John,
Thanks for the help. I have made the changes you suggested. However, now
the irc subroutine is always called. For example, if I give the port as 80
and nmap identifies http running, it still calls the irc subroutine. It
should only call the irc subroutine if nmap identifies the port as running
irc. This is why I was under the impression that I need to search nmap's
output file for the word irc. What is the most efficient way of doing this?
Would it be to read in the file and then search for the string irc, or can
this be done directly using something like a regex? I don't think I completely
understand the use of the regex you suggested.
code with changes made:
# nmap subroutine
sub nmap {
# use nmap for service fingerprinting and write results to <ip>-results-nmap.txt
my @array = "nmap -sV -P0 -T4 -o results-nmap.txt -p $port $ip";
system(@array);
print ("\n");
print ("Nmap results written to results-nmap.txt\n");
# read nmap results into an array for searching
my @searcharraynmap = qx/nmap -sV -P0 -T4 -p $port $ip/;
my $searchresults = @searcharraynmap;
# call irc subroutine if irc found
if ($searchresults)
{
irc();
}
}
# end nmap subroutine
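As an added example (my code, not from either message in this thread): one way to act only when nmap reports the scanned port's service as irc is to parse the SERVICE column of the port line rather than testing whether the string "irc" appears anywhere in the output. It assumes a subroutine named `irc` (a placeholder here, since the real one is not shown), and runs against a constructed sample of nmap's normal output unless an ip and port are given on the command line; the 192.0.2.10 address is from the documentation range, not a real host.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample of nmap -sV normal output for one port; it is not a
# capture from a real host.  nmap prints one line per scanned port in the
# form "PORT/PROTO STATE SERVICE VERSION", so the service name is the third
# whitespace-separated field of that line.
my @sample_output = (
    "Starting Nmap ( http://nmap.org )\n",
    "Interesting ports on 192.0.2.10:\n",
    "PORT     STATE SERVICE VERSION\n",
    "6667/tcp open  irc     (constructed sample banner)\n",
    "Nmap done: 1 IP address (1 host up) scanned in 6.12 seconds\n",
);

# Return the SERVICE column nmap reported for $port, or undef when no open
# port line for that port appears in @lines.  This is more precise than
# matching "irc" anywhere in the output, where the string could also turn up
# in a hostname, a banner or a version field.
sub service_for_port {
    my ( $port, @lines ) = @_;
    for my $line (@lines) {
        if ( $line =~ m{^\Q$port\E/(?:tcp|udp)\s+open\s+(\S+)} ) {
            return $1;
        }
    }
    return;
}

# The simpler test the thread discusses: in scalar context grep returns the
# number of lines matching the regex, so the result is 0 (false) when "irc"
# does not appear at all.  Note the block is a pattern match, not a string.
sub count_irc_lines {
    my @lines = @_;
    return scalar grep { /\birc\b/i } @lines;
}

# Run nmap for one port and return its output lines, using the pipe form
# from John's reply so each argument is passed without shell interpretation.
sub scan_port {
    my ( $ip, $port ) = @_;
    open my $pipe, '-|', 'nmap', '-sV', '-P0', '-T4', '-p', $port, $ip
        or die "Cannot open a pipe from nmap: $!";
    my @lines = <$pipe>;
    close $pipe
        or warn $! ? "Error closing nmap pipe: $!" : "Exit status $? from nmap";
    return @lines;
}

# Placeholder for the irc subroutine (hypothetical; the real one is not
# shown in the thread).
sub irc {
    print "irc service found, running irc checks\n";
}

# Without arguments, use the constructed sample; with "ip port", scan for real.
my ( $ip, $port ) = @ARGV == 2 ? @ARGV : ( '192.0.2.10', 6667 );
my @lines = @ARGV == 2 ? scan_port( $ip, $port ) : @sample_output;

my $service = service_for_port( $port, @lines );
printf "nmap reports port %s as: %s\n", $port,
    defined $service ? $service : 'no open port';
printf "lines mentioning irc: %d\n", count_irc_lines(@lines);

# nmap's service table has several names starting with irc (irc, ircs-u, ...),
# hence the prefix match on the service column.
if ( defined $service && $service =~ /^irc/ ) {
    irc();
}
```

With no arguments the script reports port 6667 as `irc` from the sample and calls `irc()`; for port 80 on a host running http, `service_for_port` returns `http`, so the subroutine is skipped even if the word irc happens to appear elsewhere in the output.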
On Dec 3, 2008 7:53pm, "John W. Krahn" <[EMAIL PROTECTED]> wrote:
[EMAIL PROTECTED] wrote:
I am working on a script to help find malicious traffic that takes the
supplied ip and port from the user, does a number of checks (reverse dns,
whois, banner grabbing, amap and nmap service fingerprinting), and then
prints the results to a file. My intent is to quickly check blocked
outbound traffic based on firewall logs to find infected machines. I have
most of the script working correctly, except I want to take my nmap results
that are written to a file and search them for the word irc. If it is
found, call the irc subroutine. Nmap outputs correctly, but when I try to
open the file to search it, I get an error stating No such file or
directory. When I check the dir that script is called from, I see the nmap
output being created. What am I doing wrong here?
code excerpt:
# nmap subroutine
sub nmap {
# use nmap for service fingerprinting and write results to <ip>-results-nmap.txt
my @array = ("nmap", "-sV", "-P0", "-T4", "-o results-nmap.txt", "-p $port", $ip);
system(@array);
Your problem is that you can either supply a single string to system:
my $cmd = "nmap -sV -P0 -T4 -o results-nmap.txt -p $port $ip";
system $cmd;
Or a list with no extraneous whitespace:
my @cmd = ( 'nmap', '-sV', '-P0', '-T4', '-o', 'results-nmap.txt', '-p',
            $port, $ip );
system @cmd;
But it won't work with a combination of both as in your example.
You should also verify that system() worked correctly:
my @cmd = ( 'nmap', '-sV', '-P0', '-T4', '-o', 'results-nmap.txt', '-p',
            $port, $ip );
0 == system @cmd or die "system @cmd failed: $?";
print ("\n");
print ("Nmap results written to results-nmap.txt\n");
# open results-nmap.txt to search for irc
open (NMAPIRC, "results-nmap.txt") || die ("Could not open results-nmap.txt to search for irc: $!\n"); # this is as far as the script gets
# read results-nmap.txt into an array for searching
my @searcharraynmap = <NMAPIRC>;
Or you could just read the output of nmap directly into your array
without the intervening file:
my @searcharraynmap = qx/nmap -sV -P0 -T4 -p $port $ip/;
Or with more control over error messages:
open my $PIPE, '-|', 'nmap', '-sV', '-P0', '-T4', '-p', $port, $ip
or die "Cannot open a pipe from nmap: $!";
my @searcharraynmap = <$PIPE>;
close $PIPE or warn $! ? "Error closing nmap pipe: $!"
: "Exit status $? from nmap";
my $searchresults = grep {'irc'} @searcharraynmap;
Your grep() test is a string which is always true so every element of
@searcharraynmap will be passed through, and you are capturing the results
from grep in a scalar so $searchresults will contain the number of elements
in @searcharraynmap. That could be more simply written as:
my $searchresults = @searcharraynmap;
# print value during testing - remove later
print ("Value of search results (nmap): $searchresults\n");
# call irc subroutine if irc found
if ($searchresults ne "")
That should be:
if ( $searchresults )
{
irc();
}
}
# end nmap subroutine
John
--
Those people who think they know everything are a great
annoyance to those of us who do. -- Isaac Asimov
--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
http://learn.perl.org/