Hack Proofing Your Network: Internet Tradecraft
Ryan Russell, Syngress, ISBN: 1928994156, Edition: 1, 2000-01-15, Price: $49.95
Contents
Foreword ~ xxiii
Introduction ~ xxvii
Part I: Theory and Ideals
Chapter 1: Politics ~ 1
Introduction ~ 2
Definitions of the Word Hacker ~ 2
Hacker ~ 2
Cracker ~ 3
Script Kiddie ~ 5
Phreak ~ 6
White Hat/Black Hat ~ 6
Grey Hat ~ 7
Hacktivism ~ 8
The Role of the Hacker ~ 9
Criminal ~ 9
Magician ~ 10
Security Professional ~ 11
Consumer Advocate ~ 12
Civil Rights Activist ~ 13
Cyber Warrior ~ 14
Motivation ~ 15
Recognition ~ 15
Admiration ~ 16
Curiosity ~ 16
Power & Gain ~ 17
Revenge ~ 17
Legal/Moral Issues ~ 19
What's Illegal ~ 19
Reasonably Safe ~ 21
What's Right? ~ 22
Exceptions? ~ 23
The Hacker Code ~ 23
Why This Book? ~ 24
Public vs. Private Research ~ 25
Who Is Affected when an Exploit Is Released? ~ 26
Summary ~ 27
FAQs ~ 28
Chapter 2: Laws of Security ~ 31
Introduction ~ 32
What Are the Laws of Security? ~ 32
Client-side Security Doesn't Work ~ 33
Applying the Law ~ 34
Exceptions ~ 37
Defense ~ 37
You Can't Exchange Encryption Keys without a Shared Piece of Information ~ 37
Applying the Law ~ 38
Exceptions ~ 40
Defense ~ 41
Viruses and Trojans Cannot Be 100 Percent Protected Against ~ 41
Applying the Law ~ 42
Exceptions ~ 43
Defense ~ 44
Firewalls Cannot Protect You 100 Percent from Attack ~ 44
Applying the Law ~ 45
Social Engineering ~ 46
Attacking Exposed Servers ~ 46
Attacking the Firewall Directly ~ 47
Client-side Holes ~ 48
Exceptions ~ 48
Defense ~ 49
Secret Cryptographic Algorithms Are Not Secure ~ 49
Applying the Law ~ 50
Exceptions ~ 51
Defense ~ 51
If a Key Isn't Required, You Don't Have Encryption; You Have Encoding ~ 51
Applying the Law ~ 52
Exceptions ~ 53
Defense ~ 53
Passwords Cannot Be Securely Stored on the Client Unless There Is Another Password to Protect Them ~ 53
Applying the Law ~ 55
Exceptions ~ 56
Defense ~ 57
In Order for a System to Begin to Be Considered Secure, It Must Undergo an Independent Security Audit ~ 57
Applying the Law ~ 57
Exceptions ~ 58
Defense ~ 58
Security Through Obscurity Doesn't Work ~ 58
Applying the Law ~ 59
Exceptions ~ 60
Defense ~ 61
People Believe That Something Is More Secure Simply Because It's New ~ 61
Applying the Law ~ 62
Exceptions ~ 63
Defense ~ 63
What Can Go Wrong Will Go Wrong ~ 64
Applying the Law ~ 64
Exceptions ~ 64
Defense ~ 64
Summary ~ 64
FAQs ~ 65
Chapter 3: Classes of Attack ~ 67
Introduction ~ 68
What Are the Classes of Attack? ~ 68
Denial-of-Service ~ 68
Information Leakage ~ 79
File Creation, Reading, Modification, Removal ~ 82
Misinformation ~ 82
Special File/Database Access ~ 83
Elevation of Privileges ~ 85
Problems ~ 88
How Do You Test for Vulnerability without Exercising the Exploit? ~ 89
How to Secure Against These Classes of Attack ~ 90
Denial-of-Service ~ 91
Information Leakage ~ 92
File Creation, Reading, Modification, Removal ~ 94
Misinformation ~ 95
Special File/Database Access ~ 95
Elevation of Privileges ~ 97
Summary ~ 97
FAQs ~ 98
Chapter 4: Methodology ~ 101
Introduction ~ 102
Types of Problems ~ 102
Black Box ~ 102
Chips ~ 102
Unknown Remote Host ~ 105
Information Leakage ~ 105
Translucent Box ~ 107
Tools ~ 107
System Monitoring Tools ~ 108
Packet Sniffing ~ 112
Debuggers, Decompilers, and Related Tools ~ 113
Crystal Box ~ 117
Problems ~ 117
Cost/Availability of Tools ~ 117
Obtaining/Creating a Duplicate Environment ~ 118
How to Secure Against These Methodologies ~ 118
Limit Information Given Away ~ 119
Summary ~ 119
Additional Resources ~ 120
FAQs ~ 120
Part II: Theory and Ideals
Chapter 5: Diffing ~ 121
Introduction ~ 122
What Is Diffing? ~ 122
Files ~ 123
Tools ~ 126
File Comparison Tools ~ 126
Hex Editors ~ 128
File System Monitoring Tools ~ 132
Other Tools ~ 136
Problems ~ 140
Checksums/Hashes ~ 140
Compression/Encryption ~ 141
How to Secure Against Diffing ~ 142
Summary ~ 142
FAQs ~ 143
Chapter 6: Cryptography ~ 145
Introduction ~ 146
An Overview of Cryptography and Some of Its Algorithms (Crypto 101) ~ 146
History ~ 146
Encryption Key Types ~ 147
Algorithms ~ 149
Symmetric Algorithms ~ 149
Asymmetric Algorithms ~ 151
Problems with Cryptography ~ 153
Secret Storage ~ 154
Universal Secret ~ 157
Entropy and Cryptography ~ 159
Brute Force ~ 163
L0phtCrack ~ 164
Crack ~ 166
John the Ripper ~ 166
Other Ways Brute Force Attacks Are Being Used ~ 167
Distributed.net ~ 167
Deep Crack ~ 169
Real Cryptanalysis ~ 169
Differential Cryptanalysis ~ 170
Side-Channel Attacks ~ 172
Summary ~ 173
Additional Resources ~ 173
FAQs ~ 174
Chapter 7: Unexpected Input ~ 177
Introduction ~ 178
Why Unexpected Data Is Dangerous ~ 178
Situations Involving Unexpected Data ~ 179
HTTP/HTML ~ 179
Unexpected Data in SQL Queries ~ 181
Disguising the Obvious ~ 185
Finding Vulnerabilities ~ 186
Black-Boxing ~ 186
Use the Source (Luke) ~ 189
Application Authentication ~ 190
Protection: Filtering Bad Data ~ 194
Escaping Characters Is Not Always Enough ~ 194
Perl ~ 194
Cold Fusion/Cold Fusion Markup Language (CFML) ~ 195
ASP ~ 195
PHP ~ 196
Protecting Your SQL Queries ~ 196
Silently Removing vs. Alerting on Bad Data ~ 197
Invalid Input Function ~ 198
Token Substitution ~ 198
Available Safety Features ~ 198
Perl ~ 199
PHP ~ 200
Cold Fusion/Cold Fusion Markup Language ~ 200
ASP ~ 200
MySQL ~ 201
Summary ~ 201
FAQs ~ 202
Chapter 8: Buffer Overflow ~ 203
Introduction ~ 204
What Is a Buffer Overflow? ~ 204
Smashing the Stack ~ 207
Hello Buffer ~ 207
What Happens When I Overflow a Buffer? ~ 210
Methods to Execute Payload ~ 216
Direct Jump (Guessing Offsets) ~ 216
Blind Return ~ 216
Pop Return ~ 218
Call Register ~ 219
Push Return ~ 220
What Is an Offset? ~ 220
No Operation (NOP) Sled ~ 221
Off-by-One Struct Pointer ~ 221
Dereferencing: Smashing the Heap ~ 222
Corrupting a Function Pointer ~ 222
Trespassing the Heap ~ 223
Designing Payload ~ 225
Coding the Payload ~ 225
Injection Vector ~ 225
