Remote Nmap Scanning with Zenmap

nmap-matrix2_0 I’m not going to insult you by describing the tool Nmap. This is probably the best scanner available on the Internet. Not because it is often used in movies, but just because it does an excellent job! Nmap has plenty of options. So much that reading the Nmap book is a must!

In parallel to the main Nmap tool, a lot of other utilities have been developed to extend even more the features or ease of use. Well known examples are: Nping, Ndiff or Zenmap. As said on the website, “Zenmap is the official Nmap Security Scanner GUI“. It helps the beginners to understand and master the power of Nmap. It helps to create powerful scan profiles based on the huge amount of scan options. But it is also used by people who prefer a GUI instead of a CLI. Last but not least, it offers nice features like building an automatic topology, saving the scan and performing differences between different scan (using Ndiff).

When you use Zenmap to scan a network or hosts, it launches a Nmap process with the chosen parameters. The results are processed from the generated XML file. The Nmap process runs on the same host as Zenmap and, sometimes, it can be a problem! Examples:

  • My home ADSL provider blocks “dangerous” ports like SMTP (WTF!)
  • I’m running Zenmap from a corporate LAN and I’d like to hide it to my target.
  • I’d like to scan from a specific host with specific access rights to the target.

Why not start a Nmap scan from Zenmap but executed on a remote host? Zenmap is able to read a XML produced manually using the “-f” flag. Of course, you can execute your scan manually from the remote host and transfer the results locally. But why not automate all this stuff and run the remote scan directly from Zenmap?

First, I assume that you have a remote host reachable via SSH using a key pair and that your remote user has enough rights to start Nmap (on a technical and legal point of views – reminder: scan only the networks on which you are authorized!) Also, don’t forget that some Nmap options require root’s privileges! The procedure to connect to the remote host must be fully automatic. Use a key pair without a pass phrase or use ssh-agent to unlock your key.

Practically, when you generate a Nmap command line from Zenmap, it appends the following argument before launching the scan:

-oX /tmp/zenmap-xxxxx.xml

‘xxxxxx’ is made of random characters. This XML file will be read by Zenmap to extract the scan results and parse them. That’s why the temporary file must be created on the local machine and not on the remote one where Nmap will be launched. To achieve this, I used a small “wrapper” instead of the Nmap command. How? When you started Zenmap for the first time, it created a configuration file in your home directory: $HOME/.zenmap/zenmap.conf. Edit the file and search for the following line:

nmap_command_path = nmap

Replace the default “nmap” with something like “/usr/local/bin/nmap_wrapper.sh“. Save and exit. Note that you may maintain multiple configurations and specify which one to use when you start Zenmap:

zenmap --confdir=$HOME/.zenmap-remote

Now create the wrapper script (don’t forget to make it executable):

#!/bin/bash
# Nmap wrapper which executes a nmap to a remote host
REMOTE_HOST=scanner.acme.org
REMOTE_USER=nmapuser
REMOTE_NMAP=/usr/bin/nmap
ARGS=$*
NMAP_ARGS=`echo $ARGS | awk '{ for(i=1; i<=NF-2; i++) { printf("%s ", $(i)); } }'`
TMP_FILE=`echo $ARGS | awk '{  printf("%s", $(NF)); }'`
# Launch nmap and save the local XML file
ssh -l $REMOTE_USER $REMOTE_HOST "$REMOTE_NMAP $NMAP_ARGS -oX -" >$TMP_FILE

The script will extract the Nmap arguments and the temporary output file. Then it will build a SSH command which will start the Nmap scan on a remote host. By using the flag “-oX -” (with a hyphen character), the XML results will be sent to stdout and SSH will save the output to the local file (with the classic redirection).

The biggest limitation is that, by using the “-oX -” flag, the interactive mode of Nmap is disabled and Zenmap is unable to give a real-time status of the scan (which can be quite long if the netmask  of the target is small or the options complex). If you’ve an idea how to send the XML output to stderr instead of stdout, let me know!

This is a quick hack I wrote to make my life easier, re-use at your own risks! Anyway, don’t forget: the command line interface is your best friend! 😉

One comment

  1. Instead of redirecting the ssh command directly to $TMP_FILE, why don’t you pipe stdout through tee? (Think a T-pipe fitting.) That command sends input both to stdout and to the file given as an argument, and it should be available on most Linux / UNIX systems.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.