By Chris McNab
A
A (Address) resource records, 30, 41
AAC (Advanced Access Control), 232
Abendschan, James W., 247
Access Control List (ACL), 71, 378
Account Information Security (AIS), xviii
ACK flag probe scanning, 49, 54-56
ACL (Access Control List), 71, 378
Active Directory (AD)
DNS services, 82
NetBIOS name service, 273
SMB null sessions, 270
(see also GC service)
Active Server Pages (see ASP)
AD (see Active Directory)
ADM
ADMrsh tool, 223
ADMsnmp tool, 91, 92
ADMspoof tool, 223
web site, 223
ADMIN$ share, 282, 284
Administrator account
common password combination, 281
countermeasures, 288, 289
Administrators group, 270, 284
ADMsnmp tool, 91
Adobe ColdFusion, 167, 168
Advanced Access Control (AAC), 232
AES algorithm, 315
AfriNIC (African Network Information Centre), 24
aggressive mode (IKE)
countermeasures, 329
overview, 308-310
PSK authentication, 318-320
AH (Authentication Header), 308, 329
AIS (Account Information Security), xviii
Aitel, Dave, 139
ajp_process_callback( ) function, 151
allocator algorithm, 344
Allow: field, 106
American Registry for Internet Numbers (ARIN), 24, 25-26
Andrews, Chip, 240
Anger sniffer, 321
Anley, Chris, 254
anonymous FTP, 237
ap_log_rerror( ) function, 146
Apache web servers
Apache HTTP Server, 146-150, 168
Apache Tomcat, 150-152, 168
FrontPage support, 125
HTTP POST method and, 111
modules supported, 129
WebDAV support, 116
apache-monster exploit, 147
apache-nosejob script, 147
APNIC (Asia Pacific Network Information Centre), 24, 28
Apple Mac OS X platform (see Mac OS X platform)
apt-get package management program, 12
aptitude package management program, 12
Argeniss ultimate 0day exploits pack
Apache modules, 150
ASP vulnerabilities, 141
exploit modules, 443-451
Immunity CANVAS support, 410
Microsoft Exchange issues, 300
Microsoft SQL Server, 243
MySQL, 254
SMTP vulnerabilities, 299
TNS listener service, 248
web site, 15
Arhont NTP fingerprinting tool, 89
ARIN (American Registry for Internet Numbers), 24, 25-26
Arkin, Ofir, 48
ARP redirect spoofing, 58
arpspoof tool, 12
AS (Autonomous System) numbers, 28, 29
ASCII-to-decimal table, 178
ASCII-to-hex table, 176, 178
Asia Pacific Network Information Centre (APNIC), 24, 28
ASMX extension, 167, 175
ASP (Active Server Pages)
file extension, 167
ISAPI extensions, 123
vulnerabilities, 141
web server support, 121, 122
ASP extension, 167
ASP.NET framework
file extensions, 167
ISAPI extensions, 123
session ID variable, 168
vulnerabilities, 141
web server support, 121, 122
ASP.NET_SessionId variable, 168
ASPSESSIONID variable, 168
ASPX extension, 167
auth service, 88
auth_ldap plug-in, 149
auth_ldap_log_reason( ) function, 149
AUTH_SYS mode (sadmind), 336
AUTHENTICATE command, 304
authentication
brute-forcing, 157
CIFS service, 282
cookie and, 173
countermeasures, 238
FrontPage vulnerabilities, 143
HTTP mechanisms, 118
IIS support, 128
IKE service, 307, 308, 318-320
IPsec support, 315
LDAP bypass, 191
listener enumeration and, 245
Nessus support, 377
NetBIOS session service, 281
Oracle issues, 249-251
OWA and, 127
PPTP support, 320
RSA signature, 314, 315
SMTP support, 293
SQL injection and, 189, 190
SSH and, 214
VNC and, 234
web application vulnerabilities, 180-184
X Windows, 224
Authentication Header (AH), 308, 329
AUTHINFO command, 299
Authorization: field, 172
Autonomous System (AS) numbers, 28, 29
B
backend databases
countermeasures, 197
technology assessments, 169
vulnerabilities, 188
backoff patterns, 312-315
Basic authentication, 118, 143
Bay Networks, 216, 219
BCOPY extension, 124
BDAT command, 299
BDELETE extension, 124
BEA WebLogic, 168
BeEF application, 196
Berkeley Internet Name Domain (BIND) service, 81-82
bf_ldap tool, 96
BGP querying
newsgroups, 19
open sources, 17
reconnaissance techniques, 28, 29, 40
BiDiBLAH tool, 13, 37, 378
big-endian byte ordering, 356, 375
BIND (Berkeley Internet Name Domain) service, 81-82
BlackWidow tool, 37
blindcrawl.pl tool, 86
Block Started by Symbol (BSS) segment, 343, 344, 345, 373
BMOVE extension, 124
BPROPFIND extension, 124
BPROPPATCH extension, 124
broadcast addresses, 46
brute-force grinding attacks
CIFS service, 286
countermeasures, 237, 289, 305
DNS zone transfers and, 35
forward DNS grinding and, 36, 85
FTP services, 204
HTTP authentication, 157
IMAP services, 304
LDAP service and, 96
Microsoft SQL Server and, 242
MySQL and, 252
NetBIOS session service, 281, 286
Oracle issues, 249-251
POP3 vulnerabilities, 302
PPTP vulnerabilities, 321
RDP and, 233
remote maintenance services and, 198
RPC services, 270
session ID, 184, 196
SMTP, 293, 294
SNMP service and, 91
SSH and, 214
SSL vulnerabilities, 328
Telnet and, 218-219
VNC and, 235, 236
web application vulnerabilities, 181
web servers and, 119
Brutus tool
BAD (Brutus Application Definition), 297
FTP attacks, 204
HTTP authentication and, 157
IMAP services, 304
OWA attacks, 127
POP3 and, 302
Sendmail attacks, 297
BSD platform
Apache chunk-handling exploit, 147
fingerd service, 87
FTP service banners, 201
FTP vulnerabilities, 209
memcpy( ) function, 366
SMB-AT support, 285
Telnet support, 216
BSS (Block Started by Symbol) segment, 343, 344, 345, 373
buffer overflow
Apache web server vulnerabilities, 150
auth service vulnerabilities, 89
BIND vulnerabilities, 81
cfingerd package vulnerabilities, 88
countermeasures, 158
defined, 342
FTP services and, 205
heap overflows, 356-363
integer overflows, 364-367
IPsec vulnerabilities, 316
NTP vulnerabilities, 90
remote maintenance services and, 198
stack overflows, 346-356
web server vulnerabilities, 102, 126
Burp suite, 16
C
cable-docsis community string, 93
cache corruption, 81, 275
CacheFlow appliances, 111
Cain & Abel tool, 275, 284, 320
Calendar Manager Service Daemon (CMSD), 337
call_trans2open( ) function, 288
canary values, 375
Canonical Name (CNAME) resource records, 30
Caucho Resin, 168, 169
ccTLD registrars, 20
CEH (Certified Ethical Hacker), xix
Cenzic Hailstorm, 16
CERT web site
FTP bounce scanning, 205
Microsoft Exchange issues, 303
vulnerability notes, 6, 110
Certified Ethical Hacker (CEH), xix
CESG (Communications and Electronics Security Group), xvii, 276
CESG Listed Adviser Scheme (CLAS), xvii
CFID variable, 168
cfingerd package, 88
CFM extension, 167
CFML extension, 167
CFTOKEN variable, 168
CGI scripts, 146, 167
chaining, 401
channel_lookup( ) function, 215
Check Point Firewall-1
circumventing filters, 70, 206, 207
countermeasures, 78
fastmode services and, 78
reverse DNS querying, 84
Check Point SSL VPN server, 322
Check Point SVN web services, 50
CHECK program (CESG), xvii
CHECKIN method, 117
CHECKOUT method, 117
cheops tool, 75
chunk_split( ) function, 137
cidentd package, 89
CIDR slash notation, 46
CIFS (Common Internet File System)
authentication, 282
countermeasures, 288, 289
defined, 256, 285
enumeration, 285
remote maintenance support, 199
SMB null sessions, 270
ciphers, enumerating, 324-327
cisco community string, 92
Cisco devices
bypassing filters, 70
community strings, 92
fingerd service, 86
FTP service vulnerabilities, 207
IPsec vulnerabilities, 316
NTP services, 89
SNMP vulnerabilities, 94
SSH banners, 213
Telnet support, 216, 217, 218, 219
XAUTH authentication, 308
Citrix service
accessing nonpublic applications, 230, 231
countermeasures, 238
ICA client, 229
overview, 229
vulnerabilities, 231, 232
citrix-pa-proxy script, 231
citrix-pa-scan utility, 230
Clarke, Justin, 143, 157
CLAS (CESG Listed Adviser Scheme), xvii
Clearswift MAILsweeper, 300-301, 306
CMSD (Calendar Manager Service Daemon), 337
cmsd exploit, 337, 338
CNAME (Canonical Name) resource records, 30
command injection
countermeasures, 192, 193
LDAP injection, 191-192
OS, 184-186, 192, 193
SQL injection, 186-191, 192, 250, 388
web application attack strategies, 175
Common Internet File System (see CIFS)
Communications and Electronics Security Group (CESG), xvii, 276
community strings, 92
Compaq Tru64 platform, 201
confirm_phpdoc_compiled( ) function, 137
CONNECT method (HTTP)
countermeasures, 159
description, 109, 116
reverse proxy mechanisms, 107, 109
vulnerabilities, 133
connect( ) scanning, 49-50
Connection: field, 172, 180
Conover, Matt, 140
Content-Encoding: field, 172
Content-Language: field, 172
Content-Length: field, 106, 149, 172
Content-MD5: field, 172
Content-Range: field, 172
Content-Type: field, 172, 179
Cookie: field, 173
cookies
expiration policy, 184, 196
web application attack strategies, 173
X Windows, 225
XSS attacks, 195
COPY method (HTTP), 117
CORE IMPACT framework
Apache vulnerabilities, 147, 150
architecture and features, 401-402
ASP vulnerabilities, 141
BIND exploit scripts, 82
documentation, 408
exploit modules, 428-434
FrontPage vulnerabilities, 144
FTP service vulnerabilities, 209, 211
functionality, 402-408
IIS vulnerabilities, 139
IMAP issues, 305
ISAPI vulnerabilities, 142
LDAP exploit scripts, 98
Microsoft exploit scripts, 83
Microsoft SQL Server and, 243
MySQL exploit scripts, 254
NTLM authentication, 294
OpenSSL vulnerabilities, 152
Oracle XDB services, 251
overview, 15, 400, 414
OWA vulnerabilities, 145
PHP vulnerabilities, 138
QPOP issues, 303
RPC vulnerabilities, 265-266, 332-334
r-services exploit scripts, 224
Samba vulnerabilities, 288
Sendmail exploit scripts, 298
SMTP exploit scripts, 299
SNMP exploit scripts, 95
SSH vulnerabilities, 215
SSL exploits, 328
Telnet vulnerabilities, 220
VNC exploit scripts, 237
WebDAV vulnerabilities, 142
X Windows exploit scripts, 228
CORE Security Technologies, 15
Council of Registered Ethical Security Testers (CREST), xix
Courier IMAP, 304, 305
CPU (Critical Patch Update), 251, 255
crackaddr( ) function, 298
CRAM-MD5 authentication mechanism, 293
createdomuser command (rpcclient), 268
CreateFile( ) function, 243
CREST (Council of Registered Ethical Security Testers), xix
Critical Patch Update (CPU), 251, 255
cross-site scripting (see XSS)
cross-site tracing (XST), 133
cryptographic hashing, 182
cryptography (see encryption)
Cryptologic, 1
CVE (see MITRE Corporation CVE)
CWD command, 210
Cyrus IMAP, 305
D
DarwinPorts, 13
data segment, 343, 344, 345, 373
Date: field, 106
Davis, Carlton R., 307
DB2 database services, 239
DCE locator service (see endpoint mappers)
DCOM, 270, 289
deallocator algorithm, 344
debug command, 246
decoy hosts, defining, 65
Default Password List (DPL), 249
defender's dilemma, 3
Defense Intelligence Agency (DIA), xiii
DELE command, 210, 303
DELETE method (HTTP)
countermeasures, 159
description, 116
vulnerabilities, 134, 136
deletedomuser command (rpcclient), 268
denial-of-service (see DoS)
DES algorithm
countermeasures, 329
FrontPage support, 144
session management and, 182
transform enumeration, 315
VNC support, 235
weak support, 324-327
Desktop Subprocess Control Daemon (DTSPCD), 228
DH (Diffie-Hellman) exchange, 309-310, 315
Dhanjani, Nitesh, 143, 157
dictionary files, 219
Diffie-Hellman (DH) exchange, 309-310, 315
dig utility
DNS querying, 30
DNS zone transfers, 32
platform support, 13
UDP port scanning, 60
Digest authentication, 118
DIGEST-MD5 authentication mechanism, 293
digital certificates, 329
D-Link, 92, 219
DNS querying
against internal IP addresses, 103
enumeration countermeasures, 41
forward, 30-31
forward DNS grinding, 35, 36, 85
reconnaissance techniques, 5, 13, 17, 40
reverse DNS sweeping, 36, 37, 84
(see also DNS zone transfers)
DNS service
BIND vulnerabilities, 81-82
countermeasures, 99
DNS zone transfers and, 83
forward DNS grinding, 85
retrieving version information, 80
reverse DNS querying, 84
Windows vulnerabilities, 82-83
DNS zone transfers
enumeration countermeasures, 41
remote information services and, 83
techniques, 32-35
DO extension, 167
DoS (denial-of-service)
BIND vulnerabilities, 81
IIS vulnerabilities, 140
Immunity CANVAS and, 410
IPsec vulnerabilities, 317-318
Microsoft Exchange issues, 300
Microsoft SQL Server and, 243
Nessus and, 385, 392
NetBIOS name service and, 275
network scanning countermeasures, 78
Nmap and, 52
opportunistic hacking, 3
SMTP vulnerabilities, 299
TNS service, 249
VPN services, 307
double-free attacks, 363
double-hex encoding, 176, 178
Dowd, Mark, 376
DPL (Default Password List), 249
Dsniff sniffer, 321
dtors section (programs), 372
DTSPCD (Desktop Subprocess Control Daemon), 228
dumb scanning, 49, 58-60, 76
E
ebp (stack frame pointer)
runtime memory organization, 344-345
stack overflows, 347, 350, 351, 354
EC-Council, xix
eEye Digital Security, 376
eEye Preview, 6
eEye Retina, 14
effectiveness of security management, xiii
EHLO command, 292, 293, 299
eip (instruction pointer)
runtime memory organization, 344-345
stack overflows, 347, 350-351, 354, 373
ELF (Executable File Format), 362
email
common ports, 290
countermeasures, 305
filtering, 35
IMAP services, 303-305
POP2/POP3 services, 302-303
SMTP services, 290-302
enable community string, 92
Encapsulating Security Payload (ESP), 308, 329
encoding filter evasion techniques, 176-180
encryption
countermeasures, 329
Nessus support, 377
PPTP and, 320
s_client program, 322
SAM database passwords, 284
session management and, 182
endpoint mappers
countermeasures, 288
defined, 257
epdump support, 258-259
RpcScan support, 263
rpctools support, 260-262
entity database, 401
enum tool, 277-278
enum_csc_policy( ) function, 288
enumdomgroups command (rpcclient), 268
enumdomusers command (rpcclient), 268, 269
epdump utility, 258-259
escape characters, 185, 186, 191
ESMTP (Extended SMTP), 292, 293
ESP (Encapsulating Security Payload), 308, 329
esp (stack pointer), 344-345, 350, 351
Ethereal sniffer, 48, 74
exec service (Unix), 220
Executable File Format (ELF), 362
exhaustion attack, negotiation slots, 317
exim package, 305
exit( ) function, 355, 362
EXITFUNC variable, 399
expect script, 214
Expect: field, 172
exploit scripts
Argeniss support, 443-451
BIND, 82
Citrix, 232
CORE IMPACT, 428-434
GLEG VulnDisco, 439-443
IMAP services, 305
Immunity CANVAS, 434-439
LDAP, 98
Microsoft DNS, 83
Microsoft WINS, 83
MSF, 422-428
MySQL, 253
PHP, 118
RPC services, 334, 337-338
r-services, 224
Sendmail, 298
SMTP, 299
SNMP, 95
SSH, 215
SSL, 328
Telnet, 220
TNS service, 248
VNC, 237
X Windows, 228
exploitation frameworks
commercial, 15
purpose, 10, 14
(see also CORE IMPACT; Immunity CANVAS; MSF)
EXPN command (Sendmail), 295, 297
EXP-RC4-MD5 cipher, 325, 327
Extended SMTP (ESMTP), 292, 293
F
F5 Networks, 94, 328
Fedora Core distribution, 12
Fiddler tool, 181
file extensions, server-side, 165
filesystem access, 193-194
filters
circumventing, 62-70, 77
circumventing stateful, 70, 206, 207
circumventing using FTP, 206-208
command injection countermeasures, 192
email, 35
evasion techniques, 176-180
RPC services countermeasures, 339
web server countermeasures, 158
FIN probes, 53, 54
FIN TCP flag, 53
Finger service, 86-88, 222
finger_mysql utility, 252
fingerprinting
accessible web servers, 102-107
IP, 75
IPsec service endpoints, 312-315
NTP, 89
OS, 48, 75
session ID, 167-169
SMTP services, 291, 292
SSH services, 213
Telnet services, 216-218
Firewalk utility, 71, 73-74
firewalls
circumventing filters using FTP, 206
countermeasures, 237, 329
email services countermeasures, 305
filter evasion techniques, 176
FTP service vulnerabilities, 199
ICMP messages and, 43
IP ID header scanning and, 59
NAT support, 47, 73
network scanning countermeasures, 78
search engine attacks, 340
source ports to bypass filtering, 70
source routing and, 67
vulnerabilities and, 340
Flake, Halvar, 356
focused attacks, 2, 3
ForceSQL utility, 242
format string bugs
BIND vulnerabilities, 81
memory manipulation and, 342, 374
overview, 367-373
forward DNS grinding, 35, 36, 85
forward DNS querying, 30-31
Foundry, 92
Foundstone SuperScan, 52
fragmented packets (see packet fragmentation)
fragroute package, 63
fragroute utility, 64-65
fragtest utility, 63
frame pointer overwrite, 342, 347, 352-356
free( ) function, 344, 358-362
FreeBSD platform
FTP service banners, 200
httprint tool, 107
MySQL support, 252
Nessus support, 378
ProFTPD support, 211
Telnet support, 217
FreeSSHd, 215
FrontPage (Microsoft), 125-126, 143-144
FrSIRT web site, 6
Fryxar, 62
F-Secure, 212, 213
FTP bounce scanning
FTP service vulnerabilities, 199
overview, 56-57, 204-205
TCP port scanning and, 49
FTP services
assessing permissions, 201-203
