
FreeBSD Manual Pages
SCANPBNJ.MAN.1(1)     User Contributed Perl Documentation    SCANPBNJ.MAN.1(1)

NAME
	ScanPBNJ - a program for running Nmap scans and	storing	the results in
	a PBNJ 2.0 database.

SYNOPSIS
	scanpbnj [Options] {target specification}

DESCRIPTION
	ScanPBNJ performs an Nmap scan and then stores the results in
	a database. ScanPBNJ stores information about each machine that has
	been scanned: the IP address, operating system, hostname and a
	localhost bit. The localhost bit is a single bit which is 1 when
	the target machine is localhost and 0 otherwise. It also stores two
	timestamps for the machine table. The first is a human readable
	version and the second is the unix time. Both of these timestamps
	record the first time that the machine was scanned.

	ScanPBNJ stores information about the services that are found to be
	running on the target machine: the port and protocol, plus the
	version, product and service state of each service. The service
	state is either up or down. Two timestamps are also inserted for
	each instance of every service. The first is a human readable
	version and the second is the unix time. Both of these timestamps
	record the time at which the service was scanned.

	This tool can give an admin a clear layout of the network, listing
	all the machines together with the services they are running.

	ScanPBNJ is part of the PBNJ 2.0 suite of tools for monitoring
	changes on a network.

OPTIONS
	Usage: scanpbnj	[Options] {target specification}

	Target Specification:
	  Can be a IP Address, hostname, network etc.
	  Ex: microsoft.com, 10.0.0.0/24, 192.168.1.1, 10.0.0.0-100
	  -i  --iplist <iplist>	   Scan	using a	list of	IPs from a file
	  -x  --xml <xml-file>	   Parse scan/info from	Nmap XML file

	Scan Options:
	  -a  --args <args>	   Execute Nmap	with args (needs quotes)
	  -e  --extraargs <args>   Add args to the default args	(needs quotes)
	      --inter <interface>  Perform scan	with non default interface
	  -m  --moreports <ports>  Add ports to scan ex: 8080 or 3306,5900-5910
	  -n  --nmap <path>	   Path	to Nmap	executable
	  -p  --pingscan	   Ping	Target then scan the alive host(s)
	      --udp		   Add UDP to the scan arguments
	      --rpc		   Add RPC to the scan arguments
	  -r  --range <range>	   Ports for scan [def 1-1025]

	       --diffbanner	   Parse changes of the	banner

	Config Options:
	 -d    --dbconfig <config> Config for results database [def config.yaml]
	       --configdir <dir>   Directory for the database config file

	       --data <file>	   SQLite Database override [def data.dbl]
	       --dir <dir>	   Directory for SQLite	or CSV files [def .]

	General	Options:
	      --nocolors	   Don't Print Colors
	      --test <level>	   Testing information
	      --debug <level>	   Debug information
	  -v  --version		   Display version
	  -h  --help		   Display this	information

	Send Comments to Joshua	D. Abraham ( jabra@ccs.neu.edu )

THINGS TO NOTE
	* ScanPBNJ requires root privileges to perform a scan (the SYN scan
	and OS detection Nmap runs by default need raw socket access).

	* If you do not pass a specific port range, 1-1025 is used.

	* If there are configs in the current directory, they are used
	instead of those in the user's config directory.

	* ScanPBNJ does not modify previous database entries. It simply
	inserts new information when a change is found.

	* Use the same port range every time you scan a given target. A
	port covered by one scan but not by the next is recorded as a
	service change, so a varying range produces false positives.

EXAMPLE	SINGLE SCAN
	1) Scan	a class	B network on ports 1-9000

	    sudo ./scanpbnj -r 1-9000 10.0.0.0/16

	2) Scan	an IP Address on ports 1-9000

	    sudo ./scanpbnj -r 1-9000 10.0.0.100

EXAMPLE	AUTOMATED SCANS
	The following examples can be added to /etc/crontab

	1) Scan	a Class	C network every	2 hours

	30 */2 * * *   root scanpbnj 10.0.0.

	2) Scan	a Class	C network everyday at 2:30

	30 2 * * *     root scanpbnj 10.0.0.

TARGET SPECIFICATION
	Targets are specified the way they usually are when probing a
	network, so any of the following can be used:
	(e.g. 10.0.0.1, 10.0.0.1-254, 10.0.0.0/24 or 10.0.0.).
	The first example is simply an IP address. The second example is
	a range in the last octet. The third is a range in CIDR notation.
	The fourth example, the IP with a trailing dot, scans every host in
	the last octet and stands in for the star Nmap accepts there
	(10.0.0.*). The dot is used because an unquoted star would be
	expanded by the shell before ScanPBNJ ever sees it.

	Another option is to use a hostname or domain name. ScanPBNJ will
	then resolve the name to the corresponding IP address. If you pass
	a debug flag with level 1 or greater, ScanPBNJ will display which IP
	address the hostname resolved to.

   -i <iplist>	Scan using a list of IPs from a	file
	The iplist option is useful when you have a specific list of IPs to
	scan. This will perform a full scan of the IPs that are specified,
	much like Nmap's own -iL option. The results of the scan are
	inserted into the database.

   -x <xml-file>  Parse	scan/info from Nmap XML	file
	This option is useful when you can't perform the scan yourself or
	you don't want ScanPBNJ to perform the scan. Another situation where
	this is useful is when you have an XML file from an earlier scan
	and you want to extract information from it, possibly to compare
	with what is currently running on the target. ScanPBNJ parses the
	Nmap XML file (as written by nmap -oX), extracts the information
	about the host(s) and service(s), then inserts the results into the
	database.
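The following is an added illustration of what the -x import has to extract from an Nmap XML report; it is not PBNJ's own code (which is Perl) and the XML document is constructed, not a real scan. It pulls the host's address, hostname, OS match and per-port state and version into records shaped like PBNJ's machines and services tables. Two mappings are this example's assumptions rather than documented PBNJ behaviour: Nmap's open state is recorded as "up" and everything else as "down", and the localhost bit is set for 127.x addresses.

```python
"""Extract the fields PBNJ records from an Nmap -oX report (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample of an Nmap XML report, trimmed to the elements that
# matter here: status, address, hostname, ports and the OS match.
SAMPLE_NMAP_XML = """
<nmaprun scanner="nmap" args="nmap -vv -O -P0 -sSV -p 1-1025 -oX - 10.0.0.5">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <hostnames><hostname name="web.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="4.3p2" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.2.3" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
        <service name="https" method="table" conf="3"/>
      </port>
    </ports>
    <os><osmatch name="Linux 2.6.9 - 2.6.18" accuracy="96"/></os>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return (machines, services): lists of dicts shaped like PBNJ's tables."""
    root = ET.fromstring(xml_text.strip())
    machines, services = [], []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts Nmap never saw up carry no service data
        ip = next((a.get("addr") for a in host.findall("address")
                   if a.get("addrtype") in ("ipv4", "ipv6")), None)
        if ip is None:
            continue
        hn = host.find("hostnames/hostname")
        osm = host.find("os/osmatch")
        machines.append({
            "ip": ip,
            "host": hn.get("name") if hn is not None else ip,
            "os": osm.get("name") if osm is not None else "unknown",
            # assumption: loopback addresses are what PBNJ's localhost bit flags
            "localh": 1 if ip.startswith("127.") else 0,
        })
        for port in host.findall("ports/port"):
            st = port.find("state")
            svc = port.find("service")
            nmap_state = st.get("state") if st is not None else "unknown"
            product = svc.get("product", "") if svc is not None else ""
            version = svc.get("version", "") if svc is not None else ""
            services.append({
                "ip": ip,
                "port": int(port.get("portid")),
                "protocol": port.get("protocol"),
                # assumption: PBNJ's up/down is open vs. anything else
                "state": "up" if nmap_state == "open" else "down",
                "service": svc.get("name", "unknown") if svc is not None else "unknown",
                "version": version,
                "banner": " ".join(p for p in (product, version) if p),
            })
    return machines, services
```

Feeding a report written with nmap -oX through parse_nmap_xml gives the same host and service records a live scan would produce, which is what makes an old XML file comparable with the current state of the database.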

SCAN OPTIONS
   -a --args <args>
	** NOTE	** This	option needs quotes around the passed arguments

	This option bypasses the default arguments that are used when
	scanning with Nmap, including the default port specification, so
	pass -p inside the quoted arguments if you want to control the
	ports. This can be used to do a particular type of scan that is
	not possible by simply adding extra arguments. For example, if you
	want to only scan UDP ports and still do version identification
	and OS detection, you would do so using the following notation:

	 sudo scanpbnj -a "-A -O -sU"  localhost

   -e --extraargs <args>
	** NOTE	** This	option needs quotes around the passed arguments

	This option adds additional arguments onto the default scan
	arguments. This is most useful for scans where timing needs to be
	tuned. The extra arguments are appended to the defaults and the
	combined set is used for the scan.

   --inter <intface>
	This option sets an alternative	interface for performing the scan.
	This is	useful when you	have multiple interfaces on a machine
	with restrictions on which devices can access certain IP or IP ranges.

   -m --moreports <ports>
	This options adds additional ports to the range	of ports to scan.
	Individual port	numbers	are OK,	as are ranges separated	by a
	hyphen (e.g. 1-1023,5800,5900,8080).

	For example:

	 sudo scanpbnj -m 7000-7500,8080  localhost

	This scan would	scan the default range as well 7000-7500 and 8080.

   -n --nmap <alternative-nmap-path>
	Use an alternative Nmap rather than the Nmap located in your path.
	This is useful if you have multiple versions of Nmap installed on
	a system or if you are testing a new version of Nmap. Remember that
	if you are using a newly compiled version of Nmap you need to
	export NMAPDIR to the location that Nmap was compiled in. Thus, if
	you have compiled Nmap in your home directory, use the following
	notation:

	 export	NMAPDIR=$HOME/nmap-VERSION/

	 sudo scanpbnj -n $HOME/nmap-VERSION/nmap localhost

   -p	Ping Target then scan the host(s) that are alive
	The ping scan is a useful method of only scanning the hosts that
	respond to ICMP echo requests. ScanPBNJ first finds the hosts that
	respond and then performs the scan only on those hosts, so no time
	is wasted scanning hosts that do not respond. Note that a host
	which filters ICMP is skipped entirely. The results of the scan
	are then inserted into the database.

   --udp  Add UDP to the scan arguments
	Perform	a UDP scan, in addition	to the default scan.

	 sudo scanpbnj --udp localhost

	If you want to only perform a UDP scan you need to set the specific
	arguments for the scan (the port range must then be passed with -p,
	as -a replaces the defaults):

	 sudo scanpbnj -a "-vv -O -P0 -p 1-1025 -sVU" localhost

   --rpc  Add RPC to the scan arguments
	Perform an RPC scan in addition to the default scan.

	 sudo scanpbnj --rpc localhost

	If you want to only perform an RPC scan you need to set the specific
	arguments for the scan:

	 sudo scanpbnj -a "-vv -O -P0 -p 1-1025 -sVR" localhost

   -r --range <ports>
	Ports for scan [default	1-1025]

	This option specifies which ports you want to scan and overrides the
	default. Individual port numbers are OK, as are	ranges separated by a
	hyphen (e.g. 1-1023,5800,5900,8080 ).

	Thus, a	scan like this is ok.

	 sudo scanpbnj -r 22,25,80,100-200  localhost

	Also, if you leave off the number after the hyphen it will scan
	everything from the start port up to 65535.

	For example:

	 sudo scanpbnj -r 22,25- localhost
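Because the THINGS TO NOTE section warns that scanning a target with different port ranges produces false positives, it is worth being able to normalise the specs that -r and -m accept and compare them. The following is an added example, not PBNJ code: it expands a spec such as "22,25-" (open-ended ranges run to 65535, as documented above), collapses a port set back to the shortest "a-b,c" form, and checks two specs for equality. It assumes, as the -m description states, that -m ports are simply added to the -r range.

```python
"""Normalise and compare ScanPBNJ/Nmap port specifications (added example)."""

MAX_PORT = 65535


def parse_port_spec(spec):
    """Expand '22,25-,100-200' into a sorted tuple of unique ports.

    A range with no upper bound ('25-') runs to 65535, as -r documents.
    Raises ValueError on malformed or out-of-range entries so a typo in a
    cron line fails loudly instead of silently changing what gets scanned.
    """
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entry in port spec %r" % spec)
        if "-" in item:
            lo, hi = item.split("-", 1)
            lo = int(lo)
            hi = int(hi) if hi else MAX_PORT
        else:
            lo = hi = int(item)
        if not (1 <= lo <= hi <= MAX_PORT):
            raise ValueError("bad port range %r" % item)
        ports.update(range(lo, hi + 1))
    return tuple(sorted(ports))


def canonical_port_spec(ports):
    """Collapse a collection of ports into the shortest 'a-b,c' form."""
    ports = sorted(set(ports))
    out, i = [], 0
    while i < len(ports):
        j = i
        while j + 1 < len(ports) and ports[j + 1] == ports[j] + 1:
            j += 1
        out.append(str(ports[i]) if i == j else "%d-%d" % (ports[i], ports[j]))
        i = j + 1
    return ",".join(out)


def effective_spec(range_spec="1-1025", more_ports=""):
    """Ports a scan covers: the -r range (default 1-1025) plus any -m additions."""
    ports = set(parse_port_spec(range_spec))
    if more_ports:
        ports.update(parse_port_spec(more_ports))
    return canonical_port_spec(ports)


def same_ports(spec_a, spec_b):
    """True when two scans cover exactly the same ports, whatever the spelling."""
    return parse_port_spec(spec_a) == parse_port_spec(spec_b)
```

Recording canonical_port_spec(...) alongside each scheduled scan, and refusing to run when it differs from the previous one for the same target, is a cheap guard against the false-positive service changes the notes above describe.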

   --diffbanner
	Parse changes of the banner

	This option enables ScanPBNJ to compare banners between scans. The
	reason this is not on by default is that it could report changes in
	services that are not important to the user. However, this option
	is useful to a security professional who is looking for any change
	that occurs so that it can be verified.

DATABASE OPTIONS
   -d --dbconfig <file>
	Config for results database [default config.yaml]

	This option is used to specify an alternative config.yaml file.

   --configdir <dir>
	Directory for Config file [default . ]

	This option is used to specify an alternative directory	for the
	config.yaml file.

   --data <file>
	SQLite Database	override [default data.dbl ]

	This option is used when you want to change the	name of	the SQLite
	database file that is generated.

   --dir <dir>
	Directory for SQLite or	CSV files [default . ]

	This option is used when you want the database to be generated in a
	different directory.

GENERAL	OPTIONS
   --nocolors
	By default ScanPBNJ prints the useful changes in colour. This
	option simply disables the colours.

   --test <level>
	Increases the test level, causing ScanPBNJ to print testing
	information about the scan in progress. The test level is mostly
	used for testing. It also prints the debugging information, so the
	output can get rather lengthy. The greater the test level, the more
	output is given.

	This option is also used for reporting bugs. All bug reports should
	be submitted using --test 1, and an additional report may be needed
	depending on the issue.

   --debug <level>
	Increases the debug level, causing ScanPBNJ to print more information
	about the scan in progress. The Nmap scanning arguments are shown, as
	is the IP address if you are scanning a domain name. This option is
	used to give the user more information about what the scanner is
	doing. The higher the debug level, the more output the user will
	receive.

   -v --version
	Prints the ScanPBNJ version number and exits.

   -h --help
	Prints a short help screen with	the command flags.  Running ScanPBNJ
	without	any arguments does the same thing.

DEFAULT	SCAN
	Here are the default arguments that are used during a default scan:

	-vv -O -P0 -sSV	-p 1-1025

	That is: very verbose output, OS detection, no host discovery
	(-P0 is the older spelling of -Pn, which newer Nmap releases
	prefer), a TCP SYN scan with version detection, and ports 1-1025.
	Skipping host discovery means every target is port scanned even
	when it does not answer pings; use -p if you only want live hosts.

FILES
	PBNJ's configuration files are shared by ScanPBNJ and OutputPBNJ.
	When either of these programs is run, the configuration files are
	generated for the user if they don't already exist and placed in
	the $HOME/.pbnj-2.0 directory. Again, if there is a configuration
	file in the current directory it is used instead of the version in
	the configuration directory.

	$HOME/.pbnj-2.0/config.yaml - holds settings for connecting to
	the database which store the information from PBNJ scans.

	$HOME/.pbnj-2.0/query.yaml - lists all queries that can be used to
	retrieve information from the database, including the name and
	description of each query. This file is only generated when you
	execute OutputPBNJ.

	On Windows, the pbnj-2.0 config directory is under the APPDATA
	directory and contains both config.yaml and query.yaml. The
	location of APPDATA varies between environments, so when the
	configs are generated for the first time the programs display the
	path where they were written.

FEATURE	REQUESTS
	Any feature requests should be reported	to the online
	feature-request-tracking system	available on the web at	:
	http://sourceforge.net/tracker/?func=add&group_id=149390&atid=774489
	Before requesting a feature, please check to see if the	features has
	already	been requested.

BUG REPORTS
	Any bugs found should be reported to the online	bug-tracking system
	available on the web at	:
	http://sourceforge.net/tracker/?func=add&group_id=149390&atid=774488.
	Before reporting a bug, please check to see if the bug has already
	been reported.

	When reporting PBNJ bugs, it is	important to include a reliable	way to
	reproduce the bug, version number of PBNJ and Nmap, OS
	name and version, and any relevant hardware specs. And of course,
	patches	to rectify the bug are even better.

SUPPORTED DATABASES
	The following databases	are supported:

	* SQLite [default]
	* MySQL
	* Postgres
	* CSV

DATABASE SCHEMA
	The following is the SQLite version of the database schema:

	CREATE TABLE machines (
		   mid INTEGER PRIMARY KEY AUTOINCREMENT,
		   ip TEXT,
		   host	TEXT,
		   localh INTEGER,
		   os TEXT,
		   machine_created TEXT,
		   created_on TEXT);
	CREATE TABLE services (
		   mid INTEGER,
		   service TEXT,
		   state TEXT,
		   port	INTEGER,
		   protocol TEXT,
		   version TEXT,
		   banner TEXT,
		   machine_updated TEXT,
		   updated_on TEXT);
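Because ScanPBNJ never modifies earlier rows and only inserts a new services row when a change is found, the "current" state of a port is the newest row for that (mid, port, protocol), and every row newer than the last time you looked is a change. The following is an added example of querying the schema above in that way with Python's standard sqlite3 module; it is not PBNJ or OutputPBNJ code, and the rows are constructed to mimic three scans of one host in which ssh stays up, http goes down, and a VNC listener appears. Storing the unix time in updated_on as TEXT is taken from the schema; the CAST when comparing it is this example's choice.

```python
"""Find current service state and recent changes in a PBNJ SQLite database."""
import sqlite3

# Schema copied from the manual page's DATABASE SCHEMA section.
SCHEMA = """
CREATE TABLE machines (
    mid INTEGER PRIMARY KEY AUTOINCREMENT,
    ip TEXT, host TEXT, localh INTEGER, os TEXT,
    machine_created TEXT, created_on TEXT);
CREATE TABLE services (
    mid INTEGER, service TEXT, state TEXT, port INTEGER, protocol TEXT,
    version TEXT, banner TEXT, machine_updated TEXT, updated_on TEXT);
"""

# Constructed rows, not real scan output. created_on/updated_on hold unix time.
MACHINES = [
    ("10.0.0.5", "web.example.test", 0, "Linux 2.6.X",
     "Wed Nov 15 00:00:00 2006", "1163548800"),
]
SERVICES = [
    # scan 1: ssh and http are up
    (1, "ssh",  "up",   22,   "tcp", "4.3p2", "OpenSSH 4.3p2",      "scan1", "1163548800"),
    (1, "http", "up",   80,   "tcp", "2.2.3", "Apache httpd 2.2.3", "scan1", "1163548800"),
    # scan 2: http stopped answering; PBNJ inserts the flip rather than updating
    (1, "http", "down", 80,   "tcp", "2.2.3", "Apache httpd 2.2.3", "scan2", "1163556000"),
    # scan 3: a new listener appears
    (1, "vnc",  "up",   5900, "tcp", "3.8",   "VNC 3.8",            "scan3", "1163563200"),
]

# Newest row per (machine, port, protocol) is the state as PBNJ last saw it.
LATEST_STATE_SQL = """
SELECT m.ip, s.port, s.protocol, s.service, s.state, s.updated_on
FROM services s
JOIN machines m ON m.mid = s.mid
WHERE CAST(s.updated_on AS INTEGER) = (
    SELECT MAX(CAST(x.updated_on AS INTEGER)) FROM services x
    WHERE x.mid = s.mid AND x.port = s.port AND x.protocol = s.protocol)
ORDER BY m.ip, s.port
"""

# Every row inserted after a given time is a change ScanPBNJ detected.
CHANGES_SINCE_SQL = """
SELECT m.ip, s.port, s.protocol, s.service, s.state, s.updated_on
FROM services s
JOIN machines m ON m.mid = s.mid
WHERE CAST(s.updated_on AS INTEGER) > ?
ORDER BY CAST(s.updated_on AS INTEGER), s.port
"""


def load_db():
    """Build an in-memory database from the schema and the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO machines (ip, host, localh, os, machine_created, created_on)"
        " VALUES (?,?,?,?,?,?)", MACHINES)
    db.executemany("INSERT INTO services VALUES (?,?,?,?,?,?,?,?,?)", SERVICES)
    return db


def current_services(db):
    """(ip, port, protocol, service, state, updated_on) for each known port."""
    return db.execute(LATEST_STATE_SQL).fetchall()


def open_ports(db):
    """Ports whose most recent state is up, i.e. what is exposed right now."""
    return [(ip, port, proto) for ip, port, proto, _svc, state, _t
            in current_services(db) if state == "up"]


def changes_since(db, unix_time):
    """Service rows recorded after unix_time, oldest first."""
    return db.execute(CHANGES_SINCE_SQL, (unix_time,)).fetchall()
```

Pointing load_db at a real data.dbl instead of ":memory:" (and dropping the inserts) gives the same two queries over a live PBNJ database; the "changes since the last run" query is the one to wire into an alert.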

SEE ALSO
	outputpbnj(1), genlist(1), nmap(1)

AUTHORS
	Joshua D. Abraham ( jabra@ccs.neu.edu )

LEGAL NOTICES
	This program is	distributed in the hope	that it	will be	useful,	but
	WITHOUT	ANY WARRANTY; without even the implied warranty	of
	MERCHANTABILITY	or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	General	Public License for more	details	at
	http://www.gnu.org/copyleft/gpl.html, or in the	COPYING	file included
	with PBNJ.

	It should also be noted	that PBNJ has occasionally been	known to
	crash poorly written applications, TCP/IP stacks, and even operating
	systems.  While	this is	extremely rare,	it is important	to keep	in
	mind.  PBNJ should never be run	against	mission	critical systems
	unless you are prepared	to suffer downtime. We acknowledge here	that
	PBNJ may crash your systems or networks	and we disclaim	all liability
	for any	damage or problems PBNJ	could cause.

perl v5.24.1			  2006-11-15		     SCANPBNJ.MAN.1(1)


Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=scanpbnj&sektion=1p&manpath=FreeBSD+12.1-RELEASE+and+Ports>
