Nmap Network Reconnaissance

Overview

Nmap (Network Mapper) is the industry-standard tool for network discovery, security auditing, and vulnerability assessment. This skill provides structured workflows for authorized reconnaissance operations including port scanning, service enumeration, OS fingerprinting, and vulnerability detection using the Nmap Scripting Engine (NSE).

IMPORTANT: Network scanning may be disruptive and must only be conducted with proper authorization. Always ensure written permission before scanning networks or systems you do not own.

Quick Start

Basic host discovery and port…

, user_id):\n    raise ValueError(\"Invalid user ID format\")\n\n# Use ORM query builders\nuser = User.query.filter_by(id=user_id).first()\n```\n\n**Step 4: Implement least privilege**\n- Database user should have minimum required permissions\n- Use read-only accounts for SELECT operations\n- Never use admin/root accounts for application queries\n\n### XSS Remediation\n\n**Step 1: Enable auto-escaping**\n- Most modern frameworks escape by default\n- Ensure auto-escaping is not disabled\n\n**Step 2: Use framework-specific safe methods**\n\n```javascript\n// React: Use JSX (auto-escapes)\n\u003cdiv>{userInput}\u003c/div>\n\n// Vue: Use template syntax (auto-escapes)\n\u003cdiv>{{ userInput }}\u003c/div>\n\n// Angular: Use property binding (auto-escapes)\n\u003cdiv [textContent]=\"userInput\">\u003c/div>\n```\n\n**Step 3: Sanitize when HTML is required**\n\n```javascript\nimport DOMPurify from 'dompurify';\n\n// Sanitize HTML content\nconst clean = DOMPurify.sanitize(userHTML, {\n    ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'p'],\n    ALLOWED_ATTR: []\n});\n```\n\n**Step 4: Content Security Policy (CSP)**\n\n```html\n\u003c!-- Add CSP header -->\nContent-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{random}'\n```\n\n---\n\n## Advanced Configuration\n\nThis section contains detailed configuration options and tuning parameters.\n\n### Example: SAST Tool Configuration\n\n```yaml\n# Advanced security scanner configuration\nscanner:\n  # Severity threshold\n  severity_threshold: MEDIUM\n\n  # Rule configuration\n  rules:\n    enabled:\n      - sql-injection\n      - xss\n      - hardcoded-secrets\n    disabled:\n      - informational-only\n\n  # False positive reduction\n  confidence_threshold: HIGH\n  exclude_patterns:\n    - \"*/test/*\"\n    - \"*/tests/*\"\n    - \"*/node_modules/*\"\n    - \"*.test.js\"\n    - \"*.spec.ts\"\n\n  # Performance tuning\n  max_file_size_kb: 2048\n  timeout_seconds: 300\n  parallel_jobs: 4\n\n  # Output configuration\n  output_format: json\n  include_code_snippets: true\n  
max_snippet_lines: 10\n```\n\n---\n\n## Examples and Code Samples\n\nThis section provides comprehensive code examples for various scenarios.\n\n### Example 1: Secure API Authentication\n\n```python\n# Secure API key handling\nimport hmac\nimport os\nfrom functools import wraps\nfrom flask import Flask, request, jsonify\n\napp = Flask(__name__)\n\n# Load API key from environment (never hardcode)\nVALID_API_KEY = os.environ.get('API_KEY')\nif not VALID_API_KEY:\n    raise ValueError(\"API_KEY environment variable not set\")\n\ndef require_api_key(f):\n    @wraps(f)\n    def decorated_function(*args, **kwargs):\n        api_key = request.headers.get('X-API-Key')\n\n        if not api_key:\n            return jsonify({'error': 'API key required'}), 401\n\n        # Constant-time comparison to prevent timing attacks\n        if not hmac.compare_digest(api_key, VALID_API_KEY):\n            return jsonify({'error': 'Invalid API key'}), 403\n\n        return f(*args, **kwargs)\n    return decorated_function\n\n@app.route('/api/secure-endpoint')\n@require_api_key\ndef secure_endpoint():\n    return jsonify({'message': 'Access granted'})\n```\n\n### Example 2: Secure Password Hashing\n\n```python\n# Secure password storage with bcrypt\nimport bcrypt\n\ndef hash_password(password: str) -> str:\n    \"\"\"Hash a password using bcrypt.\"\"\"\n    # Generate salt and hash password\n    salt = bcrypt.gensalt(rounds=12)  # Cost factor: 12 (industry standard)\n    hashed = bcrypt.hashpw(password.encode('utf-8'), salt)\n    return hashed.decode('utf-8')\n\ndef verify_password(password: str, hashed: str) -> bool:\n    \"\"\"Verify a password against a hash.\"\"\"\n    return bcrypt.checkpw(\n        password.encode('utf-8'),\n        hashed.encode('utf-8')\n    )\n\n# Usage\nstored_hash = hash_password(\"user_password\")\nis_valid = verify_password(\"user_password\", stored_hash)  # True\n```\n\n### Example 3: Secure File Upload\n\n```python\n# Secure file upload with validation\nimport os\nimport magic\nfrom werkzeug.utils import secure_filename\n\nALLOWED_EXTENSIONS = {'pdf', 'png', 
'jpg', 'jpeg'}\n# MIME type each allowed extension must actually carry, so that a\n# file named photo.png cannot smuggle PDF content past the check\nEXPECTED_MIME_TYPES = {\n    'pdf': 'application/pdf',\n    'png': 'image/png',\n    'jpg': 'image/jpeg',\n    'jpeg': 'image/jpeg'\n}\nMAX_FILE_SIZE = 5 * 1024 * 1024  # 5 MB\n\ndef is_allowed_file(filename: str, file_content: bytes) -> bool:\n    \"\"\"Validate file extension and MIME type.\"\"\"\n    # Check extension\n    if '.' not in filename:\n        return False\n\n    ext = filename.rsplit('.', 1)[1].lower()\n    if ext not in ALLOWED_EXTENSIONS:\n        return False\n\n    # Check MIME type against the one this extension requires\n    # (prevent extension spoofing)\n    mime = magic.from_buffer(file_content, mime=True)\n    if mime != EXPECTED_MIME_TYPES.get(ext):\n        return False\n\n    return True\n\ndef handle_upload(file):\n    \"\"\"Securely handle file upload.\"\"\"\n    # Check file size\n    file.seek(0, os.SEEK_END)\n    size = file.tell()\n    file.seek(0)\n\n    if size > MAX_FILE_SIZE:\n        raise ValueError(\"File too large\")\n\n    # Read content for validation\n    content = file.read()\n    file.seek(0)\n\n    # Validate file type\n    if not is_allowed_file(file.filename, content):\n        raise ValueError(\"Invalid file type\")\n\n    # Sanitize filename; secure_filename() returns '' for names that\n    # consist only of path separators or dots\n    filename = secure_filename(file.filename)\n    if not filename:\n        raise ValueError(\"Invalid filename\")\n\n    # Generate unique filename to prevent overwrite attacks\n    import uuid\n    unique_filename = f\"{uuid.uuid4()}_{filename}\"\n\n    # Save to secure location (outside web root)\n    upload_path = os.path.join('/secure/uploads', unique_filename)\n    file.save(upload_path)\n\n    return unique_filename\n```\n\n---\n\n## Best Practices for Reference Documents\n\n1. **Start with \"When to use\"** - Help Claude know when to load this reference\n2. **Include table of contents** - For documents >100 lines\n3. **Use concrete examples** - Code samples with vulnerable and fixed versions\n4. **Map to frameworks** - OWASP, CWE, MITRE ATT&CK for context\n5. **Provide remediation** - Don't just identify issues, show how to fix them\n6. **Organize logically** - Group related content, use clear headings\n7. **Keep examples current** - Use modern patterns and current framework versions\n8. 
**Be concise** - Even in references, challenge every sentence\n","content_type":"text/markdown; charset=utf-8","language":"markdown","size":15672,"content_sha256":"d830809dec44c82770c5ef0fe12831754f113931dc739891a1ec8186aefc629f"},{"filename":"references/WORKFLOW_CHECKLIST.md","content":"# Workflow Checklist Template\n\nThis template demonstrates workflow patterns for security operations. Copy and adapt these checklists to your specific skill needs.\n\n## Pattern 1: Sequential Workflow Checklist\n\nUse this pattern for operations that must be completed in order, step-by-step.\n\n### Security Assessment Workflow\n\nProgress:\n[ ] 1. Identify application entry points and attack surface\n[ ] 2. Map authentication and authorization flows\n[ ] 3. Identify data flows and sensitive data handling\n[ ] 4. Review existing security controls\n[ ] 5. Document findings with framework references (OWASP, CWE)\n[ ] 6. Prioritize findings by severity (CVSS scores)\n[ ] 7. Generate report with remediation recommendations\n\nWork through each step systematically. Check off completed items.\n\n---\n\n## Pattern 2: Conditional Workflow\n\nUse this pattern when the workflow branches based on findings or conditions.\n\n### Vulnerability Remediation Workflow\n\n1. Identify vulnerability type\n - If SQL Injection → See [sql-injection-remediation.md](sql-injection-remediation.md)\n - If XSS (Cross-Site Scripting) → See [xss-remediation.md](xss-remediation.md)\n - If Authentication flaw → See [auth-remediation.md](auth-remediation.md)\n - If Authorization flaw → See [authz-remediation.md](authz-remediation.md)\n - If Cryptographic issue → See [crypto-remediation.md](crypto-remediation.md)\n\n2. Assess severity using CVSS calculator\n - If CVSS >= 9.0 → Priority: Critical (immediate action)\n - If CVSS 7.0-8.9 → Priority: High (action within 24h)\n - If CVSS 4.0-6.9 → Priority: Medium (action within 1 week)\n - If CVSS \u003c 4.0 → Priority: Low (action within 30 days)\n\n3. 
Apply appropriate remediation pattern\n4. Validate fix with security testing\n5. Document changes and update security documentation\n\n---\n\n## Pattern 3: Iterative Workflow\n\nUse this pattern for operations that repeat across multiple targets or items.\n\n### Code Security Review Workflow\n\nFor each file in the review scope:\n1. Identify security-sensitive operations (auth, data access, crypto, input handling)\n2. Check against secure coding patterns for the language\n3. Flag potential vulnerabilities with severity rating\n4. Map findings to CWE and OWASP categories\n5. Suggest specific remediation approaches\n6. Document finding with code location and fix priority\n\nContinue until all files in scope have been reviewed.\n\n---\n\n## Pattern 4: Feedback Loop Workflow\n\nUse this pattern when validation and iteration are required.\n\n### Secure Configuration Generation Workflow\n\n1. Generate initial security configuration based on requirements\n2. Run validation script: `./scripts/validate_config.py config.yaml`\n3. Review validation output:\n - Note all errors (must fix)\n - Note all warnings (should fix)\n - Note all info items (consider)\n4. Fix identified issues in configuration\n5. Repeat steps 2-4 until validation passes with zero errors\n6. Review warnings and determine if they should be addressed\n7. Apply configuration once validation is clean\n\n**Validation Loop**: Run validator → Fix errors → Repeat until clean\n\n---\n\n## Pattern 5: Parallel Analysis Workflow\n\nUse this pattern when multiple independent analyses can run concurrently.\n\n### Comprehensive Security Scan Workflow\n\nRun these scans in parallel:\n\n**Static Analysis**:\n[ ] 1a. Run SAST scan (Semgrep/Bandit)\n[ ] 1b. Run dependency vulnerability scan (Safety/npm audit)\n[ ] 1c. Run secrets detection (Gitleaks/TruffleHog)\n[ ] 1d. Run license compliance check\n\n**Dynamic Analysis**:\n[ ] 2a. Run DAST scan (ZAP/Burp)\n[ ] 2b. Run API security testing\n[ ] 2c. 
Run authentication/authorization testing\n\n**Infrastructure Analysis**:\n[ ] 3a. Run infrastructure-as-code scan (Checkov/tfsec)\n[ ] 3b. Run container image scan (Trivy/Grype)\n[ ] 3c. Run configuration review\n\n**Consolidation**:\n[ ] 4. Aggregate all findings\n[ ] 5. Deduplicate and correlate findings\n[ ] 6. Prioritize by risk (CVSS + exploitability + business impact)\n[ ] 7. Generate unified security report\n\n---\n\n## Pattern 6: Research and Documentation Workflow\n\nUse this pattern for security research and documentation tasks.\n\n### Threat Modeling Workflow\n\nResearch Progress:\n[ ] 1. Identify system components and boundaries\n[ ] 2. Map data flows between components\n[ ] 3. Identify trust boundaries\n[ ] 4. Enumerate assets (data, services, credentials)\n[ ] 5. Apply STRIDE framework to each component:\n - Spoofing threats\n - Tampering threats\n - Repudiation threats\n - Information disclosure threats\n - Denial of service threats\n - Elevation of privilege threats\n[ ] 6. Map threats to MITRE ATT&CK techniques\n[ ] 7. Identify existing mitigations\n[ ] 8. Document residual risks\n[ ] 9. Recommend additional security controls\n[ ] 10. Generate threat model document\n\nWork through each step systematically. Check off completed items.\n\n---\n\n## Pattern 7: Compliance Validation Workflow\n\nUse this pattern for compliance checks against security standards.\n\n### Security Compliance Audit Workflow\n\n**SOC 2 Controls Review**:\n[ ] 1. Review access control policies (CC6.1, CC6.2, CC6.3)\n[ ] 2. Verify logical access controls implementation (CC6.1)\n[ ] 3. Review authentication mechanisms (CC6.1)\n[ ] 4. Verify encryption implementation (CC6.1, CC6.7)\n[ ] 5. Review audit logging configuration (CC7.2)\n[ ] 6. Verify security monitoring (CC7.2, CC7.3)\n[ ] 7. Review incident response procedures (CC7.3, CC7.4)\n[ ] 8. Verify backup and recovery processes (A1.2, A1.3)\n\n**Evidence Collection**:\n[ ] 9. Collect policy documents\n[ ] 10. 
Collect configuration screenshots\n[ ] 11. Collect audit logs\n[ ] 12. Document control gaps\n[ ] 13. Generate compliance report\n\n---\n\n## Pattern 8: Incident Response Workflow\n\nUse this pattern for security incident handling.\n\n### Security Incident Response Workflow\n\n**Detection and Analysis**:\n[ ] 1. Confirm security incident (rule out false positive)\n[ ] 2. Determine incident severity (SEV1/2/3/4)\n[ ] 3. Identify affected systems and data\n[ ] 4. Preserve evidence (logs, memory dumps, network captures)\n\n**Containment**:\n[ ] 5. Isolate affected systems (network segmentation)\n[ ] 6. Disable compromised accounts\n[ ] 7. Block malicious indicators (IPs, domains, hashes)\n[ ] 8. Implement temporary compensating controls\n\n**Eradication**:\n[ ] 9. Identify root cause\n[ ] 10. Remove malicious artifacts (malware, backdoors, webshells)\n[ ] 11. Patch vulnerabilities exploited\n[ ] 12. Reset compromised credentials\n\n**Recovery**:\n[ ] 13. Restore systems from clean backups (if needed)\n[ ] 14. Re-enable systems with monitoring\n[ ] 15. Verify system integrity\n[ ] 16. Resume normal operations\n\n**Post-Incident**:\n[ ] 17. Document incident timeline\n[ ] 18. Identify lessons learned\n[ ] 19. Update security controls to prevent recurrence\n[ ] 20. Update incident response procedures\n[ ] 21. Communicate with stakeholders\n\n---\n\n## Usage Guidelines\n\n### When to Use Workflow Checklists\n\n✅ **Use checklists for**:\n- Complex multi-step operations\n- Operations requiring specific order\n- Security assessments and audits\n- Incident response procedures\n- Compliance validation tasks\n\n❌ **Don't use checklists for**:\n- Simple single-step operations\n- Highly dynamic exploratory work\n- Operations that vary significantly each time\n\n### Adapting This Template\n\n1. **Copy relevant pattern** to your skill's SKILL.md or create new reference file\n2. **Customize steps** to match your specific security tool or process\n3. 
**Add framework references** (OWASP, CWE, NIST) where applicable\n4. **Include tool-specific commands** for automation\n5. **Add decision points** where manual judgment is required\n\n### Checklist Best Practices\n\n- **Be specific**: \"Run semgrep --config=auto .\" not \"Scan the code\"\n- **Include success criteria**: \"Validation passes with 0 errors\"\n- **Reference standards**: Link to OWASP, CWE, NIST where relevant\n- **Show progress**: Checkbox format helps track completion\n- **Provide escape hatches**: \"If validation fails, see troubleshooting.md\"\n\n### Integration with Feedback Loops\n\nCombine checklists with validation scripts for maximum effectiveness:\n\n1. Create checklist for the workflow\n2. Provide validation script that checks quality\n3. Include \"run validator\" step in checklist\n4. Loop: Complete step → Validate → Fix issues → Re-validate\n\nThis pattern dramatically improves output quality through systematic validation.\n","content_type":"text/markdown; charset=utf-8","language":"markdown","size":8390,"content_sha256":"f667c8d5c6e5c50b491643d644082ff202a6bb94476e0e7b648c6d0e5c8a080f"},{"filename":"skill-report.json","content":"{\n \"schema_version\": \"2.0\",\n \"meta\": {\n \"generated_at\": \"2026-01-16T15:55:28.160Z\",\n \"slug\": \"agentsecops-recon-nmap\",\n \"source_url\": \"https://github.com/AgentSecOps/SecOpsAgentKit/tree/main/skills/offsec/recon-nmap\",\n \"source_ref\": \"main\",\n \"model\": \"claude\",\n \"analysis_version\": \"3.0.0\",\n \"source_type\": \"community\",\n \"content_hash\": \"1d065c11f7062db85e10d419deca2334f856ff72cca42822f2b7aed3ba906176\",\n \"tree_hash\": \"fbf1143c1784f5ad21b80b1c28832502541417de509f429c876a463c2b626266\"\n },\n \"skill\": {\n \"name\": \"recon-nmap\",\n \"description\": \"Network reconnaissance and security auditing using Nmap for port scanning, service enumeration, and vulnerability detection. 
Use when: (1) Conducting authorized network reconnaissance and asset discovery, (2) Enumerating network services and identifying running versions, (3) Detecting security vulnerabilities through NSE scripts, (4) Mapping network topology and firewall rules, (5) Performing compliance scanning for security assessments, (6) Validating network segmentation and access controls.\\n\",\n \"summary\": \"Network reconnaissance and security auditing using Nmap for port scanning, service enumeration, and ...\",\n \"icon\": \"🔍\",\n \"version\": \"0.1.0\",\n \"author\": \"AgentSecOps\",\n \"license\": \"MIT\",\n \"category\": \"offsec\",\n \"tags\": [\n \"reconnaissance\",\n \"nmap\",\n \"port-scanning\",\n \"service-enumeration\",\n \"network-security\",\n \"osint\"\n ],\n \"supported_tools\": [\n \"claude\",\n \"codex\",\n \"claude-code\"\n ],\n \"risk_factors\": [\n \"external_commands\",\n \"network\",\n \"filesystem\",\n \"env_access\",\n \"scripts\"\n ]\n },\n \"security_audit\": {\n \"risk_level\": \"low\",\n \"is_blocked\": false,\n \"safe_to_publish\": true,\n \"summary\": \"Documentation-only skill providing Nmap command examples and templates for authorized security testing. 
All 395 static findings are false positives - the scanner detected patterns in documentation describing legitimate security tooling, but the skill contains no executable code that performs scanning, network access, or credential handling.\",\n \"critical_findings\": [],\n \"high_findings\": [],\n \"medium_findings\": [],\n \"low_findings\": [],\n \"dangerous_patterns\": [],\n \"files_scanned\": 6,\n \"total_lines\": 2372,\n \"audit_model\": \"claude\",\n \"audited_at\": \"2026-01-16T15:55:28.160Z\"\n },\n \"content\": {\n \"user_title\": \"Run network reconnaissance with Nmap\",\n \"value_statement\": \"Network reconnaissance is essential for security assessments but requires structured workflows to ensure thoroughness and compliance. This skill provides ready-to-use Nmap commands, workflow checklists, and integration templates for port scanning, service enumeration, and vulnerability detection.\",\n \"seo_keywords\": [\n \"nmap\",\n \"network scanning\",\n \"port scanning\",\n \"network reconnaissance\",\n \"security auditing\",\n \"vulnerability detection\",\n \"claude\",\n \"codex\",\n \"claude-code\"\n ],\n \"actual_capabilities\": [\n \"Execute Nmap host discovery and ping sweeps on target networks\",\n \"Perform port scanning with multiple techniques (TCP SYN, UDP, connect scans)\",\n \"Run service version detection and OS fingerprinting on discovered hosts\",\n \"Execute Nmap Scripting Engine (NSE) scripts for vulnerability detection\",\n \"Generate scan reports in multiple formats (XML, grepable, normal output)\",\n \"Apply firewall evasion techniques and timing optimizations\"\n ],\n \"limitations\": [\n \"Nmap must be installed on the system before using this skill\",\n \"Network scanning requires explicit authorization from network owner\",\n \"Skill provides guidance only; actual scanning is performed by Nmap\",\n \"Results depend on network conditions and target configuration\"\n ],\n 
