# nmap - Network Port Scanner & Service Detection (`anshumanatrey/nmap-scanner`) Actor Cloud-hosted nmap (industry-standard network scanner by Fyodor). TCP connect port scans, service/version detection, NSE scripts. Results streamed as structured dataset records โ€” one row per discovered port. $0.005 per record. Authorize scans before running. - **URL**: https://apify.com/anshumanatrey/nmap-scanner.md - **Developed by:** [Anshuman Atrey](https://apify.com/anshumanatrey) (community) - **Categories:** Developer tools, Automation - **Stats:** 2 total users, 1 monthly users, 100.0% runs succeeded, NaN bookmarks - **User rating**: No ratings yet ## Pricing $5.00 / 1,000 scan records This Actor is paid per event. You are not charged for the Apify platform usage, but only a fixed price for specific events. Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-event ## What's an Apify Actor? Actors are a software tools running on the Apify platform, for all kinds of web data extraction and automation use cases. In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours, and optionally produces a well-defined JSON output, datasets with results, or files in key-value store. In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server. Actors are written with capital "A". ## How to integrate an Actor? If asked about integration, you help developers integrate Actors into their projects. You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready. The best way to integrate Actors is as follows. In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md): ```bash npm install apify-client ``` In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md): ```bash pip install apify-client ``` In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md): ````bash # MacOS / Linux curl -fsSL https://apify.com/install-cli.sh | bash # Windows irm https://apify.com/install-cli.ps1 | iex ```bash In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md). If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md). For usage examples, see the [API](#api) section below. For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt). # README ## nmap โ€” Network Port Scanner & Service Detection ๐Ÿ“ฆ **Open source ยท MIT:** [github.com/AnshumanAtrey/nmap-scanner](https://github.com/AnshumanAtrey/nmap-scanner) Cloud-hosted [nmap](https://nmap.org) (the industry-standard network scanner by Fyodor / Insecure.Com). Run port scans, service/version detection, OS fingerprinting (limited), and the full library of [Nmap Scripting Engine (NSE)](https://nmap.org/book/nse.html) scripts against any target you're authorized to scan. Results are streamed into the Apify dataset as **structured records** โ€” one row per open port, one per host, one per NSE script result, plus a summary. The raw nmap XML is also saved to the key-value store for downstream tooling. ### Authorization disclaimer You **must** be authorized to scan the target. Port scanning unowned hosts without permission may violate the [Computer Fraud and Abuse Act](https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act) (US) and equivalent laws elsewhere. Use this actor for: your own infrastructure, bug bounty targets within scope, lawful penetration tests, security research, and the official permitted target `scanme.nmap.org`. ### Quick start ```json { "target": "scanme.nmap.org", "scanProfile": "standard" } ```` This scans the top 1000 TCP ports with service/version detection. Takes ~30-60 seconds. ### Apify sandbox constraints Apify containers run **unprivileged** โ€” no root, no `CAP_NET_RAW`. This means: | Scan type | Available? | Reason | |---|---|---| | TCP Connect (`-sT`) | โœ… Yes (default) | Standard sockets work fine | | TCP SYN (`-sS`) | โŒ No | Requires raw sockets / root | | UDP (`-sU`) | โŒ No | Requires raw sockets / root | | Service detection (`-sV`) | โœ… Yes | Works over TCP connect | | Default scripts (`-sC`) | โœ… Yes | Most NSE scripts work unprivileged | | Vuln scripts (`--script vuln`) | โœ… Yes | Same as above | | OS detection (`-O`) | โŒ No | Requires raw sockets / root | If you need SYN/UDP/OS scans, run nmap locally with `sudo` โ€” this actor is for the unprivileged scan types that cover ~80% of real-world use cases. ### Scan profiles | Profile | What it runs | Use when | |---|---|---| | `quick` | `--top-ports 100` | Fast triage | | `standard` (default) | `--top-ports 1000 -sV` | Most use cases | | `thorough` | `-p- -sV -sC` (all 65535 ports + scripts) | Full asset inventory | | `web` | HTTP ports + `http-*` NSE scripts | Web app recon | | `vuln` | `-sV --script vuln` | Vulnerability sweep | | `custom` | Use `ports`/`customScripts`/`customArgs` | Power users | ### Output