Nmap Reconnaissance & Enumeration Lab
Conduct a scoped Nmap engagement from planning through reporting, using safe targets to practise discovery, service enumeration, NSE scripting, and documentation.
Lab Objectives
- Plan an Nmap engagement with safe, legal targets and written scope.
- Run host discovery and topology scans to build a baseline inventory.
- Enumerate services, versions, and operating systems with layered scan techniques.
- Leverage NSE scripts for vulnerability triage while recording evidence.
- Compile findings into an actionable report with remediation priorities.
Legal & Safety Prerequisites
- Nmap 7.9+ installed on Linux, macOS, or Windows (WSL recommended).
- A test network or lab target you are authorised to scan (for example, scanme.nmap.org).
- Terminal access with sudo/administrator rights for privileged scans.
- Basic understanding of TCP/IP addressing and common service ports.
Important: Only scan systems you own or have documented permission to test. Unauthorised scanning can lead to disciplinary action or legal consequences.
Part 1: Engagement Planning
Before launching a single packet, align with stakeholders to prevent scope creep and unexpected outages. Complete the checklist below in your lab notebook.
- Document the scope: target IP ranges, DNS names, maintenance windows, and prohibited techniques.
- Confirm written permission for every target asset. Never scan production systems without approval.
- Create a working directory for notes, screenshots, and Nmap output files.
- Define success metrics: hosts identified, critical ports enumerated, vulnerabilities validated.
Part 2: Discovery & Enumeration
Execute the scans in order, reviewing results between steps to avoid overwhelming the network. Swap in your authorised targets where necessary.
| Recipe | Command | Purpose | Evidence to Capture |
|---|---|---|---|
| Baseline Discovery | nmap -sn 192.168.56.0/24 | Ping sweep to identify responsive hosts and seed follow-on scans. | Save normal output (-oN) and note hosts that require alternative discovery (e.g., firewalled). |
| TCP SYN Sweep | sudo nmap -sS -p 1-1024 192.168.56.101 | Half-open (SYN) scan of privileged TCP ports to catch exposed services quickly. | Capture the state of high-value ports (22, 80, 443, etc.) and compare to expected baseline. |
| Service & Version Detection | sudo nmap -sV -O 192.168.56.101 | Fingerprint service banners and operating system details for each responsive host. | Record version strings and OS guesses for later CVE matching. |
| Vulnerability Script Scan | sudo nmap --script vuln 192.168.56.101 | Run curated NSE scripts to identify common vulnerabilities and misconfigurations. | Export results to XML/grepable format for correlation with ticketing tools. |
Use -oA scanname to export in normal, grepable, and XML formats simultaneously for easier later analysis.
Part 3: Scripted Deep Dives
Expand beyond default scripts to focus on areas of concern discovered during enumeration.
- Catalogue relevant NSE categories with nmap --script-help default,vuln,safe.
- Run targeted scripts, for example sudo nmap --script ssl-enum-ciphers -p 443 target for TLS analysis or sudo nmap --script smb-os-discovery -p 445 target on SMB hosts.
- Store script output separately and mark any errors or false positives for follow-up validation.
Prefer the safe script category on production-like assets; reserve intrusive scripts for explicit red-team scenarios.
Part 4: Reporting & Clean-up
Convert raw scan data into a concise deliverable that decision makers can act on.
- Summarise each host with discovered services, versions, and identified risks.
- Highlight unexpected open ports or services that violate policy.
- Provide reproduction steps and affected evidence (command used, timestamp, output snippet).
- Recommend mitigations (patching, firewall rule, service hardening) and assign owners.
- Store artefacts securely and sanitise the lab environment (stop scans, close terminals).
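To turn the XML produced by -oX/-oA into the per-host summary and "unexpected open ports" list that Part 4 asks for, here is an added Python example (not from the lab page or the Nmap project). The embedded XML is a constructed sample shaped like nmap -sV output, and BASELINE is an assumed policy of expected ports taken from the written scope.

```python
import xml.etree.ElementTree as ET

# Constructed sample resembling `nmap -sV -oX` output for one lab host (not real scan data).
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.56.101">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.168.56.101" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/>
        <service name="telnet"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
    </ports>
  </host>
</nmaprun>"""

# Assumed policy baseline from the written scope: ports expected to be open per host.
BASELINE = {"192.168.56.101": {22, 80, 443}}


def parse_hosts(xml_text):
    """Return {addr: [(port, proto, service, version), ...]} for hosts that are up, open ports only."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        entries = []
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            version = ""
            if svc is not None:  # -sV fills product/version only when a banner matched
                version = " ".join(filter(None, [svc.get("product"), svc.get("version")]))
            entries.append((int(port.get("portid")), port.get("protocol"), name, version))
        hosts[addr] = sorted(entries)
    return hosts


def unexpected_ports(hosts, baseline):
    """Open ports per host that the baseline does not allow: candidates for the policy-violation section."""
    return {addr: sorted(p for p, _, _, _ in entries if p not in baseline.get(addr, set()))
            for addr, entries in hosts.items()}
```

Replace SAMPLE_XML with the text of your own -oX file; the unlisted telnet port in the sample is the kind of finding that belongs in the report's "violates policy" section.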
Quick Reference Commands
- nmap -sn target/24 — Host discovery without port scanning.
- sudo nmap -sS -Pn target — SYN scan when ICMP is filtered.
- sudo nmap -sU -p 53,161 target — UDP scan for DNS/SNMP.
- sudo nmap -A target — Aggressive scan (versions, OS, traceroute).
- nmap -oA reports/target — Export in multiple formats.
Evidence Checklist
- Signed scope-of-work or written authorisation.
- Planning notes with targets, timelines, and exclusions.
- Nmap output files (normal, grepable, XML) stored in versioned folder.
- Screenshots or terminal captures of key findings.
- Final report with remediation recommendations.