Nmap 6:Network exploration and security auditing Cookbook
上QQ阅读APP看书,第一时间看更新

Monitoring servers remotely with Nmap and Ndiff

Combining tools from the Nmap project allows us to set up a simple but powerful monitoring system. This can then be used by system administrators monitoring a web server or by penetration testers wanting to surveil a remote system.

This recipe describes how to use bash scripting, cron, Nmap, and Ndiff to set up a monitoring system that alerts the user by an e-mail if changes are detected in a network.

How to do it...

Create the directory /usr/local/share/nmap-mon/ to store all the necessary files.

Scan your target host and save the results in the directory that you just created.

# nmap -oX base_results.xml -sV -PN <target>

The resulting file base_results.xml will be used as your base file, meaning that it should reflect the known "good" versions and ports.

Copy the file nmap-mon.sh into your working directory.

The output of the scan will be as follows.

#!/bin/bash 
#Bash script to email admin when changes are detected in a network using Nmap and Ndiff. 
# 
#Don't forget to adjust the CONFIGURATION variables. 
#Paulino Calderon <calderon@websec.mx> 

# 
#CONFIGURATION 
# 
NETWORK="YOURDOMAIN.COM" 
ADMIN=YOUR@EMAIL.COM 
NMAP_FLAGS="-sV -Pn -p- -T4" 
BASE_PATH=/usr/local/share/nmap-mon/ 
BIN_PATH=/usr/local/bin/ 
BASE_FILE=base.xml 
NDIFF_FILE=ndiff.log 
NEW_RESULTS_FILE=newscanresults.xml 

BASE_RESULTS="$BASE_PATH$BASE_FILE" 
NEW_RESULTS="$BASE_PATH$NEW_RESULTS_FILE" 
NDIFF_RESULTS="$BASE_PATH$NDIFF_FILE" 

if [ -f $BASE_RESULTS ] 
then 
 echo "Checking host $NETWORK" 
 ${BIN_PATH}nmap -oX $NEW_RESULTS $NMAP_FLAGS $NETWORK 
 ${BIN_PATH}ndiff $BASE_RESULTS $NEW_RESULTS > $NDIFF_RESULTS 
 if [ $(cat $NDIFF_RESULTS | wc -l) -gt 0 ] 
 then 
 echo "Network changes detected in $NETWORK" 
 cat $NDIFF_RESULTS 
 echo "Alerting admin $ADMIN" 
 mail -s "Network changes detected in $NETWORK" $ADMIN < $NDIFF_RESULTS 
 fi 
fi 

Update the configuration values according to your system.

NETWORK="YOURDOMAIN.COM" 
ADMIN=YOUR@EMAIL.COM 
NMAP_FLAGS="-sV -Pn -p- -T4" 
BASE_PATH=/usr/local/share/nmap-mon/ 
BIN_PATH=/usr/local/bin/ 
BASE_FILE=base.xml 
NDIFF_FILE=ndiff.log 
NEW_RESULTS_FILE=newscanresults.xml 

Make nmap-mon.sh executable by entering the following command:

# chmod +x /usr/local/share/nmap-mon/nmap-mon.sh 

You can now run the script nmap-mon.sh to make sure it is working correctly.

# /usr/local/share/nmap-mon/nmap-mon.sh

Launch your crontab editor:

# crontab -e 

Add the following command:

0 * * * * /usr/local/share/nmap-mon/nmap-mon.sh

You should now receive e-mail alerts when Ndiff detects a change in your network.

How it works...

Ndiff is a tool for comparing two Nmap scans. With some help from bash and cron, we set up a task that is executed at regular intervals to scan our network and compare our current state with an older state, in order to identify the differences between them.

There's more...

You can adjust the interval between scans by modifying the cron line:

0 * * * * /usr/local/share/nmap-mon/nmap-mon.sh

To update your base file, you simply need to overwrite your base file located at /usr/local/share/nmap-mon/. Remember that when we change the scan parameters to create our base file, we need to update them in nmap-mon.sh too.

Monitoring specific services

To monitor some specific service, you need to update the scan parameters in nmap-mon.sh.

NMAP_FLAGS="-sV -Pn"

For example, if you would like to monitor a web server, you may use the following parameters:

NMAP_FLAGS="-sV --script http-google-safe -Pn -p80,443" 

These parameters set port scanning only to ports 80 and 443, and in addition these parameters include the script http-google-safe to check if your web server has been marked as malicious by the Google Safe Browsing service.

See also

  • The Listing open ports on a remote host recipe
  • The Fingerprinting services of a remote host recipe
  • The Finding live hosts in your network recipe
  • The Running NSE scripts recipe
  • The Comparing scan results with Ndiff recipe
  • The Discovering hosts with ICMP ping scans recipe in Chapter 2, Network Exploration
  • The Scanning IPv6 addresses recipe in Chapter 2, Network Exploration
  • The Gathering network information with broadcast scripts recipe in Chapter 2, Network Exploration
  • The Checking if a host is known for malicious activities recipe in Chapter 3, Gathering Additional Host Information
  • The Discovering UDP services recipe in Chapter 3, Gathering Additional Host Information