Hacking For Dummies

By Kevin Beaver

Foreword by Stuart McClure

Hacking For Dummies®

Published by Wiley Publishing, Inc.

111 River Street
Hoboken, NJ 07030-5774

Copyright © 2004 by Wiley Publishing, Inc., Indianapolis, Indiana

Published by Wiley Publishing, Inc., Indianapolis, Indiana

Published simultaneously in Canada

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4447, e-mail: permcoordinator@wiley.com.

Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.

GENERAL DISCLAIMER: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at 800-762-2974, outside the U.S. at 317-572-3993, or fax 317-572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

Library of Congress Control Number: 2004101971

ISBN: 0-7645-5784-X

Manufactured in the United States of America

10 9 8 7 6 5 4 3 2 1

1B/RV/QU/QU/IN

About the Author

As founder and principal consultant of Principle Logic, LLC, Kevin Beaver has over 16 years of experience in IT and specializes in information security.

Before starting his own information security services business, Kevin served in various information technology and security roles for several Fortune 500 corporations and a variety of consulting, e-commerce, and educational institutions. In addition to ethical hacking, his areas of information security expertise include network and wireless network security, e-mail and instant messaging security, and incident response.

Kevin is also author of the book The Definitive Guide to Email Management and Security by Realtimepublishers.com and co-author of the book The Practical Guide to HIPAA Privacy and Security Compliance by Auerbach Publications. In addition, he is technical editor of the book Network Security For Dummies by Wiley Publishing, and a contributing author and editor of the book Healthcare Information Systems, 2nd ed., by Auerbach Publications.

Kevin is a regular columnist and information security expert advisor for SearchSecurity.com and SearchMobileComputing.com and is a Security Clinic Expert for ITsecurity.com. In addition, his information security work has been published in Information Security Magazine, HIMSS Journal of Healthcare Information Management, Advance for Health Information Executives as well as on SecurityFocus.com. Kevin is an information security instructor for the Southeast Cybercrime Institute and also frequently speaks on information security at various workshops and conferences around the U.S. including TechTarget’s Decisions conferences, CSI, and the Southeast Cybercrime Summit.

Kevin is the founder and president of the Technology Association of Georgia’s Information Security Society and serves as an IT advisory board member for several universities and companies around the southeast. Kevin earned his bachelor’s degree in Computer Engineering Technology from Southern Polytechnic State University and his master’s degree in Management of Technology from Georgia Tech. He also holds CISSP, MCSE, Master CNE, and IT Project+ certifications. Kevin can be reached at kbeaver@principlelogic.com.



Dedication

For Amy, Garrett, Master, and Murphy — through thick and thicker, we did it!

I couldn’t have written this book without the tremendous inspiration each of you have given me. You all make the world a better place — thanks for being here for me.

Author’s Acknowledgments

First, I’d like to thank Melody Layne, my acquisitions editor at Wiley, for contacting me with this book idea, providing me this great opportunity, and for being so patient with me during the acquisitions, writing, and editing processes. Also, thanks to all the other members of the acquisitions team at Wiley who helped me shape my outline and initial chapter.

I’d like to thank my project editor, Pat O’Brien, as well as Kim Darosett and the rest of the tireless editorial staff at Wiley for all of your hard work, patience, and great edits! Also, thanks to Terri Varveris for making the initial Dummies contact several years back in the Hungry Minds days and for introducing me to the team — you truly helped get this ball rolling.

Major kudos go out to the security legend, Peter T. Davis, my technical editor. Your For Dummies experience and seemingly never-ending technical knowledge are a great asset to this book. I really appreciate the time and effort you’ve put forth, and I’m truly honored that you helped me on this project.

I’d also like to thank Stuart McClure — the highly talented security expert and phenomenal author — for writing the foreword. It’s funny how this book turned out and how you still ended up being involved! Just look at what you created instead — you should be proud.

To Ira Winkler, Dr. Philippe Oechslin, David Rhoades, Laura Chappell, Matt Caldwell, Thomas Akin, Ed Skoudis, and Caleb Sima — thank you all for doing such a great job with the case studies in this book! They’re a perfect fit and each of you were true professionals and great to work with. I really appreciate your time and effort.



I’d like to extend deep gratitude to Robert Dreyer — my favorite professor at Southern Poly — who piqued my technical interest in computer hardware and software and who taught me way more about computer bits and bytes than I thought I’d ever know. Also, thanks to my friend William Long — one of the smartest people I’ve ever known — for being the best computer and network mentor I could ever have. In addition, I’d like to thank John Cirami for showing me how to run that first DOS executable file off of that 5 1/4” floppy way back when and for helping me to get the ball rolling in my computer career.

A well-deserved thanks also goes out to all my friends and colleagues — you know who you are — who helped provide feedback and advice about the title change.

Finally, I’d like to thank Rik Emmett, Geoff Tate, Neil Peart, and all of their supporting band members for the awesome lyrics and melodies that inspired me to keep pushing forward with this book during the challenging times.



Publisher’s Acknowledgments

We’re proud of this book; please send us your comments through our online registration form located at www.dummies.com/register/.

Some of the people who helped bring this book to market include the following:

Acquisitions, Editorial, and Media Development

Project Editor: Pat O’Brien
Acquisitions Editor: Melody Layne
Senior Copy Editor: Kim Darosett
Technical Editor: Peter T. Davis
Editorial Manager: Kevin Kirschner
Media Development Manager: Laura VanWinkle
Media Development Supervisor: Richard Graves
Editorial Assistant: Amanda Foxworth
Cartoons: Rich Tennant, www.the5thwave.com

Production

Project Coordinator: Maridee Ennis
Layout and Graphics: Andrea Dahl, Denny Hager, Lynsey Osborn, Heather Ryan, Jacque Schneider
Proofreaders: Carl W. Pierce, Brian H. Walls, TECHBOOKS Production Services
Indexer: TECHBOOKS Production Services

Publishing and Editorial for Technology Dummies

Richard Swadley, Vice President and Executive Group Publisher
Andy Cummings, Vice President and Publisher
Mary C. Corder, Editorial Director

Publishing for Consumer Dummies

Diane Graves Steele, Vice President and Publisher
Joyce Pepple, Acquisitions Director

Composition Services

Gerry Fahey, Vice President of Production Services
Debbie Stailey, Director of Composition Services

Contents at a Glance

Foreword ..... xvii
Introduction ..... 1

Part I: Building the Foundation for Ethical Hacking ..... 7
Chapter 1: Introduction to Ethical Hacking ..... 9
Chapter 2: Cracking the Hacker Mindset ..... 21
Chapter 3: Developing Your Ethical Hacking Plan ..... 29
Chapter 4: Hacking Methodology ..... 39

Part II: Putting Ethical Hacking in Motion ..... 53
Chapter 5: Social Engineering ..... 55
Chapter 6: Physical Security ..... 69
Chapter 7: Passwords ..... 79

Part III: Network Hacking ..... 103
Chapter 8: War Dialing ..... 105
Chapter 9: Network Infrastructure ..... 117
Chapter 10: Wireless LANs ..... 147

Part IV: Operating System Hacking ..... 165
Chapter 11: Windows ..... 167
Chapter 12: Linux ..... 193
Chapter 13: Novell NetWare ..... 215

Part V: Application Hacking ..... 235
Chapter 14: Malware ..... 237
Chapter 15: Messaging Systems ..... 257
Chapter 16: Web Applications ..... 279

Part VI: Ethical Hacking Aftermath ..... 297
Chapter 17: Reporting Your Results ..... 299
Chapter 18: Plugging Security Holes ..... 305
Chapter 19: Managing Security Changes ..... 311

Part VII: The Part of Tens ..... 317
Chapter 20: Ten Tips for Getting Upper Management Buy-In ..... 319
Chapter 21: Ten Deadly Mistakes ..... 323

Part VIII: Appendixes ..... 327
Appendix A: Tools and Resources ..... 329
Appendix B: About the Book Web Site ..... 337

Index ..... 339

Table of Contents

Foreword ..... xvii

Introduction ..... 1
    Who Should Read This Book? ..... 1
    About This Book ..... 2
    How to Use This Book ..... 2
    What You Don’t Need to Read ..... 3
    Foolish Assumptions ..... 3
    How This Book Is Organized ..... 3
        Part I: Building the Foundation for Ethical Hacking ..... 4
        Part II: Putting Ethical Hacking in Motion ..... 4
        Part III: Network Hacking ..... 4
        Part IV: Operating System Hacking ..... 4
        Part V: Application Hacking ..... 5
        Part VI: Ethical Hacking Aftermath ..... 5
        Part VII: The Part of Tens ..... 5
        Part VIII: Appendixes ..... 5
    Icons Used in This Book ..... 6
    Where to Go from Here ..... 6

Part I: Building the Foundation for Ethical Hacking ..... 7

Chapter 1: Introduction to Ethical Hacking ..... 9
    How Hackers Beget Ethical Hackers ..... 9
        Defining hacker ..... 9
        Ethical Hacking 101 ..... 10
    Understanding the Need to Hack Your Own Systems ..... 11
    Understanding the Dangers Your Systems Face ..... 12
        Nontechnical attacks ..... 12
        Network-infrastructure attacks ..... 13
        Operating-system attacks ..... 13
        Application and other specialized attacks ..... 13
    Obeying the Ethical Hacking Commandments ..... 14
        Working ethically ..... 14
        Respecting privacy ..... 14
        Not crashing your systems ..... 15
    The Ethical Hacking Process ..... 15
        Formulating your plan ..... 15
        Selecting tools ..... 17
        Executing the plan ..... 19
        Evaluating results ..... 20
        Moving on ..... 20

Chapter 2: Cracking the Hacker Mindset ..... 21
    What You’re Up Against ..... 21
    Who Hacks ..... 22
    Why Hackers Hack ..... 24
    Planning and Performing Attacks ..... 26
    Maintaining Anonymity ..... 27

Chapter 3: Developing Your Ethical Hacking Plan ..... 29
    Getting Your Plan Approved ..... 29
    Establishing Your Goals ..... 30
    Determining What Systems to Hack ..... 32
    Creating Testing Standards ..... 33
        Timing ..... 34
        Specific tests ..... 34
        Blind versus knowledge assessments ..... 35
        Location ..... 36
        Reacting to major exploits that you find ..... 36
        Silly assumptions ..... 36
    Selecting Tools ..... 37

Chapter 4: Hacking Methodology ..... 39
    Setting the Stage ..... 39
    Seeing What Others See ..... 41
        Gathering public information ..... 41
        Mapping the network ..... 43
    Scanning Systems ..... 45
        Hosts ..... 46
        Modems and open ports ..... 46
    Determining What’s Running on Open Ports ..... 47
    Assessing Vulnerabilities ..... 49
    Penetrating the System ..... 51

Part II: Putting Ethical Hacking in Motion ..... 53

Chapter 5: Social Engineering ..... 55
    Social Engineering 101 ..... 55
    Before You Start ..... 56
    Why Hackers Use Social Engineering ..... 58
    Understanding the Implications ..... 58
    Performing Social-Engineering Attacks ..... 59
        Fishing for information ..... 60
        Building trust ..... 62
        Exploiting the relationship ..... 63
    Social-Engineering Countermeasures ..... 65
        Policies ..... 66
        User awareness ..... 66

Chapter 6: Physical Security ..... 69
    Physical-Security Vulnerabilities ..... 69
    What to Look For ..... 70
        Building infrastructure ..... 72
        Utilities ..... 73
        Office layout and usage ..... 74
        Network components and computers ..... 75

Chapter 7: Passwords ..... 79
    Password Vulnerabilities ..... 79
        Organizational password vulnerabilities ..... 80
        Technical password vulnerabilities ..... 82
    Cracking Passwords ..... 82
        Cracking passwords the old-fashioned way ..... 83
        High-tech password cracking ..... 85
        General password-hacking countermeasures ..... 91
        Password-protected files ..... 95
        Other ways to crack passwords ..... 97
    Securing Operating Systems ..... 101
        Windows ..... 101
        Linux and UNIX ..... 102

Part III: Network Hacking ..... 103

Chapter 8: War Dialing ..... 105
    War Dialing ..... 105
        Modem safety ..... 105
        General telephone-system vulnerabilities ..... 106
        Attacking ..... 106
        Countermeasures ..... 114

Chapter 9: Network Infrastructure ..... 117
    Network Infrastructure Vulnerabilities ..... 119
    Choosing Tools ..... 120
        Scanners ..... 120
        Vulnerability assessment ..... 121
    Scanning, Poking, and Prodding ..... 121
        Port scanners ..... 121
        SNMP scanning ..... 129
        Banner grabbing ..... 130
        Firewall rules ..... 131
        Looking through a network analyzer ..... 134
        The MAC-daddy attack ..... 140
        Denial of service ..... 144
        General network defenses ..... 146

Chapter 10: Wireless LANs ..... 147
    Understanding the Implications of Wireless Network Vulnerabilities ..... 147
    Choosing Your Tools ..... 148
    Wireless LAN Discovery ..... 151
        Checking for worldwide recognition ..... 151
        Scanning your local airwaves ..... 152
    Wireless Network Attacks ..... 154
        Encrypted traffic ..... 155
        Countermeasures ..... 156
        Rogue networks ..... 158
        Countermeasures ..... 159
        Physical-security problems ..... 160
        Countermeasures ..... 160
        Vulnerable wireless workstations ..... 161
        Countermeasures ..... 161
        Default configuration settings ..... 162
        Countermeasures ..... 163

Part IV: Operating System Hacking ..... 165

Chapter 11: Windows ..... 167
    Windows Vulnerabilities ..... 168
    Choosing Tools ..... 168
        Essential tools ..... 169
        Free Microsoft tools ..... 169
        All-in-one assessment tools ..... 170
        Task-specific tools ..... 170
    Information Gathering ..... 171
        System scanning ..... 171
        NetBIOS ..... 174
    RPC ..... 177
        Enumeration ..... 178
        Countermeasures ..... 178
    Null Sessions ..... 179
        Hacks ..... 179
        Countermeasures ..... 184
    Share Permissions ..... 186
        Windows defaults ..... 186
        Testing ..... 187
    General Security Tests ..... 189
        Windows Update ..... 189
        Microsoft Baseline Security Analyzer (MBSA) ..... 190
        LANguard ..... 191

Chapter 12: Linux ..... 193
    Linux Vulnerabilities ..... 194
    Choosing Tools ..... 194

    Information Gathering ..... 195
        System scanning ..... 195
        Countermeasures ..... 199
    Unneeded Services ..... 200
        Searches ..... 200
        Countermeasures ..... 202
    .rhosts and hosts.equiv Files ..... 204
        Hacks ..... 204
        Countermeasures ..... 205
    NFS ..... 206
        Hacks ..... 206
        Countermeasures ..... 207
    File Permission ..... 207
        Hacks ..... 207
        Countermeasures ..... 207
    Buffer Overflows ..... 208
        Attacks ..... 209
        Countermeasures ..... 209
    Physical Security ..... 209
        Hacks ..... 210
        Countermeasures ..... 210
    General Security Tests ..... 211
    Patching Linux ..... 212
        Distribution updates ..... 213
        Multiplatform update managers ..... 213

Chapter 13: Novell NetWare ..... 215
    NetWare Vulnerabilities ..... 215
    Choosing Tools ..... 216
    Getting Started ..... 216
        Server access methods ..... 217
        Port scanning ..... 217
        NCPQuery ..... 219
        Countermeasures ..... 220
    Authentication ..... 220
        Rconsole ..... 221
        Server-console access ..... 224
        Intruder detection ..... 224
        Rogue NLMs ..... 225
        Clear-text packets ..... 229
    General Best Practices for Minimizing NetWare Security Risks ..... 230
        Rename admin ..... 231
        Disable eDirectory browsing ..... 231
        Removing bindery contexts ..... 233
        System auditing ..... 233
        TCP/IP parameters ..... 234
        Patching ..... 234

Part V: Application Hacking .....................................235Chapter 14: Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .237Implications of Malware Attacks ...............................................................237Types of Malware ........................................................................................239Trojan horses .....................................................................................239Viruses ................................................................................................240Worms .................................................................................................240Rootkits ...............................................................................................240Spyware ..............................................................................................241Built-in programming interfaces ......................................................241Logic bombs .......................................................................................242Security tools .....................................................................................242How Malware Propagates ...........................................................................243Automation .........................................................................................243E-mail ...................................................................................................243Hacker backdoors .............................................................................244Testing ..........................................................................................................244Vulnerable malware ports ................................................................244Manual assessment ...........................................................................245Antivirus software testing 
................................................................249Network scanning ..............................................................................250Behavioral-analysis tools .................................................................253Malware Countermeasures ........................................................................253General system administration .......................................................253E-mails .................................................................................................255Files .....................................................................................................255Chapter 15: Messaging Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .257Messaging-System Vulnerabilities .............................................................257E-Mail Attacks ..............................................................................................258E-mail bombs .....................................................................................258Banners ...............................................................................................263SMTP attacks .....................................................................................265General best practices for minimizing e-mail security risks ........271Instant Messaging .......................................................................................272Vulnerabilities ....................................................................................272Countermeasures ..............................................................................275Chapter 16: Web Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
.279Web-Application Vulnerabilities ................................................................279Choosing Your Tools ...................................................................................280Insecure Login Mechanisms ......................................................................280Testing ................................................................................................280Countermeasures ..............................................................................283Directory Traversal .....................................................................................283Testing ................................................................................................283Countermeasures ..............................................................................285Hacking For Dummies xiv01

Input Filtering ..............................................................................................285Input attacks ......................................................................................286Countermeasures ..............................................................................289Default Scripts .............................................................................................289Attacks ................................................................................................289Countermeasures ..............................................................................290URL Filter Bypassing ...................................................................................290Bypassing filters ................................................................................290Countermeasures ..............................................................................292Automated Scans ........................................................................................292Nikto ....................................................................................................292WebInspect .........................................................................................292General Best Practices for Minimizing

Web-Application Security Risks .............................................................294Obscurity ............................................................................................294Firewalls ..............................................................................................295Part VI: Ethical Hacking Aftermath ...........................297Chapter 17: Reporting Your Results . . . . . . . . . . . . . . . . . . . . . . . . . . . .299Pulling the Results Together ......................................................................299Prioritizing Vulnerabilities .........................................................................301Reporting Methods .....................................................................................302Chapter 18: Plugging Security Holes . . . . . . . . . . . . . . . . . . . . . . . . . .305Turning Your Reports into Action .............................................................305Patching for Perfection ...............................................................................306Patch management ............................................................................306Patch automation ..............................................................................307Hardening Your Systems ............................................................................308Assessing Your Security Infrastructure ....................................................309Chapter 19: Managing Security Changes . . . . . . . . . . . . . . . . . . . . . . 
.311Automating the Ethical Hacking Process .................................................311Monitoring Malicious Use ..........................................................................312Outsourcing Ethical Hacking .....................................................................313Instilling a Security-Aware Mindset ..........................................................315Keeping Up with Other Security Issues ....................................................316Part VII: The Part of Tens ..........................................317Chapter 20: Ten Tips for Getting Upper Management Buy-In . . . . . .319Cultivate an Ally and Sponsor ...................................................................319Don’t Be a FUDdy Duddy ............................................................................319Demonstrate How the Organization Can’t Afford to Be Hacked ...........320Outline the General Benefits of Ethical Hacking .....................................320xvTable of Contents01

Show How Ethical Hacking Specifically Helps the Organization ...........321Get Involved in the Business .....................................................................321Establish Your Credibility ..........................................................................321Speak on Their Level ..................................................................................322Show Value in Your Efforts .........................................................................322Be Flexible and Adaptable .........................................................................322Chapter 21: Ten Deadly Mistakes . . . . . . . . . . . . . . . . . . . . . . . . . . . . .323Not Getting Approval in Writing ................................................................323Assuming That You Can Find All Vulnerabilities During Your Tests ....324Assuming That You Can Eliminate All Security Vulnerabilities .............324Performing Tests Only Once ......................................................................324Pretending to Know It All ...........................................................................325Running Your Tests without Looking at Things

from a Hacker’s Viewpoint .....................................................................325Ignoring Common Attacks ..........................................................................325Not Using the Right Tools ..........................................................................325Pounding Production Systems at the Wrong Time .................................326Outsourcing Testing and Not Staying Involved .......................................326Part VIII: Appendixes ...............................................327Appendix A: Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . .329Awareness and Training .............................................................................329Dictionary Files and Word Lists ................................................................329General Research Tools ..............................................................................330Hacker Stuff ..................................................................................................330Linux .............................................................................................................331Log Analysis .................................................................................................331Malware ........................................................................................................331Messaging .....................................................................................................332NetWare ........................................................................................................332Networks ......................................................................................................332Password Cracking ......................................................................................333War Dialing ...................................................................................................334Web Applications 
........................................................................................334Windows .......................................................................................................334Wireless Networks ......................................................................................335Appendix B: About the Book Web Site . . . . . . . . . . . . . . . . . . . . . . . . .337Index........................................................................339Hacking For Dummies xvi01

Foreword

Little more than 10 years ago, security was barely a newborn in diapers. With only a handful of security professionals in 1994, few practiced security and even fewer truly understood it. Security technologies amounted to little more than anti-virus software and packet-filtering routers at that time. And the concept of a “hacker” came primarily from the Hollywood movie “WarGames”; or more often it referred to someone with a low golf score. As a result, just like Rodney Dangerfield it got “no respect” and no one took it seriously. IT professionals saw it largely as a nuisance, to be ignored — that is, until they were impacted by it.

Today, the number of Certified Information Systems Security Professionals (CISSP) has topped 23,000 (www.isc2.org) worldwide, and there are more security companies dotting the landscape than anyone could possibly remember. Today security technologies encompass everything from authentication and authorization, to firewalls and VPNs. There are so many ways to address the security problem that it can cause more than a slight migraine simply considering the alternatives. And the term “hacker” has become a permanent part of our everyday vernacular — as defined in nearly daily headlines. The world (and its criminals) has changed dramatically.

So what does all this mean for you, the home/end user or IT/security professional who is thrust into this dangerous online world every time you hit the power button on your computer? The answer is “everything”. The digital landscape is peppered with land mines that can go off with the slightest touch or, better yet, without any provocation whatsoever. Consider some simple scenarios:

Simply plugging into the Internet without a properly configured firewall can get you hacked before the pizza is delivered, within 30 minutes or less.

Opening an email attachment from a family member, friend, or work colleague can install a backdoor on your system allowing a hacker free access to your computer.

Downloading and executing a file via your Internet Messaging (IM) program can turn your pristine desktop into a Centers for Disease Control (CDC) hotzone, complete with the latest alphabet soup virus.

Browsing to an innocent (and trusted) website can completely compromise your computer, allowing a hacker to read your sensitive files or worse delete them.



Trust me when we say the likelihood of becoming an Internet drive-by statistic on the information superhighway is painfully real.

I am often asked, “Is the fear, uncertainty, and doubt (FUD) centered on cyberterrorism justified? Can cyber-terrorists really affect our computer systems and our public infrastructure as some have prognosticated like new age Nostradamus soothsayers?” The answer I always give is “Unequivocally, yes”.

The possibility of a digital Pearl Harbor is closer than many think. Organized terrorist cells like Al Qaeda are raided almost weekly, and when computers are discovered, their drives are filled with cyber hacking plans, U.S. infrastructure blueprints, and instructions on attacking U.S. computer and infrastructure targets.

Do you believe the energy commission’s report about the biggest power outage in U.S. history? The one that on August 14, 2003 left 1/5th of the U.S. population without power (about 50 million people) for over 12 hours? Do you believe that it has to do with untrimmed trees and faulty control processes? If you believe in Occam’s Razor, then yes, the simplest explanation is usually the correct one, but remember this: the power outage hit just three days after the Microsoft Blaster worm, one of the most vicious computer worms ever unleashed on the Internet, first hit. Coincidence? Perhaps.

Some of you may be skeptical, saying “Well, if the threat is so real, why hasn’t something bad happened yet?” I respond simply, “If I had come to you on Sept. 10, 2001, and said that in the near future people would use commercial airplanes as bombs to kill over 3,000 people in a matter of 5 hours, would you believe me?” I understand your skepticism. And you should be skeptical.

But we are asking for your trust, and your faith, before something bad happens.

Trust that we know the truth, we know what is possible, and we know the mind of the enemy. I think we can all agree on at least one thing: we cannot allow them to succeed.

Every minute of every day there are governments, organized crime, and hacker groups turning the doors on your house looking for an unlocked entry. They are rattling the windows and circling your domicile, looking for a weakness, a vulnerability, or a way into your house. Are you going to let them in? Are you going to sit idly by and watch as they ransack your belongings, make use of your facilities, and desecrate your sanctuary? Or are you going to empower yourself, educate yourself, and prevent them from winning? The actions you take today will ultimately answer that question.

Do not despair, all hope is not lost. Increasing security is more of a mindset than anything else. Security is akin to working out. If you don’t do it regularly, it won’t become a part of your lifestyle. And if it doesn’t become a part of your lifestyle, it will quickly become something you can forego and avoid. In other words, you won’t be fit. Same thing applies for security. If you don’t realize that it is a process, not a goal, then you will never make it part of your everyday wellness routine; as a result it quickly becomes something you forego and avoid. And if you avoid it, you will eventually be bitten by it.

The greatest gift you can give yourself is that of education. What you don’t know may not kill you but it may seriously impact you or someone you care about. Knowing what you don’t know is the real trick. And filling in the gaps of knowledge is paramount to preventing a significant attack. Hacking For Dummies can fill in those gaps. Kevin has done a remarkable job in presenting material that is valuable and unique in that it covers hacking methodologies for Windows, Novell, and Linux, as well as such little covered topics as physical security, social engineering, and malware. The varied coverage of security topics in this book is what helps you more completely understand the mind of the hacker and how they work; and it will ultimately be the singular reason you may avoid an attack in the future. Read it carefully. Learn from it. And practice what it says in every area you can.

Make no mistake; the digital battlefield is very real. It has no beginning, it has no ending, it has no boundaries, and it has no rules. Read this book, learn from it and defend yourself or we may lose this digital war.

Stuart McClure is a world-renowned information security expert, founder and co-author of the highly-popular Hacking Exposed series of books, and founder and President and Chief Technology Officer of Foundstone, Inc., experts in strategic security. He can be reached at stu@foundstone.com.

Introduction

Welcome to Hacking For Dummies. This book outlines computer hacker tricks and techniques — in plain English — to assess the security of your own information systems, find security vulnerabilities, and fix the vulnerabilities before malicious and criminal hackers have an opportunity to take advantage of them. This hacking is the professional, aboveboard, and legal type of security testing — which I call ethical hacking throughout the book. Computer and network security is a complex subject and an ever-moving target. You must stay on top of it to ensure your information is protected from the bad guys.

You can implement all the security technologies and other best practices possible, and your information systems may be secure — as far as you know. However, until you understand how hackers think and apply that knowledge to assess your systems from a hacker’s-eye view, you can’t get a true sense of how secure your information really is.

Ethical hacking — sometimes referred to as penetration testing or white-hat hacking — is necessary to ensure that information systems are truly secure on an ongoing basis. This book provides you with the knowledge required to successfully implement an ethical hacking program, along with countermeasures that you can implement to keep malicious hackers out of your business.

Who Should Read This Book?

If you want to hack other people’s computer systems maliciously, this book is not for you.

Disclaimer: If you choose to use the information in this book to hack or break into computer systems maliciously in an unauthorized fashion, you’re on your own. Neither I, as the author, nor anyone else associated with this book shall be liable or responsible for any unethical or criminal choices that you may make and execute using the methodologies and tools that I describe. This book is intended solely for the IT professional to test information security in an authorized fashion.



Okay, now that that’s out of the way, time for the good stuff! This book is for you if you’re a network administrator, information-security manager, security consultant, or someone interested in finding out more about legally and ethically hacking your own or a customer’s information systems to make them more secure.

As the ethical hacker performing well-intended information-security assessments, you can detect and point out security holes that may otherwise be overlooked. If you’re performing these tests on your own systems, the information you uncover in your tests can help you win over management and prove that information security should be taken seriously. Likewise, if you’re performing these tests for your customers, you can help find security holes that can be plugged before malicious hackers have a chance to exploit them.

The information in this book helps you stay on top of the security game and enjoy the fame and glory that comes with helping your organization and customers prevent bad things from happening to their information.

About This Book

Hacking For Dummies is a reference guide on hacking computers and network systems. The ethical hacking techniques are based on the unwritten rules of computer system penetration testing and information-security best practices.

This book covers everything from establishing your hacking plan to testing your systems to managing an ongoing ethical hacking program. Realistically, for many networks, operating systems, and applications, thousands of possible hacks exist. I cover the major ones that you should be concerned about.

Whether you need to assess security vulnerabilities on a small home-office network, a medium-size corporate network, or across large enterprise systems, Hacking For Dummies provides the information you need.

How to Use This Book

This book includes the following features:

Various technical and nontechnical hack attacks and their detailed methodologies

Hack-attack case studies from well-known and anonymous hackers and other security experts

Specific countermeasures to protect against hack attacks

Each chapter is an individual reference on a specific ethical hacking subject. You can refer to individual chapters that pertain to the type of systems you’re assessing, or you can read the book straight through.



Before you start hacking your systems, familiarize yourself with the information in Part I so you’re prepared for the tasks at hand. The adage “if you fail to plan, you plan to fail” rings true for the ethical hacking process. You must get written permission and have a solid game plan.

This material is not intended to be used for unethical or illegal hacking purposes to propel you from script kiddie to mega hacker. Rather, it is designed to provide you with the knowledge you need to hack your own or your customers’ systems — in an ethical and legal manner — to enhance the security of the information involved.

What You Don’t Need to Read

Depending on your computer and network configurations, you may be able to skip chapters. For example, if you aren’t running Linux or wireless networks, you can skip those chapters.

Foolish Assumptions

I make a few assumptions about you, aspiring information-security person:

You’re familiar with basic computer-, network-, and information-security-related concepts and terms.

You have a basic understanding of what hackers do.

You have access to a computer and a network on which to test these techniques.

You have access to the Internet in order to obtain the various tools used in the ethical hacking process.

You have permission to perform the hacking techniques in this book.

How This Book Is Organized

This book is organized into eight parts — six regular chapter parts, a Part of Tens, and a part with appendixes. These parts are modular, so you can jump around from one part to another as needed. Each chapter provides practical methodologies and best practices you can utilize as part of your ethical hacking efforts, including checklists and references to specific tools you can use, as well as resources on the Internet.

Part I: Building the Foundation for Ethical Hacking

This part covers the fundamental aspects of ethical hacking. It starts with an overview of the value of ethical hacking and what you should and shouldn’t do during the process. You get inside the hacker’s mindset and discover how to plan your ethical hacking efforts. This part covers the steps involved in the ethical hacking process, including how to choose the proper tools.

Part II: Putting Ethical Hacking in Motion

This part gets you rolling with the ethical hacking process. It covers several well-known hack attacks, including social engineering and cracking passwords, to get your feet wet. The techniques presented are some of the most widely used hack attacks. This part covers the human and physical elements of security, which tend to be the weakest links in any information-security program. After you plunge into these topics, you’ll know the tips and tricks required to perform common general hack attacks against your systems, as well as specific countermeasures to keep your information systems secure.

Part III: Network Hacking

Starting with the larger network in mind, this part covers methods to test your systems for various well-known network infrastructure vulnerabilities. From weaknesses in the TCP/IP protocol suite to wireless network insecurities, you find out how networks are compromised using specific methods of flawed network communications, along with various countermeasures that you can implement to keep from becoming a victim. This part also includes case studies on some of the network hack attacks that are presented.

Part IV: Operating System Hacking

Practically all operating systems have well-known vulnerabilities that hackers often use. This part jumps into hacking three widely used operating systems: Windows, Linux, and NetWare. The hacking methods include scanning your operating systems for vulnerabilities and enumerating the specific hosts to gain detailed information. This part also includes information on exploiting well-known vulnerabilities in these operating systems, taking over operating systems remotely, and specific countermeasures that you can implement to make your operating systems more secure. This part also includes case studies on operating-system hack attacks.



Part V: Application Hacking

Application security is gaining more visibility in the information-security arena these days. An increasing number of attacks are aimed directly at various applications, which are often able to bypass firewalls, intrusion-detection systems, and antivirus software. This part discusses hacking specific applications, including coverage on malicious software and messaging systems, along with practical countermeasures that you can put in place to make your applications more secure.

One of the most common network attacks is on Web applications. Practically every firewall lets Web traffic into and out of the network, so most attacks are against the millions of Web applications available to almost anyone. This part covers Web application hack attacks, countermeasures, and some application hacking case studies for real-world security testing scenarios.

Part VI: Ethical Hacking Aftermath

After you’ve performed your ethical hack attacks, what do you do with the information you’ve gathered? Shelve it? Show it off? How do you move forward? This part answers all these questions and more. From developing reports for upper management to remediating the security flaws that you discover to establishing procedures for your ongoing ethical hacking efforts, this part brings the ethical hacking process full circle. This information not only ensures that your effort and time are well spent, but also is evidence that information security is an essential element for success in any business that depends on computers and information technology.

Part VII: The Part of Tens

This part contains tips to help ensure the success of your ethical hacking program. You find out how to get upper management to buy into your ethical hacking program so you can get going and start protecting your systems. This part also includes the top ten ethical hacking mistakes to avoid and my top ten tips for ethical hacking success.

Part VIII: Appendixes

This part includes two appendixes that cover ethical hacking reference materials. This includes a one-stop reference listing of ethical hacking tools and resources, as well as information on the Hacking For Dummies Web site.

Icons Used in This Book

This icon points out technical information that is interesting but not vital to your understanding of the topic being discussed.

This icon points out information that is worth committing to memory.

This icon points out information that could have a negative impact on yourethical hacking efforts — so please read it!

This icon refers to advice that can help highlight or clarify an importantpoint.

Where to Go from Here

The more you know about how hackers work and how your systems should be tested, the better you’re able to secure your computer systems. This book provides the foundation that you need to develop and maintain a successful ethical-hacking program for your organization and customers. Keep in mind that the high-level concepts of ethical hacking won’t change as often as the specific information-security vulnerabilities you’re protecting against. The art and science of ethical hacking will always remain an art and a science — and a field that’s ever-changing. You must keep up with the latest hardware and software technologies, along with the various vulnerabilities that come about year after year. No one best way to hack your systems ethically exists, so tweak this information to your heart’s content. Happy (ethical) hacking!



Part I: Building the Foundation for Ethical Hacking

In this part . . .

Your mission — should you choose to accept it — is to find the holes in your network before the bad guys do. This mission will be fun, educational, and most likely entertaining. It will certainly be an eye-opening experience. The cool part is that you can emerge as the hero, knowing that your company will be better protected against hacker attacks and less likely to have its name smeared across the headlines at any time.

If you’re new to ethical hacking, this is the place to begin. The chapters in this part will get you started with information on what to do and how to do it when you’re hacking your own systems. Oh, and also, you find out what not to do as well. This information will guide you through building the foundation for your ethical hacking program to make sure you’re going down the right path so you don’t veer off and end up going down a one-way dead-end street.



Chapter 1
Introduction to Ethical Hacking

In This Chapter

Understanding hacker objectives

Outlining the differences between ethical hackers and malicious hackers

Examining how the ethical hacking process has come about

Understanding the dangers that your computer systems face

Starting the ethical hacking process

This book is about hacking ethically — the science of testing your computers and network for security vulnerabilities and plugging the holes you find before the bad guys get a chance to exploit them.

Although ethical is an often overused and misunderstood word, the Merriam-Webster dictionary defines ethical perfectly for the context of this book and the professional security testing techniques that I cover — that is, conforming to accepted professional standards of conduct. IT practitioners are obligated to perform all the tests covered in this book aboveboard and only after permission has been obtained from the owner(s) of the systems — hence the disclaimer in the introduction.

How Hackers Beget Ethical Hackers

We’ve all heard of hackers. Many of us have even suffered the consequences of hacker actions. So who are these hackers? Why is it important to know about them? The next few sections give you the lowdown on hackers.

Defining hacker

Hacker is a word that has two meanings:

Traditionally, a hacker is someone who likes to tinker with software or electronic systems. Hackers enjoy exploring and learning how computer systems operate. They love discovering new ways to work electronically.

Recently, hacker has taken on a new meaning — someone who maliciously breaks into systems for personal gain. Technically, these criminals are crackers (criminal hackers). Crackers break into (crack) systems with malicious intent. They are out for personal gain: fame, profit, and even revenge. They modify, delete, and steal critical information, often making other people miserable.

The good-guy (white-hat) hackers don’t like being in the same category as the bad-guy (black-hat) hackers. (These terms come from Western movies where the good guys wore white cowboy hats and the bad guys wore black cowboy hats.) Whatever the case, most people give hacker a negative connotation.

Many malicious hackers claim that they don’t cause damage but instead are altruistically helping others. Yeah, right. Many malicious hackers are electronic thieves.

In this book, I use the following terminology:

Hackers (or bad guys) try to compromise computers.

Ethical hackers (or good guys) protect computers against illicit entry.

Hackers go for almost any system they think they can compromise. Some prefer prestigious, well-protected systems, but hacking into anyone’s system increases their status in hacker circles.

Ethical Hacking 101

You need protection from hacker shenanigans. An ethical hacker possesses the skills, mindset, and tools of a hacker but is also trustworthy. Ethical hackers perform the hacks as security tests for their systems.

If you perform ethical hacking tests for customers or simply want to add another certification to your credentials, you may want to consider the ethical hacker certification Certified Ethical Hacker, which is sponsored by EC-Council. See www.eccouncil.org/CEH.htm for more information.

Ethical hacking — also known as penetration testing or white-hat hacking — involves the same tools, tricks, and techniques that hackers use, but with one major difference: Ethical hacking is legal. Ethical hacking is performed with the target’s permission. The intent of ethical hacking is to discover vulnerabilities from a hacker’s viewpoint so systems can be better secured. It’s part of an overall information risk management program that allows for ongoing security improvements. Ethical hacking can also ensure that vendors’ claims about the security of their products are legitimate.




To hack your own systems like the bad guys, you must think like they think. It’s absolutely critical to know your enemy; see Chapter 2 for details.

Understanding the Need to Hack Your Own Systems

To catch a thief, think like a thief. That’s the basis for ethical hacking.

The law of averages works against security. With the increased numbers and expanding knowledge of hackers combined with the growing number of system vulnerabilities and other unknowns, the time will come when all computer systems are hacked or compromised in some way. Protecting your systems from the bad guys — and not just the generic vulnerabilities that everyone knows about — is absolutely critical. When you know hacker tricks, you can see how vulnerable your systems are.

Hacking preys on weak security practices and undisclosed vulnerabilities. Firewalls, encryption, and virtual private networks (VPNs) can create a false feeling of safety. These security systems often focus on high-level vulnerabilities, such as viruses and traffic through a firewall, without affecting how hackers work. Attacking your own systems to discover vulnerabilities is a step to making them more secure. This is the only proven method of greatly hardening your systems from attack. If you don’t identify weaknesses, it’s a matter of time before the vulnerabilities are exploited.

As hackers expand their knowledge, so should you. You must think like them to protect your systems from them. You, as the ethical hacker, must know activities hackers carry out and how to stop their efforts. You should know what to look for and how to use that information to thwart hackers’ efforts.

You don’t have to protect your systems from everything. You can’t. The only protection against everything is to unplug your computer systems and lock them away so no one can touch them — not even you. That’s not the best approach to information security. What’s important is to protect your systems from known vulnerabilities and common hacker attacks.

It’s impossible to buttress all possible vulnerabilities on all your systems. You can’t plan for all possible attacks — especially the ones that are currently unknown. However, the more combinations you try — the more you test whole systems instead of individual units — the better your chances of discovering vulnerabilities that affect everything as a whole.

Don’t take ethical hacking too far, though. It makes little sense to harden your systems from unlikely attacks. For instance, if you don’t have a lot of foot traffic in your office and no internal Web server running, you may not have as much to worry about as an Internet hosting provider would have. However, don’t forget about insider threats from malicious employees!

Your overall goals as an ethical hacker should be as follows:

Hack your systems in a nondestructive fashion.

Enumerate vulnerabilities and, if necessary, prove to upper management that vulnerabilities exist.

Apply results to remove vulnerabilities and better secure your systems.

Understanding the Dangers Your Systems Face

It’s one thing to know that your systems generally are under fire from hackers around the world. It’s another to understand specific attacks against your systems that are possible. This section offers some well-known attacks but is by no means a comprehensive listing. That requires its own book: Hack Attacks Encyclopedia, by John Chirillo (Wiley Publishing, Inc.).

Many information-security vulnerabilities aren’t critical by themselves. However, exploiting several vulnerabilities at the same time can take its toll. For example, a default Windows OS configuration, a weak SQL Server administrator password, and a server hosted on a wireless network may not be major security concerns separately. But exploiting all three of these vulnerabilities at the same time can be a serious issue.

Nontechnical attacks

Exploits that involve manipulating people — end users and even yourself — are the greatest vulnerability within any computer or network infrastructure. Humans are trusting by nature, which can lead to social-engineering exploits. Social engineering is defined as the exploitation of the trusting nature of human beings to gain information for malicious purposes. I cover social engineering in depth in Chapter 5.

Other common and effective attacks against information systems are physical. Hackers break into buildings, computer rooms, or other areas containing critical information or property. Physical attacks can include dumpster diving (rummaging through trash cans and dumpsters for intellectual property, passwords, network diagrams, and other information).




Network-infrastructure attacks

Hacker attacks against network infrastructures can be easy, because many networks can be reached from anywhere in the world via the Internet. Here are some examples of network-infrastructure attacks:

Connecting into a network through a rogue modem attached to a computer behind a firewall

Exploiting weaknesses in network transport mechanisms, such as TCP/IP and NetBIOS

Flooding a network with too many requests, creating a denial of service (DoS) for legitimate requests

Installing a network analyzer on a network and capturing every packet that travels across it, revealing confidential information in clear text

Piggybacking onto a network through an insecure 802.11b wireless configuration

Operating-system attacks

Hacking operating systems (OSs) is a preferred method of the bad guys. OSs comprise a large portion of hacker attacks simply because every computer has one and so many well-known exploits can be used against them.

Occasionally, some operating systems that are more secure out of the box — such as Novell NetWare and the flavors of BSD UNIX — are attacked, and vulnerabilities turn up. But hackers prefer attacking operating systems like Windows and Linux because they are widely used and better known for their vulnerabilities.

Here are some examples of attacks on operating systems:

Exploiting specific protocol implementations

Attacking built-in authentication systems

Breaking file-system security

Cracking passwords and encryption mechanisms

Application and other specialized attacks

Applications take a lot of hits by hackers. Programs such as e-mail server software and Web applications often are beaten down:


Hypertext Transfer Protocol (HTTP) and Simple Mail Transfer Protocol (SMTP) applications are frequently attacked because most firewalls and other security mechanisms are configured to allow full access to these programs from the Internet.

Malicious software (malware) includes viruses, worms, Trojan horses, and spyware. Malware clogs networks and takes down systems.

Spam (junk e-mail) is wreaking havoc on system availability and storage space. And it can carry malware.

Ethical hacking helps reveal such attacks against your computer systems. Parts II through V of this book cover these attacks in detail, along with specific countermeasures you can implement against attacks on your systems.

Obeying the Ethical Hacking Commandments

Every ethical hacker must abide by a few basic commandments. If not, bad things can happen. I’ve seen these commandments ignored or forgotten when planning or executing ethical hacking tests. The results weren’t positive.

Working ethically

The word ethical in this context can be defined as working with high professional morals and principles. Whether you’re performing ethical hacking tests against your own systems or for someone who has hired you, everything you do as an ethical hacker must be aboveboard and must support the company’s goals. No hidden agendas are allowed!

Trustworthiness is the ultimate tenet. The misuse of information is absolutely forbidden. That’s what the bad guys do.

Respecting privacy

Treat the information you gather with the utmost respect. All information you obtain during your testing — from Web-application log files to clear-text passwords — must be kept private. Don’t use this information to snoop into confidential corporate information or private lives. If you sense that someone should know there’s a problem, consider sharing that information with the appropriate manager.




Involve others in your process. This is a “watch the watcher” system that can build trust and support your ethical hacking projects.

Not crashing your systems

One of the biggest mistakes I’ve seen when people try to hack their own systems is inadvertently crashing their systems. The main reason for this is poor planning. These testers either have not read the documentation or misunderstand the usage and power of the security tools and techniques.

You can easily create DoS conditions on your systems when testing. Running too many tests too quickly on a system causes many system lockups. I know because I’ve done this! Don’t rush things and assume that a network or specific host can handle the beating that network scanners and vulnerability-assessment tools can dish out.

Many security-assessment tools can control how many tests are performed on a system at the same time. These tools are especially handy if you need to run the tests on production systems during regular business hours.
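The throttling that the paragraph above attributes to good assessment tools is easy to build into your own test harness. The following is an added example, not code from the book or from any of the tools it names: a small runner that caps how many checks hit one host at a time and spaces their start times, with a constructed stand-in probe in place of a real check. The host names, the probe and the limits are all assumptions chosen for the demonstration.

```python
"""Throttled test runner: caps how many checks run against one host at a
time and spaces their start times, so an assessment does not flood a system.
Added illustration, not code from the book or any named tool; the probe
below is a constructed stand-in for whatever check a real tool would run."""
import threading
import time
from collections import defaultdict


class ThrottledRunner:
    def __init__(self, max_concurrent_per_host=2, min_interval_s=0.01):
        self.cap = max_concurrent_per_host
        self.interval = min_interval_s
        self._lock = threading.Lock()
        self._sems = {}                          # host -> Semaphore(cap)
        self._next_slot = defaultdict(float)     # host -> earliest permitted start
        self._active = defaultdict(int)          # host -> checks running right now
        self.peak = defaultdict(int)             # host -> highest concurrency seen
        self.results = []                        # (host, test_name, outcome)

    def _reserve(self, host):
        # Hand out start times in sequence so a host is never hit faster than
        # one check per min_interval_s, however many threads are waiting.
        with self._lock:
            slot = max(time.monotonic(), self._next_slot[host])
            self._next_slot[host] = slot + self.interval
        return slot

    def _run_one(self, host, name, test):
        slot = self._reserve(host)
        time.sleep(max(0.0, slot - time.monotonic()))
        with self._sems[host]:                   # blocks while the host is at its cap
            with self._lock:
                self._active[host] += 1
                self.peak[host] = max(self.peak[host], self._active[host])
            try:
                outcome = test(host)
            finally:
                with self._lock:
                    self._active[host] -= 1
        with self._lock:
            self.results.append((host, name, outcome))

    def run(self, jobs):
        """jobs: iterable of (host, test_name, callable(host) -> outcome)."""
        jobs = list(jobs)
        for host, _, _ in jobs:
            self._sems.setdefault(host, threading.Semaphore(self.cap))
        threads = [threading.Thread(target=self._run_one, args=job) for job in jobs]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        return list(self.results)


def simulated_probe(host):
    """Constructed stand-in for a real check: takes a little time, reports back."""
    time.sleep(0.02)
    return "ok"


def run_demo(hosts=("app-srv01", "db-srv01"), checks_per_host=6, cap=2):
    """Queue several checks per constructed host and return the runner so the
    caller can see how many checks ever ran at once against each host."""
    runner = ThrottledRunner(max_concurrent_per_host=cap, min_interval_s=0.01)
    jobs = [(h, "check-%d" % i, simulated_probe) for h in hosts for i in range(checks_per_host)]
    runner.run(jobs)
    return runner


if __name__ == "__main__":
    r = run_demo()
    for host, peak in sorted(r.peak.items()):
        done = sum(1 for h, _, _ in r.results if h == host)
        print("%s: %d checks completed, peak concurrency %d" % (host, done, peak))
```

The per-host semaphore is what keeps a production box from taking more than `cap` checks at once; the reserved start slots add a floor on the spacing between checks even when the cap is not reached. Whatever real probe replaces `simulated_probe`, the two limits still apply to it.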

You can even create an account or system lockout condition by social engineering someone into changing a password, without realizing that doing so might lock the account or system out.

The Ethical Hacking Process

Like practically any IT or security project, ethical hacking needs to be planned in advance. Strategic and tactical issues in the ethical hacking process should be determined and agreed upon. Planning is important for any amount of testing — from a simple password-cracking test to an all-out penetration test on a Web application.

Formulating your plan

Approval for ethical hacking is essential. Make what you’re doing known and visible — at least to the decision makers. Obtaining sponsorship of the project is the first step. This could be your manager, an executive, a customer, or even yourself if you’re the boss. You need someone to back you up and sign off on your plan. Otherwise, your testing may be called off unexpectedly if someone claims they never authorized you to perform the tests.


The authorization can be as simple as an internal memo from your boss if you’re performing these tests on your own systems. If you’re testing for a customer, have a signed contract in place, stating the customer’s support and authorization. Get written approval on this sponsorship as soon as possible to ensure that none of your time or effort is wasted. This documentation is your Get Out of Jail Free card if anyone questions what you’re doing.

You need a detailed plan, but that doesn’t mean you have to have volumes of testing procedures. One slip can crash your systems — not necessarily what anyone wants. A well-defined scope includes the following information:

Specific systems to be tested

Risks that are involved

When the tests are performed and your overall timeline

How the tests are performed

How much knowledge of the systems you have before you start testing

What is done when a major vulnerability is discovered

The specific deliverables — this includes security-assessment reports and a higher-level report outlining the general vulnerabilities to be addressed, along with countermeasures that should be implemented

When selecting systems to test, start with the most critical or vulnerable systems. For instance, you can test computer passwords or attempt social-engineering attacks before drilling down into more detailed systems.

It pays to have a contingency plan for your ethical hacking process in case something goes awry. What if you’re assessing your firewall or Web application, and you take it down? This can cause system unavailability, which can reduce system performance or employee productivity. Even worse, it could cause loss of data integrity, loss of data, and bad publicity.

Handle social-engineering and denial-of-service attacks carefully. Determine how they can affect the systems you’re testing and your entire organization.

Determining when the tests are performed is something that you must think long and hard about. Do you test during normal business hours? How about late at night or early in the morning so that production systems aren’t affected? Involve others to make sure they approve of your timing.

The best approach is an unlimited attack, wherein any type of test is possible. The bad guys aren’t hacking your systems within a limited scope, so why should you? Some exceptions to this approach are performing DoS, social-engineering, and physical-security tests.
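The scope elements listed above (written authorization, the specific systems, the testing window, and the DoS, social-engineering and physical tests that need their own sign-off) can be enforced mechanically before any test runs. What follows is an added example, not code from the book: a scope record and an authorization check that refuses anything the signed scope does not cover. The Scope fields, the sample scope, the host names, the dates and the planned test list are all constructed for the illustration.

```python
"""Scope enforcement for an ethical hacking engagement: every planned test is
checked against the signed scope before it runs. Added illustration, not code
from the book; the Scope fields, the sample scope and the planned test list
are constructed for this example."""
import ipaddress
from dataclasses import dataclass, replace
from datetime import datetime, timezone


@dataclass(frozen=True)
class Scope:
    sponsor: str                    # who signed the authorization
    signed: bool                    # written approval actually on file
    networks: tuple                 # CIDR strings the sponsor owns and authorized
    hosts: frozenset                # named systems explicitly in scope
    window_start: datetime          # agreed testing window, UTC
    window_end: datetime
    # test categories the book singles out as needing their own sign-off
    needs_separate_signoff: frozenset = frozenset({"dos", "social-engineering", "physical"})
    extra_approvals: frozenset = frozenset()


def target_in_scope(scope, target):
    """True for a named in-scope host or an IP inside an authorized network."""
    if target in scope.hosts:
        return True
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:              # neither an address nor a listed host name
        return False
    return any(addr in ipaddress.ip_network(net) for net in scope.networks)


def authorize(scope, target, test_type, when):
    """Return (allowed, reason). Any doubt is a refusal, never a guess."""
    if not scope.signed:
        return False, "no written authorization from %s" % scope.sponsor
    if not target_in_scope(scope, target):
        return False, "%s is outside the authorized systems" % target
    if not scope.window_start <= when <= scope.window_end:
        return False, "outside the agreed testing window"
    if test_type in scope.needs_separate_signoff and test_type not in scope.extra_approvals:
        return False, "%s tests need a separate sign-off" % test_type
    return True, "ok"


def grant_exception(scope, test_type):
    """Record a separately approved exception test (for example DoS) on a copy of the scope."""
    return replace(scope, extra_approvals=scope.extra_approvals | {test_type})


def plan_precheck(scope, planned, when):
    """Split (target, test_type) pairs into runnable and rejected lists, with reasons."""
    runnable, rejected = [], []
    for target, test_type in planned:
        ok, reason = authorize(scope, target, test_type, when)
        (runnable if ok else rejected).append((target, test_type, reason))
    return runnable, rejected


# Constructed sample: an internal engagement authorized by memo for one night.
SAMPLE_SCOPE = Scope(
    sponsor="IT director (internal memo; constructed example)",
    signed=True,
    networks=("10.20.0.0/24",),
    hosts=frozenset({"intranet-web01"}),
    window_start=datetime(2004, 3, 6, 22, 0, tzinfo=timezone.utc),
    window_end=datetime(2004, 3, 7, 6, 0, tzinfo=timezone.utc),
)
WHEN_IN_WINDOW = datetime(2004, 3, 7, 1, 0, tzinfo=timezone.utc)
WHEN_OUTSIDE = datetime(2004, 3, 7, 9, 30, tzinfo=timezone.utc)
SAMPLE_PLAN = [
    ("10.20.0.15", "port-scan"),
    ("intranet-web01", "web-app-assessment"),
    ("10.99.0.1", "port-scan"),       # not in the authorized network
    ("10.20.0.15", "dos"),            # exception category without its own sign-off
    ("not-a-host", "port-scan"),      # neither an address nor a listed host
]

if __name__ == "__main__":
    runnable, rejected = plan_precheck(SAMPLE_SCOPE, SAMPLE_PLAN, WHEN_IN_WINDOW)
    for target, kind, _ in runnable:
        print("RUN ", target, kind)
    for target, kind, reason in rejected:
        print("SKIP", target, kind, "-", reason)
```

The check is deliberately a whitelist: a target is in scope only if the sponsor named it or owns the network it sits in, and the exception categories stay blocked until someone records the extra approval with `grant_exception`. Running `plan_precheck` over the whole plan before the first test starts is the cheapest contingency plan there is.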

Don’t stop with one security hole. This can lead to a false sense of security. Keep going to see what else you can discover. I’m not saying to keep hacking until the end of time or until you crash all your systems. Simply pursue the path you’re going down until you can’t hack it any longer (pun intended).

One of your goals may be to perform the tests without being detected. For example, you may be performing your tests on remote systems or on a remote office, and you don’t want the users to be aware of what you’re doing. Otherwise, the users may be on to you and be on their best behavior.

You don’t need extensive knowledge of the systems you’re testing — just a basic understanding. This will help you protect the tested systems.

Understanding the systems you’re testing shouldn’t be difficult if you’re hacking your own in-house systems. If you’re hacking a customer’s systems, you may have to dig deeper. In fact, I’ve never had a customer ask for a fully blind assessment. Most people are scared of these assessments. Base the type of test you will perform on your organization’s or customer’s needs.

Chapter 19 covers hiring “reformed” hackers.

Selecting tools

As with any project, if you don’t have the right tools for ethical hacking, accomplishing the task effectively is difficult. Having said that, just because you use the right tools doesn’t mean that you will discover all vulnerabilities.

Know the personal and technical limitations. Many security-assessment tools generate false positives and negatives (incorrectly identifying vulnerabilities). Others may miss vulnerabilities. If you’re performing tests such as social-engineering or physical-security assessments, you may miss weaknesses.

Many tools focus on specific tests, but no one tool can test for everything. For the same reason that you wouldn’t drive in a nail with a screwdriver, you shouldn’t use a word processor to scan your network for open ports. This is why you need a set of specific tools that you can call on for the task at hand. The more tools you have, the easier your ethical hacking efforts are.

Make sure that you’re using the right tool for the task:

To crack passwords, you need a cracking tool such as LC4, John the Ripper, or pwdump.

A general port scanner, such as SuperScan, may not crack passwords.

For an in-depth analysis of a Web application, a Web-application assessment tool (such as Whisker or WebInspect) is more appropriate than a network analyzer (such as Ethereal).


When selecting the right security tool for the task, ask around. Get advice from your colleagues and from other people online. A simple Groups search on Google (www.google.com) or perusal of security portals, such as SecurityFocus.com, SearchSecurity.com, and ITsecurity.com, often produces great feedback from other security experts.

Hundreds, if not thousands, of tools can be used for ethical hacking — from your own words and actions to software-based vulnerability-assessment programs to hardware-based network analyzers. The following list runs down some of my favorite commercial, freeware, and open-source security tools:

Nmap

EtherPeek

SuperScan

QualysGuard

WebInspect

LC4 (formerly called L0phtcrack)

LANguard Network Security Scanner

Network Stumbler

ToneLoc

Here are some other popular tools:

Internet Scanner

Ethereal

Nessus

Nikto

Kismet

THC-Scan

I discuss these tools and many others in Parts II through V when I go into the specific hack attacks. Appendix A contains a more comprehensive listing of these tools for your reference.

The capabilities of many security and hacking tools are often misunderstood. This misunderstanding has shed negative light on some excellent tools, such as SATAN (Security Administrator Tool for Analyzing Networks) and Nmap (Network Mapper).

Some of these tools are complex. Whichever tools you use, familiarize yourself with them before you start using them. Here are ways to do that:




Read the readme and/or online help files for your tools.

Study the user’s guide for your commercial tools.

Consider formal classroom training from the security-tool vendor or another third-party training provider, if available.

Look for these characteristics in tools for ethical hacking:

Adequate documentation.

Detailed reports on the discovered vulnerabilities, including how they may be exploited and fixed.

Updates and support when needed.

High-level reports that can be presented to managers or nontechie types.

These features can save you time and effort when you’re writing the report.

Executing the plan

Ethical hacking can take persistence. Time and patience are important. Be careful when you’re performing your ethical hacking tests. A hacker in your network or a seemingly benign employee looking over your shoulder may watch what’s going on. This person could use this information against you.

It’s not practical to make sure that no hackers are on your systems before you start. Just make sure you keep everything as quiet and private as possible. This is especially critical when transmitting and storing your test results. If possible, encrypt these e-mails and files using Pretty Good Privacy (PGP) or something similar. At a minimum, password-protect them.

You’re now on a reconnaissance mission. Harness as much information as possible about your organization and systems, which is what malicious hackers do. Start with a broad view and narrow your focus:

1. Search the Internet for your organization’s name, your computer and network system names, and your IP addresses.

Google is a great place to start for this.

2. Narrow your scope, targeting the specific systems you’re testing.

Whether physical-security structures or Web applications, a casual assessment can turn up much information about your systems.

3. Further narrow your focus with a more critical eye. Perform actual scans and other detailed tests on your systems.

4. Perform the attacks, if that’s what you choose to do.


Evaluating results

Assess your results to see what you uncovered, assuming that the vulnerabilities haven’t been made obvious before now. This is where knowledge counts. Evaluating the results and correlating the specific vulnerabilities discovered is a skill that gets better with experience. You’ll end up knowing your systems as well as anyone else. This makes the evaluation process much simpler moving forward.
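Correlating findings, as the paragraph above describes, is what turns the chapter's earlier example (a default Windows build, a weak SQL Server administrator password and a wireless-hosted server, each minor alone but serious together) into a usable rating. The following is an added example, not code from the book: a small correlation step that keeps each host's worst individual finding and then raises the host's overall rating when a known combination of findings is present. The severity scale, the finding tags, the chain rules and the sample findings are all constructed for the illustration; the first chain rule encodes the book's own three-part example.

```python
"""Correlating individual findings into combined risk, per host. Added
illustration, not code from the book; the severity scale, the finding tags,
the chain rules and the sample findings are constructed for this example."""
from collections import defaultdict

SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
LABEL = {v: k for k, v in SEVERITY.items()}

# Each rule: tags that, found together on one host, amount to a bigger problem
# than any of them alone. The first rule is the book's own example.
CHAIN_RULES = [
    ({"default-os-config", "weak-db-admin-password", "wireless-exposed"}, "critical",
     "default OS build with a weak SQL Server admin password reachable over wireless"),
    ({"weak-db-admin-password", "wireless-exposed"}, "high",
     "weak database admin password reachable without physical access"),
    ({"cleartext-protocol", "wireless-exposed"}, "high",
     "credentials travel in clear text over a sniffable segment"),
]


def correlate(findings):
    """findings: iterable of (host, tag, severity). Returns {host: summary}."""
    tags_by_host = defaultdict(dict)
    for host, tag, sev in findings:
        current = tags_by_host[host].get(tag)
        # a tag reported twice (say by two tools) keeps its higher severity
        if current is None or SEVERITY[sev] > SEVERITY[current]:
            tags_by_host[host][tag] = sev

    report = {}
    for host, tags in tags_by_host.items():
        individual = max(SEVERITY[s] for s in tags.values())
        chains = [(sev, why) for needed, sev, why in CHAIN_RULES if needed.issubset(tags)]
        combined = max((SEVERITY[s] for s, _ in chains), default=0)
        overall = max(individual, combined)
        report[host] = {
            "tags": sorted(tags),
            "individual_max": LABEL[individual],
            "chains": chains,
            "overall": LABEL[overall],
            "escalated": overall > individual,   # the correlation changed the rating
        }
    return report


# Constructed sample findings, as separate tools might report them.
SAMPLE_FINDINGS = [
    ("sql-srv01", "default-os-config", "low"),
    ("sql-srv01", "weak-db-admin-password", "medium"),
    ("sql-srv01", "weak-db-admin-password", "low"),     # same finding, second tool
    ("sql-srv01", "wireless-exposed", "low"),
    ("file-srv02", "default-os-config", "low"),
    ("mail-srv03", "cleartext-protocol", "medium"),
    ("mail-srv03", "wireless-exposed", "low"),
]


def hosts_needing_attention(findings, at_least="high"):
    """Hosts whose overall rating, after correlation, meets the threshold."""
    report = correlate(findings)
    return sorted(h for h, r in report.items() if SEVERITY[r["overall"]] >= SEVERITY[at_least])


if __name__ == "__main__":
    for host, summary in sorted(correlate(SAMPLE_FINDINGS).items()):
        print(host, summary["individual_max"], "->", summary["overall"])
        for sev, why in summary["chains"]:
            print("   ", sev + ":", why)
```

On the constructed sample, `sql-srv01` never scores above medium on any single finding yet comes out critical once the three-part chain is recognised, which is exactly the point the chapter makes; the `escalated` flag marks hosts whose rating the correlation changed, so a reviewer can see where the report depends on a chain rule rather than on one tool's verdict.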

Submit a formal report to upper management or to your customer, outliningyour results. Keep these other parties in the loop to show that your effortsand their money are well spent. Chapter 17 describes this process.

Moving on

When you’ve finished your ethical hacking tests, you still need to implement your analysis and recommendations to make sure your systems are secure.

New security vulnerabilities continually appear. Information systems constantly change and become more complex. New hacker exploits and security vulnerabilities are regularly uncovered. You may discover new ones! Security tests are a snapshot of the security posture of your systems. At any time, everything can change, especially after software upgrades, adding computer systems, or applying patches. Plan to test regularly (for example, once a week or once a month). Chapter 19 covers managing security changes.




Chapter 2
Cracking the Hacker Mindset

In This Chapter

Understanding the enemy

Profiling hackers

Understanding why hackers do what they do

Examining how hackers go about their business

Before you start assessing the security of your own systems, it helps to know something about the enemies you’re up against. Many information-security product vendors and other professionals claim that you should protect your systems from the bad guys — both internal and external. But what does this mean? How do you know how these bad guys think and work?

Knowing what hackers want helps you understand how they work. Understanding how they work helps you look at your information systems in a whole new way. In this chapter, I describe what you’re up against, who’s actually doing the hacking, and what their motivations and methods are so you’re better prepared for your ethical hacking tests.

What You’re Up Against

Thanks to sensationalism, the definition of hacker has transformed from harmless tinkerer to malicious criminal. Hackers often state that the general public misunderstands them, which is mostly true. It’s easy to prejudge what you don’t understand. Hackers can be classified by both their abilities and underlying motivations. Some are skilled, and their motivations are benign; they’re merely seeking more knowledge. At the other end of the spectrum, hackers with malicious intent seek some form of personal gain. Unfortunately, the negative aspects of hacking usually overshadow the positive aspects, resulting in the stereotyping.

Historically, hackers have hacked for the pursuit of knowledge and the thrill of the challenge. Script kiddies aside, hackers are adventurous and innovative thinkers, and are always thinking about exploiting computer vulnerabilities. (For more on script kiddies, see “Who Hacks,” later in this chapter.) They see what others often overlook. They wonder what would happen if a cable were unplugged, a switch were flipped, or lines of code were changed in a program.

These old-school hackers are like Tim the Toolman Taylor — Tim Allen’s character on the late, great sitcom Home Improvement — thinking mechanical and electronic devices can be improved if they’re “rewired.” More recent evidence shows that many hackers are hacking for political, competitive, and even financial purposes, so times are changing.

When they were growing up, hackers’ rivals were monsters and villains on video game screens. Now hackers see their electronic foes as only that — electronic. Hackers who perform malicious acts don’t really think about the fact that human beings are behind the firewalls and Web applications they’re attacking. They ignore that their actions often affect those human beings in negative ways, such as jeopardizing their job security.

Hackers and the act of hacking drive the advancement of security technology. After all, hackers don’t create security holes; they expose and exploit existing holes in applications. Unfortunately, security technology advances don’t ward off all hacker attacks, because hackers constantly search for new holes and weaknesses. The only sure-fire way to keep the bad guys at bay is to use behavior modification to change them into productive, well-adjusted members of society. Good luck with that.

However you view the stereotypical hacker, one thing is certain: Some people always will try to take down your computer systems through manual hacking or by creating and launching automated worms and other malware. You must take the appropriate steps to protect your systems against them.

Who Hacks

Computer hackers have been around for decades. Since the Internet became widely used in the late 1990s, we’ve started to hear more and more about hacking. Only a few hackers, such as John Draper (also known as Captain Crunch) and Kevin Mitnick, are well known. Gobs more unknown hackers are looking to make a name for themselves. They’re the ones to look out for.

In a world of black and white, it’s easy to describe the typical hacker. A general stereotype of a typical hacker is an antisocial, pimple-faced teenage boy. But the world has many shades of gray and, therefore, many types of hackers. Hackers are human like the rest of us and are, therefore, unique individuals, so an exact profile is hard to outline. The best broad description of hackers is that all hackers aren’t equal. Each hacker has motives, methods, and skills. But some general characteristics can help you understand them.

Not all hackers are antisocial, pimple-faced teenagers. Regardless, hackers possess curiosity, bravado, and often very sharp minds.




Just like anyone can become a thief, an arsonist, or a robber, anyone can become a hacker, regardless of age, gender, or race. Given this diverse profile, skills vary widely from one malicious hacker to the next. Some hackers barely know how to surf the Internet, whereas others write software that other hackers and ethical hackers alike depend on.

Script kiddies: These are computer novices who take advantage of the hacker tools and documentation available for free on the Internet but don’t have any knowledge of what’s going on behind the scenes. They know just enough to cause you headaches but typically are very sloppy in their actions, leaving all sorts of digital fingerprints behind. Even though these guys are the stereotypical hackers that you hear about in the news media, they often need minimal skills to carry out their attacks.

Intermediate hackers: These halfway hackers usually know just enough to cause serious problems. They know about computers and networks, and often use well-known exploits. Some want to be experts; given enough time and effort, they can be.

Elite hackers: These are skilled hacking experts. These are the people who write many of the hacker tools, including the scripts and other programs that the script kiddies use. These folks write such malware as viruses and worms. They can break into systems and cover their tracks. They can even make it look like someone else hacked the systems.

Elite hackers are often very secretive and share information with their “subordinates” only when they are deemed worthy. Typically, for lower-ranked hackers to be considered worthy, they must possess some unique information or prove themselves through a high-profile hack. These hackers are your worst enemies in information security. Okay, maybe they’re not as bad as untrained end users, but that’s another issue. Fortunately, elite hackers are not as plentiful as script kiddies.

Other hacktivists try to disseminate political or social messages through their work. A hacktivist wants to raise public awareness of an issue. Examples of hacktivism are the Web sites that were defaced with the Free Kevin messages in the name of freeing Kevin Mitnick from prison for his famous hacking escapades. Other cases of hacktivism include messages about legalizing marijuana, protests against the U.S. Navy spy plane that collided with the Chinese fighter jet in 2001, the common hacker attacks between India and Pakistan, and attacks against the U.S. White House Web site over the years.

Is the government hacking?

While in a conflict with another country, some governments will wage war via the Internet and other computer systems. For example, the U.S. government reportedly has launched cyberattacks against its adversaries — such as Yugoslavia during the Milosevic crisis in the late 1990s and in the recent war in Iraq.

Are we headed toward a digital Pearl Harbor? I’m not convinced that we are, but this method of waging war is becoming more common as technology progresses. Many folks are skeptical about this as well, and the U.S. government denies most of its involvement. However, because the world increasingly relies on computer and network technology, PCs, and the Internet, those avenues may become the launching pads or battlegrounds for future conflicts.

Cyberterrorists attack government computers or public utility infrastructures, such as power grids and air-traffic-control towers. They crash critical systems or steal classified government information. Countries take these threats so seriously that many mandate information-security controls in such industries as the power industry to protect essential systems against these attacks.

Hackers for hire are part of organized crime on the Internet. In late 2003, the Korean National Police Agency busted the Internet’s largest organized hacking ring, which had over 4,400 members. Prior to that, police in the Philippines busted a multimillion-dollar organized hacking ring that was selling cheap phone calls made through phone lines the ring had hacked into. Many of these hackers hire themselves out for money — and lots of it!

Why Hackers Hack

The main reason hackers hack is because they can! Okay, it goes a little deeper than that. Hacking is a casual hobby for some hackers — they just hack to see what they can and can’t break into, usually testing only their own systems. These aren’t the folks I’m writing about here. I’m focusing on those hackers who are obsessive and often have criminal intent.

Many hackers get a kick out of outsmarting corporate and government IT and security administrators. They thrive on making headlines and being notorious cyberoutlaws. Defeating an entity or possessing knowledge makes them feel better about themselves. Many of these hackers feed off instant gratification. They become obsessed with this feeling. Hackers can’t resist the adrenaline rush they get when breaking into someone else’s systems. Often, the more difficult the job is, the greater the thrill.

The knowledge that malicious hackers gain and the elevated ego that comes with that knowledge are like an addiction and a way of life. Some hackers want to make your life miserable, and others simply want to be seen or heard. Some common hacker motives are revenge, basic bragging rights, curiosity, boredom, challenge, vandalism, theft for financial gain, sabotage, blackmail, extortion, and corporate espionage.

Hackers often promote individualism — or at least the decentralization of information — because many believe that all information should be free. They think cyberattacks are different from attacks in the real world. They easily ignore or misunderstand their victims and the consequences of hacking.

Part I: Building the Foundation for Ethical Hacking



Many hackers say they don’t intend to harm or profit through their bad deeds, which helps them justify their work. They often don’t look for tangible payoffs. Just proving a point is often a good enough reward for them.

Many business owners and managers — even some network and security administrators — believe that they don’t have anything that a hacker wants or that hackers can’t do much damage if they break in. This couldn’t be further from the truth. This kind of thinking helps support hackers and their objectives. Hackers can compromise a seemingly unimportant system to access the network and use it as a launching pad for attacks on other systems.

It’s worth repeating that hackers often hack because they can. Some hackers go for high-profile systems, but hacking into anyone’s system helps them fit into hacker circles. Hackers use the false sense of security that many people have and go for almost any system they think they can compromise. They know that electronic information can be in more than one place at the same time. It’s tough to prove that hackers took the information and possess it.

Similarly, hackers know that a simple defaced Web page — however easily attacked — is not good for business. The following Web sites show examples of Web pages that have been defaced in the past few years:

www.2600.com/hacked_pages

www.onething.com/archive

Hacked sites like these can persuade management and other nonbelievers that information threats and vulnerabilities should be addressed.

Hacking continues to get easier for several reasons:

Increasing use of networks and Internet connectivity

Anonymity provided by computer systems working over the Internet

Increasing number and availability of hacking tools

Computer-savvy children

Unlikelihood that hackers are investigated or prosecuted if caught

Although most hacker attacks go unnoticed or unreported, hackers who are discovered are often not pursued or prosecuted. When they’re caught, hackers often rationalize their services as being altruistic and a benefit to society: They’re merely pointing out vulnerabilities before someone else does. Regardless, if justice is ever served, it helps eliminate the “fame and glory” reward system that hackers thrive on.

These criminal hackers are in the minority, so don’t think that you’re up against millions of these villains. Many other hackers just love to tinker and only seek knowledge of how computer systems work.


Planning and Performing Attacks

Hacking styles vary widely:

Some hackers prepare far in advance of a large attack. They gather small bits of information and methodically carry out their hacks, as I outline in Chapter 4. These hackers are more difficult to track.

Other hackers — usually, the inexperienced script kiddies — act before they think things through. For example, such hackers may try to telnet directly into an organization’s router without hiding their identities. Other hackers may try to launch a DoS attack against a Microsoft Exchange e-mail server without first determining what version of Exchange is running or what patches are installed. These are the guys who usually get caught.

Although the hacker underground is a community, many of the hackers — especially the elite hackers — don’t share information with the crowd. Most hackers do much of their work independently from other hackers. Hackers who network with one another use private bulletin board systems (BBSs), anonymous e-mail addresses, hacker Web sites, and Internet Relay Chat (IRC). You can log on to many of these sites to see what hackers are doing.

Whatever approach they take, most malicious hackers prey on ignorance.

They know the following aspects of real-world security:

The majority of systems that hackers want to attack aren’t managed properly. The computer systems aren’t properly patched, hardened, and monitored as they should be. Hackers often can attack by flying below the average radar of the firewalls, IDSs, and authentication systems.

Most network and security administrators simply can’t keep up with the deluge of new vulnerabilities.

Information systems grow more complex every year. This is yet another reason why overburdened administrators find it difficult to know what’s happening across the wire and on the hard drives of their systems.

Hacking in the name of liberty

Many hackers exhibit behaviors that contradict what they’re fighting for — that is, they fight for civil liberties and want to be left alone, and at the same time, they love prying into other people’s business. Many hackers claim to be civil libertarians supporting the principles of personal privacy and freedom. However, they act in an entirely different way by intruding on the privacy and property of others. They often steal the property and rights of others, yet are willing to go to great lengths to get their own rights back from anyone who tries to take them away.

The case against copyrighted materials and the Recording Industry Association of America (RIAA) is a classic example. Hackers have gone to great lengths to prove a point, from defacing the Web sites of organizations that support copyrights to illegally sharing music by using otherwise legal mediums such as Kazaa, Gnutella, and Morpheus.

Time is a hacker’s friend — and it always seems to be on the hacker’s side. By attacking through computers rather than in person, hackers have more control over when they can carry out their attacks.

Hack attacks can be carried out slowly, making them hard to detect.

They’re frequently carried out after typical business hours — often, in the middle of the night. Defenses are often weaker at night — with less physical security and less intrusion monitoring — when the typical network administrator (or security guard) is sleeping.

If you want detailed information on how some hackers work or want to keep up with the latest hacker methods, several magazines are worth checking out:

2600 — The Hacker Quarterly magazine (www.2600.com). I’ve found gobs of great information in 2600.

PHRACK (www.phrack.org).

Computer Underground Digest (www.soci.niu.edu/~cudigest).

Also, check out Lance Spitzner’s Web site www.tracking-hackers.com for some great information on using honeypots to track hacker behavior.

Hackers learn from their hacking mistakes. Every mistake moves them one step closer to breaking into someone’s system. They use this wisdom when carrying out future attacks.

Maintaining Anonymity

Smart hackers want to be as low-key as possible. Covering their tracks is a priority. In fact, success often depends on it. They don’t want to raise suspicion so they can come back and access the systems in the future. Hackers often remain anonymous by using one of the following techniques:

Borrowed or stolen dial-up accounts from friends or previous employers

Public computers at libraries, schools, or kiosks at the local mall

Internet proxy servers or anonymizer services

Anonymous or disposable e-mail accounts from free e-mail services

Open e-mail relays

Unsecured computers — also called zombies — at other organizations

Workstations or servers on the victim’s own network

If hackers use enough steppingstones for their attacks, they are hard to trace.




Chapter 3

Developing Your Ethical Hacking Plan

In This Chapter

Setting ethical hacking goals

Selecting which systems to test

Developing your ethical hacking testing standards

Examining hacking tools

As an ethical hacker, you must plan your ethical hacking efforts before you start. A detailed plan doesn’t mean that your testing must be elaborate. It just means that you’re very clear and concise on what’s done. Given the seriousness of ethical hacking, make this as structured a process as possible.

Even if you’re just testing a single Web application or workgroup of computers, it’s critical to establish your goals, define and document the scope of what you’ll be testing, determine your testing standards, and gather and familiarize yourself with the proper tools for the task. This chapter covers these steps to help you create a positive ethical hacking environment so you can set yourself up for success.

Getting Your Plan Approved

Getting approval for ethical hacking is critical. First, obtain project sponsorship. This approval can come from your manager, an executive, a customer, or yourself (if you’re the boss). Otherwise, your testing may be canceled suddenly, or someone can deny authorizing the tests. There can even be legal consequences for unauthorized hacking. Always make sure that what you’re doing is known and visible — at least to the decision-makers. Chapter 20 outlines ten tips for getting upper management’s buy-in on your security initiatives.



If you’re an independent consultant or have a business with a team of ethical hackers, consider getting professional liability (also known as errors and omissions) insurance from an agent who specializes in business insurance coverage. This kind of insurance can be expensive, but it can be well worth it.

The authorization can be as simple as an internal memo from upper management if you’re performing these tests on your own systems. If you’re performing testing for a customer, you must have a signed contract in place, stating the customer’s support and authorization. Get written approval as soon as possible to ensure that your time and efforts are not wasted. This documentation is your security if anyone questions what you’re doing.

Establishing Your Goals

Your ethical hacking plan needs goals. The main goal of ethical hacking is to find vulnerabilities in your systems so you can make them more secure. You can then take this a step further:

Define more specific goals. Align these goals with your business objectives.

Create a specific schedule with start and end dates. These dates are critical components of your overall plan.

Before you begin any ethical hacking, you absolutely, positively need everything in writing and signed off on.

Document everything, and involve upper management in this process. Your best ally in your ethical hacking efforts is a manager who supports what you’re doing.

The following questions can start the ball rolling:

Does ethical hacking support the mission of the business and its IT and security departments?

What business goals are met by performing ethical hacking?

These goals may include the following:

• Prepping for the internationally accepted security framework of ISO 17799 or a security seal such as SysTrust or WebTrust

• Meeting federal regulations

• Improving the company’s image

How will ethical hacking improve security, IT, and the general business?

What information are you protecting?




This could be intellectual property, confidential customer information, or private employee information.

How much money, time, and effort are you and your organization willing to spend on ethical hacking?

What specific deliverables will there be?

Deliverables can include anything from high-level executive reports to detailed technical reports and write-ups on what you tested along with the outcomes of your tests. You can deliver specific information that is gleaned during your testing, such as passwords and other confidential information.

What specific outcomes do you want?

Desired outcomes include the justification for hiring or outsourcing security personnel, increasing your security budget, or enhancing security systems.

People within your organization may attempt to keep you from performing your ethical hacking plans. The best antidote is education. Show how ethical hacking helps support the business in everyone’s favor.

After you know your goals, document the steps to get there. For example, if one goal is to develop a competitive advantage to keep existing customers and attract new ones, determine the answers to these questions:

When will you start your ethical hacking?

Will your ethical hacking be blind, in which you know nothing about the systems you’re testing, or a knowledge-based attack, in which you’re given specific information about the systems you’re testing such as IP addresses, hostnames, and even usernames and passwords?

Will this testing be technical in nature or involve physical security assessments or even social engineering?

Will you be part of a larger ethical hacking team, often called a tiger team or red team?

Will you notify your customers of what you’re doing? If so, how?

Customer notification is a critical issue. Many customers appreciate that you’re taking steps to protect their information. Approach the testing in a positive way. Don’t say, “We’re breaking into our systems to see what information of yours is vulnerable to hackers.” Instead, you can say that you’re assessing the overall security of your systems so the information is as secure as possible from the bad guys.

How will you notify customers that the organization is taking steps to enhance the security of their information?

What measurements can ensure that these efforts are paying off?


Establishing your goals takes time, but you won’t regret it. These goals are your road map. If you have any concerns, refer to these goals to make sure that you stay on track.

Determining What Systems to Hack

You probably don’t want — or need — to assess the security of all your systems at the same time. This could be quite an undertaking and could lead to problems. I’m not saying you shouldn’t eventually assess every computer and application you have. I’m just suggesting that whenever possible, you should break your ethical hacking projects into smaller chunks to make them more manageable. You may decide which systems to test based on a high-level risk analysis, answering questions such as:

What are your most critical systems? Which systems, if hacked, would cause the most trouble or the greatest losses?

Which systems appear to be most vulnerable to attack?

Which systems are not documented, are rarely administered, or are the ones you know the least about?

After you’ve established your overall goals, decide which systems to test.

This step helps you carefully define a scope for your ethical hacking so that you not only establish everyone’s expectations up front, but also better estimate the time and resources for the job.

The following list includes systems and applications that you may consider performing your hacking tests on:

Routers

Firewalls

Network infrastructure as a whole

Wireless access points and bridges

Web, application, and database servers

E-mail and file/print servers

Workstations, laptops, and tablet PCs

Mobile devices (such as PDAs and cell phones) that store confidential information

Client and server operating systems

Client and server applications, such as e-mail or other in-house systems



What specific systems you should test depends on several factors. If you have a small network, you can test everything from the get-go. You may consider testing just public-facing hosts such as e-mail and Web servers and their associated applications. The ethical hacking process is flexible. Base these decisions on what makes the most business sense.

Start with the most vulnerable systems, and consider the following factors:

Where the computer or application resides on the network

Which operating system and application(s) it runs

The amount or type of critical information stored on it

If you’re hacking your own systems or a customer’s systems, a previous security-risk assessment or vulnerability test may already have generated this information. If so, that documentation may help identify systems for more testing.

Ethical hacking goes a few steps beyond the higher-level information risk assessments and vulnerability testing. As an ethical hacker, you first glean information on all systems — including the organization as a whole — and then further assess the systems that appear most vulnerable. I discuss the ethical hacking methodology in more detail in Chapter 4.

Another factor to help you decide where to start is to assess the systems that have the greatest visibility. For example, focusing on a database or file server that stores customer or other critical information may make more sense — at least initially — than concentrating on a firewall or Web server that hosts marketing information about the company.

Creating Testing Standards

One miscommunication or slip-up can send your systems crashing during your ethical hacking tests. No one wants that to happen. To prevent mishaps, develop and document testing standards. These standards should include

When the tests are performed, along with the overall timeline

What tests are performed

How the tests are performed, and from where

How much knowledge of the systems you acquire in advance

What you do when a major vulnerability is discovered

This is a list of general best practices. You can apply more standards for your situation.


Timing

You know what they say: it’s “all in the timing.” This is especially true when performing ethical hacking tests. Make sure that the tests you’re performing minimize disruption to business processes, information systems, and people.

You want to avoid situations like miscommunicating the timing of tests and causing a DoS attack against a high-traffic e-commerce site in the middle of the day, or forcing yourself or others to perform password-cracking tests in the middle of the night. It’s amazing what a 12-hour time difference can make!

Everyone in the project should agree on a detailed timeline before you begin. This puts everyone on the same page and sets correct expectations.

Notify any Internet Service Providers (ISPs) or Application Service Providers (ASPs) involved before performing any tests across the Internet. This way, ISPs and ASPs will be aware of the testing going on, which will minimize the chance that they will block your traffic if they suspect malicious behavior that shows up on their firewalls or Intrusion Detection Systems (IDSs).

The timeline should include specific short-term dates and times of each test, the start and end dates, and any specific milestones in between. You can develop and enter your timeline into a simple spreadsheet or Gantt chart, or you can include the timeline as part of your initial customer proposal and contract. For example, you could use a timeline similar to the following:

Test Performed       Tester         Start Time           Projected End Time
War dial             Tommy Tinker   July 1, 6:00 a.m.    July 1, 10:00 a.m.
Password cracking    Amy Trusty     July 2, 12:00 p.m.   July 2, 5:00 p.m.

This timeline will keep things simple and provide a reference during testing.

Specific tests

You may have been charged with performing a general penetration test, or you may want to perform specific tests, such as cracking passwords or war-dialing into a network. Or you might be performing a social-engineering test or assessing the Windows operating systems on the network. However you’re testing, you may want to conceal the specifics of the testing to keep what you’re doing covert or to protect your methodologies. In fact, your manager or customer may not want the details. Either way, document and make known at a high level what you’re doing. This can help eliminate any potential miscommunication and keep you out of hot water.

A good way to provide evidence of what was tested, when it was tested, and more is to enable logging on the systems you’re testing.




Sometimes, you may know the general tests that you’re performing, but if you’re using automated tools, it may be next to impossible to understand completely every test you’re performing. This is especially true if the software you’re using receives real-time vulnerability-testing updates from the vendor every time you run it. The potential for frequent updates underscores the importance of reading the documentation and readme files that come with the tools you’re using.

I have experienced surprising vulnerability updates in the past. I was performing an automated assessment on a customer’s Web site — the same test I had just performed the previous week. The customer and I had scheduled the test date and time in advance. What I didn’t know is that the software vendor made some changes to its Web form submission tests, and I flooded the customer’s Web application, creating a DoS condition.

Luckily, this DoS condition occurred after business hours and didn’t affect the customer’s operations. However, the customer’s Web application was coded to generate an alert e-mail for every form submission. The application developer and company’s president received 4,000 e-mails in their inboxes within about 10 minutes — ouch! I was lucky that the president was tech-savvy and understood the situation. It’s important to have a contingency plan in case a situation like this occurs.

Blind versus knowledge assessments

It may be good to have some knowledge of the systems you’re testing, but it’s not required. However, a basic understanding of the systems you’re hacking can protect you and others. Obtaining this knowledge shouldn’t be difficult if you’re hacking your own in-house systems. If you’re hacking a customer’s systems, you may have to dig a little deeper into how the systems work so you know what’s what. That’s how I’ve always done it. In fact, I’ve never had a customer ask for a fully blind assessment. Most people are scared of these assessments. This doesn’t mean that blind assessments aren’t valuable. The type of assessment you carry out depends on your specific needs.

The best approach is to plan on unlimited attacks, wherein any test is possible. The bad guys aren’t hacking your systems within a limited scope, so why should you?

Consider whether the tests should be undetected. This isn’t required but should be considered, especially for social-engineering and physical security tests. I outline specific tests for those subjects in Chapter 5 and Chapter 6.

A false sense of vigilance can be created if too many insiders know about your testing, which can end up negating the hard work you’re putting into this. This doesn’t mean you shouldn’t tell anyone. Always have a main point of contact within the organization — preferably someone with decision-making authority — that both you and all employees can contact if and when something goes wrong.


Location

The tests you’re performing dictate where you must run them from. Your goal is to hack your systems from locations where malicious hackers can access the systems. You can’t predict whether you’ll be attacked by a hacker from outside or inside your network, so cover all your bases. Combine external (public Internet) tests and internal (private network) tests.

You can perform some tests, such as password cracking and network-infrastructure assessments, from the comfort of your office — inside the network. But it may be better to have a true outsider perform other tests on routers, firewalls, and public Web applications.

For your external hacks that require network connectivity, you may have to go off-site (a good excuse to work from home) or use an external proxy server. Better yet, if you can assign an available public IP address to your computer, plug into the network on the outside of the firewall for a hacker’s-eye view of your systems. Internal tests are easy because you need only physical access to the building and the network.

Reacting to major exploits that you find

Determine ahead of time whether you’ll stop or keep going when you find a critical security hole. Your manager or your customer may not ask you to, but I think it’s best to keep going to see what else you can discover. I’m not saying to keep hacking until the end of time or until you crash all your systems. Simply pursue the path you’re going down until you can’t hack it any longer (pun intended).

Silly assumptions

You’ve heard what you make of yourself when you assume things. Even so, you must make assumptions when you hack your systems. Here are some examples of those assumptions:

Computers, networks, and people are available when you’re testing.

You have all the proper hacking tools.

The hacking tools you’re using won’t crash your systems.

Your hacking tools actually work.

You know all the risks of your tests.

You should document all assumptions and have management or your customer sign off on them as part of your overall approval process.




Selecting Tools

The required security-assessment tools (hacking tools) depend on the tests you’re running. You can perform some ethical hacking tests with a pair of sneakers, a telephone, and a basic workstation on the network. However, comprehensive testing is easier with hacking tools.

Not only do you need an arsenal of tools, but you should also use the right tool for the task:

If you’re cracking passwords, a general port scanner such as SuperScan or Nmap may not do the trick. For this task, you need a tool such as LC4, John the Ripper, or pwdump.

If you’re attempting an in-depth analysis of a Web application, a Web-application assessment tool (such as Nikto or WebInspect) is more appropriate than a network analyzer such as Ethereal.

If you’re not sure what tools to use, fear not. Throughout this book, I introduce a wide variety of tools — both free and commercial — that you can use to accomplish your tasks.

You can choose among hundreds, if not thousands, of tools for ethical hacking — everything from your own words and actions to software-based vulnerability-assessment programs to hardware-based network analyzers.

Here’s a rundown of some of my favorite commercial, freeware, and open-source security tools:

@stake L0phtcrack (now called LC4)

Ethereal

Foundstone SuperScan

Qualys QualysGuard

GFI LANguard Network Security Scanner

John the Ripper

Network Stumbler

Nessus

Nikto

Nmap

Pwdump2

SPI Dynamics WebInspect

THC-RUT

ToneLoc

Wellenreiter

WildPackets EtherPeek and AiroPeek

I discuss these tools, including details on how to use many of them, in Parts II through V when I cover specific hack attacks. Appendix A contains a more comprehensive listing of these tools for your reference.

The capabilities of many security and hacking tools are often misunderstood. This misunderstanding has shed negative light on some excellent tools, such as SATAN (Security Administrator Tool for Analyzing Networks) and Nmap (Network Mapper). It’s important to know what each tool can and can’t do and how to use each one. I suggest reading the manual and other help files.

Unfortunately, some tools have limited documentation, which can be pretty frustrating when you’re trying to use those tools. You can search newsgroups and message boards and post a message if you’re having trouble with a tool.

Hacking tools can be hazardous to your network’s health. Be careful when using them. Always make sure that you understand what every option does before you use it. Try your tools on test systems if you’re not sure how to use them. These precautions help prevent DoS conditions and loss of data integrity and availability on your production systems.

Look for these characteristics in the tools you select for ethical hacking:

Adequate documentation.

Detailed reports on the vulnerabilities, including how they may be exploited and fixed.

Updates and support when needed.

High-level reports that can be presented to managers or other nontechie types. These reports can save you time and effort when you’re writing the report. I cover the reporting process in Chapter 17.

Know the limitations of your tools and of yourself. Many security-assessment tools generate false positives — alerting to a vulnerability when it doesn’t really exist. Some even generate false negatives, which means they miss the vulnerabilities altogether. Likewise, if you’re performing social-engineering tests or physical-security assessments, it’s only human to miss specific vulnerabilities.

You may despise some “popular” freeware and open-source hacking tools. If these tools end up causing you more headaches than they’re worth or don’t do what you need them to do, consider purchasing commercial alternatives. They’re often easier to use and typically generate better reports faster — especially high-level executive reports. Some commercial tools are quite expensive, but their ease of use and functionality may justify the cost.




Chapter 4

Hacking Methodology

In This Chapter

Examining steps for successful ethical hacking

Gleaning information about your organization from the Internet

Scanning your network

Looking for vulnerabilities

Before you start testing your systems, plan a basic methodology. Ethical hacking involves more than just penetrating and patching. Proven techniques can help guide you along the hacking highway and ensure that you end up at the right destination. Planning a methodology that supports your ethical hacking goals is what separates the professionals from the amateurs.

Setting the Stage

In the past, ethical hacking was mostly a manual process. Now, tools can automate various tasks. These tools allow you to focus on performing the tests instead of on your testing methods. However, it’s important to follow a general methodology and understand what’s going on behind the scenes.

Ethical hacking is similar to beta testing software. Think logically — like a programmer — dissecting and interacting with all the network components to see how they work. You gather information — often small pieces — and assemble the pieces of the puzzle. You start at point A with several goals in mind, hack (repeating many steps along the way), and move closer until you discover security vulnerabilities at point B.

The process that ethical hacking is built around is basically the same as what a malicious hacker would use. The goals and how you achieve them are different. In addition, as an ethical hacker, you will eventually attempt to assess all information-security vulnerabilities and properly address them, rather than run a single exploit. Today’s attacks can come from any angle against any system, not just from the perimeter of your network and the Internet.

Test every possible entry point, including partner, vendor, and customer networks, as well as home users, wireless LANs, and modems.



When you start rolling with your ethical hacking, keep detailed logs of every test you perform, every system you test, and your results. This information can help you do the following:

Track what worked in previous tests and why.

Help prove that you didn’t maliciously hack the systems.

Correlate your testing with intrusion-detection systems and other log files if questions arise.

In addition to taking general notes, it’s also helpful to take screen captures of your results whenever possible. These will come in handy later if you need to show proof of what occurred, as well as when you’re generating your final report. Chapter 1 lists the general steps of ethical hacking.
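To make the log-correlation point concrete, here is an added Python example (mine, not from the book): it reads a tester’s activity log and a set of IDS alerts, both constructed samples in assumed formats (a tab-separated test log and simplified Snort-style alert lines), and reports which alerts your own testing explains and which ones still need a real investigation.

```python
"""Match an ethical-hacking activity log against IDS alerts.

Added example for this chapter, not from the book. The tester log format
(tab-separated: start time, source host, target host, what was done) and the
simplified Snort-style alert lines are assumptions; every line below is a
constructed sample.
"""
import re
from datetime import datetime, timedelta

# Constructed tester log: one line per test, written as the test started.
TEST_LOG = """\
2004-03-02 09:00:00\t10.1.1.50\t10.1.1.20\tping sweep of 10.1.1.0/24
2004-03-02 09:05:00\t10.1.1.50\t10.1.1.20\tnmap SYN scan, ports 1-1024
2004-03-02 09:30:00\t10.1.1.50\t10.1.1.25\tbanner grab on tcp/25
"""

# Constructed IDS alerts (signature ids and names are sample values). The last
# one comes from an address that was never part of the test, so it must not be
# written off as tester activity.
IDS_ALERTS = """\
03/02-09:05:12.000000 [**] [1:469:3] ICMP PING NMAP [**] {ICMP} 10.1.1.50 -> 10.1.1.20
03/02-09:06:40.000000 [**] [1:1421:11] SNMP AgentX/tcp request [**] {TCP} 10.1.1.50:43012 -> 10.1.1.20:705
03/02-09:31:05.000000 [**] [1:2001:4] SMTP banner probe [**] {TCP} 10.1.1.50:43100 -> 10.1.1.25:25
03/02-13:15:00.000000 [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] {TCP} 192.0.2.77:51000 -> 10.1.1.30:80
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+.*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def parse_test_log(text, fmt="%Y-%m-%d %H:%M:%S"):
    """Tester log -> list of {start, src, dst, what}."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, src, dst, what = line.split("\t", 3)
        entries.append({"start": datetime.strptime(when, fmt), "src": src, "dst": dst, "what": what})
    return entries


def _strip_port(addr):
    # IPv4 only: "10.1.1.50:43012" -> "10.1.1.50" (assumption: no IPv6 in these logs)
    return addr.rsplit(":", 1)[0] if ":" in addr else addr


def parse_ids_alerts(text, year):
    """Alert lines -> list of {time, proto, src, dst, raw}; the fast format has no year."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # not an alert line in the expected shape
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
        alerts.append({"time": ts, "proto": m["proto"], "src": _strip_port(m["src"]),
                       "dst": _strip_port(m["dst"]), "raw": line.strip()})
    return alerts


def correlate(test_log, ids_alerts, year=2004, window_minutes=30):
    """An alert is explained by the most recent test with the same source and
    target that started no more than window_minutes before the alert."""
    tests = parse_test_log(test_log)
    window = timedelta(minutes=window_minutes)
    results = []
    for alert in parse_ids_alerts(ids_alerts, year):
        candidates = [t for t in tests
                      if t["src"] == alert["src"] and t["dst"] == alert["dst"]
                      and t["start"] <= alert["time"] <= t["start"] + window]
        best = max(candidates, key=lambda t: t["start"]) if candidates else None
        results.append({"alert": alert["raw"], "explained_by": best["what"] if best else None})
    return results


def unexplained(results):
    """Alerts no test accounts for: these are the ones to investigate."""
    return [r for r in results if r["explained_by"] is None]


if __name__ == "__main__":
    for r in correlate(TEST_LOG, IDS_ALERTS):
        tag = "tester" if r["explained_by"] else "INVESTIGATE"
        print(f"[{tag:<11}] {r['alert']}")
```

The 30-minute window and the source/target matching are deliberately strict: an alert that your log cannot account for should stay on the unexplained list rather than being assumed to be yours, which is exactly the question the IDS team will ask you later.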

These steps don’t include specific information on the low-tech hacking methods that you will use for social engineering and assessing physical security, but the techniques are basically the same. I cover these methods in more detail in Chapters 5 and 6.

Your main task is to simulate information-gathering and system compromises carried out by a hacker. This can be either a partial attack on one computer or a comprehensive attack against the entire organization. Generally, you’re looking for what both inside and outside hackers see. You want to assess internal systems (processes and procedures that involve computers, networks, people, and physical infrastructures). Look for vulnerabilities; check how all your systems interconnect and how private systems and information are protected from untrusted elements.

If you’re performing ethical hacking for a customer, you may go the blind-assessment route and start with just the company name and no other information that gives you a leg up, such as:

IP addresses

Host names

Software versions

Firewall rules

Phone numbers

Employee names

This blind-assessment approach allows you to start from ground zero and gives you a better sense of what information hackers can access publicly.

As an ethical hacker, you may not have to worry about covering your tracks or evading intrusion-detection systems, because everything you’re doing is legitimate. But then again, one of your goals may be to test systems in a stealthy fashion. I discuss techniques that hackers use to conceal their actions in later chapters and outline some countermeasures for them as well. I don’t discuss covering your tracks in the overall ethical hacking methodology.

Seeing What Others See

Your reconnaissance mission can turn up a ton of information about your organization and systems that the whole world can see. This process is often called footprinting. Here’s how to gather the information:

Start by using a Web browser to search the Web for information about your organization.

With the resources available on the Internet, you can gather information until the end of time. Unless you’re really bored or trying to take advantage of AOL’s introductory offer to stay online for free for 23 hours a day, I don’t recommend it!

Discover more-specific information about your systems from a hacker’s viewpoint. You can determine this information by running network scans, probing ports, and assessing vulnerability.

Whether you’re searching generally or probing more technically, you ultimately should limit the amount of information you gather based on what’s reasonable for you. You may spend an hour, a day, or a week gathering this information — it all just depends on how large your organization is and the complexity of your information systems.

Gathering public information

The amount of information you can passively gather usually is staggering. This information is all over the Internet. It’s your job to find out what everyone knows about you. This information positions hackers to target specific areas, including departments and individuals.

Web search

Performing a Web search or simply browsing your Web site can turn up the following information:

Employee names and contact info

Important company dates

Incorporation filings for private companies

SEC filings for public companies

Press releases on moves, organizational changes, and new products

Mergers and acquisitions

Patents and trademarks

Presentations, articles, and Webcasts

My favorite tool — the favorite of many hackers — is Google (www.google.com). It ferrets out information — from word-processing documents to graphics files — on any publicly accessible computer. It’s free, too! There are entire books on using Google. Appendix A lists my favorite resources. With Google, you can search the Internet several ways:

By typing keywords: This often reveals dozens and sometimes hundreds of pages of information — such as files, phone numbers, and addresses — that you never guessed were available.

By performing more advanced Web searches: Google’s advanced search options can find sites that link back to your company’s Web site. This type of search often reveals a lot of information about partners, vendors, clients, and other affiliations.

By using switches to dig deeper into a Web site: For example, if you want to find a certain word or file on your Web site, simply enter a line like one of the following into Google:

site:www.your_domain.com keyword

site:www.your_domain.com filename

Web crawling

Web-crawling utilities such as BlackWidow can mirror your Web site by downloading every publicly accessible file from it. You can then inspect

The Web site layout and configuration offline.

The HTML source code of Web pages.

Comment fields. These fields contain such information as names and e-mail addresses of the developers and internal IT personnel, server names, software versions, and internal addressing schemes.

Web sites

These Web sites may provide specific information about your organization:

Government and business Web sites:

• www.hoovers.com and finance.yahoo.com for detailed information about public companies

• www.sec.gov/edgar.shtml for SEC filings on public companies

• www.uspto.gov for patent and trademark registrations

• The Web site for your state’s Secretary of State or similar organization for incorporation and corporate officer information

Background checks through companies such as ChoicePoint (www.choicepoint.com) and USSearch (www.ussearch.com)

Mapping the network

When you’re mapping out your network, you can search public databases and resources to see what the hackers know about you.

Whois

The best starting point is to perform a Whois lookup by using any one of the Whois tools available on the Internet. Whois is the tool you’ve most likely used to check whether a particular Internet domain name is available.

For ethical hacking, Whois provides information that can give a hacker a leg up to start a social-engineering attack or to scan your network:

Internet domain-name information, such as contact names and addresses

DNS servers responsible for your domain

You can look up Whois information at one of the following places:

A domain registrar’s site, such as www.networksolutions.com or www.registerfly.com.

An ISP’s tech-support page.

My favorite Whois tool is Sam Spade (www.samspade.org). You can use its Web site or download its Windows-based tool, shown in Figure 4-1.

You can run DNS queries directly from the site or download the site’s Windows-based tool and run it from your PC. Sam Spade can

Display general domain-registration information

Show which host handles e-mail (the Mail Exchanger or MX record) for a domain

Determine whether the host is listed on some spam blacklists

The following list runs down various lookup sites for other categories:

Government: whois.nic.gov

Military: whois.nic.mil

AfriNIC: www.afrinic.org (emerging Regional Internet Registry for Africa)

APNIC: www.apnic.net/search/index.html (Regional Internet Registry for the Asia Pacific Region)

ARIN: www.arin.net/whois/index.html (Regional Internet Registry for North America, a portion of the Caribbean, and subequatorial Africa)

LACNIC: www.lacnic.net (Latin American and Caribbean Internet Addresses Registry)

RIPE Network Coordination Centre: www.ripe.net/db/whois/whois.html (Europe, Central Asia, African countries north of the equator, and the Middle East)

Alldomains.com offers a reverse Whois service called D-Tective. This paid service finds specific Internet domains for a domain name, a phone number, or an address.

Figure 4-1: The Sam Spade graphical interface.



Google groups

The Google Groups at groups.google.com can reveal surprising public network information. Search for such information as your hostnames, IP addresses, and usernames. You can search hundreds of millions of Usenet posts back to 1981 for public and often very private information.

You might find some information such as the following that you didn’t realize was being made public:

A tech-support or similar message that divulges too much information about your systems. Many people who post messages to Usenet don’t realize that their messages are shared with the world.

Disgruntled employees or customers who have posted confidential information about your company.

A few years ago, I was helping some folks at an Internet startup company select a telephone service vendor. I searched Google Groups for a vendor they were interested in and turned up some interesting information about the telephone service’s network. Apparently, its network administrator had posted some messages to a tech-support site that revealed his full name and e-mail address, specific server names, IP addresses, and network configuration information of its internal systems. My customer used another vendor.

If you discover that confidential information is posted about your company, you may be able to get it removed. Check out the Google Groups help page at groups.google.com/googlegroups/help.html for details.

Privacy policies

Check your Web site’s privacy policy. A good practice is to disclose basic information about how user information is protected.

Make sure that the people writing privacy policies don’t divulge details about your information-security infrastructure. An Internet startup businessman once contacted me about business opportunities. During the conversation, he was bragging about his company’s security systems to ensure the privacy of client information. I went to his Web site to check out his privacy policy. He had posted the brand and model of firewall he was using. Not a good idea!

Scanning Systems

Active information gathering produces more details about your network and helps you see your systems from a hacker’s perspective. For instance, you can

Use the information provided by your Whois lookups and start testing other closely related IP addresses and host names. When you map out — enumerate — your network, you see how your systems are laid out. This includes determining IP addresses, host names (both external and internal), running protocols, open ports, and running services and applications.

Scan your internal hosts — if they are within the scope of your testing. These hosts may not be visible to outsiders, but you should test them. The hacker may be on the inside!

If you’re not completely comfortable scanning your systems, consider first using a lab with test systems or a system running virtual-machine software such as VMware Workstation or Microsoft’s Virtual PC. Some hacking tools may not work as designed when you run them on virtual-machine software. If you have trouble getting the software to load or hosts to respond, you may have to run your tests against physically separate computers.

Hosts

Scan and document specific hosts that are reachable from the Internet. Start by pinging either specific host names or IP addresses with one of these:

The basic ping utility that’s built into your operating system

A third-party utility that allows you to ping multiple addresses at the same time, such as SuperScan (www.foundstone.com) and NetScanTools Pro (www.netscantools.com) for Windows and fping for UNIX (which allows you to ping more than one address)

The site www.whatismyip.com shows how your gateway IP address appears on the Internet. Just browse to that site. Your outermost public IP address (your firewall or router — preferably not your local computer) appears.

Modems and open ports

Scan for modems and open ports by using network-scanning tools:

Check for unsecured modems with war-dialing software, such as ToneLoc, PhoneSweep, and THC-Scan. I cover war dialing in Chapter 8.

Scan network ports with SuperScan or Nmap (www.insecure.org/nmap). You can use a happy-clicky-GUI version made for Windows called NMapWin, shown in Figure 4-2. See Chapter 9 for details.

Listen to network traffic with a network analyzer such as Ethereal. I cover this topic in various chapters throughout the book.



Scanning internally is easy. Simply connect your PC to the network, load up the software, and fire away. Scanning from outside your network takes a few more steps, but it can be done:

For war dialing, scanning shouldn’t be an issue. You can just use one of your internal analog lines to dial out from.

Pinging and scanning is more complicated. The easiest way to connect and get an “outside-in” perspective is to assign yourself a public IP address and plug your workstation into a switch or hub on the public side of your firewall or router. Physically, you’re not on the Internet looking in, but this type of connection works just the same.

Determining What’s Running on Open Ports

As an ethical hacker, you should glean as much information as possible after scanning your systems. You can often identify the following information:

Protocols in use, such as IP, IPX, and NetBEUI

Services running on the hosts, such as e-mail and database applications

Figure 4-2: The NMapWin graphical interface.

Available remote-access services, such as Windows Terminal Services and Secure Shell (SSH)

VPN services, such as PPTP, SSL, and IPSec

Required authentication for network shares

You can look for the following open ports (your network scanning program reports these as open):

Ping (ICMP echo) replies; ICMP traffic is allowed to and from the host

TCP port 20 and/or 21, showing that FTP is running

TCP port 23, showing that telnet is running

TCP ports 25 or 465 (SMTP), 110 or 995 (POP3), or 143 or 993 (IMAP), showing that an e-mail server is running

TCP/UDP port 53, showing that a DNS server is running

TCP ports 80 and 443, showing that a Web server is running

TCP/UDP ports 137, 138, and 139, showing that an unprotected Windows host is running

Thousands of ports can be open — 65,535, to be exact. I cover many popular port numbers when describing hacks throughout this book. A listing of all well-known port numbers (ports 1–1023) and registered port numbers (ports 1024–49151), with their associated protocols and services, is located at www.iana.org/assignments/port-numbers. You can also perform a port-number lookup at www.cotse.com/cgi-bin/port.cgi.
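The following Python script is an added example, not from the book or from any tool it names. It shows what a scanner such as Nmap is doing when it reports a port as open: it runs a TCP connect() scan and banner grab against two throwaway listeners it starts itself on 127.0.0.1 (so it needs no network), reports each open port with the service name from the list above, and flags a banner that discloses a version number. The listener’s SMTP banner is a constructed sample.

```python
"""Connect scan plus banner grab, run against throwaway listeners on 127.0.0.1.

Added example, not from the book or from any of the tools it names. It starts
its own local TCP listeners so it runs offline, scans them the way a connect()
scanner does, and flags a banner that gives away version details. The
port-to-service names repeat the chapter's list; the banner text is constructed.
"""
import re
import socket
import threading

# Well-known ports from the chapter's list of what a scanner reports as open.
KNOWN_SERVICES = {21: "ftp", 23: "telnet", 25: "smtp", 53: "dns", 80: "http",
                  110: "pop3", 139: "netbios-ssn", 143: "imap", 443: "https"}

# Crude version detector: a dotted number such as 8.12.10 inside a banner.
VERSION_RE = re.compile(r"\b\d+(?:\.\d+){1,3}\b")


def start_listener(banner=None):
    """Listen on an OS-assigned loopback port. If a banner is given, send it to
    every client on connect, as a chatty SMTP or FTP daemon would.
    Returns (port, server_socket); close the socket to stop serving."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # server socket was closed
            with conn:
                if banner:
                    conn.sendall(banner.encode())

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def connect_scan(host, ports, timeout=0.5):
    """Full TCP connect() scan. Returns {port: banner or None} for every port
    that accepted the connection; refused or silent ports are left out."""
    results = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.settimeout(timeout)
                try:
                    data = s.recv(1024)
                except socket.timeout:
                    data = b""  # open, but the service waits for us to speak first
            results[port] = data.decode(errors="replace").strip() or None
        except OSError:
            continue  # connection refused or timed out: closed or filtered
    return results


def leaks_version(banner):
    """True when the banner contains something that looks like a version number."""
    return bool(banner and VERSION_RE.search(banner))


def scan_report(host, ports, timeout=0.5):
    """Scan and annotate each open port with its likely service and whether its
    banner leaks a version string."""
    return [
        {"port": port, "service": KNOWN_SERVICES.get(port, "unknown"),
         "banner": banner, "version_leak": leaks_version(banner)}
        for port, banner in sorted(connect_scan(host, ports, timeout).items())
    ]


def demo():
    """Two local listeners (one chatty, one silent) plus one closed port."""
    chatty_port, chatty = start_listener("220 mail.example.test ESMTP Sendmail 8.12.10 ready\r\n")
    silent_port, silent = start_listener()
    probe = socket.socket()  # bind and release to find a port that is surely closed
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        return scan_report("127.0.0.1", [chatty_port, silent_port, closed_port])
    finally:
        chatty.close()
        silent.close()


if __name__ == "__main__":
    for row in demo():
        flag = "VERSION LEAK" if row["version_leak"] else "ok"
        print(f"tcp/{row['port']:<5} {row['service']:<12} {flag:<12} {row['banner'] or '(no banner)'}")
```

Run it as is and the closed port simply never appears in the report, the silent listener shows up as open with no banner, and the chatty one is flagged because its greeting names a version. Pointing it at your own mail or FTP host instead of the local listeners is the quickest way to see whether your servers volunteer the same thing.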

If you detect a Web server running on the system you’re testing, you can check the software version by using one of the following methods:

Type the site’s name, followed by a page that you know doesn’t exist, such as www.your_domain.com/1234.html. Many Web servers return an error page showing detailed version information.

Use Netcraft’s Web server-search utility (www.netcraft.com), which connects to your server from the Internet and displays the Web-server version and operating system, as shown in Figure 4-3.

You can dig deeper for more specific information on your hosts. This reveals what software version is running on the systems and more:

NMapWin can determine the system OS version; refer to Figure 4-2.

An enumeration utility (such as DumpSec) can extract users, groups, and file and share permissions directly from Windows.

Many systems return useful banner information when you connect to a service or application running on a port. For example, if you telnet to an e-mail server on port 25 by entering telnet mail.your_domain.com 25 at a command prompt, you may see something like this:

220 mail.your_domain.com ESMTP all_the_version_info_you’ll_ever_need Ready

Most e-mail servers return detailed information, such as the version and the current service pack installed. After you have this information, you (and hackers) can determine what vulnerabilities are present on the system from some of the Web sites listed in the next section.

An e-mail to an invalid address may return with detailed e-mail header information. A bounced message often discloses lots of information that can be used against you, including internal IP addresses and software versions. On certain Windows systems, you can map drives and establish other types of network connections. I cover these issues in Chapter 11.
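Here is an added Python example (not from the book) of reading a bounce the way the paragraph above describes: it walks the Received: headers of a constructed non-delivery report, pulls out RFC 1918 addresses and the host names attached to them, and lists the mail software each hop named. The bounce text, host names and version strings are all constructed samples; real bounces vary, and the header parsing handles only the usual "from ... by ... with ..." shape.

```python
"""What a bounced message gives away: internal addresses and server software.

Added example, not from the book. The non-delivery report below is a
constructed sample; real bounces vary a lot, and the Received: parsing here
handles only the common "from ... by ... with ..." shape.
"""
import email
import ipaddress
import re

# Constructed bounce as a user might forward it to the help desk. Reading the
# Received: chain bottom-up shows the message's path out of the company.
BOUNCE = """\
Return-Path: <>
Received: from mail.example.test (mail.example.test [198.51.100.10])
    by mx.partner.test (Postfix) with ESMTP id 4F2A1C3; Tue, 2 Mar 2004 10:15:02 -0500
Received: from exch01.corp.example.test ([10.20.30.40])
    by mail.example.test (8.12.10/8.12.10) with ESMTP id i22FE5qx012345; Tue, 2 Mar 2004 10:14:58 -0500
Received: from ws-finance-07.corp.example.test ([192.168.5.77])
    by exch01.corp.example.test with Microsoft SMTPSVC(6.0.3790.0); Tue, 2 Mar 2004 10:14:51 -0500
From: Mail Delivery System <MAILER-DAEMON@partner.test>
To: user@example.test
Subject: Undelivered Mail Returned to Sender

<nobody@partner.test>: user unknown
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
FROM_RE = re.compile(r"^from\s+(\S+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)(?:\s+\(([^)]+)\))?", re.I)
WITH_RE = re.compile(r"\bwith\s+(.+?)(?=\s+id\b|;|$)", re.I)


def received_hops(raw):
    """Each Received: header as one unfolded, whitespace-normalised string."""
    msg = email.message_from_string(raw)
    return [" ".join(str(v).split()) for v in msg.get_all("Received", [])]


def internal_ips(text):
    """IPv4 addresses in the text that fall inside RFC 1918 private space."""
    found = set()
    for candidate in IP_RE.findall(text):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            continue  # looked like an address but is not one (e.g. 999.1.1.1)
        if any(addr in net for net in RFC1918):
            found.add(candidate)
    return sorted(found)


def hop_details(hop):
    """Relaying host, the software it names and any private addresses in one hop."""
    m_from, m_by, m_with = FROM_RE.match(hop), BY_RE.search(hop), WITH_RE.search(hop)
    software = []
    if m_by and m_by.group(2):
        software.append(m_by.group(2))      # e.g. "Postfix" or a Sendmail version pair
    if m_with and m_with.group(1).upper() not in ("SMTP", "ESMTP"):
        software.append(m_with.group(1))    # e.g. "Microsoft SMTPSVC(6.0.3790.0)"
    return {
        "from_host": m_from.group(1) if m_from else None,
        "by_host": m_by.group(1) if m_by else None,
        "software": software,
        "internal_ips": internal_ips(hop),
    }


def analyze_bounce(raw):
    """Summarise what the bounce discloses about the sending organisation."""
    hops = [hop_details(h) for h in received_hops(raw)]
    return {
        "hops": hops,
        "internal_ips": sorted({ip for h in hops for ip in h["internal_ips"]}),
        "internal_hosts": sorted({h["from_host"] for h in hops if h["internal_ips"] and h["from_host"]}),
        "software": [s for h in hops for s in h["software"]],
    }


if __name__ == "__main__":
    report = analyze_bounce(BOUNCE)
    print("internal addresses:", ", ".join(report["internal_ips"]))
    print("internal hosts:    ", ", ".join(report["internal_hosts"]))
    print("software named:    ", ", ".join(report["software"]))
```

The fix on the defending side is at the outbound relay: strip or rewrite the internal Received: headers before mail leaves, so a bounce from a partner’s server shows only the public-facing host.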

Assessing Vulnerabilities

After finding potential security holes, test whether they are vulnerabilities. Before you test, perform some manual searching. You can research hacker message boards, Web sites, and vulnerability databases, such as these:

Common Vulnerabilities and Exposures (cve.mitre.org/cve)

CERT/CC Vulnerability Notes Database (www.kb.cert.org/vuls)

NIST ICAT Metabase (icat.nist.gov/icat.cfm)

These sites list practically every known vulnerability. If you can’t find a vulnerability documented on one of these sites, search the vendor’s site. You can find a list of commonly exploited vulnerabilities at www.sans.org/top20. This is the SANS Top 20 Internet Security Vulnerabilities consensus list, which is compiled and updated by information-security authorities.

Figure 4-3: Netcraft’s Web-server version utility.

If you’re not keen on researching your potential vulnerabilities and can jump right into testing, you have a couple of options:

Manual assessment: You can assess the potential vulnerabilities by connecting to the ports that are exposing the service or application and poking around. You should manually assess certain vulnerabilities (such as in Web applications). The vulnerability reports in the preceding databases often disclose how to do this — at least generally. If you have a lot of free time, performing these tests manually may be for you.

Automated assessment: If you’re like me, you’ll assess vulnerabilities automatically when you can. Manual assessments are a great way to learn, but people usually don’t have the time for most manual steps.

I love many of the available vulnerability-assessment tools. Some test for vulnerabilities on specific platforms (such as Windows and UNIX) and types of networks (either wired or wireless). They test for specific system vulnerabilities — some even focus on the SANS Top 20 list. Versions of these tools can map the business logic within an application; others can help software developers test for code flaws. The drawback to these tools is that they find only individual vulnerabilities, not correlating vulnerabilities. However, this is changing with the advent of event-correlation applications.

Many people love the Nessus tool (www.nessus.org). However, it’s not best for beginners or without a Linux or UNIX server.

One of my favorite ethical hacking weapons is a vulnerability-assessment tool called QualysGuard by Qualys (www.qualys.com). It’s both a port scanner and vulnerability-assessment tool. You don’t even need a computer to run it.

QualysGuard — which has its roots in Nessus — is an application service provider-based commercial tool. Just browse to the Qualys Web site, log in, and enter the IP address of the systems you want to test. You schedule the assessment; it runs, then generates excellent reports, such as these:

An executive report containing information like the partial screen capture of a QualysGuard report shown in Figure 4-4.

A technical report of detailed explanations of the vulnerabilities and specific countermeasures.

Like most good security tools, you pay for QualysGuard — it’s not the least expensive tool — but you get what you pay for. Some newer products offer similar technical capabilities while adding convenience.

Assessing vulnerabilities with a tool such as QualysGuard requires follow-up expertise. Study the reports to base your recommendations on the tested systems.

Penetrating the System

You can use identified critical security holes to do the following:

Gain further information about the host and its data.

Start or stop certain services or applications.

Access other systems.

Disable logging or other security controls.

Capture screen shots.

Install such hacker tools as rootkits (hacker programs that masquerade as legitimate OS programs) and network analyzers for later backdoor entry.

Capture keystrokes.

Send an e-mail as the administrator.

Perform a buffer-overflow attack.

Launch another type of DoS attack.

Upload a file proving your victory.

Figure 4-4: A sample QualysGuard vulnerability-assessment report.

You can exploit the vulnerabilities on your systems and go for complete system penetration. Ideally, you’ve already made your decision on this. You may want to leave well enough alone. There are also tasks you can’t do — such as installing rootkits or planting a file — unless you try.

Leave the more-intrusive penetration to those with more time on their hands. Focus on correcting problems. Part VI of this book covers reporting, patching, and managing.

Don’t take the steps I outline in this chapter too literally. General ethical hacking methodologies can be either too simplistic or too rigid. Ultimately, you are in control and can decide what to do and when to do it.



Part II
Putting Ethical Hacking in Motion

In this part . . .

Let the games begin! You’ve waited long enough — now’s the time to start testing your systems. But where do you start? How about with your two Ps — your people and your physical systems? These are, after all, two of the most easily and commonly attacked targets in your organization.

This part starts out with a discussion of hacking people.

It then goes on to take a look at physical security vulnerabilities. Of course, I’d be remiss in a part about people if I skipped passwords, so I cover testing those as well. This is a great way to get the ball rolling to warm you up for the more specific hacks that come later in the book.



Chapter 5
Social Engineering

In This Chapter

Introducing social engineering

Examining the ramifications of social engineering

Understanding social-engineering techniques

Protecting your organization against social engineering

Social engineering takes advantage of the weakest link in any organization’s information-security defenses: the employees. Social engineering is “people hacking” and involves maliciously exploiting the trusting nature of human beings for information that can be used for personal gain.

Social Engineering 101

Typically, hackers pose as someone else to gain information they otherwise can’t access. Hackers then take the information obtained from their victims and wreak havoc on network resources, steal or delete files, and even commit industrial espionage or some other form of fraud against the organization they’re attacking. Social engineering is different from physical-security issues, such as shoulder surfing and dumpster diving, but they are related.

Here are some examples of social engineering:

False support personnel claim that they need to install a patch or new version of software on a user’s computer, talk the user into downloading the software, and obtain remote control of the system.

False vendors claim to need to make updates to the organization’s accounting package or phone system, ask for the administrator password, and obtain full access.

False contest Web sites run by hackers gather user IDs and passwords of unsuspecting contestants. The hackers then try those passwords on other Web sites, such as Yahoo! and Amazon.com, and steal personal or corporate information.



False employees notify the security desk that they have lost their keys to the computer room, are given a set of keys, and obtain unauthorized access to physical and electronic information.

Sometimes, social engineers act as forceful and knowledgeable employees, such as managers or executives. Other times, they may play the roles of extremely uninformed or naïve employees. They often switch from one mode to the other, depending on whom they are speaking to.

Effective information security — especially for fighting social engineering — begins and ends with your users. Other chapters in this book provide great technical advice, but never forget that basic human communication and interaction also affect the level of security. The candy-security adage is “Hard crunchy outside, soft chewy inside.” The hard crunchy outside is the layer of mechanisms — such as firewalls, intrusion-detection systems, and encryption — that organizations rely on to secure their information. The soft chewy inside is the people and the systems inside the organization. If hackers can get past the thick outer layer, they can compromise the (mostly) defenseless inner layer.

Social engineering is one of the toughest hacks, because it takes great skill to come across as trustworthy to a stranger. It’s also by far the toughest hack to protect against because people are involved. In this chapter, I explore the ramifications of social engineering, techniques for your own ethical hacking efforts, and specific countermeasures to take against social engineering.

Before You Start

I approach the ethical hacking methodologies in this chapter differently than in subsequent hacking chapters. Social engineering is an art and a science. It takes great skill to perform social engineering as an ethical hacker and is dependent upon your personality and overall knowledge of the organization you’re testing. If social engineering isn’t natural for you, consider using the information in this chapter for educational purposes — at first — until you have more time to study the subject.

You can use the information in this chapter to perform specific tests or improve information-security awareness in your organization. Social engineering can harm people’s jobs and reputations, and confidential information could be leaked. Proceed with caution and think before you act.

You can perform social-engineering attacks millions of ways. For this reason, and because it’s next to impossible to train specific behaviors in one chapter, I don’t provide how-to instructions on carrying out social-engineering attacks. Instead, I describe specific social-engineering scenarios that have worked for other hackers — both ethical and unethical. You can tailor these same tricks and techniques to specific situations.



A case study in social engineering with Ira Winkler

In this case study, Ira Winkler, a world-renowned social engineer, was gracious in sharing with me an interesting study in social engineering.

The Situation

Mr. Winkler’s client wanted a general temperature of the organization’s security awareness level. He and his accomplice went for the pot of gold and tested the organization’s susceptibility to social engineering. Getting started, they scoped out the main entrance of the client’s building and found that the reception/security desk was in the middle of a large lobby and was staffed by a receptionist. The next day, the two men walked into the building during the morning rush while pretending to talk on cell phones. They stayed at least 15 feet from the attendant and simply ignored her as they walked by.

After they were inside the facility, they found a conference room to set up shop. They sat down to plan the rest of the day and decided a facility badge would be a great start. Mr. Winkler called the main information number and asked for the office that makes the badges. He was forwarded to the reception/security desk. He then pretended to be the CIO and told the person on the other end of the line that he wanted badges for a couple of subcontractors. The person responded, “Send the subcontractors down to the main lobby.”

When Mr. Winkler and his accomplice arrived, a uniformed guard asked what they were working on, and they mentioned computers. The guard then asked them if they needed access to the computer room! Of course they said, “That would help.” Within minutes, they both had badges with access to all office areas and the computer operations center. They went to the basement and used their badges to open the main computer room door. They walked right in and were able to access a Windows server, load the user administration tool, add a new user to the domain, and make the user a member of the administrators’ group. Then they quickly left.

The two men had access to the entire corporate network with administrative rights within two hours! They also used the badges to perform after-hours walkthroughs of the building. In doing this, they found the key to the CEO’s office and planted a mock bug there.

The Outcome

Nobody outside the team knew what the two men did until they were told after the fact. After the employees were informed, the guard supervisor called Mr. Winkler and wanted to know who issued the badges. Mr. Winkler informed him that the fact that his area didn’t know who issued the badges was a problem in and of itself, and that he does not disclose that information.

How This Could Have Been PreventedAccording to Mr. Winkler, the security deskshould have been located closer to the entrance,

and the company should have had a formalprocess for issuing badges. In addition, accessto special areas like the computer room shouldrequire approval from a known entity. Afteraccess is granted, a confirmation should besent to the approver. Also, the server screenshould have been locked, the account shouldnot have been logged on unattended, and anyaddition of an administrator-level account shouldbe audited and appropriate parties should bealerted.

Ira Winkler, CISSP, CISM, is considered one of the world’s best social engineers. You can find more of his case studies in his book Spies Among Us (McGraw-Hill).
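The last of Mr. Winkler’s countermeasures, auditing every addition of an administrator-level account and alerting the right people, is the one that can be checked mechanically. What follows is an added example written for this edition of the page; it is not code from the book or from Mr. Winkler. The audit lines, the list of privileged groups and the approval table are all constructed, and the record layout is only loosely modeled on the Windows security events written when a member is added to a group (event IDs 4728 for a global group and 4732 for a local group), which the book itself does not mention.

```python
"""Alert on additions to administrator-level groups (added example,
not code from the book).

The audit records, privileged-group list and approval table below are
constructed for the example. The record layout is modeled loosely on the
Windows security events logged when a member is added to a group
(event ID 4728 for a global group, 4732 for a local group).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Groups whose membership changes should always be alerted on (assumed list).
PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins"}
MEMBER_ADDED_EVENTS = {"4728", "4732"}

# Constructed audit lines: a timestamp followed by key=value fields.
SAMPLE_LOG = """\
2004-03-01T14:02:11Z host=DC01 event=4728 actor=jsmith target=tjones group="Domain Users"
2004-03-01T14:05:37Z host=SRV07 event=4732 actor=Administrator target=contractor1 group="Administrators"
2004-03-01T14:06:02Z host=DC01 event=4728 actor=Administrator target=contractor1 group="Domain Admins"
2004-03-01T15:30:00Z host=DC01 event=4720 actor=hr.admin target=newhire group=""
"""

# key=value pairs; values may be quoted so group names can contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Alert:
    timestamp: str
    host: str
    actor: str
    target: str
    group: str
    approved_by: Optional[str]  # None: no approval record for this account


def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed audit line into a field dictionary."""
    timestamp, _, rest = line.partition(" ")
    fields = {"timestamp": timestamp}
    for key, value in FIELD_RE.findall(rest):
        fields[key] = value.strip('"')
    return fields


def find_privileged_additions(log_text: str, approvals: Dict[str, str]) -> List[Alert]:
    """Return one Alert per addition of an account to a privileged group.

    approvals maps an account name to the approver who signed off on its
    elevation; it stands in for a change-ticket lookup. Additions without
    an entry are still reported, marked as unapproved.
    """
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("event") not in MEMBER_ADDED_EVENTS:
            continue  # not a group-membership change
        if f.get("group", "").lower() not in PRIVILEGED_GROUPS:
            continue  # ordinary group; no alert
        alerts.append(Alert(
            timestamp=f["timestamp"], host=f["host"], actor=f["actor"],
            target=f["target"], group=f["group"],
            approved_by=approvals.get(f["target"]),
        ))
    return alerts


def format_notification(alert: Alert) -> str:
    """Render an alert as the one-line message sent to the approver or on-call."""
    status = (f"approved by {alert.approved_by}" if alert.approved_by
              else "NO APPROVAL ON FILE")
    return (f"[{alert.timestamp}] {alert.actor} added {alert.target} to "
            f"'{alert.group}' on {alert.host} ({status})")


if __name__ == "__main__":
    # Constructed approval record: only tjones's change was signed off,
    # so both contractor1 additions come out flagged as unapproved.
    for a in find_privileged_additions(SAMPLE_LOG, {"tjones": "it.manager"}):
        print(format_notification(a))
```

Run as a script it prints two notifications, both for contractor1 and both marked as having no approval on file, which is exactly the condition the case study describes: the account was created by someone with a badge nobody could account for, and nobody was told.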



These social-engineering techniques may be best performed by an outsider to the organization. If you’re performing these tests against your own organization, you may have difficulties acting as an outsider if everyone knows you. This may not be a problem in larger organizations, but if you have a small, close-knit company, people usually are on to your antics.

You can outsource social-engineering testing to a trusted consulting firm or even have a colleague perform the tests for you. The key word here is trusted.

If you’re involving someone else, you must get references, perform background checks, and have the testing approved by management in writing beforehand.

I cover the topic of outsourcing ethical hacking in Chapter 19.

Why Hackers Use Social Engineering

Bad guys use social engineering to break into systems because they can. They want someone to open the door to the organization so that they don’t have to break in and risk getting caught. Firewalls, access controls, and authentication devices can’t stop a determined social engineer.

Most social engineers perform their attacks slowly, so they’re not so obvious and don’t raise suspicion. The bad guys gather bits of information over time and use the information to create a broader picture. Alternatively, some social-engineering attacks can be performed with a quick phone call or e-mail. The methods used depend on the hacker’s style and abilities.

Social engineers know that many organizations don’t have formal data classification, access-control systems, incident-response plans, and security-awareness programs.

Social engineers know a lot about a lot of things — both inside and outside their target organizations — because it helps them in their efforts. The more information social engineers gain about organizations, the easier it is for them to pose as employees or other trusted insiders. Social engineers’ knowledge and determination give them the upper hand over average employees who are unaware of the value of the information social engineers are seeking.

Understanding the Implications

Most organizations have enemies that want to cause trouble through social engineering. These enemies could be current or former employees seeking revenge, competitors wanting a leg up, or basic hackers trying to prove their skills.




Regardless of who is causing the trouble, every organization is at risk. Larger companies spread across several locations are often more vulnerable, but small companies also are attacked. Everyone from receptionists to security guards to IT personnel is a potential victim of social engineering. Help-desk and call-center employees are especially vulnerable because they are trained to be helpful and forthcoming with information. Even the average untrained end user is susceptible to attack.

Social engineering has serious consequences. Because the objective of social engineering is to coerce someone for ill-gotten gains, anything is possible.

Effective social engineers can obtain the following information:

User or administrator passwords

Security badges or keys to the building and even the computer room

Intellectual property such as design specifications, formulae, or other research and development documentation

Confidential financial reports

Private and confidential employee information

Customer lists and sales prospects

If any of the preceding information is leaked out, it can cause financial losses, lower employee morale, jeopardize customer loyalty, and even create legal issues. The possibilities are endless.

One reason protecting against social-engineering attacks is difficult is that they aren’t well documented. Because so many possible methods exist, recovery and protection are difficult after the attack. The hard crunchy outside created by firewalls and intrusion-detection systems often creates a false sense of security, making the problem even worse.

With social engineering, you never know the next method of attack. The best you can do is remain vigilant, understand the social engineer’s methodology, and protect against the most common attacks. In the rest of this chapter, I discuss how you can do this.

Performing Social-Engineering Attacks

The process of social engineering is actually pretty basic. In general, social engineers find the details of organizational processes and information systems to perform their attacks. With this information, they know what to pursue.

Hackers typically perform social-engineering attacks in four simple steps:


1. Perform research.

2. Build trust.

3. Exploit relationship for information through words, actions, or technology.

4. Use the information gathered for malicious purposes.

These steps can include myriad substeps and techniques, depending on the attack being performed.

Before social engineers perform their attacks, they need a goal in mind. This is the hacker’s first step in this process, and this goal is most likely already implanted in the hacker’s mind. What does the hacker want to accomplish? What is the hacker trying to hack? Does he want intellectual property, server passwords, or security badges; or does he simply want to prove that the company’s defenses can be penetrated? In your efforts as an ethical hacker performing social engineering, determine this goal before you move forward.

Fishing for information

Social engineers typically start by gathering public information about their victim. Many social engineers acquire information slowly over time so they don’t raise suspicion. Obviousness is a tip-off when defending against social engineering. I cover other warning signs throughout the rest of this chapter.

Regardless of the initial research method, all a hacker needs to start penetrating an organization is an employee list, a few key internal phone numbers, or a company calendar.

Using the Internet

Today’s basic research medium is the Internet. A few minutes on Google or other search engines, using simple key words such as the company name or specific employees’ names, often produces a lot of information. You can find even more information in SEC filings at www.sec.gov and at sites such as www.hoovers.com and finance.yahoo.com. In fact, many organizations — especially upper management — would be dismayed by what’s available. By using this search-engine information and browsing the company’s Web site, the hacker often has enough information to start.

Hackers can pay $100 or less for a comprehensive background check on individuals. These searches can turn up practically any public — and sometimes private — information about a person in minutes.




Dumpster diving

Dumpster diving is a more difficult method of obtaining information. This method is literally going through trash cans for information about a company.

Dumpster diving can turn up even the most confidential information, because many employees think that their information is safe after it goes into file 13.

Most people don’t think about the potential value of paper they throw away.

These documents often contain a wealth of information that tips off the social engineer with information needed to penetrate the organization further. The astute social engineer looks for the following printed documents:

Internal phone lists

Organizational charts

Employee handbooks, which often contain security policies

Network diagrams

Password lists

Meeting notes

Spreadsheets and reports

E-mails containing confidential information

Shredding is effective if the paper is cross-shredded into tiny pieces of confetti. Inexpensive shredders that shred documents only in long strips are basically worthless against a determined social engineer. With a little time and tape, a social engineer can easily piece a document back together.

Hackers often gather confidential personal and business information from others by listening in on conversations held in restaurants, coffee shops, and airports. People who speak loudly when talking on a cell phone are a great source. Poetic justice, perhaps? While writing in public places, it’s amazing what I’ve heard others divulge — and I wasn’t trying to listen!

Hackers also look for floppy disks, CD-ROM and DVD discs, old computer cases (especially with hard drives), and backup tapes.

See Chapter 6 for more on trash and other physical-security issues, including countermeasures against these exploits.

Phone systems

Hackers can obtain information by using the dial-by-name feature built into most voice-mail systems. To access this feature, you usually just press 0 when calling into the company’s main number or even someone’s desk. This trick works best after hours to make sure that no one answers.

Hackers can protect their identities if they can hide where they’re calling from. Here are some ways that they can do that:

Residential phones sometimes can hide their numbers from caller ID.

The code to hide a residential phone number from a caller ID is *67. Just dial *67 before the number; it blocks the source number.

This feature is usually disabled when you’re calling toll-free (800, 888, 877) numbers.

Business phones are more difficult to spoof from an office by using a phone switch. However, all the hacker usually needs is the user guide and administrator password for the phone-switch software. In many switches, the hacker can enter the source number — including a falsified number, such as the victim’s home phone number.

Hackers find interesting bits of information, such as when their victims are out of town, just by listening to voice-mail messages. They even study victims’ voices by listening to their voice-mail messages or Internet presentations and Webcasts to impersonate those people.

Building trust

Trust — so hard to gain, so easy to lose. Trust is the essence of social engineering. Most humans trust other humans until a situation occurs that forces them not to. We want to help one another, especially if trust can be built and the request for help is reasonable. Most people want to be team players in the workplace and don’t know what can happen if they divulge too much information to a “trusted” source. This is why social engineers can accomplish their goals. Of course, building deep trust often takes time. Crafty social engineers gain it within minutes or hours. How do they build trust?

Likability: Who can’t relate to a nice person? Everyone loves courtesy. The friendlier the social engineer — without going overboard — the better his chances of getting what he wants. Social engineers often begin by establishing common interests. They often use information they gained in the research phase to determine what the victim likes and act as if they like those things as well. For instance, they can phone victims or meet them in person and, based on information they’ve learned about the person, start talking about local sports teams or how wonderful it is to be single again. A few low-key and well-articulated comments can be the start of a nice new relationship.




Believability: Of course, believability is based in part on the knowledge that social engineers have and how likable they are. But social engineers also use impersonation — perhaps posing as a new employee or fellow employee that the victim hasn’t met. They may even pose as a vendor that does business with the organization. They often modestly claim authority to influence people. The most common social-engineering trick is to do something nice so that the victim feels obligated to be nice in return or to be a team player for the organization.

Exploiting the relationship

After social engineers obtain the trust of their unsuspecting victims, they coax them into divulging more information than they should. Whammo — they can go in for the kill. They do this through face-to-face or electronic communications that victims feel comfortable with, or they use technology to get victims to divulge information.

Deceit through words and actions

Wily social engineers can get inside information from their victims many ways. They are often articulate and focus on keeping their conversations moving without giving their victims much time to think about what they’re saying. However, if they’re careless or overly anxious during their social-engineering attacks, the following tip-offs may give them away:

Acting overly friendly or eager

Mentioning names of prominent people within the organization

Bragging about authority within the organization

Threatening reprimands if requests aren’t honored

Acting nervous when questioned (pursing the lips and fidgeting — especially the hands and feet, because more conscious effort is required to control body parts that are farther from the face)

Overemphasizing details

Physiological changes, such as dilated pupils or changes in voice pitch

Appearing rushed

Refusing to give information

Volunteering information and answering unasked questions

Knowing information that an outsider should not have

A known outsider using insider speech or slang

Asking strange questions

Misspelling words in written communications

A good social engineer isn’t obvious with the preceding actions, but these are some of the signs that malicious behavior is in the works.

Hackers often do a favor for someone and then turn around and ask that person if he or she would mind helping them. This is a common social-engineering trick that works pretty well. Hackers also often use what’s called reverse social engineering. This is where they offer help if a specific problem arises; some time passes, the problem occurs (often by their doing), and then they help fix the problem. They may come across as heroes, which can further their cause.

Hackers also simply may ask an unsuspecting employee for a favor. Yes — they just outright ask for a favor. Many people fall for it.

Impersonating an employee is easy. Social engineers can wear a similar-looking uniform, make a fake ID badge, or simply dress like the real employees. They often pose as employees. People think, “Hey — he looks and acts like me, so he must be one of us.” Social engineers also pretend to be employees calling in from an outside phone line. This is an especially popular way of exploiting help-desk and call-center personnel. Hackers know that it’s easy for these people to fall into a rut due to such repetitive tasks as saying, “Hello, can I get your customer number, please?”

Here’s my story about how I was social-engineered because I didn’t think before I spoke. One day, I was having trouble with my high-speed Internet connection. I figured I could just use dial-up access, because it’s better than nothing for e-mail and other basic tasks. I contacted my ISP and told the tech-support guy I couldn’t remember my dial-up password. This sounds like the beginning of a social-engineering stunt that I could’ve pulled off, but I got taken. The slick tech-support guy paused for a minute, as if he was pulling up my account info, and then asked, “What password did you try?”

Stupid me, I proceeded to mouth off all the passwords it could’ve been! The phone got quiet for a moment. He reset my password and told me what it was. After I hung up the phone, I thought, “What just happened? I just got social-engineered!” Man, was I mad at myself. I changed all the passwords that I divulged in case he used that information against me. I still bet to this day that he was just experimenting with me. Lesson learned: Never, ever, under any circumstances divulge your password to someone else.

Deceit through technology

Technology can make things easier — and more fun — for the social engineer. Often, the request comes from a computer or other electronic entity you think you can identify. But spoofing a computer name, an e-mail address, a fax number, or a network address is easy. Fortunately, you can take a few countermeasures against this, as described in the next section.




One way hackers deceive through technology is by sending e-mail for critical information. Such e-mail usually provides a link that directs victims to a professional- and legitimate-looking Web site that “updates” such account information as user IDs, passwords, and Social Security numbers.

Many spam messages use this trick. Most users are inundated with so much spam and other unwanted e-mail that they often let their guard down and open e-mails and attachments that they shouldn’t open. These e-mails usually look professional and believable. They often dupe people into disclosing information they should never give in exchange for a gift. These social-engineering tricks also occur when a hacker who has already broken into the network sends messages or creates fake Internet pop-up windows. The same tricks have occurred through instant messaging and cell-phone messaging.
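The “update your account” link described above has two technical tells that a mail filter or a cautious reader can check: the address the link text shows is not where the link actually goes, or the link leads away from the domain the message claims to come from. The following is an added example written for this edition of the page, not code from the book; the sender address, the message body and every domain in it are constructed (the `.example` host stands in for an attacker’s site), and the “registered domain” reduction to the last two labels is a deliberate simplification of what a production filter would do with a public-suffix list.

```python
"""Flag deceptive links in an HTML e-mail (added example, not code from
the book). The sender address, message body and domain names below are
constructed; the ".example" host is a placeholder for an attacker site.
"""
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

SAMPLE_SENDER = "security@examplebank.com"
SAMPLE_HTML = """
<p>Dear customer, please <a href="http://198.51.100.7/update">update your account</a>
within 24 hours to avoid suspension.</p>
<p>You can also sign in at
<a href="http://examplebank.com.attacker-placeholder.example/login">www.examplebank.com</a></p>
<p>Questions? Visit our <a href="https://www.examplebank.com/help">help center</a>.</p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value: str) -> Optional[str]:
    """Hostname of an http(s) URL, or of link text that itself looks like one."""
    try:
        parsed = urlparse(value)
        if parsed.scheme not in ("http", "https"):
            if parsed.scheme:  # mailto:, tel:, javascript: and the like
                return None
            parsed = urlparse("http://" + value)  # bare host in link text
        host = parsed.hostname
    except ValueError:
        return None
    return host if host and "." in host else None


def registered_domain(host: str) -> str:
    """Reduce a hostname to its last two labels. This is a deliberate
    simplification; production code would consult the public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def suspicious_links(sender: str, html_body: str) -> List[str]:
    """Return one reason string per link that looks deceptive."""
    sender_domain = registered_domain(sender.rsplit("@", 1)[-1])
    extractor = LinkExtractor()
    extractor.feed(html_body)
    findings: List[str] = []
    for href, text in extractor.links:
        target_host = host_of(href)
        if target_host is None:
            continue  # mailto:, relative links and the like
        shown_host = host_of(text)
        if shown_host and registered_domain(shown_host) != registered_domain(target_host):
            # The text shows one address while the link goes somewhere else.
            findings.append(f"link text shows {shown_host} but goes to {target_host}")
        elif registered_domain(target_host) != sender_domain:
            # Plain link, but it leads away from the sender's own domain.
            findings.append(f"link to {target_host} does not match sender domain {sender_domain}")
    return findings


if __name__ == "__main__":
    for reason in suspicious_links(SAMPLE_SENDER, SAMPLE_HTML):
        print("SUSPICIOUS:", reason)
```

On the constructed message the first two links are reported (a bare IP address target, and link text that shows the bank’s domain while the href goes to a look-alike host) and the genuine help-center link passes. The sender domain is taken from the From address as the message presents it, so this check complements rather than replaces the sender-authentication controls that decide whether that address can be believed at all.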

In some well-publicized incidents, hackers e-mailed to their victims a patch purporting to come from Microsoft or another well-known vendor. Users think it looks like a duck and it quacks like a duck — but it’s not Bill this time! The message is from a hacker wanting the user to install the “patch” so a Trojan-horse keylogger can be installed or a backdoor can be created into computers and networks. Hackers use these backdoors to hack into the organization’s systems or use the victims’ computers (known as zombies) as launching pads to attack another system. Even viruses or worms use social engineering. For instance, the LoveBug worm told users they had a secret admirer. When the victims opened the e-mail, it was too late. Their computers were infected; perhaps worse, they didn’t have a secret admirer.

The Nigerian 419 e-mail fraud scheme attempts to access unsuspecting people’s bank accounts and money. These social engineers — scamsters — offer to transfer millions of dollars to the victim to repatriate a deceased client’s funds to the United States. All the victim must provide is personal bank-account information and a little money up front to cover the transfer expenses. Victims have ended up having their bank accounts emptied.

Many computerized social-engineering tactics can be performed anonymously through Internet proxy servers, anonymizers, and remailers. When people fall for requests for confidential personal or corporate information, the sources of these social-engineering attacks are often impossible to track.

Social-Engineering Countermeasures

You have only a few good lines of defense against social engineering. Even with strong security systems, a naïve or untrained user can let the social engineer into the network. Never underestimate the power of social engineers.


Policies

Specific policies help ward off social engineering long-term in these areas:

Classifying data

Hiring employees and contractors and setting up user IDs

Terminating employees and contractors, and removing user IDs

Setting and resetting passwords

Handling proprietary and confidential information

Escorting guests

These policies must be enforceable and enforced — for everyone within the organization. Keep them up to date and tell your end users about them.

User awareness

The best line of defense against social engineering is an organization with employees who can identify and respond to social-engineering attacks. User awareness begins with initial training for everyone and follows with security-awareness initiatives to keep social-engineering defenses on everyone’s mind.

Align training and awareness with specific security policies.

Consider outsourcing security training to a seasoned security trainer.

Employees often take training more seriously if it comes from an outsider.

Outsourcing security training is worth the investment.

As you approach ongoing user training and awareness in your organization, the following tips help you combat social engineering long term:

Treat security awareness and training as a business investment.

Train users on an ongoing basis to keep security fresh in their minds.

Tailor your training content to your audience whenever possible.

Create a social-engineering awareness program for your business functions and user roles.

Keep your messages as nontechnical as possible.

Develop incentive programs for preventing and reporting incidents.

Lead by example.




Share these tips with your users to help prevent social-engineering attacks:

Never divulge any information unless you can validate that the person requesting the information needs it and is who he says he is. If a request is made over the telephone, verify the caller’s identity, and call back.

Never click an e-mail link that supposedly loads a page with information that needs updating. This is especially true for unsolicited e-mails.

Escort all guests within a building.

Never send or open files from strangers.

Never give out passwords.

A few other general suggestions can ward off social engineering:

Never let a stranger connect to one of your network jacks — even for a few seconds. A hacker can place a network analyzer, Trojan-horse program, or other malware directly onto your network.

Classify your information assets, both hard-copy and electronic. Train all employees to handle each asset type.

Develop and enforce computer media and document destruction policies that help ensure data is handled carefully and stays where it should.

Use cross-shredding paper shredders. Better, hire a document-shredding company that specializes in confidential document destruction.

Never allow anonymous File Transfer Protocol (FTP) access into your FTP servers if you don’t have to.

These techniques can reinforce the content of formal training:

New-employee orientation, lunch ’n’ learns, e-mails, and newsletters

Social-engineering survival brochure with tips and FAQs

Trinkets, such as screen savers, mouse pads, sticky notes, pens, and office posters

Appendix A lists my favorite user-awareness trinket vendors to improve user awareness in your organization.




Chapter 6: Physical Security

In This Chapter

Understanding the importance of physical security

Q&A with a well-known physical-security expert

Looking for physical-security vulnerabilities

Implementing countermeasures for physical-security attacks

I’m a strong believer that information security is more dependent on nontechnical policies, processes, and procedures than on the technical hardware and software solutions that many people swear by. Physical security — protection of physical property — encompasses both technical and nontechnical components.

Physical security is an often overlooked aspect of an information-security program. Physical security is a critical component of information security. Your ability to secure your information depends on your ability to secure your site physically. In this chapter, I cover some common physical-security weaknesses, as they relate to computers and information security, to look for in your own systems. In addition, I outline free and low-cost countermeasures to minimize your vulnerabilities. I don’t recommend breaking and entering, which is required for some physical-security tests. Instead, approach sensitive areas to see how far you can get. Take a fresh look — from an outsider’s perspective — at the physical vulnerabilities I cover in this chapter. You may discover holes in your physical-security infrastructure.

Physical-Security Vulnerabilities

Whatever your computer and network-security technology, practically any hack is possible if a hacker is in your building or computer room. That’s why it’s important to look for physical-security vulnerabilities.



In small companies, some physical-security issues may not be a problem.

Many physical security vulnerabilities depend on factors like the following:

Size of the building

Number of buildings or sites

Number of employees

Location and number of building entrance/exit points

Placement of the computer room(s) and other confidential information

Literally thousands of possible physical-security vulnerabilities exist. The bad guys are always on the lookout for them — so you should find these vulnerabilities first. Here are some common physical-security vulnerabilities I’ve found when assessing security:

No receptionist in a building

No visitor sign-in or escort required for building access

Employees trusting visitors just because they’re wearing vendor uniforms or say they’re there to work on the copier or computers

No access controls on doors

Doors propped open

Publicly accessible computer rooms

Backup media lying around

Unsecured computer hardware and software media

CDs and floppy disks with confidential information in trash cans

When these physical-security vulnerabilities are exploited, bad things can happen. Perhaps the biggest problem is that unauthorized people can enter your building. After intruders are in your building, they can wander the halls; log onto computers; rummage through the trash; and steal hard-copy documents, floppy disks and CDs, and even computers out of offices.

What to Look For

You should look for specific security vulnerabilities. Many potential physical-security exploits seem unlikely, but they happen to organizations that don’t take physical security seriously.

Hackers can exploit many physical-security vulnerabilities, including weaknesses in a building’s infrastructure, office layout, computer-room access, and design. In addition to these factors, consider the facility’s proximity to local emergency assistance (police, fire, and ambulance) and the area’s crime statistics (burglary, breaking and entering, and so on) so you can better understand what you’re up against.

A Q&A on physical security with Jack Wiles

In this Q&A session, Jack Wiles, an information-security pioneer with over 30 years of experience, answered several questions on physical security and how a lack of it often leads to information insecurity.

How important do you think physical security is in relation to technical-security issues?

I’ve been asked that question many times in the past, and from decades of experience with both physical and technical security, I have a standard answer. Without question, many of the most expensive technical-security countermeasures and tools become worthless when physical security is weak. If I can get my team into your building(s) and walk up to someone’s desk and log in as that person, I have bypassed all your technical-security systems. In past security assessments, after my team and I entered a building, we always found that people simply thought that we belonged there — that we were employees. We were always friendly and helpful when we came in contact with real employees. They would often return the kindness by helping us with whatever we asked for.

How were you able to get into most of the buildings when you conducted “red team” penetration tests for companies?

In many cases, we just boldly walked into the building and went up the elevator in multistory buildings. If we were challenged, we always had a story ready. Our typical story was that we thought that this was the HR department, and we were there to apply for a job. If we were stopped at the door and told which building to go to for HR, we simply left and then looked for other entrances to that same building. If we found an outside smoking area at a different door, we attempted tailgating and simply walked in behind other employees who were reentering the building after finishing their breaks.

Tailgating also worked at most entrances that required card access. In my career as a red-team leader, we were never stopped and questioned. We simply said, “Thank you” as we walked in and compromised the entire building.

What kinds of things would you bring out of a building?

It was always easy to get enough important documentation to prove that we were there. In many cases, the documentation was sitting in a box next to someone’s desk (especially if that person was someone important) marked RECYCLE. To us, that really said, “Steal me first”! We found it interesting that many companies just let their recycle boxes fill up before emptying them.

We would also look for a room where strip-cut shredders were used. The documents that were shredded were usually stored in clear plastic bags. We loaded these bags into our cars and had many of the shredded documents put back together in a few hours. We found that if we pasted the strips from any page on cardboard with as much as an inch of space between the strips, the final document was still readable.

Jack Wiles is president of TheTrainingCo. and promotes the annual information-security conference Techno Security (www.thetrainingco.com).



The following sections list vulnerabilities to look for when assessing your organization’s physical security. This won’t take a lot of technical savvy or expensive equipment. Depending on the size of your facilities, these tests shouldn’t take much time. The bottom line is to determine whether the physical-security systems are adequate for the risks involved. Above all, be practical and use common sense.

Building infrastructure

Doors, windows, and walls are critical components of a building — especially in a computer room or in an area where confidential information is stored.

Attack points

Hackers can exploit a handful of building-infrastructure vulnerabilities. Consider the following attack points, which are commonly overlooked:

Are doors propped open? If so, why?

Can gaps at the bottom of critical doors allow someone using a balloon or other device to trip a sensor on the inside of a “secure” room?

Would it be easy to force doors open? Would a simple kick near the doorknob suffice?

What is the building and/or computer room made of (steel, wood, concrete), and how sturdy are the walls and entryways? How resilient would the material be to earthquakes, tornadoes, strong winds, heavy rains, and vehicles driving into the building?

Are any doors or windows made of glass? Is this glass clear? Is the glass shatterproof or bulletproof?

Are doors, windows, and other entry points wired to an alarm system?

Are there drop ceilings with tiles that can be pushed up? Are the walls slab-to-slab? If not, hackers can easily scale walls, bypassing any door or window access controls.

Countermeasures

Many physical-security countermeasures for building vulnerabilities may require other maintenance, construction, or operations experts. If building infrastructure is not your forte, you can hire outside experts during the design, assessment, and retrofitting stages to ensure that you have adequate controls. Here are some of the best ways to solidify building security:

Strong doors and locks

Windowless walls around computer rooms



An alarm system that’s connected to all access points and continuously monitored

Lighting (especially around entry/exit points)

Mantraps that allow only one person at a time to pass through a door

Fences (barbed wire and razor wire)

Utilities

You must consider building and computer-room utilities, such as power, water, and fire suppression, when assessing physical security. These utilities can help fight off such incidents as fire and keep other access controls running during a power loss. They can also be used against you if an intruder enters the building.

Attack points

Hackers often exploit utility-related vulnerabilities. Consider the following attack points, which are commonly overlooked:

Is power-protection equipment (surge protectors, UPSs, and generators) in place? How easily accessible are the on/off switches on these devices? Can an intruder walk in and flip a switch?

When the power fails, what happens to physical-security mechanisms? Do they fail open, allowing anyone through, or fail closed, keeping everyone in or out until the power is restored?

Where are fire-detection and -suppression devices — including alarm sensors, extinguishers, and sprinkler systems — located? Determine how a malicious intruder can abuse them. Are these devices placed where they can harm electronic equipment during a false alarm?

Where are water and gas shutoff valves located? Can you access them, or would you have to call maintenance personnel about an incident?

Are local telecom wires (both copper and fiber) that run outside of the building located aboveground, where someone can tap into them with telecom tools? Can digging in the area cut them easily? Are they located on telephone poles that are vulnerable to traffic accidents?

Countermeasures

You may need to involve other experts during the design, assessment, or retrofitting stages. The key is placement:

Where are the major utility controls placed?

Can a hacker or other miscreant walking through the building access the controls to turn them on and off?


Covers for on/off switches and thermostat controls and locks for server power buttons and PCI expansion slots are effective defenses.

I once assessed the physical security of an Internet collocation facility for a very large computer company (whose name will remain anonymous). I made it past the front guard and tailgated through all the controlled doors to reach the data center. After I was inside, I walked by such equipment as servers, routers, firewalls, UPSs, and power cords that were owned by very large dot-com companies. All this equipment was completely exposed to anyone walking in that area. A quick flip of a switch or an accidental trip over a network cable dangling to the floor could bring an entire shelf — and a global e-commerce site — to the ground.

Office layout and usage

Office design and usage can either help or hinder physical security.

Hackers may exploit some office vulnerabilities. Consider these attack points:

Does a receptionist or security guard monitor traffic in and out?

Do employees have confidential information on their desks? What about mail and other packages — do they lie around outside someone’s door or, even worse, outside the building, waiting for pickup?

Where are trash cans and dumpsters located? Are they easily accessible by anyone? Are recycling bins or shredders used? Open recycling bins and other careless handling of trash are open invitations for dumpster diving — in which hackers search for confidential company information in phone lists and memos in the trash. Dumpster diving can lead to many security exposures.

How secure are mail and copy rooms? If hackers can access these rooms, they can steal mail or company letterhead to use against you.

Are closed-circuit television (CCTV) cameras used and monitored?

What access controls are on doors and windows? Are regular keys, card keys, combination locks, or biometrics used? Who can access these keys, and where are they stored? Keys and programmable keypad combinations are often shared among users, making accountability difficult to determine. Find out how many people share these combinations and keys.

Countermeasures

Simple measures can reduce your exposure to office vulnerabilities:




A receptionist or a security guard who monitors people coming and going.

This is the most critical countermeasure. This person can ensure that every visitor signs in and that all new or untrusted visitors are always escorted.

Make it policy and procedure for all employees to question strangers and report strange behavior in the building.

Employees Only or Authorized Personnel Only signs show the bad guys where they should go instead of deterring them from entering.

CCTV cameras.

Single entry/exit points to a building or computer room.

Secure areas for dumpsters.

Cross-cut shredders or secure recycling bins for hard-copy documents.

Limited numbers of keys and pass-code combinations.

Make keys and pass codes unique for each person, whenever possible.

Biometrics identification systems can be very effective, but they can also be expensive and difficult to manage.

Network components and computers

After hackers obtain physical access to a building, they look for the computer room and other easily accessible computer and network devices.

Attack points

The keys to the kingdom are often as close as someone’s desktop computer and not much farther than an unsecured computer room or wiring closet.

Malicious intruders can do the following:

Obtain network access and send malicious e-mails as a logged-in user.

Steal files from the computer by copying them onto a floppy disk or USB drive, or by e-mailing them to an external address.

Enter unlocked computer rooms and mess around with servers, firewalls, and routers.

Walk out with network diagrams, contact lists, and business-continuity and incident-response plans.

Obtain phone numbers from analog lines and circuit IDs from T1, frame-relay, and other telecom equipment for future attacks.


Practically every bit of unencrypted information that traverses the network can be recorded for future analysis through one of the following methods:

Connecting a computer running network-analyzer software to a hub, monitor, or mirrored port on a switch on your network

Installing network-analyzer software on an existing computer.

This is very hard to spot.

How would hackers access this information in the future?

The easiest attack method is to either install remote-administration software on the computer or dial into a modem by using VNC or pcAnywhere.

A crafty hacker with enough time can bind a public IP address to the computer if it’s outside the firewall. Hackers with enough network knowledge can configure new firewall rules to do this.

Also consider these other vulnerabilities:

How easily can someone’s computer be accessed during regular hours? During lunchtime? After hours?

Are servers, firewalls, routers, and switches mounted in locked racks?

Are computers — especially laptops — secured to desks with locks?

Are passwords stored on sticky notes on computer screens, keyboards, or desks?

Are backup media lying around the computer room susceptible to theft?

Are media safes used to protect backup media? Who can access the safe?

How are laptops and hand-held computers handled in-house and when employees are working from home or traveling? Are personal digital assistants (PDAs) and cell phones sitting around unsecured? These devices are often at great risk because of their size and value. Also, they are typically unprotected by the organization’s regular security controls.

Are specific policies and technologies in place to help protect them? Is locking laptop bags and PDA cases required? What about power-on passwords? Also consider encryption in case these devices get into a hacker’s hands.

How easily can someone access a wireless access point (AP) signal or the AP itself to join the network?

Are network firewalls, routers, switches, and hubs (basically, anything with an Ethernet connection) easily accessible, which would enable a hacker to plug into the network easily?




Are all cables patched through on the patch panel in the wiring closet so all network drops are live?

This is very common but a bad idea.

Are cable traps/locks in place that prevent hackers from unplugging network cables from patch panels or computers to use those connections for their own computers?

Countermeasures

Network and computer security countermeasures are some of the simplest to implement, yet the most difficult to enforce because they involve everyday actions. Here is a rundown of these countermeasures:

Require users to lock their screens — which usually takes a few clicks or keystrokes in Windows or UNIX — to keep intruders out of their systems.

Ensure that strong passwords are used (as covered in Chapter 7).

Require laptop users to lock their systems to their desks with a locking cable. This is especially important in larger companies or locations that receive a lot of foot traffic.

Keep computer rooms and wiring closets locked, and monitor those areas for malicious wrongdoings.

Keep a current inventory of hardware and software within the organization — especially in computer rooms — so it’s easy to determine when extra equipment appears or other equipment is missing.

Properly secure computer media — such as floppy disks, CD-ROMs, tapes, and hard drives — when stored and during transport.

Use a bulk eraser on magnetic media before it’s discarded.




Chapter 7

Passwords

In This Chapter

Identifying password vulnerabilities

Examining password-hacking tools and techniques

Hacking operating-system passwords

Hacking password-protected files

Protecting your systems from password hacking

Password hacking is one of the easiest and most common ways hackers obtain unauthorized computer or network access. Although strong passwords that are difficult to crack (or guess) are easy to create and maintain, users often neglect this. Therefore, passwords are one of the weakest links in the information-security chain. Passwords rely on secrecy. After a password is compromised, its original owner isn’t the only person who can access the system with it. That’s when bad things start happening.

Hackers have many ways to obtain passwords. They can glean passwords simply by asking for them or by looking over the shoulders of users as they type them in. Hackers can also obtain passwords from local computers by using password-cracking software. To obtain passwords from across a network, hackers can use remote cracking utilities or network analyzers.

This chapter demonstrates just how easily hackers can gather password information from your network. I outline common password vulnerabilities that exist in computer networks and describe countermeasures to help prevent these vulnerabilities from being exploited on your systems.

If you perform the tests and implement the countermeasures outlined in this chapter, you’re well on your way to securing your systems’ passwords.

Password Vulnerabilities

When you balance the cost of security and the value of the protected information, the combination of user ID and secret password is usually adequate.



However, passwords give a false sense of security. The bad guys know this and attempt to crack passwords as a step toward breaking into computer systems.

One big problem with relying solely on passwords for information security is that more than one person can know them. Sometimes, this is intentional; often, it’s not. You can’t know who has a password other than the owner.

Knowing a password doesn’t make someone an authorized user.

Here are the two general classifications of password vulnerabilities:

Organizational or end-user vulnerabilities: This includes lack of password awareness on the part of end users and the lack of password policies that are enforced within the organization.

Technical vulnerabilities: This includes weak encryption methods and insecure storage of passwords on computer systems.

Before computer networks and the Internet, the user’s physical environment was an additional layer of password security. Now that most computers have network connectivity, that protection is gone.

Organizational password vulnerabilities

It’s human nature to want convenience. This makes passwords one of the easiest barriers for an attacker to overcome. Almost 3 trillion (yes, trillion with a t and 12 zeros) eight-character password combinations are possible by using the 26 letters of the alphabet and the numerals 0 through 9. However, most people prefer to create passwords that are easy to remember. Users like to use such passwords as “password,” their login name, or a pet’s name.

Unless users are educated and reminded about using strong passwords, their passwords usually are:

Weak and easy to guess.

Seldom changed.

Reused for many security points. When bad guys crack a password, they try to access other systems with the same password and user name.

Written down in nonsecure places. The more complex a password is, the more difficult it is to crack. However, when users create more complex passwords, they’re more likely to write them down. Hackers can find these passwords and use them against you.




A case study in Windows password vulnerabilities with Philippe Oechslin

In this case study, Dr. Philippe Oechslin, a researcher and independent information security consultant, shared with me his recent research findings on Windows password vulnerabilities.

The Situation

In 2003, Dr. Oechslin discovered a new method for cracking Windows passwords. While testing a brute-force password-cracking tool, he thought it was a waste of time for everyone using the same tool to have to generate the same hashes over and over again. He believed that generating a huge dictionary of all possible hashes would make it easier to crack Windows passwords, but then he quickly realized that a dictionary of the LAN Manager (LM) hashes of all possible alphanumerical passwords would require over a terabyte of storage.

During his research, Dr. Oechslin discovered a technique called time-memory trade-offs, where hashes are computed in advance but only a small fraction are stored (approximately one in a thousand). He discovered that how the LM hashes are organized allows you to find any password if you spend some time recalculating some of the hashes. This technique saves memory but takes a lot of time. Studying this method, he found a way to make it more efficient, making it possible to find any of the 80 billion unique hashes by using a table of 250 million entries (1GB worth of data) and performing only 4 million hash calculations. This process is much faster than a brute-force attack, which must generate 50 percent of the hashes (40 billion) on average.

This research is based on the absence of a random element when Windows passwords are hashed. This is true for both the LM hash and the NT hash built into Windows. As a result, the same password produces the same hash on any Windows machine. Although it is known that Windows hashes have no random element, no one has used a technique like the one that Dr. Oechslin discovered to crack Windows passwords.

For a short time, Dr. Oechslin and his team had an interactive tool on their Web site (lasecwww.epfl.ch) that enabled visitors to submit hashes and have them cracked. Over a six-day period, the tool cracked 1,845 passwords in an average of 7.7 seconds! They deactivated the demo after a week (and a million hits) and did not release the tool because they didn’t want to help hackers. Dr. Oechslin did say that he has heard about other tools (such as RainbowCrack) that use the same method but are being developed independently.

The Outcome

So what’s the big deal, you say? This password-cracking method can crack any alphanumerical password in a few seconds, whereas current brute-force tools can take several hours. Dr. Oechslin and his research team have generated a table with which they can crack any password made of letters, numbers, and 16 other characters in less than a minute, demonstrating that passwords made up of letters and numbers aren’t good enough. He also stated that this method is useful for ethical hackers who have only limited time to perform their testing.

Unfortunately, hackers have the same benefit and can perform their attacks before anyone detects them!

Philippe Oechslin, PhD, CISSP, is a lecturer and senior research assistant at the Swiss Federal Institute of Technology in Lausanne and spends his spare time as an independent information-security consultant.



Technical password vulnerabilities

You can often find these serious technical vulnerabilities after exploiting organizational password vulnerabilities:

Weak password-encryption schemes. Hackers can break weak password storage mechanisms by using cracking methods that I outline in this chapter. Many vendors and developers believe that passwords are safe from hackers if they don’t publish the source code for their encryption algorithms. Wrong! A persistent, patient hacker can usually crack this security by obscurity fairly quickly. After the code is cracked, it is soon distributed across the Internet and becomes public knowledge.

Password-cracking utilities take advantage of weak password encryption.

These utilities do the grunt work and can crack any password, given enough time and computing power.

Software that stores passwords in memory and easily accessed databases.

End-user applications that display passwords on the screen while typing.

The ICAT Metabase (an index of computer vulnerabilities) currently identifies over 460 technical password vulnerabilities, 230 of which are labeled as high-severity. You can search for some of these issues at icat.nist.gov/icat.cfm to find out how vulnerable some of your systems are from a technical perspective.

Cracking Passwords

Password cracking is one of the most enjoyable hacks for the bad guys. It fuels their sense of exploration and desire to figure things out. You may not have a burning desire to explore everyone’s passwords, but it helps to approach password cracking with this thinking. So where should you start hacking the passwords on your systems? Generally speaking, any user’s password works.

After you obtain one password, you can obtain others — including administrator or root passwords.

Administrator passwords are the pot of gold. With unauthorized administrative access, you can do virtually anything on the system. When looking for your organization’s password vulnerabilities, I recommend first trying to obtain the highest level of access possible (such as administrator) through the most discreet method possible. That’s what the hackers do.

You can use low-tech ways and high-tech ways to exploit the vulnerabilities and obtain passwords. For example, you can deceive users into divulging passwords over the telephone or simply observe what a user has written down on a piece of paper. Or you can capture passwords directly from a computer or over a network or the Internet with tools covered in the following sections.




Cracking passwords the old-fashioned way

A hacker can use low-tech methods to crack passwords. These methods include using social-engineering techniques, shoulder surfing, and simply guessing passwords from information that you know about the user.

Social engineering

The most popular low-tech method is social engineering, which is covered in detail in Chapter 5. Social engineering takes advantage of the trusting nature of human beings to gain information that can later be used maliciously.

Techniques

To obtain a password through social engineering, you just ask for it. For example, you can simply call a user and tell him that he has some important-looking e-mails stuck in the mail queue and you need his password to log in and free them up. This is how hackers try to get the information!

If your colleague gives you his password, make sure that he changes it.

Countermeasures

User awareness is the best defense against social engineering. Train users to spot attacks (such as suspicious phone calls or deceitful e-mails) and respond effectively. Their best response is to not give out any information and to alert the appropriate information-security officer in the organization to see whether the inquiry is legitimate and whether a response is necessary.

For this defense to be successful, the organization must enforce a security policy and provide ongoing security-awareness training to users.

Shoulder surfing

Shoulder surfing is an effective, low-tech password hack.

Techniques

To mount this attack, you must be near the user and not look obvious. Simply watch either the user’s keyboard or screen when logging in.

A hacker with a good eye may watch whether the user is glancing around his desk for either a reminder of the password or the password itself.

Many folks have experienced shoulder surfing at the grocery-store checkout line. You swipe your debit card to pay for your chips and dip; you enter your PIN to authorize the transaction; and before you know it, the guy in line behind you has your PIN! He simply watched you enter it into the keypad.

You can try shoulder surfing yourself — though preferably not in the grocery-store checkout line. Just walk around the office and perform random spot checks. Go to users’ desks, and ask them to log in to their computers, the network, or even their e-mail applications. Just don’t tell them what you’re doing beforehand, or they’ll be on to you and attempt to hide what they’re typing or where they’re looking for their password — two things that they should’ve been doing all along!

Countermeasures

Encourage users to be aware of their surroundings and not enter their passwords when they suspect that someone is looking over their shoulder.

Instruct users that if they suspect someone is looking over their shoulder while they’re logging in, they should politely ask the person to look away.

Inference

Inference is simply guessing passwords from information you know about users — such as their date of birth, favorite television show, and phone numbers. It sounds silly, but you can determine passwords by guessing!

The best defense against an inference hack attack is to educate users about creating secure passwords that do not include information that can be associated with them. You can’t easily enforce this practice with technical controls, so you need a sound security policy and ongoing awareness training to remind users of the importance of secure password creation.

Weak authentication

Hackers can obtain — or simply avoid having to use — passwords by taking advantage of older operating systems, such as Windows 9x and Me. These operating systems don’t require passwords to log in.

Bypassing authentication

On a Windows 9x or similar workstation that’s prompting for a password, you can press Esc on the keyboard to get right in. After you’re in, you can find other passwords stored in such places as dial-up networking connections and screen savers. These weak systems can serve as trusted machines — meaning that it’s assumed that they’re secure — and provide good launching pads for network-based password attacks as well.

Countermeasures

The only true defense against this hack is to not use operating systems that employ weak authentication. To eliminate this vulnerability, upgrade to Windows XP, or use Linux or the flavors of UNIX, including Mac OS X.

More modern authentication systems (such as Kerberos, which is used in newer versions of Windows), directory services (such as Novell’s eDirectory), and network-based e-mail systems (such as Exchange) encrypt user passwords or don’t communicate the passwords across the network. These measures create an extra layer of security, but these authentication systems still have some vulnerabilities, which I discuss shortly.




High-tech password cracking

High-tech password cracking involves using a program that tries to guess a password by determining all possible password combinations. These high-tech methods are mostly automated after you access the computer and password database files.

Password cracking software

You can try to crack your organization’s operating-system and Internet-application passwords with various password cracking tools:

LC4 (previously called L0phtcrack) can sniff out password hashes from the wire. Go to www.atstake.com/research/lc

NetBIOS Auditing Tool (NAT) specializes in network-based password attacks. Go to www.securityfocus.com/tools/543

Chknull (www.phreak.org/archives/exploits/novell) for Novell NetWare password testing

These tools require physical access to the tested computer:

•John the Ripper (www.openwall.com/john)

•pwdump2 (razor.bindview.com/tools/desc/pwdump2_readme.html)

•Crack (coast.cs.purdue.edu/pub/tools/unix/pwdutils/crack)

•Brutus (www.hoobie.net/brutus)

•Pandora (www.nmrc.org/project/pandora)

•NTFSDOS Professional (www.winternals.com)

Various other handy password tools exist, such as

•GetPass for decrypting login passwords for Cisco routers (www.boson.com/promo/utilities/getpass/getpass_utility.htm)

•Win Sniffer for capturing FTP, e-mail, and other types of passwords off the network

•Cain and Abel for capturing, cracking, and even calculating various types of passwords on a plethora of systems (www.oxid.it/cain.html)

You may be wondering what value a password-cracking tool offers if you need physical access to your systems to test them. Some would say that if a hacker can obtain physical access to your systems and password files, you have more than just basic information-security problems to worry about. But this kind of access is entirely possible! What about a summer intern, a disgruntled employee, or an outside consultant with malicious intent?


Password-cracking utilities take a set of known passwords and run them through a password-hashing algorithm. The resulting hashes — or an encrypted form of a data set — are then compared at lightning speed to the password hashes extracted from the original password database. When a match is found between the newly generated hash and the hash in the original database, the password has been cracked. It’s that simple.
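The hash-and-compare loop just described, together with the case study’s point that a hash with no random element can be computed once and reused against every system, as an added example that is not the book’s or Dr. Oechslin’s code: SHA-256 stands in for the LM/NT hash, the accounts and word list are constructed, and the salted variant is added to show the countermeasure the case study implies.

```python
"""Added example (not from the book): hash-and-compare auditing, and why
hashes with no random element can be precomputed once and reused.

SHA-256 stands in for the Windows LM/NT hash; only the presence or absence
of a per-account salt matters here, not the algorithm.
"""
import hashlib
import os
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed word list: a tiny stand-in for the dictionary files named in the chapter.
WORDLIST: List[str] = ["123456", "password", "letmein", "qwerty", "guess", "zucchini"]

# Counts hash computations so the cost of the two audits can be compared.
HASH_CALLS = {"count": 0}


def _digest(data: bytes) -> str:
    HASH_CALLS["count"] += 1
    return hashlib.sha256(data).hexdigest()


def unsalted_hash(password: str) -> str:
    """Deterministic, like LM/NT: the same password gives the same digest
    on every machine, so one precomputed table serves every target."""
    return _digest(password.encode())


def salted_hash(password: str, salt: bytes) -> str:
    """Per-account random salt: equal passwords no longer share a digest."""
    return _digest(salt + password.encode())


def build_precomputed_table(words: Iterable[str]) -> Dict[str, str]:
    """Hash every candidate once, up front (the 'dictionary of all hashes'
    idea from the case study, without the chain compression)."""
    return {unsalted_hash(w): w for w in words}


def audit_unsalted(store: Dict[str, str], table: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Each stored digest costs one lookup and zero hash operations."""
    return {user: table.get(digest) for user, digest in store.items()}


def audit_salted(store: Dict[str, Tuple[bytes, str]], words: List[str]) -> Dict[str, Optional[str]]:
    """Every candidate must be re-hashed under each account's own salt."""
    results: Dict[str, Optional[str]] = {}
    for user, (salt, digest) in store.items():
        results[user] = next((w for w in words if salted_hash(w, salt) == digest), None)
    return results


def sample_accounts() -> Dict[str, str]:
    """Constructed accounts; ten users share the same weak password."""
    accounts = {"weak": "123456", "newuser": "password", "lame": "guess", "admin": "Vx7!kq9Lm2"}
    for i in range(10):
        accounts[f"user{i}"] = "qwerty"
    return accounts


def demo() -> dict:
    accounts = sample_accounts()

    # Storage side: what each kind of system writes to its password database.
    unsalted_store = {u: unsalted_hash(p) for u, p in accounts.items()}
    salted_store: Dict[str, Tuple[bytes, str]] = {}
    for u, p in accounts.items():
        salt = os.urandom(16)
        salted_store[u] = (salt, salted_hash(p, salt))

    # Audit side, unsalted: build the table once, then look up every account.
    HASH_CALLS["count"] = 0
    found_unsalted = audit_unsalted(unsalted_store, build_precomputed_table(WORDLIST))
    cost_unsalted = HASH_CALLS["count"]  # len(WORDLIST), however many accounts exist

    # Audit side, salted: the table is useless; candidates are hashed per account.
    HASH_CALLS["count"] = 0
    found_salted = audit_salted(salted_store, WORDLIST)
    cost_salted = HASH_CALLS["count"]  # grows with accounts x candidates

    return {
        "found_unsalted": found_unsalted,
        "found_salted": found_salted,
        "cost_unsalted": cost_unsalted,
        "cost_salted": cost_salted,
        # Identical passwords are visible as identical digests only without a salt.
        "distinct_unsalted": len(set(unsalted_store.values())),
        "distinct_salted": len({d for _, d in salted_store.values()}),
    }


if __name__ == "__main__":
    r = demo()
    print(f"unsalted: {r['cost_unsalted']} hashes, salted: {r['cost_salted']} hashes")
```

Both audits recover the same weak passwords, but the unsalted audit spends six hash operations in total regardless of how many accounts exist, while the salted audit has to start over for every account; a slow, salted password hash is what makes that cost bite.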

Other password-cracking programs simply attempt to log on using a predefined set of user IDs and passwords. In fact, NAT can do just that. NAT takes advantage of some known weaknesses in Microsoft’s Server Message Block (SMB) protocol, which is used for file and print sharing.

Try running NAT in a real-world scenario. Simply download NAT from the preceding address, and extract it to a temporary directory on your hard drive. NAT comes with some predefined usernames and passwords in the userlist.txt and passlist.txt files, but you can modify them or add your own. For a quick test of a Windows NT or 2000 machine across the network, enter this basic NAT command at a command prompt:

nat -u userlist.txt -p passlist.txt IP_address_of_the_computer_you’re_testing

Figure 7-1 shows the output of my test server when I ran NAT against it. NAT used the default password list to crack the administrator password in just a few seconds. If you don’t have any luck, consider using one of the dictionary files listed in the next section. Just give the test some time. If you use one of the larger lists, the process may take quite a while.

Passwords that are subjected to cracking tools eventually lose. You have access to the same tools as the bad guys. These tools can be used for both legitimate auditing and malicious attacks. You want to audit your passwords before the bad guys do, and in this section, I show you some of my favorite methods for auditing Windows and Linux/UNIX passwords.

Figure 7-1:

Output from the NetBIOS Auditing Tool.




When trying to crack passwords, the associated user accounts may be locked out, which could interrupt your users. Be careful if you have intruder lockout enabled — you may have to go back in and reenable locked accounts.

Passwords are typically stored on a computer in an encrypted fashion, using an encryption or one-way hash algorithm such as DES or MD5. Hashed passwords are then represented as fixed-length encrypted strings that always represent the same passwords with exactly the same strings. These hashes are irreversible for all practical purposes, so passwords can never be decrypted.

Password storage locations vary by operating system:

Windows usually stores passwords in these locations:

•Security Accounts Manager (SAM) database (c:\winnt\system32\config)

•Active Directory database file that’s stored locally or spread across domain controllers (ntds.dit)

Windows sometimes stores passwords in either a backup of the SAM file in the c:\winnt\repair directory or on an emergency repair disk.

Some Windows applications store passwords in the Registry or as plain-text files on the hard drive!

Linux and other UNIX variants typically store passwords in these files:

•/etc/passwd (readable by everyone)

•/etc/shadow (accessible by root only)

•/etc/security/passwd (accessible by root only)

•/.secure/etc/passwd (accessible by root only)

Two high-tech password-cracking methods are dictionary attacks and brute-force attacks.

Dictionary attacks

Dictionary attacks against passwords quickly compare a set of words — including many common passwords — against a password database. This database is a text file with thousands of words typically listed in alphabetical order. For instance, suppose that you have a dictionary file that you downloaded from one of the sites in the following list. The English dictionary file at the Purdue site contains one word per line starting with 10th, 1st . . . all the way to zucchini and zygote.

Many password-cracking utilities can use a separate dictionary that you create or download from the Internet. Here are some popular sites that house dictionary files and other miscellaneous word lists:


ftp://ftp.cerias.purdue.edu/pub/dict

ftp://ftp.ox.ac.uk/pub/wordlists

packetstormsecurity.nl/Crackers/wordlists

www.outpost9.com/files/WordLists.html

Most dictionary attacks are good for weak (easily guessed) passwords.

However, some special dictionaries have common misspellings of words such as pa$$w0rd (password) and 5ecur1ty (security), non-English words, and thematic words from religions, politics, or Star Trek.

Brute-force attacks

Brute-force attacks can crack any password, given sufficient time. Brute-force attacks try every combination of numbers, letters, and special characters until the password is discovered. Many password-cracking utilities let you specify such testing criteria as the characters and password length to try.

A brute-force test can take quite a while, depending on the number of accounts, their associated password complexities, and the speed of the computer that’s running the cracking software.

Smart hackers attempt logins slowly or at random times so the failed login attempts aren’t as predictable or obvious in the system log files. Some malicious users may even call the IT help desk to attempt a reset of the account they’ve just locked out. This social-engineering technique could be a major issue, especially if the organization has no or minimal mechanisms in place to verify that locked-out users are who they say they are.

Can an expiring password deter a hacker’s attack and render password-cracking software useless? Yes. After the password is changed, the cracking must start again if the hacker wants to test all the possible combinations.

This is one reason why passwords must be changed periodically. Shortening the change interval can reduce the risk of a password’s being cracked.

Exhaustive password-cracking attempts usually aren’t necessary. Most passwords are fairly weak. Even minimum password requirements, such as a password length, can help you in your testing; you may be able to give your cracking programs more defined cracking parameters, which eliminates combinations for faster results.

Cracking passwords with pwdump2 and John the Ripper

The following steps use two of my favorite utilities to test the security of current passwords on Windows systems:




pwdump2 (to extract password hashes from the Windows SAM database)

John the Ripper (to crack the hashes of Windows and UNIX passwords)

This test requires administrative access to either your Windows NT/2000 stand-alone workstation or server:

1. Create a new directory called passwords from the root of your Windows C: drive.

2. Download and install a decompression tool, if you don’t have one.

FreeZip (members.ozemail.com.au/~nulifetv/freezip) and IZArc (www.webattack.com/get/izarc.shtml) are free Windows decompression tools. Windows XP includes built-in decompression.

3. Download, extract, and install the following software, if you don’t already have it on your system:

• pwdump2 — download the file from razor.bindview.com/tools/desc/pwdump2_readme.html

• John the Ripper — download the file from www.openwall.com/john

4. Enter the following command to run pwdump2 and redirect its output to a file called cracked.txt:

pwdump2 > cracked.txt

This file will be used to store the Windows SAM password hashes that will later be cracked with John the Ripper. Figure 7-2 shows the contents of the cracked.txt file that contains the local Windows SAM-database password hashes.

5. Enter the following command to review the contents from the resulting hashes:

type cracked.txt

All the users on your system are listed (similar to Figure 7-3), whether you run this on a stand-alone Windows NT/2000 system or Windows Primary Domain Controller (PDC).

Figure 7-2: Output from pwdump2.

6. Enter the following command to run John the Ripper against the Windows SAM password hashes to display the cracked passwords:

john cracked.txt

You should see something similar to the following:

Loaded 3 passwords with no different salts (NT LM DES [24/32 4K])
123              (Weak:1)
PASS             (Newuser:1)
GUESS            (Lame:1)
guesses: 3  time: 0:00:00:00 (3)  c/s: 165146  trying: SAMELL - SANDIT

This process can take seconds or days, depending on the number of users and the complexity of their associated passwords. My Windows example took only five seconds to crack five weak passwords.

John the Ripper can crack UNIX passwords. You need root access to your system and to the password (/etc/passwd) and shadow password (/etc/shadow) files. Perform the following steps for cracking UNIX passwords:

1. Download the UNIX source files from www.openwall.com/john.

2. Extract the program by entering the following command:

tar -zxf john-1.6.tar.gz

3. Change into the /src directory that was created when you extracted the program, and enter the following command:

make generic

4. Change into the /run directory, and enter the following command to use the unshadow program to combine the passwd and shadow files and copy them to the file cracked.txt:

./unshadow /etc/passwd /etc/shadow > cracked.txt

5. Enter the following command to start the cracking process:

./john cracked.txt

When John the Ripper is complete (and this could take some time), you get an output similar to the results of the preceding Windows process.
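An added audit script, not from the book and not part of pwdump2 or John the Ripper, that reads the cracked.txt produced by either procedure above before any cracking starts. It reports accounts whose hash is the well-known value for an empty password, Windows accounts that still store an LM hash (the NoLMHash setting is covered under “Securing Operating Systems” later in this chapter), and UNIX accounts that share UID 0 with root. The dump lines it runs against are constructed.

```python
"""Audit a cracked.txt hash file before (or instead of) cracking it.

Added example, not from the book or from pwdump2/John the Ripper.
Handles both formats produced by the steps above:
  pwdump2:   user:RID:LM-hash:NT-hash:::
  unshadow:  user:hash:uid:gid:gecos:home:shell   (passwd with the shadow hash)
"""
import re

# Well-known hash values of an empty Windows password (real constants).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):",
    re.IGNORECASE,
)


def audit_pwdump(lines):
    """Return (user, issue) pairs for a pwdump2-format dump."""
    findings = []
    for line in lines:
        m = PWDUMP_RE.match(line.strip())
        if not m:
            continue                      # blank line or unexpected format
        user = m["user"]
        lm, nt = m["lm"].lower(), m["nt"].lower()
        if nt == EMPTY_NT:
            findings.append((user, "empty password"))
        if lm != EMPTY_LM:
            # An LM hash is present: the password is under 15 characters and
            # NoLMHash is not in effect for this account.
            findings.append((user, "LM hash stored"))
    return findings


def audit_unshadow(lines):
    """Return (user, issue) pairs for unshadow output (passwd format)."""
    findings = []
    uid_zero = []
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) != 7:
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append((user, "empty password"))
        if uid == "0":
            uid_zero.append(user)
    # A second UID-0 entry is a root backdoor (see the Linux/UNIX tips later).
    if len(uid_zero) > 1:
        for user in uid_zero:
            if user != "root":
                findings.append((user, "duplicate UID 0"))
    return findings


def audit_file(text):
    """Pick the format by inspecting the first non-empty line, then audit."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    if PWDUMP_RE.match(lines[0]):
        return audit_pwdump(lines)
    return audit_unshadow(lines)


# Constructed sample dumps; every hash below is made up except the two
# empty-password constants.
PWDUMP_SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Weak:1001:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
Newuser:1002:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
"""

UNSHADOW_SAMPLE = """\
root:$1$ab$madeuphash0000000000000:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/:/sbin/nologin
lame::1001:1001:Lame User:/home/lame:/bin/sh
toor:$1$cd$madeuphash1111111111111:0:0:second root:/root:/bin/sh
"""

if __name__ == "__main__":
    for name, sample in (("pwdump2", PWDUMP_SAMPLE), ("unshadow", UNSHADOW_SAMPLE)):
        for user, issue in audit_file(sample):
            print(f"{name}: {user}: {issue}")
```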

Figure 7-3: Cracked password file hashes from pwdump2.



After completing the preceding Windows or UNIX steps, you can either

Force users to change passwords that don’t meet specific password policy requirements.

Create a password policy from scratch.

Be careful handling the results of your password cracking. Password information for others is confidential and should be treated with care.

Checking for null passwords in NetWare

Using the chknull program, you can test for NetWare users that have empty passwords, passwords that match their username, or passwords that match a specific password that you supply on the command line. Figure 7-4 shows the output of a chknull session against a NetWare server without being logged in: Four users have blank passwords, three users have the password “123,” and one user’s password is the same as his username (avadminuser).

General password-hacking countermeasures

A password for one system usually equals passwords for many other systems, because many people use the same passwords on every system they use. For this reason, instruct users to create different passwords for different systems, especially on the systems that protect more sensitive information.

Strong passwords are important, but balance security and convenience:

You can’t expect users to memorize passwords that are insanely complex and changed every week.

You can’t afford weak passwords or no passwords at all.

Figure 7-4: NetWare password weaknesses found with chknull.

Storing passwords

If you have to choose between weak passwords that your users can memorize and strong passwords that your users must write down, I recommend having readers write down passwords and store the information securely.

Train users to store their written passwords in a secure place — not on keyboards or in easily cracked password-protected computer files (such as spreadsheets). Users should store a written password in either of these locations:

A locked file cabinet or office safe

An encrypted file or database, using such tools as

• PGP (www.pgpi.org for the free open-source version or www.pgp.com for the commercial version)

• Open-source Password Safe, originally developed by Counterpane (passwordsafe.sourceforge.net)

No sticky notes!

Policy considerations

As an ethical hacker, you should show users the importance of securing their passwords. Here are some tips on how to do that:

Passwords by the numbers

One hundred twenty-eight different ASCII characters are used in typical computer passwords. (Technically, only 126 characters are used, because you can’t use the NULL and the carriage return characters.) A truly random eight-character password that uses 126 different characters can have 63,527,879,748,485,376 different combinations. Taking that a step further, if it were possible (and it is, in Linux and UNIX) to use all 256 ASCII characters (254, without NULL and carriage return) in a password, 17,324,859,965,700,833,536 different combinations are possible. This is approximately 2.7 billion times more combinations than there are people on earth!

A text file containing all these possible passwords would require millions of terabytes of storage space. Even if you included just the more realistic combination of 95 or so ASCII letters, numbers, and standard punctuation characters, such a file would still fill thousands of terabytes of storage space. These storage requirements require password-cracking programs to form the password combinations on the fly, instead of reading all possible combinations from a text file. That’s why brute-force attacks are more effective at cracking passwords than dictionary attacks.

Given the effectiveness of brute-force password attacks, it’s not unrealistic to think that in the future, anyone will be able to crack all possible password combinations, given the current technology and average lifespan. It probably won’t happen, but many of us also thought in the mid-1980s that 640KB of RAM and 10MB hard drives in our PCs were all we needed.



Demonstrate how to create secure passwords. You may want to refer to them as pass codes or pass phrases, because people tend to take the word passwords literally and use only words, which can be less secure.

Show what can happen when weak passwords are used or passwords are shared.

Diligently build user awareness of social-engineering attacks.

Enforce (or encourage the use of) a strong password-creation policy that includes the following criteria:

Use upper- and lowercase letters, special characters, and numbers. (Never use only numbers. These passwords can be cracked quickly.)

Misspell words or create acronyms from a quote or a sentence. (An acronym is a word created from the initials of a phrase. For example, ASCII is an acronym for American Standard Code for Information Interchange.)

Use punctuation characters to separate words or acronyms.

Change passwords every 6 to 12 months.

Use different passwords for each system. This is especially important for network-infrastructure hosts, such as servers, firewalls, and routers.

Use variable-length passwords. This can throw off the hackers, because they won’t know the required minimum or maximum length of passwords and must try all password length combinations.

Don’t use common slang words or words that are in a dictionary.

Don’t use similar-looking characters, such as 3 instead of E, 5 instead of S, or ! instead of 1. Password-cracking programs can check for this.

Don’t reuse the same password within 12 months.

Use password-protected screen savers.

Don’t share passwords.

Avoid storing user passwords in a central place, such as an unsecured spreadsheet on a hard drive. This is an invitation for disaster. Use PGP, Password Safe, or a similar program to store user passwords.
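An added example, not from the book, that turns the testable items of the password-creation policy above (plus the empty-password and equals-username checks that chknull performs) into a filter you could run before a password is accepted. The minimum length of 8, the requirement for three of the four character classes, the look-alike substitutions beyond the three the text names, and the tiny stand-in dictionary are assumptions.

```python
"""Password policy filter for the criteria listed above.

Added example, not from the book. It implements the items a program can
test; change intervals and not sharing passwords are policy, not string
properties. MIN_LENGTH, MIN_CLASSES, the look-alike substitutions beyond
the three the text names, and the small dictionary are assumptions.
"""
import itertools
import string

MIN_LENGTH = 8      # assumption: the text gives no minimum
MIN_CLASSES = 3     # assumption: of upper, lower, digit, special

# Look-alike characters a cracker undoes. The text names 3/E, 5/S and !/1;
# the rest are added here. "" means "this character may just be a separator".
SUBST = {
    "3": ("e", ""), "5": ("s", ""), "1": ("i", "l", ""), "!": ("i", "l", ""),
    "0": ("o", ""), "@": ("a", ""), "$": ("s", ""), "4": ("a", ""), "7": ("t", ""),
}

# Constructed stand-in for a real wordlist.
DICTIONARY = {"password", "secret", "welcome", "monkey", "letmein", "guess",
              "pass", "admin", "summer"}


def normalized_forms(password):
    """Every spelling obtained by undoing look-alike substitutions.

    Non-letters that are not look-alikes are dropped, since the text
    recommends them only as separators between words or acronym letters.
    """
    pools = []
    for ch in password.lower():
        if ch in string.ascii_lowercase:
            pools.append((ch,))
        elif ch in SUBST:
            pools.append(SUBST[ch])
        else:
            pools.append(("",))
    forms = set()
    # Bound the expansion for passwords made of many look-alike characters.
    for combo in itertools.islice(itertools.product(*pools), 20_000):
        forms.add("".join(combo))
    forms.discard("")
    return forms


def check_password(password, username, dictionary=DICTIONARY):
    """Return the criteria the password violates; an empty list means it passes."""
    if password == "":
        return ["empty password"]            # the first thing chknull looks for
    problems = []
    if password.lower() == username.lower():
        problems.append("matches username")  # the avadminuser case above
    elif username and username.lower() in password.lower():
        problems.append("contains username")
    if password.isdigit():
        problems.append("numbers only")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    tests = (str.isupper, str.islower, str.isdigit, lambda c: c in string.punctuation)
    classes = sum(1 for test in tests if any(test(c) for c in password))
    if classes < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if normalized_forms(password) & dictionary:
        problems.append("dictionary word (after undoing look-alike characters)")
    return problems


if __name__ == "__main__":
    for pw, user in (("", "bob"), ("123", "weak"), ("P@55w0rd!", "alice"),
                     ("avadminuser", "avadminuser"), ("Tb,on2b!TiTq", "hamlet")):
        print(f"{pw!r:16} {check_password(pw, user) or 'OK'}")
```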

Other considerations

Here are some other password-hacking countermeasures that I recommend:

Enable security auditing to help monitor and track password attacks.

Test your applications to make sure they aren’t storing passwords in memory or writing them to disk.


Some password-cracking Trojan-horse applications are transmitted through worms or simple e-mail attachments, such as VBS.Network.B and PWSteal.SoapSpy. These applications can be lethal to your password-protection mechanisms if they’re installed on your systems. The best defense is malware protection software, such as antivirus protection (from a vendor like Norton or McAfee), spyware protection (such as PestPatrol or Spybot), or malicious-code behavioral protection (such as Finjan’s offerings).

Keep your systems patched. Passwords are reset or compromised during buffer overflows or other DoS conditions.

Know your user IDs. If an account has never been used, delete or disable the account until it’s needed. You can determine unused accounts by manual inspection or by using a tool such as DumpSec (www.somarsoft.com), which can enumerate the Windows operating system and gather user ID and other information.

As the security administrator in your organization, you can enable account lockout to prevent password-cracking attempts. Most operating systems and some applications have this capability. Don’t set it too low (less than five failed logins), and don’t set it so high that it gives a malicious user a greater chance of breaking in. Somewhere between 5 and 50 may work for you. I usually recommend a setting of around 10 or 15.

To use account lockout and prevent any possibilities of a user DoS condition, require two different passwords, and don’t set a lockout time for the first one.

If you permit auto reset of the account after a certain time period — often referred to as intruder lockout — don’t set a short time period. Thirty minutes often works well.

A failed login counter can increase password security and minimize the overall effects if the account is being compromised by an automated attack. It can force a password change after a number of failed attempts. If the number of failed login attempts is high, and they all occurred in a short period of time, the account has likely experienced an automated password attack.
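An added example, not from the book, that implements the lockout and failed-login-counter logic just described over a login log: a threshold of 10 failures, a 30-minute intruder-lockout reset, and a second check that also catches the slow attacker mentioned earlier in this chapter, whose failures never cluster. The 10-minute observation window, the log line format, and the log lines themselves are constructed assumptions.

```python
"""Account lockout and failed-login detection over a login log.

Added example, not from the book. The threshold (10) and the 30-minute
intruder-lockout reset come from the recommendations above; the 10-minute
observation window and the log line format are assumptions. The log lines
at the bottom are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) LOGIN user=(\S+) result=(OK|FAIL)$")


def parse_line(line):
    """Return (timestamp, user, result) for one constructed-format log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S"), m[2], m[3]


class LockoutTracker:
    """Count failures per account and lock the account at the threshold."""

    def __init__(self, threshold=10, window=timedelta(minutes=10),
                 lockout=timedelta(minutes=30)):
        self.threshold, self.window, self.lockout = threshold, window, lockout
        self.failures = defaultdict(list)     # user -> recent failure times
        self.locked_until = {}

    def is_locked(self, user, now):
        return user in self.locked_until and now < self.locked_until[user]

    def record(self, user, ok, now):
        """Return 'locked', 'ok', 'fail' or 'lockout' for one login attempt."""
        if self.is_locked(user, now):
            return "locked"            # rejected regardless of the password
        if ok:
            self.failures.pop(user, None)
            return "ok"
        recent = [t for t in self.failures[user] if now - t <= self.window]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.threshold:
            self.locked_until[user] = now + self.lockout   # intruder lockout
            self.failures.pop(user)
            return "lockout"
        return "fail"

    def record_line(self, line):
        ts, user, result = parse_line(line)
        return self.record(user, result == "OK", ts)


def replay(lines, tracker=None, slow_threshold=10):
    """Replay a log in time order.

    Returns (lockouts, suspicious, tracker): lockouts are (user, time) pairs
    where the threshold was hit inside the window (an automated attack);
    suspicious also catches the slow attacker the text warns about, whose
    failures never cluster but add up over the whole log.
    """
    tracker = tracker or LockoutTracker()
    events = sorted(parse_line(ln) for ln in lines if ln.strip())
    lockouts, totals = [], defaultdict(int)
    for ts, user, result in events:
        verdict = tracker.record(user, result == "OK", ts)
        if verdict in ("fail", "lockout"):
            totals[user] += 1
        if verdict == "lockout":
            lockouts.append((user, ts))
    suspicious = {u for u, n in totals.items() if n >= slow_threshold}
    return lockouts, suspicious, tracker


# Constructed sample: alice is hit by a fast automated attack, bob by a slow
# one (one failure per hour), carol logs in normally.
_BASE = datetime(2004, 3, 1, 22, 0, 0)
SAMPLE_LOG = (
    [f"{_BASE + timedelta(seconds=15 * i):%Y-%m-%d %H:%M:%S} LOGIN user=alice result=FAIL"
     for i in range(10)]
    + [f"{_BASE + timedelta(hours=i):%Y-%m-%d %H:%M:%S} LOGIN user=bob result=FAIL"
       for i in range(12)]
    + [f"{_BASE + timedelta(minutes=5):%Y-%m-%d %H:%M:%S} LOGIN user=carol result=OK"]
)

if __name__ == "__main__":
    lockouts, suspicious, tracker = replay(SAMPLE_LOG)
    for user, ts in lockouts:
        print(f"{ts}: {user} locked out until {tracker.locked_until[user]}")
    print("accounts with enough failures to look automated:", sorted(suspicious))
```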

Some more password-protection countermeasures include the following:

Use stronger authentication methods, such as challenge/response, smart cards, tokens, biometrics, or digital certificates.

Automate password reset. This functionality lets users manage most of their password problems without getting others involved. Otherwise, this support issue becomes expensive, especially for larger organizations.

Password-protect the system BIOS (basic input/output system). This is especially important on servers and laptops that are susceptible to physical-security threats and vulnerabilities.




Password-protected files

Do you wonder how vulnerable word-processing, spreadsheet, and zip files are as users send them into the wild blue yonder? Wonder no more. Some great utilities can show how easily passwords are cracked.

Cracking files

Most password-protected files can be cracked in seconds or minutes. You can demonstrate this “wow-factor” security vulnerability to users and management. Here’s a real-world scenario:

Your CFO wants to send some confidential financial information in an Excel spreadsheet to the company’s outside financial advisor.

She protects the spreadsheet by assigning a password to it during the file-save process in Excel 2002.

For good measure, she uses WinZip to compress the file, and adds another password to make it really secure.

The CFO sends the spreadsheet as an e-mail attachment, assuming that it will reach its destination securely.

The financial advisor’s network has content filtering, which monitors incoming e-mails for keywords and file attachments. Unfortunately, the financial advisory firm’s network administrator is looking in the content-filtering system to see what’s coming in.

This rogue network administrator finds the e-mail with the confidential attachment, saves the attachment, and realizes that it’s password-protected.

The network administrator remembers some great password-cracking utilities from ElcomSoft (www.elcomsoft.com) that can help him out. He may see something like Figures 7-5 and 7-6.

Cracking password-protected files is as simple as that! Now all that the rogue network administrator must do is forward the confidential spreadsheet to his buddies or the company’s competitors.

If you carefully select the right options in Advanced ZIP Password Recovery and Office XP Password Recovery, you can drastically shorten your testing time. For example, if you know that a password is not over 5 characters or is lowercase letters only, you can cut the cracking time in half.

I recommend performing these file password-cracking tests on files that you capture with a content-filtering or network-analysis tool.


Countermeasures

The best defense against weak file password protection is to require your users to use a stronger form of file protection, such as PGP, when necessary. Ideally, you don’t want to rely on users to make decisions about what they should use this method to secure, but it’s better than nothing. Stress that a file-encryption mechanism such as PGP is secure only if users keep their passwords confidential and never transmit or store them in clear text.

Figure 7-5: ElcomSoft’s Advanced ZIP Password Recovery cracking a zip file.

Figure 7-6: ElcomSoft’s Advanced Office XP Password Recovery cracking a spreadsheet.




If you’re concerned about nonsecure transmissions through e-mail, consider one of these options:

Block all outbound e-mail attachments that aren’t protected on your e-mail server.

Use an encryption program, such as PGP, to create self-extracting encrypted files.

Use content-filtering applications.

Other ways to crack passwords

Over the years, I’ve found other ways to crack passwords, both technically and through social engineering.

Keystroke logging

One of the best techniques for cracking passwords is remote keystroke logging — the use of software or hardware to record keystrokes as they’re being typed into the computer.

Be careful with keystroke logging. Even with good intentions, monitoring employees can raise some legal issues. Discuss what you’ll be doing with your legal counsel, and get approval from upper management.

Logging tools

With keystroke-logging tools, you can later assess the log files of your application to see what passwords people are using:

Keystroke-logging applications can be installed on the monitored computer. I recommend that you check out eBlaster and Spector Pro by SpectorSoft (www.spectorsoft.com). Another popular tool that you can use is Invisible KeyLogger Stealth, at www.amecisco.com/iks.htm, as well as the hardware-based KeyGhost (www.keyghost.com). Dozens of other such tools are available on the Internet.

Hardware-based tools fit between the keyboard and the computer or replace the keyboard altogether.

A shared computer can capture the passwords of every user who logs in.

Countermeasures

The best defense against the installation of keystroke-logging software on your systems is a spyware-detection program or popular antivirus products.


The potential for hackers to install keystroke-logging software is another reason to ensure that your users aren’t downloading and installing random shareware or opening attachments in unsolicited e-mails. Consider locking down your desktops by setting the appropriate user rights through local or group security policy in Windows. Alternatively, you could use a commercial lock-down program, such as Fortres 101 (www.fortres.com) for Windows or Deep Freeze (www.deepfreezeusa.com) for Windows and Mac OS X.

Weak password storage

Many legacy and stand-alone applications such as e-mail, dial-up network connections, and accounting software store passwords locally, making them vulnerable to password hacking. By performing a basic text search, I’ve found passwords stored in clear text on the local hard drives of machines.

Searching

You can try using your favorite text-searching utility — such as the Windows search function, findstr, or grep — to search for password or passwd on your drives. You may be shocked to find what’s on your systems. Some programs even write passwords to disk or leave them stored in memory.

This is a hacker’s dream. Head it off if you can.

Countermeasures

The only reliable way to eliminate weak password storage is to use only applications that store passwords securely. This may not be practical, but it’s your only guarantee that your passwords are secure.

Before upgrading applications, contact your software vendor or search for a third-party solution.

Network analyzer

A network analyzer sniffs the packets traversing the network. This is what the bad guys do if they can gain control over a computer or gain physical network access to set up their network analyzer. If they gain physical access, they can look for a network jack on the wall and plug right in!

Testing

Figure 7-7 shows how crystal-clear passwords can be through the eyes of a network analyzer. This figure shows the password packet from an EtherPeek capture of a POP3 session using Microsoft Outlook to download messages from an e-mail server. Look in the POP — Post Office Protocol section for the password of “MyPassword”. These same clear-text password vulnerabilities can apply to instant messaging, Web-site logins, telnet sessions, and more.

Basically, if traffic is not being tunneled through a VPN, SSH, SSL, or some other form of encrypted link, it’s vulnerable to attack.




Although you can benefit from using a commercial network analyzer such as EtherPeek, you don’t need to buy one for your testing. An open-source program, Ethereal, runs on Windows and UNIX platforms. You can search for password traffic on the network a million ways. For example, to capture POP3 password traffic, set up a trigger to search for the PASS command. When the network analyzer sees the PASS command in the packet, it starts capturing data until your specified time or number of packets.

Capture this data on a hub segment of your network, or plug your network-analyzer system into a monitor port on a switch. Otherwise, you can’t see anyone else’s data traversing the network — just yours. Check your switch’s user’s guide for whether it has a monitor or mirror port and instructions on how to configure it. You can connect your network analyzer to a hub on the public side of your firewall. You’ll capture only those packets that are entering or leaving your network — not internal traffic.

Countermeasures

Here are some good defenses against network-analyzer attacks:

Use switches on your network, not hubs.

If you must use hubs on network segments, a program such as sniffdet, cpm, or sentinel can detect network cards in promiscuous mode (accepting all packets, whether destined for it or not). Network cards in this mode are signs of a network analyzer running on the network.

Don’t let a hacker gain physical access to your switches or the network connection on the public side of your firewall. With physical access, a hacker can connect to a switch monitor port, or tap into the unswitched network segment outside the firewall and capture packets.

Switches do not provide complete security because they are vulnerable to ARP poisoning attacks, which I cover in Chapter 9.

Figure 7-7: An EtherPeek capture of a POP3 password packet.

Most computer BIOSs allow power-on passwords and/or setup passwords to protect the computer’s hardware settings that are stored in the CMOS chip. Here are some ways around these passwords:

You can usually reset these passwords by either unplugging the CMOS battery or changing a jumper on the motherboard.

Password-cracking utilities for BIOS passwords are available.

Some systems (especially laptops) can’t be reset easily. You can lose all the hardware settings and lock yourself out of your own computer. If you plan to hack your own BIOS passwords, check for information in your user manual or on labmice.techtarget.com/articles/BIOS_hack.htm on doing this safely.

Weak passwords in limbo

Bad guys often exploit user accounts that have just been reset by a network administrator or help desk. Accounts may need to be reset if users forget their passwords, or if the accounts have been locked out because of failed attempts.

Weaknesses

Here are some reasons why user accounts can be vulnerable:

When user accounts are reset, they often are assigned an easily cracked password (such as the user’s name or the word password). The time between resetting the user account and changing the password is a prime opportunity for a break-in.

Many systems have either default accounts or unused accounts with weak passwords or no passwords at all. These are prime targets.

Countermeasures

The best defenses against attacks on passwords in limbo are solid help-desk policies and procedures that prevent weak passwords from being available at any given time during the password-reset process. Perhaps the best ways to overcome this vulnerability are as follows:

Require users to be on the phone with the help desk, or have a help-desk member perform the reset at the user’s desk.

Require that the user immediately log in and change his password.

If you need the ultimate in security, implement stronger authentication methods, such as challenge/response, smart cards, or digital certificates.

Automate password-reset functionality on your network so users can manage most of their password problems without help from others.

For a good list of default system passwords for vendor equipment, check www.cirt.net/cgi-bin/passwd.pl.

Password-reset programs

Network administrators occasionally use administrator password-resetting programs, which can be used against a network.




Tools

One of my favorites for Windows is NTAccess (www.mirider.com/ntaccess.html). This program isn’t fancy, but it does the job.

Countermeasures

The best safeguard against a hacker using a password-reset program against your systems is to ensure the hacker can’t gain physical access. When a hacker has physical access, all bets are off.

Securing Operating Systems

You can implement various operating-system security measures to ensure that passwords are protected.

Regularly perform these low-tech and high-tech password-cracking tests to make sure that your systems are as secure as possible — perhaps as part of a monthly, quarterly, or biannual audit.

Windows

The following countermeasures can help prevent password hacks on Windows systems:

Some Windows passwords can be gleaned by simply reading the clear text or crackable cipher text from the Windows Registry. Secure your registries by doing the following:

• Allowing only administrator access.

• Hardening the operating system by using well-known hardening best practices, such as those from SANS (www.sans.org), NIST (csrc.nist.gov), the National Security Agency Security Recommendation Guides (www.nsa.gov/snac/index.html), and the ones outlined in Network Security For Dummies, by Chey Cobb (Wiley Publishing, Inc.).

Use SYSKEY for enhanced Windows password protection.

• By default, Windows 2000 encrypts the SAM database that stores hashes of the Windows account passwords. It’s not the default in Windows NT.

• You can use the SYSKEY utility to encrypt the database for Windows NT machines and to move the database-encryption key from Windows 2000 and later machines.

Don’t rely only on the SYSKEY utility. Tools such as ElcomSoft’s Advanced EFS Data Recovery program can crack SYSKEY encryption.


Keep all SAM-database backup copies secure.

Disable the storage of LM hashes in Windows for passwords that are shorter than 15 characters.

For example, in Windows 2000 SP2 and later, you can create and set the NoLMHash registry key to a value of 1 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.

Use passfilt.dll or local or group security policies to help eliminate weak passwords on Windows systems before they’re created.

Disable null sessions in your Windows version:

• In Windows XP, enable the Do Not Allow Anonymous Enumeration of SAM Accounts and Shares option in the local security policy.

• In Windows 2000, enable the No Access without Explicit Anonymous Permissions option in the local security policy.

• In Windows NT, enable the following Registry key:

HKLM/System/CurrentControlSet/Control/LSA/RestrictAnonymous=1

Linux and UNIX

The following countermeasures can help prevent password cracks on Linux and UNIX systems:

Use shadowed MD5 passwords.

Help prevent weak passwords from being created. You can use either built-in operating-system password filtering (such as cracklib in Linux) or a password auditing program (such as npasswd or passwd+).

Check your /etc/passwd file for duplicate root UID entries. Hackers can exploit such entries as root backdoors.




Part III

Network Hacking

In this part . . .

Now that you’re off and running with your ethical hacking tests, it’s time to take things to a new level. The previous tests — at least the social engineering and physical security tests — have started at a high level and were not that technical. Times are a-changin’! You now need to look at network security. This is where things start getting more technical.

This part starts out by looking into one of the most overlooked information security vulnerabilities. By that, I mean rogue modems installed on computers randomly throughout your network. This part then moves on to look at the network as a whole from the inside and the outside for everything from perimeter security to network scanning to DoS vulnerabilities and more. Finally, this part takes a look at how to assess the security of the wireless LAN technology that’s introducing some serious security vulnerabilities into networks these days.



Chapter 8

War Dialing

In This Chapter

Controlling dial-up access

Testing for war dialing weaknesses

Preventing war dialing

War dialing — the act of using a computer to scan other computers automatically for accessible modems — was made popular in the movie War Games. War dialing seems old-fashioned and less sexy than other hacking techniques these days; however, it’s a very critical test to run against your network. This chapter shows how to test for war dialing vulnerabilities and outlines countermeasures to help keep your network from being victimized.

War Dialing

It’s amazing how often end users and careless network administrators connect modems to computers inside the network. Some companies spend an astonishing amount of money and effort to roll out intrusion-prevention software, application firewalls, and forensics protection tools while ignoring that an unsecured modem on the network can render that protection worthless.

Modem safety

Modems are still on today’s networks because of leftover remote access servers (RAS) that provide remote connectivity into the corporate network. Many network administrators — hesitant to deploy a VPN — still have modems on their servers and other hosts for other reasons, such as for administering the network, troubleshooting problems remotely, and even providing connectivity to remote offices. Some network administrators have legitimate modems installed for third-party monitoring purposes and business continuity; modems are a low-cost alternative network access method if the Internet connection is down. Many of these modems — and their software — run in default mode with weak passwords or none at all.

Practically every computer sold today has a modem. End users create dial-up networking connections so they can bypass the firewall-blocking and employee-monitoring systems in place on the corporate network. Many users want to dial into their work computers from home. Some users even set up their modems to send and receive faxes so that they eliminate every possible reason to leave their desks during the work day.

It’s not as big a deal if the modem is configured for outbound access only, but there’s always a chance that someone can use it to obtain inbound access. A software misconfiguration or a weak password can give a hacker access.

So what’s the bottom line? Unsecured modems inside the network — and even ones with basic passwords — can put your entire network at risk. Many of these modems have remote-connectivity software such as pcAnywhere, Procomm Plus, and even Apple Remote Access and Timbuktu Pro for Apple computers. This software can provide backdoor access to the entire network. In many cases, a hacker can take over the computer with the modem attached and communications software running, gaining full access to everything the currently logged-in user can access. Ouch!

General telephone-system vulnerabilities

A war-dialing attack can uncover other telephone-system vulnerabilities:

Dial tone: Many phone switches support a repeat, or second dial tone, for troubleshooting or other outbound call purposes. This allows a phone technician, a user, or even a hacker to enter a password at the first dial tone and make outbound calls to anywhere in the world — all on your organization’s dime. Many hackers use war dialing to detect repeat dial tones so they can carry out these phone attacks in the future.

Voice mail: Voice-mail systems — especially PC-based types — and entire private branch exchange (PBX) phone switches can be probed by war-dialing software and later compromised by a hacker.

Attacking

War dialing is not that complicated. Depending on your tools and the number of phone numbers you’re testing, this can be an easy test. War dialing involves these basic hacking methodologies:

Gathering public information and mapping your network

Scanning your systems

Determining what’s running on the systems discovered

Attempting to penetrate the systems discovered



The process of war dialing is as simple as entering phone numbers into your freeware or commercial war-dialing software and letting the program work its magic — preferably overnight, so you can get some sleep!

Before you get started, keep in mind that it might be illegal to war-dial in your jurisdiction, so be careful! Also, make sure you war-dial only the numbers you’re authorized to dial. Even though you will most likely perform your war dialing after hours — at night or over a weekend — make sure that upper management and possibly even the people who are working know what you’re doing. You don’t want anyone being surprised by this!

A case study in war dialing with David Rhoades

In this case study, David Rhoades, a well-known war dialing and Web-application security expert, shared an experience performing an ISDN war dial. Here’s an account of what happened.

The situation

A few years ago, Mr. Rhoades had an Integrated Services Digital Network (ISDN) circuit in his home office for two voice lines. ISDN also allowed him 128Kbps Internet access. His ISDN terminal adapter (sometimes incorrectly called an ISDN modem) allowed him to call other ISDN numbers extremely fast. He decided to write an ISDN war dialer that would take advantage of the amazing speed of ISDN. In about one second, he could dial the number and determine whether the other side was ISDN, ISDN with a busy signal, or a regular analog line. Analog war dialing is much slower. An analog modem would require at least 30 seconds to dial the number and recognize the other end as a modem — and that assumes the other end answers on the first ring. So an ISDN war dialer is very fast at locating other ISDN lines.

The only downsides are that not all ISDN equipment can detect analog modems, and you may have to dial in a second time to detect them properly. Why bother locating ISDN numbers with a war dial? If the other end is ISDN, a terminal adapter or some other piece of equipment might be remotely accessible just by calling it.

Shortly after Mr. Rhoades wrote the ISDN war dialer, his company got a request for a war dial for a large German bank. The only catch was that the project called for an ISDN war dial, because ISDN was popular in Europe and his customer knew that the bank had lots of ISDN circuits. Mr. Rhoades soon found himself on a flight to Frankfurt with his software and ISDN terminal adapter.

The outcome

Mr. Rhoades found several ISDN and analog lines within the bank’s system. His biggest challenge was becoming familiar with the dial-in software packages, which were popular in Europe but unknown in the United States. Fortunately for Mr. Rhoades, most vendors offered free demos of their software, which he could use to access the remote systems.

The bottom line is that if you want to be certain that no dial-up connections to your network exist, consider other methods of communication, such as ISDN. Also, never assume that well-known communications software is being used on the dial-up connection. If you don’t recognize what’s answering, explore it further. The bad guys most certainly will.

David Rhoades is a principal consultant with Maven Security Consulting Inc. (www.mavensecurity.com) and teaches at security conferences around the globe for USENIX, the MIS Training Institute, and ISACA.

War dialing is slow, because it can take anywhere from 30 to 60 seconds or longer to dial and test one number. A war-dialing test can take all night or even a weekend to dial all the numbers in one exchange. To counter this, if you use ToneLoc for your war dialing, there’s a neat utility called Prescan, part of the ToneLoc Utilities Phun-Pak (www.hackcanada.com/ice3/phreak), that will let you fill in ToneLoc data files with known exchanges before you ever get started. This can save a ton of time!

You may have several thousand phone numbers to test if you need to test an entire exchange, so this process can take some time. If you use several modems at once for your tests, you can speed the testing time dramatically.

However, before you can do this, several things have to be in place:

You need multiple analog lines to dial out from. Today, these analog lines can be hard to get.

Given the complexities involved, you may have to do one of the following:

• Be present during the tests so you can manage all the war-dialing sessions you have to load.

• Automate the tests with batch files.

• Use a commercial war-dialing utility that supports simultaneous testing with multiple modems.

Gathering information

To get started, you need phone numbers to test for modems. You can program these numbers into your war-dialing software and automate the process.

You need to find two kinds of phone numbers for testing:

Dialing ranges assigned to your organization, such as the following:

• 555-0000 through 555-9999 (10,000 possible numbers)

• 555-0100 through 555-0499 (400 possible numbers)

• 555-1550 through 555-1599 (50 possible numbers)

Nonstandard analog numbers that have a different exchange from your main digital lines. These numbers may not be publicly advertised.

To find or verify your organization’s phone numbers, check these resources:

Local telephone white and yellow pages. Either refer to hard copies or check out Internet sites such as www.switchboard.com.

Internet searches for your company name and main phone number. (Check your organization’s Web site, too.)

Google may find published numbers in surprising places, such as chamber of commerce and industry association listings.

Internet domain name Whois entries at a lookup site such as www.samspade.org. The Whois database often contains direct phone numbers and other contact information that can give a hacker a leg up on the phone-number scheme within your organization.

Phone-service documentation, such as monthly phone bills and phone-system installation paperwork

Selecting war-dialing tools

War dialing requires outbound phone access, software tools, and a compatible modem.

Software

Most war-dialing tools are freeware or shareware, but a few commercial war-dialing tools are also available, such as PhoneSweep by Sandstorm Enterprises (www.sandstorm.net/products/phonesweep).

These two freeware tools are very effective:

ToneLoc (www.securityfocus.com/data/tools/auditing/pstn/tl110.zip), written by Minor Threat and Mucho Maas

THC-Scan, written by The Hacker’s Choice (www.thc.org/releases.php)

There’s a list of war-dialing programs at www.pestpatrol.com/pestinfo/phreaking_tool.asp. If the freeware tools don’t have features you need, consider a commercial product, such as PhoneSweep.

Modems

A plain Hayes-compatible modem usually is fine for outbound war dialing.

I’ve had trouble running both ToneLoc and THC-Scan on various modems, so you may have to tinker with COM port settings, modem initialization strings, and even modem types until you find a combination that works.

The best way to determine what type of modem to use is to consult your war-dialing software’s documentation:

If in doubt, go with a name-brand model, such as U.S. Robotics, 3Com, or an older Hayes unit.

As a last resort, check the modem documentation for features that the modem supports.

You can use this information to ensure you have the best software and hardware combination to minimize any potential headaches.

Some modems can increase war-dialing efficiency by detecting

Voices, which can speed up the war-dialing process

Second dial tones, which allows more dialing from the system

Dialing in from the outside

War dialing is pretty basic — you enter the phone numbers you want to dial into your war-dialing software, kick off the program, and let it do its magic.

When the war-dialing software finds a carrier (which is basically a valid modem connection), the software logs the number, hangs up, and tries another number you programmed it to test.

Keep the following in mind to maximize your war-dialing efforts:

Configure your war-dialing software to dial the list of numbers randomly instead of sequentially, if possible.

Some phone switches, war-dialing detection programs (such as Sandstorm Enterprises’ Sandtrap), and even the phone company itself may detect and stop war dialing — especially when an entire exchange of phone numbers is dialed sequentially or quickly.

If you’re dialing from a line that can block Caller ID, dial *67 immediately before dialing the number so your phone number isn’t displayed. This may not work if you’re calling toll-free numbers.

If you’re dialing long-distance numbers during your testing, make sure that you know about the potential charges. Costs can add up fast!
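The detection side of the Sandtrap point above, as an added example that is not from the book or from Sandstorm’s product: a Python script that runs the heuristic the text describes (many distinct numbers in one exchange dialed from one source in a short time, whether or not the order is sequential) over a constructed call-detail record log as a PBX might write it. The CDR column layout, the 30-minute window and the threshold of 8 numbers are assumptions; all numbers are fictional 555 numbers.

```python
"""War-dialing detection over PBX call-detail records (constructed sample)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CDR lines: timestamp, calling number, called number, result.
# The first caller works the 770-555-12XX block in random order (as ToneLoc
# does); the second dials 770-555-13XX strictly in sequence; the rest is
# ordinary traffic that must not be flagged.
SAMPLE_CDR = """\
2004-01-31 01:18:24,404-555-0199,770-555-1208,no-answer
2004-01-31 01:19:02,404-555-0199,770-555-1201,busy
2004-01-31 01:19:40,404-555-0199,770-555-1205,no-answer
2004-01-31 01:20:18,404-555-0199,770-555-1203,no-answer
2004-01-31 01:20:56,404-555-0199,770-555-1200,no-answer
2004-01-31 01:21:34,404-555-0199,770-555-1209,no-answer
2004-01-31 01:22:12,404-555-0199,770-555-1202,no-answer
2004-01-31 01:22:52,404-555-0199,770-555-1207,answered
2004-01-31 01:23:30,404-555-0199,770-555-1204,no-answer
2004-01-31 01:24:48,404-555-0199,770-555-1206,no-answer
2004-01-31 02:00:00,404-555-0177,770-555-1300,no-answer
2004-01-31 02:00:40,404-555-0177,770-555-1301,no-answer
2004-01-31 02:01:20,404-555-0177,770-555-1302,no-answer
2004-01-31 02:02:00,404-555-0177,770-555-1303,no-answer
2004-01-31 02:02:40,404-555-0177,770-555-1304,busy
2004-01-31 02:03:20,404-555-0177,770-555-1305,no-answer
2004-01-31 02:04:00,404-555-0177,770-555-1306,no-answer
2004-01-31 02:04:40,404-555-0177,770-555-1307,no-answer
2004-01-31 09:01:10,404-555-0123,770-555-1207,answered
2004-01-31 09:15:44,404-555-0123,770-555-1200,answered
2004-01-31 17:30:02,404-555-0187,770-555-1200,answered
"""

WINDOW = timedelta(minutes=30)  # look-back window per calling number (assumed)
THRESHOLD = 8                   # distinct numbers in one exchange inside WINDOW (assumed)


def parse_cdr(text):
    """Parse CDR lines into (time, caller, called, result), oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, caller, called, result = line.split(",")
        records.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        caller, called, result))
    return sorted(records)


def exchange_of(number):
    """'770-555-1208' -> '770-555': the block a war dialer works through."""
    return number.rsplit("-", 1)[0]


def is_sequential(numbers):
    """True when the distinct called numbers form one unbroken run."""
    last4 = sorted(int(n.rsplit("-", 1)[1]) for n in set(numbers))
    return last4 == list(range(last4[0], last4[0] + len(last4)))


def detect_war_dialing(records, window=WINDOW, threshold=THRESHOLD):
    """Flag each (caller, exchange) pair that reaches `threshold` distinct
    called numbers within `window`. Counting distinct numbers catches random
    dialing as well; the sequential flag shows which scans a detector that
    only looked for consecutive numbers would have caught."""
    history = defaultdict(list)  # (caller, exchange) -> [(time, called)]
    alerts = []
    flagged = set()
    for when, caller, called, _result in records:
        key = (caller, exchange_of(called))
        calls = history[key]
        calls.append((when, called))
        while calls and when - calls[0][0] > window:  # drop calls outside window
            calls.pop(0)
        distinct = {c for _, c in calls}
        if len(distinct) >= threshold and key not in flagged:
            flagged.add(key)
            alerts.append({
                "caller": caller,
                "exchange": key[1],
                "distinct": len(distinct),
                "first": calls[0][0],
                "last": when,
                "sequential": is_sequential(distinct),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_war_dialing(parse_cdr(SAMPLE_CDR)):
        kind = "sequential" if a["sequential"] else "random-order"
        print(f"{a['caller']} dialed {a['distinct']} numbers in {a['exchange']}-XXXX "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S} ({kind})")
```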

Using tools

ToneLoc and THC-Scan are similar in usage and functionality:

Run a configuration utility to configure your modem and other dial settings.

Run the executable file to war-dial.

There are a few differences between the two, such as timeout settings and other enhanced menu functionality that was introduced in THC-Scan. You can get an outline of all the differences at web.textfiles.com/software/toneloc.txt.

Configuration

In this example, I use my all-time favorite tool — ToneLoc — for war dialing.

To begin the configuration process for ToneLoc, run the tlcfg.exe utility.

You can tweak modem, dialing, and logging settings.

Two settings on the Modem Options menu are likely to need adjustments, as shown in Figure 8-1:



Serial port

• Enter 1, 2, 3, or 4 for the specific COM port where your modem is installed.

• Leave the Port Address and Port IRQ settings at 0 for the default settings unless you’ve made configuration changes to your modem.

If you’re not sure what port your modem is installed on, run msinfo32.exe from the Windows Start/Run prompt, and browse to the Components/Modem folder. The modem’s COM port value is listed in the Attached To item, as shown in Figure 8-2.

Baud rate. Enter at least 19,200 if your modem supports it — preferably 115,000 if you have a 56K modem.

You may not be able to war-dial some older — and much slower — modems if the rates don’t match.

Figure 8-1: Configuring the modem in ToneLoc’s TLCFG utility.

Figure 8-2: Determining your modem’s COM port with the Windows System Information tool.

Testing

After you’ve configured ToneLoc, you’re ready to start war dialing with one of the following options:

Number range. For a range of numbers from 770-555-1200 through 770-555-1209, enter the following command at a command prompt:

toneloc 770-555-12XX /R:00-09

This command tells ToneLoc to dial all numbers beginning with 404-555-15 and then use the range of 00 through 99 in place of XX.

Single number. To test one number (770-555-1234), enter it at a command prompt like this:

toneloc 770-555-123X /R:4-4

To see all the command-line options, enter toneloc by itself at a command prompt.

After you enter the appropriate command (if you’ve configured the program correctly and your modem is working), ToneLoc produces test results in two forms:

Activity and counter display. As shown in Figure 8-3, ToneLoc displays its activity and increments its counters, such as the number of carriers and busy signals.

tone.log file. The following information is stored in this log file:

• Records of all activities during testing. You can peruse this file for failed attempts (such as busy signals) to retest later.

• Lists of the carriers that ToneLoc discovered, along with information such as the text displayed as a login prompt. You can use this information to penetrate your systems further.

Figure 8-3: ToneLoc in the middle of a war dial.



An abbreviated tone.log file is as follows:

01:18:20 ¯
01:18:20 ToneLoc v1.10 (Sep 29 1994)
01:18:20 ToneLoc started on 31-Jan-104
01:18:20 Using COM1 (16450 UART)
01:18:20 Data file: 770-555-.DAT
01:18:20 Config file: TL.CFG
01:18:20 Log file: TONE.LOG
01:18:20 Mask used: 770-555-12XX
01:18:20 Range used: 00-09
01:18:20 Scanning for: Carriers
01:18:20 Initializing Modem ... Done
01:18:24 770-555-1208 - Timeout (0)
01:19:02 770-555-1201 - Busy
01:19:40 770-555-1205 - No Carrier
. . .
01:22:52 770-555-1207 - * CARRIER *
01:23:30 770-555-1204 - Timeout (0)
01:24:08 Autosaving
01:24:48 770-555-1206 - Timeout (0)
01:25:20 All 10 numbers dialed
01:25:20 Sending exit string ... Done
01:25:21 Dials = 10, Dials/hour = 94
01:25:21 0:07 spent current scan
01:25:21 Exit with errorlevel 0

In the sixth line of the preceding example, ToneLoc is configured to read the TL.CFG file for its configuration options. With the seventh line, the findings are written to the TONE.LOG file.

The range of numbers dialed is 770-555-1200 through 770-555-1209. You can determine this by substituting the Range values (00-09) for the XX in the mask. ToneLoc dials numbers randomly, as you can see since it started with 770-555-1208, and so forth. The 1208, 1204, and 1206 numbers just timed out (meaning that no modem was detected). The 1201 number was apparently busy at the time, and the 1205 number didn’t answer at all. ToneLoc found a carrier (modem) on the 1207 number. Ah ha! Time to dig deeper to see what’s on the other end — such as what you’re prompted with and details about the remote system that are given.
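As an added example (Python written for this page, not ToneLoc’s code or the book’s), the following reproduces the two pieces of bookkeeping the walkthrough does by hand: expanding a mask such as 770-555-12XX with /R:00-09 into the numbers that will be dialed, and pulling carriers, busies and timeouts back out of a tone.log so that the numbers still to be retested fall out automatically. The log text is constructed from the abbreviated tone.log above with the header lines trimmed; the category names are my own.

```python
"""ToneLoc mask/range expansion and tone.log triage (added example)."""
import re
from collections import Counter

# Constructed from the abbreviated tone.log shown above (header lines trimmed).
SAMPLE_TONE_LOG = """\
01:18:20 ToneLoc v1.10 (Sep 29 1994)
01:18:20 Mask used: 770-555-12XX
01:18:20 Range used: 00-09
01:18:20 Scanning for: Carriers
01:18:24 770-555-1208 - Timeout (0)
01:19:02 770-555-1201 - Busy
01:19:40 770-555-1205 - No Carrier
01:22:52 770-555-1207 - * CARRIER *
01:23:30 770-555-1204 - Timeout (0)
01:24:08 Autosaving
01:24:48 770-555-1206 - Timeout (0)
01:25:20 All 10 numbers dialed
"""

# "HH:MM:SS NPA-NXX-XXXX - result": only the per-number lines match this.
RESULT_LINE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<number>\d{3}-\d{3}-\d{4}) - (?P<result>.+?)\s*$")


def expand_mask(mask, range_spec):
    """Numbers covered by a ToneLoc mask and /R: range.

    ToneLoc substitutes each value of the range for the run of X's:
    expand_mask("770-555-12XX", "00-09") -> 770-555-1200 ... 770-555-1209
    expand_mask("770-555-123X", "4-4")   -> 770-555-1234 only
    """
    width = mask.count("X")
    run = "X" * width
    if width == 0 or run not in mask:
        raise ValueError("mask needs one contiguous run of X's")
    lo, hi = (int(part) for part in range_spec.split("-"))
    if not 0 <= lo <= hi < 10 ** width:
        raise ValueError("range does not fit the X positions in the mask")
    return [mask.replace(run, f"{n:0{width}d}") for n in range(lo, hi + 1)]


def classify(result):
    """Map ToneLoc's result text onto a few categories (the names are mine)."""
    text = result.upper()
    if text.startswith("NO CARRIER"):
        return "no_carrier"
    if "CARRIER" in text:          # "* CARRIER *": a modem answered
        return "carrier"
    if text.startswith("BUSY"):
        return "busy"
    if text.startswith("TIMEOUT"):
        return "timeout"
    return "other"


def parse_tone_log(text):
    """{number: category} for every per-number result line in the log."""
    results = {}
    for line in text.splitlines():
        match = RESULT_LINE.match(line)
        if match:
            results[match["number"]] = classify(match["result"])
    return results


def summarize(mask, range_spec, log_text):
    """Reconcile what was meant to be dialed with what the log records.

    Carriers are the numbers to look at next; busy numbers and any planned
    number with no result line at all (the run was cut short) go onto the
    retest list.
    """
    planned = expand_mask(mask, range_spec)
    results = parse_tone_log(log_text)
    carriers = sorted(n for n, cat in results.items() if cat == "carrier")
    retest = sorted(n for n in planned if results.get(n, "busy") == "busy")
    return {
        "planned": len(planned),
        "logged": len(results),
        "counts": dict(Counter(results.values())),
        "carriers": carriers,
        "retest": retest,
    }


if __name__ == "__main__":
    summary = summarize("770-555-12XX", "00-09", SAMPLE_TONE_LOG)
    for key, value in summary.items():
        print(f"{key:>9}: {value}")
```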

Rooting through the systems

When you identify phone numbers with modems attached, take one of these actions to penetrate the system further and test for related vulnerabilities:

Stop your testing, determine whether the modems are legitimate, and disable or remove any rogue modems.

Attempt to penetrate the systems further by

• Determining what application is listening on the other end by using a communications program, such as Carbon Copy, Procomm Plus, or the free HyperTerminal that’s built into Windows.

• Attempting to crack passwords, if necessary.

Commercial tools such as PhoneSweep automate this process for you — making purchasing such a tool a lot more attractive.

A few questions can help you determine what’s listening on the other end and decide whether to investigate this device and possibly remove it:

How many rings does it take for the carrier to pick up?

Is the carrier available only during certain time periods?

What type of authentication prompt is presented (password only, user ID and password, or another combination)?

Does the login screen or banner tell you about the software that’s running?

Countermeasures

A few countermeasures can help protect your network against war dialing.

Phone numbers

You can protect your phone numbers — especially those that are assigned to modems on critical computer systems — by:

Limiting the phone numbers that are made public.

Work with human resources, marketing, and management to ensure that only necessary phone numbers are unveiled.

Obtaining analog-line phone numbers that aren’t within the standard exchange of your main digital lines. This prevents hackers from finding modems within your main phone-number block.

Modem operation

You can help prevent unauthorized modem usage and operation by:

Documenting, publishing, and educating all end users on modem usage.

If users need modem access, require them to present the business reason.

Requiring strong passwords on all communications software.

Purchasing dial-only modems or disabling inbound access in your communications software.

Legacy applications may require occasional modem access. Make it policy — and train your users — to keep the modem powered off or unplugged from the phone line when it’s not being used.

When installing modems into computers within the organization, require all dial-up networking through either a VPN or a modem pool connected to a RAS server that IT/security manages centrally. Review all telephone bills each month to ensure that you don’t have unauthorized lines installed.

Installation

Secure modem placement maximizes security, prevents war-dialing attacks, and makes modem management and future ethical hacking tests much easier:

External modems are usually easy to see, but they can be hidden under desks and forgotten.

Internal modems may require you to inspect every networked computer physically for a phone cable plugged into the back.

Digital phone-line converters can allow a user to connect an analog modem to a digital line — which normally fries the modem.




Chapter 9

Network Infrastructure

In This Chapter

Selecting tools

Scanning network hosts

Assessing security with a network analyzer

Preventing denial-of-service and infrastructure vulnerabilities

Your computer systems and applications require one of the most fundamental communications systems in your organization — your network. Your network consists of such devices as routers, firewalls, and even generic hosts (including servers and workstations) that you must assess as part of the ethical hacking process.

Many people refer to ethical hacking in terms of performing security tests from a network-only perspective. This is only part of the overall issue. You can’t discount the basics of old-fashioned network security tests. I outline them in this chapter, with some solid countermeasures to foil attacks against your network.

There are thousands of possible network vulnerabilities, equally as many tools, and even more testing techniques. You don’t need to test your network for every possible vulnerability, using every tool available and technique imaginable. The tests in this chapter produce a good overall assessment of your network.

You can eliminate many well-known network vulnerabilities by simply patching your network hosts with the latest vendor software and firmware patches. Odds are that your network will not be attacked to exploit most of these vulnerabilities. Even if it is, the results are not likely to be detrimental. You can eliminate many other vulnerabilities by following some security best practices on your network. The tests, tools, and techniques in this chapter offer the most bang for your ethical hacking buck.



A case study in hacking network infrastructures with Laura Chappell

Laura Chappell — one of the world’s foremost authorities on network protocols and analysis — shared with me an interesting experience she had when assessing a customer’s network. Here’s her account of what happened.

The Situation

Ms. Chappell had a customer call with a routine “the network is slow” problem. Upon her arrival onsite, the customer mentioned sporadic outages and poor performance when connecting to the Internet as well. First, she examined individual flows between various clients and servers. Localized communications appeared normal, but any communication that flowed through the firewall to the Internet or other branch offices was severely delayed. It was time to sniff the traffic going through the firewall to see whether she could isolate the cause of the delay.

The Outcome

A quick review of the traffic crossing the firewall indicated that the outside links were saturated, so it was time to review and classify the traffic. Using the Sniffer Network Analyzer, Ms. Chappell plugged in to examine the protocol distribution. She saw that almost 45 percent of the traffic was listed as “others” and was unrecognizable. She captured some data and found several references to pornographic images. Further examination of the packets led her to two specific port numbers that appeared consistently in the trace files — port 1214 (Kazaa) and 6346 (Gnutella), two peer-to-peer (P2P) file sharing applications. She did a complete port scan of the network to see what was running and found over 30 systems running either Kazaa or Gnutella. Their file transfer processes were eating up the bandwidth and dragging down all communications. It would have been simple to shut down these systems and remove the applications, but she wanted to investigate them further without the users’ knowledge.

Ms. Chappell decided to use her own Kazaa and Gnutella clients to look through the shared folders of the systems. By becoming a peer member with the other hosts on the network, she could perform searches through other shared folders, which indicated some of the users had shared their network directories! Through these shared folders, she was able to obtain the corporate personnel roster, including home phone numbers and addresses, accounting records, and several confidential memos that provided timelines for projects under way at the company!

Many users said they shared these folders to regain access to the P2P network, because they had previously been labeled free loaders because their shares contained only a few files. They were under the delusion that because no one knew the filenames contained in the network directories, no one would search for matching values. Although this on-site visit started with a standard performance and communication review, it ended with the detection of some huge security breaches in the company. Anyone can use these P2P tools to get onto the network and grab the files in the shared folders — with no authorization or authentication required!

Laura Chappell is Senior Protocol Analyst at the Protocol Analysis Institute, LLC (www.packet-level.com). A best-selling author and lecturer, Ms. Chappell has trained thousands of network administrators, security technicians, and law enforcement personnel on packet-level security, troubleshooting, and optimization techniques. I highly recommend that you check out her Web site for some excellent technical content to help you become a better ethical hacker.



Network Infrastructure Vulnerabilities

Network infrastructure vulnerabilities are the foundation for all technical security issues in your information systems. These lower-level vulnerabilities affect everything running on your network. That’s why you need to test for them and eliminate them whenever possible.

Your focus for ethical hacking tests on your network infrastructure should be to find weaknesses that others can see in your network so you can quantify your level of exposure.

Many issues are related to the security of your network infrastructure. Some issues are more technical and require you to use various tools to assess them properly. You can assess others with a good pair of eyes and some logical thinking. Some issues are easy to see from outside the network, and others are easier to detect from inside your network.

Network infrastructure security involves assessing such areas as

Where such devices as a firewall or IDS (intrusion detection system) are placed on the network and how they are configured

What hackers see when they perform port scans and how they can exploit vulnerabilities in your network hosts

Network design, such as Internet connections, remote-access capabilities, layered defenses, and placement of hosts on the network

Interaction of installed security devices

Protocols in use

Commonly attacked ports that are unprotected

Network host configuration

Network monitoring and maintenance

If any of these network security issues is exploited, bad things can happen:

A DoS attack can take down your Internet connection — or even your entire network.

A hacker using a network analyzer can steal confidential information in e-mails and files being transferred.

Backdoors into your network can be set up.

Specific hosts can be attacked by exploiting local vulnerabilities across the network.

Before moving forward with assessing your network infrastructure security, remember to do the following:

Test your systems from both the outside in and the inside out.

Obtain permission from partner networks that are connected to your network to check for vulnerabilities on their ends that can affect your network’s security, such as open ports and lack of a firewall or a misconfigured router.

Choosing Tools

Your tests require the right tools. Great commercial, shareware, and freeware tools are available.

If you’re looking for easy-to-use security tools with all-in-one packaging, you get what you pay for — most of the time — especially for the Windows platform.

Tons of security professionals swear by many free security tools, especially those that run on UNIX-based operating systems. Many of these tools offer a lot of value — if you have the time, patience, and willingness to learn their ins and outs.

You can equip your toolbox with scanners and vulnerability-assessment tools.

You need more than one tool. No tool does everything you need.

Scanners

These scanners provide practically all the port-scanning and network-testing tools you’ll need:

Sam Spade for Windows (samspade.org/ssw) for network queries from DNS lookups to traceroutes

SuperScan (www.foundstone.com) for ping sweeps and port scanning

NetScanTools Pro (www.netscantools.com) for dozens of network security-assessment functions, including ping sweeps, port scanning, and SMTP relay testing

Nmap (www.insecure.org/nmap) or NMapWin (sourceforge.net/projects/nmapwin) as a happy-clicky-GUI front end for host-port probing and operating-system fingerprinting

Netcat (www.atstake.com/research/tools/network_utilities) the most versatile security tool for such security checks as port scanning and firewall testing

WildPackets EtherPeek (www.wildpackets.com) for network analysis



Vulnerability assessment

These vulnerability-assessment tools will allow you to test your network hosts for various known vulnerabilities as well as potential configuration issues that could lead to security exploits:

GFI LANguard Network Security Scanner (www.gfi.com) for port scanning and other vulnerability testing

Nessus (www.nessus.org) as a free all-in-one tool for such tests as ping sweeps, port scanning, and vulnerability testing

Qualys QualysGuard (www.qualys.com) as a great all-in-one tool for in-depth vulnerability testing, if you can justify the cost

Scanning, Poking, and Prodding

Performing these ethical hacks on your network infrastructure involves following basic hacking steps:

1. Gather information and map your network.

2. Scan your systems to see which are available.

3. Determine what’s running on the systems discovered.

4. Attempt to penetrate the systems discovered, if you choose to.

Every network card driver and implementation of TCP/IP in most operating systems, including Windows and Linux, and even in your firewalls and routers, has quirks that result in different behaviors when scanning, poking, and prodding your systems. This can result in different responses from your varying systems. Refer to your administrator guides or vendor Web sites for details on any known issues and possible patches that are available to fix them. If you have all your systems patched, this shouldn’t be an issue.

Port scanners

A port scanner shows you what’s what on your network. It’s a software tool that basically scans the network to see who’s there.

Port scanners provide basic views of how the network is laid out. They can help identify unauthorized hosts or applications and network host configuration errors that can cause serious security vulnerabilities.

The big-picture view from port scanners often uncovers security issues that may otherwise go unnoticed. Port scanners are easy to use and can test systems regardless of what operating systems and applications they’re running. The tests can be performed very quickly without having to touch individual network hosts, which would be a real pain otherwise.

The real trick to assessing your overall network security is interpreting the results you get back. You can get false positives on open ports, and you may have to dig deeper. For example, UDP scans — like the protocol itself — are less reliable than TCP scans and often produce false positives, because many applications don’t know how to respond to random incoming UDP scans.

A feature-rich scanner — usually, a commercial product — often can identify ports and see what’s running in one step.

Port-scan tests take time. The length of time depends on the number of hosts you have, the number of ports you scan, the tools you use, and the speed of your network links.

Scan more than just the important hosts. These other systems often bite you if you ignore them. Also, perform the same tests with different utilities to see whether you get different results. Not all tools find the same open ports and vulnerabilities. This is unfortunate, but it’s a reality of ethical hacking tests.

If your results don’t match after you run the tests using different tools, you may want to explore the issue further. If something doesn’t look right — such as a strange set of open ports — it probably isn’t. Test it again; if you’re in doubt, use another tool for a different perspective.

As an ethical hacker, you should scan all 65,535 UDP and 65,535 TCP ports on each network host that’s found by your scanner. If you find questionable ports, look for documentation that the application is known and authorized.

For speed and simplicity, you can scan commonly hacked ports (listed in Table 9-1).

Table 9-1: Commonly Hacked Ports

Port Numbers | Service | Protocols
7 | Echo | TCP, UDP
19 | Chargen | TCP, UDP
20 | FTP data (File Transfer Protocol) | TCP
21 | FTP control | TCP
22 | SSH | TCP
23 | Telnet | TCP
25 | SMTP (Simple Mail Transfer Protocol) | TCP
37 | Daytime | TCP, UDP
53 | DNS (Domain Name System) | UDP
69 | TFTP (Trivial File Transfer Protocol) | UDP
79 | Finger | TCP, UDP
80 | HTTP (Hypertext Transfer Protocol) | TCP
110 | POP3 (Post Office Protocol version 3) | TCP
111 | SUN RPC (remote procedure calls) | TCP, UDP
135 | RPC/DCE end point mapper for Microsoft networks | TCP, UDP
137, 138, 139 | NetBIOS over TCP/IP | TCP, UDP
161 | SNMP (Simple Network Management Protocol) | TCP, UDP
220 | IMAP (Internet Message Access Protocol) | TCP
443 | HTTPS (HTTP over SSL) | TCP
512, 513, 514 | Berkeley r commands (such as rsh, rexec, and rlogin) | TCP
1214 | Kazaa and Morpheus | TCP, UDP
1433 | Microsoft SQL Server | TCP, UDP
1434 | Microsoft SQL Monitor | TCP, UDP
3389 | Windows Terminal Server | TCP
5631, 5632 | pcAnywhere | TCP
6346, 6347 | Gnutella | TCP, UDP
12345, 12346, 12631, 12632, 20034, 20035 | NetBus | TCP
27444 | Trinoo | UDP
27665 | Trinoo | TCP
31335 | Trinoo | UDP
31337 | Back Orifice | UDP
34555 | Trinoo | UDP
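The classification step from the Chappell case study, run against the Table 9-1 ports, as an added example (Python written for this page, not the Sniffer Network Analyzer or anything from the book): flow records are bucketed by server port, first with a table that, like an analyzer’s built-in list, does not know the P2P ports, so that traffic lands in “others”; the ports recurring in the unclassified flows then point at 1214 and 6346, and reclassifying with the Table 9-1 rows names the internal hosts to follow up on. The flow records, the byte counts and the subset of the table are constructed assumptions.

```python
"""Protocol distribution of flow records against the Table 9-1 port list."""
from collections import Counter

# Services an analyzer knows out of the box (a subset of Table 9-1, assumed).
ANALYZER_BUILTIN = {
    (25, "tcp"): "SMTP", (53, "udp"): "DNS", (80, "tcp"): "HTTP",
    (110, "tcp"): "POP3", (139, "tcp"): "NetBIOS", (443, "tcp"): "HTTPS",
    (3389, "tcp"): "Windows Terminal Server", (31337, "udp"): "Back Orifice",
}
# The P2P rows of Table 9-1 that explained the "others" bucket in the case study.
P2P_PORTS = {
    (1214, "tcp"): "Kazaa", (1214, "udp"): "Kazaa",
    (6346, "tcp"): "Gnutella", (6346, "udp"): "Gnutella",
    (6347, "tcp"): "Gnutella", (6347, "udp"): "Gnutella",
}
TABLE_9_1 = {**ANALYZER_BUILTIN, **P2P_PORTS}
P2P = set(P2P_PORTS.values())

# Constructed flow records: proto, src ip, src port, dst ip, dst port, bytes.
# 10.x addresses are the internal network; the rest are documentation ranges.
SAMPLE_FLOWS = """\
tcp,10.1.1.15,40211,203.0.113.10,80,4820000
tcp,10.1.1.22,40320,203.0.113.11,443,3910000
udp,10.1.1.15,53211,10.1.1.1,53,1200
tcp,10.1.1.40,1214,198.51.100.7,4100,2400000
tcp,198.51.100.9,3388,10.1.1.41,1214,1850000
udp,10.1.1.42,6346,198.51.100.20,6346,620000
tcp,10.1.1.43,6347,198.51.100.21,50110,3100000
tcp,10.1.1.43,40999,198.51.100.21,6346,880000
tcp,10.1.1.60,40001,203.0.113.12,25,15000
tcp,10.1.1.15,41000,203.0.113.13,8080,20000
"""


def parse_flows(text):
    """Parse the constructed flow lines into dicts with integer ports/bytes."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, sport, dst, dport, nbytes = line.split(",")
        flows.append({"proto": proto, "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
    return flows


def classify_flow(flow, services):
    """Name the service by port; "others" when neither side is in the table.

    The destination port is tried first, then the source port, because a
    P2P peer both accepts and initiates connections on its listening port."""
    for port in (flow["dport"], flow["sport"]):
        name = services.get((port, flow["proto"]))
        if name:
            return name
    return "others"


def distribution(flows, services):
    """{service: percent of bytes}, like the analyzer's protocol-distribution view."""
    total = sum(f["bytes"] for f in flows)
    by_service = Counter()
    for f in flows:
        by_service[classify_flow(f, services)] += f["bytes"]
    return {name: round(100 * b / total, 1) for name, b in by_service.items()}


def top_unknown_ports(flows, services, n=2):
    """Ports that recur in unclassified flows: the next thing to look into."""
    ports = Counter()
    for f in flows:
        if classify_flow(f, services) == "others":
            ports.update({f["sport"], f["dport"]})  # each port once per flow
    return [port for port, _ in ports.most_common(n)]


def p2p_hosts(flows, services, internal_prefix="10."):
    """Internal hosts seen in P2P flows, i.e. the list for the follow-up scan."""
    hosts = set()
    for f in flows:
        if classify_flow(f, services) in P2P:
            hosts.update(ip for ip in (f["src"], f["dst"])
                         if ip.startswith(internal_prefix))
    return sorted(hosts)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("with built-in list:", distribution(flows, ANALYZER_BUILTIN))
    print("recurring unknown ports:", top_unknown_ports(flows, ANALYZER_BUILTIN))
    print("with Table 9-1:", distribution(flows, TABLE_9_1))
    print("P2P hosts to scan:", p2p_hosts(flows, TABLE_9_1))
```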

Ping sweep

A ping sweep of all your network subnets and hosts is a good way to find out which hosts are alive and kicking on the network. A ping sweep is when you ping a range of addresses using Internet Control Message Protocol (ICMP) packets. Figure 9-1 shows the command and the results of using Nmap to perform a ping sweep of a class C subnet range.

Dozens of Nmap command-line options exist, which can be overwhelming when you just want to do a basic scan. You can just enter nmap on the command line to see all the options available.

These command-line options can be used for an Nmap ping sweep:

-sP tells Nmap to perform a ping scan.

-n tells Nmap to not perform name resolution.

You may want to omit this if you want to resolve hostnames to see which systems are responding. Name resolution may take slightly longer, though.

• -T 4 option tells Nmap to perform an aggressive (faster) scan.

• 192.168.1.1-254 tells Nmap to scan the entire 192.168.1.x subnet.

Port scanning

Most port scanners operate in three steps:

1. The port scanner sends TCP SYN requests to the host or range of hosts you set it to scan.

Some port scanners, such as SuperScan, perform ping sweeps to determine which hosts are available before starting the TCP port scans.

Most port scanners scan only TCP ports by default. Don’t forget about UDP ports. You can scan UDP ports with a UDP port scanner such as Nmap or LANguard Network Security Scanner.

Figure 9-1: Performing a ping sweep of an entire class C network with Nmap.



2. The port scanner waits for replies from the available hosts.

3. The port scanner probes these available hosts for up to 65,535 possible TCP and UDP ports — based on which ports you tell it to scan — to see which ones have available services on them.

The port scans provide the following information about the live hosts on your network:

Hosts that are active and reachable through the network

Network addresses of the hosts found

Services or applications that the hosts may be running

After performing a generic sweep of the network, you can dig deeper into specific hosts you’ve found.

SuperScan

My favorite tool to perform generic TCP port scans is SuperScan. Figure 9-2 shows the results of my scan and a few interesting ports open on several hosts, including Windows Terminal Server and SSH.

In Figure 9-2, I selected the Only Scan Responsive Pings and All Selected Ports in List options. However, you may want to select some other options:

Figure 9-2: A TCP port scan using SuperScan.

If you don’t want to ping each host first — which helps make the test run more efficiently — deselect the Only Scan Responsive Pings option. (ICMP can be blocked, which can cause the scanner to not find certain hosts.)

If you want to scan a certain range of well-known ports or ports specific to your systems, you can configure SuperScan to do so. I recommend these settings:

• If you want to perform a scan on well-known ports, at least select the All Selected Ports in List option.

• If this is your initial scan, scan all ports from 1 to 65,535.

Nmap

After you have a general idea of what hosts are available and what ports are open, you can perform fancier scans to verify that the ports are actually open and not being reported as a false positive. If you wish to do this, Nmap is the perfect tool to use. Nmap allows you to run the following additional scans:

Connect: This basic TCP scan (-sT) looks for any open TCP ports on the host by completing the full three-way handshake through the operating system’s socket interface. It needs no special privileges, and because each connection is fully established, it is the scan most likely to show up in the target application’s own logs. You can use this scan to see what’s running and determine whether IDSs, firewalls, or other logging devices log the connections.

UDP Scan: This basic UDP scan (-sU) looks for any open UDP ports on the host. You can use this scan to see what’s running and determine whether IDSs, firewalls, or other logging devices log the connections.

SYN Stealth: This scan (-sS) creates a half-open TCP connection with the host: it sends a SYN, reads the SYN/ACK or RST that comes back, and then tears the attempt down with a RST instead of completing the handshake. The application never sees a connection, so application-level logging usually misses it, which is all that "stealth" means here; a firewall or IDS watching the wire still sees every SYN. This is a good scan for testing IDSs, firewalls, and other logging devices. It requires raw-socket (root or Administrator) privileges.

FIN Stealth, Xmas Tree, and Null: These scans (-sF, -sX, -sN) let you mix things up a bit, no pun intended, by sending strangely formed packets to your network hosts so you can see how they respond. These scans basically change around the flags in the TCP headers of each packet, which allows you to test how each host handles them to point out weak TCP/IP implementations and patches that may need to be applied. They rely on the RFC 793 behavior that a closed port answers an unexpected segment with a RST while an open port stays silent, so a port that says nothing is reported as open|filtered. Windows stacks send a RST in either case, so these three scans report every port closed on Windows hosts and are useful only against UNIX-like targets.

Be careful when performing these scans. You can create your own DoS attack and potentially crash applications or entire systems. Unfortunately, if you have a host with a weak TCP/IP stack (the software that controls TCP/IP communications on your hosts), there is no good way to prevent this. The best way to reduce the chance of this occurring is to use the slow Nmap timing options (Paranoid, Sneaky, or Polite, which are -T0, -T1, and -T2 on the command line) when running your scans.

Figure 9-3 shows the NMapWin Scan tab, where you can select all these options. If you’re a command-line fan, you see the command-line parameters displayed in the lower-left corner of the NMapWin screen. This helps when you know what you want to do and the command-line help isn’t enough.


If you connect to a single port carefully enough (as opposed to several all at once) without making too much noise, you may be able to evade your IDS/IDP system. This is a good test of your IDS and firewall systems, so assess your logs to see what they saw during this process.

Countermeasures

You can implement various countermeasures to typical port scanning.

Traffic restriction

Enable only the traffic you need to access internal hosts, preferably as far as possible from the hosts you’re trying to protect. You apply these rules in two places:

External router for inbound traffic

Firewall for outbound traffic

Configure firewalls to look for potentially malicious behavior over time (such as the number of packets received in a certain period of time), and have rules in place to cut off attacks if a certain threshold is reached, such as connection attempts to 100 different ports from one source address in one minute.

Many firewalls, IDSs, and IDPs detect port scanning and cut it off in real time. Figure 9-4 shows an example: A basic Nmap OS fingerprint scan was detected and cut off (hence the black slash) by ISS’s BlackICE personal firewall and IDP product in real time.
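The threshold rule above (cut a source off after it touches too many ports in a minute) is easy to implement yourself when a firewall only writes logs and doesn’t enforce rate limits. The following Python is an added example, not code from the book or from any of the products it mentions. The log layout, the addresses, and the thresholds are constructed for the example (8 distinct ports in 60 seconds, low enough that the sample trips it); a second detector catches the horizontal case the book’s rule misses, one port probed across many hosts.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed firewall DROP log in a generic "timestamp action proto src dst dport"
# layout; not any particular product's format.
SAMPLE_LOG = """\
2004-02-07 14:11:01 DROP TCP 10.11.12.203 192.168.1.10 22
2004-02-07 14:11:01 DROP TCP 10.11.12.203 192.168.1.10 23
2004-02-07 14:11:02 DROP TCP 10.11.12.203 192.168.1.10 25
2004-02-07 14:11:02 DROP TCP 10.11.12.203 192.168.1.10 80
2004-02-07 14:11:03 DROP TCP 10.11.12.203 192.168.1.10 110
2004-02-07 14:11:03 DROP TCP 10.11.12.203 192.168.1.10 135
2004-02-07 14:11:04 DROP TCP 10.11.12.203 192.168.1.10 139
2004-02-07 14:11:04 DROP TCP 10.11.12.203 192.168.1.10 443
2004-02-07 14:11:05 DROP TCP 10.11.12.203 192.168.1.10 445
2004-02-07 14:11:05 DROP TCP 10.11.12.203 192.168.1.10 3389
2004-02-07 14:11:30 DROP TCP 10.11.12.7 192.168.1.10 80
2004-02-07 14:12:00 DROP TCP 10.11.12.9 192.168.1.20 445
2004-02-07 14:12:01 DROP TCP 10.11.12.9 192.168.1.21 445
2004-02-07 14:12:02 DROP TCP 10.11.12.9 192.168.1.22 445
2004-02-07 14:13:30 DROP TCP 10.11.12.7 192.168.1.10 443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) DROP (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<dport>\d+)$"
)

def parse_line(line):
    """-> (timestamp, src, dst, dport), or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["src"], m["dst"], int(m["dport"])

def _sliding_detect(log_text, key_fn, value_fn, threshold, window_seconds):
    """Per key, keep a window of recent (timestamp, value) events and alert once
    when the number of distinct values inside the window reaches the threshold."""
    windows, alerted, alerts = defaultdict(deque), set(), []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ts, key = ev[0], key_fn(ev)
        q = windows[key]
        q.append((ts, value_fn(ev)))
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()                      # expire events older than the window
        distinct = {v for _, v in q}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)                 # one alert per (key), not one per packet
            alerts.append((key, len(distinct), q[0][0]))
    return alerts

def detect_port_scans(log_text, threshold=8, window_seconds=60):
    """Vertical scan: one source probing many ports on one host. Key (src, dst), count ports."""
    return _sliding_detect(log_text, lambda e: (e[1], e[2]), lambda e: e[3], threshold, window_seconds)

def detect_host_sweeps(log_text, threshold=3, window_seconds=60):
    """Horizontal sweep: one source probing one port on many hosts. Key (src, dport), count hosts."""
    return _sliding_detect(log_text, lambda e: (e[1], e[3]), lambda e: e[2], threshold, window_seconds)
```

On the sample, detect_port_scans reports 10.11.12.203 against 192.168.1.10 (8 distinct ports by 14:11:04) and detect_host_sweeps reports 10.11.12.9 hitting port 445 on three hosts; the two 10.11.12.7 entries are two minutes apart and never accumulate. A slow scan that spreads its probes wider than the window (the Paranoid and Sneaky Nmap timings exist for exactly that) slips under a rule like this, which is why the book suggests checking your logs after a slow scan rather than trusting the threshold alone.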

Figure 9-3: In-depth port-scanning options in NMapWin.


Gathering network information

NetScanTools Pro is a great tool for general network information, such as the number of unique IP addresses, NetBIOS names, and MAC addresses found. The following report is an example of the NetScanner (network scanner) output of NetScanTools Pro 2000:

    Statistics for NetScanner
    Scan completion time = Sat, 7 Feb 2004 14:11:08
    Start IP address: 192.168.1.1
    End IP address: 192.168.1.254
    Number of target IP addresses: 254
    Number of IP addresses responding to pings: 13
    Number of IP addresses sent pings: 254
    Number of intermediate routers responding to pings: 0
    Number of successful NetBIOS queries: 13
    Number of IP addresses sent NetBIOS queries: 254
    Number of MAC addresses obtained by NetBIOS queries: 13
    Number of successful Subnet Mask queries: 0
    Number of IP addresses sent Subnet Mask queries: 254
    Number of successful Whois queries: 254

Traffic denial

Deny ICMP traffic to specific hosts you’re trying to protect. Most hosts don’t need to have ICMP enabled, especially inbound ICMP echo requests, unless it’s needed for a network management system that monitors hosts using this protocol. Don’t block ICMP wholesale, though: ICMP type 3 (destination unreachable) messages, and in particular code 4 (fragmentation needed), carry path MTU discovery, and dropping them makes large transfers through a smaller-MTU link stall.

You can break applications on your network, so make sure that you analyze what’s going on, and understand how applications and protocols are working, before you disable such network traffic as ICMP.

Figure 9-4: BlackICE logs showing how an Nmap scan was cut off.


SNMP scanning

Simple Network Management Protocol (SNMP) is a protocol built into virtually every network device. Network management programs (such as HP OpenView and LANDesk) use SNMP for remote network host management. Unfortunately, SNMP also presents security vulnerabilities.

Vulnerabilities

The problem is that most network hosts run SNMP that isn’t hardened or patched to prevent known security vulnerabilities. The majority of network devices have SNMP enabled and don’t even need it!

If SNMP is compromised, a hacker can gather such network information as ARP tables, routing tables, interface lists, and TCP connections to attack your systems. If SNMP shows up in port scans, you can bet that a hacker will try to compromise the system. With SNMP versions 1 and 2c, compromise usually means nothing more than guessing the community string, which travels in cleartext in every request and is often still the factory default.

Figure 9-5 shows how GFI LANguard determined the NetWare version running (Version 6, Service Pack 3) by simply querying a host running unprotected SNMP. Here are some other utilities for SNMP enumeration:

The commercial tool SolarWinds (www.solarwinds.net)

Free Windows GUI-based Getif (www.wtcs.org/snmp4tpc/getif.htm)

Text-based SNMPUTIL for Windows (www.wtcs.org/snmp4tpc/FILES/Tools/SNMPUTIL/SNMPUTIL.zip)

Countermeasures

Preventing SNMP attacks can be as simple as A-B-C:

Always disable SNMP on hosts if you’re not using it, period.

Block the SNMP ports (UDP port 161 for queries and UDP port 162 for traps) at the network perimeter.

Change the default SNMP community strings (public for read-only access and, on many devices, private for read-write access) to values that are difficult to guess, and restrict the agent to answering only your management stations’ addresses. Better still, use SNMPv3 where your devices support it: it authenticates each request and can encrypt the payload, so there is no cleartext community string to sniff or guess.
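To see why the community string is such a weak secret, it helps to look at what an SNMPv1 request is on the wire. The following Python is an added example, not the book’s code and not code from SNMPUTIL, Getif, or any vendor: it builds the same GetRequest for sysDescr.0 that those tools send, then decodes a GetResponse constructed here to stand in for an agent’s reply (the sysDescr text in it is made up). The encoder and decoder cover only the subset of BER that SNMPv1 needs, and the snmp_get function at the end is the only part that touches the network.

```python
import socket

def _ber_len(n):
    """BER length: one byte up to 127, else 0x80|byte-count followed by the length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _ber_int(value):
    """INTEGER in minimal two's-complement form (version, request-id, error fields)."""
    return _tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))

def _ber_oid(dotted):
    """OBJECT IDENTIFIER: the first two arcs fold into 40*a+b, the rest are base-128 chunks."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def decode_oid(data):
    arcs, value = [data[0] // 40, data[0] % 40], 0
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def _message(community, pdu_tag, request_id, varbinds):
    """SEQUENCE { version 0, community OCTET STRING, PDU { id, error-status, error-index, varbinds } }."""
    pdu = _tlv(pdu_tag, _ber_int(request_id) + _ber_int(0) + _ber_int(0) + _tlv(0x30, varbinds))
    return _tlv(0x30, _ber_int(0) + _tlv(0x04, community.encode()) + pdu)

def build_snmpv1_get(community, oid, request_id=1):
    """GetRequest-PDU (tag 0xA0) for one OID; the value slot holds a NULL (05 00)."""
    return _message(community, 0xA0, request_id, _tlv(0x30, _ber_oid(oid) + b"\x05\x00"))

def build_snmpv1_response(community, oid, text, request_id=1):
    """GetResponse-PDU (tag 0xA2) carrying one OCTET STRING; a constructed stand-in for an agent's reply."""
    return _message(community, 0xA2, request_id, _tlv(0x30, _ber_oid(oid) + _tlv(0x04, text.encode())))

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_snmpv1(datagram):
    """Return (community, pdu_tag, [(dotted_oid, value_tag, value_bytes), ...]).
    The community string is the plain OCTET STRING right after the version field,
    so a sniffer on the path reads it exactly as this parser does."""
    tag, msg, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    pos = 0
    for _ in range(3):                       # request-id, error-status, error-index
        _, _, pos = _read_tlv(pdu, pos)
    _, vblist, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vblist):
        _, vb, pos = _read_tlv(vblist, pos)
        _, oid, p = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, p)
        varbinds.append((decode_oid(oid), vtag, val))
    return community.decode(), pdu_tag, varbinds

def snmp_get(host, community, oid, timeout=2.0):
    """Send one GetRequest to UDP 161 and decode the answer (needs a reachable agent;
    not exercised by the offline example)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_snmpv1_get(community, oid), (host, 161))
        data, _ = s.recvfrom(4096)
    return parse_snmpv1(data)
```

build_snmpv1_get("public", "1.3.6.1.2.1.1.1.0") produces the 40-byte datagram 30 26 02 01 00 04 06 "public" a0 19 ..., and the six bytes of the community string sit in it unencoded; guessing it is a matter of sending that datagram with a short wordlist of strings and watching for a GetResponse (tag 0xA2) instead of silence. Point snmp_get at one of your own devices with the string you configured, then with public, to confirm the default really is gone.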

Figure 9-5: Information gathered by querying a vulnerable SNMP host.


Banner grabbing

Banners are the welcome screens that divulge software version numbers and other host information to a network host. This banner information may identify the operating system, the version number, and the specific service packs, so hackers know possible vulnerabilities. You can grab banners by using either plain old telnet or Netcat.

telnet

You can telnet to hosts on the default telnet port (TCP port 23) to see whether you’re presented with a login prompt or any other information. Just enter the following line at the command prompt in Windows or UNIX:

    telnet ip_address

You can telnet to other commonly used ports with these commands:

SMTP:

    telnet ip_address 25

HTTP:

    telnet ip_address 80

POP3:

    telnet ip_address 110

Services such as SMTP, POP3, FTP, and SSH send their banner as soon as you connect; a Web server says nothing until you send it a request, so on port 80 type HEAD / HTTP/1.0 and press Enter twice to get the Server header back. Figure 9-6 shows specific version information about an Exchange 2003 server when telnetting to it on port 25.

Netcat

Netcat can grab banner information from routers and other network hosts, such as a wireless access point or managed Ethernet switch.

The following steps bring back information about a host that runs a Web server for remote management purposes:

Figure 9-6: Information gathered about Exchange 2003 via telnet.


1. Enter the following line to initiate a connection on port 80:

    nc -v ip_address 80

2. Wait for the initial connection.

Netcat returns the message hostname [ip_address] 80 (http) open.

3. Enter the following line to grab the home page of the Web server:

    GET / HTTP/1.0

4. Press Enter a couple of times to load the page.

The blank line you send with that second Enter is what ends the request; until the server sees it, it keeps waiting. If you use HTTP/1.1 instead, you must also send a Host: header, and if you want only the headers (including the Server line) without the whole page, use HEAD instead of GET.

Figure 9-7 shows some typical results with Netcat.
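A connect scan and a banner grab are the same few socket calls, so here they are together as an added Python example that does by hand what the SuperScan and Netcat steps above do: a TCP connect scan of a list of ports, followed by a banner grab on each port that accepted. This is not the book’s code and not code from SuperScan, Nmap, or Netcat. Because it has to run without a network, demo() starts two throwaway listeners on 127.0.0.1 whose banners are constructed (an SMTP-style greeting and an HTTP Server header) and picks a third port that is known to be closed; point connect_scan and grab_banner at a real host and port list to use them for real.

```python
import socket
import threading

def serve_banner(banner, waits_for_request=False):
    """Throwaway TCP listener on 127.0.0.1 standing in for a real service; returns its port.
    SMTP, POP3, FTP and SSH speak first; a Web server waits for a request, which
    waits_for_request=True imitates."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    if waits_for_request:
                        conn.settimeout(3)
                        conn.recv(1024)
                    conn.sendall(banner)
                except OSError:
                    pass            # a scanner connected and hung up without talking

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def connect_scan(host, ports, timeout=0.5):
    """TCP connect scan: a full three-way handshake per port (no raw sockets needed,
    but every probe is visible to the application). Returns the ports that accepted."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports

def _read_until_quiet(sock, limit=4096):
    chunks, total = [], 0
    try:
        while total < limit:
            data = sock.recv(1024)
            if not data:
                break
            chunks.append(data)
            total += len(data)
    except socket.timeout:
        pass
    return b"".join(chunks)

def grab_banner(host, port, timeout=1.0):
    """Read what the service volunteers; if it stays silent, nudge it with a HEAD
    request (what a Web server is waiting for; most other services answer with an
    error that still names the software)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        data = _read_until_quiet(s)
        if not data:
            s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
            data = _read_until_quiet(s)
    return data.decode("latin-1", "replace")

def summarize_banner(text):
    """The version-bearing line: an HTTP Server: header if present, else the first line."""
    for line in text.splitlines():
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return text.strip().splitlines()[0].strip() if text.strip() else ""

def demo():
    """Scan three local ports (two listeners plus one known-closed port), then grab banners."""
    smtp = serve_banner(b"220 mail.example.test ESMTP greeting (constructed)\r\n")
    http = serve_banner(b"HTTP/1.0 200 OK\r\nServer: Apache/1.3.29 (constructed)\r\n\r\n",
                        waits_for_request=True)
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed = spare.getsockname()[1]      # grab a free port number, then release it: now closed
    spare.close()
    found = connect_scan("127.0.0.1", [smtp, http, closed])
    return {port: summarize_banner(grab_banner("127.0.0.1", port)) for port in found}
```

demo() returns a dictionary of the two open ports mapped to "220 mail.example.test ..." and "Apache/1.3.29 (constructed)"; the closed port never appears because connect_ex gets a RST (connection refused) and returns a non-zero error. The one-second silence before the HEAD request is the cost of not knowing in advance which services speak first; a real scanner keys the probe on the port number instead.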

Countermeasures

The following steps can reduce the chance of banner-grabbing attacks:

If there is no business need for services that offer banner information, disable those unused services on the network host.

If there is no business need for the default banners, or if you can customize the banners displayed, configure the network host’s application or operating system to either disable the banners or remove information from the banners that could give an attacker a leg up.

Changing a banner hides the version from a casual look but not from a determined attacker: the behavior of the service (response codes, header order, supported commands) still fingerprints it, so treat banner suppression as a nuisance to scanners, not as a substitute for patching.

If you can customize your banners, check with your lawyer about adding a warning message similar to this:

Warning!!! This is a private system. All use is monitored and recorded. Any unauthorized use of this system may result in civil and/or criminal prosecution to the fullest extent of the law.

Firewall rules

As part of your ethical hacking, you can test your firewall rules to make sure they’re working like they’re supposed to.

Figure 9-7: A Web-server banner grab using Netcat.


Testing

A few tests can verify that your firewall actually does what it says it’s doing. You can connect through it on the ports you believe are open, but what about all the other ports that can be open and shouldn’t be?

Some security-assessment tools can not only test for open ports, but also determine whether traffic is actually allowed to pass through the firewall.

All-in-one tools

All-in-one tools aren’t perfect, but their broad testing capabilities make the network scanning process a lot less painful and can save you tons of time! Their reporting is really nice, too, especially if you will show your test results to upper management.

Nessus, QualysGuard, and GFI LANguard Network Security Scanner provide similar results. Figure 9-8 is partial output from LANguard. It identifies open ports on the test network and presents SNMP information, operating-system information, and special alerts to look for.

You can use LANguard Network Security Scanner and QualysGuard to find operating-system vulnerabilities and patches that need to be applied. Pretty slick! I show you more on this in Chapter 11, which covers Windows.

Netcat

Netcat can test certain firewall rules without having to test a production system directly. For example, you can check whether the firewall allows port 23 (telnet) through. Follow these steps to see whether a connection can be made through port 23:

1. Load Netcat on a client machine inside the network.

This allows you to test from the inside out.

Figure 9-8: Information gathered from a network scan using LANguard Network Security Scanner.


2. Load Netcat on a testing computer outside the firewall.

This allows you to test from the outside in.

3. Enter the Netcat listener command on the client (internal) machine with the port number you’re testing.

For example, if you’re testing port 23, enter this command:

    nc -l -p 23 -e cmd.exe

The -e switch tells Netcat to hand each incoming connection to cmd.exe. Without it, Netcat simply listens and echoes whatever arrives to the console, which is already enough to prove that the port is reachable through the firewall.

4. Enter the Netcat command to initiate an inbound session on the testing (external) machine. You must include the following information:

• The IP address of the internal machine you’re testing

• The port number you’re testing

For example, if the IP address of the internal (client) machine is 10.11.12.2 and the port is 23, enter this command:

    nc -v 10.11.12.2 23

If Netcat presents you with a new command prompt (that’s what the -e cmd.exe is for in Step 3) on the external machine, it means that you connected and are now executing commands on the internal machine! This can serve several purposes, including testing firewall rules and, well, uhhhmmm, executing commands on a remote system!

Remember that while that listener is up, anyone who can reach the port gets the same unauthenticated shell. Run it only for the duration of the test, use a plain listener (no -e) unless you really need the shell, and kill it as soon as you have your answer.

Alternative testing tools

These utilities test firewall rules more robustly than Netcat:

Firewalk: A UNIX-based tool (www.packetfactory.net/firewalk)

Firewall Informer: A commercial tool by BLADE Software (www.blade-software.com)

Countermeasures

The following countermeasures can prevent a hacker from testing your firewall:

Limit traffic to what’s needed.

Set rules on your firewall (and router, if needed) to pass only traffic that you absolutely must pass. For example, have rules in place that allow HTTP inbound to an internal Web server and outbound for external Web access.

This is the best defense against someone poking at your firewall.

Block ICMP to help prevent abuse from some automated tools, such as Firewalk. Firewalk sends probes with a TTL that expires one hop past the firewall and reads the ICMP time-exceeded replies to learn which ports the firewall passes, so stopping those time-exceeded messages from leaving your network blinds it.

Enable stateful packet inspection on the firewall, if you can. It can block unsolicited requests.


Looking through a network analyzer

A network analyzer is a tool that allows you to look into a network and analyze data going across the wire for network optimization, security, and/or troubleshooting purposes. Like a microscope for a lab scientist, a network analyzer is a must-have tool for any security professional.

Network analyzers are often generically referred to as sniffers, though that’s actually the name and trademark of a specific product from Network Associates, Sniffer (the original network-analysis tool).

A network analyzer is handy for sniffing packets. Watch for the following network traffic behavior:

What do packet replies look like? Are they coming from the host you’re testing or from an intermediary device?

Do packets appear to traverse a network host or security device, such as a router, a firewall, IDS, or a proxy server?

When assessing security and responding to security incidents, a network analyzer can help you

View anomalous network traffic and even track down an intruder.

Develop a baseline of network activity and performance before a security incident occurs, such as protocols in use, usage trends, and MAC addresses.

When your network behaves erratically, a network analyzer can help you

• Track and isolate malicious network usage

• Detect malicious Trojan-horse applications

• Monitor and track down DoS attacks

You can use one of the following programs for network analysis:

EtherPeek by WildPackets (www.wildpackets.com) is my favorite network analyzer. It delivers a ton of features that the higher-end network analyzers of yesterday have for a fraction of their cost. EtherPeek is available for the Windows operating systems.

I download the open-source Ethereal network analyzer from www.ethereal.org if I need a quick fix and don’t have my laptop nearby. It’s not as user-friendly as EtherPeek, but it is very powerful if you’re willing to learn its ins and outs. Ethereal is available for both Windows and UNIX-based operating systems. (The Ethereal project was later renamed Wireshark and continues under that name.)


Two other powerful and free utilities can perform such functions as network analysis:

• ettercap (ettercap.sourceforge.net) for Windows and UNIX-based operating systems. I cover ettercap in more detail in "ARP spoofing," later in the chapter.

• dsniff (www.monkey.org/~dugsong/dsniff) for UNIX-based operating systems.

A network analyzer is just software running on a computer with a network card. It works by placing the network card in promiscuous mode, which makes the card pass up every frame it receives, even traffic not destined to the network-analyzer host. Promiscuous mode doesn’t make a switch send you anything extra, though: on a switched network the card still receives only broadcasts, multicasts, and frames addressed to it, which is why the connection points below matter. The network analyzer performs the following functions:

Captures all network traffic

Interprets or decodes what is found into a human-readable format

Displays it all in chronological order

Here are a few caveats for using a network analyzer:

To capture all traffic, you must connect the analyzer to either

• A hub on the network

• A monitor/span/mirror port on a switch

You should connect the network analyzer to a hub on the outside of the firewall, as shown in Figure 9-9, as part of your testing so you can see traffic similar to what a network-based IDS sees:

• What’s entering your network before the firewall filters eliminate the junk traffic

• What’s leaving your network after the traffic goes past the firewall

Figure 9-9: Connecting a network analyzer outside the firewall. (Diagram labels: Internet, Router, Ethernet Hub, Network analyzer computer, Firewall, LAN.)


Whether you connect your network analyzer inside or outside your firewall, you see immediate results. It can be an overwhelming amount of information, but you can look for these issues first:

Odd traffic, such as

• Unusual amount of ICMP packets

• Excessive amounts of multicast or broadcast traffic

• Packet types that don’t belong, such as NetBIOS in a NetWare environment

Internet usage habits, which can help point out malicious behavior of a rogue insider or system that has been compromised, such as

• Web surfing

• E-mail

• IM

Questionable usage, such as

• Many lost or oversized packets

• High bandwidth consumption that may point to a Web or FTP server that doesn’t belong

Reconnaissance probes and system profiling from port scanners and vulnerability-assessment tools, such as a significant amount of inbound traffic from unknown hosts, especially over ports that are not used very much, such as FTP or telnet.

Hacking in progress, such as tons of inbound UDP or ICMP echo requests, SYN floods, or excessive broadcasts.

Nonstandard host names on your network. For example, if your systems are named Computer1, Computer2, and so on, a computer named GEEKz4evUR should raise a red flag.

Hidden servers (especially Web, SMTP, FTP, and DHCP) that may be eating network bandwidth or serving illegal software or even access into your network hosts.

Attacks on specific applications that show such commands as /bin/rm, /bin/ls, echo, and cmd.exe.

You may need to let your network analyzer run for quite a while — severalhours to several days, depending on what you’re looking for.

Before getting started, configure your network analyzer to capture and storethe most relevant data:

If your network analyzer permits it, configure your network analyzersoftware to use a first-in, first-out buffer.


This overwrites the oldest data when the buffer fills up, but it may beyour only option if memory and hard drive space are limited on yournetwork-analysis computer.

If your network analyzer permits it, record all the traffic into a capturefile, and save it to the hard drive. This is the ideal scenario — especiallyif you have a large hard drive, such as 50GB or more.

You can easily fill a several-gigabyte hard drive in a short period of time.

When network traffic doesn’t look right in a network analyzer, it probably isn’t. It’s better to be safe than sorry.

Run a baseline when your network is working normally. You can see any obvious abnormalities when an attack occurs.

Clear-as-day decoding makes a network analyzer worth every penny you may pay.

Figure 9-10 shows what a Smurf DoS attack can do to a network in just 30 seconds. (I created this attack with BLADE Software’s IDS Informer, but you can use other tools.) On a small network with very little traffic, the utilization number is 823 kilobits/second, not too large a number for a 100-megabit/second Ethernet network. However, on a busy network with a lot more traffic, the number would be staggering.

Figure 9-11 shows the Smurf DoS attack on EtherPeek’s conversation monitor. Three million bytes were transmitted in this short period of time, from one host.

Figure 9-12 shows what a WANRemote backdoor remote administration tool (RAT) looks like across the network using EtherPeek. It shows the commands sent to get files from the local C: drive, kill UNIX processes, and unload X Window.

Figure 9-10: What a Smurf DoS attack looks like through a network analyzer.


If one workstation consumes considerably more bandwidth than the others, such as the 10.11.12.203 host in Figure 9-13, dig deeper to see what’s going on. (Such network hosts as servers often send and receive more traffic than other hosts.)

Figure 9-14 shows an indication that a port scan is being run on the network. It shows all the different protocols and the small number of packets this analysis found, including Gnutella, telnet, and rlogin.

Figure 9-13: Higher-than-normal network usage (as shown by the 10.11.12.203 host).

Figure 9-12: WANRemote RAT-attack traffic.

Figure 9-11: A Smurf DoS conversation via EtherPeek.


Check your network for a high number of ARP requests and ICMP echorequests proportionate to your overall traffic, as shown in Figure 9-15.
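The baseline comparison that the last few figures illustrate (protocol mix, ICMP and ARP out of proportion, one host out-talking everyone else) is easy to script once you export a capture as a packet list. The following Python is an added example, not the book’s code and not a feature of EtherPeek or Ethereal. The packet records are constructed here: a quiet baseline, and a second capture in which 10.11.12.203 sends a Smurf-style burst of echo requests to the broadcast address, walks the subnet with ARP requests, and opens an rlogin session that the baseline never saw. The thresholds are arbitrary starting points to tune against your own baseline.

```python
from collections import Counter, defaultdict
from statistics import median

def make_records(spec):
    """Expand (count, src, dst, proto, size) into flat (time, src, dst, proto, size)
    records 10 ms apart. Constructed data; a real run would read your analyzer's
    packet-list export instead."""
    out, t = [], 0.0
    for count, src, dst, proto, size in spec:
        for _ in range(count):
            out.append((round(t, 2), src, dst, proto, size))
            t += 0.01
    return out

BASELINE = make_records([
    (40, "10.11.12.5", "10.11.12.2", "TCP", 600),
    (40, "10.11.12.7", "10.11.12.2", "TCP", 600),
    (10, "10.11.12.9", "10.11.12.2", "UDP", 200),
    (5, "10.11.12.5", "10.11.12.2", "ICMP", 64),
    (5, "10.11.12.7", "ff:ff:ff:ff:ff:ff", "ARP", 42),
])

SUSPECT = make_records([
    (40, "10.11.12.5", "10.11.12.2", "TCP", 600),
    (40, "10.11.12.7", "10.11.12.2", "TCP", 600),
    (10, "10.11.12.9", "10.11.12.2", "UDP", 200),
    (60, "10.11.12.203", "10.11.12.255", "ICMP", 1400),    # echo requests to the broadcast address
    (50, "10.11.12.203", "ff:ff:ff:ff:ff:ff", "ARP", 42),   # who-has for one address after another
    (3, "10.11.12.203", "10.11.12.2", "rlogin", 80),        # a protocol the baseline never contained
])

def protocol_mix(records):
    """Fraction of packets per protocol."""
    counts = Counter(r[3] for r in records)
    return {proto: n / len(records) for proto, n in counts.items()}

def bytes_sent(records):
    totals = defaultdict(int)
    for _, src, _, _, size in records:
        totals[src] += size
    return dict(totals)

def find_anomalies(baseline, current, ratio_threshold=3.0, talker_multiple=3.0):
    """Compare a capture against a baseline and return alerts, in this order:
      new-protocol: a protocol absent from the baseline (NetBIOS on a NetWare LAN, rlogin here)
      protocol:     a protocol whose share of packets grew by more than ratio_threshold times
      talker:       a source sending more than talker_multiple times the median host's bytes"""
    base_mix, cur_mix = protocol_mix(baseline), protocol_mix(current)
    alerts = []
    for proto in cur_mix:
        if proto not in base_mix:
            alerts.append(("new-protocol", proto))
    for proto, share in cur_mix.items():
        base = base_mix.get(proto, 0.0)
        if base and share > base * ratio_threshold:
            alerts.append(("protocol", proto, round(share, 2), round(base, 2)))
    sent = bytes_sent(current)
    med = median(sent.values())
    for host, total in sent.items():
        if total > med * talker_multiple:
            alerts.append(("talker", host, total, med))
    return alerts
```

Against the constructed data, find_anomalies(BASELINE, SUSPECT) reports rlogin as a new protocol, ICMP and ARP as having grown from 5 percent of packets to roughly 30 and 25 percent, and 10.11.12.203 as sending about 86 KB while the median host sends 24 KB; comparing the baseline with itself reports nothing. The median rather than the mean is deliberate: one flooding host would drag the mean up and hide itself.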

Countermeasures

A network analyzer can be used for good or evil. All these tests can be used against you, too. A few countermeasures can help prevent someone from using an unauthorized network analyzer, but there’s no way to completely prevent it.

If hackers can connect to your network (physical or wireless), they can capture packets on the network, even if you’re using a switch.

Figure 9-15: Abnormally high ICMP and ARP requests show potential malicious behavior.

Figure 9-14: Many nonstandard protocols can indicate that a port scan is taking place.


Physical security

Ensure that adequate physical security is in place to prevent a hacker from plugging into your network:

Keep the bad guys out of your server room and wiring closet.

A special monitor port on a switch where a hacker can plug in a networkanalyzer is especially sensitive. Make sure it’s extra secure.

Make sure that such unsupervised areas as unoccupied desks don’thave live network connections.

Network-analyzer detection

You can use a network- or host-based utility to determine if someone is running an unauthorized network analyzer on your network:

sniffdet (sniffdet.sourceforge.net) for UNIX-based systems

PromiscDetect (ntsecurity.nu/toolbox/promiscdetect) for Windows

These tools enable you to monitor the network for Ethernet cards that are running in promiscuous mode. You simply load the programs on your computer, and the programs alert you if they see promiscuous behaviors on the network (sniffdet) or local system (PromiscDetect). Remote detection works by sending probes that a normal stack ignores but a promiscuous host answers, such as an ARP request carried in a frame addressed to a bogus MAC address, or a ping whose Ethernet destination is wrong, so it can be fooled by a sniffer that never answers anything, for example a capture interface with no IP address bound to it at all.

The MAC-daddy attack

Attackers can use ARP (Address Resolution Protocol) running on your network to make their systems appear to be either your system or another authorized host on your network.

ARP spoofing

An excessive amount of ARP requests can be a sign of an ARP poisoning attack (or ARP spoofing) on your network.

What happens is that a client running a program such as the UNIX-based dsniff or the UNIX- and DOS/Windows-based ettercap can change the ARP tables (the tables that store IP address to media access control (MAC) address mappings) on network hosts. This causes the victim computers to think they need to send traffic to the attacker’s computer, rather than the true destination computer, when communicating on the network. This is often referred to as a Man-in-the-Middle (MITM) attack.

This security vulnerability is inherent in how ARP works: replies carry no authentication, any host can claim any IP address, and most stacks accept unsolicited replies and overwrite the cache entry they already hold.


Here’s a typical ARP spoofing attack with a hacker’s computer (Hacky) and two legitimate network users’ computers (Joe and Bob):

1. Hacky poisons the ARP caches of victims Joe and Bob by using dsniff, ettercap, or a utility he wrote.

2. Joe associates Hacky’s MAC address with Bob’s IP address.

3. Bob associates Hacky’s MAC address with Joe’s IP address.

4. Frames that Joe addresses to Bob’s IP address, and that Bob addresses to Joe’s IP address, are delivered to Hacky’s MAC address first.

5. Hacky’s network analyzer captures Joe’s traffic and Bob’s traffic.

If Hacky is configured to act like a router and forward packets, it forwards the traffic to its original destination. The original sender and receiver never know the difference! (If Hacky doesn’t forward, the two victims simply lose connectivity with each other, which is how a botched poisoning attack usually gives itself away.)

Figure 9-16 shows the juicy e-mail stuff I found with ettercap. I loaded ettercap on my Windows computer, selected 10.11.12.204 as the source and 10.11.12.2 as the destination, and used ARP poisoning. Voilà!

A related trick works on the switch itself. Flooding it with frames that carry thousands of random source MAC addresses (the macof tool in the dsniff suite does this) overflows its MAC address table; many switches then fail open and flood unicast frames out every port, so the switch behaves like a hub. When this occurs, an attacker can sniff every packet going through the switch without bothering with ARP spoofing.

MAC-address spoofing

MAC-address spoofing tricks the switch into thinking you (actually, your computer) are someone else. You simply change your MAC address and masquerade as another user.

You can use this trick to test such access control systems as your IDS, firewall, and even operating-system login controls that check for specific MAC addresses.

Figure 9-16: A sample of what hackers can find with ARP poisoning.


UNIX-based systems

In UNIX and Linux, you can spoof MAC addresses with the ifconfig utility. Follow these steps:

1. While logged in as root, use ifconfig to enter a command that disables the network interface. Insert the name of the network interface that you want to disable (usually eth0) into the command, like this:

    [root@localhost root]# ifconfig eth0 down

2. Enter a command for the MAC address you want to use.

Insert the fake MAC address and the network interface name (eth0) into the command again, like this:

    [root@localhost root]# ifconfig eth0 hw ether new_mac_address

Then bring the interface back up with ifconfig eth0 up and confirm the change with ifconfig eth0. On current Linux distributions, where ifconfig may not be installed, the equivalent is ip link set dev eth0 down, ip link set dev eth0 address new_mac_address, and ip link set dev eth0 up. The change lasts until the next reboot or driver reload, after which the card’s burned-in address returns.

You can use a more feature-rich utility called MAC Changer (www.alobbs.com/macchanger) for Linux systems.

Windows

You can use regedit to edit the Windows Registry, but I like using a neat Windows utility called SMAC (www.klcconsulting.net/smac), which makes MAC spoofing a simple process. Follow these steps to use SMAC:

1. Load the program.

2. Select the adapter for which you want to change the MAC address.

3. Enter the new MAC address in the New Spoofed MAC Address fields, and click Update MAC.

4. Stop and restart the network card with these steps:

i. Right-click the network card in Network and Dialup Connections.

ii. Select Disable, and then right-click again and click Enable for the change to take effect.

You may have to reboot for this to work properly.

5. Click Refresh in the SMAC interface.

You should see something similar to the SMAC screen capture in Figure 9-17.

To reverse Registry changes with SMAC, follow these steps:

1. Select the adapter for which you want to change the MAC address.

2. Click Remove MAC.


3. Stop and restart the network card with these steps:

i. Right-click the network card in Network and Dialup Connections.

ii. Select Disable, and then right-click again and click Enable for the change to take effect.

You may have to reboot for this to work properly.

4. Click Refresh in the SMAC interface.

You should see your original MAC address again.

Countermeasures

A few countermeasures on your network can minimize the effects of a hacker attack against ARP and MAC addresses on your network.

Prevention

You can prevent MAC-address spoofing if your switches can enable port security to prevent automatic changes to the switch MAC address tables. Port security pins each switch port to one or a few known MAC addresses and shuts the port (or drops the frames) when a different address shows up; it also defeats the MAC-flooding trick, because the switch refuses to learn thousands of bogus addresses on one port.

Static ARP entries on every host would stop ARP poisoning, because a static entry is never overwritten by a received reply, but maintaining them for every host on the network is definitely something that no network administrator has time to do. The realistic prevention lives in the switch: where your switches support DHCP snooping together with dynamic ARP inspection, the switch records the IP-to-MAC binding each host obtained from DHCP and drops ARP packets on access ports that contradict it, so Hacky’s spoofed replies never reach Joe and Bob. Failing that, detection (below) is your fallback.

Detection

You can detect these two types of hacks through either an IDS or a stand-alone MAC address monitoring utility.

Figure 9-17: SMAC showing a spoofed MAC address.


Arpwatch is a UNIX-based program that alerts you via e-mail if it detects changes in the MAC addresses associated with specific IP addresses on the network.
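To make both the Joe/Bob/Hacky sequence from the "ARP spoofing" section and the arpwatch-style detection above concrete, here is an added Python example; it is not the book’s code and not code from dsniff, ettercap, or arpwatch. It builds the raw Ethernet/ARP reply frame a poisoner sends, parses such frames, and runs an arpwatch-like monitor over a constructed sequence of two honest replies followed by Hacky’s two spoofed ones. The MAC and IP addresses are made up, and the builder only produces bytes; it does not put them on the wire.

```python
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame + ARP reply (opcode 2) saying "sender_ip is at sender_mac",
    unicast to target. A poisoner puts the victim's peer in sender_ip and its own
    card in sender_mac; nothing in the frame proves the claim."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)      # Ethernet, IPv4, hlen 6, plen 4, reply
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp

def parse_arp(frame):
    """(opcode, sender_mac, sender_ip, target_mac, target_ip), or None if the frame
    is not an IPv4-over-Ethernet ARP packet."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    p = frame[22:42]
    return op, mac_str(p[0:6]), ip_str(p[6:10]), mac_str(p[10:16]), ip_str(p[16:20])

class ArpWatcher:
    """arpwatch-style monitor: remembers the first MAC seen for each IP, raises
    'changed' when a later reply claims that IP from a different MAC, and 'multi-ip'
    when one MAC starts claiming more than one address."""

    def __init__(self):
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != 2:      # only replies update caches
            return []
        _, smac, sip, _, _ = parsed
        alerts = []
        known = self.ip_to_mac.get(sip)
        if known is None:
            self.ip_to_mac[sip] = smac
        elif known != smac:
            alerts.append(("changed", sip, known, smac))
        before = len(self.mac_to_ips[smac])
        self.mac_to_ips[smac].add(sip)
        if len(self.mac_to_ips[smac]) > max(before, 1):
            alerts.append(("multi-ip", smac, sorted(self.mac_to_ips[smac])))
        return alerts

def demo():
    """Two honest replies establish the baseline, then Hacky poisons both victims."""
    joe_mac, joe_ip = "00:0c:29:aa:aa:aa", "10.11.12.2"
    bob_mac, bob_ip = "00:0c:29:bb:bb:bb", "10.11.12.204"
    hacky_mac = "00:0c:29:cc:cc:cc"
    watcher, alerts = ArpWatcher(), []
    alerts += watcher.observe(build_arp_reply(joe_mac, joe_ip, bob_mac, bob_ip))    # Joe answers Bob
    alerts += watcher.observe(build_arp_reply(bob_mac, bob_ip, joe_mac, joe_ip))    # Bob answers Joe
    alerts += watcher.observe(build_arp_reply(hacky_mac, bob_ip, joe_mac, joe_ip))  # "Bob is at Hacky" -> Joe
    alerts += watcher.observe(build_arp_reply(hacky_mac, joe_ip, bob_mac, bob_ip))  # "Joe is at Hacky" -> Bob
    return alerts
```

demo() yields two "changed" alerts (Bob’s address and then Joe’s address moving to Hacky’s MAC) and one "multi-ip" alert once Hacky’s MAC is claiming both. Expect false positives from the same logic in real use: a DHCP lease change or a router answering for several addresses looks exactly like this, which is why arpwatch reports "flip flop" events for a human to judge rather than blocking anything.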

Denial of service

Denial-of-service (DoS) attacks are among the most common hacker attacks. A hacker initiates so many invalid requests to a network host that it uses all its resources responding to them and ignores legitimate requests.

DoS attacks

The following types of DoS attacks are possible against your network and hosts, and can cause systems to crash, data to be lost, and every user to jump on your case, wondering when Internet access will be restored.

Individual attacks

Here are some common DoS attacks:

SYN floods: The attacker literally floods a host with TCP SYN packets, usually from spoofed source addresses, so the host fills its table of half-open connections waiting for ACKs that never come and stops accepting new connections.

Ping of Death: The attacker sends a fragmented ICMP echo request whose fragments reassemble to more than the maximum IP packet length of 65,535 bytes, which can ultimately crash the TCP/IP stack on many older operating systems.

WinNuke: This attack sends out-of-band (urgent) TCP data to port 139 and can disable networking on older Windows 95 and NT computers.

Distributed attacks

Distributed DoS (DDoS) attacks have an exponentially greater impact on their victims. The most famous was the DDoS attack against eBay, Yahoo!, CNN, and dozens of other Web sites by the hacker known as MafiaBoy. These are some common distributed attacks:

Smurf attack: An attacker spoofs the victim’s address and sends ICMP echo requests (ping packets) to the broadcast address of a network that forwards directed broadcasts. Every host on that network answers, so the victim computer gets deluged with tons of packets in response to those echo requests. The intermediate network is the amplifier: the attacker sends only a fraction of the traffic the victim receives.

Trinoo and Tribe Flood Network (TFN) attacks: Sets of client- and server-based programs launch packet floods against a victim machine, effectively overloading it and causing it to crash.

DoS attacks can be carried out with tools that the hacker either writes or downloads off the Internet. These are good tools to test your network’s IDS/IDP and firewalls. You can find programs that allow actual attacks and programs, such as BLADE Software’s IDS Informer, that let you send controlled attacks.


Testing

Your first DoS test should be a search for DoS vulnerabilities from a port-scanning and network-analysis perspective.

Don’t test for DoS unless you have test systems or can perform controlled tests with the proper tools. Poorly planned DoS testing is a job search in the making. It’s like trying to delete data from a network share remotely and hoping that the access controls in place are going to prevent it.

Countermeasures

Most DoS attacks are difficult to predict, but they can be easy to prevent:

Test and apply security patches as soon as possible for such network hosts as routers and firewalls, as well as for server and workstation operating systems.

Use IDS and IDP systems to monitor regularly for DoS attacks.

You can run a network analyzer in continuous capture mode if you can’t justify the cost of an all-out IDS or IDP solution.

Configure firewalls and routers to block malformed traffic. You can do this only if your systems support it, so refer to your administrator’s guide for details.

Minimize IP spoofing by either

• Using authentication and encryption, such as a Public Key Infrastructure (PKI)

• Filtering out external packets that appear to come from an internal address, the local host (127.0.0.1), or any other private and non-routable address such as 10.x.x.x, 172.16.x.x–172.31.x.x, or 192.168.x.x

Apply the same idea in the outbound direction: drop packets leaving your network whose source address isn’t one of yours (the ingress filtering described in RFC 2827, BCP 38), so your hosts can’t be used to launch spoofed floods at someone else.

Disable forwarding of directed broadcasts on your routers (no ip directed-broadcast on Cisco IOS) so your network can’t serve as a Smurf amplifier.

Block all ICMP traffic inbound to your network unless you specifically need it. Even then, you should allow it only in to specific hosts.

Disable all unneeded TCP/UDP small services (such as echo and chargen).
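The anti-spoofing filters described above, with a directed-broadcast check alongside them, as an added Python example (not the book’s code and not any firewall’s rule syntax): the perimeter policy is expressed as one function that returns a verdict and a reason for each packet, so you can see which rule catches which case. The packets and the 203.0.113.0/24 "our network" prefix are constructed for the example.

```python
import ipaddress

# Source ranges that have no business arriving from the Internet: the book's list
# (private, loopback) plus a few more bogons. Tune to taste.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

def _in_any(addr, networks):
    return any(addr in net for net in networks)

def build_antispoof_policy(our_prefixes):
    """Return check(direction, src, dst, proto) -> (allowed, reason) for the perimeter.
    our_prefixes: the address blocks you actually own, as CIDR strings."""
    ours = [ipaddress.ip_network(p) for p in our_prefixes]
    our_broadcasts = {net.broadcast_address for net in ours}

    def check(direction, src, dst, proto):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if direction == "in":
            if _in_any(s, BOGON_SOURCES):
                return False, "inbound: private/loopback/reserved source address"
            if _in_any(s, ours):
                return False, "inbound: source claims to be one of our own addresses"
            if d in our_broadcasts and proto in ("ICMP", "UDP"):
                return False, "inbound: directed broadcast (Smurf/Fraggle amplifier)"
            return True, "inbound: ok"
        if direction == "out":
            if not _in_any(s, ours):
                return False, "outbound: source is not ours (BCP 38 egress filter)"
            return True, "outbound: ok"
        raise ValueError(f"unknown direction {direction!r}")

    return check

SAMPLE_PACKETS = [   # (direction, src, dst, proto); constructed for the example
    ("in",  "10.0.0.5",     "203.0.113.10",  "TCP"),    # private source from the Internet
    ("in",  "203.0.113.10", "203.0.113.5",   "TCP"),    # outsider pretending to be inside
    ("in",  "198.51.100.7", "203.0.113.255", "ICMP"),   # ping to our broadcast address
    ("in",  "198.51.100.7", "203.0.113.5",   "TCP"),    # ordinary inbound connection
    ("out", "203.0.113.5",  "198.51.100.7",  "TCP"),    # ordinary outbound connection
    ("out", "192.0.2.9",    "198.51.100.7",  "ICMP"),   # our host spoofing someone else
]

def apply_policy(packets, our_prefixes=("203.0.113.0/24",)):
    """Return [(packet, allowed, reason)] for every packet."""
    check = build_antispoof_policy(our_prefixes)
    return [(pkt, *check(*pkt)) for pkt in packets]
```

Four of the six sample packets are dropped, each for a different reason, and the two legitimate ones pass. The inbound rules are what the book’s bullet describes; the outbound rule is the half most organizations forget, and it is the one that keeps your network out of someone else’s Smurf attack.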

Establish a baseline of your network protocols and traffic patterns before aDoS attack occurs. That way, you know what to look for. And periodicallyscan for such potential DoS vulnerabilities as rogue DoS software installed onnetwork hosts.

Work with a minimum-necessary mentality when configuring your network devices such as firewalls and routers:

Identify traffic that is necessary for approved network usage.

Allow the traffic that’s needed.

Deny all other traffic.


General network defenses

Regardless of the specific attacks against your system, a few good practices can help prevent many network problems:

Stateful inspection on firewalls. This can help ensure that all traffic traversing it is legitimate and can prevent DoS attacks and other spoofing attacks.

Rules to perform packet filtering based on traffic type, TCP/UDP ports, IP addresses, and even specific interfaces on your routers before the traffic is ever allowed to enter your network.

Proxy filtering and Network Address Translation (NAT).

Finding and eliminating malformed or overlapping fragmented packets entering your network (Teardrop-style attacks) via an IDS or IDP system. Fraggle, the UDP cousin of Smurf, doesn’t rely on fragments; it bounces echo and chargen datagrams off a broadcast address and is stopped by disabling directed broadcasts and the small services.

Segmenting and firewalling these network segments:

• The internal network in general

• Critical departments, such as accounting, finance, HR, and research



Chapter 10Wireless LANsIn This Chapter

Understanding risks of wireless LANs

Selecting wireless LAN hacking tools

Hacking against wireless LANs

Minimizing wireless network security risks

Wireless local area networks (WLANs) — specifically, the ones based on the IEEE 802.11 standard — are increasingly being deployed into both business and home networks. Next to instant messaging and personal video recorders, WLANs are the neatest technology I’ve used in quite a while. Of course, with any new technology come security issues, and WLANs are no exception. In fact, the 802.11b wireless technology has been the poster child for weak security and network hack attacks for several years running.

WLANs offer a ton of business value, from convenience to reduced network deployment time. Whether your organization allows wireless network access or not, testing for WLAN security vulnerabilities is critical. In this chapter, I cover some common wireless network security vulnerabilities that you should test for. And I discuss some cheap and easy countermeasures you can implement to help ensure that WLANs are not more of a risk to your organization than they’re worth.

Understanding the Implications of Wireless Network Vulnerabilities

WLANs are very susceptible to hacker attacks — even more so than wired networks are (discussed in Chapter 9). They have vulnerabilities that can allow a hacker to bring your network to its knees and allow your information to be gleaned right out of thin air. If a hacker compromises your WLAN, you can experience the following problems:

• Loss of network access, including e-mail, Web, and other services that can cause business downtime

• Loss of confidential information, including passwords, customer data, intellectual property, and more

• Legal liabilities associated with unauthorized users

Most of the wireless vulnerabilities are in the 802.11 protocol and within wireless access points (APs) — the central hublike devices that allow wireless clients to connect to the network. Wireless clients have some vulnerabilities as well.

Various fixes have come along in recent years to address these vulnerabilities, but most of these fixes have not been applied or are not enabled by default. You may also have employees installing rogue WLAN equipment on your network without your knowledge; this is the most serious threat to your wireless security and a difficult one to fight off. Even when WLANs are hardened and all the latest patches have been applied, you still may have some serious security problems, such as DoS and man-in-the-middle attacks (like you have on wired networks), that will likely be around for a while.

Choosing Your Tools

Several great WLAN security tools are available for both the Windows and UNIX platforms. The UNIX tools — which mostly run on Linux and BSD — can be a bear to configure and run properly if the planets and stars are not properly aligned. The PC Card services in Linux are the trickiest to set up, depending on your type of WLAN card and your Linux version.

Don’t get me wrong — the UNIX-based tools are excellent at what they do. Programs such as Kismet (www.kismetwireless.net), AirSnort (airsnort.shmoo.com), AirJack (802.11ninja.net/airjack), and Wellenreiter (www.wellenreiter.net) offer many features that most Windows-based applications don’t have. These programs run really well if you have all the Linux dependencies installed. They also offer many features that you don’t need when assessing the security of your WLAN.

In the spirit of keeping things simple, the tests I outline in this chapter require only Windows-based utilities. My favorite tools for assessing wireless networks in Windows are as follows:

• NetStumbler (www.netstumbler.com) for AP discovery and enumeration

• Wireless client management software — such as Orinoco’s Client Manager software — for AP discovery and enumeration

• WildPackets’ AiroPeek (www.wildpackets.com) or your favorite WLAN analyzer for detailed information on wireless hosts, decryption of encrypted traffic, and more

• LANguard Network Security Scanner (www.gfi.com) for WLAN enumeration and vulnerability scanning

A case study with Matt Caldwell on hacking wireless networks

Matt Caldwell shared with me a wild story of a wireless warflying experience — yes, it’s wardriving, but in an airplane! Here’s his account of what happened.

The Situation

Mr. Caldwell’s employer — the state of Georgia — wanted to have the state’s wireless networks assessed. The problem with terrestrial wardriving is that it’s very slow, so Mr. Caldwell and his team conducted an experiment to determine the most economical way to assess the access points across the state of Georgia, which comprised 47,000 employees and 70 agencies.

They knew the location of the buildings and knew they had to visit all of them. As a test, they drove around one building to count the number of access points they detected and concluded that it would take almost six months to assess all the state buildings.

In his spare time, Mr. Caldwell flies single-engine aircraft, and he decided that if the military could gather intelligence via aircraft, so could he! After getting through some political red tape, he and a fellow aviator used duct tape to mount an antenna on a Cessna 172RG (he thanks MacGyver for this idea!). He mounted the antenna at a 90-degree angle from the plane’s nose so that he could make notes on the direction of the plot point. By doing some simple math, plus 90 degrees gave them radial on the approximate bearing of the target access point.

The Outcome

As Mr. Caldwell and his colleague climbed above 500 feet, NetStumbler (the wireless assessment software they were using) began chiming over the engine noise with its “bongs.” It seemed like every second, a new wireless AP was being discovered. They made their way around downtown Atlanta and detected over 300 unique APs at about 2,000 feet AGL. They proved that warflying can be an effective method of detecting access points and a great statistical-gathering activity. They collected data on 382 APs in less than one hour in the air!

Matt Caldwell’s Lessons Learned

• Don’t eat a McDonald’s double cheeseburger before flying — or at least carry a barf bag!

• Use extra duct tape and a safety rope, or put the antenna in the aircraft.

• Use good software to do triangulation so you don’t have to calculate the position manually.

• Seventy percent of the APs detected had no WEP encryption!

• Almost 50 percent of the APs detected had default SSIDs.

Matt Caldwell, CISSP, is founder of and chief security officer for GuardedNet, Inc.



You also need the proper hardware. A good setup I’ve used is a laptop PC with an Orinoco (formerly made by Lucent, now Proxim) 802.11b PC Card. This card is not only compatible with NetStumbler, but also has an antenna connector that allows you to connect an external antenna. Another bonus is that most wireless security tools are very friendly with the Orinoco card. A lot of security tool support is available for the Prism2 chipset found in wireless cards by Belkin, D-Link, Linksys, and more. Before you purchase a wireless PC Card or PCI adapter, verify what chipset it has to ensure compatibility with the majority of security tools. The SeattleWireless Hardware Comparison page (www.seattlewireless.net/index.cgi/HardwareComparison) is a good reference for this type of information.

You can also use a handheld wireless security testing device such as an AirMagnet (www.airmagnet.com) or the Fluke WaveRunner (www.flukenetworks.com). Both devices have their own built-in programs that are great for testing security settings on your WLAN.

An external antenna is also something to consider as part of your arsenal. I have had good luck running tests without an antenna, but your mileage may vary. If you’re performing a walk-through of your facilities to test for wireless signals, for example, adding an additional antenna increases your odds of finding legitimate — and, more important, unauthorized APs. You can choose among three main types of wireless antennas:

• Omnidirectional: Transmits and receives wireless signals 360 degrees over shorter distances, such as in boardrooms or reception areas. These antennas, also known as dipoles, typically come installed on APs from the factory.

• Semidirectional: Transmits and receives directionally focused wireless signals over medium distances, such as down corridors and across one side of an office.

• Directional: Transmits and receives highly focused wireless signals over long distances, such as between buildings. This antenna, also known as a high-gain antenna, is the antenna of choice for wireless hackers driving around cities looking for vulnerable APs — an act also known as wardriving.

As an alternative to the antennas described in the preceding list, you can use a nifty Pringles-can design. If you’re interested in trying this, check out the article at www.oreillynet.com/cs/weblog/view/wlg/448 for details. You can even try other alternatives, such as a pork-and-beans can! A simple Internet search turns up a lot of information on this subject, if you’re interested. One site in particular sells a Cantenna kit pretty cheaply at mywebpages.comcast.net/hughpep.



Wireless LAN Discovery

After you have an Internet connection, wireless hardware (a wireless card, at a minimum), and wireless testing software (NetStumbler or similar client management software, at a minimum), you’re ready to roll.

Checking for worldwide recognition

The first test requires only the MAC address of your AP and access to the Internet. You’re testing to see if someone has discovered your WLAN and posted information about it for the world to see. If you’re not sure what your AP’s MAC address is, you should be able to view it by using the arp -a command in DOS. You may have to ping the access point’s IP address first so the MAC address is loaded into your ARP cache. Figure 10-1 shows what this may look like.

After you have the AP’s MAC address, browse to the WiGLE database of WLANs (www.wigle.net) to see if your AP is listed. You have to register with the site to perform a database query, but it’s worth it. After you select the Query link and log in, you see a screen similar to Figure 10-2. You can enter such AP information as geographical coordinates, but the simplest thing to do is enter your MAC address in the format shown.

If your AP is listed, that means that someone has discovered it — most likely via wardriving — and has posted the information for others to see. You need to start implementing the security countermeasures listed in this chapter as soon as possible to keep others from using this information against you! You can also check www.wifimaps.com to see if your AP is listed at another WLAN lookup site.

Figure 10-1: Finding the MAC address of an AP using arp.

Scanning your local airwaves

Monitor the airwaves around your building to see what authorized and unauthorized APs you can find. You’re looking for the SSID (service set identifier), which is your WLAN’s name. If you have multiple WLANs, each one has a network SSID associated with it.

Here’s where NetStumbler comes into play. NetStumbler can discover SSIDs and other detailed information about wireless APs, including the following:

• MAC address

• Name

• Radio channel in use

• Vendor name

• Whether encryption is on or off

• RF signal strength (signal-to-noise ratio)

Figure 10-2: Searching for your wireless APs using the WiGLE database.



Figure 10-3 shows an example of what you might see when running NetStumbler in your environment. The information that you see here is what others can see. NetStumbler and most other tools work by sending a probe-request signal from the client. Any APs within signal range must respond with their SSIDs — that is, if they’re configured to broadcast their SSIDs.

Kismet — the popular wireless sniffer (network analyzer) for Linux and BSD UNIX — looks not only for probe responses from APs like NetStumbler does, but also for other 802.11 management packets, such as association responses and beacons. This allows Kismet to detect the presence of a WLAN even when probe-response packets are disabled in the AP — something that NetStumbler can’t do.

When you’re using certain wireless security assessment tools, including NetStumbler and AiroPeek, your adapter may be put in passive monitoring mode. This means you can no longer communicate with other wireless hosts or APs while the program is loaded. Also, some programs require a specialized driver for your wireless card that often disables normal WLAN functionality. If this is the case, you need to roll back (reinstall) the original adapter’s driver (supplied by the vendor) to restore the standard functions of your adapter.

The best way to search for APs that are not broadcasting their SSIDs from within Windows is to use a WLAN analyzer such as AiroPeek (my favorite) — which is the sister product of the excellent wired network analyzer EtherPeek — or TamoSoft’s CommView for Wi-Fi (www.tamos.com/products/commwifi), which I’ve heard great things about. You can do this by enabling a capture filter on 802.11 management packets, as shown in AiroPeek’s options in Figure 10-4.

An ad-hoc mode — a peer-to-peer type setup — in WLANs can allow wireless clients to communicate directly with one another without having to pass through an AP. These types of WLANs operate outside the normal wireless security controls and, thus, can cause serious security issues above and beyond the normal 802.11 vulnerabilities. The best way to detect these rogue networks is to use NetStumbler. You can also use a WLAN analyzer or wireless IDS and search for beacon packets where the ESS field is not equal to 1.

Figure 10-3: NetStumbler displays detailed data on APs.

Wireless Network Attacks

Various malicious hacks — including various DoS attacks — can be carried out against your WLAN. This includes APs that are forced to reveal their SSIDs during the process of being disassociated from the network and rejoining. In addition, hackers can literally jam the RF signal of an AP — especially in 802.11b and 802.11g systems — and force the wireless clients to reassociate to a rogue AP masquerading as the victim AP. Hackers can create man-in-the-middle attacks by maliciously using tools such as ESSID-jack and monkey-jack and can flood your network with thousands of packets per second by maliciously using packet-generation tools such as Gspoof or LANforge — enough to bring the network to its knees. Even more so than with wired networks, this type of DoS attack is practically impossible to prevent on WLANs.

Various hacking tools for the UNIX platform can perform these types of hacks, including Cqure AP, HostAP, and AirJack. After hackers carry out these types of attacks against your WLAN, they can attempt to capture traffic and penetrate into any systems that attach to it.

You can carry out several — nonmalicious — attacks against your WLAN. The associated countermeasures help protect your network from these vulnerabilities, as well as from the malicious attacks previously mentioned. When testing your WLAN security, look out for the following weaknesses:

• Unencrypted wireless traffic

• Unauthorized APs

• RF signals that are too strong

• Wireless equipment that’s easy to access physically

• Default configuration settings

Figure 10-4: AiroPeek detects APs that don’t broadcast SSIDs.

A good starting point for testing is to attempt to attach to your WLAN as an outsider and run a vulnerability-assessment tool, such as LANguard Network Security Scanner. This test enables you to see what others can see on your network, including information on the OS version, open ports on your AP, and even network shares on wireless clients. Figure 10-5 shows the type of information that can be revealed about an AP on your network.

Encrypted traffic

Wireless traffic can be captured directly out of the airwaves, making this communications medium susceptible to malicious eavesdropping. Unless the traffic is encrypted, it’s sent and received in cleartext just like on a standard wired network. On top of that, the 802.11 encryption protocol, Wired Equivalent Privacy (WEP), has its own weakness that allows hackers to crack the encryption keys and decrypt the captured traffic. This vulnerability has helped put WLANs on the map — so to speak.

WEP, in a certain sense, actually lives up to its name: It provides the privacy equivalent to that of a wired network and then some. However, it was not intended to be cracked so easily. WEP uses a fairly strong symmetric (shared-key) encryption algorithm called RC4. Hackers can observe encrypted wireless traffic and recover the WEP key due to a flaw in how the RC4 initialization vector (IV) is implemented in the protocol. This weakness is due to the fact that the IV is only 24 bits long, which causes it to be repeated every 16.7 million packets — even sooner in many cases, based on the amount of wireless clients entering and leaving the network.

Figure 10-5: A LANguard scan of a potentially vulnerable AP.

Most WEP implementations initialize WLAN hardware with an IV of 0 and increment it by one for each packet sent. This can lead to the IV’s being reinitialized — started over at 0 — approximately every five hours. Given this, WLANs that have a small number of clients transmitting a relatively small rate of wireless packets are normally more secure than large WLANs that transmit a lot of wireless data.
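How the IV weakness shows up on the wire, as an added Python example that is not from the book: WEP places its 24-bit IV in the clear ahead of every encrypted frame, so a wireless IDS can record which IVs each BSSID has used and count repeats, and you can compute how quickly a sequential counter wraps at a given packet rate. The frames, BSSID and station address below are constructed, not a real capture.

```python
"""Detect WEP initialization-vector (IV) reuse in captured 802.11 data frames.

Added example, not from the book. The parser reads the 24-byte 802.11 MAC
header and the 4-byte WEP header (3-byte IV plus key-ID byte) that follows it.
"""
from collections import defaultdict

IV_SPACE = 2 ** 24  # 16,777,216 IVs before a sequential counter is forced to wrap


def wep_iv(frame):
    """Return (bssid, iv, key_index) for a WEP-protected data frame, else None."""
    if len(frame) < 28:                 # MAC header (24) + WEP header (4)
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2:           # frame type 2 = data
        return None
    if not fc1 & 0x40:                  # Protected Frame bit clear: plaintext frame
        return None
    to_ds, from_ds = fc1 & 0x01, (fc1 >> 1) & 0x01
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    if to_ds and not from_ds:           # station -> AP: BSSID is the receiver
        bssid = addr1
    elif from_ds and not to_ds:         # AP -> station: BSSID is the transmitter
        bssid = addr2
    else:
        bssid = addr3
    iv = int.from_bytes(frame[24:27], "big")
    key_index = frame[27] >> 6          # key ID occupies the top two bits
    return bssid.hex(":"), iv, key_index


def find_iv_reuse(frames):
    """Per BSSID, count protected frames whose IV was already seen under that BSSID."""
    seen = defaultdict(set)
    reused = defaultdict(int)
    for frame in frames:
        parsed = wep_iv(frame)
        if parsed is None:
            continue
        bssid, iv, _ = parsed
        if iv in seen[bssid]:
            reused[bssid] += 1
        seen[bssid].add(iv)
    return dict(reused)


def hours_until_iv_wrap(packets_per_second):
    """Hours before an IV counter that starts at 0 and increments per packet wraps."""
    return IV_SPACE / packets_per_second / 3600.0


def build_wep_frame(bssid, station, iv, key_index=0):
    """Constructed station-to-AP (To DS) data frame carrying a WEP header."""
    fc = bytes([0x08, 0x41])            # type data; To DS = 1, Protected Frame = 1
    header = fc + b"\x00\x00" + bssid + station + bssid + b"\x00\x00"
    wep_header = iv.to_bytes(3, "big") + bytes([key_index << 6])
    return header + wep_header + b"\x00" * 8 + b"\x00" * 4  # dummy body + ICV


def sample_frames():
    """Constructed capture: five frames from one station with IVs 1 and 2 repeated."""
    bssid = bytes.fromhex("004096aabbcc")
    station = bytes.fromhex("00022d112233")
    return [build_wep_frame(bssid, station, iv) for iv in (1, 2, 3, 1, 2)]


if __name__ == "__main__":
    print(find_iv_reuse(sample_frames()))       # {'00:40:96:aa:bb:cc': 2}
    print(round(hours_until_iv_wrap(1000), 2))  # 4.66 hours at 1,000 packets/second
```

At roughly 1,000 packets per second the counter wraps in about 4.7 hours, which is the "approximately every five hours" figure quoted above.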

Using various UNIX-based tools such as WEPCrack (wepcrack.sourceforge.net), AirSnort (airsnort.shmoo.com), and WepAttack (wepattack.sourceforge.net), hackers need to collect only a few hours’ up to a few days’ (depending on how much wireless traffic is on the network) worth of packets to be able to break the WEP key.

A longer key length, such as 128 bit or 192 bit, doesn’t make WEP exponentially more difficult to crack. This is because WEP’s static key scheduling algorithm requires only that about 20,000 or so additional packets be captured to crack a key for every extra bit in the key length.

Although WEP is crackable, it’s still much better than no encryption at all. Similar to the effect that home-security-system signs have on would-be home intruders, a wireless LAN running WEP is not nearly as attractive to a hacker as one without it. The hacker is likely to just move on to easier targets.

You can carry out this attack against your network, but it probably won’t prove anything other than WEP is vulnerable. After you implement the WEP countermeasures mentioned in the next section, you can always run some of the WEP cracking tools to ensure that the countermeasures are working.

If you need to use your WLAN analyzer to view traffic as part of your security assessment, you won’t be able to see any traffic if WEP is enabled unless you know your WEP key. You can enter your key into your analyzer, but just remember that hackers can do the same thing if they’re able to crack your WEP key using one of the tools I mention earlier!

Figure 10-6 shows an example of how you can view protocols on your WLAN by entering your WEP key into AiroPeek via the 802.11 tab in the Capture Options window before you start your packet capture.

Countermeasures

The simplest solution to the WEP problem is to use a VPN for all wireless communications. You can easily implement this in a Windows environment — for free — by enabling PPTP for client communications. You can also use the IPSec support built into Windows, as well as SSH, SSL/TLS, and other proprietary vendor solutions, to keep your traffic secure.

Newer 802.11-based solutions exist as well. If you can configure your wireless hosts to regenerate a new key dynamically after a certain number of packets have been sent, the WEP vulnerability can’t be exploited. Many AP vendors have already implemented this fix as a separate configuration option, so check for the latest firmware with features to manage key rotation. For instance, the proprietary Cisco LEAP protocol uses per-user WEP keys that offer a layer of protection if you’re running Cisco hardware.

The wireless industry has come up with a solution to the WEP problem called Wi-Fi Protected Access (WPA). WPA uses the Temporal Key Integrity Protocol (TKIP) encryption system, which fixes all the known WEP issues. WPA requires an 802.1x authentication server, such as a RADIUS server, to manage user accounts for the WLAN. Check with your vendor for WPA updates.

A forthcoming 802.11i standard from the IEEE integrates the WPA fixes and more. This standard is an improvement over WPA but is not compatible with older 802.11b hardware, due to its implementation of the Advanced Encryption Standard (AES) for encryption. The workaround for this is to use TKIP, which is backward-compatible with older hardware because it uses the RC4 encryption scheme. Keep an eye out for 802.11i support for your wireless hardware.

Figure 10-6: Using AiroPeek Client Manager to search for rogue APs.

Rogue networks

Watch out for unauthorized APs and wireless clients attached to your network that are running in ad-hoc mode.

Using NetStumbler or your client manager software, you can test for APs that don’t belong on your network. You can also use the network monitoring features in a WLAN analyzer such as AiroPeek.

Look for the following rogue AP characteristics:

• Odd SSIDs, including the popular default ones linksys, tsunami, comcomcom, and wireless.

• Odd AP system names — that is, the name of the AP if your hardware supports this feature — not to be confused with the SSID.

• MAC addresses that don’t belong on your network. Look at the first three bytes of the MAC address (the first six numbers), which specify the vendor name. You can perform a MAC-address vendor lookup at coffer.com/mac_find to find information on APs you’re unsure of.

• Weak radio signals, which can indicate that an AP has been hidden away or is on the outside of your building.

• Communications across a different radio channel than what your network communicates on.

• A degradation in network throughput for any WLAN client.
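The rogue-AP checks above and the ad-hoc test from the discovery section (beacons whose ESS field is not 1), as one added Python example that is not from the book: it parses constructed 802.11 beacon frames for the fields NetStumbler reports (BSSID, SSID, channel, whether encryption is on) plus the ESS/IBSS capability bits, then flags default SSIDs, ad-hoc beacons, no encryption, an unexpected vendor OUI and an off-channel radio. The OUI allow-list and the sample BSSIDs are assumptions.

```python
"""Inventory APs from captured beacon frames and flag rogue indicators.

Added example, not from the book. A beacon is a management frame (subtype 8):
24-byte MAC header, then timestamp (8), beacon interval (2) and capability
(2), then tagged parameters such as SSID (tag 0) and DS channel (tag 3).
"""
import struct

DEFAULT_SSIDS = {"linksys", "tsunami", "comcomcom", "wireless"}  # named in the chapter
# Assumed allow-list of vendor OUIs (first three MAC bytes) you expect to see.
KNOWN_OUIS = {"00:40:96": "Cisco Aironet"}


def parse_beacon(frame):
    """Return a dict describing a beacon frame, or None if it is not a beacon."""
    if len(frame) < 36 or frame[0] != 0x80:  # type management, subtype beacon
        return None
    bssid = frame[16:22].hex(":")            # address 3 carries the BSSID
    _timestamp, interval, capability = struct.unpack_from("<QHH", frame, 24)
    info = {
        "bssid": bssid,
        "oui": bssid[:8],
        "beacon_interval_tu": interval,
        "ess": bool(capability & 0x0001),    # infrastructure network
        "ibss": bool(capability & 0x0002),   # ad-hoc network
        "privacy": bool(capability & 0x0010),  # encryption (WEP) required
        "ssid": "",
        "channel": None,
    }
    pos = 36
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        data = frame[pos + 2:pos + 2 + length]
        if len(data) < length:
            break                            # truncated tagged parameter
        if tag == 0:                         # empty when SSID broadcast is disabled
            info["ssid"] = data.decode("ascii", "replace")
        elif tag == 3 and length == 1:
            info["channel"] = data[0]
        pos += 2 + length
    return info


def rogue_indicators(ap, home_channel, known_ouis=KNOWN_OUIS):
    """List the chapter's rogue-AP characteristics that apply to one parsed beacon."""
    flags = []
    if ap["ssid"].lower() in DEFAULT_SSIDS:
        flags.append("default SSID")
    if ap["ibss"] or not ap["ess"]:
        flags.append("ad-hoc network (ESS bit not set)")
    if not ap["privacy"]:
        flags.append("no encryption")
    if ap["oui"] not in known_ouis:
        flags.append("unknown vendor OUI")
    if ap["channel"] is not None and ap["channel"] != home_channel:
        flags.append("off-channel")
    return flags


def build_beacon(bssid, ssid, channel, ess=True, privacy=True, interval=100):
    """Constructed beacon (not a real capture) with SSID and DS parameter tags."""
    capability = (0x0001 if ess else 0x0002) | (0x0010 if privacy else 0)
    header = bytes([0x80, 0, 0, 0]) + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, interval, capability)
    tags = bytes([0, len(ssid)]) + ssid.encode() + bytes([3, 1, channel])
    return header + fixed + tags


def survey(frames, home_channel):
    """Map each BSSID to its parsed beacon plus the rogue indicators found."""
    result = {}
    for frame in frames:
        ap = parse_beacon(frame)
        if ap is not None:
            result[ap["bssid"]] = dict(ap, flags=rogue_indicators(ap, home_channel))
    return result


def sample_frames():
    """Constructed capture: a legitimate Cisco AP, a Linksys-style rogue, an ad-hoc peer."""
    return [
        build_beacon(bytes.fromhex("004096aabbcc"), "corp-wlan", 6),
        build_beacon(bytes.fromhex("000c41123456"), "linksys", 11, privacy=False),
        build_beacon(bytes.fromhex("020011223344"), "", 1, ess=False, privacy=False),
    ]


if __name__ == "__main__":
    for bssid, ap in survey(sample_frames(), home_channel=6).items():
        print(bssid, repr(ap["ssid"]), "ch", ap["channel"], ap["flags"] or "ok")
```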

Figure 10-7 shows how you can use AiroPeek’s Monitor utility to spot an odd network host (the NETGEAR system) when you have a Cisco Aironet-only network, or vice versa.

My test network for this example is small compared to what you might see, but you get the idea of how an odd system can stand out.

Don’t rely solely on this method. Hackers can spoof their MAC addresses, making them look like Cisco Aironet systems that belong on your network.

Walk around your building or campus to perform this test to see what you can find. Physically look for devices that don’t belong — a well-placed AP or WLAN client that’s turned off won’t show up in your network analysis tools. Search near the outskirts of the building or near any publicly accessible areas. Scope out boardrooms and the offices of upper-level managers for any unauthorized devices. These are places that are typically off-limits but often are used as locations for hackers to set up rogue APs.



WLANs authenticate the wireless devices, not the users. Hackers can use this to their advantage by gaining access to a wireless client via remote-access software such as telnet or SSH or by exploiting a known application or OS vulnerability. After they’re able to do that, they potentially have full access to your network.

Countermeasures

The only way to detect rogue APs and hosts on your network is to monitor your WLAN proactively, looking for indicators that wireless clients or rogue APs might exist. But if rogue APs or clients don’t show up in NetStumbler or in your client manager software, that doesn’t mean you’re off the hook. You may also need to break out the WLAN analyzer, wireless IDS, or other network management application.

You can enable MAC-address filtering controls on your AP so that wireless clients must have an authorized MAC address before being allowed to connect. The problem with this countermeasure is that hackers can easily spoof MAC addresses in UNIX by using the ifconfig command and in Windows with the SMAC utility, as I describe in Chapter 9. However, like WEP, MAC-address-based access controls are another layer of protection and better than nothing at all. If a hacker spoofs one of your MAC addresses, the only way to detect malicious behavior is to spot the same MAC address being used in two or more places on the WLAN.

You may be able to make a couple of configuration changes — depending on your AP — to keep hackers from carrying out these tests against you:

• If possible, increase your wireless beacon broadcast interval to the maximum setting, which is around 65,535 milliseconds (roughly 66 seconds). This can help hide the AP from hackers who are wardriving or walking by your building quickly.

• Disable probe responses to prevent your AP from responding to NetStumbler requests.

Figure 10-7: Using AiroPeek’s Monitor to spot a product that doesn’t belong.

Use personal firewall software such as BlackICE — my favorite — (blackice.iss.net) or ZoneAlarm (www.zonelabs.com) on all client computers to prevent unauthorized remote access to your network.

Physical-security problems

Various physical-security vulnerabilities can result in physical theft, the reconfiguration of wireless devices, and the capturing of confidential information. You should look for the following security vulnerabilities when testing your systems:

• APs mounted on the outside of a building and accessible to the public.

• Poorly mounted antennas — or the wrong types of antennas — that broadcast too strong a signal and that are accessible to the public. You can view the signal strength in NetStumbler or your wireless client manager.

These issues are often overlooked due to rushed installations, improper planning, and lack of technical knowledge, but they can come back to haunt you later.

Countermeasures

Secure APs, antennas, and other equipment in secure closets, ceilings, or other places that are difficult for a would-be intruder to access physically.

Terminate your APs outside any firewall or other network perimeter security devices — or at least in a DMZ — whenever possible. If you place the wireless equipment inside your secure network, it can negate any benefits you would get out of your perimeter security devices.

If wireless signals are propagating outside your building where they don’t belong, either

• Turn down the transmit power setting of your AP.

• Use a smaller or different antenna (semidirectional or directional) to decrease the signal.

Some basic planning helps prevent these vulnerabilities.



Vulnerable wireless workstations

Wireless workstations have tons of security vulnerabilities — from weak passwords to unpatched security holes to the storage of WEP keys locally.

One serious vulnerability is for wireless clients using the Orinoco wireless card. The Orinoco Client Manager software stores encrypted WEP keys in the Windows Registry — even for multiple networks — as shown in Figure 10-8.

You can crack the key by using the Lucent Orinoco Registry Encryption/Decryption program found at www.cqure.net/tools.jsp?id=3. Make sure that you use the -d command-line switch and put quotes around the encrypted key, as shown in Figure 10-9. This program comes in handy if you forget what your key is, but it can be used against you as well.

If hackers remotely access a workstation via the Connect Network Registry in regedit, they can obtain these keys, crack them, and be on your network in a jiffy.

Countermeasures

You can implement the following countermeasures on your workstations to keep them from being used as entry points into your WLAN.

Figure 10-8: Encrypted WEP key of a wireless card.

Figure 10-9: Cracking a WEP key with Lucent Orinoco.

• Regularly perform vulnerability assessments on your wireless workstations, as well as your other network hosts.

• Apply the latest vendor security patches and enforce strong user passwords.

• Use personal firewalls on these systems to keep malicious intruders off of those systems and out of your network.

• Install antivirus software.

• Consider installing an antispyware application such as PestPatrol.

Default configuration settings

Similar to wireless workstations, wireless APs have many known vulnerabilities. The most common ones are default SSIDs and admin passwords. The more specific ones occur only on certain hardware and software versions that are posted in vulnerability databases and vendor Web sites.

The one vulnerability that stands out above all others is that certain APs, including Linksys, D-Link, and more, are susceptible to a vulnerability that exposes any WEP key(s), MAC-address filters, and even the admin password! All that hackers have to do to exploit this is to send a broadcast packet on UDP port 27155 with a string of gstsearch.

To test for this vulnerability, you can use a program called pong. This program sends the broadcast packet automatically and returns any information it discovers. To run pong, follow these steps:

1. Download the program from www.mobileaccess.de/wlan/dl.php/pong_v1.1.zip.

2. Unzip the program to c:\wireless (or a similar directory).

3. Drop out to a DOS prompt, and enter pong.

If pong returns no answer, as shown in Figure 10-10, you’re safe. Otherwise, look out!

Figure 10-10: The results you should get from pong.



Countermeasures

You can implement some of the simplest and most effective security countermeasures for WLANs — and they’re all free:

• Make sure that you change default admin passwords, AP names, and SSIDs.

• Disable SSID broadcasting if you don’t need this feature. Figure 10-11 shows the SSID setting for a Cisco Aironet AP.

• Disable SNMP if you’re not using it.

• Apply the latest firmware patches for your APs and WLAN cards. This countermeasure helps to prevent various vulnerabilities, including the UDP broadcast exploit. If you find that it doesn’t, consider using another vendor’s wireless products.

Figure 10-11: Cisco Aironet setting to disable SSID broadcasts.



Part IV
Operating System Hacking



In this part . . .

Now that you’re past the network level, it’s time to get down to the nitty-gritty — those fun operating systems you use on a daily basis and have come to both love and hate. There’s definitely not enough room in this book to cover every operating system version or even every operating system vulnerability, but I certainly hit the important parts — especially the ones that aren’t easily fixed with patches.

This part starts out by looking at the most widely used (and picked on) operating system — Microsoft Windows. From Windows NT to Windows Server 2003, I show you some of the best ways to attack and secure these operating systems from the bad guys. This part then takes a look at Linux and its less publicized yet still major security flaws. Many of the hacks and countermeasures I cover can apply to many other flavors of UNIX as well. This part then moves on to the tried-and-true Novell NetWare operating system — perhaps the most secure in this lineup but still not vulnerability-free as many Novell die-hards like to believe. I cover the major issues along with solid countermeasures you can implement to keep your mighty Novell boxes secure and still mostly reboot-free.



Chapter 11
Windows

In This Chapter

Port scanning a Windows server

Gleaning Windows information without logging in

Exploiting common vulnerabilities when logged into Windows

Minimizing Windows security risks

The Microsoft Windows OS family (with such versions as NT, 2000, XP, and Server 2003) is the most widely used OS in the world. It’s also the most widely hacked. Is this because Microsoft doesn’t care as much about security as other OS vendors? The short answer is no. Sure, numerous security flaws were overlooked — especially in the Windows NT days — but because Microsoft products are so pervasive throughout networks, Microsoft is the easiest vendor to pick on, and often it’s Microsoft products that end up in the crosshairs of hackers. This is the same reason that you see so many vulnerability alerts on Microsoft products. The one positive about hackers is that they’re driving the requirement for better security!

Many security flaws in the headlines aren’t new. They’re variants of vulnerabilities that have been around for a long time in UNIX and Linux, such as the RPC vulnerabilities that the Blaster worm used. You’ve heard the saying “the more things change, the more they stay the same.” That applies here, too.

Most Windows attacks can be prevented if patches are properly applied. Thus, poor security management is often the real reason Windows attacks are successful, yet Microsoft takes the blame and must carry the burden.

In addition to the password attacks I cover in Chapter 7 and some of the malware attacks I cover in Chapter 14, many other attacks are possible against a Windows-based system. Tons of information can be gleaned from Windows by simply connecting to the system across a network and using tools to pull the information out. Many of these tests don’t even require you to be authenticated to the remote system. All hackers need is a Windows computer with a default configuration that’s not protected by such measures as a firewall.



When you start poking around on your network, you may be surprised athow many of your Windows-based computers have security vulnerabilities.

After you connect to a Windows system and have a valid user name and password (by either knowing it or deriving it from using the password cracking techniques in Chapter 7), you can test other aspects of Windows security.

This chapter shows you how to test for some of the most critical attacksagainst the Windows OS family and outlines countermeasures to make sureyour systems are secure.

Windows Vulnerabilities

Given the general ease of use of Windows, its enterprise-ready Active Directory service, and the feature-rich .NET development platform, many organizations have moved to the Microsoft platform for their networking needs. Many businesses — especially the small to medium-sized ones — depend solely on the Windows OS for network usage. Many large organizations run critical servers such as Web servers and database servers on the Windows platform. If security vulnerabilities aren’t addressed and managed properly, they can bring a network or an entire organization to its knees.

When Windows and other Microsoft software are attacked — especially by a widespread Internet-based worm or virus — hundreds of thousands of organizations and millions of computers are affected. Many well-known attacks against Windows can lead to

Leakage of confidential information, including files being copied and credit card numbers being stolen

Passwords being cracked and used to carry out other attacks

Systems taken completely offline by DoS attacks

Entire databases being corrupted or deleted

When insecure Windows-based systems are attacked, serious things can happen to a tremendous number of computers around the world.

Choosing Tools

Thousands of Windows hacking and testing tools are available. The key is to find a set of tools that can do what you need and that you’re comfortable using.




Many security tools — including some of the tools in this chapter — aren’tdesigned for Windows Server 2003 and newer operating systems but workwith them. However, the program documentation sometimes isn’t updated toreflect its compatibility. The most recent version of each tool in this chapteris compatible with Windows NT, 2000, and Server 2003.

The more security tools and other power user applications you install in Windows — especially programs that tie into the network drivers and TCP/IP stack — the more unstable Windows becomes. I’m talking about slow performance, blue screens of death, and general instability issues. Unfortunately, often the only fix is to reinstall Windows and all your applications. I’ve had to rebuild my system once during the writing of this book and a total of three times in the past year. Ah, the memories of those DOS and Windows 3.x days when things were much simpler!

Essential tools

Every Windows security tester needs these special tools:

Nmap (www.insecure.org) for UDP and other types of port scanning. Nmap is an excellent tool for OS fingerprinting.

Vision (www.foundstone.com) for mapping applications to TCP/UDP ports

Free Microsoft tools

You can use the following Windows programs and free security tools that Microsoft provides to test your systems for various security weaknesses.

Built-in Windows programs (Windows 9x and later versions) for NetBIOS and TCP/UDP service enumeration:

• nbtstat for gathering NetBIOS name table information

• netstat for displaying open ports on the local Windows system

• net for running various network-based commands, including viewing of shares on remote Windows systems

Microsoft Baseline Security Analyzer (www.microsoft.com/technet/security/tools/mbsahome.asp) for testing for missing patches and basic Windows security settings.


Windows Resource Kits (including some tools that are free for downloadat www.microsoft.com) for security and OS management.

You can get specific details about Resource Kit books published byMicrosoft Press at www.microsoft.com/learning.

All-in-one assessment tools

The following tools perform a wide variety of security tests including

Port scanning

OS fingerprinting

Basic password cracking

Detailed vulnerability mappings of the various security weaknesses the tools find on your Windows systems

I recommend any of these comprehensive sets of tools:

LANguard Network Security Scanner (www.gfi.com)

QualysGuard (www.qualys.com)

QualysGuard has very detailed and accurate vulnerability testing.

Nessus (www.nessus.org)

Task-specific tools

The following tools perform one or two specific tasks. These tools provide detailed security assessments of your Windows systems and insight that you may not otherwise get from all-in-one assessment tools:

SuperScan (www.foundstone.com) for TCP port scanning and ping sweeps.

A tool for enumerating Windows security settings. Given the enhanced security of Windows Server 2003, these tools can’t connect and enumerate a default install of a Windows Server 2003 system like a Windows 2000 or NT system — but you can use these tools nonetheless. It’s a good idea to test for vulnerable “non-default” configurations in case the secure default settings have been changed.

To gather such information as security policies, local user accounts, andshares, your decision may be based on your preferred interface:




• Winfo (www.ntsecurity.nu/toolbox/winfo) runs from the Windows command line.

• DumpSec (www.somarsoft.com) runs from a graphical Windows interface.

• Walksam (razor.bindview.com/tools/files/rpctools-1.0.zip) runs from the Windows command line.

If you’re scanning a network only for Windows shares, consider Legion (packetstormsecurity.nl/groups/rhino9/legionv21.zip).

Rpcdump (razor.bindview.com/tools/files/rpctools-1.0.zip) for enumerating RPC ports to search for running applications.

Network Users (www.optimumx.com/download/netusers.zip) for gathering Windows login information.

Information Gathering

When you assess Windows vulnerabilities, start by scanning your computers to see what the bad guys can see.

The hacks in this chapter are against the versions of the Windows Server OS (NT, 2000, and Server 2003) from inside a firewall. Unless I point out otherwise, all the tests in this chapter can be run against all versions of the Windows server OS. The attacks in this chapter are significant enough to warrant testing for regardless of your current setup. Your results may vary from mine depending on these factors:

OS versions

Security measures, such as patch levels and access controls (such asfirewall policies and local Windows security policies)

System scanning

A few straightforward processes can identify weaknesses. Other steps can minimize your vulnerability.

Testing

Start gathering information about your Windows systems by running an initial port scan:


1. Run basic scans to find which ports are open on each Windows system:

• Scan for TCP ports with a port scanning tool, such as SuperScan or Nmap.

• Scan for UDP ports with a port scanning tool, such as Nmap.

2. Perform OS enumeration (such as scanning for shares and specific OS versions) by using an all-in-one assessment tool, such as LANguard Network Security Scanner.

3. Scan your Windows systems for open ports that could point to potential security vulnerabilities.

The tool you use depends on whether you need a basic summary of vulnerable ports or a comprehensive system report:

• If you need a basic summary of open ports, scan your Windows systems with SuperScan.

The SuperScan results in Figure 11-1 show several potentially vulnerable ports open on a Windows Server 2003 system, including those for SMTP (port 25), a Web server (port 80), RPC (port 135), and the ever popular — and easily hacked — NetBIOS (ports 139 and 445).

• If you need a comprehensive system report, scan your Windows systems with LANguard Network Security Scanner.

In Figure 11-2, LANguard shows the server version (identified as Windows XP initially and then later as Windows 2003), the system’s current date and time setting and system uptime, and the server’s domain (PL).

Figure 11-1: Scanning a Windows Server 2003 system with SuperScan.



4. You can run Nmap with the -O option to confirm the OS characteristics — the version information referred to as the OS fingerprint — that you found with your scanning tool, as shown in Figure 11-3.

A hacker can use this information to determine potential vulnerabilitiesfor your system. Make sure you’ve applied the latest patches and systemhardening best practices.

In Figure 11-3, Nmap reports the OS version as Windows .NET Enterprise Server — the original name of Windows Server 2003.

Countermeasures

You can prevent a hacker from gathering certain information about your Windows systems by implementing the proper security settings on your network and on the Windows hosts themselves.

Figure 11-3: Using Nmap to determine the Windows version.

Figure 11-2: Gathering system details with LANguard Network Security Scanner.


Information

If you don’t want anyone gathering information about your Windows systems, you have two options:

Protect Windows with either of these countermeasures:

• A firewall that blocks the Windows-specific ports for RPC (port 135) and NetBIOS (ports 137–139 and 445)

• An intrusion prevention system, such as the host-based BlackICE software

Disable unnecessary services so that they don’t appear when a connection is made

Fingerprinting

You can prevent OS fingerprinting tests by either

Using a host-based intrusion prevention system

Denying all inbound traffic with a firewall — this just may not be practical for your needs

NetBIOS

You can gather Windows information by poking around with NetBIOS(Network Basic Input/Output System) functions and programs. NetBIOSallows applications to make networking calls and communicate with otherhosts within a LAN.

These Windows NetBIOS ports can be compromised if they’re not properlysecured:

UDP ports for network browsing:

•Port 137 (NetBIOS name services)

•Port 138 (NetBIOS datagram services)

TCP ports for Server Message Block (SMB):

•Port 139 (NetBIOS session services)

•Port 445 (runs SMB over TCP/IP without NetBIOS)

Windows NT doesn’t support port 445.




Hacks

The following hacks can be carried out on unprotected systems running NetBIOS.

Unauthenticated enumeration

When you’re performing your unauthenticated tests, you can gather configuration information about the local or remote systems with either

All-in-one assessment tools, such as LANguard Network Security Scanner.

The nbtstat program that’s built into Windows (nbtstat stands for NetBIOS over TCP/IP Statistics). Figure 11-4 shows information that you can gather from a Windows Server 2003 system with a simple nbtstat query.

nbtstat shows the remote computer’s NetBIOS name table, which you gather by using the nbtstat -A command. This displays the following information:

Computer name

Domain name

Computer’s MAC address

You may even be able to glean the ID of the currently logged user from a Windows NT or Windows 2000 server.

A GUI utility such as LANguard Network Security Scanner isn’t necessary togather this basic information from a Windows system. The graphical interfaceoffered by commercial software such as this just presents its findings in aprettier fashion!
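To see exactly which of those fields a single nbtstat -A query hands over, here is an added PowerShell example (my code, not the book’s) that parses the NetBIOS name table into the computer name, domain or workgroup, logged-on user and MAC address. With no host given it parses a constructed sample; with a host you administer it runs the built-in nbtstat.exe. The sample output, host name and function names are my own assumptions.

```powershell
# Added example (not from the book): turn the raw nbtstat -A name table into
# a structured object so you can see what a host exposes over UDP port 137.

# Constructed sample of nbtstat -A output (names and addresses are made up).
$SampleNbtstatOutput = @'

Local Area Connection:
Node IpAddress: [192.0.2.10] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    FILESRV01      <00>  UNIQUE      Registered
    EXAMPLEDOM     <00>  GROUP       Registered
    FILESRV01      <20>  UNIQUE      Registered
    EXAMPLEDOM     <1E>  GROUP       Registered
    FILESRV01      <03>  UNIQUE      Registered
    KBEAVER        <03>  UNIQUE      Registered

    MAC Address = 00-00-5E-00-53-01
'@

function ConvertFrom-NbtstatNameTable {
    # Parses nbtstat -A output (one string or an array of lines) into the same
    # fields a scanner such as LANguard would report for the host.
    param([Parameter(Mandatory)][string[]]$Lines)

    $result = [ordered]@{
        ComputerName   = $null
        Domain         = $null
        LoggedOnUser   = $null
        MacAddress     = $null
        FileServerOpen = $false   # a <20> UNIQUE entry means the Server service is registered
    }

    foreach ($line in ($Lines -split "`r?`n")) {
        # Name table rows look like: "    NAME   <00>  UNIQUE   Registered"
        if ($line -match '^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+Registered') {
            $name, $suffix, $kind = $Matches[1], $Matches[2].ToUpper(), $Matches[3]
            switch ("$suffix/$kind") {
                '00/UNIQUE' { if (-not $result.ComputerName) { $result.ComputerName = $name } }
                '00/GROUP'  { if (-not $result.Domain) { $result.Domain = $name } }
                '03/UNIQUE' { if ($name -ne $result.ComputerName) { $result.LoggedOnUser = $name } }
                '20/UNIQUE' { $result.FileServerOpen = $true }
            }
        }
        elseif ($line -match 'MAC Address\s*=\s*([0-9A-Fa-f-]{17})') {
            $result.MacAddress = $Matches[1]
        }
    }
    [pscustomobject]$result
}

function Get-NbtstatExposure {
    # Runs nbtstat -A against a host you are authorized to test and parses the
    # result; with no address it parses the constructed sample above instead.
    param([string]$IPAddress)

    if ($IPAddress) {
        $raw = & nbtstat.exe -A $IPAddress 2>&1   # nbtstat is built into Windows
    } else {
        $raw = $SampleNbtstatOutput
    }
    ConvertFrom-NbtstatNameTable -Lines $raw
}

# Usage: parse the constructed sample and show what a remote query reveals.
Get-NbtstatExposure | Format-List
```

On the sample above the function reports FILESRV01 as the computer name, EXAMPLEDOM as the domain, KBEAVER as the logged-on user and the MAC address; run it against one of your own servers to confirm whether the firewall and NetBIOS countermeasures later in this section have actually closed that window.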

Figure 11-4: Using nbtstat to gather critical Windows information.


Shares

Windows uses network shares to share out certain folders or drives on the system so other users can access them across the network. Shares are easy to set up and work very well. However, they’re often misconfigured, allowing hackers and other unauthorized users to access information they shouldn’t be able to get to. You can search for Windows network shares by using the Legion tool. This tool scans an entire range of IP addresses looking for Windows shares. It uses the SMB protocol (TCP port 139) to discover these shares and displays them in a nice graphical fashion sorted by IP address, as shown in Figure 11-5.

The shares displayed in Figure 11-5 are just what hackers are looking for — especially because the share names give hackers a hint at what type of files might be available if they connect to the shares. After hackers discover these shares, they’re likely to dig a little further to see if they can browse the files and more within the shares. I cover shares in more detail in the “Share Permissions” section, later in this chapter.

Countermeasures

You can implement the following security countermeasures to minimize NetBIOS attacks on your Windows systems.

Limit traffic

You can protect your Windows systems from NetBIOS attacks by using some basic network infrastructure protection systems as well as some general Windows security best practices:

Figure 11-5: Using Legion to scan your network for Windows shares.




If possible, the best way to protect Windows-based systems from NetBIOSattacks is to put them behind a firewall.

A firewall isn’t always effective. If the attack comes from inside the network, a network-perimeter-based firewall won’t help.

If a perimeter-based firewall won’t suffice, you can protect your Windows hosts by either

• Installing a personal firewall such as BlackICE. This is the simplest and most secure method of protecting a Windows system from NetBIOS attacks.

• Disabling NetBIOS on your systems.

This often requires disabling Windows file and printer sharing — which may not be practical in a network mixed with Windows 2000, NT, and even Windows 9x systems that rely on NetBIOS for file and printer sharing.

Hidden shares — those with a dollar sign ($) appended to the end of theshare name — don’t really help hide the share name. Hackers found out longago that they can easily get around this form of security by obscurity byusing the right methods and tools.
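The “limit traffic” advice above comes down to two checks on each host: which of the RPC and NetBIOS ports it is actually listening on, and whether the host firewall refuses unsolicited inbound traffic to them. The following PowerShell is an added example (mine, not the book’s or Microsoft’s) that does both with the built-in NetTCPIP and NetSecurity modules, so it assumes Windows 8 / Server 2012 or newer and an elevated session; the rule names are my own choice, and the block rules default to the Public profile so that domain file sharing keeps working.

```powershell
# Added example (not from the book): show which NetBIOS/RPC ports this host is
# listening on, confirm the host firewall is enforcing a default inbound block,
# and add explicit inbound block rules for those ports on the chosen profile.
# Requires an elevated PowerShell on Windows 8 / Server 2012 or newer.

$NetBiosTcpPorts = 135, 139, 445      # RPC endpoint mapper, NetBIOS session, SMB direct
$NetBiosUdpPorts = 137, 138           # NetBIOS name service and datagram service

function Get-NetBiosListeners {
    # Equivalent of "netstat -an", filtered to the ports this chapter warns about.
    $tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in $NetBiosTcpPorts } |
        ForEach-Object { [pscustomobject]@{ Protocol = 'TCP'; Port = $_.LocalPort; Address = $_.LocalAddress } }
    $udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in $NetBiosUdpPorts } |
        ForEach-Object { [pscustomobject]@{ Protocol = 'UDP'; Port = $_.LocalPort; Address = $_.LocalAddress } }
    (@($tcp) + @($udp)) | Sort-Object Protocol, Port -Unique
}

function Test-HostFirewallEnabled {
    # True only when every profile (Domain, Private, Public) is enabled and
    # drops unsolicited inbound traffic by default; warns about each offender.
    $profiles = Get-NetFirewallProfile
    $weak = $profiles | Where-Object { -not $_.Enabled -or $_.DefaultInboundAction -eq 'Allow' }
    foreach ($p in $weak) {
        Write-Warning ("Firewall profile {0}: Enabled={1}, DefaultInboundAction={2}" -f $p.Name, $p.Enabled, $p.DefaultInboundAction)
    }
    -not $weak
}

function Block-NetBiosInbound {
    # Creates the explicit block rules; -WhatIf previews them without changing anything.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$FirewallProfile = @('Public'))

    $rules = @(
        @{ Name = 'Block inbound NetBIOS/RPC TCP (hardening)'; Protocol = 'TCP'; Ports = $NetBiosTcpPorts },
        @{ Name = 'Block inbound NetBIOS UDP (hardening)';     Protocol = 'UDP'; Ports = $NetBiosUdpPorts }
    )
    foreach ($r in $rules) {
        if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
            Write-Verbose "Rule '$($r.Name)' already exists; skipping"
            continue
        }
        if ($PSCmdlet.ShouldProcess("$($r.Protocol) ports $($r.Ports -join ',')", 'Create inbound block rule')) {
            $params = @{
                DisplayName = $r.Name; Direction = 'Inbound'; Action = 'Block'
                Protocol = $r.Protocol; LocalPort = $r.Ports; Profile = $FirewallProfile
            }
            New-NetFirewallRule @params | Out-Null
        }
    }
}

# Usage: see what is exposed, check the firewall, then preview the rules before applying them.
Get-NetBiosListeners | Format-Table -AutoSize
if (-not (Test-HostFirewallEnabled)) { Write-Warning 'Host firewall is not fully enforcing inbound blocking.' }
Block-NetBiosInbound -FirewallProfile Public -WhatIf      # drop -WhatIf to create the rules
```

Blocking TCP 445 on the Domain profile disables file and printer sharing for that host, which is exactly the trade-off the text describes; apply the rules to the Domain or Private profile only on hosts that never need to serve files.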

Passwords

If NetBIOS network shares are necessary, make strong passwords mandatory.

With the proper tools, hackers can easily crack NetBIOS passwords across the network. NetBIOS passwords aren’t case sensitive, so they can be cracked more easily than case sensitive passwords that require both capital and small letters. Chapter 7 explains password security in detail.

RPC

Windows uses remote procedure call (RPC) and DCE internal protocols to

Communicate with applications and other OSs.

Execute code remotely over a network.

RPC in Windows uses TCP port 135.

RPC exploits can be carried out against a Windows host — perhaps the best-known being the Blaster worm that reared its ugly head after a flaw was found in the Windows RPC implementation.

Enumeration

Hackers use RPC enumeration programs to see what’s running on the host.

With that information, hackers can then penetrate the system further.

Rpcdump is my favorite tool for enumerating RPC on Windows systems. Figure 11-6 shows the abbreviated output of Rpcdump run against a Windows 2000 server. Rpcdump found the RPC listeners for MS SQL Server and even a DHCP server running on this host — and this is a hardened Windows 2000 server with all the latest patches running BlackICE intrusion prevention software!

Countermeasures

The appropriate step to prevent RPC enumeration depends on whether your system has network-based applications, such as Microsoft SQL and Microsoft Outlook:

Without network-based applications, the best countermeasure is a firewall that blocks access to RPC services (TCP port 135).

This firewall may disable network-based applications.

If you have network-based applications, one of these options can reducethe risk of RPC enumeration:

•If highly critical systems such as Web or database servers needaccess only from trusted systems, give only trusted systemsaccess to TCP port 135.

• If your critical systems must be made accessible to the public, make sure your RPC-based applications are patched and configured to run as securely as possible.

Don’t try to disable the RPC server within Windows with such “fixes” asRegistry hacks. You may end up with a Windows server or applications thatstop working on the network, forcing you to reinstall and reconfigure thesystem.

Figure 11-6: Rpcdump shows RPC-based services.



Null Sessions

A well-known vulnerability within Windows can map an anonymous connection(null session) to a hidden share called IPC$ (interprocess communication). Thisattack method can be used to

Gather Windows host configuration information, such as user IDs andshare names.

Edit parts of the remote computer’s Registry.

Hacks

Although Windows Server 2003 doesn’t allow null session connections by default, Windows 2000 Server and NT Server do — and plenty of those systems are still around to cause problems on most networks.

Windows Server 2003 and Windows XP at the desktop are much more secureout of the box than their predecessors. Keep this in mind when it comes timeto upgrade your systems.

Mapping

To map a null session, follow these steps for each Windows computer to which you want to map a null session:

1. Format the basic net command, like this:

    net use \\host_name_or_IP_address\ipc$ "" "/user:"

The net command to map null sessions requires these parameters:

• net (the built-in Windows network command) followed by the use command

• IP address of the system to which you want to map a null connection

• A blank password and username. The blanks are why it’s called a null connection.

2. Press Enter to make the connection.

Figure 11-7 shows an example of the complete command when mapping a null session. After you map the null session, you should see the message The command completed successfully.

To confirm that the sessions are mapped, enter this command at the command prompt:

    net use

As shown in Figure 11-7, you should see the mappings to the IPC$ share on each computer to which you’re connected.

Gleaning information

With a null session connection, you can use other utilities to remotely gather critical Windows information. Dozens of tools can gather this type of information.

You — like a hacker — can take the output of these enumeration programsand attempt (as an unauthorized user) to try such gleaning of information as

Cracking the passwords of the users found. (See Chapter 7 for more onpassword cracking.)

Mapping drives to the network shares.

You can use the following applications for system enumeration against serverversions of Windows prior to Server 2003.

Windows Server 2003 is much more secure than its predecessors against such system enumeration vulnerabilities as null session attacks. If the server is in its default configuration, it should be secure; however, you should perform these tests against your Windows Server 2003 systems to be sure.

net view

The net view command shows shares that the Windows host has available.

You can use the output of this program to see information that the server isadvertising to the world and what can be done with it, such as:

Figure 11-7: Mapping a null session to a Windows 2000 server.



Share information that a hacker can use to attack your systems, such asmapping drives and cracking share passwords.

Share permissions that may need to be removed, such as the permissionfor the Everyone group to at least see the share on Windows NT and2000 systems.

To run net view, enter the following at a command prompt:

    net view

Figure 11-8 shows an example.

Configuration and user information

Winfo and DumpSec can gather useful information about users and configuration, such as

Windows domain to which the system belongs

Security policy settings

Local usernames

Drive shares

Your preference may depend on whether you like graphical interfaces or a command line:

Winfo (www.ntsecurity.nu/toolbox/winfo) is a command-line tool.

Because Winfo is a command-line tool, you can create batch (script) filesthat automate the enumeration process. The following is an abbreviatedversion of Winfo’s output of a Windows NT server, but you can glean thesame information from a Windows 2000 server:

    Winfo 2.0 - copyright (c) 1999-2003, Arne Vidstrom
    - http://www.ntsecurity.nu/toolbox/winfo/

    SYSTEM INFORMATION:
    - OS version: 4.0

    PASSWORD POLICY:
    - Time between end of logon time and forced logoff: No forced logoff
    - Maximum password age: 42 days
    - Minimum password age: 0 days
    - Password history length: 0 passwords
    - Minimum password length: 0 characters

    USER ACCOUNTS:
    * Administrator
    (This account is the built-in administrator account)
    * doctorx
    * Guest
    (This account is the built-in guest account)
    * IUSR_WINNT
    * kbeaver
    * nikki

    SHARES:
    * ADMIN$
    - Type: Special share reserved for IPC or administrative share
    * IPC$
    - Type: Unknown
    * Here2Bhacked
    - Type: Disk drive
    * C$
    - Type: Special share reserved for IPC or administrative share
    * Finance
    - Type: Disk drive
    * HR
    - Type: Disk drive

This information cannot be gleaned from Windows Server 2003 by default.

Figure 11-8: net view displays drive shares on a remote Windows host.

DumpSec produces Windows configuration and user information in agraphical interface. Figure 11-9 shows the local user accounts on aremote system.

DumpSec can save reports as delimited files that can be imported intoanother application (such as a spreadsheet) when you create your finalreports. You can peruse the information for user IDs that don’t belongon your system, such as

• Ex-employee accounts

• Potential backdoor accounts that a hacker may have created

If hackers get this information, they can attempt to exploit potential weak passwords and log in as those users.
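Reading a Winfo or DumpSec dump by eye works for one server, but the text’s own suggestion of scripting the enumeration invites a scripted review too. The following PowerShell is an added example (mine, not Winfo’s or the book’s) that parses Winfo-style output into password policy, accounts and shares, then flags the same things the two bullets above tell you to look for: a policy that permits blank or recycled passwords, accounts that are not on your list of expected accounts, and disk shares advertised to anonymous callers. The input is the Winfo output reproduced above; the section-header, “- ”, and “* ” line conventions are assumptions drawn from that output, and the function names are my own.

```powershell
# Added example (not from the book): parse Winfo-style output into objects and
# flag the weak password policy, unexpected accounts and anonymous disk shares
# that a manual Winfo/DumpSec review would catch by eye.
# Format assumptions: section headers end in ':', policy and share detail lines
# start with '- ', account and share names with '* '.

# Sample input: the Winfo run of a Windows NT server shown earlier in the chapter.
$WinfoOutput = @'
SYSTEM INFORMATION:
- OS version: 4.0
PASSWORD POLICY:
- Time between end of logon time and forced logoff: No forced logoff
- Maximum password age: 42 days
- Minimum password age: 0 days
- Password history length: 0 passwords
- Minimum password length: 0 characters
USER ACCOUNTS:
* Administrator
(This account is the built-in administrator account)
* doctorx
* Guest
(This account is the built-in guest account)
* IUSR_WINNT
* kbeaver
* nikki
SHARES:
* ADMIN$
- Type: Special share reserved for IPC or administrative share
* IPC$
- Type: Unknown
* Here2Bhacked
- Type: Disk drive
* C$
- Type: Special share reserved for IPC or administrative share
* Finance
- Type: Disk drive
* HR
- Type: Disk drive
'@

function ConvertFrom-WinfoOutput {
    param([Parameter(Mandatory)][string[]]$Lines)
    $data = @{ Policy = [ordered]@{}; Accounts = @(); Shares = @() }
    $section = $null
    foreach ($line in ($Lines -split "`r?`n")) {
        if ($line -match '^([A-Z ]+):$') {
            $section = $Matches[1]                       # e.g. PASSWORD POLICY
        }
        elseif ($line -match '^\* (.+)$') {
            if ($section -eq 'USER ACCOUNTS') { $data.Accounts += $Matches[1] }
            elseif ($section -eq 'SHARES') { $data.Shares += [pscustomobject]@{ Name = $Matches[1]; Type = '' } }
        }
        elseif ($line -match '^- ([^:]+): (.+)$') {
            if ($section -eq 'PASSWORD POLICY') { $data.Policy[$Matches[1]] = $Matches[2] }
            elseif ($section -eq 'SHARES' -and $data.Shares) { $data.Shares[-1].Type = $Matches[2] }
        }
    }
    [pscustomobject]$data
}

function Find-WinfoWeaknesses {
    param(
        [Parameter(Mandatory)]$Winfo,
        [string[]]$ExpectedAccounts = @('Administrator', 'Guest')   # accounts you know belong on the host
    )
    $findings = @()
    $pol = $Winfo.Policy
    if ($pol['Minimum password length'] -match '^0 ') { $findings += 'Minimum password length is 0: blank passwords are allowed' }
    if ($pol['Password history length'] -match '^0 ') { $findings += 'Password history is 0: users can reuse old passwords' }
    if ($pol['Maximum password age'] -match 'never|^0 ') { $findings += 'Passwords never expire' }
    foreach ($acct in $Winfo.Accounts) {
        if ($acct -notin $ExpectedAccounts) { $findings += "Review account '$acct': not in the expected-accounts list" }
    }
    foreach ($share in ($Winfo.Shares | Where-Object { $_.Type -eq 'Disk drive' })) {
        $findings += "Disk share '$($share.Name)' is visible anonymously; check its permissions"
    }
    $findings
}

# Usage: parse the sample and list each finding (doctorx and the three disk shares stand out).
$parsed = ConvertFrom-WinfoOutput -Lines $WinfoOutput
Find-WinfoWeaknesses -Winfo $parsed -ExpectedAccounts Administrator, Guest, IUSR_WINNT, kbeaver, nikki
```

Feed it the saved output of a Winfo run (Get-Content file | ConvertFrom-WinfoOutput) and keep the expected-accounts list under version control; an account that appears in the dump but not in the list is precisely the ex-employee or backdoor account the text warns about.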




Walksam

Walksam gleans information about Windows users by walking the SAM database through an established null session. Figure 11-10 is an example of its output. This output is obviously similar to the DumpSec output, but the main difference here is that this attack can be scripted to somewhat automate the process.

Network Users

Network Users (www.optimumx.com/download/netusers.zip) can show who has logged into a remote Windows computer. You can see such information as

Abused account privileges

Users currently logged into the system

Figure 11-11 shows the history of local logins of a remote Windows 2000 workstation.

Figure 11-11: The Network Users tool.

Figure 11-10: User information gathered with Walksam.

Figure 11-9: DumpSec displays users on a server.

This information can help you track who’s logging into a system for auditing purposes. Unfortunately, this information can be useful for hackers when they’re trying to figure out what user IDs are available to crack. They may even determine the system’s daily use if the user IDs are descriptive, such as backup (for a backup server) or devuser (for a development server).

Countermeasures

You can easily prevent null session connection hacks by implementing one or more of the following security measures.

Secure versions

If it makes good business sense and the timing is right, upgrade to the more secure Windows Server 2003. It doesn’t have these vulnerabilities by default.

Blocking NetBIOS

It’s absolutely critical that you block NetBIOS on systems that don’t need to advertise to the world that they’re running and available to be hacked.

Block NetBIOS on your Windows server by preventing these TCP portsfrom passing through your network firewall or personal firewall:

•139 (NetBIOS sessions services)

•445 (runs SMB over TCP/IP without NetBIOS)

Windows NT doesn’t support port 445.

Although Windows Server 2003 does not have the same null session vulnerability by default as older versions of Windows server operating systems, it’s still a good idea to block NetBIOS ports on these systems.

Disable File and Print Sharing for Microsoft Networks in the Propertiestab of the machine’s network connection.

Registry

For Windows NT and 2000, you can eliminate this vulnerability by changing the Windows Registry. Depending on the Windows version, you can select one of these security settings:

None: This is the default setting.

Rely on Default Permissions (Setting 0): This setting allows the default null session connections.




Do Not Allow Enumeration of SAM Accounts and Shares (Setting 1): This is the medium security level setting. This setting still allows null sessions to be mapped to IPC$, enabling tools such as Walksam to be able to glean information from the system.

No Access without Explicit Anonymous Permissions (Setting 2): This high security setting prevents null session connections and system enumeration.

The high security setting has a few drawbacks:

• High security creates problems for domain controller communication and network browsing.

• The high security setting isn’t available in Windows NT.

Microsoft Knowledge Base Article 246261 covers the caveats of using thehigh security setting for Restrict Anonymous. It’s available on the Web atsupport.microsoft.com/default.aspx?scid=KB;en-us;246261.

Windows 2000

In Windows 2000, you don’t have to edit the Registry. You can set local security policy in the Local Policies/Security Options of the Local Security Settings. The security setting is called Additional Restrictions for Anonymous Connections. This setting is referred to as RestrictAnonymous, as shown in Figure 11-12.

Figure 11-12: Local security policy settings in Windows 2000 to prevent null sessions.

Windows NT

For Windows NT, follow these steps to change the Registry to disable null sessions:

1. Run either of the following Registry editing programs in Windows:

• regedit.exe

• regedt32.exe

2. Make a backup copy of the Registry.

• If you’re using regedit, select Registry/Export Registry File.

• If you’re using regedt32, select Registry/Save Key.

3. Browse to the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA.

4. Right-click in the right window and select New/DWORD Value.

5. Enter RestrictAnonymous as the name.

6. Double-click the RestrictAnonymous key and enter 1 as the value.

7. Exit the Registry editor (regedit or regedt32).

8. Reboot the computer.

The new setting takes effect after the system is rebooted.
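The Registry steps above are easy to get wrong on a fleet of servers, and just as easy to leave unverified. As an added example (my code, not the book’s), the PowerShell below reads the RestrictAnonymous value the steps set and rates it against the three levels described in this section, then offers to set it to 1 with a -WhatIf preview. It assumes an elevated session on an NT-family Windows (the LSA key always exists there). RestrictAnonymousSAM and EveryoneIncludesAnonymous are real LSA values on Windows XP/Server 2003 and later that the chapter does not cover; they are only reported so that the picture is complete.

```powershell
# Added example (not from the book): audit the LSA values that control null
# session access and, on request, raise RestrictAnonymous the same way the
# manual Registry steps above do. Run elevated; -WhatIf previews the change.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-NullSessionPolicy {
    # Returns the current anonymous-access settings with a plain-language rating.
    $lsa = Get-ItemProperty -Path $LsaKey
    $ra  = if ($null -ne $lsa.RestrictAnonymous) { [int]$lsa.RestrictAnonymous } else { 0 }
    $rating = switch ($ra) {
        0       { 'None/0: default permissions; null sessions can enumerate SAM accounts and shares' }
        1       { '1: null sessions still map to IPC$, but SAM and share enumeration is refused' }
        2       { '2: no access without explicit anonymous permissions (Windows 2000; not available on NT, may break domain traffic)' }
        default { "$ra: unrecognized value" }
    }
    [pscustomobject]@{
        RestrictAnonymous         = $ra
        RestrictAnonymousSAM      = $lsa.RestrictAnonymousSAM        # $null when the value is absent
        EveryoneIncludesAnonymous = $lsa.EveryoneIncludesAnonymous   # $null when the value is absent
        Rating                    = $rating
    }
}

function Set-NullSessionPolicy {
    # Sets RestrictAnonymous; defaults to 1, the value the NT steps above enter.
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateSet(0, 1, 2)][int]$Level = 1)

    if ($PSCmdlet.ShouldProcess($LsaKey, "Set RestrictAnonymous to $Level")) {
        # The Lsa key exists on every NT-family system, so no New-Item is needed;
        # -Type DWord creates the value if it is missing and overwrites it if not.
        Set-ItemProperty -Path $LsaKey -Name RestrictAnonymous -Value $Level -Type DWord
        Write-Warning 'A reboot is required before the new setting takes effect.'
    }
}

# Usage: audit first, then preview the change before making it.
Get-NullSessionPolicy | Format-List
Set-NullSessionPolicy -Level 1 -WhatIf       # remove -WhatIf to apply
```

Because the change only takes effect after a reboot, re-run Get-NullSessionPolicy after the restart and, for a true end-to-end check, repeat the null session mapping test from the “Mapping” section against the server: with level 1 in place the session still maps, but the enumeration tools should come back empty.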

Share Permissions

Windows shares — the available network drives that show up when browsing the network in Network Neighborhood or My Network Places — are often misconfigured, allowing more people to have access to them than they should. This is a security vulnerability that can be exploited by the casual browser, but the implications of a hacker gaining unauthorized access to a Windows system can result in serious consequences, including the leakage of confidential information and even the deletion of critical files.

Windows defaults

The default share permission depends on the Windows system version.

Windows 2000/NT

When creating shares in Windows NT and 2000, the group Everyone is given Full Control access in the share by default for all files to




Browse files

Read files

Write files

Anyone who maps to the IPC$ connection with a null session (as described in the preceding section “Null Sessions”) is automatically made part of the Everyone group! This means that remote hackers can automatically gain browse, read, and write access to a Windows NT or 2000 server if they establish a null session.

If share permissions are misconfigured, hackers on the Internet may gainaccess to these shares on an unprotected system and open, create, anddelete files at will!

Windows 2003 Server

In Windows 2003 Server, the Everyone group is given only Read access to shares. This is definitely an improvement over the defaults in Windows 2000 and NT, but it’s not the best setting for the utmost security. You still may have situations where you don’t even want the Everyone group to have Read access to a share.

Testing

Assessing your share permissions is a good way to get an overall view of who can access what. This testing shows how vulnerable your network shares — and confidential information — can be. You can find shares with default permissions and unnecessary access rights enabled.

The best test for share permissions that shouldn’t exist is to log in to theWindows computer and run an enumeration program so you can see who hasaccess to what.

DumpSec

DumpSec shows the share permissions on your servers in a graphical form. You simply connect to the remote computer and select Dump Permissions for Shares in the Report menu. This produces shares labeled as unprotected, similar to what’s shown in Figure 11-13.

This vulnerability exists in both Windows NT and Windows 2000 servers. Thank goodness Microsoft fixed this default weakness in Windows Server 2003!


LANguard

LANguard Network Security Scanner also shows the share permissions on your servers in a graphical fashion. Figure 11-14 shows an example.
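DumpSec and LANguard show you the unprotected shares graphically; the same test can be run locally on a server from the command line. The following PowerShell is an added example (mine, not DumpSec’s, LANguard’s or the book’s) that lists every share’s access entries with the SmbShare module and flags the ones where Everyone or another anonymous-style principal holds Change or Full Control, which is the NT/2000 default the text describes. A second function reduces Everyone to Read, the Windows Server 2003 default, with a -WhatIf preview. It assumes Windows 8 / Server 2012 or newer and the English built-in principal names; the function names are my own.

```powershell
# Added example (not from the book): audit SMB share permissions on this host
# and flag shares that give Everyone (or another anonymous-style principal)
# more than Read access. Requires the SmbShare module (Windows 8 / Server 2012+).

$BroadPrincipals = @('Everyone', 'ANONYMOUS LOGON', 'Guests')   # English built-in names

function Get-ShareExposure {
    param([switch]$IncludeAdminShares)   # ADMIN$, C$, IPC$ are skipped unless asked for

    Get-SmbShare | Where-Object { $IncludeAdminShares -or -not $_.Special } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name | ForEach-Object {
            $principal = ($_.AccountName -split '\\')[-1]   # strip DOMAIN\ or NT AUTHORITY\
            $finding = ''
            if ($_.AccessControlType -eq 'Allow' -and $principal -in $BroadPrincipals) {
                if ($_.AccessRight -eq 'Read') {
                    $finding = 'Broad read access; confirm the data is meant to be readable by everyone'
                } else {
                    $finding = "Broad $($_.AccessRight) access: anyone on the network can change or delete files"
                }
            }
            [pscustomobject]@{
                Share   = $share.Name
                Path    = $share.Path
                Account = $_.AccountName
                Access  = $_.AccessControlType   # Allow / Deny
                Right   = $_.AccessRight         # Full / Change / Read
                Finding = $finding
            }
        }
    }
}

function Get-ShareFindings {
    # Only the rows that need attention, write access first.
    Get-ShareExposure | Where-Object { $_.Finding } |
        Sort-Object @{ Expression = { if ($_.Right -eq 'Read') { 1 } else { 0 } } }, Share
}

function Set-EveryoneReadOnly {
    # Replace Everyone's Full/Change entry with Read, the Windows Server 2003 default.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ShareName)

    if ($PSCmdlet.ShouldProcess($ShareName, 'Reduce Everyone to Read')) {
        Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force | Out-Null
        Grant-SmbShareAccess  -Name $ShareName -AccountName 'Everyone' -AccessRight Read -Force | Out-Null
    }
}

# Usage: review the findings, then preview the fix for shares that are world-writable.
Get-ShareFindings | Format-Table Share, Account, Right, Finding -AutoSize
Get-ShareFindings |
    Where-Object { $_.Account -eq 'Everyone' -and $_.Right -ne 'Read' } |
    ForEach-Object { Set-EveryoneReadOnly -ShareName $_.Share -WhatIf }   # drop -WhatIf to apply
```

Share permissions are only half the picture: the NTFS permissions on the shared folder apply as well, and the more restrictive of the two wins, so a share left at Everyone/Full Control is still safe only if the underlying folder ACL is tight. Review both before deciding a finding is a false positive.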


Windows workstation securityThis chapter focuses on Windows Server OSs(NT, 2000, and Server 2003) with brief mentionsof security issues involving Windows worksta-

tion OSs (9x,Me, and XP). Windows servers areoften the most critical servers on a network, butyou shouldn’t overlook the workstations.

If you’re running Windows 95, 98, or Me as theOS for your network workstations, it may betime to upgrade. These three OSs simply aren’tmade for secure networking. Even the olderWindows NT has better security built-in. Why?

Because that’s how Microsoft designed it.

Windows 9xand Me were designed for thecasual home user — not for networking in abusiness setting. They support networking suchas domain logins and file and printer sharing,

but these security measures are easily circum-

vented. Just try pressing Esc on your keyboardthe next time you’re presented with a loginscreen on one of these OSs. The login screenwill go away, and you’ll have full rights onthesystem. Your best bet for security andhacker countermeasures is to upgrade theseold OSs — and most likely the hardware, too —

to the latest and greatest computers runningWindows XP Professional or newer.

Although Windows XP is much more secure bydefault than its older siblings, take a couplemore steps to make it as secure as possible:

Apply the latest patches as described in thesection “Windows Update” or by using anautomated patch management tool.

Run LANguard Network Security Scannerand the Microsoft Baseline Security Analyzerto identify any obvious security vulnerabili-

ties, such as weak passwords and autologon.

Enable the Internet Connection Firewall (ICF). This personal firewall provides a tremendous amount of security over the standard configuration. It blocks all unsolicited inbound traffic unless that traffic is explicitly allowed.

There are other firewall options as well, such as BlackICE or ZoneAlarm. You may be able to run both ICF and a third-party firewall at the same time, but I don't recommend it for system operation and stability purposes.

To enable ICF on a Windows XP Professional system, perform the following steps:

1. Load the Control Panel and then choose Networking and Internet Connections, then Network Connections.

2. Right-click on the network adapter on which you want to enable ICF and select Properties.

3. Click the Advanced tab and then select the Protect My Computer or Network by Limiting or Preventing Access to This Computer from the Internet check box.

Supposedly, starting with Windows XP Service Pack 2, ICF will have many more advanced features, such as firewalling being enabled by default, boot-time protection of the system, and support for various security profiles depending on how and where the user is logged in.



General Security Tests

As part of your ethical hacking, you can run the following security tests to determine other potential weaknesses in your Windows systems.

Windows Update

Windows Update is the simplest way to check for missing Windows patches, especially critical security updates. How you run Windows Update depends on your Windows version:

Figure 11-13: Unprotected shares in a Windows NT system.

Figure 11-14: Unprotected shares in a remote Windows NT server.


If you have Windows 2000, XP, or Server 2003, run Windows Update from the Start menu.

For Windows NT, browse to windowsupdate.microsoft.com. On that page, click Scan for Updates to check your system for any missing patches.

Microsoft has announced plans to stop providing updates for Windows NT. You can't assume that Windows Update will have patches for newly discovered security vulnerabilities.

Microsoft Baseline Security Analyzer (MBSA)

Microsoft Baseline Security Analyzer (MBSA) is my preferred method for checking for missing security patches. MBSA is a free utility from Microsoft.

MBSA checks Windows NT, 2000, XP, and Server 2003 systems for missing patches and also tests Windows, SQL Server, and IIS for such basic security settings as weak passwords. You can use these tests to identify security weaknesses in your systems. Figure 11-15 shows a sample of the security settings MBSA tests.

With MBSA, you can scan either

The local system you're logged into

Computers across the network, if your currently logged-in user ID exists as an Administrator equivalent on the remote system you're testing

Figure 11-15: Testing basic Windows security settings.




MBSA requires an administrator account on the local machines you're scanning and a manual connection to them.

LANguard

LANguard Network Security Scanner is my favorite feature-rich patch and Windows vulnerability scanning tool. With LANguard, you can

Test for vulnerabilities and missing patches

Deploy patches across the network to remote systems

Figure 11-16 shows the depth of information that this program can provide when scanning Windows systems for vulnerabilities and security settings. This type of information is very helpful when testing your own systems, especially if you have a large or complex network.

This information is also very helpful to hackers, especially if they have determined a local user's password. This way, they can authenticate to the system and check to see what patches and security settings are missing.

It seems like no matter how many times you manually check local security settings and test to ensure that all patches are installed, a program such as LANguard Network Security Scanner or the popular and powerful Hyena (www.systemtools.com/hyena) always seems to find security issues you may have overlooked. This is why I recommend that you include an all-in-one assessment tool, such as one of these programs, in your security toolbox.

Figure 11-16: Information on missing patches and weak security settings.





Chapter 12: Linux

In This Chapter

Examining Linux hacking tools

Port-scanning a Linux server

Gleaning Linux information without logging in

Exploiting common vulnerabilities when logged into Linux

Minimizing Linux security risks

Linux — the new darling competitor to Microsoft — is the latest flavor of UNIX that has really taken off in corporate networks. A common misconception is that Windows is the most insecure operating system (OS). However, Linux — and most of its sister variants of UNIX — is prone to the same security vulnerabilities as any other operating system.

Hackers are attacking Linux in droves because of its popularity and growing usage in today's network environment. Because some versions of Linux are free — in the sense that you don't have to pay for the base operating system — many organizations are installing Linux for their Web servers and e-mail servers in hopes of saving money. Linux has grown in popularity for other reasons, including the following:

Abundant resources available, including books, Web sites, and consultant expertise.

Perception that Linux is more secure than Windows.

Unlikeliness that Linux will get hit with as many viruses (not necessarily worms) as Windows and its applications do. This is an area where Linux excels when it comes to security, but it probably won't stay that way.

Increased buy-in from other UNIX vendors, including IBM and Sun Microsystems. Even Novell is rewriting NetWare to be based on the Linux kernel.

Growing ease of use.



In addition to the password attacks I cover in Chapter 7 and some of the malware attacks I cover in Chapter 14, many other attacks are possible against a Linux-based system. Linux can be tested remotely without being authenticated to the system. With all things being equal (that is, running the latest kernel and having the latest patches applied), it can be more difficult to glean the same amount of information from a Linux host than from a Windows or NetWare host without being logged in. After you log in to Linux with a valid username and password, you can glean a lot of information by running security tests to see how your system might stand up to a malicious internal user or hacker with a valid login.

In this chapter, I show you some critical security issues in the Linux operating system and outline some countermeasures to plug the holes so you can keep the bad guys out. A lot of this information applies to all flavors of UNIX. I demonstrate the vulnerabilities by using Red Hat Linux versions 7.3 and 8.0, running Linux kernel version 2.4.18. I use Red Hat because it's the most popular and widely used Linux distribution. It's also the Linux that I prefer.

Linux Vulnerabilities

Vulnerabilities and hacker attacks against Linux are affecting a growing number of organizations — especially e-commerce companies and ISPs that rely on Linux for many of their systems. When Linux systems are hacked, the victim organizations can experience the same side effects as if they were running Windows, including:

Leakage of confidential intellectual property and customer information

Passwords being cracked

Systems taken completely offline by DoS attacks

Corrupted or deleted databases

Choosing Tools

You can use many UNIX-based security tools to test your Linux systems. Some are much better than others. I often find that my Windows-based commercial tools do as good a job as any. My favorites are as follows:




Windows-based SuperScan (www.foundstone.com) for ping sweeps and TCP port scanning

Nmap (www.insecure.org) for OS fingerprinting and more detailed port scanning

Windows-based LANguard Network Security Scanner (www.gfi.com) for port scanning, OS enumeration, and vulnerability testing

THC-Amap (www.thc.org/releases.php) for application version mapping

Tiger (ftp.debian.org/debian/pool/main/t/tiger) for automatically assessing local-system security settings

Linux Security Auditing Tool (LSAT) (usat.sourceforge.net) for automatically assessing local-system security settings

VLAD the Scanner (razor.bindview.com/tools/vlad) to test for the SANS Top 10 Security Vulnerabilities

QualysGuard (www.qualys.com) for OS fingerprinting, port scanning, and very detailed and accurate vulnerability testing

Nessus (www.nessus.org) for OS fingerprinting, port scanning, and vulnerability testing

Thousands of other Linux hacking and testing tools are available. The key is to find a set of tools — preferably as few as possible — that can do the job that you need to do and that you feel comfortable working with.

Information Gathering

You can scan your Linux-based systems and gather information from both outside (if the system is a publicly accessible host) and inside your network. Scan from both directions so you see what the bad guys can see from both outside and inside the network.

System scanning

Linux services — called daemons — are the programs that run on a system and serve up various applications for users.


Internet services, such as the Apache Web server (httpd), telnet (telnetd), and FTP (ftpd), often give away too much information about the system, such as software versions, internal IP addresses, and usernames. This information can allow a hacker to attack a known weakness in the system.

TCP and UDP small services, such as echo, daytime, and chargen, are often enabled by default and don't need to be.

The vulnerabilities inherent in your Linux systems depend on what services are running. You can perform basic port scans to glean information about what's running.

The SuperScan results in Figure 12-1 show many potentially vulnerable services on this Linux system, including RPC, a Web server, telnet, and FTP.

In addition to SuperScan, you can run another scanner, such as Nessus or LANguard Network Security Scanner, against the system to try to glean more information, including

A vulnerable version of OpenSSH, as shown in Figure 12-2

The finger information returned by LANguard, as shown in Figure 12-3

Figure 12-1: Port-scanning a Linux server with SuperScan.




Figure 12-2: Using Nessus to discover a vulnerability with OpenSSH.

Figure 12-3: LANguard Network Security Scanner gleaning user information via finger.

LANguard even determined that the server is running the Berkeley Software Distribution (BSD) r-services and more in the Alerts section of Figure 12-3. It also displays a description of the potential vulnerability, as well as a link to the CERT Web site, which contains more information about it. Figure 12-3 also shows that LANguard thinks the remote operating system is Red Hat Linux.

This information can be handy when you come across unfamiliar open ports.

Figure 12-4 shows various r-services and other daemons that network administrators are notorious for running unnecessarily on UNIX-based operating systems. Notice that LANguard points out specific vulnerabilities associated with some of these services, along with a recommendation to use SSH as an alternative.

You can go a step further and find out the exact distribution and kernel version by running an OS fingerprint scan using Nmap, as shown in Figure 12-5.

The QualysGuard scan of a Linux server shown in Figure 12-6 outlines threats to the system in an informative graphic form that nontechie types — the ones to whom you may be showing the results — just love.

Figure 12-4: Potentially vulnerable r-services found by LANguard.

Figure 12-5: Using Nmap to determine the OS kernel version of a Linux server.




Countermeasures

Although you can't completely prevent system scanning, you can still implement the following countermeasures to keep the bad guys from gleaning too much information from your systems:

Protect the systems with either

•A firewall, such as netfilter/iptables (www.netfilter.org).

•A host-based intrusion-prevention application, such as PortSentry (sourceforge.net/projects/sentrytools), now owned by Cisco Systems (www.psionic.com), or SNARE (www.intersectalliance.com/projects/Snare).

These security systems are the best way to prevent an attacker from gathering information about your Linux systems.

Disable the services you don't need, including RPC and such daemons as HTTP, FTP, and telnet. You may very well need some of these daemons and more — just make sure you have a business need for them. This keeps the services from showing up in a port scan and, thus, gives an attacker less incentive to break into your system.

Make sure the latest software and patches are loaded; then, even if a hacker determines what you're running, the chances of exploitation are reduced.

Figure 12-6: Linux threats outlined in a QualysGuard scan.


Unneeded Services

When you know which applications are running — such as FTP, telnet, and a Web server — it's nice to know exactly which versions are running so you can look up any of their associated vulnerabilities and decide whether to just turn them off.

Searches

Several security tools can help determine vulnerabilities. These types of utilities may not be able to identify all applications down to the exact version number, but they're a very powerful way of gleaning system information.

Vulnerabilities

Be especially mindful of these known security weaknesses in a system:

FTP — especially if it's not properly configured — can provide a way for a hacker to download and access files on your system.

Telnet is vulnerable to network-anal​yzer captures of the clear-text user ID and password it uses.

Old versions of sendmail — the world's most popular e-mail server — have many security issues. Make sure sendmail is patched and hardened.

R-services such as rlogin, rdist, rexecd, rsh, and rcp are especially vulnerable to hacker attacks, as I discuss in this chapter.

Tools

The following tools can perform more in-depth information gathering beyond port scanning to enumerate your Linux systems and see what the hackers see:

Nmap can check for specific versions of the services loaded, as shown in Figure 12-7. Simply run Nmap with this command-line switch:

-sV

Amap is similar to Nmap, but it has a couple of advantages:

•Amap is much faster for these types of scans.

•Amap can detect applications that are configured to run on nonstandard ports, such as Apache running on port 6789 instead of its default 80.

The output of an Amap scan of the localhost (hence, the 127.0.0.1 address) is shown in Figure 12-8. Amap was run with the following options to enumerate some commonly hacked ports:




-1 makes the scan run faster.

-b prints the responses in ASCII characters.

-q skips reporting of closed ports.

21 probes the FTP port.

22 probes the SSH port.

23 probes the telnet port.

80 probes the HTTP port.

netstat shows the currently running services on a local machine. Enter this command:

netstat -anp

List Open Files (lsof) displays processes that are listening and files that are open on the system. To run lsof, enter this command at a Linux command prompt:

lsof -i +M

Chapter 14 covers more on usage of lsof as well.
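The netstat and lsof listings above are only useful if you read them against what the chapter says should not be there. The following script is an added example (not from the book): it reduces a saved netstat -anp listing to the listening services and flags the ports this chapter singles out (the small services, finger, FTP, telnet, the portmapper, and the BSD r-services). The capture it reads is constructed for the example, and the function names and the list of risky ports are this example's own choices.

```shell
#!/bin/sh
# Added example: turn a saved "netstat -anp" listing into an inventory of
# listening services and flag the ones this chapter calls out. Not from the
# book; the capture below is constructed, and the port list is this
# example's own choice.

# Print "proto port program" for each listening TCP socket and each bound
# UDP socket. The PID/Program column is field 7 for TCP (which has a State
# column) and field 6 for UDP (which does not).
listening_services() {
    awk '
    function prog(f) { sub(/^[0-9]+\//, "", f); return (f == "" || f == "-") ? "?" : f }
    $1 ~ /^tcp/ && $6 == "LISTEN" { n = split($4, a, ":"); print $1, a[n], prog($7) }
    $1 ~ /^udp/                   { n = split($4, a, ":"); print $1, a[n], prog($6) }
    ' "$1" | sort -u
}

# Flag the ports the chapter says should usually not be open.
flag_risky() {
    listening_services "$1" | awk '
    BEGIN {
        risky[7] = "echo"; risky[13] = "daytime"; risky[19] = "chargen"
        risky[21] = "ftp"; risky[23] = "telnet"; risky[79] = "finger"
        risky[111] = "portmap/rpc"; risky[512] = "rexec"
        risky[513] = "rlogin"; risky[514] = "rsh"
    }
    ($2 in risky) { print "RISKY " $1 "/" $2 " (" risky[$2] ") program=" $3 }'
}

# Write a constructed netstat -anp capture to a temp file and print its path.
make_sample_capture() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      512/portmap
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      646/sshd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      701/xinetd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      880/httpd
tcp        0      0 10.0.0.5:22             10.0.0.9:41022          ESTABLISHED 903/sshd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           512/portmap
udp        0      0 0.0.0.0:19              0.0.0.0:*                           701/xinetd
EOF
    echo "$f"
}

# Demo on the constructed capture. On a real host, save the live listing
# with "netstat -anp > capture.txt" (as root, so program names appear).
capture=$(make_sample_capture)
listening_services "$capture"
flag_risky "$capture"
rm -f "$capture"
```

Because xinetd owns the sockets for the services it spawns, the program column shows xinetd rather than in.telnetd; the port number is what tells you which service is really exposed, which is why the check keys on ports.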

Figure 12-7: Using Nmap to check application versions.

Figure 12-8: Using Amap to check application versions.


Countermeasures

You can and should disable the unneeded daemons on your Linux systems. This is one of the best ways to keep your Linux system secure. It's like locking the doors and windows in your house — the more you lock, the fewer places an intruder can enter.

Disabling unneeded services

The best method of disabling unneeded services depends on how the daemon is being loaded in the first place. There are several places to do this, depending on the version of Linux you're running.

If you don’t need a service running, take the safe route. Turn it off!

inetd.conf

If it makes good business sense — in other words, you don't need it — disable unneeded services by commenting out the loading of daemons you don't need.

Follow these steps:

1. Enter the following command at the command prompt:

ps -aux

The process ID (PID) for each daemon, including inetd, is listed on the screen. In Figure 12-9, the PID for the sshd (Secure Shell) daemon is 646.

2. Copy the PID for inetd from the screen onto a notepad.

3. Open /etc/inetd.conf in the Linux text editor vi by entering the following command:

vi /etc/inetd.conf

4. When you have the file loaded in vi, enable the insert (edit) mode by pressing I.

5. Move the cursor to the beginning of the line of the daemon that you want to disable, such as httpd (Web server daemon), and type # at the beginning of the line.

This comments out the line and prevents it from loading when you reboot the server or restart inetd.

6. To exit vi and save your changes, simply press Esc to exit the insert mode, type :wq, and then press Enter.

This tells vi that you want to write your changes and quit.

7. Restart inetd by entering this command with the inetd PID:

kill -HUP PID



chkconfig

If you don't have an inetd.conf file, your version of Linux is probably running xinetd (www.xinetd.org) — a more secure replacement for inetd — to listen for incoming network application requests. You can edit the /etc/xinetd.conf file, or the per-service files under /etc/xinetd.d, if this is the case. For more information on the usage of xinetd and xinetd.conf, enter man xinetd or man xinetd.conf at a Linux command prompt. If you're running Red Hat 7.0 or later, you can run the /sbin/chkconfig program to turn off the daemons you don't want to load.

For example, you can enter the following to disable the snmp daemon:

chkconfig --del snmpd

You can also enter chkconfig --list at a command prompt to see which services start in each runlevel; the xinetd-managed services appear at the end of that listing with their on/off state.

The chkconfig program can be used to disable other services, such as FTP, telnet, and Web server.
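The inetd.conf steps and the xinetd/chkconfig section above describe the same job for the two launchers. The script below is an added example (not from the book) that does both: it lists what each launcher will start, comments out an inetd.conf service and sends inetd SIGHUP as in step 7, and flips "disable = no" to "disable = yes" in an xinetd.d file as Figure 12-10 shows. The config paths are parameters, and the demo runs against constructed copies of inetd.conf and xinetd.d rather than the live /etc files; the function names are this example's own.

```shell
#!/bin/sh
# Added example: show which services inetd and xinetd will start, and turn
# one off the way the text describes. Not from the book. Paths are
# parameters so the functions run against the constructed copies below.

# Service names (first field) of the active lines in an inetd.conf.
inetd_enabled() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF { print $1 }'
}

# Comment out every active line for the named service (the text's step 5),
# then tell a running inetd to reread its configuration (step 7).
inetd_disable() {
    svc=$1; conf=$2
    sed "s/^\([[:space:]]*$svc[[:space:]]\)/#\1/" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    pid=$(pidof inetd 2>/dev/null || true)
    if [ -n "$pid" ]; then
        kill -HUP $pid || echo "could not signal inetd ($pid)" >&2
    fi
    return 0
}

# Names of the files in an xinetd.d directory that do not say "disable = yes".
xinetd_enabled() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        grep -Eqi '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$f" || basename "$f"
    done
}

# Change "disable = no" to "disable = yes" in one xinetd.d service file.
# Afterwards restart or reload xinetd (on Red Hat: service xinetd reload).
xinetd_disable() {
    sed 's/^\([[:space:]]*disable[[:space:]]*=[[:space:]]*\)no/\1yes/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed sample configs (not real /etc files); prints the directory.
make_sample() {
    d=$(mktemp -d)
    cat > "$d/inetd.conf" <<'EOF'
# inetd.conf (constructed for this example)
ftp     stream  tcp  nowait  root   /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root   /usr/sbin/tcpd  in.telnetd
#finger stream  tcp  nowait  nobody /usr/sbin/tcpd  in.fingerd
shell   stream  tcp  nowait  root   /usr/sbin/tcpd  in.rshd
EOF
    mkdir "$d/xinetd.d"
    printf 'service rexec\n{\n\tdisable = no\n\tserver  = /usr/sbin/in.rexecd\n}\n' > "$d/xinetd.d/rexec"
    printf 'service sgi_fam\n{\n\tdisable = yes\n}\n' > "$d/xinetd.d/sgi_fam"
    echo "$d"
}

# Demo: show what is on, then switch telnet (inetd) and rexec (xinetd) off.
d=$(make_sample)
echo "inetd:  $(inetd_enabled "$d/inetd.conf" | tr '\n' ' ')"
echo "xinetd: $(xinetd_enabled "$d/xinetd.d" | tr '\n' ' ')"
inetd_disable telnet "$d/inetd.conf"
xinetd_disable "$d/xinetd.d/rexec"
echo "after:  $(inetd_enabled "$d/inetd.conf" | tr '\n' ' ')/ $(xinetd_enabled "$d/xinetd.d" | tr '\n' ' ')"
rm -rf "$d"
```

Running the two "enabled" functions against the real files is a quick way to confirm that a service you commented out is really gone before you rescan with SuperScan or Nmap.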

Access control

TCP Wrappers can control access to critical services that you run, such as FTP or HTTP. This program controls access for TCP services and logs their usage, helping you control access via hostname or IP address and track malicious activities.

You can download it from www.stanford.edu/group/itss-ccs/security/unix/tcpwrappers.html.

Figure 12-9: Viewing the process IDs for running daemons using ps -aux.


.rhosts and hosts.equiv Files

Linux — and all the flavors of UNIX — are very file-based operating systems. Practically everything that's done on the system involves the manipulation of files. This is why so many attacks against Linux are at the file level.

Hacks

If hackers can capture a user ID and password by using a network analyzer, or can crash an application and gain root access via a buffer overflow, one thing they look for is what users are trusted by the local system. The /etc/hosts.equiv and .rhosts files list this information.

.rhosts

The $home/.rhosts files in Linux specify which remote users can access the Berkeley Software Distribution (BSD) r-commands (such as rsh, rcp, and rlogin) on the local system without a password. This file is in a specific user's home directory, such as /home/jsmith. A .rhosts file may look like this:

tribe scott
tribe eddie

This file allows users Scott and Eddie on the remote system tribe to log in to the local host with the same privileges as the local user. If a plus sign (+) is entered in the remote-host and user fields, any user from any host could log in to the local system. The hacker can add entries into this file by

Manually manipulating it.

Running a script that exploits an insecure Common Gateway Interface (CGI) script on a Web-server application that's running on the system.

This configuration file is a prime target for a hacker attack. On most Linux systems I've tested, these files aren't present by default. However, a user can create one in his or her home directory on the system — intentionally or accidentally — which can create a major security hole on your system.

hosts.equiv

The /etc/hosts.equiv file specifies which remote hosts (and, optionally, which users on them) are trusted to use the r-services on the local host without a password. For example, if tribe were listed in this file, all users on the tribe system would be allowed access! As with the .rhosts file, a hacker who can read this file can then spoof an IP address and hostname it trusts to gain unauthorized access to the local system. Hackers can also use the names located in the .rhosts and hosts.equiv files to look for names of other computers to attack.




Countermeasures

Use both of the following countermeasures to prevent hacker attacks against the .rhosts and hosts.equiv files in your Linux system.

Disabling commands

A good way to prevent abuse of these files is to disable the BSD r-commands altogether. This can be done by either

Commenting out the lines starting with shell, login, and exec in inetd.conf.

Editing the rexec, rlogin, and rsh files located in the /etc/xinetd.d directory. Open each file in a text editor, and change disable=no to disable=yes, as shown in Figure 12-10.

In Red Hat Linux, you can disable the BSD r-commands with the setup program:

1. Enter setup at a command prompt.

2. Select System Services from the menu.

3. Remove the asterisks next to each of the r-services.

Blocking access

A couple of countermeasures can block rogue access of the .rhosts and hosts.equiv files:

Block spoofed addresses at the firewall, as I outline in Chapter 9.

Set the permissions on these files so that only the owners can read them.

Figure 12-10: The rexec file showing the disable option.


•.rhosts: Enter this command in each user's home directory:

chmod 600 .rhosts

•hosts.equiv: Enter this command in the /etc directory:

chmod 600 hosts.equiv

You can also use Tripwire (www.tripwire.org) to monitor these files and be alerted when access or changes are made.
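The .rhosts and hosts.equiv discussion above boils down to three checks: where the trust files are, whether any of them contain the "+" wildcard, and whether they are readable by anyone but their owner. The script below is an added example (not from the book) that performs all three and applies the chmod 600 fix. The home and etc roots are parameters so the demo runs against a constructed tree rather than the real /home and /etc; the function names are this example's own, and the loops assume paths without whitespace.

```shell
#!/bin/sh
# Added example: locate the BSD trust files, flag "+" wildcard entries, and
# apply the 0600 permissions the text recommends. Not from the book. The
# home and etc roots are parameters; the demo uses a constructed tree.

# Print each .rhosts directly under a home directory, then hosts.equiv.
trust_files() {
    find "$1" -mindepth 2 -maxdepth 2 -name .rhosts -type f 2>/dev/null | sort
    [ -f "$2/hosts.equiv" ] && echo "$2/hosts.equiv"
    return 0
}

# Exit 0 if a trust file has "+" in its host or user field, meaning any
# host or any user is trusted. Comments are ignored.
has_wildcard() {
    sed 's/#.*//' "$1" | awk '$1 == "+" || $2 == "+" { w = 1 } END { exit (w ? 0 : 1) }'
}

# List the trust files that contain a wildcard; exit 1 if any were found.
find_wildcard_trust() {
    rc=0
    for f in $(trust_files "$1" "$2"); do
        has_wildcard "$f" && { echo "WILDCARD: $f"; rc=1; }
    done
    return $rc
}

# Make every trust file readable and writable by its owner only.
lock_down() {
    for f in $(trust_files "$1" "$2"); do
        chmod 600 "$f"
    done
}

# Constructed sample tree (not the real /home or /etc); prints its root.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/home/jsmith" "$d/home/eddie" "$d/etc"
    printf 'tribe scott\ntribe eddie\n' > "$d/home/jsmith/.rhosts"   # the text's example
    printf '+ +\n' > "$d/home/eddie/.rhosts"                         # any user from any host
    printf 'tribe\n' > "$d/etc/hosts.equiv"
    chmod 644 "$d/home/jsmith/.rhosts" "$d/home/eddie/.rhosts" "$d/etc/hosts.equiv"
    echo "$d"
}

# Demo: audit the sample, then lock the files down and show the result.
d=$(make_sample)
find_wildcard_trust "$d/home" "$d/etc" || echo "wildcard trust found; remove those entries"
lock_down "$d/home" "$d/etc"
ls -l "$d/home/eddie/.rhosts" "$d/etc/hosts.equiv"
rm -rf "$d"
```

On a real system you would call these with /home and /etc; a cron job that runs find_wildcard_trust and mails any output is a cheap stand-in for Tripwire if you only care about these two files.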

NFS

The Network File System (NFS) is used to mount remote file systems (similar to shares in Windows) from the local machine.

Hacks

If NFS was set up improperly or its configuration has been tampered with — namely, the /etc/exports file containing a setting that allows the world to read the entire file system — remote hackers can easily obtain remote access and do anything they want on the system. All it takes is a line such as the following in the /etc/exports file:

/ rw

This line basically says anyone can remotely mount the root partition in a read-write fashion. Of course, the following conditions must also be true:

The NFS daemon (nfsd) must be loaded, along with the portmap daemon, which maps RPC program numbers (NFS among them) to the ports they're listening on.

The firewall must allow the NFS traffic through.

The remote systems that are allowed into the server running the NFS daemon must be permitted in the /etc/hosts.allow file (on Red Hat, portmap honors TCP Wrappers' hosts.allow and hosts.deny).

This remote-mounting capability is easy to misconfigure. It's often related to a Linux administrator's not understanding what it takes to share out the NFS mounts and just resorting to the easiest way possible to get it working. After hackers can gain remote access, the system is theirs.




Countermeasures

The best defense against NFS hacking depends on whether you actually need the service running.

If you don’t need NFS, disable it altogether.

If you need NFS, implement both of the following countermeasures:

•Filter NFS traffic at the firewall — typically TCP and UDP port 111 (the portmapper) if you want to block all RPC lookups, plus port 2049, which nfsd itself listens on.

•Make sure that your /etc/exports and /etc/hosts.allow files are configured properly to keep the world outside your network.
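Checking that /etc/exports is "configured properly" means reading every export for the three things the Hacks section warns about: no host restriction, read-write access, and (a detail the text does not name) no_root_squash, which lets a remote root act as root on the exported tree. The script below is an added example (not from the book) that parses an exports file and prints findings. The file path is a parameter and the demo uses a constructed exports file; the function names are this example's own. It treats a bare "rw" or "ro" with no host, as in the text's "/ rw" line, and "*" as world exports.

```shell
#!/bin/sh
# Added example: audit an exports file for world-readable, world-writable
# and no_root_squash exports. Not from the book. The file is a parameter;
# the demo runs against a constructed copy, not the live /etc/exports.

# One line per (path, client) pair: PATH<TAB>CLIENT<TAB>OPTIONS.
# A missing client, "*", or a bare rw/ro (the text's "/ rw" form) is
# reported with CLIENT set to WORLD.
parse_exports() {
    sed 's/#.*//' "$1" | awk '
    NF == 0 { next }
    NF == 1 { print $1 "\tWORLD\t"; next }
    {
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            if (match(client, /\(.*\)$/)) {
                opts = substr(client, RSTART + 1, RLENGTH - 2)
                client = substr(client, 1, RSTART - 1)
            }
            if (client == "rw" || client == "ro") { opts = client; client = "" }
            if (client == "" || client == "*") client = "WORLD"
            print $1 "\t" client "\t" opts
        }
    }'
}

# Turn the parsed entries into findings a reader can act on.
exports_findings() {
    parse_exports "$1" | awk -F "$(printf '\t')" '
    {
        world = ($2 == "WORLD")
        rw    = ($3 ~ /(^|,)rw(,|$)/)
        nrs   = ($3 ~ /(^|,)no_root_squash(,|$)/)
        if (world && rw) print "CRITICAL " $1 " exported read-write to the world"
        else if (world)  print "WARNING  " $1 " exported to the world"
        if (nrs)         print "WARNING  " $1 " exported with no_root_squash to " $2
    }'
}

# Constructed sample exports file (not the real one); prints its path.
make_sample_exports() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# /etc/exports (constructed for this example)
/            rw
/home        *(ro)
/srv/build   10.0.0.0/24(rw,no_root_squash)
/srv/pub     10.0.0.5(ro)
EOF
    echo "$f"
}

# Demo: parse the sample, then report. On a real host pass /etc/exports.
f=$(make_sample_exports)
parse_exports "$f"
exports_findings "$f"
rm -f "$f"
```

Only the /srv/pub line survives without a finding: it names a single host, is read-only, and keeps the default root squashing. That is the shape every export should have unless there is a documented reason otherwise.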

File Permissions

In Linux, two special permission bits allow programs to run with the rights of the file's owner or group rather than those of the user who runs them:

SetUID (for user IDs)

SetGID (for group IDs)

SetUID and SetGID are required when a user runs a program that needs more access to the system than the user has. For example, when a user invokes the passwd program to change his or her password, the program is actually loaded and run with the privileges of its owner, root. This is done so that the user can run the program, and the program can update the password database, without root's having to get involved in the process manually.

Hacks

By default, nothing stops a rogue SetUID-root program from being dropped anywhere on the file system, where it looks like any other file yet runs with root privileges whenever it is executed. A hacker may do this to hide such hacking files as rootkits on the system.

Countermeasures

You can test for these rogue programs by using both manual and automated testing methods.


Manual testing

The following commands can identify SetUID and SetGID programs:

Programs that are configured for SetUID:

find / -perm -4000 -print

Programs that are configured for SetGID:

find / -perm -2000 -print

Files that are writable by anyone in the world (the 2 is the other-write permission bit, so this finds world-writable files, not merely world-readable ones):

find / -perm -2 -type f -print

Hidden files:

find / -name ".*"

You probably have hundreds of files in each of these categories, so don't be alarmed. When you discover files with these attributes set, you'll need to make sure that they are actually supposed to have those attributes by researching in your documentation, on the Internet, or even by comparing them to a known secure system or data backup.

Keep an eye on your systems to detect any new SetUID or SetGID files that suddenly appear.

Automatic testing

You can use an automated file-modification auditing program to alert you when these types of changes are made. This is what I recommend — it's a lot easier on an ongoing basis.

A change-detection application, such as Tripwire, can help you keep track of what changed and when.

A file-monitoring program, such as COPS (dan.drydog.com/cops), finds files that have changed in status (such as a new SetUID or removed SetGID).
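The manual find commands and the "keep an eye on your systems" advice above combine naturally into a baseline-and-diff check, which is what Tripwire and COPS do in a more general way. The script below is an added example (not from the book): it records the SetUID/SetGID set once and on later runs prints only what was added or removed, so a dropped SetUID-root binary stands out from the hundreds of legitimate ones. The tree root is a parameter and the demo builds a constructed directory with a few files whose permission bits are set the way a real system's would be; the function names are this example's own.

```shell
#!/bin/sh
# Added example: baseline-and-diff check for SetUID/SetGID files, built on
# the find commands the text gives. Not from the book. The tree root is a
# parameter; the demo uses a constructed directory. On a real host pass /
# and keep the baseline somewhere the attacker cannot edit (read-only media).
LC_ALL=C; export LC_ALL   # byte-order sorting so sort and comm agree

# Regular files with the SetUID (4000) or SetGID (2000) bit, sorted.
list_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Regular files writable by everyone (mode bit 0002, the other-write bit).
list_world_writable() {
    find "$1" -type f -perm -0002 2>/dev/null | sort
}

# Record the current set of privileged binaries as the baseline file.
save_baseline() {
    list_suid_sgid "$1" > "$2"
}

# Print "+path" for privileged files not in the baseline and "-path" for
# baseline entries that have gone away; exit 1 if anything changed.
# comm -3 prints baseline-only lines bare and current-only lines with a
# leading tab, which is what the awk field count keys on.
diff_baseline() {
    list_suid_sgid "$1" | comm -3 "$2" - | awk -F "$(printf '\t')" '
    NF == 2 { print "+" $2; n++; next }
            { print "-" $1; n++ }
    END     { exit (n > 0) }'
}

# Constructed sample tree (not a real system); prints its root.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/tmp"
    : > "$d/bin/passwd";  chmod 4755 "$d/bin/passwd"   # SetUID, legitimate
    : > "$d/bin/wall";    chmod 2755 "$d/bin/wall"     # SetGID, legitimate
    : > "$d/bin/ls";      chmod 755  "$d/bin/ls"
    : > "$d/tmp/scratch"; chmod 666  "$d/tmp/scratch"  # world-writable
    echo "$d"
}

# Demo: take a baseline, plant a SetUID file the way an intruder would,
# and show that only the new file is reported.
d=$(make_sample_tree)
save_baseline "$d" "$d/suid.baseline"
: > "$d/tmp/.backdoor"; chmod 4755 "$d/tmp/.backdoor"
diff_baseline "$d" "$d/suid.baseline" || echo "privileged files changed; investigate"
list_world_writable "$d"
rm -rf "$d"
```

The baseline is only as trustworthy as the system it was taken on, so take it right after a clean install or against a known-good backup, as the text suggests for checking individual files.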

Buffer Overflows

RPC and other vulnerable daemons are common targets for buffer-overflow attacks. Buffer-overflow attacks are often how the hacker can get in to modify system files, read database files, and more.




Attacks

In a buffer-overflow attack, the hacker either manually sends strings of information to the victim Linux machine or writes a script to do so. These strings contain

Instructions to the processor to basically do nothing (a run of no-op instructions, so that execution can land anywhere in that run and still slide into the payload).

Malicious code to run inside the attacked process. For example, code equivalent to exec("/bin/sh") creates a shell command prompt.

A pointer to the start of the malicious code in the memory buffer, written over the saved return address so that the function returns into the payload instead of to its caller.

If an attacked application (such as FTP or RPC) is running as root (many programs do), this can give the hacker root permissions in his remote shell.

You can run security-testing tools against your systems to test for buffer overflows, but I don't recommend it, because it can crash your system!

Countermeasures

The following countermeasures can help prevent buffer-overflow attacks:

Disable unneeded services.

Protect your Linux systems with either a firewall or host-based intrusion prevention.

Put another access-control layer, such as TCP Wrappers, in front of the services that remain, so that only approved hosts can reach the vulnerable code at all. Note that TCP Wrappers filters by hostname and IP address; it does not authenticate users with a password.

Don't rely only on access controls via an IP address or hostname. That can easily be spoofed.

Always make sure that your systems have been updated with the latest kernel and security patches.

Physical Security

Some Linux vulnerabilities involve the hacker's actually being at the system console.


Hacks

When a hacker is at the system console, anything goes, including rebooting the system (even if no one is logged in) simply by pressing Ctrl+Alt+Del. After the system is rebooted, the hacker can start it up in single-user mode, which allows the hacker to zero out the root password or possibly even read the entire /etc/passwd or /etc/shadow file.

Countermeasures

Edit your /etc/inittab file and remark out (place a # sign in front of) the line that reads ca::ctrlaltdel:/sbin/shutdown -t3 -r now, as shown in the last line of Figure 12-11. This only removes the keyboard shortcut; someone who can power-cycle the machine can still boot it into single-user mode unless the boot loader (LILO or GRUB) is configured to require a password for that.

If you believe that a hacker has recently gained access to your system either physically or by exploiting a vulnerability such as a weak password or buffer overflow, you can use the last program to view the last few logins into the system to check for strange login IDs or login times. This program peruses the /var/log/wtmp file and displays the users who logged in, most recent first. You can enter last | head to view just the first part of the output (the ten most recent logins).
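Editing /etc/inittab by hand is easy to get wrong (a # in front of the wrong line can take out a getty instead), so it is worth having a check that tells you whether an active ctrlaltdel entry is still there. The script below is an added example (not from the book) that tests for the entry, comments it out, and verifies the result. The path is a parameter and the demo edits a constructed inittab excerpt rather than the real file; the function names are this example's own. On a real host run it against /etc/inittab and then "telinit q" so init rereads the file.

```shell
#!/bin/sh
# Added example: disable the Ctrl+Alt+Del reboot in a SysV-style inittab
# by commenting out the ctrlaltdel action, then verify nothing active is
# left. Not from the book. The demo edits a constructed copy.

# Exit 0 if the file still has an active (uncommented) ctrlaltdel entry.
# inittab lines have the form id:runlevels:action:process.
ctrlaltdel_enabled() {
    grep -Eq '^[^#:]*:[^:]*:ctrlaltdel:' "$1"
}

# Comment out every active ctrlaltdel line (edit via a temp file so a
# failed sed cannot leave an empty inittab behind).
disable_ctrlaltdel() {
    sed 's/^\([^#:]*:[^:]*:ctrlaltdel:\)/#\1/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed inittab excerpt (not the real file); prints its path.
make_sample_inittab() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# inittab excerpt (constructed for this example)
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l3:3:wait:/etc/rc.d/rc 3
# Trap CTRL-ALT-DELETE
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
1:2345:respawn:/sbin/mingetty tty1
EOF
    echo "$f"
}

# Demo: check, fix, and show the resulting line.
f=$(make_sample_inittab)
if ctrlaltdel_enabled "$f"; then
    echo "Ctrl+Alt+Del reboot is enabled; disabling"
    disable_ctrlaltdel "$f"
fi
ctrlaltdel_enabled "$f" && echo "still enabled" || grep -n ctrlaltdel "$f"
rm -f "$f"
```

The pattern anchors on the third colon-separated field, so an already-commented line or a line mentioning ctrlaltdel in its process field is not touched twice.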

Figure 12-11: /etc/inittab showing the line that allows a Ctrl+Alt+Del shutdown.




General Security Tests

You can assess critical, and often-overlooked, security issues on your Linux systems, such as the following:

Misconfigurations or unauthorized entries in the /etc/passwd and /etc/shadow files

Password policies

Users equivalent to root

Suspicious automated tasks configured in cron

Signature checks on system binary files

Checks for rootkits

Network configuration, including measures to prevent packet spoofing and other DoS attacks

Permissions on system log files

You can do all these assessments manually — or, better yet, use an automated tool to do it for you! Figure 12-12 shows the initiation of the Tiger security auditing tool, and Figure 12-13 shows a portion of the audit results. Talk about some great bang for no buck with this tool!

Figure 12-12: Running the Tiger security auditing tool.


I like to run the Red Hat-focused Linux Security Auditing Tool (LSAT) in addition to Tiger. It's similar to Tiger, but it also searches for Red Hat Linux-specific security issues.

A tool you can use to test for the SANS Top 20 (www.sans.org/top20) Vulnerabilities is VLAD the Scanner by the Bindview Razor security team. A portion of its output is shown in Figure 12-14.

Patching Linux

Ongoing patching is perhaps the best thing you can do to enhance the security of your Linux systems. Regardless of the Linux distribution you use, using a tool to assist in your patching efforts makes your job a lot easier.

Figure 12-13: Partial output of the Tiger tool.

Figure 12-14: Partial output of the VLAD the Scanner tool.




Distribution updates

The update process is different on every distribution of Linux. You can use the following tools, based on your specific distribution.

Red Hat

You can use the following tools to update Red Hat Linux systems:

Red Hat Package Manager (RPM), the command-line package manager (with GUI front ends on the Red Hat desktop). It manages the files with a .rpm extension that Red Hat and other freeware and open-source developers use to package their programs.

up2date, a command-line text-based tool that is included in Red Hat.

AutoRPM (www.autorpm.org).

The open-source NRH-up2date (www.nrh-up2date.org).

Debian

You can use the Debian package tools included with the operating system to update Debian Linux systems: dpkg installs individual .deb packages, and apt-get fetches and applies updates from the package sources configured on the system (including security.debian.org).

Slackware

You can use the Slackware Package Tool (pkgtool) included with the operating system to update Slackware Linux systems.

SuSE/Novell

SuSE (now owned by Novell) includes the YaST2 Package Manager.

Multiplatform update managers

Commercial tools add nice features over the standard package managers (which I describe in this chapter), such as correlating patches with vulnerabilities and automatically deploying appropriate patches. Commercial tools that can help with Linux patch management include BigFix Patch Manager (www.bigfix.com) and SysUpdate (www.securityprofiling.com).





Chapter 13: Novell NetWare

In This Chapter

Selecting NetWare hacking tools

Port-scanning a NetWare server

Gleaning NetWare information without logging in

Exploiting common vulnerabilities when logged into NetWare

Minimizing NetWare security risks

As much as some of Novell's competitors like to say that NetWare is a thing of the past, it's still alive and kicking quite strongly. There are millions of NetWare users around the world. The organizations running NetWare and other Novell products demand a solid directory-services infrastructure and stable environment.

NetWare administrators — some of the best around — often overlook or deny that NetWare is hackable. This chapter shows you how to test for the most critical NetWare exploits and outlines countermeasures to prevent the problems.

NetWare Vulnerabilities
Novell NetWare has a reputation as one of the most secure operating systems available. This is one reason that you rarely hear of NetWare servers getting hacked or having new vulnerabilities that crop up constantly. However, NetWare has its security issues. Various NetWare vulnerabilities can be exploited — from NDS (now called eDirectory) enumeration to remote password testing to spoofing NetWare packets. Hackers can exploit many of NetWare’s vulnerabilities without even logging into the server!

NetWare servers are frequently the most vital servers within a network. They often perform the following functions:

House critical files

Store replicas of the eDirectory database for hosting, replicating, and managing such directory-service objects as user IDs, printers, organizational units, and application licenses

Host e-mail with Novell GroupWise

Host Web sites and Web applications with such programs as Apache and Tomcat

Serve as firewalls with Novell BorderManager

Starting with NetWare 7, Novell will release a version of NetWare that’s Linux-based. So, if you do a lot of work with NetWare, now’s the time to start beefing up on your Linux skills!

Choosing Tools
The following are my favorite NetWare-specific tools — they can offer up everything you need:

SuperScan (www.foundstone.com) for port scanning

LANGuard Network Security Scanner (www.gfi.com) for port scanning, OS enumeration, and vulnerability testing

NCPQuery (razor.bindview.com/tools/index.shtml) for server and eDirectory enumeration

Remote (packetstormsecurity.nl/Netware/penetration) for Remote Console password cracking

Make sure that you have the latest version of Novell’s Client32 software from download.novell.com on your test computer before running these tests.

Getting Started
Although NetWare doesn’t have many serious security vulnerabilities (relatively speaking), a few stand out. The hacks in this chapter are against a default installation of NetWare 5.1 from inside the firewall. However, these vulnerabilities and tests apply to most versions of NetWare 4.x and newer — the ones running NDS and eDirectory. I also point out a few critical NetWare 3.x vulnerabilities.

Patches on your specific systems may have fixed some of these vulnerabilities. If you don’t get the exact same results as shown in this chapter, you’re probably safe!

If you have the latest Novell-supplied patches on your systems, your systems are likely to be secure. However, the hacks in this chapter are significant, so you should test for them to make sure that your server is safe.

Older versions of NetWare such as 4.2 and 5.0 are being phased out of support. You’ll no longer receive security updates for these versions.

Server access methods
You can access a NetWare server in the following four ways — each of which affects how you can test:

Not logged in: This is a connection where you simply perform port scans or make NCP calls across the network without actually logging in.

Logged in: This connection requires you to log in with a valid bindery or eDirectory user ID and password. This is the basic method for accessing standard NetWare services.

Web access: This connection may be available if you’re running GroupWise WebAccess e-mail services, various NetWare management tools, or other basic Web-server applications.

Console access: This access method requires you to be either at the server console or using a remote-connectivity product (such as NetWare’s built-in rconsole or even a console that shipped with NetWare 3.x and earlier systems).

When you finish scanning your NetWare systems for open ports and general information gathering, you can test for common NetWare security vulnerabilities.

Port scanning
Start testing your NetWare systems by performing an initial port scan to check what hackers can see. You can perform these scans in two main ways:

If the server has a public IP address, scan from outside the firewall, if possible.

If the server doesn’t have a public IP address, you can scan internally on the network.

Hackers can be inside your network, too!

The SuperScan results in Figure 13-1 show several potentially vulnerable ports open on this NetWare server, including FTP and the commonly exploited Echo and Character Generator ports. In addition, the NetWare-specific port 524 is NCP (NetWare Core Protocol). NetWare uses this protocol for its internal communications with such hosts as clients and other servers — similar to SMB in Windows.

You may also find that GroupWise is running (TCP port 1677), as well as potentially a Web server and other Web-based remote-access ports, such as 80, 443, 2200, 8008, and 8009.

You can also perform a scan with LANguard Network Security Scanner. Using a commercial tool such as this can often provide more details about the systems you’re scanning than a basic port scanner. Figure 13-2 shows that it can determine more information about the server, such as the NetWare version and SNMP information. It also tells you what’s listening on the open ports without your having to look them up.

Figure 13-1: Using SuperScan to scan a default installation of NetWare 5.1.



NCPQuery
You can run NCPQuery with command-line options to gather information about your server and directory tree, including the server information shown in Figure 13-3.

This is a lot of information for a hacker to see without being logged in!

Figure 13-2: Gathering details with LANguard Network Security Scanner.

Figure 13-3: Server and eDirectory information gleaned with NCPQuery.

Countermeasures
The following countermeasures can prevent the malicious enumeration of your NetWare systems:

Installing the latest patches can eliminate many NetWare server vulnerabilities.

If your NetWare version has been or will be phased out by Novell — meaning that it no longer provides security patches — you should seriously consider upgrading to the latest version.

You can reduce what a port scan reveals with two steps:

1. Unload any unneeded services, which in turn closes any associated ports.

2. Place the server behind a firewall to help block outsider attacks.

Blocking NCP port 524 at the firewall is the only way to disable an NCPQuery type of attack from outside. This may not help much for insider attacks. Internal network communications require the NCP port 524 to be available.

Use strong passwords for all user IDs in case a hacker discovers an ID and attempts to log in.

Authentication
If a hacker can gather information such as the server, eDirectory, and user ID information, he may be able to exploit a known vulnerability or even try to log in by using the user IDs that he discovered. When he’s in, all bets are off, and anything goes. He could

Log into your network as a regular user.

Log into your network as admin.

Obtain physical access to the server console.

It’s wise to assume that a hacker could log in as a user or administrator on your NetWare system and test for the worst-case scenario.


Rconsole
One of the most serious NetWare security vulnerabilities is the NetWare Remote Console program (referred to as rconsole). Rconsole is an SPX protocol–based remote-control program similar to telnet and Windows Terminal Services. It gives users full access to the NetWare console if they know the password. rconsole consists of the following:

The remote.nlm and rspx.nlm files on the server

The rconsole.exe client program in the sys:\public directory

For rconsole to work, you must load the rspx NLM with one of these methods:

• Enter load rspx at the console.

• Place it in your autoexec.ncf or ldremote.ncf file just below your load remote line.

Attacks
Rconsole is vulnerable because its passwords can be easily obtained. The passwords are stored in either clear text or an easily crackable hash format on the server in the sys:\system\autoexec.ncf file or sys:\system\ldremote.ncf files.

Even if you encrypt your rconsole passwords, cracking them is simple. The following steps demonstrate how vulnerable the rconsole password really is:

1. Enter load remote to load the remote NetWare Loadable Module (NLM) on the server.

2. Enter the password you want to use when prompted.

3. Enter remote encrypt and enter your rconsole password again when prompted.

The server generates the encrypted password and displays the entire command you need to run on the screen, including the hashed password. It looks similar to the response in Figure 13-4.

The server may also enter the command into the ldremote.ncf file, but it sometimes fails. For simplicity, just enter the load remote -E password command manually into your autoexec.ncf file. Don’t write this password down somewhere that’s easily accessible to others.

Now it’s time to try cracking the encrypted rconsole password. For this, I use the remote cracking program — not to be confused with the remote NLM that’s part of rconsole.

Simply run the remote.exe cracking program against the rconsole password hash that’s displayed on the screen (or stored in the server’s autoexec.ncf or ldremote.ncf file). Enter a line like the following at a command prompt:

remote password_hash

The result is the rconsole password.

You can try the preceding steps against mypassword. Figure 13-4 shows the hash:

287502221D2EBB4BCDD44BDC68

Anyone using the following three items can even capture the encrypted rconsole password traveling across the wire and decrypt it:

Network analyzer

Rcon program (packetstormsecurity.nl/Netware/penetration/rcon.zip)

The steps outlined in the rconfaq.txt file at packetstormsecurity.nl/Netware/audit/rconfaq.zip

Figure 13-4: Encrypting your rconsole password.


The remote NLM stores its password in server memory. Anyone with console access can go into the NetWare debugger by pressing Shift+Alt+Shift+Esc (yes, you use both Shift keys) on the server keyboard and view it in clear text. The process is explained at packetstormsecurity.nl/Netware/audit/rconfaq.zip.

Countermeasures
The following can prevent attacks against NetWare servers running rconsole:

Don’t use rconsole — at least, don’t use it on critical NetWare servers. (Does anyone have a server that isn’t critical?)

If you must use rconsole, secure it with one of the following steps for your version of NetWare:

• In NetWare 4.x or earlier, lock your server by using the monitor NLM.

• With NetWare 5 and newer, load the scrsaver NLM. It displays the fancy text-based NetWare snake and requires a valid NetWare account to unlock.

Consider using one of these remote NetWare management programs instead of rconsole:

• Rconj is a Java-based version of rconsole that works over TCP. It comes with NetWare 5.x and later but has limited functionality.

Be sure to patch Rconj if you run it on NetWare 6. Rconj has a known authentication vulnerability when running on NetWare 6 that allows a hacker to gain access without a password.

• AdRem Software (www.adremsoft.com) offers a couple of great rconsole replacements that I highly recommend you check out.

• AdRem Free Remote Console runs on NetWare 4.x SP9 and later servers. As the name implies, it’s free!

AdRem Free Remote Console doesn’t encrypt remote-console communications, but it does require a valid NetWare login with a user ID that has console operator privilege (such as admin or equivalent). This adds a level of security that plain old rconsole just can’t offer.

• AdRem sfConsole is a commercial product with a ton of features, including encrypted communications and a Web-based interface.

Server-console access
Physical access to the server console is a hacker’s pot of gold. After hackers obtain this access, they can do practically anything they want to with the server. This includes accessing the NetWare debugger to retrieve passwords and potentially other confidential information stored in memory — not to mention crash the server and more.

The following countermeasures help ensure that NetWare console access is minimized to only those who are authorized:

Physical security is a must. Chapter 6 explains how to secure server rooms.

Lock the server screen. You can keep the server console secure by either selecting the Lock Server Console option in the monitor NLM or loading the scrsaver NLM.

Intruder detection
Intruder detection is one of the most critical security features built into NetWare. It locks a user account for a specific period of time after a certain number of failed login attempts.

Make sure that intruder detection is enabled on your system. It’s disabled by default.

Testing
Default settings for intruder detection — after it’s enabled — in NetWare 5.1 are shown in Figure 13-5. Chapter 7 details intruder detection.

Try logging in with invalid passwords for several test users — preferably, users from different organizational units (OUs) within eDirectory — to see whether intruder detection is working. Make sure that you type bad passwords; blank ones don’t seem to work well for this test. Here’s how you know whether intruder detection is working:

If intruder detection is on, you should get a response similar to Figure 13-6.

If intruder detection is off, you get prompted over and over again for a password.

This is how hackers test whether intruder detection is enabled on your NetWare server.

Countermeasures
You can implement the following countermeasures to ensure that unauthorized logins are minimized and intruder detection is not abused:

Enable intruder detection as high in the directory tree as possible — preferably, at the uppermost organization level. This is one of the best hacking countermeasures you can implement in a NetWare environment.

Look for evidence that the console NLM was unloaded by searching for entries in the sys:\etc\console.log file.

Consider logging all events to a remote syslog server to help prevent a hacker from tampering with evidence.
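The lockout behaviour this section describes (count bad logins inside a reset window, lock the account for a fixed time once the threshold is reached) modelled as an added example. This is my own code, not Novell's: the threshold, reset interval and lock time are assumed values for the demonstration, not the NetWare 5.1 defaults in Figure 13-5, and the user table is a constructed sample. The probe function repeats the chapter's test with non-blank wrong passwords and reports whether a lockout ever appeared.

```python
"""Model of NetWare-style intruder detection: an account is locked for a
fixed period after too many bad logins inside a reset window.
Added example, not Novell's code. The policy numbers are assumptions
chosen for the demonstration, not the NetWare 5.1 defaults."""
from dataclasses import dataclass


@dataclass
class IntruderPolicy:
    enabled: bool = True           # NetWare ships with intruder detection disabled
    max_bad_logins: int = 7        # assumed: bad logins tolerated inside the window
    reset_interval: int = 30 * 60  # assumed: seconds before the bad-login count resets
    lock_time: int = 15 * 60       # assumed: seconds the account stays locked


@dataclass
class AccountState:
    bad_logins: int = 0
    window_start: float = 0.0
    locked_until: float = 0.0


class IntruderDetector:
    """Authenticates against a constructed user table and applies the policy."""

    def __init__(self, policy: IntruderPolicy, passwords: dict):
        self.policy = policy
        self.passwords = passwords   # constructed sample table, not real credentials
        self.state = {}

    def login(self, user: str, password: str, now: float) -> str:
        st = self.state.setdefault(user, AccountState())
        if self.policy.enabled and now < st.locked_until:
            return "LOCKED"          # the kind of Client32 message shown in Figure 13-6
        # Start a fresh counting window once the reset interval has elapsed.
        if st.bad_logins and now - st.window_start >= self.policy.reset_interval:
            st.bad_logins = 0
        if self.passwords.get(user) == password:
            st.bad_logins = 0
            return "OK"
        if st.bad_logins == 0:
            st.window_start = now
        st.bad_logins += 1
        if self.policy.enabled and st.bad_logins >= self.policy.max_bad_logins:
            st.locked_until = now + self.policy.lock_time
            st.bad_logins = 0
            return "LOCKED"
        return "BAD_PASSWORD"


def probe_intruder_detection(detector: IntruderDetector, user: str,
                             attempts: int = 10, start: float = 0.0) -> dict:
    """Repeats the chapter's test: send non-blank wrong passwords, one per
    second, and report whether a lockout ever appears and after how many."""
    for i in range(1, attempts + 1):
        if detector.login(user, f"wrongpass{i}", start + i) == "LOCKED":
            return {"enabled": True, "locked_after": i}
    # With detection off you are simply prompted again, over and over.
    return {"enabled": False, "locked_after": None}


def build_demo(enabled: bool) -> IntruderDetector:
    """Constructed demo server with a single test user."""
    return IntruderDetector(IntruderPolicy(enabled=enabled), {"jsmith": "S3cret!pass"})


if __name__ == "__main__":
    print(probe_intruder_detection(build_demo(True), "jsmith"))
    print(probe_intruder_detection(build_demo(False), "jsmith"))
```

Running it against the enabled policy reports a lock after the seventh bad attempt; with the policy disabled every attempt simply returns "BAD_PASSWORD", which is exactly the "prompted over and over" symptom the chapter tells you to look for.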

Figure 13-5: Intruder-detection settings in NetWare 5.1.

Figure 13-6: A Novell Client32 message.

Rogue NLMs
If a hacker gains console access to your server, a legitimate yet potentially dangerous NLM can be loaded, which can do bad things to the system.

Testing
The following tests look for rogue NLMs running on your server.

Modules command
You can use the modules command at the server console prompt to view loaded modules. As shown in Figure 13-7, you simply enter the command modules at the server-console screen, and it displays a listing of NLMs that are loaded — from first to last in order of loading.

Look for these NLMs in the modules output. If neither you nor another administrator has loaded the following NLMs, you have a problem:

Password reset tools:

• setpwd: This third-party NLM can reset any user’s password on the server — including admin! It’s located at ftp.cerias.purdue.edu/pub/tools/novell/setpwd.zip.

• setspwd: This program resets the supervisor/admin password for NetWare 3.x and 4.x.

• setspass: This program resets the supervisor password for NetWare 3.x systems.

dsrepair: This built-in NLM can corrupt or destroy eDirectory. It’s actually intended to repair and maintain the eDirectory database.

netbasic: This built-in NLM can copy eDirectory files from the hidden sys:\_netware directory. It accesses a DOS-like prompt on the server.

Check whether the nwconfig NLM is loaded. This built-in NLM is often used for day-to-day server maintenance, such as installing patches and editing system files. However, a hacker can load it and back up or restore the eDirectory database so that its files can be copied for malicious purposes.

You can look to see if the NLM is loaded by either

Looking at the modules output

Pressing Ctrl+Esc to view all loaded applications

Pressing Alt+Esc to toggle through all loaded applications

Many NLMs can load on a NetWare server — especially in the more recent versions. If you have a question about what an NLM does or want to see whether it’s valid, you can search on the filename at www.google.com or at support.novell.com to get more information.

A port scan of the server from another computer can find rogue applications as well.

Figure 13-7: Viewing loaded applications on a NetWare server.

Tcpcon
The tcpcon NLM shows ports that are listening and connected. Follow these steps to use it:

1. Enter load tcpcon at the server prompt.

2. Select Protocol Information from the main menu.

3. Select TCP and then TCP Connections to view the TCP ports that are open.

4. Select UDP and then UDP Listeners to view the UDP ports that are open.

Figure 13-8 shows the TCP ports that are open and listening on this server, including chargen, FTP, and NCP.

If something doesn’t look right, it may not be, so investigate the port number further. My favorite port number reference is at www.iana.org/assignments/port-numbers, but a simple Google search usually is productive.


Figure 13-8: Using tcpcon to show open TCP ports on a NetWare server.

Admin utilities
If hackers can successfully log in to a NetWare server or eDirectory, they can use, in malicious ways, some of the great — and free — NetWare admin utilities from JRB Software (www.jrbsoftware.com). For example, hackers can

Run the downsrvr program to reboot a NetWare server — most likely at the worst possible time.

Use the serv_cmd program to disable logins, remotely load NLMs, and add bindery contexts to the system.

Countermeasures
The following countermeasures can minimize the chances that malicious NLMs will be running on your servers.

Documentation
The best way to keep track of loaded NLMs is to document, document, and document your server. It’s critical to know what’s supposed to be loaded on your server at all times.

For each loaded NLM, you need to know its name, version, and date.

Keeping up-to-date records can get tedious, especially with a large number of servers. Consider purchasing a commercial product — NetServerMon or AdRem Server Manager — to help you manage this task.

Save and print recent versions of your startup.ncf and autoexec.ncf files.

Document — at least, at a high level — your eDirectory structure. You can either

• Take a screen capture of eDirectory as it looks in NetWare Administrator or ConsoleOne.

• Run cx /t /a /r, and save the output of the program to a text file by entering the following at a command prompt:

cx /t /a /r > filename.txt

Update your documentation after any system changes are made or any new patches are applied.
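The rogue-NLM test and the documentation countermeasure above fit together: once you have recorded the name, version and date of every NLM that belongs on a server, a saved modules listing can be diffed against that record. The following is an added example of that comparison, my own code rather than anything from Novell or JRB Software. The baseline table and the console listing are constructed sample data, and the one-module-per-line layout (name, Version, date) is an assumed simplification of what the modules command prints; adjust the regular expression to the real output of your version.

```python
"""Diff a saved `modules` listing against the documented NLM baseline.
Added example, not a Novell or JRB tool. Baseline, listing and line layout
are constructed/assumed for the demonstration."""
import re

# Constructed: what the server documentation says should be loaded.
# Hypothetical version/date records, not real Novell release data.
BASELINE = {
    "SERVER.NLM":  ("5.01", "January 18, 2001"),
    "RSPX.NLM":    ("5.01", "January 18, 2001"),
    "REMOTE.NLM":  ("5.01", "January 18, 2001"),
    "TCPIP.NLM":   ("5.01", "January 18, 2001"),
    "MONITOR.NLM": ("5.01", "January 18, 2001"),
}

# NLMs the chapter names as dangerous when nobody you know loaded them.
WATCHLIST = {
    "SETPWD.NLM":   "third-party password reset; can reset any user, including admin",
    "SETSPWD.NLM":  "resets supervisor/admin password (NetWare 3.x and 4.x)",
    "SETSPASS.NLM": "resets supervisor password (NetWare 3.x)",
    "DSREPAIR.NLM": "built-in; can corrupt or destroy eDirectory",
    "NETBASIC.NLM": "built-in; can copy eDirectory files from sys:\\_netware",
    "NWCONFIG.NLM": "built-in; can back up or restore the eDirectory database",
}

# Constructed listing in the assumed layout: one module per line.
SAMPLE_MODULES_OUTPUT = """\
SERVER.NLM     Version 5.01   January 18, 2001
RSPX.NLM       Version 5.01   January 18, 2001
REMOTE.NLM     Version 5.02   March 3, 2003
TCPIP.NLM      Version 5.01   January 18, 2001
NWCONFIG.NLM   Version 5.01   January 18, 2001
SETPWD.NLM     Version 1.00   June 7, 1999
"""

MODULE_LINE = re.compile(
    r"^(?P<name>\S+\.NLM)\s+Version\s+(?P<ver>\S+)\s+(?P<date>.+?)\s*$", re.I)


def parse_modules_output(text: str) -> dict:
    """Returns {NAME.NLM: (version, date)} in order of loading."""
    loaded = {}
    for line in text.splitlines():
        m = MODULE_LINE.match(line.strip())
        if m:
            loaded[m["name"].upper()] = (m["ver"], m["date"])
    return loaded


def audit_modules(text: str, baseline=BASELINE, watchlist=WATCHLIST) -> dict:
    """Flags loaded NLMs that are undocumented, on the watchlist, or whose
    version/date differ from the record, plus documented NLMs not loaded."""
    loaded = parse_modules_output(text)
    report = {"unexpected": [], "watchlist": [], "changed": [], "missing": []}
    for name, (ver, date) in loaded.items():
        if name in watchlist:
            report["watchlist"].append((name, watchlist[name]))
        if name not in baseline:
            report["unexpected"].append(name)
        elif baseline[name] != (ver, date):
            report["changed"].append((name, baseline[name], (ver, date)))
    for name in baseline:
        if name not in loaded:
            report["missing"].append(name)
    return report


if __name__ == "__main__":
    for key, items in audit_modules(SAMPLE_MODULES_OUTPUT).items():
        print(f"{key}: {items}")
```

On the constructed listing the report shows two undocumented modules that are both on the watchlist (nwconfig and setpwd), a remote.nlm whose version and date no longer match the record, and a documented monitor.nlm that is not loaded. Any of those is a reason to investigate before assuming the server is clean.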

Unauthorized logins
To prevent rogue NLMs or remote applications from being loaded or run from a workstation, apply these security measures to your NetWare systems:

Make strong passwords on every NetWare account. I outline minimum password requirements in Chapter 7.

Secure the server console.

Enable intruder detection.

Neutralize dangerous NLMs, such as netbasic. You can either rename them or remove them.

If you remove dangerous NLMs, make a backup of the files first. You may need them in the future.

Clear-text packets
Most internal LAN traffic — regardless of the operating system in use — travels across the wire in clear text. The clear text can be captured and used against you.

Packet capture
Clear-text packets can be captured with either

A network analyzer

Components of the Pandora NetWare hacking suite (www.nmrc.org/project/pandora)

Pandora can spoof NCP packets, which can give a hacker admin equivalency on the network after he logs in via a standard user account that he previously compromised. A hacker could log in as a normal user with a weak or blank password and then use Pandora to manipulate NetWare traffic and get admin rights on the network.

Countermeasures
You can easily set up NCP packet signing within a NetWare environment. This encrypts and provides proof that a packet actually originated from the sending host. NCP packet signing has four levels, but the level for the utmost security is level 3, which requires packet signatures.

This can slow network traffic and place a larger processing burden on your server. Level-3 packet signing can decrease network performance on busy NetWare servers — sometimes, by more than 50 percent.

The following steps explain how to enable level-3 packet signing:

Enable level-3 packet signing on the server and at the top of the autoexec.ncf file with the following command:

set ncp packet signature option=3

Enable level-3 packet signing on NetWare clients with these steps:

1. Right-click your red Novell icon in your Windows system tray.

2. Select Novell Client Properties and Advanced Settings.

3. Set the Signature Level to 3 (Required).

In NetWare 3.x and earlier, passwords are sent in clear text across the network. For these versions, you can enter the following command on your server and in the autoexec.ncf file to help prevent passwords from being captured with a network analyzer:

set allow unencrypted passwords=off

General Best Practices for Minimizing NetWare Security Risks
Although you can’t completely defend NetWare servers against attacks, you can come close, which is more than you can say for other leading operating systems. These NetWare hacking countermeasures can help improve security on your NetWare server above and beyond what I’ve already recommended.


Rename admin
Rename the admin account. Figure 13-9 shows how this can be done in the Novell ConsoleOne utility.

Be careful. Other applications, such as the server backup software, may depend on this ID.

If you rename admin, be sure to edit any backup jobs or startup scripts that depend on the admin account. It’s actually best to not use the admin account for these purposes anyway, so this may be a good time to make a change by creating an admin equivalent for each application that’s dependent on an admin ID. This can help make your system more secure by reducing the number of places that the admin account is exposed and vulnerable to cracking on the network.

Figure 13-9: Renaming the NetWare admin account with ConsoleOne.

Disable eDirectory browsing
A good way to ward off attacks is to disable Public’s right to browse the directory tree in either NetWare Administrator for NetWare 4.x or Novell ConsoleOne for NetWare 5.x and later. This right is enabled by default to enable users to browse the eDirectory tree easily.

Disabling the Public Browse right or any other eDirectory or file rights can cause problems, such as locking users (including you) out of the network, disabling login scripts, and disabling printing. The potential risk depends on how you configure eDirectory. If you remove Public’s Browse right, you can usually grant specific object rights lower in the tree where they’re needed to keep everything working. Make sure that you test these types of critical changes before applying them to your production environment.

NetWare Administrator
Follow these steps to disable the Public browse right to eDirectory with NetWare Administrator (sys:\public\win32\nwadmn32.exe):

1. Right-click the Root object in your directory tree.

2. Select Trustees of this Object.

3. Select the [Public] trustee, as shown in Figure 13-10.

4. Uncheck the Browse object right.

Figure 13-10: The default Browse right for [Public], shown in NetWare Administrator.

Novell ConsoleOne
Follow these steps to disable the Public browse right to eDirectory with Novell ConsoleOne (sys:\public\mgmt\ConsoleOne\1.2\bin\ConsoleOne.exe):

1. Right-click your tree object.

2. Select Trustees of this Object.

3. Select the [Public] trustee and then click Assigned Rights.

4. Uncheck the Browse right, as shown in Figure 13-11.

Removing bindery contexts
Remove any bindery contexts loaded on your server. Bindery contexts are in place in NetWare 4.x and later to provide backward compatibility with older clients that need to access the servers as though they’re NetWare 3.x or earlier servers. This is typically due to either older applications or NetWare clients (such as netx and VLMs) that make bindery calls instead of eDirectory calls.

Removing bindery contexts can help prevent hacker attacks against bindery weaknesses. To disable the bindery context on your server, simply remark out the set Bindery Context line in your server’s autoexec.ncf file.

If you remove your bindery contexts, make sure that no clients or applications depend on NetWare bindery emulation.

Figure 13-11: The default Browse right for [Public], shown in ConsoleOne.

System auditing
Turn on system auditing by running the auditcon program at a command prompt. This can help you track down a future intruder by auditing files, volumes, and even the directory tree. It’s just good security practice as well. You can get specific instructions on using auditcon for system auditing purposes in the Novell Technical Information Document "How to setup Auditing on your Network" at support.novell.com/cgi-bin/search/searchtid.cgi?/10068513.htm.

TCP/IP parameters
In NetWare 5.x and above, based on your specific version, you can prevent several types of DoS attacks by entering the following TCP/IP parameters at the server console:

set discard oversized ping packets=on
set discard oversized UDP packets=on
set filter subnet broadcast packets=on
set filter packets with IP header options=on
set ipx netbios replication option=0
set tcp defend land attacks=on
set tcp defend syn attacks=on

You can enter the preceding commands into the server’s autoexec.ncf file so that they load each time the server starts.

Patching
Patch, patch, and patch again! Novell lists the latest patches for the NetWare versions it supports on its Web site:

support.novell.com/produpdate/patchlist.html#nw
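Several of this chapter's countermeasures end up as lines in autoexec.ncf: the rconsole discussion (a load remote line with a clear-text or -E hashed password), the level-3 packet signing and allow unencrypted passwords settings, the remarked-out set Bindery Context line, and the TCP/IP parameters just listed. The following added example (my own code, not Novell's) audits a saved copy of that file for all of them at once. Both sample files are constructed, and treating a leading # or ; as a comment marker is an assumption about NCF syntax; the load remote line in the weak sample uses the chapter's own mypassword.

```python
"""Audit a saved autoexec.ncf for the hardening settings this chapter
recommends. Added example, not Novell code. Sample files are constructed;
the comment-marker convention is an assumption about NCF files."""
import re

# `set` parameters the chapter tells you to keep in autoexec.ncf, with the value required.
REQUIRED_SETTINGS = {
    "ncp packet signature option": "3",
    "discard oversized ping packets": "on",
    "discard oversized udp packets": "on",
    "filter subnet broadcast packets": "on",
    "filter packets with ip header options": "on",
    "ipx netbios replication option": "0",
    "tcp defend land attacks": "on",
    "tcp defend syn attacks": "on",
}

SET_LINE = re.compile(r"^set\s+(?P<param>.+?)\s*=\s*(?P<value>\S+)\s*$", re.I)
COMMENT = re.compile(r"^(#|;)")   # assumed NCF comment markers ("remarked out")

WEAK_AUTOEXEC = """\
# constructed sample, not taken from a real server
set Bindery Context = O=ACME
load remote mypassword
load rspx
set ncp packet signature option=1
load tcpip
"""

HARDENED_AUTOEXEC = """\
# constructed sample, not taken from a real server
set ncp packet signature option=3
set allow unencrypted passwords=off
set discard oversized ping packets=on
set discard oversized UDP packets=on
set filter subnet broadcast packets=on
set filter packets with IP header options=on
set ipx netbios replication option=0
set tcp defend land attacks=on
set tcp defend syn attacks=on
# set Bindery Context = O=ACME
load tcpip
load scrsaver
"""


def parse_ncf(text: str):
    """Returns (settings, loads): active `set` parameters (lower-cased) and
    the argument lists of `load` commands, skipping remarked-out lines."""
    settings, loads = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or COMMENT.match(line):
            continue
        m = SET_LINE.match(line)
        if m:
            settings[m["param"].lower()] = m["value"].lower()
        elif line.lower().startswith("load "):
            loads.append(line.split()[1:])   # e.g. ["remote", "-E", "<hash>"]
    return settings, loads


def audit_ncf(text: str, netware_3x: bool = False) -> list:
    """Returns a list of findings; an empty list means every check passed."""
    settings, loads = parse_ncf(text)
    findings = []
    for param, want in REQUIRED_SETTINGS.items():
        have = settings.get(param)
        if have != want:
            findings.append(f"set {param}={want} missing or wrong (found {have})")
    # The chapter calls for this one on NetWare 3.x, where passwords cross the wire in clear text.
    if netware_3x and settings.get("allow unencrypted passwords") != "off":
        findings.append("set allow unencrypted passwords=off missing on a NetWare 3.x server")
    if "bindery context" in settings:
        findings.append("set Bindery Context is active; remark it out unless clients need bindery emulation")
    for args in loads:
        if args and args[0].lower() == "remote":
            if len(args) >= 2 and args[1].upper() == "-E":
                findings.append("rconsole loaded with a hashed password; the chapter shows the hash is crackable, prefer scrsaver or an rconsole replacement")
            elif len(args) >= 2:
                findings.append("rconsole password stored in clear text in autoexec.ncf")
            else:
                findings.append("rconsole (load remote) in use; consider disabling it on critical servers")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_AUTOEXEC), ("hardened", HARDENED_AUTOEXEC)):
        print(name, audit_ncf(text) or ["no findings"])
```

The weak sample produces ten findings (eight settings missing or wrong, an active bindery context, and a clear-text rconsole password); the hardened sample produces none, even when checked as a NetWare 3.x server. Feed it the files you save and print under the documentation countermeasure and rerun it after every patch.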



Part V
Application Hacking

In this part . . .

Well, this book has covered everything from nontechnical hacks to network hacks to operating system hacks. One major category is left to cover: the applications that run on top of all of this.

This part first covers malware (you know, those darn viruses, worms, and so on) and malware prevention tools, along with some various countermeasures. Although malware is not particularly an application ethical hackers use (at least try not to use), it still affects everything else done on networks from a security perspective, including messaging systems and Web applications, which are also in this part. This part then takes a look at various messaging hacks and countermeasures affecting e-mail and instant messaging systems. Finally, this part takes a look at common Web application hacks, along with some countermeasures to secure them from the elements.



Chapter 14
Malware

In This Chapter

Distributing malware

Testing your systems

Preventing malware

Malicious software (malware) has long been one of the biggest problems computer users face. Viruses and worms have proved to be the biggest nuisances, but these types of malware are ineffective if adequate controls are in place. On the other hand, such types of malware as Trojan horses and rootkits can inflict serious harm against computers and information, and are much harder to defend against.

The implications of testing your own systems with malware attacks — as hackers would do — are similar to some of the social-engineering and physical-security attacks I cover elsewhere in the book. Introducing known malware into your production systems is just not a good idea, considering that your business is at stake. In this chapter, although I cover some benign tests you can run against your systems, I focus on how malware gets onto your systems, how to find and remove it after an infection is found, and what proven countermeasures you can take to increase the odds that malware stays out of your systems.

Implications of Malware Attacks
Malware is one of the greatest threats to the security of your information. Not only do you have to deal with the well-known malware — the ILoveYous and Code Reds of the world — infecting your computers, but also, hackers are constantly developing new ways to wreak havoc on systems. It seems that every month, widespread malware attacks take place around the globe. The more recent attacks are mostly self-propagating — which means that they need no user intervention to spread across computer networks and the Internet. These programs attack unpatched software and gullible users opening malicious e-mail attachments.


A case study in malware with Ed Skoudis
In this case study, Ed Skoudis, an information-security consultant for International Network Services, shared an experience he had related to malware. Here’s his account of what happened.

The situation
Mr. Skoudis and his penetration-testing team were hired by a large financial institution to determine whether they could break into the bank’s updated Internet gateway infrastructure. This penetration test focused on the new elements of their infrastructure, including several VPN gateways, firewalls, routers, and a handful of servers. The goal of the test was to search for vulnerabilities and see how deep into the target production network the team could penetrate.

The Web server was where things started to get interesting for Mr. Skoudis and his team. During the test in mid-2003, while scanning all of the target systems for vulnerabilities with the free Nessus tool, the team discovered that the Web server was vulnerable to the WebDAV buffer-overflow exploit. This flaw was originally announced by Microsoft in March 2003, but no one had patched the server for 60 days.

The outcome
Mr. Skoudis and his team were able to execute commands on the machine by tickling WebDAV and installed the Netcat tool to create a backdoor. Then they scheduled the Netcat backdoor to restart every 10 minutes, to make sure they could re-enter the system continually if they were ever knocked off. Mr. Skoudis emphasized that penetration testers need to be extremely careful in choosing the type of malware they utilize in their testing regimen. As a side note, he stated that he installs only application-level backdoors that are well understood, like Netcat. In addition, he stressed that penetration testers should not install rootkits or introduce self-replicating code, such as viruses and worms, because they can make a production machine extremely unstable.

With the Netcat backdoor firmly lodged on the target system, the team set up shop on the victim Windows Web server. They installed their scanning tools on this machine, including the Nmap port scanner. Using the conquered Web server as a jump-off point to scan further into the network, the team found another vulnerable system. This time, they discovered a poorly configured Solaris machine on the internal network that allowed SSH access with an easily guessed password. After he and his team compromised the Solaris server, they installed another Netcat backdoor on that system.

With two relatively common flaws — an unpatched Windows Web server and an easily guessed password — Mr. Skoudis and his team managed to gain deep access into the target network. He emphasized the possibility of this type of attack by a not-so-ethical hacker, along with the widespread availability of the malware needed to carry it out, and underscored the importance of having a solid security program. This includes keeping systems patched and educating users and administrators in selecting difficult-to-guess passwords.

Ed Skoudis uses his exceptional technical expertise to perform security assessments, design secure network architectures, and respond to computer attacks for his customers. He is a well-known speaker on issues associated with hacker tools and defenses, and has authored the excellent Prentice Hall books Malware: Fighting Malicious Code and Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses.



Most malware attacks — especially the recent ones — exploit well-known vulnerabilities that should’ve been fixed months before the attacks occur.

Unfortunately, the general practice within IT and security is to install patches when people get around to it. This is mostly because people either don’t make it a priority to patch or simply can’t keep up with all the patches required across all their systems. The hackers know this and take full advantage of it.

The widespread malware attacks that you hear about on the news aren’t the ones to worry about. Trojan horses, rootkits, spyware, and other devious programs are the scary ones. These applications can do the following:

List running processes and applications

Load and kill running processes and applications

Capture keystrokes

Search and copy files

Steal passwords

Edit system files

Turn on Web cams and microphones

Remotely reboot computers

Perform practically any administrative function

Bad things can happen if any of these events occurs on your network, including confidential information being stolen, computers being taken offline, and data being deleted.

Types of Malware

Most malware is platform-specific: it targets specific operating systems, applications, and vulnerabilities to spread more quickly.

Trojan horses

Trojan horses — named after the infamous Greek wooden horse used to penetrate the city of Troy — are executable files, often transmitted via e-mail, that masquerade as legitimate programs but actually perform malicious acts.

Chapter 14: Malware

Trojan-horse code works in the background — doing things like deleting information, gathering passwords, and capturing keystrokes — while a legitimate-looking program, such as a screen saver or game, runs in the foreground.

Many Trojans — called remote-access Trojans, or RATs — set up backdoors on the systems they infect, allowing hackers to access them remotely and control them from across the Internet. Many Trojans aren’t detected by antivirus programs. With all things being equal (and antivirus software running), this is the malware you should be afraid of. Some common RATs are NetBus, SubSeven, and Back Orifice.

Viruses

Computer viruses are the best-known malware category. Viruses are programs that are often self-replicating — meaning that they can make copies of themselves — and attach to executable files, deleting information and crashing computers whenever a user or other process runs the program. Even PDA viruses exist, some of which drain batteries and call 911 for you — how thoughtful!

Worms

Worms are self-propagating programs that travel around the Internet at lightning speed. They load up in memory, effectively exploit known software vulnerabilities, and often end up crashing the systems.

Rootkits

Rootkits are nasty applications that hackers can use to control a computer completely, with the ultimate prize of crashing the system or stealing information. Rootkits are mostly found on UNIX systems but are becoming popular on the Windows platform. Rootkits are sets of programs that either

Masquerade as typical administrator command-line programs

Integrate into the kernel, or core, of the operating system

Kernel-based rootkits, such as Knark for Linux and the FU rootkit for Windows, tie into the actual operating system. With these programs, hackers can



Hide system processes and applications from the Windows Task Manager or the process list in UNIX

Change the group membership of processes and applications so that a malicious program can run as the system, administrator, or root account

Modify environment variables

Make programs look like they were run by another user, concealing the hacker’s identity in audit logs

Spyware

Spyware programs spy on you and sometimes even capture and transmit confidential information from your computer. They’re installed as cookies, Windows Registry entries, and even executables on the local computer.

“Legitimate” spyware that may be installed by an administrator or other person to watch someone’s computer usage includes SpectorSoft’s eBlaster and Spector Pro, and TrueActive (formerly known as WinWhatWhere). These programs are extremely powerful and capture video screen shots, turn on the local microphone, track Web browsing, and even forward copies of e-mails sent and received to a third-party address. Powerful and scary!

Adware is similar to spyware but a little less intrusive. It tracks Internet usage and pulls targeted ads to specific users, based on their habits.

Built-in programming interfaces

Programming interfaces built into operating systems can be used maliciously:

Java applets are programs written in the Sun Microsystems programming language. Although these programs run in a sandbox — or safe area — to ensure that the local system is not compromised by malicious code, they can still cause security problems.

Microsoft .NET applications are programs written based on the new application framework from Microsoft. Like Java applets, these programs have their own playpen that helps ensure that malicious code is not executed.

ActiveX controls are Microsoft-based programs that everyone loves to hate. ActiveX controls can be executed with minimal effort in such applications as Internet Explorer, Outlook, and other Microsoft programs.


Their control over a computer can potentially cause serious harm to a computer system and its stored information.

VBScripts are scripts written in VBScript, a scaled-down version of Microsoft’s Visual Basic programming language. Similar to ActiveX controls, these scripts can wreak havoc on local data. Many of the common malware programs traversing the Internet today are VBScripts.

Windows Script Host (WSH) is a script processor built into Windows that runs VBScript and JScript files, much as the command interpreter runs DOS batch files, and it can be used to perform malicious acts.

JavaScript programs, which are similar to ActiveX and VBScripts, are written in Netscape’s scripting language. They can cause computers harm if users willingly run them within Web browsers and e-mails.

Not all applications written in these programming interfaces are malicious. Many legitimate programs are used every day that run just fine and don’t do any harm.

Logic bombs

A logic bomb is a program — often, an automated script using regular network administration tools — that is scheduled to run when it’s triggered by a certain event, such as someone’s logging in, or run on a specific date or time, such as two weeks after an employee is let go.

Logic bombs are a common way for disgruntled employees to seek revenge on their former employers. Some logic bombs have destroyed entire databases of information, including the famous logic bomb planted by Tim Lloyd at Omega Engineering a few years back. This program erased all the information from the company’s NetWare server, putting a stop to its manufacturing processes. This event resulted in $10 million in damages to the company, and ultimately, 80 employees got laid off.

Security tools

Your own security tools can be used against you. This includes the following tools:

Vulnerability scanners such as Nessus, and even the tried-and-true Netcat utility, which is the classic way to plant a backdoor listener on a compromised system (as in the case study earlier in this chapter).

Network analyzers, including the ARP poisoning tools ettercap and dsniff.

The DOS debug program that still ships with Windows.

The NetWare debugger backdoor.

You access the backdoor by pressing Shift+Alt+Shift+Esc all at the same time (using both Shift keys) at the server console.

How Malware Propagates

Some time back — practically forever, in computer time — most malware propagated via floppy disks. In 1981, the first computer virus was released: the Apple II Elk Cloner virus. In 1986, the first virus that affected the Microsoft/Intel platform — the Brain virus — was released. Both of these viruses were floppy-disk–based, but neither packed the punch that many viruses have come to inflict on their victims since that time.

Some of the first malware exploited vulnerabilities in computer hardware and software architectures — like what happens today. These old-fashioned viruses spread very slowly by today’s standards. It could take months and sometimes years for a few thousand systems to be infected. What’s different about today’s malware? It’s the method of propagation. The Internet allows malware to spread around the world quickly. Malware can affect hundreds of thousands of systems within a few weeks, as happened with the Code Red and Nimda worms, or within a few minutes, as we saw with the Slammer/Sapphire worm.

Hackers from anywhere in the world can try penetrating your systems — at their convenience.

Automation

Automated attacks are the wave of the future for malware. The Internet is not going away. In fact, more systems are going online — more users, more hackers, and a greater number of applications are emerging that can be affected. This includes Web services; peer-to-peer (P2P) software, such as instant messaging (IM) and other file-sharing technologies, such as Gnutella, Kazaa, and Morpheus; and mobile-device applications that run on PDAs and cell phones.

E-mail

The most common malware attack channel is through e-mail. A hacker simply attaches a virus or Trojan horse to an e-mail — often, through an automated mechanism — and sends the message to unsuspecting users. This process is automated with self-propagating worms, making an attack even easier. The text of the e-mail says, “See the attached note” or “Check out this game.”

Many gullible users open the attachment, thinking it’s something that will brighten up their day. Instead, it’s malware looking to copy or delete local files and often glean e-mail addresses from the user’s address book to send itself on to other users. If antivirus software is missing, outdated, or disabled at the time, this can spell bad news for the computer or network.

Hacker backdoors

Malware is propagated on computer systems by hackers compromising a host from across the network or Internet, obtaining administrator or root access by exploiting a known vulnerability and then installing the malware to their heart’s content. They can set up backdoors, giving them remote access so they can come back and play in the future.

Many of these infections go unnoticed indefinitely, usually until the network administrator suspects that something strange is going on, or the system crashes, or information gets stolen or erased.

Testing

You can carry out various tests to check for malware infections on your network, as described in the following sections.

Vulnerable malware ports

You should look for Trojan ports when assessing your systems. Here are some common default ports to look out for:

31337 (UDP) for Back Orifice, and 54320 (TCP) and 54321 (UDP) for Back Orifice 2000

12345 and 12346 (TCP) for NetBus

1243 and 27374 (TCP) for SubSeven

When testing, look for computers listening on these ports. These port numbers can usually be changed in most malware applications, so don’t rely on these completely: a listener on a default port is a lead to follow up by identifying the process that owns it, and the absence of hits proves nothing.




Two great Web sites I refer to a lot when I want to see how a particular piece of malware works are the following:

www.simovits.com/trojans/trojans.html is a comprehensive listing of Trojan horses.

PestPatrol’s catalog of pests at research.pestpatrol.com/PestInfo/pestdatabase.asp.

Manual assessment

It helps to know your systems — what software is installed and what services are running. Document your baseline environment, if you haven’t already, by using the same methods I describe in this chapter.

If you suspect that one of your systems may be infected by malware, or you want to see which applications are loaded on your system, there are tools and techniques you can use. The key here is to search for things that just don’t look right.

Windows

Because most malware affects Windows, there are various tests specific to that platform you can carry out to test for malware infections.

Odd file names

If you’re unsure what a specific file does or want more details on file-format and header information, you have a couple of options for information:

Check Wotsit’s Format at www.wotsit.org for information on file formats and headers.

Search for the filename in Google with both Web and Groups searches.

Netstat

Run netstat -an at a command prompt.

The a option displays all connections and listening ports.

The n option displays IP addresses and port numbers in numeric form to make them easier to read.

You see something similar to the following list:


Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.11.12.202:139       0.0.0.0:0              LISTENING
  TCP    10.11.12.202:1044      208.215.179.139:80     CLOSE_WAIT
  TCP    10.11.12.202:2099      10.11.12.204:139       ESTABLISHED
  TCP    10.11.12.202:2100      10.11.12.2:139         TIME_WAIT
  UDP    0.0.0.0:445            *:*
  UDP    10.11.12.202:137       *:*
  UDP    10.11.12.202:138       *:*

The preceding example shows several Microsoft networking ports (135 for RPC, 137 through 139 for NetBIOS, and 445 for SMB) and a recent HTTP connection (port 80; CLOSE_WAIT means the remote Web server has already closed its side).

The NetBIOS connections may be questionable, but I’ve actually initiated those connections, so I trust that they’re legitimate.

Look for connections to the following ports to scope out possible malware or other hacker behavior in progress:

NetBIOS ports

Common malware ports

Ports that can indicate malicious behavior, including telnet (TCP port 23) and FTP sessions that shouldn’t be occurring (TCP ports 20 and 21)
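The two preceding sections (the Trojan port list and the netstat check) can be combined into one script. This is an added example, not from the book: it parses Windows netstat -an output in the format of the listing above (and tolerates the extra PID column of netstat -ano), then flags local listeners on the Trojans’ default ports, connections from this host to those ports on other machines, and outbound telnet and FTP sessions. The sample listing is constructed for the example (the book’s listing with a NetBus-style listener and a telnet session added); the port table and the script name are the example’s own assumptions.

```python
"""Flag suspicious entries in Windows `netstat -an` (or `netstat -ano`) output.

Added example, not from the book.  Usage:  netstat -an | python netstat_watch.py
"""
import re
import sys

# Default ports of the Trojans named in this chapter. Operators can change
# them, so a hit is a lead to investigate, never a verdict on its own.
TROJAN_PORTS = {
    31337: "Back Orifice",
    54320: "Back Orifice 2000", 54321: "Back Orifice 2000",
    12345: "NetBus", 12346: "NetBus",
    1243: "SubSeven", 27374: "SubSeven",
}
# Clear-text services that should not normally be in use from workstations.
WATCH_SERVICES = {20: "FTP data", 21: "FTP control", 23: "telnet"}

# Proto, local addr:port, foreign addr:port, optional state, optional PID (-o).
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+([A-Z_]+))?(?:\s+\d+)?\s*$"
)


def parse_netstat(text):
    """Yield (proto, laddr, lport, raddr, rport, state); rport is None for '*'."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner and header lines
        proto, laddr, lport, raddr, rport, state = m.groups()
        yield (proto, laddr, int(lport), raddr,
               int(rport) if rport.isdigit() else None, state or "")


def find_suspicious(text):
    """Return [(reason, entry)] for entries worth a second look."""
    hits = []
    for proto, laddr, lport, raddr, rport, state in parse_netstat(text):
        shown_rport = rport if rport is not None else "*"
        entry = f"{proto} {laddr}:{lport} {raddr}:{shown_rport} {state}".rstrip()
        if lport in TROJAN_PORTS and state in ("LISTENING", ""):
            # A local listener on a Trojan default port (UDP lines carry no state).
            hits.append((f"listening on {TROJAN_PORTS[lport]} default port", entry))
        elif rport in TROJAN_PORTS:
            # This host is talking to a Trojan port elsewhere: it may be the attacker.
            hits.append((f"connected to {TROJAN_PORTS[rport]} default port", entry))
        elif rport in WATCH_SERVICES and state == "ESTABLISHED":
            hits.append((f"outbound {WATCH_SERVICES[rport]} session", entry))
    return hits


# Constructed sample: the book's listing plus a NetBus listener and a telnet session.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    10.11.12.202:139       0.0.0.0:0              LISTENING
  TCP    10.11.12.202:1044      208.215.179.139:80     CLOSE_WAIT
  TCP    10.11.12.202:2099      10.11.12.204:139       ESTABLISHED
  TCP    10.11.12.202:2101      10.11.12.9:23          ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    10.11.12.202:137       *:*
"""

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for reason, entry in find_suspicious(text):
        print(f"{reason:40s} {entry}")
```

Pipe live output into it (netstat -an | python netstat_watch.py) or run it without input to see the sample. A hit on a default port is a lead, not proof: identify the owning process next (netstat -ano gives you the PID), as the port-mapping section below and the OfficeScan story later in this chapter make clear.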

Port mapping

A port-mapper program shows which applications are actually connected to the specific open ports.

My favorite port mapper is a free tool called Vision by Foundstone (www.foundstone.com). I recommend this tool for your toolbox. On Windows XP and later, netstat -ano shows the owning process ID for each socket and netstat -b (run from an administrator prompt) names the executable, so you can get the same mapping without a third-party tool.

Figure 14-1 shows the detailed information that Vision can provide. Ports 12345 and 12346 are mapped to c:\temp\Patch.exe. That’s the NetBus server executable — yikes!

Task Manager

Press Ctrl+Alt+Del to load the Windows Task Manager and see whether any strange applications or processes are loaded.

Many strange-looking processes are legitimate. Make sure that you know what you’re dealing with, so you don’t stop a legitimate program. A quick Google search on the filename usually provides enough information. Just because it’s not there doesn’t mean it’s not loaded, though, because some processes, such as the FU rootkit for Windows, have the ability to hide themselves.




Net use

You can run net use at a command prompt to see what drives are mapped to external systems. Look for drive mappings that should not be there.

Registry

Look in your Windows Registry under the following HKEY_LOCAL_MACHINE (HKLM) keys for strange-looking applications that are loading. This is a common place for malware to be initiated upon startup.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

Run and RunOnce keys also exist under HKEY_CURRENT_USER (HKCU) for each user profile; malware that runs without administrator rights uses those, so check them too.

Startup files

Check your Windows startup folder and files such as autoexec.bat and config.sys in the root directory of the C: drive for any applications that don’t belong. Unknown programs can signal that a rogue application is configured to start every time the computer boots.
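An added example, not from the book, that automates the Registry check above: export the Run keys with reg export and review them offline. The script parses the .reg text for string values under keys ending in Run, RunOnce or RunOnceEx, pulls the executable out of each command line, and flags entries that refer to user-writable locations, that run scripts rather than programs, that borrow a system binary’s name from outside the Windows directory, or that launch through a script host such as wscript.exe (where the real payload is in the arguments). The sample export is constructed (the Patch.exe entry mirrors the NetBus finding above; the OneDrive entry is a deliberate benign hit, since per-user software legitimately lives in AppData); the heuristics and the script name are the example’s own.

```python
"""Review Run-key autoruns from a `reg export` (.reg) file.

Added example, not from the book. Export with (from an elevated prompt):
  reg export "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" hklm_run.reg
  reg export "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" hkcu_run.reg
then:  python autoruns_review.py hklm_run.reg hkcu_run.reg
"""
import re
import sys

RUN_KEY_RE = re.compile(r"\\(Run|RunOnce|RunOnceEx)$", re.IGNORECASE)
# "name"="value" with .reg escaping (\\ and \"); @ is the key's default value.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)="((?:[^"\\]|\\.)*)"$')

# Heuristics (assumptions of this example; tune them for your environment).
USER_WRITABLE = ("\\temp\\", "\\tmp\\", "\\users\\public\\", "\\appdata\\",
                 "\\downloads\\", "\\programdata\\")
SCRIPT_EXT_RE = re.compile(r'\.(vbs|jse?|wsf|wsh|bat|cmd|hta|ps1)(?:"|\s|$)')
SYSTEM_NAMES = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "rundll32.exe", "cmd.exe")


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_values(text):
    """Yield (key, value_name, command) for REG_SZ values under Run-style keys."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or not RUN_KEY_RE.search(key):
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue  # blank lines, dword:/hex: values
        name = _unescape(m.group(1)) if m.group(1) is not None else "(Default)"
        yield key, name, _unescape(m.group(2))


def command_path(cmd):
    """Executable portion of a command line: the quoted part, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def review_autoruns(text):
    """Return [(key, name, path, [reasons])] for entries that deserve a look."""
    findings = []
    for key, name, cmd in parse_run_values(text):
        path = command_path(cmd)
        base = path.lower().rsplit("\\", 1)[-1]
        low = cmd.lower()  # check the whole command line, arguments included
        reasons = []
        if any(d in low for d in USER_WRITABLE):
            reasons.append("refers to a user-writable directory")
        if SCRIPT_EXT_RE.search(low):
            reasons.append("runs a script, not a compiled program")
        if base in SYSTEM_NAMES and "\\windows\\" not in path.lower():
            reasons.append(f"uses the system binary name {base} outside the Windows directory")
        if base in SCRIPT_HOSTS:
            reasons.append(f"launches through {base}; the real payload is in the arguments")
        if reasons:
            findings.append((key, name, path, reasons))
    return findings


# Constructed sample export (not taken from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"Updater"="C:\\Users\\Public\\svchost.exe -silent"
"Patch"="c:\\temp\\Patch.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Patch]
"DisplayName"="c:\\temp\\Patch.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Notes"="wscript.exe C:\\Users\\alice\\AppData\\Roaming\\notes.vbs"
'''

if __name__ == "__main__":
    # reg export writes UTF-16 with a byte-order mark.
    text = SAMPLE if len(sys.argv) == 1 else "".join(
        open(p, encoding="utf-16").read() for p in sys.argv[1:])
    for key, name, path, reasons in review_autoruns(text):
        print(f"{key}\n  {name} = {path}\n    " + "\n    ".join(reasons))
```

The OneDrive hit is expected noise: per-user software commonly runs from AppData, so the script’s job is to shorten the list you verify by hand, not to decide for you. The Uninstall key in the sample is ignored because only Run-style keys start programs at logon.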

Linux

For your Linux-based systems, you can run various tests to find out more about what’s running on your systems.

netstat

Run netstat -at to view active network connections (add -u to include UDP). Add -p (as root) to see which program owns each socket; on current distributions, ss -tanp gives the same view.

Figure 14-2 shows that a Web server and SSH server are running with two computers connected to these services. In addition, you see the X11 service for X Window, the domain service (DNS), sunrpc, and the SMTP service for e-mail. Check these types of things before a suspected attack occurs so that you know what belongs and what doesn’t.

Figure 14-1: Running Vision to map ports to actual applications running on a system.


lsof

The lsof utility lists open files, as shown in Figure 14-3, so you can check for strange connections; lsof -i -P -n limits the listing to network sockets, with ports and addresses shown numerically. This is similar to the Vision program for Windows.

ps

The ps utility displays running processes, as shown in Figure 14-4. You can check for strange applications that don’t look right.

This is why it helps to know what’s supposed to be loaded!

Startup files

Check your Linux startup files (such as inetd.conf and xinetd.conf, the init scripts under /etc/init.d or /etc/rc.d, and the cron tables) for any applications that don’t belong. Unknown programs can signal that a rogue application is configured to start every time the computer boots.

Figure 14-3: Using the lsof utility to look for potential malware applications that are loaded.

Figure 14-2: Running netstat in Linux shows the network connections.




Network card

Determine whether someone or some malware has placed the machine’s network card into promiscuous mode, indicating the use of a network analyzer. Enter this line at the command prompt:

ifconfig -a | grep PROMISC

If the return value is not empty, an interface is running in promiscuous mode. You can enter this command into a cron job that runs every few hours that can alert you if one is found.

One caveat: ifconfig and ip link report only the flag that was set through the interface-flags API, that is, by those tools themselves. Promiscuous mode enabled through a packet socket, which is how libpcap-based sniffers such as tcpdump do it, is not necessarily shown there; the raw interface flags in /sys/class/net/<interface>/flags (bit 0x100, IFF_PROMISC) and the kernel log line “device eth0 entered promiscuous mode” do reflect it.
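The grep above is a start, but it has a blind spot on current Linux kernels. Added example, not from the book: a cron-friendly Python check that reads the raw interface flags from sysfs, where promiscuity requested through a packet socket (how libpcap-based sniffers such as tcpdump enable it) is visible even when ifconfig and ip link still show nothing, and that parses ip -o link show output as a second source. The IFF_PROMISC bit value comes from the kernel headers; the sample ip output is constructed, and the script name and the cron line in the usage note are the example’s assumptions.

```python
"""Detect Linux interfaces in promiscuous mode, including the cases that
`ifconfig | grep PROMISC` misses.

Added example, not from the book. Exit status 1 means at least one interface
is promiscuous, so a cron job can chain `|| logger ...` to raise an alert.
"""
import os
import re
import subprocess
import sys

IFF_PROMISC = 0x100  # include/uapi/linux/if.h

# "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ..." (ip -o link)
IP_LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s+<([^>]*)>")


def is_promisc(flags_text):
    """True if raw interface flags (contents of /sys/class/net/X/flags) carry IFF_PROMISC."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promisc_from_sysfs(root="/sys/class/net"):
    """Interfaces whose raw kernel flags have IFF_PROMISC set.

    This reflects promiscuity requested by packet sockets (tcpdump, Wireshark)
    as well as by `ip link set ... promisc on`.
    """
    if not os.path.isdir(root):
        return []
    found = []
    for name in sorted(os.listdir(root)):
        try:
            with open(os.path.join(root, name, "flags")) as fh:
                if is_promisc(fh.read()):
                    found.append(name)
        except OSError:
            continue  # interface vanished or has no flags file
    return found


def promisc_from_ip_link(text):
    """Interfaces that `ip -o link show` reports with the PROMISC flag.

    Only promiscuity set through the interface-flags API shows up here, so
    treat this as a second opinion, not the primary check.
    """
    return [m.group(1) for m in map(IP_LINK_RE.match, text.splitlines())
            if m and "PROMISC" in m.group(2).split(",")]


def main():
    hits = set(promisc_from_sysfs())
    try:
        out = subprocess.run(["ip", "-o", "link", "show"], capture_output=True,
                             text=True, check=True).stdout
        hits.update(promisc_from_ip_link(out))
    except (OSError, subprocess.CalledProcessError):
        pass  # no iproute2 available: sysfs alone is still authoritative
    for name in sorted(hits):
        print(f"promiscuous: {name}")
    return 1 if hits else 0


# Constructed sample of `ip -o link show` output (one line per interface).
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
3: veth1@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP mode DEFAULT group default\\    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
"""

if __name__ == "__main__":
    sys.exit(main())
```

Install it as, for example, 0 */4 * * * /usr/local/sbin/promisc_check.py || logger -p auth.warning "promiscuous interface on $(hostname)". The kernel also logs “device eth0 entered promiscuous mode”, so dmesg or your syslog is a third place to look, and the one that tells you when it happened.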

Antivirus software testing

For starters, check whether your antivirus software is actually working. Before you begin testing your antivirus software, make sure that you have the latest virus software engine and signatures loaded.

You have a couple of safe options for checking the effectiveness of your antivirus software, as described in the following two sections. This is by no means a comprehensive method of testing your malware-protection mechanisms, but it serves as a good, safe start.

Figure 14-4: Running the ps utility to display running processes.

Eicar test string

Eicar is a European-based malware think tank that has worked in conjunction with malware vendors to provide this basic system test. The eicar test string is transmitted in the body of an e-mail or as a file attachment so that you can see how your server and workstations respond. You basically access this file — which contains the following 68-character string — on your computer to see whether your antivirus or other malware software detects it:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

The string must be the first 68 bytes of the file, followed at most by whitespace, for scanners to treat it as the test file; all 68 characters are printable ASCII, so you can also type the file yourself in a plain text editor.

You can download a text file with this string from www.eicar.org/anti_virus_test_file.htm. Several versions of the file are available on this site. One version is a zip file. I recommend testing with this file to make sure that your antivirus software can detect malware within compressed files.
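Added example, not from the book: a Python script that builds the test file from the 68-byte string and packs it one and three zip levels deep, so you can check not only whether your scanner sees the bare file but how deep into nested archives it looks, together with a reference check in code of the eicar.org file definition. The depth limit, the skip of encrypted entries (a gateway scanner without the password must skip them too) and the file names are the example’s own choices.

```python
"""Build the EICAR test file, bare and inside nested zip archives, plus a
reference check of how deep an archive scanner must look to find it.

Added example, not from the book.  Usage:  python eicar_depth.py /path/to/dir
writes eicar.com, eicar1.zip (one level) and eicar3.zip (three levels) there.
"""
import io
import os
import sys
import zipfile

# The 68-byte test string, split into two literals so that this source file
# is not itself the test file (scanners look for it at the start of a file).
EICAR = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-"
         "ANTIVIRUS-TEST-FILE!$H+H*")


def eicar_bytes():
    data = EICAR.encode("ascii")
    assert len(data) == 68
    return data


def looks_like_eicar(data):
    """eicar.org definition: the 68 bytes first, then only whitespace, 128 bytes at most."""
    return (len(data) <= 128 and data[:68] == eicar_bytes()
            and data[68:].strip(b" \t\r\n") == b"")


def wrap_in_zip(payload, name="eicar.com", levels=1):
    """Nest `payload` inside `levels` zip archives; levels=0 returns it unchanged."""
    data, inner = payload, name
    for level in range(1, levels + 1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(inner, data)
        data, inner = buf.getvalue(), f"level{level}.zip"
    return data


def find_eicar(data, max_depth=3, _depth=0):
    """Return the archive depth at which the test file is found, or None.

    Encrypted entries are skipped, as a gateway scanner without the password
    has to; archives nested deeper than max_depth are not opened, which is
    exactly the limit the zipped test files probe in a real product.
    """
    if looks_like_eicar(data):
        return _depth
    if not zipfile.is_zipfile(io.BytesIO(data)) or _depth >= max_depth:
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:
                continue  # encrypted entry: cannot be inspected
            found = find_eicar(zf.read(info), max_depth, _depth + 1)
            if found is not None:
                return found
    return None


if __name__ == "__main__":
    outdir = sys.argv[1] if len(sys.argv) > 1 else "."
    for fname, levels in (("eicar.com", 0), ("eicar1.zip", 1), ("eicar3.zip", 3)):
        blob = wrap_in_zip(eicar_bytes(), levels=levels)
        with open(os.path.join(outdir, fname), "wb") as fh:
            fh.write(blob)
        print(f"wrote {fname}; reference check finds the test file at depth {find_eicar(blob)}")
```

Run it in an isolated directory; a working on-access scanner will typically intercept the files as they are written, which is itself the result you are after. Compare what your product reports on eicar1.zip and eicar3.zip with what find_eicar returns for the same bytes to see where its archive scanning stops.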

When you run this test, you may see results similar to Figure 14-5 from yourantivirus software.

GFI’s Email Security Testing Zone

A freebie at www.gfi.com/emailsecuritytest is a good e-mail malware test to run against your server and clients. This series of tests sends e-mails with malicious-like scripts in such programming languages as Visual Basic and ActiveX to check exactly what gets through your e-mail system. These aren’t malicious tests — just tests that should invoke your antivirus software or other protective measures on your e-mail server or gateway if your software is configured and working correctly.

Network scanning

Use Nmap, SuperScan, or your favorite port-scanning tool to check for abnormal ports open on your network hosts.

Figure 14-5: Using the eicar test string to test antivirus software.




Some connections that show as open aren’t necessarily accurate and dependable. You may need to investigate unknown ports on the systems further by using a port-mapping tool such as Vision for Windows or lsof for Linux, as described previously in this chapter.

Using SuperScan, you may find the following results in a quick network scan:

* - 10.10.1.1 fs1
  |___ 12345 Win95/NT Netbus backdoor
* - 10.10.1.2 [Unknown]
* - 10.10.1.4 laser
* + 10.10.1.204 PC100
  |___ 12345 Win95/NT Netbus backdoor
* + 10.10.1.209 DQ
  |___ 12345 Win95/NT Netbus backdoor

You can also use Nmap to find specific malware ports, as shown in Figure 14-6.

During a recent incident response project that I was on, I found dozens of computers listening on TCP port 12345 — the default port of the NetBus Trojan! Needless to say, I was quite concerned. After some poking around, I discovered that NetBus had not infested the network, as it originally appeared. It was the OfficeScan NT antivirus product by Trend Micro that was listening on that port — who would’ve thought? Major lesson learned.

I recommend scanning your entire network for spyware with PestPatrol Auditor’s Edition (www.pestpatrol.com) or a similar program. Figure 14-7 shows the results of a stand-alone PestPatrol scan on the local computer; it found NetBus and several spyware cookies. PestPatrol detects spyware, adware, Trojans, and some rootkits.

Figure 14-6: Nmap results showing the NetBus server listening on ports 12345 and 12346.

Every time I run a full scan on my system, tools are called suspect, and my software — antivirus software especially — tends to “clean up” those tools for me. I must either replace my security tools from backup or download and install them again. If any of your security tools or security testing software may look like malware on your computer, either

Keep backup copies of the original installation files.

Have your malware-protection software skip the files or directorieswhere your security tools are installed.

Of course, if an infection is suspected — and periodically, such as once a month, even when infections aren’t suspected — run your antivirus software against all the computers on your network. Another tool to double-check your systems is McAfee’s AVERT Stinger (vil.nai.com/vil/stinger). This stand-alone antivirus executable checks for several dozen of the latest common malware items and known variants of each.

Behavioral-analysis tools

For a neat set of tests to find whether your Windows-based systems are susceptible to behavioral-based malware attacks — that is, attacks that don’t match a specific signature, but perform a function such as writing to the local hard drive — check out the demos at the Finjan Software Test Center at www.finjan.com/mcrc/sec_test.cfm. These tests — which include “malicious” executables, JavaScript, ActiveX, and Visual Basic — safely show you just what can happen without the proper malware protection in place on your systems.

Figure 14-7: Sample results from a PestPatrol scan.

In my testing, few antivirus and personal firewall applications actually detected any wrongdoings when running these tests. The scripting tests require you to grant permission to load the scripts — many users just do this automatically!

Malware Countermeasures

You can implement various countermeasures to prevent malware attacks against your systems, as described in the following sections.

General system administration

Security countermeasures within your organization can help prevent attacks:

Your first and foremost goal should be to keep hackers and malware out of your systems in the first place. If you perform the other countermeasures and system-hardening best practices mentioned throughout this book and referenced in Appendix A, you’re on your way.

Create an incident-response plan. The FedCIRC Incident Handling Checklists at www.fedcirc.gov/incidentResponse/IHchecklists.html are a good place to start.

No matter what measures you have in place to protect your systems from malware infections, you’ll probably be attacked sometime. Plan ahead so you don’t have to make critical decisions under pressure.

Before deploying networkwide any programs downloaded from the Internet, test and analyze the programs for malicious behavior on isolated systems.

Use malware-protection software (such as antivirus, spyware protection, and Trojan testers).

Two guidelines can increase the effectiveness of your protection:

•Load the software on the layers of your network wherever possible, including on firewalls, content-filtering servers, e-mail gateways/firewalls, e-mail servers, and e-mail clients.

•Use different malware-protection applications (from multiple vendors) or a program that combines the scanning engines of several antivirus vendors in one fell swoop, such as Antigen from Sybari Software (www.sybari.com/home).

Apply the latest software patches — especially critical security updates.

Back up critical systems regularly. This could include performing the following:

•Image or other backup that can be restored quickly in the event of a serious infection

•Copies and MD5 or SHA checksums of critical executables in case you need to restore or compare existing ones for authenticity

•Emergency repair disks for critical systems in case of a malware infection

Enable heuristics protection in your antivirus software, if possible, to help detect behavioral anomalies that need to be blocked or cleaned.

Never rely on digitally signed code — such as ActiveX controls that Internet Explorer downloads and prompts you to load — to run properly on your systems. A digital signature on this code verifies only who signed it and that it hasn’t been altered since — not that the signer is trustworthy, and not how the code actually behaves when it’s loaded.

Don’t just disable such application interfaces as ActiveX, Windows Script Host, JavaScript, and Java without a good reason.

All these programming interfaces have some legitimate uses. Applications can stop working if these interfaces are disabled haphazardly. If the other security controls I mention here are in place, your systems should be pretty secure from malware written in these languages. You want to find a good balance between security and usability for your users so that security doesn’t get in the way of people doing their jobs.

Make sure that a firewall is always in place on your network. Use it to look for

•Suspicious ports in use (or trying to be used)

•Heavy traffic patterns that can signal a malware infection

Use IDS and IDP systems to stop potential malware infections in their tracks when they try to enter your network.

Run a rootkit-detection application:

•Rkdet (vancouver-Webpages.com/rkdet) for Linux checks for someone installing a rootkit or other malware on your systems.

•chkrootkit (www.chkrootkit.org) tests after the fact for over 50 different installed rootkits on many popular flavors of UNIX.




E-mails

In addition to the preceding security countermeasures, you can implement several e-mail–specific malware-protection measures:

Make it policy for users not to open unsolicited e-mails and any attachments — especially those from unknown senders.

Plan for users who ignore or forget about the policy of leaving unsolicited e-mails and attachments unopened. These automatic technical measures can help prevent malware from infecting user systems:

•At the server or e-mail gateway, filter e-mails that have executable attachments, such as .com, .exe, .pif, .scr, and .vbs. The File Extension Source at filext.com has information about more than 8,500 file types.

•Always run antivirus software wherever it can be installed — at the handheld, desktop, and server levels, if possible.

•Run antivirus software at the server or gateway levels, if possible.

Make sure that encrypted files and e-mails can be protected against malware.

•Encryption won’t keep malware out of files or e-mails. You’ll just have encrypted malware within the files or e-mails.

•Encryption keeps your server or gateway antivirus from detecting the malware until it reaches the desktop.
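Added example, not from the book, of the gateway filtering described in the list above, with the two checks an extension blocklist alone misses: content sniffing for Windows executables that arrive under a harmless name, and flagging password-protected archives that no gateway scanner can open (the encryption point made just above). The message and its attachments are constructed in code; the extension list extends the book’s (.com, .exe, .pif, .scr, .vbs) with other Windows executable types and is the example’s assumption, as are the names.

```python
"""Gateway-style attachment check: extension blocklist, content sniffing and an
"unscannable" flag for password-protected archives.

Added example, not from the book. The message is constructed in code.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

BLOCKED_EXT = (".com", ".exe", ".pif", ".scr", ".vbs", ".bat", ".cmd", ".js",
               ".jse", ".wsf", ".wsh", ".hta", ".cpl", ".dll", ".msi")


def is_encrypted_zip(data):
    """Bit 0 of the general-purpose flag in the first local file header."""
    return data[:4] == b"PK\x03\x04" and len(data) > 7 and bool(data[6] & 0x01)


def check_attachment(name, data):
    """Reasons to stop this attachment at the gateway (empty list = let it through)."""
    reasons = []
    lower = name.lower()
    # endswith() also catches double extensions such as invoice.pdf.scr.
    ext = next((e for e in BLOCKED_EXT if lower.endswith(e)), None)
    if ext:
        reasons.append(f"blocked extension {ext}")
    # Content check: a PE file starts with "MZ" whatever it is called.
    if data[:2] == b"MZ":
        reasons.append("content is a Windows executable (MZ header)")
    if is_encrypted_zip(data):
        reasons.append("password-protected zip: contents cannot be scanned")
    return reasons


def attachment_findings(raw_message):
    """[(filename, reasons)] for every attachment in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reasons = check_attachment(name, data)
        if reasons:
            findings.append((name, reasons))
    return findings


def _fake_encrypted_zip():
    """A zip whose local header claims encryption (constructed; not decryptable)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("setup.exe", b"MZ" + b"\x00" * 32)
    z = bytearray(buf.getvalue())
    z[6] |= 0x01  # set the encryption bit in the first local file header
    return bytes(z)


def build_sample():
    """Constructed message: one clean attachment and three that should be stopped."""
    msg = EmailMessage()
    msg["From"] = "laura@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "See the attached note"
    msg.set_content("Check out this game!")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    msg.add_attachment("just text", filename="readme.txt")
    msg.add_attachment(b"%PDF-1.4 fake", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.scr")
    msg.add_attachment(_fake_encrypted_zip(), maintype="application",
                       subtype="zip", filename="payload.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in attachment_findings(build_sample()):
        print(f"{name}: " + "; ".join(reasons))
```

The notes.txt attachment is the case the extension list misses and the content check catches; payload.zip is the case nothing at the gateway can inspect, which is why the desktop scanner must stay in the picture.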

Files

You must perform regular malware protective maintenance on your file systems. The following countermeasures will help:

Periodically scan all possible systems on your network, and enable real-time malware protection that can’t easily be disabled by users.

Scan all files — not just executable ones — to help prevent unknown malware issues.

Consider changing file associations for potentially malicious executables, such as .com, .exe, .pif, .scr, and .wsh.

For example, you can change the Windows Script Host file associations (.vbs, .js, .wsf, and .wsh) to something like Notepad.exe in case they’re ever launched. That way, Notepad will load the file instead of the Windows Script Host engine.




Chapter 15
Messaging Systems

In This Chapter

Attacking e-mail systems

Assailing instant messaging

Securing your servers and clients

Messaging systems — those e-mail and instant messaging (IM) applications that we depend on — are often hacked within a network. Why? Well, from my experience, messaging software — both at the server and client level — is vulnerable because network administrators forget about securing these systems, believe that antivirus software is all that’s needed to keep trouble away, and ignore the existing security vulnerabilities.

In this chapter, I show you how to test for common e-mail and instant-messaging issues. I also outline key countermeasures to help prevent these hacks against your systems.

Messaging-System Vulnerabilities

E-mail and instant-messaging applications are hacking targets on your network. In fact, e-mail systems are some of the most targeted. Given the proliferation and business value of instant messaging and other P2P applications, attacks against networks launched via instant-messaging channels will be at least as common as e-mail attacks.

A ton of vulnerabilities are inherent in messaging systems. The following factors can create weaknesses:

Security is rarely integrated into software development.

Convenience and usability often outweigh the need for security.

Many of the messaging protocols were not designed with security in mind — especially those developed several decades ago, when security wasn’t nearly the issue it is today.



Many hacker attacks against messaging systems are just minor nuisances; others can inflict serious harm on your information and your organization’s reputation. The hacker attacks against messaging systems include these:

Transmitting malware (as I describe in Chapter 14)

Crashing servers

Obtaining remote control of workstations

Capturing and modifying confidential information as it travels across the network

Perusing e-mails in e-mail databases on servers and workstations

Perusing instant-messaging log files on workstation hard drives

Gathering messaging trend information, via log files or a network analyzer, that can tip off the hacker about conversations between people and organizations

Gathering internal network configuration information, such as hostnames and IP addresses

Hacker attacks like these can lead to such problems as lost business, unauthorized — and potentially illegal — disclosure of confidential information, and loss of information.

E-Mail Attacks

The following e-mail attacks exploit the most common e-mail security vulnerabilities I’ve seen. The good news is that you can eliminate or minimize most of them to the point where your information is not at risk. You may not want to carry out all these attacks against your e-mail system — especially during peak traffic times — so be careful!

Some of these attacks require the basic hacking methodologies: gathering public information, scanning and enumerating your systems, and attacking. Others can be carried out by sending e-mails or capturing network traffic.

E-mail bombs

E-mail bombs can crash a server and provide unauthorized administrator access. They attack by creating DoS conditions against your e-mail software and even your network and Internet connection by taking up so much bandwidth and requiring so much storage space.




Chapter 15: Messaging Systems

A case study in e-mail hacking with Thomas Akin

In this case study, Thomas Akin, a well-known expert in e-mail systems and forensics, shared with me an experience in e-mail hacking. Here's his account of what happened.

The situation

Mr. Akin was involved in a case where a client's e-mail system was blacklisted for sending hundreds of thousands of spam e-mails. The client spent two weeks reconfiguring its e-mail server in an attempt to stop the spam e-mails from going through the system. The client looked at every technical possibility, including making sure that the server was not an open SMTP relay, but nothing worked. Over 100,000 spam e-mails a day were being sent through the company. After losing several customers because the company couldn't send them any e-mails, the company called Mr. Akin to see whether he could help.

Mr. Akin first checked to see whether the e-mail system was acting as an open relay, but it was not. Because the e-mail system wasn't misconfigured, there shouldn't have been any reason for blacklisting the client. Then he reviewed the spam e-mail headers, expecting to see a standard spoofed e-mail. Instead, after reviewing the headers, he saw that they were coming from the company's e-mail system. Not only that, but they were also originating from a reserved IP address, an address that isn't even allowed on the Internet.

Momentarily stumped, Mr. Akin looked at the text of the e-mail messages themselves. "One time only!" "Buy me now!" "Best deal ever!" This is the standard spam nonsense, except that these e-mails were signed by Laura and John (names disguised to protect the guilty). Not only that, Laura and John listed their phone numbers so potential customers could contact them easily: 555-1234. How nice of them!

The outcome

A quick search online turned up a phone-number match to a Laura and John living in East Bumble, USA. Bingo! It turned out that John was a former employee and that his dial-up account had not been disabled when he was fired from the company. A quick glance at the log files showed that the "john" account had used the company's dial-up access during the exact times the spam e-mails were sent out.

The company immediately disabled the account, and the spam e-mails stopped.

Even though the spamming was stopped, the company was desperate to know how the e-mails were being sent through its system. The dial-up account should have allowed only limited access through a menu system, not full access to the organization's network. After some research, Mr. Akin determined that John had bypassed the dial-up's menu system and was using a program called slirp to turn his internal dial-up connection into a full Internet connection. Because John was dialing into the company's modem bank, the e-mail system saw him as an internal user, letting him send e-mail to anyone and anywhere he wanted. The company quickly reviewed all dial-up accounts and found that over two dozen accounts were still active and being used by former employees!

Thomas Akin is the founding director of the Southeast Cybercrime Institute at Kennesaw State University. He is a CISSP, holds several networking certifications, and is a member of Mensa.



Attachments

An attacker can create an attachment-overloading attack by sending hundreds or thousands of e-mails with very large attachments.

Attacks

Attachment attacks may have a couple of different goals:

The whole e-mail server may be targeted for a complete interruption of service with these failures:

• Storage overload. Multiple large messages can quickly fill the total storage capacity of an e-mail server. If the messages aren't automatically deleted by the server or manually deleted by individual user accounts, the server will be unable to receive new messages.

This can create a serious DoS problem for your e-mail system, either crashing it or requiring you to take your system offline to clean up the junk that has accumulated. A 100MB file attachment sent ten times to 80 users can take 80GB of storage space. Yikes!

• Bandwidth blocking. An attacker can crash your e-mail service or bring it to a crawl by filling the incoming Internet connection with junk. Even if your system automatically identifies and discards obvious attachment attacks, the bogus messages eat resources and delay processing of valid messages.

An attack on a single e-mail address can have serious consequences if the address is for a really important user or group.

Countermeasures

These countermeasures can help prevent attachment-overloading attacks:

Limit the size of either e-mails or e-mail attachments. Check for this option in e-mail server configuration options (such as those provided in Novell GroupWise and Microsoft Exchange), e-mail content filtering, and e-mail clients. This is the best protection against attachment overloading.

Limit each user's space on the server. This prevents large attachments from being written to disk. Limit message sizes for inbound and even outbound messages if you want to prevent a user from launching this attack inside your network. I've found 10MB to 20MB to be good limits.




Consider using FTP or HTTP instead of e-mail for large file transfers. By doing so, you can store one copy of the file on a server and have the recipient download it on his or her own. This can help keep message store sizes at a minimum.

Connections

A hacker can send a huge amount of e-mails simultaneously to addresses on your network. These connection attacks can cause the server to give up on servicing any inbound or outbound TCP requests. This can lead to a complete server lockup or a crash, and in some cases the crash leaves the attacker with administrator or root access to the system!

Attacks

This attack is often carried out in spam attacks, which are covered later in this chapter.

Countermeasures

Many e-mail servers allow you to limit the number of resources used for inbound connections, as shown in the Number of SMTP Receive Threads option for Novell GroupWise in Figure 15-1. It can be next to impossible to completely stop an unlimited amount of inbound requests. However, you can minimize the impact of the attack. This setting limits the amount of server processor time, which can help prevent a DoS attack.

Figure 15-1: Limiting the number of resources to handle inbound messages.


Even in large companies, there's no reason that thousands of inbound e-mail deliveries should be necessary within a short time period.

Some e-mail servers, especially UNIX-based servers, can be programmed to deliver e-mails to a daemon or service for automated functions. If DoS protection isn't built into the system, a hacker can crash both the server and the application that receives these messages.

Autoresponders

An interesting attack I've seen is to find two or more users on the same or different e-mail systems that have autoresponder configured. Autoresponder is that annoying automatic e-mail response you often get back from random users when you're subscribing to a mailing list. A message goes to the mailing-list subscribers, and then users have their e-mail configured to automatically respond back, saying they're out of the office or, worse, on vacation. This is a great way to tell thousands of people that your house and belongings are possibly available for taking, but I digress.

Attacks

An autoresponder attack is a pretty easy hack. Many unsuspecting users and e-mail administrators never know what hit them! The hacker sends each of the two (or more) users an e-mail from the other simply by masquerading as that person (an easy hack I outline in this chapter). This attack can create a never-ending loop that bounces thousands of messages back and forth between users. This can create a DoS condition by filling either the user's individual disk space quota on the e-mail server or the e-mail server's entire disk space.

Countermeasures

The best countermeasure for an autoresponder attack is to make it policy that no one sets up an autoresponder message. Those messages are too annoying to be of value anyway, right?

Prevent e-mail attacks as far out on your network perimeter as you can. The more traffic or malicious behavior you keep off your e-mail servers and clients, the better.

Automatic e-mail security

You can implement the following countermeasures as an additional layer of security for your e-mail systems.

Tarpitting

Tarpitting detects inbound messages destined for unknown users. If your e-mail server supports tarpitting, it can help prevent spam or DoS attacks against your server. If a predefined threshold is exceeded, say, more than ten messages, the tarpitting function effectively blocks traffic from the sending IP address for a period of time.

E-mail firewalls

E-mail firewalls and content-filtering applications (such as CipherTrust's IronMail and NetIQ's MailMarshal, respectively) can prevent various e-mail attacks. These tools protect practically every aspect of an e-mail system.

Perimeter protection

Although not e-mail-specific, many firewall, IDS, and IDP systems can detect various e-mail attacks and shut off the attacker in real time. This can come in handy during an attack at an inconvenient time.

Banners

One of the first orders of business for a hacker when hacking an e-mail server is performing a basic banner grab to see whether he can tell what e-mail server software is running. This is one of the most critical tests to find out what the world knows about your SMTP, POP3, and IMAP servers.

Gathering information

Figure 15-2 shows the banner displayed on an e-mail server when a basic telnet connection is made on port 25 (SMTP). To do this, at a command prompt, simply enter telnet ip_or_hostname_of_your_server 25. This brings up a telnet session on TCP port 25.

In Figure 15-2, it's pretty obvious what e-mail software type and version the server is running. This information can give hackers some ideas about possible attacks, especially if they search a vulnerability database for known vulnerabilities of that software version. Figure 15-3 shows the same e-mail server with its SMTP banner changed from the default (okay, the previous one was, too) to disguise such information as the e-mail server's version number.

Figure 15-2: An SMTP banner showing server-version information.


You can gather information on POP3 and IMAP e-mail services as well by telnetting to either port 110 (POP3) or port 143 (IMAP).

If you've changed your default SMTP banner, don't think that no one can figure out the version. One Linux-based tool called smtpscan (www.greyhats.org/outils/smtpscan) determines e-mail server version information based on how the server responds to malformed SMTP requests. Figure 15-4 shows the results from smtpscan against the same server shown in Figure 15-3. It detected the product and version number of the e-mail server!

Countermeasures

There isn't a 100 percent secure way of disguising banner information. I suggest these banner security tips for your SMTP, POP3, and IMAP servers:

Change your default banners to cover up the information.

Make sure that you're always running the latest software patches.

Harden your server as much as possible by using well-known best practices from such resources as SANS (www.sans.org), NIST (csrc.nist.gov), National Security Agency Security Recommendation Guides (www.nsa.gov/snac/index.html), and Network Security For Dummies, by Chey Cobb (Wiley Publishing, Inc.).

Figure 15-3: An SMTP banner that disguises the version information.

Figure 15-4: smtpscan gathers version info when the SMTP banner is disguised.




SMTP attacks

Some hacker attacks exploit weaknesses in the Simple Mail Transfer Protocol (SMTP). This e-mail communications protocol, which is over 20 years old, was designed for functionality, not security.

Account enumeration

A clever way that hackers can verify whether e-mail accounts exist on a server is simply to telnet to the server on port 25 and run the VRFY command. The VRFY (short for verify) command makes a server query to check whether a specific user ID exists. Spammers often automate this method to perform a directory harvest attack (DHA). It's a way of gleaning valid e-mail addresses from a server or domain so hackers know who to send spam messages to.

Attacks

Figure 15-5 shows how easy it is to verify an e-mail address on a server with the VRFY command enabled. Scripting this attack can test thousands of e-mail address combinations.

The SMTP command EXPN (short for expand) may allow attackers to verify what mailing lists exist on a server as well. You can simply telnet to your e-mail server on port 25 and try EXPN on your system if you know of any mailing lists that may exist. Figure 15-6 shows what this result may look like. It's simple to script this attack and test thousands of mailing-list combinations.

You may get bogus information from your server when performing these two tests. Some SMTP servers don't support the VRFY and EXPN commands, and some e-mail firewalls simply ignore them or return false information.

Figure 15-5: Using VRFY to verify that an e-mail address exists.


Countermeasures

The best solution for preventing this type of e-mail account enumeration depends on whether you need to enable the VRFY and EXPN commands:

Disable VRFY and EXPN unless you need your remote systems to be able to gather user and mailing-list information from your server.

If you need VRFY and EXPN functionality, check your e-mail server or content filtering documentation for the ability to limit these commands to specific hosts on your network or the Internet.

Relay

SMTP relay lets users send e-mails through external servers. Open e-mail relays are one of the greatest problems on the Internet. Spammers and hackers can use an e-mail server to send spam or attack through e-mail under the guise of the unsuspecting open-relay owner.

Keep in mind the following key points when checking your e-mail system for SMTP-relay weaknesses:

Test your e-mail server by using more than one tool or testing method. Multiple tests minimize any errors or oversights.

Test for open relay from outside your network. If you test from the inside, you may get a false positive, because outbound e-mail relaying may be configured and necessary for your internal e-mail clients.

Automatic testing

Here are a couple of easy ways to test your server for SMTP relay:

Free online tools. One of my favorite online tools is located at www.abuse.net/relay.html. You can perform the anonymous test without entering your e-mail address, unless you're an abuse.net member. It immediately displays the test results in your browser.

Figure 15-6: Using EXPN to verify that a mailing list exists.




Other Windows-based tools, such as Sam Spade for Windows. Figure 15-7 shows how you can run an SMTP Relay check on your e-mail server. Figure 15-8 contains the results of this test on my test server, showing that relaying is enabled.

Some SMTP servers accept inbound relay connections and make it look like relaying works. This isn't always the case, because the filtering may take place behind the scenes. Check whether the e-mail actually made it through by checking the account you sent the test relay message to.

Manual testing

You can manually test your server for SMTP relay by telnetting to the e-mail server on port 25. Follow these steps:

Figure 15-7: SMTP relay check tool in Sam Spade for Windows.

Figure 15-8: Positive results from testing for an open SMTP relay.


1. Telnet to your server on port 25.

You can do this two ways:

• Use your favorite graphical telnet application, such as HyperTerminal (which comes with Windows) or SecureCRT (www.vandyke.com).

• Enter the following command at a Windows or UNIX command prompt:

telnet mailserver_address 25

To see what's entered, you may have to enable local echoing of characters in your telnet program, such as HyperTerminal.

You should see the SMTP welcome banner when the connection is made.

2. Enter a command to tell the server, "Hi, I'm connecting from this domain." Enter the command like this:

helo yourdomain.com

After each command in these steps, you should receive a numbered reply, like 250 OK. A reply starting with 2 or 3 means the server accepted the command, and one starting with 5 means it refused it; beyond that, you can ignore these messages.

3. Enter a command to tell the server your e-mail address, like this:

mail from:yourname@yourdomain.com

4. Enter a command to tell the server who to send the e-mail to, like this:

rcpt to:yourname@yourdomain.com

The recipient must be at a domain the server being tested does not handle mail for. If the server hosts that domain, accepting the message is ordinary local delivery, not relaying, and the test proves nothing.

5. Enter a command to tell the server that the message body is to follow, like this:

data

6. Enter the following text as the body of the message:

A relay test

7. End the command with a period on a line by itself.

This marks the end of the message. After you enter this final period, your message will be sent if relaying is allowed.

8. Check for relaying on your server:

• Look for a message like Relay not allowed to come back from the server.

If you get a message like this returned, SMTP relaying is not allowed on your server.




You may get this message after you enter the rcpt to: command.

• If you don't receive a message back from your server, check your inbox for the relayed e-mail.

If you receive the test e-mail you sent, SMTP relaying is enabled on your server.
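The three SMTP checks described in this chapter, the banner grab under "Gathering information", the VRFY/EXPN enumeration under "Account enumeration", and the manual relay steps just above, scripted in one client as an added example (not code from the book). To run offline it also starts a small fake SMTP server on localhost, a stand-in (assumption) for a real mail server that hosts example.com, knows two users and refuses relaying; point probe() at your own server from outside your network for a real check. The hostnames, addresses and reply texts are constructed.

```python
"""SMTP probe: banner grab, VRFY/EXPN enumeration and the manual relay test.
Added example, not code from the book. The fake server at the bottom is an
assumed stand-in for a real mail server so the probe can run offline."""
import socket
import threading


def _read_reply(f):
    """Read one (possibly multi-line) SMTP reply; return (code, text)."""
    lines = []
    while True:
        line = f.readline().decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3:
            raise ConnectionError("server closed the connection")
        lines.append(line[4:])
        if line[3:4] != "-":          # "250-..." continues, "250 ..." ends the reply
            return int(line[:3]), "\n".join(lines)


def _send(sock, f, cmd):
    sock.sendall((cmd + "\r\n").encode("ascii"))
    return _read_reply(f)


def probe(host, port, users=("root", "postmaster"), relay_to="test@example.org"):
    """Banner grab, VRFY/EXPN per user, then the relay steps (HELO ... DATA).

    'relay_accepted' is True only when the server takes a message for
    relay_to, which must be at a domain the server does not host."""
    result = {"banner": None, "vrfy": {}, "expn": {}, "relay_accepted": False}
    with socket.create_connection((host, port), timeout=5) as sock, sock.makefile("rb") as f:
        result["banner"] = _read_reply(f)[1]
        _send(sock, f, "HELO probe.example.net")
        for user in users:
            result["vrfy"][user] = _send(sock, f, f"VRFY {user}")[0]
            result["expn"][user] = _send(sock, f, f"EXPN {user}")[0]
        _send(sock, f, "MAIL FROM:<probe@example.net>")
        if _send(sock, f, f"RCPT TO:<{relay_to}>")[0] == 250:   # not refused at RCPT
            if _send(sock, f, "DATA")[0] == 354:
                result["relay_accepted"] = _send(sock, f, "A relay test\r\n.")[0] == 250
        _send(sock, f, "QUIT")
    return result


# --- constructed fake server: hosts example.com, two users, relaying refused ---
LOCAL_DOMAIN, LOCAL_USERS = "example.com", {"postmaster", "alice"}


def _serve_one(conn):
    f = conn.makefile("rb")
    try:
        conn.sendall(b"220 mail.example.com ESMTP ready\r\n")
        while True:
            verb, _, arg = f.readline().decode("ascii", "replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO", "MAIL", "RSET", "NOOP"):
                reply = "250 OK"
            elif verb == "VRFY":
                reply = f"250 <{arg}@{LOCAL_DOMAIN}>" if arg in LOCAL_USERS else "550 5.1.1 User unknown"
            elif verb == "EXPN":
                reply = "252 Cannot EXPN"          # many servers refuse EXPN outright
            elif verb == "RCPT":
                addr = arg.partition(":")[2].strip("<> ")
                reply = "250 OK" if addr.endswith("@" + LOCAL_DOMAIN) else "554 5.7.1 Relay access denied"
            elif verb == "DATA":
                conn.sendall(b"354 End data with <CR><LF>.<CR><LF>\r\n")
                while True:                         # swallow the body up to the lone "."
                    body = f.readline()
                    if not body or body.strip() == b".":
                        break
                reply = "250 OK queued"
            elif verb in ("QUIT", ""):
                conn.sendall(b"221 Bye\r\n")
                break
            else:
                reply = "500 Unrecognized command"
            conn.sendall((reply + "\r\n").encode("ascii"))
    except OSError:
        pass
    finally:
        conn.close()


def start_fake_server():
    """Start the fake server on an ephemeral localhost port; return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_serve_one, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_fake_server()
    print(probe("127.0.0.1", port, users=("alice", "nobody")))
```

The probe records the reply code for each VRFY and EXPN rather than trusting the text, since a firewall that answers 252 for everything tells you nothing, and it only reports an open relay when the server accepts the whole message through DATA, not merely the RCPT command, which matches the advice above to confirm delivery in the destination mailbox.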

Countermeasures

You can implement the following countermeasures on your e-mail server to disable or at least control SMTP relaying:

Disable SMTP relay on your e-mail server. If you don't know whether you need SMTP relay, you probably don't. You can enable SMTP relay for specific hosts if needed. www.mailabuse.org/tsi/ar-fix.html provides information on disabling SMTP relay on e-mail servers.

Enforce authentication, if your e-mail server allows it. You may be able to require such authentication methods as password authentication or an e-mail address that matches the e-mail server's domain (the latter is trivially spoofed in the mail from: command, so prefer password authentication). Check your e-mail server and client documentation for details on setting up this type of authentication.

E-mail header disclosures

If your e-mail client and server are configured with typical defaults, a malicious hacker may find critical pieces of information:

Internal IP address of your e-mail client machine (maybe the entire IP addressing scheme)

Software versions of your client and server and their vulnerabilities

Hostname

Testing

Figure 15-9 shows the header information revealed in a test e-mail I sent to my free Web account. As you can see, it shows off quite a bit of information about my e-mail system.

The third Received line discloses my system's hostname, IP address, server name, and e-mail client software version.

The X-Mailer line displays the Microsoft Outlook version I used to send this message.
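The same header review done programmatically, as an added example (not code from the book): it walks every Received line, pulls out the from/by hostnames, any software named in parentheses and any IP addresses, flags addresses in the RFC 1918 private ranges, and reads X-Mailer. The sample message is constructed; its hostnames, addresses and version strings are made up, and the third Received line carries the internal details the way the text describes.

```python
"""Report what an outsider learns from a message's Received and X-Mailer
headers. Added example, not code from the book; the sample message and
its names, addresses and versions are constructed."""
import ipaddress
import re
from email import message_from_string

SAMPLE_MESSAGE = """\
Received: from mx.freemail.example (mx.freemail.example [198.51.100.25])
\tby inbox.freemail.example with ESMTP id AbC123 for <me@freemail.example>;
\tMon, 01 Mar 2004 10:15:02 -0500
Received: from gateway.acme.example ([203.0.113.10])
\tby mx.freemail.example with ESMTP; Mon, 01 Mar 2004 10:15:01 -0500
Received: from WORKSTATION-7 (workstation-7.corp.acme.example [192.168.12.34])
\tby mailserver.corp.acme.example (Acme Mail 5.1.2) with SMTP id 9f8e7d;
\tMon, 01 Mar 2004 10:14:59 -0500
From: user@acme.example
To: me@freemail.example
Subject: header test
X-Mailer: Microsoft Outlook, Build 10.0.2627

test
"""

_IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
_FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
_BY_RE = re.compile(r"\bby\s+(\S+)(?:\s+\(([^)]*)\))?", re.IGNORECASE)
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def analyze_headers(raw):
    """Return (hops, findings). hops[0] is the topmost Received line, i.e.
    the hop nearest the recipient; the last hop is nearest the sender."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())             # unfold the header
        hop = {"from": None, "by": None, "by_software": None, "ips": [], "private_ips": []}
        m = _FROM_RE.search(value)
        if m:
            hop["from"] = m.group(1)
        m = _BY_RE.search(value)
        if m:
            hop["by"], hop["by_software"] = m.group(1), m.group(2)
        for ip in _IP_RE.findall(value):
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:                       # e.g. a version string that looks like an IP
                continue
            hop["ips"].append(ip)
            if any(addr in net for net in _RFC1918):
                hop["private_ips"].append(ip)
        hops.append(hop)
    findings = {
        "private_ips": sorted({ip for h in hops for ip in h["private_ips"]}),
        "internal_hosts": [h["from"] for h in hops if h["private_ips"]],
        "server_software": [h["by_software"] for h in hops if h["by_software"]],
        "x_mailer": msg.get("X-Mailer"),
    }
    return hops, findings


if __name__ == "__main__":
    hops, findings = analyze_headers(SAMPLE_MESSAGE)
    for i, hop in enumerate(hops, 1):
        print(f"Received #{i}: from {hop['from']} by {hop['by']} ips={hop['ips']}")
    print("Disclosures:", findings)
```

Run against your own outbound mail (send yourself a message at an external account and paste the raw headers in), the "private_ips", "internal_hosts" and "server_software" entries are exactly what a header-rewriting gateway should be stripping.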


Countermeasures

The best countermeasure to prevent information disclosures in e-mail headers is to configure your e-mail server/gateway/firewall to rewrite your e-mail headers, either changing the information shown or removing it altogether. Check your e-mail server documentation to see whether this is an option.

If full-fledged header rewriting is not available, you may at least be able to prevent the sending of some critical information, such as server software version numbers and internal IP addresses.

Capturing traffic

E-mail traffic can be captured with a network analyzer or an e-mail packet sniffer and reconstructor.

Mailsnarf is an e-mail packet sniffer and reconstructor. It's part of the dsniff package. You can get dsniff from www.monkey.org/~dugsong/dsniff (UNIX variants) or www.datanerds.net/~mike/dsniff.html (Windows).

If traffic is captured, a hacker can do one of the following:

Compromise one host and potentially have full access to another adjacent host, such as your e-mail server.

Exploit known security vulnerabilities in e-mail server and e-mail client software.

Malware

E-mail systems are regularly attacked by such malware as viruses and worms.

Figure 15-9: Critical information revealed in e-mail headers.




E-mail is one of the best ways for malware to propagate. Chapter 14 covers malware.

Hackers often compromise systems by running e-mail services that aren't being used or that need to be updated.

General best practices for minimizing e-mail security risks

The following countermeasures help keep messages as secure as possible.

Software solutions

The right software can neutralize many threats:

Use malware-protection software on the e-mail server, or better, the e-mail gateway, to prevent malware from reaching e-mail clients.

Apply the latest operating system and e-mail application security patches consistently and after any security alerts are released.

If it makes good business sense, encrypt messages. You can use S/MIME or PGP to encrypt sensitive messages or use e-mail encryption at the desktop level or the server or e-mail gateway. (You can use SSL/TLS between your e-mail client and server via POP3S or IMAPS or between your e-mail gateway and remote e-mail gateways. I prefer to implement encryption between gateways so that the user doesn't have to be involved.)

It's best not to depend on your users to encrypt messages. Use an enterprise solution to encrypt messages.

Operating guidelines

Some simple operating rules can keep your walls high:

Put your e-mail server behind a firewall, preferably in a DMZ that's on a different network segment from the Internet and from your internal LAN.

Disable unused protocols and services on your e-mail server.

Run your e-mail server on a dedicated server, if possible, to help keep hackers out of other servers and information if the server is hacked.

Log all transactions with the server in case you need to investigate malicious use in the future.


If your server doesn't need e-mail services running (SMTP, POP3, and IMAP), disable them immediately.

For Web-based e-mail such as Microsoft's Outlook Web Access (OWA), properly secure your Web-server application and operating system by using the hardening resources I mention throughout this book.

If you're running sendmail, especially an older version, consider running a secure alternative, such as Postfix or qmail.

Instant Messaging

The hottest new technology taking networks by storm is instant messaging (IM). Although IM offers a lot of business value, some serious security issues are associated with it. This is especially true if it's not managed properly and end users are free to install, configure, and use it in any way they want.

Vulnerabilities

IM has several critical security vulnerabilities, including the following:

Name hijacking, allowing a hacker to assume the identity of an IM user

Crashing an IM client with a DoS attack, which in some cases lets the attacker take remote control of the computer

Capturing internal IP address information (similar to the way it's disclosed in e-mail headers)

Transferring malware, including viruses and malicious Trojan horses

You can remedy most of these vulnerabilities by applying the latest software patches and keeping antivirus signatures up to date. However, two IM weaknesses can't be patched away, so they deserve a little more discussion. These affect most of the popular IM clients, including AOL Instant Messenger (AIM) and ICQ. They are just problems with file sharing and log files, but these weaknesses can make all the difference in the world when it comes to securing your network.

Sharing network drives

The biggest problem with IM clients is the ability to share files. This feature may be pretty neat for home users or others with stand-alone computers, but it can pose a real security risk to your network and information. Practically every IM client gives users the ability to share both local and network files. Figure 15-10 shows an example of file sharing configured in AIM.

Once untrained or careless users share your network drives via their IM clients, they've just granted potentially anyone on their IM network permission to view and copy those files. Figure 15-11 shows a sample of what you can see over the AIM network.

Figure 15-12 shows some AIM File Transfer settings that can allow any remote user to place files on your network, malware and all!

Figure 15-10: File-sharing options under end-user control.

Figure 15-11: When users share files via IM, others may see information like this.


If you know of IM users on your network, follow these steps to assess the security of their software and configuration:

1. Determine IM clients that are running on your network.

You can detect IM software with

• Manual inspection of the local workstation

• A third-party workstation hardware and software inventory program

• A network analyzer that shows IM traffic. For instance, you can use Ethereal to capture and display various types of IM protocols, such as AOL Instant Messenger (AIM protocol), ICQ (ICQ protocol), and MSNMS (MSN Messenger).

2. Install the IM clients on your own system.

Avoid creating your own security holes: Download and install the latest client versions, and don't enable file sharing.

3. Find your network's IM users.

You can identify IM users by either looking up users with a directory search in the IM client (many IM clients publish this information by default) or asking users for their handles for all their IM clients.

4. For each user, check settings to see whether they're sharing files.

It's often just a simple right-click on their IM handle within the IM software to copy files to and from their system.

Figure 15-12: Options to receive files in AOL Instant Messenger.




Log files

Many IM clients can log all IM conversations. Some clients log all conversations by default. Have users enabled logging and inadvertently shared their log files with the world? It's a smoking gun for a hacker to use! Figure 15-13 shows part of an ICQ conversation stored in communications gobbledygook in a log file found in the c:\Program Files\ICQ folder.

Countermeasures

IM vulnerabilities can be difficult to detect, because most rogue IM software is desktop-based. If you have a large network, checking every computer for these vulnerabilities is pretty much impossible. Spot checks can be inaccurate, because every desktop and every user can be different.

Even if you disallow IM, or any messaging software, on your network, users always install it. If you implement these countermeasures, you're better prepared to protect your users from themselves and hackers.

Detecting IM traffic

In addition to a network analyzer, you can detect IM traffic by using the following tools:

IM traffic-detection tools from Akonix (www.akonix.com) work like a network analyzer. Rogue Aware (www.akonix.com/products/rogueaware.asp) is a free tool. As shown in Figure 15-14, Rogue Aware detects such traffic on the network as IM and other P2P communications (such as Kazaa and Gnutella) and file sharing on the network. I recommend that you check it out and use this tool as part of your ethical hacking toolkit. Ideally, you install it on a computer that's connected to a monitor port on a switch or a hub adjacent to your firewall to ensure that you see all the traffic.

Figure 15-13: IM log files revealing juicy information.


Akonix's Enforcer and L7 Enterprise are commercial utilities that have more functionality. Other vendors offer similar solutions, such as FaceTime Communications (www.facetime.com) and IM Logic (www.imlogic.com). If you can justify the cost, which is relatively easy, I recommend that you check these products out.

Desktop auditing utilities can show you which applications are installed and their specific settings. Such products as Ecora's Enterprise Auditor (www.ecora.com/ecora/products/enterprise_auditor.asp), Microsoft's Systems Management Server (www.microsoft.com/smserver/default.asp) and some lower-end shareware tools can offer this type of functionality.

Maintenance and configuration

In addition to the tools listed in the previous section, you can implement these IM hacking countermeasures:

User behavior:

• Have a policy banning or limiting the usage of all P2P software.

• Instruct users not to open file attachments or configure their IM software to share or receive file attachments.

• Instruct users to keep their buddy lists private and not share their information.

Figure 15-14: Akonix Rogue Aware detects IM logins and file sharing.




System configuration:

• Change default IM software installation directories to help eliminate automated attacks.

• Apply all the latest IM software patches.

• Ensure that the latest antivirus software and personal-firewall software is loaded on each instant-messaging client.

• Ensure that proper file and directory access controls are in place to effectively give your users the minimum necessary rights for their jobs. This countermeasure helps keep prying eyes out if someone can exploit an IM vulnerability.

• If you allow IM on your network for business purposes, consider standardizing on an enterprise-based IM application such as Jabber or Lotus Sametime. These applications have more-robust and manageable security options, which can ensure control.




Chapter 16

Web Applications

In This Chapter

Attacking Web applications

Countering application hacking

Web applications, like e-mail, are common hacker targets because they're everywhere and often open for anyone to poke around in. Basic Web sites used for marketing, contact information, document downloads, and so on are a common target for hackers, especially the script-kiddie types, to deface. However, for criminal hackers, Web sites that store valuable information, like credit-card and Social Security numbers, are especially attractive. This is where the money is, so to speak.

Why are Web applications so vulnerable? The general consensus is they're vulnerable because of poor software development and testing practices. Sound familiar? It should, because this is the same problem that affects operating systems and practically all computer systems. This is the side effect of relying on software compilers to perform error checking, lack of user demand for higher-quality software, and emphasizing time-to-market instead of security and stability.

This chapter presents Web application hacks to check on your systems. You can test for literally thousands of vulnerabilities, but I focus on the ones I see most often. I also outline countermeasures to help minimize the chances that a hacker can carry out these attacks against your Web applications.

Web-Application Vulnerabilities

Hacker attacks against insecure Web applications, via Hypertext Transfer Protocol (HTTP), make up the majority of all Internet-related attacks. Most of these attacks can be carried out even if the HTTP traffic is encrypted (via HTTPS or HTTP over SSL) because the communications medium has nothing to do with these attacks. The security vulnerabilities actually lie within either the Web applications themselves or the Web server and browser software that the applications run on and communicate with.

Many attacks against Web applications are just minor nuisances or may not affect confidential information or system availability. However, some attacks can wreak havoc on your systems. Whether the Web attack is against a basic brochureware site or against the company's most critical customer server, these attacks can hurt your organization.

Choosing Your Tools

Freeware and commercial tools can help ensure that your tests are comprehensive and minimize your testing time. All these tools basically work the same way, with such capabilities as scanning for script vulnerabilities, testing for invalid user input, and viewing critical files.

My favorite tools are Nikto (www.cirt.net/code/nikto.shtml), Nessus (www.nessus.org), and SPI Dynamics' WebInspect (www.spidynamics.com). These certainly are not the only tools available. It's still a young market for commercial tool vendors, so keep your eyes peeled for emerging products.

Insecure Login Mechanisms

Many Web sites require users to log in before they can do anything with the application. These login mechanisms often do not handle incorrect user IDs or passwords gracefully. They often divulge too much information that a hacker can use to gather valid user IDs and passwords.

Testing

To test for insecure login mechanisms, browse to your application and try to log in each of the following ways:

Using an invalid user ID with a valid password

Using a valid user ID with an invalid password

Using an invalid user ID and password

After you enter this information, the Web application probably responds with a message like Your user ID is invalid or Your password is invalid. The Web application may also return a generic error message, such as Your user ID and password combination is invalid and, at the same time, return different error codes in the URL for invalid user IDs and invalid passwords, as shown in Figures 16-1 and 16-2.



Case study in hacking Web applications with Caleb Sima

In this case study, Caleb Sima, a well-known penetration-testing expert, shared an experience performing a Web-application security test. Here's his account of what happened.

The Situation

Mr. Sima was hired to perform a Web-application penetration test to assess the security of a well-known financial Web site. Equipped with nothing more than the URL of the main financial site, Mr. Sima set out to find what other sites existed for the organization and began by using Google to search for possibilities. He initially ran an automated scan against the main servers to discover any low-hanging fruit. This scan provided information on the Web-server version and some other basic information, but nothing that proved useful without further research. And while Mr. Sima performed the scan, neither the IDS nor the firewall noticed any of his activity!

Then he issued a request to the server on the initial Web page, which returned some interesting information. The Web application appeared to be accepting many parameters, but as he continued to browse the site, he noticed that the parameters in the URL stayed the same. He decided to delete all the parameters within the URL to see what information the server would return when queried. The server responded with an error message describing the type of application environment.

Next, Mr. Sima performed a Google search on the application that resulted in some detailed documentation. He found several articles and tech notes within this information that showed him how the application worked and what default files might exist. In fact, the server had several of these default files. He used this information to probe the application further. He quickly discovered internal IP addresses, as well as what services the application was offering. Now that he knew exactly what version the admin was running, he wanted to see what else he could find.

Mr. Sima continued to manipulate the URL from the application by adding & characters within the statement to control the custom script. This allowed him to capture all source code files! He noted some interesting filenames, including VerifyLogin.htm, ApplicationDetail.htm, CreditReport.htm, and ChangePassword.htm. Then he tried to connect to each file by issuing a specially formatted URL to the server. The server returned a User not logged in message for each request and stated that the connection must be made from the intranet.

The Outcome

Mr. Sima knew where the files were located and was able to sniff the connection and determine that the ApplicationDetail.htm file set a cookie string. With little manipulation of the URL, he hit the jackpot! This file returned client information and credit cards when a new-customer application was being processed.

CreditReport.htm allowed him to view customer credit-report status, fraud information, declined-application status, and a multitude of other sensitive information. The lesson to be learned: Hackers can utilize many types of information to break through Web applications. The individual exploits in this case study were minor, but when combined, they resulted in severe vulnerabilities.

Caleb Sima was a charter member of the X-Force team at Internet Security Systems and the first member of the Penetration Testing team. He went on to co-found SPI Dynamics (www.spidynamics.com) and become its CTO, as well as director of SPI Labs, the application-security research and development group within SPI Dynamics.



Returning to the login test: in either case, this is bad news, because the application is telling you not only which parameter is invalid, but also which one is valid. This means that the hackers now know either a good user name or a good password, and their work has been cut in half. If they know the user name (which usually is easier to guess), they can simply write a script to automate the password-cracking process, and vice versa. They can also use a remote Web login-cracking tool, such as Brutus (www.hoobie.net/brutus), to attempt to break in, using a preconfigured file with user IDs and passwords, or even use it to perform brute-force attacks.

Figure 16-1: A login error in the URL for an invalid user ID.

Figure 16-2: A login error in the URL for an invalid password.




Countermeasures

You can implement the following countermeasures to prevent hackers from attacking weak login systems in your Web applications:

Any login errors that are returned to the end user should be as generic as possible, saying something like Your user ID and password combination is invalid.

The application should never return error codes in the URL that differentiate between an invalid user ID and an invalid password, as shown in Figures 16-1 and 16-2.

If a URL message must be returned, the application should keep it as generic as possible. Here's an example:

www.your_Web_app.com/login.cgi?success=false

This URL message may not be as convenient to the user, but it helps hide the mechanism and the behind-the-scenes actions from a hacker.

Check the whole failure response, not just the wording: a different HTTP status code, redirect target, page length, or noticeably different response time for a valid user ID leaks the same information. Generic messages alone also do not stop a tool such as Brutus from guessing; pair them with throttling or temporary lockout after repeated failures for an account or source address.
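As an added example (not from the book), here is a login handler written both ways, the three probes from the Testing section run against each, and the user-ID enumeration that the leaky version makes possible. The account store, messages and URLs are constructed for the demo.

```python
"""Added example, not from the book: does the login reveal which half of
the credential was wrong? Account store, messages and URLs are constructed."""
from dataclasses import dataclass

# Constructed account store for the demo.
USERS = {"alice": "correct horse battery staple"}


@dataclass
class Response:
    body: str       # message shown to the user
    location: str   # redirect target; stands in for an error code in the URL


def login_leaky(user_id: str, password: str) -> Response:
    """Vulnerable: a different message and URL for each failure cause."""
    if user_id not in USERS:
        return Response("Your user ID is invalid", "/login.cgi?err=1")
    if USERS[user_id] != password:
        return Response("Your password is invalid", "/login.cgi?err=2")
    return Response("Welcome", "/home")


def login_generic(user_id: str, password: str) -> Response:
    """Hardened: one message and one URL for every failure."""
    if USERS.get(user_id) != password:
        return Response("Your user ID and password combination is invalid",
                        "/login.cgi?success=false")
    return Response("Welcome", "/home")


# The three probes from the Testing section (none should succeed).
PROBES = {
    "invalid user ID, valid password": ("mallory", "correct horse battery staple"),
    "valid user ID, invalid password": ("alice", "wrong"),
    "invalid user ID and password":    ("mallory", "wrong"),
}


def distinguishable(login) -> bool:
    """True if the failed probes do not all look alike, i.e. an attacker
    can tell a valid user ID (or password) from an invalid one."""
    seen = {(r.body, r.location)
            for r in (login(u, p) for u, p in PROBES.values())}
    return len(seen) > 1


def enumerate_user_ids(login, candidates) -> list:
    """Exploit the leak: any candidate whose failure response differs from
    the response for a nonsense ID is a real account."""
    baseline = login("no-such-user-zz", "x")
    found = []
    for name in candidates:
        r = login(name, "x")
        if (r.body, r.location) != (baseline.body, baseline.location):
            found.append(name)
    return found


if __name__ == "__main__":
    for fn in (login_leaky, login_generic):
        print(fn.__name__, "leaks:", distinguishable(fn),
              "enumerated:", enumerate_user_ids(fn, ["bob", "alice", "eve"]))
```

Against a live site the two login functions become HTTP requests and the comparison covers status code, redirect target and body; the logic is the same.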

Directory Traversal

A directory traversal is a really basic attack, but it can turn up interesting information about a Web site. This attack is basically browsing a site and looking for clues about the server's directory structure. (The same term is also used for attacks that escape the Web root with ../ sequences in a requested path; the checks in this section are about finding files the server exposes without any such trick.)

Testing

Perform the following tests to determine information about your Web site's directory structure.

robots.txt

Start your testing with a search for the Web server's robots.txt file. This file tells search engines which directories not to index. Thinking like a hacker, you may deduce that the directories listed in this file may contain some information that needs to be protected. Figure 16-3 shows a robots.txt file that gives away information.


Filenames

Confidential files on a Web server may have names like those of publicly accessible files. For example, if this year's product line is posted as www.your_Web_app.com/productline2004.pdf, confidential information about next year's products may be www.your_Web_app.com/productline2005.pdf.

A user may place confidential files on the server without realizing that they are accessible without a direct link from the Web site.

Crawlers

A spider program like BlackWidow (www.softbytelabs.com/BlackWidow) can crawl your site to look for every publicly accessible file. Figure 16-4 shows the crawl output of a basic Web site. Remember that a crawler finds only what is linked; unlinked files like the ones in the previous section still have to be guessed.

Complicated sites often reveal more information that should not be there, including old data files and even application scripts and source code.

Look at the output of your crawling program to see what files are available. Regular HTML and PDF files are probably okay, because they're most likely needed for normal Web-application operation. But it wouldn't hurt to open each file to make sure it belongs.

Figure 16-3: A Web server's robots.txt listing.

Figure 16-4: Using BlackWidow to crawl a Web site.
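The three probes above (robots.txt, neighbouring filenames, crawling), as an added example that is not from the book: they run against an in-memory stand-in for a Web site, so the site, its paths and file contents are all constructed for the demo, and a real test would fetch the same paths over HTTP.

```python
"""Added example, not from the book: robots.txt, neighbouring-filename and
crawl probes against a constructed in-memory site (path -> body)."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

HOST = "www.your_Web_app.com"

# Constructed site for the demo. A real test fetches these over HTTP.
SITE = {
    "/": '<a href="/products.html">Products</a> <a href="/about.html">About</a>',
    "/products.html": '<a href="/productline2004.pdf">2004 line</a> <a href="/">Home</a>',
    "/about.html": '<a href="http://partner.example/">partner</a>',
    "/productline2004.pdf": "%PDF public product line",
    "/productline2005.pdf": "%PDF next year's line, never linked from a page",
    "/backup/db.old": "old data file",
    "/robots.txt": "User-agent: *\nDisallow: /admin/\nDisallow: /backup/\nAllow: /\n",
}


def robots_disallowed(text: str) -> list:
    """Directories a robots.txt asks crawlers to skip: the first places to look."""
    paths = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def neighbour_names(path: str, spread: int = 1) -> list:
    """Guess siblings of a numbered file: productline2004.pdf gives
    productline2003.pdf and productline2005.pdf."""
    m = re.search(r"(\d+)(?!.*\d)", path)  # last run of digits in the path
    if not m:
        return []
    number, width = int(m.group(1)), len(m.group(1))
    return [path[:m.start()] + str(number + d).zfill(width) + path[m.end():]
            for d in range(-spread, spread + 1) if d != 0]


class _LinkCollector(HTMLParser):
    """Collects href values of <a> tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def crawl(site: dict, start: str = "/") -> list:
    """Breadth-first crawl of same-host links, as a spider like BlackWidow
    does. Returns every path reachable by following links."""
    seen, queue = [], [start]
    while queue:
        path = queue.pop(0)
        if path in seen or path not in site:
            continue
        seen.append(path)
        collector = _LinkCollector()
        collector.feed(site[path])
        for href in collector.hrefs:
            target = urlparse(urljoin(f"http://{HOST}{path}", href))
            if target.netloc == HOST and target.path not in seen:
                queue.append(target.path)
    return seen


def unlinked_files(site: dict) -> list:
    """Files on the server that the crawl never reached: these turn up only
    by guessing, from robots.txt or from neighbouring names."""
    reachable = set(crawl(site))
    return sorted(p for p in site if p not in reachable)


if __name__ == "__main__":
    print("robots.txt hides:", robots_disallowed(SITE["/robots.txt"]))
    print("guess next to /productline2004.pdf:", neighbour_names("/productline2004.pdf"))
    print("crawl reached:", crawl(SITE))
    print("present but unlinked:", unlinked_files(SITE))
```

The crawl finds only the four linked pages; next year's PDF, the backup file and robots.txt itself are reached only through the other two probes, which is the point of running all three.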




Countermeasures

You can employ two main countermeasures to having files compromised via malicious directory traversals:

Don't store old, sensitive, or otherwise nonpublic files on your Web server. The only files that should be in your /htdocs or DocumentRoot folder are those that are needed for the site to function properly. These files should not contain confidential information that you don't want the world to see.

Ensure that your Web server is properly configured to allow public access only to those directories that are needed for the site to function. Minimum necessary privileges are key here, so provide access only to the bare-minimum files and directories needed for the Web application to perform properly. In particular, turn off automatic directory listings (Options -Indexes in Apache; the Directory browsing setting in IIS), so that a request for a folder with no index page does not enumerate its contents.

Check your Web server's documentation for instructions to control public access. Depending on your Web-server version, these access controls are set in

• The httpd.conf file and the .htaccess files for Apache. Refer to httpd.apache.org/docs/configuring.html for more information.

• Internet Information Services Manager settings for Home Directory and Directory (IIS 5.1)

• Internet Information Services Manager settings for Home Directory and Virtual Directory (IIS 6.0)

The latest versions of these Web servers have good directory security by default, so if possible, make sure you're running the latest versions:

Check for the latest version of Apache at httpd.apache.org.

The most recent version of IIS (for Windows Server 2003) is 6.0.

Input Filtering

Web applications are notorious for taking practically any type of input, assuming that it's valid, and processing it further. Not validating input is one of the greatest mistakes that Web-application developers can make. This can lead to system crashes, malicious database manipulation, and even database corruption.


Input attacks

Several attacks can be run against a Web application that insert malformed data, often too much at once, which can confuse, crash, or make the Web application divulge too much information to the attacker.

Buffer overflows

One of the most serious input attacks is a buffer overflow that specifically targets input fields in Web applications.

For instance, a credit-reporting application may authenticate users before they're allowed to submit data or pull reports. The login form limits user IDs to a maximum input of 12 characters with a maxsize attribute on the input field (in standard HTML the attribute is called maxlength).

A typical login session would be presented a valid login name of 12 characters or less. However, hackers can manipulate the login form to change the maxsize parameter to something huge, such as 100 or even 1,000, and then enter bogus data in the login field. The limit in the form is enforced only by the browser, and a request can be sent without any browser at all, so the only limit that counts is the one the server enforces on the data it receives. If the server copies the oversized value into a fixed-size buffer, what happens next is anyone's call: the application may lock up, overwrite other data in memory, or crash the server.

Automated input

An automated-input attack is when a malicious hacker manipulates a URL and sends it back to the server, directing the Web application to add bogus data to the Web database, which can lead to various DoS conditions.

Suppose, for example, that you have a Web application that produces a form that users fill out to subscribe to a newsletter. The application automatically generates e-mail confirmations that new subscribers must respond to. When users receive their e-mail confirmations, they must click a link to confirm their subscription. Users can tinker with the hyperlink in the e-mail they received, possibly changing the username, e-mail address, or subscription status in the link, and send it back to the server hosting the application. If the Web server doesn't verify that the e-mail address or other account information being submitted has recently subscribed, the server will accept practically anyone's bogus information. The hacker can automate the attack and force the Web application to add thousands of invalid subscribers to its database. This can cause a DoS condition on the server or the server's network due to traffic overload, which can lead to other issues.




I don't necessarily recommend that you carry out this test in an uncontrolled fashion with an automated script you may write or download off the Internet. Instead, you may be better off carrying out this type of attack with an automated testing tool, such as WebInspect or one of its commercial equivalents, such as Sanctum's AppScan (www.sanctuminc.com).
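Server-side handling of the two input attacks above, as an added example (not from the book): the 12-character user-ID limit is the one from the text and is enforced on the server regardless of what the submitted form claimed, and the confirmation link carries a keyed hash of its parameters so that a link with an edited e-mail address or expiry is rejected instead of creating a subscriber. The permitted character set, the key, the addresses and the link format are constructed for the demo.

```python
"""Added example, not from the book: server-side checks for oversized
login input and for tampered confirmation links. Character set, key,
addresses and link format are constructed for the demo."""
import hashlib
import hmac
import re
import time
from urllib.parse import parse_qs, urlencode

USER_ID_MAX = 12  # the limit from the text
USER_ID_RE = re.compile(r"[A-Za-z0-9_.-]{1,%d}" % USER_ID_MAX)  # constructed charset


def validate_user_id(raw) -> bool:
    """Enforce the limit where it counts. A maxlength in the form is only a
    hint to the browser; the request can carry any length at all."""
    return isinstance(raw, str) and USER_ID_RE.fullmatch(raw) is not None


# Confirmation links that tampering breaks: the parameters are signed with a
# server-side key, so the e-mail address or expiry in the link cannot be
# edited without invalidating the signature.
SECRET = b"demo-only-key"  # constructed; a real deployment loads this from config


def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def make_confirm_link(email: str, ttl_s: int = 86400, now: float = None) -> str:
    """Link placed in the confirmation e-mail."""
    expires = int((time.time() if now is None else now) + ttl_s)
    payload = urlencode({"email": email, "exp": expires})
    return "/confirm?" + payload + "&sig=" + _sign(payload)


def verify_confirm_link(link: str, now: float = None):
    """Return the confirmed e-mail address, or None if a parameter was
    changed, the signature is missing or wrong, or the link has expired."""
    query = link.partition("?")[2]
    params = parse_qs(query, keep_blank_values=True)
    try:
        email = params["email"][0]
        expires = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, IndexError, ValueError):
        return None
    payload = urlencode({"email": email, "exp": expires})
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    if expires < (time.time() if now is None else now):
        return None
    return email


if __name__ == "__main__":
    print(validate_user_id("jsmith"), validate_user_id("A" * 1000))
    link = make_confirm_link("alice@example.com")
    print(link, "->", verify_confirm_link(link))
    print("edited link ->", verify_confirm_link(link.replace("alice", "mallory")))
```

The signed link does not by itself stop someone from requesting thousands of confirmations for addresses they control; that still needs per-address and per-source rate limiting, but it does stop the edited-link attack the text describes.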

Code injection

In a code-injection attack, hackers modify the URL in their Web browsers or even the actual Web-page code before the information gets sent back to the server. For example, when you load your Web application from www.your_Web_app.com, it modifies the URL field in the Web browser to something similar to the following:

http://www.your_Web_app.com/script.php?info_variable=X

Hackers, seeing this variable, can start entering different data into the info_variable field, changing X to something like one of the following lines:

http://www.your_Web_app.com/script.php?info_variable=Y
http://www.your_Web_app.com/script.php?info_variable=123XYZ

The Web application may respond in a way that gives hackers more information, even if it just returns an error code, such as software version numbers and details on what the input should be. The invalid input may also cause the application or even the server itself to hang. Similar to the case study earlier in the chapter, hackers can use this information to determine more about the Web application and its inner workings, which can ultimately lead to a serious system compromise.

Code injection can also be carried out against back-end SQL databases, an attack known as SQL injection. Hackers insert rogue SQL statements to attempt to extract information from the SQL database that the Web application interacts with. The attack works whenever the application builds a query by pasting user input into the SQL text; the fix is to pass the input as bound parameters of a prepared statement so that it is only ever treated as data, never as SQL. Microsoft has a good Web site dedicated to Microsoft SQL Server security, including Slammer prevention and cleanup, at www.microsoft.com/sql/techinfo/administration/2000/security/slammer.asp. Also check out the popular and effective Shadow Database Scanner at www.safety-lab.com/en/products/6.htm.
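The same login query written both ways, as an added example (not from the book), with two classic probes run against each and the check a tester uses to decide whether input reaches the SQL. It runs against an in-memory SQLite table whose users and passwords are constructed for the demo.

```python
"""Added example, not from the book: a login query built from user input by
string concatenation beside the parameterized version, run against an
in-memory SQLite table constructed for the demo."""
import sqlite3


def setup_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    db.executemany("INSERT INTO users (name, pw) VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db


def login_vulnerable(db, name: str, pw: str) -> list:
    """The input becomes part of the SQL text, so it can rewrite the query."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return [row[0] for row in db.execute(sql)]


def login_parameterized(db, name: str, pw: str) -> list:
    """The input travels as bound values and can only ever be compared."""
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return [row[0] for row in db.execute(sql, (name, pw))]


# Two classic probes: a tautology that makes the WHERE clause always true,
# and a comment marker that discards the password check entirely.
TAUTOLOGY = "' OR '1'='1"
COMMENT_OUT = "alice'--"


def injectable(login, db) -> bool:
    """Test heuristic: a user that does not exist must never log in. If the
    tautology in the password field returns rows, input reaches the SQL."""
    return len(login(db, "nobody", TAUTOLOGY)) > 0


if __name__ == "__main__":
    db = setup_db()
    for fn in (login_vulnerable, login_parameterized):
        print(fn.__name__, "injectable:", injectable(fn, db),
              "comment probe:", fn(db, COMMENT_OUT, "whatever"))
```

With the vulnerable function the tautology returns every user and the comment probe logs in as alice without a password; the parameterized function returns nothing for either, because the quote and the comment marker are just characters in a bound string.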

Hidden field manipulation

Some Web applications embed hidden fields within Web pages to pass state information between the Web server and the browser. Hidden fields are represented in a Web form as an input element of type hidden. Due to poor coding practices, hidden fields often contain confidential information (such as product prices for an e-commerce site) that should be stored only in a back-end database. Users should not be able to see hidden fields, hence the name, but the curious hacker can discover and exploit them with these steps:


1. Save the page to the local computer.

2. View the HTML source code.

To see the source code in Internet Explorer, choose View, then Source.

3. Change the information stored in these fields.

For example, a hacker may change the price from $100 to $10.

4. Re-post the page back to the server.

This allows the hacker to obtain ill-gotten gains, such as a lower price on a Web purchase.
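The four steps above carried out in code, as an added example (not from the book): the form is rendered with the price in a hidden field, the saved page is edited and re-posted, and the post is charged once by a handler that trusts the field and once by a handler that looks the price up on the server. The catalog, SKUs, markup and quantities are constructed for the demo.

```python
"""Added example, not from the book: hidden-field price tampering against a
trusting order handler and a catalog-lookup handler. Catalog, SKUs and
form markup are constructed for the demo."""
import re
from decimal import Decimal

# Constructed catalog: what the server knows each item costs.
CATALOG = {"SKU-100": Decimal("100.00"), "SKU-200": Decimal("250.00")}


def render_form_with_price(sku: str) -> str:
    """Poor practice: the price makes a round trip through the browser."""
    return ('<form method="post" action="/order">'
            f'<input type="hidden" name="sku" value="{sku}">'
            f'<input type="hidden" name="price" value="{CATALOG[sku]}">'
            '<input type="hidden" name="qty" value="1">'
            '<input type="submit" value="Buy"></form>')


def tamper(form_html: str, field: str, new_value: str) -> dict:
    """Steps 1 to 4 above: read the hidden fields out of the saved page,
    change one, and return the body that gets re-posted."""
    fields = dict(re.findall(
        r'<input type="hidden" name="([^"]+)" value="([^"]*)"', form_html))
    fields[field] = new_value
    return fields


def charge_trusting_form(post: dict) -> Decimal:
    """Vulnerable: charges whatever the editable hidden field says."""
    return Decimal(post["price"]) * int(post["qty"])


def charge_from_catalog(post: dict) -> Decimal:
    """Hardened: the client may only name the item and quantity; the price
    comes from the server's own catalog and both inputs are range-checked."""
    sku = post.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown item")
    try:
        qty = int(post.get("qty", "1"))
    except ValueError:
        raise ValueError("bad quantity")
    if not 1 <= qty <= 100:
        raise ValueError("bad quantity")
    return CATALOG[sku] * qty


if __name__ == "__main__":
    post = tamper(render_form_with_price("SKU-100"), "price", "10")
    print("re-posted body:", post)
    print("trusting form charges:", charge_trusting_form(post))
    print("catalog lookup charges:", charge_from_catalog(post))
```

The hardened handler ignores the price field entirely; a quantity of -1 or 9999 is rejected for the same reason a price of 10 is, because every value in the post came from the client.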

Cross-site scripting

Cross-site scripting (XSS) is a well-known Web application vulnerability that occurs when a Web page displays user input without properly validating or encoding it, so that input containing JavaScript reaches the browser as live script. A hacker can take advantage of the absence of input filtering and cause a Web site to execute malicious code in the browser of any user who views the page.

For example, an XSS attack can display the user ID and password login page from another rogue Web site. If users unknowingly enter their user IDs and passwords in the login page, the user IDs and passwords are entered into the hacker's Web server log file. Other malicious code sent to a victim's computer runs with the privileges of the vulnerable site inside the Web browser or e-mail application that's viewing it: it can read the site's cookies and session tokens, submit requests as the user, and rewrite what the page shows. Reaching beyond the browser to the user's files takes a separate browser vulnerability, but the browser-level access alone is enough to take over the user's account on the site.

A simple test shows whether your Web application is vulnerable to XSS. Look for any parts of the application that accept user input (such as a login field or search field), and enter a JavaScript statement, inside a script tag, that opens an alert box reading You have been scripted.

If a window pops up that says You have been scripted, as shown in Figure 16-5, the application is vulnerable. Check both where the input is echoed back immediately and where it is stored and shown later (a comment or profile field), because stored input reaches every user who views it.
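The pop-up test as a repeatable check, added here as an example that is not from the book: a search page rendered three ways (raw, with the literal script tag stripped, and HTML-escaped) is fed the probe from the text plus three variants that a blocklist misses, and an HTML parser reports whether the input landed in the page as a script element or an event-handler attribute, which is what makes the window appear. The page markup and the extra probes are constructed for the demo.

```python
"""Added example, not from the book: three renderings of a search page
checked against the pop-up probe and variants a blocklist misses.
Markup and the extra probes are constructed for the demo."""
import html
from html.parser import HTMLParser

# The probe from the text: a script tag that opens an alert box.
PROBE = '<script>alert("You have been scripted")</script>'
# Two inputs that slip past a blocklist of the literal tag name.
PROBE_CASED = '<ScRiPt>alert("You have been scripted")</ScRiPt>'
PROBE_HANDLER = '<img src=x onerror=alert("You have been scripted")>'
# Input that breaks out of an attribute value rather than adding a tag.
PROBE_ATTR = '" autofocus onfocus="alert(1)'


def render_raw(query: str) -> str:
    """Vulnerable: user input is copied straight into the page."""
    return f'<p>Results for: {query}</p><input name="q" value="{query}">'


def render_blocklist(query: str) -> str:
    """Common but insufficient: remove the one tag name the tester tried."""
    cleaned = query.replace("<script>", "").replace("</script>", "")
    return f'<p>Results for: {cleaned}</p><input name="q" value="{cleaned}">'


def render_escaped(query: str) -> str:
    """Hardened: encode for the HTML context, quotes included, so the input
    can only ever be text or an attribute value."""
    safe = html.escape(query, quote=True)
    return f'<p>Results for: {safe}</p><input name="q" value="{safe}">'


class _ScriptScan(HTMLParser):
    """Flags a script element or any on* event-handler attribute that the
    browser would actually parse as markup."""
    def __init__(self):
        super().__init__()
        self.live = False

    def handle_starttag(self, tag, attrs):
        if tag == "script" or any(name.startswith("on") for name, _ in attrs):
            self.live = True


def executes_script(page: str) -> bool:
    """True if the rendered page would run attacker-supplied script."""
    scanner = _ScriptScan()
    scanner.feed(page)
    scanner.close()
    return scanner.live


def vulnerable(render) -> list:
    """Which probes get through a given renderer."""
    probes = {"script": PROBE, "cased": PROBE_CASED,
              "handler": PROBE_HANDLER, "attribute": PROBE_ATTR}
    return [name for name, probe in probes.items()
            if executes_script(render(probe))]


if __name__ == "__main__":
    for fn in (render_raw, render_blocklist, render_escaped):
        print(fn.__name__, "lets through:", vulnerable(fn))
```

The blocklist stops only the exact probe the tester typed, which is why a test that relies on one payload gives false confidence; output encoding for the context where the input lands stops all four.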

Figure 16-5: A sample JavaScript pop-up window.




Countermeasures

Web applications must filter incoming data. The applications must check and ensure that the data being entered fits within the parameters of what the application is expecting. If the data doesn't match, the application should generate an error and not permit the data to be entered. Any validation done in the form by the browser (length limits, JavaScript checks) must be repeated within the application on the server, because the browser-side checks can be edited or bypassed entirely.

Developers should know and implement these best practices:

To reduce hidden-field vulnerabilities, Web applications should never present static values that the Web browser and the user don't need to see. Instead, this data should be implemented within the Web application on the server side and retrieved from a database only when needed.

To minimize XSS vulnerabilities, the application should filter out