banner grabbing/enumeration, 199-201
bounce attacks, 204-205
circumventing stateful filters, 206-208
classes of attack, 199
countermeasures, 237
FTP service vulnerabilities, 56-57
Mac OS X support, 12
overview, 199
process manipulation attacks, 208-212
G
GC (Global Catalog) service
countermeasures, 100
DNS vulnerabilities, 82
LDAP support, 97
SSL support, 79
gcc compiler, 355
GCHQ (Government Communications Headquarters), xvii
gdb tool, 350, 351, 372
Gentoo distribution, 12
GET method (HTTP)
description, 111, 115
HTTP request smuggling, 179
ISAPI extensions, 123
reverse proxy mechanisms, 107, 109
GetAcct tool, 277, 280
GFI MailSecurity for Exchange, 302
GHBA tool, 36, 37, 85
ghostview application, 224
GLEG VulnDisco
Argeniss 0day packs, 15, 410
exploit modules, 439-443
Microsoft SQL Server issues, 243
MySQL exploit scripts, 254
NTP vulnerabilities, 90
SMTP exploit scripts, 300
glob( ) function, 209-210
Global Catalog service (see GC service)
Global Offset Table (GOT), 362
global variables, 343, 345, 373
GNU General Public License (GPL), 377
GNU Wget retriever, 162
GNU Wget tool, 37
GNUCITIZEN page, 196
Goldsmith, Dave, 73
Google search engine
BiDiBLAH tool support, 38
search functionality, 18
SpiderFoot tool support, 38
web server crawling, 37
GOT (Global Offset Table), 362
Government Communications Headquarters (GCHQ), xvii
GPL (GNU General Public License), 377
Graff, Mark, 376
grep tool, 164
grinding attacks (see brute-force grinding attacks)
Grossman, Jeremiah, 133
GSSAPI authentication mechanism, 293
gTLD registrars, 20
guess-who tool, 214
H
H4G1S and the Yorkshire Posse, 330
hacking, xix, 340
half-open SYN flag scanning, 49, 50-53, 70
HEAD method (HTTP)
Apache subsystems and, 129
description, 102-103, 115
PHP support, 118
heap
defined, 344, 345
nonexecutable implementation, 375
heap overflows
FTP vulnerabilities, 209
integer overflows and, 364
overview, 356-363, 374
heap segment, 345, 373
HELO command, 296, 299
HELP command, 295, 297
hex encoding, 176, 178
Hex Workshop, 206
Hills, Roy, 311, 314
Host Information (HINFO) resource record, 30, 41
host utility
DNS zone transfers, 32
DNS querying, 30
platforms supported, 12
Host: field
description, 172
HTTP proxy testing, 113-114
reverse proxy mechanisms, 107-108
hosts.equiv file, 222
Howard, Michael, 376
Hping2 tool
ACK flag probe scanning, 56
IP ID header scanning, 59
low-level IP assessment, 71, 72
HP-UX platform
fingerd service, 86
FTP service banners, 201
r-services support, 220
HTML encoding, 178
HTML source review, 162-164
HTML tags, 195
HTR extension, 123, 142
HTTP authentication, 157
HTTP over SSL, 321
HTTP request smuggling
Apache server vulnerabilities, 146
IIS vulnerabilities, 139, 140
overview, 178
HTTP requests
identifying subsystems, 114-119
OWA support, 127
reverse proxy mechanisms, 107-113
THC Hydra support, 204
vulnerabilities, 132-136
web application attack strategies, 172-173
WebDAV methods, 116
httprint tool, 107
HTTPS web service, 127
HTTrack tool, 37
HTW extension, 123
HTX extension, 123
hybrid mode (IKE), 308, 315
I
IAM (INFOSEC Assessment Methodology), xvi, xvii
IANA, 20, 28
IBM AIX platform
FTP service banners, 201
r-services support, 220
Telnet support, 217
IBM Lotus Domino
IMAP services, 305
LDAP service, 95
server-side file extension, 167
SMTP support, 291
IBM WebSphere, 167, 168, 169
ICA (Independent Computing Architecture), 229
ICANN, 20
ICMP messages
address mask request, 43, 44
echo request, 42, 43, 63
information request, 43
redirect, 44
response, 74
timestamp request, 43, 44
types listed, 418-419
ICMP ping sweeps
fragtest utility and, 63
gleaning internal IP addresses, 47
Nmap tool support, 42, 44, 46
ICMP probing
countermeasures, 78
gleaning internal IP addresses, 47, 48
ICMPScan utility, 45
identifying network addresses, 46
Nmap utility, 44
OS fingerprinting, 48
overview, 77
purpose, 42
SING utility, 43, 44
ICMPScan utility, 45, 48
IDA extension, 123, 142
IDC (Internet Database Connector), 123
IDC extension, 123
identd service, 88
idle scanning, 49, 58-60, 76
IDQ extension, 123
IDS evasion, 62-70, 77
IDSs (Intrusion Detection Systems), 51, 376
IFID values (RPC), 263-265, 267
ifids utility, 127, 260-262
IIS (Internet Information Server)
authentication support, 128
CESG CHECK assault course, xviii
countermeasures, 158, 289
FrontPage server extensions, 125
ISAPI extensions, 122, 123, 124
session ID variable, 168
SQL injection, 186
SSL exploits, 328
vulnerabilities, 138-140, 179
web application attack strategies, 175
web servers and, 120, 121
WebDAV support, 116
IKE (Internet Key Exchange), 307, 308-310
ike-scan tool
endpoint fingerprinting, 312
negotiation slot resource exhaustion, 317
PSK cracking, 319, 320
testing IPsec servers, 311
transform enumeration, 315
ILMI community string, 93
IMAP services
common email port, 290
countermeasures, 306
THC Hydra tool, 204
vulnerabilities, 304-305
imap_mail_compose( ) function, 137
Immunity CANVAS framework
Apache vulnerabilities, 147, 150
architecture and features, 409-410
ASP vulnerabilities, 141
BIND exploit scripts, 82
Citrix exploit scripts, 232
documentation, 414
exploit modules, 434-439
FrontPage vulnerabilities, 144
FTP service vulnerabilities, 209, 211
functionality, 411-414
IIS vulnerabilities, 139
IMAP issues, 305
ISAPI vulnerabilities, 142
LDAP exploit scripts, 98
Microsoft exploit scripts, 83
Microsoft SQL Server and, 243
MySQL exploit scripts, 254
NTLM authentication, 294
OpenSSL vulnerabilities, 152
overview, 15, 408-409, 414
OWA vulnerabilities, 145
QPOP issues, 303
RPC vulnerabilities, 265-266, 332-334
r-services exploit scripts, 224
Samba vulnerabilities, 288
Sendmail exploit scripts, 298
SMTP vulnerabilities, 299
SNMP exploit scripts, 95
SSH vulnerabilities, 215
SSL exploits, 328
Telnet vulnerabilities, 220
TNS service, 248
VNC exploit scripts, 237
WebDAV vulnerabilities, 142
X Windows exploit scripts, 228
Immunity Inc., 15
impersonation attacks, 176
Independent Computing Architecture (ICA), 229
Index Server (IIS), 123
inetd tool, 332
info command, 397
information leaks
Apache HTTP Server and, 146
ASP vulnerabilities, 141
fingerd service and, 87
FrontPage vulnerabilities, 143
IIS vulnerabilities, 139, 140
ISAPI extensions and, 142
OWA vulnerabilities, 9, 145
PHP vulnerabilities, 137
remote maintenance services and, 198
Sendmail vulnerabilities, 295-297
SSL vulnerabilities, 328
TNS vulnerabilities, 245-247
Informix database services, 239
INFOSEC Assessment Methodology (IAM), xvi, xvii
init_syms( ) function, 253
input validation, 341
INSERT command (SQL), 190
instruction pointer (see eip)
instruction pointer overwrite, 342, 347, 347-352
integer overflows
memory manipulation attacks and, 342
overview, 364-367, 374
Internet Database Connector (IDC), 123
Internet host and network enumeration
automating, 37
BGP querying, 17, 19, 28, 29, 40
countermeasures, 40, 41
DNS querying, 5, 13, 17, 30-37, 40
querying search engines, 5, 18-20
querying WHOIS databases, 5, 13, 17, 20-28, 40
reconnaissance process, 17
SMTP probing, 17, 38, 39, 40
web server crawling, 17, 37, 40
Internet Information Server (see IIS)
Internet Key Exchange (IKE), 307, 308-310
Internet Message Access Protocol (see IMAP services)
Internet Printing Protocol (IPP), 123
Internet Protocol version 4 (IPv4), 2
Internet Protocol version 6 (IPv6), 2
Internet Security Association and Key Management Protocol (ISAKMP), 308-310
Internet Security Systems, 376
Internet Server Application Programming Interface (ISAPI)
vulnerabilities, 142
web server support, 122-123
InterScan VirusWall, 302, 306
Intrusion Detection Systems (IDSs), 51, 376
Intrusion Prevention Systems (IPSs), 376
inverse TCP flag scanning, 49, 53-54, 70
inverted technique, 53
IP addresses
internal, 47, 48, 103
NetBIOS datagram service and, 275
r-services support, 222
IP fingerprinting, 75
IP ID header scanning, 49, 58-60, 76
IP masquerading, 47
IPP (Internet Printing Protocol), 123
IPsec
attacking VPNs, 311-320
bypassing filtering, 70
countermeasures, 329
endpoint enumeration, 311, 312
endpoint fingerprinting, 312-315
PPTP and, 321
SA support, 308
