Get AI summaries of any video or article — Sign up free
Nmap Tutorial to find Network Vulnerabilities thumbnail

Nmap Tutorial to find Network Vulnerabilities

NetworkChuck·
5 min read

Based on NetworkChuck's video on YouTube. If you like this content, support the original creators by watching, liking and subscribing to their content.

TL;DR

Use Nmap subnet discovery (e.g., “-sP” against a CIDR range) to quickly list live hosts instead of pinging each IP manually.

Briefing

Nmap turns network reconnaissance into a fast, repeatable workflow: a single scan can identify which hosts are alive, which ports are open, what services those ports likely correspond to, and even what operating system a target runs—information that directly drives vulnerability research and exploitation. Instead of manually pinging devices one by one, Nmap automates discovery across an entire subnet, then moves from “is it up?” to “what’s exposed?” in minutes.

The tutorial starts with the practical problem of scaling. A typical home network like 10.7.1.0/24 can contain up to 254 potential endpoints, making blanket pinging impractical. With Nmap, a command using a ping-scan option (the transcript shows “-sP” against the subnet) returns a list of live hosts—15 hosts up in the example—so the next steps focus only on reachable targets.

From there, the workflow shifts to port scanning, framed around a common attacker goal: finding web servers. The guide uses a TCP connect scan targeting ports 80 and 443 across the subnet (shown with “-sT” and “-p 80,443”). Results are presented per host: some addresses show those ports closed, while others show them open, quickly narrowing the candidate set for web-facing systems. The tutorial emphasizes that open ports are only the starting point, but they’re the fastest way to map the attack surface.

A key technical section explains why Nmap can infer port status so reliably: TCP’s three-way handshake. In a full TCP connect scan, Nmap sends a SYN packet to a port, receives a SYN-ACK if the service is listening, then completes the handshake with an ACK. That completed connection is what the “-sT” scan relies on, and the transcript notes it can be intrusive enough to trigger defenses like intrusion detection systems.

To reduce visibility, the tutorial contrasts the full connect scan with a stealthy “half-open” approach using “-sS” (SYN scan). Instead of completing the handshake, Nmap sends SYN and waits for a SYN-ACK; then it avoids finishing the connection, aiming to prevent firewalls and monitoring systems from seeing a full session. Wireshark packet captures are used to demonstrate the difference: the connect scan shows the full ACK and then a reset/termination, while the stealth scan shows the early exchange and then an abrupt stop.

Beyond discovery, Nmap’s value expands through higher-level enumeration. The guide demonstrates OS detection with “-O” and a combined scan with “-A,” which layers OS detection, version detection, script scanning, and traceroute. Examples include identifying a Linux target’s OS and services, and a Windows Server 2012 R2 domain controller with many open ports and detailed findings such as SSH host keys, Apache on port 80, SMB/file-sharing information, SSL certificate details, and routing paths.

The tutorial also adds operational tactics: using decoys (“-D”) to obfuscate the true source of scanning traffic, and leveraging Nmap’s scripting engine (NSE) to automate vulnerability checks. Running vulnerability scripts against a deliberately vulnerable target (“VulnHub” and a “Kioptrix” box) uses CVE-based logic to flag known weaknesses that could be exploited. The takeaway is clear: Nmap isn’t just a scanner—it’s an end-to-end reconnaissance and enumeration toolkit that turns network mapping into actionable vulnerability intelligence.

Cornell Notes

Nmap automates network reconnaissance by identifying live hosts, mapping open ports, and gathering deeper target intelligence like operating system fingerprints and service versions. The tutorial contrasts a full TCP connect scan (“-sT”), which completes the TCP three-way handshake, with a stealth SYN scan (“-sS”), which avoids finishing the connection to reduce detection. Packet captures in Wireshark illustrate the handshake differences and the resulting traffic patterns. It then demonstrates advanced enumeration using “-O” for OS detection and “-A” for a combined scan that can include version detection, scripting, and traceroute. Finally, Nmap’s scripting engine (NSE) can run vulnerability-focused scripts that check for known CVEs, turning discovery into vulnerability assessment.

How does Nmap replace manual pinging when you need to find live hosts across a subnet?

Instead of pinging each IP individually, Nmap uses a subnet discovery scan (shown with “-sP” against 10.7.1.0/24). In the example, that single command returns a list of live hosts (15 hosts up), so follow-on scanning targets only reachable systems.

Why do open ports matter for hacking workflows?

Open ports reveal exposed services and the likely entry points. The tutorial uses ports 80 and 443 as a concrete example: if those ports are open on a host, the system may be running a web service accessible over HTTP/HTTPS, which narrows the candidate targets for web exploitation.

What is the TCP three-way handshake, and how does Nmap use it to determine whether a port is open?

TCP establishes a connection using SYN → SYN-ACK → ACK. In a full connect scan (“-sT”), Nmap completes this handshake: it sends SYN to the target port, receives SYN-ACK if the service is listening, then sends ACK to finish the connection. That completed exchange is how Nmap confirms open ports.

How does the stealth SYN scan (“-sS”) differ from “-sT,” and why is that useful?

The stealth scan sends SYN and expects SYN-ACK, but it does not complete the full handshake. By avoiding the final ACK/connection establishment, it aims to reduce how much the scan looks like a full session to intrusion detection systems and firewalls. Wireshark captures in the tutorial show the connect scan producing a full handshake and termination, while the stealth scan stops after the early exchange.

What does Nmap gain by using “-O” and “-A” beyond basic port scanning?

“-O” enables OS detection, using fingerprinting to guess the target operating system. “-A” is a combined, more aggressive enumeration option that layers OS detection with additional checks such as version detection, script scanning, and traceroute. The transcript’s examples include identifying Linux and Windows Server 2012 R2 targets and collecting service and certificate details.

How does Nmap’s scripting engine turn scanning into vulnerability assessment?

Nmap’s NSE can run scripts in categories like “vuln.” The tutorial demonstrates using the scripts switch (shown as “--script” with “vuln”) to run vulnerability checks that compare findings against CVEs (Common Vulnerabilities and Exposures). Against a vulnerable target from VulnHub (Kioptrix), the scripts enumerate weaknesses that could be exploited.

Review Questions

  1. When would a full TCP connect scan (“-sT”) be more appropriate than a stealth SYN scan (“-sS”), based on how each interacts with the TCP handshake?
  2. What additional intelligence does “-A” provide compared with a basic port scan, and why does that matter for enumeration?
  3. How do NSE vulnerability scripts use CVE-style information to move from open ports to actionable vulnerability leads?

Key Points

  1. 1

    Use Nmap subnet discovery (e.g., “-sP” against a CIDR range) to quickly list live hosts instead of pinging each IP manually.

  2. 2

    Follow host discovery with targeted TCP port scans (e.g., “-sT” on ports 80 and 443) to map the attack surface efficiently.

  3. 3

    Understand TCP three-way handshake behavior: “-sT” completes SYN → SYN-ACK → ACK, while “-sS” avoids finishing the connection after SYN-ACK.

  4. 4

    Use Wireshark to validate how different Nmap scan types generate different traffic patterns and session behavior.

  5. 5

    Leverage “-O” for OS detection and “-A” for combined enumeration (OS detection, version detection, scripting, traceroute) to move beyond port lists.

  6. 6

    Apply operational tactics like decoys (“-D”) when scanning to obfuscate the true source of traffic.

  7. 7

    Run NSE vulnerability scripts (e.g., “--script vuln”) to check for known CVEs and convert reconnaissance into vulnerability assessment.

Highlights

A single Nmap subnet scan can replace hundreds of individual pings by returning a live-host list (15 up in the example).
The tutorial’s core technical distinction is handshake completion: “-sT” finishes the TCP connection, while “-sS” stops after the SYN-ACK to reduce detection.
Combined enumeration with “-A” can pull together OS guesses, service/version details, SSL certificate metadata, SMB information, and traceroute in one run.
NSE vulnerability scripts automate CVE-based checks, turning “ports open” into “known weaknesses present” on targets like Kioptrix from VulnHub.

Topics

  • Nmap Basics
  • Network Discovery
  • TCP Scanning
  • OS Detection
  • Nmap Scripting Engine

Mentioned

  • Nmap
  • IT
  • IDs
  • TCP
  • Wireshark
  • OS
  • NSE
  • CVEs
  • SMB
  • SSL
  • HTTP
  • HTTPS
  • CEH
  • CIDR

Get summaries like this for any content

Videos, articles, research papers — all summarized by AI and searchable in one place.

Start building your library