Home
Sandmap is a tool supporting network and system reconnaissance using the massive Nmap engine. It provides a user-friendly interface, automates and speeds up scanning and allows you to easily use many advanced scanning techniques.
- simple CLI with the ability to run pure Nmap engine
- predefined scans included in the modules
- support Nmap Scripting Engine (NSE)
- TOR support (with proxychains)
- multiple scans at one time
- at this point: 31 modules with 459 scan profiles
Sandmap provides a simple and intuitive CLI that supports the entire reconnaissance process using the built-in Nmap options.
The command line consists of two levels:
- cli(main)> - the main level, by means of which we can set and display session parameters, display information about modules, obtain a list of profiles in a given module, enable a given module and manipulate a temporary command stack.
- cli(module_name)> - the level of the module, which provides many of the commands available in the main menu. The main differences are the ability to run scan profiles and add them to the temporary stack of commands, as well as displaying the description of each profile.
A standard command displaying help.
If you are in the space of the module, you can display its help using this command. If you provide an argument that is the name of the NSE module, its help will be displayed (using nmap --script-help=<nse_module_name>).
cli(main)> help
Main Commands
-------------
help <module> show cli help or module help
list show available modules
show <module [key]> show info about modules and profiles
config <key>|<module [key]> show global or module configuration
set <key>|<module [key]> set global or module variable value
use <module> use module (changed env)
pushd init|show|flush command line commands stack
search <key> search key in all commands
reload <modules|config> reload all modules cache or configuration
banner show banner
nmap <nmap_params> clear nmap command
Options:
<module> module name
<key> key value
Module Commands
---------------
help <module> display module or NSE help
show <key> display module or profile info
config <key> show module configuration
set <key> set module variable value
use <module> reuse module (changed env)
pushd <key>|init|show|flush command line commands stack (experimental)
search <key> search key in all commands
Examples
--------
show sample show 'sample' module info
config terminal show 'terminal' key value
use sample use 'sample' module
search http search 'http' in all commands
This command displays all available modules along with the number of profiles and a short description.
cli(main)> list
Module Profiles Description
------ -------- -----------
awesome 3 Awesome Nmap predefined commands module
host_discovery 12 Nmap Host Discovery module
nse_broadcast 19 NSE Broadcast Module
nse_citrix 5 NSE Citrix Service Module
nse_databases 31 NSE Databases Service Module
nse_dns-dhcp 27 NSE DNS and DHCP Module
nse_external 6 NSE External scripts (eg. from github)
nse_ftp 9 NSE FTP Service Module
nse_hadoop 7 NSE Hadoop Services Module
nse_http-cve 22 NSE HTTP Vulnerability CVE Module
nse_http-protocol 50 NSE HTTP Protocol Module
nse_http-services 28 NSE HTTP Services Module
nse_mail 15 NSE Mail Services Module
nse_oracle 6 NSE Oracle Services Module
nse_other-auth 3 NSE Other Auth Module
nse_other-discovery 3 NSE Other Discovery Module
nse_other-network 38 NSE Other Network Module
nse_other-services 54 NSE Other Services Module
nse_other-version 1 NSE Other Version Module
nse_remote-access 16 NSE Remote Access Module
nse_smb 23 NSE SMB Protocol Module
nse_smb-vuln 11 NSE SMB Protocol Vulnerability Module
nse_snmp 12 NSE SNMP Protocol Module
nse_socks 3 NSE SOCKS Module
nse_ssl 16 NSE SSL Protocol Module
nse_vuln-scanners 7 NSE Vulnerability Scanners Module
nse_whois 2 NSE Whois Database Module
os_detection 4 Nmap OS Detection module
port_scan 11 Nmap Port Scan types module
service_detection 5 Service and Version Detection module
zenmap 10 Zenmap module
All Modules: 31
All Profiles: 459
This option shows information about a module or a module profile: the identifier and profile alias, which we can use to determine the scanning technique and the parameters used by the profile. In addition, this command allows you to display information about a specific profile.
The parameters of this option are the name of the module and the name of the profile.
cli(main)> show host_discovery
ID Alias Nmap Parameters
-- ----- ---------------
0 list_scan -sL
1 no_port_scan -sn
2 no_ping -Pn
3 tcp_syn_ping -PS -p
4 tcp_ack_ping -PA -p 80
5 udp_ping -PU -p 80
6 sctp_init_ping -PY -p 80
7 arp_ping -PR
8 icmp_ping-1 -PE
9 icmp_ping-2 -PP
10 icmp_ping-3 -PM
cli(main)> show nse_vuln ssl-dh-params
ID Alias Nmap Parameters
-- ----- ---------------
104 ssl-dh-params --script ssl-dh-params
Description:
https://nmap.org/nsedoc/scripts/ssl-dh-params.html
The config command displays information about session variables. With their help, we can define the purpose or objectives of the scan, enable the transmission of traffic through the TOR network, set the type of output and specify additional parameters.
This option can be called without parameters or with the name of a session variable. The initial values of variables are specified in the file etc/main.cfg.
cli(main)> config
Description: Destination
Examples: '127.0.0.1,example.com'
{ "dest":"127.0.0.1" }
Description: Nmap Parameters
Examples: '--script ssl-ccs-injection -p 443'
{ "params":"" }
Description: Report type
Examples: 'nmap|xml|grep'
{ "report":"" }
Description: Pass through TOR
Examples: 'true|false'
{ "tor":"" }
Description: Terminal type
Examples: 'internal|external'
{ "terminal":"internal" }
With config we display the values of session variables, and we use the set command to specify their new values.
The parameters of this command are the name of the variable and the new value. Specifying an empty value resets the value of the variable.
cli(main)> set dest 192.168.252.1
cli(main)> config dest
Description: Destination
Examples: '127.0.0.1,example.com'
{ "dest":"192.168.252.1" }
Activates the given module and goes to its space.
The parameter of this option is the module name.
cli(main)> use nse_mail
cli(nse_mail)>
This command provides a local stack for storing multiple commands that can be used with one scan.
The parameters of this option are the profile alias or identifier. Additionally, you can display the contents of the stack (show), reset its contents (flush) or initiate a scan (init).
cli(zenmap_scan)> pushd ping_scan
cli(zenmap_scan)> pushd show
pushd: -sn
cli(zenmap_scan)> main
cli(main)> pushd init
terminal:
> internal
command:
> nmap -sn 127.0.0.1
Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-27 07:25 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up.
Nmap done: 1 IP address (1 host up) scanned in 0.00 seconds
Result: pass
cli(main)> pushd flush
stdout: pushd flushed
cli(main)> pushd show
stdout: pushd empty
Allows you to search for profiles in the database.
The parameter of this command is the string of characters in the profile name.
cli(main)> search rsa-vuln
Module Alias Nmap Parameters
------ ----- ---------------
nse_ssl rsa-vuln-roca --script rsa-vuln-roca
This option allows you to reload the configuration and modules.
The parameters of this command are config or modules.
cli(main)> config terminal
Description: Terminal type
Examples: 'internal|external'
{ "terminal":"internal" }
cli(main)> set terminal external
cli(main)> config terminal
Description: Terminal type
Examples: 'internal|external'
{ "terminal":"external" }
cli(main)> reload config
stdout: config reloaded
cli(main)> config terminal
Description: Terminal type
Examples: 'internal|external'
{ "terminal":"internal" }
This option is available only from the level of a given module. If you want to use scan with multiple profiles, use the pushd mechanism at the same time.
The parameters of this option are the profile alias or identifier.
cli(zenmap)> init 4
terminal:
> internal
command:
> nmap -sn 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org ) at 2018-04-07 11:14 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up.
Nmap done: 1 IP address (1 host up) scanned in 0.00 seconds
Result: pass
In addition (since version v1.2.0), the --args parameter accepts the arguments of the script (only for NSE).
cli(nse_broadcast)> show 13
ID Alias Nmap Parameters
-- ----- ---------------
13 broadcast-ping --script=broadcast-ping
Script arguments:
broadcast-ping.timeout = '3s'
broadcast-ping.num_probes = '1'
broadcast-ping.interface = ''
Description:
https://nmap.org/nsedoc/scripts/broadcast-ping.html
cli(nse_broadcast)> init 13 --args
broadcast-ping.timeout: 1s
broadcast-ping.num_probes: 5
broadcast-ping.interface:
terminal:
> internal
command:
> nmap --script=broadcast-ping --script-args broadcast-ping.timeout=1s,broadcast-ping.num_probes=5 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-19 14:13 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000010s latency).
Not shown: 988 closed ports
PORT STATE SERVICE
53/tcp open domain
5432/tcp open postgresql
5900/tcp open vnc
5901/tcp open vnc-1
8000/tcp open http-alt
8001/tcp open vcom-tunnel
8002/tcp open teradataordbms
9000/tcp open cslistener
9001/tcp open tor-orport
9002/tcp open dynamid
9003/tcp open unknown
9900/tcp open iua
Nmap done: 1 IP address (1 host up) scanned in 2.53 seconds
Result: pass
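The session above turns the answered prompts into a single --script-args string and leaves out the blank broadcast-ping.interface. The following is an added example, not Sandmap's own code, showing one way to compose such a command while rejecting values that would be parsed as extra arguments or options. The function names are hypothetical, and splitting a comma-separated dest into several targets is an assumption.

```shell
#!/bin/sh
# Added example, not Sandmap's own code; function names are hypothetical.

# join_script_args KEY=VALUE... prints "k=v,k=v" for nmap --script-args.
join_script_args() {
  out=""
  for pair in "$@"; do
    case "$pair" in ?*=*) ;; *) echo "rejected: $pair" >&2; return 1 ;; esac
    key=${pair%%=*}
    val=${pair#*=}
    # A prompt left blank (broadcast-ping.interface above) adds nothing.
    [ -n "$val" ] || continue
    # nmap splits --script-args on commas, so a comma, space or quote in a
    # value would smuggle in another argument or option: allow-list instead.
    case "$key$val" in
      *[!A-Za-z0-9._:/-]*) echo "rejected: $pair" >&2; return 1 ;;
    esac
    out="${out:+$out,}$key=$val"
  done
  printf '%s' "$out"
}

# build_nmap_cmd PARAMS DEST [KEY=VALUE...] prints the full command line.
# PARAMS is the profile's "Nmap Parameters" column, DEST the session's dest.
build_nmap_cmd() {
  params=$1 dest=$2
  shift 2
  args=$(join_script_args "$@") || return 1
  # Only host, address and CIDR characters; this also excludes glob characters.
  case "$dest" in
    ''|*[!A-Za-z0-9.:/_,-]*) echo "rejected dest: $dest" >&2; return 1 ;;
  esac
  old_ifs=$IFS; IFS=,
  set -- $dest          # assumption: a comma-separated dest means several targets
  IFS=$old_ifs
  targets=""
  for t in "$@"; do
    # A target starting with "-" would be read by nmap as an option.
    case "$t" in ''|-*) echo "rejected target: $t" >&2; return 1 ;; esac
    targets="${targets:+$targets }$t"
  done
  printf 'nmap %s%s %s\n' "$params" "${args:+ --script-args $args}" "$targets"
}

# Values taken from the "init 13 --args" session above.
build_nmap_cmd '--script=broadcast-ping' '127.0.0.1' \
  'broadcast-ping.timeout=1s' 'broadcast-ping.num_probes=5' \
  'broadcast-ping.interface='
```

With no script arguments, `build_nmap_cmd '-sn' '127.0.0.1'` yields the `nmap -sn 127.0.0.1` command shown in the pushd session.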