Exam objective: 2.1 Network reconnaissance, protocol scanning (TCP/UDP); 2.4 Tools.
In this lab you will use Nmap to discover hosts, identify open TCP and UDP ports, and detect services and operating systems. We'll target a local Docker container so you can run intrusive scans safely.
sudo apt install -y docker.io
sudo docker run --rm -d --name target -p 2222:22 -p 8080:80 -p 8443:443 \
vulhub/openssh:5.3p1
# Or any image that exposes a few ports; metasploitable2 is heavier but classic:
# sudo docker run --rm -d --name target -p 0.0.0.0:0:0 tleemcjr/metasploitable2Find the target IP (loopback on Killercoda):
TARGET=127.0.0.1sudo nmap -sn 192.168.1.0/24 # adapt to your local LAN, or skip for Docker-sn ("no port scan") sends ICMP, ARP, TCP SYN to 443 and TCP ACK to 80 to find live hosts.
sudo nmap -sS -p- --min-rate 1000 -T4 $TARGET-sShalf-open SYN scan, requires root.-p-all 65535 ports.--min-rate 1000push pps for speed.-T4aggressive timing.
Stealth variants: -sN Null scan, -sF FIN scan, -sX Xmas scan (rarely used; many modern stacks ignore them).
sudo nmap -sU --top-ports 50 $TARGETUDP is slow (no handshake, must wait for ICMP unreachable). Limit to top-N.
sudo nmap -sV -sC -p 22,80,443,2222,8080,8443 $TARGET -oA target-scan-sVprobe service banners.-sCrun default NSE scripts (HTTP title, SSH algos, etc.).-oAsave in all three formats (target-scan.nmap,.xml,.gnmap).
sudo nmap -O $TARGETNmap looks at TCP/IP stack quirks (TTL, window size, ISN sampling) and guesses the OS family.
xsltproc target-scan.xml -o target-scan.htmlOpen target-scan.html in Firefox — that's your appendix artefact for the report.
For tabular consumption:
grep -E "^[0-9]+/" target-scan.nmap| Scan | Flag | Sends | Use case |
|---|---|---|---|
| Connect | -sT |
Full TCP handshake | No root |
| SYN | -sS |
SYN, RST after SYN/ACK | Default stealth |
| ACK | -sA |
ACK | Firewall ruleset mapping |
| FIN/NULL/Xmas | -sF/-sN/-sX |
Crafted flags | Evade simple filters |
| UDP | -sU |
UDP probes | DNS, SNMP, NTP, NetBIOS |
| Ping | -sn |
ICMP/ARP/SYN-443 | Live-host sweep |
- The difference between SYN, Connect, ACK, FIN, UDP and Null/Xmas scans.
- How to combine version detection, default scripts and OS fingerprinting in one run.
- How to export scans to XML/HTML for the report appendix.