Summary

Major revision to the best-selling, step-by-step guide to defending against hacker intrusions - more than 45% new material.

Author Biography

Ed Skoudis is a founder and senior security consultant for the Washington, D.C.-based network security consultancy, Intelguardians Network Intelligence, LLC. His expertise includes hacker attacks and defenses, the information security industry, and computer privacy issues. He has performed numerous security assessments, designed information security governance and operations teams for Fortune 500 companies, and responded to computer attacks for clients in financial, high technology, health care, and other industries. Ed has demonstrated hacker techniques for the U.S. Senate and is a frequent speaker on issues associated with hacker tools and defenses. He was also awarded 2004 and 2005 Microsoft MVP awards for Windows Server Security and is an alumnus of the Honeynet Project. Prior to Intelguardians, Ed served as a security consultant with International Network Services (INS), Predictive Systems, Global Integrity, SAIC, and Bell Communications Research (Bellcore).

Tom Liston is a senior analyst for the Washington, D.C.-based network security consultancy, Intelguardians Network Intelligence, LLC. He is the author of the popular open source network tarpit, LaBrea, for which he was a finalist for eWeek and PC Magazine’s Innovations In Infrastructure (i3) award in 2002. He is one of the handlers at the SANS Institute’s Internet Storm Center, where he deals daily with cutting edge security issues and authors a popular series of articles under the title “Follow the Bouncing Malware.” Mr. Liston resides in the teeming metropolis of Johnsburg, Illinois, and has four beautiful children (who demanded to be mentioned): Mary, Maggie, Erin, and Victoria.

Foreword

xxi

Preface Reloaded

xxiii

Preface from the First Edition

xxv

Acknowledgments

xxvii

About the Authors

xxxi

Introduction

(24)

The Computer World and the Golden Age of Hacking

(2)

Why This Book?

(3)

Why Cover These Specific Tools and Techniques?

(1)

How This Book Differs

(2)

The Threat: Never Underestimate Your Adversary

(5)

Attacker Skill Levels: From Script Kiddies to the Elite

(1)

A Note on Terminology and Iconography

(3)

Hackers, Crackers, and Hats of Many Colors: Let's Just Use ``Attackers'' and ``Bad Guys''

(2)

Pictures and Scenarios

(1)

Naming Names

(1)

Caveat: These Tools Could Hurt You

(4)

Setting Up a Lab for Experimentation

(1)

Additional Concerns

(2)

Organization of Rest of the Book

(4)

Getting Up to Speed with the Technology

(1)

Common Phases of the Attack

(1)

Future Predictions, Conclusions, and References

(1)

Yeah, But What's NEW?

(3)

Summary

(2)

Networking Overview: Pretty Much Everything You Need to Know About Networking to Follow the Rest of This Book

(66)

The OSI Reference Model and Protocol Layering

(2)

How Does TCP/IP Fit In?

(4)

Understanding TCP/IP

(1)

Transmission Control Protocol (TCP)

(8)

TCP Port Numbers

(3)

TCP Control Bits, the Three-Way Handshake, and Sequence Numbers

(4)

Other Fields in the TCP Header

(1)

User Datagram Protocol (UDP)

(3)

Is UDP Less Secure Than TCP?

(1)

Internet Protocol (IP) and Internet Control Message Protocol (ICMP)

(7)

IP: Drop That Acronym and Put Your Hands in the Air!

(1)

LANs and Routers

(1)

IP Addresses

(1)

Netmasks

(1)

Packet Fragmentation in IP

(1)

Other Components of the IP Header

(2)

ICMP

(2)

Other Network-Level Issues

(13)

Routing Packets

(1)

Network Address Translation

(2)

Firewalls: Network Traffic Cops and Soccer Goalies

(10)

Don't Forget About the Data Link and Physical Layers!

(9)

Ethernet: The King of Wireline Connectivity

(1)

ARP ARP ARP!!

