Hack I.T. - Security Through Penetration Testing

Description

• Copyright 2002
• Dimensions: 7-3/8" x 9-1/4"
• Pages: 544
• Edition: 1st

• Book
• ISBN-10: 0-201-71956-8
• ISBN-13: 978-0-201-71956-7

"This book covers not just the glamorous aspects such as the intrusion act itself, but all of the pitfalls, contracts, clauses, and other gotchas that can occur. The authors have taken their years of trial and error, as well as experience, and documented a previously unknown black art."
--From the Foreword by Simple Nomad, Senior Security Analyst, BindView RAZOR Team

Penetration testing--in which professional, "white hat" hackers attempt to break through an organization's security defenses--has become a key defense weapon in today's information systems security arsenal. Through penetration testing, I.T. and security professionals can take action to prevent true "black hat" hackers from compromising systems and exploiting proprietary information.

Hack I.T. introduces penetration testing and its vital role in an overall network security plan. You will learn about the roles and responsibilities of a penetration testing professional, the motivation and strategies of the underground hacking community, and potential system vulnerabilities, along with corresponding avenues of attack. Most importantly, the book provides a framework for performing penetration testing and offers step-by-step descriptions of each stage in the process. The latest information on the necessary hardware for performing penetration testing, as well as an extensive reference on the available security tools, is included.

Comprehensive in scope Hack I.T. provides in one convenient resource the background, strategies, techniques, and tools you need to test and protect your system--before the real hackers attack.

Specific topics covered in this book include:

• Hacking myths
• Potential drawbacks of penetration testing
• Announced versus unannounced testing
• Application-level holes and defenses
• Penetration through the Internet, including zone transfer, sniffing, and port scanning
• War dialing
• Enumerating NT systems to expose security holes
• Social engineering methods
• Unix-specific vulnerabilities, such as RPC and buffer overflow attacks
• The Windows NT Resource kit
• Port scanners and discovery tools
• Sniffers and password crackers
• Web testing tools
• Remote control tools
• Firewalls and intrusion detection systems
• Numerous DoS attacks and tools

0201719568B01042002



Downloads

CD Contents

Download the CD Contents from Hack I.T.— Security Through Penetration Testing



Extras

Related Articles

Ajay Gupta on Privacy, Security, and Air Conditioning

Customizing an ERP During Implementation? Just Say No

Database Issues in Homeland Security

Developing a Continuity-of-Operations Plan

Information Security: Insider Alert

Resuming Business Operations After a Virus Infection

Six Steps to Security Awareness

Small Office Security

The Art of Social Engineering

The Dirty Dozen: The 12 Security Lapses That Make Your .Com, .Org, or .Net an Unwitting Collaborator with Cyberterrorists

Unwitting Collaborators, Part 10: System Hijacking  Worms, Viruses & Trojan Horses

Unwitting Collaborators, Part 11: DNS Poisoning and Domain Hijacking

Unwitting Collaborators, Part 3: Spyware

Unwitting Collaborators, Part 4: Internal Threats

Unwitting Collaborators, Part 5: System and Application Vulnerabilities

Unwitting Collaborators, Part 6: Wireless Insecurity

Unwitting Collaborators, Part 7: Denial-of-Service Attacks

Unwitting Collaborators, Part 8: Tunneling

Unwitting Collaborators, Part 9: Steganography



Sample Content

Online Sample Chapters

Security Through Penetration Testing: Internet Penetration

Security Through Penetration Testing: Wrap Up

Downloadable Sample Chapter

Click below for Sample Chapter related to this title:
klevinskych05.pdf

klevinskych22.pdf

Table of Contents

Preface.


Introduction.


1. Hacking Today.


2. Defining the Hacker.

Hacker Skill Levels.

First-Tier Hackers.

Second-Tier Hackers.

Third-Tier Hackers.

Information Security Consultants.

Hacker Myths.

Information Security Myths.

3. Penetration for Hire.

Ramifications of Penetration Testing.

Requirements for a Freelance Consultant.

Skill Set.

Knowledge.

Tool Kit.

Hardware.

Record Keeping.

Ethics.

Announced vs. Unannounced Penetration Testing.

Definitions.

Pros and Cons of Both Types of Penetration Testing.

Documented Compromise.

4. Where the Exposures Lie.

Application Holes.

Berkeley Internet Name Domain (BIND) Implementations.

Common Gateway Interface (CGI).

Clear Text Services.

Default Accounts.

Domain Name Service (DNS).

