Nmapping like Jesus

Asphyxia

Owner
Administrator
Apr 25, 2015
1,845
2
2,199
327
Firstly, how about we use some quick Windows tricks?

Code:
ipconfig | findstr "v4"
1580154049962.png

Pretty damn awesome. Now, can we convert this process into VB.NET to make this a Visual Studio app, so end-users can sit back and click buttons instead of typing commands? Yes.
1580154180957.png

Code:
Public Class Form1
    Private Sub Form1_Load(sender As Object, e As EventArgs) Handles MyBase.Load

        'resolve this machine's host name once, then fetch every address bound to it
        'in a single lookup instead of calling GetHostEntry on every loop iteration
        Dim strHostName As String = System.Net.Dns.GetHostName()
        Dim addresses As System.Net.IPAddress() = System.Net.Dns.GetHostEntry(strHostName).AddressList

        'list both IPv4 and IPv6 addresses; filter on AddressFamily if only v4 is wanted
        For Each addr As System.Net.IPAddress In addresses
            ListBox1.Items.Add(addr.ToString())
        Next

    End Sub
End Class
 

Asphyxia

What if we want to list all the network interfaces? Ahh, bitch.. here we go:
Code:
Imports System.Net.NetworkInformation
Imports System.Net.Sockets

Public Class Form1
    Private Sub Form1_Load(sender As Object, e As EventArgs) Handles MyBase.Load

        Dim nics As NetworkInterface() = NetworkInterface.GetAllNetworkInterfaces()

        For Each netadapter As NetworkInterface In nics
            'interface properties hold the unicast addresses bound to this adapter
            Dim intproperties As IPInterfaceProperties = netadapter.GetIPProperties()

            'get first number of the adapter's IPv4 address, or "NOPE" if it has none.
            'Checking AddressFamily avoids guessing that index 1 is the IPv4 entry
            '(the order is not fixed and the old UnicastAddresses(1) could throw).
            Dim firstnum As String = "NOPE"
            For Each unicast As UnicastIPAddressInformation In intproperties.UnicastAddresses
                If unicast.Address.AddressFamily = AddressFamily.InterNetwork Then
                    Dim ip As String = unicast.Address.ToString()
                    firstnum = ip.Substring(0, ip.IndexOf("."c))
                    Exit For
                End If
            Next

            'check if first number is a valid, non-local IPv4 address
            'If Val(firstnum) > 0 And Not Val(firstnum) = 169 And Not Val(firstnum) = 127 Then

            'now add the network adapter name to the list
            If netadapter.OperationalStatus = OperationalStatus.Up Then
                ListBox1.Items.Add(netadapter.Name)
            End If
            'End If

        Next

    End Sub
End Class

1580154865586.png

The commented-out pieces: I firmly believe that logic is there to avoid listing local addresses, for example, perhaps to only display externally assigned IP addresses, if that makes sense.

At this point, we could also gather other useful information, for example bytes received and bytes sent:
1580155096994.png

This kind of gives you a rough idea of which network adapter is most in use, in the event you are looking to see which host likely needs to be scanned. You could perhaps implement a timer that every 5 seconds creates a sparkline like this:
1580155187054.png

For example, this looks aight: https://stackoverflow.com/a/32047889
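Putting the pieces of this post together (the 127/169 filter that was commented out, the bytes sent/received counters, and a subnet to hand to a scanner later), here is an added example; it is not code from the original post. It assumes a WinForms or console project on .NET Framework or .NET Core, uses only System.Net.NetworkInformation, and checks the address bytes rather than splitting the string on ".", so the filter cannot be fooled by an IPv6 entry landing at index 1:

```vb
Imports System
Imports System.Collections.Generic
Imports System.Net
Imports System.Net.NetworkInformation
Imports System.Net.Sockets

' Added example (not code from the original post): enumerate adapters that are Up
' and hold a routable IPv4 address, attach their byte counters, and derive the
' subnet they sit on so it can later be fed to Nmap or a TreeView.
Public Module AdapterInfo

    Public Class AdapterSummary
        Public Property Name As String
        Public Property Address As IPAddress
        Public Property PrefixLength As Integer
        Public Property BytesSent As Long
        Public Property BytesReceived As Long

        ' The subnet this adapter is attached to, e.g. 192.168.0.0/24
        Public ReadOnly Property Cidr As String
            Get
                Return NetworkAddress(Address, PrefixLength).ToString() & "/" & PrefixLength.ToString()
            End Get
        End Property
    End Class

    ' 127.0.0.0/8 (loopback) and 169.254.0.0/16 (APIPA, i.e. no DHCP lease) are the
    ' addresses the commented-out Val(firstnum) filter in the post was dropping.
    Public Function IsLocalOnly(addr As IPAddress) As Boolean
        Dim b As Byte() = addr.GetAddressBytes()
        Return IPAddress.IsLoopback(addr) OrElse (b(0) = 169 AndAlso b(1) = 254)
    End Function

    ' Count the set bits of a dotted subnet mask (255.255.255.0 -> 24).
    Public Function PrefixFromMask(mask As IPAddress) As Integer
        Dim count As Integer = 0
        For Each octet As Byte In mask.GetAddressBytes()
            Dim v As Integer = octet
            While v <> 0
                count += (v And 1)
                v >>= 1
            End While
        Next
        Return count
    End Function

    ' Zero the host bits of an IPv4 address for the given prefix length.
    Public Function NetworkAddress(addr As IPAddress, prefix As Integer) As IPAddress
        Dim b As Byte() = addr.GetAddressBytes()
        For i As Integer = 0 To 3
            Dim bitsKept As Integer = Math.Max(0, Math.Min(8, prefix - 8 * i))
            Dim octetMask As Integer = (&HFF << (8 - bitsKept)) And &HFF
            b(i) = CByte(b(i) And octetMask)
        Next
        Return New IPAddress(b)
    End Function

    ' Up adapters with a routable IPv4 address, plus their IPv4 traffic counters.
    Public Function ListCandidates() As List(Of AdapterSummary)
        Dim result As New List(Of AdapterSummary)
        For Each nic As NetworkInterface In NetworkInterface.GetAllNetworkInterfaces()
            If nic.OperationalStatus <> OperationalStatus.Up Then Continue For
            For Each uni As UnicastIPAddressInformation In nic.GetIPProperties().UnicastAddresses
                If uni.Address.AddressFamily <> AddressFamily.InterNetwork Then Continue For
                If IsLocalOnly(uni.Address) Then Continue For
                Dim stats As IPv4InterfaceStatistics = nic.GetIPv4Statistics()
                result.Add(New AdapterSummary With {
                    .Name = nic.Name,
                    .Address = uni.Address,
                    .PrefixLength = PrefixFromMask(uni.IPv4Mask),
                    .BytesSent = stats.BytesSent,
                    .BytesReceived = stats.BytesReceived})
            Next
        Next
        Return result
    End Function

    ' The adapter that has moved the most traffic is the best guess for the
    ' network worth scanning first (what the bytes sent/received columns hint at).
    Public Function Busiest(candidates As IEnumerable(Of AdapterSummary)) As AdapterSummary
        Dim best As AdapterSummary = Nothing
        For Each c As AdapterSummary In candidates
            If best Is Nothing OrElse c.BytesSent + c.BytesReceived > best.BytesSent + best.BytesReceived Then
                best = c
            End If
        Next
        Return best
    End Function

    ' Bytes per second between two snapshots of the same adapter; call from a
    ' 5-second Timer and append the value to the sparkline.
    Public Function Throughput(previous As AdapterSummary, current As AdapterSummary, seconds As Double) As Double
        Dim delta As Long = (current.BytesSent + current.BytesReceived) - (previous.BytesSent + previous.BytesReceived)
        Return delta / seconds
    End Function
End Module
```

In Form_Load, `ListBox1.Items.Add(AdapterInfo.Busiest(AdapterInfo.ListCandidates()).Cidr)` gives the subnet to scan first; keep the previous `AdapterSummary` in a field and call `Throughput` from the Timer tick to feed the sparkline. The `Busiest` check is a heuristic only: counters are cumulative since the adapter came up, so a long-idle wired link can outrank the Wi-Fi you are actually on, which is why sampling deltas matters.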
 

Asphyxia

Anyway, what we have done thus far is get things primed for swapping the intel over to Nmap. Now, assuming the user has Nmap installed, we are going to call over to Nmap to log results and display them. This is cool for inspecting how sockets work in VB: https://www.codeproject.com/Articles/17257/VB-Port-Scanner

1580156650597.png

When researching this, we need to be aware of multithreading and how it works regarding networking/sockets.

1580158244755.png

This is nice. I think using a TreeView is going to be the best option, since we can split things up by their CIDR, for example 127.0.0.1/22 or /24, etc.

Pretty hyped to be performing Nmap scans in the GUI.
 

Asphyxia

Code:
        'make sure the working directory for scan output exists before Nmap writes into it
        If My.Computer.FileSystem.DirectoryExists("C:\Pharoso") Then
            'Dim logInfo = My.Computer.FileSystem.GetDirectoryInfo(
            '"C:\backup\logs")
            'Life goes on
        Else
            My.Computer.FileSystem.CreateDirectory("C:\Pharoso")
        End If

So what we are going to do after this is launch Nmap:
Code:
'-oG writes grepable output; AppWinStyle.Hide keeps the console window out of sight
Shell("nmap -p1-60000 localhost -oG C:\Pharoso\1561984984.txt", AppWinStyle.Hide)

Keep in mind that 1561984984.txt could be a totally random number; the point of this file name is to act only as a temporary holder of Nmap scan intelligence.

Why? We need to wait for Nmap to finish the scan, then use a timer to see if/when the data is written out to the file, so we can pull the Nmap scan data into the VB.NET app.

This will involve parsing all the IP addresses, including ports open and such.

I will be experimenting with ways to parse this intel, so we can get working info showing in either a spreadsheet, a TreeView, or whatever else.

Example of working around TreeView:
Code:
        'find the existing "Node3" node anywhere in the tree and hang an "Alive" node under it
        Dim MyNode() As TreeNode
        MyNode = TreeView1.Nodes.Find("Node3", True)
        MyNode(0).Nodes.Add("Alive", "Alive")

        'then locate "Alive" by its key and add a host under it
        MyNode = TreeView1.Nodes.Find("Alive", True)
        MyNode(0).Nodes.Add("192.168.0.1", "192.168.0.1")
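The two previous posts sketch one procedure: launch Nmap, wait for the -oG file, parse hosts and open ports out of it, then hang the results off a TreeView by CIDR. As an added example (not the author's code), here is that procedure end to end, with two changes a practitioner would want. `Process` is used instead of `Shell()`, with the target validated against a whitelist pattern, so text typed into a GUI box cannot smuggle extra arguments onto the command line; and `WaitForExit` replaces the timer that polls the file. The `nmap` binary on PATH, the `C:\Pharoso` directory, the `.gnmap` suffix and the sample output are all assumptions; the sample lines follow the real grepable format but are constructed here, not captured from a scan:

```vb
Imports System
Imports System.Collections.Generic
Imports System.Diagnostics
Imports System.IO
Imports System.Text.RegularExpressions
Imports System.Windows.Forms

' Added example (not code from the original post): run Nmap via Process rather than
' Shell(), wait for it instead of polling with a timer, parse the -oG file into
' host -> open ports, and hang the result off a TreeView grouped by /24.
Public Module NmapRunner

    Public Class HostResult
        Public Property Address As String
        Public Property OpenPorts As New List(Of Integer)
    End Class

    ' Hostname, IPv4 address or IPv4 CIDR only. Anything else (spaces, quotes, "&",
    ' "|", "-" at the start) is refused, so GUI input cannot inject extra arguments.
    Private ReadOnly TargetPattern As New Regex("^[A-Za-z0-9][A-Za-z0-9.\-]*(/\d{1,2})?$")

    Public Function IsSafeTarget(target As String) As Boolean
        Return TargetPattern.IsMatch(target)
    End Function

    ' Launch "nmap -p1-60000 <target> -oG <file>" and block until it exits.
    ' Assumes nmap is on PATH and outputDir (e.g. C:\Pharoso) already exists.
    ' Call this from a background thread/Task so the form stays responsive.
    Public Function RunScan(target As String, outputDir As String) As String
        If Not IsSafeTarget(target) Then
            Throw New ArgumentException("Refusing suspicious target: " & target)
        End If
        Dim outFile As String = Path.Combine(outputDir, Path.GetRandomFileName() & ".gnmap")
        Dim psi As New ProcessStartInfo("nmap") With {
            .Arguments = "-p1-60000 " & target & " -oG """ & outFile & """",
            .UseShellExecute = False,
            .CreateNoWindow = True,
            .RedirectStandardOutput = True}
        Using proc As Process = Process.Start(psi)
            proc.StandardOutput.ReadToEnd()   ' drain stdout so Nmap never blocks on a full pipe
            proc.WaitForExit()
            If proc.ExitCode <> 0 Then
                Throw New InvalidOperationException("nmap exited with code " & proc.ExitCode.ToString())
            End If
        End Using
        Return outFile
    End Function

    ' Parse grepable output. Fields are tab separated; a live host yields a
    ' "Status: Up" line and a "Ports:" line whose entries look like
    ' 22/open/tcp//ssh///  (port/state/protocol/owner/service/rpcinfo/version/).
    Public Function ParseGrepable(lines As IEnumerable(Of String)) As Dictionary(Of String, HostResult)
        Dim hosts As New Dictionary(Of String, HostResult)
        For Each line As String In lines
            If Not line.StartsWith("Host: ") Then Continue For
            Dim fields As String() = line.Split(ControlChars.Tab)
            If Array.IndexOf(fields, "Status: Down") >= 0 Then Continue For
            Dim addr As String = fields(0).Substring(6).Split(" "c)(0)
            If Not hosts.ContainsKey(addr) Then hosts(addr) = New HostResult With {.Address = addr}
            For Each field As String In fields
                If Not field.StartsWith("Ports: ") Then Continue For
                For Each entry As String In field.Substring(7).Split(","c)
                    Dim parts As String() = entry.Trim().Split("/"c)
                    If parts.Length > 1 AndAlso parts(1) = "open" Then
                        hosts(addr).OpenPorts.Add(Integer.Parse(parts(0)))
                    End If
                Next
            Next
        Next
        Return hosts
    End Function

    ' Range node -> "Alive" -> host -> open ports, so 192.168.0.0/24 and 10.0.0.0/24 stay apart.
    Public Sub PopulateTree(tree As TreeView, hosts As Dictionary(Of String, HostResult))
        tree.BeginUpdate()
        tree.Nodes.Clear()
        For Each h As HostResult In hosts.Values
            Dim o As String() = h.Address.Split("."c)
            Dim rangeKey As String = o(0) & "." & o(1) & "." & o(2) & ".0/24"
            Dim rangeNode As TreeNode = If(tree.Nodes.ContainsKey(rangeKey), tree.Nodes(rangeKey), tree.Nodes.Add(rangeKey, rangeKey))
            Dim alive As TreeNode = If(rangeNode.Nodes.ContainsKey("Alive"), rangeNode.Nodes("Alive"), rangeNode.Nodes.Add("Alive", "Alive"))
            Dim hostNode As TreeNode = alive.Nodes.Add(h.Address, h.Address)
            For Each p As Integer In h.OpenPorts
                hostNode.Nodes.Add(p.ToString(), p.ToString() & "/tcp open")
            Next
        Next
        tree.EndUpdate()
    End Sub

    ' Constructed sample -oG output so the parser can be tried without running Nmap.
    Public ReadOnly SampleGrepable As String() = {
        "# Nmap 7.80 scan initiated as: nmap -p1-60000 192.168.0.0/24 -oG out.gnmap",
        "Host: 192.168.0.1 ()" & vbTab & "Status: Up",
        "Host: 192.168.0.1 ()" & vbTab & "Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///" & vbTab & "Ignored State: filtered (59997)",
        "Host: 192.168.0.20 ()" & vbTab & "Status: Up",
        "Host: 192.168.0.20 ()" & vbTab & "Ports: 3389/open/tcp//ms-wbt-server///",
        "# Nmap done -- 256 IP addresses (2 hosts up) scanned in 41.20 seconds"}
End Module
```

For a dry run, `PopulateTree(TreeView1, ParseGrepable(SampleGrepable))` yields `192.168.0.0/24 > Alive > 192.168.0.1 > 22/tcp open, 80/tcp open` and `192.168.0.20 > 3389/tcp open`; the closed 443 is skipped. For the real thing, `ParseGrepable(File.ReadLines(RunScan(target, "C:\Pharoso")))` does the same against a scan, and the random file name keeps two concurrent scans from clobbering each other's output.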
 

Asphyxia

Ever get sick and tired of using tools like Nmap because you have to pretty much memorize the entire fucking manual?

Well, I don't normally, but after you begin thinking about all the NSE choices they have and managing all the data, the appeal of a GUI comes to mind.

Zenmap is not terrible but Zenmap is also trash.

Zenmap uses XML files primarily for a scan compare functionality; I am tempted to believe making this could be easy.

A while ago, there was a post on swift sweeping w/ Nmap: https://ciphers.pw/threads/nmap-ping-sweep-faster.8218/

The Zenmap GUI provides some insight into how one could build a better tool; in my strong opinion, there is a certain UGHHH feeling to Zenmap.

1580229142660.png

While this is not the worst software ever, it could feel more beautiful and professional, for example:
1580229236221.png

The above could firstly all be separated into a Page 1 > Define your scan boundary.

Page 2 > Depth of attack (FULL/Quick/Etc)..

Page 3 > Report generation

The above page examples are TOTALLY random and also not perfect.

Here is an example GUI that I literally threw together in seconds:
1580229344909.png

This is nowhere near completion, although between this and the Zenmap tool there are some quick differences.

For example, some differences include:
  1. A feature list could be built around security team usability, for example having an area to supply credentials for NSE scans, and eventually extending support to push discovered assets into a system like OpenVAS (GMP) - https://community.greenbone.net/t/openvas-api/1964/3
  2. Automation is key to any useful security tool, building with the mentality of set it and forget it.
  3. Support for using remote hosts to split scans, evenly distributed, for example using PowerShell on Windows and SSH for Linux.
  4. Lastly, having the ability to remotely deploy entire open source security deployments, for example: OpenVAS, Nmap, firewall, honeypot, then have these coexist healthily. All that is needed? An OS with SSH.
  5. Over an SSH connection to Scanner Nodes, the scan client could be actively refreshing the progress bar. An initial discovery scan could scan a test number of hosts to estimate future scan times, to display a fairly accurate progress bar. With that said, estimations are all they are. I still like estimations over seeing "10% done with part 1 of... part...." yeah?
1580230276787.png

fuNmap will automate a complete network discovery by bouncing around various possible hosts:
1580230353270.png

Essentially we breeze through all the 10s, 172s, 192s, and we see who is listening on 22/80/ping - where in the ranges? We just kind of play a game of battleship to effectively scout throughout the network at random. Hit a ship? Find port 80 open!! Great, now scan everything nearby until we stop detecting. Then go back to random seeking.

This method is going to be for anyone unaware of CIDRs/ranges. If you know the ranges, simply input them all into a list and kick back to relax.

Where I plan to develop this tool to:
1580230631723.png

At a very recent stage, this software will support new IP/service detection to fire off an email alert when:
  1. A new port is detected on a live host
  2. New host is detected in a range
  3. Other alert functionality will be supported like SMS on new host/service
The software will integrate SMTP authentication, with credentials stored encrypted at rest and decrypted by a configured secure password at software launch.

Configuration files and results will also be encrypted to keep stored information safe from prying eyes.
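The battleship walk described in this post (random /24s across the 10s, 172s and 192s; on a hit, scan the neighbours until they stop answering; then back to random) is an algorithm worth pinning down before wiring it to Nmap. The following is an added example and not fuNmap code. The probe is injected as a delegate so the walk can be dry-run against a constructed map; in the real tool that delegate would wrap a ping-sweep such as `nmap -sn -PE -PS22,80 <cidr>` and return whether anything answered. The block sizes, the /24 granularity, and the seeded `Random` are my choices, not the author's:

```vb
Imports System
Imports System.Collections.Generic

' Added example (not code from the original post): the "battleship" discovery walk
' over the RFC 1918 ranges, with the per-/24 probe injected so it can be dry-run.
Public Module BattleshipSweep

    ' A /24 is identified by its first three octets packed into one number (ip >> 8).
    ' 10.0.0.0/8 holds 65536 of them, 172.16.0.0/12 holds 4096, 192.168.0.0/16 holds 256.
    Private ReadOnly Starts As UInteger() = {&HA0000UI, &HAC1000UI, &HC0A800UI}
    Private ReadOnly Counts As UInteger() = {65536UI, 4096UI, 256UI}

    Public Function ToCidr(id As UInteger) As String
        Return (id >> 16).ToString() & "." & ((id >> 8) And &HFFUI).ToString() & "." & (id And &HFFUI).ToString() & ".0/24"
    End Function

    Public Function FromCidr(cidr As String) As UInteger
        Dim o As String() = cidr.Split("/"c)(0).Split("."c)
        Return (CUInt(o(0)) << 16) Or (CUInt(o(1)) << 8) Or CUInt(o(2))
    End Function

    Private Function BlockOf(id As UInteger) As Integer
        For i As Integer = 0 To Starts.Length - 1
            If id >= Starts(i) AndAlso id < Starts(i) + Counts(i) Then Return i
        Next
        Return -1
    End Function

    ' Pick a /24 uniformly across all three blocks, so 10/8 gets most of the draws.
    Private Function RandomSlash24(rng As Random) As UInteger
        Dim total As Integer = 0
        For Each c As UInteger In Counts
            total += CInt(c)
        Next
        Dim pick As Integer = rng.Next(total)
        For i As Integer = 0 To Starts.Length - 1
            If pick < CInt(Counts(i)) Then Return Starts(i) + CUInt(pick)
            pick -= CInt(Counts(i))
        Next
        Return Starts(0)
    End Function

    ' The adjacent /24 on either side, kept inside the same private block.
    Private Function Neighbours(id As UInteger) As List(Of UInteger)
        Dim result As New List(Of UInteger)
        Dim b As Integer = BlockOf(id)
        If b < 0 Then Return result
        If id > Starts(b) Then result.Add(id - 1UI)
        If id + 1UI < Starts(b) + Counts(b) Then result.Add(id + 1UI)
        Return result
    End Function

    ' probe(cidr) answers "is anything in this /24 listening on 22/80/ping?".
    ' knownRanges are scanned first (the "if you know the ranges, input them" case);
    ' every hit queues its neighbours, and once nothing nearby is left the walk goes
    ' back to random seeking. Returns the live /24s in discovery order.
    Public Function Sweep(probe As Func(Of String, Boolean), knownRanges As IEnumerable(Of String),
                          maxProbes As Integer, seed As Integer) As List(Of String)
        Dim rng As New Random(seed)
        Dim visited As New HashSet(Of UInteger)
        Dim pending As New Queue(Of UInteger)
        Dim found As New List(Of String)
        For Each r As String In knownRanges
            pending.Enqueue(FromCidr(r))
        Next
        Dim probes As Integer = 0
        While probes < maxProbes
            Dim target As UInteger = If(pending.Count > 0, pending.Dequeue(), RandomSlash24(rng))
            If Not visited.Add(target) Then Continue While   ' already probed: skip, no budget spent
            probes += 1
            If probe(ToCidr(target)) Then
                found.Add(ToCidr(target))
                For Each n As UInteger In Neighbours(target)
                    If Not visited.Contains(n) Then pending.Enqueue(n)
                Next
            End If
        End While
        Return found
    End Function

    ' Dry run against a constructed map of four live /24s, seeded with one known range.
    Public Function DemoRun() As List(Of String)
        Dim live As New HashSet(Of String) From {"192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "10.20.30.0/24"}
        Return Sweep(Function(cidr) live.Contains(cidr), {"192.168.1.0/24"}, 50, 1)
    End Function
End Module
```

`DemoRun` finds 192.168.1.0/24 from the seed, expands to 192.168.0.0/24 and 192.168.2.0/24, misses on 192.168.3.0/24, and then spends the rest of its 50 probes seeking at random; with one live /24 hidden in the 65536 that make up 10/8, the random phase is where a budget is essential, and in practice you would raise the probe count, or drop knownRanges in from the adapter subnets discovered earlier in this thread, rather than rely on luck.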
 