After reconnaissance, scanning and enumeration move from passive information gathering to actively probing the target's systems. This phase identifies live hosts, open ports, running services, and potential vulnerabilities — forming the foundation for exploitation.
Authorisation required: Scanning systems you do not own or have permission to test is illegal. Always confirm your scope before scanning.
Nmap (Network Mapper) is the industry-standard tool for network discovery and security auditing.
```bash
# TCP SYN scan (default, stealthy, requires root)
sudo nmap -sS 192.168.1.0/24

# TCP connect scan (no root required, less stealthy)
nmap -sT 192.168.1.100

# UDP scan (slower, but finds DNS, SNMP, DHCP)
sudo nmap -sU 192.168.1.100

# Ping sweep — find live hosts
nmap -sn 192.168.1.0/24

# Version detection on common ports
nmap -sV 192.168.1.100

# Aggressive scan (OS detection, version, scripts, traceroute)
nmap -A 192.168.1.100

# Scan specific ports
nmap -p 80,443,8080,8443 192.168.1.100

# Scan all 65535 ports
nmap -p- 192.168.1.100

# Top 1000 ports with service detection and default scripts
nmap -sC -sV 192.168.1.100
```
| Flag | Scan Type | Description | Stealth |
|---|---|---|---|
| -sS | SYN scan | Sends SYN, analyses response, never completes handshake | High |
| -sT | TCP connect | Full TCP handshake | Low |
| -sU | UDP scan | Sends UDP packets, waits for ICMP unreachable | Medium |
| -sA | ACK scan | Maps firewall rules (filtered vs unfiltered) | Medium |
| -sN | NULL scan | No flags set — evades some firewalls | High |
| -sF | FIN scan | FIN flag only — evades some firewalls | High |
| -sX | Xmas scan | FIN, PSH, URG flags — unusual, may evade IDS | High |
```bash
# Run default scripts
nmap -sC 192.168.1.100

# Run a specific script
nmap --script=http-title 192.168.1.100

# Run vulnerability detection scripts
nmap --script=vuln 192.168.1.100

# Run multiple script categories
nmap --script="safe and discovery" 192.168.1.100

# Search for available scripts
ls /usr/share/nmap/scripts/ | grep -i smb
```
```bash
# Normal output to file
nmap -oN scan_results.txt 192.168.1.100

# XML output (for importing into other tools)
nmap -oX scan_results.xml 192.168.1.100

# Grepable output
nmap -oG scan_results.gnmap 192.168.1.100

# All formats at once
nmap -oA scan_results 192.168.1.100
```
Vulnerability scanners go beyond port scanning to identify known security flaws.
Nessus workflow:

1. Define scan target (IPs/ranges)
2. Select scan template
   - Basic Network Scan
   - Web Application Tests
   - Advanced Scan (custom plugins)
3. Configure credentials (for deeper checks)
4. Launch scan
5. Review findings by severity
   - Critical / High / Medium / Low / Info
6. Export report
```bash
# Start OpenVAS (Greenbone Vulnerability Manager)
sudo gvm-start

# Access web interface at https://localhost:9392
# Default creds: admin / <generated during setup>
```