Sign In Start Free Trial

Book Overview & Buying
Table Of Contents

Nmap: Network Exploration and Security Auditing Cookbook - Second Edition

By : Paulino Calderon

4.7 (3)

Nmap: Network Exploration and Security Auditing Cookbook

4.7 (3)

By: Paulino Calderon

Overview of this book

This is the second edition of ‘Nmap 6: Network Exploration and Security Auditing Cookbook’. A book aimed for anyone who wants to master Nmap and its scripting engine through practical tasks for system administrators and penetration testers. Besides introducing the most powerful features of Nmap and related tools, common security auditing tasks for local and remote networks, web applications, databases, mail servers, Microsoft Windows machines and even ICS SCADA systems are explained step by step with exact commands and argument explanations. The book starts with the basic usage of Nmap and related tools like Ncat, Ncrack, Ndiff and Zenmap. The Nmap Scripting Engine is thoroughly covered through security checks used commonly in real-life scenarios applied for different types of systems. New chapters for Microsoft Windows and ICS SCADA systems were added and every recipe was revised. This edition reflects the latest updates and hottest additions to the Nmap project to date. The book will also introduce you to Lua programming and NSE script development allowing you to extend further the power of Nmap.

Preface

Preface

What this book covers

What you need for this book

Who this book is for

Sections

Conventions

Reader feedback

Customer support

Free Chapter

Nmap Fundamentals

Nmap Fundamentals

Introduction

Building Nmap's source code

Finding live hosts in your network

Listing open ports on a target host

Fingerprinting OS and services running on a target host

Using NSE scripts against a target host

Reading targets from a file

Scanning an IP address ranges

Scanning random targets on the Internet

Collecting signatures of web servers

Monitoring servers remotely with Nmap and Ndiff

Crafting ICMP echo replies with Nping

Managing multiple scanning profiles with Zenmap

Running Lua scripts against a network connection with Ncat

Discovering systems with weak passwords with Ncrack

Launching Nmap scans remotely from a web browser using Rainmap Lite

Network Exploration

Network Exploration

Introduction

Discovering hosts with TCP SYN ping scans

Discovering hosts with TCP ACK ping scans

Discovering hosts with UDP ping scans

Discovering hosts with ICMP ping scans

Discovering hosts with SCTP INIT ping scans

Discovering hosts with IP protocol ping scans

Discovering hosts with ARP ping scans

Performing advanced ping scans

Discovering hosts with broadcast ping scans

Scanning IPv6 addresses

Gathering network information with broadcast scripts

Scanning through proxies

Spoofing the origin IP of a scan

Reconnaissance Tasks

Reconnaissance Tasks

Introduction

Performing IP address geolocation

Getting information from WHOIS records

Obtaining traceroute geolocation information

Querying Shodan to obtain target information

Checking whether a host is flagged by Google Safe Browsing for malicious activities

Collecting valid e-mail accounts and IP addresses from web servers

Discovering hostnames pointing to the same IP address

Discovering hostnames by brute forcing DNS records

Obtaining profile information from Google's People API

Matching services with public vulnerability advisories

Scanning Web Servers

Scanning Web Servers

Introduction

Listing supported HTTP methods

Checking whethera web server is an open proxy

Discovering interesting files and folders in web servers

Abusing mod_userdir to enumerate user accounts

Brute forcing HTTP authentication

Brute forcing web applications

Detecting web application firewalls

Detecting possible XST vulnerabilities

Detecting XSS vulnerabilities

Finding SQL injection vulnerabilities

Detecting web servers vulnerable to slowloris denial of service attacks

Finding web applications with default credentials

Detecting web applications vulnerable to Shellshock

Detecting insecure cross-domain policies

Detecting exposed source code control systems

Auditing the strength of cipher suites in SSL servers

Scrapping e-mail accounts from web servers

Scanning Databases

Scanning Databases

Introduction

Listing MySQL databases

Listing MySQL users

Listing MySQL variables

Brute forcing MySQL passwords

Finding root accounts with an empty password in MySQL servers

Detecting insecure configurations in MySQL servers

Brute forcing Oracle passwords

Brute forcing Oracle SID names

Retrieving information from MS SQL servers

Brute forcing MS SQL passwords

Dumping password hashes of MS SQL servers

Running commands through xp_cmdshell in MS SQL servers

Finding system administrator accounts with empty passwords in MS SQL servers

Obtaining information from MS SQL servers with NTLM enabled

Retrieving MongoDB server information

Detecting MongoDB instances with no authentication enabled

Listing MongoDB databases

Listing CouchDB databases

Retrieving CouchDB database statistics

Detecting Cassandra databases with no authentication enabled

Brute forcing Redis passwords

Scanning Mail Servers

Scanning Mail Servers

Introduction

Detecting SMTP open relays

Brute forcing SMTP passwords

Detecting suspicious SMTP servers

Enumerating SMTP usernames

Brute forcing IMAP passwords

Retrieving the capabilities of an IMAP server

Brute forcing POP3 passwords

Retrieving the capabilities of a POP3 server

Retrieving information from SMTP servers with NTLM authentication

Scanning Windows Systems

Scanning Windows Systems

Introduction

Obtaining system information from SMB

Detecting Windows clients with SMB signing disabled

Detecting IIS web servers that disclose Windows 8.3 names

Detecting Windows hosts vulnerable to MS08-067

Retrieving the NetBIOS name and MAC address of a host

Enumerating user accounts of Windows hosts

Enumerating shared folders

Enumerating SMB sessions

Finding domain controllers

Detecting Shadow Brokers' DOUBLEPULSAR SMB implants

Scanning ICS SCADA Systems

Scanning ICS SCADA Systems

Introduction

Finding common ports used in ICS SCADA systems

Finding HMI systems

Enumerating Siemens SIMATIC S7 PLCs

Enumerating Modbus devices

Enumerating BACnet devices

Enumerating Ethernet/IP devices

Enumerating Niagara Fox devices

Enumerating ProConOS devices

Enumerating Omrom PLC devices

Enumerating PCWorx devices

Optimizing Scans

Optimizing Scans

Introduction

Skipping phases to speed up scans

Selecting the correct timing template

Adjusting timing parameters

Adjusting performance parameters

Distributing a scan among several clients using Dnmap

Generating Scan Reports

Generating Scan Reports

Introduction

Saving scan results in a normal format

Saving scan results in an XML format

Saving scan results to a SQLite database

Saving scan results in a grepable format

Generating a network topology graph with Zenmap

Generating HTML scan reports

Reporting vulnerability checks

Generating PDF reports with fop

Saving NSE reports in ElasticSearch

Writing Your Own NSE Scripts

Writing Your Own NSE Scripts

Introduction

Making HTTP requests to identify vulnerable supermicro IPMI/BMC controllers

Sending UDP payloads using NSE sockets

Generating vulnerability reports in NSE scripts

Exploiting a path traversal vulnerability with NSE

Writing brute force password auditing scripts

Crawling web servers to detect vulnerabilities

Working with NSE threads, condition variables, and mutexes in NSE

Writing a new NSE library in Lua

Writing a new NSE library in C/C++

Getting your scripts ready for submission

HTTP, HTTP Pipelining, and Web Crawling Configuration Options

HTTP, HTTP Pipelining, and Web Crawling Configuration Options

HTTP user agent

HTTP pipelining

Configuring the NSE library httpspider

Brute Force Password Auditing Options

Brute Force Password Auditing Options

Brute modes

NSE Debugging

NSE Debugging

Debugging NSE scripts

Exception handling

Additional Output Options

Additional Output Options

Saving output in all formats

Appending Nmap output logs

Including debugging information in output logs

Including the reason for a port or host state

OS detection in verbose mode

Introduction to Lua

Introduction to Lua

Flow control structures

Data types

String handling

Concatenation

Common data structures

I/O operations

Coroutines

Metatables

Things to remember when working with Lua

References and Additional Reading

References and Additional Reading

Retrieving the NetBIOS name and MAC address of a host

NetBIOS name resolution is enabled in most of Windows clients today and even a debugging utility called nbtstat is shipped with Windows to diagnose name resolution problems with NetBIOS over TCP/IP. We can use NetBIOS to obtain useful information such as the computer name, user, and MAC address with one single request.

This recipe shows how to retrieve the NetBIOS information and MAC address of a Windows host with Nmap.

How to do it...

Open your terminal and enter the following Nmap command:

$ nmap -sU -p137 --script nbstat <target>

The NSE script nbstat will return the NetBIOS name, NetBIOS user, and MAC address of the system:

   PORT    STATE SERVICE 
   137/udp open  microsoft-ds 
  ...

CONTINUE READING

83

Tech Concepts

36

Programming languages

73

Tech Tools

Unlimited access to the largest independent learning library in tech of over 8,000 expert-authored tech books and videos.

Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.

50+ new titles added per month and exclusive early access to books as they are being written.

Nmap: Network Exploration and Security Auditing Cookbook

Search

Your notes and bookmarks