Diffstat (limited to 'ndiff/docs')
-rw-r--r-- ndiff/docs/ndiff.1 | 437
-rw-r--r-- ndiff/docs/ndiff.dtd | 139
-rw-r--r-- ndiff/docs/ndiff.xml | 413
3 files changed, 989 insertions, 0 deletions
diff --git a/ndiff/docs/ndiff.1 b/ndiff/docs/ndiff.1 new file mode 100644 index 0000000..7f636ab --- /dev/null +++ b/ndiff/docs/ndiff.1 
@@ -0,0 +1,437 @@ +'\" t +.\" Title: ndiff +.\" Author: [see the "Authors" section] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 05/17/2023 +.\" Manual: User Commands +.\" Source: Ndiff +.\" Language: English +.\" +.TH "NDIFF" "1" "05/17/2023" "Ndiff" "User Commands" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +ndiff \- Utility to compare the results of Nmap scans +.SH "SYNOPSIS" +.HP \w'\fBndiff\fR\ 'u +\fBndiff\fR [\fIoptions\fR] {\fIa\&.xml\fR} {\fIb\&.xml\fR} +.SH "DESCRIPTION" +.PP +Ndiff is a tool to aid in the comparison of Nmap scans\&. It takes two Nmap XML output files and prints the differences between them\&. The differences observed are: +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +Host states (e\&.g\&. up to down) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +Port states (e\&.g\&. 
open to closed) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +Service versions (from +\fB\-sV\fR) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +OS matches (from +\fB\-O\fR) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +Script output +.RE +.PP +Ndiff, like the standard +\fBdiff\fR +utility, compares two scans at a time\&. +.SH "OPTIONS SUMMARY" +.PP +\fB\-h\fR, \fB\-\-help\fR +.RS 4 +Show a help message and exit\&. +.RE +.PP +\fB\-v\fR, \fB\-\-verbose\fR +.RS 4 +Include all hosts and ports in the output, not only those that have changed\&. +.RE +.PP +\fB\-\-text\fR +.RS 4 +Write output in human\-readable text format\&. +.RE +.PP +\fB\-\-xml\fR +.RS 4 +Write output in machine\-readable XML format\&. The document structure is defined in the file +ndiff\&.dtd +included in the distribution\&. +.RE +.PP +Any other arguments are taken to be the names of Nmap XML output files\&. There must be exactly two\&. +.SH "EXAMPLE" +.PP +Let\*(Aqs use Ndiff to compare the output of two Nmap scans that use different options\&. In the first, we\*(Aqll do a fast scan (\fB\-F\fR), which scans fewer ports for speed\&. In the second, we\*(Aqll scan the larger default set of ports, and run an NSE script\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +# \fBnmap \-F scanme\&.nmap\&.org \-oX scanme\-1\&.xml\fR +# \fBnmap \-\-script=html\-title scanme\&.nmap\&.org \-oX scanme\-2\&.xml\fR +$ \fBndiff \-v scanme\-1\&.xml scanme\-2\&.xml\fR +\-Nmap 5\&.35DC1 at 2010\-07\-16 12:09 ++Nmap 5\&.35DC1 at 2010\-07\-16 12:13 + + scanme\&.nmap\&.org (64\&.13\&.134\&.52): + Host is up\&. +\-Not shown: 95 filtered ports ++Not shown: 993 filtered ports + PORT STATE SERVICE VERSION + 22/tcp open ssh + 25/tcp closed smtp + 53/tcp open domain ++70/tcp closed gopher + 80/tcp open http ++|_ html\-title: Go ahead and ScanMe! 
