Overview
This is a practical walkthrough of Nmap based on real usage on my local Linux machine. The goal was to map my home network, identify live hosts, enumerate open services, and practice reconnaissance techniques used in real penetration tests.
Environment
Host machine: Kali Linux running on VirtualBox. Network range: 192.168.1.0/24 (home LAN). For the VM to see the LAN directly, and for ARP-based host discovery to work at all, its network adapter has to be in bridged mode; in NAT mode the VM sits behind VirtualBox's own virtual network and the sweep in Step 1 would only find that. All scans performed on my own network for educational purposes.
Step 1: Host Discovery
First I needed to identify what devices were alive on the network before doing any port scanning.
nmap -sn 192.168.1.0/24
The -sn flag disables port scanning and only does host discovery. Run as root against a local Ethernet segment, that means ARP requests, which every host on the segment has to answer, so even devices that drop ICMP show up; for targets beyond the local segment nmap sends an ICMP echo, a TCP SYN to 443, a TCP ACK to 80 and an ICMP timestamp request instead, and an unprivileged user gets plain TCP connect attempts to 80 and 443 only. This gave me a list of live hosts within seconds without generating noisy port scan traffic.
Output showed 6 live hosts: router (192.168.1.1), my main machine, phone, and a few IoT devices.
Step 2: Quick Port Scan
With the live hosts identified, I ran a fast scan on the router to see what ports were open.
nmap -T4 --open 192.168.1.1
-T4 speeds up the scan, acceptable on a local network where packet loss is minimal. --open filters output to only show open ports. With no -p, nmap probes only the 1000 most common TCP ports (as a SYN scan when run as root, a full TCP connect scan otherwise), so a service on an unusual port, or anything on UDP, stays invisible until you rerun with -p- or -sU.
Step 3: Service and Version Detection
nmap -sV -sC -p 22,80,443 192.168.1.1
-sV probes open ports to determine service versions. -sC runs the default NSE script set; not all of it is passive (ssh-hostkey, http-title and ssl-cert, for example, all talk to the service), so expect entries in the target's logs. Specifying -p limits the scan to ports I already knew were open, which keeps the run short; without it the version probes would be preceded by another 1000-port scan.
Step 4: OS Detection
nmap -O 192.168.1.1
OS detection sends a series of crafted TCP, UDP and ICMP probes and matches the responses (initial TTL, window size, TCP option ordering and so on) against nmap's fingerprint database. It needs raw sockets, hence root privileges, and is only reliable when nmap finds at least one open and one closed TCP port on the target; otherwise it warns and the guess should not be trusted.
Step 5: NSE Scripts
nmap --script=ftp-anon 192.168.1.1
ftp-anon checks whether the FTP server accepts anonymous login; it only fires if port 21 is open.
nmap --script=http-enum 192.168.1.1
http-enum requests a list of well-known paths (admin panels, backup files, common application directories) on every web port it finds. It is noisy and stands out clearly in web server logs.
nmap --script=smb-vuln-ms17-010 192.168.1.1
smb-vuln-ms17-010 checks SMBv1 on port 445 for the MS17-010 (EternalBlue) bug without exploiting it; it is aimed at Windows hosts, so against a home router it usually reports nothing.
Each script runs only against ports whose service matches its port rule, so nmap still has to find those ports first: without -p it scans the default 1000 ports before any script executes. Run nmap --script-help <name> to read a script's description and categories before using anything from the vuln, exploit or intrusive categories.
Step 6: Saving Output
nmap -sV -sC -oA recon/nmap_full 192.168.1.1
-oA writes three files with the given basename: normal output (.nmap, not .txt), XML (.xml) and grepable (.gnmap). The XML is what Metasploit's db_import and most parsers consume; the grepable format is the one to reach for in quick awk and grep one-liners.
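Chaining Steps 1 to 6 into one script, as an added example that is not part of the original write-up: the two awk helpers parse nmap's grepable output (the .gnmap file that -oA and -oG produce) so the live-host list from Step 1 feeds the per-host scans, and only ports that were actually open get the slower -sV -sC -O pass. The function names, the recon.sh filename and the sample .gnmap lines are my assumptions; the sample is constructed and only mirrors nmap's format. The parsing part runs on its own; the recon function needs nmap installed and root.

```shell
#!/bin/sh
# Added example, not part of the original write-up: chain the six steps
# into one script and parse nmap's grepable (-oG/.gnmap) output so the
# live-host list from step 1 drives the per-host scans of steps 2 to 6.
# Assumes nmap is installed and the script runs as root (ARP discovery,
# SYN scans and -O all need raw sockets). The sample .gnmap text below
# is constructed to mirror nmap's format; its hosts and services are made up.

# Print the IPs of hosts marked "Status: Up" in a -sn -oG listing.
# Usage: gnmap_up_hosts < hosts.gnmap
gnmap_up_hosts() {
    awk -F'\t' '/^Host:/ && /Status: Up/ { split($1, hf, " "); print hf[2] }'
}

# Print the open TCP ports of one host as a comma list ready for "nmap -p".
# Filtered and closed entries are dropped. Usage: gnmap_open_ports IP < scan.gnmap
gnmap_open_ports() {
    awk -F'\t' -v h="$1" '
        /^Host:/ {
            split($1, hf, " ")
            if (hf[2] != h) next
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                n = split(substr($i, 8), e, ", ")
                for (j = 1; j <= n; j++) {
                    split(e[j], f, "/")   # port/state/proto/owner/service/rpc/version/
                    if (f[2] == "open" && f[3] == "tcp")
                        out = out (out == "" ? "" : ",") f[1]
                }
            }
        }
        END { print out }'
}

# Steps 1 to 6 end to end: discover, quick-scan, then version/script/OS scan
# only the ports that were actually open, saving every run under $outdir.
recon() {
    range="$1"; outdir="${2:-recon}"
    mkdir -p "$outdir"
    nmap -sn -oG "$outdir/hosts.gnmap" "$range" >/dev/null
    gnmap_up_hosts < "$outdir/hosts.gnmap" | while read -r ip; do
        nmap -T4 --open -oG "$outdir/$ip.quick.gnmap" "$ip" >/dev/null
        ports=$(gnmap_open_ports "$ip" < "$outdir/$ip.quick.gnmap")
        [ -n "$ports" ] || continue           # nothing open: skip the slow scan
        nmap -sV -sC -O -p "$ports" -oA "$outdir/$ip.full" "$ip" >/dev/null
        echo "$ip: $ports -> $outdir/$ip.full.{nmap,xml,gnmap}"
    done
}

# Constructed sample in nmap's grepable format (fields are tab-separated).
T=$(printf '\t')
sample_gnmap() {
    printf '%s\n' \
        "# Nmap 7.94 scan initiated (constructed sample, not a real scan)" \
        "Host: 192.168.1.1 (router)${T}Status: Up" \
        "Host: 192.168.1.1 (router)${T}Ports: 22/open/tcp//ssh//OpenSSH 8.4/, 53/open/tcp//domain//dnsmasq 2.85/, 80/open/tcp//http//nginx/, 443/open/tcp//ssl|https//nginx/${T}Ignored State: closed (996)" \
        "Host: 192.168.1.37 ()${T}Status: Up" \
        "Host: 192.168.1.37 ()${T}Ports: 8080/filtered/tcp//http-proxy///${T}Ignored State: closed (999)" \
        "Host: 192.168.1.52 ()${T}Status: Down" \
        "# Nmap done (constructed sample)"
}

demo_up_hosts()     { sample_gnmap | gnmap_up_hosts | tr '\n' ' ' | sed 's/ $//'; }
demo_router_ports() { sample_gnmap | gnmap_open_ports 192.168.1.1; }
demo_iot_ports()    { sample_gnmap | gnmap_open_ports 192.168.1.37; }

echo "up hosts:     $(demo_up_hosts)"       # 192.168.1.1 192.168.1.37
echo "router ports: $(demo_router_ports)"   # 22,53,80,443
echo "iot ports:    '$(demo_iot_ports)'"    # '' (8080 was filtered, not open)

# Real run against your own network (recon.sh is an assumed filename):
#   sudo sh recon.sh --run 192.168.1.0/24
if [ "${1:-}" = "--run" ]; then
    recon "$2" "${3:-recon}"
fi
```

Only "open" entries make it into the -p list on purpose: a "filtered" port in the quick scan tells you a firewall is in the way, and feeding it to -sV just burns time on probes that will never be answered. Parsing the grepable format works here because nmap replaces any "/" inside a service or version field with "|", so splitting each entry on "/" is safe.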
Key Takeaways
- Always start with -sn host discovery before port scanning
- Use -sV -sC as your baseline for any serious enumeration
- Save everything with -oA
- NSE scripts dramatically expand reconnaissance depth
- Match timing to context: -T4 for CTFs, -T2 for real engagements (slower, gentler on fragile hosts and less likely to trip rate-based alerting)