Nmap 6：Network exploration and security auditing Cookbook

Appendix A. References

Working with NSE threads condition variables and mutexes in NSE

Writing your own NSE library

Reporting vulnerabilities correctly in NSE scripts

Working with the web crawling library

Writing a brute force script

Exploiting a path traversal vulnerability with NSE

Sending UDP payloads by using NSE sockets

Making HTTP requests to identify vulnerable Trendnet webcams

Introduction

Chapter 9. Writing Your Own NSE Scripts

Reporting vulnerability checks performed during a scan

Generating an HTML scan report

Generating a network topology graph with Zenmap

Saving scan results in a grepable format

Saving scan results to a SQLite database

Saving scan results in an XML format

Saving scan results in normal format

Introduction

Chapter 8. Generating Scan Reports

Distributing a scan among several clients using Dnmap

Collecting signatures of web servers

Adjusting performance parameters

Adjusting timing parameters

Selecting the correct timing template

Skipping tests to speed up long scans

Scanning random targets

Reading targets from a text file

Scanning an IP address range

Introduction

Chapter 7. Scanning Large Networks

Detecting vulnerable Exim SMTP servers version 4.70 through 4.75

Retrieving the capabilities of a POP3 mail server

Brute forcing POP3 passwords

Retrieving the capabilities of an IMAP mail server

Brute forcing IMAP passwords

Detecting backdoor SMTP servers

Enumerating users in an SMTP server

Brute forcing SMTP passwords

Detecting open relays

Discovering valid e-mail accounts using Google Search

Introduction

Chapter 6. Auditing Mail Servers

Retrieving CouchDB database statistics

Listing CouchDB databases

Retrieving MongoDB server information

Listing MongoDB databases

Finding sysadmin accounts with empty passwords on MS SQL servers

Running commands through the command shell on MS SQL servers

Dumping the password hashes of an MS SQL server

Brute forcing MS SQL passwords

Retrieving MS SQL server information

Brute forcing Oracle SID names

Brute forcing Oracle passwords

Detecting insecure configurations in MySQL servers

Brute forcing MySQL passwords

Finding root accounts with empty passwords in MySQL servers

Listing MySQL variables

Listing MySQL users

Listing MySQL databases

Introduction

Chapter 5. Auditing Databases

Detecting web servers vulnerable to slowloris denial of service attacks

Finding SQL injection vulnerabilities in web applications

Detecting Cross Site Scripting vulnerabilities in web applications

Detecting possible XST vulnerabilities

Detecting web application firewalls

Brute-force password auditing Joomla! installations

Brute-force password auditing WordPress installations

Testing default credentials in web applications

Abusing mod_userdir to enumerate user accounts

Brute forcing HTTP authentication

Discovering interesting files and directories on various web servers

Checking if an HTTP proxy is open

Listing supported HTTP methods

Introduction

Chapter 4. Auditing Web Servers

Spoofing the origin IP of a port scan

Matching services with known security vulnerabilities

Discovering stateful firewalls by using a TCP ACK scan

Listing protocols supported by a remote host

Discovering UDP services

Fingerprinting the operating system of a host

Brute forcing DNS records

Discovering hostnames pointing to the same IP address

Collecting valid e-mail accounts

Checking if a host is known for malicious activities

Getting information from WHOIS records

Geolocating an IP address

Introduction

Chapter 3. Gathering Additional Host Information

Gathering network information with broadcast scripts

Scanning IPv6 addresses

Excluding hosts from your scans

Forcing DNS resolution

Hiding our traffic with additional random data

Discovering hosts using broadcast pings

Discovering hosts with ARP ping scans

Discovering hosts with IP protocol ping scans

Discovering hosts with ICMP ping scans

Discovering hosts with UDP ping scans

Discovering hosts with TCP ACK ping scans

Discovering hosts with TCP SYN ping scans

Introduction

Chapter 2. Network Exploration

Monitoring servers remotely with Nmap and Ndiff

Detecting NAT with Nping

Managing multiple scanning profiles with Zenmap

Comparing scan results with Ndiff

Scanning using a specified network interface

Running NSE scripts

Scanning using specific port ranges

Finding live hosts in your network

Fingerprinting services of a remote host

Listing open ports on a remote host

Compiling Nmap from source code

Downloading Nmap from the official source code repository

Introduction

Chapter 1. Nmap Fundamentals

Customer support

Reader feedback

Conventions

Who this book is for

What you need for this book

What this book covers

Preface

Support files eBooks discount offers and more

www.PacktPub.com

About the Reviewers

Acknowledgement

About the Author

Credits

Nmap 6: Network Exploration and Security Auditing Cookbook

