Errata for Network Security Assessment

The errata list is a list of errors and their corrections that were found after the product was released. If the error was corrected in a later version or reprint the date of the correction will be displayed in the column titled "Date Corrected".

The following errata were submitted by our customers and approved as valid errors by the author or editor.

Each entry below lists, in order: Version, Location, Description, Submitted By, Date submitted (blank where none was recorded), and Date corrected (blank where the error has not yet been corrected in a reprint).
Printed
Page 4
Figure 1-1, Penetration Testing

"Wide scope 'no holds barred' approach involving multiple attack vendors..."
should read:
"...involving multiple attack vectors..."

Anonymous   
Printed
Page 4
Figure 1-1

"Network Security Assessment
Automated network scanning and
report generation, useful to test
networks from opportunistic attack"

NOW READS:
"Network Security Assessment
Effective assessment of Internet-
based risks using automated tools
and qualification by hand"

Anonymous    Aug 01, 2004
Printed
Page 8
Figure 1-2

The description in the "Brute Force Password Grinding" box:
Using multipe vectors...
should read:
Using multiple vectors...

Anonymous   
Printed
Page 8
Figure 1-2

"Accessible TOP and UDP network services"

NOW READS:
"Accessible TCP and UDP network services"

Anonymous    Aug 01, 2004
Printed
Page 8
Figure 1-2

The arrow going down from 'Network Enumeration' to 'New domain names and IP addresses' HAS BEEN REVERSED and now points upward.

Anonymous    Aug 01, 2004
Printed
Page 14

http://www.microsoft.com/ntserver/nts/downloads/recommended/netkit/default.asp

NOW READS:
http://www.microsoft.com/ntserver/nts/downloads/recommended/ntkit/default.asp

AND
http://www.netxeyes.org/smbcrack.exe

NOW READS:
http://www.netxeyes.org/SMBCrack.exe

Anonymous    May 01, 2004
Printed
Page 46

"Using half-open SYN flags to probe a target is known as an inverted technique because ... "

NOW READS:
"Using malformed TCP flags to probe a target is known as an inverted technique because ... "

Anonymous    May 01, 2004
Printed
Page 49

http://www.eaglenet.org/antirez/hping2.html

NOW READS:
http://www.hping.org

Anonymous    May 01, 2004
Printed
Page 66
first paragraph

"If some ports don't respond, but others respond with
RST/ACK, the unresponsive ports are considered unfiltered"

NOW READS:
"If some ports don't respond, but others respond with
RST/ACK, the responsive ports are considered unfiltered"

Anonymous    Aug 01, 2004
Printed
Page 79

Table 5-1 should include the following two entries:

ZXFR denial-of-service CVE-2000-0887 8.2-8.2.2 patch level 6

Large TTL negative cache poisoning bug CVE-2003-0914 8.3-8.3.7 and 8.4-8.4.3

Anonymous   
Printed
Page 87

snmpwalk -c public 192.168.0.1

NOW READS:
snmpwalk -c private 192.168.0.1

Anonymous    May 01, 2004
Printed
Page 87
Example 5-14

"snmpwalk -c public 192.168.0.1"

NOW READS:
"snmpwalk -c private 192.168.0.1"

Anonymous    Aug 01, 2004
Printed
Page 91

http://www.xfocus.net/exploits

NOW READS:
http://examples.oreilly.com/9780596006112/tools/bf_ldap.tar.gz

Anonymous    May 01, 2004
Printed
Page 111
OpenSSL

"HEAD / HTTP/1.0" NOW APPEARS in bold.

Anonymous    Aug 01, 2004
Printed
Page 121
Unicode revisited

http://www.example.org/scripts/..%255c../winnt/system32/cmd.exe/?/c+dir

NOW READS:
http://www.example.org/scripts/..%255c../winnt/system32/cmd.exe?/c+dir

Anonymous    Aug 01, 2004
Printed
Page 122
Example 6-14

"ispc 192.168.189.10/scripts/idq.dll" NOW APPEARS in bold.

Anonymous    Aug 01, 2004
Printed
Page 122

The following sentence HAS BEEN ADDED to the end of the first paragraph, so that it NOW READS:
" ... The iisoop.dll source code is available for analysis at http://www.w00w00.org/files/iisoop.tgz. The bug reference is CVE-2002-0869 and MS02-062."

Anonymous    Aug 01, 2004
Printed
Page 138
About 1/3 down page, the two URLs

http://www.securityfocus.com/archive/75/295545/2003-09-07/2003-09-13/1
http://www.securityfocus.com/archive/75/337304/2003-09-11/2003-09-17/1

NOW READ:
http://www.securityfocus.com/archive/75/295545
http://www.securityfocus.com/archive/75/337304

Anonymous    Aug 01, 2004
Printed
Page 150
xp_cmdshell; the following code

"/price.asp?ProductID=12984';EXEC%20master..xp_cmdshell'ping.exe
%20212.123.86.4"

HAS BEEN REFORMATTED so that it NOW APPEARS:
"/price.asp?ProductID=12984';EXEC%20master..xp_cmdshell'ping.exe%20212.123.86.4"

Anonymous    Aug 01, 2004
Printed
Page 151
within the first code example at the top of the page

'net users' NOW READS 'net%20users'

Anonymous    Aug 01, 2004
Printed
Page 162
Table 7-1

"OpenSSH 3.7.1 contains buffer management errors"

NOW READS:
"OpenSSH 3.7 and prior contains buffer management errors"

Anonymous    Aug 01, 2004
Printed
Page 167
4th line from the bottom

"Running 7350logoout from a Linux platform"

NOW READS:
"Running 7350logout from a Linux platform".

Anonymous    Aug 01, 2004
Printed
Page 171
2nd paragraph example

"chrismail.trustmatta.com" should be "chris mail.trustmatta.com"

Anonymous   
Printed
Page 172
notes

It is very easy to get from user/bin to user/root under Unix-based systems
should be:
It is very easy to get from bin privilege to root privilege under Unix-based systems

Anonymous   
Printed
Page 174
1st paragraph

X Consortium was closed in 1996. X is currently maintained by X.org foundation.

see http://en.wikipedia.org/wiki/X_Window_System#The_X_Consortium

Anonymous   
Printed
Page 197
Final paragraph

"although this may be difficult to exploit under Solaris."

NOW READS:
"although this may be difficult to exploit."

Anonymous    Aug 01, 2004
Printed
Page 198
2nd paragraph

heck the MITRE CVE and ...
Should be
check the MITRE CVE and ...

Anonymous   
Printed
Page 202
Microsoft SQL Server

"The service listens on UDP port 1434 and returns the IP address and port number"
should read:
"The service listens on UDP port 1434 and returns the server name and port number"

Anonymous   
Printed
Page 202

http://www.sqlsecurity.com/uploads/sqlping.zip

NOW READS:
http://examples.oreilly.com/9780596006112/tools/sqlping.zip

Anonymous    May 01, 2004
Printed
Page 204

http://www.sqlsecurity.com/uploads/forcesql.zip
and
http://www.sqlsecurity.com/uploads/sqlbf.zip

NOW READ:
http://examples.oreilly.com/9780596006112/tools/forcesql.zip
and
http://examples.oreilly.com/9780596006112/tools/sqlbf.zip

Anonymous    May 01, 2004
Printed
Page 207
Figure 8-7 and paragraph above

VSNUM should be: VSNNUM
(also the index page 370 needs to be corrected too)

Anonymous   
Printed
Page 210
Table 8-5, 3rd entry in the "note" column

Oracle 8i and 9iVersion 8.1.7 and 9.0.1 and prior) TNS Listener...
should be:
Oracle 8i and 9i(Version 8.1.7 and 9.0.1 and prior) TNS Listener...

Anonymous   
Printed
Page 213
Penultimate paragraph

" , which relates to a remote vulnerability in MySQL 3.23.56 ..."

NOW READS:
" , which relates to a post-authentication vulnerability in MySQL 3.23.56 ..."

