Lesson 4: Network Scanning with nmap
nmap (Network Mapper) is the most widely used port scanner in security work. No networking background is required; we explain everything from scratch: what a port is (the 'door' of each service on a computer), how a TCP connection is set up in three steps, and how to read nmap output. All practice is done only on
nmap sends 'knocks' on a computer's doors (ports) and listens for who answers. Like knocking on every door in a building and noting: 'door 80 — open and answering, door 443 — also open, door 22 — open but guarded'.
- Port: a logical number (1-65535) that identifies a specific network service on a computer. The well-known assignments are conventions, not rules: port 80 is usually HTTP, 443 HTTPS, 22 SSH, but an administrator can run any service on any port, which is why version detection (below) matters.
- TCP three-way handshake: how a TCP connection is established. The client sends SYN, the server replies SYN-ACK, the client completes with ACK. nmap infers the port state from what comes back in answer to its SYN. With the default SYN scan (`-sS`, which needs raw-socket privileges, i.e. root) nmap never sends the final ACK; it answers the SYN-ACK with RST, so no connection is ever fully established. Without privileges nmap falls back to a connect scan (`-sT`), which lets the operating system complete the handshake.
- Open port: a port with an active service accepting connections. SYN → SYN-ACK.
- Closed port: the host is reachable and answers with RST (Reset); the port exists but no service is listening. SYN → RST. A closed port is still useful information: it proves the host is up and that nothing is filtering that port.
- Filtered port: nmap cannot tell whether the port is open, because a firewall or packet filter dropped the probe (no reply, even after retransmissions) or answered with an ICMP unreachable error. SYN → no response (timeout) or ICMP error. Because nmap must retransmit and wait, filtered ports are what make a scan slow. For probes where an open port also stays silent (UDP, for example) nmap reports the combined state open|filtered.
- Service version: the precise identification of the software running on a specific port, e.g. 'Apache httpd 2.4.41'. The `-sV` flag enables version detection: nmap connects to each open port, reads any banner the service announces and sends protocol-specific probes. This completes real connections and sends application data, so it is noisier than a plain port scan and shows up in the target's service logs.