Hacking: The Next Generation
Nitesh Dhanjani, Billy Rios, and Brett Hardin
Beijing • Cambridge • Farnham • Köln • Sebastopol • Taipei • Tokyo
Hacking: The Next Generation
by Nitesh Dhanjani, Billy Rios, and Brett Hardin
Copyright © 2009 Nitesh Dhanjani All rights reserved.
Printed in the United States of America.
Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.
O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://my.safaribooksonline.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or corporate@oreilly.com.
Editor: Mike Loukides
Production Editor: Loranah Dimant
Copyeditor: Audrey Doyle
Proofreader: Sada Preisch
Indexer: Seth Maislin
Cover Designer: Karen Montgomery
Interior Designer: David Futato
Illustrator: Robert Romano
Printing History:
September 2009: First Edition
Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered trademarks of O’Reilly Media, Inc. Hacking: The Next Generation, the image of a pirate ship on the cover, and related trade dress are trademarks of O’Reilly Media, Inc.
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O’Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps.
While every precaution has been taken in the preparation of this book, the publisher and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.
Table of Contents
Preface ix
1 Intelligence Gathering: Peering Through the Windows to Your Organization 1
2 Inside-Out Attacks: The Attacker Is the Insider 25
v
Cross-Site Request Forgery (CSRF) 37
3 The Way It Works: There Is No Patch 71
4 Blended Threats: When Applications Exploit Each Other 91
Mailto:// and the Vulnerability in the ShellExecute Windows API 111
5 Cloud Insecurity: Sharing the Cloud with Your Enemy 121
Amazon’s Elastic Compute Cloud 122
6 Abusing Mobile Devices: Targeting Your Mobile Workforce 149
Direct Attacks Against Your Employees and Associates 162
7 Infiltrating the Phishing Underground: Learning from Online Criminals? 177
8 Influencing Your Victims: Do What We Tell You, Please 201
Abusing Social Profiles 207
9 Hacking Executives: Can Your CEO Spot a Targeted Attack? 223
10 Case Studies: Different Perspectives 241
A Chapter 2 Source Code Samples 255
B Cache_Snoop.pl 265
Index 269
Preface
Attack vectors that seemed fantastical in the past are now a reality. The reasons for this are twofold. First, the need for mobility and agility in technology has made the traditional perimeter-based defense model invalid and ineffective. The consumption of services in the cloud, the use of wireless access points and mobile devices, and the access granted to contingent workers have made the concept of the perimeter irrelevant and meaningless. This issue is further amplified by the increased complexity of and trust placed on web browsers, which when successfully exploited can turn the perimeter inside out. Second, the emergence of Generation Y culture in the workforce is facilitating the use of social media and communication platforms to the point where citizens are sharing critical data about themselves that has been nearly impossible to capture remotely in the past.
The new generation of attackers is aware of risks in emerging technologies and knows how to exploit the latest platforms to the fullest extent. This book will expose the skill set and mindset that today’s sophisticated attackers employ to abuse technology and people so that you can learn how to protect yourself from them.
Audience
This book is for anyone interested in learning the techniques that the more sophisticated attackers are using today. Other books on the topic have the habit of rehashing legacy attack and penetration methodologies that are no longer of any use to criminals. If you want to learn how the techniques criminals use today have evolved to contain crafty tools and procedures that can compromise a targeted individual or an enterprise, this book is for you.
Assumptions This Book Makes
This book assumes you are familiar with and can graduate beyond elementary attack and penetration techniques, such as the use of port scanners and network analyzers. A basic understanding of common web application flaws will be an added plus.
Contents of This Book
This book is divided into 10 chapters. Here’s a summary of what we cover:
Chapter 1, Intelligence Gathering: Peering Through the Windows to Your Organization
To successfully execute an attack against any given organization, the attacker must first perform reconnaissance to gather as much intelligence about the organization as possible. In this chapter, we look at traditional attack methods as well as how the new generation of attackers is able to leverage new technologies for information gathering.
Chapter 2, Inside-Out Attacks: The Attacker Is the Insider
Not only does the popular perimeter-based approach to security provide little risk reduction today, but it is in fact contributing to an increased attack surface that criminals are using to launch potentially devastating attacks. The impact of the attacks illustrated in this chapter can be extremely devastating to businesses that approach security with a perimeter mindset, where the insiders are generally trusted with information that is confidential and critical to the organization.
Chapter 3, The Way It Works: There Is No Patch
The protocols that support network communication, which are relied upon for the Internet to work, were not specifically designed with security in mind. In this chapter, we study why these protocols are weak and how attackers have and will continue to exploit them.
Chapter 4, Blended Threats: When Applications Exploit Each Other
The amount of software installed on a modern computer system is staggering. With so many different software packages on a single machine, managing the interactions between these software packages becomes increasingly complex. Complexity is the friend of the next-generation hacker. This chapter exposes the techniques used to pit software against software. We present the various blended threats and blended attacks so that you can gain some insight as to how these attacks are executed and the thought process behind blended exploitation.
Chapter 5, Cloud Insecurity: Sharing the Cloud with Your Enemy
Cloud computing is seen as the next generation of computing. The benefits, cost savings, and business justifications for moving to a cloud-based environment are compelling. This chapter illustrates how next-generation hackers are positioning themselves to take advantage of and abuse cloud platforms, and includes tangible examples of vulnerabilities we have discovered in today’s popular cloud platforms.
Chapter 6, Abusing Mobile Devices: Targeting Your Mobile Workforce
Today’s workforce is a mobile army, traveling to the customer and making business happen. The explosion of laptops, wireless networks, and powerful cell phones, coupled with the need to “get things done,” creates a perfect storm for the next-generation attacker. This chapter walks through some scenarios showing how the mobile workforce can be a prime target of attacks.
Chapter 7, Infiltrating the Phishing Underground: Learning from Online Criminals?
Phishers are a unique bunch. They are a nuisance to businesses and legal authorities and can cause a significant amount of damage to a person’s financial reputation. In this chapter, we infiltrate and uncover this ecosystem so that we can shed some light on and advance our quest toward understanding this popular subset of the new generation of criminals.
Chapter 8, Influencing Your Victims: Do What We Tell You, Please
The new generation of attackers doesn’t want to target only networks, operating systems, and applications. These attackers also want to target the people who have access to the data they want to get a hold of. It is sometimes easier for an attacker to get what she wants by influencing and manipulating a human being than it is to invest a lot of time finding and exploiting a technical vulnerability. In this chapter, we look at the crafty techniques attackers employ to discover information about people to influence them.
Chapter 9, Hacking Executives: Can Your CEO Spot a Targeted Attack?
When attackers begin to focus their attacks on specific corporate individuals, executives often become the prime target. These are the “C Team” members of the company—for instance, chief executive officers, chief financial officers, and chief operating officers. Not only are these executives in higher income brackets than other potential targets, but also the value of the information on their laptops can rival the value of information in the corporation’s databases. This chapter walks through scenarios an attacker may use to target executives of large corporations.
Chapter 10, Case Studies: Different Perspectives
This chapter presents two scenarios on how a determined hacker can cross-pollinate vulnerabilities from different processes, systems, and applications to compromise businesses and steal confidential data.
In addition to these 10 chapters, the book also includes two appendixes. Appendix A provides the source code samples from Chapter 2, and Appendix B provides the complete Cache_snoop.pl script, which is designed to aid in exploiting DNS servers that are susceptible to DNS cache snooping.
Conventions Used in This Book
The following typographical conventions are used in this book:
Constant width bold
Shows commands and other text that should be typed literally by the user
Constant width italic
Shows text that should be replaced with user-supplied values
This icon signifies a tip, suggestion, or general note.
This icon indicates a warning or caution.
Using Code Examples
This book is here to help you get your job done. In general, you may use the code in this book in your own configurations and documentation. You do not need to contact us for permission unless you’re reproducing a significant portion of the material. For example, writing a program that uses several chunks of code from this book does not require permission. Selling or distributing a CD-ROM of examples from this book does require permission.
We appreciate, but do not require, attribution. An attribution usually includes the title, author, publisher, and ISBN. For example: “Hacking: The Next Generation, by Nitesh Dhanjani, Billy Rios, and Brett Hardin. Copyright 2009, Nitesh Dhanjani, 978-0-596-15457-8.”
If you feel your use of code examples falls outside fair use or the permission given here, feel free to contact us at permissions@oreilly.com.
We’d Like to Hear from You
Please address comments and questions concerning this book to the publisher:
O’Reilly Media, Inc.
1005 Gravenstein Highway North
To comment or ask technical questions about this book, send email to:
bookquestions@oreilly.com
For more information about our books, conferences, Resource Centers, and the O’Reilly Network, see our website at:
http://www.oreilly.com
Safari® Books Online
Safari Books Online is an on-demand digital library that lets you easily search over 7,500 technology and creative reference books and videos to find the answers you need quickly.
With a subscription, you can read any page and watch any video from our library online. Read books on your cell phone and mobile devices. Access new titles before they are available for print, and get exclusive access to manuscripts in development and post feedback for the authors. Copy and paste code samples, organize your favorites, download chapters, bookmark key sections, create notes, print out pages, and benefit from tons of other time-saving features.
O’Reilly Media has uploaded this book to the Safari Books Online service. To have full digital access to this book and others on similar topics from O’Reilly and other publishers, sign up for free at http://my.safaribooksonline.com.
Acknowledgments
Thanks to Mike Loukides for accepting the book proposal and for his guidance throughout the writing process. A big thank you goes to the design team at O’Reilly for creating such a fantastic book cover. Thanks also to the rest of the O’Reilly team—Laurel Ackerman, Maria Amodio, Karen Crosby, Audrey Doyle, Edie Freedman, Jacque McIlvaine, Rachel Monaghan, Karen Montgomery, Marlowe Shaeffer, and Karen Shaner.
Also, thanks to Mark Lucking for reviewing our chapters.
Nitesh would like to thank Richard Dawkins for his dedication in promoting the public understanding of science. At a time when reason increasingly seems unfashionable, Richard’s rhetoric provided comfort and hope that were instrumental in gathering up the energy and enthusiasm needed to write this book (and for other things).
Billy would like to thank his family for their encouragement, his wife for her unending support, and his daughter for her smiles.
Brett would like to thank his wife for allowing him many long days and nights away from his family.
as dumpster diving, querying public databases, and querying search engines. However, new methods that rely on gathering information from technologies such as social networking applications are becoming more commonplace. In this chapter, we will discuss the traditional methods as well as how the new generation of attackers is able to abuse new technologies to gather information.
From the attacker’s point of view, it is extremely important to perform reconnaissance as surreptitiously as possible. Since information gathering is one of the first steps the attacker may perform, he must take care not to do anything that may alert the target. The techniques in this chapter will therefore concentrate on methods that allow an attacker to gather information without sending a single network packet toward the target.
Information gathered during reconnaissance always ends up aiding the attacker in some way, even if it isn’t clear early on how the information is useful. Attackers want to obtain as much information about their target as possible, knowing that the data they collect, if not immediately useful, will most likely be useful in later stages of the attack.
Physical Security Engineering
Gathering information through physical means is a traditional tactic that attackers have been using for a while now. Some examples of information that an attacker can obtain from these methods include network diagrams, financial information, floor plans, phone lists, and information regarding conflicts and communications among employees.
In the next section, we will look at the different techniques attackers use to gather intelligence by physical means.
Dumpster Diving
Dumpster diving, also called “trashing,” is a method of information gathering in which an attacker searches through on-site trash cans and dumpsters to gather information about the target organization. This technique is not new, yet attackers are still able to use it to gather substantial amounts of intelligence. Methods have been developed to attempt to prevent attackers from dumpster diving, such as shredding sensitive data and using off-site companies to securely dispose of sensitive documents.
Even though some companies have taken measures to prevent dumpster diving, attackers can still gather information if they are willing to go through a target’s trash. Instead of securely disposing of trash, employees often throw information that is considered sensitive into the nearest trash can. Humans are creatures of habit and convenience. Why would a person want to walk 25 feet to dispose of something when there is a trash can under her desk?
Figure 1-1 shows a printer cover sheet that exposes the username of the person who requested the print job. Even this username on a piece of paper is an important find for an attacker because it helps the attacker understand how the corporation handles usernames (the first letter of the user’s first name, capitalized, appended to the user’s last name, initial-capped). This knowledge gives the attacker an understanding of how to formulate an individual’s corporate username. The attacker can then use this to conduct further attacks, such as brute force password cracking.
Figure 1-1. Printer banner exposing a username
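The cover sheet above leaks a username because the banner text follows a predictable convention. From the defender’s side, the same convention can be turned into a check: scan the text of print banners and other documents for tokens shaped like corporate usernames, confirm them against the employee directory, and redact them before the paper reaches a printer tray or a trash can. The following Python is an added example, not code from the book; the username scheme (first initial capitalized plus initial-capped last name), the cover-sheet text, and the directory entries are all constructed to match the convention the chapter describes and would be replaced by your organization’s real rule and data.

```python
"""Added example (not from the book): flag and redact strings that follow a
corporate username convention in a text artifact such as a printer cover sheet."""
import re
from typing import Dict, List, Tuple

# Convention quoted in the chapter: first initial, capitalized, followed by the
# last name, initial-capped ("John Smith" -> "JSmith"). Hypothetical scheme;
# substitute your organization's real rule. The pattern needs exactly one
# capital after the initial and then lowercase letters, so acronyms such as
# "HP" or "FLOOR3" do not match.
USERNAME_RE = re.compile(r"\b[A-Z][A-Z][a-z]+\b")

# Constructed sample cover-sheet text (not a real banner).
COVER_SHEET = """\
*** PRINT JOB BANNER ***
Requested by: JSmith
Printer: FLOOR3-HP
Document: Q3_budget_draft.xlsx
Reviewed with AJones and marketing."""

# Constructed employee directory of (first, last) pairs; hypothetical data.
DIRECTORY = [("John", "Smith"), ("Ann", "Jones"), ("Bob", "Lee")]


def expected_username(first: str, last: str) -> str:
    """Derive the username the convention would assign to a person."""
    return first[0].upper() + last.capitalize()


def find_username_candidates(text: str) -> List[Tuple[str, int]]:
    """Return (token, 1-based line number) for every token shaped like a username."""
    hits: List[Tuple[str, int]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in USERNAME_RE.finditer(line):
            hits.append((match.group(0), lineno))
    return hits


def confirm_against_directory(
    candidates: List[Tuple[str, int]], directory: List[Tuple[str, str]]
) -> Dict[str, str]:
    """Keep only candidates that map to a real account, so the report lists
    confirmed exposures rather than every capitalized token."""
    known = {expected_username(f, l): f"{f} {l}" for f, l in directory}
    return {tok: known[tok] for tok, _ in candidates if tok in known}


def redact(text: str, directory: List[Tuple[str, str]]) -> str:
    """Replace confirmed usernames with a placeholder before the sheet is printed."""
    confirmed = confirm_against_directory(find_username_candidates(text), directory)

    def _sub(match: "re.Match[str]") -> str:
        return "[REDACTED]" if match.group(0) in confirmed else match.group(0)

    return USERNAME_RE.sub(_sub, text)


if __name__ == "__main__":
    candidates = find_username_candidates(COVER_SHEET)
    print("candidates:", candidates)
    print("confirmed:", confirm_against_directory(candidates, DIRECTORY))
    print(redact(COVER_SHEET, DIRECTORY))
```

The directory step matters: the regex alone fires on any initial-plus-surname token, so confirming against real accounts keeps the report actionable. The same scan applied to the banner template itself shows whether the print system should stop emitting the requester’s account name at all.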