File Permissions.

FTP and telnet.

ICMP.

IMAP and POP.

Modems

Lack of Monitoring and Intrusion Detection.

Network Architecture.

Network File System (NFS).

NT Ports 135n139.

NT Null Connection.

Poor Passwords and User IDs.

Remote Administration Services.

Remote Procedure Call (RPC).

sendmail.

Services Started by Default.

Simple Mail Transport Protocol (SMTP).

Simple Network Management Protocol (SNMP) Community Strings.

Viruses and Hidden Code.

Web Server Sample Files.

Web Server General Vulnerabilities.

Monitoring Vulnerabilities.

5. Internet Penetration.

Network Enumeration/Discovery.

Whois Query.

Zone Transfer.

Ping Sweeps.

Traceroute.

Vulnerability Analysis.

OS Identification.

Port Scanning.

Application Enumeration.

Internet Research.

Exploitation.

Case Study: Dual-Homed Hosts.

6. Dial-In Penetration.

War Dialing.

War Dialing Method.

Dialing

Login.

Login Screens.

Gathering Numbers.

Precautionary Methods.

War Dialing Tools.

ToneLoc.

THC-Scan.

TeleSweep.

PhoneSweep.

Case Study: War Dialing.

7. Internal Penetration Testing.

Scenarios.

Network Discovery.

NT Enumeration.

UNIX.

Searching for Exploits.

Sniffing.

Remotely Installing a Hacker Tool Kit.

Vulnerability Scanning.

Case Study: Snoop the User Desktop.

8. Social Engineering.

The Telephone.

Technical Support.

Disgruntled Customer.

Get Help Logging In.

Additional Methods.

Dumpster Diving.

Desktop Information.

Common Countermeasures.

9. UNIX Methods.

UNIX Services.

inetd Services.

r Services.

Remote Procedure Call Services.

Buffer Overflow Attacks.

File Permissions.

Applications.

Mail Servers.

Web Servers.

X Windows.

DNS Servers.

Misconfigurations.

UNIX Tools.

Datapipe.c.

QueSO.

Cheops.

nfsshell.

XSCAN.

Case Study: UNIX Penetration.

10. The Tool Kit.

Hardware.

Software.

Windows NT Workstation.

Linux.

VMware.

11. Automated Vulnerability Scanners.

Definition.

Testing Use.

Shortfalls.

Network-Based and Host-Based Scanners.

Tools.

Network-Based Scanners.

Network Associates CyberCop Scanner.

ISS Internet Scanner.

Nessus.

Symantec (Formerly Axent Technologies) NetRecon.

Bindview HackerShield (bv-control for Internet Security).

Host-Based Scanners.

Symantec (Formerly Axent Technologies) Enterprise Security Manager (ESM).

Pentasafe VigilEnt.

Conclusion.

12. Discovery Tools.

WS_Ping ProPack.

NetScanTools.

Sam Spade.

Rhino9 Pinger.

VisualRoute.

Nmap.

Whatis running.

13. Port Scanners.

Nmap.

7th Sphere Port Scanner.

Strobe.

SuperScan.

14. Sniffers.

Dsniff.

Linsniff.

Tcpdump.

BUTTSniffer.

SessionWall-3 (Now eTrust Intrusion Detection).

AntiSniff.

15. Password Crackers.

L0phtCrack.

pwdump2.

John the Ripper.

Cain.

ShowPass.

16. Windows NT Tools.

NET USE.

Null Connection.

NET VIEW.

NLTEST.

NBTSTAT.

epdump.

NETDOM.

Getmac.

Local Administrators.

Global (iDomain Adminsi).

Usrstat.

DumpSec.

user2Sid/sid2User.

NetBIOS Auditing Tool (NAT).

SMBGrind.

SRVCHECK.

SRVINFO.

AuditPol.

REGDMP.

Somarsoft DumpReg.

Remote.

Netcat.

SC.

AT.

FPipe.

Case Study: Weak Passwords.

Case Study: Internal Penetration to Windows.

17. Web-Testing Tools.

Whisker

SiteScan.

THC Happy Browser.

wwwhack.

Web Cracker.

Brutus.

Case Study: Compaq Management Agents Vulnerability.

18. Remote Control.

pcAnywhere.

Virtual Network Computing.

NetBus.

Back Orifice 2000.

19. Intrusion Detection Systems.

Definition.

IDS Evasion.

Stealth Port Scanning.

Aggressive Techniques.

Pitfalls.

Traits of Effective IDSs.

