Automate Scans with Nmap


Introduction

In this lab, you will learn how to automate Nmap scans using shell scripting and cron scheduling. The lab starts by creating a simple shell script, scan.sh, containing an Nmap SYN scan command targeting 192.168.1.1. You'll then make the script executable using chmod +x scan.sh and run it from the terminal.

The lab continues by expanding the script to include multiple scans using a text editor. Finally, you'll schedule the script to run automatically using cron, configuring it with crontab -e, and verify the automated execution in the Xfce terminal.



Create scan script with echo "nmap -sS 192.168.1.1" > scan.sh

In this step, we will create a simple shell script that executes an Nmap scan. This script will serve as the foundation for automating more complex scans later on. We'll use the echo command to write the Nmap command into a file named scan.sh.

First, let's understand what echo does. The echo command simply prints its arguments to the standard output. We can redirect this output to a file using the > operator.

The Nmap command we'll use is nmap -sS 192.168.1.1. Let's break it down:

  • nmap: This is the command to run the Nmap scanner.
  • -sS: This option specifies a SYN scan, which is a stealthy way to scan ports. It's also known as a "half-open" scan because it doesn't complete the TCP handshake.
  • 192.168.1.1: This is the target IP address we want to scan. This is a common private IP address, but you might need to adjust it based on your network configuration.

Now, let's create the script. Open your terminal in the ~/project directory (if you are not already there) and execute the following command:

echo "nmap -sS 192.168.1.1" > scan.sh

This command will create a file named scan.sh in your ~/project directory and write the Nmap command into it.

To verify that the file was created correctly, you can use the cat command to display its contents:

cat scan.sh

You should see the following output:

nmap -sS 192.168.1.1

This confirms that the script has been created with the correct Nmap command.

Make script executable with chmod +x scan.sh

In this step, we will make the scan.sh script executable. By default, newly created files in Linux do not have execute permissions. We need to explicitly grant this permission to allow us to run the script.

The chmod command is used to change the permissions of a file or directory. The +x option adds execute permission to the specified file.

In your terminal, navigate to the ~/project directory (if you are not already there) and execute the following command:

chmod +x scan.sh

This command will add execute permission to the scan.sh file.

To verify that the script is now executable, you can use the ls -l command to list the file's permissions.

ls -l scan.sh

You should see output similar to this:

-rwxr-xr-x 1 labex labex 25 Oct 26 10:00 scan.sh

The x in the -rwxr-xr-x string indicates that the file is now executable. Specifically, the first rwx refers to the owner's permissions (read, write, execute), the second r-x refers to the group's permissions, and the third r-x refers to the permissions for others.

Now that the script is executable, we can run it in the next step.

Run script with ./scan.sh

In this step, we will execute the scan.sh script we created and made executable in the previous steps.

To run the script, we use the ./ prefix. This tells the shell to execute the script located in the current directory.

In your terminal, ensure you are in the ~/project directory and execute the following command:

./scan.sh

You should see Nmap output in your terminal. The output will vary depending on whether the target host (192.168.1.1) is reachable and what services are running on it. If the target is unreachable, you might see a message like "Host seems down." If the target is reachable, you'll see a list of open ports and other information about the target.

Important Note: The 192.168.1.1 IP address is a common default gateway address. If this is not the correct address for a device on your network, the scan may not produce useful results. You can replace 192.168.1.1 with the IP address of a device on your network that you wish to scan. However, ensure you have permission to scan the target. Scanning networks without permission is illegal and unethical.

Because the output of nmap can vary greatly depending on the network and target, we cannot reliably verify the output directly. However, we can verify that the command was executed by checking the command history.

Add multiple scans to script in Xfce text editor

In this step, we will add more Nmap scan commands to our scan.sh script using the Xfce text editor. This will allow us to perform multiple scans with a single script execution.

First, open the scan.sh file in a text editor. Right-click on the desktop, select "Open Terminal Here", change to the ~/project directory if the terminal does not open there, and then type the following command:

nano scan.sh

This will open the scan.sh file in the nano text editor.

Currently, the script contains a single line:

nmap -sS 192.168.1.1

Let's add another scan command. For example, we can add a ping scan (-sn) to check if another host is up:

nmap -sS 192.168.1.1
nmap -sn 192.168.1.2

You can add as many scan commands as you like. For example, let's add a version detection scan (-sV) to the first target:

nmap -sS -sV 192.168.1.1
nmap -sn 192.168.1.2

Now, the script will first perform a SYN scan with version detection on 192.168.1.1, and then perform a ping scan on 192.168.1.2.

Important Note: Remember to replace 192.168.1.1 and 192.168.1.2 with the IP addresses of devices on your network that you wish to scan, and ensure you have permission to scan them.

To save the changes, press Ctrl+X, then Y to confirm, and then Enter to save the file.

Now, when you run the script using ./scan.sh, it will execute all the Nmap commands you added.

Schedule scan with cron using crontab -e

In this step, we will schedule our scan.sh script to run automatically using cron. cron is a time-based job scheduler on Unix-like operating systems. It allows you to schedule commands or scripts to run at specific times, dates, or intervals.

To schedule a task with cron, we use the crontab command. The crontab -e command opens the crontab file in a text editor (usually nano in the LabEx environment).

In your terminal, type the following command:

crontab -e

If this is the first time you're using crontab, you might be prompted to select an editor. Choose nano by selecting the corresponding number.

The crontab file contains a list of cron jobs, each on a separate line. Each line consists of six fields:

minute hour day_of_month month day_of_week command

  • minute: The minute of the hour when the job will run (0-59).
  • hour: The hour of the day when the job will run (0-23).
  • day_of_month: The day of the month when the job will run (1-31).
  • month: The month of the year when the job will run (1-12).
  • day_of_week: The day of the week when the job will run (0-6, where 0 is Sunday).
  • command: The command to execute.

For example, to run the scan.sh script every minute, add the following line to the crontab file:

* * * * * /home/labex/project/scan.sh

This line means:

  • *: Every minute
  • *: Every hour
  • *: Every day of the month
  • *: Every month
  • *: Every day of the week
  • /home/labex/project/scan.sh: The command to execute (the full path to our script)

Important: It's generally not a good idea to run scans every minute in a real-world scenario, as it can put a strain on the network and the target devices. For testing purposes in this lab, running it every minute is acceptable.

To save the changes, press Ctrl+X, then Y to confirm, and then Enter to save the file.

You should see a message like "crontab: installing new crontab". This means the cron job has been successfully scheduled.

Cron jobs typically run in the background without displaying any output. To see the output of the scan.sh script, you can redirect it to a file. For example, to redirect the output to a file named scan.log in your ~/project directory, you can modify the cron job entry as follows:

* * * * * /home/labex/project/scan.sh > /home/labex/project/scan.log 2>&1

The > /home/labex/project/scan.log part redirects the standard output to the scan.log file, and 2>&1 redirects the standard error to the same file. Because > truncates the file, each run replaces the output of the previous one; use >> instead if you want to keep a history of runs.
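A cron-safe version of the scan script built in the earlier steps, together with a matching crontab entry, as an added example that is not part of the lab. It assumes nmap is installed at /usr/bin/nmap and that flock from util-linux is available; the targets are the lab's sample addresses and the log paths are constructed.

```shell
#!/bin/sh
# Added example, not part of the LabEx lab: a cron-safe scan.sh plus a
# matching crontab entry. Assumes nmap is at /usr/bin/nmap and that flock
# (util-linux) is installed; targets are the lab's sample IPs.
set -eu

# Write a scan.sh that can run unattended from cron.
make_scan_script() {
    out="$1"
    cat > "$out" <<'EOF'
#!/bin/sh
# Cron starts with a minimal PATH, so use an absolute path to nmap.
NMAP=/usr/bin/nmap
LOGDIR="$HOME/project/scans"
mkdir -p "$LOGDIR"
STAMP=$(date +%Y%m%d-%H%M)   # one output file per run, not one growing scan.log
# A SYN scan (-sS) needs raw sockets; without root fall back to a connect scan (-sT).
if [ "$(id -u)" -eq 0 ]; then TCP=-sS; else TCP=-sT; fi
# On a one-minute schedule a -sV scan can outlive its slot; the lock makes a
# second invocation exit instead of stacking scans on the target.
exec 9>"$LOGDIR/.lock"
flock -n 9 || exit 0
$NMAP $TCP -sV 192.168.1.1 -oN "$LOGDIR/tcp-$STAMP.txt"
$NMAP -sn 192.168.1.2 -oN "$LOGDIR/ping-$STAMP.txt"
EOF
    chmod +x "$out"   # the lab's chmod +x scan.sh step
}

# Crontab entry: run every N minutes, absolute script path, stderr captured too.
cron_line() {
    every="$1" script="$2" log="$3"
    printf '*/%s * * * * %s >> %s 2>&1' "$every" "$script" "$log"
}

# Replace any earlier entry for this script so re-running does not add duplicates.
install_cron() {
    script="$1" line="$2"
    { crontab -l 2>/dev/null | grep -vF "$script" || true; printf '%s\n' "$line"; } | crontab -
}

# Usage (as the labex user):
#   make_scan_script "$HOME/project/scan.sh"
#   install_cron "$HOME/project/scan.sh" "$(cron_line 5 "$HOME/project/scan.sh" "$HOME/project/cron.log")"
```

The per-run output files under ~/project/scans can be compared between runs, which is what makes a scheduled scan useful for spotting newly opened ports.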

Verify automation in Xfce terminal

In this step, we will verify that the scan.sh script is being executed automatically by cron. Since we scheduled the script to run every minute, we should see evidence of its execution.

If you redirected the output of the script to a file (e.g., scan.log), you can check the contents of that file to see if the script has been running. In your terminal, type the following command:

tail /home/labex/project/scan.log

This command will display the last few lines of the scan.log file. If the script is running correctly, you should see output from the Nmap scans in the file, updated every minute.

If you did not redirect the output to a file, you won't have a scan.log file. In this case, you can create one now and redirect the cron job output to it. Edit the crontab again:

crontab -e

And change the cron job entry to:

* * * * * /home/labex/project/scan.sh > /home/labex/project/scan.log 2>&1

Save the crontab file. Then, wait for a minute or two and check the scan.log file again using tail /home/labex/project/scan.log.

If you still don't see any output, there might be a problem with the script or the cron job. Double-check the following:

  • Make sure the scan.sh script is executable (chmod +x scan.sh).
  • Make sure the cron job entry is correct in the crontab file (crontab -l to list the cron jobs).
  • Make sure the full path to the script is used in the cron job entry (/home/labex/project/scan.sh).
  • Check for any errors in the script itself.

Important: Because the cron job runs every minute, it keeps scanning the targets for as long as it is installed, and if you append to the log with >> the scan.log file will grow quickly. You might want to remove the cron job after you have verified that it is working correctly to avoid filling up the disk space. You can remove the cron job by editing the crontab file (crontab -e) and deleting the line you added.

Summary

In this lab, we learned how to automate Nmap scans using shell scripts and cron. First, we created a simple shell script named scan.sh containing an Nmap SYN scan command targeting a specific IP address. We then used chmod +x scan.sh to make the script executable, allowing us to run it directly from the terminal.

Next, we expanded the script to include multiple scans using a text editor. Finally, we scheduled the script to run automatically using cron, configuring a cron job with crontab -e and verifying the automation in the Xfce terminal. This demonstrated how to automate network scanning tasks for regular monitoring or security assessments.