Ethical Hacking, Student Guide, ISS


Throughout this course, we have given you an overview of the different phases of an ethical hacking exercise and background information on good security design. In addition, you should have gained an understanding of some of the current security vulnerabilities, exploits and attacks.

Ethical Hacking, Student Guide

Internet Security Systems, Inc.
6600 Peachtree-Dunwoody Road
Building 300
Atlanta, GA 30328
888-263-8739
======


Contents

Module 1: Welcome to the Class!
Getting Acquainted ..... 1
...With the Instructor ..... 1
...With Others in the Class ..... 1
Getting the Most Out of this Course ..... 2
The Instructor's Role ..... 2
Your Role ..... 2
About this Course ..... 3
Course Objectives ..... 3
Using this Training Guide ..... 4
Course Outline ..... 4
How ISS Started ..... 6
Company Growth ..... 6
ISS Products ..... 7
Security Management Solutions ..... 8
The ISS X-Force ..... 9
Consulting and Educational Services ..... 9
Security Assessment Services (SAS) ..... 10
ANSA - The Adaptive Network Security Alliance ..... 10
Contact Information ..... 12

Module 2: Legal And HR Issues
About This Module ..... 15
Purpose of this Module ..... 15
Module Objectives ..... 15
Legal and HR Issues ..... 16
Introduction ..... 16
Legal Issues ..... 16
International Cyber Crime ..... 16
Computer Fraud ..... 17
Computer Forgery ..... 17
Damage to Computer Data or Computer Programmes ..... 17
Computer Sabotage ..... 18
Unauthorized Access ..... 18
Unauthorized Interception ..... 18
Data Protection ..... 18
How much hacking is there? ..... 19
Why Should We Care? ..... 20
UK Computer Misuse Act, 1990 ..... 20
1990 Chapter 18 ..... 20
Objectives Review ..... 24

Module 3: Why Perform Ethical Hacking?
About This Module ..... 25
Purpose of this Module ..... 25
Module Objectives ..... 25
Ethics ..... 26
Introduction ..... 26
The Hacker Ethic ..... 26
The Security Arguments ..... 26
The Idle System Argument ..... 27
The Student Hacker Argument ..... 27
The Social Protector Argument ..... 28
Conclusion of Ethics ..... 28
Hacking ..... 29
Introduction ..... 29
Hacker's View of Security ..... 29
Enhancing IT Staff Security Awareness ..... 29
Better Response to Intrusions ..... 29
Conclusion of Hacking ..... 30
Typical scenario ..... 30
Typically Overlooked Issues ..... 31
Objectives Review ..... 32

Module 4: Attack Types and Vulnerabilities
About This Module ..... 33
Purpose of this Module ..... 33
Module Objectives ..... 33
Attack Types and Vulnerabilities ..... 34
Introduction ..... 34
Denial of Service (DoS) Attacks ..... 35
Distributed Denial of Service (DDoS) Attacks ..... 36
Misconfigurations ..... 37
Abuse of Trust ..... 38
Brute Force Attacks ..... 38
CGI and WWW Services ..... 39
Backdoors and Trojans ..... 41
Case Study: The Dangers of Mobile Code ..... 43
General ..... 43
Java ..... 43
Java Security ..... 44
ActiveX ..... 46
ActiveX Security ..... 47
Solutions ..... 48
Conclusion ..... 49
Objectives Review ..... 50

Module 5: Searching For Public Corporate Information
About This Module ..... 51
Purpose of this Module ..... 51
Module Objectives ..... 51
Passive Information Gathering ..... 52
What is Passive Information Gathering? ..... 52
ICANN ..... 53
Introduction ..... 53
Sources of Information ..... 54
Regional Internet Registries (RIRs) ..... 54
Whois Search ..... 54
EDGAR Database ..... 57
Stock Exchange Websites ..... 57
Company Homepage ..... 58
News Sites, Newsgroups and Search Engines ..... 60
Objectives Review ..... 61

Module 6: Searching For Technical Information
About This Module ..... 63
Purpose of this Module ..... 63
Module Objectives ..... 63
Gathering Technical Information ..... 64
Introduction ..... 64
Zone Transfer ..... 65
Introduction ..... 65
Difference between a Zone and a Domain ..... 66
Zone Allocation ..... 67
Allocation by Class ..... 67
Allocation by "Cuts" ..... 68
Zone Transfers ..... 70
Significant Resource Records (RRs) ..... 72
Start Of Authority Record (SOA) ..... 72
Name Server Record (NS) ..... 72
Address Record (A) ..... 73
Mail Exchange Record (MX) ..... 73
Further Information ..... 73
Tools Used to Query Name Servers ..... 74
Introduction ..... 74
NSLookup ..... 74
DIG ..... 78
Host ..... 82
Sam Spade ..... 82
Zone Transfer Query Refusal ..... 82
Objectives Review ..... 83

Module 7: Network Scanning
About This Module ..... 85
Purpose of this Module ..... 85
Module Objectives ..... 85
Network Scanning ..... 86
Introduction ..... 86
Stealth ..... 86
Unobtrusive Network Mapping ..... 87
Firewall and Gateway Design Traits ..... 89
Network Address Translation (NAT) ..... 89
IP Visibility ..... 89
Risk Level ..... 90
Ping Sweeps ..... 91
ping, gping and fping ..... 91
fping ..... 91
Risk Level ..... 91
Traceroute ..... 92
Traceroute Variations ..... 92
Routers ..... 92
Risk Level ..... 93
Network Mapping ..... 94
Risk Level ..... 94
SMTP Headers ..... 95
Risk Level ..... 98
Advanced Techniques ..... 99
Pinging Firewalled Hosts ..... 99
Advanced Traceroute ..... 99
Traceroute through DNS ..... 99
Risk Level ..... 100
Local Scanning and Sniffing ..... 101
Network Sniffers ..... 101
Communication Encryption ..... 102
L0pht Crack ..... 102
Sniffing on a Switched Network ..... 102
Address Learning ..... 103
Redirecting Traffic ..... 103
UNC Share Risk ..... 104
Masterclass: Network Design Issues ..... 105
Introduction ..... 105
Network Design ..... 105
Current Security Awareness ..... 106
Bastion Hosts ..... 107
Multi-Homing ..... 108
The Application Proxy Firewall ..... 109
Layering Firewalls ..... 109
Multiple Firewall Interfaces ..... 111
Availability and Reliability ..... 112
Implementations of Availability and Reliability ..... 113
Eliminating Single Points of Failure (SPFs) ..... 114
Corporate Network Example ..... 115
Conclusions ..... 117
Objectives Review ..... 118

Module 8: Interpreting Network Results
About This Module ..... 119
Purpose of this Module ..... 119
Module Objectives ..... 119
Interpreting Network Results ..... 120
Introduction ..... 120
Live Hosts ..... 120
Traceroute ..... 120
SMTP Headers ..... 122
Objectives Review ..... 126

Module 9: Host Scanning
About This Module ..... 127
Purpose of this Module ..... 127
Module Objectives ..... 127
Host Scanning ..... 128
Introduction ..... 128
Social engineering ..... 128
Enumeration ..... 128
Host and OS Identification ..... 128
Port Scanning ..... 128
hping ..... 129
Firewall Responses ..... 130
Vulnerability Scanning ..... 132
ISS Internet Scanner ..... 132
Retina ..... 132
Nessus Security Scanner ..... 132
Vetescan ..... 133
Cerberus (CIS) ..... 133
References ..... 133
Masterclass: Port Scanning and OS Identification ..... 134
Introduction ..... 134
Port Scanning ..... 134
Port Scanning Protocols ..... 135
Transmission Control Protocol (TCP) ..... 135
3-Way Handshake ..... 136
TCP Scanning ..... 137
User Datagram Protocol ..... 138
UDP Scanning ..... 138
Operating System Idiosyncrasies ..... 140
Stealthy Services ..... 140
Remote OS Identification ..... 140
Active Operating System Identification ..... 141
IP Stack Behavior ..... 143
Non-standard TCP/IP 3-way Handshakes ..... 144
Packets with Non-standard IP or TCP Flags ..... 144
Various ICMP packets ..... 145
Passive Operating System Identification ..... 145
References ..... 146
Objectives Review ..... 147

