Nmap 6: Network Exploration and Security Auditing Cookbook

Nmap 6: Network Exploration and Security Auditing Cookbook

Overview of this book

Nmap is a well known security tool used by penetration testers and system administrators. The Nmap Scripting Engine (NSE) has added the possibility to perform additional tasks using the collected host information. Tasks like advanced fingerprinting and service discovery, information gathering, and detection of security vulnerabilities."Nmap 6: Network exploration and security auditing cookbook" will help you master Nmap and its scripting engine. You will learn how to use this tool to do a wide variety of practical tasks for pentesting and network monitoring. Finally, after harvesting the power of NSE, you will also learn how to write your own NSE scripts."Nmap 6: Network exploration and security auditing cookbook" is a book full of practical knowledge for every security consultant, administrator or enthusiast looking to master Nmap. The book overviews the most important port scanning and host discovery techniques supported by Nmap. You will learn how to detect mis-configurations in web, mail and database servers and also how to implement your own monitoring system. The book also covers tasks for reporting, scanning numerous hosts, vulnerability detection and exploitation, and its strongest aspect; information gathering.

Nmap 6: Network Exploration and Security Auditing Cookbook

Credits

About the Author

Acknowledgement

About the Reviewers

www.PacktPub.com

Preface

Free Chapter

Nmap Fundamentals

Introduction

Downloading Nmap from the official source code repository

Compiling Nmap from source code

Listing open ports on a remote host

Fingerprinting services of a remote host

Finding live hosts in your network

Scanning using specific port ranges

Running NSE scripts

Scanning using a specified network interface

Comparing scan results with Ndiff

Managing multiple scanning profiles with Zenmap

Detecting NAT with Nping

Monitoring servers remotely with Nmap and Ndiff

Network Exploration

Introduction

Discovering hosts with TCP SYN ping scans

Discovering hosts with TCP ACK ping scans

Discovering hosts with UDP ping scans

Discovering hosts with ICMP ping scans

Discovering hosts with IP protocol ping scans

Discovering hosts with ARP ping scans

Discovering hosts using broadcast pings

Hiding our traffic with additional random data

Forcing DNS resolution

Excluding hosts from your scans

Scanning IPv6 addresses

Gathering network information with broadcast scripts

Gathering Additional Host Information

Introduction

Geolocating an IP address

Getting information from WHOIS records

Checking if a host is known for malicious activities

Collecting valid e-mail accounts

Discovering hostnames pointing to the same IP address

Brute forcing DNS records

Fingerprinting the operating system of a host

Discovering UDP services

Listing protocols supported by a remote host

Discovering stateful firewalls by using a TCP ACK scan

Matching services with known security vulnerabilities

Spoofing the origin IP of a port scan

Auditing Web Servers

Introduction

Listing supported HTTP methods

Checking if an HTTP proxy is open

Discovering interesting files and directories on various web servers

Brute forcing HTTP authentication

Abusing mod_userdir to enumerate user accounts

Testing default credentials in web applications

Brute-force password auditing WordPress installations

Brute-force password auditing Joomla! installations

Detecting web application firewalls

Detecting possible XST vulnerabilities

Detecting Cross Site Scripting vulnerabilities in web applications

Finding SQL injection vulnerabilities in web applications

Detecting web servers vulnerable to slowloris denial of service attacks

Auditing Databases

Introduction

Listing MySQL databases

Listing MySQL users

Listing MySQL variables

Finding root accounts with empty passwords in MySQL servers

Brute forcing MySQL passwords

Detecting insecure configurations in MySQL servers

Brute forcing Oracle passwords

Brute forcing Oracle SID names

Retrieving MS SQL server information

Brute forcing MS SQL passwords

Dumping the password hashes of an MS SQL server

Running commands through the command shell on MS SQL servers

Finding sysadmin accounts with empty passwords on MS SQL servers

Listing MongoDB databases

Retrieving MongoDB server information

Listing CouchDB databases

Retrieving CouchDB database statistics

Auditing Mail Servers

Introduction

Discovering valid e-mail accounts using Google Search

Detecting open relays

Brute forcing SMTP passwords

Enumerating users in an SMTP server

Detecting backdoor SMTP servers

Brute forcing IMAP passwords

Retrieving the capabilities of an IMAP mail server

Brute forcing POP3 passwords

Retrieving the capabilities of a POP3 mail server

Detecting vulnerable Exim SMTP servers version 4.70 through 4.75

Scanning Large Networks

Introduction

Scanning an IP address range

Reading targets from a text file

Scanning random targets

Skipping tests to speed up long scans

Selecting the correct timing template

Adjusting timing parameters

Adjusting performance parameters

Collecting signatures of web servers

Distributing a scan among several clients using Dnmap

Generating Scan Reports

Introduction

Saving scan results in normal format

Saving scan results in an XML format

Saving scan results to a SQLite database

Saving scan results in a grepable format

Generating a network topology graph with Zenmap

Generating an HTML scan report

Reporting vulnerability checks performed during a scan

Writing Your Own NSE Scripts

Introduction

Making HTTP requests to identify vulnerable Trendnet webcams

Sending UDP payloads by using NSE sockets

Exploiting a path traversal vulnerability with NSE

Writing a brute force script

Working with the web crawling library

Reporting vulnerabilities correctly in NSE scripts

Writing your own NSE library

Working with NSE threads, condition variables, and mutexes in NSE

References

Index

Customer Reviews

5 star

4 star

3 star

2 star

1 star

Appendix A. References

This appendix reflects the incredible amount of work that people have put into Nmap. I recommend that you complement reading this cookbook with the information from Nmap's official documentation shown at the following URLs:

Installing and Compiling Nmap – http://nmap.org/book/install.html

Service and Application Version Detection – http://nmap.org/book/vscan.html

Nping's Echo mode – http://nmap.org/book/nping-man-echo-mode.html

Zenmap – http://nmap.org/zenmap/

OS Detection – http://nmap.org/book/man-os-detection.html

Port Scanning Techniques – http://nmap.org/book/man-port-scanning-techniques.html

Host Discovery – http://nmap.org/book/man-host-discovery.html

Miscellaneous Nmap Options – http://nmap.org/book/man-misc-options.html

NSEDoc – http://nmap.org/nsedoc/

ip-geolocation-geobytes.nse documentation – http://nmap.org/nsedoc/scripts/ip-geolocation-geobytes.html

ip-geolocation-geoplugin.nse documentation – http://nmap.org/nsedoc/scripts/ip-geolocation-geoplugin.html

ip-geolocation-ipinfodb.nse documentation – http://nmap.org/nsedoc/scripts/ip-geolocation-ipinfodb.html

ip-geolocation-maxmind.nse documentation – http://nmap.org/nsedoc/scripts/ip-geolocation-maxmind.html

whois.nse documentation – http://nmap.org/nsedoc/scripts/whois.html

http-google-malware.nse documentation – http://nmap.org/nsedoc/scripts/http-google-malware.html

dns-brute.nse documentation – http://nmap.org/nsedoc/scripts/dns-brute.html

ipidseq.nse documentation – http://nmap.org/nsedoc/scripts/ipidseq.html

External script library – https://secwiki.org/w/Nmap/External_Script_Library

http-methods.nse documentation – http://nmap.org/nsedoc/scripts/http-methods.html

http-open-proxy.nse documentation – http://nmap.org/nsedoc/scripts/http-open-proxy.html

http-phpself-xss.nse documentation – http://nmap.org/nsedoc/scripts/http-phpself-xss.html

http-waf-detect.nse documentation – http://nmap.org/nsedoc/scripts/http-waf-detect.html

http-userdir-enum.nse documentation – http://nmap.org/nsedoc/scripts/http-userdir-enum.html

http-enum.nse documentation – http://nmap.org/nsedoc/scripts/http-enum.html

http-brute.nse documentation – http://nmap.org/nsedoc/scripts/http-brute.html

http -default-accounts.nse documentation – http://nmap.org/nsedoc/scripts/http-default-accounts.html

http-wordpress-brute.nse documentation – http://nmap.org/nsedoc/scripts/http-wordpress-brute.html

http-trace.nse documentation – http://nmap.org/nsedoc/scripts/http-trace.html

http-joomla-brute.nse documentation – http://nmap.org/nsedoc/scripts/http-joomla-brute.html

http-unsafe-output-escaping.nse documentation – http://nmap.org/nsedoc/scripts/http-unsafe-output-escaping.html

http -sql-injection.nse documentation – http://nmap.org/nsedoc/scripts/http-sql-injection.html

http-slowloris.nse documentation – http://nmap.org/nsedoc/scripts/http-slowloris.html

ms-sql-brute.nse documentation – http://nmap.org/nsedoc/scripts/ms-sql-brute.html

mysql-databases.nse documentation – http://nmap.org/nsedoc/scripts/mysql-databases.html

mysql-empty-password.nse documentation – http://nmap.org/nsedoc/scripts/mysql-empty-password.html

mysql-variables.nse documentation – http://nmap.org/nsedoc/scripts/mysql-variables.html

mysql-brute.nse documentation – http://nmap.org/nsedoc/scripts/mysql-brute.html

mysql-audit.nse documentation – http://nmap.org/nsedoc/scripts/mysql-audit.html

oracle-brute.nse documentation – http://nmap.org/nsedoc/scripts/oracle-brute.html

oracle-sid-brute.nse documentation – http://nmap.org/nsedoc/scripts/oracle-sid-brute.html

ms-sql-info.nse documentation – http://nmap.org/nsedoc/scripts/ms-sql-info.html

ms-sql-empty-password.nse documentation – http://nmap.org/nsedoc/scripts/ms-sql-empty-password.html

ms-sql-dump-hashes.nse documentation – http://nmap.org/nsedoc/scripts/ms-sql-dump-hashes.html

ms-sql-xp-cmdshell.nse documentation – http://nmap.org/nsedoc/scripts/ms-sql-xp-cmdshell.html

mongodb-databases.nse documentation – http://nmap.org/nsedoc/scripts/mongodb-databases.html

mongodb-info.nse documentation – http://nmap.org/nsedoc/scripts/mongodb-info.html

couchdb-databases.nse documentation – http://nmap.org/nsedoc/scripts/couchdb-databases.html

couchdb-stats.nse documentation – http://nmap.org/nsedoc/scripts/couchdb-stats.html

http-google-search.nse documentation – http://seclists.org/nmap-dev/2011/q3/att-401/http-google-email.nse

smtp-open-relay.nse documentation – http://nmap.org/nsedoc/scripts/smtp-open-relay.html

smtp-brute.nse documentation – http://nmap.org/nsedoc/scripts/smtp-brute.html

smtp-enum-users.nse documentation – http://nmap.org/nsedoc/scripts/smtp-enum-users.html

smtp-strangeport.nse documentation – http://nmap.org/nsedoc/scripts/smtp-strangeport.html

imap-brute.nse documentation – http://nmap.org/nsedoc/scripts/imap-brute.html

imap-capabilities.nse documentation – http://nmap.org/nsedoc/scripts/imap-capabilities.html

pop3-brute.nse documentation – http://nmap.org/nsedoc/scripts/pop3-brute.html

pop3-capabilities.nse documentation – http://nmap.org/nsedoc/scripts/pop3-capabilities.html

smtp-vuln-cve2011-1764.nse documentation – http://nmap.org/nsedoc/scripts/smtp-vuln-cve2011-1764.html

Timing and Performance – http://nmap.org/book/man-performance.html

Nmap Scripting Engine (NSE) – http://nmap.org/book/man-nse.html

Dnmap – http://mateslab.weebly.com/dnmap-the-distributed-nmap.html

Nmap output – http://nmap.org/book/man-output.html

Script Parallelism – http://nmap.org/book/nse-parallelism.html

NSE library stdnse – http://nmap.org/nsedoc/lib/stdnse.html#new_thread

NSE library nmap – http://nmap.org/nsedoc/lib/nmap.html#mutex

Nmap 6: Network Exploration and Security Auditing Cookbook

Nmap 6: Network Exploration and Security Auditing Cookbook

Overview of this book

Related Content you might be interested in

Current Title:

Nmap 6: Network Exploration and Security Auditing Cookbook

Appendix A. References