Recon • Home Lab • CTFs • Safe Pentesting

My favorite recon tool is Nmap.

Whether I am doing a CTF on Hack The Box, checking my home lab, finding the IP address of a headless Raspberry Pi, or mapping out a small test network, Nmap is usually one of the first tools I reach for.

Nmap feels like a superpower because it turns a mystery network into something visible: live hosts, open ports, running services, software versions, and clues about what to investigate next.

Important: only scan systems you own or have clear permission to test. For this guide, the safe targets are your own home network, your own lab, your own VMs, or intentionally authorized platforms like CTF labs.
1. Find my network: What subnet am I on?
2. Discover live hosts: What devices are responding?
3. Scan ports and services: What is exposed?
4. Document the results: What should I investigate, secure, or fix?
Nmap is not the whole pentest. It is the map you build before you decide where to look closer.

Why Nmap matters

Before I can secure, troubleshoot, or test a network, I need to know what exists. Nmap helps answer that quickly.

Home lab: find headless devices

If I plug in a Raspberry Pi, VM, camera, printer, lab box, or small server and do not know its IP address, Nmap can help me find it.

Cybersecurity: see the attack surface

Open ports show where a machine is listening. SSH, HTTP, SMB, DNS, databases, and admin panels all tell me what kind of system I am looking at.

CTF practice: start with recon

In CTFs and lab platforms, Nmap is often the first real step. It tells me which services are available before I start researching versions or testing paths.

Install Nmap

Here is the magic of apt install again: on most Linux systems, Nmap is one package install away, and it is FREE like most other Linux utilities. I usually install it with a few other basic network tools so the machine is ready for troubleshooting, home lab discovery, and safe recon work.

sudo apt update
sudo apt install nmap wireshark tcpdump net-tools iproute2 dnsutils -y
Note: on Debian, Ubuntu, Kali, Raspberry Pi OS, and most common Linux distros, the package is simply called nmap. Installing wireshark in the same command may still stop at a debconf question about letting non-root users capture packets, even with -y; that prompt belongs to Wireshark, not Nmap.

Quick start: find devices on my own network

The first thing I usually need is my subnet. If my laptop is on 192.168.1.42 with a /24 mask (255.255.255.0), the network is 192.168.1.0/24. That tells Nmap to scan all 256 addresses from 192.168.1.0 through 192.168.1.255; the usable host addresses are normally .1 through .254. The prefix length matters: a laptop on 10.20.30.40/16 is on 10.20.0.0/16, and scanning only 10.20.30.0/24 would miss most of that network.

1. Find my IP address

I use this to see my current interface, IP address, and subnet.

ip -4 addr show
2. Find my default route

This usually shows the router/gateway and helps confirm which network I am on.

ip route
3. Ping scan the subnet

This asks: "Which hosts are alive?" It does not do a full port scan. As a normal user, Nmap's -sn can only try TCP connects to ports 80 and 443, so a quiet device with neither port open can be missed. As root it sends an ICMP echo request, a TCP SYN to 443, a TCP ACK to 80, and an ICMP timestamp request, and on my own Ethernet segment it switches to ARP automatically.

nmap -sn 192.168.1.0/24
4. Use ARP discovery on a local LAN

On my own local network, ARP discovery is the most reliable way to find nearby devices: every IPv4 host on the segment has to answer ARP, even one that drops ICMP and has no open ports. Nmap already uses ARP when it runs as root against targets on the same Ethernet segment, so -PR just makes that explicit. ARP never crosses a router, so this only covers the subnet I am plugged into, and it needs root.

sudo nmap -sn -PR 192.168.1.0/24
Home lab use case: if I boot a Raspberry Pi with no monitor, I can run a ping scan from my laptop and look for a new device. The result gives me the IP, the hostname if my router's DNS knows it, and, when I scan as root, the MAC address with a vendor lookup that often names Raspberry Pi directly.
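The four steps above as one script. This is an added example, not code from the original page: it reads the default-route interface and its address out of ip, computes the network range from the prefix length instead of guessing it from the third octet, and only then runs the ARP discovery scan, saving normal and grepable output under scans/. The scans/ path, the timestamped file name, and the --scan switch are my choices rather than Nmap conventions; without --scan the script only defines the helpers.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): work out my own LAN range from
# iproute2 output and hand it to Nmap for ARP host discovery. Assumes Linux with
# ip and nmap installed. The scan only runs when invoked as: ./find-lan.sh --scan

# cidr_to_network HOST/PREFIX -> NETWORK/PREFIX  (192.168.1.42/24 -> 192.168.1.0/24)
cidr_to_network() {
    case $1 in */*) ;; *) echo "expected HOST/PREFIX, got '$1'" >&2; return 1 ;; esac
    host=${1%/*}
    prefix=${1#*/}
    # split the dotted quad into $1..$4 without forking a subprocess
    old_ifs=$IFS
    IFS=.
    set -- $host
    IFS=$old_ifs
    addr=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    # a /0 would shift by 32 bits, so handle it explicitly
    if [ "$prefix" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    fi
    net=$(( addr & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 ))  $(( net & 255 )) "$prefix"
}

# default_route_iface -> the interface carrying my default route (e.g. eth0 or wlan0)
default_route_iface() {
    ip -4 route show default |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# my_lan_cidr -> the network range of that interface, in the form nmap wants
my_lan_cidr() {
    iface=$(default_route_iface)
    [ -n "$iface" ] || { echo "no default route found" >&2; return 1; }
    # ip -o prints one address per line; field 4 is HOST/PREFIX
    host_cidr=$(ip -4 -o addr show dev "$iface" scope global | awk 'NR == 1 { print $4 }')
    [ -n "$host_cidr" ] || { echo "no IPv4 address on $iface" >&2; return 1; }
    cidr_to_network "$host_cidr"
}

# discover_lan [BASENAME]: ARP ping scan of my own LAN, saved in normal and grepable form.
# Root is needed for ARP (-PR) and for the MAC address / vendor column.
discover_lan() {
    net=$(my_lan_cidr) || return 1
    base=${1:-scans/hosts-$(date +%Y%m%d-%H%M%S)}
    mkdir -p "$(dirname "$base")"      # nmap does not create missing directories
    echo "scanning $net (my own network only)" >&2
    sudo nmap -sn -PR "$net" -oN "$base.nmap" -oG "$base.gnmap"
}

if [ "${1:-}" = "--scan" ]; then
    discover_lan "${2:-}"
fi
```

The cidr_to_network helper is the part worth keeping: it is ordinary mask arithmetic, and it stops me from scanning a /24 slice of a /16 lab network and missing half the hosts. The grepable file it saves is what later comparison scripts read.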

What the output is telling me

Nmap output can look plain, but it is packed with useful clues.

Output | What I learn | Why it matters
Host is up | The device answered at least one discovery probe. | The IP address is active and worth a closer look.
MAC Address | The hardware address of a device on my own network segment, with a vendor lookup. Nmap only shows it when I scan as root from the same LAN. | The vendor hint can reveal Raspberry Pi, Apple, Dell, TP-Link, etc.
Hostname | The name reverse DNS returns for the address, usually from my router. Nmap does not ask the device itself. | A name like raspberrypi, printer, or nas gives context.
Open port | A service accepted the probe. Closed means the host answered but nothing is listening there; filtered means nothing came back, usually a firewall. | An open port is a possible admin path, app endpoint, or security exposure.
Service version | The software behind a port, taken from banners and -sV probe responses. | Versions help with patching, research, and authorized security testing.

Commands I actually use

I do not need every Nmap flag at once. These are the practical commands I would actually use in a home lab, school lab, CTF, or authorized pentest.

Basic scan of one host

Good first look after I find a device. With no other flags this covers the 1000 most common TCP ports: a TCP connect scan as a normal user, a faster SYN scan when run as root. UDP is not touched unless I add -sU.

nmap 192.168.1.50

Scan common ports faster

Useful when I want a quick overview.

nmap --top-ports 100 192.168.1.50

Detect service versions

This is one of the most useful recon commands.

nmap -sV 192.168.1.50

Try OS detection

This needs root privileges and is not always perfect, but it can give helpful clues.

sudo nmap -O 192.168.1.50

Scan every TCP port

Slower, but useful when I want to avoid missing a service on an unusual port.

nmap -p- 192.168.1.50

Scan all ports and detect services

My deeper scan after a quick scan finds something interesting.

nmap -p- -sV --reason 192.168.1.50

Save results

For labs and reports, saving output is better than relying on terminal scrollback.

nmap -sV -oN scan-results.txt 192.168.1.50

Save in all formats

This creates normal (.nmap), grepable (.gnmap), and XML (.xml) output with the same base filename. The scans/ directory has to exist already; Nmap will not create it.

nmap -sV -oA scans/target-192-168-1-50 192.168.1.50

My normal Nmap workflow

I try to move from broad to specific. First I find the network. Then I find live hosts. Then I scan one target more carefully.

1. Find my subnet

I check my own IP and default route so I know what range belongs to my local network.

2. Discover hosts

I run a ping or ARP scan to see which devices are alive.

3. Pick a target

I choose one IP that belongs to my device, VM, CTF target, or authorized lab box.

4. Scan ports

I check which services are exposed and save the results.

# 1. Check my network
ip -4 addr show
ip route

# 2. Discover live hosts on my own LAN
sudo nmap -sn -PR 192.168.1.0/24

# 3. Scan one device
nmap -sV 192.168.1.50

# 4. Run a deeper scan if it is my device or an authorized target
nmap -p- -sV --reason -oA scans/target-192-168-1-50 192.168.1.50

Finding a headless Raspberry Pi or lab device

This is one of the most practical Nmap uses. If a device has no screen, I can still find it from another computer on the same network.

Simple method: scan before and after plugging it in

I can scan the network, plug in the device, wait for it to boot, then scan again. The new IP is probably the device I just added.

sudo nmap -sn -PR 192.168.1.0/24
What I look for: clues in the output

  • New IP address that was not there before
  • Hostname like raspberrypi, ubuntu, or debian
  • Vendor name from the MAC address
  • Open SSH port, usually 22/tcp
# After finding a likely device, check if SSH is open
nmap -p 22 -sV 192.168.1.50
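The before-and-after method, automated. This is an added example, not code from the original page: it takes two discovery scans saved with -oG, lists the addresses that report Status: Up in the second but not the first, and then runs the 22/tcp check against each one. The two scan files embedded in the script are constructed samples so the parsing can be tried without a network; the --live switch and file names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): find a newly plugged-in device by
# diffing two saved discovery scans made with: sudo nmap -sn -PR ... -oG FILE
# Assumes Nmap's grepable output format; the two sample scans below are constructed.

export LC_ALL=C   # sort and comm must agree on ordering

# up_hosts FILE: IPs marked "Status: Up" in a grepable scan, one per line, sorted
up_hosts() {
    awk '$1 == "Host:" && /Status: Up/ { print $2 }' "$1" | sort -u
}

# new_hosts BEFORE AFTER: hosts up in AFTER that were not up in BEFORE
new_hosts() {
    tmp=$(mktemp)
    up_hosts "$1" > "$tmp"
    up_hosts "$2" | comm -13 "$tmp" -     # comm needs sorted input; up_hosts sorts
    rm -f "$tmp"
}

# check_ssh IP: confirm 22/tcp and grab the SSH banner on a device that is mine
check_ssh() {
    nmap -p 22 -sV --reason "$1"
}

# Constructed sample data: the Pi (.50) appears only in the second scan, and a
# phone (.77) that left the network is ignored because I only want new hosts.
write_samples() {
    cat > "$1/before.gnmap" <<'EOF'
# Nmap 7.94 scan initiated as: nmap -sn -PR -oG before.gnmap 192.168.1.0/24
Host: 192.168.1.1 (router.lan)   Status: Up
Host: 192.168.1.20 ()   Status: Up
Host: 192.168.1.42 (laptop.lan)   Status: Up
Host: 192.168.1.77 ()   Status: Up
# Nmap done: 256 IP addresses (4 hosts up) scanned
EOF
    cat > "$1/after.gnmap" <<'EOF'
# Nmap 7.94 scan initiated as: nmap -sn -PR -oG after.gnmap 192.168.1.0/24
Host: 192.168.1.1 (router.lan)   Status: Up
Host: 192.168.1.20 ()   Status: Up
Host: 192.168.1.42 (laptop.lan)   Status: Up
Host: 192.168.1.50 (raspberrypi.lan)   Status: Up
# Nmap done: 256 IP addresses (4 hosts up) scanned
EOF
}

# find_new_device_demo: what new_hosts reports for the constructed samples
find_new_device_demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    new_hosts "$dir/before.gnmap" "$dir/after.gnmap"
    rm -rf "$dir"
}

# Real use: ./new-device.sh --live scans/before.gnmap scans/after.gnmap
if [ "${1:-}" = "--live" ]; then
    for ip in $(new_hosts "$2" "$3"); do
        check_ssh "$ip"
    done
fi
```

A device that was already on the network but asleep during the first scan will also show up as new, so I still confirm with the hostname, vendor, or SSH banner before assuming it is the Pi.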

Using Nmap for CTFs and pentesting

In a CTF or authorized pentest, Nmap helps me build the starting picture. I am not trying to guess. I am collecting facts.

1. What is alive?

Find the target or confirm that the assigned IP is reachable.

2. What is open?

Look for ports like SSH, HTTP, HTTPS, SMB, FTP, DNS, databases, or custom apps.

3. What is running?

Use service detection to identify software and versions.

4. What comes next?

Research the service, visit web ports, check banners, and document everything.

Scope rule: CTF targets and lab boxes are designed for this. Random public IPs, school systems, company systems, and other people's devices are not targets unless I have written authorization.

Common ports worth recognizing

Nmap becomes more useful when I recognize what common ports usually mean.

Port | Common service | What I think when I see it
22 | SSH | Remote Linux login. Useful for servers, Raspberry Pis, VMs, and cloud machines.
53 | DNS | Name resolution. Could be a router, DNS server, Pi-hole, or lab service. DNS mostly runs over UDP, and Nmap's default scan is TCP only, so 53/udp needs -sU.
80 | HTTP | Plain web server. I usually open this in a browser next.
443 | HTTPS | Encrypted web server. Also worth checking in a browser.
445 | SMB | Windows file sharing or Samba. Important in labs, but risky if exposed publicly.
3306 | MySQL/MariaDB | Database service. Should usually not be exposed broadly.
5432 | PostgreSQL | Database service. Useful in apps, but should be carefully firewalled.
8080 | Alternate HTTP | Often a dev server, proxy, admin panel, API, or containerized app.

Scanning multiple authorized targets

If I have a small lab with a few known IPs, I can put them into a target file and scan them consistently.

cat > targets.txt << "EOF"
192.168.1.20
192.168.1.50
192.168.1.77
EOF

nmap -sV -iL targets.txt -oA scans/home-lab-services
Why this is useful: a target file keeps my scan repeatable. If I am writing a lab report or comparing before-and-after hardening, repeatable commands matter.
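One way to make that before-and-after comparison concrete. This is an added example, not code from the original page: it parses the grepable (.gnmap) files that -oA writes into one row per open port, reduces each row to host and port/proto, and reports the ports that were open before hardening and are not open afterwards. The two scan files in the script are constructed samples; the --live switch and file names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): turn saved -sV scans (nmap ... -oG FILE)
# into one "host port/proto service version" row per open port, then diff a
# before-hardening scan against an after-hardening scan. Assumes Nmap's grepable
# format; the sample scans below are constructed.

export LC_ALL=C   # deterministic ordering for sort and comm

# open_ports FILE: one row per open port in a grepable scan
open_ports() {
    awk '
    $1 == "Host:" && /Ports:/ {
        host = $2
        line = $0
        sub(/.*Ports: /, "", line)
        # Each entry is port/state/proto/owner/service/rpc/version/ and Nmap
        # rewrites any "/" inside a field as "|", so exactly seven slash-terminated
        # fields make up one entry; consuming them one at a time copes with
        # version strings that contain commas.
        re = "^[0-9]+/[^/]*/[^/]*/[^/]*/[^/]*/[^/]*/[^/]*/"
        while (match(line, re)) {
            entry = substr(line, RSTART, RLENGTH)
            line = substr(line, RSTART + RLENGTH)
            sub(/^, /, "", line)
            split(entry, f, "/")
            if (f[2] == "open")
                printf "%s %s/%s %s %s\n", host, f[1], f[3], f[5], f[7]
        }
    }' "$1" | sort
}

# port_keys FILE: just "host port/proto", so a version bump does not look like a change
port_keys() {
    open_ports "$1" | cut -d' ' -f1,2 | sort -u
}

# closed_since BEFORE AFTER: open ports in BEFORE that are no longer open in AFTER
closed_since() {
    tmp=$(mktemp)
    port_keys "$2" > "$tmp"
    port_keys "$1" | comm -23 - "$tmp"
    rm -f "$tmp"
}

# Constructed samples: after hardening, Samba on .20 and MariaDB on .50 are gone.
write_port_samples() {
    cat > "$1/before.gnmap" <<'EOF'
# Nmap 7.94 scan initiated as: nmap -sV -iL targets.txt -oG before.gnmap
Host: 192.168.1.20 ()   Status: Up
Host: 192.168.1.20 ()   Ports: 22/open/tcp//ssh//OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)/, 445/open/tcp//netbios-ssn//Samba smbd 4.6.2/   Ignored State: closed (998)
Host: 192.168.1.50 (raspberrypi.lan)   Status: Up
Host: 192.168.1.50 (raspberrypi.lan)   Ports: 22/open/tcp//ssh//OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)/, 80/open/tcp//http//nginx 1.22.1/, 3306/open/tcp//mysql//MariaDB (unauthorized)/, 8080/closed/tcp//http-proxy///   Ignored State: filtered (996)
EOF
    cat > "$1/after.gnmap" <<'EOF'
# Nmap 7.94 scan initiated as: nmap -sV -iL targets.txt -oG after.gnmap
Host: 192.168.1.20 ()   Status: Up
Host: 192.168.1.20 ()   Ports: 22/open/tcp//ssh//OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)/   Ignored State: closed (999)
Host: 192.168.1.50 (raspberrypi.lan)   Status: Up
Host: 192.168.1.50 (raspberrypi.lan)   Ports: 22/open/tcp//ssh//OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)/, 80/open/tcp//http//nginx 1.22.1/, 8080/closed/tcp//http-proxy///   Ignored State: filtered (997)
EOF
}

# hardening_diff_demo: what closed_since reports for the constructed samples
hardening_diff_demo() {
    dir=$(mktemp -d)
    write_port_samples "$dir"
    closed_since "$dir/before.gnmap" "$dir/after.gnmap"
    rm -rf "$dir"
}

# Real use: ./port-diff.sh --live scans/before.gnmap scans/after.gnmap
if [ "${1:-}" = "--live" ]; then
    closed_since "$2" "$3"
fi
```

Swapping the two arguments gives the opposite list, ports that are newly open, which is the one I actually watch for on a lab box I think I have locked down. For anything more elaborate than this, the XML output from -oA is the better input, since it is structured rather than line-oriented.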

What I do after a scan

Nmap gives me the map. It does not automatically tell me the full answer. After the scan, I still need to inspect, research, test safely, and document.

Web ports: open in a browser

If I see 80, 443, 8080, or another web port, I check the page, headers, title, login forms, and visible app behavior.

SSH: confirm expected access

If SSH is open on my own server, I confirm whether it should be reachable from that network and whether key-based login is configured.

Hardening: reduce exposure

If I find services that should not be exposed, I fix firewall rules, bind services to localhost, disable unused software, or move access behind a VPN.
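Nmap shows the outside view; on a box I administer I also want the inside view, because a service bound to 127.0.0.1 never appears in a remote scan while one bound to 0.0.0.0 or the LAN address does. This is an added example, not code from the original page: it reads ss -Hltn output, drops loopback-only listeners, and flags anything reachable from the network that is not on an allow-list of ports I expect. The ss output embedded in the script is a constructed sample, and the allow-list of 22 and 80 is an assumed baseline, not a recommendation for every host.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): cross-check Nmap's outside view of a
# box with the inside view from ss on the box itself, and flag listeners bound to
# a non-loopback address that are not on my allow-list. Assumes iproute2's ss
# (-H no header, -l listening, -t TCP, -n numeric); the sample output is constructed.

export LC_ALL=C

# Constructed `ss -Hltn` output: State Recv-Q Send-Q Local:Port Peer:Port
sample_ss() {
    cat <<'EOF'
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*
LISTEN 0      4096       127.0.0.1:8080      0.0.0.0:*
LISTEN 0      4096   192.168.1.50:5432      0.0.0.0:*
EOF
}

# exposed_listeners < ss-output: "PORT ADDRESS" for sockets reachable from the
# network, i.e. bound to a wildcard or a real interface address, not loopback
exposed_listeners() {
    awk '$1 == "LISTEN" {
        n = split($4, p, ":")
        port = p[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        # loopback-only sockets are invisible to a remote Nmap scan; skip them
        if (addr ~ /^127\./ || addr == "[::1]") next
        print port, addr
    }' | sort -n
}

# exposed_ports < ss-output: the distinct port numbers from exposed_listeners
exposed_ports() {
    exposed_listeners | awk '{ print $1 }' | sort -n -u
}

# unexpected_exposed "22 80" < ss-output: exposed ports not on the allow-list
unexpected_exposed() {
    allow=" $1 "
    exposed_ports | while read -r port; do
        case "$allow" in
            *" $port "*) ;;            # expected, say nothing
            *) echo "$port" ;;
        esac
    done
}

# Real use, on the host itself: ./inside-view.sh --live "22 80"
if [ "${1:-}" = "--live" ]; then
    ss -Hltn | unexpected_exposed "${2:-22 80}"
fi
```

In the sample, 3306 and 8080 are bound to 127.0.0.1 and never show up in a scan from my laptop, which is the right state for a database and a dev server. The PostgreSQL listener on 5432 is bound to the LAN address, so it is what Nmap would report as open and what I would move to localhost or put behind a firewall rule.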

Beginner mistakes to avoid

Nmap is powerful, but most mistakes come from scanning the wrong thing, scanning too broadly, or not understanding the output.

Avoid this: bad habits

  • Scanning random public IPs without permission
  • Running huge scans before understanding the target
  • Assuming OS detection is always correct
  • Forgetting to save scan results
  • Ignoring the difference between open (a service answered), closed (the host answered but nothing is listening), and filtered (no answer at all, usually a firewall in the way)
Do this instead: better habits

  • Start with your own lab or authorized CTF target
  • Scan broad first, then narrow down
  • Use -sV to identify services
  • Save output with -oN or -oA
  • Write notes as you go

My basic Nmap cheat sheet

This is the short version I would keep nearby.

# Find my IP and route
ip -4 addr show
ip route

# Find live hosts on my own local network
nmap -sn 192.168.1.0/24
sudo nmap -sn -PR 192.168.1.0/24

# Basic scan of one host
nmap 192.168.1.50

# Service detection
nmap -sV 192.168.1.50

# OS detection
sudo nmap -O 192.168.1.50

# All TCP ports
nmap -p- 192.168.1.50

# All TCP ports with service detection
nmap -p- -sV --reason 192.168.1.50

# Save normal output
nmap -sV -oN scan-results.txt 192.168.1.50

# Save all output formats
nmap -sV -oA scans/target-name 192.168.1.50

# Scan from a list of authorized targets
nmap -sV -iL targets.txt -oA scans/lab-scan

Final idea

Nmap is one of the best first tools to learn because it teaches recon. It helps me find devices, understand networks, discover exposed services, and turn a confusing environment into something I can reason about. Used safely, it is useful for home labs, CTFs, school labs, server hardening, troubleshooting, and real penetration testing workflows.