Hack IT Security Through Penetration Testing. Addison-Wesley

T. J. Klevinsky, Scott Laliberte, Ajay Gupta

Hack I.T. introduces penetration testing and its vital role in an overall network security plan.

Penetration testing--in which professional, "white hat" hackers attempt to break through an
organization’s security defenses--has become a key defense weapon in today’s information systems
security arsenal. Through penetration testing, I.T. and security professionals can take action to prevent
true "black hat" hackers from compromising systems and exploiting proprietary information.


Authors
T.J. Klevinsky, CISSP
T.J. is a manager with Ernst & Young's Security and Technology Solutions practice. He is
currently responsible for coordinating attack and penetration exercises in various parts of
the world. As an instructor for his company's “Extreme Hacking” course, T.J. is constantly
researching new tools and techniques for exploiting security vulnerabilities. To keep the
course up-to-date, new tools and methods are included in the attack and penetration
methodology. Additionally, as the author and instructor for the System Administration and
Network Security (SANS) Institute course “Contemporary Hacking Tools and Penetration
Testing,” T.J. has had the opportunity to interact with other penetration-testing
professionals across the globe to identify new tools and techniques and to bring these
experiences and tools to this book.

Scott Laliberte
Scott is a manager with Ernst & Young's Security and Technology Solutions practice. He
has extensive experience and expertise in the areas of information systems security,
network operations, and electronic commerce. Specifically, Scott has managed and led
numerous attack and penetration engagements and systems vulnerability assessments for
midsize and Fortune 500 companies. During these engagements Scott used a variety of
commercial and proprietary tools and techniques to identify vulnerabilities in networks,
operating systems, and applications. Scott is also responsible for coordinating and
designing e-commerce architectures and verifying security controls and the effectiveness
of the architectures. In addition, Scott is an instructor for Ernst & Young's “Extreme
Hacking” course, where he helps train others in Ernst & Young's attack and penetration methodology.

Ajay Gupta
Ajay is a senior security professional with Ernst & Young's Security and Technology
Solutions practice, where he performs security reviews for Ernst & Young clients. He has
experience in performing penetration testing, risk analysis, and code review engagements
as well as evaluating the security posture of client organizations ranging from Fortune 100
firms to e-commerce start-ups. Ajay is an instructor for Ernst & Young's “Extreme Hacking”
course and spends a large portion of his time developing and reviewing new tools. Ajay is
one of Ernst & Young's specialists in intrusion detection systems and has evaluated,
installed, and configured various intrusion detection tools. He has been a speaker in the
fields of security and electronic commerce for various national organizations and universities.


Preface
Why write a book about hacking? The question is really whether a book about the
techniques and tools used to break into a network would be beneficial to the information
security community. We, the authors, believe that penetration testing is a valuable and
effective means of identifying security holes and weaknesses in a network and computing
environment. Understanding how others will try to break into a network offers considerable
insight into the common pitfalls and misconfigurations that make networks vulnerable. This
insight is essential to creating a comprehensive network security structure.

Some may argue that providing this penetration-testing information gives script kiddies and
hackers ammunition to better attack systems. However, script kiddies and hackers already
have access to this information or have the time to find it—most of the material presented
in this book is available from a variety of sources on the Internet. The problem is that the
system and security administrators defending against attacks do not have the time or
resources to research the sites necessary to compile this information. We decided to write
this book to provide defenders with the information hackers already have. A hacker has to
find only one hole to gain unauthorized access. The security group defending against the
hackers needs to find all the holes to prevent unauthorized access.

There is no tried-and-true training that can make everyone a security expert, but there are
some baseline principles, skills, and tools that must be mastered to become proficient in
this field. Our goal is to provide you with those skills in a manner that helps you to
understand the structure and tools used and to begin developing your own style of penetration testing.

The process described in this book is not the only way to perform a penetration test. We
continue to evolve our own methodology to respond to new technologies and threats. This
process has worked well for us in the past and continues to be a successful way to
evaluate and test network security.


Introduction

It certainly seems that over the past few years the security ramifications of online activity
have begun to permeate the national consciousness. Mainstream media have begun to
take an interest in and glamorize the compromises that have taken place. Even Hollywood
has movies about hacking, the latest being Warner Brothers' Swordfish starring John
Travolta, Halle Berry, and Hugh Jackman as the world's foremost hacker.

Despite the growing level of interest in this field, there is still little known about the actual
issues involved in securing networks and electronic assets. Many people consider
anti-virus software used to defend against Internet e-mail viruses to be the cure-all for all
varieties of information security threats. Viruses are a big problem, no doubt, potentially
leading to huge losses in terms of lost productivity and corrupted intellectual assets.
However, cyber crime (hacking) can be much more than the release of an e-mail
attachment that proclaims love (the I LOVE YOU virus) or promises sexy pictures (the
Anna Kournikova virus) to all the friends and business associates of unsuspecting victims.
The true dangers of cyber crime are of far greater consequence. Individuals with technical
knowledge of networks and networking devices can steal sensitive information (for
example, U.S. troop deployments from Department of Defense computers, source code for
new software products, medical records) or money (through online access to bank
accounts or credit card numbers used with online retailers) or conduct a host of juvenile
pranks (erasing backup files recording the last six months of activity, raising the
temperature in buildings, turning off phone systems).

While these may seem to be scare tactics used to get people to spend time, energy, and
good money on unnecessary things, that is, unfortunately, not the case. The threats are
real. They are evident in the latest “Computer Crime and Security Survey” by the Computer
Security Institute and the Federal Bureau of Investigation and in news reports of cases of
identity theft and firms facing the realization that they are being blackmailed by a hacker
who has their customer list (including credit card information).

Given this burgeoning interest in keeping networks free from hacking minds, there has
naturally been greater interest in taking steps to ensure networks are secure. One such
step is to perform a professional penetration test, also called attack and penetration or
ethical hacking. There are various parts of the security industry, namely those people who
provide security consulting services (also called professional services), those who develop
and market security products, and finally those who are managed security service
providers (MSSPs).

MSSPs provide outsourced security monitoring and management of all or parts of a
network in exchange for a retainer. Firewalls, intrusion detection systems, audit logs, and
virus scanners can all be managed by an MSSP. The developers of security products
include commercial interests, a large open-source community, and smaller groups of black
hat hackers who aim to create tools to automate the network analysis and review process.
Such tools include firewalls, intrusion detection systems, auditing tools, virus scanners,
vulnerability scanners, network mappers, network sniffers, encryption tools, password
crackers, banner grabbers … the list goes on. In addition, tools and scripts, such as
denial-of-service exploits, that aid in the compromise of networks are also frequently
developed and released. Naturally, this latter set of tools comes generally from the domain of
open-source or black hat developers, while commercial interests stick to more benign offerings.

Penetration-testing services are a component of consulting services. Consulting services
also include the development of security policies and procedures, the performance of
security vulnerability and risk analysis of networks, and the design and implementation of
security solutions (such as a firewall solution, a public key infrastructure, a single sign-on
solution, or an IDS solution) and a host of related services. The goal of security consulting
services, especially for penetration testing, is to improve or augment the security posture of
a network or system.

“And he that breaks a thing to find out what it is has left the path of wisdom.”
—Gandalf the Grey from The Fellowship of the Ring, Volume 1 of The Lord
of the Rings by J.R.R. Tolkien

This sentiment applies to penetration testing. Our testing does not intend to and never
should actually cripple or compromise a network. However, testing must detect as many
ways to do so as possible. The findings or results of the testing are aimed at improving the
security posture of a network by presenting countermeasures for the vulnerabilities
identified. The process is simple: take a few white hat hackers, give them black hats for a
short period of time, and let them try to figure out all the possible ways a system can be
compromised. Then, take the black hats away and have them report on their findings—to
the client, not to the general Internet hacker community.

This book focuses on presenting a method for performing penetration testing. In doing so,
we do not discuss other consulting services available. And while we do discuss in some
detail the tools we use for penetration testing, this work should not be considered a
comprehensive review of the security products available in the market today. We also do
not address the burgeoning MSSP field, though we briefly discuss it in the final chapter on future trends.

We, the authors, share a connection with the professional services firm Ernst & Young
LLP. We attest that the ideas and opinions presented throughout this work are not
necessarily those of Ernst & Young but solely the critical analysis based on our years of field experience.

