
Nmap: Network Exploration and Security Auditing Cookbook - Second Edition

Book Description

Over 100 practical recipes related to network and application security auditing using the powerful Nmap

About This Book

  • Learn through practical recipes how to use Nmap for a wide range of tasks for system administrators and penetration testers.
  • Learn the latest and most useful features of Nmap and the Nmap Scripting Engine.
  • Learn to audit the security of networks, web applications, databases, mail servers, Microsoft Windows servers/workstations and even ICS systems.
  • Learn to develop your own modules for the Nmap Scripting Engine.
  • Become familiar with Lua programming.
  • 100% practical tasks, relevant and explained step by step with exact commands and a description of optional arguments

Who This Book Is For

The book is for anyone who wants to master Nmap and its scripting engine to perform real-life security auditing checks as a system administrator or penetration tester. It is also recommended to anyone looking to learn about network security auditing. Finally, novice Nmap users will learn a lot from this book, as it covers several advanced internal aspects of Nmap and related tools.

What You Will Learn

  • Learn about Nmap and related tools, such as Ncat, Ncrack, Ndiff, Zenmap and the Nmap Scripting Engine
  • Master basic and advanced techniques to perform port scanning and host discovery
  • Detect insecure configurations and vulnerabilities in web servers, databases, and mail servers
  • Learn how to detect insecure Microsoft Windows workstations and scan networks using the Active Directory technology
  • Learn how to safely identify and scan critical ICS/SCADA systems
  • Learn how to optimize the performance and behavior of your scans
  • Learn about advanced reporting
  • Learn the fundamentals of Lua programming
  • Become familiar with the development libraries shipped with the NSE
  • Write your own Nmap Scripting Engine scripts

In Detail

This is the second edition of 'Nmap 6: Network Exploration and Security Auditing Cookbook'. It is aimed at anyone who wants to master Nmap and its scripting engine through practical tasks for system administrators and penetration testers. Besides introducing the most powerful features of Nmap and related tools, common security auditing tasks for local and remote networks, web applications, databases, mail servers, Microsoft Windows machines and even ICS SCADA systems are explained step by step with exact commands and argument explanations.

The book starts with the basic usage of Nmap and related tools like Ncat, Ncrack, Ndiff and Zenmap. The Nmap Scripting Engine is thoroughly covered through security checks commonly used in real-life scenarios against different types of systems. New chapters for Microsoft Windows and ICS SCADA systems were added and every recipe was revised. This edition reflects the latest updates and hottest additions to the Nmap project to date. The book will also introduce you to Lua programming and NSE script development, allowing you to further extend the power of Nmap.

Style and approach

This book consists of practical recipes on network exploration and security auditing techniques, enabling you to get hands-on experience through real-life scenarios.

Downloading the example code for this book: you can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to have the code files sent to you.

Table of Contents

  1. Preface
    1. What this book covers
    2. What you need for this book
    3. Who this book is for
    4. Sections
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. There's more...
      5. See also
    5. Conventions
    6. Reader feedback
    7. Customer support
      1. Downloading the color images of this book
      2. Errata
      3. Piracy
      4. Questions
  2. Nmap Fundamentals
    1. Introduction
    2. Building Nmap's source code
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. There's more...
        1. Experimental branches
        2. Updating your local working copy
        3. Customizing the building process
        4. Precompiled packages
    3. Finding live hosts in your network
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Tracing routes
        2. Running the Nmap Scripting Engine during host discovery
        3. Exploring more ping scanning techniques
    4. Listing open ports on a target host
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Privileged versus unprivileged
        2. Scanning specific port ranges
        3. Selecting a network interface
        4. More port scanning techniques
    5. Fingerprinting OS and services running on a target host
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Increasing version detection intensity
        2. Aggressive detection mode
        3. Configuring OS detection
        4. OS detection in verbose mode
        5. Submitting new OS and service fingerprints
    6. Using NSE scripts against a target host
      1. How to do it...
      2. How it works...
      3. There's more...
        1. NSE script arguments
        2. Script selection
        3. Debugging NSE scripts
        4. Adding new scripts
    7. Reading targets from a file
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Excluding a host list from your scans
    8. Scanning IP address ranges
      1. How to do it...
      2. How it works...
      3. There's more...
        1. CIDR notation
    9. Scanning random targets on the Internet
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Legal issues with port scanning
    10. Collecting signatures of web servers
      1. How to do it...
      2. How it works...
      3. There's more...
    11. Monitoring servers remotely with Nmap and Ndiff
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. There's more...
        1. Monitoring specific services
    12. Crafting ICMP echo replies with Nping
      1. How to do it...
      2. How it works...
      3. There's more...
    13. Managing multiple scanning profiles with Zenmap
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Zenmap scanning profiles
        2. Editing or deleting a scan profile
    14. Running Lua scripts against a network connection with Ncat
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Other ways of executing external commands with Ncat
    15. Discovering systems with weak passwords with Ncrack
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. There's more...
        1. Configuring authentication options
        2. Pausing and resuming attacks
    16. Launching Nmap scans remotely from a web browser using Rainmap Lite
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. There's more...
        1. Custom arguments
  3. Network Exploration
    1. Introduction
    2. Discovering hosts with TCP SYN ping scans
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Privileged versus unprivileged TCP SYN ping scan
        2. Firewalls and traffic filtering
    3. Discovering hosts with TCP ACK ping scans
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Privileged versus unprivileged TCP ACK ping scans
        2. Selecting ports in TCP ACK ping scans
    4. Discovering hosts with UDP ping scans
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Selecting ports in UDP ping scans
    5. Discovering hosts with ICMP ping scans
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Local versus remote networks
        2. ICMP types
    6. Discovering hosts with SCTP INIT ping scans
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Unprivileged SCTP INIT ping scans
        2. Selecting ports in SCTP INIT ping scans
    7. Discovering hosts with IP protocol ping scans
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Setting alternate IP protocols
        2. Generating random data for the IP packets
        3. Supported IP protocols and their payloads
    8. Discovering hosts with ARP ping scans
      1. How to do it...
      2. How it works...
      3. There's more...
        1. MAC address spoofing
        2. IPv6 scanning
    9. Performing advanced ping scans
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Ping probe effectiveness
    10. Discovering hosts with broadcast ping scans
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Broadcast ping options
        2. Target library
    11. Scanning IPv6 addresses
      1. How to do it...
      2. How it works...
      3. There's more...
        1. IPv6 fingerprinting
        2. Discovering new IPv6 targets
    12. Gathering network information with broadcast scripts
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Script selection
        2. Target library
    13. Scanning through proxies
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Proxychains
    14. Spoofing the origin IP of a scan
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. There's more...
        1. Choosing your zombie host wisely
        2. The IP ID sequence number
  4. Reconnaissance Tasks
    1. Introduction
    2. Performing IP address geolocation
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. There's more...
        1. Submitting a new geolocation provider
    3. Getting information from WHOIS records
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Selecting service providers
        2. Ignoring referral records
        3. Disabling cache
    4. Obtaining traceroute geolocation information
      1. How to do it...
      2. How it works...
      3. There's more...
    5. Querying Shodan to obtain target information
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. There's more...
        1. Saving the results in CSV files
        2. Specifying a single target
    6. Checking whether a host is flagged by Google Safe Browsing for malicious activities
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. There's more...
    7. Collecting valid e-mail accounts and IP addresses from web servers
      1. How to do it...
      2. How it works...
      3. There's more...
    8. Discovering hostnames pointing to the same IP address
      1. How to do it...
      2. How it works...
      3. There's more...
    9. Discovering hostnames by brute forcing DNS records
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Customizing the dictionary
        2. Adjusting the number of threads
        3. Specifying a DNS server
        4. Using the NSE library target
    10. Obtaining profile information from Google's People API
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. There's more...
    11. Matching services with public vulnerability advisories
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. There's more...
  5. Scanning Web Servers
    1. Introduction
    2. Listing supported HTTP methods
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Interesting HTTP methods
    3. Checking whether a web server is an open proxy
      1. How to do it...
      2. How it works...
      3. There's more...
    4. Discovering interesting files and folders in web servers
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Using a Nikto database
    5. Abusing mod_userdir to enumerate user accounts
      1. How to do it...
      2. How it works...
      3. There's more...
    6. Brute forcing HTTP authentication
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Brute modes
    7. Brute forcing web applications
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Brute forcing WordPress installations
    8. Detecting web application firewalls
      1. How to do it...
      2. How it works...
      3. There's more...
    9. Detecting possible XST vulnerabilities
      1. How to do it...
      2. How it works...
      3. There's more...
    10. Detecting XSS vulnerabilities
      1. How to do it...
      2. How it works...
      3. There's more...
    11. Finding SQL injection vulnerabilities
      1. How to do it...
      2. How it works...
      3. There's more...
    12. Detecting web servers vulnerable to slowloris denial of service attacks
      1. How to do it...
      2. How it works...
      3. There's more...
    13. Finding web applications with default credentials
      1. How to do it...
      2. How it works...
      3. There's more...
    14. Detecting web applications vulnerable to Shellshock
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Executing commands remotely
          1. Spidering web servers to find vulnerable applications
    15. Detecting insecure cross-domain policies
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Finding attacking domains available for purchase
    16. Detecting exposed source code control systems
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Obtaining information from subversion source code control systems
    17. Auditing the strength of cipher suites in SSL servers
      1. How to do it...
      2. How it works...
      3. There's more...
    18. Scraping e-mail accounts from web servers
      1. How to do it...
      2. How it works...
      3. There's more...
  6. Scanning Databases
    1. Introduction
    2. Listing MySQL databases
      1. How to do it...
      2. How it works...
      3. There's more...
    3. Listing MySQL users
      1. How to do it...
      2. How it works...
      3. There's more...
    4. Listing MySQL variables
      1. How to do it...
      2. How it works...
      3. There's more...
    5. Brute forcing MySQL passwords
      1. How to do it...
      2. How it works...
      3. There's more...
    6. Finding root accounts with an empty password in MySQL servers
      1. How to do it...
      2. How it works...
      3. There's more...
    7. Detecting insecure configurations in MySQL servers
      1. How to do it...
      2. How it works...
      3. There's more...
    8. Brute forcing Oracle passwords
      1. How to do it...
      2. How it works...
      3. There's more...
    9. Brute forcing Oracle SID names
      1. How to do it...
      2. How it works...
      3. There's more...
    10. Retrieving information from MS SQL servers
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Force-scanned ports only in NSE scripts for MS SQL
    11. Brute forcing MS SQL passwords
      1. How to do it...
      2. How it works...
      3. There's more...
    12. Dumping password hashes of MS SQL servers
      1. How to do it...
      2. How it works...
      3. There's more...
    13. Running commands through xp_cmdshell in MS SQL servers
      1. How to do it...
      2. How it works...
      3. There's more...
    14. Finding system administrator accounts with empty passwords in MS SQL servers
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Force-scanned ports only in MS SQL scripts
    15. Obtaining information from MS SQL servers with NTLM enabled
      1. How to do it...
      2. How it works...
      3. There's more...
    16. Retrieving MongoDB server information
      1. How to do it...
      2. How it works...
      3. There's more...
    17. Detecting MongoDB instances with no authentication enabled
      1. How to do it...
      2. How it works...
      3. There's more...
    18. Listing MongoDB databases
      1. How to do it...
      2. How it works...
      3. There's more...
    19. Listing CouchDB databases
      1. How to do it...
      2. How it works...
      3. There's more...
    20. Retrieving CouchDB database statistics
      1. How to do it...
      2. How it works...
      3. There's more...
    21. Detecting Cassandra databases with no authentication enabled
      1. How to do it...
      2. How it works...
      3. There's more...
    22. Brute forcing Redis passwords
      1. How to do it...
      2. How it works...
      3. There's more...
  7. Scanning Mail Servers
    1. Introduction
    2. Detecting SMTP open relays
      1. How to do it...
      2. How it works...
      3. There's more...
    3. Brute forcing SMTP passwords
      1. How to do it...
      2. How it works...
      3. There's more...
    4. Detecting suspicious SMTP servers
      1. How to do it...
      2. How it works...
      3. There's more...
    5. Enumerating SMTP usernames
      1. How to do it...
      2. How it works...
      3. There's more...
    6. Brute forcing IMAP passwords
      1. How to do it...
      2. How it works...
      3. There's more...
    7. Retrieving the capabilities of an IMAP server
      1. How to do it...
      2. How it works...
      3. There's more...
    8. Brute forcing POP3 passwords
      1. How to do it...
      2. How it works...
      3. There's more...
    9. Retrieving the capabilities of a POP3 server
      1. How to do it...
      2. How it works...
      3. There's more...
    10. Retrieving information from SMTP servers with NTLM authentication
      1. How to do it...
      2. How it works...
      3. There's more...
  8. Scanning Windows Systems
    1. Introduction
    2. Obtaining system information from SMB
      1. How to do it...
      2. How it works...
      3. There's more...
    3. Detecting Windows clients with SMB signing disabled
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Checking UDP when TCP traffic is blocked
        2. Attacking hosts with message signing disabled
    4. Detecting IIS web servers that disclose Windows 8.3 names
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Bruteforcing Windows 8.3 names
        2. Detecting Windows 8.3 names through different HTTP methods
    5. Detecting Windows hosts vulnerable to MS08-067
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Exploiting MS08-067
        2. Detecting other SMB vulnerabilities
    6. Retrieving the NetBIOS name and MAC address of a host
      1. How to do it...
      2. How it works...
      3. There's more...
    7. Enumerating user accounts of Windows hosts
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Selecting LSA bruteforcing or SAMR enumeration exclusively
        2. Checking UDP when TCP traffic is blocked
    8. Enumerating shared folders
      1. How to do it...
      2. How it works...
      3. There's more...
    9. Enumerating SMB sessions
      1. How to do it...
      2. How it works...
        1. Preparing a brute force password auditing attack
        2. Checking UDP when TCP traffic is blocked
    10. Finding domain controllers
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Finding domain master browsers
        2. Finding DNS servers
    11. Detecting Shadow Brokers' DOUBLEPULSAR SMB implants
      1. How to do it...
      2. How it works...
      3. There's more...
  9. Scanning ICS SCADA Systems
    1. Introduction
    2. Finding common ports used in ICS SCADA systems
      1. How to do it...
      2. How it works...
      3. There's more...
    3. Finding HMI systems
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Creating a database for HMI service ports
    4. Enumerating Siemens SIMATIC S7 PLCs
      1. How to do it...
      2. How it works...
      3. There's more...
    5. Enumerating Modbus devices
      1. How to do it...
      2. How it works...
      3. There's more...
    6. Enumerating BACnet devices
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Discovering the BACnet broadcast management device
    7. Enumerating Ethernet/IP devices
      1. How to do it...
      2. How it works...
      3. There's more...
    8. Enumerating Niagara Fox devices
      1. How to do it...
      2. How it works...
      3. There's more...
    9. Enumerating ProConOS devices
      1. How to do it...
      2. How it works...
      3. There's more...
    10. Enumerating Omron PLC devices
      1. How to do it...
      2. How it works...
      3. There's more...
    11. Enumerating PCWorx devices
      1. How to do it...
      2. How it works...
  10. Optimizing Scans
    1. Introduction
    2. Skipping phases to speed up scans
      1. How to do it...
      2. How it works...
      3. There's more...
    3. Selecting the correct timing template
      1. How to do it...
      2. How it works...
      3. There's more...
    4. Adjusting timing parameters
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Estimating round trip times with Nping
        2. Displaying the timing settings
    5. Adjusting performance parameters
      1. How to do it...
      2. How it works...
      3. There's more...
    6. Distributing a scan among several clients using Dnmap
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. There's more...
        1. Dnmap statistics
        2. Internet-wide scanning
  11. Generating Scan Reports
    1. Introduction
    2. Saving scan results in a normal format
      1. How to do it...
      2. How it works...
      3. There's more...
    3. Saving scan results in an XML format
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Structured script output for NSE
    4. Saving scan results to a SQLite database
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. There's more...
        1. Dumping the database in CSV format
        2. Fixing outputpbnj
    5. Saving scan results in a grepable format
      1. How to do it...
      2. How it works...
      3. There's more...
    6. Generating a network topology graph with Zenmap
      1. How to do it...
      2. How it works...
      3. There's more...
    7. Generating HTML scan reports
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. There's more...
    8. Reporting vulnerability checks
      1. How to do it...
      2. How it works...
      3. There's more...
    9. Generating PDF reports with fop
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. There's more...
        1. Generating reports in other formats
    10. Saving NSE reports in ElasticSearch
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. There's more...
  12. Writing Your Own NSE Scripts
    1. Introduction
    2. Making HTTP requests to identify vulnerable Supermicro IPMI/BMC controllers
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Setting the user agent programmatically
        2. HTTP pipelining
    3. Sending UDP payloads using NSE sockets
      1. How to do it...
      2. How it works...
      3. There's more...
    4. Generating vulnerability reports in NSE scripts
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Vulnerability states of the library vulns
    5. Exploiting a path traversal vulnerability with NSE
      1. How to do it...
      2. How it works...
      3. There's more...
        1. Setting the user agent programmatically
        2. HTTP pipelining
    6. Writing brute force password auditing scripts
      1. How to do it...
      2. How it works...
      3. There's more...
    7. Crawling web servers to detect vulnerabilities
      1. How to do it...
      2. How it works...
      3. There's more...
    8. Working with NSE threads, condition variables, and mutexes in NSE
      1. How to do it...
      2. How it works...
      3. There's more...
    9. Writing a new NSE library in Lua
      1. How to do it...
      2. How it works...
      3. There's more...
    10. Writing a new NSE library in C/C++
      1. How to do it...
      2. How it works...
      3. There's more...
    11. Getting your scripts ready for submission
      1. How to do it...
      2. How it works...
      3. There's more...
  13. HTTP, HTTP Pipelining, and Web Crawling Configuration Options
    1. HTTP user agent
    2. HTTP pipelining
    3. Configuring the NSE library httpspider
  14. Brute Force Password Auditing Options
    1. Brute modes
  15. NSE Debugging
    1. Debugging NSE scripts
    2. Exception handling
  16. Additional Output Options
    1. Saving output in all formats
    2. Appending Nmap output logs
    3. Including debugging information in output logs
    4. Including the reason for a port or host state
    5. OS detection in verbose mode
  17. Introduction to Lua
    1. Flow control structures
      1. Conditional statements - if, then, elseif
      2. Loops - while
      3. Loops - repeat
      4. Loops - for
    2. Data types
    3. String handling
      1. Character classes
      2. Magic characters
      3. Patterns
        1. Captures
        2. Repetition operators
    4. Concatenation
      1. Finding substrings
      2. String repetition
      3. String length
      4. Formatting strings
      5. Splitting and joining strings
    5. Common data structures
      1. Tables
      2. Arrays
      3. Linked lists
      4. Sets
      5. Queues
      6. Custom data structures
    6. I/O operations
      1. Modes
      2. Opening a file
      3. Reading a file
      4. Writing a file
      5. Closing a file
    7. Coroutines
      1. Creating a coroutine
      2. Executing a coroutine
      3. Determining current coroutine
      4. Getting the status of a coroutine
      5. Yielding a coroutine
    8. Metatables
      1. Arithmetic metamethods
      2. Relational metamethods
    9. Things to remember when working with Lua
      1. Comments
      2. Dummy assignments
      3. Indexes
      4. Semantics
      5. Coercion
      6. Safe language
      7. Booleans
  18. References and Additional Reading