DOCSLIB.ORG

O'reilly Network Security Assessment

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
O'reilly Network Security Assessment SECOND EDITION Network Security Assessment Chris McNab Beijing • Cambridge • Farnham • Köln • Paris • Sebastopol • Taipei • Tokyo Network Security Assessment, Second Edition by Chris McNab Copyright © 2008 Chris McNab. All rights reserved. Printed in the United States of America. Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472. O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (safari.oreilly.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or [email protected]. Editor: Tatiana Apandi Indexer: Lucie Haskins Production Editor: Sarah Schneider Cover Designer: Karen Montgomery Copyeditor: Amy Thomson Interior Designer: David Futato Proofreader: Sarah Schneider Illustrator: Robert Romano Printing History: March 2004: First Edition. October 2007: Second Edition. Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered trademarks of O’Reilly Media, Inc. Network Security Assessment, the cover image, and related trade dress are trademarks of O’Reilly Media, Inc. Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O’Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps. While every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein. This book uses RepKover™, a durable and flexible lay-flat binding. ISBN-10: 0-596-51030-6 ISBN-13: 978-0-596-51030-5 [M] Table of Contents Foreword . xi Preface . xv 1. Network Security Assessment . 1 The Business Benefits 1 IP: The Foundation of the Internet 2 Classifying Internet-Based Attackers 2 Assessment Service Definitions 3 Network Security Assessment Methodology 4 The Cyclic Assessment Approach 8 2. Network Security Assessment Platform . 10 Virtualization Software 10 Operating Systems 11 Reconnaissance Tools 13 Network Scanning Tools 13 Exploitation Frameworks 14 Web Application Testing Tools 16 3. Internet Host and Network Enumeration . 17 Querying Web and Newsgroup Search Engines 18 Querying Domain WHOIS Registrars 20 Querying IP WHOIS Registrars 23 BGP Querying 28 DNS Querying 30 Web Server Crawling 37 Automating Enumeration 37 v SMTP Probing 38 Enumeration Technique Recap 39 Enumeration Countermeasures 40 4. IP Network Scanning . 42 ICMP Probing 42 TCP Port Scanning 49 UDP Port Scanning 60 IDS Evasion and Filter Circumvention 62 Low-Level IP Assessment 71 Network Scanning Recap 76 Network Scanning Countermeasures 77 5. Assessing Remote Information Services . 79 Remote Information Services 79 DNS 80 Finger 86 Auth 88 NTP 89 SNMP 91 LDAP 95 rwho 98 RPC rusers 98 Remote Information Services Countermeasures 99 6. Assessing Web Servers . 101 Web Servers 101 Fingerprinting Accessible Web Servers 102 Identifying and Assessing Reverse Proxy Mechanisms 107 Enumerating Virtual Hosts and Web Sites 113 Identifying Subsystems and Enabled Components 114 Investigating Known Vulnerabilities 132 Basic Web Server Crawling 155 Web Servers Countermeasures 158 7. Assessing Web Applications . 160 Web Application Technologies Overview 160 Web Application Profiling 161 Web Application Attack Strategies 170 vi | Table of Contents Web Application Vulnerabilities 180 Web Security Checklist 196 8. Assessing Remote Maintenance Services . 198 Remote Maintenance Services 198 FTP 199 SSH 212 Telnet 215 R-Services 220 X Windows 224 Citrix 229 Microsoft Remote Desktop Protocol 232 VNC 234 Remote Maintenance Services Countermeasures 237 9. Assessing Database Services . 239 Microsoft SQL Server 239 Oracle 244 MySQL 252 Database Services Countermeasures 255 10. Assessing Windows Networking Services . 256 Microsoft Windows Networking Services 256 Microsoft RPC Services 257 The NetBIOS Name Service 273 The NetBIOS Datagram Service 275 The NetBIOS Session Service 276 The CIFS Service 285 Unix Samba Vulnerabilities 287 Windows Networking Services Countermeasures 288 11. Assessing Email Services . 290 Email Service Protocols 290 SMTP 290 POP-2 and POP-3 302 IMAP 303 Email Services Countermeasures 305 Table of Contents | vii 12. Assessing IP VPN Services . 307 IPsec VPNs 307 Attacking IPsec VPNs 311 Microsoft PPTP 320 SSL VPNs 321 VPN Services Countermeasures 329 13. Assessing Unix RPC Services . 330 Enumerating Unix RPC Services 330 RPC Service Vulnerabilities 332 Unix RPC Services Countermeasures 339 14. Application-Level Risks . 340 The Fundamental Hacking Concept 340 Why Software Is Vulnerable 341 Network Service Vulnerabilities and Attacks 342 Classic Buffer-Overflow Vulnerabilities 346 Heap Overflows 356 Integer Overflows 364 Format String Bugs 367 Memory Manipulation Attacks Recap 373 Mitigating Process Manipulation Risks 374 Recommended Secure Development Reading 376 15. Running Nessus . 377 Nessus Architecture 377 Deployment Options and Prerequisites 378 Nessus Installation 379 Configuring Nessus 383 Running Nessus 389 Nessus Reporting 390 Running Nessus Recap 392 16. Exploitation Frameworks . 393 Metasploit Framework 393 CORE IMPACT 400 Immunity CANVAS 408 Exploitation Frameworks Recap 414 viii | Table of Contents A. TCP, UDP Ports, and ICMP Message Types . 415 B. Sources of Vulnerability Information . 420 C. Exploit Framework Modules . 422 Index . 453 Table of Contents | ix Foreword 1 After managing the performance of over 20,000 infrastructure and applications pene- tration tests, I have come to realize the importance of technical testing and providing information security assurance. This book accurately defines a pure technical assessment methodology, giving you the ability to gain a much deeper understanding of the threats, vulnerabilities, and exposures that modern public networks face. The purpose for conducting the tens of thousands of penetration tests during my 20+ years working in information systems security was “to identify technical vulnerabilities in the tested system in order to cor- rect the vulnerability or mitigate any risk posed by it.” In my opinion, this is a clear, concise, and perfectly wrong reason to conduct penetration testing. As you read this book, you will realize that vulnerabilities and exposures in most environments are due to poor system management, patches not installed in a timely fashion, weak password policy, poor access control, etc. Therefore, the principal rea- son and objective behind penetration testing should be to identify and correct the underlying systems management process failures that produced the vulnerability detected by the test. The most common of these systems management process failures exist in the following areas: • System software configuration • Applications software configuration • Software maintenance • User management and administration Unfortunately, many IT security consultants provide detailed lists of specific test findings and never attempt the higher-order analysis needed to answer the question “Why?” This failure to identify and correct the underlying management cause of the test findings assures that, when the consultant returns to test the client after six months, a whole new set of findings will appear. xi If you are an IT professional who is responsible for security, use this book to help you assess your networks; it is effectively a technical briefing of the tools and tech- niques that your enemies can use against your systems. If you are a consultant performing a security assessment for a client, it is vital that you bear in mind the mismanagement reasons for the vulnerabilities, as discussed here. Several years ago, my company conducted a series of penetration tests for a very large international client. The client was organized regionally; IT security policy was issued centrally and implemented regionally. We mapped the technical results to the following management categories: OS configuration Vulnerabilities due to improperly configured operating system software Software maintenance Vulnerabilities due to failure to apply patches to known vulnerabilities Password/access control Failure to comply with password policy and improper access control settings Malicious software Existence of malicious software (Trojans, worms, etc.) or evidence of use Dangerous services Existence of vulnerable or easily exploited services or processes Application configuration Vulnerabilities due to improperly configured applications We then computed the average number of security assessment findings per 100 sys- tems tested for the total organization and produced the chart shown in Figure F-1. Average vulnerabilities by management category 70 60 50 40 30 20 Vulnerabilities per 100 hosts Vulnerabilities 10 0 Bad O/S S/W Pswd/Access Malicious Dangerous Bad Apps config maintenance control software services config Figure F-1. Average vulnerabilities by management category xii | Foreword We then conducted a comparison of the performance of each region against the cor- porate average. The results were quite striking, as shown in Figure F-2 (above the average is bad, with more findings than the corporate average). Regional comparisons vs. average 120 100 80 60 40 20 0 deviation from average from deviation –20 Vulnerabilities per 100 hosts Vulnerabilities –40 –60 –80 Region 1 Region 2 Region 3 Region 4 KEY Bad O/S config Pswd/Access control Dangerous
Load more

Recommended publications
  • VI. Lotus Domino
    Le groupware - 1 / 60 - Sommaire I. Introduction ................................................................................................ 2 A. Histoire (Source : Michel Alberganti) ................................................................................ 2 B. Définition................................................................................................................... 2 C. L'offre....................................................................................................................... 2 1. Intranet / Internet................................................................................................. 2 2. Messagerie........................................................................................................... 3 II. Les clients de messagerie ............................................................................... 3 A. Windows Messaging : Msmail........................................................................................... 4 1. Installer et administrer un bureau de poste .................................................................. 4 2. Propriétés du client MAPI......................................................................................... 7 B. Utiliser Outlook ......................................................................................................... 15 1. Les options .........................................................................................................15 2. Envoi de messages ................................................................................................20
    [Show full text]
  • GO!Notifysync Pre-Purchase Checklist
    GO!NotifySync Pre-Purchase Checklist Prior to purchasing GO!NotifySync you will need to identify the following configuration information. Consult your Mail Server Administrator, if necessary, to obtain this information. Mail Server Administrators can also reference, Guidelines for Administrators. My Mail Server Type is GO!NotifySync supports ActiveSync protocol versions 2.5, 12.0, or 12.1. GO!NotifySync is certified against the following versions of ActiveSync servers: GroupWise 8.0.2 HP2, 8.0.2 HP3, 2012, or 2014 with Novell Data Synchronizer or Novell Mobility Services 2.0 Microsoft Exchange 2010 Microsoft Exchange 2007 Microsoft Exchange 2003 Below is a list of additional ActiveSync servers. If these systems adhere to the supported ActiveSync protocol versions (2.5, 12.0, or 12.1), GO!NotifySync has a high probability of working as designed: AXIGEN Messaging CommuniGate Pro Google Hotmail IBM Lotus Notes Traveler v8.5.2.1 IceWarp Server Ipswitch IMail Server Kerio MailServer Office 365 Open-Xchange Scalix Zarafa Zimbra Collaboration Suite My Email Domain is The text after the @ sign in your Email address is your Email Domain. If your Email address is: [email protected], your Email Domain is: mycompany.com GO!NotifySync Pre-Purchase Checklist 1 My Mail/ActiveSync Server Address is This is the external address of your Mail/ActiveSync server. Information that may help you identify the ActiveSync Server Address: Your best source for this information is your Mail Server Administrator. What address is used to log into Web mail? That would be the ActiveSync Server address. Ask: What is the address I would use to connect to the ActiveSync Server? My Domain is Domain refers to a group of servers on a network that are administered as a unit.
    [Show full text]
  • Spam Filtering (Domain Level)
    • ------=---~ IPS WIT CH II L..--..../ J------I IMai I Server Contents CHAPTER 1 Introduction to IMail Administrator About Help ...........................................................................................................................1 Web Administrator and Client ..............................................................................................3 IMail Administrator Requirements........................................................................................5 New for Version 11...............................................................................................................6 Accessing the IMail Web Administration............................................................................12 Using Internet Information Services (IIS) Virtual Directories..............................................13 Additional Resources .........................................................................................................14 Installing Patches and Upgrades .......................................................................................15 Table of Features...............................................................................................................16 Helpful Definitions ..............................................................................................................17 File Attachment Settings ....................................................................................................18 IMail Processing Order.......................................................................................................18
    [Show full text]
  • Setting up Imail Server As a Backup Mail Spooler
    • ------=---~ IPS WIT CH II L..--..../ J------I IMai I Server Contents CHAPTER 1 Introduction to IMail Administrator About Help .......................................................................................................................... 1 Web Administrator and Client ............................................................................................. 3 IMail Administrator Requirements ....................................................................................... 5 System Requirements ......................................................................................................... 6 New for Version 11.01 ....................................................................................................... 11 Accessing the IMail Web Administration ........................................................................... 19 Using Internet Information Services (IIS) Virtual Directories ............................................. 20 Additional Resources ........................................................................................................ 20 IMail Getting Started Guide Links ..................................................................................... 22 Installing Patches and Upgrades ...................................................................................... 23 Table of Features .............................................................................................................. 23 Helpful Definitions ............................................................................................................
    [Show full text]
  • Imail V12 Administrator Help
    Ipswitch, Inc. Web: www.imailserver.com 753 Broad Street Phone: 706-312-3535 Suite 200 Fax: 706-868-8655 Augusta, GA 30901-5518 Copyrights ©2011 Ipswitch, Inc. All rights reserved. IMail Server – Administration Help This manual, as well as the software described in it, is furnished under license and may be used or copied only in accordance with the terms of such license. Except as permitted by such license, no part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, recording, or otherwise, without the expressed prior written consent of Ipswitch, Inc. The content of this manual is furnished for informational use only, is subject to change without notice, and should not be construed as a commitment by Ipswitch, Inc. While every effort has been made to assure the accuracy of the information contained herein, Ipswitch, Inc. assumes no responsibility for errors or omissions. Ipswitch, Inc. also assumes no liability for damages resulting from the use of the information contained in this document. Ipswitch Collaboration Suite (ICS), the Ipswitch Collaboration Suite (ICS) logo, IMail, the IMail logo, WhatsUp, the WhatsUp logo, WS_FTP, the WS_FTP logos, Ipswitch Instant Messaging (IM), the Ipswitch Instant Messaging (IM) logo, Ipswitch, and the Ipswitch logo are trademarks of Ipswitch, Inc. Other products and their brands or company names are or may be trademarks or registered trademarks, and are the property of their respective companies. Update History December 2011 v12 April 2011 v11.5 October 2010 v11.03 May 2010 v11.02 Contents CHAPTER 1 Introduction to IMail Administrator About Help .....................................................................................................................................................................
    [Show full text]
  • Abstract GEGICK, MICHAEL CHARLES. Analyzing Security
    Abstract GEGICK, MICHAEL CHARLES. Analyzing Security Attacks to Generate Signatures from Vulnerable Architectural Patterns. (Under the direction of Dr. Laurie Williams.) Current techniques for software security vulnerability identification include the use of abstract, graph-based models to represent information about an attack. These models can be in the form of attack trees or attack nets and can be accompanied with a supporting text- based profile. Matching the abstract models to specific system architectures for effective vulnerability identification can be a challenging process. This thesis suggests that abstract regular expressions can be used to represent events of known attacks for the identification of security vulnerabilities in future applications. The process of matching the events in the regular expression to a sequence of components in a system design may facilitate the means of identifying vulnerabilities. Performing the approach in the design phase of a software process encourages security to be integrated early into a software application. Students in an undergraduate security course demonstrated a strong ability to accurately match regular expressions to a system design. The identification of vulnerabilities is limited to known attacks of other systems and does not offer descriptions of what new attacks are possible to a future application. Extending the approach to incorporate new attacks is an avenue of future work. Analyzing Security Attacks to Generate Signatures from Vulnerable Architectural Patterns by Michael Charles
    [Show full text]
  • Email Reputation Services Stops Email Threats Before the Gateway
    Securing Your Web World ANTI-SPAM ANTI-PHISHING Trend Micro™ Email Reputation Services Stops Email Threats Before the Gateway Email-based threats are rising dramatically. Spam, spyware, phishing, botnets, SERVICES zombies, targeted email attacks, and blended-threat attacks not only sap Protection Points employee productivity, they endanger company networks. At the same time, • Gateway administrative resources and budgets are overtaxed and existing security systems are stretched to the limit. Threat Protection • Spam Trend Micro Email Reputation Services stop up to 80 percent of spam and other email threats at • Phishing their source–before they can hit the gateway and flood messaging infrastructure. Email Reputation • Bots and botnets 1 Services has the highest catch rate for standalone email reputation services and is the only solution • Zombies to offer an administration console, which gives access to reports and provides the option to actively • Blended Threats manage spam and blended email threats. As a highly effective first layer of security with extensive MTA support, the services complement your current email security and greatly reduce spam’s impact on the gateway, allowing your messaging security to run at optimal efficiency. KEY ADVANTAGES • Stops spam at its source, catching up to 80 percent with almost zero false positives KEY FEATURES • Features simple set up, high scalablility, Complements your current messaging security and low maintenance costs • Offers a choice of deployment options to meet your needs • Provides easy
    [Show full text]
  • DISTRIBUTED SYSTEMS CONTENTS 1.0 Aim And
    UNIT – I LESSON 1: DISTRIBUTED SYSTEMS CONTENTS 1.0 Aim and Objectives 1.1. Introduction 1.2. Organization 1.3. Goals and Advantages 1.4. Disadvantages 1.5. Architecture 1.6. Concurrency 1.7. Languages 1.8. Let us Sum UP 1.9. Lesson-End Activities 1.10. Points for Discussion 1.11. References 1.0. AIM AND OBJECTIVES At the end of this Lesson you will be able to understand the concept of Distributed Computing, organization of Distributed Computing, advantages and limitations of Distributed Computing 1.1. INTRODUCTION Distributed computing is a method of computer processing in which different parts of a program are run simultaneously on two or more computers that are communicating with each other over a network. Distributed computing is a type of segmented or parallel computing, but the latter term is most commonly used to refer to processing in which different parts of a program run simultaneously on two or more processors that are part of the same computer. While both types of processing require that a program be segmented—divided into sections that can run simultaneously, distributed computing also requires that the division of the program take into account the different environments on which the different sections of the program will be running. For example, two computers are likely to have different file systems and different hardware components. An example of distributed computing is BOINC, a framework in which large problems can be divided into many small problems which are distributed to many computers. Later, the small results are reassembled into a larger solution.
    [Show full text]
  • PVS Plugin Family
    SecurityCenter 4 TENABLE NETWORK SECURITY INC., COPYRIGHT © 2012 TENABLE NETWORK SECURITY PVS Plugin Family March 13, 2012 at 3:04pm CDT Dave Breslin [dlbreslin] Confidential: The following report contains confidential information. Do not distribute, email, fax, or transfer via any electronic mechanism unless it has been approved by the recipient company's security policy. All copies and backups of this document should be saved on protected storage at all times. Do not share any of the information contained within this report with anyone unless they are authorized to view the information. Violating any of the previous instructions is grounds for termination. PVS Plugin Family SecurityCenter 4 TENABLE NETWORK SECURITY INC., COPYRIGHT © 2012 Table of Contents Plugin Family Summary ...............................................................................................................1 Backdoors .....................................................................................................................................................2 CGI .........................................................................................................................................................................3 Data Leakage ............................................................................................................................................ 5 Database .........................................................................................................................................................7 DNS
    [Show full text]
  • Nessus Plugin Family
    SecurityCenter 4 TENABLE NETWORK SECURITY INC., COPYRIGHT © 2012 ITS DEPT Nessus Plugin Family March 5, 2012 at 6:15pm CST [third] Confidential: The following report contains confidential information. Do not distribute, email, fax, or transfer via any electronic mechanism unless it has been approved by the recipient company's security policy. All copies and backups of this document should be saved on protected storage at all times. Do not share any of the information contained within this report with anyone unless they are authorized to view the information. Violating any of the previous instructions is grounds for termination. Nessus Plugin Family SecurityCenter 4 TENABLE NETWORK SECURITY INC., COPYRIGHT © 2012 Table of Contents Plugin Family Summary ...............................................................................................................1 AIX Local Security Checks .......................................................................................................3 Backdoors .....................................................................................................................................................4 CentOS Local Security Checks ...........................................................................................6 CGI abuses .................................................................................................................................................. 7 CGI abuses : XSS ...............................................................................................................................
