Network Security Auditing with nmap

This is the introductory video of the course. The video contains information about the course, the instructor's short introduction about the experience in the field of cyber security, a quick introduction about nmap tool.

The course objectives are:

1- make students proficient in port scanning techniques and fine tune nmap for speed and accuracy

2- using the powerful NSE scripts perform various vulnerability assessment tasks, password audits for services like web server, mail server, database servers and gather information for web applications.

3- Test for misconfiguration on firewall rulesets and bypass any weak ruleset for firewall.

4- create nmap scan reports and explore options available for report generation.

In this video, we will have a summary about the course contents, the teaching methodology for the course, Requirements - both on the knowledge as well as Hardware & Software part

In this lecture, we will get a quick introduction to nmap security scanner and disclaimer about the course.

In this video, we will have a look at options available to us for installation of nmap security scanner to Ubuntu Linux Operating System. We will explore options such as installation from official ubuntu repositories using the apt-get command and installation of latest versions using the tool alien where we convert a .rpm file to .deb file for our ubuntu machine. We will also see why we use these options for installations in this video.

In this video, we will have a quick walkthrough on installation of nmap security scanner on a Microsoft windows 10 Operating system.

In this video, we will have a quick demonstration on how you can download and import a pre-built virtual image file directly to a virtualbox instance and quickly setup Kali Linux VM on virtualbox with all necessary tools to get started.

In this demonstration, we will setup our target VM - Metasploitable Linux machine into virtualbox. This metasploitable VM will be used throughout this course for testing and performing different scans using nmap security scanner.

We will now get an understanding on concepts of virtualbox networking. As these concepts in general are very much useful in all sorts of security and administration tasks. Having a clear understanding about the available modes of networking at our disposal can greatly help us in our day to day tasks.

In this video, we will understand the most prominent networking mode available to us - NAT i.e Network Address Translation. We will see how it is different and its pros and cons.

In this video, we will have a look at another networking mode - NAT Networking and demonstrate how we can setup this network type and what are its salient features and its demonstration.

In this lecture, we will have a look at Virtualbox Host only networking mode and demonstrate how we can setup this network mode and its utility in performing tests.

In this lecture, we will be having a look at another networking mode i.e bridged networking mode and we will discuss its pros and cons and its utilities.

In this video, we will discuss about the vitrualbox internal network and some hints on how it can be used. Though, this mode is not used for this course, it is still useful to have an idea  about it.

As this section comes to end, we have a recap on this section along with resources for reading and referencing along with task for setting up your own virtual lab.

This lecture is a quick refresher of the good old TCP 3-way handshake. Here we take up this lecture to get an understanding on foundation of scanning by nmap scanner. We will also see the TCP control bits or Flags as we know it, their visualization and quick introduction on these TCP control bits as this knowledge is further useful to understand scan types offered by nmap.

In this lecture, we will know and understand what actually we mean by an 'open', 'closed' & 'filtered' port. And the reasoning behind the port state to be reported by nmap.

We will have an introduction on this module and will start by visualizing on TCP SYN scan or also known as 'Half open scan' or 'Stealth scan'. We will perform practical demonstration on our victim machine in our virtual network and see how the scan looks behind the scenes at a packet level. You will get a clarity on how nmap decides on the port states to be open or closed or filtered and trace back the steps on Wireshark network protocol analyzer.

In the same manner, we will also look at the TCP CONNECT scan and how it is different form TCP SYN scan and get to know the major differences in this video.

In this lecture, we will discuss and demonstrate about FIN, NULL & XMAS scans and their visualization at a packet level and the mechanics of these scans and their behavior when a firewall is enabled and disabled to get a better understanding on such scans.

In this video, we will have a look at port scanning of UDP services and how the packets look when viewed through wireshark tool and in the similar way, we can look for the SCTP scans and its utility in performing scans when there is an appropriate target infrastructure that supports SCTP protocol (eg. Telecom sector networks).

Another important type of scan option known as ACK scan or Acknowledgement scan. This type of scan option is useful to determine the statefulness of a firewall. You will see how this scan behaves in presence of a firewall ruleset implementation and determine that if the remote firewall is implementing a stateful or stateless filtering.

This video discusses about another type of scan called Maimon scan and how it functions for detection of ports. Also, we see another very important type of scan called IP Protocol scan where this type of scan can help us determine the device type based on its support of protocols. This helps a security auditor in evaluating the device type and its capabilities in the network.

In this video we see how a firewall blocks scan probes and how the scan probes sent through nmap look at firewall logging system and how much information is revealed of an attacker.

In this video, we will have a recap on the module and task for you to practice.

A short quiz on the module on Basic scanning techniques.

In this video, you will be getting an introduction on methods that nmap employ to detect version of the active services on a remote host. nmap has various options to offer to detect service versions, we will see how we can use these options to fingerprint the services and how this can be valuable from vulnerability assessment point of view for a security auditor as well as network administrator.

In this video you will learn to fingerprint remote operating system with different options available with nmap for operating system detection and you will see how nmap fingerprints the remote operating system with practical demonstrations.

In this video, we take a quick recap on the module and provide you with an exercise to perform & practice the scans for service version and operating system detection.

Answer the questions

In this video, we will begin with the introduction on the module and explore various options available to us for specifying ports in nmap command line. We will explore the available options and learn the convenience these options provide us for scanning by specifying the ports.

We will also see, how changing the default behavior of nmap in not randomizing the ports can impact scan speeds and other options to better understand how it can help us in our security assessments.

In this video we explore the options where we can either include specific targets for scanning using a list file or in case we do not want to scan a set of hosts/targets then we also have that options at our disposal too.

In this video, we will have a quick introduction about the module and its learning objectives and then begin with various options available to us for host discovery. We will also see how disabling certain in-built options of nmap can impact the speed and behavior of nmap scanner.

In this lecture, we will explore more interesting options such as 'No Ping' and look at TCP based pings specifically the SYN and ACK Pings and how they can help us in host discovery when default ICMP pings do not give us reliable results.

In this lecture, we explore the host discovery options based on UDP protocol and ICMP protocols for discovering hosts on a network.

A small quiz to refresh concepts on module of host discovery.

In this lecture, we introduce you to nmap script scans and the available categories and remarkable ability of the Nmap Scripting Engine to perform various tasks such as information gathering, vulnerability detection, enumeration, performing various tests in FTP, SSH, Telnet, Database server, Email servers and performing backdoor detection on services.

We will explore the details about some of the many script scans available to us to perform information gathering for our targets, along with some details on its inner workings.

In this lecture, we take a look at scripts that can be useful to us for performing enumeration of a web server and applications hosted on that server. These scripts will be useful to you when performing initial information gathering and profiling of a web server and application. Also interesting script for detecting unusual services running on a host.

We will take a look at an interesting script that acts as a vulnerability scanner and assists a security auditor as well as network administrator in detecting vulnerabilities for the running services on the target host.

Detecting weak passwords forms an important part of a security assessment and also detecting misconfigured services too. In this video, we see how we can test for weak passwords on services like FTP, SSH, Telnet and perform a bruteforce attack to discover any weak credentials which can be exploited by attackers.

In this lecture, we explore the capabilites of nmap scripting engine to detect any known backdoored versions of services.

In this first part of lecture, we will explore the very useful options for performing security audits on Database servers, we take up the example here specific for MySQL database server running on our metasploitable linux VM. Note that for performing audits on MySQL servers, you will be requiring a Database account and its related password.

In this second part, we explore the very useful option for MySQL audit. This script is useful for detection of weak MySQL configurations. Note that for performing audits on MySQL servers, you will be requiring a Database account and its related password.

In this lecture, we test some of the scripts available for auditing SMTP servers. Depending on the target SMTP server's configuration, the scope of the scripts will vary.

Moving ahead, we take up another useful feature of nmap scripting engine available to us is the Advanced option. Here, we get the option to fire up scripts based on the categories. Please note that depending on the options selected, the scans can take up huge times to run and also probably cause network congestion as well as potential Denial of service condition.

In this lecture, we see an example on how we can use boolean operators in specifying script scans based on categories.

In this lecture, we see another example on how we can use different boolean operators in specifying script scans based on categories.

In this lecture, we see how we can use the wildcard character along with boolean operators to specify various scan script categories for scanning.

In this video, we see the advanced script categories for UDP services.

In this module, you will get a quick introduction on Zenmap which is the graphical frontend of nmap. We will have a walkthrough on various options on the graphical frontend to create scans and we also have the liberty to craft our own scans as per our requirement and save it in the form of profile.

In this video, we get an introduction of the module and take a quick look at the available options for testing and evading firewalls using nmap security scanner.

In this lecture, we will have a look at option to test firewall based on packet fragmentation where we count on a firewall misconfiguration that can sometimes help an attacker bypass the firewall ruleset.

In this lecture, we explore the option given by nmap to send decoys to the firewall to obsure our IP address which provides us a small level of anonymity.

In this video, we take a look at most interesting topic - IP and MAC address spoofing. You will learn that how implementation of weak rulesets at firewall, deliberately or unknowingly can potentially create a security loophole and make the network vulnerable to attacks.

In this lecture and demonstration, we will explore another option provided by nmap to spoof source port to test for any firewall rule that relies on filtering based on incoming packet's source port.

As a security professional, it becomes important to keep your trails in place so as to provide a proof of work as well as proof of concept. Apart from options discussed in earlier sections, it is highly recommended to use this option and append your signatures while performing scans so that the client's firewall and other security mechanisms can have your signatures of the tasks you performed.

In this lecture, we discuss and try out different timing templates offered by nmap and understand how the templates are related to the scan speed and performance and how we can leverage these options as per the situation we are into.

In this video, we will have a walkthrough on the option of scan parallelism and inspect the scan probes in Wireshark protocol analyzer and study the effects of parallelism on scan speeds and performance.

Sometimes, when nmap is scanning on large group of hosts and there are some hosts that are very slow to respond may be due to network performance or other factors, this can slow down our scans. By using the option of host timeouts in a correct manner, we can tell nmap to give up on slow performing hosts and speed up our scans in this manner.

The default behaviour of nmap is to scan 5 hosts simultaneously when it is scanning a large group of hosts. In case we want to change this behavior, we can also do that. However, we must be aware that depending on the target network, this option can have positive as well as negative impacts on our scan speed and accuracy.

In this lecture, we see how we can set customized delays in scan and observe the same in wireshark protocol analyzer. This option can be useful against any threshold based firewall or IDS.

In this lecture, we will see how we can throttle probe packets per second and observe the same in wireshark protocol analyzer.

In this video of this module, we will have a look and explore the options available for creating reports using the tool nmap and generate output that can be feeded into other tools as input to further perform more advanced scans.

In this video, we will have a look at another option for reporting - the grepable option which is now deprecated by it is still used mainly the output works as an input for other tools or custom programs that can take grepable output generated by nmap.

We will also have a look at nmap all format that outputs the scan report in all the formats - xml, grepable, nmap format as well as script kiddie format.

This lecture describes a very practical situation where in case of scanning a network, our scan might break or get interrupted due to various reasons. But if we have put the option to save the output in nmap, then we can resume the scan from exactly where it broke.

We will have a practical demonstration on this situation and show you how it can be done.

In this video, we will have a look at other options that assists us during the phase of scanning.