Analysis Console for Intrusion Databas

Howlett_index.fm Page 559 Thursday, June 24, 2004 3:47 PM

Index

3Com, 165 Adleman, Leonard, 282 100 percent outsourced IT, 20 ADOdb, 247 802.11 wireless standards, 318 ADOdb Web site, 247 802.11i, 347 AeroSniff, 335 AES, 284 A Afind utility, 376 ACID (Analysis Console for Intrusion Databases), 2, AH (Authentication Header), 285–286 201, 246 AirCERT, 247 ADOdb, 247 Airjack, 343 analyzing alert data, 255 AirSnort, 335, 346 archiving alerts, 258 Anomalous IDS (intrusion detection system), ARIN lookup, 256 194–195 carefully using names, 259 Anonymous Internet access, 320 categorizing alerts, 253 Antennas, 324 common IP destination addresses, 255 Anti-virus software, 7, 12 configuration page, 251 AP (access point), 317–319 configuring, 250–251 Apache Web servers, xi, 22, 244–245 daily use, 256–257 NCC (Nessus Command Center), 267 GD, 248 PHP, 261 graphing data, 257–258 Apache Web site, 244 information on alert types, 253–254 AppleTalk, 164 installing, 249–250 Application layer, 57, 121–122 introduction to using, 251–252 Application ports, 2 IP source address, 255–256 Applications JpGraph, 247–248 exposing systems to vulnerability, 121 main page, 251 getting data, 57 narrowing search criteria, 252 on high port numbers, 90 overall statistics on database, 251–252 port numbers, 88–89 PHPLOT, 247 testing for security holes, 122 reverse DNS lookup, 255–256 Arcnet, 164 Sam Spade search, 256 ARIN lookup, 256 sensitive data, 254 Armed forces, 352 service being attacked most, 256 ARP (Address Resolution Protocol), 59, 166 Snort sensors, 248 Asymmetric cryptography, 281–282 sorting alerts, 254 AT&T, 1 3 SQL databases, 247 Attacks statistics on AG (alert group), 252 coming through firewalls, 194 summary information on database AG filing criminal charges, 350–351 (alert group), 252 repeated evidence of, 355 tuning and managing NIDS, 253–254 Authentication, 284 variables for configuring, 250–251 /autopsy directory, 369 Web servers, 247 Autopsy Forensic Browser, 368–370 ACID database, maintaining, 258 Auto-rooters, 9 acid_conf.php file, 250 Availability, 5 Ad-hoc mode, 317 Awk, 13

559 Howlett_index.fm Page 560 Thursday, June 24, 2004 3:47 PM

560 Index

B CGI programs and Nessus, 133 Back Orifice, 95 CGI scripts, default location for, 144 Back Orifice 2000, 95 Cgi-bin directory, 117 Backups Chain of trust, 299 baseline database, 230 Chains, 64 current and vulnerability scanning, 158–159 chargen service, 129 Bandwidth, 7–8 Chat rooms, 19 Baseline database, 230 Cheswick, Bill, 125 Bastille, 29–30 chmod command, 67 Bastille Linux, 2, 27–30 Chrooted jail, 29 Bastille Web site, 28 C.I.A., 4 BBSs (Bulletin Board Systems), 13 Cisco Aeronet wireless cards, 335 Beacon broadcasts, 321 Cisco routers, 124 Beale, Jay, 28 Civic action, 352 Bell Labs, 13 Class action suits, 10 Binary files, replacing with trojanized versions, Cloud Nine Communications, 10 226–227 Code BIND (Berkley Internet Naming Domain), xi permission to release as open source, 265 security holes, 126 viewing, 18 version of, 116 Code Red worm, 5, 9–10, 123, 196 Bindinfo file, 116 ColdFusion, 126 Bison scripting language, 168 Commercial software products, 16–18 Bit-wise copy, 366 Communications Blaster worm, 6 encrypting all, 43 Blowfish, 284 securing important, 3 Bounce Scan, 105 Compile-time parameters, 98 Breadth, 346 Compiling from source code, 97–98 Break-ins, 3 comp.os.linux.advocacy newsgroup, 382 Broadband, 7–8 comp.os.unix.bsd.freebsd.misc newsgroup, 382 Broadcast traffic, 165–166 comp.os.unix.bsd.openbsd.misc newsgroup, 382 Brute force attacks, 130, 283 comp.sci.opensource newsgroup, 382 Brute force login, 141 Computer crimes, 5–9, 194 BSD license, 13, 21, 23 Computer forensics careers, 351–352 BSD license Web site, 23 Confidentiality, 4–5 BSD mailing list archive, 382 Connection, setting up and closing down, 57 BSD UNIX, xi Copyright violations, 11 BSDI, 23 Coroner's Toolkit, 3, 356, 368 BSSID (Basic Station System ID), 318 Corporate secrets and data disclosure, 11 Buffer overflow, 89–90, 124, 128, 130 Cost of open source software, 15 Bug finder/beta tester, 385 CPAN (Comprehensive Perl Archive Network) Business information security risks, 9–12 system, 237 Business processes and firewalls, 60–61 CSI (Computer Security Institute), 5–7 Curses toolkit, 28 C Custom applications and vulnerability scanning, Carrier, Brian, 368 160 Center for Internet Security Web site, 45 Customer lists, 11 CERT (Computer Emergency Response Team), 6, Cypherspace Web site, 287 247 CERT Web site, 247 D CertServer Web site, 298 DALnet, 13 CGI directory, 114 Danyliw, Roman, 247 Howlett_index.fm Page 561 Thursday, June 24, 2004 3:47 PM

Index 561

Data Echo Reply ICMP message, 31 encryption, 279 Echo Request ICMP message, 31 format readable by receiving party, 57 echo service, 129 managing with databases and Web servers, Education and open source software, 18–19 241–264 Electronic Freedom Foundation, 306 Data link layer, 55–56, 164 Ellis, James, 281 Data loss, 9 EMACS, 66, 113–114 Databases EMACS home page, 114 administrative activity, 200 EMACS Quick Reference, 114 baseline attributes of files, 226–227 Embarrassment, 10 external access into, 126 Employee policy issues, 12 hackers, 126 Encrypted files, 3 intrusion detection data, 247 Encrypting files managing security data, 241–264 all communications, 43 daytime service, 129 GnuPG (GNU Privacy Guard), 298 dd, 293, 365–368, 372 PGP (Pretty Good Privacy), 291–292 DDOS (distributed denial of service) attack, 7–8 Encryption, 57 Decrypt file, 345 asymmetric cryptography, 281–282 Decrypting files, 299 data, 279 Deep Throat, 95 FreeS/WAN, 306–312 Department of Homeland Security, 352 GnuPG (GNU Privacy Guard), 295–301 DES (Data Encryption Standard), 283 OpenSSH, 301–305 Destination machine dropping packets, 31 PKE (public key encryption), 281–282 DHCP broadcast traffic, 165 protocols, 280 Dial-up connections, 7 Public Key cryptography, 281 Diffie, Whitfield, 281 reversing process, 293 dig command, 37–39 shared secret, 281 Digital certificates, 284–285 symmetric cryptography, 281 Disaster Recovery Plan, 9 types of, 281–282 discard service, 129 VPNs (Virtual Private Networks), 305 Discussion groups, 385–386 Encryption algorithms, 283–284 D-Link wireless cards, 335 Encryption applications, 284–286 DMZ interface, 60 Encryption protocols, 285–286 DMZ (Demilitarized Zone) segment, 74 Encryption software, 287–295 DNS (Domain Name Servers), 58 Ephemeral port numbers, 88–89 responsible for domain name, 37 ESP packets, 309 security holes, 126 /etc/freeswan/ipsec.conf file, 310 DNS cache poisoning, 126 /etc/pcmcia/config.opts directory, 336 DNS lookup request and ping (Packet Internet /etc/ssh directory, 303 Groper), 31 /etc/ssh file, 303 DNS servers, 126, 129 Ethereal, 2, 309 Documenting security activities, 60 application server troubleshooting, 190 Domains, 37–39 benefits, 183–184 DoS (Denial of Service) attacks, 10, 131 capture options, 188 -dport statements, 68 compiling, 185 -dports flag, 68 display options, 189–190 Drivers, installing, 335–337 graphical interface, 183 GTK development libraries, 184 E information about packets, 185, 187 Early warning system, 2 libpcap libraries, 184 Easy CD creator, 78 Linux installation, 184–185 echo replies (ping responses), 60 network optimization, 190 Howlett_index.fm Page 562 Thursday, June 24, 2004 3:47 PM

562 Index

Ethereal, (continued) attacks from within, 125 packet contents, 187 blocking offending IP addresses, 3 packet stream data, 185–187 business processes, 60–61 RPM packages, 184 “deny all” statement, 62 saving output, 190 disallowing SYN packets, 59 starting capture session, 187–189 DMZ interface, 60 tools, 189–190 double-checking rules, 194 usage, 185–187 echo replies (ping responses), 60 Windows installation, 185 eliminating existing rules, 67 Ethereal Web site, 185 filters, 60 Ethernet, 164–166 higher end, 54 Ethernet card, 165 ICMP-type packets, 60 Ethernet networks, 165–166 implementing and testing, 61 Ethernet sniffers, 164 interfaces, 59 Evidence file, 366 Linux built-in, 59 Exchange security problems, 125 low-end consumer-grade, 54 Expect, 13 lptables, 62–70 Extendibility, 15 lptables creation, 66–70 NAT, 309 F Nessus server outside of, 159 Factoring large prime numbers, 282 reviewing and testing, 61 Farmer, Dan, 368 rules, 61–62 Fault-tolerant network, 57 running Web server on, 71 FBI Web site, 350 shell scripts, 66–67 FBI's NIPC (National Infrastructure Protection SmoothWall Express, 75–86 Center), 5 tprivate interface, 59 Federal law enforcement, 352 traffic on port 80, 89 Files trusted interface, 59 access time listing, 376 Turtle Firewall, 71–75 checking integrity, 231 vendors, 54 database of baseline attributes, 226–227 vulnerable to attack, 2 decrypting, 299 vulnerable to normal OS-level exploits, 125 encrypted, 3 WAN interface, 59–60 GnuPG (GNU Privacy Guard), 298–299 weaknesses in, 124–125 listing attributes, 377–378 Web server, 125 PGP encryption, 291–292 Windows XP, 86 securing important, 3 Windows-based, 86 signing with public key, 292–293 Firewall-wizards mailing list, 70 wiping from hard disk, 293 Flex scripting language, 168 Filters and firewalls, 60 Flush command, 67 FIN packet, 59 Forensic analysis, 356–357 FIN Scan, 104 Forensic analysis tools FIN/ACK packet, 59 dd, 366–368 finger, 39–41, 129 The Forensic Toolkit, 375–379 exploiting bug in, 124 Fport, 357–360 Sam Spade for Windows, 48 lsof, 360–363 security holes, 39 The Sleuth Kit/Autopsy Forensic Browser, sending without username, 40 368–374 Firewall server, configuring securely, 2 Forensic data, 354–355 Firewalls, 1, 12, 53–54 Forensic evidence, copies of, 365 “allow all” statement, 62 The Forensic Toolkit, 375–379 attacks coming through, 194 Forensic tools, 349–352 Howlett_index.fm Page 563 Thursday, June 24, 2004 3:47 PM

Index 563

FORWARD chain, 67 simple symmetric cryptography, 298 Fport, 357–360 web of trust model, 299 Franklin, Ben, 161 GnuPGreenware, 288 Free Software Foundation, xi, 13, 21 Google, 129 Free Software Foundation Web site, 384 GPL (General Public License), 13, 15, 22–23, 277 FreeBSD, 23 GPL Web site, 23 FreeS/WAN, 306 GPS Clock Web site, 355 installing, 307–308 GPSDrive, 343 IPsec, 308 GPSDrive Web site, 343 Linux, 307 GPSMAP, 343 OE (Opportunistic Encryption) mode, 308 grep, piping ps command into, 42 opportunistic encryption, 307, 311–312 GTK (Gimp Tool Kit), 135 parameters, 309 GTK Web site, 135 peer-to-peer mode, 308–310 road warrior mode, 308, 310–311 H starting, 307–308 Hack ‘a’ Tack, 95 usage, 308–312 Hackers, 7 FreeS/WAN Web site, 306 altering certain system files, 26 Freshmeat Web site, 265, 383–384 automated and random attacks, 9 Frigido, Andrea, 71 bandwidth, 8 FTP and sudden surge in traffic, 194 blank or weak passwords, 128 FTP servers, write access to anonymous users, 142 brute force hacking, 130 buffer overflow, 89–90, 124, 130 G civil action, 352 GCC (Gnu C Compiler), 21 databases, 126 Gcc (Gnu C Compiler), 13, 98 DNS cache poisoning, 126 GD, 248 DNS servers, 126 GD Web site, 248 DoS (Denial of Service) attacks, 10, 131 Gencases file, 345 finding passwords, 302 get_port_state() NASL function, 157 finding tools on Internet, 130 Gilmore, John, 306 Hacker Ethics code, 8 GNOME, 27 idle or unused accounts, 127 GNU GPL (General Public License), 21–23 information about users, 40 GnuPG (GNU Privacy Guard), 295 information leaks, 129–130 basic information of key, 300 log-on habits and schedule, 40 chain of trust, 299 mail servers, 125 decrypting files, 299 manufacturer default accounts, 127–128 encrypting files, 298 mass Web site defacement binges, 10 files, 298 multiple entries into system, 123–124 GPL license, 296 NetBIOS null sessions, 130 installing, 296–297 point-and-click hacking tools or scripts, 8 key edit mode, 300 port scan, 130 managing key trusts, 300–301 published and known security holes, 122–123 OpenPGP standard, 296 replacing binary files with Trojanized versions, pass-phrases, 297 226–227 printing fingerprint of key, 300 router or firewall weaknesses, 124–125 public-private key pair creation, 297 Script Kiddies, 8–9 publishing public keys, 298 sites with dedicated broadband access, 7 revocation certificate, 297–298 snmpwalk, 128 signing files, 299 social engineering attack, 130 signing keys, 300 storage lockers, 8 Howlett_index.fm Page 564 Thursday, June 24, 2004 3:47 PM

564 Index

Hackers (continued) IBM, 20 storing tools and other ill-gotten loot, 8 ICMP (Internet Control Message Protocol), 31 tracking down source or location of, 32 ICMP-type packets and firewalls, 60 Trojan horses, 94 .ida buffer overflow, 196–198 uncommon ports, 90 Identity theft, 10 unneeded services, 128–129 Idle Scan, 105 unsecured computers, 11 IDS (intrusion detection system), 193 user and file management, 126–127 ACID (Analysis Console for Intrusion vulnerability scanner, 130 Detection), 201 Web servers, 125 analysis tools, 201 whois information, 130 anomalous, 194–195 zombies, 8 categories of alerts, 200 Hard disks defining attacks, 193 hidden data streams, 377 exempting hosts from examination, 200 wiping files from, 293 false positives, 201 Hardening Kismet, 343–344 Linux, 28–30 proper system configuration, 200–201 security tool system, 27–44 Snort, 201–216 Windows, 45–51 Snort for Windows, 217–221 Hardware Snort Webmin Interface, 216–217 NIDS requirements, 204 tuning, 201 Snort, 203 IEEE (International Electrical and Electronic Snort for Windows, 220–221 Engineers), 165 standard default logins and user accounts, 127 IIS (Internet Information Server) and cmd.exe attack, wireless LANs, 323–324 196 Hash file, 373 IIS Web server, 196–198 Hashes, 284, 356–357 Illicit services, 95–96 Healthcare, 11 Implementing secure wireless solution, 3 Hellman, Martin, 281 Incident response plan, 353–354 Hermes chipsets, 323, 335 Incoming connections, blocking, 1 Hewlett-Packard, 11 Information leaks, 129–130 Hfind utility, 376–377 Information security (info-security) Hidden files and Windows, 376–377 availability, 5 HIPAA (Health Insurance Portability and business risks, 9–12 Accountability Act of 1996), 11 C.I.A., 4 Host unreachable ICMP message, 31 confidentiality, 4–5 Host-based intrusion detection, 225–231 ignoring, 6 Hosts, 143–145, 148 integrity, 5 HP Open View, 199 Infrastructure mode, 317 /htdocs/www.acid directory, 250 Inline Snort, 202 /html directory, 114 INN, xi HTTP login forms, 141 Installer.sh file, 112 httpd process, 235 Instant messengers, 12 Hunt utility, 378–379 Integrity, 5 Hybrid cryptosystem, 289 Interdependence, 16 Hydra, 133, 141 Internal files, securing, 3 Internal investigations, 352 I Internet, 123 IANA (Internet Assigned Numbers Authority), anonymous access, 320 87–88 broadband connections, 7–8 IANA Web site, 88 computer crimes, 7 Howlett_index.fm Page 565 Thursday, June 24, 2004 3:47 PM

Index 565

hackers, 7 K open source software, 13–14 Kazaa, 12 plain text, 279 KDE, 27 private address ranges, 70 Key rings, 290–291 InternetMovies.com, 11 Keyserver Web site, 298 Internic, 36 Kismet, 328 Intrusion detection, host-based, 225 capture session statistics, 341 Intrusion detection systems, 12 configuration switches, 337–338 Investigating break-ins, 3–4 GPS support, 343 IP addresses, 56, 58 GPSMAP, 343 formats, 100–101 Hermes chipsets, 335 port scan, 130 IDS, 343–344 space problem, 170 installing, 337–338 structure, 100, 102 interface settings, 340 traceroute (UNIX), 32–35 key commands, 341–342 IP masquerading and lptables, 70 logging and interface options, 339 IP networks, 100, 102 Network List section, 340–341 IP protocols Prism II chipsets, 335 encrypting and verifying packets, 285 scrolling view of events, 341 identifying version, 170–171 wireless usage, 340–342 Snort, 222 Kismet Wireless, 184, 334–344 IPBlock, 48 kismet.conf file, 338, 344 IPC (Inter-Process Communication) share, 127 kismet_ui.conf file, 338 Ipchains, 59, 63–64 Knowledge Base, 148 Ipfwadm, 59, 63 IPS (Intrusion Prevention Systems), 195–196 L IPsec, 306–307 L2TP (Layer Two Tunneling Protocol), 286 AH (Authentication Header), 285–286 LANalyser, 184 ESP packets, 309 Latency, 31 FreeS/WAN, 308 LEAP, 345, 347 transport mode, 286 Least privilege, 126–127 tunnel mode, 286 Lex, 168 VPN tunnel and encryption, 84–85 Liability, 10–11 ipsec.conf file, 308, 311 libnasl file, 136 IPv4 (IP version 4), 170, 285 Libpcap libraries, 135, 168, 184, 203 IPv4 packets, 171 Libpcap Web site, 135 IPv6 (IP version 6), 170–171, 285 Linksys wireless cards, 335 IPX/SPX, 57 Linux, xi, 14, 22 ISAPI (Internet Server API), 196 AeroSniff, 335 ISC Web site, 355 AirSnort, 335, 344–346 ISO (International Standards Organizations), 54 built-in firewalls, 59 .iso image file, 78 case sensitivity, 29 ISP complaints, 352 dd, 366–368 DMZ interface, 60 J Ethereal installation, 184–185 Java Nessus Report Manager, 259 FreeS/WAN, 307 John the Ripper, 312–314 Gcc (Gnu C Compiler), 98 Joining open source movement, 384–387 GPSDrive, 343 JpGraph, 247–248 hardening, 27–44 JpGraph Web site, 247 Ipchains, 59 Howlett_index.fm Page 566 Thursday, June 24, 2004 3:47 PM

566 Index

Linux (continued) ICMP packets, 69 Ipfwadm, 59 incoming connections only on certain ports, 68 Kismet Wireless, 334–344 incoming traffic based on inside connections, 68 lptables, 59, 63 installing, 63–64 lsof, 360–363 IP masquerading, 70 NCC (Nessus Command Center), 267 NAT (Network Address Translation), 70 Nessus installation, 135–136 port scans, 93 Nmap installation, 97–99 preventing users from protocol use, 68–69 Prism2Dump, 335 scripts, 63 RPM for Perl modules, 237 setting up logging, 69 RPM (RedHat Package Manager) format, xvi smurf attack, 68 scanning commands, 364 specifications, 65–66 tools, xvi spoofing, 67–68 tprivate interface, 59 tables, 64–66 trusted interface, 59 UDP packets, 69 /var/log directory, 234 usage, 64–66 VPNs (Virtual Private Networks), 306 lsof (LiSt Open Files), 360–363 WAN interface, 59–60 Webmin service, 71 M WEPcrack, 335 -m multiport, 68 wireless drivers, 335 MAC (Media Access Control) addresses, 55–56, 166 wlan-ng drivers, 336 BSSID (Basic Station System ID), 318 Linux messages file, 234–235 hosts, 145 Linux-WLAN Web site, 336 MAC Addresses Web site, 56 Local law enforcement, 351 Mail servers Log files, 234 hackers, 125 failed login attempts, 235 security holes, 2 monitoring, 3, 236–241 Mail system testing, 142 reviewing, 363–365 Mailing lists, 19, 386 security information, 235 open source software, 382 UNIX, 363–364 support, 17 Windows, 363 Major Domo, xi, 386 Log2db.pl script, 114 Make install command, 98 Logic errors, 160 Makefile, 98 Logins Malicious software, 9 configurations, 141 Malware, 9 failed attempts, 235 Managing key trusts, 300–301 Loss of customers, 10 Mandrake Linux Loss of productivity, 12 EMACS, 113 lptables, 59, 62 tools, xvi accepting fragmented packets, 67 Manufacturer default accounts, 127–128 command line, 63 MapPoint, 324, 331–333 commands, 64–65 MASQUERADE flag, 70 current rule set, 63 MD5 hashing algorithm, 284, 356–357 “deny all” statement, 67 Merkle, Ralph, 281 domain as only allowable port, 69 Metcalfe, Bob, 165 dropped packets, 69 Microsoft RPC (Remote Procedure Call) eliminating existing rules, 67 vulnerabilities, 6 firewall creation, 66–70 MINIX, 13–14 flushing other chains, 67 Monitoring log files, 236–241 HTTP and Web traffic, 68 Morris, Robert, 124 Howlett_index.fm Page 567 Thursday, June 24, 2004 3:47 PM

Index 567

Morris worm, 124 Perl, 267, 270 MySQL, 207 PHP-compliant Web server, 270 commands, 243–244 platforms, 267 configuring Snort for, 248–249 project elements, 268 /etc/ld.so.conf file, 242 Schedule Management screen, 276 install script, 242 scheduling database, 266 locking down, 243 scheduling scan, 276–277 NCC (Nessus Command Center), 267 Sourceforge page, 269 NPI (Nessus PHP Interface), 259 symbolic link, 271 ownership and file permissions, 242 system administrator option, 273 /scripts directory, 242 Target Management screen, 274 security, 243 usage, 272–273 starting as daemon, 243 User Management screen, 273 user and group, 242 user name and password, 273 user name and password, 243 Web interface for setting Nessus options, 267 MySQL databases, 220 Web site, 269 admin user, 243 Nero, 78 NPI (Nessus PHP Interface), 260 NesQuick, 259 MySQL server, 242–243, 261 Nessus, 2, 131 MySQL Web site, 242 auto-install script, 135–136 auto-installer script remotely running, 135 N automatic scheduled scan of network, 145 Napster, 12 avoiding pattern-matching NIDS, 143 NASA Web site, 355 brute force login, 141 NASL (Nessus Attack Scripting Language), 15, 133, certificate for SSL communications, 137 156–158 CGI programs, 133 NAT (Network Address Translation), 70, 309 CGI scripts default location, 144 National Security Agency Web site, 45 client-server architecture, 132–133 .nbe format, 260 database creation, 262 NCC (Nessus Command Center), 2–3, 145, 265 documentation, 135 adding targets, 274–276 exporting scans into NIP, 263 adding users, 273 extensive install process, 135 admin user and password combination, 271 flexibility, 138 Apache, 267 Ftp writable directories, 142 automating scans, 266 hosts by MAC address, 145 database interface for Nessus results, 266–267 HTML, 134 database schema with tables, 269 Hydra, 133 GPL, 277 integration with other tools, 133 group administrators option, 273 KB (Knowledge Base) tab, 147–149 group management feature, 273 Knowledge Base, 134, 147–149 installing, 270–272 LaTeX, 134 Linux, 267 Linux installation, 135–136 logical layout, 269 listing previously run sessions, 147 login page, 272 login, 141 main screen, 272 login page, 138 management platform for Nessus scanning, 266 mailing lists, 134–135 managing users, target files, and schedules, 273 medium- to large-size networks, 259 modular and expandable, 272–273 multiple report formats, 134 MySQL, 267, 270 NASL (Nessus Attack Scripting Language), 15, Nessus interface, 266 133 Nessus server and client, 270 new hosts, 148 Howlett_index.fm Page 568 Thursday, June 24, 2004 3:47 PM

568 Index

Nessus (continued) Nessus server NIDS (Network Intrusion Detection System), logging into, 138 142–143, 199 outside firewall, 159 Nikto, 133 users, 147 Nmap, 133, 140 Nessus Web site, 158 NNTP (Network News) server, 142 nessus-announce mailing list, 134 number of simultaneous tests, 143–144 Nessus-core file, 136 open source project, 133 nessus-cvs mailing list, 134 ping remote host, 140–141 nessusd daemon, 42 plain text, 134 nessus-devel mailing list, 134 Plugins tab, 139 Nessus-libraries file, 136 port range, 143 nessus-php directory, 262 port scanner, 133, 145 Nessus-php index file, 263 Preferences tab, 139 nessusphp.inc file, 262 prerequisites, 135 Nessus-plug-ins file, 136 reading targets from file, 146 Nessus.rc text file, 150 record of targets and settings, 146 NessusWX, 149 retesting hosts, 148 client-side settings, 150–151 reusing Knowledge Base, 148 Comments tab, 152 reverse DNS lookup, 144 installing, 150 robust support network, 134–135 interface, 150 sample scanning configurations, 155–156 MySQL support, 150 saving sessions without data, 147 Options tab, 152 Scan Options tab, 143–145 PDF files, 150 scanning without being connected to client, Plugins tab, 152 145 Port scan tab, 152 security scan data and database reports, 3 report manipulation, 150 server-side options, 139–143 reporting formats, 150 setting up, 137 reports, 154 smart testing, 133–134 scan configurations (sessions), 151 SMTP settings, 142 Scan Status screen, 153–154 status of scan, 148–149 server-controlled settings, 150 Target Selection tab, 145–147 session profile, 151–154 testing, 142 Session Properties window, 152 testing every host, 148 user interface, 150 testing on every host, 144 Net Security SVCS Web site, 269 testing SSL services, 141 NetBEUI, 57 two different parts generating data, 260 NetBIOS, 57, 130 UID (User ID numbers) range, 141 NetBSD, 23 unsafe checks, 144–145 NetBus, 95 unscanned ports as closed, 143 netfilter.org Web site, 63 user accounts, 137 NetIQ, 234 User tab, 147 Netmasks, 100, 102 user-created scripts, 156–158 NetPatrol, 234 vulnerability tests depth, 132 Netscape, 283 Web mirroring, 142 NetScreen, 54 Whisker, 133, 142 NetStumbler, 20, 184, 323 Windows domain test, 142 converting output to MapPoint, 331–333 XML, 134 data fields, 326–327 zone file for domain, 146 installing, 325 Nessus mailing list, 134 listing access points, 325 Howlett_index.fm Page 569 Thursday, June 24, 2004 3:47 PM

Index 569

networks detected, 326, 328 topology, 166–167 options, 329 tracking troublemakers, 36–37 polling for access points, 328 watching for suspicious activity, 2 saving sessions, 331 Network/server optimization, 94 signal graph, 328 Newsgroups, 381–382 usage, 325–328 NeWT, 150 wireless network card status, 328 NICs (network interface cards), 318, 335–337 NetStumbler Web site, 322 NIDS (Network Intrusion Detection System), 2, Network architecture 142–143, 163, 194 application layer, 57 attacks and suspicious activity from internal data link layer, 55–56 sources, 194 network layer, 56 cmd.exe attack, 196 OSI Reference Model, 54–57 database authentication activity, 200 physical layer, 55 false positives, 198–200 presentation layer, 57 hardware requirements, 204 session layer, 57 .ida buffer overflow, 196–198 transport layer, 56–57 long authentication strings, 199–200 Network card and promiscuous mode, 168 Nessus, 199 Network interface hardware, 55–56 network monitoring system activity, 199 Network layer, 56 network vulnerability scanning/port scanners, Network protocols, 57 199 Network sniffers, 2, 61, 163–164 Nmap, 199 baseline for network, 167 placement of, 210–211 Ethereal, 183–191 signatures, 196–198 getting permission for, 166 sorting and interpreting data, 2 network topology, 166–167 Trojan horse or worm-like behavior, 199 ports, 166–167 tuning and managing with ACID, 253–254 routers, 166 user activity, 199 Tcpdump, 167–181 Nikto, 133 tight search criteria, 167 Nimda worm, 9–10, 123, 196, 199 WinDump, 181–182 NIST (National Institute of Standards and Network Solutions, 36 Technology), 284 Network Solutions Web site, 37 Nlog, 94 Network unreachable ICMP message, 31 add-ons, 115–116 Network use policy, 60 CGI directory, 114 Network Worms, 94 checking external network exposure, 119 Networks hunting for illicit/unknown Web servers, 118 accounts with blank passwords, 128 installing, 112, 114 baseline, 2, 167 organizing and analyzing output, 112–117 checking external exposure, 119 scanning for least common services, 117–118 communication with secondary identification, 56 scanning for servers running on desktops, dropping packets, 31 118–119 fault-tolerant, 57 Trojan horses, 119 information about, 31 usage, 114–115 inventory of, 93–94 user-created extensions, 116–117 mapping needed services, 61 viewing database file, 114–115 monitoring system activity, 199 Nlog directory, 112 NIDS placement, 210–211 Nlog Web site, 112 plain text inter-system communications, 43 Nlog-bind.pl file, 117 scanning from inside and out, 2 Nlog-bind.pl script, 116 scanning with permission, 158 Nlog-config.ph file, 117 Howlett_index.fm Page 570 Thursday, June 24, 2004 3:47 PM

570 Index

Nlog-dns.pl file, 116 Norton, 293 Nlog-finger.pl file, 116 Norton Ghost, 365, 372 Nlog.html file, 114 NPI (Nessus PHP Interface), 259 Nlog-rpc.pl file, 116 analyzing Nessus data, 263–264 Nlog-search.pl file, 117 dataflow, 269 Nlog-smb.pl file, 116 directory for files, 262 Nmap, 2, 96, 135 flow of data, 260 Bounce Scan, 105 importing Nessus scans, 263 carefully selecting scan location, 110 installing, 261–263 checking external network exposure, 119 logical parts, 260 code, 97 manipulating scan data, 264 color coding ports, 111 MySQL, 259–261 command line interface, 97, 103 .nbe format, 260, 263 compiling from source, 98 .nsr format, 263 downloading files, 97 PHP, 259 ease of use, 97 PHP-enabled Web server, 260 FIN Scan, 104 queries, 263–264 Idle Scan, 105 usage, 263–264 illicit/unknown Web servers, 118 Nslookup, 47 IP addresses formats, 100–101 nsr script, 262–263 least common services, 117–118 nsr-php script, 261–262 Linux installation, 97–99 NTP (Network Time Protocol), 355 log file, 114 NULL Scan, 104 miscellaneous options, 107–109 Nessus, 133, 140 O network discovery options, 106 OE (Opportunistic Encryption) mode, 308 NIDS (Network Intrusion Detection System), Official name registrars, 36 199 One-way functions, 282 NULL Scan, 104 Open ports and security, 2 options, 96–97 Open Source Initiative Web site, 384 output, 110–112 Open source movement PingSweep scan, 104 bug finder/beta tester, 385 regularly running scans, 110 discussion groups and supporting other users, RPC Scan, 105 385–386 running as service, 107, 110 joining, 384–387 saved logs formats, 112 providing resources to project, 386–387 scan types, 103 Open source operating systems, 27 scanning networks, 100 Open source projects, 264 starting graphical client, 99 broader need for, 265 SYN scan, 103 NCC (Nessus Command Center), 266–277 TCP Connect scan, 103 patronizing companies supporting open source timing, 106–107, 110 products, 387 Trojan horses, 119 permission to release code as open source, 265 UDP Scan, 104 providing resources to, 386–387 Windows installation, 99–100 Open source security tools, xix–xxi Windows Scan, 105 Open source software, xi, 12 XMAS Scan, 104 100 percent outsourced IT, 20 X-Windows, 97 advantages, 15–19 NMapWin, 99–100 BSD license, 13, 21, 23 NMS (Network Monitoring System), 199 chat rooms, 19 NNTP (Network News) server, 142 cost, 15 Howlett_index.fm Page 571 Thursday, June 24, 2004 3:47 PM

