Nmap Quick Scan Script
“The best reconnaissance is the one that doesn’t get caught.”
When you’re working through labs or doing legitimate penetration testing, you need tools that are both effective and ethical. This nmap script emerged from countless hours of manual scanning where I found myself repeating the same commands and missing critical details. It’s built to be thorough, informative, and respectful of system boundaries.
What This Script Does
This isn’t your typical nmap wrapper. It’s a comprehensive scanning tool that:
- Scans the default 1000 ports with service enumeration and OS detection
- Runs vulnerability scripts to identify common misconfigurations
- Checks for known exploits based on detected services and versions
- Generates multiple output formats (normal, XML, grepable) for different analysis needs
- Creates a summary report highlighting the most important findings
- Provides colored output for better readability during live testing
Download the script, or find the repo at nmap-quick.
Key Features
Intelligent Exploit Checking
The script doesn’t just scan - it thinks. When it detects common services, it automatically checks for known vulnerabilities:
- Redis: Unauthenticated access, Lua sandbox escapes, master-slave replication RCE
- MySQL: Weak passwords, CVE-2016-6662/6663
- PostgreSQL: Default credentials, CVE-2019-9193
- SSH: Weak passwords, CVE-2018-15473
- FTP: Anonymous login, vsftpd 2.3.4 backdoor
- SMB: EternalBlue, SMBGhost, anonymous access
- Web Services: Directory traversal, SQL injection, XSS vectors
- Telnet: Default credentials, unencrypted traffic
- RPC: NFS misconfigurations, RPC enumeration
Multiple Output Formats
# Normal format for human reading
nmap_quick_scan_20240101_143022.txt
# XML format for automated parsing
nmap_quick_scan_20240101_143022.xml
# Grepable format for quick searching
nmap_quick_scan_20240101_143022.gnmap
# Summary report with key findings
nmap_quick_scan_20240101_143022_summary.txt
Comprehensive Scanning
The script uses these nmap options for thorough enumeration:
- -sS: SYN scan (stealthy)
- -sV: Service version detection
- -O: OS detection
- --script=vuln,auth,default,discovery,version: Comprehensive script suite
- --script-args=unsafe=1: Enables potentially intrusive scripts
Usage
Basic Usage
# Scan a single target
./nmap-quick-scan.sh 10.10.10.10
# Scan with custom output filename
./nmap-quick-scan.sh 10.10.10.10 my_scan_results
Prerequisites
# Install nmap (if not already installed)
sudo apt update
sudo apt install nmap
# Install exploitdb for additional exploit checking
sudo apt install exploitdb
Example Output
[*] Starting HTB Nmap Quick Scan
[*] Target: 10.10.10.10
[*] Output file: nmap_quick_scan_20240101_143022.txt
[*] Starting nmap quick scan on 10.10.10.10...
[*] Scanning default 1000 ports with service detection and vulnerability scripts...
[+] Nmap scan completed successfully!
[*] Results saved to:
- nmap_quick_scan_20240101_143022.txt (normal format)
- nmap_quick_scan_20240101_143022.xml (XML format)
- nmap_quick_scan_20240101_143022.gnmap (grepable format)
[*] Parsing nmap results and checking for exploits...
[+] Found ssh on port 22 (version: OpenSSH 7.2p2)
[!] SSH detected on port 22
[*] Common SSH exploits:
- Weak passwords
- Default credentials
- CVE-2018-15473 (OpenSSH 7.7p1)
- CVE-2016-6210 (OpenSSH 7.2p2)
[+] Found http on port 80 (version: Apache httpd 2.4.18)
[!] HTTP/HTTPS detected on port 80
[*] Common Web exploits:
- Directory traversal
- SQL injection
- XSS vulnerabilities
- Default credentials
- Outdated web applications
[*] Generating summary report...
[+] Summary report saved to: nmap_quick_scan_20240101_143022_summary.txt
[+] Quick scan completed! Check the output files for detailed results.
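The "Parsing nmap results" step above reads the grepable (-oG) file the script writes. As an added example (not code from nmap-quick), this is how that .gnmap layout can be turned into the per-service lines a handler like check_exploits consumes; the sample .gnmap content and the function names parse_gnmap_open_ports and count_open_ports are constructed for this illustration.

```shell
#!/bin/bash
# Added example, not part of nmap-quick: parse the grepable (-oG) output
# into "port proto service version" lines, the fields check_exploits takes.
set -e

# Constructed sample in nmap's grepable layout: sections are tab-separated,
# ports are comma-separated, each port is port/state/proto/owner/service/rpc/version/.
SAMPLE_GNMAP="$(printf 'Host: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.18 ((Ubuntu))/, 139/closed/tcp//netbios-ssn///\tIgnored State: filtered (997)')"
SAMPLE_FILE="$(mktemp)"
printf '%s\n' "$SAMPLE_GNMAP" > "$SAMPLE_FILE"

# Print "port proto service version" for every open port in a .gnmap file.
# Assumes version strings contain no commas (nmap writes slashes in them as "|").
parse_gnmap_open_ports() {
    grep '^Host:' "$1" \
      | awk -F'\t' '{ for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) print substr($i, 8) }' \
      | tr ',' '\n' \
      | sed 's/^ *//' \
      | awk -F'/' '$2 == "open" { printf "%s %s %s %s\n", $1, $3, $5, $7 }'
}

# Number of open ports, so a summary report can lead with the figure that matters.
count_open_ports() {
    parse_gnmap_open_ports "$1" | wc -l | tr -d ' '
}

# Stand-alone run: list open services in the wrapper's "[+] Found ..." style.
# The wrapper would hand each line to check_exploits "$service" "$version" "$port".
parse_gnmap_open_ports "$SAMPLE_FILE" | while read -r port proto service version; do
    echo "[+] Found $service on port $port/$proto (version: $version)"
done
echo "[*] $(count_open_ports "$SAMPLE_FILE") open ports on the sample host"
```

The closed netbios-ssn port is filtered out by the state check, so only services that actually answered reach the handler.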
Ethical Considerations
This script is designed for:
- Authorized penetration testing
- Educational purposes
- Security research
- Bug bounty hunting
Important Notes:
- Always obtain proper authorization before scanning
- Respect rate limits and system boundaries
- Use responsibly and ethically
- This script requires sudo privileges for SYN scanning
Code Preview
#!/bin/bash
# HTB Nmap Quick Scan Script
# Scans default 1000 ports with service enumeration and exploit checking
set -e
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color
# Function to print colored output
print_status() {
echo -e "${BLUE}[*]${NC} $1"
}
print_success() {
echo -e "${GREEN}[+]${NC} $1"
}
print_warning() {
echo -e "${YELLOW}[!]${NC} $1"
}
print_error() {
echo -e "${RED}[-]${NC} $1"
}
# Function to check for exploits based on service and version
check_exploits() {
local service="$1"
local version="$2"
local port="$3"
print_status "Checking for known exploits for $service on port $port..."
case "$service" in
"redis")
print_warning "Redis detected on port $port"
print_status "Common Redis exploits:"
echo " - Unauthenticated access (default config)"
echo " - Redis RCE via Lua sandbox escape"
echo " - Redis 4.x/5.x RCE via master-slave replication"
echo " - Redis 6.x RCE via Lua sandbox escape"
;;
"mysql")
print_warning "MySQL detected on port $port"
print_status "Common MySQL exploits:"
echo " - Weak/empty passwords"
echo " - CVE-2016-6662 (MySQL 5.5, 5.6, 5.7)"
echo " - CVE-2016-6663 (MySQL 5.5, 5.6, 5.7)"
;;
# ... additional service checks
esac
}
# Main scanning function
run_nmap_scan() {
local target="$1"
local output_file="$2"
print_status "Starting nmap quick scan on $target..."
print_status "Scanning default 1000 ports with service detection and vulnerability scripts..."
# Run nmap with comprehensive options (using sudo)
sudo nmap -sS -sV -O --script=vuln,auth,default,discovery,version \
--script-args=unsafe=1 \
-oN "$output_file" \
-oX "${output_file%.txt}.xml" \
-oG "${output_file%.txt}.gnmap" \
"$target"
}
# ... rest of the script implementation
Troubleshooting
Permission Denied
# Make the script executable
chmod +x nmap-quick-scan.sh
# Run with sudo (required for SYN scanning)
sudo ./nmap-quick-scan.sh 10.10.10.10
You shouldn’t need to run the script itself with sudo; it calls sudo for nmap and will prompt you for a password anyway.
Nmap Not Found
# Install nmap
sudo apt update && sudo apt install nmap
No Output Files
- Check if the target is reachable
- Verify you have proper permissions
- Ensure nmap is installed and working
Next Steps
After running this script:
- Review the summary report for quick insights
- Focus on identified services for manual testing
- Run full port scan if needed (65,535 ports)
- Use the XML output for automated analysis
- Check the grepable format for quick searches
Remember: This is just the beginning. The real work starts with manual testing and exploitation of the identified services.
This script is part of my growing toolkit for ethical penetration testing. It’s designed to be thorough, informative, and respectful of system boundaries. Use it responsibly.
Question loudly so others can learn quietly. Stay curious. Stay loud.
Don’t Be A Skid -Zero