Reconnaissance & Nmap
Before anyone can secure — or test — a network, they have to know what's on it. That discovery phase is called reconnaissance. This lesson teaches the essential recon commands and then goes deep on Nmap, the world's most famous scanning tool.
What is reconnaissance?
Reconnaissance (“recon”) means gathering information about a target before doing anything else. Defenders do it to know their own attack surface; testers do it to understand what they're authorised to assess.
Warm-up recon commands (a quick recap)
These answer “is it there?” and “how do I reach it?” Nmap answers the much richer question: “what is actually running on it?”
Tool deep dive: Nmap
What it is & why it exists
Nmap (“Network Mapper”) is a free, open-source scanner created by Gordon Lyon in 1997. It sends carefully crafted packets to a target and studies the replies to work out: which hosts are alive, which ports are open, what services those ports run, which software versions they use, and often which operating system the host runs. It exists because you cannot protect (or assess) what you cannot see.
Installing Nmap
Kali ships with Nmap already. On other systems:
Step 1 — Host discovery (who's alive?)
First, find live hosts on your lab network without scanning ports yet:
What it does: lists every device that responds on your lab subnet. When you'd use it: the very first step — turn a range of addresses into a short list of real machines.
Step 2 — Port scanning (which doors are open?)
Nmap has several ways to knock. The most important:
| Flag | Scan type | How it works (simply) | Needs sudo? |
|---|---|---|---|
| -sS | SYN / “stealth” | Sends SYN, reads the reply, never finishes the handshake. Fast & quiet. The default when run as root. | Yes |
| -sT | TCP connect | Completes the full handshake. Works without special privileges. | No |
| -sU | UDP | Scans UDP ports (DNS, DHCP). Slower, but finds services TCP scans miss. | Yes |
Step 3 — Service & version detection (what's behind the door?)
Why it matters: knowing a port is open is useful; knowing it runs, say, an old, outdated version of a web server is what tells a defender exactly what to patch. Version info is the bridge from “scanning” to “vulnerability assessment” (Module 5).
Step 4 — OS detection & the aggressive scan
Step 5 — A taste of the Nmap Scripting Engine (NSE)
Nmap can run small scripts to do deeper checks. These range from harmless information-gathering to safe, well-known vulnerability checks. Start with the gentle ones:
We'll dedicate real time to NSE and vulnerability scanning in Module 5. For now, just know the capability exists and always run scripts only against authorised lab targets.
Saving your results (like a professional)
Real engagements require documentation. Saving scans is how you write findings into a report later.
This is a simulated scan of a practice target. Try: nmap -sn 192.168.56.0/24, nmap 192.168.56.101, or nmap -sV 192.168.56.101.
Reading Nmap output
Every scan reports a state for each port. Learn these four words:
| State | Meaning |
|---|---|
| open | A service is actively listening — a live door. |
| closed | Reachable, but nothing is listening on that port. |
| filtered | A firewall is blocking the probe — Nmap can't tell. |
| open|filtered | Nmap couldn't decide between the two (common with UDP). |
Run against your own Metasploitable VM (or scanme.nmap.org, which the Nmap project allows for practice). Replace the IP with your target's address.
- Discover which hosts are up on your lab subnet:
$ nmap -sn 192.168.56.0/24Note the target's IP (e.g. 192.168.56.101).
- Find open ports:
$ nmap 192.168.56.101You should see several open ports — a deliberately weak machine has many doors open.
- Identify the software and versions behind them, and save the results:
$ sudo nmap -sV -O 192.168.56.101 -oN target-scan.txtOpen target-scan.txt with less target-scan.txt. You now have a documented inventory: services, versions, and a guessed OS.
- Analyse like a defender: for each old version you see, write one sentence: “This service is outdated and should be updated or removed.” That single habit is the heart of vulnerability assessment — which is exactly where Module 5 picks up.
Key takeaways
- Reconnaissance is mapping what's on a network before anything else — and it's a defensive skill first.
- Nmap discovers hosts (-sn), scans ports, and identifies services (-sV) and operating systems (-O).
- A SYN scan (-sS) is just an unfinished TCP handshake; port states are open, closed, filtered.
- Always save results (-oN) and always scan only authorised targets.