Register for Free Membership to solutions@syngress.com

Over the last few years, Syngress has published many best-selling and critically acclaimed books, including Tom Shinder’s Configuring ISA Server 2004, Brian Caswell and Jay Beale’s Snort 2.1 Intrusion Detection, and Angela Orebaugh and Gilbert Ramirez’s Ethereal Packet Sniffing. One of the reasons for the success of these books has been our unique solutions@syngress.com program. Through this site, we’ve been able to provide readers a real-time extension to the printed book.

As a registered owner of this book, you will qualify for free access to our members-only solutions@syngress.com program. Once you have registered, you will enjoy several benefits, including:

■ Four downloadable e-booklets on topics related to the book. Each booklet is approximately 20-30 pages in Adobe PDF format. They have been selected by our editors from other best-selling Syngress books as providing topic coverage that is directly related to the coverage in this book.

■ A comprehensive FAQ page that consolidates all of the key points of this book into an easy-to-search web page, providing you with the concise, easy-to-access data you need to perform your job.

■ A “From the Author” Forum that allows the authors of this book to post timely updates and links to related sites, or additional topic coverage that may have been requested by readers.

Just visit us at www.syngress.com/solutions and follow the simple registration process. You will need to have this book with you when you register.

Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there is anything else we can do to make your job easier.

Penetration Tester’s Open Source Toolkit

Johnny Long
Aaron W. Bayles
James C. Foster
Chris Hurley
Mike Petruzzi
Noam Rathaus
SensePost
Mark Wolfgang

Auditor Security Collection Bootable Linux Distribution

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY   SERIAL NUMBER
001   HJIRTCV764
002   PO9873D5FG
003   829KM8NJH2
004   HJDFRTUBBH
005   CVPLQ6WQ23
006   VBP965T5T5
007   HJJJ863WD3E
008   2987GVTWMK
009   629MP5SDJT
010   IMWQ295T6T

PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Penetration Tester’s Open Source Toolkit

Copyright © 2006 by Syngress Publishing, Inc. All rights reserved. Printed in Canada. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in Canada
1 2 3 4 5 6 7 8 9 0

ISBN: 1-59749-021-0

Publisher: Andrew Williams
Page Layout and Art: Patricia Lupien
Acquisitions Editor: Jaime Quigley
Cover Designer: Michael Kavish
Technical Editor: Johnny Long
Indexer: Odessa&Cie
Copy Editors: Darlene Bordwell, Amy Thomson, and Judy Eby

Distributed by O’Reilly Media, Inc. in the United States and Canada.

For information on rights, translations, and bulk purchases contact Matt Pedersen, Director of Rights, Syngress Publishing; email [email protected] or fax to 781-681-3585.

Acknowledgments

Syngress would like to acknowledge the following people for their kindness and support in making this book possible.

A very special thank you to the remote-exploit.org team who maintain the Auditor Security Collection: Max Moser, William M. Hidalgo, Paul Mansbridge, Satya Jith, Joshua Wright, Martin J. Muench, and Steffen Kewitz. Without your dedication to the project, this book would not have been possible.

Thank you to Renaud Deraison, John Lampe, and Jason Wylie from the Nessus development team for providing technical support.
Syngress books are now distributed in the United States and Canada by O’Reilly Media, Inc. The enthusiasm and work ethic at O’Reilly are incredible, and we would like to thank everyone there for their time and efforts to bring Syngress books to market: Tim O’Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Steve Hazelwood, Mark Wilson, Rick Brown, Tim Hinton, Kyle Hart, Sara Winge, Peter Pardo, Leslie Crandell, Regina Aggio Wilkinson, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen, Betsy Waliszewski, Kathryn Barrett, John Chodacki, Rob Bullington, Kerry Beck, Karen Montgomery, and Patrick Dirden.

The incredibly hardworking team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, Emma Wyatt, Krista Leppiko, Marcel Koppes, Judy Chappell, Radek Janousek, Rosie Moss, David Lockley, Nicola Haden, Bill Kennedy, Martina Morris, Kai Wuerfl-Davidek, Christiane Leipersberger, Yvonne Grueneklee, Nadia Balavoine, and Chris Reinders for making certain that our vision remains worldwide in scope.

David Buckland, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai Hua, Joseph Chan, June Lim, and Siti Zuraidah Ahmad of Pansing Distributors for the enthusiasm with which they receive our books.

David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Andrew Swaffer, Stephen O’Donoghue, Bec Lowe, Mark Langley, and Anyo Geddes of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.
Technical Editor and Contributing Author

Johnny Long is a “clean-living” family guy who just so happens to like hacking stuff. Recently, Johnny has enjoyed writing stuff, reading stuff, editing stuff and presenting stuff at conferences, which has served as yet another diversion to a serious (and bill-paying) job as a professional hacker and security researcher for Computer Sciences Corporation. Johnny enjoys spending time with his family, pushing all the shiny buttons on them thar new-fangled Mac computers, and making much-too-serious security types either look at him funny or start laughing uncontrollably. Johnny has written or contributed to several books, including Google Hacking for Penetration Testers, InfoSec Career Hacking, Aggressive Network Self-Defense, Stealing the Network: How to Own an Identity, and OS X for Hackers at Heart, all from Syngress Publishing. Johnny can be reached through his website, http://johnny.ihackstuff.com

Johnny wrote Chapter 8 “Running Nessus from Auditor”.

Thanks first to Christ without whom I am nothing. To Jen, Makenna, Trevor and Declan, my love always. To the authors that worked on this book: Aaron, Charl, Chris, Gareth, Haroon, James, Mark, Mike, Roelof. You guys rock! I’m glad we’re still friends after the editing hat came off! Jaime, Andrew and all of Syngress: I can’t thank you enough. Thanks to Renaud Deraison, Ron Gula, John Lampe, and Jason Wylie for the Nessus support. Jason Arnold (Nexus!) for hosting me, and all the mods (Murf, JBrashars, Klouw, Sanguis, ThePsyko, Wolveso) and members of JIHS for your help and support. Strikeforce for the fun and background required. Shouts to Nathan B, Sujay S, Stephen S, Jenny Yang, SecurityTribe, the Shmoo Group (Bruce, Heidi, Andy: ++pigs), Sensepost, Blackhat, Defcon, Neal Stephenson (Baroque), Stephen King (On Writing), Ted Dekker (Thr3e), P.O.D., Pillar, Project86, Shadowvex, Yoshinori Sunahara. “I’m sealing the fate of my selfish existence / Pushing on with life from death, no questions left / I’m giving my life, no less” - from A Toast To My Former Self by Project86

Contributing Authors

Aaron W. Bayles is a senior security consultant with Sentigy, Inc. of Houston, TX. He provides service to Sentigy’s clients with penetration testing, vulnerability assessment, and risk assessments for enterprise networks. He has over 9 years’ experience with INFOSEC, with specific experience in wireless security, penetration testing, and incident response. Aaron’s background includes work as a senior security engineer with SAIC in Virginia and Texas. He is also the lead author of the Syngress book, InfoSec Career Hacking: Sell Your Skillz, Not Your Soul. Aaron has provided INFOSEC support and penetration testing for multiple agencies in the U.S. Department of the Treasury, such as the Financial Management Service and Securities and Exchange Commission, and the Department of Homeland Security, such as U.S. Customs and Border Protection. He holds a Bachelor of Science degree in Computer Science with post-graduate work in Embedded Linux Programming from Sam Houston State University and is also a CISSP.

Aaron wrote Chapter 2 “Enumeration and Scanning.”

I would like to thank my family foremost, my mother and father, Lynda and Billy Bayles, for supporting me and putting up with my many quirks.
My wife Jennifer is a never-ending source of comfort and strength that backs me up whenever I need it, even if I don’t know it. The people who have helped me learn my craft have been numerous, and I don’t have time to list them all. All of you from SHSU Computer Services and Computer Science, Falcon Technologies, SAIC, the DC Metro bunch, and Sentigy know who you are and how much you have helped me; my most sincere thanks. I would like to thank J0hnny as well for inviting me to contribute to this book. If I kept learning INFOSEC for the next 20 years, I doubt I would be able to match wits and technique with J0hnny, Chris, Mike P., and the other authors of this fine book.

James C. Foster, Fellow, is the Executive Director of Global Product Development for Computer Sciences Corporation, where he is responsible for the vision, strategy, and development of CSC managed security services and solutions. Additionally, Foster is currently a contributing Editor at Information Security Magazine and resides on the Mitre OVAL Board of Directors. Preceding CSC, Foster was the Director of Research and Development for Foundstone Inc. and played a pivotal role in the McAfee acquisition for eighty-six million in 2004. While at Foundstone, Foster was responsible for all aspects of product, consulting, and corporate R&D initiatives. Prior to Foundstone, Foster worked for Guardent Inc. (acquired by Verisign for 135 Million in 2003) and was an adjunct author at Information Security Magazine (acquired by TechTarget Media), subsequent to working for the Department of Defense.
Foster is a seasoned speaker and has presented throughout North America at conferences, technology forums, security summits, and research symposiums with highlights at the Microsoft Security Summit, Black Hat USA, Black Hat Windows, MIT Research Forum, SANS, MilCon, TechGov, InfoSec World, and the Thomson Conference. He also is commonly asked to comment on pertinent security issues and has been cited in Time, Forbes, Washington Post, USA Today, Information Security Magazine, Baseline, Computer World, Secure Computing, and the MIT Technologist. Foster was invited to and resided on the executive panel for the 2005 State of Regulatory Compliance Summit at the National Press Club in Washington, D.C.

Foster is an alumnus of the University of Pennsylvania’s Wharton School of Business, where he studied international business and globalization and received the honor and designation of lifetime Fellow. Foster has also studied at the Yale School of Business, Harvard University and the University of Maryland; Foster also has a bachelor of science in software engineering and a master’s in business administration.