Saturday, January 26, 2013

[Book] Nmap 6 Network Exploration and Network Security Auditing cookbook

A couple of weeks ago, Packetpub reached out to me to review their newest book on Nmap by Paulino Calderon. Due to a lack of time, it wasn't until this weekend that I have been able to write the last words of this review.

The author's description of the book says "Nmap 6: Network Exploration and Security Auditing Cookbook is a 100 percent practical book that follows a cookbook's style..." and this is both reasonable and necessary, as the book wouldn't have had much added value over the pretty comprehensive online documentation otherwise. Most recipes come in a "What and why, How to do, How it works, There's more to it and See Also" format, which is good, except for the "See Also" that I found to be a waste of space in my opinion as in most cases it points to recipes in the same chapter and the "References" and "Index" at the end of the book are already comprehensive. If you don't know what Nmap is, or are just searching for the "how to do" part in a rigid format, you may want to take a first look at the online documentation.
Repeating the "legal disclaimer" from the preface at the start of each chapter was a bit annoying. Those who have bad intentions will skip through them (just like those with good intentions do). On the other hand, the author could have provided a good added-value if he provided a virtual machine with the vulnerable software on which to test (and follow with the examples) the book's recipes. Using some existing vulnerable virtual machines would have been rational too.

Following are my views on each chapter of the book. You can skip directly to the summary/rating.

Chapter 1: Nmap Fundamentals.
The book shows up some awesomeness early on. This chapter covers "a lot" compared to the usual "First Chapter" you see in other books. The chapter starts with grabbing and building the latest source code from the Nmap repository. *Every* Nmap user should be running bleeding edge, as there are too many bug fixes, new features and especially NSE improvements to miss, waiting for stable releases. I totally agree with the author on skipping the usual, "go to toolwebsite.com, grab packages/binaries and run it."
The chapter continues with recipes, starting with the simple "nmap <target>" and showing basic features and flags such as -PN, -n and -p up to using Ndiff and a bash script to automate some monitoring work.
In essence, all the fundamentals needed for the day-to-day tasks are here.

Chapter 2: Network Exploration
This chapter looked more like the man pages with all the different host discovery and port scanning techniques detailed. On page 48: "...note that there are firewalls configured to drop RST packets..." the author probably meant "...drop SYN packets..." given the context.
Page 51: "... will generate false positives" should have been "...false negatives...".
First part of the chapter is not very interesting and the author's touch was quite absent. Things become a bit more interesting starting from the "Hiding our traffic with additional random data" recipe. Overall it was an ok chapter.

Chapter 3: Gathering Additional Host Information
This chapter deals with collecting information about your targets beyond the classic OS fingerprinting, port enumeration and service discovery that Nmap is widely known for. There are recipes about IP geolocation, whois records enumeration, Google Safe Browsing querying, listing supported protocols, etc. The author's touch, which was lacking in the previous chapter, was welcome here.

Chapter 4: Auditing Web Servers
As I expected, and as the chapters go, the author starts to focus more on leveraging NSE scripts.
One (major) complaint: "HTTP User Agent" and "HTTP pipelining" paragraphs were repeated numerous times, practically for each recipe in the chapter (and many other times in later chapters). Moving them to the start of the chapter and simply pointing to them would have saved a lot of valuable space.
Other than that, there are numerous recipes for enumerating and testing web servers and applications. Not surprising knowing the author's contributions to Nmap.

Chapter 5: Auditing Databases.
The "MySQL servers may run on a non-standard port..." passage is again repeated a couple of times. Same goes for the "Brute modes" passage, but in general the chapter is quite good with a lot of information on testing MySQL servers, Oracle, MS SQL and some NoSQL DB servers such as MongoDB and CouchDB. No love for PostgreSQL? :)

Chapter 6: Auditing Mail Servers
This chapter goes through testing mail servers using mainly smtp/pop3/imap related NSE scripts. Again, there is some repetition in here. The little paragraph about "Debugging NSE scripts" is repeated 9 times through the chapter (and 11 times in total in the book). Worse, the command is not even changed.
nmap -p80 --script http-google-email -d4 <target>
Other notes about this chapter: In my opinion, the SMTP brute force recipe should come right after the user enumeration recipe, not just right before it.
Same goes for the POP3/IMAP brute force recipes which should come after capabilities querying recipes. But this is a small detail.

Chapter 7: Scanning large networks.
This chapter constitutes a fresh change, as it is not as heavy on using NSE scripts as the previous chapters. The "reading targets from text files" and "scanning an ip address range" recipes should be in the first or second chapter though. The various recipes to optimize the run time of large network scans are very nice. The closing recipe on running distributed scans with Dnmap is a nice touch.

Chapter 8: Generating Scan Reports.
The chapter is self-contained, with information on generating reports in various formats (text, XML, SQLite DB, HTML, network topology graph, etc.). In my opinion, this chapter should have come as the last chapter of the book, or alternatively in the place of one of the earlier chapters (before the book starts focusing on NSE scripts).

Chapter 9: Writing Your Own NSE Scripts
This chapter is hands-down the best in the book. The author does a brilliant job in taking the reader beyond the "Check response code of an HTTP request to some url." scripting tutorials that you will find practically everywhere. These were my expectations knowing the author's contribution to NSE and he surely didn't disappoint. Anyone planning to start writing Nmap scripts would learn a lot from this chapter and enjoy the practical tips in here.

Summary:
The Nmap 6 cookbook is a nice addition to your bookshelf or on a corner of your desk, depending on how often you (should) use Nmap. I had high expectations for this book and I wasn't let down except by the editing / space management.

Pros:
Complete coverage of Nmap and NSE.
Chapter 9 on writing Nmap scripts is very well written.
Cons:
Content duplication. Use of space could have been smarter.

Rating: 4.5 / 5
