Nmap-Parser-1.01 Released (finally)

After much rewriting and reworking – I am finally proud to announce that 1.01 is released. Why not 1.00? Well, I did not like my CPAN file just having a 1 by its name. Also it did pass 7 of the CPAN testers, so it should be good to go.

Please read the documentation carefully because there have been MAJOR changes (if you do not want to install and have all your old scripts break). I know some people are going to get mad because of the major changes, but trust me they had to be done. In most cases, you should like the new framework.

Thanks for your patience and understanding. Happy 4th of July!

Real-Time Scanning – (no better time() like ‘now’)

You can run an nmap scan and have the parser parse the information automagically. The only constraint is that you cannot use ‘-oX’, ‘-oN’, or ‘-oG’ in the nmap command-line arguments passed to parsescan().

 use Nmap::Parser;

 my $np = new Nmap::Parser;
 my @hosts = @ARGV; #get hosts from cmd line

 #runs the nmap command with hosts and parses it automagically
 $np->parsescan('/usr/bin/nmap','-sS -O -p 1-1023',@hosts);

 for my $host ($np->all_hosts()){
        print $host->hostname."\n";
        #do more stuff...
 }

Callbacks – (not our $normal *69)

This is probably the easiest way to write a script using Nmap::Parser, if you don’t need the general scan session information. During the parsing process, the parser will obtain information about every host. The callback function (in this case ‘booyah()’) is called after the parsing of every host (sequentially). When the callback returns, the parser will delete all information about the host it had sent to the callback. This callback function is called for every host that the parser encounters. The callback function must be set up before parsing.

 use Nmap::Parser;
 my $np = new Nmap::Parser;

 $np->callback( \&booyah );

 $np->parsefile('nmap_results.xml');
    # or use parsescan()

 sub booyah {
    my $host = shift; #Nmap::Parser::Host object, just parsed
    print 'IP: ',$host->addr,"\n";
         # ... do more stuff with $host ...

    #when it returns, host object will be deleted from memory
    #(good for processing VERY LARGE files or scans)
 }

New Nmap-Parser website up and running!

After learning PHP and MySQL and a whole bunch of javascript – I can finally get out of using blogger (not that there is anything wrong with that), but now I wrote my own self-maintaining website! I can now write articles, post updates and manage the website right from sourceforge.

If you ever want to contribute articles (tutorials or anything) to the website, go to the articles section and use the link provided to send me your content. I will post it for you so everyone else can enjoy it (it should be Nmap-Parser or Nmap related).

Thanks,

Anthony G Persaud

DHCP Hosts Search Script

Called in rc.local or custom wireless networking scripts, dhcphosts.pl generates an /etc/hosts file for a host on a DHCP network, allowing the use of hostnames regardless of given IP addresses. The code can also be found at http://dual.home.comcast.net/perl/dhcphosts.txt

#!/usr/bin/perl

# dhcphosts.pl - by dual
#
# Generates an /etc/hosts file for a
# box on a DHCP network
#
# - Simply call it in /etc/rc.local.
# - Depends on Nmap::Parser.
####################################

# Include Nmap::Parser
######################
use strict;
use Nmap::Parser;

# Declare and set variables
###########################
my $ip;
my $fqn;
my $dmain;
my $tld;
my $host;
my $path = '/usr/bin/nmap';
my $args = '-sP';
my @ips  = qw/192.168.1.101-109/;
my $ip_addr;
my $mac_addr;

# Obtain local info
###################
my @ifconfig = `/sbin/ifconfig eth1`;
foreach my $line (@ifconfig) {
  # Capture the dotted-quad address from the "inet addr:" line
  $ip = $1 if ($line =~ /inet addr:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/);
}

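# NOTE: the path of the file read here was lost from the original page;
# set $netwk_file to the file that holds your HOSTNAME= line.
my $netwk_file = 'PATH_TO_NETWORK_CONFIG_FILE';
open NETWK, "<$netwk_file" or die "Can't open $netwk_file: $!";
while (<NETWK>) {
  $fqn = $1 if ($_ =~ /^HOSTNAME=(.+)$/);
}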

close NETWK;

# Split the fully qualified name on literal dots: host.domain.tld
my @names = split (/\./, $fqn);
$host  = $names[0];
$dmain = $names[1];
$tld   = $names[2];

# Clobber /etc/hosts
####################
open HOSTS, ">/etc/hosts" or die "Can't open hosts: $!";

# Print local info
##################
print HOSTS "# Generated by dhcphosts.pl\n\n";
print HOSTS "# Gotta have loopback\n";
print HOSTS "127.0.0.1\tlocalhost.localdomain\tlocalhost\n\n";
print HOSTS "# This box...\n";
print HOSTS "$ip\t$fqn\t$host\n\n";
print HOSTS "# Remaining network hosts\n";

# Scan, parse and print the remaining network
#############################################
my $nmap = new Nmap::Parser;
$nmap->parsescan ($path, $args, @ips);

for my $host ($nmap->all_hosts()) {
  $ip_addr  = $host->addr;
  $mac_addr = $host->mac_addr;
  if ($mac_addr =~ /.{2}:.{2}:.{2}:.{2}:.{2}:.{2}/) {
    # Fill in your MACs and hostnames here
    if ($mac_addr =~ /XX:XX:XX:XX:XX:XX/) {
      print HOSTS "$ip_addr\thostname1.$dmain.$tld\thostname1\n";
    }
    elsif ($mac_addr =~ /XX:XX:XX:XX:XX:XX/) {
      print HOSTS "$ip_addr\thostname2.$dmain.$tld\thostname2\n";
    }
    elsif ($mac_addr =~ /XX:XX:XX:XX:XX:XX/) {
      print HOSTS "$ip_addr\thostname3.$dmain.$tld\thostname3\n";
    }
    elsif ($mac_addr =~ /XX:XX:XX:XX:XX:XX/) {
      print HOSTS "$ip_addr\thostname4.$dmain.$tld\thostname4\n";
    }
  }
}

# Clean up
##########
close HOSTS;

__END__
=pod

This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation; either version 2 of the License, or (at your option) any later
version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE.  See the GNU General Public License for more details.

=cut

Using Nmap-Parser to check for suspicious new services

(no less 'of'; my $self) Using multiple instances of Nmap::Parser is extremely useful in helping audit/monitor the network Policy (ohh noo! it’s that ‘P’ word!). In this example, we have a set of hosts that were scanned previously for tcp services, with the results saved in base_image.xml. We now scan the same hosts again and check whether any new tcp ports have been opened since then (a good way to look for suspicious new services). Easy security Compliance detection. (ooh noo! The ‘C’ word too!).

 use Nmap::Parser;
 use vars qw($nmap_exe $nmap_args @ips); #set these before running
 my $base = new Nmap::Parser;
 my $curr = new Nmap::Parser;

 $base->parsefile('base_image.xml'); #load previous state
 $curr->parsescan($nmap_exe, $nmap_args, @ips); #scan current hosts

 for my $ip ($curr->get_ips )
 {
        #assume that IPs in base == IPs in curr scan
        my $ip_base = $base->get_host($ip);
        my $ip_curr = $curr->get_host($ip);

        #find ports that are open that were not open before:
        #mark every port open in the base image, then keep the
        #currently open ports that are not marked
        my %port = map { $_ => 1 } $ip_base->tcp_open_ports;
        my @diff = grep { !$port{$_} } $ip_curr->tcp_open_ports;

        print "$ip has these new ports open: ".join(',',@diff)."\n"
                 if(scalar @diff);

        for (@diff){
                   print "$_ seems to be ",
                            $ip_curr->tcp_service($_)->name,
                   "\n";
        }
 }
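
The comparison above assumes that both scans contain the same hosts. The following added example (not part of the original post or of the Nmap-Parser distribution) drops that assumption and also flags hosts that are missing from the baseline. The XML is constructed sample data, scan_xml() and new_services() are hypothetical helper names, and get_host() is assumed to return undef for an address the parser has not seen.

```perl
#!/usr/bin/perl
# Added example: baseline/current diff that tolerates hosts missing from the baseline.
use strict;
use warnings;
use Nmap::Parser;

# Constructed sample data: ip => { open tcp port => service name }
my %base_scan = ( '192.168.1.10' => { 22 => 'ssh', 80 => 'http' } );
my %curr_scan = ( '192.168.1.10' => { 22 => 'ssh', 8080 => 'http-proxy' },
                  '192.168.1.66' => { 23 => 'telnet' } );

# Hypothetical helper: wrap the constructed data in a minimal nmap-style XML document
sub scan_xml {
    my %scan = @_;
    my $xml  = qq{<?xml version="1.0"?>\n<nmaprun scanner="nmap" args="constructed" start="0" version="0">\n};
    for my $ip (sort keys %scan) {
        $xml .= qq{<host><status state="up"/><address addr="$ip" addrtype="ipv4"/><ports>};
        for my $port (sort { $a <=> $b } keys %{ $scan{$ip} }) {
            $xml .= qq{<port protocol="tcp" portid="$port"><state state="open"/>}
                  . qq{<service name="$scan{$ip}{$port}"/></port>};
        }
        $xml .= "</ports></host>\n";
    }
    return $xml . qq{<runstats><finished time="0"/><hosts up="1" down="0" total="1"/></runstats></nmaprun>\n};
}

# Hypothetical helper: report open tcp ports that the baseline did not have
sub new_services {
    my ($base, $curr) = @_;    # two independent Nmap::Parser instances
    my @report;
    for my $ip ($curr->get_ips) {
        my $h_curr = $curr->get_host($ip);
        my $h_base = $base->get_host($ip);    # assumed undef if not in the baseline
        my %was_open = $h_base ? (map { $_ => 1 } $h_base->tcp_open_ports) : ();
        for my $port (grep { !$was_open{$_} } $h_curr->tcp_open_ports) {
            push @report, sprintf('%s %s tcp/%d (%s)',
                $h_base ? 'NEW-PORT' : 'NEW-HOST',
                $ip, $port, $h_curr->tcp_service($port)->name);
        }
    }
    return @report;
}

my $base = Nmap::Parser->new;
my $curr = Nmap::Parser->new;
$base->parse(scan_xml(%base_scan));
$curr->parse(scan_xml(%curr_scan));
print "$_\n" for new_services($base, $curr);
```

Ports that were open in the baseline and are now closed are deliberately not reported, so every line of output names a service that can actually be looked up in the current scan.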