PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2026-01-02 04:49:02 +00:00
Code Issues Projects Releases Wiki Activity

Regenerate ndiff.1.

Browse Source
This commit is contained in:
david
2009-07-16 20:37:02 +00:00
parent b4e3fd762a
commit 163dab3acd
1 changed files with 334 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

341
ndiff/docs/ndiff.1
View File

@@ -2,12 +2,12 @@
.\" Title: ndiff
.\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets v1.74.3 <http://docbook.sf.net/>
.\" Date: 03/25/2009
.\" Date: 07/16/2009
.\" Manual: [FIXME: manual]
.\" Source: [FIXME: source]
.\" Language: English
.\"
.TH "NDIFF" "1" "03/25/2009" "[FIXME: source]" "[FIXME: manual]"
.TH "NDIFF" "1" "07/16/2009" "[FIXME: source]" "[FIXME: manual]"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
@@ -25,9 +25,70 @@ ndiff \- Utility to compare the results of Nmap scans
\fBndiff\fR [\fIoptions\fR] {\fIa\&.xml\fR} {\fIb\&.xml\fR}
.SH "DESCRIPTION"
.PP
Ndiff is a tool to aid in the comparison of Nmap scans\&. It takes two Nmap XML output files and prints the differences between them: hosts coming up and down, ports becoming open or closed, etc\&.
Ndiff is a tool to aid in the comparison of Nmap scans\&. It takes two Nmap XML output files and prints the differences between them\&. The differences observed are:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Host states (e\&.g\&. up to down)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Port states (e\&.g\&. open to closed)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Service versions (from
\fB\-sV\fR)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
OS matches (from
\fB\-O\fR)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Script output
.RE
.sp
.RE
.PP
Ndiff compares two scans at a time\&. The first scan is called the A scan and the second scan is called the B scan\&.
Ndiff, like the standard
\fBdiff\fR
utility, compares two scans at a time\&.
.SH "OPTIONS SUMMARY"
.PP
\fB\-h\fR, \fB\-\-help\fR
@@ -47,10 +108,268 @@ Write output in human\-readable text format\&.
.PP
\fB\-\-xml\fR
.RS 4
This option is not currently supported\&.
Write output in machine\-readable XML format\&. The document structure is defined in the file
ndiff\&.dtd
included in the distribution\&.
.RE
.PP
Any other arguments are taken to be the names of Nmap XML output files\&. There must be exactly two\&. The first one listed is the A scan and the second is the B scan\&.
Any other arguments are taken to be the names of Nmap XML output files\&. There must be exactly two\&.
.SH "EXAMPLE"
.PP
Let\'s use Ndiff to compare the output of two Nmap scans that use different options\&. In the first, we\'ll do a fast scan (\fB\-F\fR), which scans fewer ports for speed\&. In the second, we\'ll scan the larger default set of ports, and run an NSE script\&.
.sp
.if n \{\
.RS 4
.\}
.nf
# nmap \-F scanme\&.nmap\&.org \-oX scanme\-1\&.xml
# nmap \-\-script=html\-title scanme\&.nmap\&.org \-oX scanme\-2\&.xml
$ ndiff \-v scanme\-1\&.xml scanme\-2\&.xml
\-Nmap 4\&.90RC2 at 2009\-07\-16 13:29
+Nmap 4\&.90RC2 at 2009\-07\-16 13:33
scanme\&.nmap\&.org (64\&.13\&.134\&.52):
Host is up\&.
\-Not shown: 95 filtered ports
+Not shown: 993 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh
25/tcp closed smtp
53/tcp open domain
+70/tcp closed gopher
80/tcp open http
+|_ html\-title: Go ahead and ScanMe!
113/tcp closed auth
+31337/tcp closed Elite
.fi
.if n \{\
.RE
.\}
.PP
Changes are marked by a
\-
or
+
at the beginning of a line\&. We can see from the output that the scan without the
\fB\-F\fR
fast scan option found two additional ports: 70 and 31337\&. The
html\-title\&.nse
script produced some additional output for port 80\&. From the port counts, we may infer that the fast scan scanned 100 ports (95 filtered, 3 open, and 2 closed), while the normal scan scanned 1000 (993 filtered, 3 open, and 4 closed)\&.
