Contents of This Book

Security Power Tools is divided into seven self-explanatory sections: Legal and Ethics, Reconnaissance, Penetration, Control, Defense, Monitoring, and Discovery. Some sections have multiple chapters, others have just a few. Use the sections as general reference heads to help you navigate.

The book is divided into 23 chapters. Some chapters are written by individuals, some are written by two or three authors. As a group, we've chosen the lead writer for each chapter to briefly provide an overview.

Chapter 1, by Jennifer Stisa Granick. If you come away from this chapter having only the ability to identify when you need to talk to a lawyer, I've achieved my goal in writing it. The chapter assumes that legal rules and regulations are not the same as, but overlap with, ethical and moral considerations. It then discusses both law and ethics in security testing, vulnerability reporting, and reverse engineering as examples for you to test yourself and your ability to identify murky areas of the law and networking security.

Chapter 2, by Bryan Burns. This chapter provides an introduction to the concept of network scanning and details the workings of three different network scanning programs, including the venerable nmap. After reading this chapter, you will know how to find computers on a network, identify which services are running on remote computers, and even identify the versions of services and operating systems running on computers on the other side of the world. As cartoons have taught us, "knowing is half the battle," and this chapter is all about knowing what's on the network.

Chapter 3, by Julien Sobrier. This chapter explores Windows and Linux tools that are used to look for vulnerabilities. It focuses on the result analysis to understand what type of information you really get from them. This chapter should allow you to choose the best tools for your tests, to tweak them to get the best results, and to understand what the reports mean. It also reveals common misuses of these tools.

Chapter 4, by Eric Markham. For a while back in the late '90s, I worked at a "Mom and Pop" ISP and then transitioned to a number of startups, always as the Manager of Information Technology. I chose to write this chapter because my work experience was directly related. I take a somewhat down-to-earth approach to network security with the expectation that you have a good understanding of TCP/IP networks, the major differences between *nix and other operating systems, and what makes the sky blue.

Chapter 5, by Michael Lynn. This chapter starts with a basic description of the 802.11 protocol and then discusses various open source and commercial tools to help with wireless reconnaissance. In the wireless world, the hardware you have and the operating system you use can make a lot of difference in what tools you choose to deploy, so I've tried to give you a clear breakdown of what your options are. I also try to give a clear picture of what the pros and cons of each tool are so you can find the tool that best fits your needs. Along the way, I hope I can show you some cool features that you might not have been aware of that will make wardriving easier and more successful. This chapter does not assume you have any prior knowledge of 802.11 networks.

Chapter 6, by Philippe Biondi. This chapter explains the difference between off-the-rack and made-to-measure tools when it comes to discovering networks, assessing robustness of equipment, interacting with proprietary protocols, and exploiting flaws. It also includes a brief foray into packet generation (or packet mangling), as many problems are quickly answered by on-the-fly packet or stream mangling, provided that one knows the right tools. Since English is my second language, I want to thank David Coffey for helping me rewrite and rephrase this chapter's instructional language.

Chapter 7, by Bryan Burns. Metasploit is an extremely powerful and popular framework and set of tools for automated penetration of remote computers over the network. In this chapter, you will learn how to configure and use Metasploit to exploit the latest software vulnerabilities and take control of other computers. Because network monitoring tools are being deployed more and more often these days, an entire section is dedicated to the Metasploit features provided for slipping silently past these types of devices.

Chapter 8, by Bryan Burns, Steve Manzuik, and Michael Lynn. In Chapter 5, you learned about tools that find wireless networks and gather information about them. In this chapter, we present three tools that take things to the next level: wireless penetration. Aircrack is a toolset for capture and offline analysis of wireless traffic with the goal of cracking wireless encryption keys. Airpwn is a tool that lets you inject your own data into someone else's wireless traffic, allowing for all sorts of subtle games to be played. Finally, Karma pretends to be legitimate access points, allowing for total visibility and control of any wireless client hapless enough to connect to it. With these three tools, wireless networks (even WEP-encrypted ones) are yours for the taking.

Chapter 9, by Nicolas Beauchesne. Exploitation frameworks became much more popular after the appearance of Metasploit. However, some commercial players are in this field too, such as Core Security (makers of Impact) and Immunity Security (makers of Canvas). Those frameworks offer flexibility and power. This chapter covers their basic usage, some advanced features (e.g., adding exploits), and how to customize those frameworks to meet your needs.

Chapter 10, by Philippe Biondi. This chapter is a collection of tricks and tools I use to manipulate shell scripts and create exploits. It includes tools to help you analyze existing shell scripts as well as creating and testing your own. Since English is my second language, I want to thank David Coffey for helping me rewrite and rephrase this chapter's instructional language.

Chapter 11, by Chris Iezzoni. This chapter demonstrates the usage and configuration of several of the most popular and easily obtained tools for use as backdoors. VNC is a common remote administration tool, available for both Windows and Unix. Here, I demonstrate some ways to streamline its installation for use as a backdoor. BO2k is a very popular purpose-built backdoor that runs on Windows, and this chapter demonstrates some of the more advanced modules available. Last, but certainly not least, some popular methods of backdooring Unix-based systems are covered. More advanced Unix backdoors are not covered due to their distribution-specific nature.

Chapter 12, by Nicolas Beauchesne. This chapter is a quick review of known rootkits for Windows and Linux and their usage and limitations. It is oriented more toward the usage and detection of those rootkits than exploring their inner workings. I look at the differences in their detection paradigms in order to explain the different benefits of each technology. Among the detection tools, I include some system internals kits and advanced tools like IceSword. Combining the power of those tools should help you cover most cases of infection.

Chapter 13, by Dave Killion. This chapter covers host-based firewalls that are provided free for the three most common operating systems: Windows Firewall/Internet Connection Sharing on Windows, Netfilter/IPTables on Linux, and ipfw/natd on *BSD. Depending on how these hosts are employed, these instructions also cover using these systems as a gateway firewall in router or NAT mode. There are many firewall products out there, some of them very good, and there are many, many books written on them. With just a chapter to work with, I did the best I could to cover the basics of firewall policy, functionality, and configuration. After reading my chapter, you should have a good understanding of firewall functionality that can be applied to any firewall product, as well as some good hands-on experience with practical firewall management on an OS of your choice.

Chapter 14, by Eric Markham and Eric Moret. After learning how to defend your network through access control via a firewall in Chapter 13, this chapter will introduce some tools to protect a Windows or Linux computer. You will go through logical steps, starting with choosing what to turn off, to running day-to-day systems at Least User privileges, and locking down a few Linux kernel parameters with security in mind. In the later part of the chapter, SELinux and its indispensable support tools are introduced. Then various ways to audit password strength are presented, from the venerable John The Ripper to modern rainbow cracking techniques. It finishes on the more advanced and broader virtualization topic.

Chapter 15, by Julien Sobrier and Eric Moret. The next logical step following perimeter and host hardening is communication security. This chapter will walk you through the use of SSH. And although this tool originates from the *nix world, it has excellent support on Windows. The chapter then introduces email encryption and explains the two competing standards: OpenPGP and S/MIME. Then stunnel is used to secure any server daemon traffic, regardless of its implementation. Last but not least, we will echo the media that is so quick to denounce identity theft through physical hardware theft and present solutions to encrypt entire disks or partitions.

Chapter 16, by Julien Sobrier. This chapter will help you to protect your own computer against the most common threats: viruses, worms, malware, spam, and phishing. It is probably the chapter that covers the largest spectrum of skills, from beginner (tweak your Windows antivirus) to advanced (create your own virus signatures or procmail rules). Knowledge of regular expressions and shell scripts would help you to customize the examples given in the chapter, but most of the sections are accessible to beginners.

Chapter 17, by Julien Sobrier. The tools presented in this chapter are complementary and cover different areas of security testing. A lot of examples on how to automate the tests are given throughout. The tools are great to use in all QA processes—not just for security devices but for any network device.

Chapter 18, by Dave Killion. Being able to monitor, capture, and analyze packets can be incredibly useful, either to troubleshoot network performance, debug a problematic networking program, or capture an attack for later analysis or as evidence for prosecution. I walk you through using several different cross-platform capture tools, including tcpdump and Wireshark, from both the command line as well as from a Graphical User Interface (GUI), as well as some tricks to manage your pcap files to distill them down to just what you are looking for. When you are finished with my chapter, you'll catch yourself thinking "I wonder what THAT program looks like on the wire?", and you'll have the tools and knowledge to find out.

Chapter 19, by Nicolas Beauchesne. This chapter covers tools such as Honeyd and Snort. Since lots of books already exist for those tools, the approach taken here was to give the reader a quick round-up of their normal usage and then illuminate some ways to push those technologies in a new way, since they are flexible and can be used to perform plenty of tasks. Also covered in this chapter is a way to integrate these tools to gain network intelligence instead of just monitoring information.

Chapter 20, by Eric Moret. This chapter will introduce system administrators to the practice of monitoring production servers for file changes, by initially covering a large selection of tools and then diving deeper into Tripwire (my ex-aequo favorite) and Samhain's setup and configuration. Next I cover the use of Logwatch for log reporting on Linux, followed by a step-by-step guide to writing new log filters. I close the chapter with Prelude-IDS, a tool used to centralize security management of a large number of networked devices.

Chapter 21, by Chris Iezzoni. This chapter covers some popular forensic tools that can be used for such tasks as attack and incident investigation, and malware discovery. I've tried to stick to mostly free collections of tools such as The Forensic Toolkit and SysInternals. With just these, a surprising amount of information can be unearthed about the inner workings of your system. This will give you a foundation upon which to explore on your own more complex tools, such as The Coroner's Toolkit (TCT).

Chapter 22, by Nicolas Beauchesne. This chapter covers the different fuzzers and fuzzing techniques as well as how to create a new fuzzer script. Some tips are provided on how to set up a fuzzing test-bed and how to perform efficient tracing and debugging to improve the efficiency of your fuzzer tests. Also provided is a quick reversing of a network protocol for fuzzing purposes, so the reader knows what to look for when performing these tasks.

Chapter 23, by Michael Lynn. This chapter covers the art of binary reverse engineering using tools such as Interactive Disassembler and Ollydbg. I present you with a case study in which I show you how to find real bugs in closed source software. During this study, I'll show you how to use popular disassemblers and debuggers, and I'll even teach you how to write basic scripts to enhance these powerful tools. By the end of this chapter, you should be able to use these tools to find bugs without source code, and you should be able to get a good understanding of how reverse engineering of this type really works. No prior knowledge of reverse engineering or assembly language is required, although it will be helpful. You should have an understanding of basic programming skills to get the most out of this chapter.