New vulnerabilities in network services are disclosed daily to the security community and underground alike, through Internet mailing lists and public forums including Internet Relay Chat (IRC). Proof-of-concept tools are often published for use by security consultants, whereas full-blown exploits are increasingly retained by hackers and not publicly disclosed in this fashion.

Here are five web sites that are extremely useful for investigating potential vulnerabilities within network services:

• SecurityFocus (http://www.securityfocus.com)

• Packet Storm (http://www.packetstormsecurity.org)

• CERT vulnerability notes (http://www.kb.cert.org/vuls/)

• MITRE Corporation CVE (http://cve.mitre.org)

• ISS X-Force (http://xforce.iss.net)

SecurityFocus hosts many useful mailing lists including BugTraq, Vuln-Dev, and Pen-Test. These can be subscribed to by email, and archived posts can be browsed through the web site. Due to the sheer number of posts through these lists, I personally browse the mailing-list archives only every couple of days.

Packet Storm actively archives underground exploit scripts, code, and other files. If you are in search of the latest public tools to compromise vulnerable services, Packet Storm is a good place to start. Often, SecurityFocus provides only proof-of-concept or old exploit scripts that aren’t effective in some cases.

Lately, Packet Storm has not been updated as much as it could be, so I increasingly browse databases such as the MITRE Corporation Common Vulnerabilities and Exposures (CVE), ISS X-Force, and CERT vulnerability notes lists. These lists allow for effective collation and research of all publicly known vulnerabilities so that exploit scripts can be located or built from scratch.

Investigation at this stage may also mean further qualification of vulnerabilities. Often it is the case that bulk network scanning doesn’t give detailed insight into service configuration and certain enabled options, so a degree of manual testing against key hosts is often carried out within this investigation phase.

Key pieces of information that are gathered through investigation include technical details of potential vulnerabilities along with tools and scripts to qualify and exploit the vulnerabilities present.

Upon qualifying potential vulnerabilities in accessible network services to a degree that it’s probable that exploit scripts and tools will work correctly, attacking and exploiting the host is the next step. There’s not really a lot to say about exploitation at a high level, except that by exploiting a vulnerability in a network service and gaining unauthorized access to a host, an attacker breaks computer misuse laws in most countries (including the United Kingdom, United States, and many others). Depending on the goal of the attacker, she can pursue many different routes through internal networks, although after compromising a host, she usually undertakes the following:

• Gain superuser privileges on the host

• Download and crack encrypted user-password hashes (the SAM database under Windows and the /etc/shadow file under most Unix-based environments)

• Modify logs and install a suitable backdoor to retain access to the host

• Compromise sensitive data (databases and network-mapped NFS or NetBIOS shares)

• Upload and use tools (network scanners, sniffers, and exploit scripts) to compromise other networked hosts

This book covers a number of specific vulnerabilities in detail but leaves cracking and pilfering techniques (deleting logs, installing back doors, sniffers and other tools) to the countless number of hacking books available. By providing you with technical information related to network and application vulnerabilities, you will be able to formulate effective countermeasures and risk-mitigation strategies.