0

I would like to call Nmap from PHP.

If I do this:

exec('nmap', $output);
var_dump( $output );

It works, I get the classic "Usage of Nmap" text.

But as soon as I tried to run a UDP check like

exec('nmap -p 586 -sU xx.xx.xx.xx', $output);
var_dump( $output );

It doesn't work anymore, with no output.

What am I missing?

Regards

Khorne
  • This is a duplicate of: http://stackoverflow.com/questions/9483227/shell-exec-not-working-with-nmap-command – drmarvelous Aug 21 '14 at 14:56
  • No, it is not a duplicate! Using the full path doesn't change anything. It works with a few options like -v but with -sU it fails – Khorne Aug 21 '14 at 15:14
  • Not only was the full path mentioned in there, but different code was also used. – drmarvelous Aug 21 '14 at 15:17
  • You are still wrong. The problem was not a question of path or different code. The problem was that NMAP is not fully functional with the web server's user. – Khorne Aug 31 '14 at 10:41

3 Answers

2

Certain Nmap features require root privileges to run. -sU UDP port scanning is one of these. On Linux, the full list is:

  • -sU UDP port scans
  • -sS TCP SYN scans
  • -sA/W/M/N/F/X TCP scans with various flags
  • -PE/PP/PM ICMP host discovery probes
  • -sO IP Protocol scans
  • -sY/Z SCTP scans
  • -O OS detection
  • --traceroute tracerouting
  • Pretty much all the IDS evasion options

Needless to say, it's probably NOT A GOOD IDEA to let your web server run Nmap commands as root. I also caution you to be very strict about what user input you let into the Nmap command line. Lots of Nmap features can be abused to execute arbitrary functions.

bonsaiviking
0

Try using the backtick operator (`) to run Nmap. That will return the output into a variable. So:

$output = `nmap -p 586 -sU xx.xx.xx.xx`;

More on the backtick operator: http://php.net/manual/en/language.operators.execution.php

Josh Pennington
  • Same as before. "Nmap" alone works and returns the Usage text, but nothing as soon as I add an option after Nmap – Khorne Aug 21 '14 at 15:02
0

Important notice: NMAP is not fully functional with the web server's user (apache, www-data, ...). Only root can do everything with NMAP.

I'd use popen().

$stream = popen('/usr/bin/nmap -p 586 -sU xx.xx.xx.xx', 'r');

while (!feof($stream)) {
    //Make sure you use semicolon at the end of command
    $buffer = fread($stream, 1024);
    echo $buffer, PHP_EOL;
}

pclose($stream);

Or worth trying:

// Start output buffering
ob_start();
// Flush COMPLETE output of nmap
passthru('/usr/bin/nmap -p 586 -sU xx.xx.xx.xx');
// Capture output buffer contents
$output = ob_get_contents();
// Shutdown output buffers
ob_end_clean();
Pixsa
Daniel W.
  • Your notice explains everything, I guess. For example the -v option works, but not the -sU . – Khorne Aug 21 '14 at 15:17
  • You can use nmap without root but **many** options don't work then. If you have SSH access, try with root `su www-data` (or apache,..) then run nmap from console. It will fail :-/ – Daniel W. Aug 21 '14 at 15:25
  • @Khorne Hint: You can set up php-fpm (fcgi) (better with nginx I guess) and let the PHP script be executed by root from the web. – Daniel W. Aug 21 '14 at 15:28
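
An added example, not code from any of the answers above: exec() and the backtick operator capture only stdout, so a scan that Nmap refuses to run looks like "no output". This sketch captures stderr and the exit code as well, and applies the strict input handling the first answer calls for by validating each value and passing an argument array so no shell is involved. The binary path, the allow-list, the function names and the target address are assumptions made for illustration; it needs PHP 7.4 or later.

```php
<?php
// Added example: validate inputs, run nmap without a shell, and surface
// stderr and the exit code. Names and values here are illustrative assumptions.
const NMAP_BIN = '/usr/bin/nmap';
const ALLOWED_SCANS = ['-sT', '-sU']; // -sU needs root, per the answer's list

function build_nmap_argv(string $target, $port, string $scan): array
{
    // Only a literal IP address is accepted: no hostnames, ranges or options.
    if (filter_var($target, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('target must be a literal IP address');
    }
    $port = filter_var($port, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 65535]]);
    if ($port === false) {
        throw new InvalidArgumentException('port must be an integer 1-65535');
    }
    if (!in_array($scan, ALLOWED_SCANS, true)) {
        throw new InvalidArgumentException('scan type not allowed');
    }
    return [NMAP_BIN, $scan, '-p', (string) $port, $target];
}

function run_nmap(array $argv): array
{
    // Array form of proc_open (PHP 7.4+) starts the process directly, no shell.
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start nmap');
    }
    // Sequential reads are fine here because nmap's stderr output is short.
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return ['exit' => proc_close($proc), 'stdout' => $stdout, 'stderr' => $stderr];
}

// Constructed sample input: 192.0.2.10 is a documentation-only address.
$result = run_nmap(build_nmap_argv('192.0.2.10', '586', '-sU'));
if ($result['exit'] !== 0) {
    error_log('nmap failed: ' . trim($result['stderr']));
}
var_dump($result);
```

Run as the web server's user, the `-sU` call shows whatever Nmap wrote to stderr instead of an empty array; `-sT` is not on the root-only list above and works without extra privileges.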