parse-nmap.py

Di 03 Mai 2016 by Christoph Bleß en de  Tags nmap / Python / parse-nmap / parse-nmap.py

Parse-nmap is a tool which parses nmap scan results (only XML) from a file. By using parse-nmap it is possible to filter the results by platform or ip. It is also possible to generate a target-list whith the resulting IPs or export the results as a LaTeX table (I used this feature to generate some tables for my OSCP-Report). In this post I will give you some examples to demonstrate the available options of parse-nmap. The script is available in my account on bitbucket.org.

For the following examples we assume that we run a nmap scan to scan the top rated TCP ports and perform a version scan on these ports. The results will be stored in a file called lab-top-ports.xml (see the first code example).

prompt$ nmap -sS -sV --top-ports 20 -oA lab-top-ports <IPs>

Display Options

brief list

The following example shows a brief list of all hosts in the specified nmap file. The first four lines display some information about the number of hosts in the file and the number of hosts after filtering. The brief output lists three colomns per host. The first column contains the IP, the second column contains the hostname (or localhost if the name is not available). The last column contains the OS String (if available).

prompt$ parse-nmap.py lab-top-ports.xml
# number of hosts in the report: 6
# number of hosts after IP filter: 6
# number of hosts after OS and IP filter: 6
# number of hosts after OS, IP and port filter: 6
192.168.56.10 localhost Microsoft Windows XP SP2 or SP3
192.168.56.101 localhost Linux 2.6.32 - 3.10
192.168.56.102 localhost Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, or Windows 8
192.168.56.103 localhost Linux 2.4.9 - 2.4.18 (likely embedded)
192.168.56.200 localhost Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, or Windows 8
192.168.56.250 localhost Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, or Windows 8

print-ports

If you want to know which ports are open you can use the parameter -p. This option displays the open ports for each host.

prompt$ parse-nmap.py -p lab-top-ports.xml
# number of hosts in the report: 6
# number of hosts after IP filter: 6
# number of hosts after OS and IP filter: 6
# number of hosts after OS, IP and port filter: 6
#===============================================================================
IP:     192.168.56.10
Hostname:   localhost
OS:     Microsoft Windows XP SP2 or SP3
#-------------------------------------------------------------------------------
135 tcp msrpc product: Microsoft Windows RPC ostype: Windows
139 tcp netbios-ssn 
445 tcp microsoft-ds product: Microsoft Windows XP microsoft-ds ostype: Windows

#===============================================================================
IP:     192.168.56.101
Hostname:   localhost
OS:     Linux 2.6.32 - 3.10
#-------------------------------------------------------------------------------
22 tcp ssh product: OpenSSH version: 6.6.1 extrainfo: protocol 2.0
80 tcp http product: Apache httpd version: 2.4.6 extrainfo: (CentOS) PHP/5.4.16
8080 tcp tcpwrapped 

Filter options

Filter open TCP and UDP ports

With parse-nmap it is possible to filter hosts by open TCP (Option -t or --tcp) or UDP (option -u or --udp) ports. The following example will only display ports with an open TCP port 22.

prompt$ parse-nmap.py -p -t 22 lab-top-ports.xml
# number of hosts in the report: 6
# number of hosts after IP filter: 6
# number of hosts after OS and IP filter: 6
# number of hosts after OS, IP and port filter: 2
#===============================================================================
IP:     192.168.56.101
Hostname:   localhost
OS:     Linux 2.6.32 - 3.10
#-------------------------------------------------------------------------------
22 tcp ssh product: OpenSSH version: 6.6.1 extrainfo: protocol 2.0
80 tcp http product: Apache httpd version: 2.4.6 extrainfo: (CentOS) PHP/5.4.16
8080 tcp tcpwrapped 

#===============================================================================
IP:     192.168.56.103
Hostname:   localhost
OS:     Linux 2.4.9 - 2.4.18 (likely embedded)
#-------------------------------------------------------------------------------
22 tcp ssh product: OpenSSH version: 3.1p1 extrainfo: protocol 1.99

Filter hosts by platform

In addition to the port filter it is possible to filter hosts by a specifiy platform, such as Windows or Linux. If you want to do this you need to the option -f or --os-familiy.

prompt$ parse-nmap.py -p -f Windows lab-top-ports.xml
# number of hosts in the report: 6
# number of hosts after IP filter: 6
# number of hosts after OS and IP filter: 4
# number of hosts after OS, IP and port filter: 4
#===============================================================================
IP:     192.168.56.10
Hostname:   localhost
OS:     Microsoft Windows XP SP2 or SP3
#-------------------------------------------------------------------------------
135 tcp msrpc product: Microsoft Windows RPC ostype: Windows
139 tcp netbios-ssn 
445 tcp microsoft-ds product: Microsoft Windows XP microsoft-ds ostype: Windows

#===============================================================================
IP:     192.168.56.102
Hostname:   localhost
OS:     Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, or Windows 8
#-------------------------------------------------------------------------------
135 tcp msrpc product: Microsoft Windows RPC ostype: Windows
139 tcp netbios-ssn 
445 tcp netbios-ssn 
1025 tcp msrpc product: Microsoft Windows RPC ostype: Windows

...

Filter by IP

To filter hosts by IP yout can use the option -r.

prompt$ parse-nmap.py -p -r 192.168.56.10 lab-top-ports.xml
# number of hosts in the report: 6
# number of hosts after IP filter: 1
# number of hosts after OS and IP filter: 1
# number of hosts after OS, IP and port filter: 1
#===============================================================================
IP:     192.168.56.10
Hostname:   localhost
OS:     Microsoft Windows XP SP2 or SP3
#-------------------------------------------------------------------------------
135 tcp msrpc product: Microsoft Windows RPC ostype: Windows
139 tcp netbios-ssn 
445 tcp microsoft-ds product: Microsoft Windows XP microsoft-ds ostype: Windows

Using parse-nmap with other tools

generating target lists

You can use parse-nmap to generate target lists for use as input for other tools. The default delimiter is a space, but this can be changed by using option -d or --list-delimiter. The following examples show all hosts which are running a Windows OS with an open TCP port 445. The first one uses the default delimeter the second one uses the delimiter "," to separate the hosts.

prompt$ parse-nmap.py -f Windows -t 445 --list lab-top-ports.xml
192.168.56.10 192.168.56.102 192.168.56.200 192.168.56.250
prompt$ parse-nmap.py -f Windows -t 445 --list -d "," lab-top-ports.xml
192.168.56.10,192.168.56.102,192.168.56.200,192.168.56.250

write target lists to file

If you need the target list as file with one target per line (e.g. if you use onesixtyone), you can use option --list-file. We assume that you perfomed a namp scan for open UDP port 161 and want to generate a target file for onesixtyone. You can do this with the following command:

prompt$ parse-nmap.py -u 161 --list-file targetlist udp.xml

parse-nmap as input for nmap

The following example uses parse-nmap as input for nmap to perform a vulnscan on port 445 on all host which are running on a Windows platform.

prompt$ nmap -sV -p 445 --script=vuln --script-args=unsafe=1 $(parse-nmap.py -f Windows -t 445 --list lab-top-ports.xml)