.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" ======================================================================== .\" .IX Title "Parser 3pm" .TH Parser 3pm "2022-11-20" "perl v5.36.0" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" Nmap::Parser \- parse nmap scan data with perl .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 2 \& use Nmap::Parser; \& my $np = new Nmap::Parser; \& \& $np\->parsescan($nmap_path, $nmap_args, @ips); \& #or \& $np\->parsefile($file_xml); \& \& my $session = $np\->get_session(); \& #a Nmap::Parser::Session object \& \& my $host = $np\->get_host($ip_addr); \& #a Nmap::Parser::Host object \& \& my $service = $host\->tcp_service(80); \& #a Nmap::Parser::Host::Service object \& \& my $os = $host\->os_sig(); \& #a Nmap::Parser::Host::OS object \& \& #\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\- \& \& my $np2 = new Nmap::Parser; \& \& $np2\->callback(\e&my_callback); \& \& $np2\->parsefile($file_xml); \& #or \& $np2\->parsescan($nmap_path, $nmap_args, @ips); \& \& sub my_callback { \& \& my $host = shift; \& #Nmap::Parser::Host object \& #.. see documentation for all methods ... \& \& } .Ve .PP \&\fIFor a full listing of methods see the documentation corresponding to each object.\fR You can also visit the website for additional installation instructions. .SH "DESCRIPTION" .IX Header "DESCRIPTION" This module implements a interface to the information contained in an nmap scan. It is implemented by parsing the xml scan data that is generated by nmap. This will enable anyone who utilizes nmap to quickly create fast and robust security scripts that utilize the powerful port scanning abilities of nmap. .PP The latest version of this module can be found on here .SH "OVERVIEW" .IX Header "OVERVIEW" This module has an internal framework to make it easy to retrieve the desired information of a scan. Every nmap scan is based on two main sections of informations: the scan session, and the scan information of all hosts. The session information will be stored as a Nmap::Parser::Session object. This object will contain its own methods to obtain the desired information. The same is true for any hosts that were scanned using the Nmap::Parser::Host object. There are two sub objects under Nmap::Parser::Host. One is the Nmap::Parser::Host::Service object which will be used to obtain information of a given service running on a given port. The second is the Nmap::Parser::Host::OS object which contains the operating system signature information (\s-1OS\s0 guessed names, classes, osfamily..etc). .PP .Vb 9 \& Nmap::Parser \-\- Core parser \& | \& +\-\-Nmap::Parser::Session \-\- Nmap scan session information \& | \& +\-\-Nmap::Parser::Host \-\- General host information \& | | \& | |\-Nmap::Parser::Host::Service \-\- Port service information \& | | \& | |\-Nmap::Parser::Host::OS \-\- Operating system signature information .Ve .SH "METHODS" .IX Header "METHODS" .SS "Nmap::Parser" .IX Subsection "Nmap::Parser" The main idea behind the core module is, you will first parse the information and then extract data. Therefore, all parse*() methods should be executed before any get_*() methods. .IP "\fBparse($string)\fR" 4 .IX Item "parse($string)" .PD 0 .IP "\fBparse($filehandle)\fR" 4 .IX Item "parse($filehandle)" .PD Parses the nmap scan information in \f(CW$string\fR. Note that is usually only used if you have the whole xml scan information in \f(CW$string\fR or if you are piping the scan information. .IP "\fBparsefile($xml_file)\fR" 4 .IX Item "parsefile($xml_file)" Parses the nmap scan data in \f(CW$xml_file\fR. This file can be generated from an nmap scan by using the '\-oX filename.xml' option with nmap. If you get an error or your program dies due to parsing, please check that the xml information is compliant. The file is closed no matter how \f(CW\*(C`parsefile()\*(C'\fR returns. .IP "\fBparsescan($nmap,$args,@ips)\fR" 4 .IX Item "parsescan($nmap,$args,@ips)" This method runs an nmap scan where \f(CW$nmap\fR is the path to the nmap executable or binary, \&\f(CW$args\fR are the nmap command line parameters, and \f(CW@ips\fR are the list of \s-1IP\s0 addresses to scan. \fBparsescan()\fR will automagically run the nmap scan and parse the information. .Sp If you wish to save the xml output from \fBparsescan()\fR, you must call \fBcache_scan()\fR method \fB\s-1BEFORE\s0\fR you start the \fBparsescan()\fR process. This is done to conserve memory while parsing. \fBcache_scan()\fR will let Nmap::Parser know to save the output before parsing the xml since Nmap::Parser purges everything that has been parsed by the script to conserve memory and increase speed. .Sp \&\fISee section \s-1EXAMPLES\s0 for a short tutorial\fR .Sp \&\fINote: You cannot have one of the nmap options to be '\-oX', '\-oN' or '\-oG'. Your program will die if you try and pass any of these options because it decides the type of output nmap will generate. The \s-1IP\s0 addresses can be nmap-formatted addresses see \f(BInmap\fI\|(1)\fR .Sp If you get an error or your program dies due to parsing, please check that the xml information is compliant. If you are using \fBparsescan()\fR or an open filehandle , make sure that the nmap scan that you are performing is successful in returning xml information. (Sometimes using loopback addresses causes nmap to fail). .IP "\fBcache_scan($filename)\fR" 4 .IX Item "cache_scan($filename)" This function allows you to save the output of a \fBparsescan()\fR (or nmap scan) to the disk. \f(CW$filename\fR is the name of the file you wish to save the nmap scan information to. It defaults to nmap\-parser\-cache.xml It returns the name of the file to be used as the cache. .Sp .Vb 2 \& #Must be called before parsescan(). \& $np\->cache_scan($filename); #output set to nmap\-parser\-cache.xml \& \& #.. do other stuff to prepare for parsescan(), ex. setup callbacks \& \& $np\->parsescan(\*(Aq/usr/bin/nmap\*(Aq,$args,@IPS); .Ve .IP "\fB\fBpurge()\fB\fR" 4 .IX Item "purge()" Cleans the xml scan data from memory. This is useful if you have a program where you are parsing lots of nmap scan data files with persistent variables. .IP "\fBcallback(\e&code_ref)\fR" 4 .IX Item "callback(&code_ref)" Sets the parsing mode to be done using the callback function. It takes the parameter of a code reference or a reference to a function. If no code reference is given, it resets the mode to normal (no callback). .Sp .Vb 2 \& $np\->callback(\e&my_function); #sets callback, my_function() will be called \& $np\->callback(); #resets it, no callback function called. Back to normal. .Ve .IP "\fB\fBget_session()\fB\fR" 4 .IX Item "get_session()" Obtains the Nmap::Parser::Session object which contains the session scan information. .IP "\fBget_host($ip_addr)\fR" 4 .IX Item "get_host($ip_addr)" Obtains the Nmap::Parser::Host object for the given \f(CW$ip_addr\fR. .IP "\fBdel_host($ip_addr)\fR" 4 .IX Item "del_host($ip_addr)" Deletes the stored Nmap::Parser::Host object whose \s-1IP\s0 is \f(CW$ip_addr\fR. .IP "\fB\fBall_hosts()\fB\fR" 4 .IX Item "all_hosts()" .PD 0 .IP "\fBall_hosts($status)\fR" 4 .IX Item "all_hosts($status)" .PD Returns an array of all the Nmap::Parser::Host objects for the scan. If the optional status is given, it will only return those hosts that match that status. The status can be any of the following: \f(CW\*(C`(up|down|unknown|skipped)\*(C'\fR .IP "\fB\fBget_ips()\fB\fR" 4 .IX Item "get_ips()" .PD 0 .IP "\fBget_ips($status)\fR" 4 .IX Item "get_ips($status)" .PD Returns the list of \s-1IP\s0 addresses that were scanned in this nmap session. They are sorted using addr_sort. If the optional status is given, it will only return those \s-1IP\s0 addresses that match that status. The status can be any of the following: \f(CW\*(C`(up|down|unknown|skipped)\*(C'\fR .IP "\fBaddr_sort(@ips)\fR" 4 .IX Item "addr_sort(@ips)" This function takes