Comprehensive Guide on Network Reconnaissance using NmapAutomator
NmapAutomator is an automated network scanning tool built on Nmap that integrates several other security tools such as Nikto and GoBuster. It supports multiple scan types (network scan, port scan, vulnerability scan, and so on) and can run unattended in the background, helping security staff complete network reconnaissance tasks efficiently. 2025-5-27 13:50:58 Author: www.blackmoreops.com

When conducting network reconnaissance or penetration testing, efficiency is key. NmapAutomator is a powerful tool that automates and streamlines the process of network scanning, allowing security professionals to focus on actual penetration testing rather than spending time on repetitive scanning tasks. This comprehensive guide on Network Reconnaissance explores what NmapAutomator is, how to set it up, and how to effectively use it for various scanning scenarios. NmapAutomator is a POSIX-compatible shell script designed to automate various types of network scanning tasks. As the name suggests, it’s built on top of the popular Nmap scanning tool but extends its functionality by integrating multiple other security tools like Nikto, GoBuster, and more.

The main goal of this script is to automate the process of enumeration and reconnaissance that is run every time, allowing security professionals to focus their attention on real penetration testing.
NmapAutomator ensures two important benefits:

  • It automates various Nmap scans
  • It allows reconnaissance to always run in the background

This means that once initial ports are found (typically in 5-10 seconds), you can start manually investigating those ports while letting the rest of the scanning run in the background with no further interaction required.

Features of NmapAutomator

NmapAutomator Network Reconnaissance offers various scan types to suit different needs:

  • Network Scan: Shows all live hosts in the target’s network (completes in approximately 15 seconds)
  • Port Scan: Shows all open ports (completes in approximately 15 seconds)
  • Script Scan: Runs a script scan on found ports (takes about 5 minutes)
  • Full Scan: Runs a full range port scan, then conducts a thorough scan on newly discovered ports (takes about 5-10 minutes)
  • UDP Scan: Runs a UDP scan (requires sudo privileges and takes about 5 minutes)
  • Vulnerability Scan: Runs CVE scan and Nmap Vulns scan on all found ports (takes about 5-15 minutes)
  • Recon Scan: Suggests reconnaissance commands and prompts to automatically run them
  • All Scan: Runs all the scan types (takes about 20-30 minutes)

It’s important to note that NmapAutomator is a reconnaissance tool and does not perform any exploitation.
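The staged workflow above (a fast port scan first, then script and full scans restricted to the ports it found) depends on one small step: turning an nmap report into a port list. The POSIX shell snippet below is an added illustration of that step, not code from the article or from nmapAutomator itself; the report text is constructed, and the names extract_open_ports and sample_report are assumptions.

```shell
#!/bin/sh
# Constructed sample report in nmap's normal (-oN) output format.
# This is illustrative data, not the result of a real scan.
sample_report() {
    cat <<'EOF'
# Nmap 7.94 scan initiated as: nmap -Pn -p- -oN Port_10.0.0.5.nmap 10.0.0.5
Nmap scan report for 10.0.0.5
Host is up (0.0012s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
3306/tcp filtered mysql
443/tcp  open     https
# Nmap done -- 1 IP address (1 host up) scanned in 1.23 seconds
EOF
}

# Assumed helper: read an nmap text report on stdin and print the open TCP
# ports as a sorted, comma-separated list suitable for nmap's -p option.
# Only "open" ports are kept; "filtered" and "closed" lines are ignored, and
# only POSIX utilities (grep, cut, sort, tr, sed) are used, so it runs on the
# same minimal shells the article's remote mode targets.
extract_open_ports() {
    grep -E '^[0-9]+/tcp[[:space:]]+open[[:space:]]' \
        | cut -d/ -f1 \
        | sort -n -u \
        | tr '\n' ',' \
        | sed 's/,$//'
}

# Stand-alone demonstration: derive the port list, then show the follow-up
# script scan that would be limited to exactly those ports.
PORTS=$(sample_report | extract_open_ports)
echo "Open ports found in the quick scan: $PORTS"
if [ -n "$PORTS" ]; then
    echo "Follow-up script scan would run: nmap -sCV -p $PORTS 10.0.0.5"
else
    echo "No open TCP ports in the report; nothing to follow up on."
fi
```

On the constructed report the helper yields 22,80,443, so the second stage touches three ports instead of re-scanning the full range.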

Automatic Network Reconnaissance

With the recon option, NmapAutomator automatically recommends and runs the best reconnaissance tools for each discovered port. If a recommended tool is missing from your system, NmapAutomator will suggest how to install it.

Cross-Platform Compatibility

NmapAutomator is 100% POSIX compatible, allowing it to run on any sh shell and any Unix-based machine (even a 10-year-old router). This makes NmapAutomator ideal for lateral movement reconnaissance.
If you want to run NmapAutomator on a remote machine, you can download a static Nmap binary and transfer it to the remote machine. You can then use the -s/--static-nmap option to specify the path to the static Nmap binary.

Remote Mode

NmapAutomator offers a Remote Mode (activated with the -r/--remote flag) designed to run using POSIX shell commands only, without relying on external tools. This mode is still under development, with certain scan types currently supported.

Installing NmapAutomator

Before we can use NmapAutomator, we need to install it and its dependencies.

Prerequisites

NmapAutomator requires certain tools like ffuf, which can be installed with:

sudo apt update
sudo apt install ffuf -y

Alternatively, you can use Gobuster (v3.0 or higher):

sudo apt update
sudo apt install gobuster -y

Other reconnaissance tools used by NmapAutomator include:

  • nmap Vulners
  • sslscan
  • nikto
  • joomscan
  • wpscan
  • droopescan
  • smbmap
  • enum4linux
  • dnsrecon
  • odat
  • smtp-user-enum
  • snmp-check
  • snmpwalk
  • ldapsearch

Most of these tools should be installed by default in Parrot OS and Kali Linux. If any recommended tool is missing, NmapAutomator will automatically omit it and notify the user.

Installation Steps

To install NmapAutomator, run the following commands:

git clone https://github.com/21y4d/nmapAutomator.git
sudo ln -s $(pwd)/nmapAutomator/nmapAutomator.sh /usr/local/bin/

Additional Dependencies for Complete Functionality

To ensure full functionality, especially for the Vulnerability scan mode, you should install additional components:

  1. Install Go:
    • Download Go from https://golang.org/dl/
    • Extract it to /usr/local: tar -C /usr/local -xzf go1.13.6.linux-amd64.tar.gz
    • Export the path: export PATH=$PATH:/usr/local/go/bin
  2. Install GoBuster:
    go get github.com/OJ/gobuster
    
  3. Install Nikto:
    apt install libwhisker2-perl nikto
    
  4. Set up Nmap-Vulners script:
    git clone https://github.com/vulnersCom/nmap-vulners.git
    cp *.nse /usr/share/nmap/scripts
    nmap --script-updatedb
    

Using NmapAutomator

To see all available options, run:

./nmapAutomator.sh -h

This will display the usage information:

Usage: nmapAutomator.sh -H/--host <TARGET-IP> -t/--type <TYPE>
Optional: [-r/--remote <REMOTE MODE>] [-d/--dns <DNS SERVER>] [-o/--output <OUTPUT DIRECTORY>] [-s/--static-nmap <STATIC NMAP PATH>]

Example Commands

Here are some example commands:

./nmapAutomator.sh --host 10.1.1.1 --type All
./nmapAutomator.sh -H 10.1.1.1 -t Basic
./nmapAutomator.sh -H academy.htb -t Recon -d 1.1.1.1
./nmapAutomator.sh -H 10.10.10.10 -t network -s ./nmap

Practical Use Cases

Let’s explore some practical use cases for NmapAutomator.

Use Case 1: Quick Reconnaissance of a Web Server

When you need to quickly check a web server, the Port scan type is ideal:

./nmapAutomator.sh 192.168.1.10 Port

This will identify open ports within seconds, allowing you to immediately start investigating while more detailed scans run in the background.

Use Case 2: Comprehensive Security Assessment

For a thorough security assessment, the All scan type provides comprehensive coverage:

./nmapAutomator.sh 192.168.1.10 All

This will run all available scan types, providing a complete picture of the target’s security posture. The scan takes about 20-30 minutes but delivers extensive results.

Use Case 3: Vulnerability Discovery

When specifically looking for vulnerabilities, use the Vulns scan type:

./nmapAutomator.sh 192.168.1.10 Vulns

This performs a CVE scan and Nmap Vulns scan on all discovered ports, helping identify potential security issues.

Use Case 4: Service Enumeration

For detailed information about services running on a target, use the Script scan type:

./nmapAutomator.sh 192.168.1.10 Script

This runs script scans on discovered ports, providing detailed information about running services.

Use Case 5: Scanning with Limited Permissions

If you’re on a system where you don’t have sudo privileges, you can still run most scan types except UDP:

./nmapAutomator.sh 192.168.1.10 Full

Use Case 6: Remote Scanning

If you need to scan from a remote system with limited tools, use the Remote Mode:

./nmapAutomator.sh -H 192.168.1.10 -t Port -r

This uses POSIX shell commands only, making it suitable for systems with limited tool availability.

Limitations and Considerations

While NmapAutomator is a powerful tool, it’s important to be aware of its limitations:

  1. The tool primarily works with IP addresses rather than domain names directly
  2. Some scan types require sudo privileges
  3. The Remote Mode is still under development with limited functionality
  4. Vulnerability scans may produce false positives
  5. The tool is designed for reconnaissance and does not perform exploitation

Conclusion

NmapAutomator is an excellent tool for security professionals and enthusiasts looking to streamline their reconnaissance process. By automating common scanning tasks, it allows you to focus on analyzing results and actual penetration testing rather than manually running multiple commands. Whether you’re conducting a quick check or a comprehensive security assessment, NmapAutomator provides options to suit your needs. Its POSIX compatibility makes it versatile across different systems, and its integration with other security tools enhances its capabilities beyond basic port scanning. By incorporating NmapAutomator into your security toolkit, you can significantly increase your efficiency and effectiveness in discovering and assessing potential security vulnerabilities.


Article source: https://www.blackmoreops.com/comprehensive-guide-on-network-reconnaissance-using-nmapautomator/