AI Powered Nmap using ShellGPT
Overview
This article examines how pairing ShellGPT — an AI-powered command-line assistant driven by the OpenAI API — with Nmap fundamentally changes the pace and precision of network reconnaissance. Traditional reconnaissance demands that the operator memorise a large vocabulary of Nmap flags, NSE script names, output-processing pipelines, and service-specific enumeration tools. ShellGPT eliminates that requirement: the operator expresses intent in plain English, and the AI returns an execution-ready command in seconds. The result is a workflow that scales from a first-time learner to an experienced penetration tester without changing a single step.
This article documents progressive reconnaissance operations organised into four phases. The first phase covers setup: installing ShellGPT, configuring an OpenAI API key, and verifying end-to-end connectivity. The second phase covers active scanning: discovering live hosts, enumerating ports, fingerprinting services and operating systems, conducting stealth and aggressive scans, and running NSE-based vulnerability and protocol audits across FTP, SSH, HTTP, SMB, NFS, MSRPC, and SCTP. The third phase covers AI-driven analysis: piping saved scan output into ShellGPT for an instant attack-surface review and generating a complete enumeration command set from that analysis. The fourth phase covers technique design: asking ShellGPT to construct stealth scan configurations and explain complex flag combinations without any live target. Each section presents the natural-language prompt, the generated command, and a detailed analysis of the output, so the article serves equally as a demonstration, a reference, and a learning resource.
Table of Contents:
- Introduction
- Lab Environment
- Installing ShellGPT
- Generating and Configuring an OpenAI API Key
- Verifying ShellGPT with a Baseline Query
- Discovering Live Hosts and Saving Results
- Running a Fast Port Scan Across All Live Hosts
- Deep Service and OS Fingerprinting on a Single Target
- Enumerating MSRPC Services
- Conducting a TCP SYN (Stealth) Scan
- Scanning a Specific Set of Ports
- Scanning Multiple Targets Simultaneously
- OS Detection via TTL Analysis on Two Hosts
- Applying a Timing Template for Speed Optimisation
- Executing an Aggressive Scan
- Running an NSE Vulnerability Scan
- Enumerating HTTP Services with NSE
- Enumerating SMB Shares and OS Details
- Enumerating SSH Algorithms and Host Keys
- Detecting Web Technologies via HTTP Headers
- Running a Traceroute to Map Network Topology
- Inspecting Packets with the Packet-Trace Flag
- Saving a Service-Version Scan to Disk for Downstream Analysis
- Piping Scan Results into ShellGPT for Attack-Surface Analysis
- Generating a Complete Enumeration Command Set from Scan Output
- Designing a Stealthy SYN Scan Configuration
- Using ShellGPT to Demystify Complex Flag Combinations
- Using Shell-GPT for SSH Brute-Force Attacks
- Mitigation Strategies
- Conclusion
Introduction
Network reconnaissance is the mandatory first act of any penetration test or security assessment. Before an attacker can enumerate services, probe vulnerabilities, or plan exploitation paths, they must first map what exists on the network — which hosts are alive, which ports are open, and which software is listening on each. Nmap has been the industry-standard tool for this task for over two decades, and its depth is unmatched: it supports dozens of scan types, hundreds of NSE scripts covering every major protocol, OS fingerprinting, timing control, output formatting, and packet-level tracing. That depth is also its barrier to entry; the full Nmap reference spans thousands of options and assembling the right combination for a given task requires experience.
ShellGPT removes that barrier by acting as an intelligent translator between operator intent and Nmap syntax. The operator describes what they want — “scan these hosts for live ports,” “enumerate SMB shares without credentials,” “run a vulnerability scan” — and ShellGPT produces the correct command, confirms it with an interactive Execute prompt, and runs it immediately. The same tool operates in reverse as an analyst: when fed a saved scan file, it identifies the exposed services, assesses the risk profile of each, and generates the enumeration commands needed to follow up. It also functions as an on-demand instructor, explaining any Nmap flag combination in plain language before the operator executes it.
The significance extends beyond efficiency. AI-assisted reconnaissance democratises advanced techniques: an operator who has never written an NSE invocation can produce a vulnerability scan in seconds. For defenders, the same capability is available for continuous self-assessment — the same commands that map an attacker’s target can map one’s own infrastructure on a scheduled basis. This article documents the full workflow, from initial installation through post-scan analysis, so that practitioners on both sides of the security boundary can understand, replicate, and defend against it.
Lab Environment
All scans in this article execute within a controlled VMware-based network on the 192.168.1.0/24 subnet. The attacker operates from Kali Linux 2024 at 192.168.1.17 running Nmap 7.99 and ShellGPT 1.5.1 with Python 3.13.12. The lab contains six target hosts, each representing a distinct class of system commonly encountered in real-world assessments.

ShellGPT communicates with the OpenAI API over HTTPS on port 443; an active internet connection and a funded OpenAI account are prerequisites. All scans run as root to enable raw socket access for SYN scans, OS detection, and packet tracing. Wireshark is available for packet capture but is not used in the ShellGPT workflow documented here.
Installing ShellGPT
Before any AI-assisted scanning is possible, the attacker installs ShellGPT on Kali Linux using pipx. The pipx installer isolates the package in its own Python virtual environment, preventing dependency conflicts with the rest of the system. The command below pulls shell-gpt version 1.5.1, built on Python 3.13.12, and exposes the sgpt binary globally — the single entry point for every AI query in this article.
pipx install shell-gpt

The terminal confirms a clean installation: “installed package shell-gpt 1.5.1” and registers the sgpt command as immediately available. From this point forward, every reconnaissance step begins with a plain-English prompt to sgpt rather than a manual command lookup.
Generating and Configuring an OpenAI API Key
ShellGPT routes every query through the OpenAI API, so a valid API key is a prerequisite. The attacker navigates to platform.openai.com/api-keys, clicks “+ Create new secret key,” and names the key sgpt to distinguish it from other credentials in the account. The dashboard shows the new key as Active with “All” permissions, ready to authenticate API calls from the command line.
With the key in hand, the attacker exports it as an environment variable so sgpt picks it up automatically on every invocation:
export OPENAI_API_KEY="sk-proj-<redacted>"

Setting the key as an environment variable rather than hard-coding it in a config file keeps credentials out of shell history and reduces exposure risk — a minimal operational-security practice even in a lab environment.
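As an added example (not part of the original article), the helper below loads the key from a private file instead of from a typed export. One caveat a practitioner should know: bash records an interactive export command in its history file like any other command, so reading the value from a mode-0600 file is what actually keeps the secret off the command line and out of history. The path $HOME/.sgpt_openai_key and the "sk-" prefix check are assumptions made for this example; sgpt itself only needs OPENAI_API_KEY to be set.

```bash
# Added example, not from the article: export OPENAI_API_KEY for sgpt from a
# private key file, refusing files that other users could read.
# Assumed default path; any file you control works.

load_sgpt_key() {
    keyfile="${1:-$HOME/.sgpt_openai_key}"

    # The file must exist and carry no group/other permission bits at all.
    [ -f "$keyfile" ] || { echo "key file not found: $keyfile" >&2; return 1; }
    perms=$(ls -ld "$keyfile" | cut -c5-10)     # columns 5-10 = group+other bits
    if [ "$perms" != "------" ]; then
        echo "refusing: $keyfile is group/world accessible (run: chmod 600 $keyfile)" >&2
        return 1
    fi

    # First line only, whitespace stripped; OpenAI secret keys start with "sk-"
    # (assumption used as a sanity check against pasting the wrong file).
    key=$(head -n 1 "$keyfile" | tr -d '[:space:]')
    case "$key" in
        sk-*) ;;
        *) echo "refusing: contents of $keyfile do not look like an OpenAI key" >&2; return 1 ;;
    esac

    export OPENAI_API_KEY="$key"
    return 0
}

# Demo with a throwaway file holding a constructed, non-functional value.
demo=$(mktemp)
printf 'sk-proj-EXAMPLE-NOT-A-REAL-KEY\n' > "$demo"
chmod 600 "$demo"
load_sgpt_key "$demo" && echo "key loaded (${#OPENAI_API_KEY} chars), sgpt can now be run"
rm -f "$demo"
```

Put `load_sgpt_key` in a shell startup file and the key is available to every sgpt invocation without ever appearing in a typed command.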
Verifying ShellGPT with a Baseline Query
Before issuing any scan commands, the attacker validates the installation end-to-end with a simple conceptual question. This confirms that the API key is correctly configured, the network path to OpenAI is clear, and the sgpt binary responds to natural-language input. The command used is:
sgpt "What is Nmap?"

ShellGPT returns a well-structured summary: Nmap stands for Network Mapper; it is an open-source tool for host discovery, port scanning, service and version detection, OS fingerprinting, and security auditing. The response also offers to generate an Nmap cheat sheet or safe scanning examples — demonstrating that the AI is context-aware and interactive, not merely a command translator. The baseline test passes; every subsequent prompt will carry the --shell flag to request an executable command instead of an explanation.
Discovering Live Hosts and Saving Results
With ShellGPT operational, the attacker issues the first reconnaissance command: a live-host sweep of the entire 192.168.1.0/24 subnet. The --chat scan flag opens a persistent chat session named “scan,” and --shell instructs ShellGPT to return an executable command rather than a prose explanation. The natural-language prompt is:
sgpt --chat scan --shell "Scan 192.168.1.1/24 for live hosts and save IPs to network.txt"
ShellGPT synthesises the following compound command, which the attacker executes by responding E (Execute) at the interactive prompt:

The -sn flag performs a ping sweep without port scanning, keeping the operation fast and quiet. The -oG - flag writes grepable output to stdout, which the awk pipeline filters to extract only the IP addresses of hosts that responded with “Up.” The results land directly in network.txt. Inspecting the file with cat reveals six live hosts — 192.168.1.1, .5, .9, .10, .15, and .17 — which become the target list for every subsequent scan.
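The generated command itself appears in the article only as a screenshot. The following is an added reconstruction of the pipeline the paragraph describes (ping sweep, grepable output to stdout, awk filter on hosts marked Up, written to network.txt), not the article's own command: the filter is a separate function so it can be exercised on saved output, the grepable sample lines are constructed for the demo, and nmap is only called inside sweep_subnet.

```bash
# Added example, not the article's command: the -sn / -oG - / awk host sweep
# split into a testable filter and a wrapper that runs the real scan.

# Read grepable (-oG) output on stdin; print one IP per line for hosts marked Up.
# Comment lines ("# Nmap ...") and hosts reported Down are skipped.
extract_live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Ping-sweep a subnet, filter to live hosts, and save the target list.
# Usage: sweep_subnet 192.168.1.0/24 network.txt
sweep_subnet() {
    subnet="$1"; out="${2:-network.txt}"
    nmap -sn -oG - "$subnet" | extract_live_hosts > "$out"
    echo "$(wc -l < "$out" | tr -d ' ') live hosts written to $out"
}

# Constructed sample of -oG output (not a real capture) to exercise the filter.
SAMPLE_OG='# Nmap 7.99 scan initiated as: nmap -sn -oG - 192.168.1.0/24
Host: 192.168.1.1 ()    Status: Up
Host: 192.168.1.2 ()    Status: Down
Host: 192.168.1.9 ()    Status: Up
Host: 192.168.1.15 ()   Status: Up
# Nmap done -- 256 IP addresses (3 hosts up) scanned'

# Offline demo: the filter alone, fed the constructed sample.
printf '%s\n' "$SAMPLE_OG" | extract_live_hosts
```

Because the filter keys on the literal "Status: Up" token rather than on a bare "Up", it ignores the summary line and any host name that happens to contain those letters.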
Running a Fast Port Scan Across All Live Hosts
With the host list in hand, the attacker escalates from discovery to enumeration. A single ShellGPT prompt instructs it to scan every host in network.txt and persist the results:
sgpt --chat scan --shell "Run a fast Nmap scan on targets in network.txt and save results to netscan.txt"
ShellGPT generates the following command, which the attacker executes immediately:

The -T4 timing template maximises speed without triggering most rate-limiting defences. The -F flag restricts the scan to the 100 most common ports, trading completeness for velocity. The -iL flag reads targets from the file, and -oN writes normal-format output to netscan.txt for later reference. The resulting output immediately surfaces the attack surface: 192.168.1.1 exposes DNS, HTTP, and HTTPS; 192.168.1.9 runs FTP, SSH, HTTP, rpcbind, NetBIOS, SMB, and NFS — a classically over-exposed Linux host; and 192.168.1.15 presents the widest profile, with FTP, SSH, Telnet, SMTP, HTTP, rpcbind, SMB, login, shell, MySQL, PostgreSQL, VNC, X11, and AJP13 — the unmistakable fingerprint of a Metasploitable target.
Deep Service and OS Fingerprinting on a Single Target
The fast scan identified 192.168.1.9 as a high-value target. The attacker drills deeper with a service-version and OS-detection scan, again delegating command construction to ShellGPT:
sgpt --chat scan --shell "Use Nmap to scan open ports, MAC address, services, and versions on 192.168.1.9"

The -sV flag probes each open port to extract the exact service name and version string; the -O flag activates OS fingerprinting via TCP/IP stack analysis. The output is forensically precise: FTP resolves to vsftpd 3.0.5, SSH to OpenSSH 8.9p1 on Ubuntu Linux, HTTP to Apache httpd 2.4.52, rpcbind to versions 2–4, and SMB to Samba smbd 4. The MAC address 00:0C:29:85:D1:03 confirms a VMware guest. OS detection places the kernel between Linux 4.15 and 5.19. The entire fingerprint completes in 13.25 seconds.
Enumerating MSRPC Services
The attacker targets the Microsoft RPC attack surface on 192.168.1.15 by invoking the Nmap msrpc-enum NSE script. ShellGPT accepts the intent and constructs the precise NSE invocation:
sgpt --chat scan --shell "Scan MSRPC service of 192.168.1.15 using Nmap"

Port 135 returns closed for MSRPC, while 139 (NetBIOS-SSN) and 445 (Microsoft-DS) are open. The NSE script reports NT_STATUS_OBJECT_NAME_NOT_FOUND — the RPC endpoint mapper is not advertising registered services, consistent with a Samba implementation on Linux rather than a native Windows RPC stack. SMB is present and accessible, but the standard Windows DCOM/RPC enumeration path is unavailable. The scan completes in 0.70 seconds.
Conducting a TCP SYN (Stealth) Scan
The attacker requests a full stealth scan against the Metasploitable target to enumerate every open TCP port without completing a three-way handshake. Because SYN scans require raw socket access, the command runs as root — a requirement ShellGPT implicitly satisfies by generating the correct flag:
sgpt --chat scan --shell "Run a TCP SYN scan on 192.168.1.15"

The -sS flag dispatches a SYN segment to each probed port. An open port answers with SYN/ACK; Nmap replies with RST, collapsing the half-open connection before it is logged by most application-layer monitors. The output catalogues 23 open services: FTP (21), SSH (22), Telnet (23), SMTP (25), DNS (53), HTTP (80), rpcbind (111), NetBIOS (139), SMB (445), exec (512), login (513), shell (514), rmiregistry (1099), ingreslock (1524), NFS (2049), ccproxy-ftp (2121), MySQL (3306), PostgreSQL (5432), VNC (5900), X11 (6000), IRC (6667), AJP13 (8009), and an unknown service on 8180. The MAC address 00:0C:29:1E:7E:AF confirms the VMware guest. The entire scan completes in 0.79 seconds.
Scanning a Specific Set of Ports
When the attacker needs to verify only a handful of ports, ShellGPT accepts an explicit port list and translates it directly:
sgpt --chat scan --shell "Scan ports 21,22,80,443 on 192.168.1.15"

The targeted scan confirms FTP (21), SSH (22), and HTTP (80) as open, while HTTPS (443) is closed. The absence of HTTPS on a host running Apache narrows the web-application attack surface to plain-text HTTP — a significant finding for subsequent credential-interception attacks. The scan resolves in 0.68 seconds.
Scanning Multiple Targets Simultaneously
ShellGPT handles multi-target scans as naturally as single-host queries:
sgpt --chat scan --shell "Scan open ports on 192.168.1.9 and 192.168.1.15"

Nmap scans both hosts in parallel and returns sequential reports. The report for 192.168.1.9 lists 7 open ports (FTP, SSH, HTTP, rpcbind, NetBIOS, SMB, NFS) with MAC 00:0C:29:85:D1:03. The report for 192.168.1.15 lists 23 open ports — the full Metasploitable surface — with MAC 00:0C:29:1E:7E:AF. Both hosts are confirmed up and fully enumerated within 0.83 seconds of combined scan time.
OS Detection via TTL Analysis on Two Hosts
The attacker requests OS fingerprinting across two hosts in a single prompt:
sgpt --chat scan --shell "Identify the operating systems of 192.168.1.9 and 192.168.1.11 using TTL analysis"

For 192.168.1.9, OS detection reports “Linux 4.15 – 5.19” as the most likely match, with secondary guesses of OpenWrt 21.02 and MikroTik RouterOS 7.2 – 7.5. For 192.168.1.11, the fingerprint is decisive: “Microsoft Windows Server 2019,” corroborated by the CPE cpe:/o:microsoft:windows_server_2019 and open ports 88 (Kerberos), 135 (MSRPC), 389 (LDAP), 445 (SMB), 464 (kpasswd), and 5985 (WS-Management) — the unmistakable signature of a Windows domain controller. The scan completes in 3.29 seconds.
Applying a Timing Template for Speed Optimisation
The attacker benchmarks scan speed using Nmap’s T4 aggressive timing template, which maximises parallelism and reduces inter-probe delays:
sgpt --chat scan --shell "Run a fast timing template scan on 192.168.1.15 using Nmap"

With T4 engaged, Nmap completes a full default-port scan of 192.168.1.15 — enumerating all 23 open services, including MySQL, PostgreSQL, VNC, X11, and AJP13 — in just 0.75 seconds. The T4 template is the practical default for lab environments where stealth is not a concern; in production environments, T3 or lower reduces IDS detection risk at the cost of scan duration.
Executing an Aggressive Scan
The aggressive scan (-A) combines four capabilities in a single flag — OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute — yielding the most comprehensive single-pass profile Nmap can produce:
sgpt --chat scan --shell "Aggressive Scan 192.168.1.9 for open ports using Nmap"

The output is extensive. The FTP service (vsftpd 3.0.5) accepts anonymous logins — the ftp-anon NSE script logs in as “ftp,” traverses the pub directory, and records the session banner. SSH (OpenSSH 8.9p1) returns both ECDSA and ED25519 host key fingerprints. Apache on port 80 returns a 403 Forbidden response and its server header confirms version 2.4.52. The rpcbind script fully enumerates the RPC program table, exposing NFS, mountd, nlockmgr, and status programs across TCP and UDP. Samba smbd 4 serves both ports 139 and 445. The combined output surfaces an anonymous FTP foothold, a fully detailed SSH identity, and a complete RPC service map in one scan.
Running an NSE Vulnerability Scan
ShellGPT translates a vulnerability-scan intent directly into an NSE script invocation, removing the need to know individual script names:
sgpt --chat scan --shell "Run an Nmap vulnerability scan on 192.168.1.15"

The vuln script category runs every installed vulnerability-detection NSE script against each open port. Three critical findings emerge. First, vsftpd 2.3.4 backdoor (CVE-2011-2523) is flagged as VULNERABLE and Exploitable — the script executes id as the shell command and receives uid=0(root) gid=0(root), confirming remote root code execution without any further exploit development. Second, SSL POODLE (CVE-2014-3566) is confirmed VULNERABLE on port 25, exposing any SSL 3.0 session to CBC-padding-oracle decryption attacks. Third, an Anonymous Diffie-Hellman Key Exchange MitM Vulnerability is present on the SMTP service — the cipher suite TLS_DH_anon_WITH_RC4_128_MD5 with a 1024-bit modulus provides no authentication, allowing a man-in-the-middle to compromise session confidentiality and integrity entirely.
Enumerating HTTP Services with NSE
The attacker uses ShellGPT to invoke the http-enum NSE script, which brute-forces common web application paths against the target’s HTTP service:
sgpt --chat scan --shell "Enumerate HTTP services on 192.168.1.15 using Nmap NSE scripts"

The script discovers seven paths on port 80: /tikiwiki/ (Tikiwiki CMS), /test/ (test page), /phpinfo.php (PHP configuration disclosure), /phpMyAdmin/ (database administration interface), /doc/ (directory listing on Apache 2.2.8 with DAV/2 enabled), /icons/ (directory listing), and /index/ (directory listing). Each of these represents a distinct attack vector: phpinfo.php leaks the full PHP and server configuration; phpMyAdmin exposes the database tier directly; WebDAV on /doc/ may allow arbitrary file writes. The enumeration completes in 1.38 seconds and maps the entire web application surface without a single manual browser request.
Enumerating SMB Shares and OS Details
The attacker targets the SMB service on port 445 to extract share names and OS metadata without authentication:
sgpt --chat scan --shell "Enumerate SMB shares and SMB OS details on 192.168.1.15"

The smb-os-discovery script identifies the host as Unix running Samba 3.0.20-Debian, with the computer name metasploitable and FQDN metasploitable.localdomain. The smb-enum-shares script enumerates five shares without credentials: ADMIN$ (IPC), IPC$ (anonymous READ/WRITE), opt (disk, no anonymous access), print$ (printer drivers, no anonymous access), and tmp (disk, anonymous READ/WRITE to C:\tmp). The IPC$ and tmp shares both permit unauthenticated read/write access — IPC$ is exploitable for null-session attacks, and the writable tmp share could serve as a staging area for payload delivery.
Enumerating SSH Algorithms and Host Keys
The attacker audits the SSH service configuration to identify weak cryptographic algorithms that may be exploitable or indicate an unpatched version:
sgpt --chat scan --shell "Enumerate SSH algorithms and SSH information on 192.168.1.15"

The ssh-auth-methods script confirms that the server accepts both publickey and password authentication — the password method is directly susceptible to brute-force attacks. The ssh2-enum-algos script enumerates the full algorithm suite including the deprecated diffie-hellman-group1-sha1 (vulnerable to Logjam), arcfour, 3des-cbc, and CBC-mode AES variants. The ssh-hostkey script extracts a 1024-bit DSA key and a 2048-bit RSA key with their full fingerprints. The presence of these deprecated algorithms marks this SSH daemon as severely outdated and cryptographically weak.
Detecting Web Technologies via HTTP Headers
The attacker probes the HTTP service to fingerprint the web stack at the header level:
sgpt --chat scan --shell "Detect web technologies running on 192.168.1.15"

The three NSE scripts collectively reveal the complete web stack: Apache/2.2.8 (Ubuntu) DAV/2 as the Server field, PHP/5.2.4-2ubuntu5.10 in the X-Powered-By header, and the page title “Metasploitable2 – Linux,” definitively confirming the target’s identity. Apache 2.2.8 reached end-of-life in 2013 and PHP 5.2.4 was released in 2007 — both versions carry a catalogue of publicly known critical vulnerabilities. Port 443 is closed, confirming the absence of HTTPS.
Running a Traceroute to Map Network Topology
The attacker uses Nmap’s built-in traceroute capability to determine the network path to the target:
sgpt --chat scan --shell "Run Nmap traceroute on 192.168.1.15"

The traceroute section reports: Hop 1, RTT 1.89 ms, 192.168.1.15. A single hop confirms that no router or firewall sits between the attacker and the target — they share the same layer-2 broadcast domain. This topological confirmation validates that ARP-based techniques apply, rules out NAT traversal complications, and confirms that every probe reaches the target at wire speed.
Inspecting Packets with the Packet-Trace Flag
As a final diagnostic step, the attacker enables Nmap’s --packet-trace flag to expose the raw packet exchange between the scanner and the target:
sgpt --chat scan --shell "Run an Nmap scan with packet trace enabled on 192.168.1.15"

The output begins with the ARP exchange — “SENT ARP who-has 192.168.1.15 tell 192.168.1.17” followed by “RCVD ARP reply 192.168.1.15 is-at 00:0C:29:1E:7E:AF” — confirming that Nmap resolves liveness at layer 2 before issuing any IP-layer probes. A series of NSOCK INFO lines show the Nmap scripting engine’s event loop processing a DNS reverse lookup. The bulk of the trace consists of SENT TCP SYN packets dispatched to multiple ports simultaneously with randomised TTL values and sequence numbers, followed by RCVD TCP RST/ACK responses for closed ports and RCVD TCP SYN/ACK responses for open ports. The packet trace makes the probe strategy, timing, and response interpretation entirely transparent.
Saving a Service-Version Scan to Disk for Downstream Analysis
Before ShellGPT can analyse scan results, those results must exist as a file the shell can read. The attacker runs a service-version scan against 192.168.1.9 and writes the output directly to scan.txt, deliberately separating the data-collection phase from the analysis phase — a workflow pattern that allows the same scan file to be fed into multiple ShellGPT queries without repeating the scan itself.

The -sV flag instructs Nmap to probe each open port and extract the precise service name and version string through banner grabbing and probe-response matching. The -oN flag writes the output in human-readable normal format to scan.txt. The scan completes in 11.96 seconds and reveals seven open services: vsftpd 3.0.5 on port 21, OpenSSH 8.9p1 on port 22, Apache httpd 2.4.52 on port 80, rpcbind versions 2–4 on port 111, Samba smbd 4 on ports 139 and 445, and nfs_acl 3 on port 2049. This concise snapshot becomes the single source of truth for the AI-driven analysis steps that follow.
Piping Scan Results into ShellGPT for Attack-Surface Analysis
With scan.txt populated, the attacker pipes its contents directly into ShellGPT and requests an attack-surface review with safe next steps. This is ShellGPT operating not as a command generator but as an inline security analyst — reading the raw Nmap output and returning a structured triage report without any manual interpretation.

ShellGPT processes the scan data and returns a well-structured report organised into three sections. The Exposed Services section enumerates all seven services in a prioritised list. The Likely Risk Areas section analyses each service in turn: for FTP, it flags anonymous login, weak credentials, writable uploads, and exposed backups; for HTTP, it directs the operator to enumerate default pages, hidden directories, file upload points, and login panels; for Samba/SMB, it highlights guest access, writable shares, credential reuse, and exposed sensitive files; for NFS, it specifically flags misconfigured exports that allow unauthorized mount access and privilege escalation via root_squash misconfigurations; for SSH, it assigns lower risk unless password authentication is enabled or credentials are reused. The Recommended Next Steps section delivers a numbered action plan covering share enumeration, web crawling, version validation against known CVEs, credential testing, and misconfiguration auditing. The entire analysis arrives in seconds, converting a 12-line scan report into a prioritised penetration-testing checklist with zero manual research.
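The two steps above (collect scan.txt, then have ShellGPT triage it) are reproduced below as a deterministic, offline version suited to a defender's scheduled self-assessment. This is an added example, not the article's code or the AI's output: it parses Nmap normal (-oN) output and applies a fixed risk tier per service name that roughly mirrors the ordering of the AI's report. The scan.txt sample is constructed to match the services the article reports for 192.168.1.9, and the tier assignments are this example's own assumption.

```bash
# Added example, not the article's code: parse Nmap -oN output and apply a
# rule-based triage so the AI's attack-surface review can be reproduced offline.

# Print "port proto service version" for every port reported open in -oN output on stdin.
parse_open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
        split($1, p, "/")
        ver = ""
        for (i = 4; i <= NF; i++) ver = ver (i > 4 ? " " : "") $i
        print p[1], p[2], $3, ver
    }'
}

# Risk tier per service name (assumption for this example, echoing the article's
# report: unauthenticated file and RPC services first, SSH last).
triage_port() {
    case "$1" in
        ftp|telnet|nfs|nfs_acl|rpcbind|mountd) echo high ;;
        netbios-ssn|microsoft-ds|http|smtp|mysql|postgresql) echo medium ;;
        ssh|https) echo low ;;
        *) echo review ;;
    esac
}

# Tab-separated report: port/proto, service, tier, version string.
triage_report() {
    parse_open_ports | while read -r port proto svc ver; do
        printf '%s/%s\t%s\t%s\t%s\n' "$port" "$proto" "$svc" "$(triage_port "$svc")" "$ver"
    done
}

# Number of open ports in a tier, e.g.  count_tier high < scan.txt
count_tier() {
    triage_report | awk -F'\t' -v t="$1" '$3 == t { n++ } END { print n + 0 }'
}

# Constructed scan.txt matching the services the article reports for 192.168.1.9.
SAMPLE_ON='# Nmap 7.99 scan initiated as: nmap -sV -oN scan.txt 192.168.1.9
Nmap scan report for 192.168.1.9
Host is up (0.00041s latency).
Not shown: 993 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 3.0.5
22/tcp   open  ssh         OpenSSH 8.9p1 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.52 ((Ubuntu))
111/tcp  open  rpcbind     2-4 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 4
445/tcp  open  netbios-ssn Samba smbd 4
2049/tcp open  nfs_acl     3 (RPC #100227)
MAC Address: 00:0C:29:85:D1:03 (VMware)
# Nmap done -- 1 IP address (1 host up) scanned in 11.96 seconds'

# Offline demo; on a real file use:  triage_report < scan.txt
printf '%s\n' "$SAMPLE_ON" | triage_report
```

Run on a schedule and diffed against the previous report, the output flags any newly exposed high-tier service on the host without an API call, which is the self-assessment use the Introduction describes.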
Generating a Complete Enumeration Command Set from Scan Output
The attack-surface analysis identified what to enumerate; this step asks ShellGPT to produce the exact commands that will do it. The attacker pipes the same scan.txt file into a second ShellGPT query:
cat scan.txt | sgpt "Generate enumeration commands"

ShellGPT responds with a comprehensive, service-by-service command plan organised into five groups. For general Nmap follow-up, it generates three commands: a combined default-script and service-version scan, an aggressive scan, and a vuln-category NSE scan. For FTP, it generates a direct ftp connection attempt followed by ftp-anon, ftp-syst, and ftp-banner NSE scripts. For SSH, it provides ssh2-enum-algos and ssh-hostkey NSE scripts paired with a direct ssh -v verbose connection. For HTTP, it generates curl -i, whatweb, nikto -h, and a gobuster directory brute-force with php, txt, and html extensions appended. For NFS and RPC, it generates rpcinfo -p, showmount -e, the nfs-showmount/nfs-ls/nfs-statfs NSE trio, and the full NFS mount workflow. For SMB, it generates smbclient -L with null authentication, the smb-enum-shares/smb-enum-users/smb-os-discovery NSE bundle, and enum4linux-ng. Every command is immediately executable; the operator receives a complete reconnaissance playbook from a single natural-language request.
Designing a Stealthy SYN Scan Configuration
ShellGPT functions equally well as a technique advisor when the attacker needs to design a scan optimised for evasion rather than speed. The following prompt operates without any target file or live scan:
sgpt "Generate Nmap command for stealth SYN scan"
ShellGPT responds with a precise answer and a clear rationale. The core recommendation combines three flags — -sS for SYN scanning, -Pn to suppress host-discovery probes, and -T2 for a polite timing template. The -sS flag keeps connections half-open, preventing session logging at the application layer. The -Pn flag eliminates the discovery footprint entirely. The T2 timing template introduces inter-probe delays that keep the scan rate below most IDS threshold triggers. ShellGPT also lists three optional enhancements: -p- to scan all 65,535 ports, --scan-delay 100ms for an explicit inter-probe pause, and --max-retries 2 to reduce the total packet count. The highlighted example command is:

Using ShellGPT to Demystify Complex Flag Combinations
Beyond command generation and scan analysis, ShellGPT serves as an on-demand reference that explains what any Nmap command does before the operator runs it. The prompt is:
sgpt "Explain nmap -sS -sV -O -Pn"

ShellGPT delivers a precise four-point breakdown: -sS performs a SYN (half-open) scan, faster and stealthier than a full connect scan; -sV activates service and version detection; -O enables OS detection via TCP/IP stack fingerprinting; -Pn disables host discovery entirely, treating the target as up and skipping all ping checks. ShellGPT then synthesises these four flags into a four-step operational summary and provides an immediately executable example command applied to 192.168.1.10. This advisory mode requires no target, no file, and no prior scan — the operator describes what they want to understand, and ShellGPT provides both the theory and the practice in a single response.
Using Shell-GPT for SSH Brute-Force Attacks
The user simply describes their intent in plain English — asking to brute-force SSH on the host at 192.168.1.9 using the wordlists users.txt and pass.txt — and Shell-GPT translates that natural-language request into a precise, executable command. It generates an nmap invocation that targets port 22 and loads nmap’s ssh-brute script, supplying the username and password lists through the script arguments. The tool then presents the familiar Execute / Modify / Describe / Abort prompt, and the operator confirms execution after issuing the following prompt:
sgpt --shell "Use nmap to SSH-bruteforce on IP address=192.168.1.9 using users.txt and pass.txt files location /root/"
Once running, nmap begins methodically working through every combination drawn from the two wordlists. The terminal fills with a long sequence of “Trying username/password pair” entries, cycling usernames such as raj, pentest, lowpriv, administrator, ignite, and sa against a series of common passwords like admin@123, Password@123, Ignite@987, and 123. This systematic pairing is the essence of a dictionary-based brute-force attack: rather than guessing randomly, the tool tests a curated list of likely credentials until it either exhausts the list or finds a match.

The payoff appears at the bottom of the output, highlighted in red. Nmap reports that port 22 is open and running SSH, and under the ssh-brute results it lists two sets of valid credentials it successfully recovered: pentest:123 and lowpriv:123. The accompanying statistics note that the script performed 38 guesses in roughly 11 seconds, averaging about 3.5 attempts per second, and the VMware MAC address confirms the target is a virtual machine.
Mitigation Strategies
The reconnaissance workflow documented in this article exposes a consistent pattern: every piece of information that Nmap and ShellGPT collect from the target is information the target chose to disclose. Reducing the reconnaissance attack surface therefore means reducing what a host discloses in response to unsolicited probes. The following mitigations directly address the techniques demonstrated above.
Disable unnecessary services. The most effective mitigation for any reconnaissance finding is service elimination. Every open port is a potential data source for an attacker’s fingerprinting sweep. Metasploitable 2 exposes 23 services on a single host; a hardened server should expose only those strictly required for its role. Administrators should audit every listening port with netstat -tlnp or ss -tlnp on a scheduled basis and shut down anything without a documented business justification.
Enforce strict firewall rules with a default-deny policy. A host-based firewall configured to drop all inbound traffic by default and permit only explicitly whitelisted ports and protocols prevents Nmap from obtaining port-state information on any service it has not been authorised to reach. The DROP target — rather than REJECT — is critical: REJECT generates an ICMP error that confirms the host is alive and the port is filtered, while DROP returns silence. Silence is the correct answer to an unsolicited probe.
Update and patch all services to current supported versions. This article identified vsftpd 2.3.4 (backdoor, CVE-2011-2523, remote root from 2011), Apache 2.2.8 (end-of-life 2013), PHP 5.2.4 (released 2007), Samba 3.0.20 (multiple critical CVEs), OpenSSH with deprecated algorithms including diffie-hellman-group1-sha1, and SSL 3.0 (POODLE, CVE-2014-3566) — none of which would appear on a system running current software. Maintaining a software inventory and applying security patches within a defined SLA is the most direct countermeasure against vulnerability-scan findings.
Harden SSH configuration. Disable password authentication entirely and enforce public-key authentication only. Remove deprecated key-exchange algorithms (diffie-hellman-group1-sha1, diffie-hellman-group14-sha1), deprecated ciphers (arcfour, 3des-cbc, all CBC-mode variants), and deprecated MAC algorithms (hmac-md5, hmac-md5-96, hmac-sha1-96) from the sshd_config file. Use RSA keys of at least 3072 bits or ED25519 keys. Rate-limit SSH connection attempts and use fail2ban or equivalent to block repeated failed authentications.
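To check a configuration against the algorithm list above, here is an added example (not from the original article): a POSIX shell audit that reports password authentication and every deprecated key-exchange algorithm, cipher or MAC an sshd_config still offers. The helper names are this example's own, and the configuration it runs on is constructed for the demonstration.

```shell
# Added example, not from the original article: audit an sshd_config for the
# deprecated algorithms and password authentication discussed above. Assumes plain
# "Keyword value" lines (Match blocks are ignored); an absent option falls back to
# the sshd build default, so feed it "sshd -T" output to audit the effective config.

# Algorithm names (or fragments) the article lists as deprecated.
WEAK_KEX='diffie-hellman-group1-sha1 diffie-hellman-group14-sha1'
WEAK_CIPHERS='arcfour 3des-cbc -cbc'   # "-cbc" catches every CBC-mode cipher
WEAK_MACS='hmac-md5 hmac-sha1-96'      # "hmac-md5" also catches hmac-md5-96

# get_option FILE KEYWORD: value of the last matching non-comment line, lowercased
get_option() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        'tolower($1) == k { v = $2 } END { print tolower(v) }' "$1"
}

# list_weak VALUE PATTERNS: each comma-separated algorithm in VALUE containing a pattern
list_weak() {
    printf '%s\n' "$1" | tr ',' '\n' | while read -r alg; do
        for w in $2; do
            case "$alg" in *"$w"*) echo "$alg"; break ;; esac
        done
    done
}

# audit_sshd_config FILE: print one finding per line; return 0 only if clean
audit_sshd_config() {
    findings=0
    pa=$(get_option "$1" PasswordAuthentication)
    if [ "$pa" != "no" ]; then
        echo "PasswordAuthentication is '${pa:-unset, defaults to yes}'; set it to no"
        findings=$((findings + 1))
    fi
    for pair in "KexAlgorithms:$WEAK_KEX" "Ciphers:$WEAK_CIPHERS" "MACs:$WEAK_MACS"; do
        key=${pair%%:*}
        for alg in $(list_weak "$(get_option "$1" "$key")" "${pair#*:}"); do
            echo "$key offers deprecated algorithm: $alg"
            findings=$((findings + 1))
        done
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample resembling the legacy target in the article.
WEAK_CONF=$(mktemp)
printf '%s\n' 'PasswordAuthentication yes' \
    'KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,curve25519-sha256' \
    'Ciphers aes128-ctr,aes128-cbc,3des-cbc,arcfour' \
    'MACs hmac-sha2-256,hmac-md5,hmac-sha1-96' >"$WEAK_CONF"
audit_sshd_config "$WEAK_CONF" || true
```

Run against the sample it prints eight findings and exits non-zero; against a hardened file it prints nothing and exits zero, which makes it usable as a scheduled compliance check.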
Restrict FTP or replace it with SFTP/SCP. Anonymous FTP login — as demonstrated on 192.168.1.9 — grants any unauthenticated attacker read access to the pub directory and exposes the server banner, daemon version, and connection metadata. If FTP is required, disable anonymous access, restrict login to named accounts with chroot jails, and consider replacing FTP entirely with SFTP, which provides the same file-transfer functionality over an encrypted SSH channel with no additional attack surface.
Secure SMB and NFS exports. The IPC$ and tmp shares on Metasploitable 2 permit anonymous read/write access — a configuration that allows null-session enumeration of user accounts, shares, and password policies, and provides a writable staging directory for payload delivery. SMB shares should require authentication; guest access should be disabled. NFS exports should enumerate permitted client addresses explicitly, use the no_root_squash option only where operationally required, and restrict export paths to the minimum necessary scope. Both services should be firewalled to permit access only from known client addresses.
Rate-limit and filter ICMP. The UDP ping, SCTP INIT ping, and IP-protocol ping techniques all rely on ICMP error messages — specifically ICMP Port Unreachable and Protocol Unreachable — generated by the target’s own kernel in response to probes for unsupported ports or protocols. Rate-limiting outbound ICMP error messages reduces the information these responses provide, and a strict inbound firewall policy that drops ICMP echo requests prevents standard ping-based host discovery. Note that completely suppressing all outbound ICMP is operationally disruptive (it breaks path MTU discovery); rate-limiting is the practical balance.
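Pulling together the default-deny, DROP-not-REJECT policy described earlier and the ICMP handling in this paragraph, here is an nftables ruleset as an added example (not from the original article). The permitted ports and the 10/second rate are assumptions for a hypothetical host and must be replaced with values from the host's documented role.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original article: default-deny host firewall with
# silent drops and rate-limited outbound ICMP errors. Port list and rates are
# assumptions for a hypothetical host; adjust them to the host's documented role.
flush ruleset

table inet filter {
    chain input {
        # Policy drop, never reject: an unsolicited probe gets silence, not an
        # ICMP error that confirms the host is alive and the port is filtered.
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept   # replies to our own traffic, including related ICMP errors
        ct state invalid drop

        # Only the services the host's role requires (assumed here: SSH and HTTPS).
        tcp dport { 22, 443 } accept

        # Drop echo requests explicitly so ping-based host discovery gets nothing;
        # keep IPv6 neighbour discovery working.
        icmp type echo-request drop
        icmpv6 type echo-request drop
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } accept
        # Everything else falls through to the chain policy and is dropped silently.
    }

    chain output {
        type filter hook output priority 0; policy accept;

        # Rate-limit the kernel's own Destination Unreachable replies (Port and
        # Protocol Unreachable are codes of this type) instead of blocking them:
        # blocking them outright would break path MTU discovery.
        icmp type destination-unreachable limit rate over 10/second drop
        icmpv6 type destination-unreachable limit rate over 10/second drop
    }
}
```

Check it with nft -c -f before loading it with nft -f, and confirm the result with nft list ruleset.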
Monitor for AI-assisted reconnaissance patterns. Traditional IDS signatures focus on specific tool fingerprints (Nmap’s default TTL patterns, probe timing, and payload content). AI-assisted tools like ShellGPT produce commands that are syntactically identical to manually crafted ones, so signature-based detection is equally effective. However, the velocity and breadth of the workflow documented here — host discovery, fast port scan, service fingerprinting, OS detection, NSE vulnerability scan, protocol enumeration, and HTTP enumeration all within minutes — produces a reconnaissance pattern that rate-based anomaly detection and network behaviour analysis should flag even without tool-specific signatures. Deploying a network IDS such as Snort or Suricata with tuned rate-based rules, and reviewing connection logs for hosts that generate unusually high volumes of SYN packets to diverse ports in short windows, provides a layer of detection that is not bypassed by the AI layer of the attacker’s workflow.
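The connection-log review described above, as an added example that is not part of the original article: a POSIX shell/awk function that flags any source sending initial SYNs to more than a threshold of distinct ports within a fixed time bucket. The log format and the addresses are constructed for the demonstration; a real Zeek conn.log or firewall log needs its columns mapped to this order first.

```shell
# Added example (not from the original article): rate-based detection of the
# reconnaissance pattern described above, run over a constructed connection log.
# Each log line is assumed to be "<epoch> <src_ip> <dst_ip> <dst_port> <flags>",
# a simplified form of what a Zeek conn.log or a firewall log provides.

# flag_port_scanners LOG WINDOW_SECONDS PORT_THRESHOLD
# Prints "src_ip distinct_ports window_start" for every source whose initial
# SYNs (S set, A clear) reached more than PORT_THRESHOLD distinct ports within
# one fixed WINDOW_SECONDS bucket. Returns 1 if anything was flagged, else 0.
flag_port_scanners() {
    awk -v win="$2" -v thr="$3" '
        $5 ~ /S/ && $5 !~ /A/ {
            bucket = int($1 / win) * win
            key = $2 SUBSEP bucket
            if (!((key, $4) in seen)) { seen[key, $4] = 1; ports[key]++ }
        }
        END {
            for (k in ports) if (ports[k] > thr) {
                split(k, p, SUBSEP); n++
                printf "%s %d %d\n", p[1], ports[k], p[2]
            }
            if (n > 0) exit 1
        }' "$1"
}

# Constructed sample log: one scanner, one ordinary client, one server reply.
LOG=$(mktemp)
{
    i=0
    for port in 21 22 23 25 80 139 445 3306; do   # scanner: 8 ports in one second
        echo "1700000000.$i 192.168.1.50 192.168.1.9 $port S"; i=$((i + 1))
    done
    echo "1700000000.1 192.168.1.9 192.168.1.50 22 SA"  # SYN-ACK reply, must not count
    echo "1700000010 192.168.1.20 192.168.1.9 80 S"     # ordinary client, 3 services/minute
    echo "1700000030 192.168.1.20 192.168.1.9 443 S"
    echo "1700000055 192.168.1.20 192.168.1.9 22 S"
} >"$LOG"

echo "Sources exceeding 5 distinct ports in a 10-second window:"
flag_port_scanners "$LOG" 10 5 || true
```

Fixed buckets keep the awk simple; a burst straddling a bucket boundary can be split in two, so pick a window a few times longer than the scan durations seen in practice or move to a sliding window.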
Conclusion
This article has documented twenty-five progressive reconnaissance operations driven by a single consistent workflow: express intent in plain English, receive an execution-ready command, execute it, and interpret the output. The pairing of ShellGPT with Nmap removes the principal barrier to advanced network reconnaissance — the requirement to know the tool — and replaces it with a conversational interface that translates operator intent directly into precise, correct commands across every major scan type, NSE category, and protocol.
The scope of what this workflow achieves in a short session is significant. Starting from a blank terminal, the attacker installed the tool, configured API access, confirmed connectivity, discovered six live hosts, enumerated their open ports, fingerprinted their services and operating systems, identified three remotely exploitable critical vulnerabilities, mapped SMB shares with anonymous access, extracted SSH cryptographic weaknesses, fingerprinted web stacks, traced network topology, inspected raw packet exchanges, saved scan output to disk, fed it back to the AI for an instant attack-surface analysis and a complete enumeration command plan, and designed a stealth scanning configuration — all without writing a single Nmap command from memory.
The implication for defenders is equally direct: this capability is not the exclusive province of experienced penetration testers. Any operator with an OpenAI API key and a running instance of ShellGPT can execute the same workflow against their own infrastructure. The mitigation strategies documented here — service reduction, default-deny firewalling, current patch levels, SSH hardening, SMB and NFS access controls, ICMP rate-limiting, and anomaly-based reconnaissance detection — represent the defensive counterpart to the offensive workflow. A network that implements them consistently has no individual service that discloses useful reconnaissance data in response to any of the twenty-five operations documented above. That is the correct security posture: not the elimination of scanning, but the elimination of what scanning can find.