
VIP Lab: Nmap Recon From Zero to Vulnerability Report

A premium hands-on Nmap lab using a fictional target, realistic terminal output, port discovery, service fingerprinting, safe vulnerability analysis, and a finished report template.

Eng. Hussein Ali Al-Assaad. Published May 15, 2026. 14 min read.

Key takeaways

  • A professional Nmap workflow starts with scope, authorization, target validation, and careful scan intensity.
  • The best scans move in stages: host discovery, port discovery, service detection, default scripts, targeted NSE checks, and reporting.
  • Nmap findings are not automatically vulnerabilities; they must be validated against service versions, exposure, configuration, and business context.
  • A premium lab should end with a clean report: evidence, risk, impact, recommendation, and retest steps.

This premium lab teaches a complete Nmap reconnaissance workflow from the first target check to a finished vulnerability assessment note.

The scenario is fictional. The IP addresses, hostnames, banners, and terminal output are simulated for training. Use this workflow only inside your own lab, your employer's approved environment, or a system where you have written permission to test.

The goal is not to throw random scan flags at a target. The goal is to think like a professional assessor: define scope, discover exposure, identify services, separate evidence from assumptions, rate risk, and write findings a defender can act on.

Lab scenario

You are testing one internal training server for a small company called Northstar Clinic. The security team believes the server was built quickly for a patient document portal proof of concept.

The approved target is:

text
Target name: northstar-lab-web01
Target IP: 10.10.56.24
Network: 10.10.56.0/24
Scope: 10.10.56.24 only
Rules: Discovery and vulnerability assessment only. No exploitation. No password attacks. No denial-of-service tests.

Your deliverable is a short report answering:

  1. Is the host online?
  2. Which TCP ports are exposed?
  3. Which services and versions are visible?
  4. Which findings look risky?
  5. What should the owner fix first?

Tools

This lab uses:

  • Nmap
  • a terminal
  • a notes file
  • optional browser access for checking service pages inside the lab

Use the latest stable Nmap available in your lab environment. Exact output can vary by version, operating system, network route, and target configuration.

Professional workflow

A clean Nmap assessment follows a ladder:

  1. Confirm scope.
  2. Check whether the host responds.
  3. Find open ports.
  4. Fingerprint services.
  5. Run safe default scripts.
  6. Run targeted vulnerability scripts only where appropriate.
  7. Interpret the evidence.
  8. Prioritize risk.
  9. Write remediation steps.
  10. Retest after fixes.

Do not start with the loudest scan. Good scanning is controlled.

Step 1: Create a case folder

Create a folder so raw evidence does not get mixed with screenshots, notes, and reports.

bash
mkdir -p northstar-nmap-lab/scans
cd northstar-nmap-lab

Create a small notes file:

text
Assessment: Northstar Clinic internal lab
Date: 2026-05-15
Target: 10.10.56.24
Tester: Cyberaro VIP Lab Student
Permission: Training lab only
Restrictions: No exploitation, no brute force, no DoS

Step 2: Confirm the host is reachable

Start with simple host discovery.

bash
nmap -sn 10.10.56.24 -oN scans/01-host-discovery.txt

Simulated terminal output:

text
Starting Nmap 7.95 ( https://nmap.org ) at 2026-05-15 10:12 +03
Nmap scan report for 10.10.56.24
Host is up (0.0024s latency).
MAC Address: 08:00:27:5A:19:B2 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds

What this tells us:

  • The target is online.
  • Latency is low, which matches an internal lab.
  • The MAC line appears because the scanner sits on the same Layer 2 segment, where a privileged -sn uses ARP requests instead of ICMP and TCP probes; across a router you would not see it. The vendor string suggests a virtual machine.

This is not a vulnerability. It is context.

Step 3: Fast TCP port discovery

Now scan the most common TCP ports with a SYN scan. On Linux, -sS needs raw-socket privileges (root or an equivalent capability). If you request -sS without them, Nmap quits with a privileges error rather than falling back. If you omit -sS as an unprivileged user, Nmap defaults to a TCP connect scan (-sT), which completes the three-way handshake and is therefore more visible in the target's service logs.

bash
nmap -sS --top-ports 1000 10.10.56.24 -oN scans/02-top-ports.txt

Simulated terminal output:

text
Starting Nmap 7.95 ( https://nmap.org ) at 2026-05-15 10:14 +03
Nmap scan report for 10.10.56.24
Host is up (0.0021s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3306/tcp open  mysql
8080/tcp open  http-proxy
MAC Address: 08:00:27:5A:19:B2 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.84 seconds

Initial exposure:

Port Service guess First impression
22 SSH Administrative access surface
80 HTTP Public web app or default site
139 NetBIOS Windows/Samba file sharing surface
445 SMB File sharing surface, often high value
3306 MySQL Database exposed to network
8080 HTTP proxy/app Secondary web app, admin panel, or dev service

The important finding at this stage is not "six ports are open." The important question is whether each port should be reachable from this network.

Step 4: Full TCP sweep

The top-ports scan can miss services on unusual ports. Run a full TCP sweep (-p- covers all 65535 ports) and save every output format with -oA, which writes .nmap, .gnmap, and .xml files. A rate of --min-rate 3000 is fine on a quiet lab link; on congested or rate-limited networks it can drop probes and turn open ports into false closed or filtered results, so lower it or confirm surprising results with a second, slower pass.

bash
nmap -sS -p- --min-rate 3000 10.10.56.24 -oA scans/03-full-tcp

Simulated terminal output:

text
Starting Nmap 7.95 ( https://nmap.org ) at 2026-05-15 10:16 +03
Nmap scan report for 10.10.56.24
Host is up (0.0022s latency).
Not shown: 65528 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3306/tcp  open  mysql
8080/tcp  open  http-proxy
10000/tcp open  snet-sensor-mgmt

Nmap done: 1 IP address (1 host up) scanned in 18.42 seconds

The full sweep discovered port 10000. That is why full sweeps matter.

Port 10000 is commonly Webmin, but without -sV the SERVICE column is only a lookup of the port number in Nmap's nmap-services table (snet-sensor-mgmt here), not a fingerprint of what is actually listening. We need version detection before we make a claim.
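The next step fingerprints only the ports the full sweep found. Rather than retyping the port list, you can pull it out of the greppable file that -oA wrote in Step 4 (scans/03-full-tcp.gnmap) and build the service-detection command from it. The script below is an added example for this lab, not part of the original page; the function names and the constructed sample .gnmap file are this example's own, and the sample mirrors the simulated sweep so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original lab): extract the open TCP ports from
# the greppable output of the full sweep and build the targeted -sV command.
# Function names and the constructed sample file are this example's own.

# Print the open TCP ports from a .gnmap file as a sorted, comma-separated list.
# gnmap packs ports as "22/open/tcp//ssh///, 80/open/tcp//http///, ..." on the
# "Ports:" line; ports in the ignored state (closed, in Step 4) are not listed,
# and open|filtered is deliberately not matched, only confirmed open.
nmap_open_ports() {
  grep '^Host:.*Ports:' "$1" \
    | tr ',' '\n' \
    | sed -n 's#.*[[:space:]]\([0-9][0-9]*\)/open/tcp.*#\1#p' \
    | sort -n -u \
    | paste -sd, -
}

# Build the Step 5 command for exactly those ports.
# $1 target, $2 .gnmap from the full sweep, $3 -oA basename for this step
service_scan_cmd() {
  ports=$(nmap_open_ports "$2")
  [ -n "$ports" ] || { echo "no open tcp ports found in $2" >&2; return 1; }
  printf 'nmap -sV -sC -O -p %s %s -oA %s\n' "$ports" "$1" "$3"
}

# Constructed sample matching the lab's simulated full sweep, so this runs
# without a live target. Against the real file, pass scans/03-full-tcp.gnmap.
SAMPLE_GNMAP=$(mktemp)
trap 'rm -f "$SAMPLE_GNMAP"' EXIT
printf 'Host: 10.10.56.24 ()\tStatus: Up\n' > "$SAMPLE_GNMAP"
printf 'Host: 10.10.56.24 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3306/open/tcp//mysql///, 8080/open/tcp//http-proxy///, 10000/open/tcp//snet-sensor-mgmt///\tIgnored State: closed (65528)\n' >> "$SAMPLE_GNMAP"

service_scan_cmd 10.10.56.24 "$SAMPLE_GNMAP" scans/04-service-detection
# To execute it against the real sweep output:
#   sh -c "$(service_scan_cmd 10.10.56.24 scans/03-full-tcp.gnmap scans/04-service-detection)"
```

The function refuses to build a command when no open port was found, so an empty or mis-parsed sweep file fails loudly instead of silently producing a scan of nothing.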

Step 5: Service and version detection

Now fingerprint only the ports we found: -sV for version probes, -sC for the default script set, and -O for OS fingerprinting (which, like -sS, needs raw-socket privileges). This is more efficient and easier to read than throwing heavy probes at every port.

bash
nmap -sV -sC -O -p 22,80,139,445,3306,8080,10000 10.10.56.24 -oA scans/04-service-detection

Simulated terminal output:

text
Starting Nmap 7.95 ( https://nmap.org ) at 2026-05-15 10:20 +03
Nmap scan report for 10.10.56.24
Host is up (0.0025s latency).

PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 34:9c:4b:7a:11:90:8e:21:cc:55:63:9a:f1:e7:90:44 (RSA)
|   256 a8:8d:7c:3f:18:f0:31:62:c6:24:11:45:ac:03:a1:11 (ECDSA)
|_  256 27:67:84:d9:f2:55:b5:a2:44:20:6d:29:77:bd:14:c0 (ED25519)
80/tcp    open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Northstar Clinic Document Portal
|_http-server-header: Apache/2.4.18 (Ubuntu)
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: NORTHSTAR)
445/tcp   open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: NORTHSTAR)
3306/tcp  open  mysql       MySQL 5.7.33-0ubuntu0.16.04.1
| mysql-info:
|   Protocol: 10
|   Version: 5.7.33-0ubuntu0.16.04.1
|   Thread ID: 14
|   Capabilities flags: 63487
|   Some Capabilities: SupportsTransactions, LongPassword, Speaks41ProtocolNew, SupportsLoadDataLocal
|_  Salt: Jk82x...training...F1
8080/tcp  open  http        Jetty 9.2.z-SNAPSHOT
|_http-title: Build Server - Login
|_http-server-header: Jetty(9.2.z-SNAPSHOT)
10000/tcp open  http        MiniServ 1.890 (Webmin httpd)
|_http-title: Login to Webmin
|_http-server-header: MiniServ/1.890
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: NORTHSTAR-WEB01; OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.19 seconds

Now we have evidence, not just guesses.

Important observations:

  • Ubuntu 16.04-era packages appear in multiple banners.
  • Apache 2.4.18, OpenSSH 7.2p2, Samba 4.3.11, and older Webmin are visible.
  • MySQL is reachable directly over the network.
  • A build server login page is exposed on 8080.
  • Webmin is exposed on 10000.

At this point, the target looks like an old internal server with too many administrative surfaces open.

Step 6: HTTP enumeration

Run HTTP-focused default checks against the web ports.

bash
nmap -sV --script http-title,http-headers,http-server-header,http-methods -p 80,8080,10000 10.10.56.24 -oN scans/05-http-enum.txt

Simulated terminal output:

text
PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-title: Northstar Clinic Document Portal
| http-server-header: Apache/2.4.18 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-headers:
|   Server: Apache/2.4.18 (Ubuntu)
|   X-Powered-By: PHP/7.0.33
|_  Set-Cookie: PHPSESSID=training; path=/

8080/tcp  open  http    Jetty 9.2.z-SNAPSHOT
| http-title: Build Server - Login
| http-server-header: Jetty(9.2.z-SNAPSHOT)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS

10000/tcp open  http    MiniServ 1.890
| http-title: Login to Webmin
| http-server-header: MiniServ/1.890
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS

HTTP findings:

  • The main portal leaks Apache and PHP version information.
  • The build server interface is exposed to the same network.
  • Webmin is exposed and identifies its version.
  • OPTIONS is enabled, but by itself that is usually informational unless risky methods such as PUT, DELETE, or TRACE are enabled.

Good reporting language:

The server exposes multiple web administration and application interfaces. Version banners suggest outdated components and increase attacker ability to target known weaknesses.

Avoid weak reporting language:

OPTIONS is open, therefore hacked.

Step 7: SMB enumeration

SMB is often sensitive because it can expose shares, host details, signing posture, and authentication behavior.

bash
nmap --script smb-protocols,smb-security-mode,smb-os-discovery,smb2-security-mode -p 139,445 10.10.56.24 -oN scans/06-smb-enum.txt

Simulated terminal output:

text
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-os-discovery:
|   OS: Unix (Samba 4.3.11-Ubuntu)
|   Computer name: northstar-web01
|   NetBIOS computer name: NORTHSTAR-WEB01
|   Workgroup: NORTHSTAR\x00
|   FQDN: northstar-web01
|_  System time: 2026-05-15T10:26:31+03:00
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2.02
|     2.10
|     3.00
|_    3.02
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required

SMB risk indicators:

  • SMBv1 appears enabled.
  • SMB signing is not required.
  • Host and workgroup information are exposed.
  • Samba version is old.

This does not prove compromise. It proves the service is risky and should be hardened.

Step 8: MySQL exposure check

Run the MySQL discovery scripts. mysql-info only reads the server greeting. mysql-empty-password goes one step further: it attempts a login as root (and as the anonymous account) with an empty password. That is a single authentication attempt rather than a password attack, but it is still a login that will appear in the database's logs, so confirm it is within your rules of engagement before using it. The real script prints output only when it finds an account without a password; the simulated output below spells out the negative result so the check is visible in the evidence.

bash
nmap -sV --script mysql-info,mysql-empty-password -p 3306 10.10.56.24 -oN scans/07-mysql-enum.txt

Simulated terminal output:

text
PORT     STATE SERVICE VERSION
3306/tcp open  mysql   MySQL 5.7.33-0ubuntu0.16.04.1
| mysql-info:
|   Protocol: 10
|   Version: 5.7.33-0ubuntu0.16.04.1
|   Thread ID: 19
|   Capabilities flags: 63487
|   Some Capabilities: Speaks41ProtocolNew, SupportsTransactions, SupportsCompression
|_  Auth Plugin Name: mysql_native_password
| mysql-empty-password:
|_  root account has empty password: false

Good news:

  • The root account did not accept an empty password in this simulated check.

Bad news:

  • MySQL is reachable over the network.
  • The version banner is exposed.
  • The service may contain sensitive data.

Recommended posture: databases should usually bind to localhost or be restricted to specific application hosts and admin networks.

Step 9: Targeted vulnerability scripts

Nmap has NSE vulnerability scripts, but they should be used carefully. The vuln category is not uniformly safe: several of its members are also tagged intrusive (http-enum requests a long list of common paths, and the http-vuln-* checks send crafted requests), at least one is tagged dos (smb-vuln-ms10-054 can crash an unpatched host), and vulners sends the detected version strings to the vulners.com API over the internet, which some engagements forbid. Run nmap --script-help "vuln and not dos" to list exactly what an expression will execute before you use it.

In this lab the rules exclude denial-of-service tests, so exclude the dos category explicitly and run the rest against the known ports:

bash
nmap -sV --script "vuln and not dos" -p 22,80,139,445,3306,8080,10000 10.10.56.24 -oN scans/08-targeted-vuln.txt

Simulated terminal output excerpt:

text
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10
|_vulners: Some checks require external databases; validate manually.

80/tcp    open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-enum:
|   /login.php: Login page
|   /uploads/: Directory may allow listing
|_  /backup/: Backup directory found
| http-vuln-cve2017-5638:
|_  ERROR: Script execution failed. Validate manually; no finding recorded.

445/tcp   open  netbios-ssn Samba smbd 4.3.11-Ubuntu
| smb-vuln-ms17-010:
|_  This system is patched or not vulnerable.

8080/tcp  open  http    Jetty 9.2.z-SNAPSHOT
| http-enum:
|_  /jenkins/: Jenkins login page

10000/tcp open  http    MiniServ 1.890
| http-vuln-cve2006-3392:
|_  Webmin version appears old; script did not confirm vulnerability.

Important lesson: NSE output is evidence to investigate, not automatic truth.

In the excerpt:

  • A backup directory is interesting and should be checked in the lab browser.
  • Jenkins exposure is important even without credentials.
  • Webmin appears old, but the script did not confirm a specific vulnerability.
  • A failed script is not a vulnerability.
  • MS17-010 was not found, which should also be reported as a negative check if the client asked for it.

Step 10: Manual evidence review

After automated scans, review each service with human judgment.

SSH on port 22

Evidence:

text
OpenSSH 7.2p2 Ubuntu 4ubuntu2.10

Assessment:

  • Old OpenSSH banner.
  • Administrative service exposed.
  • Risk depends on access controls, MFA, password policy, and allowed users.

Recommendation:

  • Restrict SSH to the admin VPN or management subnet (firewall rules, plus AllowUsers or AllowGroups in sshd_config).
  • Disable password login (PasswordAuthentication no) once keys are deployed and tested.
  • Remove unused accounts.
  • Update the host OS; OpenSSH 7.2p2 is the Ubuntu 16.04 package, and 16.04 is past standard support.
  • Monitor authentication failures.

HTTP on port 80

Evidence:

text
Apache/2.4.18 (Ubuntu)
PHP/7.0.33
/backup/ directory discovered

Assessment:

  • Apache and PHP versions are old. Ubuntu backports security fixes without changing the upstream version string, so a banner alone does not prove a specific CVE is exploitable; confirm against the installed package version or the OS support status before naming one.
  • Backup directory may expose source code, configuration, or database dumps.
  • Version headers provide useful targeting information.

Recommendation:

  • Remove backup files from the web root, and keep backups outside any served directory.
  • Patch or migrate the application stack (PHP 7.0 is end-of-life upstream).
  • Disable directory listing (Options -Indexes in the Apache configuration).
  • Reduce banner leakage (ServerTokens Prod and ServerSignature Off for Apache; expose_php = Off for PHP).
  • Add security headers after validating application behavior.

SMB on ports 139 and 445

Evidence:

text
Samba 4.3.11-Ubuntu
SMBv1 enabled
message_signing: disabled

Assessment:

  • SMBv1 is legacy and should be disabled.
  • SMB signing should be required where possible.
  • File sharing should not be exposed broadly.

Recommendation:

  • Disable SMBv1 (in smb.conf: server min protocol = SMB2_02).
  • Require SMB signing (server signing = mandatory).
  • Restrict SMB to approved clients (hosts allow in smb.conf plus a host firewall).
  • Patch Samba.
  • Audit shares and permissions.

MySQL on port 3306

Evidence:

text
MySQL 5.7.33 reachable from scanner
root empty password check: false

Assessment:

  • Direct database exposure increases risk.
  • MySQL should rarely be reachable from general user networks.

Recommendation:

  • Bind MySQL to localhost if used only by the local app (bind-address = 127.0.0.1 in the mysqld section).
  • Otherwise restrict access by firewall to approved application hosts, and grant accounts to specific source hosts rather than the '%' wildcard.
  • Enforce least-privilege database accounts.
  • Upgrade to a supported database version (MySQL 5.7 reached end of life in October 2023).

Build server on port 8080

Evidence:

text
Jetty 9.2.z-SNAPSHOT
/jenkins/ login page

Assessment:

  • Build systems often hold credentials, deployment keys, source code, and environment secrets.
  • Exposing Jenkins or similar tools broadly is high risk.

Recommendation:

  • Restrict to VPN or admin subnet.
  • Enforce SSO and MFA.
  • Update Jenkins and plugins.
  • Review credential storage.
  • Remove unused jobs and tokens.

Webmin on port 10000

Evidence:

text
MiniServ/1.890
Login to Webmin

Assessment:

  • Webmin is a powerful server administration interface.
  • Old management panels are high-value targets.

Recommendation:

  • Remove Webmin if unnecessary.
  • Restrict access to admin VPN.
  • Update to a supported version.
  • Enforce MFA where available.
  • Monitor logins and configuration changes.

Findings table

ID Finding Severity Evidence Recommended fix
NS-01 Exposed administrative services High SSH, Webmin, Jenkins reachable Restrict to VPN/admin subnet
NS-02 Legacy SMB configuration High SMBv1 enabled, signing not required Disable SMBv1, require signing
NS-03 Database exposed to network High MySQL 3306 open Bind locally or restrict by firewall
NS-04 Outdated web stack Medium Apache 2.4.18, PHP 7.0.33 Patch or migrate OS/application
NS-05 Possible web backup directory Medium /backup/ discovered Remove backups from web root
NS-06 Version banner exposure Low Server headers visible Reduce banner detail after patching

Severity should be adjusted to the real environment. For example, MySQL exposed only to a database admin subnet is less severe than MySQL exposed to every workstation.

Sample final report section

You can reuse this structure for your own assessments.

text
Finding NS-01: Exposed administrative services

Severity: High

Affected host:
- 10.10.56.24

Evidence:
- 22/tcp OpenSSH 7.2p2
- 8080/tcp Jetty login page with /jenkins/
- 10000/tcp MiniServ/1.890 Webmin login

Impact:
The server exposes multiple administrative or sensitive management interfaces to the tested network. If any one of these interfaces is misconfigured, outdated, or protected by weak credentials, an attacker with network access could attempt unauthorized administration or use the exposed service as a path to deeper compromise.

Recommendation:
Restrict administrative services to a dedicated management subnet or VPN, enforce MFA where supported, remove services that are not required, patch all management interfaces, and monitor authentication events centrally.

Retest:
From a normal user subnet, verify that ports 22, 8080, and 10000 are filtered or unreachable. From the approved admin subnet, verify that authorized administrators can still connect.

Retest scan after remediation

After the owner applies fixes, run a smaller retest.

bash
nmap -sS -p 22,80,139,445,3306,8080,10000 10.10.56.24 -oN scans/09-retest-ports.txt

Ideal simulated retest output:

text
PORT      STATE    SERVICE
22/tcp    filtered ssh
80/tcp    open     http
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
3306/tcp  filtered mysql
8080/tcp  filtered http-proxy
10000/tcp filtered snet-sensor-mgmt

This would show a much better posture:

  • The public web app remains reachable.
  • Administrative services are no longer reachable from the tested network.
  • SMB and MySQL are blocked from the wrong segment.
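"Much better" should be a checked result, not an eyeball comparison of two listings. The script below is an added example for the retest step, not part of the original lab: it reads the baseline sweep and the retest as .gnmap files (written by -oA or -oG), gives every baseline port a verdict, and flags anything that is still open but was not meant to stay open. The function name and the two constructed sample files are this example's own; the retest sample is deliberately one step short of the ideal output above (3306 was left open) to show what a missed fix looks like.

```shell
#!/bin/sh
# Added example (not from the original lab): compare a baseline .gnmap with a
# retest .gnmap and give each port a verdict. Function name and sample files
# are this example's own.

# retest_compare BASELINE.gnmap RETEST.gnmap PORTS_EXPECTED_OPEN
#   FIXED          open before, not open now (filtered or closed)
#   EXPECTED_OPEN  still open and on the allowed list (e.g. the web app on 80)
#   STILL_EXPOSED  still open and not on the allowed list: the fix did not land
#   NOT_LISTED     open before, absent from the retest (not scanned, or in an
#                  ignored state); go and look rather than assume
retest_compare() {
  awk -v keep="$3" '
    BEGIN { n = split(keep, k, ","); for (i = 1; i <= n; i++) allowed[k[i]] = 1 }
    /^Host:.*Ports:/ {
      sub(/.*Ports: /, ""); sub(/\t.*/, "")   # keep only the port list
      m = split($0, p, ", ")
      for (i = 1; i <= m; i++) {
        split(p[i], f, "/")                    # port/state/proto/...
        if (f[3] != "tcp") continue
        if (FNR == NR) base[f[1]] = f[2]; else after[f[1]] = f[2]
      }
    }
    END {
      for (port in base) {
        b = base[port]
        a = (port in after) ? after[port] : "absent"
        if (b == "open" && a == "open") v = (port in allowed) ? "EXPECTED_OPEN" : "STILL_EXPOSED"
        else if (b == "open" && a == "absent") v = "NOT_LISTED"
        else if (b == "open") v = "FIXED"
        else v = "UNCHANGED"
        printf "%s %s->%s %s\n", port, b, a, v
      }
    }' "$1" "$2" | sort -n
}

# Constructed samples so the example runs offline. For the real lab, pass
# scans/03-full-tcp.gnmap and the .gnmap written by the retest scan.
BASE=$(mktemp); AFTER=$(mktemp)
trap 'rm -f "$BASE" "$AFTER"' EXIT
# Baseline: the Step 4 sweep lists only open ports; closed is the ignored state.
printf 'Host: 10.10.56.24 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3306/open/tcp//mysql///, 8080/open/tcp//http-proxy///, 10000/open/tcp//snet-sensor-mgmt///\tIgnored State: closed (65528)\n' > "$BASE"
# Retest: constructed to differ from the ideal output in one place, 3306 still open.
printf 'Host: 10.10.56.24 ()\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http///, 139/filtered/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///, 3306/open/tcp//mysql///, 8080/filtered/tcp//http-proxy///, 10000/filtered/tcp//snet-sensor-mgmt///\n' > "$AFTER"

retest_compare "$BASE" "$AFTER" 80
```

Run with the real files and the allowed list from the report (here only 80), and any STILL_EXPOSED line becomes a finding that stays open in the retest section rather than a line quietly dropped from the table.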

What makes this a premium lab

The value is not the command list. Anyone can copy Nmap flags.

The value is the thinking:

  • You learned why scan order matters.
  • You saw how top-port scans can miss services.
  • You separated open ports from confirmed vulnerabilities.
  • You interpreted old versions without overclaiming.
  • You turned terminal output into report language.
  • You ended with remediation and retest steps.

That is the difference between running a tool and doing an assessment.

Final checklist

Before closing the lab, make sure you have:

  • host discovery output
  • top-port scan output
  • full TCP scan output
  • service detection output
  • HTTP enumeration output
  • SMB enumeration output
  • MySQL check output
  • targeted vulnerability script output
  • findings table
  • recommendations
  • retest plan

Bottom line

Nmap is not just a scanner. In skilled hands, it is a structured way to understand attack surface.

This lab showed a professional path: start quiet, widen carefully, fingerprint accurately, validate findings, avoid exaggeration, and write recommendations that help the system owner reduce risk.

That is exactly the level of practical training that can make a VIP membership feel valuable.

VIP early access

VIP is free during early access.

Read the full premium labs and private guides while Cyberaro VIP is growing. Later, advanced labs, downloads, and private walkthroughs may become members-only.


Open beta

The current VIP library is open so readers can learn, share, and help the section grow before the member experience launches.

Free now. Advanced member features may arrive later.