Nmap for scanning your infrastructure
Description
In this post I would like to share a small solution that checks your infrastructure for open ports other than the ones you explicitly want open.
Explanation
– The proposed solution is a small implementation that checks your infrastructure, on a regular basis or whenever necessary, for newly opened ports and services. Any infrastructure is dynamic: services are added and removed all the time, which makes exposure hard to track, so you need such a solution in order to avoid unnecessary exposure.
– The machine that does the job has to be located outside your infrastructure. This is important because only a machine outside will have the same view of your infrastructure as the rest of the world.
Usually you can use a machine from the cloud, for example one located on Amazon. On Amazon, be aware that you can’t use a micro instance, and before you start scanning or checking for vulnerabilities you have to ask Amazon for permission.
All necessary steps are at the following link: https://aws.amazon.com/security/penetration-testing/.
– In the proposed implementation we store all scan results and the script itself, called scan.sh, in a new directory called scans located under /:
mkdir -p /scans/archives/
In our example we have 4 data-centers that expose their services to the world.
The data-centers use the following address ranges: 10.1.0.0/16, 10.2.0.0/16, 10.3.0.0/16, 10.4.0.0/16.
I chose these addresses on purpose from the private IP space because I want to avoid using public ones. If you use this script you have to use your own address spaces.
Some observations
– Always use your own addresses as the destination of the scanning. Some infrastructures use IDSs or other tools like netflow/sflow to detect scanning; they can consider these scans attacks and react to them.
– This tool is for protecting yourself. The Internet should be an ethical place, and keep in mind that if you do something bad the same thing can happen to you, by the action/reaction principle.
– nmap can also be used for some basic vulnerability checking. I’ll cover that in one of the following posts: https://nmap.org/book/nse.html
Implementation
#!/bin/bash
DATA=$(date +"%m-%d-%Y-%H-%M")
# one directory per run for the raw results, plus the archive directory
mkdir -p "/scans/nmap_$DATA" /scans/archives
# DC1,DC2,DC3,DC4 scanning: one nmap per data-center, all in the background
# -sS (SYN scan) needs root; -oN writes nmap's normal output to the given file
nmap -sS -oN "/scans/nmap_$DATA/10.1_DC1" 10.1.0.0/16 > /dev/null 2>&1 &
nmap -sS -oN "/scans/nmap_$DATA/10.2_DC2" 10.2.0.0/16 > /dev/null 2>&1 &
nmap -sS -oN "/scans/nmap_$DATA/10.3_DC3" 10.3.0.0/16 > /dev/null 2>&1 &
nmap -sS -oN "/scans/nmap_$DATA/10.4_DC4" 10.4.0.0/16 > /dev/null 2>&1 &
# poll until no nmap process is left, then archive the whole run
while pgrep -x nmap > /dev/null; do
    sleep 10
done
tar zcvf "/scans/archives/nmap_report_$DATA.tar.gz" "/scans/nmap_$DATA/"
- Depending on how big your network is, these scans can take very long, so we run them in the background.
- The while loop checks whether any nmap instance is still running. Once none is running, the results are archived.
- These archives can be sent by email or by scp/ftp transfer to your infrastructure. This part is not covered.
- The same script can be used for scanning only certain ports. For example, you can modify the nmap command as follows in order to scan the best-known services, like ftp, ssh and plain and ssl web:
nmap -sS -p20,21,22,80,443,8022 -oN "/scans/nmap_$DATA/10.1.0.0_DC1" 10.1.0.0/16 > /dev/null 2>&1 &
- Usually I run this script twice per month and whenever necessary. You can add the script to cron by following these steps: create the file scan in /etc/cron.d (make sure /scans/scan.sh is executable) so that cat /etc/cron.d/scan shows:
0 1 15,28 * * root /scans/scan.sh
Don’t forget to restart the cron service.