Nmap displays results based on the responses it receives from the remote hosts. The more hosts that are scanned, the more complex the results printed on the screen become. Analyzing these results when they are printed in a terminal or Command Prompt becomes impossible as the number of hosts increases. To solve this problem, Nmap supports various reporting formats that can be used as per the user's requirements. One of the simplest ways to store Nmap's output is to use the >> redirection operator followed by a text file name such as output.txt. This will make the shell append everything Nmap prints to that text file. Even a plain text file becomes a nightmare to analyze for 10+ hosts. Nmap also produces a lot of verbose and debug information along with a port scan, which can complicate this process even more, and OS detection and fingerprinting add a lot more noise to this data.
The following command is used to run a SYN scan on the IP address 192.168.75.128 and append the displayed output to the output.txt file. This file can be found in the C:\Users\admin folder since Command Prompt is running in the same folder. Furthermore, you can store this file anywhere by giving the absolute path of the file in double quotes:
nmap -sS -Pn 192.168.65.128 >> output.txt
Let's see how the result can be copied to a text file by going through the following screenshots:
Navigate to the Nmap installation folder and locate the output.txt file:
You can open this file using any text editor. I personally recommend Notepad++ as it allows you to perform complex analysis on text files and displays them in a segregated manner:
Nmap allows a user to define the output format using command-line flags. The following list explains the different output flags that Nmap accepts:
- Interactive output: This is the type of output that is directly displayed in terminal or Command Prompt. This does not require any special Command Prompt argument or flag as this is the basic and default output format. This result is not stored or saved in any location; one can only access this output as long as Command Prompt or Terminal is not closed.
- Normal output (-oN): This option saves the interactive output into a file chosen by the user. This reporting option further trims down the output by omitting unnecessary verbose data from the interactive scan output, depending on the level of verbosity chosen by the user. This gives the user a better look at the port scan results by omitting data that is not required. If a user needs performance data such as scan time and alerts, this is not the right format to choose. Furthermore, you can specify the folder location by giving the absolute path or by launching Command Prompt with the same location as its working directory.
- XML output (-oX): This type of output is required to upload Nmap data to various tools and websites. Once this format is uploaded to a tool, it is processed by a parser that understands the various elements in the output and segregates the data accordingly. Many open source XML parsers are available, custom-built by various tool OEMs.
- Grepable output (-oG): This format allows users to perform simple operations such as grep, awk, cut, and diff on the output that's generated. The format follows a structure of creating a single-line output for every host with appropriate delimiters so that the user can use simple existing tools in the OS to separate and analyse the results. The Notepad++ utility is one such example that allows delimiter-based separation, which can be used to create a more meaningful report.
- Script kiddie (-oS): This format prints the interactive output in the "script kiddie" leet-speak style; it is a joke format and is not meant for analysis.
- Save in all formats (-oA): This flag allows the user to generate output in the three formats mentioned previously (-oN, -oX, and -oG). Instead of performing three different scans to obtain the different output formats, one can simply use this flag to obtain all three output formats and save them to files at the provided base name and location.
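To show what the grepable (-oG) format described above looks like when processed with "simple existing tools", here is an added example (not from the original page or from the Nmap project) that parses -oG lines and then diffs two scans to list ports that are newly open. The two scan texts are constructed samples written in the -oG layout (tab-separated fields, each port entry being port/state/protocol/owner/service/rpc info/version); the host address is the page's own 192.168.75.128.

```python
"""Parse Nmap grepable (-oG) output and diff two scans for newly opened ports."""
from typing import Dict, List, Tuple

# Constructed -oG samples (not captured from a real host). One tab-separated
# line per host; the 'Status: Up' line carries no port data.
BASELINE = (
    "# Nmap 7.80 scan initiated (constructed sample)\n"
    "Host: 192.168.75.128 ()\tStatus: Up\n"
    "Host: 192.168.75.128 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/closed/tcp//https///\tIgnored State: filtered (997)\n"
    "# Nmap done (constructed sample)\n"
)
CURRENT = (
    "# Nmap 7.80 scan initiated (constructed sample)\n"
    "Host: 192.168.75.128 ()\tStatus: Up\n"
    "Host: 192.168.75.128 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (997)\n"
    "# Nmap done (constructed sample)\n"
)

Port = Tuple[int, str, str]  # (port number, protocol, service name)


def parse_grepable(text: str) -> Dict[str, List[Port]]:
    """Return {host: [(port, proto, service), ...]} for ports reported open."""
    hosts: Dict[str, List[Port]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '#' header/footer comment lines carry no host data
        # Each tab-separated field is 'Label: value'.
        fields = dict(f.split(": ", 1) for f in line.split("\t"))
        host = fields["Host"].split()[0]  # drop the '(hostname)' part
        hosts.setdefault(host, [])
        for entry in fields.get("Ports", "").split(", "):
            if not entry:
                continue
            parts = entry.split("/")  # port/state/proto/owner/service/rpc/version/
            if parts[1] == "open":
                hosts[host].append((int(parts[0]), parts[2], parts[4]))
    return hosts


def new_open_ports(baseline: str, current: str) -> Dict[str, List[Port]]:
    """Ports open now that were not open in the baseline: what a defender reviews."""
    old, new = parse_grepable(baseline), parse_grepable(current)
    diff: Dict[str, List[Port]] = {}
    for host, ports in new.items():
        added = sorted(set(ports) - set(old.get(host, [])))
        if added:
            diff[host] = added
    return diff


if __name__ == "__main__":
    print(new_open_ports(BASELINE, CURRENT))
```

The same parse-then-compare approach works on real -oG files saved with -oG or -oA; only the sample strings here are constructed.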
Nmap also provides various other details as part of the scan results, some of which can be controlled by the verbosity options that are available. The following are the few extra pieces of data that are produced by the verbose option:
- Scan completion time estimates: Nmap also provides performance data such as the estimated scan completion time in minutes and seconds, which lets the user understand how long Nmap takes to perform the scan. Nmap updates the user at intervals on the time elapsed and the task being performed, along with the percentage of completion. This allows the user to monitor scans of larger networks and tune the scan's execution time when needed.
- Open ports: In a normal scan without verbose enabled, all of the open ports are displayed at the end of the scans. Instead, if verbose is enabled, each open port is displayed as soon as it is detected.
- Additional warnings: Nmap also displays any warnings or errors that have occurred during the scan, such as a port scan taking longer than expected or any other variance from the scan's normal behavior. This allows the user to check for network restrictions and act accordingly.
- OS detection information: OS detection in Nmap is performed using signature matching based on TCP ISN and IP ID prediction. If verbose is enabled and the OS detection option is selected, Nmap displays its OS prediction for each host.
- Host status: Nmap also prints the status of the host as detected during runtime, stating whether the host is live or dead:
Some of the options that can be used along with the verbose ones to control the data displayed in the output are as follows:
- Debug output: Debug mode is an additional flag provided by Nmap to give the user further data for understanding the port scanning process at the packet level. It is enabled by adding -d to the verbose syntax. Furthermore, you can set the debug level you want, which ranges up to 9, by adding -d9 instead. This is the highest level of debugging and provides a lot of technical data about the port scan being performed:
- Packet trace: This option lets the user obtain a trace of each packet that Nmap sends, giving a detailed understanding of the scan. It is configured by adding --packet-trace to the verbose syntax: