Using python-nmap

Once python-nmap is installed, we can import the nmap module from our scripts or from the interactive interpreter, for example:

Once we have verified the module installation, we can start to perform scans on a specific host. For this, we must instantiate the PortScanner() class, which gives us access to its most important method: scan(). A good practice for understanding how a function, method, or object works is to use the help() or dir() functions to find out which methods a module makes available:

If we execute help(port_scan.scan), where port_scan is a PortScanner instance, we see that the scan() method of the PortScanner class receives three main arguments: the host(s), the ports, and the Nmap arguments, all of which must be strings. Recent versions also accept the optional keyword parameters sudo and timeout.

With the help command, we can see that information:

The first thing we have to do is import the Nmap library and create our object to start interacting with PortScanner().

We launch our first scan with the scan('ip', 'ports') method, where the first parameter is the IP address, the second is a port list, and the third parameter (the Nmap arguments) is optional. If we do not define it, python-nmap runs its default arguments (-sV, service version detection):

import nmap
nm = nmap.PortScanner()
results = nm.scan('192.168.56.101', '1-80', '-sV')

In this example, a scan is performed on the virtual machine with the IP address 192.168.56.101 on ports in the 1-80 range. With the argument -sV, we are telling Nmap to detect the service versions while scanning.

The result of the scan is a dictionary that contains the same information that a scan made directly with Nmap would return. We can also go back to the object we instantiated from the PortScanner() class and test its methods. We can see the nmap command that has actually been executed in the following screenshot, obtained with the command_line() method.

To obtain more information about the service that is running on a certain port, we can use the tcp() method, which takes the port number and returns that port's dictionary (state, reason, name, product, version, and so on).

In this example, we can see how to obtain information about a specific port with the tcp method:

We can also see if a host is up or not with the state() function that returns the state property we can see in the previous screenshot:

nm['192.168.56.101'].state()

We also have the all_hosts() method, which returns the list of hosts that were scanned, so we can see which hosts are up and which are not:

for host in nm.all_hosts():
    print('Host : %s (%s)' % (host, nm[host].hostname()))
    print('State : %s' % nm[host].state())

We can also see, for each protocol, the port ranges (services) that were targeted in the scan, as well as the scanning method used, with the scaninfo() method:

nm.scaninfo()

We can also iterate over all the protocols reported for a host with all_protocols(), and list the state of each port scanned under each protocol:

for proto in nm[host].all_protocols():
    print('Protocol : %s' % proto)
    # keys() returns a view in Python 3, so sort it with sorted()
    listport = sorted(nm[host][proto].keys())
    for port in listport:
        print('port : %s state : %s' % (port, nm[host][proto][port]['state']))
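To see the dictionary layout that the methods above expose without needing a live target (or even the nmap binary), the following added example, which is not code from the book or from python-nmap, parses Nmap XML output, the same `-oX -` output that python-nmap itself reads, into the nested dict layout described in this chapter, and then answers the same questions (host state, hostname, open ports, service banner) from it. The XML is a constructed sample for a Metasploitable-like host plus a second host that is down; the sample, the down-host entry and the helper function names are assumptions of the example.

```python
"""Added example: rebuild python-nmap's result dict from Nmap XML.

python-nmap runs `nmap -oX -` and turns the XML into nested dicts:
result['nmap']['command_line'], result['nmap']['scaninfo'][proto],
result['scan'][host]['status']['state'], ['hostnames'], and
result['scan'][host][proto][port]['state'/'name'/'product'/'version'].
The parser below reproduces the parts of that layout used in the chapter.
"""
import xml.etree.ElementTree as ET

# Constructed sample (not real scan output): one host up, one host down.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX - -sV -p 21,22,80,8080 192.168.56.101 192.168.56.102" version="7.94">
<scaninfo type="connect" protocol="tcp" numservices="4" services="21-22,80,8080"/>
<host><status state="up" reason="syn-ack"/>
<address addr="192.168.56.101" addrtype="ipv4"/>
<hostnames><hostname name="metasploitable" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/><service name="ftp" product="vsftpd" version="2.3.4"/></port>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="4.7p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd" version="2.2.8"/></port>
<port protocol="tcp" portid="8080"><state state="closed" reason="conn-refused"/><service name="http-proxy"/></port>
</ports></host>
<host><status state="down" reason="no-response"/>
<address addr="192.168.56.102" addrtype="ipv4"/><hostnames/></host>
<runstats><finished elapsed="1.23"/><hosts up="1" down="1" total="2"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Parse Nmap XML into a dict shaped like python-nmap's scan() result."""
    root = ET.fromstring(xml_text)
    result = {"nmap": {"command_line": root.get("args", ""), "scaninfo": {}}, "scan": {}}
    for si in root.findall("scaninfo"):
        result["nmap"]["scaninfo"][si.get("protocol")] = {
            "method": si.get("type"), "services": si.get("services")}
    for host in root.findall("host"):
        addr = host.find("address").get("addr")  # python-nmap keys hosts by IP
        status = host.find("status")
        entry = {
            # python-nmap always has at least one (possibly empty) hostname entry
            "hostnames": [{"name": h.get("name"), "type": h.get("type")}
                          for h in host.iter("hostname")] or [{"name": "", "type": ""}],
            "status": {"state": status.get("state"), "reason": status.get("reason")},
        }
        for port in host.iter("port"):  # a down host has no <ports>, so no 'tcp' key
            proto, state, svc = port.get("protocol"), port.find("state"), port.find("service")
            entry.setdefault(proto, {})[int(port.get("portid"))] = {
                "state": state.get("state"),
                "reason": state.get("reason"),
                "name": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            }
        result["scan"][addr] = entry
    return result


def host_state(result, host):
    """Mirror nm[host].state(); 'unknown' instead of KeyError for an absent host."""
    entry = result["scan"].get(host)
    return entry["status"]["state"] if entry else "unknown"


def open_ports(result, host, proto="tcp"):
    """Sorted open ports for host/proto; [] when the host or protocol is missing."""
    entry = result["scan"].get(host, {})
    return sorted(p for p, info in entry.get(proto, {}).items() if info["state"] == "open")


def service_banner(result, host, port, proto="tcp"):
    """Mirror nm[host].tcp(port): 'name product version', or None if not scanned."""
    info = result["scan"].get(host, {}).get(proto, {}).get(port)
    if info is None:
        return None
    return " ".join(x for x in (info["name"], info["product"], info["version"]) if x)


if __name__ == "__main__":
    res = parse_nmap_xml(SAMPLE_XML)
    print("command:", res["nmap"]["command_line"])
    print("scaninfo:", res["nmap"]["scaninfo"])
    for host, entry in res["scan"].items():
        print(host, entry["hostnames"][0]["name"] or "-", entry["status"]["state"])
        for proto in sorted(k for k in entry if k in ("tcp", "udp")):  # all_protocols()
            for port in sorted(entry[proto]):
                print("  %s/%d %s %s" % (proto, port, entry[proto][port]["state"],
                                         service_banner(res, host, port, proto)))
```

The two lookups that bite in practice are visible here: a host that is down has a status entry but no 'tcp' key, and a host that was not scanned at all is simply absent from the 'scan' dict, so indexing nm[host] or nm[host]['tcp'] blindly raises KeyError. Checking membership first, as the helpers above do, avoids that.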

The following script performs a scan with python-nmap under the following conditions:

  • Ports to scan: 21,22,23,25,80,8080.
  • The -n option, so that no DNS resolution is performed.
  • Once the scan data has been obtained, save it in a scan.txt file.

You can find the following code in the filename: Nmap_port_scanner.py:

#!/usr/bin/env python3

# import nmap module
import nmap

# initialize PortScanner
nm = nmap.PortScanner()

# ask the user for the host that we are going to scan
host_scan = input('Host scan: ')
while host_scan == "":
    host_scan = input('Host scan: ')

# execute scan in portlist, without DNS resolution (-n)
portlist = "21,22,23,25,80,8080"
nm.scan(hosts=host_scan, arguments='-n -p ' + portlist)

# show nmap command
print(nm.command_line())

hosts_list = [(x, nm[x]['status']['state']) for x in nm.all_hosts()]

# write in scan.txt file
with open('scan.txt', 'w') as scan_file:
    for host, status in hosts_list:
        print(host, status)
        scan_file.write(host + ' ' + status + '\n')

        # show state for each port. Results are keyed by IP address, so we
        # iterate over the hosts Nmap actually reported instead of indexing
        # nm[host_scan] directly; a host that is down has no 'tcp' entry,
        # hence the defensive .get() calls
        tcp_ports = nm[host].get('tcp', {})
        for port in portlist.split(','):
            state = tcp_ports.get(int(port), {}).get('state', 'unknown')
            print("Port:" + port + " " + "State:" + state)
            scan_file.write("Port:" + port + " " + "State:" + state + '\n')

Nmap_port_scanner.py execution:

In this screenshot we can see the state of the ports passed as parameters for the Metasploitable VM with the specified IP address:
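The script above writes a flat scan.txt. A practitioner usually wants a baseline that later runs can be compared against, so the following added example (not from the book or python-nmap) goes a step beyond the text: it stores the port states of each up host as JSON and diffs two runs to report ports that have opened or closed in between. The BASELINE and CURRENT dicts are hand-built in the shape that nm[host] returns (status, then tcp → port → state) and are assumptions of the example, as are the function names.

```python
"""Added example: persist python-nmap port states as JSON and diff two runs.

Input dicts are shaped like python-nmap's result['scan'] (i.e. what nm[host]
returns for each host): {host: {'status': {'state': ...}, 'tcp': {port: {...}}}}.
"""
import json
import os
import tempfile

# Constructed sample results (assumption, not real scan output).
BASELINE = {
    "192.168.56.101": {"status": {"state": "up"},
                       "tcp": {21: {"state": "open"}, 22: {"state": "open"},
                               23: {"state": "closed"}, 80: {"state": "open"}}},
}
CURRENT = {
    "192.168.56.101": {"status": {"state": "up"},
                       "tcp": {21: {"state": "closed"}, 22: {"state": "open"},
                               23: {"state": "open"}, 80: {"state": "open"}}},
    "192.168.56.102": {"status": {"state": "up"}, "tcp": {8080: {"state": "open"}}},
    "192.168.56.103": {"status": {"state": "down"}},  # down host: no 'tcp' key at all
}


def port_states(scan, proto="tcp"):
    """{host: {port: state}} for every host reported as up; down hosts are skipped."""
    return {host: {int(p): info["state"] for p, info in entry.get(proto, {}).items()}
            for host, entry in scan.items()
            if entry.get("status", {}).get("state") == "up"}


def save_scan(scan, path):
    """Write the port states as JSON (sorted keys so files diff cleanly in git)."""
    with open(path, "w") as fh:
        json.dump(port_states(scan), fh, indent=2, sort_keys=True)


def load_scan(path):
    """Read a saved snapshot; JSON object keys are strings, so ports go back to int."""
    with open(path) as fh:
        data = json.load(fh)
    return {host: {int(p): s for p, s in ports.items()} for host, ports in data.items()}


def diff_scans(old, new):
    """Ports that became open (or stopped being open) between two snapshots."""
    opened, closed = {}, {}
    for host in sorted(set(old) | set(new)):
        o, n = old.get(host, {}), new.get(host, {})
        op = sorted(p for p, s in n.items() if s == "open" and o.get(p) != "open")
        cl = sorted(p for p, s in o.items() if s == "open" and n.get(p) != "open")
        if op:
            opened[host] = op
        if cl:
            closed[host] = cl
    return {"opened": opened, "closed": closed}


def roundtrip(scan):
    """Save a scan to a temporary JSON file and load it back."""
    fd, path = tempfile.mkstemp(suffix=".json")
    os.close(fd)
    try:
        save_scan(scan, path)
        return load_scan(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    save_scan(BASELINE, "scan_baseline.json")
    changes = diff_scans(load_scan("scan_baseline.json"), port_states(CURRENT))
    for host, ports in changes["opened"].items():
        print("NEW OPEN   %s: %s" % (host, ports))
    for host, ports in changes["closed"].items():
        print("NOW CLOSED %s: %s" % (host, ports))
```

A host that disappears from the results (down, or filtered out by the host discovery phase) shows up as every one of its previously open ports being reported closed, which is usually worth a second look rather than silently treating it as remediated.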
