Hack I.T.: Security Through Penetration Testing

Book Description

"This book covers not just the glamorous aspects such as the intrusion act itself, but all of the pitfalls, contracts, clauses, and other gotchas that can occur. The authors have taken their years of trial and error, as well as experience, and documented a previously unknown black art."
--From the Foreword by Simple Nomad, Senior Security Analyst, BindView RAZOR Team

Penetration testing--in which professional, "white hat" hackers attempt to break through an organization's security defenses--has become a key defense weapon in today's information systems security arsenal. Through penetration testing, I.T. and security professionals can take action to prevent true "black hat" hackers from compromising systems and exploiting proprietary information.

Hack I.T. introduces penetration testing and its vital role in an overall network security plan. You will learn about the roles and responsibilities of a penetration testing professional, the motivation and strategies of the underground hacking community, and potential system vulnerabilities, along with corresponding avenues of attack. Most importantly, the book provides a framework for performing penetration testing and offers step-by-step descriptions of each stage in the process. The latest information on the necessary hardware for performing penetration testing, as well as an extensive reference on the available security tools, is included.

Comprehensive in scope, Hack I.T. provides in one convenient resource the background, strategies, techniques, and tools you need to test and protect your systems--before the real hackers attack.

Specific topics covered in this book include:

  • Hacking myths

  • Potential drawbacks of penetration testing

  • Announced versus unannounced testing

  • Application-level holes and defenses

  • Penetration through the Internet, including zone transfer, sniffing, and port scanning

  • War dialing

  • Enumerating NT systems to expose security holes

  • Social engineering methods

  • Unix-specific vulnerabilities, such as RPC and buffer overflow attacks

  • The Windows NT Resource kit

  • Port scanners and discovery tools

  • Sniffers and password crackers

  • Web testing tools

  • Remote control tools

  • Firewalls and intrusion detection systems

  • Numerous DoS attacks and tools


    Table of Contents

    1. Copyright
    2. Foreword
    3. Preface
      1. Audience
      2. Authors
        1. T.J. Klevinsky, CISSP
        2. Scott Laliberte
        3. Ajay Gupta
      3. How to Use This Book
      4. Acknowledgments
    4. Introduction
    5. 1. Hacking Today
    6. 2. Defining the Hacker
      1. 2.1. Hacker Skill Levels
        1. 2.1.1. First-Tier Hackers
        2. 2.1.2. Second-Tier Hackers
        3. 2.1.3. Third-Tier Hackers
      2. 2.2. Information Security Consultants
      3. 2.3. Hacker Myths
      4. 2.4. Information Security Myths
    7. 3. Penetration for Hire
      1. 3.1. Ramifications of Penetration Testing
      2. 3.2. Requirements for a Freelance Consultant
        1. 3.2.1. Skill Set
        2. 3.2.2. Knowledge
        3. 3.2.3. Tool Kit
        4. 3.2.4. Hardware
        5. 3.2.5. Record Keeping
        6. 3.2.6. Ethics
      3. 3.3. Announced vs. Unannounced Penetration Testing
        1. 3.3.1. Definitions
        2. 3.3.2. Pros and Cons of Both Types of Penetration Testing
        3. 3.3.3. Documented Compromise
    8. 4. Where the Exposures Lie
      1. 4.1. Application Holes
      2. 4.2. Berkeley Internet Name Domain (BIND) Implementations
      3. 4.3. Common Gateway Interface (CGI)
      4. 4.4. Clear Text Services
      5. 4.5. Default Accounts
      6. 4.6. Domain Name Service (DNS)
      7. 4.7. File Permissions
      8. 4.8. FTP and telnet
      9. 4.9. ICMP
      10. 4.10. IMAP and POP
      11. 4.11. Modems
      12. 4.12. Lack of Monitoring and Intrusion Detection
      13. 4.13. Network Architecture
      14. 4.14. Network File System (NFS)
      15. 4.15. NT Ports 135–139
      16. 4.16. NT Null Connection
      17. 4.17. Poor Passwords and User IDs
      18. 4.18. Remote Administration Services
      19. 4.19. Remote Procedure Call (RPC)
      20. 4.20. SENDMAIL
      21. 4.21. Services Started by Default
      22. 4.22. Simple Mail Transport Protocol (SMTP)
      23. 4.23. Simple Network Management Protocol (SNMP) Community Strings
      24. 4.24. Viruses and Hidden Code
      25. 4.25. Web Server Sample Files
      26. 4.26. Web Server General Vulnerabilities
      27. 4.27. Monitoring Vulnerabilities
    9. 5. Internet Penetration
      1. 5.1. Network Enumeration/Discovery
        1. 5.1.1. Whois Query
        2. 5.1.2. Zone Transfer
        3. 5.1.3. Ping Sweeps
        4. 5.1.4. Traceroute
      2. 5.2. Vulnerability Analysis
        1. 5.2.1. OS Identification
        2. 5.2.2. Port Scanning
        3. 5.2.3. Application Enumeration
        4. 5.2.4. Internet Research
      3. 5.3. Exploitation
      4. Case Study: Dual-Homed Hosts
        1. Lessons Learned
    10. 6. Dial-In Penetration
      1. 6.1. War Dialing
      2. 6.2. War Dialing Method
        1. 6.2.1. Dialing
        2. 6.2.2. Login
        3. 6.2.3. Login Screens
      3. 6.3. Gathering Numbers
      4. 6.4. Precautionary Methods
      5. 6.5. War Dialing Tools
        1. 6.5.1. ToneLoc
        2. 6.5.2. THC-Scan
        3. 6.5.3. TeleSweep
        4. 6.5.4. PhoneSweep
      6. Case Study: War Dialing
        1. Lessons Learned
    11. 7. Testing Internal Penetration
      1. 7.1. Scenarios
      2. 7.2. Network Discovery
      3. 7.3. NT Enumeration
      4. 7.4. UNIX
      5. 7.5. Searching for Exploits
      6. 7.6. Sniffing
      7. 7.7. Remotely Installing a Hacker Tool Kit
      8. 7.8. Vulnerability Scanning
      9. Case Study: Snoop the User Desktop
        1. Lessons Learned
    12. 8. Social Engineering
      1. 8.1. The Telephone
        1. 8.1.1. Technical Support
        2. 8.1.2. Disgruntled Customer
        3. 8.1.3. Get Help Logging In
        4. 8.1.4. Additional Methods
      2. 8.2. Dumpster Diving
      3. 8.3. Desktop Information
      4. 8.4. Common Countermeasures
    13. 9. UNIX Methods
      1. 9.1. UNIX Services
        1. 9.1.1. inetd Services
        2. 9.1.2. R Services
