#!/usr/bin/env bash
# Terminal width used by the banner helpers; falls back to 80 when tput is
# unavailable or stdout is not a terminal (its error output is discarded).
if ! cols=$(tput cols 2>/dev/null); then
  cols=80
fi
#######################################
# Print a full-width rule of '+' characters wrapped in square brackets.
# Globals:   cols (read) - terminal width
# Outputs:   one line to stdout, e.g. "[++++++++]" for cols=10
#######################################
print_bar() {
  local width=$(( cols - 2 ))
  # Two columns go to the brackets; never ask printf for a negative width.
  if (( width < 0 )); then
    width=0
  fi
  local filler
  printf -v filler '%*s' "$width" ''
  printf '[%s]\n' "${filler// /+}"
}
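#######################################
# Print a string centred within the terminal width.
# Globals:   cols (read) - terminal width
# Arguments: $1 - text to print
# Outputs:   the text on stdout, left-padded with spaces so it is centred;
#            printed unpadded when it is at least cols wide
#######################################
print_center() {
  local text="$1"
  local len=${#text}
  if [ "$len" -ge "$cols" ]; then
    # printf rather than echo: a text such as "-n" must be printed verbatim,
    # not interpreted as an echo option.
    printf '%s\n' "$text"
  else
    local pad=$(( (cols - len) / 2 ))
    printf '%*s%s\n' "$pad" "" "$text"
  fi
}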
#######################################
# Print the usage text and terminate the script.
# Globals:   $0 (read) - script name shown in the synopsis
# Outputs:   usage text on stdout
# Returns:   never returns; exits with status 1
#######################################
usage() {
  cat <<EOF
Usage: $0 [options] <target>

Options:
 -u Include UDP top-20 ports scan
 -o <dir> Output directory (default: current directory)
 -r <rate> Min-rate for nmap (default: 1000)
 -h Show this help
EOF
  exit 1
}
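# Option defaults: write next to the caller, nmap --min-rate 1000, no UDP phase.
outdir="."
min_rate=1000
udp=0
while getopts ":uo:r:h" opt; do
  case "$opt" in
    u) udp=1 ;;
    o) outdir="$OPTARG" ;;
    r) min_rate="$OPTARG" ;;
    h) usage ;;
    :) echo "Error: option -$OPTARG requires an argument." >&2; usage ;;
    \?) echo "Error: unknown option -$OPTARG." >&2; usage ;;
  esac
done
shift $(( OPTIND - 1 ))
# -r is handed straight to nmap's --min-rate; accept only a plain (optionally
# decimal) number so a mistyped value is rejected before any scan starts.
rate_re='^[0-9]+(\.[0-9]+)?$'
if ! [[ "$min_rate" =~ $rate_re ]]; then
  echo "Error: -r expects a numeric rate, got \"$min_rate\"." >&2
  usage
fi
# The first remaining argument is the target; usage() exits when it is missing.
if [ -z "${1:-}" ]; then
  usage
fi
target="$1"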
# Every phase below runs nmap; stop early when it is not on PATH.
command -v nmap >/dev/null 2>&1 || {
  echo "Error: nmap not found. Install it and try again." >&2
  exit 1
}
# SUDO is prepended (unquoted, so an empty value disappears) to each nmap
# invocation: empty when already running as root, "sudo" otherwise.
SUDO="sudo"
[ "$(id -u)" -eq 0 ] && SUDO=""
mkdir -p "$outdir"
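# Resolve hostname to IP once so all phases use the same address,
# avoiding failures when DNS becomes unavailable mid-scan (e.g. expiring CTF labs).
# A dotted-quad target is used as-is (octet ranges are not validated); the
# match is done with bash's =~ instead of piping the user-supplied value
# through echo.
ipv4_re='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
if [[ "$target" =~ $ipv4_re ]]; then
  scan_target="$target"
else
  # Try host(1) first, then dig(1). A missing tool or a failed lookup leaves
  # scan_target empty (stderr is discarded), which is reported below.
  scan_target=$(host -t A "$target" 2>/dev/null | awk '/has address/{print $4; exit}')
  if [ -z "$scan_target" ]; then
    scan_target=$(dig +short A "$target" 2>/dev/null | grep -E '^[0-9.]+$' | head -n 1)
  fi
  if [ -z "$scan_target" ]; then
    echo "Error: could not resolve \"$target\"." >&2
    exit 1
  fi
fi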
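print_bar
print_center "Enumeration starting"
print_bar
echo ""
echo "TARGET: $target"
[ "$scan_target" != "$target" ] && echo "RESOLVED: $scan_target"
echo "OUT DIR: $outdir"
echo "MIN RATE: $min_rate"
echo ""
timestamp=$(date +%Y%m%d-%H%M%S)
# The target is user input and becomes part of the output file name: replace
# anything outside [[:alnum:]._-] so a value containing '/' or '..' cannot
# steer nmap's -oA files outside outdir. Plain IPs and hostnames are unchanged.
safe_target=${target//[^[:alnum:]._-]/_}
outfile="${outdir}/${safe_target}-${timestamp}"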
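echo "[*] Phase 1 — full TCP port scan"
# Capture the sweep on its own so nmap's exit status is visible; inside the
# former pipeline a failed nmap (or a failed sudo) was indistinguishable from
# "no open ports".
if ! phase1=$($SUDO nmap -Pn -p- --min-rate="$min_rate" -T4 "$scan_target"); then
  echo "Error: TCP port scan failed." >&2
  exit 1
fi
# Comma-separated list of open TCP port numbers, e.g. "22,80,443".
ports=$(
  printf '%s\n' "$phase1" \
    | grep -E '^[0-9]+/tcp[[:space:]]+open' \
    | cut -d'/' -f1 \
    | tr '\n' ',' \
    | sed 's/,$//'
)
if [ -n "$ports" ]; then
  echo "[+] Open ports: $ports"
  echo ""
  echo "[*] Phase 2 — service/version scan on discovered ports"
  # Only claim success when nmap exits cleanly; the script still continues so
  # an optional UDP phase can run.
  if $SUDO nmap -Pn --min-rate="$min_rate" -T4 -sV -sC -O -p "$ports" "$scan_target" \
    -oA "${outfile}-tcp"; then
    echo "[+] TCP results saved to ${outfile}-tcp.{nmap,gnmap,xml}"
  else
    echo "[-] Service scan exited with an error; check ${outfile}-tcp.* before trusting it." >&2
  fi
else
  echo "[-] No open TCP ports found."
fi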
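# Optional phase, enabled with -u.
if [ "$udp" -eq 1 ]; then
  echo ""
  echo "[*] Phase 3 — UDP top-20 ports scan"
  # Report nmap's exit status instead of announcing saved results unconditionally.
  if $SUDO nmap -Pn -sU --top-ports 20 -T4 "$scan_target" \
    -oA "${outfile}-udp"; then
    echo "[+] UDP results saved to ${outfile}-udp.{nmap,gnmap,xml}"
  else
    echo "[-] UDP scan exited with an error; check ${outfile}-udp.* before trusting it." >&2
  fi
fi
echo ""
print_bar
print_center "Done!"
print_bar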