Module 4 · Lesson 2 · 30 minutes

⚡ nmap in practice — 4 levels of depth

From "a quick glance at open windows" to "a full server portrait". Using analogies, without long tables of flags.

📖 Why you need to know this

In the previous lesson, we understood the idea: a scanner walks around a house and tries every window. Now — how to do it.

Imagine you are an investigator. You have 4 levels of house inspection:

A quick glance from the street — which windows are lit
Careful — what kind of lamp is in each window, what brand
Standard inspection with basic tests — is the gate open, is there a dog
Full portrait — all of the above + find out whose house it is

These are the 4 main ways to use nmap. You don't need to memorize a bunch of flags — you need to understand the 4 levels and when to use each.

🚪 Level 1: "A Quick Glance"

🎯 In a nutshell in 30 seconds

The very first command of any hacker. Run it and in 5-30 seconds find out which windows (ports) are open on the server.

nmap scanme.nmap.org

What you'll see:

PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
9929/tcp  open     nping-echo
31337/tcp open     Elite

That's it. Which windows are open, what's roughly inside them. No details. This is how every server investigation in the world begins.

🔍 Level 2: "What version is the program in the window"

🎯 In a nutshell in 30 seconds

Knowing "window 22 is SSH" is useful. Knowing "window 22 is OpenSSH 6.6 from 2014" is 100 times more valuable.

Old version = high chance that methods for exploiting it have already been published on the internet (this is called CVE — Common Vulnerabilities and Exposures).

nmap -sV scanme.nmap.org

The flag -sV = "Version". Don't memorize it as a formula — remember "s-V adds versions".

PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.6.1p1 Ubuntu  ← version!
80/tcp  open  http    Apache httpd 2.4.7      ← version!

Now Google: "OpenSSH 6.6.1 CVE" → you'll find specific vulnerabilities. This is the main mechanism for exploiting old servers.

🤝 Level 3: "Standard Checks"

🎯 In a nutshell in 30 seconds

nmap has ~600 built-in checks for common issues. You can run a "basic set" with a single command — it will check the most popular ones itself.

nmap -sC scanme.nmap.org

The flag -sC = "Scripts default". What it will check itself:

On a web server — what technologies, if robots.txt exists, headers
On SSH — what encryption versions (are there any weak ones)
On FTP — is passwordless login allowed (anonymous)
On Windows networks (SMB) — which folders are open to everyone

You don't need to memorize every check. Run it and read the output — everything is clearly labeled there.

👑 Level 4: "Full Server Portrait"

🎯 In a nutshell in 30 seconds

One command — everything above + OS + route to the server.

This is the main command for the first 5 minutes of any investigation.

sudo nmap -A scanme.nmap.org

The flag -A = "All / Aggressive". Remember it as "aggressive — that's a full portrait".

What you'll get in one minute:

Which windows are open
What version of the program is in each window
All standard checks (as in -sC)
Server OS (Ubuntu 22, Windows Server 2019, etc.)
How many "hops" across the network to the server

This is enough to immediately understand — "is there anything interesting here to investigate".

📋 Cheat Sheet: Which Level When

What I want	Command	Time
Quickly understand what's open	`nmap target`	~10 sec
Find out service versions	`nmap -sV target`	~30 sec
Run standard checks	`nmap -sC target`	~1 min
Full portrait	`sudo nmap -A target`	~2-5 min

📍 How to scan specific windows

By default, nmap will check the "top-1000" windows. This is sufficient in 99% of cases. But sometimes you want to do it differently:

# Only windows 80 and 443
nmap -p 80,443 target

# ALL 65535 windows (slow, but complete)
nmap -p- target

Memorizing is not mandatory. When you need it — ask Claude or Google it.

🎯 How a real pentester uses nmap

💡 Two-step strategy

Experienced hackers don't do a full scan right away. They do this:

Step 1 — quick reconnaissance: nmap -p- --min-rate 5000 target — which windows are open at all (5 minutes instead of an hour)
Step 2 — full portrait of only the found windows: sudo nmap -A -p 22,80,443 target

Why this way? Because a full portrait of 65,535 windows would take an hour. And the two-step strategy — 10 minutes.

🤔 Simple understanding check test

Which command will simply show "which windows are open"? → nmap target
Which flag adds program versions? → -sV
Which flag creates a "full portrait" with one command? → -A
Why does a hacker need to know the service version? → To look for CVEs — a catalog of known vulnerabilities for that version
Should you immediately run nmap -A on all 65,535 windows? → No, first a quick scan → then detailed on the found ones

🛠 You don't have to do it, but it's interesting

Open Kali and perform 3 scans of scanme.nmap.org. This is legal — the site is specifically for practice.

# 1. Quick glance
nmap scanme.nmap.org

# 2. Versions + standard checks
nmap -sV -sC scanme.nmap.org

# 3. Full portrait
sudo nmap -A scanme.nmap.org

Read the output. What did you learn? What OS? What services? What versions? Take this output and go to the next lesson — there we will learn to analyze what we found.

🤖 Vibe-task: Ask Claude

Open Claude and ask:

I scanned scanme.nmap.org with the command `sudo nmap -A`.
Here is my output:

[insert nmap -A output here]

Explain to me like I'm 10 years old — what am I looking at here?
Which windows are open? What roughly lives inside them?
What is the server's OS? How old are these programs?
Is there anything "juicy" here to investigate?