
Security Warrior

Other computer security resources from O'Reilly

Related titles:
    802.11 Security
    Building Internet Firewalls
    Computer Security Basics
    Java Cryptography
    Java Security
    Linux Security Cookbook
    Secure Programming Cookbook for C and C++
    Network Security with OpenSSL
    Practical Unix and Internet Security
    Secure Coding: Principles & Practices
    Securing Windows NT/2000 Servers for the Internet
    SSH, The Secure Shell: The Definitive Guide
    Web Security, Privacy, and Commerce
    Database Nation
    Building Secure Servers with Linux

Security Books Resource Center: security.oreilly.com is a complete catalog of O'Reilly's books on security and related technologies, including sample chapters and code examples.

oreillynet.com is the essential portal for developers interested in open and emerging technologies, including new platforms, programming languages, and operating systems.

Conferences: O'Reilly & Associates brings diverse innovators together to nurture the ideas that spark revolutionary industries. We specialize in documenting the latest tools and systems, translating the innovator's knowledge into useful skills for those in the trenches. Visit conferences.oreilly.com for our upcoming events.

Safari Bookshelf (safari.oreilly.com) is the premier online reference library for programmers and IT professionals. Conduct searches across more than 1,000 books. Subscribers can zero in on answers to time-critical questions in a matter of seconds. Read the books on your Bookshelf from cover to cover or simply flip to the page you need. Try it today with a free trial.

Security Warrior
Cyrus Peikari and Anton Chuvakin

Beijing • Cambridge • Farnham • Köln • Paris • Sebastopol • Taipei • Tokyo

Security Warrior
by Cyrus Peikari and Anton Chuvakin

Copyright © 2004 O'Reilly Media, Inc. All rights reserved.
Printed in the United States of America.

Published by O'Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O'Reilly Media, Inc. books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (safari.oreilly.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or [email protected].

Editor: Mike Loukides
Production Editor: Colleen Gorman
Cover Designer: Emma Colby
Interior Designer: David Futato

Printing History:
    January 2004: First Edition.

Nutshell Handbook, the Nutshell Handbook logo, and the O'Reilly logo are registered trademarks of O'Reilly Media, Inc. Security Warrior, the image of Sumo wrestlers, and related trade dress are trademarks of O'Reilly Media, Inc.

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O'Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps.

While every precaution has been taken in the preparation of this book, the publisher and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

This book uses RepKover™, a durable and flexible lay-flat binding.

ISBN: 0-596-00545-8 [M] [11/04]

Dr. Cyrus Peikari is humbled before Bahá'u'lláh, the Glory of God. He also thanks his students, teachers, and fellow seekers of knowledge. Dr. Peikari is also grateful to his family for their support and encouragement.
—Dr. Cyrus Peikari

The part of the book for which I am responsible is dedicated to Olga, who put up with me during all those evenings I spent working on the book and who actually encouraged me to write when I was getting lazy.
—Dr. Anton Chuvakin

Table of Contents

Preface  xiii

Part I. Software Cracking

1. Assembly Language  3
    Registers  4
    ASM Opcodes  7
    References  8

2. Windows Reverse Engineering  9
    History of RCE  10
    Reversing Tools  11
    Reverse Engineering Examples  23
    References  32

3. Linux Reverse Engineering  33
    Basic Tools and Techniques  34
    A Good Disassembly  54
    Problem Areas  69
    Writing New Tools  74
    References  116

4. Windows CE Reverse Engineering  118
    Windows CE Architecture  119
    CE Reverse Engineering Fundamentals  123
    Practical CE Reverse Engineering  131
    Reverse Engineering serial.exe  147
    References  160

5. Overflow Attacks  161
    Buffer Overflows  161
    Understanding Buffers  162
    Smashing the Stack  165
    Heap Overflows  166
    Preventing Buffer Overflows  167
    A Live Challenge  168
    References  175

Part II. Network Stalking

6. TCP/IP Analysis  179
    A Brief History of TCP/IP  179
    Encapsulation  179
    TCP  180
    IP  182
    UDP  184
    ICMP  185
    ARP  185
    RARP  186
    BOOTP  186
    DHCP  186
    TCP/IP Handshaking  186
    Covert Channels  188
    IPv6  188
    Ethereal  190
    Packet Analysis  191
    Fragmentation  192
    References  198

7. Social Engineering  199
    Background  200
    Performing the Attacks  202
    Advanced Social Engineering  209
    References  211

8. Reconnaissance  212
    Online Reconnaissance  212
    Conclusion  224
    References  224

9. OS Fingerprinting  225
    Telnet Session Negotiation  225
    TCP Stack Fingerprinting  226
    Special-Purpose Tools  229
    Passive Fingerprinting  229
    Fuzzy Operating System Fingerprinting  232
    TCP/IP Timeout Detection  234
    References  235

10. Hiding the Tracks  236
    From Whom Are You Hiding?  236
    Postattack Cleanup  237
    Forensic Tracks  243
    Maintaining Covert Access  248
    References  254

Part III. Platform Attacks

11. Unix Defense  257
    Unix Passwords  257
    File Permissions  261
    System Logging  264
    Network Access in Unix  267
    Unix Hardening  270
    Unix Network Defense  285
    References  298

12. Unix Attacks  299
    Local Attacks  299
    Remote Attacks  307
    Unix Denial-of-Service Attacks  321
    References  328

13. Windows Client Attacks  329
    Denial-of-Service Attacks  329
    Remote Attacks  339
    Remote Desktop/Remote Assistance  343
    References  349

14. Windows Server Attacks  350
    Release History  350
    Kerberos Authentication Attacks  351
    Kerberos Authentication Review  351
    Defeating Buffer Overflow Prevention  356
    Active Directory Weaknesses  357
    Hacking PKI  359
    Smart Card Hacking  360
    Encrypting File System Changes  363
    Third-Party Encryption  365
    References  367

15. SOAP XML Web Services Security  369
    XML Encryption  369
    XML Signatures  372
    Reference  373

16. SQL Injection  374
    Introduction to SQL  374
    SQL Injection Attacks  377
    SQL Injection Defenses  383
    PHP-Nuke Examples  387
    References  390

17. Wireless Security  391
    Reducing Signal Drift  391
    Problems with WEP  393
    Cracking WEP  393
    Practical WEP Cracking  399
    VPNs  399
    TKIP  400
    SSL  401
    Airborne Viruses  401
    References  406

Part IV. Advanced Defense

18. Audit Trail Analysis  409
    Log Analysis Basics  409
    Log Examples  410
    Logging States  418
    When to Look at the Logs  419
    Log Overflow and Aggregation  420
    Challenge of Log Analysis  421
    Security Information Management  421
    Global Log Aggregation  422
    References  423

19. Intrusion Detection Systems  424
    IDS Examples  425
    Bayesian Analysis  430
    Hacking Through IDSs  435
    The Future of IDSs  437
    Snort IDS Case Study  439
    IDS Deployment Issues  443
    References  445

20. Honeypots  446
    Motivation  447
    Building the Infrastructure  448
    Capturing Attacks  457
    References  458

21. Incident Response  459
    Case Study: Worm Mayhem  459
    Definitions  460
    Incident Response Framework  462
    Small Networks  466
    Medium-Sized Networks  471
    Large Networks  473
    References  477

22. Forensics and Antiforensics  478
    Hardware Review  478
    Information Detritus  480
    Forensics Tools  481
    Bootable Forensics CD-ROMs  486
    Evidence Eliminator  490
    Forensics Case Study: FTP Attack  497
    References  506

Part V. Appendix

Appendix: Useful SoftICE Commands and Breakpoints  509

Index  517

Preface

    ...All samurai ought certainly apply themselves to the study of military science. But a bad use can be made of this study to puff oneself up and disparage one's colleagues by a lot of high-flown but incorrect arguments that only mislead the young and spoil their spirit. For this kind gives forth a wordy discourse that may appear to be correct and proper enough, but actually he is striving for effect and thinking only of his own advantage, so the result is the deterioration of his character and the loss of the real samurai spirit. This is a fault arising from a superficial study of the subject, so those who begin it should never be satisfied to go only halfway but persevere until they understand all the secrets and only then return to their former simplicity and live a quiet life....
    —Daidoji Yuzan, The Code of the Samurai *

This book offers unique methods for honing your information security (infosec) technique. The typical reader is an intermediate- to advanced-level practitioner. But who among us is typical? Each of us approaches infosec with distinctive training and skill. Still, before you spend your hard-earned money on this book, we will try to describe the target reader.

As an example, you might enjoy this book if you already have experience with networking and are able to program in one or more languages. Although your interest in infosec might be new, you have already read at least a few technical books on the subject, such as Practical UNIX & Internet Security from O'Reilly. You found those books to be informative, and you would like to read more of the same, but hopefully covering newer topics and at a more advanced level. Rather than an introductory survey of security from the defensive side, you would like to see through an attacker's eyes. You are already familiar with basic network attacks such as sniffing, spoofing, and denial-of-service. You read security articles and vulnerability mailing lists online, and you know this is the best way to broaden your education. However, you now want a single volume that can quickly ratchet your knowledge level upward by a few notches. Instead of reading a simple catalog of software tools, you would like to delve deeper into underlying concepts such as packet fragmentation, overflow attacks, and operating system fingerprinting.

* Samurai quote courtesy of http://www.samurai-archives.com.