Network Security Assessment, 3rd Edition

Book Description

How secure is your network? The best way to find out is to attack it, using the same tactics attackers employ to identify and exploit weaknesses. With the third edition of this practical book, you’ll learn how to perform network-based penetration testing in a structured manner. Security expert Chris McNab demonstrates common vulnerabilities, and the steps you can take to identify them in your environment.

Table of Contents

  1. Preface
    1. Overview
    2. Audience
    3. Organization
    4. Use of RFC and CVE References
    5. Vulnerabilities Covered in This Book
    6. Recognized Assessment Standards
      1. NIST SP 800-115
      2. NSA IAM
      3. CESG CHECK
      4. CESG Recognized Qualifications
      5. PCI DSS
      6. PTES
    7. Mirror Site for Tools Mentioned in This Book
    8. Using Code Examples
    9. Conventions Used in This Book
    10. O’Reilly Safari
    11. Comments and Questions
    12. Acknowledgments
      1. Technical Reviewers and Contributors
  2. 1. Introduction to Network Security Assessment
    1. The State of the Art
    2. Threats and Attack Surface
      1. Attacking Client Software
      2. Attacking Server Software
      3. Attacking Web Applications
      4. Exposed Logic
    3. Assessment Flavors
      1. Static Analysis
      2. Dynamic Testing
    4. What This Book Covers
  3. 2. Assessment Workflow and Tools
    1. Network Security Assessment Methodology
      1. Reconnaissance
      2. Vulnerability Scanning
      3. Investigation of Vulnerabilities
      4. Exploitation of Vulnerabilities
      5. An Iterative Assessment Approach
    2. Your Testing Platform
      1. Updating Kali Linux
      2. Deploying a Vulnerable Server
  4. 3. Vulnerabilities and Adversaries
    1. The Fundamental Hacking Concept
    2. Why Software Is Vulnerable
    3. Considering Attack Surface
    4. A Taxonomy of Software Security Errors
    5. Threat Modeling
      1. System Components
      2. Adversarial Goals
      3. System Access and Execution Context
      4. Attacker Economics
    6. Attacking C/C++ Applications
      1. Runtime Memory Layout
      2. Processor Registers and Memory
      3. Writing to Memory
      4. Reading from Memory
      5. Compiler and OS Security Features
      6. Circumventing Common Safety Features
    7. Logic Flaws and Other Bugs
    8. Cryptographic Weaknesses
    9. Vulnerabilities and Adversaries Recap
  5. 4. Internet Network Discovery
    1. Querying Search Engines and Websites
      1. Google Search
      2. Querying Netcraft
      3. Using Shodan
      4. DomainTools
      5. PGP Public Key Servers
      6. Searching LinkedIn
    2. Domain WHOIS
      1. Manual WHOIS Querying
    3. IP WHOIS
      1. IP WHOIS Querying Tools and Examples
    4. BGP Enumeration
    5. DNS Querying
      1. Forward DNS Querying
      2. DNS Zone Transfer Techniques
      3. Forward DNS Grinding
      4. Reverse DNS Sweeping
      5. IPv6 Host Enumeration
      6. Cross-Referencing DNS Datasets
    6. SMTP Probing
    7. Automating Enumeration
    8. Enumeration Technique Recap
    9. Enumeration Countermeasures
  6. 5. Local Network Discovery
    1. Data Link Protocols
      1. 802.3 Ethernet Testing
      2. 802.1Q VLAN
      3. 802.1X PNAC
      4. CDP
      5. 802.1D STP
    2. Local IP Protocols
      1. DHCP
      2. PXE
      3. LLMNR, NBT-NS, and mDNS
      4. WPAD
      5. Internal Routing Protocols
      6. IPv6 Network Discovery
      7. Identifying Local Gateways
    3. Local Network Discovery Recap
    4. Local Network Attack Countermeasures
  7. 6. IP Network Scanning
    1. Initial Network Scanning with Nmap
      1. ICMP
      2. TCP
      3. UDP
      4. SCTP
      5. Bringing Everything Together
    2. Low-Level IP Assessment
      1. Crafting Arbitrary Packets
      2. TCP/IP Stack Fingerprinting
      3. IP ID Analysis
      4. Manipulating TTL to Reverse Engineer ACLs
      5. Revealing Internal IP Addresses
    3. Vulnerability Scanning with NSE
    4. Bulk Vulnerability Scanning
    5. IDS and IPS Evasion
      1. TTL Manipulation
      2. Data Insertion and Scrambling with SniffJoke
      3. Configuring and Running SniffJoke
    6. Network Scanning Recap
    7. Network Scanning Countermeasures
  8. 7. Assessing Common Network Services
    1. FTP
      1. Fingerprinting FTP Services
      2. Known FTP Vulnerabilities
    2. TFTP
      1. Known TFTP Vulnerabilities
    3. SSH
      1. Fingerprinting
      2. Enumerating Features
      3. Default and Hardcoded Credentials
      4. Insecurely Generated Host Keys
      5. SSH Server Software Flaws
    4. Telnet
      1. Default Telnet Credentials
      2. Telnet Server Software Flaws
    5. IPMI
    6. DNS
      1. Fingerprinting
      2. Testing for Recursion Support
      3. Known DNS Server Flaws
    7. Multicast DNS
    8. NTP
    9. SNMP
      1. Exploiting SNMP
    10. LDAP
      1. LDAP Authentication
      2. LDAP Operations
      3. LDAP Directory Structure
      4. Fingerprinting and Anonymous Binding
      5. Brute-Force Password Grinding
      6. Obtaining Sensitive Data
      7. LDAP Server Implementation Flaws
    11. Kerberos
      1. Kerberos Keys
      2. Ticket Format
      3. Kerberos Attack Surface
      4. Local Attacks
      5. Unauthenticated Remote Attacks
      6. Kerberos Implementation Flaws
    12. VNC
      1. Attacking VNC Servers
    13. Unix RPC Services
      1. Manually Querying Exposed RPC Services
      2. RPC Service Vulnerabilities
    14. Common Network Service Assessment Recap
    15. Service Hardening and Countermeasures
  9. 8. Assessing Microsoft Services
    1. NetBIOS Name Service
    2. SMB
    3. Microsoft RPC Services
    4. Attacking SMB and RPC
      1. Mapping Network Attack Surface
      2. Anonymous IPC Access via SMB
      3. SMB Implementation Flaws
      4. Identifying Exposed RPC Services
      5. Brute-Force Password Grinding
      6. Authenticating and Using Access
    5. Remote Desktop Services
      1. Brute-Force Password Grinding
      2. Assessing Transport Security
      3. RDP Implementation Flaws
    6. Microsoft Services Testing Recap
    7. Microsoft Services Countermeasures
  10. 9. Assessing Mail Services
    1. Mail Protocols
    2. SMTP
      1. Service Fingerprinting
      2. Mapping SMTP Architecture
      3. Enumerating Supported Commands and Extensions
      4. Remotely Exploitable Flaws
      5. User Account Enumeration
      6. Brute-Force Password Grinding
      7. Content Checking Circumvention
      8. Review of Mail Security Features
      9. Phishing via SMTP
    3. POP3
      1. Service Fingerprinting
      2. Brute-Force Password Grinding
    4. IMAP
      1. Service Fingerprinting
      2. Brute-Force Password Grinding
      3. Known IMAP Server Flaws
    5. Mail Services Testing Recap
    6. Mail Services Countermeasures
  11. 10. Assessing VPN Services
    1. IPsec
      1. Packet Format
      2. ISAKMP, IKE, and IKEv2
      3. IKE Assessment
      4. Exploitable IPsec Weaknesses
    2. PPTP
    3. VPN Testing Recap
    4. VPN Services Countermeasures
  12. 11. Assessing TLS Services
    1. TLS Mechanics
      1. Session Negotiation
      2. Cipher Suites
      3. Key Exchange and Authentication
      4. TLS Authentication
      5. Session Resumption
      6. Session Renegotiation
