Nmap is one of the best tools in a sysadmin's toolkit; this powerful tool allows us to quickly determine what computers and devices are on our network, what software and operating systems are running.

In most environments, esp. when there are a large number of servers and workstations in quite a number of subnets, its handy for system administrators to be able to easily find a free IP address.

There have been several times when various security managers have requested to know the following items:

All servers/workstations that are up
Are the following services running: SSH, Telnet, FTP, HTTP, HTTPS, RDP, SMTP
Is there anonymous FTP?
Is there anonymous FTP uploads?

Nmap is obviously the tool to complete the task to find out this information. If we could automate this, then we could easily generate reports for upper management!

Thankfully, the guys over at SANS have already completed most of the work for us. In the post: PowerShell Script To Parse nmap XML Output, the provide a script which gets Nmap XML output and makes it into a format that allows any powershell user to manipulate the results using all the usual commands (format-table, format-list, where-object, select-object).

I developed a simple script to find IP addresses that were in use and provide a simple output that any system administrator or service desk operator could read. The script is simple, and does the following tasks for each subject listed in an array:

Make a user friendly filename
Run nmap to perform a number of ICMP and TCP scans to find servers that are up (I recommend TCP SYN scanning on top of ICMP Ping to ensure you find firewall protected servers and workstations)
Parse the results of nmap and put them into a file in a more friendly format

The script looks like this:

nmap Command breakdown:

-PS20,21,22,23,25,3389,80,443,8080 is a TCP SYN Ping sweep of the subnet of ports 20, 21, 22 etc

-PE is ICMP ping (usual ping command)

-R is perform a reverse DNS look up

--dns-servers is specifying all of our DNS servers (incase you have reverse lookup zones across differing DNS servers)

-p 20,21,22,23,25,3389,80,443,8080 we want to scan these ports for possible reports later on

-oX $nmapfile --no-stylesheet outout the results to the filename and don't use a XML sylesheet

-A enable all advanced options

-v we want verbose output for reporting.

We end with the subnet we want to scan.

Kieran Jacobsen

Aug 23 Automating Nmap analysis with PowerShell

Aug 26 Backtrack 5, VNC and XRDP

Aug 22 MailScanner on Centos

Related Posts

Feb 1 Feb 1 Revisiting Syslog in PowerShell

Jul 1 Jul 1 Sending SYSLOG messages from PowerShell

Jun 24 Jun 24 Accessing the Internet from PowerShell: Net.WebClient

Feb 1
Feb 1 Revisiting Syslog in PowerShell

Jul 1
Jul 1 Sending SYSLOG messages from PowerShell

Jun 24
Jun 24 Accessing the Internet from PowerShell: Net.WebClient