1

使用 Linux,我正在寻找过滤掉仅与 XP 匹配的机器的数据并删除连续的“nmap 扫描报告”行。

Nmap scan report for 13.93.27.138
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
|   OS: Windows XP (Windows 2000 LAN Manager)
Nmap scan report for 13.93.27.139
Nmap scan report for 13.93.27.140
Nmap scan report for 13.93.27.141
Nmap scan report for 13.93.27.143
445/tcp   open  microsoft-ds Microsoft Windows XP microsoft-ds
Aggressive OS guesses: Microsoft Windows 2003 Small Business Server SP1 (91%), Microsoft Windows Server 2003 SP2 (91%), Microsoft Windows Server 2003 SP1 or SP2 (86%), Microsoft Windows XP Professional SP2 (French) (85%)
|   OS: Windows XP (Windows 2000 LAN Manager)
Nmap scan report for 13.93.27.144
Nmap scan report for 13.93.27.147
445/tcp   open  microsoft-ds Microsoft Windows XP microsoft-ds
Aggressive OS guesses: Microsoft Windows 2003 Small Business Server SP1 (91%), Microsoft Windows Server 2003 SP2 (90%), Microsoft Windows XP Professional SP2 (French) (85%), Microsoft Windows Server 2003 SP1 or SP2 (85%)
|   OS: Windows XP (Windows 2000 LAN Manager)
Nmap scan report for 13.93.27.148
OS: Windows XP (Windows 2000 LAN Manager)
Nmap scan report for 13.93.27.191
445/tcp   open  microsoft-ds Microsoft Windows XP microsoft-ds
Aggressive OS guesses: Microsoft Windows 2003 Small Business Server SP1 (91%), Microsoft Windows Server 2003 SP2 (91%), Microsoft Windows Server 2003 SP1 or SP2 (86%), Microsoft Windows XP Professional SP2 (French) (85%)
|   OS: Windows XP (Windows 2000 LAN Manager)
Nmap scan report for 13.93.27.192
OS details: Microsoft Windows 2000 SP2 - SP4, Windows XP SP2 - SP3, or Windows Server 2003 SP0 - SP2

寻找仅显示的报告:

Nmap scan report for 13.93.27.138
OS: Windows XP (Windows 2000 LAN Manager)
Nmap scan report for 13.93.27.147
OS: Windows XP (Windows 2000 LAN Manager)

我的想法是使用 awk、grep、sed 或 perl:m/^Nmap。\n。!(^Nmap).*/m 查找以 Nmap 开头的行,并在换行符之后复制不以 Nmap 开头的下一行,例如“OS: Windows XP”。然后重新开始...

感谢您的帮助 :-)

4

3 回答 3

3

使用awk

awk -F "OS: " '/^Nmap/ {a=$0} /OS:/ {print a"\n"FS$2}' file
Nmap scan report for 13.93.27.138
OS: Windows XP (Windows 2000 LAN Manager)
Nmap scan report for 13.93.27.143
OS: Windows XP (Windows 2000 LAN Manager)
Nmap scan report for 13.93.27.147
OS: Windows XP (Windows 2000 LAN Manager)
Nmap scan report for 13.93.27.148
OS: Windows XP (Windows 2000 LAN Manager)
Nmap scan report for 13.93.27.191
OS: Windows XP (Windows 2000 LAN Manager)
于 2013-09-21T07:04:30.257 回答
1

当问题是搜索 Nmap 输出时,答案总是“使用XML 输出格式”。这是因为 Nmap 的常规输出可以在版本之间更改,并且不是针对机器输入进行结构化的。-oXzyou 可以使用or-oA选项让 Nmap 发出 XML 。

您已经对输出进行了很多过滤,但我可以从“|”中看出 在您想要的输出来自NSE 脚本而不是操作系统检测引擎的行的开头。具体来说,这是smb-os-discovery脚本的输出。知道了这一点,我们可以使用 XML 解析器来查找属性包含字符串“OS: Windows XP”//script[@id='smb-os-discovery']的每个元素。output以下是使用xmlstarlet的方法:

xmlstarlet sel -t -m "//script[@id='smb-os-discovery' and contains(@output, 'OS: Windows XP')" -v "ancestor::host/address[@addrtype='ipv4']/@addr" -n scan-output.xml

You can do similar things with the many XML parsing libraries in every language. Python, Perl, and Ruby all have good parsers specifically designed for Nmap's XML output.

EDIT: Since you only want the OS as detected by smb-os-detection, you could save time scanning by only running this script and skipping the OS fingerprinting step. Here's an example of a fast scan like this:

nmap -p 445 --script smb-os-detection -oA smb-scan-%y%m%d 192.0.2.0/24
于 2013-09-21T13:41:56.297 回答
0

这应该可以解决问题:

 perl -ne 'if (/nmap/i) { $nmap = $_ }; if (/(OS:.*XP.*)/) { print $nmap,$1,"\n"; }' report
于 2013-09-21T01:26:29.833 回答