"This book covers not just the glamorous aspects such as the intrusion act itself, but all of the pitfalls, contracts, clauses, and other gotchas that can occur. The authors have taken their years of trial and error, as well as experience, and documented a previously unknown black art."
--From the Foreword by Simple Nomad, Senior Security Analyst, BindView RAZOR Team
Penetration testing--in which professional, "white hat" hackers attempt to break through an organization's security defenses--has become a key defense weapon in today's information systems security arsenal. Through penetration testing, I.T. and security professionals can take action to prevent true "black hat" hackers from compromising systems and exploiting proprietary information.
Hack I.T. introduces penetration testing and its vital role in an overall network security plan. You will learn about the roles and responsibilities of a penetration testing professional, the motivation and strategies of the underground hacking community, and potential system vulnerabilities, along with corresponding avenues of attack. Most importantly, the book provides a framework for performing penetration testing and offers step-by-step descriptions of each stage in the process. The latest information on the necessary hardware for performing penetration testing, as well as an extensive reference on the available security tools, is included.
Comprehensive in scope Hack I.T. provides in one convenient resource the background, strategies, techniques, and tools you need to test and protect your system--before the real hackers attack.
Specific topics covered in this book include:
1. Hacking Today.
2. Defining the Hacker.
Hacker Skill Levels.
Information Security Consultants.
Information Security Myths.
Ramifications of Penetration Testing.
Requirements for a Freelance Consultant.
Announced vs. Unannounced Penetration Testing.
Pros and Cons of Both Types of Penetration Testing.
Berkeley Internet Name Domain (BIND) Implementations.
Common Gateway Interface (CGI).
Clear Text Services.
Domain Name Service (DNS).
FTP and telnet.
IMAP and POP.
Lack of Monitoring and Intrusion Detection.
Network File System (NFS).
NT Ports 135n139.
NT Null Connection.
Poor Passwords and User IDs.
Remote Administration Services.
Remote Procedure Call (RPC).
Services Started by Default.
Simple Mail Transport Protocol (SMTP).
Simple Network Management Protocol (SNMP) Community Strings.
Viruses and Hidden Code.
Web Server Sample Files.
Web Server General Vulnerabilities.
Case Study: Dual-Homed Hosts.
War Dialing Method.
War Dialing Tools.
Case Study: War Dialing.
Searching for Exploits.
Remotely Installing a Hacker Tool Kit.
Case Study: Snoop the User Desktop.
Get Help Logging In.
Remote Procedure Call Services.
Buffer Overflow Attacks.
Case Study: UNIX Penetration.
Windows NT Workstation.
Network-Based and Host-Based Scanners.
Network Associates CyberCop Scanner.
ISS Internet Scanner.
Symantec (Formerly Axent Technologies) NetRecon.
Bindview HackerShield (bv-control for Internet Security).
Symantec (Formerly Axent Technologies) Enterprise Security Manager (ESM).
7th Sphere Port Scanner.
SessionWall-3 (Now eTrust Intrusion Detection).
John the Ripper.
Global (iDomain Adminsi).
NetBIOS Auditing Tool (NAT).
Case Study: Weak Passwords.
Case Study: Internal Penetration to Windows.
THC Happy Browser.
Case Study: Compaq Management Agents Vulnerability.
Virtual Network Computing.
Back Orifice 2000.
Stealth Port Scanning.
Traits of Effective IDSs.
Secure Intrusion Detection.
eTrust Intrusion Detection.
Network Flight Recorder.
Network Address Translation.
Firewalls and Virtual Private Networks.
Case Study: Internet Information Server ExploitoMDAC.
Resource Exhaustion Attacks.
IP Fragmentation Attacks.
Distributed Denial-of-Service Attacks.
Tribe Flood Network 2000.
Application-Based DoS Attacks.
Web Server DoS Attacks.
Concatenated DoS Tools.
ISS Internet Scanner.
Two- and Three-Factor Authentication.
Public Key Infrastructure.
Why write a book about hacking? The question is really whether a book about the techniques and tools used to break into a network would be beneficial to the information security community. We, the authors, believe that penetration testing is a valuable and effective means of identifying security holes and weaknesses in a network and computing environment. Understanding how others will try to break into a network offers considerable insight into the common pitfalls and misconfigurations that make networks vulnerable. This insight is essential to creating a comprehensive network security structure.
Some may argue that providing this penetration-testing information gives script kiddies and hackers ammunition to better attack systems. However, script kiddies and hackers already have access to this information or have the time to find it--most of the material presented in this book is available from a variety of sources on the Internet. The problem is that the system and security administrators defending against attacks do not have the time or resources to research the sites necessary to compile this information. We decided to write this book to provide defenders with the information hackers already have. A hacker has to find only one hole to gain unauthorized access. The security group defending against the hackers needs to find all the holes to prevent unauthorized access.
There is no tried-and-true training that can make everyone a security expert, but there are some baseline principles, skills, and tools that must be mastered to become proficient in this field. Our goal is to provide you with those skills in a manner that helps you to understand the structure and tools used and to begin developing your own style of penetration testing.The process described in this book is not the only way to perform a penetration test. We continue to evolve our own methodology to respond to new technologies and threats. This process has worked well for us in the past and continues to be a successful way to evaluate and test network security.
This book is intended for the security administrators, systems administrators, technology auditors, and other authorized representatives of companies that want to legitimately test their security posture and intrusion detection or incident response capabilities. In addition, other individuals who need to assess systems and network security may find the tools and techniques described in this book useful. It is designed as a beginner's book for enhancing network security through penetration testing. No previous knowledge of penetration testing is required, but an understanding of networking, TCP/IP, Windows NT/2000, network security, and UNIX is needed to be able to execute a penetration test.
A word of caution: Although this book details the processes and tools for performing a penetration test, it does not describe how to do this without alerting network security devices. Many of these techniques will be detected and should not be performed without the written consent of the owners of the target systems. We intend for this book to be not a how-to hack manual but rather a framework for performing a systematic network security review. Intrusion detection mechanisms on most networks today have become very sophisticated and, if configured properly, can be used to track anyone practicing these techniques on a network.
The managers of an ever-growing number of companies are beginning to see information security as an issue requiring attention, showing how much of a threat they truly believe exists. In any case, whether you work as part of the security department of a large corporation or as a system administrator with security as part of your job description, knowing how to get into your network is one of the best ways to secure it.
The first part of this book (Chapters 1-4) explains the roles and responsibilities of a penetration-testing professional and the motivation and styles of the hacking community. This information provides insight into why hacking has become so popular with the media and what difficulties are associated with protecting a network. The material is designed to provide background information to support the use of penetration testing as an important part of an overall network security plan. A penetration test not only tests the network's ability to protect information and other assets from unauthorized individuals but also can test the organization's ability to detect such intrusion attempts and its incident response capabilities. We also discuss some of the common pitfalls in technology and defenses that contribute to security weaknesses. A large portion of successful network security breeches could have been avoided if special attention had been given to these issues.
The second part of this book (Chapters 5-10) provides a structured framework for a penetration test. Penetration testing can be broken down into a series of steps that provide an efficient and comprehensive review of individual network segments. Whether the test is an internal or external review, the methodology follows the steps of discovery, scanning, and exploitation. This section outlines methods for finding the target network, identifying possible vulnerable services, exploiting weaknesses, and documenting the results. This methodology yields a test that is structured, efficient, and repeatable. In this section of the book we also introduce various tools that can be used to assist with this methodology. We briefly describe each tool's use and place in testing.
The third section of this book (Chapters 11-16) provides greater detail on the tools that can increase the speed and accuracy of a penetration test. This "tools and techniques" section is presented in a reference format so you can locate a tool by its role in testing and obtain the information necessary to begin using the tool or find the information necessary to do so. A large collection of tools have been released by commercial and open-source programmers that identify vulnerabilities in networks, applications, and/or services and should be used as part of an assessment. While most of them may be identified by an intrusion detection system, they can usually find exposures on your network faster than manual methods. We provide detailed explanations of each tool, including its basic usage and where to get updates. You will find that some programs are described in greater depth than others. We spend more time on the tools that we find more helpful or that reveal the most information. For ease of use, we obtained demo or freeware software for many of the tools covered and included them on the CD-ROM available with this book. This software is intended to give you the opportunity to become familiar with some of the more popular tools and to see which work best for you. This section is designed to help you pick out the right hardware, operating systems, and software to make a testing tool kit.
The last section of this book (Chapters 17-23) moves toward advanced techniques and application testing. You should review this section once you have created and are comfortable with your own tool kit. This section details methods that can be used to evade intrusion detection systems and firewalls, control hosts on target networks remotely, and test Web servers. It also includes a discussion on denial-of-service attacks and a section on how to keep up with the current trends and latest developments in information security. This section contains a list of Web sites and e-mail lists that we used in our research, as well as information on long-term countermeasures to improve security. Finally, we include a brief discussion about future trends within the information technology arena and the possible risks that these trends may produce.
At the end of some chapters are case studies that deal with some of the issues and tools discussed. The case studies detail steps we have followed in real-world penetration-testing engagements to help illustrate how all the pieces of penetration testing fit together. The samples we selected include internal, external, and dial-up testing and reflect different operating systems, vulnerabilities, and exploits in an attempt to demonstrate as many of the techniques discussed in the book as possible. In each case we keep anonymous the name, industry type, and any other information that could be used to identify the parties involved.
Click below for Forward related to this title:
Note: Page numbers followed by f indicate figures.
