SANS ISC: Automating nmap scans SANS ISC InfoSec Forums

Automating nmap scans

With last week’s diary I left you with a relatively basic nmap command that performs a relatively thorough scan of an IP range. That command was:


nmap -sT -A <scan_target>


I had indicated that I often use variations on that command to automate periodic scans against a critical IP range. I had left you with some basics about what other parts of nmap can be helpful to automate this. This week I received some questions about the automation steps, so here are the rest of the details. In practice, most of my automated scripts have evolved from this simple state, but this very basic form is where they started.

In order to truly automate the scan we need three components:
Input file – to tell nmap which targets to scan
Output file(s) – to record and compare the results
Bash script – to act as a wrapper for the process steps

To tell nmap which IPs or networks to scan you can use the -iL <filename> parameter.  For a quick scan I usually just create a file called ips.txt in the current directory.  The contents of that file can be single IPs or network ranges in CIDR format, one address/network per line. So that takes us to an nmap command of:


nmap -sT -A -iL <address_file>


As stated in the previous diary, the -oA <filename> parameter will send the nmap scan results to files in all three of nmap’s output formats: normal (.nmap), XML (.xml), and grepable (.gnmap). Only the .xml version is used by ndiff, but I find the other output formats useful for other purposes, such as investigating after the scan. Typically I just send my output to a file called nmap_current. So the resulting nmap command is:


nmap -sT -A -iL <address_file> -oA nmap_current


and once that command is complete there will be three nmap output files:
nmap_current.gnmap  
nmap_current.nmap  
nmap_current.xml

There are many ways the running of this can be automated, but typically I just create a simple bash shell script and schedule it with cron to run at the appropriate interval.  A sample Bash script, nmap_scan.sh:

#!/bin/bash

# if there is a current file from a past run, then copy it to previous
if [ -f nmap_current.xml ];then
   cp nmap_current.xml nmap_previous.xml
fi

# run nmap
/usr/bin/nmap -sT -A -iL ips.txt -oA nmap_current

# if there is not a previous file then there is no point running ndiff
# this will fix itself on the next run
if [ -f nmap_previous.xml ];then
   /bin/ndiff nmap_previous.xml nmap_current.xml >> ndiff_out.txt
fi

Please note that this is not a very robust script. The paths should be more explicit, and it does not handle the emailing of the ndiff result, but as a quick and dirty script it will do.
Once the script completes you will find the differences between the current scan and the previous scan in ndiff_out.txt in standard diff format, i.e. anything from the original file that has been removed shows a minus sign in the first column, and anything in the new file that has been added shows a plus sign in the first column.

# cat ndiff_out.txt
-Nmap 7.60 scan initiated Mon May 18 19:36:21 2020 as: /usr/bin/nmap -sT -A -iL ips.txt -oA nmap_current
+Nmap 7.60 scan initiated Mon May 18 20:12:00 2020 as: /usr/bin/nmap -sT -A -iL ips.txt -oA nmap_current

Hostname REDACTED (IP REDACTED):
OS details:
 Vodavi XTS-IP PBX
- Android 5.0 - 5.1
- Linux 3.2 - 3.10
 Linux 3.2 - 3.16
 Linux 3.2 - 4.8
+ Linux 3.2 - 3.10
 Linux 4.2
+ Android 5.0 - 5.1
+ Linux 2.6.32
 Linux 3.10
 Linux 3.13
- Linux 2.6.32
 Linux 2.6.32 - 3.10

+Hostname REDACTED (IP REDACTED):
+Host is up.
+Not shown: 999 closed ports
+PORT   STATE SERVICE VERSION
+3306/tcp open mysql  MariaDB (unauthorized)
+OS details:
+ Linux 2.6.32
+ Linux 3.7 - 3.10
+ Linux 3.10
+ Linux 3.16
+ Linux 3.8 - 4.9
+ Linux 3.1
+ Linux 3.2
+ AXIS 210A or 211 Network Camera (Linux 2.6.17)
+ Linux 3.11 - 3.14
+ Linux 3.19

With a little knowledge of the network and some analysis, this is enough to give you a warning if something unusual is going on, i.e. an unauthorized device or service has appeared, or the configuration of one of the devices has changed.
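
A tighter variant of nmap_scan.sh, added here as an example and not the diary author's script: it scans into a temporary basename so a failed run cannot overwrite the baseline, and uses ndiff's exit status (0 same, 1 different, 2 or higher error) to print the diff only when something changed, so a cron job that mails its output stays quiet otherwise. WORKDIR, the /usr/bin paths, the --run switch and the per-run ndiff_<timestamp>.txt files (used instead of appending to ndiff_out.txt) are assumptions of this example.

```shell
#!/bin/bash
# Added example, not the diary author's script. WORKDIR, NMAP and NDIFF are
# assumed locations; adjust them for your system.
WORKDIR="${WORKDIR:-/var/lib/nmap-baseline}"
NMAP="${NMAP:-/usr/bin/nmap}"
NDIFF="${NDIFF:-/usr/bin/ndiff}"

# Returns 0 = no change (or first run), 1 = scans differ, 2 = scan or diff failed.
scan_and_diff() {
    local stamp rc ext
    stamp="$(date +%Y%m%d-%H%M%S)"
    cd "$WORKDIR" || return 2
    [ -r ips.txt ] || { echo "missing $WORKDIR/ips.txt" >&2; return 2; }

    # Scan into a temporary basename so a failed scan never replaces the
    # last good baseline. Normal output is discarded; -oA still writes files.
    if ! "$NMAP" -sT -A -iL ips.txt -oA nmap_new >/dev/null; then
        echo "nmap failed, keeping previous baseline" >&2
        rm -f nmap_new.xml nmap_new.nmap nmap_new.gnmap
        return 2
    fi

    # Rotate: current becomes previous, the new scan becomes current.
    if [ -f nmap_current.xml ]; then
        mv -f nmap_current.xml nmap_previous.xml
    fi
    for ext in xml nmap gnmap; do
        mv -f "nmap_new.$ext" "nmap_current.$ext"
    done
    [ -f nmap_previous.xml ] || return 0   # first run: nothing to compare

    # ndiff exits 0 when the scans match, 1 when they differ, 2+ on error.
    "$NDIFF" nmap_previous.xml nmap_current.xml > "ndiff_$stamp.txt"
    rc=$?
    case "$rc" in
        0) rm -f "ndiff_$stamp.txt"; return 0 ;;
        1) cat "ndiff_$stamp.txt"; return 1 ;;   # printed only on change
        *) echo "ndiff failed with status $rc" >&2; return 2 ;;
    esac
}

# Run the scan only when called as: nmap_scan.sh --run
if [ "${1:-}" = "--run" ]; then
    scan_and_diff
    exit $?
fi
```

The exit status also lets a monitoring job tell "nothing changed" apart from "the scan itself broke", which the append-only ndiff_out.txt cannot show.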
 

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)
