book

Network Security Assessment, 2nd Edition

Name: Network Security Assessment, 2nd Edition
Author: Chris McNab
ISBN: 9780596510305

by Chris McNab

November 2007

Intermediate to advanced

504 pages

13h 21m

English

O'Reilly Media, Inc.

Read now

Unlock full access

A Note Regarding Supplemental Files
Foreword
About Bob Ayers
Preface
OverviewRecognized Assessment StandardsNSA IAMCESG CHECKPCI Data Security StandardsOther Assessment Standards and AssociationsHacking DefinedOrganizationAudienceMirror Site for Tools Mentioned in This BookUsing Code ExamplesConventions Used in This BookComments and QuestionsAcknowledgmentsGuest Authors Featured in This Book
1. Network Security Assessment
The Business BenefitsIP: The Foundation of the InternetClassifying Internet-Based AttackersAssessment Service DefinitionsNetwork Security Assessment MethodologyInternet Host and Network EnumerationBulk Network Scanning and ProbingInvestigation of VulnerabilitiesExploitation of VulnerabilitiesThe Cyclic Assessment Approach
2. Network Security Assessment Platform
Virtualization SoftwareVMwareMicrosoft Virtual PCParallelsOperating SystemsMicrosoft Windows PlatformsLinux PlatformsApple Mac OS XReconnaissance ToolsNetwork Scanning ToolsNmapNessusCommercial Network Scanning ToolsExploitation FrameworksMetasploit FrameworkCommercial Exploitation FrameworksWeb Application Testing ToolsCommercial Web Application Scanning Tools
3. Internet Host and Network Enumeration
Querying Web and Newsgroup Search EnginesGoogle Search FunctionalityEnumerating contact details with GoogleEffective search query stringsSearching NewsgroupsQuerying NetcraftQuerying Domain WHOIS Registrars Using the Unix whois utilityQuerying IP WHOIS RegistrarsIP WHOIS Querying Tools and ExamplesQuerying WHOIS databases to enumerate objects for a given companyUsing WHOIS web search enginesHarvesting user details through WHOISEnumerating WHOIS maintainer objectsBGP QueryingDNS QueryingForward DNS QueryingForward DNS querying through nslookupDNS Zone Transfer TechniquesChecking for DNS zone transfer weaknesses using hostUsing dig to perform a DNS zone transfer using a specific name serverInformation retrieved through DNS zone transferPTR record enumeration through DNS zone transferForward DNS GrindingReverse DNS SweepingWeb Server CrawlingAutomating EnumerationSMTP ProbingEnumeration Technique RecapEnumeration Countermeasures
4. IP Network Scanning
ICMP ProbingICMP Probing ToolsSINGNmapICMPScanIdentifying Subnet Network and Broadcast AddressesGleaning Internal IP AddressesOS Fingerprinting Using ICMPTCP Port ScanningStandard Scanning MethodsVanilla connect( ) scanningTools that perform connect( ) TCP scanning.Half-open SYN flag scanningTools that perform half-open SYN scanning.Stealth TCP Scanning MethodsInverse TCP flag scanningTools that perform inverse TCP flag scanning.ACK flag probe scanningAnalysis of the TTL field of received packets.Analysis of the WINDOW field of received packets.Tools that perform ACK flag probe scanning.Third-Party and Spoofed TCP Scanning MethodsFTP bounce scanningTools that perform FTP bounce port scanning.Proxy bounce scanningSniffer-based spoofed scanningIP ID header scanningUDP Port ScanningTools That Perform UDP Port ScanningIDS Evasion and Filter CircumventionFragmenting Probe PacketsFragtestFragroutefragroute.conf.NmapEmulating Multiple Attacking HostsSource RoutingAssessing source routing vulnerabilitiesLSRScan.LSRTunnel.Using Specific Source Ports to Bypass FilteringLow-Level IP AssessmentAnalyzing Responses to TCP ProbesHping2FirewalkPassively Monitoring ICMP ResponsesIP FingerprintingTCP Sequence and IP ID IncrementationNetwork Scanning RecapNetwork Scanning Countermeasures
5. Assessing Remote Information Services
Remote Information ServicesDNSRetrieving DNS Service Version InformationBIND VulnerabilitiesBIND exploit scriptsMicrosoft DNS Service VulnerabilitiesRemote vulnerabilities in Microsoft DNS and WINS servicesDNS Zone TransfersReverse DNS QueryingForward DNS GrindingFingerFinger Information LeaksFinger RedirectionFinger Process Manipulation VulnerabilitiesAuthAuth Process Manipulation VulnerabilitiesNTPNTP FingerprintingFurther NTP QueryingNTP VulnerabilitiesSNMPADMsnmpsnmpwalkDefault Community StringsCompromising Devices by Reading from SNMPCompromising Devices by Writing to SNMPSNMP Process Manipulation VulnerabilitiesSNMP exploit scriptsLDAPAnonymous LDAP AccessLDAP Brute ForceActive Directory Global CatalogLDAP Process Manipulation VulnerabilitiesLDAP exploit scriptsrwhoRPC rusersRemote Information Services Countermeasures
6. Assessing Web Servers
Web ServersFingerprinting Accessible Web ServersManual Web Server FingerprintingHTTP HEADHTTP OPTIONSCommon HTTP OPTIONS responses.Querying the web server through an SSL tunnelAutomated Web Server FingerprintinghttprintIdentifying and Assessing Reverse Proxy MechanismsHTTP CONNECTHTTP POSTHTTP GETAutomated HTTP Proxy TestingEnumerating Virtual Hosts and Web SitesIdentifying Virtual HostsIdentifying Subsystems and Enabled ComponentsGeneric SubsystemsHTTP 1.0 methodsHTTP 1.1 methodsWebDAVPHPBasic authentication mechanismsMicrosoft-Specific SubsystemsIIS sample and administrative scriptsMicrosoft ASP and ASP.NETMicrosoft ISAPI extensionsMicrosoft Exchange Server WebDAV extensions.Microsoft FrontPageWindows Media ServicesOutlook Web AccessRPC over HTTP supportEnhanced authentication mechanismsApache SubsystemsAutomated Scanning for Interesting ComponentsInvestigating Known VulnerabilitiesGeneric Subsystem VulnerabilitiesCONNECT vulnerabilitiesTRACE vulnerabilitiesPUT and DELETE vulnerabilitiesWebDAV vulnerabilitiesPHP subsystem vulnerabilitiesMicrosoft Web Server and Subsystem VulnerabilitiesIIS 5.0 vulnerabilitiesIIS 5.0 local privilege escalation exploit (CVE-2002-0869)IIS 6.0 vulnerabilitiesASP and ASP.NETISAPI extensionsMicrosoft proprietary WebDAV extensionsMicrosoft FrontPageOutlook Web AccessApache Web Server and Subsystem VulnerabilitiesApache HTTP ServerApache chunk-handling (CVE-2002-0392) BSD exploit.Apache HTTP Server modulesApache TomcatTomcat JSP source code disclosure.OpenSSLOpenSSL client master key overflow (CVE-2002-0656) exploitsBasic Web Server CrawlingWiktoBrute-Forcing HTTP AuthenticationWeb Servers Countermeasures
7. Assessing Web Applications
Web Application Technologies OverviewWeb Application ProfilingHTML Source ReviewManual HTML sifting and analysisAutomated HTML sifting and analysisAnalysis of Server-Side File ExtensionsSession ID FingerprintingJSESSIONID string fingerprintingApache Tomcat 4.x and later.Apache Tomcat 3.x and earlier.Caucho Resin 3.0.21 and later.Caucho Resin 3.0.20 and earlier.IBM WebSphere.Sun Java System Application Server.Active Backend Database Technology AssessmentWeb Application Attack StrategiesServer-Side Script VariablesHTTP Request HeadersHTTP Cookie FieldsXML Request ContentWSDL enumerationAttacking via XMLFilter Evasion TechniquesEncoding and obfuscating attack codeHex encoding.Double-hex encoding.HTML UTF-8 and hex encoding.HTTP request smugglingWeb Application VulnerabilitiesAuthentication IssuesDefault/guessable user accountsHTTP form brute forceSession management weaknessesWeak session ID generation.Session fixation.Insufficient timeout and expiration mechanisms.Parameter ModificationCommand injectionOS command injection.Run arbitrary system commands.Modify parameters passed to system commands.Execute additional commands.SQL injection.Microsoft SQL injection testing methodology.Microsoft stored procedures.xp_cmdshell.sp_makewebtask.xp_regread.Bypassing authentication mechanisms.Compromising data using SELECT, INSERT, and UPDATESELECT.INSERT and UPDATE.Advanced SQL injection readingLDAP injectionLDAP authentication bypass.Reading LDAP data.Command injection countermeasuresFilesystem accessCross-site scriptingWeb Security Checklist

8. Assessing Remote Maintenance Services
Remote Maintenance ServicesFTPFTP Banner Grabbing and EnumerationAnalyzing FTP bannersAssessing FTP PermissionsFTP Brute-Force Password GuessingFTP Bounce AttacksFTP bounce port scanningFTP bounce exploit payload deliveryCircumventing Stateful Filters Using FTPPORT and PASVPASV abuseFTP Process Manipulation AttacksSolaris and BSD FTP glob( ) issuesSolaris glob( ) username grindingOther Solaris glob( ) issuesBSD glob( ) vulnerabilitiesWU-FTPD vulnerabilitiesWU-FTPD exploit scriptsProFTPD vulnerabilitiesProFTPD exploit scriptsMicrosoft IIS FTP serverKnown vulnerabilities in other popular third-party FTP servicesSSHSSH FingerprintingSSH protocol supportSSH Brute-Force Password GrindingSSH VulnerabilitiesSSH exploit scriptsTelnetTelnet Service FingerprintingTelnetFPManual Telnet fingerprintingTelnet Brute-Force Password GrindingCommon device Telnet passwordsDictionary files and word listsTelnet VulnerabilitiesTelnet exploit scriptsR-ServicesDirectly Accessing R-ServicesUnix ~/.rhosts and /etc/hosts.equiv filesR-Services Brute-ForceSpoofing RSH ConnectionsKnown R-Services VulnerabilitiesR-Services exploit scriptsX WindowsX Windows AuthenticationxhostxauthAssessing X ServersList open windowsTake screenshots of specific open windowsCapture keystrokes from specific windowsSend keystrokes to specific windowsKnown X Window System and Window Manager VulnerabilitiesX Windows exploit scriptsCitrixUsing the Citrix ICA ClientAccessing Nonpublic Published ApplicationsCitrix VulnerabilitiesCitrix exploit scriptsMicrosoft Remote Desktop ProtocolRDP Brute-Force Password GrindingRDP VulnerabilitiesVNCVNC Brute-Force Password GrindingVNC VulnerabilitiesVNC exploit scriptsRemote Maintenance Services Countermeasures
9. Assessing Database Services
Microsoft SQL ServerInteracting with Microsoft SQL ServerSQL Server EnumerationSQLPingMetaCoretexSQL Server Brute ForceSQLATSQL Server Process Manipulation VulnerabilitiesSQL resolution service overflow (CVE-2002-0649) demonstrationOracleTNS Listener Enumeration and Information Leak AttacksPinging the TNS listenerRetrieving Oracle version and platform informationOther TNS listener commandsRetrieving the current status of the TNS listenerExecuting an information leak attackTNS Listener Process Manipulation VulnerabilitiesOracle Brute-Force and Post-Authentication IssuesOATMetaCoretexPost-authentication Oracle database vulnerabilities and exploitsOracle XDB ServicesMySQLMySQL EnumerationMySQL Brute ForceMySQL Process Manipulation VulnerabilitiesMySQL exploit scriptsExploitation framework support for MySQL.MySQL UDF library injection.Database Services Countermeasures
10. Assessing Windows Networking Services
Microsoft Windows Networking ServicesSMB, CIFS, and NetBIOSMicrosoft RPC ServicesEnumerating Accessible RPC Server Interfacesepdumprpctools (rpcdump and ifids)RpcScanIdentifying Vulnerable RPC Server InterfacesMicrosoft RPC interface process manipulation bugsGleaning User Details via SAMR and LSARPC InterfaceswalksamAccessing RPC interfaces over SMB and named pipes using rpcclientSMB null sessions and hardcoded named pipesBrute-Forcing Administrator PasswordsEnumerating System Details Through WMIExecuting Arbitrary CommandsThe NetBIOS Name ServiceEnumerating System DetailsAttacking the NetBIOS Name ServiceThe NetBIOS Datagram ServiceThe NetBIOS Session ServiceEnumerating System DetailsenumwinfoGetAcctBrute-Forcing User PasswordsAuthenticating with NetBIOSExecuting CommandsAccessing and Modifying Registry KeysAccessing the SAM DatabaseThe CIFS ServiceCIFS EnumerationUser enumeration through smbdumpusersCIFS Brute ForceUnix Samba VulnerabilitiesWindows Networking Services Countermeasures
11. Assessing Email Services
Email Service ProtocolsSMTPSMTP Service FingerprintingEnumerating Enabled SMTP Subsystems and FeaturesSMTP Brute-Force Password GrindingNTLM overflows through SMTP authenticationSMTP Open Relay TestingSendmail AssessmentSendmail information leak exposuresEXPN.VRFY.RCPT TO:.Automating Sendmail user enumerationSendmail process manipulation vulnerabilitiesSendmail exploit scriptsMicrosoft SMTP Service AssessmentMicrosoft Exchange Server exploit scriptsSMTP Content Checking CircumventionPOP-2 and POP-3POP-3 Brute-Force Password GrindingPOP-3 Process Manipulation AttacksQualcomm QPOP process manipulation vulnerabilitiesMicrosoft Exchange POP-3 process manipulation vulnerabilitiesIMAPIMAP Brute ForceIMAP Process Manipulation AttacksUW IMAP exploit scriptsEmail Services Countermeasures
12. Assessing IP VPN Services
IPsec VPNsISAKMP and IKEMain modeAggressive modeAttacking IPsec VPNsIPsec Service Endpoint EnumerationIPsec Service Endpoint FingerprintingSupported Transform EnumerationInvestigating Known WeaknessesDenial-of-Service VulnerabilitiesMalformed IKE packet DoSNegotiation slots exhaustion attackAggressive Mode IKE PSK User EnumerationAggressive Mode IKE PSK CrackingMicrosoft PPTPSSL VPNsBasic SSL QueryingEnumerating Weak Cipher SupportKnown SSL VulnerabilitiesSSL implementation exploitsSSL VPN web interface issuesVPN Services Countermeasures
13. Assessing Unix RPC Services
Enumerating Unix RPC ServicesIdentifying RPC Services Without Portmapper AccessConnecting to RPC Services Without Portmapper AccessRPC Service VulnerabilitiesAbusing NFS and rpc.mountd (100005)CVE-2003-0252CVE-1999-0832CVE-1999-0002Listing and accessing exported directories through mountd and NFSMultiple Vendor rpc.statd (100024) VulnerabilitiesSolaris rpc.sadmind (100232) VulnerabilitiesCVE-1999-0977CVE-2003-0722Multiple Vendor rpc.cmsd (100068) VulnerabilitiesMultiple Vendor rpc.ttdbserverd (100083) VulnerabilitiesUnix RPC Services Countermeasures
14. Application-Level Risks
The Fundamental Hacking ConceptWhy Software Is VulnerableNetwork Service Vulnerabilities and AttacksMemory Manipulation AttacksRuntime Memory OrganizationThe text segmentThe data and BSS segmentsThe stackThe heapProcessor Registers and MemoryClassic Buffer-Overflow VulnerabilitiesStack OverflowsStack smash (saved instruction pointer overwrite)Causing a program crash.Compromising the logical program flow.Analyzing the program crash.Creating and injecting shellcode.Stack off-by-one (saved frame pointer overwrite)Analyzing the program crashExploiting an off-by-one bug to modify the instruction pointerExploiting an off-by-one bug to modify data in the parent function’s stack frameOff-by-one effectiveness against different processor architecturesHeap OverflowsOverflowing the Heap to Compromise Program FlowOther Heap Corruption AttacksHeap off-by-one and off-by-five bugsDouble-free bugsRecommended further readingInteger OverflowsHeap Wrap-Around AttacksNegative-Size BugsFormat String BugsReading Adjacent Items on the StackReading Data from Any Address on the StackOverwriting Any Word in MemoryRecommended Format String Bug ReadingMemory Manipulation Attacks RecapMitigating Process Manipulation RisksNonexecutable Stack and Heap ImplementationUse of Canary Values in MemoryRunning Unusual Server ArchitectureCompiling Applications from SourceActive System Call MonitoringRecommended Secure Development Reading
15. Running Nessus
Nessus ArchitectureDeployment Options and PrerequisitesNessus InstallationServer InstallationWindows and Mac OS X installationUnix-based installationAdding the first userRegistering Nessus and retrieving the latest plug-insClient InstallationNessusClient 3 and 1NessusWXConfiguring NessusBasic Nessus ConfigurationNessusClient 3 Scanning OptionsSafe checksNessus TCP scannerPing the remote hostNumber of hosts/checks in parallelNessusClient 3 Plug-in SelectionEnable dependencies at runtimeSilent dependenciesNessusClient 3 Advanced OptionsEnable CGI scanningThorough testsOptimize testRunning NessusNessus ReportingRunning Nessus Recap
16. Exploitation Frameworks
Metasploit FrameworkMSF Architecture and FeaturesInterfaceModulesPayloadsUsing MSFFurther ReadingCORE IMPACTIMPACT Architecture & FeaturesAgentsModulesConsoleUsing IMPACTInformation gatheringAttack and penetrationRepositioningImmunity CANVASCANVAS Architecture & FeaturesConsoleModulesMOSDEF nodesAdd-on exploit packs for CANVASUsing CANVASRepositioningFurther informationExploitation Frameworks Recap
A. TCP, UDP Ports, and ICMP Message Types
TCP PortsUDP PortsICMP Message Types
B. Sources of Vulnerability Information
Security Mailing ListsVulnerability Databases and ListsUnderground Web SitesSecurity Events and Conferences
C. Exploit Framework Modules
MSFCORE IMPACTImmunity CANVASGLEG VulnDiscoArgeniss Ultimate 0day Exploits Pack
About the Author
Colophon
Copyright

Content preview from Network Security Assessment, 2nd Edition

Chapter 10. Assessing Windows Networking Services

This chapter focuses on Microsoft RPC, NetBIOS, and CIFS services that are used in large internal networks to support file sharing, printing, and other functions. If these services aren’t configured or protected properly by network filtering devices, they can be used to great effect to enumerate system details and cause a complete network compromise.

Microsoft Windows Networking Services

Microsoft Windows networking services use the following ports:

loc-srv         135/tcp
loc-srv         135/udp
netbios-ns      137/udp
netbios-dgm     138/udp
netbios-ssn     139/tcp
microsoft-ds    445/tcp
microsoft-ds    445/udp

Port 135 is used for RPC client-server communication, and ports 139 and 445 are used for authentication and file sharing. UDP ports 137 and 138 are used for local NetBIOS browser, naming, and lookup functions.

SMB, CIFS, and NetBIOS

The Server Message Block (SMB) protocol facilitates resource sharing in Microsoft Windows environments. Under Windows NT, SMB is run through NetBIOS over TCP/IP, using UDP ports 137 and 138 and TCP port 139. Windows 2000 and later support Common Internet File System (CIFS), which provides full SMB access directly through TCP and UDP port 445 (as opposed to using a variety of UDP and TCP ports). Many system administrators diligently filter access to ports between 135 and 139, but have been known to neglect port 445 when protecting Windows 2000, XP, 2003, and Vista hosts.

Microsoft RPC Services

The Microsoft RPC endpoint mapper (also known ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Network Security Assessment, 3rd Edition

Publisher Resources

ISBN: 9780596510305Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Network Security Assessment, 2nd Edition

by Chris McNab

Chapter 10. Assessing Windows Networking Services