Nmap Security Scanner
Ref Guide
Security Lists
Security Tools
Site News
Advertising
About/Contact
Credits
Sponsors
|

 |
Intro |
Reference Guide |
Book |
Install Guide |
Download |
Changelog |
Zenmap GUI |
Docs |
Bug Reports |
OS Detection |
Propaganda |
Related Projects |
In the Movies |
In the News |
|
 |
This output format is covered last because it is deprecated.
The XML output format is far more powerful, and is nearly as
convenient for experienced users. XML is a standard for which dozens
of excellent parsers are available, while grepable output is my own
simple hack. XML is extensible to support new Nmap features as they
are released, while I often must omit those features from grepable
output for lack of a place to put them. Nevertheless, grepable output is still quite popular. It is a
simple format that lists each host on one line and can be trivially
searched and parsed with standard Unix tools such as grep, awk, cut,
sed, diff, and Perl. Even I usually use it for one-off tests done at the
command line. Finding all the hosts with the SSH port open or that
are running Solaris takes only a simple grep to identify the hosts,
piped to an awk or cut command to print the desired fields. One grepable output aficionado is MadHat (madhat@unspecific.com), who contributed to this section. Example 13.13, “A typical example of grepable output” shows a
typical example of grepable output. Normally each host takes only one
line, but I split this entry into seven lines to fit on the page.
There are also three lines starting with a hash prompt (not counting
the Nmap command line). Those are comments describing when Nmap
started, the command line options used, and completion time and statistics.
One of the comment lines enumerates the port numbers that were
scanned. I shortened it to avoid wasting dozens of lines. That
particular comment is only printed in verbose (-v )
mode. Increasing the verbosity level beyond one -v
will not further change the grepable output. The times and dates have
been replaced with [time] to reduce line length. Example 13.13. A typical example of grepable output # nmap -oG - -T4 -A scanme.nmap.org
# nmap 3.77 scan initiated [time] as: nmap -oG - -T4 -A scanme.nmap.org
# Ports scanned: TCP(1663;1-1027,1029-1033,1040,...,65301) UDP(0;)↵
PROTOCOLS(0;)
Host: 205.217.153.62 (scanme.nmap.org)
Ports: 22/open/tcp//ssh//OpenSSH 3.1p1 (protocol 1.99)/,
25/open/tcp//smtp//qmail smtpd/, 53/open/tcp//domain//ISC BIND 9.2.1/,
80/open/tcp//http//Apache httpd 2.0.39 ((Unix) mod_perl|1.99_07-dev)/,
113/closed/tcp//auth/// Ignored State: filtered (1658)
OS: Linux 2.4.0 - 2.5.20|Linux 2.4.18 - 2.4.20 Seq Index: 3004446
IP ID Seq: All zeros
# Nmap run completed at [time] -- 1 IP address (1 host up) scanned in 27.177↵
seconds
The command-line here requested that grepable output be sent to
standard output with the - argument to
-oG . Aggressive timing (-T4 ) as
well as OS and version detection (-A ) were requested.
The comment lines are self-explanatory, leaving the meat of grepable output
in the Host line. Had I scanned more hosts, each
of the available ones would have its own Host line. The host line is split into fields, each of which consist of a
field name followed by a colon and space, then the field content. The
fields are separated by tab characters (ASCII number 9, '\t'). Example 13.13, “A typical example of grepable output” shows six fields: Host,
Ports, Ignored State, OS, Seq Index, and IP ID. A Status section is
included in list (-sL ) and ping
(-sP ) scans, and a Protocols section is included in
IP protocol (-sO ) scans. The exact fields given
depend on Nmap options used. For example, OS detection triggers the
OS, Seq Index, and IP ID fields. Because they are tab delimited, you
might split up the fields with a Perl line such as: @fields = split("\t", $host_line); In the case of Example 13.13, “A typical example of grepable output”, the array
@fields would contain six
members. $fields[0] would contain “Host:
205.217.153.62 (scanme.nmap.org) ”, and
$fields[1] would contain the long Ports field. Scripts
that parse grepable output should ignore fields they don't recognize,
as new fields may be added to support Nmap enhancements. The eight possible fields are described in the
following sections. Example: Host: 205.217.153.62 (scanme.nmap.org) The Host field always comes first and is included no matter what
Nmap options are chosen. The contents are the IP address (an IPv6
address if -6 was specified), a space, and then the
reverse DNS name in parentheses. If no reverse name is available,
the parentheses will be empty. Example: Ports: 111/open/tcp//rpcbind (rpcbind V2)/(rpcbind:100000*2-2)/2 (rpc #100000)/, 113/closed/tcp//auth/// The Ports field is by far the most complex, as can be seen in
Example 13.13, “A typical example of grepable output” It includes
entries for every interesting port (the ones which would be included
in the port table in normal Nmap output). The port entries are
separated with a comma and a space character. Each port entry
consists of seven subfields, separated by a forward slash (/). The subfields
are: port number, state, protocol, owner, service, SunRPC info, and
version info. Some subfields may be empty, particularly for basic port
scans without OS or version detection. The consecutive slashes in
Example 13.13, “A typical example of grepable output” reveal empty
subfields. In Perl, you might split them up as so: ($port, $state, $protocol, $owner, $service, $rpc_info, $version) =
split('/', $ports);
Alternatively, you could grab the information from the command
line using commands such as these:
cut -d/ -f<fieldnumbers >
awk -F/ '{print $<fieldnumber >}';
Certain subfields can contain a slash in other output modes.
For example, an SSL-enabled web server would show up as
ssl/http and the version info might contain strings
such as mod_ssl/2.8.12 . Since a slash is the
subfield delimiter, this would screw up parsing. To avoid this
problem, slashes are changed into the pipe character (|) when they
would appear anywhere in the Port field. Parsers should be written to allow more than seven
slash-delimited subfields and to simply ignore the extras because
future Nmap enhancements may call for new ones. The following
list describes each of the seven currently defined Port
subfields. - Port number
This is simply the numeric TCP or UDP port
number. - State
The same port state which would appear in the normal
output port table is shown here. - Protocol
This is tcp or udp . - Owner
Specifies the username that the remote service is
running under if ident scan (-I ) was requested and
succeeded. - Service
The service name, as obtained from an
nmap-services lookup, or (more reliably)
through version detection (-sV ) if it was requested
and succeeded. With version detection enabled, compound entries
such as ssl|http and entries with a trailing
question mark may be seen. The meaning is the same as for normal
output, as discussed in Chapter 7, Service and Application Version Detection - SunRPC info
If version detection (-sV ) or RPC
scan (-sR ) were requested and the port was found to
use the SunRPC protocol, the RPC program number and accepted version
numbers are included here. A typical example is
“(rpcbind:100000*2-2) ”. The data is always
returned inside parentheses. It starts with the program name, then
a colon and the program number, then an asterisk followed by the low
and high supported version numbers separated by a hyphen. So in
this example, rcpbind (program number 100,000) is listening on the
port for rcpbind version 2
requests. - Version info
If version detection is requested and succeeds,
the results are provided here in the same format used in
interactive output. For SunRPC ports, the RPC data is printed here
too. The format for RPC results in this column is <low version
number>-<high version number> (rpc #<rpc program number>).
When only one version number is supported, it is printed by itself
rather than as a range. A port which shows
(rpcbind:100000*2-2) in the SunRPC info subfield
would show 2 (rpc #100000) in the version info
subfield.
Example: Protocols: 1/open/icmp/, 2/open|filtered/igmp/ The IP protocol scan (-sO ) has a Protocols
field rather than Ports. Its contents are quite similar to the Ports
field, but it has only three subfields rather than seven. They are
delimited with slashes, just as with the Ports field. Any slashes
that would appear in a subfield are changed into pipes (|), also as
done in the Ports field. The subfields are protocol number, state,
and protocol name. These correspond to the three fields shown in
interactive output for a protocol scan. An example of IP protocol
scan grepable output is shown in Example 13.14, “Grepable output for IP protocol scan” The Host line
is wrapped for readability. Example 13.14. Grepable output for IP protocol scan # nmap -v -oG - -sO localhost
# nmap 3.75 scan initiated [time] as: nmap -oG - -sO -v localhost
# Ports scanned: TCP(0;) UDP(0;) PROTOCOLS(256;0-255)
Host: 127.0.0.1 (syn) Protocols: 1/open|filtered/icmp/, 2/open|filtered/igmp/,↵
6/open|filtered/tcp/, 17/open|filtered/udp/, 255/open|filtered//↵
Ignored State: closed (251)
# Nmap run completed at [time] -- 1 IP address (1 host up) scanned in 1.340↵
seconds
Example: Ignored State: filtered (1658) To save space, Nmap may omit ports in one non-open state from
the list in the Ports field. Nmap does this in interactive output
too. Regular Nmap users are familiar with the lines such as
“The 1658 ports scanned but not shown below are in state:
filtered”. For grepable mode, that state is given in the
Ignored State field. Following the state name is a space, then in
parentheses is the number of ports found in that state. Example: OS: Linux 2.4.0 - 2.5.20 Any perfect OS matches are listed here. If there are multiple
matches, they are separated by a pipe character as shown in Example 13.13, “A typical example of grepable output” Only the free-text
descriptions are provided. Grepable mode does not provide the vendor,
OS family, and device type classification shown in other output
modes. Example: Seq Index: 3004446 This number is an estimate of the difficulty of performing TCP
initial sequence number sequence prediction attacks against the remote
host. These are also known as blind spoofing attacks, and they
allow an attacker to forge a full TCP connection to a remote host as
if it was coming from some other IP address. This can always help an
attacker hide his or her tracks, and it can lead to privilege
escalation against services such as rlogin that commonly grant extra
privileges to trusted IP addresses. The Seq Index value is only available when
OS detection (-O ) is requested and succeeds in
probing for this. It is reported in interactive output when verbosity
(-v ) is requested. More details on the computation
and meaning of this value are provided in Chapter 8, Remote OS Detection Example: IP ID Seq: All zeros This simply describes the remote host's IP ID generation
algorithm. It is only available when OS detection
(-O ) is requested and succeeds in probing for it.
Interactive mode reports this as well, and it is discussed in
Chapter 8, Remote OS Detection Example: Status: Up Ping and list scans contain only two fields in grepable mode: Host and Status.
Status describes the target host as either Up, Down, or
Unknown. List scan always categorizes targets as Unknown because it
does not perform any tests. Ping scan lists a host as up if it
responds to at least one ping probe, and down if no responses are
received. It used to also report Smurf if ping probes sent to the target resulted in one
or more responses from other hosts, but that is no longer done. Down hosts are only shown when verbosity is
enabled with -v . Example 13.15, “Ping scan grepable output” demonstrates a ping
scan of 100 random hosts, while Example 13.16, “List scan grepable output” demonstrates a list
scan of five hosts. Example 13.15. Ping scan grepable output # nmap -sP -oG - -iR 100
# nmap [version] scan initiated [time] as: nmap -sP -oG - -iR 100
Host: 67.101.77.102 (h-67-101-77-102.nycmny83.covad.net) Status: Up
Host: 219.93.164.197 () Status: Up
Host: 222.113.158.200 () Status: Up
Host: 66.130.155.190 (modemcable190.155-130-66.mc.videotron.ca) Status: Up
# Nmap done at [time] -- 100 IP addresses (4 hosts up) scanned in 13.22 seconds
Example 13.16. List scan grepable output # nmap -sL -oG - -iR 5
# nmap [version] scan initiated [time] as: nmap -sL -oG - -iR 5
Host: 199.223.2.1 () Status: Unknown
Host: 191.222.112.87 () Status: Unknown
Host: 62.23.21.157 (host.157.21.23.62.rev.coltfrance.com) Status: Unknown
Host: 138.217.47.127 (CPE-138-217-47-127.vic.bigpond.net.au) Status: Unknown
Host: 8.118.0.91 () Status: Unknown
# Nmap done at [time] -- 5 IP addresses (0 hosts up) scanned in 1.797 seconds
Parsing Grepable Output on the Command LineGrepable output really shines when you want to gather
information quickly without the overhead of writing a script to parse
XML output. Example 13.17, “Parsing grepable output on the command line”
shows a typical example of this. The goal is to find all hosts on a
class C sized network with port 80 open. Nmap is told to scan just
that port of each host (skipping the ping stage) and to output a
grepable report to stdout. The results are piped to a trivial awk
command which finds lines containing /open/ and
outputs fields two and three for each matching line. Those fields are
the IP address and hostname (or empty parentheses if the hostname is
unavailable). Example 13.17. Parsing grepable output on the command line > nmap -p80 -PN -oG - 10.1.1.0/24 | awk '/open/{print $2 " " $3}'
10.1.1.72 (userA.corp.foocompany.biz)
10.1.1.73 (userB.corp.foocompany.biz)
10.1.1.75 (userC.corp.foocompany.biz)
10.1.1.149 (admin.corp.foocompany.biz)
10.1.1.152 (printer.corp.foocompany.biz)
10.1.1.160 (10-1-1-160.foocompany.biz)
10.1.1.161 (10-1-1-161.foocompany.biz)
10.1.1.201 (10-1-1-201.foocompany.biz)
10.1.1.254 (10-1-1-254.foocompany.biz)
|
|