
Index

Andrews, Chip (Special Ops Security), • Numerics • 305–306 anonymity, 34 802.11 protocols, 161–162 Apache Web , 209 802.11i encryption protocols, 165 APNIC, 51, 353 AppDetectivePro, 308, 352 application attacks, 16 Arcsight Logger, 331, 355 • A • ARIN, 51, 353 ARP (Address Resolution Protocol), 140 Absinthe, 363 ARP spoofing. See also network Abuse.net SMTP relay checker, 355 infrastructure attacks access control, 217 countermeasures, 144 access points (APs) defined, 140 MAC address of, 156 how it works, 140–141 network vulnerabilities and, 152 using Cain & Abel, 141–143 rogue wireless devices, 165 Arpwatch, 144, 356 account enumeration attacks, 257–260 Asleap, 164, 365 account lockout, 112 Asterisk, 68 Active Directory database, 93 Athena FirewallGrader, 133 Acunetix Web Vulnerability Scanner, 278, attack tree analysis, 39 288, 290, 296, 363 attacks Address Resolution Protocol (ARP), 140 account enumeration attacks, 257–259 Advanced Access Password Recovery, application attacks, 16 307, 352 ARP spoofing, 140–143 Advanced Archive Password Recovery, banner grabbing, 130–131, 255–257 102–103, 358 brute-force attacks, 95–96 Advanced Encryption Standard (AES), buffer overflows, 283–284 162, 165 code injection, 287–289 Advanced SQL Password Recovery, database attacks, 303–309 304, 306, 352 denial of service attacks, 145–147 AES (Advanced Encryption Standard), dictionary attacks, 94–95 162, 165 directory reversal attacks, 280–283 AfriNIC, 50, 353 dumpster diving, 15 Aircrack, 154, 161, 365 e-mail attacks, 252–267 AirMagnet Handheld Analyzer, 155 e-mail bombs, 252–255 AirMagnet WiFi Analyzer, 154, 166, e-mail header disclosures, 263 168–169, 365 e-mail traffic capture, 264 Airodump, 161 encrypted traffic, 160–165 AirSnort, 365 hidden field manipulation, 285–286 Akin, Thomas (Southeast Cybercrime input filtering attacks, 283–291 Institute), 251 , 267–270, 287–289 allintitle Google operator, 282 keystroke logging, 103–104 Amap, 215
Hacking For Dummies, 3rd Edition

MAC address spoofing, 143–144, 170–175 BigFix Patch Management, 227, 325, 359 malware, 264 Bing search engine, 48, 353 network infrastructure attacks, 15 BIOS passwords, 107, 358 nontechnical, 14–15 BitLocker, 198 attacks, 15 black hat hackers, 10 password cracking, 89–109 BlackKnightList, 95, 296 physical, 15 blank password, 101–102 rainbow attacks, 96 Blast tool, 146, 356 rconsole attacks, 233–236 Blaster worm, 181 reasons for, 31 blind assessment, 42, 47 SMTP attacks, 257–265 blind SQL injection, 287 SMTP relay attacks, 260–262 Blooover, 160 social engineering, 15 Bluejacking, 160, 351 SQL injection, 287–289 BlueScanner, 160, 351 storage system attacks, 309–313 Bluesnarfer, 160, 351 styles of, 32 BlueSniper rifle, 160 timing, 33 Bluetooth, 160, 351 URL manipulation, 285 BorderManager resources, 356 voice over IP, 270–276 broadcast mode, 140 vulnerability and, 33 brute-force attacks, 95–96 auditing, security, 12 Brutus Auditory Professional, 269 brute-force testing with, 296 authenticated scans, 205–206 password cracking with, 93 authorization, 18 POP3 password cracking with, 265 automated assessment, 56 Web site, 355, 358, 363 Awareity MOAT, 362 BTScanner for XP, 160, 351 buffer overflows, 223–224, 283–284 building infrastructure, physical security, 78–79 • B • business phones, 68 background checks, 49 buy-in, management, 339 BackTrack ally and sponsor, 337 capturing e-mail traffic address with, 258 benefits of ethical hacking, 339 firewall rulebase testing with, 133 establishing credibility, 340 security testing with, 154, 209 flexibility and adaptability, 341 network vulnerability testing with, 148 getting involved in business, 339–340 Web site, 355 practical advice, 337 banner grabbing. See also network speaking on management’s level, 340 infrastructure attacks value in efforts, 340–341 countermeasures, 131 what-if-scenarios, 338 defined, 130 overview, 130 , 130–131 banners, 130, 255–257 • C • Bastille Linux Hardening Program, 361 Cain & Abel.
See also software and testing Beaver, Kevin (Security On Wheels), 360 tools believability in social engineering, 69 ARP spoofing with, 141–143 Berkeley Software Distribution (BSD) r-commands, 218–220

capturing and recording voice traffic code injection, 287–289 with, 274–276 Common Vulnerabilities and Exposures, capturing e-mail traffic with, 264 55, 363 cracking Oracle password hashes CommView with, 307 denial of service testing with, 146 network analysis with, 105, 121, 135 network analysis with, 106, 135 password cracking with, 92, 304 Web site, 357, 362 Web site, 356, 358, 362 CommView for Wi-Fi, 166–167, 365 Camtasia Studio, 41 Computer Underground Digest, 354 Canary Wireless, 155 contingency plan, 18 cantenna, 155, 365 COPS, 223 CAPTCHA, 255, 297 copy rooms, 81 Car Whisperer, 160, 351 Counter Mode with Block Chaining Carrier Sense Multiple Access/Collision Message Authentication Code Avoidance (CSMA/CA) protocol, 175 (CCMP), 162 case studies countermeasures database hacking, 305–306 account enumeration attacks, 257–260 e-mail attacks, 251 ARP poisoning, 144 messaging-system attacks, 251 ARP spoofing, 144 network infrastructure attacks, 118 banner attacks, 257 password cracking, 87 banner grabbing, 131 physical security, 77 buffer overflows, 223–224 social engineering, 63 database attacks, 308–309 Web application attacks, 279 default configuration settings exploits, wireless network attack, 153 177–178 CCTV security camera, 27 default script attacks, 294 Center for Security, 113, 321, denial of service attacks, 146–147, 176 326, 361 directory reversal attacks, 282–283 certifications, 352 e-mail attachment attacks, 253 Certified Ethical Hacker (CEH), 12 e-mail attacks, 266–267 .cgi extension, 299 e-mail bombs, 253–254 CHAP Password Tester, 310, 361 e-mail connection attacks, 253 Chappell, Laura, 118 e-mail header disclosures, 263 Character Generator port (NetWare), 232 encrypted traffic attacks, 164–165 chargen, 123 file permission attacks, 222–223 Checkmarx, 300, 361 firewalls, 133–134 CheckPoint, 300 hosts.equiv file attacks, 219–220 chkconfig, 217 input filtering attacks, 291 chknull (password-cracking software), 92 instant messaging
vulnerabilities, 268–269 ChoicePoint, 49 MAC address spoofing, 144, 175 Chronology of Data Breaches, 338, 363 missing patch exploitation, 205 CIFShareBF, 310, 361 NetBIOS, 190 CipherTrust IronMail, 255 Netware intruders, 238 Cisco Global Exploiter, 148–149 NetWare Loadable Module, 241 civil liberties, 32 network analyzers, 139–140 Clear Channel Assessment attack, 175–176 network infrastructure attacks, 135 cleartext packets, 242 NFS attacks, 221 notification, 37 null sessions, 194–195 closed-circuit television (CCTV), 81 packet capture, 242

countermeasures (continued) daytime, 123 password cracking, 109–114 .db file, 311 physical security attacks, 224–225 .dbf file, 311 physical security problems, 176–177 Debian Linux Security Alerts, 359 port scanning, 127–128 Debian Package System, 227 .rhost file attacks, 219–220 Deep Freeze, 104, 361 rogue NLM attack, 241 defaced Web pages, 31, 364 rogue wireless devices, 170 default configuration settings, 178 SMTP relay attacks, 263 default script attacks, 292–293 SNMP scanning, 130 deliverables, 19 social engineering, 72–74 denial of service (DoS) attacks. storage system attacks, 313 See also network infrastructure attacks system scans, 212 countermeasures, 146–147 unneeded services, 216–217 defined, 145 unsecured login mechanisms, 297 distributed, 145 Voice over IP, 276 Ping of Death, 145 vulnerable wireless workstations, Queensland, 175–176 177–178 SYN floods, 145 wireless network attacks, 158–159 testing, 146 Counterpane, 331 WinNuke, 145 Crack, 358 dictionary attacks, 94–95 crackers, 10 dictionary files, 358 cracking tools, 20 Digital Hotspotter, 155, 168, 365 cracklib, 114 directional antenna, 155 crashing system during tests, 17 directory reversal attacks criminal hackers, 10, 28 countermeasures, 282–283 cross-site scripting (XSS), 290 crawlers, 280–281 CWE/SANS Top 25 Most Dangerous defined, 280 Programming Errors, 363 Google, 281–282 CxAudit, 300 distributed denial of service (DDoS) CxDeveloper, 300–301 attacks, 145 cyberterrorists, 29 D-Link DWL-650 wireless NIC, 175 DNS (), 123 DNSstuff.com, 50, 353 dnstools.com, 353 • D • .doc file, 311 daemons, 209 .docx file, 311 Data Thief tool, 305 Dogwood Management Partners Security database attacks.
See also storage system Posters, 362 attacks Domain Name System (DNS), 123 best practices for minimizing risks, doors, 79–80 308–309 Draper, John (Captain Crunch), 27 case study, 305–306 drop ceilings, 80 finding databases on network, 304–306 dsniff program, 140, 357 overview, 303 dsrepair (NetWare Loadable Module), 239 password cracking, 306–307 DumpSec utility, 55, 192, 364 scanning for vulnerabilities, 307–308 dumpster diving, 15, 67 testing tools, 303–304 tools, 352

encryption protocols, 161–162 • E • overview, 161–162 eBlaster (keystroke-logging software), 104 tools, 162–164 echo, 123 enumeration utility, 55, 185–186 Echo port (NetWare), 232 error-based SQL injection, 287 Ecora Patch Manager, 326, 359 errors and omission insurance, 35 eDirectory, 229 Essential NetTools, 120, 357 Effective File Search, 310, 361 ethical hackers, 10 EICAR Anti-Virus test file, 356 ethical hacking EICAR test string, 265 assessing vulnerabilities, 55–57 Elcomsoft Advanced Archive Password attack tree analysis, 39 Recovery, 102–103 vs. auditing, 12 Elcomsoft Distributed Password Recovery, automating, 329–330 92, 306, 352, 358 avoiding system crashes in, 17 Elcomsoft System Recovery, 108–109, 359 blind assessment in, 47 Elcomsoft Auditor certification, 12 (EWSA), 154, 162–163, 365 compliance and regulatory concerns, e-mail attacks. See also messaging-system 12–13 attacks defined, 11 banners, 255–257 determining systems to hack, 37–40 case study, 251 evaluating results in, 22–23 e-mail bombs, 252–255 executing plan in, 22 guidelines against, 266–267 footprinting, 47–52 overview, 16 formulating plan, 18–19 SMTP attacks, 257–265 gathering public information, 48–49 software solutions against, 266 goals, 13–14, 36–37 e-mail bombs.
See also messaging-system insurance, 35 attacks logging information in, 46 automated security controls against, mistakes in, 347–350 254–255 network mapping, 50–52 bandwidth blocking, 253–254 outsourcing, 332–333 countermeasures against connection penetrating system, 57–58 attacks, 253–254 performing, 45–47 perimeter protection, 255 policy considerations, 12 storage overload, 253 reasons for effectiveness of, 343–345 using attachments, 252–253 respecting privacy in, 17 using connections, 253–254 scanning systems, 52–53 using floods of e-mails, 253 similarity to beta testing, 45 e-mail firewalls, 255 similarity to malicious attacks, 46 e-mail header disclosures, 263–264 testing standards, 40–43 e-mail security testing zone, 265 tools, 20–21, 44 e-mail servers, 55 working ethically, 16–17 e-mail traffic, capturing, 264 ettercap utility, 135, 357 EMail Verify, 257–258 Event ID 4226 Patcher tool, 185 encrypted traffic, 160–164 event logging system, 331 encrypted traffic attacks. See also wireless EventsManager, 331 network attacks exploit tools, 352 countermeasures, 164–165

