A quick tip: since more than a year now I’ve been including xml output with each nmap scan I perform. I discovered that the xml output contains more (explicit) data than the other forms of output.
nmap -oG test.csv -oX test.xml scanme.nmap.org
Starting Nmap 5.51 ( http://nmap.org ) at 2013-11-23 05:05 EST
Nmap scan report for scanme.nmap.org (126.96.36.199)
Host is up (0.65s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
9929/tcp open nping-echo
Nmap done: 1 IP address (1 host up) scanned in 1.19 seconds
The grepable output:
The xml output:
shinnai made an interesting comment when I released my tool to find contained files: he wanted to know if I could add a batch mode.
I guess this batch mode is interesting when you want to check if a large set of files contains a particular file. So I added this features and release it here.
Now you can provide more than one containing-file to find-file-in-file.py: you can just type several files, use wildcards and/or use at-files (@file). When you specify @filename, find-file-in-file.py will search in all the files listed in textfile filename (each file on a separate line).
When you provide only one file to search, then this new version will just work like the previous version.
But if you provide more than one file, then batch mode is enabled. In batch mode, the contained file is searched for in each containing file. If a (partial) match is found, it will be included in the report. If no match is found, no output is produced. If you want output even when no match is found, then use option verbose (-v).
Example for a bunch of MSI files:
find-file-in-file.py msi49.tmp *.msi
003a7200 00005600 (100%)
00295600 00001000 (18%)
00294a00 00000c00 (13%)
00296600 00003a00 (67%)
File msi49.tmp was found in only 2 MSI files.
This new version of the generic frame extraction tool (naft-gfe) can handle files (RAM dumps) that are too large to fit into memory.
Use option -b for buffered reads. By default, the file will be read and analyzed in blocks of 101MB (100MB buffer + 1MB overlap buffer).
Since the file is not read completely in memory, there is a possibility that some frames/packets are not completely read in memory. For example, a frame starts in the first block of 100MB, and ends in the second block of 100MB. The analysis routines would miss this frame.
To avoid this, the program reads the first block of 100MB (block A) plus an extra block of 1MB (block B). This block of 101MB (A + B) is analyzed. Then, the second block of 100MB (block C) is read, and the extra block B is prepended to block C for analysis (B + C). Hence the overlap buffer is analyzed twice, but packets are only extracted once from this buffer. This procedure is repeated for the complete file.
It is important that the overlap buffer is large enough to accommodate the largest possible frame or packet. That’s why by default, it is 1MB.
Use options -S and -O to choose your own size for buffer and overlap buffer.