Jun 25, 2018
Automating NMAP Scans
Automating NMAP Scans
Why do I need automation ?
Security analysts just don’t have the time to always run manual tests. Let’s say I wanted to monitor my ports and services open on my external lab IP address. It is not feasible for me to run a scan at 3am every day for the rest of my life. Therefore, if I had a tool that could automatically run a scan, check to see if anything suspicious is found and can alert me if that is the case would be hugely beneficial. In my case, I have created a method to do this and it is a very simple and straight forward method that virtually any one can use!
How can I create a NMAP scanning server ?
Servers are pretty easy to put up whether it’s a Virtual Image that’s spun up on a bare box, desktop, or in the cloud. In my case a Linux Ubuntu Server was used. It has a firewall and is assigned an external public IP address. It then has the ability to scan my lab network public IP address to be able to identify any open ports/services. It’s a great way to gain some visibility into knowing if any new ports were opened that shouldn’t have been or were missed.
*WARNING* please be sure that the network you are scanning is your own, or that you have WRITTEN PERMISSION to scan the network you desire. Scanning networks where you have no written permission can lead to legal issues, so please be sure you have permission or ownership of a network before doing so.
Why should I use your code ?
Most scanners out there such as Nessus, Qualys etc… all charge to use their services to run external scans and vulnerability assessments. Not all of us especially for lab environments, or very small networks can afford or justify the costs. This a simple and FREE way to run your own network port & services scan at anytime. This is also no hit on Nessus or any other scanner out there, which I personally used for non-personal use. But, on a personal level as a simple check, this NMAP tool is more than enough to meet my needs for my lab environment.
The code
The code will scan the set subnet(s) and run a simple SYN scan on all 65535 ports of each IP address looking for any open ports & services. If the scan is different from the previous days scan, it will send an email out alerting the user that changes were found, and what these exact changes are so that they can be investigated furthermore.
The following code is written in bash. Feel free to use and modify it however it fits your needs.
#! /bin/sh
DIR="/home/username/scans"
NETWORKS="10.10.1.0-255"
TODAY=`date +%Y%m%d`
YESTERDAY=`date -d yesterday +%Y%m%d`
for network in $NETWORKS
do
nmap -Pn -sS -p1-65535 $network -oG $DIR/$network.$TODAY.nmap
done
for network in $NETWORKS
do
diff -I "^#" $DIR/$network.$TODAY.nmap $DIR/$network.$YESTERDAY.nmap > $DIR/$network.$TODAY.diff
done
for network in $NETWORKS
do
SIZE=`find $DIR/$network.$TODAY.diff -size +0b`
if [ "$SIZE" = "$DIR/$network.$TODAY.diff" ]
then
cat $DIR/$network.$TODAY.diff | mail -s "Change Detected for $network" [email protected]
fi
doneChanging the code
There are a few changes that will need to be made to get this to work for you on your server.
You’ll need to change:
“DIR” variable to match your home directory, or any other directory you wish to save the scan at.
“NETWORKS” variable to match the subnet(s) you would like to scan.
“[email protected]” needs to be changed to a valid email address where you can receive emails when a difference is found.
I hope this tool helps others out there as much as it’s helped me out. Feel free to leave any comments, questions or suggestions.
My name is Harry Taheem
I am a Cyber Security Engineer.
My aim is to post things I learn or find interesting and allow others to hopefully gain some more insight. I also plan on posting general IT related issues, as Iād like 
Nice site man Ive been looking everywhere for something like this!
Very efficiently written information. It will be beneficial to everyone who usess it, as well as yours truly :). Keep doing what you are doing – for sure i will check out more posts.