Book Image

Nmap Network Exploration and Security Auditing Cookbook, Third Edition - Third Edition

By : Paulino Calderon
Book Image

Nmap Network Exploration and Security Auditing Cookbook, Third Edition - Third Edition

By: Paulino Calderon

Overview of this book

Nmap is one of the most powerful tools for network discovery and security auditing used by millions of IT professionals, from system administrators to cybersecurity specialists. This third edition of the Nmap: Network Exploration and Security Auditing Cookbook introduces Nmap and its family - Ncat, Ncrack, Ndiff, Zenmap, and the Nmap Scripting Engine (NSE) - and guides you through numerous tasks that are relevant to security engineers in today’s technology ecosystems. The book discusses some of the most common and useful tasks for scanning hosts, networks, applications, mainframes, Unix and Windows environments, and ICS/SCADA systems. Advanced Nmap users can benefit from this book by exploring the hidden functionalities within Nmap and its scripts as well as advanced workflows and configurations to fine-tune their scans. Seasoned users will find new applications and third-party tools that can help them manage scans and even start developing their own NSE scripts. Practical examples featured in a cookbook format make this book perfect for quickly remembering Nmap options, scripts and arguments, and more. By the end of this Nmap book, you will be able to successfully scan numerous hosts, exploit vulnerable areas, and gather valuable information.

Related Content you might be interested in

Current Title:

Small book image
Nmap Network Exploration and Security Auditing Cookbook, Third Edition - Third Edition
Paulino Calderon
Sep, 2021 | 436 pages
Small book image
Network Scanning Cookbook
Sairam Jetty
Sep, 2018 | 304 pages
Small book image
Industrial Cybersecurity
Pascal Ackerman
Oct, 2021 | 800 pages
Small book image
Kali Linux 2018: Assuring Security by Penetration Testing
Lee Allen | Alex Samm | Shakeel Ali | Damian Boodoo | Tedi Heriyanto | Gerard Johansen | Shiva V N Parasram
Oct, 2018 | 528 pages
Table of Contents (22 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Share Your Thoughts
1
Chapter 1: Nmap Fundamentals
Chapter 1: Nmap Fundamentals
Technical requirements
Building Nmap's source code
Finding online hosts
Listing open ports on a target
Fingerprinting OSes and services running on a target
Using NSE scripts against a target host
Scanning random targets on the internet
Collecting signatures of web servers
Scanning with Rainmap Lite
Free Chapter
2
Chapter 2: Getting Familiar with Nmap's Family
Chapter 2: Getting Familiar with Nmap's Family
Monitoring servers remotely with Nmap and Ndiff
Crafting ICMP echo replies with Nping
Managing multiple scanning profiles with Zenmap
Running Lua scripts against a network connection with Ncat
Discovering systems with weak passwords with Ncrack
Using Ncat to diagnose a network client
Defending against Nmap service detection scans
3
Chapter 3: Network Scanning
Chapter 3: Network Scanning
Discovering hosts with TCP SYN ping scans
Discovering hosts with TCP ACK ping scans
Discovering hosts with UDP ping scans
Discovering hosts with ICMP ping scans
Discovering hosts with SCTP INIT ping scans
Discovering hosts with IP protocol ping scans
Discovering hosts with ARP ping scans
Performing advanced ping scans
Discovering hosts with broadcast ping scans
Scanning IPv6 addresses
Spoofing the origin IP of a scan
Using port scanning for host discovery
4
Chapter 4: Reconnaissance Tasks
Chapter 4: Reconnaissance Tasks
Performing IP address geolocation
Getting information from WHOIS records
Obtaining traceroute geolocation information
Querying Shodan to obtain target information
Collecting valid email accounts and IP addresses from web servers
Discovering hostnames pointing to the same IP address
Discovering hostnames by brute-forcing DNS records
Matching services with public vulnerability advisories and picking the low-hanging fruit
5
Chapter 5: Scanning Web Servers
Chapter 5: Scanning Web Servers
Listing supported HTTP methods
Discovering interesting files and folders on web servers
Brute forcing HTTP authentication
Brute forcing web applications
Detecting web application firewalls
Detecting possible XST vulnerabilities
Detecting XSS vulnerabilities
Finding SQL injection vulnerabilities
Finding web applications with default credentials
Detecting insecure cross-domain policies
Detecting exposed source code control systems
Auditing the strength of cipher suites in SSL servers
6
Chapter 6: Scanning Databases
Chapter 6: Scanning Databases
Listing MySQL databases
Listing MySQL users
Listing MySQL variables
Brute-forcing MySQL passwords
Finding root accounts with an empty password in MySQL servers
Detecting insecure configurations in MySQL servers
Brute forcing Oracle passwords
Brute forcing Oracle SID names
Retrieving information from MS SQL servers
Brute forcing MS SQL passwords
Dumping password hashes of MS SQL servers
Running commands through xp_cmdshell in MS SQL servers
Finding system administrator accounts with empty passwords in MS SQL servers
Obtaining information from MS SQL servers with NTLM enabled
Retrieving MongoDB server information
Detecting MongoDB instances with no authentication enabled
Listing MongoDB databases
Listing CouchDB databases
Retrieving CouchDB database statistics
Detecting Cassandra databases with no authentication enabled
Brute forcing Redis passwords
7
Chapter 7: Scanning Mail Servers
Chapter 7: Scanning Mail Servers
Detecting SMTP open relays
Brute-forcing SMTP passwords
Detecting suspicious SMTP servers
Enumerating SMTP usernames
Brute-forcing IMAP passwords
Retrieving the capabilities of an IMAP server
Brute-forcing POP3 passwords
Retrieving the capabilities of a POP3 server
Retrieving information from SMTP servers with NTLM authentication
8
Chapter 8: Scanning Windows Systems
Chapter 8: Scanning Windows Systems
Obtaining system information from SMB
Detecting Windows clients with SMB signing disabled
Detecting IIS web servers that disclose Windows 8.3 names
Detecting Windows hosts vulnerable to MS08-067 and MS17-010
Retrieving the NetBIOS name and MAC address of a host
Enumerating user accounts of Windows targets
Enumerating shared folders
Enumerating SMB sessions
Finding domain controllers
Detecting the Shadow Brokers' DOUBLEPULSAR SMB implants
Listing supported SMB protocols
Detecting vulnerabilities using the SMB2/3 boot-time field
Detecting whether encryption is enforced in SMB servers
9
Chapter 9: Scanning ICS/SCADA Systems
Chapter 9: Scanning ICS/SCADA Systems
Finding common ports used in ICS/SCADA systems
Finding HMI systems
Enumerating Siemens SIMATIC S7 PLCs
Enumerating Modbus devices
Enumerating BACnet devices
Enumerating Ethernet/IP devices
Enumerating Niagara Fox devices
Enumerating ProConOS devices
Enumerating Omrom PLC devices
Enumerating PCWorx devices
10
Chapter 10: Scanning Mainframes
Chapter 10: Scanning Mainframes
Listing CICS transaction IDs in IBM mainframes
Enumerating CICS user IDs for the CESL/CESN login screen
Brute-forcing z/OS JES NJE node names
Enumerating z/OS TSO user IDs
Brute-forcing z/OS TSO accounts
Listing VTAM application screens
11
Chapter 11: Optimizing Scans
Chapter 11: Optimizing Scans
Skipping phases to speed up scans
Selecting the correct timing template
Adjusting timing parameters
Adjusting performance parameters
Adjusting scan groups
Distributing a scan among several clients using dnmap
12
Chapter 12: Generating Scan Reports
Chapter 12: Generating Scan Reports
Saving scan results in a normal format
Saving scan results in an XML format
Saving scan results to a SQLite database
Saving scan results in a grepable format
Generating a network topology graph with Zenmap
Generating HTML scan reports
Reporting vulnerability checks
Generating PDF reports with fop
Saving NSE reports in Elasticsearch
Visualizing Nmap scan results with IVRE
13
Chapter 13: Writing Your Own NSE Scripts
Chapter 13: Writing Your Own NSE Scripts
Making HTTP requests to identify vulnerable Supermicro IPMI/BMC controllers
Sending UDP payloads using NSE sockets
Generating vulnerability reports in NSE scripts
Exploiting an SMB vulnerability
Writing brute-force password auditing scripts
Crawling web servers to detect vulnerabilities
Working with NSE threads, condition variables, and mutexes in NSE
Writing a new NSE library in Lua
Writing a new NSE library in C/C++
Getting your scripts ready for submission
14
Chapter 14: Exploiting Vulnerabilities with the Nmap Scripting Engine
Chapter 14: Exploiting Vulnerabilities with the Nmap Scripting Engine
Generating vulnerability reports in NSE scripts
Writing brute-force password auditing scripts
Crawling web servers to detect vulnerabilities
Exploiting SMB vulnerabilities
15
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts
Appendix A: HTTP, HTTP Pipelining, and Web Crawling Configuration Options
Appendix A: HTTP, HTTP Pipelining, and Web Crawling Configuration Options
HTTP user agent
Appendix Β: Brute-Force Password Auditing Options
Appendix Β: Brute-Force Password Auditing Options
Brute modes
Appendix C: NSE Debugging
Appendix C: NSE Debugging
Debugging NSE scripts
Exception handling
Appendix D: Additional Output Options
Appendix D: Additional Output Options
Saving output in all formats
Appending Nmap output logs
Including debugging information in output logs
Including the reason for a port or host state
OS detection in verbose mode
Appendix Ε: Introduction to Lua
Appendix Ε: Introduction to Lua
Flow control structures
Data types
String handling
Common data structures
I/O operations
Coroutines
Metatables
Things to remember when working with Lua
Appendix F: References and Additional Reading
Appendix F: References and Additional Reading
Why subscribe?

Discovering hostnames pointing to the same IP address

Web servers return different content depending on the hostname used in the HTTP request host header. By discovering new hostnames, penetration testers can access new target web applications that were inaccessible using the server's IP, thus expanding the attack surface.

This recipe shows how to discover new hostnames pointing to the same IP address.

How to do it...

  1. To discover hostnames pointing to the same IP address, use the following Nmap command:
    $nmap -sn --script hostmap-* <target>
  2. The hostmap-crtsh script returns all records that match the given IP address by querying an external service from https://crt.sh. There were other hostmap scripts that at the moment are broken because of changes in the API, but are expected to work again in the future. If there are records on the public database, they will be included in the results:
    Host script results:
| hostmap-crtsh: 
|   subdomains...
Previous Section
End of Section 7
Next Section