.PP
The
\fB\-v\fR
(or
\fB\-\-verbose\fR) option to Ndiff made it show even the ports that didn\'t change, like 22 and 25\&. Without
\fB\-v\fR, they would not have been shown\&.
.SH "OUTPUT"
.PP
There are two output modes: text and XML\&. Text output is the default, and is also selected with the
\fB\-\-text\fR
option\&. Text output resembles a unified diff of Nmap\'s normal terminal output\&. Each line is preceded by a character indicating whether and how it changed\&.
\-
means that the line was in the first scan but not in the second;
+
means it was in the second but not the first\&. A line that changed is represented by a
\-
line followed by a
+
line\&. Lines that did not change are preceded by a blank space\&.
.PP
Example\ \&1, \(lqNdiff text output\(rq
is an example of text output\&. Here, port 80 on the host
photos\-cache\-snc1\&.facebook\&.com
gained a service version (lighttpd 1\&.5\&.0)\&. The host at 69\&.63\&.179\&.25 changed its reverse DNS name\&. The host at 69\&.63\&.184\&.145 was completely absent in the first scan but came up in the second\&.
.PP
\fBExample\ \&1.\ \&Ndiff text output\fR
.sp
.if n \{\
.RS 4
.\}
.nf
\-Nmap 4\&.85BETA3 at 2009\-03\-15 11:00
+Nmap 4\&.85BETA4 at 2009\-03\-18 11:00
photos\-cache\-snc1\&.facebook\&.com (69\&.63\&.178\&.41):
Host is up\&.
Not shown: 99 filtered ports
PORT STATE SERVICE VERSION
\-80/tcp open http
+80/tcp open http lighttpd 1\&.5\&.0
\-cm\&.out\&.snc1\&.tfbnw\&.net (69\&.63\&.179\&.25):
+mailout\-snc1\&.facebook\&.com (69\&.63\&.179\&.25):
Host is up\&.
Not shown: 100 filtered ports
+69\&.63\&.184\&.145:
+Host is up\&.
+Not shown: 98 filtered ports
+PORT STATE SERVICE VERSION
+80/tcp open http Apache httpd 1\&.3\&.41\&.fb1
+443/tcp open ssl/http Apache httpd 1\&.3\&.41\&.fb1
.fi
.if n \{\
.RE
.\}
.PP
XML output, intended to be processed by other programs, is selected with the
\fB\-\-xml\fR
option\&. It is based on Nmap\'s XML output, with a few additional elements to indicate differences\&. The XML document is enclosed in
\fInmapdiff\fR
and
\fIscandiff\fR
elements\&. Host differences are enclosed in
\fIhostdiff\fR
tags and port differences are enclosed in
\fIportdiff\fR
tags\&. Inside a
\fIhostdiff\fR
or
\fIportdiff\fR,
\fIa\fR
and
\fIb\fR
tags show the state of the host or port in the first scan (\fIa\fR) or the second scan (\fIb\fR)\&.
.PP
Example\ \&2, \(lqNdiff XML output\(rq
shows the XML diff of the same scans shown above in
Example\ \&1\&. Notice how port 80 of
photos\-cache\-snc1\&.facebook\&.com
is enclosed in
\fIportdiff\fR
tags\&. For 69\&.63\&.179\&.25, the old hostname is in
\fIa\fR
tags and the new is in
\fIb\fR\&. For the new host 69\&.63\&.184\&.145, there is a
\fIb\fR
in the
\fIhostdiff\fR
without a corresponding
\fIa\fR, indicating that there was no information for the host in the first scan\&.
