Network Security Assessment

Book Description

There are hundreds--if not thousands--of techniques used to compromise both Windows and Unix-based systems. Malicious code and new exploit scripts are released on a daily basis, and each evolution becomes more and more sophisticated. Keeping up with the myriad of systems used by hackers in the wild is a formidable task, and scrambling to patch each potential vulnerability or address each new attack one by one is a bit like emptying the Atlantic with a paper cup. If you're a network administrator, the pressure is on you to defend your systems from attack. But short of devoting your life to becoming a security expert, what can you do to ensure the safety of your mission-critical systems? Where do you start? Using the steps laid out by professional security analysts and consultants to identify and assess risks, Network Security Assessment offers an efficient testing model that an administrator can adopt, refine, and reuse to create proactive defensive strategies to protect their systems from the threats that are out there, as well as those still being developed. This thorough and insightful guide covers offensive technologies by grouping and analyzing them at a higher level--from both an offensive and defensive standpoint--helping administrators design and deploy networks that are resistant to offensive exploits, tools, and scripts. Network administrators who need to develop and implement a security assessment program will find everything they're looking for--a proven, expert-tested methodology on which to base their own comprehensive program--in this time-saving new book.

Table of Contents

  1. Network Security Assessment
    1. SPECIAL OFFER: Upgrade this ebook with O’Reilly
    2. A Note Regarding Supplemental Files
    3. Foreword
      1. About Bob Ayers
    4. Preface
      1. Recognized Assessment Standards
        1. NSA IAM
        2. CESG CHECK
      2. Hackers Defined
      3. Organization
      4. Audience
      5. Mirror Site for Tools Mentioned in This Book
      6. Using Code Examples
      7. Conventions Used in This Book
      8. Comments and Questions
      9. Acknowledgments
    5. 1. Network Security Assessment
      1. 1.1. The Business Benefits
      2. 1.2. IP: The Foundation of the Internet
      3. 1.3. Classifying Internet-Based Attackers
      4. 1.4. Assessment Service Definitions
      5. 1.5. Network Security Assessment Methodology
        1. 1.5.1. Internet Host and Network Enumeration
        2. 1.5.2. Bulk Network Scanning and Probing
        3. 1.5.3. Investigation of Vulnerabilities
        4. 1.5.4. Exploitation of Vulnerabilities
      6. 1.6. The Cyclic Assessment Approach
    6. 2. The Tools Required
      1. 2.1. The Operating Systems
        1. 2.1.1. Windows NT Family Platforms
        2. 2.1.2. Linux
        3. 2.1.3. MacOS X
        4. 2.1.4. VMware
      2. 2.2. Free Network Scanning Tools
        1. 2.2.1. nmap
        2. 2.2.2. Nessus
        3. 2.2.3. NSAT
        4. 2.2.4. Foundstone SuperScan
      3. 2.3. Commercial Network Scanning Tools
      4. 2.4. Protocol-Dependent Assessment Tools
        1. 2.4.1. Microsoft NetBIOS, SMB, and CIFS
          1. 2.4.1.1. Enumeration and information gathering tools
          2. 2.4.1.2. Brute-force password guessing tools
        2. 2.4.2. DNS
        3. 2.4.3. HTTP and HTTPS
    7. 3. Internet Host and Network Enumeration
      1. 3.1. Web Search Engines
        1. 3.1.1. Google Advanced Search Functionality
          1. 3.1.1.1. Enumerating CIA contact details with Google
          2. 3.1.1.2. Effective search query strings
        2. 3.1.2. Searching Newsgroups
      2. 3.2. NIC Querying
