Skill

port-scanning

Intelligent port scanning orchestration with nmap service detection and vulnerability scripting

Install

Run in your terminal

npx claudepluginhub overtimepog/greyhatcc --plugin greyhatcc

Tool Access

This skill uses the workspace's default tool permissions.

Skill Content

Similar Skills

agent-harness-construction

Designs and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.

ecc

140.3k

agent-payment-x402

Enables AI agents to execute x402 payments with per-task budgets, spending controls, and non-custodial wallets via MCP tools. Use when agents pay for APIs, services, or other agents.

ecc

140.3k

agent-eval

Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.

ecc

140.3k

Stats

Stars0

Forks0

Last CommitFeb 25, 2026

Actions

View Source View Plugin View on GitHub View README

Port Scanning

Usage

/greyhatcc:portscan <target> [--quick|--full|--vuln|--udp|--stealth]

Smart Input

{{ARGUMENTS}} is parsed automatically — just provide a target in any format:

URL (https://example.com/path) → extracted domain + full URL used as target
Domain (example.com) → https:// prepended, used as target
IP (1.2.3.4) → used directly for infrastructure testing
H1 URL (hackerone.com/program) → program handle extracted, scope loaded via H1 API
Empty → error: "Usage: /greyhatcc:<skill> <target>"

No format specification needed from user — detect and proceed.

Context Loading (MANDATORY)

Before executing this skill:

Load scope: .greyhatcc/scope.json — verify target IP/domain is in scope, note exclusions
Load hunt state: .greyhatcc/hunt-state.json — check active phase, resume context
Load program files: findings_log.md, tested.json, gadgets.json — avoid duplicating work
Load memory: Check MEMORY.md for target-specific notes from previous sessions
Check program rules: respect rate limits, testing hours, prohibited methods (some programs ban aggressive scanning)

Scan Profiles

Quick (default) — 2-5 minutes

nmap -Pn -sV --top-ports 1000 -T4 <target>

Flags: -Pn skip host discovery (assume up), -sV version detection, -T4 aggressive timing.

Full — 15-60 minutes

nmap -Pn -sV -sC -p- -T3 <target>

Flags: -p- all 65535 ports, -sC default scripts, -T3 normal timing (less likely to trigger rate limits). Consider run_in_background: true for this if you have other work to do — it takes time. Foreground is fine if you're waiting for results.

Vulnerability — 5-15 minutes

nmap -Pn -sV --script vuln -p <detected_ports> <target>

Run AFTER quick/full scan. Only scan ports already discovered. --script vuln runs vulnerability detection scripts.

UDP — 10-30 minutes

nmap -Pn -sU --top-ports 100 -T4 <target>

Flags: -sU UDP scan (much slower than TCP). Focus on top 100 UDP ports. Key UDP services: DNS (53), SNMP (161/162), TFTP (69), NTP (123), LDAP (389).

Stealth — 10-30 minutes

nmap -Pn -sS -sV --top-ports 1000 -T2 --randomize-hosts --data-length 50 <target>

Flags: -sS SYN scan (half-open), -T2 polite timing, --randomize-hosts random scan order, --data-length pad packets. Use when: WAF/IDS is active, program requires low-noise testing.

Nmap Flag Reference

Flag	Purpose	When to Use
`-Pn`	Skip host discovery	Always (assume host is up)
`-sV`	Version detection	Always (identify service versions)
`-sC`	Default scripts	Full scans (fingerprint + light vuln check)
`-sS`	SYN stealth scan	When avoiding detection
`-sU`	UDP scan	When looking for DNS, SNMP, NTP
`-p-`	All 65535 ports	Full scans
`--top-ports N`	Top N common ports	Quick scans
`-T0` to `-T5`	Timing (paranoid to insane)	T2-T4 typical for bug bounty
`--script <name>`	NSE script	Targeted vuln checking
`-oN`, `-oX`, `-oG`	Output format	Save results (normal, XML, grepable)
`--open`	Show only open ports	Reduce output noise
`-A`	Aggressive (OS + version + scripts + traceroute)	Deep enumeration
`--reason`	Show why port is open/closed	Debugging scan results

Background Execution (Optional)

For long-running scans, you may use background execution if you have other work to do:

# Full TCP scan — optionally run in background
nmap -Pn -sV -sC -p- -T3 -oN recon/portscan_full.txt <target>
# Set run_in_background: true only if you want to work on something else meanwhile

Foreground is the default and works fine — you'll get the results immediately.

Monitor background scans:

# Check if nmap is still running
ps aux | grep nmap

Output Parsing

After scan completes, extract key findings:

Service Found	Significance	Next Steps
HTTP (80/443)	Web application	`/greyhatcc:webapp`, `/greyhatcc:js`
SSH (22)	Remote access	Check version, brute force if in scope
MySQL (3306) / PostgreSQL (5432)	Database	Check for default creds, public access
Redis (6379)	Cache/DB	Check for unauthenticated access
MongoDB (27017)	NoSQL DB	Check for unauthenticated access
Elasticsearch (9200)	Search engine	Check for open API, data exposure
Docker (2375/2376)	Container engine	Check for unauthenticated API
Kubernetes (6443/8443)	Orchestrator	Check for exposed API, RBAC bypass
RDP (3389)	Remote desktop	Check version, BlueKeep
SMB (445)	File sharing	Check for null session, EternalBlue
SNMP (161)	Network management	Check for public community string
FTP (21)	File transfer	Check for anonymous login

Post-Scan

Parse results and extract open ports + service versions
Cross-reference services with Shodan data (MCP: greyhatcc_s__shodan_host_lookup)
Check detected versions against CVE database (MCP: greyhatcc_sec__cve_search)
Save to recon/portscan_<target>_<profile>.md
Update tested.json with ports scanned
Feed non-standard ports into webapp-testing skill

State Updates

After completing this skill:

Update tested.json — record what was tested (asset + vuln class)
Update gadgets.json — add any informational findings with provides/requires tags for chaining
Update findings_log.md — log any confirmed findings with severity
Update hunt-state.json if in active hunt — set lastActivity timestamp