.PP
\fBExample\ \&2.\ \&Ndiff XML output\fR
.sp
.if n \{\
.RS 4
.\}
.nf
<?xml version="1\&.0" encoding="UTF\-8"?>
<nmapdiff version="1">
<scandiff>
<hostdiff>
<host>
<status state="up"/>
<address addr="69\&.63\&.178\&.41" addrtype="ipv4"/>
<hostnames>
<hostname name="photos\-cache\-snc1\&.facebook\&.com"/>
</hostnames>
<ports>
<extraports count="99" state="filtered"/>
<portdiff>
<port portid="80" protocol="tcp">
<state state="open"/>
<a>
<service name="http"/>
</a>
<b>
<service name="http" product="lighttpd" version="1\&.5\&.0"/>
</b>
</port>
</portdiff>
</ports>
</host>
</hostdiff>
<hostdiff>
<host>
<status state="up"/>
<address addr="69\&.63\&.179\&.25" addrtype="ipv4"/>
<hostnames>
<a>
<hostname name="cm\&.out\&.snc1\&.tfbnw\&.net"/>
</a>
<b>
<hostname name="mailout\-snc1\&.facebook\&.com"/>
</b>
</hostnames>
<ports>
<extraports count="100" state="filtered"/>
</ports>
</host>
</hostdiff>
<hostdiff>
<b>
<host>
<status state="up"/>
<address addr="69\&.63\&.184\&.145" addrtype="ipv4"/>
<ports>
<extraports count="98" state="filtered"/>
<port portid="80" protocol="tcp">
<state state="open"/>
<service name="http" product="Apache httpd" version="1\&.3\&.41\&.fb1"/>
</port>
<port portid="443" protocol="tcp">
<state state="open"/>
<service name="http" product="Apache httpd" tunnel="ssl" version="1\&.3\&.41\&.fb1"/>
</port>
</ports>
</host>
</b>
</hostdiff>
</scandiff>
</nmapdiff>
.fi
.if n \{\
.RE
.\}
.SH "PERIODIC DIFFS"
.PP
Using Nmap, Ndiff, cron, and a shell script, it\'s possible to scan a network daily and get email reports of the state of the network and changes since the previous scan\&.
Example\ \&3, \(lqScanning a network periodically with Ndiff and cron\(rq
shows the script that ties it together\&.
.PP
\fBExample\ \&3.\ \&Scanning a network periodically with Ndiff and cron\fR
.sp
.if n \{\
.RS 4
.\}
.nf
#!/bin/sh
TARGETS="\fItargets\fR"
OPTIONS="\-v \-T4 \-F \-sV"
date=`date +%F`
cd /root/scans
nmap $OPTIONS $TARGETS \-oA scan\-$date > /dev/null
if [ \-e scan\-prev\&.xml ]; then
ndiff scan\-prev\&.xml scan\-$date\&.xml > diff\-$date
echo "*** NDIFF RESULTS ***"
cat diff\-$date
echo
fi
echo "*** NMAP RESULTS ***"
cat scan\-$date\&.nmap
ln \-sf scan\-$date\&.xml scan\-prev\&.xml
.fi
.if n \{\
.RE
.\}
.PP
If the script is saved as
/root/scan\-ndiff\&.sh, add the following line to root\'s crontab:
.sp
.if n \{\
.RS 4
.\}
.nf
0 12 * * * /root/scan\-ndiff\&.sh
.fi
.if n \{\
.RE
.\}
.sp
.SH "BUGS"
.PP
Report bugs to the
@@ -59,7 +378,9 @@ mailing list at
nmap\-dev@insecure\&.org\&.
.SH "HISTORY"
.PP
Ndiff started as a project by Michael Pattrick during the 2008 Google Summer of Code\&. Michael designed the program and led the discussion of its output formats\&. He wrote versions of the program in Perl and C++, but the summer ended shortly after it was decided to rewrite the program in Python for the sake of Windows (and Zenmap) compatibility\&. This Python version was written by David Fifield\&.
Ndiff started as a project by Michael Pattrick during the 2008 Google Summer of Code\&. Michael designed the program and led the discussion of its output formats\&. He wrote versions of the program in Perl and C++, but the summer ended shortly after it was decided to rewrite the program in Python for the sake of Windows (and Zenmap) compatibility\&. This Python version was written by David Fifield\&. James Levine
\m[blue]\fBreleased\fR\m[]\&\s-2\u[1]\d\s+2
a Perl script named Ndiff with similar functionality in 2000\&.
.SH "AUTHORS"
.PP
David Fifield
@@ -71,3 +392,9 @@ mpattrick@rhinovirus\&.org
.PP
\m[blue]\fB\%http://nmap.org/ndiff/\fR\m[]
.SH "NOTES"
.IP " 1." 4
released
.RS 4
\%http://seclists.org/nmap-hackers/2000/0315.html
.RE