Book Image

Nmap: Network Exploration and Security Auditing Cookbook - Second Edition

By : Paulino Calderon
Book Image

Nmap: Network Exploration and Security Auditing Cookbook - Second Edition

By: Paulino Calderon

Overview of this book

This is the second edition of ‘Nmap 6: Network Exploration and Security Auditing Cookbook’. A book aimed for anyone who wants to master Nmap and its scripting engine through practical tasks for system administrators and penetration testers. Besides introducing the most powerful features of Nmap and related tools, common security auditing tasks for local and remote networks, web applications, databases, mail servers, Microsoft Windows machines and even ICS SCADA systems are explained step by step with exact commands and argument explanations. The book starts with the basic usage of Nmap and related tools like Ncat, Ncrack, Ndiff and Zenmap. The Nmap Scripting Engine is thoroughly covered through security checks used commonly in real-life scenarios applied for different types of systems. New chapters for Microsoft Windows and ICS SCADA systems were added and every recipe was revised. This edition reflects the latest updates and hottest additions to the Nmap project to date. The book will also introduce you to Lua programming and NSE script development allowing you to extend further the power of Nmap.
Table of Contents (18 chapters)
13
Brute Force Password Auditing Options
17
References and Additional Reading

Managing multiple scanning profiles with Zenmap

Scanning profiles are a combination of Nmap options and arguments that can be used to save time when launching Nmap scans.

This recipe is about adding, editing, and deleting a scanning profile in Zenmap.

How to do it...

Let's add a new profile for scanning web servers:

  1. Launch Zenmap.
  2. Click on Profile on the main toolbar.
  3. Click on New Profile or Command (CtrlP). The Profile Editor will be launched.
  4. Enter a profile name and a description on the Profile tab.
  5. Enable Version detection and select TCP connect scan (-sT) in the Scan tab.
  6. Enable Don't ping before scanning (-Pn) in the Ping tab.
  7. Enable the following scripts on the Scripting tab:
    • hostmap-ip2hosts
    • http-apache-negotiation
    • http-apache-server
    • http-auth-finder
    • http-backup-finder
    • http-config-backup
    • http-cors
    • http-cross-domain-policy
    • http-csrf
    • http-default-accounts
    • http-devframework
    • http-dombased-xss
    • http-enum
    • http-exif-spider
    • http-favicon
    • http-git
    • http-headers
    • http-iis-short-name-brute
    • http-methods
    • http-mobileversion-checker
    • http-ntlm-info
    • http-open-proxy
    • http-open-redirect
    • http-trace
    • http-php-version
    • http-phpself-xss
    • http-robots.txt
    • http-server-header
    • http-shellshock
    • http-svn-info
    • http-title
  8. Next, go to the Target tab and click on Ports to scan (-p) and enter 80, 443.
  1. Save your changes by clicking on Save Changes:

Your new scanning profile should be available on the Profile drop-down menu.

How it works...

After using the editor to create our profile, we are left with the following Nmap command:

$ nmap -sT -sV -p 80,443 -T4 -v -Pn --script hostmap-ip2hosts,http-apache-negotiation,http-apache-server-status,http-auth-finder,http-backup-finder,http-config-backup,http-cors,http-cross-domain-policy,http-csrf,http-default-accounts,http-devframework,http-dombased-xss,http-exif-spider,http-git,http-headers,http-iis-short-name-brute,http-methods,http-ntlm-info,http-open-proxy,http-open-redirect,http-phpself-xss,http-robots.txt,http-server-header,http-shellshock,http-svn-info,http-title,http-waf-detect <target>

Using the Profile wizard, we have enabled service scanning (-sV), set the scanning ports to 80 and 443, configure ping options (-Pn), and select a bunch of HTTP-related scripts to gather as much information as possible from this web server. We now have this command saved for our scanning activities against new targets in the future.

There's more...

Customizing scan profiles can be done through the user interface. Default scanning profiles can be used as templates when creating new ones. Let's review how we work with the scanning profiles.

Zenmap scanning profiles

The predefined Zenmap scanning profiles help newcomers familiarize themselves with Nmap. I recommend you to analyze them to understand the scanning techniques available in Nmap, along with some useful combinations of its options:

  • Intense scan: nmap -T4 -A -v
  • Intense scan plus UDP: nmap -sS -sU -T4 -A -v
  • Intense scan, all TCP ports: nmap -p 1-65535 -T4 -A -v
  • Intense scan, no ping: nmap -T4 -A -v -Pn
  • Ping scan: nmap -sn
  • Quick scan: nmap -T4 -F
  • Quick scan plus: nmap -sV -T4 -O -F -version-light
  • Quick traceroute: nmap -sn -traceroute
  • Regular scan: nmap
  • Slow comprehensive scan: nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script default or discovery and safe
You can find more scanning profiles at https://github.com/cldrn/rainmap-lite/wiki/Scanning-profiles.

Editing or deleting a scan profile

To edit or delete a scan profile, you need to select the entry you wish to modify from the Profile drop-down menu. Click on Profile on the main toolbar and select Edit Selected Profile (Ctrl + E).

The editor will be launched allowing you to edit or delete the selected profile.