book

Network Security Assessment, 3rd Edition

by Chris McNab

December 2016

Beginner

494 pages

12h 34m

English

O'Reilly Media, Inc.

Read now

Unlock full access

OverviewAudienceOrganizationUse of RFC and CVE ReferencesVulnerabilities Covered in This BookRecognized Assessment StandardsNIST SP 800-115NSA IAMCESG CHECKCESG Recognized QualificationsPCI DSSPTESMirror Site for Tools Mentioned in This BookUsing Code ExamplesConventions Used in This BookO’Reilly SafariComments and QuestionsAcknowledgmentsTechnical Reviewers and Contributors
The State of the ArtThreats and Attack SurfaceAttacking Client SoftwareAttacking Server SoftwareAttacking Web ApplicationsExposed LogicAssessment FlavorsStatic AnalysisDynamic TestingWhat This Book Covers
Network Security Assessment MethodologyReconnaissanceVulnerability ScanningInvestigation of VulnerabilitiesExploitation of VulnerabilitiesAn Iterative Assessment ApproachYour Testing PlatformUpdating Kali LinuxDeploying a Vulnerable Server
The Fundamental Hacking ConceptWhy Software Is VulnerableConsidering Attack SurfaceA Taxonomy of Software Security ErrorsThreat ModelingSystem ComponentsAdversarial GoalsSystem Access and Execution ContextAttacker EconomicsAttacking C/C++ ApplicationsRuntime Memory LayoutProcessor Registers and MemoryWriting to MemoryReading from MemoryCompiler and OS Security FeaturesCircumventing Common Safety FeaturesLogic Flaws and Other BugsCryptographic WeaknessesVulnerabilities and Adversaries Recap
Querying Search Engines and WebsitesGoogle SearchQuerying NetcraftUsing ShodanDomainToolsPGP Public Key ServersSearching LinkedInDomain WHOISManual WHOIS QueryingIP WHOISIP WHOIS Querying Tools and ExamplesBGP EnumerationDNS QueryingForward DNS QueryingDNS Zone Transfer TechniquesForward DNS GrindingReverse DNS SweepingIPv6 Host EnumerationCross-Referencing DNS DatasetsSMTP ProbingAutomating EnumerationEnumeration Technique RecapEnumeration Countermeasures
Data Link Protocols802.3 Ethernet Testing802.1Q VLAN802.1X PNACCDP802.1D STPLocal IP ProtocolsDHCPPXELLMNR, NBT-NS, and mDNSWPADInternal Routing ProtocolsIPv6 Network DiscoveryIdentifying Local GatewaysLocal Network Discovery RecapLocal Network Attack Countermeasures
Initial Network Scanning with NmapICMPTCPUDPSCTPBringing Everything TogetherLow-Level IP AssessmentCrafting Arbitrary PacketsTCP/IP Stack FingerprintingIP ID AnalysisManipulating TTL to Reverse Engineer ACLsRevealing Internal IP AddressesVulnerability Scanning with NSEBulk Vulnerability ScanningIDS and IPS EvasionTTL ManipulationData Insertion and Scrambling with SniffJokeConfiguring and Running SniffJokeNetwork Scanning RecapNetwork Scanning Countermeasures
FTPFingerprinting FTP ServicesKnown FTP VulnerabilitiesTFTPKnown TFTP VulnerabilitiesSSHFingerprintingEnumerating FeaturesDefault and Hardcoded CredentialsInsecurely Generated Host KeysSSH Server Software FlawsTelnetDefault Telnet CredentialsTelnet Server Software FlawsIPMIDNSFingerprintingTesting for Recursion SupportKnown DNS Server FlawsMulticast DNSNTPSNMPExploiting SNMPLDAPLDAP AuthenticationLDAP OperationsLDAP Directory StructureFingerprinting and Anonymous BindingBrute-Force Password GrindingObtaining Sensitive DataLDAP Server Implementation FlawsKerberosKerberos KeysTicket FormatKerberos Attack SurfaceLocal AttacksUnauthenticated Remote AttacksKerberos Implementation FlawsVNCAttacking VNC ServersUnix RPC ServicesManually Querying Exposed RPC ServicesRPC Service VulnerabilitiesCommon Network Service Assessment RecapService Hardening and Countermeasures
NetBIOS Name ServiceSMBMicrosoft RPC ServicesAttacking SMB and RPCMapping Network Attack SurfaceAnonymous IPC Access via SMBSMB Implementation FlawsIdentifying Exposed RPC ServicesBrute-Force Password GrindingAuthenticating and Using AccessRemote Desktop ServicesBrute-Force Password GrindingAssessing Transport SecurityRDP Implementation FlawsMicrosoft Services Testing RecapMicrosoft Services Countermeasures
Mail ProtocolsSMTPService FingerprintingMapping SMTP ArchitectureEnumerating Supported Commands and ExtensionsRemotely Exploitable FlawsUser Account EnumerationBrute-Force Password GrindingContent Checking CircumventionReview of Mail Security FeaturesPhishing via SMTPPOP3Service FingerprintingBrute-Force Password GrindingIMAPService FingerprintingBrute-Force Password GrindingKnown IMAP Server FlawsMail Services Testing RecapMail Services Countermeasures

IPsecPacket FormatISAKMP, IKE, and IKEv2IKE AssessmentExploitable IPsec WeaknessesPPTPVPN Testing RecapVPN Services Countermeasures
TLS MechanicsSession NegotiationCipher SuitesKey Exchange and AuthenticationTLS AuthenticationSession ResumptionSession RenegotiationCompressionSTARTTLSUnderstanding TLS VulnerabilitiesExploitable FlawsMitigating TLS ExposuresAssessing TLS EndpointsIdentifying the TLS Library and VersionEnumerating Supported Protocols and Cipher SuitesEnumerating Supported Features and ExtensionsCertificate ReviewStress Testing TLS EndpointsManually Accessing TLS-Wrapped ServicesTLS Service Assessment RecapTLS HardeningWeb Application Hardening
Web Application TypesWeb Application TiersThe Presentation TierTLSHTTPCDNsLoad BalancersPresentation-Tier Data FormatsThe Application TierApplication-Tier Data FormatsThe Data Tier
Identifying Proxy MechanismsEnumerating Valid HostsWeb Server ProfilingAnalyzing Server ResponsesHTTP Header ReviewCrawling and Investigation of ContentActive ScanningWAF DetectionServer and Application Framework FingerprintingIdentifying Exposed ContentQualifying Web Server VulnerabilitiesReviewing Exposed ContentBrute-Force Password GrindingInvestigating Supported HTTP MethodsKnown Microsoft IIS VulnerabilitiesKnown Apache HTTP Server FlawsKnown Apache Coyote WeaknessesKnown Nginx DefectsWeb Server Hardening
Framework and Data Store ProfilingUnderstanding Common FlawsPHPPHP Management ConsolesPHP CMS PackagesApache TomcatThe Manager ApplicationKnown Tomcat FlawsAttacking Apache JServ ProtocolJBoss TestingServer Profiling via HTTPWeb Consoles and Invoker ServletsIdentifying MBeansExploiting MBeansExploiting the RMI Distributed Garbage CollectorKnown JBoss VulnerabilitiesAutomated JBoss ScanningApache StrutsExploiting the DefaultActionMapperJDWPAdobe ColdFusionColdFusion ProfilingExposed Management InterfacesKnown ColdFusion Software DefectsApache Solr VulnerabilitiesDjangoRailsUsing an Application’s Secret TokenNode.jsMicrosoft ASP.NETApplication Framework Security Checklist
MySQLBrute-Force Password GrindingAuthenticated MySQL AttacksPostgreSQLBrute-Force Password GrindingAuthenticated PostgreSQL AttacksMicrosoft SQL ServerBrute-Force Password GrindingAuthenticating and Evaluating ConfigurationOracle DatabaseInteracting with the TNS ListenerOracle SID GrindingDatabase Account Password GrindingAuthenticating with Oracle DatabasePrivilege Escalation and PivotingMongoDBRedisKnown WeaknessesMemcachedApache HadoopNFSApple Filing ProtocoliSCSIData Store Countermeasures
TCP PortsUDP PortsICMP Message Types
Twitter AccountsBug TrackersMailing ListsSecurity Events and Conferences

Content preview from Network Security Assessment, 3rd Edition

Chapter 4. Internet Network Discovery

This chapter describes the first steps taken when assuming the role of an Internet-based attacker. A competent adversary will use open sources to map an organization’s networks and identify its users. Here are three of those sources:

Web search engines and sites (e.g., Google, Netcraft, and LinkedIn)
WHOIS registries
Accessible DNS servers

The majority of this probing is indirect, sending traffic to websites including Google, and public WHOIS and DNS servers. Two tactics involve sending traffic to the target network, however, as follows:

Probing the target’s own DNS servers
Network probing via SMTP

Through initial reconnaissance, you can identify potential weaknesses. Peripheral systems are commonly insecure when compared to publicized web, application server, and mail endpoints.

The reconnaissance process is iterative, repeating enumeration tasks upon uncovering new information (such as a domain name, or office location). The agreed scope of an assessment exercise defines the boundaries, which sometimes might include third parties. Target Corporation suffered a severe compromise in 2013, in which the VPN credentials of a vendor were reportedly used to gain access to the internal network, resulting in the exposure of 70 million customer records.¹

Querying Search Engines and Websites

Search engines catalog useful information. Google and other sites provide advanced search functions that let attackers build a clear picture of ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Cybersecurity – Attack and Defense Strategies - Second Edition

Publisher Resources

ISBN: 9781491911044Supplemental Content Errata Page

Network Security Assessment, 3rd Edition

by Chris McNab

Chapter 4. Internet Network Discovery

Querying Search Engines and Websites

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

Cybersecurity – Attack and Defense Strategies - Second Edition

Applied Network Security Monitoring

Network Protocols for Security Professionals

Cyber Security and Network Security

Publisher Resources

Chapter 4. Internet Network Discovery

Querying Search Engines and Websites

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,and much more.

You might also like

Cybersecurity – Attack and Defense Strategies - Second Edition

Applied Network Security Monitoring

Network Protocols for Security Professionals

Cyber Security and Network Security

Publisher Resources

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.