Nmap: Network Exploration and Security Auditing Cookbook - Second Edition
Ebook, 837 pages, 5 hours


About this ebook

About This Book
  • Learn through practical recipes how to use Nmap for a wide range of tasks for system administrators and penetration testers.
  • Learn the latest and most useful features of Nmap and the Nmap Scripting Engine.
  • Learn to audit the security of networks, web applications, databases, mail servers, Microsoft Windows servers/workstations and even ICS systems.
  • Learn to develop your own modules for the Nmap Scripting Engine.
  • Become familiar with Lua programming.
  • 100% practical tasks, relevant and explained step by step, with exact commands and a description of the optional arguments.
Who This Book Is For

The book is for anyone who wants to master Nmap and its scripting engine to perform real-life security auditing checks as a system administrator or penetration tester. It is also recommended to anyone looking to learn about network security auditing. Finally, novice Nmap users will also learn a lot from this book, as it covers several advanced internal aspects of Nmap and related tools.

Language: English
Release date: May 26, 2017
ISBN: 9781786461537



    Nmap - Paulino Calderon

    Title Page

    Nmap: Network Exploration and Security Auditing Cookbook

    Second Edition

    A complete guide to mastering Nmap and its scripting engine, covering practical tasks for penetration testers and system administrators

    Paulino Calderon

           BIRMINGHAM - MUMBAI

    Copyright

    Nmap: Network Exploration and Security Auditing Cookbook

     Second Edition

    Copyright © 2017 Packt Publishing

    All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

    Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

    Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

    First published: November 2012

    Second edition: May 2017

    Production reference: 1240517

    Published by Packt Publishing Ltd.

    Livery Place

    35 Livery Street

    Birmingham 

    B3 2PB, UK.

    ISBN 978-1-78646-745-4

    www.packtpub.com

    Credits

    About the Author

    Paulino Calderon (@calderpwn on Twitter) is the cofounder of Websec, a company offering information security consulting services based in Mexico and Canada. When he is not traveling to a security conference or conducting on-site consulting for Fortune 500 companies, he spends peaceful days in Cozumel, a beautiful small island in the Caribbean, learning new technologies, conducting big data experiments, developing new tools, and finding bugs in software.

    Paulino is active in the open source community, and his contributions are used by millions of people in the information security industry. In 2011, Paulino joined the Nmap team during the Google Summer of Code to work on the project as an NSE developer. He focused on improving the web scanning capabilities of Nmap, and he has kept contributing to the project since then. In addition, he has been a mentor for students who focused on vulnerability detection during the Google Summer of Code 2015 and 2017.

    He has published Nmap 6: Network Exploration and Security Auditing Cookbook and Mastering the Nmap Scripting Engine, which cover practical tasks with Nmap and NSE development in depth. He loves attending information security conferences, and he has given talks and participated in workshops in dozens of events in Canada, the United States, Mexico, Colombia, Peru, Bolivia, and Curacao.

    Acknowledgments

    As always, I would like to dedicate this book to a lot of special people who have helped me get where I am.

    Special thanks to Fyodor for mentoring me and giving me the opportunity to participate in this amazing project named Nmap. To all the development team, from whom I have learned a lot and now I have the pleasure to know personally, thanks for always answering all my questions and being outstanding individuals.

    To my mother, Edith, and my brothers, Omar and Yael, thanks for always supporting me and being the best family I could ask for.

    To Martha, who I will always love more than anything, and Pedro Moguel, Martha Vela, Maru, Jo, Fana, Pete, and Pablo, thanks for welcoming me into your family.

    Nothing but love to all my friends. It is impossible to list all of you, but know that I appreciate all your love and support. You are always in my heart. Greetings to b33rcon, H4ckD0g5, Security Room LATAM, and the Negan clan, keep on hacking!

    To Pedro, Roberto, and the Websec team, thanks for joining me in this crazy adventure that started 6 years ago.

    In memory of my father, Dr. Paulino Calderon Medina, who I miss every day.

    About the Reviewer

    Nikhil Kumar has over 5 years of experience in information security. Currently he is working with Biz2Credit as a Senior Security Consultant. He is a certified ethical hacker and has bachelor's and master's degrees in computer science. He holds globally recognized certifications such as OSCP, OSWP, and CEH. He has written many articles on web application security, secure coding practices, web application firewalls, and related topics. He has discovered multiple vulnerabilities in major applications, including those of Apple and Microsoft.

    Nikhil can be contacted on LinkedIn at https://in.linkedin.com/in/nikhil73.

    www.PacktPub.com

    For support files and downloads related to your book, please visit www.PacktPub.com.

    Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and, as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at service@packtpub.com for more details.

    At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.

    https://www.packtpub.com/mapt

    Get the most in-demand software skills with Mapt. Mapt gives you full access to all Packt books and video courses, as well as industry-leading tools to help you plan your personal development and advance your career.

    Why subscribe?

    Fully searchable across every book published by Packt

    Copy and paste, print, and bookmark content

    On demand and accessible via a web browser

    Customer Feedback

    Thanks for purchasing this Packt book. At Packt, quality is at the heart of our editorial process. To help us improve, please leave us an honest review on this book's Amazon page at https://www.amazon.com/dp/1786467453.

    If you'd like to join our team of regular reviewers, you can e-mail us at customerreviews@packtpub.com. We award our regular reviewers with free eBooks and videos in exchange for their valuable feedback. Help us be relentless in improving our products!

    Table of Contents

    Preface

    What this book covers

    What you need for this book

    Who this book is for

    Sections

    Getting ready

    How to do it…

    How it works…

    There's more…

    See also

    Conventions

    Reader feedback

    Customer support

    Downloading the color images of this book

    Errata

    Piracy

    Questions

    Nmap Fundamentals

    Introduction

    Building Nmap's source code

    Getting ready

    How to do it...

    How it works...

    There's more...

    Experimental branches

    Updating your local working copy

    Customizing the building process

    Precompiled packages

    Finding live hosts in your network

    How to do it...

    How it works...

    There's more...

    Tracing routes

    Running the Nmap Scripting Engine during host discovery

    Exploring more ping scanning techniques

    Listing open ports on a target host

    How to do it...

    How it works...

    There's more...

    Privileged versus unprivileged

    Scanning specific port ranges

    Selecting a network interface

    More port scanning techniques

    Fingerprinting OS and services running on a target host

    How to do it...

    How it works...

    There's more...

    Increasing version detection intensity

    Aggressive detection mode

    Configuring OS detection

    OS detection in verbose mode

    Submitting new OS and service fingerprints

    Using NSE scripts against a target host

    How to do it...

    How it works...

    There's more...

    NSE script arguments

    Script selection

    Debugging NSE scripts

    Adding new scripts

    Reading targets from a file

    How to do it...

    How it works...

    There's more...

    Excluding a host list from your scans

    Scanning IP address ranges

    How to do it...

    How it works...

    There's more...

    CIDR notation

    Scanning random targets on the Internet

    How to do it...

    How it works...

    There's more...

    Legal issues with port scanning

    Collecting signatures of web servers

    How to do it...

    How it works...

    There's more...

    Monitoring servers remotely with Nmap and Ndiff

    Getting ready

    How to do it...

    How it works...

    There's more...

    Monitoring specific services

    Crafting ICMP echo replies with Nping

    How to do it...

    How it works...

    There's more...

    Managing multiple scanning profiles with Zenmap

    How to do it...

    How it works...

    There's more...

    Zenmap scanning profiles

    Editing or deleting a scan profile

    Running Lua scripts against a network connection with Ncat

    How to do it...

    How it works...

    There's more...

    Other ways of executing external commands with Ncat

    Discovering systems with weak passwords with Ncrack

    Getting ready

    How to do it...

    How it works...

    There's more...

    Configuring authentication options

    Pausing and resuming attacks

    Launching Nmap scans remotely from a web browser using Rainmap Lite

    Getting ready

    How to do it...

    How it works...

    There's more...

    Custom arguments

    Network Exploration

    Introduction

    Discovering hosts with TCP SYN ping scans

    How to do it...

    How it works...

    There's more...

    Privileged versus unprivileged TCP SYN ping scan

    Firewalls and traffic filtering

    Discovering hosts with TCP ACK ping scans

    How to do it...

    How it works...

    There's more...

    Privileged versus unprivileged TCP ACK ping scans

    Selecting ports in TCP ACK ping scans

    Discovering hosts with UDP ping scans

    How to do it...

    How it works...

    There's more...

    Selecting ports in UDP ping scans

    Discovering hosts with ICMP ping scans

    How to do it...

    How it works...

    There's more...

    Local versus remote networks

    ICMP types

    Discovering hosts with SCTP INIT ping scans

    How to do it...

    How it works...

    There's more...

    Unprivileged SCTP INIT ping scans

    Selecting ports in SCTP INIT ping scans

    Discovering hosts with IP protocol ping scans

    How to do it...

    How it works...

    There's more...

    Setting alternate IP protocols

    Generating random data for the IP packets

    Supported IP protocols and their payloads

    Discovering hosts with ARP ping scans

    How to do it...

    How it works...

    There's more...

    MAC address spoofing

    IPv6 scanning

    Performing advanced ping scans

    How to do it...

    How it works...

    There's more...

    Ping probe effectiveness

    Discovering hosts with broadcast ping scans

    How to do it...

    How it works...

    There's more...

    Broadcast ping options

    Target library

    Scanning IPv6 addresses

    How to do it...

    How it works...

    There's more...

    IPv6 fingerprinting

    Discovering new IPv6 targets

    Gathering network information with broadcast scripts

    How to do it...

    How it works...

    There's more...

    Script selection

    Target library

    Scanning through proxies

    How to do it...

    How it works...

    There's more...

    Proxychains

    Spoofing the origin IP of a scan

    Getting ready

    How to do it...

    How it works...

    There's more...

    Choosing your zombie host wisely

    The IP ID sequence number

    Reconnaissance Tasks

    Introduction

    Performing IP address geolocation

    Getting ready

    How to do it...

    How it works...

    There's more...

    Submitting a new geolocation provider

    Getting information from WHOIS records

    How to do it...

    How it works...

    There's more...

    Selecting service providers

    Ignoring referral records

    Disabling cache

    Obtaining traceroute geolocation information

    How to do it...

    How it works...

    There's more...

    Querying Shodan to obtain target information

    Getting ready

    How to do it...

    How it works...

    There's more...

    Saving the results in CSV files

    Specifying a single target

    Checking whether a host is flagged by Google Safe Browsing for malicious activities

    Getting ready

    How to do it...

    How it works...

    There's more...

    Collecting valid e-mail accounts and IP addresses from web servers

    How to do it...

    How it works...

    There's more...

    Discovering hostnames pointing to the same IP address

    How to do it...

    How it works...

    There's more...

    Discovering hostnames by brute forcing DNS records

    How to do it...

    How it works...

    There's more...

    Customizing the dictionary

    Adjusting the number of threads

    Specifying a DNS server

    Using the NSE library target

    Obtaining profile information from Google's People API

    Getting ready

    How to do it...

    How it works...

    There's more...

    Matching services with public vulnerability advisories

    Getting ready

    How to do it...

    How it works...

    There's more...

    Scanning Web Servers

    Introduction

    Listing supported HTTP methods

    How to do it...

    How it works...

    There's more...

    Interesting HTTP methods

    Checking whether a web server is an open proxy

    How to do it...

    How it works...

    There's more...

    Discovering interesting files and folders in web servers

    How to do it...

    How it works...

    There's more...

    Using a Nikto database

    Abusing mod_userdir to enumerate user accounts

    How to do it...

    How it works...

    There's more...

    Brute forcing HTTP authentication

    How to do it...

    How it works...

    There's more...

    Brute modes

    Brute forcing web applications

    How to do it...

    How it works...

    There's more...

    Brute forcing WordPress installations

    Detecting web application firewalls

    How to do it...

    How it works...

    There's more...

    Detecting possible XST vulnerabilities

    How to do it...

    How it works...

    There's more...

    Detecting XSS vulnerabilities

    How to do it...

    How it works...

    There's more...

    Finding SQL injection vulnerabilities

    How to do it...

    How it works...

    There's more...

    Detecting web servers vulnerable to slowloris denial of service attacks

    How to do it...

    How it works...

    There's more...

    Finding web applications with default credentials

    How to do it...

    How it works...

    There's more...

    Detecting web applications vulnerable to Shellshock

    How to do it...

    How it works...

    There's more...

    Executing commands remotely

    Spidering web servers to find vulnerable applications

    Detecting insecure cross-domain policies

    How to do it...

    How it works...

    There's more...

    Finding attacking domains available for purchase

    Detecting exposed source code control systems

    How to do it...

    How it works...

    There's more...

    Obtaining information from subversion source code control systems

    Auditing the strength of cipher suites in SSL servers

    How to do it...

    How it works...

    There's more...

    Scraping e-mail accounts from web servers

    How to do it...

    How it works...

    There's more...

    Scanning Databases

    Introduction

    Listing MySQL databases

    How to do it...

    How it works...

    There's more...

    Listing MySQL users

    How to do it...

    How it works...

    There's more...

    Listing MySQL variables

    How to do it...

    How it works...

    There's more...

    Brute forcing MySQL passwords

    How to do it...

    How it works...

    There's more...

    Finding root accounts with an empty password in MySQL servers

    How to do it...

    How it works...

    There's more...

    Detecting insecure configurations in MySQL servers

    How to do it...

    How it works...

    There's more...

    Brute forcing Oracle passwords

    How to do it...

    How it works...

    There's more...

    Brute forcing Oracle SID names

    How to do it...

    How it works...

    There's more...

    Retrieving information from MS SQL servers

    How to do it...

    How it works...

    There's more...

    Force-scanned ports only in NSE scripts for MS SQL

    Brute forcing MS SQL passwords

    How to do it...

    How it works...

    There's more...

    Dumping password hashes of MS SQL servers

    How to do it...

    How it works...

    There's more...

    Running commands through xp_cmdshell in MS SQL servers

    How to do it...

    How it works...

    There's more...

    Finding system administrator accounts with empty passwords in MS SQL servers

    How to do it...

    How it works...

    There's more...

    Force-scanned ports only in MS SQL scripts

    Obtaining information from MS SQL servers with NTLM enabled

    How to do it...

    How it works...

    There's more...

    Retrieving MongoDB server information

    How to do it...

    How it works...

    There's more...

    Detecting MongoDB instances with no authentication enabled

    How to do it...

    How it works...

    There's more...

    Listing MongoDB databases

    How to do it...

    How it works...

    There's more...

    Listing CouchDB databases

    How to do it...

    How it works...

    There's more...

    Retrieving CouchDB database statistics

    How to do it...

    How it works...

    There's more...

    Detecting Cassandra databases with no authentication enabled

    How to do it...

    How it works...

    There's more...

    Brute forcing Redis passwords

    How to do it...

    How it works...

    There's more...

    Scanning Mail Servers

    Introduction

    Detecting SMTP open relays

    How to do it...

    How it works...

    There's more...

    Brute forcing SMTP passwords

    How to do it...

    How it works...

    There's more...

    Detecting suspicious SMTP servers

    How to do it...

    How it works...

    There's more...

    Enumerating SMTP usernames

    How to do it...

    How it works...

    There's more...

    Brute forcing IMAP passwords

    How to do it...

    How it works...

    There's more...

    Retrieving the capabilities of an IMAP server

    How to do it...

    How it works...

    There's more...

    Brute forcing POP3 passwords

    How to do it...

    How it works...

    There's more...

    Retrieving the capabilities of a POP3 server

    How to do it...

    How it works...

    There's more...

    Retrieving information from SMTP servers with NTLM authentication

    How to do it...

    How it works...

    There's more...

    Scanning Windows Systems

    Introduction

    Obtaining system information from SMB

    How to do it...

    How it works...

    There's more...

    Detecting Windows clients with SMB signing disabled

    How to do it...

    How it works...

    There's more...

    Checking UDP when TCP traffic is blocked

    Attacking hosts with message signing disabled

    Detecting IIS web servers that disclose Windows 8.3 names

    How to do it...

    How it works...

    There's more...

    Bruteforcing Windows 8.3 names

    Detecting Windows 8.3 names through different HTTP methods

    Detecting Windows hosts vulnerable to MS08-067

    How to do it...

    How it works...

    There's more...

    Exploiting MS08-067

    Detecting other SMB vulnerabilities

    Retrieving the NetBIOS name and MAC address of a host

    How to do it...

    How it works...

    There's more...

    Enumerating user accounts of Windows hosts

    How to do it...

    How it works...

    There's more...

    Selecting LSA bruteforcing or SAMR enumeration exclusively

    Checking UDP when TCP traffic is blocked

    Enumerating shared folders

    How to do it...

    How it works...

    There's more...

    Enumerating SMB sessions

    How to do it...

    How it works...

    Preparing a brute force password auditing attack

    Checking UDP when TCP traffic is blocked

    Finding domain controllers

    How to do it...

    How it works...

    There's more...

    Finding domain master browsers

    Finding DNS servers

    Detecting Shadow Brokers' DOUBLEPULSAR SMB implants

    How to do it...

    How it works...

    There's more...

    Scanning ICS SCADA Systems

    Introduction

    Finding common ports used in ICS SCADA systems

    How to do it...

    How it works...

    There's more...

    Finding HMI systems

    How to do it...

    How it works...

    There's more...

    Creating a database for HMI service ports

    Enumerating Siemens SIMATIC S7 PLCs

    How to do it...

    How it works...

    There's more...

    Enumerating Modbus devices

    How to do it...

    How it works...

    There's more...

    Enumerating BACnet devices

    How to do it...

    How it works...

    There's more...

    Discovering the BACnet broadcast management device

    Enumerating Ethernet/IP devices

    How to do it...

    How it works...

    There's more...

    Enumerating Niagara Fox devices

    How to do it...

    How it works...

    There's more...

    Enumerating ProConOS devices

    How to do it...

    How it works...

    There's more...

    Enumerating Omron PLC devices

    How to do it...

    How it works...

    There's more...

    Enumerating PCWorx devices

    How to do it...

    How it works...

    Optimizing Scans

    Introduction

    Skipping phases to speed up scans

    How to do it...

    How it works...

    There's more...

    Selecting the correct timing template

    How to do it...

    How it works...

    There's more...

    Adjusting timing parameters

    How to do it...

    How it works...

    There's more...

    Estimating round trip times with Nping

    Displaying the timing settings

    Adjusting performance parameters

    How to do it...

    How it works...

    There's more...

    Distributing a scan among several clients using Dnmap

    Getting ready

    How to do it...

    How it works...

    There's more...

    Dnmap statistics

    Internet-wide scanning

    Generating Scan Reports

    Introduction

    Saving scan results in a normal format

    How to do it...

    How it works...

    There's more...

    Saving scan results in an XML format

    How to do it...

    How it works...

    There's more...

    Structured script output for NSE

    Saving scan results to a SQLite database

    Getting ready

    How to do it...

    How it works...

    There's more...

    Dumping the database in CSV format

    Fixing outputpbnj

    Saving scan results in a grepable format

    How to do it...

    How it works...

    There's more...

    Generating a network topology graph with Zenmap

    How to do it...

    How it works...

    There's more...

    Generating HTML scan reports

    Getting ready

    How to do it...

    How it works...

    There's more...

    Reporting vulnerability checks

    How to do it...

    How it works...

    There's more...

    Generating PDF reports with fop

    Getting ready

    How to do it...

    How it works...

    There's more...

    Generating reports in other formats

    Saving NSE reports in ElasticSearch

    Getting ready

    How to do it...

    How it works...

    There's more...

    Writing Your Own NSE Scripts

    Introduction

    Making HTTP requests to identify vulnerable supermicro IPMI/BMC controllers

    How to do it...

    How it works...

    There's more...

    Setting the user agent programmatically

    HTTP pipelining

    Sending UDP payloads using NSE sockets

    How to do it...

    How it works...

    There's more...

    Generating vulnerability reports in NSE scripts

    How to do it...

    How it works...

    There's more...

    Vulnerability states of the library vulns

    Exploiting a path traversal vulnerability with NSE

    How to do it...

    How it works...

    There's more...

    Setting the user agent programmatically

    HTTP pipelining

    Writing brute force password auditing scripts

    How to do it...

    How it works...

    There's more...

    Crawling web servers to detect vulnerabilities

    How to do it...

    How it works...

    There's more...

    Working with NSE threads, condition variables, and mutexes in NSE

    How to do it...

    How it works...

    There's more...

    Writing a new NSE library in Lua

    How to do it...

    How it works...

    There's more...

    Writing a new NSE library in C/C++

    How to do it...

    How it works...

    There's more...

    Getting your scripts ready for submission

    How to do it...

    How it works...

    There's more...

    HTTP, HTTP Pipelining, and Web Crawling Configuration Options

    HTTP user agent

    HTTP pipelining

    Configuring the NSE library httpspider

    Brute Force Password Auditing Options

    Brute modes

    NSE Debugging

    Debugging NSE scripts

    Exception handling

    Additional Output Options

    Saving output in all formats

    Appending Nmap output logs

    Including debugging information in output logs

    Including the reason for a port or host state

    OS detection in verbose mode

    Introduction to Lua

    Flow control structures

    Conditional statements - if, then, elseif

    Loops - while

    Loops - repeat

    Loops - for

    Data types

    String handling

    Character classes

    Magic characters

    Patterns

    Captures

    Repetition operators

    Concatenation

    Finding substrings

    String repetition

    String length

    Formatting strings

    Splitting and joining strings

    Common data structures

    Tables

    Arrays

    Linked lists

    Sets

    Queues

    Custom data structures

    I/O operations

    Modes

    Opening a file

    Reading a file

    Writing a file

    Closing a file

    Coroutines

    Creating a coroutine

    Executing a coroutine

    Determining current coroutine

    Getting the status of a coroutine

    Yielding a coroutine

    Metatables

    Arithmetic metamethods

    Relational metamethods

    Things to remember when working with Lua

    Comments

    Dummy assignments

    Indexes

    Semantics

    Coercion

    Safe language

    Booleans

    References and Additional Reading

    Preface

    Nmap: Network Exploration and Security Auditing Cookbook is a practical book that covers some of the most useful tasks you can do with Nmap. The book is divided into tasks, or recipes. Each recipe focuses on a single task explained with command-line examples, sample output, and even additional personal tips that I know you will find handy.

    Nmap's vast functionality is explored through 11 chapters covering more than 120 different tasks for penetration testers and system administrators. Unlike Nmap's official book, this cookbook focuses on the tasks you can do with the Nmap Scripting Engine and unofficial related tools, covering the core functionality of Nmap, but without focusing on the scanning techniques that are perfectly described in the official book. Think of this book as an addition to what the official Nmap book covers.

    There were many great NSE scripts I wish I had more space to include in this book and many more that will be created after its publication. I invite you to follow the development mailing list and stay up to date with Nmap's latest features and NSE scripts.

    I hope that you not only enjoy reading this cookbook, but as you
