The first step of a vulnerability management program is maintaining an asset inventory. In order to keep software up-to-date, you need to know what software is there. Even if you have good change management practices, you still have the occasional rogue server or service at best and a hacked server with a rootkit and backdoor at worst.
I’ve set up an automated, weekly nmap scan that runs, compares the results against the previous week’s scan, and emails me with what has changed on my network. Attached to the email is the nmap output so I can dive deeper if something suspicious appears in the changes.
Nmap, or Network Mapper, is a security scanner used to discover hosts and services on a computer network, thus creating a “map” of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host and then analyzes the responses.
One of the scripts installed with Nmap is Ndiff. It is a tool that compares two Nmap scans. Specifically, it takes two Nmap XML output files and prints the differences between them. This shows you hosts coming up and down and ports becoming open or closed. Fyodor’s NMAP Book has a simple script that I’ve altered and automated using cron.
This script lives in my home directory.
# scans “TARGETS” with nmap
# compares with previous scan using ndiff
# emails results
TARGETS=”x.x.1.0/24 x.x.11.0/24 x.x.88.0/24″
OPTIONS=”-v -T3 -F -sV –datadir /home/pubal/nmap”
#where to put scans
nmap $OPTIONS $TARGETS -oA scan-$date > /dev/null
if [ -e scan-prev.xml ]; then
ndiff scan-prev.xml scan-$date.xml > diff-$date
echo “*** NDIFF RESULTS ***”
echo “*** NMAP RESULTS ***”
ln -sf scan-$date.xml scan-prev.xml
/home/pubal/email/smtp-cli.pl –host smtp.gmail.com –port 587 –from email@example.com –to firstname.lastname@example.org –subject “External Nmap Diff” –body-plain=/home/pubal/scans/diff-$date –attach=/home/pubal/scans/scan-$date.xml
I configured cron to run this script every weekend.
pubal@sectools:~$ crontab -l
0 1 * * 6 /home/pubal/nmap/network_diff.sh