nmap_skill
- Python
520
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill brownfinesecurity/iothackbot --skill nmap- SKILL.md16.0 KB
Overview
This skill provides professional network reconnaissance and port scanning workflows using nmap. It implements a reliable two-phase default strategy (fast SYN port discovery followed by targeted service detection) and includes recommendations for alternative scan types, NSE usage, and output management. The focus is on repeatable, auditable scans and organized output storage. Use it to enumerate services, detect versions, and surface potential IoT issues.
How this skill works
The skill runs a Phase 1 fast SYN scan as root to discover all open TCP ports across 65535 ports and saves results in a structured output directory. It parses the Phase 1 output to extract open ports and then runs Phase 2 service/version detection and default NSE scripts only against confirmed open ports. It handles host-down cases by retrying with -Pn, offers timing and scan-type options (UDP, stealth, aggressive, vuln, OS detection), and always produces .nmap, .xml and .gnmap outputs for analysis. Scripts and targeted follow-up scans (HTTP, SSH, RTSP, ONVIF) are recommended based on detected services.
When to use it
- Full network reconnaissance when you need complete port coverage and service versions
- Quick initial triage when time is limited (use quick/top-1000 scan only if requested)
- IoT pentesting to enumerate device services (RTSP, ONVIF, MQTT, UPnP, Modbus)
- Targeted vulnerability checks using NSE vuln scripts
- When you need organized, machine-readable output for downstream parsing or reporting
Best practices
- Always save output with -oA to an organized directory (e.g., ./nmap-output/) for reproducibility
- Use the default two-phase strategy (fast port discovery then targeted service detection) unless explicitly asked otherwise
- Run privileged scans with sudo when using SYN, UDP, or OS detection flags that require raw sockets
- Match timing templates to risk: T4 for speed on authorized tests, T1/T2 for stealth or sensitive networks
- Document scan parameters, date/time, and any anomalies; respect scope and obtain authorization before scanning
Example use cases
- Standard pentest: discover all open ports on a host, then run -sV -sC against confirmed ports and save outputs
- IoT camera assessment: detect ports 80/554/8000 and run http-*/rtsp-* scripts to enumerate feeds and onvif info
- Vulnerability sweep: run --script vuln after version detection to flag known CVEs for further validation
- Stealth enumeration: perform sudo -sS with -T1/-T2 for low-noise discovery in sensitive environments
- UDP service discovery: run sudo -sU --top-ports 100 when UDP services (DNS, SNMP, MQTT) are suspected
FAQ
Always use -oA <prefix> to produce .nmap (human), .xml (parsing/import), and .gnmap (grepable) files.
Host appears down in results — what next?
Retry Phase 1 with -Pn to skip host discovery (sudo nmap -p- -Pn) as firewalls may block probes.