SUSAN YOUNG AND DAVE AITEL
The Strategy behind Breaking into and Defending Networks
AUERBACH PUBLICATIONS
A CRC Press Company
Boca Raton London New York Washington, D.C.
Every book, as they say, has a story. This book’s history has been a long
and varied one. Along the way, numerous individuals have contributed
their time, focus, energy, technical acumen, or moral support to seeing
The Hacker’s Handbook through to its conclusion.
The authors would like to thank the following individuals for their contributions
and support:
• Rich O’Hanley and the production staff at Auerbach Press for their
tireless support of this book, in spite of its long (and somewhat
nefarious) history.
• Our contributing authors — Felix Lindner, Jim Barrett, Scott Brown,
and John Zuena — for taking the time and care to write several
excellent chapters on the hacking community, malware, directory
services, and network hardware that contain some truly unique and
interesting material.
• Our technical reviewers, including Jim Tiller, Anton Chuvakin, Sean
Cemm, Ben Rothke, and Ted Shagory, for their insights and for
dedicating their time and energy to helping to shape a better book.
We are confident that this review process will continue as this text
goes to publication, and want — in advance — to thank our readers
and reviewers for their attention to the ongoing quality of this book.
In addition, Dave Aitel would like to thank Justine Bone for her support
and encouragement and Susan Young would like to thank the following individuals:
the Darklord (Thomas McGinn) for keeping his personal commitment
to support the effort that went into this book in spite of many months
of spent deadlines, missed weekends, and fatigue (thanks, T2B); Trevor
Young, for lending his genuine talent, enthusiasm, time, and care to crafting
the illustrations throughout this book; Gemma Young, and her parents,
Sylvia and Neil, for their interest, support, and advice through two years of
long distance phone calls; and International Network Services (and particularly
Steven Marandola, Bob Breingan, and Shaun Meaney) for making
available time and support for the completion of this book.
Authors
Dave Aitel is the founder of Immunity, Inc. (www.immunitysec.com), with
prior experience at both private industry security consulting companies and
the National Security Agency. His tools, SPIKE and SPIKE Proxy, are widely
regarded as the best black box application assessment tools available.
Susan Young has worked in the security field for the past seven years, four
of which have been spent in the security consulting arena, helping clients
design and implement secure networks, training on security technologies,
and conducting security assessments and penetration tests of client system
or network defenses (so-called ethical hacking). Her experience has
included consulting work in the defense sector and the financial industry, as
well as time spent evaluating and deconstructing various security products.
She currently works as a senior security consultant in the Boston area security
practice of International Network Services (INS).
Illustrator
Trevor Young has been drawing, painting, creating, and generally exercising
his artistic imagination for a very long time.
Young attended Camberwell College of Art in London, studying graphic
design and illustration, and has gone on to a successful career in the film
special effects industry in London, first working for the Film Factory and
currently as a digital compositor for Hypnosis VFX Ltd. You will find him in
the IMDb at http://us.imdb.com/Name?Young,+Trevor. He has continued to
work in illustration from time to time and generously contributed his time
to create a set of illustrations for this book that have become truly integral
to the book and the subject matter.
Introduction: The Chess Game
When you see a good move, look for a better one.
— Emanuel Lasker
Chess, like any creative activity, can exist only through the combined
efforts of those who have creative talent and those who have the ability
to organize their creative work.
— Mikhail Botvinnik
Good offense and good defense both begin with good development.
— Bruce A. Moon
Botvinnik tried to take the mystery out of chess, always relating it to situations
in ordinary life. He used to call chess a typical inexact problem
similar to those which people are always having to solve in everyday life.
— Garry Kasparov
A chess game is a dialogue, a conversation between a player and his
opponent. Each move by the opponent may contain threats or be a
blunder, but a player cannot defend against threats or take advantage
of blunders if he does not first ask himself: What is my opponent planning after each move?
— Bruce A. Moon
In many ways, this is almost the hardest chapter to pen in this book; in writing
this, I am forced to relive the many occasions on which I have stood in
a bookstore leafing through a technical book, trying to determine its value
to the technical “excursion” I am currently embarked on. I generally start
with the preface … (sigh). For this particular book, putting together an
accurate, representative preface is a daunting task; the book
was deliberately constructed as a multifaceted text.
Let me try — this book is about hacking, yes, but it is also weighted
towards the security community. At the time when the authors started
framing the book (May 2001), a significant number of books on the subject
of digital hacking and security had already been published. In an effort to
make some “space” for this book, we reviewed many of them and came to
the conclusion that there was room for a book that adopted an analytical
perspective on hacking and security and attempted to inform readers
about the technical aspects of hacking that are, perhaps, least understood
by system, network, and security administrators.
To this end, we compiled a list of objectives that truly informed the way
in which this book was constructed:
• Chapters should maintain a dichotomy between hacking and security,
intended to inform the reader’s understanding of both. Most
chapters are deliberately broken into (1) technical (background), (2) hacking,
and (3) security sections; the intent of this approach is to inform the way
in which administrators defend systems and networks by exploring hacking
exploits and defenses in the same technical context.
• Chapters should be organized around specific technical and administrative components
(e.g., specific services such as SMTP, HTTP, DNS,
directory services and specific administrative tasks, system hardening,
forensics investigation, etc.), to facilitate using the book as a
technical security reference. If you are a DNS administrator, for
example, you should be able to quickly locate material relevant to
DNS hacking and DNS security.
• There should be an emphasis on providing a sound technical and
conceptual framework that readers can apply throughout the book.
Key foundation chapters address the following:
– Attack anatomy (Chapter 4)
– Security technologies (Chapter 5)
– Programming (Chapter 6)
– Transmission Control Protocol/Internet Protocol (TCP/IP) attacks (Chapters 7 and 8)
– Postattack consolidation (Chapters 17 and 18)
• The book should maintain a dual perspective on theory and tools,
intended to provide a rounded approach to the subject matter. Each
chapter is organized to provide an appropriate theoretical foundation
for the chapter material as a frame of reference for the reader.
Tools, exploit code, and hacking “techniques” are analyzed in this
context but with sufficient latitude to reinforce the fact that hacking is still a “creative” activity.
• Chapters should provide detailed reference material to provide a
“path” for readers to continue to augment their knowledge of the
field and act as a guide to consolidating the sheer volume of hacking
and security information available through the Internet and other
resources. Providing this information is also intended to ensure that
the technical material presented in this book is enduring.
As indicated, the book is oriented toward systems, network, and security
administrators with some degree of security experience who are looking to
expand their knowledge of hacking techniques and exploits as a means of
informing their approach to systems and network security. This orientation
makes for a fairly broad audience and is reflected in the breadth of the
material presented. To ensure that the book delivers on this objective,
each chapter contains a table and a chapter section that deliberately
“map” hacking exploits to prospective defenses, and each chapter
ends with a treatment of prospective security defenses.
The only practical limitation to the book material is that the authors
chose to focus on the Microsoft Windows NT/2000 and UNIX platforms;
the volume and depth of technical material presented in the book necessitated
setting some scope constraints. The authors felt that there might be
value in limiting the range of platforms represented in the text to add more
technical depth to the application hacking material. Rather than underrepresenting
platforms such as Novell or Mainframe/Midrange, the decision
was made to exclude them altogether.
To reinforce the positioning of hacking and security material in the book,
a “chess game” analogy has been played throughout the material (none of
the authors, by the way, are particularly good chess players). The dynamics
and strategy of chess were thought by the authors to have several parallels
with the subject matter presented in this book:
• As with many other strategic games, the success of either party in
the chess game depends upon that party’s ability to enhance his or
her skills relative to his or her opponent’s.
• Chess players engage, to varying extents, in an attempt to predict
the moves of their opponents so that they can prevail and checkmate
their opponents.
• Chess is essentially a game of move and countermove; hacking and
security tactics can be conceived of in the same manner.
• Defensive strategies exist in hacking and security, but an aggressive
and creative attacker can overcome them.
• Offensive strategies also exist, but intelligent and vigilant defenders
can counter them.
• Poorly executed plans or rigid adherence to a plan is less effective
than learning and adjusting as the chess game progresses.
• The whole hacking vs. security “chess match” can turn upon a single move.
Use of this analogy is also intended to credit the general hacking community
for its resourcefulness in pursuing new types of vulnerabilities
and exploit code. It is not a perfect analogy (defenders generally do not
attack their attackers, for example), but it is pretty close. The chess game
theme has been reinforced in this book through the incorporation of a
series of illustrations (by Trevor Young) that lend some art (and humor)
to the subject matter.
Susan Young
March 2003
Book Structure
The Hacker’s Handbook has been organized into several sections to aid the
reader’s understanding of the material being presented (see Exhibit 1).
The first part of the book (Part I, Foundation Material) introduces programming,
protocol, and attack concepts that are applied throughout the
book. The second part of the book (Part II, System and Network Penetration)
addresses specific subject areas (protocols, services, technologies, hacking
facilities, hostile code) that relate to system and network penetration.
The final part of the book (Part III, Consolidation) details the types of consolidation
activities conducted by hackers once a system or network has
been successfully penetrated to establish and expand a “presence.”
The following information provides a detailed breakdown on the content
of each chapter.
Chapter 2. Case Study in Subversion
The concept behind this chapter is to present a case study that demonstrates
what a complex network attack looks like from an administrator’s
perspective. The conclusion (Chapter 18) to the book revisits the initial
case study material from an attacker’s perspective, leveraging the technical
material presented throughout the book.
The case study adopts a couple of fictional characters (a hacker and network
administrator) and charts their moves as the attack unwinds using
system and device log files, screens, etc., and a fairly complex network
based around a reasonable security architecture.
Exhibit 1. Layout of The Hacker’s Handbook

| Chapter | Title |
|---|---|
| Ch. 1 | Introduction: The Chess Game |
| Part I | Foundation Material |
| Ch. 2 | Case Study in Subversion |
| Ch. 3 | Know Your Opponent |
| Ch. 4 | Anatomy of an Attack |
| Ch. 5 | Your Defensive Arsenal |
| Ch. 6 | Programming |
| Ch. 7 | IP and Layer 2 Protocols |
| Ch. 8 | The Protocols |
| Part II | System and Network Penetration |
| Ch. 9 | Domain Name System (DNS) |
| Ch. 10 | Directory Services |
| Ch. 11 | Simple Mail Transfer Protocol (SMTP) |
| Ch. 12 | Hypertext Transfer Protocol (HTTP) |
| Ch. 13 | Database Hacking |
| Ch. 14 | Malware and Viruses |
| Ch. 15 | Network Hardware |
| Part III | Consolidation |
| Ch. 16 | Consolidating Gains |
| Ch. 17 | After the Fall |
| Ch. 18 | Conclusion |
Chapter 3. Know Your Opponent
Chapter 3 presents a history of hacking and the different elements that
constitute the hacking community, providing a potential “profile” of a
hacker — script kiddie, hacker, cracker, competitor, political activist, cyber terrorist,
Gray Hat, Black Hat, etc. This chapter is intended to provide some insight
into hacking psychology and hacking motivation.
Chapter 4. Anatomy of an Attack
Chapter 4 presents an “anatomy” of various types of attacks and a taxonomy
of the tools appropriated in the process. Five elements of attack strategy
are presented in a model that opens the chapter:
• Reconnaissance
• Mapping targets
• System or network penetration
• Denial-of-service
• Consolidation (consolidation tactics are discussed in detail in Chapter 16)
“Generic” types of attack are briefly overviewed in this chapter as context
for the technical chapters that follow, including account attacks,
buffer overflows, denial-of-service, session hijacking, spoofing, etc.
Each chapter segment concludes with a “Tools” section that provides a
table of references to applicable tools and pointers to source code and Web references.
Chapter 5. Your Defensive Arsenal
This chapter dissects the tools employed by administrators to defend a
networked environment and examines the vulnerabilities and types of exploits each is prone to.
The following framework is used to organize the security technologies
presented in the chapter:
• Access control
• Authentication
• Auditing and logging
• Resource controls
• Nonrepudiation
• Privacy
• Intrusion detection
• Data integrity
• Platform integrity
Chapter 6. Programming
Chapter 6 is a technical “foundation” chapter and could be considered the
technical complement of the “Protocols” chapters that follow. The chapter
addresses the programming flaws exploited by attackers in constructing
exploit code and the methodology and programming facilities they draw
upon in building a hacking exploit.
Written for the nonprogrammer, the chapter details various types of
compiled and interpreted languages and investigates the following types of
programming deficiencies and hacking facilities:
• Language-specific flaws
• Buffer overflows and memory allocation errors
• Format string bugs
• Interpreter bugs
• Canonicalization attacks
• Logic errors
• Platform-specific security issues
• Web application issues
• Remote procedure call (RPC) vulnerabilities
The chapter ends by examining different programming mindsets, what
“pits” programmer against programmer, and tools available to software
programmers for validating the security of the software they develop.
Chapter 7. IP and Layer 2 Protocols
Chapter 8. The Protocols
The Protocols chapters focus on the TCP/IP protocols and examine some
of the “generic” TCP/IP exploits and denial-of-service attacks and defenses
against them. Specific protocol material, in some instances, is deferred to
later chapters. The chapters focus on the fundamental vulnerabilities in
TCP/IP that are exploited by hackers and some of the ongoing IP security
initiatives intended to address these.
Each protocol is examined using the OSI reference model as context:
• Layer 2 protocols: Address Resolution Protocol (ARP), Reverse
Address Resolution Protocol (RARP)
• Layer 3 protocols: Internet Protocol (IP), Internet Control Messaging
Protocol (ICMP); routing protocols such as Routing Information
Protocol (RIP), Open Shortest Path First (OSPF), Enhanced Interior
Gateway Routing Protocol (EIGRP), and Border Gateway Protocol
(BGP) are overviewed in the chapter “Network Hardware” (Ch. 15); IP
Security Protocol (IPSec) is detailed in “Your Defensive Arsenal” (Ch. 5)
• Layer 4 protocols: Transmission Control Protocol (TCP), User Datagram Protocol (UDP)
• Layer 5 protocols: Secure Sockets Layer (SSL) addressed in “Your Defensive Arsenal” (Ch. 5)
• Layer 7 protocols: Each addressed in its respective chapter (DNS,
HTTP, Lightweight Directory Access Protocol [LDAP], Open Database
Connectivity [ODBC], Remote Procedure Call [RPC], SMTP, Simple
Network Management Protocol [SNMP], Structured Query Language [SQL], etc.)
A great deal of material is dedicated to the IP protocol, which has some
fundamental security flaws that allow it to be used as a transport for network attacks.
Chapter 9. Domain Name System (DNS)
The focus of this chapter is the Domain Name System, which is treated as
a critical Internet “directory” service and a fragile link in Internet security.
This chapter explores the significance of DNS as a target for hacking
activity and denial-of-service and its appropriation in the construction of
reconnaissance and application attacks. The following types of exploits
are examined in the chapter:
• Reconnaissance attacks
• Cache poisoning
• Application attacks
• Denial-of-service
• Dynamic name registration hacking
• Client/server spoofing
• Name server hijacking
The final section of this chapter provides a set of tools for securing, substantiating,
and monitoring a name service infrastructure and includes
information on split-level DNS implementations, name server redundancy,
dynamic client security, and the use of digital signatures to secure name
server content.
Chapter 10. Directory Services
This chapter provides information on the various types of directory services
in common use on networks and the types of hacking and reconnaissance
exploits to which each is prone. The following directory services and directory
service protocols are discussed in some detail:
• Microsoft Active Directory
• LDAP
• X.500 directory services
As with prior chapters, this chapter explores some of the generic
types of hacking exploits leveraged against directory services and the
specifics of vulnerabilities in particular implementations. The chapter
also overviews directory security and examines directory security in
the context of specific applications of directory services (such as public key infrastructure).
Chapter 11. Simple Mail Transfer Protocol (SMTP)
Chapter 11 analyzes the Simple Mail Transfer Protocol (SMTP) as a core
Internet and private network service and a significant “vector” for the propagation
of malicious code and the construction of denial-of-service attacks.
Key vulnerabilities in the SMTP protocol are detailed as context for the
hacking material, and mail hacking is explored through the dissection of a
variety of attacks, exploit code, and packet data, including:
• Mail eavesdropping and reconnaissance
• ESMTP hacking
• Denial-of-service
• Mail spamming and
The conclusion to the chapter addresses the facilities available to
administrators for hardening SMTP servers and some of the SMTP security
initiatives intended to address specific vulnerabilities in the protocol
(such as Secure/Multipurpose Internet Mail Extensions [S/MIME]).
Chapter 12. Hypertext Transfer Protocol (HTTP)
The HTTP chapter addresses the significance of HTTP as a hacking target
in light of the advent of Internet commerce and the transport of a variety
of sensitive personal and commercial data via HTTP. HTTP servers are frequently
used to provide an accessible Web front-end to complex, back-end
database and custom applications, affording hackers a “conduit” through
which to mount application and data reconnaissance attacks.
HTTP hacking is explored through dissection of the following types of attacks:
• Eavesdropping and reconnaissance
• Account cracking and authentication credential capture
• HTTP method exploits (POST, PUT, etc.)
• HTTP cache exploits
• Denial-of-service
• Directory traversal attacks
• Session ID hacking
• Man-in-the-middle attacks
The chapter concludes by examining HTTP security mechanisms such as
SSL, caching controls, digital certificate or signature security, and session ID security options.
Chapter 13. Database Hacking
Database hacking and database security represent an enormous body of
material. This chapter focuses on vulnerabilities in specific types of database
technologies (SQL Server, Oracle, MySQL) to illustrate some basic
points about database hacking and data security. General themes include:
• SQL injection
• Overflows
• Exploitation of default accounts
Representative database applications and examples are drawn upon to
add “depth” to the material and to document the process of identifying and
exploiting a vulnerable database application.
Chapter 14. Malware and Viruses
This chapter addresses various forms of hostile code that can be used to
achieve denial-of-service, data destruction, information capture, or intrusion.
Definitions are provided for each type of malware for context. These include:
• Viruses
• Worms
• Hoaxes
• Backdoors
• Logic bombs
• Spyware
• Adware
The chapter also details some of the programming and scripting languages
and application facilities that are used to produce hostile code.
Chapter 15. Network Hardware
Chapter 15 addresses vulnerabilities in network hardware and associated
firmware, operating systems, and software. The chapter opens with a
broad discussion of the growing significance of network hardware (routers,
switches, etc.) as a target for hacking activity and provides a broad
overview of the types of hacking exploits to which each hardware component
(hardware, firmware, software) is susceptible:
• Attacks against routing or switching infrastructures
• Routing protocol attacks (RIP, OSPF, etc.)
• Management attacks (SNMP, HTTP, etc.)
• Operating system/Internet operating system (OS/IOS) attacks
• Denial-of-service
• Wireless hacking
• Packet switching attacks
• Remote access attacks
• Attacks against redundant network components
The final chapter section addresses the security options in network
hardware, protocol, management, and operating system (OS) facilities that
can be leveraged to harden a network device or network, including packet
flooding controls, wireless network security, OS/IOS hardening, routing
protocol access control lists, and authentication controls.
Chapter 16. Consolidating Gains
Chapter 16 is the first of two chapters to address the tactics and tools
employed by attackers to consolidate their position on a system or network
— essentially, the tasks that are undertaken by attackers to ensure
consistent, covert access to a system or network resource or to extend
their privileges as they relate to that resource. It demonstrates the effectiveness
of the hacking community’s knowledge of common system
administration practices, standard system builds, and default application
configurations; the intent of this chapter is to attempt to inform the way
in which system and network administrators approach the management
of these facilities from a “counter-tactics” perspective.
Consolidating Gains explores the use of standard operating systems and
network facilities for consolidation activities, in addition to the application
of “foreign” exploit code:
• Standard OS and network facilities
– Account and privilege management facilities
– File system and input/output (I/O) resources
– Service management facilities
– Process management facilities
– Devices and device management facilities
– Libraries and shared libraries
– Shell access and command line interfaces
– Registry facilities (NT/2000)
– Client software
– Listeners and network services
– Network trust relationships
– Application environment
• Foreign code
– Trojan horses
– Backdoors (including Trojan backdoors)
– Rootkits
– Kernel-level rootkits
The closing section of the chapter presents a collection of procedures
and tools that can be used to stem consolidation activities; the focus of this
material is cross-platform system hardening strategy.
Chapter 17. After the Fall
After the Fall addresses forensics evasion and forensics investigation.
From a hacking perspective, this includes the techniques and tools hackers
employ to evade audit or logging controls and intrusion detection
mechanisms, as well as covert techniques used to frustrate investigative
actions and avoid detection. For the system or network administrator, a
considerable amount of material on the preparations that should occur
prior to a security incident is presented, along with measures for protecting
audit trails and evidence.
The following types of hacking exploits are addressed:
• Logging and auditing evasion (by platform): NT/2000; UNIX; router;
authentication, authorization, and accounting (AAA) protocols, etc.
• Intrusion detection system (IDS) evasion (linked to material in
Chapter 5, “Your Defensive Arsenal”)
• Forensics evasion
– Environment sanitization
– File hiding (including steganography, cryptography) and file system manipulation
– Covert network activities (including IP tunneling, traffic normalization)
The chapter closes with an examination of the types of tools and tactics
security administrators can leverage to improve capabilities to detect and
investigate security incidents, including protections for log files and audit
trails, IDS, data correlation solutions, forensics technologies, and incident handling capabilities.
Chapter 18. Conclusion
The final chapter of The Hacker’s Handbook reviews the case study material
presented in Chapter 2 in the context of the technical material presented
throughout the book. The case study is examined from the attacker’s perspective
and from the perspective of a network administrator investigating the incident.
The chapter concludes with a set of references that supplement the
references provided at the end of each chapter:
• Security sites
• “Underground” sites
• Technical standards
• Ongoing technical “themes” in hacking and security
Product details

| Item | Detail |
|---|---|
| Price | |
| File Size | 18,483 KB |
| Pages | 849 p |
| File Type | PDF format |
| ISBN | 0-8493-0888-7 |
| Copyright | 2004 by CRC Press LLC |
Contents
1 Introduction: The Chess Game
Book Structure
Chapter 2. Case Study in Subversion
Chapter 3. Know Your Opponent
Chapter 4. Anatomy of an Attack
Chapter 5. Your Defensive Arsenal
Chapter 6. Programming
Chapter 7. IP and Layer 2 Protocols
Chapter 8. The Protocols
Chapter 9. Domain Name System (DNS)
Chapter 10. Directory Services
Chapter 11. Simple Mail Transfer Protocol (SMTP)
Chapter 12. Hypertext Transfer Protocol (HTTP)
Chapter 13. Database Hacking
Chapter 14. Malware and Viruses
Chapter 15. Network Hardware
Chapter 16. Consolidating Gains
Chapter 17. After the Fall
Chapter 18. Conclusion
PART I FOUNDATION MATERIAL
2 Case Study in Subversion
Dalmedica
The Dilemma
The Investigation
Notes
3 Know Your Opponent
Terminology
Script Kiddy
Cracker
White Hat Hacker
Black Hat Hacker
Hacktivism
Professional Attackers
History
Computer Industry and Campus
System Administration
Home Computers
Home Computers: Commercial Software
Home Computers: The BBS
Phone Systems
Ethics and Full Disclosure
Opponents Inside
The Hostile Insider
Corporate Politics
Conclusion
Notes
4 Anatomy of an Attack
Overview
Reconnaissance
Social Engineering and Site Reconnaissance
Internet Reconnaissance
Internet Search Engines and Usenet Tools
Financial Search Tools, Directories, Yellow Pages, and Other Sources
IP and Network Reconnaissance
Registrar and whois Searches
Network Registrar Searches (ARIN)
DNS Reconnaissance
Mapping Targets
War Dialing
Network Mapping (ICMP)
ICMP Queries
TCP Pings: An Alternative to ICMP
Traceroute
Additional Network Mapping Tools
Port Scanning
TCP and UDP Scanning
Banner Grabbing
Packet Fragmentation Options
Decoy Scanning Capabilities
Ident Scanning
FTP Bounce Scanning
Source Port Scanning
Stack Fingerprinting Techniques
Vulnerability Scanning (Network-Based OS and Application Interrogation)
Researching and Probing Vulnerabilities
System/Network Penetration
Account (Password) Cracking
Application Attacks
Cache Exploits
File System Hacking
Hostile and Self-Replicating Code
Programming Tactics
Process Manipulation
Shell Hacking
Session Hijacking
Spoofing
State-Based Attacks
Traffic Capture (Sniffing)
Trust Relationship Exploitation
Denial-of-Service
Consolidation
Security
Notes
References
Texts
Web References
5 Your Defensive Arsenal
The Defensive Arsenal
Access Controls
Network Access Controls (Firewalls)
State Management Attacks on Firewalls
Firewall Ruleset and Packet Filter Reconnaissance
IP Spoofing to Circumvent Network Access Controls
Denial-of-Service
Packet Fragmentation Attacks
Application Level Attacks
System Access Controls
Host-Based Firewalls
Operating System Access Controls and Privilege Management
Authentication
IP Authentication
Password Authentication
Account/Password Cracking
Eavesdropping Attacks
Password Guessing Attacks
Token-Based Authentication
Session Authentication
Session Authentication Scheme Cracking
Generation of Counterfeit Session Auth Credentials
Session ID Brute-Forcing
Session Auth Eavesdropping
Session Auth/ID Stealing or “Hijacking”
Client Session/ID Theft
Cryptographic (Key-Based) Authentication
Key Transfer and Key Management Vulnerabilities
Key Transfer Vulnerabilities
Key Management Vulnerabilities (Public Key Infrastructure)
Key Binding and Impersonation Vulnerabilities
Dictionary and Brute-Force Attacks against Weak Secrets
Centralized Authentication Servers
RADIUS
TACACS
Kerberos
Human Authentication (Biometrics)
Resource Controls
Nonrepudiation
Digital Signatures (and Digital Certificates)
Privacy
Virtual Private Network (VPN)
Session and Protocol Encryption
Secure Sockets Layer (SSL)
Certificate and Impersonation Attacks (SSL)
Cryptographic Weaknesses (SSL)
Attacks against the Handshake Protocol (SSL)
SSL Man-in-the-Middle Attacks
Man-in-the-Middle Attack Version Rollback (SSL)
Viruses, Worms, and other Application Issues (SSL)
Secure Shell (SSH)
File System Encryption
Intrusion Detection
Network-Based and Host-Based IDS
Anomaly-Based (Behavior-Based) IDS
Signature-Based (Knowledge-Based) IDS
IDS Hacking Exploits
Address Spoofing or Proxying
Attacking the IDS
Denial-of-Service
Instigating Active Events
Nondefault Evasion and Pattern Change Evasion
Packet Fragmentation and “Session Splicing”
Port Scan Evasion
TCP Session Synchronization Attacks
URL Encoding (Unicode and Hex Attacks)
Web Evasion Techniques
File System Integrity Checkers
Security Information Management
Data Integrity
Application Proxies
Content Assurance (Antivirus, Content Scanning)
Notes
References
Texts
Web References
6 Programming
Languages
Speed and Security Trade-Offs
Native Compiled Code: C/C++/Assembly
Bytecode/Just in Time Compiled Code (“Managed” Code): C#/Java
Interpreted (Usually Compiled into Byte Codes at Runtime): Perl, Python (Scripting Languages), PHP, Visual Basic, .ASP, Lisp, JSP (Web Languages)
Language-Specific Flaws and Strategic Ways to Protect against Them
The Basics of Buffer Overflows and Other Memory Allocation Errors
History
Basic Stack Overflows
Options for the Hacker after a Stack Overflow
So What Is a Stack Canary?
Heap Overflows
Format String Bugs
Integer Overflows
Signal Races on UNIX
What Is Shellcode?
Interpreter Bugs
File Name Canonicalization
Logic Error War Stories
Platform-Specific Programming Security Issues
Windows NT Compared to UNIX
Types of Applications
Web Applications
Cross-Site Scripting Vulnerabilities
Java J2EE
Traditional ASP
.Net
LAMP
Remote Procedure Calling
Creating an RPC Program
Special Cases
Setuid Applications on UNIX
DCOM Services
Auditing Techniques
Tools That Aid Source Auditing
Tools That Aid Reverse Engineering
Fuzzing Audit Tools
Web Security Audit Tools
General Security Tools
Encryption and Authentication
Layered Defenses
Platform-Specific Defenses (Security through Security and Security through Obscurity)
Nonexecutable Stack
Using a Different Platform Than Expected
File System User Access Controls
Process Logging
The Insider Problem, Backdoors, and Logic Bombs
Buying an Application Assessment
Conclusion
References
7 IP and Layer 2 Protocols
Layer 2 Protocols
Address Resolution Protocol (ARP)
Protocol
Hacking Exploits
Security (Mapping ARP Exploits to ARP Defenses)
Static ARP Entries on Internet Gateways and Firewalls
Network Management
ARP Monitoring
Port-Level Security
Reverse Address Resolution Protocol (RARP)
Protocol
Hacking Exploits
Security (Defenses for RARP-Related Attacks: DHCP, BOOTP)
Assignment of Static IP Addresses to Clients
Use of DHCP/BOOTP MAC Controls
ARP Monitoring
Port-Level Security
Layer 3 Protocols
IP Protocol
Protocol
Hacking Exploits
IP Eavesdropping (Packet Sniffing)
IP Spoofing
IP Session Hijacking (Man-in-the-Middle Attacks)
IP Packet Fragmentation Attacks
ICMP-Based Fragmentation Attacks
Tiny Fragment Attacks
Overlapping Fragment Attacks
IP Covert Tunneling
Security (Mapping IP Exploits to IP Defenses)
Tools and Techniques to Detect Promiscuous Mode Packet Sniffers
System Audits to Identify NICs in Promiscuous Mode
System Hardening Procedures to Inhibit Sniffer Installation
Inspection of Systems for Signs of Rootkit Compromise
Institution of Switched Network
Institution of ARP Monitoring
Institution of Traffic Encryption
Implementation of Strong Authentication
Institution of Spoof Protection at Firewalls and Access Control Devices
Patch TCP/IP Implementations
Deny Source Routing at Gateways and Firewalls
Deny ICMP Redirects at Gateways and Firewalls
Deter the Use of IP Addresses for Authentication or Construction of Trust Relationships
Implement ARP Controls
Monitor Network Traffic Using Network and Host-Based IDS
Restrict ICMP Traffic into and out of a Protected Network
Patch Firewalls and Intrusion Detection Systems against Packet Fragmentation Attacks
Notes
References
Texts
Request for Comments (RFCs)
White Papers and Web References
8 The Protocols
Layer 3 Protocols
Internet Control Message Protocol (ICMP)
Protocol
Hacking Exploits
ICMP-Based Denial-of-Service
ICMP Network Reconnaissance
ICMP Time Exceeded
ICMP Access Control Enumeration
ICMP Stack Fingerprinting
ICMP Covert Tunneling
Security
Deny ICMP Broadcasts
Network Controls against ICMP Packet Flooding
IP Spoofing Defenses
Patch TCP/IP Implementations against ICMP Denial-of-Service and ICMP Typing
Monitor Network Traffic Using Network and Host-Based Intrusion Detection Systems (IDSs)
Restriction of Specific ICMP Message Types
Monitor ICMP Activity at Firewalls and Intrusion Detection Systems
Layer 4 Protocols
Transmission Control Protocol (TCP)
Protocol
Hacking Exploits
Covert TCP
TCP Denial-of-Service
TCP Sequence Number Prediction (TCP Spoofing and Session Hijacking)
TCP Stack Fingerprinting
TCP State-Based Attacks
Security
Network Controls against TCP Packet Flooding
IP Spoofing Defenses
Patch TCP/IP Implementations against TCP Denial-of-Service, TCP Stack Fingerprinting, and TCP Sequence Number Prediction
Monitor Network Traffic Using Network and Host-Based IDS Systems
Activation of SYN Flood Protection on Firewalls and Perimeter Gateways
Implement Stateful Firewalling
User Datagram Protocol (UDP)
Protocol
Hacking Exploits
Covert UDP
UDP Denial-of-Service
UDP Packet Inspection Vulnerabilities
Security
Disable Unnecessary UDP Services
Network Controls against UDP Packet Flooding
IP Spoofing Defenses
Patch TCP/IP Implementations against UDP Denial-of-Service
Monitor Network Traffic Using Network and Host-Based IDS Systems
Implement Stateful Firewalling
Notes
References
Texts
Request for Comments (RFCs)
White Papers and Web References
PART II SYSTEM AND NETWORK PENETRATION
9 Domain Name System (DNS)
The DNS Protocol
DNS Protocol and Packet Constructs
(Packet Data Hacking)
DNS Vulnerabilities
DNS Exploits and DNS Hacking
Protocol-Based Hacking
Reconnaissance
DNS Registration Information
Name Server Information
IP Address and Network Topology Data
Information on Key Application Servers
Protocol-Based Denial-of-Service
Dynamic DNS (DDNS) Hacking
Application-Based Attacks
Buffer Overflows (Privileged Server Access, Denial-of-Service)
Exploiting the DNS Trust Model
DNS Registration Attacks
DNS Spoofing
Cache Poisoning
DNS Hijacking
DNS Security and Controls
Mapping Exploits to Defenses
Defensive Strategy
Configuration Audit and Verification Tools
DDNS Security
Name Server Redundancy
DNSSEC: Authentication and Encryption of DNS Data
Name Server Software Upgrade(s)
Network and Name Server Monitoring and Intrusion Detection
Berkeley Internet Name Daemon (BIND) Logging Controls
Microsoft Windows 2000 DNS Logging Controls
Patches and Service Packs
Server-Side Access Controls
Split-Level DNS Topologies (and DNS Proxying)
Split-Level DNS Topology
System and Service Hardening
Notes
References
Texts
Request for Comments (RFCs)
Mailing Lists and Newsgroups
Web References
10 Directory Services
What Is a Directory Service?
Components of a Directory
Schema
Leaf Object
Container Object
Namespace
Directory Information Tree
Directory Information Base (DIB)
Directory Features
Directory Security
Single Sign On
Uses for Directory Systems
Directory-Enabled Networking
Linked Provisioning
Global Directory
Public Key Infrastructure
Directory Models
Physical vs. Logical
Flat vs. Hierarchical
X.500 Directory
X.500 Schema
X.500 Partitions
X.500 Objects and Naming
A Word about Aliases
X.500 Back-End Processes
Directory Information Tree
Directory Information Base
Replication
Agents and Protocols
X.500 Directory Access
X.500 Security
Authentication
Simple Authentication
Strong Authentication
Access Control
Rights
Summary
Lightweight Directory Access Protocol (LDAP)
LDAP Schema
LDAP Partitions
LDAP Objects and Naming
LDAP Queries
LDAP Data Interchange Format (LDIF)
LDAP Security
Authentication
Anonymous Access
Simple Authentication
Simple Authentication with Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
Simple Authentication and Security Layer (SASL)
Access Control
Summary
Active Directory
Windows NT
Windows 2000 Schema
Windows 2000 Partitions
Windows 2000 Objects and Naming
The Domain
The Tree
The Forest
The Forest Root Domain
Naming Standards and Resolution in Windows 2000
Active Directory Back-End Processes
The Directory Information Base (DIB)
Replication
The Global Catalog
Windows 2000 Security
Authentication
Kerberos
NTLM
Access Control
Exploiting LDAP
Sun ONE Directory Server 5.1
Microsoft Active Directory
Summary
Future Directions
Further Reading
11 Simple Mail Transfer Protocol (SMTP)
The SMTP Protocol
SMTP Protocol and Packet Constructs (Packet Data Hacking)
SMTP Vulnerabilities
SMTP Protocol Commands and Protocol Extensions
Protocol Commands
Protocol Extensions
SMTP Exploits and SMTP Hacking
SMTP Protocol Attacks
Account Cracking
Eavesdropping and Reconnaissance
ESMTP and Command Set Vulnerabilities
Protocol-Based Denial-of-Service
Mail Bombing
Mail Spamming
Man-in-the-Middle Attacks
Application-Based Attacks
Malicious Content (MIME Attacks)
Buffer Overflows (Privileged Server Access)
Worms and Automated Attack Tools
Application-Based Denial-of-Service
Attacks on the Mail Trust Model
Mail Spoofing
Identity Impersonation
Attacks on Data Integrity
Delivery Status Notification Manipulation
SMTP Security and Controls
Mapping Exploits to Defenses
Defensive Strategy
Antispam/Antirelay Controls
Antivirus and Content Scanning
Client-Side Access Controls
Content or Code Signing
Delivery Status Notification Controls
Disable Vulnerable ESMTP and SMTP Commands
Disable Vulnerable MIME Types
Network and SMTP Server Monitoring, Intrusion Detection
Patches and Service Packs
Separation of SMTP and Intranet Account Databases
Server-Side Access Controls
Server Redundancy
SMTP Header Stripping and Parsing
SMTP Source Routing Controls
Split SMTP Topology
System and Service Hardening
Transport Layer Security, Secure Socket Layer Security
Notes
References
Texts
Request for Comments (RFCs)
White Papers and Web References
12 Hypertext Transfer Protocol (HTTP)
The HTTP Protocol
HTTP Protocol and Packet Constructs (Packet Data Hacking)
HTTP Vulnerabilities
HTTP Protocol Methods (and Associated Vulnerabilities)
HTTP Exploits and HTTP Hacking
HTTP Protocol Attacks
Eavesdropping and Reconnaissance
Account Cracking
Basic Access Authentication
Digest Access Authentication
HTTP Method Vulnerabilities
Content Vulnerabilities
Caching Exploits
Cache Poisoning
Man-in-the-Middle Attacks
Unauthorized Retrieval of Cache Data and Cache Monitoring
Denial-of-Service
Protocol-Based Denial-of-Service
Application-Based Attacks
Buffer Overflows (Privileged Server Access, Denial-of-Service)
Directory Traversal Attacks
Application-Based Denial-of-Service
Attacks on the HTTP Trust Model
State-Based Attacks (Session ID Hacking)
HTTP Spoofing/HTTP Redirection
Man-in-the-Middle Attacks (Session Hijacking)
HTTP Security and Controls
Mapping Exploits to Defenses
Defensive Strategy
Caching Controls and Cache Redundancy
Disable Vulnerable HTTP Methods
HTTP Header Stripping
Implementation of HTTP Digest Access Authentication
Load Balancing and Server Redundancy
Network and HTTP Server Monitoring, Intrusion Detection
Patches and Service Packs
Security for Financial Transactions
Server-Side Access Controls
System and Service Hardening
Transport Layer Security or Secure Socket Layer Security
Notes
References
Texts
Request for Comments (RFCs)
Web References
13 Database Hacking and Security
Introduction
Enumeration of Weaknesses
SQL Injection
Introduction
Phases of SQL Injection
Hacking Microsoft SQL Server
Overflows in Microsoft SQL Server
You Had Me at Hello
SQL Server Resolver Service Stack Overflow
Microsoft SQL Server Postauth Vulnerabilities
Microsoft SQL Server SQL Injection
A Note on Attacking Cold Fusion Web Applications
Default Accounts and Configurations
Hacking Oracle
Buffer Overflows in Oracle Servers
SQL Injection on Oracle
Default User Accounts
Tools and Services for Oracle Assessments
Other Databases
Connecting Backwards
Demonstration and Examples
Phase 1. Discovery
Phase 2. Reverse Engineering the Vulnerable Application
Phase 3. Getting the Results of Arbitrary Queries
Conclusions
14 Malware and Viruses
Ethics Again
Target Platforms
Script Malware
Learning Script Virus Basics with Anna Kournikova
Binary Viruses
Binary File Viruses
Binary Boot Viruses
Hybrids
Binary Worms
Worst to Come
Adware Infections
Conclusion
Notes
15 Network Hardware
Overview
Network Infrastructure
Routers
Switches
Load-Balancing Devices
Remote Access Devices
Wireless Technologies
Network Infrastructure Exploits and Hacking
Device Policy Attacks
Installation Policy
Acceptable Use Policy
Access Policy
Configuration Storage Policy
Patch or Update Policy
Denial-of-Service
Device Obliteration
Configuration Removal or Modification
Sending Crafted Requests
Physical Device Theft
Environmental Control Modification
Resource Expenditure
Diagnostic Port Attack
Sequence (SYN) Attack
Land Attack
Bandwidth Expenditure
Broadcast (Smurf) Attacks
Other ICMP-Related Attacks
Redirects
ICMP Router Discovery Protocol (IRDP) Attack
Ping O’Death
Squelch
Fragmented ICMP
Network Mapping Exploits
Ping
Traceroute
Broadcast Packets
Information Theft
Network Sniffing
Hijacking Attacks
Spoofing
Address Spoofing
TCP Sequence Attacks
Media Access (MAC) Address Exploits
Password or Configuration Exploits
Default Passwords or Configurations
No Passwords
Weak Passwords
Dictionary Password Attacks
Brute-Force Attacks
Logging Attacks
Log Modification
Log Deletion
Log Rerouting
Spoofed Event Management
Network Ports and Protocols Exploits and Attacks
Telnet
BOOTP
Finger
Small Services
Device Management Attacks
Authentication
Console Access
Modem Access (AUX)
Management Protocols
Web (HTTP[S])
Telnet
SSH (Version 1)
TFTP
SNMP
Device Configuration Security Attacks
Passwords
Remote Loading (Network Loads)
Router-Specific Exploits
Routing Protocol Attacks
Authentication
IRDP Attacks
Cisco Discovery Protocol (CDP)
Classless Routing
Source Routing
Route Table Attacks
Modification
Poisoning
ARP Table Attacks
Modification
Poisoning
Man-in-the-Middle Attack
Access-Control Lists Attacks
Switch-Specific Exploits
ARP Table
Modification
Poisoning
Man-in-the-Middle Attack
Media Access (MAC) Address Exploits
Changing a Host’s MAC
Duplicate MAC Addresses
Load-Balancing Device — Specific Exploits
Remote Access Device — Specific Exploits
Weak User Authentication
Same Account and Login Multiple Devices
Shared Login Credentials
Home User System Exploitation
Wireless Technology — Specific Exploits
Interception and Monitoring
Jamming
Insertion
Rogue Access Points
Unauthorized Clients
Client-to-Client Attacks
Media Access (MAC) Address
Duplicate IP Address
Improper Access Point Configuration
Service Set Identifier (SSID)
Default SSID
SSID Broadcasting
Wired Equivalent Privacy (WEP) Exploits
Network Infrastructure Security and Controls
Defensive Strategy
Routing Protocol Security Options
Management Security Options
Operating System Hardening Options
Protecting Running Services
Hardening of the Box
Explicitly Shut Down All Unused Interfaces
Limit or Disable In-Band Access (via Telnet, SSH, SNMP, Etc.)
Reset All Default Passwords
Use Encrypted Passwords
Use Remote AAA Authentication
Use Access Lists to Protect Terminal, SNMP, TFTP Ports
Remote Login (Telnet) Service
SNMP Service
Routing Services
Limit Use of SNMP
Limit Use of Internal Web Servers Used for Configuration
Disable Cisco Discovery Protocol (CDP) on Cisco Gear Outside of the Firewall
Do Not Leak Info in Banners
Keep Up-to-Date on Security Fixes for Your Network Infrastructure Devices
DoS and Packet Flooding Controls
Use IP Address Spoofing Controls
Watch for Traffic Where the Source and Destination Addresses Are the Same
Enforce Minimum Fragment Size to Protect against Tiny Fragment Attack, Overlapping Fragment Attack, and Teardrop Attack
Disable IP Unreachables on External Interfaces
Disable ICMP Redirects on External Interfaces
Disable Proxy ARP
Disable IP Directed Broadcasts (SMURF Attacks)
Disable Small Services (No Service Small-Servers UDP and No Service Small-Servers TCP)
Disable IP Source Routing (No IP Source-Route)
Use Traffic Shaping (Committed Access Rate)
Tools
Configuration Audit and Verification Tools
Wireless Network Controls
Notes
References
Tools
Request for Comments (RFCs)
White Paper
Web References
PART III CONSOLIDATION
16 Consolidating Gains
Overview
Consolidation (OS and Network Facilities)
Account and Privilege Management Facilities
Account Cracking
SMBCapture
Active Directory Privilege Reconnaissance and Hacking
Built-In/Default Accounts, Groups, and Associated Privileges
Finger Service Reconnaissance
Kerberos Hacking and Account Appropriation
Keystroke Logging
LDAP Hacking and LDAP Reconnaissance
Polling the Account Database
Social Engineering
Trojanized Login Programs
File System and I/O Resources
File System and Object Privilege Identification
File System (Operating System) Hacking
File Sharing Exploits
NFS (IP) Spoofing
SMBRelay
File Handle/File Descriptor Hacking
File System Device and I/O Hacking
File System Exploitation through Application Vulnerabilities
Application-Based File System Hacking
Extended File System Functionality and File System Hacking
Service and Process Management Facilities
Processes, Services, and Privilege Identification
Starting/Stopping Services and Executing with Specific Privileges
API, Operating System, and Application Vulnerabilities
Buffer Overflows, Format String, and Other Application Attacks
Debugging Processes and Memory Manipulation
Inter-Process Communication (IPC), Named Pipe, and Named Socket Hacking
Devices and Device Management Facilities
Devices and Device Management Hacking
Keystroke Logging
Packet Sniffing
Libraries and Shared Libraries
Library (and Shared Library) Hacking
Shell Access and Command Line Facilities
Shell Hacking
Registry Facilities (NT/2000)
Registry Hacking
Client Software
Client Software Appropriation
Listeners and Network Services
Account/Privilege Appropriation via a Vulnerable Network Service
NetBIOS/SMB Reconnaissance
Network Information Service (NIS) Reconnaissance
NIS Hacking
SNMP Reconnaissance
Network Trust Relationships
Account Cracking
IP Spoofing
Token Capture and Impersonation
Application/Executable Environment
Consolidation (Foreign Code)
Trojans
Backdoors (and Trojan Backdoors)
Backdoor Listeners
Backdoor Applications
Rootkits
Kernel-Level Rootkits
Security
Mapping Exploits to Defenses
Notes
References and System Hardening References
Texts
Web References
System Hardening References
Windows NT/2000
UNIX Platforms
17 After the Fall
Logging, Auditing, and IDS Evasion
Logging and Auditing Evasion
Windows NT/2000 Logging/Auditing Evasion
IP Spoofing
Account Masquerading
Deletion/Modification of Log File Entries
Deletion of Log Files
Disabling Logging
Controlling What Is Logged
Manipulation of Audit Options
Deletion or Update of Audit Files
UNIX Platforms
UNIX Logging/Auditing Evasion
IP Spoofing
Account Masquerading
Deletion/Modification of Log File Entries
Deletion of Log Files
Disabling Log Files
Controlling What Is Logged
Manipulation of Audit and Accounting Options
Deletion or Update of Audit Files
Routers (Cisco)
AAA Protocols (RADIUS, TACACS)
Centralized Logging Solutions (Syslog)
IP Spoofing
Account Masquerading
Deletion/Modification of Log File Entries
Deletion of Log Files
Disabling Log Files
Controlling What Is Logged
IDS Evasion
Forensics Evasion
Environment Sanitization
Sanitizing History Files
Sanitizing Cache Files
File Hiding and File System Manipulation
Operating System File Hiding Techniques
Alternate Data Streams (NT/2000/XP)
Steganography
Cryptography
Covert Network Activities
Covert TCP
“Normalizing” Traffic (Covert Shells)
ICMP Covert Tunneling
Investigative, Forensics, and Security Controls
Mapping Exploits to Defenses
Centralized Logging and Archival of Log File Data
Centralized Reporting and Data Correlation
Encryption of Local Log File Data
Establishment of Appropriate Access Controls for Log Files
Implementation of Tools for Remote Monitoring of Log Files
Patches and Software Updates
Process Monitoring for Logging Services
Regular File System Audits
Strict Management of Audit and Accounting-Related Privileges
Traffic Encryption for Syslog Packet Data
Notes
References
Texts
Web References
18 Conclusion
Conclusion: Case Study in Subversion
Dalmedica’s Perspective
Access Points
Bastion Hosts
Reconnaissance Activity
Target Systems
Conclusion (Final Thoughts)
References
Areas of Focus
General Hacking and Security Resources
Authentication Technologies
Cryptography
DNS and Directory Services
Network Management
Route/Switch Infrastructures
Storage Networking
Voice over IP
Wireless Networks
Notes