Introduction
Nmap is an extremely powerful tool for portscanning. However, its primary job is not to make the output look pretty, which is why it will output to XML where you can use a neat little perl library called NmapParse. New features will even allow you to call nmap from within your perl script.
The Problem
So lets say that you want to scan an entire subnet and look for web servers in preparation for putting it behind a firewall. You could just run nmap and look for open ports 80 and 443. It would be difficult to distinguish public web servers, printers, and any other device that runs a web server. For this you need to use the Nmap option “-sV” to grab the banner. You then want to have some grepable output to produce some sort of report for the local admin or for your own purpose (like a penetration test). The Nmap command to do this would be:


nmap -sV -oG report.out -p 80,443 192.168.1.1-254

The results are pretty ugly as most of us have recognized. The fields are separated by “/” and the number of fields tends to vary making it difficult to parse reliably.


Host: 192.168.1.16 (snowblood.pauldotcom.com) Ports: 80/open/tcp//http?///, 443/closed/tcp//https///
Host: 192.168.1.87 (zatoichi.pauldotcom.com) Ports: 80/open/tcp//http//Microsoft IIS webserver 5.0/, 443/closed/tcp//https///
Host: 192.168.1.140 (azumi.pauldotcom.com) Ports: 80/open/tcp//http//Apache httpd 1.3.33 ((Darwin) mod_jk|1.2.2)/, 443/filtered/tcp//https///
Host: 192.168.1.141 (izo.pauldotcom.com) Ports: 80/open/tcp//http?///, 443/filtered/tcp//https///
Host: 192.168.1.15 (shinobi.pauldotcom.com) Ports: 80/open/tcp//http//Apache httpd 1.3.28 ((Unix))/, 443/closed/tcp//https///

Using NmapParse
You can download NmapParse from their web site at http://npx.sourceforge.net/. The most recent versions are much improved, and even include functions to run nmap from within your perl script. This makes it easy to run a scan and parse the results, now we don’t have to save out an xml file to parse, making for a much cleaner solution. My script, as ugly as it is, seems to work pretty good:


# ./nmapparse.pl -i 192.168.1.1-254
nmapparse.pl – ( paul@hacknaked.tv )
————————————————–
Hostname : hunggar.pauldotcom.com
Address : 192.168.1.55
Service : 80 (http) HP Jetdirect httpd
————————————-
Hostname : longfist.pauldotcom.com
Address : 192.168.1.30
Service : 80 (http-mgmt) HP LaserJet Embedded webserver: Agranat-EmWeb 5.2.6
————————————-
Hostname : wingchun.pauldotcom.com
Address : 192.168.1.16
Service : 80 (http) HP JetDirect printer webadmin HP-ChaiServer 3.0
————————————-
Hostname : bagua.pauldotcom.com
Address : 192.168.1.98
Service : 80 (http) AXIS 1440 print server http config
————————————-
Hostname : choylayfut.pauldotcom.com
Address : 192.168.1.88
Service : 80 (http) Apache httpd 1.3.22 (Unix) mod_perl/1.25
————————————-

It was pretty easy to code up and make it look pretty. There is a lot more that could be added here, and NmapParse makes it pretty easy to do so. If you modify it, or create your own script please share it with the rest of us!
Download the full script here
Happy Nmaping!
.com

About the author

Paul Asadoorian is the Founder & CEO of Security Weekly, where the flagship show recently re-titled "Paul's Security Weekly" has been airing for over 8 years. By day he is the Product Evangelist for Tenable Network Security. Paul produces and hosts the various shows here at Security Weekly, all dedicated to providing the latest security news, interviews with the industries finest and technical how-to segments. Paul is also the founder and host of "The Stogie Geeks Show", featuring cigar reviews for cigar enthusiasts.