325_STI_FM.qxd 7/5/05 8:39 PM Page i Register for Free Membership to s o l u t i o n s @ s y n g r e s s . c o m Over the last few years, Syngress has published many best-selling and critically acclaimed books, including Tom Shinder’s Configuring ISA Server 2004, Brian Caswell and Jay Beale’s Snort 2.1 Intrusion Detection, and Angela Orebaugh and Gilbert Ramirez’s Ethereal Packet Sniffing. One of the reasons for the success of these books has been our unique [email protected] program. Through this site, we’ve been able to provide readers a real time extension to the printed book. As a registered owner of this book, you will qualify for free access to our members-only [email protected] program. Once you have registered, you will enjoy several benefits, including: ■ Four downloadable e-booklets on topics related to the book. Each booklet is approximately 20-30 pages in Adobe PDF format. They have been selected by our editors from other best-selling Syngress books as providing topic coverage that is directly related to the coverage in this book. ■ A comprehensive FAQ page that consolidates all of the key points of this book into an easy-to-search web page, pro- viding you with the concise, easy-to-access data you need to perform your job. ■ A “From the Author” Forum that allows the authors of this book to post timely updates links to related sites, or addi- tional topic coverage that may have been requested by readers. Just visit us at www.syngress.com/solutions and follow the simple registration process. You will need to have this book with you when you register. Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there is anything else we can do to make your job easier. 325_STI_FM.qxd 7/5/05 8:39 PM Page ii 325_STI_FM.qxd 7/5/05 8:39 PM Page iii STEALING THE NETWORK How to Own an Identity Raven Alder, Jay Beale, Riley “Caezar” Eller, Brian Hatch, Chris Hurley (Roamer), Jeff Moss, Ryan Russell, Tom Parker Timothy Mullen (Thor) Contributing Author and Technical Editor Johnny Long Contributing Author and Technical Editor 325_STI_FM.qxd 7/5/05 8:39 PM Page iv Syngress Publishing,Inc.,the author(s),and any person or firm involved in the writing,editing,or produc- tion (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind,expressed or implied,regarding the Work or its contents.The Work is sold AS IS and WITHOUT WARRANTY.You may have other legal rights,which vary from state to state. In no event will Makers be liable to you for damages,including any loss of profits,lost savings,or other incidental or consequential damages arising out from the Work or its contents.Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages,the above limitation may not apply to you. You should always use reasonable care,including backup and other appropriate precautions,when working with computers,networks,data,and files. Syngress Media®,Syngress®,“Career Advancement Through Skill Enhancement®,”“Ask the Author UPDATE®,”and “Hack Proofing®,”are registered trademarks of Syngress Publishing,Inc.“Syngress:The Definition of a Serious Security Library”™,“Mission Critical™,”and “The Only Way to Stop a Hacker is to Think Like One™”are trademarks of Syngress Publishing,Inc.Brands and product names mentioned in this book are trademarks or service marks of their respective companies. KEY SERIAL NUMBER 001 HJIRTCV764 002 PO9873D5FG 003 829KM8NJH2 004 HJMF456544 005 CVPLQ6WQ23 006 VBP965T5T5 007 HJJJ863WD3E 008 2987GVTWMK 009 629MP5SDJT 010 IMWQ295T6T PUBLISHED BY Syngress Publishing,Inc. 800 Hingham Street Rockland,MA 02370 Stealing the Network: How to Own an Identity Copyright © 2005 by Syngress Publishing,Inc.All rights reserved.Printed in the United States of America.Except as permitted under the Copyright Act of 1976,no part of this publication may be repro- duced or distributed in any form or by any means,or stored in a database or retrieval system,without the prior written permission of the publisher,with the exception that the program listings may be entered, stored,and executed in a computer system,but they may not be reproduced for publication. Printed in the United States of America 1 2 3 4 5 6 7 8 9 0 ISBN:1-59749-006-7 Publisher:Andrew Williams Page Layout and Art:Patricia Lupien Acquisitions Editor:Jaime Quigley Copy Editor:Jon Lasser Technical Editosr:Timothy Mullen and Johnny Long Cover Designer:Michael Kavish Distributed by O’Reilly Media,Inc.in the United States and Canada. For information on rights,translations,and bulk purchases contact Matt Pedersen,Director of Sales and Rights,at Syngress Publishing;email [email protected] fax to 781-681-3585. 325_STI_FM.qxd 7/5/05 8:39 PM Page v Acknowledgments Syngress would like to acknowledge the following people for their kindness and support in making this book possible. A special thank you to Ryan Russell.You were an early pioneer of IT security books and your contributions to our publishing program over the years have been invaluable. Kevin Mitnick of Mitnick Security Consulting,LLC.You have always been generous with your time and your expertise.We appreciate your insight and we value your friendship. Jeff Moss and Ping Look from Black Hat,Inc.You have been good friends to Syngress and great colleagues to work with.Thank you! Thanks to the contributors of Stealing the Network:How to Own the Box,and Stealing the Network:How to Own a Continent.You paved the way for this computer book genre:131ah, Mark Burnett,Paul Craig,Dan Kaminsky,Ido Dubrawsky,Fyodor,Joe Grand,Haroon Meer,Kevin Mitnick,Ken Pfeil,Roelof Temmingh,and Charl van der Walt. Syngress books are now distributed in the United States and Canada by O’Reilly Media, Inc.The enthusiasm and work ethic at O’Reilly are incredible,and we would like to thank everyone there for their time and efforts to bring Syngress books to market:Tim O’Reilly, Laura Baldwin,Mark Brokering,Mike Leonard,Donna Selenko,Bonnie Sheehan,Cindy Davis,Grant Kikkert,Opol Matsutaro,Steve Hazelwood,Mark Wilson,Rick Brown,Leslie Becker,Jill Lothrop,Tim Hinton,Kyle Hart,Sara Winge,C.J.Rayhill,Peter Pardo,Leslie Crandell,Regina Aggio,Pascal Honscher,Preston Paull,Susan Thompson,Bruce Stewart, Laura Schmier,Sue Willing,Mark Jacobsen,Betsy Waliszewski,Dawn Mann,Kathryn Barrett,John Chodacki,Rob Bullington,and Aileen Berg. The incredibly hardworking team at Elsevier Science,including Jonathan Bunkell,Ian Seager,Duncan Enright,David Burton,Rosanna Ramacciotti,Robert Fairbrother,Miguel Sanchez,Klaus Beran,Emma Wyatt,Chris Hossack,Krista Leppiko,Marcel Koppes,Judy Chappell,Radek Janousek,and Chris Reinders for making certain that our vision remains worldwide in scope. David Buckland,Marie Chieng,Lucy Chong,Leslie Lim,Audrey Gan,Pang Ai Hua, Joseph Chan,and Siti Zuraidah Ahmad of STP Distributors for the enthusiasm with which they receive our books. David Scott,Tricia Wilden,Marilla Burgess,Annette Scott,Andrew Swaffer,Stephen O’Donoghue,Bec Lowe,Mark Langley,and Anyo Geddes of Woodslane for distributing our books throughout Australia,New Zealand,Papua New Guinea,Fiji,Tonga,Solomon Islands,and the Cook Islands. Dave Hemsath of BreakPoint Books. v 325_STI_FM.qxd 7/5/05 8:39 PM Page vi 325_STI_FM.qxd 7/5/05 8:39 PM Page vii Contributing Authors and Technical Editors Stealing Character:Ryan,Chapter 4,and author of Chapter 12,“Social Insecurity.”Created concept for this book. Timothy Mullen (Thor) has been educating and training users in the technology sector since 1983 when he began teaching BASIC and COBOL through a special program at the Medical University of South Carolina— while still a senior in high school.Launching his profes- sional career in application development and network integration in 1984,Mullen is now CIO and Chief Software Architect for AnchorIS.Com,a developer of secure enterprise-based accounting solutions.Mullen has developed and implemented Microsoft net- working and security solutions for institutions like the US Air Force,Microsoft, the US Federal Court systems,regional power generation facilities and interna- tional banking/financial institutions.He has developed a myriad of applications from military aircraft statistics interfaces and biological aqua-culture management to nuclear power-plant effects monitoring for private,government,and military entities.Timothy is currently being granted a patent for the unique architecture of his payroll processing engine used in the AnchorIS accounting solutions suite. Mullen has been a columnist for Security Focus’s Microsoft section,and is a reg- ular contributor