
Nmap: Network Exploration and Security Auditing Cookbook - Second Edition

By : Paulino Calderon

Overview of this book

This is the second edition of ‘Nmap 6: Network Exploration and Security Auditing Cookbook’. It is aimed at anyone who wants to master Nmap and its scripting engine through practical tasks for system administrators and penetration testers. Besides introducing the most powerful features of Nmap and related tools, common security auditing tasks for local and remote networks, web applications, databases, mail servers, Microsoft Windows machines and even ICS SCADA systems are explained step by step with exact commands and argument explanations. The book starts with the basic usage of Nmap and related tools like Ncat, Ncrack, Ndiff and Zenmap. The Nmap Scripting Engine is thoroughly covered through security checks commonly used in real-life scenarios and applied to different types of systems. New chapters for Microsoft Windows and ICS SCADA systems were added and every recipe was revised. This edition reflects the latest updates and hottest additions to the Nmap project to date. The book will also introduce you to Lua programming and NSE script development, allowing you to extend the power of Nmap further.

Monitoring servers remotely with Nmap and Ndiff


Using tools from the Nmap project we can set up a simple but powerful monitoring system. Because our monitoring system will depend on Nmap, we can monitor any information Nmap can gather. To detect changes on the network, we need to compare the results of two scans: the base or known good state and the latest results obtained. This is the perfect time to introduce Ndiff.

Ndiff was designed to address the issues of using the traditional diff command with two XML scan results. It compares files by removing false positives and producing a more readable output, which is perfect for anyone who needs to keep track of the scan results.

This recipe describes how to use bash scripting, cron, Nmap, and Ndiff to set up a monitoring system that alerts the user by e-mail if changes are detected in a network.

Getting ready

In this recipe, we assume the system has been configured to send mail via the mail command. If you would like to change the notification method, you simply need to update the bash script. You could use curl to POST data to your favorite social network or run a script that restarts the service. The possibilities are endless.

How to do it...

To set up a simple monitoring system with Nmap, we are going to need to do a few things:

  1. Create the directory /usr/local/share/nmap-mon/ (or whatever location you prefer) to store all the files required for our monitoring system.
  2. Scan your targets and save the result in XML format in the directory that you just created:
# nmap -oX base_results.xml -sV -Pn <target>

The resulting file base_results.xml will be used as your base file, meaning that it should reflect the known good versions and ports.

  3. Create the file nmap-mon.sh in the directory you created earlier and paste the following code:
#!/bin/bash
#Bash script to email admin when changes are detected in a network using Nmap and Ndiff.
#
#Don't forget to adjust the CONFIGURATION variables.
#Paulino Calderon
#
#CONFIGURATION
#
NETWORK="YOURTARGET"
ADMIN="admin@example.com"        # placeholder; the address that receives the alert
NMAP_FLAGS="-n -sV -Pn -p- -T4"
BASE_PATH=/usr/local/share/nmap-mon/
BIN_PATH=/usr/local/bin/
BASE_FILE=base_results.xml       # the known good scan saved in step 2
NDIFF_FILE=ndiff.log
NEW_RESULTS_FILE=newscanresults.xml
BASE_RESULTS="$BASE_PATH$BASE_FILE"
NEW_RESULTS="$BASE_PATH$NEW_RESULTS_FILE"
NDIFF_RESULTS="$BASE_PATH$NDIFF_FILE"
if [ -f "$BASE_RESULTS" ]
then
  echo "Checking host $NETWORK"
  # NMAP_FLAGS is left unquoted on purpose so that it splits into separate arguments
  "${BIN_PATH}nmap" -oX "$NEW_RESULTS" $NMAP_FLAGS "$NETWORK"
  # Ndiff exits with 0 when the scans match, 1 when they differ and 2 on error.
  # Its output always carries the two header lines with the scan timestamps,
  # so the exit status, not the number of output lines, tells us whether anything changed.
  "${BIN_PATH}ndiff" "$BASE_RESULTS" "$NEW_RESULTS" > "$NDIFF_RESULTS"
  if [ $? -eq 1 ]
  then
    echo "Network changes detected in $NETWORK"
    cat "$NDIFF_RESULTS"
    echo "Alerting admin $ADMIN"
    mail -s "Network changes detected in $NETWORK" "$ADMIN" < "$NDIFF_RESULTS"
  fi
fi

  4. Update the configuration values according to your system:
NETWORK="YOURTARGET"
ADMIN="admin@example.com"        # placeholder; the address that receives the alert
NMAP_FLAGS="-sV -Pn -p- -T4"
BASE_PATH=/usr/local/share/nmap-mon/
BIN_PATH=/usr/local/bin/
BASE_FILE=base_results.xml       # must match the name of the base file saved in step 2
NDIFF_FILE=ndiff.log
NEW_RESULTS_FILE=newscanresults.xml
  5. Make nmap-mon.sh executable by entering the following command:
# chmod +x /usr/local/share/nmap-mon/nmap-mon.sh
  6. Now run the nmap-mon.sh script to make sure it is working correctly:
# /usr/local/share/nmap-mon/nmap-mon.sh
  7. Launch your crontab editor to execute the script automatically at regular intervals:
# crontab -e
  8. Add the following line:
0 * * * * /usr/local/share/nmap-mon/nmap-mon.sh

You should now receive e-mail alerts when Ndiff detects a change in your network.

How it works...

Ndiff is a tool for comparing two Nmap scans. Think of the traditional diff but for Nmap scan reports. With some help from bash and cron, we set up a task that is executed at regular intervals to scan our network and compare the current state with an older state, to identify the differences between them. We used some basic bash scripting to execute our monitoring scan and then executed Ndiff to compare the results. Ndiff writes the differences to its standard output and returns exit status 1 when the two scans differ (0 when they match, 2 on error), and it is that exit status that triggers the alert:

  "${BIN_PATH}ndiff" "$BASE_RESULTS" "$NEW_RESULTS" > "$NDIFF_RESULTS"
  if [ $? -eq 1 ]
  then
    echo "Network changes detected in $NETWORK"
    cat "$NDIFF_RESULTS"
    echo "Alerting admin $ADMIN"
    mail -s "Network changes detected in $NETWORK" "$ADMIN" < "$NDIFF_RESULTS"
  fi
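As an added illustration of what the comparison step computes (this is example code written for this page, not Ndiff's own implementation), the following Python script compares two constructed Nmap XML results and reports host, port state and service version changes while deliberately ignoring scan timestamps and arguments, which is why two runs of an unchanged network compare as equal. The host address, ports and versions in the samples are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample results (not real scans): the second run has a changed
# SSH version and a newly open port; the scan start times differ, as they always do.
BASE_XML = """<nmaprun scanner="nmap" args="nmap -sV host" start="1000"><host>
<status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.14"/></port>
</ports></host></nmaprun>"""
NEW_XML = """<nmaprun scanner="nmap" args="nmap -sV host" start="2000"><host>
<status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.0"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.14"/></port>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
</ports></host></nmaprun>"""


def parse_scan(xml_text):
    """Return {address: {(proto, port): (state, "name product version")}}.
    Scan metadata such as start time and arguments is deliberately not kept,
    so two runs of the same scan against an unchanged host compare as equal."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        ports = {}
        for port in host.iter("port"):
            svc = port.find("service")
            attrs = (svc.get("name"), svc.get("product"), svc.get("version")) if svc is not None else ()
            key = (port.get("protocol"), int(port.get("portid")))
            ports[key] = (port.find("state").get("state"), " ".join(a for a in attrs if a))
        hosts[addr] = ports
    return hosts


def diff_scans(base_xml, new_xml):
    """List human-readable host, port and service changes between two scans."""
    base, new = parse_scan(base_xml), parse_scan(new_xml)
    changes = []
    for addr in sorted(set(base) | set(new)):
        if addr not in new:
            changes.append(f"-host {addr}")          # host disappeared from the scan
        elif addr not in base:
            changes.append(f"+host {addr}")          # host newly seen
        else:
            for key in sorted(set(base[addr]) | set(new[addr])):
                old, cur = base[addr].get(key), new[addr].get(key)
                if old != cur:                      # state or service string changed
                    changes.append(f"{addr} {key[1]}/{key[0]}: {old} -> {cur}")
    return changes
```

Running diff_scans(BASE_XML, NEW_XML) lists the SSH version change and the new 3306/tcp entry, while diff_scans(BASE_XML, BASE_XML) returns an empty list.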

There's more...

You can adjust the interval between scans by modifying the cron line:

0 * * * * /usr/local/share/nmap-mon/nmap-mon.sh

To update your base file, you simply need to overwrite the base file located in /usr/local/share/nmap-mon/ with a fresh XML scan result. Remember that when we change the scan parameters used to create our base file, we need to update them in nmap-mon.sh too; otherwise, Ndiff would report the ports or services covered by one set of options but not the other as changes.

Monitoring specific services

To monitor some specific service, you need to update the scan parameters in nmap-mon.sh:

NMAP_FLAGS="-sV -Pn"

For example, if you would like to monitor a web server, you may use the following parameters:

NMAP_FLAGS="-sV --script http-google-safe -Pn -p80,443"

These parameters restrict the port scan to ports 80 and 443 and, in addition, include the http-google-safe script, which checks whether your web server has been marked as malicious by the Google Safe Browsing service.