Manage Your ASSets: NMAP Automation


The first step of a vulnerability management program is maintaining an asset inventory. In order to keep software up-to-date, you need to know what software is there. Even if you have good change management practices, you still have the occasional rogue server or service at best and a hacked server with a rootkit and backdoor at worst.

I’ve set up an automated, weekly nmap scan that runs, compares the results against the previous week’s scan, and emails me with what has changed on my network. Attached to the email is the nmap output so I can dive deeper if something suspicious appears in the changes.

Weekly Email

Tools

Nmap, or Network Mapper, is a security scanner used to discover hosts and services on a computer network, thus creating a “map” of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host and then analyzes the responses.

One of the scripts installed with Nmap is Ndiff. It is a tool that compares two Nmap scans. Specifically, it takes two Nmap XML output files and prints the differences between them. This shows you hosts coming up and down and ports becoming open or closed. Fyodor’s NMAP Book has a simple script that I’ve altered and automated using cron.

The Script

This script lives in my home directory.

#!/bin/sh
# scans "TARGETS" with nmap
# compares with previous scan using ndiff
# emails results

#variables
TARGETS="x.x.1.0/24 x.x.11.0/24 x.x.88.0/24"
OPTIONS="-v -T3 -F -sV --datadir /home/pubal/nmap"
date=`date +%F`

#where to put scans (abort rather than scan into the wrong directory)
cd /home/pubal/scans || exit 1

#scan
nmap $OPTIONS $TARGETS -oA scan-$date > /dev/null

#compare scans (skipped on the very first run, when no previous scan exists)
if [ -e scan-prev.xml ]; then
ndiff scan-prev.xml scan-$date.xml > diff-$date
echo "*** NDIFF RESULTS ***"
cat diff-$date
echo
fi
echo "*** NMAP RESULTS ***"
cat scan-$date.nmap
ln -sf scan-$date.xml scan-prev.xml

#email results
/home/pubal/email/smtp-cli.pl --host smtp.gmail.com --port 587 --from pubal@gmail.com --to pubal@company.org --subject "External Nmap Diff" --body-plain=/home/pubal/scans/diff-$date --attach=/home/pubal/scans/scan-$date.xml

I configured cron to run this script every weekend.

pubal@sectools:~$ crontab -l

0 1 * * 6 /home/pubal/nmap/network_diff.sh
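The comparison step of the script relies on ndiff. As an added example (my own code, not from the original post or the Nmap project), the Python below reimplements the core of that comparison: it reads two Nmap XML outputs and lists hosts that appeared or vanished and ports that opened or closed between them. The two XML documents are constructed samples in the format nmap writes with -oX, and names such as scan_diff are my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample scans in Nmap's -oX format (not real scan output).
PREV_XML = """<?xml version="1.0"?><nmaprun>
<host><status state="up"/><address addr="10.0.1.5" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
 <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
</ports></host>
<host><status state="up"/><address addr="10.0.1.9" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
</ports></host></nmaprun>"""

CURR_XML = """<?xml version="1.0"?><nmaprun>
<host><status state="up"/><address addr="10.0.1.5" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
 <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
 <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
</ports></host>
<host><status state="up"/><address addr="10.0.1.20" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
</ports></host></nmaprun>"""


def open_ports(xml_text):
    """Map each host that was up to the set of (proto, port, service) it had open."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        ports = set()
        for port in host.iter("port"):
            if port.find("state").get("state") == "open":
                svc = port.find("service")
                ports.add((port.get("protocol"), int(port.get("portid")),
                           svc.get("name") if svc is not None else ""))
        hosts[addr] = ports
    return hosts


def scan_diff(prev_xml, curr_xml):
    """Change set between two scans: hosts that appeared/vanished, ports opened/closed."""
    prev, curr = open_ports(prev_xml), open_ports(curr_xml)
    changes = {"new_hosts": sorted(set(curr) - set(prev)),
               "gone_hosts": sorted(set(prev) - set(curr)),
               "opened": [], "closed": []}
    for addr in sorted(set(prev) & set(curr)):   # hosts present in both scans
        changes["opened"] += [(addr,) + p for p in sorted(curr[addr] - prev[addr])]
        changes["closed"] += [(addr,) + p for p in sorted(prev[addr] - curr[addr])]
    return changes
```

Feeding it scan-prev.xml and scan-$date.xml from the script above gives the same kind of change list the weekly email carries, in a form a script can act on (for instance, alerting only when a new host or a newly opened port shows up).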

More Fun NMAP Tricks

Nmap is a free and extremely useful tool. If you want other tips, pick up the Nmap book!

Other Sources

NMAP
SANS Critical Security Controls
Useful Email Command Line Script