Module 10: Interpreting Host Results
About This Module ..... 149
Purpose of this Module ..... 149
Module Objectives ..... 149
Interpreting Host Results ..... 150
Windows NT ..... 152
Solaris ..... 152
TCP SYN scans ..... 152
Other TCP scans ..... 153
UDP scan ..... 154
Vulnerability Scans ..... 154
Vetescan ..... 155
Nessus ..... 169
ISS Internet Scanner ..... 175
hping ..... 175
Firewalk ..... 176
Masterclass: Good Firewall Design ..... 177
Introduction ..... 177
Packet Filtering ..... 177
Filtering of TCP ..... 179
Filtering of UDP ..... 179
Filtering of ICMP ..... 180
Packet Filtering Limitations ..... 180
Proxy Servers ..... 181
Trade-off: Packet Filters vs. Proxy Servers ..... 181
Network Level Firewalls and Application Level Firewalls ..... 183
Firewall Combinations ..... 185
Objectives Review ..... 187

Module 11: Vulnerability and Exploit Research
About This Module ..... 189
Purpose of this Module ..... 189
Module Objectives ..... 189
Vulnerability Research ..... 190
Introduction ..... 190
Vulnerability Research ..... 190
Fix Advisories ..... 190
Full Disclosure Advisories ..... 191
Application Errors ..... 191
Automated Tools ..... 192
Manual Checking ..... 192
Buffer Overflows ..... 192
Detecting Buffer Overflows ..... 193
Exploit Chains ..... 193
Exploit Research ..... 195
Web servers and FTP sites ..... 195
IRC ..... 195
News Groups ..... 196
Research Resources ..... 196
Useful References ..... 197
Objectives Review ..... 200

Module 12: Theoretical Exploitation
About This Module ..... 201
Purpose of this Module ..... 201
Case Study: Web Spoofing ..... 202
Web Spoofing Methodology ..... 202
Result ..... 203
Perfecting the False Web ..... 203
Conclusion ..... 204
Case Study - Distributed Denial-of-Service Attacks ..... 205
Attacks ..... 205
Tribal Flood Network (TFN) ..... 205
Trin00 ..... 205
TFN2k ..... 206
Stacheldraht ..... 206
TFN2k in more detail ..... 206
Defence ..... 207
Attack Survival ..... 208
Moving Target ..... 208
Filtering ..... 208
High Bandwidth ..... 209
Rate Filtering ..... 209
Attack Prevention ..... 210
Ingress Filtering ..... 210
Sending Spoofed Packets ..... 210
Integrate with Existing Program ..... 210
Comparing Usual Addresses ..... 211
Control Channel Filtering ..... 211
Active Response ..... 211
Network Security Assessment ..... 211
Attack Forensics ..... 212
DNS logs ..... 212
Control Channel Detection ..... 212
Correlation and Integration ..... 212

Module 13: Exploitation In Action
About This Module ..... 213
Purpose of this Module ..... 213
Module Objectives ..... 213
Vulnerability Exploitation in Action ..... 214
Introduction ..... 214
Example 1: RDS Exploit ..... 215
History ..... 215
Overview ..... 215
Use of the Exploit ..... 216
Example 2: eEye ..... 218
History ..... 218
Overview ..... 218
Use of the Exploit ..... 218
Example 3: Firewall-1 DoS / jolt2.c and cpd.c ..... 220
History ..... 220
Overview ..... 220
Use of the Exploit ..... 220
Example 4: Back Orifice ..... 222
History ..... 222
Overview ..... 222
Use of the Exploit ..... 222
Case Study: Buffer Overflows ..... 224
Introduction ..... 224
Buffers ..... 224
The Stack ..... 224
Stack Operation ..... 224
Case Study - TCP Session Hijacking ..... 228
History ..... 228
Passive and Active Sniffing Attacks ..... 228
Session Hijacking ..... 228
Initiating a Telnet Session ..... 229
Telnet Session Established ..... 229
Acceptable Packets ..... 230
Hijacking a Session ..... 230
Objectives Review ..... 233

Module 14: Summary
Introduction ..... 235
Passive Information Gathering ..... 236
Active Information Gathering ..... 238
Firewall and Router Assessment ..... 240
Vulnerability Exploitation ..... 241
Mitnick Versus Shimomura ..... 242
Introduction ..... 242
Conclusion ..... 247
Course Review ..... 248
Course Objectives ..... 248

Print Date: September 21, 2000

Product details
Price:
File Size: 7,624 KB
Pages: 258 p
File Type: PDF format
ISBN: 1-5465462-67-8
Copyright: 2000 Internet Security Systems, Inc

