NMAP - Banner Check

Sub-playbook that performs an Nmap scan and compares the results against a regular expression to determine a match. This could be used to look for OpenSSH versions or other OS information found in the banner.

Nmap · 11 tasks · 4 inputs · 3 outputs

Inputs

  • RemoteIP — Remote IP address in an incident/alert.
  • RemotePort — Remote port number in an incident/alert.
  • Regex — Regular expression to compare against the banner for a match.
  • NMAPOptions — Options to be used for Nmap scan. (We do "--script=banner -p<RemotePort>" by default and recommend using "-Pn" to skip a ping check.)

Outputs

  • ScanResult — The result of the scan (if done).
  • ScanDone — Whether a scan was actually performed (based on subtypes).
  • NMAP.Scan — NMAP scan data

Commands used

nmap-scan

Flowchart

yes yes yes Start Start NMAP banner scan - nmap-scan NMAP banner scan nmap-scan No scan done No scan done Complete Complete Is NMAP enabled? Is NMAP enabled? Scan done Scan done Closed scan result Closed scan result Open scan result Open scan result Undetermined scan result Undetermined scan result Is there banner in output? Is there banner in output? Does banner match regex? Does banner match regex?