Book description
Over 100 practical recipes for network and application security auditing using the powerful Nmap scanner
About This Book
Learn through practical recipes how to use Nmap for a wide range of tasks for system administrators and penetration testers.
Learn the latest and most useful features of Nmap and the Nmap Scripting Engine.
Learn to audit the security of networks, web applications, databases, mail servers, Microsoft Windows servers/workstations and even ICS systems.
Learn to develop your own modules for the Nmap Scripting Engine.
Become familiar with Lua programming.
100% practical tasks, relevant and explained step by step with exact commands and descriptions of the optional arguments
Who This Book Is For
The book is for anyone who wants to master Nmap and its scripting engine to perform real-life security auditing checks, whether as a system administrator or a penetration tester. This book is also recommended to anyone looking to learn about network security auditing. Finally, novice Nmap users will also learn a lot from this book, as it covers several advanced internal aspects of Nmap and related tools.
What You Will Learn
Learn about Nmap and related tools, such as Ncat, Ncrack, Ndiff, Zenmap and the Nmap Scripting Engine
Master basic and advanced techniques to perform port scanning and host discovery
Detect insecure configurations and vulnerabilities in web servers, databases, and mail servers
Learn how to detect insecure Microsoft Windows workstations and scan networks that use Active Directory
Learn how to safely identify and scan critical ICS/SCADA systems
Learn how to optimize the performance and behavior of your scans
Learn about advanced reporting
Learn the fundamentals of Lua programming
Become familiar with the development libraries shipped with the NSE
Write your own Nmap Scripting Engine scripts
In Detail
This is the second edition of 'Nmap 6: Network Exploration and Security Auditing Cookbook'. It is aimed at anyone who wants to master Nmap and its scripting engine through practical tasks for system administrators and penetration testers. Besides introducing the most powerful features of Nmap and related tools, common security auditing tasks for local and remote networks, web applications, databases, mail servers, Microsoft Windows machines and even ICS SCADA systems are explained step by step, with exact commands and argument explanations.
The book starts with the basic usage of Nmap and related tools such as Ncat, Ncrack, Ndiff and Zenmap. The Nmap Scripting Engine is thoroughly covered through security checks commonly used in real-life scenarios and applied to different types of systems. New chapters for Microsoft Windows and ICS SCADA systems were added, and every recipe was revised. This edition reflects the latest updates and hottest additions to the Nmap project to date. The book will also introduce you to Lua programming and NSE script development, allowing you to extend Nmap's power even further.
Style and approach
This book consists of practical recipes on network exploration and security auditing techniques, enabling you to get hands-on experience through real life scenarios.
Table of contents
- Preface
-
Nmap Fundamentals
- Introduction
- Building Nmap's source code
- Finding live hosts in your network
- Listing open ports on a target host
- Fingerprinting OS and services running on a target host
- Using NSE scripts against a target host
- Reading targets from a file
- Scanning IP address ranges
- Scanning random targets on the Internet
- Collecting signatures of web servers
- Monitoring servers remotely with Nmap and Ndiff
- Crafting ICMP echo replies with Nping
- Managing multiple scanning profiles with Zenmap
- Running Lua scripts against a network connection with Ncat
- Discovering systems with weak passwords with Ncrack
- Launching Nmap scans remotely from a web browser using Rainmap Lite
-
Network Exploration
- Introduction
- Discovering hosts with TCP SYN ping scans
- Discovering hosts with TCP ACK ping scans
- Discovering hosts with UDP ping scans
- Discovering hosts with ICMP ping scans
- Discovering hosts with SCTP INIT ping scans
- Discovering hosts with IP protocol ping scans
- Discovering hosts with ARP ping scans
- Performing advanced ping scans
- Discovering hosts with broadcast ping scans
- Scanning IPv6 addresses
- Gathering network information with broadcast scripts
- Scanning through proxies
- Spoofing the origin IP of a scan
-
Reconnaissance Tasks
- Introduction
- Performing IP address geolocation
- Getting information from WHOIS records
- Obtaining traceroute geolocation information
- Querying Shodan to obtain target information
- Checking whether a host is flagged by Google Safe Browsing for malicious activities
- Collecting valid e-mail accounts and IP addresses from web servers
- Discovering hostnames pointing to the same IP address
- Discovering hostnames by brute forcing DNS records
- Obtaining profile information from Google's People API
- Matching services with public vulnerability advisories
-
Scanning Web Servers
- Introduction
- Listing supported HTTP methods
- Checking whether a web server is an open proxy
- Discovering interesting files and folders in web servers
- Abusing mod_userdir to enumerate user accounts
- Brute forcing HTTP authentication
- Brute forcing web applications
- Detecting web application firewalls
- Detecting possible XST vulnerabilities
- Detecting XSS vulnerabilities
- Finding SQL injection vulnerabilities
- Detecting web servers vulnerable to slowloris denial of service attacks
- Finding web applications with default credentials
- Detecting web applications vulnerable to Shellshock
- Detecting insecure cross-domain policies
- Detecting exposed source code control systems
- Auditing the strength of cipher suites in SSL servers
- Scraping e-mail accounts from web servers
-
Scanning Databases
- Introduction
- Listing MySQL databases
- Listing MySQL users
- Listing MySQL variables
- Brute forcing MySQL passwords
- Finding root accounts with an empty password in MySQL servers
- Detecting insecure configurations in MySQL servers
- Brute forcing Oracle passwords
- Brute forcing Oracle SID names
- Retrieving information from MS SQL servers
- Brute forcing MS SQL passwords
- Dumping password hashes of MS SQL servers
- Running commands through xp_cmdshell in MS SQL servers
- Finding system administrator accounts with empty passwords in MS SQL servers
- Obtaining information from MS SQL servers with NTLM enabled
- Retrieving MongoDB server information
- Detecting MongoDB instances with no authentication enabled
- Listing MongoDB databases
- Listing CouchDB databases
- Retrieving CouchDB database statistics
- Detecting Cassandra databases with no authentication enabled
- Brute forcing Redis passwords
-
Scanning Mail Servers
- Introduction
- Detecting SMTP open relays
- Brute forcing SMTP passwords
- Detecting suspicious SMTP servers
- Enumerating SMTP usernames
- Brute forcing IMAP passwords
- Retrieving the capabilities of an IMAP server
- Brute forcing POP3 passwords
- Retrieving the capabilities of a POP3 server
- Retrieving information from SMTP servers with NTLM authentication
-
Scanning Windows Systems
- Introduction
- Obtaining system information from SMB
- Detecting Windows clients with SMB signing disabled
- Detecting IIS web servers that disclose Windows 8.3 names
- Detecting Windows hosts vulnerable to MS08-067
- Retrieving the NetBIOS name and MAC address of a host
- Enumerating user accounts of Windows hosts
- Enumerating shared folders
- Enumerating SMB sessions
- Finding domain controllers
- Detecting Shadow Brokers' DOUBLEPULSAR SMB implants
-
Scanning ICS SCADA Systems
- Introduction
- Finding common ports used in ICS SCADA systems
- Finding HMI systems
- Enumerating Siemens SIMATIC S7 PLCs
- Enumerating Modbus devices
- Enumerating BACnet devices
- Enumerating Ethernet/IP devices
- Enumerating Niagara Fox devices
- Enumerating ProConOS devices
- Enumerating Omron PLC devices
- Enumerating PCWorx devices
-
Optimizing Scans
-
Generating Scan Reports
- Introduction
- Saving scan results in a normal format
- Saving scan results in an XML format
- Saving scan results to a SQLite database
- Saving scan results in a grepable format
- Generating a network topology graph with Zenmap
- Generating HTML scan reports
- Reporting vulnerability checks
- Generating PDF reports with fop
- Saving NSE reports in ElasticSearch
-
Writing Your Own NSE Scripts
- Introduction
- Making HTTP requests to identify vulnerable supermicro IPMI/BMC controllers
- Sending UDP payloads using NSE sockets
- Generating vulnerability reports in NSE scripts
- Exploiting a path traversal vulnerability with NSE
- Writing brute force password auditing scripts
- Crawling web servers to detect vulnerabilities
- Working with NSE threads, condition variables, and mutexes in NSE
- Writing a new NSE library in Lua
- Writing a new NSE library in C/C++
- Getting your scripts ready for submission
- HTTP, HTTP Pipelining, and Web Crawling Configuration Options
- Brute Force Password Auditing Options
- NSE Debugging
- Additional Output Options
- Introduction to Lua
- References and Additional Reading
Product information
- Title: Nmap: Network Exploration and Security Auditing Cookbook - Second Edition
- Author(s):
- Release date: May 2017
- Publisher(s): Packt Publishing
- ISBN: 9781786467454