🛡️ Methodology Checklist
- Save all formats at once: `nmap -oA [BASENAME] [TARGET]`
- Grepable format for parsing: `nmap -oG [FILE] [TARGET]`
- XML for tool import (Metasploit, Faraday): `nmap -oX [FILE] [TARGET]`
- Append to existing output: use `-oG -` (grepable output to stdout) and redirect
- Import XML into Metasploit: `db_import [FILE].xml`
- Review saved output before proceeding to the exploitation phase
🎯 Operational Context
Think Dumber First: Always use `-oA [basename]` from the very first scan — you cannot recreate scan results after the engagement. Store scans in organized directories: `/root/engagement/[TARGET]/scans/`. Grepable format (.gnmap) enables fast `grep` searches. XML format imports directly into Metasploit with `db_import`.
When you land here: Starting any scan. The baseline workflow: `nmap [FLAGS] -oA /root/[ENGAGEMENT]/scans/[TARGET]-[SCANTYPE]`. Never run a scan without output saving — it will be needed for the report, even if you think you won’t use it.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| `sudo nmap [TARGET_IP] -p- -oA scans/target-full` | Save all 3 output formats simultaneously (recommended) |
| `sudo nmap [TARGET_IP] -p- -oN scans/target.nmap` | Save human-readable normal format only |
| `sudo nmap [TARGET_IP] -p- -oG scans/target.gnmap` | Save grepable format only |
| `sudo nmap [TARGET_IP] -p- -oX scans/target.xml` | Save XML format only |
| `xsltproc target.xml -o report.html` | Convert XML output to HTML report |
| `grep "80/open" target.gnmap \| awk '{print $2}'` | Extract IPs with port 80 open from grepable output |
🔬 Deep Dive & Workflow
Output Formats
| Flag | Extension | Use Case |
|---|---|---|
| `-oN` | .nmap | Human-readable, good for quick review and pasting into notes |
| `-oG` | .gnmap | One line per host — easy parsing with grep/awk/cut |
| `-oX` | .xml | Structured data for importing into Metasploit (`db_import`), Searchsploit, or converting to HTML |
| `-oA` | All 3 | Best practice — always use this |
Why Save All Formats
- Comparison: Diff results between SYN vs Connect scans.
- Documentation: Evidence for pentest reports.
- Tool Import: Metasploit’s `db_import` requires XML; grepable is needed for scripted pipelines.
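Parsing .gnmap properly rather than grepping it ad hoc, and diffing two saves of the same target (the SYN-vs-Connect comparison above), as an added example that is not part of the original cheatsheet: the script reads the tab-separated `Key: value` fields of grepable output, collects open ports per host, and reports what each scan saw that the other did not. The two .gnmap contents are constructed samples, not real scan output.

```python
# Parse nmap grepable (.gnmap) output and diff open ports between two scans.
# The two .gnmap strings are constructed samples imitating what nmap -oG writes
# (one tab-separated 'Key: value' line per host); they are not real scan output.
from typing import Dict, Set, Tuple

# Constructed: SYN and Connect scans of the same host; the Connect scan "missed"
# 443 so the diff has something to report.
SYN_GNMAP = (
    "# Nmap scan initiated as: nmap -sS -p- -oG syn.gnmap 10.10.10.5\n"
    "Host: 10.10.10.5 ()\tStatus: Up\n"
    "Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/open/tcp//https///, 25/filtered/tcp//smtp///\tIgnored State: closed (65531)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned in 300.00 seconds\n"
)
CONNECT_GNMAP = (
    "# Nmap scan initiated as: nmap -sT -p- -oG connect.gnmap 10.10.10.5\n"
    "Host: 10.10.10.5 ()\tStatus: Up\n"
    "Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///"
    "\tIgnored State: closed (65533)\n"
)

OpenPorts = Dict[str, Set[Tuple[int, str]]]  # {ip: {(port, proto), ...}}

def parse_gnmap(text: str) -> OpenPorts:
    """Collect open (port, protocol) pairs per host from grepable output."""
    hosts: OpenPorts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '#' comment lines carry no host data
        # Fields are tab-separated "Key: value" pairs, e.g. "Ports: ..."
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]  # "10.10.10.5 (hostname)" -> ip only
        hosts.setdefault(ip, set())
        # Each port entry is port/state/proto/owner/service/rpcinfo/version/
        for entry in fields.get("Ports", "").split(", "):
            parts = entry.split("/")
            if len(parts) >= 3 and parts[0].isdigit() and parts[1] == "open":
                hosts[ip].add((int(parts[0]), parts[2]))
    return hosts

def diff_scans(a: str, b: str) -> Dict[str, Dict[str, Set[Tuple[int, str]]]]:
    """Per host: open ports seen only in scan a, and only in scan b."""
    pa, pb = parse_gnmap(a), parse_gnmap(b)
    return {ip: {"only_in_a": pa.get(ip, set()) - pb.get(ip, set()),
                 "only_in_b": pb.get(ip, set()) - pa.get(ip, set())}
            for ip in sorted(set(pa) | set(pb))}

if __name__ == "__main__":
    for ip, d in diff_scans(SYN_GNMAP, CONNECT_GNMAP).items():
        print(ip, "SYN-only:", sorted(d["only_in_a"]), "Connect-only:", sorted(d["only_in_b"]))
```

Point it at two real saves (`-oG` files from the scans directory) by reading them with `open(...).read()` in place of the sample strings; a non-empty difference is a prompt to rescan the disagreeing ports before writing them into the report.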
HTML Report
xsltproc (pre-installed on Kali/Parrot) converts the XML to a styled browser-viewable table of open ports.
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Output files created in wrong directory | Relative path used | Always use absolute path: -oA /root/htb/[BOX]/scans/initial; verify with ls -la /root/htb/[BOX]/scans/ |
| XML import to MSF fails ‘no services found’ | Scan run without -sV; no version data in XML | Re-run targeted scan with -sV: `nmap -p [OPEN_PORTS] -sV -oX rescan.xml [TARGET]`; then `db_import rescan.xml` |
| grep on .gnmap returns no results | Wrong field syntax | Grepable format: `grep 'open' file.gnmap \| awk '{print $2}'`; fields are: Host State OpenPorts Hostname |
| Output file is 0 bytes | Scan failed immediately (bad target or permission) | Check nmap exit code: echo $?; run with -v to see failure reason; confirm target is reachable |
| Can’t open .xml in browser | No XSLT stylesheet linked | Convert: xsltproc /usr/share/nmap/nmap.xsl result.xml -o result.html; open result.html in browser |
📝 Reporting Trigger
Finding Title: (Scan output is evidence — attach relevant nmap output files to findings as supporting evidence. XML output linked to CVE database provides authoritative version-to-vulnerability mapping. Incomplete scan coverage should be disclosed in report limitations.)