Skip to main content

Introduction


Revision History​

DateAuthorSummary
06-NOV-2022TSgt. BernadotteInitial draft
27-DEC-2022TSgt. BernadotteUpdated references to required scripts
13-JUN-2023TSgt. BernadotteConverted document to markdown
19-JAN-2024TSgt. BernadotteUpdated instructions to import to Elastic
03-AUG-2024TSgt. BernadotteUpdated documentation for excluding IPs

End-State​

The purpose of this SOP is to create standardized nmap scan results that will be stored in Elasticsearch for easy accessibility and searchability.

  1. Nmap DNS resolved hostname results will be populated in the Elasticsearch nmap index and searchable with: event.dataset:"hostname-scan"
  2. Nmap ping scan results will be populated in the Elasticsearch nmap index and searchable with: event.dataset:"ping-scan"
  3. Nmap port scan results populated in the Elasticsearch nmap index and searchable with: event.dataset:"port-scan"
  4. Nmap service detection results populated in the Elasticsearch nmap index and searchable with: event.dataset:"svc-scan"
  5. Nmap OS detection results populated in the Elasticsearch nmap index and searchable with: event.dataset:"os-scan"

Requirements​

  1. 262COS-Nmap_Scanner-SCRIPT-001 (nmap-scanner.sh)
  2. 262COS-Import_To_Elasticsearch-SCRIPT-001 (Import-ToElasticsearch.psm1)
  3. An Elasticsearch server

Considerations​

There are three scanning options outlined in this SOP:

  1. The default Option 1 is to scan nmap’s top 1000 TCP ports plus WinRM (which is not included in the top 1000)
  2. Option 2 is to scan well-known remote management ports – information required by host analysts for host interaction
  3. Option 3 is to scan ALL 0-65535 TCP and UDP ports, which is comprehensive but takes a LONG time

Some limitations of the nmap-scanner.sh script:

  1. The nmap-scanner.sh script is written for the specific purpose of translating ping, port, service detection, and OS detection scan results into CSV and JSON formats
  2. The nmap-scanner.sh script does not provide the ability to translate more complex or use-case specific nmap scan results into CSV or JSON (which is why it is hardcoded to the most common scans executed during a mission)