I am often asked “What is the easiest thing companies can do to secure their networks?” and my answer is always “Know what is on your network.” While that is simple advice, it is a lot harder to implement. One company I was working with was looking at a system to do continuous network monitoring (read: scheduled nmap scans) for $40,000 a year.
After I cried for the state of my industry I told them I could do this for them with a small shell script, a $5 a month Digital Ocean Droplet and a free Sendgrid account.
Here is how I did it:
- Created a free Sendgrid account.
- Spun up a $5 a month DigitalOcean Ubuntu Droplet.
- Added a nmaper.company.com DNS record to be perfectly clear what the box was doing.
- Updated and installed needed software:
sudo apt-get update && sudo apt-get dist-upgrade
sudo apt-get install ssmtp nmap xsltproc
- Created necessary folders:
mkdir /root/nmap/
mkdir /root/nmap/diffs
- Edit /etc/ssmtp/ssmtp.conf with this:
[email protected]
mailhub=smtp.sendgrid.com
rewriteDomain=
[email protected]
UseSTARTTLS=YES
AuthUser=jgamblin
AuthPass=password
FromLineOverride=YES
- Copy this to /root/nmap/scan.sh:
#!/bin/sh
# Hosts or ranges to watch, and the nmap options used on every run.
TARGETS="jerrygamblin.com scanme.nmap.org"
OPTIONS="-v -sV -T4 -F --open"
date=$(date +%F%T)
cd ~/nmap/diffs || exit 1
# Writes scan-<date>.xml/.nmap/.gnmap; the XML is what ndiff compares.
nmap $OPTIONS $TARGETS -oA scan-$date > /dev/null
email()
{
    # The blank line after Subject separates the mail headers from the body.
    /usr/sbin/ssmtp [email protected] <<EOF
From: [email protected]
Subject: nmap ndiff

$(date +"%Y-%m-%d")
*** NDIFF RESULTS ***
$(cat diff-$date)
EOF
}
# ndiff exits 1 when the scans differ (0: identical, 2: error), so mail only then.
if [ -e scan-prev.xml ]; then
    ndiff scan-prev.xml scan-$date.xml > diff-$date
    [ "$?" -eq "1" ] && email
fi
# Point scan-prev.xml at this run so the next run compares against it.
ln -sf scan-$date.xml scan-prev.xml
- Test it: add "cat diff-$date" to the bottom of the script to see the output.
- Add a cron job to crontab to run it every 15 minutes (or every hour for bigger networks).
- Talk your boss into buying you something awesome with the $39,970 in savings.
It was as simple as that, and I put this together in an afternoon. Up next is to build a Slackbot to deliver the differences to their Slack channel.
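As an added example (not part of the script above), this is the comparison ndiff performs, written in Python against nmap's -oX/-oA XML output, so the change list can be mailed or handed to a Slackbot. The two scan documents and the addresses in them are constructed sample data, trimmed to the elements the comparison needs.

```python
import xml.etree.ElementTree as ET

# Constructed sample nmap XML for two consecutive runs of the same scan (not real hosts).
PREV_XML = """<nmaprun><host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
</ports></host></nmaprun>"""
CURR_XML = """<nmaprun><host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="filtered"/><service name="http"/></port>
<port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
</ports></host><host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
</ports></host></nmaprun>"""

def open_ports(nmap_xml):
    """Map each up host's address to {(proto, port): service} for ports nmap reported open."""
    hosts = {}
    for host in ET.fromstring(nmap_xml).iter("host"):
        if host.find("status").get("state") != "up":
            continue  # a host that stopped answering is reported as gone, not as closed ports
        addr = host.find("address").get("addr")
        hosts[addr] = {}
        for p in host.iter("port"):
            if p.find("state").get("state") != "open":
                continue  # open -> filtered/closed shows up as a closed port in the diff
            svc = p.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            hosts[addr][(p.get("protocol"), int(p.get("portid")))] = name
    return hosts

def scan_diff(prev_xml, curr_xml):
    """Hosts that appeared or vanished, and ports that opened or closed, between two scans."""
    prev, curr = open_ports(prev_xml), open_ports(curr_xml)
    opened = [(a, pr, po, curr[a][(pr, po)]) for a in sorted(curr)
              for (pr, po) in sorted(set(curr[a]) - set(prev.get(a, {})))]
    closed = [(a, pr, po, prev[a][(pr, po)]) for a in sorted(prev)
              for (pr, po) in sorted(set(prev[a]) - set(curr.get(a, {})))]
    return {"new_hosts": sorted(set(curr) - set(prev)),
            "gone_hosts": sorted(set(prev) - set(curr)),
            "opened": opened, "closed": closed}

def summary_lines(diff):
    """Render the diff as the short lines you would put in the mail or Slack message."""
    lines = [f"NEW HOST {h}" for h in diff["new_hosts"]]
    lines += [f"HOST GONE {h}" for h in diff["gone_hosts"]]
    lines += [f"OPENED {a} {pr}/{po} ({svc})" for a, pr, po, svc in diff["opened"]]
    lines += [f"CLOSED {a} {pr}/{po} ({svc})" for a, pr, po, svc in diff["closed"]]
    return lines
```

Run it on the two saved files from the script (scan-prev.xml and the latest scan-<date>.xml) and send the message only when summary_lines() returns something, which mirrors the ndiff exit-code check.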