Nmap Recon
Network reconnaissance and port scanning using Nmap. Use when asked to scan a target, find open ports, detect services, check for vulnerabilities, or perform network reconnaissance.
Triggers
- •"scan [target]", "port scan", "nmap", "what ports are open", "recon [target]", "service detection", "vulnerability scan"
Requirements
- •
nmapmust be installed (standard on Kali, available via package managers) - •Root/sudo for SYN scans and OS detection
Usage
Quick Scan (Top 1000 ports)
bash
nmap -sC -sV -oA scan_$(date +%Y%m%d_%H%M%S) TARGET
Full Port Scan
bash
nmap -p- -sC -sV -oA fullscan_$(date +%Y%m%d_%H%M%S) TARGET
Fast Scan (Quick check)
bash
nmap -F -T4 TARGET
Stealth SYN Scan (requires root)
bash
sudo nmap -sS -sV -O -oA stealth_$(date +%Y%m%d_%H%M%S) TARGET
UDP Scan (Top 100 ports)
bash
sudo nmap -sU --top-ports 100 -oA udp_$(date +%Y%m%d_%H%M%S) TARGET
Vulnerability Scan
bash
nmap --script vuln -oA vulnscan_$(date +%Y%m%d_%H%M%S) TARGET
Aggressive Scan (OS, version, scripts, traceroute)
bash
nmap -A -T4 -oA aggressive_$(date +%Y%m%d_%H%M%S) TARGET
Output Parsing
Nmap outputs in multiple formats with -oA:
- •
.nmap- Human readable - •
.xml- Machine parseable - •
.gnmap- Greppable format
Parse open ports from greppable output:
bash
grep "open" scan.gnmap | awk -F'[/]' '{print $1}' | tr ',' '\n' | sort -u
Extract service versions:
bash
grep -E "^[0-9]+/" scan.nmap | awk '{print $1, $3, $4}'
Quick summary from XML:
bash
xmllint --xpath "//port[@state='open']" scan.xml 2>/dev/null
Common Scan Profiles
| Profile | Command | Use Case |
|---|---|---|
| Quick | nmap -F -T4 | Fast initial recon |
| Standard | nmap -sC -sV | Service detection + default scripts |
| Full | nmap -p- -sC -sV | All 65535 ports |
| Stealth | sudo nmap -sS -T2 | Evasive scanning |
| Vuln | nmap --script vuln | Vulnerability detection |
| Aggressive | nmap -A -T4 | Full enumeration |
Script Categories
bash
# List available scripts ls /usr/share/nmap/scripts/ # Run specific category nmap --script=default,safe TARGET nmap --script=vuln TARGET nmap --script=exploit TARGET nmap --script=auth TARGET # Run specific script nmap --script=http-title TARGET nmap --script=smb-vuln* TARGET
Target Specification
bash
# Single host nmap 192.168.1.1 # CIDR range nmap 192.168.1.0/24 # Range nmap 192.168.1.1-254 # From file nmap -iL targets.txt # Exclude hosts nmap 192.168.1.0/24 --exclude 192.168.1.1
Timing Templates
- •
-T0Paranoid (IDS evasion) - •
-T1Sneaky (IDS evasion) - •
-T2Polite (slow) - •
-T3Normal (default) - •
-T4Aggressive (fast) - •
-T5Insane (very fast, may miss ports)
Authorization Required
⚠️ Only scan targets you own or have explicit written authorization to test.
Never scan:
- •Public infrastructure without permission
- •Networks you don't control
- •Production systems without approval
Example Workflow
bash
# 1. Quick scan to find live hosts nmap -sn 192.168.1.0/24 -oA live_hosts # 2. Fast port scan on discovered hosts nmap -F -T4 -iL live_hosts.gnmap -oA quick_ports # 3. Deep scan interesting hosts nmap -p- -sC -sV -oA deep_scan TARGET # 4. Vulnerability scan nmap --script vuln -oA vuln_scan TARGET