Audit your network using Nmap, Ndiff and cron
To combat the ill effects of trojans, rootkits and worms (not to forget the new H1N1 virus) one "should" regularly scan their local network for changes, preferably on a daily basis. Then again, one "should" also preferably feed the dog, greet the neighbors and clean their teeth on a daily basis. Tell me, who has time to do all that?
Network auditing is a tedious task and because it's not very stimulating work, you're likely more prone to error. I too, as your fellow computer enthusiast, like to automate just about anything (and as such my dog is never hungry, my teeth never dirty and my neighbor never under-greeted).
So here's how I did it this time.
1. Nmap 5 to the rescue!
Nmap is a "network exploration tool and security / port scanner", commonly used by sysadmins and unanimously considered (by me) to be an indispensable tool. Nmap version 5 was recently (July 16th, 2009) released, bringing some exciting new features. This article focuses on Ndiff, the scan comparison tool. It's the fruit of a Google Summer of Code project in 2008.
Your first task is to install Nmap 5. It happily runs on Windows, Linux and Mac OS X; however, this article is written with Linux in mind. Note: earlier releases won't do (Ndiff ships with Nmap 5); on Debian Lenny I had to obtain version 5 through the backports repository.
2. Next, install the script
Make a directory somewhere only accessible by root and put the following bash script in it:
#!/bin/bash
# Simple cron-based network auditing scanner
# Requires Nmap 5+
# Related article @ http://blog.fili.nl/articles/audit-your-network-using-nmap-ndiff-and-cron/

MAILOUT=your@email.com
NETWORK=10.0.0.0/24
CWD=$(dirname "$0")
NMAP=/usr/bin/nmap
NDIFF=/usr/bin/ndiff
MAIL=/usr/bin/mail

if [ -f "$CWD/baseline.xml" ]; then
    echo "Scanning network $NETWORK..."
    $NMAP -n -oX "$CWD/current.xml" "$NETWORK" >/dev/null
    echo -n "Comparing Nmap scans using Ndiff..."
    $NDIFF "$CWD/baseline.xml" "$CWD/current.xml" >"$CWD/last-result"
    # anything above 70 bytes of Ndiff output is treated as a real change
    if [ "$(stat -c%s "$CWD/last-result")" -gt 70 ]; then
        echo "Changed!"; echo "$MAILOUT has been notified."
        $MAIL -s "Alert: Network $NETWORK changed" "$MAILOUT" <"$CWD/last-result"
        # the current scan becomes the new baseline
        mv "$CWD/current.xml" "$CWD/baseline.xml"
    else
        echo "Ok."
        rm -f "$CWD/current.xml" "$CWD/last-result"
    fi
else
    echo "First scan, generating baseline..."
    $NMAP -n -oX "$CWD/baseline.xml" "$NETWORK" >/dev/null
fi
Download: naudit-cron.sh
It's quite a straightforward script, as you can see.
Here's what it does:
- At the first run, it makes a baseline scan of your network to compare later runs against.
- At subsequent runs it makes a new scan and compares that to the baseline scan. When something differs in your network (like newly opened/closed ports or computers that have appeared/disappeared) it alerts an admin.
- Finally, it updates the baseline XML file to reflect the change, so the next run only reports what changed since the alert.
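The script above decides "changed" by looking at the size of Ndiff's output file, which says nothing about what changed. As an added example (not part of the article's script), here is a small shell helper that reads Ndiff's text output and produces one line per meaningful change: hosts that appeared or disappeared and ports that were opened or closed, tagged with the host they belong to. It assumes Ndiff's text diff format (lines prefixed with +, - or a space; a host block starting with a line that ends in a colon; port lines of the form "22/tcp open ssh") and skips the "Nmap ... scan initiated" banner lines, which differ on every run because of the timestamp. The sample diff embedded in it is constructed for the example, not a real scan. The function names summarize_ndiff and ndiff_changed are my own.

```shell
#!/bin/bash
# Added example: summarise Ndiff text output instead of judging "changed" by file size.
# Assumes Ndiff's text diff format; the sample below is constructed, not from a real scan.

SAMPLE_NDIFF='-Nmap 5.00 scan initiated Thu Jul 16 01:00:01 2009 as: nmap -n -oX baseline.xml 10.0.0.0/24
+Nmap 5.00 scan initiated Fri Jul 17 01:00:01 2009 as: nmap -n -oX current.xml 10.0.0.0/24

 10.0.0.5:
 Host is up.
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh
+23/tcp open  telnet
-80/tcp open  http

+10.0.0.42:
+Host is up.
+PORT   STATE SERVICE VERSION
+22/tcp open  ssh

-10.0.0.77:
-Host is up.
-PORT   STATE SERVICE VERSION
-3389/tcp open  ms-wbt-server'

# Print one line per change. Reads the files given as arguments, or stdin.
#   HOST_NEW <host>                    host present only in the new scan
#   HOST_GONE <host>                   host present only in the baseline
#   PORT_ADDED <host> <port> <state>   port line added for that host
#   PORT_REMOVED <host> <port> <state> port line removed for that host
summarize_ndiff() {
    awk '
        # banner lines carry the scan time and file name, so they always differ
        /^[ +-]Nmap .* scan initiated/ { next }
        # a host header is the first char (sign) followed by the host, ending in ":"
        /^.[^:]+:$/ {
            sign = substr($0, 1, 1)
            host = substr($0, 2, length($0) - 2)
            if (sign == "+") print "HOST_NEW " host
            else if (sign == "-") print "HOST_GONE " host
            next
        }
        # port lines: "+23/tcp open  telnet" / "-80/tcp open  http"
        /^[+-][0-9]+\/(tcp|udp|sctp) / {
            sign = substr($0, 1, 1)
            sub(/^./, "")
            tag = (sign == "+") ? "PORT_ADDED" : "PORT_REMOVED"
            print tag " " host " " $1 " " $2
        }
    ' "$@"
}

# Succeed (exit 0) only when the diff contains at least one real change.
ndiff_changed() {
    [ -n "$(summarize_ndiff "$@")" ]
}

# Stand-alone demo on the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_NDIFF" | summarize_ndiff
fi
```

In the cron script this would replace the stat size check: after running Ndiff into last-result, `if ndiff_changed "$CWD/last-result"; then summarize_ndiff "$CWD/last-result" | $MAIL -s "..." "$MAILOUT"; fi` mails a compact summary (you can append the raw diff below it). Ndiff's own exit status (0 when the scans are identical, 1 when they differ, 2 on error) is an even simpler test; confirm it against the man page of the version you install before relying on it.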
3. Configure the script
There are only a few settings to adjust, but they are important. MAILOUT obviously declares where to send the notifications to. With NETWORK you define what you want to scan; this can be an entire subnet (in CIDR notation) or a single IP address.
MAILOUT=your@email.com
NETWORK=10.0.0.0/24
Make the file executable and run it (a couple of times) to generate the baseline XML file and to verify that everything works as expected.
4. Finally, cron it
The only step left is to execute this script automatically on an hourly/daily/weekly basis. This is somewhat OS specific; on most Linux distributions you'd create a new file in /etc/cron.d/ containing:
# minute - hour - monthday - month - weekday - command
0 1 * * * root /root/naudit-cron/naudit-cron.sh >/dev/null
Tweak the cron settings and you're done!