Penetration Testing and Network Defense

Book Description

The practical guide to simulating, detecting, and responding to network attacks 

  • Create step-by-step testing plans

  • Learn to perform social engineering and host reconnaissance

  • Evaluate session hijacking methods

  • Exploit web server vulnerabilities

  • Detect attempts to breach database security

  • Use password crackers to obtain access information

  • Circumvent Intrusion Prevention Systems (IPS) and firewall protections and disrupt the service of routers and switches

  • Scan and penetrate wireless networks

  • Understand the inner workings of Trojan Horses, viruses, and other backdoor applications

  • Test UNIX, Microsoft, and Novell servers for vulnerabilities

  • Learn the root cause of buffer overflows and how to prevent them

  • Perform and prevent Denial of Service attacks

Penetration testing is a growing field, but there has yet to be a definitive resource that instructs ethical hackers on how to perform a penetration test with the ethics and responsibilities of testing in mind. Penetration Testing and Network Defense offers detailed steps on how to emulate an outside attacker in order to assess the security of a network.

Unlike other books on hacking, this book is specifically geared towards penetration testing. It includes important information about liability issues and ethics as well as procedures and documentation. Using popular open-source and commercial applications, the book shows you how to perform a penetration test on an organization’s network, from creating a test plan to performing social engineering and host reconnaissance to performing simulated attacks on both wired and wireless networks.

Penetration Testing and Network Defense also goes a step further than other books on hacking, as it demonstrates how to detect an attack on a live network. By detailing the method of an attack and how to spot an attack on your network, this book better prepares you to guard against hackers. You will learn how to configure, record, and thwart these attacks and how to harden a system to protect it against future internal and external attacks.

Full of real-world examples and step-by-step procedures, this book is both an enjoyable read and full of practical advice that will help you assess network security and develop a plan for locking down sensitive data and company resources.

“This book goes to great lengths to explain the various testing approaches that are used today and gives excellent insight into how a responsible penetration testing specialist executes his trade.”

