Adding nmap skill
This commit is contained in:
+152
@@ -0,0 +1,152 @@
|
|||||||
|
# Nmap Recon
|
||||||
|
|
||||||
|
Network reconnaissance and port scanning using Nmap. Use when asked to scan a target, find open ports, detect services, check for vulnerabilities, or perform network reconnaissance.
|
||||||
|
|
||||||
|
## Triggers
|
||||||
|
|
||||||
|
- "scan [target]", "port scan", "nmap", "what ports are open", "recon [target]", "service detection", "vulnerability scan"
|
||||||
|
|
||||||
|
## Requirements
|
||||||
|
|
||||||
|
- `nmap` must be installed (standard on Kali, available via package managers)
|
||||||
|
- Root/sudo for SYN scans and OS detection
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
### Quick Scan (Top 1000 ports)
|
||||||
|
```bash
|
||||||
|
nmap -sC -sV -oA scan_$(date +%Y%m%d_%H%M%S) TARGET
|
||||||
|
```
|
||||||
|
|
||||||
|
### Full Port Scan
|
||||||
|
```bash
|
||||||
|
nmap -p- -sC -sV -oA fullscan_$(date +%Y%m%d_%H%M%S) TARGET
|
||||||
|
```
|
||||||
|
|
||||||
|
### Fast Scan (Quick check)
|
||||||
|
```bash
|
||||||
|
nmap -F -T4 TARGET
|
||||||
|
```
|
||||||
|
|
||||||
|
### Stealth SYN Scan (requires root)
|
||||||
|
```bash
|
||||||
|
sudo nmap -sS -sV -O -oA stealth_$(date +%Y%m%d_%H%M%S) TARGET
|
||||||
|
```
|
||||||
|
|
||||||
|
### UDP Scan (Top 100 ports)
|
||||||
|
```bash
|
||||||
|
sudo nmap -sU --top-ports 100 -oA udp_$(date +%Y%m%d_%H%M%S) TARGET
|
||||||
|
```
|
||||||
|
|
||||||
|
### Vulnerability Scan
|
||||||
|
```bash
|
||||||
|
nmap --script vuln -oA vulnscan_$(date +%Y%m%d_%H%M%S) TARGET
|
||||||
|
```
|
||||||
|
|
||||||
|
### Aggressive Scan (OS, version, scripts, traceroute)
|
||||||
|
```bash
|
||||||
|
nmap -A -T4 -oA aggressive_$(date +%Y%m%d_%H%M%S) TARGET
|
||||||
|
```
|
||||||
|
|
||||||
|
## Output Parsing
|
||||||
|
|
||||||
|
Nmap outputs in multiple formats with `-oA`:
|
||||||
|
- `.nmap` - Human readable
|
||||||
|
- `.xml` - Machine parseable
|
||||||
|
- `.gnmap` - Greppable format
|
||||||
|
|
||||||
|
### Parse open ports from greppable output:
|
||||||
|
```bash
|
||||||
|
grep "open" scan.gnmap | awk -F'[/]' '{print $1}' | tr ',' '\n' | sort -u
|
||||||
|
```
|
||||||
|
|
||||||
|
### Extract service versions:
|
||||||
|
```bash
|
||||||
|
grep -E "^[0-9]+/" scan.nmap | awk '{print $1, $3, $4}'
|
||||||
|
```
|
||||||
|
|
||||||
|
### Quick summary from XML:
|
||||||
|
```bash
|
||||||
|
xmllint --xpath "//port[@state='open']" scan.xml 2>/dev/null
|
||||||
|
```
|
||||||
|
|
||||||
|
## Common Scan Profiles
|
||||||
|
|
||||||
|
| Profile | Command | Use Case |
|
||||||
|
|---------|---------|----------|
|
||||||
|
| Quick | `nmap -F -T4` | Fast initial recon |
|
||||||
|
| Standard | `nmap -sC -sV` | Service detection + default scripts |
|
||||||
|
| Full | `nmap -p- -sC -sV` | All 65535 ports |
|
||||||
|
| Stealth | `sudo nmap -sS -T2` | Evasive scanning |
|
||||||
|
| Vuln | `nmap --script vuln` | Vulnerability detection |
|
||||||
|
| Aggressive | `nmap -A -T4` | Full enumeration |
|
||||||
|
|
||||||
|
## Script Categories
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# List available scripts
|
||||||
|
ls /usr/share/nmap/scripts/
|
||||||
|
|
||||||
|
# Run specific category
|
||||||
|
nmap --script=default,safe TARGET
|
||||||
|
nmap --script=vuln TARGET
|
||||||
|
nmap --script=exploit TARGET
|
||||||
|
nmap --script=auth TARGET
|
||||||
|
|
||||||
|
# Run specific script
|
||||||
|
nmap --script=http-title TARGET
|
||||||
|
nmap --script=smb-vuln* TARGET
|
||||||
|
```
|
||||||
|
|
||||||
|
## Target Specification
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# Single host
|
||||||
|
nmap 192.168.1.1
|
||||||
|
|
||||||
|
# CIDR range
|
||||||
|
nmap 192.168.1.0/24
|
||||||
|
|
||||||
|
# Range
|
||||||
|
nmap 192.168.1.1-254
|
||||||
|
|
||||||
|
# From file
|
||||||
|
nmap -iL targets.txt
|
||||||
|
|
||||||
|
# Exclude hosts
|
||||||
|
nmap 192.168.1.0/24 --exclude 192.168.1.1
|
||||||
|
```
|
||||||
|
|
||||||
|
## Timing Templates
|
||||||
|
|
||||||
|
- `-T0` Paranoid (IDS evasion)
|
||||||
|
- `-T1` Sneaky (IDS evasion)
|
||||||
|
- `-T2` Polite (slow)
|
||||||
|
- `-T3` Normal (default)
|
||||||
|
- `-T4` Aggressive (fast)
|
||||||
|
- `-T5` Insane (very fast, may miss ports)
|
||||||
|
|
||||||
|
## Authorization Required
|
||||||
|
|
||||||
|
⚠️ **Only scan targets you own or have explicit written authorization to test.**
|
||||||
|
|
||||||
|
Never scan:
|
||||||
|
- Public infrastructure without permission
|
||||||
|
- Networks you don't control
|
||||||
|
- Production systems without approval
|
||||||
|
|
||||||
|
## Example Workflow
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# 1. Quick scan to find live hosts
|
||||||
|
nmap -sn 192.168.1.0/24 -oA live_hosts
|
||||||
|
|
||||||
|
# 2. Fast port scan on discovered hosts
|
||||||
|
nmap -F -T4 -iL live_hosts.gnmap -oA quick_ports
|
||||||
|
|
||||||
|
# 3. Deep scan interesting hosts
|
||||||
|
nmap -p- -sC -sV -oA deep_scan TARGET
|
||||||
|
|
||||||
|
# 4. Vulnerability scan
|
||||||
|
nmap --script vuln -oA vuln_scan TARGET
|
||||||
|
```
|
||||||
Reference in New Issue
Block a user