ScanPBNJ
| You are here: | ScanPBNJ
|
Description
ScanPBNJ performs an Nmap scan and then stores the results in a database. The ScanPBNJ stores information about the machine that has been scanned. ScanPBNJ stores the IP Address, Operating System, Hostname and a localhost bit. The localhost bit, is simply a single bit which is 1 when the target machine is localhost, otherwise it is 0. It also stores two timestamps for the machine table. The first is a human readable version and the second is the unix time. Both of these timestamp correspond to the first time that the machine was scanned.
ScanPBNJ stores information about the services that are found to be running on the target machine. ScanPBNJ stores typical information about the service, by storing the port and protocol. Also, ScanPBNJ stores version, product and service state information about each service. The service state can either be up or down. Two timestamps are also inserted for each instance of every service. The first is a human readable version and the second is the unix time. Both of these timestamp correspond to the time that the service was scanned.
This tool can give an admin a clear network layout with of all the machines with all the services they are running.
Apart of PBNJ 2.0 suite of tools to monitor changes on a network.
Installation
$ sudo apt-get install pbnj
Usage
Basic syntax
$ scanpbnj [Options] {target specification}
Target Specification
Can pass hostnames, IP addresses, networks, etc.
Ex: microsoft.com, 192.168.0.1, 192.168.1.1/24, 10.0.0.1-254
- -i --iplist <iplist>
- Scan using a list of IPs from a file
- -x --xml <xml-file>
- Parse scan/info from Nmap XML file
Scan Options
- -a --args <args>
- Execute Nmap with args (needs quotes)
- -e --extraargs <args>
- Add args to the default args (needs quotes)
- --inter <interface>
- Perform Nmap Scan using non default interface
- -m --moreports <ports>
- Add ports to scan ex: 8080 or 3306,5900
- -n --nmap <path>
- Path to Nmap executable
- -p --pingscan
- Ping Target then scan the host(s) that are alive
- --udp
- Add UDP to the scan arguments
- --rpc
- Add RPC to the scan arguments
- -r --range <ports>
- Ports for scan [def 1-1025]
- --diffbanner
- Parse changes of the banner
Config Options
- -d --dbconfig <config>
- Config for results database [def config.yaml]
- --configdir <dir>
- Directory for the database config file
- --data <file>
- SQLite Database override [def data.dbl]
- --dir <dir>
- Directory for SQLite or CSV file [def . ]
General Options
- --nocolors
- Don't Print Colors
- --test <level>
- Testing information
- --debug <level>
- Debug information
- -v --version
- Display version
- -h --help
- Display this information
Example
We first initialize the database by scanning a host (192.168.100.18) with TCP/SYN scan (-a '-sS'):
$ sudo scanpbnj -a '-sS' 192.168.100.18
--------------------------------------
Starting Scan of 192.168.100.18
Machine is already in the database
Checking Current Services
= ftp:21 is (unknown version) unknown product
= ssh:22 is (unknown version) unknown product
Scan Complete for 192.168.100.18
--------------------------------------
It detects 2 services on the machine (FTP on port 21/tcp and SSH on port 22/tcp).
Now we start a new service: Apache, on port 80/tcp:
$ sudo /etc/init.d/apache2 start
And we stop vsftpd (the daemon for FTP):
$ sudo /etc/init.d/vsftpd stop
We launch the scan again:
$ sudo scanpbnj -a '-sS' 192.168.100.18
--------------------------------------
Starting Scan of 192.168.100.18
Machine is already in the database
Checking Current Services
! Service 21:tcp ftp is down
= ssh:22 is (unknown version) unknown product
Inserting Service on 80:tcp http
Scan Complete for 192.168.100.18
--------------------------------------
We can easily identify what has been changed since the last scan:
- The service listening on port 21/tcp (identified as ftp) is DOWN
- A new service is running on port 80/tcp
We could also have done a version scan by passing the -sV argument to be able to identify the services.