Figure 9.8 System Status Hardware modules. The Hardware modules are defined as follows: Cmos Contents. This module reports crucial troubleshooting information from the system CMOS nonvolatile RAM (see Figure 9.9). CMOS, or complementary metal oxide semiconductor, is the semiconductor technology used in the transistors manufactured into computer microchips. An important part of configuration troubleshooting is the information recorded in Cmos Contents, such as the char- acteristics, addresses, and interrupt requests (IRQs) of devices. This component is helpful when information is gathered before a TigerBox-compatible operating system is installed. On some newer systems or systems with personal protec- tion, the Cmos contents are protected and will therefore come up blank. Figure 9.9 Cmos Contents module. TigerSuite 4.0 263 Figure 9.10 Disk Space Info and Volume Info modules. Drives: Disk Space Info and Volume Info. These modules (see Figure 9.10) report important data statistics about the current condition of hard drive disk space and volume data. The information provided here facilitates a partitioning scheme before a TigerBox-compatible operating system is installed. Memory Status, Power Status, and Processor Info. These modules (see Figure 9.11) provide crucial memory, power, and processor status before, during, and after a security analysis and/or a penetration-testing sequence. From the data gathered, an average baseline can be predicted regarding how many threads can be initialized during a scanning analysis, how many discovery modules can operate simultaneously, how many network addresses can be tested simultaneously, and much more. Figure 9.11 Memory Status, Power Status, and Processor Info modules. 264 Chapter 9 System Status Internetworking Modules The system status internetworking sniffer modules can be activated by clicking on the mini-TigerSuite icon in the taskbar, then System Status, and finally Internetworking from the submenu of choices (see Figure 9.12). Recall that a network sniffer can be an invaluable tool for diagnosing network problems—to see what is going on behind the scenes, so to speak—during host-to-node communication. A sniffer captures the data coming in and going out of the NIC or modem and displays that information in a table. The internetworking modules are defined as follows: IP Stats. This module (see Figure 9.13) gathers current statistics on header errors, interface IP routes, datagrams, fragments, and reassemblies. Remember, IP is a protocol designed to interconnect networks to form an internet for passing data back and forth. IP contains addressing and control information that enable pack- ets to be routed through an internet. The equipment that encounters these pack- ets (e.g., routers) strip off and examine the headers that contain the sensitive routing information. Then, these headers are modified and reformulated as a packet to be passed along. IP datagrams are the primary information units in the Internet. IP’s responsibilities also include the fragmentation and reassembly of datagrams to support links with different transmission sizes. Packet headers contain control information (route specifications) and user data. This informa- tion can be copied, modified, and/or spoofed. ICMP Stats. This module (see Figure 9.14) collects current ICMP messages com- ing in and going out the network interface, after which it is typically used with flooders and spoofers. The ICMP sends message packets, reporting errors, and other pertinent information back to the sending station, or source. Hosts and infrastructure equipment use the ICMP to communicate control and error infor- mation as it pertains to IP packet processing. ICMP message encapsulation is a twofold process: As they travel across the Internet, messages are encapsulated in IP datagrams, which are encapsulated in frames. Basically, ICMP uses the same unreliable means of communications as a datagram. Therefore, ICMP error mes- sages may be lost or duplicated. The following ICMP messages are the ones that we’re concerned with. Figure 9.12 Launching the system status internetworking sniffer modules. TigerSuite 4.0 265 Figure 9.13 IP Stats module. ■■ Echo Reply (Type 0)/Echo Request (Type 8). The basic mechanism for testing possible communication between two nodes. The receiving station, if avail- able, is asked to reply to the Packet INternet Groper (PING), a protocol for testing whether a particular computer IP address is active. By using ICMP, PING sends a packet to its IP address and waits for a response. Figure 9.14 ICMP Stats module. 266 Chapter 9 ■■ Destination Unreachable (Type 3). There are several issuances for this message type, including when a router or gateway does not know how to reach the destination, when a protocol or application is not active, when a datagram specifies an unstable route, or when a router must fragment the size of a datagram and cannot because the Don’t Fragment Flag is set. ■■ Source Quench (Type 4). A basic form of flow control for datagram delivery. When datagrams arrive too quickly at a receiving station to process, the datagrams are discarded. During this process, for every datagram that has been dropped, an ICMP Type 4 message is passed along to the sending sta- tion. The Source Quench messages actually become requests, to slow down the rate at which datagrams are sent. On the flip side, Source Quench mes- sages do not have a reverse effect, whereas the sending station will increase the rate of transmission. ■■ Route Redirect (Type 5). Routing information is exchanged periodically to accommodate network changes and to keep routing tables up to date. When a router identifies a host that is using a nonoptional route, the router sends an ICMP Type 5 message while forwarding the datagram to the desti- nation network. As a result, routers can send Type 5 messages only to hosts directly connected to their networks. ■■ Datagram Time Exceeded (Type 11). A gateway or router will emit a Type 11 message if it is forced to drop a datagram because the Time-to-Live (TTL) field is set to 0. Basically, if the router detects the TTL = 0 field when inter- cepting a datagram, it will be forced to discard that datagram and send an ICMP message Type 11. ■■ Datagram Parameter Problem (Type 12). This message type specifies a problem with the datagram header that is impeding further processing. The data- gram will be discarded and a Type 12 message will be transmitted. ■■ Timestamp Request (Type 13)/Timestamp Reply (Type 14). These message types provide a means for delay tabulation of the network. The sending station injects a send timestamp (the time that the message was sent); the receiving station will append a receive timestamp to compute an estimated delay time and assist in their internal clock synchronization. ■■ Information Request (Type 15)/Information Reply (Type 16). Stations use Type 15 and Type 16 messages to obtain an Internet address for a network to which they are attached. The sending station will emit the message, with the net- work portion of the Internet address, and wait for a response, with the host portion (its IP address) filled in. ■■ Address Mask Request (Type 17)/Address Mask Reply (Type 18). Similar to an Information Request/Reply, stations can send Type 17 and Type 18 mes- sages to obtain the subnet mask of the network to which they are attached. Stations may submit this request to a known node, such as a gateway or router, or they may broadcast the request to the network. TigerSuite 4.0 267 Figure 9.15 TCP Stats module. Network Parameters. This module is used primarily for locating information at a glance. The information provided is beneficial for detecting successful config- uration spoofing modifications and current routing/network settings before performing a penetration attack. TCP Stats. IP has many weaknesses, including unreliable packet delivery (pack- ets may be dropped with transmission errors, bad routes, and/or throughput degradation). TCP helps reconcile these problems by providing reliable, stream- oriented connections. In fact, TCP/IP is based primarily on TCP functionality, which is based on IP, to make up the TCP/IP suite. These features describe a connection-oriented process of communication establishment. TCP organizes and counts bytes in the data stream with a 32-bit sequence number. Every TCP packet contains a starting sequence number (first byte) and