Network Security Assessment

Chris McNab is the Technical Director of Matta, a vendor-independent security consulting outfit based in the United Kingdom. Since 2000, Chris has presented and run applied hacking courses across Europe, training a large number of financial, retail, and government clients in practical attack and penetration techniques, so that they can assess and protect their own networks effectively. Chris speaks at a number of security conferences and seminars, and is routinely called to comment on security events and other breaking news. He has appeared on television and radio stations in the UK (including BBC 1 and Radio 4), and in a number of publications and computing magazines. Responsible for the provision of security assessment services at Matta, Chris and his team undertake Internet-based, internal, application, and wireless security assessment work, providing clients with practical and sound technical advice relating to secure network design and hardening strategies. Chris boasts a 100% success rate when compromising the networks of multinational corporations and financial services companies over the last five years.

Foreword Preface 1. Network Security Assessment The Business Benefits IP: The Foundation of the Internet Classifying Internet-Based Attackers Assessment Service Definitions Network Security Assessment Methodology The Cyclic Assessment Approach 2. The Tools Required The Operating Systems Free Network Scanning Tools Commercial Network Scanning Tools Protocol-Dependent Assessment Tools 3. Internet Host and Network Enumeration Web Search Engines NIC Querying DNS Querying Enumeration Technique Recap Enumeration Countermeasures 4. IP Network Scanning ICMP Probing TCP Port Scanning UDP Port Scanning IDS Evasion and Filter Circumvention Low-Level IP Assessment Network Scanning Recap Network Scanning Countermeasures 5. Assessing Remote Information Services Remote Information Services systat and netstat DNS finger auth SNMP LDAP rwho RPC rusers Remote Information Services Countermeasures 6. Assessing Web Services Web Services Identifying the Web Service Identifying Subsystems and Components Investigating Web Service Vulnerabilities Accessing Poorly Protected Information Assessing CGI Scripts and Custom ASP Pages Web Services Countermeasures 7. Assessing Remote Maintenance Services Remote Maintenance Services SSH Telnet R-Services X Windows Microsoft Remote Desktop Protocol VNC Citrix Remote Maintenance Services Countermeasures 8. Assessing FTP and Database Services FTP FTP Banner Grabbing and Enumeration FTP Brute-Force Password Guessing FTP Bounce Attacks Circumventing Stateful Filters Using FTP FTP Process Manipulation Attacks FTP Services Countermeasures Database Services Microsoft SQL Server Oracle MySQL Database Services Countermeasures 9. Assessing Windows Networking Services Microsoft Windows Networking Services Microsoft RPC Services The NetBIOS Name Service The NetBIOS Datagram Service The NetBIOS Session Service The CIFS Service Unix Samba Vulnerabilities Windows Networking Services Countermeases 10. Assessing Email Services Email Service Protocols SMTP POP-2 and POP-3 IMAP Email Services Countermeasures 11. Assessing IP VPN Services IPsec VPNs Attacking IPsec VPNs Check Point VPN Security Issues Microsoft PPTP VPN Services Countermeasures 12. Assessing Unix RPC Services Enumerating Unix RPC Services RPC Service Vulnerabilities Unix RPC Services Countermeasures 13. Application-Level Risks The Fundamental Hacking Concept The Reasons Why Software Is Vulnerable Network Service Vulnerabilities and Attacks Classic Buffer-Overflow Vulnerabilities Heap Overflows Integer Overflows Format String Bugs Memory Manipulation Attacks Recap Mitigating Process Manipulation Risks Recommended Secure Development Reading 14. Example Assessment Methodology Network Scanning Accessible Network Service Identification Investigation of Known Vulnerabilities Network Service Testing Methodology Flow Diagram Recommendations Closing Comments A. TCP, UDP Ports, and ICMP Message Types TCP Ports UDP Ports ICMP Message Types B. Sources of Vulnerability Information Security Mailing