Re: [RFC] Output file option for capturing service and os fingerprints

["Michael Pattrick" <mpattrick () rhinovirus org>]

Hey tom,

I just noticed that Brandon already posted a script for this, but I
wrote one too! lol

It lists all unidentified OS fingerprints(or all fingerprints if the
scan was -v or -d) and all unidentified services.
It requires the latest Nmap::Parser[1] and the output is like this:

> perl getOS.pl scan.xml
IP: 10.0.0.2
SCAN(V=4.65%D=6/19%OT=14334%CT=%CU=42336%PV=Y%DS=1%G=N%M=0016D3%TM=485AFC95%P=x86_64-unknown-linux-gnu)
SEQ(SP=FA%GCD=1%ISR=103%TI=I%II=I%SS=S%TS=0)
OPS(O1=M5B4NW0NNT00NNS%O2=M5B4NW0NNT00NNS%O3=M5B4NW0NNT00%O4=M5B4NW0NNT00NNS%O5=M5B4NW0NNT00NNS%O6=M5B4NNT00NNS)
...snip...
IE(R=Y%DFI=S%T=80%TOSI=Z%CD=Z%SI=S%DLI=S)

Unidentified service, TCP port 14334:
SF-Port14334-TCP:V=4.65%I=7%D=6/19%Time=485AFC82%P=x86_64-unknown-linux-gnu%r(GetRequest,20,"\xbf\x13\xde
...snip...
SF:r\x88\x97a\x0c")%r(SIPOptions,20,"\xfc\xac\|\xf8\xa9\x04\x07\xa5\x20\x1
SF:c\x88\xbc7k\]\xd1\xf3\xa7\xa8\x90\xb3qE\?\x8d\xa4\

I hope this is what you were thinking of.

Cheers,
Michael

[1] http://nmapparser.wordpress.com/

On Thu, Jun 19, 2008 at 6:25 PM, Tom Sellers <nmap () fadedcode net> wrote:
> I have concept for a patch that I might try my hand at writing.
> Before I do this I want to make sure that the change is something
> that others would find useful and has a chance of being accepted.
>
> What I would like to do is add the ability to specify an output
> file on the command line that would be used to capture service
> and os fingerprints.  It would need to work in addition is any
> other requested output formats.
>
> In short what I have in mind is using a command like this:
>
> nmap -sV -O -R -oFP fingerprints.txt --append-output 192.168.1.1/24
> nmap -sV -O -R -oFP fingerprints.txt --append-output 192.168.2.1/24
>
> The goal would be to be able to scan multiple large network segments
> and then check the files for unidentified services and devices.
>
> I have some very basic c skills and looking at the code this change
> looks like something I might be able to do. For the service portion
> I think most of the changes would be in the program argument handling
> section in nmap.cc, the output header file, some changes around
> 822 in output.cc, and then making sure the file is closed properly.
>
> Any thoughts on this?  Oh, if there is already a simple way to do
> this please break out the clue stick and fill me in.
>
> Thanks,
>
> Tom
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://SecLists.Org

Attachment: getOS.pl
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org