Preamble

Nmap is the default network reconnaissance tool for authorized labs: host discovery, port scanning, service/version detection, and NSE scripts that automate follow-up checks. This post is not a catalog of every flag—it is the subset I actually use when mapping a VM, container network, or homework topology I am allowed to touch.


Discovery first

Before port scans, I confirm which hosts are up (a ping sweep, or ARP-aware discovery on local segments). Blind -p- (all 65535 ports) sweeps against large ranges with no agreed scope burn time and goodwill.

Host discovery (-sn, a “ping scan” that skips the port phase) answers “who answers on this subnet?”, which is useful after DHCP churn or when your hypervisor assigns a new VM address.

$ nmap -sn 192.168.56.0/24
Nmap scan report for 192.168.56.1
Host is up (0.00031s latency).
Nmap scan report for 192.168.56.101
Host is up (0.00045s latency).
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.10 seconds

You get a target list for the next phase instead of spraying ports at empty addresses.


Scan types you should understand

SYN scans (-sS, requires raw-socket privileges) are the classic half-open pattern: fast, and in some environments quieter than a full TCP connect because the handshake is never completed. Connect scans (-sT) work without raw sockets when you lack those privileges.

$ sudo nmap -sS -p 22,80,443 192.168.56.101
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
$ nmap -sT -p 22,80,443 192.168.56.101
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http

-sT uses the same TCP connect path a normal client does; use it when you cannot run Nmap as root. The STATE column is what you track: open, closed, or filtered (no usable response, often a firewall drop).

Understand what UDP implies: slower, noisier, and harder to read because there is no handshake to confirm anything. It is still necessary when you care about DNS, SNMP, or custom services.

$ sudo nmap -sU -p 53,161 --host-timeout 30s 192.168.56.101
PORT    STATE         SERVICE
53/udp  open|filtered domain
161/udp closed        snmp

open|filtered is typical for UDP: the probe got no reply, so Nmap cannot tell an open service that ignored it from a firewall that dropped it; closed only appears when an ICMP port unreachable comes back. Tighten timeouts and use small port lists so lab scans finish.


Service discovery: versions, scripts, and what you record

Service discovery is the step where open ports become named daemons and often version strings. That is the layer exploit frameworks and patch planning both care about.

-sV probes banners and behavior; -sC runs the default NSE script set (safe-ish defaults, but still read the list). Together they turn “port 80” into “Apache 2.4.x with default page” or “nginx reverse proxy.”

$ sudo nmap -sS -sV -sC -p 22,80 192.168.56.101
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: ...
80/tcp open  http    Apache httpd 2.4.56 ((Debian))
|_http-title: Welcome to lab target

-A bundles OS detection, version detection, default scripts, and traceroute—convenient in dedicated lab VMs, heavy-handed elsewhere. I treat it like -sC -sV plus extras and only when I want that bundle.

Targeted scripts answer specific questions without running the whole default set:

$ nmap -p 80 --script http-title,http-headers 192.168.56.101

NSE scripts range from helpful (http-title) to intrusive or destructive. I read script categories and --script-help before pointing defaults at production-adjacent systems—even in labs, habits form muscle memory.


Handing enumeration to Metasploit

What you want in notes: IP, port, protocol, service name, product/version, and any script findings. That tuple is what you search against in module databases, and it is what justifies choosing an auxiliary scanner over an exploit in a lab.

The follow-on workflow—importing or transcribing Nmap output, starting with auxiliary verification, and only then touching exploits in isolated environments—is spelled out in Metasploit in a Controlled Lab After Nmap. Nmap supplies the service discovery; Metasploit organizes the structured experimentation on top, still only where you are explicitly allowed to do so.
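To get that tuple out of Nmap without transcribing by hand, save the scan with -oX and parse the XML. The parser below is an added example of mine, not code from this post or from Nmap; the XML is a constructed sample mirroring the scans above, and the one caveat it encodes is the service `method` attribute: only "probed" results (from -sV) carry a product/version, while "table" means the name was looked up from the port number and is not evidence.

```python
"""Parse Nmap -oX output into the note tuple: ip, port, proto, service, product/version, script findings."""
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's XML layout, mirroring the scans in this post (not captured output).
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -sC -p 22,80,443 192.168.56.101">
<host><status state="up"/><address addr="192.168.56.101" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
 <service name="ssh" product="OpenSSH" version="8.4p1" extrainfo="protocol 2.0" method="probed"/>
 <script id="ssh-hostkey" output="3072 aa:bb:cc (RSA)"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
 <service name="http" product="Apache httpd" version="2.4.56" method="probed"/>
 <script id="http-title" output="Welcome to lab target"/></port>
<port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/>
 <service name="https" method="table"/></port>
<port protocol="udp" portid="53"><state state="open|filtered" reason="no-response"/>
 <service name="domain" method="table"/></port></ports></host>
<host><status state="down"/><address addr="192.168.56.102" addrtype="ipv4"/></host></nmaprun>"""


def parse_nmap_xml(xml_text, states=("open",)):
    """One dict per port whose state is in `states`, for hosts that are up."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no ports worth recording
        addr = host.find("address[@addrtype='ipv4']")
        ip = addr.get("addr") if addr is not None else "?"
        for port in host.iter("port"):
            state = port.find("state").get("state")
            if state not in states:
                continue
            svc = port.find("service")
            # Only -sV "probed" results carry a real product/version; "table" means the
            # name was looked up from the port number and must not be recorded as fact.
            product = ""
            if svc is not None and svc.get("method") == "probed":
                product = " ".join(v for v in (svc.get("product"), svc.get("version"), svc.get("extrainfo")) if v)
            findings.append({
                "ip": ip, "port": int(port.get("portid")), "proto": port.get("protocol"), "state": state,
                "service": svc.get("name", "") if svc is not None else "", "product": product,
                "scripts": {s.get("id"): s.get("output") for s in port.findall("script")},
            })
    return findings

if __name__ == "__main__":
    # UDP open|filtered is kept but carries its state, so notes never claim it is open.
    for f in parse_nmap_xml(SAMPLE_XML, states=("open", "open|filtered")):
        print(f"{f['ip']}:{f['port']}/{f['proto']} {f['state']} {f['service']} {f['product']} {f['scripts']}")
```

Pass a real file with `parse_nmap_xml(open("scan.xml").read())`; widen `states` only when you want filtered and open|filtered rows tracked alongside confirmed open ports.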


Mapping to your own stacks

When you deploy Java or Python services in Docker, correlate open ports with compose files and health checks. “Connection refused” mysteries often end at iptables, published ports, or binding to localhost inside a container.


Conclusion

Network visibility complements application logs and OpenTelemetry Traces Across Python and Java. Service-level Nmap output feeds defensive inventory (what is actually listening?) and, in authorized labs, the enumeration handoff in Metasploit in a Controlled Lab After Nmap—always in isolated environments with clear scope.