Zenmap is the official Nmap Security Scanner GUI that aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users.
Nmap is a very powerful utility that can be used to:
- Detect live hosts on the network (host discovery)
- Detect open ports on a host (port discovery or enumeration)
- Detect the software and version behind each open port (service discovery)
- Detect the operating system, hardware address, and software version
- Detect vulnerabilities and security holes (Nmap scripts)
It is available as both a command line interface and a graphical user interface. Once the .exe or ZIP file is downloaded from http://nmap.org/download.html, the installer offers the option to install Nmap with the GUI or as the command line interface only.
Simply deselect the GUI if you want the command line interface, which is recommended as you then write the commands yourself.
If you are a beginner, the GUI is a great place to start as it helps a lot with writing the desired commands: you simply select what you want it to do.
Once the command line version is downloaded and installed, open up Cmd and navigate to the Nmap folder as shown below. This is where all the commands will be carried out.
- nmap --help
Lists all the available options, grouped under the following headings:
- TARGET SPECIFICATION
- HOST DISCOVERY
- SCAN TECHNIQUES
- PORT SPECIFICATION AND SCAN ORDER
- SERVICE/VERSION DETECTION
- SCRIPT SCAN
- OS DETECTION
- TIMING AND PERFORMANCE
- FIREWALL/IDS EVASION AND SPOOFING
Export to File
--help is just an example; the same redirection can be used for any scan.
- nmap --help > C:\nmap.txt
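Redirecting console output as above is fine for reading, but for comparing scans over time Nmap's own greppable format (the -oG <file> option) is easier to process. The following is an added example, not code from the original page: a Python parser for -oG files and a diff that flags ports newly open since a baseline scan, the kind of check a defender runs to catch unexpected exposure. The two scan samples are constructed to mirror the documented -oG layout.

```python
"""Parse Nmap greppable output (-oG) and flag ports newly open since a baseline.
Added example, not from the original page. One host per line, tab-separated:
Host: <ip> (<name>)<TAB>Ports: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ..."""
import re
# Constructed sample -oG output: the same host scanned on two different days.
BASELINE = """\
Host: 192.168.1.5 (fileserver)\tStatus: Up
Host: 192.168.1.5 (fileserver)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 445/open/tcp//microsoft-ds///, 80/closed/tcp//http///\tIgnored State: filtered (997)
"""
TODAY = """\
Host: 192.168.1.5 (fileserver)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, 80/closed/tcp//http///\tIgnored State: filtered (996)
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")

def parse_gnmap(text):
    """Return {ip: {(port, proto): (state, service, version)}} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # skip '# Nmap ...' comment lines and blanks
        entry = hosts.setdefault(m.group(1), {})
        for field in m.group(3).split("\t"):
            key, _, value = field.partition(": ")
            if key != "Ports":
                continue  # Status:, OS:, Ignored State: are not needed here
            for spec in value.split(", "):
                # 7 slash-separated fields plus a trailing slash; Nmap writes '|'
                # instead of '/' inside service/version text, so split is safe.
                port, state, proto, _own, service, _rpc, version = spec.split("/")[:7]
                entry[(int(port), proto)] = (state, service, version)
    return hosts

def new_open_ports(before, after):
    """Per host, sorted (port, proto) keys that are open in `after` but not in `before`."""
    changes = {}
    for ip, ports in after.items():
        old = before.get(ip, {})
        opened = sorted(k for k, v in ports.items()
                        if v[0] == "open" and old.get(k, ("",))[0] != "open")
        if opened:
            changes[ip] = opened
    return changes

if __name__ == "__main__":
    delta = new_open_ports(parse_gnmap(BASELINE), parse_gnmap(TODAY))
    for ip, ports in delta.items():  # prints: 192.168.1.5 newly open: 3389/tcp
        print(ip, "newly open:", ", ".join(f"{p}/{pr}" for p, pr in ports))
```

Run the two scans with `-oG baseline.gnmap` and `-oG today.gnmap`, read both files in place of the embedded samples, and anything printed is a port that was not open the last time you looked.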
Target: a hostname, URL or IP address.
- nmap Target
Results will outline the following:
Scan a number of specific ports
- nmap -p80,21,23 Target
Detect the operating system of one or more targets
- nmap -O Target1 Target2
Enable OS and version detection, script scanning, and traceroute; -T4 for faster execution
- nmap -A -T4 Target
Find out whether a host/network is protected by a firewall
- nmap -sA Target
Scan a host that is protected by a firewall (-PN, now spelled -Pn, skips host discovery and treats the host as up)
- nmap -PN Target
Scan a range of IP addresses using a wildcard or CIDR notation
- nmap 192.168.1.*
- nmap 192.168.1.0/24
Exclude hosts from a scan
- nmap 192.168.1.0/24 --exclude 192.168.1.5
- nmap 192.168.1.0/24 --exclude 192.168.1.5,192.168.1.254
Some Examples of Scans
-sS (TCP SYN scan)
Also called half-open scanning, because this technique lets Nmap get information from the remote host without completing the TCP handshake. Nmap sends SYN packets to the destination but never completes a session, so the application on the target sees no established connection and records no log of the interaction; this is the main advantage of the TCP SYN scan.
- nmap -sS Target
-sT (TCP connect scan)
This is the default TCP scan type when SYN scan is not an option.
Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect system call. Rather than read raw packet responses off the wire, Nmap uses this API to obtain status information on each connection attempt.
- nmap -sT Target
-sU (UDP scans)
Sends a UDP packet to every targeted port; a service that answers with a UDP packet proves the port is open. Common UDP services include DNS (port 53) and SNMP (port 161). Ways to speed up UDP scans include scanning more hosts in parallel, doing a quick scan of just the popular ports first, scanning from behind the firewall, and using --host-timeout to skip slow hosts.
- nmap -sU Target
-sY (SCTP INIT scan)
SCTP is an alternative to the TCP and UDP protocols, combining most characteristics of TCP and UDP and adding new features like multi-homing and multi-streaming.
- nmap -sY Target
-sA (TCP ACK scan)
Used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.
- nmap -sA Target
-sO (IP protocol scan)
Allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines.
- nmap -sO Target
Zenmap GUI Interface
Zenmap allows interactive creation of Nmap command lines through a point-and-click approach.
Running a scan is as simple as typing the target in the “Target” field, selecting the “Intense scan” profile, and clicking the “Scan” button.
Once the Target and Profile are selected, the Command text area shows the Nmap command that is about to be run. This command can also be copied out and used in the Nmap command line interface.
Intense scan
nmap -T4 -A -v testSite.com
Slow comprehensive scan
nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" testSite.com
The Profile Editor
It is possible to use the profile editor as an Nmap command editor. Select “New Profile or Command” from the “Profile” menu or use the Ctrl+P keyboard shortcut. The profile editor will appear, displaying whatever command was shown in the main window.
Within the Scripting tab it is possible to scroll the list on the left to see all the scripts listed in script.db. Scripts can be selected or deselected individually by clicking the check-box next to the script name.
To save the profile, first go to the “Profile” tab and give the profile a name. Then click “Save Changes” to save the new profile.
The newly created profile is then saved and can be selected as a scan option in future.
Nmap is a must-have tool for network security experts. It supports many advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. It can scan huge networks containing hundreds of thousands of machines and, most importantly, it is available in both the traditional command line and graphical (GUI) versions.
An Analysis of Automated Web Application Scanning Suites
This document is an analysis of the performance of five common web application scanners, which were run against three different types of web applications. It provides an evaluation of the web application scanner suites from installation to the completion of the scan, and rates the suites on multiple criteria.
Acunetix, AppScan, Burp, Nexpose & NTO Spider.
Study carried out by James Ball, Alexander Heid, Rod Soto: HackMiami
Overall Details Regarding Each Product
Overall, AppScan is the most costly product, with Burp Proxy being the cheapest.
Ongoing cyclical web application vulnerability assessments are a critical part of the software development lifecycle (SDLC) for any organization. The harried release cycles of web applications and the scarce availability of skilled security engineers to conduct thorough manual assessments make the market for automated web application vulnerability scanner suites one that will continue to grow. As more products come to market, and more exploitable vulnerabilities are identified, the choices will continue to grow. The end consumer will almost always be faced with picking a product that meets their strictest requirement, the budget. In terms of overall value, it is the conclusion of the researchers conducting the HackMiami 2013 Hackers Conference PwnOff that Portswigger Burp and Rapid7 Nexpose/Metasploit Pro currently provide the most value to the independent security consultant in terms of discovered vulnerabilities, ease of use, licensing flexibility, and range of functionality.
Open Source Black Box Testing tools
- OWASP WebScarab
- OWASP CAL9000
  - CAL9000 is a collection of browser-based tools that enable more effective and efficient manual testing efforts.
  - Includes an XSS Attack Library, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more.
- OWASP Pantera Web Assessment Studio Project
- SPIKE – http://www.immunitysec.com
- Paros – http://www.parosproxy.org
- Burp Proxy – http://www.portswigger.net
- Achilles Proxy – http://www.mavensecurity.com/achilles
- Odysseus Proxy – http://www.wastelands.gen.nz/odysseus/
- Webstretch Proxy – http://sourceforge.net/projects/webstretch
- Firefox LiveHTTPHeaders, Tamper Data and Developer Tools – http://www.mozdev.org
- Grendel-Scan – http://www.grendel-scan.com
- OWASP SWFIntruder
Testing for specific vulnerabilities
Testing for SQL Injection
- OWASP SQLiX
- Sqlninja: a SQL Server Injection & Takeover Tool – http://sqlninja.sourceforge.net
- Bernardo Damele A. G.: sqlmap, automatic SQL injection tool – http://sqlmap.sourceforge.net
- Absinthe 1.1 (formerly SQLSqueal) – http://www.0x90.org/releases/absinthe/
- SQLInjector – http://www.databasesecurity.com/sql-injector.htm
- bsqlbf-1.2-th – http://www.514.es
- TNS Listener tool (Perl) – http://www.jammed.com/%7Ejwa/hacks/security/tnscmd/tnscmd-doc.html
- Toad for Oracle – http://www.quest.com/toad
- Foundstone SSL Digger – http://www.foundstone.com/resources/proddesc/ssldigger.htm
Testing for Brute Force Password
- THC Hydra – http://www.thc.org/thc-hydra/
- John the Ripper – http://www.openwall.com/john/
- Brutus – http://www.hoobie.net/brutus/
- Medusa – http://www.foofus.net/~jmk/medusa/medusa.html
Testing Buffer Overflow
- OllyDbg – http://www.ollydbg.de
  - “A Windows based debugger used for analyzing buffer overflow vulnerabilities”
- Spike – http://www.immunitysec.com/downloads/SPIKE2.9.tgz
  - A fuzzer framework that can be used to explore vulnerabilities and perform length testing
- Brute Force Binary Tester (BFB) – http://bfbtester.sourceforge.net
  - A proactive binary checker
- Stach & Liu’s Google Hacking Diggity Project – http://www.stachliu.com/resources/tools/google-hacking-diggity-project/
- Foundstone Sitedigger (Google cached fault-finding) – http://www.foundstone.com/resources/proddesc/sitedigger.htm
Commercial Black Box Testing tools
- Typhon – http://www.ngssoftware.com/products/internet-security/ngs-typhon.php
- NGSSQuirreL – http://www.ngssoftware.com/products/database-security/
- Watchfire AppScan – http://www.watchfire.com
- Cenzic Hailstorm – http://www.cenzic.com/products_services/cenzic_hailstorm.php
- Burp Intruder – http://portswigger.net/intruder
- Acunetix Web Vulnerability Scanner – http://www.acunetix.com
- WebSleuth – http://www.sandsprite.com
- NT Objectives NTOSpider – http://www.ntobjectives.com/products/ntospider.php
- Fortify Pen Testing Team Tool – http://www.fortifysoftware.com/products/tester
- Sandsprite Web Sleuth – http://sandsprite.com/Sleuth/
- MaxPatrol Security Scanner – http://www.maxpatrol.com
- Ecyware GreenBlue Inspector – http://www.ecyware.com
- Parasoft WebKing (more QA-type tool)
- MatriXay – http://www.dbappsecurity.com
- N-Stalker Web Application Security Scanner – http://www.nstalker.com
Source Code Analyzers
Open Source / Freeware
- OWASP Orizon
- OWASP LAPSE
- OWASP O2 Platform
- Google CodeSearchDiggity – http://www.stachliu.com/resources/tools/google-hacking-diggity-project/attack-tools/
- PMD – http://pmd.sourceforge.net/
- FlawFinder – http://www.dwheeler.com/flawfinder
- Microsoft’s FxCop
- Splint – http://splint.org
- Boon – http://www.cs.berkeley.edu/~daw/boon
- FindBugs – http://findbugs.sourceforge.net
- Armorize CodeSecure – http://www.armorize.com/index.php?link_id=codesecure
- CodeWizard – http://www.parasoft.com/products/wizard
- Checkmarx CxSuite – http://www.checkmarx.com
- Fortify – http://www.fortifysoftware.com
- GrammaTech – http://www.grammatech.com
- ITS4 – http://www.cigital.com/its4
- Ounce Labs Prexis – http://www.ouncelabs.com
- ParaSoft – http://www.parasoft.com
- Virtual Forge CodeProfiler for ABAP – http://www.virtualforge.de
- Veracode – http://www.veracode.com
Acceptance Testing Tools
Acceptance testing tools are used to validate the functionality of web applications. Some follow a scripted approach and typically make use of a Unit Testing framework to construct test suites and test cases. Most, if not all, can be adapted to perform security specific tests in addition to functional tests.
Open Source Tools
- WATIR – http://wtr.rubyforge.org
  - A Ruby based web testing framework that provides an interface into Internet Explorer.
  - Windows only.
- HtmlUnit – http://htmlunit.sourceforge.net
  - A Java and JUnit based framework that uses the Apache HttpClient as the transport.
  - Very robust and configurable and is used as the engine for a number of other testing tools.
- jWebUnit – http://jwebunit.sourceforge.net
  - A Java based meta-framework that uses HtmlUnit or Selenium as the testing engine.
- Canoo Webtest – http://webtest.canoo.com
  - An XML based testing tool that provides a facade on top of HtmlUnit.
  - No coding is necessary as the tests are completely specified in XML.
  - There is the option of scripting some elements in Groovy if XML does not suffice.
  - Very actively maintained.
- HttpUnit – http://httpunit.sourceforge.net
  - One of the first web testing frameworks; suffers from using the native JDK provided HTTP transport, which can be a bit limiting for security testing.
- Watij – http://watij.com
  - A Java implementation of WATIR.
  - Windows only because it uses IE for its tests (Mozilla integration is in the works).
- Solex – http://solex.sourceforge.net
  - An Eclipse plugin that provides a graphical tool to record HTTP sessions and make assertions based on the results.
- Selenium – http://www.openqa.org/selenium/
- Rational PurifyPlus – http://www-306.ibm.com/software/awdtools
- BugScam – http://sourceforge.net/projects/bugscam
- BugScan – http://www.hbgary.com
- Veracode – http://www.veracode.com
- Rational Requisite Pro – http://www-306.ibm.com/software/awdtools/reqpro