Nmap Recon
by @nsahal
Perform network reconnaissance and port scanning with Nmap to find open ports, detect services, identify vulnerabilities, and enumerate targets accurately.
clawhub install nmap-reconπ About This Skill
Nmap Recon
Network reconnaissance and port scanning using Nmap. Use when asked to scan a target, find open ports, detect services, check for vulnerabilities, or perform network reconnaissance.
Triggers
Requirements
nmap must be installed (standard on Kali, available via package managers)Usage
Quick Scan (Top 1000 ports)
nmap -sC -sV -oA scan_$(date +%Y%m%d_%H%M%S) TARGET
Full Port Scan
nmap -p- -sC -sV -oA fullscan_$(date +%Y%m%d_%H%M%S) TARGET
Fast Scan (Quick check)
nmap -F -T4 TARGET
Stealth SYN Scan (requires root)
sudo nmap -sS -sV -O -oA stealth_$(date +%Y%m%d_%H%M%S) TARGET
UDP Scan (Top 100 ports)
sudo nmap -sU --top-ports 100 -oA udp_$(date +%Y%m%d_%H%M%S) TARGET
Vulnerability Scan
nmap --script vuln -oA vulnscan_$(date +%Y%m%d_%H%M%S) TARGET
Aggressive Scan (OS, version, scripts, traceroute)
nmap -A -T4 -oA aggressive_$(date +%Y%m%d_%H%M%S) TARGET
Output Parsing
Nmap outputs in multiple formats with -oA:
.nmap - Human readable.xml - Machine parseable.gnmap - Greppable formatParse open ports from greppable output:
grep "open" scan.gnmap | awk -F'[/]' '{print $1}' | tr ',' '\n' | sort -u
Extract service versions:
grep -E "^[0-9]+/" scan.nmap | awk '{print $1, $3, $4}'
Quick summary from XML:
xmllint --xpath "//port[@state='open']" scan.xml 2>/dev/null
Common Scan Profiles
| Profile | Command | Use Case |
|---------|---------|----------|
| Quick | nmap -F -T4 | Fast initial recon |
| Standard | nmap -sC -sV | Service detection + default scripts |
| Full | nmap -p- -sC -sV | All 65535 ports |
| Stealth | sudo nmap -sS -T2 | Evasive scanning |
| Vuln | nmap --script vuln | Vulnerability detection |
| Aggressive | nmap -A -T4 | Full enumeration |
Script Categories
# List available scripts
ls /usr/share/nmap/scripts/Run specific category
nmap --script=default,safe TARGET
nmap --script=vuln TARGET
nmap --script=exploit TARGET
nmap --script=auth TARGETRun specific script
nmap --script=http-title TARGET
nmap --script=smb-vuln* TARGET
Target Specification
# Single host
nmap 192.168.1.1CIDR range
nmap 192.168.1.0/24Range
nmap 192.168.1.1-254From file
nmap -iL targets.txtExclude hosts
nmap 192.168.1.0/24 --exclude 192.168.1.1
Timing Templates
-T0 Paranoid (IDS evasion)-T1 Sneaky (IDS evasion)-T2 Polite (slow)-T3 Normal (default)-T4 Aggressive (fast)-T5 Insane (very fast, may miss ports)Authorization Required
β οΈ Only scan targets you own or have explicit written authorization to test.
Never scan:
Example Workflow
# 1. Quick scan to find live hosts
nmap -sn 192.168.1.0/24 -oA live_hosts2. Fast port scan on discovered hosts
nmap -F -T4 -iL live_hosts.gnmap -oA quick_ports3. Deep scan interesting hosts
nmap -p- -sC -sV -oA deep_scan TARGET4. Vulnerability scan
nmap --script vuln -oA vuln_scan TARGET
π‘ Examples
Quick Scan (Top 1000 ports)
nmap -sC -sV -oA scan_$(date +%Y%m%d_%H%M%S) TARGET
Full Port Scan
nmap -p- -sC -sV -oA fullscan_$(date +%Y%m%d_%H%M%S) TARGET
Fast Scan (Quick check)
nmap -F -T4 TARGET
Stealth SYN Scan (requires root)
sudo nmap -sS -sV -O -oA stealth_$(date +%Y%m%d_%H%M%S) TARGET
UDP Scan (Top 100 ports)
sudo nmap -sU --top-ports 100 -oA udp_$(date +%Y%m%d_%H%M%S) TARGET
Vulnerability Scan
nmap --script vuln -oA vulnscan_$(date +%Y%m%d_%H%M%S) TARGET
Aggressive Scan (OS, version, scripts, traceroute)
nmap -A -T4 -oA aggressive_$(date +%Y%m%d_%H%M%S) TARGET