Location of Payload ~ 226
The Payload Construction Kit ~ 226
Getting Bearings ~ 237
Finding the DATA Section, Using a Canary ~ 237
Encoding Data ~ 238
XOR Protection ~ 238
Using What You Have: Preloaded Functions ~ 238
Hashing Loader ~ 243
Loading New Libraries and Functions ~ 245
WININET.DLL ~ 246
Confined Set Decoding ~ 247
Nybble-to-Byte Compression ~ 247
Building a Backward Bridge ~ 247
Building a Command Shell ~ 247
The Shiny Red Button: Injecting a Device Driver into Kernel Mode ~ 251
Worms ~ 253
Finding New Buffer Overflow Exploits ~ 253
Summary ~ 257
FAQs ~ 258
Part III: Remote Attacks
Chapter 9: Sniffing ~ 259
What Is Sniffing? ~ 260
How Is Sniffing Useful to an Attacker? ~ 260
How Does It Work? ~ 260
What to Sniff? ~ 261
Authentication Information ~ 261
Telnet (Port 23) ~ 261
FTP (Port 21) ~ 262
POP (Port 110) ~ 262
IMAP (Port 143) ~ 262
NNTP (Port 119) ~ 263
rexec (Port 512) ~ 263
rlogin (Port 513) ~ 264
X11 (Port 6000+) ~ 264
NFS File Handles ~ 264
Windows NT Authentication ~ 265
Other Network Traffic ~ 266
SMTP (Port 25) ~ 266
HTTP (Port 80) ~ 266
Common Implementations ~ 267
Network Associates Sniffer Pro ~ 267
NT Network Monitor ~ 268
TCPDump ~ 269
dsniff ~ 270
Esniff.c ~ 271
Sniffit ~ 271
Advanced Sniffing Techniques ~ 272
Switch Tricks ~ 272
ARP Spoofing ~ 273
ARP Flooding ~ 273
Routing Games ~ 273
Operating System Interfaces ~ 274
Linux ~ 274
BSD ~ 277
libpcap ~ 277
Windows ~ 279
Protection ~ 279
Encryption ~ 279
Secure Shell (SSH) ~ 279
Switching ~ 281
Detection ~ 281
Local Detection ~ 281
Network Detection ~ 282
DNS Lookups ~ 282
Latency ~ 282
Driver Bugs ~ 282
AntiSniff ~ 283
Network Monitor ~ 283
Summary ~ 283
Additional Resources ~ 283
FAQs ~ 284
Chapter 10: Session Hijacking ~ 285
Introduction ~ 286
What Is Session Hijacking? ~ 286
TCP Session Hijacking ~ 287
TCP Session Hijacking with Packet Blocking ~ 290
Route Table Modification ~ 290
ARP Attacks ~ 292
TCP Session Hijacking Tools ~ 293
Juggernaut ~ 293
Hunt ~ 296
UDP Hijacking ~ 300
Other Hijacking ~ 301
How to Protect Against Session Hijacking ~ 302
Encryption ~ 302
Storm Watchers ~ 302
Summary ~ 303
Additional Resources ~ 304
FAQs ~ 305
Chapter 11: Spoofing: Attacks on Trusted Identity ~ 307
Introduction ~ 308
What It Means to Spoof ~ 308
Spoofing Is Identity Forgery ~ 308
Spoofing Is an Active Attack against Identity Checking Procedures ~ 308
Spoofing Is Possible at All Layers of Communication ~ 309
Spoofing Is Always Intentional ~ 309
Spoofing May Be Blind or Informed, but Usually Involves Only Partial Credentials ~ 311
Spoofing Is Not the Same Thing as Betrayal ~ 312
Spoofing Is Not Always Malicious ~ 312
Spoofing Is Nothing New ~ 312
Background Theory ~ 313
The Importance of Identity ~ 313
The Evolution of Trust ~ 314
Asymmetric Signatures between Human Beings ~ 314
Establishing Identity within Computer Networks ~ 316
Return to Sender ~ 317
In the Beginning, there was a Transmission ~ 318
Capability Challenges ~ 320
Ability to Transmit: Can It Talk to Me? ~ 320
Ability to Respond: Can It Respond to Me? ~ 321
Ability to Encode: Can It Speak My Language? ~ 324
Ability to Prove a Shared Secret: Does It Share a Secret with Me? ~ 326
Ability to Prove a Private Keypair: Can I Recognize Your Voice? ~ 328
Ability to Prove an Identity Keypair: Is Its Identity Independently Represented in My Keypair? ~ 329
Configuration Methodologies: Building a Trusted Capability Index ~ 329
Local Configurations vs. Central Configurations ~ 329
Desktop Spoofs ~ 330
The Plague of Auto-Updating Applications ~ 331
Impacts of Spoofs ~ 332
Subtle Spoofs and Economic Sabotage ~ 332
Subtlety Will Get You Everywhere ~ 333
Selective Failure for Selecting Recovery ~ 333
Attacking SSL through Intermittent Failures ~ 335
Summary ~ 335
FAQs ~ 337
Chapter 12: Server Holes ~ 339
Introduction ~ 340
What Are Server Holes? ~ 340
Denial of Service ~ 340
Daemon/Service Vulnerabilities ~ 341
Program Interaction Vulnerabilities ~ 341
Denial of Service ~ 341
Compromising the Server ~ 342
Goals ~ 344
Steps to Reach Our Goal ~ 344
Hazards to Keep in Mind ~ 344
Planning ~ 346
Network/Machine Recon ~ 347
Research/Develop ~ 354
Execute the Attack ~ 356
Cleanup ~ 356
Summary ~ 357
FAQs ~ 358
Chapter 13: Client Holes ~ 359
Introduction ~ 360
Threat Source ~ 360
Malicious Server ~ 360
Mass vs. Targeted Attack ~ 363
Location of Exploit ~ 364
Drop Point ~ 365
Malicious Peer ~ 366
E-Mailed Threat ~ 368
Easy Targets ~ 368
Session Hijacking and Client Holes ~ 370
How to Secure Against Client Holes ~ 370
Minimize Use ~ 370
Anti-Virus Software ~ 373
Limiting Trust ~ 373
Client Configuration ~ 375
Summary ~ 378
FAQs ~ 380
Chapter 14: Viruses, Trojan Horses, and Worms ~ 383
Introduction ~ 384
How Do Viruses, Trojan Horses, and Worms Differ? ~ 384
Viruses ~ 384
Worms ~ 385
Macro Virus ~ 385
Trojan Horses ~ 386
Hoaxes ~ 387
Anatomy of a Virus ~ 387
Propagation ~ 388
Payload ~ 389
Other Tricks of the Trade ~ 390
Dealing with Cross-Platform Issues ~ 391
Java ~ 391
Macro Viruses ~ 391
Recompilation ~ 392
Proof that We Need to Worry ~ 392
Morris Worm ~ 392
ADMw0rm ~ 392
Melissa and I Love You ~ 393
Creating Your Own Malware ~ 398
New Delivery Methods ~ 398
Other Thoughts on Creating New Malware ~ 399
How to Secure Against Malicious Software ~ 400
Anti-Virus Software ~ 400
Web Browser Security ~ 402
Anti-Virus Research ~ 403
Summary ~ 403
FAQs ~ 404
Part IV: Reporting
Chapter 15: Reporting Security Problems ~ 407
Introduction ~ 408
Should You Report Security Problems? ~ 408
Who to Report Security Problems To? ~ 409
Full Disclosure ~ 411
Reporting Security Problems to Vendors ~ 414
Reporting Security Problems to the Public ~ 418
Publishing Exploit Code ~ 420
Problems ~ 421
Repercussions from Vendors ~ 421
Risk to the Public ~ 422
How to Secure Against Problem Reporting ~ 422
Monitoring Lists ~ 422
Vulnerability Databases ~ 422
Patches ~ 423
Response Procedure ~ 423
Summary ~ 425
Index ~ 427