of InFocus technical articles.AKA “Thor,”he is the founder of the “Hammer of God”security co-op group.Mullen’s writings appear in multiple publications such as Hacker’s Challenge and the Stealing the Network (Syngress ISBN 1-931836-87-6 and 1-931836-05-1) series,technical edits in Windows XP Security,with security tools and techniques features in publications such as the Hacking Exposed series and New Scientist magazine. Mullen is a member of American Mensa,and has recently been awarded the Microsoft “Most Valuable Professional”award in Windows Security. vii 325_STI_FM.qxd 7/5/05 8:39 PM Page viii Chapters 7,10,and Epilogue. Johnny Long is a “clean-living”family guy who just so happens to like hacking stuff.Over the past two years, Johnny’s most visible focus has been on this Google hacking “thing”which has served as yet another diversion to a serious (and bill-paying) job as a professional hacker and security researcher for Computer Sciences Corporation.In his spare time,Johnny enjoys making random pirate noises (“Yarrrrr! Savvy?”),spending time with his wife and kids,convincing others that acting like a kid is part of his job as a parent,feigning artistic ability with programs like Bryce and Photoshop,pushing all the pretty shiny buttons on them new-fangled Mac com- puters,and making much-too-serious security types either look at him funny or start laughing uncontrollably.Johnny has written or contributed to several books, including the popular book Google Hacking for Penetration Testers (Syngress,ISBN:1- 931836-36-1),which has secured rave reviews and has lots of pictures. Thanks first to Christ without whom I am nothing.To Jen,Makenna,Trevor and Declan,my love always.Thanks to Anthony for his great insight into LE and the forensics scene,and the “AWE-some”brainstorming sessions.Thanks to Jaime and Andrew at Syngress and all the authors on this project (an honour,really!) and especially to Tom,Jay,Ryan and Thor for your extra support and collaboration. Also to Chris Daywalt,Regina L,Joe Church,Terry M,Jason Arnold (Nexus!) and all the mods on JIHS for your help and support.Shouts to Nathan,Sujay,Stephen S,SecurityTribe,the Shmoo Group,Sensepost,Blackhat,Defcon,Pillar,Project86, Superchic[k],DJ Lex,Echoing Green.“I long for the coming of chapter two / to put an end to this cycle of backlash / So I start where the last chapter ended / But the veil has been lifted,my thoughts are sifted / Every wrong is righted / The new song I sing with every breath,breathes sight in”-‘Chapter 2’by Project86. viii 325_STI_FM.qxd 7/5/05 8:39 PM Page ix Contributing Authors Stealing Character:The woman with no name, Chapter 1. Riley “Caezar”Eller has extensive experience in Internet embedded devices and protocol security.He invented automatic web vulnerability analysis and ASCII- armored stack overflow exploits,and contributed to sev- eral other inventions including a pattern language for describing network attacks.His credits include the Black Hat Security Briefings and Training series,“Meet the Enemy”seminars,the books Hack Proofing Your Network: Internet Tradecraft (Syngress,ISBN: 1-928994-15-6),and the “Caezar’s Challenge” think tank.As creator of the Root Fu scoring system and as a founding member of the only team ever to win three consecutive DEFCON Capture the Flag contests, Caezar is the authority on security contest scoring. Stealing Characters:Robert Knoll,Senior (Knuth) Prologue.Robert Knoll,Junior,Chapter 2. Ryan Russell (Blue Boar) has worked in the IT field for over 13 years,focusing on information security for the last seven.He was the lead author of Hack Proofing Your Network,Second Edition (Syngress,ISBN:1-928994-70-9), contributing author and technical editor of Stealing The Network:How to Own The Box (Syngress,ISBN:1-931836- 87-6),and is a frequent technical editor for the Hack Proofing series of books from Syngress.Ryan was also a technical advisor on Snort 2.0 Intrusion Detection (Syngress,ISBN:1-931836-74-4). Ryan founded the vuln-dev mailing list,and moderated it for three years under the alias “Blue Boar.”He is a frequent lecturer at security conferences,and can often be found participating in security mailing lists and website discussions.Ryan is the QA Manager at BigFix,Inc. ix