Scanning and enumeration build on reconnaissance by actively probing the target to discover open ports, running services, operating systems, and potential vulnerabilities. This phase transforms the information gathered during recon into actionable intelligence for exploitation.
Every networked service listens on a port (0–65535). Port scanning identifies which ports are open and what services are running:
| Port | Protocol | Service |
|---|---|---|
| 21 | TCP | FTP (File Transfer Protocol) |
| 22 | TCP | SSH (Secure Shell) |
| 23 | TCP | Telnet |
| 25 | TCP | SMTP (Email) |
| 53 | TCP/UDP | DNS |
| 80 | TCP | HTTP |
| 110 | TCP | POP3 (Email) |
| 139/445 | TCP | SMB (File Sharing) |
| 443 | TCP | HTTPS |
| 3306 | TCP | MySQL |
| 3389 | TCP | RDP (Remote Desktop) |
| 5432 | TCP | PostgreSQL |
| 8080 | TCP | HTTP Proxy / Alternative HTTP |
Nmap (Network Mapper) is the most widely used port scanner in penetration testing:
```bash
# Scan the most common 1000 ports
nmap 192.168.1.100
# Scan specific ports
nmap -p 22,80,443 192.168.1.100
# Scan all 65535 ports
nmap -p- 192.168.1.100
# Scan a range of hosts
nmap 192.168.1.1-254
# Scan a subnet
nmap 192.168.1.0/24
```
| Flag | Scan Type | Description |
|---|---|---|
| -sS | SYN scan (stealth) | Sends SYN, analyses response, does not complete handshake |
| -sT | TCP connect | Completes full TCP handshake (more detectable) |
| -sU | UDP scan | Scans UDP ports (slower, often overlooked) |
| -sV | Version detection | Identifies service versions |
| -sC | Script scan | Runs default Nmap scripts |
| -O | OS detection | Identifies the operating system |
| -A | Aggressive | Combines OS detection, version detection, default scripts and traceroute |
```bash
# Stealth SYN scan with version detection
nmap -sS -sV 192.168.1.100
# Full scan with OS detection and scripts
nmap -A -p- 192.168.1.100
# Scan for specific vulnerabilities using NSE scripts
nmap --script vuln 192.168.1.100
# Output results to multiple formats
nmap -sV -oA scan_results 192.168.1.100
```
| Flag | Format | Use Case |
|---|---|---|
| -oN | Normal | Human-readable text |
| -oX | XML | Import into tools like Metasploit |
| -oG | Grepable | Easy to parse with grep/awk |
| -oA | All formats | Saves normal, XML, and grepable simultaneously |
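The grepable (`-oG`) format is the one you reach for when scan results need to feed a script rather than a human. The example below is added here and is not part of the lesson: it parses a constructed `-oG` sample (the `Ports:` entries follow Nmap's `port/state/proto/owner/service/rpcinfo/version/` layout) and then compares each host's open ports against an allowlist, the way a defender would verify that only the services they expect are exposed.

```python
from collections import defaultdict

# Constructed sample of `nmap -sV -oG` output (not a real scan); fields are tab-separated.
SAMPLE_GNMAP = (
    "# Nmap scan initiated as: nmap -sV -oG scan_results.gnmap 192.168.1.0/24\n"
    "Host: 192.168.1.100 ()\tStatus: Up\n"
    "Host: 192.168.1.100 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//nginx 1.18.0/, 3306/filtered/tcp//mysql///"
    "\tIgnored State: closed (997)\n"
    "Host: 192.168.1.101 ()\tPorts: 23/open/tcp//telnet//Linux telnetd/, "
    "445/open/tcp//microsoft-ds//Samba smbd 4.6.2/\tIgnored State: closed (998)\n"
    "# Nmap done -- 2 IP addresses (2 hosts up) scanned\n"
)


def parse_gnmap(text):
    """Return {host: [(port, proto, state, service, version), ...]} from -oG output.

    Each port entry is port/state/proto/owner/service/rpcinfo/version/.  Nmap writes
    '|' in place of '/' inside version strings, so splitting on '/' is safe.
    """
    results = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment / summary lines
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]  # drop the "(hostname)" part
        for entry in fields.get("Ports", "").split(", "):
            if not entry:
                continue  # "Status: Up" lines carry no Ports field
            port, state, proto, _owner, service, _rpc, version, *_ = entry.split("/")
            results[host].append((int(port), proto, state, service, version.replace("|", "/")))
    return dict(results)


def open_ports(results, host):
    """Sorted list of ports reported as open for one host."""
    return sorted(p for p, _, state, _, _ in results.get(host, []) if state == "open")


def flag_exposures(results, allowed):
    """(host, port, service) for every open port not on that host's allowlist.

    `allowed` maps host -> set of permitted ports; hosts absent from it permit nothing.
    """
    findings = []
    for host, entries in results.items():
        for port, _proto, state, service, _version in entries:
            if state == "open" and port not in allowed.get(host, set()):
                findings.append((host, port, service))
    return findings


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for finding in flag_exposures(scan, {"192.168.1.100": {22, 80}}):
        print("unexpected exposure:", finding)
```

Running it flags the Telnet and SMB listeners on 192.168.1.101, which the allowlist does not cover; filtered ports are parsed but never reported as exposures.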