Wednesday, October 29, 2014

Automating nmap and ndiff with PowerShell

I like to perform reconnaissance against my network border on a regular basis to identify new services and new hosts.  With nmap, some bash, and cron, this is pretty easy to do.  Unfortunately, the system I have outside our network to do this with is a Windows system with Kali running in a VM.  I say unfortunately, because for some scans, running from Kali within a VM is significantly slower than performing a scan from nmap in Windows.  I know you're thinking "But why don't you just get a *nix box in the cloud?"  You deal with what you have available to you.  Larger organizations sometimes come with less flexibility.

I wanted to be able to scan a given set of hosts and compare the results of each scan against the previous scan.  The ndiff utility included with nmap was designed to do just that.  I also wanted to get those results emailed to me.  I also wanted to encrypt these results before emailing them, because reasons.  I hadn't spent a lot of time with PowerShell, so this seemed like an opportunity to both get something done and learn PowerShell.  The result is scandiff, a partial wrapper for nmap, ndiff, and 7Zip written in PowerShell.

Scandiff does a discovery scan against the targets supplied, looking for open ports to identify live hosts.  These hosts are then re-scanned using a larger set of ports and service version probing (-sV).  I chose this two-step method to decrease overall scan times when scanning large IP spaces.  If the IP space being scanned is behind a firewall that blocks pings and does not return RST, nmap will determine all ports are "open|filtered" and mark the host as up.  The downside to this approach is that it is possible to miss hosts which have ports open but are not included in the probed ports list.  It is advisable to review your infrastructure and include all common ports for your network's services in your discovery probe list.

Scandiff retains the previous output in an XML file, $basename-prev.xml.  Once the scan has completed, ndiff is run to compare the current scan results against the previous results to generate a -diff.txt file.

Once the ndiff operation has completed, the XML files, nmap log, and diff file are added to an encrypted 7Zip archive.  This archive is added as an attachment to a System.Net.Mail.MailMessage email object.  The results are then emailed to a designated recipient using the PowerShell Net.Mail.SMTPClient.

I used Gmail to relay the output to my inbox.  This section can be modified to relay through a different email server, and authentication can be disabled if not required by your mail server.  Email output can be disabled completely by specifying "-email 0" or "-email $False".
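The pipeline described above (discovery scan, rescan of live hosts with -sV, rotation of the previous XML, ndiff, encrypted 7-Zip archive, mail via System.Net.Mail), as an added PowerShell example that is not the scandiff project's own code.  The executable paths, port lists, mailbox addresses and the `$BaseName`/`$OutDir`/`$Email` parameter names are assumptions chosen for the example; substitute your own.

```powershell
# Added example, not code from the scandiff project: a minimal nmap -> ndiff -> 7-Zip -> SMTP
# pipeline in the shape the post describes. Paths, port lists, hostnames and addresses below
# are placeholder assumptions; adjust them for your environment.
param(
    [Parameter(Mandatory=$true)][string]$Targets,             # e.g. "203.0.113.0/24" (constructed placeholder)
    [string]$BaseName   = "border",
    [string]$OutDir     = "C:\scans",
    [string]$DiscPorts  = "21,22,25,80,443,445,3389,8080",    # assumed discovery list; extend for your services
    [string]$FullPorts  = "1-1024,1433,3306,5900,8000-8999",  # assumed rescan list
    [string]$Nmap       = "C:\Program Files (x86)\Nmap\nmap.exe",
    [string]$Ndiff      = "C:\Program Files (x86)\Nmap\ndiff.exe",
    [string]$SevenZip   = "C:\Program Files\7-Zip\7z.exe",
    [bool]  $Email      = $true,                              # -Email $False disables mailing, like the post's -email 0
    [string]$SmtpServer = "smtp.gmail.com",
    [int]   $SmtpPort   = 587,
    [string]$MailFrom   = "scanner@example.com",              # placeholder
    [string]$MailTo     = "me@example.com"                    # placeholder
)

$ErrorActionPreference = "Stop"
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

$curXml  = Join-Path $OutDir "$BaseName.xml"
$prevXml = Join-Path $OutDir "$BaseName-prev.xml"
$discXml = Join-Path $OutDir "$BaseName-disc.xml"
$diffTxt = Join-Path $OutDir "$BaseName-diff.txt"
$logTxt  = Join-Path $OutDir "$BaseName.log"
$archive = Join-Path $OutDir ("$BaseName-{0:yyyyMMdd-HHmm}.7z" -f (Get-Date))

# Step 1: discovery scan of a short port list. -Pn skips the ICMP/ping probes that a border
# firewall may drop, so liveness is decided below by "at least one probed port is open".
& $Nmap -Pn -n -p $DiscPorts -oX $discXml $Targets | Out-File $logTxt

[xml]$disc = Get-Content -Raw $discXml
$live = @($disc.nmaprun.host |
    Where-Object { @($_.ports.port | Where-Object { $_.state.state -eq "open" }).Count -gt 0 } |
    ForEach-Object { @($_.address | Where-Object { $_.addrtype -eq "ipv4" })[0].addr })
if ($live.Count -eq 0) { Write-Warning "No live hosts found in discovery scan"; return }

# Step 2: rotate the last full scan to -prev.xml, then version-scan only the live hosts.
if (Test-Path $curXml) { Move-Item -Force $curXml $prevXml }
& $Nmap -Pn -n -sV -p $FullPorts -oX $curXml $live | Out-File $logTxt -Append

# Step 3: ndiff previous vs current. Exit code 0 = same, 1 = differences, 2 = error.
if (Test-Path $prevXml) {
    & $Ndiff $prevXml $curXml | Out-File $diffTxt
    if ($LASTEXITCODE -eq 2) { throw "ndiff reported an error" }
} else {
    "First run: no previous scan to diff against" | Out-File $diffTxt
}

# Step 4: encrypt the results. -mhe=on also encrypts the file names inside the archive.
$secure = Read-Host -AsSecureString "Archive password"
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$files  = @($curXml, $prevXml, $diffTxt, $logTxt) | Where-Object { Test-Path $_ }
& $SevenZip a -t7z -mhe=on "-p$plain" $archive $files | Out-Null
Remove-Variable plain

# Step 5: mail the archive with System.Net.Mail, the diff summary in the body.
if ($Email) {
    $msg = New-Object System.Net.Mail.MailMessage -ArgumentList $MailFrom, $MailTo
    $msg.Subject = "scandiff results for $BaseName"
    $msg.Body    = Get-Content -Raw $diffTxt
    $msg.Attachments.Add((New-Object System.Net.Mail.Attachment -ArgumentList $archive))
    $smtp = New-Object System.Net.Mail.SmtpClient -ArgumentList $SmtpServer, $SmtpPort
    $smtp.EnableSsl   = $true
    $smtp.Credentials = (Get-Credential -Message "SMTP credentials").GetNetworkCredential()
    $smtp.Send($msg)
    $msg.Dispose()
}
```

Two points worth checking before running this on a schedule.  First, 7z.exe receives the archive password on its command line, so it is visible to anyone on the scanning host who can list process arguments while the archive is being built; if that host is shared, prefer a local user account only you can run processes as.  Second, the `Read-Host` and `Get-Credential` prompts are interactive; for an unattended Task Scheduler run, export the credentials once with `Export-Clixml` (which protects the SecureString with DPAPI for that user on that machine) and load them with `Import-Clixml` instead.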

I'm still playing around with the nmap options to find the right balance of accuracy and thoroughness vs. performance.  The script also has very little error handling.  I will be working on adding this in the coming weeks.  I am also looking at being able to specify the majority of configuration options from a configuration file to make the command line operation less unwieldy.

Scandiff can be downloaded from github here: https://github.com/hardwaterhacker/scandiff.  Let me know if you find this useful.  I'd welcome any input on how to improve this script.
