Nmap 6: Network Exploration and Security Auditing Cookbook
Table of Contents
Nmap 6: Network Exploration and Security Auditing Cookbook
Credits
About the Author
Acknowledgement
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers and more
Why Subscribe?
Free Access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example code
Errata
Piracy
Questions
1. Nmap Fundamentals
Introduction
Downloading Nmap from the official source code repository
Getting ready
How to do it...
How it works...
There's more...
Experimenting with development branches
Keeping your source code up-to-date
See also
Compiling Nmap from source code
Getting ready
How to do it...
How it works...
There's more...
OpenSSL development libraries
Configure directives
Precompiled packages
See also
Listing open ports on a remote host
How to do it...
How it works...
There's more...
Privileged versus unprivileged
Port states
Port scanning techniques supported by Nmap
See also
Fingerprinting services of a remote host
How to do it...
How it works...
There's more...
Aggressive detection
Submitting service fingerprints
See also
Finding live hosts in your network
How to do it...
How it works...
There's more...
Traceroute
NSE scripts
See also
Scanning using specific port ranges
How to do it...
How it works...
There's more...
See also
Running NSE scripts
How to do it...
How it works...
There's more...
NSE script arguments
Adding new scripts
NSE script categories
See also
Scanning using a specified network interface
How to do it...
How it works...
There's more...
Checking a TCP connection
See also
Comparing scan results with Ndiff
Getting ready
How to do it...
How it works...
There's more...
Output format
Verbose mode
See also
Managing multiple scanning profiles with Zenmap
How to do it...
How it works...
There's more...
Editing and deleting a scan profile
See also
Detecting NAT with Nping
How to do it...
How it works...
There's more...
Nping Echo Protocol
See also
Monitoring servers remotely with Nmap and Ndiff
How to do it...
How it works...
There's more...
Monitoring specific services
See also
2. Network Exploration
Introduction
Discovering hosts with TCP SYN ping scans
How to do it...
How it works...
There's more...
Privileged versus unprivileged TCP SYN ping scan
Firewalls and traffic filters
See also
Discovering hosts with TCP ACK ping scans
How to do it...
How it works...
There's more...
Privileged versus unprivileged TCP ACK ping scan
Selecting ports in TCP ACK ping scans
See also
Discovering hosts with UDP ping scans
How to do it...
How it works...
There's more...
Selecting ports in UDP ping scans
See also
Discovering hosts with ICMP ping scans
How to do it...
How it works...
There's more...
ICMP types
See also
Discovering hosts with IP protocol ping scans
How to do it...
How it works...
There's more...
Supported IP protocols and their payloads
See also
Discovering hosts with ARP ping scans
How to do it...
How it works...
There's more...
MAC address spoofing
See also
Discovering hosts using broadcast pings
How to do it...
How it works...
There's more...
Target library
See also
Hiding our traffic with additional random data
How to do it...
How it works...
There's more...
See also
Forcing DNS resolution
How to do it...
How it works...
There's more...
Specifying different DNS nameservers
See also
Excluding hosts from your scans
How to do it...
How it works...
There's more...
Excluding a host list from your scans
See also
Scanning IPv6 addresses
How to do it...
How it works...
There's more...
OS detection in IPv6 scanning
See also
Gathering network information with broadcast scripts
How to do it...
How it works...
There's more...
Target library
See also
3. Gathering Additional Host Information
Introduction
Geolocating an IP address
Getting ready
How to do it...
How it works...
There's more...
Submitting a new geo-location provider
See also
Getting information from WHOIS records
How to do it...
How it works...
There's more...
Disabling cache and the implications of this
See also
Checking if a host is known for malicious activities
Getting ready
How to do it...
How it works...
There's more...
See also
Collecting valid e-mail accounts
Getting ready
How to do it...
How it works...
There's more...
NSE script arguments
HTTP User Agent
See also
Discovering hostnames pointing to the same IP address
Getting ready
How to do it...
How it works...
There's more...
See also
Brute forcing DNS records
How to do it...
How it works...
There's more...
Target library
See also
Fingerprinting the operating system of a host
How to do it...
How it works...
There's more...
OS detection in verbose mode
Submitting new OS fingerprints
See also
Discovering UDP services
How to do it...
How it works...
There's more...
