nmap
// Canonical Nmap CLI syntax, two-pass scanning workflow, and sandbox-safe bounded scan patterns.
| name | nmap |
| description | Canonical Nmap CLI syntax, strict staged scanning workflow, and sandbox-safe bounded scan patterns with timeout backoff. |
Official docs:
Nmap scans MUST follow a staged escalation pattern. NEVER jump to a broad sweep on the first call.
Stage 1 (Discovery):
Goal: Find live hosts and open ports quickly.
- Use `--top-ports 100` or a smaller explicit port list (`-p 22,80,443,8080,8443`).
- No version detection (`-sV`) and no scripts (`-sC`) at this stage.
- Set `--host-timeout 60s`.
- Command: `nmap -n -Pn --open --top-ports 100 -T4 --max-retries 1 --host-timeout 60s -oA nmap_stage1 <target>`

Stage 2 (Service enrichment):
Goal: Identify services and versions on discovered ports.
- Run `-sV -sC` scoped to the exact ports found in Stage 1: `-p <comma_ports>`.
- Set `--script-timeout 30s` and `--host-timeout 3m`.
- Command: `nmap -n -Pn -sV -sC -p <ports> --script-timeout 30s --host-timeout 3m -oA nmap_stage2 <target>`

Stage 3 (Full port sweep):
Goal: Only run when Stage 1 found nothing useful AND the user explicitly asked for comprehensive coverage.
- `-p-` or `--top-ports 1000` are Stage 3 ONLY.
- Confirm with the user first: a full port scan (`-p-`) may take 10-30 minutes.
- Use `-T3` or lower and `--max-retries 1` to bound the duration.
- Command: `nmap -n -Pn -p- -sV --open -T3 --max-retries 1 --host-timeout 10m -oA nmap_stage3 <target>`

Stage 4 (Targeted NSE):
Goal: Run targeted NSE scripts against known service versions.
- Never run `--script=vuln` against all ports blindly.
- Use `--script=http-*` for HTTP, `--script=ssh-*` for SSH, etc.
- Command: `nmap -n -Pn -p <ports> --script=<service-family>-vuln --script-timeout 30s -oA nmap_stage4 <target>`

If ANY nmap invocation hits a timeout or runs longer than expected, apply this backoff sequence:
First timeout (>60s for Stage 1, >3m for Stage 2):
- Reduce the port scope (`--top-ports 100` -> `--top-ports 50`, or `-p 22,80,443`).
- Lower the timing template: `-T4` -> `-T3`.
- Keep `--max-retries 1` (already minimal).

Second timeout (same stage):
- Restrict to `-p 22,80,443`.
- Use `-T2` and `--host-timeout 30s`.

Never retry the exact same command after a timeout. Each retry MUST have a smaller scope or a lower timing template.
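The backoff sequence above as runnable logic. This is an added example, not part of the skill file: commands are handled as argv lists, `STAGE1` is the skill's Stage 1 command with a placeholder target (10.0.0.5), and the first-retry rule is generalised slightly to halve whatever `--top-ports` value is present (100 -> 50 in the skill's case). It also enforces the "never retry the exact same command" rule by refusing to return an unchanged argv, and returns `None` after the second backoff so the caller stops instead of looping.

```python
"""Timeout backoff for a bounded nmap invocation: narrow the scope on each
retry, never repeat an identical command, and stop after the second backoff.

Added example, not part of the skill file. Commands are argv lists; STAGE1
is the skill's Stage 1 command with a placeholder target address.
"""

STAGE_LIMITS = {1: 60, 2: 180}   # seconds before a stage counts as timed out
NARROW_PORTS = "22,80,443"       # the fallback explicit port list from the skill

STAGE1 = ["nmap", "-n", "-Pn", "--open", "--top-ports", "100", "-T4",
          "--max-retries", "1", "--host-timeout", "60s", "-oA", "nmap_stage1",
          "10.0.0.5"]  # placeholder target


def timed_out(stage, elapsed_seconds):
    """True when a stage ran past its limit (>60s Stage 1, >3m Stage 2)."""
    return elapsed_seconds > STAGE_LIMITS.get(stage, 0)


def _drop_option(argv, name):
    """Remove `name` and its value from argv (no-op if absent)."""
    out, skip = [], False
    for tok in argv:
        if skip:
            skip = False
            continue
        if tok == name:
            skip = True
            continue
        out.append(tok)
    return out


def _set_option(argv, name, value):
    """Replace the value of `name` in place, or add `name value` before the
    final positional target."""
    if name in argv:
        i = argv.index(name)
        return argv[:i + 1] + [value] + argv[i + 2:]
    return argv[:-1] + [name, value] + argv[-1:]


def _cap_timing(argv, ceiling):
    """Lower any -T<n> template so it is at most -T<ceiling>."""
    out = []
    for tok in argv:
        if len(tok) == 3 and tok.startswith("-T") and tok[2].isdigit():
            tok = "-T%d" % min(int(tok[2]), ceiling)
        out.append(tok)
    return out


def back_off(argv, attempt):
    """Return the narrowed command for retry `attempt` (1 or 2), or None when
    the skill says to stop. Raises if the retry would repeat the same argv."""
    argv = list(argv)
    if attempt == 1:
        if "--top-ports" in argv:   # --top-ports 100 -> --top-ports 50
            i = argv.index("--top-ports")
            new = argv[:i + 1] + [str(max(1, int(argv[i + 1]) // 2))] + argv[i + 2:]
        else:                       # explicit list -> -p 22,80,443
            new = _set_option(argv, "-p", NARROW_PORTS)
        new = _cap_timing(new, 3)   # -T4 -> -T3; --max-retries 1 is left alone
    elif attempt == 2:
        new = _set_option(_drop_option(argv, "--top-ports"), "-p", NARROW_PORTS)
        new = _cap_timing(new, 2)   # -T2
        new = _set_option(new, "--host-timeout", "30s")
    else:
        return None
    if new == argv:
        raise RuntimeError("retry would repeat the same command; narrow it instead")
    return new


if __name__ == "__main__":
    first = back_off(STAGE1, 1)
    second = back_off(first, 2)
    print("retry 1:", " ".join(first))
    print("retry 2:", " ".join(second))
    print("retry 3:", back_off(second, 3))
```

Feed `back_off` the exact argv that timed out and the retry number for that stage; a `RuntimeError` means the command is already at the narrowest scope the skill allows, and a `None` means the stage should be abandoned rather than retried a third time.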
Flag reference:

| Flag | Meaning |
| --- | --- |
| `-n` | skip DNS resolution |
| `-Pn` | skip host discovery when ICMP/ping is filtered |
| `-sS` | SYN scan (root/privileged) |
| `-sT` | TCP connect scan (no raw-socket privilege) |
| `-sV` | detect service versions |
| `-sC` | run default NSE scripts |
| `-p <ports>` | explicit ports (`-p-` for all TCP ports; Stage 3 only) |
| `--top-ports <n>` | quick common-port sweep (Stage 1 default) |
| `--open` | show only hosts with open ports |
| `-T<0-5>` | timing template (`-T4` common, `-T3` for broader scans) |
| `--max-retries <n>` | cap retransmissions |
| `--host-timeout <time>` | give up on very slow hosts |
| `--script-timeout <time>` | bound NSE script runtime |
| `-oA <prefix>` | output in normal/XML/grepable formats |

If nmap fails with "You requested a scan type which requires root privileges":
- Replace `-sS` with `-sT`.

Stage 1 (Discovery):
nmap -n -Pn --open --top-ports 100 -T4 --max-retries 1 --host-timeout 60s -oA nmap_s1 <host>
Stage 2 (Service enrichment, ports from Stage 1):
nmap -n -Pn -sV -sC -p <ports> --script-timeout 30s --host-timeout 3m -oA nmap_s2 <host>
Stage 3 (Full port — explicit auth only):
nmap -n -Pn -p- -sV --open -T3 --max-retries 1 --host-timeout 10m -oA nmap_s3 <host>
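The Stage 1 to Stage 2 handoff above depends on reading the Stage 1 output and scoping Stage 2 to exactly the ports that were open. The following is an added example, not part of the skill file: it parses the XML that `-oA nmap_stage1` writes (`nmap_stage1.xml`), keeps only ports whose state is `open` (so filtered or closed ports cannot widen the scope), builds the Stage 2 argv, and applies the escalation rule for Stage 3 (only when Stage 1 found nothing AND the user explicitly asked for full coverage). `STAGE1_XML` is a constructed sample in nmap's XML layout and 10.0.0.5 is a placeholder address.

```python
"""Stage 1 -> Stage 2 handoff: parse nmap XML output, keep open TCP ports,
and produce the scoped Stage 2 command or the Stage 3 / stop decision.

Added example, not part of the skill file. STAGE1_XML is a constructed
sample in nmap's XML layout; 10.0.0.5 is a placeholder address.
"""
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements this parser reads.
STAGE1_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -n -Pn --open --top-ports 100 -T4 10.0.0.5" version="7.94">
  <host>
    <status state="up" reason="user-set"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/></port>
      <port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/><service name="http-proxy"/></port>
    </ports>
  </host>
  <runstats><finished elapsed="12.40"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""


def open_ports_by_host(xml_text):
    """Return {address: sorted open TCP ports}. Filtered and closed ports are
    dropped so they cannot widen the Stage 2 scope."""
    root = ET.fromstring(xml_text)
    found = {}
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address")
        if addr is None:
            continue
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if (port.get("protocol") == "tcp" and state is not None
                    and state.get("state") == "open"):
                ports.append(int(port.get("portid")))
        found[addr.get("addr")] = sorted(ports)
    return found


def stage2_command(host, ports, prefix="nmap_stage2"):
    """Stage 2 argv from the skill file, scoped to exactly the ports found."""
    if not ports:
        raise ValueError("Stage 2 requires at least one open port from Stage 1")
    return ["nmap", "-n", "-Pn", "-sV", "-sC", "-p", ",".join(map(str, ports)),
            "--script-timeout", "30s", "--host-timeout", "3m", "-oA", prefix, host]


def stage3_command(host, prefix="nmap_stage3"):
    """Stage 3 argv from the skill file (bounded full TCP sweep)."""
    return ["nmap", "-n", "-Pn", "-p-", "-sV", "--open", "-T3", "--max-retries", "1",
            "--host-timeout", "10m", "-oA", prefix, host]


def next_step(xml_text, host, user_requested_full=False):
    """Escalation rule: Stage 2 when Stage 1 found open ports; Stage 3 only
    when it found none AND the user explicitly asked for full coverage;
    otherwise stop."""
    ports = open_ports_by_host(xml_text).get(host, [])
    if ports:
        return "stage2", stage2_command(host, ports)
    if user_requested_full:
        return "stage3", stage3_command(host)
    return "stop", None


if __name__ == "__main__":
    step, argv = next_step(STAGE1_XML, "10.0.0.5")
    print(step, " ".join(argv))
```

In practice the XML text comes from reading `nmap_stage1.xml` after Stage 1 finishes; `next_step` then returns the exact argv to run next, or `("stop", None)` when neither Stage 2 nor Stage 3 is permitted.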
Rules:
- Running `-p-` on the first call is a protocol violation.
- Always set `--host-timeout`; add `--script-timeout` whenever NSE scripts are involved.
- Never use `-p-` unless Stage 1 returned zero open ports AND the user explicitly requested full coverage.
- Use naabu for broad port discovery; use nmap for scoped verification/enrichment.
- Use `-Pn` when ICMP/ping is filtered and hosts would otherwise be reported as down.
- If NSE scripts stall, lower `--script-timeout` or switch to targeted scripts.
- If uncertain, query web_search with:
site:nmap.org/book nmap <flag>