structure Each scan produces multiple dataset records with a `recordType` discriminator: | recordType | Fields | When | |---|---|---| | `port` | `host`, `address`, `port`, `protocol`, `state`, `service`, `product`, `version` | One per port scanned | | `host` | `host`, `address`, `hostname`, `status`, `openPorts` | One per scanned host | | `script` | `host`, `port`, `scriptId`, `output` | One per NSE script result | | `summary` | `hostsUp`, `openPortsTotal`, `scanDuration`, `cmd`, ... | Always last record | Filter by `recordType` in the Apify Console table view to see one category at a time. The raw nmap XML is saved to the key-value store as `nmap-output.xml` โ€” drop into your own XML parser, Metasploit's `db_import`, or any nmap-aware tool. ### Pricing $0.005 per dataset record produced. A typical `standard` scan against a host with ~20 open services produces ~22 records ($0.11). ### FAQ #### Why can't I run SYN or UDP scans? Apify containers run unprivileged (no root, no `CAP_NET_RAW`). SYN/UDP/OS-detection all need raw sockets which require root. The TCP-connect path covers ~80% of real-world use cases โ€” for the other 20%, run nmap locally with `sudo`. #### Can I scan my home network? Only if your home network is reachable from the public internet โ€” nmap on Apify is a cloud scanner, not a LAN scanner. For internal scans, use the [Apify Proxy](https://docs.apify.com/platform/proxy) to route through a residential IP, or run nmap on a private box. #### What's the difference between `standard` and `thorough`? `standard` scans the top 1000 TCP ports with version detection โ€” completes in ~1 minute and catches 95% of services. `thorough` hits all 65535 ports plus default scripts โ€” takes 15-45 minutes per host. Use thorough only when you genuinely need a complete inventory. #### Will Apify block my port scans? Apify allows outbound port scans, but the **target** may block you. Apify Residential Proxy rotates IPs to mitigate this. Some firewalls also fingerprint nmap traffic specifically โ€” to bypass, use `customArgs` with `--scan-delay 1s -T2` (slower but stealthier). #### Can I import the XML into Metasploit / Greenbone / Nessus? Yes โ€” the raw nmap XML is saved to the key-value store as `nmap-output.xml`. Download it and `db_import nmap-output.xml` in `msfconsole`, or import into Greenbone/Nessus directly. ### Pairs nicely with Bundle for full attack-surface recon: - **[theHarvester](https://apify.com/anshumanatrey/theharvester-osint)** โ€” Discover subdomains first, then port-scan each one with nmap - **[NetIntel](https://apify.com/anshumanatrey/netintel)** โ€” WHOIS, DNS, GeoIP, SSL context for every IP nmap finds - **[Bug Bounty Finder](https://apify.com/anshumanatrey/bug-bounty-finder)** โ€” Confirm the target has a bounty program before sending vuln reports - **[Holehe Email OSINT](https://apify.com/anshumanatrey/holehe-email-osint)** โ€” OSINT the email addresses on services nmap discovers - **[Social Analyzer](https://apify.com/anshumanatrey/social-analyzer)** โ€” Find usernames of admins/developers exposed in service banners - **[Zomato Restaurant Scraper](https://apify.com/anshumanatrey/zomato-restaurant-scraper)** โ€” Restaurant lead lists (separate B2B use case) ### Credits Built on top of [nmap](https://nmap.org) by Gordon Lyon (Fyodor). nmap is licensed under the Nmap Public Source License Version 0.95 โ€” please review before commercial use. # Actor input Schema ## `target` (type: `string`): IP address, hostname, CIDR range, or space-separated list. Examples: 8.8.8.8 | scanme.nmap.org | 192.168.1.0/24 | 10.0.0.1 10.0.0.2. You MUST be authorized to scan the target. ## `scanProfile` (type: `string`): Preset combinations. quick = top 100 ports fast | standard = top 1000 + service detection | thorough = all 65535 ports + scripts | web = web ports + HTTP scripts | vuln = vulnerability NSE scripts. Pick 'custom' to use the raw flags below. ## `ports` (type: `string`): Port specification (only used when scanProfile is 'custom'). Examples: 22 | 1-1000 | 22,80,443 | top-100 | top-1000 | all. Leave empty for nmap default. ## `scanTechnique` (type: `string`): TCP connect (-sT) is the only technique that works without root. Apify containers run unprivileged so SYN/UDP/etc are not available. ## `serviceDetection` (type: `boolean`): Identify what service is running on each open port and its version. Adds 10-60s per host. ## `defaultScripts` (type: `boolean`): Run the default category of NSE scripts (~100 useful scripts: banner grabbing, SSL info, HTTP titles, etc.). ## `customScripts` (type: `string`): Comma-separated NSE script names or categories. Examples: http-title,ssl-cert | vuln | http-\* | safe and discovery. ## `timing` (type: `string`): T0 paranoid (slow, IDS-evading) ... T5 insane (very fast, may miss results). T4 is the sweet spot for most internet targets. ## `skipHostDiscovery` (type: `boolean`): Assume host is up, skip ping probe. Recommended โ€” Apify network often blocks ICMP. ## `excludePorts` (type: `string`): Comma-separated ports to exclude (--exclude-ports). Example: 9100,4444 ## `openPortsOnly` (type: `boolean`): Suppress closed/filtered ports in the output. Cleaner dataset. ## `customArgs` (type: `string`): Raw nmap flags appended to the command. Use with care โ€” must be valid nmap flags. Example: --max-retries 2 --host-timeout 30s ## `timeout` (type: `integer`): Hard kill nmap after this many seconds. Default 1800 (30 min). ## Actor input object example ```json { "target": "scanme.nmap.org", "scanProfile": "standard", "scanTechnique": "tcp-connect", "serviceDetection": true, "defaultScripts": false, "timing": "T4", "skipHostDiscovery": true, "openPortsOnly": true, "timeout": 1800 } ``` # Actor output Schema ## `scanResults` (type: `string`): All scan findings โ€” discovered ports, host information, NSE script outputs, and the summary row. Filter the dataset by `recordType` (port|host|script|summary) to view a single category. ## `rawXml` (type: `string`): Raw nmap -oX XML output for the scan, saved as `nmap-output.xml` in the key-value store for downstream tooling that prefers nmap's native format. # API You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup. ## JavaScript example ```javascript import { ApifyClient } from 'apify-client'; // Initialize the ApifyClient with your Apify API token // Replace the '' with your token const client = new ApifyClient({ token: '', }); // Prepare Actor input const input = { "target": "scanme.nmap.org" }; // Run the Actor and wait for it to finish const run = await client.actor("anshumanatrey/nmap-scanner").call(input); // Fetch and print Actor results from the run's dataset (if any) console.log('Results from dataset'); console.log(`๐Ÿ’พ Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`); const { items } = await client.dataset(run.defaultDatasetId).listItems(); items.forEach((item) => { console.dir(item); }); // ๐Ÿ“š Want to learn more ๐Ÿ“–? Go to โ†’ https://docs.apify.com/api/client/js/docs ``` ## Python example ```python from apify_client import ApifyClient # Initialize the ApifyClient with your Apify API token # Replace '' with your token. client = ApifyClient("") # Prepare the Actor input run_input = { "target": "scanme.nmap.org" } # Run the Actor and wait for it to finish run = client.actor("anshumanatrey/nmap-scanner").call(run_input=run_input) # Fetch and print Actor results from the run's dataset (if there are any) print("๐Ÿ’พ Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"]) for item in client.dataset(run["defaultDatasetId"]).iterate_items(): print(item) # ๐Ÿ“š Want to learn more ๐Ÿ“–? Go to โ†’ https://docs.apify.com/api/client/python/docs/quick-start ``` ## CLI example ```bash echo '{ "target": "scanme.nmap.org" }' | apify call anshumanatrey/nmap-scanner --silent --output-dataset ``` ## MCP server setup ```json { "mcpServers": { "apify": { "command": "npx", "args": [ "mcp-remote", "https://mcp.apify.com/?tools=anshumanatrey/nmap-scanner", "--header", "Authorization: Bearer " ] } } } ``` ## OpenAPI specification ```json { "openapi": "3.0.1", "info": { "title": "nmap - Network Port Scanner & Service Detection", "description": "Cloud-hosted nmap (industry-standard network scanner by Fyodor). TCP connect port scans, service/version detection, NSE scripts. Results streamed as structured dataset records โ€” one row per discovered port. $0.005 per record. Authorize scans before running.", "version": "1.0", "x-build-id": "Lk6SE8DTToupDjFAK" }, "servers": [ { "url": "https://api.apify.com/v2" } ], "paths": { "/acts/anshumanatrey~nmap-scanner/run-sync-get-dataset-items": { "post": { "operationId": "run-sync-get-dataset-items-anshumanatrey-nmap-scanner", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } }, "/acts/anshumanatrey~nmap-scanner/runs": { "post": { "operationId": "runs-sync-anshumanatrey-nmap-scanner", "x-openai-isConsequential": false, "summary": "Executes an Actor and returns information about the initiated run in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/runsResponseSchema" } } } } } } }, "/acts/anshumanatrey~nmap-scanner/run-sync": { "post": { "operationId": "run-sync-anshumanatrey-nmap-scanner", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } } }, "components": { "schemas": { "inputSchema": { "type": "object", "required": [ "target" ], "properties": { "target": { "title": "Target", "type": "string", "description": "IP address, hostname, CIDR range, or space-separated list. Examples: 8.8.8.8 | scanme.nmap.org | 192.168.1.0/24 | 10.0.0.1 10.0.0.2. You MUST be authorized to scan the target." }, "scanProfile": { "title": "Scan Profile", "enum": [ "quick", "standard", "thorough", "web", "vuln", "custom" ], "type": "string", "description": "Preset combinations. quick = top 100 ports fast | standard = top 1000 + service detection | thorough = all 65535 ports + scripts | web = web ports + HTTP scripts | vuln = vulnerability NSE scripts. Pick 'custom' to use the raw flags below.", "default": "standard" }, "ports": { "title": "Ports", "type": "string", "description": "Port specification (only used when scanProfile is 'custom'). Examples: 22 | 1-1000 | 22,80,443 | top-100 | top-1000 | all. Leave empty for nmap default." }, "scanTechnique": { "title": "Scan Technique", "enum": [ "tcp-connect" ], "type": "string", "description": "TCP connect (-sT) is the only technique that works without root. Apify containers run unprivileged so SYN/UDP/etc are not available.", "default": "tcp-connect" }, "serviceDetection": { "title": "Service & Version Detection (-sV)", "type": "boolean", "description": "Identify what service is running on each open port and its version. Adds 10-60s per host.", "default": true }, "defaultScripts": { "title": "Default NSE Scripts (-sC)", "type": "boolean", "description": "Run the default category of NSE scripts (~100 useful scripts: banner grabbing, SSL info, HTTP titles, etc.).", "default": false }, "customScripts": { "title": "Custom NSE Scripts (--script)", "type": "string", "description": "Comma-separated NSE script names or categories. Examples: http-title,ssl-cert | vuln | http-* | safe and discovery." }, "timing": { "title": "Timing Template", "enum": [ "T0", "T1", "T2", "T3", "T4", "T5" ], "type": "string", "description": "T0 paranoid (slow, IDS-evading) ... T5 insane (very fast, may miss results). T4 is the sweet spot for most internet targets.", "default": "T4" }, "skipHostDiscovery": { "title": "Skip Host Discovery (-Pn)", "type": "boolean", "description": "Assume host is up, skip ping probe. Recommended โ€” Apify network often blocks ICMP.", "default": true }, "excludePorts": { "title": "Exclude Ports", "type": "string", "description": "Comma-separated ports to exclude (--exclude-ports). Example: 9100,4444" }, "openPortsOnly": { "title": "Show Only Open Ports (--open)", "type": "boolean", "description": "Suppress closed/filtered ports in the output. Cleaner dataset.", "default": true }, "customArgs": { "title": "Custom nmap Arguments (advanced)", "type": "string", "description": "Raw nmap flags appended to the command. Use with care โ€” must be valid nmap flags. Example: --max-retries 2 --host-timeout 30s" }, "timeout": { "title": "Subprocess Timeout (seconds)", "minimum": 30, "maximum": 3600, "type": "integer", "description": "Hard kill nmap after this many seconds. Default 1800 (30 min).", "default": 1800 } } }, "runsResponseSchema": { "type": "object", "properties": { "data": { "type": "object", "properties": { "id": { "type": "string" }, "actId": { "type": "string" }, "userId": { "type": "string" }, "startedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "finishedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "status": { "type": "string", "example": "READY" }, "meta": { "type": "object", "properties": { "origin": { "type": "string", "example": "API" }, "userAgent": { "type": "string" } } }, "stats": { "type": "object", "properties": { "inputBodyLen": { "type": "integer", "example": 2000 }, "rebootCount": { "type": "integer", "example": 0 }, "restartCount": { "type": "integer", "example": 0 }, "resurrectCount": { "type": "integer", "example": 0 }, "computeUnits": { "type": "integer", "example": 0 } } }, "options": { "type": "object", "properties": { "build": { "type": "string", "example": "latest" }, "timeoutSecs": { "type": "integer", "example": 300 }, "memoryMbytes": { "type": "integer", "example": 1024 }, "diskMbytes": { "type": "integer", "example": 2048 } } }, "buildId": { "type": "string" }, "defaultKeyValueStoreId": { "type": "string" }, "defaultDatasetId": { "type": "string" }, "defaultRequestQueueId": { "type": "string" }, "buildNumber": { "type": "string", "example": "1.0.0" }, "containerUrl": { "type": "string" }, "usage": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "integer", "example": 1 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } }, "usageTotalUsd": { "type": "number", "example": 0.00005 }, "usageUsd": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "number", "example": 0.00005 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } } } } } } } } } ```