
nmap-recon

Network reconnaissance and port scanning using Nmap.


Installation

npx clawhub@latest install nmap-recon


Documentation

Nmap Recon

Network reconnaissance and port scanning using Nmap. Use when asked to scan a target, find open ports, detect services, check for vulnerabilities, or perform network reconnaissance.

Triggers

  • "scan [target]", "port scan", "nmap", "what ports are open", "recon [target]", "service detection", "vulnerability scan"

Requirements

  • nmap must be installed (standard on Kali, available via package managers)
  • Root/sudo for SYN scans (-sS), UDP scans (-sU) and OS detection (-O); without raw-socket privileges nmap falls back to a TCP connect scan (-sT)

Usage

Quick Scan (Top 1000 ports)

nmap -sC -sV -oA scan_$(date +%Y%m%d_%H%M%S) TARGET

Full Port Scan

nmap -p- -sC -sV -oA fullscan_$(date +%Y%m%d_%H%M%S) TARGET

Fast Scan (Quick check)

nmap -F -T4 TARGET

Stealth SYN Scan (requires root)

sudo nmap -sS -sV -O -oA stealth_$(date +%Y%m%d_%H%M%S) TARGET

-sS alone never completes the TCP handshake, but -sV then opens full connections to every open port to grab banners, so drop -sV (and use -T2) when evasion matters more than version detection.

UDP Scan (Top 100 ports)

sudo nmap -sU --top-ports 100 -oA udp_$(date +%Y%m%d_%H%M%S) TARGET

Vulnerability Scan

nmap --script vuln -oA vulnscan_$(date +%Y%m%d_%H%M%S) TARGET

Aggressive Scan (OS, version, scripts, traceroute)

nmap -A -T4 -oA aggressive_$(date +%Y%m%d_%H%M%S) TARGET

Output Parsing

Nmap outputs in multiple formats with -oA:

  • .nmap - Human readable

  • .xml - Machine parseable

  • .gnmap - Greppable format


Parse open ports from greppable output (each host's "Ports:" field holds comma-separated port/state/proto//service//version/ entries, so match the port/open/proto triple directly; this merges ports across all hosts in the file):

grep -oE '[0-9]+/open/(tcp|udp)' scan.gnmap | cut -d/ -f1 | sort -un

Extract service versions (normal output lines read "port/proto state service version ..."; the version usually spans several words, so print everything after the third column instead of only $4):

grep -E "^[0-9]+/(tcp|udp) +open" scan.nmap | awk '{ port=$1; svc=$3; $1=$2=$3=""; sub(/^ +/, ""); print port, svc, $0 }'

Quick summary from XML (in nmap XML the state is a child <state> element of <port>, not an attribute, so //port[@state='open'] matches nothing):

xmllint --xpath "//port[state/@state='open']/@portid" scan.xml 2>/dev/null

Common Scan Profiles

Profile     Command                 Use Case
Quick       nmap -F -T4             Fast initial recon
Standard    nmap -sC -sV            Service detection + default scripts
Full        nmap -p- -sC -sV        All 65535 ports
Stealth     sudo nmap -sS -T2       Evasive scanning
Vuln        nmap --script vuln      Vulnerability detection
Aggressive  nmap -A -T4             Full enumeration

Script Categories

# List available scripts
ls /usr/share/nmap/scripts/

# Run a category (safe and default are non-intrusive; vuln, exploit and auth
# actively probe services and can crash fragile ones)
nmap --script=default,safe TARGET
nmap --script=vuln TARGET
nmap --script=exploit TARGET
nmap --script=auth TARGET

# Run specific scripts (quote wildcards so the shell does not expand them
# against files in the current directory)
nmap --script=http-title TARGET
nmap --script="smb-vuln*" TARGET

Target Specification

# Single host
nmap 192.168.1.1

# CIDR range
nmap 192.168.1.0/24

# Range
nmap 192.168.1.1-254

# From file
nmap -iL targets.txt

# Exclude hosts
nmap 192.168.1.0/24 --exclude 192.168.1.1

Timing Templates

  • -T0 Paranoid (IDS evasion)
  • -T1 Sneaky (IDS evasion)
  • -T2 Polite (slow)
  • -T3 Normal (default)
  • -T4 Aggressive (fast)
  • -T5 Insane (very fast, may miss ports)

Authorization Required

⚠️ Only scan targets you own or have explicit written authorization to test.

Never scan:

  • Public infrastructure without permission

  • Networks you don't control

  • Production systems without approval


Example Workflow

# 1. Host discovery (ping sweep) to find live hosts
nmap -sn 192.168.1.0/24 -oA live_hosts

# 2. Fast port scan on discovered hosts
#    -iL expects one target per line, not the .gnmap file itself, so pull the
#    addresses marked "Status: Up" out of it first
awk '/^Host:/ && /Status: Up/ { print $2 }' live_hosts.gnmap | sort -u > live_hosts.txt
nmap -F -T4 -iL live_hosts.txt -oA quick_ports

# 3. Deep scan interesting hosts
nmap -p- -sC -sV -oA deep_scan TARGET

# 4. Vulnerability scan (the vuln category includes intrusive scripts; see
#    Authorization Required)
nmap --script vuln -oA vuln_scan TARGET
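The following script is an added example, not part of the nmap-recon skill. It serves both the Output Parsing section and the Example Workflow above: two small awk parsers turn the .gnmap files nmap writes with -oA into host lists and "host port/proto service version" lines, and a workflow function chains the four steps so that step 2 receives real targets (one address per line) through -iL. The function names are illustrative, nmap is assumed to be on PATH only for recon_workflow, and the sample .gnmap content is constructed here rather than taken from a real scan.

```shell
#!/bin/sh
# Added example (not the skill's own code): parse nmap greppable output and
# glue the recon workflow together. Function names are illustrative.

# Print each host marked "Status: Up" in a .gnmap file, one per line.
# With default awk field splitting, $1 is "Host:" and $2 is the address.
gnmap_up_hosts() {
  awk '/^Host:/ && /Status: Up/ { print $2 }' "$1" | sort -u
}

# Print "host port/proto service version" for every open port in a .gnmap file.
# gnmap fields are tab-separated; the "Ports:" field holds entries of the form
# port/state/proto/owner/service/rpcinfo/version/ separated by ", ".
gnmap_open_ports() {
  awk -F'\t' '
    /^Host:/ && /Ports:/ {
      split($1, h, " "); host = h[2]
      ports = ""
      for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) { ports = $i; break }
      sub(/^Ports: /, "", ports)
      n = split(ports, entry, ", ")
      for (i = 1; i <= n; i++) {
        split(entry[i], f, "/")
        if (f[2] != "open") continue      # skips closed, filtered, open|filtered
        ver = (f[7] == "") ? "-" : f[7]
        printf "%s %s/%s %s %s\n", host, f[1], f[3], f[5], ver
      }
    }' "$1"
}

# The four-step workflow with the parsers feeding each step into the next.
# Usage: recon_workflow 192.168.1.0/24 [output_prefix]   (assumes nmap on PATH)
recon_workflow() {
  net="$1"
  prefix="${2:-recon_$(date +%Y%m%d_%H%M%S)}"

  nmap -sn "$net" -oA "${prefix}_live"                          # 1. host discovery
  gnmap_up_hosts "${prefix}_live.gnmap" > "${prefix}_up.txt"
  [ -s "${prefix}_up.txt" ] || { echo "no live hosts in $net" >&2; return 1; }

  nmap -F -T4 -iL "${prefix}_up.txt" -oA "${prefix}_quick"      # 2. fast port scan
  gnmap_open_ports "${prefix}_quick.gnmap" | awk '{ print $1 }' | sort -u \
    > "${prefix}_interesting.txt"
  [ -s "${prefix}_interesting.txt" ] || { echo "no open ports found" >&2; return 1; }

  nmap -p- -sC -sV -iL "${prefix}_interesting.txt" -oA "${prefix}_deep"    # 3. deep scan
  nmap --script vuln -iL "${prefix}_interesting.txt" -oA "${prefix}_vuln"  # 4. vuln scripts
  gnmap_open_ports "${prefix}_deep.gnmap"
}

# Constructed sample .gnmap files (not real scan output) so the parsers can be
# exercised offline. Prints the directory they were written to.
make_sample_dir() {
  d=$(mktemp -d)
  {
    echo '# Nmap 7.94 scan initiated as: nmap -sn 192.168.1.0/24 -oA live (constructed sample)'
    printf 'Host: %s ()\tStatus: Up\n' 192.168.1.1
    printf 'Host: %s (web.lab)\tStatus: Up\n' 192.168.1.10
    printf 'Host: %s (web.lab)\tStatus: Up\n' 192.168.1.10   # duplicate on purpose
  } > "$d/live.gnmap"
  {
    printf 'Host: 192.168.1.1 ()\tPorts: 53/filtered/udp//domain///\tIgnored State: closed (99)\n'
    printf 'Host: 192.168.1.10 (web.lab)\tPorts: %s\tIgnored State: filtered (997)\n' \
      '22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.4/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///'
  } > "$d/quick.gnmap"
  echo "$d"
}

# Only touch a real network when a target is given on the command line.
if [ $# -gt 0 ]; then
  recon_workflow "$@"
fi
```

Run it as `sh recon.sh 192.168.1.0/24 lab` to execute the workflow; with no arguments it only defines the functions, so `gnmap_open_ports quick_ports.gnmap` can be used on its own against files from earlier scans. Ports reported as open|filtered (common for UDP) are deliberately excluded, since they are not confirmed open.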