Nmap output format ip:port - awk

I need to load an IP list from a file, scan it, and create output in the format ip:port. I tried this:
nmap -iL mylistwithip.txt -p 80,21 -oG -PS 80,21 | awk '/open/{print $2}' > output.txt
but it gives me only "open" and that's all.
But I need only the open ports for a list of IP addresses, for example:
192.168.2.1
192.168.2.2
192.168.2.3
After scanning the ports, a sample output.txt:
192.168.2.1:80
192.168.2.1:21
192.168.2.3:80
(only the scanned IP addresses with open ports)

Try this awk one-liner (on a greppable "Host:" line the port entries start at field 5 and look like 80/open/tcp//http///, so split each on "/" and keep the ones whose state is "open"):
nmap -Pn -oG - 192.168.1.1 | awk '/^Host:.*Ports:/{ for (i = 5; i <= NF; i++) { split($i, a, "/"); if (a[2] == "open") print $2 ":" a[1] } }'

Try one more solution with a single awk only.
nmap -vv -iL file | awk -F'[ /]' '/Discovered open port/{print $NF":"$4}'

Quick and ugly hack to achieve that:
nmap -vv -iL mylistwithip.txt | grep "Discovered open port" | awk '{print $6":"$4}' | awk -F/ '{print $1}' > output.txt
With -vv the output includes lines like
Discovered open port 22/tcp on 192.168.2.1
Discovered open port 80/tcp on 192.168.2.1
Discovered open port 22/tcp on 192.168.2.107
Discovered open port 80/tcp on 192.168.2.107
The first awk selects the "ip address" and "port number/protocol" fields, and the second cuts off "/protocol".
This will probably break in some future update of nmap. Using -oG (greppable output) would be a better idea.
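As an added example that is not part of any of the answers above: a parser for `nmap -oG -` output that prints one ip:port line per open port and handles the cases a field-position one-liner trips over, several open ports on one host, several hosts, a resolved hostname in the Host field, and non-tcp ports (suffixed with the protocol so they are not confused with tcp). The greppable sample is constructed, and the function name is mine.

```shell
# Constructed `nmap -oG -` output for three hosts: two open tcp ports on the
# first, nothing open on the second (closed, filtered and open|filtered only),
# one open tcp and one open udp port on the third, which also has a hostname.
SAMPLE_GNMAP='# Nmap 7.94 scan initiated Tue Oct 10 13:55:36 2023 as: nmap -iL mylistwithip.txt -oG -
Host: 192.168.2.1 ()    Status: Up
Host: 192.168.2.1 ()    Ports: 21/open/tcp//ftp///, 80/open/tcp//http///, 443/closed/tcp//https///    Ignored State: filtered (1)
Host: 192.168.2.2 ()    Status: Up
Host: 192.168.2.2 ()    Ports: 21/closed/tcp//ftp///, 80/filtered/tcp//http///, 443/closed/tcp//https///, 123/open|filtered/udp//ntp///
Host: 192.168.2.3 (gw.example)    Ports: 80/open/tcp//http///, 123/open/udp//ntp///    Ignored State: closed (3)
# Nmap done at Tue Oct 10 13:55:40 2023 -- 3 IP addresses (3 hosts up) scanned in 4.12 seconds'

# Usage: open_ports < greppable-output
# Prints ip:port for every open port (ip:port/udp, ip:port/sctp for non-tcp).
open_ports() {
    awk '
        $1 == "Host:" {
            ip = $2; in_ports = 0
            # scan for the "Ports:" marker instead of assuming a field number,
            # so a "(hostname)" in field 3 does not matter
            for (i = 3; i <= NF; i++) {
                if ($i == "Ports:") { in_ports = 1; continue }
                if (!in_ports) continue
                # entries look like 80/open/tcp//http///, ; anything else
                # ("Ignored State: ...") ends the list
                if ($i !~ "^[0-9]+/[^/]+/(tcp|udp|sctp)/") break
                split($i, p, "/")            # p[1] port, p[2] state, p[3] protocol
                if (p[2] != "open") continue # drops closed, filtered, open|filtered
                printf "%s:%s%s\n", ip, p[1], (p[3] == "tcp" ? "" : "/" p[3])
            }
        }'
}

# Real use: nmap -iL mylistwithip.txt -p 21,80 -oG - | open_ports > output.txt
printf '%s\n' "$SAMPLE_GNMAP" | open_ports
```

On the sample this prints 192.168.2.1:21, 192.168.2.1:80, 192.168.2.3:80 and 192.168.2.3:123/udp; the open|filtered udp port on 192.168.2.2 is not reported, because "open|filtered" only means nmap could not tell the two states apart.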

Related

centos firewall-cmd block the awk ips using a script

There are many awk attacks on my server. I have tried to block them, but there are too many of them.
Is there a way to block them all at once?
I use this command:
netstat -an|awk -F: '{print $2}'|sort|uniq -c|sort -nr|head
which shows the result
[root@local ~]# netstat -an|awk -F: '{print $2}'|sort|uniq -c|sort -nr|head
1080 80 107.189.8.33
864 80 185.129.61.5
485 80 23.154.177.11
386 80 183.245.24.27
318 80 185.243.218.32
309 80 185.220.101.2
276 80 61.153.251.150
259 80 59.148.106.164
235 80 185.175.119.113
And after listing the IPs, I find the IPs with more than 100 connections to port 80 and block them.
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="107.189.8.0/24" drop'
Is there any way to make a .sh file to find the awk IPs with more than 200 connections and add them to the firewall's drop list?
In this case, I need to exclude 127.0.0.1 and our own IPs.
I hope anyone can help, thanks.
I have tried to output the problem IPs using this code.
netstat -an|awk -F: '{print $2}'|sort|uniq -c|sort -nr|head > ccips.txt
After this, I use:
awk '{sub("IP:", "", $3); print $3}' /root/ccips.txt | xargs -n1 -I{} firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address={} drop'
This can block all the IPs with attacks.
I just don't know how to put this into a .sh file that can do it in one command.
I THINK what you're trying to do is create a file like this of IPs you don't want to block:
$ cat allowedIPs
127.0.0.1
whatever...
and then have a script like this to block all IPs not in that file that connect to port 80 (untested and guessing at what the netstat -an output looks like by reading your code):
$ cat blockIPs
#!/usr/bin/env bash
netstat -an |
awk -F: '
    # first file (allowedIPs): remember every line as an IP never to block
    NR == FNR {
        allowedIPs[$1]
        next
    }
    # second input (netstat -an on stdin): with ":" as the separator, $2 is
    # "<local port> <remote ip>", e.g. "80   107.189.8.33"
    {
        split($2,portIP," ")
        port = portIP[1]
        ip = portIP[2]
    }
    # print each remote IP once if it hit port 80 and is not allowed
    (port == 80) && !(ip in allowedIPs) && !seen[ip]++ {
        print ip
    }
' allowedIPs - |
xargs -n1 -I{} firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address={} drop'
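As an added example, not the poster's or the answerer's script: a version that applies the threshold the question asks for (block only IPs with more than N connections to the port), skips listening sockets (whose "peer" is 0.0.0.0:* or :::*), keeps IPv6 peers intact and picks the matching rule family, validates each address before it reaches the shell, and prints the firewall-cmd commands instead of running them unless APPLY=1 is set. The netstat sample, allowlist file and function names are constructed; the rich-rule syntax is the one from the question, and addresses are from the documentation ranges.

```shell
# Allowlist: one IP per line, never blocked (loopback and the server's own IP).
ALLOWFILE=$(mktemp)
printf '127.0.0.1\n10.0.0.5\n' > "$ALLOWFILE"

# Constructed `netstat -an` output: two listeners, an IPv4 peer with three
# connections (one in TIME_WAIT; like the question's pipeline every non-LISTEN
# row counts, so a SYN flood in SYN_RECV is caught too), a peer under the
# threshold, loopback traffic, ssh traffic on another port, an IPv6 peer.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.7:40001       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:40002       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:40003       TIME_WAIT
tcp        0      0 10.0.0.5:80             198.51.100.23:5001      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.23:5002      ESTABLISHED
tcp        0      0 10.0.0.5:80             127.0.0.1:50000         ESTABLISHED
tcp        0      0 10.0.0.5:80             127.0.0.1:50001         ESTABLISHED
tcp        0      0 10.0.0.5:80             127.0.0.1:50002         ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.99:3333         ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.99:3334         ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.99:3335         ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 2001:db8::5:80          2001:db8::bad:1:6000    ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8::bad:1:6001    ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8::bad:1:6002    SYN_RECV
tcp6       0      0 2001:db8::5:80          2001:db8::bad:1:6003    SYN_RECV'

# Usage: over_threshold PORT THRESHOLD ALLOWFILE < netstat-output
# Prints "ip count" for every remote IP with more than THRESHOLD connections
# to local PORT that is not in ALLOWFILE, largest count first.
over_threshold() {
    awk -v port="$1" -v thr="$2" -v allow_list="$(cat "$3")" '
        BEGIN {
            n = split(allow_list, a, "\n")
            for (i = 1; i <= n; i++) if (a[i] != "") allow[a[i]]
        }
        $1 !~ /^tcp/    { next }   # headers, udp, unix sockets
        $NF == "LISTEN" { next }   # listeners have no real peer
        {
            # the port is the text after the last ":", the address is what is
            # before it; this keeps IPv6 addresses whole
            lport = $4; sub(/.*:/, "", lport)
            rip = $5;   sub(/:[^:]*$/, "", rip)
            if (lport != port || rip in allow) next
            count[rip]++
        }
        END { for (ip in count) if (count[ip] + 0 > thr + 0) print ip, count[ip] }
    ' | sort -k2,2nr
}

# Usage: drop_rules PORT THRESHOLD ALLOWFILE < netstat-output
# Prints the firewall-cmd command per offending IP. With APPLY=1 it runs them
# and reloads, because --permanent rules are not live until --reload.
drop_rules() {
    over_threshold "$@" | while read -r ip n; do
        # refuse anything that is not an address literal before it reaches a command
        case $ip in *[!0-9a-fA-F:.]*|'') continue ;; esac
        case $ip in *:*) fam=ipv6 ;; *) fam=ipv4 ;; esac
        rule="rule family=$fam source address=\"$ip\" drop"
        if [ "${APPLY:-0}" = 1 ]; then
            firewall-cmd --permanent --add-rich-rule="$rule"
        else
            printf "firewall-cmd --permanent --add-rich-rule='%s'   # %s connections\n" "$rule" "$n"
        fi
    done
    if [ "${APPLY:-0}" = 1 ]; then firewall-cmd --reload; fi
}

# Real use: netstat -an | APPLY=1 drop_rules 80 200 /root/allowedIPs
printf '%s\n' "$SAMPLE_NETSTAT" | drop_rules 80 2 "$ALLOWFILE"
```

With a threshold of 2 the sample yields a drop rule for 2001:db8::bad:1 (4 rows) and 203.0.113.7 (3 rows) only; 198.51.100.23 stays under the threshold, 127.0.0.1 is allowlisted and 192.0.2.99 is on port 22. Two caveats before putting this in cron: a connection count is a weak signal on its own (a NAT or proxy in front of many real users looks exactly like one attacker), and permanent drop rules accumulate, so review `firewall-cmd --list-rich-rules` and expire entries rather than letting the list grow forever.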

display only network interface and ip address using ifconfig and awk

I'm not interested in all the information in the ifconfig output; I just want to know the network interface with its respective IP address.
I can get the network interface from ifconfig using the command:
ifconfig |grep " L" | awk '{ print $1}'
eth0
lo
tun0
and the IP address of each interface with the command
ifconfig |grep "inet:" | cut -d: -f2 | awk '{ print $1}'
192.168.0.10
127.0.0.1
10.5.0.13
How can I display both, the network interface and the IP address, with just one command or script?
eth0 - 192.168.0.10
lo - 127.0.0.1
tun0 - 10.5.0.13
You can use ip route show instead to get the information you want. Filter it with this command, for example (it looks for the "dev" and "src" keywords rather than fixed columns, because the spacing of the route lines differs between iproute2 versions):
ip r show | awk '/ src /{ for (i = 1; i <= NF; i++) { if ($i == "dev") d = $(i+1); if ($i == "src") s = $(i+1) } print d, s }'
outputs something like:
eth0 192.168.1.114

Shell scripting to print out IP address, MAC Address, and default gateway

I'm trying to write a script that gathers network information with the awk command.
ifconfig enp0s3| grep "inet " | awk '{gsub("addr:","",$2); print $2 }'
This is the command I ended up with to get my IP address, yet I have not figured out how I can write it in a script so that I get an output like this:
IP Address : 10.0.2.15
I tried
echo" IP Address:"$ ifconfig enp0s3| grep "inet " | awk '{gsub("addr:","",$2); print $2 }'
but I keep getting errors.
You can use the following awk command to get the IP address and the MAC address in a single run. It looks for the "HWaddr" and "addr:" tokens of the classic net-tools layout instead of counting fields, so extra whitespace does not shift the result. However, the default gateway isn't available via ifconfig:
ifconfig eth0 \
| awk '/HWaddr/ { for (i = 1; i <= NF; i++) if ($i == "HWaddr") mac = $(i+1) }
       /inet addr:/ { for (i = 1; i <= NF; i++) if ($i ~ /^addr:/) { ip = $i; sub(/^addr:/, "", ip) } }
       END { printf "IP Address: %s\nMAC Address: %s\n", ip, mac }'
Output:
IP Address: 10.0.2.15
MAC Address: 00:23:12:f2:56:6d
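The ifconfig text layout changed between net-tools releases (the "inet addr:" form in these two questions versus the newer "inet 10.0.2.15 netmask ..." form), so anything that counts ifconfig fields breaks on the next distribution. As an added example that is not part of either answer, the same three facts, interface with its address (the previous question), MAC and default gateway (this one), taken from the one-line `ip -o` output, which is the format intended for scripts. The sample outputs are constructed, the MAC is a locally administered test value, and the function names are mine.

```shell
# Constructed `ip -o -4 addr show` output (ip -o joins wrapped lines with "\").
SAMPLE_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.0.10/24 brd 192.168.0.255 scope global dynamic eth0\       valid_lft 85000sec preferred_lft 85000sec
3: tun0    inet 10.5.0.13/24 scope global tun0\       valid_lft forever preferred_lft forever'

# Constructed `ip -o link show` output; tun0 is a layer-3 tunnel with no MAC.
SAMPLE_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:5e:00:53:01 brd ff:ff:ff:ff:ff:ff
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 500\    link/none'

# Constructed `ip route show default` output.
SAMPLE_ROUTE='default via 192.168.0.1 dev eth0 proto dhcp src 192.168.0.10 metric 100'

# Usage: iface_ips < ip-o-addr-output        -> "iface - ip" per address
# Field 2 is the interface, field 4 the address with its prefix length;
# inet and inet6 lines are both accepted.
iface_ips() {
    awk '$3 ~ /^inet6?$/ { split($4, a, "/"); print $2 " - " a[1] }'
}

# Usage: iface_mac IFACE < ip-o-link-output  -> MAC, or "-" when there is none
iface_mac() {
    awk -v ifc="$1:" '
        $2 == ifc {
            mac = "-"
            for (i = 3; i <= NF; i++) if ($i == "link/ether") mac = $(i + 1)
            print mac
        }'
}

# Usage: default_gw < ip-route-default-output -> "gateway dev" (first route only)
default_gw() {
    awk '$1 == "default" {
            for (i = 2; i <= NF; i++) { if ($i == "via") gw = $(i + 1); if ($i == "dev") dev = $(i + 1) }
            print gw, dev; exit
        }'
}

# Usage: net_summary IFACE   (runs the real ip commands; not executed here)
net_summary() {
    printf 'IP Address : %s\n' "$(ip -o -4 addr show dev "$1" | iface_ips | awk '{ print $3 }')"
    printf 'MAC Address : %s\n' "$(ip -o link show dev "$1" | iface_mac "$1")"
    printf 'Default Gateway : %s\n' "$(ip route show default | default_gw | awk '{ print $1 }')"
}

printf '%s\n' "$SAMPLE_ADDR" | iface_ips
printf '%s\n' "$SAMPLE_LINK" | iface_mac eth0
printf '%s\n' "$SAMPLE_ROUTE" | default_gw
```

`net_summary enp0s3` gives the three "Label : value" lines the question asks for on a live system; the other three functions take the command output on stdin, which is what makes them testable against the constructed samples above.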

Greping strings from different lines of nmap output

I have the following nmap output:
Nmap scan report for 192.168.1.14
Host is up (0.13s latency).
PORT STATE SERVICE VERSION
110/tcp closed pop3
--
Nmap scan report for 192.168.1.15
Host is up (0.13s latency).
PORT STATE SERVICE VERSION
110/tcp open pop3 Popper
--
Nmap scan report for 192.168.1.20
Host is up (0.13s latency).
PORT STATE SERVICE VERSION
110/tcp open pop3 Dove
which I get using the command: nmap -p 110 -sV 192.168.1.10-20
Note: I have not used the -oG output format with nmap because I understand that it is deprecated.
The output I require:
192.168.1.15 open Popper
192.168.1.20 open Dove
As you can see, it should print the IP address, the state and the version of only the OPEN ports.
What I have tried:
Using all sorts of variations (of the command below) with grep and awk to get my required output, but I cannot get it to work how I want it to:
nmap -p 110 -sV 192.168.1.10-20 | grep -B3 'open' | egrep -o "([0-9]{1,3}\.){3}[0-9]{1,3}"
The difficulty I am having is extracting specific parts from different lines of the output and putting them together.
Update
I have found that sometimes in the VERSION column there is more than a single word, e.g. sometimes it may say Popper 1.2.7-Beta rather than just Popper. In that case it just prints 1.2.7-Beta instead of Popper 1.2.7-Beta (because the space between the words confuses it). How would you deal with this?
Try this:
awk '/Nmap scan report/ { host=$NF } NF==4 && $2=="open" { print host, $2, $NF }' nmap-output.txt
Explanation:
1) For any line that matches the string "Nmap scan report", remember the last field of the line in the variable name "host"
2) For any line that has 4 fields and where the second field matches the string "open", print the remembered "host" variable, the second field of this line ("open"), and the last field of the line (what is in the Version column).
How about this awk:
awk '/^Nmap/{a=$5}
/^110\/tcp open/{print a,$2,$3}' Your_file
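As an added example that is not part of either answer: the same host-carrying awk written to cover the cases in the question's update, a VERSION column of several words, a port line with no version at all, a "Nmap scan report for name (ip)" line (nmap prints that form when reverse DNS resolves), and an open|filtered line that must not be reported. The sample reuses the question's output with constructed lines added; the function name is mine.

```shell
# Constructed nmap -sV normal output (the "--" separators are grep context
# markers like those in the question).
SAMPLE_NMAP='Nmap scan report for 192.168.1.14
Host is up (0.13s latency).

PORT    STATE  SERVICE VERSION
110/tcp closed pop3
--
Nmap scan report for 192.168.1.15
Host is up (0.13s latency).

PORT    STATE SERVICE VERSION
110/tcp open  pop3    Popper 1.2.7-Beta
--
Nmap scan report for mail.example.com (192.168.1.20)
Host is up (0.13s latency).

PORT    STATE SERVICE VERSION
110/tcp open  pop3    Dove
143/tcp open  imap
53/udp  open|filtered domain'

# Usage: open_services < nmap-normal-output   -> "ip open version" per open port
open_services() {
    awk '
        /^Nmap scan report for / {
            host = $NF               # "name (ip)" -> "(ip)", plain ip -> ip
            gsub(/[()]/, "", host)
        }
        $1 ~ "^[0-9]+/(tcp|udp|sctp)$" && $2 == "open" {
            version = ""             # everything after SERVICE, spaces kept
            for (i = 4; i <= NF; i++) version = version (i > 4 ? " " : "") $i
            print host, $2, (version == "" ? "-" : version)
        }'
}

# Real use: nmap -p 110 -sV 192.168.1.10-20 | open_services
printf '%s\n' "$SAMPLE_NMAP" | open_services
```

On the sample this prints "192.168.1.15 open Popper 1.2.7-Beta", "192.168.1.20 open Dove" and "192.168.1.20 open -"; the exact string test on field 2 is what keeps open|filtered out, which a regex match on "open" would let through. If more than one port is scanned, add `$1` to the print so the lines stay distinguishable.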

Apache server log highest traffic using bash

I have an Apache server log and am trying to determine which IP address has generated the most traffic. I've already managed to get it formatted so it's just the IPs and their traffic in bytes:
xxx.xxx.xxx.xxx 915925
yyy.yyy.yyy.yyy 1193
zzz.zzz.zzz.zzz 2356
So now I'm looking for a method to combine and add the bytes of identical IPs and then find the top value.
Any ideas?
If you have the IPs and traffic bytes in a file, use the following to get the work done.
cat file | perl -ane '$h{ $F[0] } += $F[1]; END { for ( sort keys %h ) { printf qq[%s %d\n], $_, $h{ $_ } } }' | sort -k2 -n -r
awk '{A[$1]+=$2;next}END{for(i in A){print i,A[i]}}' file | sort -k2 -n -r
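As an added example that is not from the answer: the same per-IP total computed from raw access-log lines instead of the pre-formatted "ip bytes" pairs, which is where the real difficulty sits. Two things matter there that a fixed `$10` does not handle: Apache logs "-" rather than 0 for a response with no body, and the request line, referer and user agent are attacker-controlled, so a request containing `\" 200 999999999` would shift positional fields or fool a pattern search. The parser below finds the request's closing quote by honouring Apache's `\"` escaping and reads status and bytes from what follows. The log lines and function name are constructed; addresses are from the documentation ranges.

```shell
# Constructed combined-format lines, plus one common-format line (no referer
# or user agent) and one with an injected fake status/bytes pair inside the
# request string.
SAMPLE_LOG='203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 915925 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:37 +0000] "GET /a.css HTTP/1.1" 200 1193 "-" "curl/8.0"
192.0.2.99 - - [10/Oct/2023:13:55:38 +0000] "GET /b.js HTTP/1.1" 304 - "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:39 +0000] "POST /login HTTP/1.1" 302 1163 "-" "curl/8.0"
192.0.2.99 - - [10/Oct/2023:13:55:40 +0000] "GET /x\" 200 999999999 HTTP/1.1" 400 2356 "-" "evil"
192.0.2.99 - - [10/Oct/2023:13:55:41 +0000] "GET /c.png HTTP/1.1" 200 12'

# Usage: top_talkers [N] < access_log   -> "ip bytes", N largest first (default 10)
top_talkers() {
    awk '
    {
        q = index($0, "\"")                 # opening quote of the request
        if (q == 0) next
        # walk to the closing quote; Apache writes embedded quotes as \" so a
        # backslash means "skip the next character"
        j = q + 1
        while (j <= length($0)) {
            c = substr($0, j, 1)
            if (c == "\\") { j += 2; continue }
            if (c == "\"") break
            j++
        }
        split(substr($0, j + 1), f, " ")    # f[1] = status, f[2] = bytes
        if (f[1] !~ /^[0-9][0-9][0-9]$/) next
        bytes = (f[2] == "-") ? 0 : f[2]    # "-" means no body was sent
        total[$1] += bytes
    }
    END { for (ip in total) print ip, total[ip] }' | sort -k2,2nr | head -n "${1:-10}"
}

# Real use: top_talkers 5 < /var/log/httpd/access_log
printf '%s\n' "$SAMPLE_LOG" | top_talkers
```

The sample totals come out as 203.0.113.7 with 915925 bytes, 192.0.2.99 with 2368 (0 + 2356 + 12, the injected 999999999 never being read) and 198.51.100.23 with 2356. The same logic serves as an alternative to the answer's one-liner once the log is already reduced to "ip bytes" pairs, only the quote walk becomes unnecessary there.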