transform enumeration, 315, 316
VPN services, 307-310
vulnerabilities, 316-318
IPSs (Intrusion Prevention Systems), 376
Ipswitch IMAIL IMAP, 305
IPv4 (Internet Protocol version 4), 2
IPv6 (Internet Protocol version 6), 2
IRC service, 88
IRIX services, 332, 334
ISAKMP (Internet Security Association and Key Management Protocol), 308-310
ISAPI (Internet Server Application Programming Interface)
countermeasures, 158
vulnerabilities, 142
web server support, 122-123
ISECOM, xix
ispc.exe tool, 140
ISS BlackICE personal firewall, 47
ISS Internet Scanner, 14
ISS X-Force
investigating vulnerabilities, 6
Microsoft Exchange issues, 303
Oracle exploit scripts, 250
SSH vulnerabilities, 214
TNS listener service, 247
J
J2EE, 181
Java Servlet Pages (see JSP)
JavaScript, 194-196
jidentd package, 89
John the Ripper tool, 126, 144, 284
JROUTE variable, 168
JSESSIONID variable, 168-169
JSP (Java Servlet Pages)
Apache Tomcat support, 146, 150, 152
file extension, 167
session ID variable, 168
JSP extension, 167
K
Kamp, Poul-Henning, 345
Karlsson, Patrik, 242
Kerberos services
GSSAPI authentication mechanism, 293
IPsec filter and, 70
Microsoft DNS service, 82
web servers and, 128
key exchange, 307
keystrokes, capturing, 226, 227
Kingsley, Chris, 345
Klein, Amit, 172, 178, 180
Krahmer, Sebastian, 214
L
LACNIC (Latin American and Caribbean Network Information Centre), 24
Last Stage of Delirium (LSD), 332-334
last-in, first-out (LIFO) order, 350
Latin American and Caribbean Network Information Centre (LACNIC), 24
LDAP injection, 191-193
LDAP service
anonymous access, 96
brute-force attacks, 96
countermeasures, 100
Global Catalog service, 97
Microsoft vulnerabilities, 82
overview, 79, 95-98
process vulnerabilities, 97-98
THC Hydra support, 204
web application attack strategies, 175
ldapsearch utility, 96, 97
ldp.exe utility, 96, 97
Lea, Doug, 357
LeBlanc, David, 376
LHOST variable, 399
libbind overflow, 81
libdnet library, 68
libpcap library, 12, 68
libresolv overflow, 81
libxmlrpc library, 137
License and Logging Service (LLSRV), 264
License and Logging Service (LLSSRV), 266
LIFO (last-in, first-out) order, 350
Lightweight Directory Access Protocol service (see LDAP service)
Linux platform
assessment tools, 12
auth service vulnerabilities, 89
ELF support, 362
fingerd service, 87, 88
FTP bounce scanning, 56
FTP service banners, 201
httprint tool, 107
MySQL support, 252
Nessus support, 378
off-by-one attacks, 356
OpenSSH support, 213
OpenSSL vulnerabilities, 153
reconnaissance tools, 13
RPC vulnerabilities, 334-335
Samba suite, 287
Sendmail support, 295
SMB-AT support, 285
Telnet support, 216, 217
LIST command, 57, 303, 304
listener enumeration attacks, 245-247
Litchfield, David, 139, 251
little-endian byte ordering, 356, 362
LLSRV (License and Logging Service), 264
LLSSRV (License and Logging Service), 266
Local Administrator rights (Windows), 378
Local Procedure Calls (LPCs), 243
Local Security Authority (LSA), 270, 277
Local Security Authority Subsystem Service (LSASS), 266, 294
local variables, 344, 345
LOCK method (HTTP), 117
lockdown tool, 138, 158
logical program flow
buffer overflow, 346
heap overflows, 357, 357-362
memory manipulation attacks, 342
runtime memory organization, 342, 344
stack overflows, 347, 349
LOGIN authentication mechanism, 293
login service (Unix), 220
long UTF-8 decimal encoding, 178
lookupnames command (rpcclient), 268
lookupsids command (rpcclient), 269
Loose Source and Route Record (LSRR), 67
Lopatic, Thomas, 70, 206, 207
Lotus Domino (see IBM Lotus Domino)
LPCs (Local Procedure Calls), 243
LPORT variable, 399
LSA (Local Security Authority), 270, 277
lsaaddacctrights command (rpcclient), 269
lsaremoveacctrights command (rpcclient), 269
LSARPC interface, 266-270
LSASS (Local Security Authority Subsystem Service), 266, 294
LSD (Last Stage of Delirium), 332-334
LSRR (Loose Source and Route Record), 67
LSRScan tool, 68
LSRTunnel tool, 68, 69
M
Mac OS X platform
assessment tools, 12
FTP service banners, 201
httprint tool, 107
Nessus support, 378, 379, 380
reconnaissance tools, 13
MacDermid, Todd, 68
Mail Exchanger (MX) resource records, 30, 31
MAIL FROM: command, 296
mailbrute utility, 298
Maimon, Uriel, 54
main mode (IKE), 308, 309
maintainer objects, 28
malloc( ) function, 344, 357
Management Information Base (MIB), 91
man-in-the-middle attacks (see MITM attacks)
map_uri_to_worker( ) function, 149, 151
Marchand, Jean-Baptiste, 265, 270
MasterCard SDP program, xviii
Matta Colossus, 14
Maximum Transmission Unit (MTU), 207, 208
McDonald, John, 207
McGraw, Gary, 376
MD5 algorithm, 118, 182, 293, 315
MDAC (Microsoft Data Access Components), 243
MDaemon IMAP, 305
memcpy( ) function, 366
memory manipulation attacks
categories of, 342
overview, 373, 374
overwriting any word in memory, 371-372
processor registers and memory, 345
runtime memory organization, 342-345
memory_limit( ) function, 138
Message Queuing (MQ), 264
Message Queuing (MSMQ), 266
MessageLabs email filtering, 35
MetaCoretex vulnerability scanner, 241, 250, 252
Metasploit Framework (see MSF)
Meterpreter payload (MSF), 394, 396
MIB (Management Information Base), 91
Microsoft .NET Framework, 181
Microsoft Data Access Components (MDAC), 243
Microsoft Exchange
countermeasures, 305
OWA and, 127, 145
POP3 support, 302, 303
RPC over HTTP support, 127
RPC services and, 257, 259
SMTP services and, 291-295, 299-300
WebDAV extensions, 124
Microsoft Messenger Service, 257, 259, 289
Microsoft Outlook, 257, 300, 301
Microsoft PPTP, 320, 321
Microsoft RPC service (see RPC services)
Microsoft SQL Server
brute-force utilities, 242
countermeasures, 255
enumeration, 240-242
interacting with, 240
network ports, 239
overview, 239
SQL injections and, 186-190
technology assessment, 170
versions listed, 241
vulnerabilities, 242-244
Microsoft Task Scheduler
countermeasures, 289
executing commands, 282
RPC support, 257, 262
Microsoft Terminal Services (see RDP)
Microsoft Virtual PC, 11
Microsoft Windows platforms
account/password combinations, 281
assessing FTP permissions, 202
assessment tools, 12
CIFS service, 285
countermeasures, 158
DNS service vulnerabilities, 82-83
filter circumvention, 68
FTP service banners, 201
httprint tool, 107
Nessus support, 378, 379, 380
reconnaissance tools, 13
security flaws, 340
SNMP vulnerabilities, 94
stack overflows, 346
Telnet support, 216
web server support, 120-129
(see also Windows networking services)
Miller, Matt, 393
milw0rm exploit
Apache modules, 147, 150
investigating vulnerabilities, 6
Oracle vulnerabilities, 250, 251
Samba vulnerabilities, 288
MIME headers, 300, 301
MIMEDefang product, 302
mitigation strategies, 374-376
MITM (man-in-the-middle) attacks
attacking IPsec VPNs, 311
Basic authentication and, 118
Microsoft SQL Server and, 243
RDP vulnerabilities, 234
VNC vulnerabilities, 237
MITRE Corporation CVE
Apache vulnerabilities, 146-147, 151-152
ASP.NET vulnerabilities, 141
auth service vulnerabilities, 89
BIND vulnerabilities, 81
Citrix vulnerabilities, 232
CORE IMPACT exploit modules, 428-434
fingerd service vulnerabilities, 88
FrontPage vulnerabilities, 144
FTP service vulnerabilities, 209-212
IIS vulnerabilities, 139-140, 179
IMAP services, 304, 305
Immunity CANVAS modules, 434-439
IPsec vulnerabilities, 317
IPsec weaknesses, 316-318
ISAPI vulnerabilities, 142
LDAP vulnerabilities, 97
MAILsweeper issues, 300, 302
Microsoft DNS service vulnerabilities, 82
Microsoft SQL Server issues, 242-244
Microsoft WINS service vulnerabilities, 83
MSF exploit modules, 422-428
MySQL vulnerabilities, 253-254
NetBIOS name service, 275
NTLM authentication, 294
NTP vulnerabilities, 90
OpenSSL vulnerabilities, 152-155
Oracle vulnerabilities, 250-251
Oracle XDB services, 251
OWA vulnerabilities, 145
PHP vulnerabilities, 137
POP3 vulnerabilities, 303
PROPFIND vulnerabilities, 136
RDP vulnerabilities, 234
RPC vulnerabilities, 263-266, 332-338
r-services vulnerabilities, 223
Samba vulnerabilities, 287, 288
Sendmail vulnerabilities, 298
SMTP vulnerabilities, 299-300
SNMP vulnerabilities, 95
source routing vulnerability, 68
SSH vulnerabilities, 214-215
SSL vulnerabilities, 328, 329
