Creating a super nice HTML report from nmap .xml output — easy

DJ SUBSTANCE
4 min readSep 19, 2023
DJ Substance brings you the nfoz in 2o23
It surprisingly easy to create a badass .html report from the ugly NMAP output

Required Tools prior to making reports:

Any version of nmap installed that supports the -oA (output all formats).
The way I typically run nmap is as follows:

bash#  nmap -sX -sC -Avvv --top-ports 50 -oA <prefixfilename>  x.x.x.x/x 

Make sure you have permission to write to — if not you could write to /tmp
The main things I would advise without getting into nmap details here:

Keep in mind if the host your nmaping is NOT responding to ICMP :

DJ Substance — nmap output no ping
Keep in mind port scanning a host that is blocking pings can take forever

It is a good thing to ask ChatGPT why this is. Why nmaping 65,000 ports if the host replys with ICMP takes < 5 m, but if the host doesnt reply to ping, it could be 72 hours, and not have exact reliability. This is why i suggest using — top-ports <N> Keep it under 50. In addition

  • sX — “Xmas Scan” — This used to be stealth back in the day with half open connection, but its just a normal TCP scan now
  • sC — nmap nse — utilitize default nmap NSE scripts (google it)
  • Avvv — Verbose Grab banners etc
  • oA — Write out the gnmap , xml and another format.

Time to rock and roll, load up either GUI zenmap or just root nmap —

DJ Substance / nmap
Althought I just picked some random flags, the key is the -oA its going to write the .xml file to /tmp

Once the scan finishes locate the .xml file created (you can always ls -latr, which shows you the last modified files at the bottom).

Notice the HTTP Methods carefully controlled — no TRACE / PUT / DELETE methods

BTW: This is what you should see on your web server’s nothing less, nothing more — port 80 and 443. Output files in /tmp

Verify the .xml file is structurally correct, at times i see a random character in the top.

--

--

DJ SUBSTANCE

twenty years professionally as a Network Engineer, more recently I have focused on red teaming mostly, but I am always up for learning and exchanging info