thebottle Blog

April 26, 2009

Nmap Scanning Routine

Filed under: Computers — Tony @ 9:01 am

[Screenshot: Scan Folder]

I am always looking for open smtp, ssh, or sip servers. This is the routine that I have set up to scan for these open hosts. In order to set this up for yourself you will need to have Nmap and AutoIt installed. If you are using the non-install version of Nmap then you will need to add the Nmap directory to PATH. You can either do that in the .bat file that I use or by right-clicking My Computer and selecting properties. Go to the advanced tab and click the environmental variables button. Add the Nmap directory to PATH.

Here is my .bat file to run the scan.

@echo off
title nmap scan
nmap -iL hosts.txt -sS -sV --version-all -vv --open -p 80,5060 -oX results.xml --stylesheet http://www.insecure.org/nmap/data/nmap.xsl
start results.xml

The first two lines just make the command prompt look pretty by suppressing command echo and giving the window a title. The third line actually runs the scan: it reads the target IP addresses from hosts.txt (-iL), uses the TCP SYN technique (-sS), probes each open port for service and version information (-sV --version-all), turns on verbose mode (-vv), shows only open ports (--open), and scans ports 25 (smtp), 80 (http), and 5060 (sip). Note that the -p list in the command as shown is 80,5060, so port 25 has to be added to it for the smtp check. It writes the results to results.xml (-oX) and references the stylesheet from the nmap website so that the xml file is readable in a browser. The last line just opens the xml file.
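Once results.xml exists, the quickest way to work through a batch of results is to parse the XML directly rather than reading the stylesheet view. The following Python script is an added example, not code from this post; it pulls the open ports and detected services out of Nmap's -oX output, using a constructed sample in place of a real results.xml.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the shape Nmap writes with -oX (not from a real scan).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -iL hosts.txt -sS -sV --open -p 80,5060 -oX results.xml">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.3"/></port>
      <port protocol="tcp" portid="5060"><state state="filtered"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="5060"><state state="open"/>
        <service name="sip" product="Asterisk PBX"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/></port>
    </ports>
  </host>
</nmaprun>
"""

def open_ports(xml_text):
    """Return (addr, proto, port, service, product) tuples for every port
    whose state is exactly "open"; filtered/closed ports are skipped."""
    found = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue  # host with no IPv4 address: nothing to report
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            # Join product and version when present, e.g. "Apache httpd 2.2.3".
            product = " ".join(v for v in (svc.get("product"), svc.get("version")) if v) if svc is not None else ""
            found.append((addr_el.get("addr"), port.get("protocol"), int(port.get("portid")), name, product))
    return found

def service_counts(xml_text):
    """Number of open ports per service name, e.g. {"http": 1, "sip": 1}."""
    return Counter(name for _, _, _, name, _ in open_ports(xml_text))

if __name__ == "__main__":
    for row in open_ports(SAMPLE_XML):
        print("%s %s/%d %s %s" % row)
```

To use it on the real file, replace SAMPLE_XML with the contents of results.xml (for example open("results.xml").read()).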

If you don't add the Nmap directory to the environment variables, add this line to the .bat file before the nmap command, replacing C:\program files\nmap with your Nmap directory.

set path=%path%;C:\program files\nmap

How do I populate the hosts.txt file? I like to get a bunch of random hosts, and the best way that I have found to do that is through P2P networks. In uTorrent I just go to the Peers tab, right-click, and choose Copy Peer List.

[Screenshot: Copy Peer List]

This is going to give you a nice random selection of potentially open/vulnerable hosts. I then paste this list into the hosts.txt file. The only problem is that the peer list also has the port number at the end of each IP address, in this fashion: 192.168.1.1:5454. Nmap only wants the IP address, so we have to get rid of the port number. To do this I set up an AutoIt script.

; Ask for the name of the pasted peer list file, e.g. peers.txt
$input = InputBox("Remove Ports", "Filename:")

If $input = "" Then Exit

$open = FileOpen($input, 0)               ; mode 0 = read
If $open = -1 Then Exit                   ; FileOpen returns -1 if the file can't be opened
$write = FileOpen("peers -ports.txt", 2)  ; mode 2 = write, erases any previous contents

While 1
	$line = FileReadLine($open)
	If @error = -1 Then ExitLoop          ; @error = -1 means end of file
	$array = StringSplit($line, ":")      ; $array[1] is everything before the first ":"
	FileWriteLine($write, $array[1])      ; write only the IP address
WEnd

FileClose($open)
FileClose($write)
FileDelete("hosts.txt")
FileCopy("peers -ports.txt", "hosts.txt")
FileDelete("peers -ports.txt")
MsgBox(1, "", "Done.")

If your host file name doesn't change then it would be faster to hard-code that filename in $input instead of using an input box. Note: On Windows Vista the above script wouldn't work unless I changed the double quotes to single quotes.


© 2006-2010 by thebottle