
scanner-infrastructure-nmap's Introduction

title: Nmap
path: scanner/Nmap
category: scanner
usecase: Network Scanner
release:


Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

About

This repository contains a self-contained µService utilizing the Nmap network scanner for the secureCodeBox project. To learn more about the Nmap scanner itself, visit nmap.org.

Nmap Configuration

The Nmap scan target is set via the target's location of the securityTest. The target should be a hostname or an IP address.

Additional Nmap scan features can be configured via the NMAP_PARAMTER attribute. For a detailed explanation of which parameters are available, refer to the Nmap Reference Guide.

Some useful example parameters are listed below:

  • -p xx: Scan ports of the target. Replace xx with a single port number or a range of ports.
  • -PS, -PA, -PU xx: Host discovery using TCP SYN, TCP ACK or UDP probes. Replace xx with the ports to probe.
  • -sV: Determine service and version info.
  • -O: Determine OS info. Note: this requires the user to be run as root, or the system capabilities to be extended to allow Nmap to send raw sockets. See the information on how to deploy the secureCodeBox Nmap container to allow this, and the Nmap docs about privileged scans.
  • -A: Determine service/version and OS info.
  • -script xx: Replace xx with the script name. Start the scan with the given script.
  • --script xx: Replace xx with a comma-separated list of scripts. Start the scan with the given scripts.

Example

Example configuration:

[
    {
        "name": "nmap",
        "context": "BodgeIt",
        "target": {
            "name": "BodgeIt",
            "location": "bodgeit.example.com",
            "attributes": {
                "NMAP_PARAMTER": "-Pn"
            }
        }
    }
]

Example Output:

{
    "findings": [
        {
            "id": "40d62ef5-81ca-4880-b59f-bd541f5d7c60",
            "name": "http",
            "description": "Port 80 is open using tcp protocol.",
            "category": "Open Port",
            "osi_layer": "NETWORK",
            "severity": "INFORMATIONAL",
            "attributes": {
                "port": 80,
                "state": "open",
                "ip_address": "192.168.0.1",
                "mac_address": null,
                "protocol": "tcp",
                "hostname": "bodgeit.example.com",
                "method": "table",
                "operating_system": null,
                "service": "http",
                "serviceProduct": null,
                "serviceVersion": null,
                "scripts": null
            },
            "location": "tcp://192.168.0.1:80",
            "false_positive": false
        },
        {
            "id": "120b6403-fb95-4794-92a6-af6ec53ecc54",
            "name": "https",
            "description": "Port 443 is open using tcp protocol.",
            "category": "Open Port",
            "osi_layer": "NETWORK",
            "severity": "INFORMATIONAL",
            "attributes": {
                "port": 443,
                "state": "open",
                "ip_address": "192.168.0.1",
                "mac_address": null,
                "protocol": "tcp",
                "hostname": "bodgeit.example.com",
                "method": "table",
                "operating_system": null,
                "service": "https",
                "serviceProduct": null,
                "serviceVersion": null,
                "scripts": null
            },
            "location": "tcp://192.168.0.1:443",
            "false_positive": false
        },
        {
            "id": "a24c9e95-536f-4374-9ef8-a76e4ac526c4",
            "name": "https-alt",
            "description": "Port 8443 is open using tcp protocol.",
            "category": "Open Port",
            "osi_layer": "NETWORK",
            "severity": "INFORMATIONAL",
            "attributes": {
                "port": 8443,
                "state": "open",
                "ip_address": "192.168.0.1",
                "mac_address": null,
                "protocol": "tcp",
                "hostname": "bodgeit.example.com",
                "method": "table",
                "operating_system": null,
                "service": "https-alt",
                "serviceProduct": null,
                "serviceVersion": null,
                "scripts": null
            },
            "location": "tcp://192.168.0.1:8443",
            "false_positive": false
        },
        {
            "id": "9260dd97-a571-4a25-a253-d6ca9ccbb234",
            "name": "dynamid",
            "description": "Port 9002 is open using tcp protocol.",
            "category": "Open Port",
            "osi_layer": "NETWORK",
            "severity": "INFORMATIONAL",
            "attributes": {
                "port": 9002,
                "state": "open",
                "ip_address": "192.168.0.1",
                "mac_address": null,
                "protocol": "tcp",
                "hostname": "bodgeit.example.com",
                "method": "table",
                "operating_system": null,
                "service": "dynamid",
                "serviceProduct": null,
                "serviceVersion": null,
                "scripts": null
            },
            "location": "tcp://192.168.0.1:9002",
            "false_positive": false
        },
        {
            "id": "c98330a6-b2b3-4d12-b0f5-d41af0a13dbe",
            "name": "Host: bodgeit.example.com",
            "description": "Found a host",
            "category": "Host",
            "osi_layer": "NETWORK",
            "severity": "INFORMATIONAL",
            "attributes": {
                "ip_address": "192.168.0.1",
                "hostname": "bodgeit.example.com",
                "operating_system": null
            },
            "location": "bodgeit.example.com",
            "false_positive": false
        }
    ]
}

Development

Configuration Options

To configure this service, specify the following environment variables:

Environment Variable          Example Value
ENGINE_ADDRESS                http://engine
ENGINE_BASIC_AUTH_USER        username
ENGINE_BASIC_AUTH_PASSWORD    123456

Local setup

  1. Clone the repository
  2. Install the dependencies: npm install
  3. Run locally: npm start

Test

To run the test suite, run:

npm test

Build with docker

To build the Docker container, run: docker build -t CONTAINER_NAME:LABEL .


scanner-infrastructure-nmap's Issues

NMAP crashes if a host should be scanned which is not resolvable any more

Describe the bug
As a security tester I would like to use the combined AMASS-NMAP scan to automatically scan all found subdomains with NMAP directly. Sometimes AMASS returns subdomains which are too old and therefore no longer available. But in these cases the subsequent NMAP scan crashes because it tries to scan a host which is no longer available. This NMAP error crashes the complete scan process even though it has already found valid results.

To Reproduce
Steps to reproduce the behavior:

  1. Start a securityTest with the amass-nmap scan like:

[
  {
    "name": "amass-nmap",
    "context": "my-applicationteam",
    "metaData": {
    },
    "target": {
      "name": "example.com Website Test",
      "location": "example.com",
      "attributes": {
        "NO_DNS": true,
        "NMAP_CONFIGURATION_PROFILE": "HTTP_PORTS",
        "NMAP_HTTP_HEADERS": true
      }
    }
  }
]

  2. The SCB NMAP scanner crashes if amass returns an old subdomain which is no longer resolvable:

SCANNING location: "nolonger.available.example.com", parameters: "-Pn -p 80,8080,443,8443 --script=http-headers"
WARNING: No targets were specified, so 0 hosts scanned.
Failed to perform Job "ae685f00-8b0e-11ea-a74e-0a580a81026f" Error: Failed to execute nmap portscan.
    at ScannerScaffolding.worker [as _worker] (/src/src/nmap.js:138:23)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (internal/process/task_queues.js:94:5)
Job Failure submitted succesfully. 

  3. NMAP instead informs about the real problem here:

nmap nolonger.available.example.com -Pn -p 80,8080,443,8443 --script=http-headers
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-30 20:34 CEST
Failed to resolve "nolonger.available.example.com".
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 18.30 seconds

Expected behavior
In this case NMAP must not crash completely and stop the complete amass-nmap scan. It would be great if in such a case instead of an error a new informational finding would be generated by NMAP:

Finding:

{
    "id": "335edb1d-7105-40f9-843b-0f1b62e0872f",
    "name": "Host not found",
    "description": "Failed to resolve \"nolonger.available.example.com\".",
    "category": "Host",
    "osi_layer": "NETWORK",
    "severity": "INFORMATIONAL",
    "attributes": {
      "ip_address": null,
      "hostname": "nolonger.available.example.com",
      "operating_system": null
    }
}

Extend NMAP result parsing to identify more port-specific service information

Is your feature request related to a problem? Please describe.
As a security tester I would like to get more port-specific information in my Kibana dashboard. Therefore I use the service detection of the nmap scanner with a configuration like:

SCB API Call PUT securityTest:

[
  {
    "context": "internal-network",
    "name": "nmap",
    "target": {
      "attributes": {
        "NMAP_PARAMETER": "-Pn -sV"
      },
      "location": "192.168.X.X/24",
      "name": "internal intensive Test scan"
    },
    "tenant": "comanyInternal",
    "metaData": {
      "vlan": "LAN"
    }
  }
]

During the scan process the nmap scanner returns an XML file which contains all result information, which is then parsed and later on persisted. For the service detection use case there is some additional information (attributes and elements) which is not parsed yet by the scb-nmap-scanner:

  • missing port attributes (in Kibana later on in the process):
    • <service> attribute ostype
    • <service> attribute conf
    • <service> attribute method
    • <service> attribute extrainfo
    • List of all elements

Example NMAP XML Output:

<hostname name="XXX-myhost" type="PTR"/>
</hostnames>
<ports><extraports state="filtered" count="993">
<extrareasons reason="no-responses" count="993"/>
</extraports>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="http" product="Microsoft IIS httpd" version="10.0" ostype="Windows" method="probed" conf="10"><cpe>cpe:/a:microsoft:iis:10.0</cpe><cpe>cpe:/o:microsoft:windows</cpe></service></port>
<port protocol="tcp" portid="135"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="msrpc" product="Microsoft Windows RPC" ostype="Windows" method="probed" conf="10"><cpe>cpe:/o:microsoft:windows</cpe></service></port>
<port protocol="tcp" portid="139"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="netbios-ssn" product="Microsoft Windows netbios-ssn" ostype="Windows" method="probed" conf="10"><cpe>cpe:/o:microsoft:windows</cpe></service></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="microsoft-ds" product="Microsoft Windows 7 - 10 microsoft-ds" extrainfo="workgroup: XXXX" hostname="XXXXXXXX" ostype="Windows" method="probed" conf="10"><cpe>cpe:/o:microsoft:windows</cpe></service></port>
<port protocol="tcp" portid="1433"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="ms-sql-s" product="Microsoft SQL Server 2016" version="13.00.1742" ostype="Windows" method="probed" conf="10"><cpe>cpe:/a:microsoft:sql_server:2016</cpe><cpe>cpe:/o:microsoft:windows</cpe></service></port>
<port protocol="tcp" portid="3306"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="mysql" product="MySQL" extrainfo="unauthorized" method="probed" conf="10"><cpe>cpe:/a:mysql:mysql</cpe></service></port>
<port protocol="tcp" portid="3389"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="ms-wbt-server" product="Microsoft Terminal Services" ostype="Windows" method="probed" conf="10"><cpe>cpe:/o:microsoft:windows</cpe></service></port>
</ports>
<times srtt="24931" rttvar="4136" to="100000"/>
</host>
<runstats><finished time="1585053264" timestr="Tue Mar 24 13:34:24 2020" elapsed="11.34" summary="Nmap done at Tue Mar 24 13:34:24 2020; 1 IP address (1 host up) scanned in 11.34 seconds" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>

Describe the solution you'd like
It would be great if this additional service-related information were parsed by the scb-nmap-scanner so that I can analyse it in my security monitoring (Kibana dashboard).

NMAP crashes if a NMAP CLI warning appears

Describe the bug
As a security tester I would like to configure nmap scans with intensive version detection of all found ports. In some cases NMAP shows warnings regarding the version detection. If a warning appears, the SCB NMAP scanner crashes instead of ignoring them.

To Reproduce
Steps to reproduce the behavior:

  1. Start an nmap securityTest with version detection (within the SCB API)
[
  {
    "context": "Feature Team 1",
    "metaData": {
      "additionalProp1": "string",
      "additionalProp2": "string",
      "additionalProp3": "string"
    },
    "name": "nmap",
    "target": {
      "attributes": {
        "NMAP_PARAMETER": "--top-ports 250 -sV --version-intensity 2"
      },
      "location": "192.168.0.1/24",
      "name": "SecureCodeBox Demo NMAP Scan"
    }
  }
]
  2. If a warning appears like the following, the scanner crashes like:

SCANNING location: "192.168.0.1/24", parameters: "--top-ports 250 -sV --version-intensity 2"
WARNING: Service 192.168.0.157:80 had already soft-matched rtsp, but now soft-matched sip; ignoring second value
Failed to perform Job "ae1fb39a-897a-11ea-bb19-0a580a80028f" Error: Failed to execute nmap portscan.
    at ScannerScaffolding.worker [as _worker] (/src/src/nmap.js:138:23)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (internal/process/task_queues.js:94:5)
Job Failure submitted succesfully.

  3. If you do the same with nmap natively you get:
nmap 192.168.0.1/24 --top-ports 250 -sV --version-intensity 2
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-30 21:10 CEST
WARNING: Service 192.168.0.92:80 had already soft-matched rtsp, but now soft-matched sip; ignoring second value
WARNING: Service 192.168.0.152:80 had already soft-matched rtsp, but now soft-matched sip; ignoring second value
WARNING: Service 192.168.0.157:80 had already soft-matched rtsp, but now soft-matched sip; ignoring second value

(all results...)

Expected behavior
The NMAP scanner must not crash if a warning appears. Instead it should just ignore them and work on...

Operating System scans need root rights

Nmap Scan using -O Flag to scan the operating system currently fails because nmap needs root rights to perform the scan.

The preferred solution to this problem is to find a way to perform the scan without root rights.

NMAP Scanner fails without any failure feedback

While running a NMAP process with multiple targets the scanner fails with (log):

Started working on Job "20eb4e41-6a5b-11e8-810c-0a580a8201fd"
SCANNING 6 locations
SCANNING location: ***********, parameters:
SCANNING location: ***********, parameters:
SCANNING location: ***********, parameters:
Failed to resolve "**************".
WARNING: No targets were specified, so 0 hosts scanned.
Failed to perform Job "20eb4e41-6a5b-11e8-810c-0a580a8201fd" Error: Failed to execute nmap portscan.
    at ScannerScaffolding.worker [as _worker] (/src/src/nmap.js:81:19)
    at <anonymous>
    at process._tickCallback (internal/process/next_tick.js:188:7)

But the engine process is still running. So...

  • the failure feedback is somehow missing (API -> Failure)
  • The scanner shouldn't stop to scan all other (configured) hosts
