Network Security Assessment (2nd Edition), O'reilly


Chris McNab

About Bob Ayers
Bob Ayers is currently the Director for Critical Infrastructure Defense with a major
IT company based in the United Kingdom. Previously, Bob worked for 29 years with
the U.S. Department of Defense (DoD). His principal IT security assignments were
with the Defense Intelligence Agency (DIA) where he served as the Chief of the DoD
Intelligence Information System (DoDIIS). During this assignment, Bob developed
and implemented new methodologies to ensure the security of over 40,000 computers
processing highly classified intelligence information. Bob also founded the DoD
computer emergency response capability, known as the Automated Systems Security
Incident Support Team (ASSIST). Noticed for his work in DoDIIS, the U.S. Assistant
Secretary of Defense (Command, Control, Communications, and Intelligence)
selected Bob to create and manage a 155-person, $100-million-per-year DoD-wide
program to improve all aspects of DoD IT security. Prior to leaving government
service, Bob was the director of the U.S. DoD Defensive Information Warfare program.

Preface
It is never impossible for a hacker to break into a computer system, only improbable.
Computer hackers routinely break into corporate, military, online banking, and
other networked environments. Even in 2007, as I am writing this second edition of
Network Security Assessment, I still perform incident response work in these sectors.
As systems generally become more secure, the methods used by these attackers are
becoming more advanced, involving intricate repositioning, social engineering, physical
compromise (stealing disks from servers or installing rogue wireless access
points), and use of specific zero-day exploits to attack peripheral software components
such as antivirus or backup solutions that are widely deployed internally
within corporate networks.
By the same token, you would expect professional security consultants to be testing
for these types of issues. In the vast majority of cases they are not. I know this
because at Matta we run a program called Sentinel, which involves testing security
assessment vendors for companies in the financial services sector. The Sentinel platform
contains a number of vulnerable systems, and vendors are scored based on the
vulnerabilities they identify and report.
Since 2004, Matta has processed nearly 30 global penetration testing vendors using
Sentinel. In a recent test involving 10 testing providers, we found the following:
• Two vendors failed to scan all 65536 TCP ports
• Five vendors failed to report the publicly accessible MySQL service root password of “password”
• Seven vendors failed to report the easily exploitable, high-risk SSL PCT overflow (MS04-011)
A number of vendors have tested the Sentinel platform on more than one occasion. It
is clear that there is a lack of adherence to a strict testing methodology, and test
results (in particular, the final report presented to the customer) vary wildly,
depending on the consultant involved.
So here I am, in 2007, updating this book with a clear vision: to document a clear
and concise Internet-based network security assessment methodology and approach.
After running the Sentinel program through a number of iterations, performing a
number of challenging penetration tests myself, and working to build a competent
team at Matta, I feel it is the right time to update this book.

Table of Contents
Foreword
Preface
1. Network Security Assessment
    The Business Benefits
    IP: The Foundation of the Internet
    Classifying Internet-Based Attackers
    Assessment Service Definitions
    Network Security Assessment Methodology
    The Cyclic Assessment Approach
2. Network Security Assessment Platform
    Virtualization Software
    Operating Systems
    Reconnaissance Tools
    Network Scanning Tools
    Exploitation Frameworks
    Web Application Testing Tools
3. Internet Host and Network Enumeration
    Querying Web and Newsgroup Search Engines
    Querying Domain WHOIS Registrars
    Querying IP WHOIS Registrars
    BGP Querying
    DNS Querying
    Web Server Crawling
    Automating Enumeration
    SMTP Probing
    Enumeration Technique Recap
    Enumeration Countermeasures
4. IP Network Scanning
    ICMP Probing
    TCP Port Scanning
    UDP Port Scanning
    IDS Evasion and Filter Circumvention
    Low-Level IP Assessment
    Network Scanning Recap
    Network Scanning Countermeasures
5. Assessing Remote Information Services
    Remote Information Services
    DNS
    Finger
    Auth
    NTP
    SNMP
    LDAP
    rwho
    RPC rusers
    Remote Information Services Countermeasures
6. Assessing Web Servers
    Web Servers
    Fingerprinting Accessible Web Servers
    Identifying and Assessing Reverse Proxy Mechanisms
    Enumerating Virtual Hosts and Web Sites
    Identifying Subsystems and Enabled Components
    Investigating Known Vulnerabilities
    Basic Web Server Crawling
    Web Servers Countermeasures
7. Assessing Web Applications
    Web Application Technologies Overview
    Web Application Profiling
    Web Application Attack Strategies
    Web Application Vulnerabilities
    Web Security Checklist
8. Assessing Remote Maintenance Services
    Remote Maintenance Services
    FTP
    SSH
    Telnet
    R-Services
    X Windows
    Citrix
    Microsoft Remote Desktop Protocol
    VNC
    Remote Maintenance Services Countermeasures
9. Assessing Database Services
    Microsoft SQL Server
    Oracle
    MySQL
    Database Services Countermeasures
10. Assessing Windows Networking Services
    Microsoft Windows Networking Services
    Microsoft RPC Services
    The NetBIOS Name Service
    The NetBIOS Datagram Service
    The NetBIOS Session Service
    The CIFS Service
    Unix Samba Vulnerabilities
    Windows Networking Services Countermeasures
11. Assessing Email Services
    Email Service Protocols
    SMTP
    POP-2 and POP-3
    IMAP
    Email Services Countermeasures
12. Assessing IP VPN Services
    IPsec VPNs
    Attacking IPsec VPNs
    Microsoft PPTP
    SSL VPNs
    VPN Services Countermeasures
13. Assessing Unix RPC Services
    Enumerating Unix RPC Services
    RPC Service Vulnerabilities
    Unix RPC Services Countermeasures
14. Application-Level Risks
    The Fundamental Hacking Concept
    Why Software Is Vulnerable
    Network Service Vulnerabilities and Attacks
    Classic Buffer-Overflow Vulnerabilities
    Heap Overflows
    Integer Overflows
    Format String Bugs
    Memory Manipulation Attacks Recap
    Mitigating Process Manipulation Risks
    Recommended Secure Development Reading
15. Running Nessus
    Nessus Architecture
    Deployment Options and Prerequisites
    Nessus Installation
    Configuring Nessus
    Running Nessus
    Nessus Reporting
    Running Nessus Recap
16. Exploitation Frameworks
    Metasploit Framework
    CORE IMPACT
    Immunity CANVAS
    Exploitation Frameworks Recap
A. TCP, UDP Ports, and ICMP Message Types
B. Sources of Vulnerability Information
C. Exploit Framework Modules
Index

Overview
This book tackles one single area of information security in detail: that of undertaking
IP-based network security assessment in a structured and logical way. The
methodology presented in this book describes how a determined attacker will scour
Internet-based networks in search of vulnerable components (from the network to
the application level) and how you can perform exercises to assess your networks
effectively. This book doesn’t contain any information that isn’t relevant to IP-based
security testing; topics that are out of scope include war dialing and 802.11 wireless assessment.
Assessment is the first step any organization should take to start managing information
risks correctly. My background is that of a teenage hacker turned professional
security analyst, with a 100 percent success rate over the last nine years in compromising
the networks of multinational corporations. I have a lot of fun working in the
security industry and feel that now is the time to start helping others by clearly
defining an effective best-practice network assessment methodology.
By assessing your networks in the same way that a determined attacker does, you can
take a more proactive approach to risk management. Throughout this book, there
are bulleted checklists of countermeasures to help you devise a clear technical
strategy and fortify your environments at the network and application levels.

Product details
File Size: 4,566 KB
Pages: 500
File Type: PDF
ISBN-10: 0-596-51030-6
ISBN-13: 978-0-596-51030-5
Copyright: 2008 Chris McNab