nmap_skill

This skill guides professional network reconnaissance with nmap, enabling quick port discovery, service detection, and structured results for IoT assessments.
  • Python

520

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill brownfinesecurity/iothackbot --skill nmap

  • SKILL.md16.0 KB

Overview

This skill provides professional network reconnaissance and port scanning workflows using nmap. It implements a reliable two-phase default strategy (fast SYN port discovery followed by targeted service detection) and includes recommendations for alternative scan types, NSE usage, and output management. The focus is on repeatable, auditable scans and organized output storage. Use it to enumerate services, detect versions, and surface potential IoT issues.

How this skill works

The skill runs a Phase 1 fast SYN scan as root to discover all open TCP ports across 65535 ports and saves results in a structured output directory. It parses the Phase 1 output to extract open ports and then runs Phase 2 service/version detection and default NSE scripts only against confirmed open ports. It handles host-down cases by retrying with -Pn, offers timing and scan-type options (UDP, stealth, aggressive, vuln, OS detection), and always produces .nmap, .xml and .gnmap outputs for analysis. Scripts and targeted follow-up scans (HTTP, SSH, RTSP, ONVIF) are recommended based on detected services.

When to use it

  • Full network reconnaissance when you need complete port coverage and service versions
  • Quick initial triage when time is limited (use quick/top-1000 scan only if requested)
  • IoT pentesting to enumerate device services (RTSP, ONVIF, MQTT, UPnP, Modbus)
  • Targeted vulnerability checks using NSE vuln scripts
  • When you need organized, machine-readable output for downstream parsing or reporting

Best practices

  • Always save output with -oA to an organized directory (e.g., ./nmap-output/) for reproducibility
  • Use the default two-phase strategy (fast port discovery then targeted service detection) unless explicitly asked otherwise
  • Run privileged scans with sudo when using SYN, UDP, or OS detection flags that require raw sockets
  • Match timing templates to risk: T4 for speed on authorized tests, T1/T2 for stealth or sensitive networks
  • Document scan parameters, date/time, and any anomalies; respect scope and obtain authorization before scanning

Example use cases

  • Standard pentest: discover all open ports on a host, then run -sV -sC against confirmed ports and save outputs
  • IoT camera assessment: detect ports 80/554/8000 and run http-*/rtsp-* scripts to enumerate feeds and onvif info
  • Vulnerability sweep: run --script vuln after version detection to flag known CVEs for further validation
  • Stealth enumeration: perform sudo -sS with -T1/-T2 for low-noise discovery in sensitive environments
  • UDP service discovery: run sudo -sU --top-ports 100 when UDP services (DNS, SNMP, MQTT) are suspected

FAQ

Always use -oA <prefix> to produce .nmap (human), .xml (parsing/import), and .gnmap (grepable) files.

Host appears down in results — what next?

Retry Phase 1 with -Pn to skip host discovery (sudo nmap -p- -Pn) as firewalls may block probes.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational