Nmap Network Exploration and Security Auditing Cookbook [3 ed.]
1838649352, 9781838649357
A complete reference guide to mastering Nmap and its scripting engine, covering practical tasks for IT personnel, securi
English
Pages 436
Year 2021
Table of contents :
Cover
Title Page
Copyright and Credits
Contributors
Table of Contents
Preface
Chapter 1: Nmap Fundamentals
Technical requirements
Building Nmap's source code
Getting ready
How to do it...
How it works...
There's more...
Finding online hosts
How to do it...
How it works...
There's more...
Listing open ports on a target
How to do it...
How it works...
There's more...
Fingerprinting OSes and services running on a target
How to do it...
How it works...
There's more...
Using NSE scripts against a target host
How to do it...
How it works...
There's more...
Scanning random targets on the internet
How to do it...
How it works...
There's more...
Collecting signatures of web servers
How to do it...
How it works...
There's more...
Scanning with Rainmap Lite
Getting ready
How to do it...
How it works...
There's more...
Chapter 2: Getting Familiar with Nmap's Family
Monitoring servers remotely with Nmap and Ndiff
Getting ready
How to do it...
How it works...
There's more...
Crafting ICMP echo replies with Nping
How to do it...
How it works...
There's more...
Managing multiple scanning profiles with Zenmap
How to do it...
How it works...
There's more...
Running Lua scripts against a network connection with Ncat
How to do it...
How it works...
There's more...
Discovering systems with weak passwords with Ncrack
Getting ready
How to do it...
How it works...
There's more...
Using Ncat to diagnose a network client
How to do it...
How it works...
There is more...
Defending against Nmap service detection scans
How to do it...
How it works...
There's more...
Chapter 3: Network Scanning
Discovering hosts with TCP SYN ping scans
How to do it...
How it works...
There's more...
Discovering hosts with TCP ACK ping scans
How to do it...
How it works...
There's more...
Discovering hosts with UDP ping scans
How to do it...
How it works...
There's more...
Selecting ports in UDP ping scans
Discovering hosts with ICMP ping scans
How to do it...
How it works...
There's more...
Discovering hosts with SCTP INIT ping scans
How to do it...
How it works...
There's more...
Discovering hosts with IP protocol ping scans
How to do it...
How it works...
There's more...
Discovering hosts with ARP ping scans
How to do it...
How it works...
There's more...
Performing advanced ping scans
How to do it...
How it works...
There's more...
Discovering hosts with broadcast ping scans
How to do it...
How it works...
There's more...
Scanning IPv6 addresses
How to do it...
How it works...
There's more...
Spoofing the origin IP of a scan
Getting ready
How to do it...
How it works…
There's more...
Using port scanning for host discovery
How to do it...
How it works...
There's more...
Chapter 4: Reconnaissance Tasks
Performing IP address geolocation
Getting ready
How to do it...
How it works...
There's more...
Getting information from WHOIS records
How to do it...
How it works...
There's more...
Obtaining traceroute geolocation information
How to do it...
How it works...
There's more...
Querying Shodan to obtain target information
Getting ready
How to do it...
How it works...
There's more...
Collecting valid email accounts and IP addresses from web servers
How to do it...
How it works...
There's more...
Discovering hostnames pointing to the same IP address
How to do it...
How it works...
There's more...
Discovering hostnames by brute-forcing DNS records
How to do it...
How it works...
There's more...
Matching services with public vulnerability advisories and picking the low-hanging fruit
How to do it...
How it works...
There's more...
Chapter 5: Scanning Web Servers
Listing supported HTTP methods
How to do it...
How it works...
There's more...
Discovering interesting files and folders on web servers
How to do it...
How it works...
There's more...
Brute forcing HTTP authentication
How to do it...
How it works...
There's more...
Brute forcing web applications
How to do it...
How it works...
There's more...
Detecting web application firewalls
How to do it...
How it works...
There's more...
Detecting possible XST vulnerabilities
How to do it...
How it works...
There's more...
Detecting XSS vulnerabilities
How to do it...
How it works...
There's more...
Finding SQL injection vulnerabilities
How to do it...
How it works...
There's more…
Finding web applications with default credentials
How to do it...
How it works...
There's more...
Detecting insecure cross-domain policies
How to do it...
How it works...
There's more...
Detecting exposed source code control systems
How to do it...
How it works...
There's more...
Auditing the strength of cipher suites in SSL servers
How to do it...
How it works...
There's more...
Chapter 6: Scanning Databases
Listing MySQL databases
How to do it…
How it works...
There's more...
Listing MySQL users
How to do it...
How it works…
There's more...
Listing MySQL variables
How to do it...
How it works...
There's more...
Brute forcing MySQL passwords
How to do it...
How it works...
There's more...
Finding root accounts with an empty password in MySQL servers
How to do it...
How it works...
There's more...
Detecting insecure configurations in MySQL servers
How to do it...
How it works...
There's more...
Brute forcing Oracle passwords
How to do it...
How it works...
There's more...
Brute forcing Oracle SID names
How to do it...
How it works...
There's more...
Retrieving information from MS SQL servers
How to do it...
How it works...
There's more...
Brute forcing MS SQL passwords
How to do it...
How it works...
There's more...
Dumping password hashes of MS SQL servers
How to do it...
How it works...
There's more...
Running commands through xp_cmdshell in MS SQL servers
How to do it...
How it works...
There's more...
Finding system administrator accounts with empty passwords in MS SQL servers
How to do it...
How it works...
There's more...
Obtaining information from MS SQL servers with NTLM enabled
How to do it...
How it works...
There's more...
Retrieving MongoDB server information
How to do it...
How it works...
There's more...
Detecting MongoDB instances with no authentication enabled
How to do it...
How it works...
There's more...
Listing MongoDB databases
How to do it...
How it works...
There's more...
Listing CouchDB databases
How to do it...
How it works...
There's more...
Retrieving CouchDB database statistics
How to do it...
How it works...
There's more...
Detecting Cassandra databases with no authentication enabled
How to do it...
How it works...
There's more...
Brute forcing Redis passwords
How to do it...
How it works...
There's more...
Chapter 7: Scanning Mail Servers
Detecting SMTP open relays
How to do it...
How it works...
There's more...
Brute-forcing SMTP passwords
How to do it...
How it works...
There's more...
Detecting suspicious SMTP servers
How to do it...
How it works...
There's more...
Enumerating SMTP usernames
How to do it...
How it works...
There's more...
Brute-forcing IMAP passwords
How to do it...
How it works...
There's more...
Retrieving the capabilities of an IMAP server
How to do it...
How it works...
There's more...
Brute-forcing POP3 passwords
How to do it...
How it works...
There's more...
Retrieving the capabilities of a POP3 server
How to do it...
How it works...
There's more...
Retrieving information from SMTP servers with NTLM authentication
How to do it...
How it works...
There's more...
Chapter 8: Scanning Windows Systems
Obtaining system information from SMB
How to do it...
How it works...
There's more...
Detecting Windows clients with SMB signing disabled
How to do it...
How it works...
There's more...
Detecting IIS web servers that disclose Windows 8.3 names
How to do it...
How it works...
There's more...
Detecting Windows hosts vulnerable to MS08-067 and MS17-010
How to do it...
How it works...
There's more...
Retrieving the NetBIOS name and MAC address of a host
How to do it...
How it works...
There's more...
Enumerating user accounts of Windows targets
How to do it...
How it works...
There's more...
Enumerating shared folders
How to do it...
How it works...
There's more...
Enumerating SMB sessions
How to do it...
How it works...
There's more...
Finding domain controllers
How to do it...
How it works...
There's more…
Detecting the Shadow Brokers' DOUBLEPULSAR SMB implants
How to do it...
How it works...
There's more...
Listing supported SMB protocols
How to do it...
How it works...
There's more...
Detecting vulnerabilities using the SMB2/3 boot-time field
How to do it...
How it works...
There's more...
Detecting whether encryption is enforced in SMB servers
How to do it...
How it works...
There's more...
Chapter 9: Scanning ICS/SCADA Systems
Finding common ports used in ICS/SCADA systems
How to do it...
How it works...
There's more...
Finding HMI systems
How to do it...
How it works...
There's more...
Enumerating Siemens SIMATIC S7 PLCs
How to do it...
How it works...
There's more...
Enumerating Modbus devices
How to do it...
How it works...
There's more...
Enumerating BACnet devices
How to do it...
How it works...
There's more...
Enumerating Ethernet/IP devices
How to do it...
How it works...
There's more...
Enumerating Niagara Fox devices
How to do it...
How it works...
There's more...
Enumerating ProConOS devices
How to do it...
How it works...
There's more...
Enumerating Omron PLC devices
How to do it...
How it works...
There's more...
Enumerating PCWorx devices
How to do it...
How it works...
Chapter 10: Scanning Mainframes
Listing CICS transaction IDs in IBM mainframes
How to do it...
How it works...
There's more...
Enumerating CICS user IDs for the CESL/CESN login screen
How to do it...
How it works...
There's more...
Brute-forcing z/OS JES NJE node names
How to do it...
How it works...
There's more...
Enumerating z/OS TSO user IDs
How to do it...
How it works...
There's more...
Brute-forcing z/OS TSO accounts
How to do it...
How it works...
There's more...
Listing VTAM application screens
How to do it...
How it works...
There's more...
Chapter 11: Optimizing Scans
Skipping phases to speed up scans
How to do it...
How it works...
There's more...
Selecting the correct timing template
How to do it...
How it works...
There's more...
Adjusting timing parameters
How to do it...
There's more...
Adjusting performance parameters
How to do it...
How it works...
There's more...
Adjusting scan groups
How to do it...
There's more...
Distributing a scan among several clients using dnmap
Getting ready
How to do it...
How it works...
There's more...
Chapter 12: Generating Scan Reports
Saving scan results in a normal format
How to do it...
How it works...
There's more...
Saving scan results in an XML format
How to do it...
How it works...
There's more...
Saving scan results to a SQLite database
Getting ready
How to do it...
How it works...
There's more...
Saving scan results in a grepable format
How to do it...
How it works...
There's more...
Generating a network topology graph with Zenmap
How to do it...
How it works...
There's more...
Generating HTML scan reports
Getting ready
How to do it...
How it works...
There's more...
Reporting vulnerability checks
How to do it...
How it works...
There's more...
Generating PDF reports with fop
Getting ready
How to do it...
How it works...
There's more...
Saving NSE reports in Elasticsearch
Getting ready
How to do it...
How it works...
There's more...
Visualizing Nmap scan results with IVRE
Getting ready
How to do it...
How it works...
There's more...
Chapter 13: Writing Your Own NSE Scripts
Making HTTP requests to identify vulnerable Supermicro IPMI/BMC controllers
How to do it...
How it works...
There's more...
Sending UDP payloads using NSE sockets
How to do it...
How it works...
There's more...
Generating vulnerability reports in NSE scripts
How to do it...
How it works...
There's more...
Exploiting an SMB vulnerability
How to do it...
How it works...
There's more...
Writing brute-force password auditing scripts
How to do it...
How it works...
There's more...
Crawling web servers to detect vulnerabilities
How to do it...
How it works...
There's more...
Working with NSE threads, condition variables, and mutexes in NSE
How to do it...
How it works...
There's more...
Writing a new NSE library in Lua
How to do it...
How it works...
There's more...
Writing a new NSE library in C/C++
How to do it...
How it works...
There's more...
Getting your scripts ready for submission
How to do it...
How it works...
There's more...
Chapter 14: Exploiting Vulnerabilities with the Nmap Scripting Engine
Generating vulnerability reports in NSE scripts
How to do it...
How it works...
There's more...
Writing brute-force password auditing scripts
How to do it...
How it works...
There's more...
Crawling web servers to detect vulnerabilities
How to do it...
How it works...
There's more...
Exploiting SMB vulnerabilities
How to do it...
How it works...
There's more...
Appendix A – HTTP, HTTP Pipelining, and Web Crawling Configuration Options
HTTP user agent
HTTP pipelining
Configuring the NSE httpspider library
Appendix B – Brute-Force Password Auditing Options
Brute modes
Appendix C – NSE Debugging
Debugging NSE scripts
Exception handling
Appendix D – Additional Output Options
Saving output in all formats
Appending Nmap output logs
Including debugging information in output logs
Including the reason for a port or host state
OS detection in verbose mode
Appendix E – Introduction to Lua
Flow control structures
Conditional statements – if, then, elseif
Loops – while
Loops – repeat
Loops – for
Data types
String handling
Character classes
Magic characters
Patterns
Captures
Repetition operators
Concatenation
Finding substrings
String repetition
String length
Formatting strings
Splitting and joining strings
Common data structures
Tables
Arrays
Linked lists
Sets
Queues
Custom data structures
I/O operations
Modes
Opening a file
Reading a file
Writing a file
Closing a file
Coroutines
Creating a coroutine
Executing a coroutine
Determining the current coroutine
Getting the status of a coroutine
Yielding a coroutine
Metatables
Arithmetic metamethods
Relational metamethods
Things to remember when working with Lua
Comments
Dummy assignments
Indexes
Semantics
Coercion
Safe language
Booleans
Appendix F – References and Additional Reading
Other Books You May Enjoy
Index