LinuxQuestions.org > Linux - Security > nmap OS detection in many networks (https://www.linuxquestions.org/questions/linux-security-4/nmap-os-detection-in-many-networks-4175440419/)

Lexus45 12-07-2012 05:48 AM

nmap OS detection in many networks
 
Hello all.

I need to scan many networks for OS detection purpose - to find hosts running Windows.

Speaking of one single host, this command is nice:
Code:

nmap -O -n -PN -v 10.5.1.112

But I have a number of subnets, about 50, and it's not very convenient to read an output like http://pastebin.com/WZEwaWXM
Moreover, this example shows only the 10.5.1.100-254 results. And I have about 50 such networks. And nmap has been scanning these addresses for 15-20 minutes already and the scanning still goes on.
Look through this output please. It has only three detected online PCs. All other information is not desirable at this moment.
All we need to see are such sections (from which it is clear that the host has the IP address 10.5.1.108, two open ports, one of them indicating a *nix-like OS, and the OS detection information itself):
Code:

Nmap scan report for 10.5.1.108
Host is up (0.043s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
5900/tcp open  vnc
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.21%D=12/7%OT=22%CT=1%CU=36897%PV=Y%DS=4%DC=I%G=Y%TM=50C1D5B3%P=
OS:i686-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10E%TI=Z%CI=Z%II=I%TS=8)OPS(O1=M4
OS:D8ST11NW6%O2=M4D8ST11NW6%O3=M4D8NNT11NW6%O4=M4D8ST11NW6%O5=M4D8ST11NW6%O
OS:6=M4D8ST11)WIN(W1=3890%W2=3890%W3=3890%W4=3890%W5=3890%W6=3890)ECN(R=Y%D
OS:F=N%T=40%W=3908%O=M4D8NNSNW6%CC=Y%Q=)T1(R=Y%DF=N%T=40%S=O%A=S+%F=AS%RD=0
OS:%Q=)T2(R=N)T3(R=Y%DF=N%T=40%W=3890%S=O%A=S+%F=AS%O=M4D8ST11NW6%RD=0%Q=)T
OS:3(R=Y%DF=N%T=40%W=3890%S=O%A=O%F=A%O=NNT11%RD=0%Q=)T3(R=Y%DF=N%T=40%W=38
OS:90%S=O%A=O%F=AS%O=M4D8ST11NW6%RD=0%Q=)T4(R=Y%DF=N%T=40%W=0%S=A%A=Z%F=R%O
OS:=%RD=0%Q=)T5(R=Y%DF=N%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=N%T=40
OS:%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=N%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q
OS:=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y
OS:%DFI=N%T=40%CD=S)


I also don't need much of the other information (on the other hand, an open 22/TCP port indicates that the host is running Linux, not Win).

So, is there any more convenient way to scan 50 networks and get a nice output?
I've read nmap's man page but couldn't find anything useful, e.g. how to hide everything but the IP address and OS detection. Is 'grep' the only thing that can do this?

I want to write some Bash script which will scan net by net (I have a list of networks, so 10.0.0.0/8 is not necessary) and redirect the output to a txt file.

You're welcome to share your ideas.
Of course it's possible to scan each subnet, write its output to a separate txt file, and end up with 50 txt files. But I'd like some more beautiful solution, if it is possible.

Thanks.

ntubski 12-07-2012 08:33 AM

Quote:

Originally Posted by Lexus45 (Post 4844450)
Code:

nmap -O -n -PN -v 10.5.1.112

But I have a number of subnets, about 50, and it's not very convenient to read an output like http://pastebin.com/WZEwaWXM
Moreover, this example shows only the 10.5.1.100-254 results. And I have about 50 such networks. And nmap has been scanning these addresses for 15-20 minutes already and the scanning still goes on.
Look through this output please. It has only three detected online PCs.

The -PN option is an old version of -Pn (No ping):
Quote:

-Pn (No ping)
... Disabling host discovery with -Pn causes Nmap to attempt the requested scanning functions against every target IP address specified. So if a class B target address space (/16) is specified on the command line, all 65,536 IP addresses are scanned. Proper host discovery is skipped as with the list scan, but instead of stopping and printing the target list, Nmap continues to perform requested functions as if each target IP is active...

... In previous versions of Nmap, -Pn was -P0 and -PN.

Also, -v means verbose, as in "give me more output".

Quote:

Originally Posted by Lexus45
So, is it any more convenient way to scan 50 networks and have a nice output ?
I've read nmap's man but couldn't find something useful, e.g. how to hide everything but IP address and OS-detection. Is 'grep' the only thing which can do this ?

There aren't really any options in nmap for selecting only certain info, but there are options to change the output to "grepable" format or XML which makes it easier to get the bits that you want, see the Output section in the manual.
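As an added example (not from the thread, and not nmap's own tooling), one way to reduce `-oX` output to just the IP address, open ports and OS guess the question asks for; the XML below is a constructed fragment in nmap's output format, not a real scan:

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX style output (not a real scan): one Linux host like the
# 10.5.1.108 report in the question, one Windows host, and one host that is down.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="5.21">
<host><status state="up"/><address addr="10.5.1.108" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="5900"><state state="open"/><service name="vnc"/></port></ports>
<os><osmatch name="Linux 2.6.X" accuracy="94"><osclass osfamily="Linux" accuracy="94"/></osmatch></os>
</host>
<host><status state="up"/><address addr="10.5.1.120" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="22"><state state="closed"/><service name="ssh"/></port></ports>
<os><osmatch name="Microsoft Windows Vista" accuracy="90"><osclass osfamily="Windows" accuracy="90"/></osmatch>
<osmatch name="Microsoft Windows 7" accuracy="97"><osclass osfamily="Windows" accuracy="97"/></osmatch></os>
</host>
<host><status state="down"/><address addr="10.5.1.121" addrtype="ipv4"/></host>
</nmaprun>"""

def summarize(xml_text):
    """One dict per live host: ip, open ports, and the most accurate OS match."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts nmap reported as down carry no useful data
        addr = host.find("address[@addrtype='ipv4']")
        ip = addr.get("addr") if addr is not None else "?"
        open_ports = [f"{p.get('portid')}/{p.get('protocol')}"
                      for p in host.findall("ports/port")
                      if p.find("state") is not None and p.find("state").get("state") == "open"]
        # nmap may list several osmatch candidates; keep the one with the best accuracy
        best, family, acc = "unknown", "unknown", -1
        for m in host.findall("os/osmatch"):
            a = int(m.get("accuracy", "0"))
            if a > acc:
                cls = m.find("osclass")
                best, acc = m.get("name"), a
                family = cls.get("osfamily") if cls is not None else "unknown"
        hosts.append({"ip": ip, "ports": open_ports, "os": best, "family": family})
    return hosts

def windows_hosts(xml_text):
    """IPs whose best OS match is in the Windows family."""
    return [h["ip"] for h in summarize(xml_text) if h["family"] == "Windows"]

if __name__ == "__main__":
    for h in summarize(SAMPLE_XML):
        print(f"{h['ip']:15} {h['os']:28} {' '.join(h['ports'])}")
```

Saving each subnet's scan with `-oX` and feeding the file to summarize() gives one short line per live host, and windows_hosts() picks out the ones fingerprinted as Windows.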

Habitual 12-07-2012 09:42 AM

Quote:

...I also don't need much of other information (on the other hand an opened 22/TCP port indicates that the host is running Linux, not Win)....
Inconclusive indication as OpenSSH could be installed on the Windows host(s). But oh well...

Something like
Code:

# default TCP scan of port 22 (the UDP scan -sU would not find SSH, which runs over TCP)
nmap -P0 -v -p 22 -oA ssh_scan 10.0.0.0/8

should work.

Then review ssh_scan file.

Have a Great Day and Merry Christmas!

OlRoy 12-07-2012 10:54 AM

It's way more reliable to consult AD, or use WMIC... Perhaps also a lot faster than using Nmap.

To show the OS and version use:

Code:

C:\> wmic os get name,version

Other commands can be found on the SANS Diary, and if you have the appropriate privileges, they can be scripted to run across a domain.

NyteOwl 12-08-2012 01:40 PM

Quote:

Originally Posted by Habitual (Post 4844592)
Quote:

...I also don't need much of other information (on the other hand an opened 22/TCP port indicates that the host is running Linux, not Win)....
Inconclusive indication as OpenSSH could be installed on the Windows host(s). But oh well...

Correct. Port 22/TCP being open is not necessarily indicative of Linux.

Just a sample of some things that use 22/TCP:

SSH (Linux, BSD, Unix, Solaris, Windows, Apple OS, etc)
AudioReQuest, VideoRequest, Networdz, Putty (Windows applications)
iGet (Apple OS application)
InCommand, Shaft, Skun, Adore sshd (trojans)


OS fingerprinting is difficult and not entirely reliable. Some internet facing systems are "scrubbed" so as to present misleading fingerprinting data, especially honeypots.

Lexus45 12-10-2012 09:15 PM

Thanks to all, I used this script:
Code:

#!/bin/bash
# nmap OS detection script by Alexey Kazantsev. E-mail: kurgan-rus at inbox dot ru

# general vars
# %H rather than %k: %k pads the hour with a space, which would end up in the file names
DATE=$(date +"%F_%H-%M")
LOGDIR="nmap-os-detection"
NMAPCMD="nmap -O -n"

# branch vars
CITY1="10.x.1.0"
CITY2="10.y.1.0"
CITY3="10.z.1.0"
...
CITYN=.....

mkdir -p "$LOGDIR"
cd "$LOGDIR" || exit 1

# one plain-text report per network; the gateway of each network is excluded
$NMAPCMD --exclude 10.x.1.1 "$CITY1/24"        > "scan-$CITY1-$DATE-city1.txt"
$NMAPCMD --exclude 10.y.1.1 "$CITY2/24"        > "scan-$CITY2-$DATE-city2.txt"
$NMAPCMD --exclude 10.z.1.1 "$CITY3/24"        > "scan-$CITY3-$DATE-city3.txt"
...
$NMAPCMD --exclude 10.n.n.n "$CITYN/24"        > "scan-$CITYN-$DATE-cityN.txt"