ワンクリックで
nmap
Canonical Nmap CLI syntax, strict staged scanning workflow, and sandbox-safe bounded scan patterns with timeout backoff.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
メニュー
Canonical Nmap CLI syntax, strict staged scanning workflow, and sandbox-safe bounded scan patterns with timeout backoff.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
SOC 職業分類に基づく
Automated tool-assisted strategies for blind injection attacks (SQL, NoSQL, command, XPath). Covers when and how to use sqlmap, custom scripting, and binary search optimization to minimize token consumption and execution time. Use when manual blind injection would require >20 sequential requests.
HTTP Request Smuggling (HRS) / Desync attack detection and exploitation. Covers CL.TE, TE.CL, TE.TE detection, payload crafting, and chaining with SSRF/cache poisoning. Use when front-end/back-end architecture is suspected or when HTTP parsing discrepancies exist.
Race condition vulnerability detection and exploitation. Covers time-of-check to time-of-use (TOCTOU), limit bypass, coupon abuse, and multi-endpoint race chains. Use when state-dependent logic (credits, inventory, votes, transfers) exists or CTF challenge involves concurrent operations.
Exact Nuclei command structure, template selection, staged scanning workflow, and bounded high-throughput execution controls with timeout backoff.
Common CTF exploitation patterns, quick wins, and time-saving tricks for web, crypto, pwn, and misc challenges. Use when you are stuck on a CTF challenge or want to rapidly test known patterns.
Linux and Windows privilege escalation techniques, enumeration scripts, and common misconfigurations. Use when you have obtained a low-privilege shell and need to escalate to root or SYSTEM.
| name | nmap |
| description | Canonical Nmap CLI syntax, strict staged scanning workflow, and sandbox-safe bounded scan patterns with timeout backoff. |
Official docs:
Nmap scans MUST follow a staged escalation pattern. NEVER jump to a broad sweep on the first call.
Goal: Find live hosts and open ports quickly.
--top-ports 100 or smaller explicit port lists (-p 22,80,443,8080,8443).-sV), no scripts (-sC) at this stage.--host-timeout 60s.nmap -n -Pn --open --top-ports 100 -T4 --max-retries 1 --host-timeout 60s -oA nmap_stage1 <target>Goal: Identify services and versions on discovered ports.
-sV -sC scoped to the exact ports found: -p <comma_ports>.--script-timeout 30s and --host-timeout 3m.nmap -n -Pn -sV -sC -p <ports> --script-timeout 30s --host-timeout 3m -oA nmap_stage2 <target>Goal: Only run when Stage 1 found nothing useful AND the user explicitly asked for comprehensive coverage.
-p- or --top-ports 1000 are Stage 3 ONLY.-p-) which may take 10-30 minutes?"-T3 or lower and --max-retries 1 to bound duration.nmap -n -Pn -p- -sV --open -T3 --max-retries 1 --host-timeout 10m -oA nmap_stage3 <target>Goal: Run targeted NSE scripts against known service versions.
--script=vuln against all ports blindly.--script=http-* for HTTP, --script=ssh-* for SSH, etc.nmap -n -Pn -p <ports> --script=<service-family>-vuln --script-timeout 30s -oA nmap_stage4 <target>If ANY nmap invocation hits a timeout or runs longer than expected, apply this backoff sequence:
First timeout (>60s for Stage 1, >3m for Stage 2):
--top-ports 100 -> --top-ports 50 or -p 22,80,443).-T4 -> -T3.--max-retries 1 (already minimal).Second timeout (same stage):
-p 22,80,443.-T2 and --host-timeout 30s.Never retry the exact same command after a timeout. Each retry MUST have a smaller scope or lower timing template.
-n skip DNS resolution-Pn skip host discovery when ICMP/ping is filtered-sS SYN scan (root/privileged)-sT TCP connect scan (no raw-socket privilege)-sV detect service versions-sC run default NSE scripts-p <ports> explicit ports (-p- for all TCP ports — Stage 3 only)--top-ports <n> quick common-port sweep (Stage 1 default)--open show only hosts with open ports-T<0-5> timing template (-T4 common, -T3 for broader scans)--max-retries <n> cap retransmissions--host-timeout <time> give up on very slow hosts--script-timeout <time> bound NSE script runtime-oA <prefix> output in normal/XML/grepable formatsIf nmap fails with "You requested a scan type which requires root privileges":
-sS with -sT.Stage 1 (Discovery):
nmap -n -Pn --open --top-ports 100 -T4 --max-retries 1 --host-timeout 60s -oA nmap_s1 <host>
Stage 2 (Service enrichment, ports from Stage 1):
nmap -n -Pn -sV -sC -p <ports> --script-timeout 30s --host-timeout 3m -oA nmap_s2 <host>
Stage 3 (Full port — explicit auth only):
nmap -n -Pn -p- -sV --open -T3 --max-retries 1 --host-timeout 10m -oA nmap_s3 <host>
-p- on the first call is a protocol violation.--host-timeout; add --script-timeout whenever NSE scripts are involved.-p- unless Stage 1 returned zero open ports AND the user explicitly requested full coverage.naabu for broad port discovery; use nmap for scoped verification/enrichment.-Pn.--script-timeout or switch to targeted scripts.If uncertain, query web_search with:
site:nmap.org/book nmap <flag>