Detecting changes to your network services/daemons

This is a tutorial on detecting changes to the open ports and services of hosts on your network.
The basic approach is to ping every address on your subnet and see which ones are up by looking for replies.

If you install the package libperl-net-ping you can use the following script to see which hosts on your LAN are alive:

#!/usr/bin/perl -w
#
#  Print the address of every host on the LAN which answers a ping.
#
use strict;
use Net::Ping;

my $LAN = "192.168.1.";

#  Net::Ping's default "tcp" mode connects to the echo port (7), which
#  almost nothing listens on, so use ICMP echo with a 1 second timeout.
#  ICMP mode needs a raw socket, so the script must be run as root.
my $pinger = Net::Ping->new( "icmp", 1 );

#  .0 is the network address and .255 the broadcast address of a /24,
#  so only probe 1 to 254.
foreach my $octet ( 1 .. 254 )
{
	if ( $pinger->ping( $LAN . $octet ) )
	{
		print $LAN . $octet . "\n";
	}
}
$pinger->close();

Save the script as /usr/local/bin/scan-lan and make sure it’s executable by running chmod 755 /usr/local/bin/scan-lan.

This would give you a list of IP addresses which might look like the following:

192.168.1.1
192.168.1.2
192.168.1.10
192.168.1.50
192.168.1.90

With a list of live hosts like that you can now start scanning them for services.

To detect changes to our network we first record all the services on the machines in our LAN, then later rescan and report anything different.

Using scan-lan and nmap we can create a file for each machine that's up, containing its open services.

Save this script as /usr/local/bin/make-baseline, and make it executable with “chmod 755 /usr/local/bin/make-baseline”:

#!/bin/sh
#
#  Record the open services of every live host as the baseline,
#  one file per host in /var/log/scans.
#
mkdir -p /var/log/scans

for i in `/usr/local/bin/scan-lan` ; do
    nmap -sV $i | grep ' open ' > /var/log/scans/$i.base
done

This is our baseline scan. With this in hand we have a list of all the hosts on the LAN which are currently up, and the services they are running.

Now we just need to write another script to compare the current state with the one we recorded in our baseline and notify us of any changes.

The following script can do that job for us, save it as /usr/local/bin/scan-services:

#!/bin/sh
#
#  Compare the current services on each live host with the baseline
#  recorded by make-baseline, and report anything added or removed.
#

if [ ! -d /var/log/scans ]; then
   echo "Baseline directory isn't present - run make-baseline first"
   exit 1
fi

#
#  Scan all the machines
#
for i in `/usr/local/bin/scan-lan` ; do
    nmap -sV $i | grep ' open ' > /var/log/scans/$i.log
done

#
# Cleanup (-f so a missing file from an earlier run isn't an error)
#
rm -f /var/log/scans/*-added.txt
rm -f /var/log/scans/*-removed.txt
cd /var/log/scans/

#
# Find new and removed.  The baseline is the first argument to diff,
# so lines only in the current scan are marked "+ " (added) and lines
# only in the baseline are marked "- " (removed).  A host which is up
# now but had no baseline file gets an empty one, so all of its
# services are reported as added.  A line which merely changed (e.g.
# a new version string) is marked "! " by diff and is not reported.
# basename is used instead of ${i/.log/} because the latter is a bash
# extension and /bin/sh on Debian is dash.
#
for i in /var/log/scans/*.log; do
  host=`basename $i .log`
  [ -f $host.base ] || touch $host.base
  diff --context $host.base $i | grep '^+ ' > $host-added.txt
  diff --context $host.base $i | grep '^- ' > $host-removed.txt
done

#
#  Now show the results
#
for i in /var/log/scans/*-added.txt; do
    if [ -s $i ]; then
      echo " "
      echo "The machine `basename $i -added.txt` has had the following services added:"
      cat $i
      echo " "
    fi
done

for i in /var/log/scans/*-removed.txt; do
    if [ -s $i ]; then
      echo " "
      echo "The machine `basename $i -removed.txt` has had the following services removed:"
      cat $i
      echo " "
    fi
done

If you make this executable and run it you should see no output, as your network hasn't changed in the past few minutes.

Delete a line or two from one or more of the .base files in the /var/log/scans directory and run it again.

This time you should see output like this:

The machine 192.168.1.1 has had the following services added:
+ 8889/tcp open  http        GNUMP3d streaming server 2.9

The machine 127.0.0.1 has had the following services removed:
- 19/tcp   open  discard?
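Grepping the output of diff, as scan-services does, reports a service whose version string changed either in both lists or not at all. The following Python script is an added example (not part of the tutorial's own scripts) which parses the open-port lines that make-baseline and scan-services write and classifies each port as added, removed or changed; the two sample scans inside it are constructed, and the line format assumed is the one nmap -sV prints (port/proto, state, service name, optional version text).

```python
#!/usr/bin/env python3
"""Compare a baseline nmap service list with a fresh scan of the same host."""
import re

# One nmap -sV open-port line: "port/proto  open  service  [version text]".
LINE_RE = re.compile(r"^(\d+/\w+)\s+open\s+(\S+)\s*(.*)$")


def parse_services(text):
    """Map 'port/proto' -> 'service version' for every open-port line.

    Header and blank lines don't match, so this accepts the grep'd
    .base/.log files from the tutorial as well as raw nmap output.
    """
    services = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            port, name, version = m.groups()
            services[port] = (name + " " + version).strip()
    return services


def diff_services(baseline_text, current_text):
    """Classify each port as added, removed or changed between two scans."""
    base = parse_services(baseline_text)
    cur = parse_services(current_text)
    return {
        "added": {p: cur[p] for p in cur if p not in base},
        "removed": {p: base[p] for p in base if p not in cur},
        "changed": {p: (base[p], cur[p]) for p in base
                    if p in cur and base[p] != cur[p]},
    }


# Constructed sample scans of one host (not output from the tutorial's LAN).
BASELINE = """\
22/tcp   open  ssh         OpenSSH 5.3p1 Debian 3 (protocol 2.0)
19/tcp   open  discard?
80/tcp   open  http        Apache httpd 2.2.16
"""
CURRENT = """\
22/tcp   open  ssh         OpenSSH 5.5p1 Debian 6 (protocol 2.0)
80/tcp   open  http        Apache httpd 2.2.16
8889/tcp open  http        GNUMP3d streaming server 2.9
"""

if __name__ == "__main__":
    for kind, entries in diff_services(BASELINE, CURRENT).items():
        for port, detail in sorted(entries.items()):
            print(kind + ":", port, detail)
```

Reading BASELINE and CURRENT from a host's .base and .log file instead of the embedded strings turns this into a drop-in replacement for the diff/grep loop.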