• Table of Contents

  Page V

• + Foreword

  Page IX

  • About Bob Ayers

    Page XI

• + Preface

  Page XIII

  • + Recognized Assessment Standards

    Page XIV

    • NSA IAM

      Page XIV

    • CESG CHECK

      Page XIV

  • Hackers Defined

    Page XVI

  • Organization

    Page XVI

  • Audience

    Page XVIII

  • Mirror Site for Tools Mentioned in This Book

    Page XVIII

  • Using Code Examples

    Page XIX

  • Conventions Used in This Book

    Page XIX

  • Comments and Questions

    Page XX

  • Acknowledgments

    Page XX

• + Network Security Assessment

  Page 1

  • The Business Benefits

    Page 1

  • IP: The Foundation of the Internet

    Page 2

  • Classifying Internet-Based Attackers

    Page 3

  • Assessment Service Definitions

    Page 3

  • + Network Security Assessment Methodology

    Page 4

    • Internet Host and Network Enumeration

      Page 5

    • Bulk Network Scanning and Probing

      Page 5

    • Investigation of Vulnerabilities

      Page 6

    • Exploitation of Vulnerabilities

      Page 7

  • The Cyclic Assessment Approach

    Page 7

• + The Tools Required

  Page 9

  • + The Operating Systems

    Page 9

    • Windows NT Family Platforms

      Page 9

    • Linux

      Page 10

    • MacOS X

      Page 10

    • VMware

      Page 10

  • + Free Network Scanning Tools

    Page 11

    • nmap

      Page 11

    • Nessus

      Page 11

    • NSAT

      Page 11

    • Foundstone SuperScan

      Page 12

  • Commercial Network Scanning Tools

    Page 12

  • + Protocol-Dependent Assessment Tools

    Page 13

    • + Microsoft NetBIOS, SMB, and CIFS

      Page 13

      • Enumeration and information gathering tools

        Page 13

      • Brute-force password guessing tools

        Page 14

    • DNS

      Page 14

    • HTTP and HTTPS

      Page 15

• + Internet Host and Network Enumeration

  Page 17

  • + Web Search Engines

    Page 17

    • + Google Advanced Search Functionality

      Page 18

      • Enumerating CIA contact details with Google

        Page 19

      • Effective search query strings

        Page 19

    • Searching Newsgroups

      Page 20

  • + NIC Querying

    Page 21

    • + NIC Querying Tools and Examples

      Page 22

      • Using the Sam Spade Windows client

        Page 22

      • Using the Unix whois utility

        Page 23

      • Directly querying ARIN

        Page 24

      • Harvesting user details through WHOIS

        Page 24

  • + DNS Querying

    Page 25

    • + Forward DNS Querying

      Page 26

      • Forward DNS querying through nslookup

        Page 26

      • Forward DNS querying through host

        Page 27

      • Forward DNS querying through dig

        Page 27

      • Information retrieved through forward DNS querying

        Page 28

    • + DNS Zone Transfer Techniques

      Page 28

      • Performing DNS zone transfers with nslookup

        Page 29

      • Information retrieved through DNS zone transfer

        Page 31

      • Performing DNS zone transfers using host and dig

        Page 32

      • Further querying

        Page 32

      • Mapping subdomains with host

        Page 32

      • Example of a DNS zone transfer refusal

        Page 32

    • Reverse DNS Sweeping

      Page 33

    • SMTP Probing

      Page 33

  • Enumeration Technique Recap

    Page 34

  • Enumeration Countermeasures

    Page 35

• + IP Network Scanning

  Page 36

  • + ICMP Probing

    Page 36

    • SING

      Page 38

    • nmap

      Page 39

    • Gleaning Internal IP Addresses

      Page 40

    • Identifying Subnet Broadcast Addresses

      Page 40

  • + TCP Port Scanning

    Page 42

    • + Standard Scanning Methods

      Page 42

      • Vanilla connect() scanning

        Page 42

      • Half-open SYN flag scanning

        Page 44

    • + Stealth TCP Scanning Methods

      Page 46

      • Inverse TCP flag scanning

        Page 46

      • ACK flag probe scanning

        Page 47

    • + Third-Party and Spoofed TCP Scanning Methods

      Page 49

      • FTP bounce scanning

        Page 49

      • Proxy bounce scanning

        Page 51

      • Sniffer-based spoofed scanning

        Page 51

      • IP ID header scanning

        Page 52

  • + UDP Port Scanning

    Page 54

    • Tools That Perform UDP Port Scanning

      Page 55

  • + IDS Evasion and Filter Circumvention

    Page 56

    • + Fragmenting Probe Packets

      Page 56

      • fragtest

        Page 57

      • fragroute

        Page 57

      • nmap

        Page 58

    • Emulating Multiple Attacking Hosts

      Page 59

    • + Source Routing

      Page 59

      • Assessing source-routing vulnerabilities

        Page 61

    • Using Specific TCP and UDP Source Ports

      Page 63

  • + Low-Level IP Assessment

    Page 65

    • + Analyzing Responses to TCP Probes

      Page 65

