Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Nmap Network Exploration and Security Auditing Cookbook, Third Edition
Nmap Network Exploration and Security Auditing Cookbook, Third Edition

Nmap Network Exploration and Security Auditing Cookbook, Third Edition: Network discovery and security scanning at your fingertips , Third Edition

eBook
$29.99 $43.99
Paperback
$54.99
Subscription
Free Trial
Renews at $19.99p/m

What do you get with Print?

Product feature icon Instant access to your digital eBook copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Product feature icon AI Assistant (beta) to help accelerate your learning
Table of content icon View table of contents Preview book icon Preview Book

Nmap Network Exploration and Security Auditing Cookbook, Third Edition

Chapter 2: Getting Familiar with Nmap's Family

As new functionalities were added to Nmap, new tools were written and incorporated into the Nmap family as sub-projects, such as Ndiff, Ncat, Ncrack, Zenmap, Nping, and even the Nmap Scripting Engine itself, to complement and extend the coverage of network-related tasks. These sub-projects were introduced throughout the years of the Nmap project participating in the Google Summer of Code program and they have become invaluable for the community as they serve specific needs.

This chapter will serve as an introduction to those who are unfamiliar with all the tools from the Nmap family and it will also show practical usage examples to those who know them but don't really use them. In this chapter, we will cover the following recipes:

  • Monitoring servers remotely with Nmap and Ndiff
  • Crafting ICMP echo replies with Nping
  • Managing multiple scanning profiles with Zenmap
  • Running Lua scripts against a network connection with Ncat
  • Discovering systems with weak passwords with Ncrack
  • Using Ncat to diagnose a network client
  • Defending against Nmap service detection scans

Monitoring servers remotely with Nmap and Ndiff

By using tools from the Nmap project, we can set up a simple but effective monitoring system. Because our monitoring system will depend on Nmap, we can monitor not only open ports but any information the Nmap Scripting Engine can gather. To detect changes on the network, we will need to compare the results of two scans: the base or known good state and the current scan result. Consider the ports that you know that must be open as your base state.

Ndiff was designed to address the issues of using the traditional diff command with two Nmap scan results in XML format. It compares the files by removing false positives introduced by dynamic fields such as timestamps and producing a more human-friendly output.

This recipe describes how to use Bash scripting, cron, Nmap, and Ndiff to set up a monitoring system that alerts by email if changes are detected in a network or host.

Getting ready

In this recipe, we assume the system has been configured to send email via the mail command. If you would like to change the notification method, you simply need to update the Bash script and replace the mail command according to your preferred notification method. For example, you could use curl to make an HTTP request to your favorite social network or run a script that restarts the service.

How to do it...

To set up a simple monitoring system with Nmap, we are going to need to do a few things:

  1. Create the /usr/local/share/nmap-mon/ directory (or whatever location you prefer) to store all the files required for our monitoring system.
  2. Scan your targets and save the result in XML format in the directory that you just created:
    # nmap -oX base_results.xml -sV -n <target>

    The resulting base_results.xml file will be used as your base file, meaning that it should reflect the known good state of your network or host.

  3. Create the nmap-mon.sh file in the directory you created earlier and paste the following code:
    #!/bin/bash
    #Bash script to email admin when changes are detected in a network using Nmap and Ndiff.
    #
    #Don't forget to adjust the CONFIGURATION variables.
    #Paulino Calderon <calderon@websec.mx>
    #
    #CONFIGURATION
    # 
    NETWORK="YOURTARGET" 
    ADMIN=YOUR@EMAIL.COM
    NMAP_FLAGS="-n -sV"
    BASE_PATH=/usr/local/share/nmap-mon/ 
    BIN_PATH=/usr/local/bin/ 
    BASE_FILE=base.xml 
    NDIFF_FILE=ndiff.log 
    NEW_RESULTS_FILE=newscanresults.xml 
    BASE_RESULTS="$BASE_PATH$BASE_FILE"
    NEW_RESULTS="$BASE_PATH$NEW_RESULTS_FILE" 
    NDIFF_RESULTS="$BASE_PATH$NDIFF_FILE"
    if [ -f $BASE_RESULTS ] then
      echo "Checking host $NETWORK"
      ${BIN_PATH}nmap -oX $NEW_RESULTS $NMAP_FLAGS $NETWORK
      ${BIN_PATH}ndiff $BASE_RESULTS $NEW_RESULTS > $NDIFF_RESULTS
      if [ $(cat $NDIFF_RESULTS | wc -l) -gt 0 ] then
        echo "Network changes detected in $NETWORK" 
        cat $NDIFF_RESULTS
        echo "Alerting admin $ADMIN"
        mail -s "Network changes detected in $NETWORK" $ADMIN < $NDIFF_RESULTS
      fi
    fi
  4. Update the configuration values in the previous Bash script according to your system and needs:
    NETWORK="YOURTARGET" 
    ADMIN=YOUR@EMAIL.COM 
    NMAP_FLAGS="-sV -n -p-"
    BASE_PATH=/usr/local/share/nmap-mon/ 
    BIN_PATH=/usr/local/bin/ 
    BASE_FILE=base.xml 
    NDIFF_FILE=ndiff.log 
    NEW_RESULTS_FILE=newscanresults.xml
  5. Make nmap-mon.sh executable by entering the following command:
    # chmod +x /usr/local/share/nmap-mon/nmap-mon.sh
  6. Now run the nmap-mon.sh script to make sure it is working correctly:
    # /usr/local/share/nmap-mon/nmap-mon.sh
  7. Launch your crontab editor to automatically execute the script periodically:
    # crontab -e
  8. Add the following command:
    0 * * * * /usr/local/share/nmap-mon/nmap-mon.sh

You should now receive email alerts when Ndiff detects a change in your network.

How it works...

Ndiff is a tool for comparing two Nmap scans. Think about the traditional diff but for Nmap scan reports. With some help from Bash and cron, we set up a task that is executed at regular intervals to scan our network and compare our current state with an older state, to identify the differences between them. We used some basic Bash scripting to execute our monitoring scan and then executed Ndiff to compare the results:

if [ $(cat $NDIFF_RESULTS | wc -l) -gt 0 ] then
  echo "Network changes detected in $NETWORK"
  cat $NDIFF_RESULTS
  echo "Alerting admin $ADMIN"
  mail -s "Network changes detected in $NETWORK" $ADMIN < $NDIFF_RESULTS 
fi

There's more...

You can adjust the interval between scans by modifying the cron line:

0 * * * * /usr/local/share/nmap-mon/nmap-mon.sh

To update your base file, you simply need to overwrite your base file located at /usr/local/share/nmap-mon/. Remember that when we change the scan parameters to create our base file, we need to update them in nmap-mon.sh too.

Monitoring specific services

To monitor specific services, you need to update the scan parameters in nmap-mon.sh:

NMAP_FLAGS="-sV -Pn"

For example, if you would like to monitor a web server, you may use the following command:

NMAP_FLAGS="-sV --script http-google-safe -Pn -p80,443"

These options limit port scanning to ports 80 and 443; run the http-google-safe script to check whether your web server has been marked as malicious by the Google Safe Browsing service.

Crafting ICMP echo replies with Nping

Nping is a utility designed to ease the process of crafting network packets. It is very useful to debug and troubleshoot network communications and perform traffic analysis.

This recipe will introduce Nping and go over the process of crafting and transmitting custom ICMP packets.

How to do it...

Let's say that we want to respond to an ICMP echo request packet with an echo reply using Nping. Consider that the first ICMP echo request packet has a source IP of 192.168.0.10 with an ICMP ID of 520, and the data string was the word ping. With that information, we can craft the reply with the following command:

#nping --icmp -c 1 --icmp-type 0 --icmp-code 0 --source-ip 192.168.0.5 --dest-ip 192.168.0.10 --icmp-id 520 --icmp-seq 0 --data-string 'ping'

In the output, you should see the sent ICMP echo reply packet with the values taken from the ICMP echo request packets:

SENT (0.0060s) ICMP [192.168.0.5 > 192.168.0.10 Echo reply (type=0/code=0) id=520 seq=0] IP [ttl=64 id=10898 iplen=32 ] 
Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A
Raw packets sent: 1 (32B) | Rcvd: 0 (0B) | Lost: 1 (100.00%) Nping done: 1 IP address pinged in 1.01 seconds

How it works...

Nping allows configuring the values of most fields in TCP, UDP, ARP, and ICMP packets easily. The following command will send an ICMP echo reply packet with the values obtained from the ICMP echo request packet:

#nping --icmp -c 1 --icmp-type 0 --icmp-code 0 --source-ip 192.168.0.5 --dest-ip 192.168.0.10 --icmp-id 520 --icmp-seq 0 --data-string 'ping'

Let's break it down by its arguments:

  • --icmp: Sets ICMP as the protocol to use.
  • -c 1: Packet count. Sends only one packet.
  • --icmp-type 0 --icmp-code 0: Sets the ICMP type and code. This type corresponds to an echo reply message.
  • --source-ip 192.168.0.5 --dest-ip 192.168.0.10: Sets the source and destination IP address.
  • --icmp-id 520: Sets the ICMP identifier of the request packet.
  • --icmp-seq 0: Sets the ICMP sequence number.
  • --data-string 'ping': Sets the data string.

There's more...

Nping can set most fields in TCP, UDP, ARP, and ICMP packets via arguments but offers a lot more customization than we offer. In addition to the interesting timing and performance options, Nping supports a mode named echo that is handy when troubleshooting firewall or routing issues. I highly recommend you go over the documentation at https://nmap.org/nping/ to become familiar with this powerful tool and more scenarios where it can be handy.

Managing multiple scanning profiles with Zenmap

Scanning profiles are a combination of Nmap options that can be used to save time when launching Nmap scans.

This recipe is about adding, editing, and deleting a scanning profile in Zenmap.

How to do it...

Let's add a new profile for scanning web servers:

  1. Launch Zenmap.
  2. Click on Profile on the main toolbar.
  3. Click on New Profile or press Ctrl + P. Profile Editor will be launched.
  4. Enter a profile name and a description on the Profile tab.
  5. Enable Version detection and select TCP connect scan (-sT) in the Scan tab.
  6. Enable Don't ping before scanning (-Pn) in the Ping tab.
  7. Enable the following scripts on the Scripting tab:

    http-backup-finder

    http-config-backup

    http-cors

    http-cross-domain-policy

    http-csrf

    http-dombased-xss

    http-enum

    http-favicon

    http-headers

    http-methods

    http-open-redirect

    http-robots.txt

    http-server-header

    http-svn-info

    http-title

  8. Next, go to the Target tab and click on Ports to scan (-p) and enter 80, 443.
  9. Save your changes by clicking on Save Changes:

Figure 2.1 – NSE script selection in Zenmap

Your new scanning profile should be available from the Profile drop-down menu. We selected some of the available scripts to give you an idea, but you can adjust the scan according to your needs.

How it works...

After using the editor to create our profile, we are left with the following Nmap command:

$ nmap -sT -sV -p 80,443 -T4 -v -Pn --script http-backup-finder,http-config-backup,http-cors,http-cross-domain-policy,http-csrf,http-dombased-xss,http-enum,http-headers,http-methods,http-open-redirect,http-robots.txt,http-server-header,http-title <target>

Using the Profile wizard, we have enabled service scanning (-sV), set the scanning ports to 80 and 443, disabled host discovery (-Pn), and selected a bunch of HTTP-related scripts to gather as much information as possible from this web server. We now have this command saved and easily accessible for our scanning activities against new targets in the future.

There's more...

Customizing scan profiles can be done through the user interface. Default scanning profiles can be used as templates when creating new ones. Let's review how we work with the scanning profiles.

Zenmap scanning profiles

The predefined Zenmap scanning profiles help newcomers familiarize themselves with Nmap. I recommend that you analyze them to understand the scanning techniques available in Nmap along with some useful combinations of its options:

  • Intense scan: nmap -T4 -A -v
  • Intense scan plus UDP: nmap -sS -sU -T4 -A -v
  • Intense scan, all TCP ports: nmap -p 1-65535 -T4 -A -v
  • Intense scan, no ping: nmap -T4 -A -v -Pn
  • Ping scan: nmap -sn
  • Quick scan: nmap -T4 -F
  • Quick scan plus: nmap -sV -T4 -O -F --version-light
  • Quick traceroute: nmap -sn --traceroute
  • Regular scan: nmap
  • Slow comprehensive scan: nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 - PA3389 -PU40125 -PY -g 53 --script "default or discovery and safe"

    Important note

    You can find other scanning profiles in the database of Rainmap Lite at https://github.com/cldrn/rainmap-lite/wiki/Scanning-profiles.

