NDIFF(1)                         User Commands                        NDIFF(1)


NAME

       ndiff - Utility to compare the results of Nmap scans

SYNOPSIS

       ndiff [options] {a.xml} {b.xml}

DESCRIPTION

       Ndiff is a tool to aid in the comparison of Nmap scans. It takes two
       Nmap XML output files and prints the differences between them. The
       differences observed are:

       ·   Host states (e.g. up to down)

       ·   Port states (e.g. open to closed)

       ·   Service versions (from -sV)

       ·   OS matches (from -O)

       ·   Script output

       Ndiff, like the standard diff utility, compares two scans at a time.

OPTIONS SUMMARY

       -h, --help
           Show a help message and exit.

       -v, --verbose
           Include all hosts and ports in the output, not only those that have
           changed.

       --text
           Write output in human-readable text format.

       --xml
           Write output in machine-readable XML format. The document structure
           is defined in the file ndiff.dtd included in the distribution.

       Any other arguments are taken to be the names of Nmap XML output files.
       There must be exactly two.

EXAMPLE

       Let's use Ndiff to compare the output of two Nmap scans that use
       different options. In the first, we'll do a fast scan (-F), which scans
       fewer ports for speed. In the second, we'll scan the larger default set
       of ports, and run an NSE script.

           # nmap -F scanme.nmap.org -oX scanme-1.xml
           # nmap --script=html-title scanme.nmap.org -oX scanme-2.xml
           $ ndiff -v scanme-1.xml scanme-2.xml
           -Nmap 4.90RC2 at 2009-07-16 13:29
           +Nmap 4.90RC2 at 2009-07-16 13:33

            scanme.nmap.org (64.13.134.52):
            Host is up.
           -Not shown: 95 filtered ports
           +Not shown: 993 filtered ports
            PORT      STATE  SERVICE VERSION
            22/tcp    open   ssh
            25/tcp    closed smtp
            53/tcp    open   domain
           +70/tcp    closed gopher
            80/tcp    open   http
           +|_ html-title: Go ahead and ScanMe!
            113/tcp   closed auth
           +31337/tcp closed Elite

       Changes are marked by a - or + at the beginning of a line. We can see
       from the output that the scan without the -F fast scan option found two
       additional ports: 70 and 31337. Both are closed; they appear because
       the default scan covers more ports than -F does, not because anything
       changed on the host. When comparing scans for real changes, run both
       with the same options. The html-title.nse script produced some
       additional output for port 80. From the port counts, we may infer that
       the fast scan scanned 100 ports (95 filtered, 3 open, and 2 closed),
       while the normal scan scanned 1000 (993 filtered, 3 open, and 4
       closed).

       The -v (or --verbose) option to Ndiff made it show even the ports that
       didn't change, like 22 and 25. Without -v, they would not have been
       shown.

OUTPUT

       There are two output modes: text and XML. Text output is the default,
       and is also selected with the --text option. Text output resembles a
       unified diff of Nmap's normal terminal output. Each line is preceded by
       a character indicating whether and how it changed. - means that the
       line was in the first scan but not in the second; + means it was in the
       second but not the first. A line that changed is represented by a -
       line followed by a + line. Lines that did not change are preceded by a
       blank space.

       Example 1, “Ndiff text output” is an example of text output. Here, port
       80 on the host photos-cache-snc1.facebook.com gained a service version
       (lighttpd 1.5.0). The host at 69.63.179.25 changed its reverse DNS
       name. The host at 69.63.184.145 was completely absent in the first scan
       but came up in the second.

       Example 1. Ndiff text output

           -Nmap 4.85BETA3 at 2009-03-15 11:00
           +Nmap 4.85BETA4 at 2009-03-18 11:00

            photos-cache-snc1.facebook.com (69.63.178.41):
            Host is up.
            Not shown: 99 filtered ports
            PORT   STATE SERVICE VERSION
           -80/tcp open  http
           +80/tcp open  http    lighttpd 1.5.0

           -cm.out.snc1.tfbnw.net (69.63.179.25):
           +mailout-snc1.facebook.com (69.63.179.25):
            Host is up.
            Not shown: 100 filtered ports

           +69.63.184.145:
           +Host is up.
           +Not shown: 98 filtered ports
           +PORT    STATE SERVICE  VERSION
           +80/tcp  open  http     Apache httpd 1.3.41.fb1
           +443/tcp open  ssl/http Apache httpd 1.3.41.fb1

       XML output, intended to be processed by other programs, is selected
       with the --xml option. It is based on Nmap's XML output, with a few
       additional elements to indicate differences. The XML document is
       enclosed in nmapdiff and scandiff elements. Host differences are
       enclosed in hostdiff tags and port differences are enclosed in portdiff
       tags. Inside a hostdiff or portdiff, a and b tags show the state of the
       host or port in the first scan (a) or the second scan (b).

       Example 2, “Ndiff XML output” shows the XML diff of the same scans
       shown above in Example 1. Notice how port 80 of
       photos-cache-snc1.facebook.com is enclosed in portdiff tags. For
       69.63.179.25, the old hostname is in a tags and the new is in b. For
       the new host 69.63.184.145, there is a b in the hostdiff without a
       corresponding a, indicating that there was no information for the host
       in the first scan.

       Example 2. Ndiff XML output

           <?xml version="1.0" encoding="UTF-8"?>
           <nmapdiff version="1">
             <scandiff>
               <hostdiff>
                 <host>
                   <status state="up"/>
                   <address addr="69.63.178.41" addrtype="ipv4"/>
                   <hostnames>
                     <hostname name="photos-cache-snc1.facebook.com"/>
                   </hostnames>
                   <ports>
                     <extraports count="99" state="filtered"/>
                     <portdiff>
                       <port portid="80" protocol="tcp">
                         <state state="open"/>
                         <a>
                           <service name="http"/>
                         </a>
                         <b>
                           <service name="http" product="lighttpd" version="1.5.0"/>
                         </b>
                       </port>
                     </portdiff>
                   </ports>
                 </host>
               </hostdiff>
               <hostdiff>
                 <host>
                   <status state="up"/>
                   <address addr="69.63.179.25" addrtype="ipv4"/>
                   <hostnames>
                     <a>
                       <hostname name="cm.out.snc1.tfbnw.net"/>
                     </a>
                     <b>
                       <hostname name="mailout-snc1.facebook.com"/>
                     </b>
                   </hostnames>
                   <ports>
                     <extraports count="100" state="filtered"/>
                   </ports>
                 </host>
               </hostdiff>
               <hostdiff>
                 <b>
                   <host>
                     <status state="up"/>
                     <address addr="69.63.184.145" addrtype="ipv4"/>
                     <ports>
                       <extraports count="98" state="filtered"/>
                       <port portid="80" protocol="tcp">
                         <state state="open"/>
                         <service name="http" product="Apache httpd" version="1.3.41.fb1"/>
                       </port>
                       <port portid="443" protocol="tcp">
                         <state state="open"/>
                         <service name="http" product="Apache httpd" tunnel="ssl" version="1.3.41.fb1"/>
                       </port>
                     </ports>
                   </host>
                 </b>
               </hostdiff>
             </scandiff>
           </nmapdiff>

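       The structure above maps directly onto a small consumer. What follows
       is an added example, not part of Ndiff or Nmap: it walks an Ndiff --xml
       document with Python's standard xml.etree module and reduces it to a
       list of (address, what, before, after) changes, handling the three
       places the a/b pair can occur (under hostdiff, under portdiff, and
       inside a port for a service change). Example 2 is embedded as its
       input so it runs offline; the 'absent' label for a host or port
       missing from one scan is this example's own convention.

```python
"""Walk an Ndiff --xml document and list the changes it records.

Added example, not Ndiff's own code. The sample document is Example 2
from the page, embedded so the script runs offline. It relies only on the
elements the page documents (nmapdiff, scandiff, hostdiff, portdiff and
the a/b pair); everything else is ordinary Nmap XML.
"""
import xml.etree.ElementTree as ET

NDIFF_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmapdiff version="1"><scandiff>
 <hostdiff><host><status state="up"/><address addr="69.63.178.41" addrtype="ipv4"/>
  <hostnames><hostname name="photos-cache-snc1.facebook.com"/></hostnames>
  <ports><extraports count="99" state="filtered"/>
   <portdiff><port portid="80" protocol="tcp"><state state="open"/>
    <a><service name="http"/></a>
    <b><service name="http" product="lighttpd" version="1.5.0"/></b>
   </port></portdiff></ports></host></hostdiff>
 <hostdiff><host><status state="up"/><address addr="69.63.179.25" addrtype="ipv4"/>
  <hostnames><a><hostname name="cm.out.snc1.tfbnw.net"/></a>
   <b><hostname name="mailout-snc1.facebook.com"/></b></hostnames>
  <ports><extraports count="100" state="filtered"/></ports></host></hostdiff>
 <hostdiff><b><host><status state="up"/><address addr="69.63.184.145" addrtype="ipv4"/>
  <ports><extraports count="98" state="filtered"/>
   <port portid="80" protocol="tcp"><state state="open"/>
    <service name="http" product="Apache httpd" version="1.3.41.fb1"/></port>
   <port portid="443" protocol="tcp"><state state="open"/>
    <service name="http" product="Apache httpd" tunnel="ssl" version="1.3.41.fb1"/></port>
  </ports></host></b></hostdiff>
</scandiff></nmapdiff>
"""


def _addr(host):
    addr = host.find("address")
    return addr.get("addr", "?") if addr is not None else "?"


def _state(elem, tag):
    # <status state=> for hosts, <state state=> for ports. A side with no
    # such child was not in that scan at all; report that as 'absent'.
    st = elem.find(tag) if elem is not None else None
    return st.get("state", "absent") if st is not None else "absent"


def _service(elem):
    # Render the <service> child as 'name product version' ('' if none).
    svc = elem.find("service")
    if svc is None:
        return ""
    name = svc.get("name", "")
    if svc.get("tunnel"):                       # e.g. ssl/http
        name = svc.get("tunnel") + "/" + name
    parts = [name] + [svc.get(k) for k in ("product", "version") if svc.get(k)]
    return " ".join(p for p in parts if p)


def _hostnames(names, side):
    sub = names.find(side)
    return ",".join(h.get("name", "") for h in sub.iter("hostname")) if sub is not None else ""


def _port_id(port):
    return "%s/%s" % (port.get("portid"), port.get("protocol"))


def diff_changes(xml_text):
    """Return (address, what, before, after) tuples, one per recorded change."""
    root = ET.fromstring(xml_text)
    if root.tag != "nmapdiff":
        raise ValueError("not an Ndiff document: root element is <%s>" % root.tag)
    changes = []
    for hd in root.iter("hostdiff"):
        a, b = hd.find("a"), hd.find("b")
        if a is not None or b is not None:
            # a/b directly under hostdiff: host in only one scan, or up/down changed
            ha = a.find("host") if a is not None else None
            hb = b.find("host") if b is not None else None
            addr = _addr(hb if hb is not None else ha)
            changes.append((addr, "host", _state(ha, "status"), _state(hb, "status")))
            continue
        host = hd.find("host")
        if host is None:
            continue
        addr = _addr(host)
        names = host.find("hostnames")
        if names is not None and (names.find("a") is not None or names.find("b") is not None):
            changes.append((addr, "hostname", _hostnames(names, "a"), _hostnames(names, "b")))
        for pd in host.iter("portdiff"):
            pa, pb = pd.find("a"), pd.find("b")
            if pa is not None or pb is not None:
                # a/b directly under portdiff: port in only one scan, or its state changed
                porta = pa.find("port") if pa is not None else None
                portb = pb.find("port") if pb is not None else None
                pid = _port_id(portb if portb is not None else porta)
                changes.append((addr, "port %s state" % pid,
                                _state(porta, "state"), _state(portb, "state")))
                continue
            port = pd.find("port")
            if port is not None and port.find("a") is not None and port.find("b") is not None:
                # same state in both scans; only the service/version differs
                changes.append((addr, "port %s service" % _port_id(port),
                                _service(port.find("a")), _service(port.find("b"))))
    return changes


if __name__ == "__main__":
    for addr, what, before, after in diff_changes(NDIFF_XML):
        print("%-15s %-22s %r -> %r" % (addr, what, before, after))
```

       Run against Example 2 it yields three changes: the service on
       80/tcp of 69.63.178.41, the hostname of 69.63.179.25, and the host
       69.63.184.145 going from absent to up. Feeding the tuples into an
       alerting or ticketing system avoids scraping the text format, whose
       layout follows Nmap's terminal output and may change between versions.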

PERIODIC DIFFS

       Using Nmap, Ndiff, cron, and a shell script, it's possible to scan a
       network daily and get email reports of the state of the network and
       changes since the previous scan. Cron delivers the report by mailing
       whatever the script prints to the crontab owner (or the MAILTO
       address). Example 3, “Scanning a network periodically with Ndiff and
       cron” shows the script that ties it together.

       Example 3. Scanning a network periodically with Ndiff and cron

           #!/bin/sh
           TARGETS="targets"            # hosts or networks to scan
           OPTIONS="-v -T4 -F -sV"
           date=`date +%F`
           cd /root/scans || exit 1     # never scan into the wrong directory
           nmap $OPTIONS $TARGETS -oA scan-$date > /dev/null
           if [ -e scan-prev.xml ]; then
                   ndiff scan-prev.xml scan-$date.xml > diff-$date
                   echo "*** NDIFF RESULTS ***"
                   cat diff-$date
                   echo
           fi
           echo "*** NMAP RESULTS ***"
           cat scan-$date.nmap
           ln -sf scan-$date.xml scan-prev.xml

       Because every run uses the same OPTIONS, a difference reported by
       Ndiff reflects a change on the network rather than a change in scan
       coverage.

       If the script is saved as /root/scan-ndiff.sh, add the following line
       to root's crontab:

           0 12 * * * /root/scan-ndiff.sh


EXIT CODE

       The exit code indicates whether the scans are equal.

       ·   0 means that the scans are the same in all the aspects Ndiff knows
           about.

       ·   1 means that the scans differ.

       ·   2 indicates a runtime error, such as the failure to open a file.

       Scripts should test for 1 explicitly rather than for "non-zero": a
       shell test such as if ! ndiff a.xml b.xml; then ... would treat a
       missing or unreadable scan file (exit code 2) the same as a real
       change.

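       The following Python wrapper is an added example (not Ndiff's own
       code) for using these codes from automation such as Example 3: it
       treats 1 as a difference, 0 as no difference, and raises on 2 instead
       of mistaking a failed run for a change. It assumes an ndiff executable
       on PATH; the scan file names in its __main__ block are placeholders,
       and the run= parameter exists only so the logic can be exercised
       without Nmap or Ndiff installed.

```python
"""Run Ndiff from a script and act on its exit code (0/1/2).

Added example, not Ndiff's own code. It assumes an `ndiff` executable on
PATH (override with the ndiff= argument) and needs no other tool.
"""
import subprocess

UNCHANGED, CHANGED, ERROR = 0, 1, 2   # as documented under EXIT CODE


class NdiffError(RuntimeError):
    """Ndiff itself failed (exit code 2), e.g. a scan file could not be read."""


def interpret_exit(rc, stderr=""):
    """Map an Ndiff exit status to True (scans differ) or False (identical).

    Only 0 and 1 carry a verdict; anything else is a runtime error and is
    raised instead of being mistaken for a change.
    """
    if rc == UNCHANGED:
        return False
    if rc == CHANGED:
        return True
    raise NdiffError("ndiff exited with status %d: %s" % (rc, stderr.strip()))


def scans_differ(a_xml, b_xml, ndiff="ndiff", verbose=False, run=subprocess.run):
    """Run `ndiff [-v] a b` and return (differ, diff_text).

    `run` defaults to subprocess.run; it is injectable so the exit-code
    handling can be tested without Ndiff present.
    """
    cmd = [ndiff] + (["-v"] if verbose else []) + [a_xml, b_xml]
    proc = run(cmd, capture_output=True, text=True)
    return interpret_exit(proc.returncode, proc.stderr), proc.stdout


def report_if_changed(prev_xml, new_xml, **kwargs):
    """Diff text when the scans differ, '' when they are identical.

    Printing only this from a cron job means cron mails you only when
    something changed, since cron sends mail only for non-empty output. An
    Ndiff failure still raises, so its traceback still reaches you by mail.
    """
    differ, text = scans_differ(prev_xml, new_xml, **kwargs)
    return text if differ else ""


if __name__ == "__main__":
    import sys
    # Placeholder file names; in Example 3 these would be scan-prev.xml
    # and scan-$date.xml.
    sys.stdout.write(report_if_changed("scan-prev.xml", "scan-new.xml"))
```

       Dropping this in place of the ndiff line in Example 3 turns the daily
       mail into a mail-on-change alert while keeping Ndiff's own failures
       visible.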

BUGS

       Report bugs to the nmap-dev mailing list at nmap-dev@insecure.org.


HISTORY

       Ndiff started as a project by Michael Pattrick during the 2008 Google
       Summer of Code. Michael designed the program and led the discussion of
       its output formats. He wrote versions of the program in Perl and C++,
       but the summer ended shortly after it was decided to rewrite the
       program in Python for the sake of Windows (and Zenmap) compatibility.
       This Python version was written by David Fifield. James Levine
       released[1] a Perl script named Ndiff with similar functionality in
       2000.


AUTHORS

       David Fifield david@bamsoftware.com

       Michael Pattrick mpattrick@rhinovirus.org


WEB SITE

       http://nmap.org/ndiff/


NOTES

        1. released
           http://seclists.org/nmap-hackers/2000/0315.html


Ndiff                             01/26/2010                          NDIFF(1)