
Formatting output from NMAP with Python


Hello, readers of my blog, how are you?

I've been away, right?

Well, for a few weeks I haven't opened bash or my Python console to play; I have been working and studying too much, because for work I will have to take some certifications, but I had already been wanting to write about what I am going to show you here. A few weeks ago I started to study a Python lib that uses NMAP to perform scans. Nothing new: it just runs NMAP as a subprocess and formats the output of the result.

Then you ask me:

– "Okay, you animal, so why are you going to show us something that already exists? Do you want to reinvent the wheel?"

No, my friends. I'll actually go there, but I'll take a different path.

Why use a lib and program something that already exists? I'll explain; it's simple. In a pentest we usually need specific results to generate a report, or even for better filtering of services, and with Python we have that possibility.

First, let's install the lib required for building a custom nmap script:

$ pip install python-nmap

That said, let's start by understanding how the lib works.

Just a note: I will not show how NMAP works; if you want to understand nmap, I advise you to type the command below:

Although to build any script with this lib you need at least a basic notion of nmap, I will not explain it here, only the basics to give you a "north" for using the lib.

Coming back: the lib, as I said above, runs nmap in a subprocess. If you open the python-nmap source, you can see on line 63 the import of subprocess and on line 228 the call to nmap through that subprocess (considering the last update, '2016.03.15', the lines are still the same).

LINE: 63

63 import subprocess

LINE: 228-231

228 p = subprocess.Popen(args, bufsize=100000,
229                      stdin=subprocess.PIPE,
230                      stdout=subprocess.PIPE,
231                      stderr=subprocess.PIPE)

Still looking at the lib, we see that it parses nmap's XML output, which it requests with the "-oX -" argument (XML written to stdout, so the lib reads it from the pipe instead of a file), as can be seen on line 224:

224 args = [self._nmap_path, '-oX', '-'] + h_args + ['-p', ports] * (ports is not None) + f_args

So, this lib could have been written or improved by any of us. It is worth mentioning here that many (myself included) are afraid to collaborate with projects like this; let's lose this fear, people!

Understanding this, we know that we HAVE to have nmap installed, right, friends?

Let's start playing a little.

The entire nmap result is loaded into a dict in the variable you assign it to. Let's see how that looks with a basic scan.

Another important detail: I'm using Python 2.7. Why? I don't know, but I am :P

I have not tested on Python 3.x.

import nmap

nm = nmap.PortScanner()
# -sS (SYN scan) and -sU (UDP scan) need raw sockets, so run this as root;
# the lib adds "-oX -" itself and parses the XML into a dict
scan = nm.scan(hosts="127.0.0.1", arguments="-sS -sU -p 80")

print(scan)

The result will be one long line like this:

{'nmap': {'scanstats': {'uphosts': '1', 'timestr': 'Wed May 11 01:33:40 2016', 'downhosts': '0', 'totalhosts': '1', 'elapsed': '0.51'}, 'scaninfo': {'udp': {'services': '80', 'method': 'udp'}, 'tcp': {'services': '80', 'method': 'syn'}}, 'command_line': 'nmap -oX - -sS -sU -p 80 127.0.0.1'}, 'scan': {'127.0.0.1': {'status': {'state': 'up', 'reason': 'localhost-response'}, 'udp': {80: {'product': '', 'state': 'closed', 'version': '', 'name': 'http', 'conf': '3', 'extrainfo': '', 'reason': 'port-unreach', 'cpe': ''}}, 'vendor': {}, 'addresses': {'ipv4': '127.0.0.1'}, 'tcp': {80: {'product': '', 'state': 'closed', 'version': '', 'name': 'http', 'conf': '3', 'extrainfo': '', 'reason': 'reset', 'cpe': ''}}, 'hostnames': [{'type': 'PTR', 'name': 'localhost'}]}}}

That is hard to read at a glance, so I arranged it in JSON format for better visualization (note that JSON forces the port keys to strings; in the Python dict they are ints, so you index nm['127.0.0.1']['tcp'][80], not ['tcp']['80']):

{
  "nmap": {
    "scanstats": {
      "uphosts": "1",
      "timestr": "Wed May 11 01:33:40 2016",
      "downhosts": "0",
      "totalhosts": "1",
      "elapsed": "0.51"
    },
    "scaninfo": {
      "udp": {
        "services": "80",
        "method": "udp"
      },
      "tcp": {
        "services": "80",
        "method": "syn"
      }
    },
    "command_line": "nmap -oX - -sS -sU -p 80 127.0.0.1"
  },
  "scan": {
    "127.0.0.1": {
      "status": {
        "state": "up",
        "reason": "localhost-response"
      },
      "udp": {
        "80": {
          "product": "",
          "state": "closed",
          "version": "",
          "name": "http",
          "conf": "3",
          "extrainfo": "",
          "reason": "port-unreach",
          "cpe": ""
        }
      },
      "vendor": {},
      "addresses": {
        "ipv4": "127.0.0.1"
      },
      "tcp": {
        "80": {
          "product": "",
          "state": "closed",
          "version": "",
          "name": "http",
          "conf": "3",
          "extrainfo": "",
          "reason": "reset",
          "cpe": ""
        }
      },
      "hostnames": [
        {
          "type": "PTR",
          "name": "localhost"
        }
      ]
    }
  }
}

Even in a simple scan we can see what comes back, and we can already filter on it: for example, do something specific only if we find port 80 open. Check the port's "state" for that, because the port key being present only means the port was scanned (above it is present and "closed"). Having the values inside Python opens up endless possibilities for exploration in a pentest.
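To show what that filtering looks like in practice, here is an added example (my code, not the post's or python-nmap's). It takes a result dict in the shape python-nmap returns, keeps only the ports in the states you ask for, and flattens it into one row per host/protocol/port that can be written out as CSV or JSON for a report. The dict is constructed inline from the 127.0.0.1 result above plus a hypothetical second host, 10.0.0.5, so it runs without nmap; the port keys are ints, as the lib stores them.

```python
import csv
import io
import json

# Constructed sample in the shape python-nmap's PortScanner.scan() returns:
# the 127.0.0.1 result from the post plus an invented host, 10.0.0.5, so the
# "open" filter has something to keep. Port keys are ints, as in the lib.
SAMPLE_RESULT = {
    "nmap": {
        "command_line": "nmap -oX - -sS -sU -p 80 127.0.0.1 10.0.0.5",
        "scaninfo": {"tcp": {"method": "syn", "services": "80"},
                     "udp": {"method": "udp", "services": "80"}},
        "scanstats": {"timestr": "Wed May 11 01:33:40 2016", "elapsed": "0.51",
                      "uphosts": "2", "downhosts": "0", "totalhosts": "2"},
    },
    "scan": {
        "127.0.0.1": {
            "hostnames": [{"name": "localhost", "type": "PTR"}],
            "addresses": {"ipv4": "127.0.0.1"},
            "vendor": {},
            "status": {"state": "up", "reason": "localhost-response"},
            "tcp": {80: {"state": "closed", "reason": "reset", "name": "http",
                         "product": "", "version": "", "extrainfo": "",
                         "conf": "3", "cpe": ""}},
            "udp": {80: {"state": "closed", "reason": "port-unreach", "name": "http",
                         "product": "", "version": "", "extrainfo": "",
                         "conf": "3", "cpe": ""}},
        },
        "10.0.0.5": {  # hypothetical host, constructed for this example
            "hostnames": [{"name": "", "type": ""}],
            "addresses": {"ipv4": "10.0.0.5"},
            "vendor": {},
            "status": {"state": "up", "reason": "syn-ack"},
            "tcp": {80: {"state": "open", "reason": "syn-ack", "name": "http",
                         "product": "nginx", "version": "1.10.0", "extrainfo": "",
                         "conf": "10", "cpe": "cpe:/a:igor_sysoev:nginx:1.10.0"}},
            "udp": {80: {"state": "open|filtered", "reason": "no-response",
                         "name": "http", "product": "", "version": "",
                         "extrainfo": "", "conf": "3", "cpe": ""}},
        },
    },
}

# Protocol keys python-nmap can put under a host entry
PROTOCOLS = ("tcp", "udp", "sctp", "ip")


def port_rows(result, states=("open",)):
    """Flatten a python-nmap result dict into one row per (host, proto, port),
    keeping only ports whose state is in `states` ("open|filtered" is not
    "open", so UDP guesses are dropped by default). Rows are sorted so the
    output is stable across runs, which matters when diffing two scans."""
    rows = []
    for host, data in result.get("scan", {}).items():
        if data.get("status", {}).get("state") != "up":
            continue
        names = [h["name"] for h in data.get("hostnames", []) if h.get("name")]
        for proto in PROTOCOLS:
            for port, info in data.get(proto, {}).items():
                if info.get("state") not in states:
                    continue
                rows.append({
                    "host": host,
                    "hostname": names[0] if names else "",
                    "proto": proto,
                    "port": int(port),
                    "state": info.get("state", ""),
                    "service": info.get("name", ""),
                    "product": (info.get("product", "") + " " + info.get("version", "")).strip(),
                    "reason": info.get("reason", ""),
                })
    rows.sort(key=lambda r: (r["host"], r["proto"], r["port"]))
    return rows


def hosts_with_open_port(result, port, proto="tcp"):
    """Hosts where port/proto is reported open (not merely present in the dict)."""
    return [r["host"] for r in port_rows(result)
            if r["proto"] == proto and r["port"] == port]


def to_csv(rows):
    """Render rows as CSV text, ready to paste into a report."""
    fields = ["host", "hostname", "proto", "port", "state", "service", "product", "reason"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    open_rows = port_rows(SAMPLE_RESULT)
    print(to_csv(open_rows))
    print(json.dumps(port_rows(SAMPLE_RESULT, states=("open", "closed")), indent=2))
```

With a real scan you pass `nm.scan(...)`'s return value (or `nm._scan_result`, which is the same dict) in place of `SAMPLE_RESULT`; the filter is what turns "port 80 appears in the dict" into "port 80 is actually open".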

I won't prolong this post much longer; I intend to cover this better in the coming posts, but as an intro I made a script to exemplify the use of the lib and what we can do with it.

import nmap
import requests

nm = nmap.PortScanner()
nm.scan(hosts='ig.com.br', arguments='-sS -p 80')  # SYN scan needs root
for hst in nm.all_hosts():
    print(hst)
    # has_tcp(80) only says port 80 was scanned; the state says if it is open
    if nm[hst].has_tcp(80) and nm[hst]['tcp'][80]['state'] == 'open':
        url = "http://%s" % hst
        r = requests.get(url, timeout=10)
        print(r.text)

In the script above, once we find port 80 open, we perform a GET on the page and print its contents. This could be combined with nmap's http-methods NSE script (which checks which HTTP methods the server accepts): if it finds the PUT method, the script can go straight on to upload a file to the target server. In a pentest environment where you have many servers, this is a good way to automate the work.
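As an added example of that automation (my code, not the author's or python-nmap's), the block below reads the http-methods output out of a scan result, keeps only open ports whose output lists PUT, and builds the list of upload targets, with the upload itself in a separate function so you decide when it runs. It assumes the scan was launched with `--script http-methods` and that python-nmap exposes each script's output under the port's 'script' dict keyed by script id (the layout it builds from the XML <script> elements); the hosts 10.0.0.5 and 10.0.0.9 and the script output text are constructed for the example, and the upload uses the standard library's urllib instead of requests so the block needs nothing beyond Python.

```python
import re
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Constructed sample: the 'scan' part of a python-nmap result for
#   nm.scan(hosts='10.0.0.5 10.0.0.9', arguments='-sS -p 80,8080 --script http-methods')
# Hosts and output text are invented. The 'script' dict (script id -> output
# string) is where python-nmap puts NSE results for a port.
SCRIPT_RESULT = {
    "scan": {
        "10.0.0.5": {
            "status": {"state": "up", "reason": "syn-ack"},
            "tcp": {
                80: {"state": "open", "name": "http",
                     "script": {"http-methods":
                                "\n  Supported Methods: GET HEAD POST OPTIONS PUT DELETE"
                                "\n  Potentially risky methods: PUT DELETE"}},
                8080: {"state": "open", "name": "http-proxy",
                       "script": {"http-methods":
                                  "\n  Supported Methods: GET HEAD POST OPTIONS"}},
            },
        },
        "10.0.0.9": {
            "status": {"state": "up", "reason": "syn-ack"},
            # closed port: nmap runs no script, so there is no 'script' key
            "tcp": {80: {"state": "closed", "name": "http"}},
        },
    }
}

SUPPORTED_RE = re.compile(r"Supported Methods:\s*(.+)")
RISKY_RE = re.compile(r"Potentially risky methods:\s*(.+)")


def parse_http_methods(output):
    """Return (supported, risky) method sets from http-methods output text.
    Each field is one line, so the regex stops at the line end."""
    supported, risky = set(), set()
    m = SUPPORTED_RE.search(output)
    if m:
        supported = set(m.group(1).split())
    m = RISKY_RE.search(output)
    if m:
        risky = set(m.group(1).split())
    return supported, risky


def put_targets(result):
    """(host, port, url) for every open TCP port whose http-methods output
    lists PUT. Ports without a 'script' entry are skipped, not assumed safe;
    the scheme guess (https only on 443) is a simplification for the example."""
    targets = []
    for host, data in result.get("scan", {}).items():
        if data.get("status", {}).get("state") != "up":
            continue
        for port, info in data.get("tcp", {}).items():
            if info.get("state") != "open":
                continue
            output = info.get("script", {}).get("http-methods")
            if output is None:
                continue
            supported, risky = parse_http_methods(output)
            if "PUT" in supported or "PUT" in risky:
                scheme = "https" if int(port) == 443 else "http"
                targets.append((host, int(port), "%s://%s:%d/" % (scheme, host, int(port))))
    return sorted(targets)


def try_put(url, filename, body, timeout=5):
    """Attempt the upload the post describes; True only if the server answered
    2xx. A 2xx is still only a hint: fetch the file back to confirm it landed.
    Run this against authorized targets only."""
    req = Request(url.rstrip("/") + "/" + filename, data=body, method="PUT")
    req.add_header("Content-Type", "text/plain")
    try:
        with urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except (HTTPError, URLError):
        return False


if __name__ == "__main__":
    for host, port, url in put_targets(SCRIPT_RESULT):
        print("PUT advertised on %s:%d -> %s" % (host, port, url))
        # try_put(url, "put-check.txt", b"upload check")  # only on targets in scope
```

On a real engagement you would replace `SCRIPT_RESULT` with the dict from `nm.scan(hosts=..., arguments='-sS -p 80,8080 --script http-methods')`; the point of parsing the script text rather than just looking for the string "PUT" anywhere is that the output also lists methods in other contexts and you want the decision to rest on the Supported or risky line.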

Well, that's the tip, folks. I'll go deeper into the nmap lib in the next posts; now I'm sleepy and have to wake up early tomorrow. Hugs!!!

I almost forgot: I will speak at BSides LATAM 2016, which takes place on the 11th and 12th at PUC-SP Consolação. For more information, see this link: http://latam.securitybsides.com.br/

I'm going to present the research I did on GitMiner. I want to see you there!!!

Source by [UNKl4B]



