I'm using regex to parse NMAP output. I want the ip addresses which are up with the corresponding ports open. Now I've a very naive method of doing that:
awk '/^Scanning .....................ports]/ {print substr ($2,1,15);}' results.txt
awk '/^[0-9][0-9]/ {print substr($1,1,4);}' results.txt | awk -f awkcode.awk
where awkcode.awk contains the code to extract numbers out of the substring.
The first line prints all the IPs that are up and the second gives me the ports. My problem is that I want them mapped to each other. Is there any way to do that? Even a sed script would do.
You will probably find using the "Grepable" output format to be easier to parse:
nmap -oG - -v -A 192.168.0.1-254
Sample output:
Host: 192.168.1.1 (foo) Status: Up
Host: 192.168.1.1 (foo) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 6ubuntu2 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.2.12 ((Ubuntu))/, 139/open/tcp//netbios-ssn//Samba smbd 3.X (workgroup: BAR)/, 445/open/tcp//netbios-ssn//Samba smbd 3.X (workgroup: BAR)/, 7100/open/tcp//font-service//X.Org X Font Server/ Ignored State: closed (995)
Or if you have an XML parser, use the XML output format:
nmap -oX - -v -A 192.168.0.1-254
Sample output:
<?xml version="1.0" ?>
<?xml-stylesheet href="file:///usr/share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 5.00 scan initiated Sun Jun 13 08:11:32 2010 as: nmap -oX - -v -A 192.168.1.1-254 -->
<nmaprun scanner="nmap" args="nmap -oX - -v -A 192.168.1.1-254" start="1276434692" startstr="Sun Jun 13 08:11:32 2010" version="5.00" xmloutputversion="1.03">
...
...
<host starttime="1276434692" endtime="1276434775"><status state="up" reason="syn-ack"/>
<address addr="192.168.1.1" addrtype="ipv4" />
<hostnames><hostname name="foo" type="PTR" /></hostnames>
<ports><extraports state="closed" count="995">
<extrareasons reason="conn-refused" count="995"/>
</extraports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="ssh" product="OpenSSH" version="5.1p1 Debian 6ubuntu2" extrainfo="protocol 2.0" ostype="Linux" method="probed" conf="10" /><script id="ssh-hostkey" output="1024 1a:2b:4d:5e:6f:00:f1:e2:d3:c4:b5:a6:e2:f3:fe (DSA)
2048 fa:eb:dc:cd:be:af:a0:75:65:8a:52:7d:11:22:33:44 (RSA)" /></port>
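The mapping the question asks for, worked through on the grepable format above as an added example (not from the original answer): one awk pass over `-oG` output that pairs each host with its open ports. It assumes the tab-separated "Host:" / "Ports:" layout shown in the answer; the scan lines are constructed sample input, not a real scan.

```sh
#!/bin/sh
# Constructed sample of nmap -oG output (fields are tab-separated; not a real scan).
SAMPLE=$(printf '%s\n' \
  '# Nmap 5.00 scan initiated (constructed sample)' \
  "$(printf 'Host: 192.168.1.1 (foo)\tStatus: Up')" \
  "$(printf 'Host: 192.168.1.1 (foo)\tPorts: 22/open/tcp//ssh//OpenSSH 5.1p1/, 80/open/tcp//http//Apache httpd/, 139/filtered/tcp//netbios-ssn///\tIgnored State: closed (995)')" \
  "$(printf 'Host: 192.168.1.2 ()\tStatus: Up')" \
  "$(printf 'Host: 192.168.1.2 ()\tPorts: 443/open/tcp//https///\tIgnored State: closed (999)')" \
  '# Nmap done (constructed sample)')

# Reads grepable output on stdin and prints one line per host that has at
# least one open port:  <ip> <port>/<proto>[,<port>/<proto>...]
open_ports() {
  awk -F'\t' '
    # Only "Host:" records whose second field is the port list matter;
    # "Status: Up" records and "# Nmap ..." comment lines are skipped.
    /^Host: / && $2 ~ /^Ports: / {
      ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)   # drop "(hostname)"
      ports = $2; sub(/^Ports: /, "", ports)
      n = split(ports, entry, /, */)                         # entries are comma-separated
      out = ""
      for (i = 1; i <= n; i++) {
        # entry layout: portid/state/proto/owner/service/rpcinfo/version/
        split(entry[i], f, "/")
        if (f[2] == "open")
          out = out (out == "" ? "" : ",") f[1] "/" f[3]
      }
      if (out != "") print ip, out
    }'
}

printf '%s\n' "$SAMPLE" | open_ports
```

Filtered or closed entries are dropped, so a host whose only listed ports are not open produces no line at all.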
Attempting to capture traffic but I don't know the right syntax to filter the output to a readable pcap file.
I need to use the syntax
tcpdump -r file.pcap
and to filter eth0 icmp traffic
tcpdump -i eth0 icmp -c 10 > file.pcap
is there a way to do this in one line of command?
Yes, but, if you're writing a pcap file rather than a text file, it doesn't involve the > character.
By default, tcpdump captures traffic from an interface, or reads a capture file, and writes out a human-readable dissection of the packets to the standard output.
You need the -w flag to write out a pcap file, so, in your case, the command is
tcpdump -r file.pcap -w icmp-only.pcap icmp
Your command
tcpdump -i eth0 icmp -c 10 > file.pcap
wouldn't write out a pcap file; it writes out text such as
16:30:59.808885 IP 192.168.1.5 > example.com: ICMP echo request, id 40541, seq 0, length 64
16:30:59.841404 IP example.com > 192.168.1.5: ICMP echo reply, id 40541, seq 0, length 64
If you wanted to write the ICMP traffic to a pcap file, you would do
tcpdump -i eth0 icmp -c 10 -w file.pcap
I'm unable to get 'get' in terminal using Grep.
This code used to work on Lion but in Mavericks the GET doesn't show...
sudo tcpdump -i en1 -n -s 0 -w - | grep -a -o -E "Host\:\ .*|GET\ \/.*"
Any help or suggestions maybe?
Try:
sudo tcpdump -s 0 -A | egrep --color=never -a -o "Host\: .*|GET\ \/.*"
The -w - writes the raw packets whereas the -A decodes to ASCII; handy for web pages (per man)
I found that if grep was outputting color, the Host: lines were output as empty lines.
How can I get GNU diff ignore the blank lines in the following example?
File a:
x
do

done
File b:
x

do
done
Neither file has trailing white spaces in any line.
Using GNU diff 3.1 on Mac OS X I get:
diff -w a b
2d1
< do
3a3
> do
Same when I add various promising looking options:
diff --suppress-blank-empty -E -b -w -B -I '^[[:space:]]*$' --strip-trailing-cr -i a b
2d1
< do
3a3
> do
What am I missing here?
diff --version
diff (GNU diffutils) 3.1
I think the problem here is that diff is seeing do as being removed from the first file, and added to the second, maybe because there isn't enough context around the change.
If you reverse the order of the files as arguments, diff reports that the space is added and removed, and will then ignore it with --ignore-blank-lines.
Looking at it as a unified diff, this is a little more clear:
$ diff test.txt test2.txt -u
--- test.txt 2015-10-20 10:50:52.585167600 -0700
+++ test2.txt 2015-10-20 10:51:01.042167600 -0700
@@ -1,4 +1,4 @@
 x
-do
 
+do
 done
prp@QW7PRP09-14 ~/temp
$ diff test2.txt test.txt -u
--- test2.txt 2015-10-20 10:51:01.042167600 -0700
+++ test.txt 2015-10-20 10:50:52.585167600 -0700
@@ -1,4 +1,4 @@
 x
-
 do
+
 done
And the result with the --ignore-blank-lines, and the order switched:
prp@QW7PRP09-14 ~/temp
$ diff test2.txt test.txt -B -u
The terminal transcript speaks for itself:
iMac:~$ echo -n a | md5
0cc175b9c0f1b6a831c399e269772661
iMac:~$ perl -e 'system "echo -n a | md5"'
c3392e9373ccca33629d82b17699420f
Note that the MD5 hash of a is 0cc175b9c0f1b6a831c399e269772661, the first result. Why does it turn out to be different when the same command is called by perl?
By the way, perl is perl 5, version 12, subversion 4 (v5.12.4) built for darwin-thread-multi-2level. And the system: Mac OS 10.8, Darwin 12.0
When in the /bin/sh shell on Mac, echo -n doesn't suppress the newline like it does in /bin/bash. You can see this if you drop into /bin/sh and run echo -n a; your output should look like this:
sh-3.2$ echo -n a
-n a
so you're literally getting -n a instead of the desired a. As perl's system runs /bin/sh to evaluate your command, -n a is being passed into md5 instead of your desired a.
The specific question has already been answered, but I want to point out that od is useful to help understand exactly what any command outputs or file contains. This is useful especially to show otherwise non-printing characters.
$ echo -n a | od -tc
0000000 a
0000001
$ perl -e 'system "echo -n a | od -tc";'
0000000 - n a \n
0000005
Okay, I want to have Nmap scan an IP range for computers with a certain port open (port 80 in this case) and have it output all the IPs it finds into a text file, stored in this format:
192.168.0.1
192.168.0.185
192.168.0.192
192.168.0.195
So to output the file, I tried using this command:
nmap -sT -p 80 -ttl 40 192.168.0.0-255 -oG - | grep "80/open" > output.txt
Where "output.txt" is the output file that contains the results. So a line of output.txt looks like this:
Host: 192.168.0.1 () Ports: 80/open/tcp//http///
So I basically want it only to output the IP address with port 80 open, and nothing else.
I want it to not output the "Host: " or the "()" and "Ports: 80/open/tcp//http///" parts. So is there any way I can have Nmap not put that stuff into the output file? Or make it only output the IP addresses? I tried looking at the man page, it was of little help. And I looked all over the Internet and that wasn't very useful either. So does anyone know how I can do this? Thanks
Awk is your friend!
$ nmap -sT -p 80 192.168.0.0/24 -oG - | awk '/ 80\/open/{print $2}' > output.txt
This will find lines with port 80 open (notice the space before 80, if you plan to scan more than the one port!), and print field 2, splitting on whitespace. Another way to do it would be:
$ nmap -sT -p 80 --open 192.168.0.0/24 -oG - | awk '$4=="Ports:"{print $2}' > output.txt
This one uses the --open argument to Nmap to only produce output for hosts with open ports. The awk command checks that this is a "Ports" line, not a "Status" line (which may only show up when using -v, but I'm not positive) before printing the IP address.
Note that it is usually in your best interests to save the scan results to a file, to avoid needing to repeat the scan if you decide to extract some different information. If you choose to do this, I would recommend using the XML output (-oX), since there are lots of analysis tools that have parsers built for it already.
Having nmap produce exactly what you want would indeed be nice. But as a more general solution:
$ nmap ... | grep ... | tr '/' ' ' | awk '{ print $2,$5; }'
192.168.0.1 80
Or maybe:
nmap ... | grep ... | tr '/' ' ' | cut -d' ' -f2,5
I found a script called scanreport.sh very useful. Although it's not necessary (you could just use awk as suggested), I thought it might be of interest.
It gives the ability to output the nmap results nicely by service or port (with highlighting). It uses the grepable output from nmap (-oG) after a quick tidy with grep -v ^# nmapoutput.txt > report.txt
Example
nmap -sS 192.168.1.22 -oG /directory/of/choice/results.txt
grep -v ^# results.txt > report.txt
./scanreport.sh -f report.txt
Host: 192.168.1.22 ()
22 open tcp ssh OpenSSH 5.3p1 Debian 3ubuntu4 (protocol 2.0)
80 open tcp http Apache httpd 2.2.14 ((Ubuntu))
./scanreport.sh -f report.txt -p 80
Host: 192.168.1.22 ()
80 open tcp http Apache httpd 2.2.14 ((Ubuntu))
./scanreport.sh -f report.txt -s ssh
Host: 192.168.1.22 ()
22 open tcp ssh OpenSSH 5.3p1 Debian 3ubuntu4 (protocol 2.0)
Plenty of stuff on Google about it, but here is a link to one reference: ./scanreport.sh