This is a script I use to enumerate hosts with the nmap scanning tool. Feed it a host/ip and base directory (under which another directory will be created to store enumeration data).
Something like:
./enum_host.sh 192.168.0.7 /data/nmap_data
You can also find this in my Gists at github at https://gist.github.com/ryan-wendel/2266751e23641ed0ff38fb7a2c3502cf
The entire script:
#!/bin/bash
HOST="$1"
BASE="$2"
SCAN_UDP="1"
GRAB_BANNERS="1"
TOP_TCP_PORTS="100"
TOP_UDP_PORTS="50"
TEMPLATE_NUM="2"
TCP_FILE="${BASE}/${HOST}/tcp_scan_${HOST}"
TCP_DEEP_FILE="${BASE}/${HOST}/tcp_scan_deep_${HOST}"
UDP_FILE="${BASE}/${HOST}/udp_scan_${HOST}"
#SCRIPT_DIR="/home/users/rwendel/tools/nmap/scripts"
SCRIPT_DIR="/usr/share/nmap/scripts"
#PERF_OPTIONS="-n --max-rtt-timeout 500ms --max-retries 3 --max-scan-delay 20ms"
#PERF_OPTIONS="-n -T${TEMPLATE_NUM} --max-rtt-timeout 350ms --max-retries 2"
# Deliberately expanded unquoted below so that it word-splits into separate nmap arguments.
PERF_OPTIONS="-n -T${TEMPLATE_NUM} --initial-rtt-timeout 500ms --min-rtt-timeout 100ms --max-rtt-timeout 1000ms --host-timeout 10m --scan-delay 100ms --max-scan-delay 500ms --max-retries 2"

print_help() {
    echo "Usage: $(basename "$0") <host/ip> <project directory>"
}

if [ -z "${HOST}" ]; then
    echo "Error: Provide me a host/ip"
    echo
    print_help
    exit 1
fi

if [ -z "${BASE}" ]; then
    echo "Error: Provide me a directory to output to."
    echo
    print_help
    exit 2
fi

if [ -z "${SCAN_UDP}" ]; then
    echo "Error: Provide me with a zero or one to control UDP toggle."
    echo
    print_help
    exit 3
fi

if [ -z "${GRAB_BANNERS}" ]; then
    echo "Error: Provide me with a zero or one to control banner toggle."
    echo
    print_help
    exit 4
fi

mkdir -p "${BASE}/${HOST}"
if [ "$?" -ne "0" ]; then
    echo "Error: File permissions issue"
    exit 5
fi

if [ "${GRAB_BANNERS}" -gt "0" ]; then
    mkdir -p "${BASE}/${HOST}/banners"
fi

# Initial TCP connect scan of the top ports.
nmap -Pn -sT --top-ports "${TOP_TCP_PORTS}" ${PERF_OPTIONS} "${HOST}" -oA "${TCP_FILE}"

# Banner grab of every open TCP port found above. The grep is anchored on the
# port column so that "Not shown: ..." lines and service names that merely
# contain "open" (e.g. a closed "openvpn" port) are not picked up.
if [ "${GRAB_BANNERS}" -gt "0" ]; then
    grep -E '^[0-9]+/tcp +open' "${TCP_FILE}.nmap" 2>/dev/null | cut -d'/' -f1 | while read -r PORT; do
        #printf "$(amap -b ${HOST} ${PORT})" > "${BASE}/${HOST}/banners/${PORT}_tcp_banner.txt"
        nmap -Pn -sV -sT -p "${PORT}" ${PERF_OPTIONS} --script=banner --script-args="banner.ports=${PORT}" "${HOST}" > "${BASE}/${HOST}/banners/${PORT}_tcp_banner.txt"
    done
fi

# Optional UDP scan of the top ports, plus banner grabs of what is open.
if [ "${SCAN_UDP}" -gt "0" ]; then
    nmap -n -Pn -sU --top-ports "${TOP_UDP_PORTS}" ${PERF_OPTIONS} --open "${HOST}" -oA "${UDP_FILE}"
    if [ "${GRAB_BANNERS}" -gt "0" ]; then
        grep -E '^[0-9]+/udp +open' "${UDP_FILE}.nmap" 2>/dev/null | cut -d'/' -f1 | while read -r PORT; do
            nmap -Pn -sV -sU -p "${PORT}" ${PERF_OPTIONS} --script=banner --script-args="banner.ports=${PORT}" "${HOST}" > "${BASE}/${HOST}/banners/${PORT}_udp_banner.txt"
            #printf "$(amap -u -b ${HOST} ${PORT})" > "${BASE}/${HOST}/banners/${PORT}_udp_banner.txt"
        done
    fi
fi

# Deep (-A) scan of only the open TCP ports, as a comma-separated list.
PORTS=$(grep -E '^[0-9]+/tcp +open' "${TCP_FILE}.nmap" 2>/dev/null | cut -d'/' -f1 | perl -pe 's|\n|,|g' | sed 's/,$//g')
if [ -n "${PORTS}" ]; then
    nmap -A -Pn -sT -p "${PORTS}" ${PERF_OPTIONS} "${HOST}" -oA "${TCP_DEEP_FILE}"
    grep 'tcp.*open' "${TCP_DEEP_FILE}.nmap"
fi

# SMB / NetBIOS
PORTS=$(grep 'open.*netbios' "${TCP_DEEP_FILE}.nmap" 2>/dev/null | cut -d'/' -f1 | perl -pe 's|\n|,|g' | sed 's/,$//g')
if [ -n "${PORTS}" ]; then
    mkdir -p "${BASE}/${HOST}/smb"
    SMB_INFO="${BASE}/${HOST}/smb/smb_info_${HOST}.txt"
    enum4linux -a "${HOST}" > "${BASE}/${HOST}/smb/enum_${HOST}.txt"
    echo "######################## OS Discovery" > "${SMB_INFO}"
    nmap -Pn -p "${PORTS}" --script=smb-os-discovery ${PERF_OPTIONS} "${HOST}" >> "${SMB_INFO}"
    echo "######################## Security Mode" >> "${SMB_INFO}"
    nmap -Pn -p "${PORTS}" --script=smb-security-mode ${PERF_OPTIONS} "${HOST}" >> "${SMB_INFO}"
    echo "######################## System Info" >> "${SMB_INFO}"
    nmap -Pn -p "${PORTS}" --script=smb-system-info ${PERF_OPTIONS} "${HOST}" >> "${SMB_INFO}"
    echo "######################## Domains" >> "${SMB_INFO}"
    nmap -Pn -p "${PORTS}" --script=smb-enum-domains ${PERF_OPTIONS} "${HOST}" >> "${SMB_INFO}"
    echo "######################## Shares" >> "${SMB_INFO}"
    nmap -Pn -p "${PORTS}" --script=smb-enum-shares ${PERF_OPTIONS} "${HOST}" >> "${SMB_INFO}"
    echo "######################## Users" >> "${SMB_INFO}"
    nmap -Pn -p "${PORTS}" --script=smb-enum-users ${PERF_OPTIONS} "${HOST}" >> "${SMB_INFO}"
    echo "######################## Groups" >> "${SMB_INFO}"
    nmap -Pn -p "${PORTS}" --script=smb-enum-groups ${PERF_OPTIONS} "${HOST}" >> "${SMB_INFO}"
    echo "######################## SMB ls" >> "${SMB_INFO}"
    nmap -Pn -p "${PORTS}" --script=smb-ls ${PERF_OPTIONS} "${HOST}" >> "${SMB_INFO}"
    echo "######################## SMB Enum " >> "${SMB_INFO}"
    nmap -Pn -p "${PORTS}" --script=smb-mbenum ${PERF_OPTIONS} "${HOST}" >> "${SMB_INFO}"
    # Script globs are quoted so the shell cannot expand them against files in the current directory.
    echo "######################## SMB Vulns " >> "${SMB_INFO}"
    nmap -Pn -p "${PORTS}" --script='smb-vuln*' ${PERF_OPTIONS} "${HOST}" >> "${SMB_INFO}"
    echo "######################## Samba Vulns " >> "${SMB_INFO}"
    nmap -Pn -p "${PORTS}" --script='samba-vuln*' ${PERF_OPTIONS} "${HOST}" >> "${SMB_INFO}"
fi

# HTTP
PORTS=$(grep 'open.*http' "${TCP_DEEP_FILE}.nmap" 2>/dev/null | cut -d'/' -f1 | perl -pe 's|\n|,|g' | sed 's/,$//g')
if [ -n "${PORTS}" ]; then
    mkdir -p "${BASE}/${HOST}/http"
    HTTP_INFO="${BASE}/${HOST}/http/http_info_${HOST}.txt"
    echo "######################## Cookie Flags" > "${HTTP_INFO}"
    nmap -Pn -p "${PORTS}" --script=http-cookie-flags ${PERF_OPTIONS} "${HOST}" >> "${HTTP_INFO}"
    echo "######################## CORS" >> "${HTTP_INFO}"
    nmap -Pn -p "${PORTS}" --script=http-cors ${PERF_OPTIONS} "${HOST}" >> "${HTTP_INFO}"
    echo "######################## Cross Domain Policy" >> "${HTTP_INFO}"
    nmap -Pn -p "${PORTS}" --script=http-cross-domain-policy ${PERF_OPTIONS} "${HOST}" >> "${HTTP_INFO}"
    echo "######################## Methods" >> "${HTTP_INFO}"
    nmap -Pn -p "${PORTS}" --script=http-methods ${PERF_OPTIONS} "${HOST}" >> "${HTTP_INFO}"
    echo "######################## Headers" >> "${HTTP_INFO}"
    nmap -Pn -p "${PORTS}" --script=http-headers ${PERF_OPTIONS} "${HOST}" >> "${HTTP_INFO}"
    echo "######################## Vulns" >> "${HTTP_INFO}"
    nmap -Pn -p "${PORTS}" --script='http-vuln*' ${PERF_OPTIONS} "${HOST}" >> "${HTTP_INFO}"
    echo "######################## WAF Detect" >> "${HTTP_INFO}"
    nmap -Pn -p "${PORTS}" --script=http-waf-detect ${PERF_OPTIONS} "${HOST}" >> "${HTTP_INFO}"
    echo "######################## WAF Fingerprint" >> "${HTTP_INFO}"
    nmap -Pn -p "${PORTS}" --script=http-waf-fingerprint ${PERF_OPTIONS} "${HOST}" >> "${HTTP_INFO}"
fi

# FTP
PORTS=$(grep 'open.*ftp' "${TCP_DEEP_FILE}.nmap" 2>/dev/null | cut -d'/' -f1 | perl -pe 's|\n|,|g' | sed 's/,$//g')
if [ -n "${PORTS}" ]; then
    mkdir -p "${BASE}/${HOST}/ftp"
    nmap -Pn -p "${PORTS}" --script='ftp-vuln*' ${PERF_OPTIONS} "${HOST}" > "${BASE}/${HOST}/ftp/vulns_ftp_${HOST}.txt"
    nmap -Pn -p "${PORTS}" --script='ftp-*-backdoor' ${PERF_OPTIONS} "${HOST}" > "${BASE}/${HOST}/ftp/vulns_ftp_backdoor_${HOST}.txt"
    nmap -Pn -p "${PORTS}" --script=ftp-anon ${PERF_OPTIONS} "${HOST}" > "${BASE}/${HOST}/ftp/ftp_anon_${HOST}.txt"
fi

# SMTP
PORTS=$(grep 'open.*smtp' "${TCP_DEEP_FILE}.nmap" 2>/dev/null | cut -d'/' -f1 | perl -pe 's|\n|,|g' | sed 's/,$//g')
if [ -n "${PORTS}" ]; then
    mkdir -p "${BASE}/${HOST}/smtp"
    nmap -Pn -p "${PORTS}" --script='smtp-vuln*' ${PERF_OPTIONS} "${HOST}" > "${BASE}/${HOST}/smtp/vuln_smtp_${HOST}.txt"
    nmap -Pn -p "${PORTS}" --script=smtp-open-relay ${PERF_OPTIONS} "${HOST}" > "${BASE}/${HOST}/smtp/smtp_open_relay_${HOST}.txt"
    nmap -Pn -p "${PORTS}" --script=smtp-enum-users ${PERF_OPTIONS} "${HOST}" > "${BASE}/${HOST}/smtp/smtp_enum_users_${HOST}.txt"
fi

# MySQL
PORTS=$(grep 'open.*mysql' "${TCP_DEEP_FILE}.nmap" 2>/dev/null | cut -d'/' -f1 | perl -pe 's|\n|,|g' | sed 's/,$//g')
if [ -n "${PORTS}" ]; then
    mkdir -p "${BASE}/${HOST}/mysql"
    nmap -Pn -p "${PORTS}" --script='mysql-*' ${PERF_OPTIONS} "${HOST}" > "${BASE}/${HOST}/mysql/mysql_${HOST}.txt"
fi

# SSH
PORTS=$(grep 'open.*ssh' "${TCP_DEEP_FILE}.nmap" 2>/dev/null | cut -d'/' -f1 | perl -pe 's|\n|,|g' | sed 's/,$//g')
if [ -n "${PORTS}" ]; then
    mkdir -p "${BASE}/${HOST}/ssh"
    nmap -Pn -p "${PORTS}" --script='ssh*' ${PERF_OPTIONS} "${HOST}" > "${BASE}/${HOST}/ssh/ssh_${HOST}.txt"
fi
I have the following lines set for external scanning. I’ve been running into issues with network security devices rate-limiting or hiding ports from me when trying to scan too fast.
TOP_TCP_PORTS="100"
TOP_UDP_PORTS="50"
TEMPLATE_NUM="2"
PERF_OPTIONS="-n -T${TEMPLATE_NUM} --initial-rtt-timeout 500ms --min-rtt-timeout 100ms --max-rtt-timeout 1000ms --host-timeout 10m --scan-delay 100ms --max-scan-delay 500ms --max-retries 2"
Which yields a directory that looks like this:
The banners directory.
Various nmap nse script output, too. The enum file is enum4linux output. More work could be put into the service enumeration sections. I’ll get around to it at some point.
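The script rebuilds the same "grep open | cut -d'/' -f1 | perl | sed" pipeline once per service to turn an nmap normal-output (.nmap) file into a comma-separated port list. The function below is an added example, not part of the gist above: it does that extraction in one place, keyed on the port/state/service columns rather than a loose substring match, so a "Not shown:" line or a closed port whose service name contains "open" cannot creep into the list. The .nmap content is a constructed sample.

```shell
#!/bin/bash
# open_ports FILE [SERVICE_REGEX]
# Prints the open ports in an nmap -oN/-oA ".nmap" file as "22,80,443"
# (empty string if none). Only lines shaped like "22/tcp open ssh ..." are
# considered; an optional regex filters on the service column, which is the
# same idea as the script's grep 'open.*netbios' / 'open.*http' selectors.
open_ports() {
    local file="$1" svc="${2:-.*}"
    awk -v svc="$svc" '
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" && $3 ~ svc {
            split($1, a, "/")
            ports = ports (length(ports) ? "," : "") a[1]
        }
        END { print ports }' "$file"
}

# Constructed sample of nmap normal output (not a real scan) used to
# demonstrate the parser; note the "Not shown" line and the filtered
# openvpn port that a bare "grep open" would both match.
SAMPLE="$(mktemp)"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# Nmap scan initiated as: nmap -Pn -sT --top-ports 100 -oA tcp_scan 10.0.0.5
Nmap scan report for 10.0.0.5
Host is up (0.0010s latency).
Not shown: 94 closed tcp ports (conn-refused)
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
139/tcp  open     netbios-ssn
445/tcp  open     microsoft-ds
1194/tcp filtered openvpn
8080/tcp open     http-proxy
# Nmap done -- 1 IP address (1 host up) scanned in 5.00 seconds
EOF

# Wrappers the reader can call; each returns the list for one selector.
all_ports()  { open_ports "$SAMPLE"; }            # 22,80,139,445,8080
http_ports() { open_ports "$SAMPLE" 'http'; }     # 80,8080
smb_ports()  { open_ports "$SAMPLE" 'netbios'; }  # 139
```

Pass the result straight to `nmap -p "$(open_ports "${TCP_DEEP_FILE}.nmap" 'http')"` in place of the per-service PORTS= pipelines.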