Nmap Development mailing list archives

Re: Nmap "short" or "simplified" output?


From: Daniel Miller <bonsaiviking () gmail com>
Date: Wed, 21 May 2014 16:07:13 -0500

Ryan,

The closest that Nmap has for quick bare output is the Grepable format
(-oG, http://nmap.org/book/output-formats-grepable-output.html). This
format is "deprecated," which for practical purposes means that it hasn't
been updated in a long time, and won't be able to support any newer
features of Nmap. The big things that are missing are: NSE script output,
traceroute, MAC address, and CPE.

The most useful advice I can give regarding this is to learn how to turn
off the parts of Nmap that you don't want. Helpful options include:

-sn Turn off port scanning
-Pn Skip host discovery (Use with caution when scanning network ranges!)
-p Specify only the ports you want scanned and no others
-n Skip reverse name resolution
--version-light Reduce the number of service scan probes that are sent (can reduce accuracy)

And don't use -A unless you really mean it :)

Here are a few recipes I've used for quick Nmap scans and parsing:

# Print IP addresses that are up
nmap -n -sn -oG - $targets | awk '/Status: Up$/{print $2}'

# Print IP addresses that have port 22 open (abusing host discovery via TCP probes)
nmap -n -sn -PS22 -oG - $targets | awk '/Status: Up$/{print $2}'

# Print the reverse-dns names of a list of IPs without scanning them:
nmap -sL -oG - $targets | awk '$3~/\(.+\)/{print $3}' | tr -d '()'

# Print IPs that have any of these ports open:
nmap -n -p 21-25 -oG - $targets | awk '/\/open\//{print $2}'

You get the idea. Happy hacking!

Dan
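
The recipes above, collected into shell functions and run against a constructed sample of grepable output so the parsing can be checked without running Nmap. This is an added example, not code from the original post; the sample lines (addresses in 192.0.2.0/29, the names gw.example.net and printer.example.net) are made up, and the last function, open_ports, goes one step beyond the recipes by splitting the Ports section into one line per open port.

```shell
#!/bin/sh
# Added example, not part of the original post: the -oG recipes as shell
# functions, exercised against a CONSTRUCTED sample of grepable output so the
# parsing can be checked offline. Layout follows the grepable format: sections
# separated by a TAB, the Ports section holding comma-separated entries of the
# form port/state/proto/owner/service/rpc/version/.

TAB=$(printf '\t')

# Constructed sample: roughly what "nmap -v -p 21-25 -oG - 192.0.2.0/29" prints.
sample_grepable() {
  printf '%s\n' \
    '# Nmap 6.40 scan initiated Wed May 21 15:00:00 2014 as: nmap -v -p 21-25 -oG - 192.0.2.0/29' \
    "Host: 192.0.2.1 (gw.example.net)${TAB}Status: Up" \
    "Host: 192.0.2.1 (gw.example.net)${TAB}Ports: 21/closed/tcp//ftp///, 22/open/tcp//ssh///, 23/filtered/tcp//telnet///${TAB}Ignored State: closed (2)" \
    "Host: 192.0.2.2 ()${TAB}Status: Up" \
    "Host: 192.0.2.2 ()${TAB}Ports: 25/open/tcp//smtp///${TAB}Ignored State: closed (4)" \
    "Host: 192.0.2.3 (printer.example.net)${TAB}Status: Down" \
    '# Nmap done at Wed May 21 15:00:05 2014 -- 8 IP addresses (2 hosts up) scanned in 5.02 seconds'
}

# Recipe 1: IP addresses that are up (field 2 of each "Status: Up" line).
up_hosts() { awk '/Status: Up$/{print $2}'; }

# Recipe 3: reverse-DNS names; a bare "()" (no name) is skipped by the .+ in
# the pattern. sort -u is added because a port scan emits two Host lines per
# target, whereas -sL emits one.
rdns_names() { awk '$3~/\(.+\)/{print $3}' | tr -d '()' | sort -u; }

# Recipe 4: IPs with at least one open port anywhere on their Ports line.
hosts_any_open() { awk '/\/open\//{print $2}'; }

# Beyond the recipes: one "ip port/proto service" line per open port. Splits
# on TAB to find the Ports section, then on ", " and "/" for each entry.
open_ports() {
  awk -F "$TAB" '{
    for (i = 2; i <= NF; i++) {
      if ($i !~ /^Ports: /) continue
      split($1, h, " ")                    # h[2] is the IP address
      n = split(substr($i, 8), entry, ", ")
      for (j = 1; j <= n; j++) {
        split(entry[j], f, "/")            # f[1]=port f[2]=state f[3]=proto f[5]=service
        if (f[2] == "open") printf "%s %s/%s %s\n", h[2], f[1], f[3], f[5]
      }
    }
  }'
}

# Stand-alone demo; each function reads grepable output on stdin, so in real
# use replace "sample_grepable" with "nmap ... -oG -".
echo "== up =="; sample_grepable | up_hosts
echo "== rdns =="; sample_grepable | rdns_names
echo "== any open =="; sample_grepable | hosts_any_open
echo "== open ports =="; sample_grepable | open_ports
```

The functions are plain filters, so they also work on a saved grepable file (`open_ports < scan.gnmap`). Because the Ports section is only ever one line per host, splitting on the tab first and the entry separators second keeps the parse correct even when service names or version strings contain spaces.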


On Tue, May 20, 2014 at 8:13 AM, Ryan Robson <ringo380 () gmail com> wrote:

Heya,

I've had more trouble than I thought I would trying to find an answer to
this question, and it may really end up being more of a feature request,
but I could not track anything down to this effect in the documentation:

Is there a flag or option designed to simplify the output that nmap
provides? The example I've been using is dig's "+short", which just gives
you the basic response.

I realize that nmap provides output in a number of different ways
depending on how you use it, and for my purposes I'm generally just working
with port status output, so I'm sure it's not a simple matter to implement
a single flag that applies to all of the different types of nmap output, I
understand entirely. This is totally a mild inconvenience and 100%
unimportant in the scheme of things, but it's just something I've always
wondered but have never been able to confirm. I can of course grep it down
easily, but I always like to learn what I can about what can be done in the
original application itself before piping out to other applications.

I appreciate any response you could give on this!

Thanks,

Ryan Robson
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
