PacktLib: Nmap 6: Network Exploration and Security Auditing Cookbook

Nmap 6: Network Exploration and Security Auditing Cookbook


About the Author


About the Reviewers


Nmap Fundamentals


Downloading Nmap from the official source code repository

Compiling Nmap from source code

Listing open ports on a remote host

Fingerprinting services of a remote host

Finding live hosts in your network

Scanning using specific port ranges

Running NSE scripts

Scanning using a specified network interface

Comparing scan results with Ndiff

Managing multiple scanning profiles with Zenmap

Detecting NAT with Nping

Monitoring servers remotely with Nmap and Ndiff

Network Exploration


Discovering hosts with TCP SYN ping scans

Discovering hosts with TCP ACK ping scans

Discovering hosts with UDP ping scans

Discovering hosts with ICMP ping scans

Discovering hosts with IP protocol ping scans

Discovering hosts with ARP ping scans

Discovering hosts using broadcast pings

Hiding our traffic with additional random data

Forcing DNS resolution

Excluding hosts from your scans

Scanning IPv6 addresses

Gathering network information with broadcast scripts

Gathering Additional Host Information


Geolocating an IP address

Getting information from WHOIS records

Checking if a host is known for malicious activities

Collecting valid e-mail accounts

Discovering hostnames pointing to the same IP address

Brute forcing DNS records

Fingerprinting the operating system of a host

Discovering UDP services

Listing protocols supported by a remote host

Discovering stateful firewalls by using a TCP ACK scan

Matching services with known security vulnerabilities

Spoofing the origin IP of a port scan

Auditing Web Servers


Listing supported HTTP methods

Checking if an HTTP proxy is open

Discovering interesting files and directories on various web servers

Brute forcing HTTP authentication

Abusing mod_userdir to enumerate user accounts

Testing default credentials in web applications

Brute-force password auditing WordPress installations

Brute-force password auditing Joomla! installations

Detecting web application firewalls

Detecting possible XST vulnerabilities

Detecting Cross Site Scripting vulnerabilities in web applications

Finding SQL injection vulnerabilities in web applications

Detecting web servers vulnerable to slowloris denial of service attacks

Auditing Databases


Listing MySQL databases

Listing MySQL users

Listing MySQL variables

Finding root accounts with empty passwords in MySQL servers

Brute forcing MySQL passwords

Detecting insecure configurations in MySQL servers

Brute forcing Oracle passwords

Brute forcing Oracle SID names

Retrieving MS SQL server information

Brute forcing MS SQL passwords

Dumping the password hashes of an MS SQL server

Running commands through the command shell on MS SQL servers

Finding sysadmin accounts with empty passwords on MS SQL servers

Listing MongoDB databases

Retrieving MongoDB server information

Listing CouchDB databases

Retrieving CouchDB database statistics

Auditing Mail Servers


Discovering valid e-mail accounts using Google Search

Detecting open relays

Brute forcing SMTP passwords

Enumerating users in an SMTP server

Detecting backdoor SMTP servers

Brute forcing IMAP passwords

Retrieving the capabilities of an IMAP mail server

Brute forcing POP3 passwords

Retrieving the capabilities of a POP3 mail server

Detecting vulnerable Exim SMTP servers version 4.70 through 4.75

Scanning Large Networks


Scanning an IP address range

Reading targets from a text file

Scanning random targets

Skipping tests to speed up long scans

Selecting the correct timing template

Adjusting timing parameters

Adjusting performance parameters

Collecting signatures of web servers

Distributing a scan among several clients using Dnmap

Generating Scan Reports


Saving scan results in normal format

Saving scan results in an XML format

Saving scan results to a SQLite database

Saving scan results in a grepable format

Generating a network topology graph with Zenmap

Generating an HTML scan report

Reporting vulnerability checks performed during a scan

Writing Your Own NSE Scripts


Making HTTP requests to identify vulnerable Trendnet webcams

Sending UDP payloads by using NSE sockets

Exploiting a path traversal vulnerability with NSE

Writing a brute force script

Working with the web crawling library

Reporting vulnerabilities correctly in NSE scripts

Writing your own NSE library

Working with NSE threads, condition variables, and mutexes in NSE