\"use_cases\": [\n {\n \"target_user\": \"Security professionals\",\n \"title\": \"Authorized penetration testing\",\n \"description\": \"Conduct network reconnaissance during authorized penetration tests with comprehensive Nmap workflows and compliance documentation\"\n },\n {\n \"target_user\": \"DevSecOps engineers\",\n \"title\": \"CI/CD security integration\",\n \"description\": \"Integrate Nmap scanning into CI/CD pipelines using provided GitHub Actions templates for continuous security validation\"\n },\n {\n \"target_user\": \"Compliance auditors\",\n \"title\": \"Network security assessments\",\n \"description\": \"Perform compliance scanning to validate network segmentation and identify security gaps against security frameworks\"\n }\n ],\n \"prompt_templates\": [\n {\n \"title\": \"Quick host discovery\",\n \"scenario\": \"Find live hosts on a network\",\n \"prompt\": \"Use Nmap to discover live hosts on network 192.168.1.0/24 using ping sweep and output results to live_hosts.txt\"\n },\n {\n \"title\": \"Port enumeration\",\n \"scenario\": \"Scan ports on discovered hosts\",\n \"prompt\": \"Run Nmap service version detection (-sV) on all hosts in live_hosts.txt and save results to service_scan\"\n },\n {\n \"title\": \"Vulnerability scan\",\n \"scenario\": \"Detect security vulnerabilities\",\n \"prompt\": \"Execute NSE vulnerability scripts against targets to check for MS17-010, Heartbleed, and SSL vulnerabilities\"\n },\n {\n \"title\": \"Comprehensive assessment\",\n \"scenario\": \"Full security reconnaissance\",\n \"prompt\": \"Run comprehensive Nmap reconnaissance including host discovery, full port scan, OS detection, and vulnerability scripts on 10.0.1.0/24\"\n }\n ],\n \"output_examples\": [\n {\n \"input\": \"Scan 192.168.1.0/24 for live hosts and open ports\",\n \"output\": [\n \"Host Discovery Results:\",\n \" - 192.168.1.10: Status: Up\",\n \" - 192.168.1.15: Status: Up\",\n \" - 192.168.1.20: Status: Up\",\n \"Port Scan Summary:\",\n \" - 
192.168.1.10: Ports 22 (SSH), 80 (HTTP), 443 (HTTPS) - Open\",\n \" - 192.168.1.15: Ports 22 (SSH), 3389 (RDP) - Open\",\n \"Service Detection:\",\n \" - SSH: OpenSSH 8.4p1 on 192.168.1.10\",\n \" - HTTP: Apache 2.4.41 on 192.168.1.10\"\n ]\n },\n {\n \"input\": \"Run vulnerability detection on a target\",\n \"output\": [\n \"Vulnerability Scan Results:\",\n \" - 192.168.1.10:443 - ssl-heartbleed: NOT VULNERABLE\",\n \" - 192.168.1.10:445 - smb-vuln-ms17-010: VULNERABLE (Critical)\",\n \" - 192.168.1.15:22 - ssh-brute: No weak credentials detected\",\n \"Recommendations:\",\n \" - Apply MS17-010 patch to 192.168.1.10 immediately\"\n ]\n }\n ],\n \"best_practices\": [\n \"Always verify written authorization before scanning any network or system\",\n \"Start with host discovery before port scanning to reduce scan time and network impact\",\n \"Use rate limiting (--max-rate) and timing templates (-T1 to -T4) to avoid overwhelming targets\"\n ],\n \"anti_patterns\": [\n \"Running aggressive scans (-T5) without rate limiting on production networks\",\n \"Scanning without first identifying the scope and obtaining proper authorization\",\n \"Failing to document scan parameters and results for compliance and incident response\"\n ],\n \"faq\": [\n {\n \"question\": \"Is Nmap installed by default?\",\n \"answer\": \"No. Nmap must be installed separately on the system before using this skill. Install via package manager (apt, yum, brew).\"\n },\n {\n \"question\": \"Can this skill scan any network?\",\n \"answer\": \"Only scan networks you own or have explicit written authorization for. Unauthorized scanning may be illegal.\"\n },\n {\n \"question\": \"Does this skill work offline?\",\n \"answer\": \"Yes. All Nmap commands execute locally. External URLs in documentation are references only.\"\n },\n {\n \"question\": \"Can I integrate with CI/CD pipelines?\",\n \"answer\": \"Yes. 
The skill provides GitHub Actions templates for automated security scanning in pipelines.\"\n },\n {\n \"question\": \"What scan types are supported?\",\n \"answer\": \"TCP SYN (-sS), TCP Connect (-sT), UDP (-sU), service detection (-sV), OS detection (-O), and NSE scripts.\"\n },\n {\n \"question\": \"How does this differ from vulnerability scanners?\",\n \"answer\": \"Nmap provides network discovery and basic vulnerability detection via scripts. Full vulnerability scanners (Nessus, OpenVAS) offer deeper assessment.\"\n }\n ]\n },\n \"file_structure\": [\n {\n \"name\": \"assets\",\n \"type\": \"dir\",\n \"path\": \"assets\",\n \"children\": [\n {\n \"name\": \"ci-config-template.yml\",\n \"type\": \"file\",\n \"path\": \"assets/ci-config-template.yml\",\n \"lines\": 358\n },\n {\n \"name\": \"rule-template.yaml\",\n \"type\": \"file\",\n \"path\": \"assets/rule-template.yaml\",\n \"lines\": 356\n }\n ]\n },\n {\n \"name\": \"references\",\n \"type\": \"dir\",\n \"path\": \"references\",\n \"children\": [\n {\n \"name\": \"EXAMPLE.md\",\n \"type\": \"file\",\n \"path\": \"references/EXAMPLE.md\",\n \"lines\": 551\n },\n {\n \"name\": \"WORKFLOW_CHECKLIST.md\",\n \"type\": \"file\",\n \"path\": \"references/WORKFLOW_CHECKLIST.md\",\n \"lines\": 254\n }\n ]\n },\n {\n \"name\": \"SKILL.md\",\n \"type\": \"file\",\n \"path\": \"SKILL.md\",\n \"lines\": 636\n }\n ]\n}\n","content_type":"application/json; charset=utf-8","language":"json","size":32702,"content_sha256":"1e58e0e9721dc75649d6925923adfe09ba05c455ac815d60c62844f4cb897b9b"}],"content_json":{"type":"doc","content":[{"type":"heading","attrs":{"level":1},"content":[{"text":"Nmap Network Reconnaissance","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Overview","type":"text"}]},{"type":"paragraph","content":[{"text":"Nmap (Network Mapper) is the industry-standard tool for network discovery, security auditing, and vulnerability assessment. 
This skill provides structured workflows for authorized reconnaissance operations including port scanning, service enumeration, OS fingerprinting, and vulnerability detection using Nmap Scripting Engine (NSE).","type":"text"}]},{"type":"paragraph","content":[{"text":"IMPORTANT","type":"text","marks":[{"type":"strong"}]},{"text":": Network scanning may be disruptive and must only be conducted with proper authorization. Always ensure written permission before scanning networks or systems you do not own.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Quick Start","type":"text"}]},{"type":"paragraph","content":[{"text":"Basic host discovery and port scanning:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Quick scan of common ports\nnmap -F \u003ctarget-ip>\n\n# Scan top 1000 ports with service detection\nnmap -sV \u003ctarget-ip>\n\n# Comprehensive scan with OS detection and default scripts\nnmap -A \u003ctarget-ip>","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Core Workflow","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Network Reconnaissance Workflow","type":"text"}]},{"type":"paragraph","content":[{"text":"Progress: [ ] 1. Verify authorization and scope [ ] 2. Perform host discovery and asset enumeration [ ] 3. Conduct port scanning on live hosts [ ] 4. Enumerate services and versions [ ] 5. Perform OS fingerprinting and detection [ ] 6. Run NSE scripts for vulnerability detection [ ] 7. Document findings and generate reports [ ] 8. Validate results and identify false positives","type":"text"}]},{"type":"paragraph","content":[{"text":"Work through each step systematically. Check off completed items.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"1. 
