book

Network Security Assessment, 3rd Edition

by Chris McNab

December 2016

Beginner

494 pages

12h 34m

English

O'Reilly Media, Inc.

Read now

Unlock full access

OverviewAudienceOrganizationUse of RFC and CVE ReferencesVulnerabilities Covered in This BookRecognized Assessment StandardsNIST SP 800-115NSA IAMCESG CHECKCESG Recognized QualificationsPCI DSSPTESMirror Site for Tools Mentioned in This BookUsing Code ExamplesConventions Used in This BookO’Reilly SafariComments and QuestionsAcknowledgmentsTechnical Reviewers and Contributors
The State of the ArtThreats and Attack SurfaceAttacking Client SoftwareAttacking Server SoftwareAttacking Web ApplicationsExposed LogicAssessment FlavorsStatic AnalysisDynamic TestingWhat This Book Covers
Network Security Assessment MethodologyReconnaissanceVulnerability ScanningInvestigation of VulnerabilitiesExploitation of VulnerabilitiesAn Iterative Assessment ApproachYour Testing PlatformUpdating Kali LinuxDeploying a Vulnerable Server
The Fundamental Hacking ConceptWhy Software Is VulnerableConsidering Attack SurfaceA Taxonomy of Software Security ErrorsThreat ModelingSystem ComponentsAdversarial GoalsSystem Access and Execution ContextAttacker EconomicsAttacking C/C++ ApplicationsRuntime Memory LayoutProcessor Registers and MemoryWriting to MemoryReading from MemoryCompiler and OS Security FeaturesCircumventing Common Safety FeaturesLogic Flaws and Other BugsCryptographic WeaknessesVulnerabilities and Adversaries Recap
Querying Search Engines and WebsitesGoogle SearchQuerying NetcraftUsing ShodanDomainToolsPGP Public Key ServersSearching LinkedInDomain WHOISManual WHOIS QueryingIP WHOISIP WHOIS Querying Tools and ExamplesBGP EnumerationDNS QueryingForward DNS QueryingDNS Zone Transfer TechniquesForward DNS GrindingReverse DNS SweepingIPv6 Host EnumerationCross-Referencing DNS DatasetsSMTP ProbingAutomating EnumerationEnumeration Technique RecapEnumeration Countermeasures
Data Link Protocols802.3 Ethernet Testing802.1Q VLAN802.1X PNACCDP802.1D STPLocal IP ProtocolsDHCPPXELLMNR, NBT-NS, and mDNSWPADInternal Routing ProtocolsIPv6 Network DiscoveryIdentifying Local GatewaysLocal Network Discovery RecapLocal Network Attack Countermeasures
Initial Network Scanning with NmapICMPTCPUDPSCTPBringing Everything TogetherLow-Level IP AssessmentCrafting Arbitrary PacketsTCP/IP Stack FingerprintingIP ID AnalysisManipulating TTL to Reverse Engineer ACLsRevealing Internal IP AddressesVulnerability Scanning with NSEBulk Vulnerability ScanningIDS and IPS EvasionTTL ManipulationData Insertion and Scrambling with SniffJokeConfiguring and Running SniffJokeNetwork Scanning RecapNetwork Scanning Countermeasures
FTPFingerprinting FTP ServicesKnown FTP VulnerabilitiesTFTPKnown TFTP VulnerabilitiesSSHFingerprintingEnumerating FeaturesDefault and Hardcoded CredentialsInsecurely Generated Host KeysSSH Server Software FlawsTelnetDefault Telnet CredentialsTelnet Server Software FlawsIPMIDNSFingerprintingTesting for Recursion SupportKnown DNS Server FlawsMulticast DNSNTPSNMPExploiting SNMPLDAPLDAP AuthenticationLDAP OperationsLDAP Directory StructureFingerprinting and Anonymous BindingBrute-Force Password GrindingObtaining Sensitive DataLDAP Server Implementation FlawsKerberosKerberos KeysTicket FormatKerberos Attack SurfaceLocal AttacksUnauthenticated Remote AttacksKerberos Implementation FlawsVNCAttacking VNC ServersUnix RPC ServicesManually Querying Exposed RPC ServicesRPC Service VulnerabilitiesCommon Network Service Assessment RecapService Hardening and Countermeasures
NetBIOS Name ServiceSMBMicrosoft RPC ServicesAttacking SMB and RPCMapping Network Attack SurfaceAnonymous IPC Access via SMBSMB Implementation FlawsIdentifying Exposed RPC ServicesBrute-Force Password GrindingAuthenticating and Using AccessRemote Desktop ServicesBrute-Force Password GrindingAssessing Transport SecurityRDP Implementation FlawsMicrosoft Services Testing RecapMicrosoft Services Countermeasures
Mail ProtocolsSMTPService FingerprintingMapping SMTP ArchitectureEnumerating Supported Commands and ExtensionsRemotely Exploitable FlawsUser Account EnumerationBrute-Force Password GrindingContent Checking CircumventionReview of Mail Security FeaturesPhishing via SMTPPOP3Service FingerprintingBrute-Force Password GrindingIMAPService FingerprintingBrute-Force Password GrindingKnown IMAP Server FlawsMail Services Testing RecapMail Services Countermeasures

IPsecPacket FormatISAKMP, IKE, and IKEv2IKE AssessmentExploitable IPsec WeaknessesPPTPVPN Testing RecapVPN Services Countermeasures
TLS MechanicsSession NegotiationCipher SuitesKey Exchange and AuthenticationTLS AuthenticationSession ResumptionSession RenegotiationCompressionSTARTTLSUnderstanding TLS VulnerabilitiesExploitable FlawsMitigating TLS ExposuresAssessing TLS EndpointsIdentifying the TLS Library and VersionEnumerating Supported Protocols and Cipher SuitesEnumerating Supported Features and ExtensionsCertificate ReviewStress Testing TLS EndpointsManually Accessing TLS-Wrapped ServicesTLS Service Assessment RecapTLS HardeningWeb Application Hardening
Web Application TypesWeb Application TiersThe Presentation TierTLSHTTPCDNsLoad BalancersPresentation-Tier Data FormatsThe Application TierApplication-Tier Data FormatsThe Data Tier
Identifying Proxy MechanismsEnumerating Valid HostsWeb Server ProfilingAnalyzing Server ResponsesHTTP Header ReviewCrawling and Investigation of ContentActive ScanningWAF DetectionServer and Application Framework FingerprintingIdentifying Exposed ContentQualifying Web Server VulnerabilitiesReviewing Exposed ContentBrute-Force Password GrindingInvestigating Supported HTTP MethodsKnown Microsoft IIS VulnerabilitiesKnown Apache HTTP Server FlawsKnown Apache Coyote WeaknessesKnown Nginx DefectsWeb Server Hardening
Framework and Data Store ProfilingUnderstanding Common FlawsPHPPHP Management ConsolesPHP CMS PackagesApache TomcatThe Manager ApplicationKnown Tomcat FlawsAttacking Apache JServ ProtocolJBoss TestingServer Profiling via HTTPWeb Consoles and Invoker ServletsIdentifying MBeansExploiting MBeansExploiting the RMI Distributed Garbage CollectorKnown JBoss VulnerabilitiesAutomated JBoss ScanningApache StrutsExploiting the DefaultActionMapperJDWPAdobe ColdFusionColdFusion ProfilingExposed Management InterfacesKnown ColdFusion Software DefectsApache Solr VulnerabilitiesDjangoRailsUsing an Application’s Secret TokenNode.jsMicrosoft ASP.NETApplication Framework Security Checklist
MySQLBrute-Force Password GrindingAuthenticated MySQL AttacksPostgreSQLBrute-Force Password GrindingAuthenticated PostgreSQL AttacksMicrosoft SQL ServerBrute-Force Password GrindingAuthenticating and Evaluating ConfigurationOracle DatabaseInteracting with the TNS ListenerOracle SID GrindingDatabase Account Password GrindingAuthenticating with Oracle DatabasePrivilege Escalation and PivotingMongoDBRedisKnown WeaknessesMemcachedApache HadoopNFSApple Filing ProtocoliSCSIData Store Countermeasures
TCP PortsUDP PortsICMP Message Types
Twitter AccountsBug TrackersMailing ListsSecurity Events and Conferences

Content preview from Network Security Assessment, 3rd Edition

Chapter 1. Introduction to Network Security Assessment

This chapter introduces the underlying economic principles behind computer network exploitation and defense, describing the current state of affairs and recent changes to the landscape. To realize a defendable environment, you must adopt a proactive approach to security—one that starts with assessment to understand your exposure. Many different flavors of assessment exist, from static analysis of a given application and its code to dynamic testing of running systems. I categorize the testing options here, and list the domains that this book covers in detail.

The State of the Art

I started work on the first edition of this book almost 20 years ago, before computer network exploitation was industrialized by governments and organized criminals to the scale we know today. The zero-day exploit sales business was yet to exist, and hackers were the apex predator online, trading warez over IRC.

The current state of affairs is deeply concerning. Modern life relies heavily on computer networks and applications, which are complex and accelerating in many directions (think cloud applications, medical devices, and self-driving cars). Increasing consumer uptake of flawed products introduces vulnerability.

The Internet is the primary enabler of the global economic system, and relied on for just about everything. An International Institute for Applied Systems Analysis (IIASA) study predicted that total loss of Internet service in a country ...