book

Assessing Network Security

by Ben Smith, Kevin Lam, David LeBlanc

July 2004

Intermediate to advanced

592 pages

15h 18m

English

Microsoft Press

Read now

Unlock full access

Assessing Network Security
A Note Regarding Supplemental Files
Acknowledgments
Foreword
Introduction
Who Should Read This BookOrganization of This BookSystem RequirementsSupport
I. Planning and Performing Security Assessments
1. Introduction to Performing Security Assessments
Role of Security Assessments in Network SecurityWhy Does Network Security Fail?Human FactorsPolicy FactorsMisconfigurationPoor AssumptionsIgnoranceFailure to Stay Up-to-DateTypes of Security AssessmentsVulnerability ScanningEnumerate Computers, Operating Systems, and ApplicationsIdentify Common Security MistakesSearch for Computers with Known VulnerabilitiesTest for Exposure to Common AttacksPenetration TestingHow Vulnerabilities Are ExploitedWeakness in People and ProcessesIT Security AuditingFrequently Asked Questions
2. Key Principles of Security
Making Security EasyKeeping Services RunningAllowing the Right Users Access to the Right InformationDefending Every Layer as if It Were the Last Layer of DefenseKeeping a Record of Attempts to Access InformationCompartmentalizing and Isolating ResourcesAvoiding the Mistakes Everyone Else MakesControlling the Cost of Meeting Security ObjectivesRisk ManagementLearning to Manage RiskSetting the ScopeIdentifying Assets and Determining Their ValuePredicting Threats and Vulnerabilities to AssetsDocumenting the Security RisksDetermining a Risk Management StrategyMonitoring AssetsTracking Changes to RisksRisk Management StrategiesAcceptanceMitigationTransferenceAvoidanceImmutable LawsFrequently Asked Questions
3. Using Vulnerability Scanning to Assess Network Security
Setting a Scope for the ProjectDefining the TargetEnumerationRecorded StateWell-Defined ConfigurationsDefining the Target ScopeDefining Types of VulnerabilitiesDetermining GoalsChoosing a TechnologyTools and Managed vs. Unmanaged TargetsChecklist for Evaluating ToolsCreating a Process for Scanning for VulnerabilitiesDetecting VulnerabilitiesAssigning Risk Levels to VulnerabilitiesIdentifying Vulnerabilities That Have not Been RemediatedDetermining Improvement in Network Security Over TimeCreating a Process for Analyzing the ResultsFrequently Asked Questions
4. Conducting a Penetration Test
What the Attacker Is Thinking AboutNotoriety, Acceptance, and EgoFinancial GainChallengeActivismRevengeEspionageInformation WarfareDefining the Penetration Test EngagementSetting the GoalsGaining Control of Confidential InformationGaining Administrator Access to a System or SystemsGaining Physical Access to a Device or LocationGetting Caught by Security AdministratorsCompromising ApplicationsDenying Others Use of a ServiceCausing Direct Financial Damage to an OrganizationSetting the ScopePerforming the Penetration TestLocating Areas of Weakness in Network or Application DefensesDetermining How Vulnerabilities Were CompromisedLocating Assets that Could be Accessed, Altered, or DestroyedDetermining Whether the Attack Was DetectedIdentifying the Attack FootprintMaking RecommendationsFrequently Asked Questions

5. Performing IT Security Audits
Components of an IT Security AuditPolicyAdministrative PoliciesTechnical PoliciesPhysical PoliciesProcesses and ProceduresOperationsPreliminary DecisionsLegal ConsiderationsRegulatory ConsiderationsOperational ConsiderationsOrganizational ConsiderationsPlanning and Performing the AuditBuilding Your Audit FrameworkSetting the Scope and TimelineObtaining Legal and Management ApprovalCompleting the AuditAnalyzing and Reporting the ResultsFrequently Asked Questions
6. Reporting Your Findings
Guidelines for Reporting Your FindingsConcise and ProfessionalTechnically AccurateObjectiveMeasurableFramework for Reporting Your FindingsDefine the VulnerabilityAccessDifficultyValue of the Asset to the AttackerDocument Mitigation PlansIdentify Where Changes Should OccurAssign Responsibility for Implementing Approved RecommendationsFrequently Asked Questions
7. Building and Maintaining Your Security Assessment Skills
Building Core SkillsImproving Network, Operating System, and Application SkillsNetwork SkillsOperating System SkillsApplication SkillsDeveloping Programming SkillsCompiled LanguagesInterpreted LanguagesPracticing Security AssessmentsEvaluating ToolsVerifying Results and CountermeasuresSharpening Your SkillsBuilding a Network to Practice Security AssessmentsStaying Up-to-DateFinding a CourseChoosing an InstructorHands-On ExperienceTraining QualificationsIndustry CredentialsReferencesEvaluating materialsAssessing the Training VenueChoosing a ConferenceVendor-SponsoredVendor-AgnosticAcademicInternet-Based ResourcesInternet Mailing ListsSecurity BulletinsSecurity WebsitesFrequently Asked Questions
II. Penetration Testing for Nonintrusive Attacks
8. Information Reconnaissance
Understanding Information ReconnaissanceRegistrar InformationDetermining Your Registrar InformationCountermeasuresIP Network Block AssignmentDetermining Your Organization’s IP Network Block AssignmentCountermeasuresWeb PagesReviewing Web Server ContentManual ReviewAutomated ReviewCountermeasuresSearch EnginesReviewing Your Website with Search EnginesCountermeasuresPublic Discussion ForumsTaking a Snapshot of Your Organization’s ExposureCountermeasuresFrequently Asked Questions
9. Host Discovery Using DNS and NetBIOS
Using DNSCommon Record TypesStart of AuthorityName ServerAddressCanonical NamePointerMail ExchangeService LocatorMiscellaneous RecordsExamining a Zone TransferUsing NetBIOSUsing LDAPFrequently Asked Questions
10. Network and Host Discovery
Network Sweeping TechniquesICMP SweepsUDP SweepsTCP SweepsBroadcast SweepsCountermeasuresNetwork Topology DiscoveryTrace RoutingFirewalkingCountermeasuresFrequently Asked Questions
11. Port Scanning
TCP Connect ScansCustom TCP ScansSYN ScansFIN ScansSYN/ACK and ACK ScansXMAS ScansNull ScansIdle ScansUDP ScansFTP Bounce ScansPort Scanning Tips and TricksFragmentation and Port ScansPort Scanning CountermeasuresFrequently Asked Questions
12. Obtaining Information from a Host
FingerprintingIP and ICMP FingerprintingTCP FingerprintingCountermeasuresApplication FingerprintingCountermeasuresWhat’s On That Port?Interrogating a HostUser InformationGroup InformationFile SharesOperating System InformationUser SessionsService UsersCountermeasuresFrequently Asked Questions
13. War Dialing, War Driving, and Bluetooth Attacks
Modem Detection—War DialingAnatomy of a War Dialing AttackIdentify Telephone Number Blocks to DialDetect Dial-Up SystemsAssess VulnerabilityCountermeasuresWireless LAN Detection—War DrivingMAC Address FilteringDisabling a Service Set ID BroadcastingWired Equivalent PrivacyAuthenticationOpen System AuthenticationShared Key AuthenticationData EncryptionAnatomy of a War Driving AttackDetecting Wireless NetworksAssessing VulnerabilityCountermeasuresBluetooth AttacksDevice DetectionCountermeasuresData TheftCountermeasuresServices TheftCountermeasuresNetwork SniffingCountermeasuresFrequently Asked Questions
III. Penetration Testing for Intrusive Attacks
14. Automated Vulnerability Detection
Scanning TechniquesBanner Grabbing and FingerprintingExploiting the VulnerabilityInference TestingReplaying Network SniffsPatch DetectionSelecting a ScannerVulnerability ChecksScanner SpeedReliability and ScalabilityCheck AccuracyUpdate FrequencyReporting FeaturesScanning ApproachesHost-Based ScannersNetwork-Based ScannersDangers of Using Automated ScannersTips for Using Scanners SafelyFrequently Asked Questions
15. Password Attacks
Where to Find PasswordsBrute Force AttacksOnline Password TestingOffline Password TestingOffline Password Attack StrategiesDictionary AttacksVariant Dictionary AttacksBrute Force AttacksCountermeasuresPassword Disclosure AttacksFile System PasswordsEncrypted PasswordsSniffing for PasswordsKeystroke LoggersCountermeasuresFrequently Asked Questions
16. Denial of Service Attacks
Flooding AttacksTesting Flooding AttacksCountermeasuresResource Starvation AttacksCPU Starvation AttacksTesting for CPU Starvation AttacksCountermeasuresMemory Starvation AttacksDisk Storage Consumption AttacksTesting for Disk Storage ConsumptionCountermeasuresDisruption of ServiceFrequently Asked Questions
17. Application Attacks
Buffer OverrunsStack OverrunsHeap OverrunsFormat String BugsCountermeasuresInteger OverflowsCountermeasuresFinding Buffer OverrunsFrequently Asked Questions
18. Database Attacks
Database Server DetectionDetecting Database Servers on Your NetworkNetwork Deployment RecordsPort ScanningApplication Programming Interfaces (APIs)SQL Query Analyzer ToolMicrosoft Baseline Security AnalyzerOdbcping UtilitySQLPing UtilityCountermeasuresMissing Product PatchesDetecting Missing PatchesCountermeasuresUnauthorized AccessDetecting the Potential for Unauthorized AccessCountermeasuresWeak PasswordsDetecting Weak PasswordsCountermeasuresNetwork SniffingDetecting Network Sniffing ThreatsCountermeasuresSQL InjectionDetecting SQL Injection VectorsCountermeasuresFrequently Asked Questions
19. Network Sniffing
Understanding Network SniffingDebunking Network Sniffing MythsMyth #1: An Attacker Can Remotely Sniff NetworksMyth #2: Switches Are Immune to Network Sniffing AttacksMedia Access Control Table FloodingAddress Resolution Protocol Table ModificationsInternet Control Message Protocol RedirectsCompromising SwitchesDetecting Network Sniffing ThreatsManual DetectionReviewing Network ArchitectureMonitoring DNS QueriesMeasuring LatencyUsing False MAC Addresses and ICMP PacketsUsing Trap AccountsUsing Non-Broadcast ARP PacketUsing Automated Detection ToolsDetecting Microsoft Network Monitor InstallationsCountermeasuresFrequently Asked Questions
20. Spoofing
IP SpoofingCountermeasuresSpoofing E-MailCountermeasuresDNS SpoofingAttacking the ClientAttacking the DNS ServerAttacking Server Update ZonesAttacking Through the Name RegistryCountermeasuresFrequently Asked Questions
21. Session Hijacking
Understanding Session HijackingNetwork-Level Session HijackingHijacking a TCP SessionHijacking a UDP SessionDetermining Your Susceptibility to ThreatsCountermeasuresTricks and TechniquesTCP ACK Packet StormsARP Table ModificationsTCP ResynchronizingRemotely Modifying Routing TablesHost-Level Session HijackingUser Session HijackingCountermeasuresServer Port HijackingDetecting Hijack-Susceptible PortsCountermeasuresApplication-Level HijackingDetecting AttacksCountermeasuresFrequently Asked Questions
22. How Attackers Avoid Detection
Log FloodingCountermeasuresLogging MechanismsCountermeasuresDetection MechanismsCountermeasuresFragmentationSession Splicing AttacksPacket Fragmentation AttacksFragmentation Time-Out AttacksCountermeasuresCanonicalizationCountermeasuresDecoysCountermeasuresHow Attackers Avoid Detection Post-IntrusionUsing RootkitsCountermeasuresHiding DataHidden File AttributeHiding Files on Windows SystemsHiding Files on UNIX SystemsNTFS Alternate File StreamsReplacing and Renaming FilesSteganographyTampering with Log FilesCountermeasuresFrequently Asked Questions
23. Attackers Using Non-Network Methods to Gain Access
Gaining Physical Access to Information ResourcesPhysical IntrusionComputersWiring ClosetsMailrooms, File Cabinets, Labs, and Equipment RoomsRemote SurveillanceLooking in WindowsHigh-Tech Shoulder SurfingElectronic EavesdroppingSniffing Wireless NetworksCapturing Traffic DownstreamRetrieving Voice MailTargeted Equipment TheftDumpsters and Recycling BinsLease Returns, Auctions, and Equipment ResalesComputersRemovable Storage Devices and Specialized HardwareMediaDocumentationUsing Social EngineeringBriberyAssuming a Position of AuthorityForgeryFlatteryFrequently Asked Questions
IV. Security Assessment Case Studies
24. Web Threats
Client-Level ThreatsCross-Site Scripting AttacksFinding XSS VectorsCountermeasuresUnpatched Web Browser AttacksCountermeasuresServer-Level ThreatsRepudiationInformation DisclosureServer Header ExposureCountermeasuresDirectory BrowsingCountermeasuresElevation of PrivilegesMissing PatchesCountermeasuresUnknown VulnerabilitiesCountermeasuresMitigating Buffer Overruns with URLScanMaxUrlMaxQueryString"Max-" Header PrefixMaxAllowedContentLengthNonessential ServicesOperating System ServicesCountermeasuresWeb Server ServicesCountermeasuresCanonicalization AttacksCountermeasuresDenial of ServiceService-Level ThreatsUnauthorized AccessCountermeasuresNetwork SniffingCountermeasuresTamperingCountermeasuresInformation DisclosureCountermeasuresFrequently Asked Questions
25. E-Mail Threats
Client-Level ThreatsAttaching Malicious FilesCountermeasuresEducate UsersEnable E-Mail Client ProtectionInstall Antivirus SoftwareCreate PolicyExploiting Unpatched E-Mail ClientsCountermeasuresEmbedding Malicious ContentCountermeasuresExploiting User TrustSpoofed E-MailsCountermeasuresPhishing AttacksCountermeasuresE-Mail ScamsCountermeasuresServer-Level ThreatsAttaching Malicious FilesCountermeasuresSpoofing E-MailCountermeasuresExploiting Unpatched E-Mail ServersCountermeasuresSpamWhy You Should Be Concerned About SpamTricks and TechniquesConfirming E-Mail Addresses Using Unsubscribe RequestsCountermeasuresUsing Web BeaconsCountermeasuresUsing Windows Messenger Service to SpamCountermeasuresBypassing Spam FiltersCountermeasuresHarvesting User E-Mails from Public Discussion ForumsCountermeasuresRandomizing the Contents of SpamCountermeasuresAbusing Third-Party Mail RelaysCountermeasuresWhat Is Being Done About SpamFrequently Asked Questions
26. Domain Controller Threats
Password AttacksCountermeasuresDisabling LAN Manager HashesDisabling Reversible EncryptionForcing Strong Passwords Across DomainsEducating Users to Use Secure PasswordsUsing the System Key UtilityElevation of PrivilegeExploiting Nonessential ServicesEnumerating Services on Your Domain ControllerExploiting Nonessential AccountsIdentifying Your Nonessential AccountsCountermeasuresExploiting Unpatched Domain ControllersCountermeasuresAttacking Privileged Domain Accounts and GroupsIdentifying Group MembershipCountermeasuresDenial of ServiceCountermeasuresPhysical Security ThreatsCountermeasuresFrequently Asked Questions
27. Extranet and VPN Threats
Fundamentals of Secure Network DesignDual-Homed HostScreened HostScreened SubnetsSplit Screened SubnetsPenetration Testing an ExtranetA Sample Extranet Penetration TestGathering InformationGetting Your Foot in the DoorExploring the Internal NetworkExpanding Your InfluenceFrequently Asked Questions
V. Appendixes
A. Checklists
Penetration Test ChecklistsChapter 8: Information ReconnaissanceChapter 9: Host Discovery Using DNS and NetBIOSChapter 10: Network and Host DiscoveryChapter 11: Port ScanningChapter 12: Obtaining Information from a HostChapter 13: War Dialing, War Driving, and Bluetooth AttacksChapter 14: Automated Vulnerability DetectionChapter 15: Password AttacksChapter 16: Denial of Service AttacksChapter 17: Application AttacksChapter 18: Database AttacksChapter 19: Network SniffingChapter 20: SpoofingChapter 21: Session HijackingChapter 22: How Attackers Avoid DetectionChapter 23: Attackers Using Non-Network Methods to Gain AccessChapter 24: Web ThreatsChapter 25: E-Mail ThreatsChapter 26: Domain Controller ThreatsChapter 27: Extranet and VPN ThreatsCountermeasures ChecklistsChapter 8: Information ReconnaissanceChapter 9: Host Discovery Using DNS and NetBIOSChapter 10: Network and Host DiscoveryChapter 11: Port ScanningChapter 12: Obtaining Information from a HostChapter 13: War Dialing, War Driving, and Bluetooth AttacksChapter 15: Password AttacksChapter 16: Denial of Service AttacksChapter 17: Application AttacksChapter 18: Database AttacksChapter 19: Network SniffingChapter 20: SpoofingChapter 21: Session HijackingChapter 22: How Attackers Avoid DetectionChapter 23: Attackers Using Non-Network Methods to Gain AccessChapter 24: Web ThreatsChapter 25: E-Mail ThreatsChapter 26: Domain Controller ThreatsChapter 27: Extranet and VPN Threats
B. References
Chapter 1: Introduction to Performing Security AssessmentsChapter 2: Key Principles of SecurityChapter 3: Using Vulnerability Scanning to Assess Network SecurityChapter 4: Conducting a Penetration TestChapter 5: Performing IT Security AuditsChapter 6: Reporting Your FindingsChapter 7: Building and Maintaining Your Security Assessment SkillsChapter 8: Information ReconnaisanceChapter 9: Host Discovery Using DNS and NetBIOSChapter 10: Network and Host DiscoveryChapter 11: Port ScanningChapter 12: Obtaining Information from a HostChapter 13: War Dialing, War Driving, and Bluetooth AttacksChapter 14: Automated Vulnerability DetectionChapter 15: Password AttacksChapter 16: Denial of Service AttacksChapter 17: Application AttacksChapter 18: Database AttacksChapter 19: Network SniffingChapter 20: SpoofingChapter 21: Session HijackingChapter 22: How Attackers Avoid DetectionChapter 23: Attackers Using Non-Network Methods to Gain AccessChapter 24: Web ThreatsChapter 25: E-Mail ThreatsChapter 26: Domain Controller ThreatsChapter 27: Extranet and VPN Threats
About the Authors
Index
About the Authors
Copyright

Content preview from Assessing Network Security

Chapter 13. War Dialing, War Driving, and Bluetooth Attacks

As the saying goes, there is more than one way to skin a cat, and in the digital security world this saying holds some definite truth. Attackers can often compromise an organization’s network without ever having to touch a perimeter firewall. This chapter is about some of the ways they do this—for example, by compromising a dial-up-enabled system, which can provide almost immediate access to internal networks. Dial-up access is a threat that tends to be overlooked or neglected by almost every organization, and in this chapter you’ll look at the dangers of doing so. You’ll also look at threats created by deploying wireless networks, and finally, you’ll look at issues that are specific ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 0735620334Errata

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Assessing Network Security

by Ben Smith, Kevin Lam, David LeBlanc

Chapter 13. War Dialing, War Driving, and Bluetooth Attacks

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.