NMAP Asset Discovery
In this guide we will showcase how to create an EC2 instance, connect to it, install NMAP and given a target identify and extract the open ports of the target. Then use Asset Update to store them within the Asset A-Ops application.
Download template
Requirements
- Asset Integration
- AWS EC2 Integration
- Remote Integration
- Secure Secrets Integration
- System Integration
Steps
- Add Trigger object to the flow, name it and press save
- In this particular guide, there are prerequisite information necessary for example, the particular target. Which can be specified in an action and stored within a variable.
- Add a Secure Secret action which the key value that is used for the AWS instance should be added
- Add and configure an AWS EC2 Connect object to the flow, with an Access Key and Secret Access Key. The region depends on the environment the information resides in.
- Add an AWS EC2 Create Instance adding the necessary information such as instance name, ami, instance type, key name, subnet, and security group. Finally, tick the Assign Public IP according to the requirements.
- if on Step 5, the Public IP address was ticked, add an AWS EC2 List Instances object to retrieve the Public IP address information of the newly built instance.
- Using a Remote Connect Linux Object, specifying the IP address, username, and key-file for connecting to it.
- Add a Remote Command object to install nmap, using the following command
apt-get install nmap -y
- Add another Remote Command to execute the nmap scan. For the purpose of this example, a simple scan was specified:
nmap --open -Pn %%var[local][target]%%
. - Add an Extract action specifying the following Regex:
(?P<port>[0-9]+)\\/(?P<type>(tcp|udp))\\s+(?P<state>\\w+)\\s+(?P<service>\\w+)
to parse the events generated by the nmap scan. - Add and configure a ForEach action to loop over the Nmap Results that have been extracted.
- Store the tcp / udp ports that have been identified within the given list using an action.
- Once the ForEach loop has been completed, using a link object with RC code specified as 200, Create / Update a given asset with the results of the nmap scan.
- Terminate the newly created nmap server using a AWS EC2 Terminate Instance specifying the instance ID.
All above steps can be viewed below.