Hack I.T pptx


Document information

Hack I.T.: Security Through Penetration Testing

T. J. Klevinsky, Scott Laliberte, Ajay Gupta

Publisher: Addison Wesley
First Edition, February 01, 2002
ISBN: 0-201-71956-8, 544 pages

"This book covers not just the glamorous aspects such as the intrusion act itself, but all of the pitfalls, contracts, clauses, and other gotchas that can occur. The authors have taken their years of trial and error, as well as experience, and documented a previously unknown black art."
- From the Foreword by Simple Nomad, Senior Security Analyst, BindView RAZOR Team

Penetration testing, in which professional "white hat" hackers attempt to break through an organization's security defenses, has become a key defense weapon in today's information systems security arsenal. Through penetration testing, I.T. and security professionals can take action to prevent true "black hat" hackers from compromising systems and exploiting proprietary information.

Hack I.T. introduces penetration testing and its vital role in an overall network security plan. You will learn about the roles and responsibilities of a penetration testing professional, the motivation and strategies of the underground hacking community, and potential system vulnerabilities, along with corresponding avenues of attack. Most importantly, the book provides a framework for performing penetration testing and offers step-by-step descriptions of each stage in the process. The latest information on the necessary hardware for performing penetration testing, as well as an extensive reference on the available security tools, is included.

Comprehensive in scope, Hack I.T. provides in one convenient resource the background, strategies, techniques, and tools you need to test and protect your system before the real hackers attack.
Hack I.T.: Security Through Penetration Testing

Table of Contents

• Foreword
• Preface
  • Audience
  • Authors
  • How to Use This Book
  • Acknowledgments
• Introduction
• 1. Hacking Today
• 2. Defining the Hacker
  • 2.1 Hacker Skill Levels
  • 2.2 Information Security Consultants
  • 2.3 Hacker Myths
  • 2.4 Information Security Myths
• 3. Penetration for Hire
  • 3.1 Ramifications of Penetration Testing
  • 3.2 Requirements for a Freelance Consultant
  • 3.3 Announced vs. Unannounced Penetration Testing
• 4. Where the Exposures Lie
  • 4.1 Application Holes
  • 4.2 Berkeley Internet Name Domain (BIND) Implementations
  • 4.3 Common Gateway Interface (CGI)
  • 4.4 Clear Text Services
  • 4.5 Default Accounts
  • 4.6 Domain Name Service (DNS)
  • 4.7 File Permissions
  • 4.8 FTP and telnet
  • 4.9 ICMP
  • 4.10 IMAP and POP
  • 4.11 Modems
  • 4.12 Lack of Monitoring and Intrusion Detection
  • 4.13 Network Architecture
  • 4.14 Network File System (NFS)
  • 4.15 NT Ports 135-139
  • 4.16 NT Null Connection
  • 4.17 Poor Passwords and User IDs
  • 4.18 Remote Administration Services
  • 4.19 Remote Procedure Call (RPC)
  • 4.20 SENDMAIL
  • 4.21 Services Started by Default
  • 4.22 Simple Mail Transport Protocol (SMTP)
  • 4.23 Simple Network Management Protocol (SNMP) Community Strings
  • 4.24 Viruses and Hidden Code
  • 4.25 Web Server Sample Files
  • 4.26 Web Server General Vulnerabilities
  • 4.27 Monitoring Vulnerabilities
• 5. Internet Penetration
  • 5.1 Network Enumeration/Discovery
  • 5.2 Vulnerability Analysis
  • 5.3 Exploitation
  • Case Study: Dual-Homed Hosts
• 6. Dial-In Penetration
  • 6.1 War Dialing
  • 6.2 War Dialing Method
  • 6.3 Gathering Numbers
  • 6.4 Precautionary Methods
  • 6.5 War Dialing Tools
  • Case Study: War Dialing
• 7. Testing Internal Penetration
  • 7.1 Scenarios
  • 7.2 Network Discovery
  • 7.3 NT Enumeration
  • 7.4 UNIX
  • 7.5 Searching for Exploits
  • 7.6 Sniffing
  • 7.7 Remotely Installing a Hacker Tool Kit
  • 7.8 Vulnerability Scanning
  • Case Study: Snoop the User Desktop
• 8. Social Engineering
  • 8.1 The Telephone
  • 8.2 Dumpster Diving
  • 8.3 Desktop Information
  • 8.4 Common Countermeasures
• 9. UNIX Methods
  • 9.1 UNIX Services
  • 9.2 Buffer Overflow Attacks
  • 9.3 File Permissions
  • 9.4 Applications
  • 9.5 Misconfigurations
  • 9.6 UNIX Tools
  • Case Study: UNIX Penetration
• 10. The Tool Kit
  • 10.1 Hardware
  • 10.2 Software
  • 10.3 VMware
• 11. Automated Vulnerability Scanners
  • 11.1 Definition
  • 11.2 Testing Use
  • 11.3 Shortfalls
  • 11.4 Network-Based and Host-Based Scanners
  • 11.5 Tools
  • 11.6 Network-Based Scanners
  • 11.7 Host-Based Scanners
  • 11.8 Pentasafe VigilEnt
  • 11.9 Conclusion
• 12. Discovery Tools
  • 12.1 WS_Ping ProPack
  • 12.2 NetScanTools
  • 12.3 Sam Spade
  • 12.4 Rhino9 Pinger
  • 12.5 VisualRoute
  • 12.6 Nmap
  • 12.7 What's running
• 13. Port Scanners
  • 13.1 Nmap
  • 13.2 7th Sphere Port Scanner
  • 13.3 Strobe
  • 13.4 SuperScan
• 14. Sniffers
  • 14.1 Dsniff
  • 14.2 Linsniff
  • 14.3 Tcpdump
  • 14.4 BUTTSniffer
  • 14.5 SessionWall-3 (Now eTrust Intrusion Detection)
  • 14.6 AntiSniff
• 15. Password Crackers
  • 15.1 L0phtCrack
  • 15.2 pwdump2
  • 15.3 John the Ripper
  • 15.4 Cain
  • 15.5 ShowPass
• 16. Windows NT Tools
  • 16.1 NET USE
  • 16.2 Null Connection
  • 16.3 NET VIEW
  • 16.4 NLTEST
  • 16.5 NBTSTAT
  • 16.6 epdump
  • 16.7 NETDOM
  • 16.8 Getmac
  • 16.9 Local Administrators
  • 16.10 Global ("Domain Admins")
  • 16.11 Usrstat
  • 16.12 DumpSec
  • 16.13 user2Sid/sid2User
  • 16.14 NetBIOS Auditing Tool (NAT)
  • 16.15 SMBGrind
  • 16.16 SRVCHECK
  • 16.17 SRVINFO
  • 16.18 AuditPol
  • 16.19 REGDMP
  • 16.20 Somarsoft DumpReg
  • 16.21 Remote
  • 16.22 Netcat
  • 16.23 SC
  • 16.24 AT
  • 16.25 FPipe
  • Case Study: Weak Passwords
  • Case Study: Internal Penetration to Windows
• 17. Web-Testing Tools
  • 17.1 Whisker
  • 17.2 SiteScan
  • 17.3 THC Happy Browser
  • 17.4 wwwhack
  • 17.5 Web Cracker
  • 17.6 Brutus
  • Case Study: Compaq Management Agents Vulnerability
• 18. Remote Control
  • 18.1 pcAnywhere
  • 18.2 Virtual Network Computing
  • 18.3 NetBus
  • 18.4 Back Orifice 2000
• 19. Intrusion Detection Systems
  • 19.1 Definition
  • 19.2 IDS Evasion
  • 19.3 Pitfalls
  • 19.4 Traits of Effective IDSs
  • 19.5 IDS Selection
• 20. Firewalls
  • 20.1 Definition
  • 20.2 Monitoring
  • 20.3 Configuration
  • 20.4 Change Control
  • 20.5 Firewall Types
  • 20.6 Network Address Translation
  • 20.7 Evasive Techniques
  • 20.8 Firewalls and Virtual Private Networks
  • Case Study: Internet Information Server Exploit: MDAC
• 21. Denial-of-Service Attacks
  • 21.1 Resource Exhaustion Attacks
  • 21.2 Port Flooding
  • 21.3 SYN Flooding
  • 21.4 IP Fragmentation Attacks
  • 21.5 Distributed Denial-of-Service Attacks
  • 21.6 Application-Based DoS Attacks
  • 21.7 Concatenated DoS Tools
  • 21.8 Summary
• 22. Wrapping It Up
  • 22.1 Countermeasures
  • 22.2 Keeping Current
• 23. Future Trends
  • 23.1 Authentication
  • 23.2 Encryption
  • 23.3 Public Key Infrastructure
  • 23.4 Distributed Systems
  • 23.5 Forensics
  • 23.6 Government Regulation
  • 23.7 Hacking Techniques
  • 23.8 Countermeasures
  • 23.9 Cyber-Crime Insurance
• A. CD-ROM Contents
  • Organization of the CD-ROM
  • Compilation of Programs
• B. The Twenty Most Critical Internet Security Vulnerabilities: The Experts' Consensus (The SANS Institute)
  • G1: Default Installs of Operating Systems and Applications
  • G2: Accounts with No Passwords or Weak Passwords
  • G3: Non-existent or Incomplete Backups
  • G4: Large Number of Open Ports
  • G5: Not Filtering Packets for Correct Incoming and Outgoing Addresses
  • G6: Non-existent or Incomplete Logging
  • G7: Vulnerable CGI Programs
  • W1: Unicode Vulnerability (Web Server Folder Traversal)
  • W2: ISAPI Extension Buffer Overflows
  • W3: IIS RDS Exploit (Microsoft Remote Data Services)
  • W4: NETBIOS: Unprotected Windows Networking Shares
  • W5: Information Leakage Via Null Session Connections
  • W6: Weak Hashing in SAM (LM Hash)
  • U1: Buffer Overflows in RPC Services
  • U2: Sendmail Vulnerabilities
  • U3: Bind Weaknesses
  • U4: R Commands
  • U5: LPD (Remote Print Protocol Daemon)
  • U6: Sadmind and Mountd
  • U7: Default SNMP Strings
  • Appendix A: Common Vulnerable Ports
  • Appendix B: The Experts Who Helped Create the Top Ten and Top Twenty Internet Vulnerability Lists

Hack I.T.: Security Through Penetration Testing

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and Addison-Wesley, Inc. was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals.

The authors and publisher have taken care in the preparation of this book, but they make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.

The publisher offers discounts on this book when ordered in quantity for special sales. For more information, please contact:
Pearson Education Corporate Sales Division
201 W. 103rd Street
Indianapolis, IN 46290
(800) 428-5331
corpsales@pearsoned.com

Visit AW on the Web: www.aw.com/cseng/

Library of Congress Cataloging-in-Publication Data
Klevinsky, T.J.
Hack I.T. : security through penetration testing / T.J. Klevinsky, Scott Laliberte, Ajay Gupta.
p. cm.
Includes index.
ISBN 0-201-71956-8 (pbk.)
1. Computer security. 2. Computer—Access control—Testing. I. Laliberte, Scott. II. Gupta, Ajay. III. Title.
QA76.9.A25 K56 2002
005.8—dc21 2001056058

Copyright © 2002 by Pearson Education, Inc. All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form, or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior consent of the publisher. Printed in the United States of America. Published simultaneously in Canada.

For information on obtaining permission for use of material from this work, please submit a written request to:
Pearson Education, Inc.
Rights and Contracts Department
75 Arlington Street, Suite 300
Boston, MA 02116
Fax: (617) 848-7047

[...]

... genius-level hackers (first tier), many more second-tier hackers, and a large population in the third tier. Within our categorization, we discuss their capabilities and motivations.

2.1 Hacker Skill Levels

2.1.1 First-Tier Hackers

First-tier hackers are programmers who have the ability to find unique vulnerabilities in existing software and to create working exploit code. These hackers, ...

[...]

All hackers are the same. This myth is borne out of a lack of knowledge among the general public about the hacker community. All hackers are not the same. As mentioned above, different hackers focus on different technologies and have different purposes and skill levels. Some hackers have malicious intent; some don't. They are not all teenagers who spend far too much time in front of a computer. Not all hackers ...

[...]

2.3 Hacker Myths

All the perceptions of hackers and their portrayal in movies and entertainment have led to the development of "hacker myths." These myths involve common misconceptions about hackers and can lead to misconceptions about how to defend against them. Here we have attempted to identify some of these myths and dispel common misconceptions.

1. Hackers are a well-organized, ...

[...]

... computer-savvy friends. Often one first-tier hacker creates the programs and other members of the team run them against target networks. This creates a reputation for the group rather than a single individual.

2.1.2 Second-Tier Hackers

Hackers in this tier have a technical skill level equivalent to that of system administrators. Tier-two hackers are far more common than tier-one hackers and may have experience with ...

[...]

... its source code. In May 1999, the FBI investigated several hacking groups based in the United States. After the FBI seized a suspected teenage hacker's computer, several hacker groups retaliated by defacing government Web sites. At one point, a DoS attack caused the FBI Web site to be taken offline for seven days.[5] In January 2000, an Internet hacker threatened CD Universe, stating that if the company ...

[...]

... prepackaged hacking tools downloaded from the Internet to do their hacking. Script kiddies are usually individuals who are intrigued by the notion of gaining unauthorized access and are open to using untested pieces of code, especially while others (target networks and users) are at risk. For this reason, tier-three hackers get the least respect but are often the most annoying and dangerous. Tier-three hackers ...

[...]

... refer to malicious computer hackers. Unfortunately, the media and general population have given the term hacker a negative connotation, so we use it to describe any person who attempts to access a system through unauthorized channels. This chapter also presents a profile of information security professionals and discusses popular hacker and information security myths. Categorizing hackers by the technology ...

[...]

Hackers are a well-organized, malicious group. There is indeed a community within the hacker underground. There are hacking-related groups such as Alt-2600 and Cult of the Dead Cow, IRC "hacking" channels, and related newsgroups. However, these groups are not formed into a well-organized group that targets specific networks for hacking. They share a common interest in methods for avoiding security defenses and ...

[...]

Those who believe writing such a book is dangerous since it may result in teaching people how to hack do not see the value in improving security through testing and measuring defenses against the techniques of opponents. Hackers already know how to hack and have the time and energy to research (and develop) hacking techniques. The good guys, who are busy battling the day-to-day fires of maintaining the ...

[...]

... are actively involved in developing technologies that can be used to improve overall network security, such as hackers from the ISS X-Force, the Bindview Razor Team, and the AXENT SWAT team (AXENT has been purchased by Symantec). Tier-one hackers can work independently or through a network of hacking teams that run exploits from a variety of locations, making it difficult to trace the activities back ...

[...]

... representatives of companies that want to legitimately test their security posture and intrusion detection or incident response capabilities. In addition, other ...

[...]

This insight is essential to creating a comprehensive network security structure. Some may argue that providing this penetration-testing information gives ...

Posted: 07/03/2014, 16:20

