Introduction
Welcome to this hands-on lab on network enumeration and access. In the field of cybersecurity, the first step to assessing a system's security is understanding what services it exposes to the network. This process is called enumeration.
In this lab, you will simulate the initial phases of a penetration test. You will start by confirming connectivity to a target machine. Then, you will use nmap, a powerful network scanning tool, to discover open ports and identify running services. Finally, you will exploit a weakly configured Telnet service to gain access to the target system and retrieve a hidden flag. This exercise will provide you with fundamental skills in network reconnaissance and exploitation.
Upon completion, you will understand how to:
- Verify network connectivity using ping.
- Scan for open ports and services using nmap.
- Connect to a Telnet service.
- Exploit a simple misconfiguration to gain system access.
Let's begin.
Verify Connectivity to Target with Ping
In this step, you will begin the reconnaissance phase by verifying connectivity to the target system. The ping command is a fundamental network utility used to test if a host is reachable on an IP network. It sends ICMP Echo Request packets to the target and waits for ICMP Echo Reply packets.
Your environment has been pre-configured with a target system accessible via the hostname target.
Run the following command in the terminal to send four packets to the target and confirm it is online:
ping -c 4 target
You should see output similar to the following, indicating that the target is responding and the connection is stable. The exact IP address and time values may vary.
PING target (172.17.0.2) 56(84) bytes of data.
64 bytes from target (172.17.0.2): icmp_seq=1 ttl=64 time=0.086 ms
64 bytes from target (172.17.0.2): icmp_seq=2 ttl=64 time=0.064 ms
64 bytes from target (172.17.0.2): icmp_seq=3 ttl=64 time=0.063 ms
64 bytes from target (172.17.0.2): icmp_seq=4 ttl=64 time=0.064 ms
--- target ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3069ms
rtt min/avg/max/mdev = 0.063/0.069/0.086/0.010 ms
Once you see the successful replies, you can be confident that your machine can communicate with the target.
Scan Open Ports with Nmap
In this step, you will use nmap to perform a port scan on the target. Nmap (Network Mapper) is an essential tool for network discovery and security auditing. By scanning for open ports, you can identify which services are running on the target, which is a crucial step in finding potential vulnerabilities.
Execute the following command in your terminal:
nmap target
Nmap will now scan the target machine. After a few moments, it will display a report of its findings. The output should look similar to this:
Starting Nmap 7.80 ( https://nmap.org ) at 2025-09-12 10:54 CST
Nmap scan report for target (172.17.0.2)
Host is up (0.00011s latency).
Other addresses for target (not scanned): 172.17.0.2 172.17.0.2 172.17.0.2 172.17.0.2
Not shown: 999 closed ports
PORT STATE SERVICE
23/tcp open telnet
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
Observe the output carefully. Nmap has found that port 23/tcp is open and is running the telnet service. This is our entry point for the next step.
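To turn the scan report into an automated check rather than a manual read, the following script (an added example, not part of the lab) parses the PORT/STATE/SERVICE table from normal-format nmap output and flags open ports whose service carries credentials in cleartext. The list of flagged service names and the sample scan text are constructed assumptions, modelled on the output shown above.

```shell
#!/bin/sh
# Added example: flag cleartext legacy services in normal-format nmap output.
# Reads the PORT/STATE/SERVICE table on stdin and prints "port service" for
# every open port whose service transmits credentials unencrypted.
# The set of service names below is an assumption, not something the lab states.
flag_cleartext_services() {
    awk '
        # Rows of the port table look like "23/tcp open telnet"
        /^[0-9]+\/(tcp|udp)[[:space:]]+open[[:space:]]/ {
            svc = $3
            if (svc == "telnet" || svc == "ftp" || svc == "rlogin" ||
                svc == "rsh"    || svc == "pop3" || svc == "imap")
                print $1, svc
        }'
}

# Succeeds only when the supplied scan text contains no flagged service.
scan_is_clean() {
    [ -z "$(printf '%s\n' "$1" | flag_cleartext_services)" ]
}

# Constructed sample, modelled on the scan report shown in this step
# with two extra ports added so the filter has something to ignore.
SAMPLE_SCAN='Starting Nmap 7.80 ( https://nmap.org ) at 2025-09-12 10:54 CST
Nmap scan report for target (172.17.0.2)
Host is up (0.00011s latency).
Not shown: 997 closed ports
PORT    STATE  SERVICE
22/tcp  open   ssh
23/tcp  open   telnet
80/tcp  open   http
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds'

# Prints "23/tcp telnet" for the sample; in practice pipe "nmap target" into it.
printf '%s\n' "$SAMPLE_SCAN" | flag_cleartext_services
```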
Connect to Target via Telnet
In this step, you will attempt to connect to the open Telnet port you discovered. Telnet is an old and insecure protocol that provides a command-line interface to a remote host. Its main vulnerability is that it transmits all data, including usernames and passwords, in cleartext. We will try to exploit a common misconfiguration: an account with a blank password.
Run the telnet command to connect to the target:
telnet target
You will be connected to the Telnet service and prompted for a username.
Trying 172.17.0.2...
Connected to target.
Escape character is '^]'.
target login:
The system is asking for a login. A common practice in penetration testing is to try default or common usernames. Let's try root. Type root at the login prompt and press Enter. Since the system may be misconfigured to allow a blank password, do not enter a password and simply press Enter again if prompted.
target login: root
If successful, you will be logged in and presented with a shell prompt, such as #. This indicates you have gained administrative access to the target system.
/ #
You are now inside the target system's shell.
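From the defender's side, the misconfiguration just exploited is visible in the password database: an account whose second field in /etc/shadow is empty accepts a login with no password. The script below (an added example, not part of the lab) audits a shadow-format file and classifies each account as blank, locked or hashed. The sample file contents are constructed, and the hash shown in it is a placeholder, not a real password hash.

```shell
#!/bin/sh
# Added example: audit a shadow-format file for accounts with a blank password.
# Field 2 of each line holds the password hash. An empty field means any login
# succeeds without a password; a field starting with "!" or "*" is locked.
# Takes a file path so it can be run against a constructed sample or, as root,
# against /etc/shadow itself.
audit_shadow() {
    awk -F: '{
        if ($2 == "")            status = "BLANK"
        else if ($2 ~ /^[!*]/)   status = "locked"
        else                     status = "hashed"
        print $1, status
    }' "$1"
}

# Prints only the usernames that can log in with no password at all.
list_blank_password_accounts() {
    audit_shadow "$1" | awk '$2 == "BLANK" { print $1 }'
}

# Constructed sample shadow file; the "alice" hash is a placeholder string.
SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_SHADOW"' EXIT
cat > "$SAMPLE_SHADOW" <<'EOF'
root::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$saltsalt$PLACEHOLDER_NOT_A_REAL_HASH:19000:0:99999:7:::
guest::19000:0:99999:7:::
EOF

# Prints "root" and "guest" for the sample, the two accounts the Telnet
# login step above would accept with an empty password.
list_blank_password_accounts "$SAMPLE_SHADOW"
```

Any account reported as BLANK should be given a strong password or locked with passwd -l before the host exposes a login service.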
Explore Target System and Locate Flag
In this step, having successfully gained access to the target system, your final task is to explore the filesystem and find the flag. This simulates the post-exploitation phase where an attacker looks for sensitive information.
You are currently in the root directory (/) of the target machine. Use the ls command to list the files and directories in your current location.
ls
You should see a list of files. Look for a file named flag.txt.
/ # ls
bin dev etc flag.txt home root usr
/ #
Now that you've located the file, use the cat command to display its contents. This will reveal the flag.
cat flag.txt
The terminal will display the flag value.
/ # cat flag.txt
labex{d3adb33f_p0rt_sc4nn1ng_m4st3ry}
/ #
Congratulations! You have successfully enumerated, accessed, and retrieved the flag from the target system. Copy the flag value to complete the lab. To exit the Telnet session, you can type exit and press Enter.
Summary
In this lab, you completed a basic penetration testing workflow from reconnaissance to gaining access. You learned how to:
- Use ping to confirm a target is online and reachable.
- Employ nmap -sV to perform a port scan, identifying open ports and the services running on them.
- Identify and connect to an insecure Telnet service.
- Exploit a common misconfiguration (a user with a blank password) to gain shell access to a remote system.
- Navigate the target's filesystem to find and retrieve sensitive information (the flag).
This exercise highlights the importance of network security fundamentals. Services like Telnet should not be exposed to the internet, and all accounts must be protected with strong, unique passwords. By understanding how attackers operate, you are better equipped to defend your own systems.