Skip to main content

Tool Integrations


Nmap's output formats and command-line interface make it well-suited for integration with other tools used in network analysis, vulnerability research, and incident response workflows.


XML to HTML Report​

Nmap's XML output can be converted to a self-contained HTML report using xsltproc and Nmap's bundled stylesheet.

xsltproc /usr/share/nmap/nmap.xsl scan_results.xml -o scan_report.html
  • Use Case: Generating a readable HTML report from Nmap XML for sharing, briefing, or archiving.
  • Why: The resulting HTML is self-contained and can be opened in any browser without Nmap installed.

Metasploit Framework​

Import Nmap XML into the Metasploit Database​

# Start Metasploit with database
msfconsole -q

# Inside Metasploit
db_import /tmp/scan_results.xml
hosts
services
  • Use Case: Populating a Metasploit workspace with discovered hosts and services for exploitation or further enumeration.
  • Why: db_import parses Nmap XML directly into the Metasploit database, making all discovered hosts and services immediately available for module targeting.

Run Nmap From Within Metasploit​

# Inside Metasploit β€” results saved directly to the database
db_nmap -sV -sC -T4 192.168.1.0/24
  • Use Case: Scanning and immediately storing results without a separate export/import step.
  • Why: db_nmap passes all arguments directly to Nmap and automatically imports the results into the connected workspace database.

Searchsploit (Exploit-DB)​

Cross-reference discovered service versions with known public exploits.

Manual Version Lookup

For a specific service version identified by Nmap, query Searchsploit directly:

searchsploit apache 2.4.6
searchsploit openssh 7.4
# Extract open service versions from Nmap grepable output and search for exploits
nmap -sV 192.168.1.1 -oG - | grep "open" | awk '{print $5, $6, $7}' | sort -u | while read service; do
searchsploit "$service"
done
  • Use Case: Rapidly identifying known public exploits for services discovered during scanning.
  • Why: Searchsploit queries the local Exploit-DB database offline, enabling rapid exploit triage without internet access.

Python Parsing​

Extract Hosts and Open Ports from XML​

import xml.etree.ElementTree as ET

tree = ET.parse('scan_results.xml')
root = tree.getroot()

for host in root.findall('host'):
addr = host.find('address').get('addr')
ports = host.findall('.//port')
open_ports = [p.get('portid') for p in ports if p.find('state').get('state') == 'open']
if open_ports:
print(f"{addr}: {', '.join(open_ports)}")

Extract Service Versions​

import xml.etree.ElementTree as ET

tree = ET.parse('scan_results.xml')
root = tree.getroot()

for host in root.findall('host'):
addr = host.find('address').get('addr')
for port in host.findall('.//port'):
if port.find('state').get('state') == 'open':
svc = port.find('service')
name = svc.get('name', '') if svc is not None else ''
product = svc.get('product', '') if svc is not None else ''
version = svc.get('version', '') if svc is not None else ''
print(f"{addr}:{port.get('portid')}/tcp {name} {product} {version}".strip())
  • Use Case: Automated parsing and reporting of scan results, feeding into custom scripts or databases.

Netcat β€” Manual Banner Grabbing​

After Nmap identifies open ports, Netcat can manually interact with services to retrieve banners or probe behavior.

# TCP banner grab
nc -nv 192.168.1.1 22

# HTTP header grab
echo -e "HEAD / HTTP/1.0\r\n\r\n" | nc -nv 192.168.1.1 80

# SMTP banner
nc -nv 192.168.1.1 25
  • Use Case: Manually verifying or expanding on service information returned by Nmap's -sV.
  • Why: Some services respond differently to Netcat than to Nmap's version detection probes, potentially revealing additional version or configuration details not captured by automated scanning.