Port selection
See also
Listing protocols supported by a remote host
How to do it...
How it works...
There's more...
Customizing the IP protocol scan
See also
Discovering stateful firewalls by using a TCP ACK scan
How to do it...
How it works...
There's more...
Port states
See also
Matching services with known security vulnerabilities
Getting ready
How to do it...
How it works...
There's more...
See also
Spoofing the origin IP of a port scan
Getting ready
How to do it...
How it works...
There's more...
The IP ID sequence number
See also
4. Auditing Web Servers
Introduction
Listing supported HTTP methods
How to do it...
How it works...
There's more...
Interesting HTTP methods
HTTP User Agent
HTTP pipelining
See also
Checking if an HTTP proxy is open
How to do it...
How it works...
There's more...
HTTP User Agent
See also
Discovering interesting files and directories on various web servers
How to do it...
How it works...
There's more...
HTTP User Agent
HTTP pipelining
See also
Brute forcing HTTP authentication
How to do it...
How it works...
There's more...
HTTP User Agent
HTTP pipelining
Brute modes
See also
Abusing mod_userdir to enumerate user accounts
How to do it...
How it works...
There's more...
HTTP User Agent
HTTP pipelining
See also
Testing default credentials in web applications
How to do it...
How it works...
There's more...
HTTP User Agent
See also
Brute-force password auditing WordPress installations
How to do it...
How it works...
There's more...
HTTP User Agent
Brute modes
See also
Brute-force password auditing Joomla! installations
How to do it...
How it works...
There's more...
HTTP User Agent
Brute modes
See also
Detecting web application firewalls
How to do it...
How it works...
There's more...
HTTP User Agent
HTTP pipelining
See also
Detecting possible XST vulnerabilities
How to do it...
How it works...
There's more...
HTTP User Agent
See also
Detecting Cross Site Scripting vulnerabilities in web applications
How to do it...
How it works...
There's more...
HTTP User Agent
HTTP pipelining
See also
Finding SQL injection vulnerabilities in web applications
How to do it...
How it works...
There's more...
HTTP User Agent
HTTP pipelining
See also
Detecting web servers vulnerable to slowloris denial of service attacks
How to do it...
How it works...
There's more...
HTTP User Agent
See also
5. Auditing Databases
Introduction
Listing MySQL databases
How to do it...
How it works...
There's more...
See also
Listing MySQL users
How to do it...
How it works...
There's more...
See also
Listing MySQL variables
How to do it...
How it works...
There's more...
See also
Finding root accounts with empty passwords in MySQL servers
How to do it...
How it works...
There's more...
See also
Brute forcing MySQL passwords
How to do it...
How it works...
There's more...
Brute modes
See also
Detecting insecure configurations in MySQL servers
How to do it...
How it works...
There's more...
See also
Brute forcing Oracle passwords
How to do it...
How it works...
There's more...
Brute modes
See also
Brute forcing Oracle SID names
How to do it...
How it works...
There's more...
See also
Retrieving MS SQL server information
How to do it...
How it works...
There's more...
Force scanned ports only in NSE scripts for MS SQL
See also
Brute forcing MS SQL passwords
How to do it...
How it works...
There's more...
Brute modes
See also
Dumping the password hashes of an MS SQL server
How to do it...
How it works...
There's more...
See also
Running commands through the command shell on MS SQL servers
How to do it...
How it works...
There's more...
See also
Finding sysadmin accounts with empty passwords on MS SQL servers
How to do it...
How it works...
There's more...
Force scanned ports only in NSE scripts for MS SQL
See also
Listing MongoDB databases
How to do it...
How it works...
There's more...
See also
Retrieving MongoDB server information
How to do it...
How it works...
There's more...
See also
Listing CouchDB databases
How to do it...
How it works...
There's more...
See also
Retrieving CouchDB database statistics
How to do it...
How it works...
There's more...
See also
6. Auditing Mail Servers
Introduction
Discovering valid e-mail accounts using Google Search
Getting ready
How to do it...
How it works...
There's more...
Debugging NSE scripts
See also
Detecting open relays
How to do it...
How it works...
There's more...
Debugging NSE scripts
See also
Brute forcing SMTP passwords
How to do it...
How it works...
There's more...
Brute modes
Debugging NSE scripts
See also
Enumerating users in an SMTP server
How to do it...
How it works...
There's more...
Debugging NSE scripts
See also
Detecting backdoor SMTP servers
How to do it...
How it works...
There's more...
See also
Brute forcing IMAP passwords
How to do it...
How it works...
There's more...
Brute modes
Debugging NSE scripts
See also
Retrieving the capabilities of an IMAP mail server
How to do it...
How it works...
There's more...
Debugging NSE scripts
See also
Brute forcing POP3 passwords
How to do it...
How it works...
There's more...
Debugging NSE scripts
See also
Retrieving the capabilities of a POP3 mail server
How to do it...
How it works...
There's more...
Debugging NSE scripts
See also
Detecting vulnerable Exim SMTP servers version 4.70 through 4.75
How to do it...
How it works...
There's more...
Debugging NSE scripts
See also
7. Scanning Large Networks
Introduction
Scanning an IP address range
How to do it...
How it works...
There's more...
CIDR notation
Privileged versus unprivileged
Port states
Port scanning techniques
See also
Reading targets from a text file
How to do it...
How it works...
There's more...
CIDR notation
Excluding a host list from your scans
See also
Scanning random targets
How to do it...
How it works...
There's more...
Legal issues with port scanning
Target library
See also
Skipping tests to speed up long scans
How to do it...
How it works...
There's more...
Scanning phases of Nmap
Debugging Nmap scans
Aggressive detection
See also
Selecting the correct timing template
How to do it...
How it works...
There's more...
See also
Adjusting timing parameters
How to do it...
How it works...
There's more...
Scanning phases of Nmap
Debugging Nmap scans
See also
Adjusting performance parameters
How to do it...
How it works...
There's more...
Scanning phases of Nmap
Debugging Nmap scans
See also
Collecting signatures of web servers
How to do it...
How it works...
There's more...
HTTP User Agent
See also
Distributing a scan among several clients using Dnmap
Getting ready
How to do it...
How it works...
There's more...
Dnmap statistics
See also
8. Generating Scan Reports
Introduction
Saving scan results in normal format
How to do it...
How it works...
There's more...
Saving Nmap's output in all formats
Including debugging information in output logs
Including the reason for a port or host state
Appending Nmap output logs
OS detection in verbose mode
See also
Saving scan results in an XML format
How to do it...
How it works...
There's more...
Saving Nmap's output in all formats
Appending Nmap output logs
Structured script output for NSE
See also
Saving scan results to a SQLite database
Getting Ready
How to do it...
How it works...
There's more...
Dumping the database in CSV format
Fixing outputpbnj
See also
Saving scan results in a grepable format
How to do it...
How it works...
There's more...
Saving Nmap's output in all formats
Appending Nmap output logs
See also
Generating a network topology graph with Zenmap
How to do it...
How it works...
There's more...
See also
Generating an HTML scan report
Getting Ready...
How to do it...
How it works...
There's more...
See also
Reporting vulnerability checks performed during a scan
How to do it...
How it works...
There's more...
See also
9. Writing Your Own NSE Scripts
Introduction
Making HTTP requests to identify vulnerable Trendnet webcams
How to do it...
How it works...
There's more...
Debugging Nmap scripts
Setting the user agent pragmatically
HTTP pipelining
See also
Sending UDP payloads by using NSE sockets
How to do it...
How it works...
There's more...
Exception handling
Debugging Nmap scripts
See also
Exploiting a path traversal vulnerability with NSE
How to do it...
How it works...
There's more...
Debugging NSE scripts
Setting the user agent pragmatically
HTTP pipelining
See also
Writing a brute force script
How to do it...
How it works...
There's more...
Debugging NSE scripts
Exception handling
Brute modes
See also
Working with the web crawling library
How to do it...
How it works...
There's more...
Debugging NSE scripts
Setting the user agent pragmatically
HTTP pipelining
Exception handling
See also
Reporting vulnerabilities correctly in NSE scripts
How to do it...
How it works...
There's more...
Vulnerability states of the library vulns
See also
Writing your own NSE library
How to do it...
How it works...
There's more...
Debugging NSE scripts
Exception handling
Importing modules in C
See also
Working with NSE threads, condition variables, and mutexes in NSE
How to do it...
How it works...
There's more...
Debugging NSE scripts
Exception handling
See also
A. References
Index