(2)

Hubs and Switches

(2)

802.11: The King of Wireless Connectivity

(3)

Security Solutions for the Internet

(11)

Application-Level Security

(2)

The Secure Sockets Layer (SSL) and Transport Layer Security (TLS)

(5)

Security at the IP Level: IPSec

(4)

Conclusion

(1)

Summary

(4)

Linux and UNIX Overview: Pretty Much Everything You Need to Know About Linux and UNIX to Follow the Rest of This Book

(36)

Introduction

(4)

Learning About Linux and UNIX

(1)

Architecture

(12)

Linux and UNIX File System Structure

(2)

The Kernel and Processes

(2)

Automatically Starting Up Processes: Init, Inetd, Xinetd, and Cron

(4)

Manually Starting Processes

103

(2)

Interacting with Processes

105

(2)

Accounts and Groups

107

(3)

The /etc/passwd File

107

(2)

The /etc/group File

109

(1)

Root: It's a Bird ... It's a Plane ... No, It's Super-User!

110

(1)

Linux and UNIX Permissions

110

(5)

SetUID Programs

113

(2)

Linux and UNIX Trust Relationships

115

(4)

Logs and Auditing

117

(2)

Common Linux and UNIX Network Services

119

(5)

Telnet: Command-Line Remote Access

119

(1)

FTP: The File Transfer Protocol

120

(1)

A Better Way: Secure Shell (SSH)

120

(1)

Web Servers: HTTP

121

(1)

Electronic Mail

121

(1)

r-Commands

121

(1)

Domain Name Services

122

(1)

The Network File System (NFS)

122

(1)

X Window System

123

(1)

Conclusion

124

(1)

Summary

124

(3)

Windows NT/2000/XP/2003 Overview: Pretty Much Everything You Need to Know about Windows to Follow the Rest of This Book

127

(56)

Introduction

127

(1)

A Brief History of Time

128

(5)

The BAD (Before Active Directory) Old Days

130

(1)

Fundamental Concepts from BAD, or ``This Stuff Still Matters, So Pay Attention''

131

(2)

Shares: Accessing Resources Across the Network

133

(1)

The Underlying Windows Operating System Architecture

133

(4)

User Mode

134

(3)

How Windows Password Representations Are Derived

137

(2)

Kernel Mode

139

(2)

From Service Packs and Hotfixes to Windows Update and Beyond

141

(1)

Accounts and Groups

142

(5)

Accounts

142

(3)

Groups

145

(2)

Privilege Control

147

(2)

Policies

149

(3)

Account Policy

149

(2)

User Properties Settings

151

(1)

Trust

152

(2)

Auditing

154

(2)

Object Access Control and Permissions

156

(4)

Ownership

156

(1)

NTFS and Its Permissions

156

(2)

Share Permissions

158

(1)

Weak Default Permissions and Hardening Guides

159

(1)

Network Security

160

(2)

Limitations in Basic Network Protocols and APIs

160

(2)

Windows 2000 and Beyond: Welcome to the New Millennium

162

(15)

What Windows 2000+ Has to Offer

163

(3)

Security Considerations in Windows 2000+

166

(2)

Architecture: Some Refinements over Windows NT

168

(1)

Accounts and Groups

169

(1)

Privilege Control

170

(3)

Policies

173

(1)

Windows 2000+ Trust

174

(1)

Auditing

175

(1)

Object Access Control

175

(2)

Conclusion

177

(1)

Summary

177

(6)

Phase 1: Reconnaissance

183

(56)

Low-Technology Reconnaissance: Social Engineering, Caller ID Spoofing, Physical Break-In, and Dumpster Diving

184

(11)

Social Engineering

184

(6)

Physical Break-In

190

(3)

Dumpster Diving

193

(2)

Search the Fine Web (STFW)

195

(17)

The Fine Art of Using Search Engines and Recon's Big Gun: Google

196

(11)

Listening in at the Virtual Water Cooler: Newsgroups

207

(1)

Searching an Organization's Own Web Site

208

(1)

Defenses Against Search Engine and Web-Based Reconnaissance

209

(3)

Whois Databases: Treasure Chests of Information

212

(8)

Researching .com, .net, .org, and .edu Domain Names

212

(3)

Researching Domain Names Other Than .com, .net, .org, .edu, .aero, .arpa, .biz, .coop, .info, .int, and .museum

215

(3)

IP Address Assignments Through ARIN and Related Sites

218

(1)

Defenses Against Whois Searches

219

(1)

The Domain Name System

220

(10)

Interrogating DNS Servers

225

(2)

