Extracting from a file and pasting details to another file - linux

The problem is regarding extracting the details of the Oracle VirtualBox host (2nd paragraph) from the "nmap non-gui version". I understand the usage of "grep" and "loops" and have already tried everything, but what if there are other systems connected on the same network? I just want the program to find the word "(Oracle VirtualBox virtual NIC)" and extract everything above it until it finds a blank line.
root@PopeyeTheSailorMan:~# nmap 192.168.43.0/24 > Log.txt
Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-15 04:08 UTC
Nmap scan report for 192.168.43.1
Host is up (0.0025s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
53/tcp open domain
MAC Address: 9A:10:94:51:42:ED (Unknown)
***Nmap scan report for 192.168.43.136
Host is up (0.00071s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https
1024/tcp open kdm
MAC Address: 08:00:27:D3:73:2E (Oracle VirtualBox virtual NIC)***
Nmap scan report for kali (192.168.43.79)
Host is up (0.0000070s latency).
All 1000 scanned ports on kali (192.168.43.79) are closed
Nmap done: 256 IP addresses (3 hosts up) scanned in 16.00 seconds

If I understand your question, this does what you want:
awk '/Oracle VirtualBox virtual NIC/' RS= Log.txt
With your sample input:
$ awk '/Oracle VirtualBox virtual NIC/' RS= Log.txt
***Nmap scan report for 192.168.43.136
Host is up (0.00071s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https
1024/tcp open kdm
MAC Address: 08:00:27:D3:73:2E (Oracle VirtualBox virtual NIC)***
How it works
RS=
This tells awk to read input a paragraph at a time.
/Oracle VirtualBox virtual NIC/
This tells awk to print any paragraph that contains the string Oracle VirtualBox virtual NIC.
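The awk paragraph-mode trick above, as an added example that is not code from the question or the answer: it wraps the one-liner in small functions and runs them on a constructed nmap log containing two VirtualBox hosts and two other hosts, so the "what if there are other systems" case is covered. It also goes one step beyond the answer by pulling just the IP out of each matching paragraph, and by writing the matches to a second file as the question title asks. Function names and the sample log are my own.

```shell
#!/bin/sh
# Added example (not from the original question or answer). The log below is
# a constructed sample in nmap's normal output layout: hosts are separated by
# blank lines, and the first host shares its paragraph with the banner line.

SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-15 04:08 UTC
Nmap scan report for 192.168.43.1
Host is up (0.0025s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
53/tcp open  domain
MAC Address: 9A:10:94:51:42:ED (Unknown)

Nmap scan report for 192.168.43.136
Host is up (0.00071s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:D3:73:2E (Oracle VirtualBox virtual NIC)

Nmap scan report for vm2 (192.168.43.140)
Host is up (0.00080s latency).
All 1000 scanned ports on vm2 (192.168.43.140) are closed
MAC Address: 08:00:27:AA:BB:CC (Oracle VirtualBox virtual NIC)

Nmap scan report for kali (192.168.43.79)
Host is up (0.0000070s latency).
All 1000 scanned ports on kali (192.168.43.79) are closed
Nmap done: 256 IP addresses (4 hosts up) scanned in 16.00 seconds
EOF

# Print every blank-line-delimited paragraph of file $2 that matches the awk
# regex $1. RS="" is paragraph mode; ORS="\n\n" keeps the blank separators,
# so the output is itself valid input for a second pass.
extract_paragraphs() {
  awk -v pat="$1" 'BEGIN { RS = ""; ORS = "\n\n" } $0 ~ pat' "$2"
}

# Write the matching paragraphs to file $3 (the "pasting details to another
# file" part of the question).
save_paragraphs() {
  extract_paragraphs "$1" "$2" > "$3"
}

# Print only the IP of each matching host, read from the "Nmap scan report
# for ..." line inside the paragraph. The first paragraph may also carry the
# "Starting Nmap" banner, so that header line is located, not assumed to be
# line 1 of the paragraph.
matching_ips() {
  awk -v pat="$1" '
    BEGIN { RS = "" }
    $0 ~ pat {
      n = split($0, line, "\n")
      for (i = 1; i <= n; i++)
        if (line[i] ~ /^Nmap scan report for/ &&
            match(line[i], /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
          print substr(line[i], RSTART, RLENGTH)
          break
        }
    }' "$2"
}

# Stand-alone run: show the VirtualBox paragraphs, then just their IPs.
extract_paragraphs 'Oracle VirtualBox virtual NIC' "$SAMPLE_LOG"
matching_ips 'Oracle VirtualBox virtual NIC' "$SAMPLE_LOG"
```

The paragraph split relies on nmap's blank line between hosts; if you control the scan, `nmap -oG` (grepable output) puts each host on a single line and removes the need to reassemble paragraphs at all.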

grep -n ^$ Log.txt | sed s/://
will give the blank line numbers (suitable for an array)
grep -n 'Oracle VirtualBox virtual NIC' Log.txt | cut -f1 -d\:
will give the line numbers of the target
Use arrays, loops and sed to grok the block you want
sed -n '8,19p' Log.txt

Related

nmap to scan MAC address for remote machine by non-ROOT user

Env: CentOS 7, nmap 6.40
Currently I'm trying to fetch MAC/HW addresses for a list of IPs via the nmap command utility, and with the root user it's working perfectly.
As root user
nmap -sP -PE -iL <list-of-IPs>
Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-19 07:05 EDT
Nmap scan report for 192.168.xx.xx
Host is up (0.0015s latency).
MAC Address: XX:XX:XX:XX:XX:XX
As non-root user
nmap -sP -PE -iL <list-of-IPs>
Warning: You are not root -- using TCP pingscan rather than ICMP
Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-19 07:19 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.01 seconds
Requesting your suggestion/help on how the same can be achieved via a normal user.
Thanks
Nmap must be run as root in order to retrieve this information. Fortunately, there are other sources of MAC address information on a Linux system: the system's ARP tables. After making an attempt to contact an IP address (either using Nmap or some other tool like ping), run arp -n to print the table of IP-to-MAC address mappings.
It is possible to run nmap as a non-root user. This Wiki describes pretty well how to set everything up to run it as an unprivileged user. The linked tutorial also describes this for Ubuntu and Red Hat systems, which should be good for you since you are on CentOS.
I think it is important to keep this security warning in mind:
WARNING: This is dangerous. The Nmap Scripting Engine (NSE) allows scripts to sniff the network, change firewall rules and interface configuration, or exploit vulnerabilities including on localhost. It's possible, especially with elevated capabilities, for a clever person to use Nmap and NSE to escalate to full root privileges. If you do not understand these risks, do not do this.
Summary from the Wiki:
1. Restrict access to certain groups, for example adm. Make sure that you use the right location of nmap. In my case, this was /usr/bin/nmap:
sudo chgrp adm /usr/bin/nmap
sudo chmod 750 /usr/bin/nmap
2. Make sure the setcap command is installed (more information about capabilities here):
sudo yum install libcap
3. Now, set the capabilities. Once again, make sure to use the right location.
sudo setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip /usr/bin/nmap
4. Finally, you are able to run nmap as an unprivileged user. But you have to explicitly define that you want to do so. You can define it as an argument of nmap:
nmap --privileged -sP -PE -iL <list-of-IPs>
or as an environment variable:
export NMAP_PRIVILEGED=""
Edit: I don't exactly know why this answer is being down-voted since this is one possible answer to the question (although the question is of course better suited for Super User or Unix & Linux Stack Exchange). I added the results from my own systems with and without --privileged below:
$ nmap -sP -PE 192.168.0.1
Warning: You are not root -- using TCP pingscan rather than ICMP
Starting Nmap 7.60 ( https://nmap.org ) at 2018-06-20 08:52 CEST
Nmap scan report for <HOST NAME> (192.168.0.1)
Host is up (0.0011s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
$ nmap --privileged -sP -PE 192.168.0.1
Starting Nmap 7.60 ( https://nmap.org ) at 2018-06-20 08:52 CEST
Nmap scan report for <HOST NAME> (192.168.0.1)
Host is up (0.0014s latency).
MAC Address: XX:XX:XX:XX:XX:XX (<MANUFACTURER NAME>)
Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
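Given the warning quoted in that answer, the thing a practitioner wants after steps 1 to 4 is a way to confirm that the binary is restricted exactly as intended and carries no more capabilities than the three granted. The following audit helper is an added example, not part of the answer or of the Nmap wiki: the parsing is done in functions that take strings, so it can be exercised on constructed getcap and stat output even on a machine without nmap or libcap; `audit_nmap` runs the same checks live. Function names and the expected group `adm` are my own choices.

```shell
#!/bin/sh
# Added example (not from the answer or the Nmap wiki): audit the
# unprivileged-nmap setup. Three things are checked: group ownership, file
# mode, and the file capabilities reported by getcap.

EXPECTED_CAPS="cap_net_admin,cap_net_bind_service,cap_net_raw"

# Reduce one getcap line to a sorted, comma-separated capability list.
# Both output styles getcap has used are accepted:
#   /usr/bin/nmap = cap_net_admin,cap_net_bind_service,cap_net_raw+eip
#   /usr/bin/nmap cap_net_admin,cap_net_bind_service,cap_net_raw=eip
caps_from_getcap() {
  printf '%s\n' "$1" |
    sed -e 's/^[^ ]* *=* *//' -e 's/[+=][a-z]*$//' |
    tr ',' '\n' | sort | paste -sd, -
}

# True only when the binary carries exactly the three capabilities the
# setcap step grants; an extra capability (cap_sys_admin, say) or a missing
# one both fail, as does an empty getcap result.
check_caps() {
  [ "$(caps_from_getcap "$1")" = "$EXPECTED_CAPS" ]
}

# $1 = octal mode as printed by `stat -c %a`, $2 = group, $3 = expected group.
# "other" must have no permission bits, there must be no setuid/setgid digit,
# and the group must be the one access was restricted to.
check_mode_and_group() {
  case "$1" in
    [0-7][0-7]0) [ "$2" = "$3" ] ;;
    *) return 1 ;;
  esac
}

# Live check (Linux, GNU stat, libcap's getcap): returns 0 when the binary
# is restricted as the steps intend, 1 otherwise.
audit_nmap() {
  bin="${1:-/usr/bin/nmap}"
  check_caps "$(getcap "$bin")" ||
    { echo "$bin: capabilities differ from $EXPECTED_CAPS"; return 1; }
  set -- $(stat -c '%a %G' "$bin")
  check_mode_and_group "$1" "$2" adm ||
    { echo "$bin: mode $1 / group $2 is not 750 adm"; return 1; }
  echo "$bin: ok (mode $1, group $2, caps $EXPECTED_CAPS)"
}
```

Run `audit_nmap /usr/bin/nmap` after the setcap step (or from a cron job, since a package upgrade that replaces the binary drops both the group change and the capabilities).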

What is the meaning of the command `sudo nmap -sP -n 192.168.0.0-255`?

What is the meaning of the following command, and why isn't it given in the help menu of nmap?
Sample command: sudo nmap -sP -n 192.168.0.0-255
Sample output:
Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-14 16:09 +06
Nmap scan report for 192.168.0.1
Host is up (0.0035s latency).
MAC Address: 20:L6:A7:55:3D:44 (D-link Technologies)
Nmap scan report for 192.168.0.104
Host is up (0.20s latency).
MAC Address: 18:97:F8:15:26:D9 (Zen Mobile Communication Technology)
Nmap scan report for 192.168.0.118
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 6.31 seconds
What does -sP mean and why is it used?
This command works properly, but it is not listed in the man page or the help menu.
Please elaborate the circumstances.
From the man page:
In previous releases of Nmap, -sn was known as -sP..

How to Capture Remote System network traffic?

I have been using Wireshark to analyse the packets of socket programs. Now I want to see the traffic of other hosts; as I found that I need to use monitor mode, which is only supported on the Linux platform, I tried it, but I couldn't capture any packets transferred in my network, listing 0 packets captured.
Scenario:
I have a network consisting of 50+ hosts (all are powered by Windows except mine). My IP address is 192.168.1.10; when I initiate a communication with any 192.168.1.xx it shows the captured traffic.
But my requirement is to monitor the traffic between 192.168.1.21 and 192.168.1.22 from my host, i.e. from 192.168.1.10.
1: Is it possible to capture the traffic as I mentioned?
2: If it is possible, then is Wireshark the right tool for it (or should I have to use a different one)?
3: If it is not possible, then why?
Just adapt this a bit with your own filters and IPs (on the local host):
ssh -l root <REMOTE HOST> tshark -w - not tcp port 22 | wireshark -k -i -
or using bash:
wireshark -k -i <(ssh -l root <REMOTE HOST> tshark -w - not tcp port 22)
You can use tcpdump instead of tshark if needed (the filter excludes port 22, otherwise the capture would include the ssh session that carries the capture itself):
ssh -l root <REMOTE HOST> tcpdump -U -s0 -w - -i eth0 'not port 22' |
wireshark -k -i -
You are connected to a switch which is "switching" traffic. It bases the traffic you see on your mac address. It will NOT send you traffic that is not destined to your mac address. If you want to monitor all the traffic you need to configure your switch to use a "port mirror" and plug your sniffer into that port. There is no software that you can install on your machine that will circumvent the way network switching works.
http://en.wikipedia.org/wiki/Port_mirroring

asterisk hide version from nmap scan

I'm looking for methods (iptables rules, etc...) to prevent the asterisk version from showing on a nmap udp scan without closing (drop) the port. If I open it for some ip address, a nmap udp scan to port 5060 from this ip address can resolve the asterisk version(nmap -sU -sV -p 5060 <ipaddress>):
PORT STATE SERVICE VERSION
5060/udp open sip Asterisk PBX 1.8.13.0
Is there some way that only shows port 5060 open? Is it possible to hide this asterisk info or change it?
I think you can change the PBX info with the following in sip.conf:
useragent=SIPClient XXX
But actually on my host that command shows:
[root@pro-sip ~]# nmap -sU -sV -p 5060 78.47.XXX.XXX
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2012-12-05 22:35 UTC
Interesting ports on pro-sip.net (78.47.XXX.XXX):
PORT STATE SERVICE VERSION
5060/udp open|filtered sip
Nmap finished: 1 IP address (1 host up) scanned in 52.025 seconds
so maybe on your host it just finds some issue and guesses it is Asterisk version XXX.

nmap says port is closed while netstat says it's listening

This is Ubuntu 12.04 env. I have a TCP service running on port 8020 on the box:
My question is:
Why is port 8020 not discovered by nmap as an open port while netstat says it's listening?
If I run
netstat -tuplen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 127.0.0.1:9001 0.0.0.0:* LISTEN 0 10564 1917/python
tcp 0 0 127.0.0.1:8020 0.0.0.0:* LISTEN 117 29259 4448/java
But if I run
nmap -v -sT 127.0.0.1
Starting Nmap 5.21 ( http://nmap.org ) at 2012-08-10 08:51 PDT
Initiating Connect Scan at 08:51
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 53/tcp on 127.0.0.1
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 9000/tcp on 127.0.0.1
Discovered open port 631/tcp on 127.0.0.1
Discovered open port 9001/tcp on 127.0.0.1
Completed Connect Scan at 08:51, 0.04s elapsed (1000 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00046s latency).
rDNS record for 127.0.0.1: hadoop-namenode-01
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
631/tcp open ipp
9000/tcp open cslistener
9001/tcp open tor-orport
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
Raw packets sent: 0 (0B) | Rcvd: 0 (0B)
By default nmap doesn't scan all ports. Try this one:
nmap -sT -sU -p- 127.0.0.1
@Satish, you don't need to add -sU, which will scan the UDP ports too and take a while.
nmap -v -p 8020 127.0.0.1
This should be enough and instant.
By default nmap scans only the well-known ports.
You specify a port by using the -p parameter.
To scan all ports: nmap -v -p "*" 127.0.0.1
To scan only port 8020: nmap -v -p 8020 127.0.0.1
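The gap the question describes (a listener that the default top-1000 scan never touched) is easy to catch mechanically by reconciling `netstat` with the scan output. The script below is an added example, not code from the thread: it parses `netstat -tuplen` text into the set of listening TCP ports, builds the exact `-p` argument for nmap from it, and lists the listeners the scan did not report. Both inputs are constructed from the outputs quoted in the question, with one IPv6 listener added to exercise the `:::22` address form; function names are my own.

```shell
#!/bin/sh
# Added example (not from the question or answers): compare listening TCP
# ports with the ports an nmap scan reported open. Inputs are constructed
# from the question's netstat and nmap output.

NETSTAT_OUT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 127.0.0.1:9001          0.0.0.0:*               LISTEN      0          10564      1917/python
tcp        0      0 127.0.0.1:8020          0.0.0.0:*               LISTEN      117        29259      4448/java
tcp6       0      0 :::22                   :::*                    LISTEN      0          9000       1/sshd'

NMAP_OUT='PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
631/tcp  open  ipp
9000/tcp open  cslistener
9001/tcp open  tor-orport'

# TCP ports in LISTEN state from `netstat -tuplen` text, one per line, in
# numeric order. The port is whatever follows the last ':' of the local
# address, which works for "127.0.0.1:8020" as well as ":::22".
listening_tcp_ports() {
  printf '%s\n' "$1" |
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" { n = split($4, a, ":"); print a[n] }' |
    sort -n -u
}

# The same list as a comma-separated argument for `nmap -p`, so the scan
# covers exactly what is listening instead of nmap's default port set.
nmap_port_arg() {
  listening_tcp_ports "$1" | paste -sd, -
}

# TCP ports that nmap's normal output marks open, one per line.
nmap_open_tcp_ports() {
  printf '%s\n' "$1" |
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { sub(/\/tcp/, "", $1); print $1 }' |
    sort -n -u
}

# Listening ports the scan did not report: $1 = netstat text, $2 = nmap text.
# Both lists are re-sorted in comm's collation order so comm(1) can take the
# set difference directly.
unscanned_listeners() {
  a="$(mktemp)"; b="$(mktemp)"
  listening_tcp_ports "$1" | sort > "$a"
  nmap_open_tcp_ports "$2" | sort > "$b"
  comm -23 "$a" "$b" | sort -n
  rm -f "$a" "$b"
}

# Stand-alone run: on the question's data the scan missed 8020.
echo "listening:      $(nmap_port_arg "$NETSTAT_OUT")"
echo "missed by scan: $(unscanned_listeners "$NETSTAT_OUT" "$NMAP_OUT" | paste -sd, -)"
```

On a live box, feed `"$(netstat -tuplen 2>/dev/null)"` and `"$(nmap -sT -p "$(nmap_port_arg "$(netstat -tuplen)")" 127.0.0.1)"` to the same functions; anything left in `unscanned_listeners` after scanning the exact port list is then a real discrepancy (a firewall rule or a socket bound to another address), not just a port outside nmap's default set.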