This one-of-a-kind book provides in-depth expert insight into how hackers infiltrate e-business,and how they can be stopped.
In today's round-the-clock,hyper-connected,all-digital economy,computer security is everyone's business. Hacking Exposed: Network Security Secrets & Solutions,Second Edition brings even more in-depth insight into how hackers infiltrate e-business,and how they can be stopped. Security insiders Stuart McClure,Joel Scambray,and George Kurtz present more than 220 all-new pages of technical detail and case studies in an easy-to-follow style. The world of Internet security moves even faster than the digital economy,and all of the brand-new tools and techniques that have surfaced since the publication of the best-selling first edition are covered here. Use the real-world countermeasures in this one-of-a-kind volume to plug the holes in your network todaybefore they end up in the headlines tomorrow.
New and Updated Material: Brand new "Hacking the Internet User" chapter covers insidious Internet client attacks against web browsers,email software,and active content,including the vicious new Outlook email date field buffer overflow and ILOVEYOU worms.
A huge new chapter on Windows 2000 attacks and countermeasures covers offline password database attacks and Encrypting File System (EFS) vulnerabilities.
Coverage of all the new Distributed Denial of Service (DDoS) tools and techniques that almost broke down the Internet in February 2000 (Trinoo,TFN2K,Stacheldraht).
Significantly updated e-commerce hacking methodologies including new IIS and Cold Fusion vulnerabilities.
A revised and updated dial-up chapter with new material onPBX and voicemail system hacking.
New network discovery tools and techniques,including an updated section on Windows-based scanners,how to carry out eavesdropping attacks on switched networks using ARP redirection,and RIP spoofing attacks.
Coverage of new back doors and forensic techniques,including defenses against Win9x back doors like Sub7.
Updated coverage of security attacks against Windows 9x,Windows Me,Windows 2000,Windows NT,UNIX,Linux,NetWare,and dozens of other platforms,with appropriate countermeasures.
|Edition description:||Older Edition|
|Product dimensions:||7.50(w) x 9.25(h) x 1.47(d)|
About the Author
Joel Scambray is Managing Principal, Stuart McClure is President/CTO, and George Kurtz is CEO of Foundstone Inc., a premier security consulting and training company. They have promoted information system security over a combined fifteen years of consulting and training for Fortune 500 companies, and in forums ranging from Stuart and Joel's weekly "Security Watch" column for InfoWorld, to George's renowned Black Hat Conference presentations.
Read an Excerpt
Chapter 8: Hacking UNIXSome feel drugs are about the only thing more addicting than obtaining root access on a UNIX system. The pursuit of root access dates back to the early days of UNIX, so we need to provide some historical background on its evolution.
The Quest for Root
In 1969, Ken Thompson, and later Dennis Ritchie, of AT&T decided that the MULTICS (Multiplexed Information and Computing System) project wasn't progressing as fast as they would have liked. Their decision to "hack up" a new operating system called UNIX forever changed the landscape of computing. UNIX was intended to be a powerful, robust, multiuser operating system that excelled at running programs, specifically, small programs called tools. Security was not one of UNIX's primary design characteristics, although UNIX does have a great deal of security if implemented properly. UNIX's promiscuity was a result of the open nature of developing and enhancing the operating system kernel, as well as the small tools that made this operating system so powerful. The early UNIX environments were usually located inside Bell Labs or in a university setting where security was controlled primarily by physical means. Thus, any user who had physical access to a UNIX system was considered authorized. In many cases, implementing root-level passwords was considered a hindrance and dismissed.
While UNIX and UNIX-derived operating systems have evolved considerably over the past 30 years, the passion for UNIX and UNIX security has not subsided. Many ardent developers and code hackers scour source code for potential vulnerabilities. Furthermore, it is a badge of honor to post newly discovered vulnerabilities to security mailing lists such as Bugtraq. In this chapter, we will explore this fervor to determine how and why the coveted root access is obtained. Throughout this chapter, remember that in UNIX there are two levels of access: the all-powerful root and everything else. There is no substitute for root!
A Brief Review
You may recall that we discussed in Chapters 1 through 3 ways to identify UNIX systems and enumerate information. We used port scanners such as nmap to help identify open TCP/UDP ports as well as to fingerprint the target operating system or device. We used rpcinfo and showmount to enumerate RPC service and NFS mount points, respectively. We even used the all-purpose netcat (nc) to grab banners that leak juicy information such as the applications and associated versions in use. In this chapter, we will explore the actual exploitation and related techniques of a UNIX system. It is important to remember that footprinting and network reconnaissance of UNIX systems must be done before any type of exploitation. Footprinting must be executed in a thorough and methodical fashion to ensure that every possible piece of information is uncovered. Once we have this information, we need to make some educated guesses about the potential vulnerabilities that may be present on the target system. This process is known as vulnerability mapping.