+ 113/tcp closed auth ++31337/tcp closed Elite +.fi +.if n \{\ +.RE +.\} +.PP +Changes are marked by a +\- +or ++ +at the beginning of a line\&. We can see from the output that the scan without the +\fB\-F\fR +fast scan option found two additional ports: 70 and 31337\&. The +html\-title +script produced some additional output for port 80\&. From the port counts, we may infer that the fast scan scanned 100 ports (95 filtered, 3 open, and 2 closed), while the normal scan scanned 1000 (993 filtered, 3 open, and 4 closed)\&. +.PP +The +\fB\-v\fR +(or +\fB\-\-verbose\fR) option to Ndiff made it show even the ports that didn\*(Aqt change, like 22 and 25\&. Without +\fB\-v\fR, they would not have been shown\&. +.SH "OUTPUT" +.PP +There are two output modes: text and XML\&. Text output is the default, and can also be selected with the +\fB\-\-text\fR +option\&. Text output resembles a unified diff of Nmap\*(Aqs normal terminal output\&. Each line is preceded by a character indicating whether and how it changed\&. +\- +means that the line was in the first scan but not in the second; ++ +means it was in the second but not the first\&. A line that changed is represented by a +\- +line followed by a ++ +line\&. Lines that did not change are preceded by a blank space\&. +.PP +Example\ \&1 +is an example of text output\&. Here, port 80 on the host photos\-cache\-snc1\&.facebook\&.com gained a service version (lighttpd 1\&.5\&.0)\&. The host at 69\&.63\&.179\&.25 changed its reverse DNS name\&. The host at 69\&.63\&.184\&.145 was completely absent in the first scan but came up in the second\&. +.PP +\fBExample\ \&1.\ \&Ndiff text output\fR +.sp +.if n \{\ +.RS 4 +.\} +.nf +\-Nmap 4\&.85BETA3 at 2009\-03\-15 11:00 ++Nmap 4\&.85BETA4 at 2009\-03\-18 11:00 + + photos\-cache\-snc1\&.facebook\&.com (69\&.63\&.178\&.41): + Host is up\&. 
+ Not shown: 99 filtered ports + PORT STATE SERVICE VERSION +\-80/tcp open http ++80/tcp open http lighttpd 1\&.5\&.0 + +\-cm\&.out\&.snc1\&.tfbnw\&.net (69\&.63\&.179\&.25): ++mailout\-snc1\&.facebook\&.com (69\&.63\&.179\&.25): + Host is up\&. + Not shown: 100 filtered ports + ++69\&.63\&.184\&.145: ++Host is up\&. ++Not shown: 98 filtered ports ++PORT STATE SERVICE VERSION ++80/tcp open http Apache httpd 1\&.3\&.41\&.fb1 ++443/tcp open ssl/http Apache httpd 1\&.3\&.41\&.fb1 +.fi +.if n \{\ +.RE +.\} +.PP +XML output, intended to be processed by other programs, is selected with the +\fB\-\-xml\fR +option\&. It is based on Nmap\*(Aqs XML output, with a few additional elements to indicate differences\&. The XML document is enclosed in +\fInmapdiff\fR +and +\fIscandiff\fR +elements\&. Host differences are enclosed in +\fIhostdiff\fR +tags and port differences are enclosed in +\fIportdiff\fR +tags\&. Inside a +\fIhostdiff\fR +or +\fIportdiff\fR, +\fIa\fR +and +\fIb\fR +tags show the state of the host or port in the first scan (\fIa\fR) or the second scan (\fIb\fR)\&. +.PP +Example\ \&2 +shows the XML diff of the same scans shown above in +Example\ \&1\&. Notice how port 80 of photos\-cache\-snc1\&.facebook\&.com is enclosed in +\fIportdiff\fR +tags\&. For 69\&.63\&.179\&.25, the old hostname is in +\fIa\fR +tags and the new is in +\fIb\fR\&. For the new host 69\&.63\&.184\&.145, there is a +\fIb\fR +in the +\fIhostdiff\fR +without a corresponding +\fIa\fR, indicating that there was no information for the host in the first scan\&. 
