Nmap Recon Guide: Tunnel Vision vs Landscape Scan

If you're on a Red Team mission — even a simulated one — you need to see what others can't. Sometimes that means scanning the entire battlefield. Sometimes it means focusing on a single sentry. In this article, we break down the two mindsets that every Nmap user must master: targeted reconnaissance and environmental mapping.

🌪️ PART 1 — Tunnel Vision: Targeted Scanning

Imagine you already know the IP of a machine — maybe it's a second PC at home, a test server, or an IoT device. Your job now is to go deep, not wide.

🧭 Step 1 – Find the Target IP

On the machine you want to scan, use the following command to find its IP address:

ip a

Look for a line like:

inet 192.168.1.42/24

This means the machine's IP is 192.168.1.42. Make sure the machine is on the same network as yours so you can reach it.

🔌 Optional Lab Setup

If you're learning, the easiest way to simulate this is to:

• Run a second VM (e.g., Ubuntu or Metasploitable) on the same host network
• Use ip a inside that VM to get its IP
• Scan it from your main system using its local IP

This helps you practice scans in a safe and isolated environment.

🔍 Step 2 – Launch a Focused Scan

nmap -sC -sV -O -Pn 192.168.1.42

• -sC: run default scripts
• -sV: detect service versions
• -O: attempt OS detection
• -Pn: skip host discovery (assume host is up)

This reveals open ports, services, software versions, and possible OS fingerprinting. It's the sniper approach — you're focused on a single target.

📡 Understanding Hosts, Ports & Services

🧍 Host

A host is any device connected to the network — PC, smartphone, printer, or smart lightbulb. Each has an IP address (e.g., 192.168.1.42).

🔌 Ports

Ports are virtual doors used by services and applications to communicate over the network. Here are a few commonly found ones:

• 22 – SSH (Secure Shell): Remote administration and login for Unix/Linux systems. If open, can be a target for brute-force login attempts.
• 80 – HTTP: Unencrypted web traffic. Might host a public or internal site. Could be vulnerable to directory traversal or outdated CMS issues.
• 443 – HTTPS: Secure web traffic. Always worth checking with tools like sslscan or whatweb to identify cert misconfigs or tech stack.
• 21 – FTP (File Transfer Protocol): Used for file transfers. Weaknesses include anonymous login, cleartext credentials, and misconfigurations.
• 3389 – RDP (Remote Desktop Protocol): Used for remote access to Windows systems. If exposed, it can be a major attack vector.

Ports can be:

• Open – the service is available and accepting connections
• Closed – nothing is listening on that port
• Filtered – traffic is being blocked (e.g., by a firewall or IDS)

⚙️ Services

Nmap can detect services running behind open ports. This includes software names and often their versions, e.g., Apache 2.4.41, OpenSSH 7.9, etc. This is critical for vulnerability research.

🌍 PART 2 — Landscape Scan: Network Reconnaissance

Other times, you're blind in a new environment. You need situational awareness.

🧭 Step 1 – Find Your IP and Subnet

To scan your network, you first need to know your local IP and subnet:

ip a

Look for a line like:

inet 192.168.1.23/24

This tells you your IP is 192.168.1.23 and your subnet is /24, so the network range is 192.168.1.0/24.

🔍 Step 2 – Ping the Entire Network

Once you know the subnet, scan to find live hosts:

nmap -sn 192.168.1.0/24

This ping scans the subnet to find live hosts. Sample output:

Nmap scan report for 192.168.1.1 (Router)
Host is up.
Nmap scan report for 192.168.1.42 (Ubuntu-MSI)
Host is up.
Nmap scan report for 192.168.1.74
Host is up.

Once hosts are identified, zoom in:

nmap -sC -sV -O -Pn 192.168.1.42

🧠 Strategy Breakdown

Tunnel Vision = deep recon on a known IP. Use when your target is precise and valuable.

Landscape Scan = broad awareness. Use to discover hidden assets and understand the terrain.

🧨 Bonus: Advanced Nmap Tips

• nmap -sS -T4 192.168.1.42 – stealth SYN scan
• nmap --top-ports 100 192.168.1.42 – scan top 100 ports
• nmap -p- 192.168.1.42 – full port scan
• nmap -sV --script vuln 192.168.1.42 – detect known vulns

🧰 What to Do With Results

• SSH open? → try brute force with hydra
• Web server? → scan with gobuster, nikto
• SMB? → explore with enum4linux, crackmapexec

📂 Save Your Scan

nmap -sV -O 192.168.1.42 -oN hyuga-scan.txt

📌 Final Advice

Start wide, go deep. One gives you the map. The other, the secret doors.

🧪 Try This – Your First Recon Challenge

• Spin up a second VM on your network (e.g., Metasploitable, Parrot, or Kali)
• Find its IP address using ip a
• From your main system, run a full port scan with service detection:

nmap -sC -sV -O -Pn [target-ip]

Try to interpret what services are running. What ports are open? Is there a potential weakness?

📌 Nmap Cheat Sheet

• nmap -sn [range] – Ping scan (host discovery)
• nmap -sC -sV [ip] – Default scripts + service versions
• nmap -O [ip] – OS detection
• nmap -Pn [ip] – Skip ping check
• nmap -p- [ip] – All ports (1–65535)
• nmap --top-ports 100 [ip] – Most common 100 ports
• nmap -sV --script vuln [ip] – Known vulnerabilities
• nmap -oN output.txt – Save to file

⚠️ Ethics Reminder

Only scan networks you are authorized to analyze.

– Hyuga