Combining tools from the Nmap project allows us to set up a simple but powerful monitoring system. This can then be used by system administrators monitoring a web server or by penetration testers wanting to surveil a remote system.
This recipe describes how to use bash scripting, cron, Nmap, and Ndiff to set up a monitoring system that alerts the user by an e-mail if changes are detected in a network.
Create the directory /usr/local/share/nmap-mon/ to store all the necessary files.
Scan your target host and save the results in the directory that you just created.
# nmap -oX base_results.xml -sV -PN <target>
The resulting file base_results.xml will be used as your base file, meaning that it should reflect the known "good" versions and ports.
Copy the file nmap-mon.sh into your working directory.
The output of the scan will be as follows.
#!/bin/bash #Bash script to email admin when changes are detected in a network using Nmap and Ndiff. # #Don't forget to adjust the CONFIGURATION variables. #Paulino Calderon <[email protected]> # #CONFIGURATION # NETWORK="YOURDOMAIN.COM" [email protected] NMAP_FLAGS="-sV -Pn -p- -T4" BASE_PATH=/usr/local/share/nmap-mon/ BIN_PATH=/usr/local/bin/ BASE_FILE=base.xml NDIFF_FILE=ndiff.log NEW_RESULTS_FILE=newscanresults.xml BASE_RESULTS="$BASE_PATH$BASE_FILE" NEW_RESULTS="$BASE_PATH$NEW_RESULTS_FILE" NDIFF_RESULTS="$BASE_PATH$NDIFF_FILE" if [ -f $BASE_RESULTS ] then echo "Checking host $NETWORK" ${BIN_PATH}nmap -oX $NEW_RESULTS $NMAP_FLAGS $NETWORK ${BIN_PATH}ndiff $BASE_RESULTS $NEW_RESULTS > $NDIFF_RESULTS if [ $(cat $NDIFF_RESULTS | wc -l) -gt 0 ] then echo "Network changes detected in $NETWORK" cat $NDIFF_RESULTS echo "Alerting admin $ADMIN" mail -s "Network changes detected in $NETWORK" $ADMIN < $NDIFF_RESULTS fi fi
Update the configuration values according to your system.
NETWORK="YOURDOMAIN.COM" [email protected] NMAP_FLAGS="-sV -Pn -p- -T4" BASE_PATH=/usr/local/share/nmap-mon/ BIN_PATH=/usr/local/bin/ BASE_FILE=base.xml NDIFF_FILE=ndiff.log NEW_RESULTS_FILE=newscanresults.xml
Make nmap-mon.sh executable by entering the following command:
# chmod +x /usr/local/share/nmap-mon/nmap-mon.sh
You can now run the script nmap-mon.sh to make sure it is working correctly.
# /usr/local/share/nmap-mon/nmap-mon.sh
Launch your crontab editor:
# crontab -e
Add the following command:
0 * * * * /usr/local/share/nmap-mon/nmap-mon.sh
You should now receive e-mail alerts when Ndiff detects a change in your network.
Ndiff is a tool for comparing two Nmap scans. With some help from bash and cron, we set up a task that is executed at regular intervals to scan our network and compare our current state with an older state, in order to identify the differences between them.
You can adjust the interval between scans by modifying the cron line:
0 * * * * /usr/local/share/nmap-mon/nmap-mon.sh
To update your base file, you simply need to overwrite your base file located at /usr/local/share/nmap-mon/. Remember that when we change the scan parameters to create our base file, we need to update them in nmap-mon.sh too.
To monitor some specific service, you need to update the scan parameters in nmap-mon.sh.
NMAP_FLAGS="-sV -Pn"
For example, if you would like to monitor a web server, you may use the following parameters:
NMAP_FLAGS="-sV --script http-google-safe -Pn -p80,443"
These parameters set port scanning only to ports 80 and 443, and in addition these parameters include the script http-google-safe to check if your web server has been marked as malicious by the Google Safe Browsing service.
- The Listing open ports on a remote host recipe
- The Fingerprinting services of a remote host recipe
- The Finding live hosts in your network recipe
- The Running NSE scripts recipe
- The Comparing scan results with Ndiff recipe
- The Discovering hosts with ICMP ping scans recipe in Chapter 2, Network Exploration
- The Scanning IPv6 addresses recipe in Chapter 2, Network Exploration
- The Gathering network information with broadcast scripts recipe in Chapter 2, Network Exploration
- The Checking if a host is known for malicious activities recipe in Chapter 3, Gathering Additional Host Information
- The Discovering UDP services recipe in Chapter 3, Gathering Additional Host Information