.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sh \" Subsection heading
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\"  diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
'br\}
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.if \nF \{\
.    de IX
.    tm Index:\\$1\t\\n%\t"\\$2"
..
.    nr % 0
.    rr F
.\}
.\"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.hy 0
.if n .na
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
.    \" fudge factors for nroff and troff
.if n \{\
.    ds #H 0
.    ds #V .8m
.    ds #F .3m
.    ds #[ \f1
.    ds #] \fP
.\}
.if t \{\
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.    ds #V .6m
.    ds #F 0
.    ds #[ \&
.    ds #] \&
.\}
.    \" simple accents for nroff and troff
.if n \{\
.    ds ' \&
.    ds ` \&
.    ds ^ \&
.    ds , \&
.    ds ~ ~
.    ds /
.\}
.if t \{\
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
.    \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.    \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.    \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.    ds : e
.    ds 8 ss
.    ds o a
.    ds d- d\h'-1'\(ga
.    ds D- D\h'-1'\(hy
.    ds th \o'bp'
.    ds Th \o'LP'
.    ds ae ae
.    ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SCANPBNJ.MAN.1 1p"
.TH SCANPBNJ.MAN.1 1p "2006-11-06" "perl v5.8.8" "User Contributed Perl Documentation"
.SH "NAME"
.Vb 2
\& ScanPBNJ \- a program for running Nmap scans and storing the results in
\& a PBNJ 2.0 database.
.Ve
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& scanpbnj [Options] {target specification}
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
.Vb 9
\& ScanPBNJ performs an Nmap scan and then stores the results in
\& a database. ScanPBNJ stores information about the machine that has
\& been scanned.
\& ScanPBNJ stores the IP Address, Operating System,
\& Hostname and a localhost bit. The localhost bit is simply a single
\& bit which is 1 when the target machine is localhost, otherwise it is
\& 0. It also stores two timestamps for the machine table. The first is
\& a human readable version and the second is the unix time. Both of
\& these timestamps correspond to the first time that the machine was
\& scanned.
.Ve
.PP
.Vb 8
\& ScanPBNJ stores information about the services that are found to be
\& running on the target machine. ScanPBNJ stores typical information
\& about the service, by storing the port and protocol. Also, ScanPBNJ
\& stores version, product and service state information about each
\& service. The service state can either be up or down. Two timestamps
\& are also inserted for each instance of every service. The first is a
\& human readable version and the second is the unix time. Both of
\& these timestamps correspond to the time that the service was scanned.
.Ve
.PP
.Vb 2
\& This tool can give an admin a clear network layout of
\& all the machines with all the services they are running.
.Ve
.PP
.Vb 1
\& ScanPBNJ is part of the PBNJ 2.0 suite of tools to monitor changes on a network.
.Ve
.SH "OPTIONS"
.IX Header "OPTIONS"
.Vb 1
\& Usage: scanpbnj [Options] {target specification}
.Ve
.PP
.Vb 5
\& Target Specification:
\&   Can be an IP Address, hostname, network etc.
\&   Ex: microsoft.com, 10.0.0.0/24, 192.168.1.1, 10.0.0.0\-100
\&   \-i \-\-iplist       Scan using a list of IPs from a file
\&   \-x \-\-xml          Parse scan/info from Nmap XML file
.Ve
.PP
.Vb 10
\& Scan Options:
\&   \-a \-\-args         Execute Nmap with args (needs quotes)
\&   \-e \-\-extraargs    Add args to the default args (needs quotes)
\&   \-\-inter           Perform scan with non default interface
\&   \-m \-\-moreports    Add ports to scan ex: 8080 or 3306,5900\-5910
\&   \-n \-\-nmap         Path to Nmap executable
\&   \-p \-\-pingscan     Ping Target then scan the alive host(s)
\&   \-\-udp             Add UDP to the scan arguments
\&   \-\-rpc             Add RPC to the scan arguments
\&   \-r \-\-range        Ports for scan [def 1\-1025]
.Ve
.PP
.Vb 1
\&   \-\-diffbanner      Parse changes of the banner
.Ve
.PP
.Vb 3
\& Config Options:
\&   \-d \-\-dbconfig     Config for results database [def config.yaml]
\&   \-\-configdir       Directory for the database config file
.Ve
.PP
.Vb 2
\&   \-\-data            SQLite Database override [def data.dbl]
\&   \-\-dir             Directory for SQLite or CSV files [def .]
.Ve
.PP
.Vb 6
\& General Options:
\&   \-\-nocolors        Don't Print Colors
\&   \-\-test            Testing information
\&   \-\-debug           Debug information
\&   \-v \-\-version      Display version
\&   \-h \-\-help         Display this information
.Ve
.PP
.Vb 1
\& Send Comments to Joshua D. Abraham ( jabra@ccs.neu.edu )
.Ve
.SH "THINGS TO NOTE"
.IX Header "THINGS TO NOTE"
.Vb 1
\& * ScanPBNJ requires root privileges to perform a scan.
.Ve
.PP
.Vb 1
\& * If you do not pass a specific port range, 1\-1025 is used.
.Ve
.PP
.Vb 2
\& * If there are configs in the current directory, they are used
\&   instead of those in the user's config directory.
.Ve
.PP
.Vb 2
\& * ScanPBNJ does not modify previous database entries. It simply
\&   inserts new information when a change is found.
.Ve
.PP
.Vb 2
\& * When performing repeated scans, make sure to use the same ports
\&   each time or you will get false positives.
.Ve
.SH "EXAMPLE SINGLE SCAN"
.IX Header "EXAMPLE SINGLE SCAN"
.Vb 1
\& 1) Scan a class B network on ports 1\-9000
.Ve
.PP
.Vb 1
\&   sudo ./scanpbnj \-r 1\-9000 10.0.0.0/16
.Ve
.PP
.Vb 1
\& 2) Scan an IP Address on ports 1\-9000
.Ve
.PP
.Vb 1
\&   sudo ./scanpbnj \-r 1\-9000 10.0.0.100
.Ve
.SH "EXAMPLE AUTOMATED SCANS"
.IX Header "EXAMPLE AUTOMATED SCANS"
.Vb 1
\& The following examples can be added to /etc/crontab
.Ve
.PP
.Vb 1
\& 1) Scan a Class C network every 2 hours
.Ve
.PP
.Vb 1
\&   30 */2 * * * root scanpbnj 10.0.0.\e*
.Ve
.PP
.Vb 1
\& 2) Scan a Class C network every day at 2:30
.Ve
.PP
.Vb 1
\&   30 2 * * * root scanpbnj 10.0.0.\e*
.Ve
.SH "TARGET SPECIFICATION"
.IX Header "TARGET SPECIFICATION"
.Vb 9
\& The target specification follows the usual way of probing a network,
\& so any of the following can be used:
\& (e.g. 10.0.0.1, 10.0.0.1\-254, 10.0.0.0/24 or 10.0.0.\e* ).
\& The first example is simply an IP address. The second example is
\& the scanning of a range. The third is a range in CIDR notation.
\& The fourth example is the IP with the star, which specifies to scan
\& 255 hosts. This is the same format that Nmap uses, with the only
\& exception being the \e* on the last octet. The backslash is needed so
\& that the shell does not interpret the star when the command is executed.
.Ve
.PP
.Vb 4
\& Another option is to use a hostname or domain name. ScanPBNJ will
\& then resolve the name to the correct IP address. If you pass a
\& debug flag with level 1 or greater, ScanPBNJ will display what IP
\& address the hostname resolved to.
.Ve
.Sh "\-i Scan using a list of IPs from a file"
.IX Subsection "-i Scan using a list of IPs from a file"
.Vb 4
\& The iplist option is useful when you have a specific list of IPs to
\& scan. This will perform a full scan of the IPs that are specified.
\& This option is similar to using \-sL with Nmap. The results of
\& the scan are inserted into the database.
.Ve
.Sh "\-x Parse scan/info from Nmap \s-1XML\s0 file"
.IX Subsection "-x Parse scan/info from Nmap XML file"
.Vb 7
\& This option is useful when you can't perform the scan yourself or
\& you don't want ScanPBNJ to perform the scan. Another situation where
\& this is useful is if you have an XML file that was produced in the past
\& and you want to extract information from it, possibly to compare
\& with what is currently running on the target. ScanPBNJ parses the
\& Nmap XML file, extracts the information about the host(s) and
\& service(s), and then inserts the results into the database.
.Ve
.SH "SCAN OPTIONS"
.IX Header "SCAN OPTIONS"
.Sh "\-a \-\-args"
.IX Subsection "-a --args"
.Vb 1
\& ** NOTE ** This option needs quotes around the passed arguments
.Ve
.PP
.Vb 6
\& This option will bypass the default arguments that are used in
\& scanning with Nmap. This can be used to do a particular type of scan
\& that is not possible by simply adding extra arguments. For example,
\& if you want to only scan UDP ports and still do version
\& identification and OS detection, you would do so using the following
\& notation:
.Ve
.PP
.Vb 1
\&   sudo scanpbnj \-a "\-A \-O \-sU" localhost
.Ve
.Sh "\-e \-\-extraargs"
.IX Subsection "-e --extraargs"
.Vb 1
\& ** NOTE ** This option needs quotes around the passed arguments
.Ve
.PP
.Vb 4
\& This option will add additional arguments onto the default scan
\& arguments. This is most useful in doing scans where time optimization
\& is needed. These arguments are appended to the default arguments and
\& the combined set is then used in the scan.
.Ve
.Sh "\-\-inter"
.IX Subsection "--inter"
.Vb 3
\& This option sets an alternative interface for performing the scan.
\& This is useful when you have multiple interfaces on a machine
\& with restrictions on which devices can access certain IPs or IP ranges.
.Ve
.Sh "\-m \-\-moreports"
.IX Subsection "-m --moreports"
.Vb 3
\& This option adds additional ports to the range of ports to scan.
\& Individual port numbers are OK, as are ranges separated by a
\& hyphen (e.g. 1\-1023,5800,5900,8080).
.Ve
.PP
.Vb 1
\& For example:
.Ve
.PP
.Vb 1
\&   sudo scanpbnj \-m 7000\-7500,8080 localhost
.Ve
.PP
.Vb 1
\& This scan would scan the default range as well as 7000\-7500 and 8080.
.Ve
.Sh "\-n \-\-nmap"
.IX Subsection "-n --nmap"
.Vb 6
\& Use an alternative Nmap rather than the Nmap located in your path.
\& This is useful if you have multiple versions of Nmap installed on
\& a system or if you are testing a new version of Nmap. Remember that if
\& you are using a newly compiled version of Nmap you need to
\& export NMAPDIR to the location where Nmap was compiled. Thus, if
\& you have compiled Nmap in your home directory, use the following notation:
.Ve
.PP
.Vb 1
\&   export NMAPDIR=$HOME/nmap\-VERSION/
.Ve
.PP
.Vb 1
\&   sudo scanpbnj \-n $HOME/nmap\-VERSION/ localhost
.Ve
.Sh "\-p Ping Target then scan the host(s) that are alive"
.IX Subsection "-p Ping Target then scan the host(s) that are alive"
.Vb 6
\& The ping scan is a useful method of only scanning the hosts that are
\& responding to ICMP echo requests. This scan takes the hosts
\& that respond to ICMP echo requests and then performs a scan only on
\& those hosts. Therefore, no time is wasted in scanning hosts that do
\& not respond. The results of the scan are then inserted into the
\& database.
.Ve
.Sh "\-\-udp Add \s-1UDP\s0 to the scan arguments"
.IX Subsection "--udp Add UDP to the scan arguments"
.Vb 1
\& Perform a UDP scan in addition to the default scan.
.Ve
.PP
.Vb 1
\&   sudo scanpbnj \-\-udp localhost
.Ve
.PP
.Vb 2
\& If you want to only perform a UDP scan you need to set the specific
\& arguments for the scan.
.Ve
.PP
.Vb 1
\&   sudo scanpbnj \-a "\-vv \-O \-P0 \-p 1\-1025 \-sVU" localhost
.Ve
.Sh "\-\-rpc Add \s-1RPC\s0 to the scan arguments"
.IX Subsection "--rpc Add RPC to the scan arguments"
.Vb 1
\& Perform an RPC scan in addition to the default scan.
.Ve
.PP
.Vb 1
\&   sudo scanpbnj \-\-rpc localhost
.Ve
.PP
.Vb 2
\& If you want to only perform an RPC scan you need to set the specific
\& arguments for the scan.
.Ve
.PP
.Vb 1
\&   sudo scanpbnj \-a "\-vv \-O \-P0 \-p 1\-1025 \-sVR" localhost
.Ve
.Sh "\-r \-\-range"
.IX Subsection "-r --range"
.Vb 1
\& Ports for scan [default 1\-1025]
.Ve
.PP
.Vb 3
\& This option specifies which ports you want to scan and overrides the
\& default. Individual port numbers are OK, as are ranges separated by a
\& hyphen (e.g. 1\-1023,5800,5900,8080).
.Ve
.PP
.Vb 1
\& Thus, a scan like this is OK:
.Ve
.PP
.Vb 1
\&   sudo scanpbnj \-r 22,25,80,100\-200 localhost
.Ve
.PP
.Vb 2
\& Also, if you leave off the number after the hyphen it will scan
\& all ports from the start port to 65535.
.Ve
.PP
.Vb 1
\& For example:
.Ve
.PP
.Vb 1
\&   sudo scanpbnj \-r 22,25\- localhost
.Ve
.Sh "\-\-diffbanner"
.IX Subsection "--diffbanner"
.Vb 1
\& Parse changes of the banner
.Ve
.PP
.Vb 5
\& This option enables ScanPBNJ to do comparisons on the banner. The
\& reason this is not on by default is that it could show changes in
\& services that are not important to the user. However, this option
\& is useful to a security professional who is looking for any changes
\& that occur so that they can be verified.
.Ve
.SH "DATABASE OPTIONS"
.IX Header "DATABASE OPTIONS"
.Sh "\-d \-\-dbconfig"
.IX Subsection "-d --dbconfig"
.Vb 1
\& Config for results database [default config.yaml]
.Ve
.PP
.Vb 1
\& This option is used to specify an alternative config.yaml file.
.Ve
.Sh "\-\-configdir"
.IX Subsection "--configdir"
.Vb 1
\& Directory for Config file [default . ]
.Ve
.PP
.Vb 2
\& This option is used to specify an alternative directory for the
\& config.yaml file.
.Ve
.Sh "\-\-data"
.IX Subsection "--data"
.Vb 1
\& SQLite Database override [default data.dbl ]
.Ve
.PP
.Vb 2
\& This option is used when you want to change the name of the SQLite
\& database file that is generated.
.Ve
.Sh "\-\-dir"
.IX Subsection "--dir"
.Vb 1
\& Directory for SQLite or CSV files [default . ]
.Ve
.PP
.Vb 2
\& This option is used when you want the database to be generated in a
\& different directory.
.Ve
.SH "GENERAL OPTIONS"
.IX Header "GENERAL OPTIONS"
.Sh "\-\-nocolors"
.IX Subsection "--nocolors"
.Vb 2
\& By default ScanPBNJ prints the useful changes in color.
\& This option will simply not print the colors.
.Ve
.Sh "\-\-test"
.IX Subsection "--test"
.Vb 5
\& Increases the Test level, causing ScanPBNJ to print testing information
\& about the scan in progress. The Test level is mostly only useful
\& for testing. This will also print the debugging information, so it can
\& get rather lengthy. The greater the Test level, the more output will be
\& given.
.Ve
.PP
.Vb 3
\& This option is also used for reporting bugs. All bug reports should
\& be submitted using \-\-test 1, and an additional report may be needed
\& depending on the issue.
.Ve
.Sh "\-\-debug"
.IX Subsection "--debug"
.Vb 5
\& Increases the Debug level, causing ScanPBNJ to print more information
\& about the scan in progress. Nmap scanning arguments are shown, as well
\& as the IP address if you are scanning a domain name. This option is
\& used to give the user more information about what the scanner is doing.
\& The higher the debug level, the more output the user will receive.
.Ve
.Sh "\-v \-\-version"
.IX Subsection "-v --version"
.Vb 1
\& Prints the ScanPBNJ version number and exits.
.Ve
.Sh "\-h \-\-help"
.IX Subsection "-h --help"
.Vb 2
\& Prints a short help screen with the command flags. Running ScanPBNJ
\& without any arguments does the same thing.
.Ve
.SH "DEFAULT SCAN"
.IX Header "DEFAULT SCAN"
.Vb 1
\& Here are the default arguments that are used during a default scan:
.Ve
.PP
.Vb 1
\&   \-vv \-O \-P0 \-sSV \-p 1\-1025
.Ve
.SH "FILES"
.IX Header "FILES"
.Vb 6
\& PBNJ's data and configuration files are used by ScanPBNJ and OutputPBNJ.
\& When either
\& of these programs is run, the configuration files will be generated
\& for the user if they don't already exist and placed in the
\& $HOME/.pbnj\-2.0 directory. Again, if there is a configuration file
\& in the current directory it is used instead of the version in the
\& configuration directory.
.Ve
.PP
.Vb 2
\& $HOME/.pbnj\-2.0/config.yaml \- holds settings for connecting to
\& the database which stores the information from PBNJ scans.
.Ve
.PP
.Vb 4
\& $HOME/.pbnj\-2.0/query.yaml \- lists all queries that can be used to
\& retrieve information from the database. It also includes the name and
\& description for each query. This is only generated when you execute
\& OutputPBNJ.
.Ve
.PP
.Vb 6
\& For Windows, the pbnj\-2.0 config directory is in the APPDATA
\& directory, which contains both config.yaml and query.yaml. Depending
\& on your environment, the APPDATA directory may be in a different
\& location. Therefore, when the configs are generated for the first
\& time, the programs will display the path where the configs were
\& generated.
.Ve
.SH "FEATURE REQUESTS"
.IX Header "FEATURE REQUESTS"
.Vb 5
\& Any feature requests should be reported to the online
\& feature\-request\-tracking system available on the web at:
\& http://sourceforge.net/tracker/?func=add&group_id=149390&atid=774489
\& Before requesting a feature, please check to see if the feature has
\& already been requested.
.Ve
.SH "BUG REPORTS"
.IX Header "BUG REPORTS"
.Vb 5
\& Any bugs found should be reported to the online bug\-tracking system
\& available on the web at:
\& http://sourceforge.net/tracker/?func=add&group_id=149390&atid=774488
\& Before reporting a bug, please check to see if the bug has already been
\& reported.
.Ve
.PP
.Vb 4
\& When reporting PBNJ bugs, it is important to include a reliable way to
\& reproduce the bug, the version numbers of PBNJ and Nmap, the OS
\& name and version, and any relevant hardware specs.
\& And of course,
\& patches to rectify the bug are even better.
.Ve
.SH "SUPPORTED DATABASES"
.IX Header "SUPPORTED DATABASES"
.Vb 1
\& The following databases are supported:
.Ve
.PP
.Vb 4
\& * SQLite [default]
\& * MySQL
\& * Postgres
\& * CSV
.Ve
.SH "DATABASE SCHEMA"
.IX Header "DATABASE SCHEMA"
.Vb 1
\& The following is the SQLite version of the database schema:
.Ve
.PP
.Vb 18
\& CREATE TABLE machines (
\&     mid INTEGER PRIMARY KEY AUTOINCREMENT,
\&     ip TEXT,
\&     host TEXT,
\&     localh INTEGER,
\&     os TEXT,
\&     machine_created TEXT,
\&     created_on TEXT);
\& CREATE TABLE services (
\&     mid INTEGER,
\&     service TEXT,
\&     state TEXT,
\&     port INTEGER,
\&     protocol TEXT,
\&     version TEXT,
\&     banner TEXT,
\&     machine_updated TEXT,
\&     updated_on TEXT);
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
.Vb 1
\& outputpbnj(1), genlist(1), nmap(1)
.Ve
.SH "AUTHORS"
.IX Header "AUTHORS"
.Vb 1
\& Joshua D. Abraham ( jabra@ccs.neu.edu )
.Ve
.SH "LEGAL NOTICES"
.IX Header "LEGAL NOTICES"
.Vb 6
\& This program is distributed in the hope that it will be useful, but
\& WITHOUT ANY WARRANTY; without even the implied warranty of
\& MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
\& General Public License for more details at
\& http://www.gnu.org/copyleft/gpl.html, or in the COPYING file included
\& with PBNJ.
.Ve
.PP
.Vb 7
\& It should also be noted that PBNJ has occasionally been known to
\& crash poorly written applications, TCP/IP stacks, and even operating
\& systems. While this is extremely rare, it is important to keep in
\& mind. PBNJ should never be run against mission critical systems
\& unless you are prepared to suffer downtime. We acknowledge here that
\& PBNJ may crash your systems or networks and we disclaim all liability
\& for any damage or problems PBNJ could cause.
.Ve
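.PP
The following Python script is an added example and is not part of PBNJ or the scanpbnj code. It shows, in one place, what the "\-x" option and the DATABASE SCHEMA section describe: it parses a constructed Nmap XML document (element names follow Nmap's XML output format; the addresses, hostnames and versions are made-up sample data), writes hosts and services into the SQLite schema shown above, and applies the append-only rule from THINGS TO NOTE, inserting a new services row only when a port is new, reports a different version, or has gone down since the last record. Treating 127.0.0.1 as the localhost bit is an assumption made here, not something the page specifies.

```python
# Added example (not PBNJ code): load an Nmap XML scan into the ScanPBNJ
# SQLite schema and report which services appeared, changed or went down.
import sqlite3
import time
import xml.etree.ElementTree as ET

# Schema copied from the DATABASE SCHEMA section of this man page.
SCHEMA = """
CREATE TABLE IF NOT EXISTS machines (mid INTEGER PRIMARY KEY AUTOINCREMENT,
    ip TEXT, host TEXT, localh INTEGER, os TEXT, machine_created TEXT, created_on TEXT);
CREATE TABLE IF NOT EXISTS services (mid INTEGER, service TEXT, state TEXT,
    port INTEGER, protocol TEXT, version TEXT, banner TEXT, machine_updated TEXT,
    updated_on TEXT);
"""

# Constructed Nmap XML fragments (not real scans); element names follow
# Nmap's XML output: host/status/address/hostnames/ports/port/state/service.
FIRST_SCAN = """<nmaprun><host><status state="up"/>
<address addr="10.0.0.5" addrtype="ipv4"/>
<hostnames><hostname name="web.example.test"/></hostnames>
<ports><port protocol="tcp" portid="22"><state state="open"/>
<service name="ssh" product="OpenSSH" version="7.4"/></port>
<port protocol="tcp" portid="80"><state state="open"/>
<service name="http" product="nginx" version="1.18.0"/></port></ports>
<os><osmatch name="Linux 4.X"/></os></host></nmaprun>"""
# The same host scanned later: port 80 is now closed and 443 is newly open.
SECOND_SCAN = """<nmaprun><host><status state="up"/>
<address addr="10.0.0.5" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="22"><state state="open"/>
<service name="ssh" product="OpenSSH" version="7.4"/></port>
<port protocol="tcp" portid="80"><state state="closed"/></port>
<port protocol="tcp" portid="443"><state state="open"/>
<service name="https" product="nginx" version="1.18.0"/></port></ports>
</host></nmaprun>"""

def parse_nmap_xml(xml_text):
    """[(ip, hostname, os, [(port, proto, service, version), ...])] per up host."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr, status = host.find("address[@addrtype='ipv4']"), host.find("status")
        if addr is None or (status is not None and status.get("state") != "up"):
            continue
        services = []
        for port in host.findall("ports/port"):  # keep only ports seen open
            state, svc = port.find("state"), port.find("service")
            if state is None or state.get("state") != "open":
                continue
            parts = (svc.get("product"), svc.get("version")) if svc is not None else ()
            services.append((int(port.get("portid")), port.get("protocol"),
                             svc.get("name", "unknown") if svc is not None else "unknown",
                             " ".join(p for p in parts if p)))
        hn, osm = host.find("hostnames/hostname"), host.find("os/osmatch")
        hosts.append((addr.get("addr"), hn.get("name") if hn is not None else "",
                      osm.get("name") if osm is not None else "unknown", services))
    return hosts

def open_db(path=":memory:"):
    """Open (or create) a PBNJ-style SQLite database and make sure the tables exist."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn

def latest_services(conn, mid):
    """Most recently recorded (state, version, service) per (port, protocol)."""
    latest = {}
    for port, proto, state, version, name in conn.execute(
            "SELECT port, protocol, state, version, service FROM services "
            "WHERE mid = ? ORDER BY updated_on, rowid", (mid,)):
        latest[(port, proto)] = (state, version, name)  # later rows overwrite
    return latest

def import_scan(conn, hosts, now=None):
    """ScanPBNJ's append-only rule: never update old rows; insert a services
    row only when a port is new, changed version, or went down. Returns the
    sorted (ip, port, proto, state) tuples that were inserted."""
    now = int(time.time() if now is None else now)
    human = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(now))
    changes = []
    for ip, hostname, osname, services in hosts:
        row = conn.execute("SELECT mid FROM machines WHERE ip = ?", (ip,)).fetchone()
        mid = row[0] if row else conn.execute(
            "INSERT INTO machines (ip, host, localh, os, machine_created, created_on)"
            " VALUES (?, ?, ?, ?, ?, ?)",  # localh bit: loopback test is an assumption
            (ip, hostname, int(ip == "127.0.0.1"), osname, human, str(now))).lastrowid
        known, seen = latest_services(conn, mid), set()
        for port, proto, name, version in services:
            seen.add((port, proto))
            prev = known.get((port, proto))
            if prev is not None and prev[0] == "up" and prev[1] == version:
                continue  # unchanged since the last record: nothing to insert
            conn.execute("INSERT INTO services VALUES (?, ?, 'up', ?, ?, ?, '', ?, ?)",
                         (mid, name, port, proto, version, human, str(now)))
            changes.append((ip, port, proto, "up"))
        for (port, proto), (state, version, name) in known.items():
            if state == "up" and (port, proto) not in seen:  # was up, now absent
                conn.execute("INSERT INTO services VALUES (?, ?, 'down', ?, ?, ?, '', ?, ?)",
                             (mid, name, port, proto, version, human, str(now)))
                changes.append((ip, port, proto, "down"))
    conn.commit()
    return sorted(changes)
```

Running import_scan(db, parse_nmap_xml(FIRST_SCAN)) on an empty database records both open ports as up; importing SECOND_SCAN afterwards inserts exactly two rows, port 80 as down and port 443 as up, and importing SECOND_SCAN a third time inserts nothing. Because old rows are never rewritten, the services table keeps the full history of each port, which is what lets a later comparison show when a service appeared or disappeared.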