Have you ever ran an nmap scan and accidentally closed the terminal, went past the scrollback buffer, or simply couldn’t recall what the results were later in the day? I have. A lot. This blog post will show an easy way to keep nmap scan history using shell functions and the tee command.
One of the things that penetration testers and sysadmins constantly preach about is good record keeping. This makes a lot of sense:
- You will have records of what you ran and when. If you are accused of breaking something, you may be able to refute the accusing party’s claims.
- You may have a limited time window to perform the test. Having everything logged will help with writing your report.
- Running a scan or attempting an exploit more than once may get you caught. If you had logged your previous attempts, you won’t have to do this again.
- You can review previous scan results for changes.
- You can review prior scan results on repeat engagements. They may not have fixed everything and you can score easy wins.
Many penetration testing tools have robust logging capabilities baked in, but more often than not they don’t or the output isn’t ideal. This leads to technicians getting creative with their tools’ shell prompts and using tools such as tmux, screen, and script to keep records. This solution works pretty well, but searching for specific command output can be cumbersome if your logs are somewhat sizeable.
One of the tools I need to review a lot is nmap. Since I have to do revisit scan results so often, I added this to my .bashrc/.zshrc to automatically log my scans:
# Log nmap scans to ~/.nmap
NMAP_BIN=$(which nmap)
if [ $? -eq 0 ]; then
if [ ! -d $HOME/.nmap ]; then
mkdir $HOME/.nmap
fi
nmap () {
NMAP_LOGFILE=$HOME/.nmap/nmap-$(date +%F-%T.%N).log
echo "nmap $@\n\n" > $NMAP_LOGFILE
$NMAP_BIN $@ |tee -a $NMAP_LOGFILE
}
fi
This allows me to reference the scan in my ~/.nmap directory instead of opening a script or screen logfile and searching for what I need.
DMFR SECURITY 