Telnet vulnerabilities, 219, 220
VNC vulnerabilities, 237
web site, 6, 14
WebDAV vulnerabilities, 142
X Window vulnerabilities, 228
MKCOL method (HTTP), 117, 142
mod_access plug-in, 150
mod_alias plug-in, 150
mod_digest plug-in, 150
mod_digest_apple plug-in, 149
mod_frontpage plug-in, 150
mod_gzip plug-in, 150
mod_imap plug-in, 149
mod_jk plug-in
Apache vulnerabilities, 149, 151
countermeasures, 196
JSESSIONID fingerprinting, 168
milw0rm exploit, 150
mod_perl plug-in, 158
mod_proxy plug-in, 149, 151
mod_rewrite plug-in
Apache vulnerabilities, 149, 150, 151
milw0rm exploits, 150
mod_security plug-in
Apache vulnerabilities, 149, 150
countermeasures, 196
httprint tool and, 107
milw0rm exploits, 150
mod_ssl plug-in, 149, 150
mod_tcl plug-in, 149
mod_usertrack plug-in, 150
mode config (IKE), 308
Moore, H D, 135, 141, 336, 393
MOSDEF nodes, 409, 410
mount client software, 331
mount command, 334
mountd service, 334
MOVE method (HTTP), 117
MQ (Message Queuing), 264
MSF (Metasploit Framework)
Apache vulnerabilities, 147, 150
architecture and features, 394-396
ASP vulnerabilities, 141
BIND exploit scripts, 82
cost of, 15
documentation, 400
exploit modules, 422-428
FrontPage vulnerabilities, 144
FTP service vulnerabilities, 209, 211
functionality, 396-400
IIS vulnerabilities, 139
IMAP issues, 305
ISAPI vulnerabilities, 142
LDAP exploit scripts, 98
Microsoft exploit scripts, 83
Microsoft SQL Server and, 243
MySQL exploit scripts, 254
NTLM authentication, 294
Oracle XDB services, 251
overview, 15, 393, 414
OWA vulnerabilities, 145
PHP vulnerabilities, 138
QPOP issues, 303
RPC issues, 265-266, 332-334, 336
r-services exploit scripts, 224
Samba vulnerabilities, 288
Sendmail exploit scripts, 298
SMTP exploit scripts, 299
SNMP exploit scripts, 95
SSH vulnerabilities, 215
SSL exploits, 328
Telnet vulnerabilities, 220
VNC exploit scripts, 237
WebDAV vulnerabilities, 142
X Windows exploit scripts, 228
msfconsole command, 395
msfweb command, 395
msg_receive( ) function, 137
MSMQ (Message Queuing), 266
ms-sql exploit, 243
MTU (Maximum Transmission Unit), 207, 208
Mullen, Tim, 233
multigate search engine, 340
multiple attacking hosts, emulating, 65
MX (Mail Exchanger) resource records, 30, 31
MySQL database services
brute-force attacks, 252
countermeasures, 255
enumeration, 252
network ports, 239
overview, 252
process manipulation attacks, 253-254
mysql_real_connect( ) function, 253
N
Name Server (NS) resource records, 30
named account, 242
named pipes
Microsoft SQL Server and, 240, 242, 243
RPC support, 265, 266, 267, 269
SMB null sessions and, 270
NANOG, 29
NASDAQ, 1
NASL (Nessus Attack Scripting Language), 377
NAT (Network Address Translation), 47, 73, 378
National Security Agency (NSA), xvi
National Vulnerability Database (NVD), 6, 7
NBT (NetBIOS Name Table), 273, 274
nbtstat command, 274
NcFTPd service, 201
Negotiate authentication, 128, 143
negotiation slots exhaustion attack, 317
Nessus Attack Scripting Language (NASL), 377
Nessus Security Scanner
architecture overview, 377, 378
configuring, 383-389
deployment options, 378, 379
executing, 389
functionality, 13, 377
installing, 379-383
operating systems supported, 12, 14
reporting support, 390
NessusClient client, 378, 383, 385-389
NessusWX client, 378, 383, 385
net command, 281
net users command, 189
NetBIOS Name Table (NBT), 273, 274
NetBIOS services
anonymous access via, 276, 277
brute-force attacks, 281, 286
CIFS support, 285
countermeasures, 288, 289
datagram service, 275
name service, 273-274
remote maintenance support, 199
session service, 233, 266, 276-284
SMB support, 256, 285
NetBSD platform, 200, 217
Netcat tool
FTP services, 207, 208
Microsoft SQL Server and, 244
RPC services, 332
SSH fingerprinting, 213
Netcraft web site, 20, 37
NetScreen, 78
Net-SNMP package, 92
Network Address Translation (NAT), 47, 73, 378
Network File System (see NFS)
network reconnaissance
assessment methodology, 4, 5
assessment tools, 10, 13
process overview, 17
network scanning
assessment tools, 10, 13-14
commercial tools, 14
countermeasures, 77
filter circumvention, 62-70, 77
ICMP probing, 42-48, 77
IDS evasion, 62-70, 77
low-level IP assessment, 71-76
purpose, 4, 5
TCP port scanning, 49-60, 77
UDP port scanning, 60-62, 70, 77
network security assessment
business benefits, 1-2
classifying attackers, 2, 3
cyclic assessment approach, 8-9
definitions, 3, 4
methodology, 4-7
Network Time Protocol (NTP), 89-90, 100
netXeyes hacking group, 270
NFS (Network File System)
CESG CHECK assault course, xviii
countermeasures, 339
RPC vulnerabilities, 334, 335
nfsd service, 331
NGSSquirreL tool, 249
Nikto utility
administrative scripts, 120
authentication support, 119, 129
HTTP authentication and, 157
identifying components, 131-132
operating systems supported, 12
PHP vulnerabilities, 138
web site, 16
Wikto tool and, 156
NIST National Vulnerability Database, 6, 7
nlockmgr service, 331
Nmap utility
ACK flag probe scanning, 55
defining decoy hosts, 65
FTP bounce scanning, 57, 204
functionality, 13
half-open SYN scanning, 52
ICMP probing, 44
inverse TCP flag scanning, 54
IP fingerprinting, 75
IP ID header scanning, 59, 76
low-level IP assessment, 71, 72
operating systems supported, 12, 13
packet fragmentation and, 63, 65
RPC support, 331
SSL VPNs, 321
UDP port scanning, 62
NOP (no-operation) instructions, 351
NOP sled, 351
Nortel Networks, 328
NOTIFY extension, 124
NS (Name Server) resource records, 30
NSA (National Security Agency), xvi
NSF extension, 167
nslookup utility
DNS querying, 30, 31
DNS zone transfers, 32
platform support, 13
reverse DNS querying, 84
version.bind requests, 81
nslookupcomplain( ) function, 81
N-Stalker tool
administrative scripts, 120
authentication support, 119, 129
identifying components, 131
PHP vulnerabilities, 138
NT LAN Manager (see NTLM)
NTA Monitor, 311
NTLM (NT LAN Manager)
countermeasures, 289
FrontPage support, 143
IIS web server support, 128, 129, 139
Microsoft SQL Server and, 243
SMTP authentication, 293, 294
NTP (Network Time Protocol), 89-90, 100
ntpdc tool, 90
ntpq tool, 90
NULL character
heap overflows, 360
stack overflows, 348, 349, 353
NULL probes, 53, 54
null sessions, 276, 277
NULL-MD5 cipher, 325, 327
NVD (National Vulnerability Database), 6, 7
NXDOMAIN overflow, 81
NXT record overflow, 81
O
OAT (Oracle Auditing Tools), 250
Object Identifier (OID), 91, 93, 94
ODBC, 187
off-by-five attacks, 362
off-by-one attacks, 362, 375
(see also stack off-by-one attack)
OID (Object Identifier), 91, 93, 94
one-time password (OTP) authentication, 293
onsite auditing, 4
Open Source Security Testing Methodology Manual (OSSTMM), xix
Open Source Web Application Security Project (OWASP), xix
OpenBSD platform
attacks on, 1
background, 212
FTP service banners, 201
Sendmail support, 295
stack overflows, 346
Telnet support, 217
OpenDataSource( ) function, 243
OpenSSH package, 213
OpenSSL
enumerating ciphers, 324
s_client program, 322
vulnerabilities, 81, 152-155, 328
openssl ciphers command, 324
openssl-scanner utility, 154
openSUSE distribution, 12
operating systems
assessment tools, 10, 11-13
command injection, 184-186, 192, 193
fingerprinting, 48, 75
heap management, 344
Nessus support, 378
off-by-one attacks, 356
(see also specific platforms)
Ophcrack toolkit, 284
opportunistic attacks, 2, 3
OPTIONS request (HTTP)
Apache subsystems and, 129
overview, 104-106, 116
PHP support, 118
reverse proxy mechanisms, 109
Oracle Auditing Tools (OAT), 250
Oracle database services
authentication and, 249-251
brute-force attacks and, 249-251
countermeasures, 255
default account passwords, 249
network ports, 239
SNMP vulnerabilities, 94
TNS vulnerabilities, 244-248
vulnerabilities, 250-251
XDB services, 251
O'Reilly Media, 330
Osborne, Anthony, 275
OSSTMM (Open Source Security Testing Methodology Manual), xix
OTP (one-time password) authentication, 293
OWA (Outlook Web Access), 127, 145, 158
OWASP (Open Source Web Application Security Project), xix
P
packet fragmentation
fragroute utility, 64-65
fragtest utility, 63
half-open SYN flag scanning, 51
IDS evasion and, 62
network scanning countermeasures, 78
Nmap utility and, 63, 65
Packet Storm web site
BIND exploit scripts, 82
Citrix service, 231, 232
investigating vulnerabilities, 6
Microsoft DNS exploit scripts, 83
Microsoft WINS exploit scripts, 83
MySQL vulnerabilities, 252
POP3 brute-force tools, 302
pscan.c scanner, 50
Sendmail exploit scripts, 298
SMTP exploit scripts, 299
SSH vulnerabilities, 214
VNC exploit scripts, 237
word lists, 219
X Windows exploit scripts, 228
Paketto Keiretsu suite, 52
PAM authentication, 220
Parallels, 11
parameters, web applications, 184-196
Paros tool
attack proxy, 171
session ID injection, 181
web application profiling, 161
web application testing, 16
passprop.exe tool, 289
passwords
authentication vulnerabilities, 181, 191
Cain & Abel tool, 275
common Windows combinations, 281
countermeasures, 288, 305, 329
default device, 219
default for Oracle accounts, 249
IPC$ access, 276
NetBIOS session service and, 281
PAM authentication, 220
Phenoelit DPL, 249
SAM database and, 284
(see also brute-force grinding attacks)
PASV command, 78, 207, 210
PATH environment variable, 220
PCI (Payment Card Industry) standard, xviii
penetration testing
CORE IMPACT and, 402
defined, 4
FTP services, 216
identifying virtual hosts, 113-114
management categories, xii
permissions
assessing for FTP services, 201-203
command shells and, 352
Nessus requirements, 378
PGP COVERT Labs, 275
PGPnet client, 320
Phenoelit web site, 219, 235, 249
PHoss network sniffing utility, 235, 236
PHP
assessing web servers, 117-119
countermeasures, 158, 196
file extensions, 167
session ID variable, 168, 181
vulnerabilities, 137-138
PHP extension, 167
php_mime_split( ) function, 137, 138
PHP3 extension, 167
PHP4 extension, 167
PHP5 extension, 167
PHPSESSID variable, 168
PHTML extension, 167
ping command
ICMP support, 42
Nessus support, 386, 392
SING utility and, 43
TNS listener service and, 245, 246
xp_cmdshell support, 188
ping packets, 42, 43, 63
PL extension, 167
PLAIN authentication mechanism, 293
Playboy Enterprises, 1, 330
Pliam, John, 320
Plink utility, 213
PM extension, 167
pmap_set tool, 332
Pointer (PTR) resource records, 30, 34-35, 41
Point-to-Point Tunneling Protocol (PPTP), 320, 321
POLL extension, 124
POP2 service, 290, 302-303
POP3 service
common email port, 290
countermeasures, 305
THC Hydra support, 204
vulnerabilities, 302-303
PORT command, 56-57, 78, 199, 206
port scanning (see TCP port scanning; UDP port scanning)
portmapper service, 330-332
portsentry security mechanism, 51
POST method (HTTP)
Apache HTTP Server and, 146, 149
description, 110, 115
HTTP request smuggling, 179, 180
reverse proxy mechanisms, 107, 109
web application attack strategies, 176
Post Office Protocol (see POP2 service; POP3 service)
Postfix package, 291
PostgreSQL database services, 239
ppscan.c tool, 58
PPTP (Point-to-Point Tunneling Protocol), 320, 321
PPTP-sniff sniffer, 321
prescan( ) function, 295, 298
PREV_INUSE flag, 358-360, 362
primary name servers, 32
PRINTER extension, 123, 142
printf( ) function, 367-371, 374
private community string, 92
privilege escalation
IIS vulnerabilities, 139, 140
ISAPI extensions and, 142
Microsoft SQL Server and, 243
MySQL vulnerabilities, 253
process manipulation attacks
FTP service, 199, 208-212
IMAP services, 304, 305
Microsoft SQL Server, 242-244
mitigation strategies, 374-376
MySQL and, 253-254
POP3 and, 303
remote maintenance services and, 198
RPC services, 265-266
Sendmail vulnerabilities, 295, 298
TNS service, 248
(see also buffer overflow)
ProFTPD service, 201, 211
PROPFIND method (HTTP)
countermeasures, 159
description, 116
vulnerabilities, 136, 142
PROPPATCH method (HTTP), 116
PROTOS test suite, 98, 317
Provos, Niels, 376
proxy scanning, 49, 58, 103
proxy servers
FTP service vulnerabilities, 199
network scanning countermeasures, 78
reverse mechanisms, 78, 107-113
Proxy-Authorization: field, 172
pscan.c scanner, 50
PSCP utility, 213
PsExec tool, 282
PSFTP utility, 213
PSK authentication
countermeasures, 329
defined, 308
IKE aggressive mode, 318-320
transform enumeration, 315
PsTools package (Sysinternals), 282
PTR (Pointer) resource records, 30, 34-35, 41
public community string, 92, 93
Pure-FTPd service, 201
PUSH TCP flag, 53
PUT method (HTTP)
countermeasures, 159
description, 116
vulnerabilities, 134, 135
PuTTY tool, 213, 214
PWD files, 144
pwdump3 utility, 284
pxytest utility, 112, 113
Q
qmail package, 305
qpopper service, 302, 303
Qualcomm QPOP, 302, 303
QualysGuard, 14
querydominfo command (rpcclient), 268
querygroup command (rpcclient), 268
queryuser command (rpcclient), 268
queso tool, 75
quick mode (IKE), 308
R
rainbow table cracking, 284
RainbowCrack toolkit, 284
Range: field, 172
RASMAN (Remote Access Service Manager), 264, 265
RC4-MD5 cipher, 325, 327
RCPT TO: command (Sendmail), 39, 295-297
RDP (Remote Desktop Protocol), 232-234, 238
read community string, 92
ReadFontAlias( ) function, 228
realpath( ) function, 210
recalls_header( ) function, 146
Referer: field, 149, 172
reg.exe tool, 282, 283
regdmp.exe tool, 282
regini.exe tool, 282, 283
Regional Internet Registries (RIRs), 23, 28
registers, 345
registry keys
accessing, 282, 283
dumping, 189, 242
modifying, 281, 282, 283
removing, 283
RestrictAnonymous setting, 280
reload command, 246
Remote Access Service Manager (RASMAN), 264, 265
Remote Desktop Protocol (see RDP)
remote information services
auth service, 88
countermeasures, 99, 100
DNS service, 80-86
Finger service, 86-88
LDAP service, 79, 82, 95-98
NTP services, 89-90, 100
overview, 79, 80
RPC services, 80, 98
rusers service, 98, 99
rwhod service, 98
SNMP services, 91-95
remote maintenance services
categories of attacks, 198
Citrix support, 229-232
countermeasures, 237, 238
FTP support, 199-212
RDP support, 232-234
r-services support, 220-224
SSH support, 212-215
Telnet services, 215-220
VNC support, 234-237
X Windows support, 224-228
Remote Procedure Call services (see RPC services)
Remoxec utility, 273
reply_nttrans( ) function, 288
Réseaux IP Européens (RIPE), 24, 28
RestrictAnonymous registry setting, 280, 285, 289
RETR command, 211, 303
return address (see instruction pointer), 351
return-into-libc attack, 375
reverse DNS sweeping, 36, 37, 84
reverse proxy mechanisms, 78, 107-113
reverse-lookup technique, 280
rexec client, 221
RFC 791 standard, 67
RFC 792 standard, 419
RFC 793 standard, 53, 54
RFC 950 standard, 419
RFC 959 standard, 56, 199
RFC 1002 standard, 275
RFC 1256 standard, 419
RFC 1323 standard, 71
RFC 1393 standard, 419
RFC 1413 standard, 89
RFC 1812 standard, 419
RFC 2002 standard, 419
RFC 2046 standard, 302
RFC 2052 standard, 82
RFC 2409 standard, 309, 315
RFC 2444 standard, 293
RFC 2518 standard, 116, 123
RFC 2616 standard, 151, 172
RFC 2617 standard, 118
RFC 2831 standard, 293
RFC 4559 standard, 128
RHOST variable, 399
rhosts file extension, 221-223, 336
RID cycling
CIFS services, 285, 286
defined, 280
NetBIOS services and, 276
RPC services and, 267, 269
RIPE (Réseaux IP Européens), 24, 28
RIRs (Regional Internet Registries), 23, 28
Ritter, Jordan, 277
rlogin client, 221, 222
rootdown.pl exploit script, 336
Rosenthal, Chip, 112
router community string, 92
Routin, David, 332
Routing and Remote Access Service (RRAS), 266
RPC (Remote Procedure Call) services
assessing, 257
brute-force attacks, 270
CESG CHECK assault course, xviii
connecting without portmapper, 332
countermeasures, 288, 289, 339
enumerating, 330-332
enumerating server interfaces, 257
executing arbitrary commands, 273
identifying vulnerable interfaces, 263-266
identifying without portmapper, 331
LSARPC interface, 266-270
Microsoft SQL Server support, 240
overview, 80, 98, 99
SAMR interface, 266-270
vulnerabilities, 332-338
RPC over HTTP, 127, 184, 289
rpc.cmsd daemon, 337
rpc.statd service, 335
rpc.ttdbserverd daemon, 338
RPC_CONNECT method, 117, 127, 289
rpcbind tool, 330
rpcclient tool, 268-270
rpcdump utility, 260-262
rpcinfo utility, 12, 99, 330
RpcScan tool, 263
RPORT variable, 399
rquotad service, 331
RRAS (Routing and Remote Access Service), 266
RSA Security, 1, 238, 320
RSA signature authentication, 314, 315
r-services
accessing, 221-222
countermeasures, 238
overview, 220
vulnerabilities, 223
rsh client, 221, 222, 223
RSnake XSS cheat sheet, 178, 195
RST packets, 55
RST/ACK packets
half-open SYN flag scanning, 51
inverse TCP flag scanning, 53, 54
responses to probes, 71
rusers service, 98, 99
rusersd service, 331
rwhod service, 98
S
s_client program (OpenSSL), 322
SA (Security Association), 307, 308, 309
sa administrator account, 242
Sabin, Todd, 127, 260, 267
sadmind (Solstice AdminSuite Daemon), 335, 336
SafeNet client, 320
SAM (Security Account Manager) database
accessing, 284
defined, 7
MSRPC interface, 265
OAT toolkit, 250
SMB null sessions, 270
SQLAT support, 242
xp_regread procedure, 189
Samba open source suite, 287, 288
SAMR interface, 266-270
SamSpade tool, 164
Sana Security, 376
save_config command, 247
SCADA (Supervisory Control And Data Acquisition), 379
Scanrand port scanner, 52, 53
scanudp utility, 62
Schiffman, Mike, 73, 82
Schneier, Bruce, 320
schtasks command, 282
SCM (Service Control Manager), 270
SCP (Secure Copy), 212
ScriptAlias directive, 146
scut (TESO), 356
SDP (Site Data Protection) program, xviii
search engines
vulnerabilities, 340
web and newsgroup, 5, 18-20, 40
SEARCH method
countermeasures, 159
IIS support, 123
proprietary nature of, 117
vulnerabilities, 136, 142
secondary name servers, 32
Secure Computing Safeword, 238
Secure Copy (SCP), 212
Secure FTP (SFTP), 212
Secure Shell services (see SSH services)
security
Nessus Security Scanner, 377-392
recommended reading, 376
running unusual architecture, 375
stack overflows, 346
vulnerability information, 420-421
Security Account Manager (see SAM database)
Security Association (SA), 307, 308, 309
Security Center product, 378
security management effectiveness, xiii
Security Support Provider (SSP), 128, 129
SecurityFocus web site, 6, 110, 214
segmentation fault, 349
SELECT command (SQL), 188, 189, 190
Send ICMP Nasty Garbage (SING) utility, 43
Sendmail
automating user enumeration, 297
command injection, 186
countermeasures, 305
SMTP services and, 291
Telnet support, 218
vulnerabilities, 295-298
web application vulnerabilities, 185
SensePost, 13, 378
Server Message Block protocol (see SMB protocol)
Server: field, 106, 129, 137, 167
ServerMask plug-in, 107
server-side file extensions, 165
Server-side Includes (SSI), 123
server-side scripts, 171, 193-194
Service Control Manager (SCM), 270
services command, 247
session ID
cookies and, 173
countermeasures, 196
fingerprinting, 167-169
timeout mechanism, 184
vulnerabilities, 182-183
XSS attacks, 194
set PAYLOAD command, 399
Set-Cookie: field, 118, 167
SFTP (Secure FTP), 212
SGI IRIX platform, 201, 217
SHA1 algorithm, 182, 315
Shah, Saumil, 107
shell service (Unix), 220
shellcode, 349, 351, 352
show exploits command, 396
show payloads command, 398
showmount client software, 331, 332, 335
SHTM extension, 123
SHTML extension, 123, 142
SIG overflow, 81
Simple Mail Transfer Protocol (see SMTP)
Simple Network Management Protocol service (see SNMP service)
Simple Object Access Protocol (SOAP), 173
SING utility, 43, 44, 63
sirc3 tool, 75
Site Data Protection (SDP) program, xviii
SITE EXEC command, 210
SMB (Server Message Block) protocol
CIFS service, 285
executing commands, 282
named pipe access, 266
null sessions, 270
overview, 256
rpcclient tool, 268-270
smbdumpusers utility, 285
SMB-AT tool, 281, 285, 286
smbbf utility, 286, 287
smbclient tool, 281
SMBCrack tool, 281, 289
smbdumpusers utility, 285, 286
SMTP (Simple Mail Transfer Protocol)
brute-force attacks, 293, 294
circumventing content checking, 300-302
common email port, 290
countermeasures, 41, 305
enumerating features, 292, 293
ESMTP, 292, 293
fingerprinting, 291, 292
open relay testing, 294, 295
overview, 290
reconnaissance techniques, 17, 38, 39, 40
r-services and, 222
vulnerabilities, 299-300
smtpmap tool, 291
smtpscan tool, 291
snapshots, window, 226
sniffing
countermeasures, 306
discovering usernames by, 319
PPTP vulnerabilities, 321
session ID vulnerabilities, 181
sniffer-based spoofed scanning, 49, 58
VNC handshake, 235
SNMP service
ADMsnmp tool, 91
compromising devices by reading from, 93
compromising devices by writing to, 94
countermeasures, 100
default community strings, 92
process vulnerabilities, 94-95
snmpwalk tool, 92
snmpset utility, 92, 94
snmpwalk utility
brute-force attacks and, 91
OID values, 93
overview, 92
platforms supported, 12
UDP port scanning, 60
SOAP (Simple Object Access Protocol), 173
socket( ) function, 376
Solar Eclipse, 154
Solaris platform
fingerd service, 86, 87
FTP service banners, 199, 200
FTP vulnerabilities, 207, 209
Nessus support, 378
RPC service and, 330, 335, 336
r-services support, 220
Sendmail support, 295
Telnet support, 216, 217
Solstice AdminSuite Daemon (sadmind), 335, 336
Song, Dug, 63
Sony Music, 330
source routing, 66-69
sp_makewebtask stored procedure, 188, 189
SPARC platform, 356
SPI Dynamics WebInspect, 16
SpiderFoot tool, 37
split horizon DNS, 41
spoofing
IDS evasion and, 62
internal IP addresses and, 103
RSH connections, 223
sniffer-based scanning, 49, 58
spoofscan tool, 58
Sprint, 330
SQL Auditing Tool (SQLAT), 242
SQL injection
dangerous character strings, 192
Nessus and, 388
Oracle vulnerabilities, 250
overview, 186-191
SQL Server Resolution Service (SSRS), 239
SQL*Net login process, 247
SQLAT (SQL Auditing Tool), 242
sqlbf utility, 242
sqldict utility, 242
sqlite_decode_binary( ) function, 137
SQLPing utility, 240
sqlplus utility, 249
sreplace( ) function, 211
SRV record (DNS), 82
SSH (Secure Shell) services
brute-force attacks and, 214
fingerprinting, 213
overview, 212
port forwarding, 212
vulnerabilities, 214-215
SSH Communications, 212, 213
SSI (Server-side Includes), 123
SSL
basic querying, 322-324
countermeasures, 329
enumerating weak cipher support, 324-327
vulnerabilities, 328, 329
SSL tunnel
email services, 290
LDAP services and, 79
querying web servers, 106
ssl_log( ) function, 149
ssl_util_uuencode_binary( ) function, 149
SSLv2 large client key overflow, 154
SSP (Security Support Provider), 128, 129
SSRR (Strict Source and Route Record), 67
SSRS (SQL Server Resolution Service), 239
stack
defined, 344
nonexecutable implementation, 375
reading adjacent items, 367, 369
reading from any address on, 369, 370
stack frame, 344, 356, 373
stack frame pointer (see ebp)
stack frame variables, 347
stack off-by-one attack, 347, 352-356, 373
stack overflows, 346-356, 364
stack pointer (esp), 344-345, 350, 351
stack segment, 345, 373
stack smash attack, 347, 347-352, 373
static overflows, 364, 374
status command, 246
status service, 331
sticky bit, 203
STM extension, 123
stop command, 247
stored procedures, 187-190
str_replace( ) function, 137
strcpy( ) function, 348
Strict Source and Route Record (SSRR), 67
stunnel tool (see SSL tunnel)
SUBSCRIBE extension, 124
Sun Java System Application Server, 168, 169
Sun Microsystems platform
FTP service banners, 200
hackers and, 330
Sendmail vulnerabilities, 295
SNMP vulnerabilities, 94
Telnet support, 217
SuperScan (Foundstone), 52
superuser privileges, 7
Supervisory Control And Data Acquisition (SCADA), 379
Sutton, Michael, 376
Sybase database services, 239
Symantec Backup Exec, 239
Syn Ack Labs, 68
SYN flood attacks, 51, 52, 78
SYN scanning
Nessus support, 386
TCP port scanning and, 49, 50-53, 70
SYN/ACK packets, 51, 71
Sysinternals PsTools package, 282
SYSKEY encryption, 284
syslog( ) function, 367, 374
Sys-Security Group, 48
system call monitoring, 376
system registry (see registry keys)
system( ) command, 185, 186
Systrace tool, 376
T
Tamper Data tool, 181
TARGET variable, 399
Task Scheduler service (see Microsoft Task Scheduler)
TCP flag scanning, inverse, 49, 53-54, 70
TCP fragmentation scanning, 49
TCP port scanning
ACK flag probe scanning, 49, 54-56
countermeasures, 78
FTP bounce scanning, 49, 56-57
IP ID header scanning, 49, 58-60, 76
overview, 49-60, 77
proxy bounce scanning, 49, 58
sniffer-based spoofed scanning, 49, 58
SYN flag scanning, 49, 50-53, 70
TCP flag scanning, 49, 53-54, 70
TCP fragmentation scanning, 49
vanilla connect( ) scanning, 49-50
TCP ports, 415-417
