Monitoring the Environment: Nmap Diffing

td;lr

During the Red Team Operations, It is sometimes benifitial to monitor the dynamic nature of the client's Infrastructure. As a intial scan we can use nmap to monitor Network State in a short period of time gap and check if any specific port changes accordingly. We can simply use a small bash script for that🖥️ You can also modify this script as per your requirement.

RAW Bash Script

#!/bin/bash
mkdir /Nmap-Diffing/
d=$(date +%Y-%m-%d)
y=$(date -d yesterday +%Y-%m-%d)
/usr/bin/nmap -Pn -A -sV --max-retries 1 --max-scan-delay 20 --defeat-rst-ratelimit -T4 -p1-65535 -oX /Nmap-Diffing/scan_$d.xml 192.168.0.1/24 > /dev/null 2>&1
if [ -e /opt/nmap_diff/scan_$y.xml ]; then
	/usr/bin/ndiff /Nmap-Diffing/scan_$y.xml /Nmap-Diffing/scan_$d.xml > /Nmap-Diffing/diff
.txt 
fi

Setting up Cron

We can also set up a cron job and redirect logs to a file for our reference by adding cron job as below

0 9 * * * /THP/Recon/nmap-diffing.sh >> /var/log/demowebsite.log 2>&1

This is a very basic script that runs nmap every day using default ports and then uses ndiff to compare the results. We can then take the output of this script and use it to notify our team of new ports discovered daily.