
Getting started with Nmap - Part 8

In the last part, we learnt about the various options that Nmap provides for avoiding detection by firewalls and IDS. So far, all the Nmap output we've been looking at has gone to the console. In this post, we'll look at the various output options that Nmap provides for saving results to files.

Disclaimer: In this entire tutorial series, I have used scanme.nmap.org as the target host and sometimes my local machine itself. scanme.nmap.org is a machine set up by the Nmap developers for educational purposes, so it is legal to scan it a FEW TIMES A DAY. Scanning networks in general is a cyber crime and may even lead to jail. Please obtain permission before scanning random networks.

Create Text Output

The -oN option saves Nmap's normal output to a text file. While the results of the scan are stored in the text file, Nmap also outputs to STDOUT (usually, the console).

nikhilh@ubuntu:~$ nmap -d -oN scan-results.txt scanme.nmap.org
...
...

nikhilh@ubuntu:~$ cat scan-results.txt 
# Nmap 7.70 scan initiated Fri Aug 24 15:10:21 2018 as: nmap -d -oN scan-results.txt scanme.nmap.org
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received syn-ack (0.083s latency).
Scanned at 2018-08-24 15:10:21 PDT for 23s
Not shown: 997 filtered ports
Reason: 997 no-responses
PORT     STATE SERVICE    REASON
22/tcp   open  ssh        syn-ack
80/tcp   open  http       syn-ack
9929/tcp open  nping-echo syn-ack

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
# Nmap done at Fri Aug 24 15:10:44 2018 -- 1 IP address (1 host up) scanned in 23.06 seconds

It is important to note here that the debug information was not saved to the text file. By default, an existing output file is overwritten; to ensure that the previous contents of the file are not erased, use the --append-output option.

Create XML Output

The -oX option saves the results as XML, which is the most used output type. Scan results in XML format can also be used as input to Zenmap or Ndiff. While the results of the scan are stored in the XML file, Nmap also outputs to STDOUT (usually, the console).

nikhilh@ubuntu:~$ nmap -d -oX scan-results.xml scanme.nmap.org
...
...

nikhilh@ubuntu:~$ cat scan-results.xml 
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/local/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.70 scan initiated Fri Aug 24 15:20:07 2018 as: nmap -d -oX scan-results.xml scanme.nmap.org -->
<nmaprun scanner="nmap" args="nmap -d -oX scan-results.xml scanme.nmap.org" start="1535149207" startstr="Fri Aug 24 15:20:07 2018" version="7.70" xmloutputversion="1.04">
<scaninfo type="connect" protocol="tcp" numservices="1000" services="1,3-4,6-7,9,13,17,19-26,30,32-33,37,42-43,49,53,70,79-85,88-90,99-100,106,109-111,113,119,125,135,139,143-144,146,161,163,179,199,211-212,222,254-993,995,999-1002,1007,1009-
...
...
848,52869,54045,54328,55055-55056,55555,55600,56737-56738,57294,57797,58080,60020,60443,61532,61900,62078,63331,64623,64680,65000,65129,65389"/>
<verbose level="1"/>
<debugging level="1"/>
<taskbegin task="Ping Scan" time="1535149207"/>
<taskend task="Ping Scan" time="1535149207" extrainfo="1 total hosts"/>
<taskbegin task="Parallel DNS resolution of 1 host." time="1535149207"/>
<taskend task="Parallel DNS resolution of 1 host." time="1535149207"/>
<taskbegin task="Connect Scan" time="1535149207"/>
<taskend task="Connect Scan" time="1535149228" extrainfo="1000 total ports"/>
<host starttime="1535149207" endtime="1535149228"><status state="up" reason="syn-ack" reason_ttl="0"/>
<address addr="45.33.32.156" addrtype="ipv4"/>
<hostnames>
<hostname name="scanme.nmap.org" type="user"/>
<hostname name="scanme.nmap.org" type="PTR"/>
</hostnames>
<ports><extraports state="filtered" count="996">
<extrareasons reason="no-responses" count="996"/>
</extraports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="ssh" method="table" conf="3"/></port>
..
...
<runstats><finished time="1535149228" timestr="Fri Aug 24 15:20:28 2018" elapsed="21.08" summary="Nmap done at Fri Aug 24 15:20:28 2018; 1 IP address (1 host up) scanned in 21.08 seconds" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>

The above XML file has a hard-coded stylesheet path (the xml-stylesheet line), which makes it render correctly only on the system where it was created. To make a portable XML file, use the --webxml option along with -oX. To avoid referencing a stylesheet at all, use the --no-stylesheet option.
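
The XML above is meant to be consumed by tools, so here is an added example (not code from this post or from Nmap) that parses the nmaprun structure shown and then diffs the open ports of two scans, which is a simplified version of what Ndiff does. The XML strings are constructed from the elements in the listing, and the second scan (port 9929 filtered, port 31337 open) is hypothetical.

```python
"""Parse Nmap -oX output and diff open ports between two scans.
Added example (not from the post or from Nmap); standard library only."""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the nmaprun listing above, trimmed to the
# elements we read: the three open ports found on scanme.nmap.org.
SCAN_OLD = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" version="7.70" xmloutputversion="1.04">
<host><status state="up" reason="syn-ack" reason_ttl="0"/>
<address addr="45.33.32.156" addrtype="ipv4"/>
<ports><extraports state="filtered" count="997"/>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="ssh" method="table" conf="3"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="http" method="table" conf="3"/></port>
<port protocol="tcp" portid="9929"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="nping-echo" method="table" conf="3"/></port>
</ports></host>
</nmaprun>"""

# Hypothetical later scan of the same host: 9929 is now filtered, 31337 has opened.
SCAN_NEW = SCAN_OLD.replace(
    'portid="9929"><state state="open" reason="syn-ack"',
    'portid="9929"><state state="filtered" reason="no-response"',
).replace("</ports>", '<port protocol="tcp" portid="31337"><state state="open" '
          'reason="syn-ack" reason_ttl="0"/><service name="Elite"/></port></ports>')


def open_ports(xml_text):
    """Return {ip: {(proto, port): service}} for ports whose state is 'open'."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        ip = host.find("address").get("addr")  # first <address> is the IP
        result[ip] = {}
        for port in host.iter("port"):  # a down host has no <port> at all
            if port.find("state").get("state") != "open":
                continue  # explicitly listed closed/filtered ports
            svc = port.find("service")
            key = (port.get("protocol"), int(port.get("portid")))
            result[ip][key] = svc.get("name") if svc is not None else ""
    return result


def diff_scans(old_xml, new_xml):
    """Ndiff-style summary: ports that opened or closed since the old scan."""
    old, new = open_ports(old_xml), open_ports(new_xml)
    changes = {}
    for ip in sorted(set(old) | set(new)):
        before, after = set(old.get(ip, {})), set(new.get(ip, {}))
        if before != after:
            changes[ip] = {"opened": sorted(after - before), "closed": sorted(before - after)}
    return changes
```

Running `diff_scans(SCAN_OLD, SCAN_NEW)` gives `{'45.33.32.156': {'opened': [('tcp', 31337)], 'closed': [('tcp', 9929)]}}`, which is the kind of change you would want flagged when re-scanning your own hosts on a schedule.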

Create Grepable Output

The -oG option writes the results in a format that is convenient for grep to work on: one line per host, with all the port information on that line. While the results of the scan are stored in the text file, Nmap also outputs to STDOUT (usually, the console).

nikhilh@ubuntu:~$ nmap -d -oG scan-results.txt scanme.nmap.org
...
...

nikhilh@ubuntu:~$ cat scan-results.txt
# Nmap 7.70 scan initiated Fri Aug 24 15:27:16 2018 as: nmap -d -oG scan-results.txt scanme.nmap.org
# Ports scanned: TCP(1000;1,3-4,6-7,9,13,17,19-26,30,32-33,37,42-43,49,53,70,79-85,88-90,99-100,106,109-111,113,119,125,135,139,143-
...
...
56738,57294,57797,58080,60020,60443,61532,61900,62078,63331,64623,64680,65000,65129,65389) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 45.33.32.156 (scanme.nmap.org) Status: Up
Host: 45.33.32.156 (scanme.nmap.org) Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 9929/open/tcp//nping-echo///, 31337/open/tcp//Elite/// Ignored State: filtered (996)
# Nmap done at Fri Aug 24 15:27:37 2018 -- 1 IP address (1 host up) scanned in 21.75 seconds
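
As an added example (not code from this post or from Nmap), here is a small Python parser for the grepable format above. Each entry in the Ports field is seven slash-separated fields (port/state/protocol/owner/service/rpcinfo/version) with a trailing slash; the sample text is constructed from the line above plus a hypothetical second host, 192.0.2.10, with a closed port and a version string, to show the state filter at work.

```python
"""Parse Nmap -oG (grepable) output. Added example, not from the post or Nmap."""
import re

# Constructed sample: the Ports line from the scan above plus a hypothetical
# second host with a closed port and a version field, to exercise the parser.
# Real -oG output separates the Host/Ports/Ignored State fields with tabs.
GNMAP = """# Nmap 7.70 scan initiated Fri Aug 24 15:27:16 2018 as: nmap -oG scan-results.txt scanme.nmap.org
Host: 45.33.32.156 (scanme.nmap.org)\tStatus: Up
Host: 45.33.32.156 (scanme.nmap.org)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 9929/open/tcp//nping-echo///, 31337/open/tcp//Elite///\tIgnored State: filtered (996)
Host: 192.0.2.10 ()\tPorts: 25/closed/tcp//smtp///, 443/open/tcp//https//nginx 1.14/\tIgnored State: filtered (998)
# Nmap done at Fri Aug 24 15:27:37 2018 -- 2 IP addresses (2 hosts up) scanned in 21.75 seconds"""

HOST_RE = re.compile(r"^Host: (\S+) \((.*?)\)\s+Ports: (.*?)(?:\s+Ignored State:.*)?$")
# Each port entry is seven slash-separated fields (with a trailing slash).
PORT_FIELDS = ("port", "state", "protocol", "owner", "service", "rpcinfo", "version")


def parse_gnmap(text):
    """Return {ip: [port dicts]} from the 'Ports:' lines.
    Comment lines and the separate 'Status:' lines are skipped."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, _hostname, ports = m.groups()
        entries = []
        for item in ports.split(","):
            fields = item.strip().split("/")
            rec = dict(zip(PORT_FIELDS, fields))  # zip drops the empty 8th piece
            rec["port"] = int(rec["port"])
            entries.append(rec)
        hosts[ip] = entries
    return hosts


def open_services(text):
    """Flatten to sorted (ip, port, service) tuples for open ports only."""
    return sorted((ip, p["port"], p["service"])
                  for ip, ports in parse_gnmap(text).items()
                  for p in ports if p["state"] == "open")
```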

Create All Output Types

If you require all three output file types to be created at once, use the -oA option with a base filename; Nmap adds the .nmap, .xml and .gnmap extensions itself.

nikhilh@ubuntu:~$ nmap -d -oA scan-results scanme.nmap.org

nikhilh@ubuntu:~$ ls scan-results*
scan-results.gnmap  scan-results.nmap  scan-results.xml

That's it for my Nmap tutorial! It is very important for you to know that the options we've learnt over the course of this tutorial are not an exhaustive list of the options Nmap provides; they are the ones you must know when you start playing around with Nmap. For an exhaustive list of Nmap options, visit the docs page at: https://nmap.org/book/man.html.

If you have any questions, leave them in the comments below and I'll get back to you as soon as I can! Thanks for reading!
