🔒 SecurityClaw Demo D8 — March 5, 2026 | Campaign #11 | Category: network-recon
Six seconds. Six findings. All critical.
Before any attacker sends a single exploit payload, they run reconnaissance. nmap is the first tool they reach for — and in Demo D8, SecurityClaw's nmap skill ran against a controlled target containing six deliberately planted services. The output was unambiguous: anonymous FTP login, a backdoored service version, a web server associated with one of the most-exploited CVEs of the last five years, an exposed Tomcat Manager interface, an unauthenticated database, and an unauthenticated Redis instance.
The scan took 6.32 seconds. The findings represent the reconnaissance profile an attacker would have before writing a single exploit.
Here's the full terminal output, followed by an analysis of exactly what each finding reveals — and why it matters.
The Demo Setup
SecurityClaw's D8 demo used a controlled Python target server that simulates six real services on localhost, each configured to exhibit a specific real-world misconfiguration. The services were chosen to mirror findings commonly encountered in penetration tests against enterprise environments:
- vsftpd 2.3.4 — FTP server with anonymous login enabled
- OpenSSH 7.4 — SSH server running a 2016 release with known CVEs
- MySQL 5.7.39 — Database accessible from network with full capability exposure
- Redis 6.2.14 — Key-value store with no authentication
- Apache 2.4.49 — The exact version associated with CVE-2021-41773
- Apache Tomcat 9.0.31 — With Manager interface exposed
None of these configurations require exotic exploitation. They are all textbook penetration test findings — the kind that appear repeatedly in breach reports because they are genuinely common in real environments.
The Scan Command
```
nmap -sV -T4 -p 2121,2222,3306,6379,8081,8082 127.0.0.1 \
  --script=ftp-anon,ftp-syst,http-title,ssh-hostkey,mysql-info,redis-info
```
The flags breakdown:
- -sV — Service version detection. Without this, nmap only tells you a port is open. With it, nmap probes the service to identify the exact application and version.
- -T4 — Aggressive timing. Faster scan, acceptable false-negative risk on very slow networks. Appropriate for controlled environments.
- --script=... — Six NSE scripts. Each fires against the relevant service to extract additional context beyond the version banner.
The Output
```
Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-05 19:09 GMT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000015s latency).

PORT     STATE SERVICE VERSION
2121/tcp open  ftp     vsftpd 2.3.4
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: socket EOF
2222/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
3306/tcp open  mysql   MySQL 5.7.39-0ubuntu0.20.04.2
| mysql-info:
|   Protocol: 10
|   Version: 5.7.39-0ubuntu0.20.04.2
|   Thread ID: 8
|   Capabilities flags: 63487
|   Some Capabilities: Support41Auth, DontAllowDatabaseTableColumn, LongPassword,
|     IgnoreSigpipes, Speaks41ProtocolOld, FoundRows, LongColumnFlag,
|     SupportsTransactions, InteractiveClient, ConnectWithDatabase, ODBCClient,
|     Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal,
|     SupportsCompression, SupportsMultipleResults, SupportsAuthPlugins,
|     SupportsMultipleStatments
|   Status: Autocommit
|   Salt: R&/CKsNGg8^&6N*cMWD1
|_  Auth Plugin Name: mysql_native_password
6379/tcp open  redis   Redis key-value store 6.2.14
| redis-info:
|   Version: 6.2.14
|   Operating System: Linux 5.4.0-150-generic x86_64
|   Connected clients: 1
|   Connected slaves: 0
|   Used memory: 856.38K
|_  Role: master
8081/tcp open  http    Apache httpd 2.4.49 ((Ubuntu))
|_http-title: Company Intranet Portal
|_http-server-header: Apache/2.4.49 (Ubuntu)
8082/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-title: Apache Tomcat/9.0.31
|_http-server-header: Apache-Coyote/1.1
Service Info: OS: Unix

Nmap done: 1 IP address (1 host up) scanned in 6.32 seconds
```
6 services. 6 findings. 6.32 seconds. 0 false positives.
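As an added example (not part of the original demo or SecurityClaw's own code), here is the triage logic a defender would run over this normal-format output: it groups each open port with the NSE lines printed under it and maps the banner evidence to the findings analysed in this article. The sample scan text is a constructed, trimmed copy of the output above.

```python
import re

# Constructed sample: a trimmed copy of the D8 nmap normal-format output above.
SAMPLE_SCAN = """\
2121/tcp open  ftp     vsftpd 2.3.4
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
2222/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
3306/tcp open  mysql   MySQL 5.7.39-0ubuntu0.20.04.2
6379/tcp open  redis   Redis key-value store 6.2.14
| redis-info:
8081/tcp open  http    Apache httpd 2.4.49 ((Ubuntu))
8082/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-title: Apache Tomcat/9.0.31
"""
PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s+(\S+)\s*(.*)$")

def parse_nmap(text):  # group each open port with the NSE lines printed under it
    services = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            services.append({"port": int(m.group(1)), "service": m.group(2),
                             "version": m.group(3).strip(), "nse": []})
        elif line.startswith("|") and services:   # NSE output belongs to the last port
            services[-1]["nse"].append(line.lstrip("|_ ").rstrip())
    return services

# Triage rules: banner or NSE evidence -> the finding it indicates (per the D8 analysis).
RULES = [
    ("anonymous FTP login (FTP code 230)",
     lambda s: any("Anonymous FTP login allowed" in n for n in s["nse"])),
    ("vsftpd 2.3.4, the CVE-2011-2523 backdoored release",
     lambda s: s["version"].startswith("vsftpd 2.3.4")),
    ("OpenSSH 7.4 (2016 release; CVE-2018-15473 username enumeration)",
     lambda s: s["version"].startswith("OpenSSH 7.4")),
    ("MySQL 5.7 (end-of-life) reachable over the network",
     lambda s: s["version"].startswith("MySQL 5.7")),
    ("Redis answered INFO without authentication",   # redis-info block present
     lambda s: any(n.startswith("redis-info") for n in s["nse"])),
    ("Apache httpd 2.4.49 (CVE-2021-41773 path traversal)",
     lambda s: s["version"].startswith("Apache httpd 2.4.49")),
    ("Tomcat 9.0.31 banner exposed; verify Manager app access",
     lambda s: any("Apache Tomcat/9.0.31" in n for n in s["nse"])),
]

def triage(text):  # -> {port: [finding, ...]} for every open port matching a rule
    report = {}
    for svc in parse_nmap(text):
        hits = [name for name, match in RULES if match(svc)]
        if hits:
            report[svc["port"]] = hits
    return report
```

Running triage(SAMPLE_SCAN) flags all six ports, with port 2121 carrying both the backdoored-version and the anonymous-login findings.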
Finding Analysis: What Each Line Actually Means
Finding 1 — vsftpd 2.3.4 + Anonymous FTP Login
```
2121/tcp open  ftp     vsftpd 2.3.4
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
```
This single line contains two separate critical findings.
vsftpd 2.3.4 is not just an old version — it is specifically the version that contained CVE-2011-2523, a deliberately planted backdoor. If an attacker sends a username containing the string :) (a smiley face), the server opens a root shell on TCP port 6200. This vulnerability has had a public Metasploit module since 2011 and is one of the first exploits taught in offensive security courses for precisely this reason: it's the simplest possible confirmation that version numbers matter.
Anonymous FTP login is the second problem. FTP code 230 means "Login successful" — without any credentials. An unauthenticated attacker can log in to the FTP server, browse the file tree, and download files. In many real environments, FTP directories contain database backups, configuration files, or deployment artefacts that were never meant to be accessible.
Both problems are detected with a single port scan. Both are trivially exploitable. Neither requires any privilege escalation.
Finding 2 — OpenSSH 7.4 (2016 Release)
```
2222/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
```
OpenSSH 7.4 was released in November 2016. At the time of this scan, that's roughly 10 years of OpenSSH CVEs that have accumulated since that release.
The immediately relevant CVE for this version is CVE-2018-15473 — a username enumeration vulnerability. Before attempting to authenticate, an attacker can enumerate valid usernames on the system. That transforms a brute-force attack from "try every username in a wordlist" to "I know which usernames exist, now I only need to brute-force passwords for those accounts."
More broadly, the version banner tells an attacker that this server has not been updated in close to a decade. If SSH hasn't been patched, it's unlikely that other components of this system have been either. A single version banner becomes a signal about the entire security posture of the host.
Finding 3 — MySQL 5.7.39, Accessible From Network
```
3306/tcp open  mysql   MySQL 5.7.39-0ubuntu0.20.04.2
| mysql-info:
|   Protocol: 10
|   Version: 5.7.39-0ubuntu0.20.04.2
|   Capabilities flags: 63487
|_  Auth Plugin Name: mysql_native_password
```
Two problems here. First: MySQL 5.7 reached end-of-life in October 2023. Running EOL software means security vulnerabilities discovered after that date will never receive patches.
Second — and more immediately damaging — is the fact that MySQL is listening on port 3306 and is accessible from the network at all. Production databases should only be accessible from localhost or a private internal network, never from an external network interface. An externally-accessible MySQL port means anyone who reaches the network can attempt to authenticate.
The mysql-info NSE script goes further: it extracts the capability flags (63487 — which enumerate exactly which MySQL features are supported), the auth plugin name (mysql_native_password, which uses weaker password hashing than caching_sha2_password), and the password challenge salt. The salt isn't directly exploitable, but it does confirm which auth mechanism is in use and reduces the search space for offline hash attacks.
Finding 4 — Redis 6.2.14, No Authentication, Role: Master
```
6379/tcp open  redis   Redis key-value store 6.2.14
| redis-info:
|   Version: 6.2.14
|   Role: master
|   Connected clients: 1
|_  Used memory: 856.38K
```
This is the most dangerous finding in the scan.
Redis with no requirepass configuration accepts connections from any source and executes all commands without authentication. An attacker who reaches port 6379 can:
- Run KEYS * to list every key in the store
- Run GET <key> to read any value — session tokens, cached user data, queued jobs
- Run FLUSHALL to destroy all data instantly (denial of service)
- Use SLAVEOF <attacker-ip> 6379 to replicate the entire dataset to an attacker-controlled server
- Use the CONFIG SET dir + SAVE technique to write files to arbitrary filesystem paths (classic Redis-based persistence and privilege escalation)
The role: master is significant. A Redis master with slaves means there may be replica servers also receiving all writes. An attacker who compromises the master may have instantaneous read access to data being replicated across the entire cluster.
Redis is used as a session store in many web applications. Unauthenticated access to a session store is account takeover for every active user simultaneously.
Finding 5 — Apache 2.4.49, CVE-2021-41773
```
8081/tcp open  http    Apache httpd 2.4.49 ((Ubuntu))
|_http-title: Company Intranet Portal
|_http-server-header: Apache/2.4.49 (Ubuntu)
```
Apache 2.4.49 is the version directly associated with CVE-2021-41773 — a path traversal vulnerability that was publicly disclosed on October 5, 2021 with a working exploit. Within 24 hours, mass scanning campaigns were targeting this CVE across the internet. Within 48 hours, a public Metasploit module existed. Within 72 hours, it appeared in the CISA Known Exploited Vulnerabilities catalogue.
The exploit allows an unauthenticated attacker to read arbitrary files on the server (path traversal) and, if mod_cgi is enabled, achieve remote code execution. The patch for this version (2.4.51) was released the same week.
Apache 2.4.49 was available for approximately four days before it was known to be critically vulnerable. Any server still running this version in 2026 has been vulnerable for over four years.
The page title Company Intranet Portal is also informative from an attacker's perspective — it suggests this server has access to internal company resources, elevating the value of exploitation.
Finding 6 — Apache Tomcat 9.0.31, Manager Exposed
```
8082/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-title: Apache Tomcat/9.0.31
|_http-server-header: Apache-Coyote/1.1
```
Apache Tomcat's Manager application (/manager/html) allows authenticated users to deploy WAR (Web Application Archive) files — effectively uploading and executing arbitrary Java code on the server.
The classic penetration test scenario: the Tomcat Manager is reachable, default credentials (tomcat:tomcat or admin:admin) haven't been changed, and the attacker uploads a reverse shell WAR file. Full server compromise in under two minutes. This technique was demonstrated in countless CTF challenges and real breach reports precisely because it works against production servers that were deployed and never hardened.
The version (9.0.31) was released in February 2020. Tomcat 9.0.31 has known CVEs including deserialization vulnerabilities in session persistence mechanisms.
The Honest Gap: ssh-hostkey
The ssh-hostkey NSE script returned no key in this demo. The controlled target server simulates service banners but does not complete a full SSH cryptographic handshake — which is required for ssh-hostkey to extract the server's public key.
In a real scan against a live SSH server, ssh-hostkey would return the server's RSA, ECDSA, and ED25519 public keys. These are useful for host fingerprinting: if you scan the same server twice and the host key has changed, the server may have been replaced, rebuilt, or compromised (a key indicator in incident response).
This gap is a demo environment limitation, not a nmap limitation. In production use, ssh-hostkey works against any genuine SSH server.
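An added example, not from the article or from SecurityClaw, of the host-fingerprinting check described above: it parses the ssh-hostkey NSE block from two scans of the same host and reports which key types changed between them. The key fingerprints are constructed placeholders, not keys from any real server.

```python
import re

# Constructed samples of nmap ssh-hostkey output for one host on two dates.
# The fingerprints are made-up placeholders, not keys from any real server.
BASELINE = """\
| ssh-hostkey:
|   2048 11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00 (RSA)
|   256 aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99 (ECDSA)
|_  256 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff (ED25519)
"""
RESCAN = """\
| ssh-hostkey:
|   2048 11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00 (RSA)
|   256 ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00 (ECDSA)
|_  256 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff (ED25519)
"""
# One key line: "|   <bits> <fingerprint> (<TYPE>)", the last one prefixed "|_".
KEY_RE = re.compile(r"^\|_?\s+(\d+)\s+(\S+)\s+\((\w+)\)$")

def parse_hostkeys(text):
    """Return {key_type: (bits, fingerprint)} from an ssh-hostkey NSE block."""
    keys = {}
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            keys[m.group(3)] = (int(m.group(1)), m.group(2))
    return keys

def compare_hostkeys(baseline, rescan):
    """Classify each key type as unchanged, changed, added or missing."""
    old, new = parse_hostkeys(baseline), parse_hostkeys(rescan)
    result = {}
    for ktype in old.keys() | new.keys():
        if ktype not in new:
            result[ktype] = "missing"
        elif ktype not in old:
            result[ktype] = "added"
        elif old[ktype][1] != new[ktype][1]:
            result[ktype] = "changed"   # rebuilt, replaced or possibly compromised host
        else:
            result[ktype] = "unchanged"
    return result
```

A "changed" or "missing" result for a host that was not rebuilt on purpose is the incident-response signal the section describes.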
The Bigger Picture: Enterprise Network Infrastructure Is Now the #1 Zero-Day Target
The findings above represent a controlled demo environment — software versions deliberately chosen to illustrate common vulnerabilities. But the 2025 Threat Intelligence Group annual report from Google provides sobering context: 43 of 90 zero-days actively exploited in 2025 targeted enterprise products, specifically security appliances, networking infrastructure, VPNs, and virtualisation platforms.
This statistic marks a significant shift. For most of the 2010s, the most-exploited zero-days targeted browsers and consumer endpoints (Windows, Adobe Flash, Internet Explorer). The 2020s are seeing enterprise network infrastructure — firewalls, VPN concentrators, load balancers — becoming the primary zero-day target class.
The reason is straightforward: enterprise network devices are rarely protected by EDR, run embedded firmware that lags behind patch cycles by months or years, and sit at the perimeter where every connection passes through them. A zero-day in a perimeter firewall is more valuable than a zero-day in a single endpoint because it provides access to everything behind it.
nmap is the tool that tells you what's on your network before your attacker does. If you don't have an inventory of every open port and service version across your infrastructure, someone else is building that inventory for you.
How nmap Fits Into the SecurityClaw Workflow
nmap is the reconnaissance layer — the map. Every subsequent SecurityClaw skill targets specific findings from the nmap output:
- nmap finds Apache 2.4.49 on port 8081 → nuclei checks for CVE-2021-41773 against that specific endpoint
- nmap finds Tomcat 9.0.31 on port 8082 → Nikto runs a full web misconfiguration scan against the Tomcat interface
- nmap finds MySQL on port 3306 → sqlmap can target web applications that connect to this database
- nmap finds Redis on port 6379 → SecurityClaw flags for manual verification (unauthenticated Redis is a direct finding, not a web vulnerability)
This is the SecurityClaw philosophy: don't run every tool against every endpoint. Let nmap build the map first, then target tools precisely. Speed and accuracy over brute-force coverage.
SecurityClaw D8 Scorecard
| Metric | Value |
|---|---|
| Campaign | D8 (campaign_id=11) |
| Result | PASS ✅ |
| Services planted | 6 |
| Services detected | 6 / 6 (100%) |
| NSE scripts fired | 5 / 6 (ssh-hostkey gap documented) |
| Scan time | 6.32 seconds |
| Category opened | network-recon (first campaign) |
| Scorecard campaigns (post-D8) | 11 total |
| Overall pass rate (post-D8) | 81.82% |
Security Resources
If you're building nmap proficiency or developing a deeper understanding of the network reconnaissance techniques behind real-world attacks:
- Penetration Testing: A Hands-On Introduction to Hacking — covers nmap, service enumeration, and the full recon-to-exploitation pipeline in a practical, lab-focused format
- The Web Application Hacker's Handbook — once nmap has mapped the attack surface, this book covers how to exploit the web applications running on those services
- Metasploit: The Penetration Tester's Guide — covers how to move from nmap findings (version detection) to Metasploit exploitation, including the vsftpd 2.3.4 backdoor module demonstrated in this article