Practice nmap commands hands-on: scan ports, find a Telnet service with weak credentials, and escalate to root. A beginner-friendly lab covering network reconnaissance and Linux privilege escalation step by step.
Nmap (Network Mapper) is the most widely used network scanning tool in cybersecurity, and knowing its core nmap commands is essential for discovering hosts, services, and open ports across a network. This hands-on lab teaches the nmap commands you use for real port scanning, then puts them to work against a legacy Telnet service that still shows up on misconfigured systems. Identifying and exploiting weak services this way is a core skill for penetration testers and security analysts.
Nmap provides a full set of scanning techniques for network reconnaissance. A basic scan lists open ports and the services behind them. Adding the -sV flag turns on version detection, which probes open ports to fingerprint the exact software and version number, the information you need to match a service against known vulnerabilities. The -sC flag runs Nmap's default scripts for extra enumeration, like checking for anonymous FTP, reading HTTP server headers, and testing common misconfigurations. Learning a handful of nmap commands well beats memorizing every flag.
Reading scan output matters as much as knowing which flags to run. Each open-port line shows the port number, protocol, state, and service. Version strings often reveal the exact build, which you can cross-reference against CVE entries and Exploit-DB. Scan, identify, research: that loop is the foundation of penetration testing reconnaissance.
Telnet is a legacy remote-access protocol that sends everything, including usernames and passwords, in plaintext over the network. SSH replaced it almost everywhere, but Telnet still lingers on legacy systems, embedded devices, network gear, and industrial control systems. When an nmap scan turns up a Telnet service, it is a high-value target, because default or weak credentials often hand you immediate access.
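An added example, not part of the lab or the original page: it reads nmap -sV normal output field by field, as described above, and lists the open services that carry logins in cleartext, which is the check to run over scans of your own address space. The sample output, the CLEARTEXT set and the function names are assumptions made for illustration.

```python
import re
from typing import NamedTuple

# Constructed sample of `nmap -sV` normal output; addresses are documentation IPs.
SAMPLE = """\
Nmap scan report for 192.0.2.10
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
23/tcp   open     telnet  Linux telnetd
80/tcp   closed   http
2323/tcp filtered telnet
Nmap scan report for 192.0.2.11
PORT   STATE SERVICE VERSION
21/tcp open  ftp?
"""

# Assumption: the service names this audit treats as cleartext logins.
CLEARTEXT = {"telnet", "ftp"}

HOST_LINE = re.compile(r"^Nmap scan report for (.+)$")
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


class Port(NamedTuple):
    host: str
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_ports(text: str) -> list[Port]:
    """Turn each port line into a record, remembering the host it belongs to."""
    host, ports = "", []
    for line in text.splitlines():
        line = line.rstrip()
        if m := HOST_LINE.match(line):
            host = m.group(1)
        elif m := PORT_LINE.match(line):
            num, proto, state, service, version = m.groups()
            # Nmap appends "?" to a service name it could only guess.
            ports.append(Port(host, int(num), proto, state,
                              service.rstrip("?"), version or ""))
    return ports


def cleartext_findings(ports: list[Port]) -> list[Port]:
    """Open ports whose service sends credentials unencrypted."""
    return [p for p in ports if p.state == "open" and p.service in CLEARTEXT]
```

Only ports in the open state are reported, so the filtered 2323/tcp line in the sample is parsed but not flagged.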
Connecting to a Telnet service with default credentials is a common early step in a penetration test. Plenty of devices ship with well-known username and password pairs that administrators never change. Once you have initial access, the next phase is privilege escalation: moving from a limited user account to root.
The progression from nmap scanning to service exploitation to privilege escalation is the core penetration testing methodology, and the fastest way to learn it is hands-on. On HackerDNA you run the real nmap commands against a live target, read the actual output, and escalate to root yourself. Each step builds on the last: scanning reveals services, analysis finds the weakness, exploitation gets you in, and privilege escalation gives you full control.