
Help Parsing nmap scan logs



Hi,

I have a bunch of nmap.exe scan logs that I would like to get the results from and put into an Excel sheet.

Attached is an example of the output nmap log.  IPs were manually changed.

I would like the ip address in column A and any open ports in the next column B.

Any help to get me started would be much appreciated.

I'm guessing I would have to use "StringRegExp" then output to a csv?

#include<AutoItConstants.au3>
#include<FileConstants.au3>
#include<Array.au3>
#include<File.au3>

Global $Files = _FileListToArray(@ScriptDir & "\ScanResults\", "*", 1, False), $Results = @ScriptDir & "\Results.csv"

;_ArrayDisplay($Files) ;Debug

For $i = 0 To UBound($Files) -1
    $a = StringRegExp(FileRead($Files[$i]), " STUCK!! ")
Next


ExampleResults.txt


In this instance I would chop up the text into sections and process that way.

Threw this together, works with your sample but not sure if it will work with the full file.

$hFile = FileOpen("C:\Downloads\ExampleResults.txt", 0)
$sData = FileRead($hFile)


$aSplit = StringSplit($sData, "Nmap scan report for", 1)
ConsoleWrite("Segments = " & $aSplit[0] & @CRLF)

global $aOutput[$aSplit[0]][2]  ;Create an array that will store the info


For $i = 2 to $aSplit[0]    ;Skipping 1 since it will be the file header stuff

    $aLines = StringSplit($aSplit[$i], @CRLF)   ;Split up each section by line
    ConsoleWrite("Segment " & $i & " contains " & $aLines[0] & " lines" & @CRLF)

    If $aLines[0] < 4 then ContinueLoop         ;Attempt to skip sections that are not a scan report

    $aOutput[$i - 2][0] = StringStripWS($aLines[1], 8)  ;Save the IP address

    For $r = 2 to $aLines[0]
        If StringInStr($aLines[$r], "open") Then    
            If $aOutput[$i - 2][1] <> "" Then
                $aOutput[$i - 2][1] &= "," & StringLeft($aLines[$r], StringInStr($aLines[$r], "/") - 1)
            Else
                $aOutput[$i - 2][1] = StringLeft($aLines[$r], StringInStr($aLines[$r], "/") - 1)
            EndIf
        EndIf

    Next

Next

;Use the _Excel functions to write to a spreadsheet

For $o = 0 to UBound($aOutput) - 1
    ConsoleWrite($aOutput[$o][0] & @TAB & $aOutput[$o][1] & @CRLF)
Next

 

Edited by BigDaddyO

This works with your example:

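#include <Array.au3>
#include <StringConstants.au3>

Local $sFile = FileRead ("ExampleResults.txt")
; Dots are escaped and the last octet may have more than one digit
Local $aRes = StringRegExp ($sFile, "(?s)Nmap scan report for (\d+\.\d+\.\d+\.\d+).+?SERVICE\v+(\d+)\N+\v+(\d+)\N+\v+(\d+)\N+\v+(\d+)", $STR_REGEXPARRAYGLOBALMATCH)

_ArrayDisplay ($aRes)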

 


@Nine

Thank you. Your script worked; however, I forgot to add in my sample text that the DNS name COULD show before the IP address.

exp:

Nmap scan report for smtadfap-1.kretasdfaez.com.ar (1.1.1.1)
Host is up (0.18s latency).
Not shown: 1091 filtered ports
PORT    STATE SERVICE
25/tcp  open  smtp
443/tcp open  https
 

The DNS name could contain numbers, letters and special characters.


@antmar904

The fact is that you could have more than four ports, and so, you should/could extract them in a separate instruction.

By the way, the pattern below even extracts the DNS name from the string:

'(?s)Nmap scan report for (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|[-.\w]+\s\([^)]+\)).*?(\d+)\/[^\n]+\n(\d+)\/[^\n]+\n(\d+)\/[^\n]+\n(\d+)\/[^\n]+\n'

:)


1 hour ago, antmar904 said:

I forgot to add in my sample text that the DNS name COULD show before the IP address.

Could you please create a full range example text file, that we could use for a fully tested script.  I must admit it is kind of annoying.


@Nine Thank you for your help. The nmap output file could have many variations. Sorry about that.

@FrancescoDiMuro If I run your string on this output file, some IPs are missed and not shown in the array.

 

Unable to find nmap-services!  Resorting to /etc/services
# Nmap 7.70 scan initiated Tue Apr 02 10:55:13 2019 as: nmap.exe -oN C:\20.3.170.4-30.txt 20.3.170.4-30
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for ip-20-003-170-005.cooxcvzgpvgg.com.ar (20.3.170.5)
Host is up (0.19s latency).
Not shown: 1089 closed ports
PORT    STATE    SERVICE
53/tcp  filtered domain
79/tcp  open     finger
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Nmap scan report for ip-20-003-170-006.cooxcvzgpvgg.com.ar (20.3.170.6)
Host is up (0.19s latency).
Not shown: 1090 closed ports
PORT    STATE    SERVICE
53/tcp  filtered domain
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Nmap scan report for (20.3.170.9)
Host is up (0.18s latency).
Not shown: 1092 filtered ports
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server

Nmap scan report for smtp-1.kressdfg.tz.com.ar (20.3.170.10)
Host is up (0.18s latency).
Not shown: 1091 filtered ports
PORT    STATE SERVICE
25/tcp  open  smtp
443/tcp open  https

Nmap scan report for ip-20-003-170-012.cooxcvzgpvgg.com.ar (20.3.170.12)
Host is up (0.18s latency).
Not shown: 1092 filtered ports
PORT    STATE  SERVICE
443/tcp closed https

Nmap scan report for ip-20-003-170-014.cooxcvzgpvgg.com.ar (20.3.170.14)
Host is up (0.19s latency).
Not shown: 1089 closed ports
PORT    STATE    SERVICE
53/tcp  filtered domain
79/tcp  open     finger
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Nmap scan report for ip-20-003-170-017.cooxcvzgpvgg.com.ar (20.3.170.17)
Host is up (0.17s latency).
Not shown: 1089 closed ports
PORT    STATE    SERVICE
53/tcp  filtered domain
79/tcp  open     finger
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Nmap scan report for (20.3.170.25)
Host is up (0.18s latency).
Not shown: 1089 closed ports
PORT    STATE    SERVICE
53/tcp  filtered domain
79/tcp  open     finger
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

# Nmap done at Tue Apr 02 10:57:05 2019 -- 27 IP addresses (8 hosts up) scanned in 112.01 seconds


 

Edited by antmar904

I'm having issues trying to write the array to CSV. I think I keep overwriting the file... I'd like to read all the scan result logs to one CSV file:

 

For $i = 0 To UBound($Files) -1
    Local $sFile = FileRead($Files[$i])
    Local $aRes = StringRegExp ($sFile, "Nmap scan report for \K.*|\d+(?=/tcp)", $STR_REGEXPARRAYGLOBALMATCH)
Next

_FileWriteFromArray($Results, $aRes, 0)

 


#include <Constants.au3>
#include <Array.au3>
#include <Excel.au3>

Opt ("MustDeclareVars", 1)

Local $sFile = FileRead ("ExampleResults2.txt")
Local $aRes = StringRegExp ($sFile, "(?s)Nmap scan report for.*?\((\d+\.\d+\.\d+\.\d+)|\v{2}(\d{1,4})\/", $STR_REGEXPARRAYGLOBALMATCH)

Local $oExcel = _Excel_Open()
If @error Then Exit MsgBox($MB_SYSTEMMODAL, "", "Error creating the Excel application object.")
Local $oWorkbook = _Excel_BookNew($oExcel)
If @error Then Exit MsgBox($MB_SYSTEMMODAL, "", "Error creating the new workbook.")

Local $row = 1, $i = 0, $port
While $i < Ubound ($aRes)
  _Excel_RangeWrite($oWorkbook, $oWorkbook.Activesheet, $aRes[$i], "A" & $row)
  $port = ""
  $i += 1
  Do
    If $aRes[$i] <> "" Then $port &= $aRes[$i] & ","
    $i += 1
    If $i = Ubound ($aRes) Then ExitLoop
  Until StringInStr ($aRes[$i],".")
  _Excel_RangeWrite($oWorkbook, $oWorkbook.Activesheet, StringTrimRight ($port,1), "B" & $row)
  $row += 1
WEnd

That will write directly to Excel like you first wanted... but with this example, you could make it a CSV if you prefer.


I'm having issues with this.  I need to read each file then add it to a csv.

 

#include<AutoItConstants.au3>
#include<FileConstants.au3>
#include<Array.au3>
#include<File.au3>

Global $Files = _FileListToArray(@ScriptDir & "\ScanResults\", "*", 1, True), $Results = @ScriptDir & "Results.csv", $Array

;_ArrayDisplay($Files) ;Debug


For $i = 0 To UBound($Files) -1
    Local $sFile = FileRead($Files[$i])
    Local $aRes = StringRegExp ($sFile, "Nmap scan report for \K.*|\d+(?=/tcp)", $STR_REGEXPARRAYGLOBALMATCH)
    ;_ArrayDisplay($aRes)
Next
Exit

 

Edited by antmar904

@antmar904

First of all, start your For...Next loop from 1, since the 0th element in the array contains the number of files obtained from _FileListToArray().

Then, explain as clearly as you can what kind of result you are expecting from your script, and finally attach or post a sample file, so we can take a look.


@FrancescoDiMuro Ok, I think I got it.

 

#include<AutoItConstants.au3>
#include<FileConstants.au3>
#include<Array.au3>
#include<File.au3>

Global $Files = _FileListToArray(@ScriptDir & "\ScanResults\", "*", 1, True)

Local $OutputFile = @ScriptDir & "\Results.txt"
Local $hFile = FileOpen($OutputFile, 1)
For $x = 1 to UBound ($Files) -1
    Local $File = FileRead($Files[$x])
    Local $aRes = StringRegExp ($File, "Nmap scan report for \K.*|\d+(?=/tcp)", $STR_REGEXPARRAYGLOBALMATCH)
    _FileWriteFromArray($hFile, $aRes)
Next
FileClose($hFile)
Exit

 


  • 5 months later...

Hello all.

So I can parse my nmap scan logs and get the port number but now I am required to capture the service running on that port.  Some help with regex is needed!  Thanks again all.

Here is a snippet of the nmap output file:

Unable to find nmap-services!  Resorting to /etc/services
# Nmap 7.70 scan initiated Tue Apr 02 10:55:13 2019 as: nmap.exe -oN C:\20.3.170.4-30.txt 20.3.170.4-30
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for ip-20-003-170-005.cooxcvzgpvgg.com.ar (20.3.170.5)
Host is up (0.19s latency).
Not shown: 1089 closed ports
PORT    STATE    SERVICE
53/tcp  filtered domain
79/tcp  open     finger
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Nmap scan report for ip-20-003-170-006.cooxcvzgpvgg.com.ar (20.3.170.6)
Host is up (0.19s latency).
Not shown: 1090 closed ports
PORT    STATE    SERVICE
53/tcp  filtered domain
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Nmap scan report for (20.3.170.9)
Host is up (0.18s latency).
Not shown: 1092 filtered ports
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server

Nmap scan report for smtp-1.kressdfg.tz.com.ar (20.3.170.10)
Host is up (0.18s latency).
Not shown: 1091 filtered ports
PORT    STATE SERVICE
25/tcp  open  smtp
443/tcp open  https

Nmap scan report for ip-20-003-170-012.cooxcvzgpvgg.com.ar (20.3.170.12)
Host is up (0.18s latency).
Not shown: 1092 filtered ports
PORT    STATE  SERVICE
443/tcp closed https

Nmap scan report for ip-20-003-170-014.cooxcvzgpvgg.com.ar (20.3.170.14)
Host is up (0.19s latency).
Not shown: 1089 closed ports
PORT    STATE    SERVICE
53/tcp  filtered domain
79/tcp  open     finger
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Nmap scan report for ip-20-003-170-017.cooxcvzgpvgg.com.ar (20.3.170.17)
Host is up (0.17s latency).
Not shown: 1089 closed ports
PORT    STATE    SERVICE
53/tcp  filtered domain
79/tcp  open     finger
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Nmap scan report for (20.3.170.25)
Host is up (0.18s latency).
Not shown: 1089 closed ports
PORT    STATE    SERVICE
53/tcp  filtered domain
79/tcp  open     finger
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

# Nmap done at Tue Apr 02 10:57:05 2019 -- 27 IP addresses (8 hosts up) scanned in 112.01 seconds

Here is what I have to extract the port number, just need help getting the service running on the port.

Local $aRes = StringRegExp ($File, "Nmap scan report for \K.*|\d+(?=/tcp)", $STR_REGEXPARRAYGLOBALMATCH)

 

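Added example, not part of the thread and not any poster's code: one way to capture the service name as asked in the last post, assuming the `-oN` layout shown in the samples above. It goes beyond the original request by writing one CSV row per open port with hostname and protocol; the column layout and the helper names `_ParseNmapLog` and `_CsvField` are hypothetical.

```autoit
#include <File.au3>
#include <FileConstants.au3>
#include <StringConstants.au3>

; Added example, not code from the thread. Output columns are an assumption.
Local $aFiles = _FileListToArray(@ScriptDir & "\ScanResults", "*", $FLTA_FILES, True)
If @error Then Exit ConsoleWrite("No scan logs found" & @CRLF)

; Open the CSV once, outside the loop, so each log appends instead of overwriting
Local $hCsv = FileOpen(@ScriptDir & "\Results.csv", $FO_OVERWRITE)
If $hCsv = -1 Then Exit ConsoleWrite("Cannot open Results.csv" & @CRLF)
FileWriteLine($hCsv, "ip,hostname,port,proto,service")
For $f = 1 To $aFiles[0] ; element 0 holds the file count
    _ParseNmapLog(FileRead($aFiles[$f]), $hCsv)
Next
FileClose($hCsv)

Func _ParseNmapLog($sText, $hOut)
    Local $sIP = "", $sHost = "", $aHdr, $aPort
    ; One array element per non-empty line; handles CRLF and LF logs
    Local $aLines = StringRegExp($sText, "[^\r\n]+", $STR_REGEXPARRAYGLOBALMATCH)
    If @error Then Return
    For $sLine In $aLines
        If StringLeft($sLine, 20) = "Nmap scan report for" Then
            ; Header forms: "for name (ip)", "for (ip)" and "for ip"
            $aHdr = StringRegExp($sLine, "^Nmap scan report for (\S*?)\s*\(?(\d{1,3}(?:\.\d{1,3}){3})\)?\s*$", $STR_REGEXPARRAYMATCH)
            If @error Then
                $sIP = "" ; unrecognized header: skip its ports rather than misattribute them
            Else
                $sHost = $aHdr[0]
                $sIP = $aHdr[1]
            EndIf
            ContinueLoop
        EndIf
        ; Port rows: keep only state "open" (not filtered, closed or open|filtered)
        $aPort = StringRegExp($sLine, "^(\d+)/(tcp|udp)\s+open\s+(\S+)", $STR_REGEXPARRAYMATCH)
        If @error Or $sIP = "" Then ContinueLoop
        FileWriteLine($hOut, $sIP & "," & _CsvField($sHost) & "," & $aPort[0] & "," & $aPort[1] & "," & _CsvField($aPort[2]))
    Next
EndFunc

; Reverse-DNS names are remote-controlled text: quote them and defuse leading
; formula characters so Excel does not evaluate the cell
Func _CsvField($s)
    If StringRegExp($s, "^[=+\-@]") Then $s = "'" & $s
    Return '"' & StringReplace($s, '"', '""') & '"'
EndFunc
```

Matching line by line avoids the fixed "four ports" limit of the single-pattern approaches, and resetting the IP on an unrecognized header keeps ports from being attributed to the previous host.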
