Page 1 of 1

parsing nmap output

Posted: Sat Apr 21, 2012 1:31 pm
by Dulus
OK, i have nmap output like this below, i have it all parsed in variable $lines
The lip adresses and the lines in format "22/tcp open ssh" are those which have importance to me

Code: Select all

Starting Nmap 5.00 ( http://nmap.org ) at 2012-04-19 20:08 CEST
Interesting ports on 192.168.70.6:
Not shown: 1022 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
23/tcp open  telnet

Interesting ports on 192.168.70.25:
Not shown: 1021 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
80/tcp  open  http
443/tcp open  https

Nmap done: 256 IP addresses (2 hosts up) scanned in 7.27 seconds
there may be multiple block of results in output not just two.
I need to get IP adresses and their corresponding Port_number protocol, state and name of service

My code which take care of parsing "Port_number protocol, state and name of service" is>

Code: Select all

$port_mappings = preg_grep('!^\d+/\S+ +\S+ !', $lines); // get the interesting lines
        $parsed_port_mappings = array();
        foreach($port_mappings as $port_mapping)
        {
            preg_match('!^(?P<port>\d+)/(?P<protocol>\S+) +(?P<state>\S+) +(?P<service>\S+)!', $port_mapping, $parsed_port_mappings[]);
        } 
when i want to access some value its get done by $parsed_port_mappings[X]['service'] where X is the number of line which has format like "21/tcp open ftp"

The problem is i need to make som adjustment which provide me some machanism to parse also IP addresses and their coresponding "Port_number protocol, state and name of service" best would be multiarray like "$parsed_port_mappings[X][Y]['service']" probably, where X will be the IP address and Y will be the corresponding lines or any other solution which will fit here. Thanks for your help.

Re: parsing nmap output

Posted: Sun Apr 22, 2012 3:30 pm
by Robert07
What you could do is loop through all the lines, not just the ones that match your pattern, and keep track of the IP in another variable:

Code: Select all

$thisIP='';
foreach ($lines as $line) {
  if (preg_match('/Interesting\sports\son\s([\d\.]+?):/', $line, $ipMatch)) {
    $thisIP=$ipMatch[0];
  }
  if (preg_match('!^(?P<port>\d+)/(?P<protocol>\S+) +(?P<state>\S+) +(?P<service>\S+)!', $line, $parsed_mappings)) {
    $parsed_port_mappings[$thisIP] = $parsed_mappings;
  }
}

Re: parsing nmap output

Posted: Mon Apr 23, 2012 6:08 am
by Weirdan
Why don't you output your nmap results in a machine-readable format, like XML (with -oX filename.xml switch) ?

Re: parsing nmap output

Posted: Mon Apr 23, 2012 7:18 am
by Dulus
Thank you Robert07. Your code needed some changes and it had to be extended, but you gave me an idea how to do it. It is working now. It is not perfect but its working. As a quick fix it is enough, later it will be optimized. There is some bug in my added code which makes some empty array elements, but that is easily filtered before saving to DB.Thank you again.

About that XML format, yes it occured to me, if it would be solely for me i will be going that way (much easier and less room for error), but the consultant said he wants to have "compatibility with outputs copied from the console". SO yeah it s*cks but it had to be done.

should i copy my working code here for "future use" for others ?