nmap
Professional network reconnaissance and port scanning using nmap. Supports various scan types (quick, full, UDP, stealth), service detection, vulnerability scanning, and NSE scripts. Use when you need to enumerate network services, detect versions, or perform network reconnaissance.
Best use case
nmap is best used when you need a repeatable AI agent workflow instead of a one-off prompt. It is especially useful for teams working in multi. Professional network reconnaissance and port scanning using nmap. Supports various scan types (quick, full, UDP, stealth), service detection, vulnerability scanning, and NSE scripts. Use when you need to enumerate network services, detect versions, or perform network reconnaissance.
Professional network reconnaissance and port scanning using nmap. Supports various scan types (quick, full, UDP, stealth), service detection, vulnerability scanning, and NSE scripts. Use when you need to enumerate network services, detect versions, or perform network reconnaissance.
Users should expect a more consistent workflow output, faster repeated execution, and less time spent rewriting prompts from scratch.
Practical example
Example input
Use the "nmap" skill to help with this workflow task. Context: Professional network reconnaissance and port scanning using nmap. Supports various scan types (quick, full, UDP, stealth), service detection, vulnerability scanning, and NSE scripts. Use when you need to enumerate network services, detect versions, or perform network reconnaissance.
Example output
A structured workflow result with clearer steps, more consistent formatting, and an output that is easier to reuse in the next run.
When to use this skill
- Use this skill when you want a reusable workflow rather than writing the same prompt again and again.
When not to use this skill
- Do not use this when you only need a one-off answer and do not need a reusable workflow.
- Do not use it if you cannot install or maintain the related files, repository context, or supporting tools.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/nmap/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How nmap Compares
| Feature / Agent | nmap | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Professional network reconnaissance and port scanning using nmap. Supports various scan types (quick, full, UDP, stealth), service detection, vulnerability scanning, and NSE scripts. Use when you need to enumerate network services, detect versions, or perform network reconnaissance.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Nmap Scan - Professional Network Reconnaissance
You are helping the user perform professional network reconnaissance and port scanning using nmap. This skill provides guidance for various scan types, output formats, and result analysis.
## Output Directory
### Directory Structure
```bash
nmap-output/
├── nmap-portscan.nmap # Initial fast port discovery
├── nmap-portscan.xml
├── nmap-portscan.gnmap
├── nmap-services.nmap # Detailed service detection on open ports
├── nmap-services.xml
└── nmap-services.gnmap
```
**IMPORTANT**: Always save nmap output to an organized directory structure. By default, use `./nmap-output/` or specify a custom directory.
## Default Scanning Strategy
**IMPORTANT**: Unless the user explicitly requests a different scan type, ALWAYS use this two-phase approach:
### Phase 1: Fast Port Discovery (Root SYN Scan)
```bash
sudo nmap -p- <target> -oA <output-dir>/nmap-portscan
```
- **Why sudo**: Running as root enables fast SYN scan (-sS is implicit)
- **Why -p-**: Scans all 65535 ports quickly
- **Duration**: Typically 1-3 minutes for SYN scan
- **Output**: List of all open ports
**Host Down Detection**:
If the scan output contains "Note: Host seems down", automatically retry with:
```bash
sudo nmap -p- -Pn <target> -oA <output-dir>/nmap-portscan
```
- `-Pn`: Skip host discovery, treat host as online
- Use this when firewalls block ping probes
### Phase 2: Targeted Service Detection
After Phase 1 completes, parse the open ports and run:
```bash
nmap -p <OPEN_PORT_LIST> -sV -sC <target> -oA <output-dir>/nmap-services
```
- `-p <OPEN_PORT_LIST>`: Only scan the ports found to be open (e.g., `-p 23,80,443,554,8000`)
- `-sV`: Service version detection
- `-sC`: Run default NSE scripts for additional enumeration
- **Duration**: Usually 1-3 minutes since only scanning known open ports
### Why This Strategy?
1. **Speed**: Fast SYN scan finds all open ports in 1-3 minutes
2. **Thoroughness**: Covers all 65535 ports, not just top 1000
3. **Efficiency**: Service detection only runs on confirmed open ports
4. **Accuracy**: Two-phase approach reduces false negatives
### Parsing Open Ports
After Phase 1, extract open ports using:
```bash
# Extract open ports from .gnmap file
grep "Ports:" <output-dir>/nmap-portscan.gnmap | sed 's/.*Ports: //g' | sed 's|/|\n|g' | grep "open" | cut -d'/' -f1 | tr '\n' ',' | sed 's/,$//'
```
Or parse from .nmap file:
```bash
grep "^[0-9]" <output-dir>/nmap-portscan.nmap | grep "open" | cut -d'/' -f1 | tr '\n' ',' | sed 's/,$//'
```
## Implementation Workflow
When the nmap-scan skill is invoked:
1. **Create output directory**
```bash
OUTPUT_DIR="./nmap-output"
mkdir -p "$OUTPUT_DIR"
```
2. **Run Phase 1: Fast port discovery**
```bash
sudo nmap -p- <target> -oA "$OUTPUT_DIR/nmap-portscan"
```
3. **Check for "Host seems down" error**
```bash
if grep -q "Host seems down" "$OUTPUT_DIR/nmap-portscan.nmap"; then
echo "Host appears down, retrying with -Pn flag..."
sudo nmap -p- -Pn <target> -oA "$OUTPUT_DIR/nmap-portscan"
fi
```
4. **Parse open ports from results**
```bash
OPEN_PORTS=$(grep "^[0-9]" "$OUTPUT_DIR/nmap-portscan.nmap" | grep "open" | cut -d'/' -f1 | tr '\n' ',' | sed 's/,$//')
```
5. **Run Phase 2: Service detection on open ports**
```bash
if [ -n "$OPEN_PORTS" ]; then
nmap -p "$OPEN_PORTS" -sV -sC <target> -oA "$OUTPUT_DIR/nmap-services"
else
echo "No open ports found, skipping service detection."
fi
```
6. **Report results location**
```bash
echo "Scan complete. Results saved to: $OUTPUT_DIR"
```
## Scan Types
### Quick Scan (Top 1000 Ports)
Use for initial reconnaissance or when time is limited:
```bash
nmap -sV -sC <target> -oA <output-prefix>
```
- `-sV`: Service version detection
- `-sC`: Run default NSE scripts
- `-oA`: Output in all formats (normal, XML, grepable)
- Scans top 1000 most common ports
- Typical duration: 1-3 minutes
### Comprehensive Scan (All Ports)
Use for thorough assessment when all ports must be checked:
```bash
nmap -sV -sC -p- <target> -oA <output-prefix>
```
- `-p-`: Scan all 65535 ports
- Significantly longer duration (5-30+ minutes depending on target)
- Use only when comprehensive coverage is required
### Stealth SYN Scan
Use when trying to avoid detection (requires root/sudo):
```bash
sudo nmap -sS -sV -sC <target> -oA <output-prefix>
```
- `-sS`: SYN stealth scan (doesn't complete TCP handshake)
- Less likely to be logged by target
- Requires root privileges
### UDP Scan
Use when UDP services need to be enumerated:
```bash
sudo nmap -sU --top-ports 100 <target> -oA <output-prefix>
```
- `-sU`: UDP scan
- `--top-ports 100`: Scan top 100 UDP ports (UDP scanning is slow)
- Common UDP services: DNS (53), SNMP (161), DHCP (67/68)
- Very slow - use top-ports to limit scope
### Aggressive Scan
Use for maximum information gathering (noisy):
```bash
nmap -A -T4 <target> -oA <output-prefix>
```
- `-A`: Enable OS detection, version detection, script scanning, traceroute
- `-T4`: Aggressive timing template (faster but more detectable)
- Very noisy - will be detected by IDS/IPS
- Use only with authorization
### Vulnerability Scan
Use to check for known vulnerabilities:
```bash
nmap -sV --script vuln <target> -oA <output-prefix>
```
- `--script vuln`: Run NSE vulnerability detection scripts
- Checks for common CVEs and misconfigurations
- Can be noisy and trigger alerts
### OS Detection
Use to identify operating system:
```bash
sudo nmap -O <target> -oA <output-prefix>
```
- `-O`: Enable OS detection
- Requires root privileges
- Uses TCP/IP stack fingerprinting
## Alternative Scan Types
The following scan types are available if the user explicitly requests them instead of the default two-phase strategy:
### Quick Scan (Top 1000 Ports Only)
Use ONLY if user explicitly requests a quick/fast scan:
```bash
nmap -sV -sC <target> -oA <output-dir>/nmap-quick
```
- `-sV`: Service version detection
- `-sC`: Run default NSE scripts
- `-oA`: Output in all formats (normal, XML, grepable)
- Scans top 1000 most common ports ONLY
- Typical duration: 1-3 minutes
- **Limitation**: May miss services on non-standard ports
## Scan Workflow
### Default Workflow (Two-Phase Strategy)
**Phase 1: Port Discovery**
1. Run fast SYN scan: `sudo nmap -p- <target> -oA <output-dir>/nmap-portscan`
2. Check for "Host seems down" and retry with `-Pn` if needed
3. Wait for scan to complete (typically 1-3 minutes)
**Phase 2: Service Detection**
4. Parse open ports from Phase 1 results
5. Run targeted service detection: `nmap -p <OPEN_PORTS> -sV -sC <target> -oA <output-dir>/nmap-services`
6. Wait for scan to complete (typically 1-3 minutes)
**Phase 3: Analysis**
7. Review the service detection results to determine:
- What services are running?
- What versions are detected?
- Are there any interesting services (web, SSH, database, IoT protocols)?
- Do NSE scripts reveal any issues?
### Additional Targeted Scans (Optional)
Based on service detection results, run specialized scans:
**If web services found (80, 443, 8080, etc.)**:
```bash
nmap -p 80,443,8080,8443 --script http-* <target> -oA <output-dir>/nmap-web
```
**If SSH found**:
```bash
nmap -p 22 --script ssh-* <target> -oA <output-dir>/nmap-ssh
```
**If RTSP found (554)**:
```bash
nmap -p 554 --script rtsp-* <target> -oA <output-dir>/nmap-rtsp
```
**If ONVIF/camera suspected**:
```bash
nmap -p 80,554,8000,8080 --script http-methods,http-headers <target> -oA <output-dir>/nmap-onvif
```
## Output Management
### Output Formats
Always use `-oA <prefix>` to generate all three formats:
- `.nmap` - Normal human-readable format
- `.xml` - XML format for parsing/importing into tools
- `.gnmap` - Grepable format for command-line processing
## Timing and Performance
### Timing Templates
Use `-T<0-5>` to control scan speed:
- `-T0` (Paranoid): Extremely slow, for IDS evasion
- `-T1` (Sneaky): Very slow, for IDS evasion
- `-T2` (Polite): Slow, less bandwidth intensive
- `-T3` (Normal): Default, balanced speed
- `-T4` (Aggressive): Fast, recommended for modern networks
- `-T5` (Insane): Very fast, may miss results
**Default**: Use `-T3` or omit (default is T3)
**Fast scans**: Use `-T4` when speed is important and network can handle it
**Stealth**: Use `-T1` or `-T2` for evasion
### Timeout Considerations
- Phase 1 Port Discovery (sudo nmap -p-): 180-300 seconds timeout (3-5 minutes)
- Phase 2 Service Detection (nmap -p <ports> -sV -sC): 120-180 seconds timeout (2-3 minutes)
- UDP scan: 600+ seconds timeout (very slow)
## Network Ranges
### Single Host
```bash
nmap <ip-address>
```
### CIDR Notation
```bash
nmap 192.168.1.0/24
```
### IP Range
```bash
nmap 192.168.1.1-254
```
### Multiple Hosts
```bash
nmap 192.168.1.1 192.168.1.10 192.168.1.100
```
### Exclude Hosts
```bash
nmap 192.168.1.0/24 --exclude 192.168.1.1,192.168.1.254
```
## NSE Scripts
### Common Script Categories
```bash
# Authentication scripts
nmap --script auth <target>
# Brute force scripts
nmap --script brute <target>
# Default safe scripts
nmap -sC <target> # equivalent to --script default
# Discovery scripts
nmap --script discovery <target>
# Vulnerability scripts
nmap --script vuln <target>
# All HTTP scripts
nmap --script "http-*" <target>
```
### IoT-Specific Scripts
```bash
# RTSP enumeration
nmap -p 554 --script rtsp-methods,rtsp-url-brute <target>
# UPnP discovery
nmap -p 1900 --script upnp-info <target>
# MQTT discovery
nmap -p 1883,8883 --script mqtt-subscribe <target>
# Modbus enumeration
nmap -p 502 --script modbus-discover <target>
```
## Result Analysis
### Key Information to Extract
1. **Open Ports and Services**
- What ports are open?
- What services are running?
- What versions are detected?
2. **Service Fingerprints**
- Does version detection reveal outdated software?
- Are there known vulnerabilities for detected versions?
3. **NSE Script Results**
- Authentication issues?
- Information disclosure?
- Misconfigurations?
4. **Operating System**
- What OS is running?
- What OS version?
### Parsing Nmap Output
**Extract open ports**:
```bash
grep "^[0-9]" nmap-output.nmap | grep "open"
```
**Extract service versions**:
```bash
grep -E "^[0-9]+/tcp.*open" nmap-output.nmap
```
**Check for vulnerabilities in NSE output**:
```bash
grep -i "vuln\|cve\|exploit" nmap-output.nmap
```
## Common IoT Service Ports
When scanning IoT devices, pay special attention to:
| Port | Service | Description |
|------|---------|-------------|
| 21 | FTP | File transfer (often misconfigured) |
| 22 | SSH | Remote administration |
| 23 | Telnet | Insecure remote access |
| 80 | HTTP | Web interface |
| 443 | HTTPS | Secure web interface |
| 554 | RTSP | Video streaming |
| 1883 | MQTT | IoT messaging protocol |
| 3702 | WS-Discovery | ONVIF device discovery |
| 5000 | UPnP | Universal Plug and Play |
| 8000 | HTTP Alt | Alternative HTTP port |
| 8080 | HTTP Proxy | Alternative HTTP port |
| 8883 | MQTT/TLS | Secure MQTT |
## Best Practices
### 1. Always Save Output
Never run nmap without saving output:
```bash
# GOOD
nmap -p <ports> -sV -sC <target> -oA output/nmap-services
# BAD
nmap -sV -sC <target>
```
### 2. Always Use Two-Phase Strategy
Always use the default two-phase strategy unless explicitly told otherwise:
```bash
# Phase 1: Fast port discovery
sudo nmap -p- <target> -oA nmap-portscan
# Phase 2: Service detection on open ports
nmap -p <OPEN_PORTS> -sV -sC <target> -oA nmap-services
```
### 3. Use Appropriate Timing
Match timing to your needs:
```bash
# Pentest with authorization: Fast
nmap -sV -sC -T4 <target>
# Red team/stealth: Slow
nmap -sV -sC -T2 <target>
```
### 4. Document Scan Parameters
Always document:
- What scan type was used?
- What date/time was scan performed?
- What were the scan results?
- Any anomalies or errors?
### 5. Respect Authorization
- Only scan systems you have permission to scan
- Respect scope limitations
- Be aware of scan impact on production systems
- Use appropriate timing to avoid DoS
## Integration with IoT Testing Workflow
### For IoT Pentests
1. Run default two-phase scan (port discovery + service detection)
2. Run wsdiscovery if ONVIF suspected based on open ports
3. Run onvifscan if port 80/554 open on camera
4. Run targeted HTTP scripts if web interface found
### Output Directory Usage
Always save to an organized output directory:
```bash
OUTPUT_DIR="./nmap-output"
mkdir -p "$OUTPUT_DIR"
# Phase 1: Port discovery
sudo nmap -p- <target> -oA "$OUTPUT_DIR/nmap-portscan"
# Phase 2: Service detection
nmap -p <OPEN_PORTS> -sV -sC <target> -oA "$OUTPUT_DIR/nmap-services"
```
## Troubleshooting
### Scan Taking Too Long
- Use `-T4` for faster scanning
- Limit port range: `-p 1-1000` instead of `-p-`
- Use `--top-ports 100` instead of all ports
### No Results / Firewalled
- Try different scan types: `-sS`, `-sT`, `-sA`
- Use `-Pn` to skip host discovery
- Try `-f` for fragmented packets
- Consider using `--source-port 53` or other trusted ports
### Requires Root/Sudo
These scan types require root:
- `-sS` (SYN scan)
- `-sU` (UDP scan)
- `-O` (OS detection)
- Raw packet features
### Permission Denied Errors
If you see "Permission denied" or "Operation not permitted":
```bash
# Run with sudo
sudo nmap <options> <target>
```
## Example Workflows
### Workflow 1: Standard Single Target Scan (Default)
```bash
TARGET="192.168.1.100"
OUTPUT_DIR="./nmap-output"
mkdir -p "$OUTPUT_DIR"
# Phase 1: Fast port discovery
sudo nmap -p- $TARGET -oA "$OUTPUT_DIR/nmap-portscan"
# Check for "Host seems down"
if grep -q "Host seems down" "$OUTPUT_DIR/nmap-portscan.nmap"; then
sudo nmap -p- -Pn $TARGET -oA "$OUTPUT_DIR/nmap-portscan"
fi
# Parse open ports
OPEN_PORTS=$(grep "^[0-9]" "$OUTPUT_DIR/nmap-portscan.nmap" | grep "open" | cut -d'/' -f1 | tr '\n' ',' | sed 's/,$//')
# Phase 2: Service detection
if [ -n "$OPEN_PORTS" ]; then
nmap -p "$OPEN_PORTS" -sV -sC $TARGET -oA "$OUTPUT_DIR/nmap-services"
fi
```
### Workflow 2: IoT Camera Testing
```bash
OUTPUT_DIR="./nmap-output"
mkdir -p "$OUTPUT_DIR"
# 1. Run default two-phase scan
sudo nmap -p- 192.168.1.100 -oA "$OUTPUT_DIR/nmap-portscan"
OPEN_PORTS=$(grep "^[0-9]" "$OUTPUT_DIR/nmap-portscan.nmap" | grep "open" | cut -d'/' -f1 | tr '\n' ',' | sed 's/,$//')
nmap -p "$OPEN_PORTS" -sV -sC 192.168.1.100 -oA "$OUTPUT_DIR/nmap-services"
# 2. If ONVIF camera detected, check HTTP methods
nmap -p 80 --script http-methods 192.168.1.100 -oA "$OUTPUT_DIR/nmap-http"
# 3. Check RTSP service
nmap -p 554 --script rtsp-methods 192.168.1.100 -oA "$OUTPUT_DIR/nmap-rtsp"
```
### Workflow 3: Additional UDP/OS Detection
```bash
OUTPUT_DIR="./nmap-output"
# After completing default two-phase scan, optionally add:
# UDP scan (top ports)
sudo nmap -sU --top-ports 100 <target> -oA "$OUTPUT_DIR/nmap-udp"
# OS detection
sudo nmap -O <target> -oA "$OUTPUT_DIR/nmap-os"
# Vulnerability scan
nmap -sV --script vuln <target> -oA "$OUTPUT_DIR/nmap-vuln"
```
## Questions to Ask User
Before starting scans, clarify:
1. **Target**: What is the IP address or network range?
2. **Scope**: Single host or network range?
3. **Scan Type**: Use default two-phase strategy or user has specific requirements?
4. **Authorization**: Do you have permission to scan this target?
5. **Special interests**: Any specific services or ports to focus on after initial scan?
Note: Output is saved to `./nmap-output/` by default.
## Success Criteria
A successful nmap scan includes:
- Phase 1 port discovery completed without errors
- Phase 2 service detection completed on all open ports
- Results saved in all formats (-oA) in output directory
- Open ports identified with service versions
- NSE scripts executed successfully
- Results documented and ready for analysis
- Clear summary provided showing:
- Number of open ports found
- Key services detected
- Location of output filesRelated Skills
recon-nmap
Network reconnaissance and security auditing using Nmap for port scanning, service enumeration, and vulnerability detection. Use when: (1) Conducting authorized network reconnaissance and asset discovery, (2) Enumerating network services and identifying running versions, (3) Detecting security vulnerabilities through NSE scripts, (4) Mapping network topology and firewall rules, (5) Performing compliance scanning for security assessments, (6) Validating network segmentation and access controls.
azure-quotas
Check/manage Azure quotas and usage across providers. For deployment planning, capacity validation, region selection. WHEN: "check quotas", "service limits", "current usage", "request quota increase", "quota exceeded", "validate capacity", "regional availability", "provisioning limits", "vCPU limit", "how many vCPUs available in my subscription".
raindrop-io
Manage Raindrop.io bookmarks with AI assistance. Save and organize bookmarks, search your collection, manage reading lists, and organize research materials. Use when working with bookmarks, web research, reading lists, or when user mentions Raindrop.io.
zlibrary-to-notebooklm
自动从 Z-Library 下载书籍并上传到 Google NotebookLM。支持 PDF/EPUB 格式,自动转换,一键创建知识库。
discover-skills
当你发现当前可用的技能都不够合适(或用户明确要求你寻找技能)时使用。本技能会基于任务目标和约束,给出一份精简的候选技能清单,帮助你选出最适配当前任务的技能。
web-performance-seo
Fix PageSpeed Insights/Lighthouse accessibility "!" errors caused by contrast audit failures (CSS filters, OKLCH/OKLAB, low opacity, gradient text, image backgrounds). Use for accessibility-driven SEO/performance debugging and remediation.
project-to-obsidian
将代码项目转换为 Obsidian 知识库。当用户提到 obsidian、项目文档、知识库、分析项目、转换项目 时激活。 【激活后必须执行】: 1. 先完整阅读本 SKILL.md 文件 2. 理解 AI 写入规则(默认到 00_Inbox/AI/、追加式、统一 Schema) 3. 执行 STEP 0: 使用 AskUserQuestion 询问用户确认 4. 用户确认后才开始 STEP 1 项目扫描 5. 严格按 STEP 0 → 1 → 2 → 3 → 4 顺序执行 【禁止行为】: - 禁止不读 SKILL.md 就开始分析项目 - 禁止跳过 STEP 0 用户确认 - 禁止直接在 30_Resources 创建(先到 00_Inbox/AI/) - 禁止自作主张决定输出位置
obsidian-helper
Obsidian 智能笔记助手。当用户提到 obsidian、日记、笔记、知识库、capture、review 时激活。 【激活后必须执行】: 1. 先完整阅读本 SKILL.md 文件 2. 理解 AI 写入三条硬规矩(00_Inbox/AI/、追加式、白名单字段) 3. 按 STEP 0 → STEP 1 → ... 顺序执行 4. 不要跳过任何步骤,不要自作主张 【禁止行为】: - 禁止不读 SKILL.md 就开始工作 - 禁止跳过用户确认步骤 - 禁止在非 00_Inbox/AI/ 位置创建新笔记(除非用户明确指定)
internationalizing-websites
Adds multi-language support to Next.js websites with proper SEO configuration including hreflang tags, localized sitemaps, and language-specific content. Use when adding new languages, setting up i18n, optimizing for international SEO, or when user mentions localization, translation, multi-language, or specific languages like Japanese, Korean, Chinese.
google-official-seo-guide
Official Google SEO guide covering search optimization, best practices, Search Console, crawling, indexing, and improving website search visibility based on official Google documentation
github-release-assistant
Generate bilingual GitHub release documentation (README.md + README.zh.md) from repo metadata and user input, and guide release prep with git add/commit/push. Use when the user asks to write or polish README files, create bilingual docs, prepare a GitHub release, or mentions release assistant/README generation.
doc-sync-tool
自动同步项目中的 Agents.md、claude.md 和 gemini.md 文件,保持内容一致性。支持自动监听和手动触发。