23rd International Symposium INFOTECH-JAHORINA, 20-22 March 2024
Automation of Nmap Scanning of Information
Systems
Slavimir Stošović, Nikola Vukotić, Dušan Stefanović, Nikola Milutinović
Department of Information and Communication Technologies
The Academy of Applied Technical and Preschool Studies
Nis, Serbia
slavimir.stosovic@akademijanis.edu.rs, nikola.vukotic@akademijanis.edu.rs,
dusan.stefanovic@akademijanis.edu.rs, nikola.milutinovic@akademijanis.edu.rs
Abstract—One of the key factors in the security and protection of
2024 23rd International Symposium INFOTEH-JAHORINA (INFOTEH) | 979-8-3503-2994-0/24/$31.00 ©2024 IEEE | DOI: 10.1109/INFOTEH60418.2024.10496014
modern information systems involves the complete elimination or
reduction to a minimum of the risk of compromising them through
attacks by malicious actors. System vulnerabilities of hardware
components, as the basic building blocks of information systems,
represent the main "points of penetration" of hackers into the
system. This paper describes the method of automating the
scanning of information system components, by integrating the
Nmap script vulners.nse into the PowerShell and Bash
environments, to find and eliminate these weaknesses promptly.
Newly created scripts will be automatically executed at defined
time intervals, providing the administrator with information on
the total number of detected vulnerabilities for which the
exploitation method is known, and automatically generating an e-
mail message with details of all detected flaws.
Keywords-component; information systems; Nmap;
vulnerabilities; PowerShell, Bash
I. INTRODUCTION
In today's digital age, information systems represent the vital
foundation of organizations and companies, making them a
pillar in all aspects of business. Preserving the integrity, security,
and performance of these systems is becoming increasingly
important and given the continuously growing number of threats
and vulnerabilities, it is imperative to develop effective tools and
techniques for monitoring and protection. One of the key aspects
of this protection lies in the ability to timely detect, analyze, and
remediate security vulnerabilities of systems, services, and
applications.
Among the numerous tools for detecting security
weaknesses and deficiencies in information system components,
Nmap (Network Mapper) [1] will be used in this work for
several reasons: a wide range of functionality and versatility in
this sense, adaptability through NSE (Nmap Scripting Engine)
scripts, speed and efficiency, large community and support, the
ability to integrate with other tools, open-source implementation
and, finally, the advanced settings options for fine-tuning scans
that it offers users. The listed items make Nmap a powerful tool
for detecting vulnerabilities in information systems, allowing
users to effectively identify potential weak points and take
adequate steps to improve system security. Through precise
979-8-3503-2994-0/24/$31.00 ©2024 IEEE
Authorized licensed use limited to: Universitas Airlangga. Downloaded on May 05,2024 at 11:12:51 UTC from IEEE Xplore. Restrictions apply.
scanning of open ports and identification of services, the Nmap
script vulners.nse enables the detection of vulnerabilities of
individual system components, assessing the severity of each, a
link to a website with a detailed description and mitigation
method, as well as information on whether an exploitation
method is already known.
The topic of this paper is precisely the automation of the
process of scanning information systems for vulnerabilities
through the integration of Nmap scripts in PowerShell and Bash
environments. These scripting languages were chosen for their
powerful functionality and wide use for administrative and
automation purposes. Syntegrating aims to speed up the
scanning process, improve efficiency, and facilitate the analysis
of the results.
In the final instance, through a deeper understanding of the
mentioned technologies and their functionalities, the work
should contribute to a better understanding of how the
integration of Nmap scripts in popular Windows and
Unix/Linux environments can improve the security of
information systems and facilitate the work of cyber security
teams.
II. IMPLEMENTATION MODELS
When implementing and considering network automation
and programming, we can come across many trends and
technologies in the network industry that have emerged recently.
Many of them are considered SDN (Software-Defined
Networking) or can be viewed as such, but it should be noted
that in addition to the characteristics of the SDN paradigm that
bring the separation of the control level from the data level,
controller-based networks, APIs on network devices, network
automation tools (framework), there are also approaches that
share the same general idea of software running on top of the
network infrastructure, and are used to automate tedious
repetitive tasks, centralize and simplify network management,
abstract and hide interactions with network devices at "low
level". The concept behind these trends aims to create hybrid
newer solutions and approaches, depending on the environment
as well as the network devices themselves, to automate
configuration management and the implementation of daily
tasks, on both traditional and newer networks. This leads to the
 23rd International Symposium INFOTECH-JAHORINA, 20-22 March 2024
fact that strategies for implementing network automation and
programming differ from case to case [2].
Three common approaches and ways of realization - USE
CASES of automation of management level and online
operations, which is illustrated in Figure 1, will be briefly
explained.
Figure 1. Implementation models
Cisco DNA Center is a network management software
solution that provides a centralized platform for automating
network operations, managing network devices, and enforcing
network-wide policies. It aims to simplify network operations,
improve network performance and security, and provide easier
insight into network behavior and performance in real-time [3].
Cisco DNA Center, as a network management controller, is
based on the foundations of Cisco Digital Network Architecture
(DNA) and Intent-Based Networking (IBN), following the same
general concepts of SDN controller architecture. Figure 2 shows
the general concept of the Cisco DNA Center.
Figure 2. The general concept of the Cisco DNA Center
Ansible and other tools, intended for automating server IT
infrastructure, are executed in a distributed manner, where the
Ansible control host connects to each server being automated via
SSH, and Python code is subsequently copied to each server.
This code is what performs the automation task, by entering a
certain configuration into the device. After expanding the
possibilities for automating network devices, the idea was
slightly changed to function in a centralized way.
Communication is done via SSH (CLI), HTTP-based API,
NETCONF… etc., and Python codes are run locally on the
control node, instead of being copied to target network devices.
979-8-3503-2994-0/24/$31.00 ©2024 IEEE
Authorized licensed use limited to: Universitas Airlangga. Downloaded on May 05,2024 at 11:12:51 UTC from IEEE Xplore. Restrictions apply.
Figure 3 illustrates the general idea of Ansible workflow with a
network element.
Figure 3. Ansible workflow with the network element
One of the main factors that make network automation and
programming possible, and also enables further development,
are application programming interfaces - APIs, on network
devices. API is a way for a program (software) to communicate
or obtain variables and data structures (often JSON/XML),
which are used by another program, making logical choices
based on the obtained values, by changing the values of those
variables, creating new ones or deleting variables. APIs allow
programs, running on different computers, to communicate with
each other, exchanging data to perform a specific task. There are
several types of network device APIs, each with a different set
of standards to meet different needs, for example, OpenFlow
protocol, REST, and NETCONF protocol. Even the command-
line interface (CLI), in an automated network management
system, is considered an API (although it is a user interface,
designed more for human use). Here we will provide a brief
specification for the common types of APIs found on network
devices, with the corresponding Python modules provided.
Figure 4 shows different Python libraries on one side, which
through transport protocols, can use device APIs on the other
side [4].
Figure 4. Device API with associated Python modules
III. AN OVERVIEW OF POWERSHELL, BASH AND NSE
PowerShell is an integrated environment within the Windows
operating system developed to manage configuration and
automate administrative tasks. Its intuitive syntax is based on
 23rd International Symposium INFOTECH-JAHORINA, 20-22 March 2024
the .NET framework, allowing developers to use an object-
oriented approach and easier integration with other Microsoft
technologies. In addition to the scripting language, it includes
powerful tools, cmdlets, modules, and resources that allow users
to effectively manage and automate Windows environments.
PowerShell features include automatic script execution,
efficient resource management, the ability to work interactively,
and easy manipulation of text and files. It also provides
advanced data processing and analysis capabilities, making it a
powerful tool for complex operations and information
transformations. A disadvantage may be the primary orientation
towards the Windows platform, which limits its applicability in
cross-platform environments. Also, for inexperienced users,
learning PowerShell can be challenging due to the extensive
syntax and complex concepts.
Bash (Bourne Again Shell) is a standard Unix shell and
scripting language used to interact with and manage Unix-like
operating systems. The Bash syntax is based on the sh shell but
has been extended and enhanced with additional features and
capabilities, making it a very flexible and advanced tool.
One of the key features of Bash is its strong support for
scripting, which allows the automation of various tasks and
processes. It is widely accepted in the Linux community,
providing plenty of resources, documentation, and support. In
addition, it is inherently present in most Unix and Linux
distributions, making it readily available and widely accepted.
On the other hand, Bash can be challenging for users unfamiliar
with Unix syntax and concepts. Also, while it's great for
automated tasks and word processing, it can be less efficient
when working with complex objects and operations that require
a high degree of abstraction.
Despite the challenges, Bash is an essential tool for every
system administrator, developer, and user of Unix and Linux
systems, providing advanced management and automation
capabilities in this environment.
The most progressive part of Nmap itself is the NSE
mechanism, which provides the ability to create and execute
scripts directly within the Nmap environment, which
significantly expands its capabilities and adaptation to specific
needs. Scripts can perform a variety of tasks, including
vulnerability detection, service analysis, system information
gathering, and more.
The advantages of using Nmap NSE include the ability to
adapt the scanning of information systems to specific needs,
deeper analysis of systems and services, and effective detection
of vulnerabilities. Also, NSE is continuously updated by the
community, constantly improving the scripts to detect the latest
vulnerabilities and services.
Writing and properly using scripts requires a deeper
knowledge of network concepts, security of information
systems, and risks. Also, improper use can cause inconvenience
and abuse, so it is important to use Nmap NSE responsibly and
ethically.
Overall, Nmap NSE is an extremely useful tool for system
administrators and security professionals, providing advanced
979-8-3503-2994-0/24/$31.00 ©2024 IEEE
Authorized licensed use limited to: Universitas Airlangga. Downloaded on May 05,2024 at 11:12:51 UTC from IEEE Xplore. Restrictions apply.
scanning and analysis options for information systems, with the
ability to customize and enhance functionality through
IV. AUTOMATION THROUGH POWERSHELL
The program code below shows the way to integrate the NSE
vulners script into the PowerShell program code. Within the
PowerShell script, variables are used to define the names of the
XML file for recording the scan results and the log file for
temporarily storing the number of detected vulnerabilities, as
well as the name or IP address of the machine(s) on which the
scan is performed. The prerequisite for executing the Nmap
command is that Nmap is already installed on the system and
that the path is entered in the system variables. Nmap scanning
by the vulners script is part of an infinite loop and is executed at
defined time intervals, in this case, every 3600 seconds.
while ($true) {
# Fetching current date and time
$CurrentDateTime = Get-Date -Format "yyyyMMddHHmmss"
# Config parameters for Nmap scanning
$NmapPath = "C:\Program Files (x86)\Nmap\"
$Output = "outputWinTmr__$J{CurrentDateTime}.xml"
$Log = "outputWinSvrPS.log"
$TargetIP = "192.168.233.129"
$NmapArgs = "-sV --script vulners -oX $Output $TargetIP"
Start-Process-FilePath "${NmapPath}nmap.exe"-ArgumentList
$NmapArgs-Wait
# Reading file content
$fileContent = Get-Content -Path $Output -Raw
# Counter init
$exploitCount = 0
# Iterating through file
foreach ($line in $fileContent) {
$lineExploitCount =($line-split"\*EXPLOIT\*").Count -1
$exploitCount += $lineExploitCount
}
# Loading the previous value from the log file, if exists
$prevExploitCount = 0
if (Test-Path $Log) {
$prevExploitCount = Get-Content -Path $Log
}
# Writing the current value to the log file
$exploitCount | Set-Content -Path $Log
if ([int]$exploitCount -gt [int]$prevExploitCount) {
$Dif = [int]$exploitCount - [int]$prevExploitCount
}
else {
$Dif = [int]$prevExploitCount - [int]$exploitCount
}
if ($exploitCount -ne $prevExploitCount) {
# Config parameters for email
$SMTPServer = "mail.nmapmaster.com"
$SMTPPort = 587
$SMTPUsername = "Administrator"
$SMTPPassword = "asdfl234"
$SenderEmail = "vulners@nmapmaster.com"
$RecipientEmail = "lepomirp@nmapmaster.com"
$Subject = "Nmap Vulnerability report za Windows Ser-ver"
if ($Dif -gt 0) {
$Body = " The number of EXPLOIT vulnerabilities com-
pared to the previous scan increased by: $D:
Total number of EXPLOIT vulnerabilities currently:
$exploitCount.'nNmap vulnerability report it to
}
elseif ($Dif -It 0) {
$Body = " The number of EXPLOIT vulnerabilities compared
to the previous scan reduced by: $D:
Total number of EXPLOIT vulnerabilities currently: $ex-
ploitCount.'nNmap vulnerability report it to
}
# Sending an email with an attached XML file
$SecurePassword = ConvertTo-SecureString $SMTPPassword -
AsPlainText -Force
 23rd International Symposium INFOTECH-JAHORINA, 20-22 March 2024

$EmailParams = @{ Body=" The number of EXPLOIT vulnerabilities com-

From = $SenderEmail pared to the previous scan increased by:
To = $RecipientEmail $Dif.\\nTotal number of High and Critical level
Subject = $Subject EXPLOIT vulnerabilities currently: $expl]
Body = $Body \\nNmap vulnerability the report is attached."
SmtpServer = $SMTPServer elif [ "$exploitCount" -lt ”$prevExploitCount" ]; then
Port = $SMTPPort Dif=$((prevExploitCount - exploitcount))
Credential = New-Object System.Management.Automa- Body=" The number of EXPLOIT vulnerabilities com-
tion.PSCredential ($SMTPUsername; pared to the previous scan reduced by:
$SecurePassword) $Dif.\\nTotal number of High and Critical level
Attachments = $Output EXPLOIT vulnerabilities currently: $expl
} \\nNmap vulnerability the report is attached."
try { fi
Send-MailMessage @EmailParams
Write-Output "Emain sent to $RecipientEmail." # Sending an email message with an XML file attached
} echo $Body | mail -A $Output -s "$Subject" "$RecipientEmail”
catch {
Write-Error "Error sending mail: $_" # Checking the status of an email message
} if [ $? -eq 0 ]; then
} echo "Email sent successfully."
Start-Sleep -Seconds 3600 else
} echo " Error sending email."
fi
fi
V. AUTOMATION THROUGH POWERSHELL sleep 3600
done
The program code in bellow shows the way to integrate the
NSE vulners script into the Bash program code. Apart from the In this case, only High and Critical level vulnerabilities, i.e.
syntax adapted to the Bash language, the only fundamental those whose sensitivity is above 7, according to the CVSSv3
difference compared to the activity realized by the PowerShell standard, will be detected.
script from section 3 is that the minimum CVSS [5] vulnerability
threshold that the script will report in the final report is specified In order not to unnecessarily load the recipient's e-mail box
in the Nmap arguments. by sending e-mail messages after each scan, the script is
while true; do
programmed to generate and send e-mail messages only if it
registers changes in the number of vulnerabilities for which the
CurrentDateTime=$(date +"%Y%m%d_%H%M%S") exploitation method is known, compared to the previous scan.
Output="outputWinSvrTC__${CurrentDateTime}.xml"
Log="outputWinSvrSh.log" TargetIP="192.168.233.129"
VI. THE REPORT
NmapArgs="-sV --script vulners --script-args mincvss=7.0 -oX The final results of the scan are directly dependent on the
$Output $TargetIP"
given arguments in the Nmap command. It is possible to
nmap $NmapArgs combine different types of scans, and determine one or more
target devices, transport protocol (TCP or UDP), specific or
exploitCount=0
range of ports, as well as the criticality level of the vulnerability
exploitCount=$(grep -F -o "*EXPLOIT*" "^Output” | wc -1) based on CVSS.
prevExploitCount=0 The scan report (English Nmap Scan Report), a part of which
if [ -f "$Log" ]; then is shown in Figure 9, provides all the necessary and necessary
prevExploitCount=$(cat "$Log")
fi information to see the level of exposure to the risk of a scanned
device or system to a potential hacker attack. Most of the reports
echo "$exploitCount" > "$Log” refer to open ports and the services performed on them. The
echo " Total number of EXPLOIT vulnerabilities currently: $ex- report contains information about the software running on a
ploitCount" specific port, its version, the transport protocol it uses, as well as
echo " Number of EXPLOIT vulnerabilities in the previous scan: additional information detected by the scan, such as the service
$prevExploitCount"
if [ "$exploitCount" -ne "$revExploitCount" ]; then protocol version, the operating system running on the target
# Konfiguracioni parametri za email device, and the like. For services with enumerated
SMTPServer="mail.nmapmaster.com" vulnerabilities, the report primarily provides CPE (Common
SMTPPort=587
SMTPUsername="Administrator" Platform Enumeration) [6] information. In these examples and
SMTPPassword="asdf1234" most often, the CPE comes with the /a: identifier, which
SenderEmail="vulners@nmapmaster.com" indicates the software or application. The following is a list of
RecipientEmail="lepomirp@nmapmaster.com”
Subject="Nmap Vulnerability report za Windows Server " the codes of all detected vulnerabilities for a specific application
or version (the number and level of severity of individual
if [ "$exploitCount" -gt "$prevExploitCount" ]; then vulnerabilities may differ significantly depending on the version
Dif=$((exploitCount - prevExploitCount))
of the application itself.

