Understanding how devices communicate on a network is a cornerstone of Information Technology. At the heart of this communication are ports and protocols – the essential rules and channels that govern data flow across systems. Whether you're troubleshooting a network issue, performing a security assessment, or mapping out assets, knowing how to identify open ports, active services, and connected endpoints is critical.
This lab is designed to introduce and reinforce core concepts of ports, protocols, and network discovery through hands-on use of popular network scanning tools – including Advanced IP Scanner, Nmap, and its graphical counterpart Zenmap. By the end, you’ll not only have a strong theoretical grasp but also practical experience scanning a live network, interpreting results, and identifying potential security and infrastructure insights.
Note: Only run scanning tools on networks where you have explicit permission from the owner or administrator.
It all starts with the TCP/IP (Transmission Control Protocol/Internet Protocol) suite. The TCP/IP suite is the fundamental communication framework that allows devices to connect and communicate across the Internet and most modern networks. It is a suite of protocols that work together to transmit data between computers.
TCP/IP relies on two fundamental transport layer protocols to facilitate computer network communications over local and remote networks: TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).
While TCP focuses on reliable, ordered communication, UDP is designed for speed and simplicity. It’s used when applications care more about performance than guaranteed delivery, for example video streaming or voice/video communications.
Feature | TCP | UDP |
---|---|---|
Type | Connection-oriented | Connectionless |
Delivery | Reliable, ordered, checked | Unreliable, unordered |
Speed | Slower | Faster |
Use Case | Web, email, file transfer | Streaming, gaming, VoIP |
Port numbers exist at the Transport Layer of TCP/IP. They act as logical endpoints, identifying specific services or applications running on a device.
Analogy: If an IP address is a building's address, the port number is the apartment number.
Port | Protocol | Service | Description |
---|---|---|---|
20/21 | TCP | FTP | File Transfer Protocol |
22 | TCP | SSH | Secure remote access |
23 | TCP | Telnet | Remote shell (unencrypted) |
25 | TCP | SMTP | Email sending |
53 | UDP/TCP | DNS | Domain name resolution |
80 | TCP | HTTP | Insecure web browsing |
443 | TCP | HTTPS | Secure web browsing |
3389 | TCP | RDP | Remote Desktop Protocol |
445 | TCP | SMB | File sharing on Windows networks |
These five core protocols/services play a foundational role in making our everyday digital experiences possible.
DNS acts as the internet's phonebook, translating human-friendly domain names (like google.com) into IP addresses (like 142.250.190.78) that computers use to identify each other on a network. Without DNS, you’d have to remember the exact IP address of every website or service you want to access. Every time you type a URL or click a link, DNS silently resolves it for you. It’s the first step in nearly every online interaction.
DHCP automatically assigns IP addresses and network configuration details (like subnet masks, default gateways, and DNS servers) to devices on a network. Thanks to DHCP, your device connects to Wi-Fi and just works – no manual IP settings required. It allows for quick, scalable, and conflict-free connectivity across home, office, and public networks.
SMTP is the protocol used to send outgoing emails from a client (like Outlook or Gmail) to a mail server, or between mail servers themselves. Every time you hit “send”, SMTP handles the delivery process behind the scenes – routing your message across servers until it reaches its destination inbox. Without SMTP, modern email communication wouldn’t be possible.
IMAP is a protocol that allows your email client to retrieve and sync messages from a mail server, while keeping them stored on the server itself. IMAP is what makes email synchronizing possible across multiple devices. When you read, delete, or organize email on your phone, those changes show up instantly on your laptop too – because IMAP keeps everything in sync on the server.
HTTP is the protocol that governs how web browsers and servers communicate, transferring web pages, images, scripts, and more. HTTPS is the secure, encrypted version of HTTP. It’s what loads every web page you visit. HTTPS ensures your data – such as login credentials, credit card info, and personal details – is encrypted and protected from prying eyes. In today’s internet, HTTPS isn’t just important – it’s essential.
These five protocols work together to enable everything from browsing the web and sending emails to connecting to networks and keeping your inbox in sync. They represent the invisible architecture of digital life. Without them:
They’re the unsung heroes of the internet – working behind the scenes every second of every day.
Each enables remote control of systems and should be secured with encryption, firewalls, and VPNs.
RDP is a proprietary protocol developed by Microsoft that allows users to remotely access and control a Windows computer’s graphical interface over a network connection. It transmits the full desktop environment including audio and clipboard sharing, enabling seamless remote interaction as if sitting directly at the machine. RDP typically operates over TCP port 3389 and is widely used in enterprise environments for IT support, remote administration, and virtual desktop infrastructure (VDI).
SSH is a cryptographic network protocol used to securely access and manage systems – primarily Unix- or Linux-based – through a command-line interface. Unlike RDP, SSH doesn’t transmit a graphical interface by default, but focuses on encrypted remote shell access, file transfers, and port forwarding. SSH operates over TCP port 22 and is commonly used by system administrators and developers for secure server management.
VNC is a cross-platform remote access protocol that allows a user to remotely control another system’s graphical interface by transmitting screen updates and keyboard/mouse input over the network. Unlike RDP, VNC is platform-independent and uses Remote Framebuffer (RFB) protocol. It typically runs on TCP port 5900 and is often used for remote support, desktop sharing, and lightweight access to non-Windows systems.
All three protocols – RDP, SSH, and VNC – enable remote access to systems across a network, allowing administrators or users to manage machines without being physically present.
They serve the common purpose of remote control and system interaction, though they differ in how they deliver that experience. RDP and VNC both provide graphical desktop access, while SSH provides secure command-line control.
Each uses its own communication port and encryption method, but all three can be secured through firewalls, VPNs, or tunneling to limit exposure and ensure safe remote connectivity.
To scan for devices on a network using Advanced IP Scanner, enter the default gateway followed by the subnet CIDR (in this case, /24). Then, click "Scan" in the top-left corner to begin scanning for online devices connected to the specific network.
For each device it detects, Advanced IP Scanner will display the hostname, IP address, manufacturer, and MAC address.
Nmap (Network Mapper) is a powerful, open-source network scanning tool used to discover hosts, services, and vulnerabilities on a network. It works by sending specially crafted packets to target systems and analyzing their responses.
Nmap is widely used by:
Whether you're scanning a single device or mapping an entire network, Nmap provides deep insight into what's running, where it's running, and how it's communicating - making it one of the most versatile tools in the industry.
-sS: TCP SYN scan
-sU: UDP scan
-A: Aggressive (OS, services, scripts)
--script vuln: Run vulnerability detection scripts
sudo nmap -sn 10.38.1.115
Purpose: Perform a ping scan (aka "host discovery").
What it does:
Ideal for quickly identifying live devices on a network.
sudo nmap -sS 10.38.1.115
Purpose: Run a TCP SYN scan (stealth scan).
What it does:
This is Nmap's default scan type and is useful for staying low-profile during recon.
sudo nmap -sU 10.38.1.115
Purpose: Perform a UDP port scan.
What it does:
Use this to identify services running over UDP, which are often overlooked but critical.
sudo nmap -A 10.38.1.115
Purpose: Perform an aggressive scan on the target.
What it does:
Great for gathering detailed recon on a single target in one go.
sudo nmap --script vuln 10.38.1.115
Purpose: Run the vulnerability scanning script category.
What it does:
Useful for vulnerability enumeration, but can be noisy and intrusive on live systems.
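One way to interpret saved scan results, added here as an example and not part of the original lab: the script parses Nmap's grepable output (the `-oG` option, which the lab's commands do not use) and lists open ports that the lab's tables describe as unencrypted or remote-access services. The sample scan data, the 10.38.1.1 host and the review list are constructed assumptions.

```python
# Services the lab's tables describe as unencrypted or as remote-control channels.
# Treating them as "needs review" is this example's assumption, not a rule from the lab.
REVIEW = {
    21: "FTP file transfer",
    23: "Telnet remote shell (unencrypted)",
    80: "HTTP (insecure web browsing)",
    445: "SMB file sharing",
    3389: "RDP remote desktop",
    5900: "VNC remote desktop",
}

# Constructed sample in Nmap's grepable format (nmap -oG <file>); fields are tab-separated.
SAMPLE = (
    "# Nmap scan, constructed sample\n"
    "Host: 10.38.1.115 ()\tStatus: Up\n"
    "Host: 10.38.1.115 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, "
    "80/open/tcp//http///, 443/closed/tcp//https///, 3389/open/tcp//ms-wbt-server///"
    "\tIgnored State: filtered (995)\n"
    "Host: 10.38.1.1 ()\tPorts: 53/open/tcp//domain///, 53/open|filtered/udp//domain///\n"
)

def parse_gnmap(text):
    """Return {host: [(port, proto, state, service), ...]} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        fields = line.split("\t")
        if not fields[0].startswith("Host: "):
            continue                      # comment or blank line
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue                  # Status:, Ignored State:, ...
            for entry in field[len("Ports: "):].split(", "):
                # Entry layout: port/state/protocol/owner/service/rpcinfo/version/
                port, state, proto, _owner, service = entry.split("/")[:5]
                hosts.setdefault(host, []).append((int(port), proto, state, service))
    return hosts

def review_list(hosts):
    """Open TCP ports that match REVIEW, as (host, port, reason)."""
    return [(h, p, REVIEW[p]) for h in sorted(hosts)
            for p, proto, state, _ in hosts[h]
            if proto == "tcp" and state == "open" and p in REVIEW]

def unconfirmed(hosts):
    """Ports Nmap could not classify, e.g. UDP 'open|filtered' (no reply received)."""
    return [(h, p, proto) for h in sorted(hosts)
            for p, proto, state, _ in hosts[h] if "|" in state]

if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE)
    for host, port, reason in review_list(scan):
        print(f"{host}:{port}/tcp open -> review: {reason}")
    for host, port, proto in unconfirmed(scan):
        print(f"{host}:{port}/{proto} state unconfirmed, rescan or check the host")
```

Closed ports such as 443 in the sample are ignored, and the UDP `open|filtered` state is reported separately because a silent UDP port cannot be told apart from a filtered one.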
This lab revealed the interconnected layers of modern networking, beginning with the TCP/IP model and its role in routing and delivering data. We explored how port numbers distinguish services on a host, how protocols like TCP and UDP define transmission behavior, and how core services like DNS, DHCP, SMTP, and HTTP/HTTPS make the internet function.
Then, we transitioned from theory to practice with hands-on exploration using Advanced IP Scanner, Nmap, and Zenmap — seeing how these tools help uncover endpoints, services, and potential vulnerabilities across a network.
Understanding what devices are on your network, what ports are open, and what services are running is essential knowledge for anyone in IT, cybersecurity, or network management.
With this lab, you’ve built a strong foundation to support further learning in network security, system administration, and vulnerability assessment.