NCL: Scanning & Reconnaissance
Port discovery, service enumeration, and OS fingerprinting with nmap
Scanning & Reconnaissance
Scanning is the process of discovering what services are running on a network target — which ports are open, what software is listening, and what operating system is in use. In NCL, you are given target IP addresses and must answer questions about the services running on them.
The primary tool is nmap (Network Mapper), a port scanner that probes TCP and UDP ports and identifies services by their responses.
1. TCP Port Scanning
A port is a numbered endpoint (0-65535) on a networked device. Each open port runs a service — port 22 runs SSH, port 80 runs HTTP, port 443 runs HTTPS. Scanning identifies which ports are open (accepting connections), closed (rejecting), or filtered (no response, likely firewalled).
Basic scans
```bash
# Scan the 1000 most common ports (default)
nmap 10.0.0.1
# Scan ALL 65535 ports (slower but complete)
nmap -p- 10.0.0.1
# Scan specific ports
nmap -p 22,80,443,8080 10.0.0.1
# Scan a range
nmap -p 1-1024 10.0.0.1
```
Scan types
| Flag | Type | How it works |
|---|---|---|
| -sT | TCP connect | Full TCP handshake (SYN → SYN-ACK → ACK). Reliable but logged by the target. |
| -sS | SYN stealth | Sends SYN, reads SYN-ACK, but never completes the handshake. Faster and harder to detect. Requires root. |
| -sU | UDP scan | Sends UDP packets. Much slower because UDP has no handshake — nmap must wait for timeout on each port. |
| -sn | Ping sweep | No port scan — just checks which hosts are alive on a network. |
In NCL, -sS (SYN scan) is the standard approach. It requires root/sudo but is faster and less likely to be logged.
Checkpoint: You run nmap on a target and port 22 shows "filtered". What does this mean?
Filtered means nmap received no response — the port is neither open nor definitively closed. This usually indicates a firewall is silently dropping the packets. Compare with closed (the target explicitly responded with RST, meaning no service is running) and open (the target responded with SYN-ACK, meaning a service is listening).
2. Service and Version Detection
Knowing a port is open is step one. Knowing what software and version is running on it is step two — and is what NCL actually asks about.
```bash
# Detect service versions on open ports
nmap -sV 10.0.0.1
# Aggressive detection (version + OS + scripts + traceroute)
nmap -A 10.0.0.1
# Run default nmap scripts (vulnerability checks, banner grabbing)
nmap -sC 10.0.0.1
# Combined: stealth scan + version + scripts + OS detection
nmap -sS -sV -sC -O 10.0.0.1
```
The -sV flag probes open ports to determine the service name and version. For example, instead of just “port 80 open”, it reports “Apache httpd 2.4.41” — which you can then search for known vulnerabilities.
Banner grabbing
Some services send a banner (a text greeting) when you connect. You can grab banners manually:
```bash
# Connect to a port and read the banner
nc -v 10.0.0.1 22        # SSH banner
nc -v 10.0.0.1 21        # FTP banner
curl -I http://10.0.0.1  # HTTP server header
```
Checkpoint: nmap -sV shows port 21 running "vsftpd 2.3.4". Why is this significant?
vsftpd 2.3.4 has a known backdoor — connecting with a username ending in :) (smiley face) opens a root shell on port 6200. This is one of the most famous CTF vulnerabilities. Search searchsploit vsftpd 2.3.4 for the exploit.
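The three port states from the section 1 checkpoint and the banner grabbing above, put together in one small Python probe. This is an added example, not code from the original page and not part of nmap: it classifies a TCP port as open, closed or filtered from the outcome of connect(), reads the greeting an open service sends first, and pulls product and version out of it the way -sV does. The "services" it probes are local stand-ins started in a thread with constructed banners (the OpenSSH and vsFTPd strings are made up for the demo, not captured from real hosts), and the regexes are a hand-written subset of the kind of match rules nmap keeps in its nmap-service-probes file.

```python
import re
import socket
import threading

# Constructed banners for the local stand-in servers below (not captured from real hosts)
SSH_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"
FTP_BANNER = b"220 (vsFTPd 2.3.4)\r\n"

# Hand-written subset of the kind of match rules nmap keeps in nmap-service-probes
BANNER_PATTERNS = [
    ("ssh", re.compile(r"^SSH-\d\.\d-(?P<product>[A-Za-z]+)[_ ](?P<version>[\w.]+)")),
    ("ftp", re.compile(r"^220[ -].*?\(?(?P<product>vsFTPd|ProFTPD|Pure-FTPd)\s+(?P<version>[\w.]+)")),
    ("http", re.compile(r"^Server:\s*(?P<product>[\w-]+)/(?P<version>[\w.]+)", re.M)),
]


def probe_port(host, port, timeout=2.0):
    """Classify one TCP port the way nmap reports it and return (state, banner).

    open     - connect() completed, so a service is listening
    closed   - the target answered with RST (seen here as ConnectionRefusedError)
    filtered - nothing came back before the timeout; usually a firewall dropping packets
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return "closed", ""
    except OSError:
        # socket.timeout is an OSError too: no SYN-ACK and no RST came back
        s.close()
        return "filtered", ""
    try:
        # SSH, FTP and SMTP talk first; HTTP waits for the client, so recv() may time out
        banner = s.recv(1024).decode("ascii", "replace").strip()
    except socket.timeout:
        banner = ""
    finally:
        s.close()
    return "open", banner


def parse_banner(banner):
    """Map a raw banner to (service, product, version) like nmap -sV, or None if unknown."""
    for service, pattern in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            return service, m.group("product"), m.group("version")
    return None


def start_banner_server(banner):
    """Local stand-in for a real service: accepts one connection, sends the banner, exits.
    Returns the ephemeral port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_port():
    """Pick a port with no listener, so a connect to it is refused (nmap's 'closed')."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    """Probe the two local stand-ins and one closed port; returns {name: (state, parsed)}."""
    results = {}
    for name, banner in (("ssh", SSH_BANNER), ("ftp", FTP_BANNER)):
        port = start_banner_server(banner)
        state, raw = probe_port("127.0.0.1", port)
        results[name] = (state, parse_banner(raw))
    state, raw = probe_port("127.0.0.1", unused_port())
    results["closed"] = (state, parse_banner(raw))
    return results


if __name__ == "__main__":
    for name, (state, parsed) in demo().items():
        print(f"{name:6s} {state:8s} {parsed}")
```

The filtered branch is the one the loopback demo cannot trigger: on localhost every port either accepts or refuses. Against a host behind a firewall that drops SYNs, connect() simply times out, which is exactly the "no response" the checkpoint describes, and why nmap cannot call such a port open or closed.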
3. OS Detection
nmap can fingerprint the operating system by analyzing how the target responds to specific TCP/IP probes (window sizes, TTL values, TCP options):
```bash
# OS detection (requires root)
nmap -O 10.0.0.1
# Limit OS detection to promising targets
nmap -O --osscan-limit 10.0.0.1
```
OS detection is less reliable than service detection — it guesses based on TCP stack behavior. In NCL, it is occasionally asked but less common than service version questions.
4. Output and Scripting
Saving results
```bash
# Save in all formats (normal, XML, grepable)
nmap -oA scan_results 10.0.0.1
# Normal text output
nmap -oN results.txt 10.0.0.1
# Grepable output (one host per line, easy to parse)
nmap -oG results.gnmap 10.0.0.1
```
Parsing grepable output
```bash
# Find all hosts with port 80 open
grep "80/open" results.gnmap | awk '{print $2}'
# Find all open ports for a specific host
grep "10.0.0.1" results.gnmap
```
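A small parser for the grepable format, added here as an example; it is not from the original page and nmap ships no such script itself. The .gnmap text it works on is constructed for the demo. It answers the same two questions as the grep lines above, but by matching fields instead of substrings, which avoids the false matches those one-liners give: grep "80/open" also matches 8080/open, and grep "10.0.0.1" also matches 10.0.0.10.

```python
# Constructed sample of nmap -oG output (not from a real scan). Each port entry uses nmap's
# grepable layout: port/state/protocol/owner/service/rpc-info/version
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated ... as: nmap -sV -p 22,80,443,8080 -oG results.gnmap 10.0.0.0/29
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//Apache httpd 2.4.41/, 443/closed/tcp//https///, 8080/closed/tcp//http-proxy///
Host: 10.0.0.2 ()\tStatus: Up
Host: 10.0.0.2 ()\tPorts: 22/filtered/tcp//ssh///, 80/closed/tcp//http///, 443/open/tcp//https//nginx 1.18.0/, 8080/open/tcp//http-proxy//Squid 4.13/
Host: 10.0.0.10 ()\tStatus: Up
Host: 10.0.0.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/closed/tcp//http///, 443/closed/tcp//https///, 8080/closed/tcp//http-proxy///
# Nmap done at ... -- 8 IP addresses (3 hosts up) scanned
"""

PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpc", "version")


def parse_gnmap(text):
    """Return {host: [port record, ...]} from grepable output.
    Only 'Ports:' lines carry port data; 'Status:' lines and '#' comments are skipped."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # tab-separated "Key: value" sections, e.g. Host / Ports / Ignored State
        sections = dict(part.split(": ", 1) for part in line.split("\t") if ": " in part)
        host = sections["Host"].split()[0]  # "10.0.0.1 ()" -> "10.0.0.1"
        records = hosts.setdefault(host, [])
        for entry in sections.get("Ports", "").split(", "):
            if not entry:
                continue
            rec = dict(zip(PORT_FIELDS, entry.split("/")))
            rec["port"] = int(rec["port"])
            records.append(rec)
    return hosts


def hosts_with_open_port(hosts, port, proto="tcp"):
    """Field-exact version of: grep "80/open" results.gnmap | awk '{print $2}'"""
    return sorted(
        host for host, records in hosts.items()
        if any(r["port"] == port and r["state"] == "open" and r["proto"] == proto
               for r in records)
    )


def open_ports(hosts, host):
    """Field-exact version of: grep "10.0.0.1" results.gnmap (open ports only)."""
    return [(r["port"], r["service"], r["version"])
            for r in hosts.get(host, []) if r["state"] == "open"]


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    print("hosts with 80/tcp open:", hosts_with_open_port(scan, 80))
    print("open ports on 10.0.0.1:", open_ports(scan, "10.0.0.1"))
```

Run it on a real file with parse_gnmap(open("results.gnmap").read()). Against the sample, the grep one-liner for "80/open" would also report 10.0.0.2 (because of its 8080/open entry), and the grep for "10.0.0.1" would also print the 10.0.0.10 lines; the field-based functions report neither.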
NSE (Nmap Scripting Engine)
nmap includes hundreds of scripts for vulnerability scanning, brute forcing, and information gathering:
```bash
# Run a specific script
nmap --script=http-title 10.0.0.1
# Run all scripts in a category
nmap --script=vuln 10.0.0.1
# List available scripts
ls /usr/share/nmap/scripts/ | grep http
```
Checkpoint: You need to scan a target as quickly as possible during an NCL game. What nmap flags give you the best speed-to-information ratio?
nmap -sS -sV --top-ports 100 -T4 TARGET — SYN scan (-sS) is fast, version detection (-sV) gives the info NCL asks about, --top-ports 100 limits to the most common ports (instead of 1000), and -T4 increases timing aggressiveness. This runs in seconds instead of minutes.
5. Common Ports Reference
Memorize these — NCL frequently asks what service runs on a given port:
| Port | Service | Protocol | Notes |
|---|---|---|---|
| 20/21 | FTP | TCP | File transfer (20=data, 21=control) |
| 22 | SSH | TCP | Encrypted remote shell |
| 23 | Telnet | TCP | Unencrypted remote shell (insecure) |
| 25 | SMTP | TCP | Email sending |
| 53 | DNS | TCP/UDP | Domain name resolution |
| 80 | HTTP | TCP | Web server |
| 110 | POP3 | TCP | Email retrieval |
| 143 | IMAP | TCP | Email retrieval (supports folders) |
| 443 | HTTPS | TCP | Encrypted web |
| 445 | SMB | TCP | Windows file sharing |
| 3306 | MySQL | TCP | Database |
| 3389 | RDP | TCP | Windows remote desktop |
| 5432 | PostgreSQL | TCP | Database |
| 8080 | HTTP-alt | TCP | Alternative web / proxy |
| 8443 | HTTPS-alt | TCP | Alternative encrypted web |
Resources
Practice: TryHackMe — Nmap (search “nmap”) · HackTheBox (real machines to scan)
Reference: Nmap Reference Guide · Port Number Database
Video: NetworkChuck — nmap tutorial · IppSec — HackTheBox enumeration