LinuxQuestions.org

How to scan IP range using nmap? (https://www.linuxquestions.org/questions/programming-9/how-to-scan-ip-range-using-nmap-4175601792/)

sknsk 03-15-2017 12:33 AM

How to scan IP range using nmap?
 
Scripting language : Bash Shell Script

I have to create a function which reads IP addresses one by one from a file (iplist.txt) and scans those IPs using nmap. The scan output is saved in output.txt, and output.txt is then parsed to keep only the open ports with their IP, which are saved in parse.txt.

format of parse.txt file:

Code:

ip            open port
x.x.x.x            x

My goal:
1. Find all open ports on a whole range and put them in one file.
2. Save only the open ports with the IP address in another file. Don't save filtered or closed ports in this file.

eg. Format of file:
IP_address Open_port

Code:

192.168.0.1        21
192.168.0.1        80
....

So I have written the script which scans the IP range and saves the whole output. I just want the script for the second option.
I have attached the script. Please help me, if possible, to implement the second option. In the second option, my script takes the open port/tcp and all the other details, but I want only the IP address with the open port, as shown in the file format above.

Code:

readfile()
{
while read -r line
do
 echo "$line"
 # scan only the host just read; --append-output keeps each host's result
 # in output.txt instead of overwriting it on every loop iteration
 nmap -oN output.txt --append-output -vv -T4 -f "$line" < /dev/null
done < iplist.txt
grep -i "open" output.txt > parse.txt
}

readfile

output is:

iplist.txt
Code:

192.168.0.1
192.168.0.2

output.txt
Code:

Nmap scan report for 192.168.0.1
Host is up, received echo-reply ttl 128 (1.0s latency).
Scanned at 2017-03-14 05:47:17 EDT for 90s
Not shown: 985 closed ports
Reason: 985 resets
PORT      STATE    SERVICE        REASON
135/tcp  open    msrpc          syn-ack ttl 128
139/tcp  open    netbios-ssn    syn-ack ttl 128
445/tcp  open    microsoft-ds  syn-ack ttl 128
514/tcp  filtered shell          no-response
554/tcp  open    rtsp          syn-ack ttl 128
902/tcp  open    iss-realsecure syn-ack ttl 128
912/tcp  open    apex-mesh      syn-ack ttl 128
1025/tcp  open    NFS-or-IIS    syn-ack ttl 128
1026/tcp  open    LSA-or-nterm  syn-ack ttl 128
1027/tcp  open    IIS            syn-ack ttl 128
1028/tcp  open    unknown        syn-ack ttl 128
1029/tcp  open    ms-lsa        syn-ack ttl 128
2869/tcp  open    icslap        syn-ack ttl 128
5357/tcp  open    wsdapi        syn-ack ttl 128
10243/tcp open    unknown        syn-ack ttl 128

Nmap scan report for 192.168.0.2
Host is up, received reset ttl 128 (0.18s latency).
All 1000 scanned ports on 192.168.0.1 are filtered (914) or closed (86) because of 914 no-responses and 86 resets

parse.txt
Code:

135/tcp  open    msrpc          syn-ack ttl 128
139/tcp  open    netbios-ssn    syn-ack ttl 128
445/tcp  open    microsoft-ds  syn-ack ttl 128
514/tcp  filtered shell          no-response
554/tcp  open    rtsp          syn-ack ttl 128
902/tcp  open    iss-realsecure syn-ack ttl 128
912/tcp  open    apex-mesh      syn-ack ttl 128
1025/tcp  open    NFS-or-IIS    syn-ack ttl 128
1026/tcp  open    LSA-or-nterm  syn-ack ttl 128
1027/tcp  open    IIS            syn-ack ttl 128
1028/tcp  open    unknown        syn-ack ttl 128
1029/tcp  open    ms-lsa        syn-ack ttl 128
2869/tcp  open    icslap        syn-ack ttl 128
5357/tcp  open    wsdapi        syn-ack ttl 128
10243/tcp open    unknown        syn-ack ttl 128

----------------------------------------------------------------------------------------------------------------------

Expected output of parse.txt:
Code:

192.168.0.1    135
192.168.0.1    139
192.168.0.1    445
192.168.0.1    514
192.168.0.1    554
192.168.0.1    902
192.168.0.1    912
192.168.0.1    1025
192.168.0.1    1026
192.168.0.1    1027
192.168.0.1    1028
192.168.0.1    1029
192.168.0.1    2869
192.168.0.1    5357
192.168.0.1    10243


Turbocapitalist 03-15-2017 03:18 AM

It's pretty easy with awk.

Just a quick guess: You'd just look for /^Nmap scan report for/ and clear your value for the 1st column, then if /host down/ is not present use the 5th or 6th field to set the subsequent 1st column value. Then until that happens again, print out the port number when 'open' is found in the appropriate column.

Functions like sub() or gsub() can be used to tidy the fields.

How far can you get with awk now?

sknsk 03-17-2017 05:28 AM

Hello,

I have tried using the awk command but I haven't got the expected answer yet. Can you give me code for this?

Turbocapitalist 03-17-2017 05:30 AM

The way the forum works is that you show what you have been trying and ask questions about it. So please show what you tried with awk and how far you were able to get with either your own approach or the guidance given already.

astrogeek 03-17-2017 01:53 PM

This should be fairly easy with awk, one method already indicated by Turbocapitalist in post #2.

Alternatively, you might want to think of 'Nmap scan report...' as the record separator and each subsequent line as a field, then get the IP address from the first "field" and port numbers from /^[0-9]+/ of each following field (line).

But as already said, it is more helpful to everyone if you show us your own attempt as the starting point, then we can suggest and refine our advice based on that example.
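
The approach described in the two replies above (remember the host from each "Nmap scan report for" line, then emit a port only when its STATE column is open), as an added example that is not code from either poster. It works on nmap's normal (-oN) output such as the output.txt shown in the first post. The function names, the sample input and the hostname and host-down cases it handles are my own constructions, not something taken from the thread.

```shell
#!/bin/sh
# Added example: turn nmap normal (-oN) output into "ip<TAB>port" lines.
# Assumptions: the input came from nmap -oN or plain stdout, one
# "Nmap scan report for ..." header per host, and the port table has the
# usual PORT / STATE / SERVICE columns.

# Constructed sample input (not real scan output). It covers the cases that
# trip up a bare "grep open": a hostname (ip) header, a filtered port, an
# open|filtered port, a host with nothing open and a host that is down.
sample_normal_output() {
cat <<'EOF'
Nmap scan report for 192.168.0.1
Host is up (0.0010s latency).
Not shown: 997 closed ports
PORT     STATE         SERVICE
22/tcp   open          ssh
514/tcp  filtered      shell
631/udp  open|filtered ipp
Nmap scan report for printer.lan (192.168.0.2)
Host is up (0.0020s latency).
PORT   STATE SERVICE
80/tcp open  http
Nmap scan report for 192.168.0.3
Host is up (0.18s latency).
All 1000 scanned ports on 192.168.0.3 are filtered
Nmap scan report for 192.168.0.4 [host down]
EOF
}

# Parser: field 5 of the header is the IP, or a hostname followed by "(ip)"
# in field 6. Afterwards every "<port>/<proto>" row whose STATE is exactly
# "open" is printed as "<ip>\t<port>". Comparing $2 == "open" instead of
# matching /open/ keeps "open|filtered" rows out of the result.
parse_nmap_normal() {
    awk '
    /^Nmap scan report for/ {
        host = ""                          # reset: a down host yields nothing
        if ($0 ~ /\[host down\]/) next
        host = $5
        if ($6 ~ /^\(/) {                  # "name (ip)" form: take the ip
            host = $6
            gsub(/[()]/, "", host)
        }
        next
    }
    host != "" && $1 ~ /^[0-9]+\/(tcp|udp|sctp)$/ && $2 == "open" {
        split($1, p, "/")                  # "22/tcp" -> p[1] = 22
        printf "%s\t%s\n", host, p[1]
    }'
}

# Usage on a real file:  parse_nmap_normal < output.txt > parse.txt
# On the constructed sample: sample_normal_output | parse_nmap_normal
```

Run against a real output.txt it prints only 192.168.0.1 22 and 192.168.0.2 80 for the sample above; the filtered, open|filtered, empty and down hosts produce no lines.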

sknsk 03-18-2017 07:10 AM

Error in filter.awk:

nmap_scan.sh

Code:

readfile()
{
while read -r line
do
 echo "$line"
 # scan only the host just read; --append-output keeps each host's result
 # in output.txt instead of overwriting it on every loop iteration
 nmap -oG output.txt --append-output -T4 -f "$line" < /dev/null
done < iplist.txt
awk -f filter.awk output.txt > parse.txt
}

readfile

filter.awk

Code:

awk '/^Nmap scan report/{cHost=$5;}
      /open/ { split($1,a,"/"); result[cHost][a[1]]=""}
      END {
      for (i in result) {
        printf i;
        for (j in result[i])
          printf ",%s", j ;
        print ""} }' |
  sed -e 's/,/\t/'

Output:

output.txt:

Code:

# Nmap 7.01 scan initiated Sat Mar 15 06:27:08 2017 as: nmap -oG output.txt -T4 -f -iL iplist.txt
Host: 192.168.1.99 ()    Status: Up
Host: 192.168.1.99 ()    Ports: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 514/filtered/tcp//shell///, 554/open/tcp//rtsp///, 902/open/tcp//iss-realsecure///, 912/open/tcp//apex-mesh///, 1025/open/tcp//NFS-or-IIS///, 1026/open/tcp//LSA-or-nterm///, 1027/open/tcp//IIS///, 1028/open/tcp//unknown///, 1036/open/tcp//nsstp///, 2869/open/tcp//icslap///, 5357/open/tcp//wsdapi///, 10243/open/tcp//unknown///    Ignored State: closed (985)
Host: 192.168.0.1 ()    Status: Up
Host: 192.168.0.1 ()    Status: Up
Host: 192.168.0.101 ()    Status: Up
Host: 192.168.0.101 ()    Status: Up
# Nmap done at Sat Mar 15 06:29:02 2017 -- 3 IP addresses (3 hosts up) scanned in 113.19 seconds

Error:

Code:

awk: 2: unexpected character '''
awk: filter.awk: line 4: syntax error at or near [
awk: filter.awk: line 7: syntax error at or near [
awk: 9: unexpected character '''


Turbocapitalist 03-18-2017 07:52 AM

Ok. With that kind of input and the way you are starting awk, I'd try something like the pieces below. The Output Field Separator (OFS) can be set to a tab if you like. However, the following does not really use it because of the printf. Also, since the string "open" could possibly come in several contexts, it's best to not rely on it by itself and add in an extra check.

Code:

awk 'BEGIN {
    OFS="\t";
}

/^Host/{
    cHost=$2;
    if( $4 == "Ports:" && /\/open\// ){
        cPorts=$0;
        sub( /^.*Ports:/, "", cPorts );      # keep only the port list
        n = split( cPorts, a, "," );
        for( i = 1; i <= n; i++ ) {          # walk the entries in scan order
            if( a[i] ~ /\/open\// ) {
                sub( /^[ \t]+/, "", a[i] );  # drop the blank after each comma
                sub( /\/.*$/, "", a[i] );    # "135/open/tcp//msrpc///" -> "135"
                printf( "%s\t%s\n",cHost,a[i] );
            }
        }
    }
}

END {
    print "Done!" > "/dev/stderr";           # keep the status line out of parse.txt
}' output.txt > parse.txt

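The "extra check" mentioned in the reply above, carried one step further as an added example (this is not the reply's own code). Each entry in the grepable Ports: field is port/state/protocol/owner/service/rpc/version, so the state can be compared exactly against "open" instead of searching for the substring open, which would otherwise also accept the open|filtered state nmap reports for UDP ports. The function names and the sample -oG input below are constructed for this example; the hostname in parentheses and the UDP entry are assumptions about what a real scan might contain.

```shell
#!/bin/sh
# Added example: "ip<TAB>port" extraction from nmap grepable (-oG) output
# with an exact match on the state field.
# Assumption: the input was written by nmap -oG (tab-separated fields,
# "Host: <ip> (<name>)" first, then "Ports: ..." and "Ignored State: ...").

# Constructed sample (not real scan output).
sample_grepable_output() {
cat <<'EOF'
# Nmap 7.01 scan initiated Wed Mar 15 06:27:08 2017 as: nmap -oG - -sS -sU 192.168.0.0/24
Host: 192.168.0.1 ()	Status: Up
Host: 192.168.0.1 ()	Ports: 135/open/tcp//msrpc///, 514/filtered/tcp//shell///, 10243/open/tcp//unknown///	Ignored State: closed (997)
Host: 192.168.0.2 (printer.lan)	Status: Up
Host: 192.168.0.2 (printer.lan)	Ports: 80/open/tcp//http///, 161/open|filtered/udp//snmp///, 9100/open/tcp//jetdirect///
Host: 192.168.0.3 ()	Status: Up
# Nmap done at Wed Mar 15 06:29:02 2017 -- 256 IP addresses (3 hosts up) scanned in 113.19 seconds
EOF
}

# Parser: locate the Ports: list with match(), cut off the trailing
# "Ignored State" summary, split the list on commas and then each entry on
# slashes; e[1] is the port, e[2] the state, e[3] the protocol.
parse_nmap_grepable() {
    awk '
    /^Host: / {
        ip = $2                                   # "Host: <ip> (<name>)"
        if (!match($0, /Ports: /)) next           # "Status: Up" lines carry no ports
        ports = substr($0, RSTART + RLENGTH)
        sub(/[ \t]+Ignored State:.*$/, "", ports) # summary is not a port entry
        n = split(ports, entries, /, */)
        for (i = 1; i <= n; i++) {
            split(entries[i], e, "/")             # port/state/proto/owner/service/rpc/version
            if (e[2] == "open") printf "%s\t%s\n", ip, e[1]
        }
    }'
}

# Usage on a real file:  parse_nmap_grepable < output.txt > parse.txt
# On the constructed sample: sample_grepable_output | parse_nmap_grepable
```

For the sample this yields 135 and 10243 for 192.168.0.1 and 80 and 9100 for 192.168.0.2; the filtered TCP port and the open|filtered UDP port are dropped. If you scan both TCP and UDP, print e[3] as well so the same port number on different protocols stays distinguishable.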

sknsk 03-21-2017 01:20 AM

Thank you so much, it works.

Turbocapitalist 03-21-2017 02:13 AM

No worries. But more important than it working is that you understand how it works and what was changed in the awk script.

How familiar are you with the following?

sub()
split()
~
printf()

They're there in the awk manual.

Code:

man awk

