Network Security Assessment by Chris McNab

The following errata were *corrected* in the 8/04 reprint.

Here's a key to the markup:
[page-number]: serious technical mistake
{page-number}: minor technical mistake
: important language/formatting problem
(page-number): language change or minor formatting problem

(Preface, xvi) Hackers Defined; The quote "The art of manipulating a process in such a way that it performs an action that is useful to you" HAS BEEN REFORMATTED to appear in italics.

[4] Figure 1-1; "Network Security Assessment Automated network scanning and report generation, useful to test networks from opportunistic attack" NOW READS: "Network Security Assessment Effective assessment of Internet-based risks using automated tools and qualification by hand"

{8} Figure 1-2; "Accessible TOP and UDP network services" NOW READS: "Accessible TCP and UDP network services"

{8} Figure 1-2; The arrow going down from 'Network Enumeration' to 'New domain names and IP addresses' HAS BEEN REVERSED and now points upward.

{66} first paragraph; "If some ports don't respond, but others respond with RST/ACK, the unresponsive ports are considered unfiltered" NOW READS: "If some ports don't respond, but others respond with RST/ACK, the responsive ports are considered unfiltered"

{87} Example 5-14; "snmpwalk -c public 192.168.0.1" NOW READS: "snmpwalk -c private 192.168.0.1"

(111) OpenSSL; "HEAD / HTTP/1.0" NOW APPEARS in bold.

{121} Unicode revisited; http://www.example.org/scripts/..%255c../winnt/system32/cmd.exe/?/c+dir NOW READS: http://www.example.org/scripts/..%255c../winnt/system32/cmd.exe?/c+dir

(122) Example 6-14; "ispc 192.168.189.10/scripts/idq.dll" NOW APPEARS in bold.

{122} The following sentence HAS BEEN ADDED to the end of the first paragraph, so that it NOW READS: " ... The iisoop.dll source code is available for analysis at http://www.w00w00.org/files/iisoop.tgz. The bug reference is CVE-2002-0869 and MS02-062."

{138} About 1/3 down the page, the two URLs: http://www.securityfocus.com/archive/75/295545/2003-09-07/2003-09-13/1 and http://www.securityfocus.com/archive/75/337304/2003-09-11/2003-09-17/1 NOW READ: http://www.securityfocus.com/archive/75/295545 and http://www.securityfocus.com/archive/75/337304

{150} xp_cmdshell; the following code: "/price.asp?ProductID=12984';EXEC%20master..xp_cmdshell'ping.exe %20212.123.86.4" HAS BEEN REFORMATTED so that it NOW APPEARS: "/price.asp?ProductID=12984';EXEC%20master..xp_cmdshell'ping.exe%20212.123.86.4"

{151} within the first code example at the top of the page; 'net users' NOW READS 'net%20users'

{162} Table 7-1; "OpenSSH 3.7.1 contains buffer management errors" NOW READS: "OpenSSH 3.7 and prior contains buffer management errors"

(167) 4th line from the bottom; "Running 7350logoout from a Linux platform" NOW READS: "Running 7350logout from a Linux platform".

(197) Final paragraph; "although this may be difficult to exploit under Solaris." NOW READS: "although this may be difficult to exploit."

{213} Penultimate paragraph; " , which relates to a remote vulnerability in MySQL 3.23.56 ..." NOW READS: " , which relates to a post-authentication vulnerability in MySQL 3.23.56 ..."

{215} Microsoft Windows Networking Services; The list of ports (including loc-srv, netbios-ns, microsoft-ds, etc.) NOW READS:
loc-srv 135/tcp
...
netbios-ssn 139/tcp
microsoft-ds 445/tcp
microsoft-ds 445/udp

{219} rpcdump and ifids, final line; "ncacn_http (RPC over HTTP on TCP port 80 or 593)" NOW READS: "ncacn_http (RPC over HTTP on TCP port 80, 593, or others)"

{222, 227, and in the index} "Uriel" NOW READS "Urity"

{223} Gleaning User Details via SAMR and LSARPC Interfaces, first paragraph; " .. if the SAMR or LSARPC interfaces are accessible." NOW READS: " .. if the SAMR RPC interface is accessible."

(232) penultimate paragraph; "An attack can run SMBRelay or LC4 ..." NOW READS: "An attack can run SMBRelay or LC5 ..."

(241) second paragraph, below Example 9-19; The four instances of "LC4" HAVE BEEN CHANGED to "LC5".

{252} Table 10-1 NOW INCLUDES CVE-2002-0906, as follows: CVE-2002-0906 28/06/2002 Sendmail 8.12.4 and prior can be compromised if running in a non-default configuration, by an attacker using an authoritative DNS server to provide a malformed TXT record to the mail server upon connecting.

{312} Figure 13-17; "Pointer to formal string" NOW READS: "Pointer to format string"

{313} Figure 13-18; "Pointer to formal string" NOW READS: "Pointer to format string"

{327} Example 14-7; "25/tcp open smtp" NOW READS: "23/tcp open telnet"