Sunday, March 19, 2017

A Simple Python 3 Script for my Favorite nmap Scripts

There are a few nmap scripts I use all the time. I can't always remember the syntax so I wrote a simple Python 3 script to list them.

If an IP address is required you are prompted to enter one. You can enter any valid IP address or address range in nmap format. There is no error checking, so if you enter an invalid address the script simply prints an invalid nmap command.

If an SNMP community string is required you will be prompted to enter it. Again, there is no error checking, so enter it carefully.

Example Usage

Troubleshooting NTP on Cisco devices can be time-consuming. The first step I take is to run the nmap ntp-info script. It quickly tells me whether the IP address I'm pointing the "ntp server" command at is actually serving NTP.

mhubbard@1S1K-SYS76:~/Dropbox/Python/Scripts$ python3 nmap3.py

0 Download Cisco Configs using SNMP
1 Checking Server Cipher Suites using ports 443, 465, 993 and 995
2 Display SSH fingerprint (Host Keys)
3 Troubleshooting DHCP with the NMAP Broadcast-DHCP-Discover script
4 Troubleshooting DHCP with the NMAP DHCP-Discover script
5 Troubleshooting IPv6 DHCP with a broadcast discover
6 Brute Forcing SNMP with NMAP - Requires a text file of guesses in c: ftp-root\snmp-string.txt
7 BACNET - scripts from https://github.com/digitalbond/Redpoint#enip-enumeratense
8 DNS Broadcast Discover
9 Banner Grab using banner-plus from HD Moore
10 NTP Monlist - Pull down NTP server information
11 NTP INFO - Pull down general NTP information
12 DNS Brute - Uses nselib/data/dns-srv-names for list of SRV records to try, nselib/data/vhosts-full.lst for hosts
13 SMB - Various scripts for SMB servers
14 SNMP on Windows
15 Basic Script Scan the -vv option includes more detail
16 SQL nmap --script smb-os-discovery.nse -p445 192.168.10.221
17 - Check for SSH V1


3.4.3 (default, Nov 17 2016, 01:08:31)
[GCC 4.8.4]


Input a number to select 11
Enter the IP Address 192.168.10.221
nmap -sU -p 123 --script ntp-info 192.168.10.221
mhubbard@1S1K-SYS76:~/Dropbox/Python/Scripts$ sudo nmap -sU -p 123 --script ntp-info 192.168.10.221

Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-19 18:23 PDT
Nmap scan report for 192.168.10.221
Host is up (0.0013s latency).
PORT    STATE SERVICE
123/udp open  ntp
| ntp-info:
|_  receive time stamp: 2017-03-20T01:23:57
MAC Address: 00:0C:29:4C:AA:4E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 10.31 seconds

If no receive time stamp comes back, the server you are pointing at is not serving NTP and won't work.
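The "no time stamp" check above can be automated. This is an added example, not code from the post: it parses nmap's normal output (the samples are constructed, modelled on the post's scan) and also handles the case the post does not show, a host that never answers, which nmap reports as open|filtered because it cannot tell a silent open UDP port from a filtered one.

```python
import re

# Constructed sample, modelled on the post's output: a server that answered.
GOOD = """\
PORT    STATE SERVICE
123/udp open  ntp
| ntp-info:
|_  receive time stamp: 2017-03-20T01:23:57
MAC Address: 00:0C:29:4C:AA:4E (VMware)
"""
# Constructed: a host that never answered. For a silent UDP port nmap cannot
# tell open from filtered, so it prints open|filtered and ntp-info outputs
# nothing. This is what "no time stamp" looks like in practice.
SILENT = """\
PORT    STATE         SERVICE
123/udp open|filtered ntp
"""

STAMP = re.compile(r"^\|_?\s+receive time stamp:\s*(\S+)", re.M)
OPEN = re.compile(r"^123/udp\s+open\s+ntp", re.M)

def ntp_status(nmap_output):
    """Return (serving, stamp). serving is True only when 123/udp is plainly
    open (not open|filtered) and ntp-info reported a receive time stamp."""
    m = STAMP.search(nmap_output)
    serving = OPEN.search(nmap_output) is not None and m is not None
    return serving, (m.group(1) if m else None)
```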

Environmental Monitoring Systems

Here is a more involved example. I do a lot of core switch and edge switch replacements, so it's important to know whether any Environmental Monitoring Systems (EMS) are in place. Choice 7 in the script returns each of the Digital Bond ICS nmap scripts. Luckily most of my customers have a dedicated EMS VLAN, so I just scan that VLAN.

BUT, I have found EMS devices on GUEST networks (oops!) and on user LAN segments, so you may need to scan a lot of networks.

Since there are a lot of different EMS vendors, the script outputs 11 different nmap scripts.

mhubbard@1S1K-SYS76:~/Dropbox/Python/Scripts$ python3 nmap3.py

0 Download Cisco Configs using SNMP
1 Checking Server Cipher Suites using ports 443, 465, 993 and 995
2 Display SSH fingerprint (Host Keys)
3 Troubleshooting DHCP with the NMAP Broadcast-DHCP-Discover script
4 Troubleshooting DHCP with the NMAP DHCP-Discover script
5 Troubleshooting IPv6 DHCP with a broadcast discover
6 Brute Forcing SNMP with NMAP - Requires a text file of guesses in c: ftp-root\snmp-string.txt
7 BACNET - scripts from https://github.com/digitalbond/Redpoint#enip-enumeratense
8 DNS Broadcast Discover
9 Banner Grab using banner-plus from HD Moore
10 NTP Monlist - Pull down NTP server information
11 NTP INFO - Pull down general NTP information
12 DNS Brute - Uses nselib/data/dns-srv-names for list of SRV records to try, nselib/data/vhosts-full.lst for hosts
13 SMB - Various scripts for SMB servers
14 SNMP on Windows
15 Basic Script Scan the -vv option includes more detail
16 SQL nmap --script smb-os-discovery.nse -p445 192.168.10.221
17 - Check for SSH V1


3.4.3 (default, Nov 17 2016, 01:08:31)
[GCC 4.8.4]


Input a number to select 7
Enter the IP Address 10.23.200.0/24
nmap -sU -p 47808 -n --script bacnet-info.nse 10.23.200.0/24
nmap -sU -p 47808 -n --script BACnet-discover-enumerate 10.23.200.0/24
nmap -sU -p 47808 -n --script BACnet-discover-enumerate --script-args full=yes 10.23.200.0/24
nmap -p 44818 --script enip-enumerate 10.23.200.0/24
nmap -p 1911 --script fox-info 10.23.200.0/24
nmap -p 502 --script modicon-info.nse -sV 10.23.200.0/24
nmap -p 9600 --script omrontcp-info 10.23.200.0/24
nmap -sU -p 9600 --script omronudp-info 10.23.200.0/24
nmap -p 1962 --script pcworx-info -sV 10.23.200.0/24
nmap -p 20547 --script proconos-info -sV 10.23.200.0/24
nmap -p 102 --script s7-enumerate -sV 10.23.200.0/24
sudo nmap -sU -p 47808 -n --script BACnet-discover-enumerate 10.23.200.0/24
sudo nmap -sU -p 47808 -n --script BACnet-discover-enumerate --script-args full=yes 10.23.200.0/24
sudo nmap -p 1911 --script fox-info 10.23.200.0/24
nmap -p 9600 --script omrontcp-info 10.23.200.0/24
sudo nmap -sU -p 9600 --script omronudp-info 10.23.200.0/24
nmap -p 1962 --script pcworx-info -sV 10.23.200.0/24
nmap -p 20547 --script proconos-info -sV 10.23.200.0/24
sudo nmap -p 102 --script s7-enumerate -sV 10.23.200.0/24
sudo nmap -p 44818 --script enip-enumerate 10.23.200.0/24
sudo nmap -p 502 --script modicon-info.nse -sV 10.23.200.0/24
mhubbard@1S1K-SYS76:~/Dropbox/Python/Scripts$
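As an added example, not the post's nmap3.py, here is a Python 3 menu of the same shape (one choice prints one command, the BACnet choice prints several, as above) that adds the input checking the post says the original lacks: the target must parse as one IP address or a CIDR range, and a community string is rejected if empty or containing whitespace and shell-quoted otherwise, so a pasted value cannot alter the printed command. Menu text and nmap commands come from the post, except the SNMP command, which is an assumed form since the post shows none.

```python
import ipaddress
import shlex
# Menu entries mirror the post's; the SNMP command form is assumed (none shown).
MENU = [
    ("NTP INFO - Pull down general NTP information",
     ["nmap -sU -p 123 --script ntp-info {target}"]),
    ("BACNET - Digital Bond Redpoint ICS scripts (two of the post's 11)",
     ["nmap -sU -p 47808 -n --script bacnet-info.nse {target}",
      "nmap -p 502 --script modicon-info.nse -sV {target}"]),
    ("SNMP sysDescr - community string required",
     ["nmap -sU -p 161 --script snmp-sysdescr "
      "--script-args snmpcommunity={community} {target}"]),
]

def validate_target(text):
    """One IP or CIDR range (a subset of nmap's syntax); None if malformed."""
    try:
        net = ipaddress.ip_network(text.strip(), strict=False)
    except ValueError:
        return None
    return str(net.network_address) if net.num_addresses == 1 else str(net)

def commands_for(choice, target, community=None):
    """Validate the inputs and fill the templates for one menu index."""
    target = validate_target(target)
    if target is None:
        raise ValueError("not a valid IP address or CIDR range")
    out = []
    for tmpl in MENU[choice][1]:
        if "{community}" in tmpl:
            if not community or any(ch.isspace() for ch in community):
                raise ValueError("community string must be non-empty, no whitespace")
            community = shlex.quote(community)  # metacharacters stay literal
        out.append(tmpl.format(target=target, community=community))
    return out

def main():
    for i, (desc, _) in enumerate(MENU):
        print(i, desc)
    try:
        choice = int(input("Input a number to select "))
        target = input("Enter the IP Address ")
        community = None
        if any("{community}" in t for t in MENU[choice][1]):
            community = input("Enter the community string ")
        print("\n".join(commands_for(choice, target, community)))
    except (ValueError, IndexError) as err:
        raise SystemExit(f"refusing to build the command: {err}")

if __name__ == "__main__":
    main()
```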



The Script

You can download the script on github at nmap-python
