Scheduling Nmap Scans with `cron`
Introduction
Nmap (Network Mapper) is a powerful open-source tool used for network discovery and security auditing. While it is commonly used for on-demand scans, automating Nmap scans using `cron` can help administrators and security professionals monitor networks regularly without manual intervention.
In this guide, we will explore how to schedule Nmap scans using `cron`, configure different scanning options, and automate logging and reporting of scan results.
Why Schedule Nmap Scans?
Automating Nmap scans using `cron` offers several benefits:
- Continuous Monitoring: Regular scans help detect unauthorized devices and vulnerabilities.
- Time Efficiency: Scheduled scans reduce the need for manual intervention.
- Incident Response: Helps in detecting changes in the network that may indicate a security breach.
- Historical Data: Logs from automated scans can provide insights into network changes over time.
Understanding cron
`cron` is a time-based job scheduler in Unix-like operating systems. It allows users to schedule tasks (cron jobs) at specific times or intervals. The `crontab` (cron table) file contains the list of jobs to be executed and their schedules.
Cron Syntax
A cron job consists of six fields:
MIN HOUR DOM MON DOW COMMAND
- MIN: Minute (0-59)
- HOUR: Hour (0-23)
- DOM: Day of the month (1-31)
- MON: Month (1-12)
- DOW: Day of the week (0-7, where both 0 and 7 represent Sunday)
- COMMAND: The command or script to execute
Example:
0 3 * * 1 nmap -sP 192.168.1.0/24
This runs a ping scan (`-sP`) every Monday at 3 AM on the 192.168.1.0/24 network.
Setting Up Automated Nmap Scans with cron
Step 1: Installing Nmap
Ensure Nmap is installed on your system. If not, install it using:
sudo apt install nmap # Debian/Ubuntu
sudo yum install nmap # CentOS/RHEL
brew install nmap # macOS
Step 2: Creating a Scan Script
Instead of adding Nmap commands directly to `crontab`, it’s best to use a script. Create a script, for example, `nmap_scan.sh`:
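#!/bin/bash
# Timestamp used to give each report a unique file name
TIMESTAMP=$(date +"%Y-%m-%d_%H-%M-%S")
# Directory where scan reports are stored
SCAN_DIR="/var/log/nmap"
mkdir -p "$SCAN_DIR"
# Aggressive scan of the subnet, saved in normal (human-readable) format
nmap -A -T4 192.168.1.0/24 -oN "$SCAN_DIR/nmap_scan_$TIMESTAMP.txt"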
- `TIMESTAMP`: Appends a timestamp to log files for easier tracking.
- `SCAN_DIR`: Directory where scan logs are stored.
- `nmap -A -T4 192.168.1.0/24`: Runs an aggressive scan on the subnet.
- `-oN`: Saves the output in a human-readable format.
Make the script executable:
chmod +x nmap_scan.sh
Step 3: Scheduling the Scan with cron
Edit the crontab file:
crontab -e
Add the following entry to schedule the script every day at 2 AM:
0 2 * * * /path/to/nmap_scan.sh
Save and exit the editor.
Customizing Nmap Scan Scheduling
Running Scans at Different Intervals
Modify the cron timing as per requirement:
Every 6 hours:
0 */6 * * * /path/to/nmap_scan.sh
Every Sunday at midnight:
0 0 * * 0 /path/to/nmap_scan.sh
Every first day of the month at 4 AM:
0 4 1 * * /path/to/nmap_scan.sh
Logging and Email Alerts
To log outputs and receive alerts:
Redirect output to a log file:
0 2 * * * /path/to/nmap_scan.sh >> /var/log/nmap_cron.log 2>&1
Email the script's output as a report (as written, this entry sends mail after every run, not only when an error occurs):
0 2 * * * /path/to/nmap_scan.sh | mail -s "Nmap Scan Report" admin@example.com
Ensure `mailx` is installed for email functionality:
sudo apt install mailutils # Debian/Ubuntu
sudo yum install mailx # CentOS/RHEL
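The timestamped `-oN` reports that `nmap_scan.sh` writes can be compared between runs to surface newly opened ports, which is the change detection listed under "Why Schedule Nmap Scans?". The script below is an added example, not part of the original guide; the function names `open_ports` and `new_ports` and the two sample reports are constructed for illustration.

```bash
#!/bin/bash
# Added example: list host/port pairs that are open in the newest -oN report
# but were not open in the previous one. POSIX sh constructs only.
export LC_ALL=C   # identical collation for sort and comm

# Print "host port/proto service" for every open port in an nmap -oN file.
open_ports() {
    awk '
        /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host); next }
        $1 ~ /^[0-9]+\/(tcp|udp|sctp)$/ && $2 == "open" { print host, $1, $3 }
    ' "$1" | sort -u
}

# Print entries open in report $2 that were not open in report $1.
new_ports() (
    tmp=$(mktemp -d) || exit 1
    open_ports "$1" > "$tmp/old"
    open_ports "$2" > "$tmp/new"
    comm -13 "$tmp/old" "$tmp/new"
    rm -rf "$tmp"
)

# Constructed sample reports standing in for two files in /var/log/nmap.
demo_dir=$(mktemp -d)
cat > "$demo_dir/nmap_scan_2024-01-01_02-00-00.txt" <<'EOF'
Nmap scan report for 192.168.1.10
Host is up (0.0010s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9
EOF
cat > "$demo_dir/nmap_scan_2024-01-02_02-00-00.txt" <<'EOF'
Nmap scan report for 192.168.1.10
Host is up (0.0010s latency).
PORT     STATE  SERVICE       VERSION
22/tcp   open   ssh           OpenSSH 8.9
23/tcp   closed telnet
3389/tcp open   ms-wbt-server
Nmap scan report for printer.lan (192.168.1.50)
Host is up (0.0020s latency).
PORT     STATE SERVICE
9100/tcp open  jetdirect
EOF

# The timestamped names sort chronologically, so the last two are the newest.
prev=$(ls "$demo_dir"/nmap_scan_*.txt | sort | tail -n 2 | head -n 1)
last=$(ls "$demo_dir"/nmap_scan_*.txt | sort | tail -n 1)
new_ports "$prev" "$last"
```

Pointed at `/var/log/nmap` instead of the sample directory, the output of the last command can be piped to the `mail` entry shown above so the report contains only what changed.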
Securing Nmap Automation
Automated scanning must be done responsibly to avoid security risks:
Limit Access: Only allow trusted users to execute the scan script.
sudo chmod 700 /path/to/nmap_scan.sh
Run as a Dedicated User: Create a restricted user for scanning.
sudo useradd -r -s /bin/false nmapuser
Assign the script to `nmapuser` in `crontab`:
sudo crontab -u nmapuser -e
Avoid Overloading the Network: Use appropriate timing and scan intensity (`-T2` for low-priority scans).
Ensure Logs Are Secure: Store logs in a secure directory and set proper permissions.
sudo chmod 600 /var/log/nmap/*.txt
Conclusion
Automating Nmap scans using `cron` is an efficient way to continuously monitor network security. By properly configuring cron jobs, logging results, and securing scan scripts, administrators can ensure effective and responsible network scanning.
Whether for vulnerability assessment, asset discovery, or network monitoring, scheduled Nmap scans provide critical insights into network security, helping administrators stay ahead of potential threats.