Security Power Tools
SPECIAL OFFER: Upgrade this ebook with O’Reilly
Foreword
Credits
About the Author
Preface
Audience
Assumptions This Book Makes
Contents of This Book
Legal and Ethics
Reconnaissance
Penetration
Control
Defense
Monitoring
Discovery
Conventions Used in This Book
Using Code Examples
We'd Like to Hear from You
Safari® Books Online
Acknowledgments
I. Legal and Ethics
1. Legal and Ethics Issues
Core Issues
Be Able to Identify These Legal Topics
Computer Trespass Laws: No "Hacking" Allowed
What Does It Mean to Access or Use a Computer?
What Is Adequate Authorization to Access a Computer?
Common Law Computer Trespass
Case Study: Active Defense
Law and Ethics: Protecting Yourself from Computer Trespass Claims
Reverse Engineering
Copyright Law and Reverse Engineering
What to do to protect yourself with fair use
Reverse Engineering, Contracts, and Trade Secret Law
What to do to protect yourself
Reverse Engineering and Anti-Circumvention Rules
What to do to protect yourself when working in DMCA
Vulnerability Reporting
What to do to protect yourself when reporting vulnerabilities
What to Do from Now On
II. Reconnaissance
2. Network Scanning
How Scanners Work
TCP Scanning
UDP Scanning
Superuser Privileges
Three Network Scanners to Consider
Host Discovery
Dealing with Blocked Pings
Choosing the Right Ports
Combining Multiple Host Scan Techniques
Port Scanning
Default Port Ranges
Specifying Custom Ports
Nmap
Unicornscan
Scanrand
Specifying Targets to Scan
Different Scan Types
UDP Scan Types
TCP Scan Types
Special TCP Scan Types in Nmap
An Example of Using Multiple Scan Types
Tuning the Scan Speed
Nmap
Unicornscan
Scanrand
Application Fingerprinting
Operating System Detection
Saving Nmap Output
Resuming Nmap Scans
Avoiding Detection
Idle Scans
Decoys
Conclusion
3. Vulnerability Scanning
Nessus
License
Architecture
Tenable Security Center
Windows Configuration
Linux Configuration
Local Vulnerabilities
Network Scan
Scan Results
Policy Configuration
Plug-ins
Plug-in Code Example
Linux Command Line
Windows Command Line
Nikto
Types of Vulnerabilities
Command Line
Evasion Techniques
WebInspect
Purpose
WebInspect Scan
Policy Tuning
Settings Tuning
Report Analysis
False Positives Analysis
WebInspect Tools
Assessment Management Platform (AMP)
4. LAN Reconnaissance
Mapping the LAN
Using ettercap and arpspoof on a Switched Network
Running ettercap
Running arpspoof from the dsniff suite
Dealing with Static ARP Tables
Using macof to Stupefy a Switch
Super-Stealthy Sniffing
Getting Information from the LAN
Logging Packet Data
Filtering Incoming Packets
Fingerprinting LAN Hosts
Sniffing Plain-Text Passwords
Shadow Browsing
Manipulating Packet Data
5. Wireless Reconnaissance
Get the Right Wardriving Gear
802.11 Network Basics
802.11 Frames
How Wireless Discovery Tools Work
Netstumbler
Kismet at a Glance
Using Kismet
Sorting the Kismet Network List
Using Network Groups with Kismet
Using Kismet to Find Networks by Probe Requests
Kismet GPS Support Using gpsd
Generating Maps
Kismet Location Tracking
Looking Closer at Traffic with Kismet
Capturing Packets and Decrypting Traffic with Kismet
Wireshark at a Glance
Enabling rfmon Mode
Linux
OpenBSD, NetBSD, and FreeBSD
Mac OS X
Windows
Using Wireshark
AirDefense Mobile
AirMagnet Analyzers
Other Wardriving Tools
Airopeek
KisMac
6. Custom Packet Generation
Why Create Custom Packets?
