Network discovery is a fundamental aspect of cybersecurity and ethical hacking. Understanding what devices exist on a network, what services they run, and what potential vulnerabilities they expose is essential for maintaining a secure digital environment. In this blog post, we document our hands-on experience setting up a Kali Linux virtual machine and using Nmap (Network Mapper) to perform comprehensive network discovery on a home network.
Nmap is an open-source utility that has become the industry standard for network exploration and security auditing. It uses raw IP packets to determine available hosts on a network, the services those hosts offer, the operating systems they run, and various other characteristics essential for security assessment. Known for its versatility, Nmap allows security professionals to identify active hosts, enumerate running services, and detect vulnerabilities.
Lab Setup: Kali Linux Virtual Machine
Environment Configuration
Before diving into network scanning, we set up a proper lab environment using:
- Hypervisor: VirtualBox 7.0
- Guest OS: Kali Linux 2024.4
- RAM Allocation: 4 GB (minimum 2 GB required)
- Storage: 25 GB dynamically allocated VDI
- Network Mode: Bridged Adapter
Finding My Network Range
Before scanning, we first determined the network’s IP range using the following command:
ip addr show
The output showed the eth0 interface up with the address 192.168.0.179/24. The /24 prefix tells us the subnet is 192.168.0.0/24 (usable addresses 192.168.0.1 to 192.168.0.254), which is the range scanned below. Because the VM uses a bridged adapter, it obtained this address from the home router’s DHCP server and sits on the same Ethernet segment as the physical devices, so Nmap can reach them directly rather than through the hypervisor’s NAT. Note the address: the VM will appear in its own scan results.
Network Discovery: Host Scanning
Ping Sweep with Nmap (-sn)
The first step in network reconnaissance is identifying which hosts are active on the network. Using Nmap’s ping scan, we discovered the live devices without performing port scans. The -sn option disables port scanning and focuses solely on host discovery, making the process faster and less intrusive. Run as root against a directly connected subnet, Nmap implements -sn with ARP requests rather than ICMP echo, so it also finds hosts whose firewalls drop ping, and the ARP replies carry each device’s MAC address, which Nmap matches against its built-in OUI table to name the vendor. This is why sudo matters here: without root, Nmap falls back to a TCP connect and ICMP based sweep and the MAC and vendor columns are missing.
Command Used:
sudo nmap -sn 192.168.0.0/24
Scan Results: Discovered Devices
The sweep found six active devices on the network. Nmap’s MAC-to-vendor lookup gave a first indication of what kind of hardware each one is, but a vendor name alone does not tell us who owns a device or whether it belongs on the network, which is why several hosts are still marked unknown in the inventory below.
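To turn the -sn output into something you can keep and compare against later scans, it is easier to parse Nmap’s XML output (-oX) than the screen text. The script below is an added example, not code from the post: it reads a constructed sample in Nmap’s XML format (MAC addresses and vendor strings are made up, only the IP addresses match the post), labels the scanning VM (the one live host with no MAC, because Nmap does not ARP for its own interface), checks hand-maintained allow-list KNOWN_DEVICES (an assumption), and flags the rest for verification. It also checks the locally administered bit of the MAC, which randomised MAC addresses set, since phones with MAC privacy enabled are a common source of “unknown” hosts on a home network.

```python
"""Turn `sudo nmap -sn -oX - 192.168.0.0/24` output into a labelled host inventory."""
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's XML output format (not a capture from the lab).
# MAC addresses and vendor strings are made up; only the IPs match the post.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sn -oX - 192.168.0.0/24" version="7.94">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.0.1" addrtype="ipv4"/>
<address addr="C8:3A:35:00:00:01" addrtype="mac" vendor="Tenda Technology"/></host>
<host><status state="up" reason="localhost-response"/>
<address addr="192.168.0.179" addrtype="ipv4"/></host>
<host><status state="up" reason="arp-response"/>
<address addr="192.168.0.191" addrtype="ipv4"/>
<address addr="00:11:22:33:44:55" addrtype="mac"/></host>
<host><status state="up" reason="arp-response"/>
<address addr="192.168.0.196" addrtype="ipv4"/>
<address addr="DA:12:34:56:78:9A" addrtype="mac"/></host>
<host><status state="up" reason="arp-response"/>
<address addr="192.168.0.199" addrtype="ipv4"/>
<address addr="00:1B:21:00:00:02" addrtype="mac" vendor="Intel Corporate"/></host>
</nmaprun>"""

# Assumed: a hand-maintained allow-list of devices you have already verified, keyed by MAC.
KNOWN_DEVICES = {
    "C8:3A:35:00:00:01": "Tenda router (gateway)",
    "00:1B:21:00:00:02": "Desktop PC",
}


def parse_hosts(xml_text):
    """Return one dict per host Nmap reported as up: ip, mac, vendor, reason."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        entry = {"ip": None, "mac": None, "vendor": None, "reason": status.get("reason")}
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                entry["ip"] = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                entry["mac"] = addr.get("addr").upper()
                entry["vendor"] = addr.get("vendor")  # absent when the OUI is not in Nmap's table
        hosts.append(entry)
    return hosts


def locally_administered(mac):
    """True when the U/L bit of the first octet is set; randomised (privacy) MACs set it."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def label_host(host, known=KNOWN_DEVICES):
    """Label a host as the scanner itself, a known device, or something still to verify."""
    if host["mac"] is None:
        # Nmap does not ARP for its own interface, so in a local ARP sweep the scanning
        # host is the one 'up' entry without a MAC (its reason is 'localhost-response').
        return "scanner (this VM)"
    if host["mac"] in known:
        return known[host["mac"]]
    if locally_administered(host["mac"]):
        return "UNKNOWN - verify (randomised MAC, typically a phone or laptop with MAC privacy on)"
    if host["vendor"]:
        return f"UNKNOWN - verify (vendor: {host['vendor']})"
    return "UNKNOWN - verify (no vendor match)"


def inventory(xml_text, known=KNOWN_DEVICES):
    """(ip, mac, label) for every live host, in the order Nmap reported them."""
    return [(h["ip"], h["mac"], label_host(h, known)) for h in parse_hosts(xml_text)]


if __name__ == "__main__":
    for ip, mac, label in inventory(SAMPLE_XML):
        print(f"{ip:<16} {mac or '-':<18} {label}")
```

For a real run, save the scan with `sudo nmap -sn -oX hosts.xml 192.168.0.0/24` and pass the file’s contents to inventory(); every host that comes back labelled UNKNOWN is one to track down (router DHCP client list, physical check) and then add to KNOWN_DEVICES so the next scan only flags genuinely new arrivals.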
Service Detection: Deep Scanning
Version Detection Scan (-sV)
After identifying active hosts, the next step was determining which services were running on each device. Nmap’s service version detection first finds open ports (by default the 1,000 most common TCP ports; add -p- to cover all 65,535) and then sends a series of probes to each open port, matching the responses against its signature database to identify application names and versions. This information is crucial for uncovering potential vulnerabilities and misconfigurations, because a version string is what you look up against published advisories.
Commands Used:
sudo nmap -sV 192.168.0.1
sudo nmap -sV 192.168.0.199
Detailed Service Scan Results
Router (192.168.0.1)
The Nmap scan showed that the router at 192.168.0.1 had three open ports: 80 (HTTP), 443 (HTTPS), and 9000 (unknown service). The service on port 9000 answered Nmap’s probes, but none of the responses matched a known signature, so instead of a product and version Nmap printed a service fingerprint (a block beginning SF-Port9000-TCP:). The name Nmap shows beside such a port comes only from its port-number table and is a guess, not a confirmed identification.
Desktop PC (192.168.0.199)
The version scan identified active services on the desktop host and helped confirm which systems were exposing network services. This step was useful for distinguishing between devices that were merely online and those that were actually accepting connections.
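Nmap’s XML output records how it arrived at each service name, which makes the difference between a confirmed match and a guess explicit: `method="probed"` with a high `conf` means a probe response matched a signature, `method="table"` means the name was looked up by port number only, and a `servicefp` attribute means the port replied but nothing matched. The script below is an added example, not code from the post; it parses a constructed -sV XML sample modelled on the router result (product and version strings and the fingerprint body are made up, the port set is the post’s) and separates verified services from ones that still need a human look.

```python
"""Rank the services in `sudo nmap -sV -oX - <host>` output by how Nmap identified them."""
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's XML format, modelled on the router result in the post.
# Product/version strings and the fingerprint body are made up; the port set is the post's.
SAMPLE_XML = r"""<nmaprun scanner="nmap" args="nmap -sV -oX - 192.168.0.1" version="7.94">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.0.1" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="filtered" reason="no-response"/>
<service name="ssh" method="table" conf="3"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="lighttpd" version="1.4.59" method="probed" conf="10"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
<service name="http" product="lighttpd" version="1.4.59" tunnel="ssl" method="probed" conf="10"/></port>
<port protocol="tcp" portid="9000"><state state="open" reason="syn-ack"/>
<service name="cslistener" method="table" conf="3"
 servicefp="SF-Port9000-TCP:V=7.94%I=7%D=1/1%Time=00000000%P=x86_64-pc-linux-gnu%r(NULL,1,&quot;\n&quot;);"/></port>
</ports></host></nmaprun>"""


def describe(ip, port, svc):
    """Summarise one open port: what Nmap calls it and how much that name is worth."""
    entry = {"ip": ip, "port": f"{port.get('portid')}/{port.get('protocol')}",
             "name": "?", "product": "", "conf": 0, "verdict": "unknown"}
    if svc is None:                        # no <service> element at all
        return entry
    entry["name"] = svc.get("name", "?")
    if svc.get("tunnel") == "ssl":         # Nmap prints this as ssl/http
        entry["name"] = "ssl/" + entry["name"]
    entry["product"] = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
    entry["conf"] = int(svc.get("conf", "0"))
    if svc.get("servicefp"):
        # The port answered probes but matched nothing in nmap-service-probes:
        # the name is only the nmap-services table entry for that port number.
        entry["verdict"] = "unmatched"
        entry["fingerprint"] = svc.get("servicefp")
    elif svc.get("method") == "probed":
        entry["verdict"] = "verified"      # a probe response matched a known signature
    else:
        entry["verdict"] = "guessed"       # method="table": port-number lookup only
    return entry


def open_services(xml_text):
    """One summary per open port across all hosts; closed and filtered ports are skipped."""
    results = []
    for host in ET.fromstring(xml_text).iter("host"):
        ip = next(a.get("addr") for a in host.findall("address") if a.get("addrtype") == "ipv4")
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                results.append(describe(ip, port, port.find("service")))
    return results


def needs_investigation(services):
    """Everything whose name is not backed by a matched probe response."""
    return [s for s in services if s["verdict"] != "verified"]


if __name__ == "__main__":
    for s in open_services(SAMPLE_XML):
        print(f"{s['port']:<10} {s['name']:<12} {s['product']:<18} conf={s['conf']:<3} {s['verdict']}")
    for s in needs_investigation(open_services(SAMPLE_XML)):
        print(f"follow up: {s['ip']}:{s['port']} fingerprint={s.get('fingerprint', 'none')[:40]}...")
```

On the sample, 80 and 443 come out as verified while 9000 is reported as unmatched with its fingerprint attached; “cslistener” is simply the nmap-services entry for 9000/tcp and says nothing about what is actually listening there. Fingerprints like this are what Nmap asks you to submit so the signature database improves.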
As part of the security assessment, the diagrams below visually represent the home network setup, highlighting the devices and services identified during scanning.
This diagram visualises the local 192.168.0.0/24 network, showing the router with its open ports and all connected devices, including the desktop and the unidentified hosts.
Network Topology Overview
At the centre of the topology is the Tenda home router (192.168.0.1), functioning as both the default gateway and the primary wireless access point. All detected devices, whether connected through Ethernet or Wi-Fi, communicate through this router.
Discovered Network Components
- Router (192.168.0.1) – Central gateway providing essential network routing and hosting multiple services:
  - 80/tcp (HTTP)
  - 443/tcp (HTTPS)
  - 9000/tcp (unknown service)
- Desktop PC (192.168.0.199) – Trusted endpoint connected to the network.
- Kali VM (192.168.0.179) – The scanning host itself: this is the address assigned to eth0 in the ip addr show output above, so it is expected in the results and should be labelled as our own machine rather than treated as unknown.
- Unknown Device (192.168.0.191) – Unidentified endpoint requiring investigation.
- Unknown Device (192.168.0.196) – Unidentified endpoint requiring investigation.
A design-focused callout box highlights the router’s exposed services, emphasising that these open management and application ports may require additional security hardening. The visualisation communicates a centralised router with multiple endpoints—some trusted and some unidentified—along with a quick overview of potential exposure points.
Security Risk Assessment
Presence of Unidentified Devices
Nmap detected hosts within the 192.168.0.0/24 subnet that were not immediately associated with a known device. One of them, 192.168.0.179, is the Kali VM’s own eth0 address from the ip addr show output and can be labelled straight away. The remaining two (192.168.0.191 and 192.168.0.196) could be IoT devices, guest connections, phones using randomised MAC addresses, or unauthorised endpoints. Any unknown or unmanaged device increases the overall attack surface, and “unknown” should be resolved rather than accepted: compare the addresses against the router’s DHCP client list and the devices physically present, and record the result.
Router Exposing Web Management Interfaces
The router (192.168.0.1) exposes its management interface over both HTTP (80) and HTTPS (443).
- HTTPS encrypts the session, so credentials and session cookies are protected in transit; it is the interface that should be used. Consumer routers typically present a self-signed certificate, so expect a browser warning, and make sure the habit of clicking through it does not extend to other sites.
- HTTP transmits the login form, credentials and session cookies in plaintext. Anyone on the same network segment (or on the Wi‑Fi) who can capture traffic can read them, so the HTTP listener should be disabled or made to redirect to HTTPS.
If weak or default credentials are configured, an attacker with network access could log in to the router, change DNS settings, open port forwards, or replace the firmware, compromising every device behind it.
Unidentified Service Running on Port 9000/tcp
An additional service is listening on 9000/tcp and its purpose is not yet known: Nmap could not match it and only recorded a fingerprint. Until it is identified, this port should be treated as unverified exposure rather than assumed harmless, particularly because it is listening on the gateway that every other device depends on. The next step is to find out what answers there (the router’s documentation, a manual connection to the port, or a more aggressive Nmap version scan) and then decide whether it is needed.
What We Can Do Next
Based on our findings, the following steps should be taken to strengthen network security:
- Identify and label all devices connected to the network to ensure that no unauthorised hosts exist.
- Secure the router’s management interfaces by:
  - Disabling HTTP access (or redirecting it to HTTPS) so credentials are never sent in plaintext
  - Using strong, unique administrator credentials
  - Confirming that management is reachable only from the LAN side and not from the WAN (remote management off)
- Investigate the service running on port 9000 and disable it if it is unnecessary.
- Keep the router firmware updated to mitigate known vulnerabilities.
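Investigating port 9000 by hand means doing, in miniature, what nmap -sV does first: connect, wait to see whether the service announces itself, and if it stays silent send an HTTP request, since a great many unidentified ports on home routers turn out to be web consoles. The script below is an added example, not code from the post or from the router vendor. Run as `python3 probe.py 192.168.0.1 9000` it probes the real port; with no arguments it starts a constructed local listener that imitates a silent-until-asked web console, so the file runs offline. The HEAD request and the “constructed-console” banner are assumptions for the demonstration.

```python
"""Hand-probe a single TCP port the way nmap -sV starts: listen for a banner, then talk HTTP.

Usage: python3 probe.py <host> <port>    (no arguments: probe a local throwaway listener)
"""
import socket
import sys
import threading


def probe_port(host, port, timeout=3.0):
    """Return (banner, http_reply): bytes the service volunteers, then its answer to a HEAD request."""
    banner, http_reply = b"", b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            banner = s.recv(1024)       # NULL probe: SSH, FTP, SMTP and friends speak first
        except socket.timeout:
            pass                        # silent service: the client has to speak first
        try:
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            http_reply = s.recv(2048)   # GetRequest-style probe: does it answer as a web server?
        except (socket.timeout, OSError):
            pass                        # no answer, or the service closed on unexpected input
    return banner, http_reply


def classify_reply(banner, http_reply):
    """Turn the two replies into a one-line verdict for the inventory."""
    if http_reply.startswith(b"HTTP/"):
        lines = http_reply.split(b"\r\n")
        status = lines[0].decode(errors="replace")
        server = "not disclosed"
        for line in lines[1:]:
            if line.lower().startswith(b"server:"):
                server = line.split(b":", 1)[1].strip().decode(errors="replace")
        return f"http ({status}; Server: {server})"
    if banner:
        return "banner: " + banner.strip().decode(errors="replace")
    return "silent/unknown: no banner and no HTTP reply; try nmap -sV --version-all -p <port> or capture the traffic"


def start_fake_console():
    """Constructed stand-in for an unidentified web console: silent until asked, then answers HTTP."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # ephemeral port, returned to the caller
    srv.listen(1)

    def serve_once():
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(5)
            try:
                conn.recv(1024)         # wait for the client's request; never volunteer a banner
            except socket.timeout:
                pass
            conn.sendall(b"HTTP/1.0 200 OK\r\nServer: constructed-console/1.0\r\nContent-Length: 0\r\n\r\n")
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    if len(sys.argv) == 3:
        target, port = sys.argv[1], int(sys.argv[2])
    else:
        target, port = "127.0.0.1", start_fake_console()
    print(classify_reply(*probe_port(target, port, timeout=2.0)))
```

Whatever the verdict, the Server header or banner is only a starting point: confirm it against the router’s own documentation and menus, and if the port still cannot be explained, treat it as something to disable rather than something to trust.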