a list of \s-1IP\s0 addresses and returns the correctly sorted version of the list. .SS "Nmap::Parser::Session" .IX Subsection "Nmap::Parser::Session" This object contains the scan session information of the nmap scan. .IP "\fB\fBfinish_time()\fB\fR" 4 .IX Item "finish_time()" Returns the numeric time that the nmap scan finished. .IP "\fB\fBnmap_version()\fB\fR" 4 .IX Item "nmap_version()" Returns the version of nmap used for the scan. .IP "\fB\fBnumservices()\fB\fR" 4 .IX Item "numservices()" .PD 0 .IP "\fBnumservices($type)\fR" 4 .IX Item "numservices($type)" .PD If numservices is called without argument, it returns the total number of services that were scanned for all types. If \f(CW$type\fR is given, it returns the number of services for that given scan type. See \fBscan_types()\fR for more info. .IP "\fB\fBscan_args()\fB\fR" 4 .IX Item "scan_args()" Returns a string which contains the nmap executed command line used to run the scan. .IP "\fBscan_type_proto($type)\fR" 4 .IX Item "scan_type_proto($type)" Returns the protocol type of the given scan type (provided by \f(CW$type\fR). See \fBscan_types()\fR for more info. .IP "\fB\fBscan_types()\fB\fR" 4 .IX Item "scan_types()" Returns the list of scan types that were performed. It can be any of the following: \&\f(CW\*(C`(syn|ack|bounce|connect|null|xmas|window|maimon|fin|udp|ipproto)\*(C'\fR. .IP "\fB\fBstart_str()\fB\fR" 4 .IX Item "start_str()" Returns the human readable format of the start time. .IP "\fB\fBstart_time()\fB\fR" 4 .IX Item "start_time()" Returns the numeric form of the time the nmap scan started. .IP "\fB\fBtime_str()\fB\fR" 4 .IX Item "time_str()" Returns the human readable format of the finish time. .IP "\fB\fBxml_version()\fB\fR" 4 .IX Item "xml_version()" Returns the version of nmap xml file. .IP "\fB\fBprescripts()\fB\fR" 4 .IX Item "prescripts()" .PD 0 .IP "\fBprescripts($name)\fR" 4 .IX Item "prescripts($name)" .PD A basic call to \fBprescripts()\fR returns a list of the names of the \s-1NSE\s0 scripts run in the pre-scanning phase. If \f(CW$name\fR is given, it returns the text output of the a reference to a hash with \*(L"output\*(R" and \*(L"contents\*(R" keys for the script with that name, or undef if that script was not run. The value of the \*(L"output\*(R" key is the text output of the script. The value of the \&\*(L"contents\*(R" key is a data structure based on the \s-1XML\s0 output of the \s-1NSE\s0 script. .IP "\fB\fBpostscripts()\fB\fR" 4 .IX Item "postscripts()" .PD 0 .IP "\fBpostscripts($name)\fR" 4 .IX Item "postscripts($name)" .PD A basic call to \fBpostscripts()\fR returns a list of the names of the \s-1NSE\s0 scripts run in the post-scaning phase. If \f(CW$name\fR is given, it returns the text output of the a reference to a hash with \*(L"output\*(R" and \*(L"contents\*(R" keys for the script with that name, or undef if that script was not run. The value of the \*(L"output\*(R" key is the text output of the script. The value of the \&\*(L"contents\*(R" key is a data structure based on the \s-1XML\s0 output of the \s-1NSE\s0 script. .SS "Nmap::Parser::Host" .IX Subsection "Nmap::Parser::Host" This object represents the information collected from a scanned host. .IP "\fB\fBstatus()\fB\fR" 4 .IX Item "status()" Returns the state of the host. It is usually one of these \&\f(CW\*(C`(up|down|unknown|skipped)\*(C'\fR. .IP "\fB\fBaddr()\fB\fR" 4 .IX Item "addr()" Returns the main \s-1IP\s0 address of the host. This is usually the IPv4 address. If there is no IPv4 address, the IPv6 is returned (hopefully there is one). .IP "\fB\fBaddrtype()\fB\fR" 4 .IX Item "addrtype()" Returns the address type of the address given by \fBaddr()\fR . .IP "\fB\fBall_hostnames()\fB\fR" 4 .IX Item "all_hostnames()" Returns a list of all hostnames found for the given host. .IP "\fB\fBextraports_count()\fB\fR" 4 .IX Item "extraports_count()" Returns the number of extraports found. .IP "\fB\fBextraports_state()\fB\fR" 4 .IX Item "extraports_state()" Returns the state of all the extraports found. .IP "\fB\fBhostname()\fB\fR" 4 .IX Item "hostname()" .PD 0 .IP "\fBhostname($index)\fR" 4 .IX Item "hostname($index)" .PD As a basic call, \fBhostname()\fR returns the first hostname obtained for the given host. If there exists more than one hostname, you can provide a number, which is used as the location in the array. The index starts at 0; .Sp .Vb 4 \& #in the case that there are only 2 hostnames \& hostname() eq hostname(0); \& hostname(1); #second hostname found \& hostname(400) eq hostname(1) #nothing at 400; return the name at the last index .Ve .IP "\fB\fBipv4_addr()\fB\fR" 4 .IX Item "ipv4_addr()" Explicitly return the IPv4 address. .IP "\fB\fBipv6_addr()\fB\fR" 4 .IX Item "ipv6_addr()" Explicitly return the IPv6 address. .IP "\fB\fBmac_addr()\fB\fR" 4 .IX Item "mac_addr()" Explicitly return the \s-1MAC\s0 address. .IP "\fB\fBmac_vendor()\fB\fR" 4 .IX Item "mac_vendor()" Return the vendor information of the \s-1MAC.\s0 .IP "\fB\fBdistance()\fB\fR" 4 .IX Item "distance()" Return the distance (in hops) of the target machine from the machine that performed the scan. .IP "\fB\fBtrace_error()\fB\fR" 4 .IX Item "trace_error()" Returns a true value (usually a meaningful error message) if the traceroute was performed but could not reach the destination. In this case \f(CW\*(C`all_trace_hops()\*(C'\fR contains only the part of the path that could be determined. .IP "\fB\fBall_trace_hops()\fB\fR" 4 .IX Item "all_trace_hops()" Returns an array of Nmap::Parser::Host::TraceHop objects representing the path to the target host. This array may be empty if Nmap did not perform the traceroute for some reason (same network, for example). .Sp Some hops may be missing if Nmap could not figure out information about them. In this case there is a gap between the \f(CW\*(C`ttl()\*(C'\fR values of consecutive returned hops. See also \f(CW\*(C`trace_error()\*(C'\fR. .IP "\fB\fBtrace_proto()\fB\fR" 4 .IX Item "trace_proto()" Returns the name of the protocol used to perform the traceroute. .IP "\fB\fBtrace_port()\fB\fR" 4 .IX Item "trace_port()" Returns the port used to perform the traceroute. .IP "\fB\fBos_sig()\fB\fR" 4 .IX Item "os_sig()" Returns an Nmap::Parser::Host::OS object that can be used to obtain all the Operating System signature (fingerprint) information. See Nmap::Parser::Host::OS for more details. .Sp .Vb 3 \& $os = $host\->os_sig; \& $os\->name; \& $os\->osfamily; .Ve .IP "\fB\fBtcpsequence_class()\fB\fR" 4 .IX Item "tcpsequence_class()" .PD 0 .IP "\fB\fBtcpsequence_index()\fB\fR" 4 .IX Item "tcpsequence_index()" .IP "\fB\fBtcpsequence_values()\fB\fR" 4 .IX Item "tcpsequence_values()" .PD Returns the class, index and values information respectively of the tcp sequence. .IP "\fB\fBipidsequence_class()\fB\fR" 4 .IX Item "ipidsequence_class()" .PD 0 .IP "\fB\fBipidsequence_values()\fB\fR" 4 .IX Item "ipidsequence_values()" .PD Returns the class and values information respectively of the ipid sequence. .IP "\fB\fBtcptssequence_class()\fB\fR" 4 .IX Item "tcptssequence_class()" .PD 0 .IP "\fB\fBtcptssequence_values()\fB\fR" 4 .IX Item "tcptssequence_values()" .PD Returns the class and values information respectively of the tcpts sequence. .IP "\fB\fBuptime_lastboot()\fB\fR" 4 .IX Item "uptime_lastboot()" Returns the human readable format of the timestamp of when the host had last rebooted. .IP "\fB\fBuptime_seconds()\fB\fR" 4 .IX Item "uptime_seconds()" Returns the number of seconds that have passed since the host's last boot from when the scan was performed. .IP "\fB\fBhostscripts()\fB\fR" 4 .IX Item "hostscripts()" .PD 0 .IP "\fBhostscripts($name)\fR" 4 .IX Item "hostscripts($name)" .PD A basic call to \fBhostscripts()\fR returns a list of the names of the host scripts run. If \f(CW$name\fR is given, it returns the text output of the a reference to a hash with \*(L"output\*(R" and \*(L"contents\*(R" keys for the script with that name, or undef if that script was not run. The value of the \*(L"output\*(R" key is the text output of the script. The value of the \&\*(L"contents\*(R" key is a data structure based on the \s-1XML\s0 output of the \s-1NSE\s0 script. .IP "\fB\fBtcp_ports()\fB\fR" 4 .IX Item "tcp_ports()" .PD 0 .IP "\fB\fBudp_ports()\fB\fR" 4 .IX Item "udp_ports()" .PD Returns the sorted list of TCP|UDP ports respectively that were scanned on this host. Optionally a string argument can be given to these functions to filter the list. .Sp .Vb 2 \& $host\->tcp_ports(\*(Aqopen\*(Aq) #returns all only \*(Aqopen\*(Aq ports (even \*(Aqopen|filtered\*(Aq) \& $host\->udp_ports(\*(Aqopen|filtered\*(Aq); #matches exactly ports with \*(Aqopen|filtered\*(Aq .Ve .Sp \&\fINote that if a port state is set to 'open|filtered' (or any combination), it will be counted as an 'open' port as well as a 'filtered' one.\fR .IP "\fB\fBtcp_port_count()\fB\fR" 4 .IX Item "tcp_port_count()" .PD 0 .IP "\fB\fBudp_port_count()\fB\fR" 4 .IX Item "udp_port_count()" .PD Returns the total of TCP|UDP ports scanned respectively. .IP "\fB\fBtcp_port_state_ttl()\fB\fR" 4 .IX Item "tcp_port_state_ttl()" Returns the 'reason_ttl' value present in nmap xml result. .IP "\fBtcp_del_ports($portid, [$portid, ...])\fR" 4 .IX Item "tcp_del_ports($portid, [$portid, ...])" .PD 0 .IP "\fBudp_del_ports($portid, [ \f(CB$portid\fB, ...])\fR" 4 .IX Item "udp_del_ports($portid, [ $portid, ...])" .PD Deletes the current \f(CW$portid\fR from the list of ports for given protocol. .IP "\fBtcp_port_state($portid)\fR" 4 .IX Item "tcp_port_state($portid)" .PD 0 .IP "\fBudp_port_state($portid)\fR" 4 .IX Item "udp_port_state($portid)" .PD Returns the state of the given port, provided by the port number in \f(CW$portid\fR. .IP "\fB\fBtcp_open_ports()\fB\fR" 4 .IX Item "tcp_open_ports()" .PD 0 .IP "\fB\fBudp_open_ports()\fB\fR" 4 .IX Item "udp_open_ports()" .PD Returns the list of open TCP|UDP ports respectively. Note that if a port state is for example, 'open|filtered', it will appear on this list as well. .IP "\fB\fBtcp_filtered_ports()\fB\fR" 4 .IX Item "tcp_filtered_ports()" .PD 0 .IP "\fB\fBudp_filtered_ports()\fB\fR" 4 .IX Item "udp_filtered_ports()" .PD Returns the list of filtered TCP|UDP ports respectively. Note that if a port state is for example, 'open|filtered', it will appear on this list as well. .IP "\fB\fBtcp_closed_ports()\fB\fR" 4 .IX Item "tcp_closed_ports()" .PD 0 .IP "\fB\fBudp_closed_ports()\fB\fR" 4 .IX Item "udp_closed_ports()" .PD Returns the list of closed TCP|UDP ports respectively. Note that if a port state is for example, 'closed|filtered', it will appear on this list as well. .IP "\fBtcp_service($portid)\fR" 4 .IX Item "tcp_service($portid)" .PD 0 .IP "\fBudp_service($portid)\fR" 4 .IX Item "udp_service($portid)" .PD Returns the Nmap::Parser::Host::Service object of a given service running on port, provided by \f(CW$portid\fR. See Nmap::Parser::Host::Service for more info. .Sp .Vb 3 \& $svc = $host\->tcp_service(80); \& $svc\->name; \& $svc\->proto; .Ve .PP \fINmap::Parser::Host::Service\fR .IX Subsection "Nmap::Parser::Host::Service" .PP This object represents the service running on a given port in a given host. This object is obtained by using the tcp_service($portid) or udp_service($portid) method from the Nmap::Parser::Host object. If a portid is given that does not exist on the given host, these functions will still return an object (so your script doesn't die). Its good to use \fBtcp_ports()\fR or \fBudp_ports()\fR to see what ports were collected. .IP "\fB\fBconfidence()\fB\fR" 4 .IX Item "confidence()" Returns the confidence level in service detection. .IP "\fB\fBextrainfo()\fB\fR" 4 .IX Item "extrainfo()" Returns any additional information nmap knows about the service. .IP "\fB\fBmethod()\fB\fR" 4 .IX Item "method()" Returns the detection method. .IP "\fB\fBname()\fB\fR" 4 .IX Item "name()" Returns the service name. .IP "\fB\fBowner()\fB\fR" 4 .IX Item "owner()" Returns the process owner of the given service. (If available) .IP "\fB\fBport()\fB\fR" 4 .IX Item "port()" Returns the port number where the service is running on. .IP "\fB\fBproduct()\fB\fR" 4 .IX Item "product()" Returns the product information of the service. .IP "\fB\fBproto()\fB\fR" 4 .IX Item "proto()" Returns the protocol type of the service. .IP "\fB\fBrpcnum()\fB\fR" 4 .IX Item "rpcnum()" Returns the \s-1RPC\s0 number. .IP "\fB\fBtunnel()\fB\fR" 4 .IX Item "tunnel()" Returns the tunnel value. (If available) .IP "\fB\fBfingerprint()\fB\fR" 4 .IX Item "fingerprint()" Returns the service fingerprint. (If available) .IP "\fB\fBversion()\fB\fR" 4 .IX Item "version()" Returns the version of the given product of the running service. .IP "\fB\fBscripts()\fB\fR" 4 .IX Item "scripts()" .PD 0 .IP "\fBscripts($name)\fR" 4 .IX Item "scripts($name)" .PD A basic call to \fBscripts()\fR returns a list of the names of the \s-1NSE\s0 scripts run for this port. If \f(CW$name\fR is given, it returns a reference to a hash with \*(L"output\*(R" and \*(L"contents\*(R" keys for the script with that name, or undef if that script was not run. The value of the \*(L"output\*(R" key is the text output of the script. The value of the \&\*(L"contents\*(R" key is a data structure based on the \s-1XML\s0 output of the \s-1NSE\s0 script. .PP \fINmap::Parser::Host::OS\fR .IX Subsection "Nmap::Parser::Host::OS" .PP This object represents the Operating System signature (fingerprint) information of the given host. This object is obtained from an Nmap::Parser::Host object using the \f(CW\*(C`os_sig()\*(C'\fR method. One important thing to note is that the order of \s-1OS\s0 names and classes are sorted by \fB\s-1DECREASING ACCURACY\s0\fR. This is more important than alphabetical ordering. Therefore, a basic call to any of these functions will return the record with the highest accuracy. (Which is probably the one you want anyways). .IP "\fB\fBall_names()\fB\fR" 4 .IX Item "all_names()" Returns the list of all the guessed \s-1OS\s0 names for the given host. .IP "\fB\fBclass_accuracy()\fB\fR" 4 .IX Item "class_accuracy()" .PD 0 .IP "\fBclass_accuracy($index)\fR" 4 .IX Item "class_accuracy($index)" .PD A basic call to \fBclass_accuracy()\fR returns the osclass accuracy of the first record. If \f(CW$index\fR is given, it returns the osclass accuracy for the given record. The index starts at 0. .IP "\fB\fBclass_count()\fB\fR" 4 .IX Item "class_count()" Returns the total number of \s-1OS\s0 class records obtained from the nmap scan. .IP "\fB\fBname()\fB\fR" 4 .IX Item "name()" .PD 0 .IP "\fBname($index)\fR" 4 .IX Item "name($index)" .IP "\fB\fBnames()\fB\fR" 4 .IX Item "names()" .IP "\fBnames($index)\fR" 4 .IX Item "names($index)" .PD A basic call to \fBname()\fR returns the \s-1OS\s0 name of the first record which is the name with the highest accuracy. If \f(CW$index\fR is given, it returns the name for the given record. The index starts at 0. .IP "\fB\fBname_accuracy()\fB\fR" 4 .IX Item "name_accuracy()" .PD 0 .IP "\fBname_accuracy($index)\fR" 4 .IX Item "name_accuracy($index)" .PD A basic call to \fBname_accuracy()\fR returns the \s-1OS\s0 name accuracy of the first record. If \f(CW$index\fR is given, it returns the name for the given record. The index starts at 0. .IP "\fB\fBname_count()\fB\fR" 4 .IX Item "name_count()" Returns the total number of \s-1OS\s0 names (records) for the given host. .IP "\fB\fBosfamily()\fB\fR" 4 .IX Item "osfamily()" .PD 0 .IP "\fBosfamily($index)\fR" 4 .IX Item "osfamily($index)" .PD A basic call to \fBosfamily()\fR returns the \s-1OS\s0 family information of the first record. If \f(CW$index\fR is given, it returns the \s-1OS\s0 family information for the given record. The index starts at 0. .IP "\fB\fBosgen()\fB\fR" 4 .IX Item "osgen()" .PD 0 .IP "\fBosgen($index)\fR" 4 .IX Item "osgen($index)" .PD A basic call to \fBosgen()\fR returns the \s-1OS\s0 generation information of the first record. If \f(CW$index\fR is given, it returns the \s-1OS\s0 generation information for the given record. The index starts at 0. .IP "\fB\fBportused_closed()\fB\fR" 4 .IX Item "portused_closed()" Returns the closed port number used to help identify the \s-1OS\s0 signatures. This might not be available for all hosts. .IP "\fB\fBportused_open()\fB\fR" 4 .IX Item "portused_open()" Returns the open port number used to help identify the \s-1OS\s0 signatures. This might not be available for all hosts. .IP "\fB\fBos_fingerprint()\fB\fR" 4 .IX Item "os_fingerprint()" Returns the \s-1OS\s0 fingerprint used to help identify the \s-1OS\s0 signatures. This might not be available for all hosts. .IP "\fB\fBtype()\fB\fR" 4 .IX Item "type()" .PD 0 .IP "\fBtype($index)\fR" 4 .IX Item "type($index)" .PD A basic call to \fBtype()\fR returns the \s-1OS\s0 type information of the first record. If \f(CW$index\fR is given, it returns the \s-1OS\s0 type information for the given record. The index starts at 0. .IP "\fB\fBvendor()\fB\fR" 4 .IX Item "vendor()" .PD 0 .IP "\fBvendor($index)\fR" 4 .IX Item "vendor($index)" .PD A basic call to \fBvendor()\fR returns the \s-1OS\s0 vendor information of the first record. If \f(CW$index\fR is given, it returns the \s-1OS\s0 vendor information for the given record. The index starts at 0. .PP \fINmap::Parser::Host::TraceHop\fR .IX Subsection "Nmap::Parser::Host::TraceHop" .PP This object represents a router on the \s-1IP\s0 path towards the destination or the destination itself. This is similar to what the \f(CW\*(C`traceroute\*(C'\fR command outputs. .PP Nmap::Parser::Host::TraceHop objects are obtained through the \&\f(CW\*(C`all_trace_hops()\*(C'\fR and \f(CW\*(C`trace_hop()\*(C'\fR Nmap::Parser::Host methods. .IP "\fB\fBttl()\fB\fR" 4 .IX Item "ttl()" The Time To Live is the network distance of this hop. .IP "\fB\fBrtt()\fB\fR" 4 .IX Item "rtt()" The Round Trip Time is roughly equivalent to the \*(L"ping\*(R" time towards this hop. It is not always available (in which case it will be undef). .IP "\fB\fBipaddr()\fB\fR" 4 .IX Item "ipaddr()" The known \s-1IP\s0 address of this hop. .IP "\fB\fBhost()\fB\fR" 4 .IX Item "host()" The host name of this hop, if known. .SH "EXAMPLES" .IX Header "EXAMPLES" I think some of us best learn from examples. These are a couple of examples to help create custom security audit tools using some of the nice features of the Nmap::Parser module. Hopefully this can double as a tutorial. More tutorials (articles) can be found at .SS "Real-Time Scanning" .IX Subsection "Real-Time Scanning" You can run a nmap scan and have the parser parse the information automagically. The only constraint is that you cannot use '\-oX', '\-oN', or '\-oG' as one of your arguments for nmap command line parameters passed to \fBparsescan()\fR. .PP .Vb 1 \& use Nmap::Parser; \& \& my $np = new Nmap::Parser; \& my @hosts = @ARGV; #get hosts from cmd line \& \& #runs the nmap command with hosts and parses it automagically \& $np\->parsescan(\*(Aq/usr/bin/nmap\*(Aq,\*(Aq\-sS O \-p 1\-1023\*(Aq,@hosts); \& \& for my $host ($np\->all_hosts()){ \& print $host\->hostname."\en"; \& #do mor stuff... \& } .Ve .PP If you would like to run the scan using \fBparsescan()\fR but also save the scan xml output, you can use \fBcache_scan()\fR. You must call \fBcache_scan()\fR \s-1BEFORE\s0 you initiate the \fBparsescan()\fR method. .PP .Vb 2 \& use Nmap::Parser; \& my $np = new Nmap::Parser; \& \& #telling np to save output \& $np\->cache_scan(\*(Aqnmap.localhost.xml\*(Aq); \& $np\->parsescan(\*(Aq/usr/bin/nmap\*(Aq,\*(Aq\-F\*(Aq,\*(Aqlocalhost\*(Aq); \& #do other stuff... .Ve .SS "Callbacks" .IX Subsection "Callbacks" This is probably the easiest way to write a script with using Nmap::Parser, if you don't need the general scan session information. During the parsing process, the parser