Output Options - Nmap 6 Cookbook: The Fat Free Guide to Network Security Scanning (2015)

Section 9: Output Options

Overview

Nmap offers several options for creating formatted output. In addition to displaying the standard output on a screen, you can also save scan results in a text file, an XML file, or a one-line-per-host “grep-able” file. This feature is helpful when scanning a large number of systems, when feeding results to other tools (XML is the format intended for that), or when comparing the results of two scans using the ndiff utility (discussed in Section 13), which works on XML output.

Summary of features covered in this section:

-oN
Save Output to a Text File

-oX
Save Output to an XML File

-oG
Grepable Output

-oA
Output All Supported File Types

-oS
133t Output

Save Output to a Text File

The -oN parameter saves the results of a scan in a plain text file.

Usage syntax: nmap -oN [scan.txt] [target]

# nmap -oN scan.txt 10.10.4.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 11:27 CST

Nmap scan report for 10.10.4.1

Host is up (0.00016s latency).

Not shown: 999 closed ports

PORT STATE SERVICE

22/tcp open ssh

MAC Address: 00:13:3B:10:54:0E (Speed Dragon Multimedia Limited)

Nmap done: 1 IP address (1 host up) scanned in 1.69 seconds

Saving Nmap output in a text file

The results of the above scan are saved to the scan.txt file shown below.

$ cat scan.txt

# Nmap 6.47 scan initiated Sat Jan 17 11:27:36 2015 as: nmap -oN scan.txt 10.10.4.1

Nmap scan report for 10.10.4.1

Host is up (0.00016s latency).

Not shown: 999 closed ports

PORT STATE SERVICE

22/tcp open ssh

MAC Address: 00:13:3B:10:54:0E (Speed Dragon Multimedia Limited)

# Nmap done at Sat Jan 17 11:27:37 2015 -- 1 IP address (1 host up) scanned in 1.69 seconds

Reviewing the contents of the scan.txt file

Note: Nmap will overwrite an existing output file unless the --append-output option is combined with -oN. The option applies to every output format, but an XML file appended this way is no longer a single well-formed document and will not parse until it is fixed by hand.

Save Output to an XML File

The -oX parameter saves the results of a scan in an XML file.

Usage syntax: nmap -oX [scan.xml] [target]

# nmap -oX scan.xml 10.10.4.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 11:28 CST

Nmap scan report for 10.10.4.1

Host is up (0.00015s latency).

Not shown: 999 closed ports

PORT STATE SERVICE

22/tcp open ssh

MAC Address: 00:13:3B:10:54:0E (Speed Dragon Multimedia Limited)

Nmap done: 1 IP address (1 host up) scanned in 1.69 seconds

Creating an XML output file

The results of the above scan are saved to the scan.xml file shown below.

$ cat scan.xml
<?xml version="1.0"?>

<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>

<!-- Nmap 6.47 scan initiated Sat Jan 17 11:28:48 2015 as: nmap -oX scan.xml 10.10.4.1 -->

<nmaprun scanner="nmap" args="nmap -oX scan.xml 10.10.4.1" start="1421515728" startstr="Sat Jan 17 11:28:48 2015" version="6.47" xmloutputversion="1.04">

[...]

Viewing the contents of the XML output file

Note: The xml-stylesheet line records an absolute path to nmap.xsl on the scanning machine, so the file only renders (in a browser or an XSLT processor) on a system where that path exists. The --webxml parameter can be combined with -oX to reference the copy of nmap.xsl hosted at nmap.org instead, which makes the file portable to any system with internet access. To avoid referencing a style sheet at all, use the --no-stylesheet parameter. Also note that the args attribute of the nmaprun element (and the comment above it) records the complete command line, so anything passed on it, including script arguments, ends up in the output file.
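The following Python script is added here as an example; it is not from the book or from the Nmap project. It reads the XML format with the standard library's xml.etree.ElementTree and extracts, for each host that was up, its addresses, reverse-DNS name and port table, using the element and attribute names Nmap writes (nmaprun, host, status, address, hostnames, ports/port, state, service, runstats/hosts). The sample document is constructed for the example in the layout shown above; the second host, its MAC address and hostname are invented.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout Nmap 6.47 writes (xmloutputversion 1.04),
# modelled on the scan.xml above with a second target added so there is
# something to filter. The second host, its MAC and hostname are invented.
# The <?xml-stylesheet ...?> line of a real file is omitted here.
SAMPLE_XML = """<?xml version="1.0"?>
<!-- Nmap 6.47 scan initiated Sat Jan 17 11:28:48 2015 as: nmap -oX scan.xml 10.10.4.1 10.10.4.40 -->
<nmaprun scanner="nmap" args="nmap -oX scan.xml 10.10.4.1 10.10.4.40" start="1421515728" startstr="Sat Jan 17 11:28:48 2015" version="6.47" xmloutputversion="1.04">
<host starttime="1421515728" endtime="1421515729">
<status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="10.10.4.1" addrtype="ipv4"/>
<address addr="00:13:3B:10:54:0E" addrtype="mac" vendor="Speed Dragon Multimedia Limited"/>
<hostnames/>
<ports>
<extraports state="closed" count="999"/>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh" method="table" conf="3"/></port>
</ports>
</host>
<host starttime="1421515728" endtime="1421515729">
<status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="10.10.4.40" addrtype="ipv4"/>
<address addr="00:0C:29:3A:7B:1C" addrtype="mac" vendor="VMware"/>
<hostnames><hostname name="dc01.example.test" type="PTR"/></hostnames>
<ports>
<extraports state="closed" count="996"/>
<port protocol="tcp" portid="21"><state state="open" reason="syn-ack" reason_ttl="128"/><service name="ftp" method="table" conf="3"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="128"/><service name="http" method="table" conf="3"/></port>
<port protocol="tcp" portid="139"><state state="filtered" reason="no-response" reason_ttl="0"/><service name="netbios-ssn" method="table" conf="3"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack" reason_ttl="128"/><service name="microsoft-ds" method="table" conf="3"/></port>
</ports>
</host>
<runstats><finished time="1421515730" timestr="Sat Jan 17 11:28:50 2015" elapsed="1.92"/><hosts up="2" down="0" total="2"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(text):
    """Return one dict per host that was up: addresses, PTR name and port table."""
    root = ET.fromstring(text)
    if root.tag != "nmaprun":
        raise ValueError("root element is %r, not nmaprun" % root.tag)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # with -v Nmap also records down hosts; skip them
        ipv4 = host.find("address[@addrtype='ipv4']")
        mac = host.find("address[@addrtype='mac']")
        ptr = host.find("hostnames/hostname")
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            service = port.find("service")
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state"),
                "reason": state.get("reason"),
                "service": service.get("name") if service is not None else None,
            })
        hosts.append({
            "ip": ipv4.get("addr") if ipv4 is not None else None,
            "mac": mac.get("addr") if mac is not None else None,
            "vendor": mac.get("vendor") if mac is not None else None,
            "hostname": ptr.get("name") if ptr is not None else None,
            "ports": ports,
        })
    return hosts


def open_ports(host):
    """(port, protocol, service) triples for ports reported open, in port order."""
    return sorted((p["port"], p["proto"], p["service"])
                  for p in host["ports"] if p["state"] == "open")


def scan_summary(text):
    """Nmap version, command line and host counts from nmaprun and runstats."""
    root = ET.fromstring(text)
    counts = root.find("runstats/hosts")
    return {
        "version": root.get("version"),
        "args": root.get("args"),
        "up": int(counts.get("up")) if counts is not None else None,
        "total": int(counts.get("total")) if counts is not None else None,
    }


if __name__ == "__main__":
    for h in parse_nmap_xml(SAMPLE_XML):
        print(h["ip"], h["hostname"] or "-", open_ports(h))
```

To read a file written by -oX, replace ET.fromstring(text) with ET.parse("scan.xml").getroot(). Because the script keys on element and attribute names rather than on the text layout, it is unaffected by line wrapping, whitespace or the stylesheet line, which is the reason XML is the format to use for anything automated.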

Grepable Output

The -oG option enables grepable output.

Usage syntax: nmap -oG [scan.txt] [target]

# nmap -oG scan.txt -F -O 10.10.4.1/24

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-21 12:10 CST
[...]

Creating a grepable output file

The -oG option writes one line per host, which is easy to filter using tools like the Unix/Linux grep utility. Nmap's documentation describes the grepable format as deprecated in favor of XML, but it is still produced and remains convenient for quick filtering. The example below demonstrates using grep to search for all results matching the quoted text.

# grep "Windows Server 2003" scan.txt

Host: 10.10.4.40 () Ports: 21/open/tcp//ftp///, 25/open/tcp//smtp///, 80/open/tcp//http///, 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 143/open/tcp//imap///, 443/open/tcp//https///, 445/open/tcp//microsoft-ds///, 1025/open/tcp//NFS-or-IIS///, 1026/open/tcp//LSA-or-nterm///, 1028/open/tcp//unknown///, 3389/open/tcp//ms-wbt-server///, 7070/open/tcp//realserver/// Ignored State: closed (87) OS: Microsoft Windows Server 2003 SP1 or SP2|Microsoft Windows XP SP2 or Windows Server 2003 SP1 or SP2 Seq Index: 244 IP ID Seq: Busy server or unknown class
[...]

Using the grep utility to review an Nmap output file

In the above example, grep displays every line in the scan.txt file that contains the quoted text. This makes it simple to quickly search for specific information when analyzing results from a large scan. Keep in mind that grep performs a plain substring match: the line shown is returned even though its OS field lists two guesses, one of which is Windows XP, so check the full OS field before treating every hit as a confirmed Windows Server 2003 system.

Note: The grep pattern matching utility is available by default on Unix, Linux, and Mac OS X systems. Windows users can use the built-in findstr command for simple text matches like the one above, or download a Win32 port of the GNU grep program from gnuwin32.sourceforge.net to use with the examples discussed in this section.
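The following Python script, added here as an example and not taken from the book or from the Nmap project, parses the grepable format instead of matching substrings. Each Host: line is split on the tab characters that separate its fields, the Ports: field is split into its slash-separated subfields (port/state/protocol/owner/service/RPC info/version), and the OS: field is split on the "|" that separates alternative guesses, so questions such as "which hosts have TCP 445 open" or "which OS matches are certain rather than one of several guesses" are answered exactly. The sample .gnmap text is constructed for the example, modelled on the -F -O scan above; the hosts, ports, hostname and OS guesses are invented.

```python
import re
from collections import namedtuple

# Constructed sample of grepable output, modelled on the -F -O scan above.
# Not a real capture: the hosts, ports and OS guesses are invented for this example.
# Fields on a real Host: line are separated by tab characters.
SAMPLE_GNMAP = (
    "# Nmap 6.47 scan initiated Wed Jan 21 12:10:02 2015 as: nmap -oG scan.txt -F -O 10.10.4.1/24\n"
    "Host: 10.10.4.1 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (99)\n"
    "Host: 10.10.4.40 ()\tPorts: 21/open/tcp//ftp///, 80/open/tcp//http///, "
    "445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\t"
    "Ignored State: closed (96)\tOS: Microsoft Windows Server 2003 SP1 or SP2"
    "|Microsoft Windows XP SP2 or Windows Server 2003 SP1 or SP2\t"
    "Seq Index: 244\tIP ID Seq: Busy server or unknown class\n"
    "Host: 10.10.4.77 (fileserver.example.test)\tPorts: 139/filtered/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds///\tIgnored State: closed (98)\n"
    "# Nmap done at Wed Jan 21 12:10:40 2015 -- 256 IP addresses (3 hosts up) "
    "scanned in 38.12 seconds\n"
)

Port = namedtuple("Port", "number state proto service")

_HOST_FIELD = re.compile(r"^Host: (\S+) \(([^)]*)\)$")


def parse_gnmap(text):
    """Parse grepable output into {ip: {"hostname": ..., "os": [...], "ports": [Port, ...]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '#' header and footer lines carry no host data
        fields = line.split("\t")
        m = _HOST_FIELD.match(fields[0])
        if not m:
            continue
        ip, hostname = m.groups()  # hostname is empty when there is no PTR record
        rec = hosts.setdefault(ip, {"hostname": hostname or None, "os": None, "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Ports":
                for entry in value.split(", "):
                    # port/state/protocol/owner/service/rpc-info/version
                    parts = entry.split("/")
                    if len(parts) < 5:
                        continue
                    rec["ports"].append(Port(int(parts[0]), parts[1], parts[2], parts[4]))
            elif key == "OS":
                rec["os"] = value.split("|")  # alternative guesses are '|'-separated
    return hosts


def hosts_with_open_port(hosts, number, proto="tcp"):
    """IPs on which the given port is open (filtered and closed do not count)."""
    return sorted(
        ip for ip, rec in hosts.items()
        if any(p.number == number and p.proto == proto and p.state == "open"
               for p in rec["ports"])
    )


def hosts_matching_os(hosts, needle):
    """Split hosts into (every OS guess mentions needle, only some guesses mention needle)."""
    certain, possible = [], []
    for ip, rec in sorted(hosts.items()):
        guesses = rec["os"] or []
        hits = [g for g in guesses if needle in g]
        if hits and len(hits) == len(guesses):
            certain.append(ip)
        elif hits:
            possible.append(ip)
    return certain, possible


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    print("SMB hosts:", hosts_with_open_port(parsed, 445))
    print("Windows XP:", hosts_matching_os(parsed, "Windows XP"))
```

To run it against a real file, pass the contents of scan.txt (or of the .gnmap file produced by -oA) to parse_gnmap. Splitting on tabs matters: the fields themselves contain spaces, so whitespace-based tools such as awk with its default separator will split the OS guess into words.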

Output All Supported File Types

The -oA parameter saves the output of a scan in text (.nmap), grepable (.gnmap), and XML (.xml) formats at once. Its argument is a base name rather than a file name: Nmap appends the three extensions itself, and the base name may include a directory path.

Usage syntax: nmap -oA [filename] [target]

$ nmap -oA scans 10.10.3.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 11:41 CST

Nmap scan report for 10.10.3.1

Host is up (0.20s latency).

Not shown: 997 closed ports

PORT STATE SERVICE

22/tcp open ssh

80/tcp open http

443/tcp open https

Nmap done: 1 IP address (1 host up) scanned in 3.72 seconds

Creating output files for all available formats

The resulting scan’s output files are created with their respective extensions as displayed below.

$ ls -l scans.*

-rw-r--r-- 1 root root 323 Jan 17 11:41 scans.gnmap

-rw-r--r-- 1 root root 340 Jan 17 11:41 scans.nmap

-rw-r--r-- 1 root root 5295 Jan 17 11:41 scans.xml

Directory listing of the resulting output files

Nmap output files:

scans.gnmap - Grepable output

scans.nmap - Plain text output

scans.xml - XML output

133t Output

The -oS option enables “script kiddie” output.

Usage syntax: nmap -oS [scan.txt] [target]

$ nmap -oS scan.txt 10.10.3.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 11:45 CST

Nmap scan report for 10.10.3.1

Host is up (0.15s latency).

Not shown: 997 closed ports

PORT STATE SERVICE

22/tcp open ssh

80/tcp open http

443/tcp open https

Nmap done: 1 IP address (1 host up) scanned in 4.17 seconds

Creating a “133t” output file

Script kiddie or “leet” speak output is a cryptic style of typing, popular on message boards and chat sites, in which letters are swapped for look-alike digits and symbols. This option is included as a joke and isn’t useful for anything other than a good laugh and proving that the Nmap developers have a good sense of humor; since the substitutions are applied at random (note the three different spellings of Nmap below), the output is not even suitable for grep or ndiff. The results of the -oS option are saved in the scan.txt file displayed below.

$ cat scan.txt

Start|Ng NmaP 6.47 ( hTtp://nmAp.org ) at 2015-01-17 11:45 c$T

nmap scan r3port f0R 10.10.3.1

H0$t is uP (0.15s lateNcy).

Not sh0wn: 997 Clo$ed port$

PORT $T4TE $3RVIc3

22/tcp 0pen $$h

80/tcp oPeN http

443/tcP 0PeN HtTPz

Nmap don3: 1 1P addr3Sz (1 h0st up) scANn3d in 4.17 Sec0ndz

Nmap script kiddie output