Bryan Burns, Dave Killion, Nicolas Beauchesne, Eric Moret, Julien Sobrier, Michael Lynn, Eric Markham, Chris Iezzoni, Philippe Biondi, Jennifer Stisa Granick, Steve Manzuik, Paul Guersch0596009631, 9780596009632
Table of contents :
Security Power Tools……Page 1
Table of Contents……Page 6
Foreword……Page 14
About the Authors……Page 18
Preface……Page 22
Assumptions This Book Makes……Page 24
Reconnaissance……Page 25
Penetration……Page 26
Defense……Page 27
Monitoring……Page 28
Discovery……Page 29
Using Code Examples……Page 30
Acknowledgments……Page 31
Part I……Page 34
Legal and Ethics Issues……Page 36
1.1 Core Issues……Page 37
Be Able to Identify These Legal Topics……Page 39
1.2 Computer Trespass Laws: No “Hacking” Allowed……Page 40
What Does It Mean to Access or Use a Computer?……Page 41
What Is Adequate Authorization to Access a Computer?……Page 42
Common Law Computer Trespass……Page 43
Case Study: Active Defense……Page 44
Law and Ethics: Protecting Yourself from Computer Trespass Claims……Page 45
Copyright Law and Reverse Engineering……Page 46
What to do to protect yourself with fair use……Page 48
Reverse Engineering, Contracts, and Trade Secret Law……Page 49
What to do to protect yourself……Page 50
Reverse Engineering and Anti-Circumvention Rules……Page 51
What to do to protect yourself when working in DMCA……Page 54
1.4 Vulnerability Reporting……Page 55
1.5 What to Do from Now On……Page 59
Part II……Page 62
2.1 How Scanners Work……Page 64
TCP Scanning……Page 65
2.2 Superuser Privileges……Page 66
2.4 Host Discovery……Page 67
Dealing with Blocked Pings……Page 68
2.5 Port Scanning……Page 70
Default Port Ranges……Page 71
Nmap……Page 72
2.7 Specifying Targets to Scan……Page 73
UDP Scan Types……Page 75
Special TCP Scan Types in Nmap……Page 76
An Example of Using Multiple Scan Types……Page 77
2.9 Tuning the Scan Speed……Page 78
Nmap……Page 79
Unicornscan……Page 80
Scanrand……Page 81
2.11 Operating System Detection……Page 82
2.13 Resuming Nmap Scans……Page 84
Idle Scans……Page 85
Decoys……Page 86
2.15 Conclusion……Page 87
3.1 Nessus……Page 88
Tenable Security Center……Page 89
Linux Configuration……Page 90
Local Vulnerabilities……Page 93
Network Scan……Page 94
Scan Results……Page 96
Policy Configuration……Page 97
Plug-ins……Page 98
Plug-in Code Example……Page 100
Linux Command Line……Page 102
Types of Vulnerabilities……Page 105
Command Line……Page 106
Evasion Techniques……Page 107
WebInspect Scan……Page 109
Policy Tuning……Page 111
Settings Tuning……Page 112
Report Analysis……Page 113
False Positives Analysis……Page 114
WebInspect Tools……Page 116
Assessment Management Platform (AMP)……Page 118
LAN Reconnaissance……Page 119
4.1 Mapping the LAN……Page 120
4.2 Using ettercap and arpspoof on a Switched Network……Page 121
Running ettercap……Page 122
Running arpspoof from the dsniff suite……Page 124
4.3 Dealing with Static ARP Tables……Page 125
Super-Stealthy Sniffing……Page 126
Filtering Incoming Packets……Page 127
Fingerprinting LAN Hosts……Page 128
Sniffing Plain-Text Passwords……Page 129
4.5 Manipulating Packet Data……Page 131
5.1 Get the Right Wardriving Gear……Page 134
5.2 802.11 Network Basics……Page 135
5.3 802.11 Frames……Page 136
5.5 Netstumbler……Page 138
5.6 Kismet at a Glance……Page 140
5.7 Using Kismet……Page 143
5.9 Using Network Groups with Kismet……Page 145
5.11 Kismet GPS Support Using gpsd……Page 146
5.12 Looking Closer at Traffic with Kismet……Page 147
5.13 Capturing Packets and Decrypting Traffic with Kismet……Page 149
5.14 Wireshark at a Glance……Page 150
Enabling rfmon Mode……Page 151
5.15 Using Wireshark……Page 152
5.16 AirDefense Mobile……Page 155
5.17 AirMagnet Analyzers……Page 159
KisMac……Page 162
6.1 Why Create Custom Packets?……Page 163
6.2 Hping……Page 165
Getting Started with Hping2……Page 166
Hping2’s Limitations……Page 168
Decode, Do Not Interpret……Page 169
Probe Once, Interpret Many Times……Page 171
Working with Scapy……Page 172
Creating and Manipulating Packets with Scapy……Page 173
Navigating Between Layers……Page 176
Looking only at the custom data in a packet……Page 177
Sprintf shortcut for creating custom packets……Page 178
Operations on packet lists……Page 180
Sending and interacting with Scapy……Page 181
Super-sockets……Page 185
Building Custom Tools with Scapy……Page 187
Studying a New Protocol……Page 189
Writing Add-Ons……Page 192
Examples of creating Scapy add-ons……Page 193
Test Campaigns……Page 195
ARP Cache Poisoning……Page 196
Tracerouting: A Step-by-Step Example……Page 199
Traceroute and NAT……Page 207
Firewalking……Page 209
Sliced Network Scan……Page 211
Fuzzing……Page 213
Transparent Proxying……Page 216
QUEUE and NFQUEUE……Page 219
6.6 References……Page 222
Part III……Page 224
Metasploit……Page 226
7.1 Metasploit Interfaces……Page 227
The Metasploit Console……Page 228
The Metasploit Command-Line Interface……Page 229
The Metasploit Web Interface……Page 231
7.3 Choosing an Exploit……Page 233
7.4 Choosing a Payload……Page 235
Metasploit Payloads……Page 236
Choosing a Payload Variant……Page 238
7.5 Setting Options……Page 239
Hidden Options……Page 240
7.6 Running an Exploit……Page 242
Debugging Exploitation……Page 243
Sessions……Page 245
Jobs……Page 246
7.8 The Meterpreter……Page 248
Some Useful Meterpreter Commands……Page 249
Meterpreter Session Example……Page 251
7.9 Security Device Evasion……Page 252
7.10 Sample Evasion Output……Page 253
7.11 Evasion Using NOPs and Encoders……Page 254
NOP Generators……Page 255
Payload Encoders……Page 256
7.12 In Conclusion……Page 257
8.1 WEP and WPA Encryption……Page 258
8.2 Aircrack……Page 259
8.3 Installing Aircrack-ng……Page 260
Windows Installation……Page 261
8.4 Running Aircrack-ng……Page 262
8.6 Basic Airpwn Usage……Page 264
Command-Line Options……Page 266
8.7 Airpwn Configuration Files……Page 268
8.8 Using Airpwn on WEP-Encrypted Networks……Page 269
8.9 Scripting with Airpwn……Page 270
8.10 Karma……Page 271
Scanning for Victims……Page 272
Proxy Network Traffic……Page 273
8.11 Conclusion……Page 274
9.1 Task Overview……Page 275
Other Framework Advantages……Page 276
9.2 Core Impact Overview……Page 277
Automatic Network Penetration with Core Impact……Page 278
9.3 Network Reconnaissance with Core Impact……Page 279
9.4 Core Impact Exploit Search Engine……Page 280
9.5 Running an Exploit……Page 282
9.6 Running Macros……Page 283
The Local Side……Page 284
Using the Mini-Shell……Page 285
9.8 Enabling an Agent to Survive a Reboot……Page 286
9.9 Mass Scale Exploitation……Page 287
9.10 Writing Modules for Core Impact……Page 288
9.11 The Canvas Exploit Framework……Page 291
The Covertness Bar……Page 292
9.12 Porting Exploits Within Canvas……Page 293
9.13 Using Canvas from the Command Line……Page 294
9.15 Advanced Exploitation with MOSDEF……Page 295
9.16 Writing Exploits for Canvas……Page 297
9.17 Exploiting Alternative Tools……Page 300
Custom Exploitation……Page 301
10.1 Understanding Vulnerabilities……Page 302
Performing a Simple Exploit……Page 303
Disassemblers……Page 308
The libopcode Disassembling Library……Page 310
The libdisasm Disassembling Library……Page 311
10.3 Testing Shellcode……Page 312
Inclusion into a C File……Page 313
A Shellcode Loader……Page 314
Debugging Shellcode……Page 315
10.4 Creating Shellcode……Page 318
nasm……Page 319
Quick glance at the binary-building internals……Page 321
Building shellcode from assembly language……Page 322
Building shellcode in C……Page 323
What SFLib looks like……Page 324
Using SFLib……Page 325
Getting started……Page 326
Inline shellcoding……Page 329
InlineEgg……Page 330
Metasploit Framework’s msfpayload……Page 332
alpha2……Page 335
Metasploit Framework’s msfencoder……Page 337
10.6 Execution Flow Hijacking……Page 339
Metasploit Framework’s msfelfscan and msfpescan……Page 340
EEREAP……Page 341
Code Injection……Page 347
10.7 References……Page 353
Part IV……Page 354
Backdoors……Page 356
11.1 Choosing a Backdoor……Page 357
11.2 VNC……Page 358
11.3 Creating and Packaging a VNC Backdoor……Page 360
Consolidating the Backdoor……Page 362
Packaging VNC As a Backdoor……Page 364
11.4 Connecting to and Removing the VNC Backdoor……Page 365
Removing the Backdoor……Page 366
11.5 Back Orifice 2000……Page 367
11.6 Configuring a BO2k Server……Page 368
Setting Variables……Page 370
IO plug-in……Page 371
Control plug-ins……Page 372
11.7 Configuring a BO2k Client……Page 373
11.8 Adding New Servers to the BO2k Workspace……Page 375
11.9 Using the BO2k Backdoor……Page 376
Server Setup……Page 378
The BO Tools Connect To window……Page 379
Using the File Browser……Page 380
Using the Registry Editor……Page 381
BO Peep installation and configuration……Page 383
The VidStream client……Page 384
The Hijack listener……Page 385
The Hijack client……Page 387
11.11 Encryption for BO2k Communications……Page 388
11.12 Concealing the BO2k Protocol……Page 389
11.13 Removing BO2k……Page 391
A Simple Unix Backdoor……Page 392
A Simple Netcat Backdoor……Page 393
Crontab and Netcat……Page 394
Lots of Options……Page 395
12.1 Windows Rootkit: Hacker Defender……Page 396
Configuring hxdef……Page 397
Install/uninstall/reconfigure hxdef……Page 398
12.2 Linux Rootkit: Adore-ng……Page 399
Using Adore……Page 400
Signature Scanner……Page 401
Differentiating Call Results……Page 402
System Integrity……Page 403
IceSword……Page 404
Functionalities of IceSword……Page 405
Finding a rootkit and killing it……Page 406
Listing processes……Page 409
Examining the syscall table……Page 410
Zeppoo……Page 411
Detecting new rootkits……Page 412
12.6 Cleaning an Infected System……Page 413
12.7 The Future of Rootkits……Page 414
Part V……Page 416
Router/Network Address Translation Router……Page 418
Securing Concepts……Page 419
Allowing limited inbound connections……Page 420
Further Investigation……Page 421
13.2 Network Address Translation……Page 422
Setting Up a Basic NAT Gateway……Page 423
13.3 Securing BSD Systems with ipfw/natd……Page 424
Initial Setup……Page 425
Inbound Connection Blocking with BSD ipfw/natd……Page 426
Allowing Inbound Connections with BSD ipfw2/natd……Page 429
Filtering Connections with BSD ipfw2/natd……Page 430
BSD ipfw2/natd NAT Gateway……Page 431
Inbound Service Mapping with BSD ipfw2/natd……Page 433
13.4 Securing GNU/Linux Systems with netfilter/iptables……Page 434
Initial Setup……Page 436
Inbound Connection Blocking with Netfilter……Page 437
Filtering Connections with Netfilter……Page 440
Allowing Inbound Connections with Netfilter……Page 441
Netfilter NAT Gateway……Page 442
Inbound Service Mapping with Netfilter……Page 443
Internet-in-a-Box: All Traffic to One Destination Using Netfilter……Page 444
Initial Setup……Page 445
Allowing Inbound Connections with Windows FW/ICS……Page 446
Filtering Connections with Windows FW/ICS……Page 448
Inbound Service Mapping with Windows FW/ICS……Page 449
13.6 Verifying Your Coverage……Page 450
Host Hardening……Page 454
14.1 Controlling Services……Page 455
14.2 Turning Off What You Do Not Need……Page 456
14.3 Limiting Access……Page 457
sudo……Page 459
sudowin……Page 461
14.4 Limiting Damage……Page 463
Mounting Volumes As noexec……Page 464
Controlling the Linux Kernel Through /proc/sys……Page 465
/proc/sys/kernel/cap-bound……Page 467
/proc/sys/kernel/modprobe……Page 468
14.5 Bastille Linux……Page 469
14.6 SELinux……Page 471
Transparent Usage of SELinux……Page 472
Tweaking SELinux’s Policy……Page 474
Local SELinux Policy Generation……Page 475
Underlying SELinux Principle of Operations……Page 476
John the Ripper……Page 477
Rainbow Cracking……Page 478
14.8 Chrooting……Page 481
14.9 Sandboxing with OS Virtualization……Page 482
KVM……Page 483
QEMU……Page 484
VMWare……Page 485
Xen: Paravirtulization……Page 486
Virtualization Summary……Page 487
Securing Communications……Page 488
15.1 The SSH-2 Protocol……Page 489
The Transport Layer……Page 490
The User Authentication Layer……Page 491
Server Configuration……Page 492
SSH Client Connection……Page 495
Tune the Client’s Configuration……Page 496
15.3 SSH Authentication……Page 498
SSH Man-in-the-Middle Attacks……Page 504
Host Public Key Distribution with DNSSEC……Page 505
User’s Key Operation Restrictions……Page 508
15.5 SSH Troubleshooting……Page 509
The Client Is Logged Out Just After Logging In……Page 510
Restrictions to Users or Groups……Page 512
File Copy……Page 513
File Synchronization……Page 514
Remote Filesystem……Page 515
15.7 SSH Advanced Use……Page 516
X and Port Forwarding……Page 517
Escape Sequences……Page 520
Storing Your SSH Private Key on a USB Drive……Page 521
Cygwin……Page 522
PuTTY……Page 523
SecureCRT……Page 526
15.9 File and Email Signing and Encryption……Page 527
Theory of Operations……Page 528
Web of Trust……Page 530
In Practice……Page 531
15.11 Create Your GPG Keys……Page 532
Adding Subkeys……Page 535
Different Keys for Different Addresses……Page 537
Import of Public Keys……Page 538
Revoke a Key……Page 539
15.12 Encryption and Signature with GPG……Page 540
File Signature……Page 541
15.13 PGP Versus GPG Compatibility……Page 542
S/MIME……Page 543
Certificate Authority……Page 544
S/MIME Versus GPG/PGP……Page 545
SSL Versus TLS……Page 546
Create an X.509 Certificate……Page 547
Client Encryption……Page 549
Server Encryption……Page 551
15.16 Disk Encryption……Page 553
15.17 Windows Filesystem Encryption with PGP Disk……Page 554
15.18 Linux Filesystem Encryption with LUKS……Page 555
Comparing dm-crypt to cryptoloop and loop-AES……Page 556
15.19 Conclusion……Page 557
Email Security and Anti-Spam……Page 558
Installation Test……Page 560
Failed tests……Page 561
Updates……Page 563
16.3 ClamWin……Page 564
Configuration……Page 565
16.4 Freshclam……Page 566
How to Run Freshclam……Page 568
16.5 Clamscan……Page 569
16.6 clamd and clamdscan……Page 571
On-Access Scanning……Page 572
Clamd As a Network Server……Page 574
Clamd Commands……Page 575
Test clamscan and clamdscan/clamd……Page 576
16.7 ClamAV Virus Signatures……Page 577
Hexadecimal Signatures……Page 578
HTML Signatures……Page 580
Mail Delivery Chain……Page 581
16.9 Basic Procmail Rules……Page 583
Examples……Page 584
16.10 Advanced Procmail Rules……Page 585
Scoring……Page 586
16.12 Unsolicited Email……Page 587
Spamprobe……Page 589
Automate the Learning Phase……Page 590
SpamProbe with Procmail……Page 591
Inconvenient……Page 592
Configuration Files……Page 593
SpamAssassin Variables……Page 594
16.15 SpamAssassin Rules……Page 595
Meta Tests……Page 596
Score……Page 597
Language……Page 598
Bayesian Filter……Page 599
Collaborative Plug-ins……Page 600
SpamAssassin Network Tests……Page 601
SpamAssassin As a Daemon or Server……Page 602
ClamAV, SpamProbe, and SpamAssassin with Procmail……Page 603
16.18 Anti-Phishing Tools……Page 604
Toolbar for Web Browsers……Page 605
16.19 Conclusion……Page 607
Device Security Testing……Page 609
What and How to Test……Page 610
tcpreplay……Page 611
Rewrite Packets with Tcpreplay……Page 613
IP address……Page 614
Tcpreplay with Two Interfaces……Page 615
flowreplay……Page 618
17.2 Traffic IQ Pro……Page 619
Setup……Page 620
Replay Traffic Files……Page 621
Attack Files……Page 622
Standard Traffic Files……Page 623
Scan……Page 624
Conclusion……Page 625
17.3 ISIC Suite……Page 626
esic……Page 627
isic, icmpsic, tcpsic, udpsic, and multisic……Page 629
Automation……Page 632
17.4 Protos……Page 634
Part VI……Page 638
Basics……Page 640
Berkeley Packet Filter (BPF)……Page 642
Writing Packets to Disk……Page 644
Advanced Dump Display……Page 645
18.2 Ethereal/Wireshark……Page 647
Starting a Capture……Page 648
Capture……Page 649
Display Options……Page 651
Name Resolution……Page 652
Viewing a Capture……Page 653
Basic Wireshark Display Filters……Page 654
Advanced Wireshark Display Filters……Page 657
Saving Select Packets to Disk……Page 658
Overriding Default Protocol Decoders……Page 659
TShark Techniques……Page 661
Wireshark Statistics……Page 663
18.3 pcap Utilities: tcpflow and Netdude……Page 664
Basics……Page 666
Cleaning up a botched pcap file……Page 667
Editing packet payloads……Page 668
Basics……Page 671
18.5 Conclusion……Page 672
Different Snort Modes……Page 673
Writing Signatures for Snort……Page 674
Passive Network Mapping……Page 675
Disabling a Rule……Page 676
Snort Preprocessor……Page 677
Log Analysis……Page 678
Updating Rules……Page 679
From a NIDS to an ILDS……Page 681
Limitations of Snort as an ILDS……Page 682
Monitoring Network Usage……Page 683
19.2 Implementing Snort……Page 684
User Monitoring……Page 685
19.3 Honeypot Monitoring……Page 686
The Value of a Honeypot……Page 687
Using Honeyd to Emulate a Server……Page 688
Implementing Honeyd……Page 689
Writing New Scripts with Honeyd……Page 691
HoneyView and Log Management……Page 694
19.4 Gluing the Stuff Together……Page 695
20.1 Using File Integrity Checkers……Page 697
20.2 File Integrity Hashing……Page 699
20.3 The Do-It-Yourself Way with rpmverify……Page 701
Afick……Page 703
Integrit……Page 704
Samhain/Beltane……Page 705
Samhain……Page 706
Tripwire……Page 710
20.6 Database Initialization with Samhain and Tripwire……Page 711
Tripwire……Page 712
Samhain……Page 713
Tripwire……Page 714
Samhain……Page 715
Samhain……Page 717
Tripwire……Page 719
Tripwire……Page 720
Samhain……Page 721
20.11 Log Monitoring with Logwatch……Page 722
20.12 Improving Logwatch’s Filters……Page 723
20.13 Host Monitoring in Large Environments with Prelude-IDS……Page 725
20.14 Conclusion……Page 727
Part VII……Page 730
Forensics……Page 732
Finding a Linux Backdoor with Netstat……Page 733
Finding a Windows Backdoor with Netstat……Page 735
21.2 The Forensic ToolKit……Page 737
Hfind.exe: Discover Hidden Files……Page 738
Sfind.exe: Discover Files Hidden in Alternate Data Streams……Page 739
FileStat.exe: Very Detailed Data on a Specific File……Page 740
The Security Descriptor……Page 741
Timestamps……Page 742
21.3 Sysinternals……Page 743
Autoruns: What Runs Without Your Help?……Page 744
Trimming down the list……Page 745
RootkitRevealer: Rooting Out Rootkits……Page 747
RootkitRevealer from the console……Page 748
TCPView: A Graphical Netstat……Page 749
Process Explorer: Powerful Process Management……Page 752
Replacing the Task Manager with Process Explorer……Page 755
Run as………Page 756
Now What?……Page 757
Application Fuzzing……Page 758
22.1 Which Fuzzer to Use……Page 759
Block-Based Fuzzers……Page 760
Riot……Page 761
Inline Fault Injection……Page 762
The server/target……Page 763
Gathering Information of the Target’s Side……Page 765
22.3 Writing a Fuzzer with Spike……Page 767
22.4 The Spike API……Page 768
Reversing a Protocol with Spike……Page 770
22.5 File-Fuzzing Apps……Page 772
PaiMei……Page 773
FileFuzz……Page 774
22.6 Fuzzing Web Applications……Page 775
22.7 Configuring WebProxy……Page 777
22.8 Automatic Fuzzing with WebInspect……Page 779
22.9 Next-Generation Fuzzing……Page 780
22.10 Fuzzing or Not Fuzzing……Page 781
23.1 Interactive Disassembler……Page 782
Opening the Binary……Page 783
Searching for text strings……Page 784
Defining Data Types……Page 785
Enumerations……Page 786
An example……Page 787
Cross-reference……Page 788
Functions window……Page 789
Debugging with IDA……Page 790
Examining data……Page 792
Remote debugging……Page 793
Finding the Bugs……Page 794
Functions and variables……Page 801
Interacting with the IDA database……Page 802
Adding graphical interfaces……Page 804
Making hotkeys……Page 805
Automating large tasks……Page 807
RegMon……Page 808
The Basics……Page 809
Navigating Through the Disassembly……Page 810
Saving your changes……Page 811
Finding the location of interest……Page 812
Running the hack……Page 813
HT……Page 814
Index……Page 816
Reviews
There are no reviews yet.