Metasploitable Nmap Enumeration Lab 2026 — Complete Walkthrough

📰 Originally published on SecurityElites — the canonical, fully-updated version of this article.

🧪 METASPLOITABLE LAB SERIES

FREE

Lab 2 of the Metasploitable Series · 7% complete

⚠️ Legal Disclaimer: This lab must be run against your own Metasploitable 2 VM on a fully isolated local network — host-only or NAT adapter only. Never run these scans against systems you do not own or have explicit written authorisation to test. Unauthorised scanning is illegal in most jurisdictions.

This lab is the bridge from setup to exploitation. Before you touch a single exploit in Metasploit, you need to know exactly what’s running, what versions, and what OS you’re dealing with. Miss this phase and you’re guessing. Do it right — using the technique I’m walking you through here — and your exploit selection goes from random to surgical. If you haven’t set up your lab yet, start with the Metasploitable Lab Setup guide first, then come back here. This lab sits inside the broader ethical hacking methodology — enumeration is Phase 2, and it drives everything that follows.

🎯 What You’ll Master in This Lab

✅ Discover your Metasploitable target using Nmap host discovery
✅ Run a full 65535-port TCP scan and read the output like a pro
✅ Extract exact service and version numbers with -sV
✅ Fingerprint the target OS using -O and aggressive scan mode
✅ Run NSE scripts to pull vulnerability intelligence before exploiting

⏱️ ~90 minutes · 3 exercises · browser + terminal + analysis ### Before You Start — What You Need - You need Metasploitable 2 running in VirtualBox or VMware — set it up here if you haven’t already - You need Kali Linux with Nmap installed — Nmap ships with Kali by default, so just open a terminal - You need both VMs on the same host-only or NAT network — they must be able to reach each other - You need your Metasploitable IP address — you’ll confirm this in Step 1 using host discovery - You need root or sudo access on Kali — OS fingerprinting requires elevated privileges ### Lab Contents — Metasploitable Nmap Enumeration Lab 2026 1. Step 1 — Find Your Metasploitable Target on the Network 2. Metasploitable Nmap Enumeration — Full TCP Port Scan 3. Service Version Detection — What’s Actually Running on Each Port 4. OS Fingerprinting — Confirm What You’re Actually Attacking 5. NSE Scripts — Pull Vulnerability Intelligence Automatically 6. UDP Scanning — The Ports Everyone Forgets 7. Reading Your Results — Building the Target Profile In Lab 1 you got Metasploitable running and confirmed the VM is reachable. Now the real work starts. Enumeration is the phase that separates a useful pentest from a lucky guess — it’s where you build the intelligence that determines which exploits are worth running. Skip it and you’re firing blind. Do it properly and by the time you open Metasploit you’ll already know exactly which module to load. If you want to see the full range of free labs this methodology connects to, check the SecurityElites Labs — 47 Free Hacking Labs list. And when you need quick reference on the specific Nmap flags we’re using today, the SecurityElites tools section has you covered.

Step 1 — Find Your Metasploitable Target on the Network

Before any other scan runs, I always confirm the target IP with a host discovery sweep. Not because I don’t trust the setup — but because scanning the wrong IP in a lab environment wastes time, and on a real engagement it’s a cardinal sin. On Metasploitable labs your subnet is usually 192.168.x.x or 10.0.x.x depending on your VM adapter config. Here’s how to pin it down in under 30 seconds.

NMAP — PING SWEEP (HOST DISCOVERY)

Copy

Replace 192.168.56.0/24 with your actual subnet

sudo nmap -sn 192.168.56.0/24
Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for 192.168.56.1
Host is up (0.00023s latency).
Nmap scan report for 192.168.56.101
Host is up (0.00089s latency).
MAC Address: 08:00:27:XX:XX:XX (Oracle VirtualBox)
Nmap done: 256 IP addresses (2 hosts up) scanned in 2.14s

Two hosts up. The .1 is your gateway or host adapter. The .101 with the VirtualBox MAC address — that’s Metasploitable. Lock that IP in. Every command from here uses it as the target.

If you’re on a NAT network rather than host-only, use the ARP scan variant — it’s faster and more reliable on local segments:

NMAP — ARP DISCOVERY (FASTER ON LOCAL NETWORKS)

Copy

ARP scan — works only on local subnet, no routing required

sudo nmap -PR -sn 192.168.56.0/24
Host is up (0.00031s latency).
MAC Address: 08:00:27:A1:B2:C3 (Oracle VirtualBox)

securityelites.com

root@kali:~# sudo nmap -sn 192.168.56.0/24
Starting Nmap 7.94 ( https://nmap.org ) at 2026-04-21 09:14 BST
Nmap scan report for 192.168.56.1
Host is up (0.00023s latency).
Nmap scan report for 192.168.56.101
Host is up (0.00089s latency).
MAC Address: 08:00:27:A1:B2:C3 (Oracle VirtualBox)
Nmap done: 256 IP addresses (2 hosts up) scanned in 2.14s

📸 Ping sweep results — two hosts discovered. The VirtualBox MAC address on 192.168.56.101 confirms this is your Metasploitable VM. That’s your target IP for every scan that follows.

📖 Read the complete guide on SecurityElites

This article continues with deeper technical detail, screenshots, code samples, and an interactive lab walk-through. Read the full article on SecurityElites →

This article was originally written and published by the SecurityElites team. For more cybersecurity tutorials, ethical hacking guides, and CTF walk-throughs, visit SecurityElites.

推荐订阅源