Question

I got many files named like 192.168.203.txt as the output of

sudo nmap -O --top-ports 192.168.203.* >>192.168.203.txt 

The output looks like the one below:

Nmap scan report for 192.168.203.29
Host is up (0.00067s latency).
PORT     STATE    SERVICE
21/tcp   closed   ftp
22/tcp   closed   ssh
23/tcp   closed   telnet
25/tcp   closed   smtp
80/tcp   open     http
110/tcp  closed   pop3
139/tcp  filtered netbios-ssn
443/tcp  closed   https
445/tcp  filtered microsoft-ds
3389/tcp filtered ms-wbt-server
Device type: general purpose
Running: Microsoft Windows 2008|7
OS CPE: cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows_7
OS details: Microsoft Windows Server 2008 SP2, Microsoft Windows 7 or Windows Server 2008 SP1
Network Distance: 6 hops

I just want to grep the IPs like 192.168.203.29 with http or ssh or other ports open, separately. Maybe I will pipe all the resulting IPs into a file named http_open_ip.txt.

I have tried grepping ftp with this command:

cat *.txt|grep -B 3 "ftp"|grep -B3 "open"|grep "192.168."|awk '{print $5}'|sort -t . -k 3,3n -k  4,4n> ftp_open_ip.txt

Thus, I got a file ftp_open_ip.txt. But I found this command does not work with other keywords like ssh or smtp. What should I do?


Solution

I am not exactly clear about what you want. Perhaps you want to look in all the files and put all those IPs which have an http port open in one file, those with an ssh port open in another file, and so on. So the same IP may be present in multiple files. Assuming that, below is an awk solution:

awk 'BEGIN{http_open="http_open";ssh_open="ssh_open";ftp_open="ftp_open"}
  # remember the IP from the "Nmap scan report for 192.168.203.29" line (5th field)
  /Nmap scan report for/{ip=$5}
  # port lines look like "21/tcp   closed   ftp": $2 is the state, $3 the service;
  # comparing whole fields keeps an open "https" line from being counted as "http"
  $2=="open" && $3=="ftp"{print "ftp open for " ip >> ftp_open}
  $2=="open" && $3=="ssh"{print "ssh open for " ip >> ssh_open}
  $2=="open" && $3=="http"{print "http open for " ip >> http_open}
  ' <filename>

It assumes that the file contains data in the same order shown in your example, so the "Nmap scan report for" line has the IP in the 5th field. After that, the rest is really simple: if ftp, ssh, http etc. are found along with the open status, we redirect the output to the corresponding file.

Other suggestions

Instead of all this challenging text processing, you should use Nmap's own features that make this kind of output processing easier. First, Nmap offers many output formats, and options to output to files. Start with this command:

sudo nmap -oA my-scan-%y%m%d -O --top-ports 192.168.203.0/24

The -oA my-scan-%y%m%d option will save the output of your scan in 3 different files:

$ ls
my-scan-20130520.gnmap   my-scan-20130520.nmap   my-scan-20130520.xml

For quick queries, the .gnmap file will be the easiest to use with awk or grep, but it doesn't have all the useful information that is included in the normal (.nmap) or XML formats. If you plan to make this script automated, or extend it in any way, your best bet will be to use the XML output.

Here are a couple of commands that will do what you want with these output formats:

awk '/\/open\/tcp\/\/http\//{print $2}' my-scan-*.gnmap > http_open_ip.txt

xmlstarlet sel -t -m "//port[@protocol='tcp' and service/@name='ssh' and state/@state='open']/ancestor::host/address[@addrtype='ipv4']" -v '@addr' -n my-scan-*.xml > ssh_open_ip.txt
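As an added example (not part of either answer), here is the XML route from the second answer done in Python with only the standard library, run over a constructed -oX snippet modelled on the question's hosts: it applies the same selection as the xmlstarlet query (tcp, state open, exact service name) but collects every service in one pass and sorts the addresses numerically, as the question's sort did.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample in Nmap's -oX format, trimmed to the elements this reads
# (hosts and ports modelled on the question's scan, not real scan data).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.168.203.29" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="closed"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.203.4" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="192.168.203.250" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

def open_services(xml_text):
    """Map service name -> sorted IPv4 addresses that have that TCP service open.
    Same selection as the xmlstarlet query: protocol tcp, state 'open', exact
    service name (so an open 'https' port never lands in the 'http' list).
    """
    root = ET.fromstring(xml_text)
    found = defaultdict(set)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:  # e.g. IPv6-only host: nothing to list
            continue
        # a host that is down has no <ports>, so iterfind simply yields nothing
        for port in host.iterfind("ports/port[@protocol='tcp']"):
            state, service = port.find("state"), port.find("service")
            if state is None or service is None or state.get("state") != "open":
                continue
            found[service.get("name")].add(addr.get("addr"))
    # numeric sort by address, as the question's sort -t . -k 3,3n -k 4,4n does
    return {name: sorted(ips, key=ip_address) for name, ips in found.items()}
```

Each list can then be written to its own `<service>_open_ip.txt` file, one address per line, exactly like the http_open_ip.txt the question asks for.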
Licensed under: CC-BY-SA with attribution