> nmap-recon

Perform network reconnaissance with Nmap. Use when a user asks to scan networks, discover hosts and services, detect OS versions, find open ports, enumerate service versions, or perform initial reconnaissance for a penetration test.


Nmap Reconnaissance

Overview

Nmap is the standard tool for network discovery and security auditing. It identifies live hosts, open ports, running services and their versions, and operating systems, and its scripting engine can check for known vulnerabilities. Most network penetration tests begin with an Nmap sweep. It supports TCP and UDP scanning, OS fingerprinting, NSE (Nmap Scripting Engine) scripts for enumeration and vulnerability detection, and normal, XML (-oX) and grepable (-oG) output for automation. Nmap has no native JSON output; JSON is produced by converting the XML.

Instructions

Step 1: Host Discovery

# Discover live hosts on a subnet (no port scan)
nmap -sn 192.168.1.0/24
# -sn: host discovery only, no port scan. As root against a remote network this
#      sends ICMP echo, TCP SYN to 443, TCP ACK to 80 and an ICMP timestamp request
# Output: list of live IPs, reverse-DNS names where they resolve, and MAC
#         addresses (with vendor) only for hosts on the local Ethernet segment

# Discover hosts when ICMP is blocked: probe TCP/UDP ports instead of pinging
nmap -sn -PS22,80,443,3389 -PA80,443 -PU53 10.0.0.0/24
# Do not combine -Pn with -sn: -Pn disables discovery entirely, so every
# address is printed as "up" without a single probe being sent

# ARP discovery on local network (most reliable on LAN)
nmap -PR -sn 192.168.1.0/24
# Nmap already uses ARP for targets on the local Ethernet segment; -PR only
# makes that explicit. Use --disable-arp-ping to force IP-level probes instead

Step 2: Port Scanning

# Quick scan: top 1000 ports with service detection
nmap -sV -sC -T4 target.example.com
# -sV: detect service versions (Apache 2.4.52, OpenSSH 8.9)
# -sC: run the default NSE script set (same as --script=default); chosen to be
#      low-impact, but not identical to the "safe" category
# -T4: aggressive timing (faster, noisier)

# Full TCP port scan — all 65535 ports
nmap -p- -sV --open target.example.com
# -p-: scan all ports (not just top 1000)
# --open: show only open ports (less noise)

# UDP scan: catches DNS, SNMP, TFTP, NTP (requires root)
nmap -sU --top-ports 100 target.example.com
# UDP scans are slow, so limit them to top ports. Most results come back
# open|filtered (no reply either way); only an application reply or an ICMP
# port-unreachable settles the state, so add -sV to confirm the interesting ones

# Specific port ranges
nmap -p 80,443,8080-8090,3000-3010 target.example.com

Step 3: Service Enumeration and OS Detection

# Aggressive scan — service version + OS detection + scripts + traceroute
nmap -A -T4 target.example.com
# Combines: -sV -sC -O --traceroute

# OS fingerprinting
nmap -O --osscan-guess target.example.com
# Identifies: Linux 5.x, Windows Server 2019, FreeBSD 13, etc.

# Banner grabbing / deeper version probing for specific services
nmap -sV --version-intensity 9 -p 22,80,443,3306,5432,6379 target.example.com
# Intensity runs 0-9 (default 7): higher = more probes = better detection, slower.
# 9 equals --version-all; --version-light (2) is the fast option for large scopes
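Steps 1 to 3 describe one pipeline: sweep for live hosts, sweep their ports, then spend -sV/-sC time only where something is actually listening. The Python below is an added example that glues those stages together through Nmap's grepable (-oG) output; it is not part of the original skill. Both gnmap samples are constructed to match the documented -oG layout rather than captured from a real scan, the hostnames and 192.0.2.x addresses are placeholders, and the last stage only launches nmap when it is installed and RUN_SCANS=1 is set.

```python
"""Stage recon as in Steps 1-3: -sn sweep -> -p- port sweep -> -sV -sC on open ports only.

Added example (not the skill's own code).  Both gnmap samples are constructed
to follow Nmap's grepable (-oG) layout: one line per host, tab-separated
'Key: value' fields, port entries as port/state/proto/owner/service/rpc/version/.
"""
import os
import re
import shlex
import shutil
import subprocess

# Constructed: `nmap -sn -v -oG discovery.gnmap 192.0.2.0/28` (Step 1).
# Down hosts only appear in -oG output with -v; one is included to exercise the filter.
DISCOVERY_GNMAP = (
    "# Nmap 7.94 scan initiated Mon Mar 17 10:00:00 2026 as: nmap -sn -v -oG discovery.gnmap 192.0.2.0/28\n"
    "Host: 192.0.2.10 (web01.example.com)\tStatus: Up\n"
    "Host: 192.0.2.11 ()\tStatus: Up\n"
    "Host: 192.0.2.12 ()\tStatus: Down\n"
    "# Nmap done at Mon Mar 17 10:00:03 2026 -- 16 IP addresses (2 hosts up) scanned in 3.01 seconds\n"
)

# Constructed: `nmap -sS -sU -p T:1-65535,U:53,161 --open -oG ports.gnmap 192.0.2.10 192.0.2.11` (Step 2).
PORTS_GNMAP = (
    "Host: 192.0.2.10 (web01.example.com)\tStatus: Up\n"
    "Host: 192.0.2.10 (web01.example.com)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/open/tcp//https///, 8443/open/tcp//https-alt///, 53/open|filtered/udp//domain///\t"
    "Ignored State: closed (65532)\n"
    "Host: 192.0.2.11 ()\tStatus: Up\n"
    "Host: 192.0.2.11 ()\tPorts: 3306/open/tcp//mysql///, 161/open/udp//snmp///\tIgnored State: closed (65535)\n"
)

PORT_ENTRY = re.compile(r"^(\d+)/([^/]+)/(tcp|udp|sctp)/")  # port/state/proto/...


def parse_gnmap_line(line):
    """Split one 'Host:' line into its tab-separated 'Key: value' fields."""
    fields = {}
    for chunk in line.rstrip("\n").split("\t"):
        key, sep, value = chunk.partition(": ")
        if sep:
            fields[key] = value
    return fields


def live_hosts(gnmap_text):
    """IPs a -sn sweep reported 'Status: Up', in scan order, without duplicates."""
    hosts = []
    for line in gnmap_text.splitlines():
        if not line.startswith("Host:"):
            continue  # '# Nmap ...' banner and footer lines
        fields = parse_gnmap_line(line)
        ip = fields["Host"].split(" ", 1)[0]  # "192.0.2.10 (web01.example.com)" -> IP
        if fields.get("Status") == "Up" and ip not in hosts:
            hosts.append(ip)
    return hosts


def open_ports(gnmap_text):
    """Map IP -> {proto: [ports]} for entries whose state is exactly 'open'.

    'open|filtered' (the usual UDP answer) is excluded on purpose: Nmap got no
    reply, so nothing is confirmed and -sV would mostly burn time there.
    """
    result = {}
    for line in gnmap_text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = parse_gnmap_line(line)
        if "Ports" not in fields:
            continue  # the 'Status: Up' line carries no port list
        ip = fields["Host"].split(" ", 1)[0]
        for entry in fields["Ports"].split(","):
            m = PORT_ENTRY.match(entry.strip())
            if m and m.group(2) == "open":
                result.setdefault(ip, {}).setdefault(m.group(3), []).append(int(m.group(1)))
    return result


def service_scan_command(ip, ports, output_basename):
    """Build the Step 3 follow-up: -sV -sC restricted to confirmed open ports.

    Returned as an argv list so a hostname or path can never be shell-injected.
    -sS (and -sU when UDP ports exist) needs root, just like the -p- sweep did.
    """
    tcp = sorted(set(ports.get("tcp", [])))
    udp = sorted(set(ports.get("udp", [])))
    if not tcp and not udp:
        return None
    scan_types, spec = [], []
    if tcp:
        scan_types.append("-sS")
        spec.append("T:" + ",".join(map(str, tcp)))
    if udp:
        scan_types.append("-sU")
        spec.append("U:" + ",".join(map(str, udp)))
    return ["nmap", *scan_types, "-sV", "-sC", "-T4", "-p", ",".join(spec),
            "-oA", output_basename, ip]


if __name__ == "__main__":
    # Plan the third stage from the first two; execute only when nmap is present
    # and the operator opted in (written authorization first, see Guidelines).
    for ip in live_hosts(DISCOVERY_GNMAP):
        argv = service_scan_command(ip, open_ports(PORTS_GNMAP).get(ip, {}), f"svc-{ip}")
        if argv is None:
            print(f"{ip}: nothing open, skipping")
            continue
        print(shlex.join(argv))
        if shutil.which("nmap") and os.environ.get("RUN_SCANS") == "1":
            subprocess.run(argv, check=False)
```

The -p specification uses Nmap's T:/U: prefixes so a single follow-up scan covers both confirmed TCP and confirmed UDP ports; 53/open|filtered is dropped because nothing answered, and a default-scripts run against an unconfirmed UDP port mostly wastes time.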

Step 4: NSE Vulnerability Scripts

# Run vulnerability detection scripts
nmap --script vuln target.example.com
# Checks for: ShellShock, Heartbleed, SMB vulns, etc.
# "vuln" is a category, not a safety level: several of its scripts are also
# tagged intrusive and can crash fragile services. List what would run with
#   nmap --script-help vuln
# and use --script "vuln and safe" when the target must stay up

# Specific vulnerability checks
nmap --script ssl-heartbleed -p 443 target.example.com
nmap --script smb-vuln-ms17-010 -p 445 target.example.com
nmap --script http-shellshock --script-args uri=/cgi-bin/status -p 80 target.example.com

# Web server enumeration
nmap --script http-enum,http-title,http-headers,http-methods -p 80,443,8080 target.example.com

# Brute force (use with authorization only)
nmap --script ssh-brute --script-args userdb=users.txt,passdb=pass.txt -p 22 target.example.com

# DNS enumeration (a target is still required; the domain to brute-force is a script argument)
nmap --script dns-brute --script-args dns-brute.domain=example.com example.com

Step 5: Output for Automation

# XML output for parsing (searchsploit --nmap scan-results.xml, Metasploit db_import)
nmap -sV -sC -oX scan-results.xml target.example.com

# All formats at once
nmap -sV -sC -oA scan-results target.example.com
# Creates: scan-results.nmap, scan-results.xml, scan-results.gnmap

# Grepable output for quick filtering
nmap -sV -oG - target.example.com | grep "open"

# Parse XML results programmatically (a quoted heredoc avoids shell-escaping the Python)
python3 - <<'EOF'
import xml.etree.ElementTree as ET
tree = ET.parse('scan-results.xml')
for host in tree.findall('.//host'):
    # Down or IPv6-only hosts have no ipv4 address element; calling .get('addr')
    # on a missing element would raise AttributeError
    addr = host.find('.//address[@addrtype="ipv4"]')
    if addr is None:
        addr = host.find('.//address[@addrtype="ipv6"]')
    if addr is None:
        continue
    ip = addr.get('addr')
    for port in host.findall('.//port'):
        portid = port.get('portid')
        service = port.find('service')
        name = service.get('name', 'unknown') if service is not None else 'unknown'
        product = service.get('product', '') if service is not None else ''
        version = service.get('version', '') if service is not None else ''
        state = port.find('state').get('state')
        if state == 'open':
            print(f'{ip}:{portid} {name} {product} {version}'.rstrip())
EOF
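Steps 4 and 5 feed into each other: the XML written by -oX carries both the versions -sV found and the results of the vuln scripts. The parser below is an added example, not the skill's own code. It handles what the one-liner above does not (hosts that were down, IPv6-only hosts, NSE results at port level and at host level under <hostscript>, and the difference between a probed version and a service name merely guessed from nmap-services) and returns the product/version strings worth handing to searchsploit. SAMPLE_XML is constructed to follow Nmap's -oX structure and is not a real capture; the script output text in it is abbreviated, and the CVE tables mirror the layout of the vulns NSE library as an assumption about that layout.

```python
"""Turn Nmap -oX output into open ports, searchsploit terms and VULNERABLE NSE hits.

Added example (not the skill's own code).  SAMPLE_XML is constructed to follow
Nmap's XML layout (nmaprun > host > status/address/hostnames/ports/hostscript);
it is not a real capture and the NSE output text is abbreviated.
"""
import re
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sV -sC --script ssl-heartbleed,smb-vuln-ms17-010 -oX scan-results.xml 192.0.2.10 192.0.2.11 192.0.2.12" start="1773741600" version="7.94">
<host><status state="up" reason="syn-ack"/>
<address addr="192.0.2.10" addrtype="ipv4"/><address addr="00:11:22:33:44:55" addrtype="mac"/>
<hostnames><hostname name="web01.example.com" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="8.9p1" extrainfo="Ubuntu 3ubuntu0.1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.4.52" tunnel="ssl" method="probed" conf="10"/>
<script id="ssl-heartbleed" output="&#10;  VULNERABLE:&#10;  The Heartbleed Bug&#10;    State: VULNERABLE&#10;    Risk factor: High">
<table key="CVE-2014-0160"><elem key="title">The Heartbleed Bug</elem><elem key="state">VULNERABLE</elem></table></script></port>
<port protocol="tcp" portid="8080"><state state="closed" reason="reset"/><service name="http-proxy" method="table" conf="3"/></port>
</ports></host>
<host><status state="up" reason="echo-reply"/><address addr="2001:db8::11" addrtype="ipv6"/>
<ports><port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds" method="table" conf="3"/></port></ports>
<hostscript><script id="smb-vuln-ms17-010" output="&#10;  VULNERABLE:&#10;  Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)&#10;    State: VULNERABLE">
<table key="CVE-2017-0143"><elem key="state">VULNERABLE</elem></table></script></hostscript></host>
<host><status state="down" reason="no-response"/><address addr="192.0.2.12" addrtype="ipv4"/></host>
<runstats><hosts up="2" down="1" total="3"/></runstats>
</nmaprun>
"""

# Matches "State: VULNERABLE" and "State: LIKELY VULNERABLE" but not "State: NOT VULNERABLE"
VULN_STATE = re.compile(r"State:\s*(?:LIKELY\s+)?VULNERABLE", re.I)


def script_is_vulnerable(script):
    """True when a vulns-library style script reports VULNERABLE / LIKELY VULNERABLE.

    Prefer the structured <elem key="state"> entries; fall back to the
    human-readable 'output' attribute for scripts that emit only text.
    """
    states = [(e.text or "").strip().upper() for e in script.iter("elem") if e.get("key") == "state"]
    if states:
        return any("VULNERABLE" in s and not s.startswith("NOT") for s in states)
    return VULN_STATE.search(script.get("output", "")) is not None


def host_address(host):
    """Pick the IPv4 address if present, else IPv6; MAC addresses are ignored."""
    by_type = {a.get("addrtype"): a.get("addr") for a in host.findall("address")}
    return by_type.get("ipv4") or by_type.get("ipv6")


def parse_nmap_xml(xml_text):
    """Return {'ports': [...], 'vulns': [...]} for hosts that were up."""
    root = ET.fromstring(xml_text)
    ports, vulns = [], []
    for host in root.findall("host"):
        status = host.find("status")
        ip = host_address(host)
        if status is None or status.get("state") != "up" or ip is None:
            continue
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else ""
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            portid = int(port.get("portid"))
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            ports.append({
                "ip": ip, "hostname": hostname, "proto": port.get("protocol"), "port": portid,
                "service": attrs.get("name", "unknown"),
                "product": attrs.get("product", ""), "version": attrs.get("version", ""),
                # method="table" means the name came from nmap-services, not from a probe
                "probed": attrs.get("method") == "probed",
            })
            for script in port.findall("script"):
                if script_is_vulnerable(script):
                    vulns.append({"ip": ip, "port": portid, "script": script.get("id")})
        # Host-level scripts such as smb-vuln-* live under <hostscript>, not under a port
        for script in host.findall("hostscript/script"):
            if script_is_vulnerable(script):
                vulns.append({"ip": ip, "port": None, "script": script.get("id")})
    return {"ports": ports, "vulns": vulns}


def searchsploit_terms(report):
    """Unique 'product version' strings to cross-reference with searchsploit.

    Only probed services with a product name qualify: a bare name guessed from
    nmap-services ('mysql' on 3306) is not a version worth searching for.
    """
    terms = {f"{p['product']} {p['version']}".strip() for p in report["ports"] if p["probed"] and p["product"]}
    return sorted(terms)


if __name__ == "__main__":
    report = parse_nmap_xml(SAMPLE_XML)
    for p in report["ports"]:
        print(f"{p['ip']}:{p['port']}/{p['proto']} {p['service']} {p['product']} {p['version']}".rstrip())
    for v in report["vulns"]:
        where = f"{v['ip']}:{v['port']}" if v["port"] else v["ip"]
        print(f"VULNERABLE {where} ({v['script']})")
    print("searchsploit:", searchsploit_terms(report))
```

Replace SAMPLE_XML with `open('scan-results.xml').read()` to run it on a real -oX file. The NOT VULNERABLE guard matters in practice: vuln scripts print "State: NOT VULNERABLE" for clean hosts, and a naive substring check on "VULNERABLE" would report every checked host as vulnerable.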

Step 6: Stealth and Evasion

# SYN scan (half-open): the handshake is never completed, so the target
# application never sees a connection and writes nothing to its own logs;
# firewalls and network IDS still see every SYN. -sS is already the default
# scan type when running as root; unprivileged users fall back to -sT (full connect)
nmap -sS -T2 target.example.com
# -sS: SYN scan (doesn't complete the TCP handshake)
# -T2: polite timing (slower; spreads probes out to stay under rate-based alerting)

# Fragment probes into 8-byte IP fragments to slip past filters that do not reassemble
nmap -f -sS target.example.com
# Most current firewalls and IDS reassemble fragments before inspection, and some
# hosts drop fragmented probes outright, so retest without -f if results vanish

# Decoy scan: mix your probes with spoofed ones from other source addresses
nmap -D RND:10 -sS target.example.com
# RND:10: 10 random decoy IPs; with an explicit list, ME sets your own position
# (-D 10.0.0.5,ME,10.0.0.9). Replies to decoys never reach you, so results still
# come from your real probes, and networks that drop spoofed packets see only you

# Idle scan: probes appear to originate from a "zombie" host, not from you
nmap -sI zombie-host.example.com target.example.com
# Needs a zombie that is truly idle and uses a predictable, incremental IP ID
# counter; check candidates first with: nmap --script ipidseq zombie-host.example.com
# Not anonymous: the zombie's owner sees the traffic, and the scan is slow

# Source port manipulation (bypass weak filters that trust replies from DNS/DHCP ports)
nmap --source-port 53 -sS target.example.com
# -g 53 is the short form; only works against stateless rules that allow source port 53

Guidelines

  • Always have written authorization before scanning any network or host.
  • Start with -sn (host discovery) → -sV -sC (service scan) → --script vuln (vulnerability scan). Don't jump to aggressive scans.
  • -T4 is good for most assessments. Use -T2 when stealth matters, -T5 only on local networks.
  • Full port scan (-p-) takes much longer but catches services on non-standard ports — always do it.
  • UDP scans (-sU) are slow but important — many vulnerabilities live on UDP (SNMP, DNS, TFTP).
  • Save all output as XML (-oX) — it integrates with Metasploit, searchsploit, and custom parsers.
  • The vuln category is not the same as the safe category: several vuln scripts are also tagged intrusive and can crash fragile services, so review them with --script-help vuln before running against production. The brute and exploit categories are aggressive and need explicit sign-off in the authorization.
  • Combine with searchsploit to cross-reference found service versions with known exploits.


Repository: TerminalSkills/skills (by TerminalSkills)