
Network Reconnaissance with Nmap - Your First Real Kali Linux Scanning Lab

Jay, Jan 29, 2025

Before completing this lab, ensure you are working in a legal and safe environment. If you haven't already, you can set up your own hacking lab by completing our first tutorial:

Setting Up Your Free Virtual Hacking Environment

Now we finally start doing something that actually feels like hacking.

We are going to use one of the most important tools in cybersecurity:

Nmap

Nmap stands for:

Network Mapper


And honestly, if you stay in cybersecurity long enough, you will use Nmap constantly.

Penetration testers use it.
System administrators use it.
Blue teams use it.
Red teams use it.
Security researchers use it.

Because before you can attack or secure anything, you first need to understand what exists on the network.

That process is called:

Reconnaissance

Or simply:

Recon

Recon is the process of gathering information about systems, devices, services, and networks.

This is one of the most important phases of ethical hacking.

And beginners constantly underestimate it.

A lot of real-world compromises happen because organizations expose services they forgot existed.

That is where Nmap becomes incredibly powerful.

What We Will Be Scanning

Inside our VMware hacking lab, we already installed:

  • Kali Linux
  • Metasploitable

Metasploitable is intentionally vulnerable.

That makes it the perfect target for learning reconnaissance and enumeration.

Our goal is NOT to immediately exploit things.

That beginner mindset is backwards.

First, we learn how attackers identify targets.

Step 1 – Boot Up Both Virtual Machines

Start:

  • Your Kali Linux VM
  • Your Metasploitable VM

Wait until both fully load.

Log into Metasploitable using:

Username: msfadmin
Password: msfadmin


You should now have:

  • Kali Linux = attacker machine
  • Metasploitable = target machine

Step 2 – Find The IP Address of Metasploitable

Inside the Metasploitable terminal, type:

ifconfig


You will see one section per network interface.

Ignore the lo (loopback) section, which always shows 127.0.0.1, and look in the eth0 section for a line similar to:

inet addr:192.168.x.x


Your IP will probably not match mine exactly.

Example:

192.168.182.130


Write this down.

This is the target IP we will scan from Kali Linux.

Step 3 – Open The Kali Linux Terminal

Inside Kali Linux, open your terminal.

First, let’s verify connectivity.

Use:

ping TARGET-IP


Example:

ping 192.168.182.130


If everything is working correctly, you should start seeing replies.

Example:

64 bytes from 192.168.182.130


Press:

CTRL + C


to stop the ping.

If ping does not work:

  • Verify both VMs are running
  • Verify both VMs are on the same virtual network (NAT, as configured in VMware for this lab)
  • Verify the target IP is correct

In this lab the target answers ping, so no reply means something in the setup is wrong. On real networks, hosts and firewalls often drop ICMP, so a failed ping by itself never proves a host is down.

Step 4 – Understanding Ports

Before using Nmap, you need to understand ports.

Devices communicate through ports.

Think of ports like doors into services running on a machine.

Examples:

Port   Service
21     FTP
22     SSH
23     Telnet
25     SMTP
53     DNS
80     HTTP
443    HTTPS

If a port is open, a process on that machine is listening on it and accepting connections.

That could be:

  • a web server,
  • remote login service,
  • database,
  • mail server,
  • or vulnerable application.

Nmap helps us discover those services.

Step 5 – Running Your First Nmap Scan

Run:

nmap TARGET-IP

Example:

nmap 192.168.182.130


With no extra flags (and no sudo), Nmap runs a TCP connect scan against the 1,000 most commonly used TCP ports.

After several seconds, you should see results similar to the following (a real Metasploitable scan lists many more open ports than this):

PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http


This is your first real reconnaissance scan.

Already, we learned:

  • the target is alive,
  • multiple services are exposed,
  • and several possible attack surfaces exist.

This is how hacking actually starts.

Not with movie scenes.

With information gathering.

Step 6 – Understanding Open Ports

Let’s break down one line:

23/tcp open telnet


This means:

  • Port 23 is open
  • The service is reached over TCP
  • Nmap labels it telnet from its port-number table (a plain port scan has not talked to the service yet; that comes in Step 7)

Telnet is old and insecure: the username, password, and the entire session cross the network in cleartext.

That immediately tells experienced attackers something important.

Many vulnerabilities are discovered purely through service identification.

Step 7 – Service Version Detection

Now let’s gather more information.

Use:

nmap -sV TARGET-IP


Example:

nmap -sV 192.168.182.130


The -sV flag tells Nmap to send probes to each open port and identify the software and its version from the responses, instead of guessing from the port number.

Now you may see results like:

vsftpd 2.3.4
Apache httpd 2.2.8
OpenSSH 4.7p1


This is extremely valuable information.

Because vulnerabilities are often tied to specific versions.

Attackers constantly search for:

  • outdated software,
  • unpatched systems,
  • vulnerable versions,
  • forgotten services.

Step 8 – Aggressive Scanning

Now let’s run a more detailed scan.

Use:

sudo nmap -A TARGET-IP


Example:

sudo nmap -A 192.168.182.130


This enables:

  • OS detection (-O, which needs root, hence the sudo)
  • service version detection (-sV)
  • default script scanning (-sC)
  • traceroute (--traceroute)

This scan takes longer.

But the amount of information returned becomes much larger.

You may see:

  • operating system guesses,
  • service banners,
  • server details,
  • additional information about running services.

This is why reconnaissance matters so much.

Step 9 – Scanning All Ports

By default, Nmap scans only the 1,000 most common ports.

But a system has:

65535


possible TCP ports (1 through 65535).

To scan all ports:

nmap -p- TARGET-IP


Example:

nmap -p- 192.168.182.130


This takes longer, because every one of those ports gets probed.

But sometimes attackers discover forgotten services running on uncommon ports, and organizations miss this stuff constantly.

A useful habit is to keep the full sweep fast by leaving out -sV, then run version detection only against the ports the sweep found open.
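Putting Steps 7 and 9 together, here is that two-stage workflow as a script. This is an added example, not code from the original tutorial: it sweeps all TCP ports without version probes, extracts the open ports from Nmap's grepable output (-oG), and then runs -sV and the default scripts against only those ports. The target IP and the sample scan file are constructed for the example; the aggressive timing flags suit a local lab and should be dropped on a production network.

```shell
#!/bin/sh
# Added example: two-stage Nmap recon. Stage 1 sweeps all 65535 TCP ports
# quickly; stage 2 runs version detection and default scripts only on the
# ports stage 1 found open. nmap is only invoked inside recon_target.

# Pull a sorted, comma-separated list of open TCP ports out of grepable
# output (-oG). Each entry there looks like "22/open/tcp//ssh///".
extract_open_ports() {
    gnmap_file="$1"
    grep 'Ports: ' "$gnmap_file" \
        | sed -e 's/.*Ports: //' -e 's/[[:space:]]*Ignored State.*//' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//' \
        | awk -F/ '$2 == "open" { print $1 }' \
        | sort -n -u \
        | paste -sd, -
}

# Constructed sample of a -oG file, modelled on a Metasploitable sweep, so
# extract_open_ports can be exercised without running nmap at all.
write_sample_gnmap() {
    cat > "$1" <<'EOF'
# Nmap 7.94 scan initiated Wed Jan 29 10:00:00 2025 as: nmap -p- -oG sample.gnmap 192.168.182.130
Host: 192.168.182.130 ()  Status: Up
Host: 192.168.182.130 ()  Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 23/open/tcp//telnet///, 80/open/tcp//http///, 135/filtered/tcp//msrpc///, 3306/open/tcp//mysql///  Ignored State: closed (65529)
# Nmap done at Wed Jan 29 10:01:30 2025 -- 1 IP address (1 host up) scanned in 90.12 seconds
EOF
}

# Stage 1: full TCP sweep, no version probes, saved as normal (-oN) and
# grepable (-oG) output. Stage 2: -sV plus the default NSE scripts (-sC)
# on the open ports only. -T4/--min-rate are lab-only speed settings.
recon_target() {
    target="$1"
    base="scan-$target"
    sudo nmap -p- -T4 --min-rate 1000 -oN "$base-allports.txt" -oG "$base-allports.gnmap" "$target"
    ports=$(extract_open_ports "$base-allports.gnmap")
    if [ -z "$ports" ]; then
        echo "no open TCP ports found on $target" >&2
        return 1
    fi
    echo "open TCP ports: $ports"
    sudo nmap -sV -sC -p "$ports" -oN "$base-services.txt" "$target"
}

# With no argument, demonstrate the parser on the constructed sample.
# With a target IP, run the real two-stage scan: ./recon.sh 192.168.182.130
if [ "$#" -eq 0 ]; then
    sample=$(mktemp)
    write_sample_gnmap "$sample"
    echo "open ports in sample: $(extract_open_ports "$sample")"
    rm -f "$sample"
else
    recon_target "$1"
fi
```

The filtered port in the sample is dropped on purpose: only ports Nmap reports as open are handed to the slower second stage, which is why the sweep of 65535 ports plus a targeted -sV finishes far sooner than nmap -p- -sV in one go.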

Step 10 – Saving Scan Results

Professional testers document everything.

Save results with:

nmap -oN results.txt TARGET-IP


Example:

nmap -oN metasploitable-scan.txt 192.168.182.130


Now your scan results are stored in a file in Nmap's normal, human-readable format. Nmap can also write XML (-oX) or grepable (-oG) output, or all three at once with -oA basename.

You can later review them using:

cat metasploitable-scan.txt


or:

less metasploitable-scan.txt


Step 11 – Understanding TCP vs UDP

Most beginner scans focus on TCP.

But UDP exists too.

Examples of UDP services:

  • DNS
  • DHCP
  • SNMP
  • VPN services

UDP scanning is slower and more ambiguous: a UDP port that never answers may be open or may be firewalled, so Nmap reports many ports as open|filtered.

Basic UDP scan (it sends raw packets, so it needs root):

sudo nmap -sU TARGET-IP


Because a full UDP sweep can take hours, it is common to limit it, for example with --top-ports 100.

UDP is important because many organizations completely ignore it.

Step 12 – Understanding Stealth Scanning

Nmap includes multiple scan types.

One famous example is:

SYN scanning


Example:

sudo nmap -sS TARGET-IP


This is often called a:

half-open scan


Nmap sends a SYN, and if the port answers with SYN/ACK it replies with RST instead of finishing the three-way handshake. Because no connection is ever completed, the service on the other end usually never sees or logs it, which is where the "stealth" reputation comes from. Firewalls and intrusion detection systems still see every packet.

It needs raw-socket privileges, which is why the command uses sudo. When you run Nmap as root it uses SYN scanning by default; as an ordinary user it falls back to a full TCP connect scan (-sT), which is what the scans you ran without sudo above actually used.

This is where you start realizing Nmap is far more than a “port scanner.”

It is an extremely advanced reconnaissance framework.

Step 13 – Identifying Attack Surface

At this point, look at your results critically.

Questions attackers ask:

  • Are outdated services running?
  • Are unnecessary ports exposed?
  • Is remote login enabled?
  • Are default services active?
  • Are old protocols still supported?
  • Is anonymous access allowed?
  • Are development services exposed publicly?

Most systems are not compromised through magic.

They are compromised through bad configuration.
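To turn the file saved in Step 10 into answers for the questions in Step 13, here is a small triage script. It is an added example, not part of the original tutorial: it reads a normal-format (-oN) file from a -sV scan, lists every open port with its detected version, counts them, and pulls out the services that carry logins in cleartext (Telnet, FTP and the BSD r-services). The sample scan output is constructed for the example and modelled on Metasploitable; the service names it keys on are the ones Nmap prints in its SERVICE column.

```shell
#!/bin/sh
# Added example: triage helpers over a saved "nmap -sV -oN" file.

# Print "port service version" for each open port in the PORT/STATE/SERVICE
# table. Only table rows start with "<number>/tcp" or "<number>/udp".
open_services() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
            version = ""
            for (i = 4; i <= NF; i++) version = version (i > 4 ? " " : "") $i
            print $1, $3, (version == "" ? "(no version)" : version)
        }' "$1"
}

count_open_ports() {
    open_services "$1" | awk 'END { print NR }'
}

# Telnet, FTP and the r-services (rexec/rlogin/rsh on 512-514) send
# credentials unencrypted; list them separately so they are not missed.
flag_cleartext_services() {
    open_services "$1" | awk '$2 == "telnet" || $2 == "ftp" || $2 == "exec" || $2 == "login" || $2 == "shell"'
}

# Constructed sample of "nmap -sV -oN ..." output, modelled on Metasploitable.
write_sample_scan() {
    cat > "$1" <<'EOF'
# Nmap 7.94 scan initiated Wed Jan 29 10:05:00 2025 as: nmap -sV -oN metasploitable-scan.txt 192.168.182.130
Nmap scan report for 192.168.182.130
Host is up (0.00041s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.3.4
22/tcp   open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet  Linux telnetd
80/tcp   open  http    Apache httpd 2.2.8 ((Ubuntu) DAV/2)
512/tcp  open  exec    netkit-rsh rexecd
3306/tcp open  mysql   MySQL 5.0.51a-3ubuntu5
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
# Nmap done at Wed Jan 29 10:05:40 2025 -- 1 IP address (1 host up) scanned in 40.21 seconds
EOF
}

# Usage: triage_scan metasploitable-scan.txt
triage_scan() {
    echo "== open ports: $(count_open_ports "$1")"
    open_services "$1"
    echo "== cleartext login services (fix or retire these first):"
    flag_cleartext_services "$1"
}

# With no argument, run the triage on the constructed sample.
if [ "$#" -eq 0 ]; then
    sample=$(mktemp)
    write_sample_scan "$sample"
    triage_scan "$sample"
    rm -f "$sample"
else
    triage_scan "$1"
fi
```

The version strings this prints (vsftpd 2.3.4, OpenSSH 4.7p1, Apache httpd 2.2.8) are exactly what you search for next; the cleartext list is the "old protocols still supported" question answered directly from your own saved output.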

Step 14 – Common Beginner Mistakes

Scanning The Wrong IP

Beginners constantly scan:

127.0.0.1


without realizing they are scanning themselves.

Verify target IPs carefully.

Ignoring Service Versions

Service detection matters enormously.

Version numbers often reveal vulnerabilities.

Running Only Default Scans

Default scans are useful, but limited.

Learn scan flags.

Trying To Exploit Everything Immediately

Slow down.

Enumeration comes first.

Professionals spend huge amounts of time gathering information before exploitation.

Step 15 – Why Nmap Matters So Much

Nmap teaches several critical cybersecurity concepts:

  • Networking
  • Services
  • Ports
  • Enumeration
  • Fingerprinting
  • Attack surface analysis
  • Documentation
  • Reconnaissance methodology

And honestly, good reconnaissance separates beginners from professionals.

Because skilled attackers are not randomly smashing buttons.

They are collecting information methodically.

Bonus – Useful Beginner Nmap Commands

Ping Scan Only

Discover live hosts across the whole /24 (256 addresses) without port scanning them:

nmap -sn 192.168.182.0/24


Scan Specific Ports

nmap -p 21,22,80 TARGET-IP


Fast Scan (only the 100 most common ports)

nmap -F TARGET-IP


Detect Operating System (needs root)

sudo nmap -O TARGET-IP


Increase Scan Verbosity

nmap -v TARGET-IP


Closing Thoughts

Nmap is one of the most important tools in cybersecurity.

And the crazy part is:

We barely scratched the surface.

Professional testers use Nmap for:

  • large network mapping,
  • vulnerability discovery,
  • firewall analysis,
  • host discovery,
  • scripting,
  • automation,
  • and advanced reconnaissance.

But even learning basic Nmap usage immediately starts teaching you how networks actually work.

And that understanding matters far more than blindly running exploits.

In the next tutorials, we will continue exploring Kali Linux tools, service enumeration, vulnerability analysis, and real-world penetration testing concepts inside our hacking lab.

Please Subscribe to keep up with future tutorials, and always feel free to contact me or leave a comment below.