From: Nmap Network Exploration and Security Auditing Cookbook, Third Edition

Product type: Book
Published in: Sep 2021
Publisher: Packt
ISBN-13: 9781838649357
Edition: 3rd Edition
Author: Paulino Calderon

Paulino Calderon (@calderpwn on Twitter) is the cofounder of Websec, a company offering information security consulting services based in Mexico and Canada. When he is not traveling to a security conference or conducting on-site consulting for Fortune 500 companies, he spends peaceful days in Cozumel, a beautiful small island in the Caribbean, learning new technologies, conducting big data experiments, developing new tools, and finding bugs in software. Paulino is active in the open source community, and his contributions are used by millions of people in the information security industry. In 2011, Paulino joined the Nmap team during the Google Summer of Code to work on the project as an NSE developer. He focused on improving the web scanning capabilities of Nmap, and he has kept contributing to the project since then. In addition, he has been a mentor for students who focused on vulnerability detection during the Google Summer of Code 2015 and 2017. He has published Nmap 6: Network Exploration and Security Auditing Cookbook and Mastering the Nmap Scripting Engine, which cover practical tasks with Nmap and NSE development in depth. He loves attending information security conferences, and he has given talks and participated in workshops in dozens of events in Canada, the United States, Mexico, Colombia, Peru, Bolivia, and Curacao.

Chapter 4: Reconnaissance Tasks

The most important process during a security assessment is the information gathering phase, as you have probably heard from countless bug bounty hunters these days. In this phase, we discover assets and enumerate the attack surface of our target to learn as much as possible, since every bit of information could help. Normally, in this phase, we gather all the information we can find, including usernames, possible passwords, hostnames, IP addresses, external providers, and internal services, including version banners, among many other interesting bits of data. The information we discover could be invaluable in further stages of our security assessment.

There are thousands of reconnaissance tasks that you can perform during assessments. However, the Nmap Scripting Engine (NSE) has the advantage of having the internal results obtained from the scans, in addition to external data sources that complement the many standalone tools that help us complete...

Performing IP address geolocation

Identifying the location of an IP address may help system administrators or threat intelligence analysts identify the origin of a network connection. Nmap ships with several NSE scripts that help us perform geolocation of a remote IP address: ip-geolocation-maxmind, ip-geolocation-ipinfodb, ip-geolocation-geoplugin, ip-geolocation-map-bing, ip-geolocation-map-google, and ip-geolocation-map-kml.

This recipe will show you how to set up and use the geolocation scripts included with NSE.

Getting ready

Of the scripts mentioned previously, only ip-geolocation-geoplugin does not require an API key. The ip-geolocation-maxmind script depends on a database that is not included in Nmap by default. Sign up and download MaxMind's GeoLite City database from http://dev.maxmind.com/geoip/legacy/geolite/ and place it in your local Nmap data folder (/nselib/data/). Note that the database format has changed, and it is no longer a plaintext .dat file....

Getting information from WHOIS records

WHOIS records contain useful information, such as the registrar/organization name, creation and expiration dates, geographical location, and abuse contact information, among other potentially interesting fields. System administrators, IT staff, and other security professionals have been using WHOIS records for years, and although there are many tools and websites available to query this information, Nmap can process IP ranges and target lists in many formats to perform this task in batch.

This recipe will show you how to retrieve the WHOIS records of an IP address or domain name with Nmap.

How to do it...

  1. Open a terminal and enter the following command:
    $ nmap -sn --script whois-* <target>
  2. The output will look similar to the following:
    Host script results:
    | whois-domain: 
    | 
    | Domain name record found at whois.mx
    | \x0D
    | Domain Name:       websec.mx\x0D
    | \x0D
    | Created On:   ...

Obtaining traceroute geolocation information

Nmap can map network paths by tracing the hops between the origin and destination. Geographical information can be useful when tracing events, and we can include it with Nmap's traceroute functionality with some help from the traceroute-geolocation NSE script.

In this recipe, we will use Nmap to obtain the traceroute geolocation information of a remote target.

How to do it...

  1. To obtain the traceroute geolocation information of the intermediary hops, use the following command:
    # nmap --traceroute --script traceroute-geolocation <target>
  2. The remote hops will have geolocation information next to the hostname and IP address in the script output:
    Host script results:
    | traceroute-geolocation: 
    |   HOP  RTT    ADDRESS                          ...

Querying Shodan to obtain target information

Shodan is a search engine for internet-connected devices. It is a useful source of information that even includes port and banner information of remote targets, among other interesting data. One of the advantages of passively port scanning with Shodan is that we don't need to communicate directly with the target to obtain the list of open ports, protocols, and service banners.

In this recipe, you will learn how to use Shodan to enumerate services and their versions from remote hosts with Nmap.

Getting ready

The shodan-api NSE script needs an API key before it can be used. Shodan offers free developer API plans that you can obtain by signing up at https://developer.shodan.io/.

Once registered, copy your Shodan API key before continuing.

How to do it...

  1. To obtain host information of a remote target from Shodan, use the following command:
    $ nmap -sn -Pn -n --script shodan-api --script-args shodan...

Collecting valid email accounts and IP addresses from web servers

Valid email accounts are useful in penetration testing engagements because they can be used for exploiting trust relationships in phishing attacks, password auditing of mail servers, and as usernames in many different systems.

This recipe illustrates how to find a list of public email accounts with Nmap.

How to do it...

  1. Open your terminal and enter the following command:
    $ nmap -p <Web Server Port> --script http-grep <target>
  2. Nmap will crawl the web application and return any interesting information found, including email addresses:
    PORT    STATE SERVICE                                                      ...

Discovering hostnames pointing to the same IP address

Web servers return different content depending on the hostname sent in the HTTP Host request header. By discovering new hostnames, penetration testers can access target web applications that were inaccessible using the server's IP address alone, thus expanding the attack surface.

This recipe shows how to discover new hostnames pointing to the same IP address.

How to do it...

  1. To discover hostnames pointing to the same IP address, use the following Nmap command:
    $ nmap -sn --script hostmap-* <target>
  2. The hostmap-crtsh script returns all records that match the given IP address by querying the external service at https://crt.sh. The other hostmap scripts are currently broken because of changes in the APIs they use, but they are expected to work again in the future. If there are records in the public database, they will be included in the results:
    Host script results:
    | hostmap-crtsh: 
    |   subdomains...

Discovering hostnames by brute-forcing DNS records

DNS records hold a surprising amount of information, and by brute-forcing or guessing them, we can reveal additional targets. DNS entry names often give away information; for example, a DNS A record named mail indicates that we are dealing with a mail server, and a few years ago Cloudflare's default DNS entry named direct would usually point to the origin IP address that the service was meant to protect.

This recipe shows how to discover DNS records using word lists with Nmap.

How to do it...

  1. To discover new DNS entries, run the following Nmap command:
    $ nmap -sn --script dns-brute <target>
  2. DNS entries will be listed for each of the targets:
    Host script results:
    | dns-brute: 
    |   DNS Brute-force hostnames: 
    |     ipv6.websec.mx - 104.28.4.21
    |     ipv6.websec.mx - 104.28.5.21
    |     ipv6.websec.mx - 172.67.129.81
    |  ...
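The dns-brute output above is a flat list of hostname/address pairs, and the useful questions (which names share an address, which names leak internal addresses) need a second pass over it. The following script is an added example, not code from the book or from the Nmap project: it parses a constructed dns-brute block in Nmap's normal output format (example.test names, addresses from the documentation ranges and RFC 1918 space, all made up for the example), groups addresses per hostname, inverts the mapping to show which names point at the same address (the question the hostmap-* recipe answers from crt.sh), and flags public names that resolve into private address space. The function names and the layout of the sample output are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of dns-brute normal output, in the format the recipe
# shows. The names and addresses are made up (documentation ranges
# 203.0.113.0/24, 198.51.100.0/24, 2001:db8::/32 and RFC 1918 10.0.0.0/8);
# they are not real resolution results.
SAMPLE_OUTPUT = """\
Host script results:
| dns-brute:
|   DNS Brute-force hostnames:
|     ipv6.example.test - 203.0.113.21
|     ipv6.example.test - 2001:db8::21
|     www.example.test - 203.0.113.21
|     mail.example.test - 203.0.113.25
|     direct.example.test - 198.51.100.7
|     intranet.example.test - 10.0.0.5
|_    dev.example.test - 198.51.100.7
| hostmap-crtsh:
|_  subdomains: (omitted)
"""

# A script header line: "| dns-brute:" (Nmap uses "|_name:" for one-line results).
SCRIPT_RE = re.compile(r"^\|[_ ]([\w-]+):")
# One "hostname - address" result line; the last line of a block starts with "|_".
ENTRY_RE = re.compile(
    r"^\|[_ ]\s+(?P<host>[A-Za-z0-9._-]+)\s+-\s+(?P<addr>[0-9A-Fa-f:.]+)\s*$"
)


def parse_dns_brute(text):
    """Extract (hostname, address) pairs from the dns-brute block of Nmap's
    normal output, ignoring lines that belong to other scripts."""
    pairs = []
    current = None
    for line in text.splitlines():
        header = SCRIPT_RE.match(line)
        if header:
            current = header.group(1)
            continue
        if current != "dns-brute":
            continue
        entry = ENTRY_RE.match(line)
        if not entry:
            continue
        try:
            ipaddress.ip_address(entry.group("addr"))  # drop malformed addresses
        except ValueError:
            continue
        pairs.append((entry.group("host"), entry.group("addr")))
    return pairs


def addresses_by_host(pairs):
    """Map each hostname to the sorted list of addresses it resolved to."""
    by_host = defaultdict(set)
    for host, addr in pairs:
        by_host[host].add(addr)
    return {h: sorted(a) for h, a in by_host.items()}


def hosts_by_address(pairs):
    """Invert the result: which discovered hostnames point at each address."""
    by_addr = defaultdict(set)
    for host, addr in pairs:
        by_addr[addr].add(host)
    return {a: sorted(h) for a, h in by_addr.items()}


def shared_addresses(pairs):
    """Addresses that more than one discovered hostname points to (virtual
    hosts on one server, or a shared front end such as a CDN)."""
    return {a: hs for a, hs in hosts_by_address(pairs).items() if len(hs) > 1}


# Private, unique-local and loopback ranges; a public zone should not
# normally publish names that resolve into these.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "::1/128")]


def internal_leaks(pairs):
    """Public DNS names resolving to internal addresses, which usually means
    internal records were published in the external zone."""
    leaks = []
    for host, addr in pairs:
        ip = ipaddress.ip_address(addr)
        # ip_network.__contains__ returns False for a mismatched IP version.
        if any(ip in net for net in INTERNAL_NETS):
            leaks.append((host, addr))
    return leaks


if __name__ == "__main__":
    found = parse_dns_brute(SAMPLE_OUTPUT)
    for host, addrs in sorted(addresses_by_host(found).items()):
        print(f"{host}: {', '.join(addrs)}")
    for addr, hosts in sorted(shared_addresses(found).items()):
        print(f"shared {addr}: {', '.join(hosts)}")
    for host, addr in internal_leaks(found):
        print(f"internal address published: {host} -> {addr}")
```

To use it on a real run, save Nmap's normal output with -oN and pass the file contents to parse_dns_brute; the parser keys on the "| dns-brute:" header, so it is unaffected by other host scripts in the same report.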

Matching services with public vulnerability advisories and picking the low-hanging fruit

Version discovery is essential to penetration testers and system administrators as they can use version banners to find public security vulnerabilities affecting a service. NSE allows us to match popular vulnerability databases with the versions of services obtained from our scan automatically.

This recipe shows how to list public security advisories that could possibly affect a service discovered with Nmap.

How to do it...

  1. To match security advisories with the service versions obtained from the version detection engine, use the following command:
    # nmap -sV --script vulners <target>
  2. The NSE vulners script will return all security advisories in the database at https://vulners.com that match the detected service version:
    Nmap scan report for scanme.nmap.org (45.33.32.156)
    Host is up (0.090s latency).
    Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff...