Document: HACKING EXPOSED: NETWORK SECURITY SECRETS AND SOLUTIONS, THIRD EDITION (doc)


Document information

Posted: 14/02/2014, 08:20

HACKING EXPOSED: NETWORK SECURITY SECRETS AND SOLUTIONS, THIRD EDITION

STUART McCLURE
JOEL SCAMBRAY
GEORGE KURTZ

Osborne/McGraw-Hill
New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi San Juan Seoul Singapore Sydney Toronto

ProLib8 / Hacking Exposed: Network Security Secrets and Solutions, Third Edition / McClure, Scambray & Kurtz / 9381-6 / FrontMatter
P:\010Comp\Hacking\381-6\fm.vp Monday, September 10, 2001 2:11:09 PM

Osborne/McGraw-Hill
2600 Tenth Street
Berkeley, California 94710
U.S.A.

To arrange bulk purchase discounts for sales promotions, premiums, or fund-raisers, please contact Osborne/McGraw-Hill at the above address. For information on translations or book distributors outside the U.S.A., please see the International Contact Information page immediately following the index of this book.

Hacking Exposed: Network Security Secrets and Solutions, Third Edition
Copyright © 2001 by The McGraw-Hill Companies. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

1234567890 CUS CUS 01987654321

Book p/n 0-07-219382-4 and CD p/n 0-07-219383-2
parts of ISBN 0-07-219381-6

Publisher: Brandon A. Nordin
Vice President & Associate Publisher: Scott Rogers
Acquisitions Editor: Jane K. Brownlow
Project Editor: LeeAnn Pickrell
Acquisitions Coordinator: Emma Acker
Technical Editors: Tom Lee, Eric Schultze
Copy Editor: Janice A. Jue
Proofreaders: Stefany Otis, Linda Medoff, Paul Medoff
Indexer: Karin Arrigoni
Computer Designers: Carie Abrew, Elizabeth Jang, Melinda Lytle
Illustrators: Michael Mueller, Lyssa Wald
Series Design: Dick Schwartz, Peter F. Hancik
Cover Design: Dodie Shoemaker

This book was composed with Corel VENTURA™ Publisher.

Information has been obtained by Osborne/McGraw-Hill from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, Osborne/McGraw-Hill, or others, Osborne/McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from use of such information.

CHAPTER 1
Footprinting

Before the real fun for the hacker begins, three essential steps must be performed. This chapter will discuss the first one—footprinting—the fine art of gathering target information. For example, when thieves decide to rob a bank, they don’t just walk in and start demanding money (not the smart ones, anyway). Instead, they take great pains in gathering information about the bank—the armored car routes and delivery times, the video cameras, and the number of tellers, escape exits, and anything else that will help in a successful misadventure.

The same requirement applies to successful attackers. They must harvest a wealth of information to execute a focused and surgical attack (one that won’t be readily caught). As a result, attackers will gather as much information as possible about all aspects of an organization’s security posture.
Hackers end up with a unique footprint or profile of their Internet, remote access, and intranet/extranet presence. By following a structured methodology, attackers can systematically glean information from a multitude of sources to compile this critical footprint on any organization.

WHAT IS FOOTPRINTING?

The systematic footprinting of an organization enables attackers to create a complete profile of an organization’s security posture. By using a combination of tools and techniques, attackers can take an unknown quantity (Widget Company’s Internet connection) and reduce it to a specific range of domain names, network blocks, and individual IP addresses of systems directly connected to the Internet. While there are many types of footprinting techniques, they are primarily aimed at discovering information related to the following environments: Internet, intranet, remote access, and extranet. Table 1-1 depicts these environments and the critical information an attacker will try to identify.

Why Is Footprinting Necessary?

Footprinting is necessary to systematically and methodically ensure that all pieces of information related to the aforementioned technologies are identified. Without a sound methodology for performing this type of reconnaissance, you are likely to miss key pieces of information related to a specific technology or organization. Footprinting is often the most arduous task of trying to determine the security posture of an entity; however, it is one of the most important.
Footprinting must be performed accurately and in a controlled fashion.

INTERNET FOOTPRINTING

While many footprinting techniques are similar across technologies (Internet and intranet), this chapter will focus on footprinting an organization’s Internet connection(s). Remote access will be covered in detail in Chapter 9.

It is difficult to provide a step-by-step guide on footprinting because it is an activity that may lead you down several paths. However, this chapter delineates basic steps that should allow you to complete a thorough footprint analysis. Many of these techniques can be applied to the other technologies mentioned earlier.

Table 1-1. Environments and the Critical Information Attackers Can Identify

Technology      Identifies
Internet        Domain name
                Network blocks
                Specific IP addresses of systems reachable via the Internet
                TCP and UDP services running on each system identified
                System architecture (for example, SPARC vs. X86)
                Access control mechanisms and related access control lists (ACLs)
                Intrusion detection systems (IDSes)
                System enumeration (user and group names, system banners, routing tables, SNMP information)
Intranet        Networking protocols in use (for example, IP, IPX, DecNET, and so on)
                Internal domain names
                Network blocks
                Specific IP addresses of systems reachable via intranet
                TCP and UDP services running on each system identified
                System architecture (for example, SPARC vs. X86)
                Access control mechanisms and related access control lists (ACLs)
                Intrusion detection systems
                System enumeration (user and group names, system banners, routing tables, SNMP information)
Remote access   Analog/digital telephone numbers
                Remote system type
                Authentication mechanisms
                VPNs and related protocols (IPSEC, PPTP)
Extranet        Connection origination and destination
                Type of connection
                Access control mechanism

Step 1. Determine the Scope of Your Activities

The first item to address is to determine the scope of your footprinting activities. Are you going to footprint an entire organization, or are you going to limit your activities to certain locations (for example, corporate vs. subsidiaries)? In some cases, it may be a daunting task to determine all the entities associated with a target organization. Luckily, the Internet provides a vast pool of resources you can use to help narrow the scope of activities and also provides some insight as to the types and amount of information publicly available about your organization and its employees.

Open Source Search
Popularity: 9
Simplicity: 9
Impact: 2
Risk Rating: 7

As a starting point, peruse the target organization’s web page if they have one. Many times an organization’s web page provides a ridiculous amount of information that can aid attackers. We have actually seen organizations list security configuration options for their firewall system directly on their Internet web server.
Other items of interest include

▼ Locations
■ Related companies or entities
■ Merger or acquisition news
■ Phone numbers
■ Contact names and email addresses
■ Privacy or security policies indicating the types of security mechanisms in place
▲ Links to other web servers related to the organization

In addition, try reviewing the HTML source code for comments. Many items not listed for public consumption are buried in HTML comment tags such as “<,” “!,” and “--.” Viewing the source code offline may be faster than viewing it online, so it is often beneficial to mirror the entire site for offline viewing. Having a copy of the site locally may allow you to programmatically search for comments or other items of interest, thus making your footprinting activities more efficient. Wget (http://www.gnu.org/software/wget/wget.html) for UNIX and Teleport Pro (http://www.tenmax.com/teleport/home.htm) for Windows are great utilities to mirror entire web sites.

After studying web pages, you can perform open source searches for information relating to the target organization. News articles, press releases, and so on, may provide additional clues about the state of the organization and their security posture. Web sites such as finance.yahoo.com or http://www.companysleuth.com provide a plethora of information. If you are profiling a company that is mostly Internet based, you may find by searching for related news stories that they have had numerous security incidents. Using your web search engine of choice will suffice for this activity.
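Mirroring a site and then programmatically searching the copy for comments, as described above, is just as useful from the defender's side: running the same check against a mirror of your own web site is the practical form of the countermeasure this chapter gives for Step 1 (remove unnecessary information from your web pages). The following Python script is an added example and is not code from the book; it assumes the site has already been mirrored to a local directory (for example with wget), and the keyword list and the sample pages it audits are constructed for illustration.

```python
"""Audit a mirrored web site for HTML comments that leak internal details.

Added example for the comment-review step above; not code from the book.
It assumes the site has already been mirrored to a local directory (for
example with wget) and walks that directory looking for comments.
"""
import os
import re
import tempfile

# An HTML comment; DOTALL lets a comment span several lines.
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)

# Words that usually mean a comment was never meant for the public.
# Constructed list; extend it for your own environment.
SENSITIVE_KEYWORDS = (
    "password", "passwd", "todo", "fixme", "internal", "admin",
    "firewall", "debug", "staging", "acl", "ip address",
)


def find_html_comments(html):
    """Return (line_number, comment_text) for every comment in an HTML string."""
    results = []
    for match in COMMENT_RE.finditer(html):
        # 1-based line number of the comment's opening "<!--".
        line_no = html.count("\n", 0, match.start()) + 1
        text = " ".join(match.group(1).split())  # collapse whitespace
        results.append((line_no, text))
    return results


def is_sensitive(comment, keywords=SENSITIVE_KEYWORDS):
    """True if the comment mentions any keyword (case-insensitive)."""
    lowered = comment.lower()
    return any(k in lowered for k in keywords)


def audit_mirror(root, keywords=SENSITIVE_KEYWORDS):
    """Walk a mirrored site and return flagged comments as
    (relative_path, line_number, comment_text) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith((".html", ".htm")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                html = fh.read()
            for line_no, text in find_html_comments(html):
                if is_sensitive(text, keywords):
                    findings.append((os.path.relpath(path, root), line_no, text))
    return findings


# Constructed sample pages standing in for a wget mirror.
SAMPLE_PAGES = {
    "index.html": (
        "<html><head><title>Widget Co</title></head>\n"
        "<body>\n"
        "<!-- Copyright 2001 Widget Co -->\n"
        "<p>Welcome</p>\n"
        "<!-- TODO: remove before launch, admin login is at /admin-old\n"
        "     default password still set -->\n"
        "</body></html>\n"
    ),
    "about/team.html": (
        "<html><body>\n"
        "<!-- internal: PBX contact is ext 4421 -->\n"
        "<p>Our team</p>\n"
        "</body></html>\n"
    ),
}


def build_sample_mirror():
    """Write the constructed pages to a temporary directory; return its path."""
    root = tempfile.mkdtemp(prefix="mirror_")
    for rel, html in SAMPLE_PAGES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(html)
    return root


if __name__ == "__main__":
    mirror = build_sample_mirror()
    for rel_path, line_no, text in audit_mirror(mirror):
        print(f"{rel_path}:{line_no}: {text}")
```

Point audit_mirror at the directory wget created and review every hit; the benign "Copyright" comment is ignored while the two comments that mention a TODO, an admin path, a default password and an internal extension are reported with file and line so they can be removed from the published pages.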
However, there are more advanced searching tools and criteria you can use to uncover additional information. The FerretPRO suite of search tools from FerretSoft (http://www.ferretsoft.com) is one of our favorites. WebFerretPRO enables you to search many different search engines simultaneously. In addition, other tools in the suite allow you to search IRC, USENET, email, and file databases looking for clues. Also, if you’re looking for a free solution to search multiple search engines, check out http://www.dogpile.com.

Searching USENET for postings related to @example.com often reveals useful information. In one case, we saw a posting from a system administrator’s work account regarding his new PBX system. He said this switch was new to him, and he didn’t know how to turn off the default accounts and passwords. We’d hate to guess how many phone phreaks were salivating over the prospect of making free calls at that organization. Needless to say, you can gain additional insight into the organization and the technical prowess of its staff just by reviewing their postings.

Lastly, you can use the advanced searching capabilities of some of the major search engines like AltaVista or Hotbot. These search engines provide a handy facility that allows you to search for all sites that have links back to the target organization’s domain. This may not seem significant at first, but let’s explore the implications. Suppose someone in an organization decides to put up a rogue web site at home or on the target network’s site. This web server may not be secure or sanctioned by the organization.
So we can begin to look for potential rogue web sites just by determining which sites actually link to the target organization’s web server, as shown in Figure 1-1. You can see that the search returned all sites that link back to http://www.l0pht.com and that contain the word “hacking.” So you could easily use this search facility to find sites linked to your target domain.

The last example, depicted in Figure 1-2, allows you to limit your search to a particular site. In our example, we searched http://www.l0pht.com for all occurrences of “mudge.” This query could easily be modified to search for other items of interest.

Obviously, these examples don’t cover every conceivable item to search for during your travels—be creative. Sometimes the most outlandish search yields the most productive results.

EDGAR Search

For targets that are publicly traded companies, you can consult the Securities and Exchange Commission (SEC) EDGAR database at http://www.sec.gov, as shown in Figure 1-3.

One of the biggest problems organizations have is managing their Internet connections, especially when they are actively acquiring or merging with other entities. So it is important to focus on newly acquired entities. Two of the best SEC publications to review are the 10-Q and 10-K. The 10-Q is a quick snapshot of what the organization has done over the last quarter. This update includes the purchase or disposition of other entities. The 10-K is a yearly update of what the company has done and may not be as timely as the 10-Q. It is a good idea to peruse these documents by searching for “subsidiary” or “subsequent events.” This may provide you with information on a newly acquired entity. Often organizations will scramble to connect the acquired entities to their corporate network with little regard for security.
So it is likely that you may be able to find security weaknesses in the acquired entity that would allow you to leapfrog into the parent company. Attackers are opportunistic and are likely to take advantage of the chaos that normally comes with combining networks.

Figure 1-1. With the AltaVista search engine, use the link:www.example.com directive to query all sites with links back to the target domain.

With an EDGAR search, keep in mind that you are looking for entity names that are different from the parent company. This will become critical in subsequent steps when you perform organizational queries from the various whois databases available (see “Step 2. Network Enumeration”).

Countermeasure: Public Database Security

Much of the information discussed earlier must be made publicly available; this is especially true for publicly traded companies. However, it is important to evaluate and classify the type of information that is publicly disseminated. The Site Security Handbook (RFC 2196) can be found at http://www.ietf.org/rfc/rfc2196.txt and is a wonderful resource for many policy-related issues. Finally, remove any unnecessary information from your web pages that may aid an attacker in gaining access to your network.

Figure 1-2. With AltaVista, use the host:example.com directive to query the site for the specified string (for example, “mudge”).

Step 2. Network Enumeration
Popularity: 9
Simplicity: 9
Impact: 5
Risk Rating: 8

The first step in the network enumeration process is to identify domain names and associated networks related to a particular organization. Domain names represent the

Figure 1-3. The EDGAR database allows you to query public documents, providing important insight into the breadth of the organization by identifying its associated entities.

[...] with X and GTK+ GUI toolkit. Table 1-2. Whois Searching Techniques and Data Sources [...] from their web site [...] database handle. The handle we are searching for is [...] than looking for just a domain name. We must use the keyword “name” and submit the query to Network Solutions:

[bash]$ whois "name Acme Networks"@whois.networksolutions.com
Acme Networks (NAUTILUS-AZ-DOM) [...]
Acme Networks NAUTILUS-NJ.COM (WINDOWS4-DOM) [...]
[...] technical support person [...] The record creation and modification dates indicate [...] all instances of the entity name and is broader [...] than looking for just [...] generate fake [...] responses. Finally, depending on your site’s security paradigm, [...] violation of the RFC, which states that DNS [...] queries greater than 512 bytes will [...]

[...] traffic. A good starting port number [...] would be UDP port 53 (DNS queries) [...] Not all footprinting functions must be performed through UNIX commands. A number of Windows products provide the [...] tasks [...] utility will recursively transfer zone information and create a compressed database of zone and host files.