Defenses From DNS-Based Reconnaissance

227

(3)

General-Purpose Reconnaissance Tools

230

(5)

Sam Spade: A General-Purpose Reconnaissance Client Tool

230

(3)

Web-Based Reconnaissance Tools: Research and Attack Portals

233

(2)

Conclusion

235

(1)

Summary

235

(4)

Phase 2: Scanning

239

(100)

War Driving: Finding Wireless Access Points

240

(12)

War Driving Method 1: Active Scanning---Sending Probe Packets with NetStumbler

242

(3)

War Driving Method 2: Listening for Beacons and Other Traffic with Wellenreiter

245

(2)

War Driving Method 3: Forcing Deauthentication with ESSID-Jack

247

(1)

War-Driving Defenses

248

(2)

Going All the Way with a VPN

250

(2)

War Dialing: Looking for Modems in All the Right Places

252

(9)

A Toxic Recipe: Modems, Remote Access Products, and Clueless Users

253

(1)

SysAdmins and Insecure Modems

253

(1)

Finding Telephone Numbers to Feed into a War Dialer

254

(4)

Defenses Against War Dialing

258

(1)

Modem Policy

258

(3)

Network Mapping

261

(7)

Sweeping: Finding Live Hosts

262

(1)

Traceroute: What Are the Hops?

262

(5)

Defenses Against Network Mapping

267

(1)

Determining Open Ports Using Port Scanners

268

(39)

Nmap: A Full-Featured Port-Scanning Tool

269

(3)

Types of Nmap Scans

272

(22)

Defenses Against Port Scanning

294

(7)

Determining Firewall Filter Rules with Firewalk

301

(6)

Vulnerability-Scanning Tools

307

(12)

A Whole Bunch of Vulnerability Scanners

310

(1)

Nessus: The Most Popular Free Vulnerability Scanner Available Today

310

(6)

Vulnerability-Scanning Defenses

316

(2)

Be Aware of Limitations of Vulnerability-Scanning Tools

318

(1)

Intrusion Detection System and Intrusion Prevention System Evasion

319

(16)

How Network-Based IDS and IPS Tools Work

320

(1)

How Attackers Can Evade Network-Based IDSs and IPSs

321

(1)

IDS and IPS Evasion at the Network Level

322

(6)

IDS and IPS Evasion at the Application Level

328

(5)

IDS and IPS Evasion Defenses

333

(2)

Conclusion

335

(1)

Summary

335

(4)

Phase 3: Gaining Access Using Application and Operating System Attacks

339

(100)

Script Kiddie Exploit Trolling

339

(1)

Pragmatism for More Sophisticated Attackers

340

(2)

Buffer Overflow Exploits

342

(35)

Stack-Based Buffer Overflow Attacks

343

(10)

Exploiting Stack-Based Buffer Overflows

353

(1)

Finding Buffer Overflow Vulnerabilities

353

(5)

Heap Overflows

358

(3)

The Exploit Mess and the Rise of Exploitation Engines

361

(6)

Advantages for Attackers

367

(1)

Benefits for the Good Guys, Too?

368

(3)

Buffer Overflow Attack Defenses

371

(6)

Password Attacks

377

(29)

Guessing Default Passwords

378

(4)

The Art and Science of Password Cracking

382

(1)

Let's Crack Those Passwords!

383

(18)

Defenses Against Password-Cracking Attacks

401

(5)

Web Application Attacks

406

(25)

Account Harvesting

407

(3)

Account Harvesting Defenses

410

(1)

Undermining Web Application Session Tracking and Other Variables

410

(2)

Attacking Session Tracking Mechanisms

412

(9)

Defending Against Web Application Session Tracking and Variable Alteration Attacks

421

(2)

SQL Injection

423

(5)

Defenses Against SQL Injection

428

(3)

Exploiting Browser Flaws

431

(4)

Defending Against Browser Exploits

434

(1)

Conclusion

435

(1)

Summary

435

(4)

Phase 3: Gaining Access Using Network Attacks

439

(74)

Sniffing

439

(31)

Sniffing Through a Hub: Passive Sniffing

442

(4)

``Hey, Don't I Know You?'' Passive OS Identification and Vulnerability Identification

446

(3)

Dsniff: A Sniffing Cornucopia

449

(18)

Sniffing Defenses

467

(3)

IP Address Spoofing

470

(12)

IP Address Spoofing Flavor 1: Simple Spoofing---Simply Changing the IP Address

470

(3)

IP Address Spoofing Flavor 2: Predicting TCP Sequence Numbers to Attack UNIX r-Commands

473

(4)

IP Address Spoofing Flavor 3: Spoofing with Source Routing

477

(2)

IP Spoofing Defenses

479

(3)

Session Hijacking

482

(9)

Another Way: Host-Based Session Hijacking

483

(3)

Session Hijacking with Ettercap

486

(2)

Attacking Wireless Access Points

488

(3)

Session Hijacking Defenses

491

(1)

Netcat: A General-Purpose Network Tool

491

(19)

Netcat for File Transfer

493

(2)

Netcat for Port Scanning

495

(1)

Netcat for Making Connections to Open Ports

496

(1)

Netcat for Vulnerability Scanning

497

(1)

Using Netcat to Create a Passive Backdoor Command Shell

498

(1)

Using Netcat to Actively Push a Backdoor Command Shell

499

(2)

Relaying Traffic with Netcat

501

(5)

Persistent Netcat Listeners and Netcat Honeypots

506

(3)

Netcat Defenses

509

(1)

Conclusion

510

(1)

Summary

510

(3)

Phase 3: Denial-of-Service Attacks

513

(34)

Locally Stopping Services

515

(2)

Defenses from Locally Stopping Services

516

(1)

Locally Exhausting Resources

517

(1)

Defenses from Locally Exhausting Resources

518

(1)

Remotely Stopping Services

518

(5)

Defenses from Remotely Stopping Services

522

(1)

Remotely Exhausting Resources

523

(20)

SYN Flood

523

(6)

Smurf Attacks

529

(4)

Distributed Denial-of-Service Attacks

533

(8)

DDoS: A Look at the Future?

541

(1)

Distributed Denial-of-Service Defenses

542

(1)

Conclusion

543

(1)

Summary

544

(3)

Phase 4: Maintaining Access: Trojans, Backdoors, and Rootkits ... Oh My!

547

(80)

Trojan Horses

547

(1)

Backdoors

548

(5)

Netcat as a Backdoor on UNIX Systems

550

(3)

The Devious Duo: Backdoors Melded into Trojan Horses

553

(2)

Roadmap for the Rest of the Chapter

554

(1)

Nasty: Application-Level Trojan Horse Backdoor Tools

555

(13)

Remote-Control Backdoors

555

(13)

Also Nasty: The Rise of the Bots

568

(10)

Distributing Bots: The Worm-Bot Feedback Loop

575

(3)

Additional Nastiness: Spyware Everywhere!

578

(3)

Defenses Against Application-Level Trojan Horse Backdoors, Bots, and Spyware

581

(6)

Bare Minimum: Use Antivirus and Antispyware Tools

581

(2)

Looking for Unusual TCP and UDP Ports

583

(1)

Knowing Your Software

583

(3)

User Education Is Also Critical

586

(1)

Even Nastier: User-Mode Rootkits

587

(17)

What Do User-Mode Rootkits Do?

589

(1)

Linux/UNIX User-Mode Rootkits

589

(7)

Windows User-Mode Rootkits

596

(8)

Defending Against User-Mode Rootkits

604

(4)

Don't Let the Bad Guys Get Super-User Access in the First Place!

604

(3)

Uh-oh ... They Rootkitted Me. How Do I Recover?

607

(1)

Nastiest: Kernel-Mode Rootkits

608

(8)

The Power of Execution Redirection

610

(1)

File Hiding with Kernel-Mode Rootkits

611

(1)

Process Hiding with Kernel-Mode Rootkits

612

(1)

Network Hiding with Kernel-Mode Rootkits

612

(1)

Some Particular Examples of Kernel-Mode Rootkits

613

(3)

Defending Against Kernel-Mode Rootkits

616

(7)

Fighting Fire with Fire: Don't Do It!

616

(1)

Don't Let Them Get Root in the First Place!

616

(1)

Control Access to Your Kernel

617

(1)

Looking for Traces of Kernel-Mode Rootkits by Hand

618

(1)

Automated Rootkit Checkers

619

(2)

File Integrity Checkers Still Help!

621

(1)

Antivirus Tools Help Too!

622

(1)

Trusted CDs for Incident Handling and Investigations

622

(1)

Conclusion

623

(1)

Summary

623

(4)

Phase 5: Covering Tracks and Hiding

627

(44)

Hiding Evidence by Altering Event Logs

628

(9)

Attacking Event Logs in Windows

629

(3)

Attacking System Logs and Accounting Files in Linux and UNIX

632

(3)

Altering Linux and UNIX Shell History Files

635

(2)

Defenses Against Log and Accounting File Attacks

637

(4)

Activate Logging, Please

637

(1)

Setting Proper Permissions

638

(1)

Using a Separate Logging Server

638

(2)

Encrypting Your Log Files

640

(1)

Making Log Files Append Only

640

(1)

Protecting Log Files Using Write-Once Media

640

(1)

Creating Difficult-to-Find Files and Directories

641

(6)

Creating Hidden Files and Directories in UNIX

641

(2)

Creating Hidden Files in Windows

643

(3)

Defenses from Hidden Files

646

(1)

Hiding Evidence on the Network: Covert Channels

647

(18)

Tunneling

649

(6)

Covert Channels and Malware

655

(10)

Defenses Against Covert Channels

665

(3)

Conclusion

668

(1)

Summary

668

(3)

Putting It All Together: Anatomy of an Attack

671

(40)

Scenario 1: Crouching Wi-Fi, Hidden Dragon

673

(12)

Scenario 2: Death of a Telecommuter

685

(11)

Scenario 3: The Manchurian Contractor

696

(12)

Conclusion

708

(1)

Summary

709

(2)

The Future, References, and Conclusions

711

(12)

Where Are We Heading?

711

(4)

Scenario 1: Yikes!

712

(1)

Scenario 2: A Secure Future

713

(1)

Scenario 1, Then Scenario 2

714

(1)

Keeping Up to Speed

715

(6)

Web Sites

715

(3)

Mailing Lists

718

(2)

Conferences

720

(1)

Final Thoughts ... Live Long and Prosper

721

(1)

Summary

722

(1)

Index

723

Supplemental Materials

What is included with this book?

The New copy of this book will include any supplemental materials advertised. Please check the title of the book to determine if it should include any access cards, study guides, lab manuals, CDs, etc.

The Used, Rental and eBook copies of this book are not guaranteed to include any supplemental materials. Typically, only the book itself is included. This is true even if the title states it includes any access cards, study guides, lab manuals, CDs, etc.