an acknowledgment number (last byte). A concept known as a sliding window is implemented to make stream transmissions more efficient. The sliding window uses bandwidth more effectively, as it will allow the transmission of multiple packets before an acknowledgment is required. TCP flooding is a common form of malicious attack on network interfaces; as a result, the TCP Stats module (see Figure 9.15) was developed to monitor and verify such activity. UDP Stats. UDP provides multiplexing and demultiplexing between protocol and application software. Multiplexing is the concurrent transmission of multiple signals into an input stream across a single physical channel. Demultiplexing is the separation of multiplexed streams that back into multiple output streams. Multiplexing and demultiplexing, as they pertain to UDP, transpire through ports. Each station application must negotiate a port number before sending a UDP datagram. When UDP is on the receiving side of a datagram, it checks the 268 Chapter 9 header (destination port field) to determine whether it matches one of the sta- tion’s ports currently in use. If the port is in use by a listening application, the transmission will proceed. If the port is not in use, an ICMP error message will be generated and the datagram will be discarded. Other common flooding attacks on target network interfaces involve UDP overflow strikes. The UDP Stats module (see Figure 9.16) monitors and verifies such attacks for proactive reporting and testing successful completions. TigerBox Toolkit Accessing the TigerBox Toolkit utilities is a simple matter of clicking on the mini-Tiger- Suite icon in the taskbar, then TigerBox Toolkit, and finally Tools from the submenu of choices (as shown in Figure 9.17). TigerBox Tools The TigerBox tools described in this section are designed for performing network dis- coveries; they include modules that provide finger, DNS, hostname, nameserver (NS) lookup, trace route, and WhoIs queries. Each tool is intended to work with any exist- ing router, bridge, switch, hub, personal computer, workstation, and server. Detailed discovery reporting, compatible with any Web browser, makes these tools excellent resources for inventory, as well as for management. The output gathered from these utilities is imperative for the information discovery phase of a professional security assessment. The utilities are defined as follows: Finger Query. A finger query is a client daemon module for querying a fingerd (finger daemon) that accepts and handles finger requests. If an account can be fingered, inspecting the account will return predisposed information, such as the real name of the account holder and the last time he or she logged in to that account. Typically, .edu, .net, and .org accounts utilize finger server daemons that can be queried. Some accounts, however, do not employ a finger server daemon because of host system security or operational policies. Finger daemons have become a popular target of NIS DoS attacks because the standard finger daemon will willingly look for similar matches. Figure 9.16 UDP Stats module. TigerSuite 4.0 269 Figure 9.17 Launching TigerBox Toolkit Tools. DNS Query. The DNS is used primarily to translate between domain names and their IP addresses, as well as to control Internet e-mail delivery, HTTP requests, and domain forwarding. The DNS directory service consists of DNS data, DNS servers, and Internet protocols for fetching data from the servers. The records in the DNS directory are split into files, or zones, which are kept on authoritative servers distributed all over the Internet to answer queries according to the DNS network protocol. Also, most servers are authoritative for some zones and per- form a caching function for all other DNS information. The DNS Query module (see Figure 9.18) performs DNS queries to obtain indispensable discovery infor- mation—usually one of the first steps in a hacker’s course of action. DNS resource record types include the following: A: Address. Defined in RFC 1035. AAAA: IPv6 Address. Defined in RFC 1886. AFSDB: AFS Database Location. Defined in RFC 1183. CNAME: Canonical Name. Defined in RFC 1035. GPOS: Geographical position. Defined in RFC 1712; now obsolete. HINFO: Host Information. Defined in RFC 1035. ISDN. Defined in RFC 1183. KEY: Public Key. Defined in RFC 2065. KX: Key Exchanger. Defined in RFC 2230. LOC: Location. Defined in RFC 1876. MB: Mailbox. Defined in RFC 1035. MD: Mail Destination. Defined in RFC 1035; now obsolete. MF: Mail Forwarder. Defined in RFC 1035; now obsolete. MG: Mail Group Member. Defined in RFC 1035. 