Truth be told, much of the information presented here can be found in various places on
the Web, in news groups, in e-mail distribution lists, or at other destinations on the Internet
(a listing is presented in Chapter 22). Those who believe writing such a book is dangerous
since it may result in teaching people how to hack do not see the value in improving
security through testing and measuring defenses against the techniques of opponents.
Hackers already know how to hack and have the time and energy to research (and
develop) hacking techniques. The good guys, who are busy battling the day-to-day fires of
maintaining the corporate network, do not have the luxury of this time and cannot perform
this level of research. We hope this book will be a tool for the good guys. It consolidates
and organizes the information already available to the hacker community so that security
professionals can arm themselves in the security battle.

We hope you find this text as useful to read as it was challenging for us to write. We are
glad to provide our knowledge and intelligence on penetration testing. How you choose to
use it is of your own volition. Remember: Penetration testing without permission is
illegal—a point we hope this text makes clear.
Happy reading.


Product details
File Size: 12,564 KB
Pages: 575 p
File Type: PDF format
ISBN: 0-201-71956-8
Copyright: 2002 by Pearson Education, Inc

Hack I.T.: Security Through Penetration Testing

Contents

Foreword
Preface
Audience
Authors
How to Use This Book
Acknowledgments
Introduction
1. Hacking Today
2. Defining the Hacker
2.1 Hacker Skill Levels
2.2 Information Security Consultants
2.3 Hacker Myths
2.4 Information Security Myths
3. Penetration for Hire
3.1 Ramifications of Penetration Testing
3.2 Requirements for a Freelance Consultant
3.3 Announced vs. Unannounced Penetration Testing
4. Where the Exposures Lie
4.1 Application Holes
4.2 Berkeley Internet Name Domain (BIND) Implementations
4.3 Common Gateway Interface (CGI)
4.4 Clear Text Services
4.5 Default Accounts
4.6 Domain Name Service (DNS)
4.7 File Permissions
4.8 FTP and telnet
4.9 ICMP
4.10 IMAP and POP
4.11 Modems
4.12 Lack of Monitoring and Intrusion Detection
4.13 Network Architecture
4.14 Network File System (NFS)
4.15 NT Ports 135–139
4.16 NT Null Connection
4.17 Poor Passwords and User IDs
4.18 Remote Administration Services
4.19 Remote Procedure Call (RPC)
4.20 SENDMAIL
4.21 Services Started by Default
4.22 Simple Mail Transport Protocol (SMTP)
4.23 Simple Network Management Protocol (SNMP) Community Strings
4.24 Viruses and Hidden Code
4.25 Web Server Sample Files
4.26 Web Server General Vulnerabilities
4.27 Monitoring Vulnerabilities
5. Internet Penetration
5.1 Network Enumeration/Discovery
5.2 Vulnerability Analysis
5.3 Exploitation
Case Study: Dual-Homed Hosts
6. Dial-In Penetration
6.1 War Dialing
6.2 War Dialing Method
6.3 Gathering Numbers
6.4 Precautionary Methods
6.5 War Dialing Tools
Case Study: War Dialing
7. Testing Internal Penetration
7.1 Scenarios
7.2 Network Discovery
7.3 NT Enumeration
7.4 UNIX
7.5 Searching for Exploits
7.6 Sniffing
7.7 Remotely Installing a Hacker Tool Kit
7.8 Vulnerability Scanning
Case Study: Snoop the User Desktop
8. Social Engineering
8.1 The Telephone
8.2 Dumpster Diving
8.3 Desktop Information
8.4 Common Countermeasures
9. UNIX Methods
9.1 UNIX Services
9.2 Buffer Overflow Attacks
9.3 File Permissions
9.4 Applications
9.5 Misconfigurations
9.6 UNIX Tools
Case Study: UNIX Penetration
10. The Tool Kit
10.1 Hardware
10.2 Software
10.3 VMware
11. Automated Vulnerability Scanners
11.1 Definition
11.2 Testing Use
11.3 Shortfalls
11.4 Network-Based and Host-Based Scanners
11.5 Tools
11.6 Network-Based Scanners
11.7 Host-Based Scanners
11.8 Pentasafe VigilEnt
11.9 Conclusion
12. Discovery Tools
12.1 WS_Ping ProPack
12.2 NetScanTools
12.3 Sam Spade
12.4 Rhino9 Pinger
12.5 VisualRoute
12.6 Nmap
12.7 What's running
13. Port Scanners
13.1 Nmap
13.2 7th Sphere Port Scanner
13.3 Strobe
13.4 SuperScan
14. Sniffers
14.1 Dsniff
14.2 Linsniff
14.3 Tcpdump
14.4 BUTTSniffer
14.5 SessionWall-3 (Now eTrust Intrusion Detection)
14.6 AntiSniff
15. Password Crackers
15.1 L0phtCrack
15.2 pwdump2
15.3 John the Ripper
15.4 Cain
15.5 ShowPass
16. Windows NT Tools
16.1 NET USE
16.2 Null Connection
16.3 NET VIEW
16.4 NLTEST
16.5 NBTSTAT
16.6 epdump
16.7 NETDOM
16.8 Getmac
16.9 Local Administrators
16.10 Global (“Domain Admins”)
16.11 Usrstat
16.12 DumpSec
16.13 user2Sid/sid2User
16.14 NetBIOS Auditing Tool (NAT)
16.15 SMBGrind
16.16 SRVCHECK
16.17 SRVINFO
16.18 AuditPol
16.19 REGDMP
16.20 Somarsoft DumpReg
16.21 Remote
16.22 Netcat
16.23 SC
16.24 AT
16.25 FPipe
Case Study: Weak Passwords
Case Study: Internal Penetration to Windows
17. Web-Testing Tools
17.1 Whisker
17.2 SiteScan
17.3 THC Happy Browser
17.4 wwwhack
17.5 Web Cracker
17.6 Brutus
Case Study: Compaq Management Agents Vulnerability
18. Remote Control
18.1 pcAnywhere
18.2 Virtual Network Computing
18.3 NetBus
18.4 Back Orifice 2000
19. Intrusion Detection Systems
19.1 Definition
19.2 IDS Evasion
19.3 Pitfalls
19.4 Traits of Effective IDSs
19.5 IDS Selection
20. Firewalls
20.1 Definition
20.2 Monitoring
20.3 Configuration
20.4 Change Control
20.5 Firewall Types
20.6 Network Address Translation
20.7 Evasive Techniques
20.8 Firewalls and Virtual Private Networks
Case Study: Internet Information Server Exploit – MDAC
21. Denial-of-Service Attacks
21.1 Resource Exhaustion Attacks
21.2 Port Flooding
21.3 SYN Flooding
21.4 IP Fragmentation Attacks
21.5 Distributed Denial-of-Service Attacks
21.6 Application-Based DoS Attacks
21.7 Concatenated DoS Tools
21.8 Summary
22. Wrapping It Up
22.1 Countermeasures
22.2 Keeping Current
23. Future Trends
23.1 Authentication
23.2 Encryption
23.3 Public Key Infrastructure
23.4 Distributed Systems
23.5 Forensics
23.6 Government Regulation
23.7 Hacking Techniques
23.8 Countermeasures
23.9 Cyber-Crime Insurance
A. CD-ROM Contents
Organization of the CD-ROM
Compilation of Programs
B. The Twenty Most Critical Internet Security Vulnerabilities – The Experts' Consensus
The SANS Institute
G1 – Default Installs of Operating Systems and Applications
G2 – Accounts with No Passwords or Weak Passwords
G3 – Non-existent or Incomplete Backups
G4 – Large Number of Open Ports
G5 – Not Filtering Packets for Correct Incoming and Outgoing Addresses
G6 – Non-existent or Incomplete Logging
G7 – Vulnerable CGI Programs
W1 – Unicode Vulnerability (Web Server Folder Traversal)
W2 – ISAPI Extension Buffer Overflows
W3 – IIS RDS Exploit (Microsoft Remote Data Services)
W4 – NETBIOS – Unprotected Windows Networking Shares
W5 – Information Leakage Via Null Session Connections
W6 – Weak Hashing in SAM (LM Hash)
U1 – Buffer Overflows in RPC Services
U2 – Sendmail Vulnerabilities
U3 – Bind Weaknesses
U4 – R Commands
U5 – LPD (Remote Print Protocol Daemon)
U6 – Sadmind and Mountd
U7 – Default SNMP Strings
Appendix A – Common Vulnerable Ports
Appendix B – The Experts Who Helped Create the Top Ten and Top Twenty Internet Vulnerability List