book

Network Security Assessment

Name: Network Security Assessment
Author: Chris McNab
ISBN: 9780596006112

by Chris McNab

March 2004

Intermediate to advanced

396 pages

11h

English

O'Reilly Media, Inc.

Read now

Unlock full access

A Note Regarding Supplemental Files
Foreword
About Bob Ayers
Preface
Recognized Assessment StandardsNSA IAMCESG CHECKHackers DefinedOrganizationAudienceMirror Site for Tools Mentioned in This BookUsing Code ExamplesConventions Used in This BookComments and QuestionsAcknowledgments
1. Network Security Assessment
1.1. The Business Benefits1.2. IP: The Foundation of the Internet1.3. Classifying Internet-Based Attackers1.4. Assessment Service Definitions1.5. Network Security Assessment Methodology1.5.1. Internet Host and Network Enumeration1.5.2. Bulk Network Scanning and Probing1.5.3. Investigation of Vulnerabilities1.5.4. Exploitation of Vulnerabilities1.6. The Cyclic Assessment Approach
2. The Tools Required
2.1. The Operating Systems2.1.1. Windows NT Family Platforms2.1.2. Linux2.1.3. MacOS X2.1.4. VMware2.2. Free Network Scanning Tools2.2.1. nmap2.2.2. Nessus2.2.3. NSAT2.2.4. Foundstone SuperScan2.3. Commercial Network Scanning Tools2.4. Protocol-Dependent Assessment Tools2.4.1. Microsoft NetBIOS, SMB, and CIFS2.4.1.1. Enumeration and information gathering tools2.4.1.2. Brute-force password guessing tools2.4.2. DNS2.4.3. HTTP and HTTPS
3. Internet Host and Network Enumeration
3.1. Web Search Engines3.1.1. Google Advanced Search Functionality3.1.1.1. Enumerating CIA contact details with Google3.1.1.2. Effective search query strings3.1.2. Searching Newsgroups3.2. NIC Querying3.2.1. NIC Querying Tools and Examples3.2.1.1. Using the Sam Spade Windows client3.2.1.2. Using the Unix whois utility3.2.1.3. Directly querying ARIN3.2.1.4. Harvesting user details through WHOIS3.3. DNS Querying3.3.1. Forward DNS Querying3.3.1.1. Forward DNS querying through nslookup3.3.1.2. Forward DNS querying through host3.3.1.3. Forward DNS querying through dig3.3.1.4. Information retrieved through forward DNS querying3.3.2. DNS Zone Transfer Techniques3.3.2.1. Performing DNS zone transfers with nslookup3.3.2.2. Information retrieved through DNS zone transfer3.3.2.3. Performing DNS zone transfers using host and dig3.3.2.4. Further querying3.3.2.5. Mapping subdomains with host3.3.2.6. Example of a DNS zone transfer refusal3.3.3. Reverse DNS Sweeping3.3.4. SMTP Probing3.4. Enumeration Technique Recap3.5. Enumeration Countermeasures
4. IP Network Scanning
4.1. ICMP Probing4.1.1. SING4.1.2. nmap4.1.3. Gleaning Internal IP Addresses4.1.4. Identifying Subnet Broadcast Addresses4.2. TCP Port Scanning4.2.1. Standard Scanning Methods4.2.1.1. Vanilla connect( ) scanning4.2.1.1.1. Tools that perform connect( ) TCP scanning4.2.1.2. Half-open SYN flag scanning4.2.1.2.1. Tools that perform half-open SYN scanning4.2.2. Stealth TCP Scanning Methods4.2.2.1. Inverse TCP flag scanning4.2.2.1.1. Tools that perform inverse TCP flag scanning4.2.2.2. ACK flag probe scanning4.2.2.2.1. Analysis of the TTL field of received packets4.2.2.2.2. Analysis of the WINDOW field of received packets4.2.2.2.3. Tools that perform ACK flag probe scanning4.2.3. Third-Party and Spoofed TCP Scanning Methods4.2.3.1. FTP bounce scanning4.2.3.1.1. Tools that perform FTP bounce port scanning4.2.3.2. Proxy bounce scanning4.2.3.3. Sniffer-based spoofed scanning4.2.3.4. IP ID header scanning4.3. UDP Port Scanning4.3.1. Tools That Perform UDP Port Scanning4.4. IDS Evasion and Filter Circumvention4.4.1. Fragmenting Probe Packets4.4.1.1. fragtest4.4.1.2. fragroute4.4.1.2.1. fragroute.conf4.4.1.3. nmap4.4.2. Emulating Multiple Attacking Hosts4.4.3. Source Routing4.4.3.1. Assessing source-routing vulnerabilities4.4.3.1.1. lsrscan4.4.3.1.2. lsrtunnel4.4.4. Using Specific TCP and UDP Source Ports4.5. Low-Level IP Assessment4.5.1. Analyzing Responses to TCP Probes4.5.1.1. hping24.5.1.2. firewalk4.5.2. Passively Monitoring ICMP Responses4.5.3. IP Fingerprinting4.5.4. TCP Sequence and IP ID Incrementation4.6. Network Scanning Recap4.7. Network Scanning Countermeasures
5. Assessing Remote Information Services
5.1. Remote Information Services5.2. systat and netstat5.3. DNS5.3.1. Retrieving DNS Service Version Information5.3.2. DNS Zone Transfers5.3.3. DNS Information Leaks and Reverse Lookup Attacks5.3.4. BIND Vulnerabilities5.3.4.1. BIND TSIG overflow exploit5.3.5. Microsoft DNS Service Vulnerabilities5.3.5.1. Extracting Active Directory network service information5.3.5.2. Remote vulnerabilities in the Microsoft DNS server5.4. finger5.4.1. finger Information Leaks5.4.2. finger Redirection5.4.3. Directly Exploitable finger Bugs5.5. auth5.5.1. auth Process Manipulation Vulnerabilities5.6. SNMP5.6.1. ADMsnmp5.6.2. snmpwalk5.6.3. Default Community Strings5.6.4. Compromising Devices by Reading from SNMP5.6.5. Compromising Devices by Writing to SNMP5.6.6. SNMP Process-Manipulation Vulnerabilities5.7. LDAP5.7.1. Anonymous LDAP Access5.7.2. LDAP Brute Force5.7.3. Active Directory Global Catalog5.7.4. LDAP Process Manipulation Vulnerabilities5.8. rwho5.9. RPC rusers5.10. Remote Information Services Countermeasures
6. Assessing Web Services
6.1. Web Services6.2. Identifying the Web Service6.2.1. HTTP HEAD6.2.2. HTTP OPTIONS6.2.2.1. Common HTTP OPTIONS responses6.2.3. Automated Web Service Fingerprinting6.2.3.1. WebServerFP6.2.3.2. hmap6.2.3.3. 404print6.2.4. Identifying the Web Service Through an SSL Tunnel6.3. Identifying Subsystems and Components6.3.1. ASP.NET6.3.2. WebDAV6.3.3. Microsoft FrontPage6.3.4. Microsoft Outlook Web Access6.3.4.1. Exchange 5.5 OWA public folders information leak6.3.5. Default IIS ISAPI Extensions6.3.6. PHP6.3.7. OpenSSL6.4. Investigating Web Service Vulnerabilities6.4.1. The Tools6.4.1.1. nikto6.4.1.2. N-Stealth6.4.2. Security Web Sites and Mailing Lists6.4.3. Microsoft IIS Vulnerabilities6.4.3.1. IIS ASP sample scripts and tools6.4.3.2. HTR (ISM.DLL) extension exposures6.4.3.2.1. IIS HTR administrative scripts6.4.3.2.2. HTR process-manipulation vulnerabilities6.4.3.2.3. Reading sensitive files through HTR requests6.4.3.3. HTW (WEBHITS.DLL) extension exposures6.4.3.4. IIS Unicode exploit6.4.3.4.1. Unicode revisited6.4.3.4.2. Unicode limitations and tools6.4.3.5. PRINTER (MSW3PRT.DLL) extension overflow6.4.3.6. IDA (IDQ.DLL) extension overflow6.4.3.7. IIS WebDAV vulnerability6.4.3.8. Microsoft FrontPage exposures6.4.3.9. Poorly configured IIS permissions6.4.4. Apache Vulnerabilities6.4.4.1. Apache chunk-handling vulnerability6.4.4.1.1. Apache chunk handling BSD exploit6.4.4.1.2. Apache chunk handling Win32 exploit6.4.4.2. Other Apache exposures and vulnerabilities6.4.5. OpenSSL Vulnerabilities6.4.5.1. OpenSSL client key overflow6.4.5.2. Other OpenSSL exposures and vulnerabilities6.4.6. HTTP Proxy Component Exposures6.4.6.1. HTTP CONNECT6.4.6.2. HTTP POST6.4.6.3. HTTP GET6.4.6.4. Testing HTTP proxies6.5. Accessing Poorly Protected Information6.5.1. Brute-Forcing HTTP Authentication6.6. Assessing CGI Scripts and Custom ASP Pages6.6.1. Parameter Manipulation and Filter Evasion6.6.1.1. URL query-string manipulation6.6.1.2. User cookie manipulation6.6.1.3. Form field manipulation6.6.1.4. Filter evasion6.6.2. Error-Handling Problems6.6.3. Operating System Command Injection6.6.3.1. Run arbitrary system commands6.6.3.2. Modify parameters passed to system commands6.6.3.3. Execute additional commands6.6.3.4. Operating system command-injection countermeasures6.6.4. SQL Command Injection6.6.4.1. Basic testing methodology6.6.4.2. Calling stored procedures6.6.4.2.1. xp_cmdshell6.6.4.2.2. sp_makewebtask6.6.4.2.3. xp_regread6.6.4.3. Compromising data using SELECT and INSERT6.6.5. Web Application Assessment Tools6.6.5.1. Achilles6.7. Web Services Countermeasures
7. Assessing Remote Maintenance Services
7.1. Remote Maintenance Services7.2. SSH7.2.1. SSH Fingerprinting7.2.2. SSH Brute-Force Password Grinding7.2.3. SSH Vulnerabilities7.2.3.1. SSH1 CRC32 compensation vulnerability7.2.3.2. SSH1 CRC32 compensation exploit7.2.3.3. OpenSSH challenge-response vulnerability7.2.3.4. OpenSSH challenge-response exploit7.2.3.5. Other remotely exploitable SSH flaws7.3. Telnet7.3.1. Telnet Service Fingerprinting7.3.1.1. telnetfp7.3.1.2. Manual telnet fingerprinting7.3.2. Telnet Brute-Force Password-Grinding7.3.2.1. Common device telnet passwords7.3.2.2. Dictionary files and word lists7.3.3. Telnet Vulnerabilities7.3.3.1. System V-derived /bin/login static overflow vulnerability7.3.3.2. Solaris /bin/login static overflow exploits7.3.3.3. BSD-derived telrcv( ) heap overflow vulnerability7.3.3.4. FreeBSD telrcv( ) heap overflow exploit7.3.3.5. Other remotely exploitable Telnet bugs7.4. R-Services7.4.1. Directly Accessing R-Services7.4.1.1. Unix ~/.rhosts and /etc/hosts.equiv files7.4.2. R-Services Brute Force7.4.3. Spoofing RSH Connections7.4.4. Known R-Services Vulnerabilities7.5. X Windows7.5.1. X Windows Authentication7.5.1.1. xhost7.5.1.2. xauth7.5.2. Assessing X Servers7.5.2.1. List open windows7.5.2.2. Take screenshots of specific open windows7.5.2.3. Capture keystrokes typed in specific windows7.5.2.4. Send keystrokes to specific windows7.5.3. Known X Window System Vulnerabilities7.6. Microsoft Remote Desktop Protocol7.6.1. RDP Brute-Force Password Grinding7.6.2. RDP Vulnerabilities7.7. VNC7.7.1. VNC Brute-Force Password Grinding7.8. Citrix7.8.1. Using The Citrix ICA Client7.8.2. Accessing Nonpublic Published Applications7.8.3. Citrix Vulnerabilities7.9. Remote Maintenance Services Countermeasures

8. Assessing FTP and Database Services
8.1. FTP8.2. FTP Banner Grabbing and Enumeration8.2.1. Analyzing FTP Banners8.2.2. Assessing FTP Permissions8.3. FTP Brute-Force Password Guessing8.4. FTP Bounce Attacks8.4.1. FTP Bounce Port Scanning8.4.2. FTP Bounce Exploit Payload Delivery8.5. Circumventing Stateful Filters Using FTP8.5.1. PORT and PASV8.5.2. PASV Abuse8.6. FTP Process Manipulation Attacks8.6.1. Solaris and BSD FTP Globbing Issues8.6.2. WU-FTPD Vulnerabilities8.6.2.1. Exploiting WU-FTPD 2.6.1 on Linux with 7350wurm8.6.3. ProFTPD Vulnerabilities8.6.4. Microsoft IIS FTP Server8.7. FTP Services Countermeasures8.8. Database Services8.9. Microsoft SQL Server8.9.1. SQL Server Enumeration8.9.2. SQL Server Brute Force8.9.2.1. SQLAT8.9.3. SQL Server Process Manipulation Vulnerabilities8.10. Oracle8.10.1. TNS Listener Enumeration and Information Leak Attacks8.10.1.1. Pinging the TNS Listener8.10.1.2. Retrieving Oracle version and platform information8.10.1.3. Other TNS Listener commands8.10.1.4. Retrieving the current status of the TNS Listener8.10.1.5. Executing an information leak attack8.10.2. TNS Listener Process-Manipulation Vulnerabilities8.10.2.1. TNS Listener COMMAND stack overflow (CVE-2001-0499) exploit8.10.2.2. Creating files using the TNS Listener (CVE-2000-0818)8.10.3. Oracle Brute-Force and Post-Authentication Issues8.10.3.1. OAT8.10.3.2. MetaCoretex8.11. MySQL8.11.1. MySQL Enumeration8.11.2. MySQL Brute Force8.11.3. MySQL Process-Manipulation Vulnerabilities8.12. Database Services Countermeasures
9. Assessing Windows Networking Services
9.1. Microsoft Windows Networking Services9.1.1. SMB, CIFS, and NetBIOS9.2. Microsoft RPC Services9.2.1. Enumerating System Information9.2.1.1. epdump9.2.1.2. Known IFID values9.2.1.3. rpdump and ifids9.2.1.4. RpcScan9.2.2. Gleaning User Details via SAMR and LSARPC Interfaces9.2.2.1. walksam9.2.2.2. rpcclient9.2.3. Brute-Forcing Administrator Passwords9.2.4. Executing Arbitrary Commands9.2.5. Exploiting RPC Services Directly9.3. The NetBIOS Name Service9.3.1. Enumerating System Details9.3.2. Attacking the NetBIOS Name Service9.4. The NetBIOS Datagram Service9.5. The NetBIOS Session Service9.5.1. Enumerating System Details9.5.1.1. enum9.5.1.2. winfo9.5.1.3. GetAcct9.5.2. Brute-Forcing User Passwords9.5.3. Authenticating with NetBIOS9.5.4. Executing Commands9.5.5. Accessing and Modifying Registry Keys9.5.6. Accessing The SAM Database9.6. The CIFS Service9.6.1. CIFS Enumeration9.6.1.1. User enumeration through smbdumpusers9.6.2. CIFS Brute Force9.7. Unix Samba Vulnerabilities9.8. Windows Networking Services Countermeasures
10. Assessing Email Services
10.1. Email Service Protocols10.2. SMTP10.2.1. SMTP Service Fingerprinting10.2.2. Sendmail10.2.2.1. Sendmail information leak exposures10.2.2.1.1. EXPN10.2.2.1.2. VRFY10.2.2.1.3. RCPT TO:10.2.2.2. Automating Sendmail user enumeration10.2.2.3. Sendmail process manipulation vulnerabilities10.2.3. Microsoft Exchange SMTP Service10.2.4. SMTP Open Relay Testing10.2.5. SMTP Relay and Anti-Virus Circumvention10.3. POP-2 and POP-310.3.1. POP-3 Brute-Force Password-Grinding10.3.2. POP-3 Process Manipulation Attacks10.3.2.1. Qualcomm QPOP process-manipulation vulnerabilities10.3.2.2. Microsoft Exchange POP-3 process-manipulation vulnerabilities10.4. IMAP10.4.1. IMAP Brute Force10.4.2. IMAP Process Manipulation Attacks10.5. Email Services Countermeasures
11. Assessing IP VPN Services
11.1. IPsec VPNs11.1.1. ISAKMP and IKE11.1.1.1. Main mode IKE11.1.1.2. Aggressive mode IKE11.2. Attacking IPsec VPNs11.2.1. IPsec Enumeration11.2.2. Initial ISAKMP Service Probing11.2.3. Investigating Known ISAKMP and IKE Weaknesses11.2.4. Aggressive Mode IKE PSK Cracking11.3. Check Point VPN Security Issues11.3.1. Check Point IKE Username Enumeration11.3.2. Check Point Telnet Service Username Enumeration11.3.3. Check Point SecuRemote Information Leak Attacks11.3.3.1. Sniffing interface IP addresses11.3.3.2. Downloading SecuRemote network topology information11.3.4. Check Point RDP Firewall Bypass Vulnerability11.4. Microsoft PPTP11.5. VPN Services Countermeasures
12. Assessing Unix RPC Services
12.1. Enumerating Unix RPC Services12.1.1. Identifying RPC Services Without the Portmapper12.2. RPC Service Vulnerabilities12.2.1. Abusing rpc.mountd (100005)12.2.1.1. CVE-1999-000212.2.1.2. CVE-2003-025212.2.1.3. Listing and accessing exported directories through mountd and NFS12.2.2. Multiple Vendor rpc.statd (100024) Vulnerabilities12.2.2.1. CVE-1999-0018 and CVE-1999-001912.2.2.2. CVE-1999-049312.2.2.3. CVE-2000-066612.2.3. Solaris rpc.sadmind (100232) Vulnerabilities12.2.3.1. CVE-1999-097712.2.3.2. CVE-2003-072212.2.4. Solaris rpc.cachefsd (100235) Vulnerability12.2.5. Solaris rpc.snmpXdmid (100249) Vulnerability12.2.6. Multiple Vendor rpc.cmsd (100068) Vulnerabilities12.2.7. Multiple Vendor rpc.ttdbserverd (100083) Vulnerability12.2.7.1. Solaris rpc.ttdbserverd exploit12.2.7.2. IRIX rpc.ttdbserverd exploit12.3. Unix RPC Services Countermeasures
13. Application-Level Risks
13.1. The Fundamental Hacking Concept13.2. The Reasons Why Software Is Vulnerable13.3. Network Service Vulnerabilities and Attacks13.3.1. Memory Manipulation Attacks13.3.2. Runtime Memory Organization13.3.2.1. The text segment13.3.2.2. The data and BSS segments13.3.2.3. The stack13.3.2.4. The heap13.3.3. Processor Registers and Memory13.4. Classic Buffer-Overflow Vulnerabilities13.4.1. Stack Overflows13.4.2. Stack Smash (Saved Instruction Pointer Overwrite)13.4.2.1. Causing a program crash13.4.2.2. Compromising the logical program flow13.4.2.3. Analyzing the program crash13.4.2.4. Creating and injecting shellcode13.4.3. Stack Off-by-One (Saved Frame Pointer Overwrite)13.4.3.1. Analyzing the program crash13.4.3.2. Exploiting an off-by-one bug to modify the instruction pointer13.4.3.3. Exploiting an off-by-one bug to modify data in the parent function’s stack frame13.4.3.4. Off-by-one effectiveness against different processor architectures13.5. Heap Overflows13.5.1. Overflowing the Heap to Compromise Program Flow13.5.2. Other Heap Corruption Attacks13.5.2.1. Heap off-by-one and off-by-five bugs13.5.2.2. Double-free bugs13.5.2.3. Recommended further reading13.6. Integer Overflows13.6.1. Heap Wrap-Around Attacks13.6.2. Negative-Size Bugs13.7. Format String Bugs13.7.1. Reading Adjacent Items on the Stack13.7.2. Reading Data From any Address on the Stack13.7.3. Overwriting Any Word in Memory13.7.4. Recommended Format String Bug Reading13.8. Memory Manipulation Attacks Recap13.9. Mitigating Process Manipulation Risks13.9.1. Nonexecutable Stack and Heap Implementation13.9.2. Use of Canary Values in Memory13.9.3. Running Unusual Server Architecture13.9.4. Compiling Applications From Source13.9.5. Active System Call Monitoring13.10. Recommended Secure Development Reading
14. Example Assessment Methodology
14.1. Network Scanning14.1.1. Initial Network Scanning14.1.2. Full Network Scanning14.1.3. Low-Level Network Testing14.1.3.1. TCP ISN sequence generation14.1.3.2. IP ID sequence generation14.1.3.3. Source routing testing14.1.3.4. Other tests14.2. Accessible Network Service Identification14.2.1. Initial Telnet Service Assessment14.2.2. Initial SSH Service Assessment14.2.3. Initial SMTP Service Assessment14.2.4. Initial Web Service Assessment14.2.4.1. ASP.NET investigation14.2.4.2. ISAPI extension enumeration14.2.4.3. Automated scanning for FrontPage and OWA components14.2.4.4. SSL web service investigation14.3. Investigation of Known Vulnerabilities14.3.1. Cisco IOS Accessible Service Vulnerabilities14.3.2. Solaris 8 Accessible Service Vulnerabilities14.3.3. Windows 2000 Accessible Service Vulnerabilities14.4. Network Service Testing14.4.1. Cisco IOS Router (192.168.10.1)14.4.2. Solaris Mail Server (192.168.10.10)14.4.3. Windows 2000 Web Server (192.168.10.25)14.5. Methodology Flow Diagram14.6. Recommendations14.6.1. Quick Win Recommendations14.6.1.1. Cisco IOS router14.6.1.2. Solaris mail server14.6.1.3. Windows 2000 web server14.6.1.3.1. Disable unnecessary ISAPI extensions14.6.1.3.2. Install URLScan to block HTTP methods and filter requests14.6.2. Long-Term Recommendations14.7. Closing Comments
A. TCP, UDP Ports, and ICMP Message Types
A.1. TCP PortsA.2. UDP PortsA.3. ICMP Message Types
B. Sources of Vulnerability Information
B.1. Security Mailing ListsB.2. Vulnerability Databases and ListsB.3. Underground Web SitesB.4. Security Events and Conferences
Index
Colophon
Copyright

Content preview from Network Security Assessment

Chapter 2. The Tools Required

This chapter describes the operating systems and some key tools required to undertake an IP-based network security assessment. Many advanced TCP/IP assessment utilities are available only for Unix-based systems such as Linux, so you will often find that a competent security consultant uses a variety of tools under different operating systems to assess and successfully penetrate a network. These tools and their respective uses are discussed in detail throughout the book, and they are listed here so that you can select and start to prepare your assessment platform before moving forward.

All tools listed in this book can also be found in the O’Reilly archive at http://examples.oreilly.com/networksa/tools. I have listed the original sites in most cases so that you can freely browse other tools and papers on each respective site.

The Operating Systems

Selecting the operating platforms to use during a network security assessment depends on the type of network you are going to test (e.g., completely Microsoft Windows), and the depth to which you will perform your assessment. Often it is the case that to successfully launch exploit scripts against Linux or Unix systems, access to a Unix-like platform (usually Linux or BSD-derived) is required to correctly compile and run specialist exploit tools. What follows is a discussion of the operating systems that are commonly used.

Windows NT Family Platforms

As Windows NT systems (NT 4.0, 2000, XP, 2003 Server, etc.) start ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 059600611XErrata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Network Security Assessment

by Chris McNab

Chapter 2. The Tools Required