270 Chapter 9 MINFO: Mailbox or Mail List Information. Defined in RFC 1035. MR: Mail Rename Domain Name. Defined in RFC 1035. MX: Mail Exchanger. Defined in RFC 1035. NS: Name Server. Defined in RFC 1035. NSAP: Network Service Access Point Address. Defined in RFC 1348; redefined in RFCs 1637 and 1706. NSAP-PTR: Network Service Access Protocol. Defined in RFC 1348; now obsolete. NULL. Defined in RFC 1035. NXT: Next. Defined in RFC 2065. PTR: Pointer. Defined in RFC 1035. PX: Pointer to X.400/RFC 822 Information. Defined in RFC 1664. RP: Responsible Person. Defined in RFC 1183. RT: Route Through. Defined in RFC 1183. SIG: Cryptographic Signature. Defined in RFC 2065. SOA: Start of Authority. Defined in RFC 1035. SRV: Server. Defined in RFC 2052. TXT: Text. Defined in RFC 1035. WKS: Well-Known Service. Defined in RFC 1035. X25. Defined in RFC 1183. Figure 9.18 DNS Query module. TigerSuite 4.0 271 An example DNS query request for one of the most popular Internet search engines, Yahoo! (www.yahoo.com), would reveal the following: ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13700 ;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 3, ADDITIONAL: 19 ;; yahoo.com, type = ANY, class = IN yahoo.com. 12h44m31s IN NS NS3.EUROPE.yahoo.com. yahoo.com. 12h44m31s IN NS NS1.yahoo.com. yahoo.com. 12h44m31s IN NS NS5.DCX.yahoo.com. yahoo.com. 23m3s IN A 204.71.200.243 yahoo.com. 23m3s IN A 204.71.200.245 yahoo.com. 3m4s IN MX 1 mx2.mail.yahoo.com. yahoo.com. 3m4s IN MX 0 mx1.mail.yahoo.com. yahoo.com. 12h44m31s IN NS NS3.EUROPE.yahoo.com. yahoo.com. 12h44m31s IN NS NS1.yahoo.com. yahoo.com. 12h44m31s IN NS NS5.DCX.yahoo.com. NS3.EUROPE.yahoo.com. 1h13m23s IN A 194.237.108.51 NS1.yahoo.com. 7h18m19s IN A 204.71.200.33 NS5.DCX.yahoo.com. 1d2h46m6s IN A 216.32.74.10 mx2.mail.yahoo.com. 4m4s IN A 128.11.23.250 mx2.mail.yahoo.com. 4m4s IN A 128.11.68.213 mx2.mail.yahoo.com. 4m4s IN A 128.11.68.139 mx2.mail.yahoo.com. 4m4s IN A 128.11.68.144 mx2.mail.yahoo.com. 4m4s IN A 128.11.23.244 mx2.mail.yahoo.com. 4m4s IN A 128.11.23.241 mx2.mail.yahoo.com. 4m4s IN A 128.11.68.146 mx2.mail.yahoo.com. 4m4s IN A 128.11.68.158 mx1.mail.yahoo.com. 4m4s IN A 128.11.68.218 mx1.mail.yahoo.com. 4m4s IN A 128.11.68.221 mx1.mail.yahoo.com. 4m4s IN A 128.11.23.238 mx1.mail.yahoo.com. 4m4s IN A 128.11.68.223 mx1.mail.yahoo.com. 4m4s IN A 128.11.68.100 mx1.mail.yahoo.com. 4m4s IN A 128.11.23.198 mx1.mail.yahoo.com. 4m4s IN A 128.11.23.250 mx1.mail.yahoo.com. 4m4s IN A 128.11.23.224 IP/Hostname Finder. This module is very simple to use for querying the Internet for either a primary IP address, given a hostname, or vice versa. The particular use of this module is to quickly determine the primary address or hostname of a network during the discovery phases. To activate this module, just enter in a hostname—www.yahoo.com, for example—and click Get IP Address, as shown in Figure 9.19. NS Lookup. This module is an advanced cohort of the IP/hostname Finder mod- ule just described, as it will search for multiple secondary addresses in relation to a single hostname (see Figure 9.20). 272 Chapter 9 TEAMFLY Team-Fly ® [...]... following script was sent to drastically degrade performance: &bom=ctac_ler_txt&BV_ionID=@@@@0582212215.0973528057@@@@&BV_EniID=faljfc lmeghbekfcflcfhfcggm.01302281129534321441159 167 862 99991234512 569 234 563 25 413331 465 4329105198 765 1111111231231234 563 20033 369 27 269 6 969 80911110719141 12582011312141 163 29912190592045 466 21 365 4529533 364 266 6184505534 460 9839545 365 660 34 861 64479 166 766 80 769 69199 A final example consists... contents.) cd directory Change directory Using cd without the directory name will take you to your home directory; using cd will take you to your previous directory and is a convenient way to toggle between two directories; using cd will take you one directory up (very useful) Using Security Analysis Tools for *NIX and Mac OS X /program_name Run an executable in the current directory The / is needed... externally The TigerBox Toolkit penetrators can be launched by clicking on the mini-TigerSuite icon in the taskbar, then on TigerBox Toolkit, and finally on Penetrators, as shown in Figure 9.27 277 278 Chapter 9 Figure 9.27 Launching TigerBox Toolkit Penetrators Sending Scripts with the Penetrators Vulnerability penetration testing of system and network security is one way to ensure that security policies... recent updates to the system documentation Use and to move around or you may get 293 294 Part III confused Press q to quit A replacement for the somewhat confusing info browsing system might be pinfo apropos topic Supply the list of the commands that have something to do with your topic whatis topic Give a short list of commands matching your topic The whatis is similar to apropos—they... is useful for monitoring target penetrations and verifying spoofed techniques, recording hack trails, and much more The Script field allows for instant replies, hack script uploads, and more to the hacking station or the Tiger Box To test your TigerSim functionality, open the virtual server simulator and start the Web server on port 80 Now start the TigerBreach penetrator, connect to your system’s IP... simulate your choice of network server daemon, whether it be e-mail, HTTP Web page serving, telnet, or FTP The TigerBox Toolkit penetrators are accessed by clicking on the mini-TigerSuite icon in the taskbar, then on TigerBox Toolkit, and then on Simulators, as shown in Figure 9.28 281 Chapter 9 AM FL Y Figure 9.28 Launching TigerBox Toolkit Simulator As part of TigerSuite and TigerBox, the server simulator... Penetrators Vulnerability penetration testing of system and network security is one of the only ways to ensure that security policies and infrastructure protection programs function properly The TigerSuite penetration modules are designed to provide some of the common penetration attacks to test strengths and weaknesses by locating security gaps These procedures offer an in-depth assessment of potential security. .. longer than one screen man topic Display the contents of the system manual pages (help) on the topic Press q to quit the viewer Try man if you need any advanced options The command info topic works similar to man topic, yet it may contain more up -to- date information Manual pages can be hard to read—they were written for UNIX programmers Try any_command help for a brief, easier -to- digest help on a command... domain name into an IP address, to which the user is forwarded to view the Web site An attacker can TigerSuite 4.0 connect to the DNS port (usually port 53) by using telnet or a similar client, then sending random characters, and then disconnecting This attack causes the DNS to stop working When combined with other attacks (e.g., ports 135 and 1031), this attack may cause the machine to crash To demonstrate... modules are well designed to provide detailed penetration attacks that test strengths and weaknesses by locating security gaps These hacking procedures offer you custom in-depth assessment of potential security risks, both internal and external, that may exist When it comes to sending scripts with a penetrator such as TigerBreach or TCP/UDP flooders, after you find a vulnerability in your target system, . performance: &bom=ctac_ler_txt&BV_ionID=@@@@0582212215.0973528057@@@@&BV_EniID=faljfc lmeghbekfcflcfhfcggm.01302281129534321441159 167 862 99991234512 569 234 563 25 413331 465 4329105198 765 1111111231231234 563 20033 369 27 269 6 969 80911110719141 12582011312141 163 29912190592045 466 21 365 4529533 364 266 6184505534 460 9839545 365 660 34 861 64479 166 766 80 769 69199 A final. DNS to stop working. When combined with other attacks (e.g., ports 135 and 1031), this attack may cause the machine to crash. To demonstrate an example, the TigerBreach penetrator is used to. 9.27 Launching TigerBox Toolkit Penetrators. Sending Scripts with the Penetrators Vulnerability penetration testing of system and network security is one way to ensure that security policies and