PoshCode Archive  Artifact [f37bfe9667]

Artifact f37bfe96678700660c1aeacad726cbd958b73e86459675460c2909c2265c1a0b:

  • File parse-nmap.ps1 — part of check-in [fb7a9dc667] at 2018-06-10 12:56:41 on branch trunk — Get a sample nmap XML file to play with and see some examples of using the script at https://blogs.sans.org/windows-security/2009/06/11/powershell-script-to-parse-nmap-xml-output/ (this is where the latest version will be maintained, it’s been edited a few times already since being posted here). (user: Jason Fossen size: 8908)

# encoding: ascii
# api: powershell
# title: 
# description: Get a sample nmap XML file to play with and see some examples of using the script at https://blogs.sans.org/windows-security/2009/06/11/powershell-script-to-parse-nmap-xml-output/  (this is where the latest version will be maintained, it’s been edited a few times already since being posted here).
# version: 3.0
# type: function
# author: Jason Fossen 
# license: CC0
# function: parse-nmap
# x-poshcode-id: 1219
# x-archived: 2009-07-22T10:23:11
#
#
Param ($Path, [Switch] $RunStatsOnly, [Switch] $ShowProgress)

function parse-nmap 
{
	####################################################################################
	#.Synopsis 
	#    Parse XML output file(s) of the nmap port scanner (www.nmap.org). 
	#
	#.Description 
	#    Parse XML output file(s) of the nmap port scanner (www.nmap.org) and  
	#    emit custom objects with properties containing the scan data. The 
	#    script can accept either piped or parameter input.  The script can be
	#    safely dot-sourced without error as is. 
	#
	#.Parameter Path  
	#    Either 1) a string with or without wildcards to one or more XML output
	#    files, or 2) one or more FileInfo objects representing XML output files.
	#
	#.Parameter RunStatsOnly
	#    Only displays general scan information from each XML output file, such
	#    as scan start/stop time, elapsed time, command-line arguments, etc.
	#
	#.Parameter ShowProgress
	#    Prints progress information to StdErr while processing host entries.    
	#
	#.Example 
	#    dir *.xml | .\parse-nmap.ps1
	#
	#.Example 
	#	 .\parse-nmap.ps1 -path onefile.xml
	#    .\parse-nmap.ps1 -path *files.xml 
	#
	#.Example 
	#    $files = dir *some.xml,others*.xml,there?.xml 
	#    .\parse-nmap.ps1 -path $files    
	#
	#.Example 
	#    .\parse-nmap.ps1 -path scanfile.xml -runstatsonly
	#
	#Requires -Version 1.0 
	#
	#.Notes 
	#  Author: Jason Fossen (http://blogs.sans.org/windows-security/)  
	# Version: 3.0
	# Updated: 18.Jul.2009
	#   Other: Once PowerShell 2.0 has been out a few months, the script will be
	#          rewritten as an advanced function and otherwise spruced up...
	#   LEGAL: PUBLIC DOMAIN.  SCRIPT PROVIDED "AS IS" WITH NO WARRANTIES OR GUARANTEES OF 
	#          ANY KIND, INCLUDING BUT NOT LIMITED TO MERCHANTABILITY AND/OR FITNESS FOR
	#          A PARTICULAR PURPOSE.  ALL RISKS OF DAMAGE REMAINS WITH THE USER, EVEN IF
	#          THE AUTHOR, SUPPLIER OR DISTRIBUTOR HAS BEEN ADVISED OF THE POSSIBILITY OF
	#          ANY SUCH DAMAGE.  IF YOUR STATE DOES NOT PERMIT THE COMPLETE LIMITATION OF
	#          LIABILITY, THEN DELETE THIS FILE SINCE YOU ARE NOW PROHIBITED TO HAVE IT.
	####################################################################################

	param ($Path, [Switch] $RunStatsOnly, [Switch] $ShowProgress)
	
	if ($Path -match "/\?|/help|-h|-help|--h|--help") 
	{ 
		"`nPurpose: Process nmap XML output files (www.nmap.org)."
		"Example: dir *.xml | .\parse-nmap.ps1 `n"
		exit 
	}

	if ($Path -eq $null) {$Path = @(); $input | foreach { $Path += $_ } } 
	if (($Path -ne $null) -and ($Path.gettype().name -eq "String")) {$Path = dir $path} #To support wildcards in $path.  
	$1970 = [DateTime] "01 Jan 1970 01:00:00 GMT"

	if ($RunStatsOnly)
	{
		ForEach ($file in $Path) 
		{
			$xmldoc = new-object System.XML.XMLdocument
			$xmldoc.Load($file)
			$stat = ($stat = " " | select-object FilePath,FileName,Scanner,Profile,ProfileName,Hint,ScanName,Arguments,Options,NmapVersion,XmlOutputVersion,StartTime,FinishedTime,ElapsedSeconds,ScanType,Protocol,NumberOfServices,Services,VerboseLevel,DebuggingLevel,HostsUp,HostsDown,HostsTotal)
			$stat.FilePath = $file.fullname
			$stat.FileName = $file.name
			$stat.Scanner = $xmldoc.nmaprun.scanner
			$stat.Profile = $xmldoc.nmaprun.profile
			$stat.ProfileName = $xmldoc.nmaprun.profile_name
			$stat.Hint = $xmldoc.nmaprun.hint
			$stat.ScanName = $xmldoc.nmaprun.scan_name
			$stat.Arguments = $xmldoc.nmaprun.args
			$stat.Options = $xmldoc.nmaprun.options
			$stat.NmapVersion = $xmldoc.nmaprun.version
			$stat.XmlOutputVersion = $xmldoc.nmaprun.xmloutputversion
			$stat.StartTime = $1970.AddSeconds($xmldoc.nmaprun.start) 	
			$stat.FinishedTime = $1970.AddSeconds($xmldoc.nmaprun.runstats.finished.time)
			$stat.ElapsedSeconds = $xmldoc.nmaprun.runstats.finished.elapsed
			$stat.ScanType = $xmldoc.nmaprun.scaninfo.type	
			$stat.Protocol = $xmldoc.nmaprun.scaninfo.protocol		
			$stat.NumberOfServices = $xmldoc.nmaprun.scaninfo.numservices

			#In the original XML, ranges of ports are summarized, e.g., "500-522", but the script will list each port separately.
			$stat.Services = $xmldoc.nmaprun.scaninfo.services   #A long comma-delimitted string which includes ",50-88," ranges.
			$stat.Services = $($stat.Services.replace("-","..")).Split(",") 
			$temp  = $stat.Services | where { $_ -notlike "*..*"} | foreach { [Int] $_ } 
			$stat.Services | where { $_ -like "*..*" } | foreach { invoke-expression "$_" } | foreach { $temp += [Int] $_ } 
			$stat.Services = $temp | sort #Services now contains a sorted Int32 array of all ports, range operators removed. 

			$stat.VerboseLevel = $xmldoc.nmaprun.verbose.level
			$stat.DebuggingLevel = $xmldoc.nmaprun.debugging.level		
			$stat.HostsUp = $xmldoc.nmaprun.runstats.hosts.up
			$stat.HostsDown = $xmldoc.nmaprun.runstats.hosts.down		
			$stat.HostsTotal = $xmldoc.nmaprun.runstats.hosts.total
			$stat 			
		}
		return #Don't process hosts.  
	}
	
	ForEach ($file in $Path) {
		If ($ShowProgress) { [Console]::Error.WriteLine("[" + (get-date).ToLongTimeString() + "] Starting $file" ) }

		$xmldoc = new-object System.XML.XMLdocument
		$xmldoc.Load($file)
		
		# Process each of the <host> nodes from the nmap report.
		$i = 0  #Counter for <host> nodes processed.
		$xmldoc.nmaprun.host | foreach-object { 
			$hostnode = $_   # $hostnode is a <host> node in the XML.
		
			# Init variables, with $entry being the custom object for each <host>. 
			$service = " " #service needs to be a single space.
			$entry = ($entry = " " | select-object FQDN, HostName, Status, IPv4, IPv6, MAC, Ports, OS) 

			# Extract state element of status:
			$entry.Status = $hostnode.status.state.Trim() 
			if ($entry.Status.length -eq 0) { $entry.Status = "<no-status>" }

			# Extract fully-qualified domain name(s).
			$hostnode.hostnames | foreach-object { $entry.FQDN += $_.hostname.name + " " } 
			$entry.FQDN = $entry.FQDN.Trim()
			if ($entry.FQDN.Length -eq 0) { $entry.FQDN = "<no-fullname>" }

			# Note that this code cheats, it only gets the hostname of the first FQDN if there are multiple FQDNs.
			if ($entry.FQDN.Contains(".")) { $entry.HostName = $entry.FQDN.Substring(0,$entry.FQDN.IndexOf(".")) }
			elseif ($entry.FQDN -eq "<no-fullname>") { $entry.HostName = "<no-hostname>" }
			else { $entry.HostName = $entry.FQDN }

			# Process each of the <address> nodes, extracting by type.
			$hostnode.address | foreach-object {
				if ($_.addrtype -eq "ipv4") { $entry.IPv4 += $_.addr + " "}
				if ($_.addrtype -eq "ipv6") { $entry.IPv6 += $_.addr + " "}
				if ($_.addrtype -eq "mac")  { $entry.MAC  += $_.addr + " "}
			}        
			if ($entry.IPv4 -eq $null) { $entry.IPv4 = "<no-ipv4>" } else { $entry.IPv4 = $entry.IPv4.Trim()}
			if ($entry.IPv6 -eq $null) { $entry.IPv6 = "<no-ipv6>" } else { $entry.IPv6 = $entry.IPv6.Trim()}
			if ($entry.MAC  -eq $null) { $entry.MAC  = "<no-mac>" }  else { $entry.MAC  = $entry.MAC.Trim() }


			# Process all ports from <ports><port>, and note that <port> does not contain an array if it only has one item in it.
			if ($hostnode.ports.port -eq $null) { $entry.Ports = "<no-ports>" } 
			else 
			{
				$hostnode.ports.port | foreach-object {
					If ($_.service.name -eq $null) { $service = "unknown" } else { $service = $_.service.name } 
					$entry.Ports += $_.state.state + ":" + $_.protocol + ":" + $_.portid + ":" + $service + " " 
				}
				$entry.Ports = $entry.Ports.Trim()
			}


			# Extract fingerprinted OS type and percent of accuracy.
			$hostnode.os.osmatch | foreach-object {$entry.OS += $_.name + " <" + ([String] $_.accuracy) + "%-accuracy> "} 
			$entry.OS = $entry.OS.Trim()
			if ($entry.OS -eq "<%-accuracy>") { $entry.OS = "<no-os>" }


			# Emit custom object from script.
			$i++  #Progress counter...
			$entry
		}

		If ($ShowProgress) { [Console]::Error.WriteLine("[" + (get-date).ToLongTimeString() + "] Finished $file, processed $i entries." ) }
	}
}



if ($path -eq $null) { $path = @(); $input | foreach { $Path += $_ } } #Piping issues...

if ($showprogress) {parse-nmap -path $Path -showprogress}
elseif ($runstatsonly) {parse-nmap -path $Path -runstatsonly}
else { parse-nmap -path $Path }