Nmap Reconnaissance

## Overview

25 stars

Best use case

Nmap Reconnaissance is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

## Overview

Teams using Nmap Reconnaissance should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

You only need a quick one-off answer and do not need a reusable workflow.
You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/nmap-recon/SKILL.md --create-dirs "https://raw.githubusercontent.com/ComeOnOliver/skillshub/main/skills/TerminalSkills/skills/nmap-recon/SKILL.md"

Manual Installation

Download SKILL.md from GitHub
Place it in .claude/skills/nmap-recon/SKILL.md inside your project
Restart your AI agent — it will auto-discover the skill

How Nmap Reconnaissance Compares

Feature / Agent	Nmap Reconnaissance	Standard Approach
Platform Support	Not specified	Limited / Varies
Context Awareness	High	Baseline
Installation Complexity	Unknown	N/A

Frequently Asked Questions

What does this skill do?

## Overview

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Nmap Reconnaissance

## Overview

Nmap is the standard tool for network discovery and security auditing. It identifies live hosts, open ports, running services and their versions, operating systems, and potential vulnerabilities. Every penetration test starts with Nmap. Supports TCP/UDP scanning, OS fingerprinting, NSE (Nmap Scripting Engine) for vulnerability detection, and output in XML/JSON for automation.

## Instructions

### Step 1: Host Discovery

```bash
# Discover live hosts on a subnet (no port scan)
nmap -sn 192.168.1.0/24
# -sn: ping scan only, no port scan
# Output: list of live IPs with MAC addresses and hostnames

# Discover hosts without ping (when ICMP is blocked)
nmap -Pn -sn 10.0.0.0/24

# ARP discovery on local network (most reliable on LAN)
nmap -PR -sn 192.168.1.0/24
```

### Step 2: Port Scanning

```bash
# Quick scan — top 1000 ports with service detection
nmap -sV -sC -T4 target.example.com
# -sV: detect service versions (Apache 2.4.52, OpenSSH 8.9)
# -sC: run default NSE scripts (safe checks)
# -T4: aggressive timing (faster, noisier)

# Full TCP port scan — all 65535 ports
nmap -p- -sV --open target.example.com
# -p-: scan all ports (not just top 1000)
# --open: show only open ports (less noise)

# UDP scan — catches DNS, SNMP, TFTP, NTP
nmap -sU --top-ports 100 target.example.com
# UDP scans are slow — limit to top ports

# Specific port ranges
nmap -p 80,443,8080-8090,3000-3010 target.example.com
```

### Step 3: Service Enumeration and OS Detection

```bash
# Aggressive scan — service version + OS detection + scripts + traceroute
nmap -A -T4 target.example.com
# Combines: -sV -sC -O --traceroute

# OS fingerprinting
nmap -O --osscan-guess target.example.com
# Identifies: Linux 5.x, Windows Server 2019, FreeBSD 13, etc.

# Banner grabbing for specific services
nmap -sV --version-intensity 5 -p 22,80,443,3306,5432,6379 target.example.com
# Higher intensity = more probes = better detection
```

### Step 4: NSE Vulnerability Scripts

```bash
# Run vulnerability detection scripts
nmap --script vuln target.example.com
# Checks for: ShellShock, Heartbleed, SMB vulns, etc.

# Specific vulnerability checks
nmap --script ssl-heartbleed -p 443 target.example.com
nmap --script smb-vuln-ms17-010 -p 445 target.example.com
nmap --script http-shellshock --script-args uri=/cgi-bin/status -p 80 target.example.com

# Web server enumeration
nmap --script http-enum,http-title,http-headers,http-methods -p 80,443,8080 target.example.com

# Brute force (use with authorization only)
nmap --script ssh-brute --script-args userdb=users.txt,passdb=pass.txt -p 22 target.example.com

# DNS enumeration
nmap --script dns-brute --script-args dns-brute.domain=example.com
```

### Step 5: Output for Automation

```bash
# XML output for parsing (tools like searchsploit, Metasploit)
nmap -sV -sC -oX scan-results.xml target.example.com

# All formats at once
nmap -sV -sC -oA scan-results target.example.com
# Creates: scan-results.nmap, scan-results.xml, scan-results.gnmap

# Grepable output for quick filtering
nmap -sV -oG - target.example.com | grep "open"

# Parse XML results programmatically
python3 -c "
import xml.etree.ElementTree as ET
tree = ET.parse('scan-results.xml')
for host in tree.findall('.//host'):
    ip = host.find('.//address[@addrtype=\"ipv4\"]').get('addr')
    for port in host.findall('.//port'):
        portid = port.get('portid')
        service = port.find('service')
        name = service.get('name', 'unknown') if service is not None else 'unknown'
        version = service.get('version', '') if service is not None else ''
        state = port.find('state').get('state')
        if state == 'open':
            print(f'{ip}:{portid} — {name} {version}')
"
```

### Step 6: Stealth and Evasion

```bash
# SYN scan (half-open, less logged)
nmap -sS -T2 target.example.com
# -sS: SYN scan (doesn't complete TCP handshake)
# -T2: polite timing (slower but less detectable)

# Fragment packets to evade firewalls
nmap -f -sS target.example.com

# Decoy scan — hide your IP among fake sources
nmap -D RND:10 -sS target.example.com
# RND:10: generate 10 random decoy IPs

# Idle scan — completely anonymous via zombie host
nmap -sI zombie-host.example.com target.example.com

# Source port manipulation (bypass weak firewalls)
nmap --source-port 53 -sS target.example.com
```

## Guidelines

- **Always have written authorization** before scanning any network or host.
- Start with `-sn` (host discovery) → `-sV -sC` (service scan) → `--script vuln` (vulnerability scan). Don't jump to aggressive scans.
- `-T4` is good for most assessments. Use `-T2` when stealth matters, `-T5` only on local networks.
- Full port scan (`-p-`) takes much longer but catches services on non-standard ports — always do it.
- UDP scans (`-sU`) are slow but important — many vulnerabilities live on UDP (SNMP, DNS, TFTP).
- Save all output as XML (`-oX`) — it integrates with Metasploit, searchsploit, and custom parsers.
- NSE scripts in the `vuln` category are safe for authorized testing. `brute` and `exploit` categories are aggressive.
- Combine with `searchsploit` to cross-reference found service versions with known exploits.

Related Skills

shodan-reconnaissance

from ComeOnOliver/skillshub

This skill should be used when the user asks to "search for exposed devices on the internet," "perform Shodan reconnaissance," "find vulnerable services using Shodan," "scan IP ranges...

shodan-reconnaissance-and-pentesting

from ComeOnOliver/skillshub

This skill should be used when the user asks to "search for exposed devices on the internet," "perform Shodan reconnaissance," "find vulnerable services using Shodan," "scan IP ranges with Shodan," or "discover IoT devices and open ports." It provides comprehensive guidance for using Shodan's search engine, CLI, and API for penetration testing reconnaissance.

reconnaissance-knowledge

from ComeOnOliver/skillshub

Comprehensive knowledge about network reconnaissance and service enumeration. Provides methodologies for port scanning, service fingerprinting, web directory discovery, and vulnerability identification. Includes best practices for structured data collection.

nmap

from ComeOnOliver/skillshub

Professional network reconnaissance and port scanning using nmap. Supports various scan types (quick, full, UDP, stealth), service detection, vulnerability scanning, and NSE scripts. Use when you need to enumerate network services, detect versions, or perform network reconnaissance.

recon-nmap

from ComeOnOliver/skillshub

Network reconnaissance and security auditing using Nmap for port scanning, service enumeration, and vulnerability detection. Use when: (1) Conducting authorized network reconnaissance and asset discovery, (2) Enumerating network services and identifying running versions, (3) Detecting security vulnerabilities through NSE scripts, (4) Mapping network topology and firewall rules, (5) Performing compliance scanning for security assessments, (6) Validating network segmentation and access controls.

Daily Logs

from ComeOnOliver/skillshub

Record the user's daily activities, progress, decisions, and learnings in a structured, chronological format.

Socratic Method: The Dialectic Engine

from ComeOnOliver/skillshub

This skill transforms Claude into a Socratic agent — a cognitive partner who guides

Sokratische Methode: Die Dialektik-Maschine

from ComeOnOliver/skillshub

Dieser Skill verwandelt Claude in einen sokratischen Agenten — einen kognitiven Partner, der Nutzende durch systematisches Fragen zur Wissensentdeckung führt, anstatt direkt zu instruieren.

College Football Data (CFB)

from ComeOnOliver/skillshub

Before writing queries, consult `references/api-reference.md` for endpoints, conference IDs, team IDs, and data shapes.

College Basketball Data (CBB)

from ComeOnOliver/skillshub

Before writing queries, consult `references/api-reference.md` for endpoints, conference IDs, team IDs, and data shapes.

Betting Analysis

from ComeOnOliver/skillshub

Before writing queries, consult `references/api-reference.md` for odds formats, command parameters, and key concepts.

Research Proposal Generator

from ComeOnOliver/skillshub

Generate high-quality academic research proposals for PhD applications following Nature Reviews-style academic writing conventions.