Penetration Testing: Re: How to aggregate output of NMAP

Re: How to aggregate output of NMAP

From: Vladimir Parkhaev <vladimir_at_arobas.net>
Date: Tue, 5 Feb 2002 18:33:50 -0500

Quoting Lodin, Steven {GZ-Q~Mannheim} (STEVEN.LODIN_at_Roche.COM):
> Someone else mentioned Perl and gave a small code example. If this is interesting to you, check out ndiff (Nmap diff). I don't have the URL, but if I remember correctly, I found it from one of the nmap mailing list archives on www.insecure.org.
>

I mailed this to the original poster... It does what I think he wanted....

#########################################################################

#!/usr/bin/perl -w
use strict;

my $NmapLog = './bla';            # nmap "normal" output (-oN) to summarise
my $look4   = qr/^(?:ftp|http|echo)$/;
#                    ^^^^^^^^^^^^^
# add more services you want to create a summary for

my ($ip, %phash);
open (IN, $NmapLog) or die "open $NmapLog err: $!\n";
while (<IN>) {
  chomp;
  # "Interesting ports on host (1.2.3.4):" starts a new host block
  $ip = $1 if /^Interesting\sports\s.*\((.*)\):/;
  # "21/tcp   open   ftp" - only open ports of the wanted services count
  if ( my ($svc) = /^\d+\/(?:tcp|udp)\s+open\s+(\S+)/ ) {
    push @{$phash{$svc}}, $ip if $svc =~ $look4 and defined $ip;
  }
}
close IN;

foreach ( sort keys %phash ) {
  my $num = scalar @{$phash{$_}};
  print "\'$_\' open on $num server", (($num == 1)? '' : 's'),
        " : ", (join ', ' , @{$phash{$_}}), "\n";
}

#########################################################################

> I think I would use a combination of grep/cut/sort/uniq/wc for the how many part. One question you didn't ask is "what are the web servers". For this, I use Whisker to classify the web servers. Any better options?
>

Sure. Well, I REALLY feel like writing perl code today....

#########################################################################

#!/usr/bin/perl -w
use strict;
use IO::Socket;
$|++;

my $net = '192.168.121';
# modify here if you are scanning a class B

$SIG{ALRM} = sub { die "TimeouT\n"; };

foreach my $ip (1..254) {
  my $host = $net . '.' . $ip;
# modify here as well if you are scanning a class B
  my $sock = IO::Socket::INET->new ( PeerAddr => $host,
                                     PeerPort => 80,
                                     Timeout  => 2,
                                     Proto    => 'tcp' ) or next;
  $sock->autoflush(1);

  alarm 5; # set alarm for braindead IIS servers
  eval {
     # HTTP/1.1 requires a Host header; "Connection: close" makes the server
     # hang up after the response instead of keeping the socket open
     print $sock "GET / HTTP/1.1\015\012",
                 "Host: $host\015\012",
                 "Connection: close\015\012\015\012";
     while ( <$sock> ) {
       last if /^\015?\012$/;   # blank line ends the response headers
       if ( /^Server: /i ) {
          s/\s+$//g;
          printf "%-15s %-50s\n", $host, $_;
       }
     }
  };
  alarm 0; # always clear the alarm, whatever happened inside the eval

  if ( $@ ) { # check for status of eval
     ($@ =~ /TimeouT/)? warn "Timedout while talking to $host, braindead IIS?\n"
                      : warn "eval failed (host $host): $@\n";
  }
  close $sock;
}

#########################################################################

> Another thought came to me... Perhaps the scanssh program has some summarization code in it as well that could be reused...

Nah. Just roll your own :)

--
print chr hex for qw +
2D 2D 0A 76 6C 61 64 69 6D 69 72 40 61 72 6F 62 61 73 2E 6E 65 74 0A 44 38
37 44 20 44 32 46 42 20 46 31 36 33 20 46 31 43 31 20 34 32 30 41 20 20 31
44 31 46 20 36 43 42 39 20 31 46 38 39 20 38 35 30 42 20 30 38 44 44 0A +;
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
Received on Feb 06 2002