    [Show full text]
  • TBS Internet API Reference Documentaiton
    API TBS XML-RPC The content of this manual is the property of TBS INTERNET, all rights reserved. All reproduction, copy or mirroring prohibited. V1.2.1 IPv4 Operations Base URL : https://apisandbox6.or2.clust2.tbs-internet.net (IPv6 Sandbox) Application : api-operations.php Methodes : Name: Purpose: achat order renouvellement renew refabrication reissue revocation revocation dcvEmailRenvoyer Email DCV Resending dcvCodeValidation Email DCV Code Validation Information Base URL : https://apisandbox6.or2.clust2.tbs-internet.net (IPv6 Sandbox) Application : api-infos.php Methodes : Name: Purpose: statut Status solde Balance enSommeil Asleep reference Reference dcvAdresses DCV Addresses IPv4 Operations Base URL : https://apisandbox4.or2.clust2.tbs-internet.net:1443 (Sandbox IPv4) Application : api-operations.php Methodes : Name: Purpose: achat order renouvellement renew refabrication reissue revocation revocation dcvEmailRenvoyer Email DCV Resending dcvCodeValidation Email DCV Code Validation Information Base URL : https://apisandbox4.or2.clust2.tbs-internet.net:1443 (Sandbox IPv4) Application : api-infos.php Methodes : Name: Purpose: statut Status solde Balance enSommeil Asleep reference Reference dcvAdresses DCV Addresses Page 1 API xml-rpc 3 methods : achat(order), renouvellement(renew), refabrication(reissue) Achat/Order Parameters Descriptions Mandatory Type Default identification user, Password Yes Struct demande For bulk purchases, one structure per request Yes Struct Renouvellement/Renew Parameters Descriptions Mandatory Type Default
    [Show full text]
  • Trend Micro Email Reputation Services
    Securing Your Web World ANTI-SPAM ANTI-PHISHING Trend Micro™ Email Reputation Services Stoppt E-Mail-Bedrohungen vor dem Gateway Über E-Mail verbreitete Bedrohungen nehmen dramatisch zu. Spam, Spyware, SERVICES Phishing, Bot-Netze, Zombies, gezielte E-Mail-Angriffe und kombinierte Angriffe Geschützte Punkte beeinträchtigen nicht nur die Produktivität der Mitarbeiter, sondern stellen auch • Gateway eine ernsthafte Gefahr für Unternehmensnetzwerke dar. Gleichzeitig werden verwaltungstechnische Ressourcen und Budgets über Gebühr beansprucht und Schutzumfang vorhandene Sicherheitssysteme stoßen an ihre Leistungsgrenzen. • Spam • Phishing Trend Micro Email Reputation Services stoppen bis zu 80 Prozent von Spam und anderen E-Mail- • Bots und Bot-Netze Bedrohungen an der Quelle – bevor sie den Gateway erreichen und die Messaging-Infrastruktur • Zombies überschwemmen. Email Reputation Services haben die höchste Auffangrate für Standalone E-Mail • Komplexe Bedrohungen Reputation Services1 und ist die einzige Lösung, die eine Verwaltungskonsole zum Abrufen von Berichten und zur aktiven Verwaltung von Spam- und kombinierten E-Mail-Bedrohungen bietet. Die Services stellen eine höchst wirksame erste Sicherheitsebene mit umfassender MTA-Unterstützung dar und ergänzen Ihre bestehenden E-Mail-Sicherheitsmechanismen, indem sie Spam bereits am ENTSCHEIDENDE VORTEILE Gateway abwehren – somit ist höchste Effizienz in punkto Messaging-Sicherheit gewährleistet. • Stoppt Spam an der Quelle und fängt bis zu 80 Prozent mit sehr hoher Trefferquote ab • Einfache
    [Show full text]