        3. 9.1.3. Remote Procedure Call Services
      2. 9.2. Buffer Overflow Attacks
      3. 9.3. File Permissions
      4. 9.4. Applications
        1. 9.4.1. Mail Servers
        2. 9.4.2. Web Servers
        3. 9.4.3. X Windows
        4. 9.4.4. DNS Servers
      5. 9.5. Misconfigurations
      6. 9.6. UNIX Tools
        1. 9.6.1. Datapipe.c
        2. 9.6.2. QueSO
        3. 9.6.3. Cheops
        4. 9.6.4. nfsshell
        5. 9.6.5. XSCAN
      7. Case Study: UNIX Penetration
        1. Lessons Learned
    14. 10. The Tool Kit
      1. 10.1. Hardware
      2. 10.2. Software
        1. 10.2.1. Windows NT Workstation
        2. 10.2.2. Linux
      3. 10.3. VMware
    15. 11. Automated Vulnerability Scanners
      1. 11.1. Definition
      2. 11.2. Testing Use
      3. 11.3. Shortfalls
      4. 11.4. Network-Based and Host-Based Scanners
      5. 11.5. Tools
      6. 11.6. Network-Based Scanners
        1. 11.6.1. Network Associates CyberCop Scanner
        2. 11.6.2. ISS Internet Scanner
        3. 11.6.3. Nessus
        4. 11.6.4. Symantec (Formerly Axent Technologies) NetRecon
        5. 11.6.5. Bindview HackerShield (bv-control for Internet Security)
      7. 11.7. Host-Based Scanners
        1. 11.7.1. Symantec (Formerly Axent Technologies) Enterprise Security Manager (ESM)
      8. 11.8. Pentasafe VigilEnt
      9. 11.9. Conclusion
    16. 12. Discovery Tools
      1. 12.1. WS_Ping ProPack
      2. 12.2. NetScanTools
      3. 12.3. Sam Spade
      4. 12.4. Rhino9 Pinger
      5. 12.5. VisualRoute
      6. 12.6. Nmap
      7. 12.7. What's running
    17. 13. Port Scanners
      1. 13.1. Nmap
      2. 13.2. 7th Sphere Port Scanner
      3. 13.3. Strobe
      4. 13.4. SuperScan
    18. 14. Sniffers
      1. 14.1. Dsniff
      2. 14.2. Linsniff
      3. 14.3. Tcpdump
      4. 14.4. BUTTSniffer
      5. 14.5. SessionWall-3 (Now eTrust Intrusion Detection)
      6. 14.6. AntiSniff
    19. 15. Password Crackers
      1. 15.1. L0phtCrack
      2. 15.2. pwdump2
      3. 15.3. John the Ripper
      4. 15.4. Cain
      5. 15.5. ShowPass
    20. 16. Windows NT Tools
      1. 16.1. NET USE
      2. 16.2. Null Connection
      3. 16.3. NET VIEW
      4. 16.4. NLTEST
      5. 16.5. NBTSTAT
      6. 16.6. epdump
      7. 16.7. NETDOM
      8. 16.8. Getmac
      9. 16.9. Local Administrators
      10. 16.10. Global (“Domain Admins”)
      11. 16.11. Usrstat
      12. 16.12. DumpSec
      13. 16.13. user2Sid/sid2User
      14. 16.14. NetBIOS Auditing Tool (NAT)
      15. 16.15. SMBGrind
      16. 16.16. SRVCHECK
      17. 16.17. SRVINFO
      18. 16.18. AuditPol
      19. 16.19. REGDMP
      20. 16.20. Somarsoft DumpReg
      21. 16.21. Remote
      22. 16.22. Netcat
      23. 16.23. SC
      24. 16.24. AT
      25. 16.25. FPipe
      26. Case Study: Weak Passwords
        1. Lessons Learned
      27. Case Study: Internal Penetration to Windows
        1. Lessons Learned
    21. 17. Web-Testing Tools
      1. 17.1. Whisker
      2. 17.2. SiteScan
      3. 17.3. THC Happy Browser
      4. 17.4. wwwhack
      5. 17.5. Web Cracker
      6. 17.6. Brutus
      7. Case Study: Compaq Management Agents Vulnerability
        1. Lessons Learned
    22. 18. Remote Control
      1. 18.1. pcAnywhere
      2. 18.2. Virtual Network Computing
      3. 18.3. NetBus
      4. 18.4. Back Orifice 2000
    23. 19. Intrusion Detection Systems
      1. 19.1. Definition
      2. 19.2. IDS Evasion
        1. 19.2.1. Stealth Port Scanning
        2. 19.2.2. Aggressive Techniques
      3. 19.3. Pitfalls
      4. 19.4. Traits of Effective IDSs
      5. 19.5. IDS Selection
        1. 19.5.1. RealSecure
        2. 19.5.2. NetProwler
        3. 19.5.3. Secure Intrusion Detection
        4. 19.5.4. eTrust Intrusion Detection
        5. 19.5.5. Network Flight Recorder
        6. 19.5.6. Dragon
        7. 19.5.7. Snort
    24. 20. Firewalls
      1. 20.1. Definition
      2. 20.2. Monitoring
      3. 20.3. Configuration
      4. 20.4. Change Control
      5. 20.5. Firewall Types
        1. 20.5.1. Packet-Filtering Firewalls
        2. 20.5.2. Stateful-Inspection Firewalls
        3. 20.5.3. Proxy-Based Firewalls
      6. 20.6. Network Address Translation
      7. 20.7. Evasive Techniques
      8. 20.8. Firewalls and Virtual Private Networks
      9. Case Study: Internet Information Server Exploit—MDAC
