Network Scanning Tutorial Using Nmap — Day 3

Port Scanning Like Professional Penetration Testers


Excellent! We now move into the phase where real penetration testing actually begins.

Up to now:

✅ Day 1 → You learned how scanning works
✅ Day 2 → You discovered live systems

Today…

👉 You start opening targets systematically.

This is where beginners officially transition toward ethical hacker thinking.

Yesterday, we mapped the network.

We identified:

  • which systems exist
  • which machines respond
  • where infrastructure lives

But here’s the reality every attacker faces next:

A live system means nothing unless it exposes services.

A machine may be alive…

…but completely useless from an attack perspective.

Professional attackers now ask one critical question:

Which doors are open?

Those doors are called ports.

In nearly every breach investigation I’ve participated in, compromise began not with malware — but with an exposed service discovered during port scanning.

Today you learn the most important Nmap skill:

👉 Professional Port Scanning


Note —

Host discovery tells you where targets exist.

Port scanning tells you how to enter.

This is the true beginning of offensive security.


Why Port Scanning Matters

Every application communicating over a network listens on a port.

Examples:

  Port   Service   Risk
  22     SSH       Remote login (credential brute force, stolen keys)
  80     HTTP      Web application vulnerabilities
  445    SMB       Lateral movement, ransomware entry
  3389   RDP       Remote desktop takeover

Attackers don’t hack computers.

They exploit services running on ports.


Real Incident Story

During ransomware response engagement:

Initial infection vector?

Port 3389 exposed publicly.

Weak credentials allowed entry.

No exploit required.

Just discovery + access.


Defensive Insight

Modern SOC alerts often trigger when:

  • one source probes many ports in sequence
  • SYN packets spike without matching completed handshakes
  • unusual connection attempts appear

Port scanning is highly monitored.

Which means technique matters.


Understanding Ports Deeply

Think of ports as departments inside a company building.

Reception (Port 80)
IT Support (Port 22)
Finance (Port 443)

You cannot attack randomly.

You must know which department exists.


Port States Concept

Nmap identifies:

  State           Meaning
  Open            A service is accepting connections on the port
  Closed          Reachable, but nothing is listening (TCP answers the probe with RST)
  Filtered        No reply, or an ICMP error: a firewall or filter is dropping the probe
  Unfiltered      Reachable, but Nmap cannot tell open from closed (only ACK scans report this)
  Open|Filtered   Nmap cannot tell open from filtered; common in UDP scans, where open ports often send no reply

Common Confusion

Students panic seeing many closed ports.

Important truth:

Closed ports are GOOD intelligence.

A closed port answered (with a RST), so the host is reachable and nothing is filtering that port.


Note —

Scanning success is information gain — not vulnerability discovery yet.


Professional Port Scanning Workflow

Real penetration testers follow:

Phase 1 — Quick Identification

Fast scan for exposed services.

Phase 2 — Detailed Enumeration

Confirm services safely.

Phase 3 — Stealth Adjustment

Avoid detection.

Phase 4 — Service Prioritization

Attack high-value targets.


Enterprise networks punish noisy scanners.

Professionals scan strategically.


✅ HANDS-ON PRACTICAL TUTORIAL (Live Lab)

Now we simulate professional attacker behavior.


Lab Environment

Continue previous setup:

✅ Kali Linux
✅ Metasploitable2
✅ Same subnet

Target Example:

192.168.56.102

Step 1 — Default Port Scan

Goal:
Understand baseline exposure.

Command:

nmap 192.168.56.102

Technical Action

Nmap scans the 1000 most common TCP ports (chosen by frequency, not ports 1–1000).

Uses SYN packets when run as root; as an unprivileged user it silently falls back to a TCP connect scan.


Expected Output (abbreviated; Metasploitable2 exposes far more)

21/tcp open ftp
22/tcp open ssh
80/tcp open http

Attacker Thinking

Immediately attacker considers:

  • FTP misconfiguration
  • SSH brute force
  • Web vulnerabilities

Attack paths emerge.


Note —

Never rush to exploit.

Validate exposure first.


Step 2 — TCP SYN Scan (Stealth Scan)

Most important professional scan.

Command:

sudo nmap -sS 192.168.56.102

Flag Explanation

  • -sS → SYN Scan
  • Half-open connection
  • Faster & stealthier

What Happens Technically?

Process:

  1. SYN sent
  2. SYN/ACK received if the port is open; RST if it is closed; no reply if it is filtered
  3. Nmap answers a SYN/ACK with RST instead of ACK

Connection never completes.


Why Attackers Love This

A service only sees a connection once the handshake completes; with a SYN scan the accept() never happens, so nothing reaches application logs.

Firewalls, IDS sensors and flow records still see every SYN.


Enterprise Reality Insight

Modern EDR tools still detect patterns.

Stealth ≠ invisible.


Step 3 — TCP Connect Scan

When root privileges are unavailable (this is also what plain nmap falls back to without sudo).

nmap -sT 192.168.56.102

Completes the full handshake through the operating system's connect() call.

Very detectable: every probed service sees a real connection and can log it.

Used cautiously.


Step 4 — Scan All Ports

Default misses uncommon services.

Command:

sudo nmap -p- 192.168.56.102

Meaning

-p- = ports 1–65535 (port 0 is excluded unless you ask for -p0-)


Bug bounty assessment revealed admin panel on port 49152.

Default scan missed it.

Full scan exposed critical vulnerability.


Note —

Professional lesson:

Hidden services live outside defaults.


Step 5 — Fast Port Scan

Time-critical engagement:

nmap -F 192.168.56.102

Scans the 100 most common ports instead of the default 1000.

Quick overview.


Step 6 — UDP Scan (Advanced)

Many beginners skip UDP.

Big mistake.

Command:

sudo nmap -sU 192.168.56.102

Finds:

  • DNS (53)
  • SNMP (161)
  • VPN services (IKE on 500, OpenVPN on 1194)

UDP scanning is slow but valuable: an open UDP port usually sends no reply, so Nmap has to wait for a timeout and then report open|filtered, while closed ports answer with ICMP port unreachable, which Linux rate-limits to roughly one per second.
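The script below is an added example, not part of the original tutorial and not Nmap's own code. It ties Steps 1 to 4 to the workflow above: Phase 1 is saved with -oG (or -oA), the script reads that file, summarises the port states from the Port States table, and prints the Phase 2 command that re-scans only what Phase 1 found open. The file it writes is constructed in the layout Nmap uses for grepable output; the address is the lab target 192.168.56.102, and the Phase 2 flags (-sS, --reason, -oA) are my choice of a conservative confirmation scan.

```shell
#!/bin/sh
# Added example: pivot from a Phase 1 scan to a Phase 2 scan using Nmap's
# grepable output (-oG). Parsing is done in POSIX awk; nothing here is
# Nmap's own code. The sample file contents are constructed.

# Print every port in the requested state (default: open) from a -oG file,
# one per line, sorted numerically. Each "Ports:" entry has the shape
# port/state/proto/owner/service/rpcinfo/version/ and entries are joined
# with ", ", while the fields of a Host line are separated by tabs.
ports_in_state() {
    awk -F "$(printf '\t')" -v want="${2:-open}" '
        /^Host:/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Ports: /) {
                    sub(/^Ports: /, "", $i)
                    n = split($i, entry, /, */)
                    for (j = 1; j <= n; j++) {
                        split(entry[j], f, "/")
                        if (f[2] == want) print f[1]
                    }
                }
            }
        }' "$1" | sort -n -u
}

# Count ports per state. Nmap does not list the bulk state per port; it
# summarises it as "Ignored State: closed (995)", so that field is folded in.
state_summary() {
    awk -F "$(printf '\t')" '
        /^Host:/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Ports: /) {
                    sub(/^Ports: /, "", $i)
                    n = split($i, entry, /, */)
                    for (j = 1; j <= n; j++) { split(entry[j], f, "/"); count[f[2]]++ }
                }
                if ($i ~ /^Ignored State: /) {
                    split($i, g, /[ ()]+/)      # g[3] = state, g[4] = number of ports
                    count[g[3]] += g[4]
                }
            }
        }
        END { for (s in count) print s, count[s] }' "$1" | sort
}

# Comma-separated open-port list in the form nmap -p expects.
port_list() {
    ports_in_state "$1" open | paste -sd, -
}

# Phase 2 command: re-scan only what Phase 1 found, with --reason so the
# evidence behind every state is recorded. Returns 1 when Phase 1 found
# nothing open, so a pipeline does not silently fall back to scanning everything.
phase2_command() {
    target=$1
    list=$(port_list "$2")
    [ -n "$list" ] || return 1
    printf 'sudo nmap -sS -p %s --reason -oA phase2_%s %s\n' "$list" "$target" "$target"
}

# Constructed -oG file in the layout Nmap writes (not a real capture).
write_sample_gnmap() {
    {
        printf '# Nmap scan initiated as: nmap -oG phase1.gnmap 192.168.56.102\n'
        printf 'Host: 192.168.56.102 ()\tStatus: Up\n'
        printf 'Host: 192.168.56.102 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 25/filtered/tcp//smtp///, 80/open/tcp//http///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (995)\n'
        printf '# Nmap done: 1 IP address (1 host up) scanned\n'
    } > "$1"
}

# Stand-alone run on the constructed sample.
tmp=$(mktemp -d)
write_sample_gnmap "$tmp/phase1.gnmap"
echo "Port states:"; state_summary "$tmp/phase1.gnmap"
echo "Filtered ports:"; ports_in_state "$tmp/phase1.gnmap" filtered
echo "Phase 2 command:"; phase2_command 192.168.56.102 "$tmp/phase1.gnmap"
rm -rf "$tmp"
```

Against a real Phase 1 run (for example sudo nmap -sS -p- -oA phase1 192.168.56.102) call port_list phase1.gnmap or phase2_command 192.168.56.102 phase1.gnmap; the functions only read the file, so any -oG output works. The filtered list is worth keeping as well: a port that is filtered from one vantage point and open from another tells you where the firewall boundary is.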


Attacker Thinking Simulation

At this stage attacker asks:

Which service gives easiest initial access?

Scanning guides exploitation strategy.


Troubleshooting Layer

Scan Extremely Slow?

UDP is naturally slow (see Step 6).

Use:

-T4

and limit a UDP scan to the ports that matter, e.g. --top-ports 100 together with -sU.

All Ports Filtered?

Possible reasons:

  • firewall
  • IPS
  • wrong network

Add --reason to see the evidence behind each state (no response versus an ICMP error), and confirm you are on the right subnet before blaming a firewall.

Host Reported Down?

If Nmap says the host "seems down" although you know it is up, host discovery is being blocked, not the ports. Skip discovery and scan anyway:

-Pn

Permission Error?

Run with sudo.


Note —

Scanning problems teach network behavior.

Failures are intelligence.


Real-World Scenario

Internal assessment discovered SMB open internally.

Unpatched system.

Later exploited via EternalBlue simulation.

Port scanning revealed attack vector before exploitation phase.


Professional Tools Explained

Port scan data feeds into:

  • Metasploit
  • Nessus
  • OpenVAS
  • Burp workflows
  • Red Team automation

Nmap becomes reconnaissance backbone.


Beginner Mistakes 🚨

❌ Only default scans
❌ Ignoring UDP
❌ Scanning too aggressively
❌ Misreading filtered ports
❌ Skipping full-port scans


Pro Tips From 20 Years Experience 🔥

  • Start small.
  • Validate results twice.
  • Save outputs (-oA scan writes normal, grepable and XML files in one go):
-oN scan.txt
  • Compare scans over time.
  • Understand service importance.

Elite hackers analyze — not rush.
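The tip to compare scans over time is worth making concrete. What follows is an added example, not from the original post and not Nmap's own tooling: it reads two saved normal-output (-oN) reports and prints the ports that opened or disappeared between them. Both report files are constructed in the layout Nmap prints, with invented values for the lab target 192.168.56.102.

```shell
#!/bin/sh
# Added example: compare two saved Nmap normal-output (-oN) files and report
# ports that opened or closed between them. Not Nmap's own code; the two
# report files written below are constructed, not real captures.

# Open ports from a -oN report. Nmap prints one line per port in the form
# "PORT  STATE  SERVICE", e.g. "22/tcp  open  ssh"; every other line is ignored.
# LC_ALL=C keeps sort and comm on the same byte-wise ordering.
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1 }' "$1" | LC_ALL=C sort -u
}

# Lines prefixed "+ " opened since the baseline, "- " were open but are gone.
scan_diff() {
    base=$(mktemp); cur=$(mktemp)
    open_ports "$1" > "$base"
    open_ports "$2" > "$cur"
    LC_ALL=C comm -13 "$base" "$cur" | sed 's/^/+ /'
    LC_ALL=C comm -23 "$base" "$cur" | sed 's/^/- /'
    rm -f "$base" "$cur"
}

# Constructed baseline report (layout of nmap -oN, values invented).
write_baseline() {
    cat > "$1" <<'EOF'
Nmap scan report for 192.168.56.102
Host is up (0.00042s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
80/tcp  open  http
EOF
}

# Constructed follow-up report: FTP has gone, SMB and RDP have appeared.
write_current() {
    cat > "$1" <<'EOF'
Nmap scan report for 192.168.56.102
Host is up (0.00039s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
EOF
}

# Stand-alone run on the two constructed reports.
tmp=$(mktemp -d)
write_baseline "$tmp/week1.txt"
write_current "$tmp/week2.txt"
scan_diff "$tmp/week1.txt" "$tmp/week2.txt"
rm -rf "$tmp"
```

A diff like this is only meaningful when both scans used the same port range and scan type, so keep the exact command line with each saved report. Nmap ships its own tool for the same job, ndiff, which compares XML output (-oX), another reason to save with -oA.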


Defensive & Ethical Perspective

Blue Teams detect:

  • bursts of SYNs from one source to many ports, with no handshake completing
  • sequential scanning
  • abnormal port behavior

Defense includes:

  • firewall segmentation
  • honeypots
  • scan detection engines

Understanding scanning improves defense posture.
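To show the detection side of the Defensive Insight and Defensive Perspective sections, here is an added example (not from the original post, and not any vendor's detection logic): a minimal scan detector in POSIX awk over firewall-style connection records. The log format and every line in it are constructed for this illustration, in the shape "<epoch> <src> <dst> <dport> <tcp-flags>"; the threshold and window are parameters you would tune to your own traffic.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal SYN-scan detector
# in POSIX awk over constructed connection records of the form
# "<epoch> <src> <dst> <dport> <tcp-flags>".

# Flag a source that sends bare SYNs (flag S without A) to at least THRESHOLD
# distinct ports on one destination within WINDOW seconds. A legitimate client
# touches a few ports and completes its handshakes; a SYN scan fans out fast
# and never sends the final ACK, which is exactly what SYN-only records show.
# Usage: flag_scanners THRESHOLD WINDOW < logfile
flag_scanners() {
    awk -v thr="$1" -v win="$2" '
        $5 ~ /S/ && $5 !~ /A/ {
            key = $2 " -> " $3
            if (!((key, $4) in seen)) { seen[key, $4] = 1; ports[key]++ }
            if (!(key in first)) first[key] = $1
            last[key] = $1
        }
        END {
            for (k in ports) {
                span = last[k] - first[k]
                if (ports[k] >= thr && span <= win)
                    print k ": " ports[k] " distinct ports in " span "s"
            }
        }' | sort
}

# Constructed sample: .101 probes ten ports in nine seconds (a SYN scan),
# .50 is a browser talking to the web server and completing its handshakes.
sample_log() {
    cat <<'EOF'
1700000001 192.168.56.101 192.168.56.102 21 S
1700000002 192.168.56.101 192.168.56.102 22 S
1700000002 192.168.56.50 192.168.56.102 80 S
1700000002 192.168.56.50 192.168.56.102 80 A
1700000003 192.168.56.101 192.168.56.102 23 S
1700000004 192.168.56.101 192.168.56.102 25 S
1700000005 192.168.56.101 192.168.56.102 53 S
1700000006 192.168.56.101 192.168.56.102 80 S
1700000007 192.168.56.101 192.168.56.102 111 S
1700000008 192.168.56.101 192.168.56.102 139 S
1700000009 192.168.56.101 192.168.56.102 445 S
1700000010 192.168.56.101 192.168.56.102 3306 S
1700000600 192.168.56.50 192.168.56.102 443 S
1700000600 192.168.56.50 192.168.56.102 443 A
EOF
}

# Stand-alone run: eight distinct ports within sixty seconds is the trigger.
sample_log | flag_scanners 8 60
```

This is the reason "stealth" in Step 2 is relative: the SYN scan never reaches the web server's access log, yet the perimeter device records the fan-out and the missing ACKs, which is all a detector needs. Tune the threshold against your own baseline before alerting on it; load balancers, health checks and vulnerability scanners you run yourself will all trip a naive value.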


Practical Implementation Checklist

✅ Default scan completed
✅ SYN scan executed
✅ Full port scan tested
✅ UDP awareness gained
✅ Output interpreted
✅ Results saved


Career Insight

Port scanning mastery enables roles:

  • Penetration Tester
  • Red Team Operator
  • SOC Analyst
  • Threat Hunter
  • Security Consultant

Interview truth:

Most candidates fail explaining SYN scan logic.

You now understand it operationally.


Quick Recap

Today you mastered:

✅ Port states
✅ TCP SYN scanning
✅ Connect scans
✅ Full port discovery
✅ UDP scanning basics
✅ Attacker decision logic

Tomorrow…

We move deeper.

Not just open ports.

But what exactly runs behind them.


FAQs

Why is SYN scan called stealth scan?

Because connection never fully completes, reducing logging visibility.

Should I always scan all ports?

Yes during full assessment, but cautiously.

Why are UDP scans slow?

Open UDP ports usually send no reply, so Nmap must wait for a timeout on each one, and closed ports answer with ICMP errors that hosts rate-limit.

Can port scanning crash systems?

Rarely, but fragile legacy devices may react poorly.

Is scanning detectable?

Yes. Modern SOC environments monitor scans closely.

What scan do professionals use most?

TCP SYN (-sS) remains industry standard.

Does open port mean vulnerability?

No. It only indicates accessible service.
