Drill: Basic Port Scanning with nmap

Goal

Use nmap to perform basic port scans and service detection to verify what is actually listening and reachable.

Setup

  • Linux system with nmap installed (apt install nmap or yum install nmap)
  • Permission to scan the target host (never scan systems you do not own or have authorization for)

Commands

Quick scan of common ports:

nmap 10.0.0.5

Scan specific ports:

nmap -p 22,80,443,8080 10.0.0.5

Scan a port range:

nmap -p 1-1024 10.0.0.5

Service version detection:

nmap -sV -p 22,80,443 10.0.0.5

TCP SYN scan (fast; the default scan type when nmap runs as root):

nmap -sS -p 1-65535 10.0.0.5

TCP connect scan (no root needed; the default scan type when nmap runs unprivileged):

nmap -sT -p 80,443 10.0.0.5

Scan a subnet for live hosts:

nmap -sn 10.0.0.0/24

Show reason for port state:

nmap --reason -p 22,80,443 10.0.0.5

Output in all formats:

nmap -oA /tmp/scan-results -p 22,80,443 -sV 10.0.0.5

What to Look For

  • open means a service is accepting connections
  • filtered means a firewall is silently dropping packets (no RST, no response)
  • closed means the port responded with RST (host is up but nothing is listening)
  • Service version info from -sV confirms what software is running
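The -oA run above leaves /tmp/scan-results.xml beside the .nmap and .gnmap files, and the XML is the format worth parsing when the goal is to verify exposure rather than read a screen. The script below is an added example for this drill, not part of nmap and not the drill author's code: it parses the per-port state, reason and -sV service string the way the bullet list above describes them, then checks the open ports against a hypothetical expected-exposure baseline (EXPECTED_OPEN) so that drift in either direction shows up. The XML sample is constructed to look like nmap's output for the drill's command and includes one extra port (8080) to exercise the check.

```python
"""Summarize nmap XML output (the .xml written by -oA / -oX) and compare it
against an expected-exposure baseline.

Added example for this drill; not nmap's code and not the drill author's.
SAMPLE_XML is constructed to resemble the output of
'nmap -oA /tmp/scan-results -p 22,80,443 -sV 10.0.0.5'; EXPECTED_OPEN is a
hypothetical allow-list for that host.
"""
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements this script uses.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oA /tmp/scan-results -p 22,80,443 -sV 10.0.0.5">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="closed" reason="reset" reason_ttl="64"/>
        <service name="http" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="filtered" reason="no-response" reason_ttl="0"/>
        <service name="https" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="http-proxy" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Hypothetical baseline: the ports that are supposed to be reachable on this host.
EXPECTED_OPEN = {"10.0.0.5": {22, 443}}


def parse_nmap_xml(xml_text):
    """Return {addr: [(port, proto, state, reason, service_string), ...]}."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:  # fall back to whatever address nmap recorded
            addr_el = host.find("address")
        addr = addr_el.get("addr")
        entries = []
        for port in host.iter("port"):
            state_el = port.find("state")
            svc = port.find("service")
            # "name product version": product/version are only present when
            # -sV actually probed the port (method="probed"); a table lookup
            # (method="table") gives just the well-known name.
            svc_str = ""
            if svc is not None:
                svc_str = " ".join(
                    v for v in (svc.get("name"), svc.get("product"), svc.get("version")) if v
                )
            entries.append((
                int(port.get("portid")),
                port.get("protocol"),
                state_el.get("state"),   # open / closed / filtered
                state_el.get("reason"),  # what --reason would print: syn-ack, reset, no-response
                svc_str,
            ))
        results[addr] = entries
    return results


def compare_to_baseline(results, expected):
    """Flag drift in both directions: open ports missing from the baseline,
    and baseline ports that did not come back open (filtered or closed)."""
    findings = {}
    for addr, entries in results.items():
        open_ports = {p for p, _, st, _, _ in entries if st == "open"}
        allowed = expected.get(addr, set())
        findings[addr] = {
            "unexpected_open": sorted(open_ports - allowed),
            "expected_but_not_open": sorted(allowed - open_ports),
        }
    return findings


def main():
    results = parse_nmap_xml(SAMPLE_XML)
    for addr, entries in results.items():
        print(f"Host {addr}")
        for port, proto, state, reason, svc in entries:
            print(f"  {port}/{proto:<4} {state:<9} reason={reason:<12} {svc}")
    for addr, f in compare_to_baseline(results, EXPECTED_OPEN).items():
        print(f"Baseline check for {addr}: {f}")


if __name__ == "__main__":
    main()
```

To run it against a real scan, replace SAMPLE_XML with the contents of /tmp/scan-results.xml (for example, open("/tmp/scan-results.xml").read()). For the constructed sample the baseline check reports 8080 as unexpected_open and 443 as expected_but_not_open, with the reason field showing why: 443 came back filtered with no-response, which is the "firewall silently dropping" case in the list above.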

Common Mistakes

  • Scanning without authorization (legal and ethical implications)
  • Expecting a SYN scan (-sS) without root and getting a TCP connect scan instead without realizing it
  • Scanning all 65535 ports over WAN (very slow; use targeted port lists)
  • Not using --reason and guessing why a port is shown as filtered vs closed

Cleanup

rm -f /tmp/scan-results.*