book

Nmap 6: Network Exploration and Security Auditing Cookbook

Name: Nmap 6: Network Exploration and Security Auditing Cookbook
Author: Paulino Calderon
ISBN: 9781849517485

by Paulino Calderon

November 2012

Intermediate to advanced

318 pages

6h 36m

English

Packt Publishing

Read now

Unlock full access

Nmap 6: Network Exploration and Security Auditing Cookbook
Table of Contents
Nmap 6: Network Exploration and Security Auditing Cookbook
Credits
About the Author
Acknowledgement
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers and moreWhy Subscribe?Free Access for Packt account holders
Preface
What this book covers
What you need for this book

Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example codeErrataPiracyQuestions
1. Nmap Fundamentals
Introduction
Downloading Nmap from the official source code repository
Getting readyHow to do it...How it works...There's more...Experimenting with development branchesKeeping your source code up-to-dateSee also
Compiling Nmap from source code
Getting readyHow to do it...How it works...There's more...OpenSSL development librariesConfigure directivesPrecompiled packagesSee also
Listing open ports on a remote host
How to do it...How it works...There's more...Privileged versus unprivilegedPort statesPort scanning techniques supported by NmapSee also
Fingerprinting services of a remote host
How to do it...How it works...There's more...Aggressive detectionSubmitting service fingerprintsSee also
Finding live hosts in your network
How to do it...How it works...There's more...TracerouteNSE scriptsSee also
Scanning using specific port ranges
How to do it...How it works...There's more...See also
Running NSE scripts
How to do it...How it works...There's more...NSE script argumentsAdding new scriptsNSE script categoriesSee also
Scanning using a specified network interface
How to do it...How it works...There's more...Checking a TCP connectionSee also
Comparing scan results with Ndiff
Getting readyHow to do it...How it works...There's more...Output formatVerbose modeSee also
Managing multiple scanning profiles with Zenmap
How to do it...How it works...There's more...Editing and deleting a scan profileSee also
Detecting NAT with Nping
How to do it...How it works...There's more...Nping Echo ProtocolSee also
Monitoring servers remotely with Nmap and Ndiff
How to do it...How it works...There's more...Monitoring specific servicesSee also
2. Network Exploration
Introduction
Discovering hosts with TCP SYN ping scans
How to do it...How it works...There's more...Privileged versus unprivileged TCP SYN ping scanFirewalls and traffic filtersSee also
Discovering hosts with TCP ACK ping scans
How to do it...How it works...There's more...Privileged versus unprivileged TCP ACK ping scanSelecting ports in TCP ACK ping scansSee also
Discovering hosts with UDP ping scans
How to do it...How it works...There's more...Selecting ports in UDP ping scansSee also
Discovering hosts with ICMP ping scans
How to do it...How it works...There's more...ICMP typesSee also
Discovering hosts with IP protocol ping scans
How to do it...How it works...There's more...Supported IP protocols and their payloadsSee also
Discovering hosts with ARP ping scans
How to do it...How it works...There's more...MAC address spoofingSee also
Discovering hosts using broadcast pings
How to do it...How it works...There's more...Target librarySee also
Hiding our traffic with additional random data
How to do it...How it works...There's more...See also
Forcing DNS resolution
How to do it...How it works...There's more...Specifying different DNS nameserversSee also
Excluding hosts from your scans
How to do it...How it works...There's more...Excluding a host list from your scansSee also
Scanning IPv6 addresses
How to do it...How it works...There's more...OS detection in IPv6 scanningSee also
Gathering network information with broadcast scripts
How to do it...How it works...There's more...Target librarySee also
3. Gathering Additional Host Information
Introduction
Geolocating an IP address
Getting readyHow to do it...How it works...There's more...Submitting a new geo-location providerSee also
Getting information from WHOIS records
How to do it...How it works...There's more...Disabling cache and the implications of thisSee also
Checking if a host is known for malicious activities
Getting readyHow to do it...How it works...There's more...See also
Collecting valid e-mail accounts
Getting readyHow to do it...How it works...There's more...NSE script argumentsHTTP User AgentSee also
Discovering hostnames pointing to the same IP address
Getting readyHow to do it...How it works...There's more...See also
Brute forcing DNS records
How to do it...How it works...There's more...Target librarySee also
Fingerprinting the operating system of a host
How to do it...How it works...There's more...OS detection in verbose modeSubmitting new OS fingerprintsSee also
Discovering UDP services
How to do it...How it works...There's more...Port selectionSee also
Listing protocols supported by a remote host
How to do it...How it works...There's more...Customizing the IP protocol scanSee also
Discovering stateful firewalls by using a TCP ACK scan
How to do it...How it works...There's more...Port statesSee also
Matching services with known security vulnerabilities
Getting readyHow to do it...How it works...There's more...See also
Spoofing the origin IP of a port scan
Getting readyHow to do it...How it works...There's more...The IP ID sequence numberSee also
4. Auditing Web Servers
Introduction
Listing supported HTTP methods
How to do it...How it works...There's more...Interesting HTTP methodsHTTP User AgentHTTP pipeliningSee also
Checking if an HTTP proxy is open
How to do it...How it works...There's more...HTTP User AgentSee also
Discovering interesting files and directories on various web servers
How to do it...How it works...There's more...HTTP User AgentHTTP pipeliningSee also
Brute forcing HTTP authentication
How to do it...How it works...There's more...HTTP User AgentHTTP pipeliningBrute modesSee also
Abusing mod_userdir to enumerate user accounts
How to do it...How it works...There's more...HTTP User AgentHTTP pipeliningSee also
Testing default credentials in web applications
How to do it...How it works...There's more...HTTP User AgentSee also
Brute-force password auditing WordPress installations
How to do it...How it works...There's more...HTTP User AgentBrute modesSee also
Brute-force password auditing Joomla! installations
How to do it...How it works...There's more...HTTP User AgentBrute modesSee also
Detecting web application firewalls
How to do it...How it works...There's more...HTTP User AgentHTTP pipeliningSee also
Detecting possible XST vulnerabilities
How to do it...How it works...There's more...HTTP User AgentSee also
Detecting Cross Site Scripting vulnerabilities in web applications
How to do it...How it works...There's more...HTTP User AgentHTTP pipeliningSee also
Finding SQL injection vulnerabilities in web applications
How to do it...How it works...There's more...HTTP User AgentHTTP pipeliningSee also
Detecting web servers vulnerable to slowloris denial of service attacks
How to do it...How it works...There's more...HTTP User AgentSee also
5. Auditing Databases
Introduction
Listing MySQL databases
How to do it...How it works...There's more...See also
Listing MySQL users
How to do it...How it works...There's more...See also
Listing MySQL variables
How to do it...How it works...There's more...See also
Finding root accounts with empty passwords in MySQL servers
How to do it...How it works...There's more...See also
Brute forcing MySQL passwords
How to do it...How it works...There's more...Brute modesSee also
Detecting insecure configurations in MySQL servers
How to do it...How it works...There's more...See also
Brute forcing Oracle passwords
How to do it...How it works...There's more...Brute modesSee also
Brute forcing Oracle SID names
How to do it...How it works...There's more...See also
Retrieving MS SQL server information
How to do it...How it works...There's more...Force scanned ports only in NSE scripts for MS SQLSee also
Brute forcing MS SQL passwords
How to do it...How it works...There's more...Brute modesSee also
Dumping the password hashes of an MS SQL server
How to do it...How it works...There's more...See also
Running commands through the command shell on MS SQL servers
How to do it...How it works...There's more...See also
Finding sysadmin accounts with empty passwords on MS SQL servers
How to do it...How it works...There's more...Force scanned ports only in NSE scripts for MS SQLSee also
Listing MongoDB databases
How to do it...How it works...There's more...See also
Retrieving MongoDB server information
How to do it...How it works...There's more...See also
Listing CouchDB databases
How to do it...How it works...There's more...See also
Retrieving CouchDB database statistics
How to do it...How it works...There's more...See also
6. Auditing Mail Servers
Introduction
Discovering valid e-mail accounts using Google Search
Getting readyHow to do it...How it works...There's more...Debugging NSE scriptsSee also
Detecting open relays
How to do it...How it works...There's more...Debugging NSE scriptsSee also
Brute forcing SMTP passwords
How to do it...How it works...There's more...Brute modesDebugging NSE scriptsSee also
Enumerating users in an SMTP server
How to do it...How it works...There's more...Debugging NSE scriptsSee also
Detecting backdoor SMTP servers
How to do it...How it works...There's more...See also
Brute forcing IMAP passwords
How to do it...How it works...There's more...Brute modesDebugging NSE scriptsSee also
Retrieving the capabilities of an IMAP mail server
How to do it...How it works...There's more...Debugging NSE scriptsSee also
Brute forcing POP3 passwords
How to do it...How it works...There's more...Debugging NSE scriptsSee also
Retrieving the capabilities of a POP3 mail server
How to do it...How it works...There's more...Debugging NSE scriptsSee also
Detecting vulnerable Exim SMTP servers version 4.70 through 4.75
How to do it...How it works...There's more...Debugging NSE scriptsSee also
7. Scanning Large Networks
Introduction
Scanning an IP address range
How to do it...How it works...There's more...CIDR notationPrivileged versus unprivilegedPort statesPort scanning techniquesSee also
Reading targets from a text file
How to do it...How it works...There's more...CIDR notationExcluding a host list from your scansSee also
Scanning random targets
How to do it...How it works...There's more...Legal issues with port scanningTarget librarySee also
Skipping tests to speed up long scans
How to do it...How it works...There's more...Scanning phases of NmapDebugging Nmap scansAggressive detectionSee also
Selecting the correct timing template
How to do it...How it works...There's more...See also
Adjusting timing parameters
How to do it...How it works...There's more...Scanning phases of NmapDebugging Nmap scansSee also
Adjusting performance parameters
How to do it...How it works...There's more...Scanning phases of NmapDebugging Nmap scansSee also
Collecting signatures of web servers
How to do it...How it works...There's more...HTTP User AgentSee also
Distributing a scan among several clients using Dnmap
Getting readyHow to do it...How it works...There's more...Dnmap statisticsSee also
8. Generating Scan Reports
Introduction
Saving scan results in normal format
How to do it...How it works...There's more...Saving Nmap's output in all formatsIncluding debugging information in output logsIncluding the reason for a port or host stateAppending Nmap output logsOS detection in verbose modeSee also
Saving scan results in an XML format
How to do it...How it works...There's more...Saving Nmap's output in all formatsAppending Nmap output logsStructured script output for NSESee also
Saving scan results to a SQLite database
Getting ReadyHow to do it...How it works...There's more...Dumping the database in CSV formatFixing outputpbnjSee also
Saving scan results in a grepable format
How to do it...How it works...There's more...Saving Nmap's output in all formatsAppending Nmap output logsSee also
Generating a network topology graph with Zenmap
How to do it...How it works...There's more...See also
Generating an HTML scan report
Getting Ready...How to do it...How it works...There's more...See also
Reporting vulnerability checks performed during a scan
How to do it...How it works...There's more...See also
9. Writing Your Own NSE Scripts
Introduction
Making HTTP requests to identify vulnerable Trendnet webcams
How to do it...How it works...There's more...Debugging Nmap scriptsSetting the user agent pragmaticallyHTTP pipeliningSee also
Sending UDP payloads by using NSE sockets
How to do it...How it works...There's more...Exception handlingDebugging Nmap scriptsSee also
Exploiting a path traversal vulnerability with NSE
How to do it...How it works...There's more...Debugging NSE scriptsSetting the user agent pragmaticallyHTTP pipeliningSee also
Writing a brute force script
How to do it...How it works...There's more...Debugging NSE scriptsException handlingBrute modesSee also
Working with the web crawling library
How to do it...How it works...There's more...Debugging NSE scriptsSetting the user agent pragmaticallyHTTP pipeliningException handlingSee also
Reporting vulnerabilities correctly in NSE scripts
How to do it...How it works...There's more...Vulnerability states of the library vulnsSee also
Writing your own NSE library
How to do it...How it works...There's more...Debugging NSE scriptsException handlingImporting modules in CSee also
Working with NSE threads, condition variables, and mutexes in NSE
How to do it...How it works...There's more...Debugging NSE scriptsException handlingSee also
A. References
Index

Content preview from Nmap 6: Network Exploration and Security Auditing Cookbook

Comparing scan results with Ndiff

Ndiff was designed to address the issues of using diff with two XML scan results. It compares files by removing false positives and producing a more readable output, which is perfect for anyone who needs to keep a track of the scan results.

This recipe describes how to compare two Nmap scans to detect the changes in a host.

Getting ready

Ndiff requires two Nmap XML files to work, so make sure you have previously saved the scan results of the same host. If you haven't, you can always scan your own network, deactivate a service, and scan again to get these two test files. To save the results of an Nmap scan into an XML file use -oX <filename>.

How to do it...

Open your terminal.
Enter the following command:
```
$ ndiff FILE1 ...
```

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Nmap: Network Exploration and Security Auditing Cookbook - Second Edition

Publisher Resources

ISBN: 9781849517485Other

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design