Table of Contents
Introduction Reconnaissance is the most critical phase of ethical hacking and penetration testing. Before exploiting any vulnerability, an ethical hacker must clearly understand the target system, its network exposure, and the services it is running. This understanding reduces guesswork and helps security professionals focus on real risks instead of assumptions.
Nmap (Network Mapper) is one of the most trusted tools used during this phase. It allows ethical hackers to actively interact with a target system and collect technical information such as open ports, running services, service versions, and operating system details. Because of its accuracy and flexibility, Nmap is considered a foundation tool in cybersecurity.
This Blog explains Nmap scans in a theory‑first approach , supported by real scan outputs taken from a Kali Linux environment running inside VirtualBox.
Environment Used for Scanning The scans shown in this Blog were performed in the following setup:
Attacker Machine: Kali Linux 2025.2
Platform: Oracle VirtualBox
Network Type: Local network / NAT or Bridged (lab environment)
Target IP Address: 192.168.0.143
The target system is a Windows-based host running common network services.
Basic Nmap Scan – Initial Reconnaissance
(fig-1) Command Used
nmap 192.168.0.143
Explanation
A basic Nmap scan is the first step in reconnaissance. This scan checks the top 1000 most commonly used TCP ports on the target system. These ports are selected because they are frequently associated with popular services such as file sharing, web servers, and remote access tools.
The goal of this scan is not deep analysis, but rather to quickly understand which services are exposed to the network.
Observed Results (Figure 1)
The scan output reveals that the host is online and responding. Several important ports are found open:
The presence of these ports strongly indicates a Windows operating system , because ports 135, 139, and 445 are closely associated with Windows networking and file-sharing mechanisms.
This scan establishes the attack surface of the target.
Understanding Filtered Ports The scan output also shows that 996 TCP ports are filtered . A filtered port means that Nmap did not receive a response, usually due to a firewall or security rule blocking the probe.
This tells the ethical hacker that a firewall is active, but not fully restrictive, because some critical ports are still accessible.
Aggressive Scan – Deep Enumeration
(fig-2) Command Used
nmap -A 192.168.0.143
(fig-3)
What the -A Option Does
The -A flag enables aggressive scanning , which combines multiple scanning techniques into a single command. This includes:
This scan is used when an ethical hacker wants maximum information about a target system.
Service and Version Detection Observed Results (Figure 2 & Figure 3)
The aggressive scan identifies not only open ports, but also the exact services and versions running on those ports:
Port 135: Microsoft Windows RPC
Port 139: Microsoft Windows NetBIOS Session Service
Port 445: Microsoft Windows SMB service
Port 3306: TCP wrapped service (likely MySQL with restricted access)
Version detection is extremely important because vulnerabilities are often tied to specific software versions. Knowing the service type allows ethical hackers to research known weaknesses using CVE databases.
Operating System Detection How Nmap Detects the OS
Nmap identifies operating systems by analyzing network behavior such as TCP window size, packet responses, and timing patterns. Each operating system implements TCP/IP slightly differently, allowing Nmap to make an educated guess.
Observed Results
The scan strongly suggests that the target system is:
This is confirmed by OS fingerprints and service behavior. The scan also indicates that the target is likely running inside a virtualized environment rather than physical hardware.
OS Detection Limitations
(fig-4) Nmap includes a warning stating that OS detection may be unreliable because it could not find at least one open and one closed port under ideal conditions. This is a common limitation when firewalls restrict traffic.
Despite this, Nmap still provides a highly accurate probable OS match , which is sufficient for reconnaissance.
Script Scanning Results Host Script Output (Figure 3)
The scan includes script results such as smb2-time, which reveals:
Although this information may seem minor, time synchronization data can sometimes help in advanced attacks or forensic analysis.
Network Distance Analysis The scan reports a network distance of 1 hop , which means the target system is on the same local network or directly reachable. This information confirms that the scan is being performed in a controlled lab environment.
Security Implications of the Findings From an ethical hacking perspective, the scan reveals several important security considerations:
SMB services exposed on ports 139 and 445 increase the attack surface
MySQL running on port 3306 suggests a backend database service
Windows RPC services may be vulnerable if not properly patched
Each of these services must be reviewed for misconfigurations, weak authentication, and outdated software.
Legal and Ethical Notice All scans shown in this documentation were performed in an authorized lab environment . Scanning systems without explicit permission is illegal and unethical.
Ethical hackers must always ensure they have written authorization before performing any network scans.
Conclusion This Blog demonstrates how Nmap is used in real-world ethical hacking to gather accurate and actionable information about a target system. By starting with a basic scan and progressing to aggressive scanning, ethical hackers can build a complete technical profile of a system.
The screenshots used in this Blog reflect real scan output from Kali Linux and illustrate how theory translates into practice. Mastering Nmap is not about memorizing commands, but about understanding how systems communicate and expose services over a network.
With proper authorization and responsible usage, Nmap becomes one of the most powerful tools for improving system security.
Frequently Asked Questions (FAQ) 1. What is Nmap used in ethical hacking?
Nmap is used for reconnaissance and enumeration. It helps ethical hackers identify live hosts, open ports, running services, service versions, and operating systems before attempting any vulnerability analysis or exploitation.
2. Is Nmap legal to use?
Nmap is legal when used on systems you own or have explicit permission to scan. Scanning unauthorized systems or public websites without consent is illegal and unethical.
3. What does a filtered port mean in Nmap results?
A filtered port means that Nmap did not receive a response from the target. This usually indicates the presence of a firewall or security device blocking the scan packets.
4. Why are ports 135, 139, and 445 important?
These ports are commonly associated with Windows networking services such as RPC and SMB. Open access to these ports can expose a system to serious security risks if not properly secured.
5. What is the difference between a basic scan and an aggressive scan?
A basic scan checks common ports to identify open services, while an aggressive scan performs service detection, OS detection, script scanning, and traceroute to gather maximum information.
6. Why does Nmap sometimes fail to detect the exact operating system?
OS detection can be affected by firewalls, limited open ports, or non-ideal network conditions. In such cases, Nmap provides a best-guess result instead of an exact match.
7. What is the purpose of service version detection?
Service version detection helps identify the exact software running on a port. This information is critical for finding known vulnerabilities related to that software version.
8. What is the Nmap Scripting Engine (NSE)?
The Nmap Scripting Engine allows users to run scripts for vulnerability detection, misconfiguration checks, and information gathering, extending Nmap beyond basic scanning.
9. Can Nmap detect databases like MySQL?
Yes, Nmap can identify database services such as MySQL if the port is open and accessible. In the Blog, port 3306 indicates a MySQL-related service.
10. Why is Nmap considered a core tool for cybersecurity professionals?
Nmap provides accurate network visibility, supports multiple scanning techniques, and works across platforms. Its flexibility and reliability make it essential for ethical hackers and security analysts.
Like
0
Dislike
0
Love
0
Funny
0
Angry
0
Sad
0
Wow
0
