Monitoring servers remotely with Nmap and Ndiff
Combining tools from the Nmap project allows us to set up a simple but powerful monitoring system. This can then be used by system administrators monitoring a web server or by penetration testers wanting to surveil a remote system.
This recipe describes how to use bash scripting, cron, Nmap, and Ndiff to set up a monitoring system that alerts the user by an e-mail if changes are detected in a network.
How to do it...
Create the directory /usr/local/share/nmap-mon/ to store all the necessary files.
Scan your target host and save the results in the directory that you just created.
# nmap -oX base_results.xml -sV -PN <target>
The resulting file base_results.xml will be used as your base file, meaning that it should reflect the known "good" versions and ports. Note that the script expects the base file under the name set in its BASE_FILE variable (base.xml by default), so either rename the file or change BASE_FILE to match.
Copy the file nmap-mon.sh into your working directory.
The script nmap-mon.sh reads as follows.
#!/bin/bash
# Bash script to email admin when changes are detected in a network
# using Nmap and Ndiff.
#
# Don't forget to adjust the CONFIGURATION variables.
# Paulino Calderon <calderon@websec.mx>
#
# CONFIGURATION
#
NETWORK="YOURDOMAIN.COM"
ADMIN=YOUR@EMAIL.COM
NMAP_FLAGS="-sV -Pn -p- -T4"
BASE_PATH=/usr/local/share/nmap-mon/
BIN_PATH=/usr/local/bin/
BASE_FILE=base.xml
NDIFF_FILE=ndiff.log
NEW_RESULTS_FILE=newscanresults.xml

BASE_RESULTS="$BASE_PATH$BASE_FILE"
NEW_RESULTS="$BASE_PATH$NEW_RESULTS_FILE"
NDIFF_RESULTS="$BASE_PATH$NDIFF_FILE"

# Only run when a baseline scan exists to compare against.
if [ -f "$BASE_RESULTS" ]
then
  echo "Checking host $NETWORK"
  # Scan the target, save the new results as XML and diff them against the baseline.
  # NMAP_FLAGS is left unquoted on purpose so that it expands into separate arguments.
  ${BIN_PATH}nmap -oX "$NEW_RESULTS" $NMAP_FLAGS "$NETWORK"
  ${BIN_PATH}ndiff "$BASE_RESULTS" "$NEW_RESULTS" > "$NDIFF_RESULTS"
  # Ndiff prints nothing when the two scans match, so any output means a change.
  if [ $(cat "$NDIFF_RESULTS" | wc -l) -gt 0 ]
  then
    echo "Network changes detected in $NETWORK"
    cat "$NDIFF_RESULTS"
    echo "Alerting admin $ADMIN"
    mail -s "Network changes detected in $NETWORK" "$ADMIN" < "$NDIFF_RESULTS"
  fi
fi
Update the configuration values according to your system.
NETWORK="YOURDOMAIN.COM"
ADMIN=YOUR@EMAIL.COM
NMAP_FLAGS="-sV -Pn -p- -T4"
BASE_PATH=/usr/local/share/nmap-mon/
BIN_PATH=/usr/local/bin/
BASE_FILE=base.xml
NDIFF_FILE=ndiff.log
NEW_RESULTS_FILE=newscanresults.xml
Make nmap-mon.sh executable by entering the following command:
# chmod +x /usr/local/share/nmap-mon/nmap-mon.sh
You can now run the script nmap-mon.sh to make sure it is working correctly.
# /usr/local/share/nmap-mon/nmap-mon.sh
Launch your crontab editor:
# crontab -e
Add the following command:
0 * * * * /usr/local/share/nmap-mon/nmap-mon.sh
You should now receive e-mail alerts when Ndiff detects a change in your network.
How it works...
Ndiff is a tool for comparing two Nmap scans. With some help from bash and cron, we set up a task that is executed at regular intervals to scan our network and compare our current state with an older state, in order to identify the differences between them.
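As an added illustration of what the comparison step does (example code written for this page, not part of the Nmap project or the original recipe), the following Python script parses two constructed Nmap -oX results and reports the kinds of differences the monitor alerts on: newly open ports, ports that closed, and changed service versions. The host address, ports and version strings are constructed sample values.

```python
import xml.etree.ElementTree as ET

# Constructed samples of two Nmap -oX results: the baseline and a later scan.
BASE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX base_results.xml -sV -Pn yourdomain.com">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.14.0"/></port>
</ports></host></nmaprun>"""

NEW_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX newscanresults.xml -sV -Pn -p- -T4 yourdomain.com">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.16.1"/></port>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
</ports></host></nmaprun>"""


def parse_open_ports(xml_text):
    """Map (address, protocol, port) -> service description for every open port."""
    result = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            parts = [svc.get(a) for a in ("name", "product", "version")] if svc is not None else []
            desc = " ".join(p for p in parts if p) or "unknown"
            result[(addr_el.get("addr"), port.get("protocol"), int(port.get("portid")))] = desc
    return result


def diff_scans(base_xml, new_xml):
    """Return the changes a monitor should alert on between a baseline and a new scan."""
    base, new = parse_open_ports(base_xml), parse_open_ports(new_xml)
    return {
        "added": sorted(k for k in new if k not in base),
        "removed": sorted(k for k in base if k not in new),
        "changed": sorted((k, base[k], new[k]) for k in base if k in new and base[k] != new[k]),
    }


if __name__ == "__main__":
    for kind, items in diff_scans(BASE_XML, NEW_XML).items():
        for item in items:
            print(kind, item)
```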
There's more...
You can adjust the interval between scans by modifying the cron line:
0 * * * * /usr/local/share/nmap-mon/nmap-mon.sh
To update your base file, you simply need to overwrite the base file located at /usr/local/share/nmap-mon/. Remember that if you change the scan parameters used to create the base file, you need to update NMAP_FLAGS in nmap-mon.sh too, so that the two scans remain comparable.
Monitoring specific services
To monitor a specific service, you need to update the scan parameters in nmap-mon.sh.
NMAP_FLAGS="-sV -Pn"
For example, if you would like to monitor a web server, you may use the following parameters:
NMAP_FLAGS="-sV --script http-google-safe -Pn -p80,443"
These parameters restrict port scanning to ports 80 and 443 and additionally run the script http-google-safe, which checks whether your web server has been marked as malicious by the Google Safe Browsing service.
See also
The Listing open ports on a remote host recipe
The Fingerprinting services of a remote host recipe
The Finding live hosts in your network recipe
The Running NSE scripts recipe
The Comparing scan results with Ndiff recipe
The Discovering hosts with ICMP ping scans recipe in Chapter 2, Network Exploration
The Scanning IPv6 addresses recipe in Chapter 2, Network Exploration
The Gathering network information with broadcast scripts recipe in Chapter 2, Network Exploration
The Checking if a host is known for malicious activities recipe in Chapter 3, Gathering Additional Host Information
The Discovering UDP services recipe in Chapter 3, Gathering Additional Host Information