Thilan Dissanayaka Computer Networking June 05, 2020

Real Hackers Don’t Guess - They Nmap it!

When you enter your first CTF or OSCP lab, there is one tool that becomes your best friend, your compass, and sometimes your only hope.

That tool is Nmap.

In the world of hacking, information is power. And Nmap gives you everything—services, versions, operating systems, open ports, firewalls, weird misconfigurations… You name it.

This is the story of how Nmap became the first step in every successful attack chain.

Chapter 1: The Dark Room Before the Light

You’re dropped into your first OSCP machine. It’s silent. No clues. Just an IP address.

192.168.50.23

You don’t know who lives there. A Windows server? A forgotten Linux box? A hardened firewall? A misconfigured FTP server?

CTFs intentionally give you zero context. That’s the game.

Your only flashlight: Nmap.

Chapter 2: The First Scan — Finding the Doors

The first thing any OSCP student learns:

"Always start with a basic TCP scan."

Your opening move:

nmap -sC -sV -oN scan.txt 192.168.50.23

What this does:

-sC → runs default safe NSE scripts

-sV → grabs service versions

-oN scan.txt → saves results

Finds open ports

Identifies services

Pulls banners

Gives login prompts (FTP/SSH/SMTP)

Finds web servers

Sometimes reveals vulnerabilities immediately

This is your recon foundation.

OSCP tip: 📝 Always save your scans. You’ll come back to them during pivoting or privilege escalation.

Chapter 3: The Aggressive Scan — Pushing Deeper

Once you know the open ports, you probe deeper. This is where Nmap becomes a weapon.

Example aggressive scan:

nmap -A -T4 -oN aggressive.txt 192.168.50.23

-A includes:

OS detection

Version detection

Script scanning

Traceroute

The output is often gold:

“Apache httpd 2.4.29 (Ubuntu)”

“OpenSSH 7.2p2 Ubuntu 4ubuntu2.8”

“Dangerous file permissions”

“SMB shares available”

“FTP allows anonymous login”

OSCP students immediately copy those versions into Google + ExploitDB. You might instantly find:

Apache mod_ssl vulnerabilities

OpenSSH auth bypass CVEs

Weak SMB shares

Misconfigured NFS mounts

This is where exploitation begins.

Chapter 4: You Found a Web Port… What Now?

In most CTFs and OSCP labs, your Nmap scan reveals:

80/tcp open http

You visit the page — maybe it’s empty. But Nmap can go deeper.

Run Nmap’s HTTP scripts:

nmap --script http-enum,http-title,http-headers -p80 192.168.50.23

This may uncover:

Hidden directories

Old CMS versions

Virtual hosts

Admin panels

Backup folders

Credentials in headers

OSCP Tip: If you see /backup, /old, /dev, or /test, you’re very close.

Chapter 5: UDP — The Forgotten Attack Surface

OSCP machines sometimes hide vulnerable services on UDP.

Run this:

nmap -sU --top-ports 50 -oN udp.txt 192.168.50.23

Possible findings:

TFTP server with no authentication

SNMP with public community string

DNS misconfigurations

NTP reflection vulnerabilities

OpenVPN ports

UDP is slow, but one open SNMP port can give full read access to the machine.

Chapter 6: The Nmap Scripts That Win CTFs

Nmap’s secret power: its NSE (Nmap Scripting Engine).

Here are the most important ones for OSCP/CTFs.

1. SMB Exploitation Scripts nmap –script smb-vuln* -p445 192.168.50.23

Finds EternalBlue, MS17-010, SMB signing issues.

1. FTP Misconfigurations nmap –script ftp-anon -p21 192.168.50.23

2. SSH Weak Keys nmap –script ssh2-enum-algos,ssh-hostkey -p22 192.168.50.23

3. HTTP Enumeration nmap –script http-enum -p80,443 192.168.50.23

4. VNC Authentication Bypass nmap –script vnc-info,vnc-title -p5900 192.168.50.23

5. MySQL Enumeration nmap –script mysql-info,mysql-enum -p3306 192.168.50.23

These scripts alone can solve half of beginner-to-intermediate CTF boxes.

Chapter 7: Turning Nmap Output Into Vulnerabilities

After scanning, OSCP workflow becomes:

Identify service + version

Search for exploits:

ExploitDB

Searchsploit

Google

Test exploit or misconfiguration

Gain foothold

Escalate privileges

Example:

Nmap output shows:

445/tcp open microsoft-ds Windows 7 Professional SP1

You immediately think:

EternalBlue (MS17-010)

SMB vulnerabilities

Null session

Unpatched Windows box

This is exactly how CTF players chain recon → exploit → root.

Chapter 8: The OSCP-Style Full Scan Template

Here’s the template OSCP students use in every machine:

1. Fast scan

nmap -p- –min-rate 10000 -oN allports.txt 192.168.50.23

2. Deep scan on found ports

nmap -sC -sV -p -oN services.txt 192.168.50.23

3. Aggressive post-scan

nmap -A -p -oN aggressive.txt 192.168.50.23

This gives you everything you need to begin exploitation.

Chapter 9: The Real Reason Nmap Wins CTFs

Nmap doesn’t hack machines for you. What it does is something far more important:

It tells you where to look.

Every CTF and OSCP box has an intended attack path. Nmap helps you discover it, step by step:

A weird port

An outdated service

A misconfigured protocol

A forgotten backup directory

A vulnerable CMS

An exposed SMB share

A port unexpectedly open

These are the clues. Your job is to follow them.

Nmap is the detective lens.

Epilogue: Master Nmap, Master Your Recon

When you walk into OSCP labs, Nmap becomes your:

Guide

Teacher

Scout

Map

First weapon

Most reliable tool

Mastering Nmap means mastering the most important phase of hacking: reconnaissance.

And in OSCP… your recon determines your success.