Question

I have some data from an Nmap Scan. It looks like this.

Nmap scan report for 10.16.17.34
Host is up (0.011s latency).
Not shown: 65530 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
| http-headers: 
|   Date: THU, 30 AUG 2012 22:46:11 GMT
|   Expires: THU, 30 AUG 2012 22:46:11 GMT
|   Content-type: text/html
|   
|_  (Request type: GET)
443/tcp  open  https
| ssl-enum-ciphers: 
|   SSLv3
|     Ciphers (11)
|       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA - unknown strength
|       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA - unknown strength
|       TLS_RSA_EXPORT_WITH_DES40_CBC_SHA - unknown strength
|       TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 - unknown strength
|       TLS_RSA_EXPORT_WITH_RC4_40_MD5 - unknown strength
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
|       TLS_RSA_WITH_DES_CBC_SHA - unknown strength
|       TLS_RSA_WITH_RC4_128_MD5 - unknown strength
|       TLS_RSA_WITH_RC4_128_SHA - strong
|   TLSv1.0
|     Ciphers (10)
|       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA - unknown strength
|       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA - unknown strength
|       TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 - unknown strength
|       TLS_RSA_EXPORT_WITH_RC4_40_MD5 - unknown strength
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
|       TLS_RSA_WITH_DES_CBC_SHA - unknown strength
|       TLS_RSA_WITH_RC4_128_MD5 - unknown strength
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     Compressors (1)
|       NULL
|_  Least strength = unknown strength
2023/tcp open  xinuexpansion3

Nmap scan report for 10.16.40.0
Host is up (0.00062s latency).
All 65535 scanned ports on 10.16.40.0 are closed

Nmap scan report for 10.16.40.1
Host is up (0.00071s latency).
All 65535 scanned ports on 10.16.40.1 are closed

What I am attempting to do is to either use Awk, Sed or Grep or something else to extract any section that starts with Nmap Scan and ends in a blank new line and has ssl-enum-ciphers in it. I figured out with Awk how to print each section but I can't get it to check for the ssl line. I'm out of my league with this.
Thanks

Solution

What you have is blank-line separated records. You can use awk to check for your ssl-enum-ciphers:

awk -v RS='' '/ssl-enum-ciphers/' file.txt

This will check that the record doesn't contain the phrase 'host down':

awk -v RS='' '/ssl-enum-ciphers/ && !/host down/' file.txt

You could make this more stringent by changing the field separator to a newline character:

awk 'BEGIN { RS=""; FS="\n" } /ssl-enum-ciphers/ && $1 !~ /host down/' file.txt

Add some newlines between records:

awk 'BEGIN { RS=""; FS="\n" } /ssl-enum-ciphers/ && $1 !~ /host down/ { printf "%s\n\n", $0 }' file.txt

Other tips

Processing Nmap text output is tricky and fraught with dangers, since it can change from version to version. For parsing Nmap output, use the XML output with the -oX or -oA arguments. Then use an XML parsing library or utility to extract the information you need.

For your example, use xmlstarlet to extract the host element that contains a script element with the id attribute set to "ssl-enum-ciphers". This example will output the IP address of the target, followed by the output from the ssl-enum-ciphers script:

xmlstarlet sel -t -m '//script[@id="ssl-enum-ciphers"]' \
-v '../../../address[@addrtype="ipv4"]/@addr' -v '@output' output.xml

In the next release of Nmap, script output itself will be further broken into XML structures, making it easier to do things like output a list of only the weak ciphers in use.
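
The XML approach from the answer above, as an added example in Python that is not part of the original answers: it parses `-oX` output with the standard library, keeps only hosts whose ports carry an ssl-enum-ciphers script element, and lists the ciphers not rated "strong". The sample XML is constructed, the function names are hypothetical, and the code assumes the script's `output` attribute has the same layout as the text output shown in the question.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -oX` output (not real scan data).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun>
  <host>
    <address addr="10.16.17.34" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/>
        <script id="http-headers" output="&#10;  Content-type: text/html"/>
      </port>
      <port protocol="tcp" portid="443"><state state="open"/>
        <script id="ssl-enum-ciphers" output="&#10;  SSLv3&#10;    Ciphers (2)&#10;      TLS_RSA_EXPORT_WITH_RC4_40_MD5 - unknown strength&#10;      TLS_RSA_WITH_AES_128_CBC_SHA - strong&#10;  TLSv1.0&#10;    Ciphers (1)&#10;      TLS_RSA_WITH_AES_128_CBC_SHA - strong&#10;    Compressors (1)&#10;      NULL&#10;  Least strength = unknown strength"/>
      </port>
    </ports>
  </host>
  <host>
    <address addr="10.16.40.0" addrtype="ipv4"/>
    <ports><extraports state="closed" count="65535"/></ports>
  </host>
</nmaprun>"""

def ssl_findings(xml_text):
    """Return (ip, port, protocol, cipher, rating) for each cipher the script listed."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        for port in host.iterfind("ports/port"):
            script = port.find("script[@id='ssl-enum-ciphers']")
            if addr is None or script is None:
                continue  # host or port without the script: skip it
            proto = None
            for line in script.get("output", "").splitlines():
                text = line.strip()
                if text.startswith(("SSLv", "TLSv")):
                    proto = text  # protocol header such as "SSLv3"
                elif proto and " - " in text:
                    cipher, rating = text.split(" - ", 1)
                    rows.append((addr.get("addr"), port.get("portid"), proto, cipher, rating))
    return rows

def not_strong(rows):
    """Keep only ciphers whose rating is anything other than 'strong'."""
    return [r for r in rows if r[4] != "strong"]

if __name__ == "__main__":
    for ip, port, proto, cipher, rating in not_strong(ssl_findings(SAMPLE_XML)):
        print(f"{ip}:{port} {proto} {cipher} ({rating})")
```

To run it on a real scan, read the file written by `-oX` and pass its contents to `ssl_findings`.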

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow