Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Nmap Network Exploration and Security Auditing Cookbook, Third Edition

You're reading from   Nmap Network Exploration and Security Auditing Cookbook, Third Edition Network discovery and security scanning at your fingertips

Arrow left icon
Product type Paperback
Published in Sep 2021
Publisher Packt
ISBN-13 9781838649357
Length 436 pages
Edition 3rd Edition
Languages
Tools
Arrow right icon
Author (1):
Arrow left icon
Paulino Calderon Paulino Calderon
Author Profile Icon Paulino Calderon
Paulino Calderon
Arrow right icon
View More author details
Toc

Table of Contents (22) Chapters Close

Preface 1. Chapter 1: Nmap Fundamentals 2. Chapter 2: Getting Familiar with Nmap's Family FREE CHAPTER 3. Chapter 3: Network Scanning 4. Chapter 4: Reconnaissance Tasks 5. Chapter 5: Scanning Web Servers 6. Chapter 6: Scanning Databases 7. Chapter 7: Scanning Mail Servers 8. Chapter 8: Scanning Windows Systems 9. Chapter 9: Scanning ICS/SCADA Systems 10. Chapter 10: Scanning Mainframes 11. Chapter 11: Optimizing Scans 12. Chapter 12: Generating Scan Reports 13. Chapter 13: Writing Your Own NSE Scripts 14. Chapter 14: Exploiting Vulnerabilities with the Nmap Scripting Engine 15. Other Books You May Enjoy Appendix A: HTTP, HTTP Pipelining, and Web Crawling Configuration Options 1. Appendix Β: Brute-Force Password Auditing Options 2. Appendix C: NSE Debugging 3. Appendix D: Additional Output Options 4. Appendix Ε: Introduction to Lua 5. Appendix F: References and Additional Reading

Monitoring servers remotely with Nmap and Ndiff

By using tools from the Nmap project, we can set up a simple but effective monitoring system. Because our monitoring system will depend on Nmap, we can monitor not only open ports but any information the Nmap Scripting Engine can gather. To detect changes on the network, we will need to compare the results of two scans: the base or known good state and the current scan result. Consider the ports that you know that must be open as your base state.

Ndiff was designed to address the issues of using the traditional diff command with two Nmap scan results in XML format. It compares the files by removing false positives introduced by dynamic fields such as timestamps and producing a more human-friendly output.

This recipe describes how to use Bash scripting, cron, Nmap, and Ndiff to set up a monitoring system that alerts by email if changes are detected in a network or host.

Getting ready

In this recipe, we assume the system has been configured to send email via the mail command. If you would like to change the notification method, you simply need to update the Bash script and replace the mail command according to your preferred notification method. For example, you could use curl to make an HTTP request to your favorite social network or run a script that restarts the service.

How to do it...

To set up a simple monitoring system with Nmap, we are going to need to do a few things:

  1. Create the /usr/local/share/nmap-mon/ directory (or whatever location you prefer) to store all the files required for our monitoring system.
  2. Scan your targets and save the result in XML format in the directory that you just created:
    # nmap -oX base_results.xml -sV -n <target>

    The resulting base_results.xml file will be used as your base file, meaning that it should reflect the known good state of your network or host.

  3. Create the nmap-mon.sh file in the directory you created earlier and paste the following code:
    #!/bin/bash
    #Bash script to email admin when changes are detected in a network using Nmap and Ndiff.
    #
    #Don't forget to adjust the CONFIGURATION variables.
    #Paulino Calderon <calderon@websec.mx>
    #
    #CONFIGURATION
    # 
    NETWORK="YOURTARGET" 
    ADMIN=YOUR@EMAIL.COM
    NMAP_FLAGS="-n -sV"
    BASE_PATH=/usr/local/share/nmap-mon/ 
    BIN_PATH=/usr/local/bin/ 
    BASE_FILE=base.xml 
    NDIFF_FILE=ndiff.log 
    NEW_RESULTS_FILE=newscanresults.xml 
    BASE_RESULTS="$BASE_PATH$BASE_FILE"
    NEW_RESULTS="$BASE_PATH$NEW_RESULTS_FILE" 
    NDIFF_RESULTS="$BASE_PATH$NDIFF_FILE"
    if [ -f $BASE_RESULTS ] then
      echo "Checking host $NETWORK"
      ${BIN_PATH}nmap -oX $NEW_RESULTS $NMAP_FLAGS $NETWORK
      ${BIN_PATH}ndiff $BASE_RESULTS $NEW_RESULTS > $NDIFF_RESULTS
      if [ $(cat $NDIFF_RESULTS | wc -l) -gt 0 ] then
        echo "Network changes detected in $NETWORK" 
        cat $NDIFF_RESULTS
        echo "Alerting admin $ADMIN"
        mail -s "Network changes detected in $NETWORK" $ADMIN < $NDIFF_RESULTS
      fi
    fi
  4. Update the configuration values in the previous Bash script according to your system and needs:
    NETWORK="YOURTARGET" 
    ADMIN=YOUR@EMAIL.COM 
    NMAP_FLAGS="-sV -n -p-"
    BASE_PATH=/usr/local/share/nmap-mon/ 
    BIN_PATH=/usr/local/bin/ 
    BASE_FILE=base.xml 
    NDIFF_FILE=ndiff.log 
    NEW_RESULTS_FILE=newscanresults.xml
  5. Make nmap-mon.sh executable by entering the following command:
    # chmod +x /usr/local/share/nmap-mon/nmap-mon.sh
  6. Now run the nmap-mon.sh script to make sure it is working correctly:
    # /usr/local/share/nmap-mon/nmap-mon.sh
  7. Launch your crontab editor to automatically execute the script periodically:
    # crontab -e
  8. Add the following command:
    0 * * * * /usr/local/share/nmap-mon/nmap-mon.sh

You should now receive email alerts when Ndiff detects a change in your network.

How it works...

Ndiff is a tool for comparing two Nmap scans. Think about the traditional diff but for Nmap scan reports. With some help from Bash and cron, we set up a task that is executed at regular intervals to scan our network and compare our current state with an older state, to identify the differences between them. We used some basic Bash scripting to execute our monitoring scan and then executed Ndiff to compare the results:

if [ $(cat $NDIFF_RESULTS | wc -l) -gt 0 ] then
  echo "Network changes detected in $NETWORK"
  cat $NDIFF_RESULTS
  echo "Alerting admin $ADMIN"
  mail -s "Network changes detected in $NETWORK" $ADMIN < $NDIFF_RESULTS 
fi

There's more...

You can adjust the interval between scans by modifying the cron line:

0 * * * * /usr/local/share/nmap-mon/nmap-mon.sh

To update your base file, you simply need to overwrite your base file located at /usr/local/share/nmap-mon/. Remember that when we change the scan parameters to create our base file, we need to update them in nmap-mon.sh too.

Monitoring specific services

To monitor specific services, you need to update the scan parameters in nmap-mon.sh:

NMAP_FLAGS="-sV -Pn"

For example, if you would like to monitor a web server, you may use the following command:

NMAP_FLAGS="-sV --script http-google-safe -Pn -p80,443"

These options limit port scanning to ports 80 and 443; run the http-google-safe script to check whether your web server has been marked as malicious by the Google Safe Browsing service.

You have been reading a chapter from
Nmap Network Exploration and Security Auditing Cookbook, Third Edition - Third Edition
Published in: Sep 2021
Publisher: Packt
ISBN-13: 9781838649357
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at R$50/month. Cancel anytime