        1. 3.2.1. NIC Querying Tools and Examples
          1. 3.2.1.1. Using the Sam Spade Windows client
          2. 3.2.1.2. Using the Unix whois utility
          3. 3.2.1.3. Directly querying ARIN
          4. 3.2.1.4. Harvesting user details through WHOIS
      3. 3.3. DNS Querying
        1. 3.3.1. Forward DNS Querying
          1. 3.3.1.1. Forward DNS querying through nslookup
          2. 3.3.1.2. Forward DNS querying through host
          3. 3.3.1.3. Forward DNS querying through dig
          4. 3.3.1.4. Information retrieved through forward DNS querying
        2. 3.3.2. DNS Zone Transfer Techniques
          1. 3.3.2.1. Performing DNS zone transfers with nslookup
          2. 3.3.2.2. Information retrieved through DNS zone transfer
          3. 3.3.2.3. Performing DNS zone transfers using host and dig
          4. 3.3.2.4. Further querying
          5. 3.3.2.5. Mapping subdomains with host
          6. 3.3.2.6. Example of a DNS zone transfer refusal
        3. 3.3.3. Reverse DNS Sweeping
        4. 3.3.4. SMTP Probing
      4. 3.4. Enumeration Technique Recap
      5. 3.5. Enumeration Countermeasures
    8. 4. IP Network Scanning
      1. 4.1. ICMP Probing
        1. 4.1.1. SING
        2. 4.1.2. nmap
        3. 4.1.3. Gleaning Internal IP Addresses
        4. 4.1.4. Identifying Subnet Broadcast Addresses
      2. 4.2. TCP Port Scanning
        1. 4.2.1. Standard Scanning Methods
          1. 4.2.1.1. Vanilla connect( ) scanning
            1. 4.2.1.1.1. Tools that perform connect( ) TCP scanning
          2. 4.2.1.2. Half-open SYN flag scanning
            1. 4.2.1.2.1. Tools that perform half-open SYN scanning
        2. 4.2.2. Stealth TCP Scanning Methods
          1. 4.2.2.1. Inverse TCP flag scanning
            1. 4.2.2.1.1. Tools that perform inverse TCP flag scanning
          2. 4.2.2.2. ACK flag probe scanning
            1. 4.2.2.2.1. Analysis of the TTL field of received packets
            2. 4.2.2.2.2. Analysis of the WINDOW field of received packets
            3. 4.2.2.2.3. Tools that perform ACK flag probe scanning
        3. 4.2.3. Third-Party and Spoofed TCP Scanning Methods
          1. 4.2.3.1. FTP bounce scanning
            1. 4.2.3.1.1. Tools that perform FTP bounce port scanning
          2. 4.2.3.2. Proxy bounce scanning
          3. 4.2.3.3. Sniffer-based spoofed scanning
          4. 4.2.3.4. IP ID header scanning
      3. 4.3. UDP Port Scanning
        1. 4.3.1. Tools That Perform UDP Port Scanning
      4. 4.4. IDS Evasion and Filter Circumvention
        1. 4.4.1. Fragmenting Probe Packets
          1. 4.4.1.1. fragtest
          2. 4.4.1.2. fragroute
            1. 4.4.1.2.1. fragroute.conf
          3. 4.4.1.3. nmap
        2. 4.4.2. Emulating Multiple Attacking Hosts
        3. 4.4.3. Source Routing
          1. 4.4.3.1. Assessing source-routing vulnerabilities
            1. 4.4.3.1.1. lsrscan
            2. 4.4.3.1.2. lsrtunnel
        4. 4.4.4. Using Specific TCP and UDP Source Ports
      5. 4.5. Low-Level IP Assessment
        1. 4.5.1. Analyzing Responses to TCP Probes
          1. 4.5.1.1. hping2
          2. 4.5.1.2. firewalk
        2. 4.5.2. Passively Monitoring ICMP Responses
        3. 4.5.3. IP Fingerprinting
        4. 4.5.4. TCP Sequence and IP ID Incrementation
      6. 4.6. Network Scanning Recap
      7. 4.7. Network Scanning Countermeasures
    9. 5. Assessing Remote Information Services
      1. 5.1. Remote Information Services
      2. 5.2. systat and netstat
      3. 5.3. DNS
        1. 5.3.1. Retrieving DNS Service Version Information
        2. 5.3.2. DNS Zone Transfers
        3. 5.3.3. DNS Information Leaks and Reverse Lookup Attacks
        4. 5.3.4. BIND Vulnerabilities
          1. 5.3.4.1. BIND TSIG overflow exploit
        5. 5.3.5. Microsoft DNS Service Vulnerabilities
          1. 5.3.5.1. Extracting Active Directory network service information
          2. 5.3.5.2. Remote vulnerabilities in the Microsoft DNS server
      4. 5.4. finger
        1. 5.4.1. finger Information Leaks
        2. 5.4.2. finger Redirection
        3. 5.4.3. Directly Exploitable finger Bugs
      5. 5.5. auth
        1. 5.5.1. auth Process Manipulation Vulnerabilities
      6. 5.6. SNMP
        1. 5.6.1. ADMsnmp
        2. 5.6.2. snmpwalk
        3. 5.6.3. Default Community Strings
        4. 5.6.4. Compromising Devices by Reading from SNMP
        5. 5.6.5. Compromising Devices by Writing to SNMP
        6. 5.6.6. SNMP Process-Manipulation Vulnerabilities
      7. 5.7. LDAP
        1. 5.7.1. Anonymous LDAP Access
        2. 5.7.2. LDAP Brute Force
        3. 5.7.3. Active Directory Global Catalog
        4. 5.7.4. LDAP Process Manipulation Vulnerabilities
      8. 5.8. rwho
      9. 5.9. RPC rusers
      10. 5.10. Remote Information Services Countermeasures
    10. 6. Assessing Web Services
      1. 6.1. Web Services
      2. 6.2. Identifying the Web Service
        1. 6.2.1. HTTP HEAD
        2. 6.2.2. HTTP OPTIONS
          1. 6.2.2.1. Common HTTP OPTIONS responses
        3. 6.2.3. Automated Web Service Fingerprinting
          1. 6.2.3.1. WebServerFP
          2. 6.2.3.2. hmap
          3. 6.2.3.3. 404print
        4. 6.2.4. Identifying the Web Service Through an SSL Tunnel
      3. 6.3. Identifying Subsystems and Components
        1. 6.3.1. ASP.NET
        2. 6.3.2. WebDAV
        3. 6.3.3. Microsoft FrontPage
        4. 6.3.4. Microsoft Outlook Web Access
          1. 6.3.4.1. Exchange 5.5 OWA public folders information leak
        5. 6.3.5. Default IIS ISAPI Extensions
        6. 6.3.6. PHP
        7. 6.3.7. OpenSSL
      4. 6.4. Investigating Web Service Vulnerabilities
        1. 6.4.1. The Tools
          1. 6.4.1.1. nikto
          2. 6.4.1.2. N-Stealth
        2. 6.4.2. Security Web Sites and Mailing Lists
        3. 6.4.3. Microsoft IIS Vulnerabilities
          1. 6.4.3.1. IIS ASP sample scripts and tools
          2. 6.4.3.2. HTR (ISM.DLL) extension exposures
            1. 6.4.3.2.1. IIS HTR administrative scripts
            2. 6.4.3.2.2. HTR process-manipulation vulnerabilities
            3. 6.4.3.2.3. Reading sensitive files through HTR requests
          3. 6.4.3.3. HTW (WEBHITS.DLL) extension exposures
          4. 6.4.3.4. IIS Unicode exploit
            1. 6.4.3.4.1. Unicode revisited
            2. 6.4.3.4.2. Unicode limitations and tools
          5. 6.4.3.5. PRINTER (MSW3PRT.DLL) extension overflow
          6. 6.4.3.6. IDA (IDQ.DLL) extension overflow
          7. 6.4.3.7. IIS WebDAV vulnerability
          8. 6.4.3.8. Microsoft FrontPage exposures
          9. 6.4.3.9. Poorly configured IIS permissions
        4. 6.4.4. Apache Vulnerabilities
          1. 6.4.4.1. Apache chunk-handling vulnerability
            1. 6.4.4.1.1. Apache chunk handling BSD exploit
            2. 6.4.4.1.2. Apache chunk handling Win32 exploit
          2. 6.4.4.2. Other Apache exposures and vulnerabilities
        5. 6.4.5. OpenSSL Vulnerabilities
          1. 6.4.5.1. OpenSSL client key overflow
          2. 6.4.5.2. Other OpenSSL exposures and vulnerabilities
        6. 6.4.6. HTTP Proxy Component Exposures
          1. 6.4.6.1. HTTP CONNECT
          2. 6.4.6.2. HTTP POST
          3. 6.4.6.3. HTTP GET
          4. 6.4.6.4. Testing HTTP proxies
      5. 6.5. Accessing Poorly Protected Information
        1. 6.5.1. Brute-Forcing HTTP Authentication
      6. 6.6. Assessing CGI Scripts and Custom ASP Pages
        1. 6.6.1. Parameter Manipulation and Filter Evasion
          1. 6.6.1.1. URL query-string manipulation
          2. 6.6.1.2. User cookie manipulation
          3. 6.6.1.3. Form field manipulation
          4. 6.6.1.4. Filter evasion
        2. 6.6.2. Error-Handling Problems
        3. 6.6.3. Operating System Command Injection
          1. 6.6.3.1. Run arbitrary system commands
          2. 6.6.3.2. Modify parameters passed to system commands
          3. 6.6.3.3. Execute additional commands
          4. 6.6.3.4. Operating system command-injection countermeasures
        4. 6.6.4. SQL Command Injection
          1. 6.6.4.1. Basic testing methodology
          2. 6.6.4.2. Calling stored procedures
            1. 6.6.4.2.1. xp_cmdshell
            2. 6.6.4.2.2. sp_makewebtask
            3. 6.6.4.2.3. xp_regread
          3. 6.6.4.3. Compromising data using SELECT and INSERT
        5. 6.6.5. Web Application Assessment Tools
          1. 6.6.5.1. Achilles
      7. 6.7. Web Services Countermeasures
    11. 7. Assessing Remote Maintenance Services
      1. 7.1. Remote Maintenance Services
      2. 7.2. SSH
        1. 7.2.1. SSH Fingerprinting
        2. 7.2.2. SSH Brute-Force Password Grinding
        3. 7.2.3. SSH Vulnerabilities
          1. 7.2.3.1. SSH1 CRC32 compensation vulnerability
          2. 7.2.3.2. SSH1 CRC32 compensation exploit
          3. 7.2.3.3. OpenSSH challenge-response vulnerability
          4. 7.2.3.4. OpenSSH challenge-response exploit
          5. 7.2.3.5. Other remotely exploitable SSH flaws
      3. 7.3. Telnet
        1. 7.3.1. Telnet Service Fingerprinting
          1. 7.3.1.1. telnetfp
          2. 7.3.1.2. Manual telnet fingerprinting
        2. 7.3.2. Telnet Brute-Force Password-Grinding
          1. 7.3.2.1. Common device telnet passwords
          2. 7.3.2.2. Dictionary files and word lists
        3. 7.3.3. Telnet Vulnerabilities
          1. 7.3.3.1. System V-derived /bin/login static overflow vulnerability
          2. 7.3.3.2. Solaris /bin/login static overflow exploits
          3. 7.3.3.3. BSD-derived telrcv( ) heap overflow vulnerability
          4. 7.3.3.4. FreeBSD telrcv( ) heap overflow exploit
          5. 7.3.3.5. Other remotely exploitable Telnet bugs
      4. 7.4. R-Services
        1. 7.4.1. Directly Accessing R-Services
          1. 7.4.1.1. Unix ~/.rhosts and /etc/hosts.equiv files
        2. 7.4.2. R-Services Brute Force
        3. 7.4.3. Spoofing RSH Connections
        4. 7.4.4. Known R-Services Vulnerabilities
      5. 7.5. X Windows
        1. 7.5.1. X Windows Authentication
          1. 7.5.1.1. xhost
          2. 7.5.1.2. xauth
        2. 7.5.2. Assessing X Servers
          1. 7.5.2.1. List open windows
          2. 7.5.2.2. Take screenshots of specific open windows
          3. 7.5.2.3. Capture keystrokes typed in specific windows
          4. 7.5.2.4. Send keystrokes to specific windows
        3. 7.5.3. Known X Window System Vulnerabilities
      6. 7.6. Microsoft Remote Desktop Protocol
        1. 7.6.1. RDP Brute-Force Password Grinding
        2. 7.6.2. RDP Vulnerabilities
      7. 7.7. VNC
        1. 7.7.1. VNC Brute-Force Password Grinding
      8. 7.8. Citrix
        1. 7.8.1. Using The Citrix ICA Client
        2. 7.8.2. Accessing Nonpublic Published Applications
        3. 7.8.3. Citrix Vulnerabilities
      9. 7.9. Remote Maintenance Services Countermeasures
    12. 8. Assessing FTP and Database Services
      1. 8.1. FTP
      2. 8.2. FTP Banner Grabbing and Enumeration
        1. 8.2.1. Analyzing FTP Banners
        2. 8.2.2. Assessing FTP Permissions
      3. 8.3. FTP Brute-Force Password Guessing
      4. 8.4. FTP Bounce Attacks
        1. 8.4.1. FTP Bounce Port Scanning
        2. 8.4.2. FTP Bounce Exploit Payload Delivery
      5. 8.5. Circumventing Stateful Filters Using FTP
        1. 8.5.1. PORT and PASV
        2. 8.5.2. PASV Abuse
      6. 8.6. FTP Process Manipulation Attacks
        1. 8.6.1. Solaris and BSD FTP Globbing Issues
        2. 8.6.2. WU-FTPD Vulnerabilities
          1. 8.6.2.1. Exploiting WU-FTPD 2.6.1 on Linux with 7350wurm
        3. 8.6.3. ProFTPD Vulnerabilities
        4. 8.6.4. Microsoft IIS FTP Server
      7. 8.7. FTP Services Countermeasures
      8. 8.8. Database Services
      9. 8.9. Microsoft SQL Server
        1. 8.9.1. SQL Server Enumeration
        2. 8.9.2. SQL Server Brute Force
          1. 8.9.2.1. SQLAT
        3. 8.9.3. SQL Server Process Manipulation Vulnerabilities
      10. 8.10. Oracle
        1. 8.10.1. TNS Listener Enumeration and Information Leak Attacks
          1. 8.10.1.1. Pinging the TNS Listener
          2. 8.10.1.2. Retrieving Oracle version and platform information
          3. 8.10.1.3. Other TNS Listener commands
          4. 8.10.1.4. Retrieving the current status of the TNS Listener
          5. 8.10.1.5. Executing an information leak attack
        2. 8.10.2. TNS Listener Process-Manipulation Vulnerabilities
          1. 8.10.2.1. TNS Listener COMMAND stack overflow (CVE-2001-0499) exploit
          2. 8.10.2.2. Creating files using the TNS Listener (CVE-2000-0818)
        3. 8.10.3. Oracle Brute-Force and Post-Authentication Issues
          1. 8.10.3.1. OAT
          2. 8.10.3.2. MetaCoretex
      11. 8.11. MySQL
        1. 8.11.1. MySQL Enumeration
        2. 8.11.2. MySQL Brute Force
        3. 8.11.3. MySQL Process-Manipulation Vulnerabilities
      12. 8.12. Database Services Countermeasures
    13. 9. Assessing Windows Networking Services
      1. 9.1. Microsoft Windows Networking Services
        1. 9.1.1. SMB, CIFS, and NetBIOS
      2. 9.2. Microsoft RPC Services
        1. 9.2.1. Enumerating System Information
          1. 9.2.1.1. epdump
          2. 9.2.1.2. Known IFID values
          3. 9.2.1.3. rpdump and ifids
          4. 9.2.1.4. RpcScan
        2. 9.2.2. Gleaning User Details via SAMR and LSARPC Interfaces
          1. 9.2.2.1. walksam
          2. 9.2.2.2. rpcclient
        3. 9.2.3. Brute-Forcing Administrator Passwords
        4. 9.2.4. Executing Arbitrary Commands
        5. 9.2.5. Exploiting RPC Services Directly
      3. 9.3. The NetBIOS Name Service
        1. 9.3.1. Enumerating System Details
        2. 9.3.2. Attacking the NetBIOS Name Service
      4. 9.4. The NetBIOS Datagram Service
      5. 9.5. The NetBIOS Session Service
        1. 9.5.1. Enumerating System Details
          1. 9.5.1.1. enum
          2. 9.5.1.2. winfo
          3. 9.5.1.3. GetAcct
        2. 9.5.2. Brute-Forcing User Passwords
        3. 9.5.3. Authenticating with NetBIOS
        4. 9.5.4. Executing Commands
        5. 9.5.5. Accessing and Modifying Registry Keys
        6. 9.5.6. Accessing The SAM Database
      6. 9.6. The CIFS Service
        1. 9.6.1. CIFS Enumeration
          1. 9.6.1.1. User enumeration through smbdumpusers
        2. 9.6.2. CIFS Brute Force
      7. 9.7. Unix Samba Vulnerabilities
      8. 9.8. Windows Networking Services Countermeasures
    14. 10. Assessing Email Services
      1. 10.1. Email Service Protocols
      2. 10.2. SMTP
        1. 10.2.1. SMTP Service Fingerprinting
        2. 10.2.2. Sendmail
          1. 10.2.2.1. Sendmail information leak exposures
            1. 10.2.2.1.1. EXPN
            2. 10.2.2.1.2. VRFY
            3. 10.2.2.1.3. RCPT TO:
          2. 10.2.2.2. Automating Sendmail user enumeration
          3. 10.2.2.3. Sendmail process manipulation vulnerabilities
        3. 10.2.3. Microsoft Exchange SMTP Service
        4. 10.2.4. SMTP Open Relay Testing
        5. 10.2.5. SMTP Relay and Anti-Virus Circumvention
      3. 10.3. POP-2 and POP-3
        1. 10.3.1. POP-3 Brute-Force Password-Grinding
        2. 10.3.2. POP-3 Process Manipulation Attacks
          1. 10.3.2.1. Qualcomm QPOP process-manipulation vulnerabilities
          2. 10.3.2.2. Microsoft Exchange POP-3 process-manipulation vulnerabilities
      4. 10.4. IMAP
        1. 10.4.1. IMAP Brute Force
        2. 10.4.2. IMAP Process Manipulation Attacks
      5. 10.5. Email Services Countermeasures
    15. 11. Assessing IP VPN Services
      1. 11.1. IPsec VPNs
        1. 11.1.1. ISAKMP and IKE
          1. 11.1.1.1. Main mode IKE
          2. 11.1.1.2. Aggressive mode IKE
      2. 11.2. Attacking IPsec VPNs
        1. 11.2.1. IPsec Enumeration
        2. 11.2.2. Initial ISAKMP Service Probing
        3. 11.2.3. Investigating Known ISAKMP and IKE Weaknesses
        4. 11.2.4. Aggressive Mode IKE PSK Cracking
      3. 11.3. Check Point VPN Security Issues
        1. 11.3.1. Check Point IKE Username Enumeration
        2. 11.3.2. Check Point Telnet Service Username Enumeration
        3. 11.3.3. Check Point SecuRemote Information Leak Attacks
          1. 11.3.3.1. Sniffing interface IP addresses
          2. 11.3.3.2. Downloading SecuRemote network topology information
        4. 11.3.4. Check Point RDP Firewall Bypass Vulnerability
      4. 11.4. Microsoft PPTP
      5. 11.5. VPN Services Countermeasures
    16. 12. Assessing Unix RPC Services
      1. 12.1. Enumerating Unix RPC Services
        1. 12.1.1. Identifying RPC Services Without the Portmapper
      2. 12.2. RPC Service Vulnerabilities
        1. 12.2.1. Abusing rpc.mountd (100005)
          1. 12.2.1.1. CVE-1999-0002
          2. 12.2.1.2. CVE-2003-0252
          3. 12.2.1.3. Listing and accessing exported directories through mountd and NFS
        2. 12.2.2. Multiple Vendor rpc.statd (100024) Vulnerabilities
          1. 12.2.2.1. CVE-1999-0018 and CVE-1999-0019
          2. 12.2.2.2. CVE-1999-0493
          3. 12.2.2.3. CVE-2000-0666
        3. 12.2.3. Solaris rpc.sadmind (100232) Vulnerabilities
          1. 12.2.3.1. CVE-1999-0977
          2. 12.2.3.2. CVE-2003-0722
        4. 12.2.4. Solaris rpc.cachefsd (100235) Vulnerability
        5. 12.2.5. Solaris rpc.snmpXdmid (100249) Vulnerability
        6. 12.2.6. Multiple Vendor rpc.cmsd (100068) Vulnerabilities
        7. 12.2.7. Multiple Vendor rpc.ttdbserverd (100083) Vulnerability
          1. 12.2.7.1. Solaris rpc.ttdbserverd exploit
          2. 12.2.7.2. IRIX rpc.ttdbserverd exploit
      3. 12.3. Unix RPC Services Countermeasures
    17. 13. Application-Level Risks
      1. 13.1. The Fundamental Hacking Concept
      2. 13.2. The Reasons Why Software Is Vulnerable
      3. 13.3. Network Service Vulnerabilities and Attacks
        1. 13.3.1. Memory Manipulation Attacks
        2. 13.3.2. Runtime Memory Organization
          1. 13.3.2.1. The text segment
          2. 13.3.2.2. The data and BSS segments
          3. 13.3.2.3. The stack
          4. 13.3.2.4. The heap
        3. 13.3.3. Processor Registers and Memory
      4. 13.4. Classic Buffer-Overflow Vulnerabilities
        1. 13.4.1. Stack Overflows
        2. 13.4.2. Stack Smash (Saved Instruction Pointer Overwrite)
          1. 13.4.2.1. Causing a program crash
          2. 13.4.2.2. Compromising the logical program flow
          3. 13.4.2.3. Analyzing the program crash
          4. 13.4.2.4. Creating and injecting shellcode
        3. 13.4.3. Stack Off-by-One (Saved Frame Pointer Overwrite)
          1. 13.4.3.1. Analyzing the program crash
          2. 13.4.3.2. Exploiting an off-by-one bug to modify the instruction pointer
          3. 13.4.3.3. Exploiting an off-by-one bug to modify data in the parent function's stack frame
          4. 13.4.3.4. Off-by-one effectiveness against different processor architectures
      5. 13.5. Heap Overflows
        1. 13.5.1. Overflowing the Heap to Compromise Program Flow
        2. 13.5.2. Other Heap Corruption Attacks
          1. 13.5.2.1. Heap off-by-one and off-by-five bugs
          2. 13.5.2.2. Double-free bugs
          3. 13.5.2.3. Recommended further reading
      6. 13.6. Integer Overflows
        1. 13.6.1. Heap Wrap-Around Attacks
        2. 13.6.2. Negative-Size Bugs
      7. 13.7. Format String Bugs
        1. 13.7.1. Reading Adjacent Items on the Stack
        2. 13.7.2. Reading Data From any Address on the Stack
        3. 13.7.3. Overwriting Any Word in Memory
        4. 13.7.4. Recommended Format String Bug Reading
      8. 13.8. Memory Manipulation Attacks Recap
      9. 13.9. Mitigating Process Manipulation Risks
        1. 13.9.1. Nonexecutable Stack and Heap Implementation
        2. 13.9.2. Use of Canary Values in Memory
        3. 13.9.3. Running Unusual Server Architecture
        4. 13.9.4. Compiling Applications From Source
        5. 13.9.5. Active System Call Monitoring
      10. 13.10. Recommended Secure Development Reading
    18. 14. Example Assessment Methodology
      1. 14.1. Network Scanning
        1. 14.1.1. Initial Network Scanning
        2. 14.1.2. Full Network Scanning
        3. 14.1.3. Low-Level Network Testing
          1. 14.1.3.1. TCP ISN sequence generation
          2. 14.1.3.2. IP ID sequence generation
          3. 14.1.3.3. Source routing testing
          4. 14.1.3.4. Other tests
      2. 14.2. Accessible Network Service Identification
        1. 14.2.1. Initial Telnet Service Assessment
        2. 14.2.2. Initial SSH Service Assessment
        3. 14.2.3. Initial SMTP Service Assessment
        4. 14.2.4. Initial Web Service Assessment
          1. 14.2.4.1. ASP.NET investigation
          2. 14.2.4.2. ISAPI extension enumeration
          3. 14.2.4.3. Automated scanning for FrontPage and OWA components
          4. 14.2.4.4. SSL web service investigation
      3. 14.3. Investigation of Known Vulnerabilities
        1. 14.3.1. Cisco IOS Accessible Service Vulnerabilities
        2. 14.3.2. Solaris 8 Accessible Service Vulnerabilities
        3. 14.3.3. Windows 2000 Accessible Service Vulnerabilities
      4. 14.4. Network Service Testing
        1. 14.4.1. Cisco IOS Router (192.168.10.1)
        2. 14.4.2. Solaris Mail Server (192.168.10.10)
        3. 14.4.3. Windows 2000 Web Server (192.168.10.25)
      5. 14.5. Methodology Flow Diagram
      6. 14.6. Recommendations
        1. 14.6.1. Quick Win Recommendations
          1. 14.6.1.1. Cisco IOS router
          2. 14.6.1.2. Solaris mail server
          3. 14.6.1.3. Windows 2000 web server
            1. 14.6.1.3.1. Disable unnecessary ISAPI extensions
            2. 14.6.1.3.2. Install URLScan to block HTTP methods and filter requests
        2. 14.6.2. Long-Term Recommendations
      7. 14.7. Closing Comments
    19. A. TCP, UDP Ports, and ICMP Message Types
      1. A.1. TCP Ports
      2. A.2. UDP Ports
      3. A.3. ICMP Message Types
    20. B. Sources of Vulnerability Information
      1. B.1. Security Mailing Lists
      2. B.2. Vulnerability Databases and Lists
      3. B.3. Underground Web Sites
      4. B.4. Security Events and Conferences
    21. Index
    22. Colophon
    23. SPECIAL OFFER: Upgrade this ebook with O’Reilly