STUART MCCLURE, JOEL SCAMBRAY, GEORGE KURTZ
Part I Casing the Establishment
Part II System Hacking
Part III Infrastructure Hacking
Part IV Application and Data Hacking
Part V Appendixes
▼ A Ports
▼ B Top 14 Security Vulnerabilities
▼ C Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks
ABOUT THE AUTHORS
Stuart McClure, CISSP, CNE, CCSE
Widely recognized for his extensive and in-depth knowledge of security
products, Stuart McClure is considered one of the industry’s leading
authorities in information security today. A well-published and acclaimed
security visionary, McClure has over two decades of technology and
executive leadership with profound technical, operational, and financial experience.
Stuart McClure is Vice President of Operations and Strategy for the
Risk & Compliance Business Unit at McAfee, where he is responsible for the health and
advancement of security risk management and compliance products and service
solutions. In 2008, Stuart McClure was Executive Director of Security Services at Kaiser
Permanente, the world’s largest health maintenance organization, where he oversaw 140
security professionals and was responsible for security compliance, oversight, consulting,
architecture, and operations. In 2005, McClure took over the top spot as Senior Vice
President of Global Threats, running all of AVERT. AVERT is McAfee’s virus, malware,
and attack detection signature and heuristic response team, which includes over 140 of
the smartest programmers, engineers, and security professionals from around the world.
His team monitored global security threats and provided follow-the-sun signature
creation capabilities. Among his many tactical responsibilities, McClure was also
responsible for providing strategic vision and marketing for the teams to elevate the
value of their security expertise in the eyes of the customer and the public. Additionally,
he created the semiannual Sage Magazine, a security publication dedicated to monitoring global threats.
Prior to taking over the AVERT team, Stuart McClure was Senior Vice President of
Risk Management Product Development at McAfee, Inc., where he was responsible for
driving product strategy and marketing for the McAfee Foundstone family of risk
mitigation and management solutions. Prior to his role at McAfee, McClure was founder,
president, and chief technology officer of Foundstone, Inc., which was acquired by
McAfee in October 2004 for $86M. At Foundstone, McClure led both the product vision
and strategy for Foundstone, as well as operational responsibilities for all technology
development, support, and implementation. McClure drove annual revenues over
100 percent every year since the company’s inception in 1999. McClure was also the
author of the company’s primary patent #7,152,105.
In 1999, he created and co-authored Hacking Exposed: Network Security Secrets &
Solutions, the best-selling computer security book, with over 500,000 copies sold to date.
The book has been translated into more than 26 languages and is ranked the #4 computer
book ever sold—positioning it as one of the best-selling security and computer books in
history. McClure also co-authored Hacking Exposed Windows 2000 (McGraw-Hill
Professional) and Web Hacking: Attacks and Defense (Addison-Wesley).
Prior to Foundstone, McClure held a variety of leadership positions in security and
IT management, with Ernst & Young’s National Security Profiling Team, two years as an
industry analyst with InfoWorld’s Test Center, five years as director of IT for both state
and local California government, two years as owner of his own IT consultancy, and two
years in IT with the University of Colorado, Boulder.
McClure holds a bachelor’s degree in psychology and philosophy, with an emphasis in
computer science applications from the University of Colorado, Boulder. He later earned
numerous certifications including ISC2’s CISSP, Novell’s CNE, and Check Point’s CCSE.
Joel Scambray is co-founder and CEO of Consciere, a provider of strategic
security advisory services. He has assisted companies ranging from newly
minted startups to members of the Fortune 50 in addressing information
security challenges and opportunities for over a dozen years.
Scambray’s background includes roles as an executive, technical
consultant, and entrepreneur. He was a senior director at Microsoft
Corporation, where he led Microsoft’s online services security efforts for
three years before joining the Windows platform and services division to focus on
security technology architecture. Joel also co-founded security software and services
startup Foundstone, Inc., and helped lead it to acquisition by McAfee for $86M. He has
also held positions as a Manager for Ernst & Young, Chief Strategy Officer for Leviathan,
security columnist for Microsoft TechNet, Editor at Large for InfoWorld Magazine, and
director of IT for a major commercial real estate firm.
Joel Scambray has co-authored Hacking Exposed: Network Security Secrets & Solutions
since helping create the book in 1999. He is also lead author of the Hacking Exposed Windows and Hacking Exposed Web Applications series (both from McGraw-Hill Professional). Scambray brings tremendous experience in technology development, IT operations security, and consulting to clients ranging from small startups to the world’s largest enterprises. He has spoken widely on information security at forums including Black
Hat, I-4, and The Asia Europe Meeting (ASEM), as well as organizations including CERT,
The Computer Security Institute (CSI), ISSA, ISACA, SANS, private corporations, and
government agencies such as the Korean Information Security Agency (KISA), FBI, and
the RCMP.
Scambray holds a bachelor’s of science from the University of California at Davis, an MA
from UCLA, and he is a Certified Information Systems Security Professional (CISSP).
George Kurtz, CISSP, CISA, CPA
Former CEO of Foundstone and current Senior Vice President & General Manager of McAfee’s Risk & Compliance Business Unit, George Kurtz is
an internationally recognized security expert, author, and entrepreneur, as
well as a frequent speaker at most major industry conferences. Kurtz has
over 16 years of experience in the security space and has helped hundreds
of large organizations and government agencies tackle the most demanding
security problems. He has been quoted or featured in many major
publications, media outlets, and television programs, including CNN, Fox News, ABC
World News, Associated Press, USA Today, Wall Street Journal, The Washington Post, Time, ComputerWorld, eWeek, CNET, and others.
George Kurtz is currently responsible for driving McAfee’s worldwide growth in the
Risk & Compliance segments. In this role, he has helped transform McAfee from a point
product company to a provider of Security Risk Management and Compliance
Optimization solutions. During his tenure, McAfee has significantly increased its overall
enterprise average selling price (ASP) and its competitive displacements. Kurtz formerly
held the position of SVP of McAfee Enterprise, where he was responsible for helping to
drive the growth of the enterprise product portfolio on a worldwide basis.
Prior to his role at McAfee, Kurtz was CEO of Foundstone, Inc., which was acquired
by McAfee in October 2004. In his position as CEO, Kurtz brought a unique combination
of business acumen and technical security know-how to Foundstone. Having raised over
$20 million in financing, Kurtz positioned the company for rapid growth and took the
company from startup to over 135 people in four years. Kurtz’s entrepreneurial
spirit positioned Foundstone as one of the premier “pure play” security solutions
providers in the industry.
Prior to Foundstone, Kurtz served as a senior manager and the national leader of
Ernst & Young’s Security Profiling Services Group. During his tenure, Kurtz was
responsible for managing and performing a variety of eCommerce-related security
engagements with clients in the financial services, manufacturing, retailing,
pharmaceuticals, and high technology industries. He was also responsible for co-developing
the “Extreme Hacking” course. Prior to joining Ernst & Young, he was a
manager at Price Waterhouse, where he was responsible for developing their network-based
attack and penetration methodologies used around the world.
Under George Kurtz’s direction, he and Foundstone have received numerous awards,
including Inc.’s “Top 500 Companies,” Software Council of Southern California’s
“Software Entrepreneur of the Year 2003” and “Software CEO of the Year 2005,” Fast
Company’s “Fast 50,” American Electronics Association’s “Outstanding Executive,”
Deloitte’s “Fast 50,” Ernst & Young’s “Entrepreneur of the Year Finalist,” Orange County’s
“Hottest 25 People,” and others.
Kurtz holds a bachelor of science degree from Seton Hall University. He also holds
several industry designations, including Certified Information Systems Security
Professional (CISSP), Certified Information Systems Auditor (CISA), and Certified Public
Accountant (CPA). He was recently granted Patent #7,152,105 - “System and method for
network vulnerability detection and reporting.” Additional patents are still pending.
About the Contributing Authors
Nathan Sportsman is an information security consultant whose experience includes
positions at Foundstone, a division of McAfee; Symantec; Sun Microsystems; and Dell.
Over the years, Sportsman has had the opportunity to work across all major verticals
and his clients have ranged from Wall St. and Silicon Valley to government intelligence
agencies and renowned educational institutions. His work spans several service lines,
but he specializes in software and network security. Sportsman is also a frequent public
speaker. He has lectured on the latest hacking techniques for the National Security
Agency, served as an instructor for the Ultimate Hacking Series at Black Hat, and is a
regular presenter for various security organizations such as ISSA, Infragard, and
OWASP. Sportsman has developed several security tools and was a contributor to the
Solaris Software Security Toolkit (SST). Industry designations include the Certified
Information Systems Security Professional (CISSP) and GIAC Certified Incident Handler
(GCIH). Sportsman holds a bachelor’s of science in electrical and computer engineering
from The University of Texas at Austin.
Brad Antoniewicz is the leader of Foundstone’s network vulnerability and assessment
penetration service lines. He is a senior security consultant focusing on internal and
external vulnerability assessments, web application penetration, firewall and router
configuration reviews, secure network architectures, and wireless hacking. Antoniewicz
developed Foundstone’s Ultimate Hacking wireless class and teaches both Ultimate
Hacking Wireless and the traditional Ultimate Hacking classes. Antoniewicz has spoken
at many events, authored various articles and whitepapers, and developed many of
Foundstone’s internal assessment tools.
Jon McClintock is a senior information security consultant located in the Pacific
Northwest, specializing in application security from design through implementation
and into deployment. He has over ten years of professional software experience, covering
information security, enterprise and service-oriented software development, and
embedded systems engineering. McClintock has worked as a senior software engineer
on Amazon.com’s Information Security team, where he worked with software teams to
define security requirements, assess application security, and educate developers about
security software best practices. Prior to Amazon, Jon developed software for mobile
devices and low-level operating system and device drivers. He holds a bachelor’s of
science in computer science from California State University, Chico.
Adam Cecchetti has over seven years of professional experience as a security engineer
and researcher. He is a senior security consultant for Leviathan Security Group located
in the Pacific Northwest. Cecchetti specializes in hardware and application penetration
testing. He has led assessments for the Fortune 500 in a vast array of verticals. Prior to
consulting, he was a lead security engineer for Amazon.com, Inc. Cecchetti holds a
master’s degree in electrical and computer engineering from Carnegie Mellon University.
About the Tech Reviewer
Michael Price, research manager for McAfee Foundstone, is currently responsible for
content development for the McAfee Foundstone Enterprise vulnerability management
product. In this role, Price works with and manages a global team of security researchers
responsible for implementing software checks designed to detect the presence of
vulnerabilities on remote computer systems. He has extensive experience in the
information security field, having worked in the areas of vulnerability analysis and
security software development for over nine years.
Introduction
THE ENEMY IS EVERYWHERE AND IT IS COMPLACENCY
With the security “industry” well into its second decade, we have a highly evolved
enemy. This enemy has neither a face nor a voice, neither a dossier nor a tangible
background; it doesn’t even have a name. The only way we know it exists is by measuring
our progress, or lack thereof. The new enemy is complacency.
In the fifth edition, we spoke about the new enemy being vigilance. But what underlies
this lack of vigilance is complacency. We have become complacent—just as we did before
September 11th, 2001. As Spock would say, “Humans are fascinating.” We only react. We
do not pro-act. We do not prevent until something happens. And then it’s too late.
Far too late.
The security industry and the professionals who mark its boundaries have already
been fighting the enemies at the gate and the enemies behind them (the executives and
managers who don’t understand the risk their organization is taking on when they are
lackadaisical about security). But now we must deal with the complacency that comes
from “nothing happening.” Remember that good security is measured by “nothing
happening.” But what happens to the human psyche when “nothing happens”? We
believe we are invincible. That nothing can happen to us. We forget our vulnerability and
frailty. We forget that “bad stuff” can happen. Until the next catastrophe…
So how do we deal with this morass? In our travels, there is only one other way to get
security the attention it requires, only one way to get the “light bulbs to go off”: show
them. And that’s where we come in. Take this book as your guide, as your recipe for
attention. Take this to anyone who will listen or anyone who will watch your screen for
ten seconds, and show them (on test systems, of course) what can happen in an instant
when a bad guy or gal, with the motivation and opportunity to do bad things, turns his
or her attention your way. Then watch the light bulbs go off…
What’s New in the Sixth Edition
Our infinite mission with Hacking Exposed is to continually update and provide security
analysis of the latest technologies for the network, host, application, and database. Each
year new technologies and solutions burp forth in the primordial soup of the Internet
and corporate networks without a single thought to security.
New Content
Here are just a few of the new items in the sixth edition:
• New chapter, “Hacking Hardware,” covering physical locks and access cards,
RFID, laptop security technologies, USB U3, Bluetooth, firmware, and many others
• New Windows hacks, including Terminal Services, Kerberos sniffing, man-in-the-middle
attacks, Metasploit, device driver exploits, new password cracking
tools, Windows Firewall, Bitlocker, and EFS
• New UNIX hacks, including THC Hydra, Solaris input validation attacks,
dangling pointer attacks, DNS cache poisoning (Kaminsky’s 2008 release),
UNIX Trojans, kernel rootkits, and new password-cracking techniques
• Coverage of new wireless hacks
• New network device hacks, including new Cisco vulnerabilities
• Coverage of new VPN and VoIP hacks, including using Google to hack VPN
configurations, hacking IPsec VPN servers, attacking IKE Aggressive Mode,
SIP scanning and enumeration, SIP flooding hacks, and TFTP tricks to discover VoIP treasures
• New footprinting, scanning, and enumeration techniques that can go
completely undetected
• Newly condensed denial of service appendix giving you only what you need to know
• Updated coverage of “Hacking the Internet User” and “Hacking Code”
• Brand-new case studies covering new and timely techniques that real-world
hackers use to get into systems and stay there—anonymously
To Everyone
Message to all readers: as with all prior editions of Hacking Exposed, take the book in
chunks, absorb its rich content in doses, and test everything we show you. There is no
better way to learn than to “do.” Take all the prescriptive text we have accumulated in
these chapters and use the information. Then you should rinse and repeat. In other words,
reread these pages again and again—even after you think you know it all. We guarantee
that you will discover new dimensions to the content that will serve you well.
We have been blessed in this life to be able to present this content to you year after
year. And its success is in large part due to the content, its prescriptive nature, and the
authors that present that matter to you in easily digestible formats. We could not have
predicted Hacking Exposed’s amazing success in 1999, but we can predict something for
the future: as long as you see value in what we write and bring to you, we will continue
to deliver this content in its unfiltered and “exposed” format. We feel it is our mission
and destiny. Happy learning!
Table of Contents
Foreword . . . . . . . . . . . . . . . xix
Acknowledgments . . .. . . . . . . . xxi
Preface . . . .. . . . . . . xxiii
Introduction . . . .. . . . . . . . xxv
Part I Casing the Establishment
Case Study . . . .. . . . . 2
IAAAS—It’s All About Anonymity, Stupid . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Tor-menting the Good Guys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
▼ 1 Footprinting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
What Is Footprinting? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Why Is Footprinting Necessary? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Internet Footprinting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Step 1: Determine the Scope of Your Activities . . . . . . . . . . . . . . . . . . 10
Step 2: Get Proper Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Step 3: Publicly Available Information . . . . . . . . . . . . . . . . . . . . . . . . . 11
Step 4: WHOIS & DNS Enumeration . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Step 5: DNS Interrogation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Step 6: Network Reconnaissance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
▼ 2 Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Determining If the System Is Alive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Determining Which Services Are Running or Listening . . . . . . . . . . . . . . . . 54
Scan Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Identifying TCP and UDP Services Running . . . . . . . . . . . . . . . . . . . . 56
Windows-Based Port Scanners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Port Scanning Breakdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Detecting the Operating System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Active Stack Fingerprinting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Passive Stack Fingerprinting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
▼ 3 Enumeration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Basic Banner Grabbing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Enumerating Common Network Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Part II System Hacking
Case Study: DNS High Jinx—Pwning the Internet . . . . 152
▼ 4 Hacking Windows . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . 157
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
What’s Not Covered . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Unauthenticated Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Authentication Spoofing Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Remote Unauthenticated Exploits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Authenticated Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Privilege Escalation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Extracting and Cracking Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Remote Control and Back Doors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Port Redirection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Covering Tracks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
General Countermeasures to Authenticated Compromise . . . . . . . . 202
Windows Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Windows Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Automated Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Security Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Security Policy and Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Bitlocker and the Encrypting File System (EFS) . . . . . . . . . . . . . . . . . 211
Windows Resource Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Integrity Levels, UAC, and LoRIE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Data Execution Prevention (DEP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Service Hardening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Compiler-based Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Coda: The Burden of Windows Security . . . . . . . . . . . . . . . . . . . . . . . . 220
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
▼ 5 Hacking Unix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
The Quest for Root . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
A Brief Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Vulnerability Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Remote Access vs. Local Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Data-Driven Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
I Want My Shell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Common Types of Remote Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Local Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
After Hacking Root . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
What Is a Sniffer? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
How Sniffers Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Popular Sniffers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Rootkit Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Part III Infrastructure Hacking
Case Study: Read It and WEP . . . . . 312
▼ 6 Remote Connectivity and VoIP Hacking . . . . . . . . . . . . . . . . . . . 315
Preparing to Dial Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
War-Dialing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Legal Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Peripheral Costs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Brute-Force Scripting—The Homegrown Way . . . . . . . . . . . . . . . . . . . . . . . . 336
A Final Note About Brute-Force Scripting . . . . . . . . . . . . . . . . . . . . . . 346
PBX Hacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Voicemail Hacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
Virtual Private Network (VPN) Hacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Basics of IPSec VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Voice over IP Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Attacking VoIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
▼ 7 Network Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
Autonomous System Lookup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
Normal traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
traceroute with ASN Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
show ip bgp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Public Newsgroups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Service Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Network Vulnerability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
OSI Layer 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
OSI Layer 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
OSI Layer 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
Misconfigurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Route Protocol Hacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
Management Protocol Hacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
▼ 8 Wireless Hacking . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . 445
Wireless Footprinting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Equipment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
War-Driving Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
Wireless Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
Wireless Scanning and Enumeration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
Wireless Sniffers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
Wireless Monitoring Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
Identifying Wireless Network Defenses and Countermeasures . . . . . . . . . . 470
SSID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
MAC Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
Gaining Access (Hacking 802.11) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
SSID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
MAC Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
WEP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
Attacks Against the WEP Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
Tools That Exploit WEP Weaknesses . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
LEAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
WPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486
Attacks Against the WPA Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
▼ 9 Hacking Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
Physical Access: Getting in the Door . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
Hacking Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
Default Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
Owned Out of the Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
Standard Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
Bluetooth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
Reverse Engineering Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
Mapping the Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
Sniffing Bus Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
Firmware Reversing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
JTAG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
Part IV Application and Data Hacking
Case Study: Session Riding . . . .. . . . 516
▼ 10 Hacking Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
Common Exploit Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
Buffer Overflows and Design Flaws . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
Input Validation Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
Common Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
People: Changing the Culture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
Process: Security in the Development Lifecycle (SDL) . . . . . . . . . . . . 532
Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
Recommended Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542
▼ 11 Web Hacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
Web Server Hacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544
Sample Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546
Source Code Disclosure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546
Canonicalization Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
Server Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 548
Buffer Overflows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550
Web Server Vulnerability Scanners . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551
Web Application Hacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553
Finding Vulnerable Web Apps with Google . . . . . . . . . . . . . . . . . . . . . 553
Web Crawling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555
Web Application Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 556
Common Web Application Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
▼ 12 Hacking the Internet User . . . .. . . . . . . . . . . . . . . . . . . . . . . 585
Internet Client Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
A Brief History of Internet Client Hacking . . . . . . . . . . . . . . . . . . . . . . 586
JavaScript and Active Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 590
Cookies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591
Cross-Site Scripting (XSS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 592
Cross-Frame/Domain Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . 594
SSL Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595
Payloads and Drop Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 598
E-Mail Hacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
Instant Messaging (IM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
Microsoft Internet Client Exploits and Countermeasures . . . . . . . . . 604
General Microsoft Client-Side Countermeasures . . . . . . . . . . . . . . . . 609
Why Not Use Non-Microsoft Clients? . . . . . . . . . . . . . . . . . . . . . . . . . . 614
Socio-Technical Attacks: Phishing and Identity Theft . . . . . . . . . . . . . . . . . . . 615
Phishing Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616
Annoying and Deceptive Software: Spyware, Adware, and Spam . . . . . . . 619
Common Insertion Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 620
Blocking, Detecting, and Cleaning Annoying and Deceptive Software . . . . . . . . . 622
Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623
Malware Variants and Common Techniques . . . . . . . . . . . . . . . . . . . . 623
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
Part V Appendixes
▼ A Ports . . . . . . . . . . . . . . . . . . 639
▼ B Top 14 Security Vulnerabilities . . . . .. . . . . . . . . . . . . 647
▼ C Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks .. . . . . . 649
▼ Index . . . . . . . . . . . . . . . . . . . . . . . . . . 655