CyberSchool Module 3 · Reconnaissance
Home › Module 3 › Nmap & Scanning
Lesson 5

Reconnaissance & Nmap

Before anyone can secure — or test — a network, they have to know what's on it. That discovery phase is called reconnaissance. This lesson teaches the essential recon commands and then goes deep on Nmap, the world's most famous scanning tool.

Read this before you scan anything Scanning maps out other people's computers. Doing it without permission is illegal — in Zambia it falls under the Cyber Security and Cyber Crimes Act, and similar laws exist worldwide. Only scan machines you own or have explicit written authorisation to test. In this lesson we scan your own Kali machine and your own lab target (Metasploitable) — both set up in Module 2. There are also public, legal practice targets like scanme.nmap.org, which the Nmap project permits people to scan for learning.

What is reconnaissance?

Reconnaissance (“recon”) means gathering information about a target before doing anything else. Defenders do it to know their own attack surface; testers do it to understand what they're authorised to assess.

Analogy — A building inspector A safety inspector walks around a building first: how many doors and windows are there? Which are unlocked? Which look old and weak? They map the building before checking any single lock. Recon is that walk-around for a network — and a good defender does it on their own building to fix weak spots before an intruder finds them.

Warm-up recon commands (a quick recap)

$ ping -c 4 192.168.56.101 # is this host alive? send 4 test packets $ traceroute 192.168.56.101 # what path do packets take to reach it? $ dig +short example.com # DNS: what IP does a name point to? $ whois example.com # public registration info about a domain

These answer “is it there?” and “how do I reach it?” Nmap answers the much richer question: “what is actually running on it?”

Tool deep dive: Nmap

What it is & why it exists

Nmap (“Network Mapper”) is a free, open-source scanner created by Gordon Lyon in 1997. It sends carefully crafted packets to a target and studies the replies to work out: which hosts are alive, which ports are open, what services those ports run, which software versions they use, and often which operating system the host runs. It exists because you cannot protect (or assess) what you cannot see.

Analogy — Knocking on every door Recall from Lesson 3 that ports are numbered doors on a computer. Nmap politely knocks on each door and listens: a door that answers is open (a service is home), a door that says “go away” is closed, and a door with no reply at all is filtered (a firewall is blocking the knock). From who answers, Nmap builds a map of the building.

Installing Nmap

Kali ships with Nmap already. On other systems:

$ sudo apt update && sudo apt install nmap # Debian/Ubuntu/Kali $ nmap --version # confirm it's installed

Step 1 — Host discovery (who's alive?)

First, find live hosts on your lab network without scanning ports yet:

$ nmap -sn 192.168.56.0/24 # -sn = "ping scan": just discover which hosts are up, no port scan. # The /24 scans the whole subnet (256 addresses).

What it does: lists every device that responds on your lab subnet. When you'd use it: the very first step — turn a range of addresses into a short list of real machines.

Step 2 — Port scanning (which doors are open?)

$ nmap 192.168.56.101 # Default scan: checks the 1000 most common TCP ports.

Nmap has several ways to knock. The most important:

FlagScan typeHow it works (simply)Needs sudo?
-sSSYN / “stealth”Sends SYN, reads the reply, never finishes the handshake. Fast & quiet. The default when run as root.Yes
-sTTCP connectCompletes the full handshake. Works without special privileges.No
-sUUDPScans UDP ports (DNS, DHCP). Slower, but finds services TCP scans miss.Yes
Connecting back to the handshake A SYN scan is the three-way handshake from Lesson 3, deliberately left unfinished: Nmap sends SYN; if it gets SYN-ACK the port is open; if it gets a reset (RST) the port is closed. That's the whole trick.

Step 3 — Service & version detection (what's behind the door?)

$ nmap -sV 192.168.56.101 # -sV = probe open ports to learn the service and its exact version.

Why it matters: knowing a port is open is useful; knowing it runs, say, an old, outdated version of a web server is what tells a defender exactly what to patch. Version info is the bridge from “scanning” to “vulnerability assessment” (Module 5).

