Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [RFC] Zenmap search interface overhaul
From: Fyodor <fyodor () insecure org>
Date: Tue, 27 May 2008 18:56:12 -0700

On Fri, May 23, 2008 at 04:33:50PM -0600, David Fifield wrote:
On Fri, May 23, 2008 at 03:09:07AM +0200, Vladimir Mitrovic wrote:

What search needs do you have? Do you currently use custom scripts to
search through your saved Nmap scans, or does nobody really need to do
that? If people only need to do simple searches, then the search
function should be simple too. Or maybe you could do more if only you
had a more powerful search tool.

I like the idea of free text as a filter.  Once I scan a huge network
(or open a scan file), I'd like to be able to search for strings like
bind or apache and have that filter the results to only those which
match the string.  I'd probably normally use the bareword match
Vladimir mentioned, since most of my queries will not have any/many
false positives.  Maybe there will happen to be a machine named
apache.example.com, but that is OK because my main goal is to filter
down the results so I can review them by hand more easily.  Right now
I just do that by opening the Nmap output in a text editor such as
emacs and then searching for the relevant strings.

The reason for searching for a certain string might be that I'm doing
a pen-test and I have a zero day exploit for (software) and so I'm
searching to see if it exists on the network I scanned.  This is also
useful for someone who runs a large network.  If he gets an advisory
about a major bug in openssh or whatever, he can then search his
latest daily scan log for openssh very quickly so he knows what to
patch.

Also, I might have an ssh brute force tool and so I want to limit the
results to just the machines with tcp port 22 open (or open|filtered,
I suppose, though that's mostly useful for UDP) or a service
discovered on any port with the service name ssh.

There is also the issue of "searching for a historical scan to open".
That isn't something I do as frequently.  The date options you've
mentioned would clearly be useful there.

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault