Nmap 6: Network Exploration and Security Auditing Cookbook

A complete guide to mastering Nmap 6 and its scripting engine, covering practical tasks for penetration testers and system administrators

Paulino Calderón Pale

BIRMINGHAM - MUMBAI

Nmap 6: Network Exploration and Security Auditing Cookbook

Copyright © 2012 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: November 2012
Production Reference: 2201112

Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.

ISBN 978-1-84951-748-5

www.packtpub.com

Cover Image by Renata Gómez Cárdenas ([email protected])

Credits

Author: Paulino Calderón Pale
Reviewers: Carlos A. Ayala Rocha, David Shaw
Acquisition Editor: Robin de Jongh
Lead Technical Editor: Dayan Hyames
Technical Editors: Veronica Fernandes, Nitee Shetty
Copy Editor: Insiya Morbiwala
Project Coordinator: Sai Gamare
Proofreader: Dirk Manuel
Indexer: Rekha Nair
Graphics: Valentina D'Silva
Production Coordinator: Nitesh Thakur
Cover Work: Nitesh Thakur

About the Author

Paulino Calderón Pale (@calderpwn) is a very passionate software developer and penetration tester from a Caribbean island in México called Cozumel. He learned to write code and administer IT infrastructures early in his life, skills that came in handy when he joined the information security industry. Today, he loves learning new technologies, penetration testing, conducting data-gathering experiments, developing software, and contributing to the open source community. He maintains a blog of his public work at http://calderonpale.com.

In the summer of 2011, he joined Google’s Summer of Code program to work on the Nmap project as an NSE (Nmap Scripting Engine) developer. He focused on improving the web scanning capabilities of Nmap and has produced over 20 scripts for gathering information, and detecting and exploiting security vulnerabilities since then.

He is the cofounder of Websec, an information security company focused on web security, operating in México (http://websec.mx) and Canada (http://websec.ca), where they help companies in different industries secure their IT infrastructures.

Acknowledgement

I would like to dedicate this book to a lot of people. Firstly, I would like to especially thank Fyodor for giving me the opportunity of joining the Nmap project during the Google Summer of Code. This book wouldn’t have existed if you had not taken a chance with me that summer.
My parents Edith and Paulino, who have been incredibly supportive my whole life; my brothers Omar and Yael, who have made this a real fun ride; and my girlfriend Martha Moguel and her family, who were really supportive and understanding about the lack of dates and Sunday meals while I worked on this book.

I would like to thank the Nmap team and contributors, especially all the people I have learned so much from: Patrik Karlsson, David Fifield, Ron Bowes, Daniel Miller, Henri Doreau, Patrick Donelly, Brendan Coles, Luis Martin, Toni Ruotto, Tom Sellers and Djalal Harouni.

I would also like to thank all my good friends and business partners, Roberto Salgado and Pedro Joaquín, for all the extra work they had to do to cover for me, and my friends in infosec: Carlos Ayala, Alejandro Hernández, Luis Guillermo Castañeda, Edgar Pimienta, Giovanni Cruz, Diego Bauche, Christian Navarrete, Eduardo Vela, Lenin Alevsk, Christian Yerena, Humberto Ochoa, Marcos Schejtman, Angel Morelos, Eduardo Ruiz, Ruben Ventura, Alejandro Hernández Flores (alt3kx), Luis Alberto Cortes, Oscar Lopez, Víctor Hugo Ramos Alvarez, Antonio Toriz, Francisco León, Armin García, Roberto Martinez, Hecky, Victor Gomez, Luis Solis, Hector Lopez, Matias Katz, Jaime Restrepo, Carlos Lozano, David Murillo, Uriel Márquez, Marc Ruef, David Moreno, Leonardo Pigñer, Alvaro Andrade, Alfonso Deluque, and Lorenzo Martínez.

I thank all my friends in Cozumel and Victoria, whom I may not have seen as much as I would have liked lately, but who are always in my heart.

And finally, I would like to thank Packt Publishing and their staff for all the support and help provided when publishing this book.

About the Reviewers

Carlos A. Ayala Rocha is an Information Security Consultant with more than 10 years of experience in Network Security, Intrusion Detection/Prevention, Forensic Analysis, and Incident Response. He has analyzed, designed, and implemented solutions, procedures, and mechanisms focused on risk mitigation for large companies, governments, internet service providers, and homeland security agencies in Mexico and several Latin American countries. He is an Advisory Board Member, Proctor, and Mentor for the SANS Institute, and a founding member of the Mexican Information Security Association (ASIMX). He holds many security industry certifications, such as CISSP, GCIH, GCFA, and GPEN, among others. He currently works as a Consulting Engineer at Arbor Networks for Latin America.

David Shaw has extensive experience in many aspects of information security. Beginning his career as a Network Security Analyst, he monitored perimeter firewalls and intrusion detection systems in order to identify and neutralize threats in real time. After working in the trenches of perimeter analysis, he joined an External Threat Assessment Team as a Security Researcher, working closely with large financial institutions to mitigate external risk and combat phishing attacks. He has particular interests in exploit development and unconventional attack vectors, and was a speaker at ToorCon 12 in San Diego, CA. He is currently the Director of Penetration Testing Technology at Redspin, specializing in external and application security assessments, and managing a team of highly skilled engineers.

I would like to thank my wonderful team at Redspin for allowing me the opportunity to conduct research and hone my skills, and without whom I would never be where I am today.

www.PacktPub.com

Support files, eBooks, discount offers and more

You might want to visit www.PacktPub.com for support files and downloads related to your book.

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and, as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.

http://PacktLib.PacktPub.com

Do you need instant solutions to your IT questions? PacktLib is Packt’s online digital book library. Here, you can access, read and search across Packt’s entire library of books.

Why Subscribe?

- Fully searchable across every book published by Packt
- Copy and paste, print and bookmark content
- On demand and accessible via web browser

Free Access for Packt account holders

If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view nine entirely free books. Simply use your login credentials for immediate access.

Table of Contents

Preface

Chapter 1: Nmap Fundamentals
  Introduction
  Downloading Nmap from the official source code repository
  Compiling Nmap from source code
  Listing open ports on a remote host
  Fingerprinting services of a remote host
  Finding live hosts in your network
  Scanning using specific port ranges
  Running NSE scripts
  Scanning using a specified network interface
  Comparing scan results with Ndiff
  Managing multiple scanning profiles with Zenmap
  Detecting NAT with Nping
  Monitoring servers remotely with Nmap and Ndiff

Chapter 2: Network Exploration
  Introduction
  Discovering hosts with TCP SYN ping scans
  Discovering hosts with TCP ACK ping scans
  Discovering hosts with UDP ping scans
  Discovering hosts with ICMP ping scans
  Discovering hosts with IP protocol ping scans
  Discovering hosts with ARP ping scans
  Discovering hosts using broadcast pings
  Hiding our traffic with additional random data
  Forcing DNS resolution
  Excluding hosts from your scans
  Scanning IPv6 addresses
  Gathering network information with broadcast scripts