Creating a system inventory is a common task for system and network administrators. Information security specialists often need inventories as well. Even in shops that have inventory tools, a method is often needed to validate the inventory and identify systems that the tool may not be aware of.
The open source security audit tool nmap has all the necessary features needed to run ad-hoc or automated inventory processes. However, it is not obvious which parameters and output format are ideal to quickly create an inventory of your environment in a useable format.
Generating usable nmap results
To create a usable inventory, the format of the generated data is crucial. If a report is being shared, a portable format is likely needed. Comma-separated values (CSV) are ideal, as this format can be loaded easily into spreadsheet and database programs. If the report is not shared, then a format that stands on its own must be included with the output. This article will provide example of the CSV generation.
The inventory created by nmap and other network polling tools is a network-based inventory. The inventory created provides information that is critical to system, application and protocol management, such as a system's IP address, its operating system and the applications that it is running on network ports. The inventory will not include information such as how much memory the system has, how many processors there are, etc. This type of hardware inventory requires either an SNMP agent on the system or some other program or script running on the system to determine the hardware in the system.
Creating systems reports
A systems report can be quickly generated by nmap. Simply by scanning a network, an immediate list of systems and their protocols can be seen by using operating system identification (-O) and possibly verbose output (-v) against the complete network (/24):
nmap -O -v 192.168.1.0/24
However, the format is unruly, as pages and pages of output are generated. What is needed is a very clean output that can be easily loaded into a spreadsheet.
Nmap supports the output parameter (-o) to influence how it should write data to standard out. By using it combined with G (-oG), nmap will create output that grep can work easily with, which makes our inventory creation much easier.
Using operating system identification and the “grepable” output formatting, the following command can be used to run the raw reports and output the report to report.txt:
nmap -O -oG report.txt 192.168.1.0/24
This report, however, is still difficult to read and is not easily readable by a spreadsheet program or database, and includes the IP addresses that are not assigned to a system, since it scans the complete network:
cat report.txt
# nmap 5.21 scan initiated Thu Sep 30 08:28:31 2010 as: nmap -O -oG report.txt 192.168.1.0/24
Host: 192.168.1.0 () Status: Down
Host: 192.168.1.3 () Status: Down
Host: 192.168.1.4 () Status: Down
Host: 192.168.1.5 () Status: Down
Host: 192.168.1.1 (router.domain.com) Status: Up
Host: 192.168.1.1 (router.domain.com) Ports: 80/open/tcp//http///, 443/open/tcp//https///, 4567/open/tcp//unknown///, 8080/open/tcp//http-proxy///, 8443/open/tcp//https-alt/// Ignored State:closed (995) OS: Linux 2.4.18 - 2.4.35 (likely embedded) Seq Index: 205 IP ID Seq: All zeros
…
To create a system report that includes IP address, hostname and operating system, we need to focus on the lines containing the information. The easiest way to identify these lines is to search for OS:
grep "OS:" report.txt
Host: 192.168.1.1 (router.domain.com) Ports: 80/open/tcp//http///, 443/open/tcp//https///, 4567/open/tcp//unknown///, 8080/open/tcp//http-proxy///, 8443/open/tcp//https-alt/// Ignored State: closed (995) OS: Linux 2.4.18 - 2.4.35 (likely embedded) Seq Index: 205 IP ID Seq: All zeros
…
We now have the information necessary to create the report. However, a lot of information exists in the entry (such as open ports, sequences, etc.) that is not needed and should be dropped during the report generation. Let's remove Host:, Ports:, and all the ports included; OS:, everything starting with Seq up to the end of the line; and, finally, the first set of parenthesis around the host name:
grep "OS:" report.txt | sed 's/Host: //' | sed 's/Ports.*OS://' | sed 's/Seq.*$//' | sed 's/(//' | sed 's/)//'
The ouput of this command is in this format:
192.168.1.1 router.domain.com Linux 2.4.18 - 2.4.35 (likely embedded)
Now the IP address, hostname and operating system are easily identifiable, and it's a matter of piping that output to awk to add quotes and commas for the CSV. Basically, quotes are added around the IP address, the host name and all the words that make up the operating system identification tag:
grep "OS:" report.txt | sed 's/Host: //' | sed 's/Ports.*OS://' | sed 's/Seq.*$//' | sed 's/(//' | sed 's/)//' | awk '{print "\"" $1 "\",\""$2"\"," $3 " " $4 " " $5 " " $6 " " $7 " " $8 " " $9 " " $10 " " $11 " " $12 " " $13 " " $14 "\""}' >report.csv
Looking at the newly created report.csv file, the output is now in CSV format and can easily be loaded into a spreadsheet:
cat report.csv
"192.168.1.1","router.domain.com","Linux 2.4.18 - 2.4.35 (likely embedded) "
"192.168.1.2","freddy","Linux 2.4.35"
"192.168.1.6","computer.home","Linux 2.4.21 (embedded)|MontaVista embedded Linux 2.4.17 "
"192.168.1.7","IMAC.home","Apple Mac OS X 10.5 - 10.6.1 (Leopard - Snow Leopard) (Darwin"
"192.168.1.8","new-host-3.home","Apple iPhone mobile phone (iPhone OS 3.0 - 3.2, Darwin 10.0.0d3) "
"192.168.1.11","new-host-5.home","Apple Mac OS X 10.5 - 10.6 (Leopard - Snow Leopard)"
"192.168.1.15","AppleTV.home","Apple Mac OS X 10.4.8 - 10.4.11 (Tiger) (Darwin 8.8.0 – 8.11.1)"
Conclusion
Using the output of nmap, combined with the power of grep, sed, and awk, a complete network inventory can be generated in a matter of seconds on a small environment, and in a matter of minutes even in a very large environment.
These same tools can be used by the information security specialist seeking to identify changes such as additions and removal of systems within the environment.
Monday, October 25, 2010
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment