You ran the scan. Nmap gave you a list of open ports and services. Now what?
This is where a lot of beginners freeze. The scan worked — but the output is just sitting there. Here's how to turn nmap results into actual next steps.
Nmap is not the hack. Nmap is the map.
Think of it like being a chef prepping for service. The scan is your mise en place — everything laid out, organized, ready to work with. The actual cooking hasn't started yet. Now you take what you found and you do something with it.
```text
Open Port Found
↓
Identify the Service & Version
↓
Research the Service
↓
Look for Known Vulnerabilities
↓
Attempt Exploitation or Deeper Enumeration
↓
Document Everything
```
**SSH**
- Check the version nmap found against https://exploit-db.com
- If you have credentials — try them
- If you have a private key — try it
- Look for username enumeration vulnerabilities on older versions

```bash
ssh -i id_rsa user@<target>
```

**HTTP / HTTPS**
- Open it in your browser first — look at it with your eyes
- Run gobuster or feroxbuster for directory enumeration
- Run Nikto for a quick vulnerability check
- Check the SSL certificate on 443 — it often leaks hostnames and domains
- Look at page source — comments, hidden fields, linked files
- Check for robots.txt and sitemap.xml

```bash
gobuster dir -u http://<target> -w /usr/share/wordlists/dirb/common.txt
nikto -h http://<target>
curl http://<target>/robots.txt
```

**SMB**
- Run enum4linux (legacy — prefer enum4linux-ng or netexec) for full enumeration
- Check for EternalBlue with nmap script
- List shares and try to access them

```bash
enum4linux -a <target>
smbclient -L //<target>/ -N
nmap --script smb-vuln-ms17-010 -p 445 <target>
```

**FTP**
- Always try anonymous login first
- Look for files you can download
- Check if you can upload files

```bash
ftp <target>
# username: anonymous
# password: anything
```

**MySQL**
- Try root with no password
- Try common default credentials

```bash
mysql -u root -h <target>
mysql -u root -p -h <target>
```

**Unknown service**
- Connect with netcat and grab the banner
- Google the service name and version
- Search exploit-db.com for the exact version

```bash
nc <target> <port>
```

For every service version nmap identifies, run it through these resources:
| Resource | What to look for | URL |
|---|---|---|
| Exploit-DB | Public exploits for the exact version | https://exploit-db.com |
| NVD | CVE details and severity scores | https://nvd.nist.gov |
| GTFOBins | Unix binary abuse for privesc | https://gtfobins.github.io |
| HackTricks | Methodology and technique reference | https://book.hacktricks.xyz |
Whether you're in a CTF or a real engagement — document as you go. You will forget what you found and when.
```bash
# Minimum documentation per scan
nmap -sV -sC -oA <machinename>-initial <target>

# Keep a notes file
echo "Port 80 open - Apache 2.4.38 - check for CVEs" >> notes.txt
echo "Port 22 - OpenSSH 7.9 - try default creds" >> notes.txt
```

For real engagements, every finding needs:
- What you found
- How you found it
- What the risk is
- How to fix it
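The notes lines above are typed by hand. As an added example (not part of this guide or the SudoCode project), the script below reads the XML file that `-oA <machinename>-initial` writes, keeps only open ports, and emits one notes line per port with the matching next step from the per-service checklists; the embedded nmap XML, its host address and the service versions are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Constructed sample in nmap's XML format, i.e. what -oA <machinename>-initial
# writes to <machinename>-initial.xml. Host, ports and versions are made up.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
<host><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/>
<service name="ssh" product="OpenSSH" version="7.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open"/>
<service name="http" product="Apache httpd" version="2.4.38"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
</ports></host>
</nmaprun>"""

# Next step per nmap service name, condensed from the per-service checklists above.
NEXT_STEPS = {
    "ssh": "check version on exploit-db; try creds/keys you already hold",
    "http": "browse it; gobuster; nikto; robots.txt; page source",
    "https": "read the TLS cert for hostnames, then treat as http",
    "microsoft-ds": "enum4linux-ng or netexec; list shares; smb-vuln-ms17-010",
    "ftp": "try anonymous login; check download/upload",
    "mysql": "try root with no password, then default creds",
}
FALLBACK_STEP = "grab banner with nc; google name + version; search exploit-db"

def parse_open_ports(xml_text):
    """Return (host, port, service, product, version) for each open port."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports don't belong in the notes
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            findings.append((addr, int(port.get("portid")), attrs.get("name", "unknown"),
                             attrs.get("product", ""), attrs.get("version", "")))
    return findings

def notes_lines(findings):
    """One notes.txt line per open port: 'Port N open - product version - next step'."""
    lines = []
    for addr, port, name, product, version in findings:
        ident = " ".join(p for p in (product, version) if p) or name
        step = NEXT_STEPS.get(name, FALLBACK_STEP)
        lines.append(f"{addr} Port {port} open - {ident} - {step}")
    return lines
```

Point `parse_open_ports` at the contents of your real `<machinename>-initial.xml` and append the returned lines to `notes.txt`; the filtered 3306 entry in the sample is dropped on purpose.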
This reference covers nmap. But nmap is just the beginning.
The full picture — from pre-engagement through reporting, privilege escalation, lateral movement, and beyond — is covered in the SudoCode Pentesting Methodology Guide.
Follow along for updates and new tool references as they drop:
More documentation covering additional tools, techniques, and methodology is coming to this GitHub. Stay tuned. 🔪
by SudoChef · Part of the SudoCode Pentesting Methodology Guide