hack3rs.ca network-security

Ndiff

Scan comparison / change detection

Ndiff compares Nmap XML scan results so defenders can identify exposure changes, service drift, and unexpected port differences over time.

how-to-learn-this-tool-like-a-defender

Work through the stages in order. Each one builds on the previous. Skipping straight to 'run a command' without knowing what the output means is how analysts end up misreading evidence under pressure.

  • $Name the specific question this tool answers — and one question it cannot answer alone.
  • $Run the simplest command in a lab against a host you control; read every field in the output before moving on.
  • $Identify which output fields are direct evidence and which are inferences the tool made on your behalf.
  • $Pull a second source — a log, a PCAP, a SIEM event — that either confirms or contradicts what the tool reported.
  • $Write down the exact command you ran, what you expected, what you got, and what you are doing next.

preflight-checklist-before-using-tool

  • $Confirm in writing: who authorized this, what hosts are in scope, and what the maximum acceptable impact is.
  • $State the question you are trying to answer — not 'run the tool' but 'confirm whether port 443 is open on 10.10.20.15'.
  • $Name the second source you will use if the tool output is ambiguous (log, PCAP, CMDB, another tool).
  • $Record the start time, the host or interface you ran it on, and the exact command — enough for another analyst to reproduce it.
  • $Know what normal output looks like for this host before you run anything in anger.

how-experts-read-output

  • $Field recognition: identify the two or three fields that directly answer your question and ignore the rest for now.
  • $Scope check: confirm the output covers the host, interface, and time window you intended — not a cached or adjacent result.
  • $Evidence type: is this a direct observation (packet captured, port open) or an inference the tool made (service guessed from banner)?
  • $Correlation: name the one other source — a log line, a PCAP stream, a CMDB entry — that would confirm or contradict this.
  • $Decision: close the question, escalate with evidence, refine the scope, or collect another source — pick one and do it.

ethical-use-and-defense-scope

Ndiff should only touch systems you are authorized to test. That includes passive tools: if it collects data, hits a service, or reads credentials, you need explicit scope before it runs.

Before you run it: write down the target, the expected output, and the stop condition. After you run it: save the commands and output so another analyst can reproduce your results without guessing.

Defenders use Ndiff to find gaps — weak configs, missing detections, credential exposure, protocol abuse paths. Attackers use the same output. Keep that tension in mind. The measure of a good lab session is what you hardened or detected afterward, not how far the tool ran.

tool-history-origin-and-purpose

  • $When created: Introduced as an Nmap companion utility in the 2000s for comparing scan outputs.
  • $Why it was created: Defenders needed a simple way to detect changes in network exposure and focus attention on deltas instead of full scan noise.

Created within the Nmap ecosystem to help users compare scan results over time instead of manually reviewing raw outputs.

why-defenders-still-use-it

People use Ndiff to support recurring audits, change validation, and drift detection for ports and services.

How the tool evolved
  • +Became a practical utility for scan delta workflows.
  • +Commonly used in scheduled audits and remediation validation.
  • +Pairs well with inventory tagging and ticketing for change review.

when-this-tool-is-a-good-fit

  • +Exposure drift detection after maintenance windows.
  • +Comparing pre/post remediation scans.
  • +Reducing analyst fatigue by focusing on deltas.

when-to-use-another-tool-or-source

  • !When you need host process/user context, pair with endpoint or OS logs.
  • !When you need ownership and business impact, pair with CMDB/ticketing/asset context.
  • !When the tool output is ambiguous, validate using a second evidence source before concluding.
  • !When production risk is high, test in a lab first and use change coordination.

1. Where Ndiff Fits in a Defender's Workflow

Ndiff compares Nmap XML scan results so defenders can identify exposure changes, service drift, and unexpected port differences over time.

The role here is "Scan comparison / change detection." That scoping matters. A triage tool used as an investigation tool produces the wrong level of depth; an investigation tool used as a monitoring tool burns analyst time. Pick the right phase, then pick the tool.

Start with a concrete question — "Is this service reachable from the DMZ?" or "Do we have stale DNS records for this domain?" — rather than opening the tool and seeing what turns up.

2. Running It Safely and Repeatably

Write down target scope, authorized impact, and a stop condition before you run anything. If the lab ends and your notes only say "ran Ndiff", the session didn't count as learning.

Baseline first. Collect one clean-state output, label it, save it. Then make your change or run your test. Without a before state, you can't tell what Ndiff actually found versus what was already there.

No tool output is self-contained. Pair Ndiff findings with packet captures, host logs, asset inventory, and change tickets before drawing conclusions.

3. Reading Output Like an Analyst

Ndiff output answers a narrow question. Check scope first: right host, right interface, right time window, right protocol layer. If any of those are off, the output is misleading, not wrong — a subtler problem.

Collect a known-good example before chasing anomalies. An analyst who has only ever seen bad output can't explain why something is suspicious — they can only say it looks different. Baseline removes that ambiguity.

Every output review ends with a decision: close it, escalate it, tune a detection, patch something, or collect more evidence. "Interesting" without a next action isn't a finding.

4. Lab Design and Practice

One goal per lab session. Not "learn Ndiff" — something specific: validate a lockout policy, catch a stale record, confirm a port is filtered end-to-end. Narrow goals produce usable results.

Run both the normal case and the failing case in the same session. The contrast is what builds judgment. Analysts who have only seen success don't recognize partial failures under pressure.

Finish with a written summary: what you observed, the evidence behind it, what you still don't know, and one thing that should change — a control, a detection, a runbook entry. That summary is the actual output of the lab.

scenario-teaching-playbooks

Work through each scenario step by step. The goal is to practice making decisions with the tool — not just executing commands — so the workflow becomes automatic before you need it under pressure.

1. Exposure drift detection after maintenance windows.

Suggested starting block: Orientation And Baseline Setup

  • $Write the question you need to answer and the exact hosts or segments you are authorized to inspect.
  • $Run the first command from the selected command block; note the timestamp and interface used.
  • $Read the output field by field — identify what the tool confirmed versus what it inferred.
  • $Check a second source (host log, SIEM alert, PCAP, ticket, or CMDB record) that covers the same time window.
  • $Write one sentence stating your finding, your confidence level, and the next action.

2. Comparing pre/post remediation scans.

Suggested starting block: Scan Comparison

  • $Write the question you need to answer and the exact hosts or segments you are authorized to inspect.
  • $Run the first command from the selected command block; note the timestamp and interface used.
  • $Read the output field by field — identify what the tool confirmed versus what it inferred.
  • $Check a second source (host log, SIEM alert, PCAP, ticket, or CMDB record) that covers the same time window.
  • $Write one sentence stating your finding, your confidence level, and the next action.

3. Reducing analyst fatigue by focusing on deltas.

Suggested starting block: Review And Document Findings

  • $Write the question you need to answer and the exact hosts or segments you are authorized to inspect.
  • $Run the first command from the selected command block; note the timestamp and interface used.
  • $Read the output field by field — identify what the tool confirmed versus what it inferred.
  • $Check a second source (host log, SIEM alert, PCAP, ticket, or CMDB record) that covers the same time window.
  • $Write one sentence stating your finding, your confidence level, and the next action.

cli-workflows

Lab-safe commands for authorized environments. Run each one, read the output, and note what field or value tells you something useful before moving to the next.

cli-walkthroughs-with-expected-output

One command per block, with sample output. Study the output before you run the command yourself — you should recognize what you are looking at when it appears on your screen.

Orientation And Baseline Setup

Beginner
Command
ndiff -h
Example Output
Ndiff 7.94 ( https://nmap.org/ndiff/ )
Usage: ndiff [option] FILE1 FILE2

File arguments FILE1 and FILE2 are Nmap XML output files.

  -h, --help     display this help
  -v, --verbose  also show hosts and ports that haven't changed
      --text     output in text format (default)
      --xml      output in XML format

$ how to read it: Read the key fields — host, port, protocol, state — then ask whether the output answers the question you started with. If it raises a new question instead, collect a second source before drawing a conclusion.

Scan Comparison

Intermediate
Command
ndiff tool-labs/ndiff/scans/baseline.xml tool-labs/ndiff/scans/current.xml
Example Output
Nmap 7.94 scan initiated against 192.168.1.0/24

Host: 192.168.1.15 (db.lab)
+Ports: 3306/open/tcp//mysql///

Host: 192.168.1.20 (old-host.lab)
-Ports: 8080/open/tcp

$ how to read it: Lines prefixed with + exist only in the current scan (FILE2); lines prefixed with - exist only in the baseline (FILE1). Read the key fields — host, port, protocol, state — then ask whether the output answers the question you started with. If it raises a new question instead, collect a second source before drawing a conclusion.

Review And Document Findings

Advanced
Command
grep -E "^\+" tool-labs/ndiff/artifacts/delta.xml | head -20   # new entries in current scan
Example Output
Nmap 7.94 scan initiated against 192.168.1.0/24

Host: 192.168.1.15 (db.lab)
+Ports: 3306/open/tcp//mysql///

Host: 192.168.1.20 (old-host.lab)
-Ports: 8080/open/tcp

$ how to read it: The --xml option writes XML, whose lines do not begin with + or -, so this grep matches nothing when run against delta.xml; point it at the default text-format diff (ndiff baseline.xml current.xml) to get the lines shown here. Read the key fields — host, port, protocol, state — then ask whether the output answers the question you started with. If it raises a new question instead, collect a second source before drawing a conclusion.

command-anatomy-and-expert-usage

Each card explains what the command is for, what can go wrong, and what the output means. Syntax is easy to look up; knowing which command to reach for — and what to ignore in the output — is the skill worth building.

Orientation And Baseline Setup

Beginner
Command
ndiff -h
Command Anatomy
  • $Base command: ndiff
  • $Primary arguments/options: -h
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Collect, validate, or document evidence in a defensive workflow.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Baseline command: learn what normal output looks like.

Sample output and interpretation notes
Ndiff 7.94 ( https://nmap.org/ndiff/ )
Usage: ndiff [option] FILE1 FILE2

File arguments FILE1 and FILE2 are Nmap XML output files.

  -h, --help     display this help
  -v, --verbose  also show hosts and ports that haven't changed
      --text     output in text format (default)
      --xml      output in XML format

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Orientation And Baseline Setup

Beginner
Command
nmap -sV -oX tool-labs/ndiff/scans/baseline.xml 192.168.1.0/24   # scan authorized scope
Command Anatomy
  • $Base command: nmap
  • $Primary arguments/options: -sV -oX tool-labs/ndiff/scans/baseline.xml 192.168.1.0/24
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Discovery, reachability testing, or service/version validation.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Intermediate step: refine scope or extract more useful evidence.

Sample output and interpretation notes
Nmap 7.94 scan initiated against 192.168.1.0/24

Host: 192.168.1.15 (db.lab)
+Ports: 3306/open/tcp//mysql///

Host: 192.168.1.20 (old-host.lab)
-Ports: 8080/open/tcp

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Orientation And Baseline Setup

Beginner
Command
mkdir -p tool-labs/ndiff/{scans,notes,artifacts}
Command Anatomy
  • $Base command: mkdir
  • $Primary arguments/options: -p tool-labs/ndiff/{scans,notes,artifacts}
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Collect, validate, or document evidence in a defensive workflow.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Advanced step: use after baseline and validation are understood.

Sample output and interpretation notes
# no output — directory created successfully

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Scan Comparison

Intermediate
Command
ndiff tool-labs/ndiff/scans/baseline.xml tool-labs/ndiff/scans/current.xml
Command Anatomy
  • $Base command: ndiff
  • $Primary arguments/options: tool-labs/ndiff/scans/baseline.xml tool-labs/ndiff/scans/current.xml
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Collect, validate, or document evidence in a defensive workflow.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Baseline command: learn what normal output looks like.

Sample output and interpretation notes
Nmap 7.94 scan initiated against 192.168.1.0/24

Host: 192.168.1.15 (db.lab)
+Ports: 3306/open/tcp//mysql///

Host: 192.168.1.20 (old-host.lab)
-Ports: 8080/open/tcp

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Scan Comparison

Intermediate
Command
ndiff --verbose tool-labs/ndiff/scans/baseline.xml tool-labs/ndiff/scans/current.xml
Command Anatomy
  • $Base command: ndiff
  • $Primary arguments/options: --verbose tool-labs/ndiff/scans/baseline.xml tool-labs/ndiff/scans/current.xml
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Collect, validate, or document evidence in a defensive workflow.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Intermediate step: refine scope or extract more useful evidence.

Sample output and interpretation notes
Nmap 7.94 scan initiated against 192.168.1.0/24

Host: 192.168.1.10 (webserver.lab)
 Ports: 22/open/tcp, 80/open/tcp, 443/open/tcp  (unchanged)

Host: 192.168.1.15 (db.lab)
+Ports: 3306/open/tcp//mysql///  (new — not in baseline)
 Ports: 22/open/tcp  (unchanged)

Host: 192.168.1.20 (old-host.lab)
-Ports: 8080/open/tcp  (was open, now closed)

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Scan Comparison

Intermediate
Command
ndiff --xml tool-labs/ndiff/scans/baseline.xml tool-labs/ndiff/scans/current.xml > tool-labs/ndiff/artifacts/delta.xml
Command Anatomy
  • $Base command: ndiff
  • $Primary arguments/options: --xml tool-labs/ndiff/scans/baseline.xml tool-labs/ndiff/scans/current.xml > tool-labs/ndiff/artifacts/delta.xml
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Collect, validate, or document evidence in a defensive workflow.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Advanced step: use after baseline and validation are understood.

Sample output and interpretation notes
Nmap 7.94 scan initiated against 192.168.1.0/24

Host: 192.168.1.15 (db.lab)
+Ports: 3306/open/tcp//mysql///

Host: 192.168.1.20 (old-host.lab)
-Ports: 8080/open/tcp

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Review And Document Findings

Advanced
Command
grep -E "^\+" tool-labs/ndiff/artifacts/delta.xml | head -20   # new entries in current scan
Command Anatomy
  • $Base command: grep
  • $Primary arguments/options: -E "^\+" tool-labs/ndiff/artifacts/delta.xml | head -20
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Quick evidence extraction from logs or command output.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Baseline command: learn what normal output looks like.

Sample output and interpretation notes
Nmap 7.94 scan initiated against 192.168.1.0/24

Host: 192.168.1.15 (db.lab)
+Ports: 3306/open/tcp//mysql///

Host: 192.168.1.20 (old-host.lab)
-Ports: 8080/open/tcp

$ expert reading pattern: The + and - prefixes only appear in ndiff's text output; the --xml delta saved in delta.xml contains no such lines, so run this grep against saved text-format output. Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Review And Document Findings

Advanced
Command
grep -E "^-" tool-labs/ndiff/artifacts/delta.xml | head -20     # entries removed since baseline
Command Anatomy
  • $Base command: grep
  • $Primary arguments/options: -E "^-" tool-labs/ndiff/artifacts/delta.xml | head -20
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Quick evidence extraction from logs or command output.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Intermediate step: refine scope or extract more useful evidence.

Sample output and interpretation notes
Nmap 7.94 scan initiated against 192.168.1.0/24

Host: 192.168.1.15 (db.lab)
+Ports: 3306/open/tcp//mysql///

Host: 192.168.1.20 (old-host.lab)
-Ports: 8080/open/tcp

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Review And Document Findings

Advanced
Command
printf "finding,owner,action,status\n" > tool-labs/ndiff/notes/actions.csv
Command Anatomy
  • $Base command: printf
  • $Primary arguments/options: "finding,owner,action,status\n" > tool-labs/ndiff/notes/actions.csv
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Collect, validate, or document evidence in a defensive workflow.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Advanced step: use after baseline and validation are understood.

Sample output and interpretation notes
# no terminal output; tool-labs/ndiff/notes/actions.csv now contains:
finding,owner,action,status

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Orientation And Baseline Setup

ndiff -h
nmap -sV -oX tool-labs/ndiff/scans/baseline.xml 192.168.1.0/24   # scan authorized scope
mkdir -p tool-labs/ndiff/{scans,notes,artifacts}

Scan Comparison

ndiff tool-labs/ndiff/scans/baseline.xml tool-labs/ndiff/scans/current.xml
ndiff --verbose tool-labs/ndiff/scans/baseline.xml tool-labs/ndiff/scans/current.xml
ndiff --xml tool-labs/ndiff/scans/baseline.xml tool-labs/ndiff/scans/current.xml > tool-labs/ndiff/artifacts/delta.xml

Review And Document Findings

grep -E "^\+" tool-labs/ndiff/artifacts/delta.xml | head -20   # new entries in current scan
grep -E "^-" tool-labs/ndiff/artifacts/delta.xml | head -20     # entries removed since baseline
printf "finding,owner,action,status\n" > tool-labs/ndiff/notes/actions.csv

defensive-use-cases

  • $Exposure drift detection after maintenance windows.
  • $Comparing pre/post remediation scans.
  • $Reducing analyst fatigue by focusing on deltas.

common-mistakes

  • $Comparing scans with different scope/options and misreading deltas.
  • $Failing to validate whether a change is expected from a documented deployment.
  • $Treating diff output as complete risk prioritization without asset context.
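What a scan comparison does underneath, as an added example that is not part of this page or of Nmap's own ndiff code: parse two Nmap XML files and list the open ports that appeared, disappeared or changed service, after first checking that both scans used the same options and targets (the first common mistake listed above). The two scan documents are constructed inline, and the scope check relies on the args attribute Nmap writes into the nmaprun element.

```python
import xml.etree.ElementTree as ET

# Added example for this page, not Nmap's own ndiff code. Sample scans below are constructed
# (not real Nmap output) and carry only the fields the delta needs.
BASELINE_XML = """<nmaprun args="nmap -sV -oX baseline.xml 192.168.1.0/24">
<host><status state="up"/><address addr="192.168.1.15"/><hostnames><hostname name="db.lab"/></hostnames>
<ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port></ports></host>
<host><status state="up"/><address addr="192.168.1.20"/><hostnames><hostname name="old-host.lab"/></hostnames>
<ports><port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port></ports></host>
</nmaprun>"""

CURRENT_XML = """<nmaprun args="nmap -sV -oX current.xml 192.168.1.0/24">
<host><status state="up"/><address addr="192.168.1.15"/><hostnames><hostname name="db.lab"/></hostnames>
<ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port></ports></host>
<host><status state="up"/><address addr="192.168.1.20"/><hostnames><hostname name="old-host.lab"/></hostnames>
<ports><port protocol="tcp" portid="8080"><state state="closed"/></port></ports></host>
</nmaprun>"""


def scan_scope(root):
    """Options and targets from the nmaprun args attribute, minus the -oX output path."""
    tokens = root.get("args", "").split()[1:]  # drop the nmap binary itself
    scope = []
    for i, tok in enumerate(tokens):
        if tok == "-oX" or (i and tokens[i - 1] == "-oX"):
            continue  # the output file name differs per run by design
        scope.append(tok)
    return tuple(scope)


def open_ports(root):
    """Map host label -> {(proto, port): service name} for open ports on live hosts."""
    result = {}
    for host in root.findall("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address").get("addr")
        name = host.find("hostnames/hostname")
        label = f"{addr} ({name.get('name')})" if name is not None else addr
        ports = {}
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not exposure
            svc = port.find("service")
            ports[(port.get("protocol"), int(port.get("portid")))] = (
                svc.get("name", "") if svc is not None else "")
        result[label] = ports
    return result


def port_delta(baseline_xml, current_xml):
    """Return (added, removed, changed) as lists of (host, proto, port, service).
    Refuses to compare scans whose options or targets differ."""
    a_root, b_root = ET.fromstring(baseline_xml), ET.fromstring(current_xml)
    if scan_scope(a_root) != scan_scope(b_root):
        raise ValueError(f"scope mismatch: {scan_scope(a_root)} vs {scan_scope(b_root)}")
    a, b = open_ports(a_root), open_ports(b_root)
    added, removed, changed = [], [], []
    for host in sorted(set(a) | set(b)):
        before, after = a.get(host, {}), b.get(host, {})
        for key in sorted(set(before) | set(after)):
            proto, port = key
            if key not in before:
                added.append((host, proto, port, after[key]))       # + in ndiff terms
            elif key not in after:
                removed.append((host, proto, port, before[key]))    # - in ndiff terms
            elif before[key] != after[key]:
                changed.append((host, proto, port, f"{before[key]} -> {after[key]}"))
    return added, removed, changed


if __name__ == "__main__":
    added, removed, changed = port_delta(BASELINE_XML, CURRENT_XML)
    print("added:", added, "\nremoved:", removed, "\nchanged:", changed)
```

Swap the inline strings for the contents of baseline.xml and current.xml to run it against your own lab scans.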

expert-habits-for-free-self-study

Free teaching resource. The loop that makes analysts better: ask a precise question, collect evidence, read it carefully, validate against a second source, document what you found, and repeat with a harder question.

  • $Pick the least disruptive command that can still answer the question — then run that one first.
  • $Before you look at output, write one sentence stating what you expect to see.
  • $Mark each output field as 'observed' or 'inferred by tool' before acting on it.
  • $Save the exact command with flags and target — not a paraphrase — so another analyst can run the same thing.
  • $During a quiet period, capture what normal output looks like from key hosts; store those samples where you can find them during an incident.
  • $When you escalate, include the command output, the timestamp, and one sentence on why it matters — not just 'looks suspicious'.

knowledge-check

  • ?What question is this tool best suited to answer first?
  • ?What permissions or scope approvals are needed before using it?
  • ?Which second evidence source should you pair with it for higher confidence?
  • ?What does normal output look like for your environment?

teaching-answer-guide

Teaching hints
  • #Start from the tool’s role and the scenario you are investigating.
  • #Never rely on one tool alone for high-confidence incident decisions.
  • #Document normal output patterns during calm periods so anomalies are easier to spot.
  • #Prefer lab validation for new commands, rules, or scans before production use.

practice-plan

# Pick one specific question Ndiff can answer in your lab, write it down, then write the authorized scope before opening the tool.
# Run the normal case first. Save the output, label it, note the exact command. That is your baseline.
# Run the failure or misconfiguration case. Document what changed in the output and how you would recognize it without already knowing the answer.
# Write a three-sentence summary: what you observed, what evidence supports it, and what you would do next in a real incident.
