This is an Open Access publication published under CSC-OpenAccess Policy.
The Principles of Modern Attacks Analysis for Penetration Tester
Adam Ali.Zare Hudaib
Pages - 22 - 84     |    Revised - 01-03-2015     |    Published - 31-03-2015
Volume - 9   Issue - 2    |    Publication Date - March / April 2015
KEYWORDS
Penetration Testing, DOS Attack, ICMP, IPv6, IPv4, NTP, Honey Pot Systems.
ABSTRACT
Modern cyber defense requires a realistic and thorough understanding of web application security issues. Anyone can learn to sling a few web hacks, but web application penetration testing requires something deeper. This article discusses major web application flaws and their exploitation, along with a field-tested and repeatable process for consistently finding these flaws and conveying them. The principles of modern attacks are analyzed in order to create the most effective penetration tests.
Mr. Adam Ali.Zare Hudaib
Licensed Penetration Tester | EC-Council Certified Ethical Hacker | EC-Council Certified Security Analyst | EC-Council Certified Network Analyst | WireShark University Information & Cyber Security Expert CEH, ECSA, LPT, WCNA - Sweden
adamhudaib@gmail.com