Table of Contents for Network Security Assessment, 2nd Edition, by Chris McNab
A Note Regarding Supplemental Files
Foreword
About Bob Ayers
Preface
Overview
Recognized Assessment Standards
NSA IAM
CESG CHECK
PCI Data Security Standards
Other Assessment Standards and Associations
Hacking Defined
Organization
Audience
Mirror Site for Tools Mentioned in This Book
Using Code Examples
Conventions Used in This Book
Comments and Questions
Acknowledgments
Guest Authors Featured in This Book
1. Network Security Assessment
The Business Benefits
IP: The Foundation of the Internet
Classifying Internet-Based Attackers
Assessment Service Definitions
Network Security Assessment Methodology
Internet Host and Network Enumeration
Bulk Network Scanning and Probing
Investigation of Vulnerabilities
Exploitation of Vulnerabilities
The Cyclic Assessment Approach
2. Network Security Assessment Platform
Virtualization Software
VMware
Microsoft Virtual PC
Parallels
Operating Systems
Microsoft Windows Platforms
Linux Platforms
Apple Mac OS X
Reconnaissance Tools
Network Scanning Tools
Nmap
Nessus
Commercial Network Scanning Tools
Exploitation Frameworks
Metasploit Framework
Commercial Exploitation Frameworks
Web Application Testing Tools
Commercial Web Application Scanning Tools
3. Internet Host and Network Enumeration
Querying Web and Newsgroup Search Engines
Google Search Functionality
Enumerating contact details with Google
Effective search query strings
Searching Newsgroups
Querying Netcraft
Querying Domain WHOIS Registrars
Using the Unix whois utility
Querying IP WHOIS Registrars
IP WHOIS Querying Tools and Examples
Querying WHOIS databases to enumerate objects for a given company
Using WHOIS web search engines
Harvesting user details through WHOIS
Enumerating WHOIS maintainer objects
BGP Querying
DNS Querying
Forward DNS Querying
Forward DNS querying through nslookup
DNS Zone Transfer Techniques
Checking for DNS zone transfer weaknesses using host
Using dig to perform a DNS zone transfer using a specific name server
Information retrieved through DNS zone transfer
PTR record enumeration through DNS zone transfer
Forward DNS Grinding
Reverse DNS Sweeping
Web Server Crawling
Automating Enumeration
SMTP Probing
Enumeration Technique Recap
Enumeration Countermeasures
4. IP Network Scanning
ICMP Probing
ICMP Probing Tools
SING
Nmap
ICMPScan
Identifying Subnet Network and Broadcast Addresses
Gleaning Internal IP Addresses
OS Fingerprinting Using ICMP
TCP Port Scanning
Standard Scanning Methods
Vanilla connect( ) scanning
Tools that perform connect( ) TCP scanning.
Half-open SYN flag scanning
Tools that perform half-open SYN scanning.
Stealth TCP Scanning Methods
Inverse TCP flag scanning
Tools that perform inverse TCP flag scanning.
ACK flag probe scanning
Analysis of the TTL field of received packets.
Analysis of the WINDOW field of received packets.
Tools that perform ACK flag probe scanning.
Third-Party and Spoofed TCP Scanning Methods
FTP bounce scanning
Tools that perform FTP bounce port scanning.
Proxy bounce scanning
Sniffer-based spoofed scanning
IP ID header scanning
UDP Port Scanning
Tools That Perform UDP Port Scanning
IDS Evasion and Filter Circumvention
Fragmenting Probe Packets
Fragtest
Fragroute
fragroute.conf.
Nmap
Emulating Multiple Attacking Hosts
Source Routing
Assessing source routing vulnerabilities
LSRScan.
LSRTunnel.
Using Specific Source Ports to Bypass Filtering
Low-Level IP Assessment
Analyzing Responses to TCP Probes
Hping2
Firewalk
Passively Monitoring ICMP Responses
IP Fingerprinting
TCP Sequence and IP ID Incrementation
Network Scanning Recap
Network Scanning Countermeasures
5. Assessing Remote Information Services
Remote Information Services
DNS
Retrieving DNS Service Version Information
BIND Vulnerabilities
BIND exploit scripts
Microsoft DNS Service Vulnerabilities
Remote vulnerabilities in Microsoft DNS and WINS services
DNS Zone Transfers
Reverse DNS Querying
Forward DNS Grinding
Finger
Finger Information Leaks
Finger Redirection
Finger Process Manipulation Vulnerabilities
Auth
Auth Process Manipulation Vulnerabilities
NTP
NTP Fingerprinting
Further NTP Querying
NTP Vulnerabilities
SNMP
ADMsnmp
snmpwalk
Default Community Strings
Compromising Devices by Reading from SNMP
Compromising Devices by Writing to SNMP
SNMP Process Manipulation Vulnerabilities
SNMP exploit scripts
LDAP
Anonymous LDAP Access
LDAP Brute Force
Active Directory Global Catalog
LDAP Process Manipulation Vulnerabilities
LDAP exploit scripts
rwho
RPC rusers
Remote Information Services Countermeasures
6. Assessing Web Servers
Web Servers
Fingerprinting Accessible Web Servers
Manual Web Server Fingerprinting
HTTP HEAD
HTTP OPTIONS
Common HTTP OPTIONS responses.
Querying the web server through an SSL tunnel
Automated Web Server Fingerprinting
httprint
Identifying and Assessing Reverse Proxy Mechanisms
HTTP CONNECT
HTTP POST
HTTP GET
Automated HTTP Proxy Testing
Enumerating Virtual Hosts and Web Sites
Identifying Virtual Hosts
Identifying Subsystems and Enabled Components
Generic Subsystems
HTTP 1.0 methods
HTTP 1.1 methods
WebDAV
PHP
Basic authentication mechanisms
Microsoft-Specific Subsystems
IIS sample and administrative scripts
Microsoft ASP and ASP.NET
Microsoft ISAPI extensions
Microsoft Exchange Server WebDAV extensions.
Microsoft FrontPage
Windows Media Services
Outlook Web Access
RPC over HTTP support
Enhanced authentication mechanisms
Apache Subsystems
Automated Scanning for Interesting Components
Investigating Known Vulnerabilities
Generic Subsystem Vulnerabilities
CONNECT vulnerabilities
TRACE vulnerabilities
PUT and DELETE vulnerabilities
WebDAV vulnerabilities
PHP subsystem vulnerabilities
Microsoft Web Server and Subsystem Vulnerabilities
IIS 5.0 vulnerabilities
IIS 5.0 local privilege escalation exploit (CVE-2002-0869)
IIS 6.0 vulnerabilities
ASP and ASP.NET
ISAPI extensions
Microsoft proprietary WebDAV extensions
Microsoft FrontPage
Outlook Web Access
Apache Web Server and Subsystem Vulnerabilities
Apache HTTP Server
Apache chunk-handling (CVE-2002-0392) BSD exploit.
Apache HTTP Server modules
Apache Tomcat
Tomcat JSP source code disclosure.
OpenSSL
OpenSSL client master key overflow (CVE-2002-0656) exploits
Basic Web Server Crawling
Wikto
Brute-Forcing HTTP Authentication
Web Servers Countermeasures
7. Assessing Web Applications
Web Application Technologies Overview
Web Application Profiling
HTML Source Review
Manual HTML sifting and analysis
Automated HTML sifting and analysis
Analysis of Server-Side File Extensions
Session ID Fingerprinting
JSESSIONID string fingerprinting
Apache Tomcat 4.x and later.
Apache Tomcat 3.x and earlier.
Caucho Resin 3.0.21 and later.
Caucho Resin 3.0.20 and earlier.
IBM WebSphere.
Sun Java System Application Server.
Active Backend Database Technology Assessment
Web Application Attack Strategies
Server-Side Script Variables
HTTP Request Headers
HTTP Cookie Fields
XML Request Content
WSDL enumeration
Attacking via XML
Filter Evasion Techniques
Encoding and obfuscating attack code
Hex encoding.
Double-hex encoding.
HTML UTF-8 and hex encoding.
HTTP request smuggling
Web Application Vulnerabilities
Authentication Issues
Default/guessable user accounts
HTTP form brute force
Session management weaknesses
Weak session ID generation.
Session fixation.
Insufficient timeout and expiration mechanisms.
Parameter Modification
Command injection
OS command injection.
Run arbitrary system commands.
Modify parameters passed to system commands.
Execute additional commands.
SQL injection.
Microsoft SQL injection testing methodology.
Microsoft stored procedures.
xp_cmdshell.
sp_makewebtask.
xp_regread.
Bypassing authentication mechanisms.
Compromising data using SELECT, INSERT, and UPDATE
SELECT.
INSERT and UPDATE.
Advanced SQL injection reading
LDAP injection
LDAP authentication bypass.
Reading LDAP data.
Command injection countermeasures
Filesystem access
Cross-site scripting
Web Security Checklist
8. Assessing Remote Maintenance Services
Remote Maintenance Services
FTP
FTP Banner Grabbing and Enumeration
Analyzing FTP banners
Assessing FTP Permissions
FTP Brute-Force Password Guessing
FTP Bounce Attacks
FTP bounce port scanning
FTP bounce exploit payload delivery
Circumventing Stateful Filters Using FTP
PORT and PASV
PASV abuse
FTP Process Manipulation Attacks
Solaris and BSD FTP glob( ) issues
Solaris glob( ) username grinding
Other Solaris glob( ) issues
BSD glob( ) vulnerabilities
WU-FTPD vulnerabilities
WU-FTPD exploit scripts
ProFTPD vulnerabilities
ProFTPD exploit scripts
Microsoft IIS FTP server
Known vulnerabilities in other popular third-party FTP services
SSH
SSH Fingerprinting
SSH protocol support
SSH Brute-Force Password Grinding
SSH Vulnerabilities
SSH exploit scripts
Telnet
Telnet Service Fingerprinting
TelnetFP
Manual Telnet fingerprinting
Telnet Brute-Force Password Grinding
Common device Telnet passwords
Dictionary files and word lists
Telnet Vulnerabilities
Telnet exploit scripts
R-Services
Directly Accessing R-Services
Unix ~/.rhosts and /etc/hosts.equiv files
R-Services Brute-Force
Spoofing RSH Connections
Known R-Services Vulnerabilities
R-Services exploit scripts
X Windows
X Windows Authentication
xhost
xauth
Assessing X Servers
List open windows
Take screenshots of specific open windows
Capture keystrokes from specific windows
Send keystrokes to specific windows
Known X Window System and Window Manager Vulnerabilities
X Windows exploit scripts
Citrix
Using the Citrix ICA Client
Accessing Nonpublic Published Applications
Citrix Vulnerabilities
Citrix exploit scripts
Microsoft Remote Desktop Protocol
RDP Brute-Force Password Grinding
RDP Vulnerabilities
VNC
VNC Brute-Force Password Grinding
VNC Vulnerabilities
VNC exploit scripts
Remote Maintenance Services Countermeasures
9. Assessing Database Services
Microsoft SQL Server
Interacting with Microsoft SQL Server
SQL Server Enumeration
SQLPing
MetaCoretex
SQL Server Brute Force
SQLAT
SQL Server Process Manipulation Vulnerabilities
SQL resolution service overflow (CVE-2002-0649) demonstration
Oracle
TNS Listener Enumeration and Information Leak Attacks
Pinging the TNS listener
Retrieving Oracle version and platform information
Other TNS listener commands
Retrieving the current status of the TNS listener
Executing an information leak attack
TNS Listener Process Manipulation Vulnerabilities
Oracle Brute-Force and Post-Authentication Issues
OAT
MetaCoretex
Post-authentication Oracle database vulnerabilities and exploits
Oracle XDB Services
MySQL
MySQL Enumeration
MySQL Brute Force
MySQL Process Manipulation Vulnerabilities
MySQL exploit scripts
Exploitation framework support for MySQL.
MySQL UDF library injection.
Database Services Countermeasures
10. Assessing Windows Networking Services
Microsoft Windows Networking Services
SMB, CIFS, and NetBIOS
Microsoft RPC Services
Enumerating Accessible RPC Server Interfaces
epdump
rpctools (rpcdump and ifids)
RpcScan
Identifying Vulnerable RPC Server Interfaces
Microsoft RPC interface process manipulation bugs
Gleaning User Details via SAMR and LSARPC Interfaces
walksam
Accessing RPC interfaces over SMB and named pipes using rpcclient
SMB null sessions and hardcoded named pipes
Brute-Forcing Administrator Passwords
Enumerating System Details Through WMI
Executing Arbitrary Commands
The NetBIOS Name Service
Enumerating System Details
Attacking the NetBIOS Name Service
The NetBIOS Datagram Service
The NetBIOS Session Service
Enumerating System Details
enum
winfo
GetAcct
Brute-Forcing User Passwords
Authenticating with NetBIOS
Executing Commands
Accessing and Modifying Registry Keys
Accessing the SAM Database
The CIFS Service
CIFS Enumeration
User enumeration through smbdumpusers
CIFS Brute Force
Unix Samba Vulnerabilities
Windows Networking Services Countermeasures
11. Assessing Email Services
Email Service Protocols
SMTP
SMTP Service Fingerprinting
Enumerating Enabled SMTP Subsystems and Features
SMTP Brute-Force Password Grinding
NTLM overflows through SMTP authentication
SMTP Open Relay Testing
Sendmail Assessment
Sendmail information leak exposures
EXPN.
VRFY.
RCPT TO:.
Automating Sendmail user enumeration
Sendmail process manipulation vulnerabilities
Sendmail exploit scripts
Microsoft SMTP Service Assessment
Microsoft Exchange Server exploit scripts
SMTP Content Checking Circumvention
POP-2 and POP-3
POP-3 Brute-Force Password Grinding
POP-3 Process Manipulation Attacks
Qualcomm QPOP process manipulation vulnerabilities
Microsoft Exchange POP-3 process manipulation vulnerabilities
IMAP
IMAP Brute Force
IMAP Process Manipulation Attacks
UW IMAP exploit scripts
Email Services Countermeasures
12. Assessing IP VPN Services
IPsec VPNs
ISAKMP and IKE
Main mode
Aggressive mode
Attacking IPsec VPNs
IPsec Service Endpoint Enumeration
IPsec Service Endpoint Fingerprinting
Supported Transform Enumeration
Investigating Known Weaknesses
Denial-of-Service Vulnerabilities
Malformed IKE packet DoS
Negotiation slots exhaustion attack
Aggressive Mode IKE PSK User Enumeration
Aggressive Mode IKE PSK Cracking
Microsoft PPTP
SSL VPNs
Basic SSL Querying
Enumerating Weak Cipher Support
Known SSL Vulnerabilities
SSL implementation exploits
SSL VPN web interface issues
VPN Services Countermeasures
13. Assessing Unix RPC Services
Enumerating Unix RPC Services
Identifying RPC Services Without Portmapper Access
Connecting to RPC Services Without Portmapper Access
RPC Service Vulnerabilities
Abusing NFS and rpc.mountd (100005)
CVE-2003-0252
CVE-1999-0832
CVE-1999-0002
Listing and accessing exported directories through mountd and NFS
Multiple Vendor rpc.statd (100024) Vulnerabilities
Solaris rpc.sadmind (100232) Vulnerabilities
CVE-1999-0977
CVE-2003-0722
Multiple Vendor rpc.cmsd (100068) Vulnerabilities
Multiple Vendor rpc.ttdbserverd (100083) Vulnerabilities
Unix RPC Services Countermeasures
14. Application-Level Risks
The Fundamental Hacking Concept
Why Software Is Vulnerable
Network Service Vulnerabilities and Attacks
Memory Manipulation Attacks
Runtime Memory Organization
The text segment
The data and BSS segments
The stack
The heap
Processor Registers and Memory
Classic Buffer-Overflow Vulnerabilities
Stack Overflows
Stack smash (saved instruction pointer overwrite)
Causing a program crash.
Compromising the logical program flow.
Analyzing the program crash.
Creating and injecting shellcode.
Stack off-by-one (saved frame pointer overwrite)
Analyzing the program crash
Exploiting an off-by-one bug to modify the instruction pointer
Exploiting an off-by-one bug to modify data in the parent function’s stack frame
Off-by-one effectiveness against different processor architectures
Heap Overflows
Overflowing the Heap to Compromise Program Flow
Other Heap Corruption Attacks
Heap off-by-one and off-by-five bugs
Double-free bugs
Recommended further reading
Integer Overflows
Heap Wrap-Around Attacks
Negative-Size Bugs
Format String Bugs
Reading Adjacent Items on the Stack
Reading Data from Any Address on the Stack
Overwriting Any Word in Memory
Recommended Format String Bug Reading
Memory Manipulation Attacks Recap
Mitigating Process Manipulation Risks
Nonexecutable Stack and Heap Implementation
Use of Canary Values in Memory
Running Unusual Server Architecture
Compiling Applications from Source
Active System Call Monitoring
Recommended Secure Development Reading
15. Running Nessus
Nessus Architecture
Deployment Options and Prerequisites
Nessus Installation
Server Installation
Windows and Mac OS X installation
Unix-based installation
Adding the first user
Registering Nessus and retrieving the latest plug-ins
Client Installation
NessusClient 3 and 1
NessusWX
Configuring Nessus
Basic Nessus Configuration
NessusClient 3 Scanning Options
Safe checks
Nessus TCP scanner
Ping the remote host
Number of hosts/checks in parallel
NessusClient 3 Plug-in Selection
Enable dependencies at runtime
Silent dependencies
NessusClient 3 Advanced Options
Enable CGI scanning
Thorough tests
Optimize test
Running Nessus
Nessus Reporting
Running Nessus Recap
16. Exploitation Frameworks
Metasploit Framework
MSF Architecture and Features
Interface
Modules
Payloads
Using MSF
Further Reading
CORE IMPACT
IMPACT Architecture & Features
Agents
Modules
Console
Using IMPACT
Information gathering
Attack and penetration
Repositioning
Immunity CANVAS
CANVAS Architecture & Features
Console
Modules
MOSDEF nodes
Add-on exploit packs for CANVAS
Using CANVAS
Repositioning
Further information
Exploitation Frameworks Recap
A. TCP, UDP Ports, and ICMP Message Types
TCP Ports
UDP Ports
ICMP Message Types
B. Sources of Vulnerability Information
Security Mailing Lists
Vulnerability Databases and Lists
Underground Web Sites
Security Events and Conferences
C. Exploit Framework Modules
MSF
CORE IMPACT
Immunity CANVAS
GLEG VulnDisco
Argeniss Ultimate 0day Exploits Pack
About the Author
Colophon
Copyright