Penetration Testing mailing list archives
Re: How to aggregate output of NMAP
From: Vladimir Parkhaev <vladimir () arobas net>
Date: Tue, 5 Feb 2002 18:33:50 -0500
Quoting Lodin, Steven {GZ-Q~Mannheim} (STEVEN.LODIN () Roche COM):
Someone else mentioned Perl and gave a small code example. If this is interesting to you, check out ndiff (Nmap diff). I don't have the URL, but if I remember correctly, I found it from one of the nmap mailing list archives on www.insecure.org.
I mailed this to the original poster... It does what I think he wanted....

#########################################################################
#!/usr/bin/perl -w

$NmapLog = './bla';
$look4 = qr/ftp|http|echo/;
#           ^^^^^^^^^
#  add more services you want to create summary for

open (IN, $NmapLog) or die "open $NmapLog err: $!\n";
while (<IN>) {
    chomp;
    # remember the address from the most recent per-host header line
    $ip = $1 if /^Interesting\sports\s.*\((.*)\):/;
    # file the current address under whichever service name matched
    push @{$phash{$&}}, $ip if /$look4/;
}
close IN;

foreach ( keys %phash ) {
    $num = scalar @{$phash{$_}};
    # '' rather than undef for the singular case, so -w stays quiet
    print "\'$_\' open on $num server", (($num == 1)? '' : 's'), " : ",
          (join ', ' , @{$phash{$_}}), "\n";
}
#########################################################################
I think I would use a combination of grep/cut/sort/uniq/wc for the how many part. One question you didn't ask is "what are the web servers". For this, I use Whisker to classify the web servers. Any better options?
Sure. Well, I REALLY feel like writing perl code today....

#########################################################################
#!/usr/bin/perl -w
use IO::Socket;

$|++;
$net = '192.168.121'; # modify here if you are scanning a class B
$SIG{ALRM} = sub { die 'TimeouT'; };

foreach $ip (1..254) {
    $host = $net . '.' . $ip; # modify here as well if you are scanning a class B
    $sock = IO::Socket::INET->new ( PeerAddr => $host,
                                    PeerPort => 80,
                                    Timeout  => 2,
                                    Proto    => 'tcp' ) or next;
    $sock->autoflush(1);
    alarm 5; # set alarm for braindead IIS servers
    eval {
        print $sock 'GET / HTTP/1.1' . "\015\012" x 2;
        while ( <$sock> ) {
            last if /^\s*$/; # blank line ends the headers, skip the body
            if ( /^Server: /i ) {
                s/\s+$//g;
                printf "%-15s %-50s\n", $host, $_;
            }
        }
    };
    alarm 0; # always cancel the alarm, whether or not the eval died
    if ( $@ ) { # check for status of eval
        ($@ =~ /TimeouT/)? warn "Timedout while talking to $host, braindead IIS?\n"
                         : warn "eval failed (host $host): $@\n";
    }
    close $sock;
}
#########################################################################
Another thought came to me... Perhaps the scanssh program has some summarization code in it as well that could be reused...
Nah. Just roll your own :)

--
print chr hex for qw + 2D 2D 0A 76 6C 61 64 69 6D 69 72 40 61 72 6F 62 61 73 2E 6E 65 74 0A 44 38 37 44 20 44 32 46 42 20 46 31 36 33 20 46 31 43 31 20 34 32 30 41 20 20 31 44 31 46 20 36 43 42 39 20 31 46 38 39 20 38 35 30 42 20 30 38 44 44 0A +;
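
Added example, not part of the original thread: the grep/cut/sort/uniq/wc idea mentioned above, written as a shell pipeline that matches on the State and Service columns, so only ports reported as open are counted and a service name inside a hostname is ignored. The function names and the sample scan text are constructed, and the layout (an "Interesting ports on name (address):" header followed by Port/State/Service columns) is an assumption based on the header the posted regex matches.

```shell
# Added example: hosts per open service from Nmap normal output (reads stdin).
LC_ALL=C; export LC_ALL   # stable, byte-wise sort order

# Constructed sample; the layout is an assumption, not real scan output.
write_sample() {
    cat <<'EOF'
Interesting ports on www1.example.test (192.168.121.10):
Port       State       Service
21/tcp     open        ftp
80/tcp     open        http
Interesting ports on ftp-old.example.test (192.168.121.11):
Port       State       Service
21/tcp     filtered    ftp
25/tcp     open        smtp
Interesting ports on  (192.168.121.12):
Port       State       Service
80/tcp     open        http
8080/tcp   open        http-proxy
EOF
}

# Emit unique "service<TAB>address" pairs for ports whose State is "open".
# sort -u collapses one service seen on several ports of the same host.
open_pairs() {
    awk '
        /^Interesting ports on / {
            ip = $0
            sub(/^.*\(/, "", ip)   # drop everything up to the last "("
            sub(/\).*$/, "", ip)   # drop ")" and the rest of the line
            next
        }
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $3 "\t" ip }
    ' | sort -u
}

# Print "count service" lines, most widespread service first.
service_counts() {
    open_pairs | cut -f1 | sort | uniq -c |
        awk '{ print $1, $2 }' | sort -k1,1nr -k2,2
}

# Print the addresses exposing service $1, comma-separated.
hosts_for() {
    open_pairs | awk -F'\t' -v svc="$1" '$1 == svc { print $2 }' | paste -sd, -
}

write_sample | service_counts
write_sample | hosts_for http
```

Feed a saved scan with `service_counts < scan.txt`, where `scan.txt` is a placeholder file name.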