Book details
-
Chris McNab
-
2008
-
English
-
1192
-
215
-
0
Network Security Assessment, 2nd Edition
Foreword
Preface
1. Network Security Assessment
The Business Benefits
IP: The Foundation of the Internet
Classifying Internet-Based Attackers
Assessment Service Definitions
Network Security Assessment Methodology
The Cyclic Assessment Approach
2. Network Security Assessment Platform
Virtualization Software
Operating Systems
Reconnaissance Tools
Network Scanning Tools
Exploitation Frameworks
Web Application Testing Tools
3. Internet Host and Network Enumeration
Querying Web and Newsgroup Search Engines
Querying Domain WHOIS Registrars
Querying IP WHOIS Registrars
BGP Querying
DNS Querying
Web Server Crawling
Automating Enumeration
SMTP Probing
Enumeration Technique Recap
Enumeration Countermeasures
4. IP Network Scanning
ICMP Probing
TCP Port Scanning
UDP Port Scanning
IDS Evasion and Filter Circumvention
Low-Level IP Assessment
Network Scanning Recap
Network Scanning Countermeasures
5. Assessing Remote Information Services
Remote Information Services
DNS
Finger
Auth
NTP
SNMP
LDAP
rwho
RPC rusers
Remote Information Services Countermeasures
6. Assessing Web Servers
Web Servers
Fingerprinting Accessible Web Servers
Identifying and Assessing Reverse Proxy Mechanisms
Enumerating Virtual Hosts and Web Sites
Identifying Subsystems and Enabled Components
Investigating Known Vulnerabilities
Basic Web Server Crawling
Web Servers Countermeasures
7. Assessing Web Applications
Web Application Technologies Overview
Web Application Profiling
Web Application Attack Strategies
Web Application Vulnerabilities
Web Security Checklist
8. Assessing Remote Maintenance Services
Remote Maintenance Services
FTP
SSH
Telnet
R-Services
X Windows
Citrix
Microsoft Remote Desktop Protocol
VNC
Remote Maintenance Services Countermeasures
9. Assessing Database Services
Microsoft SQL Server
Oracle
MySQL
Database Services Countermeasures
10. Assessing Windows Networking Services
Microsoft Windows Networking Services
Microsoft RPC Services
The NetBIOS Name Service
The NetBIOS Datagram Service
The NetBIOS Session Service
The CIFS Service
Unix Samba Vulnerabilities
Windows Networking Services Countermeasures
11. Assessing Email Services
Email Service Protocols
SMTP
POP-2 and POP-3
IMAP
Email Services Countermeasures