I need to scan many networks for OS detection purposes, to find hosts running Windows.
For a single host, this command works nicely:
nmap -O -n -PN -v 10.5.1.112
But I have a number of subnets, about 50, and it's not very convenient to read output like http://pastebin.com/WZEwaWXM
Moreover, this example shows only the results for 10.5.1.100-254, and I have about 50 such networks. Nmap has been scanning these addresses for 15-20 minutes already and the scan is still going.
Please look through this output. It has only three
detected online PCs. All the other information is not needed at the moment.
All we need to see are sections like this one (from which it is clear that the host has the IP address 10.5.1.108 and two open ports, one of which indicates a *nix-like OS, plus the OS detection information itself):
Nmap scan report for 10.5.1.108
Host is up (0.043s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
5900/tcp open vnc
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
I also don't need much of the other information (on the other hand, an open 22/TCP port indicates that the host is running Linux, not Windows).
So, is there any more convenient way to scan 50 networks and get a nice output?
I've read nmap's man page but couldn't find anything useful, e.g. how to hide everything but the IP address and OS detection. Is 'grep' the only thing that can do this?
I want to write a Bash script which will scan net by net (I have a list of networks, so 10.0.0.0/8 is not necessary) and redirect the output to a txt file.
You're welcome to share your ideas.
Of course it's possible to scan each subnet and write everything about it to a separate txt file, and then have 50 txt files. But I'd like a more elegant solution, if possible.
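One way to get a single, compact report for all 50 networks, added here as an illustration and not part of the original question or of nmap itself: give nmap the list of networks with -iL instead of looping over them, ask for grepable output (-oG -) and reduce it with awk to one line per host showing the IP, its open ports and the OS guess; a final grep picks out the Windows hosts. The nmap options used are real ones (-Pn is the current spelling of -PN; --osscan-limit skips fingerprinting of hosts that do not have both an open and a closed port, which cuts scan time on large ranges). The function names, the file names networks.txt and hosts.txt, and the sample grepable lines fed in for demonstration are constructed for this example.

```shell
#!/usr/bin/env bash
# Summarise nmap grepable output (-oG) read on stdin into one tab-separated
# line per host: IP, open ports, OS guess ("-" when nmap gave none).
# Hosts with neither an open port nor an OS guess (e.g. the "Status: Up"
# line) produce no output.
summarize_grepable() {
    awk -F "$(printf '\t')" '
        /^Host: / {
            split($1, h, " ")            # "Host: 10.5.1.108 ()" -> h[2] is the IP
            ip = h[2]; ports = ""; os = "-"
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^Ports: /) {
                    # each entry looks like port/state/proto//service///
                    n = split(substr($i, 8), p, ", ")
                    for (j = 1; j <= n; j++) {
                        split(p[j], f, "/")
                        if (f[2] == "open")
                            ports = ports (ports == "" ? "" : ",") f[1] "/" f[3]
                    }
                } else if ($i ~ /^OS: /) {
                    os = substr($i, 5)
                }
            }
            if (ports != "" || os != "-")
                print ip "\t" (ports == "" ? "-" : ports) "\t" os
        }'
}

# Scan every network listed in $1 (one CIDR or range per line) and write the
# summary to $2. $3 is an optional extended regex applied to the summary
# lines, e.g. "Windows" to keep only hosts nmap fingerprinted as Windows.
scan_networks() {
    local netfile=$1 outfile=$2 pattern=${3:-.}
    # -O: OS detection; --osscan-limit: only fingerprint hosts with at least
    # one open and one closed port; -n: no DNS; -Pn: skip host discovery;
    # -iL: read targets from file; -oG -: grepable output on stdout.
    nmap -O --osscan-limit -n -Pn -iL "$netfile" -oG - \
        | summarize_grepable \
        | grep -E -- "$pattern" > "$outfile"
}

# Constructed sample of grepable output (no real scan behind it), used to
# show what summarize_grepable produces without running nmap.
sample_grepable() {
    printf 'Host: 10.5.1.108 ()\tStatus: Up\n'
    printf 'Host: 10.5.1.108 ()\tPorts: 22/open/tcp//ssh///, 5900/open/tcp//vnc///\tIgnored State: closed (998)\n'
    printf '# Nmap done at (constructed) -- 1 IP address (1 host up) scanned\n'
    printf 'Host: 10.5.1.120 ()\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///, 3389/closed/tcp//ms-wbt-server///\tIgnored State: closed (997)\tOS: Microsoft Windows 7\tSeq Index: 260\n'
}

# Usage: scan_networks networks.txt hosts.txt Windows
# With no arguments, show the summary of the constructed sample instead.
if [ $# -ge 2 ]; then
    scan_networks "$@"
else
    sample_grepable | summarize_grepable
fi
```

The grep at the end does the "Windows only" filtering on the OS column, so hosts with no fingerprint (the "No exact OS matches" case) simply show "-" there and are dropped by the pattern; leave the third argument off to keep every host with an open port, which covers the case where OS detection fails but the port list already tells the story.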