A big part of penetration testing is recon and discovery. If you cannot properly identify the network you are testing, you may be missing possible avenues into the infrastructure. Nmap is a command line tool that takes the stress out of this process for you. There is also a GUI version called Zenmap that provides the same functionality.
Nmap is a network mapping tool that identifies open ports and allows you to paint a full picture of what is happening on any given network. This is where you will find most of the mistakes a system engineer leaves behind after quickly setting up a server. Below are some key items to keep an eye out for.
Non-external servers with port 80 or 443 open
You should plan on seeing some servers with these ports open. They are probably hosting a website, and if you simply navigate to the IP over that port, you can verify this very quickly. What you really need to look for is whether there are a lot of servers with these ports open. By default these ports should be closed and only opened on servers that actually host a website. If you are dealing with an inexperienced systems engineer, you might see the same configuration on every server IP detected by the Nmap scan.
Port 22 open on any server
If you discover port 22 open on any IP, this should be the first place you focus your efforts. You will want to try logging in with very generic admin credentials (look up some examples online for both Windows and Linux servers) to see whether those were left unchanged as well (e.g. username: admin, password: admin). It may be a long shot, but if the system admin left port 22 wide open, they were probably not too concerned with changing the admin account password either.
Unrecognized five-digit ports
If you see high-numbered ports you do not recognize (16882, for example), pay close attention to them and try to determine whether they could be valuable. The thinking behind opening such a port is often "it is not a well-known port, so no one will ever think to look for it". In some situations these five-digit ports provide the same capabilities as SSH. Any port you do not recognize up front should be researched online for its potential use cases, which can generate leads for the testing engagement.
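As an added example (not part of the original post), the script below reads an Nmap XML report and sorts hosts into the three review items above: web ports open, port 22 open, and unrecognized five-digit ports. It assumes the report was saved with `nmap -oX`; the sample report embedded in it is constructed for the example, not a real scan.

```python
# Added example: triage an Nmap XML report (`nmap -oX`) for the three items above.
# Assumption: the sample report below is constructed for this example, not a real scan.
import xml.etree.ElementTree as ET

WEB_PORTS = {80, 443}
SSH_PORT = 22
HIGH_PORT_FLOOR = 10000  # five-digit ports the post says deserve a closer look

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><address addr="10.0.0.5" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
  </ports></host>
  <host><address addr="10.0.0.6" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    <port protocol="tcp" portid="16882"><state state="open"/></port>
  </ports></host>
  <host><address addr="10.0.0.7" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="80"><state state="filtered"/><service name="http"/></port>
  </ports></host>
</nmaprun>"""


def open_ports(xml_text):
    """Return {ip: sorted open TCP ports}; filtered and closed ports are ignored."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        hosts[addr.get("addr")] = sorted(
            int(p.get("portid")) for p in host.iter("port")
            if p.get("protocol") == "tcp" and p.find("state").get("state") == "open")
    return hosts


def triage(xml_text):
    """Group hosts by the post's three review items: web ports, SSH, high ports."""
    hosts = open_ports(xml_text)
    return {
        "web": sorted(ip for ip, ps in hosts.items() if WEB_PORTS & set(ps)),
        "ssh": sorted(ip for ip, ps in hosts.items() if SSH_PORT in ps),
        "high": {ip: [p for p in ps if p >= HIGH_PORT_FLOOR]
                 for ip, ps in hosts.items() if max(ps, default=0) >= HIGH_PORT_FLOOR},
    }
```

Run `triage(SAMPLE_XML)` to get the three lists; on a real engagement, replace `SAMPLE_XML` with the contents of your own `-oX` output file.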
At the end of the day, Nmap needs to be in your testing procedure. It takes a huge amount of manual work off your plate and lets you focus on finding the loophole ports into a network.