Nmap Development mailing list archives
Re: [RFC] Output file option for capturing service and os fingerprints
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Thu, 19 Jun 2008 23:51:10 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 19 Jun 2008 17:17:34 -0600 David Fifield <david () bamsoftware com> wrote:

> On Thu, Jun 19, 2008 at 05:25:56PM -0500, Tom Sellers wrote:
> > What I would like to do is add the ability to specify an output file on
> > the command line that would be used to capture service and os
> > fingerprints. It would need to work in addition to any other requested
> > output formats.
> >
> >   nmap -sV -O -R -oFP fingerprints.txt --append-output 192.168.1.1/24
> >   nmap -sV -O -R -oFP fingerprints.txt --append-output 192.168.2.1/24
> >
> > The goal would be to be able to scan multiple large network segments and
> > then check the files for unidentified services and devices. Any thoughts
> > on this? Oh, if there is already a simple way to do this please break out
> > the clue stick and fill me in.
>
> OS fingerprints are in XML output if you use -v or -d. You can find them
> with the XPath expression /nmaprun/host/os/osfingerprint/@fingerprint.
> Admittedly it would be awkward to find just unmatched OSes, because you
> would have to find hosts for which there is no osmatch element, and then
> extract the fingerprint.
>
> OS fingerprints are also in -oN output. You can just grep them out with
> "^OS:".
>
> Or did you have something else in mind?
>
> David Fifield
Hi David, Tom;

I have a hacked up perl script that provides this output as one of its
options (attached). The script reads Nmap "normal" text output and *not*
XML. I've wanted to add XML support but just haven't felt a pressing need
to actually do so.

To grab out a bunch of fingerprints and print them in a slightly more
human-friendly form do something like this:

  $ ./npwn.pl -p -f ~/flexmap/log/report_a.b.174.168.nmap
  a.b.174.168:12346 NULL -> ERROR: Too many log clients attached

Npwn will take a directory instead of a file if you'd like and output the
entire pile of fingerprints.

Fingerprint output is actually secondary to the primary goal of detecting
compromised machines by an Nmap scan. The script has scaled just fine to
accommodate our rather large network. For a directory example against
192,000 individual .nmap files:

  $ time ./npwn.pl -P -d ~/flexmap/log/ | egrep -v '^$' | wc
    34329  454950 8055630

  real    0m20.860s
  user    0m14.144s
  sys     0m6.375s

Here is typical compromised host detection output:

  a.b.c.d (dyn-c-d.ucsd.edu):
  - - -------------------------------------------------------------------------------
  {5}  [FTPFP]    -- FTP server on 65500 found in fingerprint
  {8}  [FTPUPTIME] -- FTP uptime reported on 65500 found in fingerprint
  {9}  [FTPMS]    -- FTP service on 65500 is pretending to be Microsoft service
  {10} [HACKED]   -- Hacked boasting on 65500 found in fingerprint

  e.f.g.h (ip###.ucsd.edu):
  - - -------------------------------------------------------------------------------
  {5}  [FTPFP]    -- FTP server on 3388 found in fingerprint
  {5}  [FTPFP]    -- FTP server on 65500 found in fingerprint
  {9}  [FTPMS]    -- FTP service on 65500 is pretending to be Microsoft service

Of course the script is pretty strict so I've built in exclude/ignore
capability. Here is that format:

  $ cat awknowledged.npwn
  a.b.0.0/16 WSD SSDP STCP NOPASSWD OLDTCPIP HTTP_PROXY SQUID SOHOHTTPD FTP SMTP HTTP MYSQL MSSQL MULTI_RADMIN NNTP IPHONE MANYPORTS OLD_MSFTP OLD_MSSMTP
  e.f.128.0/17 WSD SSDP HTTP IPHONE OLDTCPIP
  e.f.222.0/24 BADPORT
  e.f.115.111 FTPFP
  a.b.152.74 PWNZ HTTP

I hope you find the script useful. Here's my big disclaimer though: I wrote
this script for our environment and it isn't release quality. Some day
I'll sit down and make it a quality open source project. Until then if you
hack it to get it to work for you I'd appreciate it if you sent useful
changes back. The first order of business would probably be to add XML
parsing ability so that the script isn't so fragile.

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAkha8PQACgkQqaGPzAsl94IAhgCgnj5pmEQF/WuRi4S3LOczr5C6
7qcAoKQBNsGg75Jo7JClo3z+4t1L7UFe
=923Y
-----END PGP SIGNATURE-----
Attachment: npwn.pl
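The two approaches discussed in this thread, David's XPath/grep extraction of OS fingerprints (including the awkward "unmatched hosts only" case) and the network/code acknowledgement list that npwn.pl reads, as an added worked example in Python. This is not npwn.pl and not Nmap project code; the XML element and attribute names (nmaprun, host, os, osmatch, osfingerprint/@fingerprint) are those named in the thread, the Nmap XML and normal-output samples and the acknowledgement list are constructed for the example, and the "Interesting ports on" / "Nmap scan report for" host header lines that the normal-output parser keys on are an assumption about the -oN layout.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML (-oX with -v): one host with an osmatch,
# one with only an osfingerprint (unmatched), one with no OS data at all.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -v -oX - 192.0.2.0/29" version="4.68">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
<os><osmatch name="Linux 2.6.X" accuracy="98" line="1"/>
<osfingerprint fingerprint="OS:SCAN(V=4.68%D=6/19%OT=22%CT=1)&#xA;OS:SEQ(SP=C4%GCD=1)"/></os></host>
<host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
<os><osfingerprint fingerprint="OS:SCAN(V=4.68%D=6/19%OT=80%CT=1)&#xA;OS:SEQ(SP=10%GCD=1)"/></os></host>
<host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/></host>
</nmaprun>
"""

# Constructed sample of Nmap normal output (-oN) for the same two hosts.
SAMPLE_NORMAL = """\
Interesting ports on 192.0.2.11:
PORT   STATE SERVICE
80/tcp open  http
No OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=4.68%D=6/19%OT=80%CT=1)
OS:SEQ(SP=10%GCD=1)

Interesting ports on 192.0.2.10:
PORT   STATE SERVICE
22/tcp open  ssh
OS details: Linux 2.6.9 - 2.6.25
TCP/IP fingerprint:
OS:SCAN(V=4.68%D=6/19%OT=22%CT=1)
OS:SEQ(SP=C4%GCD=1)
"""

# Constructed acknowledgement list in the awknowledged.npwn layout:
# "<network-or-host> <CODE> <CODE> ...", one entry per line.
SAMPLE_ACK = """\
192.0.2.0/28 HTTP FTP
192.0.2.11 FTPFP
"""


def unmatched_os_fingerprints(xml_text):
    """Return [(addr, fingerprint)] for hosts that carry an <osfingerprint>
    but no <osmatch>: the XPath from the thread restricted to unmatched hosts."""
    results = []
    for host in ET.fromstring(xml_text).findall("host"):
        os_el = host.find("os")
        if os_el is None or os_el.find("osmatch") is not None:
            continue  # no OS data, or Nmap matched it: nothing to review
        fp = os_el.find("osfingerprint")
        if fp is None:
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        results.append((addr, fp.get("fingerprint")))
    return results


# Assumed host header lines of -oN output (older and newer wording).
HOST_RE = re.compile(r"^(?:Nmap scan report for|Interesting ports on) (.+?):?$")


def normal_output_fingerprints(text):
    """Group the "OS:" lines of -oN output by host (the grep "^OS:" from the
    thread, plus which host they belong to and whether Nmap matched an OS)."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {"fingerprint": "", "matched": True}
        elif current and line.startswith("No OS matches for host"):
            hosts[current]["matched"] = False
        elif current and line.startswith("OS:"):
            entry = hosts[current]
            entry["fingerprint"] += ("\n" if entry["fingerprint"] else "") + line
    return hosts


def parse_ack_list(text):
    """Parse acknowledgement entries into [(network, {codes})]; a bare host
    address is treated as a /32 network."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        entries.append((ipaddress.ip_network(parts[0], strict=False), set(parts[1:])))
    return entries


def is_acknowledged(entries, addr, code):
    """True if any acknowledgement entry covering addr lists the check code."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net and code in codes for net, codes in entries)


if __name__ == "__main__":
    for addr, fp in unmatched_os_fingerprints(SAMPLE_XML):
        print(f"{addr} unmatched OS fingerprint:\n{fp}")
    for addr, info in normal_output_fingerprints(SAMPLE_NORMAL).items():
        print(addr, "matched" if info["matched"] else "UNMATCHED", repr(info["fingerprint"]))
    ack = parse_ack_list(SAMPLE_ACK)
    for addr, code in [("192.0.2.11", "FTPFP"), ("192.0.2.11", "HTTP"), ("192.0.2.200", "HTTP")]:
        print(addr, code, "acknowledged" if is_acknowledged(ack, addr, code) else "REPORT")
```

The XML path is the robust one: the unmatched decision is made on the presence of an osmatch element rather than on prose in the text output, which is the fragility Brandon mentions for a normal-output parser. The acknowledgement matcher uses longest-irrelevant CIDR containment, so a broad /16 entry silences a code for every host inside it; keep entries as narrow as possible so a new compromise inside an acknowledged range is not hidden.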