Course Snapshot
Nmap is the most popular and flexible tool widely used by penetration testers, network administrators, security enthusiasts and bug bounty hunters. Nmap offers a ton of options for performing scans. This course is created to help you master the nmap tool with clear, easy-to-follow instructions and hands-on demonstrations.
The contents and techniques in the course are derived from my experience as a network and web application pentester, so I will be touching on the most relevant and straightforward techniques that have actually worked during my experience in the field.
The course will start with an explanation of the basics of the TCP 3-way handshake to build up the base for nmap scans, and progress to advanced techniques for performing network security assessments with the nmap security scanner.
Through practical examples and the underlying concepts of the nmap scanner, the course will teach you:
- Getting started with nmap
- Fundamentals of scanning
- Basic scan techniques of nmap
- Detecting hosts, operating systems and service versions
- Useful Nmap script scans for vulnerability detection and auditing services
- Creating scan profiles on Zenmap, the frontend for nmap
- Evading and testing firewalls
- Improving scan performance
- Report creation
- Automating nmap scans
At the end of the course, you will be proficient in:
- Port scanning techniques, and fine-tuning nmap for speed and accuracy.
- Implementing the options provided by nmap scripts to perform complex scans in one go.
- Performing vulnerability assessments for web servers, mail servers and web applications with the powerful Nmap Scripting Engine.
- Password auditing for active services like FTP, TELNET, SSH, etc.
- Testing for misconfigured firewalls/IDSes and bypassing weak rulesets.
- Creating nmap scan reports, automating and managing network-wide scans, and monitoring assets for any misconfigurations and/or vulnerabilities.
Getting Started with nmap
- 1. Introduction to the course - Network Security Auditing with nmap
This is the introductory video of the course. It contains information about the course, a short introduction to the instructor's experience in the field of cyber security, and a quick introduction to the nmap tool.
The course objectives are:
1. Make students proficient in port scanning techniques and fine-tuning nmap for speed and accuracy.
2. Use the powerful NSE scripts to perform various vulnerability assessment tasks and password audits for services such as web servers, mail servers and database servers, and to gather information about web applications.
3. Test firewall rulesets for misconfigurations and bypass any weak firewall ruleset.
4. Create nmap scan reports and explore the options available for report generation.
- 2. Course Structure
In this video, we will have a summary of the course contents, the teaching methodology, and the requirements, both in terms of knowledge and of hardware and software.
- 3. Introduction to nmap security scanner
In this lecture, we will get a quick introduction to the nmap security scanner and a disclaimer about the course.
- 4. Nmap installation on Ubuntu Linux OS
In this video, we will look at the options available for installing the nmap security scanner on the Ubuntu Linux operating system. We will explore installation from the official Ubuntu repositories using the apt-get command, and installation of the latest version using the tool alien, which converts an .rpm file to a .deb file for our Ubuntu machine. We will also see why we use these installation options.
- 5. Nmap installation on Microsoft Windows 10 OS
In this video, we will have a quick walkthrough of the installation of the nmap security scanner on a Microsoft Windows 10 operating system.
- 6. Importing a Kali Linux VM to Oracle VM VirtualBox
In this video, we will have a quick demonstration of how you can download a pre-built virtual image file, import it directly into a VirtualBox instance, and quickly set up a Kali Linux VM with all the necessary tools to get started.
- 7. Setup Target VM - Metasploitable Linux VM
In this demonstration, we will set up our target VM, the Metasploitable Linux machine, in VirtualBox. This Metasploitable VM will be used throughout the course as the target for testing and performing different scans with the nmap security scanner.
- 8. VirtualBox Networking - NAT (Network Address Translation)
We will now get an understanding of the concepts of VirtualBox networking, as these concepts are useful in all sorts of security and administration tasks. A clear understanding of the networking modes at our disposal can greatly help in our day-to-day tasks.
In this video, we will understand the most prominent networking mode available to us, NAT (Network Address Translation). We will see how it differs from the other modes and what its pros and cons are.
- 9. VirtualBox Networking - NAT Network
In this video, we will look at another networking mode, NAT Network, demonstrate how to set up this network type, and discuss its salient features.
- 10. VirtualBox Networking - Host Only Networking
In this lecture, we will look at the VirtualBox host-only networking mode, demonstrate how to set it up, and discuss its utility in performing tests.
- 11. VirtualBox Networking - Bridged mode
In this lecture, we will look at another networking mode, bridged networking, and discuss its pros, cons and uses.
- 12. VirtualBox Networking - Internal network, Recap & Outro
In this video, we will discuss the VirtualBox internal network and give some hints on how it can be used. Though this mode is not used in this course, it is still useful to have an idea about it.
As this section comes to an end, we have a recap of the section along with resources for reading and reference, and a task for setting up your own virtual lab.
Fundamentals of Scanning
- 13. TCP 3-Way Handshake
This lecture is a quick refresher on the good old TCP 3-way handshake, which we take up to understand the foundation of scanning with the nmap scanner. We will also see the TCP control bits, or flags as we know them, with a visualization and a quick introduction, as this knowledge is needed to understand the scan types offered by nmap.
- 14. Getting to know Nmap results & Port states
In this lecture, we will understand what we actually mean by an 'open', 'closed' and 'filtered' port, and the reasoning behind the port state reported by nmap.
Basic Scanning Techniques
- 15. Module Intro & TCP SYN, TCP CONNECT scans
We will have an introduction to this module and start by visualizing the TCP SYN scan, also known as the 'half-open scan' or 'stealth scan'. We will perform a practical demonstration against our victim machine in our virtual network and see what the scan looks like behind the scenes at the packet level. You will get clarity on how nmap decides whether a port state is open, closed or filtered, and trace back the steps in the Wireshark network protocol analyzer.
In the same manner, we will also look at the TCP CONNECT scan, how it differs from the TCP SYN scan, and the major differences between the two.
- 16. FIN, NULL & XMAS Scans
In this lecture, we will discuss and demonstrate FIN, NULL and XMAS scans, their visualization at the packet level, the mechanics of these scans, and how they behave with a firewall enabled and disabled, to get a better understanding of such scans.
- 17. UDP & SCTP Scans
In this video, we will look at port scanning of UDP services and how the packets look when viewed in Wireshark. In the same way, we will look at SCTP scans and their utility when there is a target infrastructure that supports the SCTP protocol (e.g. telecom sector networks).
- 18. ACK Scan
Another important scan option is the ACK scan, or acknowledgement scan. This scan is useful for determining the statefulness of a firewall. You will see how this scan behaves in the presence of a firewall ruleset and how to determine whether the remote firewall is implementing stateful or stateless filtering.
- 19. Maimon & IP Protocol Scans
This video discusses another type of scan, the Maimon scan, and how it functions for detecting ports. We also see another very important type of scan, the IP protocol scan, which can help us determine the device type based on the protocols it supports. This helps a security auditor in evaluating the device type and its capabilities in the network.
- 20. Scans at firewalls
In this video, we see how a firewall blocks scan probes, how the probes sent by nmap appear in the firewall's logging system, and how much information about the attacker is revealed.
- 21. Module recap & outro
In this video, we will have a recap of the module and a task for you to practice.
- 22. Quiz - Basic Scanning techniques
A short quiz on the module on basic scanning techniques.
Detecting Service Versions and Operating Systems
- 23. Service Version detection - Introduction & demonstration
In this video, you will get an introduction to the methods nmap employs to detect the versions of active services on a remote host. nmap offers various options for detecting service versions; we will see how to use these options to fingerprint services, and how this is valuable from a vulnerability assessment point of view for a security auditor as well as a network administrator.
- 24. Operating System Detection
In this video, you will learn to fingerprint a remote operating system with the different options nmap provides for operating system detection, and you will see, with practical demonstrations, how nmap fingerprints the remote operating system.
- 25. Module Recap & outro
In this video, we take a quick recap of the module and provide you with an exercise to practice the scans for service version and operating system detection.
- 26. QUIZ - Service Version & Operating System Detection
Answer the questions.
Port Specification & scan ordering
- 27. Introduction part & port specification options in nmap.
In this video, we will begin with an introduction to the module and explore the various options available for specifying ports on the nmap command line. We will explore these options and learn the convenience they provide when scanning by specified ports.
We will also see how changing nmap's default behavior of randomizing port order can impact scan speed, along with other options, to better understand how they can help us in our security assessments.
- 28. Inclusion and Exclusion of targets for scanning
In this video, we explore the options for including specific targets for scanning using a list file and, in case we do not want to scan a set of hosts/targets, the options for excluding them as well.
- 29. Module Recap & Outro
Host Discovery
- 30. Introduction - Host discovery and List scan & No port scan
In this video, we will have a quick introduction to the module and its learning objectives, and then begin with the various options available for host discovery. We will also see how disabling certain built-in options of nmap can impact the speed and behavior of the scanner.
- 31. No Ping Scan, TCP - SYN & ACK Pings
In this lecture, we will explore more interesting options such as 'No Ping' and look at TCP-based pings, specifically SYN and ACK pings, and how they can help in host discovery when the default ICMP pings do not give reliable results.
- 32. UDP & ICMP Pings
In this lecture, we explore the host discovery options based on the UDP and ICMP protocols for discovering hosts on a network.
- 33. Module recap & outro
- 34. Quiz - Host Discovery
A small quiz to refresh the concepts of the host discovery module.
Nmap Script scans
- 35. Introduction to Script scans
In this lecture, we introduce nmap script scans, the available script categories, and the remarkable ability of the Nmap Scripting Engine to perform tasks such as information gathering, vulnerability detection, enumeration, various tests against FTP, SSH, Telnet, database and email servers, and backdoor detection on services.
- 36. Demo scripts for Information gathering
We will explore some of the many scripts available for gathering information about our targets, along with some details on their inner workings.
- 37. Demo scripts for webserver testing & enumeration
In this lecture, we look at scripts that are useful for enumerating a web server and the applications hosted on it. These scripts will be useful during initial information gathering and profiling of a web server and application. We also look at an interesting script for detecting unusual services running on a host.
- 38. Demo for Vulnerability detection scripts
We will look at an interesting script that acts as a vulnerability scanner and assists a security auditor as well as a network administrator in detecting vulnerabilities in the services running on the target host.
- 39. Bruteforcing - FTP, SSH & Telnet Services using nmap scripts
Detecting weak passwords, along with detecting misconfigured services, forms an important part of a security assessment. In this video, we see how to test for weak passwords on services like FTP, SSH and Telnet by performing a brute-force attack to discover any weak credentials that could be exploited by attackers.
- 40. Demo of nmap scripts for backdoored services detection
In this lecture, we explore the capabilities of the Nmap Scripting Engine to detect known backdoored versions of services.
- 41. Auditing MySQL server - 1
In this first part of the lecture, we explore the very useful options for performing security audits on database servers, taking as our example the MySQL database server running on our Metasploitable Linux VM. Note that performing audits on MySQL servers requires a database account and its password.
- 42. Auditing MySQL server - 2
In this second part, we explore the very useful option for MySQL audits. This script is useful for detecting weak MySQL configurations. Note that performing audits on MySQL servers requires a database account and its password.
- 43. Auditing SMTP servers
In this lecture, we test some of the scripts available for auditing SMTP servers. Depending on the target SMTP server's configuration, the scope of the scripts will vary.
- 44. Advanced Script scans - Introduction
Moving ahead, we take up another useful feature of the Nmap Scripting Engine: the advanced option, where we can fire up scripts based on their categories. Please note that, depending on the options selected, these scans can take a very long time to run and can also cause network congestion as well as a potential denial-of-service condition.
- 45. Advanced Script scans demo - 1
In this lecture, we see an example of how to use boolean operators to specify script scans based on categories.
- 46. Advanced Script scans demo - 2
In this lecture, we see another example of how to use different boolean operators to specify script scans based on categories.
- 47. Advanced Script scans demo - 3
In this lecture, we see how to use the wildcard character along with boolean operators to specify various script categories for scanning.
- 48. Advanced Script scans demo - 4
In this video, we see the advanced script categories for UDP services.
- 49. Outro - Advanced script scans
- 50. Module recap & outro
Zenmap - GUI for nmap
- 51. Zenmap - Introduction & Scan profile creation.
In this module, you will get a quick introduction to Zenmap, the graphical frontend for nmap. We will walk through the various options of the graphical frontend for creating scans; we also have the liberty to craft our own scans as per our requirements and save them in the form of a profile.
- 52. Module recap & outro
Firewall Evasion Testing
- 53. Introduction to Firewall evasion & testing with available nmap options
In this video, we get an introduction to the module and take a quick look at the options available for testing and evading firewalls using the nmap security scanner.
- 54. Fragmentation Scan
In this lecture, we will look at the option to test a firewall using packet fragmentation, where we count on a firewall misconfiguration that can sometimes let an attacker bypass the firewall ruleset.
- 55. Sending Decoys
In this lecture, we explore the option nmap offers to send decoys to the firewall to obscure our IP address, which provides a small level of anonymity.
- 56. Spoofing IP & MAC addresses
In this video, we look at a most interesting topic: IP and MAC address spoofing. You will learn how implementing weak rulesets at the firewall, deliberately or unknowingly, can create a security loophole and make the network vulnerable to attacks.
- 57. Spoofing Source port
In this lecture and demonstration, we explore another option provided by nmap, spoofing the source port, to test for any firewall rule that relies on filtering based on an incoming packet's source port.
- 58. Appending signatures to scans.
As a security professional, it is important to keep your trail in place so as to provide proof of work as well as proof of concept. Apart from the options discussed in earlier sections, it is highly recommended to use this option and append your signature while performing scans, so that the client's firewall and other security mechanisms record your signature on the tasks you performed.
- 59. Module recap & outro
Scan Timing & Performance
- 60. Introduction - Scan timing & performance
- 61. Timing templates of nmap scanner
In this lecture, we discuss and try out the different timing templates offered by nmap, understand how the templates relate to scan speed and performance, and learn how to leverage these options according to the situation we are in.
- 62. Scan Parallelism
In this video, we walk through the scan parallelism option, inspect the scan probes in the Wireshark protocol analyzer, and study the effects of parallelism on scan speed and performance.
- 63. Setting Host timeouts
Sometimes, when nmap is scanning a large group of hosts, some hosts are very slow to respond, perhaps due to network performance or other factors, and this can slow down our scans. By using the host timeout option correctly, we can tell nmap to give up on slow hosts and speed up our scans.
- 64. Scanning host groups
The default behaviour of nmap is to scan 5 hosts simultaneously when scanning a large group of hosts. In case we want to change this behavior, we can do so. However, we must be aware that, depending on the target network, this option can have positive as well as negative impacts on our scan speed and accuracy.
- 65. Setting Scan delays
In this lecture, we see how to set customized delays between probes and observe them in the Wireshark protocol analyzer. This option can be useful against any threshold-based firewall or IDS.
- 66. Throttling packets per second
In this lecture, we will see how to throttle the probe packets sent per second and observe the effect in the Wireshark protocol analyzer.
- 67. Module recap & outro
Reporting with nmap
- 68. Introduction & Scan reporting - Part 1
In this video, we will look at and explore the options available for creating reports with nmap and for generating output that can be fed into other tools as input to perform more advanced scans.
- 69. Scan reporting - Part 2
In this video, we will look at another reporting option, the grepable output, which is now deprecated but is still used, mainly because its output works as input for other tools or custom programs that can consume the grepable output generated by nmap.
We will also look at the nmap 'all formats' option, which outputs the scan report in all formats: XML, grepable, normal nmap format, and script kiddie format.
- 70. Resuming interrupted scans from nmap outputs
This lecture describes a very practical situation: while scanning a network, our scan might break or get interrupted for various reasons. But if we have used the option to save nmap's output, then we can resume the scan from exactly where it broke.
We will have a practical demonstration of this situation and show you how it can be done.
- 71. Miscellaneous scan options.
In this video, we will look at other options that assist us during the scanning phase.
- 72. Module recap & outro
Bonus Content