
2019 | Book

Cyber Operations

Building, Defending, and Attacking Modern Computer Networks


About this book

Know how to set up, defend, and attack computer networks with this revised and expanded second edition.

You will learn to configure your network from the ground up, beginning with developing your own private virtual test environment, then setting up your own DNS server and AD infrastructure. You will continue with more advanced network services, web servers, and database servers and you will end by building your own web applications servers, including WordPress and Joomla!. Systems from 2011 through 2017 are covered, including Windows 7, Windows 8, Windows 10, Windows Server 2012, and Windows Server 2016 as well as a range of Linux distributions, including Ubuntu, CentOS, Mint, and OpenSUSE.

Key defensive techniques are integrated throughout and you will develop situational awareness of your network and build a complete defensive infrastructure, including log servers, network firewalls, web application firewalls, and intrusion detection systems.

Of course, you cannot truly understand how to defend a network if you do not know how to attack it, so you will attack your test systems in a variety of ways. You will learn about Metasploit, browser attacks, privilege escalation, pass-the-hash attacks, malware, man-in-the-middle attacks, database attacks, and web application attacks.

What You’ll Learn

Construct a testing laboratory to experiment with software and attack techniques
Build realistic networks that include Active Directory, file servers, databases, web servers, and web applications such as WordPress and Joomla!
Manage networks remotely with tools, including PowerShell, WMI, and WinRM
Use offensive tools such as Metasploit, Mimikatz, Veil, Burp Suite, and John the Ripper
Exploit networks starting from malware and initial intrusion to privilege escalation through password cracking and persistence mechanisms
Defend networks by developing operational awareness using auditd and Sysmon to analyze logs, and deploying defensive tools such as the Snort intrusion detection system, IPFire firewalls, and ModSecurity web application firewalls

Who This Book Is For

This study guide is intended for everyone involved in or interested in cybersecurity operations (e.g., cybersecurity professionals, IT professionals, business professionals, and students).

Table of contents

Frontmatter
Chapter 1. System Setup
Abstract
Cyber operations is about the configuration, defense, and attack of real systems. This text focuses on systems that were deployed between 2011 and 2017.
Mike O’Leary
Chapter 2. Basic Offense
Abstract
How does an adversary attack a computer system? One approach is to provide data to a program running on that system that causes it to act on behalf of the attacker. The Morris worm, released in 1988, attacked vulnerable services including fingerd and sendmail, as well as poorly configured rexec and rsh. When it attacked fingerd, it sent a 536-byte request to C code using gets() that provided a buffer with only 512 bytes of space; the resulting overflow allowed the worm's code to execute on the target.
Mike O’Leary
Chapter 3. Operational Awareness
Abstract
Core to successful cyber operations is the ability to maintain the integrity and availability of computer systems and networks. The first step in this process is knowing what is occurring on defended systems and networks. Both Windows and Linux feature tools that provide information about running processes, system users, and network connections. Network traffic between systems can be captured and analyzed with tools including tcpdump and Wireshark. In this chapter, the reader will learn what live information is available to a system administrator facing a potentially compromised system or network and will find different indicators of the attacks.
Mike O’Leary
Chapter 4. DNS and BIND
Abstract
Real networks are more than a collection of workstations identified by their IP address; on the Internet, systems refer to each other through their names, and the Domain Name System (DNS) provides a method to translate from names to addresses and back again. The DNS protocols form the core protocol for the Internet, and an understanding of cyber operations requires an understanding of DNS.
Mike O’Leary
Chapter 5. Scanning the Network
Abstract
The web browser attacks of Chapter 2 require the victim to visit a web site controlled by the attacker. In more realistic scenarios, the attacker needs to know some details of the target network before being able to launch attacks that have a reasonable chance of success.
Mike O’Leary
Chapter 6. Active Directory
Abstract
Active Directory is a database of users, groups, computers, printers, and other objects. Windows uses Active Directory to organize the objects together into domains and larger forests. These are managed by domain controllers. Common platforms for domain controllers include Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
Mike O’Leary
Chapter 7. Remote Windows Management
Abstract
Windows allows users on one system to access and manage other systems through a range of mechanisms. Many common tools and commands allow the user to specify the target as a remote system. Some of these commands run over Server Message Block (SMB), other commands use Remote Procedure Calls (RPC), while another option is Windows Remote Management (WinRM). These require different services running on the target and different firewall settings for proper communication.
Mike O’Leary
Chapter 8. Attacking the Windows Domain
Abstract
An attacker that has gained a foothold on a network using the techniques of Chapter 2 can use Metasploit and native tools to expand their influence. Metasploit comes with reconnaissance modules that allow the attacker to determine their user privileges, the domain controller(s), and the account names for the domain administrators. If the attacker has compromised a privileged account, there are methods to allow the attacker to bypass User Account Control (UAC) to gain SYSTEM privileges. If not, the chapter presents ways the attacker can try to gain SYSTEM privileges, including exploiting insecure configuration of the host or using one of the Metasploit privilege escalation modules.
Mike O’Leary
Chapter 9. Privilege Escalation in Linux
Abstract
An attacker that gains a foothold on a Linux system wants to escalate privileges to root in the same way that an attacker on a Windows domain wants to escalate privileges to Administrator or Domain Administrator. The techniques used on a Linux target are somewhat different. There are fewer privilege escalation modules in Metasploit, so an attacker may need to rely on a customized exploit. The success of these exploits may require a particular distribution and a version. These exploits are usually distributed as source code, and so need to be compiled. The 2016 Dirty COW class of attacks is particularly powerful because they work against such a wide range of systems; nearly every Linux system prior to the 2016 patch can be exploited.
Mike O’Leary
Chapter 10. Logging
Abstract
An administrator running a network needs to understand what is happening on that network, making an understanding of logs essential. Not only do logs help determine how the network is functioning, they can also provide clues to the activities of malicious actors on a network. However, because an attacker that gains root or administrative privileges can modify any logs saved on that system, an administrator needs to know how to set up a distributed logging system so that logs on one system are stored on a different system.
Mike O’Leary
Chapter 11. Malware and Persistence
Abstract
Chapter 11 shows some elementary ways an attacker can gain an initial foothold on a network using active content in a browser or some simple malware generated through msfconsole. The Metasploit package also includes msfvenom, a tool that can be used to create more sophisticated malware. A limitation of msfvenom is that the malware it generates is often caught by modern antivirus products. Veil-Evasion can be used to craft malware that is not usually detected by antivirus.
Mike O’Leary
Chapter 12. Defending the Windows Domain
Abstract
A savvy defender understands that they may not be able to prevent a capable attacker from gaining an initial foothold on their network. On any real network, the collection of potential attack vectors is large, and the attacker only needs to be successful once to get that initial foothold. Even something as simple as a phishing attack can be used to obtain that initial shell.
Mike O’Leary
Chapter 13. Network Services
Abstract
An administrator running a network needs to securely provide services to users. This chapter introduces some common network services.
Mike O’Leary
Chapter 14. Apache and ModSecurity
Abstract
Apache is arguably the most significant web server; the September 2018 Netcraft survey reports that Apache runs 34% of the top million busiest sites, with Nginx reporting 25% and Microsoft 10%.
Mike O’Leary
Chapter 15. IIS and ModSecurity
Abstract
Microsoft Internet Information Services (IIS) is a web server available on Windows Server, as well as on Windows desktop systems. On Windows Server, it is considered a server role, and it is installed using the roles and features components. As a web server, IIS can run multiple web sites on multiple ports using multiple protocols. It can be managed locally or remotely through the graphical tool IIS Manager. Configuration information is stored in .xml configuration files that can be manipulated with command-line tools. Access to IIS web sites can be controlled in several ways, including filtering by properties of the client or the request. Authentication of remote clients can be done via HTTP basic authentication but can also take place using Windows authentication methods. Web sites can be protected by SSL using self-signed certificates, certificates signed by a local signing server, or by a commercial Certificate Authority. Customizable logging to plaintext log files is provided, and PowerShell can be used to parse these logs.
Mike O’Leary
Chapter 16. Web Attacks
Abstract
Web servers provide new features for legitimate users, but they also provide avenues of attack for malicious actors. An attacker that has been able to compromise a system on a network can extract passwords stored in Internet Explorer or Firefox. A defender can use a master password on Firefox to mitigate these kinds of attacks. An attacker that can find their way onto the local network can use Ettercap to launch man-in-the-middle attacks. If a web server automatically redirects unsecure HTTP traffic to a secure HTTPS site, then an attacker can use sslstrip to intercept the traffic before it is encrypted, allowing them to attack the connection without the browser warning of an improperly configured certificate chain.
Mike O’Leary
Chapter 17. IPFire Firewalls
Abstract
Network firewalls allow a defender to segment their network into different zones; one common architecture has a DMZ for external facing systems and a separate internal network. Linux distributions like IPFire can be used as the anchor point for such networks; these can be implemented virtually using VMWare Workstation or VirtualBox. IPFire controls traffic in and out of these networks, allowing for network address translation (NAT) and egress filtering. IPFire also provides a range of services, including logging, a time server, and a web proxy.
Mike O’Leary
Chapter 18. MySQL and MariaDB
Abstract
MySQL is a commonly used open source relational database that is used in conjunction with web applications like WordPress and Joomla. The company that developed MySQL was acquired by Oracle, and many of the original developers of MySQL became concerned for the future licensing of MySQL. In 2009, they created a fork of MySQL, named MariaDB, which serves as a replacement for the same version of MySQL.
Mike O’Leary
Chapter 19. Snort
Abstract
Snort is an open source network intrusion detection system that can be installed on Linux and Windows. It functions by first normalizing traffic, then checking the traffic against sets of rules. There are community rules, registered rules, and commercial rules for Snort available from http://www.snort.org; it is also possible to write custom rules. To avoid false positives, Snort needs to be tuned for its environment. Snort can raise alerts when specific traffic is seen on the network; it can also detect port scans, ARP spoofing, and sensitive data like credit card numbers or social security numbers.
Mike O’Leary
Chapter 20. PHP
Abstract
PHP is the final component of the traditional “LAMP” stack: Linux, Apache, MySQL/MariaDB, and PHP. It provides a full-featured programming language to develop web pages with active content; it currently is used as the server-side programming language for roughly 80% of all web sites. The current version of PHP is PHP 7, which was initially released in December 2015. During 2011–2018, some systems continued to support and run the older PHP 5, which was released in 2004. PHP 6 was only partially developed and never reached general availability.
Mike O’Leary
Chapter 21. Web Applications
Abstract
Web applications based on the LAMP stack of Linux, Apache, MySQL, and PHP are important and a common target of attackers. Some web applications like phpMyAdmin are primarily administrative; phpMyAdmin is used to remotely manage MySQL installations. Applications like Joomla and WordPress are content management systems that are used as the back end for many web sites; more than a quarter of web sites use WordPress or Joomla.
Mike O’Leary
Backmatter
Metadata
Title
Cyber Operations
Written by
Mike O'Leary
Copyright year
2019
Publisher
Apress
Electronic ISBN
978-1-4842-4294-0
Print ISBN
978-1-4842-4293-3
DOI
https://doi.org/10.1007/978-1-4842-4294-0