Custom Packet Example: Ping of Death
Hping
Getting Started with Hping2
Hping2's Limitations
Scapy
Decode, Do Not Interpret
Probe Once, Interpret Many Times
Scapy's Limitations
Working with Scapy
Creating and Manipulating Packets with Scapy
Navigating Between Layers
Scapy Tips and Shortcuts
Looking only at the custom data in a packet
Viewing computed data in a packet
Decoding the packet payload differently
Sprintf shortcut for creating custom packets
Operations on packet lists
Producing a simple diagram of packet flow
Sending and interacting with Scapy
Super-sockets
Building Custom Tools with Scapy
Studying a New Protocol
Writing Add-Ons
Examples of creating Scapy add-ons
Test Campaigns
Packet-Crafting Examples with Scapy
ARP Cache Poisoning
Tracerouting: A Step-by-Step Example
Traceroute and NAT
Firewalking
Sliced Network Scan
Fuzzing
Packet Mangling with Netfilter
Transparent Proxying
QUEUE and NFQUEUE
References
III. Penetration
7. Metasploit
Metasploit Interfaces
The Metasploit Console
The Metasploit Command-Line Interface
The Metasploit Web Interface
Updating Metasploit
Choosing an Exploit
Choosing a Payload
Metasploit Payloads
Choosing a Payload Variant
Setting Options
Hidden Options
Running an Exploit
Debugging Exploitation
Managing Sessions and Jobs
Sessions
Jobs
The Meterpreter
Some Useful Meterpreter Commands
Meterpreter Session Example
Security Device Evasion
Sample Evasion Output
Evasion Using NOPs and Encoders
NOP Generators
Payload Encoders
In Conclusion
8. Wireless Penetration
WEP and WPA Encryption
Aircrack
Installing Aircrack-ng
Windows Installation
Linux Installation
Running Aircrack-ng
Airpwn
Basic Airpwn Usage
Command-Line Options
Airpwn Configuration Files
Using Airpwn on WEP-Encrypted Networks
Scripting with Airpwn
Karma
Installing Karma
Scanning for Victims
Basic Configuration
Proxy Network Traffic
Conclusion
9. Exploitation Framework Applications
Task Overview
Other Framework Advantages
Core Impact Overview
Running Core Impact Behind a NAT
Automatic Network Penetration with Core Impact
Network Reconnaissance with Core Impact
Importing Module Information with Core Impact
Core Impact Exploit Search Engine
Running an Exploit
Bypassing Core Impact's Exploit Version Restrictions
Running Macros
The Local Side
Using the Mini-Shell
Bouncing Off an Installed Agent
Enabling an Agent to Survive a Reboot
Mass Scale Exploitation
Writing Modules for Core Impact
The Canvas Exploit Framework
The Covertness Bar
Porting Exploits Within Canvas
Using Canvas from the Command Line
Digging Deeper with Canvas
Advanced Exploitation with MOSDEF
Writing Exploits for Canvas
Exploiting Alternative Tools
10. Custom Exploitation
Understanding Vulnerabilities
Performing a Simple Exploit
Analyzing Shellcode
Disassemblers
The libopcode Disassembling Library
The libdisasm Disassembling Library
Testing Shellcode
Inclusion into a C File
A Shellcode Loader
Debugging Shellcode
Creating Shellcode
nasm
GNU Compiler Collection
Quick glance at the binary-building internals
Building shellcode from assembly language
Building shellcode in C
The SFlib Library
What SFLib looks like
Using SFLib
ShellForge
Getting started
Cross-platform generation
Loaders
Inline shellcoding
InlineEgg
Metasploit Framework's msfpayload
Disguising Shellcode
alpha2
Metasploit Framework's msfencoder
Execution Flow Hijacking
Metasploit Framework's msfelfscan and msfpescan
EEREAP
Code Injection
References
IV. Control
11. Backdoors
Choosing a Backdoor
VNC
Creating and Packaging a VNC Backdoor
Consolidating the Backdoor
Packaging VNC As a Backdoor
Connecting to and Removing the VNC Backdoor
Removing the Backdoor
Back Orifice 2000
Configuring a BO2k Server
Setting Variables
Minimum Configuration
IO plug-in
Encryption plug-in
Authentication plug-in
Control plug-ins
Configuring a BO2k Client
Adding New Servers to the BO2k Workspace
Using the BO2k Backdoor
BO2k Powertools
Server Setup
Client Setup
The BO Tools Connect To window
Using the File Browser
Using the Registry Editor
A Sneak Peek at the Backdoor's Desktop with BO Peep
BO Peep installation and configuration
The VidStream listener
The VidStream client
The Hijack listener
The Hijack client
Encryption for BO2k Communications
Concealing the BO2k Protocol
Removing BO2k
A Few Unix Backdoors
A Simple Unix Backdoor
Netcat
A Simple Netcat Backdoor
Crontab and Netcat
Lots of Options
12. Rootkits
Windows Rootkit: Hacker Defender
Configuring hxdef
Making hxdef harder to detect
Connecting to Hacker Defender's Backdoor
Install/uninstall/reconfigure hxdef
Uninstalling a process you cannot see
Linux Rootkit: Adore-ng
Installing Adore
Using Adore
Detecting Rootkits Techniques
Signature Scanner
Inspecting Dangerous Calls
Differentiating Call Results
Looking for Hooks
System Integrity
Windows Rootkit Detectors
Rootkit Revealer
IceSword
Functionalities of IceSword
Finding a rootkit and killing it
Removing the rootkit with IceSword
Linux Rootkit Detectors
Kstat
Interface lookup
Listing processes
Investigating individual processes
Examining the syscall table
Zeppoo
Chkrootkit
Detecting new rootkits
Using safe binaries
In the cron
Cleaning an Infected System
The Future of Rootkits
V. Defense
13. Proactive Defense: Firewalls
Firewall Basics
Router/Network Address Translation Router
Endpoint/Host
Transparent/Bridge Firewall
The Tools
Securing Concepts
Allowing limited inbound connections
Tightening inbound connections by host
Further Investigation
Network Address Translation
Setting Up a Basic NAT Gateway
NAT with Inbound Service Mapping
Securing BSD Systems with ipfw/natd
Initial Setup
Inbound Connection Blocking with BSD ipfw/natd
Allowing Inbound Connections with BSD ipfw2/natd
Filtering Connections with BSD ipfw2/natd
BSD ipfw2/natd NAT Gateway
Inbound Service Mapping with BSD ipfw2/natd
Securing GNU/Linux Systems with netfilter/iptables
Initial Setup
Inbound Connection Blocking with Netfilter
Filtering Connections with Netfilter
Allowing Inbound Connections with Netfilter
Netfilter NAT Gateway
Inbound Service Mapping with Netfilter
Internet-in-a-Box: All Traffic to One Destination Using Netfilter
Securing Windows Systems with Windows Firewall/Internet Connection Sharing
Initial Setup
Inbound Connection Blocking with Windows FW/ICS
Allowing Inbound Connections with Windows FW/ICS
Filtering Connections with Windows FW/ICS
A Windows FW/ICS NAT Gateway
Inbound Service Mapping with Windows FW/ICS
Verifying Your Coverage
14. Host Hardening
Controlling Services
Turning Off What You Do Not Need
Limiting Access
sudo
sudowin
Issues with sudowin
Limiting Damage
Mounting Volumes As noexec
Controlling the Linux Kernel Through /proc/sys
/proc/sys/kernel/cap-bound
/proc/sys/net
/proc/sys/kernel/modprobe
Bastille Linux
SELinux
Enabling SELinux
Transparent Usage of SELinux
Tweaking SELinux's Policy
Local SELinux Policy Generation
Underlying SELinux Principle of Operations
Password Cracking
John the Ripper
Rainbow Cracking
Chrooting
Sandboxing with OS Virtualization
Cooperative Linux
KVM
OpenVZ: OS-Level Virtualization
Parallels
QEMU
UserMode Linux: Paravirtualization
VMWare
Xen: Paravirtualization
Virtualization Summary
15. Securing Communications
The SSH-2 Protocol
The Transport Layer
The User Authentication Layer
The Connection Layer
SSH Configuration
Server Configuration
User Access Restriction
SSH Client Connection
Tune the Client's Configuration
SSH Authentication
SSH Shortcomings
SSH Man-in-the-Middle Attacks
Host Public Key Distribution with DNSSEC
User's Public Key Distribution
User's Key Operation Restrictions
SSH Troubleshooting
The Client Is Logged Out Just After Logging In
