recon-nmap
Network reconnaissance and security auditing using Nmap for port scanning, service enumeration, and vulnerability detection. Use when: (1) Conducting authorized network reconnaissance and asset discovery, (2) Enumerating network services and identifying running versions, (3) Detecting security vulnerabilities through NSE scripts, (4) Mapping network topology and firewall rules, (5) Performing compliance scanning for security assessments, (6) Validating network segmentation and access controls.
What this skill does
# Nmap Network Reconnaissance
## Overview
Nmap (Network Mapper) is the industry-standard tool for network discovery, security auditing, and vulnerability assessment. This skill provides structured workflows for authorized reconnaissance operations including port scanning, service enumeration, OS fingerprinting, and vulnerability detection using Nmap Scripting Engine (NSE).
**IMPORTANT**: Network scanning may be disruptive and must only be conducted with proper authorization. Always ensure written permission before scanning networks or systems you do not own.
## Quick Start
Basic host discovery and port scanning:
```bash
# Quick scan of common ports
nmap -F <target-ip>
# Scan top 1000 ports with service detection
nmap -sV <target-ip>
# Comprehensive scan with OS detection and default scripts
nmap -A <target-ip>
```
## Core Workflow
### Network Reconnaissance Workflow
Progress:
[ ] 1. Verify authorization and scope
[ ] 2. Perform host discovery and asset enumeration
[ ] 3. Conduct port scanning on live hosts
[ ] 4. Enumerate services and versions
[ ] 5. Perform OS fingerprinting and detection
[ ] 6. Run NSE scripts for vulnerability detection
[ ] 7. Document findings and generate reports
[ ] 8. Validate results and identify false positives
Work through each step systematically. Check off completed items.
### 1. Authorization Verification
**CRITICAL**: Before any scanning activities:
- Confirm written authorization from network owner
- Review scope document for in-scope IP ranges and domains
- Verify scanning windows and rate-limiting requirements
- Document emergency contact for accidental disruption
- Confirm blacklisted hosts (production databases, critical infrastructure)
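Checking the target list against the scope document by hand stops working past a handful of addresses. The script below is an added example, not part of Nmap or of this skill's original content: it takes an in-scope list and a do-not-scan list (both constructed here as stand-ins for the real scope document), rejects any candidate range that is not fully inside scope, expands the rest to individual hosts, drops anything blacklisted, and writes the `targets.txt`/`exclude.txt` pair that `nmap -iL ... --excludefile ...` consumes. The sample ranges and file names are assumptions.

```python
"""Build an in-scope nmap target list before any packet is sent.
Added example, not Nmap project code.  SCOPE and BLACKLIST are constructed
stand-ins for the scope document and the do-not-scan list."""
import ipaddress
from pathlib import Path

# Constructed scope document: in-scope ranges and single hosts (assumption).
SCOPE = ["10.10.0.0/24", "10.10.1.0/25", "192.0.2.50"]
# Constructed do-not-scan list: a production DB host and a critical /28 (assumption).
BLACKLIST = ["10.10.0.15", "10.10.1.0/28"]


def _nets(entries):
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_in_scope(target, scope=SCOPE, blacklist=BLACKLIST):
    """True only if the whole target range lies inside scope and touches no
    blacklisted address.  A /24 that contains one blacklisted host is
    rejected as a whole; use expand_targets() to keep its other hosts."""
    net = ipaddress.ip_network(target, strict=False)
    covered = any(net.subnet_of(s) for s in _nets(scope) if s.version == net.version)
    blocked = any(net.overlaps(b) for b in _nets(blacklist) if b.version == net.version)
    return covered and not blocked


def expand_targets(candidates, scope=SCOPE, blacklist=BLACKLIST):
    """Expand candidate ranges to individual hosts.
    Returns (allowed, rejected); rejected is a list of (target, reason)."""
    scope_nets, bl_nets = _nets(scope), _nets(blacklist)
    allowed, rejected = [], []
    for cand in candidates:
        net = ipaddress.ip_network(cand, strict=False)
        # Anything not wholly inside an in-scope range is refused outright.
        if not any(net.subnet_of(s) for s in scope_nets if s.version == net.version):
            rejected.append((cand, "outside scope"))
            continue
        # hosts() skips network/broadcast addresses; a single address is kept as-is.
        hosts = [net.network_address] if net.num_addresses == 1 else list(net.hosts())
        for h in hosts:
            if any(h in b for b in bl_nets if b.version == h.version):
                rejected.append((str(h), "blacklisted"))
            else:
                allowed.append(str(h))
    return allowed, rejected


def write_target_files(allowed, blacklist, targets="targets.txt", exclude="exclude.txt"):
    """Write the files nmap reads with -iL and --excludefile and return the
    command line to run.  File names are assumptions."""
    Path(targets).write_text("\n".join(allowed) + "\n")
    Path(exclude).write_text("\n".join(blacklist) + "\n")
    return f"nmap -sn -iL {targets} --excludefile {exclude} -oA discovery"


if __name__ == "__main__":
    requested = ["10.10.1.0/27", "10.10.2.0/24", "192.0.2.50"]  # constructed request
    allowed, rejected = expand_targets(requested)
    for target, why in rejected:
        print(f"SKIP {target}: {why}")
    print(write_target_files(allowed, BLACKLIST))
```

Keep `--excludefile` on every command line even after pre-filtering: it is the only control that survives a hand-typed target reintroducing a blacklisted host.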
### 2. Host Discovery
Identify live hosts in target network:
```bash
# Ping sweep (ICMP echo)
nmap -sn <target-network>/24
# ARP scan (local segment only; Nmap already uses ARP for -sn on a local Ethernet, -PR forces it)
nmap -sn -PR <target-network>/24
# TCP SYN ping (when ICMP blocked)
nmap -sn -PS22,80,443 <target-network>/24
# UDP ping (for hosts blocking TCP)
nmap -sn -PU53,161 <target-network>/24
# Skip host discovery and treat every address as up (without -sn this port-scans the whole range, which is slow and noisy)
nmap -Pn <target-network>/24
```
**Host discovery techniques**:
- **ICMP Echo (-PE)**: Standard ping, often blocked
- **TCP SYN (-PS)**: Half-open connection to specified ports
- **TCP ACK (-PA)**: Sends ACK packets, useful for stateful firewalls
- **UDP (-PU)**: Sends UDP packets to specified ports
- **ARP (-PR)**: Layer 2 discovery, only works on local network
Output live hosts to file for subsequent scanning:
```bash
nmap -sn <target-network>/24 -oG - | awk '/Up$/{print $2}' > live_hosts.txt
```
### 3. Port Scanning
Scan discovered hosts for open ports:
```bash
# Fast scan (top 100 ports)
nmap -F -iL live_hosts.txt
# Top 1000 ports (default)
nmap -iL live_hosts.txt
# Scan all 65535 ports
nmap -p- -iL live_hosts.txt
# Scan specific ports
nmap -p 22,80,443,3389,8080 -iL live_hosts.txt
# Scan port ranges
nmap -p 1-1024,3000-9000 -iL live_hosts.txt
```
**Scan techniques**:
- **TCP SYN Scan (-sS)**: Default when privileged; half-open scan that never completes the handshake (needs root or CAP_NET_RAW)
```bash
sudo nmap -sS <target-ip>
```
- **TCP Connect Scan (-sT)**: Full TCP connection (no root required)
```bash
nmap -sT <target-ip>
```
- **UDP Scan (-sU)**: Scan UDP ports (slow but critical)
```bash
sudo nmap -sU -p 53,161,500 <target-ip>
```
- **Version Detection (-sV)**: Probe services for version information
```bash
nmap -sV <target-ip>
```
- **Aggressive Scan (-A)**: Enable OS detection, version detection, script scanning, traceroute
```bash
sudo nmap -A <target-ip>
```
**Timing and performance**:
```bash
# Paranoid (0) - Extremely slow, IDS evasion
nmap -T0 <target-ip>
# Sneaky (1) - Very slow, IDS evasion
nmap -T1 <target-ip>
# Polite (2) - Slows down to use less bandwidth
nmap -T2 <target-ip>
# Normal (3) - Default timing
nmap -T3 <target-ip>
# Aggressive (4) - Faster, assumes reliable network
nmap -T4 <target-ip>
# Insane (5) - Very fast, may miss results
nmap -T5 <target-ip>
```
**Rate limiting for safety**:
```bash
# Cap at 100 packets/second (the control to use when the scope sets a rate limit)
nmap --max-rate 100 <target-ip>
# Floor of 10 packets/second: this speeds a scan up, it is not a safety control
nmap --min-rate 10 <target-ip>
# Wait at least 1s between probes to each host (lighter on rate-limiting hosts, harder to detect)
nmap --scan-delay 1s <target-ip>
```
### 4. Service Enumeration
Identify services and extract version information:
```bash
# Service version detection
nmap -sV <target-ip>
# Heavier version detection (intensity 0-9, default 7; 9 tries every probe, same as --version-all)
nmap -sV --version-intensity 9 <target-ip>
# Light version detection (intensity 0 sends only the most likely probes; --version-light is 2)
nmap -sV --version-intensity 0 <target-ip>
# Specific service enumeration
nmap -sV -p 80,443 --script=http-headers,http-title <target-ip>
```
**Service-specific enumeration**:
```bash
# SMB enumeration
nmap -p 445 --script=smb-os-discovery,smb-security-mode <target-ip>
# SSH enumeration
nmap -p 22 --script=ssh-hostkey,ssh-auth-methods <target-ip>
# DNS enumeration
nmap -p 53 --script=dns-nsid,dns-recursion <target-ip>
# HTTP/HTTPS enumeration
nmap -p 80,443 --script=http-methods,http-robots.txt,http-title <target-ip>
# Database enumeration
nmap -p 3306 --script=mysql-info <target-ip>
nmap -p 1433 --script=ms-sql-info <target-ip>
# PostgreSQL: NSE has no passive info script; pgsql-brute is a credential brute-force (brute/intrusive), run it only when password auditing is in scope
nmap -p 5432 --script=pgsql-brute <target-ip>
```
### 5. Operating System Detection
Identify target operating systems:
```bash
# OS detection
sudo nmap -O <target-ip>
# Aggressive OS detection with version scanning
sudo nmap -A <target-ip>
# Only fingerprint hosts with at least one open and one closed TCP port (reliable fingerprints need both)
sudo nmap -O --osscan-limit <target-ip>
# Print the closest match even when no fingerprint matches exactly (treat the result as a guess)
sudo nmap -O --osscan-guess <target-ip>
```
**OS fingerprinting indicators**:
- TCP/IP stack characteristics
- Open port patterns
- Service banners and versions
- TTL values and TCP window sizes
### 6. NSE Script Scanning
Nmap Scripting Engine for advanced reconnaissance and vulnerability detection:
```bash
# Run default NSE scripts
nmap -sC <target-ip>
# Run all scripts in category
nmap --script=vuln <target-ip>
nmap --script=exploit <target-ip>
nmap --script=discovery <target-ip>
# Run specific script
nmap --script=http-sql-injection <target-ip>
# Multiple scripts
nmap --script=smb-vuln-ms17-010,smb-vuln-cve-2017-7494 <target-ip>
# Script with arguments
nmap --script=http-brute --script-args http-brute.path=/admin <target-ip>
```
**NSE script categories**:
- **auth**: Authentication testing
- **broadcast**: Network broadcast/multicast discovery
- **brute**: Brute-force password auditing
- **default**: Default safe scripts (-sC)
- **discovery**: Network and service discovery
- **dos**: Denial of service testing (use with caution)
- **exploit**: Exploitation attempts (authorized only)
- **external**: External resource queries (WHOIS, etc.)
- **fuzzer**: Fuzzing attacks
- **intrusive**: Intrusive scanning (may crash services)
- **malware**: Malware detection
- **safe**: Safe scripts unlikely to crash services
- **version**: Version detection enhancement
- **vuln**: Vulnerability detection
**Common vulnerability detection scripts**:
```bash
# Check for EternalBlue (MS17-010)
nmap -p 445 --script=smb-vuln-ms17-010 <target-ip>
# Heartbleed detection
nmap -p 443 --script=ssl-heartbleed <target-ip>
# Shellshock detection
nmap --script=http-shellshock --script-args uri=/cgi-bin/test.sh <target-ip>
# Check for weak SSL/TLS
nmap -p 443 --script=ssl-enum-ciphers <target-ip>
# SQL injection testing
nmap -p 80 --script=http-sql-injection <target-ip>
# Check for anonymous FTP
nmap -p 21 --script=ftp-anon <target-ip>
```
### 7. Output and Reporting
Generate reports in multiple formats:
```bash
# Normal output to screen and file
nmap <target-ip> -oN scan_results.txt
# XML output (for parsing/import)
nmap <target-ip> -oX scan_results.xml
# Grepable output (for easy parsing)
nmap <target-ip> -oG scan_results.gnmap
# All formats
nmap <target-ip> -oA scan_results
# Script kiddie output (for fun)
nmap <target-ip> -oS scan_results.skid
```
Convert and process results:
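Parse `-oX` output rather than grepping normal output; it carries the structured NSE results that the vulnerability scripts above emit. The script below is an added example, not Nmap project code. The embedded XML is constructed to resemble `-oX` output of a `-sV --script ftp-anon,smb-vuln-ms17-010,smb-vuln-cve-2017-7494` scan (the nested `<table>`/`<elem>` layout follows what the NSE `vulns` library produces; the addresses, banners and results are invented). It lists open ports with versions and turns script results into findings, counting only states that start with `VULNERABLE` or `LIKELY VULNERABLE`, so a `NOT VULNERABLE` result is never reported as a hit (the false-positive check in step 8 of the workflow).

```python
"""Parse nmap -oX output into open-port and vulnerability findings.
Added example, not Nmap project code.  SAMPLE_XML is constructed to look
like -oX output; the hosts, banners and script results are invented."""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -p 21,445,3306 --script ftp-anon,smb-vuln-ms17-010,smb-vuln-cve-2017-7494 -oX - 10.10.0.20-21" version="7.94">
<host><status state="up" reason="arp-response"/>
<address addr="10.10.0.20" addrtype="ipv4"/>
<hostnames><hostname name="files.corp.example" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>
<service name="ftp" product="vsftpd" version="3.0.3" method="probed" conf="10"/>
<script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
<service name="microsoft-ds" product="Windows 7 - 10 microsoft-ds" method="probed" conf="10"/>
<script id="smb-vuln-ms17-010" output="VULNERABLE: Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)">
<table key="CVE-2017-0143">
<elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
<elem key="state">VULNERABLE</elem>
<table key="ids"><elem>CVE:CVE-2017-0143</elem></table>
<elem key="risk_factor">HIGH</elem>
</table></script>
<script id="smb-vuln-cve-2017-7494" output="NOT VULNERABLE">
<table key="CVE-2017-7494">
<elem key="title">SAMBA Remote Code Execution from Writable Share</elem>
<elem key="state">NOT VULNERABLE</elem>
</table></script></port>
<port protocol="tcp" portid="3306"><state state="filtered" reason="no-response"/>
<service name="mysql" method="table" conf="3"/></port>
</ports></host>
<host><status state="down" reason="no-response"/>
<address addr="10.10.0.21" addrtype="ipv4"/></host>
</nmaprun>
"""

# Scripts whose plain-text output marks a finding, keyed by the positive
# substring.  Constructed mapping; extend for other scripts without
# structured output.
TEXT_INDICATORS = {"ftp-anon": "Anonymous FTP login allowed"}


def parse_hosts(xml_text):
    """Return a list of host dicts: addr, hostname, state, ports[]."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.iter("host"):
        addr = h.find("address[@addrtype='ipv4']")
        if addr is None:  # IPv6-only host
            addr = h.find("address[@addrtype='ipv6']")
        hn = h.find("hostnames/hostname")
        host = {"addr": addr.get("addr"),
                "hostname": hn.get("name") if hn is not None else "",
                "state": h.find("status").get("state"),
                "ports": []}
        for p in h.iter("port"):
            svc = p.find("service")
            product = ""
            if svc is not None:
                product = " ".join(x for x in (svc.get("product"), svc.get("version")) if x)
            host["ports"].append({"port": int(p.get("portid")),
                                  "proto": p.get("protocol"),
                                  "state": p.find("state").get("state"),
                                  "service": svc.get("name") if svc is not None else "",
                                  "product": product,
                                  "scripts": p.findall("script")})  # raw elements
        hosts.append(host)
    return hosts


def open_ports(host):
    return sorted(p["port"] for p in host["ports"] if p["state"] == "open")


def _vulns_findings(script):
    """Findings from vulns-library style output (one <table> per vuln id)."""
    out = []
    for tbl in script.findall("table"):
        state = tbl.findtext("elem[@key='state']", default="")
        # NOT VULNERABLE / UNKNOWN / ERROR are not findings; only positive states count.
        if not state.upper().startswith(("VULNERABLE", "LIKELY VULNERABLE")):
            continue
        ids = [e.text for e in tbl.findall("table[@key='ids']/elem") if e.text]
        out.append({"title": tbl.findtext("elem[@key='title']", default=tbl.get("key")),
                    "state": state, "ids": ids,
                    "risk": tbl.findtext("elem[@key='risk_factor']", default="")})
    return out


def vuln_findings(hosts):
    """Flatten script results of up hosts / open ports into finding dicts."""
    findings = []
    for host in hosts:
        if host["state"] != "up":
            continue
        for p in host["ports"]:
            if p["state"] != "open":
                continue
            for s in p["scripts"]:
                sid = s.get("id")
                base = {"addr": host["addr"], "port": p["port"], "script": sid}
                for f in _vulns_findings(s):
                    findings.append({**base, **f})
                marker = TEXT_INDICATORS.get(sid)
                if marker and marker in (s.get("output") or ""):
                    findings.append({**base, "title": s.get("output").strip(),
                                     "state": "VULNERABLE", "ids": [], "risk": ""})
    return findings


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_XML)
    for h in hosts:
        print(h["addr"], h["hostname"], h["state"], open_ports(h))
        for p in h["ports"]:
            if p["state"] == "open":
                print(f"  {p['port']}/{p['proto']} {p['service']} {p['product']}")
    for f in vuln_findings(hosts):
        print(f"[{f['state']}] {f['addr']}:{f['port']} {f['script']} {f['title']} {' '.join(f['ids'])}")
```

Feed a real file with `parse_hosts(open("scan_results.xml").read())`; the `output` attribute is only kept as a fallback, the state and ids come from the structured elements, which is what makes a result from step 6 reportable without a manual re-read.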