Running Nmap on a schedule

Posted on 2016-08-17
Last Modified: 2016-09-05
What is the best way to run Nmap on a schedule in Windows?

We want to be able to run Nmap scans on a daily basis that are run on a schedule.
Question by: VH
3 Comments
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 100 total points (awarded by participants)
ID: 41759161
Here is a summary of nmap commands:

http://bencane.com/2013/02/25/10-nmap-commands-every-sysadmin-should-know/

Work out the commands you want; then you can also output to a file using a command such as: nmap -oG test.txt

Once you have worked out this, you can make a scheduled task with Task Scheduler.
LVL 61

Accepted Solution

by: btan
btan earned 400 total points (awarded by participants)
ID: 41759187
By default there isn't an NMAP scheduled scan. But there can be a script with other tools to work off something similar. But the example is for non-Windows, e.g. using Nmap, Ndiff, cron, and a shell script, it's possible to scan a network daily and get email reports of the state of the network and changes since the previous scan:
https://nmap.org/book/ndiff-man-periodic.html
But I am thinking ZenMap for Windows, and tap on the Windows scheduler for the schedule approach, as well as have ndiff to compare between different XML results from the scan. But it is not readily automated. There is a Scandiff tool that is based on PowerShell that does this:
Scandiff is a PowerShell script to automate host discovery and scanning with nmap. This script was written to perform nmap host discovery and port scanning from a remote network and send the results to a recipient through email. After discovering and scanning hosts, scandiff performs an nmap ndiff on the output against previous results, 7zips all generated output, and optionally emails all output to a specified email address.
Using scandiff:
 .\scandiff-0.9.ps1 -frequency [daily|weekly] -basename foo -outdir X:\path\to\output\directory -targets (nmap-style target specification or path to file containing targets) -email [0|1] -discover [0|1]

Example:
 ./scandiff.ps1 -frequency daily -basename nmap-output -targets 192.168.1.10-25,scanme.nmap.org
 ./scandiff.ps1 -frequency daily -basename nmap-output -targets c:\targets.txt

Scandiff takes a number of arguments. The usage of each argument is described below:

PARAMETER frequency
 Frequency is either daily or weekly.

Daily performs discovery using a limited set of ports and performs an nmap scan using the default nmap TCP port list.

Weekly performs a discovery using a limited set of ports and performs an nmap scan using the full TCP port range and a limited set of UDP ports defined in the script.
https://github.com/hardwaterhacker/scandiff
https://hardwatersec.blogspot.sg/2014/10/automating-host-discovery-nmap-and.html

But primarily, you should consider your target topology and aggressiveness when scheduling NMAP scans, as they affect the finding accuracy and the resources required for a timely picture update of your system. For example, you will not want too big a window span in between scans, nor a very short window span such that the scans are almost back to back, as these scans would not give timely or significant results respectively. You can check out the considerations for the scan times (below); it states that techniques for improving scan times include omitting non-critical tests and upgrading to the latest version of Nmap (performance enhancements are made frequently). E.g. optimizing timing parameters can also make a substantial difference. Those options are listed below.

--min-hostgroup <numhosts>; --max-hostgroup <numhosts> (Adjust parallel scan group sizes)
--min-parallelism <numprobes>; --max-parallelism <numprobes> (Adjust probe parallelization)
--min-rtt-timeout <time>, --max-rtt-timeout <time>, --initial-rtt-timeout <time> (Adjust probe timeouts)
--max-retries <numtries> (Specify the maximum number of port scan probe retransmissions)
--host-timeout <time> (Give up on slow target hosts)
--scan-delay <time>; --max-scan-delay <time> (Adjust delay between probes)
--min-rate <number>; --max-rate <number> (Directly control the scanning rate)

Furthermore, you (which you may already know) can specify them with the -T option and their number (0–5) or their name.

-T paranoid|sneaky|polite|normal|aggressive|insane (Set a timing template)

The template names are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5) as below:

T0 - The main effects of T0 are serializing the scan so only one port is scanned at a time, and waiting five minutes between sending each probe.
T1 and T2 are similar but they only wait 15 seconds and 0.4 seconds, respectively, between probes.
T3 is Nmap's default behavior, which includes parallelization.
T4 does the equivalent of --max-rtt-timeout 1250ms --min-rtt-timeout 100ms --initial-rtt-timeout 500ms --max-retries 6 and sets the maximum TCP scan delay to 10 milliseconds.
T5 does the equivalent of --max-rtt-timeout 300ms --min-rtt-timeout 50ms --initial-rtt-timeout 250ms --max-retries 2 --host-timeout 15m as well as setting the maximum TCP scan delay to 5 ms.
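The approach above (scan on a schedule, keep XML output, compare with the previous run using ndiff, and hand the whole thing to Task Scheduler) as a small PowerShell script. This is an added example, not code from the thread or from the scandiff project; the output directory, the target range and the Nmap install path are assumptions you would adjust for your own network.

```powershell
# Added example: daily Nmap scan of your own network with XML output,
# ndiff against the previous run, and a Task Scheduler registration.
# Paths and the target range below are assumptions, not values from the thread.
param(
    [string]$Targets = '192.168.1.0/24',               # assumed: your own subnet
    [string]$OutDir  = 'C:\NmapScans',                 # assumed output location
    [string]$NmapDir = 'C:\Program Files (x86)\Nmap',  # default Windows installer path
    [switch]$Register                                  # -Register: create the daily task
)

$nmap  = Join-Path $NmapDir 'nmap.exe'
$ndiff = Join-Path $NmapDir 'ndiff.exe'   # ndiff ships with the Windows Nmap package

if ($Register) {
    # Run this same script every day at 02:00 as SYSTEM; raw-socket scans need elevation.
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`" -Targets $Targets -OutDir `"$OutDir`""
    $trigger = New-ScheduledTaskTrigger -Daily -At 2am
    Register-ScheduledTask -TaskName 'Daily Nmap Scan' -Action $action `
        -Trigger $trigger -User 'SYSTEM' -RunLevel Highest -Force | Out-Null
    return
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$current = Join-Path $OutDir "scan-$stamp.xml"
$latest  = Join-Path $OutDir 'latest.xml'   # always the most recent completed scan

# -T3 is Nmap's default timing template; -oX produces the XML that ndiff consumes.
& $nmap -T3 -oX $current $Targets | Out-Null

if (Test-Path $latest) {
    # ndiff exits 0 when the two scans match, 1 when there are differences, 2 on error.
    $report = & $ndiff $latest $current
    if ($LASTEXITCODE -eq 1) {
        $report | Set-Content (Join-Path $OutDir "diff-$stamp.txt")
        Write-Output "Changes since previous scan:`n$($report -join "`n")"
    } elseif ($LASTEXITCODE -eq 0) {
        Write-Output 'No changes since previous scan.'
    } else {
        Write-Output 'ndiff reported an error; keeping both XML files for inspection.'
    }
}
Copy-Item $current $latest -Force
```

Run it once with -Register from an elevated prompt to create the task; each later scheduled run writes a timestamped XML file and, when ndiff finds changes, a diff-*.txt beside it that you can forward by email or feed into your monitoring.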
LVL 61

Expert Comment

by:btan
ID: 41784462
Scheduled means to run and leverage the scripts shared.