
the hacker's handbook the strategy behind breaking into and defending networks.pdf.crdownload


DOCUMENT INFORMATION

Basic information

Format
Number of pages: 849
Size: 18.07 MB


Contents


Page 2

The Strategy behind Breaking into and Defending Networks

Page 3

Information Security Architecture
Jan Killmeyer Tudor, ISBN: 0-8493-9988-2

Information Security Management Handbook, 4th Edition, Volume 1
Harold F. Tipton and Micki Krause, Editors, ISBN: 0-8493-9829-0

Information Security Management Handbook, 4th Edition, Volume 2
Harold F. Tipton and Micki Krause, Editors, ISBN: 0-8493-0800-3

Information Security Management Handbook, 4th Edition, Volume 3
Harold F. Tipton and Micki Krause, Editors, ISBN: 0-8493-1127-6

Information Security Management Handbook, 4th Edition, Volume 4
Harold F. Tipton and Micki Krause, Editors, ISBN: 0-8493-1518-2

ISBN: 0-8493-1137-3

Information Security Risk Analysis
Thomas R. Peltier, ISBN: 0-8493-0880-1

Interpreting the CMMI: A Process Improvement Approach
Margaret Kulpa and Kurt Johnson, ISBN: 0-8493-1654-5

IS Management Handbook, 8th Edition
Carol V. Brown and Heikki Topi, ISBN: 0-8493-1595-6

Managing a Network Vulnerability Assessment
Thomas R. Peltier and Justin Peltier, ISBN: 0-8493-1270-1

A Practical Guide to Security Engineering and Information Assurance
Debra Herrmann, ISBN: 0-8493-1163-2

The Privacy Papers: Managing Technology and Consumers, Employee, and Legislative Action
Rebecca Herold, ISBN: 0-8493-1248-5

Securing and Controlling Cisco Routers
Peter T. Davis, ISBN: 0-8493-1290-6

Six Sigma Software Development
Christine B. Tayntor, ISBN: 0-8493-1193-4

Software Engineering Measurement
John Munson, ISBN: 0-8493-1502-6

A Technical Guide to IPSec Virtual Private Networks
James S. Tiller, ISBN: 0-8493-0876-3

Telecommunications Cost Management
Brian DiMarsico, Thomas Phelps IV, and William A. Yarberry, Jr., ISBN: 0-8493-1101-2

AUERBACH PUBLICATIONS
www.auerbach-publications.com

Page 4

AUERBACH PUBLICATIONS
A CRC Press Company: Boca Raton, London, New York, Washington, D.C.

Handbook

SUSAN YOUNG AND DAVE AITEL

The Strategy behind Breaking into and Defending Networks

Page 5

This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publish reliable data and information, but the authors and the publisher cannot assume responsibility for the validity of all materials or for the consequences of their use.

Neither this book nor any part may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, microfilming, and recording, or by any information storage or retrieval system, without prior permission in writing from the publisher.

All rights reserved. Authorization to photocopy items for internal or personal use, or the personal or internal use of specific clients, may be granted by CRC Press LLC, provided that $1.50 per page photocopied is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923 USA. The fee code for users of the Transactional Reporting Service is ISBN 0-8493-0888-7/04/$0.00+$1.50. The fee is subject to change without notice. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

The consent of CRC Press LLC does not extend to copying for general distribution, for promotion, for creating new works, or for resale. Specific permission must be obtained in writing from CRC Press LLC for such copying.

Direct all inquiries to CRC Press LLC, 2000 N.W. Corporate Blvd., Boca Raton, Florida 33431.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation, without intent to infringe.

Visit the Auerbach Publications Web site at www.auerbach-publications.com

© 2004 by CRC Press LLC. Auerbach is an imprint of CRC Press LLC.

No claim to original U.S. Government works. International Standard Book Number 0-8493-0888-7. Library of Congress Card Number 2003055391. Printed in the United States of America 1 2 3 4 5 6 7 8 9 0. Printed on acid-free paper.

Library of Congress Cataloging-in-Publication Data

Young, Susan (Susan Elizabeth), 1968–
The hacker’s handbook : the strategy behind breaking into and defending Networks / Susan Young, Dave Aitel.
p. cm.
Includes bibliographical references and index.
ISBN 0-8493-0888-7 (alk. paper)
1. Computer networks—Security measures. 2. Computer networks—Access control. 3. Computer hackers. I. Aitel, Dave. II. Title.
TK5105.59.Y68 2003
CIP

Page 6

Acknowledgments

Every book, as they say, has a story. This book’s history has been a long and varied one. Along the way, numerous individuals have contributed.

The authors would like to thank the following individuals for their contributions and support:

tireless support of this book, in spite of its long (and somewhat nefarious) history

and John Zuena — for taking the time and care to write several excellent chapters on the hacking community, malware, directory services, and network hardware that contain some truly unique and interesting material

Cemm, Ben Rothke, and Ted Shagory, for their insights and for dedicating their time and energy to helping to shape a better book

We are confident that this review process will continue as this text goes to publication, and want — in advance — to thank our readers and reviewers for their attention to the ongoing quality of this book.

In addition, Dave Aitel would like to thank Justine Bone for her support and encouragement and Susan Young would like to thank the following individuals: the Darklord (Thomas McGinn) for keeping his personal commitment to support the effort that went into this book in spite of many months of spent deadlines, missed weekends, and fatigue (thanks, T2B); Trevor Young, for lending his genuine talent, enthusiasm, time, and care to crafting the illustrations throughout this book; Gemma Young, and her parents, Sylvia and Neil, for their interest, support, and advice through two years of long distance phone calls; and International Network Services (and particularly Steven Marandola, Bob Breingan, and Shaun Meaney) for making available time and support for the completion of this book.

Page 7

Dave Aitel is the founder of Immunity, Inc. (www.immunitysec.com), with prior experience at both private industry security consulting companies and the National Security Agency. His tools, SPIKE and SPIKE Proxy, are widely regarded as the best black box application assessment tools available.

Susan Young has worked in the security field for the past seven years, four of which have been spent in the security consulting arena, helping clients design and implement secure networks, training on security technologies, and conducting security assessments and penetration tests of client system or network defenses (so-called ethical hacking). Her experience has included consulting work in the defense sector and the financial industry, as well as time spent evaluating and deconstructing various security products. She currently works as a senior security consultant in the Boston area security practice of International Network Services (INS).

Page 8

Scott Brown (CISSP, GCIA, GCIH) is a senior security consultant for International Network Services, with more than 13 years experience in the information technologies field. He is a Certified Information Systems Security Professional (CISSP), and holds both SANS GCIA and GCIH certifications. Scott is also a private pilot with a rating in single engine aircraft.

John Zuena (CISSP, CCNA, CCDA, NNCSE) is a senior consultant for International Network Services, with more than 14 years experience in the information technologies field. He is a Certified Information Systems Security Professional (CISSP) and holds both Cisco and Nortel internetworking certifications. He is also a private pilot with ratings in both single engine airplanes and helicopters.

Page 9

to create a set of illustrations for this book that have become truly integral to the book and the subject matter

Page 10

List of Abbreviations

ASCII ASCII Character Set (ASCII)
Server Edition
CANVAS Immunity Security’s CANVAS Vulnerability Scanner
EIGRP Enhanced Interior Gateway Routing Protocol
ESMTP Extended Simple Mail Transfer (Protocol)
requests where the oldest requests are prioritized

Page 11


Library, Microsoft)
HTTPS Secure Hypertext Transmission Protocol
ISAKMP Internet Security Association and Key Management Protocol
designation used by Microsoft’s Internet Information Server (IIS)
MSRPC Microsoft Remote Procedure Call

Page 12

PHP Hypertext Preprocessor
SATAN Security Administrator Tool for Analyzing Networks
SIGINT Signal Intelligence
SOCKS Sockets Protocol (Firewall)
impose File System Access Control Lists
SYN-ACK Synchronize-Acknowledge (TCP SYN ACK)
XDMCPD X Display Manager Control Protocol

Page 13

1 Introduction: The Chess Game

Book Structure
Chapter 2 Case Study in Subversion
Chapter 3 Know Your Opponent
Chapter 4 Anatomy of an Attack
Chapter 5 Your Defensive Arsenal
Chapter 6 Programming
Chapter 7 IP and Layer 2 Protocols
Chapter 8 The Protocols
Chapter 9 Domain Name System (DNS)
Chapter 10 Directory Services
Chapter 11 Simple Mail Transfer Protocol (SMTP)
Chapter 12 Hypertext Transfer Protocol (HTTP)
Chapter 13 Database Hacking
Chapter 14 Malware and Viruses
Chapter 15 Network Hardware
Chapter 16 Consolidating Gains
Chapter 17 After the Fall
Chapter 18 Conclusion

PART I FOUNDATION MATERIAL

2 Case Study in Subversion

Dalmedica
The Dilemma
The Investigation
Notes

3 Know Your Opponent

Terminology
Script Kiddy
Cracker
White Hat Hacker
Black Hat Hacker
Hacktivism
Professional Attackers

Page 14

History
Computer Industry and Campus
System Administration
Home Computers
Home Computers: Commercial Software
Home Computers: The BBS
Phone Systems
Ethics and Full Disclosure
Opponents Inside
The Hostile Insider
Corporate Politics
Conclusion
Notes

4 Anatomy of an Attack

Overview
Reconnaissance
Social Engineering and Site Reconnaissance
Internet Reconnaissance
Internet Search Engines and Usenet Tools
Financial Search Tools, Directories, Yellow Pages, and Other Sources
IP and Network Reconnaissance
Registrar and whois Searches
Network Registrar Searches (ARIN)
DNS Reconnaissance
Mapping Targets
War Dialing
Network Mapping (ICMP)
ICMP Queries
TCP Pings: An Alternative to ICMP
Traceroute
Additional Network Mapping Tools
Port Scanning
TCP and UDP Scanning
Banner Grabbing
Packet Fragmentation Options
Decoy Scanning Capabilities
Ident Scanning
FTP Bounce Scanning
Source Port Scanning
Stack Fingerprinting Techniques
Vulnerability Scanning (Network-Based OS and Application Interrogation)
Researching and Probing Vulnerabilities
System/Network Penetration

Page 15

Account (Password) Cracking
Application Attacks
Cache Exploits
File System Hacking
Hostile and Self-Replicating Code
Programming Tactics
Process Manipulation
Shell Hacking
Session Hijacking
Spoofing
State-Based Attacks
Traffic Capture (Sniffing)
Trust Relationship Exploitation
Denial-of-Service
Consolidation
Security
Notes
References
Texts
Web References

5 Your Defensive Arsenal

The Defensive Arsenal
Access Controls
Network Access Controls (Firewalls)
State Management Attacks on Firewalls
Firewall Ruleset and Packet Filter Reconnaissance
IP Spoofing to Circumvent Network Access Controls
Denial-of-Service
Packet Fragmentation Attacks
Application Level Attacks
System Access Controls
Host-Based Firewalls
Operating System Access Controls and Privilege Management
Authentication
IP Authentication
Password Authentication
Account/Password Cracking
Eavesdropping Attacks
Password Guessing Attacks
Token-Based Authentication
Session Authentication
Session Authentication Scheme Cracking
Generation of Counterfeit Session Auth Credentials
Session ID Brute-Forcing

Page 16

Session Auth Eavesdropping
Session Auth/ID Stealing or “Hijacking”
Client Session/ID Theft
Cryptographic (Key-Based) Authentication
Key Transfer and Key Management Vulnerabilities
Key Transfer Vulnerabilities
Key Management Vulnerabilities (Public Key Infrastructure)
Key Binding and Impersonation Vulnerabilities
Dictionary and Brute-Force Attacks against Weak Secrets
Centralized Authentication Servers
RADIUS
TACACS
Kerberos
Human Authentication (Biometrics)
Resource Controls
Nonrepudiation
Digital Signatures (and Digital Certificates)
Privacy
Virtual Private Network (VPN)
Session and Protocol Encryption
Secure Sockets Layer (SSL)
Certificate and Impersonation Attacks (SSL)
Cryptographic Weaknesses (SSL)
Attacks against the Handshake Protocol (SSL)
SSL Man-in-the-Middle Attacks
Man-in-the-Middle Attack Version Rollback (SSL)
Viruses, Worms, and other Application Issues (SSL)
Secure Shell (SSH)
File System Encryption
Intrusion Detection
Network-Based and Host-Based IDS
Anomaly-Based (Behavior-Based) IDS
Signature-Based (Knowledge-Based) IDS
IDS Hacking Exploits
Address Spoofing or Proxying
Attacking the IDS
Denial-of-Service
Instigating Active Events
Nondefault Evasion and Pattern Change Evasion
Packet Fragmentation and “Session Splicing”
Port Scan Evasion
TCP Session Synchronization Attacks

Page 17

URL Encoding (Unicode and Hex Attacks)
Web Evasion Techniques
File System Integrity Checkers
Security Information Management
Data Integrity
Application Proxies
Content Assurance (Antivirus, Content Scanning)
Notes
References
Texts
Web References

6 Programming

Languages
Speed and Security Trade-Offs
Native Compiled Code: C/C++/Assembly
Bytecode/Just in Time Compiled Code (“Managed” Code): C#/Java
Interpreted (Usually Compiled into Byte Codes at Runtime): Perl, Python (Scripting Languages), PHP, Visual Basic, ASP, Lisp, JSP (Web Languages)
Language-Specific Flaws and Strategic Ways to Protect against Them
The Basics of Buffer Overflows and Other Memory Allocation Errors
History
Basic Stack Overflows
Options for the Hacker after a Stack Overflow
So What Is a Stack Canary?
Heap Overflows
Format String Bugs
Integer Overflows
Signal Races on UNIX
What Is Shellcode?
Interpreter Bugs
File Name Canonicalization
Logic Error War Stories
Platform-Specific Programming Security Issues
Windows NT Compared to UNIX
Types of Applications
Web Applications
Cross-Site Scripting Vulnerabilities
Java J2EE
Traditional ASP

Page 18

.Net
LAMP
Remote Procedure Calling
Creating an RPC Program
Special Cases
Setuid Applications on UNIX
DCOM Services
Auditing Techniques
Tools That Aid Source Auditing
Tools That Aid Reverse Engineering
Fuzzing Audit Tools
Web Security Audit Tools
General Security Tools
Encryption and Authentication
Layered Defenses
Platform-Specific Defenses (Security through Security and Security through Obscurity)
Nonexecutable Stack
Using a Different Platform Than Expected
File System User Access Controls
Process Logging
The Insider Problem, Backdoors, and Logic Bombs
Buying an Application Assessment
Conclusion
References

7 IP and Layer 2 Protocols

Layer 2 Protocols
Address Resolution Protocol (ARP)
Protocol
Hacking Exploits
Security (Mapping ARP Exploits to ARP Defenses)
Static ARP Entries on Internet Gateways and Firewalls
Network Management
ARP Monitoring
Port-Level Security
Reverse Address Resolution Protocol (RARP)
Protocol
Hacking Exploits
Security (Defenses for RARP-Related Attacks: DHCP, BOOTP)
Assignment of Static IP Addresses to Clients
Use of DHCP/BOOTP MAC Controls
ARP Monitoring

Page 19

Port-Level Security
Layer 3 Protocols
IP Protocol
Protocol
Hacking Exploits
IP Eavesdropping (Packet Sniffing)
IP Spoofing
IP Session Hijacking (Man-in-the-Middle Attacks)
IP Packet Fragmentation Attacks
ICMP-Based Fragmentation Attacks
Tiny Fragment Attacks
Overlapping Fragment Attacks
IP Covert Tunneling
Security (Mapping IP Exploits to IP Defenses)
Tools and Techniques to Detect Promiscuous Mode Packet Sniffers
System Audits to Identify NICs in Promiscuous Mode
System Hardening Procedures to Inhibit Sniffer Installation
Inspection of Systems for Signs of Rootkit Compromise
Institution of Switched Network
Institution of ARP Monitoring
Institution of Traffic Encryption
Implementation of Strong Authentication
Institution of Spoof Protection at Firewalls and Access Control Devices
Patch TCP/IP Implementations
Deny Source Routing at Gateways and Firewalls
Deny ICMP Redirects at Gateways and Firewalls
Deter the Use of IP Addresses for Authentication or Construction of Trust Relationships
Implement ARP Controls
Monitor Network Traffic Using Network and Host-based IDS
Restrict ICMP Traffic into and out of a Protected Network
Patch Firewalls and Intrusion Detection Systems against Packet Fragmentation Attacks
Notes
References
Texts
Request for Comments (RFCs)
White Papers and Web References

Page 20

8 The Protocols

Layer 3 Protocols
Internet Control Message Protocol (ICMP)
Protocol
Hacking Exploits
ICMP-Based Denial-of-Service
ICMP Network Reconnaissance
ICMP Time Exceeded
ICMP Access Control Enumeration
ICMP Stack Fingerprinting
ICMP Covert Tunneling
Security
Deny ICMP Broadcasts
Network Controls against ICMP Packet Flooding
IP Spoofing Defenses
Patch TCP/IP Implementations against ICMP Denial-of-Service and ICMP Typing
Monitor Network Traffic Using Network and Host-Based Intrusion Detection Systems (IDSs)
Restriction of Specific ICMP Message Types
Monitor ICMP Activity at Firewalls and Intrusion Detection Systems
Layer 4 Protocols
Transmission Control Protocol (TCP)
Protocol
Hacking Exploits
Covert TCP
TCP Denial-of-Service
TCP Sequence Number Prediction (TCP Spoofing and Session Hijacking)
TCP Stack Fingerprinting
TCP State-Based Attacks
Security
Network Controls against TCP Packet Flooding
IP Spoofing Defenses
Patch TCP/IP Implementations against TCP Denial-of-Service, TCP Stack Fingerprinting, and TCP Sequence Number Prediction
Monitor Network Traffic Using Network and Host-Based IDS Systems
Activation of SYN Flood Protection on Firewalls and Perimeter Gateways
Implement Stateful Firewalling
User Datagram Protocol (UDP)
Protocol

Page 21

Hacking Exploits
Covert UDP
UDP Denial-of-Service
UDP Packet Inspection Vulnerabilities
Security
Disable Unnecessary UDP Services
Network Controls against UDP Packet Flooding
IP Spoofing Defenses
Patch TCP/IP Implementations against UDP Denial-of-Service
Monitor Network Traffic Using Network- and Host-Based IDS Systems
Implement Stateful Firewalling
Notes
References
Texts
Request for Comments (RFCs)
White Papers and Web References

PART II SYSTEM AND NETWORK PENETRATION

9 Domain Name System (DNS)

The DNS Protocol
DNS Protocol and Packet Constructs (Packet Data Hacking)
DNS Vulnerabilities
DNS Exploits and DNS Hacking
Protocol-Based Hacking
Reconnaissance
DNS Registration Information
Name Server Information
IP Address and Network Topology Data
Information on Key Application Servers
Protocol-Based Denial-of-Service
Dynamic DNS (DDNS) Hacking
Application-Based Attacks
Buffer Overflows (Privileged Server Access, Denial-of-Service)
Exploiting the DNS Trust Model
DNS Registration Attacks
DNS Spoofing
Cache Poisoning
DNS Hijacking
DNS Security and Controls
Mapping Exploits to Defenses
Defensive Strategy

Page 22

Configuration Audit and Verification Tools
DDNS Security
Name Server Redundancy
DNSSEC: Authentication and Encryption of DNS Data
Name Server Software Upgrade(s)
Network and Name Server Monitoring and Intrusion Detection
Berkeley Internet Name Daemon (BIND) Logging Controls
Microsoft Windows 2000 DNS Logging Controls
Patches and Service Packs
Server-Side Access Controls
Split-Level DNS Topologies (and DNS Proxying)
Split-Level DNS Topology
System and Service Hardening
Notes
References
Texts
Request for Comments (RFCs)
Mailing Lists and Newsgroups
Web References

10 Directory Services

What Is a Directory Service?
Components of a Directory
Schema
Leaf Object
Container Object
Namespace
Directory Information Tree
Directory Information Base (DIB)
Directory Features
Directory Security
Single Sign On
Uses for Directory Systems
Directory-Enabled Networking
Linked Provisioning
Global Directory
Public Key Infrastructure
Directory Models
Physical vs Logical
Flat vs Hierarchical
X.500 Directory
X.500 Schema
X.500 Partitions
X.500 Objects and Naming

Page 23

A Word about Aliases
X.500 Back-End Processes
Directory Information Tree
Directory Information Base
Replication
Agents and Protocols
X.500 Directory Access
X.500 Security
Authentication
Simple Authentication
Strong Authentication
Access Control
Rights
Summary
Lightweight Directory Access Protocol (LDAP)
LDAP Schema
LDAP Partitions
LDAP Objects and Naming
LDAP Queries
LDAP Data Interchange Format (LDIF)
LDAP Security
Authentication
Anonymous Access
Simple Authentication
Simple Authentication with Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
Simple Authentication and Security Layer (SASL)
Access Control
Summary
Active Directory
Windows NT
Windows 2000 Schema
Windows 2000 Partitions
Windows 2000 Objects and Naming
The Domain
The Tree
The Forest
The Forest Root Domain
Naming Standards and Resolution in Windows 2000
Active Directory Back-End Processes
The Directory Information Base (DIB)
Replication
The Global Catalog
Windows 2000 Security
Authentication

Page 24

Kerberos
NTLM
Access Control
Exploiting LDAP
Sun ONE Directory Server 5.1
Microsoft Active Directory
Summary
Future Directions
Further Reading

11 Simple Mail Transfer Protocol (SMTP)

The SMTP Protocol
SMTP Protocol and Packet Constructs (Packet Data Hacking)
SMTP Vulnerabilities
SMTP Protocol Commands and Protocol Extensions
Protocol Commands
Protocol Extensions
SMTP Exploits and SMTP Hacking
SMTP Protocol Attacks
Account Cracking
Eavesdropping and Reconnaissance
ESMTP and Command Set Vulnerabilities
Protocol-Based Denial-of-Service
Mail Bombing
Mail Spamming
Man-in-the-Middle Attacks
Application-Based Attacks
Malicious Content (MIME Attacks)
Buffer Overflows (Privileged Server Access)
Worms and Automated Attack Tools
Application-Based Denial-of-Service
Attacks on the Mail Trust Model
Mail Spoofing
Identity Impersonation
Attacks on Data Integrity
Delivery Status Notification Manipulation
SMTP Security and Controls
Mapping Exploits to Defenses
Defensive Strategy
Antispam/Antirelay Controls
Antivirus and Content Scanning
Client-Side Access Controls
Content or Code Signing
Delivery Status Notification Controls
Disable Vulnerable ESMTP and SMTP Commands

Page 25

Disable Vulnerable MIME Types
Network and SMTP Server Monitoring, Intrusion Detection
Patches and Service Packs
Separation of SMTP and Intranet Account Databases
Server-Side Access Controls
Server Redundancy
SMTP Header Stripping and Parsing
SMTP Source Routing Controls
Split SMTP Topology
System and Service Hardening
Transport Layer Security, Secure Socket Layer Security
Notes
References
Texts
Request for Comments (RFCs)
White Papers and Web References

12 Hypertext Transfer Protocol (HTTP)

The HTTP Protocol
HTTP Protocol and Packet Constructs (Packet Data Hacking)
HTTP Vulnerabilities
HTTP Protocol Methods (and Associated Vulnerabilities)
HTTP Exploits and HTTP Hacking
HTTP Protocol Attacks
Eavesdropping and Reconnaissance
Account Cracking
Basic Access Authentication
Digest Access Authentication
HTTP Method Vulnerabilities
Content Vulnerabilities
Caching Exploits
Cache Poisoning
Man-in-the-Middle Attacks
Unauthorized Retrieval of Cache Data and Cache Monitoring
Denial-of-Service
Protocol-Based Denial-of-Service
Application-Based Attacks
Buffer Overflows (Privileged Server Access, Denial-of-Service)
Directory Traversal Attacks
Application-Based Denial-of-Service
Attacks on the HTTP Trust Model

Page 26

State-Based Attacks (Session ID Hacking)
HTTP Spoofing/HTTP Redirection
Man-in-the-Middle Attacks (Session Hijacking)
HTTP Security and Controls
Mapping Exploits to Defenses
Defensive Strategy
Caching Controls and Cache Redundancy
Disable Vulnerable HTTP Methods
HTTP Header Stripping
Implementation of HTTP Digest Access Authentication
Load Balancing and Server Redundancy
Network and HTTP Server Monitoring, Intrusion Detection
Patches and Service Packs
Security for Financial Transactions
Server-Side Access Controls
System and Service Hardening
Transport Layer Security or Secure Socket Layer Security
Notes
References
Texts
Request for Comments (RFCs)
Web References

13 Database Hacking and Security

Introduction
Enumeration of Weaknesses
SQL Injection
Introduction
Phases of SQL Injection
Hacking Microsoft SQL Server
Overflows in Microsoft SQL Server
You Had Me at Hello
SQL Server Resolver Service Stack Overflow
Microsoft SQL Server Postauth Vulnerabilities
Microsoft SQL Server SQL Injection
A Note on Attacking Cold Fusion Web Applications
Default Accounts and Configurations
Hacking Oracle
Buffer Overflows in Oracle Servers
SQL Injection on Oracle
Default User Accounts
Tools and Services for Oracle Assessments
Other Databases

Page 27

Connecting Backwards
Demonstration and Examples
Phase 1 Discovery
Phase 2 Reverse Engineering the Vulnerable Application
Phase 3 Getting the Results of Arbitrary Queries
Conclusions

14 Malware and Viruses

Ethics Again
Target Platforms
Script Malware
Learning Script Virus Basics with Anna Kournikova
Binary Viruses
Binary File Viruses
Binary Boot Viruses
Hybrids
Binary Worms
Worst to Come
Adware Infections
Conclusion
Notes

15 Network Hardware

Overview
Network Infrastructure
Routers
Switches
Load-Balancing Devices
Remote Access Devices
Wireless Technologies
Network Infrastructure Exploits and Hacking
Device Policy Attacks
Installation Policy
Acceptable Use Policy
Access Policy
Configuration Storage Policy
Patch or Update Policy
Denial-of-Service
Device Obliteration
Configuration Removal or Modification
Sending Crafted Requests
Physical Device Theft
Environmental Control Modification
Resource Expenditure
Diagnostic Port Attack
Sequence (SYN) Attack

Page 28

Land Attack
Bandwidth Expenditure
Broadcast (Smurf) Attacks
Other ICMP-Related Attacks
Redirects
ICMP Router Discovery Protocol (IDRP) Attack
Ping O’Death
Squelch
Fragmented ICMP
Network Mapping Exploits
Ping
Traceroute
Broadcast Packets
Information Theft
Network Sniffing
Hijacking Attacks
Spoofing
Address Spoofing
TCP Sequence Attacks
Media Access (MAC) Address Exploits
Password or Configuration Exploits
Default Passwords or Configurations
No Passwords
Weak Passwords
Dictionary Password Attacks
Brute-Force Attacks
Logging Attacks
Log Modification
Log Deletion
Log Rerouting
Spoofed Event Management
Network Ports and Protocols Exploits and Attacks
Telnet
BOOTP
Finger
Small Services
Device Management Attacks
Authentication
Console Access
Modem Access (AUX)
Management Protocols
Web (HTTP[S])
Telnet
SSH (Version 1)
TFTP

Page 29

SNMP
Device Configuration Security Attacks
Passwords
Remote Loading (Network Loads)
Router-Specific Exploits
Routing Protocol Attacks
Authentication
IRDP Attacks
Cisco Discovery Protocol (CDP)
Classless Routing
Source Routing
Route Table Attacks
Modification
Poisoning
ARP Table Attacks
Modification
Poisoning
Man-in-the-Middle Attack
Access-Control Lists Attacks
Switch-Specific Exploits
ARP Table
Modification
Poisoning
Man-in-the-Middle Attack
Media Access (MAC) Address Exploits
Changing a Host’s MAC
Duplicate MAC Addresses
Load-Balancing Device-Specific Exploits
Remote Access Device-Specific Exploits
Weak User Authentication
Same Account and Login Multiple Devices
Shared Login Credentials
Home User System Exploitation
Wireless Technology-Specific Exploits
Interception and Monitoring
Jamming
Insertion
Rogue Access Points
Unauthorized Clients
Client-to-Client Attacks
Media Access (MAC) Address
Duplicate IP Address
Improper Access Point Configuration
Service Set Identifier (SSID)
Default SSID

Page 30

SSID Broadcasting
Wired Equivalent Privacy (WEP) Exploits
Network Infrastructure Security and Controls
Defensive Strategy
Routing Protocol Security Options
Management Security Options
Operating System Hardening Options
Protecting Running Services
Hardening of the Box
Explicitly Shut Down All Unused Interfaces
Limit or Disable In-Band Access (via Telnet, SSH, SNMP, Etc.)
Reset All Default Passwords
Use Encrypted Passwords
Use Remote AAA Authentication
Use Access Lists to Protect Terminal, SNMP, TFTP Ports
Remote Login (Telnet) Service
SNMP Service
Routing Services
Limit Use of SNMP
Limit Use of Internal Web Servers Used for Configuration
Disable Cisco Discovery Protocol (CDP) on Cisco Gear Outside of the Firewall
Do Not Leak Info in Banners
Keep Up-to-Date on Security Fixes for Your Network Infrastructure Devices
DoS and Packet Flooding Controls
Use IP Address Spoofing Controls
Watch for Traffic Where the Source and Destination Addresses Are the Same
Enforce Minimum Fragment Size to Protect against Tiny Fragment Attack, Overlapping Fragment Attack, and Teardrop Attack
Disable IP Unreachables on External Interfaces
Disable ICMP Redirects on External Interfaces
Disable Proxy ARP
Disable IP Directed Broadcasts (SMURF Attacks)
Disable Small Services (No Service Small-Servers UDP and No Service Small-Servers TCP)
Disable IP Source Routing (No IP Source-Route)
Use Traffic Shaping (Committed Access Rate)
Tools

Page 31

Configuration Audit and Verification Tools
Wireless Network Controls
Notes
References
Tools
Request for Comments (RFCs)
White Paper
Web References

PART III CONSOLIDATION

16 Consolidating Gains

Overview
Consolidation (OS and Network Facilities)
Account and Privilege Management Facilities
Account Cracking
SMBCapture
Active Directory Privilege Reconnaissance and Hacking
Built-In/Default Accounts, Groups, and Associated Privileges
Finger Service Reconnaissance
Kerberos Hacking and Account Appropriation
Keystroke Logging
LDAP Hacking and LDAP Reconnaissance
Polling the Account Database
Social Engineering
Trojanized Login Programs
File System and I/O Resources
File System and Object Privilege Identification
File System (Operating System) Hacking
File Sharing Exploits
NFS (IP) Spoofing
SMBRelay
File Handle/File Descriptor Hacking
File System Device and I/O Hacking
File System Exploitation through Application Vulnerabilities
Application-Based File System Hacking
Extended File System Functionality and File System Hacking
Service and Process Management Facilities
Processes, Services, and Privilege Identification
Starting/Stopping Services and Executing with Specific Privileges

Page 32

API, Operating System, and Application Vulnerabilities
Buffer Overflows, Format String, and Other Application Attacks
Debugging Processes and Memory Manipulation
Inter-Process Communication (IPC), Named Pipe, and Named Socket Hacking
Devices and Device Management Facilities
Devices and Device Management Hacking
Keystroke Logging
Packet Sniffing
Libraries and Shared Libraries
Library (and Shared Library) Hacking
Shell Access and Command Line Facilities
Shell Hacking
Registry Facilities (NT/2000)
Registry Hacking
Client Software
Client Software Appropriation
Listeners and Network Services
Account/Privilege Appropriation via a Vulnerable Network Service
NetBIOS/SMB Reconnaissance
Network Information Service (NIS) Reconnaissance
NIS Hacking
SNMP Reconnaissance
Network Trust Relationships
Account Cracking
IP Spoofing
Token Capture and Impersonation
Application/Executable Environment
Consolidation (Foreign Code)
Trojans
Backdoors (and Trojan Backdoors)
Backdoor Listeners
Backdoor Applications
Rootkits
Kernel-Level Rootkits
Security
Mapping Exploits to Defenses
Notes
References and System Hardening References
Texts
Web References

Page 33

System Hardening References
Windows NT/2000
UNIX Platforms

17 After the Fall

Logging, Auditing, and IDS Evasion
Logging and Auditing Evasion
Windows NT/2000 Logging/Auditing Evasion
IP Spoofing
Account Masquerading
Deletion/Modification of Log File Entries
Deletion of Log Files
Disabling Logging
Controlling What Is Logged
Manipulation of Audit Options
Deletion or Update of Audit Files
UNIX Platforms
UNIX Logging/Auditing Evasion
IP Spoofing
Account Masquerading
Deletion/Modification of Log File Entries
Deletion of Log Files
Disabling Log Files
Controlling What Is Logged
Manipulation of Audit and Accounting Options
Deletion or Update of Audit Files
Routers (Cisco)
AAA Protocols (RADIUS, TACACS)
Centralized Logging Solutions (Syslog)
IP Spoofing
Account Masquerading
Deletion/Modification of Log File Entries
Deletion of Log Files
Disabling Log Files
Controlling What Is Logged
IDS Evasion
Forensics Evasion
Environment Sanitization
Sanitizing History Files
Sanitizing Cache Files
File Hiding and File System Manipulation
Operating System File Hiding Techniques
Alternate Data Streams (NT/2000/XP)
Steganography
Cryptography


Covert Network Activities
Covert TCP
“Normalizing” Traffic (Covert Shells)
ICMP Covert Tunneling
Investigative, Forensics, and Security Controls
Mapping Exploits to Defenses
Centralized Logging and Archival of Log File Data
Centralized Reporting and Data Correlation
Encryption of Local Log File Data
Establishment of Appropriate Access Controls for Log Files
Implementation of Tools for Remote Monitoring of Log Files
Patches and Software Updates
Process Monitoring for Logging Services
Regular File System Audits
Strict Management of Audit and Accounting-Related Privileges
Traffic Encryption for Syslog Packet Data
Notes
References
Texts
Web References

18 Conclusion

Conclusion: Case Study in Subversion
Dalmedica’s Perspective
Access Points
Bastion Hosts
Reconnaissance Activity
Target Systems
Conclusion (Final Thoughts)
References
Areas of Focus
General Hacking and Security Resources
Authentication Technologies
Cryptography
DNS and Directory Services
Network Management
Route/Switch Infrastructures
Storage Networking
Voice over IP
Wireless Networks
Notes


Chapter 1

Introduction:

The Chess Game

When you see a good move, look for a better one.

— Garry Kasparov

A chess game is a dialogue, a conversation between a player and his opponent. Each move by the opponent may contain threats or be a blunder, but a player cannot defend against threats or take advantage of blunders if he does not first ask himself: What is my opponent planning after each move?

— Bruce A Moon


In many ways, this is almost the hardest chapter to pen in this book; in writing this, I am forced to relive the many occasions on which I have stood in a bookstore leafing through a technical book, trying to determine its value to the technical “excursion” I am currently embarked on. I generally start with the preface … (sigh). For this particular book, putting together an

was deliberately constructed as a multifaceted text

Let me try — this book is about hacking, yes, but it is also weighted towards the security community. At the time when the authors started framing the book (May 2001), a significant number of books on the subject of digital hacking and security had already been published. In an effort to make some “space” for this book, we reviewed many of them and came to the conclusion that there was room for a book that adopted an analytical perspective on hacking and security and attempted to inform readers about the technical aspects of hacking that are, perhaps, least understood by system, network, and security administrators.

To this end, we compiled a list of objectives that truly informed the way in which this book was constructed:

intended to inform the reader’s understanding of both Most

is to inform the way in which administrators defend systems and networks by exploring hacking exploits and defenses in the same technical context

directory services and specific administrative tasks, system ing, forensics investigation, etc.), to facilitate using the book as a technical security reference. If you are a DNS administrator, for example, you should be able to quickly locate material relevant to DNS hacking and DNS security.

Key foundation chapters address the following:

intended to provide a rounded approach to the subject matter. Each chapter is organized to provide an appropriate theoretical foundation for the chapter material as a frame of reference for the reader. Tools, exploit code, and hacking “techniques” are analyzed in this context but with sufficient latitude to reinforce the fact that hacking is still a “creative” activity.

“path” for readers to continue to augment their knowledge of the field and act as a guide to consolidating the sheer volume of hacking and security information available through the Internet and other resources. Providing this information is also intended to ensure that the technical material presented in this book is enduring.

As indicated, the book is oriented toward systems, network, and security administrators with some degree of security experience who are looking to expand their knowledge of hacking techniques and exploits as a means of informing their approach to systems and network security. This orientation makes for a fairly broad audience and is reflected in the breadth of the material presented. To ensure that the book delivers on this objective, each chapter contains a table mechanism and chapter section that deliberately “maps” hacking exploits to prospective defenses, and each chapter ends with a treatment of prospective security defenses.

The only practical limitation to the book material is that the authors chose to focus on the Microsoft Windows NT/2000 and UNIX platforms; the volume and depth of technical material presented in the book necessitated setting some scope constraints. The authors felt that there might be value in limiting the range of platforms represented in the text to add more technical depth to the application hacking material. Rather than under-representing platforms such as Novell or Mainframe/Midrange, the decision was made to exclude them altogether.

To reinforce the positioning of hacking and security material in the book, a “chess game” analogy has been played throughout the material (none of the authors, by the way, are particularly good chess players). The dynamics and strategy of chess were thought by the authors to have several parallels with the subject matter presented in this book:

the chess game depends upon that party’s ability to enhance his or her skills relative to his or her opponent’s

the moves of their opponents so that they can prevail and checkmate their opponents

security tactics can be conceived of in the same manner

and creative attacker can overcome them


• Offensive strategies also exist, but intelligent and vigilant defenderscan counter them.

than learning and adjusting as the chess game progresses

move

Use of this analogy is also intended to credit the general hacking community for its resourcefulness in pursuing new types of vulnerabilities and exploit code. It is not a perfect analogy (defenders generally do not attack their attackers, for example), but it is pretty close. The chess game theme has been reinforced in this book through the incorporation of a series of illustrations (by Trevor Young) that lend some art (and humor) to the subject matter.

Susan Young, March 2003

Book Structure

programming, protocol, and attack concepts that are applied throughout the

addresses specific subject areas (protocols, services, technologies, ing facilities, hostile code) that relate to system and network penetration

consolidation activities conducted by hackers once a system or network has been successfully penetrated to establish and expand a “presence.” The following information provides a detailed breakdown on the content of each chapter.

Chapter 2 Case Study in Subversion

The concept behind this chapter is to present a case study that demonstrates what a complex network attack looks like from an administrator’s

case study material from an attacker’s perspective, leveraging the technical material presented throughout the book.

The case study adopts a couple of fictional characters (a hacker and network administrator) and charts their moves as the attack unwinds using system and device log files, screens, etc., and a fairly complex network based around a reasonable security architecture.

Chapter 3 Know Your Opponent

constitute the hacking community, providing a potential “profile” of a hacker — script kiddie, hacker, cracker, competitor, political activist, cyberterrorist, Gray Hat, Black Hat, etc.

This chapter is intended to provide some insight into hacking psychology and hacking motivation.

Chapter 4 Anatomy of an Attack

of the tools appropriated in the process. Five elements of attack strategy are presented in a model that opens the chapter:

(Figure residue, book structure diagram: Ch 1 Introduction: The Chess Game; Ch 2 Case Study in Subversion; Ch 3 Know Your Opponent; Ch 9 Domain Name System (DNS); Ch 10 Directory Services; Ch 11 Simple Mail Transfer Protocol (SMTP); Ch 12 Hypertext Transfer Protocol (HTTP))


“Generic” types of attack are briefly overviewed in this chapter as context for the technical chapters that follow, including account attacks, buffer overflows, denial-of-service, session hijacking, spoofing, etc. Each chapter segment concludes with a “Tools” section that provides a table of references to applicable tools and pointers to source code and Web references.

Chapter 5 Your Defensive Arsenal

This chapter dissects the tools employed by administrators to defend a networked environment and examines the vulnerabilities and types of exploits each is prone to.

The following framework is used to organize the security technologies presented in the chapter:

technical complement of the “Protocols” chapters that follow. The chapter addresses the programming flaws exploited by attackers in constructing exploit code and the methodology and programming facilities they draw upon in building a hacking exploit.

Written for the nonprogrammer, the chapter details various types of compiled and interpreted languages and investigates the following types of programming deficiencies and hacking facilities:

Posted on: 06/07/2014, 15:31
