Book description

If you're an advanced security professional, then you know that the battle to protect online privacy continues to rage on. Security chat rooms, especially, are resounding with calls for vendors to take more responsibility to release products that are more secure. In fact, with all the information and code that is passed on a daily basis, it's a fight that may never end. Fortunately, there are a number of open source security tools that give you a leg up in the battle. Often a security tool does exactly what you want, right out of the box. More frequently, you need to customize the tool to fit the needs of your network structure. Network Security Tools shows experienced administrators how to modify, customize, and extend popular open source security tools such as Nikto, Ettercap, and Nessus. This concise, high-end guide discusses the common customizations and extensions for these tools, then shows you how to write even more specialized attack and penetration reviews that are suited to your unique network environment. It also explains how tools like port scanners, packet injectors, network sniffers, and web assessment tools function. Some of the topics covered include:

  • Writing your own network sniffers and packet injection tools

  • Writing plugins for Nessus, Ettercap, and Nikto

  • Developing exploits for Metasploit

  • Code analysis for web applications

  • Writing kernel modules for security applications, and understanding rootkits

While many books on security are either tediously academic or overly sensational, Network Security Tools takes an even-handed and accessible approach that will let you quickly review the problem and implement new, practical solutions, without reinventing the wheel. In an age when security is critical, Network Security Tools is the resource you want at your side when locking down your network.

Table of Contents

  1. Network Security Tools
    1. Preface
      1. Audience
      2. Assumptions This Book Makes
      3. Contents of This Book
      4. Conventions Used in This Book
      5. Using Code Examples
      6. We’d Like to Hear from You
      7. Safari Enabled
      8. Acknowledgments
    2. I. Modifying and Hacking Security Tools
      1. 1. Writing Plug-ins for Nessus
        1. The Nessus Architecture
        2. Installing Nessus
        3. Using Nessus
        4. The NASL Interpreter
        5. Hello World
        6. Datatypes and Variables
          1. Numbers
          2. Strings
          3. Arrays and Hashes
          4. Local and Global Variables
        7. Operators
          1. Arithmetic Operators
          2. Comparison Operators
          3. Assignment Operators
        8. if...else
        9. Loops
          1. for
          2. foreach
          3. repeat...until
          4. while
        10. Functions
        11. Predefined Global Variables
          1. TRUE and FALSE
          2. NULL
          3. Script Categories
          4. Network Encapsulation
        12. Important NASL Functions
          1. Strings
            1. Simple string manipulation functions
            2. Finding and replacing strings
            3. Conversions
          2. Plug-in Descriptions
          3. Knowledge Base
          4. Reporting Functions
        13. Nessus Plug-ins
          1. Probing for Anonymous FTP Access
          2. Using Packet Forgery to Perform a Teardrop Attack
          3. Scanning for CGI Vulnerabilities
          4. Probing for VNC Servers
          5. Installing Your Own Plug-in
      2. 2. Developing Dissectors and Plug-ins for the Ettercap Network Sniffer
        1. Installing and Using Ettercap
        2. Writing an Ettercap Dissector
          1. Overview of FTP Authentication
          2. The FTP Password Dissector
        3. Writing an Ettercap Plug-in
          1. The find_tcp_conn Plug-in
          2. find_tcp_conn.c
      3. 3. Extending Hydra and Nmap
        1. Extending Hydra
          1. Overview of Hydra
          2. Overview of SMTP Authentication
          3. Adding Additional Protocols to Hydra
          4. Implementing SMTP-AUTH in Hydra
          5. Complete Source to hydra-smtpauth.c
          6. Quick Reference to Hydra Functions
            1. void hydra_child_exit(int code)
            2. void hydra_register_socket(int sock)
            3. char *hydra_get_next_pair( )
            4. char *hydra_get_next_login( )
            5. char *hydra_get_next_password( )
            6. void hydra_completed_pair( )
            7. void hydra_completed_pair_found( )
            8. void hydra_report_found(int port, char *svc, FILE *fp)
            9. void hydra_report_found_host (int port, unsigned int ip, char *svc, FILE *fp)
            10. void hydra_report_found_host_msg (int port, unsigned int ip, char *svc, FILE *fp, char *msg)
            11. int hydra_connect_tcp(unsigned long int host, int port)
            12. int hydra_connect_ssl(unsigned long int host, int port)
            13. int hydra_connect_udp(unsigned long int host, int port)
            14. int hydra_disconnect(int socket)
            15. int hydra_data_ready_writing_timed(int socket, long sec, long usec)
            16. int hydra_data_ready_writing(int socket)
            17. int hydra_data_ready_timed(int socket, long sec, long usec)
            18. int hydra_data_ready(int socket)
            19. int hydra_recv(int socket, char *buf, int length)
            20. char *hydra_receive_line(int socket)
            21. int hydra_send(int socket, char *buf, int size, int options)
            22. int make_to_lower(char *buf)
            23. unsigned char hydra_conv64(unsigned char in)
            24. void hydra_tobase64(unsigned char *buf)
            25. void hydra_dump_asciihex(unsigned char *string, int length)
        2. Adding Service Signatures to Nmap
          1. The nmap-service-probes File
            1. Probes
            2. Matches
            3. Soft matches
            4. ports
            5. sslports
            6. totalwaitms
      4. 4. Writing Plug-ins for the Nikto Vulnerability Scanner
        1. Installing Nikto
        2. Using Nikto
        3. Nikto Under the Hood
          1. Nikto’s Program Flow
          2. Nikto’s Plug-in Interface
        4. Existing Nikto Plug-ins
        5. Adding Custom Entries to the Plug-in Databases
          1. .db Files Associated with the nikto_core Plug-in
          2. outdated.db for the nikto_outdated Plug-in
          3. realms.db for the nikto_realms Plug-in
          4. server_msgs.db for the nikto_msgs Plug-in
        6. Using LibWhisker
        7. Writing an NTLM Plug-in for Brute-Force Testing
        8. Writing a Standalone Plug-in to Attack Lotus Domino
      5. 5. Writing Modules for the Metasploit Framework
        1. Introduction to MSF
        2. Overview of Stack Buffer Overflows
          1. Memory Segments and Layout
          2. How a Buffer Overflows and Why It Matters
          3. Shellcode
          4. Putting It All Together: Exploiting a Program
        3. Writing Exploits for MSF
        4. Writing a Module for the MnoGoSearch Overflow
          1. Setting Up the Bug
          2. The Evolution of a Working Exploit Module
        5. Writing an Operating System Fingerprinting Module for MSF
          1. Operating System Fingerprinting and p0f
          2. Setting Up and Modifying p0f
          3. Writing the p0f_socket Module
      6. 6. Extending Code Analysis to the Webroot
        1. Attacking Web Applications at the Source
          1. Scope of a Web Application
          2. Symptomatic Code Approach
          3. Symptom Code
          4. User-Controllable Input
        2. Toolkit 101
          1. Symptom Code Databases
        3. PMD
          1. PMD Rulesets
          2. Installing and Running PMD
        4. Extending PMD
          1. Objectives
          2. Code Walkthrough
            1. ASTCompilationUnit
            2. ASTClassBodyDeclaration
            3. ASTMethodDeclaration
            4. ASTMethodDeclarator
            5. ASTAdditiveExpression
            6. Data tracing
          3. SqlInjectionExample.java
          4. DynSqlSelectStmts.java
          5. dynamicsql.xml
    3. II. Modifying and Hacking Security Tools
      1. 7. Fun with Linux Kernel Modules
        1. Hello World
          1. hello_world.c
          2. Compiling and Testing hello_world
        2. Intercepting System Calls
          1. The System Call Table
          2. strace Is Your Friend
          3. Forcing Access to sys_call_table
            1. intercept_open.c
            2. Compiling and testing intercept_open
          4. Intercepting sys_unlink( ) Using System.map
            1. intercept_unlink.c
            2. Compiling and testing intercept_unlink
          5. Intercepting sys_exit( ) in 2.4 Kernels
            1. intercept_exit.c
            2. Compiling and testing intercept_exit
        3. Hiding Processes
          1. hidepid.c
          2. Compiling and Testing hidepid
        4. Hiding from netstat
          1. hide_sshd.c
          2. Compiling and Testing hide_sshd
      2. 8. Developing Web Assessment Tools and Scripts
        1. Web Application Environment
          1. HTTP
          2. SSL
          3. Perl and LWP
          4. Web Application Vulnerabilities
        2. Designing the Scanner
          1. Functional Requirements
          2. Scanner Design
            1. parseLog.pl
            2. simpleScanner.pl
          3. Generating Test Data
        3. Building the Log Parser
        4. Building the Scanner
          1. Printing Output
            1. printReport subroutine
          2. Parsing the Input File
          3. Making an HTTP Request
            1. makeRequest subroutine
          4. Parameter-Based Testing
            1. sqlTest subroutine
            2. xssTest subroutine
          5. Directory-Based Testing
            1. dirList subroutine
            2. dirPut subroutine
        5. Using the Scanner
        6. Complete Source Code
          1. simpleScanner.pl
          2. parseLog.pl
      3. 9. Automated Exploit Tools
        1. SQL Injection Exploits
          1. Exploit Categories
          2. Exploit Techniques
            1. Error-based SQL injection
            2. Blind SQL injection
        2. The Exploit Scanner
          1. Exploit Logic
          2. The Code
            1. sqlOrTest subroutine
            2. sqlBlindColumnTest subroutine
            3. sqlBlindDataTypeTest subroutine
            4. sqlUnionTest subroutine
            5. sqlColumnTest subroutine
            6. sqlDataTypeTest subroutine
        3. Using the Scanner
      4. 10. Writing Network Sniffers
        1. Introduction to libpcap
          1. Why Use libpcap?
          2. Installing libpcap
        2. Getting Started with libpcap
          1. Overview of Arpsniff
          2. Identify the Network Interface
          3. Open the Network Interface
          4. Configure Packet-Capture Options
          5. Capture and Process Packets
          6. Close Down
          7. Arpsniff
        3. libpcap and 802.11 Wireless Networks
          1. 802.11 Monitor Mode
          2. Adapting Arpsniff to 802.11
        4. libpcap and Perl
          1. Arpsniff in Perl
        5. libpcap Library Reference
          1. Lookup Functions
            1. pcap_lookupdev
            2. pcap_findalldevs
            3. pcap_lookupnet
            4. pcap_freealldevs
          2. Packet-Capture Functions
            1. pcap_open_live
            2. pcap_next
            3. pcap_next_ex
            4. pcap_loop
            5. pcap_dispatch
            6. pcap_setnonblock
            7. pcap_getnonblock
            8. pcap_set_datalink
            9. pcap_compile
            10. pcap_compile_nopcap
            11. pcap_setfilter
            12. pcap_freecode
            13. pcap_breakloop
            14. pcap_fileno
            15. pcap_close
            16. pcap_open_dead
          3. Save and Dump File Functions
            1. pcap_open_offline
            2. pcap_dump_open
            3. pcap_dump
            4. pcap_dump_close
            5. pcap_dump_flush
            6. pcap_major_version
            7. pcap_minor_version
            8. pcap_file
            9. pcap_is_swapped
          4. Status Functions
            1. pcap_datalink
            2. pcap_list_datalinks
            3. pcap_snapshot
            4. pcap_stats
            5. pcap_lib_version
            6. pcap_datalink_name_to_val
            7. pcap_datalink_val_to_name
            8. pcap_datalink_val_to_description
          5. Error-Handling Functions
            1. pcap_geterr
            2. pcap_strerror
            3. pcap_perror
      5. 11. Writing Packet-Injection Tools
        1. Introduction to libnet
          1. Installing libnet
        2. Getting Started with libnet
          1. Writing the I am Tool
          2. Initializing the Session
          3. Building the Protocol Blocks
          4. Sending the Packet
          5. Cleaning Up
          6. The I am Tool Source Code
        3. Advanced libnet Functions
          1. Accessing Raw Packet Data
          2. Context Queues
        4. Combining libnet and libpcap
          1. Overview of SYNplescan
          2. Creating the SYN Packet
          3. Capturing the Responses
          4. The SYNplescan Tool Source Code
        5. Introducing AirJack
          1. Installing AirJack
          2. Using AirJack
            1. Overview of reinject
            2. Using sockets with AirJack
          3. The reinject Tool Source Code
    4. Index
    5. Colophon