Automating NMAP Scans

Why do I need automation?

Security analysts just don’t have the time to always run manual tests. Let’s say I wanted to monitor the ports and services open on my external lab IP address. It is not feasible for me to run a scan at 3am every day for the rest of my life. Therefore, a tool that could automatically run a scan, check whether anything suspicious was found, and alert me if so would be hugely beneficial. In my case, I have created a method to do this, and it is a very simple and straightforward method that virtually anyone can use!

How can I create a NMAP scanning server?

Servers are pretty easy to put up, whether it’s a virtual image spun up on a bare-metal box, a desktop, or in the cloud. In my case an Ubuntu Linux server was used. It has a firewall and is assigned an external public IP address, which gives it the ability to scan my lab network’s public IP address and identify any open ports/services. It’s a great way to gain some visibility into whether any new ports were opened that shouldn’t have been, or were missed.

*WARNING* please be sure that the network you are scanning is your own, or that you have WRITTEN PERMISSION to scan the network you desire. Scanning networks where you have no written permission can lead to legal issues, so please be sure you have permission or ownership of a network before doing so.

Why should I use your code?

Most scanners out there, such as Nessus, Qualys, etc., charge to use their services to run external scans and vulnerability assessments. Not all of us, especially for lab environments or very small networks, can afford or justify the cost. This is a simple and FREE way to run your own network port and service scan at any time. This is also no knock on Nessus or any other scanner out there, which I have personally used for non-personal use. But on a personal level, as a simple check, this NMAP tool is more than enough to meet my needs for my lab environment.

The code

The code will scan the configured subnet(s) and run a simple SYN scan on all 65535 TCP ports of each IP address, looking for any open ports and services. If the scan differs from the previous day’s scan, it will send an email alerting the user that changes were found, and exactly what those changes are, so that they can be investigated further.

The following code is written in bash. Feel free to use and modify it however it fits your needs.

#!/bin/bash
# Scan each target, diff today's result against yesterday's, and mail any change.
# nmap -sS (SYN scan) needs raw sockets, so run this as root (e.g. from root's crontab).

DIR="/home/username/scans"        # where scan output and diffs are stored
NETWORKS="10.10.1.0-255"          # space-separated list of targets to scan
TODAY=$(date +%Y%m%d)
YESTERDAY=$(date -d yesterday +%Y%m%d)

mkdir -p "$DIR"

# SYN scan all 65535 TCP ports of each target. -Pn skips host discovery,
# -oG writes grepable output, which is easy to diff.
for network in $NETWORKS
do
      nmap -Pn -sS -p1-65535 "$network" -oG "$DIR/$network.$TODAY.nmap"
done

# Compare with yesterday's scan. -I "^#" ignores the "# Nmap ..." header and
# footer lines, whose timestamps would otherwise differ every day.
# In the resulting diff, "<" lines are today's and ">" lines are yesterday's.
for network in $NETWORKS
do
      if [ -f "$DIR/$network.$YESTERDAY.nmap" ]
      then
              diff -I "^#" "$DIR/$network.$TODAY.nmap" "$DIR/$network.$YESTERDAY.nmap" > "$DIR/$network.$TODAY.diff"
      else
              # first run (or yesterday's scan is missing): nothing to compare against yet
              : > "$DIR/$network.$TODAY.diff"
      fi
done

# A non-empty diff means an open port or service changed; mail it out.
for network in $NETWORKS
do
      if [ -s "$DIR/$network.$TODAY.diff" ]
      then
              mail -s "Change Detected for $network" [email protected] < "$DIR/$network.$TODAY.diff"
      fi
done

Changing the code

There are a few changes that will need to be made to get this to work for you on your server.

You’ll need to change:

The “DIR” variable to match your home directory, or any other directory you wish to save the scans to.

The “NETWORKS” variable to match the subnet(s) you would like to scan.

“[email protected]” needs to be changed to a valid email address where you can receive emails when a difference is found.
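As an added example (not part of the original post), the following bash script turns two days of grepable scan files into a per-host list of open ports that appeared or disappeared. That is easier to triage than the raw diff the script above mails, which also fires on service-name changes and on the “Ignored State” counts. The sample scan files are constructed, and the function names are my own.

```shell
#!/bin/bash
# Added example, not the original post's script: summarise two days of
# "nmap -oG" output as the open ports that appeared or disappeared per host.
# Sample scans below are constructed, not real scan results.
export LC_ALL=C    # sort and comm must agree on collation

# Print "host port/proto/service" for every open port in a -oG file.
# Grepable Ports entries look like: 22/open/tcp//ssh///, 80/open/tcp//http///
open_ports() {
    awk -F'\t' '/^Host:/ {
        split($1, h, " ")                          # h[2] = IP address
        for (i = 2; i <= NF; i++) if ($i ~ /^Ports:/) {
            n = split(substr($i, 8), p, ", ")
            for (j = 1; j <= n; j++) {
                split(p[j], f, "/")                # port/state/proto//service///
                if (f[2] == "open") print h[2], f[1] "/" f[3] "/" f[5]
            }
        }
    }' "$1" | sort
}

# Compare yesterday's and today's scan: "+" = newly open, "-" = no longer open.
port_changes() {
    local a b
    a=$(mktemp); b=$(mktemp)
    open_ports "$1" > "$a"; open_ports "$2" > "$b"
    comm -3 "$a" "$b" | awk '/^\t/ { print "+ " substr($0, 2); next } { print "- " $0 }'
    rm -f "$a" "$b"
}

# Write a constructed -oG file: header comment, one Host line per IP/ports pair.
sample_scan() {
    local f=$1; shift
    {
        printf '# Nmap scan initiated (constructed sample)\n'
        printf 'Host: %s ()\tPorts: %s\tIgnored State: closed (65530)\n' "$@"
        printf '# Nmap done (constructed sample)\n'
    } > "$f"
}

OLD=$(mktemp); NEW=$(mktemp)
sample_scan "$OLD" 10.10.1.1 '22/open/tcp//ssh///, 80/open/tcp//http///' \
                   10.10.1.2 '443/open/tcp//https///'
sample_scan "$NEW" 10.10.1.1 '22/open/tcp//ssh///, 80/open/tcp//http///, 3389/open/tcp//ms-wbt-server///' \
                   10.10.1.2 '8080/open/tcp//http-proxy///, 8443/filtered/tcp//pcsync-https///'

port_changes "$OLD" "$NEW"
```

Filtered ports that nmap lists in the Ports field (like the constructed 8443 above) are deliberately not reported, since only open ports matter for this check.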

I hope this tool helps others out there as much as it’s helped me out. Feel free to leave any comments, questions or suggestions.