        1. Lessons Learned
    25. 21. Denial-of-Service Attacks
      1. 21.1. Resource Exhaustion Attacks
        1. 21.1.1. Papasmurf
        2. 21.1.2. Trash2
        3. 21.1.3. Igmpofdeath.c
        4. 21.1.4. Fawx
        5. 21.1.5. OBSD_fun
      2. 21.2. Port Flooding
        1. 21.2.1. Mutilate
        2. 21.2.2. Pepsi5
      3. 21.3. SYN Flooding
        1. 21.3.1. Synful
        2. 21.3.2. Synk4
        3. 21.3.3. Naptha
      4. 21.4. IP Fragmentation Attacks
        1. 21.4.1. Jolt2
        2. 21.4.2. Teardrop
        3. 21.4.3. Syndrop
        4. 21.4.4. Newtear
      5. 21.5. Distributed Denial-of-Service Attacks
        1. 21.5.1. Tribe Flood Network 2000
        2. 21.5.2. Trin00
        3. 21.5.3. Stacheldraht
        4. 21.5.4. Usage
      6. 21.6. Application-Based DoS Attacks
        1. 21.6.1. Up Yours
        2. 21.6.2. Wingatecrash
        3. 21.6.3. WinNuke
        4. 21.6.4. BitchSlap
        5. 21.6.5. DOSNuke
        6. 21.6.6. Shutup
        7. 21.6.7. Web Server DoS Attacks
      7. 21.7. Concatenated DoS Tools
        1. 21.7.1. CyberCop
        2. 21.7.2. ISS Internet Scanner
        3. 21.7.3. Toast
        4. 21.7.4. Spike.sh5.3
      8. 21.8. Summary
    26. 22. Wrapping It Up
      1. 22.1. Countermeasures
      2. 22.2. Keeping Current
        1. 22.2.1. Web Sites
        2. 22.2.2. Mailing Lists
          1. 8lgm (Eight Little Green Men)—majordomo@8lgm.org
          2. Academic Firewalls—majordomo@net.tamu.edu
          3. Alert—request-alert@iss.net
          4. Best of Security—best-of-security-request@suburbia.net
          5. Bugtraq—listserv@netspace.org
          6. Computer Emergency Response Team—cert@cert.org
          7. Computer Incident Advisory Capability—ciac-listproc@llnl.gov
          8. Computer Underground Digest—cu-digest-request@weber.ucsd.edu
          9. Cypherpunks—majordomo@toad.com
          10. Firewalls—majordomo@greatcircle.com
          11. Information Systems Security Forum—listserv@etsuadmn.etsu.edu
          12. Intrusion Detection Systems—majordomo@uow.edu.au
          13. Microsoft Security—microsoft_security-subscribe-request@announce.microsoft.com
          14. NT Bugtraq—listserv@listserv.ntbugtraq.com
          15. NT Security—request-ntsecurity@iss.net
          16. Phrack—phrack@well.com
          17. Privacy Forum—privacy-request@vortex.com
          18. Risks—risks-request@csl.sri.com
          19. SANS Institute—digest@sans.org
          20. Sneakers—majordomo@cs.yale.edu
          21. Virus—listserv@lehigh.edu
          22. Virus Alert—listserv@lehigh.edu
          23. WWW Security—www-security-request@nsmx.rutgers.edu
    27. 23. Future Trends
      1. 23.1. Authentication
        1. 23.1.1. Two- and Three-Factor Authentication
        2. 23.1.2. Biometrics
        3. 23.1.3. Token-Based Authentication
        4. 23.1.4. Directory Services
      2. 23.2. Encryption
      3. 23.3. Public Key Infrastructure
      4. 23.4. Distributed Systems
      5. 23.5. Forensics
      6. 23.6. Government Regulation
      7. 23.7. Hacking Techniques
      8. 23.8. Countermeasures
      9. 23.9. Cyber-Crime Insurance
    28. A. CD-ROM Contents
      1. Organization of the CD-ROM
        1. VisualRoute
        2. Hunt
        3. Dsniff
        4. Nmap
        5. Hackershield
        6. NetRecon
        7. PhoneSweep
        8. Whisker
        9. Remote Data Services
        10. L0phtCrack
        11. Netcat
        12. Internet Security Systems
        13. Nessus
      2. Compilation of Programs
    29. B. The Twenty Most Critical Internet Security Vulnerabilities—The Experts' Consensus
      1. The SANS Institute
        1. Five Notes for Readers:
      2. G1—Default Installs of Operating Systems and Applications
        1. G1.1 Description:
        2. G1.2 Systems impacted:
        3. G1.3 CVE entries:
        4. G1.4 How to determine if you are vulnerable:
        5. G1.5 How to protect against it:
      3. G2—Accounts with No Passwords or Weak Passwords
        1. G2.1 Description:
        2. G2.2 Systems impacted:
        3. G2.3 CVE entries:
        4. G2.4 How to determine if you are vulnerable:
        5. G2.5 How to protect against it:
      4. G3—Non-existent or Incomplete Backups
        1. G3.1 Description:
        2. G3.2 Systems impacted:
        3. G3.3 CVE entries:
        4. G3.4 How to determine if you are vulnerable:
        5. G3.5 How to protect against it:
      5. G4—Large Number of Open Ports
        1. G4.1 Description:
        2. G4.2 Systems impacted:
        3. G4.3 CVE entries:
        4. G4.4 How to determine if you are vulnerable:
        5. G4.5 How to protect against it:
      6. G5—Not Filtering Packets for Correct Incoming and Outgoing Addresses
        1. G5.1 Description:
        2. G5.2 Systems impacted:
        3. G5.3 CVE entries:
        4. G5.4 How to determine if you are vulnerable:
        5. G5.5 How to protect against it:
      7. G6—Non-existent or Incomplete Logging
        1. G6.1 Description:
        2. G6.2 Systems impacted:
        3. G6.3 CVE entries:
        4. G6.4 How to determine if you are vulnerable:
        5. G6.5 How to protect against it:
      8. G7—Vulnerable CGI Programs
        1. G7.1 Description:
        2. G7.2 Systems impacted:
        3. G7.3 CVE entries:
        4. G7.4 How to determine if you are vulnerable:
        5. G7.5 How to protect against it:
      9. W1—Unicode Vulnerability (Web Server Folder Traversal)
        1. W1.1 Description:
        2. W1.2 Systems impacted:
        3. W1.3 CVE entries:
        4. W1.4 How to determine if you are vulnerable:
        5. W1.5 How to protect against it:
      10. W2—ISAPI Extension Buffer Overflows
        1. W2.1 Description:
        2. W2.2 Systems impacted:
        3. W2.3 CVE entries:
        4. W2.4 How to determine if you are vulnerable:
        5. W2.5 How to protect against it:
      11. W3—IIS RDS Exploit (Microsoft Remote Data Services)
        1. W3.1 Description:
        2. W3.2 Systems impacted:
        3. W3.3 CVE entries:
        4. W3.4 How to determine if you are vulnerable:
        5. W3.5 How to protect against it:
      12. W4—NETBIOS—Unprotected Windows Networking Shares
        1. W4.1 Description:
        2. W4.2 Systems impacted:
        3. W4.3 CVE entries:
        4. W4.4 How to determine if you are vulnerable:
        5. W4.5 How to protect against it:
      13. W5—Information Leakage Via Null Session Connections
        1. W5.1 Description:
        2. W5.2 Systems impacted:
        3. W5.3 CVE entries:
        4. W5.4 How to determine if you are vulnerable:
        5. W5.5 How to protect against it:
      14. W6—Weak Hashing in SAM (LM Hash)
        1. W6.1 Description:
        2. W6.2 Systems impacted:
        3. W6.3 CVE entries:
        4. W6.4 How to determine if you are vulnerable:
        5. W6.5 How to protect against it:
      15. U1—Buffer Overflows in RPC Services
        1. U1.1 Description:
        2. U1.2 Systems impacted:
        3. U1.3 CVE entries:
        4. U1.4 How to determine if you are vulnerable:
        5. U1.5 How to protect against it:
      16. U2—Sendmail Vulnerabilities
        1. U2.1 Description:
        2. U2.2 Systems impacted:
        3. U2.3 CVE entries:
        4. U2.4 How to determine if you are vulnerable:
        5. U2.5 How to protect against it:
      17. U3—Bind Weaknesses
        1. U3.1 Description:
        2. U3.2 Systems impacted:
        3. U3.3 CVE entries:
        4. U3.4 How to determine if you are vulnerable:
        5. U3.5 How to protect against it:
      18. U4—R Commands
        1. U4.1 Description:
        2. U4.2 Systems impacted:
        3. U4.3 CVE entries:
        4. U4.4 How to determine if you are vulnerable:
        5. U4.5 How to protect against it:
      19. U5—LPD (Remote Print Protocol Daemon)
        1. U5.1 Description:
        2. U5.2 Systems impacted:
        3. U5.3 CVE entries:
        4. U5.4 How to determine if you are vulnerable:
        5. U5.5 How to protect against it:
      20. U6—Sadmind and Mountd
        1. U6.1 Description:
        2. U6.2 Systems impacted:
        3. U6.3 CVE entries:
        4. U6.4 How to determine if you are vulnerable:
        5. U6.5 How to protect against it:
      21. U7—Default SNMP Strings
        1. U7.1 Description:
        2. U7.2 Systems impacted:
        3. U7.3 CVE entries:
        4. U7.4 How to determine if you are vulnerable:
        5. U7.5 How to protect against it:
      22. Appendix A—Common Vulnerable Ports
      23. Appendix B—The Experts Who Helped Create the Top Ten and Top Twenty Internet Vulnerability Lists