概述

Nmap Recon

Network reconnaissance and port scanning using Nmap. Use when asked to scan a target, find open ports, detect services, check for vulnerabilities, or perform network reconnaissance.

Triggers

"scan [target]", "port scan", "nmap", "what ports are open", "recon [target]", "service detection", "vulnerability scan"

Requirements

nmap must be installed (standard on Kali, available via package managers)
Root/sudo for SYN scans and OS detection

Usage

Quick Scan (Top 1000 ports)

nmap -sC -sV -oA scan_$(date +%Y%m%d_%H%M%S) TARGET

Full Port Scan

nmap -p- -sC -sV -oA fullscan_$(date +%Y%m%d_%H%M%S) TARGET

Fast Scan (Quick check)

nmap -F -T4 TARGET

Stealth SYN Scan (requires root)

sudo nmap -sS -sV -O -oA stealth_$(date +%Y%m%d_%H%M%S) TARGET

UDP Scan (Top 100 ports)

sudo nmap -sU --top-ports 100 -oA udp_$(date +%Y%m%d_%H%M%S) TARGET

Vulnerability Scan

nmap --script vuln -oA vulnscan_$(date +%Y%m%d_%H%M%S) TARGET

Aggressive Scan (OS, version, scripts, traceroute)

nmap -A -T4 -oA aggressive_$(date +%Y%m%d_%H%M%S) TARGET

Output Parsing

Nmap outputs in multiple formats with -oA:

.nmap - Human readable
.xml - Machine parseable
.gnmap - Greppable format

Parse open ports from greppable output:

grep "open" scan.gnmap | awk -F'[/]' '{print $1}' | tr ',' '\n' | sort -u

Extract service versions:

grep -E "^[0-9]+/" scan.nmap | awk '{print $1, $3, $4}'

Quick summary from XML:

xmllint --xpath "//port[@state='open']" scan.xml 2>/dev/null

Common Scan Profiles

Profile	Command	Use Case
---------	---------	----------
Quick	`nmap -F -T4`	Fast initial recon
Standard	`nmap -sC -sV`	Service detection + default scripts
Full	`nmap -p- -sC -sV`	All 65535 ports
Stealth	`sudo nmap -sS -T2`	Evasive scanning
Vuln	`nmap --script vuln`	Vulnerability detection
Aggressive	`nmap -A -T4`	Full enumeration

Script Categories

# List available scripts
ls /usr/share/nmap/scripts/

# Run specific category
nmap --script=default,safe TARGET
nmap --script=vuln TARGET
nmap --script=exploit TARGET
nmap --script=auth TARGET

# Run specific script
nmap --script=http-title TARGET
nmap --script=smb-vuln* TARGET

Target Specification

# Single host
nmap 192.168.1.1

# CIDR range
nmap 192.168.1.0/24

# Range
nmap 192.168.1.1-254

# From file
nmap -iL targets.txt

# Exclude hosts
nmap 192.168.1.0/24 --exclude 192.168.1.1

Timing Templates

-T0 Paranoid (IDS evasion)
-T1 Sneaky (IDS evasion)
-T2 Polite (slow)
-T3 Normal (default)
-T4 Aggressive (fast)
-T5 Insane (very fast, may miss ports)

Authorization Required

⚠️ Only scan targets you own or have explicit written authorization to test.

Never scan:

Public infrastructure without permission
Networks you don't control
Production systems without approval

Example Workflow

# 1. Quick scan to find live hosts
nmap -sn 192.168.1.0/24 -oA live_hosts

# 2. Fast port scan on discovered hosts
nmap -F -T4 -iL live_hosts.gnmap -oA quick_ports

# 3. Deep scan interesting hosts
nmap -p- -sC -sV -oA deep_scan TARGET

# 4. Vulnerability scan
nmap --script vuln -oA vuln_scan TARGET

版本历史

共 1 个版本

v1.0.0 当前

2026-03-28 11:22 安全安全

安全检测

腾讯云安全 (Keen)

安全，无风险

查看报告

腾讯云安全 (Sanbu)

安全，无风险

查看报告

Nmap Recon

概述

Nmap Recon

Triggers

Requirements

Usage

Quick Scan (Top 1000 ports)

Full Port Scan

Fast Scan (Quick check)

Stealth SYN Scan (requires root)

UDP Scan (Top 100 ports)

Vulnerability Scan

Aggressive Scan (OS, version, scripts, traceroute)

Output Parsing

Parse open ports from greppable output:

Extract service versions:

Quick summary from XML:

Common Scan Profiles

Script Categories

Target Specification

Timing Templates

Authorization Required

Example Workflow

版本历史

安全检测

腾讯云安全 (Keen)

腾讯云安全 (Sanbu)

🔗 相关推荐

1password

Skill Vetter

OpenClaw Backup