CTF · Lesson 30 · 25 min read

NCL: Network Scanning & Enumeration

Port scanning, service detection, and network reconnaissance with nmap

Network Scanning & Enumeration

Every computer on a network has an IP address. Every service running on that computer — web server, SSH, email, database — listens on a numbered port. Network scanning is the process of discovering which machines exist on a network and which ports are open on each one. This is the first thing a security professional does when assessing a target: map what’s there before you can defend it or test it.

This page covers ports and services, the TCP/UDP distinction, nmap (the standard scanning tool), reading scan output, service banners, and responsible scanning practices. Each section includes the exact commands and what their output means.

Prerequisites: You should be comfortable with file navigation and basic shell commands from Weeks 1-2.


1. Ports and Services

Think of an IP address as a building’s street address. A port is a numbered door on that building — there are 65,535 of them (numbered 0 through 65535). Each running service picks a door and listens for visitors.

The first 1024 ports (0-1023) are well-known ports — reserved by convention for standard services. You don’t need a special reason to use port 8080 for a web server, but port 80 is the default everyone expects.

The 15 ports you need to know

Port Service What It Does
20/21 FTP File transfer (20 = data channel, 21 = control channel)
22 SSH Encrypted remote shell access
23 Telnet Unencrypted remote shell (insecure, legacy)
25 SMTP Sends email between mail servers
53 DNS Translates domain names to IP addresses
80 HTTP Unencrypted web traffic
110 POP3 Retrieves email from a mail server
143 IMAP Retrieves email with folder support
443 HTTPS Encrypted web traffic (HTTP + TLS)
445 SMB Windows file and printer sharing
993 IMAPS IMAP over TLS
3306 MySQL MySQL database connections
3389 RDP Windows Remote Desktop
5432 PostgreSQL PostgreSQL database connections
8080 HTTP-alt Common alternative web server port

When you see an open port, the port number tells you what service is probably running. But services can run on any port — a web server on port 9999 is valid. The port number is a convention, not a rule.

Checkpoint: You scan a machine and find port 3306 open. What is most likely running, and what does this tell you about the target?

MySQL — a database server. This tells you the target is probably running a web application with a database backend. Finding a database port open to the network (rather than restricted to localhost) is often a misconfiguration and a high-value target for further enumeration.


2. TCP vs UDP

Every network service communicates using one of two transport protocols. Understanding the difference matters for scanning because each protocol requires a different scan technique.

TCP (Transmission Control Protocol) works like a phone call. Before any data flows, the two sides perform a three-way handshake:

Client → SYN        → Server    "I want to connect"
Client ← SYN-ACK    ← Server    "OK, I acknowledge"
Client → ACK        → Server    "Connection established"

After the handshake, data flows reliably — every packet is acknowledged, and lost packets are retransmitted. TCP is used by HTTP, SSH, FTP, SMTP, and most services.

UDP (User Datagram Protocol) works like mailing a letter. You send a packet and hope it arrives. There is no handshake, no acknowledgment, no retransmission. This makes UDP faster but unreliable. DNS (port 53) and DHCP (port 67/68) use UDP because speed matters more than guaranteed delivery for small queries.

Why this matters for scanning

TCP scanning is straightforward: send a SYN, and a SYN-ACK back means the port is open while a RST means it is closed. UDP scanning is slow and unreliable: you send a packet, and if nothing comes back the port might be open (the service accepted it silently) or filtered (a firewall dropped it), which is why nmap reports such ports as open|filtered. Only two UDP responses are definitive: a reply from the service, which means open, and an ICMP “port unreachable” message, which means closed.
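To make the decision rules above concrete, here is an added example (not part of the lesson) that applies them from Python: the TCP function does what a connect scan (-sT, covered in the next section) does, and the UDP function shows why silence cannot be classified. Only the standard library is used; the function names are this example's own, and the only targets it probes are throwaway listeners it starts itself on 127.0.0.1.

```python
"""Port-state probes that apply the same rules nmap uses for -sT and -sU.

Added example, not part of the lesson. Only the standard library is used; the
names classify_tcp, classify_udp, start_tcp_listener, start_udp_echo and
free_port are this example's own, and the only targets it probes are
listeners it starts itself on 127.0.0.1.
"""
import socket
import threading


def classify_tcp(host, port, timeout=1.0):
    """TCP connect scan (nmap -sT): try to complete the three-way handshake.

    SYN-ACK came back  -> connect() succeeds      -> "open"
    RST came back      -> ConnectionRefusedError  -> "closed"
    nothing came back  -> timeout                 -> "filtered"
    (Any other socket error is lumped in with "filtered" here; nmap is finer.)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:
            return "filtered"


def classify_udp(host, port, payload=b"\x00", timeout=1.0):
    """UDP probe (nmap -sU). The socket is connect()ed so the kernel reports an
    ICMP port-unreachable for this port back to us as ConnectionRefusedError.

    a UDP reply arrives    -> "open"
    ICMP port unreachable  -> "closed"
    silence                -> "open|filtered"  (accepted silently, or dropped)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            s.send(payload)
            s.recv(1024)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"


# --- constructed local targets so the example runs offline -------------------
def start_tcp_listener():
    """A TCP service on an ephemeral port. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)                 # the kernel completes handshakes for us
    return srv, srv.getsockname()[1]


def start_udp_echo():
    """A UDP service that answers every datagram. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))

    def serve():
        while True:
            try:
                data, peer = srv.recvfrom(1024)
            except OSError:       # socket closed by the caller
                return
            srv.sendto(data, peer)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port():
    """A port nothing is listening on: bind to 0, note the number, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    tcp_srv, tcp_port = start_tcp_listener()
    udp_srv, udp_port = start_udp_echo()
    closed_tcp, closed_udp = free_port(), free_port()
    print(f"tcp/{tcp_port}: {classify_tcp('127.0.0.1', tcp_port)}")
    print(f"tcp/{closed_tcp}: {classify_tcp('127.0.0.1', closed_tcp)}")
    print(f"udp/{udp_port}: {classify_udp('127.0.0.1', udp_port)}")
    print(f"udp/{closed_udp}: {classify_udp('127.0.0.1', closed_udp)}")
    tcp_srv.close()
    udp_srv.close()
```

Run it and note the last line: on a host that delivers ICMP errors the closed UDP port reports closed, but inside some sandboxes (and on any firewalled target) the same probe comes back open|filtered, which is exactly the ambiguity the section describes.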


3. nmap Basics

nmap (Network Mapper) is the standard network scanning tool. It sends crafted packets to a target, analyzes the responses, and reports which ports are open and what services are running.

Essential scans

# Default scan: top 1000 most common ports
nmap 10.0.0.1
Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for 10.0.0.1
Host is up (0.0032s latency).
Not shown: 997 closed tcp ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 1.42 seconds

The default scan checks the 1000 most commonly used ports. Fast, but misses anything on an unusual port.

# Scan ALL 65535 ports (slower but complete)
nmap -p 1-65535 10.0.0.1
nmap -p- 10.0.0.1          # shorthand for the same thing

# Scan specific ports
nmap -p 22,80,443,8080 10.0.0.1

# Scan a range
nmap -p 1-1024 10.0.0.1

Service version detection

Knowing a port is open is step one. Knowing what software and version is listening is step two — and is what most competition questions ask about.

# Detect service versions
nmap -sV 10.0.0.1
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.9p1 Ubuntu 3ubuntu0.6
80/tcp   open  http     Apache httpd 2.4.52 ((Ubuntu))
443/tcp  open  ssl/http Apache httpd 2.4.52 ((Ubuntu))
3306/tcp open  mysql    MySQL 8.0.35-0ubuntu0.22.04.1

Now you know the exact software and version on each port. This is how you find known vulnerabilities: run searchsploit Apache 2.4.52 against the local Exploit-DB copy, or look the version up in the NVD.

Scan types

# SYN scan (stealthy, requires root)
sudo nmap -sS 10.0.0.1

# TCP connect scan (no root needed, but logged by target)
nmap -sT 10.0.0.1

# UDP scan (slow — no handshake means long timeouts)
sudo nmap -sU 10.0.0.1

# Aggressive scan: OS detection + version + scripts + traceroute
nmap -A 10.0.0.1

Flag   Scan Type                            Speed    Stealth   Root Required
-sS    SYN (half-open)                      Fast     High      Yes
-sT    TCP connect                          Medium   Low       No
-sU    UDP                                  Slow     N/A       Yes
-A     Aggressive (OS + version + scripts)  Slow     Low       Yes

Saving output

# Save as normal text
nmap -oN scan_results.txt 10.0.0.1

# Save in all formats (normal, XML, grepable)
nmap -oA scan_results 10.0.0.1

# Grepable output (one host per line, easy to parse)
nmap -oG results.gnmap 10.0.0.1

Checkpoint: You need to find ALL open ports on a target as fast as possible during a competition. What command do you run?

sudo nmap -sS -p- --min-rate 5000 -T4 10.0.0.1 — SYN scan (-sS) is fast, -p- checks all 65535 ports, --min-rate 5000 forces nmap to send at least 5000 packets per second, and -T4 increases timing aggressiveness. Follow up with -sV on the open ports: nmap -sV -p 22,80,443 10.0.0.1.


4. Reading nmap Output

Every line in nmap output carries specific meaning. Here is a complete scan result, annotated:

Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for target.ncl.game (10.0.5.22)
Host is up (0.014s latency).
Not shown: 993 closed tcp ports (reset)
PORT     STATE    SERVICE     VERSION
22/tcp   open     ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.9
25/tcp   filtered smtp
80/tcp   open     http        nginx 1.18.0 (Ubuntu)
443/tcp  open     ssl/http    nginx 1.18.0 (Ubuntu)
445/tcp  open     netbios-ssn Samba smbd 4.15.13-Ubuntu
3306/tcp open     mysql       MySQL 5.7.42-0ubuntu0.18.04.1
8080/tcp closed   http-proxy
OS: Linux 5.4 (95% confidence)

Port states

State          Meaning                                             What Happened
open           Service is listening and accepting connections      nmap received a SYN-ACK
closed         No service is listening, but the port is reachable  nmap received a RST (reset)
filtered       A firewall is blocking the probe                    nmap received no response or an ICMP unreachable
open|filtered  nmap cannot tell if open or filtered                Common with UDP: no response could mean either

In the output above: ports 22, 80, 443, 445, and 3306 are open (services running). Port 25 is filtered (a firewall is silently dropping SMTP traffic). Port 8080 is closed (nothing running, but the machine responded).

What to extract from a scan

  1. Open ports — what attack surface exists
  2. Service versions — specific software to search for CVEs
  3. OS guess — helps narrow down exploit compatibility
  4. Filtered ports — indicate a firewall is present (useful for understanding the network architecture)
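The four items in that list are exactly what a parser should pull out of a report. As an added example (not part of the lesson), the following Python turns nmap's normal (-oN) output into records and extracts open ports, versions, the OS guess and the filtered ports. The regular expressions and the names parse_nmap and summarize are this example's own; SAMPLE_SCAN is a constructed copy of the annotated report above, including the lesson's condensed "OS:" line (real nmap prints "OS details:" or "Aggressive OS guesses:", which the parser also accepts).

```python
"""Parse nmap's normal (-oN) report into records and pull out the four items
the lesson lists: open ports, versions, OS guess, filtered ports.

Added example, not part of the lesson. The regexes and the names parse_nmap
and summarize are this example's own; SAMPLE_SCAN is a constructed copy of
the annotated report shown above.
"""
import re
from collections import namedtuple

PortRecord = namedtuple("PortRecord", "port proto state service version")

# e.g. "22/tcp   open     ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.9"
PORT_LINE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open\|filtered|open|closed|filtered|unfiltered)"
    r"\s+(\S+)\s*(.*)$"
)
OS_LINE = re.compile(r"^(?:OS|OS details|Aggressive OS guesses):\s*(.+)$")
NOT_SHOWN = re.compile(r"^Not shown:\s*(\d+)\s+(\S+)")

SAMPLE_SCAN = """\
Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for target.ncl.game (10.0.5.22)
Host is up (0.014s latency).
Not shown: 993 closed tcp ports (reset)
PORT     STATE    SERVICE     VERSION
22/tcp   open     ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.9
25/tcp   filtered smtp
80/tcp   open     http        nginx 1.18.0 (Ubuntu)
443/tcp  open     ssl/http    nginx 1.18.0 (Ubuntu)
445/tcp  open     netbios-ssn Samba smbd 4.15.13-Ubuntu
3306/tcp open     mysql       MySQL 5.7.42-0ubuntu0.18.04.1
8080/tcp closed   http-proxy
OS: Linux 5.4 (95% confidence)
"""


def parse_nmap(text):
    """Return {"ports": [PortRecord, ...], "os": str or None, "not_shown": {state: count}}."""
    ports, os_guess, not_shown = [], None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := PORT_LINE.match(line):
            port, proto, state, service, version = m.groups()
            ports.append(PortRecord(int(port), proto, state, service, version.strip() or None))
        elif m := OS_LINE.match(line):
            os_guess = m.group(1).strip()
        elif m := NOT_SHOWN.match(line):
            not_shown[m.group(2)] = int(m.group(1))   # e.g. {"closed": 993}
    return {"ports": ports, "os": os_guess, "not_shown": not_shown}


def summarize(text):
    """The lesson's four extraction targets, plus a yes/no firewall indicator."""
    scan = parse_nmap(text)
    ports = scan["ports"]
    return {
        "open_ports": [(p.port, p.service) for p in ports if p.state == "open"],
        "versions": {p.port: p.version for p in ports if p.state == "open" and p.version},
        "os": scan["os"],
        "filtered_ports": [p.port for p in ports if "filtered" in p.state],
        "firewall_present": any("filtered" in p.state for p in ports),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_SCAN), indent=2))
```

Feed it a real report with `summarize(open("scan_results.txt").read())`; ports that nmap never listed individually are only counted in the "Not shown" line, which is why the parser keeps that count separately.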

Checkpoint: nmap shows MySQL 5.7.42 on port 3306. The next step is to check for known vulnerabilities. How?

Two approaches:

  1. searchsploit mysql 5.7 — searches the local Exploit-DB copy for known exploits
  2. Search the NVD at nvd.nist.gov for “MySQL 5.7.42” — shows CVE entries with severity scores

Also try connecting: mysql -h 10.0.5.22 -u root — some MySQL installations allow anonymous or root login without a password (a common misconfiguration).


5. Service Banners

When you connect to an open port, many services greet you with a banner — a text string identifying the software name and version. This is what nmap -sV reads behind the scenes.

You can grab banners manually with netcat (nc) or curl:

# SSH banner
nc -v 10.0.0.1 22
Connection to 10.0.0.1 22 port [tcp/ssh] succeeded!
SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6

# FTP banner
nc -v 10.0.0.1 21
Connection to 10.0.0.1 21 port [tcp/ftp] succeeded!
220 (vsFTPd 3.0.5)

# HTTP server header
curl -I http://10.0.0.1
HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
X-Powered-By: PHP/8.1.2
Content-Type: text/html; charset=UTF-8

Why banners matter

Every piece of version information is a search query. If you know the target runs OpenSSH 8.9p1, you can search for known vulnerabilities in that exact version. If the HTTP response includes X-Powered-By: PHP/8.1.2, you know the tech stack and can look for PHP-specific exploits.

Hardened servers suppress banners. If a service returns no banner or a generic one, it has been configured for security. This itself is useful information — it tells you the target is actively maintained.
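The nc and curl -I calls above, done from Python with a timeout so a silent service is reported as silent instead of hanging the session, as an added example that is not part of the lesson. Only the standard library is used; the names grab_banner, http_headers, fingerprint and serve_once are this example's own, and the fake local servers it talks to serve constructed copies of the banners shown above so that it runs offline.

```python
"""Banner grabbing in Python: what nc and curl -I do above, with a timeout so
a silent (hardened) service is reported as such instead of hanging.

Added example, not part of the lesson. Only the standard library is used; the
names grab_banner, http_headers, fingerprint and serve_once are this example's
own, and the banners served by the local fake servers are constructed copies
of the ones shown above.
"""
import socket
import threading


def grab_banner(host, port, timeout=2.0, probe=None):
    """Return the first line the service sends after connect (SSH, FTP and
    SMTP speak first). None means nothing arrived before the timeout: the
    banner is suppressed, or the service waits for the client to talk."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:                      # optional nudge for services that wait
            s.sendall(probe)
        try:
            data = s.recv(1024)
        except socket.timeout:
            return None
    first = data.split(b"\n", 1)[0].decode("latin-1").strip()
    return first or None


def http_headers(host, port=80, timeout=2.0):
    """Send a HEAD request like curl -I; return response headers, keys lower-cased."""
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        try:
            while chunk := s.recv(4096):
                chunks.append(chunk)
        except socket.timeout:
            pass                       # use whatever arrived
    head = b"".join(chunks).decode("latin-1").split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:   # [0] is the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def fingerprint(headers):
    """The two headers worth recording from an HTTP response."""
    return {"server": headers.get("server"), "powered_by": headers.get("x-powered-by")}


# --- constructed local targets so the example runs offline -------------------
HTTP_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                 b"Server: Apache/2.4.52 (Ubuntu)\r\n"
                 b"X-Powered-By: PHP/8.1.2\r\n"
                 b"Content-Type: text/html; charset=UTF-8\r\n\r\n")


def serve_once(response=b"", read_first=False):
    """Throwaway TCP service on 127.0.0.1 for one client: optionally reads the
    request, sends `response` (stays silent when empty), closes. Returns port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            if read_first:
                conn.recv(4096)        # consume the client's request first
            if response:
                conn.sendall(response)
            else:                      # silent service: wait for the client to give up
                try:
                    conn.recv(1)
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    ssh = serve_once(b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n")
    print("ssh-style banner:", grab_banner("127.0.0.1", ssh))
    quiet = serve_once()
    print("silent service  :", grab_banner("127.0.0.1", quiet, timeout=0.5))
    web = serve_once(HTTP_RESPONSE, read_first=True)
    print("http fingerprint:", fingerprint(http_headers("127.0.0.1", web)))
```

The None return is the important case: record it as "no banner" rather than an error, because a port that answers nothing is still open and, as the paragraph above says, is itself a finding about how the host is maintained.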

Checkpoint: You connect to port 21 and see "220 (vsFTPd 2.3.4)". Why should this immediately get your attention?

vsFTPd 2.3.4 contains a famous backdoor. If you send a username ending with :) (a smiley face), the server opens a root shell on port 6200. This is one of the most well-known CTF vulnerabilities. Search searchsploit vsftpd 2.3.4 for the exploit details.


6. Beyond nmap: Other Enumeration Tools

nmap handles port discovery. Once you know what services are running, specialized tools dig deeper:

# Enumerate SMB shares (Windows file sharing, port 445)
smbclient -L //10.0.0.1 -N

# Enumerate DNS zone transfer (if misconfigured, dumps all records)
dig axfr @10.0.0.1 example.com

# Enumerate web directories (brute-force common paths)
gobuster dir -u http://10.0.0.1 -w /usr/share/wordlists/dirb/common.txt

# Enumerate SNMP (network device info, port 161/udp)
snmpwalk -v2c -c public 10.0.0.1

Each open port is a door. nmap finds the doors. These tools look through them.


7. Responsible Scanning

Scanning a system sends hundreds or thousands of packets to it. On your own machines and lab servers, this is fine. On someone else’s network, it is potentially illegal.

Rules:

  • Your machines: Scan freely. This is how you learn.
  • Class lab servers: Scan as directed. The lab environment exists for this purpose.
  • Competitions (NCL, NCAE, CTF): Scan the competition network only. The scope is defined in the rules.
  • Everything else: Do not scan. Unauthorized scanning violates the Computer Fraud and Abuse Act (18 U.S.C. 1030) and similar laws worldwide. “I was just learning” is not a legal defense.

If you want to practice on real targets legally, use intentionally vulnerable machines: TryHackMe, HackTheBox, and VulnHub all provide targets designed to be scanned and exploited.


8. Practice

  1. Port identification: Without looking at the table, write down the service for ports 22, 53, 80, 443, 445, and 3306. Check your answers.

  2. Lab scan: Run nmap -sV against the class lab server. Identify every open port, its service, and the software version. Record your findings in a table.

  3. Full enumeration: Run nmap -p- -sV -sC against a TryHackMe machine. For each open port, grab the banner manually with nc and compare it to nmap’s version detection. Do they match?

  4. Output parsing: Save a scan with nmap -oG results.gnmap 10.0.0.1 and use grep and awk to extract only the open ports and their services into a clean list.


Resources

Practice: TryHackMe — Nmap (search “nmap”) · HackTheBox (real machines to scan) · VulnHub (downloadable VMs)

Reference: Nmap Reference Guide · Port Number Database · IANA Service Name Registry

Video: NetworkChuck — nmap tutorial · IppSec — HackTheBox enumeration