LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 12-07-2012, 05:48 AM   #1
Lexus45
Member
 
Registered: Jan 2010
Location: Kurgan, Russia
Distribution: Slackware, Ubuntu
Posts: 339
Blog Entries: 3

Rep: Reputation: 47
nmap OS detection in many networks


Hello all.

I need to scan many networks for OS detection purpose - to find hosts running Windows.

For one single host, this command is nice:
Code:
nmap -O -n -PN -v 10.5.1.112
But I have a number of subnets, about 50, and it's not very convenient to read an output like http://pastebin.com/WZEwaWXM
Moreover, this example shows only the 10.5.1.100-254 results. And I have about 50 such networks. And nmap has been scanning these addresses for 15-20 minutes already and the scanning still goes on.
Please look through this output. It has only three detected online PCs. All other information is not desirable at this moment.
All we need to see are sections such as this one (from which it is clear that the host has the IP address 10.5.1.108 and two open ports, one of which indicates a *nix-like OS, plus the OS detection information itself):
Code:
Nmap scan report for 10.5.1.108
Host is up (0.043s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
5900/tcp open  vnc
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.21%D=12/7%OT=22%CT=1%CU=36897%PV=Y%DS=4%DC=I%G=Y%TM=50C1D5B3%P=
OS:i686-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10E%TI=Z%CI=Z%II=I%TS=8)OPS(O1=M4
OS:D8ST11NW6%O2=M4D8ST11NW6%O3=M4D8NNT11NW6%O4=M4D8ST11NW6%O5=M4D8ST11NW6%O
OS:6=M4D8ST11)WIN(W1=3890%W2=3890%W3=3890%W4=3890%W5=3890%W6=3890)ECN(R=Y%D
OS:F=N%T=40%W=3908%O=M4D8NNSNW6%CC=Y%Q=)T1(R=Y%DF=N%T=40%S=O%A=S+%F=AS%RD=0
OS:%Q=)T2(R=N)T3(R=Y%DF=N%T=40%W=3890%S=O%A=S+%F=AS%O=M4D8ST11NW6%RD=0%Q=)T
OS:3(R=Y%DF=N%T=40%W=3890%S=O%A=O%F=A%O=NNT11%RD=0%Q=)T3(R=Y%DF=N%T=40%W=38
OS:90%S=O%A=O%F=AS%O=M4D8ST11NW6%RD=0%Q=)T4(R=Y%DF=N%T=40%W=0%S=A%A=Z%F=R%O
OS:=%RD=0%Q=)T5(R=Y%DF=N%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=N%T=40
OS:%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=N%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q
OS:=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y
OS:%DFI=N%T=40%CD=S)

I also don't need much of the other information (on the other hand, an open 22/TCP port indicates that the host is running Linux, not Win).

So, is there any more convenient way to scan 50 networks and get a nice output?
I've read nmap's man page but couldn't find anything useful, e.g. how to hide everything but the IP address and OS detection. Is 'grep' the only thing which can do this?

I want to write a Bash script which will scan net by net (I have a list of networks, so 10.0.0.0/8 is not necessary) and redirect the output to a txt file.

You're welcome to share your ideas.
Of course it's possible to scan each subnet, write everything for it to a separate txt file, and then have 50 txt files. But I'd like a more beautiful solution, if possible.

Thanks.

Last edited by Lexus45; 12-07-2012 at 06:02 AM.
 
Old 12-07-2012, 08:33 AM   #2
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian
Posts: 2,455

Rep: Reputation: 842
Quote:
Originally Posted by Lexus45
Code:
nmap -O -n -PN -v 10.5.1.112
But I have a number of subnets, about 50, and it's not very convenient to read an output like http://pastebin.com/WZEwaWXM
Moreover, this example shows only the 10.5.1.100-254 results. And I have about 50 such networks. And nmap has been scanning these addresses for 15-20 minutes already and the scanning still goes on.
Please look through this output. It has only three detected online PCs.
The -PN option is an old version of -Pn (No ping):
Quote:
-Pn (No ping)
... Disabling host discovery with -Pn causes Nmap to attempt the requested scanning functions against every target IP address specified. So if a class B target address space (/16) is specified on the command line, all 65,536 IP addresses are scanned. Proper host discovery is skipped as with the list scan, but instead of stopping and printing the target list, Nmap continues to perform requested functions as if each target IP is active...

... In previous versions of Nmap, -Pn was -P0 and -PN.
Also, -v means verbose, as in "give me more output".

Quote:
Originally Posted by Lexus45
So, is there any more convenient way to scan 50 networks and get a nice output?
I've read nmap's man page but couldn't find anything useful, e.g. how to hide everything but the IP address and OS detection. Is 'grep' the only thing which can do this?
There aren't really any options in nmap for selecting only certain info, but there are options to change the output to "grepable" format or XML, which makes it easier to get the bits that you want; see the Output section in the manual.
 
Old 12-07-2012, 09:42 AM   #3
Habitual
Senior Member
 
Registered: Jan 2011
Distribution: Undecided
Posts: 3,314
Blog Entries: 5

Rep: Reputation: 783
Quote:
...I also don't need much of other information (on the other hand an opened 22/TCP port indicates that the host is running Linux, not Win)....
Inconclusive indication, as OpenSSH could be installed on the Windows host(s). But oh well...

Something like
Code:
nmap -P0 -v -sS -p 22 -oA ssh_scan 10.0.0.0/8
should work.

Then review the ssh_scan file.

Have a Great Day and Merry Christmas!
 
Old 12-07-2012, 10:54 AM   #4
OlRoy
Member
 
Registered: Dec 2002
Posts: 304

Rep: Reputation: 86
It's way more reliable to consult AD, or use WMIC... Perhaps also a lot faster than using Nmap.

To show the OS and version use:

Code:
C:\> wmic os get name,version
Other commands can be found on the SANS Diary, and if you have the appropriate privileges, they can be scripted to run across a domain.
 
Old 12-08-2012, 01:40 PM   #5
NyteOwl
Member
 
Registered: Aug 2008
Location: Nova Scotia, Canada
Distribution: Slackware, OpenBSD, others periodically
Posts: 512

Rep: Reputation: 139
Quote:
Originally Posted by Habitual
Quote:
...I also don't need much of other information (on the other hand an opened 22/TCP port indicates that the host is running Linux, not Win)....
Inconclusive indication as OpenSSH could be installed on the Windows host(s). But oh well...
Correct. Port 22/TCP being open is not necessarily indicative of Linux.

Just a sample of some things that use 22/TCP:

SSH (Linux, BSD, Unix, Solaris, Windows, Apple OS, etc)
AudioReQuest, VideoRequest, Networdz, Putty (Windows applications)
iGet (Apple OS application)
InCommand, Shaft, Skun, Adore sshd (trojans)


OS fingerprinting is difficult and not entirely reliable. Some internet facing systems are "scrubbed" so as to present misleading fingerprinting data, especially honeypots.

Last edited by NyteOwl; 12-08-2012 at 01:41 PM. Reason: Fixed typos
 
Old 12-10-2012, 09:15 PM   #6
Lexus45
Member
 
Registered: Jan 2010
Location: Kurgan, Russia
Distribution: Slackware, Ubuntu
Posts: 339
Blog Entries: 3

Original Poster
Rep: Reputation: 47
Thanks to all. I used this script:
Code:
#!/bin/bash
# nmap OS detection script by Alexey Kazantsev. E-mail: kurgan-rus at inbox dot ru

# general vars
# %H (zero-padded hour) rather than %k, whose space padding would put a space into the file names
DATE=$(date +"%F_%H-%M")
LOGDIR="nmap-os-detection"
NMAPCMD="nmap -O -n"

# branch vars
CITY1="10.x.1.0"
CITY2="10.y.1.0"
CITY3="10.z.1.0"
...
CITYN=.....

# create the log directory if it does not exist yet, and stop if we cannot enter it
mkdir -p "$LOGDIR"
cd "$LOGDIR" || exit 1

# one scan per branch; the .1 address of each subnet is excluded
$NMAPCMD --exclude 10.x.1.1 $CITY1/24	> "scan-$CITY1-$DATE-city1.txt"
$NMAPCMD --exclude 10.y.1.1 $CITY2/24	> "scan-$CITY2-$DATE-city2.txt"
$NMAPCMD --exclude 10.z.1.1 $CITY3/24	> "scan-$CITY3-$DATE-city3.txt"
...
$NMAPCMD --exclude 10.n.n.n $CITYN/24	> "scan-$CITYN-$DATE-cityN.txt"
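An added example (not code from the thread and not Lexus45's script) that combines the two ideas above: scan a list of subnets instead of one hard-coded line per city, and use nmap's grepable output, as ntubski suggested, to keep only the IP address and the OS guess per host. The list file name networks.txt is a hypothetical choice, and the sample -oG lines are constructed, not real scan data.

```shell
#!/bin/sh
# Added example, not from the thread. Scans a list of subnets with nmap OS
# detection and keeps only "IP <TAB> OS guess" per host, by parsing the
# grepable (-oG) output that ntubski's reply points to. The list file name
# (networks.txt) is a hypothetical choice.

# Reduce grepable nmap output (stdin) to one "IP<TAB>OS" line per scanned
# host. A host whose OS nmap could not match has no "OS:" field in -oG
# output and is reported as "unknown" rather than dropped.
summarize_gnmap() {
    awk -F'\t' '
        /^Host:/ && /Ports:/ {
            split($1, h, " "); ip = h[2]
            os = "unknown"
            for (i = 2; i <= NF; i++)
                if ($i ~ /^OS: /) os = substr($i, 5)
            printf "%s\t%s\n", ip, os
        }'
}

# Keep only hosts whose OS guess mentions Windows (the poster's goal).
windows_only() {
    awk -F'\t' 'tolower($2) ~ /windows/'
}

# Constructed -oG sample in the nmap 5.x grepable layout (not real scan data).
sample_gnmap() {
    printf 'Host: 10.5.1.108 ()\tStatus: Up\n'
    printf 'Host: 10.5.1.108 ()\tPorts: 22/open/tcp//ssh///, 5900/open/tcp//vnc///\tIgnored State: closed (998)\tOS: Linux 2.6.X\tSeq Index: 204\n'
    printf 'Host: 10.5.1.112 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)\tOS: Microsoft Windows XP SP3\tSeq Index: 256\n'
    printf 'Host: 10.5.1.120 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)\n'
}

# Scan each network listed in $1 (one CIDR per line, "#" comments allowed),
# keep the raw -oG file per network in $2 and write one combined summary.
scan_networks() {
    list=$1; outdir=$2; stamp=$(date +%F_%H-%M)
    mkdir -p "$outdir" || return 1
    grep -v '^[[:space:]]*#' "$list" | while read -r net; do
        [ -n "$net" ] || continue
        tag=$(printf '%s' "$net" | tr '/' '_')
        nmap -O -n -Pn -oG "$outdir/scan-$tag-$stamp.gnmap" "$net" >/dev/null
        summarize_gnmap < "$outdir/scan-$tag-$stamp.gnmap"
    done > "$outdir/summary-$stamp.txt"
}

# Uncomment to run a real scan:  scan_networks networks.txt nmap-os-detection
sample_gnmap | summarize_gnmap | windows_only
```

Run stand-alone it only filters the constructed sample; the real scan loop still needs root for -O, as in the original command.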