IDS Selection.

RealSecure

NetProwler.

Secure Intrusion Detection.

eTrust Intrusion Detection.

Network Flight Recorder.

Dragon.

Snort.

20. Firewalls.

Definition.

Monitoring.

Configuration.

Change Control.

Firewall Types.

Packet-Filtering Firewalls.

Stateful-Inspection Firewalls.

Proxy-Based Firewalls.

Network Address Translation.

Evasive Techniques.

Firewalls and Virtual Private Networks.

Case Study: Internet Information Server ExploitoMDAC.

21. Denial-of-Service Attacks.

Resource Exhaustion Attacks.

Papasmurf.

Trash2.

Igmpofdeath.c.

Fawx.

OBSD_fun.

Port Flooding.

Mutilate.

Pepsi5.

SYN Flooding.

Synful.

Synk4.

Naptha.

IP Fragmentation Attacks.

Jolt2.

Teardrop.

Syndrop.

Newtear.

Distributed Denial-of-Service Attacks.

Tribe Flood Network 2000.

Trin00.

Stacheldraht.

Usage.

Application-Based DoS Attacks.

Up Yours.

Wingatecrash.

WinNuke.

BitchSlap.

DOSNuke.

Shutup.

Web Server DoS Attacks.

Concatenated DoS Tools.

CyberCop.

ISS Internet Scanner.

Toast.

Spike.sh5.3.

Summary.

22. Wrapping It Up.

Countermeasures.

Keeping Current.

Web Sites.

Mailing Lists.

23. Future Trends.

Authentication.

Two- and Three-Factor Authentication.

Biometrics.

Token-Based Authentication.

Directory Services.

Encryption.

Public Key Infrastructure.

Distributed Systems.

Forensics.

Government Regulation.

Hacking Techniques.

Countermeasures.

Cyber-Crime Insurance.

Appendix A.


Appendix B. The Twenty Most Critical Internet Security Vulnerabilities—The Experts' Consensus.


Index. 0201719568T01172002

Preface

Why write a book about hacking? The question is really whether a book about the techniques and tools used to break into a network would be beneficial to the information security community. We, the authors, believe that penetration testing is a valuable and effective means of identifying security holes and weaknesses in a network and computing environment. Understanding how others will try to break into a network offers considerable insight into the common pitfalls and misconfigurations that make networks vulnerable. This insight is essential to creating a comprehensive network security structure.

Some may argue that providing this penetration-testing information gives script kiddies and hackers ammunition to better attack systems. However, script kiddies and hackers already have access to this information or have the time to find it--most of the material presented in this book is available from a variety of sources on the Internet. The problem is that the system and security administrators defending against attacks do not have the time or resources to research the sites necessary to compile this information. We decided to write this book to provide defenders with the information hackers already have. A hacker has to find only one hole to gain unauthorized access. The security group defending against the hackers needs to find all the holes to prevent unauthorized access.

There is no tried-and-true training that can make everyone a security expert, but there are some baseline principles, skills, and tools that must be mastered to become proficient in this field. Our goal is to provide you with those skills in a manner that helps you to understand the structure and tools used and to begin developing your own style of penetration testing.The process described in this book is not the only way to perform a penetration test. We continue to evolve our own methodology to respond to new technologies and threats. This process has worked well for us in the past and continues to be a successful way to evaluate and test network security.

Audience

This book is intended for the security administrators, systems administrators, technology auditors, and other authorized representatives of companies that want to legitimately test their security posture and intrusion detection or incident response capabilities. In addition, other individuals who need to assess systems and network security may find the tools and techniques described in this book useful. It is designed as a beginner's book for enhancing network security through penetration testing. No previous knowledge of penetration testing is required, but an understanding of networking, TCP/IP, Windows NT/2000, network security, and UNIX is needed to be able to execute a penetration test.

A word of caution: Although this book details the processes and tools for performing a penetration test, it does not describe how to do this without alerting network security devices. Many of these techniques will be detected and should not be performed without the written consent of the owners of the target systems. We intend for this book to be not a how-to hack manual but rather a framework for performing a systematic network security review. Intrusion detection mechanisms on most networks today have become very sophisticated and, if configured properly, can be used to track anyone practicing these techniques on a network.

How to Use This Book

The managers of an ever-growing number of companies are beginning to see information security as an issue requiring attention, showing how much of a threat they truly believe exists. In any case, whether you work as part of the security department of a large corporation or as a system administrator with security as part of your job description, knowing how to get into your network is one of the best ways to secure it.