–Bruce Murphy, Vice President, World Wide Security Services, Cisco Systems®

Table of Contents

    1. Copyright
      1. Dedications
    2. About the Authors
    3. About the Technical Reviewers
    4. Acknowledgments
    5. Icons Used in This Book
    6. Command Syntax Conventions
    7. Foreword
    8. Introduction
      1. Who Should Read this Book
      2. Ethical Considerations
      3. How This Book Is Organized
    9. I. Overview of Penetration Testing
      1. 1. Understanding Penetration Testing
        1. Defining Penetration Testing
        2. Assessing the Need for Penetration Testing
          1. Proliferation of Viruses and Worms
          2. Wireless LANs
          3. Complexity of Networks Today
          4. Frequency of Software Updates
          5. Availability of Hacking Tools
          6. The Nature of Open Source
          7. Reliance on the Internet
          8. Unmonitored Mobile Users and Telecommuters
          9. Marketing Demands
          10. Industry Regulations
          11. Administrator Trust
          12. Business Partnerships
          13. Hacktivism
        3. Attack Stages
        4. Choosing a Penetration Testing Vendor
        5. Preparing for the Test
        6. Summary
      2. 2. Legal and Ethical Considerations
        1. Ethics of Penetration Testing
        2. Laws
          1. U.S. Laws Pertaining to Hacking
            1. 1973 U.S. Code of Fair Information Practices
            2. 1986 Computer Fraud and Abuse Act (CFAA)
            3. State Laws
          2. Regulatory Laws
            1. 1996 U.S. Kennedy-Kassebaum Health Insurance Portability and Accountability Act (HIPAA)
            2. Gramm-Leach-Bliley (GLB)
            3. USA PATRIOT Act
            4. 2002 Federal Information Security Management Act (FISMA)
            5. 2003 Sarbanes-Oxley Act (SOX)
          3. Non-U.S. Laws Pertaining to Hacking
        3. Logging
        4. To Fix or Not to Fix
        5. Summary
      3. 3. Creating a Test Plan
        1. Step-by-Step Plan
          1. Defining the Scope
          2. Social Engineering
          3. Session Hijacking
          4. Trojan/Backdoor
        2. Open-Source Security Testing Methodology Manual
        3. Documentation
          1. Executive Summary
          2. Project Scope
          3. Results Analysis
          4. Summary
          5. Appendixes
        4. Summary
    10. II. Performing the Test
      1. 4. Performing Social Engineering
        1. Human Psychology
          1. Conformity Persuasion
          2. Logic Persuasion
          3. Need-Based Persuasion
          4. Authority-Based Persuasion
          5. Reciprocation-Based Social Engineering
          6. Similarity-Based Social Engineering
          7. Information-Based Social Engineering
        2. What It Takes to Be a Social Engineer
          1. Using Patience for Social Engineering
          2. Using Confidence for Social Engineering
          3. Using Trust for Social Engineering
          4. Using Inside Knowledge for Social Engineering
        3. First Impressions and the Social Engineer
        4. Tech Support Impersonation
        5. Third-Party Impersonation
        6. E-Mail Impersonation
        7. End User Impersonation
        8. Customer Impersonation
        9. Reverse Social Engineering
        10. Protecting Against Social Engineering
        11. Case Study
        12. Summary
      2. 5. Performing Host Reconnaissance
        1. Passive Host Reconnaissance
          1. A Company Website
          2. EDGAR Filings
          3. NNTP USENET Newsgroups
          4. User Group Meetings
          5. Business Partners
        2. Active Host Reconnaissance
          1. NSLookup/Whois Lookups
          2. SamSpade
          3. Visual Route
        3. Port Scanning
          1. TCP Connect() Scan
          2. SYN Scan
          3. NULL Scan
          4. FIN Scan
          5. ACK Scan
          6. Xmas-Tree Scan
          7. Dumb Scan
        4. NMap
          1. NMap Switches and Techniques
          2. Compiling and Testing NMap
          3. Fingerprinting
          4. Footprinting
        5. Detecting a Scan
          1. Intrusion Detection
          2. Anomaly Detection Systems
          3. Misuse Detection System
          4. Host-Based IDSs
          5. Network-Based IDSs
          6. Network Switches
          7. Examples of Scan Detection
            1. Detecting a TCP Connect() Scan
            2. Detecting a SYN Scan
            3. Detecting FIN, NULL, and Xmas-Tree Scans
            4. Detecting OS Guessing
        6. Case Study
        7. Summary
      3. 6. Understanding and Attempting Session Hijacking
        1. Defining Session Hijacking
          1. Nonblind Spoofing
          2. Blind Spoofing
          3. TCP Sequence Prediction (Blind Hijacking)
        2. Tools
          1. Juggernaut
          2. Hunt
          3. TTY-Watcher
          4. T-Sight
          5. Other Tools
        3. Beware of ACK Storms
        4. Kevin Mitnick’s Session Hijack Attack
        5. Detecting Session Hijacking
          1. Detecting Session Hijacking with a Packet Sniffer
            1. Configuring Ethereal
            2. Watching a Hijacking with Ethereal
          2. Detecting Session Hijacking with Cisco IDS
            1. Signature 1300: TCP Segment Overwrite
            2. Signature 3250: TCP Hijack
            3. Signature 3251: TCP Hijacking Simplex Mode
            4. Watching a Hijacking with IEV
        6. Protecting Against Session Hijacking
        7. Case Study
        8. Summary
        9. Resources
      4. 7. Performing Web Server Attacks
        1. Understanding Web Languages
