Hands-On Information Security Lab Manual, Third Edition

Michael E. Whitman, Ph.D., CISM, CISSP, Herbert J. Mattord, CISM, CISSP


Course Technology, Cengage Learning

Australia · Brazil · Japan · Korea · Mexico · Singapore · Spain · United Kingdom · United States

TABLE OF CONTENTS

CHAPTER 1: INFORMATION SECURITY PROCESS FLOWS  1
  Flow 1.1 Firewalls  3
  Flow 1.2 Remote Access  3
  Flow 1.3 Access Controls  4
  Flow 1.4 Vulnerability Assessment  5
  Flow 1.5 Penetration Testing  6
  Flow 1.6 Forensics and Antiforensics  7
  Flow 1.7 Client Security  8
  Flow 1.8 Perimeter Defense  10
  Flow 1.9 Server Security  11
  Flow 1.10 Intrusion Detection  12
  Flow 1.11 Network Security  13
  Flow 1.12 Cyber Defense  14
  References  15

CHAPTER 2: BACKGROUND AND THEORY FOR LAB EXERCISES  17
  2.1 Footprinting  18
  2.2 Scanning and Enumeration  22
  2.3 OS Processes and Services  25
  2.4 Vulnerability Identification and Research  26
  2.5 Vulnerability Validation  28
  2.6 Systems Remediation and Hardening  28
  2.7 Web Browser Security and Configuration  29
  2.8 Data Management  30
  2.9 Data Backup and Recovery  31
  2.10 Access Controls  31
  2.11 Host Intrusion Detection  33
  2.12 Log Security Issues  34
  2.13 Privacy and Anti-forensics  36
  2.14 Software Firewalls  36
  2.15 Linksys Firewall Routers and Access Points  38
  2.16 Network Intrusion Detection Systems  38
  2.17 Network Traffic Analysis  39
  2.18 Virtual Private Networks and Remote Access  41
  2.19 Digital Certificates  41
  2.20 Password Circumvention  43
  2.21 Antivirus Defense  43
  2.22 Prevention and Detection  44

CHAPTER 3: WINDOWS LABS  47
  Lab 3.1 Footprinting Using Windows  48
  Lab 3.2 Scanning and Enumeration Using Windows  73
  Lab 3.3 Windows OS Processes and Services  81
  Lab 3.4 Vulnerability Identification and Research Using Windows  91
  Lab 3.5 Vulnerability Validation Using Windows  105
  Lab 3.6 System Remediation and Hardening Using Windows  113
  Lab 3.7 Windows Web Browser Security and Configuration  141
  Lab 3.8 Data Management Using Windows  157
  Lab 3.9 Data Backup and Recovery Using Windows  171
  Lab 3.10 Access Controls Using Windows  185
  Lab 3.11 Host Intrusion Detection Using Windows  201
  Lab 3.12 Log Security Issues Using Windows  211
  Lab 3.13 Windows Privacy and Antiforensics Issues  223
  Lab 3.14 Software Firewalls Using Windows  235
  Lab 3.15 Linksys Routers and Access Points  251
  Lab 3.16 Network Intrusion Detection Systems Using Windows  273
  Lab 3.17 Network Traffic Analysis Using Windows  285
  Lab 3.18 Virtual Private Networks and Remote Access Using Windows  301
  Lab 3.19 Digital Certificates Using Windows  315
  Lab 3.20 Password Circumvention Using Windows  323
  Lab 3.21 Antivirus Using Windows  331
  Lab 3.22 Malware Prevention and Detection Using Windows  347

CHAPTER 4: LINUX LABS  361
  Lab 4.1 Footprinting Using Linux  362
  Lab 4.2 Scanning and Enumeration Using Linux  373
  Lab 4.3 Linux OS Processes and Services  383
  Lab 4.4 Vulnerability Identification and Research Using Linux  395
  Lab 4.5 Vulnerability Validation Using Linux  401
  Lab 4.6 System Remediation and Hardening Using Linux  409
  Lab 4.7 Linux Web Browser Security  419
  Lab 4.8 Data Management Using Linux  427
  Lab 4.9 Data Backup and Recovery Using Linux  433
  Lab 4.10 Access Controls Using Linux  443
  Lab 4.11 Host Intrusion Detection Using Linux  455
  Lab 4.12 Log and Security Using Linux  461
  Lab 4.13 Privacy and Antiforensics Issues Using Linux  467
  Lab 4.14 Software Firewalls Using Linux  471
  Lab 4.15 Linksys Firewall Routers and Access Points  483
  Lab 4.16 Network Intrusion Detection Systems Using Linux  485
  Lab 4.17 Network Traffic Analysis Using Linux  493
  Lab 4.18 Virtual Private Networks and Remote Access Using Linux  505
  Lab 4.19 Digital Certificates Using Linux  511
  Lab 4.20 Password Circumvention Using Linux  523
  Lab 4.21 Antivirus Using Linux  533
  Lab 4.22 Malware Prevention and Detection  541

INDEX  545

* (wildcard), 376 Advanced tab Attack Surface Reduction (ASR), 29, - (tilde), 389 Firefox, 153-154 113,409 , 237-238, 242 attacks, Web-based, 29-30 A Advanced Tools, Vista, attrib command, 181 A (address) record, 20 84-85 audible alerting, Snort, 280-281 -A flag Advanced Wireless Settings subtab, audit account logon events, 214 iptable command, 472 Linksys WAP, 266-267 audit policies, Local Computer ps command, 384 adware Policy, 213 AAAA (address) record, 20 Ad-Aware, detecting with, Audit Policy, 118-119 absolute mode, chmod command, 350-352 :J authentication, 4 447-449 Adblock Plus, detecting with, Automatic Lock settings, ZoneAlarm, ACCEPT policy, 474 353-354 245-246 access control lists (ACLs), 3 overview, 44 Autoruns, 86-87 access controls Spybot - Search & Destroy, AVG , 335-339 file system access controls, Linux, detecting with, 347-348 445-452 Alert rule, Snort, 487 B overview, 4-5, 31-33, 443 alerts backdoors, 18, 44 user access controls, Linux, Snort, 280-281 backup and recovery 443-445 ZoneAlarm, 243, 246-247 Backup or Restore utility, Windows, 185-200 amap, 374-375 Windows, 171-178 Access Point mode, Linksys WAp, 264 anti-forensics of drive images, 436-437 Access Restrictions, Linksys, issues in Windows, 223-233 overview, 31 253-255 issues using Linux, 467-469 recovering deleted files, 437-440 Ack option, Snort, 488 overview, 7-8, 36 with SyncToy, 178-180 ACLs (access control lists), 3 antivirus software using Linux command-line tools, Activate rule, Snort, 487 existing antivirus evaluation, 433-436 Active Directory, 42, 189-191 Windows, 331-332 Windows Recovery Console, active stack fingerprinting, 23, free tools, Windows, 332-343 180-182 77-78, 376-379 for Linux, 533-537 Backup and Restore Utility, Ad-Aware, 350-353 overview, 331 Windows, 176-178 Adblock Plus add-on, 353-357, types of malicious codes, 43-44 Basic Settings window, Linksys 420-421 AP Client mode, Linksys W AP, 264 WAP,258 Add A Port option, Windows AP Mode subtab, Linksys W AP, 
Bastille Linux, 414-416 Firewall, 237 263-264 batch command, 181 Add-ons dialog box, Firefox, Apache Web server Benchmark Report, CIS NG Scoring 420-421 hardening, 411-412 Tool, 92-93 address (A) record, 20 overview, 29 BHOs (Browser Helper Objects), 350 address (AAAA) record, 20 requesting certificates through, Ibin directory, 32, 446 ADMIN$ share, 186, 190 515-520 Bind, hardening, 412-413 Administration utility Application Log Properties window, blocking Linksys Firewall, 255 Event Viewer, 212 adware, 355-357 Linksys WAP, 261-269 Application logs, Microsoft Event content, Firefox, 149-150 administrative shares, 186, 190 Viewer, 35 ident probes, 478 administrator, systems application-level proxy firewall, 37 Iboot directory, 32 maintaining log files, 217 applications. See software bootcfg command, 181 obtaining SAM file, 323 ARIN Web site, 57-58 bots, 347, 541 Advanced mode, Backup and ASR (Attack Surface Reduction). Browser Helper Objects (BHOs), 350 Restore Utility, 176-178 See Attack Surface Reduction browsing history, deleting, 223 Advanced Settings window, (ASR) buffer overflows, 26 ZoneAlarm, 244 asterisk (*) wildcard, 376 Bugtraq, 101-102


c clearlogs, 218-219 Create Supervisor Password window, -c flag, WinDump, 285 file system access controls, Linux, IE Content Advisor, 146-147 -c option 445-450 Critical Objects, Ad-Aware, 351 ( ping command, 366 log files, Linux, 461-462 cross-site scripting (XSS), 29, 30 useradd command, 526 network reconnaissance, Linux, CS Lite Options dialog box, I C switch, chkntfs command, 162 362-370 422-423 C$ share, 186, 190 network reconnaissance, Windows, CVE (Common Vulnerabilities and cables, Ethernet, 252 48-54 Exploits),98-100 Capture Filters screen, Wireshark, running chkdsk from, Windows, 292-293 157-160 D scanning and enumeration, Capture Interfaces screen, Wireshark, -D flag, iptable command, 473 Windows, 73-74 292 -d option, useradd command, 526 security default reset, Windows, 113 CAs (certificate authorities), 41-42, ID switch, chkntfs command, 162 315-319,511 system hardening, Linux, 409-411 daily backup, 173 CCleaner, 226-228 user management, Linux, 445 Darik's Boot and Nuke (DBAN), cd command, 181 using TrueCrypt, 450-452 230-231 Center for Internet Security (CIS) wipe tool, Linux, 467-468 data backup and recovery. See tools, 91-94, 395-397 command-line tool, SCW, 129, backup and recovery certificate authorities (CAs), 41-42, 133-134 data management 315-319,511 Common Vulnerabilities and Exploits certificate publishers, 41 (CVE),98-100 drive management, Linux, 427-429 Certificate Services, Microsoft, 42, 127 Computer Management window, drive management, Windows, certificates. 
See digital certificates Windows, 306-307 157-169 chage command, 526-527 Computer scanner tab, AVG, 337 exploring file systems, Linux, chains, 471-474 configuration files 429-430 channel, Linksys W AP, 259 file-integrity tool, 34 overview, 30-31, 427-431 chdir command, 181 Snort, 488-489 data storage options, SyncToy, chkdsk command, 157-161, 181 Confirm Attribute Changes dialog 179-180 ( chkntfs command, 161-162 box, 192-193 DBAN (Darik's Boot and Nuke), chkrootkit command, 541 Connection Manager window, 230-231 chmod command, 447-448, 524 N essus WX, 97 dd tool, Linux, 436-437 chown command, 525 console users, 190 DDoS (distributed denial-of-service) CIDR format, 488 container files, TrueCrypt, 450-452 attacks, 33 cipher command, 193-194 Content Advisor, Internet Explorer, Default Web Site Properties, lIS, 122 circuit-level proxy firewa1ls, 37 146-148 . del command, 181 CIS (Center for Internet Security) Content option, Snort, 488 Delegation signer (DS) record, 20 tools, 91-94, 395-397 Content tab, Firefox, 149-150 delete command, 181 CIS Benchmarks, 395 Contribute option, SyncToy, 179 deleted files, recovering, 437-440 ClamWin antivirus software, 332-335 cookies deleting browsing history, 223 Clean Disk Security, 229-230 Ad-Aware, detecting with, denial of resources, 46 350-352 Clear Private Data options, Firefox, denial-of-service (DoS) attacks, 33 225-226, 420 Adblock Plus, detecting with, deny permissions, 188, 191 clearlogs, 211, 218-219 353-354 destination port modules, 476 clients Firefox options for, 151, 423 destination specification rules, 475 hardening with Microsoft Security Internet Explorer settings for, Idev directory, 32, 437 Guide, 115-117 144-146 DHCID (DHCP identifier) record, 20 Microsoft VPN, 301-304 Spybot - Search & Destroy, security, 8-9 detecting with, 347-348 differential backup, 173 cls command, 181 copy backup, 173 dig (domain information groper), 64-65 color schemes, Wireshark, 294, 500 copy command, 181 dig command, 365-366 command 
command line
  access control testing with, Windows, 185-186
  backup and recovery from, Linux, 433-436
CPU utilization, sorting processes by, 385
cracking passwords, 527-529
Crawl website option, Sam Spade, 60-61
digital certificates
  Linux, 42, 511-521
  overview, 41-42
  Windows, 42, 315-321
digital forensics, 7-8

