Creating systems reports
Nmap can generate a systems report quickly. Scanning the complete network (/24) with operating system identification (-O) and, optionally, verbose output (-v) gives an immediate list of systems and the protocols they expose:

nmap -O -v 192.168.1.0/24

However, the format is unruly: pages and pages of output are generated. What is needed is very clean output that can be loaded straight into a spreadsheet.

Nmap's output option (-o) controls how it writes its results. Combined with G (-oG), nmap produces "grepable" output, with one line per host, that grep can process easily, which makes building the inventory much simpler.

Using operating system identification and the “grepable” output formatting, the following command can be used to run the raw reports and output the report to report.txt:

nmap -O -oG report.txt 192.168.1.0/24

This report, however, is still hard to read, is not easily imported by a spreadsheet program or database, and includes IP addresses that are not assigned to any system, since the whole network was scanned:

cat report.txt
# nmap 5.21 scan initiated Thu Sep 30 08:28:31 2010 as: nmap -O -oG report.txt 192.168.1.0/24
Host: 192.168.1.0 ()    Status: Down
Host: 192.168.1.3 ()    Status: Down
Host: 192.168.1.4 ()    Status: Down
Host: 192.168.1.5 ()    Status: Down
Host: 192.168.1.1 (router.domain.com)          Status: Up
Host: 192.168.1.1 (router.domain.com)          Ports: 80/open/tcp//http///, 443/open/tcp//https///, 4567/open/tcp//unknown///, 8080/open/tcp//http-proxy///, 8443/open/tcp//https-alt///      Ignored State:closed (995)    OS: Linux 2.4.18 - 2.4.35 (likely embedded) Seq Index: 205            IP ID Seq: All zeros

To create a system report that includes IP address, hostname and operating system, we need to focus on the lines containing the information. The easiest way to identify these lines is to search for OS:

grep "OS:" report.txt
Host: 192.168.1.1 (router.domain.com)          Ports: 80/open/tcp//http///, 443/open/tcp//https///, 4567/open/tcp//unknown///, 8080/open/tcp//http-proxy///, 8443/open/tcp//https-alt///            Ignored State: closed (995)    OS: Linux 2.4.18 - 2.4.35 (likely embedded) Seq Index: 205            IP ID Seq: All zeros

We now have the information necessary to create the report. However, the entry carries a lot of information (open ports, sequence numbers, etc.) that is not needed and should be dropped during report generation. Let's remove Host:; Ports: together with all the ports that follow it; OS:; everything from Seq up to the end of the line; and, finally, the first pair of parentheses, the ones around the host name:

grep "OS:" report.txt | sed 's/Host: //' | sed 's/Ports.*OS://' | sed 's/Seq.*$//' | sed 's/(//' | sed 's/)//'

The output of this command has the following format:

192.168.1.1 router.domain.com          Linux 2.4.18 - 2.4.35 (likely embedded)

Now the IP address, hostname and operating system are easily identifiable, and it’s a matter of piping that output to awk to add quotes and commas for the CSV. Basically, quotes are added around the IP address, the host name and all the words that make up the operating system identification tag:

grep "OS:" report.txt | sed 's/Host: //' | sed 's/Ports.*OS://' | sed 's/Seq.*$//' | sed 's/(//' | sed 's/)//' | awk '{print "\"" $1 "\",\""$2"\"," $3 " " $4 " "  $5 " "  $6 " "  $7 " "  $8 " "  $9 " " $10 " "  $11 " "  $12 " " $13 " " $14 "\""}' >report.csv

Looking at the newly created report.csv file, the output is now in CSV format and can easily be loaded into a spreadsheet:

cat report.csv
"192.168.1.1","router.domain.com","Linux 2.4.18 - 2.4.35 (likely embedded) "
"192.168.1.2","freddy","Linux 2.4.35"
"192.168.1.6","computer.home","Linux 2.4.21 (embedded)|MontaVista embedded Linux 2.4.17 "
"192.168.1.7","IMAC.home","Apple Mac OS X 10.5 - 10.6.1 (Leopard - Snow Leopard) (Darwin"
"192.168.1.8","new-host-3.home","Apple iPhone mobile phone (iPhone OS 3.0 - 3.2, Darwin 10.0.0d3) "
"192.168.1.11","new-host-5.home","Apple Mac OS X 10.5 - 10.6 (Leopard - Snow Leopard)"
"192.168.1.15","AppleTV.home","Apple Mac OS X 10.4.8 - 10.4.11 (Tiger) (Darwin 8.8.0 – 8.11.1)"
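The awk command above prints a fixed set of fields ($3 through $14), which is why the iMac line above ends in "(Darwin": any OS string longer than twelve words is cut, and shorter ones pick up trailing spaces. As an added example, not from the original article, the function below instead splits each -oG host line on its tab-separated fields (the layout nmap uses for grepable output), so the OS string is copied whole, hosts without a reverse-DNS name get an empty hostname column, and embedded quotes are escaped so the CSV stays valid; the sample input is constructed, not real scan output.

```shell
# grepable_to_csv: read nmap -oG output on stdin and print one
#   "ip","hostname","os"  row per host that has an OS: field.
# Assumption: each -oG host line is a run of tab-separated fields
# (Host:, Ports:, Ignored State:, OS:, Seq Index:, ...) and the
# hostname follows the IP in parentheses, "()" when there is none.
grepable_to_csv() {
  awk -F '\t' '
    /^Host: / {
      ip = ""; host = ""; os = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^Host: /) {
          split($i, h, " ")          # h[2] = IP, h[3] = "(hostname)" or "()"
          ip = h[2]
          host = h[3]
          gsub(/^\(|\)$/, "", host)  # strip the surrounding parentheses
        } else if ($i ~ /^OS: /) {
          os = substr($i, 5)         # everything after "OS: ", untruncated
        }
      }
      if (os == "") next             # no fingerprint: nothing to report
      gsub(/"/, "\"\"", host); gsub(/"/, "\"\"", os)   # keep the CSV valid
      printf "\"%s\",\"%s\",\"%s\"\n", ip, host, os
    }'
}

# Constructed sample (not real scan output): a router with a long OS string,
# a host with no reverse-DNS name, and a host that is down.
sample_grepable() {
  printf 'Host: 192.168.1.1 (router.domain.com)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (995)\tOS: Linux 2.4.18 - 2.4.35 (likely embedded)\tSeq Index: 205\tIP ID Seq: All zeros\n'
  printf 'Host: 192.168.1.7 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)\tOS: Apple Mac OS X 10.5 - 10.6.1 (Leopard - Snow Leopard) (Darwin 9.0 - 10.2)\tSeq Index: 261\tIP ID Seq: Incremental\n'
  printf 'Host: 192.168.1.9 ()\tStatus: Down\n'
}

# Convert the constructed sample; with a real scan use: grepable_to_csv < report.txt
demo_csv() { sample_grepable | grepable_to_csv; }

demo_csv
```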

It’s a wrap
Using the output of nmap, combined with grep, sed, and awk, a complete network inventory can be generated in a matter of seconds in a small environment, and in a matter of minutes even in a very large one.

The same tools serve the information security specialist who needs to spot changes in the environment, such as systems being added or removed: keeping each run's CSV and diffing it against the previous one shows exactly which hosts appeared or disappeared.
