Book Image

Nmap 6: Network Exploration and Security Auditing Cookbook

Book Image

Nmap 6: Network Exploration and Security Auditing Cookbook

Overview of this book

Nmap is a well known security tool used by penetration testers and system administrators. The Nmap Scripting Engine (NSE) has added the possibility to perform additional tasks using the collected host information. Tasks like advanced fingerprinting and service discovery, information gathering, and detection of security vulnerabilities."Nmap 6: Network exploration and security auditing cookbook" will help you master Nmap and its scripting engine. You will learn how to use this tool to do a wide variety of practical tasks for pentesting and network monitoring. Finally, after harvesting the power of NSE, you will also learn how to write your own NSE scripts."Nmap 6: Network exploration and security auditing cookbook" is a book full of practical knowledge for every security consultant, administrator or enthusiast looking to master Nmap. The book overviews the most important port scanning and host discovery techniques supported by Nmap. You will learn how to detect mis-configurations in web, mail and database servers and also how to implement your own monitoring system. The book also covers tasks for reporting, scanning numerous hosts, vulnerability detection and exploitation, and its strongest aspect; information gathering.

Related Content you might be interested in

Current Title:

Small book image
Nmap 6: Network Exploration and Security Auditing Cookbook
Nov, 2012 | 318 pages
No titles found
Table of Contents (18 chapters)
Nmap 6: Network Exploration and Security Auditing Cookbook
Nmap 6: Network Exploration and Security Auditing Cookbook
Credits
Credits
About the Author
About the Author
Acknowledgement
Acknowledgement
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Nmap Fundamentals
Nmap Fundamentals
Introduction
Downloading Nmap from the official source code repository
Compiling Nmap from source code
Listing open ports on a remote host
Fingerprinting services of a remote host
Finding live hosts in your network
Scanning using specific port ranges
Running NSE scripts
Scanning using a specified network interface
Comparing scan results with Ndiff
Managing multiple scanning profiles with Zenmap
Detecting NAT with Nping
Monitoring servers remotely with Nmap and Ndiff
2
Network Exploration
Network Exploration
Introduction
Discovering hosts with TCP SYN ping scans
Discovering hosts with TCP ACK ping scans
Discovering hosts with UDP ping scans
Discovering hosts with ICMP ping scans
Discovering hosts with IP protocol ping scans
Discovering hosts with ARP ping scans
Discovering hosts using broadcast pings
Hiding our traffic with additional random data
Forcing DNS resolution
Excluding hosts from your scans
Scanning IPv6 addresses
Gathering network information with broadcast scripts
3
Gathering Additional Host Information
Gathering Additional Host Information
Introduction
Geolocating an IP address
Getting information from WHOIS records
Checking if a host is known for malicious activities
Collecting valid e-mail accounts
Discovering hostnames pointing to the same IP address
Brute forcing DNS records
Fingerprinting the operating system of a host
Discovering UDP services
Listing protocols supported by a remote host
Discovering stateful firewalls by using a TCP ACK scan
Matching services with known security vulnerabilities
Spoofing the origin IP of a port scan
4
Auditing Web Servers
Auditing Web Servers
Introduction
Listing supported HTTP methods
Checking if an HTTP proxy is open
Discovering interesting files and directories on various web servers
Brute forcing HTTP authentication
Abusing mod_userdir to enumerate user accounts
Testing default credentials in web applications
Brute-force password auditing WordPress installations
Brute-force password auditing Joomla! installations
Detecting web application firewalls
Detecting possible XST vulnerabilities
Detecting Cross Site Scripting vulnerabilities in web applications
Finding SQL injection vulnerabilities in web applications
Detecting web servers vulnerable to slowloris denial of service attacks
5
Auditing Databases
Auditing Databases
Introduction
Listing MySQL databases
Listing MySQL users
Listing MySQL variables
Finding root accounts with empty passwords in MySQL servers
Brute forcing MySQL passwords
Detecting insecure configurations in MySQL servers
Brute forcing Oracle passwords
Brute forcing Oracle SID names
Retrieving MS SQL server information
Brute forcing MS SQL passwords
Dumping the password hashes of an MS SQL server
Running commands through the command shell on MS SQL servers
Finding sysadmin accounts with empty passwords on MS SQL servers
Listing MongoDB databases
Retrieving MongoDB server information
Listing CouchDB databases
Retrieving CouchDB database statistics
6
Auditing Mail Servers
Auditing Mail Servers
Introduction
Discovering valid e-mail accounts using Google Search
Detecting open relays
Brute forcing SMTP passwords
Enumerating users in an SMTP server
Detecting backdoor SMTP servers
Brute forcing IMAP passwords
Retrieving the capabilities of an IMAP mail server
Brute forcing POP3 passwords
Retrieving the capabilities of a POP3 mail server
Detecting vulnerable Exim SMTP servers version 4.70 through 4.75
7
Scanning Large Networks
Scanning Large Networks
Introduction
Scanning an IP address range
Reading targets from a text file
Scanning random targets
Skipping tests to speed up long scans
Selecting the correct timing template
Adjusting timing parameters
Adjusting performance parameters
Collecting signatures of web servers
Distributing a scan among several clients using Dnmap
8
Generating Scan Reports
Generating Scan Reports
Introduction
Saving scan results in normal format
Saving scan results in an XML format
Saving scan results to a SQLite database
Saving scan results in a grepable format
Generating a network topology graph with Zenmap
Generating an HTML scan report
Reporting vulnerability checks performed during a scan
9
Writing Your Own NSE Scripts
Writing Your Own NSE Scripts
Introduction
Making HTTP requests to identify vulnerable Trendnet webcams
Sending UDP payloads by using NSE sockets
Exploiting a path traversal vulnerability with NSE
Writing a brute force script
Working with the web crawling library
Reporting vulnerabilities correctly in NSE scripts
Writing your own NSE library
Working with NSE threads, condition variables, and mutexes in NSE
References
References
Index
Index

Spoofing the origin IP of a port scan

Idle scanning is a very powerful technique, where Nmap takes advantage of an idle host with a predictable IP ID sequence number to spoof the origin IP of a port scan.

This recipe illustrates how to find zombie hosts and use them to spoof your IP address when scanning a remote host with Nmap.

Getting ready

To launch an idle scan we need a zombie host. A zombie host is a machine with a predictable IP ID sequence number that will be used as the spoofed IP address. A good candidate must not be communicating with other hosts, in order to maintain the correct IP ID sequence number and avoid false positives.

To find hosts with an incremental IP ID sequence, you could use the script ipidseq as follows:

#nmap -p80 --script ipidseq <your ip>/24
#nmap -p80 --script ipidseq -iR 1000

Possible candidates will return the text Incremental in the script's output section:

Host is up (0.28s latency).
PORT   STATE SERVICE
80/tcp open  http

Host script results:
|_ipidseq...
Previous Section
End of Chapter 3
Next Chapter