Vulnerability mapping is the process of mapping specific security attributes of a system to an associated vulnerability or potential vulnerability. This is a critical phase in the actual exploitation of a target system that should not be overlooked. It is necessary for attackers to map attributes such as listening services, specific version numbers of running servers (for example, Apache 1.3.9 being used for HTTP and sendmail 8.9.10 being used for SMTP), system architecture, and username information to potential security holes. There are several methods attackers can use to accomplish this task:
All these methods have their pros and cons; however, it is important to remember that only uneducated attackers known as "script kiddies" will skip the vulnerability mapping stage by throwing everything and the kitchen sink at a system to get in without knowing how and why an exploit works. We have witnessed many real-life attacks where the perpetrators were trying to use UNIX exploits against a Windows NT system. Needless to say, these attackers were inexpert and unsuccessful. The following list summarizes key points to consider when performing vulnerability mapping:
REMOTE ACCESS VERSUS LOCAL ACCESS
The remainder of this chapter is broken into two major sections, remote and local access. Remote access is defined as gaining access via the network (for example, a listening service) or other communication channel. Local access is defined as having an actual command shell or login to the system. Local access attacks are also referred to as privilege escalation attacks. It is important to understand the relationship between remote and local access. There is a logical progression where attackers remotely exploit a vulnerability in a listening service and then gain local shell access. Once shell access is obtained, the attackers are considered to be local on the system. We try to logically break out the types of attacks that are used to gain remote access and provide relevant examples. Once remote access is obtained, we explain common ways attackers escalate their local privileges to root. Finally, we explain information-gathering techniques that allow attackers to garner information about the local system so that it can be used as a staging point for additional attacks. It is important to remember that this chapter is not a comprehensive book on UNIX security; for that we refer you to Practical UNIX & Internet Security by Simson Garfinkel and Gene Spafford. Additionally, this chapter cannot cover every conceivable UNIX exploit and flavor of UNIX-that would be a book in itself. Rather, we aim to categorize these attacks and to explain the theory behind them. Thus, when a new attack is discovered, it will be easy to understand how it works, though it was not specifically covered. We take the "teach a man to fish and feed him for life" approach rather than the "feed him for a day" approach.
As mentioned previously, remote access involves network access or access to another communications channel, such as a dial-in modem attached to a UNIX system. We find that analog/ISDN remote access security at most organizations is abysmal. We are limiting our discussion, however, to accessing a UNIX system from the network via TCP/IP. After all, TCP/IP is the cornerstone of the Internet, and it is most relevant to our discussion on UNIX security.
The media would like everyone to believe that there is some sort of magic involved with compromising the security of a UNIX system. In reality, there are three primary methods to remotely circumventing the security of a UNIX system:
1. Exploiting a listening service (for example, TCP/UDP)
2. Routing through a UNIX system that is providing security between two or more networks
3. User-initiated remote execution attacks (for example, hostile web site, Trojan horse email, and so on)
Let's take a look at a few examples to understand how different types of attacks fit into the preceding categories.
Route Through a UNIX System Your UNIX firewall was circumvented by attackers. How is this possible? you ask. We don't allow any inbound services, you say. In many instances attackers circumvent UNIX firewalls by source routing packets through the firewall to internal systems. This feat is possible because the UNIX kernel had IP forwarding enabled when the firewall application should have been performing this function. In most of these cases, the attackers never actually broke into the firewall per se; they simply used it as a router.
Throughout this section, we will address specific remote attacks that fall under one of the preceding three categories. If you have any doubt about how a remote attack is possible, just ask yourself three questions:
1. Is there a listening service involved?
2. Does the system perform routing?
3. Did a user or a user's software execute commands that jeopardized the security of the host system?
You are likely to answer yes to at least one question....
