Nmap: extract undesirable ports for sending mail with Batch and Blat
-
28-04-2021 - |
Question
Context
I use FINDSTR /C:"portid=" "scanports.xml"
to extract theses lines from a file:
<port protocol="tcp" portid="21"><state state="open" reason="syn-ack" reason_ttl="124"/><service name="ftp" method="table" conf="3"/></port>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="124"/><service name="ssh" method="table" conf="3"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="124"/><service name="http" method="table" conf="3"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack" reason_ttl="124"/><service name="https" method="table" conf="3"/></port>
<port protocol="tcp" portid="3389"><state state="open" reason="syn-ack" reason_ttl="124"/><service name="ms-term-serv" method="table" conf="3"/></port>
Questions
- How to extract
21
,22
,80
,443
and3389
from this line? - Same question for a random number in
[0-9]
except21
,22
,80
,443
and3389
?
I want to send by email all opened ports usually not open.
La solution
You can use a second FINDSTR to filter out the "normally open" ports. The solution I show uses an external file to list the ports to exclude (the normally open ones). Alternatively the list could be specified on the command line as multiple /C
options.
ignore.txt (edit as needed)
portid="21"
portid="22"
portid="80"
portid="443"
portid="3389"
findstr /c:"portid=" test.txt | findstr /r /v /g:"ignore.txt"
There is a bug with FINDSTR in that it may fail to find a match if there are multiple literal search strings of different lengths. That is the reason I chose to use the /R
regular expression option.
If the format of the XML file is consistent then you can use FOR /F with DELIMS set to the quote character to pull out the 4th token. The syntax for specifying a FOR /F options with quote as a delimiter is odd: Normally you would do something like "tokens=4 delims=,"
. But to include quote as a delimiter you have to do a bunch of escaping: tokens^=4^ delims^=^"
.
Putting it all together you get
@echo off
for /f tokens^=4^ delims^=^" %%P in (
'findstr /c:"portid=" test.txt ^| findstr /r /v /g:"ignore.txt"'
) do (
echo unusual open port = %%P
)
exit /b
If the format (attribute order) of the XML can vary, then the solution is more complex. You first use an outer FOR /F to read the entire line into a variable. You use a SET * search and replace op to find the portid location within the string, and then a second FOR /F to parse out the actual port.
setlocal enableDelayedExpansion
for /f "delims=" %%L in (
'findstr /c:"portid=" test.txt ^| findstr /r /v /g:"ignore.txt"'
) do (
set "ln=%%L"
for /f delims^=^=^" %%A in ("!ln:*portid=!") do set port=%%A
echo unusual open port = !port!
)
Once you have the port ids isolated you are in a position to build your mail message. I recommend using Blat for Windows to send your email.
Autres conseils
You could use FOR/F for parsing lines.
FINDSTR /C:"portid=" "scanports.xml" > tmpFile.tmp
FOR /F "tokens=3 delims=>=" %%1 in (tmpFile.tmp) DO (
echo %%~1
)
This is a little cheating, but your batch file can call a VBScript script:
c:\windows\system32\cscript.exe //nologo scanports.vbs
Where scanports.vbs is the following script:
Option Explicit
Dim xml, port
Set xml = CreateObject("Microsoft.XMLDOM")
xml.load "scanports.xml"
For Each port in xml.documentElement.selectNodes("//port")
WScript.Echo port.getAttribute("portid")
Next
I finish my script with jeb's answer and this link.
Code:
@ECHO Off
SETLOCAL ENABLEDELAYEDEXPANSION
REM Blat options:
SET blat="C:\Program Files (x86)\blat276\full\blat.exe"
SET server=127.0.0.1
SET port=25
SET from=x@x.com
SET to=y@y.com
FOR %%i IN (1,1,9) DO (
"C:\Program Files (x86)\Nmap\nmap.exe" server%%i.com -oX scanports%%i.xml
FINDSTR /C:"portid=" scanports%%i.xml >> scanports%%itemp.txt
FOR /F "tokens=*" %%a IN (scanports%%itemp.txt) DO (
SET x=%%a
SET x=!x:"=/!
FOR /f "tokens=4,12 delims=/" %%a IN ("!x!") DO (
IF NOT %%a==21 IF NOT %%a==22 IF NOT %%a==80 IF NOT %%a==443 IF NOT %%a==3389 (
%blat% -server %server% -port %port% -f %from% -to %to% -html -s "Port ouvert sur server%%i" -body "Port %%a : %%b"
)
)
)
DEL scanports%%i.xml
DEL scanports%%itemp.txt
)