EXPN command, 257, 259 GFI EventsManager, 355 external attachers, 10 GFI LANguard. See also software and testing tools authenticated scans with, 206 Linux system testing with, 208 • F • NetWare vulnerability testing with, Facebook, 145 230, 233 Fedora Linux, 154 patch automation with, 326 File Extension Source, The, 353 share finder, 197 file permission attacks, 221–223 storage system testing with, 309 file sharing, 267–268 system scanning with, 186, 210–212 (FTP), 123, 209, 213 vulnerability assessment with, 121 FileLocator Pro, 309, 310, 312, 361 Web site, 357, 359, 361, 364 filetype:file-extension hostname: query Windows system testing with, 184 (Google), 281 goals in ethical hacking, 36–37 findstr, 104 Goog Mail Enum, 258, 260 finger, 123 Google, 20, 48, 67, 281–282, 353 Finnigan, Pete, 352 Google Desktop, 361 fire detection and suppression systems, 79 Google Groups, 51, 282 Firefox, configuring for Web proxy, 284 Google Hacking Database (GHDB), 282, 364 Firefox Web Developer, 278, 284, 298, 364 Google Hacking for Penetration Testers Firewalk, 133, 357 (Long), 282 firewalls government domains, 353 countermeasures against attacks, 133–134 GrabiQNs, 310, 361 e-mail, 255 Gramm-Leach-Bliley Act (GLBA), 13, 354 testing, 131–134 Greenidea Visible Statement, 362 Web security, 299–300 grep, 104 Flash files, 48–49 GroupWise (NetWare), 232 Fluke WiFi Analyzer, 154 footprinting.
See also ethical hacking gathering public information, 47–49 overview, 47 • H • Web crawling, 49 hackers Web search, 48 anonymity, 34 Fortify Software, 361 behavior of, 26 Fortres program 101, 104, 361 black hat, 10 Foundstone, 298, 364 categories of, 28 fping, 52 criminal hackers, 28 FreeZip, 97, 356 cyberterrorists, 29 freshmeat.net, 209 defined, 10 FTP (File Transfer Protocol), 123, 209, 213 ethical, 10 FTP control, 123 hackers for hire, 29 fully qualified domain names (FQDNs), 51 hacktivists, 29 mindset of, 27 motivations of, 25–26, 29–31 online resources, 354 • G • reformed, 333 Getif utility, 120, 128, 232, 357 script kiddies, 26, 28 GFI e-mail security test, 356

security researchers, 28 inetd.conf, 216–217 stereotypical view of, 25–26 inference, 90–91 white hat, 10 information-gathering Hackin9, 33, 354 overview, 47 hacking port scanning, 53–54 civil liberties and, 32 system scans, 52–53, 209–212 planning and performing, 32–33 Web crawling, 49 reasons for, 29–31 Web search, 48–49 vulnerabilities in security and, 33 Web sites, 49 Hacking Wireless Networks For Dummies InGuardians, Inc., 153 (Davis), 162, 166, 321 input filtering attacks. See also Web hacktivists, 29 application attacks Hacme Tools, 298, 364 buffer overflows, 283–284 hardening, 326–327, 361–362 code injection, 287–289 Health Information Technology for countermeasures, 291 Economic and Clinical Health cross-site scripting, 290 (HITECH), 354 hidden field manipulation, 285–286 Health Insurance Portability and overview, 283 Accountability Act (HIPAA), 12–13, 354 SQL injection, 287–289 hidden field manipulation, 285–286 URL manipulation, 285 high-impact vulnerabilities, 320 (IN)SECURE Magazine, 33 Homebrew WiFi antenna, 365 instant messaging Honeypots: Tracking Hackers, 354 countermeasures against vulnerabilities, Hoover’s business information, 353 268–269 hosting providers, notifying, 41 detecting traffic, 269 hosts, scanning, 52 log files, 268 hosts.equiv file attacks, 218–220 overview, 267 HTTP (Hypertext Transfer Protocol), 123 sharing files in, 267–268 HTTP Get requests, 292 system configuration, 269–270 HTTP POST requests, 292 user behavior, 269 HTTP proxy, 123 vulnerabilities, 267–268 HTTPS (HTTP over SSL), 123 insurance, 35 HTTrack Website Copier, 49, 278, Internet Control Message Protocol (ICMP), 280–281, 364 123–124 HyperTerminal, 261 Internet Key Exchange (IKE), 148–149 Hypertext Transfer Protocol (HTTP), Internet Security Advisors Group, 62 16, 123 Internet service providers (ISP), notifying, 41 Internet services, 209 intruder lockout, 112 • I • intrusion detection, 237–238 ICMP (Internet Control Message Protocol), intrusion prevention system,
evading, 27 123–124 inurl Google operator, 282 Identity Finder, 309, 312–313, 361 Invisible KeyLogger Stealth, 104, 354 Identity Finder Pro, 104 IP address, scanning, 52 IKE (Internet Key Exchange), 148–149 IP Personality, 299 IKEcrack, 357 IP spoofing, 147 Imperva, 362

laptops, locking, 84 • J • laws and regulations, 354 JavaScript, 290 LEAP protocol, 164 John the Ripper likability in social engineering, 69 cracking passwords with, 98 link Google operator, 282 cracking Windows passwords with, 96–98 LinkedIn, 20 overview, 92 Linux Administrator’s Security Guide, 362 Web site, 359 Linux Kernel Updates, 359 Johnson, Craig, 356 Linux operating system JRB Software, 240, 356 attacks, 15 Juniper Networks, 300, 313 distribution updates, 227 multiplatform update managers, 227 overview, 207–208 password protection in, 114 • K • password storage location in, 94 patching, 227 Karalon, 132 reasons for popularity of, 207 Kerberos, 91 unneeded services, 213–218 KeyGhost, 104, 354 Linux Security Auditing Tool (LSAT), 209 keypads, programmable, 81 Linux systems. See also Windows systems keys, 81 buffer overflows, 223–224 keystroke logging, 103–104, 354 file permission attacks, 221–223 KisMAC, 161, 365 general security tests, 225–226 , 154, 166 hosts.equiv file attacks, 218–220 KLC Consulting, 173 multiplatform update managers, 227 Klocwork, 300, 361 NFS attacks, 220–221 Knoppix Linux, 108, 154, 355 overview, 207 knowledge assessment, 42 patching, 226 Korean National Police Agency, 29 physical security attacks, 224–225 .rhosts file attacks, 218–220 security tools, 208–209 • L • system scanning, 209–212 vulnerabilities, 208 L0phtcrack, 99 websites, 355 LACNIC, 51, 353 live toolkits, 355 LANguard.
See also software and testing location of testing, 43 tools lockdown programs, 104 authenticated scans with, 206 log analysis, 355 Linux system testing with, 208 LogAnalysis.org, 355 NetWare vulnerability testing with, Logger, 331 230, 233 LoveBug worm, 72 patch automation with, 326 low-impact vulnerabilities, 320 share finder, 197 lsof, 215 storage system testing with, 309 Lumension Patch and Remediation, system scanning with, 186, 210–212 227, 359 vulnerability assessment with, 121 Web site, 357, 359, 361, 364 Windows system testing with, 184

Microsoft TechNet Security Center, 360 • M • Microsoft Update, 326 M+Guardian, 255 military domains, 353 MAC (Media Access Control), 140, 170 Milw0rm, 352 MAC address, 156 mirroring, 278 MAC address spoofing. See also wireless missing patch exploitation network attacks countermeasures, 205 countermeasures, 144, 175 overview, 198 overview, 170–171 using Metasploit, 199–205 steps in, 170–174 mistakes in ethical hacking, 350 Unix-based systems, 143 Mitnick, Kevin, 27 Windows systems, 143–144 monitor mode, 137 MAC address vendor lookup, 357 multiplatform update managers, 227 MAC Changer, 173, 357 MafiaBoy (hacker), 145 magazines, 33 • N • mail rooms, 81 Mailsnarf, 264, 356 NAP (Network Access Protection), 198 malicious internal users, 10 NASanon, 310, 361 malicious users National Institute of Standards and defined, 10 Technology (NIST), 88, 326 monitoring, 330–331 National Vulnerability Database, malware, 264–266 88, 213, 321 managed security services provider nbstat, 183, 188–189 (MSSP), 331 Nessus, 121, 209, 357 manual assessment, 56 net view command, 192 MD5 passwords, 114 NetBIOS (Network Basic Input/Output Media Access Control (MAC), 140, 170 System) medium-impact vulnerabilities, 320 countermeasures, 190 Message Architect, 255 hacks, 188 messaging-system attacks overview, 187 case study, 251 shares, 189–190 e-mail attacks, 252–267 unauthenticated enumeration, 188–189 instant messaging, 267–270 vulnerable ports, 188 testing tools, 355–356 NetBIOS Auditing Tool, 359 voice over IP, 270–276 NetBios over TCP/IP, 123 vulnerabilities, 249–250 , 132, 357 Web sites, 355–356 Netcraft, 54, 353 Metasploit, 58, 184, 199–205, 265, 352 Netfilter/iptables, 357 Microsoft Access database files, 307 NetResident, 134, 264, 268, 357 Microsoft Baseline Security Analyzer NetScanTools Pro (MBSA), 183, 206, 326, 365 denial of service testing with, 146 Microsoft Exchange, 256 Linux system testing with, 212 Microsoft IIS server, 299 network analysis with, 120 Microsoft PPTP VPN, 123
port scanning with, 126–127 Microsoft SQL Monitor, 123 system scanning with, 52 Microsoft SQL Server, 123 Web site, 357 Microsoft SQL Server Management Studio NetScreen, 300, 313 Express, 352 NetServerMon, 356

netstat, 183, 215 firewall rules, 131–134 NetStumbler, 154, 157–158, 166–167, 365 MAC address spoofing, 143–144 NetUsers, 193 network analyzers, 134–140 NetWare Administrator, 244 overview, 15, 117 NetWare Core Protocol, 232 port scanning, 122–128 NetWare Loadable Module (NLM) scanners, 120–121 admin utilities, 240 SNMP scanning, 128–130 countermeasures, 241 vulnerabilities, 119 documentation, 241 vulnerability assessment tools, 121 dsrepair, 239 network interface card (NIC), 132 modules command, 238–239 network mapping overview, 234 Google Groups, 51 setpwd password reset tool, 238 overview, 50 tcpcon, 239–240 privacy policies, 51–52 unauthenticated logins, 241 Whois lookup, 50 network Network Security Bible (Cole), 117 countermeasures, 84 Network Security For Dummies (Cobb), 113, Internet Key Exchange weaknesses, 148 257, 323, 326 physical attacks, 82–83 Network Security Toolkit, 154, 355 unsecured interfaces, 147–148 Network users, 365 vulnerabilities, 83, 147–149 NFS (Network ), 220–221 Network Access Protection (NAP), 198 NFS attacks, 220–221 network analyzers, 53 NGSSQuirrel, 307, 352, 364 Cain & Abel, 135 NIC (network interface card), 132 CommView, 135 Nigerian 419 e-mail fraud, 72 configuring, 137 nipper, 133 countermeasures, 139–140 NIST Guide to Enterprise Password defined, 134 Management, 359 detecting, 140 NIST National Vulnerability Database, 55 ettercap, 135 NIST SP800-58 document, 363 functions of, 134 NIST Special Publication 800-48, 351 information obtained from, 134, 135–137 Nmap.
See also software and testing tools monitor mode, 137 command-line options, 124 OmniPeek, 135 Connect scan, 126 port scanning with, 105–106 FIN Stealth scan, 126 programs, 120–121 Linux system testing with, 208, 214 requirements, 135 Null scan, 126 Web sites, 356–358 ping sweeping with, 123–124 , 135 port scanning with, 53, 120 Network Associates, 134 scanning Linux system with, 212 network browsing, UDP ports for, 188 SYN Stealth scan, 126 (NFS), 220–221 system scanning with, 187 network infrastructure attacks UDP scan, 126 analyzers, 120–121 Web site, 357 ARP spoofing, 140–143 Xmas Tree scan, 126 banner grabbing, 130–131 NmapWin, 55, 120, 357 case study, 118 NoLMHash registry key, 113 defenses, 149–150 nontechnical attacks, 14–15 denial of service, 145–147

