book

Network Security Assessment, 3rd Edition

by Chris McNab

December 2016

Beginner

494 pages

12h 34m

English

O'Reilly Media, Inc.

Read now

Unlock full access

OverviewAudienceOrganizationUse of RFC and CVE ReferencesVulnerabilities Covered in This BookRecognized Assessment StandardsNIST SP 800-115NSA IAMCESG CHECKCESG Recognized QualificationsPCI DSSPTESMirror Site for Tools Mentioned in This BookUsing Code ExamplesConventions Used in This BookO’Reilly SafariComments and QuestionsAcknowledgmentsTechnical Reviewers and Contributors
The State of the ArtThreats and Attack SurfaceAttacking Client SoftwareAttacking Server SoftwareAttacking Web ApplicationsExposed LogicAssessment FlavorsStatic AnalysisDynamic TestingWhat This Book Covers
Network Security Assessment MethodologyReconnaissanceVulnerability ScanningInvestigation of VulnerabilitiesExploitation of VulnerabilitiesAn Iterative Assessment ApproachYour Testing PlatformUpdating Kali LinuxDeploying a Vulnerable Server
The Fundamental Hacking ConceptWhy Software Is VulnerableConsidering Attack SurfaceA Taxonomy of Software Security ErrorsThreat ModelingSystem ComponentsAdversarial GoalsSystem Access and Execution ContextAttacker EconomicsAttacking C/C++ ApplicationsRuntime Memory LayoutProcessor Registers and MemoryWriting to MemoryReading from MemoryCompiler and OS Security FeaturesCircumventing Common Safety FeaturesLogic Flaws and Other BugsCryptographic WeaknessesVulnerabilities and Adversaries Recap
Querying Search Engines and WebsitesGoogle SearchQuerying NetcraftUsing ShodanDomainToolsPGP Public Key ServersSearching LinkedInDomain WHOISManual WHOIS QueryingIP WHOISIP WHOIS Querying Tools and ExamplesBGP EnumerationDNS QueryingForward DNS QueryingDNS Zone Transfer TechniquesForward DNS GrindingReverse DNS SweepingIPv6 Host EnumerationCross-Referencing DNS DatasetsSMTP ProbingAutomating EnumerationEnumeration Technique RecapEnumeration Countermeasures
Data Link Protocols802.3 Ethernet Testing802.1Q VLAN802.1X PNACCDP802.1D STPLocal IP ProtocolsDHCPPXELLMNR, NBT-NS, and mDNSWPADInternal Routing ProtocolsIPv6 Network DiscoveryIdentifying Local GatewaysLocal Network Discovery RecapLocal Network Attack Countermeasures
Initial Network Scanning with NmapICMPTCPUDPSCTPBringing Everything TogetherLow-Level IP AssessmentCrafting Arbitrary PacketsTCP/IP Stack FingerprintingIP ID AnalysisManipulating TTL to Reverse Engineer ACLsRevealing Internal IP AddressesVulnerability Scanning with NSEBulk Vulnerability ScanningIDS and IPS EvasionTTL ManipulationData Insertion and Scrambling with SniffJokeConfiguring and Running SniffJokeNetwork Scanning RecapNetwork Scanning Countermeasures
FTPFingerprinting FTP ServicesKnown FTP VulnerabilitiesTFTPKnown TFTP VulnerabilitiesSSHFingerprintingEnumerating FeaturesDefault and Hardcoded CredentialsInsecurely Generated Host KeysSSH Server Software FlawsTelnetDefault Telnet CredentialsTelnet Server Software FlawsIPMIDNSFingerprintingTesting for Recursion SupportKnown DNS Server FlawsMulticast DNSNTPSNMPExploiting SNMPLDAPLDAP AuthenticationLDAP OperationsLDAP Directory StructureFingerprinting and Anonymous BindingBrute-Force Password GrindingObtaining Sensitive DataLDAP Server Implementation FlawsKerberosKerberos KeysTicket FormatKerberos Attack SurfaceLocal AttacksUnauthenticated Remote AttacksKerberos Implementation FlawsVNCAttacking VNC ServersUnix RPC ServicesManually Querying Exposed RPC ServicesRPC Service VulnerabilitiesCommon Network Service Assessment RecapService Hardening and Countermeasures
NetBIOS Name ServiceSMBMicrosoft RPC ServicesAttacking SMB and RPCMapping Network Attack SurfaceAnonymous IPC Access via SMBSMB Implementation FlawsIdentifying Exposed RPC ServicesBrute-Force Password GrindingAuthenticating and Using AccessRemote Desktop ServicesBrute-Force Password GrindingAssessing Transport SecurityRDP Implementation FlawsMicrosoft Services Testing RecapMicrosoft Services Countermeasures
Mail ProtocolsSMTPService FingerprintingMapping SMTP ArchitectureEnumerating Supported Commands and ExtensionsRemotely Exploitable FlawsUser Account EnumerationBrute-Force Password GrindingContent Checking CircumventionReview of Mail Security FeaturesPhishing via SMTPPOP3Service FingerprintingBrute-Force Password GrindingIMAPService FingerprintingBrute-Force Password GrindingKnown IMAP Server FlawsMail Services Testing RecapMail Services Countermeasures

IPsecPacket FormatISAKMP, IKE, and IKEv2IKE AssessmentExploitable IPsec WeaknessesPPTPVPN Testing RecapVPN Services Countermeasures
TLS MechanicsSession NegotiationCipher SuitesKey Exchange and AuthenticationTLS AuthenticationSession ResumptionSession RenegotiationCompressionSTARTTLSUnderstanding TLS VulnerabilitiesExploitable FlawsMitigating TLS ExposuresAssessing TLS EndpointsIdentifying the TLS Library and VersionEnumerating Supported Protocols and Cipher SuitesEnumerating Supported Features and ExtensionsCertificate ReviewStress Testing TLS EndpointsManually Accessing TLS-Wrapped ServicesTLS Service Assessment RecapTLS HardeningWeb Application Hardening
Web Application TypesWeb Application TiersThe Presentation TierTLSHTTPCDNsLoad BalancersPresentation-Tier Data FormatsThe Application TierApplication-Tier Data FormatsThe Data Tier
Identifying Proxy MechanismsEnumerating Valid HostsWeb Server ProfilingAnalyzing Server ResponsesHTTP Header ReviewCrawling and Investigation of ContentActive ScanningWAF DetectionServer and Application Framework FingerprintingIdentifying Exposed ContentQualifying Web Server VulnerabilitiesReviewing Exposed ContentBrute-Force Password GrindingInvestigating Supported HTTP MethodsKnown Microsoft IIS VulnerabilitiesKnown Apache HTTP Server FlawsKnown Apache Coyote WeaknessesKnown Nginx DefectsWeb Server Hardening
Framework and Data Store ProfilingUnderstanding Common FlawsPHPPHP Management ConsolesPHP CMS PackagesApache TomcatThe Manager ApplicationKnown Tomcat FlawsAttacking Apache JServ ProtocolJBoss TestingServer Profiling via HTTPWeb Consoles and Invoker ServletsIdentifying MBeansExploiting MBeansExploiting the RMI Distributed Garbage CollectorKnown JBoss VulnerabilitiesAutomated JBoss ScanningApache StrutsExploiting the DefaultActionMapperJDWPAdobe ColdFusionColdFusion ProfilingExposed Management InterfacesKnown ColdFusion Software DefectsApache Solr VulnerabilitiesDjangoRailsUsing an Application’s Secret TokenNode.jsMicrosoft ASP.NETApplication Framework Security Checklist
MySQLBrute-Force Password GrindingAuthenticated MySQL AttacksPostgreSQLBrute-Force Password GrindingAuthenticated PostgreSQL AttacksMicrosoft SQL ServerBrute-Force Password GrindingAuthenticating and Evaluating ConfigurationOracle DatabaseInteracting with the TNS ListenerOracle SID GrindingDatabase Account Password GrindingAuthenticating with Oracle DatabasePrivilege Escalation and PivotingMongoDBRedisKnown WeaknessesMemcachedApache HadoopNFSApple Filing ProtocoliSCSIData Store Countermeasures
TCP PortsUDP PortsICMP Message Types
Twitter AccountsBug TrackersMailing ListsSecurity Events and Conferences

Content preview from Network Security Assessment, 3rd Edition

Preface

Adversaries routinely target networks for gain. As I prepare this third edition of Network Security Assessment, the demand for incident response expertise is also increasing. Although software vendors have worked to improve the security of their products over the past decade, system complexity and attack surfaces have grown, and if anything, the overall integrity of the Internet has degraded.

Attacker tactics have become increasingly refined, combining intricate exploitation of software defects, social engineering, and physical attack tactics to target high-value assets. To make matters worse, many technologies deployed to protect networks have been proven ineffective. Google Project Zero¹ team member Tavis Ormandy has publicized severe remotely exploitable flaws within many security products.²

As stakes increase, so does the value of research output. Security researchers are financially incentivized to disclose zero-day vulnerabilities to third parties and brokers, who in turn share the findings with their customers, and in some cases, responsibly notify product vendors. There exists a growing gap by which the number of severe defects known only to privileged groups (e.g., governments and organized criminals) increases each day.

A knee-jerk reaction is to prosecute hackers and curb the proliferation of their tools. The adversaries we face, however, along with the tactics they adopt, are nothing but a symptom of a serious problem: the products we use are unfit for purpose. ...