Recently a colleague of mine at nullsecurity.net released a new scanning tool called wnmap. Basically it’s a wrapper around nmap which helps automating the scanning process by using simple configuration files. Let’s have a look at it..
Configuration
Make sure you you have downloaded the archive and open src/core/wnmap.conf in order to edit:
- the wnmap path
- editor preferences
- global parameters (to use in every scan)
Now the obligatory -help message:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
|
-==[ wnmap by nrz@nullsecurity.net ]==--
Usage: wnmap [options] <target specification> | <misc>
TARGET SPECIFICATION:
Can pass hostname or IP address.
OPTIONS:
SCANNING - USER MODE:
-F: 'fast' scan - nmap args: -F
-K: 'ack' scan - nmap args: -PA
-V: 'version' scan - nmap args: -sV -version-trace
-O: 'os' scan - nmap args: -O --osscan-guess
-M: 'script_malware' scan - nmap args: -script malware
-H: 'http-methods' scan - nmap args: -P0 --script=http-methods.nse -p 80,443
SCANNING - STANDARD MODE:
-C: chain all modes
LOAD NEW SCAN:
-a {wnmap_arg;mode_name;nmap_args;need_sudo?[true,false]}: add new scan to user mode
MISC:
-r: rescan host by default
-e: edit wmodes.conf
-v: print version of wnmap and exit
-h: print this help and exit
EXAMPLES:
wnmap -F 8.8.8.8 -r # scan again
wnmap -C scanme.nmap.org # give it all you got
wnmap -a "-I;iddle-scan;-P0 -p- -sI sweet.host.com;true"
wnmap -e # edit modes
|
As you can see the tool comes along with several **predefined **running modes. You can easily edit them at src/core/wmodes.conf:
1
2
3
4
5
6
7
8
|
% cat src/core/wmodes.conf
# SAMPLE FILE !!! DEFINE YOUR OWN MAGIC !!!
# wnmap_arg; mode_name; nmap_args; sudo?
-F;fast;-F;false
-K;ack;-PA;false
-V;version;-sV -version-trace;false
-O;os;-O --osscan-guess;true
-M;script_malware;-script malware;false
|
Quite handy, isn’t it? You can chain the modes using **-C. **
Add new mode
Let’s say I want to add a new mode, which will scan all hosts at port 80 and 443 for web services. In particular I want to the the supported HTTP methods at those ports.
You can easily use the command line to insert the new mode:
1
2
3
|
% ./wnmap -a "-H;http-methods;-P0 --script=http-methods.nse -p 80,443;false"
--==[ wnmap by nrz@nullsecurity.net ]==--
[+] New mode added!
|
or edit **src/core/wmodes.conf **directly.Now let’s scan a host using the newly inserted mode:
1
2
3
4
5
6
7
8
9
10
11
12
13
|
% ./wnmap -H scanme.nmap.org
--==[ wnmap by nrz@nullsecurity.net ]==--
[+] Creating scanme.nmap.org/http-methods
[+] Scanning scanme.nmap.org
[*] cmd: /usr/bin/nmap -P0 --script=http-methods.nse -p 80,443 --reason -oX scanme.nmap.org/http-methods/scanme.nmap.org.xml -oN scanme.nmap.org/http-methods/scanme.nmap.org.nmap scanme.nmap.org
Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-11 15:32 CEST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up, received user-set (0.18s latency).
PORT STATE SERVICE REASON
80/tcp open http syn-ack
|_http-methods: GET HEAD POST OPTIONS
443/tcp closed https conn-refused
Nmap done: 1 IP address (1 host up) scanned in 0.69 seconds
|
Now you should see a directory called scanme.nmap.org inside your working directory. The output of the scan was saved as a regular nmap file and as XML.
1
2
3
4
5
|
# tree scanme.nmap.org
scanme.nmap.org
`-- http-methods
|-- scanme.nmap.org.nmap
`-- scanme.nmap.org.xml
|
Combine modes
You could now combine the modes:
1
|
% ./wnmap -H -F scanme.nmap.org
|
And you’ll get:
1
2
3
4
5
6
7
8
|
# tree scanme.nmap.org
scanme.nmap.org
|-- fast
| |-- scanme.nmap.org.nmap
| `-- scanme.nmap.org.xml
`-- http-methods
|-- scanme.nmap.org.nmap
`-- scanme.nmap.org.xml
|