student@hack3rs:~$ cat exposure-audit-lab-nmap-ndiff.md
Exposure Audit Lab with Nmap and Ndiff (Defensive Validation)
Practice safe defensive scanning and drift comparison using Nmap and Ndiff to validate what a lab system is exposing and what changed over time.
prerequisites
- Use only systems and networks you own or are explicitly authorized to test.
- Basic familiarity with networking and logs.
- Willingness to document evidence and assumptions.
1. Lab Goal and Ethics
Scan only systems you own or are explicitly authorized to scan. The goal here is a repeatable audit workflow — not probing random hosts or verifying whether some internet service is reachable.
Start with a clearly scoped target: one VM or one small lab subnet. Define the purpose before running anything: inventory validation, firewall rule check, or change comparison. Those three questions produce different scan designs.
Write down the exact command and timestamp so you can reproduce the same scan later and compare results. This habit also helps you explain expected scanner traffic to anyone reviewing network logs.
2. Baseline, Change, Compare
Run a baseline Nmap scan and save the output in XML format. Change one thing in the lab: start or stop a service, adjust a firewall rule, or change network reachability. Run the same scan again, save that output as a second XML file, and give both files to Ndiff to compare.
The key learning outcome is not the raw scan output. It is explaining what changed, why it changed, and whether the difference matches your intended configuration or represents drift you did not expect.
Pick one result from the diff and validate it manually with curl, nc, or a service log. That step teaches you to treat scan output as evidence to confirm rather than as a final answer.
3. Operational Habits to Build
Keep a simple scan log: date, operator, target, purpose, command, and findings. This scales into real environments and makes your work auditable when someone asks why a scan ran.
Choose the least intrusive scan that answers your question. A targeted SYN scan against a specific port range teaches more about scope discipline than a full -A scan when you are learning the basics.
Connect this lab to threat pages on exposed services so scanning is learned as a risk-reduction activity, not a standalone technical exercise.
exposure-audit-lab-checklist
- Write down the target, scope, and purpose before running any scan.
- Save baseline scan output in XML for Ndiff comparison.
- Make one controlled change to the lab environment before rescanning.
- Use Ndiff to identify and explain the delta.
- Manually validate one changed result and document your conclusion.
how-to-workflow
- Define the authorized target, purpose, and scope of the exposure audit.
- Run and save a baseline Nmap scan using a repeatable command.
- Make one controlled lab change (service or firewall behavior).
- Run the same scan again and compare with Ndiff.
- Validate one changed result manually (for example with curl or nc/ncat).
- Document the delta, explanation, and defensive next action.