commit aa597c61c595e38397b6210aedd3e94635fd8ea3 Author: James Brechtel Date: Mon Mar 23 14:10:15 2026 -0400 Adding nmap skill diff --git a/nmap/SKILL.md b/nmap/SKILL.md new file mode 100644 index 0000000..820684c --- /dev/null +++ b/nmap/SKILL.md @@ -0,0 +1,152 @@ +# Nmap Recon + +Network reconnaissance and port scanning using Nmap. Use when asked to scan a target, find open ports, detect services, check for vulnerabilities, or perform network reconnaissance. + +## Triggers + +- "scan [target]", "port scan", "nmap", "what ports are open", "recon [target]", "service detection", "vulnerability scan" + +## Requirements + +- `nmap` must be installed (standard on Kali, available via package managers) +- Root/sudo for SYN scans and OS detection + +## Usage + +### Quick Scan (Top 1000 ports) +```bash +nmap -sC -sV -oA scan_$(date +%Y%m%d_%H%M%S) TARGET +``` + +### Full Port Scan +```bash +nmap -p- -sC -sV -oA fullscan_$(date +%Y%m%d_%H%M%S) TARGET +``` + +### Fast Scan (Quick check) +```bash +nmap -F -T4 TARGET +``` + +### Stealth SYN Scan (requires root) +```bash +sudo nmap -sS -sV -O -oA stealth_$(date +%Y%m%d_%H%M%S) TARGET +``` + +### UDP Scan (Top 100 ports) +```bash +sudo nmap -sU --top-ports 100 -oA udp_$(date +%Y%m%d_%H%M%S) TARGET +``` + +### Vulnerability Scan +```bash +nmap --script vuln -oA vulnscan_$(date +%Y%m%d_%H%M%S) TARGET +``` + +### Aggressive Scan (OS, version, scripts, traceroute) +```bash +nmap -A -T4 -oA aggressive_$(date +%Y%m%d_%H%M%S) TARGET +``` + +## Output Parsing + +Nmap outputs in multiple formats with `-oA`: +- `.nmap` - Human readable +- `.xml` - Machine parseable +- `.gnmap` - Greppable format + +### Parse open ports from greppable output: +```bash +grep "open" scan.gnmap | awk -F'[/]' '{print $1}' | tr ',' '\n' | sort -u +``` + +### Extract service versions: +```bash +grep -E "^[0-9]+/" scan.nmap | awk '{print $1, $3, $4}' +``` + +### Quick summary from XML: +```bash +xmllint --xpath "//port[@state='open']" scan.xml 2>/dev/null +``` + +## Common Scan Profiles + +| Profile | Command | Use Case | +|---------|---------|----------| +| Quick | `nmap -F -T4` | Fast initial recon | +| Standard | `nmap -sC -sV` | Service detection + default scripts | +| Full | `nmap -p- -sC -sV` | All 65535 ports | +| Stealth | `sudo nmap -sS -T2` | Evasive scanning | +| Vuln | `nmap --script vuln` | Vulnerability detection | +| Aggressive | `nmap -A -T4` | Full enumeration | + +## Script Categories + +```bash +# List available scripts +ls /usr/share/nmap/scripts/ + +# Run specific category +nmap --script=default,safe TARGET +nmap --script=vuln TARGET +nmap --script=exploit TARGET +nmap --script=auth TARGET + +# Run specific script +nmap --script=http-title TARGET +nmap --script=smb-vuln* TARGET +``` + +## Target Specification + +```bash +# Single host +nmap 192.168.1.1 + +# CIDR range +nmap 192.168.1.0/24 + +# Range +nmap 192.168.1.1-254 + +# From file +nmap -iL targets.txt + +# Exclude hosts +nmap 192.168.1.0/24 --exclude 192.168.1.1 +``` + +## Timing Templates + +- `-T0` Paranoid (IDS evasion) +- `-T1` Sneaky (IDS evasion) +- `-T2` Polite (slow) +- `-T3` Normal (default) +- `-T4` Aggressive (fast) +- `-T5` Insane (very fast, may miss ports) + +## Authorization Required + +⚠️ **Only scan targets you own or have explicit written authorization to test.** + +Never scan: +- Public infrastructure without permission +- Networks you don't control +- Production systems without approval + +## Example Workflow + +```bash +# 1. Quick scan to find live hosts +nmap -sn 192.168.1.0/24 -oA live_hosts + +# 2. Fast port scan on discovered hosts +nmap -F -T4 -iL live_hosts.gnmap -oA quick_ports + +# 3. Deep scan interesting hosts +nmap -p- -sC -sV -oA deep_scan TARGET + +# 4. Vulnerability scan +nmap --script vuln -oA vuln_scan TARGET +```