dir command, 181 EM (evidentiary material), 7 f flag, top command, 387 directories e-mail addresses, 19 Factory Defaults window, Linksys, access control, Linux, 446-450 enable command, 181 257, 269 permissions, 448-450 Encrypting File System (EFS), 32, FAT file system, 32 sticky bit, 447, 450 192-195 FAT32 file system, 32 virtual, 125 . encryption file access control, 195-197 disable command, 181 EFS, 32 file integrity Disk Defragrnenter, 162-163 Linksys WAP, 259-260 Integrit, monitoring with, 456-457 disk imaging, 436-437 TrueCrypt, 196, 450-452 LAN guard S.I.M., monitoring disk inconsistencies, 429-430 Encryption Options window, with,204-209 Disk Management, 164-167 TrueCrypt, 196 Linux hash command, monitoring diskpart command, 181 enumeration with, 455-456 distributed denial-of-service (DD oS) fingerprinting, 18 MD5Summer, testing with, attacks, 33 with Linux command line, 201-204 DNS (Domain Name System) 373-374 tJ file server, 127 overview, 20-21 with NMap, 77-78, 376-379 file sharing, 187 query using Sam Spade, 63 overview, 22-25, 73, 373 file systems query with Linux commands, scanning with THC-Amap, access controls, 445-450, 450-452 365-366 374-375 exploring in Linux, 429-430 WHOIS,19 TCP lIP family of proto"cols, 23-24 fixing inconsistencies in, 427 DNSKEY (DNS Key) record, 20 using SuperScan for Windows, joumaling, 467 domain controller, 127 74-76 files domain information groper (dig), with Windows command line, recovery, 437-440 64-65 73-74 restoring, 435 Domain Name System (DNS). 
See erasing hard disks, 230-231 filter table, 471, 474-477 DNS (Domain Name System) ESTABLISHED state, 477 filters domain-level Administrator, 323 I etc directory, 32 Adblock Plus, 357 domains etc/passwd file, 409-410 Tcpdump, 495-496 queries, 19 etclsshl sshd_config file, 409-410 Wireshark, 291-293, 497-498 security, 10 Ethemet cables, 252 fingerprinting, 18, 22, 77-78, user access controls in, 189-192 event logging, Windows, 213-217 376-379 DoS (denial-of-service) attacks, 33 Event Viewer Firefox, Mozilla drive images, recovery of, 436-437 audit account logon results in, Adblock Plus add-on, 353-357 drive management 214-215 cleanup in, 225-226 Linux, 427-429 configuring, 213 overview, 30 using chkdsk command, 157-161 log security issues, 211-212 securing configuration of, 419-424 using chkntfs command, 161-162 Security Log Properties, 215 security settings, 148-154 using Disk Defragrnenter, 162-163 Snort alerts in, 281-282 Web reconnaissance using, 55-59 firewall routers, Linksys, 251~257 using Disk Management, 164-167 types oflogs in, 35 firewalls Drive Properties window, 167 viewing scan results in, 207-208 Linksys hardware, 38 DROP policy, 473 evidentiary material (EM), 7 Linux, 37, 471-479 DS (Delegation signer) record, 20 Exceptions tab, Windows Firewall, overview, 3 dumpfile, 290 236-237, 241, 306 software, 36-38 Dynamic rule, Snort, 487 execute (x) permission, 446 understanding role in information exit command, 181 E security, 12 expand command, 181 -E option, chage command, 526 Windows, 235-249 ext3 file system, 429 -e option, useradd command, 526 ZoneAlarm settings, 243-244 extrusion, 11 Echo option, SyncToy, 179 Firmware Upgrade subtab, Linksys Edit Target window, NessusWX, 97 F WAP, 268 Effective Permissions tab, Properties F flag First Run Wizard, AVG, 335-336 window, 192 iptable command, 473 first-party cookies, 145 EFS (Encrypting File System), 32, ps command, 384 fixbootcommand,181 192-195 top command, 385-386 fixmbrcommand,181 EICAR test file, 
535-537
f flag, fsck, 428
Flags option, Snort, 488

footprinting hash cracker, 529 information theft, 30 See also Sam Spade hash utility infrastructure server, 127 DNS,20-21 Linux, 455-456 inheritance, permission, 191-192 network reconnaissance, 21-22 Windows, 201-204 INPUT chain, filter table, 474 overview, 18, 48 help command, 181 insane timing, 377 using command line, Windows, hijacking, session, 30 installing 48-54 hisecws template, 118 AVG, 335-336 using Linux, 362-371 Ihome directory, 32 certificates, 318 using Web Browser, Windows, honeypots, 38 Linksys firewall, 257-260 55-59 Host and Service Discovery tab, ZoneAlarm Basic, 242 Web reconnaissance, 18-19 SuperScan, 75 integrit, 34, 456-457 WHOIS, 19-20 host command, 364-365, 366 interactive mode, fsck, 427 forensics, digital, 7-8 Host option, ping command, 367 interface rules, 475 format command, 181 host -t rnx command, 366 Internet FORWARD chain, filter table, 474 host-based firewalls, 3;; See also Web reconnaissance FQDN (fully qualified domain host-based IDS cleanup, 223-226 name), 20 Linux, 455-459 gathering inverse mapping fsck utility, 427-429 Windows, 201-208 information, 364-365 fstab file, 429-430 hosts hardening servers, Linux, 409-414 fully qualified domain name allowing connections through Web requesting certificates through, (FQDN),20 interface, 310-311 515-520 G allowing user access to, 306-307 security and configuration of -g flag, lsof command, 390 connecting remote computer to, browser, 29-30, 141-155, -G option, useradd command, 526 307-310 419-425 -g option, useradd command, 526 executing code on remote, 405-406 Internet Access policy, 253-254 General tab scanning with amap, 374-375 Internet Connection Firewall, MSConfig utility, 84 -Hq flag, amap, 374 Windows, 240-242 Windows Firewall, 235, 236, 241 HTTP, 217 Internet Control Message Protocol global.conf file, 412 I (ICMP), 21-22, 23, 51-53 graphical user interface (GUI), -I (Uppercase i) option, chage com- Internet Explorer (lE) SCW; 129 mand,526 cleanup in, 223-225 grep command, 446-447 
-I flag, iptable command, 472 overview, 39 Group Policy Editor, 117-121, 134, -i option, ping command, 366 security settings, 141-148 135, 182 IAS server, 127 Web reconnaissance using, 55-59 Group Policy Wizard, 116 ICMP (Internet Control Message Internet Information Services (lIS) groups Protocol), 21-22, 23, 51-53, allowing remote connections identifying in directory listing, 446 366-368 through Web interface, 310 managing from command line, 445 ICMP Settings window, Windows log files, 216 managing with Yast, 443-445 Firewall, 239 securing, 121-126 GUr (graphical user interface), ident probes, 478 security problems In, 29 SCW,129 IDS (intrusion detection systems). See Internet Network Information H intrusion detection system (IDS) Center (InterNIC), 19 -H flag, amap, 374 IDScenter, Snort, 275-282 Internet Options window, lE, hard disks, wiping, 230-231 IDScenter configuration dialog box, 224-225 hard links, 446 275-277 Internet zone, Internet Explorer, 142 hardening system lE (Microsoft Internet Explorer). See Internet-facing servers, hardening, with Bastille, 414-416 Internet Explorer (lE) 409-411 overview, 28-29, 409 lIS (Internet Information Services). InterNIC (Internet Network server configuration and security, See Internet Information Information Center), 19 Linux, 409-414 Services (lIS) InterNIC Web site, 56-57 Windows, 113-140 lIS Lockdown Tool, 29, 121-126 intrusion detection systems (IDS) hardware images,. blocking, 355-357 See also host-based IDS; See also Linksys hardware incremental backup, 173, 434 network-based IDS SOHO devices, 251 Infections tab, AVG, 339 LANguard S.I.M., 33, 204-209 { Index 549

Linux file integrity, 34 password circumvention, 523-531 LOG target, 477-478 overview, 11-12 permissions, 32, 523-527 logical drives, creating, 164-167 f) types of attacks, 33-34 privacy issues, 467-469 login screen, Linksys W AP, 260 --_/ Windows file integrity, 33-34 ps command, assessment with, logon command, 181 INVALID state, 477 383-384 Logon Information Properties inverse mapping, 19, 364-365 rainbow tables, 529 window, 138 IP address, 188, 190-191 remote access, 505-509 logrotate, Linux, 462-463 IP header, 289 software firewalls in, 471-479 long directory listing, 446 IPC$ share, 186, 190 top command, assessment with, Is of command, 388-391 , Linux, 37 384-388 M IPSECKEY (IPSEC Key) record, 20 user access controls, 443-445 -m option , 37, 471-474, 477-479 VPNs, 505-509 chage command, 526 Itype option, Snort, 488 vulnerabilities, 26-27, 395-399, 523 traceroute command, 369 J vulnerability validation, 401-407 -M option, chage command, 526 John the Ripper, 523-529 Web browser security, 419-425 mac module, 477 journaling file systems, 467 Linux command line mail exchange (MX) record, 20 backup and recovery from, K Main TrueCrypt Window, 195 433-436 main. 
cf file, 414 k flag, top command, 387-388 file system access controls from, malware KDE Desktop, 505 445-450 antivirus testing, Linux, 535 KDE Remote Desktop, 506-508 log files, 461-462 clearlogs, 211 kernel logging, 477 system hardening, 409-411 on Linux systems, 533 KEY record, 20 user management, 445 overview, 44-45, 347 killing processes, 387-388 using TrueCrypt, 450-452 prevention and detection in Linux, Klarru\V, 533, 535-537 wipe tool, 467-468 541-543 L listsvc command, 181 using Ad-Aware, 350-353 -1 (Lowercase L) option, chage com- live capture, Wireshark, 500-501 using Adblock Plus for Firefox, mand,526 Live OneCare (LOC), Windows, lD\' 353-357 LANguard System Integrity Monitor 340-343 using Spybot - Search & Destroy (S.LM.), 33, 204-209 LOC (Location) record, 20 1.6.0, 347-350 limit module, 477 Local Area Connection Properties Management tab, Linksys WAP, 267 Linksys hardware window, 240 mangle table, 471 broadband router, 38 Local intranet zone, Internet map command, 181 firewall routers, 251-257 Explorer, 142, 144 mapping network drives, 188-189, overview, 251 Local Machine Policy, 213 190-191 WAP,257-269 Local Resources options window, master password, Firefox, 420 Linux Remote Desktop Connection, MBSA (Microsoft Baseline Security antiforensics issues, 467-469 308-309 Analyzer), 94-96 antivirus software for, 533-537 Location (LOC) record, 20 md command, ! 
81 backup and recovery in, 433-441 Lockdown Tool, IIS, 121-126 MD5Summer, 201-204 digital certificates, 42, 511-521 log files member server, 127 drive management in, 427-429 Ad-Aware, 352 Metasploit framework, 105-109, file system access controls, 445-452 Linksys, 256 401-406 file systems in, 429-430 in Linux, 35, 461-465 Microsoft antivirus, 340-343 firewalls, 37 LOC,343 Microsoft Baseline Security Analyzer footprinting, 362-371 overview, 34 (MBSA), 94-96 intrusion detection in, 34, 455-459 security issues in Windows, Microsoft Certificate Authority (CA), log files in, 35, 461-465 211-222 315-319 lsof command, assessment with, Snort, 275, 279-280 Microsoft Certificate Services, 42 388-391 Windows, 35 Microsoft Internet Explorer (lE). See malware prevention and detection Windows Firewall, 238-239 Internet Explorer (lE) in, 541-543 ZoneAlarm,246-247 Microsoft Management Console network IDS, 485-491 Log rule, Snort, 487 (MMC), 134-138,212-217. ~ overview, 383 Log subtab, Linksys W AP, 268 See also snap-ins, MMC 550 Index

Microsoft Remote Desktop protocol network reconnaissance (RDP),305-311 overview, 21-22 Autoruns, 86-87 Microsoft Security Guides, 115-117 ping (Packet InterNet Groper), 21 monitoring processes and services, , Microsoft Server 2003 Security with Sam Spade, 65-67 Windows, 25 Guide, 126-128 traceroute, 21-22 MSConfig utility, 83-84 Microsoft System Configuration using Linux command line, Performance Information and (MSConfig) utility, 83-84 362-370 Tools, Windows, 84--85 Microsoft update Web site, 114-115 using Windows command line, processes, Linux, 383-391 Microsoft VPN client, 301-304 48-54 processes, Windows, 81-82 Midnight Commander, Linux, network traffic analysis services, Linux, 383-391 437-440 See also firewalls services, Windows, 82-83 MIRROR target, 478 Linux, 493-502 Windows Defender, 85-86 mkdir command, 181 overview, 39-41 Options tab, CCleaner, 228 MMC (Microsoft Management Windows, 285-300 Options window, Firefox, 148-154 Console), 134-138,212-217. network-based firewalls, 37 organizational queries, 19 See also snap-ins, MMC network-based IDS organizations more command, 182 Linux, 485-491 determining role of server in, 127 mounted partitions, 436 overview, 38-39 information collection using Web Mozilla Firefox. See Firefox, Mozilla using Windows, 273-283 Browser, 55 MS 04-011 exploit, 106, 402 networks OUTPUT chain, filter table, 474 MSConfig (Microsoft System See also virtual private networks OUTPUT policy, 473-474 Configuration) utility, 83-84 (VPN) overwriting files, 467 Msg option, Snort, 488 security, 12-13 Owner tab, Properties window, 192 .msi software kits, 115-116, 126 trusted, 3, 9 ownership, file, 450 multiprogramming, 81, 383 untrusted, 3, 9 P MX (mail exchange) record, 20 New Connection Wizard, Windows, p flag, top command, 387 N 301-303 -p option, Linux traceroute com- New Local Group window, Yast, n flag mand,369 ( tail command, 462 444 Packet InterNet Groper (ping). 
See top command, 386 New Partition Wizard, 165-166 ping (packet InterNet Groper) -N flag, iptable command, 472 NEW state, 477 packet logger mode, Snort, 39 name server lookup, Sam Spade, 64 New Technology File System packet sniffing name server (NS) record, 21 (NTFS),32 overview, 39-40 named.conf file, 413 Next-Secure (NSEC) record, 21 WinDump, 285-291 NASL (Nessus Attack Scripting NG Scoring Tool, 91-94, 395':"'397 Wireshark, 291-297 Language), 27, 397 NIC (network interface card), packet-filtering firewall, 36 nat table, 471 273-274 packet-matching modules, 476 National Vulnerability Database Web NMap, 77-78, 376-379 packets site, 99-100 noninteractive mode, fsck, 427 analysis, 497-502 nbtstat command, 73-74, 185-186 nonterminating target, 477 capturing, 286-291 Nessus Attack Scripting Language normal backup, 173 capturing, Wireshark, 293-297, (NASL), 27, 397 now argument, rdiff -backup, 435 497-501 Nessus Project, 27, 96-98, 397 NS (name server) record, 21 collecting, Snort, 275 Net Use command, 185 NSEC (Next-Secure) record, 21 iptables, 471 Netcat tool, 373-374 NSEC3 (NSEC) record, 21 kernel logging, 477 Network Connections Settings, nslookup, 20, 48-51, 365 processed in WinDump, 285-286 Windows Firewall, 238 NTFS (New Technology File paranoid timing, 377 network drives, mapping, 188-189, System), 32 partitions, 164--167 190-191 null session, 185-186 pass phrase, 515, 518 network interface card (NIC), 273-274 0 Pass rule, Snort, 487 network intrusion detection mode, Omine NT Password & Registry passive stack fingerprinting, 23 Snort, 39 Editor, 325-328 password aging, 526 Network Mode, Linksys WAP, 259 OpenSSL, 42, 511-520 Password Policy options, Security network queries, 19 openSUSE, 443, 461 Console, 119-120 (- Index 551

