Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Nmap: Network Exploration and Security Auditing Cookbook
  • Table Of Contents Toc
  • Feedback & Rating feedback
Nmap: Network Exploration and Security Auditing Cookbook

Nmap: Network Exploration and Security Auditing Cookbook - Second Edition

By : Paulino Calderon
4.7 (3)
Buy this Book
close
close
Nmap: Network Exploration and Security Auditing Cookbook

Nmap: Network Exploration and Security Auditing Cookbook

4.7 (3)
By: Paulino Calderon
Buy this Book

Overview of this book

This is the second edition of ‘Nmap 6: Network Exploration and Security Auditing Cookbook’. A book aimed for anyone who wants to master Nmap and its scripting engine through practical tasks for system administrators and penetration testers. Besides introducing the most powerful features of Nmap and related tools, common security auditing tasks for local and remote networks, web applications, databases, mail servers, Microsoft Windows machines and even ICS SCADA systems are explained step by step with exact commands and argument explanations. The book starts with the basic usage of Nmap and related tools like Ncat, Ncrack, Ndiff and Zenmap. The Nmap Scripting Engine is thoroughly covered through security checks used commonly in real-life scenarios applied for different types of systems. New chapters for Microsoft Windows and ICS SCADA systems were added and every recipe was revised. This edition reflects the latest updates and hottest additions to the Nmap project to date. The book will also introduce you to Lua programming and NSE script development allowing you to extend further the power of Nmap.
Table of Contents (18 chapters)
close
close
close
Preface
Icon
Preface
Icon
What this book covers
Icon
What you need for this book
Icon
Who this book is for
Icon
Sections
Icon
Conventions
Icon
Reader feedback
Icon
Customer support
Lock Free Chapter
1
Nmap Fundamentals
chevron up
Icon
Nmap Fundamentals
Icon
Introduction
Icon
Building Nmap's source code
Icon
Finding live hosts in your network
Icon
Listing open ports on a target host
Icon
Fingerprinting OS and services running on a target host
Icon
Using NSE scripts against a target host
Icon
Reading targets from a file
Icon
Scanning an IP address ranges
Icon
Scanning random targets on the Internet
Icon
Collecting signatures of web servers
Icon
Monitoring servers remotely with Nmap and Ndiff
Icon
Crafting ICMP echo replies with Nping
Icon
Managing multiple scanning profiles with Zenmap
Icon
Running Lua scripts against a network connection with Ncat
Icon
Discovering systems with weak passwords with Ncrack
Icon
Launching Nmap scans remotely from a web browser using Rainmap Lite
2
Network Exploration
Icon
Network Exploration
Icon
Introduction
Icon
Discovering hosts with TCP SYN ping scans
Icon
Discovering hosts with TCP ACK ping scans
Icon
Discovering hosts with UDP ping scans
Icon
Discovering hosts with ICMP ping scans
Icon
Discovering hosts with SCTP INIT ping scans
Icon
Discovering hosts with IP protocol ping scans
Icon
Discovering hosts with ARP ping scans
Icon
Performing advanced ping scans
Icon
Discovering hosts with broadcast ping scans
Icon
Scanning IPv6 addresses
Icon
Gathering network information with broadcast scripts
Icon
Scanning through proxies
Icon
Spoofing the origin IP of a scan
3
Reconnaissance Tasks
Icon
Reconnaissance Tasks
Icon
Introduction
Icon
Performing IP address geolocation
Icon
Getting information from WHOIS records
Icon
Obtaining traceroute geolocation information
Icon
Querying Shodan to obtain target information
Icon
Checking whether a host is flagged by Google Safe Browsing for malicious activities
Icon
Collecting valid e-mail accounts and IP addresses from web servers
Icon
Discovering hostnames pointing to the same IP address
Icon
Discovering hostnames by brute forcing DNS records
Icon
Obtaining profile information from Google's People API
Icon
Matching services with public vulnerability advisories
4
Scanning Web Servers
Icon
Scanning Web Servers
Icon
Introduction
Icon
Listing supported HTTP methods
Icon
Checking whethera web server is an open proxy
Icon
Discovering interesting files and folders in web servers
Icon
Abusing mod_userdir to enumerate user accounts
Icon
Brute forcing HTTP authentication
Icon
Brute forcing web applications
Icon
Detecting web application firewalls
Icon
Detecting possible XST vulnerabilities
Icon
Detecting XSS vulnerabilities
Icon
Finding SQL injection vulnerabilities
Icon
Detecting web servers vulnerable to slowloris denial of service attacks
Icon
Finding web applications with default credentials
Icon
Detecting web applications vulnerable to Shellshock
Icon
Detecting insecure cross-domain policies
Icon
Detecting exposed source code control systems
Icon
Auditing the strength of cipher suites in SSL servers
Icon
Scrapping e-mail accounts from web servers
5
Scanning Databases
Icon
Scanning Databases
Icon
Introduction
Icon
Listing MySQL databases
Icon
Listing MySQL users
Icon
Listing MySQL variables
Icon
Brute forcing MySQL passwords
Icon
Finding root accounts with an empty password in MySQL servers
Icon
Detecting insecure configurations in MySQL servers
Icon
Brute forcing Oracle passwords
Icon
Brute forcing Oracle SID names
Icon
Retrieving information from MS SQL servers
Icon
Brute forcing MS SQL passwords
Icon
Dumping password hashes of MS SQL servers
Icon
Running commands through xp_cmdshell in MS SQL servers
Icon
Finding system administrator accounts with empty passwords in MS SQL servers
Icon
Obtaining information from MS SQL servers with NTLM enabled
Icon
Retrieving MongoDB server information
Icon
Detecting MongoDB instances with no authentication enabled
Icon
Listing MongoDB databases
Icon
Listing CouchDB databases
Icon
Retrieving CouchDB database statistics
Icon
Detecting Cassandra databases with no authentication enabled
Icon
Brute forcing Redis passwords
6
Scanning Mail Servers
Icon
Scanning Mail Servers
Icon
Introduction
Icon
Detecting SMTP open relays
Icon
Brute forcing SMTP passwords
Icon
Detecting suspicious SMTP servers
Icon
Enumerating SMTP usernames
Icon
Brute forcing IMAP passwords
Icon
Retrieving the capabilities of an IMAP server
Icon
Brute forcing POP3 passwords
Icon
Retrieving the capabilities of a POP3 server
Icon
Retrieving information from SMTP servers with NTLM authentication
7
Scanning Windows Systems
Icon
Scanning Windows Systems
Icon
Introduction
Icon
Obtaining system information from SMB
Icon
Detecting Windows clients with SMB signing disabled
Icon
Detecting IIS web servers that disclose Windows 8.3 names
Icon
Detecting Windows hosts vulnerable to MS08-067
Icon
Retrieving the NetBIOS name and MAC address of a host
Icon
Enumerating user accounts of Windows hosts
Icon
Enumerating shared folders
Icon
Enumerating SMB sessions
Icon
Finding domain controllers
Icon
Detecting Shadow Brokers' DOUBLEPULSAR SMB implants
8
Scanning ICS SCADA Systems
Icon
Scanning ICS SCADA Systems
Icon
Introduction
Icon
Finding common ports used in ICS SCADA systems
Icon
Finding HMI systems
Icon
Enumerating Siemens SIMATIC S7 PLCs
Icon
Enumerating Modbus devices
Icon
Enumerating BACnet devices
Icon
Enumerating Ethernet/IP devices
Icon
Enumerating Niagara Fox devices
Icon
Enumerating ProConOS devices
Icon
Enumerating Omrom PLC devices
Icon
Enumerating PCWorx devices
9
Optimizing Scans
Icon
Optimizing Scans
Icon
Introduction
Icon
Skipping phases to speed up scans
Icon
Selecting the correct timing template
Icon
Adjusting timing parameters
Icon
Adjusting performance parameters
Icon
Distributing a scan among several clients using Dnmap
10
Generating Scan Reports
Icon
Generating Scan Reports
Icon
Introduction
Icon
Saving scan results in a normal format
Icon
Saving scan results in an XML format
Icon
Saving scan results to a SQLite database
Icon
Saving scan results in a grepable format
Icon
Generating a network topology graph with Zenmap
Icon
Generating HTML scan reports
Icon
Reporting vulnerability checks
Icon
Generating PDF reports with fop
Icon
Saving NSE reports in ElasticSearch
11
Writing Your Own NSE Scripts
Icon
Writing Your Own NSE Scripts
Icon
Introduction
Icon
Making HTTP requests to identify vulnerable supermicro IPMI/BMC controllers
Icon
Sending UDP payloads using NSE sockets
Icon
Generating vulnerability reports in NSE scripts
Icon
Exploiting a path traversal vulnerability with NSE
Icon
Writing brute force password auditing scripts
Icon
Crawling web servers to detect vulnerabilities
Icon
Working with NSE threads, condition variables, and mutexes in NSE
Icon
Writing a new NSE library in Lua
Icon
Writing a new NSE library in C/C++
Icon
Getting your scripts ready for submission
12
HTTP, HTTP Pipelining, and Web Crawling Configuration Options
Icon
HTTP, HTTP Pipelining, and Web Crawling Configuration Options
Icon
HTTP user agent
Icon
HTTP pipelining
Icon
Configuring the NSE library httpspider
13
Brute Force Password Auditing Options
Icon
Brute Force Password Auditing Options
Icon
Brute modes
14
NSE Debugging
Icon
NSE Debugging
Icon
Debugging NSE scripts
Icon
Exception handling
15
Additional Output Options
Icon
Additional Output Options
Icon
Saving output in all formats
Icon
Appending Nmap output logs
Icon
Including debugging information in output logs
Icon
Including the reason for a port or host state
Icon
OS detection in verbose mode
16
Introduction to Lua
Icon
Introduction to Lua
Icon
Flow control structures
Icon
Data types
Icon
String handling
Icon
Concatenation
Icon
Common data structures
Icon
I/O operations
Icon
Coroutines
Icon
Metatables
Icon
Things to remember when working with Lua
17
References and Additional Reading
Icon
References and Additional Reading