+.PP +\fBExample\ \&2.\ \&Ndiff XML output\fR +.sp +.if n \{\ +.RS 4 +.\} +.nf +<?xml version="1\&.0" encoding="UTF\-8"?> +<nmapdiff version="1"> + <scandiff> + <hostdiff> + <host> + <status state="up"/> + <address addr="69\&.63\&.178\&.41" addrtype="ipv4"/> + <hostnames> + <hostname name="photos\-cache\-snc1\&.facebook\&.com"/> + </hostnames> + <ports> + <extraports count="99" state="filtered"/> + <portdiff> + <port portid="80" protocol="tcp"> + <state state="open"/> + <a> + <service name="http"/> + </a> + <b> + <service name="http" product="lighttpd" version="1\&.5\&.0"/> + </b> + </port> + </portdiff> + </ports> + </host> + </hostdiff> + <hostdiff> + <host> + <status state="up"/> + <address addr="69\&.63\&.179\&.25" addrtype="ipv4"/> + <hostnames> + <a> + <hostname name="cm\&.out\&.snc1\&.tfbnw\&.net"/> + </a> + <b> + <hostname name="mailout\-snc1\&.facebook\&.com"/> + </b> + </hostnames> + <ports> + <extraports count="100" state="filtered"/> + </ports> + </host> + </hostdiff> + <hostdiff> + <b> + <host> + <status state="up"/> + <address addr="69\&.63\&.184\&.145" addrtype="ipv4"/> + <ports> + <extraports count="98" state="filtered"/> + <port portid="80" protocol="tcp"> + <state state="open"/> + <service name="http" product="Apache httpd" + version="1\&.3\&.41\&.fb1"/> + </port> + <port portid="443" protocol="tcp"> + <state state="open"/> + <service name="http" product="Apache httpd" tunnel="ssl" + version="1\&.3\&.41\&.fb1"/> + </port> + </ports> + </host> + </b> + </hostdiff> + </scandiff> +</nmapdiff> +.fi +.if n \{\ +.RE +.\} +.SH "PERIODIC DIFFS" +.PP +Using Nmap, Ndiff, cron, and a shell script, it\*(Aqs possible to scan a network daily and get email reports of the state of the network and changes since the previous scan\&. +Example\ \&3 +shows the script that ties it together\&. 
+.PP +\fBExample\ \&3.\ \&Scanning a network periodically with Ndiff and cron\fR +.sp +.if n \{\ +.RS 4 +.\} +.nf +#!/bin/sh +TARGETS="\fItargets\fR" +OPTIONS="\-v \-T4 \-F \-sV" +date=`date +%F` +cd /root/scans +nmap $OPTIONS $TARGETS \-oA scan\-$date > /dev/null +if [ \-e scan\-prev\&.xml ]; then + ndiff scan\-prev\&.xml scan\-$date\&.xml > diff\-$date + echo "*** NDIFF RESULTS ***" + cat diff\-$date + echo +fi +echo "*** NMAP RESULTS ***" +cat scan\-$date\&.nmap +ln \-sf scan\-$date\&.xml scan\-prev\&.xml +.fi +.if n \{\ +.RE +.\} +.PP +If the script is saved as +/root/scan\-ndiff\&.sh, add the following line to root\*(Aqs crontab: +.sp +.if n \{\ +.RS 4 +.\} +.nf +0 12 * * * /root/scan\-ndiff\&.sh +.fi +.if n \{\ +.RE +.\} +.sp +.SH "EXIT CODE" +.PP +The exit code indicates whether the scans are equal\&. +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +0 means that the scans are the same in all the aspects Ndiff knows about\&. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +1 means that the scans differ\&. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +2 indicates a runtime error, such as the failure to open a file\&. +.RE +.sp +.SH "BUGS" +.PP +Report bugs to the +nmap\-dev +mailing list at +<dev@nmap\&.org>\&. +.SH "HISTORY" +.PP +Ndiff started as a project by Michael Pattrick during the 2008 Google Summer of Code\&. Michael designed the program and led the discussion of its output formats\&. He wrote versions of the program in Perl and C++, but the summer ended shortly after it was decided to rewrite the program in Python for the sake of Windows (and Zenmap) compatibility\&. This Python version was written by David Fifield\&. James Levine +\m[blue]\fBreleased\fR\m[]\&\s-2\u[1]\d\s+2 +a Perl script named Ndiff with similar functionality in 2000\&. 
+.SH "AUTHORS" +.PP +David Fifield +<david@bamsoftware\&.com> +.PP +Michael Pattrick +<mpattrick@rhinovirus\&.org> +.SH "WEB SITE" +.PP +\m[blue]\fB\%https://nmap.org/ndiff/\fR\m[] +.SH "NOTES" +.IP " 1." 4 +released +.RS 4 +\%https://seclists.org/nmap-hackers/2000/315 +.RE diff --git a/ndiff/docs/ndiff.dtd b/ndiff/docs/ndiff.dtd new file mode 100644 index 0000000..087ab33 --- /dev/null +++ b/ndiff/docs/ndiff.dtd 
@@ -0,0 +1,139 @@ +<!-- +DTD for the Ndiff XML output format. +David Fifield <david@bamsoftware.com> + +Ndiff XML output is similar to Nmap XML output. Inside of the root +nmapdiff element, the scandiff element represents a single diff of two +scans. Inside scandiff, host differences are within hostdiff elements +and port differences are within portdiff elements. These may appear +anywhere where host and port elements would appear, respectively. + +Within a hostdiff or portdiff, differences are shown with a and b +elements, which show the state of things in the A and B +scan, respectively. These elements can appear most places in the output. + +The output may contain hosts and ports that haven't changed. These are +stored in normal host and port elements. + +Examples: +A host in the A scan but not in the B scan. + <hostdiff> + <a> + <host>...</host> + </a> + </hostdiff> +A host in the B scan but not in the A scan. + <hostdiff> + <b> + <host>...</host> + </b> + </hostdiff> +A host that gained a hostname and had a port change state. Port 22 is +unchanged. + <hostdiff> + <host> + <hostnames> + <hostname name="abc.example.com/> + <b> + <hostname name="xyz.example.com/> + </b> + </hostnames> + <ports> + <portdiff> + <a> + <port portid="10" protocol="tcp"> + <state state="open"/> + </port> + </a> + <b> + <port portid="10" protocol="tcp"> + <state state="closed"/> + </port> + </b> + <port portid="22" protocol="tcp"> + <state state="open"/> + </port> + </portdiff> + </ports> + </host> + </hostdiff> +--> + +<!-- Parameter entities defining "data types" used in the rest of the + DTD. --> +<!ENTITY % host-state "(unknown | up | down)"> +<!ENTITY % address-type "(ipv4 | ipv6 | mac)"> +<!ENTITY % protocol "(ip | tcp | udp)"> +<!ENTITY % port-state "CDATA"> + +<!ELEMENT nmapdiff (scandiff)> +<!-- The current version is "1". Lack of a version attribute indicates +version 0, which was rather different. 
--> +<!ATTLIST nmapdiff version CDATA #IMPLIED> + +<!ELEMENT scandiff (prescript | hostdiff | host | postscript | (a, b?) | b)*> + +<!ELEMENT nmaprun EMPTY> +<!ATTLIST nmaprun + scanner CDATA #REQUIRED + args CDATA #IMPLIED + start CDATA #IMPLIED + startstr CDATA #IMPLIED + version CDATA #REQUIRED> + +<!ELEMENT prescript (script* | (a, b?) | b)> +<!ELEMENT postscript (script* | (a, b?) | b)> + +<!ELEMENT hostdiff (host | (a, b?) | b)> + +<!ELEMENT host (status | address | hostnames | ports | os | hostscript | a | b)*> + +<!ELEMENT status EMPTY> +<!ATTLIST status state %host-state; #REQUIRED> + +<!ELEMENT hostnames (hostname | a | b)*> + +<!ELEMENT address EMPTY> +<!ATTLIST address addr CDATA #REQUIRED + addrtype %address-type; "ipv4"> + +<!ELEMENT hostname EMPTY> +<!ATTLIST hostname name CDATA #REQUIRED> + +<!ELEMENT ports ((extraports* | (a, b))?, (portdiff | port)*)> + + +<!ELEMENT portdiff (port | (a, b?) | b)> + +<!ELEMENT extraports EMPTY> +<!ATTLIST extraports state %port-state; #REQUIRED + count CDATA #REQUIRED> + +<!ELEMENT port (state | service | script | a | b)*> +<!ATTLIST port protocol %protocol; #REQUIRED + portid CDATA #REQUIRED> + +<!ELEMENT state EMPTY> +<!ATTLIST state state %port-state; #REQUIRED> + +<!ELEMENT service EMPTY> +<!ATTLIST service name CDATA #IMPLIED + product CDATA #IMPLIED + version CDATA #IMPLIED + extrainfo CDATA #IMPLIED + tunnel CDATA #IMPLIED> + +<!ELEMENT script EMPTY> +<!ATTLIST script id CDATA #REQUIRED + output CDATA #REQUIRED> + +<!ELEMENT os (osmatch | a | b)*> + +<!ELEMENT osmatch EMPTY> +<!ATTLIST osmatch name CDATA #REQUIRED> + +<!ELEMENT hostscript (script | a | b)*> + +<!ENTITY % diff-elem "(nmaprun | prescript | postscript | host | status | address | hostname | extraports* | port | state | service | script | os | osmatch* | hostscript)"> +<!ELEMENT a %diff-elem;> +<!ELEMENT b %diff-elem;> diff --git a/ndiff/docs/ndiff.xml b/ndiff/docs/ndiff.xml new file mode 100644 index 0000000..bdb953e --- /dev/null 
+++ b/ndiff/docs/ndiff.xml 
@@ -0,0 +1,413 @@ +<!-- This is the DocBook XML source for the Ndiff manual page. --> + +<refentry> + <refmeta> + <refentrytitle>ndiff</refentrytitle> + <manvolnum>1</manvolnum> + <refmiscinfo class="source">Ndiff</refmiscinfo> + <refmiscinfo class="manual">User Commands</refmiscinfo> + </refmeta> + + <refnamediv> + <refname>ndiff</refname> + <refpurpose>Utility to compare the results of Nmap scans</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis> + <command>ndiff</command> + <arg choice='opt'> + <replaceable>options</replaceable> + </arg> + <arg choice='req'> + <replaceable><filename>a.xml</filename></replaceable> + </arg> + <arg choice='req'> + <replaceable><filename>b.xml</filename></replaceable> + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="ndiff-man-description"> + <title>Description</title> + + <para> + Ndiff is a tool to aid in the comparison of Nmap scans. It takes two + Nmap XML output files and prints the differences between them. The + differences observed are: + <itemizedlist> + <listitem> + <para>Host states (e.g. up to down)</para> + </listitem> + <listitem> + <para>Port states (e.g. open to closed)</para> + </listitem> + <listitem> + <para>Service versions (from <option>-sV</option>)</para> + </listitem> + <listitem> + <para>OS matches (from <option>-O</option>)</para> + </listitem> + <listitem> + <para>Script output</para> + </listitem> + </itemizedlist> + </para> + + <para> + Ndiff, like the standard <command>diff</command> utility, compares two scans + at a time. + </para> + </refsect1> + + <refsect1 id="ndiff-man-options"> + <title>Options Summary</title> + + <variablelist> + <varlistentry> + <term><option>-h</option></term> + <term><option>--help</option></term> + <listitem> + <para> + Show a help message and exit. 
+ </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>-v</option></term> + <term><option>--verbose</option></term> + <listitem> + <para> + Include all hosts and ports in the output, not only those that + have changed. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>--text</option></term> + <listitem> + <para> + Write output in human-readable text format. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>--xml</option></term> + <listitem> + <para> + Write output in machine-readable XML format. The document + structure is defined in the file + <filename>ndiff.dtd</filename> included in the distribution. + </para> + </listitem> + </varlistentry> + </variablelist> + + <para> + Any other arguments are taken to be the names of Nmap XML output + files. There must be exactly two. + </para> + </refsect1> + + <refsect1 id="ndiff-man-example"> + <title>Example</title> + + <para> + Let's use Ndiff to compare the output of two Nmap scans that use + different options. In the first, we'll do a fast scan + (<option>-F</option>), which scans fewer ports for speed. In the + second, we'll scan the larger default set of ports, and run an NSE + script. + </para> + +<screen> +# <userinput>nmap -F scanme.nmap.org -oX scanme-1.xml</userinput> +# <userinput>nmap --script=html-title scanme.nmap.org -oX scanme-2.xml</userinput> +$ <userinput>ndiff -v scanme-1.xml scanme-2.xml</userinput> +-Nmap 5.35DC1 at 2010-07-16 12:09 ++Nmap 5.35DC1 at 2010-07-16 12:13 + + scanme.nmap.org (64.13.134.52): + Host is up. +-Not shown: 95 filtered ports ++Not shown: 993 filtered ports + PORT STATE SERVICE VERSION + 22/tcp open ssh + 25/tcp closed smtp + 53/tcp open domain ++70/tcp closed gopher + 80/tcp open http ++|_ html-title: Go ahead and ScanMe! + 113/tcp closed auth ++31337/tcp closed Elite +</screen> + + <para> + Changes are marked by a <literal>-</literal> or <literal>+</literal> + at the beginning of a line. 
We can see from the output that the scan + without the <option>-F</option> fast scan option found two + additional ports: 70 and 31337. The + <filename>html-title</filename> script produced some additional + output for port 80. From the port counts, we may infer that the fast + scan scanned 100 ports (95 filtered, 3 open, and 2 closed), while + the normal scan scanned 1000 (993 filtered, 3 open, and 4 closed). + </para> + + <para> + The <option>-v</option> (or <option>--verbose</option>) option to + Ndiff made it show even the ports that didn't change, like 22 and + 25. Without <option>-v</option>, they would not have been shown. + </para> + </refsect1> + + <refsect1 id="ndiff-man-output"> + <title>Output</title> + + <para> + There are two output modes: text and XML. Text output is the + default, and can also be selected with the <option>--text</option> + option. Text output resembles a unified diff of Nmap's normal + terminal output. Each line is preceded by a character indicating + whether and how it changed. <literal>-</literal> means that the line + was in the first scan but not in the second; <literal>+</literal> + means it was in the second but not the first. A line that changed is + represented by a <literal>-</literal> line followed by a + <literal>+</literal> line. Lines that did not change are preceded by + a blank space. + </para> + + <para> + <xref linkend="ndiff-man-ex-text-output" xrefstyle="select: label nopage"/> + is an example of text output. Here, port 80 on the host + photos-cache-snc1.facebook.com gained a service + version (<computeroutput>lighttpd 1.5.0</computeroutput>). The host + at 69.63.179.25 changed its reverse DNS name. The host at + 69.63.184.145 was completely absent in the first scan but came up in + the second. 
+ </para> + + <example id="ndiff-man-ex-text-output"> + <title>Ndiff text output</title> +<screen> +-Nmap 4.85BETA3 at 2009-03-15 11:00 ++Nmap 4.85BETA4 at 2009-03-18 11:00 + + photos-cache-snc1.facebook.com (69.63.178.41): + Host is up. + Not shown: 99 filtered ports + PORT STATE SERVICE VERSION +-80/tcp open http ++80/tcp open http lighttpd 1.5.0 + +-cm.out.snc1.tfbnw.net (69.63.179.25): ++mailout-snc1.facebook.com (69.63.179.25): + Host is up. + Not shown: 100 filtered ports + ++69.63.184.145: ++Host is up. ++Not shown: 98 filtered ports ++PORT STATE SERVICE VERSION ++80/tcp open http Apache httpd 1.3.41.fb1 ++443/tcp open ssl/http Apache httpd 1.3.41.fb1 +</screen> + </example> + + <para> + XML output, intended to be processed by other programs, is selected + with the <option>--xml</option> option. It is based on Nmap's XML + output, with a few additional elements to indicate differences. The + XML document is enclosed in <varname>nmapdiff</varname> and + <varname>scandiff</varname> elements. Host differences are enclosed + in <varname>hostdiff</varname> tags and port differences are + enclosed in <varname>portdiff</varname> tags. Inside a + <varname>hostdiff</varname> or <varname>portdiff</varname>, + <varname>a</varname> and <varname>b</varname> tags show the state of + the host or port in the first scan (<varname>a</varname>) or the + second scan (<varname>b</varname>). + </para> + + <para> + <xref linkend="ndiff-man-ex-xml-output" xrefstyle="select: label nopage"/> + shows the XML diff of the same scans shown above in + <xref linkend="ndiff-man-ex-text-output" xrefstyle="select: label"/>. + Notice how port 80 of + photos-cache-snc1.facebook.com is enclosed in + <varname>portdiff</varname> tags. For 69.63.179.25, the old hostname + is in <varname>a</varname> tags and the new is in + <varname>b</varname>. 
For the new host 69.63.184.145, there is a + <varname>b</varname> in the <varname>hostdiff</varname> without a + corresponding <varname>a</varname>, indicating that there was no + information for the host in the first scan. + </para> + + <example id="ndiff-man-ex-xml-output"> + <title>Ndiff XML output</title> +<screen> +<![CDATA[<?xml version="1.0" encoding="UTF-8"?> +<nmapdiff version="1"> + <scandiff> + <hostdiff> + <host> + <status state="up"/> + <address addr="69.63.178.41" addrtype="ipv4"/> + <hostnames> + <hostname name="photos-cache-snc1.facebook.com"/> + </hostnames> + <ports> + <extraports count="99" state="filtered"/> + <portdiff> + <port portid="80" protocol="tcp"> + <state state="open"/> + <a> + <service name="http"/> + </a> + <b> + <service name="http" product="lighttpd" version="1.5.0"/> + </b> + </port> + </portdiff> + </ports> + </host> + </hostdiff> + <hostdiff> + <host> + <status state="up"/> + <address addr="69.63.179.25" addrtype="ipv4"/> + <hostnames> + <a> + <hostname name="cm.out.snc1.tfbnw.net"/> + </a> + <b> + <hostname name="mailout-snc1.facebook.com"/> + </b> + </hostnames> + <ports> + <extraports count="100" state="filtered"/> + </ports> + </host> + </hostdiff> + <hostdiff> + <b> + <host> + <status state="up"/> + <address addr="69.63.184.145" addrtype="ipv4"/> + <ports> + <extraports count="98" state="filtered"/> + <port portid="80" protocol="tcp"> + <state state="open"/> + <service name="http" product="Apache httpd" + version="1.3.41.fb1"/> + </port> + <port portid="443" protocol="tcp"> + <state state="open"/> + <service name="http" product="Apache httpd" tunnel="ssl" + version="1.3.41.fb1"/> + </port> + </ports> + </host> + </b> + </hostdiff> + </scandiff> +</nmapdiff>]]></screen> + </example> + </refsect1> + + <refsect1 id="ndiff-man-periodic"> + <title>Periodic Diffs</title> + + <para> + Using Nmap, Ndiff, cron, and a shell script, it's possible to scan a + network daily and get email reports of the state of the network and + changes 
since the previous scan. + <xref linkend="ndiff-man-ex-cron" xrefstyle="select: label nopage"/> + shows the script that ties it together. + </para> + + <example id="ndiff-man-ex-cron"> + <title>Scanning a network periodically with Ndiff and cron</title> +<programlisting> +#!/bin/sh +TARGETS="<replaceable>targets</replaceable>" +OPTIONS="-v -T4 -F -sV" +date=`date +%F` +cd /root/scans +nmap $OPTIONS $TARGETS -oA scan-$date > /dev/null +if [ -e scan-prev.xml ]; then + ndiff scan-prev.xml scan-$date.xml > diff-$date + echo "*** NDIFF RESULTS ***" + cat diff-$date + echo +fi +echo "*** NMAP RESULTS ***" +cat scan-$date.nmap +ln -sf scan-$date.xml scan-prev.xml +</programlisting> + </example> + + <para> + If the script is saved as <filename>/root/scan-ndiff.sh</filename>, + add the following line to root's crontab: +<programlisting> +0 12 * * * /root/scan-ndiff.sh +</programlisting> + </para> + </refsect1> + + <refsect1 id="ndiff-man-exit-code"> + <title>Exit Code</title> + + <para> + The exit code indicates whether the scans are equal. + <itemizedlist spacing="compact"> + <listitem><para>0 means that the scans are the same in all the + aspects Ndiff knows about.</para></listitem> + <listitem><para>1 means that the scans differ.</para></listitem> + <listitem><para>2 indicates a runtime error, such as the failure + to open a file.</para></listitem> + </itemizedlist> + </para> + </refsect1> + + <refsect1 id="ndiff-man-bugs"> + <title>Bugs</title> + <para> + Report bugs to the <citetitle>nmap-dev</citetitle> mailing list at + <email>dev@nmap.org</email>. + </para> + </refsect1> + + <refsect1 id="ndiff-man-history"> + <title>History</title> + + <para> + Ndiff started as a project by Michael Pattrick during the 2008 + Google Summer of Code. Michael designed the program and led the + discussion of its output formats. 
He wrote versions of the program + in Perl and C++, but the summer ended shortly after it was decided + to rewrite the program in Python for the sake of Windows (and + Zenmap) compatibility. This Python version was written by David + Fifield. James Levine <ulink url="https://seclists.org/nmap-hackers/2000/315">released</ulink> a Perl script named Ndiff with + similar functionality in 2000. + </para> + </refsect1> + + <refsect1 id="ndiff-man-authors"> + <title>Authors</title> + + <para> + David Fifield <email>david@bamsoftware.com</email> + </para> + <para> + Michael Pattrick <email>mpattrick@rhinovirus.org</email> + </para> + </refsect1> + + <refsect1 id="ndiff-man-web"> + <title>Web site</title> + + <para> + <ulink url="https://nmap.org/ndiff/"/> + </para> + </refsect1> +</refentry> |