Nmap scripting project
#1
Security Sleuth
Hey all,
Well, I just got a big project dropped in my lap, and I need help deciding how I'm going to go about doing it... I need to figure out how to use Nmap to scan a few thousand IPs to discover which machines are online, and then put the IPs of the results into a simple host file that our vuln scanner can use. I need to use the OS discovery option so I can filter out any printers / routers etc. I can't use a ping sweep, because many of the machines are set not to respond to ping requests, but every machine has at least one port open, therefore the reason for Nmap. Any ideas?? I hope I made sense. BTW, this is all in Windows.
__________________
There's no place like 127.0.0.1 Life Lesson: Procrastinate Later Never hold a dust buster and a cat at the same time How manually restore system registry windows How see security tab my windows XP Machine
#2
Security Sleuth
*cough* bump *cough*
#3
Audiophile
Wow, this sounds like an interesting project. Sorry I can't be of much help at the moment, but if you get anywhere with this be sure to tell me.
__________________
(SELLING - PM FOR DETAILS) CPU: Core 2 Duo E4300 @ 3GHZ (Capable of much more) Motherboard: P5B Deluxe | GPU: X1950PRO | RAM: 2Gb Team Xtreem PC2-6400 | PSU: OCZ GameXStream 600w | Case: Modded Lian Li PC-7B | CPU Cooling: Tuniq Tower 120 | GPU Cooling: VF900's |
#4
Photography nut
Too bad it's not in Linux or I might be able to help.
__________________
"UNIX was never designed to keep people from doing stupid things, because that policy would also keep them from doing clever things." - Doug Gwyn Try out the latest Programming Challenge Quote:
CPU-Z Validation @ 2.97-prime95 stable 16 hours @ 1.48v Proof | CPU-Z Validation @ 3.15 Getting Mouse Side Buttons to work in Linux, Compile a custom Kernel, More
#5
Security Sleuth
That's fine, I just need a place to start... How would you do it???
#6
Photography nut
Well I'm by no means a pro with nmap.
If all the IPs are in a file then that will help you out. nmap can scan a list of hostnames from a file, like so:

nmap -iL <inputfilename>

To get a list of hostnames that appear to be up, something like the following. (Don't know how to represent this in Windows scripting, but what this would do in Linux is: if the hostname appears up then a message is output to the screen that says something like "Host Overclock.net (66.29.75.34) appears to be up." The command grep takes the line that contains the string "appears to be up" and outputs it into a file.)

nmap -sP www.overclock.net | grep "appears to be up" > /directory/path/hostup.txt

In the script you can have it just write the current hostname being tested and output that to a file, so then you would have a file of just hostnames that appear to nmap to be up. Then you could run nmap with that file of hostnames to get the OS info.

I think it'll be tricky to find the OS info b/c:
1) nmap's OS detection is iffy at times.
2) The only way I know to get OS info is by doing a ping scan; you could try a list scan but I don't think nmap can get the OS info that way.

Some info on commands for nmap (from the manual pages in Linux, not sure if the commands are the same in Windows):

Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sP: Ping Scan - go no further than determining if host is online
  -P0: Treat all hosts as online -- skip host discovery
  -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idlescan
  -sO: IP protocol scan
  -b <ftp relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
  -F: Fast - Scan only the ports listed in the nmap-services file)
  -r: Scan ports consecutively - don't randomize
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in milliseconds, unless you append 's'
  (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T[0-5]: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <time>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --data-length <num>: Append random data to sent packets
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP checksum
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use twice for more effect)
  -d[level]: Set or increase debugging level (Up to 9 is meaningful)
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --log-errors: Log errors/warnings to the normal-format output file
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Insecure.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enables OS detection and Version detection
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sP 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -P0 -p 80
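The grep pipeline in the post above, plus the printer/router filter the first post asks for, as an added example that is not code from this thread or from the Nmap project. Instead of grepping "appears to be up" it parses Nmap's grepable output (-oG, listed in the help text above) with Python, which runs on Windows as well as Linux, so no grep is needed. The scan command in the comments, the keyword list used to recognise printers and network devices, the sample output and the file names are all assumptions constructed for the example; -P0 is the flag from the help text above (newer Nmap releases spell it -Pn).

```python
"""Build a host file for a vulnerability scanner from Nmap grepable output.

Example added to this thread; not code from the Nmap project. Python runs
on Windows, so this replaces the Linux grep pipeline. Assumed scan command
(flags as in the help text quoted above; -P0 skips the ping sweep so hosts
that drop ICMP are still port-scanned; newer Nmap releases spell it -Pn):

    nmap -iL targets.txt -P0 -O -oG scan.gnmap
"""
import re
import sys
from typing import Dict, List, Optional

# Constructed sample of -oG output (not a real scan). Each host gets a
# "Status" line and, if any port answered, a "Ports" line; the "OS"
# field is only present when -O produced a match.
SAMPLE_GNMAP = """\
# Nmap 4.20 scan initiated as: nmap -iL targets.txt -P0 -O -oG scan.gnmap
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.1 ()\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///\tOS: Microsoft Windows XP SP2\tSeq Index: 12345
Host: 10.0.0.2 ()\tStatus: Up
Host: 10.0.0.2 ()\tPorts: 9100/open/tcp//jetdirect///\tOS: HP LaserJet printer
Host: 10.0.0.3 (gw.example.test)\tStatus: Up
Host: 10.0.0.3 (gw.example.test)\tPorts: 23/open/tcp//telnet///\tOS: Cisco router IOS 12.X
Host: 10.0.0.4 ()\tStatus: Up
Host: 10.0.0.4 ()\tPorts: 22/open/tcp//ssh///
Host: 10.0.0.5 ()\tStatus: Down
# Nmap done -- 5 IP addresses (4 hosts up) scanned
"""

# Assumed keyword list: an OS guess containing any of these is treated as a
# printer or network device and left out of the host file.
EXCLUDE_OS_KEYWORDS = ("printer", "jetdirect", "router", "switch", "cisco ios", "embedded")

# "Host: <ip> (<hostname>)" followed by tab-separated "Key: value" fields.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")


def parse_gnmap(text: str) -> Dict[str, dict]:
    """Merge the per-host lines of grepable output into one record per IP."""
    hosts: Dict[str, dict] = {}
    for line in text.splitlines():
        match = HOST_RE.match(line)
        if not match:
            continue  # comment lines and anything else
        ip, hostname, rest = match.groups()
        rec = hosts.setdefault(
            ip, {"hostname": hostname, "status": None, "ports": [], "os": None})
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                rec["status"] = value.strip()
            elif key == "Ports":
                # Entries look like 445/open/tcp//microsoft-ds///
                for entry in value.split(","):
                    parts = entry.strip().split("/")
                    if len(parts) > 1 and parts[1] == "open":
                        rec["ports"].append(parts[0])
            elif key == "OS":
                rec["os"] = value.strip()
    return hosts


def is_network_device(os_guess: Optional[str]) -> bool:
    """True when the OS guess reads like a printer/router rather than a host.

    Hosts with no guess return False: -O often has nothing to say about a
    machine, and dropping those would lose real hosts.
    """
    if not os_guess:
        return False
    low = os_guess.lower()
    return any(word in low for word in EXCLUDE_OS_KEYWORDS)


def select_hosts(hosts: Dict[str, dict]) -> List[str]:
    """IPs to hand to the vuln scanner: up, at least one open port, not a device.

    With -P0 every target is reported "Up", so an open port is the real sign
    of life; that matches the observation that every machine here has at
    least one port open.
    """
    return [ip for ip, rec in hosts.items()
            if rec["status"] == "Up" and rec["ports"]
            and not is_network_device(rec["os"])]


def write_host_file(ips: List[str], path: str) -> int:
    """Write one IP per line (platform line endings) and return the count."""
    with open(path, "w") as fh:
        for ip in ips:
            fh.write(ip + "\n")
    return len(ips)


if __name__ == "__main__":
    # Usage: python gnmap2hosts.py scan.gnmap hosts.txt  (no args: use the sample)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GNMAP
    out_path = sys.argv[2] if len(sys.argv) > 2 else "hosts.txt"
    records = parse_gnmap(source)
    for ip, rec in records.items():
        print(f"{ip:15} {(rec['status'] or '?'):4} ports={','.join(rec['ports']) or '-'} "
              f"os={rec['os'] or 'unknown'}")
    print(f"wrote {write_host_file(select_hosts(records), out_path)} hosts to {out_path}")
```

Run against the sample it keeps 10.0.0.1 and 10.0.0.4, drops the printer and the router on their OS guess, and drops 10.0.0.5 as down. Whether a host with no OS match should be kept or dropped is the one judgement call: keeping it risks a printer with an unrecognised fingerprint reaching the vuln scanner, dropping it risks losing real machines, and the script defaults to keeping.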
#7
Apple Doesn't Love You
This would be much easier to do on a Linux box - I would suggest ssh'ing into one at the least.
How much coding can you do?
#8
Security Sleuth
I may be able to move this to a linux box if it will be easier.
I am a novice when it comes to coding. I'm familiar with a couple of languages (VB, C+, Perl) and I can write basic batch files in Windows; that's about it. Hence why I'm here.
#9
Apple Doesn't Love You
If you're on a Unix box you can do what hobo said by using C's system() function.
#10
Security Sleuth
Well, I just found out that it HAS to be Windows, 'cause the vuln scanner we use is Windows-based. So never mind on *nix.