Discovering systems with weak passwords with Ncrack

Ncrack is a network authentication cracking tool designed to identify systems with weak credentials. It is highly flexible and supports popular network protocols, such as FTP, SSH, Telnet, HTTP(S), POP3(S), SMB, RDP, VNC, SIP, Redis, PostgreSQL, and MySQL.

In this recipe, you will learn how to install Ncrack to find systems with weak passwords.

Getting ready

Grab the latest stable version of Ncrack from https://nmap.org/ncrack/. At the moment, the latest version is 0.5:

$wget https://nmap.org/ncrack/dist/ncrack-0.5.tar.gz

Untar the compressed file and enter the new directory:

$ tar -zxf ncrack-0.5.tar.gz 
$ cd ncrack-0.5

Configure and build Ncrack with the command:

$./configure && make

Finally, install it in your system:

#make install

Now you should be able to use Ncrack anywhere in your system.

How to do it...

To start a basic dictionary attack against a SSH server, use the following command:

$ncrack ssh://<target>:<port>

Ncrack will use the default settings to attack the SSH server running on the specified IP address and port. This might take some time depending on the network conditions:

   Starting Ncrack 0.5 ( http://ncrack.org ) at 2016-04-03 21:10 EEST  
   Discovered credentials for ssh on 192.168.1.2 22/tcp: 
   192.168.1.2 22/tcp ssh: guest 12345  
   Ncrack done: 1 service scanned in 56 seconds.  
   Ncrack finished.

In this case, we have successfully found the credentials of the account guest. Someone should have known better that 12345 is not a good password.

How it works...

Ncrack takes as arguments the hostname or IP address of the target and a service to attack. Targets and services can be defined as follows:

<[service-name]>://<target>:<[port-number]>

The simplest command requires a target and the service specification. Another way of running the scan shown earlier is as follows:

$ncrack 192.168.1.2:22 
   Starting Ncrack 0.5 ( http://ncrack.org ) at 2016-01-03 22:10 EEST  
   Discovered credentials for ssh on 192.168.1.2 22/tcp: 
   192.168.1.2 22/tcp ssh: guest 12345 
   192.168.1.2 22/tcp ssh: admin money$  
   Ncrack done: 1 service scanned in 156.03 seconds.  
   Ncrack finished.

In this case, Ncrack automatically detected the SSH service based on the port number given in the target and performed a password auditing attack using the default dictionaries shipped with Ncrack. Luckily, this time we found two accounts with weak passwords.

There's more...

As we have seen Ncrack provides a few different ways of specifying targets, but it takes it to the next level with some interesting features, such as the ability to of pause and resume attacks. We will briefly explore some of its options, but I highly recommend you read the official documentation at https://nmap.org/ncrack/man.html for the full list of options.

Configuring authentication options

Ncrack would not be a good network login cracker without options to tune the authentication process. Ncrack users may use their own username and password lists with the options -U and -P correspondingly if the included lists (inside the directory /lists) are not adequate:

$ ncrack -U <user list file> -P <password list file> <[service-name]>://<target>:<[port-number]>

Otherwise, we might have a specific username or password we would like to test with the options --user and --pass:

$ ncrack --user <username> <[service-name]>://<target>:<[port-number]>
$ ncrack --pass <password> <[service-name]>://<target>:<[port-number]>

Pausing and resuming attacks

Ncrack supports resuming incomplete scans with the --resume option. If you had to stop a cracking session, just resume it passing the filename of the previous session:

$ncrack --resume cracking-session <[service-name]>://<target>:<[port-number]>

If we would like to set the filename of the session, use the --save option:

$ncrack --save cracking-session <[service-name]>://<target>:<[port-number]>
Visually different images
CONTINUE READING
83
Tech Concepts
36
Programming languages
73
Tech Tools
Icon Unlimited access to the largest independent learning library in tech of over 8,000 expert-authored tech books and videos.
Icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Icon 50+ new titles added per month and exclusive early access to books as they are being written.
Nmap: Network Exploration and Security Auditing Cookbook
End of Section 1
Next Section
notes
bookmark Notes and Bookmarks search Search in title playlist Add to playlist font-size Font size

Change the font size

margin-width Margin width

Change margin width

day-mode Day/Sepia/Night Modes

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY

Submit Your Feedback

Modal Close icon
Modal Close icon
Modal Close icon