The rise of reconnaissance tools in the last decade has been remarkable.
And understandably so; cybersecurity continues to receive significant attention on all fronts, from secretive accounts of cyber espionage to the now rather ubiquitous corporate breach scenarios pressuring organizations across the globe. Better security comes at a price too, and in the absence of significant security measures anti-patterns quickly evolve to give miscreants ample targets of opportunity.
While the existence of indiscriminate internet scanning is largely accepted, automating the information gathering process in a meaningful and productive fashion entails a conscientious effort to arrive at a suitable combination of the best tools and techniques. In the recent past, fine-grained intelligence driven by tools like Nmap, and its supporting Nmap Scripting Engine (NSE), has hinted at the success of open-source tools in dealing with footprinting—the active collection of infrastructure data points, and other interesting aspects, beyond simple enumeration—a growing trend in the identification of exposed assets and applications.
In this blog post, we'll examine the nmapAutomator project, as it automates and extends the classification and vulnerability assessment stages of targeted infrastructure via the traditional triggers provided by Nmap's most prominent features, which include port scanning and similar methods. Introducing such a tool would not be complete without practical examples and potential use cases, including some instructions to deliver a seamless setup experience.
Let's take a peek.
What is nmapAutomator?
The Nmap automator, otherwise known as nmapAutomator, is essentially a POSIX-compatible shell script that automates the process of target discovery, enumeration, and reconnaissance by leveraging Nmap commands in a unique way. Normally, mastering a tool like Nmap will require not only the ability to memorize and apply a myriad of command-line arguments, or flags, but also the capacity to transform a wealth of output into a consumable product; consequently, conducting scanning activities with such level of detail can easily take several days (if not weeks) to complete.
Depending on certain host and network conditions, nmapAutomator can deploy a full-range Nmap vulnerability scan and CVE identification sequence well under 30 minutes. This may seem like a long time, but keep in mind that the scan types are designed to produce as much actionable intelligence about a target as possible. Additionally, nmapAutomator includes running instances of tools such as SSLscan, Nikto, and FFuF, all known throughout the bug bounty and pentesting ecosystems.
In all, nmapAutomator supports the following scanning features:
- Network: Shows all live hosts in the host's network (~15 seconds)
- Port: Shows all open ports (~15 seconds)
- Script: Runs a script scan on found ports (~5 minutes)
- Full: Runs a full range port scan, then runs a thorough scan on new ports (~5-10 minutes)
- UDP: Runs a UDP scan (requires sudo) (~5 minutes)
- Vulns: Runs CVE scan and Nmap Vulns scan on all found ports (~5-15 minutes)
- Recon: Suggests recon commands, then prompts to automatically run them
- All: Runs all the scans (~20-30 minutes)
For example, the -t Network scan type takes a single IP address and discovers the live hosts in the same subnet.
Nmap automation on remote hosts via nmapAutomator can be achieved with the help of the -r/--remote flag. Known as Remote Mode, this feature (still under development) was designed to harness POSIX shell commands without relying on any external tools.
Many of the ethical hacking tools required by nmapAutomator should already be part of popular distributions such as Kali Linux and Parrot OS. Besides SSLscan, Nikto, and FFuF, as aforementioned, this list includes: ldapsearch, snmpwalk, snmp-check, smtp-user-enum, droopescan, smbmap, enum4linux, dnsrecon, odat, wpscan, joomscan, gobuster, and nmap_vulners.
To meet some of these requirements, for example, tools such as FFuF and Gobuster can be installed with:
sudo apt update && sudo apt install ffuf -y
sudo apt update && sudo apt install gobuster -y
Conversely, installing the nmapAutomator script itself can be accomplished using:
git clone https://github.com/21y4d/nmapAutomator.git
sudo ln -s $(pwd)/nmapAutomator/nmapAutomator.sh /usr/local/bin/
Furthermore, when running nmapAutomator, if any of the recommended tools are found to be missing, they will be automatically omitted, and the user will be notified.
Using nmapAutomator is straightforward. The conditions are given by the following parameters:
nmapAutomator.sh -H/--host <TARGET-IP> -t/--type <TYPE>
where the target host can take the form of an IPv4 address (220.127.116.11) or a hostname (scanme.nmap.org), and the -t option specifies the scan type (e.g., Port). For instance:
./nmapAutomator.sh --host 10.1.1.1 --type All
./nmapAutomator.sh -H 10.1.1.1 -t Basic
./nmapAutomator.sh -H example.com -t Recon -d 18.104.22.168
./nmapAutomator.sh -H 10.10.10.10 -t network -s ./nmap
In addition, there are a handful of optional parameters such as -d, which allows you to specify DNS servers, or -o, which allows you to set the output directory where the final report will reside. nmapAutomator saves the output of each scan type into a separate file under the output directory, as well as the entire script output, which you can view later using your favorite tool.
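Two behaviours described above, skipping recommended tools that are not installed while telling the user, and running the Script stage only against the ports a preceding Port scan found open, are easy to picture in POSIX shell. The following is an added, simplified sketch written for this article; it is not nmapAutomator's own code, and the grepable-output parsing and the exact follow-up command line are assumptions about how such chaining can be done, not a description of the project's internals. The sample Nmap grepable (-oG) output is constructed, so the script runs offline without scanning anything.

```sh
#!/bin/sh
# Added example (not the project's own script): a minimal sketch of how a
# reconnaissance wrapper can (1) report recommended tools that are missing
# from PATH and (2) turn a quick port scan's grepable output into the port
# list for a follow-up default-script (-sC) scan.

# (1) Print, one per line, every tool name given that is not on PATH.
# A wrapper can then skip those stages instead of failing mid-run.
missing_tools() {
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || echo "$tool"
    done
}

# (2) Read Nmap grepable (-oG) output on stdin and emit the open TCP ports as
# a comma-separated, numerically sorted list suitable for `nmap -p`.
# A grepable "Host:" line looks like (tab-separated fields, assumed layout):
#   Host: 192.0.2.10 ()<TAB>Ports: 22/open/tcp//ssh///, 80/open/tcp//http///<TAB>Ignored State: closed (998)
open_ports_from_gnmap() {
    grep '^Host:.*Ports:' \
      | sed 's/.*Ports: //; s/[[:space:]]*Ignored State:.*//' \
      | tr ',' '\n' \
      | sed 's/^[[:space:]]*//' \
      | awk -F/ '$2 == "open" && $3 == "tcp" { print $1 }' \
      | sort -n -u \
      | paste -s -d ',' -
}

# Build the follow-up command for the Script stage: Nmap's default script set
# (-sC, as the post notes) restricted to the ports already found open.
# Returns 1 and prints nothing on stdout when there is nothing to scan.
script_scan_command() {
    target=$1
    ports=$2
    if [ -z "$ports" ]; then
        echo "no open TCP ports found for $target; skipping script scan" >&2
        return 1
    fi
    echo "nmap -sC -p $ports -oN script_scan.nmap $target"
}

# Constructed sample of grepable output (not a real scan result).
SAMPLE_GNMAP=$(printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 25/filtered/tcp//smtp///, 80/open/tcp//http///\tIgnored State: closed (997)\n')

main() {
    echo "Recommended tools not installed (these stages would be skipped):"
    missing_tools nmap nikto ffuf sslscan gobuster | sed 's/^/  /'
    ports=$(printf '%s\n' "$SAMPLE_GNMAP" | open_ports_from_gnmap)
    echo "Open TCP ports from sample: $ports"
    script_scan_command 192.0.2.10 "$ports"
}

main "$@"
```

Running the script prints the tools it could not find on the current host, then the port list parsed from the constructed sample (22,80) and the follow-up Nmap command built from it. Filtered ports and non-TCP entries are deliberately left out of the list so that the Script stage targets only what actually responded.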
Additional features are currently in the pipeline and will be added in future releases, including enabling multiple scan types in one scan, scanning multiple hosts in one scan, and implementing Remote Mode on all scans.
Once again, nmapAutomator was designed with ease of use in mind; thus, we are going to create a simple test case against the domain scanme.nmap.org — this is a server provided by the Nmap project, which has authorized users to scan this endpoint for testing purposes as long as the scanning activity isn't excessive or too intrusive.
Using the -t Recon scan option, your results should be similar to this:
Nikto then starts its web server reconnaissance; its results are shown below:
Now it's time to see FFuF in action:
Similarly, we can try the -t Script option on discovered ports—these scripts make up the default set and are equivalent to using Nmap's -sC or -A flags, and they are considered safe as they won't perform any unintended activity that could interfere with normal operations on the target host. However, some will definitely trigger IDS or IPS events, so proceed with caution.
Let's run the above against an internal Apache server and watch the results:
Throughout all our tests, nmapAutomator exhibited impressive running times and scanning dynamics. Given its ability to run as a background process in an automated fashion, it is difficult to imagine such a tool not becoming a permanent addition to the recon and enumeration stockpiles, even though these spaces abound with time-tested principles and applications.
We invite you to give nmapAutomator a try and see for yourself the numerous advantages to be found in a tool that allows you to focus on your reconnaissance and pentesting while leaving aside overcomplicated configurations.
You won't be disappointed.