2011-11-30

An AWK parser for NMAP

NMAP is quite useful for identifying devices on a network, but its output is quite verbose.
Here's an AWK script that parses the output of NMAP into a CSV.
It contains some heuristics to extract info that might be useful to identify unknown hosts.

# Emit the record for the host collected so far, then reset the fields for the next one.
function print_buffer()
{
    gsub(":", "", ip)
    gsub("Service Info: ", "", info)
    gsub("\\|_ Discover OS Version over NetBIOS and SMB: ", "", info)
    gsub("Discover OS Version over NetBIOS and SMB: ", "", info)
    gsub(", ", ";", info)    # keep the comma as the CSV separator only
    print ip","os" "hostname" "info
    ip="unknown"
    info="unknown"
    os=""
    hostname=""
}
BEGIN { ip="IP"; info="Info"; }    # the first print_buffer() call prints the header

# A new host starts at either of these lines; the IP (with a trailing ':') is the 4th or 6th field.
/Interesting ports/ { print_buffer(); ip=$4 }
/All [0-9]+ scanned/ { print_buffer(); ip=$6 }

# Weak guesses: set the OS only if no more specific rule has already set it.
/135\/tcp  open  msrpc[ ]+Microsoft RPC/ { if ( os == "") os="Windows NT" }
/135\/tcp  open  msrpc[ ]+Microsoft Windows RPC/ { if ( os == "") os="Windows NT" }
/IIS webserver 3.0/ { os="Windows NT" }
/IIS webserver 4.0/ { os="Windows NT" }
/IIS webserver 5.0/ { os="Windows 2000" }
/IIS webserver 5.1/ { os="Windows XP" }
/IIS webserver 6.0/ { os="Windows 2003" }
/Windows 98 netbios-ssn/ { os="Windows 98" }
/SMB: Windows Vista/ { os="Windows Vista" }
/IIS httpd 3/ { os="Windows NT" }
/Windows XP microsoft-ds/ { os="Windows XP" }
/SMB: Windows XP/ { os="Windows XP" }
/Windows 2000 microsoft-ds/ { os="Windows 2000" }
/Windows 2003 microsoft-ds/ { os="Windows 2003" }
/VMware Authentication Daemon/ { os="VMWare ESX" }
/Apache httpd/ { if ( os == "") os=$7 }
/HP webadmin/ { os="HP" }

/ePolicy Orchestrator \(Computername:/ { hostname=$9 }
/Ultr@VNC \(Name/ { hostname=$6 }
/WinVNC \(Server/ { hostname=$6 }
/Lotus Domino server \(CN=/ { hostname=$7 }

/Service Info/ { info=$0 }
/Discover OS/ { info=info" "$0 }
/telnet/ { info=info" "$4 }
/ ssh / { info=info" unix" }

END { print_buffer() }


Here's a sample output:

xx.xx.xx.10,Windows 2000  OS: Windows |  Windows 2000
xx.xx.xx.12,Windows NT gandalf; OS: Windows |  Windows NT 4.0
xx.xx.xx.13,Windows NT  OS: Windows |  Windows NT 4.0
xx.xx.xx.26,Windows NT bilbo; Host: bilbo.contoso.local; OS: Windows |  Windows NT 4.0
xx.xx.xx.30,  Device: printer
xx.xx.xx.31,  Devices: print server;printer
xx.xx.xx.66,Windows 2000  OS: Windows |  Windows 2000
xx.xx.xx.70,Windows NT aragorn; OS: Windows |  Windows NT 4.0
xx.xx.xx.80,Windows 2000  Host: saruman; OS: Windows |  Windows 2000
xx.xx.xx.82,Windows 2003 pippin; OS: Windows |  Windows Server 2003 3790 Service Pack 2
xx.xx.xx.153,  Device: switch
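As an added example (not the post's own code), here is the same approach in Python: the host header, OS and hostname heuristics are table-driven, it also accepts the "Nmap scan report for" header that newer Nmap releases print in place of "Interesting ports on", and the CSV goes through csv.writer so a field containing a comma is quoted rather than rewritten with ";". The scan text is a constructed sample.

```python
import csv
import io
import re
# Constructed sample: one host in the Nmap 4.x layout the script keys on, one in the newer layout.
SAMPLE = """\
Interesting ports on 10.0.0.12:
80/tcp   open  http     Microsoft IIS webserver 5.0
135/tcp  open  msrpc    Microsoft Windows RPC
5900/tcp open  vnc      WinVNC (Server gandalf; protocol 3.8)
Service Info: OS: Windows

Nmap scan report for 10.0.0.30
9100/tcp open  jetdirect
Service Info: Devices: print server, printer
"""
HEADER = re.compile(r"^(?:Interesting ports on|Nmap scan report for|All \d+ scanned ports on) (\S+)")
HOSTNAME = re.compile(r"(?:WinVNC \(Server|Ultr@VNC \(Name|Computername:) (\S+?)[;)]")
# (pattern, guess, weak): a weak rule only fills an empty OS, as the script's msrpc rule does.
OS_RULES = [
    (r"IIS webserver 5\.0", "Windows 2000", False),
    (r"IIS webserver 6\.0", "Windows 2003", False),
    (r"msrpc +Microsoft (?:Windows )?RPC", "Windows NT", True),
]

def parse_nmap(text):
    hosts, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:  # new host block; a ':' trails the IP only in the old header style
            cur = {"ip": m.group(1).rstrip(":"), "os": "", "hostname": "", "info": []}
            hosts.append(cur)
        elif cur is not None:
            for pat, guess, weak in OS_RULES:
                if re.search(pat, line) and not (weak and cur["os"]):
                    cur["os"] = guess
            hm = HOSTNAME.search(line)
            if hm:
                cur["hostname"] = hm.group(1)
            if line.startswith("Service Info: "):
                cur["info"].append(line[len("Service Info: "):])
    return hosts

def to_csv(hosts):
    # csv.writer quotes fields that contain commas, so no ", " -> ";" rewrite is needed
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["ip", "os", "hostname", "info"])
    w.writerows([h["ip"], h["os"], h["hostname"], "; ".join(h["info"])] for h in hosts)
    return buf.getvalue()
```

Running `print(to_csv(parse_nmap(SAMPLE)))` yields a header row plus one quoted-where-needed row per host.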