passwords print server, 127 WinDump, 285, 290-291 circumventing, 43, 323-329, pnvacy wipe command, 468 o 523-531 issues in Windows, 223-233 R flag, top command, 386 cracking with John the Ripper, issues using Linux, 467-469 -R option, Linux ping command, 527-529 overview, 36 366 Firefox, 420 settings in Internet Explorer, rainbow crack, 529 Linksys router, 255 144-146 rainbow tables, 325, 529 Linksys WAP, 258 Privacy Objects, Ad-Aware, 351 rd command, 182 remembering on Internet sites, 151 Privacy tab rdiff-backup tool, Linux, 433-436 Supervisor, Internet Explorer, Firefox, 151-152, 225-226, 420 RDP (Remote Desktop protocol), 146-147 Internet Explorer, 145 305-311 TrueCrypt, 196-197, 451 private data, deleting, Firefox, 225-226 read (r) permission, 446 payload, 107, 403 private keys, 315 record types, DNS, 20-21 PEM pass phrase, 515, 518 Iproc directory, 32 recovery, data. See backup and penetration testing processes tl recovery with Metasploit framework, assessment of, Windows OS, 81-82 registrar queries, 19 105-109, 401-406 lsof command, assessment with, REJECT policy, 474 overview, 6-7 388-391 REJECT target, 478 Performance Information and Tools, OS monitoring of, 25 RELATED state, 477 , 84-85 overview, 383 remediation. See system remediation perimeter defense, 9-10 ps command, assessment with, remote access permissions 383-384 connecting to host, 307-310 identifying in directory listing, 446 top command, assessment with, Linux, 505-509 inheritance, 191-192 384-388 with Microsoft RDP, 305-311 Linux, 32, 523-527 using ps command, 384 . overview, 3-4 setting with chmod command, Program Control options, VPNs,41 447-450 ZoneAlarm, 244-245 Remote Desktop Connection, UNIX, 32 promiscuous mode, 39 307-310 •.(... 
'/) \1) Permissions tab, Properties window, Properties window, LANGuard SIM Remote Desktop protocol (RDP), 190 3,205-206 305-311 persistent cookies, 145 protocols Remote Desktop Web Services, personal firewalls, 37 filter table rules, 474 310-311 physical security, 27 tcpdump qualifiers, 496 Remote ·tab, System Properties win- ping (Packet InterNet Groper) ps command, Linux, 383-384 dow,305 Linux, 366-368 public key infrastructure (PKI), 26, ren command, 182 network reconnaissance, 21, 65-66 41, 315, 511 rename command, 182 using nmap, 376 public keys, 315, 511 requesting certificates, 316-317 Web reconnaissance, 51-53 PWDump7, 323-325 resetting routers, 257 PKI (public key infrastructure), 26, Q resources 41, 315, 511 -q flag, amap, 374 denial of, 40 - point of contact queries, 19 -q option identifying source of attacks on, 25 policies, chain, 471 ping command, 366 identifying with enumeration, 23 Policy Template tools, 117-118 traceroute command, 369 Restricted sites zone, Internet port scanning qualifiers, tcpdump, 496 Explorer, 142 Resultant Set of Policy snap-in, 135 with nmap, 376-377 queries overview, 18 reverse lookup, nslookup utility, DNS, 20, 63 Windows, 50 with THC-Amap, 374-375 host, Linux, 364-365 Windows command line, 74-76 WHOIS, 19,362-364 rm command, 467 Port Services screen, Linksys, 254 rmdir command, 182 ports R Iroot directory, 32 adding to Windows Firewall, 237, 241 r (read) permission, 446 root privileges, 390 testing with netcat, 373 -r flag rootkits, 347, 541-542 Postfix, hardening, 413-414 Netcat tool, 373 rotating log files, 280, 462-463 preprocessors, IDScenter, 278, 279 rdiff -backup, 435 routers. 
552 Index

See firewall routers, Linksys
rules
  chain, 472-473
  Snort, 487-488
rules files, Snort, 279

S
-s option
  ping command, 367
  useradd command, 526
salting, 529
SAM (security account management) file, 323, 523
Sam Spade
  dig, 64-65
  DNS query using, 63
  gathering Web site information with, 59-60
  gathering WHOIS information with, 61-63
  ping, 65-66
  traceroute, 66-67
  Web crawling with, 60-61
/sbin directory, 32
scan jobs, 205-207
scanner software, 23
scanning
  generic enumeration with Linux command line, 373-374
  with Nessus, 27
  with NMap, 77-78, 376-379
  overview, 18, 22-25, 73, 373
  the TCP/IP family of protocols, 23-24
  with THC-Amap, 374-375
  using SuperScan for Windows, 74-76
  Windows command line, 73-74
schedule, backup, 174
Schedule Job window, Backup Utility Advanced Mode, 177-178
scwcmd.exe, 129, 133-134
Secure Shell (SSH), 409-411, 507-508
security account management (SAM) file, 323, 523
security alerts, ZoneAlarm, 243
Security Configuration and Analysis tool, 117, 120-121
Security Configuration Database, 129
Security Configuration Wizard, 2003, 129-134
security default reset, Windows, 113
security domains, 10
Security Education, Training, and Awareness (SETA), 8-9
Security Guides
  Microsoft Server 2003, 126-128
  overview, 115-117
Security logs, Event Viewer, 35, 215
security perimeter, 9-10
Security tab, Firefox, 152-153, 419
security templates, Windows, 116-117, 127
Security window, Linksys Firewall, 253
Security Zones, Internet Explorer, 141-144
SecurityFocus' BugTraq Web site, 101-102
Select Users window, Windows, 307
self-signed CA certificate, 515
Seq option, Snort, 488
servers
  connecting to VPN, 304
  hardening Internet-facing, Linux, 409-414
  opening tunnels to, 508
  security, 11
Service locator (SRV) record, 21
Service Report, CIS NG Scoring Tool, 93-94
services
  assessment of, Windows OS, 82-83
  Autoruns, managing with, 86-87
  closing unnecessary, 24
  Linksys settings, 254
  lsof command, assessment with, 388-391
  MSConfig utility, managing with, 83-84
  OS monitoring of, 25
  overview, 383
  Performance Information and Tools, managing with, 84-85
  ps command, assessment with, 383-384
  top command, assessment with, 384-388
  Windows Defender, managing with, 85-86
Services tab, MSConfig utility, 84
Services View, Windows, 82-83
session cookies, 145
session hijacking, 30
set command, 182
Set Schedule window, 174
SETA (Security Education, Training, and Awareness), 8-9
setgid permission, 447, 449
setuid permission, 447, 449
Setup encryption window, Linksys WAP, 259-260
Setup tab, Linksys WAP, 263-264
Setup Wizard, Linksys, 257-260
shares, administrative, 186, 190
S.I.M. (LANguard System Integrity Monitor), 33, 204-209
small office/home office (SOHO) device, 251
snap-ins, MMC
  Event Viewer, 213
  Group Policy Editor, 182
  Group Policy Object Editor, 135
  Policy Template tools, 117-118
  Resultant Set of Policy, 135
  Security Configuration and Analysis tool, 117
  Security templates, 117-118
  Wireless Monitor, 134-135
snapshots, deleting, 435-436
sniffer mode, Snort, 39
SNMP subtab, Linksys WAP, 268
Snort
  base configuration, 273-275
  IDScenter, 275-282
  installation, 273-275
  Linux network IDS, 485-489
  overview, 39
SOA (start of authority) record, 21
software. See specific software by name
software firewalls
  Linux, 471-479
  overview, 36-38
  Windows, 235-249
Software Restriction Policies, Group Policy Console, 135-137
SOHO (small office/home office) device, 251
sorting methods, process, 385-386
source port modules, 476
source specification rules, 475
SPI (stateful packet inspection) firewall, 37
Spybot - Search & Destroy, 347-350
spyware
  Ad-Aware, detecting with, 350-352
  Adblock Plus, detecting with, 353-354
  overview, 44
  Spybot - Search & Destroy, detecting with, 347-348
SRV (Service locator) record, 21
SSH (Secure Shell), 409-411, 507-508
SSID, Linksys WAP, 259, 260-261
SSID Broadcast function, Linksys WAP, 265
stack fingerprinting, 22
start of authority (SOA) record, 21
Startup tab, MSConfig utility, 84
state, connection tracking, 477
stateful packet inspection firewall (SPI), 37
Status tab, Linksys WAP, 262
Status window, Linksys, 252-253
sticky bit, 447, 450
Stored User Names and Passwords window, 137-138
su command, 523
-sU flag, nmap, 377
suid files, 446-447
superblocks, 467
SuperScan, 74-76
Supervisor password, Internet Explorer, 146-147
symbolic mode, chmod command, 447, 449
SYN stealth scans, 377
Synchronize option, SyncToy, 179
SyncToy, 178-180
syslog-ng log daemon, 461
system cleanup, 226-230
system hardening. See hardening system
system integrity monitor, 33-34
System logs, Microsoft Event Viewer, 35
System Properties window, Windows, 305
system remediation
  Linux, 409-417
  Windows, 113-140
systemroot command, 182
%systemroot% variable, 186, 190
Systems Information Software Environment, Microsoft Vista, 85

T
-T flag, nmap, 377
-t modifier, Linux, 366
TAI (Threat Analysis Index), 353
tail command, 461-462
target extensions, iptable, 477-479
targets, rule, 475
TARPIT target, 478
Task Manager, Windows, 81-82
TCP
  ACK flag, 24
  FIN flag, 24
  NULL flag, 24
  scanning ports with nmap, 376-377
  SYN flag, 24
  testing ports with netcat, 373
TCP Connect, 24
tcp flags modules, 476
TCP header, 289
tcp modules, 476
Tcpdump, 493-496
TCPDump for Windows (WinDump), 285-291
TCP/IP
  family of protocols, 23-24
  handshake, 23-24
  Ping utility, 21
  port scanning, 74-76
  Traceroute, 21-22
templates, Windows security, 116-117, 127
Temporary Internet Files and History Settings window, IE, 224
Text (TXT) record, 21
theft, information, 30
third-party cookies, 145
Threat Analysis Index (TAI), 353
threats, versus vulnerabilities, 26
three-way handshake, 375
tilde (~), 389
Time-To-Live (TTL), 21-22, 367
timing options, nmap, 377-378
Tools tab
  CCleaner, 228
  Spybot - Search & Destroy, 348-349
top command, 384-388
TOS (Type of service) option, ping command, 367
touch command, 524
traceroute
  in Linux, 369-370
  network reconnaissance, 21-22, 66-67
  Web reconnaissance, Windows, 53-54
tracert command, 53-54
tracking file changes, 462
traffic analysis
  Linux, 493-502
  Windows, 285-300
transfer direction, 496
Trojans, 44
TrueCrypt, 195-197, 450-452
TrueCrypt Volume Creation Wizard, 195-196
trusted network, 3, 9
Trusted sites zone, Internet Explorer, 142
/T:time switch, chkntfs command, 162
TTL (Time-To-Live), 21-22, 367
Ttl option, Snort, 488
tunnels, opening encrypted, 508
TXT (Text) record, 21
type command, 182
Type of service (TOS) option, ping command, 367

U
-u flag, Netcat tool, 373
-u option, useradd command, 526
UDP (User Datagram Protocol)
  overview, 23
  scanning ports with nmap, 377
  scanning with amap, 375
  testing ports with netcat, 373-374
udp modules, 476
uid.conf file, 412
UNIX
  nslookup command, 365
  permissions, 32
untrusted network, 3, 9
URLScan, 125
user access controls
  in domains, 189-192
  in Linux, 443-445
  overview, 31-33
  in Windows, 186-189
User Datagram Protocol (UDP). See UDP (User Datagram Protocol)
user ID, 446
User Report, CIS NG Scoring Tool, 93
useradd command, 525-526
users, adding in Linux, 525-526
/usr directory, 32
usr.conf file, 456
/usr/src directory, 457

V
-v flag
  amap, 374
  Netcat tool, 373
-v option, ping command, 366
validation, vulnerability, 28
/var directory, 32
variables, Snort, 278
/var/log/httpd log, Linux, 35
/var/log/lastlog log, Linux, 35
/var/log/maillog log, Linux, 35
/var/log/messages log, Linux, 35
/var/log/secure log, Linux, 35
/var/log/utmp log, Linux, 35
/var/log/wtmp log, Linux, 35
vhost-ssl.conf file, 515, 519
virtual directories, 125
virtual network computing (VNC), remote access with, 505-508
virtual private networks (VPNs). See VPNs (virtual private networks)
virus scans
  AVG, 337-339
  ClamWin, 332-335
  KlamAV, 536-537
  LOC, 341
viruses
  on Linux systems, 533
  overview, 43
VNC (virtual network computing), remote access with, 505-508
Volume Password, TrueCrypt, 196-197
Volume Size window, TrueCrypt, 196
volumes, TrueCrypt, 450-452
VPN Connection login window, 304
VPN Connection Properties window, 303-304
VPNs (virtual private networks)
  Linux, 505-509
  with Microsoft VPN client, 301-304
  overview, 3, 41
vulnerabilities
  assessment, 5-6
  Linux, 26-27, 395-399
  penetration testing for, 6
  remediation, 28-29
  validation, 28, 105-111, 401-407
  Windows, 91-104
  Windows Server 2003, 26

W
w (write) permission, 446
-w flag, WinDump, 285, 290
-W option, chage command, 526
-w option, traceroute command, 369
WAPs (wireless access points). See wireless access points (WAPs)
warn log file, 461
Web browsers
  cleanup, 223-226
  gathering inverse mapping information, 364-365
  requesting certificates through, 515-520
  security and configuration, 29-30, 141-155, 419-425
  Web reconnaissance using, 55-59, 370
Web Crawler tool, Sam Spade, 60-61
Web Distributed Authoring and Versioning (WebDAV) feature, 125
Web login window, Linksys WAP, 260
Web reconnaissance
  See also Sam Spade
  overview, 18-19
  using command line, Windows, 48-52
  using Web Browser, 55-59
  using Web browser, 370
Web server, 127
Web server logs, 217
Web sites
  See also specific Web sites by name
  gathering information with Sam Spade, 59-60
  Web reconnaissance, 18-19
Web-based attacks, 29-30
WebDAV (Web Distributed Authoring and Versioning) feature, 125
Webmaster, 18-19
WHOIS
  gathering information with Sam Spade, 61-63
  gathering information with Web Browsers, 56-59
  Linux command line query, 362-364
  overview, 19-20
WHOIS lookup, ARIN Web site, 57-58
Whois Search page, InterNIC Web site, 56-57
wildcard (*), 376
Windows
  See also footprinting
  access controls, 185-200
  antiforensics, 223-233
  certificates, 42
  data backup and recovery, 171-183
  data management, 157-169
  digital certificates, 315-321
  enumeration, 73-80
  hardening system, 113-140
  intrusion detection, 33-34, 201-209
  logging, 35, 211-222
  malware prevention and detection, 347-359
  network intrusion detection systems, 273-283
  network traffic analysis, 285-300
  password circumvention in, 323-329
  privacy issues in, 223-233
  remote access, 305-311
  scanning, 73-80
  security default reset, 113
  system remediation, 113-140
  systems cleanup, 226-230
  VPNs, 301-304
  vulnerabilities, 91-104
  vulnerability validation, 105-111
  Web Browser security and configuration, 141-155
Windows Components Wizard, 310
Windows Defender, 85-86
Windows Encrypting File System (EFS), 192-195
Windows Firewall
  setting up remote desktops, 305-306
  Vista, 235-239
  Windows 2003 server, 240-242
  XP, 235-239
Windows Live OneCare (LOC), 340-343
Windows Packet Capture (WinPCap) library, 291
Windows Recovery Console, 180-182
Windows Security Center, 236
Windows Server 2003
  hardening, 126-138
  requesting CA's certificate for, 315-319
  vulnerabilities, 26
  Windows Firewall, 240-242
Windows Vista
  Performance Information and Tools, 84-85
  security configuration, 113-121
Windows XP
  security configuration, 113-121
  vulnerability validation, 105-109
WinDump (TCPDump for Windows), 285-291
WinPCap (Windows Packet Capture) library, 291
wipe tool, Linux, 467-468
wiping hard disks, 230-231
wireless access points (WAPs)
  administering, 261-267
  configuring other wireless devices from, 260-261
  hardening, 38
  installing Linksys Firewall, 257-260
  overview, 257
Wireless Bridge mode, Linksys WAP, 264
Wireless MAC Filter subtab, Linksys WAP, 266
Wireless Monitor snap-in, 134-135
Wireless Repeater mode, Linksys WAP, 264
Wireless Security screen, Linksys WAP, 261
Wireless tab, Linksys WAP, 264-267
Wireshark Network Protocol Analyzer, 291-297, 496-502
workstation template, Windows, 117-121
worms
  on Linux systems, 533
  overview, 43
write (w) permission, 446

X
x (execute) permission, 446
-x flag, iptable command, 473
x flag, ps command, 383
/X switch, chkntfs command, 162
XSS (cross-site scripting), 29, 30
X-windows protocol, 383

Y
Y flag, fsck, 428
YaST utility, 443-445, 533-534

Z
-z flag, Netcat tool, 373
Zenmap, 77-78
zombies, 347, 541
zone transfer, DNS, 20, 21, 413
ZoneAlarm, 242-247
ZoneAlarm Pro, 36
zones, Internet Explorer, 141-144
