Explore Pentesting the Easy Way: Using Nmap and Docker

In Part 1, we learned how to scan a server and interpret basic Nmap output. Now it’s time to simulate a real pentest — from detecting services to running actual vulnerability scans — all in a safe, legal, and local environment using Docker.

No signup. No cost. Just you, your terminal, and some powerful open-source tools.

What We'll Do

We'll spin up a deliberately insecure web application (DVWA) using Docker and use Nmap to:

• Find which ports are open on a computer or server
• See what programs (services) are running and which versions they are
• Look for known security issues (vulnerabilities)
• Understand and make sense of the scan results like a real ethical hacker

Step 1: Set Up the Vulnerable App (DVWA)

We’re using DVWA (Damn Vulnerable Web Application), a popular training ground for beginner pentesters.

Requirements:

• Docker installed on your machine
• Nmap installed

Start DVWA with Docker:

docker run -d -p 8888:80 vulnerables/web-dvwa

This command will:

• Download the DVWA image (if not already present)
• Run it inside a container
• Expose the web app on your local machine at http://localhost:8888

When opening http://localhost:8888 you will see something like this

Step 2: Identify the Service and Version

Let’s start with a basic scan to see what’s running:

nmap -sV -p 8888 127.0.0.1

This command tells Nmap to:

• -sV: Detect service versions
• -p 8888: Focus only on port 8888 (where our app runs)

Sample Output:

PORT     STATE SERVICE VERSION
8888/tcp open  http    Apache httpd 2.4.25 ((Debian))

From the above output we can understand:

• What is running: a web server
• Which server: Apache
• Which version: 2.4.25 (Debian build)

📌 Now that we know the server and version, we can check for known vulnerabilities:

Just Google:

apache 2.4.25 vulnerability site:cvedetails.com

Or go to cvedetails.com and search for Apache 2.4.25. You'll find a list of known CVEs (Common Vulnerabilities and Exposures), which tell you what issues exist in that version and how critical they are.

For example:

• CVE-2017-3169 — Path traversal vulnerability
• CVE-2017-3167 — Weak authentication validation

Step 3: Run Vulnerability and Recon Scripts

Now let’s dig deeper. We’ll use Nmap’s built-in http-* scripts to uncover:

• Hidden directories
• HTTP methods allowed
• Security headers
• Web page titles

nmap -sV -p 8888 --script "http-enum,http-methods,http-headers,http-title" 127.0.0.1

What This Does:

• http-enum: Finds common hidden folders (/admin, /config, etc.)
• http-methods: Shows which actions are allowed (e.g., GET, POST)
• http-headers: Reveals cookies, cache settings, etc.
• http-title: Fetches the page title to get app info

Interpreting the Output (Sample)

The below is the output of the nmap command

8888/tcp open  http    Apache httpd 2.4.25 ((Debian))
| http-enum:
|   /login.php: Possible admin folder
|   /robots.txt: Robots file
|   /.gitignore: Dev file exposed
|   /config/: Directory listing enabled!
|   /docs/: Another browsable folder
|_  /external/: Same here
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-headers:
|   Set-Cookie: security=low
|   Content-Type: text/html;charset=utf-8
|_  (Request type: HEAD)
| http-title: Login :: Damn Vulnerable Web Application (DVWA) v1.10

What This Means:

This gives us a map of attack surfaces — perfect for the next steps in a pentest (e.g., directory traversal, brute-forcing, exploiting).

What You've Learnt so far

With just a few Nmap commands, you’ve:

• Scanned a live (but safe) web app
• Identified real-world services and versions
• Found directories, cookies, and methods

If you're a software developer who enjoys exploring different technologies and techniques like this one, check out LiveAPI. It’s a super-convenient tool that lets you generate interactive API docs instantly.

So, if you’re working with a codebase that lacks documentation, just use LiveAPI to generate it and save time!

You can instantly try it out here! 🚀