will obtain information of every host. The callback function (in this case '\fBbooyah()\fR') is called after the parsing of every host (sequentially). When the callback returns, the parser will delete all information of the host it had sent to the callback. This callback function is called for every host that the parser encounters. \fIThe callback function must be setup before parsing\fR .PP .Vb 2 \& use Nmap::Parser; \& my $np = new Nmap::Parser; \& \& \& $np\->callback( \e&booyah ); \& \& $np\->parsefile(\*(Aqnmap_results.xml\*(Aq); \& # or use parsescan() \& \& sub booyah { \& my $host = shift; #Nmap::Parser::Host object, just parsed \& print \*(AqIP: \*(Aq,$host\->addr,"\en"; \& # ... do more stuff with $host ... \& \& #when it returns, host object will be deleted from memory \& #(good for processing VERY LARGE files or scans) \& } .Ve .ie n .SS "Multiple Instances \- (""no less \*(Aqof\*(Aq; my $self"")" .el .SS "Multiple Instances \- (\f(CWno less \*(Aqof\*(Aq; my $self\fP)" .IX Subsection "Multiple Instances - (no less of; my $self)" Using multiple instances of Nmap::Parser is extremely useful in helping audit/monitor the network \fBP\fRolicy (ohh noo! its that 'P' word!). In this example, we have a set of hosts that had been scanned previously for tcp services where the image was saved in \fIbase_image.xml\fR. We now will scan the same hosts, and compare if any new tcp have been open since then (good way to look for suspicious new services). Easy security \fBC\fRompliance detection. (ooh noo! The 'C' word too!). .PP .Vb 4 \& use Nmap::Parser; \& use vars qw($nmap_exe $nmap_args @ips); \& my $base = new Nmap::Parser; \& my $curr = new Nmap::Parser; \& \& \& $base\->parsefile(\*(Aqbase_image.xml\*(Aq); #load previous state \& $curr\->parsescan($nmap_exe, $nmap_args, @ips); #scan current hosts \& \& for my $ip ($curr\->get_ips ) \& { \& #assume that IPs in base == IPs in curr scan \& my $ip_base = $base\->get_host($ip); \& my $ip_curr = $curr\->get_host($ip); \& my %port = (); \& \& #find ports that are open that were not open before \& #by finding the difference in port lists \& my @diff = grep { $port{$_} < 2} \& (map {$port{$_}++; $_} \& ( $ip_curr\->tcp_open_ports , $ip_base\->tcp_open_ports )); \& \& print "$ip has these new ports open: ".join(\*(Aq,\*(Aq,@diff) if(scalar @diff); \& \& for (@diff){print "$_ seems to be ",$ip_curr\->tcp_service($_)\->name,"\en";} \& \& } .Ve .SH "SUPPORT" .IX Header "SUPPORT" .SS "Discussion Forum" .IX Subsection "Discussion Forum" If you have questions about how to use the module, or any of its features, you can post messages to the Nmap::Parser module forum on CPAN::Forum. .SS "Bug Reports, Enhancements, Merge Requests" .IX Subsection "Bug Reports, Enhancements, Merge Requests" Please submit any bugs or feature requests to: .PP \&\fBPlease make sure that you submit the xml-output file of the scan which you are having trouble with.\fR This can be done by running your scan with the \fI\-oX filename.xml\fR nmap switch. Please remove any important \s-1IP\s0 addresses for security reasons. It saves time in reproducing issues. .SH "SEE ALSO" .IX Header "SEE ALSO" .Vb 1 \& nmap, XML::Twig .Ve .PP The Nmap::Parser page can be found at: . It contains the latest developments on the module. The nmap security scanner homepage can be found at: . .SH "AUTHORS" .IX Header "AUTHORS" Origiinal author, Anthony Persaud . However, special thanks to: Daniel Miller and Robin Bowes . Please see Changes.md file for a list of other great contributors. .SH "COPYRIGHT Copyright (c) <2003\-2017> " .IX Header "COPYRIGHT Copyright (c) <2003-2017> " \&\s-1MIT\s0 License .PP Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \*(L"Software\*(R"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: .PP The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. .PP \&\s-1THE SOFTWARE IS PROVIDED \*(L"AS IS\*(R", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\s0