Authorization Verification","type":"text"}]},{"type":"paragraph","content":[{"text":"CRITICAL","type":"text","marks":[{"type":"strong"}]},{"text":": Before any scanning activities:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Confirm written authorization from network owner","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Review scope document for in-scope IP ranges and domains","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Verify scanning windows and rate-limiting requirements","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Document emergency contact for accidental disruption","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Confirm blacklisted hosts (production databases, critical infrastructure)","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"2. 
Host Discovery","type":"text"}]},{"type":"paragraph","content":[{"text":"Identify live hosts in target network:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Ping sweep (ICMP echo)\nnmap -sn \u003ctarget-network>/24\n\n# ARP scan (local network only, faster and more reliable)\nnmap -sn -PR \u003ctarget-network>/24\n\n# TCP SYN ping (when ICMP blocked)\nnmap -sn -PS22,80,443 \u003ctarget-network>/24\n\n# UDP ping (for hosts blocking TCP)\nnmap -sn -PU53,161 \u003ctarget-network>/24\n\n# Disable ping, assume all hosts alive\nnmap -Pn \u003ctarget-network>/24","type":"text"}]},{"type":"paragraph","content":[{"text":"Host discovery techniques","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"ICMP Echo (-PE)","type":"text","marks":[{"type":"strong"}]},{"text":": Standard ping, often blocked","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"TCP SYN (-PS)","type":"text","marks":[{"type":"strong"}]},{"text":": Half-open connection to specified ports","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"TCP ACK (-PA)","type":"text","marks":[{"type":"strong"}]},{"text":": Sends ACK packets, useful for stateful firewalls","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"UDP (-PU)","type":"text","marks":[{"type":"strong"}]},{"text":": Sends UDP packets to specified ports","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"ARP (-PR)","type":"text","marks":[{"type":"strong"}]},{"text":": Layer 2 discovery, only works on local network","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Output live hosts to file for subsequent 
scanning:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"nmap -sn \u003ctarget-network>/24 -oG - | awk '/Up$/{print $2}' > live_hosts.txt","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"3. Port Scanning","type":"text"}]},{"type":"paragraph","content":[{"text":"Scan discovered hosts for open ports:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Fast scan (top 100 ports)\nnmap -F -iL live_hosts.txt\n\n# Top 1000 ports (default)\nnmap -iL live_hosts.txt\n\n# Scan all 65535 ports\nnmap -p- -iL live_hosts.txt\n\n# Scan specific ports\nnmap -p 22,80,443,3389,8080 -iL live_hosts.txt\n\n# Scan port ranges\nnmap -p 1-1024,3000-9000 -iL live_hosts.txt","type":"text"}]},{"type":"paragraph","content":[{"text":"Scan techniques","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"TCP SYN Scan (-sS)","type":"text","marks":[{"type":"strong"}]},{"text":": Default, stealthy half-open scan (requires root)","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"sudo nmap -sS \u003ctarget-ip>","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"TCP Connect Scan (-sT)","type":"text","marks":[{"type":"strong"}]},{"text":": Full TCP connection (no root required)","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"nmap -sT \u003ctarget-ip>","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"UDP Scan (-sU)","type":"text","marks":[{"type":"strong"}]},{"text":": Scan UDP ports (slow but critical)","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"sudo nmap -sU -p 53,161,500 
\u003ctarget-ip>","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Version Detection (-sV)","type":"text","marks":[{"type":"strong"}]},{"text":": Probe services for version information","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"nmap -sV \u003ctarget-ip>","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Aggressive Scan (-A)","type":"text","marks":[{"type":"strong"}]},{"text":": Enable OS detection, version detection, script scanning, traceroute","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"sudo nmap -A \u003ctarget-ip>","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Timing and performance","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Paranoid (0) - Extremely slow, IDS evasion\nnmap -T0 \u003ctarget-ip>\n\n# Sneaky (1) - Very slow, IDS evasion\nnmap -T1 \u003ctarget-ip>\n\n# Polite (2) - Slows down to use less bandwidth\nnmap -T2 \u003ctarget-ip>\n\n# Normal (3) - Default timing\nnmap -T3 \u003ctarget-ip>\n\n# Aggressive (4) - Faster, assumes reliable network\nnmap -T4 \u003ctarget-ip>\n\n# Insane (5) - Very fast, may miss results\nnmap -T5 \u003ctarget-ip>","type":"text"}]},{"type":"paragraph","content":[{"text":"Rate limiting for safety","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Limit to 100 packets/second\nnmap --max-rate 100 \u003ctarget-ip>\n\n# Minimum 10 packets/second\nnmap --min-rate 10 \u003ctarget-ip>\n\n# Scan with delays to avoid detection\nnmap --scan-delay 1s \u003ctarget-ip>","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"4. 
Service Enumeration","type":"text"}]},{"type":"paragraph","content":[{"text":"Identify services and extract version information:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Service version detection\nnmap -sV \u003ctarget-ip>\n\n# Aggressive version detection (more probes)\nnmap -sV --version-intensity 5 \u003ctarget-ip>\n\n# Light version detection (fewer probes, faster)\nnmap -sV --version-intensity 0 \u003ctarget-ip>\n\n# Specific service enumeration\nnmap -sV -p 80,443 --script=http-headers,http-title \u003ctarget-ip>","type":"text"}]},{"type":"paragraph","content":[{"text":"Service-specific enumeration","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# SMB enumeration\nnmap -p 445 --script=smb-os-discovery,smb-security-mode \u003ctarget-ip>\n\n# SSH enumeration\nnmap -p 22 --script=ssh-hostkey,ssh-auth-methods \u003ctarget-ip>\n\n# DNS enumeration\nnmap -p 53 --script=dns-nsid,dns-recursion \u003ctarget-ip>\n\n# HTTP/HTTPS enumeration\nnmap -p 80,443 --script=http-methods,http-robots.txt,http-title \u003ctarget-ip>\n\n# Database enumeration\nnmap -p 3306 --script=mysql-info \u003ctarget-ip>\nnmap -p 5432 --script=pgsql-brute \u003ctarget-ip>\nnmap -p 1433 --script=ms-sql-info \u003ctarget-ip>","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"5. 
Operating System Detection","type":"text"}]},{"type":"paragraph","content":[{"text":"Identify target operating systems:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# OS detection\nsudo nmap -O \u003ctarget-ip>\n\n# Aggressive OS detection with version scanning\nsudo nmap -A \u003ctarget-ip>\n\n# Limit OS detection to promising targets\nsudo nmap -O --osscan-limit \u003ctarget-ip>\n\n# Guess OS aggressively\nsudo nmap -O --osscan-guess \u003ctarget-ip>","type":"text"}]},{"type":"paragraph","content":[{"text":"OS fingerprinting indicators","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"TCP/IP stack characteristics","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Open port patterns","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Service banners and versions","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"TTL values and TCP window sizes","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"6. 
NSE Script Scanning","type":"text"}]},{"type":"paragraph","content":[{"text":"Nmap Scripting Engine for advanced reconnaissance and vulnerability detection:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Run default NSE scripts\nnmap -sC \u003ctarget-ip>\n\n# Run all scripts in category\nnmap --script=vuln \u003ctarget-ip>\nnmap --script=exploit \u003ctarget-ip>\nnmap --script=discovery \u003ctarget-ip>\n\n# Run specific script\nnmap --script=http-sql-injection \u003ctarget-ip>\n\n# Multiple scripts\nnmap --script=smb-vuln-ms17-010,smb-vuln-cve-2017-7494 \u003ctarget-ip>\n\n# Script with arguments\nnmap --script=http-brute --script-args http-brute.path=/admin \u003ctarget-ip>","type":"text"}]},{"type":"paragraph","content":[{"text":"NSE script categories","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"auth","type":"text","marks":[{"type":"strong"}]},{"text":": Authentication testing","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"broadcast","type":"text","marks":[{"type":"strong"}]},{"text":": Network broadcast/multicast discovery","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"brute","type":"text","marks":[{"type":"strong"}]},{"text":": Brute-force password auditing","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"default","type":"text","marks":[{"type":"strong"}]},{"text":": Default safe scripts (-sC)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"discovery","type":"text","marks":[{"type":"strong"}]},{"text":": Network and service discovery","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"dos","type":"text","marks":[{"type":"strong"}]},{"text":": Denial of service testing 
(use with caution)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"exploit","type":"text","marks":[{"type":"strong"}]},{"text":": Exploitation attempts (authorized only)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"external","type":"text","marks":[{"type":"strong"}]},{"text":": External resource queries (WHOIS, etc.)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"fuzzer","type":"text","marks":[{"type":"strong"}]},{"text":": Fuzzing attacks","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"intrusive","type":"text","marks":[{"type":"strong"}]},{"text":": Intrusive scanning (may crash services)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"malware","type":"text","marks":[{"type":"strong"}]},{"text":": Malware detection","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"safe","type":"text","marks":[{"type":"strong"}]},{"text":": Safe scripts unlikely to crash services","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"version","type":"text","marks":[{"type":"strong"}]},{"text":": Version detection enhancement","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"vuln","type":"text","marks":[{"type":"strong"}]},{"text":": Vulnerability detection","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Common vulnerability detection scripts","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Check for EternalBlue (MS17-010)\nnmap -p 445 --script=smb-vuln-ms17-010 \u003ctarget-ip>\n\n# Heartbleed detection\nnmap -p 443 --script=ssl-heartbleed \u003ctarget-ip>\n\n# Shellshock detection\nnmap --script=http-shellshock --script-args 
uri=/cgi-bin/test.sh \u003ctarget-ip>\n\n# Check for weak SSL/TLS\nnmap -p 443 --script=ssl-enum-ciphers \u003ctarget-ip>\n\n# SQL injection testing\nnmap -p 80 --script=http-sql-injection \u003ctarget-ip>\n\n# Check for anonymous FTP\nnmap -p 21 --script=ftp-anon \u003ctarget-ip>","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"7. Output and Reporting","type":"text"}]},{"type":"paragraph","content":[{"text":"Generate reports in multiple formats:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Normal output to screen and file\nnmap \u003ctarget-ip> -oN scan_results.txt\n\n# XML output (for parsing/import)\nnmap \u003ctarget-ip> -oX scan_results.xml\n\n# Grepable output (for easy parsing)\nnmap \u003ctarget-ip> -oG scan_results.gnmap\n\n# All formats\nnmap \u003ctarget-ip> -oA scan_results\n\n# Script kiddie output (for fun)\nnmap \u003ctarget-ip> -oS scan_results.skid","type":"text"}]},{"type":"paragraph","content":[{"text":"Convert and process results:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Convert XML to HTML report\nxsltproc /usr/share/nmap/nmap.xsl scan_results.xml -o report.html\n\n# Parse XML with Python\npython3 -c \"import xml.etree.ElementTree as ET; tree = ET.parse('scan_results.xml'); root = tree.getroot(); [print(host.find('address').get('addr')) for host in root.findall('host')]\"\n\n# Extract open ports from grepable output\ngrep 'Ports:' scan_results.gnmap | awk '{print $2, $5}'","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"8. 
Firewall and IDS Evasion","type":"text"}]},{"type":"paragraph","content":[{"text":"Techniques to evade detection (authorized testing only):","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Fragment packets\nsudo nmap -f \u003ctarget-ip>\n\n# Use decoys\nsudo nmap -D RND:10 \u003ctarget-ip>\nsudo nmap -D decoy1,decoy2,ME,decoy3 \u003ctarget-ip>\n\n# Spoof source IP (requires raw packet privileges)\nsudo nmap -S \u003cspoofed-ip> -e \u003cinterface> \u003ctarget-ip>\n\n# Randomize target order\nnmap --randomize-hosts -iL targets.txt\n\n# Use proxy\nnmap --proxies http://proxy:8080 \u003ctarget-ip>\n\n# Idle scan (zombie host required)\nsudo nmap -sI \u003czombie-host> \u003ctarget-ip>","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Security Considerations","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Authorization & Legal Compliance","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Written Permission","type":"text","marks":[{"type":"strong"}]},{"text":": Obtain explicit authorization before scanning any network","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Scope Definition","type":"text","marks":[{"type":"strong"}]},{"text":": Only scan explicitly authorized IP ranges and ports","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Disruption Risk","type":"text","marks":[{"type":"strong"}]},{"text":": Some scans (DOS, exploit scripts) can crash services","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Privacy","type":"text","marks":[{"type":"strong"}]},{"text":": Service enumeration may expose sensitive information","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Log 
Traces","type":"text","marks":[{"type":"strong"}]},{"text":": Scanning activities are typically logged by firewalls and IDS","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Operational Security","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Rate Limiting","type":"text","marks":[{"type":"strong"}]},{"text":": Use ","type":"text"},{"text":"--max-rate","type":"text","marks":[{"type":"code_inline"}]},{"text":" to avoid overwhelming targets","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Timing","type":"text","marks":[{"type":"strong"}]},{"text":": Schedule scans during approved maintenance windows","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Bandwidth","type":"text","marks":[{"type":"strong"}]},{"text":": Consider network impact, especially for large scans","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Noise","type":"text","marks":[{"type":"strong"}]},{"text":": Aggressive scans are easily detected by security monitoring","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"False Positives","type":"text","marks":[{"type":"strong"}]},{"text":": Validate findings before reporting vulnerabilities","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Audit Logging","type":"text"}]},{"type":"paragraph","content":[{"text":"Document all reconnaissance activities:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Scan start and end timestamps","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Source IP address and scanner hostname","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Target IP ranges and ports 
scanned","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Nmap command-line arguments used","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Number of hosts discovered and ports found","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Vulnerabilities identified via NSE scripts","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Any service disruptions or anomalies","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Compliance","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"PTES","type":"text","marks":[{"type":"strong"}]},{"text":": Reconnaissance phase of Penetration Testing Execution Standard","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"OWASP","type":"text","marks":[{"type":"strong"}]},{"text":": ASVS verification requirements for network security","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"MITRE ATT&CK","type":"text","marks":[{"type":"strong"}]},{"text":": T1046 (Network Service Scanning)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"PCI-DSS 11.2","type":"text","marks":[{"type":"strong"}]},{"text":": External and internal vulnerability scanning","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"ISO 27001","type":"text","marks":[{"type":"strong"}]},{"text":": A.12.6 Technical vulnerability management","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Common Patterns","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pattern 1: External Perimeter Assessment","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Phase 1: Identify live 
hosts\nnmap -sn -PE -PS80,443 -PA3389 \u003cexternal-network>/24 -oG - | awk '/Up$/{print $2}' > external_hosts.txt\n\n# Phase 2: Scan common external services\nnmap -Pn -sV -p 21,22,25,53,80,110,143,443,587,993,995,3389,8080,8443 -iL external_hosts.txt -oA external_scan\n\n# Phase 3: Vulnerability detection\nnmap -Pn -sV --script=vuln -p 21,22,25,80,443,3389,8080,8443 -iL external_hosts.txt -oA external_vulns\n\n# Phase 4: SSL/TLS security audit\nnmap -Pn -p 443,8443 --script=ssl-enum-ciphers,ssl-cert -iL external_hosts.txt -oA ssl_audit","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pattern 2: Internal Network Mapping","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Phase 1: Fast host discovery\nnmap -sn -PR \u003cinternal-network>/24 -oG - | awk '/Up$/{print $2}' > internal_hosts.txt\n\n# Phase 2: Comprehensive port scan\nnmap -sV -p- -T4 -iL internal_hosts.txt -oA internal_full_scan\n\n# Phase 3: OS fingerprinting\nsudo nmap -O -iL internal_hosts.txt -oA internal_os_detection\n\n# Phase 4: Service enumeration\nnmap -sV --script=default,discovery -iL internal_hosts.txt -oA internal_services","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pattern 3: Web Application Discovery","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Identify web servers\nnmap -p 80,443,8000,8080,8443 --open -oG - \u003ctarget-network>/24 | grep 'open' | awk '{print $2}' > web_servers.txt\n\n# Enumerate web technologies\nnmap -sV -p 80,443,8080,8443 --script=http-enum,http-headers,http-methods,http-title,http-server-header -iL web_servers.txt -oA web_enum\n\n# Check for common web vulnerabilities\nnmap -p 80,443 --script=http-sql-injection,http-csrf,http-vuln-cve2017-5638 -iL web_servers.txt -oA web_vulns","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pattern 4: SMB/CIFS Security 
Audit","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Enumerate SMB hosts\nnmap -p 445 --open \u003ctarget-network>/24 -oG - | grep 'open' | awk '{print $2}' > smb_hosts.txt\n\n# SMB version and configuration\nnmap -p 445 --script=smb-protocols,smb-security-mode,smb-os-discovery -iL smb_hosts.txt -oA smb_enum\n\n# Check for SMB vulnerabilities\nnmap -p 445 --script=smb-vuln* -iL smb_hosts.txt -oA smb_vulns\n\n# Enumerate shares (authentication may be required)\nnmap -p 445 --script=smb-enum-shares,smb-enum-users -iL smb_hosts.txt -oA smb_shares","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pattern 5: Database Server Discovery","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Scan for common database ports\nnmap -sV -p 1433,1521,3306,5432,5984,6379,9200,27017 \u003ctarget-network>/24 -oA database_scan\n\n# MySQL enumeration\nnmap -p 3306 --script=mysql-info,mysql-databases,mysql-variables \u003ctarget-ip>\n\n# PostgreSQL enumeration\nnmap -p 5432 --script=pgsql-brute \u003ctarget-ip>\n\n# MongoDB enumeration\nnmap -p 27017 --script=mongodb-info,mongodb-databases \u003ctarget-ip>\n\n# Redis enumeration\nnmap -p 6379 --script=redis-info \u003ctarget-ip>","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Integration Points","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"CI/CD Integration","type":"text"}]},{"type":"paragraph","content":[{"text":"Automated security scanning in pipelines:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"#!/bin/bash\n# ci_network_scan.sh - Continuous network security validation\n\nTARGET_NETWORK=\"$1\"\nOUTPUT_DIR=\"scan_results/$(date +%Y%m%d_%H%M%S)\"\n\nmkdir -p \"$OUTPUT_DIR\"\n\n# Quick security scan\nnmap -Pn -sV --script=vuln -p 21,22,25,80,443,3389,8080 \\\n \"$TARGET_NETWORK\" -oA 
\"$OUTPUT_DIR/security_scan\"\n\n# Parse results for critical findings\nif grep -i \"VULNERABLE\" \"$OUTPUT_DIR/security_scan.nmap\"; then\n echo \"CRITICAL: Vulnerabilities detected!\"\n exit 1\nfi\n\necho \"Security scan completed successfully\"\nexit 0","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Security Tools Integration","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Metasploit Integration","type":"text","marks":[{"type":"strong"}]},{"text":": Import Nmap XML with ","type":"text"},{"text":"db_import","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Vulnerability Scanners","type":"text","marks":[{"type":"strong"}]},{"text":": Feed Nmap results to Nessus, OpenVAS, Qualys","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"SIEM Integration","type":"text","marks":[{"type":"strong"}]},{"text":": Parse Nmap output for security monitoring","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Asset Management","type":"text","marks":[{"type":"strong"}]},{"text":": Update CMDB with discovered hosts and services","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Shodan/Censys","type":"text","marks":[{"type":"strong"}]},{"text":": Validate external exposure findings","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"MITRE ATT&CK Mapping","type":"text"}]},{"type":"paragraph","content":[{"text":"Map Nmap reconnaissance to ATT&CK framework:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Reconnaissance","type":"text","marks":[{"type":"strong"}]},{"text":": T1595 (Active 
Scanning)","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"T1595.001 (Scanning IP Blocks)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"T1595.002 (Vulnerability Scanning)","type":"text"}]}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Discovery","type":"text","marks":[{"type":"strong"}]},{"text":": T1046 (Network Service Scanning)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Discovery","type":"text","marks":[{"type":"strong"}]},{"text":": T1040 (Network Sniffing)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Credential Access","type":"text","marks":[{"type":"strong"}]},{"text":": T1110 (Brute Force) - when using NSE brute scripts","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Troubleshooting","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Issue: No Results Despite Hosts Being Online","type":"text"}]},{"type":"paragraph","content":[{"text":"Causes","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"ICMP blocked by firewall","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Host-based firewall dropping probes","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Network ACLs filtering traffic","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Solutions","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Skip ping, assume all hosts up\nnmap -Pn \u003ctarget-ip>\n\n# Try TCP ping instead of ICMP\nnmap -PS80,443 -PA3389 \u003ctarget-ip>\n\n# Try multiple 
discovery techniques\nnmap -PE -PS22,80,443 -PA3389 -PU53,161 \u003ctarget-ip>","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Issue: Scan Too Slow","type":"text"}]},{"type":"paragraph","content":[{"text":"Solutions","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Increase timing template\nnmap -T4 \u003ctarget-ip>\n\n# Scan fewer ports\nnmap -F \u003ctarget-ip> # Top 100 ports\nnmap --top-ports 1000 \u003ctarget-ip>\n\n# Parallelize by splitting targets\nnmap -T4 192.168.1.1-50 &\nnmap -T4 192.168.1.51-100 &\nnmap -T4 192.168.1.101-150 &\nwait\n\n# Use masscan for very fast port scanning\nmasscan -p 1-65535 --rate 10000 \u003ctarget-network>/24","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Issue: False Positives in Vulnerability Scripts","type":"text"}]},{"type":"paragraph","content":[{"text":"Solutions","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Manually verify findings with specific exploit tools","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Check service version against CVE databases","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Use ","type":"text"},{"text":"--version-intensity 9","type":"text","marks":[{"type":"code_inline"}]},{"text":" for more accurate version detection","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Run vulnerability-specific NSE scripts instead of broad categories","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Cross-reference with authenticated vulnerability scanners","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Issue: Getting Blocked by 
Firewall/IDS","type":"text"}]},{"type":"paragraph","content":[{"text":"Solutions","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Slow down scan\nnmap -T1 --scan-delay 1s \u003ctarget-ip>\n\n# Fragment packets\nsudo nmap -f \u003ctarget-ip>\n\n# Randomize scan order\nnmap --randomize-hosts -iL targets.txt\n\n# Use source port 53 (often allowed)\nnmap -g 53 \u003ctarget-ip>\n\n# Split into smaller scans over time\nnmap -p 1-1000 \u003ctarget-ip>\n# Wait several hours\nnmap -p 1001-2000 \u003ctarget-ip>","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Defensive Considerations","type":"text"}]},{"type":"paragraph","content":[{"text":"Organizations can detect Nmap scanning by:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Network IDS","type":"text","marks":[{"type":"strong"}]},{"text":": Signature detection of scan patterns (vertical/horizontal sweeps)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Firewall Logs","type":"text","marks":[{"type":"strong"}]},{"text":": Multiple connection attempts from single source","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Port Scan Detection","type":"text","marks":[{"type":"strong"}]},{"text":": Monitoring for SYN packets without completion","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Honeypots","type":"text","marks":[{"type":"strong"}]},{"text":": Triggering alerts when accessing decoy services","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Traffic Analysis","type":"text","marks":[{"type":"strong"}]},{"text":": Unusual packet patterns (fragmentation, timing anomalies)","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Enhance defensive 
posture:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Deploy network intrusion detection systems (Snort, Suricata)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Enable firewall logging and monitor for scan patterns","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Use port knocking or service hiding for sensitive services","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Implement rate limiting on border firewalls","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Deploy honeypots to detect and track reconnaissance","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"References","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Nmap Network Scanning Official Guide","type":"text","marks":[{"type":"link","attrs":{"href":"https://nmap.org/book/","title":null}}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"NSE Script Documentation","type":"text","marks":[{"type":"link","attrs":{"href":"https://nmap.org/nsedoc/","title":null}}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"MITRE ATT&CK: Network Service Scanning","type":"text","marks":[{"type":"link","attrs":{"href":"https://attack.mitre.org/techniques/T1046/","title":null}}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"PTES Technical Guidelines","type":"text","marks":[{"type":"link","attrs":{"href":"http://www.pentest-standard.org/index.php/Intelligence_Gathering","title":null}}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"OWASP Testing Guide: Information 
Gathering","type":"text","marks":[{"type":"link","attrs":{"href":"https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/01-Information_Gathering/","title":null}}]}]}]}]},{"type":"hr","attrs":{"markup":"---"}}]},"metadata":{"date":"2026-06-05","name":"recon-nmap","tags":["reconnaissance","nmap","port-scanning","service-enumeration","network-security","osint"],"author":"@skillopedia","source":{"stars":336,"repo_name":"marketplace","origin_url":"https://github.com/aiskillstore/marketplace/blob/HEAD/skills/agentsecops/recon-nmap/SKILL.md","repo_owner":"aiskillstore","body_sha256":"2ac14ee3accca405aa4f50bf262084d2235f731d5795a8edc3c9b68cf8122979","cluster_key":"81254d0433c7bbd0b3e75b7c0ab155bde7607eb3d19af6f772dca00fd4e263df","clean_bundle":{"format":"clean-skill-bundle-v1","source":"aiskillstore/marketplace/skills/agentsecops/recon-nmap/SKILL.md","attachments":[{"id":"d3ef1da3-e307-5597-9cde-3b5b0f4e2f72","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/d3ef1da3-e307-5597-9cde-3b5b0f4e2f72/attachment.yml","path":"assets/ci-config-template.yml","size":11105,"sha256":"0fc554799a0e03a44883990f208f2a428f3c1e70eed1a9bcfbc01e728962b91e","contentType":"application/yaml; charset=utf-8"},{"id":"976511ee-00c5-50d3-ab3a-2dc0a37a298a","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/976511ee-00c5-50d3-ab3a-2dc0a37a298a/attachment.yaml","path":"assets/rule-template.yaml","size":11044,"sha256":"cb228a390bcd3745cafb1783c6337d9106ae179e853935ae19c90caac10a0497","contentType":"application/yaml; charset=utf-8"},{"id":"54d8c51a-2070-5c8c-a442-2f5d69263d9a","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/54d8c51a-2070-5c8c-a442-2f5d69263d9a/attachment.md","path":"references/EXAMPLE.md","size":15672,"sha256":"d830809dec44c82770c5ef0fe12831754f113931dc739891a1ec8186aefc629f","contentType":"text/markdown; 
charset=utf-8"},{"id":"745db155-0759-5134-96da-172222f1b695","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/745db155-0759-5134-96da-172222f1b695/attachment.md","path":"references/WORKFLOW_CHECKLIST.md","size":8390,"sha256":"f667c8d5c6e5c50b491643d644082ff202a6bb94476e0e7b648c6d0e5c8a080f","contentType":"text/markdown; charset=utf-8"},{"id":"3730a7c2-c41f-5d0d-8831-fbb4b0c03bea","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/3730a7c2-c41f-5d0d-8831-fbb4b0c03bea/attachment.json","path":"skill-report.json","size":32702,"sha256":"1e58e0e9721dc75649d6925923adfe09ba05c455ac815d60c62844f4cb897b9b","contentType":"application/json; charset=utf-8"}],"bundle_sha256":"a003567e8401b9b69c566b89af30b4a702166adfab87a6ace9d49142145c61b1","attachment_count":5,"text_attachments":5,"attachment_storage":"skillopedia-attachments-v1","binary_attachments":0,"excluded_attachments":[]},"cluster_size":1,"skill_md_path":"skills/agentsecops/recon-nmap/SKILL.md","import_metadata":{"date":"2026-06-05","author":"@skillopedia","version":"v1","category":"security","category_label":"Security"},"exact_dupes_collapsed_into_this":0},"version":"v1","category":"security","frameworks":["MITRE-ATT&CK","OWASP","PTES"],"import_tag":"clean-skills-v1","maintainer":"[email protected]","references":["https://nmap.org/book/","https://nmap.org/nsedoc/","https://attack.mitre.org/techniques/T1046/"],"description":"Network reconnaissance and security auditing using Nmap for port scanning, service enumeration, and vulnerability detection. Use when: (1) Conducting authorized network reconnaissance and asset discovery, (2) Enumerating network services and identifying running versions, (3) Detecting security vulnerabilities through NSE scripts, (4) Mapping network topology and firewall rules, (5) Performing compliance scanning for security assessments, (6) Validating network segmentation and access controls.\n","dependencies":{"tools":["python3","masscan"],"packages":["nmap"]}}},"renderedAt":1782980487237}
