RFC - nmap "crawl" feature / script


RFC - nmap "crawl" feature / script

by DePriest, Jason R.

I have been pondering this feature since the --traceroute option was added.

I wonder if it would be possible to have nmap crawl the hops.  So that
after scanning the system you targeted, nmap will automatically scan
each of the hosts along the way with the same command-line options
(minus the option asking for the crawl -- we don't want to scan the same
systems multiple times).

I am working on a perl script to read an nmap output file and scan
from the traceroute data, but it would be easier if it were possible
straight from nmap.

I plan on using Nmap::Parser 1.16 for the perl script, but I don't see
a built in method to access the traceroute data.  I may end up using
XML::Twig raw and pulling it out that way.

But before I start doing anything, has anyone else ever considered
this a desirable feature?  If so, has someone already written a script
to handle it?

Thank you.

-Jason

--
NOTICE: Reading this email message requires root privileges which you
do not appear to possess. Sorry, dude.

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

Re: RFC - nmap "crawl" feature / script

by Eddie Bell-2

As well as traceroute you could look into the reason_ip field. The
field is only populated if a returned packet's source address is
different to the address of the host being scanned.

They normally turn out to be from routers and firewalls filtering for
other hosts.

- eddie

2008/7/8 DePriest, Jason R. <jrdepriest@...>:

> I have been pondering this feature since the --traceroute option was added.
>
> I wonder if it would be possible to have nmap crawl the hops.  So that
> after scanning the system you targeted, nmap will automatically scan
> each of the hosts along the way with the same command-line options
> (minus the option asking for the crawl -- we don't want to scan the same
> systems multiple times).
>
> I am working on a perl script to read an nmap output file and scan
> from the traceroute data, but it would be easier if it were possible
> straight from nmap.
>
> I plan on using Nmap::Parser 1.16 for the perl script, but I don't see
> a built in method to access the traceroute data.  I may end up using
> XML::Twig raw and pulling it out that way.
>
> But before I start doing anything, has anyone else ever considered
> this a desirable feature?  If so, has someone already written a script
> to handle it?
>
> Thank you.
>
> -Jason


Re: RFC - nmap "crawl" feature / script

by Vladimir Mitrovic

Hi Jason,

DePriest, Jason R. wrote:
> But before I start doing anything, has anyone else ever considered
> this a desirable feature?  If so, has someone already written a script
> to handle it?

I have written a Python script that does this (and a bit more) and posted it
here at nmap-dev (http://seclists.org/nmap-dev/2008/q1/0409.html). Check out
that post for an overview of how it works.

This is a part of my Summer of Code proposal, and is all planned as the
functionality of the future "network visualization" mode for Zenmap, where you
can combine RadialNet's graphical network representation with runtime updates
to the topology.

So, you could use a command similar to that script of mine to "initialize" the
topology, and then aggregate any subsequent scans to the topology, without the
need to run a new, broader scan. Or, for example, you could do a quick
initialization of your local LAN's topology with 'nmap -p80 --traceroute
192.168.1.0/28' and then proceed to append data to the topology by running more
in-depth scans on each of the hosts. Good stuff! The initial design is nearing
completion; I'll post to this list within the next couple of days, explaining
the proposed functionality in more detail.

Cheers,
Vladimir


Re: RFC - nmap "crawl" feature / script

by sara fink

Good idea. It reminded me of the concept of pivoting in core impact.
http://www.coresecurity.com/?module=ContentMod&action=item&id=519

On Tue, Jul 8, 2008 at 9:00 PM, DePriest, Jason R. <jrdepriest@...>
wrote:

> I have been pondering this feature since the --traceroute option was added.
>
> I wonder if it would be possible to have nmap crawl the hops.  So that
> after scanning the system you targeted, nmap will automatically scan
> each of the hosts along the way with the same command-line options
> (minus the option asking for the crawl -- we don't want to scan the same
> systems multiple times).
>
> I am working on a perl script to read an nmap output file and scan
> from the traceroute data, but it would be easier if it were possible
> straight from nmap.
>
> I plan on using Nmap::Parser 1.16 for the perl script, but I don't see
> a built in method to access the traceroute data.  I may end up using
> XML::Twig raw and pulling it out that way.
>
> But before I start doing anything, has anyone else ever considered
> this a desirable feature?  If so, has someone already written a script
> to handle it?
>
> Thank you.
>
> -Jason


Re: RFC - nmap "crawl" feature / script

by Brandon Enright

On Tue, 8 Jul 2008 13:00:22 -0500
"DePriest, Jason R." <jrdepriest@...> wrote:
...snip...
> But before I start doing anything, has anyone else ever considered
> this a desirable feature?  If so, has someone already written a script
> to handle it?
>
> Thank you.
>
> -Jason
>

I've chatted with Fyodor about a similar idea involving host discovery
via SNMP from the detected routers (hops) from a --traceroute.

The idea is that most bigger organisations have routing gear for which
you can extract the ARP/CAM table via SNMP to discover new hosts.  If
you learn about the local router for a host, a few SNMP queries later
and you can have all the hosts in that VLAN, or even all the hosts
for any VLAN routed out of that router.

After really fleshing the ideas out though we both agreed that while
that ability could be very useful, it is best left to an external
script.  Nmap is a great _port_scanner_ but probably shouldn't have
every darn networking task we can think of stuffed into it.

One thing that /would/ be nice though is to expose --traceroute
information to NSE so that a script can try to query the local router
for the target's MAC address.  IIRC this would require re-ordering NSE
to come after --traceroute.

Brandon



Re: RFC - nmap "crawl" feature / script

by DePriest, Jason R.

On Tue, Jul 8, 2008 at 11:13 PM, Brandon Enright <> wrote:

> On Tue, 8 Jul 2008 13:00:22 -0500
> "DePriest, Jason R." <> wrote:
> ...snip...
>> But before I start doing anything, has anyone else ever considered
>> this a desirable feature?  If so, has someone already written a script
>> to handle it?
>>
>> Thank you.
>>
>> -Jason
>>
>
> I've chatted with Fyodor about a similar idea involving host discovery
> via SNMP from the detected routers (hops) from a --traceroute.
>
> The idea is that most bigger organisations have routing gear for which
> you can extract the ARP/CAM table via SNMP to discover new hosts.  If
> you learn about the local router for a host, a few SNMP queries later
> and you can have all the hosts in that VLAN, or even all the hosts
> for any VLAN routed out of that router.
>
> After really fleshing the ideas out though we both agreed that while
> that ability could be very useful, it is best left to an external
> script.  Nmap is a great _port_scanner_ but probably shouldn't have
> every darn networking task we can think of stuffed into it.
>
> One thing that /would/ be nice though is to expose --traceroute
> information to NSE so that a script can try to query the local router
> for the target's MAC address.  IIRC this would require re-ordering NSE
> to come after --traceroute.
>
> Brandon

This at least reads the


Re: RFC - nmap "crawl" feature / script

by DePriest, Jason R.

On Tue, Jul 8, 2008 at 11:56 PM, DePriest, Jason R. <> wrote:

> On Tue, Jul 8, 2008 at 11:13 PM, Brandon Enright <> wrote:
>> On Tue, 8 Jul 2008 13:00:22 -0500
>> "DePriest, Jason R." <> wrote:
>> ...snip...
>>> But before I start doing anything, has anyone else ever considered
>>> this a desirable feature?  If so, has someone already written a script
>>> to handle it?
>>>
>>> Thank you.
>>>
>>> -Jason
>>>
>>
>> I've chatted with Fyodor about a similar idea involving host discovery
>> via SNMP from the detected routers (hops) from a --traceroute.
>>
>> The idea is that most bigger organisations have routing gear for which
>> you can extract the ARP/CAM table via SNMP to discover new hosts.  If
>> you learn about the local router for a host, a few SNMP queries later
>> and you can have all the hosts in that VLAN, or even all the hosts
>> for any VLAN routed out of that router.
>>
>> After really fleshing the ideas out though we both agreed that while
>> that ability could be very useful, it is best left to an external
>> script.  Nmap is a great _port_scanner_ but probably shouldn't have
>> every darn networking task we can think of stuffed into it.
>>
>> One thing that /would/ be nice though is to expose --traceroute
>> information to NSE so that a script can try to query the local router
>> for the target's MAC address.  IIRC this would require re-ordering NSE
>> to come after --traceroute.
>>
>> Brandon

Sorry about the last one.  Apparently, I accidentally hit a key
combination in GMail that sends messages.  Oops.

What I was going to say is that I have this perl snippet that is ugly but works.

It can read an XML file from Nmap, pull out the targets, then
determine the systems in the traceroute.

It is very ugly, but here it is.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
#!/usr/bin/perl
use strict;
use warnings;
use Data::Dumper;   # only needed while exploring the parsed data structure
# hack to fix the "cannot find ParserDetails.ini" error message from XML::SAX
BEGIN { $ENV{HARNESS_ACTIVE} = 1 }
use XML::Simple qw(:strict);

my $fileName = $ARGV[0] or die "usage: $0 nmap-output.xml\n";
chomp($fileName);
# ForceArray => 1: every element becomes a list; KeyAttr => []: never fold
# elements into hashes keyed on a name/id attribute
my $xref = XMLin($fileName, ForceArray => 1, KeyAttr => []);

for my $host (@{ $xref->{host} || [] }) {       # each host you scanned
    my $addr = $host->{address}[0]{addr};
    print "For target system $addr traceroute minus target was\n";
    # a host scanned without --traceroute has no <trace> element at all
    my @hops = @{ ($host->{trace} && $host->{trace}[0]{hop}) || [] };
    pop @hops;                                   # the last hop is the target itself
    for my $hop (@hops) {
        print "$hop->{ttl}\t$hop->{ipaddr}\n";
    }
}
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

You really don't *need* Data::Dumper, but it is what I used to figure
out how to create the ugly reference nightmares.

Output looks like this.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
C:\Tools\Code\projects\nmap-crawl>perl nmap-crawl.pl test-data.xml
For target system 10.x.x.5 traceroute minus target was
1       10.x.x.1
2       10.x.x.18
3       10.x.x.66
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

-Jason
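An added Python example (not Jason's Perl script and not part of the original thread) that builds the crawl list Jason describes: it takes the traceroute hops from nmap's -oX output, adds the reason_ip addresses Eddie pointed out, and drops the scanned targets themselves so nothing is scanned twice. The embedded XML is a constructed sample in nmap's output format, not real scan output.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's -oX format (two targets, -p80 --traceroute); not real scan output.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -p80 --traceroute -oX out.xml 10.0.0.5 10.0.0.7">
 <host><status state="up" reason="syn-ack"/>
  <address addr="10.0.0.5" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="80">
   <state state="open" reason="syn-ack" reason_ttl="63"/></port></ports>
  <trace port="80" proto="tcp">
   <hop ttl="1" ipaddr="10.0.0.1" rtt="0.50"/>
   <hop ttl="2" ipaddr="10.0.0.18" rtt="1.20"/>
   <hop ttl="3" ipaddr="10.0.0.5" rtt="2.10"/>
  </trace>
 </host>
 <host><status state="up" reason="echo-reply"/>
  <address addr="10.0.0.7" addrtype="ipv4"/>
  <address addr="00:11:22:33:44:55" addrtype="mac"/>
  <ports><port protocol="tcp" portid="80">
   <state state="filtered" reason="admin-prohibited" reason_ttl="64" reason_ip="10.0.0.66"/>
  </port></ports>
  <trace port="80" proto="tcp"><hop ttl="1" ipaddr="10.0.0.1" rtt="0.40"/></trace>
 </host>
</nmaprun>
"""

def crawl_candidates(xml_text):
    """Return the addresses seen only as intermediate devices: traceroute hops
    plus reason_ip senders, minus the scanned targets themselves."""
    root = ET.fromstring(xml_text)
    targets, seen = set(), set()
    for host in root.iter("host"):
        for addr in host.findall("address"):
            if addr.get("addrtype") in ("ipv4", "ipv6"):  # skip MAC addresses
                targets.add(addr.get("addr"))
        for hop in host.iter("hop"):                      # <trace><hop ipaddr=.../>
            if hop.get("ipaddr"):                         # defensive: hop with no address
                seen.add(hop.get("ipaddr"))
        for state in host.iter("state"):                  # <port><state reason_ip=.../>
            if state.get("reason_ip"):
                seen.add(state.get("reason_ip"))
    # Drop the targets so the follow-up scan never repeats a host already scanned.
    # IPv4 and IPv6 objects cannot be compared, so sort on (version, integer value).
    return sorted(seen - targets,
                  key=lambda s: (ipaddress.ip_address(s).version, int(ipaddress.ip_address(s))))

if __name__ == "__main__":
    for ip in crawl_candidates(SAMPLE_XML):
        print(ip)
```

The resulting list is what you would feed back to nmap as the second-round target list, with --traceroute left off as Jason suggests.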
