Nmap Network Exploration and Security Auditing Cookbook, Third Edition - Third Edition

By : Paulino Calderon

Nmap Network Exploration and Security Auditing Cookbook, Third Edition - Third Edition

By: Paulino Calderon

Overview of this book

Nmap is one of the most powerful tools for network discovery and security auditing used by millions of IT professionals, from system administrators to cybersecurity specialists. This third edition of the Nmap: Network Exploration and Security Auditing Cookbook introduces Nmap and its family - Ncat, Ncrack, Ndiff, Zenmap, and the Nmap Scripting Engine (NSE) - and guides you through numerous tasks that are relevant to security engineers in today’s technology ecosystems. The book discusses some of the most common and useful tasks for scanning hosts, networks, applications, mainframes, Unix and Windows environments, and ICS/SCADA systems. Advanced Nmap users can benefit from this book by exploring the hidden functionalities within Nmap and its scripts as well as advanced workflows and configurations to fine-tune their scans. Seasoned users will find new applications and third-party tools that can help them manage scans and even start developing their own NSE scripts. Practical examples featured in a cookbook format make this book perfect for quickly remembering Nmap options, scripts and arguments, and more. By the end of this Nmap book, you will be able to successfully scan numerous hosts, exploit vulnerable areas, and gather valuable information.

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the color images

Conventions used

Get in touch

Share Your Thoughts

Chapter 1: Nmap Fundamentals

Technical requirements

Building Nmap's source code

Finding online hosts

Listing open ports on a target

Fingerprinting OSes and services running on a target

Using NSE scripts against a target host

Scanning random targets on the internet

Collecting signatures of web servers

Scanning with Rainmap Lite

Free Chapter

Chapter 2: Getting Familiar with Nmap's Family

Monitoring servers remotely with Nmap and Ndiff

Crafting ICMP echo replies with Nping

Managing multiple scanning profiles with Zenmap

Running Lua scripts against a network connection with Ncat

Discovering systems with weak passwords with Ncrack

Using Ncat to diagnose a network client

Defending against Nmap service detection scans

Chapter 3: Network Scanning

Discovering hosts with TCP SYN ping scans

Discovering hosts with TCP ACK ping scans

Discovering hosts with UDP ping scans

Discovering hosts with ICMP ping scans

Discovering hosts with SCTP INIT ping scans

Discovering hosts with IP protocol ping scans

Discovering hosts with ARP ping scans

Performing advanced ping scans

Discovering hosts with broadcast ping scans

Scanning IPv6 addresses

Spoofing the origin IP of a scan

Using port scanning for host discovery

Chapter 4: Reconnaissance Tasks

Performing IP address geolocation

Getting information from WHOIS records

Obtaining traceroute geolocation information

Querying Shodan to obtain target information

Collecting valid email accounts and IP addresses from web servers

Discovering hostnames pointing to the same IP address

Discovering hostnames by brute-forcing DNS records

Matching services with public vulnerability advisories and picking the low-hanging fruit

Chapter 5: Scanning Web Servers

Listing supported HTTP methods

Discovering interesting files and folders on web servers

Brute forcing HTTP authentication

Brute forcing web applications

Detecting web application firewalls

Detecting possible XST vulnerabilities

Detecting XSS vulnerabilities

Finding SQL injection vulnerabilities

Finding web applications with default credentials

Detecting insecure cross-domain policies

Detecting exposed source code control systems

Auditing the strength of cipher suites in SSL servers

Chapter 6: Scanning Databases

Listing MySQL databases

Listing MySQL users

Listing MySQL variables

Brute-forcing MySQL passwords

Finding root accounts with an empty password in MySQL servers

Detecting insecure configurations in MySQL servers

Brute forcing Oracle passwords

Brute forcing Oracle SID names

Retrieving information from MS SQL servers

Brute forcing MS SQL passwords

Dumping password hashes of MS SQL servers

Running commands through xp_cmdshell in MS SQL servers

Finding system administrator accounts with empty passwords in MS SQL servers

Obtaining information from MS SQL servers with NTLM enabled

Retrieving MongoDB server information

Detecting MongoDB instances with no authentication enabled

Listing MongoDB databases

Listing CouchDB databases

Retrieving CouchDB database statistics

Detecting Cassandra databases with no authentication enabled

Brute forcing Redis passwords

Chapter 7: Scanning Mail Servers

Detecting SMTP open relays

Brute-forcing SMTP passwords

Detecting suspicious SMTP servers

Enumerating SMTP usernames

Brute-forcing IMAP passwords

Retrieving the capabilities of an IMAP server

Brute-forcing POP3 passwords

Retrieving the capabilities of a POP3 server

Retrieving information from SMTP servers with NTLM authentication

Chapter 8: Scanning Windows Systems

Obtaining system information from SMB

Detecting Windows clients with SMB signing disabled

Detecting IIS web servers that disclose Windows 8.3 names

Detecting Windows hosts vulnerable to MS08-067 and MS17-010

Retrieving the NetBIOS name and MAC address of a host

Enumerating user accounts of Windows targets

Enumerating shared folders

Enumerating SMB sessions

Finding domain controllers

Detecting the Shadow Brokers' DOUBLEPULSAR SMB implants

Listing supported SMB protocols

Detecting vulnerabilities using the SMB2/3 boot-time field

Detecting whether encryption is enforced in SMB servers

Chapter 9: Scanning ICS/SCADA Systems

Finding common ports used in ICS/SCADA systems

Finding HMI systems

Enumerating Siemens SIMATIC S7 PLCs

Enumerating Modbus devices

Enumerating BACnet devices

Enumerating Ethernet/IP devices

Enumerating Niagara Fox devices

Enumerating ProConOS devices

Enumerating Omrom PLC devices

Enumerating PCWorx devices

Chapter 10: Scanning Mainframes

Listing CICS transaction IDs in IBM mainframes

Enumerating CICS user IDs for the CESL/CESN login screen

Brute-forcing z/OS JES NJE node names

Enumerating z/OS TSO user IDs

Brute-forcing z/OS TSO accounts

Listing VTAM application screens

Chapter 11: Optimizing Scans

Skipping phases to speed up scans

Selecting the correct timing template

Adjusting timing parameters

Adjusting performance parameters

Adjusting scan groups

Distributing a scan among several clients using dnmap

Chapter 12: Generating Scan Reports

Saving scan results in a normal format

Saving scan results in an XML format

Saving scan results to a SQLite database

Saving scan results in a grepable format

Generating a network topology graph with Zenmap

Generating HTML scan reports

Reporting vulnerability checks

Generating PDF reports with fop

Saving NSE reports in Elasticsearch

Visualizing Nmap scan results with IVRE

Chapter 13: Writing Your Own NSE Scripts

Making HTTP requests to identify vulnerable Supermicro IPMI/BMC controllers

Sending UDP payloads using NSE sockets

Generating vulnerability reports in NSE scripts

Exploiting an SMB vulnerability

Writing brute-force password auditing scripts

Crawling web servers to detect vulnerabilities

Working with NSE threads, condition variables, and mutexes in NSE

Writing a new NSE library in Lua

Writing a new NSE library in C/C++

Getting your scripts ready for submission

Chapter 14: Exploiting Vulnerabilities with the Nmap Scripting Engine

Generating vulnerability reports in NSE scripts

Writing brute-force password auditing scripts

Crawling web servers to detect vulnerabilities

Exploiting SMB vulnerabilities

Other Books You May Enjoy

Packt is searching for authors like you

Share Your Thoughts

Appendix A: HTTP, HTTP Pipelining, and Web Crawling Configuration Options

HTTP user agent

Appendix Β: Brute-Force Password Auditing Options

Brute modes

Appendix C: NSE Debugging

Debugging NSE scripts

Exception handling

Appendix D: Additional Output Options

Saving output in all formats

Appending Nmap output logs

Including debugging information in output logs

Including the reason for a port or host state

OS detection in verbose mode

Appendix Ε: Introduction to Lua

Flow control structures

Data types

String handling

Common data structures

I/O operations

Coroutines

Metatables

Things to remember when working with Lua

Appendix F: References and Additional Reading

Why subscribe?

Customer Reviews

5 star

4 star

3 star

2 star

1 star

Dumping password hashes of MS SQL servers

After gaining access to an MS SQL server, we can dump all the password hashes of the server to compromise other accounts. Nmap can help us retrieve these hashes in a format usable by popular cracking tools such as John the Ripper.

This recipe shows how to dump password hashes of an MS SQL server with Nmap.

How to do it...

To dump all the password hashes of an MS SQL server with an empty system administrator password, run the following Nmap command:

$ nmap -p1433 --script ms-sql-empty-password,ms-sql-dump-hashes
<target>

The password hashes will be included in the script output section:

PORT     STATE SERVICE  VERSION
1433/tcp open   ms-sql-s Microsoft SQL Server 2011 Service Info: CPE: cpe:/o:microsoft:windows
Host script results:
| ms-sql-empty-password:
|   [192.168.1.102\MSSQLSERVER]
|_    sa:<empty> => Login Success
| ms...

Nmap Network Exploration and Security Auditing Cookbook, Third Edition - Third Edition

By : Paulino Calderon

Nmap Network Exploration and Security Auditing Cookbook, Third Edition - Third Edition

By: Paulino Calderon

Overview of this book

Related Content you might be interested in

Current Title:

Nmap Network Exploration and Security Auditing Cookbook, Third Edition - Third Edition

Network Scanning Cookbook

Industrial Cybersecurity

Kali Linux 2018: Assuring Security by Penetration Testing

Dumping password hashes of MS SQL servers

How to do it...