Nmap 6: Network Exploration and Security Auditing Cookbook

Credits

About the Author

Acknowledgement

About the Reviewers

www.PacktPub.com

Preface

1. Nmap Fundamentals FREE CHAPTER

• Introduction
• Downloading Nmap from the official source code repository
• Compiling Nmap from source code
• Listing open ports on a remote host
• Fingerprinting services of a remote host
• Finding live hosts in your network
• Scanning using specific port ranges
• Running NSE scripts
• Scanning using a specified network interface
• Comparing scan results with Ndiff
• Managing multiple scanning profiles with Zenmap
• Detecting NAT with Nping
• Monitoring servers remotely with Nmap and Ndiff

2. Network Exploration

• Introduction
• Discovering hosts with TCP SYN ping scans
• Discovering hosts with TCP ACK ping scans
• Discovering hosts with UDP ping scans
• Discovering hosts with ICMP ping scans
• Discovering hosts with IP protocol ping scans
• Discovering hosts with ARP ping scans
• Discovering hosts using broadcast pings
• Hiding our traffic with additional random data
• Forcing DNS resolution
• Excluding hosts from your scans
• Scanning IPv6 addresses
• Gathering network information with broadcast scripts

3. Gathering Additional Host Information

• Introduction
• Geolocating an IP address
• Getting information from WHOIS records
• Checking if a host is known for malicious activities
• Collecting valid e-mail accounts
• Discovering hostnames pointing to the same IP address
• Brute forcing DNS records
• Fingerprinting the operating system of a host
• Discovering UDP services
• Listing protocols supported by a remote host
• Discovering stateful firewalls by using a TCP ACK scan
• Matching services with known security vulnerabilities
• Spoofing the origin IP of a port scan

4. Auditing Web Servers

• Introduction
• Listing supported HTTP methods
• Checking if an HTTP proxy is open
• Discovering interesting files and directories on various web servers
• Brute forcing HTTP authentication
• Abusing mod_userdir to enumerate user accounts
• Testing default credentials in web applications
• Brute-force password auditing WordPress installations
• Brute-force password auditing Joomla! installations
• Detecting web application firewalls
• Detecting possible XST vulnerabilities
• Detecting Cross Site Scripting vulnerabilities in web applications
• Finding SQL injection vulnerabilities in web applications
• Detecting web servers vulnerable to slowloris denial of service attacks

5. Auditing Databases

• Introduction
• Listing MySQL databases
• Listing MySQL users
• Listing MySQL variables
• Finding root accounts with empty passwords in MySQL servers
• Brute forcing MySQL passwords
• Detecting insecure configurations in MySQL servers
• Brute forcing Oracle passwords
• Brute forcing Oracle SID names
• Retrieving MS SQL server information
• Brute forcing MS SQL passwords
• Dumping the password hashes of an MS SQL server
• Running commands through the command shell on MS SQL servers
• Finding sysadmin accounts with empty passwords on MS SQL servers
• Listing MongoDB databases
• Retrieving MongoDB server information
• Listing CouchDB databases
• Retrieving CouchDB database statistics

6. Auditing Mail Servers

• Introduction
• Discovering valid e-mail accounts using Google Search
• Detecting open relays
• Brute forcing SMTP passwords
• Enumerating users in an SMTP server
• Detecting backdoor SMTP servers
• Brute forcing IMAP passwords
• Retrieving the capabilities of an IMAP mail server
• Brute forcing POP3 passwords
• Retrieving the capabilities of a POP3 mail server
• Detecting vulnerable Exim SMTP servers version 4.70 through 4.75

7. Scanning Large Networks

• Introduction
• Scanning an IP address range
• Reading targets from a text file
• Scanning random targets
• Skipping tests to speed up long scans
• Selecting the correct timing template
• Adjusting timing parameters
• Adjusting performance parameters
• Collecting signatures of web servers
• Distributing a scan among several clients using Dnmap

8. Generating Scan Reports

• Introduction
• Saving scan results in normal format
• Saving scan results in an XML format
• Saving scan results to a SQLite database
• Saving scan results in a grepable format
• Generating a network topology graph with Zenmap
• Generating an HTML scan report
• Reporting vulnerability checks performed during a scan

9. Writing Your Own NSE Scripts

• Introduction
• Making HTTP requests to identify vulnerable Trendnet webcams
• Sending UDP payloads by using NSE sockets
• Exploiting a path traversal vulnerability with NSE
• Writing a brute force script
• Working with the web crawling library
• Reporting vulnerabilities correctly in NSE scripts
• Writing your own NSE library
• Working with NSE threads, condition variables, and mutexes in NSE

References

Index