by Joel R. Voss aka. Javantea
Nov 11-13, 2005
The Network Mapping project (also known as Neg9 UW Network Project) plans to develop tools to report on the usage of public networks through active scanning of ports. The first two tools are known as netmap1. It uses Nmap to discover available hosts and discover open ports on the hosts. Netmap1 involves two tools that can be run as part of a script. parse_ping1.py and parse_port1.py are run by the script scan_full1.sh. The output of the script are a set of xml files and records in a MySQL database.
Since running a MySQL server concurrently while scanning ports is a ironic security vulnerability, the two tools can run without reporting to MySQL and will produce xml files that can be tarred, encrypted, and transported to a secure local network where the data can be imported into the database.
There is a bug in certain wireless drivers that will result in a full kernel hang when running Nmap in a certain configurations used in Netmap1. This is a bug of the wireless driver. Use at your own risk.
Nmap is a very useful program for scanning networks, detecting computers, and finding open ports. But using Nmap on a public network with default options is foolish. For one, it puts a lot of stress on the hosts being scanned. Secondly, it is easily detectable and blockable by system admins. Finally, it is slow when the number of targets is very large (10,000). Netmap1 looks only for the ports that are useful in identification of computers.
The first command used is nmap which generates an xml file with hosts up and down.
nmap -sP -oX ping1.xml --host_timeout 1000 $IPThis command can be run as a user or as root, with different methods for each. Depending on security, it may be advisable to run as root.
I recommend not using the --randomize_hosts option. Although it would be useful, it is broken in the current revision (3.93).
The second command is parse_ping1.py. This parses the output of the previous command and creates a shell file to scan hosts.
python parse_ping1.py ping1.xml port1_In the script, scan_full1.sh, we output this command to a file and then execute it.
The output of the previous command looks like this.
nmap -sS -P0 -T2 \ -p "21,22,23,25,37,53,80,113,135,139,443,445,\ 1025,1433,3306,3389,5800,5900,6000,6881-6889" \ -oX port1_192.168.0.1.xml 192.168.0.1The option -sS (Stealth SYN Scan) requires root. If you do not wish to use root, you can use -sT (Connect Scan) instead by modifying the script.
Using -p with the various ports ensures that the command finishes as fast as possible.
The last command simply prints the ports in the XML in case you missed them. If you are using MySQL, it inserts the ports into the database.
python parse_port1.py port1_192.168.0.1.xmlA sample network map database created with Netmap1 can be found here: Netmap1
Edit scan_full1.sh and run.
More detailed information coming soon.