June 13, 2019
Nmap Ndiff and Telegram for red teaming
June 13, 2019
What is Phactive?
Phactive is a little script written in bash, it’s to aid in a red team workflow, Since red team is mostly about continuous monitoring and simulation of a real life attack. unlike in Penetration testing where you just have to run a scan and submit a report the explain your findings, which can be accomplished with a short time missing out new risks and vulnerabilities. For example: During a penetration testing you can run an Nmap scan on port “22” during your scan and its closed. Which might then be opened tomorrow for maybe technical support. So this is where red team idea comes in handing.
So Phactive runs an Nmap scan every morning at 10am with the use of cron job, it then compares the result of Yesterday’s scan result with Todays result using Ndiff. If they are any new open ports or changes in the scan it’s send a report of the new findings to your specified Telegram bot.
This is a very basic red teaming script that runs nmap every day at 10AM using cron job that Scans 0-65535 with "-A -Pn -v -T4 -F -sV" Flags then uses ndiff to compare the result. If there's any difference it sends a notification to your specified Telegram bot aboutnew ports discovered.
Download, setup, and usage
git clone https://github.com/Phexcom/phactive.git /opt/phactive
sudo nano /opt/phactive/main.sh
Add the host you want to scan and monitor:
TARGETS="127.0.0.1" # Target eg: (Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254)
Add your telegram chat id and token:
chat_id="<Telegram chat id>" # Telegram Chat idtg_token="<Telegram Bot Token"# Telegram bot Token
To setup a telegram token and chat id check out this post.
Setup a cron job
Once you done with the setup. You can run a cron job that runs every morning at 10am or your desirable time. Here is an example:
sudo nano /etc/crontab
Then copy and paste then save.
00 10 * * * root bash /opt/phactive/main.sh