The Only Way to Stop a Hacker is to Think Like One

(1)

™

1 YEAR UPGRADE

BUYER PROTECTION PLAN

UPDATED

The Only Way to Stop a Hacker is to Think Like One

David R. Mirza Ahmad Ido Dubrawsky

Hal Flynn

Joseph “Kingpin” Grand Robert Graham

Norris L. Johnson, Jr.

K2

Dan “Effugas” Kaminsky F. William Lynch

Steve W. Manzuik Ryan Permeh Ken Pfeil

Rain Forest Puppy Ryan Russell Technical Editor

UPDATED

(2)

s o l u t i o n s @ s y n g r e s s . c o m

With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening.

Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations.

Solutions@syngress.com is an interactive treasure trove of useful infor- mation focusing on our book topics and related technologies. The site offers the following features:

■ One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters.

■ “Ask the Author” customer query forms that enable you to post questions to our authors and editors.

■ Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material.

■ Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics.

Best of all, the book you’re now holding is your key to this amazing site.

Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase.

Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.

www.syngress.com/solutions

(3)

(4)

1 YEAR UPGRADE

BUYER PROTECTION PLAN

David R. Mirza Ahmad Ido Dubrawsky

Hal Flynn

Joseph “Kingpin” Grand Robert Graham

Norris L. Johnson, Jr.

K2

Dan “Effugas” Kaminsky

F. William Lynch Steve W. Manzuik Ryan Permeh Ken Pfeil

Rain Forest Puppy Ryan Russell Technical Editor

(5)

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents.The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®,“Career Advancement Through Skill Enhancement®,” and “Ask the Author UPDATE®,” are registered trademarks of Syngress Publishing, Inc. “Mission Critical™,”“Hack Proofing™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY SERIAL NUMBER 001 D7Y4T945T5 002 AKTRT4MW34 003 VMB663N54N 004 SGD34B39KA 005 87U8Q26NVH 006 N4D4RNTEM4 007 2HBVHTR46T 008 ZPB9R5653R 009 J6N5M4BRAS 010 5T6YH2TZFC

PUBLISHED BY Syngress Publishing, Inc.

800 Hingham Street Rockland, MA 02370

Hack Proofing Your Network, Second Edition

Copyright © 2002 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America 1 2 3 4 5 6 7 8 9 0

ISBN: 1-928994-70-9

Technical Editor: Ryan Russell Cover Designer: Michael Kavish

Acquisitions Editor: Catherine B. Nolan Page Layout and Art by: Shannon Tozier Developmental Editor: Kate Glennon Indexer: Robert Saigh

Distributed by Publishers Group West in the United States and Jaguar Book Group in Canada.

(6)

v

Acknowledgments

v We would like to acknowledge the following people for their kindness and support in making this book possible.

Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks.

Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Kevin Votel, Kent Anderson, Frida Yara, Bill Getz, Jon Mayes, John Mesjak, Peg O’Donnell, Sandra Patterson, Betty Redmond, Roy Remer, Ron Shapiro, Patricia Kelly, Andrea Tetrick, Jennifer Pascal, Doug Reil, and David Dahl of Publishers Group West for sharing their incredible marketing experience and expertise.

Jacquie Shanahan and AnnHelen Lindeholm of Elsevier Science for making certain that our vision remains worldwide in scope.

Annabel Dent and Paul Barry of Harcourt Australia for all their help.

David Buckland,Wendi Wong, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Ethan Atkin at Cranbury International for his help in expanding the Syngress program.

Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help and enthusiasm representing our product in Canada.

Lois Fraser, Connie McMenemy, Shannon Russell and the rest of the great folks at Jaguar Book Group for their help with distribution of Syngress books in Canada.

From Ryan Russell

I would like to dedicate my work to my wonderful wife and children, without whom none of this would be worth doing. I love you Sara, Happy Valentine’s Day! I would also like to thank Brian Martin for his assistance in tech editing, and of course the authors who took the time to write the book. Special thanks go out to those authors who worked on the first edition, before anyone had any idea that it would do well or how it would come out.

(7)

Contributors

Dan “Effugas” Kaminsky (CISSP) worked for two years at Cisco Systems designing security infrastructure for large-scale network monitoring systems.

Dan has delivered presentations at several major industry conferences including Linuxworld, DEF CON, and the Black Hat Briefings, and he also contributes actively to OpenSSH, one of the more significant cryptographic systems in use today. Dan founded the cross-disciplinary DoxPara Research (www.doxpara.com) in 1997, seeking to integrate psychological and techno- logical theory to create more effective systems for non-ideal but very real environments in the field. He is based in Silicon Valley, presently studying Operation and Management of Information Systems at Santa Clara University in California.

Rain Forest Puppyis a security research and development consultant for a Midwest-based security consulting company. RFP has been working in R&D and coding in various languages for over seven years.While the Web is his primary hobby focus point, he has also played in other realms including:

Linux kernel security patches, lockdown of various Windows and UNIX operating systems, and the development of honeypots and other attack alert tools. In the past he’s reported on SQL tampering and common CGI problems, and has contributed security tools (like whisker) to the information security community.

Ken Pfeilis the Security Program Manager for Identix Inc.’s information technology security division. Ken started with Identix following his position as Chief Information Security Officer for Miradiant Global Network, Inc.

Ken has over 14 years of IT and security experience, having served with such companies as Microsoft, Dell, and Merrill Lynch.While employed at Microsoft, Ken co-authored Microsoft’s “Best Practices for Enterprise Security” whitepaper series, and is the founder of “The NT Toolbox”Web site. He currently covers new security risks and vulnerabilities for Windows and .Net magazines’ Security Administrator publication, and was the resident expert for multiplatform integration and security issues for “The Windows 2000 Experts Journal.”

vi

(8)

vii

Joseph “Kingpin” Grandis a Boston-based electrical engineer and product designer. His pioneering hardware and security research has been published in various academic and industry journals. He has lectured widely on security product design and analysis, portable devices, and digital forensics. In addition to testifying before the United States Senate Governmental Affairs, Joseph has presented his research at the United States Naval Post Graduate School Center for INFOSEC Studies and Research, the USENIX Security Symposium, and the IBM Thomas J.Watson Research Center.

Joseph was a long-time researcher with the L0pht hacker think tank. He holds a Bachelor’s of Science in Computer Engineering from Boston University in Boston, Massachusetts.

K2is a security engineer. He works on a variety of systems ranging from UNIX to all other operating systems. He has spent a lot of time working through security issues wherever they exist; core kernels, networking services, or binary protections. K2 is a member of w00w00 and is a con- tributing member of The Honeynet Project. He would like to thank Anya for all her help and support throughout the year.

David M. Ahmadis Threat Analysis Manager for SecurityFocus and moderator of the Bugtraq mailing list. SecurityFocus is the leading provider of security intelligence services. David has played a key role in the development of the vulnerability database at SecurityFocus.The focus of this duty has been the analysis of software vulnerabilities and the methods used to exploit them. David became the moderator of Bugtraq, the well-known computer security mailing list in 2001. He currently resides in Calgary, Alberta, Canada with his family.

F. William Lynch(SCSA, CCNA, LPI-I, MCSE, MCP, Linux+, A+) is co- author for Hack Proofing Sun Solaris 8 (ISBN: 1-928994-44-X), also pub- lished by Syngress Publishing. He is an independent security and systems administration consultant and specializes in firewalls, virtual private networks, security auditing, documentation, and systems performance analysis.

