PsNmapParser

PsNmapParser is a PowerShell-based utility for parsing, querying, exporting, and reporting on Nmap XML scan results. It is mostly intended for pentesters, who need flexible access to Nmap output.

The module reads one or multiple Nmap XML output files, turns it into structured objects, and provides:

• A small but powerful query syntax to query and filter hosts, ports, protocols, services, and products
• A set of special commands to extract HTTP/TLS information, blocked ports, scan statistics, and more
• Simple export options (TXT, CSV, JSON, XML) for further processing and reporting

Why PowerShell?
In some engagements, only Windows PowerShell 5.1 is available. Therefore, the tool is designed to run on both Windows PowerShell 5.1 and PowerShell Core (7+), on Windows and Linux, without external dependencies.

Known limitations
PsNmapParser works best on small to medium Nmap XML files. On very large scans, the in-memory filtering and sorting may become noticeably slower.

---

Features

• Supports Nmap XML output (-oX and -oA)
• Merge and analyze multiple scan files at once
• Flexible query syntax for selecting columns and applying filters
• Outputs proper PowerShell objects by default (pipeline-friendly)
• Optional table formatting with -Table
• CSV one-liner output for single-column queries using -Csv
• Built-in export functionality (TXT, CSV, JSON, XML)
• Ccan statistics via scan-info
• Special helper commands for:
  • HTTP ports and metadata (http-ports, http-title, http-info)
  • TLS/SSL ports and certificate details (tls-ports, ssl-common-name)
  • Blocked or wrapped ports (blocked-ports)
• Full compatibility with PowerShell 5.1 and PowerShell 7+ (Windows & Linux)
• No external dependencies required
• Proper IP sorting
• Accepts flexible token naming (host-port, hosts-ports, etc.)

Requirements

• PowerShell 5.1 or later (PowerShell 7+ supported)
• Nmap XML output generated with -oX or -oA

Screenshots

Showing scan statistics for multiple input files:

Showing hosts, ports, and services from both scan files, filtered for port 3306, export as csv:

Showing services (filtered for HTTP), and host:ports (filtered for IPs starting with 10.0.0), along with protocol and hostname:

Installation

git clone https://github.com/zh54321/PsNmapParser
cd PsNmapParser
Import-Module ./PsNmapParser.psm1

Optional execution policy (process local):

Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process

Basic Usage

Invoke-PsNmapParser scan.xml hostport-service

Multiple files:

Invoke-PsNmapParser "scan1.xml,scan2.xml" service-host-port

Query Syntax Overview

Columns

• host
• hostname
• port
• protocol
• service
• product
• hostport

Example: service-hostport

Filters (to append)

• tcp / udp
• closed
• filtered
• open (default)
• all

Example: host-port-udp

Per-column filters

Syntax:

token:pattern[||pattern2]

Matching modes:

• =foo (exact)
• *foo (contains)
• foo (startsWith)
• ~foo (endsWith)

Negation:

• !foo
• !=foo
• !*foo
• !~foo

Special Commands

• scan-info – Show scan overview (Nmap command, timing, hosts, open ports, protocols).
• all-hosts – List all discovered hosts regardless of port state.
• blocked-ports – Show ports blocked by firewalls or filtering (e.g. admin-prohibited, tcpwrapped).
• http-ports – Detect HTTP/HTTPS services and reconstruct reachable URLs.
• http-title – Extract HTML page titles using the http-title Nmap script.
• http-info – Display aggregated HTTP details (service, product, headers, titles, redirects).
• tls-ports – Identify ports that appear to speak TLS/SSL.
• ssl-common-name – Extract TLS certificate Common Name and SAN (requires Nmap -sC or --script ssl-cert).

Exporting Results

You can export results using the -Export switch.
Supported formats:

• Txt
• Csv
• Json
• Xml

An optional target file can be specified with -Path.

If no path is provided, a file is created in the current directory using the following default naming scheme:

PsNmapParser_<command>_YYYYDDMM_HHMM.<ext>

📌 Examples

This section shows practical examples of how to use PsNmapParser in different scenarios.

💡 In all examples below, replace scan.xml with the path to your own Nmap XML file (one or multiple)

---

🔹 Basic host and port listing

List all hosts that have at least one open port (default state filter):

Invoke-PsNmapParser scan.xml host

List all hosts and their open ports:

Invoke-PsNmapParser scan.xml host-port

Same information, but sorted primarily by port, then by host:

Invoke-PsNmapParser scan.xml port-host

List combined IP:PORT pairs:

Invoke-PsNmapParser scan.xml hostport

---

🔹 Working with protocols and states

List all open TCP ports:

Invoke-PsNmapParser scan.xml port-tcp

List all open UDP ports:

Invoke-PsNmapParser scan.xml port-udp

List all closed TCP ports:

Invoke-PsNmapParser scan.xml port-tcp-closed

List all ports, any state (open, closed, filtered, open|filtered, etc.):

Invoke-PsNmapParser scan.xml host-port-all

List filtered UDP ports only:

Invoke-PsNmapParser scan.xml host-port-udp-filtered

---

🔹 Filtering by host

Show only hosts in the 10.0.0.0/8 range (starts with 10.0):

Invoke-PsNmapParser scan.xml host:10.0.

Show hosts that are not in 10.0.:

Invoke-PsNmapParser scan.xml host:!10.0.

Show hosts exactly matching a single IP:

Invoke-PsNmapParser scan.xml host:=10.0.0.5

---

🔹 Filtering by port

Show only ports 80 or 443:

Invoke-PsNmapParser scan.xml "host-port:=80||=443"

Show all ports except port 80 (exact negation):

Invoke-PsNmapParser scan.xml host-port:!=80

Show only ports in the high range (e.g. 8000 and above – based on prefix):

Invoke-PsNmapParser scan.xml host-port:8

---

🔹 Filtering by service and product

Show all HTTP-like services (service name contains http):

Invoke-PsNmapParser scan.xml host-port-service:*http

Show only pure http (exact match):

Invoke-PsNmapParser scan.xml host-port-service:=http

---

🔹 Filtering by hostname

Show hosts where the first hostname contains router:

Invoke-PsNmapParser scan.xml host-hostname:*router

Show all HTTPS ports on hosts whose name ends with .corp.local:

Invoke-PsNmapParser scan.xml "host-hostname:~.corp.local-port-service:=https"

Show only entries for a specific hostname:

Invoke-PsNmapParser scan.xml host-port-hostname:=web01.corp.local

---

🔹 Combining multiple filters (AND / OR)

Filters on different fields are AND-combined, while patterns within one field use OR.

Example: show HTTP/HTTPS services on hosts in 10.0.:

Invoke-PsNmapParser scan.xml "host:10.0.-port-service:=http||=https"

• host:10.0. → host starts with 10.0.
• service:=http||=https → service is exactly http OR https
• Combined with AND between host and service filters.

Example: open TCP ports on hosts not in 10. and ports not 22:

Invoke-PsNmapParser scan.xml host-port-tcp-host:!10.-port:!=22

---

🔹 Using CSV mode

Generate a comma-separated list of hosts (single line, no header):

Invoke-PsNmapParser scan.xml host -Csv

Comma-separated list of all open ports (single line, no header):

Invoke-PsNmapParser scan.xml port -Csv

ℹ️ -Csv is only supported when exactly one column is selected (e.g. host, port, hostport, hostname).

---

🔹 Working with multiple scan files

Pass a comma- or semicolon-separated list of files. All scans are merged logically:

Invoke-PsNmapParser "scan1.xml,scan2.xml" host-port-service

or

Invoke-PsNmapParser "scan1.xml;scan2.xml" host-port-service

You can still use all filters and special commands exactly as with a single file.

---

🔹 Scan overview and statistics

Get a high-level summary of one or more scans: total hosts, open ports, protocols, and per-file statistics:

Invoke-PsNmapParser scan.xml scan-info

With multiple files:

Invoke-PsNmapParser "scan1.xml,scan2.xml,scan3.xml" scan-info

This prints a human-readable text report with an overall summary and per-scan details.

---

🔹 HTTP-related helpers

List all HTTP/HTTPS URLs detected in the scan:

Invoke-PsNmapParser scan.xml http-ports

List HTTP titles (from the http-title script output):

Invoke-PsNmapParser scan.xml http-title

Detailed HTTP info (service, tunnel, product, server header, title, redirect URL):

Invoke-PsNmapParser scan.xml http-info

Combine with -Table for a nicely formatted view:

Invoke-PsNmapParser scan.xml http-info -Table

---

🔹 TLS / SSL helpers

List ports that appear to speak TLS (https, SSL tunnel or SSL scripts present):

Invoke-PsNmapParser scan.xml tls-ports

List certificate common names and SubjectAltName data from ssl-cert:

Invoke-PsNmapParser scan.xml ssl-common-name

---

🔹 Exporting results

Export HTTP info to CSV:

Invoke-PsNmapParser scan.xml http-info -Export Csv

Export all host-port-service data to JSON into a custom path:

Invoke-PsNmapParser scan.xml host-port-service -Export Json -Path .\http_services.json

Export scan overview to a timestamped TXT file (path auto-generated):

Invoke-PsNmapParser scan.xml scan-info -Export Txt

Run export quietly (no console output, only the exported file):

Invoke-PsNmapParser scan.xml host-port-service -Export Csv -Silent

---

🔹 Piping and further PowerShell processing

Because most commands return objects, you can further process them directly in PowerShell.

Example: top 10 most common open ports:

Invoke-PsNmapParser scan.xml host-port |
    Group-Object -Property Port |
    Sort-Object Count -Descending |
    Select-Object -First 10

Example: list all hosts with an open HTTP service (port 80, service contains http):

invoke-psnmapparser ".\nmap_host_discovery.xml,http_scan.xml" host-port-service |
    Where-Object { $_.Port -eq 80 -and $_.Service -like "*http*" } |
    Select-Object -Property Host, Port, Service -Unique 

Example: export all hosts with at least one open HTTPS service to CSV:

$https = Invoke-PsNmapParser scan.xml host-port-service:=https
$https | Export-Csv .\https_hosts.csv -NoTypeInformation

These examples are only a starting point — you can freely combine columns, filters, and PowerShell commands to fit your workflow.

Contributing

Bug reports, feature requests, and pull requests are welcome.