Re: How to aggregate output of NMAP
From: Vladimir Parkhaev (vladimir@arobas.net)Date: 02/06/02
- Previous message: E: "Re: Political Analysis of Security Products"
- In reply to: Lodin, Steven {GZ-Q~Mannheim}: "RE: How to aggregate output of NMAP"
- Next in thread: Fyodor: "Re: How to aggregate output of NMAP"
- Next in thread: Mike Brentlinger: "Re: How to aggregate output of NMAP"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 5 Feb 2002 18:33:50 -0500 From: Vladimir Parkhaev <vladimir@arobas.net> To: "Lodin, Steven {GZ-Q~Mannheim}" <STEVEN.LODIN@Roche.COM>
Quoting Lodin, Steven {GZ-Q~Mannheim} (STEVEN.LODIN@Roche.COM):
> Someone else mentioned Perl and gave a small code example. If this is interesting to you, check out ndiff (Nmap diff). I don't have the URL, but if I remember correctly, I found it from one of the nmap mailing list archives on www.insecure.org.
>
I mailed this to the original poster... It does what I think he wanted....
#########################################################################
#!/usr/bin/perl -w
$NmapLog = './bla';
$look4 = qr/ftp|http|echo/;
# ^^^^^^^^^
# add more sevices you want to create summary for
open (IN, $NmapLog) or die "open $NmapLog err: $!\n";
while (<IN>) {
chomp;
$ip = $1 if /^Interesting\sports\s.*\((.*)\):/;
push @{$phash{$&}}, $ip if /$look4/;
}
close IN;
foreach ( keys %phash ) {
$num = scalar @{$phash{$_}};
print "\'$_\' open on $num server", (($num == 1)? undef : 's'),
" : ", (join ', ' , @{$phash{$_}}), "\n";
}
#########################################################################
> I think I would use a combination of grep/cut/sort/uniq/wc for the how many part. One question you didn't ask is "what are the web servers". For this, I use Whisker to classify the web servers. Any better options?
>
Sure. Well, I REALY feel like writing perl code today....
#########################################################################
#!/usr/bin/perl -w
use IO::Socket;
$|++;
$net = '192.168.121';
# modify here if you scaning class B
$SIG{ALRM} = sub { die 'TimeouT'; };
foreach $ip (1..254) {
$host = $net . '.' . $ip;
# modify here as well if you scaning class B
$sock = IO::Socket::INET->new ( PeerAddr => $host,
PeerPort => 80,
Timeout => 2,
Proto => 'tcp' ) or next;
$sock->autoflush(1);
alarm 5; # set alarm for braindead IIS servers
eval {
print $sock 'GET / HTTP/1.1' . "\015\012" x 2;
while ( <$sock> ) {
if ( /Server: /i ) {
s/\s+$//g;
printf "%-15s %-50s\n", $host, $_;
}
}
alarm 0;
};
if ( $@ ) { # check for status of eval
($@ =~ /TimeouT/)? warn "Timedout while talking to $host, braindead IIS?\n"
: warn "eval failed (host $host):$!\n";
}
else {
alarm 0;
}
close $sock;
}
#########################################################################
> Another thought came to me... Perhaps the scanssh program has some summarization code in it as well that could be reused...
Nah. Just roll your own :)
-- print chr hex for qw + 2D 2D 0A 76 6C 61 64 69 6D 69 72 40 61 72 6F 62 61 73 2E 6E 65 74 0A 44 38 37 44 20 44 32 46 42 20 46 31 36 33 20 46 31 43 31 20 34 32 30 41 20 20 31 44 31 46 20 36 43 42 39 20 31 46 38 39 20 38 35 30 42 20 30 38 44 44 0A +;---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
- Previous message: E: "Re: Political Analysis of Security Products"
- In reply to: Lodin, Steven {GZ-Q~Mannheim}: "RE: How to aggregate output of NMAP"
- Next in thread: Fyodor: "Re: How to aggregate output of NMAP"
- Next in thread: Mike Brentlinger: "Re: How to aggregate output of NMAP"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