      • hping2

        Page 66

      • firewalk

        Page 67

    • Passively Monitoring ICMP Responses

      Page 68

    • IP Fingerprinting

      Page 69

    • TCP Sequence and IP ID Incrementation

      Page 70

  • Network Scanning Recap

    Page 71

  • Network Scanning Countermeasures

    Page 72

• + Assessing Remote Information Services

  Page 73

  • Remote Information Services

    Page 73

  • systat and netstat

    Page 73

  • + DNS

    Page 75

    • Retrieving DNS Service Version Information

      Page 76

    • DNS Zone Transfers

      Page 76

    • DNS Information Leaks and Reverse Lookup Attacks

      Page 78

    • + BIND Vulnerabilities

      Page 79

      • BIND TSIG overflow exploit

        Page 80

    • + Microsoft DNS Service Vulnerabilities

      Page 80

      • Extracting Active Directory network service information

        Page 81

      • Remote vulnerabilities in the Microsoft DNS server

        Page 81

  • + finger

    Page 81

    • finger Information Leaks

      Page 82

    • finger Redirection

      Page 83

    • Directly Exploitable finger Bugs

      Page 83

  • + auth

    Page 84

    • auth Process Manipulation Vulnerabilities

      Page 85

  • + SNMP

    Page 85

    • ADMsnmp

      Page 86

    • snmpwalk

      Page 86

    • Default Community Strings

      Page 87

    • Compromising Devices by Reading from SNMP

      Page 87

    • Compromising Devices by Writing to SNMP

      Page 88

    • SNMP Process-Manipulation Vulnerabilities

      Page 89

  • + LDAP

    Page 90

    • Anonymous LDAP Access

      Page 90

    • LDAP Brute Force

      Page 91

    • Active Directory Global Catalog

      Page 92

    • LDAP Process Manipulation Vulnerabilities

      Page 92

  • rwho

    Page 92

  • RPC rusers

    Page 93

  • Remote Information Services Countermeasures

    Page 93

• + Assessing Web Services

  Page 95

  • Web Services

    Page 95

  • + Identifying the Web Service

    Page 96

    • HTTP HEAD

      Page 96

    • + HTTP OPTIONS

      Page 99

      • Common HTTP OPTIONS responses

        Page 100

    • + Automated Web Service Fingerprinting

      Page 101

      • WebServerFP

        Page 101

      • hmap

        Page 101

      • 404print

        Page 103

    • Identifying the Web Service Through an SSL Tunnel

      Page 104

  • + Identifying Subsystems and Components

    Page 105

    • ASP.NET

      Page 105

    • WebDAV

      Page 106

    • Microsoft FrontPage

      Page 106

    • + Microsoft Outlook Web Access

      Page 107

      • Exchange 5.5 OWA public folders information leak

        Page 108

    • Default IIS ISAPI Extensions

      Page 109

    • PHP

      Page 110

    • OpenSSL

      Page 111

  • + Investigating Web Service Vulnerabilities

    Page 111

    • + The Tools

      Page 112

      • nikto

        Page 112

      • N-Stealth

        Page 113

    • Security Web Sites and Mailing Lists

      Page 114

    • + Microsoft IIS Vulnerabilities

      Page 115

      • IIS ASP sample scripts and tools

        Page 115

      • HTR (ISM.DLL) extension exposures

        Page 116

      • HTW (WEBHITS.DLL) extension exposures

        Page 118

      • IIS Unicode exploit

        Page 119

      • PRINTER (MSW3PRT.DLL) extension overflow

        Page 122

      • IDA (IDQ.DLL) extension overflow

        Page 122

      • IIS WebDAV vulnerability

        Page 123

      • Microsoft FrontPage exposures

        Page 125

      • Poorly configured IIS permissions

        Page 126

    • + Apache Vulnerabilities

      Page 128

      • Apache chunk-handling vulnerability

        Page 128

      • Other Apache exposures and vulnerabilities

        Page 131

    • + OpenSSL Vulnerabilities

      Page 131

      • OpenSSL client key overflow

        Page 132

      • Other OpenSSL exposures and vulnerabilities

        Page 134

    • + HTTP Proxy Component Exposures

      Page 135

      • HTTP CONNECT

        Page 135

      • HTTP POST

        Page 136

      • HTTP GET

        Page 137

      • Testing HTTP proxies

        Page 138

  • + Accessing Poorly Protected Information

    Page 139

    • Brute-Forcing HTTP Authentication

      Page 140

  • + Assessing CGI Scripts and Custom ASP Pages

    Page 140

    • + Parameter Manipulation and Filter Evasion

      Page 141

      • URL query-string manipulation

        Page 141

      • User cookie manipulation

        Page 142

      • Form field manipulation

        Page 144

      • Filter evasion

        Page 145

    • Error-Handling Problems

      Page 146

    • + Operating System Command Injection

      Page 146

      • Run arbitrary system commands

        Page 146

      • Modify parameters passed to system commands

        Page 147

      • Execute additional commands

        Page 147

      • Operating system command-injection countermeasures

        Page 148

    • + SQL Command Injection

      Page 148

      • Basic testing methodology

        Page 149

      • Calling stored procedures

        Page 149

      • Compromising data using SELECT and INSERT

        Page 151

    • + Web Application Assessment Tools

      Page 152

      • Achilles

        Page 152

  • Web Services Countermeasures

    Page 153

• + Assessing Remote Maintenance Services

  Page 155

  • Remote Maintenance Services

    Page 155

  • + SSH

    Page 156

    • SSH Fingerprinting

      Page 156

    • SSH Brute-Force Password Grinding

      Page 157

    • + SSH Vulnerabilities

      Page 158

      • SSH1 CRC32 compensation vulnerability

        Page 158

      • SSH1 CRC32 compensation exploit

        Page 159

      • OpenSSH challenge-response vulnerability

        Page 161

      • OpenSSH challenge-response exploit

        Page 161

      • Other remotely exploitable SSH flaws

        Page 162

  • + Telnet

    Page 163

    • + Telnet Service Fingerprinting

      Page 163

      • telnetfp

        Page 163

      • Manual telnet fingerprinting

        Page 164

    • + Telnet Brute-Force Password-Grinding

      Page 165

      • Common device telnet passwords

        Page 165

      • Dictionary files and word lists

        Page 166

    • + Telnet Vulnerabilities

      Page 167

      • System V-derived /bin/login static overflow vulnerability

        Page 167

      • Solaris /bin/login static overflow exploits

        Page 167

      • BSD-derived telrcv() heap overflow vulnerability

        Page 168

      • FreeBSD telrcv() heap overflow exploit

        Page 169

      • Other remotely exploitable Telnet bugs

        Page 170

  • + R-Services

    Page 170

    • + Directly Accessing R-Services

      Page 171

      • Unix ~/.rhosts and /etc/hosts.equiv files

        Page 171

    • R-Services Brute Force

      Page 172

    • Spoofing RSH Connections

      Page 173

    • Known R-Services Vulnerabilities

      Page 173

  • + X Windows

    Page 174

    • + X Windows Authentication

      Page 174

      • xhost

        Page 174

      • xauth

        Page 174

    • + Assessing X Servers

      Page 175

      • List open windows

        Page 176

      • Take screenshots of specific open windows

        Page 176

      • Capture keystrokes typed in specific windows

        Page 176

      • Send keystrokes to specific windows

        Page 177

    • Known X Window System Vulnerabilities

      Page 178

  • + Microsoft Remote Desktop Protocol

    Page 178

    • RDP Brute-Force Password Grinding

      Page 178

    • RDP Vulnerabilities

      Page 179

  • + VNC

    Page 180

    • VNC Brute-Force Password Grinding

      Page 180

  • + Citrix

    Page 182

    • Using The Citrix ICA Client

      Page 182

    • Accessing Nonpublic Published Applications

      Page 183

    • Citrix Vulnerabilities

      Page 185

  • Remote Maintenance Services Countermeasures

    Page 185

• + Assessing FTP and Database Services

  Page 186

  • FTP

    Page 186

  • + FTP Banner Grabbing and Enumeration

    Page 187

    • Analyzing FTP Banners

      Page 188

    • Assessing FTP Permissions

      Page 188

  • FTP Brute-Force Password Guessing

    Page 191

  • + FTP Bounce Attacks

    Page 191

    • FTP Bounce Port Scanning

      Page 192

    • FTP Bounce Exploit Payload Delivery

      Page 192

  • + Circumventing Stateful Filters Using FTP

    Page 193

    • PORT and PASV

      Page 193

    • PASV Abuse

      Page 194

  • + FTP Process Manipulation Attacks

    Page 196

    • Solaris and BSD FTP Globbing Issues

      Page 196

    • + WU-FTPD Vulnerabilities

      Page 198

      • Exploiting WU-FTPD 2.6.1 on Linux with 7350wurm

        Page 199

    • ProFTPD Vulnerabilities

      Page 201

    • Microsoft IIS FTP Server

      Page 201

  • FTP Services Countermeasures

    Page 201

  • Database Services

    Page 202

  • + Microsoft SQL Server

    Page 202

    • SQL Server Enumeration

      Page 202

    • + SQL Server Brute Force

      Page 204

      • SQLAT

        Page 204

    • SQL Server Process Manipulation Vulnerabilities

      Page 204

  • + Oracle

    Page 206

    • + TNS Listener Enumeration and Information Leak Attacks

      Page 207

      • Pinging the TNS Listener

        Page 207

      • Retrieving Oracle version and platform information

        Page 207

      • Other TNS Listener commands

        Page 208

      • Retrieving the current status of the TNS Listener

        Page 208

      • Executing an information leak attack

        Page 209

    • + TNS Listener Process-Manipulation Vulnerabilities

      Page 209

      • TNS Listener COMMAND stack overflow (CVE-2001-0499) exploit

        Page 210

      • Creating files using the TNS Listener (CVE-2000-0818)

        Page 210

    • + Oracle Brute-Force and Post-Authentication Issues

      Page 211

      • OAT

        Page 212

      • MetaCoretex

        Page 212

  • + MySQL

    Page 212

    • MySQL Enumeration

      Page 212

    • MySQL Brute Force

      Page 213

    • MySQL Process-Manipulation Vulnerabilities

      Page 213

  • Database Services Countermeasures

    Page 214

• + Assessing Windows Networking Services

  Page 215

  • + Microsoft Windows Networking Services

    Page 215

    • SMB, CIFS, and NetBIOS

      Page 215

  • + Microsoft RPC Services

    Page 216

    • + Enumerating System Information

      Page 216

      • epdump

        Page 217

      • Known IFID values

        Page 219

      • rpdump and ifids

        Page 219

      • RpcScan

        Page 222

    • + Gleaning User Details via SAMR and LSARPC Interfaces

      Page 223

      • walksam

        Page 223

      • rpcclient

        Page 225

    • Brute-Forcing Administrator Passwords

      Page 226

    • Executing Arbitrary Commands

      Page 227

    • Exploiting RPC Services Directly

      Page 227

  • + The NetBIOS Name Service

    Page 230

    • Enumerating System Details

      Page 231

    • Attacking the NetBIOS Name Service

      Page 232

  • The NetBIOS Datagram Service

    Page 232

  • + The NetBIOS Session Service

    Page 233

    • + Enumerating System Details

      Page 233

      • enum

        Page 234

      • winfo

        Page 235

      • GetAcct

        Page 237

    • Brute-Forcing User Passwords

      Page 237

    • Authenticating with NetBIOS

      Page 238

    • Executing Commands

      Page 239

    • Accessing and Modifying Registry Keys

      Page 239

    • Accessing The SAM Database

      Page 240

  • + The CIFS Service

    Page 241

    • + CIFS Enumeration

      Page 241

      • User enumeration through smbdumpusers

        Page 242

    • CIFS Brute Force

      Page 243

  • Unix Samba Vulnerabilities

    Page 244

  • Windows Networking Services Countermeasures

    Page 245

• + Assessing Email Services

  Page 247

  • Email Service Protocols

    Page 247

  • + SMTP

    Page 247

    • SMTP Service Fingerprinting

      Page 248

    • + Sendmail

      Page 249

      • Sendmail information leak exposures

        Page 249

      • Automating Sendmail user enumeration

        Page 252

      • Sendmail process manipulation vulnerabilities

        Page 252

    • Microsoft Exchange SMTP Service

      Page 253

    • SMTP Open Relay Testing

      Page 253

    • SMTP Relay and Anti-Virus Circumvention

      Page 254

  • + POP-2 and POP-3

    Page 256

    • POP-3 Brute-Force Password-Grinding

      Page 256

    • + POP-3 Process Manipulation Attacks

      Page 257

      • Qualcomm QPOP process-manipulation vulnerabilities

        Page 257

      • Microsoft Exchange POP-3 process-manipulation vulnerabilities

        Page 258

  • + IMAP

    Page 258

    • IMAP Brute Force

      Page 258

    • IMAP Process Manipulation Attacks

      Page 259

  • Email Services Countermeasures

    Page 260

• + Assessing IP VPN Services

  Page 261

  • + IPsec VPNs

    Page 261

    • + ISAKMP and IKE

      Page 262

      • Main mode IKE

        Page 262

      • Aggressive mode IKE

        Page 263

  • + Attacking IPsec VPNs

    Page 263

    • IPsec Enumeration

      Page 264

    • Initial ISAKMP Service Probing

      Page 264

    • Investigating Known ISAKMP and IKE Weaknesses

      Page 265

    • Aggressive Mode IKE PSK Cracking

      Page 266

  • + Check Point VPN Security Issues

    Page 268

    • Check Point IKE Username Enumeration

      Page 268

    • Check Point Telnet Service Username Enumeration

      Page 269

    • + Check Point SecuRemote Information Leak Attacks

      Page 269

      • Sniffing interface IP addresses

        Page 269

      • Downloading SecuRemote network topology information

        Page 270

    • Check Point RDP Firewall Bypass Vulnerability

      Page 271

  • Microsoft PPTP

    Page 271

  • VPN Services Countermeasures

    Page 272

• + Assessing Unix RPC Services

  Page 273

  • + Enumerating Unix RPC Services

    Page 273

    • Identifying RPC Services Without the Portmapper

      Page 274

  • + RPC Service Vulnerabilities

    Page 275

    • + Abusing rpc.mountd (100005)

      Page 276

      • CVE-1999-0002

        Page 276

      • CVE-2003-0252

        Page 276

      • Listing and accessing exported directories through mountd and NFS

        Page 276

    • + Multiple Vendor rpc.statd (100024) Vulnerabilities

      Page 277

      • CVE-1999-0018 and CVE-1999-0019

        Page 277

      • CVE-1999-0493

        Page 278

      • CVE-2000-0666

        Page 278

    • + Solaris rpc.sadmind (100232) Vulnerabilities

      Page 278

      • CVE-1999-0977

        Page 278

      • CVE-2003-0722

        Page 279

    • Solaris rpc.cachefsd (100235) Vulnerability

      Page 279

    • Solaris rpc.snmpXdmid (100249) Vulnerability

      Page 280

    • Multiple Vendor rpc.cmsd (100068) Vulnerabilities

      Page 280

    • + Multiple Vendor rpc.ttdbserverd (100083) Vulnerability

      Page 282

      • Solaris rpc.ttdbserverd exploit

        Page 282

      • IRIX rpc.ttdbserverd exploit

        Page 283

  • Unix RPC Services Countermeasures

    Page 283

• + Application-Level Risks

  Page 284

  • The Fundamental Hacking Concept

    Page 284

  • The Reasons Why Software Is Vulnerable

    Page 285

  • + Network Service Vulnerabilities and Attacks

    Page 286

    • Memory Manipulation Attacks

      Page 286

    • + Runtime Memory Organization

      Page 286

      • The text segment

        Page 287

      • The data and BSS segments

        Page 287

      • The stack

        Page 288

      • The heap

        Page 288

    • Processor Registers and Memory

      Page 289

  • + Classic Buffer-Overflow Vulnerabilities

    Page 290

    • Stack Overflows

      Page 290

    • + Stack Smash (Saved Instruction Pointer Overwrite)

      Page 291

      • Causing a program crash

        Page 292

      • Compromising the logical program flow

        Page 293

      • Analyzing the program crash

        Page 294

      • Creating and injecting shellcode

        Page 295

    • + Stack Off-by-One (Saved Frame Pointer Overwrite)

      Page 296

      • Analyzing the program crash

        Page 297

      • Exploiting an off-by-one bug to modify the instruction pointer

        Page 299

      • Exploiting an off-by-one bug to modify data in the parent function’s stack frame

