book

Penetration Testing and Network Defense

by Andrew Whitaker, Daniel P. Newman

October 2005

Intermediate to advanced

624 pages

15h 47m

English

Cisco Press

Read now

Unlock full access

Who Should Read this BookEthical ConsiderationsHow This Book Is Organized
Defining Penetration TestingAssessing the Need for Penetration TestingAttack StagesChoosing a Penetration Testing VendorPreparing for the TestSummary
Ethics of Penetration TestingLawsLoggingTo Fix or Not to FixSummary
Step-by-Step PlanOpen-Source Security Testing Methodology ManualDocumentationSummary
Human PsychologyWhat It Takes to Be a Social EngineerFirst Impressions and the Social EngineerTech Support ImpersonationThird-Party ImpersonationE-Mail ImpersonationEnd User ImpersonationCustomer ImpersonationReverse Social EngineeringProtecting Against Social EngineeringCase StudySummary
Passive Host ReconnaissanceActive Host ReconnaissancePort ScanningNMapDetecting a ScanCase StudySummary
Defining Session HijackingToolsBeware of ACK StormsKevin Mitnick’s Session Hijack AttackDetecting Session HijackingProtecting Against Session HijackingCase StudySummaryResources
Understanding Web LanguagesWebsite ArchitectureE-Commerce ArchitectureWeb Page SpoofingCookie GuessingBrute Force AttacksToolsDetecting Web AttacksProtecting Against Web AttacksCase StudySummary
Defining DatabasesTesting Database VulnerabilitiesSecuring Your SQL ServerDetecting Database AttacksProtecting Against Database AttacksCase StudySummaryReferences and Further Reading
Password HashingPassword-Cracking ToolsDetecting Password CrackingProtecting Against Password CrackingCase StudySummary
Bypassing FirewallsEvading Intruder Detection SystemsTesting Routers for VulnerabilitiesTesting Switches for VulnerabilitiesSecuring the NetworkCase StudySummary
History of Wireless NetworksAntennas and Access PointsWireless Security TechnologiesWar DrivingToolsDetecting Wireless AttacksCase StudySummary
Trojans, Viruses, and Backdoor ApplicationsCommon Viruses and WormsTrojans and BackdoorsDetecting Trojans and Backdoor ApplicationsPreventionCase StudySummary
General ScannersUNIX Permissions and Root AccessMicrosoft Security Models and ExploitsNovell Server Permissions and VulnerabilitiesDetecting Server AttacksPreventing Server AttacksCase StudySummary
Memory ArchitectureBuffer Overflow ExamplesPreventing Buffer OverflowsCase StudySummary
Types of DoS AttacksTools for Executing DoS AttacksDetecting DoS AttacksPreventing DoS AttacksCase StudySummary
Case Study: LCN Gets TestedDAWN Security
What Is a Security Policy?Risk AssessmentBasic Policy RequirementsSecurity Policy Implementation and ReviewPreparing a Security Policy in Ten Basic StepsReference Links
Performing Host Reconnaissance (Chapter 5)Understanding and Attempting Session Hijacking (Chapter 6)Performing Web-Server Attacks (Chapter 7)Performing Database Attacks (Chapter 8)Cracking Passwords (Chapter 9)Attacking the Network (Chapter 10)Scanning and Penetrating Wireless Networks (Chapter 11)Using Trojans and Backdoor Applications (Chapter 12)Penetrating UNIX, Microsoft, and Novell Servers (Chapter 13)Understanding and Attempting Buffer Overflows (Chapter 14)Denial-of-Service Attacks (Chapter 15)

Content preview from Penetration Testing and Network Defense

Foreword

Pen testing, ethical hacking, posture assessment, vulnerability scans... the list of names goes on and on. There are as many names for simulating an attack and testing the security of an information system as there are approaches and techniques to be utilized in this endeavor.

While it is quite simple to log onto the web and gain access to tools, information, scripts, etc. to perform these types of tests, the key to doing this work responsibly, and with desirable results, lies in understanding how to execute a pen test the right way. Case studies have shown that a testing exercise designed to identify and improve security measures can turn sour and result in obvious or inaccurate recommendations, or in the worst case scenario, become ...