Index 571

documentation, 18 P education, 18–19 Packets, 58 extendibility, 15 delivery address for, 170 GPL (General Public License), 13, 15, 21–23 latency, 31 hashes, 284 logging, 205 history, 13–14 moving between points, 56–57 interdependence, 16 number of hops before dying, 32 Internet, 13–14 suspicious, 205–206 licenses, 21–23 virtual path, 32 Linux, 14 Pass-phrases, 289, 297 mailing lists, 19, 382 Password crackers, 312–314 not fitting needs, 19–20 Password files, testing, 312–314 patches, 16 Password hash file, 314 product life span, 18 Passwords, 7, 127–128, 141 reputation, 19 Patches, 16, 124 resources, 381–384 pcap library, 168 restrictive corporate IT standards, 20 PCMCIA drivers, 335 scripting languages, 15 Peer-to-peer file transfer software, 95–96 security, 4, 15–16 Peer-to-peer mode, 308–310 security software company, 19–20 Perl support, 16–18 NCC (Nessus Command Center), 267 UNIX, 13 Swatch, 237 viewing code, 18 Perl Curses and TK modules, 28 Web sites, 382–384 PGP (Pretty Good Privacy), 3 Windows, 20–21 adding keys to public key ring, 291 OpenBSD, 23 chain of trust, 299 OpenSSH, 301–305 Decrypt/Verify function, 293 OpenSSH Client, 43–44 deleting, 290 OpenSSH server, 302–304 Encrypt and Sign function, 293 OpenSSL, 135 Encrypt function, 291–292 OpenView, 234 encrypting files, 291–292 Operating system tools features, 288 Bastille Linux, 28 Freespace Wipe, 293 dig, 37–39 generating public/private key pair, 289 finger, 39–41 hybrid cryptosystem, 289 OpenSSH Client, 43–44 improper use of, 289 ping (Packet Internet Groper), 30–32 installing, 289 ps, 41–42 key pairs creating and revoking, 291 traceroute (UNIX), 32–37 key rings, 290–291 tracert (Windows), 32–37 options, 293–295 whois, 35–37 pass-phrase, 289–290, 292 Opportunistic encryption, 307, 311–312 PGP Options dialog box, 293–295 Oracle, 207 PGPKeys section, 290–291 ORiNOCO wireless cards, 335–336 PGPMail, 290 OS (operating system), 25 pouring file, 290 attacks on, 26 private key, 290 hardening, 27–44 reversing PGP encryption process, 293 identifying, 31 securing file, 290 securing, 27 shared secret encryption, 292 security features, 26 Sign function, 292–293 OSI Reference Model, 54–57, 121–122 web of trust model, 299 Howlett_index.fm Page 572 Thursday, June 24, 2004 3:47 PM

572 Index

PGP (continued) Ports Wipe function, 293 network sniffing, 166–167 wiping original file, 292 scanning. See port scanners PGP Freeware, 288, 290 unscanned as closed, 143 PGP Web site, 298 verifying suspicious open, 110–111 PGPMail, 290 PostgreSQL, 207 PHP Presentation layer, 57 Apache Web server, 261 Primitives, 175 buffer overflows, 126 Prism II chipsets, 323, 335 color graphs, 247–248 Prism2Dump, 335 httpd.conf configuration file, 246 Private keys, managing, 290–291 manipulation libraries, 248 Private line connections, 7 NPI (Nessus PHP Interface), 259 Processes, listing, 41–42, 45 setting up, 245–246 Product life span, 18 Web-based applications, 245 Promiscuous mode, 168 PHP Web site, 246 Property masks, 228 PHP-enabled Web server, 260 Protocols and encryption, 280 PHPLOT, 247 ps command, 41–42 Physical layer, 55, 164 Public Key cryptography, 281, 302 Physical media, 55 Public key servers, 298 Physical threat, 7 Public keys Pico, 113 managing, 290–291 ping (Packet Internet Groper), 30–32 publishing, 298 Sam Spade for Windows, 47 signing files with, 292–293 Windows, 45 validating, 291 PingSweep scan, 104 Public servers, 2 PKE (public key encryption), 281–283, 289 Public-private key pair, 297 Plain text, 279 Publishing public keys, 298 Plugging holes, 2 PuTTY, 49–51 Plug-ins, 139 Pwlib, 28 plug-ins-writers mailing list, 134 Python, 13 Port 80, 89 Port forwarding, 304–305 Q Port numbers, 88–89 qotd (quote of the day) service, 129 TCP headers, 172 Trojan horses, 94 R Port scan, 130 RangeLan wireless cards, 335 Port scanners, 61 RC4, RC5, and RC6, 284 differences between, 90 RedHat Linux, 14, 26, 28 identifying operating system, 91–92 Remote host, pinging, 140–141 network inventory, 93–94 Remote systems network/server optimization, 94 information on users, 40 Nlog, 112–117 securely logging into, 43–44 Nmap, 96–112 Remote terminal access, 302 overview, 90–92 Reputation, 19 spyware, Trojan horses, and network worms, Resources for open source software, 381–384 94 Restrictive corporate IT standards, 20 TCP fingerprinting, 91–92 Reverse DNS lookup, 144, 255–256 unauthorized or illicit services, 95–96 Revocation certificate, 297–298 when to use, 93 revoke.asc file, 298 Port scans, 93 RFC Editor Web site, 170 Howlett_index.fm Page 573 Thursday, June 24, 2004 3:47 PM

Index 573

Rijndael, 284 identifying, 122–131 Rivest, Ronald, 282, 284 logic errors, 160 Road Warrior mode, 308, 310–311 major Internet outages, 123 Roesch, Martin, 202 not enough time or staff, 123 Roots Web mailing list, 382 patches, 16, 123 Routers potential, 161 finger, 39 published and known, 122–123 network sniffing, 166 unaware of problem, 123 Telnet, 125 Web servers, 125 weaknesses in, 124–125 Windows, 16 RPC Scan, 105 Security policies for employees, 160–161 RPM (RedHat Package Manager) format, xvi Security software company, 19–20 RPMFind Web site, 237, 335 Security tool system, hardening, 27–44 RSA, 282–283 Sed, 13 Sendmail, xi, 22, 125 S Servers sa account, 128 investigating break-ins, 3 Sam Spade for Windows, 47–48 message logs, 234 ACID (Analysis Console for Intrusion port scanning, 94 Databases), 256 rebooting at strange times, 235 installing, 46 running on desktop, 118–119 PuTTY, 49–51 time syncing, 354–355 testing IP address or hostname, 46 Services Samba and potential security holes, 30 account and password for, 141 Samspade.org Web site, 46 attacked most, 256 Schneier, Bruce, 284 brute force login, 141 SCP, 302 illicit, 95–96 Script Kiddies, 8–9 listing running, 94 Scripting languages, 15 mapping out needed, 61 Search engines, 129–130 running Nmap as, 107, 109 Secure wireless solution, implementing, 3 running Snort as, 215–216 Securely logging into remote systems, 43–44 searching for, 42 Securing turning off, 45 files, 290 unauthorized, 95–96 important files and communications, 3 unknown running, 42 perimeter, 1–2 unneeded, 128–129 Security, xi–xii Session layer, 57 early warning system, 2 Session profile, 151–154 hardware and software, 12 Sessions, logging, 50 height cost of, 12 Sfind utility, 377 implementing secure wireless solution, 3 SFTP, 302 important files and communications, 3 SGI Web site, 355 investigating break-ins, 3–4 Shamir, Adi, 282 management system for security data, 2–3 Shared secret encryption, 281 MySQL, 243 Shell scripts, 66–67 open source software, 4, 15–16 Shells, 67 plugging holes, 2 Shmoo Web site, 322, 336 securing perimeter, 1–2 SID (Security ID), 142 unauthorized or illicit services, 95–96 Signatures, 193, 196 Security holes signed.doc file, 299 BIND (Berkley Internet Naming Domain), 126 Signing files and GnuPG (GNU Privacy Guard), buffer overflow, 89–90 299–300 Howlett_index.fm Page 574 Thursday, June 24, 2004 3:47 PM

574 Index

Simovits Web site, 359–360 Sniffer Pro, 184 Simple symmetric cryptography, 298 SNMP (Simple Network Management Protocol), Slash notation, 100, 102 127–128 Slashdot Web site, 383 snmpwalk, 128 The Sleuth Kit/Autopsy Forensic Browser, 356 Snort, 2, 15, 201, 343 adding hosts, 371–372 alert header, 222 adding images, 372–373 alert modes, 206–207 analysis types, 374 alert options, 222–223 analyzing data, 374 anomalous activity detection, 202 Autopsy Forensic Browser, 369 command line, 203 Case Gallery, 371 configuring for maximum performance, creating and logging into case, 370–371 207–209 evidence locker, 369 customizing rule sets, 209 features, 369 database output, 207, 209 hash file, 373 decoders and preprocessors, 208 installing, 369 default snort.conf configuration file, 205 usage, 369–370 disabling rules, 211–215 SmoothWall Corporate Server, 75, 78 features, 203 SmoothWall Express, 75 hardware, 203 additional applications, 85–86 home network, 207 additional connection types support, 77 IDS mode, 203 admin default user name, 80 installing, 203 auto-detecting NICs (network interface cards), internal servers setup, 208 79 intrusion detection mode, 205–206 bootable CD-ROM disk, 78 IP protocols, 222 dedicated machine, 77 logging packets, 205 DHCP client and server, 76–77, 79 logging suspicious packets, 205–206 graphs and reports, 77 MySQL, 248–249 hardware requirements, 77 open source and portable, 203 hostname, 79 output modules configuration, 208–209 installing, 78–80 packet logging mode, 203–205 intrusion detection, 77 packet sniffer mode, 203–204 opening screen, 80 resources, 202 passwords, 80 rule classes file names, 211–215 patches, 83 running, 203 setting up network types, 79 sample custom rules, 224–225 setup mode, 79 securing database, 254 shutting down, 83 as service, 215–216 versus SmoothWall Corporate, 78 signature-based, 202 SSH and Web access to firewall, 77 SMB output option, 206 VPN support, 76 snort.conf configuration file, 207–209, 248 Web caching server, 77 Space module, 202 Web interface user account, 80 Syslog output option, 207, 209 Web proxy server, 77 Unified output module, 209 zones, 79 using names carefully, 259 SmoothWall firewall, 80–81, 83–84 /var/log/snort directory, 205 SmoothWall Web site, 78 writing custom rules, 221–225 SMTP, 142 Snort for Windows, 217–221 Smurf attack, 68 Snort Web site, 221 SNA, 57 Snort Webmin Interface, 216–217 Sniffer, 184 Social engineering attack, 130 Howlett_index.fm Page 575 Thursday, June 24, 2004 3:47 PM

Index 575

Software and wireless LANs, 323–324 text editor usage, 237 SonicWALL, 54, 347 watchfor statement, 240 Source code Symmetric cryptography, 281, 302 compiling from, 97–98 SYN packet, 59 modifications, 22 SYN scan, 103 Sourceforge Web site, 237, 265, 382–383 -syn statement, 68 Space module, 202 SYN/ACK packet, 59 Spoofing, 67–68 Syslog server, 207 Spyware, 94 System files, modifications to, 2257 SQL databases, 247 System V, 13 SQL servers, 128 Systems, listing processes, 41–42 SQL Slammer worm, 123–124, 126, 128 SSH (secure shell), 43–44, 302 T SSH client and Windows, 50–51 Tables, 64–66 SSH server, 302–304 Tampering with records, 12 sshd process, 302 tar -zxvf command, 112 sshd_config file, 303 Targets, 274–276 SSID (Station Set Identifier), 318–321 TCB (Trusted Computing Base), 25 SSL (Secure Socket Layer), 286, 302 TCP (Transmission Control Protocol), 56–57 SSL services, testing, 141 establishing session, 172 Stacheldraht, 95 three-way handshake, 59 Stallman, Richard, 13 TCP Connect scan, 103 State, 59 TCP fingerprinting, 91–92 Storage lockers, 8 TCP Flags, 172–173 StumbVerter, 331–333 -tcp flags, 68 Sub7, 95 TCP headers, 172–173 Support, 16–16 Tcpdump, 167, 309 Supporting other users, 385–386 allowable primitive combinations, 176–179 Swatch (Simple Watcher or Syslog Watcher), 3 comments, 170 action statements, 240–241 destination address, 170 bad logins, 236 example, 169 command options, 238 examples, 180–181 configuration file, 239–241 expressions, 175–179 configuring, 238–239 installing, 168 as daemon or as cron job, 236 options, 173–175 Date::Calc Perl module, 237 parts of IP stack, 173 Date::Format Perl module, 237 ported over to Windows platform, 181–182 Date::HiRes Perl module, 237 primitives, 175 default config file, 238 qualifiers, 176 FTP, SSH, or Telnet usage, 237 running, 169–170 installing, 237–238 source IP address of packet, 170 log file options, 239 TCP sequence number, 173 Perl, 237 TCP/IP packet headers, 170–175 running, 238–239 timestamp, 170, 173 scanning UNIX messages file, 239 Tcpdump Web site, 168 Snort or Nessus messages, 236 TCP/IP swatchrc file, 239–241 ARP (Address Resolution Protocol) request, 59 swatchrc.monitor, 239 becoming standard, 57–58 swatchrc.personal file, 239 communication phases between network nodes, system crashes, 236 58–59 system reboots, 236 communications having state, 59 Howlett_index.fm Page 576 Thursday, June 24, 2004 3:47 PM

576 Index

TCP/IP (continued) Trojan horses, 9, 94–95 fault-tolerant network, 57 database of, 359 headers, 170–175 NIDS (Network Intrusion Detection System), IP address, 58 199 packets, 58 nlog, 119 TCP three-way handshake, 59 nmap, 119 TCP/IP networks, 56 port numbers, 94 TCP/IP packet, layout of, 170 uncommon ports, 90 TCP/UDP port numbers, 87 Trusted interface, 59 Telnet, 302 Trusted zone, 73 routers, 125 TTL (Time to Live) setting, 32 scanning ports, 90–91 Tunnel mode, 286 Terminal program, 43 Turbo Linux, 14 Text editors, 112–114 Turtle Firewall, 1, 63–64, 71–75 Time, 48 Turtle Firewall Web site, 72 Token Ring, 164 twagent, 226 Tools Mandrake Linux 9.1, xvi U RPM (RedHat Package Manager) format, xvi UDP (User Datagram Protocol), 57 searching Web for, 265 UDP Scan, 104 Windows 2000 Pro, xvi UIDs (User ID), 141 Windows XP Pro, xvi Unauthorized services, 95–96 Torvalds, Linus, xi, 14 Universities, 13 Tprivate interface, 59 University of California at Berkley, 13 Trace and Sam Spade for Windows, 48 UNIX, 14 traceroute (UNIX), 32–37 C compiler built in, 97 tracert (Windows), 32–37 case sensitivity, 29 Traffic signatures, 193 dd, 365–368 Transport layer, 56–57 Ethereal, 183–191 Transport mode, 286 John the Ripper, 313 Trin00, 95 log files, 363–364 Trinity, 95 lsof, 360–363 TripleDES, 283–284 Open Source software, 13 Tripwire scanning commands, 364 baseline attributes database, 226–227 The Sleuth Kit/Autopsy Forensic Browser, commercial and open source versions, 226 368–374 configuring, 227–230 Snort, 201–216 cron job, 231 text editors, 113–114 /etc/tripwire directory, 227 tools, xvi file integrity, 231 universities, 13 ignore flags, 229 unixODBC, 207 initializing baseline database, 230 Unsafe checks, 144–145 installing, 227 Untrusted zone, 73 license agreement, 227 USENET, 13 policy file, 227–231 USENET newsgroups, 381–382 property masks, 228 /user/local/etc directory, 338 RPMs, 227 Users site and local pass phrases, 227 adding to NCC, 273 template property masks, 229 least privilege, 126–127 updating database, 231 listing logged-on, 40–41 Howlett_index.fm Page 577 Thursday, June 24, 2004 3:47 PM

Index 577

Nessus server, 147 hunting for unknown/illicit, 118 remote system information about, 40 managing security data, 241–264 SUID (Security ID), 142 NetBIOS null sessions, 130 /usr/local/bin directory, 303 security holes, 2, 125 /usr/local/etc/ssh directory, 303 testing integrity, 142 Web sites, 7–8 V open source software, 382–384 /var/log directory, 234 whois information, 130 Verification and hashes, 284 Web-based applications, 245 VeriSign, 36, 285 Webmin interface, 72 vi, 66, 113 Webmin RPM, 63–64 VIA Web site, 355 Webmin Snort, 218–219 Viruses, 9 Webmin Web site, 63 Vogt, Jens, 99 Well-known port numbers, 88 VPN encryption, 347 WEP (Wired Equivalent Privacy), 319–321, 344, 346 VPN tunnel, 84–85 WEPCrack, 335, 344 VPNs (Virtual Private Networks), 2, 305 WhatsUp Gold, 199 Linux, 306 Whisker, 133, 142 SmoothWall firewall, 83–85 Whois, 35–37, 48 Vulnerability scanners, 12 Wi-Fi, 316–319 attacks in progress or already happened, 161 Windows, 26 current backups and, 158–159 broadcast traffic, 165 custom applications, 160 default guest account, 127 excessive scanning, 159 Ethereal, 183–191 hackers, 130 exposing network configuration information, location of Nessus server, 159 129 logic errors, 160 The Forensic Toolkit, 375–379 minimal impact on other employees, 159 Fport, 357–360 Nessus, 131–141 guides for, 45 NessusWX, 149–154 hardening, 45–51 scanning with permission, 158 hidden files, 376–377 security policies for employees, 160–161 installing Ethereal, 185 testing applications for security holes, 122 installing Nmap, 99–100 undiscovered vulnerabilities, 160 IPC (Inter-Process Communication) share, 127 John the Ripper, 313 W listing processes running, 45 WAN interface, 59–60 log files, 363 War dialing, 321 NessusWX, 149–154 War driving, 321–322 NetStumbler, 324–331 Web network-aware services, 45 login strings, 199–200 Norton Ghost, 365 searching for tools on, 265 NULL session capabilities, 378–379 Web of trust, 291, 299 open source software, 20–21 Web servers ping, 45 ACID (Analysis Console for Intrusion poor security by default, 127 Databases), 247 Sam Spade for Windows, 46–49 allowing dangerous commands, 142 security holes, 16 alternate ports, 118 Services window, 45 buffer overflow, 130 Snort for Windows, 217–221 bugs, 125 SSH client, 50–51 firewalls, 125 StumbVerter, 331–333 hackers, 125 Howlett_index.fm Page 578 Thursday, June 24, 2004 3:47 PM

578 Index

Windows (continued) security perimeter, 316 traceroute, 45 software, 323–324 WinDump, 181–182 StumbVerter, 331–333 Windows 2000 Pro, xvi training staff about, 348 Windows Scan, 105 treating as untrusted, 347 Windows Small Business Server 2000, 26 unencrypted communications, 321 Windows XP unsecured, 322 firewalls, 86 VPN encryption, 347 insecurities, 26 war dialing, 321 Windows XP Pro, xvi war driving, 321 Windows-based firewalls, 86 WEP (Wired Equivalent Privacy), 319–321, 346 WinDump, 181–182 Wi-Fi, 316–317 WinDump-specific commands, 182 wireless cards, 323 WinPcap, 100 wireless perimeter, 329–330 WinPcap libraries, 168, 185, 220 Wireless network node, 318 Wireless cards, 323 Wireless networks Wireless LANs security assessment, 322 802-11-specific vulnerabilities, 320–321 testing security, 3 access to wireless PCs, 320 Wireless PCs, access to, 320 accessing with wireless access point, 320 wlan-ng drivers, 336 AirSnort, 344–346 Worms, 6, 9 anonymous Internet access, 320 accounts with blank passwords, 128 antennas, 324 NIDS (Network Intrusion Detection System), auditing perimeter, 347 199 beacon broadcasts, 321 wtmp, 3 dangers, 319–321 /www subdirectory, 262 default SSIDs, 320–321 /www/htdocs directory, 249 eavesdropping, 319–320 external antenna, 330 X hardware, 323–324 XMAS Scan, 104 improved encryption protocol, 347 X-Windows, 27, 29 informing others of access to, 330 Kismet Wireless, 334–344 Y moving access points, 347–348 Yacc, 168 NetStumbler, 324–331 optimal conditions for auditing, 330 Z overview, 316–319 Zimmerman, Phil, 286–287 permission to access, 329 Zombies, 8 properly configuring, 348