Penetration Testing mailing list archives

Re: How to aggregate output of NMAP


From: Fyodor <fyodor () insecure org>
Date: Tue, 5 Feb 2002 19:54:18 -0800

On Tue, Feb 05, 2002 at 09:38:45PM +0100, Lodin, Steven {GZ-Q~Mannheim} wrote:

> Someone else mentioned Perl and gave a small code example.  If this
> is interesting to you, check out ndiff (Nmap diff).  I don't have
> the URL, but if I remember correctly, I found it from one of the
> nmap mailing list archives on www.insecure.org.

Ndiff was written by James Levine and is available at
http://www.vinecorp.com/ndiff/ .

Also, it sounds like the original poster had very simple needs, such
as obtaining a list of ftp or web servers.  The Nmap "grepable"
output mode may be sufficient.  The syntax is "-oG <filename>" and it
puts the most critical info about a host on a line like this:

Host: 127.0.0.1 (felix.insecure.org)    Ports: 22/open/tcp//ssh///, 53/open/tcp//domain///, 515/open/tcp//printer///, 6000/open/tcp//X11///    Ignored State: closed (1548)    OS: Linux Kernel 2.4.0 - 2.4.17 (X86)   Seq Index: 3696008    IPID Seq: All zeros

You can easily grep the file for ports like "/dtspc/" and OS strings like
"Solaris".  If there are a lot of results, you can obtain just the IPs
by piping them to standard shell commands like 'cut "-d " -f2'.

All this being said, I recommend the XML output mode (-oX) for more
involved analysis and feeding results to other nontrivial programs.
The XML also contains some info that I haven't found a place for in
the normal (or grepable) output formats.

Cheers,
Fyodor
http://www.insecure.org/
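
Added example, not part of the original message: a shell filter for "-oG" files that lists only hosts where a given service is on a port in the "open" state, which a plain grep for "/ftp/" cannot tell apart from filtered or closed entries. The function names and the sample hosts are constructed for illustration; the field order (port/state/protocol//service) is read off the sample line in the message above.

```shell
#!/bin/sh
# hosts_with_service SERVICE < file.gnmap
# Print the IP of each host that has SERVICE listed on an open port.
hosts_with_service() {
    awk -v svc="$1" '
    /^Host: / {
        start = index($0, "Ports: ")
        if (start == 0) next              # status-only line, no port list
        ports = substr($0, start + 7)
        sub(/\t.*/, "", ports)            # drop later tab-separated fields
        n = split(ports, entry, ",")
        for (i = 1; i <= n; i++) {
            sub(/^ +/, "", entry[i])
            split(entry[i], f, "/")       # port/state/proto/owner/service/...
            # f[1] must be numeric so trailing text such as an OS string
            # (when fields are space-separated, as in the mail) is skipped
            if (f[1] ~ /^[0-9]+$/ && f[2] == "open" && f[5] == svc) {
                print $2                  # same field as: cut "-d " -f2
                break                     # one line of output per host
            }
        }
    }'
}

# Constructed sample input (documentation addresses, not real scan results).
sample_scan() {
    printf 'Host: 192.0.2.10 (a.example)\tPorts: 21/open/tcp//ftp///, 80/open/tcp//http///\n'
    printf 'Host: 192.0.2.11 ()\tPorts: 21/filtered/tcp//ftp///, 22/open/tcp//ssh///\n'
    printf 'Host: 192.0.2.12 ()\tPorts: 2121/open/tcp//ftp///\tIgnored State: closed (1548)\n'
    printf 'Host: 192.0.2.13 ()\tStatus: Up\n'
    printf 'Host: 192.0.2.14 (d.example)    Ports: 22/open/tcp//ssh///, 6000/open/tcp//X11///    Ignored State: closed (1548)\n'
}

# 192.0.2.11 is left out: its ftp port is filtered, not open.
sample_scan | hosts_with_service ftp
```

Against a real scan, run it as: hosts_with_service ftp < results.gnmap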