      7. Compression
      8. STARTTLS
    2. Understanding TLS Vulnerabilities
      1. Exploitable Flaws
      2. Mitigating TLS Exposures
    3. Assessing TLS Endpoints
      1. Identifying the TLS Library and Version
      2. Enumerating Supported Protocols and Cipher Suites
      3. Enumerating Supported Features and Extensions
      4. Certificate Review
      5. Stress Testing TLS Endpoints
      6. Manually Accessing TLS-Wrapped Services
    4. TLS Service Assessment Recap
    5. TLS Hardening
    6. Web Application Hardening
  13. 12. Web Application Architecture
    1. Web Application Types
    2. Web Application Tiers
      1. The Presentation Tier
      2. TLS
      3. HTTP
      4. CDNs
      5. Load Balancers
      6. Presentation-Tier Data Formats
      7. The Application Tier
      8. Application-Tier Data Formats
      9. The Data Tier
  14. 13. Assessing Web Servers
    1. Identifying Proxy Mechanisms
    2. Enumerating Valid Hosts
    3. Web Server Profiling
      1. Analyzing Server Responses
      2. HTTP Header Review
      3. Crawling and Investigation of Content
    4. Active Scanning
      1. WAF Detection
      2. Server and Application Framework Fingerprinting
      3. Identifying Exposed Content
    5. Qualifying Web Server Vulnerabilities
      1. Reviewing Exposed Content
      2. Brute-Force Password Grinding
      3. Investigating Supported HTTP Methods
      4. Known Microsoft IIS Vulnerabilities
      5. Known Apache HTTP Server Flaws
      6. Known Apache Coyote Weaknesses
      7. Known Nginx Defects
    6. Web Server Hardening
  15. 14. Assessing Web Application Frameworks
    1. Framework and Data Store Profiling
    2. Understanding Common Flaws
    3. PHP
      1. PHP Management Consoles
      2. PHP CMS Packages
    4. Apache Tomcat
      1. The Manager Application
      2. Known Tomcat Flaws
      3. Attacking Apache JServ Protocol
    5. JBoss Testing
      1. Server Profiling via HTTP
      2. Web Consoles and Invoker Servlets
      3. Identifying MBeans
      4. Exploiting MBeans
      5. Exploiting the RMI Distributed Garbage Collector
      6. Known JBoss Vulnerabilities
      7. Automated JBoss Scanning
    6. Apache Struts
      1. Exploiting the DefaultActionMapper
    7. JDWP
    8. Adobe ColdFusion
      1. ColdFusion Profiling
      2. Exposed Management Interfaces
      3. Known ColdFusion Software Defects
      4. Apache Solr Vulnerabilities
    9. Django
    10. Rails
      1. Using an Application’s Secret Token
    11. Node.js
    12. Microsoft ASP.NET
    13. Application Framework Security Checklist
  16. 15. Assessing Data Stores
    1. MySQL
      1. Brute-Force Password Grinding
      2. Authenticated MySQL Attacks
    2. PostgreSQL
      1. Brute-Force Password Grinding
      2. Authenticated PostgreSQL Attacks
    3. Microsoft SQL Server
      1. Brute-Force Password Grinding
      2. Authenticating and Evaluating Configuration
    4. Oracle Database
      1. Interacting with the TNS Listener
      2. Oracle SID Grinding
      3. Database Account Password Grinding
      4. Authenticating with Oracle Database
      5. Privilege Escalation and Pivoting
    5. MongoDB
    6. Redis
      1. Known Weaknesses
    7. Memcached
    8. Apache Hadoop
    9. NFS
    10. Apple Filing Protocol
    11. iSCSI
    12. Data Store Countermeasures
  17. A. Common Ports and Message Types
    1. TCP Ports
    2. UDP Ports
    3. ICMP Message Types
  18. B. Sources of Vulnerability Information
    1. Twitter Accounts
    2. Bug Trackers
    3. Mailing Lists
    4. Security Events and Conferences
  19. C. Unsafe TLS Cipher Suites
  20. Glossary of Terms
  21. Index