Artifacts

Posts Tagged ‘SQLite’


Nmap / Zenmap

Posted by:  /  Tags: , , ,

Author Name
Frank McClain

Artifact Name
Nmap/Zenmap

Artifact/Program Version
4.6, 5.1

Description
Artifacts remaining on system after a scan using Nmap/Zenmap (especially Zenmap).  This is not from the standpoint of showing that the application was run, or by whom (so no prefetch, user assist, etc), nor proving that the application was installed at some point. This is from the standpoint of showing the use (ie, how) an application was put to, and the timeframe (ie, when) involved.

In c:\program files\nmap\zenmap\ a file was created when a scan was saved.  This had the same user-selected name as the saved scan, with the extension USR.  So if the scan saved was “test” then the subsequent file would be “test.usr.”  If you find one of these, you can bet the user saved a scan; this file should be identical to that.  It is an XML file that has all the information about the scan.

In %User%\.zenmap (hidden folder) there are primarily three files of interest:  recent_scans.txt, target_list.txt and zenmap.db. Recent_scans.txt is a list of saved scans (or perhaps the .USR instance, it’s inconclusive at this point); all it has is a list of files with their paths.  Target_list.txt is a list of all target IP addresses, separated by semicolons; it has no other information, not even an associated date.  Zenmap.db is the fun one; it’s a SQLite database that contains a history of what scans were run – type of scan, target IP, XML output (ie, basic scan detail) and time.

%User%\%Local%\Temp has another potential treasure trove of evidence.  You may find temporary files (with no extension) located at this level.  Some contain no data, some contain only a small amount, and others provide a detailed breakdown of the scan, really the veritable motherlode, as it shows the time of the scan, each target port, protocol, scan times, and so on.  Very good stuff, when present.  The temporary files that had only a little content basically mirrored the type of content in the USR files, so if you don’t have one, you might have the other and still have some insight into the scan.

And a slightly tangential question posed on twitter was how to identify a scan with packets.  Fairly simple, right – just start Wireshark, run an Nmap scan, and review the results.  Turns out across multiple types of scans run, that there are 60-byte packets, and all have the following content:  00 0d 60 da b4 e7 00 11  25 d1 04 e0 08 00 45 00.  That’s obviously not the entire contents of each packet, but that was consistent across all packets I saw.

File Locations
c:\program files\nmap\zenmap\*.usr (where * is the user-provided filename)
%User%\.zenmap\recent_scans.txt
%User%\.zenmap\target_list.txt
%User%\.zenmap\zenmap.db (SQLite db)
%User%\%Local%\Temp\tmpf5nhgm (these all start with “tmp” and appear to have 6 more characters following)

Research Links
http://forensicaliente.blogspot.com/2011/10/artifacts-created-by-nmapzenmap.html

Forensic Programs of Use
Nmap for Windows (cli) – http://nmap.org/download.html
Zenmap GUI for Nmap for Windows – http://nmap.org/download.html
SQLite Database Browser – http://sqlitebrowser.sourceforge.net/
Wireshark – http://www.wireshark.org/download.html