Nmap Development mailing list archives

using previously discovered hosts, ports, and services?


From: Royce Williams <royce () techsolvency com>
Date: Tue, 29 Apr 2014 22:09:13 -0800

What is the simplest way to use existing lists of IP:port sets for use
with multiple separate runs of service discovery, or recycling
existing IP:port:service sets for use with multiple script runs?

Ideally, it would be great to be able to pass a 'grepable'-style
host/port file straight to -iL, and have nmap DWIM, skip discovery,
and go straight to service detection.  If services were also supplied,
nmap could go straight to running requested scripts.

Details and use cases follow.

I would like to do something like the following:

1. Run a simple host and port discovery, saving the results.

2. Feed discovery results from #1 into various levels of service
detection until I find the combination that I need, then run that
service detection against the entire corpus. Save the results.

3. Feed service detection results from #2 into various scripts as needed.

I know that I can feed a list of discovered IPs to nmap, which would
accomplish part of the goal, but I don't think that I can also pass a
list of which specific ports were discovered for each IP, as in:

192.0.2.1:80
192.0.2.1:443
192.0.2.2:389
192.0.2.4:5900
... etc.

I've also read up on '--resume', but it sounds like it would not
provide the granular control that I'm looking for.  It won't let me
decide to use a different script, or easily combine sets of discovered
hosts and ports, or easily repurpose existing discovery data.

I would also like to be able to combine multiple host/port sets,
including "pre-discovered" data from non-nmap sources, into a single
corpus.

This would also be great to "prime the pump" for service detection by
using output from a previous run.  Nmap could quickly verify existing
hosts, ports and services, and fall back to the general discovery and
detection routines if there's a mismatch.  (Could this improve
performance for re-scanning existing networks?)

If there's no direct support for reusing discovery, is it possible to
construct an artificial log file (for use with --resume) that
accomplishes the same result?  (The 'grepable' format looks simplest,
and I could write a script that would convert other data into grepable
format.)  Or could I do an ordinary host/port/service run, save the
logfile off, and then modify the logfile to let me "resume" at the
point that a script would have started?

If there is already a way to do this, please let me know which search
terms would have turned it up.  Otherwise, please consider this a
feature request. :-)

Royce
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
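One way to build the combined "pre-discovered" corpus the post describes and turn it into targeted runs that skip discovery, as an added example that is not part of this thread or of nmap itself: it parses -oG (grepable) output and plain ip:port lines, merges them, and emits one `nmap -Pn -sV -p <ports> <hosts>` command per distinct port set. The sample inputs are constructed, and the function names are this example's own.

```python
import ipaddress
from collections import defaultdict

# Constructed sample inputs for the demo; not output from a real scan.
GREPABLE = (
    "# Nmap 6.40 scan initiated (constructed sample)\n"
    "Host: 192.0.2.1 ()\tStatus: Up\n"
    "Host: 192.0.2.1 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, "
    "25/filtered/tcp//smtp///\tIgnored State: closed (997)\n"
    "Host: 192.0.2.2 ()\tPorts: 389/open/tcp//ldap///\n"
)
IP_PORT_LIST = "192.0.2.1:8080\n192.0.2.4:5900\n# comment\n192.0.2.1:80\n"

def parse_grepable(text):
    """Return {ip: set(ports)} from -oG output, keeping only open TCP ports."""
    corpus = defaultdict(set)
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")          # -oG fields are tab separated
        ip = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                port, state, proto = entry.split("/")[:3]
                if state == "open" and proto == "tcp":
                    corpus[ip].add(int(port))
    return dict(corpus)

def parse_ip_port(text):
    """Return {ip: set(ports)} from 'ip:port' lines; blank and '#' lines are skipped."""
    corpus = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, port = line.rsplit(":", 1)
        ipaddress.ip_address(ip)           # raises ValueError on a malformed address
        corpus[ip].add(int(port))
    return dict(corpus)

def merge(*sources):
    """Union several {ip: set(ports)} maps into one corpus."""
    corpus = defaultdict(set)
    for src in sources:
        for ip, ports in src.items():
            corpus[ip] |= ports
    return dict(corpus)

def nmap_commands(corpus, extra_args="-sV"):
    """One command per distinct port set: -Pn skips discovery, -p limits it to known ports."""
    groups = defaultdict(list)
    for ip, ports in corpus.items():
        groups[tuple(sorted(ports))].append(ip)
    return [f"nmap -Pn {extra_args} -p {','.join(map(str, ports))} "
            + " ".join(sorted(ips, key=ipaddress.ip_address))
            for ports, ips in sorted(groups.items())]
```

Swap `extra_args` for a `--script` selection to reuse the same corpus for script runs.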

