Install Nmap, run your first host discovery scan, interpret open ports and service versions, and understand exactly what an attacker sees when they scan your network.
Nmap (Network Mapper) is the de facto standard tool for network discovery and security auditing. Every CEH module that involves reconnaissance uses it, and it appears in penetration testing methodologies worldwide. This guide gets you from zero to performing a real service version scan in under 20 minutes — using Kali Linux or any Debian-based system.
Nmap is pre-installed on Kali Linux. Verify it's present and check the version; you want 7.90 or later for full NSE script support:
If it's missing (unlikely on Kali), install it:
Before scanning ports, find out which hosts are alive on the network. A ping scan (-sn) skips port scanning entirely. Run as root on a local subnet it uses ARP requests, which every host on the segment answers even if it drops ICMP; beyond the local segment it sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request. It is fast and generates far less traffic than a port scan:
Most Nmap scan types need raw sockets, which require root privileges. Run sudo nmap unless you specifically want a TCP connect scan (-sT): without root, Nmap falls back to -sT as its default and cannot do SYN scanning, OS detection or ARP-based discovery.
With root privileges the default scan type is the SYN scan (-sS). Nmap sends a SYN to each port; an open port answers SYN/ACK, which Nmap immediately resets instead of completing the handshake, a closed port answers RST, and no reply (or an ICMP unreachable) marks the port filtered. Because the handshake never completes, the listening application never sees a connection and usually logs nothing, which is why it is called a stealth scan. Any IDS or firewall in the path still sees every SYN, so stealthier does not mean invisible:
Port scanning without authorisation is a criminal offence in many jurisdictions. In VAPTIC labs, your Metasploitable 2 target is pre-authorised. Never scan systems you do not own or have explicit written permission to test.
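The install check, the ping sweep and the SYN scan above chained into one lab script. This is an added example, not a script from the guide or from VAPTIC; it assumes a Debian-based host with sudo and apt-get, a lab subnet passed as the first argument (the 192.168.56.0/24 and 192.168.56.1/.101 values in the constructed sample are assumed VirtualBox host-only addresses, not values from the guide), and it writes ping.gnmap, live.txt and synscan.* into the current directory. With no argument it only runs the grepable-output parser on the constructed sample, so it can be dry-run without a target.

```shell
#!/bin/sh
# Added example (not the guide's script). Assumes Kali/Debian with sudo and
# apt-get; the subnet and addresses below are assumptions for a lab network.

# Return 0 when an "Nmap version X.YY" banner line is 7.90 or newer.
# $1 = first line of `nmap --version`, e.g. "Nmap version 7.94 ( https://nmap.org )"
nmap_version_ok() {
    ver=$(printf '%s\n' "$1" | awk '$1 == "Nmap" && $2 == "version" { print $3 }')
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    minor=${ver#*.}
    minor=${minor%%[!0-9]*}          # "94SVN" -> "94"
    [ -n "$minor" ] || return 1
    [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 90 ]; }
}

# Install Nmap if it is missing (unlikely on Kali), then warn if it is old.
require_nmap() {
    if ! command -v nmap >/dev/null 2>&1; then
        sudo apt-get update && sudo apt-get install -y nmap
    fi
    if ! nmap_version_ok "$(nmap --version | head -n 1)"; then
        echo "warning: nmap older than 7.90, some NSE scripts may be missing" >&2
    fi
}

# Print the addresses a ping sweep (-sn) marked "Status: Up" in its -oG file.
gnmap_live_hosts() {
    awk '$1 == "Host:" && /Status: Up/ { print $2 }' "$1"
}

# Constructed sample of a -sn -oG file (not a real capture), used for dry runs.
write_sample_sweep() {
    {
        printf '# Nmap 7.94 scan initiated as: nmap -sn -oG ping.gnmap 192.168.56.0/24\n'
        printf 'Host: 192.168.56.1 ()\tStatus: Up\n'
        printf 'Host: 192.168.56.101 ()\tStatus: Up\n'
        printf '# Nmap done -- 256 IP addresses (2 hosts up) scanned in 2.21 seconds\n'
    } > "$1"
}

# Step 1: host discovery (ARP on a local subnet, ICMP echo + TCP SYN/443 +
# ACK/80 elsewhere). Step 2: SYN scan only the hosts that answered.
sweep_and_scan() {
    net=$1
    require_nmap
    sudo nmap -sn -oG ping.gnmap "$net"
    gnmap_live_hosts ping.gnmap > live.txt
    echo "live hosts: $(awk 'END { print NR }' live.txt)"
    # -sS needs root; -iL reads targets from a file; -oA keeps all output formats
    sudo nmap -sS -oA synscan -iL live.txt
}

if [ $# -gt 0 ]; then
    sweep_and_scan "$1"
else
    # No subnet given: dry-run the parser on the constructed sample only.
    tmp=$(mktemp)
    write_sample_sweep "$tmp"
    gnmap_live_hosts "$tmp"
    rm -f "$tmp"
fi
```

Run it as `sh sweep.sh 192.168.56.0/24` from the Kali VM. Feeding only the live hosts to -sS keeps the port scan from spending its time on 250 silent addresses, and saving the sweep with -oG is what makes the host list reusable.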
Knowing a port is open is useful. Knowing what version of software is listening is essential for vulnerability research. The -sV flag sends probes from Nmap's nmap-service-probes database to each open port and matches the responses against its signature list to identify the service and, where possible, the product and version:
OpenSSH 4.7 was released in 2007, and the 4.7p1 Debian 8ubuntu1 build here shipped with Ubuntu 8.04 in 2008; it has multiple known CVEs. Apache 2.2.8 is equally outdated. A real attacker cross-references these version strings against the NVD and Exploit-DB immediately, which is exactly what Module 3 of CEH v13 (Scanning Networks) teaches. Treat the banner as a lead rather than proof: distributions backport security fixes without changing the version number, and a banner can be edited or faked, so a version match needs confirming before you call it a vulnerability.
The -O flag enables OS fingerprinting from TCP/IP stack quirks (window sizes, TCP options, IP ID and initial sequence number behaviour); it works best when the target has at least one open and one closed TCP port to probe. The -A flag combines version detection (-sV), OS detection (-O), the default NSE script set (-sC) and traceroute in one aggressive mode:
The -T4 flag sets the timing template to "aggressive": shorter probe timeouts, less waiting for slow hosts and a cap on the dynamic scan delay. It is quicker, but on a slow, congested or rate-limited link it can miss ports. Use -T3 (normal, the default) outside the lab, especially against production systems.
In real engagements you need to save results. Nmap's three main output formats are normal (-oN), XML (-oX) and grepable (-oG); -oA <basename> writes all three at once as basename.nmap, basename.xml and basename.gnmap:
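The version scan, OS detection, timing and -oA steps above as one script that also reads the grepable output back, listing each open port with its service and version and extracting the version strings to look up. This is an added example, not a script from the guide; it assumes the Metasploitable 2 VM is reachable at the address passed as the first argument (192.168.56.101 in the constructed sample is an assumed lab address), and the sample .gnmap file is constructed to resemble the guide's output, not a real capture. With no argument it only runs the parser on that sample.

```shell
#!/bin/sh
# Added example (not the guide's script). The target address and output file
# names are assumptions for a lab run.

# Print one "host port/proto service<TAB>version" line per OPEN port in a
# .gnmap file. Each Ports: entry has seven slash-separated fields:
# port/state/proto/owner/service/rpc-info/version. Nmap writes a literal slash
# inside a field as "|" so the split stays unambiguous.
gnmap_open_ports() {
    awk 'BEGIN { FS = "\t" }
    $1 ~ /^Host: / {
        split($1, h, " "); host = h[2]
        for (i = 2; i <= NF; i++) {
            if (index($i, "Ports: ") != 1) continue
            n = split(substr($i, 8), entry, ", ")
            for (j = 1; j <= n; j++) {
                split(entry[j], f, "/")
                if (f[2] == "open")
                    printf "%s %s/%s %s\t%s\n", host, f[1], f[3], f[5], f[7]
            }
        }
    }' "$1"
}

# Keep only the records that carry a product/version string (an empty version
# gives nothing to look up), de-duplicated: the list to check against NVD and
# Exploit-DB, remembering that a banner version is a lead, not proof.
versions_to_research() {
    gnmap_open_ports "$1" | awk 'BEGIN { FS = "\t" } $2 != "" { print $2 }' | LC_ALL=C sort -u
}

# Constructed sample of what -sV -O -oA leaves in scan.gnmap (not a real capture).
write_sample_scan() {
    {
        printf '# Nmap 7.94 scan initiated as: nmap -sV -O -T4 -oA scan 192.168.56.101\n'
        printf 'Host: 192.168.56.101 ()\tStatus: Up\n'
        printf 'Host: 192.168.56.101 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.2.8 ((Ubuntu) DAV|2)/, 139/open/tcp//netbios-ssn///, 8180/filtered/tcp//unknown///\tIgnored State: closed (995)\tOS: Linux 2.6.9 - 2.6.33\n'
        printf '# Nmap done -- 1 IP address (1 host up) scanned in 14.02 seconds\n'
    } > "$1"
}

# -sV version probes, -O OS fingerprint (wants one open and one closed port),
# -T4 lab timing (use -T3 outside the lab), -oA writes base.nmap/.xml/.gnmap.
scan_target() {
    target=$1
    base=${2:-scan-$(date +%Y%m%d-%H%M%S)}
    sudo nmap -sV -O -T4 -oA "$base" "$target"
    echo "== open ports =="
    gnmap_open_ports "$base.gnmap"
    echo "== versions to cross-reference against NVD / Exploit-DB =="
    versions_to_research "$base.gnmap"
    echo "XML for Metasploit db_import: $base.xml"
}

if [ $# -gt 0 ]; then
    scan_target "$@"
else
    tmp=$(mktemp)
    write_sample_scan "$tmp"
    gnmap_open_ports "$tmp"
    versions_to_research "$tmp"
    rm -f "$tmp"
fi
```

Run it as `sh versionscan.sh 192.168.56.101 msf2` to get msf2.nmap, msf2.xml and msf2.gnmap. The .gnmap file is the one to grep and script against, as above; the .xml file is the one tools import.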
Once you have a service version, your next move is to search for exploits. In the next guide, we feed the XML file from this scan directly into Metasploit with db_import to auto-populate the target database with the hosts, ports and service versions.