Skip to main content

nmap

This Integration is part of the Nmap Pack.#

Run nmap scans with the given parameters. This integration was integrated and tested with version 7.70 of nmap. The nmap binary is shipped with the integration Docker. You can see the options available for running an nmap scan here: https://nmap.org/book/man-briefoptions.html. Some scan options require root access for using raw packet scanning techniques. See here for detailed scanning techniques. If you've configured the server to run Docker images with a non-root internal user and you want to use raw packet scanning (for example via the -sS option for SYN/ACK scan), make sure to exclude the demisto/nmap Docker image as documented here.

Configure nmap in Cortex#

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

nmap-scan#


Scan targets with the given parameters

Base Command#

nmap-scan

Input#
Argument NameDescriptionRequired
targetsThe targets to scan. Accepts comma-separated list.Required
optionsThe nmap options to use as documented by nmap.Required
Context Output#
PathTypeDescription
NMAP.Scan.SummaryunknownScan summary.
NMAP.Scan.Versionunknownnmap version.
NMAP.Scan.StartedunknownStart time epoch.
NMAP.Scan.EndedunknownEnd time epoch.
NMAP.Scan.CommandLineunknownThe command line being used.
NMAP.Scan.ScanTypeunknownThe type of discovery scan.
NMAP.Scan.Hosts.HostnameunknownDNS hostname of scanned host×¥
NMAP.Scan.Hosts.AddressunknownScanned host address.
NMAP.Scan.Hosts.StatusunknownIs the host up or down?
NMAP.Scan.Hosts.Services.PortunknownThe port of the service.
NMAP.Scan.Hosts.Services.ProtocolunknownThe protocol of the service.
NMAP.Scan.Hosts.Services.StateunknownThe state of the service.
NMAP.Scan.Hosts.Services.BannerunknownAny captured banner from the service.
NMAP.Scan.Hosts.Services.ServiceunknownThe service name.
NMAP.Scan.Hosts.ScriptResults.IDunknownThe name of the script used.
NMAP.Scan.Hosts.ScriptResults.OutputunknownThe raw results of the script execution.
NMAP.Scan.Hosts.ScriptResults.ElementsunknownAdditional parseable fields from the script output.

Command Example#

!nmap-scan options="-sV" targets=scanme.nmap.org

Context Example#

{
"NMAP": {
"Scan": {
"CommandLine": "/usr/bin/nmap -oX - -vvv --stats-every 1s -sV scanme.nmap.org",
"Ended": 1588340465,
"Hosts": [
{
"Address": "45.33.32.156",
"Hostname": "scanme.nmap.org",
"Services": [
{
"Banner": "",
"Port": 21,
"Protocol": "tcp",
"Service": "tcpwrapped",
"State": "open"
},
{
"Banner": "product: OpenSSH version: 6.6.1p1 Ubuntu 2ubuntu2.13 extrainfo: Ubuntu Linux; protocol 2.0 ostype: Linux",
"Port": 22,
"Protocol": "tcp",
"Service": "ssh",
"State": "open"
},
{
"Banner": "product: Apache httpd version: 2.4.7 extrainfo: (Ubuntu)",
"Port": 80,
"Protocol": "tcp",
"Service": "http",
"State": "open"
},
{
"Banner": "",
"Port": 1723,
"Protocol": "tcp",
"Service": "tcpwrapped",
"State": "open"
},
{
"Banner": "",
"Port": 5060,
"Protocol": "tcp",
"Service": "sip",
"State": "open"
},
{
"Banner": "product: Nping echo",
"Port": 9929,
"Protocol": "tcp",
"Service": "nping-echo",
"State": "open"
},
{
"Banner": "",
"Port": 31337,
"Protocol": "tcp",
"Service": "tcpwrapped",
"State": "open"
}
],
"Status": "up"
}
],
"ScanType": "connect",
"Started": 1588340281,
"Summary": "Nmap done at Fri May 1 13:41:05 2020; 1 IP address (1 host up) scanned in 183.98 seconds",
"Version": "7.70"
}
}
}

Human Readable Output#

Nmap done at Fri May 1 13:41:05 2020; 1 IP address (1 host up) scanned in 183.98 seconds#

Nmap scan report for scanme.nmap.org (45.33.32.156)#

Host is up.#

Services#

PortProtocolStateServiceBanner
21tcpopentcpwrapped
22tcpopensshproduct: OpenSSH version: 6.6.1p1 Ubuntu 2ubuntu2.13 extrainfo: Ubuntu Linux; protocol 2.0 ostype: Linux
80tcpopenhttpproduct: Apache httpd version: 2.4.7 extrainfo: (Ubuntu)
1723tcpopentcpwrapped
5060tcpopensip
9929tcpopennping-echoproduct: Nping echo
31337tcpopentcpwrapped