
Penetration Testing : NMAP.XML to TAB

Following up on my last Nmap post: processing port scan data in a meaningful manner is essential to network penetration testing. For those who wish to skip the SQL stage and get quick results, the following bash one-liner uses xmlstarlet to parse an Nmap XML file (the $'\t' arguments are bash quoting for a literal tab):

xmlstarlet sel -T -t -m "//state[@state='open']" -m ../../.. -v address/@addr -m hostnames/hostname -i @name -o ' (' -v @name -o ')' -b -b -b -o $'\t' -m .. -v @portid -o '/' -v @protocol -o $'\t' -m service -v @name -i "@tunnel='ssl'" -o 's' -b -o $'\t' -v @product -o ' ' -v @version -o ' ' -v @extrainfo -b -n nmap.xml

into the following tab-delimited format (the last column is the service's product, version and extrainfo joined by spaces):

IP (HOST)\tPORT/PROTOCOL\tSERVICE\tPRODUCT VERSION EXTRAINFO

This command orders the ports correctly, but not the hosts. To fix that, pipe the above command into the following (GNU sed, for the \t escapes):

sed -E 's_^([^\t ]*)( \([^)]*\))?\t([^\t ]*)_\1.\3\2_' | sort -n -t. -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 | sed -E 's_^(([0-9]{1,3}\.){3}[0-9]{1,3})\.([^ \t]*)( \([^)]*\))?_\1\4\t\3_'

This pipeline converts lines that look like IP (HOST)\tPORT into IP.PORT (HOST), sorts them numerically on each octet and then the port, and converts them back to IP (HOST)\tPORT. From there, it is simply a matter of grepping for your favorite service. For example, if you wanted to focus on web penetration testing, all you would have to do is pipe the above to:

grep -i -e http

To get a list of services relevant to your testing. Happy Hacking.
