Registrations to Open-AudIT forums are now closed. To ask any new questions please visit Opmantek Community Questions.

Open-AudIT

What's on your network?
It is currently Tue Sep 29, 2020 5:09 pm

All times are UTC + 10 hours




Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 7 posts ] 
Author Message
PostPosted: Tue Jan 19, 2010 9:56 am 
Offline
Newbie

Joined: Tue Jan 19, 2010 9:49 am
Posts: 10
I am trying to use Open-AudIT on a large enterprise network and it seems like it will accomplish much of what I would like it to accomplish.

When I run nmap_linux.sh from a central machine no data is added to Open-AudIT. Is this to be expected? If so why? I want to do daily scans of each subnet but do not want to run NMAP at each location if possible. I understand a NMAP scan will only provide limited data on the remote network but it is helpful to see new open ports or ip addresses.

I hope this has not been posted previously but I tried to search and saw some similar but did not find an answer to my particular problem.

Thanks in advance.

Doug


Top
 Profile  
Reply with quote  
PostPosted: Tue Jan 19, 2010 7:46 pm 
Offline
Moderator
User avatar

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
NMAP may or may not produce results, depending on a raft of other factors, (see the NMAP FAQ in the FAQs section). You may need to grit your teeth and just install a copy of nmap on each subnet, but take a look at the FAQ first it might shed some light on the issue.

_________________
Andrew

OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory


Top
 Profile  
Reply with quote  
PostPosted: Tue Jan 19, 2010 11:39 pm 
Offline
Newbie

Joined: Tue Jan 19, 2010 9:49 am
Posts: 10
Could you point me to the NMAP FAQ? I see 15 topics under FAQ in the forums and none of them have a title that includes NMAP??

When I run the NMAP script to a remote subnet it collects data it just never shows up on the website. It almost seems like the PHP post script isn't accepting the data because it does not include MAC or something else?

Doug


Top
 Profile  
Reply with quote  
PostPosted: Sat Jan 23, 2010 8:51 am 
Offline
Newbie

Joined: Tue Jan 19, 2010 9:49 am
Posts: 10
Can you point me to the NAMP FAQ's can't seem to find them and a search for nmap returns nothing due to 'too many results'.

help???

Doug


Top
 Profile  
Reply with quote  
PostPosted: Sat Jan 23, 2010 9:21 pm 
Offline
Moderator
User avatar

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
You are quite correct there is no NMAP FAQ :oops: There is a lot of information in the support forum however, but I do need to add an up to date FAQ. Will get on to that early next week, time permitting.

Meanwhile, a brief synopsis.

Nmap probes for open ports on network attached devices. It uses various methods to do this, as most firewalls will spot a simple scan, and put their shields up. So NMAP uses "...softly softly" tactics to ensure the machines will report the maximum information. (See the nmap site for how this works)

You need a copy of NMAP installed on your machine, either in the scripts folder, or somewhere in your PATH, Alternatively, edit the nmap script, and point it to your nmap executable.

Once this is done, you should be able to run the script.

If you want to glean the maximum information about devices, such as guessing the OS and manufacturer, this relies on examining the MAC address of the device, and this information is only available on the local subnet (a limitation of TCP/IP and ethernet, not NMAP) This is why you need to scan from a machine attached to the same subnet as the device. MAC info doesn't get passed between routers, only IP info.

You can run from one subnet to another, but your results will be limited.

_________________
Andrew

OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory


Top
 Profile  
Reply with quote  
PostPosted: Sat Jan 23, 2010 10:21 pm 
Offline
Newbie

Joined: Tue Jan 19, 2010 9:49 am
Posts: 10
I understand that there would be less less information, mac address for example will be missing, when scanning a remote subnet. But NO data is put into the OA system from the remote site. It seems since there is no MAC it does not post??? NMAP returns a good bit of data from the remote subnets as I have used NMAP long before I started using OA and find the info very useful for my audits and would like it inserted into the OA database, actually it might be in the DB but I don't see it in OA???

Doug


Top
 Profile  
Reply with quote  
PostPosted: Sun Jan 24, 2010 11:33 am 
Offline
Moderator
User avatar

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
I must admit, I haven't tried to use NMAP between subnets, as I have a box available at each site which will NMAP for me and provides the results. :? It may be the case that OA requires the mac address to allow it to enter data in to the database.

If, as I suspect, nmap.sh is using the mac address as the unique identifier for the items discovered, (although I haven't verified this) and therefore if the script doesn't return a mac address, or if the address returned is blank, then all of the data will be written to the same record (the one with the blank mac address). This would be consistent with your result, NMAP appears to work, but the data doesn't show up in the database. This leaves you with a problem (not an insurmountable one, but a problem none the less). If I am right, then the script needs to be altered to invent a mac address (say one based on a repeated pattern of the bytes of the IP address, converted to HEX for example) for any case where there is no mac address. You will still be unable to obtain some of the information you would see using a local scan, but at least you will see something.

...or you could run the nmap script from the remote subnet :twisted:

_________________
Andrew

OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 7 posts ] 

All times are UTC + 10 hours


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
cron
Powered by phpBB® Forum Software © phpBB Group