When conducting network reconnaissance or penetration testing, efficiency is key. NmapAutomator is a tool that automates and streamlines network scanning, allowing security professionals to focus on the actual penetration test rather than on repetitive scanning tasks. This guide explains what NmapAutomator is, how to set it up, and how to use it effectively for various scanning scenarios. NmapAutomator is a POSIX-compatible shell script designed to automate various types of network scanning tasks. As the name suggests, it is built on top of the popular Nmap scanner, but it extends Nmap by integrating several other security tools such as Nikto and GoBuster.
The main goal of this script is to automate the process of enumeration and reconnaissance that is run every time, allowing security professionals to focus their attention on real penetration testing.
NmapAutomator ensures two important benefits:
- It automates various Nmap scans
- It allows reconnaissance to always run in the background
This means that once initial ports are found (typically in 5-10 seconds), you can start manually investigating those ports while letting the rest of the scanning run in the background with no further interaction required.
Features of NmapAutomator
NmapAutomator offers several scan types to suit different needs:
- Network Scan: Shows all live hosts in the target’s network (completes in approximately 15 seconds)
- Port Scan: Shows all open ports (completes in approximately 15 seconds)
- Script Scan: Runs a script scan on found ports (takes about 5 minutes)
- Full Scan: Runs a full range port scan, then conducts a thorough scan on newly discovered ports (takes about 5-10 minutes)
- UDP Scan: Runs a UDP scan (requires sudo privileges and takes about 5 minutes)
- Vulnerability Scan: Runs CVE scan and Nmap Vulns scan on all found ports (takes about 5-15 minutes)
- Recon Scan: Suggests reconnaissance commands and prompts to automatically run them
- All Scan: Runs all the scan types (takes about 20-30 minutes)
It’s important to note that NmapAutomator is a reconnaissance tool and does not perform any exploitation.
Automatic Network Reconnaissance
With the recon option, NmapAutomator automatically recommends and runs the best reconnaissance tools for each discovered port. If a recommended tool is missing from your system, NmapAutomator will suggest how to install it.
Cross-Platform Compatibility
NmapAutomator is 100% POSIX compatible, allowing it to run on any sh shell and any Unix-based machine (even a 10-year-old router). This makes NmapAutomator ideal for lateral movement reconnaissance.
If you want to run NmapAutomator on a remote machine, you can download a static Nmap binary and transfer it to the remote machine. You can then use the -s/--static-nmap option to specify the path to the static Nmap binary.
Remote Mode
NmapAutomator offers a Remote Mode (activated with the -r/--remote flag) designed to run using POSIX shell commands only, without relying on external tools. This mode is still under development, and only certain scan types are currently supported.
Installing NmapAutomator
Before we can use NmapAutomator, we need to install it and its dependencies.
Prerequisites
NmapAutomator requires certain tools like ffuf, which can be installed with:
sudo apt update
sudo apt install ffuf -y
Alternatively, you can use Gobuster (v3.0 or higher):
sudo apt update
sudo apt install gobuster -y
Other reconnaissance tools used by NmapAutomator include:
- nmap Vulners
- sslscan
- nikto
- joomscan
- wpscan
- droopescan
- smbmap
- enum4linux
- dnsrecon
- odat
- smtp-user-enum
- snmp-check
- snmpwalk
- ldapsearch
Most of these tools should be installed by default in Parrot OS and Kali Linux. If any recommended tool is missing, NmapAutomator will automatically omit it and notify the user.
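The Recon option described above recommends tools per discovered port and reports any that are not installed. The following POSIX sh script is an added example that is not part of nmapAutomator: it parses a constructed nmap greppable (-oG) line, maps each open port to tools from the list above, and flags the ones missing from PATH. The port-to-tool mapping is an assumption for illustration; nmapAutomator keeps its own.

```shell
#!/bin/sh
# Added example (not nmapAutomator's code): per-port tool suggestions with a
# missing-tool check, POSIX sh only. The port mapping below is assumed.

# Constructed sample line in nmap greppable (-oG) format.
sample_grep() {
    printf 'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (997)\n'
}

# Read -oG "Host:" lines on stdin, print open TCP ports space separated.
open_ports() {
    sed -n 's/.*Ports: //p' | tr ',' '\n' |
        awk -F/ '{ sub(/^ +/, "", $1) }
                 $2 == "open" && $3 == "tcp" { out = out (out == "" ? "" : " ") $1 }
                 END { print out }'
}

# Tools from the article's list that apply to a port (assumed mapping).
tools_for_port() {
    case "$1" in
        25)       echo "smtp-user-enum" ;;
        53)       echo "dnsrecon" ;;
        80|8080)  echo "nikto ffuf gobuster wpscan joomscan droopescan" ;;
        443)      echo "sslscan nikto ffuf gobuster wpscan joomscan droopescan" ;;
        139|445)  echo "smbmap enum4linux" ;;
        161)      echo "snmp-check snmpwalk" ;;
        389|636)  echo "ldapsearch" ;;
    esac
}

# Print the names in "$1" (space separated) that are not on PATH.
missing_tools() {
    for tool in $1; do
        command -v "$tool" >/dev/null 2>&1 || printf '%s\n' "$tool"
    done
}

# For every open port, list the recommended tools and flag absent ones.
recon_plan() {
    for port in $(open_ports); do
        tools=$(tools_for_port "$port")
        [ -n "$tools" ] || continue
        absent=$(missing_tools "$tools" | tr '\n' ' ')
        printf 'port %s: %s' "$port" "$tools"
        [ -z "$absent" ] || printf ' (missing: %s)' "${absent% }"
        printf '\n'
    done
}
sample_grep | recon_plan
```

Feed a real -oG file with `recon_plan < nmap/scan.gnmap` to run it against your own results; ports with no mapping (22 in the sample) are silently skipped.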
Installation Steps
To install NmapAutomator, run the following commands:
git clone https://github.com/21y4d/nmapAutomator.git
sudo ln -s $(pwd)/nmapAutomator/nmapAutomator.sh /usr/local/bin/
Additional Dependencies for Complete Functionality
To ensure full functionality, especially for the Vulnerability scan mode, you should install additional components:
- Install Go:
  - Download Go from https://golang.org/dl/
  - Extract it to /usr/local:
    tar -C /usr/local -xzf go1.13.6.linux-amd64.tar.gz
  - Export the path:
    export PATH=$PATH:/usr/local/go/bin
- Install GoBuster:
  go get github.com/OJ/gobuster
- Install Nikto:
  apt install libwhisker2-perl nikto
- Set up the Nmap-Vulners script (the .nse files are copied from the cloned directory):
  git clone https://github.com/vulnersCom/nmap-vulners.git
  cp nmap-vulners/*.nse /usr/share/nmap/scripts
  nmap --script-updatedb
Using NmapAutomator
To see all available options, run:
./nmapAutomator.sh -h
This will display the usage information:
Usage: nmapAutomator.sh -H/--host <TARGET-IP> -t/--type <TYPE>
Optional: [-r/--remote <REMOTE MODE>] [-d/--dns <DNS SERVER>] [-o/--output <OUTPUT DIRECTORY>] [-s/--static-nmap <STATIC NMAP PATH>]
Example Commands
Here are some example commands:
./nmapAutomator.sh --host 10.1.1.1 --type All
./nmapAutomator.sh -H 10.1.1.1 -t Basic
./nmapAutomator.sh -H academy.htb -t Recon -d 1.1.1.1
./nmapAutomator.sh -H 10.10.10.10 -t network -s ./nmap
Practical Use Cases
Let’s explore some practical use cases for NmapAutomator.
Use Case 1: Quick Reconnaissance of a Web Server
When you need to quickly check a web server, the Port scan type is ideal:
./nmapAutomator.sh 192.168.1.10 Port
This will identify open ports within seconds, allowing you to immediately start investigating while more detailed scans run in the background.
Use Case 2: Comprehensive Security Assessment
For a thorough security assessment, the All scan type provides comprehensive coverage:
./nmapAutomator.sh 192.168.1.10 All
This will run all available scan types, providing a complete picture of the target’s security posture. The scan takes about 20-30 minutes but delivers extensive results.
Use Case 3: Vulnerability Discovery
When specifically looking for vulnerabilities, use the Vulns scan type:
./nmapAutomator.sh 192.168.1.10 Vulns
This performs a CVE scan and Nmap Vulns scan on all discovered ports, helping identify potential security issues.
Use Case 4: Service Enumeration
For detailed information about services running on a target, use the Script scan type:
./nmapAutomator.sh 192.168.1.10 Script
This runs script scans on discovered ports, providing detailed information about running services.
Use Case 5: Scanning with Limited Permissions
If you’re on a system where you don’t have sudo privileges, you can still run most scan types except UDP:
./nmapAutomator.sh 192.168.1.10 Full
Use Case 6: Remote Scanning
If you need to scan from a remote system with limited tools, use the Remote Mode:
./nmapAutomator.sh -H 192.168.1.10 -t Port -r
This uses POSIX shell commands only, making it suitable for systems with limited tool availability.
Limitations and Considerations
While NmapAutomator is a powerful tool, it’s important to be aware of its limitations:
- The tool primarily works with IP addresses rather than domain names directly
- Some scan types require sudo privileges
- The Remote Mode is still under development with limited functionality
- Vulnerability scans may produce false positives
- The tool is designed for reconnaissance and does not perform exploitation
Conclusion
NmapAutomator is an excellent tool for security professionals and enthusiasts looking to streamline their reconnaissance process. By automating common scanning tasks, it allows you to focus on analyzing results and actual penetration testing rather than manually running multiple commands. Whether you’re conducting a quick check or a comprehensive security assessment, NmapAutomator provides options to suit your needs. Its POSIX compatibility makes it versatile across different systems, and its integration with other security tools enhances its capabilities beyond basic port scanning. By incorporating NmapAutomator into your security toolkit, you can significantly increase your efficiency and effectiveness in discovering and assessing potential security vulnerabilities.