Accounts. See specific types
Active security, automated vulnerability scanning in, 169
Active X code, hidden, 47
determining, with user2Sid and sid2User, 286–287
password vulnerabilities of, 42
Administrator privileges, in default accounts, 34
Alerts, in firewall monitoring, 371
definition of, 25
vs. unannounced testing, 26–27
Anonymity, on the Internet, 16–17
Anonymous mail relay, vulnerabilities of, 140–142
AntiSniff, sniffer detection with, 251–254, 253f
default installations of, vulnerability of, 454–456
discovery of, in vulnerability analysis, 63, 64f
holes in, vulnerabilities of, 32
in internal penetration testing, 104–105
in UNIX environments, 140–145
Application-based DoS attacks, 405–406
tools for, 406–412
ARP packets, in resource exhaustion DoS attacks, 389–390
arpredirect, in dsniff, 245
AS400 systems, accessing, with SessionWall-3, 250
AT, in NT testing, 301–302
brute force (See Brute force attacks)
probability of, 14
Attrition.org, defaced Web site archive of, 6–7, 7t
AuditPol, in NT testing, 292–293
Authentication mechanisms, 433–437
in tracing computer connections, 17
Authentication services testing
case study for, 325–328, 327f
with Web Cracker, 322–323, 322f, 323f
with wwwhack, 320–321, 321f
Automated hacker tools, script kiddy use of, 12
Automated monitoring, 49–50
Automated vulnerability scanning. See Vulnerability scanning, automated
Back doors, installing with Netcat, 298–300
Back Orifice 2000, remote control with, 344–346
Backups, vulnerabilities associated with, 459–461
in application discovery, 63
definition of, 63
in dial-in penetration, 88
in internal penetration, 96
with NetScanTools, 204–206, 205f
Baseline standards, importance in security architecture, 421
Berkeley Internet Name Domain (BIND) implementations, vulnerabilities of, 32, 485–487
Bindview HackerShield, 180
Biometrics, in secure authentication, 42–43, 434–436
BitchSlap, for application-based DoS attacks, 409
Brute force attacks
authentication services targeted by, 320–323, 321f–323f
default accounts targeted by, 34
FTP targeted by, 35
lack of monitoring and intrusion detection in, 38
modems targeted by, 37
for password cracking, 287–290
TELNET targeted by, 35
with Web Cracker, 322–323, 322f, 323f
with wwwhack, 320–321, 321f
Brutus, in web site testing, 323–325, 324f
Buffer overflow attacks
for DoS attacks, 410–412
against IDSs, 355
in internal penetration testing, 103
on ISAPI extensions, 471–473
on remote procedure calls, 482–484
in UNIX environments, 133, 136–137
on UNIX Web servers, 143
Bugtraq, vulnerabilities published by, 29, 426
bv-control for Internet Security, 180
Cain, password cracking with, 266–267, 267f
Caller ID software, in tracing computer connections, 17
CD Universe, credit card hack against, 6
CERT (Computer Emergency Response Team), Internet address for, 5, 426
CGI (Common Gateway Interface)
scanning for vulnerabilities in, Whisker for, 316–318, 317f
vulnerabilities of, 33
CGI programs, security issues in, 33, 467–468
Cheops, 148–151, 149f–151f
Cleaning staff scenario, in internal penetration testing, 93
Clear text services, 33
Client companies, confidentiality of information from, 24
Common Gateway Interface. See CGI
Common Vulnerabilities and Exposures (CVE) numbers, 452–453
Community strings (SNMP), vulnerabilities of, 45–46, 492–495
Computer(s), unattended, vulnerabilities of, 122
Computer connections, traceability of, 16–17
Computer crimes, media coverage of, 5–6
Computer Emergency Response Team (CERT), Internet address for, 5, 426
Computer forensics, growth of, 439–440
Computer Intrusion Squad, FBI, security survey by, 2–4
Computer Security Institute (CSI), security survey by, 2–4
Computer viruses. See Virus(es)
Concatenated DoS tools, 412–416
of client companies, 24
dumpster diving for, 120–121
risks from, 30
in UNIX environments, 145–146
Configuration files, for UNIX, 128–130, 129t
Configuration management, host-based vulnerability scanners in, 169
Consultant scenario, in internal penetration testing, 92–93
Core dump files, vulnerabilities of, 132
Corporate networks, virus susceptibility of, 6
for DDoS attacks, 400, 403
for dumpster diving, 123
for null connections, 273
packaging of tools for, 442
for social engineering, 123–124
for web server DoS attacks, 411–412
Cracker, definition of, 9
Crawl website tool, in Sam Spade, 219–221, 220f
Credit card numbers, publication of, 6
CSI (Computer Security Institute), security survey by, 2–4
Customer service, social engineering attack on, 116–118
CVE (Common Vulnerabilities and Exposures) numbers, 452–453
configuration of, 171–175, 172f–174f
for DoS testing, 412–413, 413f
scanning with, 50, 167–168, 175
Cyber-crime insurance, 442–443
Data classification, importance in security architecture, 421