-
Notifications
You must be signed in to change notification settings - Fork 216
Home
you can file an issue about it and ask that it be added.
Sandmap is a tool supporting network and system reconnaissance using the massive Nmap engine. It provides a user-friendly interface, automates and speeds up scanning and allows you to easily use many advanced scanning techniques.
- simple CLI with the ability to run pure Nmap engine
- predefined scans included in the modules
- support Nmap Scripting Engine (NSE)
- TOR support (with proxychains)
- multiple scans at one time
- at this point: 31 modules with 459 scan profiles
Sandmap provides simple and intuitive cli that supports the entire reconnaissance process using the built-in Nmap options.
Command line consists of two levels:
-
cli(main)>
- the main level by means of which we can set and display session parameters, display information about modules, obtain a list of profiles in a given module, enable a given module and manipulate a temporary command stack. -
cli(module_name)>
- level of the module that provides many commands available in the main menu. The main differences are the ability to run scan profiles and add them to the temporary stack of commands, as well as displaying the description of each profile.
A standard command displaying help.
If you are in the space of the module, you can display its help using this command. If you provide an argument that is the name of the NSE module, its help will be displayed (using nmap --script-help = <nse_module_name>
).
cli(main)> help
Main Commands
-------------
help <module> show cli help or module help
list show available modules
show <module [key]> show info about modules and profiles
config <key>|<module [key]> show global or module configuration
set <key>|<module [key]> set global or module variable value
use <module> use module (changed env)
pushd init|show|flush command line commands stack
search <key> search key in all commands
reload <modules|config> reload all modules cache or configuration
banner show banner
nmap <nmap_params> clear nmap command
Options:
<module> module name
<key> key value
Module Commands
---------------
help <module> display module or NSE help
show <key> display module or profile info
config <key> show module configuration
set <key> set module variable value
use <module> reuse module (changed env)
pushd <key>|init|show|flush command line commands stack (experimental)
search <key> search key in all commands
Examples
--------
show sample show 'sample' module info
config terminal show 'terminal' key value
use sample use 'sample' module
search http search 'http' in all commands
This parameter displays all available modules along with the number of profiles and a short description.
cli(main)> list
Module Profiles Description
------ -------- -----------
awesome 3 Awesome Nmap predefined commands module
host_discovery 12 Nmap Host Discovery module
nse_broadcast 19 NSE Broadcast Module
nse_citrix 5 NSE Citrix Service Module
nse_databases 31 NSE Databases Service Module
nse_dns-dhcp 27 NSE DNS and DHCP Module
nse_external 6 NSE External scripts (eg. from github)
nse_ftp 9 NSE FTP Service Module
nse_hadoop 7 NSE Hadoop Services Module
nse_http-cve 22 NSE HTTP Vulnerability CVE Module
nse_http-protocol 50 NSE HTTP Protocol Module
nse_http-services 28 NSE HTTP Services Module
nse_mail 15 NSE Mail Services Module
nse_oracle 6 NSE Oracle Services Module
nse_other-auth 3 NSE Other Auth Module
nse_other-discovery 3 NSE Other Discovery Module
nse_other-network 38 NSE Other Network Module
nse_other-services 54 NSE Other Services Module
nse_other-version 1 NSE Other Version Module
nse_remote-access 16 NSE Remote Access Module
nse_smb 23 NSE SMB Protocol Module
nse_smb-vuln 11 NSE SMB Protocol Vulnerability Module
nse_snmp 12 NSE SNMP Protocol Module
nse_socks 3 NSE SOCKS Module
nse_ssl 16 NSE SSL Protocol Module
nse_vuln-scanners 7 NSE Vulnerability Scanners Module
nse_whois 2 NSE Whois Database Module
os_detection 4 Nmap OS Detection module
port_scan 11 Nmap Port Scan types module
service_detection 5 Service and Version Detection module
zenmap 10 Zenmap module
All Modules: 31
All Profiles: 459
This option show information about the module or module profile. These are the identifier and profile alias that we can use to determine the scanning technique and the parameters used by the profile. In addition, this command allows you to display information about a specific profile.
The parameter of this option is the name of the module and name of the profile.
cli(main)> show host_discovery
ID Alias Nmap Parameters
-- ----- ---------------
0 list_scan -sL
1 no_port_scan -sn
2 no_ping -Pn
3 tcp_syn_ping -PS -p
4 tcp_ack_ping -PA -p 80
5 udp_ping -PU -p 80
6 sctp_init_ping -PY -p 80
7 arp_ping -PR
8 icmp_ping-1 -PE
9 icmp_ping-2 -PP
10 icmp_ping-3 -PM
cli(main)> show nse_vuln ssl-dh-params
ID Alias Nmap Parameters
-- ----- ---------------
104 ssl-dh-params --script ssl-dh-params
Description:
https://nmap.org/nsedoc/scripts/ssl-dh-params.html
The config parameter displays information about session variables. With their help, We can define the purpose or objectives of the scan, enable the transmission of traffic through the TOR network, set the type of output and specify additional parameters.
This option can be called without parameters and specify the name of the session variable. The initial values of variables are specified in the file etc/main.cfg
.
cli(main)> config
Description: Destination
Examples: '127.0.0.1,example.com'
{ "dest":"127.0.0.1" }
Description: Nmap Parameters
Examples: '--script ssl-ccs-injection -p 443'
{ "params":"" }
Description: Report type
Examples: 'nmap|xml|grep'
{ "report":"" }
Description: Pass through TOR
Examples: 'true|false'
{ "tor":"" }
Description: Terminal type
Examples: 'internal|external'
{ "terminal":"internal" }
By config
We display the values of session variables and use the set
command to specify their new values.
The parameters of this command are the name of the variable and the new value. Specifying an empty value resets the value of the variable.
cli(main)> set dest 192.168.252.1
cli(main)> config dest
Description: Destination
Examples: '127.0.0.1,example.com'
{ "dest":"192.168.252.1" }
Activates the given module and goes to its space.
The parameters of this option is the module name.
cli(main)> use nse_mail
cli(nse_mail)>
This command provides a local stack for storing multiple commands that can be used with one scan.
The parameters of this option are the profile alias or identifier. Additionally, you can display the contents of the stack (show
), reset its contents ( flush
) or initiate a scan (init
).
cli(zenmap_scan)> pushd ping_scan
cli(zenmap_scan)> pushd show
pushd: -sn
cli(zenmap_scan)> main
cli(main)> pushd init
terminal:
> internal
command:
> nmap -sn 127.0.0.1
Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-27 07:25 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up.
Nmap done: 1 IP address (1 host up) scanned in 0.00 seconds
Result: pass
cli(main)> pushd flush
stdout: pushd flushed
cli(main)> pushd show
stdout: pushd empty
Allows you to search for profiles in the database.
The parameter of this command is the string of characters in the profile name.
cli(main)> search rsa-vuln
Module Alias Nmap Parameters
------ ----- ---------------
nse_ssl rsa-vuln-roca --script rsa-vuln-roca
This option allows you to reload the configuration and modules.
The parameters of this command are config
or modules
.
cli(main)> config terminal
Description: Terminal type
Examples: 'internal|external'
{ "terminal":"internal" }
cli(main)> set terminal external
cli(main)> config terminal
Description: Terminal type
Examples: 'internal|external'
{ "terminal":"external" }
cli(main)> reload config
stdout: config reloaded
cli(main)> config terminal
Description: Terminal type
Examples: 'internal|external'
{ "terminal":"internal" }
This option is available only from the level of a given module. If you want to use scan with multiple profiles, use the pushd
mechanism at the same time.
The parameters of this option are the profile alias or identifier.
cli(zenmap)> init 4
terminal:
> internal
command:
> nmap -sn 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org ) at 2018-04-07 11:14 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up.
Nmap done: 1 IP address (1 host up) scanned in 0.00 seconds
Result: pass
In addition (since version v1.2.0), the --args
parameters accepts the arguments of the script (only for NSE).
cli(nse_broadcast)> show 13
ID Alias Nmap Parameters
-- ----- ---------------
13 broadcast-ping --script=broadcast-ping
Script arguments:
broadcast-ping.timeout = '3s'
broadcast-ping.num_probes = '1'
broadcast-ping.interface = ''
Description:
https://nmap.org/nsedoc/scripts/broadcast-ping.html
cli(nse_broadcast)> init 13 --args
broadcast-ping.timeout: 1s
broadcast-ping.num_probes: 5
broadcast-ping.interface:
terminal:
> internal
command:
> nmap --script=broadcast-ping --script-args broadcast-ping.timeout=1s,broadcast-ping.num_probes=5 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-19 14:13 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000010s latency).
Not shown: 988 closed ports
PORT STATE SERVICE
53/tcp open domain
5432/tcp open postgresql
5900/tcp open vnc
5901/tcp open vnc-1
8000/tcp open http-alt
8001/tcp open vcom-tunnel
8002/tcp open teradataordbms
9000/tcp open cslistener
9001/tcp open tor-orport
9002/tcp open dynamid
9003/tcp open unknown
9900/tcp open iua
Nmap done: 1 IP address (1 host up) scanned in 2.53 seconds
Result: pass