Cover image for Security Power Tools

Book description

What if you could sit down with some of the most talented security engineers in the world and ask any network security question you wanted? Security Power Tools lets you do exactly that! Members of Juniper Networks' Security Engineering team and a few guest experts reveal how to use, tweak, and push the most popular network security applications, utilities, and tools available using Windows, Linux, Mac OS X, and Unix platforms. Designed to be browsed, Security Power Tools offers you multiple approaches to network security via 23 cross-referenced chapters that review the best security tools on the planet for both black hat techniques and white hat defense tactics. It's a must-have reference for network administrators, engineers and consultants with tips, tricks, and how-to advice for an assortment of freeware and commercial tools, ranging from intermediate level command-line operations to advanced programming of self-hiding exploits. Security Power Tools details best practices for:

  • Reconnaissance -- including tools for network scanning such as nmap; vulnerability scanning tools for Windows and Linux; LAN reconnaissance; tools to help with wireless reconnaissance; and custom packet generation

  • Penetration -- such as the Metasploit framework for automated penetration of remote computers; tools to find wireless networks; exploitation framework applications; and tricks and tools to manipulate shellcodes

  • Control -- including the configuration of several tools for use as backdoors; and a review of known rootkits for Windows and Linux

  • Defense -- including host-based firewalls; host hardening for Windows and Linux networks; communication security with ssh; email security and anti-malware; and device security testing

  • Monitoring -- such as tools to capture, and analyze packets; network monitoring with Honeyd and snort; and host monitoring of production servers for file changes

  • Discovery -- including The Forensic Toolkit, SysInternals and other popular forensic tools; application fuzzer and fuzzing techniques; and the art of binary reverse engineering using tools like Interactive Disassembler and Ollydbg

A practical and timely network security ethics chapter written by a Stanford University professor of law completes the suite of topics and makes this book a goldmine of security information. Save yourself a ton of headaches and be prepared for any network security dilemma with Security Power Tools.

Table of Contents

  1. Security Power Tools
    1. SPECIAL OFFER: Upgrade this ebook with O’Reilly
    2. Foreword
    3. Credits
      1. About the Author
    4. Preface
      1. Audience
      2. Assumptions This Book Makes
      3. Contents of This Book
        1. Legal and Ethics
        2. Reconnaissance
        3. Penetration
        4. Control
        5. Defense
        6. Monitoring
        7. Discovery
      4. Conventions Used in This Book
      5. Using Code Examples
      6. We'd Like to Hear from You
      7. Safari® Books Online
      8. Acknowledgments
    5. I. Legal and Ethics
      1. 1. Legal and Ethics Issues
        1. Core Issues
          1. Be Able to Identify These Legal Topics
        2. Computer Trespass Laws: No "Hacking" Allowed
          1. What Does It Mean to Access or Use a Computer?
          2. What Is Adequate Authorization to Access a Computer?
          3. Common Law Computer Trespass
          4. Case Study: Active Defense
          5. Law and Ethics: Protecting Yourself from Computer Trespass Claims
        3. Reverse Engineering
          1. Copyright Law and Reverse Engineering
            1. What to do to protect yourself with fair use
          2. Reverse Engineering, Contracts, and Trade Secret Law
            1. What to do to protect yourself
          3. Reverse Engineering and Anti-Circumvention Rules
            1. What to do to protect yourself when working in DMCA
        4. Vulnerability Reporting
            1. What to do to protect yourself when reporting vulnerabilities
        5. What to Do from Now On
    6. II. Reconnaissance
      1. 2. Network Scanning
        1. How Scanners Work
          1. TCP Scanning
          2. UDP Scanning
        2. Superuser Privileges
        3. Three Network Scanners to Consider