Step 4 — OS detection & the aggressive scan

$ nmap -O 192.168.56.101 # guess the operating system $ nmap -A 192.168.56.101 # "aggressive": -sV + -O + scripts + traceroute in one $ nmap -p- 192.168.56.101 # scan ALL 65535 ports, not just the top 1000 $ nmap -T4 -A 192.168.56.101 # -T4 = faster timing (good on a fast lab network)

Step 5 — A taste of the Nmap Scripting Engine (NSE)

Nmap can run small scripts to do deeper checks. These range from harmless information-gathering to safe, well-known vulnerability checks. Start with the gentle ones:

$ nmap -sV --script=banner 192.168.56.101 # Grab the "banner" text services announce — often reveals software names. $ nmap --script=default 192.168.56.101 # Run the safe default script set for extra detail.

We'll dedicate real time to NSE and vulnerability scanning in Module 5. For now, just know the capability exists and always run scripts only against authorised lab targets.

Saving your results (like a professional)

$ nmap -A 192.168.56.101 -oN scan.txt # -oN = save human-readable output to a file $ nmap -A 192.168.56.101 -oX scan.xml # -oX = save as XML for reports/other tools

Real engagements require documentation. Saving scans is how you write findings into a report later.

Try It Yourself (practice terminal)

This is a simulated scan of a practice target. Try: nmap -sn 192.168.56.0/24, nmap 192.168.56.101, or nmap -sV 192.168.56.101.

kali@lab: ~
Simulated lab scan. Target 192.168.56.101 is a practice VM. Try a command below.
kali@lab:~$

Reading Nmap output

Every scan reports a state for each port. Learn these four words:

StateMeaning
openA service is actively listening — a live door.
closedReachable, but nothing is listening on that port.
filteredA firewall is blocking the probe — Nmap can't tell.
open|filteredNmap couldn't decide between the two (common with UDP).
Practical Exercise 5.1 — Full scan of your lab target

Run against your own Metasploitable VM (or scanme.nmap.org, which the Nmap project allows for practice). Replace the IP with your target's address.

  1. Discover which hosts are up on your lab subnet:
    $ nmap -sn 192.168.56.0/24
    Note the target's IP (e.g. 192.168.56.101).
  2. Find open ports:
    $ nmap 192.168.56.101
    You should see several open ports — a deliberately weak machine has many doors open.
  3. Identify the software and versions behind them, and save the results:
    $ sudo nmap -sV -O 192.168.56.101 -oN target-scan.txt
    Open target-scan.txt with less target-scan.txt. You now have a documented inventory: services, versions, and a guessed OS.
  4. Analyse like a defender: for each old version you see, write one sentence: “This service is outdated and should be updated or removed.” That single habit is the heart of vulnerability assessment — which is exactly where Module 5 picks up.
Quick check: A port shows as filtered. What does that most likely mean?
A service is definitely running there
A firewall is blocking Nmap's probe, so it can't tell
The host is powered off
The port number is invalid
filtered means something (usually a firewall) is dropping the probe, so Nmap gets no clear answer. open = listening, closed = reachable but nothing home.
Why does this matter for your career? Nmap is on virtually every security job description. Penetration testers use it to map targets; defenders and network admins use it to audit their own estate and catch unexpected open ports before attackers do. It is core material for CEH and appears throughout Security+ and CCNA Security. Master Nmap and you've mastered the single most-used tool in the field.

Key takeaways

  • Reconnaissance is mapping what's on a network before anything else — and it's a defensive skill first.
  • Nmap discovers hosts (-sn), scans ports, and identifies services (-sV) and operating systems (-O).
  • A SYN scan (-sS) is just an unfinished TCP handshake; port states are open, closed, filtered.
  • Always save results (-oN) and always scan only authorised targets.
CyberSchool · Module 3, Lesson 5. Scan only systems you own or are authorised to test.