Preface

Security Power Tools is written by members of the Juniper Networks’ J-Security Team as well as two guests: Jennifer Granick of Stanford University and Philippe Biondi, an independent developer in France. It took a group effort because network security issues keep us rather busy in our day jobs, and the scope of this book requires the experiences of a diverse group of security professionals. We split up the different tools after several investigative meetings, and then worked for six months writing, revising, writing, and revising again. Writing books is not our specialty, so we apologize as a group if you hit rough spots ahead. The editors, we are told, tore their hair out trying to create a single voice from a dozen different voices, and they eventually gave up. We decided to stop hiding the fact that the book was written by 12 people and just, well, admit it.

To envision how the dirty dozen approach worked for us, imagine yourself in a room with 12 security experts when someone asks a question about, say, wireless penetration. Eight of us are behind our laptops doing other work, and we all look up and offer our own piece of advice. The other four roll their eyes, wait for a moment until the laptops gain preference again, and then interject their opinions. Throughout this book, each chapter represents a slightly different answer from one of these 12 voices; thus, the style and approach for each chapter might be a little different depending on who is talking and whose laptop is closed, but the info is always spot on, and all the chapters have been peer-reviewed.

A few other items we wrestled with are operating system coverage, reader expertise, and tool selection.

We cover a wide variety of operating systems: Windows, Linux, Mac OS, Unix, and others, depending on the security tool. We once debated having different sections in each chapter, sorted by tool, but that lasted for about eight minutes at our author round table.

The matter of reader expertise was a bit more of a struggle. Some of our major assumptions about who you, the reader, are, and what qualifications you bring to the book are detailed in the next two sections of this Preface. We generally assumed this book is for intermediate-to-advanced level network security administrators, but our discussions at our author round table noted that it was really tool-specific. Some network security tools are straightforward, others are exotically difficult. It also depends on whether the tool has an express purpose on the black- or white-hat divide of things. So, if you start on a tool that is either too simplistic or too advanced for you, we recommend jumping around a little and reviewing those tools that are seemingly at your level, and either working up or down as you introduce yourself to tools you may not know.

Our final struggle was which tools to document. Our O’Reilly editor gave us an ideal page count to shoot for. This was our first parameter or else the book would cost a hundred dollars. Next, each of us reviewed different tools depending on our chapter subject, according to criteria such as is the tool available on multiple OSs, is there a large user base (making it applicable to more of our readers), is there a good commercial support or large community support (so our readers can go way past this book), and is there anything to talk about (because quite frankly, some tools do one thing so well and so simplistically that they are almost too obvious and easy to use). There are a dozen other reasons that we chose the tools that we did, and not all of the tools we initially picked made it into the book; in the end, we had to make decisions. Our apologies to those tools that didn’t make the cut; and to those that did, our apologies when we panned, criticized, or nitpicked—our opinions are just that. As readers, take what we say with a grain of salt and try the tool for yourself—it may be just the thing you want or need.

As a group, we want to thank Juniper Networks for giving us time to write and compose this book project. They also made other resources available and paid for them, which helped us write better and faster. If you must know, the book contract was with 12 writers and not with Juniper. Juniper Networks is not responsible for anything we say and does not endorse anything we say, and the information we give here is our personal opinion and not the official views of Juniper Networks or of our departments. This book is a collection of a dozen different views on how security power tools work and how they might be applied. But our thanks must go to Juniper Networks for realizing that knowledge is different than data, and that its employees are resources unto themselves.

Finally, as a group, we would like to thank Avishai (Avi) Avivi, the group manager for the 10 of us who are Juniper employees (and the writer of this book’s Foreword). Many times after our book round tables, he would mutter, “Never again, never again,” but then we noticed that when the first draft of the cover of the book came from O’Reilly, he printed it and tacked it up in his office. As a group, we are very aware that he decided to shave his head because he simply got tired of pulling his hair out over this book.

