Ethical Hacking for Beginners – Episode 2: Scanning & Enumeration (Updated June 2026)
Here is the thing that separates a real penetration tester from a beginner — it is not the exploit tools, it is the scanning phase. NASSCOM and Deloitte project India will need 1.25 million AI and cybersecurity professionals by 2027, and every single one of those roles expects you to map a network before touching it. In Episode 2 of our Ethical Hacking series, we go deep on scanning and enumeration — the methodology and tools security professionals use to chart attack surfaces. These skills are tested in every CEH, OSCP, and bug bounty program that pays real money in India. If you have watched Episode 1, you know the theory. Now we get practical.
- Scanning identifies live hosts, open ports, and running services on target systems
- Enumeration extracts deeper details — usernames, shares, DNS records, OS fingerprints
- Nmap is the gold-standard scanning tool, free and used by professionals worldwide
- Nessus and OpenVAS automate vulnerability detection and generate client-ready reports
- Always scan only systems you have explicit written authorization to test — no exceptions
What Is the Scanning Phase in Ethical Hacking?
Scanning is the second phase of the ethical hacking lifecycle, sitting between reconnaissance and exploitation. Your goal here is discovery — find out which systems are alive, which ports are open, and what services are running. Think of it like a building surveyor checking every door and window before recommending a security upgrade. There are four main types: port scanning (which ports are open?), network scanning (which hosts are alive?), vulnerability scanning (what weaknesses exist?), and banner grabbing (what exact software version is running?). What most people do not realize is that thorough scanning often surfaces more actionable intelligence than the exploitation phase itself. A well-executed scan with proper documentation is easily 70% of a professional penetration test. Clients pay for the report, not the dramatic exploit — and reports are built from scan data.

Nmap: The Essential Tool Every Security Professional Uses
Nmap — Network Mapper — is the first tool any serious ethical hacker masters, and it stays relevant throughout your career regardless of specialization. The basics get you far: nmap [target] scans the top 1,000 TCP ports. Add -sV for service version detection, -O for OS fingerprinting, and -A for an aggressive combined scan. The SYN scan (-sS) is the professional default — faster than a full connect scan and less noisy in logs. UDP scanning (-sU) catches services like DNS, SNMP, and TFTP that TCP scans miss entirely, and many of the juiciest vulnerabilities live on UDP. Here is a command I give every student as their starting point: nmap -sV -sC --open [target]. The -sC flag runs Nmap default scripts alongside service detection and surfaces low-hanging fruit automatically. Master the Nmap Scripting Engine (NSE) next — the --script vuln flag runs a full vulnerability sweep, --script smb-enum-shares enumerates Windows file shares, and --script dns-zone-transfer attempts DNS zone transfers. These script categories alone cover a huge portion of what you find in real-world engagements.
Enumeration Techniques: Extracting What Scanning Misses
Where scanning gives you a list of open ports, enumeration tells you what is behind each one. This is where you extract specific, actionable intelligence — usernames, group memberships, shared folders, DNS zone data, and running processes. For Windows and Samba targets, enum4linux is your first stop: it pulls user lists, share names, group memberships, and OS details via SMB. A null session — connecting to SMB with no credentials — still works on many legacy enterprise systems and can hand you a complete user list with zero authentication. rpcclient gives you similar output via RPC. For Linux and network devices, SNMP enumeration is critical — run snmpwalk with common community strings like public and private against any device with port 161 open. DNS enumeration should be attempted on every engagement: a successful zone transfer (dig axfr @nameserver domain.com) dumps every DNS record in the zone, giving you a complete map of internal hostnames. SMTP enumeration using the VRFY and EXPN commands confirms valid email addresses for phishing assessments. Document every finding with the exact command used — this discipline is what separates junior testers from professionals.
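The Nmap section and the enumeration section above both come back to the same discipline: every finding in the report sits next to the exact command that produced it. The script below is an added example written for this episode (not code from the original post or from the Nmap project). It reads Nmap's XML output (`-oX`), keeps only hosts that are up and ports that are open, attaches any NSE script output to the port it belongs to, and stamps every row with the scan command taken from the `args` attribute of the `nmaprun` element, so each line of the resulting table can be reproduced. The XML embedded here is a constructed sample in Nmap's output format; the addresses, versions and script output are made up for illustration, and in the lab you would feed it the file written by `nmap ... -oX scan.xml` against your own Metasploitable VM.

```python
"""Turn Nmap XML output into a findings inventory that records the exact
command used, so each row of the report is reproducible.

Added example for this episode, not part of the original post.  SAMPLE_XML
is a constructed sample in Nmap's -oX format (hosts, versions and script
output are invented); replace it with a real scan.xml from your own lab."""

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample: one host up with three open ports (one carrying an
# NSE script result), one filtered port that must be ignored, and one host
# that did not respond at all.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sC --open -oX scan.xml 192.168.56.101" version="7.94">
<host>
<status state="up" reason="arp-response"/>
<address addr="192.168.56.101" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="21"><state state="open"/>
<service name="ftp" product="vsftpd" version="2.3.4"/>
<script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/></port>
<port protocol="tcp" portid="22"><state state="open"/>
<service name="ssh" product="OpenSSH" version="4.7p1"/></port>
<port protocol="tcp" portid="445"><state state="open"/>
<service name="netbios-ssn" product="Samba smbd" version="3.X - 4.X"/></port>
<port protocol="tcp" portid="8180"><state state="filtered"/>
<service name="http"/></port>
</ports>
</host>
<host>
<status state="down" reason="no-response"/>
<address addr="192.168.56.102" addrtype="ipv4"/>
</host>
</nmaprun>
"""


@dataclass
class Finding:
    host: str
    port: int
    proto: str
    service: str
    version: str
    scripts: dict = field(default_factory=dict)  # NSE script id -> output
    command: str = ""                            # exact nmap command line


def parse_nmap_xml(xml_text):
    """Return one Finding per open port on every host that is up."""
    root = ET.fromstring(xml_text)
    command = root.get("args", "")          # Nmap records its own argv here
    findings = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                        # skip hosts that did not answer
        addr_el = host.find("address[@addrtype='ipv4']") or host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                    # filtered/closed ports are noise here
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            parts = [svc.get("product"), svc.get("version"), svc.get("extrainfo")] if svc is not None else []
            version = " ".join(p for p in parts if p)
            scripts = {s.get("id"): s.get("output", "").strip() for s in port.findall("script")}
            findings.append(Finding(addr, int(port.get("portid")), port.get("protocol"),
                                    name, version, scripts, command))
    return findings


def to_markdown(findings):
    """Render the inventory as the table a client report is built from."""
    lines = ["| Host | Port | Service | Version | Script findings |",
             "|---|---|---|---|---|"]
    for f in findings:
        notes = "; ".join(f"{k}: {v}" for k, v in f.scripts.items()) or "-"
        lines.append(f"| {f.host} | {f.port}/{f.proto} | {f.service} | {f.version or '-'} | {notes} |")
    if findings:
        lines.append(f"\nCommand used: `{findings[0].command}`")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_markdown(parse_nmap_xml(SAMPLE_XML)))
```

The filtered port and the unresponsive host are deliberately left out of the table, because a report row should only ever state something you observed; the `Command used` footer is what lets a colleague, or the client's own team, rerun the scan and confirm the same result.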

| Tool | Type | Cost | Best Use Case | Level |
|---|---|---|---|---|
| Nmap | Port/Network Scanner | Free | Network mapping, service detection, NSE scripts | Beginner–Advanced |
| Nessus Essentials | Vulnerability Scanner | Free (16 IPs) | Automated CVE detection, compliance audits | Intermediate |
| OpenVAS | Vulnerability Scanner | Free | Enterprise-scale vulnerability management | Intermediate |
| enum4linux | Enumeration Tool | Free | SMB/Windows user and share enumeration | Beginner |
| Netcat (nc) | Network Utility | Free | Banner grabbing, port connectivity checks | Beginner |
| Masscan | Fast Port Scanner | Free | Rapid scanning of large IP ranges | Intermediate |
Vulnerability Scanning with Nessus and OpenVAS
Manual scanning builds understanding; vulnerability scanners deliver scale. Nessus Essentials (free for up to 16 IPs) and OpenVAS (fully free, open-source) are the two tools referenced in virtually every security analyst job description at companies like HCL Technologies, Tech Mahindra, and Wipro. Both automatically identify missing patches, misconfigurations, default credentials, and known CVEs, generating reports with CVSS severity scores in a format clients expect. Nessus has a cleaner interface and faster scan engine; OpenVAS is completely free and widely used in budget-conscious enterprise environments. The professional workflow is: run a vulnerability scanner first to map the landscape, then manually verify each finding and attempt exploitation on critical-severity issues. False positives exist — a scanner may flag a vulnerability that has already been patched or is mitigated by a compensating control. Manual verification is what turns a scan dump into a quality pentest report that justifies your fee. Hiring managers at security consultancies test this distinction directly in interviews.
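The workflow just described (scanner first, then verify each finding by hand, criticals first) is easy to state and easy to skip under time pressure. The following added example, written for this episode and not taken from the original post or from Nessus or OpenVAS, turns a scanner export into a verification queue: it merges the same plugin hit across several hosts into one item, maps the CVSS score onto the CVSS v3.x qualitative bands (Critical 9.0–10.0, High 7.0–8.9, Medium 4.0–6.9, Low 0.1–3.9), drops purely informational rows, orders the queue so the critical items are verified first, and records the outcome of each manual check so that false positives leave an evidence trail instead of silently disappearing. The CSV column layout and every row in it are constructed for this example; the CVE identifiers are placeholders, not real CVE numbers, and the actual export columns of your scanner will differ.

```python
"""Build a manual-verification queue from a vulnerability scanner export.

Added example for this episode, not part of the original post and not
scanner code.  SAMPLE_CSV is a constructed export with an assumed column
layout (host,port,plugin_id,cve,cvss,title); CVE-XXXX-000N are placeholders."""

import csv
import io
from collections import defaultdict

SAMPLE_CSV = """host,port,plugin_id,cve,cvss,title
192.168.56.101,21,10001,CVE-XXXX-0001,9.8,Outdated FTP daemon with known remote code execution
192.168.56.102,21,10001,CVE-XXXX-0001,9.8,Outdated FTP daemon with known remote code execution
192.168.56.101,445,10002,CVE-XXXX-0002,7.5,SMB server allows null session enumeration
192.168.56.101,3306,10003,,5.3,MySQL service accepts remote connections
192.168.56.103,22,10004,CVE-XXXX-0003,2.6,SSH server supports weak MAC algorithms
192.168.56.101,80,10005,,0.0,Web server banner disclosed
"""

# CVSS v3.x qualitative severity rating scale.
def severity(cvss):
    if cvss == 0.0:
        return "None"
    if cvss < 4.0:
        return "Low"
    if cvss < 7.0:
        return "Medium"
    if cvss < 9.0:
        return "High"
    return "Critical"


SEV_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "None": 4}


def build_queue(csv_text):
    """One queue item per distinct plugin finding, highest severity first."""
    groups = defaultdict(lambda: {"hosts": [], "cvss": 0.0, "cve": "-"})
    for row in csv.DictReader(io.StringIO(csv_text)):
        g = groups[(row["plugin_id"], row["title"])]
        g["hosts"].append(f"{row['host']}:{row['port']}")   # same issue, many hosts
        g["cvss"] = max(g["cvss"], float(row["cvss"]))
        g["cve"] = row["cve"] or g["cve"]
    queue = []
    for (plugin_id, title), g in groups.items():
        sev = severity(g["cvss"])
        if sev == "None":
            continue                    # informational only, nothing to verify
        queue.append({"plugin_id": plugin_id, "title": title, "cve": g["cve"],
                      "cvss": g["cvss"], "severity": sev, "hosts": g["hosts"],
                      "status": "unverified", "evidence": ""})
    # Criticals first; within a band, the higher score first.
    queue.sort(key=lambda q: (SEV_ORDER[q["severity"]], -q["cvss"]))
    return queue


def record_verification(queue, plugin_id, status, evidence):
    """Store the outcome of a manual check ('confirmed' or 'false_positive')
    together with the evidence that justifies it."""
    for item in queue:
        if item["plugin_id"] == plugin_id:
            item["status"] = status
            item["evidence"] = evidence
            return item
    raise KeyError(f"plugin {plugin_id} not in queue")


def summary(queue):
    """Counts per status, the number a reviewer asks for before sign-off."""
    counts = defaultdict(int)
    for item in queue:
        counts[item["status"]] += 1
    return dict(counts)


if __name__ == "__main__":
    q = build_queue(SAMPLE_CSV)
    for item in q:
        print(f"[{item['severity']:8}] {item['cvss']:4} {item['title']} -> {', '.join(item['hosts'])}")
    record_verification(q, "10003", "false_positive",
                        "service bound to loopback only; remote connect refused")
    print(summary(q))
```

The point of `record_verification` is that a false positive is itself a finding about the scanner, not an empty line: the evidence string (here, a constructed note that the service only listens on loopback) is what goes in the report and what a reviewer checks against the scan data.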
Building a Safe Hacking Lab for Daily Practice
The good news is you do not need expensive hardware to practice these skills legally and safely. Here is the exact setup I recommend: install VirtualBox (free) or VMware Workstation Player (free for personal use). Download Kali Linux as your attack VM — it ships with Nmap, Metasploit, Burp Suite, and every tool pre-installed. For practice targets, download Metasploitable 2 (intentionally vulnerable Linux), DVWA (vulnerable web application), and VulnHub machines matched to your level. Connect everything via a host-only network — isolated from the internet, completely legal, unlimited practice. Metasploitable 2 is the best starting point because every vulnerability is intentional: open FTP with anonymous login, outdated Samba with known CVEs, weak MySQL credentials, an open shell on port 1524. Scan it with every Nmap technique from this episode, enumerate with enum4linux and SNMP tools, then run Nessus or OpenVAS against it. Document everything as if it is a real client engagement — this practice report becomes portfolio evidence for job applications.
Cybersecurity Career Paths and Salaries in India 2026
Scanning and enumeration skills feed directly into multiple well-paying cybersecurity career tracks in India. Security Analysts at companies like Infosys BPM, Wipro, and Cognizant earn Rs 4.5–7 LPA at fresher level, growing to Rs 10–16 LPA with 3–4 years experience (AmbitionBox 2025). Penetration testers at firms like KPMG India, Deloitte, and specialized startups like Sequretek and InstaSafe earn Rs 7–15 LPA at mid-level. Vulnerability assessment engineers — who use precisely the Nessus and OpenVAS skills from this episode — typically start at Rs 5–8 LPA. The CEH certification adds a 20–30% salary premium over non-certified peers with equivalent experience. The progression from here: scanning proficiency leads into exploitation practice, then post-exploitation, then professional reporting, then specialization in web application security, cloud security, or red teaming. ABC Trainings runs dedicated cybersecurity batches in Pune (Wagholi, Hadapsar), Aurangabad (CIDCO, Osmanpura), and Sangli with hands-on lab access. Call +91 7039169629 or WhatsApp 7774002496 to book a free demo.
Maharashtra's Chief Minister Yuva Karmadharak Prakalp Yojana (CMYKPY) offers Rs 6,000–10,000 monthly stipends to eligible youth during approved skill training programs. ABC Trainings is an empanelled CMYKPY training center — enroll in our Cybersecurity course and reduce your training cost with government support. Ask our counselors about eligibility when you call or visit.
About the author: Rahul Patil. 12 yrs experience training engineers across Maharashtra.
Visit Our Centers
- Wagholi (Pune): 1st Floor, Laxmi Datta Arcade, Pune-Ahilyanagar Highway. Call 7039169629
- Hadapsar (Pune HQ): 1st Floor, Shree Tower, opp. Vaibhav Theater, Magarpatta. Call 7039169629
- Cidco (Chh. Sambhajinagar): Kalpana Plaza, opp. Eiffel Tower, N-1 Cidco. Call 7039169629
- Osmanpura (Chh. Sambhajinagar): S.S.C Board to Peer Bazar Road, near Jama Masjid. Call 7039169629
- Sangli: Shubham Emphoria, 1st Floor, Above US Polo Assn., Sangli-Miraj Rd, Vishrambag. Weekend batches available. Call 7039169629
FAQs
Is network scanning without permission illegal in India?
Yes — scanning any network or system without explicit written authorization is illegal under the IT Act 2000 and IT Amendment Act 2008 in India. Ethical hackers always operate under a signed Rules of Engagement document specifying which systems can be tested, when, and by whom. In our training program, all scanning practice is performed on intentionally vulnerable virtual machines in an isolated lab network. Never scan systems you do not own or have written permission to test.
What is the difference between scanning and enumeration in ethical hacking?
Scanning is about discovery — finding which systems are alive, which ports are open, and what services are running. Enumeration goes deeper, extracting specific information like usernames, group memberships, shared folders, DNS records, and software version details from the discovered systems. Scanning maps the terrain; enumeration reads the signs. Both phases happen before any exploitation is attempted, and both feed directly into your exploitation strategy.
Can I learn ethical hacking without a computer science degree?
No degree is required. Ethical hacking is a skills-based field where certifications and demonstrated hands-on ability matter far more than academic qualifications. Many of India's top penetration testers are self-taught or completed intensive training programs. What you need is curiosity, methodical thinking, and consistent lab practice. A CEH or OSCP certification is far more valuable to hiring managers than a generic CS degree without security-specific skills.
How long does it take to learn scanning and enumeration properly?
With focused daily practice of 1–2 hours, most students achieve working proficiency in scanning and enumeration within 4–6 weeks. This means running structured Nmap scans, enumerating SMB/DNS/SNMP services, and producing vulnerability reports using Nessus or OpenVAS. Interview-level confidence — including explaining findings to a non-technical audience — typically develops in 8–10 weeks of structured training.