Mr Elite

Posted on • Originally published at securityelites.com

Day 8: Nmap Tutorial for Beginners — Complete Network Scanning Guide (2026)


DAY 8 OF 100
100-Day Ethical Hacking Course

Today everything you’ve learned so far clicks together into a single workflow. You understand TCP and ports from Day 5. You understand subnets from Day 6. You saw packets with Wireshark on Day 7. Now we pick up the tool that uses all of that knowledge simultaneously — and we point it at a target.

Nmap is what reconnaissance actually looks like in practice. By the end of today, you’ll run a professional-grade scan workflow on your Metasploitable 2 lab machine and understand every result it returns.

Nmap (Network Mapper) was created by Gordon “Fyodor” Lyon in 1997 and has been actively developed ever since. It is installed on more professional penetration testers’ machines than any other tool. The OSCP exam, every CTF, every real-world assessment — Nmap is the starting point. Understanding it deeply is not optional.

I’m going to teach you Nmap the way I teach it in professional training: by building from simple host discovery upward to full service enumeration and scripted vulnerability detection. Each layer of complexity builds directly on the previous one. No magic commands you copy-paste without understanding.

🧪 Lab Requirement — Metasploitable 2
Today we scan Metasploitable 2 — a deliberately vulnerable VM. If you haven’t set it up yet, visit our lab setup guide. It runs as a VirtualBox VM on your host-only network alongside Kali. Its IP is typically 192.168.56.101 — confirm with arp -a from Kali after booting it. We scan only within our own lab — never external targets.

📋 Day 8 Contents

  1. How Nmap Works — The Basics
  2. Host Discovery — Finding Live Targets
  3. Scan Types — SYN, TCP, UDP & More
  4. Service & Version Detection (-sV)
  5. OS Fingerprinting (-O)
  6. NSE Scripts — Beyond Basic Scanning
  7. Timing & Output Formats
  8. Reading & Interpreting Results
  9. Nmap Cheat Sheet
  10. Day 8 Practical Task

How Nmap Works — What Happens When You Run a Scan

Nmap is fundamentally a packet-crafting and response-reading tool. It constructs specific network packets, sends them to targets, and interprets the responses to draw conclusions about what’s running. Understanding this at the packet level — which you can now do thanks to Days 5 and 7 — means you understand why different scan types produce different results and have different detectability profiles.

PHASE 1
Host Discovery
Which IPs in the range are actually alive? Nmap uses ICMP pings, ARP requests, and TCP probes to find live hosts before scanning ports.

PHASE 2
Port Scanning
For each live host, probe ports to determine their state: open, closed, or filtered. Default scans the 1,000 most common ports.

PHASE 3
Service Detection
Connect to open ports and probe the service to identify what’s running and its version. Apache 2.4.29? OpenSSH 7.4? Nmap tells you.

PHASE 4
Script Execution
Run NSE scripts against detected services — enumerate users, check for known vulnerabilities, test for misconfigurations.

Phase 1: Host Discovery — Finding What’s Alive

Before scanning ports, Nmap needs to know which hosts are alive. Scanning thousands of ports on IP addresses that aren’t even up wastes enormous time. Host discovery is the filter that tells Nmap where to focus its effort.

Host discovery — finding live hosts in your lab

Ping scan — which hosts respond to ICMP?

nmap -sn 192.168.56.0/24
Nmap scan report for 192.168.56.1
Host is up (0.00072s latency).
Nmap scan report for 192.168.56.101
Host is up (0.0012s latency).
2 hosts up, 254 scanned in 2.31 seconds

-sn = “scan no ports” — host discovery only

On a local Ethernet segment, Nmap uses ARP requests by default when it has raw-socket privileges (run it with sudo), because ARP is more reliable than ICMP.

Skip host discovery — treat all hosts as alive (use for firewalled targets)

nmap -Pn 192.168.56.101

Assumes host is up even if it doesn’t respond to pings

ARP ping only — fastest on local networks (-sn keeps this to host discovery; -PR on its own would go on to scan ports)

sudo nmap -sn -PR 192.168.56.0/24

Save only the live hosts for later scanning

nmap -sn 192.168.56.0/24 -oG - | grep "Up" | cut -d" " -f2 > live_hosts.txt
cat live_hosts.txt
192.168.56.1
192.168.56.101
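As an added example (not part of the original post), this POSIX shell script generalises the one-liner above: instead of a plain grep for "Up", it parses grepable (-oG) output with awk to list live hosts, and then, from a port-scan report in the same format, pulls only the ports Nmap marked open so that a later -sV or NSE pass can be pointed at exactly those. The scan output, the hostname metasploitable and the port list are constructed placeholders, not captured from a real scan.

```shell
#!/bin/sh
# Added example (not from the original post): parse Nmap grepable (-oG) output.
# Both samples below are constructed by hand, not captured from a real scan;
# the hostname "metasploitable" and the port list are placeholders.
TAB=$(printf '\t')   # grepable output separates the fields on a Host: line with tabs

DISCOVERY_SAMPLE="# Nmap scan initiated as: nmap -sn -oG - 192.168.56.0/24
Host: 192.168.56.1 ()${TAB}Status: Up
Host: 192.168.56.100 ()${TAB}Status: Down
Host: 192.168.56.101 (metasploitable)${TAB}Status: Up
# Nmap done -- 256 IP addresses (2 hosts up) scanned"

PORTSCAN_SAMPLE="# Nmap scan initiated as: nmap -sS -oG - 192.168.56.101
Host: 192.168.56.101 ()${TAB}Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 25/filtered/tcp//smtp///, 80/open/tcp//http///${TAB}Ignored State: closed (996)
# Nmap done -- 1 IP address (1 host up) scanned"

# live_hosts OUTPUT: print the IP of every host reported Up.
# Anchoring on "^Host:" and "Status: Up" avoids the false match a bare grep "Up"
# gives when a hostname such as "Uplink" sits on a Status: Down line.
live_hosts() {
    printf '%s\n' "$1" | awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# open_ports IP OUTPUT: print "port/proto service" for each port marked open on IP.
# A Ports: entry is port/state/proto/owner/service/rpc/version/ ; filtered and
# closed entries are skipped so the list can feed the next phase (-sV, NSE).
open_ports() {
    printf '%s\n' "$2" | awk -v ip="$1" '
        /^Host:/ && $2 == ip && /Ports:/ {
            sub(/.*Ports: /, "")          # keep only the port list
            sub(/\t.*/, "")               # drop trailing fields such as Ignored State
            n = split($0, entry, ", ")
            for (i = 1; i <= n; i++) {
                split(entry[i], f, "/")
                if (f[2] == "open") print f[1] "/" f[3] " " f[5]
            }
        }'
}

# Stand-alone run: the discovery list first, then open ports on the lab box.
live_hosts "$DISCOVERY_SAMPLE"
open_ports 192.168.56.101 "$PORTSCAN_SAMPLE"
```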

Phase 2: Scan Types — Choosing How to Probe Ports

Different scan types use different techniques to probe ports — each with different speed, reliability, and detectability trade-offs. You need to know what each type actually does at the packet level, because that determines when and why you’d choose it in a real assessment.

| Flag | Scan Type | Root Needed? | How It Works | When to Use |
|------|-----------|--------------|--------------|-------------|
| -sS | SYN (Stealth) | Yes | SYN → SYN-ACK → RST (never completes the handshake) | Default for authorised scans — fast, reliable, less logged |
| -sT | TCP Connect | No | Full three-way handshake — uses the OS connect() syscall | When you have no root access — slower and more detectable |
| -sU | UDP | Yes | Sends UDP probes — no response = open\|filtered, ICMP port unreachable = closed | Find UDP services: DNS (53), SNMP (161), TFTP (69) |
| -sA | ACK | Yes | Sends ACK packets — maps firewall rules, not open ports | Understanding firewall rules — which ports are filtered vs unfiltered |
| -sN | NULL | Yes | Sends a packet with no TCP flags set | Evade some stateless firewalls — unreliable on Windows |



This article was originally written and published by the SecurityElites team. For more cybersecurity tutorials, ethical hacking guides, and CTF walk-throughs, visit SecurityElites.