
Nmap Recon

Perform network reconnaissance and port scanning with Nmap to find open ports, detect services, identify vulnerabilities, and enumerate targets accurately.

v1.0.0

Description

Nmap Recon

Network reconnaissance and port scanning using Nmap. Use when asked to scan a target, find open ports, detect services, check for vulnerabilities, or perform network reconnaissance.

Triggers

  • "scan [target]", "port scan", "nmap", "what ports are open", "recon [target]", "service detection", "vulnerability scan"

Requirements

  • nmap must be installed (standard on Kali, available via package managers)
  • Root/sudo for SYN scans and OS detection

Usage

Quick Scan (Top 1000 ports)

nmap -sC -sV -oA scan_$(date +%Y%m%d_%H%M%S) TARGET

Full Port Scan

nmap -p- -sC -sV -oA fullscan_$(date +%Y%m%d_%H%M%S) TARGET

Fast Scan (Quick check)

nmap -F -T4 TARGET

Stealth SYN Scan (requires root)

sudo nmap -sS -sV -O -oA stealth_$(date +%Y%m%d_%H%M%S) TARGET

UDP Scan (Top 100 ports)

sudo nmap -sU --top-ports 100 -oA udp_$(date +%Y%m%d_%H%M%S) TARGET

Vulnerability Scan

nmap --script vuln -oA vulnscan_$(date +%Y%m%d_%H%M%S) TARGET

Aggressive Scan (OS, version, scripts, traceroute)

nmap -A -T4 -oA aggressive_$(date +%Y%m%d_%H%M%S) TARGET

Output Parsing

With -oA, Nmap writes the same scan to three files at once:

  • .nmap - Human readable
  • .xml - Machine parseable
  • .gnmap - Greppable format

Parse open ports from greppable output:

grep -oE '[0-9]+/open/' scan.gnmap | cut -d/ -f1 | sort -un

Extract service versions:

grep -E "^[0-9]+/(tcp|udp) +open" scan.nmap | awk '{printf "%s %s", $1, $3; for (i = 4; i <= NF; i++) printf " %s", $i; print ""}'

Quick summary from XML:

xmllint --xpath "//port[state/@state='open']/@portid" scan.xml 2>/dev/null
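The grep and xmllint one-liners above are fine for a glance, but the .xml file is the format meant for tooling. The script below is an added example, not part of the Nmap Recon skill: it walks the XML the way the xmllint XPath does (the open/closed state lives on the <state> child of each <port>, not on <port> itself) and prints one line per open port with service and version. The script name and SAMPLE_XML are assumptions; the sample is a constructed, trimmed document in the real nmap XML schema, with made-up hosts and versions, so it runs offline.

```python
# Added example, not part of the Nmap Recon skill: parse the .xml file that
# -oA writes and list open ports with service/version for each live host.
# SAMPLE_XML is a constructed, trimmed nmap XML document that follows the real
# schema (port -> state/@state, port -> service/@product); the hosts, ports and
# versions in it are made up for this demonstration.
import sys
import xml.etree.ElementTree as ET

SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oA scan 192.168.1.0/24" version="7.94">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <hostnames><hostname name="web.lab" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset" reason_ttl="64"/>
        <service name="https" method="table" conf="3"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.1.15" addrtype="ipv4"/>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="udp" portid="53">
        <state state="open" reason="udp-response" reason_ttl="64"/>
        <service name="domain" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return a list of {addr, hostname, open_ports} for every host that is up.

    open_ports holds dicts {port, proto, service, product, version}, sorted by
    protocol then port; closed/filtered ports and down hosts are skipped.
    """
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:  # fall back to whatever address element exists
            addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        name_el = host.find("hostnames/hostname")
        hostname = name_el.get("name") if name_el is not None else ""
        open_ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            svc_attr = svc.attrib if svc is not None else {}
            open_ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc_attr.get("name", ""),
                "product": svc_attr.get("product", ""),
                "version": svc_attr.get("version", ""),
            })
        open_ports.sort(key=lambda p: (p["proto"], p["port"]))
        hosts.append({"addr": addr, "hostname": hostname, "open_ports": open_ports})
    return hosts


def open_port_summary(hosts):
    """One line per open port: 'addr port/proto service product version'."""
    lines = []
    for h in hosts:
        for p in h["open_ports"]:
            ver = " ".join(x for x in (p["product"], p["version"]) if x)
            lines.append(f"{h['addr']} {p['port']}/{p['proto']} {p['service']} {ver}".rstrip())
    return lines


if __name__ == "__main__":
    # Usage: python3 nmap_xml_summary.py scan.xml   (no argument -> built-in sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_XML
    for line in open_port_summary(parse_nmap_xml(text)):
        print(line)
```

Run it against any scan.xml produced by the commands above; on the built-in sample it reports 22/tcp and 80/tcp on 192.168.1.10 and 53/udp on 192.168.1.20, and drops the down host and the closed 443. Filtering on the <state> child matters: an XPath or parser that tests a state attribute on <port> silently returns nothing.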

Common Scan Profiles

Profile     Command             Use Case
Quick       nmap -F -T4         Fast initial recon
Standard    nmap -sC -sV        Service detection + default scripts
Full        nmap -p- -sC -sV    All 65535 ports
Stealth     sudo nmap -sS -T2   Evasive scanning
Vuln        nmap --script vuln  Vulnerability detection
Aggressive  nmap -A -T4         Full enumeration

Script Categories

# List available scripts
ls /usr/share/nmap/scripts/

# Run specific category
nmap --script=default,safe TARGET
nmap --script=vuln TARGET
nmap --script=exploit TARGET
nmap --script=auth TARGET

# Run specific script
nmap --script=http-title TARGET
nmap --script="smb-vuln*" TARGET   # quote the wildcard so the shell does not expand it

Target Specification

# Single host
nmap 192.168.1.1

# CIDR range
nmap 192.168.1.0/24

# Range
nmap 192.168.1.1-254

# From file
nmap -iL targets.txt

# Exclude hosts
nmap 192.168.1.0/24 --exclude 192.168.1.1

Timing Templates

  • -T0 Paranoid (IDS evasion)
  • -T1 Sneaky (IDS evasion)
  • -T2 Polite (slow)
  • -T3 Normal (default)
  • -T4 Aggressive (fast)
  • -T5 Insane (very fast, may miss ports)

Authorization Required

⚠️ Only scan targets you own or have explicit written authorization to test.

Never scan:

  • Public infrastructure without permission
  • Networks you don't control
  • Production systems without approval

Example Workflow

# 1. Quick scan to find live hosts
nmap -sn 192.168.1.0/24 -oA live_hosts

# 2. Fast port scan on discovered hosts
#    -iL expects one host per line, so pull the "Up" addresses out of the gnmap first
grep "Status: Up" live_hosts.gnmap | awk '{print $2}' > live.txt
nmap -F -T4 -iL live.txt -oA quick_ports

# 3. Deep scan interesting hosts
nmap -p- -sC -sV -oA deep_scan TARGET

# 4. Vulnerability scan
nmap --script vuln -oA vuln_scan TARGET
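The hand-off between steps 1 and 2 is where this workflow usually breaks: -iL wants a plain address list, not a .gnmap file. The script below is an added example, not part of the Nmap Recon skill: it parses the greppable output from step 1 into a target list for step 2 and tabulates open ports from the step 2 output. The script name and both sample strings are assumptions; the samples are constructed gnmap text in the real field layout (tab-separated "Host:", "Status:" and "Ports:" fields, each port entry being portid/state/protocol/owner/service/rpcinfo/version/) with made-up addresses and services.

```python
# Added example, not part of the Nmap Recon skill: read the .gnmap files the
# workflow above produces, turn step 1's host discovery into the one-host-per-
# line list that -iL in step 2 expects, and tabulate open ports per host.
# Both sample strings are constructed gnmap output in the real field layout
# (tab-separated "Host:", "Status:"/"Ports:" fields; each port entry is
# portid/state/protocol/owner/service/rpcinfo/version/); the addresses and
# services are made up.
import ipaddress
import re
import sys

LIVE_HOSTS_GNMAP = """# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sn -oA live_hosts 192.168.1.0/24
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.1 (router.lab)\tStatus: Up
Host: 192.168.1.15 ()\tStatus: Down
# Nmap done at Mon Jan  1 12:00:03 2024 -- 256 IP addresses (2 hosts up) scanned in 3.21 seconds
"""

QUICK_PORTS_GNMAP = """# Nmap 7.94 scan initiated Mon Jan  1 12:05:00 2024 as: nmap -F -T4 -sV -oA quick_ports -iL live.txt
Host: 192.168.1.1 (router.lab)\tStatus: Up
Host: 192.168.1.1 (router.lab)\tPorts: 53/open/tcp//domain//dnsmasq 2.89/, 80/open/tcp//http//lighttpd 1.4.71/, 443/closed/tcp//https///\tIgnored State: filtered (97)
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/\tIgnored State: closed (98)
# Nmap done at Mon Jan  1 12:05:40 2024 -- 2 IP addresses (2 hosts up) scanned in 40.12 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \((.*?)\)")


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "up": bool, "open": [(port, proto, service, version), ...]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # "# Nmap ..." comment and summary lines
        ip, name = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"hostname": name, "up": False, "open": []})
        for field in line.split("\t")[1:]:
            if field.startswith("Status: "):
                entry["up"] = field[len("Status: "):] == "Up"
            elif field.startswith("Ports: "):
                for item in field[len("Ports: "):].split(", "):
                    parts = item.split("/")
                    # keep only open ports; closed/filtered entries are noise here
                    if len(parts) < 7 or parts[1] != "open":
                        continue
                    entry["open"].append((int(parts[0]), parts[2], parts[4], parts[6]))
    return hosts


def live_targets(text):
    """IPs reported 'Up', in numeric order (ipaddress sorts .10 after .1, unlike a string sort)."""
    return sorted((ip for ip, e in parse_gnmap(text).items() if e["up"]),
                  key=ipaddress.ip_address)


def target_list(text):
    """Text ready for nmap -iL: one address per line."""
    return "".join(ip + "\n" for ip in live_targets(text))


if __name__ == "__main__":
    # Usage: python3 gnmap_targets.py live_hosts.gnmap > live.txt   (then: nmap -F -T4 -iL live.txt)
    if len(sys.argv) > 1:
        sys.stdout.write(target_list(open(sys.argv[1], encoding="utf-8").read()))
    else:
        sys.stdout.write(target_list(LIVE_HOSTS_GNMAP))
        for ip, e in parse_gnmap(QUICK_PORTS_GNMAP).items():
            for port, proto, svc, ver in e["open"]:
                print(f"{ip} {port}/{proto} {svc} {ver}".rstrip())
```

Feed the real live_hosts.gnmap to it and redirect the output to live.txt for step 2; the same parser applied to quick_ports.gnmap gives the per-host open-port table that decides which hosts deserve the deep scan in step 3. Nmap replaces any "/" inside a version string with "|" in greppable output, which is why splitting each entry on "/" is safe.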
