Nmap Scan - Professional Network Reconnaissance
You are helping the user perform professional network reconnaissance and port scanning using nmap. This skill provides guidance for various scan types, output formats, and result analysis.
Output Directory
Directory Structure
nmap-output/ ├── nmap-portscan.nmap # Initial fast port discovery ├── nmap-portscan.xml ├── nmap-portscan.gnmap ├── nmap-services.nmap # Detailed service detection on open ports ├── nmap-services.xml └── nmap-services.gnmap
IMPORTANT: Always save nmap output to an organized directory structure. By default, use ./nmap-output/ or specify a custom directory.
Default Scanning Strategy
IMPORTANT: Unless the user explicitly requests a different scan type, ALWAYS use this two-phase approach:
Phase 1: Fast Port Discovery (Root SYN Scan)
sudo nmap -p- <target> -oA <output-dir>/nmap-portscan
-
Why sudo: Running as root enables fast SYN scan (-sS is implicit)
-
Why -p-: Scans all 65535 ports quickly
-
Duration: Typically 1-3 minutes for SYN scan
-
Output: List of all open ports
Host Down Detection: If the scan output contains "Note: Host seems down", automatically retry with:
sudo nmap -p- -Pn <target> -oA <output-dir>/nmap-portscan
-
-Pn : Skip host discovery, treat host as online
-
Use this when firewalls block ping probes
Phase 2: Targeted Service Detection
After Phase 1 completes, parse the open ports and run:
nmap -p <OPEN_PORT_LIST> -sV -sC <target> -oA <output-dir>/nmap-services
-
-p <OPEN_PORT_LIST> : Only scan the ports found to be open (e.g., -p 23,80,443,554,8000 )
-
-sV : Service version detection
-
-sC : Run default NSE scripts for additional enumeration
-
Duration: Usually 1-3 minutes since only scanning known open ports
Why This Strategy?
-
Speed: Fast SYN scan finds all open ports in 1-3 minutes
-
Thoroughness: Covers all 65535 ports, not just top 1000
-
Efficiency: Service detection only runs on confirmed open ports
-
Accuracy: Two-phase approach reduces false negatives
Parsing Open Ports
After Phase 1, extract open ports using:
Extract open ports from .gnmap file
grep "Ports:" <output-dir>/nmap-portscan.gnmap | sed 's/.*Ports: //g' | sed 's|/|\n|g' | grep "open" | cut -d'/' -f1 | tr '\n' ',' | sed 's/,$//'
Or parse from .nmap file:
grep "^[0-9]" <output-dir>/nmap-portscan.nmap | grep "open" | cut -d'/' -f1 | tr '\n' ',' | sed 's/,$//'
Implementation Workflow
When the nmap-scan skill is invoked:
Create output directory
OUTPUT_DIR="./nmap-output" mkdir -p "$OUTPUT_DIR"
Run Phase 1: Fast port discovery
sudo nmap -p- <target> -oA "$OUTPUT_DIR/nmap-portscan"
Check for "Host seems down" error
if grep -q "Host seems down" "$OUTPUT_DIR/nmap-portscan.nmap"; then echo "Host appears down, retrying with -Pn flag..." sudo nmap -p- -Pn <target> -oA "$OUTPUT_DIR/nmap-portscan" fi
Parse open ports from results
OPEN_PORTS=$(grep "^[0-9]" "$OUTPUT_DIR/nmap-portscan.nmap" | grep "open" | cut -d'/' -f1 | tr '\n' ',' | sed 's/,$//')
Run Phase 2: Service detection on open ports
if [ -n "$OPEN_PORTS" ]; then nmap -p "$OPEN_PORTS" -sV -sC <target> -oA "$OUTPUT_DIR/nmap-services" else echo "No open ports found, skipping service detection." fi
Report results location
echo "Scan complete. Results saved to: $OUTPUT_DIR"
Scan Types
Quick Scan (Top 1000 Ports)
Use for initial reconnaissance or when time is limited:
nmap -sV -sC <target> -oA <output-prefix>
-
-sV : Service version detection
-
-sC : Run default NSE scripts
-
-oA : Output in all formats (normal, XML, grepable)
-
Scans top 1000 most common ports
-
Typical duration: 1-3 minutes
Comprehensive Scan (All Ports)
Use for thorough assessment when all ports must be checked:
nmap -sV -sC -p- <target> -oA <output-prefix>
-
-p- : Scan all 65535 ports
-
Significantly longer duration (5-30+ minutes depending on target)
-
Use only when comprehensive coverage is required
Stealth SYN Scan
Use when trying to avoid detection (requires root/sudo):
sudo nmap -sS -sV -sC <target> -oA <output-prefix>
-
-sS : SYN stealth scan (doesn't complete TCP handshake)
-
Less likely to be logged by target
-
Requires root privileges
UDP Scan
Use when UDP services need to be enumerated:
sudo nmap -sU --top-ports 100 <target> -oA <output-prefix>
-
-sU : UDP scan
-
--top-ports 100 : Scan top 100 UDP ports (UDP scanning is slow)
-
Common UDP services: DNS (53), SNMP (161), DHCP (67/68)
-
Very slow - use top-ports to limit scope
Aggressive Scan
Use for maximum information gathering (noisy):
nmap -A -T4 <target> -oA <output-prefix>
-
-A : Enable OS detection, version detection, script scanning, traceroute
-
-T4 : Aggressive timing template (faster but more detectable)
-
Very noisy - will be detected by IDS/IPS
-
Use only with authorization
Vulnerability Scan
Use to check for known vulnerabilities:
nmap -sV --script vuln <target> -oA <output-prefix>
-
--script vuln : Run NSE vulnerability detection scripts
-
Checks for common CVEs and misconfigurations
-
Can be noisy and trigger alerts
OS Detection
Use to identify operating system:
sudo nmap -O <target> -oA <output-prefix>
-
-O : Enable OS detection
-
Requires root privileges
-
Uses TCP/IP stack fingerprinting
Alternative Scan Types
The following scan types are available if the user explicitly requests them instead of the default two-phase strategy:
Quick Scan (Top 1000 Ports Only)
Use ONLY if user explicitly requests a quick/fast scan:
nmap -sV -sC <target> -oA <output-dir>/nmap-quick
-
-sV : Service version detection
-
-sC : Run default NSE scripts
-
-oA : Output in all formats (normal, XML, grepable)
-
Scans top 1000 most common ports ONLY
-
Typical duration: 1-3 minutes
-
Limitation: May miss services on non-standard ports
Scan Workflow
Default Workflow (Two-Phase Strategy)
Phase 1: Port Discovery
-
Run fast SYN scan: sudo nmap -p- <target> -oA <output-dir>/nmap-portscan
-
Check for "Host seems down" and retry with -Pn if needed
-
Wait for scan to complete (typically 1-3 minutes)
Phase 2: Service Detection 4. Parse open ports from Phase 1 results 5. Run targeted service detection: nmap -p <OPEN_PORTS> -sV -sC <target> -oA <output-dir>/nmap-services
- Wait for scan to complete (typically 1-3 minutes)
Phase 3: Analysis 7. Review the service detection results to determine:
-
What services are running?
-
What versions are detected?
-
Are there any interesting services (web, SSH, database, IoT protocols)?
-
Do NSE scripts reveal any issues?
Additional Targeted Scans (Optional)
Based on service detection results, run specialized scans:
If web services found (80, 443, 8080, etc.):
nmap -p 80,443,8080,8443 --script http-* <target> -oA <output-dir>/nmap-web
If SSH found:
nmap -p 22 --script ssh-* <target> -oA <output-dir>/nmap-ssh
If RTSP found (554):
nmap -p 554 --script rtsp-* <target> -oA <output-dir>/nmap-rtsp
If ONVIF/camera suspected:
nmap -p 80,554,8000,8080 --script http-methods,http-headers <target> -oA <output-dir>/nmap-onvif
Output Management
Output Formats
Always use -oA <prefix> to generate all three formats:
-
.nmap
-
Normal human-readable format
-
.xml
-
XML format for parsing/importing into tools
-
.gnmap
-
Grepable format for command-line processing
Timing and Performance
Timing Templates
Use -T<0-5> to control scan speed:
-
-T0 (Paranoid): Extremely slow, for IDS evasion
-
-T1 (Sneaky): Very slow, for IDS evasion
-
-T2 (Polite): Slow, less bandwidth intensive
-
-T3 (Normal): Default, balanced speed
-
-T4 (Aggressive): Fast, recommended for modern networks
-
-T5 (Insane): Very fast, may miss results
Default: Use -T3 or omit (default is T3) Fast scans: Use -T4 when speed is important and network can handle it Stealth: Use -T1 or -T2 for evasion
Timeout Considerations
-
Phase 1 Port Discovery (sudo nmap -p-): 180-300 seconds timeout (3-5 minutes)
-
Phase 2 Service Detection (nmap -p -sV -sC): 120-180 seconds timeout (2-3 minutes)
-
UDP scan: 600+ seconds timeout (very slow)
Network Ranges
Single Host
nmap <ip-address>
CIDR Notation
nmap 192.168.1.0/24
IP Range
nmap 192.168.1.1-254
Multiple Hosts
nmap 192.168.1.1 192.168.1.10 192.168.1.100
Exclude Hosts
nmap 192.168.1.0/24 --exclude 192.168.1.1,192.168.1.254
NSE Scripts
Common Script Categories
Authentication scripts
nmap --script auth <target>
Brute force scripts
nmap --script brute <target>
Default safe scripts
nmap -sC <target> # equivalent to --script default
Discovery scripts
nmap --script discovery <target>
Vulnerability scripts
nmap --script vuln <target>
All HTTP scripts
nmap --script "http-*" <target>
IoT-Specific Scripts
RTSP enumeration
nmap -p 554 --script rtsp-methods,rtsp-url-brute <target>
UPnP discovery
nmap -p 1900 --script upnp-info <target>
MQTT discovery
nmap -p 1883,8883 --script mqtt-subscribe <target>
Modbus enumeration
nmap -p 502 --script modbus-discover <target>
Result Analysis
Key Information to Extract
Open Ports and Services
-
What ports are open?
-
What services are running?
-
What versions are detected?
Service Fingerprints
-
Does version detection reveal outdated software?
-
Are there known vulnerabilities for detected versions?
NSE Script Results
-
Authentication issues?
-
Information disclosure?
-
Misconfigurations?
Operating System
-
What OS is running?
-
What OS version?
Parsing Nmap Output
Extract open ports:
grep "^[0-9]" nmap-output.nmap | grep "open"
Extract service versions:
grep -E "^[0-9]+/tcp.*open" nmap-output.nmap
Check for vulnerabilities in NSE output:
grep -i "vuln|cve|exploit" nmap-output.nmap
Common IoT Service Ports
When scanning IoT devices, pay special attention to:
Port Service Description
21 FTP File transfer (often misconfigured)
22 SSH Remote administration
23 Telnet Insecure remote access
80 HTTP Web interface
443 HTTPS Secure web interface
554 RTSP Video streaming
1883 MQTT IoT messaging protocol
3702 WS-Discovery ONVIF device discovery
5000 UPnP Universal Plug and Play
8000 HTTP Alt Alternative HTTP port
8080 HTTP Proxy Alternative HTTP port
8883 MQTT/TLS Secure MQTT
Best Practices
- Always Save Output
Never run nmap without saving output:
GOOD
nmap -p <ports> -sV -sC <target> -oA output/nmap-services
BAD
nmap -sV -sC <target>
- Always Use Two-Phase Strategy
Always use the default two-phase strategy unless explicitly told otherwise:
Phase 1: Fast port discovery
sudo nmap -p- <target> -oA nmap-portscan
Phase 2: Service detection on open ports
nmap -p <OPEN_PORTS> -sV -sC <target> -oA nmap-services
- Use Appropriate Timing
Match timing to your needs:
Pentest with authorization: Fast
nmap -sV -sC -T4 <target>
Red team/stealth: Slow
nmap -sV -sC -T2 <target>
- Document Scan Parameters
Always document:
-
What scan type was used?
-
What date/time was scan performed?
-
What were the scan results?
-
Any anomalies or errors?