979-8-3503-2994-0/24/$31.00 ©2024 IEEE

Authorized licensed use limited to: Universitas Airlangga. Downloaded on May 05,2024 at 11:12:51 UTC from IEEE Xplore. Restrictions apply.
 23rd International Symposium INFOTECH-JAHORINA, 20-22 March 2024
Figure 9. Report generated by the vulners.nse script (part)
The information of extreme importance for security
administrators offered by this report is precisely the assessment
of the severity of a specific vulnerability, as well as whether
there is already a known method of exploitation, i.e. whether the
specific vulnerability has previously been used for a successful
hacking attack. These two pieces of information are crucial
when deciding on the priority of vulnerabilities for mitigation.
In this regard, all the scripts in the work are designed in such a
way that the administrator is given information in the body of
the e-mail about the number of vulnerabilities for which the
method of exploitation is already known, and it is recommended
that these are repaired first [7, 8] . Another very useful piece of
information in the report is a website where you can find detailed
information about each detected vulnerability, as well as how to
mitigate it.
VII. CONCLUSION
Based on the scripts presented in this paper, administrators
can adapt their own to specific environments and needs,
speeding up and facilitating the process of scanning information
systems, thereby increasing efficiency and reducing errors due
to the human factor.
The advantages of such solutions are easy to see: faster and
more efficient execution of scans compared to manual methods,
scripts are executed constantly in the same way that ensures
consistency and consistency, reduction of the level of risk due to
timely detection of vulnerabilities and potential threats, greater
coverage through more frequent and wider scanning of
information system, and finally, saving time and resources
because administrators can focus on analyzing results and
making key decisions instead of wasting time on repetitive
operations.
Potential disadvantages of this approach can be: errors in the
script code that can result in incomplete or incorrect results,
979-8-3503-2994-0/24/$31.00 ©2024 IEEE
Authorized licensed use limited to: Universitas Airlangga. Downloaded on May 05,2024 at 11:12:51 UTC from IEEE Xplore. Restrictions apply.
partial loss of control over the process itself due to complete
automation, intensive scanning of a large number of devices can
introduce an additional load on the network affecting the
reliability and performance of the system, also some complex
scanning and analysis scenarios may not be fully automated,
requiring manual customization and intervention.
In conclusion, automating Nmap scans through PowerShell
and Bash scripts is an effective way to manage modern IT
infrastructure and improve its security. Further development of
these tools and scripts may result in innovations that will help
organizations more effectively identify system vulnerabilities
and better protect against potential cyber threats. The research in
the paper indicates the importance of the continuous evolution
of tools and approaches to scanning information systems, to
adequately respond to the complex challenges of information
security in the future.
REFERENCES
[1] Nmap.org, https://nmap.org, accessed September 23, 2023.
[2] E. Jason, Network automation with Ansible, O'Reilly Media, Inc, USA,
2016.
[3] E G. Jason, H. Roddie and V. Srilatha, Cisco Software-Defined Access,
Cisco Press, 2021.
[4] O. WENDELL, CCNA 200-301 Official Cert Guide, Volume 2, San Jose,
CA: Cisco Press, 2020.
[5] Paulino Calderon, "Nmap Network Exploration and Security Auditing
Cookbook - Third Edition", Packt Publishing, September 2021
[6] First.org, https://first.org/cvss/, accessed September 2023.
[7] Vulners, https://vulners.com/nmap/nmap:vulners.nse, accessed
September 2023.
[8] https://nmap.org/book/output-formats-cpe.html, accessed September
2023.