North American Electric Reliability omnidirectional antenna, 155 Corporation (NERC), 13 OmniPeek Novell ConsoleOne utility, 243, 245 finding hidden APs with, 166–167 Novell NetMail, 256 network analysis with, 106, 135 Novell Netware port scanning with, 53 admin account, renaming, 243 viewing encrypted wireless traffic auditing, 246 with, 164 bindery contexts, removing, 245–246 vulnerability assessment with, 121 cleartext packets, 242 Web site, 357, 363, 365 eDirectory browsing, disabling, 244–245 wireless network analysis with, 154 intruder detection, 237–238 Online Hacker Jargon File, 354 overview, 229 online resources patching, 246 Bluetooth, 351 port scanning, 231–233 certifications, 352 rconsole attacks, 233–236 database tools, 352 security risks, minimizing, 243–246 exploit tools, 352 security tools, 230 general research tools, 353 server access methods, 231 hacking, 354 server-console access, 236 keyloggers, 354 servers, 230 laws and regulations, 354 TCP/IP parameters, 246 Linux tools, 355 testing for rogue NLMs, 238–241 live toolkits, 355 testing tools, 356 log analysis, 355 vulnerabilities, 229–230 messaging-system testing tools, 355–356 Novell Patches and Security, 360 NetWare, 356 npasswd, 114 network testing tools, 356–358 N-Stalker Web Application Security password cracking tool, 358–359 Scanner, 278, 293 patch management, 359–360 N-Stealth Web Application Security security education, 360 Scanner, 364 security methods and models, 360 NTAccess, 108, 359 source code analysis, 361 null password, 101–102 storage testing tools, 361 null sessions system hardening, 361–362 configuration and user information, user awareness and training, 362 192–194 Voice over IP, 362–363 countermeasures, 194–195 vulnerability databases, 363 disabling, 114 Web applications, 363–364 mapping, 191 Windows, 364–365 net view command, 192 wireless networks, 365–366 overview, 190 open ports, scanning, 53–55 Open Source Security Testing Methodology Manual, 58, 360 • O • OpenBSD, 15
Objectif Securité, 87 OPENROWSET command, 305 OCTAVE methodology, 360 OpenSSH, 210 Oechslin, Philippe, 87 operating system attacks, 15 office layout and usage, physical security, operating system attacks, Linux 80–82 buffer overflows, 223–224 Official Standards, 117 file permission attacks, 221–223

operating system attacks, Linux (continued) Orinoco card, 154–155 general security tests, 225–226 Ounce Labs, 300, 361 hosts.equiv file attacks, 218–220 outsourcing, 332–333, 350 multiplatform update managers, 227 OWASP WebGoat Project, 298, 360 NFS attacks, 220–221 overview, 207 patching, 226 physical security attacks, 224–225 • P • .rhosts file attacks, 218–220 packet signing, 242 security tools, 208–209 Pandora, 92, 359 system scanning, 209–212 Pandora NetWare, 242, 356 vulnerabilities, 208 Paros Proxy, 286, 364 operating system attacks, Novell Netware passfilt.dll, 114 admin account, renaming, 243 passwd+, 114 auditing, 246 password cracking bindery contexts, removing, 245–246 blank, 101–102 cleartext packets, 242 brute-force attacks, 95–96 eDirectory browsing, disabling, 244–245 case study, 87 intruder detection, 237–238 checking for null/blank passwords in overview, 229 NetWare, 101–102 patching, 246 countermeasures, 109–112 port scanning, 231–233 database hacking, 306–307 rconsole attacks, 233–236 dictionary attacks, 94–95 security risks, minimizing, 243–246 inference, 90–91 security tools, 230 keystroke logging, 103–104 server access methods, 231 with network analyzer, 105–106 server-console access, 236 password-protected files, 102–103 servers, 230 password-reset programs, 108–109 TCP/IP parameters, 246 rainbow attacks, 96 testing for rogue NLMs, 238–241 rainbow cracking, 99 testing tools, 356 shoulder surfing, 85, 90 vulnerabilities, 229–230 social engineering, 89–90 operating system attacks, Windows software, 92–94 authenticated scans, 205–206 tools, 358–359 missing patch exploitation, 198–205 Unix passwords with John the Ripper, 98 NetBIOS, 187–190 weak authentication, 91 null sessions, 190–195 weak BIOS passwords, 107 overview, 181–182 weak password storage, 104–105 scanning, 185–187 Web sites, 358–359 security tools, 182–184 Windows password with ophcrack, share permissions, 196–198 99–101 testing tools, 364–365 Windows passwords with pwdump3 and
vulnerabilities, 182 John the Ripper, 96–98 operating systems, securing, 113–114 Password Management Guideline ophcrack (password-cracking software), document, 96 92, 96, 99–101, 359 Password Safe, 359 Ophcrack Live, 81 password-protected files, 102–103 organizational password vulnerabilities, password-reset programs, 108–109 86–88 passwords. See also password cracking Novell Netware, 236 divulging, 71 office layout and usage, 80–82 malicious users, 27 utilities, 79–80 null, 101–102 wireless networks, 176–177 overview, 85 Ping of Death, 145 policy considerations, 110–111 ping sweep, 123–124, 127–128 possible combinations, 99 Point-to-Point Tunneling Protocol storage locations by operating systems, (PPTP), 164 93–94 POP3 (Post Office Protocol version 3), 123 storing, 110 Port 80 Software, 299, 364 strong, 110–111 port number listing, 357 vulnerabilities, organizational, 86 port number lookup, 357 vulnerabilities, technical, 88 port scanners weak storage, 104–105 in ethical hacking, 20 patches, security how it works, 124 automating, 325–326 NetScanTools Pro, 126–127 for Linux systems, 224–225 Nmap, 126 managing, 325 programs, 53 for password hacking, 112 SuperScan, 125 tools, 325–326 port scanning Web sites, 359–360 commonly hacked ports, 123 Patent and Trademark Office, 353 countermeasures, 127–128 Payment Card Industry Data Security information obtained from, 53–55, Standard (PCI DSS), 13, 132, 354 124–125 pcAnywhere, 123 Linux systems, 209–212 PDF documents, 48–49 in network infrastructure attacks, 122 PGP Whole Disk Encryption, 108, 362 Novell Netware systems, 231–233 Philippines, hacking ring in, 29 ping sweep, 123–124 phishing.
See also social engineering tools, 53, 124–127 dumpster diving, 67 Windows systems, 185–186 overview, 66 ports, commonly hacked, 123 phone systems, 68 PortSentry, 213, 357 in social engineering, 62 power failure, 79 using the Internet, 67 power-protection equipment, 79 phone systems, 68 PPTP (Point-to-Point Tunneling PHRACK, 33, 354 Protocol), 164 physical security pre-shared keys (PSKs), 162 case study, 77 (PGP), 22 exploiting weakness in, 27 Prism Test Utility, 175 factors in, 76 privacy, respecting, 17 overview, 75 privacy policies, 51–52 tailgating, 77 Privacy Rights Clearinghouse, 338, 363 technical security and, 77 Proactive Password Auditor, 92, 95, 359 vulnerabilities, 75 Proactive System Password Recovery, physical security attacks 92, 359 buildings, 78–79 professional liability insurance, 35 Linux operating system, 224–225 Project RainbowCrack, 96 network components and computers, PromiscDetect, 106, 140, 357 81–84

, 106, 134 .rhosts file attacks, 218–220 pwdump3, 92, 96–98, 359 rich Internet applications (RIAs), 298 Pyn Logic, 362 RIPE Network Coordination Centre, 51, 353 risks, 18 rogue network, 27 rogue wireless devices • Q • AP characteristics of, 165–166 QualysGuard. See also software and testing countermeasures, 170 tools detecting with WLAN analyzers, 165–168 database testing with, 304 overview, 165 denial of service testing with, 146 root directory, 218 Linux system testing with, 209 RPC/DCE for Microsoft networks, 123 storage system testing with, 309 RPM Package Manager, 227 vulnerability assessment with, 56–57, 121 .rtf file, 311 Web site, 352, 357, 365 RTP (Real-time Transport Protocol), 272 Windows system testing with, 184, 199 QualysGuard Suite, 56–57 Queensland DoS attack, 175–176 Quest Policy Authority, 269 • S • SANS, 113 scanners, 120–121 screens, locking, 84 • R • script kiddies, 26, 28 rainbow cracking, 87, 96, 99 ScriptLogic Patch Authority Ultimate, 326 Rainbow tables, 359 search engines, 48, 67 RainbowCrack, 92, 359 SearchSecurity.com, 20 RC4 encryption algorithm, 161 SeattleWireless Hardware Comparison Rcon program, 356 page, 365 Real-time Transport Protocol (RTP), 272 SEC filings, 67 reCAPTCHA, 297 SecureCRT, 261 recycling bins, 81 SecureIIS, 300, 362 Red Hat Enterprise Linux, 220, 227 SecureWorks, 331 Red Hat Linux Security Advisories, 360 Securities and Exchange Commission, 353 Red Hat Package Manager, 227 SecurITree, 360 red team, 37, 77 Security Accounts Manager (SAM) reformed hackers, 333 database, 93, 97 regedit, 143 security assessment tools, 44 related Google operator, 282 security auditing, 12 remote procedure calls, 123, 181 security awareness, 333–334 Remote tool, 230, 356 security by obscurity, 299 remote-administration software, 83 security infrastructure, assessing, 327–328 reports Security Innovation, 300 action items, 321–322 security measures methods, 320–322 account enumeration attacks, 257–260 organizing information, 317–319 ARP
poisoning, 144 prioritizing vulnerabilities in, 319–320 ARP spoofing, 144 securing, 320 assessing security infrastructure, 327–328 residential phone, 68 banner attacks, 257 reverse social engineering, 70 banner grabbing, 131 buffer overflows, 223–224 Security On Wheels, 360 database attacks, 308–309 security portals, 20 default configuration settings exploits, Security Tools Distribution, 154, 355 177–178 SecurityFocus.com, 20 default script attacks, 294 semidirectional antenna, 155 denial of service attacks, 146–147, 176 sendmail server, 214 directory reversal attacks, 282–283 (SMB), 188 e-mail attachment attacks, 253 ServerDefender, 300, 362 e-mail attacks, 266–267 ServerMask, 299, 364 e-mail bombs, 253–254 service set identifier (SSID), 157–158 e-mail connection attacks, 253 Session Initiation Protocol (SIP), 272 e-mail header disclosures, 263 SetGID, 221–222 encrypted traffic attacks, 164–165 setpwd password reset tool (NetWare file permission attacks, 222–223 Loadable Module), 238 firewalls, 133–134 SetUID, 221–222 hosts.equiv file attacks, 219–220 share permissions implementing, 323–324 defaults, 196 input filtering attacks, 291 overview, 196–198 instant messaging vulnerabilities, 268–269 testing, 197 MAC address spoofing, 144, 175 Windows 2000/NT, 196 missing patch exploitation, 205 Windows XP, 196 NetBIOS, 190 ShareEnum, 184 Netware intruders, 238 Shavlik Technologies NetChk, 325 NetWare Loadable Module, 241 shoulder surfing, 85, 90 network analyzers, 139–140 shredders, 67 network infrastructure attacks, 135 Sima, Caleb (SPI Dynamics), 279 NFS attacks, 221 Simple Mail Transfer Protocol (SMTP), 16, null sessions, 194–195 123, 257 packet capture, 242 Simple Network Management Protocol password cracking, 109–114 (SNMP), 123, 128–130 patching, 324–326 SIP (Session Initiation Protocol), 272 physical security attacks, 224–225 sipsak, 363 physical security problems, 176–177 SiteDigger, 364 port scanning, 127–128 site:hostname keywords: query
.rhost file attacks, 219–220 (Google), 281 rogue NLM attack, 241 SiVus, 272–274, 363 rogue wireless devices, 170 Slackware, 154, 227 security awareness and training, 333–334 Slackware Package Tool, 227 SMTP relay attacks, 263 SMAC, 143–144, 173, 357 SNMP scanning, 130 SMB (Server Message Block), 188 social engineering, 72–74 SMTP (Simple Mail Transfer Protocol), storage system attacks, 313 123, 257 system hardening, 326–327 SMTP attacks system scans, 212 account enumeration, 257–260 unneeded services, 216–217 e-mail header disclosures, 263–264 unsecured login mechanisms, 297 e-mail traffic capture, 264 Voice over IP, 276 malware, 264–266 vulnerable wireless workstations, 177–178 relay, 260–263 wireless network attacks, 158–159

smtpscan, 256, 356 Southeast Cybercrime Institute, 251 Smurf, 160, 351 Special Ops Security, 306 SNARE, 357 Spector Pro (keystroke-logging Sniffdet, 140, 358 software), 104 sniffers, 134 SpectorSoft, 104, 354 SNMP (Simple Network Management spidering, 278, 280–281 Protocol), 123, 128–130 Spitzner, Lance, 34 SNMP scanning, 128–130 sponsorship, 18 SNMPUTIL, 128, 358 SQL injection, 27, 287–289 social engineering SQL Injector, 288–289 behaviors associated with, 69–70 SQLPing3 (password-cracking software), believability in, 69 93, 304, 352, 359 building trust in, 68–69 SSH (Secure Shell), 123 case study, 63 SSID (service set identifier), 157–158 consequences of, 65 storage system attacks. See also database countermeasures, 72–74 attacks deceptive practices in, 69–72 best practices for minimizing risks, 313 defined, 15 misconceptions, 309 examples of, 61–62 overview, 309 false employees, 62 scanning for vulnerabilities, 310 false support personnel, 62 testing tools, 309–310, 361 false vendors, 62 text file search, 310–313 likability in, 69 Web sites, 361 outsourcing, 64 StorScan, 310, 361 overview, 61 strong passwords, 110–111 password cracking, 89–90 SUN RPC (remote procedure calls), 123 phishing, 62, 66–68 Super Cantenna, 365 policies, 72 SuperScan reasons for using, 64–65 Linux system testing with, 208, 209–212 reverse, 70 Netware testing with, 230 user awareness and training, 73–74 pinging multiple addresses with, 52 software and testing tools port scanning with, 53, 120 Linux systems, 208–209 scanning Novell Netware systems network analyzers, 120–121, 135 with, 232 Novell Netware, 230 storage system testing with, 309 password cracking, 92–94 Web site, 358, 361 scanners, 120–121 Windows system testing with, 184 selecting, 20–21, 44 SUSE Linux, 227 storage systems, 309–310 SUSE Linux Security Alerts, 360 vulnerability assessment, 121 .swf files, 48–49 Web applications, 278 SWFScan, 298, 364 Windows systems, 181–185 Switchboard.com, 353 WLAN security tools, 154–155 
SYN floods, 145 Software as a Service (SaaS), 331 Sysinternals, 183, 365 Software Engineering Institute, 360 SYSKEY utility, 113 SonicWall, 300, 313 System Center Configuration Manager, 269 source code analysis, 300–301, 361 system hardening, 326–327, 361–362 SourceForge.net, 209 system scans. See also port scanning

countermeasures, 212 text files, searching for, 310–313 hosts, 52 TFTP (Trivial File Transfer Protocol), 123 information obtained from, 52–53 THC-Amap, 208 Linux systems, 209–212 TheHarvester, 258 scanning, 53–55 TheTrainingCo, 77 Windows systems, 185–187 Tiger, 208 systems tiger team, 37 knowledge of, 19 time-memory tradeoffs, 87 selecting, 18 Traffic IQ Pro, 132–133, 358 Tripwire, 223 Trivial File Transfer Protocol (TFTP), 123 TrueCrypt, 108, 224, 362 • T • trustworthiness, 16 tailgating, 77 TSGrinder, 359 TCP ports, 188 Twitter, 145 TCP scans, 122 .txt file, 311 TCP Wrappers, 217, 358 tcpcon (NetWare Loadable Module), 239–240 TCP/IP For Dummies (Leiden), 117 • U • TCPView, 184 UAC (User Account Control), 198 telecom wires, 80 UDP ports, 188 Telnet, 123, 130–131, 209, 213 UDP scans, 122 Temporal Key Integrity Protocol (TKIP) UDPFlood, 146, 358 encryption, 162 unauthorized software, 27 tests Universal Naming Convention (UNC), 306 assumptions in, 43–44 Unix systems blind vs. knowledge assessments, 42 password protection in, 114 denial of service, 146 wireless hacking tools for, 154 Linux systems, 225–226 unlimited attack, 19 location, 43 unneeded services MAC address protocols, 171–174 access control, 217 mistakes in, 347–350 chkconfig, 217 Netware intruders, 237–238 countermeasures, 216–217 Novell Netware intruders, 237–238 disabling, 216–217 overview, 40 inetd.conf, 216–217 password security, 97–100 security tools, 214–216 performing, 45–47 vulnerabilities, 213–214 reacting to vulnerabilities, 43 unsecured login mechanisms, 294–297 rogue NLM programs, 238–241 up2date, 227 share permissions, 197 URL manipulation, 285 specific tests, 41–42 U.S. Patent and Trademark Office, 353 standards, 40 US Search.com, 353 timing, 40–41 US-CERT Vulnerability Notes Database, VoIP hosts, 273 55, 363 Windows systems, 185–187

User Account Control (UAC), 198 Novell Netware, 229–230 user awareness and training, 362 passwords, 86–88 user ID, 27, 86, 112 physical security, 76 UserDump, 356 ranking, 320 USSearch, 49 reporting, 319–320 utilities, physical security, 79–80 storage systems, 310 unneeded services, 213–214 Voice over IP, 270–272 • V • Web applications, 280, 297 VBScript, 290 Windows systems, 182 vendor passwords, default, 358 wireless local area networks, 152 virtual (VLAN), 271 vulnerability assessment tools, 121 virtual machine software, 52 vulnerability databases, 363 virtual (VPN), 164 vulnerability scanners, 17, 146 VirtualBox, 52, 148 vulnerability testing VMWare Workstation, 52 automated assessment, 56 VNC, 83 manual assessment, 56 Voice over IP (VoIP). See also messaging- tools, 56–57 system attacks Web sites, 55 attacks, 16 capturing and recording voice traffic, 274–276 • W • countermeasures against walls, 79–80 vulnerabilities, 276 , 155 overview, 16, 270 warwalking, 168 scanning for vulnerabilities, 272–274 weak authentication, 91 testing tools, 362–363 Web 2.0 hacking, 297 vulnerabilities, 270–272 Web application attacks Web sites, 362–363 best practices for minimizing risks, VoIP For Dummies (Kelly), 270 298–301 VoIP Hopper, 271, 363 case study, 279 VoIP servers, 68 default script attacks, 292–293 vomit, 363 directory reversal, 280–283 VRFY command, 257, 259 input filtering attacks, 283–291 vulnerabilities. See also scanning for vulnerabilities, 297 vulnerability testing testing tools, 20, 278 addressing, 323 tools, 363–364 assessing, 55–57 unsecured login mechanisms, 294–297 database attacks, 307–308 vulnerabilities, 280 high-impact, 320 Web sites, 363–364 instant messaging, 267–268 Web browsers, configuring for Web Linux systems, 208 proxy, 284 low-impact, 320 Web crawling, 49 medium-impact, 320 Web page defacement, 31 messaging-system, 249–250 Web Proxy, 284, 286 network infrastructure, 119–120

Web search, 48 WebGoat, 364 Web security WebInspect, 146, 278, 288, 290, 364 firewalls, 299–300 Wellenreiter, 154, 366 obscurity, 299 WEP (Wired Equivalent Privacy), 160–161 source code analysis, 300–301 WEPCrack, 161, 366 Web sites WhatIsMyIp.com, 52, 353, 358 background checks, 49 white hat hackers, 10 Bing, 48 Whois.net, 50, 353 Bluetooth, 351 Whole Disk Encryption, 84, 108 certifications, 352 Wi-Fi. See wireless local area networks database tools, 352 (WLANs) defaced Web pages, 31 Wi-Fi Protected Access (WPA), 160, 162 exploit tools, 352 Wifi Maps, 366 general research tools, 353 WiGLE database, 156–157, 366 Google, 48 WildPackets OmniPeek, 121, 154 government and business, 49 Wiles, Jack (TheTrainingCo.), 77 hacking, 354 WinAirsnort, 366 keyloggers, 354 windows, 79–80 laws and regulations, 354 operating system, 198 Linux tools, 355 Windows BitLocker, 84, 108 live toolkits, 355 Windows Defender, 198 log analysis, 355 Windows , 198 messaging-system testing tools, 355–356 Windows operating system NetWare, 356 attacks, 15 network analyzers, 121–122 password storage location in, 93–94 network testing tools, 356–358 securing, 113–114 password cracking tools, 358–359 Windows password. See also password patch management, 359–360 cracking scanners, 121–122 cracking, 87 security education, 360 cracking with ophcrack, 99–101 security methods and models, 360 cracking with pwdump and John the security portals, 20 Ripper, 96–98 security tools, 20 protection of, 113–114 source code analysis, 361 Windows Registry, 113, 143–144 Spitzner, Lance, 34 Update Services, 326, 360 storage testing tools, 361 Windows systems. 
See also Linux systems system hardening, 361–362 authenticated scans, 205–206 user awareness and training, 362 missing patch exploitation, 198–205 VirtualBox, 52 NetBIOS, 187–190 Voice over IP, 362–363 null sessions, 190–195 vulnerability assessment tools, 122 overview, 181–182 vulnerability databases, 363 scanning, 185–187 vulnerability testing, 55 security tools, 182–184 Web applications, 363–364 share permissions, 196–198 Whois lookup, 50–51 testing tools, 364–365 Windows, 364–365 vulnerabilities, 182 wireless networks, 365–366 Server, 123

Winfo, 184, 192–193, 365 wireless workstations, vulnerability of, WinHex, 111, 292, 359 177–178 Winkler, Ira (Internet Security Advisors Wireshark, 53, 106, 135, 268, 358 Group), 63 word lists (password cracking), 358 WinNuke, 145 Wotsit's Format, 353 WinRAR, 95 WPA (Wi-Fi Protected Access), 160, 162 WinZip, 97, 356 WPA2, 162–163 Wired Equivalent Privacy (WEP), 160–161 Wright, Joshua (InGuardians Inc.), 153 wireless antennas, 155 WSDigger, 298, 364 Wireless Hardware Comparison, 155 WSFuzzer, 298, 364 wireless local area networks (WLANs) access points, 152 case study, 153 checking for AP's MAC address, 156–157 • X • default configuration settings, 178 .xls file, 311 hacking tools, 154–155 .xlsx file, 311 overview, 151 xp_dirtree extended stored scanning SSIDs, 157–158 procedure, 306 vulnerabilities, 152 XSS (cross-site scripting), 290 WiGLE database, 156–157 wireless network attacks Bluetooth, 160 encrypted traffic, 160–165 • Y • MAC address spoofing, 170–175 Yahoo! Finance, 353 overview, 158–159 YaST2 Package Manager, 227 physical security problems, 176–177 Queensland DoS attack, 175–176 rogue wireless devices, 165–170 tools, 365–366 • Z • vulnerable wireless workstations, ZabaSearch, 49, 353 177–178 zombie computers, 71 Web sites, 365–366 Wireless Vulnerabilities and Exploits, 152, 363