Ndiff - Nmap 6 Cookbook: The Fat Free Guide to Network Security Scanning (2015)

Section 13: Ndiff

Overview

Ndiff is a tool within the Nmap suite that allows you to compare two scans and flag any changes between them. It accepts two Nmap XML output files and highlights the differences between each file for easy comparison. Ndiff can be used on the command line or in GUI form within the Zenmap application.

Summary of features covered in this section:

ndiff      Comparison Using Ndiff
-v         Ndiff Verbose Mode
--xml      XML Output Mode

Scan Comparison Using Ndiff

The ndiff utility is used to perform a comparison of two Nmap scans.

Usage syntax: ndiff [file1.xml file2.xml]

$ ndiff scan1.xml scan2.xml
-Nmap 6.47 scan initiated Sat Jan 17 12:52:38 2015 as: nmap -oX scan1.xml 10.10.4.25
+Nmap 6.47 scan initiated Sat Jan 17 12:52:53 2015 as: nmap -oX scan2.xml 10.10.4.25

10.10.4.25:
-Not shown: 998 closed ports
+Not shown: 999 closed ports
PORT STATE SERVICE VERSION
-25/tcp open smtp

Comparison of two Nmap scans

Basic usage of the Ndiff utility consists of comparing two Nmap XML output files. Lines that differ are marked with a minus sign for information found only in the first file and a plus sign for information found only in the second file; lines that are identical in both files carry no marker. In the above example, port 25 was reported open in the first scan but is no longer reported open in the second (the count of closed ports rose from 998 to 999), so its state has changed between the two scans.
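When the comparison runs on a schedule (a nightly scan diffed against a baseline), the interesting lines are the marked port lines, and pulling them out programmatically is more reliable than reading them by eye. The following Python is an added example, not code from the Cookbook or from the Nmap project: it parses the +/- text format shown above, using a constructed sample modelled on this section's output (one port gone, one port new), and lists the ports that are newly open in the second scan, which is the change a defender most wants flagged. The host-line and port-line patterns are assumptions about the output layout, derived from the listings on this page.

```python
import re
from typing import List, Tuple

# Constructed sample modelled on the `ndiff -v` output shown in this section
# (not real scan data): port 25 disappeared and port 8080 appeared between
# the two scans. Unchanged lines carry ndiff's leading space.
SAMPLE_NDIFF_TEXT = """\
-Nmap 6.47 scan initiated Sat Jan 17 12:52:38 2015 as: nmap -oX scan1.xml 10.10.4.25
+Nmap 6.47 scan initiated Sat Jan 17 12:52:53 2015 as: nmap -oX scan2.xml 10.10.4.25

 10.10.4.25:
 Host is up.
 Not shown: 998 closed ports
 PORT     STATE SERVICE VERSION
 22/tcp   open  ssh
-25/tcp   open  smtp
+8080/tcp open  http-proxy
"""

# "10.10.4.25:" or "name (10.10.4.25):" introduces a host block (assumed layout).
HOST_RE = re.compile(r"^(\S+)(?: \(([^)]*)\))?:$")
# "25/tcp   open  smtp  [version ...]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s*(\S*)")


def parse_ndiff_text(text: str) -> List[dict]:
    """One record per port line, tagged with its host and the diff marker:
    '-' (first scan only), '+' (second scan only) or ' ' (present in both)."""
    records = []
    host = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        marker, body = raw[0], raw[1:]
        if marker not in "+- ":
            # tolerate output whose leading space was stripped (pasted text)
            marker, body = " ", raw
        body = body.strip()
        m = HOST_RE.match(body)
        if m:
            host = m.group(1)
            continue
        m = PORT_RE.match(body)
        if m and host is not None:
            records.append({
                "host": host, "port": int(m.group(1)), "proto": m.group(2),
                "state": m.group(3), "service": m.group(4), "marker": marker,
            })
    return records


def newly_open_ports(text: str) -> List[Tuple[str, int, str, str]]:
    """Ports open in the second scan that were not open in the first:
    the lines worth alerting on from a scheduled baseline comparison."""
    return [(r["host"], r["port"], r["proto"], r["service"])
            for r in parse_ndiff_text(text)
            if r["marker"] == "+" and r["state"] == "open"]


def no_longer_open_ports(text: str) -> List[Tuple[str, int, str]]:
    """Ports open in the first scan that are not reported open in the second."""
    return [(r["host"], r["port"], r["proto"])
            for r in parse_ndiff_text(text)
            if r["marker"] == "-" and r["state"] == "open"]


if __name__ == "__main__":
    for entry in newly_open_ports(SAMPLE_NDIFF_TEXT):
        print("NEW OPEN PORT:  %s %d/%s (%s)" % entry)
    for entry in no_longer_open_ports(SAMPLE_NDIFF_TEXT):
        print("NO LONGER OPEN: %s %d/%s" % entry)
```

In a real job the text would come from `ndiff baseline.xml today.xml` rather than the embedded sample; ndiff exits with status 0 when the two scans match and 1 when they differ, so a wrapper script can skip the parse entirely on a clean run.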

Ndiff Verbose Mode

The -v option is used to display verbose output with Ndiff.

Usage syntax: ndiff -v [file1.xml file2.xml]

$ ndiff -v scan1.xml scan2.xml
-Nmap 6.47 scan initiated Sat Jan 17 12:52:38 2015 as: nmap -oX scan1.xml 10.10.4.25
+Nmap 6.47 scan initiated Sat Jan 17 12:52:53 2015 as: nmap -oX scan2.xml 10.10.4.25

10.10.4.25:
Host is up.
-Not shown: 998 closed ports
+Not shown: 999 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh
-25/tcp open smtp

Output of a Ndiff scan in verbose mode

The verbose output displays all lines of both XML files, marking the differences with a minus sign for information in the first file and a plus sign for changes in the second file. This is in contrast to the default ndiff behavior, which displays only the lines that differ. Verbose output is often more helpful than the default output because it shows the full context (for example, that port 22 remained open in both scans) regardless of whether or not there are differences.

XML Output Mode

The --xml option is used to generate XML output with Ndiff.

Usage syntax: ndiff --xml [file1.xml] [file2.xml]

$ ndiff --xml scan1.xml scan2.xml | more
<?xml version="1.0" encoding="utf-8"?>
<nmapdiff version="1"><scandiff><a><nmaprun args="nmap -oX scan1.xml 10.10.4.25" scanner="nmap" start="1421520758" startstr="Sat Jan 17 12:52:38 2015" version="6.47"/>
</a><b><nmaprun args="nmap -oX scan2.xml 10.10.4.25" scanner="nmap" start="1421520773" startstr="Sat Jan 17 12:52:53 2015" version="6.47"/>
</b><hostdiff>
<host>
<address addr="10.10.4.25" addrtype="ipv4"/>
<ports>
<a>
<extraports count="998" state="closed"/>
</a>
<b>
<extraports count="999" state="closed"/>
</b>
<portdiff>
<a>
<port portid="25" protocol="tcp">
<state state="open"/>
<service name="smtp"/>
</port>
</a>
[...]

Ndiff XML output

XML output is a great tool for feeding information from Ndiff into a third party program using a widely supported format.

Tip: The default --xml output displays the XML code on the screen. To save this information to a file, type ndiff --xml scan1.xml scan2.xml >ndiff.xml, which redirects the output to a file called ndiff.xml.
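The XML mode is the one to use when the comparison feeds a ticketing system, SIEM or inventory database rather than a terminal. The following Python is an added example, not code from the Cookbook or from the Nmap project. It parses a constructed nmapdiff document modelled on the listing above, completed to a well-formed file and extended with a second host so that a newly opened port, a closed port and a service-version change are all present (the `<b>` side of the port 25 diff, the second host, and the `product`/`version` attributes on `<service>` are assumptions following the same element pattern). It pairs each `<portdiff>`'s `<a>` (first scan) and `<b>` (second scan) sides and labels every change from a defender's point of view.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Constructed nmapdiff document modelled on the `ndiff --xml` listing in this
# section and completed to a well-formed file (not real scan data). Host
# 10.10.4.25 lost port 25; host 10.10.4.26 gained port 8080 and its ssh
# service version changed. Second host and <b> sides are assumed layout.
SAMPLE_NMAPDIFF_XML = """<?xml version="1.0" encoding="utf-8"?>
<nmapdiff version="1"><scandiff>
<a><nmaprun args="nmap -sV -oX scan1.xml 10.10.4.0/24" scanner="nmap" start="1421520758" startstr="Sat Jan 17 12:52:38 2015" version="6.47"/></a>
<b><nmaprun args="nmap -sV -oX scan2.xml 10.10.4.0/24" scanner="nmap" start="1421520773" startstr="Sat Jan 17 12:52:53 2015" version="6.47"/></b>
<hostdiff>
<host>
<address addr="10.10.4.25" addrtype="ipv4"/>
<ports>
<a><extraports count="998" state="closed"/></a>
<b><extraports count="999" state="closed"/></b>
<portdiff>
<a><port portid="25" protocol="tcp"><state state="open"/><service name="smtp"/></port></a>
<b><port portid="25" protocol="tcp"><state state="closed"/></port></b>
</portdiff>
</ports>
</host>
<host>
<address addr="10.10.4.26" addrtype="ipv4"/>
<ports>
<portdiff>
<a><port portid="22" protocol="tcp"><state state="open"/><service name="ssh" product="OpenSSH" version="5.3"/></port></a>
<b><port portid="22" protocol="tcp"><state state="open"/><service name="ssh" product="OpenSSH" version="6.6"/></port></b>
</portdiff>
<portdiff>
<b><port portid="8080" protocol="tcp"><state state="open"/><service name="http-proxy"/></port></b>
</portdiff>
</ports>
</host>
</hostdiff>
</scandiff></nmapdiff>
"""


def _port_view(port: Optional[ET.Element]) -> Optional[Dict[str, Optional[str]]]:
    """Flatten one <port> element (one side of a <portdiff>); None means the
    port was not listed on that side of the diff."""
    if port is None:
        return None
    state = port.find("state")
    service = port.find("service")
    return {
        "state": state.get("state") if state is not None else None,
        "service": service.get("name") if service is not None else None,
        "product": service.get("product") if service is not None else None,
        "version": service.get("version") if service is not None else None,
    }


def parse_nmapdiff(xml_text: str) -> List[dict]:
    """One record per <portdiff>: host, port, protocol, and the first-scan
    ('before', from <a>) and second-scan ('after', from <b>) views."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    changes = []
    for host in root.iter("host"):
        address = host.find("address")
        addr = address.get("addr") if address is not None else "?"
        for pd in host.iter("portdiff"):
            a_port = pd.find("a/port")
            b_port = pd.find("b/port")
            ref = a_port if a_port is not None else b_port
            if ref is None:
                continue
            changes.append({
                "host": addr,
                "port": int(ref.get("portid")),
                "proto": ref.get("protocol"),
                "before": _port_view(a_port),
                "after": _port_view(b_port),
            })
    return changes


def classify(change: dict) -> str:
    """Label a change from a defender's point of view: a port that became
    open since the baseline is the event most worth an alert."""
    before, after = change["before"], change["after"]
    was_open = before is not None and before["state"] == "open"
    is_open = after is not None and after["state"] == "open"
    if is_open and not was_open:
        return "NEW_OPEN"
    if was_open and not is_open:
        return "CLOSED"
    if was_open and is_open:
        return "SERVICE_CHANGED"
    return "OTHER"


def change_report(xml_text: str) -> List[Tuple[str, int, str, str]]:
    return [(c["host"], c["port"], c["proto"], classify(c))
            for c in parse_nmapdiff(xml_text)]


if __name__ == "__main__":
    for host, port, proto, label in change_report(SAMPLE_NMAPDIFF_XML):
        print("%-16s %5d/%-4s %s" % (host, port, proto, label))
```

Feed it the ndiff.xml saved with the redirect from the tip above instead of the embedded sample; the `<a>`/`<b>` pairing is the same whether a port appears on both sides (state or service changed) or on only one (port listed in just one scan), which is why the parser keeps a `None` view for the missing side rather than dropping the record.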