          1. HTML
          2. DHTML
          3. XML
          4. XHTML
          5. JavaScript
          6. JScript
          7. VBScript
          8. Perl
          9. ASP
          10. CGI
          11. PHP Hypertext Preprocessor
          12. ColdFusion
          13. Java Once Called Oak
            1. Client-Based Java
            2. Server-Based Java
        2. Website Architecture
        3. E-Commerce Architecture
          1. Apache HTTP Server Vulnerabilities
          2. IIS Web Server
            1. Showcode.asp
            2. Privilege Escalation
            3. Buffer Overflows
        4. Web Page Spoofing
        5. Cookie Guessing
          1. Hidden Fields
        6. Brute Force Attacks
          1. Brutus
          2. HTTP Brute Forcer
          3. Detecting a Brute Force Attack
          4. Protecting Against Brute Force Attacks
        7. Tools
          1. NetCat
          2. Vulnerability Scanners
          3. IIS Xploit
          4. execiis-win32.exe
          5. CleanIISLog
          6. IntelliTamper
          7. Web Server Banner Grabbing
          8. Hacking with Google
        8. Detecting Web Attacks
          1. Detecting Directory Traversal
          2. Detecting Whisker
        9. Protecting Against Web Attacks
          1. Securing the Operating System
          2. Securing Web Server Applications
            1. IIS
              1. IIS Lock Down
              2. UrlScan
            2. Apache
          3. Securing Website Design
          4. Securing Network Architecture
        10. Case Study
        11. Summary
      5. 8. Performing Database Attacks
        1. Defining Databases
          1. Oracle
            1. Structure
            2. SQL
          2. MySQL
            1. Structure
            2. SQL
          3. SQL Server
            1. Structure
            2. SQL
          4. Database Default Accounts
        2. Testing Database Vulnerabilities
          1. SQL Injection
          2. System Stored Procedures
            1. xp_cmdshell
          3. Connection Strings
          4. Password Cracking/Brute Force Attacks
        3. Securing Your SQL Server
          1. Authentication
          2. Service Accounts
          3. Public Role
          4. Guest Account
          5. Sample Databases
          6. Network Libraries
          7. Ports
        4. Detecting Database Attacks
          1. Auditing
            1. Failed Logins
            2. System Stored Procedures
          2. SQL Injection
        5. Protecting Against Database Attacks
        6. Case Study
        7. Summary
        8. References and Further Reading
      6. 9. Password Cracking
        1. Password Hashing
          1. Using Salts
          2. Microsoft Password Hashing
          3. UNIX Password Hashing
        2. Password-Cracking Tools
          1. John the Ripper
          2. Pwdump3
          3. L0phtcrack
          4. Nutcracker
          5. Hypnopædia
          6. Snadboy Revelation
          7. Boson GetPass
          8. RainbowCrack
        3. Detecting Password Cracking
          1. Network Traffic
          2. System Log Files
          3. Account Lockouts
          4. Physical Access
          5. Dumpster Diving and Key Logging
          6. Social Engineering
        4. Protecting Against Password Cracking
          1. Password Auditing
          2. Logging Account Logins
          3. Account Locking
          4. Password Settings
            1. Password Length
            2. Password Expiration
            3. Password History
          5. Physical Protection
          6. Employee Education and Policy
        5. Case Study
        6. Summary
      7. 10. Attacking the Network
        1. Bypassing Firewalls
        2. Evading Intruder Detection Systems
        3. Testing Routers for Vulnerabilities
          1. CDP
          2. HTTP Service
          3. Password Cracking
          4. Modifying Routing Tables
        4. Testing Switches for Vulnerabilities
          1. VLAN Hopping
          2. Spanning Tree Attacks
          3. MAC Table Flooding
          4. ARP Attacks
          5. VTP Attacks
        5. Securing the Network
          1. Securing Firewalls
          2. Securing Routers
            1. Disabling CDP
            2. Disabling or Restricting the HTTP Service
            3. Securing Router Passwords
            4. Enabling Authentication for Routing Protocols
              1. RIP Authentication
              2. EIGRP Authentication
              3. OSPF Authentication
              4. IS-IS Authentication
              5. BGP Authentication
          3. Securing Switches
            1. Securing Against VLAN Hopping
            2. Securing Against Spanning Tree Attacks
            3. Securing Against MAC Table Flooding and ARP Attacks
            4. Securing Against VTP Attacks
        6. Case Study
        7. Summary
      8. 11. Scanning and Penetrating Wireless Networks
        1. History of Wireless Networks
        2. Antennas and Access Points
        3. Wireless Security Technologies
          1. Service Set Identifiers (SSIDs)
          2. Wired Equivalent Privacy (WEP)
          3. MAC Filtering
          4. 802.1x Port Security
          5. IPSec
        4. War Driving
        5. Tools
          1. NetStumbler
          2. StumbVerter
          3. DStumbler
          4. Kismet
          5. GPSMap
          6. AiroPeek NX
          7. AirSnort
          8. WEPCrack
        6. Detecting Wireless Attacks
          1. Unprotected WLANs
          2. DoS Attacks
          3. Rogue Access Points
          4. MAC Address Spoofing
          5. Unallocated MAC Addresses
