Tool Integrations
Nmap's output formats and command-line interface make it well-suited for integration with other tools used in network analysis, vulnerability research, and incident response workflows.
XML to HTML Reportβ
Nmap's XML output can be converted to a self-contained HTML report using xsltproc and Nmap's bundled stylesheet.
xsltproc /usr/share/nmap/nmap.xsl scan_results.xml -o scan_report.html
- Use Case: Generating a readable HTML report from Nmap XML for sharing, briefing, or archiving.
- Why: The resulting HTML is self-contained and can be opened in any browser without Nmap installed.
Metasploit Frameworkβ
Import Nmap XML into the Metasploit Databaseβ
# Start Metasploit with database
msfconsole -q
# Inside Metasploit
db_import /tmp/scan_results.xml
hosts
services
- Use Case: Populating a Metasploit workspace with discovered hosts and services for exploitation or further enumeration.
- Why:
db_importparses Nmap XML directly into the Metasploit database, making all discovered hosts and services immediately available for module targeting.
Run Nmap From Within Metasploitβ
# Inside Metasploit β results saved directly to the database
db_nmap -sV -sC -T4 192.168.1.0/24
- Use Case: Scanning and immediately storing results without a separate export/import step.
- Why:
db_nmappasses all arguments directly to Nmap and automatically imports the results into the connected workspace database.
Searchsploit (Exploit-DB)β
Cross-reference discovered service versions with known public exploits.
Manual Version Lookup
For a specific service version identified by Nmap, query Searchsploit directly:
searchsploit apache 2.4.6
searchsploit openssh 7.4
# Extract open service versions from Nmap grepable output and search for exploits
nmap -sV 192.168.1.1 -oG - | grep "open" | awk '{print $5, $6, $7}' | sort -u | while read service; do
searchsploit "$service"
done
- Use Case: Rapidly identifying known public exploits for services discovered during scanning.
- Why: Searchsploit queries the local Exploit-DB database offline, enabling rapid exploit triage without internet access.
Python Parsingβ
Extract Hosts and Open Ports from XMLβ
import xml.etree.ElementTree as ET
tree = ET.parse('scan_results.xml')
root = tree.getroot()
for host in root.findall('host'):
addr = host.find('address').get('addr')
ports = host.findall('.//port')
open_ports = [p.get('portid') for p in ports if p.find('state').get('state') == 'open']
if open_ports:
print(f"{addr}: {', '.join(open_ports)}")
Extract Service Versionsβ
import xml.etree.ElementTree as ET
tree = ET.parse('scan_results.xml')
root = tree.getroot()
for host in root.findall('host'):
addr = host.find('address').get('addr')
for port in host.findall('.//port'):
if port.find('state').get('state') == 'open':
svc = port.find('service')
name = svc.get('name', '') if svc is not None else ''
product = svc.get('product', '') if svc is not None else ''
version = svc.get('version', '') if svc is not None else ''
print(f"{addr}:{port.get('portid')}/tcp {name} {product} {version}".strip())
- Use Case: Automated parsing and reporting of scan results, feeding into custom scripts or databases.
Netcat β Manual Banner Grabbingβ
After Nmap identifies open ports, Netcat can manually interact with services to retrieve banners or probe behavior.
# TCP banner grab
nc -nv 192.168.1.1 22
# HTTP header grab
echo -e "HEAD / HTTP/1.0\r\n\r\n" | nc -nv 192.168.1.1 80
# SMTP banner
nc -nv 192.168.1.1 25
- Use Case: Manually verifying or expanding on service information returned by Nmap's
-sV. - Why: Some services respond differently to Netcat than to Nmap's version detection probes, potentially revealing additional version or configuration details not captured by automated scanning.