nmap

from brownfinesecurity/iothackbot

IoT HackBot: A collection of Claude Skills and custom tooling for hybrid IoT pentesting

517 stars, 84 forks, updated Jan 8, 2026
npx skills add https://github.com/brownfinesecurity/iothackbot --skill nmap

SKILL.md

Nmap Scan - Professional Network Reconnaissance

You are helping the user perform professional network reconnaissance and port scanning using nmap. This skill provides guidance for various scan types, output formats, and result analysis.

Output Directory

Directory Structure

nmap-output/
├── nmap-portscan.nmap      # Initial fast port discovery
├── nmap-portscan.xml
├── nmap-portscan.gnmap
├── nmap-services.nmap      # Detailed service detection on open ports
├── nmap-services.xml
└── nmap-services.gnmap

IMPORTANT: Always save nmap output to an organized directory structure. By default, use ./nmap-output/ or specify a custom directory.

Default Scanning Strategy

IMPORTANT: Unless the user explicitly requests a different scan type, ALWAYS use this two-phase approach:

Phase 1: Fast Port Discovery (Root SYN Scan)

sudo nmap -p- <target> -oA <output-dir>/nmap-portscan
  • Why sudo: Running as root enables fast SYN scan (-sS is implicit)
  • Why -p-: Scans all 65535 ports quickly
  • Duration: Typically 1-3 minutes for SYN scan
  • Output: List of all open ports

Host Down Detection: If the scan output contains "Note: Host seems down", automatically retry with:

sudo nmap -p- -Pn <target> -oA <output-dir>/nmap-portscan
  • -Pn: Skip host discovery, treat host as online
  • Use this when firewalls block ping probes

Phase 2: Targeted Service Detection

After Phase 1 completes, parse the open ports and run:

nmap -p <OPEN_PORT_LIST> -sV -sC <target> -oA <output-dir>/nmap-services
  • -p <OPEN_PORT_LIST>: Only scan the ports found to be open (e.g., -p 23,80,443,554,8000)
  • -sV: Service version detection
  • -sC: Run default NSE scripts for additional enumeration
  • Duration: Usually 1-3 minutes since only scanning known open ports

Why This Strategy?

  1. Speed: Fast SYN scan finds all open ports in 1-3 minutes
  2. Thoroughness: Covers all 65535 ports, not just top 1000
  3. Efficiency: Service detection only runs on confirmed open ports
  4. Accuracy: Two-phase approach reduces false negatives

Parsing Open Ports

After Phase 1, extract open ports using:

# Extract open ports from .gnmap file
# (entries in the "Ports:" field are comma-separated: port/state/proto/owner/service/rpcinfo/version/)
grep "Ports:" <output-dir>/nmap-portscan.gnmap | sed 's/.*Ports: //' | tr ',' '\n' | grep "/open/" | cut -d'/' -f1 | tr -d ' ' | tr '\n' ',' | sed 's/,$//'

Or parse from .nmap file:

grep "^[0-9]" <output-dir>/nmap-portscan.nmap | grep "open" | cut -d'/' -f1 | tr '\n' ',' | sed 's/,$//'

Implementation Workflow

When the nmap-scan skill is invoked:

  1. Set the target and create the output directory

    TARGET="<target>"            # IP, hostname or CIDR range to scan
    OUTPUT_DIR="./nmap-output"
    mkdir -p "$OUTPUT_DIR"
    
  2. Run Phase 1: Fast port discovery

    sudo nmap -p- "$TARGET" -oA "$OUTPUT_DIR/nmap-portscan"
    
  3. Check for "Host seems down" error

    if grep -q "Host seems down" "$OUTPUT_DIR/nmap-portscan.nmap"; then
        echo "Host appears down, retrying with -Pn flag..."
        sudo nmap -p- -Pn "$TARGET" -oA "$OUTPUT_DIR/nmap-portscan"
    fi
    
  4. Parse open ports from results

    # Port lines in .nmap output look like "22/tcp   open  ssh"
    # (with a range target this merges the ports of every host into one list)
    OPEN_PORTS=$(grep "^[0-9]" "$OUTPUT_DIR/nmap-portscan.nmap" | grep "open" | cut -d'/' -f1 | tr '\n' ',' | sed 's/,$//')
    
  5. Run Phase 2: Service detection on open ports

    if [ -n "$OPEN_PORTS" ]; then
        nmap -p "$OPEN_PORTS" -sV -sC "$TARGET" -oA "$OUTPUT_DIR/nmap-services"
    else
        echo "No open ports found, skipping service detection."
    fi
    
  6. Report results location

    echo "Scan complete. Results saved to: $OUTPUT_DIR"
    

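The grep/sed pipelines in "Parsing Open Ports" and in workflow step 4 do the job for a single host, but they merge every host of a range into one port list, treat UDP "open|filtered" like "open", and can be thrown off by commas inside version strings. The following Python parser is an added example for this page, not code from the iothackbot skill or repository: it reads the .gnmap format into per-host records and builds the Phase 2 argument list from them. The sample .gnmap text, the addresses and banners in it, and the phase2_args helper are constructed assumptions, not output of a real scan.

```python
"""Structured parser for nmap grepable (.gnmap) output.

Added example for this page, not code from the iothackbot skill or repository.
Replaces the grep/sed pipelines of "Parsing Open Ports" and workflow step 4
while keeping ports per host, separating "open" from "open|filtered", and
surviving commas inside version strings.
"""
import re
from dataclasses import dataclass
from typing import Optional

# One entry in the "Ports:" field is
#   port/state/protocol/owner/service/rpc-info/version/
# Matching on the port/state/protocol prefix instead of splitting the field on
# commas keeps a version such as "Boa httpd 0.94, custom build" intact.
PORT_ENTRY = re.compile(r"(\d{1,5})/([a-z|]+)/(tcp|udp)/[^/]*/([^/]*)/[^/]*/([^/]*)/")

# Constructed sample (addresses and banners are made up) of what
# nmap-services.gnmap could contain after scanning a small IoT segment.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -p 23,80,554,8000,443 -sV -sC 10.0.0.0/29\n"
    "Host: 10.0.0.5 (camera.lan)\tStatus: Up\n"
    "Host: 10.0.0.5 (camera.lan)\tPorts: 23/open/tcp//telnet///, "
    "80/open/tcp//http//Boa httpd 0.94, custom build/, "
    "554/open/tcp//rtsp///, 8000/closed/tcp//http-alt///"
    "\tIgnored State: filtered (65531)\n"
    "Host: 10.0.0.6 ()\tStatus: Up\n"
    "Host: 10.0.0.6 ()\tPorts: 161/open|filtered/udp//snmp///, "
    "443/open/tcp//https//lighttpd 1.4.35/\n"
    "# Nmap done -- 2 IP addresses (2 hosts up) scanned in 1.20 seconds\n"
)


@dataclass(frozen=True)
class PortRecord:
    host: str
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_gnmap(text: str) -> list[PortRecord]:
    """Return one PortRecord per port entry in .gnmap text (any number of hosts)."""
    records: list[PortRecord] = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and "Status: Up" lines carry no ports
        host = line.split()[1]  # "Host: 10.0.0.5 (camera.lan)" -> "10.0.0.5"
        ports_field = line.split("Ports:", 1)[1]
        # The field may end with a "\tIgnored State: closed (998)" summary.
        ports_field = ports_field.split("\tIgnored State:", 1)[0]
        for m in PORT_ENTRY.finditer(ports_field):
            port, state, proto, service, version = m.groups()
            records.append(PortRecord(host, int(port), proto, state, service, version))
    return records


def open_port_list(records, host: Optional[str] = None, proto: str = "tcp") -> str:
    """Comma-separated ports for nmap -p (e.g. "23,80,554"); "" when none are open.

    Only state "open" qualifies: "open|filtered" means nmap got no answer at
    all, so those ports are not handed to the service-detection phase.
    """
    ports = {r.port for r in records
             if r.state == "open" and r.proto == proto
             and (host is None or r.host == host)}
    return ",".join(str(p) for p in sorted(ports))


def phase2_args(records, host: str, output_dir: str = "./nmap-output") -> Optional[list]:
    """Assumed helper: assemble the Phase 2 argv for one host (None if nothing is open).

    It only builds the command shown in the skill; it does not run nmap.
    """
    ports = open_port_list(records, host=host)
    if not ports:
        return None
    return ["nmap", "-p", ports, "-sV", "-sC", host, "-oA", f"{output_dir}/nmap-services"]


if __name__ == "__main__":
    recs = parse_gnmap(SAMPLE_GNMAP)
    for r in recs:
        print(f"{r.host:<10} {r.port:>5}/{r.proto} {r.state:<14} {r.service:<9} {r.version}")
    for h in sorted({r.host for r in recs}):
        print(h, "->", phase2_args(recs, h) or "no open TCP ports, skipping Phase 2")
```

Running the file prints the parsed records and, per host, either the Phase 2 command or a note that there is nothing to scan; on the constructed sample the SNMP port is excluded because "open|filtered" is not a confirmed open port.
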
Scan Types

Quick Scan (Top 1000 Ports)

Use for initial reconnaissance or when time is limited:

nmap -sV -sC <target> -oA <output-prefix>
  • -sV: Service version detection
  • -sC: Run default NSE scripts
  • -oA: Output in all formats (normal, XML, grepable)
  • Scans top 1000 most common ports
  • Typical duration: 1-3 minutes

Comprehensive Scan (All Ports)

Use for thorough assessment when all ports must be checked:

nmap -sV -sC -p- <target> -oA <output-prefix>
  • -p-: Scan all 65535 ports
  • Significantly longer duration (5-30+ minutes depending on target)
  • Use only when comprehensive coverage is required

Stealth SYN Scan

Use when trying to avoid detection (requires root/sudo):

sudo nmap -sS -sV -sC <target> -oA <output-prefix>
  • -sS: SYN stealth scan (doesn't complete TCP handshake)
  • Less likely to appear in application logs on the target, because no connection is ever completed (packet-level monitoring still sees the SYN probes)
  • Requires root privileges

UDP Scan

Use when UDP services need to be enumerated:

sudo nmap -sU --top-ports 100 <target> -oA <output-prefix>
  • -sU: UDP scan
  • --top-ports 100: Scan top 100 UDP ports (UDP scanning is slow)
  • Common UDP services: DNS (53), SNMP (161), DHCP (67/68)
  • Very slow - use top-ports to limit scope

Aggressive Scan

Use for maximum information gathering (noisy):

nmap -A -T4 <target> -oA <output-prefix>
  • -A: Enable O

...


License: MIT License