Nmap Recon

Network reconnaissance and port scanning using Nmap. Use when asked to scan a target, find open ports, detect services, check for vulnerabilities, or perform network reconnaissance.

Triggers

"scan [target]", "port scan", "nmap", "what ports are open", "recon [target]", "service detection", "vulnerability scan"

Requirements

```
nmap
```
must be installed (standard on Kali, available via package managers)
Root/sudo for SYN scans and OS detection

Usage

Quick Scan (Top 1000 ports)

nmap -sC -sV -oA scan_$(date +%Y%m%d_%H%M%S) TARGET

Full Port Scan

nmap -p- -sC -sV -oA fullscan_$(date +%Y%m%d_%H%M%S) TARGET

Fast Scan (Quick check)

nmap -F -T4 TARGET

Stealth SYN Scan (requires root)

sudo nmap -sS -sV -O -oA stealth_$(date +%Y%m%d_%H%M%S) TARGET

UDP Scan (Top 100 ports)

sudo nmap -sU --top-ports 100 -oA udp_$(date +%Y%m%d_%H%M%S) TARGET

Vulnerability Scan

nmap --script vuln -oA vulnscan_$(date +%Y%m%d_%H%M%S) TARGET

Aggressive Scan (OS, version, scripts, traceroute)

nmap -A -T4 -oA aggressive_$(date +%Y%m%d_%H%M%S) TARGET

Output Parsing

Nmap outputs in multiple formats with

-oA

```
.nmap
```
- Human readable
```
.xml
```
- Machine parseable
```
.gnmap
```
- Greppable format

Parse open ports from greppable output:

grep "open" scan.gnmap | awk -F'[/]' '{print $1}' | tr ',' '\n' | sort -u

Extract service versions:

grep -E "^[0-9]+/" scan.nmap | awk '{print $1, $3, $4}'

Quick summary from XML:

xmllint --xpath "//port[@state='open']" scan.xml 2>/dev/null

Common Scan Profiles

Profile	Command	Use Case
Quick	`nmap -F -T4`	Fast initial recon
Standard	`nmap -sC -sV`	Service detection + default scripts
Full	`nmap -p- -sC -sV`	All 65535 ports
Stealth	`sudo nmap -sS -T2`	Evasive scanning
Vuln	`nmap --script vuln`	Vulnerability detection
Aggressive	`nmap -A -T4`	Full enumeration

Script Categories

# List available scripts
ls /usr/share/nmap/scripts/
Run specific category
nmap --script=default,safe TARGET
nmap --script=vuln TARGET
nmap --script=exploit TARGET
nmap --script=auth TARGET
Run specific script

nmap --script=http-title TARGET
nmap --script=smb-vuln* TARGET

Target Specification

# Single host
nmap 192.168.1.1
CIDR range
nmap 192.168.1.0/24
Range
nmap 192.168.1.1-254
From file
nmap -iL targets.txt
Exclude hosts

nmap 192.168.1.0/24 --exclude 192.168.1.1

Timing Templates

```
-T0
```
Paranoid (IDS evasion)
```
-T1
```
Sneaky (IDS evasion)
```
-T2
```
Polite (slow)
```
-T3
```
Normal (default)
```
-T4
```
Aggressive (fast)
```
-T5
```
Insane (very fast, may miss ports)

Authorization Required

⚠️ Only scan targets you own or have explicit written authorization to test.

Never scan:

Public infrastructure without permission
Networks you don't control
Production systems without approval

Example Workflow

# 1. Quick scan to find live hosts
nmap -sn 192.168.1.0/24 -oA live_hosts
2. Fast port scan on discovered hosts
nmap -F -T4 -iL live_hosts.gnmap -oA quick_ports
3. Deep scan interesting hosts
nmap -p- -sC -sV -oA deep_scan TARGET
4. Vulnerability scan

nmap --script vuln -oA vuln_scan TARGET

Nmap Recon

AI Skill Market Insights

Be Part of the 0+ Developer Community

Nmap Recon

Triggers

Requirements

Usage

Quick Scan (Top 1000 ports)

Full Port Scan

Fast Scan (Quick check)

Stealth SYN Scan (requires root)

UDP Scan (Top 100 ports)

Vulnerability Scan

Aggressive Scan (OS, version, scripts, traceroute)

Output Parsing

Parse open ports from greppable output:

Extract service versions:

Quick summary from XML:

Common Scan Profiles

Script Categories

Run specific category

Run specific script

Target Specification

CIDR range

Range

From file

Exclude hosts

Timing Templates

Authorization Required

Example Workflow

2. Fast port scan on discovered hosts

3. Deep scan interesting hosts

4. Vulnerability scan

Quick Start

Manual Installation

TEAR & SHARE

Tags

Channels

Learn

Compare

Company