Audience

While it would probably suffice to say that this book is for any person interested in network security tools, it is not for the beginner. Rather, we should say that while a beginner could read this book, much of it requires a little more time in front of the computer monitor diagnosing network security matters.

In general, this book was written for network security admins, engineers, and consultants at an intermediate-to-advanced skill level. Depending on your expertise, more or less of this book may be new material to you, or new tools you haven’t tried or experienced. Your network responsibilities could be small, intermediate, or large, and we’ve tried to scale our tool examination appropriately.

Our editors, who were beginners in this field, told us the book was fascinating. They never knew how fragile networks are. From this standpoint, the book is a great one to flop down on the COO’s desk to get some new equipment. And Chapter 1, on network security and the law, is of great interest to anyone in the security business.

So we recommend the following course of action. Browse the seven sections of this book and dip into a security tool chapter that you find appropriate to start. Then start skipping around. Use the cross references to other chapters and tools. Few people, if any, are going to read the book consecutively from the first page to the end. Jump in and out and then try something new—play with it on your laptop, then try another tool. We think this is the best way to not only use the book but to adapt it to your expertise, instead of the other way around.

Assumptions This Book Makes

As a group, we assume that you, the reader, are at least familiar with the basics of modern TCP/IP networks and the Internet. You should know what an IP address is and what a TCP port number is, and you should have at least a rough understanding of TCP flags and the like. While we discuss security tools for a variety of operating systems, the majority of tools are used via the Unix command line, so having access to a Unix machine and knowing how to get around in a shell are necessary if you want to follow along. A few of the more advanced chapters deal with programming-related tools, so a knowledge of at least one programming language will help with these (but don’t worry if you aren’t a programmer, there are plenty of other chapters that don’t require any programming knowledge at all). Finally, a basic knowledge of computer security is assumed. Terms such as vulnerability, exploit, and denial of service should be familiar to you if you are to truly get the most from this book.

Contents of This Book

Security Power Tools is divided into seven self-explanatory sections: Legal and Ethics, Reconnaissance, Penetration, Control, Defense, Monitoring, and Discovery. Some sections have multiple chapters, others have just a few. Use the sections as general reference heads to help you navigate.

The book is divided into 23 chapters. Some chapters are written by individuals, some are written by two or three authors. As a group, we’ve chosen the lead writer for each chapter to briefly provide an overview.

Legal and Ethics

Chapter 1, by Jennifer Stisa Granick. If you come away from this chapter having only the ability to identify when you need to talk to a lawyer, I’ve achieved my goal in writing it. The chapter assumes that legal rules and regulations are not the same as, but overlap with, ethical and moral considerations. It then discusses both law and ethics in security testing, vulnerability reporting, and reverse engineering as examples for you to test yourself and your ability to identify murky areas of the law and networking security.

Reconnaissance

Chapter 2, by Bryan Burns. This chapter provides an introduction to the concept of network scanning and details the workings of three different network scanning programs, including the venerable nmap. After reading this chapter, you will know how to find computers on a network, identify which services are running on remote computers, and even identify the versions of services and operating systems running on computers on the other side of the world. As cartoons have taught us, “knowing is half the battle,” and this chapter is all about knowing what’s on the network.

Chapter 3, by Julien Sobrier. This chapter explores Windows and Linux tools that are used to look for vulnerabilities. It focuses on analyzing the results to understand what type of information you really get from them. This chapter should allow you to choose the best tools for your tests, to tweak them to get the best results, and to understand what the reports mean. It also reveals common misuses of these tools.

Chapter 4, by Eric Markham. For a while back in the late ’90s, I worked at a “Mom and Pop” ISP and then transitioned to a number of startups, always as the Manager of Information Technology. I chose to write this chapter because my work experience was directly related. I take a somewhat down-to-earth approach to network security with the expectation that you have good understanding about TCP/IP networks, the major differences between *nix and other operating systems, and what makes the sky blue.

Chapter 5, by Michael Lynn. This chapter starts with a basic description of the 802.11 protocol and then discusses various open source and commercial tools to help with wireless reconnaissance. In the wireless world, the hardware you have and the operating system you use can make a lot of difference in what tools you choose to deploy, so I’ve tried to give you a clear breakdown of what your options are. I also try to give a clear picture of what the pros and cons of each tool are so you can find the tool that best fits your needs. Along the way, I hope I can show you some cool features that you might not have been aware of that will make wardriving easier and more successful. This chapter does not assume you have any prior knowledge of 802.11 networks.

Chapter 6, by Philippe Biondi. This chapter explains the difference between off-the-rack and made-to-measure tools when it comes to discovering networks, assessing robustness of equipment, interacting with proprietary protocols, and exploiting flaws. It also includes a brief foray into packet generation (or packet mangling), as many problems are quickly answered by on-the-fly packet or stream mangling, provided that one knows the right tools. Since English is my second language, I want to thank David Coffey for helping me rewrite and rephrase this chapter’s instructional language.

Penetration

Chapter 7, by Bryan Burns. Metasploit is an extremely powerful and popular framework and set of tools for automated penetration of remote computers over the network. In this chapter, you will learn how to configure and use Metasploit to exploit the latest software vulnerabilities and take control of other computers. Because network monitoring tools are being deployed more and more often these days, an entire section is dedicated to the Metasploit features provided for slipping silently past these types of devices.

Chapter 8, by Bryan Burns, Steve Manzuik, and Michael Lynn. In Chapter 5, you learned about tools that find wireless networks and gather information about them. In this chapter, we present three tools that take things to the next level: wireless penetration. Aircrack is a toolset for capture and offline analysis of wireless traffic with the goal of cracking wireless encryption keys. Airpwn is a tool that lets you inject your own data into someone else’s wireless traffic, allowing for all sorts of subtle games to be played. Finally, Karma pretends to be legitimate access points, allowing for total visibility and control of any wireless client hapless enough to connect to it. With these three tools, wireless networks (even WEP-encrypted ones) are yours for the taking.

Chapter 9, by Nicolas Beauchesne. Exploitation frameworks became much more popular after the appearance of Metasploit. However, some commercial players are in this field too, such as Core Security (makers of Impact) and Immunity Security (makers of Canvas). Those frameworks offer flexibility and power. This chapter covers their basic usage, some advanced features (e.g., adding exploits), and how to customize those frameworks to meet your needs.

Chapter 10, by Philippe Biondi. This chapter is a collection of tricks and tools I use to manipulate shell scripts and create exploits. It includes tools to help you analyze existing shell scripts as well as create and test your own. Since English is my second language, I want to thank David Coffey for helping me rewrite and rephrase this chapter’s instructional language.

Control

Chapter 11, by Chris Iezzoni. This chapter demonstrates the usage and configuration of several of the most popular and easily obtained tools for use as backdoors. VNC is a common remote administration tool, available for both Windows and Unix. Here, I demonstrate some ways to streamline its installation for use as a backdoor. BO2k is a very popular purpose-built backdoor that runs on Windows, and this chapter demonstrates some of the more advanced modules available. Last, but certainly not least, some popular methods of backdooring Unix-based systems are covered. More advanced Unix backdoors are not covered due to their distribution-specific nature.

Chapter 12, by Nicolas Beauchesne. This chapter is a quick review of known rootkits for Windows and Linux and their usage and limitations. It is oriented more toward the usage and detection of those rootkits than exploring their inner workings. I look at the differences in their detection paradigms in order to explain the different benefits of each technology. Among the detection tools, I include some system internals kits and advanced tools like IceSword. Combining the power of those tools should help you cover most cases of infection.

Defense

Chapter 13, by Dave Killion. This chapter covers host-based firewalls that are provided free for the three most common operating systems: Windows Firewall/Internet Connection Sharing on Windows, Netfilter/IPTables on Linux, and ipfw/natd on *BSD. Depending on how these hosts are employed, these instructions also cover using these systems as a gateway firewall in router or NAT mode. There are many firewall products out there, some of them very good, and there are many, many books written on them. With just a chapter to work with, I did the best I could to cover the basics of firewall policy, functionality, and configuration. After reading my chapter, you should have a good understanding of firewall functionality that can be applied to any firewall product, as well as some good hands-on experience with practical firewall management on an OS of your choice.

Chapter 14, by Eric Markham and Eric Moret. After you learned how to defend your network through access control via a firewall in Chapter 13, this chapter will introduce some tools to protect a Windows or Linux computer. You will go through logical steps starting with choosing what to turn off, to running day-to-day systems with least user privileges, and locking down a few Linux kernel parameters with security in mind. In the later part of the chapter, SELinux and its indispensable support tools are introduced. Then various ways to audit password strength are presented, from the venerable John The Ripper to modern rainbow cracking techniques. It finishes on the more advanced and broader virtualization topic.

Chapter 15, by Julien Sobrier and Eric Moret. The next logical step following perimeter and host hardening is communication security. This chapter will walk you through the use of SSH. And although this tool originates from the *nix world, it has excellent support on Windows. The chapter then introduces email encryption and explains the two competing standards: OpenPGP and S/MIME. Then stunnel is used to secure any server daemon traffic, regardless of its implementation. Last but not least, we will echo the media that is so quick to denounce identity theft through physical hardware theft and present solutions to encrypt entire disks or partitions.

Chapter 16, by Julien Sobrier. This chapter will help you to protect your own computer against the most common threats: viruses, worms, malware, spam, and phishing. It is probably the chapter that covers the largest spectrum of skills, from beginner (tweak your Windows antivirus) to advanced (create your own virus signatures or procmail rules). Knowledge of regular expressions and shell scripts would help you to customize the examples given in the chapter, but most of the sections are accessible to beginners.

Chapter 17, by Julien Sobrier. The tools presented in this chapter are complementary and cover different areas of security testing. A lot of examples on how to automate the tests are given throughout. The tools are great to use in all QA processes—not just for security devices but for any network device.

Monitoring

Chapter 18, by Dave Killion. Being able to monitor, capture, and analyze packets can be incredibly useful, either to troubleshoot network performance, debug a problematic networking program, or capture an attack for later analysis or as evidence for prosecution. I walk you through using several different cross-platform capture tools, including tcpdump and Wireshark, from both the command line as well as from a Graphical User Interface (GUI), as well as some tricks to manage your pcap files to distill them down to just what you are looking for. When you are finished with my chapter, you’ll catch yourself thinking “I wonder what THAT program looks like on the wire?”, and you’ll have the tools and knowledge to find out.

Chapter 19, by Nicolas Beauchesne. This chapter covers tools such as Honeyd and Snort. Since lots of books already exist for those tools, the approach taken here was to give the reader a quick round-up of their normal usage and then illuminate some ways to push those technologies in a new way, since they are flexible and can be used to perform plenty of tasks. Also covered in this chapter is a way to integrate these tools to gain network intelligence instead of just monitoring information.

Chapter 20, by Eric Moret. This chapter will introduce system administrators to the practice of monitoring production servers for file changes, by initially covering a large selection of tools and then diving deeper into Tripwire (my ex-aequo favorite), and Samhain’s setup and configuration. Next I cover the use of Logwatch for log reporting on Linux, followed by a step-by-step guide to writing new log filters. I close the chapter with Prelude-IDS, a tool used to centralize security management of a large number of networked devices.

Discovery

Chapter 21, by Chris Iezzoni. This chapter covers some popular forensic tools that can be used for such tasks as attack and incident investigation, and malware discovery. I’ve tried to stick to mostly free collections of tools such as The Forensic Toolkit and SysInternals. With just these, a surprising amount of information can be unearthed about the inner workings of your system. This will give you a foundation upon which to explore on your own more complex tools, such as The Coroner’s Toolkit (TCT).

Chapter 22, by Nicolas Beauchesne. This chapter covers the different fuzzers and fuzzing techniques as well as how to create a new fuzzer script. Some tips are provided on how to set up a fuzzing test-bed and how to perform efficient tracing and debugging to improve the efficiency of your fuzzer tests. Also provided is a quick reversing of a network protocol for fuzzing purposes, so the reader knows what to look for when performing these tasks.

Chapter 23, by Michael Lynn. This chapter covers the art of binary reverse engineering using tools such as Interactive Disassembler and Ollydbg. I present you with a case study in which I show you how to find real bugs in closed source software. During this study, I’ll show you how to use popular disassemblers and debuggers, and I’ll even teach you how to write basic scripts to enhance these powerful tools. By the end of this chapter, you should be able to use these tools to find bugs without source code, and you should be able to get a good understanding of how reverse engineering of this type really works. No prior knowledge of reverse engineering or assembly language is required, although it will be helpful. You should have an understanding of basic programming skills to get the most out of this chapter.

Conventions Used in This Book

The following typographical conventions are used in this book:

Plain text

Indicates menu titles, menu options, menu buttons, and keyboard accelerators (such as Alt and Ctrl).

Italic

Indicates new terms, URLs, email addresses, filenames, file extensions, pathnames, directories, and Unix utilities.

Constant width

Indicates commands, options, switches, variables, attributes, keys, functions, types, classes, namespaces, methods, modules, properties, parameters, values, objects, events, event handlers, XML tags, HTML tags, macros, the contents of files, or the output from commands.

Constant width bold

Shows commands or other text that should be typed literally by the user. Also used for emphasis in code sections.

Constant width italic

Shows text that should be replaced with user-supplied values.

Tip

This icon signifies a tip, suggestion, or general note.

Warning

This icon indicates a warning or caution.

Using Code Examples

This book is here to help you get your job done. In general, you may use the code in this book in your programs and documentation. You do not need to contact us for permission unless you’re reproducing a significant portion of the code. For example, writing a program that uses several chunks of code from this book does not require permission. Selling or distributing a CD-ROM of examples from O’Reilly books does require permission. Answering a question by citing this book and quoting example code does not require permission. Incorporating a significant amount of example code from this book into your product’s documentation does require permission.

We appreciate, but do not require, attribution. An attribution usually includes the title, author, publisher, and ISBN. For example: “Security Power Tools, by Bryan Burns et al. Copyright 2007 O’Reilly Media, Inc., 978-0-596-00963-2.”

If you feel your use of code examples falls outside fair use or the permission given above, feel free to contact us at .

We’d Like to Hear from You

Please address comments and questions concerning this book to the publisher:

O’Reilly Media, Inc.
1005 Gravenstein Highway North
Sebastopol, CA 95472
800-998-9938 (in the United States or Canada)
707-829-0515 (international or local)
707-829-0104 (fax)

We have a web page for this book, where we list errata, examples, and any additional information. You can access this page at:

http://www.oreilly.com/catalog/9780596009632

To comment or ask technical questions about this book, send email to:

For more information about our books, conferences, Resource Centers, and the O’Reilly Network, see our web site at:

http://www.oreilly.com

Safari® Books Online

When you see a Safari® Books Online icon on the cover of your favorite technology book, that means the book is available online through the O’Reilly Network Safari Bookshelf.

Safari offers a solution that’s better than e-books. It’s a virtual library that lets you easily search thousands of top tech books, cut and paste code samples, download chapters, and find quick answers when you need the most accurate, current information. Try it for free at http://safari.oreilly.com.

Acknowledgments

As a group, we’d like to thank Patrick Ames, our Juniper Networks Books editor-in-chief, for assisting us through the long, nine-month creation cycle and for giving us the advice and guidance to write and publish this book. We would also like to thank the many people at Juniper Networks who either reviewed or helped us in ways too numerous to recall. And we would like to thank the management of Juniper Networks for supporting us and granting us corporate resources to research and write this book.

The authors’ individual acknowledgments are as follows:

Bryan Burns: Thanks to Avi, Paul, and Patrick for herding the cats. Thanks to Avi and Daniel for freeing up the time needed to write this book. Last but not least, thanks to Zuzana, Nico, and Sasha for at least trying to leave me alone long enough to get some work done.

Nicolas Beauchesne: I would like to thank Avi for giving me the time to write this book, and to Paul for the miracle of translating my bad English into something readable. Thanks to Julie, Kim, Sabrina, and Martine for their moral support.

Philippe Biondi: I’d like to thank Marina Retbi, Arnaud Ébalard, and Fabrice Desclaux for proofreading my bad English, and David Coffey who helped turn it into something that does not make you wish you were blind.

Jennifer Stisa Granick: I would like to thank my clients for facing personal risk and legal uncertainty in order to advance the state of the art of computer security (and for dreaming up so many interesting ways of getting in trouble), and my husband, Brad Stone, for always encouraging me.

Paul Guersch: I would like to acknowledge the engineers (Bryan, Julien, Dave, Chris, Eric, Michael, Eric, Nic, and Steve) who wrote this book. Since I am not an engineer, I am truly amazed at how much they know about network security. They are truly at the top of their game when it comes to securing and protecting customer systems. They keep me on my toes. I would also like to acknowledge Patrick Ames for his leadership in this project, and Avi Avivi for his trust in me.

Chris Iezzoni: This is my first contribution to a security-related book and I’ve learned a lot in the process. Mostly that it’s an enormous amount of work for everyone involved. I’d like to thank my peers and coworkers for their efforts towards making this book a reality. Thanks to Paul for enduring my continuously late chapters and resulting edits. Special thanks to Avi for hiring me so many years ago.

Dave Killion: I felt like a juggler while working on this project—normal work, the book, school full time, my family, and other “special” projects—it was hard keeping it all in the air. I’d like to thank my boss, Avi, for understanding when the “work” ball was caught lower than some others, Paul for keeping me on track and not letting the “book” ball fall too far, but mostly my wife Dawn and my two kids, Rebecca and Justin, who supported me through all this stress to make this book, my job, my schooling, and, most importantly, my family a success. I love you guys!

Michael Lynn: I would like to thank Mrs. Baird for keeping me out of trouble throughout school, Robert Baird for keeping me out of trouble throughout and after college, and Jennifer Granick for getting me out of trouble when getting into trouble was the only moral thing to do.

Steve Manzuik: I would like to thank all the guys at Juniper who have struggled to get their day-to-day work done while still getting chapters completed more or less on the deadline date. Thanks to Avi for allowing me to go against my own better judgment and get involved in this project. Lastly, I would like to thank “Uncle Jack” for helping me out on those long evenings spent reviewing each chapter.

Eric Markham: I would like to acknowledge that without the support of my peers and my wife (who is actually a writer by trade), this book would be somewhat thinner.

Eric Moret: Thank you to the media at large for making our jobs possible. Keeping the public informed on cyber security risks is what puts bread and stinky cheese on the table. More seriously though, thank you Bryan for having convinced so many of us to write a few “piece of cake” chapters in a book about security. Above all, thank you to my lovely wife Zoulfia who had to endure both our three-year-old Antoine and one-year-old Isabelle during a few weekends while I fled to the office, working to make my chapter’s deadline.

Julien Sobrier: I would like to thank Avi for giving us time to write the book, Paul for helping to clean up my English, and my wife Yanchen and daughter Anais for letting me work at home on this book.