Ultimate Scanning Framework

Perform comprehensive network and vulnerability scanning using industry-standard tools. This skill covers port scanning with Nmap, vulnerability assessment with Nessus and OpenVAS, web application scanning, service enumeration, and automated scan orchestration for security assessments.

When to Use This Skill

Choose Ultimate Scanning Framework when you need to:

• Discover hosts, open ports, and running services across network ranges
• Identify known vulnerabilities with automated scanning tools
• Enumerate web application attack surfaces and technologies
• Build automated scanning pipelines for regular security assessments

Consider alternatives when:

• You need to exploit discovered vulnerabilities (use Metasploit or specific attack skills)
• You need manual web application testing (use Burp Suite)
• You need cloud-specific security scanning (use Prowler, ScoutSuite)

Quick Start

Copy
# Host discovery
nmap -sn 10.0.0.0/24 -oG hosts.gnmap

# Comprehensive port and service scan
nmap -sC -sV -O -p- --min-rate 5000 -oA full_scan 10.0.0.1

# Web application scanning
nikto -h https://target.com -output nikto_results.txt
nuclei -u https://target.com -t cves/ -o nuclei_results.txt

Copy
import subprocess
import json
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Dict

@dataclass
class ScanResult:
    host: str
    ports: List[Dict] = field(default_factory=list)
    os_guess: str = ""
    vulnerabilities: List[Dict] = field(default_factory=list)

def parse_nmap_xml(xml_file: str) -> List[ScanResult]:
    """Parse Nmap XML output into structured results."""
    tree = ET.parse(xml_file)
    root = tree.getroot()
    results = []

    for host in root.findall('.//host'):
        addr = host.find('.//address[@addrtype="ipv4"]')
        if addr is None:
            continue

        result = ScanResult(host=addr.get('addr'))

        # Parse ports
        for port in host.findall('.//port'):
            state = port.find('state')
            service = port.find('service')
            port_info = {
                'port': int(port.get('portid')),
                'protocol': port.get('protocol'),
                'state': state.get('state') if state is not None else 'unknown',
                'service': service.get('name', '') if service is not None else '',
                'version': service.get('version', '') if service is not None else '',
                'product': service.get('product', '') if service is not None else '',
            }
            result.ports.append(port_info)

        # Parse OS detection
        os_match = host.find('.//osmatch')
        if os_match is not None:
            result.os_guess = os_match.get('name', '')

        results.append(result)

    return results

# results = parse_nmap_xml("full_scan.xml")
# for r in results:
#     print(f"{r.host}: {len(r.ports)} open ports, OS: {r.os_guess}")

Core Concepts

Scanning Tool Reference

Tool	Purpose	Speed	Output
Nmap	Port scanning, service detection	Medium	XML, grepable, normal
Masscan	Ultra-fast port scanning	Very fast	Binary, JSON, list
Nuclei	Template-based vuln scanning	Fast	JSON, SARIF
Nikto	Web server scanning	Medium	TXT, HTML, CSV
OpenVAS	Full vulnerability assessment	Slow	HTML, PDF, XML
Nessus	Enterprise vuln scanning	Slow	HTML, CSV, Nessus format
Rustscan	Fast port scan → Nmap	Very fast	Nmap integration
testssl.sh	TLS/SSL configuration testing	Medium	HTML, JSON

Automated Scan Pipeline

Copy
import subprocess
import os
from datetime import datetime
from pathlib import Path

class ScanPipeline:
    """Orchestrate multiple scanning tools in sequence."""

    def __init__(self, target, output_dir="scan_results"):
        self.target = target
        self.output_dir = Path(output_dir) / datetime.now().strftime("%Y%m%d_%H%M%S")
        self.output_dir.mkdir(parents=True, exist_ok=True)
        self.results = {}

    def run_command(self, name, command, timeout=600):
        """Run a scan command and capture output."""
        print(f"[*] Running {name}...")
        try:
            result = subprocess.run(
                command, shell=True, capture_output=True,
                text=True, timeout=timeout
            )
            self.results[name] = {
                'status': 'success' if result.returncode == 0 else 'error',
                'stdout': result.stdout,
                'stderr': result.stderr,
            }
            print(f"[+] {name} completed")
        except subprocess.TimeoutExpired:
            self.results[name] = {'status': 'timeout'}
            print(f"[!] {name} timed out")
        except Exception as e:
            self.results[name] = {'status': 'error', 'error': str(e)}

    def full_scan(self):
        """Run comprehensive scan pipeline."""
        out = self.output_dir

        # Phase 1: Fast port discovery
        self.run_command("port_discovery",
            f"nmap -p- --min-rate 10000 -oG {out}/ports.gnmap {self.target}",
            timeout=300)

        # Phase 2: Service detection on open ports
        # Parse ports from phase 1
        ports = self._extract_ports(f"{out}/ports.gnmap")
        if ports:
            port_str = ','.join(str(p) for p in ports)
            self.run_command("service_scan",
                f"nmap -sC -sV -p {port_str} -oX {out}/services.xml {self.target}",
                timeout=600)

        # Phase 3: Web scanning (if web ports found)
        web_ports = [p for p in ports if p in (80, 443, 8080, 8443)]
        for port in web_ports:
            scheme = 'https' if port in (443, 8443) else 'http'
            self.run_command(f"nikto_{port}",
                f"nikto -h {scheme}://{self.target}:{port} -output {out}/nikto_{port}.txt",
                timeout=300)

        # Phase 4: SSL/TLS check
        if 443 in ports:
            self.run_command("ssl_check",
                f"sslscan {self.target}:443 > {out}/sslscan.txt",
                timeout=120)

        self._generate_summary()

    def _extract_ports(self, gnmap_file):
        """Extract open ports from grepable Nmap output."""
        ports = set()
        try:
            with open(gnmap_file) as f:
                for line in f:
                    if 'Ports:' in line:
                        for part in line.split('Ports: ')[1].split(','):
                            port_num = part.strip().split('/')[0]
                            if port_num.isdigit():
                                ports.add(int(port_num))
        except FileNotFoundError:
            pass
        return sorted(ports)

    def _generate_summary(self):
        print(f"\n{'='*50}")
        print(f"SCAN SUMMARY — {self.target}")
        print(f"{'='*50}")
        for name, result in self.results.items():
            print(f"  {name}: {result['status']}")
        print(f"\nResults saved to: {self.output_dir}")

# pipeline = ScanPipeline("10.0.0.1")
# pipeline.full_scan()

Configuration

Parameter	Description	Default
target	IP, hostname, or CIDR range	Required
port_range	Ports to scan	"1-65535"
scan_speed	Nmap timing template (T1-T5)	"T4"
min_rate	Minimum packets per second	5000
service_detection	Enable service version detection	true
os_detection	Enable OS fingerprinting	true
script_scan	Run Nmap default scripts	true
output_format	Output format (xml, gnmap, json)	"xml"

Best Practices

1. Use a two-phase scanning approach — Run a fast port discovery scan first (nmap -p- --min-rate 10000), then a detailed service scan only on discovered open ports. This is 10x faster than running -sC -sV -p- in a single pass.

2. Always save scan output in parseable formats — Use -oX for XML and -oG for grepable output. Raw terminal output is hard to process programmatically. XML output integrates with Metasploit (db_import), and grepable output works with grep and awk for quick analysis.

3. Scan UDP ports for commonly missed services — UDP scanning is slow and often skipped. Run nmap -sU --top-ports 50 at minimum to catch DNS (53), SNMP (161), TFTP (69), and NTP (123). These services are frequently misconfigured and provide valuable reconnaissance data.

4. Use Nuclei templates for fast vulnerability checks — Nuclei's template-based scanning is faster than full vulnerability scanners for known CVEs. Run nuclei -u target -t cves/ -t misconfigurations/ for rapid assessment. Community templates cover thousands of CVEs.

5. Verify scanner findings manually before reporting — Automated scanners produce false positives. Verify each finding by manually confirming the vulnerability. A scanner report with unverified findings reduces credibility. Mark each finding as verified or unverified in the report.

Common Issues

Nmap scans are blocked by firewall/IDS — Use fragmented packets (-f), decoy scans (-D RND:5), or slow timing (-T1). For stealth, use SYN scan (-sS) which doesn't complete the TCP handshake. Some IDS systems trigger on the scan rate, not the scan itself.

Scanner reports hundreds of low-severity findings — Focus on high and critical severity findings first. Filter scan output by CVSS score or severity level. Many low-severity findings (missing headers, deprecated TLS versions) are noise in penetration tests but matter for compliance audits.

Masscan results differ from Nmap results — Masscan uses its own TCP stack and may miss ports that Nmap finds (and vice versa). Use Masscan for speed and initial discovery, then validate interesting hosts with Nmap. The tools complement each other.