Nmap: Network Exploration and Security Auditing Cookbook - Second Edition

Over 100 practical recipes related to network and application security auditing using the powerful Nmap

Author: Paulino Calderon


Book Details

ISBN 13: 9781786467454
Paperback: 416 pages

Book Description

This is the second edition of ‘Nmap 6: Network Exploration and Security Auditing Cookbook’. It is aimed at anyone who wants to master Nmap and its scripting engine through practical tasks for system administrators and penetration testers. Besides introducing the most powerful features of Nmap and related tools, common security auditing tasks for local and remote networks, web applications, databases, mail servers, Microsoft Windows machines and even ICS SCADA systems are explained step by step, with exact commands and explanations of each argument.

The book starts with the basic usage of Nmap and related tools like Ncat, Ncrack, Ndiff and Zenmap. The Nmap Scripting Engine is thoroughly covered through security checks commonly used in real-life scenarios against different types of systems. New chapters for Microsoft Windows and ICS SCADA systems were added and every recipe was revised. This edition reflects the latest updates and hottest additions to the Nmap project to date. The book also introduces you to Lua programming and NSE script development, allowing you to further extend the power of Nmap.

Table of Contents

Chapter 1: Nmap Fundamentals
Introduction
Building Nmap's source code
Finding live hosts in your network
Listing open ports on a target host
Fingerprinting OS and services running on a target host
Using NSE scripts against a target host
Reading targets from a file
Scanning IP address ranges
Scanning random targets on the Internet
Collecting signatures of web servers
Monitoring servers remotely with Nmap and Ndiff
Crafting ICMP echo replies with Nping
Managing multiple scanning profiles with Zenmap
Running Lua scripts against a network connection with Ncat
Discovering systems with weak passwords with Ncrack
Launching Nmap scans remotely from a web browser using Rainmap Lite
Chapter 2: Network Exploration
Introduction
Discovering hosts with TCP SYN ping scans
Discovering hosts with TCP ACK ping scans
Discovering hosts with UDP ping scans
Discovering hosts with ICMP ping scans
Discovering hosts with SCTP INIT ping scans
Discovering hosts with IP protocol ping scans
Discovering hosts with ARP ping scans
Performing advanced ping scans
Discovering hosts with broadcast ping scans
Scanning IPv6 addresses
Gathering network information with broadcast scripts
Scanning through proxies
Spoofing the origin IP of a scan
Chapter 3: Reconnaissance Tasks
Introduction
Performing IP address geolocation
Getting information from WHOIS records
Obtaining traceroute geolocation information
Querying Shodan to obtain target information
Checking whether a host is flagged by Google Safe Browsing for malicious activities
Collecting valid e-mail accounts and IP addresses from web servers
Discovering hostnames pointing to the same IP address
Discovering hostnames by brute forcing DNS records
Obtaining profile information from Google's People API
Matching services with public vulnerability advisories
Chapter 4: Scanning Web Servers
Introduction
Listing supported HTTP methods
Checking whether a web server is an open proxy
Discovering interesting files and folders in web servers
Abusing mod_userdir to enumerate user accounts
Brute forcing HTTP authentication
Brute forcing web applications
Detecting web application firewalls
Detecting possible XST vulnerabilities
Detecting XSS vulnerabilities
Finding SQL injection vulnerabilities
Detecting web servers vulnerable to slowloris denial of service attacks
Finding web applications with default credentials
Detecting web applications vulnerable to Shellshock
Detecting insecure cross-domain policies
Detecting exposed source code control systems
Auditing the strength of cipher suites in SSL servers
Scraping e-mail accounts from web servers
Chapter 5: Scanning Databases
Introduction
Listing MySQL databases
Listing MySQL users
Listing MySQL variables
Brute forcing MySQL passwords
Finding root accounts with an empty password in MySQL servers
Detecting insecure configurations in MySQL servers
Brute forcing Oracle passwords
Brute forcing Oracle SID names
Retrieving information from MS SQL servers
Brute forcing MS SQL passwords
Dumping password hashes of MS SQL servers
Running commands through xp_cmdshell in MS SQL servers
Finding system administrator accounts with empty passwords in MS SQL servers
Obtaining information from MS SQL servers with NTLM enabled
Retrieving MongoDB server information
Detecting MongoDB instances with no authentication enabled
Listing MongoDB databases
Listing CouchDB databases
Retrieving CouchDB database statistics
Detecting Cassandra databases with no authentication enabled
Brute forcing Redis passwords
Chapter 6: Scanning Mail Servers
Introduction
Detecting SMTP open relays
Brute forcing SMTP passwords
Detecting suspicious SMTP servers
Enumerating SMTP usernames
Brute forcing IMAP passwords
Retrieving the capabilities of an IMAP server
Brute forcing POP3 passwords
Retrieving the capabilities of a POP3 server
Retrieving information from SMTP servers with NTLM authentication
Chapter 7: Scanning Windows Systems
Introduction
Obtaining system information from SMB
Detecting Windows clients with SMB signing disabled
Detecting IIS web servers that disclose Windows 8.3 names
Detecting Windows hosts vulnerable to MS08-067
Retrieving the NetBIOS name and MAC address of a host
Enumerating user accounts of Windows hosts
Enumerating shared folders
Enumerating SMB sessions
Finding domain controllers
Detecting Shadow Brokers' DOUBLEPULSAR SMB implants
Chapter 8: Scanning ICS SCADA Systems
Introduction
Finding common ports used in ICS SCADA systems
Finding HMI systems
Enumerating Siemens SIMATIC S7 PLCs
Enumerating Modbus devices
Enumerating BACnet devices
Enumerating Ethernet/IP devices
Enumerating Niagara Fox devices
Enumerating ProConOS devices
Enumerating Omron PLC devices
Enumerating PCWorx devices
Chapter 9: Optimizing Scans
Introduction
Skipping phases to speed up scans
Selecting the correct timing template
Adjusting timing parameters
Adjusting performance parameters
Distributing a scan among several clients using Dnmap
Chapter 10: Generating Scan Reports
Introduction
Saving scan results in a normal format
Saving scan results in an XML format
Saving scan results to a SQLite database
Saving scan results in a grepable format
Generating a network topology graph with Zenmap
Generating HTML scan reports
Reporting vulnerability checks
Generating PDF reports with fop
Saving NSE reports in ElasticSearch
Chapter 11: Writing Your Own NSE Scripts
Introduction
Making HTTP requests to identify vulnerable supermicro IPMI/BMC controllers
Sending UDP payloads using NSE sockets
Generating vulnerability reports in NSE scripts
Exploiting a path traversal vulnerability with NSE
Writing brute force password auditing scripts
Crawling web servers to detect vulnerabilities
Working with NSE threads, condition variables, and mutexes in NSE
Writing a new NSE library in Lua
Writing a new NSE library in C/C++
Getting your scripts ready for submission
Chapter 12: HTTP, HTTP Pipelining, and Web Crawling Configuration Options
HTTP user agent
HTTP pipelining
Configuring the NSE library httpspider
Chapter 13: Brute Force Password Auditing Options
Brute modes
Chapter 14: NSE Debugging
Debugging NSE scripts
Exception handling
Chapter 15: Additional Output Options
Saving output in all formats
Appending Nmap output logs
Including debugging information in output logs
Including the reason for a port or host state
OS detection in verbose mode
Chapter 16: Introduction to Lua
Flow control structures
Data types
String handling
Concatenation
Common data structures
I/O operations
Coroutines
Metatables
Things to remember when working with Lua
Chapter 17: References and Additional Reading

What You Will Learn

  • Learn about Nmap and related tools, such as Ncat, Ncrack, Ndiff, Zenmap and the Nmap Scripting Engine
  • Master basic and advanced techniques to perform port scanning and host discovery
  • Detect insecure configurations and vulnerabilities in web servers, databases, and mail servers
  • Learn how to detect insecure Microsoft Windows workstations and scan networks that use Active Directory
  • Learn how to safely identify and scan critical ICS/SCADA systems
  • Learn how to optimize the performance and behavior of your scans
  • Learn about advanced reporting
  • Learn the fundamentals of Lua programming
  • Become familiar with the development libraries shipped with the NSE
  • Write your own Nmap Scripting Engine scripts
