Re: How to aggregate output of NMAP

From: Fyodor (fyodor@insecure.org)
Date: 02/06/02


Date: Tue, 5 Feb 2002 19:54:18 -0800
From: Fyodor <fyodor@insecure.org>
To: "Lodin, Steven {GZ-Q~Mannheim}" <STEVEN.LODIN@Roche.COM>

On Tue, Feb 05, 2002 at 09:38:45PM +0100, Lodin, Steven {GZ-Q~Mannheim} wrote:

> Someone else mentioned Perl and gave a small code example. If this
> is interesting to you, check out ndiff (Nmap diff). I don't have
> the URL, but if I remember correctly, I found it from one of the
> nmap mailing list archives on www.insecure.org.

Ndiff was written by James Levine and is available at
http://www.vinecorp.com/ndiff/ .

Also, it sounds like the original poster had very simple needs, such
as obtaining a list of ftp or web servers. The Nmap "grepable"
output mode may be sufficient. The syntax is "-oG <filename>" and it
puts the most critical info about a host on a line like this:

Host: 127.0.0.1 (felix.insecure.org) Ports: 22/open/tcp//ssh///, 53/open/tcp//domain///, 515/open/tcp//printer///, 6000/open/tcp//X11/// Ignored State: closed (1548) OS: Linux Kernel 2.4.0 - 2.4.17 (X86) Seq Index: 3696008 IPID Seq: All zeros

You can easily grep the file for ports like "/dtspc/" and OS strings like
"Solaris". If there are a lot of results, you can obtain just the IPs
by piping them to standard shell commands like 'cut "-d " -f2'.

All this being said, I recommend the XML output mode (-oX) for more
involved analysis and feeding results to other nontrivial programs.
The XML also contains some info that I haven't found a place for in
the normal (or grepable) output formats.

Cheers,
Fyodor
http://www.insecure.org/
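
An added example, not part of the original message: a shell function that pulls the IPs of hosts with a given service out of "-oG" output, for building an inventory of your own scan results. Unlike a plain grep for "/ftp/", it checks the state field, so a port reported as filtered or closed does not count. The function names and the sample hosts are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.

# Constructed -oG sample. Nmap separates the Host/Ports/Ignored State
# fields with tabs; the third line uses spaces, as in the line quoted above.
sample_scan() {
    printf 'Host: 192.0.2.10 (ftp1.example.test)\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///\tIgnored State: closed (1546)\n'
    printf 'Host: 192.0.2.11 ()\tPorts: 21/filtered/tcp//ftp///, 80/open/tcp//http///\tIgnored State: closed (1546)\n'
    printf 'Host: 192.0.2.12 (www.example.test) Ports: 80/open/tcp//http///, 443/open/tcp//https/// Ignored State: closed (1546)\n'
    printf 'Host: 192.0.2.13 ()\tStatus: Up\n'
}

# hosts_with_service SERVICE FILE
# Print the IP of each host that has SERVICE on a port in state "open".
# FILE may be "-" to read standard input.
hosts_with_service() {
    awk -v svc="$1" '
    /^Host: / {
        start = index($0, "Ports: ")
        if (start == 0) next              # host line without a port list
        ip = $2
        n = split(substr($0, start + 7), entry, ", ")
        for (i = 1; i <= n; i++) {
            # Each entry: port/state/protocol/owner/service/rpcinfo/version
            split(entry[i], f, "/")
            if (f[1] ~ /^[0-9]+$/ && f[2] == "open" && f[5] == svc) {
                print ip
                break                     # one line per host is enough
            }
        }
    }' "$2"
}

# Demo run on the constructed sample: only 192.0.2.10 has ftp open.
sample_scan | hosts_with_service ftp -
```
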
