LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Non-*NIX Forums > Programming
Old 03-15-2017, 12:33 AM   #1
sknsk
LQ Newbie
 
Registered: Mar 2017
Posts: 12

Rep: Reputation: Disabled
How to scan IP range using nmap?


Scripting language : Bash Shell Script

I have to create a function that reads IP addresses one by one from a file (iplist.txt) and scans these IPs using nmap. The scan output is saved in output.txt, and output.txt is then parsed to filter only the open ports with their particular IP, which are saved in parse.txt.

Format of parse.txt file:

Code:
ip             open port
x.x.x.x            x
My goal:
1. Find all ports open on a whole range and save them in one file.
2. Save only open ports with the IP address in another file. Don't save filtered or closed ports in this file.

e.g. Format of file:
IP_address Open_port

Code:
192.168.0.1         21
192.168.0.1         80
....
So I have written the script which scans the IP range and saves the whole output. I just want the script for the second option.
I have attached the script. Please help me if possible to implement the second option. In the second option, my script takes open port/tcp and all the other details, but I want only the IP address with the open port, as shown in the file format above.

Code:
readfile()
{
    : > output.txt            # start from an empty report on each run
    while read -r line
    do
        echo "$line"
        # scan only this host; --append-output keeps the earlier hosts' results in output.txt
        nmap --append-output -oN output.txt -vv -T4 -f "$line"
    done < iplist.txt
    grep -i "open" output.txt > parse.txt
}

readfile
output is:

iplist.txt
Code:
192.168.0.1
192.168.0.2
output.txt
Code:
Nmap scan report for 192.168.0.1
Host is up, received echo-reply ttl 128 (1.0s latency).
Scanned at 2017-03-14 05:47:17 EDT for 90s
Not shown: 985 closed ports
Reason: 985 resets
PORT      STATE    SERVICE        REASON
135/tcp   open     msrpc          syn-ack ttl 128
139/tcp   open     netbios-ssn    syn-ack ttl 128
445/tcp   open     microsoft-ds   syn-ack ttl 128
514/tcp   filtered shell          no-response
554/tcp   open     rtsp           syn-ack ttl 128
902/tcp   open     iss-realsecure syn-ack ttl 128
912/tcp   open     apex-mesh      syn-ack ttl 128
1025/tcp  open     NFS-or-IIS     syn-ack ttl 128
1026/tcp  open     LSA-or-nterm   syn-ack ttl 128
1027/tcp  open     IIS            syn-ack ttl 128
1028/tcp  open     unknown        syn-ack ttl 128
1029/tcp  open     ms-lsa         syn-ack ttl 128
2869/tcp  open     icslap         syn-ack ttl 128
5357/tcp  open     wsdapi         syn-ack ttl 128
10243/tcp open     unknown        syn-ack ttl 128

Nmap scan report for 192.168.0.2
Host is up, received reset ttl 128 (0.18s latency).
All 1000 scanned ports on 192.168.0.1 are filtered (914) or closed (86) because of 914 no-responses and 86 resets
parse.txt
Code:
135/tcp   open     msrpc          syn-ack ttl 128
139/tcp   open     netbios-ssn    syn-ack ttl 128
445/tcp   open     microsoft-ds   syn-ack ttl 128
514/tcp   filtered shell          no-response
554/tcp   open     rtsp           syn-ack ttl 128
902/tcp   open     iss-realsecure syn-ack ttl 128
912/tcp   open     apex-mesh      syn-ack ttl 128
1025/tcp  open     NFS-or-IIS     syn-ack ttl 128
1026/tcp  open     LSA-or-nterm   syn-ack ttl 128
1027/tcp  open     IIS            syn-ack ttl 128
1028/tcp  open     unknown        syn-ack ttl 128
1029/tcp  open     ms-lsa         syn-ack ttl 128
2869/tcp  open     icslap         syn-ack ttl 128
5357/tcp  open     wsdapi         syn-ack ttl 128
10243/tcp open     unknown        syn-ack ttl 128
----------------------------------------------------------------------------------------------------------------------

Expected output of parse.txt:
Code:
192.168.0.1     135
192.168.0.1     139
192.168.0.1     445
192.168.0.1     514
192.168.0.1     554
192.168.0.1     902
192.168.0.1     912
192.168.0.1     1025
192.168.0.1     1026
192.168.0.1     1027
192.168.0.1     1028
192.168.0.1     1029
192.168.0.1     2869
192.168.0.1     5357
192.168.0.1     10243

Last edited by sknsk; 03-15-2017 at 12:36 AM.
 
Old 03-15-2017, 03:18 AM   #2
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,292
Blog Entries: 3

Rep: Reputation: 3718
It's pretty easy with awk.

Just a quick guess: You'd just look for /^Nmap scan report for/ and clear your value for the 1st column, then if /host down/ is not present use the 5th or 6th field to set the subsequent 1st column value. Then until that happens again, print out the port number when 'open' is found in the appropriate column.

Functions like sub() or gsub() can be used to tidy the fields.

How far can you get with awk now?
 
2 members found this post helpful.
Old 03-17-2017, 05:28 AM   #3
sknsk
LQ Newbie
 
Registered: Mar 2017
Posts: 12

Original Poster
Rep: Reputation: Disabled
How to scan IP range using nmap?

Hello,

I have tried using the awk command but I didn't get the expected answer yet. Can you give me the code for this?
 
Old 03-17-2017, 05:30 AM   #4
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,292
Blog Entries: 3

Rep: Reputation: 3718
The way the forum works is that you show what you have been trying and ask questions about it. So please show what you tried with awk and how far you were able to get with either your own approach or the guidance given already.
 
Old 03-17-2017, 01:53 PM   #5
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,263
Blog Entries: 24

Rep: Reputation: 4194
This should be fairly easy with awk, one method already indicated by Turbocapitalist in post #2.

Alternatively, you might want to think of 'Nmap scan report...' as the record separator and each subsequent line as a field, then get the IP address from the first "field" and port numbers from /^[0-9]+/ of each following field (line).

But as already said, it is more helpful to everyone if you show us your own attempt as the starting point, then we can suggest and refine our advice based on that example.
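The approach sketched in posts #2 and #5, written out as an added example (not code posted in this thread): an awk parser for nmap's -oN "normal" report that remembers the host from each "Nmap scan report for" line and prints "IP<TAB>port" for every row whose STATE column is exactly "open", so filtered and closed rows and hosts with no open ports produce nothing. The sample input is constructed from the output.txt shown in post #1.

```sh
# Added example, not code from the thread. Reads an nmap -oN report on stdin
# and prints "IP<TAB>port" for each open port, following the post #2 recipe.
parse_nmap_normal() {
    awk '
        # Start of a host block. With a hostname the line reads
        # "Nmap scan report for name (1.2.3.4)", so take field 6 when present.
        /^Nmap scan report for/ {
            host = $5
            if (NF >= 6) { host = $6; gsub(/[()]/, "", host) }
            next
        }
        # Port rows: "135/tcp   open     msrpc   syn-ack ttl 128".
        # Test the STATE column rather than /open/ anywhere on the line, so
        # "Not shown: 985 closed ports" or a service name can never qualify.
        host != "" && $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
            split($1, p, "/")              # p[1] is the port number
            printf "%s\t%s\n", host, p[1]
        }
    '
}

# Constructed sample: one host with open and filtered ports, one host with none.
SAMPLE=$(cat <<'EOF'
Nmap scan report for 192.168.0.1
Host is up, received echo-reply ttl 128 (1.0s latency).
Not shown: 985 closed ports
PORT      STATE    SERVICE        REASON
135/tcp   open     msrpc          syn-ack ttl 128
139/tcp   open     netbios-ssn    syn-ack ttl 128
514/tcp   filtered shell          no-response
10243/tcp open     unknown        syn-ack ttl 128

Nmap scan report for 192.168.0.2
Host is up, received reset ttl 128 (0.18s latency).
All 1000 scanned ports on 192.168.0.2 are filtered (914) or closed (86)
EOF
)

# For a real run: parse_nmap_normal < output.txt > parse.txt
printf '%s\n' "$SAMPLE" | parse_nmap_normal
```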
 
Old 03-18-2017, 07:10 AM   #6
sknsk
LQ Newbie
 
Registered: Mar 2017
Posts: 12

Original Poster
Rep: Reputation: Disabled
How to scan IP range using nmap?

Error in filter.awk:

nmap_scan.sh

Code:
readfile()
{
    : > output.txt            # start from an empty report on each run
    while read -r line
    do
        echo "$line"
        # scan only this host; --append-output keeps the earlier hosts' results in output.txt
        nmap --append-output -oG output.txt -T4 -f "$line"
    done < iplist.txt
    awk -f filter.awk output.txt > parse.txt
}

readfile
filter.awk

Code:
awk '/^Nmap scan report/{cHost=$5;}
       /open/ { split($1,a,"/"); result[cHost][a[1]]=""}
       END {
       for (i in result) {
         printf i;
         for (j in result[i])
           printf ",%s", j ;
         print ""} }' |
  sed -e 's/,/\t/'
Output:

output.txt:

Code:
# Nmap 7.01 scan initiated Sat Mar 15 06:27:08 2017 as: nmap -oG output.txt -T4 -f -iL iplist.txt
Host: 192.168.1.99 ()    Status: Up
Host: 192.168.1.99 ()    Ports: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 514/filtered/tcp//shell///, 554/open/tcp//rtsp///, 902/open/tcp//iss-realsecure///, 912/open/tcp//apex-mesh///, 1025/open/tcp//NFS-or-IIS///, 1026/open/tcp//LSA-or-nterm///, 1027/open/tcp//IIS///, 1028/open/tcp//unknown///, 1036/open/tcp//nsstp///, 2869/open/tcp//icslap///, 5357/open/tcp//wsdapi///, 10243/open/tcp//unknown///    Ignored State: closed (985)
Host: 192.168.0.1 ()    Status: Up
Host: 192.168.0.1 ()    Status: Up
Host: 192.168.0.101 ()    Status: Up
Host: 192.168.0.101 ()    Status: Up
# Nmap done at Sat Mar 15 06:29:02 2017 -- 3 IP addresses (3 hosts up) scanned in 113.19 seconds
Error:

Code:
awk: 2: unexpected character '''
awk: filter.awk: line 4: syntax error at or near [
awk: filter.awk: line 7: syntax error at or near [
awk: 9: unexpected character '''
 
Old 03-18-2017, 07:52 AM   #7
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,292
Blog Entries: 3

Rep: Reputation: 3718
Ok. With that kind of input and the way you are starting awk, I'd try something like the pieces below. The Output Field Separator (OFS) can be set to a tab if you like. However, the following does not really use it because of the printf. Also, since the string "open" could possibly come in several contexts, it's best to not rely on it by itself and add in an extra check.

Code:
awk 'BEGIN {
    OFS="\t";
}

/^Host/{
    cHost=$2;
    if( $4 == "Ports:" && /\/open\// ){
        cPorts=$0;
        sub( /^.*Ports:/, "", cPorts );
        n = split( cPorts, a, "," );
        # iterate by index so the ports keep nmap's order ("for (i in a)" is unordered)
        for( i = 1; i <= n; i++ ) {
            if( a[i] ~ /\/open\// ) {
                sub( /^[ \t]+/, "", a[i] );   # drop the space that follows each comma
                sub( /\/.*$/, "", a[i] );     # keep only the port number
                printf( "%s\t%s\n",cHost,a[i] );
            }
        }
    }
}

END {
    print "Done!" > "/dev/stderr";   # status message stays out of parse.txt
}' output.txt > parse.txt
 
1 members found this post helpful.
Old 03-21-2017, 01:20 AM   #8
sknsk
LQ Newbie
 
Registered: Mar 2017
Posts: 12

Original Poster
Rep: Reputation: Disabled
How to scan IP range using nmap?

Thank you so much... it works.
 
Old 03-21-2017, 02:13 AM   #9
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,292
Blog Entries: 3

Rep: Reputation: 3718
No worries. But more important than it working is that you understand how it works and what was changed in the awk script.

How familiar are the following?

sub()
split()
~
printf()

They're there in the awk manual.

Code:
man awk
 