尝试从Nmap输出中提取部分

时间:2012-09-05 01:11:29

标签: sed awk nmap

我有一些来自Nmap Scan的数据。它看起来像这样。

Nmap scan report for 10.16.17.34
Host is up (0.011s latency).
Not shown: 65530 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
| http-headers: 
|   Date: THU, 30 AUG 2012 22:46:11 GMT
|   Expires: THU, 30 AUG 2012 22:46:11 GMT
|   Content-type: text/html
|   
|_  (Request type: GET)
443/tcp  open  https
| ssl-enum-ciphers: 
|   SSLv3
|     Ciphers (11)
|       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA - unknown strength
|       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA - unknown strength
|       TLS_RSA_EXPORT_WITH_DES40_CBC_SHA - unknown strength
|       TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 - unknown strength
|       TLS_RSA_EXPORT_WITH_RC4_40_MD5 - unknown strength
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
|       TLS_RSA_WITH_DES_CBC_SHA - unknown strength
|       TLS_RSA_WITH_RC4_128_MD5 - unknown strength
|       TLS_RSA_WITH_RC4_128_SHA - strong
|   TLSv1.0
|     Ciphers (10)
|       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA - unknown strength
|       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA - unknown strength
|       TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 - unknown strength
|       TLS_RSA_EXPORT_WITH_RC4_40_MD5 - unknown strength
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
|       TLS_RSA_WITH_DES_CBC_SHA - unknown strength
|       TLS_RSA_WITH_RC4_128_MD5 - unknown strength
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     Compressors (1)
|       NULL
|_  Least strength = unknown strength
2023/tcp open  xinuexpansion3

Nmap scan report for 10.16.40.0
Host is up (0.00062s latency).
All 65535 scanned ports on 10.16.40.0 are closed

Nmap scan report for 10.16.40.1
Host is up (0.00071s latency).
All 65535 scanned ports on 10.16.40.1 are closed

我试图做的是使用Awk,Sed或Grep或其他东西来提取任何以Nmap Scan开头的部分,并以空白的新行结尾并且其中包含ssl-enum-ciphers。我想到了Awk如何打印每个部分,但我无法检查ssl线。我已经离开了我的联盟 感谢

2 个答案:

答案 0 :(得分:0)

你所拥有的是空行分隔记录。您可以使用awk检查您的ssl-enum-ciphers:

awk -v RS='' '/ssl-enum-ciphers/' file.txt

这将检查记录是否包含短语'host down':

awk -v RS='' '/ssl-enum-ciphers/ && !/host down/' file.txt

通过将字段分隔符更改为换行符,可以使此更严格:

awk 'BEGIN { RS=""; FS="\n" } /ssl-enum-ciphers/ && $1 !~ /host down/' file.txt

在记录之间添加一些换行符:

awk 'BEGIN { RS=""; FS="\n" } /ssl-enum-ciphers/ && $1 !~ /host down/ { printf "%s\n\n", $0 }' file.txt

答案 1 :(得分:0)

处理Nmap文本输出很棘手且充满危险,因为它可以在不同版本之间进行更改。要解析Nmap输出,请使用带有-oX-oA参数的XML output。然后使用XML解析库或实用程序来提取所需的信息。

对于您的示例,请使用xmlstarlet提取包含host元素的script元素,并将id属性设置为“ssl-enum-ciphers”。此示例将输出目标的IP地址,然后输出ssl-enum-ciphers脚本的输出:

xmlstarlet sel -t -m '//script[@id="ssl-enum-ciphers"]' \
-v '../../../address[@addrtype="ipv4"]/@addr' -v '@output' output.xml

在Nmap的下一个版本中,脚本输出本身将进一步分解为XML结构,使得更容易执行输出仅使用的弱密码列表之类的事情。

相关问题