HACKING EXPOSED™ 7:
NETWORK SECURITY
SECRETS & SOLUTIONS
STUART McCLURE
JOEL SCAMBRAY
GEORGE KURTZ
New York Chicago San Francisco
Lisbon London Madrid Mexico City
Milan New Delhi San Juan
Seoul Singapore Sydney Toronto
Copyright © 2012 by The McGraw-Hill Companies. All rights reserved. Except as permitted under the United States Copyright Act of 1976,
no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without
the prior written permission of the publisher.
ISBN: 978-0-07-178029-2
MHID: 0-07-178029-7
The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-178028-5,
MHID: 0-07-178028-9.
All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name,
we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark.
Where such designations appear in this book, they have been printed with initial caps.
McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training
programs. To contact a representative please e-mail us at [email protected].
McGraw-Hill, the McGraw-Hill Publishing logo, Hacking Exposed™, and related trade dress are trademarks or registered trademarks of
The McGraw-Hill Companies and/or its affiliates in the United States and other countries and may not be used without written permission.
All other trademarks are the property of their respective owners. The McGraw-Hill Companies is not associated with any product or vendor
mentioned in this book.
Information has been obtained by McGraw-Hill from sources believed to be reliable. However, because of the possibility of human or
mechanical error by our sources, McGraw-Hill, or others, McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of any
information and is not responsible for any errors or omissions or the results obtained from the use of such information.
TERMS OF USE
This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the work.
Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of
the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute,
disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the work for your own
noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to
comply with these terms.
THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS
TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK,
INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE,
AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant
or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free.
Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the
work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the
work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential
or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such
damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or
otherwise.
Crowdstrike
MISSION POSSIBLE
CrowdStrike is a security technology company focused on helping enterprises and governments
protect their most sensitive intellectual property and national security information from targeted
attacks also known as Advanced Persistent Threats (APTs). CrowdStrike has developed a new
and innovative approach to the growing cyber adversary problem leveraging "Big Data"
technologies to identify and prevent the damage from targeted attacks. Industry luminaries
created CrowdStrike as a direct response to the systemic transfer of wealth from the continuous
theft of intellectual property. CrowdStrike's approach is based on a key principle:
YOU DON'T HAVE A MALWARE PROBLEM
YOU HAVE AN ADVERSARY PROBLEM
The "Maginot line" of security can no longer effectively keep persistent adversaries out of your
organization. Attribution of the adversary is a key strategic piece missing from all current
security technologies. CrowdStrike identifies the cyber adversary on a deeper level by revealing
their tactics, techniques, and procedures (TTPs).
By linking the "what" (malware) to the "why" (intent) and the "who" (adversary), we help companies strike back at the
human-dependent and not easily scalable parts of the adversary's operations and provide protection
where it is needed most. CrowdStrike also has a world-class Professional Services Division
staffed with security practitioners with unmatched experience in cyber investigations and forensic
capabilities to help customers respond to advanced cyber attacks. CrowdStrike's Technology,
Intelligence, and Services offer a "Triple Crown" platform to customers providing an unparalleled
strategic advantage over the adversary - today — and into the future. Visit www.crowdstrike.com
to learn more about our mission to change the security industry.
Stop Hackers in Their Tracks
Hacking Exposed Malware & Rootkits
Hacking Exposed Computer Forensics, 2nd Edition
Hacking Exposed Wireless, 2nd Edition
Hacking Exposed: Web Applications, 3rd Edition
IT Security Metrics
Gray Hat Hacking, 2nd Edition
Hacking Exposed, 7th Edition
Hacking Exposed Linux, 3rd Edition
IT Auditing, 2nd Edition
Available in print and ebook formats
@MHcomputing
Industry Leaders in
Software Security Consulting
We offer expert services and solutions to meet
your software security challenges head-on
Best practices gap analysis
Regulatory compliance
Training
Security metrics
Remediation services
Secure code review
Architectural risk analysis
Tool strategy
Tool implementation
BSIMM
cigital
www.cigital.com
To my amazing boys (who hack me on a daily basis), I love you
beyond words. FANMW… URKSHI. To my Dawn, for her
seemingly endless patience and love—I never knew the meaning
of both until you. And to the new girls in my life, Jessica and
Jillian… I love you.
—Stuart McClure
To Austin, TX, my new home and a great place to live; hopefully
we’re helping keep it weird.
—Joel Scambray
To my loving family, Anna, Alexander, and Allegra who provide
inspiration and support, allowing me to follow my passion. To
the late Joe Petrella, for always reminding me “many are called—
few are chosen…”
—George Kurtz
Hacking Exposed 7: Network Security Secrets & Solutions
ABOUT THE AUTHORS
Stuart McClure
Stuart McClure, CNE, CCSE, is the CEO/President of Cylance, Inc., an
elite global security services and products company solving the world’s
most difficult security problems for the most critical companies around
the globe. Prior to Cylance, Stuart was Global CTO for McAfee/Intel,
where he was responsible for a nearly $3B consumer and corporate security
products’ business. During his tenure at McAfee, Stuart McClure also held
the General Manager position for the Security Management Business for
McAfee/Intel, which enabled all McAfee corporate security products to be operationalized, managed, and measured. Alongside those roles, Stuart McClure ran an elite team
of good guy hackers inside McAfee called TRACE that discovered new vulnerabilities
and emerging threats. Before McAfee, Stuart helped run security at the largest healthcare
company in the U.S., Kaiser Permanente. In 1999, Stuart was also the original founder of
Foundstone, Inc., a global consulting and products company, which was acquired by
McAfee in 2004.
Stuart is the creator, lead author, and original founder of the Hacking Exposed™ series
of books and has been hacking for the good guys for over 25 years. Widely recognized
and asked to present his extensive and in-depth knowledge of hacking and exploitation
techniques, Stuart is considered one of the industry’s leading authorities on information
security risk today. A well-published and acclaimed security visionary, McClure brings a
wealth of technical and executive leadership with a profound understanding of both the
threat landscape and the operational and financial risk requirements to be successful in
today’s world.
Joel Scambray
Joel is a Managing Principal at Cigital, a leading software security firm
established in 1992. He has assisted companies ranging from newly minted
startups to members of the Fortune 500 to address information security
challenges and opportunities for over 15 years.
Joel’s background includes roles as an executive, technical consultant,
and entrepreneur. He cofounded and led information security consulting
firm Consciere before it was acquired by Cigital in June 2011. He has been
a Senior Director at Microsoft Corporation, where he provided security leadership in
Microsoft’s online services and Windows divisions. Joel also cofounded security software
and services startup Foundstone, Inc. and helped lead it to acquisition by McAfee in
2004. He previously held positions as a Manager for Ernst & Young, security columnist
for Microsoft TechNet, Editor at Large for InfoWorld Magazine, and Director of IT for a
major commercial real-estate firm.
Joel is a widely recognized writer and speaker on information security. He has coauthored and contributed to over a dozen books on IT and software security, many of
them international best-sellers. He has spoken at forums including Black Hat, as well as
for organizations, including IANS, CERT, CSI, ISSA, ISACA, and SANS, private
corporations, and government agencies, including the FBI and the RCMP.
Joel holds a BS from the University of California at Davis, an MA from UCLA, and he
is a Certified Information Systems Security Professional (CISSP).
George Kurtz
George Kurtz, CISSP, CISA, CPA, is cofounder and CEO of CrowdStrike, a
cutting-edge big data security technology company focused on helping
enterprises and governments protect their most sensitive intellectual property
and national security information. George is also an internationally recognized
security expert, author, entrepreneur, and speaker. He has almost 20 years of
experience in the security space and has helped hundreds of large organizations
and government agencies around the world tackle the most demanding security
problems. His entrepreneurial background and ability to commercialize nascent
technologies has enabled him to drive innovation throughout his career by identifying
market trends and correlating them with customer feedback, resulting in rapid growth
for the businesses he has run.
In 2011, George relinquished his role as McAfee’s Worldwide Chief Technology
Officer to his co-author and raised $26M in venture capital to create CrowdStrike. During
his tenure as McAfee’s CTO, Kurtz was responsible for driving the integrated security
architectures and platforms across the entire McAfee portfolio. Kurtz also helped drive
the acquisition strategy that allowed McAfee to grow from $1b in revenue in 2007 to over
$2.5b in 2011. In one of the largest tech M&A deals in 2011, Intel (INTC) acquired McAfee
for nearly $8b. Prior to joining McAfee, Kurtz was Chief Executive Officer and cofounder
of Foundstone, Inc., which was acquired by McAfee in October 2004. You can follow
George on Twitter @george_kurtz or his blog at securitybattlefield.com.
About the Contributing Authors
Christopher Abad is a security researcher at McAfee focusing on embedded threats. He
has 13 years of professional experience in computer security research and software and
hardware development and studied mathematics at UCLA. He has contributed to
numerous security products and has been a frequent speaker at various security
conferences over the years.
Brad Antoniewicz works in Foundstone’s security research division to uncover flaws
in popular technologies. He is a contributing author to both the Hacking Exposed™ and
Hacking Exposed™ Wireless series of books and has authored various internal and external
Foundstone tools, whitepapers, and methodologies.
Christiaan Beek is a principal architect on the McAfee Foundstone Services team. As
such, he serves as the practice lead for the Incident Response and Forensics services team
in EMEA. He has performed numerous forensic investigations from system compromise,
theft, child pornography, malware infections, Advanced Persistent Threats (APT), and
mobile devices.
Carlos Castillo is a Mobile Malware Researcher at McAfee, an Intel company, where
he performs static and dynamic analysis of suspicious applications to support McAfee’s
Mobile Security for Android product. Carlos’ recent research includes dissection of the
Android Market malware DroidDream, and he is the author of “Android Malware Past,
Present, and Future,” a whitepaper published by McAfee. Carlos also is an active blogger
on McAfee Blog Central. Prior to McAfee, Carlos performed security compliance audits
for the Superintendencia Financiera of Colombia. Before that, Carlos worked at a security
startup Easy Solutions, Inc., where he conducted penetration tests on web applications,
helped shut down phishing and malicious websites, supported security and network
appliances, performed functional software testing, and assisted in research and
development related to anti-electronic fraud. Carlos joined the world of malware research
when he won ESET Latin America’s “Best Antivirus Research” contest. His winning
paper was entitled “Sexy View: The Beginning of Mobile Botnets.” Carlos holds a degree
in Systems Engineering from the Universidad Javeriana in Bogotá, Colombia.
Carric Dooley has been working primarily in information security since 1997. He
originally joined the Foundstone Services team in March 2005 after five years on the ISS
Professional Services team. Currently he is building the Foundstone Services team in
EMEA and lives in the UK with his lovely wife, Michelle, and three children. He has led
hundreds of assessments of various types for a wide range of verticals, and regularly
works with globally recognized banks, petrochemicals, and utilities, and consumer
electronics companies in Europe and the Middle East. You may have met Carric at either
the Black Hat (Vegas/Barcelona/Abu Dhabi) or Defcon conferences, where he has been
on staff and taught several times, in addition to presenting at Defcon 16.
Max Klim is a security consultant with Cigital, a leading software security company
founded in 1992. Prior to joining Cigital, Max worked as a security consultant with
Consciere. Max has over nine years of experience in IT and security, having served both
Fortune 500 organizations and startups. He has extensive experience in penetration
testing, digital forensics, incident response, compliance, and network and security
engineering. Max holds a Bachelor of Applied Science in Information Technology
Management from Central Washington University and is an Encase Certified Examiner
(EnCE), Certified Information Systems Security Professional (CISSP), and holds several
Global Information Assurance Certification (GIAC) credentials.
Tony Lee has over eight years of professional experience pursuing his passion in all
areas of information security. He is currently a Principal Security Consultant at
Foundstone Professional Services (a division of McAfee), in charge of advancing many
of the network penetration service lines. His interests of late are Citrix and kiosk hacking,
post exploitation, and SCADA exploitation. As an avid educator, Tony has instructed
thousands of students at many venues worldwide, including government agencies,
universities, corporations, and conferences such as Black Hat. He takes every opportunity
to share knowledge as a lead instructor for a series of classes that includes Foundstone’s
Ultimate Hacking (UH), UH: Windows, UH: Expert, UH:Wireless, and UH: Web. He
holds a Bachelor of Science in Computer Engineering from Virginia Tech (Go Hokies!)
and Master of Science in Security Informatics from The Johns Hopkins University.
Slavik Markovich has over 20 years of experience in infrastructure, security, and
software development. Slavik cofounded Sentrigo, the database security company
recently acquired by McAfee. Prior to co-founding Sentrigo, Slavik served as VP R&D
and Chief Architect at db@net, a leading IT architecture consultancy. Slavik has
contributed to open source projects and is a regular speaker at industry conferences.
Hernan Ochoa is a security consultant and researcher with over 15 years of
professional experience. Hernan is the founder of Amplia Security, provider of information
security–related services, including network, wireless, and web application penetration
tests, standalone/client-server application black-box assessments, source code audits,
reverse engineering, and vulnerability analysis. Hernan began his professional career in
1996 with the creation of Virus Sentinel, a signature-based file/memory/mbr/boot
sector detection/removal antivirus application with heuristics to detect polymorphic
viruses. Hernan also developed a detailed technical virus information database and
companion newsletter. He joined Core Security Technologies in 1999 and worked there
for 10 years in various roles, including security consultant and exploit writer performing
diverse types of security assessments, developing methodologies, shellcode, and security
tools, and contributing new attack vectors. He also designed and developed several low-level/kernel components for a multi-OS security system ultimately deployed at a
financial institution, and served as “technical lead” for ongoing development and
support of the multi-OS system. Hernan has published a number of security tools and
presented his work at several international security conferences including Black Hat,
Hack in the Box, Ekoparty, and RootedCon.
Dr. (Shane) Shook is a Senior Information Security advisor and SME who has
architected, built, and optimized information security implementations. He conducts
information security audits and vulnerability assessments, business continuity planning,
disaster recovery testing, and security incident response, including computer forensics
analysis and malware assessment. He has provided expert testimony on technical issues
in criminal, class action, IRS, SEC, EPA, and ITC cases, as well as state and federal
administrative matters.
Nathan Sportsman is the founder and CEO of Praetorian, a privately held,
multimillion-dollar security consulting, research, and product company. He has extensive
experience in information security and has consulted across most industry sectors with
clients ranging from the NASDAQ stock exchange to the National Security Agency. Prior
to founding Praetorian, Nathan held software development and consulting positions at
Sun Microsystems, Symantec, and McAfee. Nathan is a published author, US patent
holder, NIST individual contributor, and DoD cleared resource. Nathan holds a degree
in Electrical & Computer Engineering from The University of Texas.
About the Technical Reviewers
Ryan Permeh is chief scientist at McAfee. He works with the Office of the CTO to envision
how to protect against the threats of today and tomorrow. He is a vulnerability researcher,
reverse engineer, and exploiter with 15 years of experience in the field. Ryan has spoken
at several security and technology conferences on advanced security topics, published
many blogs and articles, and contributed to books on the subject.
Mike Price is currently chief architect for iOS at Appthority, Inc. In this role, Mike
focuses full time on research and development related to iOS operating system and
application security. Mike was previously Senior Operations Manager for McAfee Labs
in Santiago, Chile. In this role, Mike was responsible for ensuring smooth operation of
the office, working with external entities in Chile and Latin America and generally
promoting technical excellence and innovation across the team and region. Mike was a
member of the Foundstone Research team for nine years. Most recently, he was responsible
for content development for the McAfee Foundstone Enterprise vulnerability
management product. In this role, Mike worked with and managed a global team of
security researchers responsible for implementing software checks designed to detect
the presence of operating system and application vulnerabilities remotely. He has
extensive experience in the information security field, having worked in the area of
vulnerability analysis and infosec-related R&D for nearly 13 years. Mike is also cofounder
of the 8.8 Computer Security Conference, held annually in Santiago, Chile. Mike was
also a contributor to Chapter 11.
AT A GLANCE
Part I Casing the Establishment
▼ 1 Footprinting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
▼ 2 Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
▼ 3 Enumeration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Part II Endpoint and Server Hacking
▼ 4 Hacking Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
▼ 5 Hacking UNIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
▼ 6 Cybercrime and Advanced Persistent Threats . . . . . . . . . . . . . 313
Part III Infrastructure Hacking
▼ 7 Remote Connectivity and VoIP Hacking . . . . . . . . . . . . . . . . . . 373
▼ 8 Wireless Hacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
▼ 9 Hacking Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
Part IV Application and Data Hacking
▼ 10 Web and Database Hacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
▼ 11 Mobile Hacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591
▼ 12 Countermeasures Cookbook . . . . . . . . . . . . . . . . . . . . . . . . . . . . 669
Part V Appendixes
▼ A Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 691
▼ B Top 10 Security Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . 699
▼ C Denial of Service (DoS) and Distributed Denial of
Service (DDoS) Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 701
▼ Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 707
CONTENTS
Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii
Part I Casing the Establishment
Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
IAAAS—It’s All About Anonymity, Stupid . . . . . . . . . . . . . . . . . . . . . 2
Tor-menting the Good Guys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
▼ 1 Footprinting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
What Is Footprinting? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Why Is Footprinting Necessary? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Internet Footprinting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Step 1: Determine the Scope of Your Activities . . . . . . . . . . . . . . . . . . 10
Step 2: Get Proper Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Step 3: Publicly Available Information . . . . . . . . . . . . . . . . . . . . . . . . . 11
Step 4: WHOIS & DNS Enumeration . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Step 5: DNS Interrogation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Step 6: Network Reconnaissance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
▼ 2 Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Determining If the System Is Alive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
ARP Host Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
ICMP Host Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
TCP/UDP Host Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Determining Which Services Are Running or Listening . . . . . . . . . . . . . . . . 61
Scan Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Identifying TCP and UDP Services Running . . . . . . . . . . . . . . . . . . . . 64
Detecting the Operating System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Making Guesses from Available Ports . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Active Stack Fingerprinting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Passive Stack Fingerprinting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Processing and Storing Scan Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Managing Scan Data with Metasploit . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
▼ 3 Enumeration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Service Fingerprinting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Vulnerability Scanners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Basic Banner Grabbing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Enumerating Common Network Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Part II Endpoint and Server Hacking
Case Study: International Intrigue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
▼ 4 Hacking Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
What’s Not Covered . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Unauthenticated Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Authentication Spoofing Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Remote Unauthenticated Exploits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Authenticated Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Privilege Escalation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Extracting and Cracking Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Remote Control and Back Doors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Port Redirection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Covering Tracks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
General Countermeasures to Authenticated Compromise . . . . . . . . 209
Windows Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Windows Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Automated Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Security Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Security Policy and Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Microsoft Security Essentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
The Enhanced Mitigation Experience Toolkit . . . . . . . . . . . . . . . . . . . 218
Bitlocker and the Encrypting File System . . . . . . . . . . . . . . . . . . . . . . . 218
Windows Resource Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Integrity Levels, UAC, and PMIE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Data Execution Prevention (DEP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Windows Service Hardening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Compiler-based Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Coda: The Burden of Windows Security . . . . . . . . . . . . . . . . . . . . . . . . 227
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
▼ 5 Hacking UNIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
The Quest for Root . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
A Brief Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Vulnerability Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Remote Access vs. Local Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Data-driven Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
I Want My Shell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Common Types of Remote Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Local Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
After Hacking Root . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Rootkit Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
▼ 6 Cybercrime and Advanced Persistent Threats . . . . . 313
What Is an APT? . . . . . 315
  Operation Aurora . . . . . 318
  Anonymous . . . . . 320
  RBN . . . . . 321
What APTs Are NOT? . . . . . 322
Examples of Popular APT Tools and Techniques . . . . . 323
Common APTs Indicators . . . . . 363
Summary . . . . . 368
Part III Infrastructure Hacking
Case Study: Read It and WEP . . . . . 370
▼ 7 Remote Connectivity and VoIP Hacking . . . . . 373
Preparing to Dial Up . . . . . 375
Wardialing . . . . . 377
  Hardware . . . . . 377
  Legal Issues . . . . . 378
  Peripheral Costs . . . . . 378
  Software . . . . . 379
Brute-Force Scripting—The Homegrown Way . . . . . 393
  A Final Note About Brute-Force Scripting . . . . . 403
PBX Hacking . . . . . 405
Voicemail Hacking . . . . . 409
Virtual Private Network (VPN) Hacking . . . . . 414
  Basics of IPSec VPNs . . . . . 415
  Hacking the Citrix VPN Solution . . . . . 422
Voice over IP Attacks . . . . . 440
  Attacking VoIP . . . . . 441
Summary . . . . . 463
▼ 8 Wireless Hacking . . . . . 465
Background . . . . . 466
  Frequencies and Channels . . . . . 467
  Session Establishment . . . . . 467
  Security Mechanisms . . . . . 468
Equipment . . . . . 471
  Wireless Adapters . . . . . 471
  Operating Systems . . . . . 472
  Miscellaneous Goodies . . . . . 472
Discovery and Monitoring . . . . . 474
  Finding Wireless Networks . . . . . 475
  Sniffing Wireless Traffic . . . . . 478
Denial of Service Attacks . . . . . 479
Encryption Attacks . . . . . 481
  WEP . . . . . 481
Authentication Attacks . . . . . 485
  WPA Pre-Shared Key . . . . . 485
  WPA Enterprise . . . . . 490
Summary . . . . . 496
▼ 9 Hacking Hardware . . . . . 497
Physical Access: Getting in the Door . . . . . 498
Hacking Devices . . . . . 505
Default Configurations . . . . . 509
  Owned Out of the Box . . . . . 509
  Standard Passwords . . . . . 509
  Bluetooth . . . . . 510
Reverse Engineering Hardware . . . . . 511
  Mapping the Device . . . . . 511
  Sniffing Bus Data . . . . . 515
  Sniffing the Wireless Interface . . . . . 518
  Firmware Reversing . . . . . 518
  ICE Tools . . . . . 523
Summary . . . . . 526
Part IV Application and Data Hacking
Case Study . . . . . 528
▼ 10 Web and Database Hacking . . . . . 529
Web Server Hacking . . . . . 530
  Sample Files . . . . . 532
  Source Code Disclosure . . . . . 532
  Canonicalization Attacks . . . . . 533
  Server Extensions . . . . . 534
  Buffer Overflows . . . . . 536
  Denial of Service . . . . . 537
  Web Server Vulnerability Scanners . . . . . 538
Web Application Hacking . . . . . 540
  Finding Vulnerable Web Apps with Google (Googledorks) . . . . . 540
  Web Crawling . . . . . 541
  Web Application Assessment . . . . . 542
Common Web Application Vulnerabilities . . . . . 556
Database Hacking . . . . . 570
  Database Discovery . . . . . 570
  Database Vulnerabilities . . . . . 572
  Other Considerations . . . . . 587
Summary . . . . . 589
▼ 11 Mobile Hacking . . . . . 591
Hacking Android . . . . . 593
  Android Fundamentals . . . . . 594
  Hacking Your Android . . . . . 600
  Hacking Other Androids . . . . . 616
  Android as a Portable Hacking Platform . . . . . 635
  Defending Your Android . . . . . 639
iOS . . . . . 640
  Know Your iPhone . . . . . 641
  How Secure Is iOS? . . . . . 643
  Jailbreaking: Unleash the Fury! . . . . . 644
  Hacking Other iPhones: Fury Unleashed! . . . . . 651
Summary . . . . . 667
▼ 12 Countermeasures Cookbook . . . . . 669
General Strategies . . . . . 671
  (Re)move the Asset . . . . . 671
  Separation of Duties . . . . . 672
  Authenticate, Authorize, and Audit . . . . . 673
  Layering . . . . . 675
  Adaptive Enhancement . . . . . 675
  Orderly Failure . . . . . 676
  Policy and Training . . . . . 677
  Simple, Cheap, and Easy . . . . . 677
Example Scenarios . . . . . 678
  Desktop Scenarios . . . . . 678
  Server Scenarios . . . . . 679
  Network Scenarios . . . . . 684
  Web Application and Database Scenarios . . . . . 685
  Mobile Scenarios . . . . . 686
Summary . . . . . 688
Part V Appendixes
▼ A Ports . . . . . 691
▼ B Top 10 Security Vulnerabilities . . . . . 699
▼ C Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks . . . . . 701
  Countermeasures . . . . . 704
▼ Index . . . . . 707
FOREWORD

The term cyber-security and an endless list of words prefixed with “cyber” bombard our senses daily. Widely discussed but often poorly understood, the various terms relate to computers and the realm of information technology, the key enablers of our interrelated and interdependent world of today. Governments, private and corporate entities, and individuals are increasingly aware of the challenges and threats to a wide range of our everyday online activities. Worldwide reliance on computer networks to store, access, and exchange information has increased exponentially in recent years. Include the almost universal dependence on computer-operated or computer-assisted infrastructure and industrial mechanisms, and the magnitude of the relationship of cyber to our lives becomes readily apparent.

The impact of security breaches runs the gamut from inconvenience to severe financial losses to national insecurity. Hacking is the vernacular term, widely accepted as the cause of these cyber insecurities, which range from the irritating but relatively harmless activities of youthful pranksters to the very damaging, sophisticated, targeted attacks of state actors and master criminals.

Previous editions of Hacking Exposed™ have been widely acclaimed as foundation documents in cyber-security and are staples in the libraries of IT professionals, tech gurus, and others interested in understanding hackers and their methods. But the authors know that remaining relevant in the fast-changing realm of IT security requires agility, insight, and deep understanding about the latest hacking activities and methods. “Rise and rise again…,” from the movie Robin Hood, is a most appropriate exhortation to rally security efforts to meet the relentless assaults of cyber hackers.

This Seventh Edition of the text provides updates on enduring issues and adds important new chapters about Advanced Persistent Threats (APTs), hardware, and embedded systems. Explaining how hacks occur, what the perpetrators are doing, and how to defend against them, the authors cover the horizon of computer security. Given the popularity of mobile devices and social media, today’s netizens will find interesting reading about the vulnerabilities and insecurities of these common platforms.

The prerequisite for dealing with these issues of IT and computer security is knowledge. First, we must understand the architectures of the systems we are using and the strengths and weaknesses of the hardware and software. Next, we must know the adversaries: who they are and what they are trying to do. In short, we need intelligence about the threats and the foes, acquired through surveillance and analysis, before we can begin to take effective countermeasures. This volume provides the essential foundation and empowers those who really care about cyber-security.

If we get smart and learn about ourselves, our devices, our networks, and our adversaries, we will find ourselves on a path to success in defending our cyber endeavors. What remains is the reality of change: the emergence of new technologies and techniques and the constant evolution of threats. Hence, we must “rise and rise again…” to stay abreast of new developments, refreshing our intelligence and acquiring visibility and insight into attacks.

This new edition of Hacking Exposed™ helps you to get smart and take effective action. The lambs may indeed become the lions of cyber-security.
William J. Fallon
Admiral, U.S. Navy (Retired)
Chairman, CounterTack, Inc.

Admiral William J. Fallon retired from the U.S. Navy after a distinguished 40-year career of military and strategic leadership. He has led U.S. and Allied forces in eight separate commands and played a leadership role in military and diplomatic matters at the highest levels of the U.S. government. As head of U.S. Central Command, Admiral Fallon directed all U.S. military operations in the Middle East, Central Asia, and Horn of Africa, focusing on combat efforts in Iraq and Afghanistan. Chairman of the Board of CounterTack Inc., a new company in the cyber-security business, Admiral Fallon is also a partner in Tilwell Petroleum, LLC, advisor to several other businesses, and a Distinguished Fellow at the Center for Naval Analyses. He is a member of the U.S. Secretary of Defense Science Board and the Board of the American Security Project.