- Respect Authorization
-
Only scan systems you have permission to scan
-
Respect scope limitations
-
Be aware of scan impact on production systems
-
Use appropriate timing to avoid DoS
Integration with IoT Testing Workflow
For IoT Pentests
-
Run default two-phase scan (port discovery + service detection)
-
Run wsdiscovery if ONVIF suspected based on open ports
-
Run onvifscan if port 80/554 open on camera
-
Run targeted HTTP scripts if web interface found
Output Directory Usage
Always save to an organized output directory:
OUTPUT_DIR="./nmap-output" mkdir -p "$OUTPUT_DIR"
Phase 1: Port discovery
sudo nmap -p- <target> -oA "$OUTPUT_DIR/nmap-portscan"
Phase 2: Service detection
nmap -p <OPEN_PORTS> -sV -sC <target> -oA "$OUTPUT_DIR/nmap-services"
Troubleshooting
Scan Taking Too Long
-
Use -T4 for faster scanning
-
Limit port range: -p 1-1000 instead of -p-
-
Use --top-ports 100 instead of all ports
No Results / Firewalled
-
Try different scan types: -sS , -sT , -sA
-
Use -Pn to skip host discovery
-
Try -f for fragmented packets
-
Consider using --source-port 53 or other trusted ports
Requires Root/Sudo
These scan types require root:
-
-sS (SYN scan)
-
-sU (UDP scan)
-
-O (OS detection)
-
Raw packet features
Permission Denied Errors
If you see "Permission denied" or "Operation not permitted":
Run with sudo
sudo nmap <options> <target>
Example Workflows
Workflow 1: Standard Single Target Scan (Default)
TARGET="192.168.1.100" OUTPUT_DIR="./nmap-output" mkdir -p "$OUTPUT_DIR"
Phase 1: Fast port discovery
sudo nmap -p- $TARGET -oA "$OUTPUT_DIR/nmap-portscan"
Check for "Host seems down"
if grep -q "Host seems down" "$OUTPUT_DIR/nmap-portscan.nmap"; then sudo nmap -p- -Pn $TARGET -oA "$OUTPUT_DIR/nmap-portscan" fi
Parse open ports
OPEN_PORTS=$(grep "^[0-9]" "$OUTPUT_DIR/nmap-portscan.nmap" | grep "open" | cut -d'/' -f1 | tr '\n' ',' | sed 's/,$//')
Phase 2: Service detection
if [ -n "$OPEN_PORTS" ]; then nmap -p "$OPEN_PORTS" -sV -sC $TARGET -oA "$OUTPUT_DIR/nmap-services" fi
Workflow 2: IoT Camera Testing
OUTPUT_DIR="./nmap-output" mkdir -p "$OUTPUT_DIR"
1. Run default two-phase scan
sudo nmap -p- 192.168.1.100 -oA "$OUTPUT_DIR/nmap-portscan" OPEN_PORTS=$(grep "^[0-9]" "$OUTPUT_DIR/nmap-portscan.nmap" | grep "open" | cut -d'/' -f1 | tr '\n' ',' | sed 's/,$//') nmap -p "$OPEN_PORTS" -sV -sC 192.168.1.100 -oA "$OUTPUT_DIR/nmap-services"
2. If ONVIF camera detected, check HTTP methods
nmap -p 80 --script http-methods 192.168.1.100 -oA "$OUTPUT_DIR/nmap-http"
3. Check RTSP service
nmap -p 554 --script rtsp-methods 192.168.1.100 -oA "$OUTPUT_DIR/nmap-rtsp"
Workflow 3: Additional UDP/OS Detection
OUTPUT_DIR="./nmap-output"
After completing default two-phase scan, optionally add:
UDP scan (top ports)
sudo nmap -sU --top-ports 100 <target> -oA "$OUTPUT_DIR/nmap-udp"
OS detection
sudo nmap -O <target> -oA "$OUTPUT_DIR/nmap-os"
Vulnerability scan
nmap -sV --script vuln <target> -oA "$OUTPUT_DIR/nmap-vuln"
Questions to Ask User
Before starting scans, clarify:
-
Target: What is the IP address or network range?
-
Scope: Single host or network range?
-
Scan Type: Use default two-phase strategy or user has specific requirements?
-
Authorization: Do you have permission to scan this target?
-
Special interests: Any specific services or ports to focus on after initial scan?
Note: Output is saved to ./nmap-output/ by default.
Success Criteria
A successful nmap scan includes:
-
Phase 1 port discovery completed without errors
-
Phase 2 service detection completed on all open ports
-
Results saved in all formats (-oA) in output directory
-
Open ports identified with service versions
-
NSE scripts executed successfully
-
Results documented and ready for analysis
-
Clear summary provided showing:
-
Number of open ports found
-
Key services detected
-
Location of output files