Nmap Development mailing list archives

Re: [RFC] Output file option for capturing service and os fingerprints


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Thu, 19 Jun 2008 23:51:10 +0000


On Thu, 19 Jun 2008 17:17:34 -0600
David Fifield <david () bamsoftware com> wrote:

> On Thu, Jun 19, 2008 at 05:25:56PM -0500, Tom Sellers wrote:
> > What I would like to do is add the ability to specify an output
> > file on the command line that would be used to capture service
> > and OS fingerprints.  It would need to work in addition to any
> > other requested output formats.
> >
> > nmap -sV -O -R -oFP fingerprints.txt --append-output 192.168.1.1/24
> > nmap -sV -O -R -oFP fingerprints.txt --append-output 192.168.2.1/24
> >
> > The goal would be to be able to scan multiple large network segments
> > and then check the files for unidentified services and devices.
> >
> > Any thoughts on this?  Oh, if there is already a simple way to do
> > this please break out the clue stick and fill me in.
>
> OS fingerprints are in XML output if you use -v or -d. You can find
> them with the XPath
> expression /nmaprun/host/os/osfingerprint/@fingerprint. Admittedly it
> would be awkward to find just unmatched OSes, because you would have
> to find hosts for which there is no osmatch element, and then extract
> the fingerprint.
>
> OS fingerprints are also in -oN output. You can just grep them out with
> "^OS:". Or did you have something else in mind?
>
> David Fifield


Hi David, Tom;

I have a hacked up perl script that provides this output as one of its
options (attached).

The script reads Nmap "normal" text output and *not* XML.  I've wanted
to add XML support but just haven't felt a pressing need to actually do
so.

To grab out a bunch of fingerprints and print them in a slightly more
human-friendly form do something like this:

$ ./npwn.pl -p -f ~/flexmap/log/report_a.b.174.168.nmap
a.b.174.168:12346   NULL -> ERROR: Too many log clients attached  

Npwn will take a directory instead of a file if you'd like and output
the entire pile of fingerprints.  Fingerprint output is actually
secondary to the primary goal of detecting compromised machines by an
Nmap scan.  The script has scaled just fine to accommodate our rather
large network.

For a directory example against 192,000 individual .nmap files:
$ time ./npwn.pl -P -d ~/flexmap/log/ | egrep -v '^$' | wc
  34329  454950 8055630

real    0m20.860s
user    0m14.144s
sys     0m6.375s


Here is typical compromised host detection output:

a.b.c.d (dyn-c-d.ucsd.edu):
---------------------------------------------------------------------------------
{5} [FTPFP] --  FTP server on 65500 found in fingerprint
{8} [FTPUPTIME] --  FTP uptime reported on 65500 found in fingerprint
{9} [FTPMS] --  FTP service on 65500 is pretending to be Microsoft service
{10} [HACKED] --  Hacked boasting on 65500 found in fingerprint

e.f.g.h (ip###.ucsd.edu):
---------------------------------------------------------------------------------
{5} [FTPFP] --  FTP server on 3388 found in fingerprint
{5} [FTPFP] --  FTP server on 65500 found in fingerprint
{9} [FTPMS] --  FTP service on 65500 is pretending to be Microsoft service


Of course the script is pretty strict so I've built in exclude/ignore
capability.  Here is that format:

$ cat awknowledged.npwn
a.b.0.0/16 WSD SSDP STCP NOPASSWD OLDTCPIP HTTP_PROXY SQUID SOHOHTTPD FTP SMTP HTTP MYSQL MSSQL MULTI_RADMIN NNTP 
IPHONE MANYPORTS OLD_MSFTP OLD_MSSMTP
e.f.128.0/17 WSD SSDP HTTP IPHONE OLDTCPIP
e.f.222.0/24 BADPORT
e.f.115.111 FTPFP
a.b.152.74 PWNZ HTTP


I hope you find the script useful.  Here's my big disclaimer though: I
wrote this script for our environment and it isn't release quality.
Some day I'll sit down and make it a quality open source project.
Until then, if you hack it to get it to work for you I'd appreciate it
if you sent useful changes back.

The first order of business would probably be to add XML parsing
ability so that the script isn't so fragile.

Brandon


Attachment: npwn.pl
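As an added example (not Brandon's npwn.pl, which the archive does not reproduce), here is a Python sketch of the two extraction approaches the thread discusses: pulling fingerprints for hosts with no osmatch out of -oX output, and grepping the "^OS:" lines out of -oN output. The Nmap XML and normal-output samples are constructed for illustration, as are the 192.0.2.x addresses.

```python
import re
import xml.etree.ElementTree as ET

# Constructed -oX fragment (requires -v or -d for <osfingerprint> to appear).
# Host .10 has an osmatch; host .20 has only a raw fingerprint.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><address addr="192.0.2.10" addrtype="ipv4"/>
    <os><osmatch name="Linux 2.6.X" accuracy="95"/>
        <osfingerprint fingerprint="OS:SCAN(V=4.68%D=6/19)&#10;OS:SEQ(SP=C9)"/></os></host>
  <host><address addr="192.0.2.20" addrtype="ipv4"/>
    <os><osfingerprint fingerprint="OS:SCAN(V=4.68%D=6/19)&#10;OS:SEQ(SP=FF)"/></os></host>
</nmaprun>"""

# Constructed -oN fragment showing the "OS:" continuation lines.
SAMPLE_NORMAL = """Nmap scan report for 192.0.2.20
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=4.68%D=6/19%OT=22%CT=1)
OS:SEQ(SP=FF%GCD=1)
Network Distance: 1 hop
"""


def unmatched_os_fingerprints(xml_text):
    """Return {addr: fingerprint} for hosts whose <os> has no <osmatch>.

    This is /nmaprun/host/os/osfingerprint/@fingerprint restricted to the
    hosts David describes as awkward to select: those lacking an osmatch.
    """
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.findall("host"):
        os_el = host.find("os")
        if os_el is None or os_el.find("osmatch") is not None:
            continue  # no OS data, or Nmap already matched it
        fp = os_el.find("osfingerprint")
        addr = host.find("address[@addrtype='ipv4']")
        if fp is not None and addr is not None:
            result[addr.get("addr")] = fp.get("fingerprint")
    return result


def os_fingerprint_lines(normal_text):
    """The grep '^OS:' approach applied to -oN output."""
    return [ln for ln in normal_text.splitlines() if re.match(r"^OS:", ln)]
```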

Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
