Nmap is probably the most known and used open source port scanner on the Internet. I’ll explain how to use this wonderful network toolbox to automate a simple asset management solution.
“Know your network!” This is the main focus of this post. Today, having a global and up-to-date overview of network asset is mandatory for all network administrators: New devices are configured or decommissioned, untrusted devices are connected without permissions or users runs unsecured servers. Nmap can be used to build a base-line of your network components and to easily report any detected changes.
The base-line will contain all devices (IP addresses) and services available on them at a given time. By services, I mean here any new applications listening to a TCP or UDP port. Based on this baseline, we will be able to detect:
- Newly connected or removed servers
- Newly configured or stopped services
To detect all changes, I will use a script called “Ndiff”. This tool is available in the Nmap SVN repository. Ndiff is a project born during the 2008 Google Summer of Code. Written in Python, this tool helps in the comparison of Nmap scans. It takes two Nmap XML output files and prints the differences between them.
In the next paragraphs, I will assume that you have a running Linux machine with Nmap and Ndiff properly installed. Please, refer to the setup documentation if you have question about their installation. Note that Nmap is a wonderful tool and has plenty of options. This is not the goal to cover all Nmap features here. Please check the Nmap documentation for more information.
Defining the base line
First, we will perform a scan of our network and save the results into a XML file.
Warning: Do not scan network if you don’t have rights to! In most countries, network scanning is an illegal operation. Take care!
Let’s go with the following command:
# nmap -n -oX /root/baseline.xml 10.255.0.0/24
It will perform a complete scan of the whole C class 10.255.0.0 and save the result in a XML file. During the scan execution, useful information will also be printed on the console.
Scheduling the daily scan
We have now an overview of our network. Let’s schedule a new network scan via a crontab entry every night (hour, week or month depending on your needs):
0 1 * * * (touch /var/run/nmap.running; \ nmap -n -oX /root/current.xml 10.255.0.0/24 >/dev/null; \ rm /var/run/nmap.running)
As we do not know exactly when the scan will be finished, let’s create a lock file during the process execution (/var/run/nmap.running). A new XML file will be created with the current network status.
Generating the report
Via a second crontab entry, we use now Ndiff to generate the difference report between the base line and the current scanner results. Then, we overwrite the base line with the latest results. Notice that the presence of the lock file created above is checked to prevent the Ndiff to run if the scan process is not yet complete. The output of the cron command will be sent by e-mail to the network administrator.
0 2 * * * (while [ -f /var/run/nmap.running]; do sleep 5; done; \ ndiff /root/baseline.xml /root/current.xml | \ /bin/maix -s "Network Scan" firstname.lastname@example.org; \ mv /root/current.xml /root/baseline.xml)
Here are example of generated reports. The first one has detected an unknow SMTP server which was successfully stopped:
# ndiff /root/baseline.xml /root/current.xml Wed Oct 15 13:25:02 2008 -> Wed Oct 15 13:25:02 2008 server1.rootshell.be (10.255.0.12): 25/tcp is closed, was open.
The second one shows a new detected host and its running services:
# ndiff /root/baseline.xml /root/current.xml Wed Oct 15 13:50:15 2008 -> Wed Oct 15 21:42:29 2008 10.255.0.10: Host is up, was unknown. Add ipv4 address 10.255.0.10. 22/tcp is open. 25/tcp is open. 998 tcp ports are filtered.
The Nmap/Ndiff combination will help you to detect changes on your network(s). This can be helpful to deploy monitoring of newly detected services. This can also help to detect potential security breaches. However, this solution is not a vulnerability scanner (like Nessus or OpenVAS)! This is a free and reliable solution to increase your network security. Why hesitate?