Hacking Exposed: Network Security Secrets & Solutions

by Stuart McClure, George Kurtz, Joel Scambray
About the Author

Stuart McClure, CISSP, CNE, CCSE (Mission Viejo, CA) is President/Founder of Foundstone, Inc., an elite security consulting and training company.
Joel Scambray, CISSP, CCSE (Lafayette, CA) is Managing Principal of Foundstone, Inc., an elite security consulting and training company. Joel is the author of Microsoft's "Ask Us About Security" column.
George Kurtz, CISSP (Montville, NJ) is CEO/Founder of Foundstone, Inc., an elite security consulting and training company. He is also a renowned Black Hat speaker and was an Extreme Hacking instructor

Product Details

Publisher: McGraw-Hill Companies, The
Series: McGraw-Hill Computer Security Series
Edition description: Older Edition
Product dimensions: 7.38(w) x 9.10(h) x 1.83(d)

Read an Excerpt

Part I: Casing the Establishment

Case Study-Giving Up the Goods

You're excited that your shiny new server with the latest and greatest in hardware just arrived from the factory preconfigured with enough bells and whistles to make it sing. Before you placed your order with (fill in the blank with most any large computer manufacturer), you fastidiously completed the configuration options form indicating you wanted Windows 2000 installed. In addition, you loaded up the server with every eCommerce application needed for deployment. "How handy," you thought. "I can simply order everything I need and ship this server to our data center, and I don't have to configure a thing." Life is good.

Your operations team receives the new server at the data center and follows your instructions to replace the aging NT server with this new one. You exude confidence that your hardware vendor has configured the system with meticulous care, even setting the IP address for you. The switch-over succeeds without a hitch. This customization-by-order takes plug-and-play to a new level, you think. Unfortunately, this takes hacking to a new level as well.

Your super server is actually a leaking sieve of information waiting to be pillaged by any hacker who happens to direct his or her efforts your way. With ports like 139 and 445 open to the world, even a novice hacker doesn't have to ask for much more. A quick "anonymous" connection to your server will yield a wealth of information that can be used to determine which users have administrator rights, the last logon date for a user, hidden share information, the last time a password was changed, and whether a password is required at all! All of this information can be gleaned, or as we call it, enumerated, via a null session and a few open ports that were identified while footprinting your environment. Scanning and enumerating systems are basic skills most attackers use to determine whether your systems are ripe for picking. Once your system gives up the goods, you are toast.

In our experience, this scenario is all too real and represents a major portion of the time spent by determined attackers. The more information an attacker can glean, the greater the chances of a successful security breach. While the media likes to sensationalize the "push button" hack, a skilled and determined attacker may take months to footprint and enumerate a target environment before ever executing an exploit. Many users exacerbate this situation by naively trusting hardware manufacturers to securely configure their systems. While some vendors may make token attempts to turn off a service here or there, most systems come out of the box begging to be hacked. Don't get lulled into a false sense of security just because the factory preconfigured your system. Most systems are designed out of the box to reduce support calls, not to keep a hacker out.

The techniques discussed in Chapters 1 through 3 will serve you well. Footprint your own systems before someone with less than honorable intentions does it for you!

Chapter 1: Footprinting

Before the real fun for the hacker begins, three essential steps must be performed. This chapter discusses the first one, footprinting: the fine art of gathering target information. For example, when thieves decide to rob a bank, they don't just walk in and start demanding money (not the smart ones, anyway). Instead, they take great pains in gathering information about the bank: the armored car routes and delivery times, the video cameras, the number of tellers, the escape exits, and anything else that will help in a successful misadventure.

The same requirement applies to successful attackers. They must harvest a wealth of information to execute a focused and surgical attack (one that won't be readily caught). As a result, attackers will gather as much information as possible about all aspects of an organization's security posture. Hackers end up with a unique footprint or profile of their Internet, remote access, and intranet/extranet presence. By following a structured methodology, attackers can systematically glean information from a multitude of sources to compile this critical footprint on any organization.

What Is Footprinting?

The systematic footprinting of an organization enables attackers to create a complete profile of an organization's security posture. By using a combination of tools and techniques, attackers can take an unknown quantity (Widget Company's Internet connection) and reduce it to a specific range of domain names, network blocks, and individual IP addresses of systems directly connected to the Internet. While there are many types of footprinting techniques, they are primarily aimed at discovering information related to the following environments: Internet, intranet, remote access, and extranet. Table 1-1 depicts these environments and the critical information an attacker will try to identify.

Why Is Footprinting Necessary?

Footprinting is necessary to systematically and methodically ensure that all pieces of information related to the aforementioned technologies are identified. Without a sound methodology for performing this type of reconnaissance, you are likely to miss key pieces of information related to a specific technology or organization. Footprinting is often the most arduous task of trying to determine the security posture of an entity; however, it is one of the most important. Footprinting must be performed accurately and in a controlled fashion.

Internet Footprinting
While many footprinting techniques are similar across technologies (Internet and intranet), this chapter will focus on footprinting an organization's Internet connection(s). Remote access will be covered in detail in Chapter 9.

It is difficult to provide a step-by-step guide on footprinting because it is an activity that may lead you down several paths. However, this chapter delineates basic steps that should allow you to complete a thorough footprint analysis. Many of these techniques can be applied to the other technologies mentioned earlier.

Step 1. Determine the Scope of Your Activities

The first item to address is to determine the scope of your footprinting activities. Are you going to footprint an entire organization, or are you going to limit your activities to certain locations (for example, corporate vs. subsidiaries)? In some cases, it may be a daunting task to determine all the entities associated with a target organization. Luckily, the Internet provides a vast pool of resources you can use to help narrow the scope of activities and also provides some insight as to the types and amount of information publicly available about your organization and its employees.

As a starting point, peruse the target organization's web page if they have one. Many times an organization's web page provides a ridiculous amount of information that can aid attackers. We have actually seen organizations list security configuration options for their firewall system directly on their Internet web server. Other items of interest include

  • Locations
  • Related companies or entities
  • Merger or acquisition news
  • Phone numbers
  • Contact names and email addresses
  • Privacy or security policies indicating the types of security mechanisms in place
  • Links to other web servers related to the organization
In addition, review the HTML source code for comments. Many items not intended for public consumption are buried in HTML comments, which are delimited by "<!--" and "-->". Viewing the source offline may be faster than viewing it online, so it is often beneficial to mirror the entire site for offline review. Having a local copy of the site also lets you programmatically search for comments or other items of interest, making your footprinting activities more efficient. Wget (http://www.gnu.org/software/wget/wget.html) for UNIX and Teleport Pro (http://www.tenmax.com/teleport/home.htm) for Windows are great utilities for mirroring entire web sites.
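The "programmatic search" of a mirrored site described above, as an added example (not code from the book): it pulls every HTML comment out of a page or a mirrored directory tree with Python's standard html.parser, tags each comment that looks like a lead (email address, IPv4 address, internal-looking hostname, or a keyword such as "password" or "TODO"), and also collects the hostnames of absolute links so related web servers show up alongside the comments. The sample page, the hostnames in it, and the directory layout assumed by scan_mirror are constructed for illustration.

```python
"""Search a mirrored web site for HTML comments and other footprinting leads.

Added example for this page, not code from the book. Assumes the site has
already been mirrored to a local directory (for example with wget) so the
scan runs offline; the sample HTML below is constructed.
"""
import re
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlsplit

# Patterns that commonly surface contact details or internal infrastructure.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Hostnames with a suffix that only makes sense on an internal network.
    "internal_host": re.compile(r"\b[\w-]+\.(?:internal|corp|local|lan)\b", re.I),
    "keyword": re.compile(r"\b(?:password|passwd|todo|fixme|debug|admin)\b", re.I),
}


class CommentCollector(HTMLParser):
    """Collects HTML comments (<!-- ... -->) and the href targets of <a> tags."""

    def __init__(self):
        super().__init__()
        self.comments = []
        self.links = []

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def classify(text):
    """Return the set of PATTERNS names that match `text`."""
    return {name for name, rx in PATTERNS.items() if rx.search(text)}


def _parse(html):
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return parser


def scan_html(html):
    """Return [(comment, sorted category list)] for every comment in `html`."""
    return [(c, sorted(classify(c))) for c in _parse(html).comments]


def related_hosts(html):
    """Return the hostnames of absolute links, i.e. other servers worth footprinting."""
    hosts = set()
    for link in _parse(html).links:
        host = urlsplit(link).hostname
        if host:  # relative links such as /contact.html have no host
            hosts.add(host)
    return hosts


def scan_mirror(root):
    """Walk a mirrored site and return (relative path, comment, categories) for flagged comments."""
    hits = []
    for path in sorted(Path(root).rglob("*.htm*")):
        html = path.read_text(encoding="utf-8", errors="replace")
        for comment, cats in scan_html(html):
            if cats:
                hits.append((str(path.relative_to(root)), comment, cats))
    return hits


# Constructed sample page standing in for a mirrored index.html.
SAMPLE_HTML = """<html><head><title>Widget Co</title></head><body>
<!-- TODO: remove before launch, staging box is fw01.corp.widget.local -->
<a href="/contact.html">Contact</a>
<!-- page owner: jdoe@widget.example, ext. 4321 -->
<!-- copyright 2001 Widget Co -->
<a href="http://extranet.widget.example/login">Partners</a>
</body></html>"""

if __name__ == "__main__":
    for comment, cats in scan_html(SAMPLE_HTML):
        print(f"[{','.join(cats) if cats else '-'}] {comment}")
    print("related hosts:", ", ".join(sorted(related_hosts(SAMPLE_HTML))))
```

Run it against a real mirror with scan_mirror("path/to/mirror"); only comments that match at least one pattern are reported, so a large site reduces to a short list of candidates to read by hand. The patterns are deliberately loose (a phone extension, for instance, is not matched), so extend PATTERNS with whatever the target's naming conventions suggest.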

After studying web pages, you can perform open source searches for information relating to the target organization. News articles, press releases, and so on, may provide additional clues about the state of the organization and their security posture. Web sites such as finance.yahoo.com or http://www.companysleuth.com provide a plethora of information. If you are profiling a company that is mostly Internet based, you may find by searching for related news stories that they have had numerous security incidents. Using your web search engine of choice will suffice for this activity. However, there are more advanced searching tools and criteria you can use to uncover additional information....

What People are Saying About This

Marty Roesch
"If there was an Encyclopedia Britannica of computer security, it would be Hacking Exposed, Third Edition."
--creator of the Snort tool
Lance Spitzner
"A critical step to knowing your enemy is first understanding their tools. Hacking Exposed, Third Edition delivers just that...and more."
--Sun Microsystems GESS Security Team and the coordinator of the Honeynet Project
Barnaby Jack
"Whether you're a struggling novice or a seasoned pro--Hacking Exposed, Third Edition is required reading."
--Win32 Buffer Overflow Expert

Meet the Author

Stuart McClure, who recently co-authored Hacking Exposed Windows 2000, brings over a decade of IT and security experience to Hacking Exposed. For almost three years (and to an audience of over 400,000 readers), Stuart co-authored Security Watch (http://www.infoworld.com/security), a weekly column in InfoWorld addressing topical security issues, exploits, and vulnerabilities.

Prior to co-founding Foundstone, Stuart was a Senior Manager with Ernst & Young's Security Profiling Services Group, responsible for project management, attack and penetration reviews, and technology evaluations. Prior to Ernst & Young, Stuart was a Security Analyst for the InfoWorld Test Center where he evaluated almost 100 network and security products specializing in firewalls, security auditing, intrusion detection, and public key infrastructure (PKI) products. Prior to InfoWorld, Stuart supported IT departments for over six years as a network, systems, and security manager for Novell, NT, Solaris, AIX, and AS/400 platforms.

Stuart holds a B.A. degree from the University of Colorado, Boulder, and numerous certifications including ISC2's CISSP, Novell's CNE, and Check Point's CCSE.

Joel Scambray recently co-authored Hacking Exposed Windows 2000, expanding the international best-selling Hacking Exposed series to an unprecedented third title. Joel's writing draws primarily on his years of experience as an IT security consultant for clients ranging from members of the Fortune 50 to newly minted startups, where he has gained extensive field-tested knowledge of numerous security technologies, and has designed and analyzed security architectures for a variety of applications and products. Joel speaks widely on Windows 2000 security for organizations including The Computer Security Institute, The MIS Training Institute, SANS, ISSA, ISACA, and many large corporations, and he also maintains and teaches Foundstone's Ultimate Hacking Windows course. He is currently Managing Principal with Foundstone, Inc. (http://www.foundstone.com), and previously held positions as a Manager for Ernst & Young, Senior Test Center Analyst for InfoWorld, and Director of IT for a major commercial real estate firm. Joel's academic background includes advanced degrees from the University of California at Davis and Los Angeles (UCLA), and he is a Certified Information Systems Security Professional (CISSP).

George Kurtz is the CEO of Foundstone(http://www.foundstone.com), a cutting edge security solutions provider. Mr. Kurtz is an internationally recognized security expert and has performed hundreds of firewall, network, and eCommerce related security assessments throughout his illustrious security-consulting career. Mr. Kurtz has significant experience with intrusion detection and firewall technologies, incident response procedures, and remote access solutions. As CEO and co-founder of Foundstone, Mr. Kurtz provides a unique combination of business acumen and technical security know-how. These requisite skills are used to provide strategic direction to Foundstone, as well as to help clients understand the business impact of security. Mr. Kurtz's entrepreneurial spirit has positioned Foundstone as one of the premier "pure play" security solutions providers in the industry. Mr. Kurtz, who recently co-authored Hacking Linux Exposed, is a regular speaker at many security conferences and has been quoted in a wide range of publications, including The Wall Street Journal, InfoWorld, USA Today, and the Associated Press. Mr. Kurtz is routinely called to comment on breaking security events and has been featured on various television stations including: CNN, CNBC, NBC, FOX, and ABC.