File Permissions
Restrictions to Users or Groups
Remote File Access with SSH
File Copy
FTP Through SSH
File Synchronization
Remote Filesystem
Source Code Transfer
SSH Advanced Use
Agent Forwarding
X and Port Forwarding
Escape Sequences
Perpetual Tunneling with autossh
Storing Your SSH Private Key on a USB Drive
Using SSH Under Windows
Cygwin
PuTTY
WinSCP
SecureCRT
File and Email Signing and Encryption
GPG
Theory of Operations
How to Obtain Public Keys
Web of Trust
In Practice
Create Your GPG Keys
Adding Subkeys
Different Keys for Different Addresses
Modify Your Web of Trust Model
Import of Public Keys
Revoke a Key
Encryption and Signature with GPG
File Signature
Email Encryption and Signature
PGP Versus GPG Compatibility
Encryption and Signature with S/MIME
X.509 Certificate
S/MIME
Certificate Authority
S/MIME Versus GPG/PGP
Stunnel
SSL Versus TLS
Create an X.509 Certificate
Client Encryption
Server Encryption
Client and Server Encryption
Transparent Proxy
Disk Encryption
Windows Filesystem Encryption with PGP Disk
Linux Filesystem Encryption with LUKS
Comparing dm-crypt to cryptoloop and loop-AES
Conclusion
16. Email Security and Anti-Spam
Norton Antivirus
Installation Test
Configuration Tuning
Failed tests
Updates
The ClamAV Project
ClamWin
Configuration
Freshclam
How to Run Freshclam
Examples of Commands for Freshclam
Clamscan
clamd and clamdscan
On-Access Scanning
Clamd As a Network Server
Clamd Commands
Test clamscan and clamdscan/clamd
clamscan or clamdscan?
ClamAV Virus Signatures
MD5 Signatures
Hexadecimal Signatures
Advanced Hexadecimal Signatures
HTML Signatures
Procmail
Mail Delivery Chain
Basic Procmail Rules
Examples
Advanced Procmail Rules
Scoring
ClamAV with Procmail
Unsolicited Email
Spam Filtering with Bayesian Filters
Spamprobe
Automate the Learning Phase
Maintenance
SpamProbe with Procmail
Inconvenient
SpamAssassin
Configuration Files
SpamAssassin Variables
Administrator Settings
SpamAssassin Rules
Meta Tests
Score
Whitelist and Blacklist
Language
Bayesian Filter
Plug-ins for SpamAssassin
Collaborative Plug-ins
SpamAssassin Network Tests
SpamAssassin with Procmail
SpamAssassin As a Daemon or Server
ClamAV, SpamProbe, and SpamAssassin with Procmail
Anti-Phishing Tools
Email Filtering
Toolbar for Web Browsers
Conclusion
17. Device Security Testing
Replay Traffic with Tcpreplay
What and How to Test
tcpreplay
Rewrite Packets with Tcpreplay
MAC address
IP address
TCP/UDP port
Tcpreplay with Two Interfaces
flowreplay
Tomahawk
Traffic IQ Pro
Setup
Replay Traffic Files
Attack Files
Standard Traffic Files
Scan
Import Custom Packet Captures
Packet Editing
Conclusion
ISIC Suite
Network Setup
esic
isic, icmpsic, tcpsic, udpsic, and multisic
Automation
Protos
VI. Monitoring
18. Network Capture
tcpdump
Basics
Berkeley Packet Filter (BPF)
Writing Packets to Disk
Advanced BPF Filtering
Advanced Dump Display
Using tcpdump to Extract Packets
Ethereal/Wireshark
Basics
Starting a Capture
Capture
Display Options
Name Resolution
Loading a Previously Created Capture
Viewing a Capture
Basic Wireshark Display Filters
Advanced Wireshark Display Filters
Saving Select Packets to Disk
Packet Colorization
Overriding Default Protocol Decoders
TShark Techniques
Wireshark Statistics
Setting Useful Defaults
pcap Utilities: tcpflow and Netdude
tcpflow
Basics
Netdude
Basics
Cleaning up a botched pcap file
Editing packet payloads
Python/Scapy Script Fixes Checksums
Basics
Conclusion
19. Network Monitoring
Snort
Different Snort Modes
Writing Signatures for Snort
Passive Network Mapping
Stealth Ethernet
Disabling a Rule
Changing the Default Port of a Service
Snort Preprocessor
Excluding Authorized Scans
Log Analysis
Updating Rules
Blocking Port Scan
From a NIDS to an ILDS
Protocols that should be monitored
Limitations of Snort as an ILDS
Monitoring Network Usage
Implementing Snort
NIDS
User Monitoring
ILDS
Honeypot Monitoring
The Value of a Honeypot
Using Honeyd to Emulate a Server
Using Honeyd to Emulate a Network
Using Honeyd As a Tar Pit
Implementing Honeyd
Writing New Scripts with Honeyd
Jail
HoneyView and Log Management
Gluing the Stuff Together
20. Host Monitoring
Using File Integrity Checkers
File Integrity Hashing
The Do-It-Yourself Way with rpmverify
Comparing File Integrity Checkers
Afick
Aide
Integrit
Remote Filesystem Checker (RFC)
Samhain/Beltane
Open Source Tripwire
Prepping the Environment for Samhain and Tripwire
Samhain
Tripwire
Database Initialization with Samhain and Tripwire
Samhain
Tripwire
Securing the Baseline Storage with Samhain and Tripwire
Samhain
Tripwire
Running Filesystem Checks with Samhain and Tripwire
Samhain
Tripwire
Managing File Changes and Updating Storage Database with Samhain and Tripwire
Samhain
Tripwire
Recognizing Malicious Activity with Samhain and Tripwire
Tripwire
Samhain
Log Monitoring with Logwatch
Improving Logwatch's Filters
Host Monitoring in Large Environments with Prelude-IDS
Log Correlation
Conclusion
VII. Discovery
21. Forensics
Netstat
Finding a Linux Backdoor with Netstat
Finding a Windows Backdoor with Netstat
The Forensic ToolKit
Hfind.exe: Discover Hidden Files
Sfind.exe: Discover Files Hidden in Alternate Data Streams
FileStat.exe: Very Detailed Data on a Specific File
The Security Descriptor
File streams
Timestamps
Working with Alternate Data Streams
Sysinternals
Autoruns: What Runs Without Your Help?
Trimming down the list
RootkitRevealer: Rooting Out Rootkits
RootkitRevealer from the console
Streams: Find and Delete Data Hidden in Streams the Sysinternals Way
TCPView: A Graphical Netstat
Process Explorer: Powerful Process Management
Replacing the Task Manager with Process Explorer
Run as...
Now What?
22. Application Fuzzing
Which Fuzzer to Use
Different Types of Fuzzers for Different Tasks
Block-Based Fuzzers
Riot
Flipper
Inline Fault Injection
Setting Up a Network Fuzzer Test Bed
The client
The fuzzer
The server/target
Gathering Information of the Target's Side
Writing a Fuzzer with Spike
The Spike API
Reversing a Protocol with Spike
File-Fuzzing Apps
PaiMei
FileFuzz
Fuzzing Web Applications
Configuring WebProxy
Automatic Fuzzing with WebInspect
Next-Generation Fuzzing
Fuzzing or Not Fuzzing
23. Binary Reverse Engineering
Interactive Disassembler
Opening the Binary
Special cases
Searching in IDA
Searching for text strings
Searching for immediate values
Defining Data Types
Structures and unions
An example
Enumerations
Annotating the Code
Setting comments
Marking positions
An example
Code Navigation
Tracking the Flow of Execution
Cross-reference
Flow charts
Tracking function calls
Using Subview Windows
Functions window
Strings window
Names window
Imports and exports windows
Debugging with IDA
Initial configuration
Setting breakpoints and watchpoints
Stepping through the program
Examining data
Tracing
Taking a memory snapshot
Remote debugging
Configuring the client
Configuring the remote host
Finding the Bugs
Making Scripts with IDC
IDC Hello World
Functions and variables
Expressions and statements
Interacting with the IDA database
Adding graphical interfaces
Faking global variables with arrays
Making hotkeys
Automating large tasks
Using IDA Plug-ins
Sysinternals
RegMon
FileMon
Setting Filters
OllyDbg
The Basics
Setting breakpoints and watchpoints
Stepping through the program
Animated stepping
Examining data
Navigating Through the Disassembly
Using bookmarks
Editing Data
Copying and pasting binary sections
The patches window
Undoing edits
Saving your changes
Using OllyDbg with the FreeCiv Case Study
Finding the location of interest
Making our changes
Running the hack
Other Tools
SoftICE
HT
Index
About the Authors
Colophon