This guide walks through the Nmap and Scapy labs I completed as part of a cybersecurity class.
Lab context:
Kali Linux OVA on VirtualBox, using a class lab network range (e.g. 10.6.6.0/24).
Tools: Nmap, Scapy, tcpdump, Wireshark, and a bit of SMB.
I'll show:
- The exact commands I ran
- What each option means (beginner-friendly)
- How to capture and inspect traffic
- How this maps to real-world security work
I'll also include an example repository layout in case you want to publish this as a GitHub repo later.
Ethics & Safety Reminder
Only scan networks and systems you own or have explicit permission to test.
Everything here is done inside a controlled class lab environment.
Table of Contents
- Introduction
- Lab Setup Overview
- Quick Tool Overview
- Part 1 - Nmap Lab
- Part 2 - Scapy Lab
- Troubleshooting & Common Gotchas
- How This Maps to Real-World Security Work
- How I'll Structure the GitHub Repo
- Final Reflections
1. Introduction
In this lab, I used Kali Linux on VirtualBox to:
- Discover hosts on a lab subnet
- Probe a specific target (10.6.6.23) with Nmap
- Enumerate SMB shares
- Capture traffic with tcpdump and open it in Wireshark
- Use Scapy to sniff, store, and inspect packets (ICMP, plus the DNS and ARP traffic that shows up around a ping)
If you're new to Nmap and Scapy:
- Think of Nmap as a network scanner (who's online, what ports, what services).
- Think of Scapy as Python-powered packet LEGO: you can sniff, dissect, and even craft packets.
2. Lab Setup Overview
Environment:
- Host: Your regular OS (Windows / macOS / Linux)
- VM: Kali Linux OVA imported into VirtualBox
- Network: Class lab network (example: 10.6.6.0/24)
- Target system: 10.6.6.23 (lab host with SMB services)
Document your VM networking mode (NAT, Bridged, Internal Network). My lab environment used an internal bridge named br-internal; the ip route output later in this guide shows the VM also has a NAT interface (eth0) that provides Internet access. Note: some of the steps below (the pings to google.com) need that outside network access to work.
3. Quick Tool Overview
Tools used in this assignment:
- Nmap: Port scanning, OS detection, service identification, SMB enumeration
- smbclient: Connect to SMB shares
- tcpdump: Capture packets into a .pcap file
- Wireshark: GUI packet analysis
- Scapy: Python-based packet crafting/sniffing toolkit
4. Part 1 - Nmap Lab
Commands used:
nmap -sn 10.6.6.0/24
sudo nmap -O 10.6.6.23
nmap -p21 -sV -A -T4 10.6.6.23
nmap -A -p139,445 10.6.6.23
nmap --script smb-enum-shares.nse -p445 10.6.6.23
smbclient //10.6.6.23/print$ -N
ifconfig
ip route
cat /etc/resolv.conf
sudo tcpdump -i eth0 -s 0 -w packetcapture.pcap
ls packetcapture.pcap
wireshark
4.1 Host Discovery with -sn
nmap -sn 10.6.6.0/24
What it does:
A host-discovery ("ping") scan across the /24: Nmap only checks whether each address responds and does not port-scan it. Despite the name it is not only ICMP. As root on a directly attached subnet Nmap uses ARP requests, which even hosts that drop ping will answer; as an unprivileged user, as in this run, it falls back to TCP connect() attempts to ports 80 and 443.
Why it matters:
You always start by identifying what is alive before deeper scans. The names in the report (webgoat.vm, juice-shop.vm, ...) come from reverse name resolution; add -n if you want to skip that lookup.
┌──(kali㉿Kali)-[~]
└─$ nmap -sn 10.6.6.0/24
Starting Nmap 7.94 ( https://nmap.org ) at 2025-12-10 01:36 UTC
Nmap scan report for 10.6.6.1
Host is up (0.00019s latency).
Nmap scan report for webgoat.vm (10.6.6.11)
Host is up (0.00017s latency).
Nmap scan report for juice-shop.vm (10.6.6.12)
Host is up (0.00013s latency).
Nmap scan report for dvwa.vm (10.6.6.13)
Host is up (0.000074s latency).
Nmap scan report for mutillidae.vm (10.6.6.14)
Host is up (0.000035s latency).
Nmap scan report for gravemind.vm (10.6.6.23)
Host is up (0.00027s latency).
Nmap scan report for 10.6.6.100
Host is up (0.000049s latency).
Nmap done: 256 IP addresses (7 hosts up) scanned in 6.31 seconds
4.2 OS Detection with -O
sudo nmap -O 10.6.6.23
Uses TCP/IP stack fingerprinting to guess the remote OS: Nmap sends a series of crafted probes to an open and a closed port and compares the responses (the OS: lines below) against its fingerprint database. Root is required because those probes are raw packets. Two things to read off this output: -O runs a port scan first, which is why a port table appears, and the target's MAC address starts with 02:42, the prefix Docker assigns to container interfaces (the remaining bytes 0A:06:06:17 are 10.6.6.23 written in hex). The target is a container on this VM, so the fingerprint is really the Kali host kernel's, and "No exact OS matches" just means the database has no close enough entry; it is not a failed scan.
┌──(kali㉿Kali)-[~]
└─$ sudo nmap -O 10.6.6.23
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2025-12-10 01:39 UTC
Nmap scan report for gravemind.vm (10.6.6.23)
Host is up (0.000037s latency).
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 02:42:0A:06:06:17 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94%E=4%D=12/10%OT=21%CT=1%CU=38430%PV=Y%DS=1%DC=D%G=Y%M=02420A%
OS:TM=6938CF53%P=x86_64-pc-linux-gnu)SEQ(SP=FA%GCD=1%ISR=FF%TI=Z%CI=Z%II=I%
OS:TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5
OS:=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=
OS:FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%
OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0
OS:%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S
OS:=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R
OS:=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N
OS:%T=40%CD=S)
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.39 seconds
4.3 Service Detection & Aggressive Scan
nmap -p21 -sV -A -T4 10.6.6.23
Breakdown:
- -p21: Scan only port 21 (FTP)
- -sV: Service/version detection
- -A: Aggressive mode (OS detection, version detection, default NSE scripts, traceroute); it already implies -sV, so listing both is redundant
- -T4: Faster timing template
OS detection and traceroute need raw sockets, so in this non-sudo run they were skipped and you effectively got -sV plus the default scripts. That is enough to surface the real finding: ftp-anon shows that anonymous login is accepted and lists the directory, including supersecretfile.txt, and ftp-syst notes that both the control and data connections are plain text.
┌──(kali㉿Kali)-[~]
└─$ nmap -p21 -sV -A -T4 10.6.6.23
Starting Nmap 7.94 ( https://nmap.org ) at 2025-12-10 01:41 UTC
Nmap scan report for gravemind.vm (10.6.6.23)
Host is up (0.000092s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 0 0 16 Aug 13 2021 file1.txt
| -rw-r--r-- 1 0 0 16 Aug 13 2021 file2.txt
| -rw-r--r-- 1 0 0 29 Aug 13 2021 file3.txt
|_-rw-r--r-- 1 0 0 26 Aug 13 2021 supersecretfile.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.6.6.1
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
4.4 SMB Enumeration (Ports 139 & 445)
SMB enumeration means querying a target over the Server Message Block protocol (TCP 139, the NetBIOS session service, and TCP 445, SMB directly over TCP) for what it will tell an unauthenticated or guest client: OS and host name, dialect and signing settings, and the list of shares.
Scan SMB ports:
nmap -A -p139,445 10.6.6.23
┌──(kali㉿Kali)-[~]
└─$ nmap -A -p139,445 10.6.6.23
Starting Nmap 7.94 ( https://nmap.org ) at 2025-12-10 01:48 UTC
Nmap scan report for gravemind.vm (10.6.6.23)
Host is up (0.000090s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
Service Info: Host: GRAVEMIND
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.9.5-Debian)
| Computer name: gravemind
| NetBIOS computer name: GRAVEMIND\x00
| Domain name: \x00
| FQDN: gravemind
|_ System time: 2025-12-10T01:48:34+00:00
| smb2-time:
| date: 2025-12-10T01:48:33
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.18 seconds
Two lines to note before moving on: smb2-security-mode reports message signing enabled but not required, and the SMB1 smb-security-mode check reports it disabled. Either way, a host in the path can modify SMB traffic without the client or server noticing. Also, the host scripts ran with account_used: guest, meaning the server accepted a guest session without credentials.
Enumerate shares:
nmap --script smb-enum-shares.nse -p445 10.6.6.23
Command Breakdown:
- nmap: The network scanner tool.
- --script smb-enum-shares.nse: Run the Nmap Scripting Engine (NSE) script that enumerates SMB shares (the .nse suffix is optional).
- -p445: Restrict the scan to TCP port 445, the port for SMB directly over TCP.
- 10.6.6.23: The IP address of the target machine.
┌──(kali㉿Kali)-[~]
└─$ nmap --script smb-enum-shares.nse -p445 10.6.6.23
Starting Nmap 7.94 ( https://nmap.org ) at 2025-12-10 01:50 UTC
Nmap scan report for gravemind.vm (10.6.6.23)
Host is up (0.00032s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-enum-shares:
| account_used: <blank>
| \\10.6.6.23\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (Samba 4.9.5-Debian)
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| \\10.6.6.23\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: READ/WRITE
| \\10.6.6.23\workfiles:
| Type: STYPE_DISKTREE
| Comment: Confidential Workfiles
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\spool\samba
|_ Anonymous access: READ/WRITE
Nmap done: 1 IP address (1 host up) scanned in 7.31 seconds
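The share listing above is the part you act on, so here is an added example (mine, not part of the original lab) that parses the smb-enum-shares script output into records and pulls out the findings a report would carry: every share the script marks as anonymously writable, and the subset that are real disk shares rather than the IPC$ pipe. The input is the NSE block from the scan above, embedded as a constructed sample; the regexes assume Nmap's normal-output indentation exactly as printed there.

```python
import re
from dataclasses import dataclass

# Constructed sample: the smb-enum-shares script block from the Nmap run above, verbatim.
NSE_OUTPUT = r"""
| smb-enum-shares:
|   account_used: <blank>
|   \\10.6.6.23\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (Samba 4.9.5-Debian)
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|   \\10.6.6.23\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: READ/WRITE
|   \\10.6.6.23\workfiles:
|     Type: STYPE_DISKTREE
|     Comment: Confidential Workfiles
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\spool\samba
|_    Anonymous access: READ/WRITE
"""

# A share header looks like "|   \\10.6.6.23\print$:"; a field looks like "|     Type: STYPE_DISKTREE".
SHARE_RE = re.compile(r"^\|\s+\\\\(?P<host>[^\\]+)\\(?P<name>[^:]+):\s*$")
FIELD_RE = re.compile(r"^\|_?\s+(?P<key>[A-Za-z ]+):\s*(?P<value>.*)$")


@dataclass
class Share:
    host: str
    name: str
    type: str
    comment: str
    path: str
    anonymous: str  # what the script reports, e.g. "READ/WRITE", "READ", "<none>"

    @property
    def hidden(self) -> bool:
        # A trailing $ hides the share from browse lists; it is not an access control.
        return self.name.endswith("$")


def parse_enum_shares(text: str) -> list[Share]:
    """Turn the indented NSE output into Share records, one per share header line."""
    shares, fields = [], None
    for line in text.splitlines():
        m = SHARE_RE.match(line)
        if m:
            fields = {"host": m["host"], "name": m["name"]}
            shares.append(fields)
            continue
        m = FIELD_RE.match(line)
        if m and fields is not None:  # fields before the first share (account_used) are skipped
            fields[m["key"].strip().lower()] = m["value"].strip()
    return [
        Share(f["host"], f["name"], f.get("type", ""), f.get("comment", ""),
              f.get("path", ""), f.get("anonymous access", "<unknown>"))
        for f in shares
    ]


def anonymous_writable(shares: list[Share]) -> list[str]:
    """Shares the script could write to with no credentials (account_used was blank)."""
    return [s.name for s in shares if "WRITE" in s.anonymous.upper()]


def anonymous_writable_disk(shares: list[Share]) -> list[str]:
    """The subset that are disk trees: IPC$ is the RPC pipe share and always appears, so it is noise here."""
    return [s.name for s in shares if s.type == "STYPE_DISKTREE" and "WRITE" in s.anonymous.upper()]


if __name__ == "__main__":
    found = parse_enum_shares(NSE_OUTPUT)
    for s in found:
        print(f"{s.name:<10} {s.type:<17} anon={s.anonymous:<10} hidden={s.hidden} {s.comment!r}")
    print("anonymous writable disk shares:", anonymous_writable_disk(found))
```

On this target the disk-share list is print$ and workfiles, and the workfiles comment ("Confidential Workfiles") is the kind of detail that belongs in the finding: an unauthenticated client can both read and modify it.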
Connect manually:
smbclient //10.6.6.23/print$ -N
Command Breakdown:
| Component | Meaning | Purpose |
|---|---|---|
| smbclient | SMB/CIFS client tool | Connect to Windows-style shared folders |
| //10.6.6.23 | Server IP | Where the SMB service is hosted |
| /print$ | Share name (hidden) | Printer driver share on the target; the trailing $ only hides it from browse lists |
| -N | No password prompt | Anonymous login attempt |
┌──(kali㉿Kali)-[~]
└─$ smbclient //10.6.6.23/print$ -N
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \>
Exit with:
exit
4.5 Capture Traffic with tcpdump + Wireshark
Check network settings:
ifconfig
ip route
cat /etc/resolv.conf
└─$ ifconfig
br-internal: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.6.6.1 netmask 255.255.255.0 broadcast 10.6.6.255
inet6 fe80::42:b1ff:feae:eb4f prefixlen 64 scopeid 0x20<link>
ether 02:42:b1:ae:eb:4f txqueuelen 0 (Ethernet)
RX packets 1565 bytes 99196 (96.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2534 bytes 168594 (164.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
┌──(kali㉿Kali)-[~]
└─$ ip route
default via 10.0.2.2 dev eth0 proto dhcp src 10.0.2.15 metric 100
10.0.2.0/24 dev eth0 proto kernel scope link src 10.0.2.15 metric 100
10.5.5.0/24 dev br-339414195aeb proto kernel scope link src 10.5.5.1
10.6.6.0/24 dev br-internal proto kernel scope link src 10.6.6.1
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
192.168.0.0/24 dev br-355ee7945a88 proto kernel scope link src 192.168.0.1
┌──(kali㉿Kali)-[~]
└─$ cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 172.16.0.1
Capture packets:
sudo tcpdump -i eth0 -s 0 -w packetcapture.pcap
Command Breakdown:
| Flag / Component | Meaning | Purpose |
|---|---|---|
| sudo | Run as root | Required to open a raw capture socket |
| tcpdump | Packet capture tool | Command-line counterpart of Wireshark |
| -i eth0 | Interface selection | Capture only from eth0 (the NAT interface here; use br-internal for lab traffic) |
| -s 0 | Snapshot length | Capture full packets instead of truncating them |
| -w packetcapture.pcap | Write to file | Save raw packets in pcap format for later analysis |
┌──(kali㉿Kali)-[~]
└─$ sudo tcpdump -i eth0 -s 0 -w packetcapture.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
^C38 packets captured
38 packets received by filter
0 packets dropped by kernel
Note: tcpdump only records what crosses the interface you gave it, so generate traffic from a second terminal while it runs. The ping to google.com below leaves via eth0 because that is the default route in the ip route output above; to capture traffic to the lab target 10.6.6.23 you would capture on br-internal instead.
┌──(kali㉿Kali)-[~]
└─$ ping google.com
PING google.com (64.233.177.138) 56(84) bytes of data.
64 bytes from yx-in-f138.1e100.net (64.233.177.138): icmp_seq=1 ttl=255 time=21.1 ms
64 bytes from yx-in-f138.1e100.net (64.233.177.138): icmp_seq=2 ttl=255 time=21.2 ms
64 bytes from yx-in-f138.1e100.net (64.233.177.138): icmp_seq=3 ttl=255 time=21.4 ms
64 bytes from yx-in-f138.1e100.net (64.233.177.138): icmp_seq=4 ttl=255 time=21.4 ms
64 bytes from yx-in-f138.1e100.net (64.233.177.138): icmp_seq=5 ttl=255 time=21.6 ms
64 bytes from yx-in-f138.1e100.net (64.233.177.138): icmp_seq=6 ttl=255 time=21.9 ms
64 bytes from yx-in-f138.1e100.net (64.233.177.138): icmp_seq=7 ttl=255 time=21.7 ms
64 bytes from yx-in-f138.1e100.net (64.233.177.138): icmp_seq=8 ttl=255 time=21.8 ms
^C
--- google.com ping statistics ---
8 packets transmitted, 8 received, 0% packet loss, time 7011ms
rtt min/avg/max/mdev = 21.129/21.518/21.916/0.276 ms
Ctrl + C in both terminals to stop capture.
Open in Wireshark:
wireshark <yourpcapfilename>.pcap
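To see what tcpdump -w actually put in packetcapture.pcap, here is an added example (not from the original lab) that writes and reads the classic libpcap file format in pure Python: the 24-byte global header carrying the snaplen and link type tcpdump announced above (262144 bytes, EN10MB = link type 1), then one 16-byte record header per frame. The frame is a constructed sample, the ICMP echo-reply from 10.6.6.23 that Part 2 dissects later, and the timestamp is made up. Re-running it with a small snaplen shows why -s 0 matters: the record's captured length shrinks while its original length stays 98.

```python
import struct
import tempfile
from pathlib import Path

# Constructed sample frame (98 bytes): the ICMP echo-reply 10.6.6.23 -> 10.6.6.1 that Part 2 dissects.
SAMPLE_FRAME = bytes.fromhex(
    "0242b1aeeb4f02420a0606170800"                  # Ethernet: dst, src, EtherType IPv4
    "4500005409910000400150f50a0606170a060601"      # IPv4: len 84, id 2449, ttl 64, proto ICMP
    "000056f3b2ed0002"                              # ICMP: echo-reply, id 0xb2ed, seq 2
    "6ede3869000000008702090000000000"              # ping's 16-byte timestamp payload
    "101112131415161718191a1b1c1d1e1f"              # ping's pattern bytes 0x10..0x37
    "202122232425262728292a2b2c2d2e2f"
    "3031323334353637"
)

PCAP_MAGIC = 0xA1B2C3D4     # classic pcap with microsecond timestamps (pcapng is a different format)
LINKTYPE_ETHERNET = 1       # what tcpdump printed as "link-type EN10MB (Ethernet)"
DEFAULT_SNAPLEN = 262144    # tcpdump's snaplen for -s 0 ("snapshot length 262144 bytes" above)


def write_pcap(path, frames, snaplen=DEFAULT_SNAPLEN):
    """frames: iterable of (ts_sec, ts_usec, frame_bytes). Written little-endian, as tcpdump on x86 does.
    Frames longer than snaplen are cut, which is exactly what a small -s value does to a capture."""
    with open(path, "wb") as f:
        # global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for ts_sec, ts_usec, frame in frames:
            captured = frame[:snaplen]
            # record header: ts_sec, ts_usec, captured length, original length on the wire
            f.write(struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(frame)))
            f.write(captured)


def read_pcap(path):
    """Returns (snaplen, linktype, records); each record is (ts_sec, ts_usec, caplen, origlen, data)."""
    data = Path(path).read_bytes()
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:  # the same magic seen through the other byte order
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic 0x%08x); pcapng needs another reader" % magic)
    _, _vmaj, _vmin, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, caplen, origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        records.append((ts_sec, ts_usec, caplen, origlen, data[off:off + caplen]))
        off += caplen
    return snaplen, linktype, records


def roundtrip(snaplen=DEFAULT_SNAPLEN):
    """Write the sample frame to a temporary packetcapture.pcap and read it back."""
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "packetcapture.pcap"
        write_pcap(path, [(1765334638, 590471, SAMPLE_FRAME)], snaplen=snaplen)  # constructed timestamp
        return read_pcap(path)


if __name__ == "__main__":
    for s in (DEFAULT_SNAPLEN, 64):
        snaplen, linktype, recs = roundtrip(s)
        _ts_sec, _ts_usec, caplen, origlen, _data = recs[0]
        print(f"snaplen={snaplen} linktype={linktype} caplen={caplen} origlen={origlen}")
```

A file written this way opens in Wireshark like any tcpdump capture. Note that Wireshark itself saves in pcapng by default, which this reader deliberately rejects rather than misparsing.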
5. Part 2 - Scapy Lab
Commands used:
sudo su
scapy
sniff()
# new terminal
ping google.com
paro = _
paro.summary()
sniff(iface="br-internal")
ping 10.6.6.1
paro2 = _
paro2.summary()
sniff(iface="br-internal", filter="icmp", count=5)
ping 10.6.6.23
paro3 = _
paro3.summary()
paro3[3]
5.1 Starting Scapy
sudo su
scapy
Scapy opens an interactive Python shell for packet manipulation.
┌──(root㉿Kali)-[/home/kali]
└─# scapy
INFO: Can't import PyX. Won't be able to use psdump() or pdfdump().
aSPY//YASa
apyyyyCY//////////YCa |
sY//////YSpcs scpCY//Pp | Welcome to Scapy
ayp ayyyyyyySCP//Pp syY//C | Version 2.5.0
AYAsAYYYYYYYY///Ps cY//S |
pCCCCY//p cSSps y//Y | https://github.com/secdev/scapy
SPPPP///a pP///AC//Y |
A//A cyP////C | Have fun!
p///Ac sC///a |
P////YCpc A//A | Craft packets like it is your last
scccccp///pSP///p p//Y | day on earth.
sY/////////y caa S//P | -- Lao-Tze
cayCyayP//Ya pY/Ya |
sY/PsY////YCc aC//Yp
sc sccaCY//PCypaapyCP//YSs
spCPY//////YPSps
ccaacs
using IPython 8.14.0
>>>
5.2 First Sniff: Watching a Ping to Google
Inside Scapy:
sniff()
>>> sniff()
^C<Sniffed: TCP:0 UDP:16 ICMP:12 Other:2>
>>>
New terminal:
ping google.com
┌──(kali㉿Kali)-[~]
└─$ ping google.com
PING google.com (64.233.177.101) 56(84) bytes of data.
64 bytes from yx-in-f101.1e100.net (64.233.177.101): icmp_seq=1 ttl=255 time=22.0 ms
64 bytes from yx-in-f101.1e100.net (64.233.177.101): icmp_seq=2 ttl=255 time=21.9 ms
64 bytes from yx-in-f101.1e100.net (64.233.177.101): icmp_seq=3 ttl=255 time=22.0 ms
64 bytes from yx-in-f101.1e100.net (64.233.177.101): icmp_seq=4 ttl=255 time=21.9 ms
64 bytes from yx-in-f101.1e100.net (64.233.177.101): icmp_seq=5 ttl=255 time=21.6 ms
64 bytes from yx-in-f101.1e100.net (64.233.177.101): icmp_seq=6 ttl=255 time=22.0 ms
^C
--- google.com ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5008ms
rtt min/avg/max/mdev = 21.641/21.896/22.043/0.127 ms
Stop both with Ctrl + C.
5.3 Using Variables and .summary()
paro = _
paro.summary()
In Scapy's IPython shell, _ holds the result of the last expression, here the packet list that sniff() returned when it was stopped with Ctrl + C, so assigning it to a name keeps it from being overwritten by the next command. .summary() prints one line per packet. Besides the ICMP echo pairs, notice the DNS lookups ping made (the forward query for google.com and a reverse lookup for every reply) and the ARP exchange with the NAT gateway 10.0.2.2.
>>> paro=_
>>> paro.summary()
Ether / IP / UDP / DNS Qry "b'google.com.'"
Ether / IP / UDP / DNS Qry "b'google.com.'"
Ether / IP / UDP / DNS Ans "2607:f8b0:4002:c08::71"
Ether / IP / UDP / DNS Ans "64.233.177.101"
Ether / IP / ICMP 10.0.2.15 > 64.233.177.101 echo-request 0 / Raw
Ether / IP / ICMP 64.233.177.101 > 10.0.2.15 echo-reply 0 / Raw
Ether / IP / UDP / DNS Qry "b'101.177.233.64.in-addr.arpa.'"
Ether / IP / UDP / DNS Ans "b'yx-in-f101.1e100.net.'"
Ether / IP / ICMP 10.0.2.15 > 64.233.177.101 echo-request 0 / Raw
Ether / IP / ICMP 64.233.177.101 > 10.0.2.15 echo-reply 0 / Raw
Ether / IP / UDP / DNS Qry "b'101.177.233.64.in-addr.arpa.'"
Ether / IP / UDP / DNS Ans "b'yx-in-f101.1e100.net.'"
Ether / IP / ICMP 10.0.2.15 > 64.233.177.101 echo-request 0 / Raw
Ether / IP / ICMP 64.233.177.101 > 10.0.2.15 echo-reply 0 / Raw
Ether / IP / UDP / DNS Qry "b'101.177.233.64.in-addr.arpa.'"
Ether / IP / UDP / DNS Ans "b'yx-in-f101.1e100.net.'"
Ether / IP / ICMP 10.0.2.15 > 64.233.177.101 echo-request 0 / Raw
Ether / IP / ICMP 64.233.177.101 > 10.0.2.15 echo-reply 0 / Raw
Ether / IP / UDP / DNS Qry "b'101.177.233.64.in-addr.arpa.'"
Ether / IP / UDP / DNS Ans "b'yx-in-f101.1e100.net.'"
Ether / IP / ICMP 10.0.2.15 > 64.233.177.101 echo-request 0 / Raw
Ether / IP / ICMP 64.233.177.101 > 10.0.2.15 echo-reply 0 / Raw
Ether / IP / UDP / DNS Qry "b'101.177.233.64.in-addr.arpa.'"
Ether / IP / UDP / DNS Ans "b'yx-in-f101.1e100.net.'"
Ether / IP / ICMP 10.0.2.15 > 64.233.177.101 echo-request 0 / Raw
Ether / IP / ICMP 64.233.177.101 > 10.0.2.15 echo-reply 0 / Raw
Ether / IP / UDP / DNS Qry "b'101.177.233.64.in-addr.arpa.'"
Ether / IP / UDP / DNS Ans "b'yx-in-f101.1e100.net.'"
Ether / ARP who has 10.0.2.2 says 10.0.2.15
Ether / ARP is at 52:55:0a:00:02:02 says 10.0.2.2 / Padding
5.4 Sniffing on br-internal
sniff(iface="br-internal")
Generate traffic:
ping 10.6.6.1
Save results:
paro2 = _
paro2.summary()
Note: this sniff captured nothing, and the reason is visible in the ifconfig output from Part 1: 10.6.6.1 is the Kali VM's own address on br-internal. A ping to a local address is answered by the local stack over the loopback interface (lo), so no frame ever crosses br-internal for sniff() to see. Sniff on lo, or ping a different host on the bridge (as the next step does), and the packets show up.
In many real lab or corporate networks the .1 address is instead the default gateway, and gateways are sometimes configured to drop or ignore ping (ICMP), which is another reason a ping-based check can come up empty.
5.5 ICMP-Only Sniff with Filter + Count
sniff(iface="br-internal", filter="icmp", count=5)
Generate ICMP traffic:
ping 10.6.6.23
Because count=5 was set, sniff() returned as soon as five ICMP packets had been captured, so the remaining echo requests and replies from the ping below were not collected. filter="icmp" is a BPF capture filter (the same syntax tcpdump uses), applied before the packets reach Scapy.
┌──(kali㉿Kali)-[~]
└─$ ping 10.6.6.23
PING 10.6.6.23 (10.6.6.23) 56(84) bytes of data.
64 bytes from 10.6.6.23: icmp_seq=1 ttl=64 time=0.041 ms
64 bytes from 10.6.6.23: icmp_seq=2 ttl=64 time=0.035 ms
64 bytes from 10.6.6.23: icmp_seq=3 ttl=64 time=0.034 ms
64 bytes from 10.6.6.23: icmp_seq=4 ttl=64 time=0.029 ms
64 bytes from 10.6.6.23: icmp_seq=5 ttl=64 time=0.030 ms
64 bytes from 10.6.6.23: icmp_seq=6 ttl=64 time=0.018 ms
64 bytes from 10.6.6.23: icmp_seq=7 ttl=64 time=0.028 ms
^C
--- 10.6.6.23 ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6144ms
rtt min/avg/max/mdev = 0.018/0.030/0.041/0.006 ms
5.6 Inspecting Packet Fields
paro3 = _
paro3.summary()
paro3[3]
<Sniffed: TCP:0 UDP:0 ICMP:5 Other:0>
>>> paro3=_
>>> paro3.summary()
Ether / IP / ICMP 10.6.6.1 > 10.6.6.23 echo-request 0 / Raw
Ether / IP / ICMP 10.6.6.23 > 10.6.6.1 echo-reply 0 / Raw
Ether / IP / ICMP 10.6.6.1 > 10.6.6.23 echo-request 0 / Raw
Ether / IP / ICMP 10.6.6.23 > 10.6.6.1 echo-reply 0 / Raw
Ether / IP / ICMP 10.6.6.1 > 10.6.6.23 echo-request 0 / Raw
Full details:
paro3[3].show()
Packet lists are zero-indexed, so paro3[3] is the fourth packet in the summary above: the second echo-reply from 10.6.6.23 (seq 2), which is what the src, dst and seq fields below confirm.
>>> paro3[3].show()
###[ Ethernet ]###
dst = 02:42:b1:ae:eb:4f
src = 02:42:0a:06:06:17
type = IPv4
###[ IP ]###
version = 4
ihl = 5
tos = 0x0
len = 84
id = 2449
flags =
frag = 0
ttl = 64
proto = icmp
chksum = 0x50f5
src = 10.6.6.23
dst = 10.6.6.1
\options \
###[ ICMP ]###
type = echo-reply
code = 0
chksum = 0x56f3
id = 0xb2ed
seq = 0x2
unused = ''
###[ Raw ]###
load = 'n\\xde8i\x00\x00\x00\x00\\x87\x02\t\x00\x00\x00\x00\x00\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./01234567'
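What .show() prints is just a decoded view of 98 bytes. As an added example (mine, not the lab's code, and not using Scapy), the block below rebuilds that exact echo-reply from the fields shown, computes the IP and ICMP checksums instead of copying them, and dissects the result Ether -> IP -> ICMP -> Raw. The computed checksums come out as 0x50f5 and 0x56f3, the values Scapy displayed, which confirms the Raw load is Linux ping's 16-byte timestamp followed by the 0x10..0x37 pattern. The dissector also verifies both checksums, so it can tell a tampered or corrupted packet from a valid one.

```python
import struct
from dataclasses import dataclass


def rfc1071_checksum(data: bytes) -> int:
    """Internet checksum: one's-complement sum of 16-bit big-endian words, then complemented.
    To verify a header, run it over the bytes with the checksum field left in: a good header yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


ICMP_TYPES = {0: "echo-reply", 3: "dest-unreach", 8: "echo-request", 11: "time-exceeded"}


@dataclass
class IcmpFrame:
    eth_dst: str
    eth_src: str
    ip_id: int
    ip_ttl: int
    ip_len: int
    ip_src: str
    ip_dst: str
    ip_chksum: int
    ip_chksum_ok: bool
    icmp_type: str
    icmp_code: int
    icmp_id: int
    icmp_seq: int
    icmp_chksum: int
    icmp_chksum_ok: bool
    payload: bytes


def dissect_icmp_frame(frame: bytes) -> IcmpFrame:
    """Walk Ether -> IP -> ICMP -> Raw, the layers Scapy's .show() prints, and verify both checksums."""
    eth_dst, eth_src, eth_type = struct.unpack("!6s6sH", frame[:14])
    if eth_type != 0x0800:
        raise ValueError("EtherType 0x%04x is not IPv4" % eth_type)
    ip = frame[14:]
    ver_ihl, _tos, total_len, ip_id, _flags_frag, ttl, proto, ip_chk = struct.unpack("!BBHHHBBH", ip[:12])
    if ver_ihl >> 4 != 4 or proto != 1:
        raise ValueError("not an IPv4 packet carrying ICMP")
    ihl = (ver_ihl & 0x0F) * 4      # header length in bytes (ihl=5 -> 20)
    icmp = ip[ihl:total_len]         # stop at total_len so Ethernet padding is never checksummed
    itype, code, icmp_chk, icmp_id, seq = struct.unpack("!BBHHH", icmp[:8])
    return IcmpFrame(
        eth_dst=":".join("%02x" % b for b in eth_dst),
        eth_src=":".join("%02x" % b for b in eth_src),
        ip_id=ip_id, ip_ttl=ttl, ip_len=total_len,
        ip_src=".".join(str(b) for b in ip[12:16]),
        ip_dst=".".join(str(b) for b in ip[16:20]),
        ip_chksum=ip_chk, ip_chksum_ok=rfc1071_checksum(ip[:ihl]) == 0,
        icmp_type=ICMP_TYPES.get(itype, str(itype)), icmp_code=code,
        icmp_id=icmp_id, icmp_seq=seq,
        icmp_chksum=icmp_chk, icmp_chksum_ok=rfc1071_checksum(icmp) == 0,
        payload=icmp[8:],
    )


def build_sample_echo_reply() -> bytes:
    """Rebuild paro3[3] from the fields .show() printed, computing both checksums instead of copying them.
    Payload = Linux ping's 8-byte seconds + 8-byte microseconds (little-endian) + pattern bytes 0x10..0x37."""
    payload = struct.pack("<QQ", 0x6938DE6E, 0x00090287) + bytes(range(0x10, 0x38))
    icmp_hdr = struct.pack("!BBHHH", 0, 0, 0, 0xB2ED, 2)  # echo-reply, code 0, id 0xb2ed, seq 2
    icmp = struct.pack("!BBHHH", 0, 0, rfc1071_checksum(icmp_hdr + payload), 0xB2ED, 2) + payload

    def ip_header(chk):  # version 4, ihl 5, len 84, id 2449, no flags, ttl 64, proto icmp
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 2449, 0, 64, 1, chk,
                           bytes([10, 6, 6, 23]), bytes([10, 6, 6, 1]))

    ip = ip_header(rfc1071_checksum(ip_header(0)))
    eth = bytes.fromhex("0242b1aeeb4f") + bytes.fromhex("02420a060617") + b"\x08\x00"
    return eth + ip + icmp


if __name__ == "__main__":
    print(dissect_icmp_frame(build_sample_echo_reply()))
```

The checksum check is the part Scapy's .show() does not do for you: flipping a single payload byte leaves every printed field looking normal but makes icmp_chksum_ok false, which is how a dissector distinguishes a packet that was modified in transit from one that merely looks odd.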
6. Troubleshooting
Common issues:
No packets captured
- Verify the interface with ifconfig (or ip addr) and make sure the traffic you generate actually crosses it: a ping to the VM's own address on a bridge (10.6.6.1 on br-internal) never leaves the loopback interface.
- Pass the correct iface= to sniff() in Scapy, and the correct -i to tcpdump.
Nmap OS detection fails
- Firewalls may block probes
- OS detection is best-effort, and "No exact OS matches" is not an error
tcpdump permission denied
Use sudo; packet capture needs raw sockets.
Wireshark shows nothing useful
Apply display filters:
icmp
smb || smb2
ip.addr == 10.6.6.23
7. Real-World Applications
These labs build skills used in:
- Asset discovery & attack surface mapping
- Vulnerability assessments
- Incident response (packet capture)
- Forensics
- Custom IDS/IPS development (Scapy)
8. GitHub Repo Structure - Example
nmap-scapy-lab/
├── README.md
├── nmap/
│   ├── nmap-host-discovery.md
│   ├── nmap-smb-enum.md
│   └── images/
│       ├── 01-nmap-host-discovery.png
│       └── 02-smb-enum.png
└── scapy/
    ├── scapy-sniffing.md
    ├── scapy-icmp-analysis.md
    └── images/
        ├── 01-scapy-summary.png
        └── 02-scapy-show.png
9. Final Reflections
This lab helped me:
- Understand Nmap flags and scan behavior
- Capture and analyze real traffic with tcpdump/Wireshark
- Use Scapy to dissect packet fields in detail
Happy scanning responsibly!
Connect
If you enjoyed this article or you're also learning DevOps, Linux, Security, or Cloud automation, I'd love to connect, share ideas, and learn.
Feel free to reach out or follow my journey on LinkedIn.