Lab 03: Network Scanning & Enumeration with Nmap¶
| Field | Details |
|---|---|
| Course | SCIA-472 โ Hacking Exposed & Incident Response |
| Topic | Network Scanning & Enumeration |
| Week | 3 |
| Difficulty | โญโญ Intermediate |
| Estimated Time | 60โ75 minutes |
| Tools | Docker, instrumentisto/nmap, vulnerables/web-dvwa, Python 3.11 |
| Target | vulnerables/web-dvwa at 10.10.0.10 (isolated Docker network) |
| Prerequisites | Labs 01โ02 complete; Docker installed and running |
Ethical Use
All attacks and scanning must ONLY target containers you create in this lab. Never scan or attack systems you do not own or have explicit written permission to test.
Overview¶
Network scanning is active reconnaissance โ you are sending packets to targets. This lab uses an isolated Docker network with a deliberately vulnerable target (DVWA โ Damn Vulnerable Web Application). All scans are strictly contained within Docker. Students master Nmap's scanning modes, service detection, OS fingerprinting, and NSE scripts.
By the end of this lab you will be able to:
- Create isolated Docker networks for safe lab environments
- Perform host discovery with ping scans
- Execute TCP connect and SYN scans against target hosts
- Detect service versions and OS fingerprints with Nmap
- Run NSE (Nmap Scripting Engine) scripts for targeted enumeration
- Save and interpret scan output for attack planning
Docker images used: - Scanner:
instrumentisto/nmap- Target:vulnerables/web-dvwa
Part 1 โ Lab Setup¶
Step 1.1 โ Create Isolated Lab Network¶
This network is completely isolated from the internet and your host system's network.
Step 1.2 โ Start Target Container¶
docker run -d \
--name target \
--network scanlab \
--ip 10.10.0.10 \
vulnerables/web-dvwa
sleep 5
docker ps | grep target
Expected output: target container listed as running with status Up.
๐ธ Screenshot checkpoint: Capture docker ps showing the target container running โ label this 03a.
Part 2 โ Host Discovery¶
Before scanning ports, confirm which hosts are alive on the network segment.
Step 2.1 โ Ping Scan (Discover Live Hosts)¶
Expected output: Shows 10.10.0.10 alive, plus the scanner's own IP address assigned by Docker.
๐ธ Screenshot checkpoint: Capture the ping scan output showing discovered live hosts โ label this 03b.
Step 2.2 โ TCP Connect Scan (Most Reliable)¶
Expected output: PORT 80/tcp open http and 3306/tcp open mysql โ DVWA runs Apache and MySQL.
๐ธ Screenshot checkpoint: Capture the port scan results showing open ports โ label this 03c.
Part 3 โ Service & Version Detection¶
Knowing a port is open is not enough. Version detection reveals which software is running โ and which CVEs apply.
Step 3.1 โ Service Version Detection¶
Expected output: Shows Apache httpd version number and MySQL version number.
๐ธ Screenshot checkpoint: Capture the service version detection output โ label this 03d.
Step 3.2 โ Aggressive Scan (OS + Version + Scripts)¶
The -A flag combines OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute.
Expected output: Full output including OS detection attempt, detailed service information, and default NSE script results.
๐ธ Screenshot checkpoint: Capture the aggressive scan output (scroll to show OS and script sections) โ label this 03e.
Step 3.3 โ Full Port Scan (All 65535 Ports)¶
Default Nmap only scans the top 1000 ports. Services on non-standard ports are missed.
Expected output: Scans all ports โ may reveal additional services on non-standard ports.
๐ธ Screenshot checkpoint: Capture the full port scan results โ append to 03e.
Part 4 โ NSE (Nmap Scripting Engine)¶
NSE scripts extend Nmap with targeted checks for specific services and vulnerabilities. Over 600 scripts are included.
Step 4.1 โ HTTP Enumeration Scripts¶
docker run --rm --network scanlab instrumentisto/nmap \
nmap --script=http-title,http-server-header,http-methods 10.10.0.10 -p 80
Expected output: Page title of the web application, server header (Apache/2.4.x), and allowed HTTP methods (GET, POST, OPTIONS, etc.).
๐ธ Screenshot checkpoint: Capture the HTTP NSE script results โ label this 03f.
Step 4.2 โ MySQL Information Scripts¶
docker run --rm --network scanlab instrumentisto/nmap \
nmap --script=mysql-empty-password,mysql-info 10.10.0.10 -p 3306
Expected output: MySQL version banner and result of empty password authentication check.
๐ธ Screenshot checkpoint: Capture the MySQL NSE script results โ append to 03f.
Part 5 โ Saving Scan Results¶
In real engagements, scan output is evidence. Save it in structured formats.
Step 5.1 โ Save to File and Analyze¶
docker run --rm --network scanlab -v /tmp:/output instrumentisto/nmap \
nmap -sV -oN /output/scan_report.txt 10.10.0.10
cat /tmp/scan_report.txt
๐ธ Screenshot checkpoint: Capture the saved scan report contents โ label this 03g.
Step 5.2 โ Interpret Scan Results for Attack Planning¶
docker run --rm python:3.11-slim python3 -c "
findings = [
('80/tcp', 'open', 'Apache httpd 2.4.25', 'HIGH', 'Outdated Apache - check CVE database for 2.4.25'),
('3306/tcp', 'open', 'MySQL 5.7.x', 'HIGH', 'Database exposed - attempt authentication, check for CVEs'),
]
print('=== VULNERABILITY ANALYSIS FROM SCAN ===')
print(f'{\"Port\":<12} {\"State\":<8} {\"Service\":<25} {\"Risk\":<8} {\"Finding\"}')
print('-' * 85)
for port, state, service, risk, finding in findings:
print(f'{port:<12} {state:<8} {service:<25} {risk:<8} {finding}')
print()
print('Next steps: Check CVE database for identified versions')
print('CVE lookup: https://nvd.nist.gov/vuln/search')
print('Apache 2.4.25 CVEs: https://httpd.apache.org/security/vulnerabilities_24.html')
"
๐ธ Screenshot checkpoint: Capture the attack surface analysis table โ label this 03h.
Cleanup¶
Assessment¶
Screenshot Checklist¶
| Label | Required Screenshot | Points |
|---|---|---|
| 03a | docker ps showing target container running | 5 |
| 03b | Ping scan output discovering live hosts | 5 |
| 03c | TCP connect scan showing open ports (80, 3306) | 5 |
| 03d | Service version detection (-sV) with version numbers | 5 |
| 03e | Aggressive scan output (-A) including OS and scripts | 5 |
| 03f | HTTP + MySQL NSE script results | 5 |
| 03g | Saved scan report (scan_report.txt contents) | 5 |
| 03h | Attack surface analysis table | 5 |
| Total | 40 |
Analysis (20 points)¶
Complete a Scan Findings Analysis Table for the DVWA target:
| Port | Protocol | Service | Version | Risk Rating | CVE Reference | Recommended Action |
|---|---|---|---|---|---|---|
| 80 | TCP | |||||
| 3306 | TCP |
For each finding:
- Assign a risk rating (Critical / High / Medium / Low / Info)
- Look up at least one real CVE at nvd.nist.gov
- Provide a specific remediation recommendation
Reflection Questions (40 points โ 10 points each)¶
-
Nmap found Apache 2.4.25 on DVWA. This version is from 2017 and has multiple known vulnerabilities. How would an attacker use this version number to find exploits? What database would they search and what would a typical search query look like?
-
The
-sT(TCP connect) scan vs-sS(SYN stealth) scan: explain the technical difference at the packet level. Why is SYN scanning called "stealthy" and why does it require root/admin privileges? -
Nmap NSE scripts can brute-force credentials, enumerate services, and detect vulnerabilities. Is running NSE scripts against a system you have written authorization to test ethical? What about running them against a production system during business hours โ even with authorization?
-
You saved the scan report to a file. In a real engagement, scan reports are sensitive documents that contain detailed attack surface information. What information must be included in the final deliverable report, and what data retention and destruction policies should govern scan artifacts after the engagement ends?
Grading Rubric
| Component | Points |
|---|---|
| Screenshots (03aโ03h, all visible and labeled) | 40 |
| Scan findings analysis table (complete with CVEs and remediation) | 20 |
| Reflection questions (4 ร 10 pts, substantive answers) | 40 |
| Total | 100 |