Nmap Development mailing list archives

Re: Version Detection based on past TCP/UDP scan results


From: "DePriest, Jason R." <jrdepriest () gmail com>
Date: Thu, 31 May 2007 15:56:05 -0500

On 5/30/07, Hyper 4S wrote:
All,

assuming we have the results (e.g. in greppable format) of a normal TCP/UDP
portscan, is it possible to version scan (-sV) the found open ports, without
repeating this TCP/UDP scan?

E.g. we have "output", the result of the scan "nmap -sS -sU -p0-65535 -oG
output [host]"

After having run this scan, we decide we would like to do version detection
on all found ports listed in "output", as "nmap -sS -sU -sV -p0-65535
[host]" would give us by rescanning the host.

Is there a way to speed this up by skipping this redundant pre-version
detection scan, and relying on the portscan results found during an earlier
run?

Thanks!

H.


If you have the XML output logs, it can be done with Perl using the
Nmap::Parser module.

The documentation for the module even has a section with this intro
before the code: "Using multiple instances of Nmap::Parser is
extremely useful in helping audit/monitor the network Policy (ohh noo!
its that 'P' word!). In this example, we have a set of hosts that had
been scanned previously for tcp services where the image was saved in
base_image.xml. We now will scan the same hosts, and compare if any
new tcp have been open since then (good way to look for suspicious new
services). Easy security Compliance detection. (ooh noo! The 'C' word
too!)."

The module is available via CPAN and from links somewhere in this forum's archives.

I suppose if you are a master with sed or awk you could come up with a
one-liner that could use the -oG file instead of the -oX file.  That's
beyond me, though.

-Jason

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

