| name | nmap-scanning |
| description | Use Nmap for network discovery and security scanning. Use this skill when performing host discovery, port scanning, OS detection, or vulnerability assessment on network targets. |
Nmap Scanning
Network discovery and security auditing with Nmap.
Basic Scanning
# Host discovery (ping scan)
nmap -sn 192.168.1.0/24
# TCP SYN scan (default, requires root)
sudo nmap -sS 192.168.1.1
# TCP connect scan (no root required)
nmap -sT 192.168.1.1
# UDP scan
sudo nmap -sU 192.168.1.1
# Scan specific ports
nmap -p 22,80,443 192.168.1.1
# Scan port range
nmap -p 1-1000 192.168.1.1
# Scan all ports
nmap -p- 192.168.1.1
# Top 100 most common ports
nmap --top-ports 100 192.168.1.1
Python Nmap Integration
import nmap
def basic_scan(target: str, ports: str = "1-1000") -> dict:
"""Perform basic TCP scan."""
scanner = nmap.PortScanner()
scanner.scan(target, ports, arguments='-sT')
results = {}
for host in scanner.all_hosts():
results[host] = {
'state': scanner[host].state(),
'protocols': {}
}
for proto in scanner[host].all_protocols():
results[host]['protocols'][proto] = {}
for port in scanner[host][proto].keys():
results[host]['protocols'][proto][port] = {
'state': scanner[host][proto][port]['state'],
'name': scanner[host][proto][port]['name'],
'product': scanner[host][proto][port].get('product', ''),
'version': scanner[host][proto][port].get('version', '')
}
return results
# Example
results = basic_scan('scanme.nmap.org', '22,80,443')
for host, data in results.items():
print(f"Host: {host} ({data['state']})")
for proto, ports in data['protocols'].items():
for port, info in ports.items():
print(f" {port}/{proto}: {info['state']} - {info['name']}")
Service Version Detection
# Version detection
nmap -sV 192.168.1.1
# Aggressive version detection
nmap -sV --version-intensity 5 192.168.1.1
# Light version detection (faster)
nmap -sV --version-light 192.168.1.1
def version_scan(target: str, ports: str = "1-1000") -> dict:
"""Scan with service version detection."""
scanner = nmap.PortScanner()
scanner.scan(target, ports, arguments='-sV')
services = []
for host in scanner.all_hosts():
for proto in scanner[host].all_protocols():
for port in scanner[host][proto].keys():
info = scanner[host][proto][port]
if info['state'] == 'open':
services.append({
'host': host,
'port': port,
'protocol': proto,
'service': info['name'],
'product': info.get('product', ''),
'version': info.get('version', ''),
'extrainfo': info.get('extrainfo', '')
})
return services
OS Detection
# OS detection (requires root)
sudo nmap -O 192.168.1.1
# OS detection with version detection
sudo nmap -O -sV 192.168.1.1
# Aggressive OS detection
sudo nmap -O --osscan-guess 192.168.1.1
def os_detection(target: str) -> dict:
"""Detect operating system."""
scanner = nmap.PortScanner()
scanner.scan(target, arguments='-O')
os_info = {}
for host in scanner.all_hosts():
if 'osmatch' in scanner[host]:
os_info[host] = []
for match in scanner[host]['osmatch']:
os_info[host].append({
'name': match['name'],
'accuracy': match['accuracy'],
'osclass': match.get('osclass', [])
})
return os_info
Timing and Performance
# Timing templates (T0=paranoid, T5=insane)
nmap -T4 192.168.1.1
# Set specific timing
nmap --min-rate 1000 192.168.1.1
nmap --max-retries 2 192.168.1.1
# Parallel scanning
nmap --min-parallelism 10 192.168.1.1
Script Scanning (NSE)
# Default scripts
nmap -sC 192.168.1.1
# Specific script
nmap --script=http-title 192.168.1.1
# Script category
nmap --script=vuln 192.168.1.1
nmap --script=safe 192.168.1.1
# Multiple scripts
nmap --script="http-* and not http-brute" 192.168.1.1
# Script with arguments
nmap --script=http-brute --script-args userdb=users.txt 192.168.1.1
def script_scan(target: str, scripts: str = "default") -> dict:
"""Run NSE scripts."""
scanner = nmap.PortScanner()
scanner.scan(target, arguments=f'--script={scripts}')
script_output = {}
for host in scanner.all_hosts():
script_output[host] = {}
for proto in scanner[host].all_protocols():
for port in scanner[host][proto].keys():
info = scanner[host][proto][port]
if 'script' in info:
script_output[host][port] = info['script']
return script_output
Output Formats
# Normal output
nmap -oN scan.txt 192.168.1.1
# XML output
nmap -oX scan.xml 192.168.1.1
# Grepable output
nmap -oG scan.gnmap 192.168.1.1
# All formats
nmap -oA scan 192.168.1.1
def save_scan_results(target: str, output_file: str):
"""Scan and save results in multiple formats."""
scanner = nmap.PortScanner()
scanner.scan(target, arguments='-sV -sC')
# Save XML
with open(f"{output_file}.xml", 'w') as f:
f.write(scanner.get_nmap_last_output())
# Save as JSON
import json
with open(f"{output_file}.json", 'w') as f:
results = {}
for host in scanner.all_hosts():
results[host] = dict(scanner[host])
json.dump(results, f, indent=2)
Firewall/IDS Evasion
# Fragment packets
nmap -f 192.168.1.1
# Specify MTU
nmap --mtu 24 192.168.1.1
# Decoy scan
nmap -D decoy1,decoy2,ME 192.168.1.1
# Idle scan
nmap -sI zombie_host 192.168.1.1
# Source port manipulation
nmap --source-port 53 192.168.1.1
Common Scan Profiles
SCAN_PROFILES = {
'quick': '-T4 -F',
'full': '-T4 -p- -sV',
'stealth': '-sS -T2 -f --data-length 200',
'comprehensive': '-sS -sV -sC -O -T4',
'vuln': '-sV --script=vuln',
'web': '-sV -p 80,443,8080,8443 --script=http-*',
}
def profile_scan(target: str, profile: str) -> dict:
"""Scan using predefined profile."""
scanner = nmap.PortScanner()
args = SCAN_PROFILES.get(profile, SCAN_PROFILES['quick'])
scanner.scan(target, arguments=args)
return {host: dict(scanner[host]) for host in scanner.all_hosts()}