ScanPBNJ

From aldeid

Description

ScanPBNJ performs an Nmap scan and then stores the results in a database. For each machine scanned it stores the IP address, operating system, hostname and a localhost bit. The localhost bit is a single bit that is 1 when the target machine is localhost and 0 otherwise. The machine table also carries two timestamps, one human-readable and one in Unix time; both record the first time the machine was scanned.

ScanPBNJ also stores information about the services found running on the target machine: the port and protocol of each service, plus its version, product and state. The service state is either up or down. Two timestamps are inserted for each instance of every service, one human-readable and one in Unix time; both record the time that service was scanned.

This tool gives an admin a clear layout of the network: all the machines and all the services they are running.

ScanPBNJ is part of the PBNJ 2.0 suite of tools for monitoring changes on a network.

Installation

$ sudo apt-get install pbnj

Usage

Basic syntax

$ scanpbnj [Options] {target specification}

Target Specification

You can pass hostnames, IP addresses, networks, etc.

Ex: microsoft.com, 192.168.0.1, 192.168.1.1/24, 10.0.0.1-254

-i --iplist <iplist>
Scan using a list of IPs from a file
-x --xml <xml-file>
Parse scan/info from Nmap XML file

Scan Options

-a --args <args>
Execute Nmap with args (needs quotes)
-e --extraargs <args>
Add args to the default args (needs quotes)
--inter <interface>
Perform Nmap Scan using non default interface
-m --moreports <ports>
Add ports to scan ex: 8080 or 3306,5900
-n --nmap <path>
Path to Nmap executable
-p --pingscan
Ping Target then scan the host(s) that are alive
--udp
Add UDP to the scan arguments
--rpc
Add RPC to the scan arguments
-r --range <ports>
Ports for scan [def 1-1025]
--diffbanner
Parse changes of the banner

Config Options

-d --dbconfig <config>
Config for results database [def config.yaml]
--configdir <dir>
Directory for the database config file
--data <file>
SQLite Database override [def data.dbl]
--dir <dir>
Directory for SQLite or CSV file [def . ]

General Options

--nocolors
Don't Print Colors
--test <level>
Testing information
--debug <level>
Debug information
-v --version
Display version
-h --help
Display this information

Example

We first establish a baseline by scanning a host (192.168.100.18) with a TCP SYN scan (-a '-sS'). In the output below the machine is already present in the database from an earlier run, so ScanPBNJ only checks its services instead of inserting a new machine record:

$ sudo scanpbnj  -a '-sS' 192.168.100.18

--------------------------------------
Starting Scan of 192.168.100.18
Machine is already in the database
Checking Current Services
        = ftp:21 is (unknown version) unknown product
        = ssh:22 is (unknown version) unknown product
Scan Complete for 192.168.100.18
--------------------------------------

It detects two services on the machine (FTP on port 21/tcp and SSH on port 22/tcp). Version and product are reported as unknown because no version detection was requested.

Now we start a new service, Apache, on port 80/tcp:

$ sudo /etc/init.d/apache2 start

And we stop vsftpd (the FTP daemon):

$ sudo /etc/init.d/vsftpd stop

We launch the scan again:

$ sudo scanpbnj  -a '-sS' 192.168.100.18

--------------------------------------
Starting Scan of 192.168.100.18
Machine is already in the database
Checking Current Services
        ! Service 21:tcp ftp is down
        = ssh:22 is (unknown version) unknown product
        Inserting Service on 80:tcp http
Scan Complete for 192.168.100.18
--------------------------------------

ScanPBNJ flags what has changed since the previous scan:

  • The service listening on port 21/tcp (identified as ftp) is DOWN
  • A new service (http) is running on port 80/tcp

We could also have run a version scan by adding -sV to the Nmap arguments (for example -a '-sS -sV'), so that the version and product fields are filled in instead of showing (unknown version) unknown product.
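The description above lists what ScanPBNJ records for each machine and service, and the two runs show the console lines it prints for unchanged, down and newly inserted services. The following Python is an added example, not code from PBNJ or from this page: it parses that console output into structured service records, summarises the changes, and writes them to an in-memory SQLite table modelled on the fields the description lists. The table layout and column names, the Service record, and the assumption that an "=" line refers to tcp unless the scan was run with --udp are this example's own, not PBNJ's.

```python
# Added example (not PBNJ's own code): turn ScanPBNJ console output into a
# structured change report and store per-service states in SQLite.
# The table layout and column names are assumptions for illustration; they
# are not the schema PBNJ itself writes.
import re
import sqlite3
import time
from typing import List, NamedTuple, Optional

# Constructed sample: the second console run shown on this page.
SCAN_OUTPUT = """\
--------------------------------------
Starting Scan of 192.168.100.18
Machine is already in the database
Checking Current Services
        ! Service 21:tcp ftp is down
        = ssh:22 is (unknown version) unknown product
        Inserting Service on 80:tcp http
Scan Complete for 192.168.100.18
--------------------------------------
"""


class Service(NamedTuple):
    port: int
    proto: str
    name: str
    state: str        # "up" or "down", as the services table description says
    change: str       # "removed", "unchanged" or "new" relative to the last scan
    version: Optional[str]
    product: Optional[str]


START_RE = re.compile(r"^Starting Scan of (\S+)")
DOWN_RE = re.compile(r"^\s*! Service (\d+):(\w+) (\S+) is down")
SAME_RE = re.compile(r"^\s*= (\S+):(\d+) is \((.*?)\) (.*?)\s*$")
NEW_RE = re.compile(r"^\s*Inserting Service on (\d+):(\w+) (\S+)")


def parse_scan(text: str, default_proto: str = "tcp"):
    """Return (ip, [Service]) for one scanpbnj run.

    The '=' (unchanged) line prints no protocol, so default_proto is assumed
    for it (an assumption of this example); pass "udp" for --udp scans.
    """
    ip = None
    services: List[Service] = []
    for line in text.splitlines():
        m = START_RE.match(line)
        if m:
            ip = m.group(1)
            continue
        m = DOWN_RE.match(line)
        if m:
            services.append(Service(int(m.group(1)), m.group(2), m.group(3),
                                    "down", "removed", None, None))
            continue
        m = SAME_RE.match(line)
        if m:
            services.append(Service(int(m.group(2)), default_proto, m.group(1),
                                    "up", "unchanged", m.group(3), m.group(4)))
            continue
        m = NEW_RE.match(line)
        if m:
            services.append(Service(int(m.group(1)), m.group(2), m.group(3),
                                    "up", "new", None, None))
    if ip is None:
        raise ValueError("no 'Starting Scan of' line found")
    return ip, services


def summarize(services):
    """Group services by change type as 'port/proto name' strings."""
    out = {"removed": [], "new": [], "unchanged": []}
    for s in services:
        out[s.change].append(f"{s.port}/{s.proto} {s.name}")
    return out


def new_store():
    """In-memory SQLite table mirroring the fields the description lists."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE services (
        ip TEXT, port INTEGER, protocol TEXT, service TEXT,
        version TEXT, product TEXT, state TEXT,
        updated TEXT, updated_on INTEGER)""")
    return conn


def record(conn, ip, services, now=None):
    """Insert one row per service with human-readable and Unix timestamps."""
    ts = int(time.time() if now is None else now)
    human = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(ts))
    conn.executemany(
        "INSERT INTO services VALUES (?,?,?,?,?,?,?,?,?)",
        [(ip, s.port, s.proto, s.name, s.version, s.product, s.state, human, ts)
         for s in services])
    conn.commit()


def down_services(conn, ip):
    """Services recorded as down for a host, oldest first."""
    rows = conn.execute(
        "SELECT port, protocol, service FROM services "
        "WHERE ip = ? AND state = 'down' ORDER BY updated_on, port", (ip,))
    return [tuple(r) for r in rows]


if __name__ == "__main__":
    host, svcs = parse_scan(SCAN_OUTPUT)
    print(host, summarize(svcs))
    db = new_store()
    record(db, host, svcs)
    print("down:", down_services(db, host))
```

Feeding the real console output of a scheduled run through parse_scan and alerting on a non-empty "new" or "removed" list is the simplest way to turn the manual comparison above into an automated check; swap the in-memory connection for a file-backed one to keep history across runs.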
