Hacking Exposed: Network Security Secrets and Solutions (PDF)

732 Pages·2001·8.554 MB·English
HACKING EXPOSED: NETWORK SECURITY SECRETS & SOLUTIONS
SECOND EDITION

JOEL SCAMBRAY
STUART McCLURE
GEORGE KURTZ

Osborne/McGraw-Hill
Berkeley, New York, St. Louis, San Francisco, Auckland, Bogotá, Hamburg, London, Madrid, Mexico City, Milan, Montreal, New Delhi, Panama City, Paris, São Paulo, Singapore, Sydney, Tokyo, Toronto

Copyright ©2001 by The McGraw-Hill Companies. All rights reserved. Manufactured in the United States of America. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.

0-07-219214-3

The material in this eBook also appears in the print version of this title: 0-07-212748-1.

All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.

McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. For more information, please contact George Hoare, Special Sales, at [email protected] or (212) 904-4069.

TERMS OF USE

This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.

THE WORK IS PROVIDED “AS IS”. McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.

DOI: 10.1036/0072192143

To my parents and their parents, who set me on the path; to my wife, who continues to guide me along it; and to my children, who have taken it in miraculous new directions.
—Joel Scambray

To my wife and child, without whose love and support little else would matter; and to my parents for their continuing confidence in me.
—Stuart McClure

This book is dedicated to my loving wife, Anna. I could not have completed two editions of this book without her understanding, support, and continuous encouragement. I also would like to thank my entire family for their assistance in helping me “find the time” when deadlines seemed impossible.
—George Kurtz

To those who seek the truth, may they continue to search free from restraint and censorship.
—The Authors

About the Authors

Joel Scambray
Joel Scambray is a Principal of Foundstone Inc. (http://www.foundstone.com), where he provides information system security consulting services to clients ranging from members of the Fortune 50 to newly minted startups. He has field-tested knowledge of numerous security technologies and has designed and analyzed security architectures for a variety of applications and products. Mr. Scambray’s regular publications include the monthly “Ask Us About…Security” (http://www.microsoft.com/technet/security/) for Microsoft’s TechNet web site, and the weekly “Security Watch” column in InfoWorld magazine (http://www.infoworld.com/security), where he has additionally published over a dozen technology product analyses. He has held positions as a Manager for Ernst & Young LLP’s eSecurity Solutions group, Senior Test Center Analyst for InfoWorld, and Director of IT for a major commercial real estate firm. Mr. Scambray is a Certified Information Systems Security Professional (CISSP) and Certified Checkpoint Security Engineer (CCSE). Joel Scambray can be reached at [email protected].

Stuart McClure
Stuart McClure is President/CTO of Foundstone, Inc. (http://www.foundstone.com) and has over 10 years of IT and security experience. Mr. McClure specializes in security assessments, firewall reviews, e-commerce application testing, host reviews, PKI technologies, intrusion detection, and incident response. For over two years, Mr. McClure has co-authored a weekly column on security called “Security Watch” for InfoWorld magazine, a global security column addressing topical security issues, exploits, and vulnerabilities. Mr. McClure has spent the past four years with both Big 5 security consulting and the InfoWorld Test Center, where he tested dozens of network and security hardware and software products. Prior to InfoWorld, Mr. McClure spent over seven years managing and securing networks and systems ranging from Cisco, Novell, Solaris, AIX, AS/400, Windows NT, and Linux in corporate, academic, and government landscapes. Stuart McClure can be reached at [email protected].

George Kurtz
George Kurtz is CEO of Foundstone (http://www.foundstone.com), a cutting-edge security consulting and training organization. Mr. Kurtz is an internationally recognized security expert and has performed hundreds of firewall, network, and e-commerce related security assessments throughout his security consulting career. Mr. Kurtz has significant experience with intrusion detection and firewall technologies, incident response procedures, and remote access solutions. He is a regular speaker at many security conferences and has been quoted in a wide range of publications, including The Wall Street Journal, InfoWorld, USA Today, and the Associated Press. Mr. Kurtz is routinely called to comment on breaking security events and has been featured on various television stations, including CNN, CNBC, NBC, and ABC. George Kurtz can be reached at [email protected].

About the Technical Reviewers

Saumil Shah
Saumil Shah provides information security consulting services to Foundstone clients, specializing in ethical hacking and security architecture. He holds a designation as a Certified Information Systems Security Professional (CISSP). Mr. Shah has over six years of experience with system administration, network architecture, integrating heterogeneous platforms and information security, and has performed numerous ethical hacking exercises for many significant companies in the IT arena. Prior to joining Foundstone, Mr. Shah was a senior consultant with Ernst & Young, where he was responsible for their ethical hacking and security architecture solutions. Mr. Shah has also authored a book titled The Anti-Virus Book, published by Tata McGraw-Hill India, and he worked at the Indian Institute of Management, Ahmedabad, as a research assistant. Saumil Shah can be reached at [email protected].

Victor Robert “Bob” Garza
Bob Garza is a Senior IT Network Engineer for a large multinational corporation in the Silicon Valley. His primary areas of responsibility include operational support, network management, and security for a network with over 25 thousand hosts. He has over 20 years of experience in the computing industry and is author of several “For Dummies” books. Mr. Garza has also written reviews of networking and security products for InfoWorld and Federal Computer Week for the past nine years. Mr. Garza holds an M.S. in Telecommunications Management and a B.S. in Information Systems Management.

Eric Schultze
Eric Schultze has been involved with information technology and security for the past nine years, with a majority of his time focused on assessing and securing Microsoft technologies and platforms. He is a frequent speaker at security conferences including NetWorld Interop, Usenix, BlackHat, SANS, and MIS and is a faculty instructor for the Computer Security Institute. Mr. Schultze has also appeared on TV and in many publications including NBC, CNBC, TIME, ComputerWorld, and The Standard. Mr. Schultze’s prior employers include Foundstone, Inc., SecurityFocus.com, Ernst & Young, Price Waterhouse, Bealls Inc., and Salomon Brothers. A contributing author to the first edition of Hacking Exposed, he is currently a Security Program Manager for a software development company.

Martin W. Dolphin
Martin Dolphin is Senior Manager of Security Technology Solutions in the New England Practice for Ernst & Young. Mr. Dolphin has more than 10 years of computer administration experience with more than 5 years of security experience specializing in Windows NT, Novell NetWare, and Internet security. Mr. Dolphin can also be found teaching the Extreme Hacking—Defending Your Site class.

CONTENTS

Foreword  xvii
Acknowledgments  xxi
Introduction  xxiii

Part I: Casing the Establishment
Case Study: Target Acquisition  2

Chapter 1: Footprinting  5
  What Is Footprinting?  6
  Why Is Footprinting Necessary?  6
  Internet Footprinting  6
  Step 1. Determine the Scope of Your Activities  8
  Step 2. Network Enumeration  13
  Step 3. DNS Interrogation  22
  Step 4. Network Reconnaissance  27
  Summary  31

Chapter 2: Scanning  33
  Scan Types  44
  Identifying TCP and UDP Services Running  46
  Windows-Based Port Scanners  51
  Port Scanning Breakdown  57
  Active Stack Fingerprinting  61
  Passive Stack Fingerprinting  65
  The Whole Enchilada: Automated Discovery Tools  67
  Summary  68

Chapter 3: Enumeration  71
  Windows NT/2000 Enumeration  72
  NT/2000 Network Resource Enumeration  76
  NT/2000 User and Group Enumeration  87
  NT/2000 Applications and Banner Enumeration  95
  Let Your Scripts Do the Walking  99
  Novell Enumeration  100
  Browsing the Network Neighborhood  100
  UNIX Enumeration  106
  Summary  113

Part II: System Hacking
Case Study: Know Your Enemy  116

Chapter 4: Hacking Windows 95/98 and ME  117
  Win 9x Remote Exploits  118
  Direct Connection to Win 9x Shared Resources  119
  Win 9x Backdoor Servers and Trojans  124
  Known Server Application Vulnerabilities  129
  Win 9x Denial of Service  130
  Win 9x Local Exploits  130
  Windows Millennium Edition (ME)  137
  Summary  138

Chapter 5: Hacking Windows NT  141
  Overview  143
  Where We’re Headed  143
  What About Windows 2000?  143
  The Quest for Administrator  144
  Remote Exploits: Denial of Service and Buffer Overflows  160
  Privilege Escalation  164
  Consolidation of Power  174
  Exploiting Trust  185
  Sniffers  190
  Remote Control and Back Doors  194
  Port Redirection  203
  General Countermeasures to Privileged Compromise  207
  Rootkit: The Ultimate Compromise  211
  Covering Tracks  214
  Disabling Auditing  214
  Clearing the Event Log  214
  Hiding Files  215
  Summary  216

Chapter 6: Hacking Windows 2000  219
  Footprinting  221
  Scanning  221
  Enumeration  226
  Penetration  229
  NetBIOS-SMB Password Guessing  229
  Eavesdropping on Password Hashes  229
  Attacks Against IIS 5  229
  Remote Buffer Overflows  233
  Denial of Service  233
  Privilege Escalation  238
  Pilfering  241
  Grabbing the Win 2000 Password Hashes  241
  The Encrypting File System (EFS)  246
  Exploiting Trust  249
  Covering Tracks  251
  Disabling Auditing  251
  Clearing the Event Log  252
  Hiding Files  252
  Back Doors  252
  Startup Manipulation  252
  Remote Control  255
  Keystroke Loggers  257
  General Countermeasures: New Windows Security Tools  257
  Group Policy  257
  runas  260
  Summary  261