Beginner’s Guide to nmap – Part 2
Showing Only IPs of Active Hosts / Output to File
There may be a need to output only the IP addresses of the active hosts on a subnet. We can strip out all of the nmap standard output except the IP address of each active host with the following command:
nmap -n -sn 192.168.56.0/24 -oG - | awk '/Up$/{print $2}'
-n is used to disable reverse DNS resolution of IP addresses. Not only is this necessary for our desired output, but it speeds up scanning as well and is generally recommended unless you either need or want reverse DNS resolution. Note that sometimes DNS names can be helpful though, especially when identifying targets on an unfamiliar network. -sn denotes a ping scan, which will only return up/down status and won’t perform a port scan on discovered hosts.
Output of that command will show only the IP addresses of active hosts, one per line. To perform a deeper search, you can replace -sn with a different scan type, like -sS or -sT, but the output may then show duplicate lines for the same host. To show only unique IP addresses, pipe the output of the command above through uniq. Note that uniq only collapses adjacent duplicate lines; since nmap groups each host's lines together this is enough here, but if the input were unsorted you would use sort -u instead.
nmap -n -sS 192.168.56.0/24 -oG - | awk '/Up$/{print $2}' | uniq
We can also redirect the output to a text file, either for documentation purposes or for use as the input to another nmap command via the -iL flag.
nmap -n -sS 192.168.56.0/24 -oG - | awk '/Up$/{print $2}' | uniq > output.txt
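The awk/uniq pipeline above works well interactively, but once you want the host list in a script (to feed back into -iL, or to diff a weekly sweep against a baseline and flag hosts that were not there before) it is worth parsing the grepable format properly. The following is an added example written for this post, not part of nmap; the sample -oG text is constructed to match the format nmap prints, and the function names (up_hosts, open_ports, new_hosts, write_target_list) are this example's own.

```python
"""Parse nmap grepable (-oG) output without awk, so the result can be reused
in scripts: unique up hosts (ready for -iL) and open ports per host.
Hypothetical helper written for this post; not part of nmap."""
import re

# Constructed sample of what `nmap -n -sS 192.168.56.0/24 -oG -` prints.
# Each host appears twice: a "Status:" line and a "Ports:" line.
SAMPLE_OG = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -n -sS -oG - 192.168.56.0/24
Host: 192.168.56.1 ()\tStatus: Up
Host: 192.168.56.1 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)
Host: 192.168.56.101 ()\tStatus: Up
Host: 192.168.56.101 ()\tPorts: 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (998)
Host: 192.168.56.102 ()\tStatus: Up
Host: 192.168.56.102 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh///\tIgnored State: closed (998)
# Nmap done at Mon Jan  1 12:00:05 2024 -- 256 IP addresses (3 hosts up) scanned in 5.00 seconds
"""

# "Host: <ip> (<hostname>)<TAB><rest of line>"
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")


def _host_lines(text):
    """Yield (ip, hostname, rest-of-line) for every Host: line, skipping comments."""
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        m = HOST_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def up_hosts(text):
    """Unique IPs whose Status field is Up, in the order nmap printed them.
    Same result as awk '/Up$/{print $2}' | uniq, but deduplicates even when
    the duplicate lines are not adjacent."""
    seen = []
    for ip, _name, rest in _host_lines(text):
        if rest.strip() == "Status: Up" and ip not in seen:
            seen.append(ip)
    return seen


def open_ports(text):
    """Map each IP to a list of (port, protocol, service, version) tuples for
    ports in the open state. The Ports field is a comma-separated list of
    port/state/protocol/owner/service/rpc/version/ entries."""
    result = {}
    for ip, _name, rest in _host_lines(text):
        # Tab-separated "Key: value" fields, e.g. "Ports: ..." and "Ignored State: ..."
        fields = dict(f.split(": ", 1) for f in rest.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue
        for entry in fields["Ports"].split(", "):
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            if state == "open":
                result.setdefault(ip, []).append((int(port), proto, service, version))
    return result


def new_hosts(previous, current):
    """Hosts up now that were not up in the earlier scan: what a defender
    looks for when diffing a periodic sweep against a known inventory."""
    return [ip for ip in current if ip not in previous]


def write_target_list(hosts, path):
    """Write one IP per line, the format nmap -iL reads back."""
    with open(path, "w") as fh:
        fh.write("\n".join(hosts) + "\n")
    return path


if __name__ == "__main__":
    hosts = up_hosts(SAMPLE_OG)
    print("\n".join(hosts))
    for ip, ports in open_ports(SAMPLE_OG).items():
        print(ip, ports)
    print("new since baseline:", new_hosts(["192.168.56.1"], hosts))
```

In practice you would read the text from a file written with -oG output.gnmap (or from stdin) instead of SAMPLE_OG; the parser ignores the comment lines nmap adds at the top and bottom, and the version field (seventh slot of each port entry, filled in when -sV is used) is what you would compare against an approved-software list.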
Decoy Scanning
Sometimes when scanning a network we’ll want to hide our IP address. The -S flag can be used to specify a source IP address that isn’t the one our machine is using, but the problem with doing that is that all return traffic (which we are trying to gather) will be sent to the spoofed source address instead of to us. A better option is to obscure our own address among a set of other addresses, so that any logging mechanism records what look like multiple scans from multiple machines, making it harder to trace the actual scan back to our own machine. We can do this with the -D flag.
We’ll assume that our own address is 192.168.56.100 for this example, and that we know 192.168.56.101 and .102 are valid nodes that are currently online. We can easily use the -D flag to provide a list of IP addresses outside of our own that will also appear to be scanning. These machines will actually receive a copy of the return traffic that’s destined to our machine, but the stack will discard it. Here we’ll be scanning the entire 192.168.56.0/24 subnet.
nmap -n -sS -D 192.168.56.101,192.168.56.102 192.168.56.0/24
Unfortunately, with the -D flag we must provide a comma-separated list of IPs to include as sources in the scan; we can’t use a range.
Using Scripts
Using the --script=<script> flag, we can specify a built-in script to run against host(s) while running our scan. nmap has a bunch of good built-in scripts that allow you to scan for things like specific vulnerabilities, whether or not anonymous login to FTP is allowed on a host, user enumeration on certain systems, and much more. The entire list of available scripts is provided on the nmap.org website.
I used the ftp-anon script against a Metasploitable 2 VM at 192.168.56.102 using the following command:
nmap -n -sV -T4 --script=ftp-anon 192.168.56.102
As you can see, under the output for port 21, this machine does allow anonymous FTP login.
Also notice that the machine is running vsftpd version 2.3.4. There also happens to be a script listed for nmap called ftp-vsftpd-backdoor, with this description:
“Tests for the presence of the vsFTPd 2.3.4 backdoor reported on 2011-07-04 (CVE-2011-2523). This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the exploit.cmd or ftp-vsftpd-backdoor.cmd script arguments.”
Just for fun, I tried the command again with that script, and this is what I got.
Granted, Metasploitable VMs are obviously designed to be full of holes, but this provides a good example of what scripts in nmap are capable of. Although nmap isn’t a replacement for a real vulnerability scanner, scripts like these are capable of bringing some of that functionality to nmap.
If you want to explore all of the nmap scripts that are installed by default on Kali, scripts are located in the /usr/share/nmap/scripts directory.
Generating an HTML Report from a Scan
You may want to produce scan output in a readable, printable fashion as part of a report or even your own notes. This is a two-step process, but a fairly simple one. We’ll expand upon the scan that we performed above by adding the -oX flag to our command. -oX takes one parameter: the name of the file to write the output to, in XML format.
nmap -n -sV -T4 --script=ftp-anon 192.168.56.102 -oX /root/output.xml
To convert this XML file into a nice, readable HTML webpage, we’ll use the xsltproc command. This works because the XML file nmap writes carries an xml-stylesheet reference to nmap’s own nmap.xsl stylesheet, which xsltproc follows; that path has to be valid on the machine where you run xsltproc.
xsltproc output.xml -o output.html
This command will leave the XML file untouched, but will create a nice HTML file that is easily readable in a browser. This can be added to a digital report or printed and looks very nice.
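If xsltproc or nmap.xsl is not available where the report is produced, the same XML can be turned into HTML with Python’s standard library. The following is an added example written for this post, not nmap’s own converter (that is the nmap.xsl stylesheet); the sample XML is constructed in the shape nmap -oX writes, trimmed to the elements used, and the function names parse_nmap_xml and to_html are this example’s own. One point worth seeing in code: every value in the report (service banners, NSE script output) originates from the scanned hosts, so it is HTML-escaped before it lands in a file you will later open in a browser.

```python
"""Turn nmap XML (-oX) into a small HTML report with the standard library.
Hypothetical code written for this post; nmap's own converter is nmap.xsl."""
import html
import xml.etree.ElementTree as ET

# Constructed sample in the shape nmap -oX writes, trimmed to the fields used.
# The port-80 extrainfo deliberately contains markup to show that banner text
# from a scanned host must be escaped when rendered.
SAMPLE_XML = """\
<nmaprun scanner="nmap" args="nmap -n -sV -T4 --script=ftp-anon 192.168.56.102 -oX /root/output.xml" version="7.94">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.56.102" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>
<service name="ftp" product="vsftpd" version="2.3.4" method="probed"/>
<script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.2.8" extrainfo="(Ubuntu) &lt;b&gt;DAV/2&lt;/b&gt;" method="probed"/></port>
<port protocol="tcp" portid="8009"><state state="closed" reason="reset"/><service name="ajp13" method="table"/></port>
</ports></host>
<runstats><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(text):
    """Return one dict per host: ip, state, and its open ports with service
    details and NSE script results. Closed/filtered ports are skipped."""
    root = ET.fromstring(text)
    hosts = []
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        entry = {
            "ip": addr.get("addr") if addr is not None else "?",
            "state": host.find("status").get("state"),
            "ports": [],
        }
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            product = ""
            if svc is not None:
                product = " ".join(
                    s for s in (svc.get("product"), svc.get("version"), svc.get("extrainfo")) if s
                )
            entry["ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name", "") if svc is not None else "",
                "product": product,
                # NSE results attached to this port, keyed by script id
                "scripts": {s.get("id"): s.get("output", "") for s in port.findall("script")},
            })
        hosts.append(entry)
    return hosts


def to_html(hosts, title="nmap scan report"):
    """Render parsed hosts as an HTML table. Every cell value came from the
    scanned hosts, so it is escaped: a hostile banner must not become markup."""
    e = html.escape
    rows = []
    for h in hosts:
        for p in h["ports"]:
            scripts = "<br>".join(f"<b>{e(sid)}</b>: {e(out)}" for sid, out in p["scripts"].items())
            rows.append(
                f"<tr><td>{e(h['ip'])}</td><td>{p['port']}/{e(p['proto'])}</td>"
                f"<td>{e(p['service'])}</td><td>{e(p['product'])}</td><td>{scripts}</td></tr>"
            )
    return (
        f"<!DOCTYPE html><html><head><meta charset='utf-8'><title>{e(title)}</title></head>"
        "<body><table border='1'><tr><th>Host</th><th>Port</th><th>Service</th>"
        "<th>Version</th><th>Script output</th></tr>"
        + "".join(rows) + "</table></body></html>"
    )


if __name__ == "__main__":
    report = to_html(parse_nmap_xml(SAMPLE_XML))
    with open("output.html", "w") as fh:
        fh.write(report)
    print(report)
```

To use it on a real scan, replace SAMPLE_XML with the contents of the file named in -oX. The table is deliberately plain; the point is that the parsing and the escaping are separate steps, so adding columns (host state, reason, script output for host-level scripts) does not change where untrusted text gets escaped.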
Conclusion
This concludes my two-part Beginner’s Guide to nmap series. If you would like to see more series like this, let me know down in the comments and I would be happy to add additional posts in the future. nmap is a very powerful tool, and there’s always more to learn, not only about the features that are baked in, but about how nmap’s output can be combined with other tools. I hope you’ve enjoyed this series, and thank you for reading.
If you enjoyed this tutorial and would like to see more, please feel free to share this article on social media, comment below letting me know what else you’d like to see, and follow me on Twitter @JROlmstead.