VIP Lab: Nmap Recon From Zero to Vulnerability Report
A premium hands-on Nmap lab using a fictional target, realistic terminal output, port discovery, service fingerprinting, safe vulnerability analysis, and a finished report template.
Key takeaways
- A professional Nmap workflow starts with scope, authorization, target validation, and careful scan intensity.
- The best scans move in stages: host discovery, port discovery, service detection, default scripts, targeted NSE checks, and reporting.
- Nmap findings are not automatically vulnerabilities; they must be validated against service versions, exposure, configuration, and business context.
- A premium lab should end with a clean report: evidence, risk, impact, recommendation, and retest steps.
This premium lab teaches a complete Nmap reconnaissance workflow from the first target check to a finished vulnerability assessment note.
The scenario is fictional. The IP addresses, hostnames, banners, and terminal output are simulated for training. Use this workflow only inside your own lab, your employer's approved environment, or a system where you have written permission to test.
The goal is not to throw random scan flags at a target. The goal is to think like a professional assessor: define scope, discover exposure, identify services, separate evidence from assumptions, rate risk, and write findings a defender can act on.
Lab scenario
You are testing one internal training server for a small company called Northstar Clinic. The security team believes the server was built quickly for a patient document portal proof of concept.
The approved target is:
Target name: northstar-lab-web01
Target IP: 10.10.56.24
Network: 10.10.56.0/24
Scope: 10.10.56.24 only
Rules: Discovery and vulnerability assessment only. No exploitation. No password attacks. No denial-of-service tests.
Your deliverable is a short report answering:
- Is the host online?
- Which TCP ports are exposed?
- Which services and versions are visible?
- Which findings look risky?
- What should the owner fix first?
Tools
This lab uses:
- Nmap
- a terminal
- a notes file
- optional browser access for checking service pages inside the lab
Use the latest stable Nmap available in your lab environment. Exact output can vary by version, operating system, network route, and target configuration.
Professional workflow
A clean Nmap assessment follows a ladder:
- Confirm scope.
- Check whether the host responds.
- Find open ports.
- Fingerprint services.
- Run safe default scripts.
- Run targeted vulnerability scripts only where appropriate.
- Interpret the evidence.
- Prioritize risk.
- Write remediation steps.
- Retest after fixes.
Do not start with the loudest scan. Good scanning is controlled.
Step 1: Create a case folder
Create a folder so raw evidence does not get mixed with screenshots, notes, and reports.
```bash
mkdir -p northstar-nmap-lab/scans
cd northstar-nmap-lab
```
Create a small notes file:
```
Assessment: Northstar Clinic internal lab
Date: 2026-05-15
Target: 10.10.56.24
Tester: Cyberaro VIP Lab Student
Permission: Training lab only
Restrictions: No exploitation, no brute force, no DoS
```
Step 2: Confirm the host is reachable
Start with simple host discovery.
```bash
nmap -sn 10.10.56.24 -oN scans/01-host-discovery.txt
```
Simulated terminal output:
```
Starting Nmap 7.95 ( https://nmap.org ) at 2026-05-15 10:12 +03
Nmap scan report for 10.10.56.24
Host is up (0.0024s latency).
MAC Address: 08:00:27:5A:19:B2 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
```
What this tells us:
- The target is online.
- Latency is low, which matches an internal lab.
- The MAC vendor suggests a virtual machine.
This is not a vulnerability. It is context.
Step 3: Fast TCP port discovery
Now scan common TCP ports with a normal SYN scan. On Linux, SYN scan needs elevated privileges (root or equivalent raw-socket rights). Without them, use a TCP connect scan (-sT) instead; that is also the scan type Nmap selects by default for unprivileged users.
```bash
nmap -sS --top-ports 1000 10.10.56.24 -oN scans/02-top-ports.txt
```
Simulated terminal output:
```
Starting Nmap 7.95 ( https://nmap.org ) at 2026-05-15 10:14 +03
Nmap scan report for 10.10.56.24
Host is up (0.0021s latency).
Not shown: 994 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3306/tcp  open  mysql
8080/tcp  open  http-proxy
MAC Address: 08:00:27:5A:19:B2 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 1.84 seconds
```
Initial exposure:
| Port | Service guess | First impression |
|---|---|---|
| 22 | SSH | Administrative access surface |
| 80 | HTTP | Public web app or default site |
| 139 | NetBIOS | Windows/Samba file sharing surface |
| 445 | SMB | File sharing surface, often high value |
| 3306 | MySQL | Database exposed to network |
| 8080 | HTTP proxy/app | Secondary web app, admin panel, or dev service |
The important finding at this stage is not "six ports are open." The important question is whether each port should be reachable from this network.
Step 4: Full TCP sweep
The top ports scan can miss unusual services. Run a full TCP port sweep and save all formats.
```bash
nmap -sS -p- --min-rate 3000 10.10.56.24 -oA scans/03-full-tcp
```
Simulated terminal output:
```
Starting Nmap 7.95 ( https://nmap.org ) at 2026-05-15 10:16 +03
Nmap scan report for 10.10.56.24
Host is up (0.0022s latency).
Not shown: 65528 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3306/tcp  open  mysql
8080/tcp  open  http-proxy
10000/tcp open  snet-sensor-mgmt
Nmap done: 1 IP address (1 host up) scanned in 18.42 seconds
```
The full sweep discovered port 10000. That is why full sweeps matter.
Port 10000 is commonly associated with Webmin in many environments, but Nmap's initial service label is only a guess. We need version detection before we make a claim.
Step 5: Service and version detection
Now fingerprint only the ports we found. This is more efficient and easier to read than scanning every port with heavy probes.
```bash
nmap -sV -sC -O -p 22,80,139,445,3306,8080,10000 10.10.56.24 -oA scans/04-service-detection
```
Simulated terminal output:
```
Starting Nmap 7.95 ( https://nmap.org ) at 2026-05-15 10:20 +03
Nmap scan report for 10.10.56.24
Host is up (0.0025s latency).
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 34:9c:4b:7a:11:90:8e:21:cc:55:63:9a:f1:e7:90:44 (RSA)
|   256 a8:8d:7c:3f:18:f0:31:62:c6:24:11:45:ac:03:a1:11 (ECDSA)
|_  256 27:67:84:d9:f2:55:b5:a2:44:20:6d:29:77:bd:14:c0 (ED25519)
80/tcp    open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Northstar Clinic Document Portal
|_http-server-header: Apache/2.4.18 (Ubuntu)
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: NORTHSTAR)
445/tcp   open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: NORTHSTAR)
3306/tcp  open  mysql       MySQL 5.7.33-0ubuntu0.16.04.1
| mysql-info:
|   Protocol: 10
|   Version: 5.7.33-0ubuntu0.16.04.1
|   Thread ID: 14
|   Capabilities flags: 63487
|   Some Capabilities: SupportsTransactions, LongPassword, Speaks41ProtocolNew, SupportsLoadDataLocal
|_  Salt: Jk82x...training...F1
8080/tcp  open  http        Jetty 9.2.z-SNAPSHOT
|_http-title: Build Server - Login
|_http-server-header: Jetty(9.2.z-SNAPSHOT)
10000/tcp open  http        MiniServ 1.890 (Webmin httpd)
|_http-title: Login to Webmin
|_http-server-header: MiniServ/1.890
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: NORTHSTAR-WEB01; OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.19 seconds
```
Now we have evidence, not just guesses.
Important observations:
- Ubuntu 16.04-era packages appear in multiple banners.
- Apache 2.4.18, OpenSSH 7.2p2, Samba 4.3.11, and older Webmin are visible.
- MySQL is reachable directly over the network.
- A build server login page is exposed on 8080.
- Webmin is exposed on 10000.
At this point, the target looks like an old internal server with too many administrative surfaces open.
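The -oA runs in Steps 4 and 5 also write an XML file (scans/04-service-detection.xml), which is far easier to feed into notes and the findings table than copying banners by hand. The following parser is an added example written for this lab; it is not part of Nmap or the original page. The XML is constructed to mirror the simulated Step 5 result (plus one closed port to show filtering), and the port-to-category mapping (ADMIN_PORTS and friends) is an assumption chosen for this scenario.

```python
"""Turn an Nmap -oX / -oA XML file into evidence rows plus exposure flags.

Added example for this lab, not Nmap's own code or the original page's. The
elements used (host/status/address/ports/port/state/service) are the ones
Nmap really emits; real files carry more attributes than this sample.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample shaped like scans/04-service-detection.xml from -oA.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="7.95" start="1778828400">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.10.56.24" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.2p2 Ubuntu 4ubuntu2.10"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.18"/></port>
      <port protocol="tcp" portid="139"><state state="open"/>
        <service name="netbios-ssn" product="Samba smbd" version="3.X - 4.X"/></port>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="netbios-ssn" product="Samba smbd" version="4.3.11-Ubuntu"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/>
        <service name="mysql" product="MySQL" version="5.7.33-0ubuntu0.16.04.1"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/>
        <service name="http" product="Jetty" version="9.2.z-SNAPSHOT"/></port>
      <port protocol="tcp" portid="10000"><state state="open"/>
        <service name="http" product="MiniServ" version="1.890" extrainfo="Webmin httpd"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
    </ports>
  </host>
</nmaprun>
"""


@dataclass
class PortEvidence:
    host: str
    port: int
    proto: str
    state: str
    service: str
    product: str
    version: str


def parse_nmap_xml(xml_text: str) -> list:
    """Extract one row per port from Nmap XML, skipping hosts that are down."""
    rows = []
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        ip = addr.get("addr") if addr is not None else "?"
        for port in host.findall("ports/port"):
            svc = port.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            rows.append(PortEvidence(
                host=ip,
                port=int(port.get("portid")),
                proto=port.get("protocol"),
                state=port.find("state").get("state"),
                service=get("name"), product=get("product"), version=get("version"),
            ))
    return rows


# Assumed mapping for this lab: which ports answer the "should this be
# reachable from here?" question from Step 3.
ADMIN_PORTS = {22, 10000}        # SSH, Webmin
BUILD_PORTS = {8080}             # Jenkins behind Jetty in this scenario
DB_PORTS = {3306}                # MySQL
FILE_SHARE_PORTS = {139, 445}    # NetBIOS / SMB


def exposure_flags(rows) -> dict:
    """Group open ports into the exposure categories used by the findings table."""
    flags = {"admin": set(), "build": set(), "database": set(), "file_sharing": set()}
    categories = (("admin", ADMIN_PORTS), ("build", BUILD_PORTS),
                  ("database", DB_PORTS), ("file_sharing", FILE_SHARE_PORTS))
    for r in rows:
        if r.state != "open":
            continue
        for name, ports in categories:
            if r.port in ports:
                flags[name].add(r.port)
    return flags


def evidence_lines(rows) -> list:
    """Render open ports the way they are quoted in the notes file."""
    return [f"{r.port}/{r.proto} {r.product} {r.version}".strip()
            for r in rows if r.state == "open"]


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_XML)
    print("\n".join(evidence_lines(parsed)))
    print(exposure_flags(parsed))
```

Point it at the real file with `parse_nmap_xml(open("scans/04-service-detection.xml").read())`. Keeping the category mapping explicit is the point: the flags are the assessor's scope decision, not something Nmap can know.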
Step 6: HTTP enumeration
Run HTTP-focused default checks against the web ports.
```bash
nmap -sV --script http-title,http-headers,http-server-header,http-methods -p 80,8080,10000 10.10.56.24 -oN scans/05-http-enum.txt
```
Simulated terminal output:
```
PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-title: Northstar Clinic Document Portal
| http-server-header: Apache/2.4.18 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-headers:
|   Server: Apache/2.4.18 (Ubuntu)
|   X-Powered-By: PHP/7.0.33
|_  Set-Cookie: PHPSESSID=training; path=/
8080/tcp  open  http    Jetty 9.2.z-SNAPSHOT
| http-title: Build Server - Login
| http-server-header: Jetty(9.2.z-SNAPSHOT)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
10000/tcp open  http    MiniServ 1.890
| http-title: Login to Webmin
| http-server-header: MiniServ/1.890
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
```
HTTP findings:
- The main portal leaks Apache and PHP version information.
- The build server interface is exposed to the same network.
- Webmin is exposed and identifies its version.
- OPTIONS is enabled, but by itself that is usually informational unless risky methods such as PUT, DELETE, or TRACE are enabled.
Good reporting language:
The server exposes multiple web administration and application interfaces. Version banners suggest outdated components and increase attacker ability to target known weaknesses.
Avoid weak reporting language:
OPTIONS is open, therefore hacked.
Step 7: SMB enumeration
SMB is often sensitive because it can expose shares, host details, signing posture, and authentication behavior.
```bash
nmap --script smb-protocols,smb-security-mode,smb-os-discovery,smb2-security-mode -p 139,445 10.10.56.24 -oN scans/06-smb-enum.txt
```
Simulated terminal output:
```
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-os-discovery:
|   OS: Unix (Samba 4.3.11-Ubuntu)
|   Computer name: northstar-web01
|   NetBIOS computer name: NORTHSTAR-WEB01
|   Domain name: WORKGROUP
|   FQDN: northstar-web01
|_  System time: 2026-05-15T10:26:31+03:00
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2.02
|     2.10
|     3.00
|_    3.02
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
```
SMB risk indicators:
- SMBv1 appears enabled.
- SMB signing is not required.
- Host and workgroup information are exposed.
- Samba version is old.
This does not prove compromise. It proves the service is risky and should be hardened.
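Steps 6 and 7 both end with the same job: reading NSE script blocks out of the -oN file and deciding which lines are risk indicators and which are merely informational (OPTIONS alone, a hostname). The parser and rules below are an added example written for this lab, not Nmap's own code or the page's. They rely only on the real structure of Nmap's normal output: script lines are prefixed with `| ` or `|_`, and nested lines are indented two spaces deeper than the script name. The sample text is constructed from the simulated Step 6 and Step 7 output, with PUT and DELETE added on port 8080 so the risky-method rule has something to fire on.

```python
"""Triage NSE script output from HTTP and SMB enumeration into risk indicators.

Added example for this lab (not Nmap's code or the original page's). Parses
normal (-oN) output and applies three rules: risky HTTP methods, version-
leaking headers, and SMB protocol/signing posture.
"""
import re

# Constructed sample modelled on the simulated Step 6 and Step 7 output.
SAMPLE_OUTPUT = """\
PORT      STATE SERVICE     VERSION
80/tcp    open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Northstar Clinic Document Portal
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-headers: 
|   Server: Apache/2.4.18 (Ubuntu)
|   X-Powered-By: PHP/7.0.33
|_  Set-Cookie: PHPSESSID=training; path=/
8080/tcp  open  http        Jetty 9.2.z-SNAPSHOT
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS PUT DELETE
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds

Host script results:
| smb-protocols: 
|   dialects: 
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2.02
|_    3.02
| smb-security-mode: 
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
"""

PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+\S+")


def parse_scripts(text: str) -> dict:
    """Group script lines by port ('host' for host scripts).

    Returns {"80/tcp": {"http-methods": ["Supported Methods: ..."], ...}, ...}.
    """
    result, section, script = {}, None, None
    for raw in text.splitlines():
        m = PORT_RE.match(raw)
        if m:
            section = m.group(1)
            result.setdefault(section, {})
            continue
        if raw.startswith("Host script results"):
            section = "host"
            result.setdefault(section, {})
            continue
        if not raw.startswith("|") or section is None:
            continue
        # "|_" marks the last line of a script; treat the underscore as the space.
        body = " " + raw[2:] if raw.startswith("|_") else raw[1:]
        if body.startswith(" ") and not body.startswith("  "):
            name, _, rest = body.strip().partition(":")   # script header line
            script = name
            result[section][script] = [rest.strip()] if rest.strip() else []
        elif script is not None:
            result[section][script].append(body.strip())  # nested line
    return result


RISKY_METHODS = {"PUT", "DELETE", "TRACE"}


def risky_http_methods(port_scripts: dict) -> set:
    """OPTIONS alone is informational; only PUT/DELETE/TRACE are flagged."""
    found = set()
    for line in port_scripts.get("http-methods", []):
        if line.startswith("Supported Methods:"):
            found |= set(line.split(":", 1)[1].split()) & RISKY_METHODS
    return found


def version_leaking_headers(port_scripts: dict) -> list:
    """Server / X-Powered-By headers that carry a version number."""
    leaks = []
    for line in port_scripts.get("http-headers", []):
        name, _, value = line.partition(":")
        if name in ("Server", "X-Powered-By") and re.search(r"\d+\.\d+", value):
            leaks.append(line)
    return leaks


def smb_risks(host_scripts: dict) -> dict:
    """SMBv1 availability and whether signing is required, from the smb-* scripts."""
    smb1 = any("SMBv1" in d for d in host_scripts.get("smb-protocols", []))
    sec1 = " ".join(host_scripts.get("smb-security-mode", []))
    sec2 = " ".join(host_scripts.get("smb2-security-mode", []))
    required = "message_signing: required" in sec1 or "enabled and required" in sec2
    return {"smbv1_enabled": smb1, "signing_required": required}


if __name__ == "__main__":
    parsed = parse_scripts(SAMPLE_OUTPUT)
    for port in ("80/tcp", "8080/tcp"):
        print(port, risky_http_methods(parsed[port]), version_leaking_headers(parsed[port]))
    print("SMB:", smb_risks(parsed["host"]))
```

The rules encode the reporting language the lab asks for: an OPTIONS response on its own yields an empty set, while SMBv1 plus "not required" signing comes back as two concrete indicators to quote in NS-02.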
Step 8: MySQL exposure check
Run safe MySQL discovery scripts.
```bash
nmap -sV --script mysql-info,mysql-empty-password -p 3306 10.10.56.24 -oN scans/07-mysql-enum.txt
```
Simulated terminal output:
```
PORT     STATE SERVICE VERSION
3306/tcp open  mysql   MySQL 5.7.33-0ubuntu0.16.04.1
| mysql-info:
|   Protocol: 10
|   Version: 5.7.33-0ubuntu0.16.04.1
|   Thread ID: 19
|   Capabilities flags: 63487
|   Some Capabilities: Speaks41ProtocolNew, SupportsTransactions, SupportsCompression
|_  Auth Plugin Name: mysql_native_password
| mysql-empty-password:
|_  root account has empty password: false
```
Good news:
- The root account did not accept an empty password in this simulated check.
Bad news:
- MySQL is reachable over the network.
- The version banner is exposed.
- The service may contain sensitive data.
Recommended posture: databases should usually bind to localhost or be restricted to specific application hosts and admin networks.
Step 9: Targeted vulnerability scripts
Nmap has NSE vulnerability scripts, but they should be used carefully. Some are intrusive, noisy, unreliable, or inappropriate outside a lab.
In this lab, run a conservative targeted check:
```bash
nmap -sV --script vuln -p 22,80,139,445,3306,8080,10000 10.10.56.24 -oN scans/08-targeted-vuln.txt
```
Simulated terminal output excerpt:
```
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.10
|_vulners: Some checks require external databases; validate manually.
80/tcp    open  http        Apache httpd 2.4.18 ((Ubuntu))
| http-enum:
|   /login.php: Login page
|   /uploads/: Directory may allow listing
|_  /backup/: Backup directory found
| http-vuln-cve2017-5638:
|_  ERROR: Script execution failed. Validate manually; no finding recorded.
445/tcp   open  netbios-ssn Samba smbd 4.3.11-Ubuntu
| smb-vuln-ms17-010:
|_  This system is patched or not vulnerable.
8080/tcp  open  http        Jetty 9.2.z-SNAPSHOT
| http-enum:
|_  /jenkins/: Jenkins login page
10000/tcp open  http        MiniServ 1.890
| http-vuln-cve2006-3392:
|_  Webmin version appears old; script did not confirm vulnerability.
```
Important lesson: NSE output is evidence to investigate, not automatic truth.
In the excerpt:
- A backup directory is interesting and should be checked in the lab browser.
- Jenkins exposure is important even without credentials.
- Webmin appears old, but the script did not confirm a specific vulnerability.
- A failed script is not a vulnerability.
- MS17-010 was not found, which should also be reported as a negative check if the client asked for it.
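The five bullets above are really a classification: every script result is an error, a negative check, enumeration evidence, a script-confirmed claim, or something a human still has to validate. The triage below is an added example for this lab (not Nmap's code or the page's). Its input list is constructed from the simulated excerpt, and the `State: VULNERABLE` / `State: NOT VULNERABLE` markers it recognises are the wording Nmap's vulns library uses when a script does reach a verdict; no entry in the sample carries them.

```python
"""Triage Step 9 script results before anything reaches the findings table.

Added example for this lab, not part of Nmap or the original page. Each entry
is (port, script, text) as copied from scans/08-targeted-vuln.txt.
"""
import re

# Constructed from the simulated excerpt above.
SAMPLE_RESULTS = [
    ("22/tcp", "vulners", "Some checks require external databases; validate manually."),
    ("80/tcp", "http-enum", "/login.php: Login page\n/uploads/: Directory may allow listing\n"
                            "/backup/: Backup directory found"),
    ("80/tcp", "http-vuln-cve2017-5638",
     "ERROR: Script execution failed. Validate manually; no finding recorded."),
    ("445/tcp", "smb-vuln-ms17-010", "This system is patched or not vulnerable."),
    ("8080/tcp", "http-enum", "/jenkins/: Jenkins login page"),
    ("10000/tcp", "http-vuln-cve2006-3392",
     "Webmin version appears old; script did not confirm vulnerability."),
]

# Order matters: an ERROR line may also say "vulnerability" or "validate manually",
# and "State: NOT VULNERABLE" must win over "State: VULNERABLE".
RULES = [
    ("error",            re.compile(r"\bERROR\b|execution failed", re.I)),
    ("negative",         re.compile(r"not vulnerable|patched|: false\b", re.I)),
    ("confirmed",        re.compile(r"State:\s*VULNERABLE")),
    ("needs_validation", re.compile(r"did not confirm|validate manually|appears", re.I)),
]


def triage(script: str, text: str) -> str:
    """Classify one script result into a report state."""
    if script == "http-enum":
        return "enumeration"      # paths to look at in the lab browser, not findings
    for state, pattern in RULES:
        if pattern.search(text):
            return state
    return "needs_validation"     # unknown wording: a human decides, never the tool


def triage_report(results):
    """Group results by state and draft the one-line note each state deserves."""
    grouped = {}
    for port, script, text in results:
        grouped.setdefault(triage(script, text), []).append((port, script))
    templates = [
        ("confirmed",        "Validate and report: {s} on {p} (script claims VULNERABLE)"),
        ("negative",         "Negative check: {s} on {p} (report if the client asked)"),
        ("error",            "No finding: {s} on {p} failed to run"),
        ("enumeration",      "Evidence to inspect: {s} on {p}"),
        ("needs_validation", "Manual follow-up: {s} on {p}"),
    ]
    lines = [tpl.format(s=script, p=port)
             for state, tpl in templates for port, script in grouped.get(state, [])]
    return grouped, lines


if __name__ == "__main__":
    _, notes = triage_report(SAMPLE_RESULTS)
    print("\n".join(notes))
```

Even a "confirmed" state only produces a "validate and report" line: the script's claim is still checked against the service version and exposure before it becomes a finding.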
Step 10: Manual evidence review
After automated scans, review each service with human judgment.
SSH on port 22
Evidence:
```
OpenSSH 7.2p2 Ubuntu 4ubuntu2.10
```
Assessment:
- Old OpenSSH banner.
- Administrative service exposed.
- Risk depends on access controls, MFA, password policy, and allowed users.
Recommendation:
- Restrict SSH to admin VPN or management subnet.
- Disable password login if keys are used properly.
- Remove unused accounts.
- Update the host OS.
- Monitor authentication failures.
HTTP on port 80
Evidence:
```
Apache/2.4.18 (Ubuntu)
PHP/7.0.33
/backup/ directory discovered
```
Assessment:
- Apache and PHP versions are old.
- Backup directory may expose source code, configuration, or database dumps.
- Version headers provide useful targeting information.
Recommendation:
- Remove backup files from the web root.
- Patch or migrate the application stack.
- Disable directory listing.
- Reduce banner leakage.
- Add security headers after validating application behavior.
SMB on ports 139 and 445
Evidence:
```
Samba 4.3.11-Ubuntu
SMBv1 enabled
message_signing: disabled
```
Assessment:
- SMBv1 is legacy and should be disabled.
- SMB signing should be required where possible.
- File sharing should not be exposed broadly.
Recommendation:
- Disable SMBv1.
- Require SMB signing.
- Restrict SMB to approved clients.
- Patch Samba.
- Audit shares and permissions.
MySQL on port 3306
Evidence:
```
MySQL 5.7.33 reachable from scanner
root empty password check: false
```
Assessment:
- Direct database exposure increases risk.
- MySQL should rarely be reachable from general user networks.
Recommendation:
- Bind MySQL to localhost if used only by the local app.
- Otherwise restrict access by firewall to approved application hosts.
- Enforce least-privilege database accounts.
- Upgrade to a supported database version.
Build server on port 8080
Evidence:
```
Jetty 9.2.z-SNAPSHOT
/jenkins/ login page
```
Assessment:
- Build systems often hold credentials, deployment keys, source code, and environment secrets.
- Exposing Jenkins or similar tools broadly is high risk.
Recommendation:
- Restrict to VPN or admin subnet.
- Enforce SSO and MFA.
- Update Jenkins and plugins.
- Review credential storage.
- Remove unused jobs and tokens.
Webmin on port 10000
Evidence:
```
MiniServ/1.890
Login to Webmin
```
Assessment:
- Webmin is a powerful server administration interface.
- Old management panels are high-value targets.
Recommendation:
- Remove Webmin if unnecessary.
- Restrict access to admin VPN.
- Update to a supported version.
- Enforce MFA where available.
- Monitor logins and configuration changes.
Findings table
| ID | Finding | Severity | Evidence | Recommended fix |
|---|---|---|---|---|
| NS-01 | Exposed administrative services | High | SSH, Webmin, Jenkins reachable | Restrict to VPN/admin subnet |
| NS-02 | Legacy SMB configuration | High | SMBv1 enabled, signing not required | Disable SMBv1, require signing |
| NS-03 | Database exposed to network | High | MySQL 3306 open | Bind locally or restrict by firewall |
| NS-04 | Outdated web stack | Medium | Apache 2.4.18, PHP 7.0.33 | Patch or migrate OS/application |
| NS-05 | Possible web backup directory | Medium | /backup/ discovered | Remove backups from web root |
| NS-06 | Version banner exposure | Low | Server headers visible | Reduce banner detail after patching |
Severity should be adjusted to the real environment. For example, MySQL exposed only to a database admin subnet is less severe than MySQL exposed to every workstation.
Sample final report section
You can reuse this structure for your own assessments.
Finding NS-01: Exposed administrative services
Severity: High
Affected host:
- 10.10.56.24
Evidence:
- 22/tcp OpenSSH 7.2p2
- 8080/tcp Jetty login page with /jenkins/
- 10000/tcp MiniServ/1.890 Webmin login
Impact:
The server exposes multiple administrative or sensitive management interfaces to the tested network. If any one of these interfaces is misconfigured, outdated, or protected by weak credentials, an attacker with network access could attempt unauthorized administration or use the exposed service as a path to deeper compromise.
Recommendation:
Restrict administrative services to a dedicated management subnet or VPN, enforce MFA where supported, remove services that are not required, patch all management interfaces, and monitor authentication events centrally.
Retest:
From a normal user subnet, verify that ports 22, 8080, and 10000 are filtered or unreachable. From the approved admin subnet, verify that authorized administrators can still connect.
Retest scan after remediation
After the owner applies fixes, run a smaller retest.
```bash
nmap -sS -p 22,80,139,445,3306,8080,10000 10.10.56.24 -oN scans/09-retest-ports.txt
```
Ideal simulated retest output:
```
PORT      STATE    SERVICE
22/tcp    filtered ssh
80/tcp    open     http
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
3306/tcp  filtered mysql
8080/tcp  filtered http-proxy
10000/tcp filtered snet-sensor-mgmt
```
This would show a much better posture:
- The public web app remains reachable.
- Administrative services are no longer reachable from the tested network.
- SMB and MySQL are blocked from the wrong segment.
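A retest is only a pass when it is checked against the plan, not eyeballed: every port the report said must be blocked is no longer open, the web app the owner needs is still open, and nothing new appeared. The comparison below is an added example for this lab (not Nmap's or the page's code). It reads the PORT/STATE/SERVICE lines of -oN output, which is the only part of the format it depends on; both texts are constructed, the baseline mirroring the Step 4 sweep and the retest mirroring the ideal output above, and the two plan sets are this lab's remediation targets from findings NS-01 to NS-03.

```python
"""Compare the Step 4 baseline with the retest scan against the remediation plan.

Added example for this lab, not Nmap's own code or the original page's.
"""
import re

# Constructed: what scans/03-full-tcp.nmap listed before remediation.
BASELINE = """\
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3306/tcp  open  mysql
8080/tcp  open  http-proxy
10000/tcp open  snet-sensor-mgmt
"""

# Constructed: the ideal scans/09-retest-ports.txt from a user-subnet vantage point.
RETEST = """\
PORT      STATE    SERVICE
22/tcp    filtered ssh
80/tcp    open     http
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
3306/tcp  filtered mysql
8080/tcp  filtered http-proxy
10000/tcp filtered snet-sensor-mgmt
"""

# Plan for the user-subnet vantage point (assumed from NS-01..NS-03).
MUST_STAY_OPEN = {80}
MUST_BE_BLOCKED = {22, 139, 445, 3306, 8080, 10000}

PORT_LINE = re.compile(r"^(\d+)/tcp\s+(\S+)\s+(\S+)", re.M)


def port_states(text: str) -> dict:
    """{port: state} for every TCP port line in normal Nmap output."""
    return {int(p): s for p, s, _ in PORT_LINE.findall(text)}


def retest_verdict(baseline_text: str, retest_text: str) -> dict:
    """Judge the retest against the plan; 'filtered' and 'closed' both count as blocked."""
    before, after = port_states(baseline_text), port_states(retest_text)

    def state(port):
        # A port missing from the retest listing (e.g. a narrower -p) is not open.
        return after.get(port, "closed")

    unresolved = {p for p in MUST_BE_BLOCKED if state(p) == "open"}
    broken = {p for p in MUST_STAY_OPEN if state(p) != "open"}
    newly_open = {p for p, s in after.items() if s == "open" and before.get(p) != "open"}
    return {
        "unresolved": unresolved,   # still reachable: the finding stays open
        "broken": broken,           # remediation cut off a required service
        "newly_open": newly_open,   # regression: investigate before closing the report
        "passed": not (unresolved or broken or newly_open),
    }


if __name__ == "__main__":
    print(retest_verdict(BASELINE, RETEST))
```

Running it on the real files means `retest_verdict(open("scans/03-full-tcp.nmap").read(), open("scans/09-retest-ports.txt").read())`. The `newly_open` set is the check people forget: a firewall change that opens a management port by accident should fail the retest just as surely as an unresolved finding.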
What makes this a premium lab
The value is not the command list. Anyone can copy Nmap flags.
The value is the thinking:
- You learned why scan order matters.
- You saw how top-port scans can miss services.
- You separated open ports from confirmed vulnerabilities.
- You interpreted old versions without overclaiming.
- You turned terminal output into report language.
- You ended with remediation and retest steps.
That is the difference between running a tool and doing an assessment.
Final checklist
Before closing the lab, make sure you have:
- host discovery output
- top-port scan output
- full TCP scan output
- service detection output
- HTTP enumeration output
- SMB enumeration output
- MySQL check output
- targeted vulnerability script output
- findings table
- recommendations
- retest plan
Bottom line
Nmap is not just a scanner. In skilled hands, it is a structured way to understand attack surface.
This lab showed a professional path: start quiet, widen carefully, fingerprint accurately, validate findings, avoid exaggeration, and write recommendations that help the system owner reduce risk.
That is exactly the level of practical training that can make a VIP membership feel valuable.
VIP is free during early access.
Read the full premium labs and private guides while Cyberaro VIP is growing. Later, advanced labs, downloads, and private walkthroughs may become members-only.
Open beta
The current VIP library is open so readers can learn, share, and help the section grow before the member experience launches.
