Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Nmap: Network Exploration and Security Auditing Cookbook

You're reading from   Nmap: Network Exploration and Security Auditing Cookbook Network discovery and security scanning at your fingertips

Arrow left icon
Product type Paperback
Published in May 2017
Publisher
ISBN-13 9781786467454
Length 416 pages
Edition 2nd Edition
Languages
Tools
Arrow right icon
Author (1):
Arrow left icon
Paulino Calderon Paulino Calderon
Author Profile Icon Paulino Calderon
Paulino Calderon
Arrow right icon
View More author details
Toc

Table of Contents (18) Chapters Close

Preface 1. Nmap Fundamentals 2. Network Exploration FREE CHAPTER 3. Reconnaissance Tasks 4. Scanning Web Servers 5. Scanning Databases 6. Scanning Mail Servers 7. Scanning Windows Systems 8. Scanning ICS SCADA Systems 9. Optimizing Scans 10. Generating Scan Reports 11. Writing Your Own NSE Scripts 12. HTTP, HTTP Pipelining, and Web Crawling Configuration Options 13. Brute Force Password Auditing Options 14. NSE Debugging 15. Additional Output Options 16. Introduction to Lua 17. References and Additional Reading

Monitoring servers remotely with Nmap and Ndiff

Using tools from the Nmap project we can set up a simple but powerful monitoring system. Because our monitoring system will depend on Nmap, we can monitor any information Nmap can gather. To detect changes on the network, we will need to compare the results of two scans: the base or known good state and the last results obtained. Now it is the perfect time to introduce Ndiff.

Ndiff was designed to address the issues of using the traditional diff command with two XML scan results. It compares files by removing false positives and producing a more readable output, which is perfect for anyone who needs to keep track of the scan results.

This recipe describes how to use bash scripting, cron, Nmap, and Ndiff to set up a monitoring system that alerts the user by e-mail if changes are detected in a network.

Getting ready

In this recipe, we assume the system has been configured to send mail via the mail command. If you would like to change the notification method, you simply need to update the bash script. You could use curl to POST data to your favorite social network or run a script that restarts the service. The possibilities are endless.

How to do it...

To setup a simple monitoring system with Nmap, we are going to need to do a few things:

  1. Create the directory /usr/local/share/nmap-mon/ directory (or whatever location you prefer) to store all the files required for our monitoring system.
  2. Scan your targets and save the result in XML format in the directory that you just created:
# nmap -oX base_results.xml -sV -Pn <target>  

The resulting file base_results.xml file will be used as your base file, meaning that it should reflect the known good versions and ports.

  1. Create the file nmap-mon.sh file in the directory you created earlier and paste the following code:
#!/bin/bash  
#Bash script to email admin when changes are detected in a network using Nmap and Ndiff.
#
#Don't forget to adjust the CONFIGURATION variables.
#Paulino Calderon <calderon@websec.mx>
#
#CONFIGURATION
#
NETWORK="YOURTARGET"
ADMIN=YOUR@EMAIL.COM
NMAP_FLAGS="-n -sV -Pn -p- -T4"
BASE_PATH=/usr/local/share/nmap-mon/
BIN_PATH=/usr/local/bin/
BASE_FILE=base.xml
NDIFF_FILE=ndiff.log
NEW_RESULTS_FILE=newscanresults.xml
BASE_RESULTS="$BASE_PATH$BASE_FILE"
NEW_RESULTS="$BASE_PATH$NEW_RESULTS_FILE"
NDIFF_RESULTS="$BASE_PATH$NDIFF_FILE"
if [ -f $BASE_RESULTS ]
then
echo "Checking host $NETWORK"
${BIN_PATH}nmap -oX $NEW_RESULTS $NMAP_FLAGS $NETWORK
${BIN_PATH}ndiff $BASE_RESULTS $NEW_RESULTS > $NDIFF_RESULTS
if [ $(cat $NDIFF_RESULTS | wc -l) -gt 0 ]
then
echo "Network changes detected in $NETWORK"
cat $NDIFF_RESULTS
echo "Alerting admin $ADMIN"
mail -s "Network changes detected in $NETWORK" $ADMIN < $NDIFF_RESULTS
fi
fi
  1. Update the configuration values according to your system:
NETWORK="YOURTARGET"  
ADMIN=YOUR@EMAIL.COM
NMAP_FLAGS="-sV -Pn -p- -T4"
BASE_PATH=/usr/local/share/nmap-mon/
BIN_PATH=/usr/local/bin/
BASE_FILE=base.xml
NDIFF_FILE=ndiff.log
NEW_RESULTS_FILE=newscanresults.xml
  1. Make nmap-mon.sh executable by entering the following command:
# chmod +x /usr/local/share/nmap-mon/nmap-mon.sh   
  1. Now run the nmap-mon.sh script to make sure it is working correctly.
# /usr/local/share/nmap-mon/nmap-mon.sh  
  1. Launch your crontab editor to execute the script periodically automatically:
# crontab -e   
  1. Add the following command:
0 * * * * /usr/local/share/nmap-mon/nmap-mon.sh  

You should now receive e-mail alerts when Ndiff detects a change in your network.

How it works...

Ndiff is a tool for comparing two Nmap scans. Think about the traditional diff but for Nmap scan reports. With some help from bash and cron, we set up a task that is executed at regular intervals to scan our network and compare our current state with an older state, to identify the differences between them. We used some basic bash scripting to execute our monitoring scan and then executed Ndiff to compare the results:

  if [ $(cat $NDIFF_RESULTS | wc -l) -gt 0 ]  
then
echo "Network changes detected in $NETWORK"
cat $NDIFF_RESULTS
echo "Alerting admin $ADMIN"
mail -s "Network changes detected in $NETWORK" $ADMIN < $NDIFF_RESULTS
fi

There's more...

You can adjust the interval between scans by modifying the cron line:

0 * * * * /usr/local/share/nmap-mon/nmap-mon.sh  

To update your base file, you simply need to overwrite your base file located at /usr/local/share/nmap-mon/. Remember that when we change the scan parameters to create our base file, we need to update them in nmap-mon.sh too.

Monitoring specific services

To monitor some specific service, you need to update the scan parameters in nmap-mon.sh:

NMAP_FLAGS="-sV -Pn"  

For example, if you would like to monitor a web server, you may use the following parameters:

NMAP_FLAGS="-sV --script http-google-safe -Pn -p80,443"   

These parameters set port scanning only to ports 80 and 443, and in addition, these parameters include the http-google-safe script to check whether your web server has been marked as malicious by the Google safe browsing service.

lock icon The rest of the chapter is locked
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at €18.99/month. Cancel anytime