book

Network Security Assessment, 3rd Edition

by Chris McNab

December 2016

Beginner

494 pages

12h 34m

English

O'Reilly Media, Inc.

Read now

Unlock full access

OverviewAudienceOrganizationUse of RFC and CVE ReferencesVulnerabilities Covered in This BookRecognized Assessment StandardsNIST SP 800-115NSA IAMCESG CHECKCESG Recognized QualificationsPCI DSSPTESMirror Site for Tools Mentioned in This BookUsing Code ExamplesConventions Used in This BookO’Reilly SafariComments and QuestionsAcknowledgmentsTechnical Reviewers and Contributors
The State of the ArtThreats and Attack SurfaceAttacking Client SoftwareAttacking Server SoftwareAttacking Web ApplicationsExposed LogicAssessment FlavorsStatic AnalysisDynamic TestingWhat This Book Covers
Network Security Assessment MethodologyReconnaissanceVulnerability ScanningInvestigation of VulnerabilitiesExploitation of VulnerabilitiesAn Iterative Assessment ApproachYour Testing PlatformUpdating Kali LinuxDeploying a Vulnerable Server
The Fundamental Hacking ConceptWhy Software Is VulnerableConsidering Attack SurfaceA Taxonomy of Software Security ErrorsThreat ModelingSystem ComponentsAdversarial GoalsSystem Access and Execution ContextAttacker EconomicsAttacking C/C++ ApplicationsRuntime Memory LayoutProcessor Registers and MemoryWriting to MemoryReading from MemoryCompiler and OS Security FeaturesCircumventing Common Safety FeaturesLogic Flaws and Other BugsCryptographic WeaknessesVulnerabilities and Adversaries Recap
Querying Search Engines and WebsitesGoogle SearchQuerying NetcraftUsing ShodanDomainToolsPGP Public Key ServersSearching LinkedInDomain WHOISManual WHOIS QueryingIP WHOISIP WHOIS Querying Tools and ExamplesBGP EnumerationDNS QueryingForward DNS QueryingDNS Zone Transfer TechniquesForward DNS GrindingReverse DNS SweepingIPv6 Host EnumerationCross-Referencing DNS DatasetsSMTP ProbingAutomating EnumerationEnumeration Technique RecapEnumeration Countermeasures
Data Link Protocols802.3 Ethernet Testing802.1Q VLAN802.1X PNACCDP802.1D STPLocal IP ProtocolsDHCPPXELLMNR, NBT-NS, and mDNSWPADInternal Routing ProtocolsIPv6 Network DiscoveryIdentifying Local GatewaysLocal Network Discovery RecapLocal Network Attack Countermeasures
Initial Network Scanning with NmapICMPTCPUDPSCTPBringing Everything TogetherLow-Level IP AssessmentCrafting Arbitrary PacketsTCP/IP Stack FingerprintingIP ID AnalysisManipulating TTL to Reverse Engineer ACLsRevealing Internal IP AddressesVulnerability Scanning with NSEBulk Vulnerability ScanningIDS and IPS EvasionTTL ManipulationData Insertion and Scrambling with SniffJokeConfiguring and Running SniffJokeNetwork Scanning RecapNetwork Scanning Countermeasures
FTPFingerprinting FTP ServicesKnown FTP VulnerabilitiesTFTPKnown TFTP VulnerabilitiesSSHFingerprintingEnumerating FeaturesDefault and Hardcoded CredentialsInsecurely Generated Host KeysSSH Server Software FlawsTelnetDefault Telnet CredentialsTelnet Server Software FlawsIPMIDNSFingerprintingTesting for Recursion SupportKnown DNS Server FlawsMulticast DNSNTPSNMPExploiting SNMPLDAPLDAP AuthenticationLDAP OperationsLDAP Directory StructureFingerprinting and Anonymous BindingBrute-Force Password GrindingObtaining Sensitive DataLDAP Server Implementation FlawsKerberosKerberos KeysTicket FormatKerberos Attack SurfaceLocal AttacksUnauthenticated Remote AttacksKerberos Implementation FlawsVNCAttacking VNC ServersUnix RPC ServicesManually Querying Exposed RPC ServicesRPC Service VulnerabilitiesCommon Network Service Assessment RecapService Hardening and Countermeasures
NetBIOS Name ServiceSMBMicrosoft RPC ServicesAttacking SMB and RPCMapping Network Attack SurfaceAnonymous IPC Access via SMBSMB Implementation FlawsIdentifying Exposed RPC ServicesBrute-Force Password GrindingAuthenticating and Using AccessRemote Desktop ServicesBrute-Force Password GrindingAssessing Transport SecurityRDP Implementation FlawsMicrosoft Services Testing RecapMicrosoft Services Countermeasures
Mail ProtocolsSMTPService FingerprintingMapping SMTP ArchitectureEnumerating Supported Commands and ExtensionsRemotely Exploitable FlawsUser Account EnumerationBrute-Force Password GrindingContent Checking CircumventionReview of Mail Security FeaturesPhishing via SMTPPOP3Service FingerprintingBrute-Force Password GrindingIMAPService FingerprintingBrute-Force Password GrindingKnown IMAP Server FlawsMail Services Testing RecapMail Services Countermeasures

IPsecPacket FormatISAKMP, IKE, and IKEv2IKE AssessmentExploitable IPsec WeaknessesPPTPVPN Testing RecapVPN Services Countermeasures
TLS MechanicsSession NegotiationCipher SuitesKey Exchange and AuthenticationTLS AuthenticationSession ResumptionSession RenegotiationCompressionSTARTTLSUnderstanding TLS VulnerabilitiesExploitable FlawsMitigating TLS ExposuresAssessing TLS EndpointsIdentifying the TLS Library and VersionEnumerating Supported Protocols and Cipher SuitesEnumerating Supported Features and ExtensionsCertificate ReviewStress Testing TLS EndpointsManually Accessing TLS-Wrapped ServicesTLS Service Assessment RecapTLS HardeningWeb Application Hardening
Web Application TypesWeb Application TiersThe Presentation TierTLSHTTPCDNsLoad BalancersPresentation-Tier Data FormatsThe Application TierApplication-Tier Data FormatsThe Data Tier
Identifying Proxy MechanismsEnumerating Valid HostsWeb Server ProfilingAnalyzing Server ResponsesHTTP Header ReviewCrawling and Investigation of ContentActive ScanningWAF DetectionServer and Application Framework FingerprintingIdentifying Exposed ContentQualifying Web Server VulnerabilitiesReviewing Exposed ContentBrute-Force Password GrindingInvestigating Supported HTTP MethodsKnown Microsoft IIS VulnerabilitiesKnown Apache HTTP Server FlawsKnown Apache Coyote WeaknessesKnown Nginx DefectsWeb Server Hardening
Framework and Data Store ProfilingUnderstanding Common FlawsPHPPHP Management ConsolesPHP CMS PackagesApache TomcatThe Manager ApplicationKnown Tomcat FlawsAttacking Apache JServ ProtocolJBoss TestingServer Profiling via HTTPWeb Consoles and Invoker ServletsIdentifying MBeansExploiting MBeansExploiting the RMI Distributed Garbage CollectorKnown JBoss VulnerabilitiesAutomated JBoss ScanningApache StrutsExploiting the DefaultActionMapperJDWPAdobe ColdFusionColdFusion ProfilingExposed Management InterfacesKnown ColdFusion Software DefectsApache Solr VulnerabilitiesDjangoRailsUsing an Application’s Secret TokenNode.jsMicrosoft ASP.NETApplication Framework Security Checklist
MySQLBrute-Force Password GrindingAuthenticated MySQL AttacksPostgreSQLBrute-Force Password GrindingAuthenticated PostgreSQL AttacksMicrosoft SQL ServerBrute-Force Password GrindingAuthenticating and Evaluating ConfigurationOracle DatabaseInteracting with the TNS ListenerOracle SID GrindingDatabase Account Password GrindingAuthenticating with Oracle DatabasePrivilege Escalation and PivotingMongoDBRedisKnown WeaknessesMemcachedApache HadoopNFSApple Filing ProtocoliSCSIData Store Countermeasures
TCP PortsUDP PortsICMP Message Types
Twitter AccountsBug TrackersMailing ListsSecurity Events and Conferences

Content preview from Network Security Assessment, 3rd Edition

Chapter 11. Assessing TLS Services

This chapter describes the steps you should undertake to identify weaknesses in TLS services. Before we get to that, I would like to take a moment to discuss how TLS came to be, and why this book avoids mentioning SSL for the most part.

Netscape Navigator dominated the browser market in the 1990s with around 70 percent market share. Between 1994 and 1996, Netscape Communications developed its own transport encryption mechanism known as Secure Sockets Layer (SSL). Due to its market dominance, SSL was widely adopted. The Internet Engineering Task Force (IETF) formed a committee to turn the Netscape SSL 3.0 protocol into a standard—the official name being Transport Layer Security (TLS), as ratified by RFC 2246 in 1999.

Entire books are dedicated to the topic. An excellent reference that provides additional layers of detail around TLS and its features is Ivan Ristić’s Bulletproof SSL and TLS (Feisty Duck, 2014).¹

Figure 11-1 shows TLS running at OSI Layer 6, providing transport security to the application protocol above (HTTP, in this case). This chapter describes the mechanics of TLS version 1.2,² along with assessment tactics that should be adopted for TLS and legacy SSL endpoints. SSL 3.0 is particularly flawed and support is being rapidly phased-out online.