I have some data from an Nmap Scan. It looks like this.
Nmap scan report for 10.16.17.34
Host is up (0.011s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
80/tcp open http
| http-headers:
| Date: THU, 30 AUG 2012 22:46:11 GMT
| Expires: THU, 30 AUG 2012 22:46:11 GMT
| Content-type: text/html
|
|_ (Request type: GET)
443/tcp open https
| ssl-enum-ciphers:
| SSLv3
| Ciphers (11)
| TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA - unknown strength
| TLS_RSA_EXPORT1024_WITH_RC4_56_SHA - unknown strength
| TLS_RSA_EXPORT_WITH_DES40_CBC_SHA - unknown strength
| TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 - unknown strength
| TLS_RSA_EXPORT_WITH_RC4_40_MD5 - unknown strength
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
| TLS_RSA_WITH_DES_CBC_SHA - unknown strength
| TLS_RSA_WITH_RC4_128_MD5 - unknown strength
| TLS_RSA_WITH_RC4_128_SHA - strong
| TLSv1.0
| Ciphers (10)
| TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA - unknown strength
| TLS_RSA_EXPORT1024_WITH_RC4_56_SHA - unknown strength
| TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 - unknown strength
| TLS_RSA_EXPORT_WITH_RC4_40_MD5 - unknown strength
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
| TLS_RSA_WITH_DES_CBC_SHA - unknown strength
| TLS_RSA_WITH_RC4_128_MD5 - unknown strength
| TLS_RSA_WITH_RC4_128_SHA - strong
| Compressors (1)
| NULL
|_ Least strength = unknown strength
2023/tcp open xinuexpansion3
Nmap scan report for 10.16.40.0
Host is up (0.00062s latency).
All 65535 scanned ports on 10.16.40.0 are closed
Nmap scan report for 10.16.40.1
Host is up (0.00071s latency).
All 65535 scanned ports on 10.16.40.1 are closed
What I am attempting to do is to either use Awk, Sed or Grep or something else to extract any section that starts with Nmap Scan and ends in a blank new line and has ssl-enum-ciphers in it. I figured out with Awk how to print each section but I can't get it to check for the ssl line. I'm out of my league with this.
Thanks
What you have is blank-line-separated records. You can use awk to check for your ssl-enum-ciphers:
awk -v RS='' '/ssl-enum-ciphers/' file.txt
This will check that the record doesn't contain the phrase 'host down':
awk -v RS='' '/ssl-enum-ciphers/ && !/host down/' file.txt
You could make this more stringent by changing the field separator to a newline character:
awk 'BEGIN { RS=""; FS="\n" } /ssl-enum-ciphers/ && $1 !~ /host down/' file.txt
Add some newlines between records:
awk 'BEGIN { RS=""; FS="\n" } /ssl-enum-ciphers/ && $1 !~ /host down/ { printf "%s\n\n", $0 }' file.txt
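As an added example that is not part of either answer, the bash/awk script below applies the same blank-line record trick to a constructed excerpt modelled on the scan in the question (the sample keeps the blank line Nmap prints between hosts, which the paste above lost), and goes one step beyond what was asked: it lists the ciphers a reviewer would flag (export grades, DES and 3DES, RC4, MD5, NULL or anonymous suites, and anything at all offered under SSLv2/SSLv3). Flagging 3DES is the editor's choice based on later findings, not Nmap's 2012 "strong" rating.

```bash
#!/usr/bin/env bash
# Added example (not from the original answers): record-oriented parsing of
# Nmap normal output with awk, plus extraction of weak TLS ciphers.

# Constructed sample modelled on the scan in the question; the blank line
# between hosts is what Nmap really prints and what RS="" splits on.
SAMPLE_SCAN='Nmap scan report for 10.16.17.34
Host is up (0.011s latency).
PORT     STATE SERVICE
443/tcp  open  https
| ssl-enum-ciphers:
|   SSLv3
|     Ciphers (3)
|       TLS_RSA_EXPORT_WITH_RC4_40_MD5 - unknown strength
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|   TLSv1.0
|     Ciphers (2)
|       TLS_RSA_WITH_DES_CBC_SHA - unknown strength
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|   Compressors (1)
|     NULL
|_  Least strength = unknown strength

Nmap scan report for 10.16.40.1
Host is up (0.00071s latency).
All 65535 scanned ports on 10.16.40.1 are closed
'

# Print the address of every record that contains ssl-enum-ciphers output.
tls_hosts() {
  awk 'BEGIN { RS = ""; FS = "\n" }
       /ssl-enum-ciphers/ { sub(/^Nmap scan report for /, "", $1); print $1 }'
}

# Print "ip protocol cipher" for suites worth flagging: export grades,
# single DES and 3DES, RC4, MD5, NULL/anon suites, and anything at all
# offered under SSLv2/SSLv3 (the protocol itself is the problem there).
weak_ciphers() {
  awk '
    BEGIN { RS = ""; FS = "\n" }
    !/ssl-enum-ciphers/ { next }
    {
      ip = $1; sub(/^Nmap scan report for /, "", ip)
      proto = ""
      for (i = 2; i <= NF; i++) {
        line = $i
        # protocol headers look like "|   SSLv3" or "|   TLSv1.0"
        if (match(line, /^\|[ _]*(SSLv[23]|TLSv1\.[0-3])[ ]*$/)) {
          proto = line; gsub(/^\|[ _]*|[ ]*$/, "", proto)
          continue
        }
        # cipher lines look like "|       TLS_..._SHA - strong"
        if (match(line, /TLS_[A-Z0-9_]+ - /)) {
          cipher = substr(line, RSTART, RLENGTH - 3)
          if (proto ~ /^SSLv/ || cipher ~ /EXPORT|DES|RC4|_MD5|NULL|anon/)
            print ip, proto, cipher
        }
      }
    }'
}

printf '%s' "$SAMPLE_SCAN" | weak_ciphers
```

Run it against a real file with `weak_ciphers < scan.txt`; because both functions work on whole records, a host whose ssl-enum-ciphers block sits under a non-standard port is handled the same way.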
Processing Nmap text output is tricky and fraught with dangers, since it can change from version to version. For parsing Nmap output, use the XML output with the -oX or -oA arguments. Then use an XML parsing library or utility to extract the information you need.
For your example, use xmlstarlet to extract the host element that contains a script element with the id attribute set to "ssl-enum-ciphers". This example will output the IP address of the target, followed by the output from the ssl-enum-ciphers script:
xmlstarlet sel -t -m '//script[@id="ssl-enum-ciphers"]' \
-v '../../../address[@addrtype="ipv4"]/@addr' -v '@output' -n output.xml
In the next release of Nmap, script output itself will be further broken into XML structures, making it easier to do things like output a list of only the weak ciphers in use.
I want to send a single number via netcat. I don't want to send the ASCII representation of the number, but the binary version of the number (uint8, int32, etc.). I have a UDP port open in Matlab that is waiting to receive the number. Matlab's dsp.UDPReceiver can only accept ['uint8' (default) | 'double' | 'single' | 'int8' | 'int16' | 'uint16' | 'int32' | 'uint32' | 'logical']. FYI, I am sending integers via UDP to a process to control some action therein.
I originally tried
echo 5 | netcat -u localhost 12345
but the receiver (in Matlab) prints out ans = uint8 53 because the output of echo is the string not the binary representation of the number 5. I tried using bc like this:
echo "obase=2;5" | bc -l|netcat -u localhost 12345
but get the result ans = uint8 49 because bc is returning the ASCII version of the binary rather than the bits themselves.
How can I send a single number via netcat?
With the -e option, echo interprets the given bytes as hexadecimal or octal escapes. With -n the final newline gets suppressed:
echo -n -e '\x05' | netcat ...
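The answer above relies on an echo that understands -e. As an added example that is not from the original answer, the helpers below do the same with printf octal escapes, which every POSIX shell honours, and pack wider integers too. Byte order is an assumption: MATLAB on an x86 host reads little-endian, so that is the default here, with a big-endian variant for comparison; the port number is illustrative.

```bash
#!/usr/bin/env bash
# Added example (not from the original answer): emit integers as raw bytes
# so a UDP receiver gets 0x05 rather than the ASCII digit "5" (0x35).

# Emit the low $2 bytes of integer $1, least significant byte first
# (little-endian, which is what MATLAB on an x86 host expects; assumption).
pack_le() {
  local n=$1 width=$2 i=0
  while [ "$i" -lt "$width" ]; do
    # each byte becomes a three-digit octal escape such as \005, which
    # printf turns into the byte itself; this works in any POSIX printf
    printf "\\$(printf '%03o' $(( (n >> (8 * i)) & 255 )))"
    i=$((i + 1))
  done
}

# Same bytes, most significant first (network byte order).
pack_be() {
  local n=$1 width=$2 i
  i=$((width - 1))
  while [ "$i" -ge 0 ]; do
    printf "\\$(printf '%03o' $(( (n >> (8 * i)) & 255 )))"
    i=$((i - 1))
  done
}

pack_u8()  { pack_le "$1" 1; }
pack_i16() { pack_le "$1" 2; }
pack_i32() { pack_le "$1" 4; }

# Hex view of stdin, for checking the bytes without a listener.
hexdump_bytes() { od -An -tx1 -v | tr -d ' \n'; }

# Usage (port is illustrative): send int32 5 to the dsp.UDPReceiver
#   pack_i32 5 | nc -u localhost 12345
printf 'ASCII "5": %s, uint8 5: %s, int32 5 LE: %s, int32 5 BE: %s\n' \
  "$(printf 5 | hexdump_bytes)" "$(pack_u8 5 | hexdump_bytes)" \
  "$(pack_i32 5 | hexdump_bytes)" "$(pack_be 5 4 | hexdump_bytes)"
```

Negative values come out in two's complement because the shell's arithmetic shift keeps the sign, so `pack_i32 -1` yields four 0xff bytes.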
I'm working with the Google Healthcare API and there's a step in the walk through that uses netcat to send an HL7 message to the MLLP adapter.
(I used nmap to download ncat for Windows)
I have the adapter running locally but the command they provide is written for Mac/Nix users and I'm on Windows.
echo -n -e "\x0b$(cat hl7.txt)\x1c\x0d" | nc -q1 localhost 2575 | less
So I tried rewriting this for windows powershell:
$hl7 = type hl7.txt
Write-Output "-n -e \x0b" $hl7 "\x1c\x0d" | ncat -q1 localhost 2575 | less
When I try this, I get an error that "less" is invalid and that -q1 is also an invalid command.
If I remove -q1 and | less the command executes with no output or error message.
I'm wondering if I'm using ncat incorrectly here or the write-output incorrectly?
What is the -q1 parameter?
It doesn't seem to be a valid ncat parameter from what I've researched.
I've been following this walkthrough:
https://cloud.google.com/healthcare/docs/how-tos/mllp-adapter#connection_refused_error_when_running_locally
We're really converting the echo command, not the ncat command. The syntax for ASCII codes is different in PowerShell.
# Get-Content -Raw keeps the file as one string instead of joining lines with spaces;
# ncat has no -q option, so -i 1 is used to exit after one idle second
[char]0x0b + (get-content hl7.txt -Raw) + [char]0x1c + [char]0x0d |
ncat -i 1 localhost 2575
In ASCII: 0b vertical tab, 1c file separator, 0d carriage return http://www.asciitable.com
Or this. `v is 0b and `r is 0d
"`v$(get-content hl7.txt -Raw)`u{1c}`r" | ncat -i 1 localhost 2575
If you want it this way, it's the same thing. All three ways end up being the same.
"`u{0b}$(get-content hl7.txt -Raw)`u{1c}`u{0d}" | ncat -i 1 localhost 2575
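The bash one-liner from the walkthrough, pulled apart as an added example that is not from the original question, the answer, or Google's documentation: the framing bytes an MLLP receiver looks for, the carriage-return segment separators HL7 v2 requires (a file saved with LF or CRLF endings has to be converted, and a trailing newline must not become a stray segment), and a check on the receiving side before the payload is trusted. The message text and port are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): MLLP framing of an HL7 v2
# message, <VT> message <FS><CR>, and validation of a received frame.

VT=$(printf '\013')   # 0x0b start block
FS=$(printf '\034')   # 0x1c end block
CR=$(printf '\015')   # 0x0d carriage return

# Constructed two-segment message; on disk such files usually have LF ends.
SAMPLE_HL7='MSH|^~\&|SRC|FAC|DST|FAC|20120830224611||ADT^A01|MSG0001|P|2.5
PID|1||12345^^^FAC||DOE^JOHN'

# Wrap stdin in an MLLP frame. Every non-empty input line becomes one
# <CR>-terminated segment, whatever line ending the file used, and blank
# lines (including a trailing newline) are dropped rather than framed.
mllp_frame() {
  printf '%s' "$VT"
  tr -d '\r' | awk 'NF { printf "%s\r", $0 }'
  printf '%s%s' "$FS" "$CR"
}

# Unwrap a frame read from stdin: fail unless it starts with <VT> and ends
# with <FS><CR>, then print the segments one per line.
mllp_unframe() {
  local data payload
  data=$(cat)
  case $data in
    "$VT"*"$FS$CR") ;;
    *) echo "not an MLLP frame" >&2; return 1 ;;
  esac
  payload=${data#"$VT"}
  payload=${payload%"$FS$CR"}
  printf '%s' "$payload" | tr '\r' '\n'
}

# Usage (port is illustrative): printf '%s\n' "$SAMPLE_HL7" | mllp_frame | nc localhost 2575
printf '%s\n' "$SAMPLE_HL7" | mllp_frame | od -An -c
```

Note the od dump: the frame ends in `034 \r` with no trailing `\n`, which is exactly what the `-n` in the original echo command is there to guarantee.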
I want to check how many active meetings there are on the BBB server at any one time from the command line. I have tried
$ bbb-conf --network
but not getting anywhere. I have also checked the number of active connections to port 80 and 443
$ netstat -anp | grep :443 | grep ESTABLISHED | wc -l
but I'm not sure if I can trust that figure.
I know I can use the isMeetingRunning call from the API but I'm just looking for command line.
Any ideas would be appreciated
The following bash script, which can be run from command line on the same machine as the BigBlueButton server, will process the response to the BBB API getMeetings call.
#!/bin/bash
APICallName="getMeetings"
APIQueryString=""
X=$( bbb-conf --secret | fgrep URL: )
APIEndPoint=${X##* }
Y=$( bbb-conf --secret | fgrep Secret: )
Secret=${Y##* }
S=$APICallName$APIQueryString$Secret
Checksum=$( echo -n $S | sha1sum | cut -f 1 -d ' ' )
if [[ "$APIQueryString" == "" ]]
then
URL="${APIEndPoint}api/$APICallName?checksum=$Checksum"
else
URL="${APIEndPoint}api/$APICallName?$APIQueryString&checksum=$Checksum"
fi
wget -q -O - "$URL" | grep -o '<meetingID>' | wc -w
Tested on a live BBB machine.
Note:
The APICallName and APIQueryString can be modified to provide interface to other BBB API calls. See https://docs.bigbluebutton.org/dev/api.html
The command-line sha1sum will output a different result if a newline is appended to its input. This is the reason echo -n is used instead of echo.
In the last line, the script processes the XML output from the API call in a very naïve way, simply counting the number of occurrences of the <meetingID> tag. More elaborate processing would probably require parsing the XML.
I have two web servers running with one load balancer with HAProxy. I need to block IPs that are coming to my load balancer too often. How do I check all the incoming IPs? Is there a log?
If you want to see the established connections on a Linux server, use this command (via SSH):
netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head -n 10
If you want to log more verbose HAProxy activity, use this setting in haproxy.cfg:
log 127.0.0.1 local0 info
You can view the more verbose output in /var/log/haproxy_0.log
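The netstat line shows who is connected right now; the log shows who keeps coming back. As an added example that is not from the original answer, here is an awk pass over HAProxy httplog lines that counts requests per client and emits the addresses above a threshold in a form that can go straight into an ACL file (for instance `acl abusers src -f /etc/haproxy/blocklist.txt` followed by `http-request deny if abusers`; the path is illustrative). The log lines are constructed in the default `option httplog` layout using documentation IP ranges.

```bash
#!/usr/bin/env bash
# Added example (not from the original answer): count clients in HAProxy
# HTTP logs and produce a blocklist of the noisiest ones.

# Constructed sample in HAProxy httplog layout:
#   syslog prefix, haproxy[pid]:, client_ip:port [date] frontend backend/server ...
SAMPLE_LOG='Aug 30 22:46:11 lb haproxy[1234]: 203.0.113.5:51234 [30/Aug/2012:22:46:11.123] fe~ be_web/web1 0/0/1/2/3 200 512 - - ---- 3/3/0/0/0 0/0 "GET /login HTTP/1.1"
Aug 30 22:46:11 lb haproxy[1234]: 203.0.113.5:51235 [30/Aug/2012:22:46:11.456] fe~ be_web/web2 0/0/1/2/3 200 512 - - ---- 3/3/0/0/0 0/0 "GET /login HTTP/1.1"
Aug 30 22:46:12 lb haproxy[1234]: 198.51.100.7:40001 [30/Aug/2012:22:46:12.001] fe~ be_web/web1 0/0/1/2/3 200 512 - - ---- 3/3/0/0/0 0/0 "GET / HTTP/1.1"
Aug 30 22:46:12 lb haproxy[1234]: 203.0.113.5:51236 [30/Aug/2012:22:46:12.789] fe~ be_web/web1 0/0/1/2/3 401 128 - - ---- 3/3/0/0/0 0/0 "POST /login HTTP/1.1"
Aug 30 22:46:13 lb haproxy[1234]: 192.0.2.9:33000 [30/Aug/2012:22:46:13.100] fe~ be_web/web2 -1/-1/-1/-1/0 503 212 - - SC-- 2/2/0/0/0 0/0 "GET / HTTP/1.1"
'

# Print "count ip" for clients with at least $1 requests, busiest first.
# The client field is located relative to the "haproxy[pid]:" token so the
# syslog prefix (hostname present or not, rsyslog timestamp format) does
# not matter; stripping the trailing ":port" also works for IPv6 sources.
top_clients() {
  local threshold=${1:-1}
  awk -v min="$threshold" '
    {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^haproxy\[[0-9]+\]:$/) {
          ip = $(i + 1); sub(/:[0-9]+$/, "", ip)
          hits[ip]++
          break
        }
    }
    END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }' |
  sort -rn
}

# Addresses only, one per line, ready for an "acl ... src -f" file.
blocklist() { top_clients "$1" | awk '{ print $2 }'; }

# Usage on a live box: top_clients 100 < /var/log/haproxy_0.log
printf '%s' "$SAMPLE_LOG" | top_clients 1
```

If another proxy or CDN terminates connections in front of HAProxy, the source column is that hop's address, not the end client's; in that case enable `option forwardfor`, add `capture request header X-Forwarded-For len 15` so the header lands in the log, and count that field instead.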
You should try this:
echo 'Client IP: '.$_SERVER["REMOTE_ADDR"];
echo 'Client IP: '.$_SERVER["HTTP_CLIENT_IP"];
These commands display the load balancer's IP. More at: https://serverfault.com/a/331909
Okay, I want to have Nmap scan an IP range for computers with a certain port open (port 80 in this case) and have it output all the IPs it finds into a text file, stored in this format:
192.168.0.1
192.168.0.185
192.168.0.192
192.168.0.195
So to output the file, I tried using this command:
nmap -sT -p 80 -ttl 40 192.168.0.0-255 -oG - | grep "80/open" > output.txt
Where "output.txt" is the output file that contains the results. So a line of output.txt looks like this:
Host: 192.168.0.1 () Ports: 80/open/tcp//http///
So I basically want it only to output the IP address with port 80 open, and nothing else.
I want it to not output the "Host: " or the "()" and "Ports: 80/open/tcp//http///" lines. So is there any way I can have Nmap not put that stuff into the output file? Or make it only output the IP addresses? I tried looking at the man page, it was of little help. And I looked all over the Internet and that wasn't very useful either. So does anyone know how I can do this? Thanks
Awk is your friend!
$ nmap -sT -p 80 192.168.0.0/24 -oG - | awk '/ 80\/open/{print $2}' > output.txt
This will find lines with port 80 open (notice the space before 80, if you plan to scan more than the one port!), and print field 2, splitting on whitespace. Another way to do it would be:
$ nmap -sT -p 80 --open 192.168.0.0/24 -oG - | awk '$4=="Ports:"{print $2}' > output.txt
This one uses the --open argument to Nmap to only produce output for hosts with open ports. The awk command checks that this is a "Ports" line, not a "Status" line (which may only show up when using -v, but I'm not positive) before printing the IP address.
Note that it is usually in your best interests to save the scan results to a file, to avoid needing to repeat the scan if you decide to extract some different information. If you choose to do this, I would recommend using the XML output (-oX), since there are lots of analysis tools that have parsers built for it already.
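As an added example that is not part of any answer, the script below parses -oG lines the way the awk one-liners above do, but copes with the inputs that break a plain grep for "80/open": several ports on one line, a hostname inside the parentheses, and closed or filtered ports listed beside an open one. The scan text is constructed in -oG layout (a tab separates the Host and Ports fields, as in real output), not a real scan.

```bash
#!/usr/bin/env bash
# Added example (not from the original answers): robust extraction of
# "ip port" pairs for open ports from Nmap grepable (-oG) output.

# Constructed sample in -oG layout; the tab between the Host and Ports
# fields is what real output contains, so it is produced with printf.
SAMPLE_GREPABLE=$(
  printf '%s\t%s\n' \
    '# Nmap 6.01 scan initiated as: nmap -sT -p 80,443 -oG - 192.168.0.0/24' '' \
    'Host: 192.168.0.1 ()' 'Status: Up' \
    'Host: 192.168.0.1 ()' 'Ports: 80/open/tcp//http///, 443/closed/tcp//https///' \
    'Host: 192.168.0.185 (printer.lan)' 'Ports: 80/open/tcp//http///, 443/open/tcp//https///' \
    'Host: 192.168.0.192 ()' 'Ports: 80/filtered/tcp//http///, 443/open/tcp//https///' \
    '# Nmap done -- 256 IP addresses (3 hosts up) scanned in 9.12 seconds' ''
)

# Print "ip port" for every open port; with an argument, only that port.
open_ports() {
  awk -v want="${1:-}" -F'\t' '
    /^#/ { next }                      # comment lines
    $2 !~ /^Ports: / { next }          # "Status:" lines carry no ports
    {
      split($1, h, " "); ip = h[2]     # "Host: <ip> (<name>)"
      sub(/^Ports: /, "", $2)
      n = split($2, ports, ", *")      # entries are ", "-separated
      for (i = 1; i <= n; i++) {
        split(ports[i], f, "/")        # port/state/proto/owner/service/rpc/version
        if (f[2] == "open" && (want == "" || f[1] == want))
          print ip, f[1]
      }
    }'
}

# Only the addresses, deduplicated, which is what the question asked for.
hosts_with_open() { open_ports "$1" | awk '!seen[$1]++ { print $1 }'; }

# Usage: nmap -sT -p 80 192.168.0.0/24 -oG - | hosts_with_open 80 > output.txt
printf '%s\n' "$SAMPLE_GREPABLE" | hosts_with_open 80
```

Because the state is compared as a whole field, "filtered" and "open|filtered" are never mistaken for "open", and because the Ports field is split on its own delimiter, a line listing many ports yields one pair per open port.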
Having nmap produce exactly what you want would indeed be nice. But as a more general solution:
$ nmap ... | grep ... | tr '/' ' ' | awk '{ print $2,$5; }'
192.168.0.1 80
Or maybe:
nmap ... | grep ... | tr '/' ' ' | cut -d' ' -f2,8
I found a script called scanreport.sh very useful. Although it's not necessary (you could just use awk as suggested), I thought it might be of interest.
It gives the ability to output the nmap results nicely by service or port (with highlighting). It uses the grep-able output from nmap (-oG) after a quick tidy from grep -v ^# nmapoutput.txt > report.txt
Example
nmap -sS 192.168.1.22 -oG /directory/of/choice/results.txt
grep -v ^# results.txt > report.txt
./scanreport.sh -f report.txt
Host: 192.168.1.22 ()
22 open tcp ssh OpenSSH 5.3p1 Debian 3ubuntu4 (protocol 2.0)
80 open tcp http Apache httpd 2.2.14 ((Ubuntu))
./scanreport.sh -f report.txt -p 80
Host: 192.168.1.22 ()
80 open tcp http Apache httpd 2.2.14 ((Ubuntu))
./scanreport.sh -f report.txt -s ssh
Host: 192.168.1.22 ()
22 open tcp ssh OpenSSH 5.3p1 Debian 3ubuntu4 (protocol 2.0)
Plenty of stuff on Google about it, but here is a link to one ref.