Cover image for Network Security Assessment, 2nd Edition

Book description

How secure is your network? The best way to find out is to attack it. Network Security Assessment provides you with the tricks and tools professional security consultants use to identify and assess risks in Internet-based networks-the same penetration testing model they use to secure government, military, and commercial networks. With this book, you can adopt, refine, and reuse this testing model to design and deploy networks that are hardened and immune from attack. Network Security Assessment demonstrates how a determined attacker scours Internet-based networks in search of vulnerable components, from the network to the application level. This new edition is up-to-date on the latest hacking techniques, but rather than focus on individual issues, it looks at the bigger picture by grouping and analyzing threats at a high-level. By grouping threats in this way, you learn to create defensive strategies against entire attack categories, providing protection now and into the future. Network Security Assessment helps you assess:

  • Web services, including Microsoft IIS, Apache, Tomcat, and subsystems such as OpenSSL, Microsoft FrontPage, and Outlook Web Access (OWA)

  • Web application technologies, including ASP, JSP, PHP, middleware, and backend databases such as MySQL, Oracle, and Microsoft SQL Server

  • Microsoft Windows networking components, including RPC, NetBIOS, and CIFS services

  • SMTP, POP3, and IMAP email services

  • IP services that provide secure inbound network access, including IPsec, Microsoft PPTP, and SSL VPNs

  • Unix RPC services on Linux, Solaris, IRIX, and other platforms

  • Various types of application-level vulnerabilities that hacker tools and scripts exploit

Assessment is the first step any organization should take to start managing information risks correctly. With techniques to identify and assess risks in line with CESG CHECK and NSA IAM government standards, Network Security Assessment gives you a precise method to do just that.

Table of Contents

  1. Network Security Assessment, 2nd Edition
  2. A Note Regarding Supplemental Files
  3. Foreword
    1. About Bob Ayers
  4. Preface
    1. Overview
    2. Recognized Assessment Standards
      1. NSA IAM
      2. CESG CHECK
      3. PCI Data Security Standards
      4. Other Assessment Standards and Associations
    3. Hacking Defined
    4. Organization
    5. Audience
    6. Mirror Site for Tools Mentioned in This Book
    7. Using Code Examples
    8. Conventions Used in This Book
    9. Comments and Questions
    10. Acknowledgments
      1. Guest Authors Featured in This Book
  5. 1. Network Security Assessment
    1. The Business Benefits
    2. IP: The Foundation of the Internet
    3. Classifying Internet-Based Attackers
    4. Assessment Service Definitions
    5. Network Security Assessment Methodology
      1. Internet Host and Network Enumeration
      2. Bulk Network Scanning and Probing
      3. Investigation of Vulnerabilities
      4. Exploitation of Vulnerabilities
    6. The Cyclic Assessment Approach
  6. 2. Network Security Assessment Platform
    1. Virtualization Software
      1. VMware
      2. Microsoft Virtual PC
      3. Parallels
    2. Operating Systems
      1. Microsoft Windows Platforms
      2. Linux Platforms
      3. Apple Mac OS X
    3. Reconnaissance Tools
    4. Network Scanning Tools
      1. Nmap
      2. Nessus
      3. Commercial Network Scanning Tools
    5. Exploitation Frameworks
      1. Metasploit Framework
      2. Commercial Exploitation Frameworks
    6. Web Application Testing Tools
      1. Commercial Web Application Scanning Tools
  7. 3. Internet Host and Network Enumeration
    1. Querying Web and Newsgroup Search Engines
      1. Google Search Functionality
        1. Enumerating contact details with Google
        2. Effective search query strings
      2. Searching Newsgroups
      3. Querying Netcraft
    2. Querying Domain WHOIS Registrars
        1. Using the Unix whois utility
    3. Querying IP WHOIS Registrars
      1. IP WHOIS Querying Tools and Examples
        1. Querying WHOIS databases to enumerate objects for a given company
        2. Using WHOIS web search engines
        3. Harvesting user details through WHOIS
        4. Enumerating WHOIS maintainer objects
    4. BGP Querying
    5. DNS Querying
      1. Forward DNS Querying
        1. Forward DNS querying through nslookup
      2. DNS Zone Transfer Techniques
        1. Checking for DNS zone transfer weaknesses using host
        2. Using dig to perform a DNS zone transfer using a specific name server
        3. Information retrieved through DNS zone transfer
        4. PTR record enumeration through DNS zone transfer
      3. Forward DNS Grinding
      4. Reverse DNS Sweeping
    6. Web Server Crawling
    7. Automating Enumeration
    8. SMTP Probing
    9. Enumeration Technique Recap
    10. Enumeration Countermeasures
  8. 4. IP Network Scanning
    1. ICMP Probing
      1. ICMP Probing Tools
        1. SING
        2. Nmap
        3. ICMPScan
      2. Identifying Subnet Network and Broadcast Addresses
      3. Gleaning Internal IP Addresses
      4. OS Fingerprinting Using ICMP
    2. TCP Port Scanning
      1. Standard Scanning Methods
        1. Vanilla connect( ) scanning
          1. Tools that perform connect( ) TCP scanning.
        2. Half-open SYN flag scanning
          1. Tools that perform half-open SYN scanning.
      2. Stealth TCP Scanning Methods
        1. Inverse TCP flag scanning
          1. Tools that perform inverse TCP flag scanning.
        2. ACK flag probe scanning
          1. Analysis of the TTL field of received packets.
          2. Analysis of the WINDOW field of received packets.
          3. Tools that perform ACK flag probe scanning.
      3. Third-Party and Spoofed TCP Scanning Methods
        1. FTP bounce scanning
          1. Tools that perform FTP bounce port scanning.
        2. Proxy bounce scanning
        3. Sniffer-based spoofed scanning
        4. IP ID header scanning
    3. UDP Port Scanning
      1. Tools That Perform UDP Port Scanning
    4. IDS Evasion and Filter Circumvention
      1. Fragmenting Probe Packets
        1. Fragtest
        2. Fragroute
          1. fragroute.conf.
        3. Nmap
      2. Emulating Multiple Attacking Hosts
      3. Source Routing
        1. Assessing source routing vulnerabilities
          1. LSRScan.
          2. LSRTunnel.
      4. Using Specific Source Ports to Bypass Filtering
    5. Low-Level IP Assessment
      1. Analyzing Responses to TCP Probes
        1. Hping2
        2. Firewalk
      2. Passively Monitoring ICMP Responses
      3. IP Fingerprinting
      4. TCP Sequence and IP ID Incrementation
    6. Network Scanning Recap
    7. Network Scanning Countermeasures
  9. 5. Assessing Remote Information Services
    1. Remote Information Services
    2. DNS
      1. Retrieving DNS Service Version Information
      2. BIND Vulnerabilities
        1. BIND exploit scripts
      3. Microsoft DNS Service Vulnerabilities
        1. Remote vulnerabilities in Microsoft DNS and WINS services
      4. DNS Zone Transfers
      5. Reverse DNS Querying
      6. Forward DNS Grinding
    3. Finger
      1. Finger Information Leaks
      2. Finger Redirection
      3. Finger Process Manipulation Vulnerabilities
    4. Auth
      1. Auth Process Manipulation Vulnerabilities
    5. NTP
      1. NTP Fingerprinting
      2. Further NTP Querying
      3. NTP Vulnerabilities
    6. SNMP
      1. ADMsnmp
      2. snmpwalk
      3. Default Community Strings
      4. Compromising Devices by Reading from SNMP
      5. Compromising Devices by Writing to SNMP
      6. SNMP Process Manipulation Vulnerabilities
        1. SNMP exploit scripts
    7. LDAP
      1. Anonymous LDAP Access
      2. LDAP Brute Force
      3. Active Directory Global Catalog
      4. LDAP Process Manipulation Vulnerabilities
        1. LDAP exploit scripts
    8. rwho
    9. RPC rusers
    10. Remote Information Services Countermeasures
  10. 6. Assessing Web Servers
    1. Web Servers
    2. Fingerprinting Accessible Web Servers
      1. Manual Web Server Fingerprinting
        1. HTTP HEAD
        2. HTTP OPTIONS
          1. Common HTTP OPTIONS responses.
        3. Querying the web server through an SSL tunnel
      2. Automated Web Server Fingerprinting
        1. httprint
    3. Identifying and Assessing Reverse Proxy Mechanisms
      1. HTTP CONNECT
      2. HTTP POST
      3. HTTP GET
      4. Automated HTTP Proxy Testing
    4. Enumerating Virtual Hosts and Web Sites
      1. Identifying Virtual Hosts
    5. Identifying Subsystems and Enabled Components
      1. Generic Subsystems
        1. HTTP 1.0 methods
        2. HTTP 1.1 methods
        3. WebDAV
        4. PHP
        5. Basic authentication mechanisms
      2. Microsoft-Specific Subsystems
        1. IIS sample and administrative scripts
        2. Microsoft ASP and ASP.NET
        3. Microsoft ISAPI extensions
          1. Microsoft Exchange Server WebDAV extensions.
        4. Microsoft FrontPage
        5. Windows Media Services
        6. Outlook Web Access
        7. RPC over HTTP support
        8. Enhanced authentication mechanisms
      3. Apache Subsystems
      4. Automated Scanning for Interesting Components
    6. Investigating Known Vulnerabilities
      1. Generic Subsystem Vulnerabilities
        1. CONNECT vulnerabilities
        2. TRACE vulnerabilities
        3. PUT and DELETE vulnerabilities
        4. WebDAV vulnerabilities
        5. PHP subsystem vulnerabilities
      2. Microsoft Web Server and Subsystem Vulnerabilities
        1. IIS 5.0 vulnerabilities
          1. IIS 5.0 local privilege escalation exploit (CVE-2002-0869)
        2. IIS 6.0 vulnerabilities
        3. ASP and ASP.NET
        4. ISAPI extensions
        5. Microsoft proprietary WebDAV extensions
        6. Microsoft FrontPage
        7. Outlook Web Access
      3. Apache Web Server and Subsystem Vulnerabilities
        1. Apache HTTP Server
          1. Apache chunk-handling (CVE-2002-0392) BSD exploit.
        2. Apache HTTP Server modules
        3. Apache Tomcat
          1. Tomcat JSP source code disclosure.
        4. OpenSSL
        5. OpenSSL client master key overflow (CVE-2002-0656) exploits
    7. Basic Web Server Crawling
      1. Wikto
      2. Brute-Forcing HTTP Authentication
    8. Web Servers Countermeasures
  11. 7. Assessing Web Applications
    1. Web Application Technologies Overview
    2. Web Application Profiling
      1. HTML Source Review
        1. Manual HTML sifting and analysis
        2. Automated HTML sifting and analysis
      2. Analysis of Server-Side File Extensions
      3. Session ID Fingerprinting
        1. JSESSIONID string fingerprinting
          1. Apache Tomcat 4.x and later.
          2. Apache Tomcat 3.x and earlier.
          3. Caucho Resin 3.0.21 and later.
          4. Caucho Resin 3.0.20 and earlier.
          5. IBM WebSphere.
          6. Sun Java System Application Server.
      4. Active Backend Database Technology Assessment
    3. Web Application Attack Strategies
      1. Server-Side Script Variables
      2. HTTP Request Headers
      3. HTTP Cookie Fields
      4. XML Request Content
        1. WSDL enumeration
        2. Attacking via XML
      5. Filter Evasion Techniques
        1. Encoding and obfuscating attack code
          1. Hex encoding.
          2. Double-hex encoding.
          3. HTML UTF-8 and hex encoding.
        2. HTTP request smuggling
    4. Web Application Vulnerabilities
      1. Authentication Issues
        1. Default/guessable user accounts
        2. HTTP form brute force
        3. Session management weaknesses
          1. Weak session ID generation.
          2. Session fixation.
          3. Insufficient timeout and expiration mechanisms.
      2. Parameter Modification
        1. Command injection
          1. OS command injection.
          2. Run arbitrary system commands.
          3. Modify parameters passed to system commands.
          4. Execute additional commands.
          5. SQL injection.
          6. Microsoft SQL injection testing methodology.
          7. Microsoft stored procedures.
          8. xp_cmdshell.
          9. sp_makewebtask.
          10. xp_regread.
          11. Bypassing authentication mechanisms.
        2. Compromising data using SELECT, INSERT, and UPDATE
          1. SELECT.
          2. INSERT and UPDATE.
        3. Advanced SQL injection reading
        4. LDAP injection
          1. LDAP authentication bypass.
          2. Reading LDAP data.
        5. Command injection countermeasures
        6. Filesystem access
        7. Cross-site scripting
    5. Web Security Checklist
  12. 8. Assessing Remote Maintenance Services
    1. Remote Maintenance Services
    2. FTP
      1. FTP Banner Grabbing and Enumeration
        1. Analyzing FTP banners
      2. Assessing FTP Permissions
      3. FTP Brute-Force Password Guessing
      4. FTP Bounce Attacks
        1. FTP bounce port scanning
        2. FTP bounce exploit payload delivery
      5. Circumventing Stateful Filters Using FTP
        1. PORT and PASV
        2. PASV abuse
      6. FTP Process Manipulation Attacks
        1. Solaris and BSD FTP glob( ) issues
          1. Solaris glob( ) username grinding
          2. Other Solaris glob( ) issues
          3. BSD glob( ) vulnerabilities
        2. WU-FTPD vulnerabilities
          1. WU-FTPD exploit scripts
        3. ProFTPD vulnerabilities
          1. ProFTPD exploit scripts
        4. Microsoft IIS FTP server
        5. Known vulnerabilities in other popular third-party FTP services
    3. SSH
      1. SSH Fingerprinting
        1. SSH protocol support
      2. SSH Brute-Force Password Grinding
      3. SSH Vulnerabilities
        1. SSH exploit scripts
    4. Telnet
      1. Telnet Service Fingerprinting
        1. TelnetFP
        2. Manual Telnet fingerprinting
      2. Telnet Brute-Force Password Grinding
        1. Common device Telnet passwords
        2. Dictionary files and word lists
      3. Telnet Vulnerabilities
        1. Telnet exploit scripts
    5. R-Services
      1. Directly Accessing R-Services
        1. Unix ~/.rhosts and /etc/hosts.equiv files
      2. R-Services Brute-Force
      3. Spoofing RSH Connections
      4. Known R-Services Vulnerabilities
        1. R-Services exploit scripts
    6. X Windows
      1. X Windows Authentication
        1. xhost
        2. xauth
      2. Assessing X Servers
        1. List open windows
        2. Take screenshots of specific open windows
        3. Capture keystrokes from specific windows
        4. Send keystrokes to specific windows
      3. Known X Window System and Window Manager Vulnerabilities
        1. X Windows exploit scripts
    7. Citrix
      1. Using the Citrix ICA Client
      2. Accessing Nonpublic Published Applications
      3. Citrix Vulnerabilities
        1. Citrix exploit scripts
    8. Microsoft Remote Desktop Protocol
      1. RDP Brute-Force Password Grinding
      2. RDP Vulnerabilities
    9. VNC
      1. VNC Brute-Force Password Grinding
      2. VNC Vulnerabilities
        1. VNC exploit scripts
    10. Remote Maintenance Services Countermeasures
  13. 9. Assessing Database Services
    1. Microsoft SQL Server
      1. Interacting with Microsoft SQL Server
      2. SQL Server Enumeration
        1. SQLPing
        2. MetaCoretex
      3. SQL Server Brute Force
        1. SQLAT
      4. SQL Server Process Manipulation Vulnerabilities
        1. SQL resolution service overflow (CVE-2002-0649) demonstration
    2. Oracle
      1. TNS Listener Enumeration and Information Leak Attacks
        1. Pinging the TNS listener
        2. Retrieving Oracle version and platform information
        3. Other TNS listener commands
        4. Retrieving the current status of the TNS listener
        5. Executing an information leak attack
      2. TNS Listener Process Manipulation Vulnerabilities
      3. Oracle Brute-Force and Post-Authentication Issues
        1. OAT
        2. MetaCoretex
        3. Post-authentication Oracle database vulnerabilities and exploits
      4. Oracle XDB Services
    3. MySQL
      1. MySQL Enumeration
      2. MySQL Brute Force
      3. MySQL Process Manipulation Vulnerabilities
        1. MySQL exploit scripts
          1. Exploitation framework support for MySQL.
          2. MySQL UDF library injection.
    4. Database Services Countermeasures
  14. 10. Assessing Windows Networking Services
    1. Microsoft Windows Networking Services
      1. SMB, CIFS, and NetBIOS
    2. Microsoft RPC Services
      1. Enumerating Accessible RPC Server Interfaces
        1. epdump
        2. rpctools (rpcdump and ifids)
        3. RpcScan
      2. Identifying Vulnerable RPC Server Interfaces
        1. Microsoft RPC interface process manipulation bugs
      3. Gleaning User Details via SAMR and LSARPC Interfaces
        1. walksam
        2. Accessing RPC interfaces over SMB and named pipes using rpcclient
        3. SMB null sessions and hardcoded named pipes
      4. Brute-Forcing Administrator Passwords
      5. Enumerating System Details Through WMI
      6. Executing Arbitrary Commands
    3. The NetBIOS Name Service
      1. Enumerating System Details
      2. Attacking the NetBIOS Name Service
    4. The NetBIOS Datagram Service
    5. The NetBIOS Session Service
      1. Enumerating System Details
        1. enum
        2. winfo
        3. GetAcct
      2. Brute-Forcing User Passwords
      3. Authenticating with NetBIOS
      4. Executing Commands
      5. Accessing and Modifying Registry Keys
      6. Accessing the SAM Database
    6. The CIFS Service
      1. CIFS Enumeration
        1. User enumeration through smbdumpusers
      2. CIFS Brute Force
    7. Unix Samba Vulnerabilities
    8. Windows Networking Services Countermeasures
  15. 11. Assessing Email Services
    1. Email Service Protocols
    2. SMTP
      1. SMTP Service Fingerprinting
      2. Enumerating Enabled SMTP Subsystems and Features
      3. SMTP Brute-Force Password Grinding
        1. NTLM overflows through SMTP authentication
      4. SMTP Open Relay Testing
      5. Sendmail Assessment
        1. Sendmail information leak exposures
          1. EXPN.
          2. VRFY.
          3. RCPT TO:.
        2. Automating Sendmail user enumeration
        3. Sendmail process manipulation vulnerabilities
          1. Sendmail exploit scripts
      6. Microsoft SMTP Service Assessment
        1. Microsoft Exchange Server exploit scripts
      7. SMTP Content Checking Circumvention
    3. POP-2 and POP-3
      1. POP-3 Brute-Force Password Grinding
      2. POP-3 Process Manipulation Attacks
        1. Qualcomm QPOP process manipulation vulnerabilities
        2. Microsoft Exchange POP-3 process manipulation vulnerabilities
    4. IMAP
      1. IMAP Brute Force
      2. IMAP Process Manipulation Attacks
        1. UW IMAP exploit scripts
    5. Email Services Countermeasures
  16. 12. Assessing IP VPN Services
    1. IPsec VPNs
      1. ISAKMP and IKE
        1. Main mode
        2. Aggressive mode
    2. Attacking IPsec VPNs
      1. IPsec Service Endpoint Enumeration
      2. IPsec Service Endpoint Fingerprinting
      3. Supported Transform Enumeration
      4. Investigating Known Weaknesses
      5. Denial-of-Service Vulnerabilities
        1. Malformed IKE packet DoS
        2. Negotiation slots exhaustion attack
      6. Aggressive Mode IKE PSK User Enumeration
      7. Aggressive Mode IKE PSK Cracking
    3. Microsoft PPTP
    4. SSL VPNs
      1. Basic SSL Querying
      2. Enumerating Weak Cipher Support
      3. Known SSL Vulnerabilities
        1. SSL implementation exploits
        2. SSL VPN web interface issues
    5. VPN Services Countermeasures
  17. 13. Assessing Unix RPC Services
    1. Enumerating Unix RPC Services
      1. Identifying RPC Services Without Portmapper Access
      2. Connecting to RPC Services Without Portmapper Access
    2. RPC Service Vulnerabilities
      1. Abusing NFS and rpc.mountd (100005)
        1. CVE-2003-0252
        2. CVE-1999-0832
        3. CVE-1999-0002
        4. Listing and accessing exported directories through mountd and NFS
      2. Multiple Vendor rpc.statd (100024) Vulnerabilities
      3. Solaris rpc.sadmind (100232) Vulnerabilities
        1. CVE-1999-0977
        2. CVE-2003-0722
      4. Multiple Vendor rpc.cmsd (100068) Vulnerabilities
      5. Multiple Vendor rpc.ttdbserverd (100083) Vulnerabilities
    3. Unix RPC Services Countermeasures
  18. 14. Application-Level Risks
    1. The Fundamental Hacking Concept
    2. Why Software Is Vulnerable
    3. Network Service Vulnerabilities and Attacks
      1. Memory Manipulation Attacks
      2. Runtime Memory Organization
        1. The text segment
        2. The data and BSS segments
        3. The stack
        4. The heap
      3. Processor Registers and Memory
    4. Classic Buffer-Overflow Vulnerabilities
      1. Stack Overflows
        1. Stack smash (saved instruction pointer overwrite)
          1. Causing a program crash.
          2. Compromising the logical program flow.
          3. Analyzing the program crash.
          4. Creating and injecting shellcode.
        2. Stack off-by-one (saved frame pointer overwrite)
        3. Analyzing the program crash
        4. Exploiting an off-by-one bug to modify the instruction pointer
        5. Exploiting an off-by-one bug to modify data in the parent function's stack frame
        6. Off-by-one effectiveness against different processor architectures
    5. Heap Overflows
      1. Overflowing the Heap to Compromise Program Flow
      2. Other Heap Corruption Attacks
        1. Heap off-by-one and off-by-five bugs
        2. Double-free bugs
        3. Recommended further reading
    6. Integer Overflows
      1. Heap Wrap-Around Attacks
      2. Negative-Size Bugs
    7. Format String Bugs
      1. Reading Adjacent Items on the Stack
      2. Reading Data from Any Address on the Stack
      3. Overwriting Any Word in Memory
      4. Recommended Format String Bug Reading
    8. Memory Manipulation Attacks Recap
    9. Mitigating Process Manipulation Risks
      1. Nonexecutable Stack and Heap Implementation
      2. Use of Canary Values in Memory
      3. Running Unusual Server Architecture
      4. Compiling Applications from Source
      5. Active System Call Monitoring
    10. Recommended Secure Development Reading
  19. 15. Running Nessus
    1. Nessus Architecture
    2. Deployment Options and Prerequisites
    3. Nessus Installation
      1. Server Installation
        1. Windows and Mac OS X installation
        2. Unix-based installation
          1. Adding the first user
          2. Registering Nessus and retrieving the latest plug-ins
      2. Client Installation
        1. NessusClient 3 and 1
        2. NessusWX
    4. Configuring Nessus
      1. Basic Nessus Configuration
      2. NessusClient 3 Scanning Options
        1. Safe checks
        2. Nessus TCP scanner
        3. Ping the remote host
        4. Number of hosts/checks in parallel
      3. NessusClient 3 Plug-in Selection
        1. Enable dependencies at runtime
        2. Silent dependencies
      4. NessusClient 3 Advanced Options
        1. Enable CGI scanning
        2. Thorough tests
        3. Optimize test
    5. Running Nessus
    6. Nessus Reporting
    7. Running Nessus Recap
  20. 16. Exploitation Frameworks
    1. Metasploit Framework
      1. MSF Architecture and Features
        1. Interface
        2. Modules
        3. Payloads
      2. Using MSF
      3. Further Reading
    2. CORE IMPACT
      1. IMPACT Architecture & Features
        1. Agents
        2. Modules
        3. Console
      2. Using IMPACT
        1. Information gathering
        2. Attack and penetration
        3. Repositioning
    3. Immunity CANVAS
      1. CANVAS Architecture & Features
        1. Console
        2. Modules
        3. MOSDEF nodes
        4. Add-on exploit packs for CANVAS
      2. Using CANVAS
        1. Repositioning
        2. Further information
    4. Exploitation Frameworks Recap
  21. A. TCP, UDP Ports, and ICMP Message Types
    1. TCP Ports
    2. UDP Ports
    3. ICMP Message Types
  22. B. Sources of Vulnerability Information
    1. Security Mailing Lists
    2. Vulnerability Databases and Lists
    3. Underground Web Sites
    4. Security Events and Conferences
  23. C. Exploit Framework Modules
    1. MSF
    2. CORE IMPACT
    3. Immunity CANVAS
      1. GLEG VulnDisco
      2. Argeniss Ultimate 0day Exploits Pack
  24. About the Author
  25. Colophon
  26. Copyright