All SkillsGet Started Free
Scanning Network With Nmap Advanced
Performs advanced network reconnaissance using Nmap's scripting engine, timing controls, evasion techniques, and output parsing to discover hosts, enumerate services, detect vulnerabilities, and fingerprint operating systems across authorized target networks.
MCP get_skill({ skillId: "scanning-network-with-nmap-advanced-c2efb21b" })Use this skill with your agent
Create a free account and connect via MCP
# Scanning Network with Nmap Advanced Techniques
## When to Use
- Performing comprehensive asset discovery across large enterprise networks during authorized assessments
- Enumerating service versions and configurations to identify outdated or vulnerable software
- Bypassing firewall rules and IDS during authorized penetration tests using scan evasion techniques
- Scripting automated vulnerability checks using the Nmap Scripting Engine (NSE)
- Generating structured scan output for integration into vulnerability management pipelines
**Do not use** against networks without explicit written authorization, on production systems during peak hours without approval, or to perform denial-of-service through aggressive scan timing.
## Prerequisites
- Nmap 7.90+ installed (`nmap --version` to verify)
- Root/sudo privileges for SYN scans, OS detection, and raw packet techniques
- Written authorization specifying in-scope IP ranges and any excluded hosts
- Network access to target ranges (VPN, direct connection, or jump host)
- Familiarity with TCP/IP protocols and common port assignments
## Workflow
### Step 1: Host Discovery with Multiple Probes
Use layered discovery to find live hosts even when ICMP is blocked:
```bash
# ARP discovery for local subnet (most reliable on LAN)
nmap -sn -PR 192.168.1.0/24 -oA discovery_arp
# Combined ICMP + TCP + UDP probes for remote networks
nmap -sn -PE -PP -PS21,22,25,80,443,445,3389,8080 -PU53,161,500 10.0.0.0/16 -oA discovery_combined
# List scan to resolve DNS names without sending packets to targets
nmap -sL 10.0.0.0/24 -oN dns_resolution.txt
```
Consolidate results into a live hosts file:
```bash
grep "Host:" discovery_combined.gnmap | awk '{print $2}' | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n > live_hosts.txt
```
### Step 2: Port Scanning with Timing and Performance Tuning
```bash
# Full TCP SYN scan with optimized timing
nmap -sS -p- --min-rate 5000 --max-retries 2 -T4 -iL live_hosts.txt -oA full_tcp_scan
# Top 1000 UDP ports with version detection#mukul-cybersecurity-skills#security#cybersecurity#vulnerability#managementbashnmap