Book Image

Nmap 6: Network Exploration and Security Auditing Cookbook

Book Image

Nmap 6: Network Exploration and Security Auditing Cookbook

Overview of this book

Nmap is a well known security tool used by penetration testers and system administrators. The Nmap Scripting Engine (NSE) has added the possibility to perform additional tasks using the collected host information. Tasks like advanced fingerprinting and service discovery, information gathering, and detection of security vulnerabilities."Nmap 6: Network exploration and security auditing cookbook" will help you master Nmap and its scripting engine. You will learn how to use this tool to do a wide variety of practical tasks for pentesting and network monitoring. Finally, after harvesting the power of NSE, you will also learn how to write your own NSE scripts."Nmap 6: Network exploration and security auditing cookbook" is a book full of practical knowledge for every security consultant, administrator or enthusiast looking to master Nmap. The book overviews the most important port scanning and host discovery techniques supported by Nmap. You will learn how to detect mis-configurations in web, mail and database servers and also how to implement your own monitoring system. The book also covers tasks for reporting, scanning numerous hosts, vulnerability detection and exploitation, and its strongest aspect; information gathering.

Related Content you might be interested in

Current Title:

Small book image
Nmap 6: Network Exploration and Security Auditing Cookbook
Nov, 2012 | 318 pages
No titles found
Table of Contents (18 chapters)
Nmap 6: Network Exploration and Security Auditing Cookbook
Nmap 6: Network Exploration and Security Auditing Cookbook
Credits
Credits
About the Author
About the Author
Acknowledgement
Acknowledgement
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Nmap Fundamentals
Nmap Fundamentals
Introduction
Downloading Nmap from the official source code repository
Compiling Nmap from source code
Listing open ports on a remote host
Fingerprinting services of a remote host
Finding live hosts in your network
Scanning using specific port ranges
Running NSE scripts
Scanning using a specified network interface
Comparing scan results with Ndiff
Managing multiple scanning profiles with Zenmap
Detecting NAT with Nping
Monitoring servers remotely with Nmap and Ndiff
2
Network Exploration
Network Exploration
Introduction
Discovering hosts with TCP SYN ping scans
Discovering hosts with TCP ACK ping scans
Discovering hosts with UDP ping scans
Discovering hosts with ICMP ping scans
Discovering hosts with IP protocol ping scans
Discovering hosts with ARP ping scans
Discovering hosts using broadcast pings
Hiding our traffic with additional random data
Forcing DNS resolution
Excluding hosts from your scans
Scanning IPv6 addresses
Gathering network information with broadcast scripts
3
Gathering Additional Host Information
Gathering Additional Host Information
Introduction
Geolocating an IP address
Getting information from WHOIS records
Checking if a host is known for malicious activities
Collecting valid e-mail accounts
Discovering hostnames pointing to the same IP address
Brute forcing DNS records
Fingerprinting the operating system of a host
Discovering UDP services
Listing protocols supported by a remote host
Discovering stateful firewalls by using a TCP ACK scan
Matching services with known security vulnerabilities
Spoofing the origin IP of a port scan
4
Auditing Web Servers
Auditing Web Servers
Introduction
Listing supported HTTP methods
Checking if an HTTP proxy is open
Discovering interesting files and directories on various web servers
Brute forcing HTTP authentication
Abusing mod_userdir to enumerate user accounts
Testing default credentials in web applications
Brute-force password auditing WordPress installations
Brute-force password auditing Joomla! installations
Detecting web application firewalls
Detecting possible XST vulnerabilities
Detecting Cross Site Scripting vulnerabilities in web applications
Finding SQL injection vulnerabilities in web applications
Detecting web servers vulnerable to slowloris denial of service attacks
5
Auditing Databases
Auditing Databases
Introduction
Listing MySQL databases
Listing MySQL users
Listing MySQL variables
Finding root accounts with empty passwords in MySQL servers
Brute forcing MySQL passwords
Detecting insecure configurations in MySQL servers
Brute forcing Oracle passwords
Brute forcing Oracle SID names
Retrieving MS SQL server information
Brute forcing MS SQL passwords
Dumping the password hashes of an MS SQL server
Running commands through the command shell on MS SQL servers
Finding sysadmin accounts with empty passwords on MS SQL servers
Listing MongoDB databases
Retrieving MongoDB server information
Listing CouchDB databases
Retrieving CouchDB database statistics
6
Auditing Mail Servers
Auditing Mail Servers
Introduction
Discovering valid e-mail accounts using Google Search
Detecting open relays
Brute forcing SMTP passwords
Enumerating users in an SMTP server
Detecting backdoor SMTP servers
Brute forcing IMAP passwords
Retrieving the capabilities of an IMAP mail server
Brute forcing POP3 passwords
Retrieving the capabilities of a POP3 mail server
Detecting vulnerable Exim SMTP servers version 4.70 through 4.75
7
Scanning Large Networks
Scanning Large Networks
Introduction
Scanning an IP address range
Reading targets from a text file
Scanning random targets
Skipping tests to speed up long scans
Selecting the correct timing template
Adjusting timing parameters
Adjusting performance parameters
Collecting signatures of web servers
Distributing a scan among several clients using Dnmap
8
Generating Scan Reports
Generating Scan Reports
Introduction
Saving scan results in normal format
Saving scan results in an XML format
Saving scan results to a SQLite database
Saving scan results in a grepable format
Generating a network topology graph with Zenmap
Generating an HTML scan report
Reporting vulnerability checks performed during a scan
9
Writing Your Own NSE Scripts
Writing Your Own NSE Scripts
Introduction
Making HTTP requests to identify vulnerable Trendnet webcams
Sending UDP payloads by using NSE sockets
Exploiting a path traversal vulnerability with NSE
Writing a brute force script
Working with the web crawling library
Reporting vulnerabilities correctly in NSE scripts
Writing your own NSE library
Working with NSE threads, condition variables, and mutexes in NSE
References
References
Index
Index

Monitoring servers remotely with Nmap and Ndiff

Combining tools from the Nmap project allows us to set up a simple but powerful monitoring system. This can then be used by system administrators monitoring a web server or by penetration testers wanting to surveil a remote system.

