Introducing LazyMap, a new script I have been working on.

What does it do?

It is simply a bash script that automates the NMAP tool to assist with internal network scans.

Why use it?

For anyone who has worked in a cold data centre will appreciate that running NMAP over many VLANs with cold hands can be a bit boring. This makes life a lot easier to manage results and more.

The script basically uses NMAP and asks a series of questions and then scans all the live hosts. It feeds the live hosts into full scans and then will output all the unique ports and even will create a Nessus policy for the ports open. This is a much quicker way to Nessus devices.  You can specify which interface to scan from and allows you to easily scan multiple VLANs at once.

This is still work in progress and I come across the odd scenario on a test where I make some modifications. But it really has been a useful script to get consistent scans and output.

This really only works properly with Backtrack 5. Due to the way it opens new terminals for each scan. If you are using anythingother than Backtrack, you may find it will only run one scan at a time. So ideally use Backtrack 5 and it will run fine.


Download from the NCC Open Source GitHub Repository below:

Tested on Backtrack 5 and Kali only. Run as root.


Detailed information and screen shots are below:

You can specify which interface to scan from. For a lot of internal work you may have 10x VLANs to scan and have been given 10x pre-configured switch ports. It can be rather boring watching Nmap run on one at a time, then switching ports.




I have 4x USB Ethernet cards which are only £12 each.. So I can scan multiple VLANs at once without any confusion of status or results as each window states which VLAN/name. This is worth every penny if you have 10-20 separate VLANs and a massive time saving tool. All you do is run one instance of the script on each network interface, so just run the script again and pick another interface.




If needed it will setup your static IP/Gateway for you.


Enter the client ref or VLAN ref. It will create a folder for that job and save all output into there.

You can scan single IP/range or give it a input list just as normal. Basically any normal NMAP input – so,, 192.168.10/24 or a a list with the IPs /tmp/ips.txt (must be exact path)



It will display just the live hosts if finds (doesn’t just do ping sweep). If it doesn’t find any live hosts via NMAP it will arp-scan the IPs/range you entered.






It will then scan just the live hosts. This should launch 4x terminals at once – this may not work on non B.T versions.. ideally use B.T5 and I know that works. If you find it is doing just one scan at a time, then try BT5.



If the full TCP or UDP scans look like with take ages (i.e 2-4 hours) and you need it quicker, just press CTRL C in that window and it will auto stop the T4 scan, clean up files and start that scan again using T5 and continue.




Once all the scans are complete (Full TCP, Common TCP, Quick UDP and Safe Script) press ENTER on the first screen and it will output all unique TCP and UDP ports which are formatted correctly so you can paste these straight into a custom Nessus policy for ease.



It can also auto generate a Nessus Policy for you.


Just export the Internal Nessus policy (check script header for info/settings/name) and place in the same directory as the script and it will detect if it is there and create a custom file for you based on the ports it finds and name it. It switches on some options, but some you need to ensure are set when you first export the template.


Every scan you then run LazyMap will detect this default Nessus policy and create you a new policy file for each scan with just the custom ports. You only need to replace the template file when you update your plugins, otherwise keep the same one there. It will make more sense once you try it. It doest matter what the file is called, just go into polices in Nessus and export one and copy it to the LazyMap directory.

Just import the generated policy from the Lazymap scan  into Nessus and paste in the live hosts only and it will be much faster. Scanning just the custom ports and live hosts in Nessus makes a massive difference to the speed and accuracy of findings. I have noticed if you have a massive amount of ports the Nessus Flash interface doest seem to like a huge amount of ports. But if you use the HTML5 interface /html5.html#/ it works perfect.

Remember to replace the template Nessus file within the same directory as the Lazymap script. It can be called any name and any extension as it greps for it. Also remember when you update plugins to replace this file to ensure you have the latest modules.

The script will turn on “safe checks”, “consider unscanned ports as closed”. You ideally want to turn on manually on your Nessus policy before you export it into the LazyMap directory as the template (“UDP Scan”, “SNMP Scan”, “SYN Scan” and turn off “Ping host”

A lot of people seem to NMAP network ranges, then Nessus the range again. This will take ages and NMAP will be more accurate for port scans. So the best way I find is to NMAP the ranges, then use a custom policy in Nessus on just the live hosts and scanning only the unique ports open. This makes it way faster and gives more accurate results.


It will also give a summary of start/stop times for audit use (saves to a file also) so you can see if all scans have worked ok.



It saves all hosts up/down, scan types and unique ports, Nessus policy etc  in the client/ref directory. Handy when a client says you didn’t scan a box, you can prove what was up and down. Or when they say you crashed it have the times all to handy easier.




You can also turn scans on/off within the header. You may just want to run a full tcp and quick UDP. It will by default run Full TCP, Quick UDP, Common Ports and a Safe Script Scan.