Mark Zeman
Simplify your Nmap scanning now
The basic idea is that it simplifies using nmap by recommending scans and shipping with useful defaults. Instead of having to remember that discovering all the active hosts in a network looks like

sudo nmap -vvv --reason -e $INTERFACE $TIMING -sn -PS22-25,80,139,443,8080 -PU53,123,137,161 -PE -PP -PM -iL $ALL_TARGETS_FILE

you just run

./nmapAutomator.sh -H <ip in the network> -t network

and presto!
Running a network scan on 192.168.0.10
Host is likely running Linux
---------------------Starting Network Scan---------------------
Found the following live hosts:
192.168.0.11
192.168.0.12
192.168.0.13
192.168.0.14
---------------------Finished all scans------------------------
Completed in 2 seconds
It even automatically stores the output, both from the shell and in the .nmap format, so you cannot forget to save it. Of course, the drawback is that it hides all the options from you, so if you run into strangely behaving hosts and need a host timeout, you’ll have to go back to digging into the shell script yourself.
As nmapAutomator is written as a nicely commented shell script that doesn’t use cryptic short names, that is thankfully not too hard to do. Tweaking what it uses for network discovery is a simple edit away:
${nmapType} -T4 --max-retries 1 --max-scan-delay 20 -n -sn -oN nmap/Network_${HOST}.nmap ${subnet}/24
This is a much simpler scan than the one suggested above: it relies on nmap's default ping probes instead of an explicit probe list, drops --reason, and assumes the target network is a /24. For many networks it will be sufficient, and where it is not, modifying it is not hard. Five of the scan types consist purely of nmap runs: Network, Port, Script, Full and UDP.
The Vulns scan type also uses nmap, in the sense that the nmap scripting engine (NSE) powers the vulners script, which matches the service versions nmap detected against the Vulners database and, as nmapAutomator invokes it, reports only vulnerabilities with a CVSS score of 7.0 or higher. Because the matching is done on version strings from banners, a hit means "this version has known CVEs", not "this host is exploitable": backported patches and disabled features are invisible to it, so every finding still needs to be verified by hand.
Running Vuln scan on common ports
This may take a while, depending on the number of detected services..
PORT     STATE SERVICE  VERSION
25/tcp   open  smtp     Postfix smtpd
| smtp-vuln-cve2010-4344:
|_  The SMTP server is not Exim: NOT VULNERABLE
80/tcp   open  http     nginx (reverse proxy)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
143/tcp  open  imap     Dovecot imapd
443/tcp  open  ssl/http nginx (reverse proxy)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
465/tcp  open  ssl/smtp Postfix smtpd
| smtp-vuln-cve2010-4344:
|_  The SMTP server is not Exim: NOT VULNERABLE
587/tcp  open  smtp     Postfix smtpd
| smtp-vuln-cve2010-4344:
|   The SMTP server is not Exim: NOT VULNERABLE
993/tcp  open  imaps?
8090/tcp open  rtsp
| fingerprint-strings:
|   FourOhFourRequest, GetRequest, HTTPOptions:
|     HTTP/1.0 404 Not Found
|     content-type: text/html; charset=utf-8
|     content-length: 53
|     <html><body><h1>Resource not found</h1></body></html>
|   RTSPRequest:
|     RTSP/1.0 501 Not Implemented
|     content-length: 0
|   SIPOptions:
|     SIP/2.0 501 Not Implemented
|     content-length: 0
Despite the name, nmapAutomator doesn't only automate nmap; it also uses nmap's results to feed several other tools. Its point of pride is actually the Recon scan type, in which it suggests various tools with which to perform further scans.
Before going into what this mode can do, we have to acknowledge that this is also where its greatest UX failing lies. It gives the user 25 seconds to pick which tool to run, or to skip running anything, but the countdown redraws the prompt every second and wipes out whatever has been typed so far, gleefully reporting that smtp- was an "Incorrect Choice!". Correct, of course, but it was not possible to type smtp-user-enum fast enough to get it in within one second.
The suggestions are relatively simple but useful. There is no machine learning or similar, just a fixed list that, for example, runs dnsrecon if port 53/tcp was found open, or SNMP enumeration if port 161/udp is open. The flip side of a fixed port list is that a non-standard port like 8090 is not recognised as a web port, even though the fingerprint-strings output above shows it answering with HTTP responses, so no further recon is run against it.
Which commands would you like to run?
All (Default), ffuf, nikto, smtp-user-enum, sslscan, Skip
<!> Running Default in (1)s:
---------------------Running Recon Commands---------------------
Starting smtp-user-enum scan
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... /usr/share/wordlists/metasploit/unix_users.txt
Target count ............. 1
Username count ........... 168
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............

######## Scan started at Fri Apr  8 16:38:29 2022 ########
######## Scan completed at Fri Apr  8 16:38:32 2022 ########
0 results.

168 queries in 3 seconds (56.0 queries / sec)
Finished smtp-user-enum scan
=========================
Starting nikto scan
- Nikto v2.1.6

On top of that is the *All* type, which combines all the other scans. Using the information gathered in each step to refine the target list for the next, this is the most reliable way of using nmapAutomator.
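To make the two points above concrete, here is an added example of a minimal Recon-style recommender. It is not nmapAutomator's own code; the port-to-tool mapping, the tool names (ffuf, nikto, sslscan, smtp-user-enum, dnsrecon, snmpwalk), the sample nmap output and the file name are this example's assumptions. It reads nmap -oN text, maps open ports to follow-up tools, and prompts with a single timed read instead of a redrawing countdown, so typed input is never wiped. A port counts as a web port when nmap's service name contains "http" or when a fingerprint-strings block contains HTTP responses, which is exactly the 8090/tcp case in the scan above that nmapAutomator's fixed port list misses.

```shell
#!/usr/bin/env bash
# Added example (not nmapAutomator's code): Recon-style suggestions from
# nmap -oN output, plus a prompt that does not clobber the user's input.
# Tool mapping, tool names and sample data are assumptions for illustration.

# Constructed sample of nmap -oN output (not from a real host). 8090/tcp is
# labelled rtsp by nmap, but its fingerprint shows it speaks HTTP.
SAMPLE_NMAP='Nmap scan report for 192.168.0.10
PORT     STATE SERVICE  VERSION
25/tcp   open  smtp     Postfix smtpd
53/tcp   open  domain   ISC BIND 9.16
143/tcp  open  imap     Dovecot imapd
443/tcp  open  ssl/http nginx (reverse proxy)
8090/tcp open  rtsp
| fingerprint-strings:
|   GetRequest, HTTPOptions:
|     HTTP/1.0 404 Not Found
|     content-type: text/html; charset=utf-8
|   RTSPRequest:
|     RTSP/1.0 501 Not Implemented
161/udp  open  snmp     SNMPv1 server'

# recommend_recon: nmap -oN text on stdin -> one "tool port" line per
# suggestion on stdout. Script output lines ("| ...") that follow a port
# line are kept as that port's banner and inspected for HTTP responses.
recommend_recon() {
    awk '
    function flush(    web) {
        if (port == "") return
        web = (svc ~ /http/) || (banner ~ /HTTP\/1\.[01] [0-9][0-9][0-9]/)
        if (web)                 { print "ffuf " port; print "nikto " port }
        if (svc ~ /^ssl\//)      { print "sslscan " port }
        if (svc == "smtp")       { print "smtp-user-enum " port }
        if (svc == "domain")     { print "dnsrecon " port }
        if (svc == "snmp" && proto == "udp") { print "snmpwalk " port }
        port = ""; banner = ""
    }
    /^[0-9]+\/(tcp|udp) +open/ {
        flush()
        split($1, a, "/"); port = a[1]; proto = a[2]; svc = $3
        next
    }
    /^\|/ { banner = banner $0 "\n"; next }
    END   { flush() }
    '
}

# choose_tools SECONDS TOOL...: print the prompt once, wait up to SECONDS
# for a single line, and echo the validated choice. Timeout, EOF, an empty
# line or an unknown name all fall back to "All", the same default the
# original uses, but nothing is redrawn while the user is typing.
choose_tools() {
    local secs="$1"; shift
    local choice=""
    printf 'Which commands would you like to run? All (Default), %sSkip [%ss]: ' \
        "$(printf '%s, ' "$@")" "$secs" >&2
    if [ -n "${BASH_VERSION:-}" ]; then
        read -r -t "$secs" choice || choice=""
    else
        read -r choice || choice=""   # plain POSIX sh has no read -t; no timeout
    fi
    [ -z "$choice" ] && choice=All
    case " All Skip $* " in
        *" $choice "*) printf '%s\n' "$choice" ;;
        *) printf 'Incorrect choice "%s", running All\n' "$choice" >&2
           printf 'All\n' ;;
    esac
}

# demo: recommendations for the constructed sample, then one 25 s prompt.
demo() {
    suggestions=$(printf '%s\n' "$SAMPLE_NMAP" | recommend_recon)
    printf '%s\n' "$suggestions"
    # shellcheck disable=SC2046
    choose_tools 25 $(printf '%s\n' "$suggestions" | awk '{ print $1 }' | sort -u)
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Saved as, say, recon_recommend.sh (name assumed), `sh recon_recommend.sh demo` prints the suggestions for the sample, including ffuf and nikto for 8090/tcp, and then waits up to 25 seconds for a choice without touching what has been typed. Matching on nmap's service name rather than on a port list is also why 443/tcp gets sslscan in addition to the web tools: the name is ssl/http.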
Another nice thing about nmapAutomator is that it does not require a lot of dependencies. If you are using Kali Linux, the only missing dependency is gobuster or ffuf (either one works), as all the other tools it uses are already installed. Both are for brute-forcing directories and files on web servers, much like dirbuster or dirb. Used on its own, gobuster can also enumerate DNS subdomains, virtual host names on web servers and Amazon S3 buckets.
ffuf (Fuzz Faster U Fool) is a fuzzing tool that can also do a lot of extra fuzzing, including POST data or GET parameters. It can even pull in data generated by other tools and use that for its fuzzing. There is a quite comprehensive article about ffuf explaining all its different functions, including a video provided by Codingo.
Overall, nmapAutomator is a nice little tool that is simple to use and helps in getting started with scanning. Unfortunately, its scans are not very detailed, and in particular nmapAutomator does not provide good tooling for when a lot of hosts need to be scanned over multiple subnets. Additionally, gobuster and ffuf both offer a lot of functionality that could be integrated, even in a passive mode that does not POST data or similar. With a bit of customisation and work on its recon suggestions, nmapAutomator could become a great tool. As it is, it is already another example of just how many useful open-source tools the infosec community provides.