Now you touch the target: find live hosts, open ports, and the exact services behind them. nmap is the workhorse — the map of what can be attacked (and defended).
Why: scanning identifies which hosts are up and which ports are open, turning a list of IPs into a concrete list of reachable services — the foundation of the whole test. When: run this only against in-scope targets, at an agreed rate. Where: nmap is the standard tool; a closed vs. open vs. filtered port tells you what the network is exposing.
# Discover live hosts on the authorized lab subnet:
nmap -sn 192.168.56.0/24 # ping sweep, no port scan
# Scan ports on a specific in-scope target:
nmap -p- 192.168.56.101 # all 65535 TCP ports
nmap --top-ports 1000 192.168.56.101 # faster: the 1000 most commonWhy: an open port is only useful once you know exactly what is behind it — the service, its version, and its configuration — because that is what maps to known vulnerabilities. When: run version detection and default scripts on discovered ports. Where: precise version info (e.g. "vsftpd 2.3.4") is the key that unlocks the vulnerability-identification phase.
# Identify service + version, run safe default scripts, detect the OS:
nmap -sV -sC -O 192.168.56.101
# Example output tells you exactly what's running:
# 21/tcp open ftp vsftpd 2.3.4
# 22/tcp open ssh OpenSSH 4.7p1
# 80/tcp open http Apache httpd 2.2.8
# Those versions are what you look up next.Why: each service has its own enumeration — web servers have directories and endpoints, SMB has shares and users, databases have accounts — and thorough enumeration finds the weak spot. When: dig into every in-scope service methodically; the flaw is usually in enumeration, not exotic exploits. Where: "enumeration is king" — most footholds come from carefully cataloging what is exposed.
# Web content discovery (in scope):
gobuster dir -u http://192.168.56.101 -w /usr/share/wordlists/dirb/common.txt
# SMB shares and info:
smbclient -L //192.168.56.101 -N
enum4linux -a 192.168.56.101
# Methodical enumeration of every service beats hunting for a magic exploit.