Network Security Assessment, 2nd Edition (2007)

Author: Chris McNab

Edition: 2

Publishing year: 2007

Language: English

ISBN: 9780596510305, 0596510306

Size: 6 MB (6338669 bytes)

Pages: 506

How secure is your network? The best way to find out is to attack it. Network Security Assessment provides you with the tricks and tools professional security consultants use to identify and assess risks in Internet-based networks: the same penetration testing model they use to secure government, military, and commercial networks. With this book, you can adopt, refine, and reuse this testing model to design and deploy networks that are hardened and resilient to attack. Network Security Assessment demonstrates how a determined attacker scours Internet-based networks in search of vulnerable components, from the network to the application level. This new edition is up to date on the latest hacking techniques, but rather than focus on individual issues, it looks at the bigger picture by grouping and analyzing threats at a high level. By grouping threats in this way, you learn to create defensive strategies against entire attack categories, providing protection now and into the future.

Table of contents:
Network Security Assessment, Second Edition……Page 1
Table of Contents……Page 6
Foreword……Page 12
About Bob Ayers……Page 14
Preface……Page 16
NSA IAM……Page 17
CESG CHECK……Page 18
PCI Data Security Standards……Page 19
Organization……Page 20
Audience……Page 22
Conventions Used in This Book……Page 23
Acknowledgments……Page 24
Guest Authors Featured in This Book……Page 25
The Business Benefits……Page 26
Classifying Internet-Based Attackers……Page 27
Assessment Service Definitions……Page 28
Network Security Assessment Methodology……Page 29
Bulk Network Scanning and Probing……Page 30
Investigation of Vulnerabilities……Page 31
Exploitation of Vulnerabilities……Page 32
The Cyclic Assessment Approach……Page 33
Virtualization Software……Page 35
Operating Systems……Page 36
Apple Mac OS X……Page 37
Nessus……Page 38
Exploitation Frameworks……Page 39
Commercial Exploitation Frameworks……Page 40
Commercial Web Application Scanning Tools……Page 41
Internet Host and Network Enumeration……Page 42
Effective search query strings……Page 43
Searching Newsgroups……Page 44
Querying Domain WHOIS Registrars……Page 45
Using the Unix whois utility……Page 46
Querying IP WHOIS Registrars……Page 48
IP WHOIS Querying Tools and Examples……Page 49
Querying WHOIS databases to enumerate objects for a given company……Page 50
Harvesting user details through WHOIS……Page 51
BGP Querying……Page 53
Forward DNS querying through nslookup……Page 55
Using dig to perform a DNS zone transfer using a specific name server……Page 57
PTR record enumeration through DNS zone transfer……Page 59
Forward DNS Grinding……Page 60
Reverse DNS Sweeping……Page 61
Automating Enumeration……Page 62
SMTP Probing……Page 63
Enumeration Technique Recap……Page 64
Enumeration Countermeasures……Page 65
ICMP Probing……Page 67
SING……Page 68
Nmap……Page 69
ICMPScan……Page 70
Identifying Subnet Network and Broadcast Addresses……Page 71
Gleaning Internal IP Addresses……Page 72
OS Fingerprinting Using ICMP……Page 73
Vanilla connect() scanning……Page 74
Half-open SYN flag scanning……Page 75
Inverse TCP flag scanning……Page 78
ACK flag probe scanning……Page 79
FTP bounce scanning……Page 81
IP ID header scanning……Page 83
UDP Port Scanning……Page 85
IDS Evasion and Filter Circumvention……Page 87
Fragtest……Page 88
Fragroute……Page 89
Emulating Multiple Attacking Hosts……Page 90
Source Routing……Page 91
Assessing source routing vulnerabilities……Page 93
Using Specific Source Ports to Bypass Filtering……Page 95
Analyzing Responses to TCP Probes……Page 96
Hping2……Page 97
Firewalk……Page 98
Passively Monitoring ICMP Responses……Page 99
IP Fingerprinting……Page 100
Network Scanning Recap……Page 101
Network Scanning Countermeasures……Page 102
Remote Information Services……Page 104
Retrieving DNS Service Version Information……Page 105
BIND Vulnerabilities……Page 106
Remote vulnerabilities in Microsoft DNS and WINS services……Page 107
DNS Zone Transfers……Page 108
Reverse DNS Querying……Page 109
Forward DNS Grinding……Page 110
Finger……Page 111
Finger Information Leaks……Page 112
Auth……Page 113
NTP Fingerprinting……Page 114
NTP Vulnerabilities……Page 115
ADMsnmp……Page 116
Default Community Strings……Page 117
Compromising Devices by Reading from SNMP……Page 118
SNMP Process Manipulation Vulnerabilities……Page 119
LDAP……Page 120
LDAP Brute Force……Page 121
LDAP Process Manipulation Vulnerabilities……Page 122
RPC rusers……Page 123
Remote Information Services Countermeasures……Page 124
Web Servers……Page 126
HTTP HEAD……Page 127
HTTP OPTIONS……Page 129
Querying the web server through an SSL tunnel……Page 131
Identifying and Assessing Reverse Proxy Mechanisms……Page 132
HTTP CONNECT……Page 134
HTTP POST……Page 135
HTTP GET……Page 136
Automated HTTP Proxy Testing……Page 137
Identifying Virtual Hosts……Page 138
Identifying Subsystems and Enabled Components……Page 139
HTTP 1.0 methods……Page 140
WebDAV……Page 141
PHP……Page 142
Basic authentication mechanisms……Page 143
Microsoft-Specific Subsystems……Page 144
IIS sample and administrative scripts……Page 145
Microsoft ASP and ASP.NET……Page 146
Microsoft ISAPI extensions……Page 147
Microsoft FrontPage……Page 150
Windows Media Services……Page 151
RPC over HTTP support……Page 152
Enhanced authentication mechanisms……Page 153
Apache Subsystems……Page 154
Automated Scanning for Interesting Components……Page 156
Generic Subsystem Vulnerabilities……Page 157
TRACE vulnerabilities……Page 158
PUT and DELETE vulnerabilities……Page 159
WebDAV vulnerabilities……Page 161
PHP subsystem vulnerabilities……Page 162
IIS 5.0 vulnerabilities……Page 163
IIS 6.0 vulnerabilities……Page 165
ASP and ASP.NET……Page 166
Microsoft proprietary WebDAV extensions……Page 167
Microsoft FrontPage……Page 168
Apache Web Server and Subsystem Vulnerabilities……Page 170
Apache HTTP Server……Page 171
Apache HTTP Server modules……Page 174
Apache Tomcat……Page 175
OpenSSL……Page 177
OpenSSL client master key overflow (CVE-2002-0656) exploits……Page 178
Basic Web Server Crawling……Page 180
Wikto……Page 181
Brute-Forcing HTTP Authentication……Page 182
Web Servers Countermeasures……Page 183
Web Application Technologies Overview……Page 185
Web Application Profiling……Page 186
Manual HTML sifting and analysis……Page 187
Automated HTML sifting and analysis……Page 189
Analysis of Server-Side File Extensions……Page 190
Session ID Fingerprinting……Page 192
JSESSIONID string fingerprinting……Page 193
Active Backend Database Technology Assessment……Page 194
Web Application Attack Strategies……Page 195
Server-Side Script Variables……Page 196
HTTP Request Headers……Page 197
XML Request Content……Page 198
WSDL enumeration……Page 199
Encoding and obfuscating attack code……Page 201
HTTP request smuggling……Page 203
Authentication Issues……Page 205
Session management weaknesses……Page 206
Command injection……Page 209
Compromising data using SELECT, INSERT, and UPDATE……Page 215
LDAP injection……Page 216
Command injection countermeasures……Page 217
Filesystem access……Page 218
Cross-site scripting……Page 219
Web Security Checklist……Page 221
Remote Maintenance Services……Page 223
FTP Banner Grabbing and Enumeration……Page 224
Analyzing FTP banners……Page 225
Assessing FTP Permissions……Page 226
FTP bounce port scanning……Page 229
FTP bounce exploit payload delivery……Page 230
PORT and PASV……Page 231
PASV abuse……Page 232
FTP Process Manipulation Attacks……Page 233
Solaris and BSD FTP glob() issues……Page 234
WU-FTPD vulnerabilities……Page 235
ProFTPD vulnerabilities……Page 236
SSH……Page 237
SSH Fingerprinting……Page 238
SSH Vulnerabilities……Page 239
Telnet……Page 240
TelnetFP……Page 241
Manual Telnet fingerprinting……Page 242
Telnet Brute-Force Password Grinding……Page 243
Telnet Vulnerabilities……Page 244
R-Services……Page 245
Unix ~/.rhosts and /etc/hosts.equiv files……Page 246
R-Services Brute-Force……Page 247
Known R-Services Vulnerabilities……Page 248
xhost……Page 249
Assessing X Servers……Page 250
Capture keystrokes from specific windows……Page 251
Send keystrokes to specific windows……Page 252
X Windows exploit scripts……Page 253
Using the Citrix ICA Client……Page 254
Accessing Nonpublic Published Applications……Page 255
Citrix Vulnerabilities……Page 256
Microsoft Remote Desktop Protocol……Page 257
RDP Brute-Force Password Grinding……Page 258
VNC……Page 259
VNC Brute-Force Password Grinding……Page 260
Remote Maintenance Services Countermeasures……Page 262
Microsoft SQL Server……Page 264
SQLPing……Page 265
MetaCoretex……Page 266
SQL Server Process Manipulation Vulnerabilities……Page 267
SQL resolution service overflow (CVE-2002-0649) demonstration……Page 268
Oracle……Page 269
Retrieving Oracle version and platform information……Page 270
Other TNS listener commands……Page 271
Executing an information leak attack……Page 272
TNS Listener Process Manipulation Vulnerabilities……Page 273
Oracle Brute-Force and Post-Authentication Issues……Page 274
Post-authentication Oracle database vulnerabilities and exploits……Page 275
Oracle XDB Services……Page 276
MySQL Brute Force……Page 277
MySQL exploit scripts……Page 278
Database Services Countermeasures……Page 280
SMB, CIFS, and NetBIOS……Page 281
Enumerating Accessible RPC Server Interfaces……Page 282
epdump……Page 283
rpctools (rpcdump and ifids)……Page 285
Identifying Vulnerable RPC Server Interfaces……Page 288
Microsoft RPC interface process manipulation bugs……Page 290
Gleaning User Details via SAMR and LSARPC Interfaces……Page 291
walksam……Page 292
Accessing RPC interfaces over SMB and named pipes using rpcclient……Page 293
Brute-Forcing Administrator Passwords……Page 295
Enumerating System Details Through WMI……Page 296
The NetBIOS Name Service……Page 298
Enumerating System Details……Page 299
The NetBIOS Datagram Service……Page 300
Enumerating System Details……Page 301
enum……Page 302
winfo……Page 303
GetAcct……Page 305
Authenticating with NetBIOS……Page 306
Accessing and Modifying Registry Keys……Page 307
Accessing the SAM Database……Page 309
User enumeration through smbdumpusers……Page 310
CIFS Brute Force……Page 311
Unix Samba Vulnerabilities……Page 312
Windows Networking Services Countermeasures……Page 313
SMTP……Page 315
SMTP Service Fingerprinting……Page 316
Enumerating Enabled SMTP Subsystems and Features……Page 317
SMTP Brute-Force Password Grinding……Page 318
SMTP Open Relay Testing……Page 319
Sendmail information leak exposures……Page 320
Automating Sendmail user enumeration……Page 322
Sendmail process manipulation vulnerabilities……Page 323
Microsoft Exchange Server exploit scripts……Page 324
SMTP Content Checking Circumvention……Page 325
POP-3 Brute-Force Password Grinding……Page 327
IMAP……Page 328
IMAP Process Manipulation Attacks……Page 329
Email Services Countermeasures……Page 330
IPsec VPNs……Page 332
ISAKMP and IKE……Page 333
Main mode……Page 334
Aggressive mode……Page 335
IPsec Service Endpoint Enumeration……Page 336
IPsec Service Endpoint Fingerprinting……Page 337
Supported Transform Enumeration……Page 340
Investigating Known Weaknesses……Page 341
Negotiation slots exhaustion attack……Page 342
Aggressive Mode IKE PSK User Enumeration……Page 343
Aggressive Mode IKE PSK Cracking……Page 344
Microsoft PPTP……Page 345
SSL VPNs……Page 346
Basic SSL Querying……Page 347
Enumerating Weak Cipher Support……Page 349
SSL VPN web interface issues……Page 353
VPN Services Countermeasures……Page 354
Enumerating Unix RPC Services……Page 355
Identifying RPC Services Without Portmapper Access……Page 356
RPC Service Vulnerabilities……Page 357
Listing and accessing exported directories through mountd and NFS……Page 359
Solaris rpc.sadmind (100232) Vulnerabilities……Page 360
CVE-2003-0722……Page 361
Multiple Vendor rpc.cmsd (100068) Vulnerabilities……Page 362
Multiple Vendor rpc.ttdbserverd (100083) Vulnerabilities……Page 363
Unix RPC Services Countermeasures……Page 364
The Fundamental Hacking Concept……Page 365
Why Software Is Vulnerable……Page 366
Runtime Memory Organization……Page 367
The data and BSS segments……Page 368
The heap……Page 369
Processor Registers and Memory……Page 370
Stack Overflows……Page 371
Stack smash (saved instruction pointer overwrite)……Page 372
Stack off-by-one (saved frame pointer overwrite)……Page 377
Analyzing the program crash……Page 378
Exploiting an off-by-one bug to modify the instruction pointer……Page 379
Heap Overflows……Page 381
Overflowing the Heap to Compromise Program Flow……Page 382
Heap off-by-one and off-by-five bugs……Page 387
Recommended further reading……Page 388
Heap Wrap-Around Attacks……Page 389
Negative-Size Bugs……Page 391
Reading Adjacent Items on the Stack……Page 392
Reading Data from Any Address on the Stack……Page 394
Overwriting Any Word in Memory……Page 396
Memory Manipulation Attacks Recap……Page 398
Mitigating Process Manipulation Risks……Page 399
Compiling Applications from Source……Page 400
Recommended Secure Development Reading……Page 401
Nessus Architecture……Page 402
Deployment Options and Prerequisites……Page 403
Windows and Mac OS X installation……Page 404
Unix-based installation……Page 405
Configuring Nessus……Page 408
Basic Nessus Configuration……Page 409
Safe checks……Page 410
Ping the remote host……Page 411
Silent dependencies……Page 412
Enable CGI scanning……Page 413
Running Nessus……Page 414
Nessus Reporting……Page 415
Running Nessus Recap……Page 417
Metasploit Framework……Page 418
Interface……Page 419
Payloads……Page 420
Using MSF……Page 421
CORE IMPACT……Page 425
Console……Page 426
Using IMPACT……Page 427
Information gathering……Page 429
Attack and penetration……Page 430
Repositioning……Page 432
Immunity CANVAS……Page 433
Console……Page 434
Add-on exploit packs for CANVAS……Page 435
Using CANVAS……Page 436
Exploitation Frameworks Recap……Page 439
TCP Ports……Page 440
ICMP Message Types……Page 443
Vulnerability Databases and Lists……Page 445
Security Events and Conferences……Page 446
MSF……Page 447
CORE IMPACT……Page 453
Immunity CANVAS……Page 459
GLEG VulnDisco……Page 464
Argeniss Ultimate 0day Exploits Pack……Page 468
Index……Page 478