Editing or deleting a scan profile

To edit or delete a scan profile, you need to select the entry you wish to modify from the Profile drop-down menu. Click on Profile on the main toolbar and select Edit Selected Profile (Ctrl + E).

The editor will be launched, allowing you to edit or delete the selected profile.

Running Lua scripts against a network connection with Ncat

Ncat allows users to read, write, redirect, and modify network data in some very interesting ways. Think about it as an enhanced version of the traditional tool netcat. Ncat offers the possibility of running external commands once a connection has been established successfully. Users may use Lua scripts to perform actions on the network sockets created by Ncat.

The following recipe will show you how to run an HTTP server contained in a Lua script with Ncat.

How to do it...

  1. Running Lua scripts against network connections in Ncat is very straightforward; just use the --lua-exec option to set the Lua script you want to execute and the listening port or host to connect to:
    $ncat --lua-exec <path to Lua script> --listen <port>
  2. To start a web server with Ncat, locate the httpd.lua script inside your Ncat's script folder and use the following command:
    $ncat --lua-exec /path/to/httpd.lua --listen 8080 --keep-open
  3. Ncat will start listening on port 8080 and execute the specified Lua script. You may verify that the script is running correctly by pointing a web browser in that direction and checking whether the Got a request for message appears on the output.

How it works...

If you have used netcat before, you are already halfway there. Similar to netcat, Ncat can be put into listening (--listen) and connect mode. However, netcat lacks the --lua-exec option, which serves the purpose of executing an external Lua script against the network socket. This option is very handy for scripting tasks aimed at testing or debugging a wide range of services. The main strength of using this execution mode is that the programs are cross-platform as they are executed on the same built-in interpreter.

The httpd.lua script is an example distributed with Ncat to illustrate service emulation, but it should be clear that our options are endless. Lua is a very powerful language, and many tasks can be scripted with very few lines.

There's more...

Ncat offers a wide range of options that are documented thoroughly at https://nmap.org/ncat/guide/index.html. Do not forget to stop there and go over the full documentation.

Other ways of executing external commands with Ncat

Ncat supports three options to execute external programs:

  • --exec: This runs commands without shell interpretation.
  • --sh-exec: This runs commands by passing a string to a system shell.
  • --lua-exec: This runs a Lua script using the built-in interpreter.

Discovering systems with weak passwords with Ncrack

Ncrack is a network authentication cracking tool designed to identify systems with weak credentials. It is highly flexible and supports popular network protocols, such as FTP, SSH, Telnet, HTTP(S), POP3(S), SMB, RDP, VNC, SIP, Redis, PostgreSQL, and MySQL.

In this recipe, you will learn how to install Ncrack to find systems with weak passwords.

Getting ready

Grab the latest stable version of Ncrack from https://nmap.org/ncrack/. At the moment, the latest version is 0.7:

$wget https://nmap.org/ncrack/dist/ncrack-0.7.tar.gz

Decompress the file and enter the new directory:

$ tar -zxf ncrack-0.7.tar.gz
$ cd ncrack-0.7

Configure and build Ncrack with the following command:

$./configure && make

Finally, install it in your system:

#make install

Now you should be able to use Ncrack anywhere in your system.

How to do it...

To start a basic dictionary attack against an SSH server, use the following command:

$ncrack ssh://<target>:<port>

Ncrack will use the default settings to attack the SSH server running on the specified IP address and port. This might take some time depending on the network conditions:

Discovered credentials for ssh on 192.168.1.2 22/tcp:
192.168.1.2 22/tcp ssh: guest 12345
Ncrack done: 1 service scanned in 56 seconds. Ncrack finished.

In this case, we have successfully found the credentials of the account guest. Someone should have known that 12345 is not a good password.

How it works...

Ncrack takes as arguments the hostname or IP address of the target and a service to attack. Targets and services can be defined as follows:

<[service-name]>://<target>:<[port-number]>

The simplest command requires a target and the service specification. Another way of running the scan shown earlier is as follows:

$ncrack 192.168.1.2:22
Starting Ncrack 0.7 ( http://ncrack.org ) at 2020-10-08 22:10 EST Discovered credentials for ssh on 192.168.1.2 22/tcp:
192.168.1.2 22/tcp ssh: guest 12345 192.168.1.2 22/tcp ssh: admin money$
Ncrack done: 1 service scanned in 156.03 seconds. Ncrack finished.

In this case, Ncrack automatically detected the SSH service based on the port number given in the target and performed a password auditing attack using the default dictionaries shipped with Ncrack. Luckily, this time we found two accounts with weak passwords.

There's more...

As we have seen, Ncrack provides a few different ways of specifying targets, but it takes it to the next level with some interesting features, such as the ability to pause and resume attacks. We will briefly explore some of its options, but I highly recommend you read the official documentation at https://nmap.org/ncrack/man.html for the full list of options.

Configuring authentication options

Ncrack would not be a good network login cracker without options to tune the authentication process. Ncrack users may use their own username and password lists with the -U and -P options correspondingly if the included lists (inside the /lists directory) are not adequate:

$ ncrack -U <user list file> -P <password list file> <[service- name]>://<target>:<[port-number]>

Otherwise, we might have a specific username or password we would like to test with the --user and --pass options:

$ ncrack --user <username> <[service-name]>://<target>:<[port-number]>
$ ncrack --pass <password> <[service-name]>://<target>:<[port-number]>

Pausing and resuming attacks

Ncrack supports resuming incomplete scans with the --resume option. If you had to stop a cracking session, just resume it by passing the filename of the previous session:

$ncrack --resume cracking-session <[service-name]>://<target>:<[port-number]>

If you would like to set the filename of the session to resume it later in case you need to, use the --save option:

$ncrack --save cracking-session <[service-name]>://<target>:<[port-number]>

Using Ncat to diagnose a network client

Ncat can be used for a wide range of tasks including diagnosing network communications. The ability to easily set it up as a proxy is helpful when we need to analyze the traffic sent by a network client. With the help of Ncat, we can analyze the data exchanged and identify possible errors.

This recipe describes how to use Ncat to analyze network communications between a remote server and our local client.

How to do it...

Start a local listener with Ncat:

$ncat -l -k 5555 --hex-dump client.txt

We now have a listener on localhost port 5555. It is time to configure our client to connect to our local IP address (it works on remote IP addresses as well). Connect to our listener to see the traffic that is sent by the client. For example, to see what probes are sent during a service scan, we use this:

$nmap -sV -p 5555 localhost

The traffic sent will be displayed as the output of our first ncat command:

$ncat -l -k 5555 --hex-dump client.txt
versionbind??SMB@@?PC NETWORK PROGRAM 1.0MICROSOFT NETWORKS 1.03MICROSOFT NETWORKS 3.0LANMAN1.0LM1.2X002SambaNT LANMAN 1.0NT LM 0.12CNXN2????host::GET / HTTP/1.0
OPTIONS / HTTP/1.0
OPTIONS / RTSP/1.0
?(r????|

Depending on the client, a configuration might support proxies out of the box. If not, use the target IP address to the host where your listener is running. Note that you may not be able to change the port, but you can use the same port on your local machine to work around this. The hex dump will be saved in the client.txt file:

Figure 2.2 – Hex dump of traffic sent by the client

Figure 2.2 – Hex dump of traffic sent by the client

How it works...

The ncat command starts a listener on localhost port 5555 (-l 5555) that accepts multiple connections (-k) and dumps the output in hexadecimal format (--hex-dump client.txt). In this case, Ncat acts as a proxy between the local or remote server and our client (Nmap) and the client is instructed to connect to the proxy. Note that in this example we are not re-routing the network traffic, but it is possible. The output shown by Ncat is the traffic sent by the client.

The interesting option here is --hex-dump, which allows us to see those unprintable characters usually found in network traffic. Hex format makes it easier to analyze and compare with the expected results. If something is not being sent correctly, we would catch it here after reading the output.

There is more...

Since Ncat supports encrypted channels out of the box, a simple solution to upgrade services that use plain text to communicate is tunneling the traffic in an encrypted channel with Ncat. Ncat can chain multiple commands to achieve this – as here, for example:

ncat -l localhost 143 --sh-exec "ncat --ssl imap.packtpub.com 993"

Once the client connects to local port 143, it connects to imap.packtpub.com using an encrypted channel (--ssl). When the network traffic leaves the box, it will be using the SSL channel.