TCP/IP, 240, 242, 378
tcpdump utility, 48, 64, 74
Telnet services
brute-force grinding, 218-219
countermeasures, 237
fingerprinting, 216-218
overview, 215
SSH support, 213
vulnerabilities, 212, 215, 219-220
telnet utility, 12
TelnetFP, 216
telrcv( ) function, 220
Tenable Network Security, Inc., 377, 378
TERM environment variable, 371
TERMCAP environment variable, 220
TESO, 356
testing
database vulnerabilities, 241
Nessus and, 389
open relay, 294, 295
penetration, 4, 113-114, 216, 402
software vulnerabilities, 341
web applications, 3, 10, 16, 328
web services, 101, 102
text segment, 343, 345
tftp utility, 60, 250
tftpd daemon, 94
THC Hydra tool
authentication and, 119, 129, 157, 181
FrontPage and, 143
FTP services, 204
IMAP services, 304
MySQL vulnerabilities, 252
OWA and, 127
POP3 and, 302
SMTP and, 293
SNMP and, 91
THC-pptp-bruter tool, 321
3Com, 6, 92, 219
3DES algorithm, 315
timeout, session, 184, 196
time-to-live (TTL) field (RST packets), 54, 55
TIS Gauntlet, 39
TLDs (top-level domains), 20
TLS (Transport Layer Security), 377
TNS (Transparent Network Substrate) protocol
countermeasures, 255
information leak attacks, 245-247
listener enumeration attacks, 245-247
Oracle support, 244
process manipulation attacks, 248
tnscmd.pl tool, 245-246
ToolTalk Database (TTDB) service, 338
top-level domains (TLDs), 20
TRACE method (HTTP), 116, 133
traceroute tool
ICMP support, 42
low-level IP assessment, 74
reconnaissance tasks, 13
source routing and, 66
tracert command, 13
Trailer: field, 172
Transfer-Encoding: field, 172
transform enumeration, 315, 316
Transparent Network Substrate protocol (see TNS protocol)
Transport Layer Security (TLS), 377
tree command, 163
Trojan horse programs, 301
TSGrinder tool, 233
TSIG overflow, 81
TTDB (ToolTalk Database) service, 338
TTDB service, 207, 208
TTL (time-to-live) field (RST packets), 54, 55
TTL-based scanning, 51
TXDNS grinding tool, 35, 85
U
U.S. Department of Defense, xiii
Ubuntu distribution, 12
UDDI (Universal Description, Discovery, and Integration), 173
UDF (User Defined Function), 254
UDP port scanning
countermeasures, 78
overview, 60-62, 77
recommended source ports, 70
UDP ports, 418
Unicode, 176, 179
Universal Description, Discovery, and Integration (UDDI), 173
Unix-based platforms
assessing FTP permissions, 202
BIND service, 81
fingerd service, 86, 87
FTP bounce scanning, 56
Nessus support, 378, 380, 381
NTP services, 89, 90
RPC vulnerabilities, 337-338
r-services, 220
rusers service, 98
rwhod service, 98
Samba vulnerabilities, 287, 288
security flaws, 340
smbclient tool, 281
SMTP services, 291
Telnet support, 216
(see also RPC services)
unlink( ) function, 360
UNLOCK method (HTTP), 117
UNSUBSCRIBE extension, 124
UPDATE command (SQL), 190
Upgrade: field, 172
URG TCP flag, 53
Urity, 263, 273
URLscan tool, 138, 140, 158, 196
use command, 398
user accounts
accessing SAM database, 284
authentication vulnerabilities, 181
brute-force attacks, 293
countermeasures, 289, 305
PAM authentication, 220
RPC service, 269
Sendmail vulnerabilities, 295, 298
username grinding, 209
WMIdump tool, 271
User Defined Function (UDF), 254
User-Agent: field, 172
UTF-8 decimal encoding, 178
UW IMAP, 304, 305
V
van Wyk, Kenneth, 376
vanilla connect( ) scanning, 49-50
Vendor ID (VID), 312
venom utility, 271
VeriSign iDefense Security Intelligence Services, 6
version command, 245, 246
version.bind requests, 80, 81
VID (Vendor ID), 312
Viega, John, 376
virtual hosts, identifying, 113, 114
Virtual Network Computing (VNC), 234-238
virtualization software, 10, 11, 379
VISA AIS scheme, xviii
Vitek, Ian, 230, 231
VMware, 11, 379
VNC (Virtual Network Computing), 234-238
VNC inject payload (MSF), 396
VNCrack utility, 235, 236
Volobuev, Yuri, 44
VPN services
attacking, 311-320
countermeasures, 306, 329
discovering usernames, 319
IKE support, 308-310
IPsec, 307-310
ISAKMP support, 308-310
Microsoft PPTP, 320, 321
SSH support, 212
SSL support, 321-328
vulnerabilities, 307
VRFY command (Sendmail), 295, 296, 297
Vscan tool, 54, 60
VsFTPd service, 201
vulnerabilities
exploiting, 4, 7
generic subsystem, 132-138
investigating, 4, 6, 7
memory manipulation attacks, 373, 374
network services, 342-345
parameter modification, 184-196
search engine attacks, 341
in software, 341
sources of information, 420-421
vulnerability scanning
defined, 3
MetaCoretex, 241, 250, 252
Nessus Security Scanner, 12, 13, 14, 377-392
W
walksam utility, 267-268
Wapiti, 16
Warning: field, 172
Watchfire AppScan, 16
WatchGuard, 78
web applications
attack strategies
filter evasion techniques, 176-180
HTTP cookie fields, 173
HTTP request headers, 172-173
server-side script variables, 171
XML request content, 173-176
compiling from source, 376
countermeasures, 196, 197
format string bugs, 367-373
heap overflows, 356-363
integer overflows, 364-367
memory manipulation attacks, 373, 374
profiling
backend database assessments, 170
HTML source review, 162-164
server-side file extensions, 165
session ID fingerprinting, 167-169
software vulnerabilities, 341
stack overflows, 346-356
technologies overview, 160
testing, 3, 10, 16, 328
vulnerabilities
authentication issues, 180-184
parameter modification, 184-196
Web Distributed Authoring and Versioning (see WebDAV)
web server crawling
enumeration countermeasures, 40
overview, 155-157
reconnaissance techniques, 17, 37, 40
web servers
Apache vulnerabilities, 145-155
countermeasures, 158, 159
fingerprinting accessible, 102-107
generic subsystem vulnerabilities, 132-138
identifying enabled components, 131-132
identifying subsystems, 114-130
Microsoft vulnerabilities, 138-145
penetration tests, 113, 114
reverse proxy mechanisms, 107-113
running unusual architecture, 375
steps involved in testing, 101, 102
transfer-encoding mechanisms, 176
web services, 173, 175, 196
Web Services Description Language (WSDL), 174-175
web site crawling, 164, 170
WebDAV (Web Distributed Authoring and Versioning)
ISAPI extensions, 123, 124
overview, 116-117
vulnerabilities, 136, 142
WebLogicSession variable, 168
WebScarab, 16
WHOIS databases
enumeration countermeasures, 40
querying domain registrars, 20-23
querying IP registrars, 23-28
reconnaissance techniques, 5, 13, 17, 40
whois utility, 13, 21-26
Wikto tool, 37, 113, 156
WINDOW field (RST packets), 54, 55
Window Manager, 228
Windows Management Interface (WMI), 270, 271
Windows Media Services, 126
Windows networking services
CIFS support, 256, 270, 282, 285-287
countermeasures, 288, 289
Microsoft RPC services, 257-273
NetBIOS support, 256, 266, 273-284, 285
ports used, 256
Samba vulnerabilities, 287, 288
SMB support, 256
Windows platforms (see Microsoft Windows platforms)
winfo tool, 277, 278, 280
Winrtgen toolkit, 284
WINS service, 82-83
WMI (Windows Management Interface), 270, 271
WMICracker tool, 270
WMIdump tool, 271
write community string, 92
WRITE method, 142
WSDL (Web Services Description Language), 174-175
WU-FTPD service, 201, 210-211
WU-IMAP, 304
WWW-Authenticate: field, 119
X
X Consortium, 224
X Windows, 224-228
XAUTH authentication, 308, 315-316, 320
xauth utility, 225
Xauthority file extension, 225
XFree86 window management system, 228
XGetImage( ) function, 226
xhost command, 224
X-LINK2STATE command, 299
XMAS probes, 53, 54
XML messages, 173-176
X-MS-ENUMATTS extension, 124
xntp3 daemon, 90
xntpd daemon, 90
xp_cmdshell stored procedure, 188, 242
xp_regread stored procedure, 189
X-Powered-By: field, 137
Xprobe2 utility, 48
xpusher program, 227
xscan utility, 225
XsendEvent( ) function, 227
xspy tool, 227
XSS (cross-site scripting)
Apache vulnerabilities, 146, 149, 150
Citrix and, 232
filter evasion techniques, 178
IIS vulnerabilities and, 140
Nessus support, 388
TRACE method and, 133
vulnerabilities, 181, 194-196
web application attack strategies, 175
XSS Shell application, 196
XSS-Proxy application, 196
XST (cross-site tracing), 133
xterm application, 224
xtester program, 227
xwatchwin utility, 226
xwd tool, 226
xwininfo command, 226, 227
xwud command, 226
Xyplex, 219
Y
YASQL (Yet Another SQL*Plus Replacement), 249
Z
zombies, 3, 59
zone transfers (see DNS zone transfers)