          6. Preventing Wireless Attacks
          7. Preventing Man-in-the-Middle Attacks
          8. Establishing and Enforcing Standards for Wireless Networking
        7. Case Study
        8. Summary
      9. 12. Using Trojans and Backdoor Applications
        1. Trojans, Viruses, and Backdoor Applications
        2. Common Viruses and Worms
          1. Chernobyl
          2. I Love You
          3. Melissa
          4. BugBear
          5. MyDoom
          6. W32/Klez
          7. Blaster
          8. SQL Slammer
          9. Sasser
        3. Trojans and Backdoors
          1. Back Orifice 2000
          2. Tini
          3. Donald Dick
          4. Rootkit
          5. NetCat
          6. SubSeven
          7. Brown Orifice
          8. Beast
            1. Beast Server Settings
            2. Beast Client
        4. Detecting Trojans and Backdoor Applications
          1. MD5 Checksums
          2. Monitoring Ports Locally
            1. Netstat
            2. fport
            3. TCPView
          3. Monitoring Ports Remotely
          4. Anti-virus and Trojan Scanners Software
          5. Intrusion Detection Systems
        5. Prevention
        6. Case Study
        7. Summary
      10. 13. Penetrating UNIX, Microsoft, and Novell Servers
        1. General Scanners
          1. Nessus
          2. SAINT
          3. SARA
          4. ISS
          5. NetRecon
        2. UNIX Permissions and Root Access
          1. Elevation Techniques
            1. Stack Smashing Exploit
            2. rpc.statd Exploit
            3. irix-login.c
          2. Rootkits
            1. Linux Rootkit IV
            2. Beastkit
        3. Microsoft Security Models and Exploits
          1. Elevation Techniques
            1. PipeUpAdmin
            2. HK
          2. Rootkits
        4. Novell Server Permissions and Vulnerabilities
          1. Pandora
          2. NovelFFS
        5. Detecting Server Attacks
        6. Preventing Server Attacks
        7. Case Study
        8. Summary
      11. 14. Understanding and Attempting Buffer Overflows
        1. Memory Architecture
          1. Stacks
          2. Heaps
          3. NOPs
        2. Buffer Overflow Examples
          1. Simple Example
          2. Linux Privilege Escalation
          3. Windows Privilege Escalation
        3. Preventing Buffer Overflows
          1. Library Tools to Prevent Buffer Overflows
          2. Compiler-Based Solutions to Prevent Buffer Overflows
          3. Using a Non-Executable Stack to Prevent Buffer Overflows
        4. Case Study
        5. Summary
      12. 15. Denial-of-Service Attacks
        1. Types of DoS Attacks
          1. Ping of Death
          2. Smurf and Fraggle
          3. LAND Attack
          4. SYN Flood
        2. Tools for Executing DoS Attacks
          1. Datapool
          2. Jolt2
          3. Hgod
          4. Other Tools
        3. Detecting DoS Attacks
          1. Appliance Firewalls
          2. Host-Based IDS
          3. Signature-Based Network IDS
          4. Network Anomaly Detectors
        4. Preventing DoS Attacks
          1. Hardening
            1. Network Hardening
            2. Application Hardening
            3. Intrusion Detection Systems
        5. Case Study
        6. Summary
      13. 16. Case Study: A Methodical Step-By-Step Penetration Test
        1. Case Study: LCN Gets Tested
          1. Planning the Attack
          2. Gathering Information
          3. Scanning and Enumeration
            1. External Scanning
            2. Wireless Scanning
          4. Gaining Access
            1. Gaining Access via the Website
            2. Gaining Access via Wireless
          5. Maintain Access
          6. Covering Tracks
          7. Writing the Report
        2. DAWN Security
          1. Executive Summary
            1. Objective
            2. Methodology
            3. Findings
          2. Summary
          3. Graphical Summary
          4. Technical Testing Report
            1. Black-Box Testing
          5. Presenting and Planning the Follow-Up
    11. III. Appendixes
      1. A. Preparing a Security Policy
        1. What Is a Security Policy?
        2. Risk Assessment
          1. Assets
          2. Threats
          3. Cost
          4. Getting Acceptance
        3. Basic Policy Requirements
          1. Sample E-Mail Usage Policy
          2. Understanding Your Environment
          3. Balancing Productivity and Protection
          4. The Trust Model
          5. How Should It Be Written?
          6. Who Creates the Policy?
          7. Types of Policies
            1. E-Mail Policies
            2. Internet Policies
            3. Remote Access Policies
            4. Password Policies
            5. Physical Access Policies
            6. Backup Policies
            7. Disaster Recovery Policy
        4. Security Policy Implementation and Review
        5. Preparing a Security Policy in Ten Basic Steps
        6. Reference Links
      2. B. Tools
        1. Performing Host Reconnaissance (Chapter 5)
        2. Understanding and Attempting Session Hijacking (Chapter 6)
        3. Performing Web-Server Attacks (Chapter 7)
        4. Performing Database Attacks (Chapter 8)
        5. Cracking Passwords (Chapter 9)
        6. Attacking the Network (Chapter 10)
        7. Scanning and Penetrating Wireless Networks (Chapter 11)
        8. Using Trojans and Backdoor Applications (Chapter 12)
        9. Penetrating UNIX, Microsoft, and Novell Servers (Chapter 13)
        10. Understanding and Attempting Buffer Overflows (Chapter 14)
        11. Denial-of-Service Attacks (Chapter 15)
    12. Glossary