Table of Contents
|Part I||Casing the Establishment|
|Case Study: Target Acquisition||2|
|What Is Footprinting?||6|
|Why Is Footprinting Necessary?||6|
|Step 1.||Determine the Scope of Your Activities||8|
|Step 2.||Network Enumeration||13|
|Step 3.||DNS Interrogation||22|
|Step 4.||Network Reconnaissance||27|
|Identifying TCP and UDP Services Running||46|
|Windows-Based Port Scanners||51|
|Port Scanning Breakdown||57|
|Active Stack Fingerprinting||61|
|Passive Stack Fingerprinting||65|
|The Whole Enchilada: Automated Discovery Tools||67|
|Windows NT/2000 Enumeration||72|
|NT/2000 Network Resource Enumeration||76|
|NT/2000 User and Group Enumeration||87|
|NT/2000 Applications and Banner Enumeration||95|
|Let Your Scripts Do the Walking||99|
|Browsing the Network Neighborhood||100|
|Part II||System Hacking|
|Case Study: Know Your Enemy||116|
|4||Hacking Windows 95/98 and ME||117|
|Win 9x Remote Exploits||118|
|Direct Connection to Win 9x Shared Resources||119|
|Win 9x Backdoor Servers and Trojans||124|
|Known Server Application Vulnerabilities||129|
|Win 9x Denial of Service||130|
|Win 9x Local Exploits||130|
|Windows Millennium Edition (ME)||137|
|5||Hacking Windows NT||141|
|Where We're Headed||143|
|What About Windows 2000?||143|
|The Quest for Administrator||144|
|Remote Exploits: Denial of Service and Buffer Overflows||160|
|Consolidation of Power||174|
|Remote Control and Back Doors||194|
|General Countermeasures to Privileged Compromise||207|
|Rootkit: The Ultimate Compromise||211|
|Clearing the Event Log||214|
|6||Hacking Windows 2000||219|
|NetBIOS-SMB Password Guessing||229|
|Eavesdropping on Password Hashes||229|
|Attacks Against IIS 5||229|
|Remote Buffer Overflows||233|
|Denial of Service||233|
|Grabbing the Win 2000 Password Hashes||241|
|The Encrypting File System (EFS)||246|
|Clearing the Event Log||252|
|General Countermeasures: New Windows Security Tools||257|
|7||Novell NetWare Hacking||265|
|Attaching but Not Touching||267|
|Enumerate Bindery and Trees||268|
|Opening the Unlocked Doors||275|
|Spoofing Attacks (Pandora)||287|
|Once You Have Admin on a Server||290|
|Owning the NDS Files||292|
|Web Sites (ftp://ftp.novell.com/pub/updates/nw/nw411/)||302|
|The Quest for Root||306|
|A Brief Review||306|
|Remote Access Versus Local Access||307|
|Data Driven Attacks||312|
|I Want My Shell||317|
|Common Types of Remote Attacks||322|
|After Hacking Root||357|
|Part III||Network Hacking|
|Case Study: Sweat the Small Stuff!||374|
|9||Dial-Up, PBX, Voicemail, and VPN Hacking||377|
|A Final Note||403|
|Virtual Private Network (VPN) Hacking||415|
|Lower the Gates (Vulnerabilities)||437|
|Shared Versus Switched||443|
|Detecting the Media You're On||444|
|Passwords on a Silver Platter: Dsniff||445|
|Sniffing on a Network Switch||448|
|Advanced Firewall Discovery||465|
|Scanning Through Firewalls||469|
|Application Proxy Vulnerabilities||477|
|12||Denial of Service (DoS) Attacks||483|
|Motivation of DoS Attackers||484|
|Types of DoS Attacks||485|
|Routing and DNS Attacks||487|
|Generic DoS Attacks||488|
|Sites Under Attack||491|
|UNIX and Windows NT DoS||494|
|Remote DoS Attacks||495|
|Distributed Denial of Service Attacks||499|
|Local DoS Attacks||504|
|Part IV||Software Hacking|
|Case Study: Using All the Dirty Tricks to Get In||508|
|13||Remote Control Insecurities||511|
|Discovering Remote Control Software||512|
|What Software Package Is the Best in Terms of Security?||521|
|Virtual Network Computing (VNC)||523|
|Subverting the System Environment: Rootkits and Imaging Tools||558|
|Finding Well-Known Vulnerabilities||570|
|Automated Scripts, for All Those "Script Kiddies"||570|
|Script Inadequacies: Input Validation Attacks||573|
|Active Server Pages (ASP) Vulnerabilities||582|
|Poor Web Design||598|
|16||Hacking the Internet User||601|
|Malicious Mobile Code||603|
|Java Security Holes||614|
|Beware the Cookie Monster||618|
|Internet Explorer HTML Frame Vulnerabilities||621|
|Mail Hacking 101||626|
|Executing Arbitrary Code Through Email||629|
|Outlook Address Book Worms||637|
|File Attachment Attacks||639|
|Napster Hacking with Wrapster||649|
|Global Countermeasures to Internet User Hacking||650|
|Keep Antivirus Signatures Updated||650|
|Guarding the Gateways||651|
|B||Top 14 Security Vulnerabilities||661|
|C||About the Companion Web Site||663|
|Wordlists and Dictionaries||666|
Most Helpful Customer Reviews
This is very 'warez' book I've ever read. The coolest way for hacking and protecting your awsome server.
This is the best book for people who wish to become hackers or for people who want to be safe from them. This is a real good it is worth every penny a MUST BUY! What are you waiting for buy this book and be safe! You may think your safe but your not wait until you buy this book and see how safe you will be!
i think this book was reALLY GOOD IT SHOWED ME HOW TO KEEP MY COMPUTER SAFE FROM HACKERS AND CRACKERS !!! THANKS A BUNCH REAL GOOD BOOK
This is a great book that teaches the reader not only how to hack a certain vulnerbility, but also how to fix it so it doesn't happen to you. The second edition is great, better than the first. It includes a whole new chapter, 'Hacking the Internet User,' and win2k exploits.
The first edition was a great book, explaining how people use trojans and different scripts to break into networks, but this one is even better. It not only has better coverage of things from the first book, it includes great exploits for Win2k