HACKING EXPOSED: NETWORK SECURITY SECRETS AND SOLUTIONS


HACKING EXPOSED: NETWORK SECURITY SECRETS AND SOLUTIONS, THIRD EDITION

Stuart McClure, Joel Scambray, George Kurtz

Osborne/McGraw-Hill
New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi San Juan Seoul Singapore Sydney Toronto

Osborne/McGraw-Hill
2600 Tenth Street
Berkeley, California 94710
U.S.A.

To arrange bulk purchase discounts for sales promotions, premiums, or fund-raisers, please contact Osborne/McGraw-Hill at the above address. For information on translations or book distributors outside the U.S.A., please see the International Contact Information page immediately following the index of this book.

Hacking Exposed: Network Security Secrets and Solutions, Third Edition

Copyright 2001 by The McGraw-Hill Companies. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

1234567890 CUS CUS 01987654321

Book p/n 0-07-219382-4 and CD p/n 0-07-219383-2 parts of ISBN 0-07-219381-6

Publisher: Brandon A. Nordin
Vice President & Associate Publisher: Scott Rogers
Acquisitions Editor: Jane K. Brownlow
Project Editor: LeeAnn Pickrell
Acquisitions Coordinator: Emma Acker
Technical Editors: Tom Lee, Eric Schultze
Copy Editor: Janice A. Jue
Proofreaders: Stefany Otis, Linda Medoff, Paul Medoff
Indexer: Karin Arrigoni
Computer Designers: Carie Abrew, Elizabeth Jang, Melinda Lytle
Illustrators: Michael Mueller, Lyssa Wald
Series Design: Dick Schwartz, Peter F. Hancik
Cover Design: Dodie Shoemaker

This book was composed with Corel VENTURA Publisher.

Information has been obtained by Osborne/McGraw-Hill from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, Osborne/McGraw-Hill, or others, Osborne/McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from use of such information.

CHAPTER 1

Footprinting

Before the real fun for the hacker begins, three essential steps must be performed. This chapter will discuss the first one—footprinting—the fine art of gathering target information. For example, when thieves decide to rob a bank, they don’t just walk in and start demanding money (not the smart ones, anyway). Instead, they take great pains in gathering information about the bank—the armored car routes and delivery times, the video cameras, and the number of tellers, escape exits, and anything else that will help in a successful misadventure.

The same requirement applies to successful attackers. They must harvest a wealth of information to execute a focused and surgical attack (one that won’t be readily caught). As a result, attackers will gather as much information as possible about all aspects of an organization’s security posture. Hackers end up with a unique footprint or profile of their Internet, remote access, and intranet/extranet presence. By following a structured methodology, attackers can systematically glean information from a multitude of sources to compile this critical footprint on any organization.

WHAT IS FOOTPRINTING?

The systematic footprinting of an organization enables attackers to create a complete profile of an organization’s security posture. By using a combination of tools and techniques, attackers can take an unknown quantity (Widget Company’s Internet connection) and reduce it to a specific range of domain names, network blocks, and individual IP addresses of systems directly connected to the Internet. While there are many types of footprinting techniques, they are primarily aimed at discovering information related to the following environments: Internet, intranet, remote access, and extranet. Table 1-1 depicts these environments and the critical information an attacker will try to identify.

Why Is Footprinting Necessary?

Footprinting is necessary to systematically and methodically ensure that all pieces of information related to the aforementioned technologies are identified. Without a sound methodology for performing this type of reconnaissance, you are likely to miss key pieces of information related to a specific technology or organization. Footprinting is often the most arduous task of trying to determine the security posture of an entity; however, it is one of the most important. Footprinting must be performed accurately and in a controlled fashion.

INTERNET FOOTPRINTING

While many footprinting techniques are similar across technologies (Internet and intranet), this chapter will focus on footprinting an organization’s Internet connection(s). Remote access will be covered in detail in Chapter 9.

Table 1-1. Environments and the Critical Information Attackers Can Identify

Technology      Identifies
Internet        Domain name
                Network blocks
                Specific IP addresses of systems reachable via the Internet
                TCP and UDP services running on each system identified
                System architecture (for example, SPARC vs. X86)
                Access control mechanisms and related access control lists (ACLs)
                Intrusion detection systems (IDSes)
                System enumeration (user and group names, system banners, routing tables, SNMP information)
Intranet        Networking protocols in use (for example, IP, IPX, DecNET, and so on)
                Internal domain names
                Network blocks
                Specific IP addresses of systems reachable via intranet
                TCP and UDP services running on each system identified
                System architecture (for example, SPARC vs. X86)
                Access control mechanisms and related access control lists (ACLs)
                Intrusion detection systems
                System enumeration (user and group names, system banners, routing tables, SNMP information)
Remote access   Analog/digital telephone numbers
                Remote system type
                Authentication mechanisms
                VPNs and related protocols (IPSEC, PPTP)
Extranet        Connection origination and destination
                Type of connection
                Access control mechanism

It is difficult to provide a step-by-step guide on footprinting because it is an activity that may lead you down several paths. However, this chapter delineates basic steps that should allow you to complete a thorough footprint analysis. Many of these techniques can be applied to the other technologies mentioned earlier.

Step 1. Determine the Scope of Your Activities

The first item to address is to determine the scope of your footprinting activities. Are you going to footprint an entire organization, or are you going to limit your activities to certain locations (for example, corporate vs. subsidiaries)? In some cases, it may be a daunting task to determine all the entities associated with a target organization. Luckily, the Internet provides a vast pool of resources you can use to help narrow the scope of activities and also provides some insight as to the types and amount of information publicly available about your organization and its employees.

Open Source Search
Popularity: 9
Simplicity: 9
Impact: 2
Risk Rating: 7

As a starting point, peruse the target organization’s web page if they have one. Many times an organization’s web page provides a ridiculous amount of information that can aid attackers. We have actually seen organizations list security configuration options for their firewall system directly on their Internet web server. Other items of interest include

- Locations
- Related companies or entities
- Merger or acquisition news
- Phone numbers
- Contact names and email addresses
- Privacy or security policies indicating the types of security mechanisms in place
- Links to other web servers related to the organization

In addition, try reviewing the HTML source code for comments. Many items not listed for public consumption are buried in HTML comment tags such as “<,” “!,” and “--.” Viewing the source code offline may be faster than viewing it online, so it is often beneficial to mirror the entire site for offline viewing. Having a copy of the site locally may allow you to programmatically search for comments or other items of interest, thus making your footprinting activities more efficient. Wget (…/wget/wget.html) for UNIX and Teleport Pro (http://www.tenmax.com/teleport/home.htm) for Windows are great utilities to mirror entire web sites.

After studying web pages, you can perform open source searches for information relating to the target organization. News articles, press releases, and so on, may provide additional clues about the state of the organization and their security posture. Web sites such as finance.yahoo.com or http://www.companysleuth.com provide a plethora of information. If you are profiling a company that is mostly Internet based, you may find by searching for related news stories that they have had numerous security incidents. Using your web search engine of choice will suffice for this activity. However, there are more advanced searching tools and criteria you can use to uncover additional information.

The FerretPRO suite of search tools from FerretSoft (http://www.ferretsoft.com) is one of our favorites. WebFerretPRO enables you to search many different search engines simultaneously. In addition, other tools in the suite allow you to search IRC, USENET, email, and file databases looking for clues. Also, if you’re looking for a free solution to search multiple search engines, check out http://www.dogpile.com.

Searching USENET for postings related to @example.com often reveals useful information. In one case, we saw a posting from a system administrator’s work account regarding his new PBX system. He said this switch was new to him, and he didn’t know how to turn off the default accounts and passwords. We’d hate to guess how many phone phreaks were salivating over the prospect of making free calls at that organization. Needless to say, you can gain additional insight into the organization and the technical prowess of its staff just by reviewing their postings.

Lastly, you can use the advanced searching capabilities of some of the major search engines like AltaVista or Hotbot. These search engines provide a handy facility that allows you to search for all sites that have links back to the target organization’s domain. This may not seem significant at first, but let’s explore the implications. Suppose someone in an organization decides to put up a rogue web site at home or on the target network’s site. This web server may not be secure or sanctioned by the organization. So we can begin to look for potential rogue web sites just by determining which sites actually link to the target organization’s web server, as shown in Figure 1-1.

You can see that the search returned all sites that link back to http://www.l0pht.com and that contain the word “hacking.” So you could easily use this search facility to find sites linked to your target domain.

The last example, depicted in Figure 1-2, allows you to limit your search to a particular site. In our example, we searched http://www.l0pht.com for all occurrences of “mudge.” This query could easily be modified to search for other items of interest.

Obviously, these examples don’t cover every conceivable item to search for during your travels—be creative. Sometimes the most outlandish search yields the most productive results.
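Auditing a mirrored copy of your own site for the kind of leaky HTML comments described above, as an added example that is not from the book (the scanner, its keyword list and the sample page are constructed for illustration; point scan_mirror at a wget output directory for a real run):

```python
import re
from html.parser import HTMLParser
from pathlib import Path

# Terms whose presence in a comment warrants review (constructed list; tune per site).
SENSITIVE_TERMS = ("password", "passwd", "firewall", "internal",
                   "todo", "fixme", "admin", "debug")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


class CommentCollector(HTMLParser):
    """Collects every <!-- ... --> comment together with its line number."""

    def __init__(self):
        super().__init__()
        self.comments = []  # list of (line, text)

    def handle_comment(self, data):
        line, _col = self.getpos()  # position of the comment's opening "<!--"
        self.comments.append((line, data.strip()))


def find_leaky_comments(html, source="<inline>"):
    """Return findings for comments that mention sensitive terms or IPv4 addresses."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for line, text in parser.comments:
        lowered = text.lower()
        reasons = [t for t in SENSITIVE_TERMS if t in lowered]
        if IPV4_RE.search(text):
            reasons.append("ipv4-address")
        if reasons:
            findings.append({"file": source, "line": line,
                             "reasons": reasons, "comment": text})
    return findings


def scan_mirror(root):
    """Walk a mirrored site directory (for example, wget output) and scan every HTML file."""
    findings = []
    for path in Path(root).rglob("*.htm*"):
        findings.extend(find_leaky_comments(path.read_text(errors="replace"), str(path)))
    return findings


# Constructed sample page standing in for one mirrored file.
SAMPLE_HTML = """<html><head><title>Widget Co</title></head>
<body>
<!-- Layout by the web team, 2001 -->
<p>Welcome.</p>
<!-- TODO: remove before go-live. Firewall admin at 10.1.2.3, passwd in /etc/fw.conf -->
<div>
<!-- Contact: webmaster -->
</div>
</body></html>
"""

if __name__ == "__main__":
    for f in find_leaky_comments(SAMPLE_HTML):
        print(f"{f['file']}:{f['line']} [{', '.join(f['reasons'])}] {f['comment']}")
```

Only the second comment is reported; the harmless design credit and contact note pass through, which is the point of keyword-driven triage rather than dumping every comment.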

Figure 1-1. With the AltaVista search engine, use the link:www.example.com directive to query all sites with links back to the target domain.

Figure 1-2. With AltaVista, use the host:example.com directive to query the site for the specified string (for example, “mudge”).

EDGAR Search

For targets that are publicly traded companies, you can consult the Securities and Exchange Commission (SEC) EDGAR database at http://www.sec.gov, as shown in Figure 1-3.

One of the biggest problems organizations have is managing their Internet connections, especially when they are actively acquiring or merging with other entities. So it is important to focus on newly acquired entities. Two of the best SEC publications to review are the 10-Q and 10-K. The 10-Q is a quick snapshot of what the organization has done over the last quarter. This update includes the purchase or disposition of other entities. The 10-K is a yearly update of what the company has done and may not be as timely as the 10-Q. It is a good idea to peruse these documents by searching for “subsidiary” or “subsequent events.” This may provide you with information on a newly acquired entity. Often organizations will scramble to connect the acquired entities to their corporate network with little regard for security. So it is likely that you may be able to find security weaknesses in the acquired entity that would allow you to leapfrog into the parent company. Attackers are opportunistic and are likely to take advantage of the chaos that normally comes with combining networks.

With an EDGAR search, keep in mind that you are looking for entity names that are different from the parent company. This will become critical in subsequent steps when you perform organizational queries from the various whois databases available (see “Step 2. Network Enumeration”).

Figure 1-3. The EDGAR database allows you to query public documents, providing important insight into the breadth of the organization by identifying its associated entities.

Countermeasure: Public Database Security

Much of the information discussed earlier must be made publicly available; this is especially true for publicly traded companies. However, it is important to evaluate and classify the type of information that is publicly disseminated. The Site Security Handbook (RFC 2196) can be found at http://www.ietf.org/rfc/rfc2196.txt and is a wonderful resource for many policy-related issues. Finally, remove any unnecessary information from your web pages that may aid an attacker in gaining access to your network.

Step 2. Network Enumeration
Popularity: 9
Simplicity: 9
Impact: 5
Risk Rating: 8

The first step in the network enumeration process is to identify domain names and associated networks related to a particular organization. Domain names represent the
company’s presence on the Internet and are the Internet equivalent to your company’s name, such as “AAAApainting.com” and “moetavern.com.”

To enumerate these domains and begin to discover the networks attached to them, you must scour the Internet. There are multiple whois databases you can query that will provide a wealth of information about each entity we are trying to footprint. Before the end of 1999, Network Solutions had a monopoly as the main registrar for domain names (com, net, edu, and org) and maintained this information on their whois servers. This monopoly was dissolved and currently there is a multitude of accredited registrars (http://www.internic.net/alpha.html). Having new registrars available adds steps in finding our targets (see “Registrar Query” later in this step). We will need to query the correct registrar for the information we are looking for.

There are many different mechanisms (see Table 1-2) to query the various whois databases. Regardless of the mechanism, you should still receive the same information. Users should consult Table 1-3 for other whois servers when looking for domains other than com, net, edu, or org. Another valuable resource, especially for finding whois servers outside of the United States, is http://www.allwhois.com. This is one of the most complete whois resources on the Internet.

Table 1-2. Whois Searching Techniques and Data Sources

Mechanism                 Resources                                                   Platform
Web                       …w.arin.net                                                 Any platform with a web client
Whois client              Whois is supplied with most versions of UNIX.               UNIX
                          Fwhois was created by Chris Cappuccio ccappuc@santefe.edu
WS Ping ProPack           http://www.ipswitch.com/                                    Windows 95/NT/2000
Sam Spade                 http://www.samspade.org/ssw                                 Windows 95/NT/2000
Sam Spade Web Interface   http://www.samspade.org/                                    Any platform with a web client
Netscan                   …                                                           Windows 95/NT/2000
Xwhois                    http://c64.org/ nr/xwhois/                                  UNIX with X and GTK GUI toolkit

Table 1-3. Government, Military, and International Sources of Whois Databases

Whois Server                          Addresses
European IP Address Allocations       http://www.ripe.net/
Asia Pacific IP Address Allocations   http://whois.apnic.net
U.S. military                         http://whois.nic.mil
U.S. government                       http://whois.nic.gov

Different information can be gleaned with each query. The following query types provide the majority of information hackers use to begin their attack:

- Registrar
- Organizational
- Domain
- Network: Displays all information related to a particular network or a single IP address
- Point of con