        Page 300

      • Off-by-one effectiveness against different processor architectures

        Page 300

  • + Heap Overflows

    Page 301

    • Overflowing the Heap to Compromise Program Flow

      Page 301

    • + Other Heap Corruption Attacks

      Page 306

      • Heap off-by-one and off-by-five bugs

        Page 307

      • Double-free bugs

        Page 307

      • Recommended further reading

        Page 308

  • + Integer Overflows

    Page 308

    • Heap Wrap-Around Attacks

      Page 308

    • Negative-Size Bugs

      Page 310

  • + Format String Bugs

    Page 311

    • Reading Adjacent Items on the Stack

      Page 311

    • Reading Data From any Address on the Stack

      Page 313

    • Overwriting Any Word in Memory

      Page 315

    • Recommended Format String Bug Reading

      Page 317

  • Memory Manipulation Attacks Recap

    Page 317

  • + Mitigating Process Manipulation Risks

    Page 318

    • Nonexecutable Stack and Heap Implementation

      Page 319

    • Use of Canary Values in Memory

      Page 319

    • Running Unusual Server Architecture

      Page 320

    • Compiling Applications From Source

      Page 320

    • Active System Call Monitoring

      Page 320

  • Recommended Secure Development Reading

    Page 321

• + Example Assessment Methodology

  Page 322

  • + Network Scanning

    Page 322

    • Initial Network Scanning

      Page 322

    • Full Network Scanning

      Page 324

    • + Low-Level Network Testing

      Page 326

      • TCP ISN sequence generation

        Page 326

      • IP ID sequence generation

        Page 327

      • Source routing testing

        Page 327

      • Other tests

        Page 328

  • + Accessible Network Service Identification

    Page 328

    • Initial Telnet Service Assessment

      Page 328

    • Initial SSH Service Assessment

      Page 329

    • Initial SMTP Service Assessment

      Page 329

    • + Initial Web Service Assessment

      Page 331

      • ASP.NET investigation

        Page 332

      • ISAPI extension enumeration

        Page 333

      • Automated scanning for FrontPage and OWA components

        Page 334

      • SSL web service investigation

        Page 334

  • + Investigation of Known Vulnerabilities

    Page 334

    • Cisco IOS Accessible Service Vulnerabilities

      Page 335

    • Solaris 8 Accessible Service Vulnerabilities

      Page 335

    • Windows 2000 Accessible Service Vulnerabilities

      Page 337

  • + Network Service Testing

    Page 338

    • Cisco IOS Router (192.168.10.1)

      Page 338

    • Solaris Mail Server (192.168.10.10)

      Page 339

    • Windows 2000 Web Server (192.168.10.25)

      Page 342

  • Methodology Flow Diagram

    Page 343

  • + Recommendations

    Page 343

    • + Quick Win Recommendations

      Page 343

      • Cisco IOS router

        Page 343

      • Solaris mail server

        Page 343

      • Windows 2000 web server

        Page 345

    • Long-Term Recommendations

      Page 345

  • Closing Comments

    Page 347

• + TCP, UDP Ports, and ICMP Message Types

  Page 349

  • TCP Ports

    Page 349

  • UDP Ports

    Page 352

  • ICMP Message Types

    Page 352

• + Sources of Vulnerability Information

  Page 354

  • Security Mailing Lists

    Page 354

  • Vulnerability Databases and Lists

    Page 354

  • Underground Web Sites

    Page 355

  • Security Events and Conferences

    Page 355

• Index

  Page 357

There are hundreds--if not thousands--of techniques used to compromise both Windows and Unix-based systems. Malicious code and new exploit scripts are released on a daily basis, and each evolution becomes more and more sophisticated. Keeping up with the myriad of systems used by hackers in the wild is a formidable task, and scrambling to patch each potential vulnerability or address each new attack one-by-one is a bit like emptying the Atlantic with paper cup.

If you're a network administrator, the pressure is on you to defend your systems from attack. But short of devoting your life to becoming a security expert, what can you do to ensure the safety of your mission critical systems? Where do you start?

Using the steps laid out by professional security analysts and consultants to identify and assess risks, Network Security Assessment offers an efficient testing model that an administrator can adopt, refine, and reuse to create proactive defensive strategies to protect their systems from the threats that are out there, as well as those still being developed.

This thorough and insightful guide covers offensive technologies by grouping and analyzing them at a higher level--from both an offensive and defensive standpoint--helping administrators design and deploy networks that are immune to offensive exploits, tools, and scripts. Network administrators who need to develop and implement a security assessment program will find everything they're looking for--a proven, expert-tested methodology on which to base their own comprehensive program--in this time-saving new book.