ClawHub

Nmap Recon

Perform network reconnaissance and port scanning with Nmap to find open ports, detect services, identify vulnerabilities, and enumerate targets accurately.

Audits

Error
ClawScanError

Agentic behavior and permission review.

Static analysisPass

Pattern checks against bundled files.

VirusTotalPass

Multi-engine malware detections and file reputation.

Install

openclaw skills install nmap-recon

Nmap Recon

Network reconnaissance and port scanning using Nmap. Use when asked to scan a target, find open ports, detect services, check for vulnerabilities, or perform network reconnaissance.

Triggers

  • "scan [target]", "port scan", "nmap", "what ports are open", "recon [target]", "service detection", "vulnerability scan"

Requirements

  • nmap must be installed (standard on Kali, available via package managers)
  • Root/sudo for SYN scans and OS detection

Usage

Quick Scan (Top 1000 ports)

nmap -sC -sV -oA scan_$(date +%Y%m%d_%H%M%S) TARGET

Full Port Scan

nmap -p- -sC -sV -oA fullscan_$(date +%Y%m%d_%H%M%S) TARGET

Fast Scan (Quick check)

nmap -F -T4 TARGET

Stealth SYN Scan (requires root)

sudo nmap -sS -sV -O -oA stealth_$(date +%Y%m%d_%H%M%S) TARGET

UDP Scan (Top 100 ports)

sudo nmap -sU --top-ports 100 -oA udp_$(date +%Y%m%d_%H%M%S) TARGET

Vulnerability Scan

nmap --script vuln -oA vulnscan_$(date +%Y%m%d_%H%M%S) TARGET

Aggressive Scan (OS, version, scripts, traceroute)

nmap -A -T4 -oA aggressive_$(date +%Y%m%d_%H%M%S) TARGET

Output Parsing

Nmap outputs in multiple formats with -oA:

  • .nmap - Human readable
  • .xml - Machine parseable
  • .gnmap - Greppable format

Parse open ports from greppable output:

grep "open" scan.gnmap | awk -F'[/]' '{print $1}' | tr ',' '\n' | sort -u

Extract service versions:

grep -E "^[0-9]+/" scan.nmap | awk '{print $1, $3, $4}'

Quick summary from XML:

xmllint --xpath "//port[@state='open']" scan.xml 2>/dev/null

Common Scan Profiles

ProfileCommandUse Case
Quicknmap -F -T4Fast initial recon
Standardnmap -sC -sVService detection + default scripts
Fullnmap -p- -sC -sVAll 65535 ports
Stealthsudo nmap -sS -T2Evasive scanning
Vulnnmap --script vulnVulnerability detection
Aggressivenmap -A -T4Full enumeration

Script Categories

# List available scripts
ls /usr/share/nmap/scripts/

# Run specific category
nmap --script=default,safe TARGET
nmap --script=vuln TARGET
nmap --script=exploit TARGET
nmap --script=auth TARGET

# Run specific script
nmap --script=http-title TARGET
nmap --script=smb-vuln* TARGET

Target Specification

# Single host
nmap 192.168.1.1

# CIDR range
nmap 192.168.1.0/24

# Range
nmap 192.168.1.1-254

# From file
nmap -iL targets.txt

# Exclude hosts
nmap 192.168.1.0/24 --exclude 192.168.1.1

Timing Templates

  • -T0 Paranoid (IDS evasion)
  • -T1 Sneaky (IDS evasion)
  • -T2 Polite (slow)
  • -T3 Normal (default)
  • -T4 Aggressive (fast)
  • -T5 Insane (very fast, may miss ports)

Authorization Required

⚠️ Only scan targets you own or have explicit written authorization to test.

Never scan:

  • Public infrastructure without permission
  • Networks you don't control
  • Production systems without approval

Example Workflow

# 1. Quick scan to find live hosts
nmap -sn 192.168.1.0/24 -oA live_hosts

# 2. Fast port scan on discovered hosts
nmap -F -T4 -iL live_hosts.gnmap -oA quick_ports

# 3. Deep scan interesting hosts
nmap -p- -sC -sV -oA deep_scan TARGET

# 4. Vulnerability scan
nmap --script vuln -oA vuln_scan TARGET