Assessing Network Security

Book Description

Help beat the hackers at their own game! Discover how to take charge of system assets through hands-on vulnerability scanning, penetration testing, and other advanced testing techniques—straight from members of the Microsoft Security Team.

Table of Contents

  1. Assessing Network Security
  2. A Note Regarding Supplemental Files
  3. Acknowledgments
  4. Foreword
  5. Introduction
    1. Who Should Read This Book
    2. Organization of This Book
    3. System Requirements
    4. Support
  6. I. Planning and Performing Security Assessments
    1. 1. Introduction to Performing Security Assessments
      1. Role of Security Assessments in Network Security
      2. Why Does Network Security Fail?
        1. Human Factors
        2. Policy Factors
        3. Misconfiguration
        4. Poor Assumptions
        5. Ignorance
        6. Failure to Stay Up-to-Date
      3. Types of Security Assessments
        1. Vulnerability Scanning
          1. Enumerate Computers, Operating Systems, and Applications
          2. Identify Common Security Mistakes
          3. Search for Computers with Known Vulnerabilities
          4. Test for Exposure to Common Attacks
        2. Penetration Testing
          1. How Vulnerabilities Are Exploited
          2. Weakness in People and Processes
        3. IT Security Auditing
      4. Frequently Asked Questions
    2. 2. Key Principles of Security
      1. Making Security Easy
        1. Keeping Services Running
        2. Allowing the Right Users Access to the Right Information
        3. Defending Every Layer as if It Were the Last Layer of Defense
        4. Keeping a Record of Attempts to Access Information
        5. Compartmentalizing and Isolating Resources
        6. Avoiding the Mistakes Everyone Else Makes
        7. Controlling the Cost of Meeting Security Objectives
      2. Risk Management
        1. Learning to Manage Risk
          1. Setting the Scope
          2. Identifying Assets and Determining Their Value
          3. Predicting Threats and Vulnerabilities to Assets
          4. Documenting the Security Risks
          5. Determining a Risk Management Strategy
          6. Monitoring Assets
          7. Tracking Changes to Risks
        2. Risk Management Strategies
          1. Acceptance
          2. Mitigation
          3. Transference
          4. Avoidance
      3. Immutable Laws
      4. Frequently Asked Questions
    3. 3. Using Vulnerability Scanning to Assess Network Security
      1. Setting a Scope for the Project
        1. Defining the Target
          1. Enumeration
          2. Recorded State
          3. Well-Defined Configurations
        2. Defining the Target Scope
        3. Defining Types of Vulnerabilities
      2. Determining Goals
      3. Choosing a Technology
        1. Tools and Managed vs. Unmanaged Targets
        2. Checklist for Evaluating Tools
      4. Creating a Process for Scanning for Vulnerabilities
        1. Detecting Vulnerabilities
        2. Assigning Risk Levels to Vulnerabilities
        3. Identifying Vulnerabilities That Have not Been Remediated
        4. Determining Improvement in Network Security Over Time
      5. Creating a Process for Analyzing the Results
      6. Frequently Asked Questions
    4. 4. Conducting a Penetration Test
      1. What the Attacker Is Thinking About
        1. Notoriety, Acceptance, and Ego
        2. Financial Gain
        3. Challenge
        4. Activism
        5. Revenge
        6. Espionage
        7. Information Warfare
      2. Defining the Penetration Test Engagement
        1. Setting the Goals
          1. Gaining Control of Confidential Information
          2. Gaining Administrator Access to a System or Systems
          3. Gaining Physical Access to a Device or Location
          4. Getting Caught by Security Administrators
          5. Compromising Applications
          6. Denying Others Use of a Service
          7. Causing Direct Financial Damage to an Organization
        2. Setting the Scope
      3. Performing the Penetration Test
        1. Locating Areas of Weakness in Network or Application Defenses
        2. Determining How Vulnerabilities Were Compromised
        3. Locating Assets that Could be Accessed, Altered, or Destroyed
        4. Determining Whether the Attack Was Detected
        5. Identifying the Attack Footprint
        6. Making Recommendations
      4. Frequently Asked Questions
    5. 5. Performing IT Security Audits
      1. Components of an IT Security Audit
        1. Policy
          1. Administrative Policies
          2. Technical Policies
          3. Physical Policies
        2. Processes and Procedures
        3. Operations
      2. Preliminary Decisions
        1. Legal Considerations
        2. Regulatory Considerations
        3. Operational Considerations
        4. Organizational Considerations
      3. Planning and Performing the Audit
        1. Building Your Audit Framework
        2. Setting the Scope and Timeline
        3. Obtaining Legal and Management Approval
        4. Completing the Audit
        5. Analyzing and Reporting the Results
      4. Frequently Asked Questions
    6. 6. Reporting Your Findings
      1. Guidelines for Reporting Your Findings
        1. Concise and Professional
        2. Technically Accurate
        3. Objective
        4. Measurable
      2. Framework for Reporting Your Findings
        1. Define the Vulnerability
          1. Access
          2. Difficulty
          3. Value of the Asset to the Attacker
        2. Document Mitigation Plans
        3. Identify Where Changes Should Occur
        4. Assign Responsibility for Implementing Approved Recommendations
      3. Frequently Asked Questions
    7. 7. Building and Maintaining Your Security Assessment Skills
      1. Building Core Skills
        1. Improving Network, Operating System, and Application Skills
          1. Network Skills
          2. Operating System Skills
          3. Application Skills
        2. Developing Programming Skills
          1. Compiled Languages
          2. Interpreted Languages
        3. Practicing Security Assessments
          1. Evaluating Tools
          2. Verifying Results and Countermeasures
          3. Sharpening Your Skills
          4. Building a Network to Practice Security Assessments
      2. Staying Up-to-Date
        1. Finding a Course
          1. Choosing an Instructor
            1. Hands-On Experience
            2. Training Qualifications
            3. Industry Credentials
            4. References
          2. Evaluating materials
          3. Assessing the Training Venue
        2. Choosing a Conference
          1. Vendor-Sponsored
          2. Vendor-Agnostic
          3. Academic
        3. Internet-Based Resources
        4. Internet Mailing Lists
        5. Security Bulletins
        6. Security Websites
      3. Frequently Asked Questions
  7. II. Penetration Testing for Nonintrusive Attacks
    1. 8. Information Reconnaissance
      1. Understanding Information Reconnaissance
      2. Registrar Information
        1. Determining Your Registrar Information
        2. Countermeasures
      3. IP Network Block Assignment
        1. Determining Your Organization’s IP Network Block Assignment
        2. Countermeasures
      4. Web Pages
        1. Reviewing Web Server Content
          1. Manual Review
          2. Automated Review
        2. Countermeasures
      5. Search Engines
        1. Reviewing Your Website with Search Engines
        2. Countermeasures
      6. Public Discussion Forums
        1. Taking a Snapshot of Your Organization’s Exposure
        2. Countermeasures
      7. Frequently Asked Questions
    2. 9. Host Discovery Using DNS and NetBIOS
      1. Using DNS
        1. Common Record Types
          1. Start of Authority
          2. Name Server
          3. Address
          4. Canonical Name
          5. Pointer
          6. Mail Exchange
          7. Service Locator
          8. Miscellaneous Records
        2. Examining a Zone Transfer
      2. Using NetBIOS
      3. Using LDAP
      4. Frequently Asked Questions
    3. 10. Network and Host Discovery
      1. Network Sweeping Techniques
        1. ICMP Sweeps
        2. UDP Sweeps
        3. TCP Sweeps
        4. Broadcast Sweeps
        5. Countermeasures
      2. Network Topology Discovery
        1. Trace Routing
        2. Firewalking
        3. Countermeasures
      3. Frequently Asked Questions
    4. 11. Port Scanning
      1. TCP Connect Scans
      2. Custom TCP Scans
        1. SYN Scans
        2. FIN Scans
        3. SYN/ACK and ACK Scans
        4. XMAS Scans
        5. Null Scans
        6. Idle Scans
      3. UDP Scans
      4. FTP Bounce Scans
      5. Port Scanning Tips and Tricks
      6. Fragmentation and Port Scans
      7. Port Scanning Countermeasures
      8. Frequently Asked Questions
    5. 12. Obtaining Information from a Host
      1. Fingerprinting
        1. IP and ICMP Fingerprinting
        2. TCP Fingerprinting
        3. Countermeasures
      2. Application Fingerprinting
        1. Countermeasures
      3. What’s On That Port?
        1. Interrogating a Host
          1. User Information
          2. Group Information
          3. File Shares
          4. Operating System Information
          5. User Sessions
          6. Service Users
        2. Countermeasures
      4. Frequently Asked Questions
    6. 13. War Dialing, War Driving, and Bluetooth Attacks
      1. Modem Detection—War Dialing
        1. Anatomy of a War Dialing Attack
          1. Identify Telephone Number Blocks to Dial
          2. Detect Dial-Up Systems
          3. Assess Vulnerability
        2. Countermeasures
      2. Wireless LAN Detection—War Driving
        1. MAC Address Filtering
        2. Disabling a Service Set ID Broadcasting
        3. Wired Equivalent Privacy
          1. Authentication
            1. Open System Authentication
            2. Shared Key Authentication
          2. Data Encryption
        4. Anatomy of a War Driving Attack
          1. Detecting Wireless Networks
          2. Assessing Vulnerability
        5. Countermeasures
      3. Bluetooth Attacks
        1. Device Detection
          1. Countermeasures
        2. Data Theft
          1. Countermeasures
        3. Services Theft
          1. Countermeasures
        4. Network Sniffing
          1. Countermeasures
      4. Frequently Asked Questions
  8. III. Penetration Testing for Intrusive Attacks
    1. 14. Automated Vulnerability Detection
      1. Scanning Techniques
        1. Banner Grabbing and Fingerprinting
        2. Exploiting the Vulnerability
        3. Inference Testing
        4. Replaying Network Sniffs
        5. Patch Detection
      2. Selecting a Scanner
        1. Vulnerability Checks
        2. Scanner Speed
        3. Reliability and Scalability
        4. Check Accuracy
        5. Update Frequency
        6. Reporting Features
      3. Scanning Approaches
        1. Host-Based Scanners
        2. Network-Based Scanners
        3. Dangers of Using Automated Scanners
        4. Tips for Using Scanners Safely
      4. Frequently Asked Questions
    2. 15. Password Attacks
      1. Where to Find Passwords
      2. Brute Force Attacks
        1. Online Password Testing
        2. Offline Password Testing
        3. Offline Password Attack Strategies
          1. Dictionary Attacks
          2. Variant Dictionary Attacks
          3. Brute Force Attacks
        4. Countermeasures
      3. Password Disclosure Attacks
        1. File System Passwords
        2. Encrypted Passwords
        3. Sniffing for Passwords
        4. Keystroke Loggers
        5. Countermeasures
      4. Frequently Asked Questions
    3. 16. Denial of Service Attacks
      1. Flooding Attacks
        1. Testing Flooding Attacks
        2. Countermeasures
      2. Resource Starvation Attacks
        1. CPU Starvation Attacks
          1. Testing for CPU Starvation Attacks
          2. Countermeasures
        2. Memory Starvation Attacks
        3. Disk Storage Consumption Attacks
          1. Testing for Disk Storage Consumption
          2. Countermeasures
      3. Disruption of Service
      4. Frequently Asked Questions
    4. 17. Application Attacks
      1. Buffer Overruns
        1. Stack Overruns
        2. Heap Overruns
        3. Format String Bugs
        4. Countermeasures
      2. Integer Overflows
        1. Countermeasures
      3. Finding Buffer Overruns
      4. Frequently Asked Questions
    5. 18. Database Attacks
      1. Database Server Detection
        1. Detecting Database Servers on Your Network
          1. Network Deployment Records
          2. Port Scanning
          3. Application Programming Interfaces (APIs)
          4. SQL Query Analyzer Tool
          5. Microsoft Baseline Security Analyzer
          6. Odbcping Utility
          7. SQLPing Utility
        2. Countermeasures
      2. Missing Product Patches
        1. Detecting Missing Patches
        2. Countermeasures
      3. Unauthorized Access
        1. Detecting the Potential for Unauthorized Access
        2. Countermeasures
      4. Weak Passwords
        1. Detecting Weak Passwords
        2. Countermeasures
      5. Network Sniffing
        1. Detecting Network Sniffing Threats
        2. Countermeasures
      6. SQL Injection
        1. Detecting SQL Injection Vectors
        2. Countermeasures
      7. Frequently Asked Questions
    6. 19. Network Sniffing
      1. Understanding Network Sniffing
      2. Debunking Network Sniffing Myths
        1. Myth #1: An Attacker Can Remotely Sniff Networks
        2. Myth #2: Switches Are Immune to Network Sniffing Attacks
          1. Media Access Control Table Flooding
          2. Address Resolution Protocol Table Modifications
          3. Internet Control Message Protocol Redirects
          4. Compromising Switches
      3. Detecting Network Sniffing Threats
        1. Manual Detection
        2. Reviewing Network Architecture
        3. Monitoring DNS Queries
        4. Measuring Latency
        5. Using False MAC Addresses and ICMP Packets
        6. Using Trap Accounts
        7. Using Non-Broadcast ARP Packet
        8. Using Automated Detection Tools
        9. Detecting Microsoft Network Monitor Installations
      4. Countermeasures
      5. Frequently Asked Questions
    7. 20. Spoofing
      1. IP Spoofing
        1. Countermeasures
      2. Spoofing E-Mail
        1. Countermeasures
      3. DNS Spoofing
        1. Attacking the Client
        2. Attacking the DNS Server
        3. Attacking Server Update Zones
        4. Attacking Through the Name Registry
        5. Countermeasures
      4. Frequently Asked Questions
    8. 21. Session Hijacking
      1. Understanding Session Hijacking
      2. Network-Level Session Hijacking
        1. Hijacking a TCP Session
        2. Hijacking a UDP Session
        3. Determining Your Susceptibility to Threats
        4. Countermeasures
        5. Tricks and Techniques
          1. TCP ACK Packet Storms
          2. ARP Table Modifications
          3. TCP Resynchronizing
          4. Remotely Modifying Routing Tables
      3. Host-Level Session Hijacking
        1. User Session Hijacking
          1. Countermeasures
        2. Server Port Hijacking
          1. Detecting Hijack-Susceptible Ports
          2. Countermeasures
      4. Application-Level Hijacking
        1. Detecting Attacks
        2. Countermeasures
      5. Frequently Asked Questions
    9. 22. How Attackers Avoid Detection
      1. Log Flooding
        1. Countermeasures
      2. Logging Mechanisms
        1. Countermeasures
      3. Detection Mechanisms
        1. Countermeasures
      4. Fragmentation
        1. Session Splicing Attacks
        2. Packet Fragmentation Attacks
        3. Fragmentation Time-Out Attacks
        4. Countermeasures
      5. Canonicalization
        1. Countermeasures
      6. Decoys
        1. Countermeasures
      7. How Attackers Avoid Detection Post-Intrusion
        1. Using Rootkits
          1. Countermeasures
        2. Hiding Data
          1. Hidden File Attribute
            1. Hiding Files on Windows Systems
            2. Hiding Files on UNIX Systems
          2. NTFS Alternate File Streams
          3. Replacing and Renaming Files
          4. Steganography
        3. Tampering with Log Files
          1. Countermeasures
      8. Frequently Asked Questions
    10. 23. Attackers Using Non-Network Methods to Gain Access
      1. Gaining Physical Access to Information Resources
        1. Physical Intrusion
          1. Computers
          2. Wiring Closets
          3. Mailrooms, File Cabinets, Labs, and Equipment Rooms
        2. Remote Surveillance
          1. Looking in Windows
          2. High-Tech Shoulder Surfing
          3. Electronic Eavesdropping
            1. Sniffing Wireless Networks
            2. Capturing Traffic Downstream
            3. Retrieving Voice Mail
        3. Targeted Equipment Theft
        4. Dumpsters and Recycling Bins
        5. Lease Returns, Auctions, and Equipment Resales
          1. Computers
          2. Removable Storage Devices and Specialized Hardware
          3. Media
          4. Documentation
      2. Using Social Engineering
        1. Bribery
        2. Assuming a Position of Authority
        3. Forgery
        4. Flattery
      3. Frequently Asked Questions
  9. IV. Security Assessment Case Studies
    1. 24. Web Threats
      1. Client-Level Threats
        1. Cross-Site Scripting Attacks
          1. Finding XSS Vectors
          2. Countermeasures
        2. Unpatched Web Browser Attacks
          1. Countermeasures
      2. Server-Level Threats
        1. Repudiation
        2. Information Disclosure
          1. Server Header Exposure
            1. Countermeasures
          2. Directory Browsing
            1. Countermeasures
        3. Elevation of Privileges
          1. Missing Patches
            1. Countermeasures
          2. Unknown Vulnerabilities
            1. Countermeasures
            2. Mitigating Buffer Overruns with URLScan
            3. MaxUrl
            4. MaxQueryString
            5. "Max-" Header Prefix
            6. MaxAllowedContentLength
          3. Nonessential Services
            1. Operating System Services
            2. Countermeasures
            3. Web Server Services
            4. Countermeasures
          4. Canonicalization Attacks
            1. Countermeasures
        4. Denial of Service
      3. Service-Level Threats
        1. Unauthorized Access
          1. Countermeasures
        2. Network Sniffing
          1. Countermeasures
        3. Tampering
          1. Countermeasures
        4. Information Disclosure
          1. Countermeasures
      4. Frequently Asked Questions
    2. 25. E-Mail Threats
      1. Client-Level Threats
        1. Attaching Malicious Files
          1. Countermeasures
            1. Educate Users
            2. Enable E-Mail Client Protection
            3. Install Antivirus Software
            4. Create Policy
        2. Exploiting Unpatched E-Mail Clients
          1. Countermeasures
        3. Embedding Malicious Content
          1. Countermeasures
        4. Exploiting User Trust
          1. Spoofed E-Mails
            1. Countermeasures
          2. Phishing Attacks
            1. Countermeasures
          3. E-Mail Scams
            1. Countermeasures
      2. Server-Level Threats
        1. Attaching Malicious Files
          1. Countermeasures
        2. Spoofing E-Mail
          1. Countermeasures
        3. Exploiting Unpatched E-Mail Servers
          1. Countermeasures
      3. Spam
        1. Why You Should Be Concerned About Spam
        2. Tricks and Techniques
          1. Confirming E-Mail Addresses Using Unsubscribe Requests
            1. Countermeasures
          2. Using Web Beacons
            1. Countermeasures
          3. Using Windows Messenger Service to Spam
            1. Countermeasures
          4. Bypassing Spam Filters
            1. Countermeasures
          5. Harvesting User E-Mails from Public Discussion Forums
            1. Countermeasures
          6. Randomizing the Contents of Spam
            1. Countermeasures
          7. Abusing Third-Party Mail Relays
            1. Countermeasures
        3. What Is Being Done About Spam
      4. Frequently Asked Questions
    3. 26. Domain Controller Threats
      1. Password Attacks
        1. Countermeasures
          1. Disabling LAN Manager Hashes
          2. Disabling Reversible Encryption
          3. Forcing Strong Passwords Across Domains
          4. Educating Users to Use Secure Passwords
          5. Using the System Key Utility
      2. Elevation of Privilege
        1. Exploiting Nonessential Services
          1. Enumerating Services on Your Domain Controller
        2. Exploiting Nonessential Accounts
          1. Identifying Your Nonessential Accounts
          2. Countermeasures
        3. Exploiting Unpatched Domain Controllers
          1. Countermeasures
        4. Attacking Privileged Domain Accounts and Groups
          1. Identifying Group Membership
          2. Countermeasures
      3. Denial of Service
        1. Countermeasures
      4. Physical Security Threats
        1. Countermeasures
      5. Frequently Asked Questions
    4. 27. Extranet and VPN Threats
      1. Fundamentals of Secure Network Design
        1. Dual-Homed Host
        2. Screened Host
        3. Screened Subnets
        4. Split Screened Subnets
      2. Penetration Testing an Extranet
      3. A Sample Extranet Penetration Test
        1. Gathering Information
        2. Getting Your Foot in the Door
        3. Exploring the Internal Network
        4. Expanding Your Influence
      4. Frequently Asked Questions
  10. V. Appendixes
    1. A. Checklists
      1. Penetration Test Checklists
        1. Chapter 8: Information Reconnaissance
        2. Chapter 9: Host Discovery Using DNS and NetBIOS
        3. Chapter 10: Network and Host Discovery
        4. Chapter 11: Port Scanning
        5. Chapter 12: Obtaining Information from a Host
        6. Chapter 13: War Dialing, War Driving, and Bluetooth Attacks
        7. Chapter 14: Automated Vulnerability Detection
        8. Chapter 15: Password Attacks
        9. Chapter 16: Denial of Service Attacks
        10. Chapter 17: Application Attacks
        11. Chapter 18: Database Attacks
        12. Chapter 19: Network Sniffing
        13. Chapter 20: Spoofing
        14. Chapter 21: Session Hijacking
        15. Chapter 22: How Attackers Avoid Detection
        16. Chapter 23: Attackers Using Non-Network Methods to Gain Access
        17. Chapter 24: Web Threats
        18. Chapter 25: E-Mail Threats
        19. Chapter 26: Domain Controller Threats
        20. Chapter 27: Extranet and VPN Threats
      2. Countermeasures Checklists
        1. Chapter 8: Information Reconnaissance
        2. Chapter 9: Host Discovery Using DNS and NetBIOS
        3. Chapter 10: Network and Host Discovery
        4. Chapter 11: Port Scanning
        5. Chapter 12: Obtaining Information from a Host
        6. Chapter 13: War Dialing, War Driving, and Bluetooth Attacks
        7. Chapter 15: Password Attacks
        8. Chapter 16: Denial of Service Attacks
        9. Chapter 17: Application Attacks
        10. Chapter 18: Database Attacks
        11. Chapter 19: Network Sniffing
        12. Chapter 20: Spoofing
        13. Chapter 21: Session Hijacking
        14. Chapter 22: How Attackers Avoid Detection
        15. Chapter 23: Attackers Using Non-Network Methods to Gain Access
        16. Chapter 24: Web Threats
        17. Chapter 25: E-Mail Threats
        18. Chapter 26: Domain Controller Threats
        19. Chapter 27: Extranet and VPN Threats
    2. B. References
      1. Chapter 1: Introduction to Performing Security Assessments
      2. Chapter 2: Key Principles of Security
      3. Chapter 3: Using Vulnerability Scanning to Assess Network Security
      4. Chapter 4: Conducting a Penetration Test
      5. Chapter 5: Performing IT Security Audits
      6. Chapter 6: Reporting Your Findings
      7. Chapter 7: Building and Maintaining Your Security Assessment Skills
      8. Chapter 8: Information Reconnaissance
      9. Chapter 9: Host Discovery Using DNS and NetBIOS
      10. Chapter 10: Network and Host Discovery
      11. Chapter 11: Port Scanning
      12. Chapter 12: Obtaining Information from a Host
      13. Chapter 13: War Dialing, War Driving, and Bluetooth Attacks
      14. Chapter 14: Automated Vulnerability Detection
      15. Chapter 15: Password Attacks
      16. Chapter 16: Denial of Service Attacks
      17. Chapter 17: Application Attacks
      18. Chapter 18: Database Attacks
      19. Chapter 19: Network Sniffing
      20. Chapter 20: Spoofing
      21. Chapter 21: Session Hijacking
      22. Chapter 22: How Attackers Avoid Detection
      23. Chapter 23: Attackers Using Non-Network Methods to Gain Access
      24. Chapter 24: Web Threats
      25. Chapter 25: E-Mail Threats
      26. Chapter 26: Domain Controller Threats
      27. Chapter 27: Extranet and VPN Threats
    3. About the Authors
  11. Index
  12. About the Authors
  13. Copyright