This script creates a Bash or DOS script to scan networks using Nmap Security Scanner or Masscan.
If Nmap is selected, then the created Bash or DOS script performs four scans. The first two Nmap commands scan
only the most promising TCP and UDP ports, which are specified in the script's configuration file (see
createscanfile.config),
sections InterestingTcpPorts and InterestingUdpPorts. Afterwards, in case of TCP, all remaining TCP ports are
scanned. The final command scans the remaining top 100 UDP ports (use --top-udp flag to change this default
configuration).
If Masscan is selected, then the created Bash script (no DOS support) performs two scans. The first scan, scans
all targets for the most promising TCP ports (see InterestingTcpPorts) and the second scans all TCP ports.
As we want to manually start penetration testing as soon as possible, we would like to have scan results as fast as possible. Consequently, this script creates a Nmap or Masscan scan script file, which first scans the most promising services (e.g., FTP, HTTP, SMB, etc.) and afterwards continues scanning the remaining ports.
Note that this script only creates Nmap and Masscan script files but does not execute the Nmap or Masscan scripts directly for the following two reasons:
- On the scan machine itself, just Nmap or Masscan and not Python3 must be installed
- After the generation of the Nmap or Masscan script, penetration testers are still able to review and customize the Nmap or Masscan scripts to their specific needs
This section summarize the standard operating procedures (SOP) for Masscan and Nmap.
In internal penetration tests, we eventually want to start scanning hosts that definitely exist. This can be
accomplished by using the computer information collected via Sharphound3.
The following Bash command documents how we can query all enabled computer names from the Neo4j database and store the
results in the file hosts.txt.
kali@kali:~$ cypher-shell --format plain -u neo4j 'MATCH(c:Computer{enabled: true}) WHERE c.name IS NOT NULL RETURN c.name;' | grep -v c.name | sed -e's/\"//g' > hosts.txtThe hosts.txt can then be used as input for the scan (see below). When these scans are completed, then we can
continue scanning the remaining IP addresses to be as complete as possible.
The following example documents the SOP for scanning a network using Masscan.
First, we create the template scan script file using the following command or download the latest version:
kali@kali:~$ python3 createscanscript.py --bash masscan > runmasscan.shNote that if we are dealing with a local network where our own IP addresses are also within the scope, we can also use
argument --exclude to exclude these IP addresses from the scan.
Before executing the script, we review the content of the newly created scan file runmasscan.sh and if desired, change
variable masscan_options (e.g., remove option -Pn or update rate limit). In addition, it might be desired to remove
certain scans (like remaining TCP ports). If everything is alright, we start the scan by executing the following
commands:
kali@kali:~$ chmod +x runmasscan.sh
# scan all hosts mentioned in file hosts.txt via network interface eth0
kali@kali:~$ sudo ./runmasscan.sh eth0 hosts.txt
# or execute scan on single host
kali@kali:~$ ./runmasscan.sh eth0 127.0.0.1As mentioned before, this script executes two Masscan scans. For each scan, the script creates one XML file. As soon as one of the scans finishes, you can start doing your vulnerability analysis. Alternatively, you can import the created XML file(s) into the Kali Intelligence Suite (KIS), as depicted below. For more information about KIS, refer to README.
kali@kali:~$ kismanage workspace -a $workspace
kali@kali:~$ kismanage scan -w $workspace --masscan *.xml
[*] importing XML file: masscan-tcp-all_hosts.txt.xml
[*] importing XML file: masscan-tcp-interesting_hosts.txt.xmlThe following example documents the SOP for scanning a network using Nmap.
For external and remote networks, we can determine the maximum round trip time (RTT) by sending 20 SYN packets to a known open port of one of the hosts within the target network range.
kali@kali:~$ hping3 -c 20 --syn -p 80 $target
[...]
round-trip min/avg/max = 10.2/20.1/35.4 msAfterwards, we create the Nmap scan file and specify the measured maximum RTT (see previous command) as value for the
--avg-rtt argument. Based on this argument, the script will compute the Nmap timing according to the blog post
Timing and Performance. Alternatively, we can download and use the
latest version:
kali@kali:~$ python3 createscanscript.py --bash nmap --avg-rtt 35 --udp-port 100 > runnmap.shNote that if we are dealing with a local network where our own IP addresses are also within the scope, we can also use
argument --exclude to exclude these IP addresses from the scan.
Before executing the script, review the content of the newly created scan file runnmap.sh and if desired, change
variable nmap_options (e.g., remove option -Pn or add -T4). In addition, it might be desired to remove
certain scans (like remaining TCP ports). If everything is alright, we start the scan by executing the following
commands:
kali@kali:~$ chmod +x runnmap.sh
# scan all hosts mentioned in file hosts.txt via network interface eth0
kali@kali:~$ ./runnmap.sh eth0 hosts.txt
# or execute scan on single host
kali@kali:~$ ./runnmap.sh eth0 127.0.0.1As mentioned before, this script executes four Nmap scans. Each scan, the script creates three output files (nmap, gnmap, and xml). As soon as one of the scans finishes, you can start doing your vulnerability analysis. Alternatively, you can import the created XML file(s) into the Kali Intelligence Suite (KIS), as depicted below. For more information about KIS, refer to README.
kali@kali:~$ kismanage workspace -a $workspace
kali@kali:~$ kismanage scan -w $workspace --nmap *.xml
[*] Importing XML file: nmap-udp-remaining-top100_hosts.txt.xml
[*] Importing XML file: nmap-tcp-remaining_hosts.txt.xml
[*] Importing XML file: nmap-tcp-interesting_hosts.txt.xml
[*] Importing XML file: nmap-udp-interesting_hosts.txt.xmlLukas Reiter (@chopicalquy) - Scan Script Creator
This project is licensed under the GPLv3 License - see the LICENSE file for details.