Book Image

Nmap 6: Network Exploration and Security Auditing Cookbook

Book Image

Nmap 6: Network Exploration and Security Auditing Cookbook

Overview of this book

Nmap is a well known security tool used by penetration testers and system administrators. The Nmap Scripting Engine (NSE) has added the possibility to perform additional tasks using the collected host information. Tasks like advanced fingerprinting and service discovery, information gathering, and detection of security vulnerabilities."Nmap 6: Network exploration and security auditing cookbook" will help you master Nmap and its scripting engine. You will learn how to use this tool to do a wide variety of practical tasks for pentesting and network monitoring. Finally, after harvesting the power of NSE, you will also learn how to write your own NSE scripts."Nmap 6: Network exploration and security auditing cookbook" is a book full of practical knowledge for every security consultant, administrator or enthusiast looking to master Nmap. The book overviews the most important port scanning and host discovery techniques supported by Nmap. You will learn how to detect mis-configurations in web, mail and database servers and also how to implement your own monitoring system. The book also covers tasks for reporting, scanning numerous hosts, vulnerability detection and exploitation, and its strongest aspect; information gathering.

Related Content you might be interested in

Current Title:

Small book image
Nmap 6: Network Exploration and Security Auditing Cookbook
Nov, 2012 | 318 pages
No titles found
Table of Contents (18 chapters)
Nmap 6: Network Exploration and Security Auditing Cookbook
Nmap 6: Network Exploration and Security Auditing Cookbook
Credits
Credits
About the Author
About the Author
Acknowledgement
Acknowledgement
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Nmap Fundamentals
Nmap Fundamentals
Introduction
Downloading Nmap from the official source code repository
Compiling Nmap from source code
Listing open ports on a remote host
Fingerprinting services of a remote host
Finding live hosts in your network
Scanning using specific port ranges
Running NSE scripts
Scanning using a specified network interface
Comparing scan results with Ndiff
Managing multiple scanning profiles with Zenmap
Detecting NAT with Nping
Monitoring servers remotely with Nmap and Ndiff
2
Network Exploration
Network Exploration
Introduction
Discovering hosts with TCP SYN ping scans
Discovering hosts with TCP ACK ping scans
Discovering hosts with UDP ping scans
Discovering hosts with ICMP ping scans
Discovering hosts with IP protocol ping scans
Discovering hosts with ARP ping scans
Discovering hosts using broadcast pings
Hiding our traffic with additional random data
Forcing DNS resolution
Excluding hosts from your scans
Scanning IPv6 addresses
Gathering network information with broadcast scripts
3
Gathering Additional Host Information
Gathering Additional Host Information
Introduction
Geolocating an IP address
Getting information from WHOIS records
Checking if a host is known for malicious activities
Collecting valid e-mail accounts
Discovering hostnames pointing to the same IP address
Brute forcing DNS records
Fingerprinting the operating system of a host
Discovering UDP services
Listing protocols supported by a remote host
Discovering stateful firewalls by using a TCP ACK scan
Matching services with known security vulnerabilities
Spoofing the origin IP of a port scan
4
Auditing Web Servers
Auditing Web Servers
Introduction
Listing supported HTTP methods
Checking if an HTTP proxy is open
Discovering interesting files and directories on various web servers
Brute forcing HTTP authentication
Abusing mod_userdir to enumerate user accounts
Testing default credentials in web applications
Brute-force password auditing WordPress installations
Brute-force password auditing Joomla! installations
Detecting web application firewalls
Detecting possible XST vulnerabilities
Detecting Cross Site Scripting vulnerabilities in web applications
Finding SQL injection vulnerabilities in web applications
Detecting web servers vulnerable to slowloris denial of service attacks
5
Auditing Databases
Auditing Databases
Introduction
Listing MySQL databases
Listing MySQL users
Listing MySQL variables
Finding root accounts with empty passwords in MySQL servers
Brute forcing MySQL passwords
Detecting insecure configurations in MySQL servers
Brute forcing Oracle passwords
Brute forcing Oracle SID names
Retrieving MS SQL server information
Brute forcing MS SQL passwords
Dumping the password hashes of an MS SQL server
Running commands through the command shell on MS SQL servers
Finding sysadmin accounts with empty passwords on MS SQL servers
Listing MongoDB databases
Retrieving MongoDB server information
Listing CouchDB databases
Retrieving CouchDB database statistics
6
Auditing Mail Servers
Auditing Mail Servers
Introduction
Discovering valid e-mail accounts using Google Search
Detecting open relays
Brute forcing SMTP passwords
Enumerating users in an SMTP server
Detecting backdoor SMTP servers
Brute forcing IMAP passwords
Retrieving the capabilities of an IMAP mail server
Brute forcing POP3 passwords
Retrieving the capabilities of a POP3 mail server
Detecting vulnerable Exim SMTP servers version 4.70 through 4.75
7
Scanning Large Networks
Scanning Large Networks
Introduction
Scanning an IP address range
Reading targets from a text file
Scanning random targets
Skipping tests to speed up long scans
Selecting the correct timing template
Adjusting timing parameters
Adjusting performance parameters
Collecting signatures of web servers
Distributing a scan among several clients using Dnmap
8
Generating Scan Reports
Generating Scan Reports
Introduction
Saving scan results in normal format
Saving scan results in an XML format
Saving scan results to a SQLite database
Saving scan results in a grepable format
Generating a network topology graph with Zenmap
Generating an HTML scan report
Reporting vulnerability checks performed during a scan
9
Writing Your Own NSE Scripts
Writing Your Own NSE Scripts
Introduction
Making HTTP requests to identify vulnerable Trendnet webcams
Sending UDP payloads by using NSE sockets
Exploiting a path traversal vulnerability with NSE
Writing a brute force script
Working with the web crawling library
Reporting vulnerabilities correctly in NSE scripts
Writing your own NSE library
Working with NSE threads, condition variables, and mutexes in NSE
References
References
Index
Index

Comparing scan results with Ndiff

Ndiff was designed to address the issues of using diff with two XML scan results. It compares files by removing false positives and producing a more readable output, which is perfect for anyone who needs to keep a track of the scan results.

This recipe describes how to compare two Nmap scans to detect the changes in a host.

Getting ready

Ndiff requires two Nmap XML files to work, so make sure you have previously saved the scan results of the same host. If you haven't, you can always scan your own network, deactivate a service, and scan again to get these two test files. To save the results of an Nmap scan into an XML file use -oX <filename>.

How to do it...

  1. Open your terminal.

  2. Enter the following command:

    $ ndiff FILE1 FILE2

  3. The output returns all the differences between FILE1 and FILE2. New lines are shown after a plus sign. The lines that were removed on FILE2 are displayed after a negative sign.

How it works...

Ndiff uses the first file as a base to compare against the second one. It displays the state differences for host, port, services, and OS detection.

There's more...

If you prefer Zenmap, you can use the following steps instead:

  1. Launch Zenmap.

  2. Click on Tools on the main toolbar.

  3. Click on Compare Results (Ctrl + D).

  4. Select the first file by clicking on Open in the section named A scan.

  5. Select the second file by clicking on Open in the section named B scan.

Output format

A human readable format is returned by default. However, Ndiff can return the differences in XML format, if preferred, by using the flag --xml.

Verbose mode

Verbose mode includes all of the information including hosts and ports that haven't changed. To use it, enter the following commands: 

$ ndiff -v FILE1 FILE2
$ ndiff –verbose FILE1 FILE2

See also

  • The Monitoring servers remotely with Nmap and Ndiff recipe

  • The Managing multiple scanning profiles with Zenmap recipe

  • The Geo-locating an IP address recipe in Chapter 3, Gathering Additional Host Information

  • The Getting information from WHOIS records recipe in Chapter 3, Gathering Additional Host Information

  • The Fingerprinting the operative system of a host recipe in Chapter 3, Gathering Additional Host Information

  • The Discovering UDP services recipe in Chapter 3, Gathering Additional Host Information

  • The Detecting possible XST vulnerabilities recipe in Chapter 4, Auditing Web Servers

Previous Section
End of Section 11
Next Section