Hack the Stack, Syngress

USING SNORT AND ETHEREAL TO MASTER THE 8 LAYERS OF AN INSECURE NETWORK

Michael Gregg
Stephen Watkins, Technical Editor
George Mays, Chris Ries, Ron Bandes, Brandon Franklin


Contents

Foreword
Chapter 1 Extending OSI to Network Security
Introduction
Our Approach to This Book
Tools of the Trade
Protocol Analyzers
Intrusion Detection Systems
Organization of This Book
The People Layer
The Application Layer
The Presentation Layer
The Session Layer
The Transport Layer
The Network Layer
The Data Link Layer
The Physical Layer
Common Stack Attacks
The People Layer
The Application Layer
The Session Layer
The Transport Layer
The Data Link Layer
The Physical Layer
Mapping OSI to TCP/IP
Countermeasures Found in Each Layer
The Current State of IT Security
Physical Security
Communications Security
Signal Security
Computer Security
Network Security
Information Security
Using the Information in This Book
Vulnerability Te
Security Testing
Finding and Reporting Vulnerabilities
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 2 The Physical Layer
Introduction
Defending the Physical Layer
Design Security
Perimeter Security
Fencing
Gates, Guards, and Grounds Design
Facility Security
Entry Points
Access Control
Device Security
Identification and Authentication
Computer Controls
Mobile Devices and Media
Communications Security
Bluetooth
802.11 Wireless Protocols
Attacking the Physical Layer
Stealing Data
Data Slurping
Lock Picks
Wiretapping
Scanning and Sniffing
The Early History of Scanning and Sniffing
Modern Wireless Vulnerabilities
Hardware Hacking
Bypassing Physical Controls
Modifying Hardware
Layer 1 Security Project
One-Way Data Cable
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 3 Layer 2: The Data Link Layer
Introduction
Ethernet and the Data Link Layer
The Ethernet Frame Structure
Understanding MAC Addressing
Identifying Vendor Information
Performing Broadcast and Multicast
Examining the EtherType
Understanding PPP and SLIP
Examining SLIP
Examining PPP
Working with a Protocol Analyzer
Writing BPFs
Examining Live Traffic
Filtering Traffic, Part Two
Understanding How ARP Works
Examining ARP Packet Structure
Attacking the Data Link Layer
Passive versus Active Sniffing
ARP Poisoning
ARP Flooding
Routing Games
Sniffing Wireless
Netstumbler
Kismet
Cracking WEP
Wireless Vulnerabilities
Conducting Active Wireless Attacks
Jamming Attacks
MITM Attacks
Defending the Data Link Layer
Securing Your Network from Sniffers
Using Encryption
Secure Shell (SSH)
Secure Sockets Layers (SSL)
PGP and S/MIME
Switching
Employing Detection Techniques
Local Detection
Network Detection
DNS Lookups
Latency
Driver Bugs
Network Monitor
Using Honeytokens
Data Link Layer Security Project
Using the Auditor Security Collection to Crack WEP
Cracking WEP with the Aircrack Suite
Cracking WPA with CoWPAtty
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 4 Layer 3: The Network Layer
Introduction
The IP Packet Structure
Identifying IP’s Version
Type of Service
Total Length
Datagram ID Number
Fragmentation
Time to Live (TTL)
Protocol Field
Checksum
IP Address
IP Options
The ICMP Packet Structure
ICMP Basics
ICMP Message Types and Format
Common ICMP Messages
Destination Unreachable
Traceroute
Path MTU Discovery
Redirects
Attacking the Network Layer
IP Attacks
Spoofing
Fragmentation
Passive Fingerprinting
p0f—a Passive Fingerprinting Tool
IP’s Role in Port Scanning
ICMP Attacks
Covert Channels
ICMP Echo Attacks
Port Scanning
OS Fingerprinting
DoS Attacks and Redirects
Router and Routing Attacks
Network Spoofing
Defending the Network Layer
Securing IP
Securing ICMP
Securing Routers and Routing Protocols
Address Spoofing
Network Layer Security Project
Ptunnel
ACKCMD
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 5 Layer 4: The Transport Layer
Introduction
Connection-Oriented versus Connectionless Protocols
Connection-Oriented Protocols
Connectionless Protocols
Why Have Both Kinds of Protocols?
Protocols at the Transport Layer
UDP
TCP
Source and Destination Ports
Source Sequence Number and Acknowledgment Sequence Number
Data Offset
Control Bits
Window Size
Checksum
Urgent Pointer
How TCP Sessions Begin and End
TCP Session Startup
TCP Session Teardown
The Hacker’s Perspective
Some Common Attacks
Scanning the Network
Port Scanning Overview
TCP Scan Variations
Nmap Basics
Nmap: The Most Well Known Scanning Tool
Amap
Scanrand
Operating System Fingerprinting
How OS Discovery Works
Xprobe2
OS Fingerprinting with Nmap
Detecting Scans on Your Network
Snort Rules
The Snort User Interface—Basic Analysis and Security Engine
Defending the Transport Layer
How the SSL Protocol Operates
Phase 1
Phase 2
Phase 3
How SSL Appears on the Network
SSL/TLS Summary
Transport Layer Project—Setting Up Snort
Getting Started
Install Fedora Core 4
Install Supporting Software
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 6 Layer 5: The Session Layer
Introduction
Attacking the Session Layer
Observing a SYN Attack
Session Hijacking
Session Hijacking Tools
Domain Name System (DNS) Poisoning
Sniffing the Session Startup
Authentication
Authenticating with Password Authentication Protocol
Authenticating with the Challenge Handshake Authentication Protocol
Authenticating with Local Area Network Manager and NT LAN Manager
Authenticating with NTLMv2
Authenticating with Kerberos
Tools Used for Sniffing the Session Startup
Observing a RST Attack
Defeating Snort at the Session Layer
Defending the Session Layer
Mitigating DoS Attacks
Preventing Session Hijacking
Selecting Authentication Protocols
Defending Against RST Attacks
Detecting Session Layer Attacks
Port Knocking
Session Layer Security Project
Using Snort to Detect Malicious Traffic
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 7 Layer 6: The Presentation Layer
Introduction
The Structure of NetBIOS and SMB
Attacking the Presentation Layer
NetBIOS and Enumeration
Exploiting the IPC$ Share
Sniffing Encrypted Traffic
Attacking Kerberos
Tools to Intercept Traffic
Defending the Presentation Layer
Encryption
The Role of IPSec
Protecting E-mail
Secure/Multipurpose Internet Mail Extensions
Tightening NetBIOS Protections
Presentation Layer Security Project
Subverting Encryption and Authentication
Summary
Solutions Fast Track
Frequently Asked Questions
Notes
Chapter 8 Layer 7: The Application Layer
Introduction
The Structure of FTP
FTP Protocol Overview
FTP Example
FTP Security Issues
Analyzing Domain Name System and Its Weaknesses
DNS Message Format
The DNS Lookup Process
The DNS Hierarchy
Caching
Zones and Zone Transfers
DNS Utilities
DNS Security Issues
Other Insecure Application Layer Protocols
Simple Mail Transfer Protocol
SMTP Protocol Overview
SMTP Security Issues
Telnet
Protocol Overview
Security Issues
Other Protocols
Attacking the Application Layer
Attacking Web Applications
SQL Injection
Code Injection
Cross-Site Scripting
Directory Traversal Attacks
Information Disclosure
Authentication and Access Control Vulnerabilities
CGI Vulnerabilities
Attacking DNS
Information Gathering
DNS Cache Poisoning
DNS Cache Snooping
MITM Attacks
Buffer Overflows
Stack Overflows
Heap Overflows
Integer Overflows
Exploiting Buffer Overflows
Reverse Engineering Code
Executable File Formats
Black-Box Analysis
White-Box Analysis
Application Attack Platforms
Metasploit Exploitation Framework
Other Application Attack Tools
Defending the Application Layer
SSH
SSH Protocol Architecture
Common Applications of SSH
Pretty Good Privacy
How PGP Works
Key Distribution
Securing Software
Building Secure Software
Security Testing Software
Hardening Systems
Vulnerability Scanners
Nessus
Application-Layer Security Project: Using Nessus to Secure the Stack
Analyzing the Results
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 9 Layer 8: The People Layer
Introduction
Attacking the People Layer
Social Engineering
In Person
Phone
Fax
Internet
Phreaking
Phreak Boxes
Wiretapping
Stealing
Cell Phones
World Wide Web, E-mail, and Instant Messaging
Trojan Horses and Backdoors
Disguising Programs
Phishing
Domain Name Spoofing
Secure Web Sites
Defending the People Layer
Policies, Procedures, and Guidelines
Person-to-Person Authentication
Data Classification and Handling
Education, Training, and Awareness Programs
Education
Training
Security Awareness Programs
Evaluating
Testing
Monitoring and Enforcement
Periodic Update of Assessment and Controls
Regulatory Requirements
Privacy Laws
Corporate Governance Laws
Making the Case for Stronger Security
Risk Management
Asset Identification and Valuation
Threat Assessment
Impact Definition and Quantification
Control Design and Evaluation
Residual Risk Management
People Layer Security Project
Orangebox Phreaking
Summary
Solutions Fast Track
Frequently Asked Questions
Appendix A Risk Mitigation: Securing the Stack
Introduction
Physical
Data Link
Network
Transport
Session
Presentation
Application
People
Summary
Index
--------------------------------------------------
The first thing many people think of when they hear the word hack is some
type of malicious activity. I have always thought of the term in a somewhat
broader sense. Although some hacks are malicious, many others are not.
Nonmalicious hacks are about exploring the details of programmable systems
and learning how they really work. They are explored by those who want to
understand every minute detail of a system and how to stretch the capabilities
of these systems beyond what they were originally designed to do. The nonmalicious
hacker is different from the average user or even the script kiddie who
prefers to learn only the minimum necessary knowledge. Hack the Stack was
written for those who seek to better understand and to gain a deeper knowledge
of how TCP/IP systems really work. Such knowledge enables security
professionals to make systems and networks more secure and to meet the challenges
that they face each day.
------------------------------------------------------------
Product details
File Size: 7,363 KB
Pages: 468 p
File Type: PDF format
ISBN: 1-59749-109-8
Copyright: 2006 by Syngress Publishing, Inc