Easy | Network Recon | ~25 min

Subnet Recon & Host Discovery

Given a /24 network, use nmap and ping-sweep techniques to enumerate live hosts and map open ports.

↳ Based on the lesson: Models, IP & NAT

Legal Use Only

Host discovery and port scanning must only be performed on networks you own or have explicit written authorization to scan. Scanning production networks, cloud environments, or any system without permission is illegal under the CFAA and equivalent laws worldwide. This lab is designed for a local VM lab network (e.g., VirtualBox host-only or NAT network).

Scenario

You're beginning an internal network penetration test. The client has given you access to a machine inside their 192.168.56.0/24 internal network segment. Your task before exploitation begins: build a complete asset map - every live host, their OS guesses, and their open ports.

Set up this lab using VirtualBox (or VMware) with two VMs:

  • Attacker: Kali Linux, host-only adapter on 192.168.56.0/24
  • Target: Any Linux VM (Ubuntu Server, Metasploitable2, or another Kali), same host-only adapter

The target should have at least SSH (22) and a web server (80/8080) running. Metasploitable2 is the easiest choice - it ships with many intentionally vulnerable services.

Your Objective

  1. Determine your own IP address and subnet mask
  2. Perform a ping sweep to identify live hosts in the /24
  3. Run a service version scan against discovered hosts
  4. Produce a formatted host inventory table

Hints

Know your interface first

Before scanning, run ip addr show to confirm your own IP and which interface connects to the lab network. This tells you the correct subnet to scan.

Ping sweep vs SYN scan

nmap -sn (ping scan, no port scan) is faster for initial host discovery. Once you have a list of live hosts, run a deeper -sV scan only against those - faster and quieter than scanning the full /24 with version detection.

nmap output formats

-oN filename.txt saves normal output, -oG filename.gnmap saves greppable output (useful for piping), -oX filename.xml saves XML. Save your output - you'll reference it throughout the engagement.

Walkthrough

Step 1: Identify your own IP and network
$ ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> ...
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> ...
    inet 192.168.56.4/24 brd 192.168.56.255 scope global eth0
 
$ ip route
default via 10.0.2.2 dev eth1
192.168.56.0/24 dev eth0 proto kernel scope link src 192.168.56.4

Your lab IP is 192.168.56.4. The host-only network is 192.168.56.0/24. Usable host range: 192.168.56.1 - 192.168.56.254.

Step 2: Ping sweep - find live hosts
$ sudo nmap -sn 192.168.56.0/24 -oG ping-sweep.gnmap
Starting Nmap 7.94
Host: 192.168.56.1 ()    Status: Up
Host: 192.168.56.4 ()    Status: Up   (your Kali machine)
Host: 192.168.56.101 ()  Status: Up
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.18 seconds
 
# Extract just the live IPs:
$ grep "Status: Up" ping-sweep.gnmap | awk '{print $2}'
192.168.56.1
192.168.56.4
192.168.56.101

Three hosts are live. 192.168.56.1 is likely the VirtualBox gateway. 192.168.56.101 is our target.
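The greppable output from this step is what the rest of the engagement keys off, so it is worth having a small, repeatable filter rather than retyping the grep/awk pipeline. The function below is an added example, not part of the original lab: it reads `-oG` output on stdin, keeps only hosts whose status is Up, drops the scanner's own address (passed as an argument), and sorts the result numerically by octet so 192.168.56.12 does not land after 192.168.56.101. The greppable sample fed to it is constructed to mirror what `nmap -sn` writes; the `eth0` interface name and the 192.168.56.4 self-address are assumptions from this lab.

```shell
# Added example (not the lab's own code): filter a greppable ping-sweep file
# down to the live hosts we should scan further.
#
# Usage: live_hosts SELF_IP < sweep.gnmap
#   Prints one live IP per line, excluding SELF_IP, sorted by octet.
live_hosts() {
    self="$1"
    # -oG "Host:" lines look like:  Host: 192.168.56.1 ()<TAB>Status: Up
    awk -v self="$self" '
        $1 == "Host:" && /Status: Up/ && $2 != self { print $2 }
    ' | sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n
}

# In the lab you would derive your own address from the interface, e.g.
#   SELF_IP=$(ip -4 addr show eth0 | awk '/inet /{split($2,a,"/"); print a[1]}')
# Here it is hard-coded to the lab's assumed scanner address.
SELF_IP=192.168.56.4

# Constructed sample of greppable output (tabs as nmap writes them).
SAMPLE_GNMAP="$(printf '%s\n' \
    '# Nmap 7.94 scan initiated as: nmap -sn 192.168.56.0/24 -oG sweep.gnmap' \
    "$(printf 'Host: 192.168.56.1 ()\tStatus: Up')" \
    "$(printf 'Host: 192.168.56.4 ()\tStatus: Up')" \
    "$(printf 'Host: 192.168.56.101 ()\tStatus: Up')" \
    "$(printf 'Host: 192.168.56.12 ()\tStatus: Up')" \
    "$(printf 'Host: 192.168.56.200 ()\tStatus: Down')" \
    '# Nmap done at ... -- 256 IP addresses (4 hosts up) scanned')"

# Run it on the sample; in the lab, redirect this into live-hosts.txt
# and hand that file to nmap -iL for the targeted service scan.
printf '%s\n' "$SAMPLE_GNMAP" | live_hosts "$SELF_IP"
```

Excluding the scanner up front (rather than with `--exclude` later) keeps the live-host file honest: every address in it is something you still need to look at.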

Step 3: Service version scan against the target
$ sudo nmap -sV -sC -T4 -p- 192.168.56.101 -oN target-full.txt
Starting Nmap 7.94
Nmap scan report for 192.168.56.101
Host is up (0.00048s latency).
 
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
80/tcp   open  http        Apache httpd 2.2.8
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB 8.3.0
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1

This is Metasploitable2. Multiple outdated, vulnerable services - vsftpd 2.3.4 has a known backdoor (CVE-2011-2523), Samba 3.0.20 is vulnerable to CVE-2007-2447.

Step 4: OS detection
$ sudo nmap -O 192.168.56.101
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop

Linux 2.6.x - an old kernel, consistent with Metasploitable2 (Ubuntu 8.04, 2008).

Step 5: Build the asset inventory table
# Use nmap XML output and the ndiff/nmap tools, or manually format.
# Print port, service, then the whole version string ($4 onward), so
# multi-word versions like "vsftpd 2.3.4" or "OpenSSH 4.7p1 Debian ..." stay intact:
$ grep "^[0-9]" target-full.txt | awk '{printf "%s %s", $1, $3; for (i = 4; i <= NF; i++) printf " %s", $i; print ""}'

Asset Inventory - 192.168.56.0/24

IP             | Hostname       | OS Guess        | Open Ports                                 | Notable Services
---------------|----------------|-----------------|--------------------------------------------|------------------------------------
192.168.56.1   | (gateway)      | VirtualBox host | -                                          | Router/gateway
192.168.56.101 | metasploitable | Linux 2.6.x     | 21,22,23,25,80,139,445,3306,5432,8180      | vsftpd 2.3.4, Samba 3.0.20, MySQL 5.0
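Hand-formatting the table is fine for one host, but once `-iL live-hosts.txt` produces a multi-host `-oN` file you want the inventory generated from it. The function below is an added example, not the lab's own code: it walks normal (`-oN`) output, starts a new record at each "Nmap scan report for" line (handling both the bare-IP and the "hostname (IP)" forms), collects only ports in the `open` state, and emits one `ip|ports|services` line per host, keeping the full version string. The scan excerpt it runs over is constructed from the formats shown in the walkthrough and includes a host with no open ports and a filtered port to show both are handled.

```shell
# Added example (not the lab's own code): summarise nmap -oN output into one
# line per host. Assumes the standard "Nmap scan report for ..." header and
# "PORT STATE SERVICE VERSION" port lines that nmap writes.
#
# Usage: inventory < full-scan.txt
#   Output: ip|comma-joined open ports|"service version; service version; ..."
inventory() {
    awk '
        function flush() {
            if (ip != "") printf "%s|%s|%s\n", ip, ports, svcs
            ip = ""; ports = ""; svcs = ""
        }
        # New host: last field is either the IP or "(IP)" when a hostname resolved
        /^Nmap scan report for / { flush(); ip = $NF; gsub(/[()]/, "", ip); next }
        # Port line in the open state; filtered/closed/open|filtered are skipped
        /^[0-9]+\/(tcp|udp) +open / {
            split($1, p, "/")
            ver = ""
            for (i = 4; i <= NF; i++) ver = ver (i > 4 ? " " : "") $i
            ports = ports (ports == "" ? "" : ",") p[1]
            svcs  = svcs (svcs == "" ? "" : "; ") $3 (ver == "" ? "" : " " ver)
        }
        END { flush() }
    '
}

# Constructed sample of -oN output for two hosts (script output lines start
# with "|" and so never match the port-line pattern).
SAMPLE_SCAN="$(cat <<'EOF'
Nmap scan report for 192.168.56.1
Host is up (0.00021s latency).
All 65535 scanned ports on 192.168.56.1 are in ignored states.

Nmap scan report for metasploitable (192.168.56.101)
Host is up (0.00048s latency).
Not shown: 65530 closed tcp ports (reset)
PORT     STATE    SERVICE     VERSION
21/tcp   open     ftp         vsftpd 2.3.4
22/tcp   open     ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
80/tcp   open     http        Apache httpd 2.2.8
139/tcp  filtered netbios-ssn
8180/tcp open     http        Apache Tomcat/Coyote JSP engine 1.1
| http-title: Apache Tomcat/5.5
EOF
)"

# In the lab: inventory < full-scan.txt
printf '%s\n' "$SAMPLE_SCAN" | inventory
```

The "|"-delimited lines drop straight into a spreadsheet or a `column -t -s '|'` call, and a host that answered the ping sweep but exposes nothing still appears as a row, which is exactly the kind of entry a manually built table tends to lose.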

Solution

# 1. Identify your IP
ip addr show eth0
 
# 2. Ping sweep
sudo nmap -sn 192.168.56.0/24 -oG sweep.gnmap
grep "Status: Up" sweep.gnmap | awk '{print $2}' > live-hosts.txt
 
# 3. Full service scan against live targets (excluding yourself)
sudo nmap -sV -sC -O -T4 -p- -iL live-hosts.txt --exclude 192.168.56.4 -oN full-scan.txt
 
# 4. Summary
grep -E "^[0-9].*open" full-scan.txt

Key takeaway: Network recon always follows this sequence: host discovery (fast, ping sweep) → targeted port scan (against live hosts only) → service version detection → vulnerability cross-reference (searchsploit, NVD). Building a complete asset inventory before exploitation prevents you from missing targets and wasting time scanning dead space.