Anonymous    Aug 01, 2004
Printed
Page 215
Microsoft Windows Networking Services

The list of ports (including loc-srv, netbios-ns, microsoft-ds, etc.)
NOW READS:

loc-srv 135/tcp
...
netbios-ssn 139/tcp
microsoft-ds 445/tcp
microsoft-ds 445/udp

Anonymous    Aug 01, 2004
Printed
Page 219
rpcdump and ifids, final line

"ncacn_http (RPC over HTTP on TCP port 80 or 593)"

NOW READS:
"ncacn_http (RPC over HTTP on TCP port 80, 593, or others)"

Pages 222 and 227, and the index:
"Uriel" NOW READS "Urity"

Anonymous    Aug 01, 2004
Printed
Page 223
Gleaning User Details via SAMR and LSARPC Interfaces, first paragraph

" .. if the SAMR or LSARPC interfaces are accessible."

NOW READS:
" .. if the SAMR RPC interface is accessible."

Anonymous    Aug 01, 2004
Printed
Page 232
penultimate paragraph

"An attack can run SMBRelay or LC4 ..."

NOW READS:
"An attack can run SMBRelay or LC5 ..."

Anonymous    Aug 01, 2004
Printed
Page 234

http://ntsecurity.nu/toolbox/winfo.exe

NOW READS:
http://ntsecurity.nu/downloads/winfo

Anonymous    May 01, 2004
Printed
Page 241
second paragraph, below Example 9-19

The four instances of "LC4" HAVE BEEN CHANGED to "LC5".

Anonymous    Aug 01, 2004
Printed
Page 252

Table 10-1 NOW INCLUDES CVE-2002-0906, as follows:

CVE-2002-0906 28/06/2002 Sendmail 8.12.4 and prior can be compromised if running in a non-default configuration, by an attacker using an authoritative DNS server to provide a malformed TXT record to the mail server upon connecting.

Anonymous    Aug 01, 2004
Printed
Page 255
Table 10-3

the "ISS XFID ... Notes" table heading should have a dark grey shaded background

Anonymous   
Printed
Page 268

(RDP running on TCP port 259)

NOW READS:
(RDP running on UDP port 259)

Anonymous    May 01, 2004
Printed
Page 275
1st paragraph

Due to the number of different RPC services, associated prognum values, ...
should be:
Due to the number of different RPC services, associated program values, ...

Anonymous   
Printed
Page 275

Table 12-1 is missing a bug in yppasswd, and currently reads:

100009 yppasswd Yes No No No CVE-2001-0779

should read:

100009 yppasswd Yes No Yes No CVE-2001-0779
CVE-2002-0357

Anonymous   
Printed
Page 275

Table 12-1 is missing three bugs in ttdbserverd, and currently reads:

100083 ttdbserverd Yes No Yes Yes CVE-2001-0717

should read:

100083 ttdbserverd Yes No Yes Yes CVE-1999-0003
CVE-2001-0717
CVE-2002-0677
CVE-2002-0679

Anonymous   
Printed
Page 307

The 'xoa' text at the top of Figure 13-16 should be 'x0a'

Anonymous   
Printed
Page 312
Figure 13-17

"Pointer to formal string"

NOW READS:
"Pointer to format string"

Anonymous    Aug 01, 2004
Printed
Page 313
Figure 13-18

"Pointer to formal string"

NOW READS:
"Pointer to format string"

Anonymous    Aug 01, 2004
Printed
Page 327
Example 14-7

"25/tcp open smtp"

NOW READS:
"23/tcp open telnet"

Anonymous    Aug 01, 2004
Printed
Page 350

The rsync service (port 873) is also susceptible to CAN-2003-0962, so the entry should read "see CVE-2002-0048 and CAN-2003-0962".

Anonymous   
Printed
Page 351

"2401 cvspserver Unix CVS service, vulnerable to a number of attacks"

should read:

"2401 cvspserver Unix CVS service, vulnerable to a number of attacks;
see CVE-2003-0015"

Anonymous   
Printed
Page 351

The rwhois service on TCP port 4321 is also susceptible to CVE-2001-0838, so the entry should read "see CVE-2001-0838 and CVE-2001-0913".

Anonymous   
Printed
Page 352

The following should be added to Table A-2:

5135 objectserver IRIX ObjectServer service, can be used to add user accounts on IRIX 6.2 and prior; see CVE-2000-0245

Anonymous