book

Network Security Assessment, 3rd Edition

by Chris McNab

December 2016

Beginner

494 pages

12h 34m

English

O'Reilly Media, Inc.

Read now

Unlock full access

OverviewAudienceOrganizationUse of RFC and CVE ReferencesVulnerabilities Covered in This BookRecognized Assessment StandardsNIST SP 800-115NSA IAMCESG CHECKCESG Recognized QualificationsPCI DSSPTESMirror Site for Tools Mentioned in This BookUsing Code ExamplesConventions Used in This BookO’Reilly SafariComments and QuestionsAcknowledgmentsTechnical Reviewers and Contributors
The State of the ArtThreats and Attack SurfaceAttacking Client SoftwareAttacking Server SoftwareAttacking Web ApplicationsExposed LogicAssessment FlavorsStatic AnalysisDynamic TestingWhat This Book Covers
Network Security Assessment MethodologyReconnaissanceVulnerability ScanningInvestigation of VulnerabilitiesExploitation of VulnerabilitiesAn Iterative Assessment ApproachYour Testing PlatformUpdating Kali LinuxDeploying a Vulnerable Server
The Fundamental Hacking ConceptWhy Software Is VulnerableConsidering Attack SurfaceA Taxonomy of Software Security ErrorsThreat ModelingSystem ComponentsAdversarial GoalsSystem Access and Execution ContextAttacker EconomicsAttacking C/C++ ApplicationsRuntime Memory LayoutProcessor Registers and MemoryWriting to MemoryReading from MemoryCompiler and OS Security FeaturesCircumventing Common Safety FeaturesLogic Flaws and Other BugsCryptographic WeaknessesVulnerabilities and Adversaries Recap
Querying Search Engines and WebsitesGoogle SearchQuerying NetcraftUsing ShodanDomainToolsPGP Public Key ServersSearching LinkedInDomain WHOISManual WHOIS QueryingIP WHOISIP WHOIS Querying Tools and ExamplesBGP EnumerationDNS QueryingForward DNS QueryingDNS Zone Transfer TechniquesForward DNS GrindingReverse DNS SweepingIPv6 Host EnumerationCross-Referencing DNS DatasetsSMTP ProbingAutomating EnumerationEnumeration Technique RecapEnumeration Countermeasures
Data Link Protocols802.3 Ethernet Testing802.1Q VLAN802.1X PNACCDP802.1D STPLocal IP ProtocolsDHCPPXELLMNR, NBT-NS, and mDNSWPADInternal Routing ProtocolsIPv6 Network DiscoveryIdentifying Local GatewaysLocal Network Discovery RecapLocal Network Attack Countermeasures
Initial Network Scanning with NmapICMPTCPUDPSCTPBringing Everything TogetherLow-Level IP AssessmentCrafting Arbitrary PacketsTCP/IP Stack FingerprintingIP ID AnalysisManipulating TTL to Reverse Engineer ACLsRevealing Internal IP AddressesVulnerability Scanning with NSEBulk Vulnerability ScanningIDS and IPS EvasionTTL ManipulationData Insertion and Scrambling with SniffJokeConfiguring and Running SniffJokeNetwork Scanning RecapNetwork Scanning Countermeasures
FTPFingerprinting FTP ServicesKnown FTP VulnerabilitiesTFTPKnown TFTP VulnerabilitiesSSHFingerprintingEnumerating FeaturesDefault and Hardcoded CredentialsInsecurely Generated Host KeysSSH Server Software FlawsTelnetDefault Telnet CredentialsTelnet Server Software FlawsIPMIDNSFingerprintingTesting for Recursion SupportKnown DNS Server FlawsMulticast DNSNTPSNMPExploiting SNMPLDAPLDAP AuthenticationLDAP OperationsLDAP Directory StructureFingerprinting and Anonymous BindingBrute-Force Password GrindingObtaining Sensitive DataLDAP Server Implementation FlawsKerberosKerberos KeysTicket FormatKerberos Attack SurfaceLocal AttacksUnauthenticated Remote AttacksKerberos Implementation FlawsVNCAttacking VNC ServersUnix RPC ServicesManually Querying Exposed RPC ServicesRPC Service VulnerabilitiesCommon Network Service Assessment RecapService Hardening and Countermeasures
NetBIOS Name ServiceSMBMicrosoft RPC ServicesAttacking SMB and RPCMapping Network Attack SurfaceAnonymous IPC Access via SMBSMB Implementation FlawsIdentifying Exposed RPC ServicesBrute-Force Password GrindingAuthenticating and Using AccessRemote Desktop ServicesBrute-Force Password GrindingAssessing Transport SecurityRDP Implementation FlawsMicrosoft Services Testing RecapMicrosoft Services Countermeasures
Mail ProtocolsSMTPService FingerprintingMapping SMTP ArchitectureEnumerating Supported Commands and ExtensionsRemotely Exploitable FlawsUser Account EnumerationBrute-Force Password GrindingContent Checking CircumventionReview of Mail Security FeaturesPhishing via SMTPPOP3Service FingerprintingBrute-Force Password GrindingIMAPService FingerprintingBrute-Force Password GrindingKnown IMAP Server FlawsMail Services Testing RecapMail Services Countermeasures

IPsecPacket FormatISAKMP, IKE, and IKEv2IKE AssessmentExploitable IPsec WeaknessesPPTPVPN Testing RecapVPN Services Countermeasures
TLS MechanicsSession NegotiationCipher SuitesKey Exchange and AuthenticationTLS AuthenticationSession ResumptionSession RenegotiationCompressionSTARTTLSUnderstanding TLS VulnerabilitiesExploitable FlawsMitigating TLS ExposuresAssessing TLS EndpointsIdentifying the TLS Library and VersionEnumerating Supported Protocols and Cipher SuitesEnumerating Supported Features and ExtensionsCertificate ReviewStress Testing TLS EndpointsManually Accessing TLS-Wrapped ServicesTLS Service Assessment RecapTLS HardeningWeb Application Hardening
Web Application TypesWeb Application TiersThe Presentation TierTLSHTTPCDNsLoad BalancersPresentation-Tier Data FormatsThe Application TierApplication-Tier Data FormatsThe Data Tier
Identifying Proxy MechanismsEnumerating Valid HostsWeb Server ProfilingAnalyzing Server ResponsesHTTP Header ReviewCrawling and Investigation of ContentActive ScanningWAF DetectionServer and Application Framework FingerprintingIdentifying Exposed ContentQualifying Web Server VulnerabilitiesReviewing Exposed ContentBrute-Force Password GrindingInvestigating Supported HTTP MethodsKnown Microsoft IIS VulnerabilitiesKnown Apache HTTP Server FlawsKnown Apache Coyote WeaknessesKnown Nginx DefectsWeb Server Hardening
Framework and Data Store ProfilingUnderstanding Common FlawsPHPPHP Management ConsolesPHP CMS PackagesApache TomcatThe Manager ApplicationKnown Tomcat FlawsAttacking Apache JServ ProtocolJBoss TestingServer Profiling via HTTPWeb Consoles and Invoker ServletsIdentifying MBeansExploiting MBeansExploiting the RMI Distributed Garbage CollectorKnown JBoss VulnerabilitiesAutomated JBoss ScanningApache StrutsExploiting the DefaultActionMapperJDWPAdobe ColdFusionColdFusion ProfilingExposed Management InterfacesKnown ColdFusion Software DefectsApache Solr VulnerabilitiesDjangoRailsUsing an Application’s Secret TokenNode.jsMicrosoft ASP.NETApplication Framework Security Checklist
MySQLBrute-Force Password GrindingAuthenticated MySQL AttacksPostgreSQLBrute-Force Password GrindingAuthenticated PostgreSQL AttacksMicrosoft SQL ServerBrute-Force Password GrindingAuthenticating and Evaluating ConfigurationOracle DatabaseInteracting with the TNS ListenerOracle SID GrindingDatabase Account Password GrindingAuthenticating with Oracle DatabasePrivilege Escalation and PivotingMongoDBRedisKnown WeaknessesMemcachedApache HadoopNFSApple Filing ProtocoliSCSIData Store Countermeasures
TCP PortsUDP PortsICMP Message Types
Twitter AccountsBug TrackersMailing ListsSecurity Events and Conferences

Content preview from Network Security Assessment, 3rd Edition

Chapter 2. Assessment Workflow and Tools

This chapter outlines my penetration testing approach and describes an effective testing setup. Many assessment tools run on Linux platforms, and Windows-specific utilities are required when attacking Microsoft systems. A flexible, virtualized platform is key. At Matta, we ran a program called Sentinel, through which we evaluated third-party testing vendors for clients in the financial services sector. Each vendor was ranked based on the vulnerabilities identified within the systems we had prepared. In a single test involving 10 vendors, we found that:

Two failed to scan all 65,536 TCP ports
Five failed to report the MySQL service root password of “password”

Some were evaluated multiple times. There seemed to be a lack of adherence to a strict testing methodology, and test results (the final report) varied depending on the consultants involved.

During testing, it is important to remember that there is an entire methodology that you should be following. Engineers and consultants often venture down proverbial rabbit holes, and neglect key areas of the environment.

By the same token, it is also important to quickly identify significant vulnerabilities within a network. As such, this methodology bears two hallmarks: