nmap scanning - for speed and accuracy

nmap-scan.sh

#!/bin/bash

# nmap scanning for speed and accuracy! 
# nmap discovery and nmap scanning don't always play well together. As such,
# you should separate them out into distinct phases. 

# first we do discovery...
# a ping sweep on an internal network will find what you need.
# FIXME make the script take command line args (I've always meant to do this...)
#first, a quick ping sweep, dumping live IP's into a file:
echo "[i] Starting discovery..."
sudo nmap -n -sn -PE 192.168.0.0/22 | grep report | awk '{print $5}' > nmap-liveIPs.txt

# and now we scan, say, 50 hosts at a time, which will cause few issues ever :P
# make a file handle
COUNT = $(wc -l nmap-liveIPs.txt)
echo "[i] Starting scan of $COUNT hosts..."
echo "[i] Creating file handle..."
exec 5< nmap-liveIPs.txt

while read line1 <&5 ; do
        echo $line1 > /tmp/nmap.txt	
	for i in {1..49}; do 
		read end1 <&5; 
		if [ -z $end1 ] 
		then 
			break
		else
			echo $end1 >> /tmp/nmap.txt
		fi
	done; 
	echo "[i] Starting IP is " $line1; 
	echo "[i] Ending IP is " $end1;
	# tweak your parameters here - we'll just do -A on 1000 top ports
	# for now...
	nmap -A --top-ports 1000 -iL /tmp/nmap.txt -oX scan-$line1-to-$end1.xml
done

echo "[i] Cleaning up..."
# not deleting /tmp/nmap.txt nor ./nmap-liveIPs.txt here, just in case you 
# have to kill the scan and then work out what was going on later :P
exec 5<&-