Haktip 108 – NMap 101: NDiff and Your Tips!

Today on HakTip, Shannon shows off NDiff, a program inside NMap that lets you compare XML outputs.


Ndiff is a tool that compares two Nmap XML output files and shows you the differences between them. Remember episode 103? That’s where I showed you how to output to an XML file.

To use it, type: ndiff test1.xml test2.xml. A minus sign at the start of a line marks something that was only in the first file, and a plus sign marks something that was only in the second. You can also add -v to ndiff to see a verbose version of the differences. If you type ndiff --xml a.xml b.xml, the diff is printed as XML on your screen, and you can then save that output into a new XML file if you want to.
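As an added example (not from the episode and not the Nmap project’s own ndiff code), here is a small Python script that does the core of what ndiff does: parse two Nmap XML outputs and print the per-port differences with the same - and + markers. The two XML documents are constructed samples for a hypothetical host, not real scan output.

```python
"""Minimal ndiff-style comparison of two Nmap XML outputs."""
import xml.etree.ElementTree as ET

# Constructed sample scans of a hypothetical host (assumed address 10.73.0.5).
# SCAN_A: ssh and http open.  SCAN_B: ssh now closed, https newly open.
SCAN_A = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="10.73.0.5" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
</ports></host></nmaprun>"""

SCAN_B = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="10.73.0.5" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="closed"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
</ports></host></nmaprun>"""


def parse_ports(xml_text):
    """Return {addr: {(proto, port): (state, service_name)}} from Nmap XML."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        ports = {}
        for p in host.iter("port"):
            key = (p.get("protocol"), int(p.get("portid")))
            svc = p.find("service")
            name = svc.get("name") if svc is not None else ""
            ports[key] = (p.find("state").get("state"), name)
        result[addr] = ports
    return result


def diff_scans(xml_a, xml_b):
    """ndiff-like lines: '-' = only in the first scan, '+' = only in the second."""
    a, b = parse_ports(xml_a), parse_ports(xml_b)
    lines = []
    for addr in sorted(set(a) | set(b)):
        pa, pb = a.get(addr, {}), b.get(addr, {})
        for proto, port in sorted(set(pa) | set(pb)):
            key = (proto, port)
            if pa.get(key) == pb.get(key):
                continue  # unchanged port: not reported, just like ndiff
            if key in pa:
                lines.append(f"-{addr} {port}/{proto} {pa[key][0]} {pa[key][1]}")
            if key in pb:
                lines.append(f"+{addr} {port}/{proto} {pb[key][0]} {pb[key][1]}")
    return lines


if __name__ == "__main__":
    print("\n".join(diff_scans(SCAN_A, SCAN_B)))
```

Run against the samples, it reports port 22 changing from open to closed and port 443 appearing, while the unchanged port 80 is left out.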

You can also interact with a scan while it is running, so you don’t have to rerun it to change how it reports. You can increase verbosity with ‘v’, increase debugging with ‘d’, type ‘p’ for packet tracing, or ‘?’ to see the help menu. This is called Runtime Interaction.

Now for a couple of good tips from our viewers: Matt says: I figured I’d point out the tool ncat which typically comes with nmap from the repositories. The nice thing about this version is it has two new options, --recv-only and --send-only. They are useful for one-way transfers since by default netcat is two-way. The thing is that even if netcat is finished receiving or sending data, it will still keep the connection open for the other direction. With the options mentioned above, once the file is sent or received, it will shut down so you don’t have to ^C either end. Just thought you might find that useful.

From Sergei: You had trouble getting DNS resolution to work when you were scanning your local 10.73 network. There is nothing wrong with your Linux laptop. If you were to use your ISP’s DNS server, it wouldn’t be able to resolve these addresses, since the 10.x block of IPs is a private range and can only exist behind a firewall on a home or business network. None of the public DNS servers would know what to do with 10.x addresses. Another way to resolve IP addresses would be to use the local hosts file, which is /etc/hosts on Linux. This is actually the first place where your computer looks to resolve an IP address. You would have to type each existing host IP in your 10.73 network and its host name. If there is nothing in /etc/hosts, your laptop moves on to the DNS server to get name resolution. DNS servers are specified in the /etc/resolv.conf file, but it doesn’t look like you are running your own internal DNS server on the Hak5 network, so the lookup on your ISP’s server (which you probably get from DHCP) fails and NMAP only shows IPs, but no names.

And from DuMuT6p: Wanted to point out that the SERVICE column will show a name based on the port. So if you change your ssh server to port 666, nmap will show that Doom is running. Really proud of discovering this myself after an hour of searching why my Linux has a Windows service 😀

Let me know what you think. Send me a comment below or email us at [email protected]. And be sure to check out our sister show, Hak5 for more great stuff just like this. I’ll be there, reminding you to trust your technolust.