The first part of this book (Chapters 1-4) explains the roles and responsibilities of a penetration-testing professional and the motivation and styles of the hacking community. This information provides insight into why hacking has become so popular with the media and what difficulties are associated with protecting a network. The material is designed to provide background information to support the use of penetration testing as an important part of an overall network security plan. A penetration test not only tests the network's ability to protect information and other assets from unauthorized individuals but also can test the organization's ability to detect such intrusion attempts and its incident response capabilities. We also discuss some of the common pitfalls in technology and defenses that contribute to security weaknesses. A large portion of successful network security breeches could have been avoided if special attention had been given to these issues.

The second part of this book (Chapters 5-10) provides a structured framework for a penetration test. Penetration testing can be broken down into a series of steps that provide an efficient and comprehensive review of individual network segments. Whether the test is an internal or external review, the methodology follows the steps of discovery, scanning, and exploitation. This section outlines methods for finding the target network, identifying possible vulnerable services, exploiting weaknesses, and documenting the results. This methodology yields a test that is structured, efficient, and repeatable. In this section of the book we also introduce various tools that can be used to assist with this methodology. We briefly describe each tool's use and place in testing.

The third section of this book (Chapters 11-16) provides greater detail on the tools that can increase the speed and accuracy of a penetration test. This "tools and techniques" section is presented in a reference format so you can locate a tool by its role in testing and obtain the information necessary to begin using the tool or find the information necessary to do so. A large collection of tools have been released by commercial and open-source programmers that identify vulnerabilities in networks, applications, and/or services and should be used as part of an assessment. While most of them may be identified by an intrusion detection system, they can usually find exposures on your network faster than manual methods. We provide detailed explanations of each tool, including its basic usage and where to get updates. You will find that some programs are described in greater depth than others. We spend more time on the tools that we find more helpful or that reveal the most information. For ease of use, we obtained demo or freeware software for many of the tools covered and included them on the CD-ROM available with this book. This software is intended to give you the opportunity to become familiar with some of the more popular tools and to see which work best for you. This section is designed to help you pick out the right hardware, operating systems, and software to make a testing tool kit.

The last section of this book (Chapters 17-23) moves toward advanced techniques and application testing. You should review this section once you have created and are comfortable with your own tool kit. This section details methods that can be used to evade intrusion detection systems and firewalls, control hosts on target networks remotely, and test Web servers. It also includes a discussion on denial-of-service attacks and a section on how to keep up with the current trends and latest developments in information security. This section contains a list of Web sites and e-mail lists that we used in our research, as well as information on long-term countermeasures to improve security. Finally, we include a brief discussion about future trends within the information technology arena and the possible risks that these trends may produce.

At the end of some chapters are case studies that deal with some of the issues and tools discussed. The case studies detail steps we have followed in real-world penetration-testing engagements to help illustrate how all the pieces of penetration testing fit together. The samples we selected include internal, external, and dial-up testing and reflect different operating systems, vulnerabilities, and exploits in an attempt to demonstrate as many of the techniques discussed in the book as possible. In each case we keep anonymous the name, industry type, and any other information that could be used to identify the parties involved.

--T.J. Klevinsky
--Scott Laliberte
--Ajay Gupta

0201719568P01172002

Foreword

Click below for Forward related to this title:
klevinskyforeword.pdf

Index

Note: Page numbers followed by f indicate figures.

A

Accounts. See specific types

Active security, automated vulnerability scanning in, 169

Active X code, hidden, 47

Administrator accounts
     determining, with user2Sid and sid2User, 286–287
     password vulnerabilities of, 42

Administrator privileges, in default accounts, 34

Alerts, in firewall monitoring, 371

Announced testing
     definition of, 25
     vs. unannounced testing, 26–27

Anonymity, on the Internet, 16–17

Anonymous mail relay, vulnerabilities of, 140–142

AntiSniff, sniffer detection with, 251–254, 253f

Application(s)
     default installations of, vulnerability of, 454–456
     discovery of, in vulnerability analysis, 63, 64f
     holes in, vulnerabilities of, 32
     in internal penetration testing, 104–105
     in UNIX environments, 140–145

Application-based DoS attacks, 405–406
     tools for, 406–412

ARP packets, in resource exhaustion DoS attacks, 389–390

arpredirect, in dsniff, 245

AS400 systems, accessing, with SessionWall-3, 250

AT, in NT testing, 301–302

Attacks
     brute force (See Brute force attacks)
     internal, 3–4
     probability of, 14

Attrition.org, defaced Web site archive of, 6–7, 7t

AuditPol, in NT testing, 292–293

Authentication mechanisms, 433–437
     in tracing computer connections, 17

Authentication services testing
     case study for, 325–328, 327f
     with Web Cracker, 322–323, 322f, 323f
     with wwwhack, 320–321, 321f

Automated hacker tools, script kiddy use of, 12

Automated monitoring, 49–50

Automated vulnerability scanning. See Vulnerability scanning, automated

B

Back doors, installing with Netcat, 298–300

Back Orifice 2000, remote control with, 344–346

Backups, vulnerabilities associated with, 459–461

Banner grabbing
     in application discovery, 63
     definition of, 63
     in dial-in penetration, 88
     in internal penetration, 96
     with NetScanTools, 204–206, 205f

Baseline standards, importance in security architecture, 421

Berkeley Internet Name Domain (BIND) implementations, vulnerabilities of, 32, 485–487

Bindview HackerShield, 180

Biometrics, in secure authentication, 42–43, 434–436

BitchSlap, for application-based DoS attacks, 409

Brute force attacks
     authentication services targeted by, 320–323, 321f–323f
     default accounts targeted by, 34
     FTP targeted by, 35
     lack of monitoring and intrusion detection in, 38
     modems targeted by, 37
     for password cracking, 287–290
     TELNET targeted by, 35
     with Web Cracker, 322–323, 322f, 323f
     with wwwhack, 320–321, 321f

Brutus, in web site testing, 323–325, 324f

Buffer overflow attacks
     for DoS attacks, 410–412
     against IDSs, 355
     in internal penetration testing, 103
     on ISAPI extensions, 471–473
     on remote procedure calls, 482–484
     in UNIX environments, 133, 136–137
     on UNIX Web servers, 143

Bugtraq, vulnerabilities published by, 29, 426

BUTTSniffer, 248–249

bv-control for Internet Security, 180

C

Cain, password cracking with, 266–267, 267f

Caller ID software, in tracing computer connections, 17

CD Universe, credit card hack against, 6

CERT (Computer Emergency Response Team), Internet address for, 5, 426

CGI (Common Gateway Interface)
     scanning for vulnerabilities in, Whisker for, 316–318, 317f
     vulnerabilities of, 33

CGI programs, security issues in, 33, 467–468

Cheops, 148–151, 149f–151f

Cleaning staff scenario, in internal penetration testing, 93

Clear text services, 33
     sniffing, 105–106

Client companies, confidentiality of information from, 24

Common Gateway Interface. See CGI

Common Vulnerabilities and Exposures (CVE) numbers, 452–453

Community strings (SNMP), vulnerabilities of, 45–46, 492–495

Computer(s), unattended, vulnerabilities of, 122

Computer connections, traceability of, 16–17

Computer crimes, media coverage of, 5–6

Computer Emergency Response Team (CERT), Internet address for, 5, 426

Computer forensics, growth of, 439–440

Computer Intrusion Squad, FBI, security survey by, 2–4

Computer Security Institute (CSI), security survey by, 2–4

Computer viruses. See Virus(es)

Concatenated DoS tools, 412–416

Confidential information
     of client companies, 24
     dumpster diving for, 120–121

Configuration errors
     risks from, 30
     in UNIX environments, 145–146

Configuration files, for UNIX, 128–130, 129t

Configuration management, host-based vulnerability scanners in, 169

Consultant scenario, in internal penetration testing, 92–93

Core dump files, vulnerabilities of, 132

Corporate networks, virus susceptibility of, 6

Countermeasures, 419–423
     for DDoS attacks, 400, 403
     for dumpster diving, 123
     for null connections, 273
     packaging of tools for, 442
     for social engineering, 123–124
     for web server DoS attacks, 411–412

Cracker, definition of, 9

Crawl website tool, in Sam Spade, 219–221, 220f

Credit card numbers, publication of, 6

CSI (Computer Security Institute), security survey by, 2–4

Customer service, social engineering attack on, 116–118

CVE (Common Vulnerabilities and Exposures) numbers, 452–453

CyberCop
     configuration of, 171–175, 172f–174f
     for DoS testing, 412–413, 413f
     scanning with, 50, 167–168, 175

Cyber-crime insurance, 442–443

D

Data classification, importance in security architecture, 421

Datapipe.c, 147

Decoy addresses
  &n



Updates

Submit Errata

