Penetration testing and network defense

Security threats are on the rise, and companies must be prepared to face them. One way companies are assessing security risk and the vulnerability of their networks is by hiring security firms to attempt to penetrate their networks or by developing in-house penetration testing skills to continually monitor network vulnerabilities. Penetration testing is a growing field, yet there is no definite resource on how to perform a penetration test and the ethics of testing. Penetration Testing and Cisco Network Defense offers detailed steps on how to emulate an outside attacker to assess the security of a network. Unlike other books on hacking, this book is specifically geared toward penetration testing. Divided into two parts, this book provides a set of guidelines and methodologies for understanding and performing internal penetration tests. It also shows how an attack can be detected on a network. Part one covers understanding penetration testing, assessing risks, and creating a testing plan. Part two focuses on the particulars of testing, and each chapter includes three essential components: the steps to perform a simulated attack using popular commercial and open-source applications; how to detect the attack with Cisco Intrusion Detection Sensor and Security Agent; suggestions on how to harden a system against attacks.

Foreword Introduction Part I Overview of Penetration Testing Chapter 1 Understanding Penetration Testing Defining Penetration Testing Assessing the Need for Penetration Testing Proliferation of Viruses and Worms Wireless LANs Complexity of Networks Today Frequency of Software Updates Availability of Hacking Tools The Nature of Open Source Reliance on the Internet Unmonitored Mobile Users and Telecommuters Marketing Demands Industry Regulations Administrator Trust Business Partnerships Hacktivism Attack Stages Choosing a Penetration Testing Vendor Preparing for the Test Summary Chapter 2 Legal and Ethical Considerations Ethics of Penetration Testing Laws U.S. Laws Pertaining to Hacking 1973 U.S. Code of Fair Information Practices 1986 Computer Fraud and Abuse Act (CFAA) State Laws Regulatory Laws 1996 U.S. Kennedy-Kasselbaum Health Insurance Portability and Accountability Act (HIPAA) Graham-Leach-Bliley (GLB) USA PATRIOT ACT 2002 Federal Information Security Management Act (FISMA) 2003 Sarbanes-Oxley Act (SOX) Non-U.S. Laws Pertaining to Hacking Logging To Fix or Not to Fix Summary Chapter 3 Creating a Test Plan Step-by-Step Plan Defining the Scope Social Engineering Session Hijacking Trojan/Backdoor Open-Source Security Testing Methodology Manual Documentation Executive Summary Project Scope Results Analysis Summary Appendixes Summary Part II Performing the Test Chapter 4 Performing Social Engineering Human Psychology Conformity Persuasion Logic Persuasion Need-Based Persuasion Authority-Based Persuasion Reciprocation-Based Social Engineering Similarity-Based Social Engineering Information-Based Social Engineering What It Takes to Be a Social Engineer Using Patience for Social Engineering Using Confidence for Social Engineering Using Trust for Social Engineering Using Inside Knowledge for Social Engineering First Impressions and the Social Engineer Tech Support Impersonation Third-Party Impersonation E-Mail Impersonation End User Impersonation Customer Impersonation Reverse Social Engineering Protecting Against Social Engineering Case Study Summary Chapter 5 Performing Host Reconnaissance Passive Host Reconnaissance A Company Website EDGAR Filings NNTP USENET Newsgroups User Group Meetings Business Partners Active Host Reconnaissance NSLookup/Whois Lookups SamSpade Visual Route Port Scanning TCP Connect() Scan SYN Scan NULL Scan FIN Scan ACK Scan Xmas-Tree Scan Dumb Scan NMap NMap Switches and Techniques Compiling and Testing NMap Fingerprinting Footprinting Detecting a Scan Intrusion Detection Anomaly Detection Systems Misuse Detection System Host-Based IDSs Network-Based IDSs Network Switches Examples of Scan Detection Detecting a TCP Connect() Scan Detecting a SYN Scan Detecting FIN, NULL, and Xmas-Tree Scans Detecting OS Guessing Case Study Summary Chapter 6 Understanding and Attempting Session Hijacking Defining Session Hijacking Nonblind Spoofing Blind Spoofing TCP Sequence Prediction (Blind Hijacking) Tools Juggernaut Hunt TTY-Watcher T-Sight Other Tools Beware of ACK Storms Kevin Mitnick's Session Hijack Attack Detecting Session Hijacking Detecting Session Hijacking with a Packet Sniffer Configuring Ethereal Watching a Hijacking with Ethereal Detecting Session Hijacking with Cisco IDS Signature 1300: TCP Segment Overwrite Signature 3250: TCP Hijack Signature 3251: TCP Hijacking Simplex Mode Watching a Hijacking with IEV Protecting Against Session Hijacking Case Study Summary Resources Chapter 7 Performing Web Server Attacks Understanding Web Languages HTML DHTML XML XHTML JavaScript JScript VBScript Perl ASP CGI PHP Hypertext Preprocessor ColdFusion Java Once Called Oak Client-Based Java Server-Based Java Website Architecture E-Commerce Architecture Apache HTTP Server Vulnerabilities IIS Web Server Showcode.asp Privilege Escalation Buffer Overflows Web Page Spoofing Cookie Guessing Hidden Fields Brute Force Attacks Brutus HTTP Brute Forcer Detecting a Brute Force Attack Protecting Against Brute Force Attacks Tools NetCat Vulnerability Scanners IIS Xploit execiis-win32.exe CleanIISLog IntelliTamper Web Server Banner Grabbing Hacking with Google Detecting Web Attacks Detecting Directory Traversal Detecting Whisker Protecting Against Web Attacks Securing the Operating System Securing Web Server Applications IIS Apache Securing Website Design Securing Network Architecture Case Study Summary Chapter 8 Performing Database Attacks Defining Databases Oracle Structure SQL MySQL Structure SQL SQL Server Structure SQL Database Default Accounts Testing Database Vulnerabilities SQL Injection System Stored Procedures xp_cmdshell Connection Strings Password Cracking/Brute Force Attacks Securing Your SQL Server Authentication Service Accounts Public Role Guest Account Sample Databases Network Libraries Ports Detecting Database Attacks Auditing Failed Logins System Stored Procedures SQL Injection Protecting Against Database Attacks Case Study Summary References and Further Reading Chapter 9 Password Cracking Password Hashing Using Salts Microsoft Password Hashing UNIX Password Hashing Password-Cracking Tools John the Ripper Pwdump3 L0phtcrack Nutcracker Hypnopaedia Snadboy Revelation Boson GetPass RainbowCrack Detecting Password Cracking Network Traffic System Log Files Account Lockouts Physical Access Dumpster Diving and Key Logging Social Engineering Protecting Against Password Cracking Password Auditing Logging Account Logins Account Locking Password Settings Password Length Password Expiration Password History Physical Protection Employee Education and Policy Case Study Summary Chapter 10 Attacking the Network Bypassing Firewalls Evading Intruder Detection Systems Testing Routers for Vulnerabilities CDP HTTP Service Password Cracking Modifying Routing Tables Testing Switches for Vulnerabilities VLAN Hopping Spanning Tree Attacks MAC Table Flooding ARP Attacks VTP Attacks Securing the Network Securing Firewalls Securing Routers Disabling CDP Disabling or Restricting the HTTP Service Securing Router Passwords Enabling Authentication for Routing Protocols Securing Switches Securing Against VLAN Hopping Securing Against Spanning Tree Attacks Securing Against MAC Table Flooding and ARP Attacks Securing Against VTP Attacks Case Study Summary Chapter 11 Scanning and Penetrating Wireless Networks History of Wireless Networks Antennas and Access Points Wireless Security Technologies Service Set Identifiers (SSIDs) Wired Equivalent Privacy (WEP) MAC Filtering 802.1x Port Security IPSec War Driving Tools NetStumbler StumbVerter DStumbler Kismet GPSMap AiroPeek NX AirSnort WEPCrack Detecting Wireless Attacks Unprotected WLANs DoS Attacks Rogue Access Points MAC Address Spoofing Unallocated MAC Addresses Preventing Wireless Attacks Preventing Man-in-the-Middle Attacks Establishing and Enforcing Standards for Wireless Networking Case Study Summary Chapter 12 Using Trojans and Backdoor Applications Trojans, Viruses, and Backdoor Applications Common Viruses and Worms Chernobyl I Love You Melissa BugBear MyDoom W32/Klez Blaster SQL Slammer Sasser Trojans and Backdoors Back Orifice 2000 Tini Donald Dick Rootkit NetCat SubSeven Brown Orifice Beast Beast Server Settings Beast Client Detecting Trojans and Backdoor Applications MD5 Checksums Monitoring Ports Locally Netstat fport TCPView Monitoring Ports Remotely Anti-virus and Trojan Scanners Software Intrusion Detection Systems Prevention Case Study Summary Chapter 13 Penetrating UNIX, Microsoft, and Novell Servers General Scanners Nessus SAINT SARA ISS NetRecon UNIX Permissions and Root Access Elevation Techniques Stack Smashing Exploit rpc.statd Exploit irix-login.c Rootkits Linux Rootkit IV Beastkit Microsoft Security Models and Exploits Elevation Techniques PipeUpAdmin HK Rootkits Novell Server Permissions and Vulnerabilities Pandora NovelFFS Detecting Server Attacks Preventing Server Attacks Case Study Summary Chapter 14 Understanding and Attempting Buffer Overflows Memory Architecture Stacks Heaps NOPs Buffer Overflow Examples Simple Example Linux Privilege Escalation Windows Privilege Escalation Preventing Buffer Overflows Library Tools to Prevent Buffer Overflows Compiler-Based Solutions to Prevent Buffer Overflows Using a Non-Executable Stack to Prevent Buffer Overflows Case Study Summary Chapter 15 Denial-of-Service Attacks Types of DoS Attacks Ping of Death Smurf and Fraggle LAND Attack SYN Flood Tools for Executing DoS Attacks Datapool Jolt2 Hgod Other Tools Detecting DoS Attacks Appliance Firewalls Host-Based IDS Signature-Based Network IDS Network Anomaly Detectors Preventing DoS Attacks Hardening Network Hardening Application Hardening Intrusion Detection Systems Case Study Summary Chapter 16 Case Study: A Methodical Step-By-Step Penetration Test Case Study: LCN Gets Tested Planning the Attack Gathering Information Scanning and Enumeration External Scanning Wireless Scanning Gaining Access Gaining Access via the Website Gaining Access via Wireless Maintain Access Covering Tracks Writing the Report DAWN Security Executive Summary Objective Methodology Findings Summary Graphical Summary Technical Testing Report Black-Box Testing Presenting and Planning the Follow-Up Part III Appendixes Appendix A Preparing a Security Policy Appendix B Tools Glossary