William has served as a consultant to multinational corporations and the Federal government including the Centers for Disease Control and

Prevention headquarters in Atlanta, Georgia as well as various airbases of the USAF. He is also the founder and director of the MRTG-PME project,

(9)

viii

which uses the MRTG engine to track systems performance of various UNIX-like operating systems.William holds a Bachelor’s degree in

Chemical Engineering from the University of Dayton in Dayton, Ohio and a Masters of Business Administration from Regis University in Denver, Colorado.

Hal Flynnis a Threat Analyst at SecurityFocus, the leading provider of Security Intelligence Services for Business. Hal functions as a Senior Analyst, performing research and analysis of vulnerabilities, malicious code, and network attacks. He provides the SecurityFocus team with UNIX and

Network expertise. He is also the manager of the UNIX Focus Area and moderator of the Focus-Sun, Focus-Linux, Focus-BSD, and Focus- GeneralUnix mailing lists.

Hal has worked the field in jobs as varied as the Senior Systems and Network Administrator of an Internet Service Provider, to contracting the United States Defense Information Systems Agency, to Enterprise-level consulting for Sprint. He is also a veteran of the United States Navy Hospital Corps, having served a tour with the 2nd Marine Division at Camp

Lejeune, North Carolina as a Fleet Marine Force Corpsman. Hal is mobile, living between sunny Phoenix, Arizona and wintry Calgary, Alberta, Canada.

Rooted in the South, he still calls Montgomery, Alabama home.

Ryan Permehis a developer and researcher with eEye Digital Security. He works on the Retina and SecureIIS product lines and leads the reverse engineering and custom exploitation efforts for eEye’s research team. Ryan was behind the initital analysis of the CodeRed worm, and has developed many proof of concept exploits provided to vendors and the security community.

Ryan has experience in NT, UNIX, systems and application programming as well as large-scale secure network deployment and maintenance. Ryan currently lives and works in sunny Orange County, California. Ryan would like to offer special thanks to Riley Hassel for his assistance in providing the Linux exploitation of a sample buffer overflow. He would also like to thank the rest of the eEye team, Greg Hoglund, and Ryan Russell, for the original foundation ideas included in his chapter.

Norris L. Johnson, Jr.(MCSE, MCT, CTT+, A+, Network +) is a technology trainer and owner of a consulting company in the Seattle-Tacoma

(10)

ix

area. His consultancies have included deployments and security planning for local firms and public agencies, as well as providing services to other local computer firms in need of problem solving and solutions for their clients.

He specializes in Windows NT 4.0,Windows 2000, and Windows XP issues, providing planning, implementation, and integration services. In addition to consulting work, Norris provides technical training for clients and teaches for area community and technical colleges. He co-authored Configuring and Troubleshooting Windows XP Professional (Syngress Publishing, ISBN: 1- 92899480-6), and performed technical edits on Hack Proofing Windows 2000 Server (ISBN: 1-931836-49-3) and Windows 2000 Active Directory, Second Edition (ISBN: 1-928994-60-1).

Norris holds a Bachelor’s degree from Washington State University.

He is deeply appreciative of the support of his wife Cindy and three sons in helping to maintain his focus and efforts toward computer training and education.

Ido Dubrawsky(CCNA, SCSA) is a Network Security Engineer and a member of Cisco’s Secure Consulting Services in Austin,Texas. He currently conducts security posture assessments for clients as well as provides technical consulting for security design reviews. His strengths include Cisco routers and switches, PIX firewall, Solaris systems, and freeware intrusion detection systems. Ido holds a Bachelor’s and a Master’s degree from the University of Texas at Austin and is a member of USENIX and SAGE. He has written several articles covering Solaris security and network security for Sysadmin magazine as well as SecurityFocus. He lives in Austin,Texas with his family.

Robert Grahamhas been developing sniffers since 1990, where he wrote most of the protocol decodes for the ProTools protocol-analyzer, including real-time tools for password sniffing and Telnet session spying. Robert worked for Network General between 1994 and 1998 where he rewrote all of the protocol-decodes for the Sniffer protocol-analyzer. He founded Network ICE in 1998 and created the BlackICE network-snifing intrusion detection system. He is now the chief architect at Internet Security Systems in charge of the design for the RealSecure IDS.

Steve Manzuik(MCP) was most recently a Manager in Ernst & Young’s Security and Technology Solutions practice specializing in profiling services.

(11)

x

Over the last ten years Steve has been involved in IT integration, support, and security. Steve is a published author on security topics, a sought after speaker and information security panelist and is the moderator of a full disclosure security mailing list,VulnWatch (www.vulnwatch.org). Steve also has acted as a Security Analyst for a world wide group of White Hat Hackers and Security Researchers, the BindView RAZOR Team.

Steve is a board member of the Calgary Security Professionals

Information Exchange (SPIE) group, which is an information-sharing group of local security professionals from various private and government sectors.

Steve has a strong background in Microsoft technologies and the various security issues surrounding them, and has successfully guided multiple organizations in securing Microsoft Windows NT hosts for use in a hostile envi- ronment. He lives in Calgary, Alberta, Canada with his wife Heather, son, Greyson and newborn daughter Hope.

The following individuals contributed to the first edition of Hack Proofing Your Network: Internet Tradecraft. Although not contributors to the second edi- tion, their work and ideas from the first edition have been included.

Oliver Friedrichs has over twelve years of experience in the information security industry, ranging from development to management. Oliver is a co- founder of the information security firm SecurityFocus.com. Previous to founding SecurityFocus, Oliver was a Co-Founder and Vice President of Engineering at Secure Networks, Inc., which was acquired by Network Associates in 1998. Post acquisition, Oliver managed the development of Network Associates’ award-winning CyberCop Scanner network auditing product, and managed Network Associates’ vulnerability research team.

Oliver has delivered training on computer security issues for organizations such as the IRS, FBI, Secret Service, NASA,TRW, Canadian Department of Defense, RCMP, and CSE.

Greg Hoglund is a software engineer and researcher. He has written sev- eral successful security products for Windows NT. Greg also operates the

From the First Edition

(12)

xi

Windows NT Rootkit project, located at www.rootkit.com. He has written several white papers on content-based attacks, kernel patching, and forensics.

Currently he works as a founder of Click To Secure, Inc., building new security and quality assurance tools. His web site can be found at www.clicktosecure.com.

Elias Levy is the moderator of Bugtraq, one of the most read security mailing lists on the Internet, and a co-founder of Security Focus.

Throughout his career, Elias has served as computer security consultant and security engineer for some of the largest corporations in the United States.

Outside of the computer security industry, he has worked as a UNIX software developer, a network engineer, and system administrator.

Mudge is the former CEO and Chief Scientist of renowned ‘hacker think- tank’ the L0pht, and is considered the nation’s leading “grey-hat hacker.” He and the original members of the L0pht are now heading up @stake’s

research labs, ensuring that the company is at the cutting edge of Internet security. Mudge is a widely sought-after keynote speaker in various forums, including analysis of electronic threats to national security. He has been called to testify before the Senate Committee on Governmental Affairs and to be a witness to the House and Senate joint Judiciary Oversight committee. Mudge has briefed a wide range of members of Congress and has conducted training courses for the Department of Justice, NASA, the US Air Force, and other government agencies. Mudge participated in President Clinton’s security summit at the White House. He joined a small group of high tech executives, privacy experts, and government officials to discuss Internet security.

A recognized name in cryptanalysis, Mudge has co-authored papers with Bruce Schneier that were published in the 5th ACM Conference on

Computer and Communications Security, and the Secure Networking – CQRE International Exhibition and Congress.

He is the original author of L0phtCrack, the award winning NT password auditing tool. In addition, Mudge co-authored AntiSniff, the world’s first commercial remote promiscuous mode detection program. He has written over a dozen advisories and various tools, many of which resulted in numerous CERT advisories, vendor updates, and patches.

(13)

xii

Stace Cunningham (CMISS, CCNA, MCSE, CLSE, COS/2E, CLSI, COS/2I, CLSA, MCPS, A+) is a security consultant currently located in Biloxi, MS. He has assisted several clients in the development and implementation of network security plans for their organizations. Both network and operating system security has always intrigued Stace, so he strives to constantly stay on top of the changes in this ever-evolving field.While in the Air Force he held the positions of Network Security Officer and Computer Systems Security Officer.While in the Air Force, Stace was heavily involved in installing, troubleshooting, and protecting long-haul circuits with the appropriate level of cryptography necessary to protect the level of information traversing the circuit as well as protecting the circuits from TEMPEST hazards. Stace was a contributor to The SANS Institute booklet “Windows NT Security Step by Step.” In addition, he has co- authored over 18 books published by Osborne/McGraw-Hill, Syngress, and Microsoft Press. He has also performed as Technical Editor for various other books and has written for Internet Security Advisor magazine.

Ryan Russell is the best-selling author of Hack Proofing Your Network:

Internet Tradecraft (Syngress Publishing, ISBN: 1-928994-15-6). He is an Incident Analyst at SecurityFocus, has served as an expert witness on security topics, and has done internal security investigation for a major software vendor. Ryan has been working in the IT field for over 13 years, the last 7 of which have been spent primarily in information security. He has been an active participant in various security mailing lists, such as BugTraq, for years, and is frequently sought after as a speaker at security conferences. Ryan has contributed to four other Syngress Publishing titles on the topic of networking, and four on the topic of security. He holds a Bachelors of Science degree in Computer Science.

Technical Editor and Contributor

(14)

Obtaining Authentication Information 363 Monitoring Telnet (Port 23) 364 Monitoring FTP (Port 21) 364 Monitoring POP (Port 110) 365 Monitoring IMAP (Port 143) 365 Monitoring NNTP (Port 119) 366 Monitoring rexec (Port 512) 366 Monitoring rlogin (Port 513) 367 Monitoring X11 (Port 6000+) 368 Monitoring NFS File Handles 368 Capturing Windows NT Authentication

Information 369 Capturing Other Network Traffic 370 Monitoring SMTP (Port 25) 370 Monitoring HTTP (Port 80) 370 Popular Sniffing Software 371 Ethereal 371 Network Associates Sniffer Pro 372

NT Network Monitor 374

WildPackets 375 TCPDump 376 dsniff 377 Ettercap 380 Esniff.c 380 Sniffit 381

Carnivore 382

Additional Resources 385

Advanced Sniffing Techniques 385 Man-in-the-Middle (MITM) Attacks 385 Cracking 386

Switch Tricks 386

ARP Spoofing 386

MAC Flooding 387

Routing Games 388

Ethereal Capture Preferences

(22)

Exploring Operating System APIs 388 Linux 388 BSD 392 libpcap 392 Windows 395 Taking Protective Measures 395

Providing Encryption 395

Secure Shell (SSH) 396

Secure Sockets Layers (SSL) 397

PGP and S/MIME 397

Switching 398 Employing Detection Techniques 398

Local Detection 398

Network Detection 399

DNS Lookups 399

Latency 399

Driver Bugs 400

AntiSniff 400

Network Monitor 400

Summary 401

Frequently Asked Questions 404 Chapter 11 Session Hijacking 407 Introduction 408 Understanding Session Hijacking 408 TCP Session Hijacking 410 TCP Session Hijacking with Packet

Blocking 411 Route Table Modification 411

ARP Attacks 414

UDP Hijacking 415

Examining the Available Tools 416 Juggernaut 416 Hunt 420 Ettercap 425 SMBRelay 430

Storm Watchers 430

ACK Storms 431

Playing MITM for Encrypted Communications 433 Man-in-the-Middle Attacks 434 Dsniff 435

Other Hijacking 436

Understanding Session Hijacking

;The point of hijacking a connection is to steal trust.

;Hijacking is a race scenario: Can the attacker get an appropriate response packet in before the legitimate server or client can?

;Attackers can remotely modify routing tables to redirect packets or get a system into the routing path between two hosts.

(23)

Summary 438

Frequently Asked Questions 440 Chapter 12 Spoofing: Attacks

on Trusted Identity 443

Introduction 444

What It Means to Spoof 444

Spoofing Is Identity Forgery 444 Spoofing Is an Active Attack

against Identity Checking Procedures 445 Spoofing Is Possible at All

Layers of Communication 445 Spoofing Is Always Intentional 446

Spoofing May Be Blind or Informed, but Usually Involves Only Partial

Credentials 447 Spoofing Is Not the Same Thing as Betrayal 448 Spoofing Is Not Necessarily Malicious 448 Spoofing Is Nothing New 449

Background Theory 449

The Importance of Identity 450

The Evolution of Trust 451

Asymmetric Signatures between Human

Beings 451 Establishing Identity within Computer

Networks 453

Return to Sender 454

In the Beginning,There Was…

a Transmission 455

Capability Challenges 457

Ability to Transmit: “Can It Talk

to Me?” 457

Ability to Respond: “Can It Respond

to Me?” 459

Ability to Encode: “Can It Speak My

Language?” 463

Ability to Prove a Shared Secret:

“Does It Share a Secret with Me?” 465 Ability to Prove a Private Keypair:

“Can I Recognize Your Voice?” 467 Tools & Traps…

Perfect Forward Secrecy:

SSL’s Dirty Little Secret The dirty little secret of SSL is that, unlike SSH and unnecessarily like standard PGP, its standard modes are not perfectly forward secure. This means that an attacker can lie in wait, sniffing encrypted traffic at its leisure for as long as it desires, until one day it breaks in and steals the SSL private key used by the SSL engine (which is extractable from all but the most custom hardware).

(24)

Ability to Prove an Identity Keypair:

“Is Its Identity Independently

Represented in My Keypair?” 468 Configuration Methodologies:

Building a Trusted Capability Index 470 Local Configurations vs. Central

Configurations 470

Desktop Spoofs 471

The Plague of Auto-Updating Applications 471

Impacts of Spoofs 473

Subtle Spoofs and Economic Sabotage 474 Flattery Will Get You Nowhere 474 Subtlety Will Get You Everywhere 476 Selective Failure for Selecting Recovery 476 Bait and Switch: Spoofing the Presence

of SSL Itself 478

Down and Dirty: Engineering Spoofing Systems 486 Spitting into the Wind: Building

a Skeleton Router in Userspace 486 Designing the Nonexistent:The

Network Card That Didn’t Exist but

Responded Anyway 487

Implementation: DoxRoute, Section

by Section 488

Bring Out the Halon: Spoofing Connectivity Through Asymmetric

Firewalls 510 Symmetric Outgoing TCP:

A Highly Experimental Framework for Handshake-Only TCP

Connection Brokering 511 Summary 518

Solution Fast Track 519

Chapter 13 Tunneling 527

Introduction 528 Strategic Constraints of Tunnel Design 530 Privacy: “Where Is My Traffic Going?” 532 Routability: “Where Can This Go Through?” 532 Deployability: “How Painful

Is This to Get Up and Running?” 533 Flexibility: “What Can

(25)

Quality: “How Painful Will

This System Be to Maintain?” 537 Designing End-to-End Tunneling Systems 537 Drilling Tunnels Using SSH 538 Security Analysis: OpenSSH 3.02 539

Setting Up OpenSSH 541

Open Sesame: Authentication 543 Basic Access: Authentication by Password 543 Transparent Access: Authentication by

Private Key 544

Server to Client Authentication 544 Client to Server Authentication 545 Command Forwarding: Direct

Execution for Scripts and Pipes 550 Port Forwarding: Accessing Resources on

Remote Networks 556

Local Port Forwards 557

Dynamic Port Forwards 560 Internet Explorer 6: Making the Web

Safe for Work 561

Speak Freely: Instant Messaging

over SSH 564

That’s a Wrap: Encapsulating Arbitrary Win32 Apps within the Dynamic

Forwarder 566 Summoning Virgil: Using Dante’s

Socksify to Wrap UNIX Applications 567

Remote Port Forwards 569

When in Rome:Traversing

the Recalcitrant Network 571 Crossing the Bridge: Accessing

Proxies through ProxyCommands 571 No Habla HTTP? Permuting thy Traffic 575 Show Your Badge: Restricted

Bastion Authentication 576 Bringing the Mountain: Exporting

SSHD Access 579

Echoes in a Foreign Tongue:

Cross-Connecting Mutually

Firewalled Hosts 581

Not In Denver, Not Dead: Now What? 584 Standard File Transfer over SSH 584 Primary questions for

privacy of communications include the following:

■ Can anyone else monitor the traffic within this tunnel?

Read access, addressed by encryption.

■ Can anyone else modify the traffic within this tunnel, or surreptitiously gain access to it? Write access, addressed primarily through authentication.

(26)

Incremental File Transfer over SSH 586

CD Burning over SSH 589

Acoustic Tubing: Audio

Distribution over TCP and SSH 593 Summary 598

Frequently Asked Questions 606 Chapter 14 Hardware Hacking 609 Introduction 610 Understanding Hardware Hacking 610 Opening the Device: Housing

and Mechanical Attacks 611

Types of Tamper Mechanisms 613

Tamper Resistance 615

Tamper Evidence 615

Tamper Detection 615

Tamper Response 617

External Interfaces 618

Protocol Analysis 620

Electromagnetic Interference

and Electrostatic Discharge 623 Analyzing the Product Internals: Electrical

Circuit Attacks 624

Reverse-engineering the Device 624 Basic Techniques: Common Attacks 627

Device Packaging 627

Memory Retrieval 628

Timing Attacks 629

Advanced Techniques: Epoxy

Removal and IC Delidding 630 Silicon Die Analysis 631 Cryptanalysis and Obfuscation Methods 632

What Tools Do I Need? 634

Starter Kit 634

Advanced Kit 635

Example: Hacking the iButton Authentication

Token 637 Experimenting with the Device 638 Reverse-engineering the “Random”

Response 639 Example: Hacking the NetStructure 7110

E-commerce Accelerator 642 Understanding

Hardware Hacking

Hardware hacking is done for the following reasons:

■ General analysis of the product to determine common security weaknesses and attacks

■ Access to the internal circuit without evidence of device tampering

■ Retrieval of any internal or secret data

components

■ Cloning of the device

■ Retrieving memory contents

■ Elevation of privilege

(27)

Opening the Device 642 Retrieving the Filesystem 642 Reverse-engineering the Password

Generator 646 Summary 648

Frequently Asked Questions 652 Chapter 15 Viruses, Trojan Horses,

and Worms 655

Introduction 656 How Do Viruses,Trojans Horses, and

Worms Differ? 656

Viruses 656 Worms 657

Macro Virus 658

Trojan Horses 659

Hoaxes 660

Anatomy of a Virus 660

Propagation 660 Payload 662 Other Tricks of the Trade 663 Dealing with Cross-platform Issues 664 Java 664

Macro Viruses 665

Recompilation 665

Shockwave Flash 665

Proof that We Need to Worry 665

The Morris Worm 666

ADMw0rm 666 Melissa and I Love You 666

Sadmind Worm 673

Code Red Worms 674

Nimda Worm 675

Creating Your Own Malware 677

New Delivery Methods 678

Faster Propagation Methods 679 Other Thoughts on Creating New Malware 679 How to Secure Against Malicious Software 680

Anti-Virus Software 681

Updates and Patches 683

Web Browser Security 683

Anti-Virus Research 683

A “worm” is a program that can run independently, will consume the resources of its host from within in order to maintain itself, and can propa- gate a complete working version of itself on to other machines.

(28)

Summary 685

Chapter 16 IDS Evasion 689

Introduction 690 Understanding How Signature-Based IDSs Work 690 Judging False Positives and Negatives 693

Alert Flooding 693

Using Packet Level Evasion 694

IP Options 696

Time-To-Live Attacks 696

IP Fragmentation 697

TCP Header 698

TCP Synchronization 699

TCB Creation 699

Stream Reassembly 700

TCB Teardown 701

Using Fragrouter and Congestant 701 Countermeasures 704 Using Application Protocol Level Evasion 705 Security as an Afterthought 705

Evading a Match 706

Alternate Data Encodings 706 Web Attack Techniques 707

Method Matching 708

Directory and File Referencing 708 Countermeasures 709 Using Code Morphing Evasion 709 Summary 713

Frequently Asked Questions 716 Chapter 17 Automated Security

Review and Attack Tools 719

Introduction 720 Learning about Automated Tools 720 Exploring the Commercial Tools 725

CyberCop Scanner 728

Internet Security Systems (ISS)

Internet Scanner 728

BindView’s BV-Control for Internet Security 729

eEye Retina 729

Tools & Traps…

Baiting with Honeynets Recently, there has been an upsurge in the use of honeynets as a defensive tool. A honeynet is a system that is deployed with the intended purpose of being compromised.

These are hyper defensive tools that can be imple- mented at any location inside a network. The cur- rent best known configuration type for these tools is where two systems are deployed, one for the bait, the other configured to log all traffic.

(29)

Deciding How Much Detail to Publish

;Take great care in deciding whether or not you want to provide exploit code with your NSF report.

;You must be prepared to take a slight risk when reporting security flaws. You could end up facing the vendor’s wrath.

;Be extra cautious in describing any security flaw that requires the circumvention of a vendor’s copyright protection

mechanisms.

Other Products 729

Exploring the Free Tools 730 Nessus 730 Security Administrators

Integrated Network Tool (SAINT) 731 Security Administrators Research

Assistant (SARA) 732

ShadowScan 732

Nmap and NmapNT 732

Whisker 733

VLAD the Scanner 733

Other Resources 734

Using Automated Tools for Penetration Testing 734 Testing with the Commercial Tools 734 Testing the Free Tools 739 Knowing When Tools Are Not Enough 743 The New Face of Vulnerability Testing 744 Summary 745

Frequently Asked Questions 746 Chapter 18 Reporting Security Problems 749 Introduction 750 Understanding Why Security

Problems Need to Be Reported 750

Full Disclosure 752

Determining When and to

Whom to Report the Problem 755 Whom to Report Security Problems to? 755

How to Report a Security Problem

to a Vendor 758

Deciding How Much Detail to Publish 759 Publishing Exploit Code 759 Problems 760 Repercussions from Vendors 760

Reporting Errors 762

Risk to the Public 762

Summary 763

Index 767

Vulnerability Scanners by Number

Vulnerability Product Count ISS Internet 976 Scanner

NAI 830 CyberCop

Scanner

BV Control 900 for Internet

Security

Harris 1,200 STAT

Scanner

Symantec 600 NetRecon

eEye Retina 820

The Only Way to Stop a Hacker is to Think Like One

1 YEAR UPGRADE

UPDATED

The Only Way to Stop a Hacker is to Think Like One

UPDATED

s o l u t i o n s @ s y n g r e s s . c o m

www.syngress.com/solutions

1 YEAR UPGRADE

Acknowledgments

From Ryan Russell

Contributors

From the First Edition

Technical Editor and Contributor

Contents