Defending against Nmap service detection scans

If you belong to the blue team of an organization, it is likely you are already running a decoy host in your network. But what about something that slows down attackers? As Nmap is one of the most popular tools for port scanning, it is a good idea to implement something that will hinder the scans.

In this recipe, you will learn how to make Nmap scan indefinitely when a service detection scan is used against a target.

How to do it...

To start a fake HTTP service that sends random data indefinitely on a Linux-based host, use the following Ncat command:

$ncat -l 127.0.0.1 8080 -c "echo 'HTTP/1.1 200 OK\r\n\r\n'; cat /dev/urandom" -k

A new service running on port 8080 will start on your localhost. If an attacker uses Nmap's service detection scan (-sV), the service will prevent Nmap from closing the network socket, and hence the scan will never finish.

How it works...

The previous Ncat command simply listens on the local IP address TCP port 8080 (-l 127.0.0.1 8080) and executes a system command using the -c option. The -k option is also used to enable multiple connections so the socket is not closed after the first client connects. The executed system command is composed of two parts:

  • A fake protocol header: echo 'HTTP/1.1 200 OK\r\n\r\n'
  • Random data stream: cat /dev/urandom

The fake application protocol header is used to confuse the scanner making it launch a read operation that will only close once data transmission is complete, which will never happen. Additionally, Nmap prints results only when all hosts are processed, and if one host isn't complete, none of the results from that group are printed, so the attackers won't be able to see the incomplete results report. By using the /dev/urandom pseudo-device, we generate an infinite body message to append to the response and achieve this infinite response condition.

There's more...

Even though it is basic, this technique is pretty effective and does not only work on Nmap. You would be surprised how fragile some vulnerability scanners are, and this is only one method for hindering their results. You should get creative and analyze how the scanner works to identify possible attack vectors. In this recipe, we used an HTTP header to trick the scanner, but other protocols could also be susceptible.

Attacking web crawlers in security scanners

Writing web crawlers and handling the infinite combination of tags and fields in poorly written HTML is difficult. Scanners often include web crawlers to enumerate the attack surface and even detect vulnerabilities. By targeting the web crawler engine in scanners, we may affect the scanning behavior. Common attacks against web crawlers include web servers with link loops, pages with a high number of nested links, and dynamic content generation, among many others. Try these techniques against security scanners to discover interesting defense techniques!

Left arrow icon Right arrow icon

Description

Nmap is one of the most powerful tools for network discovery and security auditing used by millions of IT professionals, from system administrators to cybersecurity specialists. This third edition of the Nmap: Network Exploration and Security Auditing Cookbook introduces Nmap and its family - Ncat, Ncrack, Ndiff, Zenmap, and the Nmap Scripting Engine (NSE) - and guides you through numerous tasks that are relevant to security engineers in today’s technology ecosystems. The book discusses some of the most common and useful tasks for scanning hosts, networks, applications, mainframes, Unix and Windows environments, and ICS/SCADA systems. Advanced Nmap users can benefit from this book by exploring the hidden functionalities within Nmap and its scripts as well as advanced workflows and configurations to fine-tune their scans. Seasoned users will find new applications and third-party tools that can help them manage scans and even start developing their own NSE scripts. Practical examples featured in a cookbook format make this book perfect for quickly remembering Nmap options, scripts and arguments, and more. By the end of this Nmap book, you will be able to successfully scan numerous hosts, exploit vulnerable areas, and gather valuable information.

Who is this book for?

This Nmap cookbook is for IT personnel, security engineers, system administrators, application security enthusiasts, or anyone who wants to master Nmap and its scripting engine. This book is also recommended for anyone looking to learn about network security auditing, especially if they’re interested in understanding common protocols and applications in modern systems. Advanced and seasoned Nmap users will also benefit by learning about new features, workflows, and tools. Basic knowledge of networking, Linux, and security concepts is required before taking up this book.

What you will learn

  • Scan systems and check for the most common vulnerabilities
  • Explore the most popular network protocols
  • Extend existing scripts and write your own scripts and libraries
  • Identify and scan critical ICS/SCADA systems
  • Detect misconfigurations in web servers, databases, and mail servers
  • Understand how to identify common weaknesses in Windows environments
  • Optimize the performance and improve results of scans
Estimated delivery fee Deliver to Taiwan

Standard delivery 10 - 13 business days

$12.95

Premium delivery 5 - 8 business days

$45.95
(Includes tracking information)

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Sep 13, 2021
Length: 436 pages
Edition : 3rd
Language : English
ISBN-13 : 9781838649357
Languages :
Tools :

What do you get with Print?

Product feature icon Instant access to your digital eBook copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Product feature icon AI Assistant (beta) to help accelerate your learning
Estimated delivery fee Deliver to Taiwan

Standard delivery 10 - 13 business days

$12.95

Premium delivery 5 - 8 business days

$45.95
(Includes tracking information)

Product Details

Publication date : Sep 13, 2021
Length: 436 pages
Edition : 3rd
Language : English
ISBN-13 : 9781838649357
Languages :
Tools :

Packt Subscriptions

See our plans and pricing
Modal Close icon
$19.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
$199.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts
$279.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total $ 158.97
Privilege Escalation Techniques
$54.99
Linux for Networking Professionals
$48.99
Nmap Network Exploration and Security Auditing Cookbook, Third Edition
$54.99
Total $ 158.97 Stars icon

Table of Contents

15 Chapters
Chapter 1: Nmap Fundamentals Chevron down icon Chevron up icon
Chapter 2: Getting Familiar with Nmap's Family Chevron down icon Chevron up icon
Chapter 3: Network Scanning Chevron down icon Chevron up icon
Chapter 4: Reconnaissance Tasks Chevron down icon Chevron up icon
Chapter 5: Scanning Web Servers Chevron down icon Chevron up icon
Chapter 6: Scanning Databases Chevron down icon Chevron up icon
Chapter 7: Scanning Mail Servers Chevron down icon Chevron up icon
Chapter 8: Scanning Windows Systems Chevron down icon Chevron up icon
Chapter 9: Scanning ICS/SCADA Systems Chevron down icon Chevron up icon
Chapter 10: Scanning Mainframes Chevron down icon Chevron up icon
Chapter 11: Optimizing Scans Chevron down icon Chevron up icon
Chapter 12: Generating Scan Reports Chevron down icon Chevron up icon
Chapter 13: Writing Your Own NSE Scripts Chevron down icon Chevron up icon
Chapter 14: Exploiting Vulnerabilities with the Nmap Scripting Engine Chevron down icon Chevron up icon
Other Books You May Enjoy Chevron down icon Chevron up icon

Customer reviews

Most Recent
Rating distribution
Full star icon Full star icon Full star icon Full star icon Full star icon 5
(7 Ratings)
5 star 100%
4 star 0%
3 star 0%
2 star 0%
1 star 0%
Filter icon Filter
Most Recent

Filter reviews by




John Jul 08, 2022
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Worth the buy.
Amazon Verified review Amazon
saiello Jan 29, 2022
Full star icon Full star icon Full star icon Full star icon Full star icon 5
I've read through a lot of nmap and network scanning books and they were all under whelming, but this one is very good. It's not a lot of BS memorize these flags, the book simply shows you how to use the tool.There are some little things that the book leaves out and the syntax examples could be a little better. However, it's for sure worth getting if you want to learn nmap. Just be prepared for a little googeling.
Amazon Verified review Amazon
Anslem John Jan 13, 2022
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This is a great book for anyone wanting to learn about Nmap and its features and capabilities. It goes beyond the basic information and take you to advance level features such as monitoring the servers remotely, scanning for weak ssh passwords. What I particularly like is the author dedicated a chapter to scanning Industrial systems which is not common in other NMAP books\guides.I highly recommend this book to anyone who uses NMAP
Amazon Verified review Amazon
Donald A. Tevault Nov 27, 2021
Full star icon Full star icon Full star icon Full star icon Full star icon 5
There's a wealth of information in this book for both systems administrators and security administrators. It start with an explanation of the basic nmap scan types, and then leads you through a discussion of the various scripts. And really, this is the best part. I mean, it's easy to find information about basic nmap scanning, but this is the only place I've found that gives you a thorough explanation about how to use the scanning scripts. And believe me, there's a lot more versatility with these scripts than I had ever dreamed possible. So yes, I can heartily recommend picking up a copy of this book.
Amazon Verified review Amazon
Sanchit Oct 21, 2021
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This book covers a wide range of recipes of Nmap and Nmap Scripting Engine. And goes deep into details with examples and background knowledge laid out together.I particularly like how the dense information is organized into helpful sections.Think it's a great reference guide for people who are interested in learning about security auditing.
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is the delivery time and cost of print book? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela
What is custom duty/charge? Chevron down icon Chevron up icon

Customs duty are charges levied on goods when they cross international borders. It is a tax that is imposed on imported goods. These duties are charged by special authorities and bodies created by local governments and are meant to protect local industries, economies, and businesses.

Do I have to pay customs charges for the print book order? Chevron down icon Chevron up icon

The orders shipped to the countries that are listed under EU27 will not bear custom charges. They are paid by Packt as part of the order.

List of EU27 countries: www.gov.uk/eu-eea:

A custom duty or localized taxes may be applicable on the shipment and would be charged by the recipient country outside of the EU27 which should be paid by the customer and these duties are not included in the shipping charges been charged on the order.

How do I know my custom duty charges? Chevron down icon Chevron up icon

The amount of duty payable varies greatly depending on the imported goods, the country of origin and several other factors like the total invoice amount or dimensions like weight, and other such criteria applicable in your country.

For example:

  • If you live in Mexico, and the declared value of your ordered items is over $ 50, for you to receive a package, you will have to pay additional import tax of 19% which will be $ 9.50 to the courier service.
  • Whereas if you live in Turkey, and the declared value of your ordered items is over € 22, for you to receive a package, you will have to pay additional import tax of 18% which will be € 3.96 to the courier service.
How can I cancel my order? Chevron down icon Chevron up icon

Cancellation Policy for Published Printed Books:

You can cancel any order within 1 hour of placing the order. Simply contact customercare@packt.com with your order details or payment transaction id. If your order has already started the shipment process, we will do our best to stop it. However, if it is already on the way to you then when you receive it, you can contact us at customercare@packt.com using the returns and refund process.

Please understand that Packt Publishing cannot provide refunds or cancel any order except for the cases described in our Return Policy (i.e. Packt Publishing agrees to replace your printed book because it arrives damaged or material defect in book), Packt Publishing will not accept returns.

What is your returns and refunds policy? Chevron down icon Chevron up icon

Return Policy:

We want you to be happy with your purchase from Packtpub.com. We will not hassle you with returning print books to us. If the print book you receive from us is incorrect, damaged, doesn't work or is unacceptably late, please contact Customer Relations Team on customercare@packt.com with the order number and issue details as explained below:

  1. If you ordered (eBook, Video or Print Book) incorrectly or accidentally, please contact Customer Relations Team on customercare@packt.com within one hour of placing the order and we will replace/refund you the item cost.
  2. Sadly, if your eBook or Video file is faulty or a fault occurs during the eBook or Video being made available to you, i.e. during download then you should contact Customer Relations Team within 14 days of purchase on customercare@packt.com who will be able to resolve this issue for you.
  3. You will have a choice of replacement or refund of the problem items.(damaged, defective or incorrect)
  4. Once Customer Care Team confirms that you will be refunded, you should receive the refund within 10 to 12 working days.
  5. If you are only requesting a refund of one book from a multiple order, then we will refund you the appropriate single item.
  6. Where the items were shipped under a free shipping offer, there will be no shipping costs to refund.

On the off chance your printed book arrives damaged, with book material defect, contact our Customer Relation Team on customercare@packt.com within 14 days of receipt of the book with appropriate evidence of damage and we will work with you to secure a replacement copy, if necessary. Please note that each printed book you order from us is individually made by Packt's professional book-printing partner which is on a print-on-demand basis.

What tax is charged? Chevron down icon Chevron up icon

Currently, no tax is charged on the purchase of any print book (subject to change based on the laws and regulations). A localized VAT fee is charged only to our European and UK customers on eBooks, Video and subscriptions that they buy. GST is charged to Indian customers for eBooks and video purchases.

What payment methods can I use? Chevron down icon Chevron up icon

You can pay with the following card types:

  1. Visa Debit
  2. Visa Credit
  3. MasterCard
  4. PayPal
What is the delivery time and cost of print books? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela