When the problem is searching Nmap output, the answer is always, "Use the XML output format." This is because Nmap's regular output can change between versions and is not structured for machine input. You can get Nmap to emit XML with the -oX or -oA options.
You've already filtered the output down a lot, but I can tell from the "|" at the beginning of the lines that the output you want comes from an NSE script instead of the OS detection engine. Specifically, that is the output of the smb-os-discovery script. Knowing this, we can use an XML parser to look for each element //script[@id='smb-os-discovery'] whose output attribute contains the string "OS: Windows XP". Here's how to do that with xmlstarlet:
xmlstarlet sel -t -m "//script[@id='smb-os-discovery' and contains(@output, 'OS: Windows XP')]" -v "ancestor::host/address[@addrtype='ipv4']/@addr" -n scan-output.xml
You can do similar things with the many XML parsing libraries in every language. Python, Perl, and Ruby all have good parsers specifically designed for Nmap's XML output.
EDIT: Since you only want the OS as detected by smb-os-discovery, you could save time scanning by only running this script and skipping the OS fingerprinting step. Here's an example of a fast scan like this:
nmap -p 445 --script smb-os-discovery -oA smb-scan-%y%m%d 192.0.2.0/24
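
The same selection done with an XML library instead of xmlstarlet, as an added example that is not part of the original answer. It uses Python's standard xml.etree.ElementTree on a constructed sample shaped like Nmap's -oX output; the function names and sample hosts are assumptions, and it goes one step further than the XPath above by also returning each host's reported OS string.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of Nmap -oX output (not a real scan).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <address addr="00:00:5E:00:53:01" addrtype="mac"/>
    <hostscript>
      <script id="smb-os-discovery"
              output="&#10;  OS: Windows XP (Windows 2000 LAN Manager)&#10;  Computer name: lab-xp&#10;"/>
    </hostscript>
  </host>
  <host>
    <address addr="192.0.2.20" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-os-discovery"
              output="&#10;  OS: Windows 7 Professional 7601 Service Pack 1&#10;"/>
    </hostscript>
  </host>
  <host>
    <address addr="192.0.2.30" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

def smb_os_by_host(xml_text):
    """Map each host's IPv4 address to the 'OS:' line of smb-os-discovery."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue  # host record without an IPv4 address
        # smb-os-discovery is a host script, so it sits under <hostscript>;
        # iter() finds it wherever it is nested inside this <host>.
        for script in host.iter("script"):
            if script.get("id") != "smb-os-discovery":
                continue
            for line in script.get("output", "").splitlines():
                line = line.strip()
                if line.startswith("OS: "):
                    result[addr.get("addr")] = line[len("OS: "):]
    return result

def hosts_with_os(xml_text, needle):
    """Return sorted IPv4 addresses whose reported OS contains needle."""
    found = smb_os_by_host(xml_text)
    return sorted(ip for ip, os_name in found.items() if needle in os_name)
```

To use it on a real scan, pass the contents of the .xml file written by -oX or -oA to hosts_with_os().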