Professional network reconnaissance and port scanning using nmap. Supports various scan types (quick, full, UDP, stealth), service detection, vulnerability scanning, and NSE scripts. Use when you need to enumerate network services, detect versions, or perform network reconnaissance.
Source: BrownFineSecurity/iothackbot, `skills/nmap/SKILL.md` (January 15, 2026)

Install: `npx add-skill https://github.com/BrownFineSecurity/iothackbot/blob/main//skills/nmap/SKILL.md -a claude-code --skill nmap` (installation path: `.claude/skills/nmap/`)

# Nmap Scan - Professional Network Reconnaissance

You are helping the user perform professional network reconnaissance and port scanning using nmap. This skill provides guidance for various scan types, output formats, and result analysis.

## Output Directory

### Directory Structure

```text
nmap-output/
├── nmap-portscan.nmap      # Initial fast port discovery
├── nmap-portscan.xml
├── nmap-portscan.gnmap
├── nmap-services.nmap      # Detailed service detection on open ports
├── nmap-services.xml
└── nmap-services.gnmap
```

**IMPORTANT**: Always save nmap output to an organized directory structure. By default, use `./nmap-output/` or specify a custom directory.

## Default Scanning Strategy

**IMPORTANT**: Unless the user explicitly requests a different scan type, ALWAYS use this two-phase approach:

### Phase 1: Fast Port Discovery (Root SYN Scan)

```bash
sudo nmap -p- <target> -oA <output-dir>/nmap-portscan
```

- **Why sudo**: Running as root enables the fast SYN scan (`-sS` is implicit)
- **Why -p-**: Scans all 65535 ports quickly
- **Duration**: Typically 1-3 minutes for a SYN scan
- **Output**: List of all open ports

**Host Down Detection**: If the scan output contains "Note: Host seems down", automatically retry with:

```bash
sudo nmap -p- -Pn <target> -oA <output-dir>/nmap-portscan
```

- `-Pn`: Skip host discovery, treat the host as online
- Use this when firewalls block ping probes

### Phase 2: Targeted Service Detection

After Phase 1 completes, parse the open ports and run:

```bash
nmap -p <OPEN_PORT_LIST> -sV -sC <target> -oA <output-dir>/nmap-services
```

- `-p <OPEN_PORT_LIST>`: Only scan the ports found to be open (e.g., `-p 23,80,443,554,8000`)
- `-sV`: Service version detection
- `-sC`: Run default NSE scripts for additional enumeration
- **Duration**: Usually 1-3 minutes since only known open ports are scanned

### Why This Strategy?

1. **Speed**: Fast SYN scan finds all open ports in 1-3 minutes
2. **Thoroughness**: Covers all 65535 ports, not just the top 1000
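The two-phase workflow above end to end, as an added example that is not code from the iothackbot repository: it runs the all-port scan, retries with `-Pn` when nmap reports the host as down, parses the open TCP ports out of the `.gnmap` file and feeds them to the `-sV -sC` phase. It assumes `sudo` and `nmap` are on `PATH`; the `.gnmap` lines inside are constructed sample data, and carrying `-Pn` into Phase 2 is my assumption rather than something the skill states.

```shell
#!/bin/sh
# Two-phase nmap workflow from the skill above (added example, not code from
# the iothackbot repository). Usage: two-phase.sh <target> [out-dir]
# Constructed .gnmap excerpt (not real scan data) for the offline demo/test.
sample_gnmap() {
  printf 'Host: 10.0.0.5 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, '
  printf '443/closed/tcp//https///, 8000/open/tcp//http-alt///\tIgnored State: filtered (65531)\n'
}

# True if the normal (.nmap) output reports the host as down.
host_seems_down() { grep -q 'Note: Host seems down' "$1"; }

# Print open TCP ports from a .gnmap file as "22,80,8000", ready for nmap -p.
# Each Ports: entry is port/state/proto/owner/service/rpc/version/.
parse_open_ports() {
  awk -F'\t' '/^Host:/ {
    for (i = 1; i <= NF; i++) if (sub(/^Ports: /, "", $i)) {
      n = split($i, e, /, /)
      for (j = 1; j <= n; j++) {
        split(e[j], f, "/")
        if (f[2] == "open" && f[3] == "tcp") print f[1]
      }
    }
  }' "$1" | sort -n | uniq | paste -sd, -
}

run_two_phase() {
  target=$1; outdir=${2:-./nmap-output}; pn=""
  mkdir -p "$outdir"
  # Phase 1: root SYN scan of all 65535 ports
  sudo nmap -p- "$target" -oA "$outdir/nmap-portscan"
  if host_seems_down "$outdir/nmap-portscan.nmap"; then
    pn="-Pn"   # firewall drops ping probes: skip host discovery and retry
    sudo nmap -p- $pn "$target" -oA "$outdir/nmap-portscan"
  fi
  ports=$(parse_open_ports "$outdir/nmap-portscan.gnmap")
  [ -n "$ports" ] || { echo "no open TCP ports found" >&2; return 1; }
  # Phase 2: -sV -sC on the open ports only. $pn is carried over (my
  # assumption, not in the skill) so the host is not reported down again.
  nmap -p "$ports" -sV -sC $pn "$target" -oA "$outdir/nmap-services"
}

# With no arguments, demonstrate the parser on the constructed sample.
if [ $# -eq 0 ]; then
  tmp=$(mktemp); sample_gnmap > "$tmp"
  echo "open ports in sample: $(parse_open_ports "$tmp")"; rm -f "$tmp"
else
  run_two_phase "$@"
fi
```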