Nmap Network Exploration and Security Auditing Cookbook, Third Edition - Third Edition


Product type Book
Published in Sep 2021
Publisher Packt
ISBN-13 9781838649357
Pages 436 pages
Edition 3rd Edition
Author: Paulino Calderon


Chapter 12: Generating Scan Reports

Scan reports are useful to both penetration testers and system administrators in many situations, such as listing assets or communicating potential issues. Unfortunately, a common mistake made by both is not to use the reporting capabilities within Nmap to speed up the generation of the documentation.

Nmap can write the scan results in several formats, and it is up to the user whether to generate an HTML report, read it from a scripting language, or import it into a third-party security tool to continue the security testing. In this chapter, we will cover different tasks related to storing and processing scan reports. We start by introducing the different file formats supported by Nmap. Then, we move on to tips, such as using Zenmap to generate a network topology graph, reporting vulnerability checks, and generating reports in formats not officially supported, as well as visualizing reports with third-party tools. After going through the tasks...

Saving scan results in a normal format

Nmap supports different formats to save scan results. Depending on your needs, you can choose between normal, XML, and grepable output. If you don't set an output option explicitly, normal output mode is used by default. Normal mode saves the output as you see it on your screen but the runtime information is commented out and warnings are removed. This mode presents the findings in a well-structured and easy-to-understand manner for humans. Keep in mind that there are better options to parse information from a report. This recipe shows you how to save Nmap scan results to a file in normal mode.

How to do it...

To save the scan results to a file in a normal output format, add the -oN <filename> option. This option only affects the output format and can be combined with any port or host scanning technique:

$ nmap -oN <output file> <target>

After the scan is complete, the output should be saved in the specified...

Saving scan results in an XML format

Extensible Markup Language (XML) is a widely known, tree-structured file format supported by Nmap. Scan results can be exported or written into an XML file and used for analysis or other additional tasks. This is one of the preferred file formats because all programming languages have very solid libraries for parsing XML and it is widely supported by third-party security tools.

The following recipe teaches you how to save scan results in XML format.

How to do it...

To save the scan results to a file in XML format, add the -oX <filename> option as shown in the following command:

$ nmap -oX <filename> <target>

After the scan is finished, the new file containing the results will be written:

$ nmap -p80 -oX scanme.xml scanme.nmap.org
$ cat scanme.xml

You will get the following output:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file...

Saving scan results to a SQLite database

Developers store information in SQL databases because it is convenient for handling and extracting information with flexible SQL queries. However, Nmap does not support storing results in SQL databases. PBNJ is a set of tools for network monitoring that uses Nmap to detect hosts, ports, and services.

The following recipe will show you how to store scan results in SQLite and MySQL databases.

Getting ready

PBNJ is a set of tools designed to monitor network integrity written by Joshua D. Abraham. If you are running a Debian-based system, you can install it with the following commands:

# cpan -i Shell
# apt-get install pbnj

To learn the requirements of and how to install PBNJ on other systems that support Perl, go to http://pbnj.sourceforge.net/docs.html.

How to do it...

Run scanpbnj and use the -a option to set your Nmap arguments:

# scanpbnj -a <Nmap arguments> <target>

To run a fast scan against the 0xdeadbeefcafe...

Saving scan results in a grepable format

Nmap supports different file formats when saving the results of a scan. Depending on your needs, you may choose between the normal, grepable, and XML formats. The grepable format was included to help users extract information from logs without having to write a parser, as this format is meant to be read/parsed with standard Unix tools. Although this feature is deprecated, some people still find it useful to do quick jobs. In the following recipe, we will show you how to output Nmap scans in grepable format.

How to do it...

To save the scan results to a file in grepable format, add the -oG <filename> option, as shown in the following command:

$ nmap -oG <output file> <target>

The output file should appear after the scan is complete:

$ nmap -F -oG scanme.grep scanme.nmap.org
$ cat scanme.grep
# Nmap 7.40SVN scan initiated Thu Dec 29 15:21:44 2016 as: nmap -F -oG scanme.grep scanme.nmap.org
Host: 45.33.32.156 (scanme...
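
Each grepable Host line is a set of tab-separated fields, and each entry in the Ports field is a slash-separated tuple. The following is an added example, not code from the book, written in Python rather than grep/awk; it extracts open ports and compares them with an earlier baseline to flag newly exposed services. The function names and the sample data are assumptions made for illustration.

```python
# Constructed sample in -oG layout (tab-separated fields; not a real scan).
SAMPLE_GREP = (
    "# Nmap scan initiated as: nmap -F -oG scanme.grep scanme.example\n"
    "Host: 192.0.2.10 (scanme.example)\tStatus: Up\n"
    "Host: 192.0.2.10 (scanme.example)\tPorts: 22/open/tcp//ssh///, "
    "80/open/tcp//http///, 443/closed/tcp//https///\t"
    "Ignored State: filtered (97)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned\n"
)


def open_ports(grep_text):
    """Map each host address to a sorted list of open (port, proto, service)."""
    result = {}
    for line in grep_text.splitlines():
        if not line.startswith("Host: "):
            continue  # skip the commented runtime information
        fields = line.split("\t")
        addr = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(","):
                # port/state/protocol/owner/service/rpc info/version/
                parts = entry.strip().split("/")
                if len(parts) < 5 or parts[1] != "open":
                    continue
                result.setdefault(addr, []).append(
                    (int(parts[0]), parts[2], parts[4]))
    return {host: sorted(ports) for host, ports in result.items()}


def newly_open(before, after):
    """Ports open in `after` that were not open in `before`, per host."""
    diff = {}
    for host, ports in after.items():
        added = [p for p in ports if p not in before.get(host, [])]
        if added:
            diff[host] = added
    return diff


if __name__ == "__main__":
    baseline = {"192.0.2.10": [(22, "tcp", "ssh")]}  # constructed earlier scan
    print(newly_open(baseline, open_ports(SAMPLE_GREP)))
```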

Generating a network topology graph with Zenmap

Zenmap's Topology tab allows users to obtain a graphical representation of the network. Network diagrams are used for several tasks in IT, and we can save ourselves from having to draw the topology with third-party tools by exporting the topology graph of networks with Nmap. This tab includes several visualization options to tweak the view of the graph.

This recipe will show you how to generate an image of your network topology with Zenmap.

How to do it...

Scan the network that you wish to map, adding the --traceroute option in Zenmap:

# nmap -sV --traceroute scanme.nmap.org

Go to the tab named Topology. You should see the topology graph now, as shown in the following screenshot:

Figure 12.1 – Example of network topology view

In this view, you may rearrange the location of the nodes and apply a few different visualization styles. When you are happy with the layout, click on Save Graphic...

Generating HTML scan reports

HTML pages are sometimes more convenient than other file formats; they can be viewed in the web browsers that are shipped with most devices nowadays. For this reason, users might find it useful to generate scan reports in HTML and upload them somewhere for easy access.

The following recipe will show you how to generate an HTML report from an XML results file.

Getting ready

For this task, we will use an XSLT processor tool. There are a few options available for different platforms, but the most popular one for Unix systems is named xsltproc; if you are running a modern Linux, there is a good chance that you already have it installed. xsltproc also works on Windows, but it requires that you add some additional libraries to your system.

If you are looking for other cross-platform XSLT (and XQuery) processors, which are easier to install on Windows, go to http://saxon.sourceforge.net/. They offer a free version of a Java-based solution named Saxon...

Reporting vulnerability checks

Nmap can be used as a vulnerability scanner with the help of some NSE scripts. While this is not Nmap's main objective, the vulnerability detection scripts available are great. The NSE vuln library manages and unifies the output of the vulnerability checks performed by NSE.

This recipe will show you how to make Nmap report the vulnerability checks performed during a scan.

How to do it...

Launch the NSE scripts in the vuln category against your target:

$ nmap -sV --script vuln <target>

If Nmap finds a vulnerability, it will be included in the report:

| smb2-vuln-uptime:
|   VULNERABLE:
|   MS17-010: Security update for Windows SMB Server
|     State: LIKELY VULNERABLE
|     IDs:  ms:ms17-010  CVE:2017-0147
|       This system is missing a security update that resolves vulnerabilities in
| ...

Generating PDF reports with fop

Users may also generate Nmap scan reports in PDF format. While Nmap does not support generating PDF reports out of the box, we could use a tool named fop to achieve this task.

The following recipe will show you how to generate PDF scan reports.

Getting ready

Format Object Printer (fop) is an Apache project used in this task to convert from XSL Formatting Objects (XSL-FO) to a PDF file. You need to install this software before continuing. Please download it from http://www.apache.org/dyn/closer.cgi/xmlgraphics/fop and place the binary in your system path.

You will also need a style sheet shipped with Nmap. Please locate the nmap-fo.xsl file in your Nmap installation directory. If you don't have it, you may download it from https://github.com/nmap/nmap/blob/master/docs/nmap-fo.xsl.

How to do it...

Scan your target and save the output in XML mode:

$ nmap -oX scanme.xml scanme.nmap.org

Now we use fop to apply the XSL style sheet...

Saving NSE reports in Elasticsearch

Elasticsearch is a distributed NoSQL database used for handling large amounts of records. For internet-wide scanning, it could be a good idea to store our results in an Elasticsearch instance. Nmap does not support exporting results directly into Elasticsearch; however, we can achieve this task with some help from xmlstarlet.

The following recipe will show you how to generate JSON objects that can be inserted into an Elasticsearch instance.

Getting ready

For this task, we need to use a set of tools named XMLStarlet to work with XML documents. In Debian-based systems, you may install it with the following command:

# apt-get install xmlstarlet

For other systems, visit the XMLStarlet official website for installation instructions at http://xmlstar.sourceforge.net/.

How to do it...

  1. Scan your target and save the output in XML mode:
    $ nmap -sC -oX scanme.xml scanme.nmap.org
  2. Now run the following xmlstarlet command using as...
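
The XML output described earlier in this chapter can also be turned into Elasticsearch documents with a scripting language. The following is an added example, not code from the book, that uses Python's standard library instead of xmlstarlet to emit one JSON object per NSE script result in the layout of the Elasticsearch _bulk API. The index name, function names, and sample XML are assumptions made for illustration.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample shaped like `nmap -sC -oX` output (not a real scan).
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sC -oX scanme.xml scanme.example">
<host><status state="up"/>
  <address addr="192.0.2.10" addrtype="ipv4"/>
  <ports>
    <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/>
      <script id="ssh-hostkey" output="2048 aa:bb:cc (RSA)"/></port>
    <port protocol="tcp" portid="80"><state state="open"/><service name="http"/>
      <script id="http-title" output="Go ahead &quot;and&quot; ScanMe!"/></port>
    <port protocol="tcp" portid="443"><state state="closed"/></port>
  </ports>
</host></nmaprun>"""


def nse_documents(xml_text):
    """Yield one flat dict per NSE script result on an open port."""
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), None)
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            service = port.find("service")
            for script in port.findall("script"):
                yield {
                    "ip": addr,
                    "port": int(port.get("portid")),
                    "protocol": port.get("protocol"),
                    "service": service.get("name") if service is not None else None,
                    "script": script.get("id"),
                    "output": script.get("output"),
                }


def to_bulk(docs, index="nmap-nse"):
    """Build a _bulk body: action line + source line per doc (index name assumed)."""
    action = json.dumps({"index": {"_index": index}})
    return "".join(f"{action}\n{json.dumps(doc, sort_keys=True)}\n" for doc in docs)


if __name__ == "__main__":
    print(to_bulk(nse_documents(SAMPLE_XML)), end="")
```

NSE script output is text controlled by the scanned host, so it is serialised with json.dumps rather than pasted into a JSON template; quotes and control characters in a banner or page title cannot break the document structure.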

Visualizing Nmap scan results with IVRE

IVRE (https://ivre.rocks/) is an open source framework for network reconnaissance. It was specially designed for mass scans and integrates several tools such as Nmap, ZGrab2, ZDNS, MASSCAN, Zeek, Argus, and nfdump. The results are meant to be analyzed through a web interface and the scans are done and imported through clients.

The following recipe shows how to install, scan, import, and visualize Nmap scan results with IVRE.

Getting ready

The fastest way to get started with IVRE is to use Docker images and Vagrant. Begin by downloading the images for all the components:

# for img in agent base client db web ; do
> docker pull "ivre/$img"
> done

Locate the Vagrantfile in the Docker directory of the source. If you installed the system package, it should be in /usr/share/ivre/docker. Copy the Vagrantfile to your working directory for IVRE and create the following directories:

# mkdir -m 1777 var_{lib,log}_mongodb...