Re: How to aggregate output of NMAP

[Vladimir Parkhaev <vladimir () arobas net>]

Quoting Lodin, Steven {GZ-Q~Mannheim} (STEVEN.LODIN () Roche COM):
> Someone else mentioned Perl and gave a small code example.  If this is interesting to you, check out ndiff (Nmap 
> diff).  I don't have the URL, but if I remember correctly, I found it from one of the nmap mailing list archives on 
> www.insecure.org.

I mailed this to the original poster... It does what I think he wanted....

#########################################################################

#!/usr/bin/perl -w

$NmapLog = './bla';
$look4   = qr/ftp|http|echo/;
#                 ^^^^^^^^^
# add more sevices you want to create summary for

open (IN, $NmapLog) or die "open $NmapLog err: $!\n";
while (<IN>) {
  chomp;
  $ip = $1 if /^Interesting\sports\s.*\((.*)\):/;
  push @{$phash{$&}}, $ip if /$look4/;
}
close IN;

foreach ( keys %phash ) {
  $num = scalar @{$phash{$_}};
  print "\'$_\' open on $num server", (($num == 1)? undef : 's'),
        " : ", (join ', ' , @{$phash{$_}}), "\n";
}

#########################################################################


> I think I would use a combination of grep/cut/sort/uniq/wc for the how many part.  One question you didn't ask is 
> "what are the web servers".  For this, I use Whisker to classify the web servers.  Any better options?

Sure. Well, I REALY feel like writing perl code today....


#########################################################################

#!/usr/bin/perl -w
use IO::Socket;
$|++;

$net = '192.168.121';
# modify here if you scaning class B

$SIG{ALRM} = sub { die 'TimeouT'; };

foreach $ip (1..254) {
  $host = $net . '.' . $ip;
# modify here as well if you scaning class B
  $sock = IO::Socket::INET->new ( PeerAddr => $host,
                                  PeerPort => 80,
                                  Timeout  => 2,
                                  Proto    => 'tcp' ) or next;
  $sock->autoflush(1);

  alarm 5;   # set alarm for braindead IIS servers
  eval {      
     print $sock 'GET / HTTP/1.1' . "\015\012" x 2;
     while ( <$sock> ) {
       if ( /Server: /i ) {
          s/\s+$//g;
          printf "%-15s %-50s\n", $host, $_;
       }
     }
     alarm 0;
  };

  if ( $@ ) {              # check for status of eval
     ($@ =~ /TimeouT/)? warn "Timedout while talking to $host, braindead IIS?\n"
                      : warn "eval failed (host $host):$!\n";
  }
  else {
    alarm 0;
  }
  close $sock;
}

#########################################################################


> Another thought came to me...  Perhaps the scanssh program has some summarization code in it as well that could be 
> reused...

Nah. Just roll your own :)

--
print chr hex for qw +
2D 2D 0A 76 6C 61 64 69 6D 69 72 40 61 72 6F 62 61 73 2E 6E 65 74 0A 44 38
37 44 20 44 32 46 42 20 46 31 36 33 20 46 31 43 31 20 34 32 30 41 20 20 31
44 31 46 20 36 43 42 39 20 31 46 38 39 20 38 35 30 42 20 30 38 44 44 0A +;

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/