194_HP_Net2e_FC 2/22/02 10:01 AM Page 1
1 YEAR UPGRADE BUYER PROTECTION PLAN
The Only Way to Stop a Hacker is to Think Like One™
David R. Mirza Ahmad, Dan “Effugas” Kaminsky, Ido Dubrawsky, F. William Lynch, Hal Flynn, Steve W. Manzuik, Joseph “Kingpin” Grand, Ryan Permeh, Robert Graham, Ken Pfeil, Norris L. Johnson, Jr., Rain Forest Puppy, K2
Ryan Russell, Technical Editor
UPDATED BESTSELLER!
With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening. Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations.

[email protected] is an interactive treasure trove of useful information focusing on our book topics and related technologies. The site offers the following features:

  One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters.
  “Ask the Author” customer query forms that enable you to post questions to our authors and editors.
  Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material.
  Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics.

Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase. Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” and “Ask the Author UPDATE®,” are registered trademarks of Syngress Publishing, Inc. “Mission Critical™,” “Hack Proofing™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

PUBLISHED BY Syngress Publishing, Inc., 800 Hingham Street, Rockland, MA 02370

Hack Proofing Your Network, Second Edition
Copyright © 2002 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America.

Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America 1 2 3 4 5 6 7 8 9 0
ISBN: 1-928994-70-9
Technical Editor: Ryan Russell
Cover Designer: Michael Kavish
Acquisitions Editor: Catherine B. Nolan
Page Layout and Art by: Shannon Tozier
Developmental Editor: Kate Glennon
Indexer: Robert Saigh
Distributed by Publishers Group West in the United States and Jaguar Book Group in Canada.
Acknowledgments
We would like to acknowledge the following people for their kindness and support in making this book possible.

Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks.

Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Kevin Votel, Kent Anderson, Frida Yara, Bill Getz, Jon Mayes, John Mesjak, Peg O’Donnell, Sandra Patterson, Betty Redmond, Roy Remer, Ron Shapiro, Patricia Kelly, Andrea Tetrick, Jennifer Pascal, Doug Reil, and David Dahl of Publishers Group West for sharing their incredible marketing experience and expertise.

Jacquie Shanahan and AnnHelen Lindeholm of Elsevier Science for making certain that our vision remains worldwide in scope.

Annabel Dent and Paul Barry of Harcourt Australia for all their help.

David Buckland, Wendi Wong, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Ethan Atkin at Cranbury International for his help in expanding the Syngress program.

Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help and enthusiasm representing our product in Canada.

Lois Fraser, Connie McMenemy, Shannon Russell and the rest of the great folks at Jaguar Book Group for their help with distribution of Syngress books in Canada.

From Ryan Russell

I would like to dedicate my work to my wonderful wife and children, without whom none of this would be worth doing. I love you Sara, Happy Valentine’s Day! I would also like to thank Brian Martin for his assistance in tech editing, and of course the authors who took the time to write the book.
Special thanks go out to those authors who worked on the first edition, before anyone had any idea that it would do well or how it would come out.
Contributors
Dan “Effugas” Kaminsky (CISSP) worked for two years at Cisco Systems designing security infrastructure for large-scale network monitoring systems. Dan has delivered presentations at several major industry conferences including Linuxworld, DEF CON, and the Black Hat Briefings, and he also contributes actively to OpenSSH, one of the more significant cryptographic systems in use today. Dan founded the cross-disciplinary DoxPara Research (www.doxpara.com) in 1997, seeking to integrate psychological and technological theory to create more effective systems for non-ideal but very real environments in the field. He is based in Silicon Valley, presently studying Operation and Management of Information Systems at Santa Clara University in California.
Rain Forest Puppy is a security research and development consultant for a Midwest-based security consulting company. RFP has been working in R&D and coding in various languages for over seven years. While the Web is his primary hobby focus point, he has also played in other realms including: Linux kernel security patches, lockdown of various Windows and UNIX operating systems, and the development of honeypots and other attack alert tools. In the past he’s reported on SQL tampering and common CGI problems, and has contributed security tools (like whisker) to the information security community.
Ken Pfeil is the Security Program Manager for Identix Inc.’s information technology security division. Ken started with Identix following his position as Chief Information Security Officer for Miradiant Global Network, Inc. Ken has over 14 years of IT and security experience, having served with such companies as Microsoft, Dell, and Merrill Lynch. While employed at Microsoft, Ken co-authored Microsoft’s “Best Practices for Enterprise Security” whitepaper series, and is the founder of “The NT Toolbox” Web site. He currently covers new security risks and vulnerabilities for Windows and .Net magazines’ Security Administrator publication, and was the resident expert for multiplatform integration and security issues for “The Windows 2000 Experts Journal.”
Joseph “Kingpin” Grand is a Boston-based electrical engineer and product designer. His pioneering hardware and security research has been published in various academic and industry journals. He has lectured widely on security product design and analysis, portable devices, and digital forensics. In addition to testifying before the United States Senate Governmental Affairs, Joseph has presented his research at the United States Naval Post Graduate School Center for INFOSEC Studies and Research, the USENIX Security Symposium, and the IBM Thomas J. Watson Research Center. Joseph was a long-time researcher with the L0pht hacker think tank. He holds a Bachelor’s of Science in Computer Engineering from Boston University in Boston, Massachusetts.
K2 is a security engineer. He works on a variety of systems ranging from UNIX to all other operating systems. He has spent a lot of time working through security issues wherever they exist: core kernels, networking services, or binary protections. K2 is a member of w00w00 and is a contributing member of The Honeynet Project. He would like to thank Anya for all her help and support throughout the year.
David M. Ahmad is Threat Analysis Manager for SecurityFocus and moderator of the Bugtraq mailing list. SecurityFocus is the leading provider of security intelligence services. David has played a key role in the development of the vulnerability database at SecurityFocus. The focus of this duty has been the analysis of software vulnerabilities and the methods used to exploit them. David became the moderator of Bugtraq, the well-known computer security mailing list, in 2001. He currently resides in Calgary, Alberta, Canada with his family.
F. William Lynch (SCSA, CCNA, LPI-I, MCSE, MCP, Linux+, A+) is co-author for Hack Proofing Sun Solaris 8 (ISBN: 1-928994-44-X), also published by Syngress Publishing. He is an independent security and systems administration consultant and specializes in firewalls, virtual private networks, security auditing, documentation, and systems performance analysis. William has served as a consultant to multinational corporations and the Federal government including the Centers for Disease Control and Prevention headquarters in Atlanta, Georgia as well as various airbases of the USAF. He is also the founder and director of the MRTG-PME project, which uses the MRTG engine to track systems performance of various UNIX-like operating systems. William holds a Bachelor’s degree in Chemical Engineering from the University of Dayton in Dayton, Ohio and a Masters of Business Administration from Regis University in Denver, Colorado.
Hal Flynn is a Threat Analyst at SecurityFocus, the leading provider of Security Intelligence Services for Business. Hal functions as a Senior Analyst, performing research and analysis of vulnerabilities, malicious code, and network attacks. He provides the SecurityFocus team with UNIX and Network expertise. He is also the manager of the UNIX Focus Area and moderator of the Focus-Sun, Focus-Linux, Focus-BSD, and Focus-GeneralUnix mailing lists. Hal has worked the field in jobs as varied as the Senior Systems and Network Administrator of an Internet Service Provider, to contracting the United States Defense Information Systems Agency, to Enterprise-level consulting for Sprint. He is also a veteran of the United States Navy Hospital Corps, having served a tour with the 2nd Marine Division at Camp Lejeune, North Carolina as a Fleet Marine Force Corpsman. Hal is mobile, living between sunny Phoenix, Arizona and wintry Calgary, Alberta, Canada. Rooted in the South, he still calls Montgomery, Alabama home.
Ryan Permeh is a developer and researcher with eEye Digital Security. He works on the Retina and SecureIIS product lines and leads the reverse engineering and custom exploitation efforts for eEye’s research team. Ryan was behind the initial analysis of the CodeRed worm, and has developed many proof of concept exploits provided to vendors and the security community. Ryan has experience in NT, UNIX, systems and application programming as well as large-scale secure network deployment and maintenance. Ryan currently lives and works in sunny Orange County, California. Ryan would like to offer special thanks to Riley Hassel for his assistance in providing the Linux exploitation of a sample buffer overflow. He would also like to thank the rest of the eEye team, Greg Hoglund, and Ryan Russell, for the original foundation ideas included in his chapter.
Norris L. Johnson, Jr. (MCSE, MCT, CTT+, A+, Network+) is a technology trainer and owner of a consulting company in the Seattle-Tacoma area. His consultancies have included deployments and security planning for local firms and public agencies, as well as providing services to other local computer firms in need of problem solving and solutions for their clients. He specializes in Windows NT 4.0, Windows 2000, and Windows XP issues, providing planning, implementation, and integration services. In addition to consulting work, Norris provides technical training for clients and teaches for area community and technical colleges. He co-authored Configuring and Troubleshooting Windows XP Professional (Syngress Publishing, ISBN: 1-928994-80-6), and performed technical edits on Hack Proofing Windows 2000 Server (ISBN: 1-931836-49-3) and Windows 2000 Active Directory, Second Edition (ISBN: 1-928994-60-1). Norris holds a Bachelor’s degree from Washington State University. He is deeply appreciative of the support of his wife Cindy and three sons in helping to maintain his focus and efforts toward computer training and education.
Ido Dubrawsky (CCNA, SCSA) is a Network Security Engineer and a member of Cisco’s Secure Consulting Services in Austin, Texas. He currently conducts security posture assessments for clients as well as provides technical consulting for security design reviews. His strengths include Cisco routers and switches, PIX firewall, Solaris systems, and freeware intrusion detection systems. Ido holds a Bachelor’s and a Master’s degree from the University of Texas at Austin and is a member of USENIX and SAGE. He has written several articles covering Solaris security and network security for Sysadmin magazine as well as SecurityFocus. He lives in Austin, Texas with his family.
Robert Graham has been developing sniffers since 1990, when he wrote most of the protocol decodes for the ProTools protocol-analyzer, including real-time tools for password sniffing and Telnet session spying. Robert worked for Network General between 1994 and 1998 where he rewrote all of the protocol-decodes for the Sniffer protocol-analyzer. He founded Network ICE in 1998 and created the BlackICE network-sniffing intrusion detection system. He is now the chief architect at Internet Security Systems in charge of the design for the RealSecure IDS.
Steve Manzuik (MCP) was most recently a Manager in Ernst & Young’s Security and Technology Solutions practice specializing in profiling services. Over the last ten years Steve has been involved in IT integration, support, and security. Steve is a published author on security topics, a sought after speaker and information security panelist and is the moderator of a full disclosure security mailing list, VulnWatch (www.vulnwatch.org). Steve also has acted as a Security Analyst for a world wide group of White Hat Hackers and Security Researchers, the BindView RAZOR Team. Steve is a board member of the Calgary Security Professionals Information Exchange (SPIE) group, which is an information-sharing group of local security professionals from various private and government sectors. Steve has a strong background in Microsoft technologies and the various security issues surrounding them, and has successfully guided multiple organizations in securing Microsoft Windows NT hosts for use in a hostile environment. He lives in Calgary, Alberta, Canada with his wife Heather, son Greyson, and newborn daughter Hope.
From the First Edition
The following individuals contributed to the first edition of Hack Proofing Your Network: Internet Tradecraft. Although not contributors to the second edition, their work and ideas from the first edition have been included.
Oliver Friedrichs has over twelve years of experience in the information security industry, ranging from development to management. Oliver is a co-founder of the information security firm SecurityFocus.com. Previous to founding SecurityFocus, Oliver was a Co-Founder and Vice President of Engineering at Secure Networks, Inc., which was acquired by Network Associates in 1998. Post acquisition, Oliver managed the development of Network Associates’ award-winning CyberCop Scanner network auditing product, and managed Network Associates’ vulnerability research team. Oliver has delivered training on computer security issues for organizations such as the IRS, FBI, Secret Service, NASA, TRW, Canadian Department of Defense, RCMP, and CSE.
Greg Hoglund is a software engineer and researcher. He has written several successful security products for Windows NT. Greg also operates the Windows NT Rootkit project, located at www.rootkit.com. He has written several white papers on content-based attacks, kernel patching, and forensics. Currently he works as a founder of Click To Secure, Inc., building new security and quality assurance tools. His web site can be found at www.clicktosecure.com.
Elias Levy is the moderator of Bugtraq, one of the most read security mailing lists on the Internet, and a co-founder of Security Focus. Throughout his career, Elias has served as computer security consultant and security engineer for some of the largest corporations in the United States. Outside of the computer security industry, he has worked as a UNIX software developer, a network engineer, and system administrator.
Mudge is the former CEO and Chief Scientist of renowned ‘hacker think-tank’ the L0pht, and is considered the nation’s leading “grey-hat hacker.” He and the original members of the L0pht are now heading up @stake’s research labs, ensuring that the company is at the cutting edge of Internet security. Mudge is a widely sought-after keynote speaker in various forums, including analysis of electronic threats to national security. He has been called to testify before the Senate Committee on Governmental Affairs and to be a witness to the House and Senate joint Judiciary Oversight committee. Mudge has briefed a wide range of members of Congress and has conducted training courses for the Department of Justice, NASA, the US Air Force, and other government agencies. Mudge participated in President Clinton’s security summit at the White House. He joined a small group of high tech executives, privacy experts, and government officials to discuss Internet security. A recognized name in cryptanalysis, Mudge has co-authored papers with Bruce Schneier that were published in the 5th ACM Conference on Computer and Communications Security, and the Secure Networking – CQRE International Exhibition and Congress. He is the original author of L0phtCrack, the award winning NT password auditing tool. In addition, Mudge co-authored AntiSniff, the world’s first commercial remote promiscuous mode detection program. He has written over a dozen advisories and various tools, many of which resulted in numerous CERT advisories, vendor updates, and patches.
Stace Cunningham (CMISS, CCNA, MCSE, CLSE, COS/2E, CLSI, COS/2I, CLSA, MCPS, A+) is a security consultant currently located in Biloxi, MS. He has assisted several clients in the development and implementation of network security plans for their organizations. Both network and operating system security has always intrigued Stace, so he strives to constantly stay on top of the changes in this ever-evolving field. While in the Air Force he held the positions of Network Security Officer and Computer Systems Security Officer. While in the Air Force, Stace was heavily involved in installing, troubleshooting, and protecting long-haul circuits with the appropriate level of cryptography necessary to protect the level of information traversing the circuit as well as protecting the circuits from TEMPEST hazards. Stace was a contributor to The SANS Institute booklet “Windows NT Security Step by Step.” In addition, he has co-authored over 18 books published by Osborne/McGraw-Hill, Syngress, and Microsoft Press. He has also performed as Technical Editor for various other books and has written for Internet Security Advisor magazine.
Technical Editor and Contributor
Ryan Russell is the best-selling author of Hack Proofing Your Network: Internet Tradecraft (Syngress Publishing, ISBN: 1-928994-15-6). He is an Incident Analyst at SecurityFocus, has served as an expert witness on security topics, and has done internal security investigation for a major software vendor. Ryan has been working in the IT field for over 13 years, the last 7 of which have been spent primarily in information security. He has been an active participant in various security mailing lists, such as BugTraq, for years, and is frequently sought after as a speaker at security conferences. Ryan has contributed to four other Syngress Publishing titles on the topic of networking, and four on the topic of security. He holds a Bachelors of Science degree in Computer Science.
Understanding the Contents Current Legal Climate Foreword v 1.5 xxix
This book will teach you Foreword v 1.0 xxxiii techniques that, if used in the wrong way, will get Chapter 1 How To Hack 1 you in trouble with the Introduction 2 law. Me saying this is like What We Mean by “Hack” 2 a driving instructor saying, Why Hack? 3 “I’m going to teach you how to drive; if you drive Knowing What To Expect in the Rest of This Book 4 badly, you might run Understanding the Current Legal Climate 6 someone over.” In both Summary 8 cases, any harm done Frequently Asked Questions 8 would be your fault. Chapter 2 The Laws of Security 11 Introduction 12 Knowing the Laws of Security 12 Client-Side Security Doesn’t Work 14 Tools & Traps… You Cannot Securely Exchange Encryption Keys without a Shared Piece of Information 15 Malicious Code Cannot Be Want to Check that Firewall? 100 Percent Protected against 18 Any Malicious Code Can Be Completely There are an incredible Morphed to Bypass Signature Detection 20 number of freeware tools available to you for Firewalls Cannot Protect beginning your checks of You 100 Percent from Attack 22 vulnerability. I have a Social Engineering 24 couple of favorites that Attacking Exposed Servers 24 allow for quick probes and Attacking the Firewall Directly 26 checks of information about various IP Client-Side Holes 26 addresses: Any IDS Can Be Evaded 27 Secret Cryptographic Algorithms Are Not Secure 28 SuperScan, from Foundstone If a Key Is Not Required,You Do Not Have Corporation: Encryption—You Have Encoding 30 www.foundstone.com/ Passwords Cannot Be Securely Stored on knowledge/free_tools the Client Unless There Is Another Password .html to Protect Them 32 Sam Spade, from In Order for a System to Begin to Be SamSpade.org: Considered Secure, It Must Undergo www.samspade.org. an Independent Security Audit 35 Security through Obscurity Does Not Work 37
xiii 194_HPYN2e_toc.qxd 2/15/02 2:56 PM Page xiv
xiv Contents
Summary 39 Solutions Fast Track 39 Frequently Asked Questions 42 Chapter 3 Classes of Attack 45 Introduction 46 Identifying and Understanding the Classes of Attack 46 Denial of Service 47 Local Vector Denial of Service 47 Network Vector Denial of Service 50 Information Leakage 56 Service Information Leakage 56 Protocol Information Leakage 58 Leaky by Design 60 Leaky Web Servers 60 A Hypothetical Scenario 61 ; There are seven classes of attacks: denial of Why Be Concerned with Information service (DoS), Leakage? 61 information leakage, Regular File Access 62 regular file access, Permissions 62 misinformation, special Symbolic Link Attacks 63 file/database access, remote arbitrary code Misinformation 65 execution, and Standard Intrusion Procedure 67 elevation of privileges. Special File/Database Access 69 Attacks against Special Files 69 Attacks against Databases 70 Remote Arbitrary Code Execution 72 The Attack 73 Code Execution Limitations 74 Elevation of Privileges 74 Remote Privilege Elevation 75 Identifying Methods of Testing for Vulnerabilities 77 Proof of Concept 77 Exploit Code 78 Automated Security Tools 79 Versioning 79 Standard Research Techniques 80 Whois 81 Domain Name System 86 Nmap 89 Web Indexing 90 194_HPYN2e_toc.qxd 2/15/02 2:56 PM Page xv
Contents xv
Summary 93 Solutions Fast Track 95 Frequently Asked Questions 96 Chapter 4 Methodology 99 Introduction 100 Q: Is decompiling and other reverse Understanding Vulnerability Research engineering legal? Methodologies 100 Source Code Research 101 A: In the United States, reverse engineering Searching For Error-Prone Functions 101 may soon be illegal. Line-By-Line Review 102 The Digital Millennium Discovery Through Difference 102 Copyright Act includes Binary Research 104 a provision designed to Tracing Binaries 104 prevent the circumvention of Debuggers 105 technological measures Guideline-Based Auditing 105 that control access to Sniffers 105 copyrighted works. The Importance of Source Code Reviews 106 Source code can be Searching Error-Prone Functions 106 copyrighted, and Buffer Overflows 106 therefore makes the reverse engineering of Input Validation Bugs 110 copyrighted code Race Conditions 112 illegal. Reverse Engineering Techniques 113 Disassemblers, Decompilers, and Debuggers 120 Black Box Testing 125 Chips 126 Summary 128 Solutions Fast Track 129 Frequently Asked Questions 130 Recursive Grepping Chapter 5 Diffing 131 Introduction 132 According to Ryan What Is Diffing? 132 Tennant’s (Argoth) Solaris Why Diff? 135 Infrequently Asked Obscure Questions (IAOQ) Looking to the Source Code 136 at http://shells.devunix Going for the Gold:A Gaming Example 139 .org/~argoth/iaoq, a Exploring Diff Tools 143 recursive grep can be Using File-Comparison Tools 143 performed using the Using the fc Tool 143 following command: Using the diff Command 145 /usr/bin/find . | Working with Hex Editors 146 /usr/bin/xargs Hackman 147 /usr/bin/grep PATTERN [N] Curses Hexedit 148 Hex Workshop 149 194_HPYN2e_toc.qxd 2/15/02 2:56 PM Page xvi
xvi Contents
Utilizing File System Monitoring Tools 150 Doing It The Hard Way: Manual Comparison 150 Comparing File Attributes 151 Using the Archive Attribute 153 Examining Checksums and Hashes 154 Finding Other Tools 155 Troubleshooting 157 Problems with Checksums and Hashes 157 Problems with Compression and Encryption 159 Summary 160 Solutions Fast Track 161 Frequently Asked Questions 162 Chapter 6 Cryptography 165 Introduction 166 Understanding Cryptography Concepts 166 History 167 Encryption Key Types 167 Learning about Standard Cryptographic Algorithms 169 Understanding Symmetric Algorithms 170 DES 170 AES (Rijndael) 172 John the Ripper IDEA 173 Understanding Asymmetric Algorithms 174 Diffie-Hellman 174 John the Ripper is another password-cracking RSA 176 program, but it differs Understanding Brute Force 177 from Crack in that it is Brute Force Basics 177 available in UNIX, DOS, Using Brute Force to Obtain Passwords 178 and Win32 editions. Crack L0phtcrack 180 is great for older systems Crack 181 using crypt(), but John the Ripper is better for newer John the Ripper 182 systems using MD5 and Knowing When Real Algorithms similar password formats. Are Being Used Improperly 183 Bad Key Exchanges 183 Hashing Pieces Separately 184 Using a Short Password to Generate a Long Key 185 Improperly Stored Private or Secret Keys 186 Understanding Amateur Cryptography Attempts 188 Classifying the Ciphertext 189 194_HPYN2e_toc.qxd 2/15/02 2:56 PM Page xvii
Contents xvii
Frequency Analysis 189 Ciphertext Relative Length Analysis 190 Similar Plaintext Analysis 190 Monoalphabetic Ciphers 191 Other Ways to Hide Information 191 XOR 191 UUEncode 195 Base64 195 Compression 197 Summary 199 Solutions Fast Track 200 Frequently Asked Questions 202 Chapter 7 Unexpected Input 205 Introduction 206 Understanding Why Unexpected Data Is Dangerous 206 Finding Situations Involving Unexpected Data 208 Local Applications and Utilities 208 Understanding Why HTTP/HTML 208 Unexpected Data Is Unexpected Data in SQL Queries 211 Dangerous Application Authentication 215 Disguising the Obvious 220 ; Almost all applications Using Techniques to Find and Eliminate interact with the user, Vulnerabilities 221 and thus take data Black-Box Testing 222 from them. Discovering Network and System ; An application can’t Problems 225 assume that the user is Use the Source 226 playing by the rules. Untaint Data by Filtering It 227 ; The application has to Escaping Characters Is Not Always Enough 227 be wary of buffer Perl 228 overflows, logic alteration, and the Cold Fusion/Cold Fusion validity of data passed Markup Language (CFML) 229 to system functions. ASP 229 PHP 230 Protecting Your SQL Queries 231 Silently Removing versus Alerting on Bad Data 232 Invalid Input Function 232 Token Substitution 233 Utilizing the Available Safety Features in Your Programming Language 233 194_HPYN2e_toc.qxd 2/15/02 2:56 PM Page xviii
xviii Contents
      Perl  233
      PHP  235
      ColdFusion/ColdFusion Markup Language  235
      ASP  236
      MySQL  237
  Using Tools to Handle Unexpected Data  237
    Web Sleuth  237
    CGIAudit  237
    RATS  237
    Flawfinder  238
    Retina  238
    Hailstorm  238
    Pudding  238
  Summary  239
  Solutions Fast Track  239
  Frequently Asked Questions  242

Chapter 8  Buffer Overflow  243
  Introduction  244
  Understanding the Stack  244
    The Code  246
    Disassembly  247
    The Stack Dump  248
    Oddities and the Stack  249
  Understanding the Stack Frame  249
    Introduction to the Stack Frame  250
    Passing Arguments to a Function: A Sample Program  250
      The Disassembly  251
      The Stack Dumps  254
    Stack Frames and Calling Syntaxes  256
  Learning about Buffer Overflows  257
    A Simple Uncontrolled Overflow: A Sample Program  259
      The Disassembly  260
      The Stack Dumps  262
  Creating Your First Overflow  263
    Creating a Program with an Exploitable Overflow  264
      Writing the Overflowable Code  264
      Disassembling the Overflowable Code  265
      Stack Dump after the Overflow  267
      Performing the Exploit  267

Damage & Defense… Understanding Assembly Language
There are a few specific pieces of assembly language knowledge that are necessary to understand the stack. One thing that is required is to understand the normal usage of registers in a stack:
- EIP: the extended instruction pointer.
- ESP: the extended stack pointer.
- EBP: the extended base pointer.
    General Exploit Concepts  268
      Buffer Injection Techniques  268
      Methods to Execute Payload  269
      Designing Payload  281
    Performing the Exploit on Linux  282
    Performing the Exploit on Windows NT  293
  Learning Advanced Overflow Techniques  303
    Input Filtering  303
    Incomplete Overflows and Data Corruption  304
    Stack Based Function Pointer Overwrite  306
    Heap Overflows  306
      Corrupting a Function Pointer  307
      Trespassing the Heap  307
  Advanced Payload Design  310
    Using What You Already Have  310
    Dynamic Loading New Libraries  311
    Eggshell Payloads  313
  Summary  314
  Solutions Fast Track  314
  Frequently Asked Questions  317

Chapter 9  Format Strings  319
  Introduction  320
  Understanding Format String Vulnerabilities  322
    Why and Where Do Format String Vulnerabilities Exist?  326
    How Can They Be Fixed?  327
  How Format String Vulnerabilities Are Exploited  328
    Denial of Service  329
    Reading Memory  329
    Writing to Memory  330
  How Format String Exploits Work  332
    Constructing Values  333
    What to Overwrite  335
      Overwriting Return Addresses  335
      Overwriting Global Offset Table Entries and Other Function Pointers  335
  Examining a Vulnerable Program  336
    Testing with a Random Format String  340
    Writing a Format String Exploit  344

Frequently Asked Questions (excerpt)
Q: How can I eliminate or minimize the risk of unknown format string vulnerabilities in programs on my system?
A: A good start is having a sane security policy. Rely on the least-privileges model; ensure that only the most necessary utilities are installed setuid and can be run only by members of a trusted group. Disable or block access to all services that are not completely necessary.
  Summary  356
  Solutions Fast Track  356
  Frequently Asked Questions  358

Chapter 10  Sniffing  361
  Introduction  362
  What Is Sniffing?  362
    How Does It Work?  362
  What to Sniff?  363
    Obtaining Authentication Information  363
      Monitoring Telnet (Port 23)  364
      Monitoring FTP (Port 21)  364
      Monitoring POP (Port 110)  365
      Monitoring IMAP (Port 143)  365
      Monitoring NNTP (Port 119)  366
      Monitoring rexec (Port 512)  366
      Monitoring rlogin (Port 513)  367
      Monitoring X11 (Port 6000+)  368
      Monitoring NFS File Handles  368
      Capturing Windows NT Authentication Information  369
    Capturing Other Network Traffic  370
      Monitoring SMTP (Port 25)  370
      Monitoring HTTP (Port 80)  370
  Popular Sniffing Software  371
    Ethereal  371
    Network Associates Sniffer Pro  372
    NT Network Monitor  374
    WildPackets  375
    TCPDump  376
    dsniff  377
    Ettercap  380
    Esniff.c  380
    Sniffit  381
    Carnivore  382
    Additional Resources  385
  Advanced Sniffing Techniques  385
    Man-in-the-Middle (MITM) Attacks  385
    Cracking  386
    Switch Tricks  386
      ARP Spoofing  386
      MAC Flooding  387
    Routing Games  388

Figure: Ethereal Capture Preferences
  Exploring Operating System APIs  388
    Linux  388
    BSD  392
    libpcap  392
    Windows  395
  Taking Protective Measures  395
    Providing Encryption  395
      Secure Shell (SSH)  396
      Secure Sockets Layers (SSL)  397
      PGP and S/MIME  397
    Switching  398
  Employing Detection Techniques  398
    Local Detection  398
    Network Detection  399
      DNS Lookups  399
      Latency  399
      Driver Bugs  400
      AntiSniff  400
      Network Monitor  400
  Summary  401
  Solutions Fast Track  402
  Frequently Asked Questions  404

Chapter 11  Session Hijacking  407
  Introduction  408
  Understanding Session Hijacking  408
    TCP Session Hijacking  410
    TCP Session Hijacking with Packet Blocking  411
      Route Table Modification  411
      ARP Attacks  414
    UDP Hijacking  415
  Examining the Available Tools  416
    Juggernaut  416
    Hunt  420
    Ettercap  425
    SMBRelay  430
    Storm Watchers  430
  ACK Storms  431
  Playing MITM for Encrypted Communications  433
    Man-in-the-Middle Attacks  434
    Dsniff  435
    Other Hijacking  436

Sidebar: Understanding Session Hijacking
- The point of hijacking a connection is to steal trust.
- Hijacking is a race scenario: can the attacker get an appropriate response packet in before the legitimate server or client can?
- Attackers can remotely modify routing tables to redirect packets or get a system into the routing path between two hosts.
  Summary  438
  Solutions Fast Track  438
  Frequently Asked Questions  440

Chapter 12  Spoofing: Attacks on Trusted Identity  443
  Introduction  444
  What It Means to Spoof  444
    Spoofing Is Identity Forgery  444
    Spoofing Is an Active Attack against Identity Checking Procedures  445
    Spoofing Is Possible at All Layers of Communication  445
    Spoofing Is Always Intentional  446
    Spoofing May Be Blind or Informed, but Usually Involves Only Partial Credentials  447
    Spoofing Is Not the Same Thing as Betrayal  448
    Spoofing Is Not Necessarily Malicious  448
    Spoofing Is Nothing New  449
  Background Theory  449
    The Importance of Identity  450
    The Evolution of Trust  451
      Asymmetric Signatures between Human Beings  451
    Establishing Identity within Computer Networks  453
      Return to Sender  454
      In the Beginning, There Was… a Transmission  455
    Capability Challenges  457
      Ability to Transmit: "Can It Talk to Me?"  457
      Ability to Respond: "Can It Respond to Me?"  459
      Ability to Encode: "Can It Speak My Language?"  463
      Ability to Prove a Shared Secret: "Does It Share a Secret with Me?"  465
      Ability to Prove a Private Keypair: "Can I Recognize Your Voice?"  467

Tools & Traps… Perfect Forward Secrecy: SSL's Dirty Little Secret
The dirty little secret of SSL is that, unlike SSH and unnecessarily like standard PGP, its standard modes are not perfectly forward secure. This means that an attacker can lie in wait, sniffing encrypted traffic at its leisure for as long as it desires, until one day it breaks in and steals the SSL private key used by the SSL engine (which is extractable from all but the most custom hardware).
      Ability to Prove an Identity Keypair: "Is Its Identity Independently Represented in My Keypair?"  468
    Configuration Methodologies: Building a Trusted Capability Index  470
      Local Configurations vs. Central Configurations  470
  Desktop Spoofs  471
    The Plague of Auto-Updating Applications  471
  Impacts of Spoofs  473
    Subtle Spoofs and Economic Sabotage  474
      Flattery Will Get You Nowhere  474
      Subtlety Will Get You Everywhere  476
      Selective Failure for Selecting Recovery  476
      Bait and Switch: Spoofing the Presence of SSL Itself  478
  Down and Dirty: Engineering Spoofing Systems  486
    Spitting into the Wind: Building a Skeleton Router in Userspace  486
      Designing the Nonexistent: The Network Card That Didn't Exist but Responded Anyway  487
      Implementation: DoxRoute, Section by Section  488
    Bring Out the Halon: Spoofing Connectivity Through Asymmetric Firewalls  510
      Symmetric Outgoing TCP: A Highly Experimental Framework for Handshake-Only TCP Connection Brokering  511
  Summary  518
  Solutions Fast Track  519
  Frequently Asked Questions  523

Chapter 13  Tunneling  527
  Introduction  528
  Strategic Constraints of Tunnel Design  530
    Privacy: "Where Is My Traffic Going?"  532
    Routability: "Where Can This Go Through?"  532
    Deployability: "How Painful Is This to Get Up and Running?"  533
    Flexibility: "What Can We Use This for, Anyway?"  534
    Quality: "How Painful Will This System Be to Maintain?"  537
  Designing End-to-End Tunneling Systems  537
    Drilling Tunnels Using SSH  538
      Security Analysis: OpenSSH 3.02  539
      Setting Up OpenSSH  541
  Open Sesame: Authentication  543
    Basic Access: Authentication by Password  543
    Transparent Access: Authentication by Private Key  544
      Server to Client Authentication  544
      Client to Server Authentication  545
  Command Forwarding: Direct Execution for Scripts and Pipes  550
  Port Forwarding: Accessing Resources on Remote Networks  556
    Local Port Forwards  557
    Dynamic Port Forwards  560
      Internet Explorer 6: Making the Web Safe for Work  561
      Speak Freely: Instant Messaging over SSH  564
      That's a Wrap: Encapsulating Arbitrary Win32 Apps within the Dynamic Forwarder  566
      Summoning Virgil: Using Dante's Socksify to Wrap UNIX Applications  567
    Remote Port Forwards  569
  When in Rome: Traversing the Recalcitrant Network  571
    Crossing the Bridge: Accessing Proxies through ProxyCommands  571
    No Habla HTTP? Permuting thy Traffic  575
    Show Your Badge: Restricted Bastion Authentication  576
    Bringing the Mountain: Exporting SSHD Access  579
    Echoes in a Foreign Tongue: Cross-Connecting Mutually Firewalled Hosts  581
  Not In Denver, Not Dead: Now What?  584
    Standard File Transfer over SSH  584

Sidebar: Privacy of Communications
Primary questions for privacy of communications include the following:
- Can anyone else monitor the traffic within this tunnel? Read access, addressed by encryption.
- Can anyone else modify the traffic within this tunnel, or surreptitiously gain access to it? Write access, addressed primarily through authentication.
    Incremental File Transfer over SSH  586
    CD Burning over SSH  589
    Acoustic Tubing: Audio Distribution over TCP and SSH  593
  Summary  598
  Solutions Fast Track  600
  Frequently Asked Questions  606

Chapter 14  Hardware Hacking  609
  Introduction  610
  Understanding Hardware Hacking  610
  Opening the Device: Housing and Mechanical Attacks  611
    Understanding Types of Tamper Mechanisms  613
      Tamper Resistance  615
      Tamper Evidence  615
      Tamper Detection  615
      Tamper Response  617
    External Interfaces  618
    Protocol Analysis  620
    Electromagnetic Interference and Electrostatic Discharge  623
  Analyzing the Product Internals: Electrical Circuit Attacks  624
    Reverse-engineering the Device  624
    Basic Techniques: Common Attacks  627
      Device Packaging  627
      Memory Retrieval  628
      Timing Attacks  629
    Advanced Techniques: Epoxy Removal and IC Delidding  630
      Silicon Die Analysis  631
    Cryptanalysis and Obfuscation Methods  632
  What Tools Do I Need?  634
    Starter Kit  634
    Advanced Kit  635
  Example: Hacking the iButton Authentication Token  637
    Experimenting with the Device  638
    Reverse-engineering the "Random" Response  639
  Example: Hacking the NetStructure 7110 E-commerce Accelerator  642

Sidebar: Hardware Hacking
Hardware hacking is done for the following reasons:
- General analysis of the product to determine common security weaknesses and attacks
- Access to the internal circuit without evidence of device tampering
- Retrieval of any internal or secret data components
- Cloning of the device
- Retrieving memory contents
- Elevation of privilege
    Opening the Device  642
    Retrieving the Filesystem  642
    Reverse-engineering the Password Generator  646
  Summary  648
  Solutions Fast Track  649
  Frequently Asked Questions  652

Chapter 15  Viruses, Trojan Horses, and Worms  655
  Introduction  656
  How Do Viruses, Trojan Horses, and Worms Differ?  656
    Viruses  656
    Worms  657
    Macro Virus  658
    Trojan Horses  659
    Hoaxes  660
  Anatomy of a Virus  660
    Propagation  660
    Payload  662
    Other Tricks of the Trade  663
  Dealing with Cross-platform Issues  664
    Java  664
    Macro Viruses  665
    Recompilation  665
    Shockwave Flash  665
  Proof that We Need to Worry  665
    The Morris Worm  666
    ADMw0rm  666
    Melissa and I Love You  666
    Sadmind Worm  673
    Code Red Worms  674
    Nimda Worm  675
  Creating Your Own Malware  677
    New Delivery Methods  678
    Faster Propagation Methods  679
    Other Thoughts on Creating New Malware  679
  How to Secure Against Malicious Software  680
    Anti-Virus Software  681
    Updates and Patches  683
    Web Browser Security  683
    Anti-Virus Research  683

Sidebar: Worms
A "worm" is a program that can run independently, will consume the resources of its host from within in order to maintain itself, and can propagate a complete working version of itself on to other machines.
  Summary  685
  Solutions Fast Track  685
  Frequently Asked Questions  687

Chapter 16  IDS Evasion  689
  Introduction  690
  Understanding How Signature-Based IDSs Work  690
    Judging False Positives and Negatives  693
    Alert Flooding  693
  Using Packet Level Evasion  694
    IP Options  696
    Time-To-Live Attacks  696
    IP Fragmentation  697
    TCP Header  698
    TCP Synchronization  699
      TCB Creation  699
      Stream Reassembly  700
      TCB Teardown  701
    Using Fragrouter and Congestant  701
    Countermeasures  704
  Using Application Protocol Level Evasion  705
    Security as an Afterthought  705
    Evading a Match  706
    Alternate Data Encodings  706
    Web Attack Techniques  707
      Method Matching  708
      Directory and File Referencing  708
    Countermeasures  709
  Using Code Morphing Evasion  709
  Summary  713
  Solutions Fast Track  714
  Frequently Asked Questions  716

Chapter 17  Automated Security Review and Attack Tools  719
  Introduction  720
  Learning about Automated Tools  720
    Exploring the Commercial Tools  725
      CyberCop Scanner  728
      Internet Security Systems (ISS) Internet Scanner  728
      BindView's BV-Control for Internet Security  729
      eEye Retina  729

Tools & Traps… Baiting with Honeynets
Recently, there has been an upsurge in the use of honeynets as a defensive tool. A honeynet is a system that is deployed with the intended purpose of being compromised. These are hyper-defensive tools that can be implemented at any location inside a network. The current best-known configuration type for these tools is where two systems are deployed, one for the bait, the other configured to log all traffic.
      Other Products  729
    Exploring the Free Tools  730
      Nessus  730
      Security Administrators Integrated Network Tool (SAINT)  731
      Security Administrators Research Assistant (SARA)  732
      ShadowScan  732
      Nmap and NmapNT  732
      Whisker  733
      VLAD the Scanner  733
      Other Resources  734
  Using Automated Tools for Penetration Testing  734
    Testing with the Commercial Tools  734
    Testing the Free Tools  739
  Knowing When Tools Are Not Enough  743
    The New Face of Vulnerability Testing  744
  Summary  745
  Solutions Fast Track  745
  Frequently Asked Questions  746

Sidebar: Vulnerability Scanners by Number
  Product                            Vulnerability Count
  ISS Internet Scanner               976
  NAI CyberCop Scanner               830
  BV Control for Internet Security   900
  Harris STAT Scanner                1,200
  Symantec NetRecon                  600
  eEye Retina                        820

Chapter 18  Reporting Security Problems  749
  Introduction  750
  Understanding Why Security Problems Need to Be Reported  750
    Full Disclosure  752
  Determining When and to Whom to Report the Problem  755
    Whom to Report Security Problems to?  755
    How to Report a Security Problem to a Vendor  758
  Deciding How Much Detail to Publish  759
    Publishing Exploit Code  759
    Problems  760
      Repercussions from Vendors  760
      Reporting Errors  762
      Risk to the Public  762
  Summary  763
  Solutions Fast Track  763
  Frequently Asked Questions  765

Index  767

Sidebar: Deciding How Much Detail to Publish
- Take great care in deciding whether or not you want to provide exploit code with your NSF report.
- You must be prepared to take a slight risk when reporting security flaws. You could end up facing the vendor's wrath.
- Be extra cautious in describing any security flaw that requires the circumvention of a vendor's copyright protection mechanisms.
Foreword v 1.5
For the first edition of this book, the other authors and I had one thing in common: we all had something we wish we could have done differently in our chapters. We either made a mistake, or didn't explain something as well as we'd like, or forgot to cover something, or wish we had time to write one more bit of code. Like any project, the time eventually comes to cut the cord, and let it go. Having a second chance to do this book again gives us the opportunity to change all those things we noticed from the moment the first book was printed. A good portion of those were due to the messages from readers that said, "you should have done this differently…". A great majority of the time, they were absolutely right. In the second edition of Hack Proofing Your Network, I've tried to incorporate as many of those suggestions as I could.

When Hack Proofing Your Network was first published, there were very few books on the market that taught penetration techniques outright. This book was the first of this genre for my publisher, Syngress Publishing. They were a little nervous. They weren't sure that teaching hacking techniques was such a great idea. (Other publishers must have been terrified. When I spoke to some of them about a "hacking book," they didn't even want to see an outline. "No hacking books." Of course, some of them now have books of their own in the genre.) Consequently, Syngress felt that if we were to write Hack Proofing Your Network, the book should have coverage of defensive measures for everything. OK, I could do that. I've got nothing against defensive measures mind you, I've been using them for years. Some of my best friends are defensive measures. It just wasn't what I had in mind for this book. So, the first edition had a number of "defense" sections, which weren't as well done as they might have been, and generally made the flow awkward.

Well, some things have changed since the first edition of this book. For example, Hack Proofing is now a large series of books, not just a single title. As of this writing, these include:

Hack Proofing Your E-commerce Site (ISBN: 1-928994-27-X)
Hack Proofing Your Web Applications (ISBN: 1-928994-31-8)
Hack Proofing Sun Solaris 8 (ISBN: 1-928994-44-X)
Hack Proofing Linux (ISBN: 1-928994-34-2)
Hack Proofing Windows 2000 Server (ISBN: 1-931836-49-3)
Hack Proofing Your Wireless Network (ISBN: 1-928994-59-8)
Hack Proofing ColdFusion 5.0 (ISBN: 1-928994-77-6)

And there are more to come. These titles have at least one common feature: they are defense-oriented. That means that the authors of this book didn't have to worry about tacking on defense pieces this time around. Not that we didn't include any, but they were used only when they fit. (And just to prove that we don't have anything against the defense, many of us also did portions of the defense-oriented Hack Proofing books.)

This is Foreword version 1.5. This book has had an incremental upgrade (well, closer to an overhaul, but you get the idea). However, Mudge's words still apply, so you'll find them next. Consider this to be a changelog of sorts. Allow me to cover some of the other new and improved changes to this edition. We've got several entirely new sections, including: