Nmap Network Scanning & Reconnaissance Lab: Complete Ethical Hacking Guide

CyberlyTech | Cybersecurity Labs

CYBERSECURITY LAB #2

Difficulty: Beginner to Intermediate | Estimated Time: 2–3 Hours
Tools Used: Nmap, Kali Linux, Metasploitable 2, Wireshark
Category: Network Security | Penetration Testing | Reconnaissance

Introduction

Reconnaissance is the first and most critical phase of any penetration test. Before exploiting vulnerabilities, ethical hackers must understand the target network’s topology, identify live hosts, discover open ports, enumerate running services, and detect operating systems. Nmap (Network Mapper) is the industry-standard tool for this phase.

This CyberlyTech lab provides a comprehensive, hands-on deep dive into Nmap, from basic host discovery to advanced NSE scripting for vulnerability detection. Whether you’re preparing for CEH, CompTIA Security+, OSCP, or your first bug bounty engagement, mastering Nmap is non-negotiable.

Lab Objectives

  • Understand the complete network reconnaissance methodology
  • Master Nmap scan types: SYN, TCP Connect, UDP, Stealth scans
  • Perform OS fingerprinting and service version detection
  • Use Nmap Scripting Engine (NSE) for vulnerability detection
  • Interpret and document Nmap results professionally
  • Understand IDS evasion techniques

Lab Environment Setup

Requirements

  • Kali Linux (attacker machine)
  • Metasploitable 2 (intentionally vulnerable target VM)
  • VirtualBox or VMware with Host-Only or NAT Network
  • Wireshark (for packet analysis)

Network Configuration

Set both VMs on the same Host-Only network adapter. Verify connectivity:

ifconfig   # Check Kali IP (e.g., 192.168.56.101); use 'ip -4 addr' if ifconfig is not installed

ping -c 4 192.168.56.102   # Ping Metasploitable 2 (four probes, then stop)

Nmap Lab Module 1: Host Discovery

Ping Sweep: Finding Live Hosts

nmap -sn 192.168.56.0/24

The -sn flag disables port scanning and performs host discovery only, using ICMP echo requests and TCP SYN/ACK probes; on a local Ethernet segment Nmap uses ARP requests instead, which a host firewall cannot block. This is your first step in mapping any network.

ARP Scan (More Reliable on Local Networks)

nmap -PR -sn 192.168.56.0/24

Nmap Lab Module 2: Port Scanning Techniques

SYN Scan (Stealth Scan): Default and Most Common

nmap -sS 192.168.56.102

SYN scan sends a SYN packet and waits for a SYN-ACK (open) or RST (closed); no reply or an ICMP unreachable error is reported as filtered. It never completes the TCP handshake (Nmap answers the SYN-ACK with a RST), which makes it faster and keeps it out of application logs, since the service never sees a finished connection; firewalls and IDS still see the half-open probes. Crafting raw packets requires root privileges, which is why -sS is the default only when running as root.

TCP Connect Scan

nmap -sT 192.168.56.102

UDP Scan

nmap -sU --top-ports 100 192.168.56.102

Aggressive Full Scan

nmap -A -p- 192.168.56.102

The -A flag enables OS detection (-O), service version detection (-sV), script scanning (-sC), and traceroute. The -p- flag scans all 65,535 ports.

Nmap Lab Module 3: Service & OS Detection

Version Detection

nmap -sV --version-intensity 9 192.168.56.102

This probes open ports to determine the service name, version, and protocol. Higher intensity (0-9, default 7) means more probes and higher accuracy, at the cost of more noise on the wire.

OS Fingerprinting

nmap -O 192.168.56.102

Nmap analyzes TCP/IP stack behavior to guess the target OS. Common output example: Linux 2.6.X (Metasploitable 2). Accuracy depends on network conditions and the number of open/closed ports available.

Nmap Lab Module 4: Nmap Scripting Engine (NSE)

Running Default Scripts

nmap -sC 192.168.56.102

Vulnerability Detection Scripts

nmap --script vuln 192.168.56.102

nmap --script smb-vuln-ms17-010 192.168.56.102

nmap --script http-sql-injection 192.168.56.102

The vuln category runs every script in that category and is noisy. smb-vuln-ms17-010 checks for a Windows SMBv1 flaw, so against the Samba service on Metasploitable 2 it is expected to report nothing; it is shown here to illustrate selecting a single script by name.

FTP Anonymous Login Check

nmap --script ftp-anon -p 21 192.168.56.102

Nmap Lab Module 5: IDS Evasion Techniques

Fragmented Packets

nmap -f 192.168.56.102

Decoy Scanning

nmap -D RND:10 192.168.56.102

Randomize Host Order

nmap --randomize-hosts 192.168.56.0/24

NOTE: These techniques are for educational purposes only. Only use evasion on systems you have explicit authorization to test.
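The SYN scan in Module 2 never completes the handshake, and the decoys in this module only disguise where the probes come from; the detector below shows what both look like from the defender's side. It is an added example, not part of the original lab: the log lines are constructed (loosely modelled on a sensor's connection log), and the field layout, state names and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample log (not from the lab), one record per line:
#   "<ts> <src> <dst> <dport> <state>"
# state: SYN_ONLY    = SYN got a SYN-ACK but was never ACKed (half-open, as -sS leaves it)
#        REJ         = SYN answered with RST (closed port)
#        ESTABLISHED = full three-way handshake (what -sT or a real client produces)
SCANNER = "192.168.56.101"
DECOYS = ["10.0.0.5", "10.0.0.9"]          # addresses -D would spoof alongside the real source
PROBED = [21, 22, 23, 25, 53, 80, 111, 139, 445, 3306, 5432, 8180]

def build_sample_log():
    lines, t0 = [], 1700000000.0
    for i, port in enumerate(PROBED):
        state = "SYN_ONLY" if port in (21, 22, 80, 139, 445, 3306) else "REJ"
        for src in [SCANNER] + DECOYS:      # each probe is sent once per decoy address
            lines.append(f"{t0 + i * 0.4:.3f} {src} 192.168.56.102 {port} {state}")
    for i, port in enumerate([22, 80, 22]):  # a legitimate client completing handshakes
        lines.append(f"{t0 + 10 + i:.3f} 192.168.56.50 192.168.56.102 {port} ESTABLISHED")
    return lines

def detect_syn_scans(lines, window=60.0, min_ports=10):
    """Flag sources that touch >= min_ports distinct destination ports with
    uncompleted handshakes inside any `window`-second span.
    Returns {src: most distinct ports seen in one window}."""
    events = defaultdict(list)
    for line in lines:
        ts, src, _dst, dport, state = line.split()
        if state != "ESTABLISHED":           # completed connections are not scan evidence
            events[src].append((float(ts), int(dport)))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            ports = {p for ts, p in evs[i:] if ts - start <= window}
            if len(ports) >= min_ports:
                alerts[src] = max(alerts.get(src, 0), len(ports))
    return alerts

if __name__ == "__main__":
    for src, n in sorted(detect_syn_scans(build_sample_log()).items()):
        print(f"ALERT {src}: {n} distinct ports probed with uncompleted handshakes")
```

All three probing addresses alert with identical counts: decoys do not suppress the alert, they only obscure which address is the real scanner.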

Nmap Scan Types Reference

Flag | Scan Type   | Use Case                  | Stealth Level
-sS  | SYN Stealth | Default pentest scan      | High
-sT  | TCP Connect | No root privilege needed  | Low (logs created)
-sU  | UDP Scan    | DNS, SNMP, DHCP services  | Medium

Conclusion

Network scanning with Nmap is the foundation of every penetration test and security audit. In this lab, you mastered host discovery, port scanning, service enumeration, OS fingerprinting, NSE scripting, and basic IDS evasion. These skills are directly applicable to real-world engagements and are tested in certifications like CEH, OSCP, and CompTIA PenTest+.

The key takeaway: scanning is not just about running commands; it’s about interpreting results, building a target profile, and planning your attack vector intelligently. Practice these techniques on platforms like HackTheBox, TryHackMe, and VulnHub regularly.

Learn about Kali Linux: https://cyberlytech.tech/kali-linux-tutorial-for-beginners-2026/

โ“ Frequently Asked Questions (FAQ)

Q1: Is Nmap legal to use?

Nmap itself is a legal tool. However, scanning networks without explicit permission from the owner is illegal in most jurisdictions. Always obtain written authorization before scanning any network you do not own.

Q2: How do I scan faster with Nmap?

Use timing templates: -T4 (aggressive) or -T5 (insane). Combine with the --min-rate and --min-parallelism flags. For large networks, consider masscan for initial discovery, then Nmap for detailed analysis.

Q3: Can Nmap detect firewalls?

Yes. Nmap can distinguish between filtered (firewall dropping packets), closed (RST received), and open ports. Use -sA (ACK scan) to map firewall rules and -sW (Window scan) for additional firewall analysis.

Q4: What is the difference between -sV and -A in Nmap?

-sV performs only service version detection. -A is an aggressive scan that enables OS detection, version scanning, script scanning, and traceroute simultaneously. Use -A cautiously as it generates significantly more traffic.

Q5: How do I save Nmap results for reporting?

nmap -oN output.txt target        # Normal text format

nmap -oX output.xml target        # XML format

nmap -oG output.gnmap target      # Grepable format

nmap -oA output target            # All three formats (output.nmap, output.xml, output.gnmap)
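Nmap's XML output is the format to build reports on, because it preserves every field (port states, banners, NSE script output, OS matches). The parser below turns an -oX file into a per-host target profile; it is an added example, not part of the original lab, and the embedded XML is a constructed sample shaped like Nmap's output rather than a real scan capture.

```python
import xml.etree.ElementTree as ET

# Constructed -oX sample shaped like Nmap's XML; illustrative, not a real capture.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -O -sC -oX out.xml 192.168.56.102">
 <host>
  <status state="up" reason="arp-response"/>
  <address addr="192.168.56.102" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>
    <service name="ftp" product="vsftpd" version="2.3.4"/>
    <script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/></port>
   <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
    <service name="ssh" product="OpenSSH" version="4.7p1"/></port>
   <port protocol="tcp" portid="23"><state state="filtered" reason="no-response"/></port>
  </ports>
  <os><osmatch name="Linux 2.6.X" accuracy="94"/><osmatch name="Linux 2.4.X" accuracy="88"/></os>
 </host>
</nmaprun>"""

def parse_nmap_xml(xml_text):
    """Turn an Nmap XML run into per-host profiles: open ports with banners,
    NSE script findings attached to those ports, and the best OS match."""
    profiles = []
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":      # skip hosts that were down
            continue
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        prof = {"ip": ip, "open_ports": [], "findings": [], "os": None}
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":  # closed/filtered are not attack surface
                continue
            num, svc = int(port.get("portid")), port.find("service")
            name = svc.get("name") if svc is not None else ""
            banner = " ".join(v for v in (svc.get("product"), svc.get("version")) if v) if svc is not None else ""
            prof["open_ports"].append((num, port.get("protocol"), name, banner))
            for script in port.iter("script"):            # NSE output (e.g. ftp-anon) becomes a finding
                prof["findings"].append((num, script.get("id"), script.get("output")))
        best = max(host.iter("osmatch"), key=lambda m: int(m.get("accuracy")), default=None)
        if best is not None:
            prof["os"] = (best.get("name"), int(best.get("accuracy")))
        profiles.append(prof)
    return profiles

if __name__ == "__main__":
    for p in parse_nmap_xml(SAMPLE_XML):
        print(p["ip"], p["os"])
        for port in p["open_ports"]:
            print("  %d/%s %s %s" % port)
        for f in p["findings"]:
            print("  finding on %d: %s -> %s" % f)
```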

โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”

© 2026 CyberlyTech, cyberlytech.tech | Premium Cybersecurity Education
