Thursday, December 22, 2022

Nmap, a network scanner

Introduction

Nmap (short for Network Mapper) is a free and open-source network scanner tool that is used to discover hosts and services on a computer network, and to determine what devices are running on the network and what services they are offering. It was developed by Gordon Lyon (also known as Fyodor Vaskovich).

Nmap is widely used by network administrators and security professionals to perform network discovery, security scans, and vulnerability assessment. It can be used to scan large networks with hundreds of thousands of devices, or small networks with just a few devices.

Nmap uses a variety of techniques to scan networks, including raw IP packets, TCP and UDP port scans, and application-level probes. It can identify the operating system and version of devices on the network, as well as the types of services and servers that are running on them.

Nmap is available for Linux, Windows, and MacOS, and can be run from a command-line interface or through a graphical user interface. It is a powerful and flexible tool that is widely used in the field of network security.

Nmap use cases

There are many use cases for Nmap, including:

  1. Network discovery: Nmap can be used to scan a network and discover all the devices and services that are running on it. This is useful for:

    • Creating an inventory of all the devices and services on a network: By scanning a network with Nmap, it is possible to create a comprehensive inventory of all the devices and services that are running on the network. This can be useful for keeping track of all the assets on a network and for identifying any unauthorized devices or services.
    • Identifying rogue devices: Nmap can be used to scan a network and identify any devices that are not authorized to be on the network. This can include rogue access points, unauthorized servers, or other devices that may pose a security risk.
    • Identifying devices and services that are no longer in use: Nmap can be used to scan a network and identify devices and services that are no longer in use, or that have been decommissioned. This can help organizations to clean up their networks and remove unnecessary or outdated assets.
    • Maintaining an up-to-date network map: By regularly scanning a network with Nmap, it is possible to maintain an up-to-date map of the network and identify any changes or additions to the network. This can be useful for keeping track of network changes and ensuring that the network is properly configured and secure.

  2. Security scanning: Nmap can be used to perform security scans to identify vulnerabilities on a network. This can include:

    • Identifying open ports: Nmap can scan a network and identify all the open ports on the devices on the network. This can be useful for identifying services that are running on the network and for identifying any open ports that may be vulnerable to attack.
    • Identifying the operating systems and services running on devices: Nmap can be used to identify the operating systems and services running on devices on a network. This can be useful for identifying any outdated or unpatched systems, or for identifying services that may be vulnerable to attack.
    • Identifying misconfigured or unpatched systems: Nmap can be used to scan a network and identify any systems that are misconfigured or unpatched. This can help organizations to prioritize their efforts to secure their networks and protect against potential threats.
    • Performing network-wide security assessments: Nmap can be used to perform security assessments on an entire network, identifying potential vulnerabilities and security risks. This can be useful for organizations that need to ensure that their networks are secure and compliant with industry standards.
    • Identifying potential attack vectors: By scanning a network with Nmap, it is possible to identify potential attack vectors that could be exploited by malicious actors. This can help organizations to identify and address potential security weaknesses before they are exploited.

  3. Vulnerability assessment: Nmap can be used to identify vulnerabilities on a network, such as open ports, unpatched systems, and misconfigured services. This can help organizations to prioritize their efforts to secure their networks and protect against potential threats.

  4. Network mapping: Nmap can be used to create a map of a network, showing the relationships between devices and services. This can be useful for visualizing the network and identifying potential vulnerabilities or bottlenecks.

    • Creating a visual representation of a network: By scanning a network with Nmap and creating a map of the network, it is possible to get a visual representation of the network and see how the devices and services are connected. This can be useful for understanding the layout and structure of a network, and for identifying potential vulnerabilities or bottlenecks.
    • Identifying network dependencies: By creating a map of a network with Nmap, it is possible to identify the dependencies between different devices and services on the network. This can be useful for understanding how a network functions and for identifying potential points of failure.
    • Identifying potential bottlenecks: By creating a map of a network with Nmap, it is possible to identify potential bottlenecks on the network, such as devices or services that may be overburdened or underperforming. This can be useful for identifying and addressing potential performance issues on a network.
    • Troubleshooting network issues: By creating a map of a network with Nmap, it is possible to identify potential issues on the network and troubleshoot them more effectively. For example, if a device or service is experiencing performance issues, it may be possible to identify the cause of the issue by examining the network map and identifying any dependencies or bottlenecks on the network.
    • Planning network expansions: By creating a map of a network with Nmap, it is possible to plan for future expansions of the network and identify any potential issues that may arise as a result of the expansion. This can be useful for organizations that are planning to grow their networks or add new devices or services to the network.

  5. Penetration testing: Nmap can be used as part of a penetration test to identify vulnerabilities and potential attack vectors on a network. This can help organizations to identify and address potential security weaknesses before they are exploited by malicious actors.
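
The inventory and rogue-device use cases above are usually driven from Nmap's XML output (nmap -oX). The following is an added example, not code from the original post or from the Nmap project: it parses a constructed sample report, builds an inventory of hosts and open services, and compares it with a hypothetical expected-asset baseline to surface rogue hosts and unexpected open ports.

```python
# Added example, not from the original post: build an asset inventory from an
# Nmap XML report (nmap -oX) and flag rogue hosts or unexpected open ports by
# comparing it with an expected-asset baseline. The XML and the baseline are
# constructed samples for the private range used in the post's own commands.
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.0.0/24">
<host><status state="up"/><address addr="192.168.0.1" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx"/></port>
</ports></host>
<host><status state="up"/><address addr="192.168.0.77" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="3389"><state state="closed"/></port>
</ports></host>
<host><status state="down"/><address addr="192.168.0.9" addrtype="ipv4"/></host>
</nmaprun>"""

# Hypothetical baseline: IPv4 address -> set of (protocol, port) expected to be open.
EXPECTED_ASSETS = {"192.168.0.1": {("tcp", 22)}}


def parse_inventory(xml_text):
    """Return {ip: [(proto, port, service, product), ...]} for hosts that are
    up, keeping only the ports Nmap reported as open."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # down hosts (and hosts without an IPv4 address) are skipped
        services = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not assets to track
            svc = port.find("service")
            services.append((port.get("protocol"), int(port.get("portid")),
                             svc.get("name", "") if svc is not None else "",
                             svc.get("product", "") if svc is not None else ""))
        inventory[addr.get("addr")] = services
    return inventory


def find_anomalies(inventory, expected):
    """Rogue hosts are up but absent from the baseline; unexpected ports are
    open (proto, port) pairs on a known host that the baseline does not list."""
    rogue_hosts = sorted(ip for ip in inventory if ip not in expected)
    unexpected = {}
    for ip, services in inventory.items():
        if ip in expected:
            extra = {(proto, port) for proto, port, _, _ in services} - expected[ip]
            if extra:
                unexpected[ip] = sorted(extra)
    return rogue_hosts, unexpected


if __name__ == "__main__":
    inv = parse_inventory(SAMPLE_NMAP_XML)
    for ip, services in inv.items():
        print(ip, services)
    rogue, extra = find_anomalies(inv, EXPECTED_ASSETS)
    print("rogue hosts:", rogue)
    print("unexpected open ports on known hosts:", extra)
```

Run against a real report, the same two functions give a repeatable diff between successive scans, which is what the "up-to-date network map" use case amounts to in practice.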

Nmap scripting engine

Nmap (Network Mapper) includes a scripting engine (NSE) that allows users to write and run custom scripts to automate various tasks. These scripts are organized into categories based on their function. Some of the categories available in the NSE include:

• auth: Scripts that are designed to perform authentication-related tasks, such as password cracking or testing for weak passwords. Example: "ssh-brute" (brute-forces SSH login credentials)

• broadcast: Scripts that are designed to scan broadcast networks and gather information about the hosts that are connected to them. Example: "smb-enum-shares" (enumerates shared SMB resources)

• brute: Scripts that are designed to perform brute-force attacks, such as guessing passwords or trying to guess login credentials. Example: "http-form-brute" (brute-forces HTTP login forms)

• default: Scripts that are included with Nmap and are run by default when no specific scripts are specified. Example: "dns-recursion" (tests for DNS recursion)

• discovery: Scripts that are designed to gather information about hosts and networks, such as identifying the operating system, open ports, and running services. Example: "smb-os-discovery" (determines the operating system of an SMB host)

• dos: Scripts that are designed to perform denial-of-service (DoS) attacks. Example: "udp-flood" (floods a target with UDP packets)

• exploit: Scripts that are designed to exploit vulnerabilities. Example: "ms08-067-netapi" (exploits a vulnerability in the Windows operating system)

• fingerprint: Scripts that are designed to identify the operating system or other characteristics of a host or network. Example: "ssl-cert" (identifies the SSL certificate of a service)

• safe: Scripts that are designed to be safe to run and are unlikely to cause harm to the target host or network. Example: "http-headers" (retrieves HTTP headers from a web server)

• vuln: Scripts that are designed to identify known vulnerabilities. Example: "ssl-heartbleed" (tests for the Heartbleed vulnerability in SSL)

To run a script from a specific category, users can use the "--script" option followed by the category name and a "*" wildcard. For example, the following command will run all of the scripts in the "discovery" category:

    nmap --script=discovery* 192.168.0.1

Users can also specify multiple categories by separating them with a comma. For example, the following command will run all of the scripts in the "discovery" and "vuln" categories:

    nmap --script=discovery*,vuln* 192.168.0.1

These are just a few examples of the many categories and scripts available in the NSE. There are hundreds of scripts available, covering a wide range of functions and use cases.

Saturday, July 23, 2016

HTTP Verbs | HTTP Methods - Brief introduction

• GET: The GET method is used to retrieve information from the given server using a given URI. Requests using GET should only retrieve data and should have no other effect on the data.
• HEAD: Same as GET, but only transfers the status line and header section.
• POST: A POST request is used to send data to the server, for example customer information or a file upload, typically via HTML forms.
• PUT: Replaces all current representations of the target resource with the uploaded content.
• DELETE: Removes all current representations of the target resource given by the URI.
• CONNECT: Establishes a tunnel to the server identified by the given URI.
• OPTIONS: Describes the communication options for the target resource.
• TRACE: Performs a message loop-back test along the path to the target resource.

NOTE: A URI is a string of characters used to identify a resource.

Saturday, May 28, 2016

Cookie hijacking | Session hijacking | Cookie theft

Cookie hijacking is a hacking process by which the hacker gains unauthorized access to some confidential information in a way which is not facilitated by the user or a secure session.
Specifically speaking, cookie hijacking means hacking or stealing the cookies that contain confidential information that is needed to authenticate or connect a user to a remote web server.
Cookie hijacking can be performed by the hacker by using a computer placed between the user's node and the server, or by obtaining access to the cookies stored on the user's computer.
A hacker can also use source-routed Internet Protocol (IP) packets to gain unauthorized access between two communicating nodes.
The hacker would then route the packets containing cookies to pass through his computer before reaching the destination.
Cookie hijacking is sometimes also used to perform denial-of-service attacks, also known as DoS attacks.

What is a cookie?
Cookies are usually small text files, given ID tags, that are stored in your computer's browser directory or program data subfolders. Cookies are created when you use your browser to visit a website that uses cookies to keep track of your movements within the site, help you resume where you left off, remember your registered login, theme selection, preferences, and other customization functions. The website stores a corresponding file (with the same ID tag) to the one it set in your browser, and in this file it can track and keep information on your movements within the site and any information you may have voluntarily given while visiting the website, such as an email address.
Cookies are often indispensable for websites that have huge databases, need logins, have customizable themes, or have other advanced features.
Cookies usually don't contain much information except for the URL of the website that created the cookie, the duration of the cookie's abilities and effects, and a random number. Due to the small amount of information a cookie contains, it usually cannot be used to reveal your identity or personally identifying information. However, marketing is becoming increasingly sophisticated and cookies in some cases can be aggressively used to create a profile of your surfing habits.
There are two types of cookies: session cookies and persistent cookies. Session cookies are created temporarily in your browser's subfolder while you are visiting a website. Once you leave the site, the session cookie is deleted. On the other hand, persistent cookie files remain in your browser's subfolder and are activated again once you visit the website that created that particular cookie. A persistent cookie remains in the browser's subfolder for the duration period set within the cookie's file.

More on Cookies
A cookie is a small file of letters and numbers downloaded on to your computer when you access certain websites. Like virtual door keys, cookies unlock a computer's memory and allow a website to recognise users when they return to a site by opening doors to different content or services. Like a key, a cookie itself does not contain information, but when it is read by a browser it can help a website improve the service delivered.
Cookie files are automatically lodged into the cookie file - the memory of your browser - and each one typically contains:
• The name of the server the cookie was sent from
• The lifetime of the cookie
• A value - usually a randomly generated unique number
The website server which sent the cookie uses this number to recognise you when you return to a site or browse from page to page. Only the server that sent a cookie can read, and therefore use, that cookie.
A cookie is a text-only string of information that a website transfers to the cookie file of the browser on the hard disk of computers so that the website can remember who you are.
A cookie will typically contain the name of the domain from which the cookie has come, the "lifetime" of the cookie, and a value, usually a randomly generated unique number. Two common types of cookies are used on most websites - session cookies, which are temporary cookies that remain in the cookie file of your browser until you leave the site, and persistent cookies, which remain in the cookie file of your browser for much longer (though how long will depend on the lifetime of the specific cookie).

Session cookie
A session cookie, also known as an in-memory cookie or transient cookie, exists only in temporary memory while the user navigates the website.[14] Web browsers normally delete session cookies when the user closes the browser.[15] Unlike other cookies, session cookies do not have an expiration date assigned to them, which is how the browser knows to treat them as session cookies.

Persistent cookie
Instead of expiring when the web browser is closed as session cookies do, persistent cookies expire at a specific date or after a specific length of time. This means that, for the cookie's entire lifespan (which can be as long or as short as its creators want), its information will be transmitted to the server every time the user visits the website that it belongs to, or every time the user views a resource belonging to that website from another website (such as an advertisement).
For this reason, persistent cookies are sometimes referred to as tracking cookies because they can be used by advertisers to record information about a user's web browsing habits over an extended period of time. However, they are also used for "legitimate" reasons as well (such as keeping users logged into their accounts on websites, to avoid re-entering login credentials at every visit).

Secure cookie
A secure cookie can only be transmitted over an encrypted connection (i.e. HTTPS). This makes the cookie less likely to be exposed to cookie theft via eavesdropping.

HttpOnly cookie
HttpOnly cookies can only be used when transmitted via HTTP (or HTTPS). They are not accessible through non-HTTP APIs such as JavaScript. This restriction eliminates the threat of cookie theft via cross-site scripting (XSS), while leaving the threats of cross-site tracing (XST) and cross-site request forgery (CSRF) intact.

Third-party cookie
Normally, a cookie's domain attribute will match the domain that is shown in the web browser's address bar. This is called a first-party cookie. Third-party cookies, however, belong to domains different from the one shown in the address bar. These sorts of cookies typically appear when web pages feature content, such as banner advertisements, from external websites. This opens up the potential for tracking the user's browsing history, and is often used by advertisers in an effort to serve relevant advertisements to each user.

As an example, suppose a user visits www.example.org. This web site contains an advertisement from ad.foxytracking.com, which, when downloaded, sets a cookie belonging to the advertisement's domain (ad.foxytracking.com). Then, the user visits another website, www.foo.com, which also contains an advertisement from ad.foxytracking.com/, and which also sets a cookie belonging to that domain (ad.foxytracking.com). Eventually, both of these cookies will be sent to the advertiser when loading their advertisements or visiting their website. The advertiser can then use these cookies to build up a browsing history of the user across all the websites that have ads from this advertiser.

As of 2014, some websites were setting cookies readable for over 100 third-party domains.[16] On average, a single website was setting 10 cookies, with a maximum number of cookies (first- and third-party) reaching over 800.[17]

Most modern web browsers contain privacy settings that can block third-party cookies.

Supercookie
A "supercookie" is a cookie with an origin of a Top-Level Domain (such as .com) or a Public Suffix (such as .co.uk). Ordinary cookies, by contrast, have an origin of a specific domain name, such as example.com.

Supercookies can be a potential security concern and are therefore often blocked by web browsers. If unblocked by the client computer, an attacker in control of a malicious website could set a supercookie and potentially disrupt or impersonate legitimate user requests to another website that shares the same Top-Level Domain or Public Suffix as the malicious website. For example, a supercookie with an origin of .com could maliciously affect a request made to example.com, even if the cookie did not originate from example.com. This can be used to fake logins or change user information.
The Public Suffix List helps to mitigate the risk that supercookies pose. The Public Suffix List is a cross-vendor initiative that aims to provide an accurate and up-to-date list of domain name suffixes. Older versions of browsers may not have an up-to-date list, and will therefore be vulnerable to supercookies from certain domains.
The term "supercookie" is sometimes used for tracking technologies that do not rely on HTTP cookies. Two such "supercookie" mechanisms were found on Microsoft websites in August 2011: cookie syncing that respawned MUID (Machine Unique IDentifier) cookies, and ETag cookies.[18] Due to media attention, Microsoft later disabled this code.

Zombie cookie
Zombie cookies are cookies that are automatically recreated after being deleted. This is accomplished with the help of a client-side script. The script starts by storing the cookie's content in multiple locations, such as Flash local storage, HTML5 storage, and other client-side storage locations. When the script detects the cookie's absence, it recreates the cookie using the data stored in these locations.

Structure
A cookie consists of the following components:

• Name
• Value
• Zero or more attributes
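
The following is an added example, not code from the original post: it splits Set-Cookie headers into the three components listed under Structure (name, value, attributes) and applies the rules from the Session cookie, Secure cookie and HttpOnly cookie sections to flag session cookies that are exposed to the eavesdropping and XSS theft described there. The header values are constructed samples.

```python
# Added example, not from the original post: parse Set-Cookie headers into
# name, value and attributes, then classify each cookie using the rules above:
# no Expires/Max-Age means a session cookie, "Secure" restricts it to HTTPS,
# and "HttpOnly" keeps it away from JavaScript. All headers are constructed.

SAMPLE_SET_COOKIE_HEADERS = [
    "SESSIONID=7f3a9c1e; Path=/; Secure; HttpOnly; SameSite=Lax",
    "prefs=theme%3Ddark; Path=/; Max-Age=2592000",
    "tracker=ab12cd; Domain=ad.foxytracking.com; Expires=Wed, 01 Jan 2025 00:00:00 GMT",
    "login_token=e0d1; Path=/",
]


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value}).
    Attribute names are case-insensitive, so they are lower-cased; flag
    attributes such as Secure and HttpOnly carry the value True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def classify_cookie(header):
    """Describe a cookie's type (session vs persistent) and its protections."""
    name, _value, attrs = parse_set_cookie(header)
    persistent = "expires" in attrs or "max-age" in attrs
    return {
        "name": name,
        "type": "persistent" if persistent else "session",
        "secure": attrs.get("secure") is True,
        "httponly": attrs.get("httponly") is True,
        "domain": attrs.get("domain"),
    }


def weak_session_cookies(headers):
    """Names of session cookies missing Secure or HttpOnly: the ones most
    exposed to theft via eavesdropping or cross-site scripting."""
    weak = []
    for header in headers:
        info = classify_cookie(header)
        if info["type"] == "session" and not (info["secure"] and info["httponly"]):
            weak.append(info["name"])
    return weak


if __name__ == "__main__":
    for h in SAMPLE_SET_COOKIE_HEADERS:
        print(classify_cookie(h))
    print("session cookies lacking Secure+HttpOnly:",
          weak_session_cookies(SAMPLE_SET_COOKIE_HEADERS))
```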