Network Mapping
by Joel R. Voss aka. Javantea
Nov 11-13, 2005

NetMap2 0.2.2 Source [sig]
NetMap1 0.2.1 Source [sig]


Netmap1 Neg9 Talk
Netmap2 Neg9 Talk
Netmap2 Neg9 Project

The Network Mapping project (also known as Neg9 UW Network Project) plans to develop tools to report on the usage of public networks through active scanning of ports. The first two tools are known as Netmap1, which uses Nmap to discover available hosts and the open ports on those hosts. Netmap1 involves two tools that can be run as part of a script. and are run by the script The output of the script is a set of XML files and records in a MySQL database.

Since running a MySQL server concurrently while scanning ports is an ironic security vulnerability, the two tools can run without reporting to MySQL and will produce XML files that can be tarred, encrypted, and transported to a secure local network where the data can be imported into the database.


Netmap1 requires Nmap, Python, MySQL for Python, Bash, and a MySQL server.

There is a bug in certain wireless drivers that will result in a full kernel hang when running Nmap in certain configurations used in Netmap1. This is a bug in the wireless driver. Use at your own risk.


Nmap is a very useful program for scanning networks, detecting computers, and finding open ports. But using Nmap on a public network with default options is foolish. For one, it puts a lot of stress on the hosts being scanned. Secondly, it is easily detectable and blockable by system admins. Finally, it is slow when the number of targets is very large (10,000). Netmap1 looks only for the ports that are useful in identification of computers.

The first command is an Nmap ping scan, which generates an XML file listing which hosts are up and which are down.

nmap -sP -oX ping1.xml --host_timeout 1000 $IP

This command can be run as a user or as root, with different methods for each. Depending on security, it may be advisable to run as root.

I recommend not using the --randomize_hosts option. Although it would be useful, it is broken in the current revision (3.93).

The second command is This parses the output of the previous command and creates a shell file to scan hosts.

python ping1.xml port1_

In the script,, we output this command to a file and then execute it.

The output of the previous command looks like this.

nmap -sS -P0 -T2 \
-p "21,22,23,25,37,53,80,113,135,139,443,445,\
1025,1433,3306,3389,5800,5900,6000,6881-6889" \
-oX port1_192.168.0.1.xml

The option -sS (Stealth SYN Scan) requires root. If you do not wish to use root, you can use -sT (Connect Scan) instead by modifying the script.

Using -p with the various ports ensures that the command finishes as fast as possible.

The last command simply prints the ports in the XML in case you missed them. If you are using MySQL, it inserts the ports into the database.

python port1_192.168.0.1.xml

A sample network map database created with Netmap1 can be found here: Netmap1
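
The last step described above (reading a port-scan XML file and listing its open ports) can be sketched as follows. This is an added example, not Netmap1's own code: the function name open_ports and the sample XML are constructed for illustration, and the sample follows the layout of Nmap's -oX output.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the shape of Nmap's -oX output (not real scan data).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="192.168.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
      <port protocol="tcp" portid="445"><state state="closed"/></port>
    </ports>
  </host>
</nmaprun>"""


def open_ports(xml_text):
    """Return sorted (ip, protocol, port, service) rows for every open port."""
    rows = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue
        # A host may also carry <address addrtype="mac"/>; keep IP addresses only.
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), None)
        if addr is None:
            continue
        # Reject anything that is not a well-formed address before storing it.
        ip = str(ipaddress.ip_address(addr))  # raises ValueError if malformed
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed and filtered ports are not reported
            service = port.find("service")
            name = service.get("name", "") if service is not None else ""
            rows.append((ip, port.get("protocol"), int(port.get("portid")), name))
    return sorted(rows)


if __name__ == "__main__":
    for row in open_ports(SAMPLE_XML):
        print("%s %s/%d %s" % row)
```

The returned tuples can be handed to a parameterized INSERT (for example cursor.executemany in MySQL for Python) so that values read from the XML files are never formatted into SQL text.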


Edit and run.
More detailed information coming soon.

