Introduction
Revision Historyβ
| Date | Author | Summary |
|---|---|---|
| 06-NOV-2022 | TSgt. Bernadotte | Initial draft |
| 27-DEC-2022 | TSgt. Bernadotte | Updated references to required scripts |
| 13-JUN-2023 | TSgt. Bernadotte | Converted document to markdown |
| 19-JAN-2024 | TSgt. Bernadotte | Updated instructions to import to Elastic |
| 03-AUG-2024 | TSgt. Bernadotte | Updated documentation for excluding IPs |
End-Stateβ
The purpose of this SOP is to create standardized nmap scan results that will be stored in Elasticsearch for easy accessibility and searchability.
- Nmap DNS resolved hostname results will be populated in the Elasticsearch
nmapindex and searchable with:event.dataset:"hostname-scan" - Nmap ping scan results will be populated in the Elasticsearch
nmapindex and searchable with:event.dataset:"ping-scan" - Nmap port scan results populated in the Elasticsearch
nmapindex and searchable with:event.dataset:"port-scan" - Nmap service detection results populated in the Elasticsearch
nmapindex and searchable with:event.dataset:"svc-scan" - Nmap OS detection results populated in the Elasticsearch
nmapindex and searchable with:event.dataset:"os-scan"
Requirementsβ
262COS-Nmap_Scanner-SCRIPT-001(nmap-scanner.sh)262COS-Import_To_Elasticsearch-SCRIPT-001(Import-ToElasticsearch.psm1)- An Elasticsearch server
Considerationsβ
There are three scanning options outlined in this SOP:
- The default
Option 1is to scan nmapβs top 1000 TCP ports plus WinRM (which is not included in the top 1000) Option 2is to scan well-known remote management ports β information required by host analysts for host interactionOption 3is to scan ALL 0-65535 TCP and UDP ports, which is comprehensive but takes a LONG time
Some limitations of the nmap-scanner.sh script:
- The
nmap-scanner.shscript is written for the specific purpose of translating ping, port, service detection, and OS detection scan results into CSV and JSON formats - The
nmap-scanner.shscript does not provide the ability to translate more complex or use-case specific nmap scan results into CSV or JSON (which is why it is hardcoded to the most common scans executed during a mission)