux defaults to about one per second), and it is noisy; use it when you need to find DNS, SNMP, NTP, or other UDP services, and add -sV to resolve open|filtered ports when the scope permits it. Ping sweep (-sn) skips port scanning entirely: run as root against remote targets, Nmap sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request; on the local Ethernet segment it uses ARP requests instead, and unprivileged users get a connect() attempt to ports 80 and 443. Useful for quickly building a host list before a full port scan.
Version Detection (-sV): Banners and Probe Matching
Knowing that port 22 is open is not enough: you need to know whether it is OpenSSH 8.9 or Dropbear 2022.83. Version detection (-sV) sends a series of probes (banner reads, then protocol-specific payloads) to each open port and matches the responses against the signature database in nmap-service-probes. The result is a product name and version (e.g. Apache httpd 2.4.52, OpenSSH 8.9p1) and, where available, a CPE identifier. This is what makes CVE lookup possible: you search for the product and version in the NVD or Exploit-DB to find known vulnerabilities. Two caveats: when no probe matches, Nmap falls back to the service name from its port-number table and marks the result as a guess, so do not cite an unfingerprinted port as evidence of a particular product; and banners can be spoofed or suppressed (security through obscurity), so a clean version string is a lead, not proof. In most lab and legacy environments, though, banners are accurate. Version detection also completes connections and sends application data, so it is slower and far more visible than a bare SYN scan. Always document the version detection output in your report; it is the evidence behind your risk rating and remediation advice.
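The usual way to keep version detection output as evidence is to save the scan as XML (-oX, or -oA for all formats) and post-process it. The following is an added example, not code from the lesson or from the Nmap project: it parses a constructed XML fragment laid out the way Nmap emits it (hypothetical host 10.0.0.5, invented results), separates fingerprinted versions from port-table guesses, and flags open ports that a host of a given role should not expose. Only the standard library is used.

```python
"""Turn Nmap XML output (-oX / -oA) into report rows and flag what matters.

Added example, not from the lesson or the Nmap project. SAMPLE_XML is a
constructed document in Nmap's XML layout (hypothetical host and results).
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -oX scan.xml 10.0.0.5" version="7.94">
<host><status state="up" reason="syn-ack"/>
<address addr="10.0.0.5" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10">
<cpe>cpe:/a:openbsd:openssh:8.9p1</cpe></service></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.4.52" method="probed" conf="10">
<cpe>cpe:/a:apache:http_server:2.4.52</cpe></service></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
<service name="microsoft-ds" method="table" conf="3"/></port>
<port protocol="tcp" portid="3389"><state state="filtered" reason="no-response"/>
<service name="ms-wbt-server" method="table" conf="3"/></port>
</ports></host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """One dict per scanned port: host, protocol, port, state, service details."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            rows.append({
                "host": addr,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state"),
                "reason": state.get("reason"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                # method="probed": a version-detection signature matched.
                # method="table": name guessed from the port-number table, so
                # there is no version evidence for this port.
                "fingerprinted": svc is not None and svc.get("method") == "probed",
                "cpe": [c.text for c in svc.iter("cpe")] if svc is not None else [],
            })
    return rows


def open_ports(rows):
    return [r for r in rows if r["state"] == "open"]


def version_evidence(rows):
    """Strings suitable for a CVE lookup, only from fingerprinted open ports."""
    return [f'{r["host"]}:{r["port"]} {r["product"]} {r["version"]} ({", ".join(r["cpe"])})'
            for r in open_ports(rows) if r["fingerprinted"]]


def unexpected_listeners(rows, expected):
    """expected: {host: set of ports that host's role should expose}.
    Any other open port is a finding (e.g. SMB on a web server)."""
    return [(r["host"], r["port"]) for r in open_ports(rows)
            if r["port"] not in expected.get(r["host"], set())]


if __name__ == "__main__":
    rows = parse_nmap_xml(SAMPLE_XML)
    for line in version_evidence(rows):
        print("evidence:", line)
    # Hypothetical role: this host is supposed to be an SSH-managed web server.
    print("unexpected:", unexpected_listeners(rows, {"10.0.0.5": {22, 80, 443}}))
```

The `fingerprinted` flag is the point to carry into a report: port 445 here has a service name only because 445/tcp is microsoft-ds in Nmap's port table, so it must not be written up as a confirmed SMB version.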
Port States: Open, Closed, Filtered, and Open|Filtered
Nmap classifies each port into one of six states; four of them cover almost every SYN, connect, and UDP scan result. Open: a service is listening and responded to the probe (SYN-ACK for TCP, a UDP reply for UDP). Closed: the port is reachable (no firewall drop) but nothing is listening (RST in response to SYN, ICMP port unreachable for UDP). Filtered: Nmap received no response after retransmissions, or an ICMP unreachable error other than port unreachable; a firewall or filter likely dropped the probe. Open|filtered: Nmap cannot distinguish the two (typically a UDP port that did not respond, which could be an open but silent service or a filtered port). The remaining states, unfiltered (an ACK scan reached the port but cannot tell whether it is open) and closed|filtered (seen only with the IP ID idle scan), are rare in routine work. Run with --reason to see which packet or timeout Nmap based each state on. From a security perspective, open ports are your primary concern: each one is exposed attack surface. Closed ports tell you the host is reachable and that port is unused. Filtered ports indicate network controls; evading or bypassing them is out of scope unless explicitly authorized.
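The state rules above, and the SYN and UDP mechanics from the earlier sections, as an added example that is not part of the lesson: the decision rules are Nmap's, but the target host, its per-port behaviour, and the packet-loss setting are a hypothetical model, so the code sends no packets. It shows two things the rules alone do not: why a lost probe turns an open port into "filtered" unless the scanner retransmits, and why an empty UDP probe leaves a DNS port at open|filtered while a valid protocol payload resolves it to open.

```python
"""Port-state inference the way SYN (-sS) and UDP (-sU) scans decide it.

Added example: a constructed target model stands in for a real host, so no
packets are sent. The decision rules are Nmap's; the host, port behaviours
and packet-loss settings below are hypothetical.
"""
from enum import Enum


class Resp(Enum):
    SYN_ACK = "SYN/ACK"
    RST = "RST"
    UDP_REPLY = "UDP reply"
    ICMP_PORT_UNREACH = "ICMP type 3 code 3"   # port unreachable
    ICMP_ADMIN_PROHIB = "ICMP type 3 code 13"  # one of the codes Nmap reads as filtered
    NONE = "no response"


# Hypothetical target. TCP: what the host does when a SYN reaches each port.
TCP_PORTS = {22: "listening", 80: "listening", 23: "closed",
             445: "dropped", 8080: "admin-prohibited"}
# UDP: 53 answers only a well-formed DNS query, 161 answers any datagram,
# 123 is closed (ICMP port unreachable), 500 is silently dropped.
UDP_PORTS = {53: "listening-needs-payload", 161: "listening",
             123: "closed", 500: "dropped"}
# Simulated packet loss: the first probe to these ports vanishes.
LOSSY_PORTS = {80}


def tcp_syn_probe(port, attempt):
    """Response to the attempt-th SYN (0-based) sent to port."""
    if port in LOSSY_PORTS and attempt == 0:
        return Resp.NONE
    behaviour = TCP_PORTS.get(port, "closed")
    return {"listening": Resp.SYN_ACK, "closed": Resp.RST, "dropped": Resp.NONE,
            "admin-prohibited": Resp.ICMP_ADMIN_PROHIB}[behaviour]


def udp_probe(port, attempt, protocol_payload):
    """Response to a UDP datagram. protocol_payload=True means a valid
    application message (e.g. a DNS query) rather than an empty probe."""
    if port in LOSSY_PORTS and attempt == 0:
        return Resp.NONE
    behaviour = UDP_PORTS.get(port, "closed")
    if behaviour == "listening":
        return Resp.UDP_REPLY
    if behaviour == "listening-needs-payload":
        return Resp.UDP_REPLY if protocol_payload else Resp.NONE
    if behaviour == "closed":
        return Resp.ICMP_PORT_UNREACH
    return Resp.NONE


def classify_tcp_syn(resp):
    if resp is Resp.SYN_ACK:
        return "open"
    if resp is Resp.RST:
        return "closed"
    return "filtered"           # nothing after retries, or any ICMP unreachable


def classify_udp(resp):
    if resp is Resp.UDP_REPLY:
        return "open"
    if resp is Resp.ICMP_PORT_UNREACH:
        return "closed"
    if resp is Resp.NONE:
        return "open|filtered"  # silent: open-and-quiet or dropped, cannot tell
    return "filtered"           # other ICMP unreachable codes


def scan_port(probe, classify, port, max_retries):
    """Retransmit until a response arrives or retries run out, then classify."""
    resp = Resp.NONE
    for attempt in range(max_retries + 1):
        resp = probe(port, attempt)
        if resp is not Resp.NONE:
            break
    return classify(resp)


def syn_scan(ports, max_retries=2):
    return {p: scan_port(tcp_syn_probe, classify_tcp_syn, p, max_retries) for p in ports}


def udp_scan(ports, protocol_payload=False, max_retries=2):
    def probe(port, attempt):
        return udp_probe(port, attempt, protocol_payload)
    return {p: scan_port(probe, classify_udp, p, max_retries) for p in ports}


if __name__ == "__main__":
    print("SYN scan:    ", syn_scan([22, 23, 80, 445, 8080]))
    print("no retries:  ", syn_scan([80], max_retries=0))   # lossy port misread as filtered
    print("UDP, empty:  ", udp_scan([53, 161, 123, 500]))   # 53 stays open|filtered
    print("UDP, payload:", udp_scan([53, 161, 123, 500], protocol_payload=True))  # 53 is open
```

The retransmission loop is why Nmap's --max-retries and timing templates affect accuracy as well as speed: with retries set to zero, the lossy port 80 is misreported as filtered.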
SSL/TLS Services and the ssl-enum-ciphers Script
Many services run over SSL/TLS: HTTPS (443), SMTPS (465), LDAPS (636), and others. Version detection recognises that a port is speaking TLS from the ServerHello in the handshake and then tunnels its probes through the encrypted channel, which is why -sV reports services such as ssl/http. The NSE script ssl-enum-ciphers (nmap --script ssl-enum-ciphers -p 443 <host>) goes further: it performs repeated TLS handshakes and enumerates which protocol versions and cipher suites the server accepts. The output lists each supported version (SSLv3, TLS 1.0, 1.1, 1.2 and, with a reasonably current Nmap release, 1.3) with its cipher suites (e.g. TLS_RSA_WITH_AES_128_CBC_SHA), grades each suite A to F, reports whether the server or the client chooses the cipher, prints warnings for known weaknesses, and ends with a "least strength" summary. Report deprecated or weak items: SSLv2/SSLv3, TLS 1.0 and 1.1, RC4, 3DES, export-grade or NULL ciphers, and static RSA key exchange (the TLS_RSA_* suites), which offers no forward secrecy. Use this during recon to recommend TLS hardening (disable weak protocols and ciphers, enforce TLS 1.2 or later, prefer ECDHE suites) before or alongside application-level testing. The grades are the script's own assessment; confirm anything contentious with a second tool before reporting it.
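Triage of the script's output, as an added example that is not part of the lesson or of Nmap: SAMPLE_OUTPUT is a constructed block in the layout ssl-enum-ciphers prints (hypothetical server, invented results), and the weakness rules encode the list above (deprecated versions, RC4/3DES/NULL/export ciphers, static RSA key exchange). The parser works on the text as it appears in normal Nmap output, pipe prefixes included.

```python
"""Triage ssl-enum-ciphers output: parse the script's text and flag weak items.

Added example, not part of the lesson or of Nmap. SAMPLE_OUTPUT is a
constructed block in the script's output layout (hypothetical server).
"""
import re

SAMPLE_OUTPUT = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: C
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
# Substrings of IANA suite names that mark a weak primitive.
WEAK_MARKERS = ("RC4", "NULL", "EXPORT", "DES", "MD5", "anon")

PROTO_RE = re.compile(r"^\|_?\s+(SSLv\d|TLSv\d\.\d):\s*$")
CIPHER_RE = re.compile(r"^\|_?\s+(TLS_[A-Za-z0-9_]+)(?:\s+\([^)]*\))?\s+-\s+([A-F])\s*$")
STRENGTH_RE = re.compile(r"^\|_?\s+least strength:\s+([A-F])\s*$")


def parse_ssl_enum_ciphers(text):
    """Return ({protocol: [(suite, grade), ...]}, least_strength)."""
    protocols, least, current = {}, None, None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            protocols.setdefault(current, [])
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            protocols[current].append((m.group(1), m.group(2)))
            continue
        m = STRENGTH_RE.match(line)
        if m:
            least = m.group(1)
    return protocols, least


def triage(protocols):
    """Findings worth putting in the report, one string each."""
    findings = []
    for proto, suites in protocols.items():
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(f"{proto}: deprecated protocol version offered")
        for suite, grade in suites:
            weak = next((m for m in WEAK_MARKERS if m in suite), None)
            if weak:
                findings.append(f"{proto}: {suite} uses weak primitive ({weak}), graded {grade}")
            if suite.startswith("TLS_RSA_WITH_"):
                findings.append(f"{proto}: {suite} has no forward secrecy (static RSA key exchange)")
    return findings


if __name__ == "__main__":
    protocols, least = parse_ssl_enum_ciphers(SAMPLE_OUTPUT)
    print("least strength:", least)
    for finding in triage(protocols):
        print("-", finding)
```

Note that the script's own grade is not the whole story: TLS_RSA_WITH_AES_128_CBC_SHA is graded A in the sample yet still lacks forward secrecy, which is why the triage checks the key-exchange prefix separately.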
Ethics, Scope, and Documenting Results
Port scanning can be disruptive (triggering IDS/IPS, or crashing fragile embedded devices and printers) and is legally sensitive. Only scan targets you own or for which you have explicit written authorization. Define scope in advance: IP ranges, allowed scan types, timing (-T templates and rate limits), and time windows. Document every scan: the exact command, target, timestamp, and key findings (open ports, versions). Saving output with -oA <basename> gives you the normal, grepable, and XML formats at once, and the XML is what vulnerability scanners and report tooling consume. This supports repeatability and report writing. Nmap is the foundation of service enumeration; combine it with Wireshark (passive capture or post-capture analysis) and Burp Suite (web traffic) for a complete recon picture. Next lesson: Burp Suite for intercepting and modifying HTTP/HTTPS traffic, including installing its CA certificate to decrypt HTTPS.
Key Takeaway for Lesson 16
Nmap discovers hosts (ping sweep), open ports (SYN or connect scan), and service versions (version detection). Port states—open, closed, filtered, open|filtered—must be interpreted correctly for risk assessment. Use ssl-enum-ciphers (and related scripts) to assess TLS configuration on HTTPS and other SSL-wrapped services. Always scan only authorized targets and document results for reporting. Next: Burp Suite web proxy and HTTPS interception with certificate installation.