coverpage

coverpage

Nmap 6: Network Exploration and Security Auditing Cookbook

Credits

About the Author

Acknowledgement

About the Reviewers

www.PacktPub.com

Support files eBooks discount offers and more

Preface

What this book covers

What you need for this book

Who this book is for

Conventions

Reader feedback

Customer support

Chapter 1. Nmap Fundamentals

Introduction

Downloading Nmap from the official source code repository

Compiling Nmap from source code

Listing open ports on a remote host

Fingerprinting services of a remote host

Finding live hosts in your network

Scanning using specific port ranges

Running NSE scripts

Scanning using a specified network interface

Comparing scan results with Ndiff

Managing multiple scanning profiles with Zenmap

Detecting NAT with Nping

Monitoring servers remotely with Nmap and Ndiff

Chapter 2. Network Exploration

Introduction

Discovering hosts with TCP SYN ping scans

Discovering hosts with TCP ACK ping scans

Discovering hosts with UDP ping scans

Discovering hosts with ICMP ping scans

Discovering hosts with IP protocol ping scans

Discovering hosts with ARP ping scans

Discovering hosts using broadcast pings

Hiding our traffic with additional random data

Forcing DNS resolution

Excluding hosts from your scans

Scanning IPv6 addresses

Gathering network information with broadcast scripts

Chapter 3. Gathering Additional Host Information

Introduction

Geolocating an IP address

Getting information from WHOIS records

Checking if a host is known for malicious activities

Collecting valid e-mail accounts

Discovering hostnames pointing to the same IP address

Brute forcing DNS records

Fingerprinting the operating system of a host

Discovering UDP services

Listing protocols supported by a remote host

Discovering stateful firewalls by using a TCP ACK scan

Matching services with known security vulnerabilities

Spoofing the origin IP of a port scan

Chapter 4. Auditing Web Servers

Introduction

Listing supported HTTP methods

Checking if an HTTP proxy is open

Discovering interesting files and directories on various web servers

Brute forcing HTTP authentication

Abusing mod_userdir to enumerate user accounts

Testing default credentials in web applications

Brute-force password auditing WordPress installations

Brute-force password auditing Joomla! installations

Detecting web application firewalls

Detecting possible XST vulnerabilities

Detecting Cross Site Scripting vulnerabilities in web applications

Finding SQL injection vulnerabilities in web applications

Detecting web servers vulnerable to slowloris denial of service attacks

Chapter 5. Auditing Databases

Introduction

Listing MySQL databases

Listing MySQL users

Listing MySQL variables

Finding root accounts with empty passwords in MySQL servers

Brute forcing MySQL passwords

Detecting insecure configurations in MySQL servers

Brute forcing Oracle passwords

Brute forcing Oracle SID names

Retrieving MS SQL server information

Brute forcing MS SQL passwords

Dumping the password hashes of an MS SQL server

Running commands through the command shell on MS SQL servers

Finding sysadmin accounts with empty passwords on MS SQL servers

Listing MongoDB databases

Retrieving MongoDB server information

Listing CouchDB databases

Retrieving CouchDB database statistics

Chapter 6. Auditing Mail Servers

Introduction

Discovering valid e-mail accounts using Google Search

Detecting open relays

Brute forcing SMTP passwords

Enumerating users in an SMTP server

Detecting backdoor SMTP servers

Brute forcing IMAP passwords

Retrieving the capabilities of an IMAP mail server

Brute forcing POP3 passwords

Retrieving the capabilities of a POP3 mail server

Detecting vulnerable Exim SMTP servers version 4.70 through 4.75

Chapter 7. Scanning Large Networks

Introduction

Scanning an IP address range

Reading targets from a text file

Scanning random targets

Skipping tests to speed up long scans

Selecting the correct timing template

Adjusting timing parameters

Adjusting performance parameters

Collecting signatures of web servers

Distributing a scan among several clients using Dnmap

Chapter 8. Generating Scan Reports

Introduction

Saving scan results in normal format

Saving scan results in an XML format

Saving scan results to a SQLite database

Saving scan results in a grepable format

Generating a network topology graph with Zenmap

Generating an HTML scan report

Reporting vulnerability checks performed during a scan

Chapter 9. Writing Your Own NSE Scripts

Introduction

Making HTTP requests to identify vulnerable Trendnet webcams

Sending UDP payloads by using NSE sockets

Exploiting a path traversal vulnerability with NSE

Writing a brute force script

Working with the web crawling library

Reporting vulnerabilities correctly in NSE scripts

Writing your own NSE library

Working with NSE threads condition variables and mutexes in NSE

Appendix A. References