        4. Host Discovery
          1. Dealing with Blocked Pings
          2. Choosing the Right Ports
          3. Combining Multiple Host Scan Techniques
        5. Port Scanning
          1. Default Port Ranges
        6. Specifying Custom Ports
          1. Nmap
          2. Unicornscan
          3. Scanrand
        7. Specifying Targets to Scan
        8. Different Scan Types
          1. UDP Scan Types
          2. TCP Scan Types
          3. Special TCP Scan Types in Nmap
          4. An Example of Using Multiple Scan Types
        9. Tuning the Scan Speed
          1. Nmap
          2. Unicornscan
          3. Scanrand
        10. Application Fingerprinting
        11. Operating System Detection
        12. Saving Nmap Output
        13. Resuming Nmap Scans
        14. Avoiding Detection
          1. Idle Scans
          2. Decoys
        15. Conclusion
      2. 3. Vulnerability Scanning
        1. Nessus
          1. License
          2. Architecture
          3. Tenable Security Center
          4. Windows Configuration
          5. Linux Configuration
          6. Local Vulnerabilities
          7. Network Scan
          8. Scan Results
          9. Policy Configuration
          10. Plug-ins
          11. Plug-in Code Example
          12. Linux Command Line
          13. Windows Command Line
        2. Nikto
          1. Types of Vulnerabilities
          2. Command Line
          3. Evasion Techniques
        3. WebInspect
          1. Purpose
          2. WebInspect Scan
          3. Policy Tuning
          4. Settings Tuning
          5. Report Analysis
          6. False Positives Analysis
          7. WebInspect Tools
          8. Assessment Management Platform (AMP)
      3. 4. LAN Reconnaissance
        1. Mapping the LAN
        2. Using ettercap and arpspoof on a Switched Network
          1. Running ettercap
          2. Running arpspoof from the dsniff suite
        3. Dealing with Static ARP Tables
          1. Using macof to Stupefy a Switch
          2. Super-Stealthy Sniffing
        4. Getting Information from the LAN
          1. Logging Packet Data
          2. Filtering Incoming Packets
          3. Fingerprinting LAN Hosts
          4. Sniffing Plain-Text Passwords
          5. Shadow Browsing
        5. Manipulating Packet Data
      4. 5. Wireless Reconnaissance
        1. Get the Right Wardriving Gear
        2. 802.11 Network Basics
        3. 802.11 Frames
        4. How Wireless Discovery Tools Work
        5. Netstumbler
        6. Kismet at a Glance
        7. Using Kismet
        8. Sorting the Kismet Network List
        9. Using Network Groups with Kismet
        10. Using Kismet to Find Networks by Probe Requests
        11. Kismet GPS Support Using gpsd
          1. Generating Maps
          2. Kismet Location Tracking
        12. Looking Closer at Traffic with Kismet
        13. Capturing Packets and Decrypting Traffic with Kismet
        14. Wireshark at a Glance
          1. Enabling rfmon Mode
            1. Linux
            2. OpenBSD, NetBSD, and FreeBSD
            3. Mac OS X
            4. Windows
        15. Using Wireshark
        16. AirDefense Mobile
        17. AirMagnet Analyzers
        18. Other Wardriving Tools
          1. Airopeek
          2. KisMac
      5. 6. Custom Packet Generation
        1. Why Create Custom Packets?
          1. Custom Packet Example: Ping of Death
          2. Hping
          3. Getting Started with Hping2
          4. Hping2's Limitations
        2. Scapy
          1. Decode, Do Not Interpret
          2. Probe Once, Interpret Many Times
          3. Scapy's Limitations
          4. Working with Scapy
          5. Creating and Manipulating Packets with Scapy
          6. Navigating Between Layers
          7. Scapy Tips and Shortcuts
            1. Looking only at the custom data in a packet
            2. Viewing computed data in a packet
            3. Decoding the packet payload differently
            4. Sprintf shortcut for creating custom packets
            5. Operations on packet lists
            6. Producing a simple diagram of packet flow
            7. Sending and interacting with Scapy
            8. Super-sockets
          8. Building Custom Tools with Scapy
          9. Studying a New Protocol
          10. Writing Add-Ons
            1. Examples of creating Scapy add-ons
          11. Test Campaigns
        3. Packet-Crafting Examples with Scapy
          1. ARP Cache Poisoning
          2. Tracerouting: A Step-by-Step Example
          3. Traceroute and NAT
          4. Firewalking
          5. Sliced Network Scan
          6. Fuzzing
        4. Packet Mangling with Netfilter
          1. Transparent Proxying
          2. QUEUE and NFQUEUE
        5. References
    7. III. Penetration
      1. 7. Metasploit
        1. Metasploit Interfaces
          1. The Metasploit Console
          2. The Metasploit Command-Line Interface
          3. The Metasploit Web Interface
        2. Updating Metasploit
        3. Choosing an Exploit
        4. Choosing a Payload
          1. Metasploit Payloads
          2. Choosing a Payload Variant
        5. Setting Options
          1. Hidden Options
        6. Running an Exploit
          1. Debugging Exploitation
        7. Managing Sessions and Jobs
          1. Sessions
          2. Jobs
        8. The Meterpreter
          1. Some Useful Meterpreter Commands
          2. Meterpreter Session Example
        9. Security Device Evasion
        10. Sample Evasion Output
        11. Evasion Using NOPs and Encoders
          1. NOP Generators
          2. Payload Encoders
        12. In Conclusion
      2. 8. Wireless Penetration
        1. WEP and WPA Encryption
        2. Aircrack
        3. Installing Aircrack-ng
          1. Windows Installation
          2. Linux Installation
        4. Running Aircrack-ng
        5. Airpwn
        6. Basic Airpwn Usage
          1. Command-Line Options
        7. Airpwn Configuration Files
        8. Using Airpwn on WEP-Encrypted Networks
        9. Scripting with Airpwn
        10. Karma
          1. Installing Karma
          2. Scanning for Victims
          3. Basic Configuration
          4. Proxy Network Traffic
        11. Conclusion
      3. 9. Exploitation Framework Applications
        1. Task Overview
          1. Other Framework Advantages
        2. Core Impact Overview
          1. Running Core Impact Behind a NAT
          2. Automatic Network Penetration with Core Impact
        3. Network Reconnaissance with Core Impact
          1. Importing Module Information with Core Impact
        4. Core Impact Exploit Search Engine
        5. Running an Exploit
          1. Bypassing Core Impact's Exploit Version Restrictions
        6. Running Macros
          1. The Local Side
          2. Using the Mini-Shell
        7. Bouncing Off an Installed Agent
        8. Enabling an Agent to Survive a Reboot
        9. Mass Scale Exploitation
        10. Writing Modules for Core Impact
        11. The Canvas Exploit Framework
          1. The Covertness Bar
        12. Porting Exploits Within Canvas
        13. Using Canvas from the Command Line
        14. Digging Deeper with Canvas
        15. Advanced Exploitation with MOSDEF
        16. Writing Exploits for Canvas
        17. Exploiting Alternative Tools
      4. 10. Custom Exploitation
        1. Understanding Vulnerabilities
          1. Performing a Simple Exploit
        2. Analyzing Shellcode
          1. Disassemblers
          2. The libopcode Disassembling Library
          3. The libdisasm Disassembling Library
        3. Testing Shellcode
          1. Inclusion into a C File
          2. A Shellcode Loader
          3. Debugging Shellcode
        4. Creating Shellcode
          1. nasm
          2. GNU Compiler Collection
            1. Quick glance at the binary-building internals
            2. Building shellcode from assembly language
            3. Building shellcode in C
          3. The SFlib Library
            1. What SFLib looks like
            2. Using SFLib
          4. ShellForge
            1. Getting started
            2. Cross-platform generation
            3. Loaders
            4. Inline shellcoding
          5. InlineEgg
          6. Metasploit Framework's msfpayload
        5. Disguising Shellcode
          1. alpha2
          2. Metasploit Framework's msfencoder
        6. Execution Flow Hijacking
          1. Metasploit Framework's msfelfscan and msfpescan
          2. EEREAP
          3. Code Injection
        7. References
    8. IV. Control
      1. 11. Backdoors
        1. Choosing a Backdoor
        2. VNC
        3. Creating and Packaging a VNC Backdoor
          1. Consolidating the Backdoor
          2. Packaging VNC As a Backdoor
        4. Connecting to and Removing the VNC Backdoor
          1. Removing the Backdoor
        5. Back Orifice 2000
        6. Configuring a BO2k Server
          1. Setting Variables
          2. Minimum Configuration
            1. IO plug-in
            2. Encryption plug-in
            3. Authentication plug-in
            4. Control plug-ins
        7. Configuring a BO2k Client
        8. Adding New Servers to the BO2k Workspace
        9. Using the BO2k Backdoor
        10. BO2k Powertools
          1. Server Setup
          2. Client Setup
            1. The BO Tools Connect To window
            2. Using the File Browser
            3. Using the Registry Editor
          3. A Sneak Peek at the Backdoor's Desktop with BO Peep
            1. BO Peep installation and configuration
            2. The VidStream listener
            3. The VidStream client
            4. The Hijack listener
            5. The Hijack client
        11. Encryption for BO2k Communications
        12. Concealing the BO2k Protocol
        13. Removing BO2k
        14. A Few Unix Backdoors
          1. A Simple Unix Backdoor
          2. Netcat
          3. A Simple Netcat Backdoor
            1. Crontab and Netcat
          4. Lots of Options
      2. 12. Rootkits
        1. Windows Rootkit: Hacker Defender
          1. Configuring hxdef
            1. Making hxdef harder to detect
          2. Connecting to Hacker Defender's Backdoor
            1. Install/uninstall/reconfigure hxdef
            2. Uninstalling a process you cannot see
        2. Linux Rootkit: Adore-ng
          1. Installing Adore
          2. Using Adore
        3. Detecting Rootkits Techniques
          1. Signature Scanner
          2. Inspecting Dangerous Calls
          3. Differentiating Call Results
          4. Looking for Hooks
          5. System Integrity
        4. Windows Rootkit Detectors
          1. Rootkit Revealer
          2. IceSword
            1. Functionalities of IceSword
            2. Finding a rootkit and killing it
              1. Removing the rootkit with IceSword
        5. Linux Rootkit Detectors
          1. Kstat
            1. Interface lookup
            2. Listing processes
            3. Investigating individual processes
            4. Examining the syscall table
          2. Zeppoo
          3. Chkrootkit
            1. Detecting new rootkits
            2. Using safe binaries
            3. In the cron
        6. Cleaning an Infected System
        7. The Future of Rootkits
    9. V. Defense
      1. 13. Proactive Defense: Firewalls
        1. Firewall Basics
          1. Router/Network Address Translation Router
          2. Endpoint/Host
          3. Transparent/Bridge Firewall
          4. The Tools
          5. Securing Concepts
            1. Allowing limited inbound connections
            2. Tightening inbound connections by host
          6. Further Investigation
        2. Network Address Translation
          1. Setting Up a Basic NAT Gateway
          2. NAT with Inbound Service Mapping
        3. Securing BSD Systems with ipfw/natd
          1. Initial Setup
          2. Inbound Connection Blocking with BSD ipfw/natd
          3. Allowing Inbound Connections with BSD ipfw2/natd
          4. Filtering Connections with BSD ipfw2/natd
          5. BSD ipfw2/natd NAT Gateway
          6. Inbound Service Mapping with BSD ipfw2/natd
        4. Securing GNU/Linux Systems with netfilter/iptables
          1. Initial Setup
          2. Inbound Connection Blocking with Netfilter
          3. Filtering Connections with Netfilter
          4. Allowing Inbound Connections with Netfilter
          5. Netfilter NAT Gateway
          6. Inbound Service Mapping with Netfilter
          7. Internet-in-a-Box: All Traffic to One Destination Using Netfilter
        5. Securing Windows Systems with Windows Firewall/Internet Connection Sharing
          1. Initial Setup
          2. Inbound Connection Blocking with Windows FW/ICS
          3. Allowing Inbound Connections with Windows FW/ICS
          4. Filtering Connections with Windows FW/ICS
          5. A Windows FW/ICS NAT Gateway
          6. Inbound Service Mapping with Windows FW/ICS
        6. Verifying Your Coverage
      2. 14. Host Hardening
        1. Controlling Services
        2. Turning Off What You Do Not Need
        3. Limiting Access
          1. sudo
          2. sudowin
            1. Issues with sudowin
        4. Limiting Damage
          1. Mounting Volumes As noexec
          2. Controlling the Linux Kernel Through /proc/sys
            1. /proc/sys/kernel/cap-bound
            2. /proc/sys/net
            3. /proc/sys/kernel/modprobe
        5. Bastille Linux
        6. SELinux
          1. Enabling SELinux
          2. Transparent Usage of SELinux
          3. Tweaking SELinux's Policy
          4. Local SELinux Policy Generation
          5. Underlying SELinux Principle of Operations
        7. Password Cracking
          1. John the Ripper
          2. Rainbow Cracking
        8. Chrooting
        9. Sandboxing with OS Virtualization
          1. Cooperative Linux
          2. KVM
          3. OpenVZ: OS-Level Virtualization
          4. Parallels
          5. QEMU
          6. UserMode Linux: Paravirtualization
          7. VMWare
          8. Xen: Paravirtulization
          9. Virtualization Summary
      3. 15. Securing Communications
        1. The SSH-2 Protocol
          1. The Transport Layer
          2. The User Authentication Layer
          3. The Connection Layer
        2. SSH Configuration
          1. Server Configuration
          2. User Access Restriction
          3. SSH Client Connection
          4. Tune the Client's Configuration
        3. SSH Authentication
        4. SSH Shortcomings
          1. SSH Man-in-the-Middle Attacks
          2. Host Public Key Distribution with DNSSEC
          3. User's Public Key Distribution
          4. User's Key Operation Restrictions
        5. SSH Troubleshooting
          1. The Client Is Logged Out Just After Logging In
          2. File Permissions
          3. Restrictions to Users or Groups
        6. Remote File Access with SSH
          1. File Copy
          2. FTP Through SSH
          3. File Synchronization
          4. Remote Filesystem
          5. Source Code Transfer
        7. SSH Advanced Use
          1. Agent Forwarding
          2. X and Port Forwarding
          3. Escape Sequences
          4. Perpetual Tunneling with autossh
          5. Storing Your SSH Private Key on a USB Drive
        8. Using SSH Under Windows
          1. Cygwin
          2. PuTTY
          3. WinSCP
          4. SecureCRT
        9. File and Email Signing and Encryption
        10. GPG
          1. Theory of Operations
          2. How to Obtain Public Keys
          3. Web of Trust
          4. In Practice
        11. Create Your GPG Keys
          1. Adding Subkeys
          2. Different Keys for Different Addresses
          3. Modify Your Web of Trust Model
          4. Import of Public Keys
          5. Revoke a Key
        12. Encryption and Signature with GPG
          1. File Signature
          2. Email Encryption and Signature
        13. PGP Versus GPG Compatibility
        14. Encryption and Signature with S/MIME
          1. X.509 Certificate
          2. S/MIME
          3. Certificate Authority
          4. S/MIME Versus GPG/PGP
        15. Stunnel
          1. SSL Versus TLS
          2. Create an X.509 Certificate
          3. Client Encryption
          4. Server Encryption
          5. Client and Server Encryption
          6. Transparent Proxy
        16. Disk Encryption
        17. Windows Filesystem Encryption with PGP Disk
        18. Linux Filesystem Encryption with LUKS
          1. Comparing dm-crypt to cryptoloop and loop-AES
        19. Conclusion
      4. 16. Email Security and Anti-Spam
        1. Norton Antivirus
          1. Installation Test
          2. Configuration Tuning
            1. Failed tests
            2. Updates
        2. The ClamAV Project
        3. ClamWin
          1. Configuration
        4. Freshclam
          1. How to Run Freshclam
          2. Examples of Commands for Freshclam
        5. Clamscan
        6. clamd and clamdscan
          1. On-Access Scanning
          2. Clamd As a Network Server
          3. Clamd Commands
          4. Test clamscan and clamdscan/clamd
          5. clamscan or clamdscan?
        7. ClamAV Virus Signatures
          1. MD5 Signatures
          2. Hexadecimal Signatures
          3. Advanced Hexadecimal Signatures
          4. HTML Signatures
        8. Procmail
          1. Mail Delivery Chain
        9. Basic Procmail Rules
          1. Examples
        10. Advanced Procmail Rules
          1. Scoring
        11. ClamAV with Procmail
        12. Unsolicited Email
        13. Spam Filtering with Bayesian Filters
          1. Spamprobe
          2. Automate the Learning Phase
          3. Maintenance
          4. SpamProbe with Procmail
          5. Inconvenient
        14. SpamAssassin
          1. Configuration Files
          2. SpamAssassin Variables
          3. Administrator Settings
        15. SpamAssassin Rules
          1. Meta Tests
          2. Score
          3. Whitelist and Blacklist
          4. Language
          5. Bayesian Filter
        16. Plug-ins for SpamAssassin
          1. Collaborative Plug-ins
          2. SpamAssassin Network Tests
        17. SpamAssassin with Procmail
          1. SpamAssassin As a Daemon or Server
          2. ClamAV, SpamProbe, and SpamAssassin with Procmail
        18. Anti-Phishing Tools
          1. Email Filtering
          2. Toolbar for Web Browsers
        19. Conclusion
      5. 17. Device Security Testing
        1. Replay Traffic with Tcpreplay
          1. What and How to Test
          2. tcpreplay
          3. Rewrite Packets with Tcpreplay
            1. MAC address
            2. IP address
            3. TCP/UDP port
          4. Tcpreplay with Two Interfaces
          5. flowreplay
          6. Tomahawk
        2. Traffic IQ Pro
          1. Setup
          2. Replay Traffic Files
          3. Attack Files
          4. Standard Traffic Files
          5. Scan
          6. Import Custom Packet Captures
          7. Packet Editing
          8. Conclusion
        3. ISIC Suite
          1. Network Setup
          2. esic
          3. isic, icmpsic, tcpsic, udpsic, and multisic
          4. Automation
        4. Protos
    10. VI. Monitoring
      1. 18. Network Capture
        1. tcpdump
          1. Basics
          2. Berkeley Packet Filter (BPF)
          3. Writing Packets to Disk
          4. Advanced BPF Filtering
          5. Advanced Dump Display
          6. Using tcpdump to Extract Packets
        2. Ethereal/Wireshark
          1. Basics
          2. Starting a Capture
            1. Capture
            2. Display Options
            3. Name Resolution
          3. Loading a Previously Created Capture
          4. Viewing a Capture
          5. Basic Wireshark Display Filters
          6. Advanced Wireshark Display Filters
          7. Saving Select Packets to Disk
          8. Packet Colorization
          9. Overriding Default Protocol Decoders
          10. TShark Techniques
          11. Wireshark Statistics
          12. Setting Useful Defaults
        3. pcap Utilities: tcpflow and Netdude
          1. tcpflow
            1. Basics
          2. Netdude
            1. Basics
            2. Cleaning up a botched pcap file
            3. Editing packet payloads
        4. Python/Scapy Script Fixes Checksums
          1. Basics
        5. Conclusion
      2. 19. Network Monitoring
        1. Snort
          1. Different Snort Modes
          2. Writing Signatures for Snort
          3. Passive Network Mapping
          4. Stealth Ethernet
          5. Disabling a Rule
          6. Changing the Default Port of a Service
          7. Snort Preprocessor
          8. Excluding Authorized Scans
          9. Log Analysis
          10. Updating Rules
          11. Blocking Port Scan
          12. From a NIDS to an ILDS
            1. Protocols that should be monitored
            2. Limitations of Snort as an ILDS
          13. Monitoring Network Usage
        2. Implementing Snort
          1. NIDS
          2. User Monitoring
          3. ILDS
        3. Honeypot Monitoring
          1. The Value of a Honeypot
          2. Using Honeyd to Emulate a Server
          3. Using Honeyd to Emulate a Network
          4. Using Honeyd As a Tar Pit
          5. Implementing Honeyd
          6. Writing New Scripts with Honeyd
          7. Jail
          8. HoneyView and Log Management
        4. Gluing the Stuff Together
      3. 20. Host Monitoring
        1. Using File Integrity Checkers
        2. File Integrity Hashing
        3. The Do-It-Yourself Way with rpmverify
        4. Comparing File Integrity Checkers
          1. Afick
          2. Aide
          3. Integrit
          4. Remote Filesystem Checker (RFC)
          5. Samhain/Beltane
          6. Open Source Tripwire
        5. Prepping the Environment for Samhain and Tripwire
          1. Samhain
          2. Tripwire
        6. Database Initialization with Samhain and Tripwire
          1. Samhain
          2. Tripwire
        7. Securing the Baseline Storage with Samhain and Tripwire
          1. Samhain
          2. Tripwire
        8. Running Filesystem Checks with Samhain and Tripwire
          1. Samhain
          2. Tripwire
        9. Managing File Changes and Updating Storage Database with Samhain and Tripwire
          1. Samhain
          2. Tripwire
        10. Recognizing Malicious Activity with Samhain and Tripwire
          1. Tripwire
          2. Samhain
        11. Log Monitoring with Logwatch
        12. Improving Logwatch's Filters
        13. Host Monitoring in Large Environments with Prelude-IDS
          1. Log Correlation
        14. Conclusion
    11. VII. Discovery
      1. 21. Forensics
        1. Netstat
          1. Finding a Linux Backdoor with Netstat
          2. Finding a Windows Backdoor with Netstat
        2. The Forensic ToolKit
          1. Hfind.exe: Discover Hidden Files
          2. Sfind.exe: Discover Files Hidden in Alternate Data Streams
          3. FileStat.exe: Very Detailed Data on a Specific File
            1. The Security Descriptor
            2. File streams
            3. Timestamps
          4. Working with Alternate Data Streams
        3. Sysinternals
          1. Autoruns: What Runs Without Your Help?
            1. Trimming down the list
          2. RootkitRevealer: Rooting Out Rootkits
            1. RootkitRevealer from the console
          3. Streams: Find and Delete Data Hidden in Streams the Sysinternals Way
          4. TCPView: A Graphical Netstat
          5. Process Explorer: Powerful Process Management
            1. Replacing the Task Manager with Process Explorer
            2. Run as...
          6. Now What?
      2. 22. Application Fuzzing
        1. Which Fuzzer to Use
        2. Different Types of Fuzzers for Different Tasks
          1. Block-Based Fuzzers
          2. Riot
          3. Flipper
          4. Inline Fault Injection
          5. Setting Up a Network Fuzzer Test Bed
            1. The client
            2. The fuzzer
            3. The server/target
          6. Gathering Information of the Target's Side
        3. Writing a Fuzzer with Spike
        4. The Spike API
          1. Reversing a Protocol with Spike
        5. File-Fuzzing Apps
          1. PaiMei
          2. FileFuzz
        6. Fuzzing Web Applications
        7. Configuring WebProxy
        8. Automatic Fuzzing with WebInspect
        9. Next-Generation Fuzzing
        10. Fuzzing or Not Fuzzing
      3. 23. Binary Reverse Engineering
        1. Interactive Disassembler
          1. Opening the Binary
            1. Special cases
          2. Searching in IDA
            1. Searching for text strings
            2. Searching for immediate values
          3. Defining Data Types
            1. Structures and unions
              1. An example
            2. Enumerations
          4. Annotating the Code
            1. Setting comments
            2. Marking positions
            3. An example
          5. Code Navigation
          6. Tracking the Flow of Execution
            1. Cross-reference
            2. Flow charts
            3. Tracking function calls
          7. Using Subview Windows
            1. Functions window
            2. Strings window
            3. Names window
            4. Imports and exports windows
          8. Debugging with IDA
            1. Initial configuration
            2. Setting breakpoints and watchpoints
            3. Stepping through the program
            4. Examining data
            5. Tracing
            6. Taking a memory snapshot
            7. Remote debugging
              1. Configuring the client
              2. Configuring the remote host
          9. Finding the Bugs
          10. Making Scripts with IDC
            1. IDC Hello World
            2. Functions and variables
            3. Expressions and statements
            4. Interacting with the IDA database
            5. Adding graphical interfaces
            6. Faking global variables with arrays
            7. Making hotkeys
            8. Automating large tasks
          11. Using IDA Plug-ins
        2. Sysinternals
          1. RegMon
          2. FileMon
          3. Setting Filters
        3. OllyDbg
          1. The Basics
            1. Setting breakpoints and watchpoints
            2. Stepping through the program
            3. Animated stepping
            4. Examining data
          2. Navigating Through the Disassembly
            1. Using bookmarks
          3. Editing Data
            1. Copying and pasting binary sections
            2. The patches window
            3. Undoing edits
            4. Saving your changes
          4. Using OllyDbg with the FreeCiv Case Study
            1. Finding the location of interest
            2. Making our changes
            3. Running the hack
        4. Other Tools
          1. SoftICE
          2. HT
    12. Index
    13. About the Authors
    14. Colophon
    15. SPECIAL OFFER: Upgrade this ebook with O’Reilly