Solved

Running Nmap on a schedule

Posted on 2016-08-17
3
148 Views
Last Modified: 2016-09-05
What is the best way to run Nmap on a schedule in windows.

We want to be able to run Nmap scans on a daily basis that are run on a schedule.
0
Comment
Question by:VH
  • 2
3 Comments
 
LVL 93

Assisted Solution

by:John Hurst
John Hurst earned 100 total points (awarded by participants)
ID: 41759161
Here is a summary of nmap commands:

http://bencane.com/2013/02/25/10-nmap-commands-every-sysadmin-should-know/

Work out the commands you want and then, you can also output to a file using a command: nmap -oG test.txt

Once you have worked out this, you can make a scheduled task with Task Scheduler.
0
 
LVL 62

Accepted Solution

by:
btan earned 400 total points (awarded by participants)
ID: 41759187
By default there isn't a NMAP scheduled scan. But there can be a script with other tools to work off something similar. But the example is for non-windows for e.g. Using Nmap, Ndiff, cron, and a shell script, it's possible to scan a network daily and get email reports of the state of the network and changes since the previous scan
https://nmap.org/book/ndiff-man-periodic.html
But I am thinking ZenMap for Windows and tap on windows scheduler for the schedule approach as well as have ndiff to compare btw differen XML result from the scan. But it is not readily automated. There is a Scandiff tools that is based on Powershell that does this
Scandiff is a PowerShell script to automate host discovery and scanning with nmap. This script was written to perform nmap host discovery and port scanning from a remote network and send the results to a recipient through email. After discovering and scanning hosts, scandiff performs an nmap ndiff on the output against previous results, 7zips all generated output, and optionally emails all output to a specified email address.
Using scandiff:
 .\scandiff-0.9.ps1 -frequency [daily|weekly] -basename foo -outdir X:\path\to\output\directory -targets (nmap-style target specification or path to file containing targets) -email [0|1] -discover [0|1]

Example:
 ./scandiff.ps1 -frequency daily -basename nmap-output -targets 192.168.1.10-25,scanme.nmap.org
 ./scandiff.ps1 -frequency daily -basename nmap-output -targets c:\targets.txt

Scandiff takes a number of arguments. The usage of each argument is described below:

PARAMETER frequency
 Frequency is either daily or weekly.

Daily performs discovery using a limited set of ports and performs an nmap scan using the default nmap TCP port list.

Weekly performs a discovery using a limited set of ports and performs an nmap scan using the full TCP port range and a limited set of UDP ports defined in the script.
https://github.com/hardwaterhacker/scandiff
https://hardwatersec.blogspot.sg/2014/10/automating-host-discovery-nmap-and.html

But primarily, you should consider your target topology and aggressiveness when in scheduling of NMAP scan as it affect the finding accuracy and resource required for a timely picture update of your system. For example, you will not want to have too big of a window span in between scans nor have a very short window span such that the scan is almost back to back that these scanning does not give any timely or significant results respectively. You can check out consideration for the scan times (below) and it stated techniques for improving scan times include omitting non-critical tests, and upgrading to the latest version of Nmap (performance enhancements are made frequently). For e.g. Optimizing timing parameters can also make a substantial difference. Those options are listed below.

--min-hostgroup <numhosts>; --max-hostgroup <numhosts> (Adjust parallel scan group sizes)
--min-parallelism <numprobes>; --max-parallelism <numprobes> (Adjust probe parallelization)
--min-rtt-timeout <time>, --max-rtt-timeout <time>, --initial-rtt-timeout <time> (Adjust probe timeouts)
--max-retries <numtries> (Specify the maximum number of port scan probe retransmissions)
--host-timeout <time> (Give up on slow target hosts)
--scan-delay <time>; --max-scan-delay <time> (Adjust delay between probes)
--min-rate <number>; --max-rate <number> (Directly control the scanning rate)

Furthermore, you (which you may already know) can specify them with the -T option and their number (0–5) or their name.  

-T paranoid|sneaky|polite|normal|aggressive|insane (Set a timing template)  

The template names are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5) as below:

T0 - The main effects of T0 are serializing the scan so only one port is scanned at a time, and waiting five minutes between sending each probe.
T1 and T2 are similar but they only wait 15 seconds and 0.4 seconds, respectively, between probes.
T3 is Nmap's default behavior, which includes parallelization.
T4 does the equivalent of --max-rtt-timeout 1250ms --min-rtt-timeout 100ms --initial-rtt-timeout 500ms --max-retries 6 and sets the maximum TCP scan delay to 10 milliseconds.
T5 does the equivalent of --max-rtt-timeout 300ms --min-rtt-timeout 50ms --initial-rtt-timeout 250ms --max-retries 2 --host-timeout 15m as well as setting the maximum TCP scan delay to 5 ms.
0
 
LVL 62

Expert Comment

by:btan
ID: 41784462
Scheduled means to run and leverage on scripts shared
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The 21st century solution to antiquated pagers.
February 24, 2017 — On February 23, Travis Ormandy, a vulnerability researcher at Google, reported on Twitter (https://twitter.com/taviso/status/834900838837411840) that massive stores of data have been leaked by CloudFlare, a company that provide…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question