This recipe describes how to use bash scripting, cron, Nmap, and Ndiff to set up a monitoring system that alerts the user by an e-mail if changes are detected in a network.

How to do it...

Create the directory /usr/local/share/nmap-mon/ to store all the necessary files.

Scan your target host and save the results in the directory that you just created.

# nmap -oX base_results.xml -sV -PN <target>

The resulting file base_results.xml will be used as your base file, meaning that it should reflect the known "good" versions and ports.

Copy the file nmap-mon.sh into your working directory.

The output of the scan will be as follows.

#!/bin/bash 
#Bash script to email admin when changes are detected in a network using Nmap and Ndiff. 
# 
#Don't forget to adjust the CONFIGURATION variables. 
#Paulino Calderon <[email protected]> 

# 
#CONFIGURATION 
# 
NETWORK="YOURDOMAIN.COM" 
[email protected] 
NMAP_FLAGS="-sV -Pn -p- -T4" 
BASE_PATH=/usr/local/share/nmap-mon/ 
BIN_PATH=/usr/local/bin/ 
BASE_FILE=base.xml 
NDIFF_FILE=ndiff.log 
NEW_RESULTS_FILE=newscanresults.xml 

BASE_RESULTS="$BASE_PATH$BASE_FILE" 
NEW_RESULTS="$BASE_PATH$NEW_RESULTS_FILE" 
NDIFF_RESULTS="$BASE_PATH$NDIFF_FILE" 

if [ -f $BASE_RESULTS ] 
then 
  echo "Checking host $NETWORK" 
  ${BIN_PATH}nmap -oX $NEW_RESULTS $NMAP_FLAGS $NETWORK 
  ${BIN_PATH}ndiff $BASE_RESULTS $NEW_RESULTS > $NDIFF_RESULTS 
  if [ $(cat $NDIFF_RESULTS | wc -l) -gt 0 ] 
  then 
    echo "Network changes detected in $NETWORK" 
    cat $NDIFF_RESULTS 
    echo "Alerting admin $ADMIN" 
    mail -s "Network changes detected in $NETWORK" $ADMIN < $NDIFF_RESULTS 
  fi 
fi

Update the configuration values according to your system.

NETWORK="YOURDOMAIN.COM" 
[email protected] 
NMAP_FLAGS="-sV -Pn -p- -T4" 
BASE_PATH=/usr/local/share/nmap-mon/ 
BIN_PATH=/usr/local/bin/ 
BASE_FILE=base.xml 
NDIFF_FILE=ndiff.log 
NEW_RESULTS_FILE=newscanresults.xml

Make nmap-mon.sh executable by entering the following command:

# chmod +x /usr/local/share/nmap-mon/nmap-mon.sh

You can now run the script nmap-mon.sh to make sure it is working correctly.

# /usr/local/share/nmap-mon/nmap-mon.sh

Launch your crontab editor:

# crontab -e

Add the following command:

0 * * * * /usr/local/share/nmap-mon/nmap-mon.sh

You should now receive e-mail alerts when Ndiff detects a change in your network.

How it works...

Ndiff is a tool for comparing two Nmap scans. With some help from bash and cron, we set up a task that is executed at regular intervals to scan our network and compare our current state with an older state, in order to identify the differences between them.

There's more...

You can adjust the interval between scans by modifying the cron line:

0 * * * * /usr/local/share/nmap-mon/nmap-mon.sh

To update your base file, you simply need to overwrite your base file located at /usr/local/share/nmap-mon/. Remember that when we change the scan parameters to create our base file, we need to update them in nmap-mon.sh too.

Monitoring specific services

To monitor some specific service, you need to update the scan parameters in nmap-mon.sh.

NMAP_FLAGS="-sV -Pn"

For example, if you would like to monitor a web server, you may use the following parameters:

NMAP_FLAGS="-sV --script http-google-safe -Pn -p80,443"

These parameters set port scanning only to ports 80 and 443, and in addition these parameters include the script http-google-safe to check if your web server has been marked as malicious by the Google Safe Browsing service.

See also

  • The Listing open ports on a remote host recipe

  • The Fingerprinting services of a remote host recipe

  • The Finding live hosts in your network recipe

  • The Running NSE scripts recipe

  • The Comparing scan results with Ndiff recipe

  • The Discovering hosts with ICMP ping scans recipe in Chapter 2, Network Exploration

  • The Scanning IPv6 addresses recipe in Chapter 2, Network Exploration

  • The Gathering network information with broadcast scripts recipe in Chapter 2, Network Exploration

  • The Checking if a host is known for malicious activities recipe in Chapter 3, Gathering Additional Host Information

  • The Discovering UDP services recipe in Chapter 3, Gathering Additional Host Information

Previous Section
End of Chapter 1
Next Chapter