Author: Guilherme Pigoso Garcia
Focus: Junior SOC Analyst / Blue Team
Environment: Kali Linux + Metasploitable2 (VirtualBox)
Tools Used: Nmap
Framework Reference: NIST SP 800-53 — CA-7 (Continuous Monitoring), RA-5 (Vulnerability Scanning)
This lab demonstrates network reconnaissance using Nmap — one of the most critical tools in both offensive and defensive security. From a SOC Analyst perspective, Nmap is used to map the attack surface of an organisation, identify vulnerable services, and support vulnerability management programs.
| Component | Details |
|---|---|
| Attacker Machine | Kali Linux — 192.168.56.101 |
| Target Machine | Metasploitable2 — 192.168.56.102 |
| Network Mode | Host-Only (VirtualBox) |
| Nmap Version | 7.95 |
- Perform progressive Nmap scans from basic to advanced
- Identify open ports and running services on the target
- Detect service versions and correlate with known CVEs
- Save scan results as forensic evidence
- Demonstrate the SOC analyst workflow for vulnerability identification
Before scanning, connectivity between the two machines was confirmed:

```
ping 192.168.56.102 -c 4
```

| Part | Explanation |
|---|---|
| ping | Sends ICMP echo requests to test connectivity |
| 192.168.56.102 | Target IP — Metasploitable2 |
| -c 4 | Limits the test to 4 packets |

Result: Host is up — connectivity confirmed. ✅
```
nmap 192.168.56.102
```

| Part | Explanation |
|---|---|
| nmap | Network reconnaissance tool |
| 192.168.56.102 | Target IP |

Result: Multiple open ports identified, including FTP, SSH, HTTP, Telnet, MySQL and Shell services — confirming a large attack surface.
```
nmap -sV 192.168.56.102
```

| Part | Explanation |
|---|---|
| nmap | Network reconnaissance tool |
| -sV | Service Version — detects the exact version of each running service |
| 192.168.56.102 | Target IP |

Key Findings:

| Service | Version Detected | CVE | Risk |
|---|---|---|---|
| vsftpd | 2.3.4 | CVE-2011-2523 | Critical |
| OpenSSH | 4.7p1 | Multiple CVEs | High |
| MySQL | 5.0.51a | Multiple CVEs | High |
```
nmap -sV -O 192.168.56.102
```

| Part | Explanation |
|---|---|
| nmap | Network reconnaissance tool |
| -sV | Detects service versions |
| -O | OS Detection — identifies the target operating system |
| 192.168.56.102 | Target IP |

Result: Linux 2.6.x kernel detected — released circa 2008, significantly outdated and affected by numerous known vulnerabilities.
```
nmap -sV -O -A 192.168.56.102 -oN scan_metasploitable.txt
```

| Part | Explanation |
|---|---|
| nmap | Network reconnaissance tool |
| -sV | Detects service versions |
| -O | Detects operating system |
| -A | Aggressive scan — enables OS detection, version detection, script scanning and traceroute simultaneously |
| 192.168.56.102 | Target IP |
| -oN | Output Normal — saves results to a readable text file |
| scan_metasploitable.txt | Evidence file name |

Result: Comprehensive scan returned detailed service information, OS fingerprint, and script results. Output saved to file for documentation and analysis.
```
nmap --top-ports 20 192.168.56.102
```

| Part | Explanation |
|---|---|
| nmap | Network reconnaissance tool |
| --top-ports 20 | Scans only the 20 most common ports on the internet |
| 192.168.56.102 | Target IP |

Result: Most common ports confirmed open. Some ports returned as closed rather than filtered — no firewall filtering detected. Used in SOC work for rapid triage without running a full scan.
Port States Reference:
| State | Meaning | SOC Implication |
|---|---|---|
| open | Active port with running service | |
| closed | Accessible but no service running | ⚪ Normal — monitor |
| filtered | Firewall blocking — Nmap cannot determine state | 🔍 May hide services |
```
nmap -p 21,22,80,3306 -sV 192.168.56.102 -oN scan_servicos_criticos.txt
```

| Part | Explanation |
|---|---|
| nmap | Network reconnaissance tool |
| -p 21,22,80,3306 | Scans specific ports — FTP, SSH, HTTP, MySQL |
| -sV | Detects service versions |
| 192.168.56.102 | Target IP |
| -oN | Saves output to file |
| scan_servicos_criticos.txt | Evidence file name |

| Port | State | Service | Version | Risk |
|---|---|---|---|---|
| 21/tcp | open | FTP | vsftpd 2.3.4 | Critical |
| 22/tcp | open | SSH | OpenSSH 4.7p1 Debian | High |
| 80/tcp | open | HTTP | Apache httpd 2.2.8 Ubuntu | High |
| 3306/tcp | open | MySQL | MySQL 5.0.51a-3ubuntu5 | High |

Additional Information Revealed:
- OS: Unix/Linux — CPE: cpe:/o:linux:linux_kernel
- MAC Address: PCS Systemtechnik/Oracle VirtualBox NIC — confirms VM environment
- Latency: 0.00097s — local network
```
nmap -p 21 -sV 192.168.56.102
nmap -p 6200 -sV 192.168.56.102
```

| Part | Explanation |
|---|---|
| -p 21 | Scans the FTP port |
| -p 6200 | Scans the port associated with the vsftpd backdoor |
| -sV | Detects service version |

Result:
- Port 21: open — vsftpd 2.3.4 confirmed
- Port 6200: closed — backdoor not yet triggered

SOC Note: The vsftpd 2.3.4 backdoor (CVE-2011-2523) opens port 6200 only after being triggered by a specific exploit sequence. In a passive scan, it appears closed. This demonstrates that Nmap alone cannot confirm exploitability — only that the vulnerable version is present.
| CVE | Service | Severity | Recommendation |
|---|---|---|---|
| CVE-2011-2523 | vsftpd 2.3.4 | Critical | Disable FTP or upgrade immediately |
| Multiple CVEs | OpenSSH 4.7p1 | High | Upgrade to current version |
| Multiple CVEs | Apache 2.2.8 | High | Upgrade to current version |
| Multiple CVEs | MySQL 5.0.51a | High | Upgrade to current version |
1. Nmap is both offensive and defensive
Attackers use Nmap to find entry points. Defenders use it to find them first. Running regular Nmap scans against your own infrastructure is a core component of vulnerability management programs.
2. Version detection is critical
A port being open is not enough information. -sV reveals the exact service version, which can then be cross-referenced against CVE databases (NVD, Mitre, Exploit-DB) to determine actual risk.
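The cross-referencing step above, and the critical-services table earlier in this lab, both start from the saved `-oN` evidence file. The script below is an added example (not part of the original lab) that parses a constructed sample of Nmap normal output, extracts only the open services with their version strings, and matches them against a small local watchlist built from the CVE table in this lab. The sample file, the watchlist and the MAC address are constructed placeholders; a real SOC would replace the watchlist with a feed from NVD or a vulnerability management platform.

```shell
#!/bin/sh
# Added example: turn a saved "nmap -sV -oN" evidence file into a list of
# open services and flag versions present on a local CVE watchlist.

# Constructed sample shaped like the lab's scan_servicos_criticos.txt
# (port 6200 added to show that closed ports are ignored; MAC is a placeholder).
SCAN=$(mktemp)
cat >"$SCAN" <<'EOF'
# Nmap 7.95 scan initiated as: nmap -p 21,22,80,3306,6200 -sV -oN scan_servicos_criticos.txt 192.168.56.102
Nmap scan report for 192.168.56.102
Host is up (0.00097s latency).

PORT     STATE  SERVICE VERSION
21/tcp   open   ftp     vsftpd 2.3.4
22/tcp   open   ssh     OpenSSH 4.7p1 Debian
80/tcp   open   http    Apache httpd 2.2.8 Ubuntu
3306/tcp open   mysql   MySQL 5.0.51a-3ubuntu5
6200/tcp closed unknown
MAC Address: 08:00:27:00:00:00 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
EOF

# Constructed watchlist: "version substring|CVE reference|severity",
# taken from the remediation table of this lab.
WATCHLIST='vsftpd 2.3.4|CVE-2011-2523|Critical
OpenSSH 4.7p1|Multiple CVEs|High
Apache httpd 2.2.8|Multiple CVEs|High
MySQL 5.0.51a|Multiple CVEs|High'

# Print "port,service,version" for every line whose STATE column is "open".
# Nmap normal output is column based: PORT STATE SERVICE VERSION..., and the
# version may contain spaces, so columns 4..NF are re-joined.
open_services() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
        v = ""
        for (i = 4; i <= NF; i++) v = v (i > 4 ? " " : "") $i
        print $1 "," $3 "," v
    }' "$1"
}

# For each open service, report every watchlist entry whose version
# substring appears in the detected version string.
flag_known_vulnerable() {
    open_services "$1" | while IFS=, read -r port svc ver; do
        while IFS='|' read -r pattern cve sev; do
            case "$ver" in
                *"$pattern"*) printf '%s %s %s -> %s (%s)\n' "$port" "$svc" "$ver" "$cve" "$sev" ;;
            esac
        done <<EOF
$WATCHLIST
EOF
    done
}

# Report for the analyst: only the vulnerable version is confirmed here,
# not exploitability (see the SOC note on port 6200 above).
flag_known_vulnerable "$SCAN"
```

Running the script prints one line per matched service, for example `21/tcp ftp vsftpd 2.3.4 -> CVE-2011-2523 (Critical)`; the closed port 6200 never reaches the watchlist because `open_services` filters on the STATE column.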
3. Always save scan output
Using -oN to save results creates an evidence trail. In enterprise environments, scan results are stored, compared over time, and fed into vulnerability management platforms such as Tenable Nessus or Qualys.
4. Nmap findings drive incident response

```
Nmap detects vulnerable service version
        ↓
Cross-reference with CVE database
        ↓
Assess exploitability and business impact
        ↓
Report as vulnerability finding
        ↓
Recommend: patch, upgrade, or disable service
        ↓
Verify remediation with follow-up scan
```
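Points 3 and 4 above both rely on comparing saved scans over time: the baseline evidence file and a follow-up scan taken after remediation. The script below is an added example (not part of the original lab) that diffs the open-port lists of two constructed `-oN` files and classifies each port as remediated, newly opened, or still open, so the "verify remediation" step produces a pass/fail result instead of a manual read. The two sample files are constructed: the follow-up assumes FTP and Telnet were disabled and that an unrelated port appeared in the meantime.

```shell
#!/bin/sh
# Added example: verify remediation by diffing a baseline Nmap -oN file
# against a follow-up scan of the same ports.

BASE=$(mktemp); FOLLOW=$(mktemp)

# Constructed baseline, taken before remediation.
cat >"$BASE" <<'EOF'
# Nmap 7.95 scan initiated as: nmap -p 21,22,23,80,3306,8180 -sV -oN baseline.txt 192.168.56.102
Nmap scan report for 192.168.56.102
Host is up (0.00097s latency).

PORT     STATE  SERVICE VERSION
21/tcp   open   ftp     vsftpd 2.3.4
22/tcp   open   ssh     OpenSSH 4.7p1 Debian
23/tcp   open   telnet  Linux telnetd
80/tcp   open   http    Apache httpd 2.2.8 Ubuntu
3306/tcp open   mysql   MySQL 5.0.51a-3ubuntu5
8180/tcp closed unknown
EOF

# Constructed follow-up: FTP and Telnet disabled, but 8180/tcp is now open.
cat >"$FOLLOW" <<'EOF'
# Nmap 7.95 scan initiated as: nmap -p 21,22,23,80,3306,8180 -sV -oN followup.txt 192.168.56.102
Nmap scan report for 192.168.56.102
Host is up (0.00097s latency).

PORT     STATE  SERVICE VERSION
21/tcp   closed ftp
22/tcp   open   ssh     OpenSSH 4.7p1 Debian
23/tcp   closed telnet
80/tcp   open   http    Apache httpd 2.2.8 Ubuntu
3306/tcp open   mysql   MySQL 5.0.51a-3ubuntu5
8180/tcp open   http
EOF

# Sorted list of ports whose STATE column is "open" (sorted for comm).
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1 }' "$1" | sort
}

# Classify every port: REMEDIATED (open before, not now), NEW (open now,
# not before), STILL_OPEN (open in both). Temp files keep this POSIX sh.
scan_diff() {
    b=$(mktemp); f=$(mktemp)
    open_ports "$1" >"$b"
    open_ports "$2" >"$f"
    comm -23 "$b" "$f" | sed 's/^/REMEDIATED /'
    comm -13 "$b" "$f" | sed 's/^/NEW /'
    comm -12 "$b" "$f" | sed 's/^/STILL_OPEN /'
    rm -f "$b" "$f"
}

# Exit 0 only if the given port was open in the baseline and is no longer
# open in the follow-up; usable as a gate in a ticket-closing workflow.
remediation_verified() {
    scan_diff "$1" "$2" | grep -q "^REMEDIATED $3\$"
}

# Report for the analyst.
scan_diff "$BASE" "$FOLLOW"
if remediation_verified "$BASE" "$FOLLOW" 21/tcp; then
    echo "FTP remediation verified"
else
    echo "FTP still exposed"
fi
```

The `NEW` class is the one to watch: a follow-up scan that only confirms closed ports would miss a service that appeared between the two scans, which is exactly what continuous monitoring under CA-7 is meant to catch.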
5. GDPR and compliance implications
Running outdated, unpatched services that expose known CVEs in an organisation handling personal data constitutes inadequate technical security measures under GDPR Article 32. Discovery of these findings during an audit requires immediate remediation and documentation.
| Flag | Full Name | Purpose |
|---|---|---|
| -sV | Service Version | Detect service versions |
| -O | OS Detection | Identify operating system |
| -A | Aggressive | Enable all detection features |
| -p | Port | Specify specific ports |
| --top-ports | Top Ports | Scan most common ports |
| --open | Open | Show only open ports |
| -oN | Output Normal | Save results to file |
- NIST SP 800-53 — CA-7: Continuous Monitoring
- NIST SP 800-53 — RA-5: Vulnerability Scanning
- CVE-2011-2523: https://nvd.nist.gov/vuln/detail/CVE-2011-2523
- Nmap Documentation: https://nmap.org/docs.html
- GDPR Article 32 — Security of Processing
Lab environment: Kali Linux + Metasploitable2 on VirtualBox | Date: 2026
GitHub: https://github.com/GPigoso