Perform Nmap Scans and Save Results in Different Formats

Introduction

In this lab, you will learn how to use Nmap, a powerful network scanning tool, for basic network reconnaissance. Nmap is a key tool for security professionals, helping to discover hosts, services, and potential vulnerabilities on a network.

Understanding how to save Nmap scan results in different formats is crucial for security assessment and reporting. By mastering this skill, you can document findings, share results with team members, import data into other tools, and create comprehensive security reports. This beginner-friendly lab will guide you through basic Nmap scans and saving results in various formats, equipping you with essential network security assessment skills.

Performing Your First Nmap Scan and Saving the Output

In this step, we're going to learn how to perform a basic Nmap scan and save the results to a text file. Documenting network reconnaissance activities is crucial as it helps you keep track of what you've discovered and can be used for future reference or reporting. So, mastering this skill is essential for anyone interested in network security.

Understanding Nmap Basics

Nmap, short for Network Mapper, is a powerful and widely - used free and open - source utility. Its main purpose is network discovery and security auditing. It works by sending raw IP packets to the target network or host. Based on the responses it receives, Nmap can figure out a lot of information. It can tell you which hosts are available on the network, what services those hosts are offering (like web servers, email servers, etc.), what operating systems they are running, and many other important characteristics. This information is invaluable when you're trying to understand the security posture of a network.

Creating a Directory for Scan Results

First, open a terminal window. By default, the terminal should already be in the /home/labex/project directory. We need a dedicated place to store all the results of our Nmap scans. This makes it easier to organize and manage the data. So, let's create a directory for this purpose using the following command:

mkdir -p /home/labex/project/scans

The -p flag in the mkdir command is very useful. It ensures that the directory is created even if the parent directories don't exist. In our case, the parent directory already exists, but it's a good practice to use this flag in case you want to create a more complex directory structure in the future. If the command executes successfully, you won't see any output. That's normal, and it means the directory has been created.

Running a Basic Nmap Scan

For the sake of demonstration, we'll scan the localhost, which is your own machine, on port 9999. In a real - world situation, you would need proper authorization to scan actual network hosts. Scanning without permission is unethical and may even be illegal.

Now, let's run a basic Nmap scan and save the output to a text file. Execute the following command:

nmap -p 9999 localhost -oN /home/labex/project/scans/initial_scan.txt

Let's break down this command to understand what each part does:

nmap: This is the command to start the Nmap tool. It tells the system that we want to use Nmap for our network scan.
-p 9999: The -p option is used to specify the port we want to scan. In this case, we're scanning port 9999.
localhost: This is the target of our scan. Since we're using localhost, we're scanning our own machine.
-oN /home/labex/project/scans/initial_scan.txt: The -oN option is used to save the output in "normal" format. The path /home/labex/project/scans/initial_scan.txt specifies where the output file will be saved.

After running the command, you should see output similar to this:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-30 12:00 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000097s latency).

PORT     STATE  SERVICE
9999/tcp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds

Viewing the Saved Scan Results

Now that we've run the scan and saved the results to a file, let's check if the results were properly recorded. We can do this by viewing the content of the saved file using the cat command:

cat /home/labex/project/scans/initial_scan.txt

The output you see should be similar to what was displayed in the terminal when you ran the scan. This file now serves as a record of your network reconnaissance activities. You can refer back to it whenever you need to review the information.

Understanding the Scan Results

The scan results contain several important pieces of information:

When the scan was performed: This helps you keep track of the timeline of your network reconnaissance.
The target that was scanned: In our case, it was localhost.
The state of the host: It tells you whether the host is up (reachable) or down (unreachable).
The state of the specified port: It can be open, closed, or filtered. An open port means a service is listening on that port, a closed port means no service is listening, and a filtered port means the port is being blocked by a firewall or other security device.
The service typically associated with that port: For example, port 80 is usually associated with HTTP services.
Statistics about the scan duration: This gives you an idea of how long the scan took.

Now that you've successfully performed your first Nmap scan and saved the results to a file for documentation purposes, in the next step, we'll explore different output formats that Nmap supports.

Saving Nmap Results in XML Format

In this step, we're going to learn how to save the results of an Nmap scan in XML format. XML, or Extensible Markup Language, is a structured data format. It's like a well - organized filing cabinet where each piece of information has its own labeled drawer. This structure makes it easy for other security tools and scripts to process the data. In the world of cybersecurity, where automation is key, having data in a format that can be easily integrated into automated workflows is extremely valuable.

Understanding Different Output Formats

Nmap, a powerful network scanning tool, supports several output formats. Each format has its own unique characteristics and use cases.

Normal Output (-oN): This is a human - readable format. In the previous step, we used this format to view the scan results in a way that's easy for us to understand. It presents the information in a straightforward text - based manner.
XML Output (-oX): As mentioned earlier, XML is a structured format. It arranges data in a hierarchical way using tags and elements. This makes it ideal for other programs to parse and extract specific information.
Grepable Output (-oG): This format is designed to be easily processed by command - line tools like grep. If you want to quickly search for specific patterns in the scan results, the grepable output is very useful.
Script Kiddie Output (-oS): This is a format that's more "script kiddie" friendly. However, it's rarely used in professional security assessments.

In professional security assessments, the XML format is frequently used. The reason is that it can be imported into other security tools for further analysis. For example, you can take the XML output from an Nmap scan and use it in a vulnerability management system to get a more in - depth view of the network's security status.

Running an Nmap Scan with XML Output

Now, let's run another scan on the localhost port 9999. But this time, we'll save the output in XML format. Here's the command:

nmap -p 9999 localhost -oX /home/labex/project/scans/advanced_scan.xml

Let's break down this command to understand what each part does:

nmap: This is the command to run the Nmap tool. It's the starting point for all our network scanning operations.
-p 9999: The -p option is used to specify the port we want to scan. In this case, we're scanning port 9999.
localhost: This is the target we're scanning. localhost refers to your local machine. So, we're scanning our own machine's port 9999.
-oX /home/labex/project/scans/advanced_scan.xml: The -oX option tells Nmap to save the output in XML format. The path /home/labex/project/scans/advanced_scan.xml specifies where the XML file will be saved.

When you run this command, you should see similar output to what you saw in Step 1. But now, the results are also saved in XML format in the specified file.

Viewing the XML Output

Let's take a look at the content of the XML file we just created. We can use the cat command to display the contents of the file:

cat /home/labex/project/scans/advanced_scan.xml

The output will be in XML format. It looks quite different from the normal output. XML uses tags and elements to structure the data. This structure makes it easy for computers to parse the information. Here's a simplified example of what you might see:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<nmaprun scanner="nmap" args="nmap -p 9999 localhost -oX /home/labex/project/scans/advanced_scan.xml" start="1635598800" startstr="Sat Oct 30 12:00:00 2023" version="7.80" xmloutputversion="1.04">
<scaninfo type="syn" protocol="tcp" numservices="1" services="9999"/>
<verbose level="0"/>
<debugging level="0"/>
<host starttime="1635598800" endtime="1635598800">
<status state="up" reason="localhost-response" reason_ttl="0"/>
<address addr="127.0.0.1" addrtype="ipv4"/>
<hostnames>
<hostname name="localhost" type="user"/>
<hostname name="localhost" type="PTR"/>
</hostnames>
<ports>
<port protocol="tcp" portid="9999">
<state state="closed" reason="conn-refused" reason_ttl="0"/>
<service name="unknown" method="table" conf="3"/>
</port>
</ports>
<times srtt="97" rttvar="5000" to="100000"/>
</host>
<runstats>
<finished time="1635598800" timestr="Sat Oct 30 12:00:00 2023" elapsed="0.07" summary="Nmap done at Sat Oct 30 12:00:00 2023; 1 IP address (1 host up) scanned in 0.07 seconds" exit="success"/>
<hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>

Advantages of XML Output

The XML format offers several advantages:

Structured Data: Information in XML is organized in a hierarchical structure. Each element has a clear relationship with other elements, making it easy to understand the data's organization.
Machine - Readable: Other programs and scripts can easily parse XML data. This allows for seamless integration with different tools in your security workflow.
Integration: XML output can be imported into other security tools like Metasploit, OpenVAS, or custom security dashboards. This enables you to combine the results of your Nmap scan with other security analysis tools.
Data Transformation: You can convert XML data to other formats like HTML or PDF. This is useful for creating reports that are easy to share and present.
Data Extraction: Using XML parsing tools, you can extract specific information from the XML file. For example, you can extract all the open ports or the details of a particular host.

Practical Applications

In a real - world security assessment, saving scan results in XML format can be very useful. Here are some practical applications:

Import into vulnerability management systems: You can import the XML output into a vulnerability management system to get a comprehensive view of the network's security vulnerabilities.
Create custom reports using XSLT transformations: XSLT (Extensible Stylesheet Language Transformations) can be used to transform the XML data into custom reports. This allows you to present the information in a way that's most relevant to your needs.
Process with automated scripts to extract specific information: You can write automated scripts to parse the XML file and extract specific information, such as all the hosts with open ports on a particular service.
Share structured data with team members or clients: XML data can be easily shared with others. Team members or clients can use the structured data for their own analysis.
Maintain a database of network reconnaissance data: You can store the XML files in a database to keep a record of your network reconnaissance activities over time.

By learning to save Nmap output in different formats, you've taken an important step in building your network security skills. These formats allow you to document your findings effectively and integrate with other security tools in your workflow.

Summary

In this lab, you have learned essential skills for network reconnaissance documentation using Nmap. You successfully performed basic Nmap scans on specific ports of the localhost, and saved the scan results in both normal text and XML formats. The text format is easy for human readability, while the XML format facilitates integration with other security tools and automated processing.

These skills are crucial for security professionals to document findings, create reports, and share results. Saving scan results in different formats allows for efficient management of network reconnaissance data and seamless integration into security workflows. As you progress in cybersecurity, proper documentation of security tests will prove to be as important as the tests themselves. The flexibility to save Nmap outputs in various formats enables you to choose the most suitable format for different scenarios.