Exercise: Scanning the Network with Nmap

Discovering Devices and Services

A hands-on exercise using the powerful nmap tool to scan your local network, discover active hosts, and identify the services they are running.
Author

Chuck Nelson

Published

November 13, 2025

1 Purpose

This exercise introduces you to nmap, one of the most powerful and widely used tools for network discovery and security auditing. As an IT technician, you can use nmap to quickly create a map of your network, identify what devices are connected, and see what services (e.g., web servers, file shares) they are offering. This is an invaluable skill for both network management and security analysis.

2 What You’ll Accomplish

By the end of this exercise, you will be able to:

  • Install nmap on a Fedora system.
  • Perform a simple ping scan to discover live hosts on your network.
  • Conduct a port scan on a specific host to identify open ports and services.
  • Interpret basic nmap output.

This exercise maps to the following program and course learning outcomes:

  • Program Learning Outcomes (PLOs):
    • 6. Maintain environment: Using nmap to audit and understand the devices on your network is a key maintenance and security task.
  • Course Learning Outcomes (CLOs):
    • 3. Troubleshoot hardware and basic network components: nmap can help you verify if a device is online and if its services are accessible, which is critical for troubleshooting.

This exercise develops the following skills, which align with the O*NET SOC Code 15-1232.00 for Computer User Support Specialists.

| Learning Objective | O*NET KSAs | Technologies Used |
|---|---|---|
| Discover live hosts on a local network. | Knowledge: Telecommunications, Security and Government; Skills: Systems Analysis | nmap |
| Identify open ports and services on a host. | Knowledge: Telecommunications, Security and Government; Abilities: Problem Sensitivity | Port Scanning |

3 Prerequisites

This exercise requires a running Fedora 42 virtual machine with internet access and a user account with sudo privileges. You should also have the IP address of your default gateway from the previous exercise.

4 Step-by-Step Guide

Open a terminal window in your Fedora VM to begin.

4.1 Step 1: Install nmap

nmap is a powerful tool and is not installed by default on Fedora.

  1. Run the following command to install the package:

    sudo dnf install -y nmap

4.2 Step 2: Find Your Physical Network Range

Before you can scan, you need to reliably identify your primary network—the one that connects to the internet. A modern Linux system can have many virtual interfaces (for Docker, VMs, etc.), so just grabbing the first IP address you see can be misleading. The best way to find your physical network is to find which one your default gateway (router) is on.

  1. First, find your default gateway’s IP address using the ip route command.

    ip route

    Look for the line starting with default via. Let’s say it shows default via 192.168.1.1. This means your router is at 192.168.1.1, and your physical network is the 192.168.1.x range.

  2. Now, let’s get a cleaner list of your IP addresses. Use the ip command with the -br (brief) and -c (color) flags.

    ip -br -c addr

  3. Look at the output. Find the interface that has an IP address matching the network range from your default gateway. For example, if your gateway was 192.168.1.1, you are looking for the line that shows an address like 192.168.1.150/24. This is your target network range for the scan.

In your student notebook, write down your network range in CIDR notation (e.g., 192.168.1.0/24).
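Step 2 can also be scripted. The following is an added example, not part of the original exercise: it picks the interface that carries the default route and converts that interface's address into the network range to scan. The function names, the interface name enp1s0 and the sample outputs are constructed for illustration.

```sh
# Constructed sample of `ip route` output (not from a real host).
SAMPLE_ROUTES='default via 192.168.1.1 dev enp1s0 proto dhcp src 192.168.1.150 metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.1.0/24 dev enp1s0 proto kernel scope link src 192.168.1.150 metric 100'

# Constructed sample of `ip -br addr` output (run without -c, so there are no colour codes).
SAMPLE_ADDRS='lo               UNKNOWN        127.0.0.1/8 ::1/128
enp1s0           UP             192.168.1.150/24 fe80::5054:ff:fe12:3456/64
docker0          DOWN           172.17.0.1/16'

# Print the interface named on the "default via" line of `ip route` output.
default_iface() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# Turn a host address such as 192.168.1.150/24 into its network, 192.168.1.0/24.
network_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' 'NF == 5 && $5 >= 0 && $5 <= 32 {
        ip = (($1 * 256 + $2) * 256 + $3) * 256 + $4
        size = 2 ^ (32 - $5)           # number of addresses in the block
        net = int(ip / size) * size    # clear the host bits
        printf "%d.%d.%d.%d/%d\n", int(net / 16777216), int(net / 65536) % 256,
               int(net / 256) % 256, net % 256, $5
    }'
}

# Combine both: the IPv4 network of whichever interface carries the default route.
scan_range() {
    dev=$(default_iface "$1")
    [ -n "$dev" ] || { echo "no default route found" >&2; return 1; }
    addr=$(printf '%s\n' "$2" | awk -v d="$dev" '$1 == d {
        for (i = 3; i <= NF; i++) if ($i ~ /^[0-9]+\.[0-9.]+\/[0-9]+$/) { print $i; exit }
    }')
    [ -n "$addr" ] || { echo "no IPv4 address on $dev" >&2; return 1; }
    network_cidr "$addr"
}

scan_range "$SAMPLE_ROUTES" "$SAMPLE_ADDRS"
# On a live system: scan_range "$(ip route)" "$(ip -br addr)"
```

The docker0 address is ignored because docker0 is not the interface on the default route, which is the point of starting from the gateway.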

4.3 Step 3: Perform a Ping Scan

A ping scan (-sn) is a simple scan that just discovers which hosts on the network are online and responsive. It does not scan their ports. This is a great first step to map out a network.

  1. Run nmap with the -sn flag on your network range.

    # Replace with your network range from Step 2
    sudo nmap -sn 192.168.1.0/24

    Note: Running nmap with sudo gives it the privileges to craft raw packets, which allows more advanced and accurate scanning techniques.

  2. Analyze the output. nmap will list every IP address that responded, telling you how many hosts are “up”. You should see your own computer, your default gateway (router), and potentially other devices on the network.

In your notebook, list at least two IP addresses that nmap found on your network.

4.4 Step 4: Perform a Service Scan on Your Router

Now you will perform a more detailed scan on a single target: your default gateway. This scan will probe the most common ports to see which services are open.

  1. Run nmap with no flags, just the IP address of your default gateway.

    # Replace with your gateway's IP address
    sudo nmap 192.168.1.1

  2. Analyze the output. This time, nmap will show a table of “PORT”, “STATE”, and “SERVICE”.

    • PORT: The port number (e.g., 80, 443).
    • STATE: open, closed, or filtered. open means a service is listening.
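    • SERVICE: The common name for the service on that port (e.g., http, https). nmap looks this name up from the port number; a default scan does not confirm which software is actually listening.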

    You will likely see port 80 (HTTP) or 443 (HTTPS) open, which corresponds to the router’s web-based administration interface.

In your notebook, list two open ports that nmap found on your default gateway and the service name for each.
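For repeated audits, the results of Steps 3 and 4 are easier to compare when nmap writes its grepable format (the -oG - option, which the exercise itself does not use). The following is an added example, not part of the original exercise: it lists live hosts, flags any that are missing from a known-device inventory, and extracts only the open ports. The function names, inventory and sample scan lines are constructed.

```sh
# Constructed sample of `sudo nmap -sn -oG - 192.168.1.0/24` host lines (tab-separated fields).
SAMPLE_PING=$(printf 'Host: %s ()\tStatus: Up\n' 192.168.1.1 192.168.1.23 192.168.1.150)

# Constructed sample of `sudo nmap -oG - 192.168.1.1` host lines.
SAMPLE_PORTS=$(printf 'Host: 192.168.1.1 (router.lan)\tStatus: Up\nHost: 192.168.1.1 (router.lan)\tPorts: %s\tIgnored State: closed (996)\n' \
    '53/open/tcp//domain///, 80/open/tcp//http///, 443/open/tcp//https///, 8080/filtered/tcp//http-proxy///')

# Constructed inventory: the addresses you expect to see on this network.
INVENTORY='192.168.1.1
192.168.1.150'

# Print the IP of every host reported as up.
live_hosts() {
    printf '%s\n' "$1" | awk -F'\t' '/^Host: / && $2 == "Status: Up" { split($1, h, " "); print h[2] }'
}

# Print live hosts that are not in the inventory (one IP per line in $2).
unexpected_hosts() {
    live_hosts "$1" | while read -r ip; do
        printf '%s\n' "$2" | grep -qxF "$ip" || printf '%s\n' "$ip"
    done
}

# Print "IP port/protocol service" for open ports only; filtered and closed are skipped.
open_ports() {
    printf '%s\n' "$1" | awk -F'\t' '/^Host: / {
        split($1, h, " ")
        for (f = 2; f <= NF; f++) if ($f ~ /^Ports: /) {
            sub(/^Ports: /, "", $f)
            n = split($f, entry, ", ")
            for (i = 1; i <= n; i++) {
                split(entry[i], p, "/")   # port/state/protocol/owner/service/...
                if (p[2] == "open") print h[2], p[1] "/" p[3], p[5]
            }
        }
    }'
}

echo "Not in inventory:"; unexpected_hosts "$SAMPLE_PING" "$INVENTORY"
echo "Open ports:";       open_ports "$SAMPLE_PORTS"
```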

4.5 Step 5: Identify the Router’s Manufacturer

When your computer communicates with a device on the local network (like your router), it uses the Address Resolution Protocol (ARP) to find the device’s physical MAC address. Your system keeps a cache of these IP-to-MAC address mappings. You can view this cache to find the MAC address of your router, which can tell you who made it.

  1. Run the ip neigh show command to view your system’s neighbor (ARP) table.

    ip neigh show

  2. Find the line that starts with your router’s IP address. The long hexadecimal number on that line is the router’s MAC address. It will look something like 00:1a:2b:3c:4d:5e.

  3. The first half of a MAC address is the Organizationally Unique Identifier (OUI), which identifies the manufacturer. Copy the MAC address from your terminal.

  4. Open a web browser and navigate to the Wireshark OUI Lookup Tool: https://www.wireshark.org/tools/oui-lookup.html

  5. Paste the MAC address into the search box and click “Find”. The tool will tell you the manufacturer of the network hardware (e.g., “NETGEAR,” “Cisco,” “TP-Link”).

In your notebook, write down the manufacturer of your default gateway.
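The extraction in Step 5 can be scripted as well. The following is an added example, not part of the original exercise: it pulls a MAC address out of the neighbor table, takes its OUI, and checks the locally administered bit, which is set on randomized or virtual MAC addresses for which a manufacturer lookup returns nothing useful. The function names and sample table are constructed; 00:1a:2b:3c:4d:5e is the illustrative address used in the step above.

```sh
# Constructed sample of `ip neigh show` output (addresses are made up).
SAMPLE_NEIGH='192.168.1.1 dev enp1s0 lladdr 00:1a:2b:3c:4d:5e REACHABLE
192.168.1.23 dev enp1s0 lladdr 3a:9f:10:aa:bb:cc STALE
192.168.1.77 dev enp1s0 FAILED'

# Print the MAC cached for one IP. Prints nothing when the IP is absent or the
# entry has no lladdr field (for example a FAILED entry).
mac_for_ip() {
    printf '%s\n' "$1" | awk -v ip="$2" '$1 == ip {
        for (i = 2; i < NF; i++) if ($i == "lladdr") { print tolower($(i + 1)); exit }
    }'
}

# The OUI is the first three octets, printed in upper case as lookup tools show it.
oui_of() {
    printf '%s\n' "$1" | cut -d: -f1-3 | tr 'a-f' 'A-F'
}

# Bit 0x02 of the first octet marks a locally administered address: one assigned
# by software rather than taken from the manufacturer's OUI block.
is_locally_administered() {
    first=${1%%:*}
    [ $(( 0x$first & 2 )) -ne 0 ]
}

# One-line summary for a neighbor: which prefix to look up, or why not to.
describe_neighbor() {
    mac=$(mac_for_ip "$1" "$2")
    if [ -z "$mac" ]; then
        echo "$2: no MAC address cached"
    elif is_locally_administered "$mac"; then
        echo "$2: $mac is locally administered, vendor lookup not meaningful"
    else
        echo "$2: look up OUI $(oui_of "$mac")"
    fi
}

describe_neighbor "$SAMPLE_NEIGH" 192.168.1.1
describe_neighbor "$SAMPLE_NEIGH" 192.168.1.23
describe_neighbor "$SAMPLE_NEIGH" 192.168.1.77
# On a live system: describe_neighbor "$(ip neigh show)" <your gateway IP>
```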

5 Reflect and Review

Reflection: 3-2-1

Now that you have completed this exercise, reflect on your experience in your Microsoft Teams Student Notebook:

  • 3 pieces of information you can discover with nmap.
  • 2 different types of scans you performed.
  • 1 question you still have about how port scanning works.

Check on Learning

Answer these questions in your notebook to solidify your understanding:

  1. What nmap flag would you use if you only want to discover which hosts are online, without scanning their ports?
  2. What does it mean if nmap reports a port’s state as “open”?
  3. You want to scan your entire local network, which has an IP range of 192.168.10.1 to 192.168.10.254. How would you write this range in CIDR notation for nmap?
  4. Why is nmap a useful tool for both network administrators and security professionals?