A big part of penetration testing is recon and discovery. If you cannot properly identify the network you are testing, you may be missing possible avenues into the infrastructure. Nmap is a command line solution that takes the stress out of this for you. There is also a GUI interface version called Zenmap that provides the same functionality.
Nmap is a network mapping tool that identifies open ports and lets you paint a full picture of what is happening on any given network. This is where you will mostly find the mistakes a systems engineer leaves behind after quickly setting up a server. Below are some key items to keep an eye out for.
Non-external servers listening on port 80 or 443
You should expect to see some servers with these ports open, as they are probably hosting a website, and if you simply navigate to the IP over that port you can verify this very quickly. What you really need to look for is whether a lot of servers have these ports open. By default they should be locked down and only opened if the server is hosting a website. If you are dealing with an inexperienced systems engineer, you might see the same configuration on all of the server IPs detected by the Nmap scan.
Port 22 open on any server
If you discovered port 22 open on any IP, this should be the first place you focus your efforts. You are going to want to try logging in with very generic admin login credentials (look up some examples online for both Windows and Linux servers) to see if they left those unchanged as well (e.g. username: admin, password: admin). It could be a long shot, but if the system admin left port 22 wide open, then I'm sure they weren't too concerned with changing the admin account password.
Undefined five-digit ports
If you see some unusual, undefined ports (16882, for example), definitely pay attention to these to determine whether they could be anything valuable. The mindset behind opening such a port could have been "it is not a well-known port, so no one will ever think to look for it". Many of these five-digit ports allow the same abilities as SSH in some situations. Any port that you do not recognize up front should be investigated online for potential use cases, which could generate leads for the testing engagement.
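The three checks above are easy to apply by hand on a handful of hosts but tedious on a /24, so here is a small triage script that does it over Nmap's grepable (-oG) output. This is an added example, not code from the original post or from the Nmap project: the sample scan output is constructed for a fictional lab range, the 50% "a lot of servers" threshold is an assumption, and "unrecognised" is taken to mean a port of 10000 or above for which Nmap reported no service name.

```python
"""Triage Nmap grepable (-oG) output for the three patterns described in the post:
web ports open on many hosts, SSH exposed anywhere, and unrecognised five-digit ports.
Added example; not part of the original post or of Nmap itself."""
import re

# Constructed sample of Nmap -oG output for a fictional lab range.
# Addresses, hostnames and the Nmap banner lines are made up for this example;
# the field layout (tab-separated fields, "port/state/proto/owner/service/rpc/version")
# follows the real grepable format.
SAMPLE_GNMAP = """# Nmap 7.94 scan initiated (constructed sample)
Host: 10.10.0.11 (web01.lab)\tStatus: Up
Host: 10.10.0.11 (web01.lab)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 10.10.0.12 (db01.lab)\tStatus: Up
Host: 10.10.0.12 (db01.lab)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 10.10.0.13 (app01.lab)\tStatus: Up
Host: 10.10.0.13 (app01.lab)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 16882/open/tcp//unknown///\tIgnored State: closed (997)
Host: 10.10.0.14 (fs01.lab)\tStatus: Up
Host: 10.10.0.14 (fs01.lab)\tPorts: 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)")
WEB_PORTS = {80, 443}
SSH_PORT = 22
HIGH_PORT_FLOOR = 10000  # assumption: "five-digit" ports start here


def parse_gnmap(text):
    """Return {ip: [(port, proto, service), ...]} containing only ports Nmap reported open.

    Every host line is recorded, even one with nothing open, so the denominator
    for the "share of hosts with web ports" check is the full set of hosts seen.
    """
    hosts = {}
    for line in text.splitlines():
        match = HOST_RE.match(line)
        if not match:
            continue  # comment/banner lines
        ip = match.group(1)
        hosts.setdefault(ip, [])
        # Fields are tab-separated "Name: value" pairs (Host, Status, Ports, Ignored State).
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        for entry in fields.get("Ports", "").split(", "):
            if not entry:
                continue
            port, state, proto, _owner, service, *_rest = entry.split("/")
            if state == "open":  # ignore filtered/closed entries
                hosts[ip].append((int(port), proto, service))
    return hosts


def triage(hosts, web_share_threshold=0.5):
    """Apply the post's three checks and return the findings as a dict."""
    def ports_of(ip):
        return {port for port, _proto, _svc in hosts[ip]}

    ssh_hosts = sorted(ip for ip in hosts if SSH_PORT in ports_of(ip))
    web_hosts = sorted(ip for ip in hosts if ports_of(ip) & WEB_PORTS)
    web_share = len(web_hosts) / len(hosts) if hosts else 0.0
    # High ports for which Nmap had no service name (or literally "unknown").
    unknown_high = sorted(
        (ip, port)
        for ip, plist in hosts.items()
        for port, _proto, svc in plist
        if port >= HIGH_PORT_FLOOR and svc in ("", "unknown")
    )
    return {
        "ssh_exposed": ssh_hosts,
        "web_ports_widespread": web_hosts if web_share > web_share_threshold else [],
        "web_share": round(web_share, 2),
        "unrecognised_high_ports": unknown_high,
    }


if __name__ == "__main__":
    report = triage(parse_gnmap(SAMPLE_GNMAP))
    for check, result in report.items():
        print(f"{check}: {result}")
```

Run it against a real scan with `nmap -oG scan.gnmap <targets>` and feed `open("scan.gnmap").read()` to `parse_gnmap`; on the constructed sample it flags the one SSH host, reports three of four hosts (75%) serving 80/443, and singles out 16882 on app01 while correctly ignoring the filtered 3389 entry.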
At the end of the day, Nmap needs to be in your testing procedure, as it takes a huge amount of manual work off your plate and allows you to focus on finding loophole ports into a network.