Trying to Extract Sections from Nmap Output
Question
I have some data from an Nmap Scan. It looks like this.
Nmap scan report for 10.16.17.34
Host is up (0.011s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
80/tcp open http
| http-headers:
| Date: THU, 30 AUG 2012 22:46:11 GMT
| Expires: THU, 30 AUG 2012 22:46:11 GMT
| Content-type: text/html
|
|_ (Request type: GET)
443/tcp open https
| ssl-enum-ciphers:
| SSLv3
| Ciphers (11)
| TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA - unknown strength
| TLS_RSA_EXPORT1024_WITH_RC4_56_SHA - unknown strength
| TLS_RSA_EXPORT_WITH_DES40_CBC_SHA - unknown strength
| TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 - unknown strength
| TLS_RSA_EXPORT_WITH_RC4_40_MD5 - unknown strength
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
| TLS_RSA_WITH_DES_CBC_SHA - unknown strength
| TLS_RSA_WITH_RC4_128_MD5 - unknown strength
| TLS_RSA_WITH_RC4_128_SHA - strong
| TLSv1.0
| Ciphers (10)
| TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA - unknown strength
| TLS_RSA_EXPORT1024_WITH_RC4_56_SHA - unknown strength
| TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 - unknown strength
| TLS_RSA_EXPORT_WITH_RC4_40_MD5 - unknown strength
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
| TLS_RSA_WITH_DES_CBC_SHA - unknown strength
| TLS_RSA_WITH_RC4_128_MD5 - unknown strength
| TLS_RSA_WITH_RC4_128_SHA - strong
| Compressors (1)
| NULL
|_ Least strength = unknown strength
2023/tcp open xinuexpansion3
Nmap scan report for 10.16.40.0
Host is up (0.00062s latency).
All 65535 scanned ports on 10.16.40.0 are closed
Nmap scan report for 10.16.40.1
Host is up (0.00071s latency).
All 65535 scanned ports on 10.16.40.1 are closed
What I am attempting to do is to either use Awk, Sed or Grep or something else to extract any section that starts with Nmap Scan and ends in a blank new line and has ssl-enum-ciphers in it. I figured out with Awk how to print each section but I can't get it to check for the ssl line. I'm out of my league with this.
Thanks
La solution
What you have is blank-line separated records. You can use awk
to check for your ssl-enum-ciphers:
awk -v RS='' '/ssl-enum-ciphers/' file.txt
This will check that the record doesn't contain the phrase 'host down':
awk -v RS='' '/ssl-enum-ciphers/ && !/host down/' file.txt
You could make this more stringent by changing the field separator to a newline character:
awk 'BEGIN { RS=""; FS="\n" } /ssl-enum-ciphers/ && $1 !~ /host down/' file.txt
Add some newlines between records:
awk 'BEGIN { RS=""; FS="\n" } /ssl-enum-ciphers/ && $1 !~ /host down/ { printf "%s\n\n", $0 }' file.txt
Autres conseils
Processing Nmap text output is tricky and fraught with dangers, since it can change from version to version. For parsing Nmap output, use the XML output with the -oX
or -oA
arguments. Then use an XML parsing library or utility to extract the information you need.
For your example, use xmlstarlet to extract the host
element that contains a script
element with the id
attribute set to "ssl-enum-ciphers". This example will output the IP address of the target, followed by the output from the ssl-enum-ciphers
script:
xmlstarlet sel -t -m '//script[@id="ssl-enum-ciphers"]' \
-v '../../../address[@addrtype="ipv4"]/@addr' -v '@output' output.xml
In the next release of Nmap, script output itself will be further broken into XML structures, making it easier to do things like output a list of only the weak ciphers in use.