Excerpts

My flight had just landed. It was around midnight. The flight attendant announced that we could turn on our cell phones. As soon as mine booted up, it started buzzing with a frantic call from a newspaper reporter I had recently met. He quickly explained that he had obtained a copy of a manifesto written by a terrorist who had launched some pretty horrific attacks killing hundreds of innocent people a few months back. The reporter had had the text professionally translated so he could get some folks to analyze it. In this 30-page document, this very evil guy was urging his followers to alter their tactics in their struggle. To augment their physical terrorism, the plan was now to start including cyber attacks to maximize their impact on countries that oppose their terrorist agenda. The reporter wanted me to analyze the technical underpinnings of the manifesto, to determine whether it was all smoke and mirrors, or a legitimate cause for concern. I got to my hotel room and snagged a copy of the manifesto from my e-mail. The document I read startled me. Although not technically deep, it was quite astute. Its author emphasized that the terrorist group could enhance their stature and influence and cause more terror to their enemies by undermining their economic well-being through the use of computer attacks. After this really eerie "motivational" speech introduction, the manifesto turned toward describing how different categories of attack could be used to achieve terrorist goals. Although the author didn't include technical details, he did provide a huge number of technical references on computer attacks, pressing his faithful followers to study hard the technologies of the infidel so they could undermine them. The following day I received an unrelated call, this time from a lawyer friend of mine. He explained that a computer attacker had broken into the network of a company and stolen over a million credit card numbers. Because the attacker had pilfered the entire magnetic stripe data stored on the company's servers, the bad guy could create very convincing counterfeit cards, and begin selling them on the black market. My lawyer friend wanted me to look over the details of the heist and explain in nontechnical jargon how the thief was able to pull this off. I carefully reviewed the case, analyzing the bad guy's moves, noting sadly that he had used some pretty standard attack techniques to perpetrate this big-time crime. Given those cases on back-to-back days, I just reread the preface to the original Counter Hackbook I wrote almost five years ago. Although it described a real-world attack against an ISP, it still had a fun feeling to it. The biggest worry then was the defacement of some Web sites and my buddy's boss getting mad, certainly cause for concern, but not the end of the world. I was struck with how much things have changed in computer attacks, and not at all for the better. Five years back, we faced a threat, but it was often manifested in leisurely attacks by kids looking to have some fun. We did face a hardened criminal here and there, of course, but there was a certain whimsy to our work. Today, with organized crime and, yes, even terrorists mastering their computer attack skills, things have taken a turn for the dark and sinister. Sure, the technology has evolved, but increasingly so has the nature of our threat. Underscoring the problem, if you place an unpatched computer on the Internet today, its average survival time before being completely compromised is less than 20 minutes. That time frame fluctuates a bit over the months, sometimes dropping to less than 10 minutes, and occasionally bumping up over 30 minutes when some particularly good patches are released and quickly deployed. However, even the upper-end number is disheartening. Given this highly aggressive threat, it's even more important now than ever for computer professionals (system administrators, network administrators, and security personnel) and even laymen to have knowledge of how the bad guys attack and how to defend against each of their moves. If we don't understand the bad guys' tactics and how to thwart them, they'll continue to have their way with our machines, resulting in some major damage. They know how to attack, and are learning more all the time. We defenders also must be equally if not better equipped. This new edition of Counter Hackrepresents a massive update to the original book; a lot has happened in the last five years in the evolution of computer attack technology. However, the book retains the same format and goal: to describe the attacks in a step-by-step manner and to demonstrate how to defend against each attack using time-tested, real-world techniques. Oh, and one final note: Although the nature of the threat we face has grown far more sinister, don't let that get you down in the dumps. A depressed or frightened attitude might make you frustrated and less agile when dealing with attacks, lowering your capabilities. If we are to be effective in defending our systems, we must keep in mind that this information security work we all do is inherently interesting and even fun. It's incredibly important to be diligent in the face of these evolving threats; don't get me wrong. At the same time, we must strive to keep a positive attitude, fighting the good fight, and making our systems more secure. Preface from the First Edition My cell phone rang. I squinted through my sleepy eyelids at the clock. Ugh! 4AM, New Year's Day. Needless to say, I hadn't gotten very much sleep that night. I picked up the phone to hear the frantic voice of my buddy, Fred, on the line. Fred was a security administrator for a medium-sized Internet Service Provider, and he frequently called me with questions about a variety of security issues. "We've been hacked big time!" Fred shouted, far too loudly for this time of the morning. I rubbed my eyes to try to gain a little coherence. "How do you know they got in? What did they do?" I asked. Fred replied, "They tampered with a bunch of Web pages. This is bad, Ed. My boss is gonna have a fit!" I asked, "How did they get in? Have you checked out the logs?" Fred stuttered, "W-Well, we don't do much logging, because it slows down performance. I only snag logs from a couple of machines. Also, on those systems where we do gather logs, the attackers cleared the log files." "Have you applied the latest security fixes from your operating system vendor to your machines?" I asked, trying to learn a little more about Fred's security posture. Fred responded with hesitation, "We apply security patches every three months. The last time we deployed fixes was ... um ... two-and-a-half months ago." I scratched my aching head and said, "Two major buffer overflow attacks were released last week. You may have been hit. Have they installed any rootkits? Have you checked the consistency of critical files on the system?" "You know, I was planning to install something like Tripwire, but just never got around to it," Fred admitted. I quietly sighed and said, "OK. Just remain calm. I'll be right over so we can start to analyze your machines." You clearly don't want to end up in a situation like Fred, and I want to minimize the number of calls I get at 4AMon New Year's Day. While I've changed Fred's name to protect the innocent, this situation actually occurred. Fred's organization had failed to implement some fundamental security controls, and it had to pay the price when an attacker came knocking. In my experience, m