mirror of https://github.com/nmap/nmap.git synced 2026-01-06 14:39:03 +00:00

Merge from /nmap-exp/david/ndiff-mkii and
/nmap-exp/david/zenmap-ndiff-alt. This is the new Ndiff output format
described in http://seclists.org/nmap-dev/2009/q1/0825.html and
http://seclists.org/nmap-dev/2009/q2/0127.html.
david
2009-04-10 19:07:39 +00:00
parent e69ae791cb
commit c701b9559b
7 changed files with 1449 additions and 1291 deletions


@@ -1,5 +1,10 @@
# Nmap Changelog ($Id$); -*-text-*-
o [Ndiff] The output has been changed to look like Nmap's output and
be easier to read. See the Ndiff README file for an example. The XML
output is now based on Nmap's XML output as well. Zenmap's diff
viewer shows the new output with syntax highlighting. [David]
o [Zenmap] The "Cancel" has been restored to the main screen. It will
cancel the scan that is currently being displayed.
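Review bot: the [Zenmap] entry reads `The "Cancel" has been restored to the main screen`, which is missing its noun; make it `The "Cancel" button has been restored`. The [Ndiff] entry also states that the XML output is now based on Nmap's XML output, while the man page and DocBook changes in this same commit document `--xml` as "not currently supported"; either the changelog should say the XML format is still in progress or the option documentation should be brought in line with it.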


@@ -2,80 +2,56 @@ Ndiff
Ndiff is a tool to aid in the comparison of Nmap scans. Specifically, it
takes two Nmap XML output files and prints the differences between them:
hosts coming up and down, ports becoming open or closed, and things like
that.
hosts coming up and down, ports becoming open or closed, service and OS
changes.
To install, run (as root)
python setup.py install
It's also possible to run the program from within the distribution
without installing it.
Use "ndiff --help" for usage instructions. Output can be in
human-readable text format ("ndiff --text") or machine-readable XML
format ("ndiff --xml").
Use "ndiff --help" for usage instructions.
Here is a sample of the text output:
Here is a sample of the output:
$ ./ndiff test-scans/random-1.xml test-scans/random-2.xml
Thu Sep 11 11:39:32 2008 -> Tue Sep 16 13:59:22 2008
cuvtdnray-504.example.com (10.214.143.33):
Host is up, was unknown.
Add ipv4 address 10.214.143.33.
Add hostname cuvtdnray-504.example.com.
+3389/tcp open microsoft-rdp Microsoft Terminal Service
999 tcp ports are filtered.
scnqxez-842.example.com (10.189.71.117):
Remove hostname scnqxez-842.example.com.
10.226.19.80:
-21/tcp filtered
+21/tcp open ftp Netgear broadband router ftpd 1.0
-23/tcp filtered
+23/tcp open telnet Netgear broadband router admin telnetd
-80/tcp filtered
+80/tcp open http Embedded Allegro RomPager webserver 4.07 UPnP/1.0 (ZyXEL ZyWALL 2)
-8701/tcp open unknown
+8701/tcp filtered
ywnleu-108.example.com (10.242.160.155):
Host is up, was unknown.
Add ipv4 address 10.242.160.155.
Add hostname ywnleu-108.example.com.
1000 tcp ports are filtered.
fiyrownc-307.example.com (10.65.53.252):
Host is unknown, was up.
Remove ipv4 address 10.65.53.252.
Remove hostname fiyrownc-307.example.com.
-8089/tcp open upnp Microsoft Windows UPnP
999 tcp ports changed state from filtered to unknown.
$ ./ndiff test-scans/random-1.xml test-scans/random-2.xml
-Nmap 4.75 at 2008-09-11 11:39
+Nmap 4.76 at 2008-09-16 13:59
Here is an abbreviated sample of the XML output:
-scnqxez-842.example.com (10.189.71.117):
+10.189.71.117:
Host appears to be up.
Not shown: 995 filtered ports
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp ProFTPD 1.3.1
80/tcp open http Apache httpd
443/tcp open http Apache httpd
873/tcp closed rsync
$ ./ndiff --xml test-scans/random-1.xml test-scans/random-2.xml
<?xml version="1.0" encoding="UTF-8"?>
<nmapdiff>
<scandiff a-start="1221154772" b-start="1221595162">
<host>
<address addr="10.214.143.33" addrtype="ipv4"/>
<hostname name="cuvtdnray-504.example.com"/>
<host-state-change a-state="unknown" b-state="up"/>
<host-address-add>
<address addr="10.214.143.33" addrtype="ipv4"/>
</host-address-add>
<host-hostname-add>
<hostname name="cuvtdnray-504.example.com"/>
</host-hostname-add>
<port-state-change a-state="unknown" b-state="filtered" portid="1" protocol="tcp"/>
<port-state-change a-state="unknown" b-state="filtered" portid="3" protocol="tcp"/>
<port-state-change a-state="unknown" b-state="filtered" portid="4" protocol="tcp"/>
</host>
<host>
<address addr="10.189.71.117" addrtype="ipv4"/>
<hostname name="scnqxez-842.example.com"/>
<host-hostname-remove>
<hostname name="scnqxez-842.example.com"/>
</host-hostname-remove>
</host>
</scandiff>
</nmapdiff>
+cuvtdnray-504.example.com (10.214.143.33):
+Host appears to be up.
+Not shown: 999 filtered ports
+PORT STATE SERVICE VERSION
+3389/tcp open microsoft-rdp Microsoft Terminal Service
10.226.19.80:
Host appears to be up.
-Not shown: 999 filtered ports
+Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
-21/tcp filtered
+21/tcp open ftp Netgear broadband router ftpd 1.0
-23/tcp filtered
+23/tcp open telnet Netgear broadband router admin telnetd
-80/tcp filtered
+80/tcp open http Embedded Allegro RomPager webserver 4.07 UPnP/1.0 (ZyXEL ZyWALL 2)
-8701/tcp open unknown
+8701/tcp filtered
Use -v or --verbose to see all hosts and ports, not just those that have
changed.
Ndiff started as a project by Michael Pattrick <mpattrick@rhinovirus.org>
during the 2008 Google Summer of Code. Michael designed the program and
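Review bot: the new sample output (the second `$ ./ndiff test-scans/random-1.xml test-scans/random-2.xml` block) relies on `-`/`+` line prefixes and `Not shown: N filtered ports` summary lines without saying what they mean; add a sentence before the sample stating that `-` lines come from the first (A) scan, `+` lines from the second (B) scan, and unprefixed lines are unchanged, so the README is readable without Nmap's normal output in front of the reader. The counts themselves check out: 10.226.19.80 goes from `Not shown: 999 filtered ports` to 997, matching three ports leaving the filtered state and one entering it.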


@@ -1,103 +1,73 @@
'\" t
.\" Title: ndiff
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.73.2 <http://docbook.sf.net/>
.\" Date: 09/18/2008
.\" Manual:
.\" Source:
.\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets v1.74.3 <http://docbook.sf.net/>
.\" Date: 03/25/2009
.\" Manual: [FIXME: manual]
.\" Source: [FIXME: source]
.\" Language: English
.\"
.TH "NDIFF" "1" "09/18/2008" "" ""
.TH "NDIFF" "1" "03/25/2009" "[FIXME: source]" "[FIXME: manual]"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
ndiff - Utility to compare the results of Nmap scans
ndiff \- Utility to compare the results of Nmap scans
.SH "SYNOPSIS"
.HP 6
\fBndiff\fR [\fIoptions\fR] {\fI\fIa\.xml\fR\fR} {\fI\fIb\.xml\fR\fR}
.HP \w'\fBndiff\fR\ 'u
\fBndiff\fR [\fIoptions\fR] {\fIa\&.xml\fR} {\fIb\&.xml\fR}
.SH "DESCRIPTION"
.PP
Ndiff is a tool to aid in the comparison of Nmap scans\. Specifically, it takes two Nmap XML output files and prints the differences between them: hosts coming up and down, ports becoming open or closed, and things like that\.
Ndiff is a tool to aid in the comparison of Nmap scans\&. It takes two Nmap XML output files and prints the differences between them: hosts coming up and down, ports becoming open or closed, etc\&.
.PP
Ndiff compares two scans at a time\. The
\(lqbefore\(rq
scan is called the A scan and the
\(lqafter\(rq
scan is the B scan\. The letters A and B are used to avoid giving the impression that scans must be given in time order\. They do not; it\'s possible to get a
\(lqbackward\(rq
diff from a newer scan to an older scan\.
.PP
Ndiff can produce output in human\-readable text or machine\-readable XML formats\. Use the
\fB\-\-text\fR
and
\fB\-\-xml\fR
options to control which\. Output goes to standard output\.
Ndiff compares two scans at a time\&. The first scan is called the A scan and the second scan is called the B scan\&.
.SH "OPTIONS SUMMARY"
.PP
\fB\-h\fR, \fB\-\-help\fR
.RS 4
Show a help message and exit\.
Show a help message and exit\&.
.RE
.PP
\fB\-v\fR, \fB\-\-verbose\fR
.RS 4
Do not consolidate long port lists into a simple count\. When a host is up in the B scan that was not present in the A scan, commonly most of its ports will change from the state "unknown" to "closed" or "filtered"\. If the port list is very long, it will be consolidated into a line like
.sp
.RS 4
.nf
994 tcp ports changed state from unknown to filtered\.
.fi
.RE
.sp
With
\fB\-\-verbose\fR, all 994 ports will be listed:
.sp
.RS 4
.nf
The following tcp ports changed state from unknown to filtered:
1,3,4,6,7,9,13,17,19\-21,23,24,26,30,32,
33,37,42,43,49,79,81\-85,88\-90,99,100,106,109\-11
1,119,125,135,139,143,144,146,161,163,179,199,2
.fi
.RE
.sp
and so on\.
.sp
In XML output, every port is always listed explictly\.
\fB\-\-verbose\fR
has no effect\.
Include all hosts and ports in the output, not only those that have changed\&.
.RE
.PP
\fB\-\-text\fR
.RS 4
Write output in human\-readable text format\.
Write output in human\-readable text format\&.
.RE
.PP
\fB\-\-xml\fR
.RS 4
Write output in machine\-readable text format\. For a description of the XML format see the
\fInmap\.dtd\fR
file in the Ndiff distribution\.
This option is not currently supported\&.
.RE
.PP
Any other arguments are taken to be the names of Nmap XML output files\. There must be exactly two\. The first one listed is the A scan and the second is the B scan\.
Any other arguments are taken to be the names of Nmap XML output files\&. There must be exactly two\&. The first one listed is the A scan and the second is the B scan\&.
.SH "BUGS"
.PP
Report bugs to the
nmap\-dev
mailing list at
<nmap\-dev@insecure\.org>\.
nmap\-dev@insecure\&.org\&.
.SH "HISTORY"
.PP
Ndiff started as a project by Michael Pattrick during the 2008 Google Summer of Code\. Michael designed the program and led the discussion of its output formats\. He wrote versions of the program in Perl and C++, but the summer ended shortly after it was decided to rewrite the program in Python for the sake of Windows compatibility\. This Python version is written by David Fifield\.
Ndiff started as a project by Michael Pattrick during the 2008 Google Summer of Code\&. Michael designed the program and led the discussion of its output formats\&. He wrote versions of the program in Perl and C++, but the summer ended shortly after it was decided to rewrite the program in Python for the sake of Windows (and Zenmap) compatibility\&. This Python version was written by David Fifield\&.
.SH "AUTHORS"
.PP
David Fifield
<david@bamsoftware\.com>
david@bamsoftware\&.com
.PP
Michael Pattrick
<mpattrick@rhinovirus\.org>
mpattrick@rhinovirus\&.org
.SH "WEB SITE"
.PP
\fI\%http://nmap.org/ndiff/\fR
\m[blue]\fB\%http://nmap.org/ndiff/\fR\m[]
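Review bot: the regenerated page carries `[FIXME: source]` and `[FIXME: manual]` in the `.TH "NDIFF" "1" "03/25/2009" "[FIXME: source]" "[FIXME: manual]"` line, so `man ndiff` will print those placeholders in its header and footer; fill in the source and manual fields in the DocBook refentry metadata (or pass the corresponding XSL stylesheet parameters) before regenerating. The `.HP \w'\fBndiff\fR\ 'u` synopsis and the `\&.` escapes are the expected output of the newer stylesheet version and need no change.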


@@ -2,170 +2,123 @@
DTD for the Ndiff XML output format.
David Fifield <david@bamsoftware.com>
Ndiff compares two scans at a time. The "before" and "after" scans are
called the A and B scans, respectively. Some of the XML output uses this
convention, for example the a-start and b-start attributes of the
scandiff element.
Ndiff XML output is similar to Nmap XML output. Inside of the root
nmapdiff element, the scandiff element represents a single diff of two
scans. Inside scandiff, host differences are within hostdiff elements
and port differences are within portdiff elements. These may appear
anywhere where host and port elements would appear, respectively.
The scandiff element represents a single diff of an A and B scan. Within
it are zero or more host elements. At the beginning of each host element
is any number of address and hostname elements, used to identify it. The
addresses and hostnames are taken from the A scan, unless the host was
not present in the A scan, in which case they come from the B scan.
Therefore they may not represent the final status of the host "after"
the diff; the addresses and hostnames may have changed between the A and
B scans.
Within a hostdiff or portdiff, differences are shown with a and b
elements, which show the state of things in the A and B
scan, respectively. These elements can appear most places in the output.
Following the address and hostname elements is an ordered list of
elements, each representing one diff "hunk." A hunk is an atomic
difference operation. For example, the host-state-change element
represents a host changing its state, perhaps from "unknown" to "up".
See the comments above each diff hunk element for a precise description
of what they mean.
The output may contain hosts and ports that haven't changed. These are
stored in normal host and port elements.
The order of diff hunks can matter. For example,
<port-state-change protocol="tcp" portid="100" a-state="open" b-state="closed"/>
<port-id-change a-protocol="tcp" a-portid="100" b-protocol="tcp" b-portid="200"/>
is different than the opposite order
<port-state-change protocol="tcp" portid="100" a-state="open" b-state="closed"/>
<port-id-change a-protocol="tcp" a-portid="100" b-protocol="tcp" b-portid="200"/>
The first order means, "Change the state of port 100/tcp from open to
closed, then swap ports 100/tcp and 200/tcp." If port 200/tcp was
initially filtered, this results in
PORT STATE
100/tcp filtered
200/tcp closed
The second order means, "Swap ports 100/tcp and 200/tcp, then change the
state of port 100/tcp from open to closed." In this case, port 200/tcp
must have originally been open. If port 100/tcp was initially filtered,
this results in
PORT STATE
100/tcp closed
200/tcp filtered
Examples:
A host in the A scan but not in the B scan.
<hostdiff>
<a>
<host>...</host>
</a>
</hostdiff>
A host in the B scan but not in the A scan.
<hostdiff>
<b>
<host>...</host>
</b>
</hostdiff>
A host that gained a hostname and had a port change state. Port 22 is
unchanged.
<hostdiff>
<host>
<hostnames>
<hostname name="abc.example.com/>
<b>
<hostname name="xyz.example.com/>
</b>
</hostnames>
<ports>
<portdiff>
<a>
<port portid="10" protocol="tcp">
<state state="open"/>
</port>
</a>
<b>
<port portid="10" protocol="tcp">
<state state="closed"/>
</port>
</b>
<port portid="22" protocol="tcp">
<state state="open"/>
</port>
</portdiff>
</ports>
</host>
</hostdiff>
-->
<!-- Parameter entities defining "data types" used in the rest of the
DTD. -->
<!ENTITY % protocol "(ip | tcp | udp)">
<!ENTITY % host-state "(unknown | up | down)">
<!ENTITY % address-type "(ipv4 | ipv6 | mac)">
<!ENTITY % protocol "(ip | tcp | udp)">
<!ENTITY % port-state "CDATA">
<!-- The diff-hunk parameter entity is any element that represents a
diff hunk. -->
<!ENTITY % diff-hunk
"(host-state-change | host-address-add | host-address-remove
| host-hostname-add | host-hostname-remove
| port-id-change | port-state-change)"
>
<!ELEMENT nmapdiff (scandiff)>
<!-- The current version is "1". Lack of a version attribute indicates
version 0, which was rather different. -->
<!ATTLIST nmapdiff version CDATA #IMPLIED>
<!ELEMENT scandiff (host*)>
<!-- a-start and b-start are the start times of the A and B scans,
expressed as a decimal number of seconds since the epoch. -->
<!ATTLIST scandiff a-start CDATA #IMPLIED
b-start CDATA #IMPLIED>
<!ELEMENT scandiff (hostdiff | host)*>
<!ELEMENT host ((address | hostname)*, (%diff-hunk;)*)>
<!ELEMENT hostdiff (host | (a, b?) | b)>
<!ELEMENT host (status | address | hostnames | ports | os | a | b)*>
<!ELEMENT status EMPTY>
<!ATTLIST status state %host-state; #REQUIRED>
<!ELEMENT hostnames (hostname | a | b)*>
<!ELEMENT address EMPTY>
<!ATTLIST address addrtype (mac | ipv4 | ipv6) "ipv4"
addr CDATA #REQUIRED>
<!ATTLIST address addr CDATA #REQUIRED
addrtype %address-type; "ipv4">
<!ELEMENT hostname EMPTY>
<!ATTLIST hostname name CDATA #REQUIRED>
<!-- Diff hunk elements. Each of these represents an atomic difference
operation. -->
<!ELEMENT ports ((extraports* | (a, b))?, (portdiff | port)*)>
<!--
The host changed its state, for example from "unknown" to "up". a-state
is the state of the host in the A scan and b-state is the state of the
host in the B scan.
-->
<!ELEMENT host-state-change EMPTY>
<!ATTLIST host-state-change a-state %host-state; #REQUIRED
b-state %host-state; #REQUIRED>
<!--
The host gained an address in the B scan that it didn't have in the A
scan.
-->
<!ELEMENT host-address-add (address)>
<!ELEMENT portdiff ((a, b?) | b)>
<!--
The host had an address in the A scan that it didn't have in the B scan.
-->
<!ELEMENT host-address-remove (address)>
<!ELEMENT extraports EMPTY>
<!ATTLIST extraports state %port-state; #REQUIRED
count CDATA #REQUIRED>
<!--
The host gained a hostname in the B scan that it didn't have in the A
scan.
-->
<!ELEMENT host-hostname-add (hostname)>
<!ELEMENT port (state?, service?)>
<!ATTLIST port protocol %protocol; #REQUIRED
portid CDATA #REQUIRED>
<!--
The host had a hostname in the A scan that it didn't have in the B scan.
-->
<!ELEMENT host-hostname-remove (hostname)>
<!ELEMENT state EMPTY>
<!ATTLIST state state %port-state; #REQUIRED>
<!--
The host gained an OS in the B scan that it didn't have in the A scan.
-->
<!ELEMENT host-os-add EMPTY>
<!attlist host-os-add name #REQUIRED>
<!ELEMENT service EMPTY>
<!ATTLIST service name CDATA #IMPLIED
product CDATA #IMPLIED
version CDATA #IMPLIED
extrainfo CDATA #IMPLIED
tunnel CDATA #IMPLIED>
<!--
The host had an OS in the A scan that it didn't have in the B scan.
-->
<!ELEMENT host-os-remove EMPTY>
<!attlist host-os-remove name #REQUIRED>
<!--
The services that were running on two ports were swapped between the A
and B scans. The portid and protocol attributes give the A and B port
specifications. The portid attributes are just decimal port numbers and
the protocol attributes are something like "ip", "tcp", or "udp".
<!ELEMENT os (osmatch | a | b)*>
For example: If, in the A scan port 100/tcp was filtered and port
200/tcp was open running OpenSSH, then the hunk
<port-id-change a-protocol="tcp" a-portid="100" b-protocol="tcp" b-portid="200"/>
means that in the B scan port 100/tcp is open running OpenSSH and port
200/tcp is filtered.
<!ELEMENT osmatch EMPTY>
<!ATTLIST osmatch name CDATA #REQUIRED>
Later hunks may further modify the ports that were swapped by this hunk.
See the note about order in the comment at the top.
-->
<!ELEMENT port-id-change EMPTY>
<!ATTLIST port-id-change a-portid CDATA #REQUIRED
a-protocol %protocol; #REQUIRED
b-portid CDATA #REQUIRED
b-protocol %protocol; #REQUIRED>
<!--
The port identified by the portid and protocol attributes changed state
from that given by the a-state attribute to that given by the b-state
attribute.
-->
<!ELEMENT port-state-change (a-service, b-service)?>
<!ATTLIST port-state-change portid CDATA #REQUIRED
protocol %protocol; #REQUIRED
a-state %port-state; #REQUIRED
b-state %port-state; #REQUIRED>
<!--
The service of a port from the A scan.
-->
<!ELEMENT a-service EMPTY>
<!ATTLIST a-service name CDATA #IMPLIED
product CDATA #IMPLIED
version CDATA #IMPLIED
extrainfo CDATA #IMPLIED>
<!--
Likewise for the B scan.
-->
<!ELEMENT b-service EMPTY>
<!ATTLIST b-service name CDATA #IMPLIED
product CDATA #IMPLIED
version CDATA #IMPLIED
extrainfo CDATA #IMPLIED>
<!ENTITY % diff-elem "(host | hostname | extraports* | port | state | service | os | osmatch*)">
<!ELEMENT a %diff-elem;>
<!ELEMENT b %diff-elem;>
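Review bot: the new hostdiff example in the header comment is not well-formed: `<hostname name="abc.example.com/>` and `<hostname name="xyz.example.com/>` are missing the closing quote before `/>`, which matters because readers copy these samples into test inputs. In the same comment, the ordering passage says its second listing is "the opposite order" of the first, yet both listings show `port-state-change` followed by `port-id-change`; if that passage is kept, swap the two elements in the second listing. If the `<!attlist host-os-add name #REQUIRED>` and `<!attlist host-os-remove name #REQUIRED>` declarations are meant to survive, they need the uppercase keyword and an attribute type (`<!ATTLIST host-os-add name CDATA #REQUIRED>`).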


@@ -30,25 +30,14 @@
<title>Description</title>
<para>
Ndiff is a tool to aid in the comparison of Nmap scans. Specifically, it
takes two Nmap XML output files and prints the differences between them:
hosts coming up and down, ports becoming open or closed, etc.
Ndiff is a tool to aid in the comparison of Nmap scans. It takes two
Nmap XML output files and prints the differences between them: hosts
coming up and down, ports becoming open or closed, etc.
</para>
<para>
Ndiff compares two scans at a time. The <quote>before</quote> scan
is called the A scan and the <quote>after</quote> scan is the B
scan. The letters A and B are used to avoid giving the impression
that scans must be given in time order. They do not; it's possible
to get a <quote>backward</quote> diff from a newer scan to an older
scan.
</para>
<para>
Ndiff can produce output in human-readable text or machine-readable
XML formats. Use the <option>--text</option> and
<option>--xml</option> options to control which. Output goes to
standard output.
Ndiff compares two scans at a time. The first scan is called the A
scan and the second scan is called the B scan.
</para>
</refsect1>
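Review bot: the rewritten Description drops the statement that output goes to standard output together with the paragraph on `--text` and `--xml`; keep a sentence such as "Output goes to standard output." since nothing else on the page says where the diff is written. Replacing "before"/"after" with "first"/"second" is fine and matches the wording under OPTIONS ("The first one listed is the A scan and the second is the B scan").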
@@ -60,7 +49,7 @@
<term><option>-h</option></term>
<term><option>--help</option></term>
<listitem>
<para>
<para>
Show a help message and exit.
</para>
</listitem>
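Review bot: this hunk only re-indents the `<para>` tag under `--help`; a whitespace-only change is better kept out of a functional commit, or at least mentioned in the commit message so reviewers do not look for a content change here.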
@@ -70,24 +59,8 @@
<term><option>--verbose</option></term>
<listitem>
<para>
Do not consolidate long port lists into a simple count. When
a host is up in the B scan that was not present in the A scan,
commonly most of its ports will change from the state
"unknown" to "closed" or "filtered". If the port list is very
long, it will be consolidated into a line like
<screen>994 tcp ports changed state from unknown to filtered.
</screen>
With <option>--verbose</option>, all 994 ports will be listed:
<screen>The following tcp ports changed state from unknown to filtered:
1,3,4,6,7,9,13,17,19-21,23,24,26,30,32,
33,37,42,43,49,79,81-85,88-90,99,100,106,109-11
1,119,125,135,139,143,144,146,161,163,179,199,2
</screen>
and so on.
</para>
<para>
In XML output, every port is always listed explictly.
<option>--verbose</option> has no effect.
Include all hosts and ports in the output, not only those that
have changed.
</para>
</listitem>
</varlistentry>
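Review bot: the one-line replacement "Include all hosts and ports in the output, not only those that have changed." does not say what the default output shows in their place; add a clause pointing to the consolidated `Not shown: N filtered ports` line seen in the README sample so the reader knows what `--verbose` expands. The removed paragraph also stated that `--verbose` has no effect on XML output; if `--xml` is restored later, that sentence should return with it.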
@@ -103,9 +76,7 @@
<term><option>--xml</option></term>
<listitem>
<para>
Write output in machine-readable text format. For a
description of the XML format see the
<filename>nmap.dtd</filename> file in the Ndiff distribution.
This option is not currently supported.
</para>
</listitem>
</varlistentry>
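Review bot: `--xml` is now documented only as "This option is not currently supported." while this same commit rewrites the Ndiff DTD and the changelog announces XML output based on Nmap's; either keep the pointer to the DTD with a note that the format is in flux, or say what happens when the option is given, so users are not left with a listed option whose behaviour is unspecified. Dropping the reference to `<filename>nmap.dtd</filename>` also removes the only place the documentation told users where the XML format is described.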

File diff suppressed because it is too large

File diff suppressed because it is too large