Hack Proofing Your Network, Second Edition, part 1

  • Pages: 83 |
  • File type: PDF |
  • Views: 37 |
  • Downloads: 0
hoangtuavartar

Has posted 24838 documents

Description:

194_HP_Net2e_FC 2/22/02 10:01 AM Page 1

1 YEAR UPGRADE BUYER PROTECTION PLAN™

The Only Way to Stop a Hacker is to Think Like One

David R. Mirza Ahmad, Ido Dubrawsky, Hal Flynn, Joseph “Kingpin” Grand, Robert Graham, Norris L. Johnson, Jr., K2, Dan “Effugas” Kaminsky, F. William Lynch, Steve W. Manzuik, Ryan Permeh, Ken Pfeil, Rain Forest Puppy
Ryan Russell, Technical Editor

UPDATED BESTSELLER!

solutions@syngress.com

With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening. Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations.

Solutions@syngress.com is an interactive treasure trove of useful information focusing on our book topics and related technologies. The site offers the following features:

■ One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters.
■ “Ask the Author” customer query forms that enable you to post questions to our authors and editors.
■ Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material.
■ Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics.

Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase. Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.

www.syngress.com/solutions

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out of the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” and “Ask the Author UPDATE®,” are registered trademarks of Syngress Publishing, Inc. “Mission Critical™,” “Hack Proofing™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY  SERIAL NUMBER
001  D7Y4T945T5
002  AKTRT4MW34
003  VMB663N54N
004  SGD34B39KA
005  87U8Q26NVH
006  N4D4RNTEM4
007  2HBVHTR46T
008  ZPB9R5653R
009  J6N5M4BRAS
010  5T6YH2TZFC

PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Hack Proofing Your Network, Second Edition
Copyright © 2002 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

1 2 3 4 5 6 7 8 9 0
ISBN: 1-928994-70-9

Technical Editor: Ryan Russell
Cover Designer: Michael Kavish
Acquisitions Editor: Catherine B. Nolan
Page Layout and Art by: Shannon Tozier
Developmental Editor: Kate Glennon
Indexer: Robert Saigh

Distributed by Publishers Group West in the United States and Jaguar Book Group in Canada.

Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks.

Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Kevin Votel, Kent Anderson, Frida Yara, Bill Getz, Jon Mayes, John Mesjak, Peg O’Donnell, Sandra Patterson, Betty Redmond, Roy Remer, Ron Shapiro, Patricia Kelly, Andrea Tetrick, Jennifer Pascal, Doug Reil, and David Dahl of Publishers Group West for sharing their incredible marketing experience and expertise.

Jacquie Shanahan and AnnHelen Lindeholm of Elsevier Science for making certain that our vision remains worldwide in scope.

Annabel Dent and Paul Barry of Harcourt Australia for all their help.
David Buckland, Wendi Wong, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Ethan Atkin at Cranbury International for his help in expanding the Syngress program.

Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help and enthusiasm representing our product in Canada.

Lois Fraser, Connie McMenemy, Shannon Russell and the rest of the great folks at Jaguar Book Group for their help with distribution of Syngress books in Canada.

From Ryan Russell

I would like to dedicate my work to my wonderful wife and children, without whom none of this would be worth doing. I love you Sara, Happy Valentine’s Day! I would also like to thank Brian Martin for his assistance in tech editing, and of course the authors who took the time to write the book. Special thanks go out to those authors who worked on the first edition, before anyone had any idea that it would do well or how it would come out.

Contributors

Dan “Effugas” Kaminsky (CISSP) worked for two years at Cisco Systems designing security infrastructure for large-scale network monitoring systems. Dan has delivered presentations at several major industry conferences including Linuxworld, DEF CON, and the Black Hat Briefings, and he also contributes actively to OpenSSH, one of the more significant cryptographic systems in use today. Dan founded the cross-disciplinary DoxPara Research (www.doxpara.com) in 1997, seeking to integrate psychological and technological theory to create more effective systems for non-ideal but very real environments in the field. He is based in Silicon Valley, presently studying Operation and Management of Information Systems at Santa Clara University in California.

Rain Forest Puppy is a security research and development consultant for a Midwest-based security consulting company. RFP has been working in R&D and coding in various languages for over seven years. While the Web is his primary hobby focus point, he has also played in other realms including Linux kernel security patches, lockdown of various Windows and UNIX operating systems, and the development of honeypots and other attack alert tools. In the past he’s reported on SQL tampering and common CGI problems, and has contributed security tools (like whisker) to the information security community.

Ken Pfeil is the Security Program Manager for Identix Inc.’s information technology security division. Ken started with Identix following his position as Chief Information Security Officer for Miradiant Global Network, Inc. Ken has over 14 years of IT and security experience, having served with such companies as Microsoft, Dell, and Merrill Lynch. While employed at Microsoft, Ken co-authored Microsoft’s “Best Practices for Enterprise Security” whitepaper series, and is the founder of “The NT Toolbox” Web site. He currently covers new security risks and vulnerabilities for Windows and .Net magazines’ Security Administrator publication, and was the resident expert for multiplatform integration and security issues for “The Windows 2000 Experts Journal.”

Joseph “Kingpin” Grand is a Boston-based electrical engineer and product designer. His pioneering hardware and security research has been published in various academic and industry journals. He has lectured widely on security product design and analysis, portable devices, and digital forensics. In addition to testifying before the United States Senate Committee on Governmental Affairs, Joseph has presented his research at the United States Naval Postgraduate School Center for INFOSEC Studies and Research, the USENIX Security Symposium, and the IBM Thomas J. Watson Research Center. Joseph was a long-time researcher with the L0pht hacker think tank. He holds a Bachelor of Science in Computer Engineering from Boston University in Boston, Massachusetts.

K2 is a security engineer. He works on a variety of systems ranging from UNIX to all other operating systems. He has spent a lot of time working through security issues wherever they exist: core kernels, networking services, or binary protections. K2 is a member of w00w00 and is a contributing member of The Honeynet Project. He would like to thank Anya for all her help and support throughout the year.

David M. Ahmad is Threat Analysis Manager for SecurityFocus and moderator of the Bugtraq mailing list. SecurityFocus is the leading provider of security intelligence services. David has played a key role in the development of the vulnerability database at SecurityFocus; the focus of this duty has been the analysis of software vulnerabilities and the methods used to exploit them. David became the moderator of Bugtraq, the well-known computer security mailing list, in 2001. He currently resides in Calgary, Alberta, Canada with his family.

F. William Lynch (SCSA, CCNA, LPI-I, MCSE, MCP, Linux+, A+) is coauthor of Hack Proofing Sun Solaris 8 (ISBN: 1-928994-44-X), also published by Syngress Publishing. He is an independent security and systems administration consultant and specializes in firewalls, virtual private networks, security auditing, documentation, and systems performance analysis. William has served as a consultant to multinational corporations and the Federal government, including the Centers for Disease Control and Prevention headquarters in Atlanta, Georgia, as well as various airbases of the USAF. He is also the founder and director of the MRTG-PME project, which uses the MRTG engine to track systems performance of various UNIX-like operating systems. William holds a Bachelor’s degree in Chemical Engineering from the University of Dayton in Dayton, Ohio and a Master of Business Administration from Regis University in Denver, Colorado.

Hal Flynn is a Threat Analyst at SecurityFocus, the leading provider of Security Intelligence Services for Business. Hal functions as a Senior Analyst, performing research and analysis of vulnerabilities, malicious code, and network attacks. He provides the SecurityFocus team with UNIX and Network expertise. He is also the manager of the UNIX Focus Area and moderator of the Focus-Sun, Focus-Linux, Focus-BSD, and FocusGeneralUnix mailing lists. Hal has worked the field in jobs as varied as Senior Systems and Network Administrator of an Internet Service Provider, contracting to the United States Defense Information Systems Agency, and enterprise-level consulting for Sprint. He is also a veteran of the United States Navy Hospital Corps, having served a tour with the 2nd Marine Division at Camp Lejeune, North Carolina as a Fleet Marine Force Corpsman. Hal is mobile, living between sunny Phoenix, Arizona and wintry Calgary, Alberta, Canada. Rooted in the South, he still calls Montgomery, Alabama home.

Ryan Permeh is a developer and researcher with eEye Digital Security. He works on the Retina and SecureIIS product lines and leads the reverse engineering and custom exploitation efforts for eEye’s research team. Ryan was behind the initial analysis of the CodeRed worm, and has developed many proof of concept exploits provided to vendors and the security community. Ryan has experience in NT, UNIX, systems and application programming as well as large-scale secure network deployment and maintenance. Ryan currently lives and works in sunny Orange County, California. Ryan would like to offer special thanks to Riley Hassel for his assistance in providing the Linux exploitation of a sample buffer overflow. He would also like to thank the rest of the eEye team, Greg Hoglund, and Ryan Russell, for the original foundation ideas included in his chapter.

Norris L. Johnson, Jr. (MCSE, MCT, CTT+, A+, Network+) is a technology trainer and owner of a consulting company in the Seattle-Tacoma area. His consultancies have included deployments and security planning for local firms and public agencies, as well as providing services to other local computer firms in need of problem solving and solutions for their clients. He specializes in Windows NT 4.0, Windows 2000, and Windows XP issues, providing planning, implementation, and integration services. In addition to consulting work, Norris provides technical training for clients and teaches for area community and technical colleges. He co-authored Configuring and Troubleshooting Windows XP Professional (Syngress Publishing, ISBN: 1-928994-80-6), and performed technical edits on Hack Proofing Windows 2000 Server (ISBN: 1-931836-49-3) and Windows 2000 Active Directory, Second Edition (ISBN: 1-928994-60-1). Norris holds a Bachelor’s degree from Washington State University. He is deeply appreciative of the support of his wife Cindy and three sons in helping to maintain his focus and efforts toward computer training and education.

Ido Dubrawsky (CCNA, SCSA) is a Network Security Engineer and a member of Cisco’s Secure Consulting Services in Austin, Texas. He currently conducts security posture assessments for clients as well as provides technical consulting for security design reviews. His strengths include Cisco routers and switches, PIX firewall, Solaris systems, and freeware intrusion detection systems. Ido holds a Bachelor’s and a Master’s degree from the University of Texas at Austin and is a member of USENIX and SAGE. He has written several articles covering Solaris security and network security for Sysadmin magazine as well as SecurityFocus. He lives in Austin, Texas with his family.

Robert Graham has been developing sniffers since 1990, when he wrote most of the protocol decodes for the ProTools protocol-analyzer, including real-time tools for password sniffing and Telnet session spying. Robert worked for Network General between 1994 and 1998, where he rewrote all of the protocol decodes for the Sniffer protocol-analyzer. He founded Network ICE in 1998 and created the BlackICE network-sniffing intrusion detection system. He is now the chief architect at Internet Security Systems in charge of the design for the RealSecure IDS.

Steve Manzuik (MCP) was most recently a Manager in Ernst & Young’s Security and Technology Solutions practice specializing in profiling services. Over the last ten years Steve has been involved in IT integration, support, and security. Steve is a published author on security topics, a sought-after speaker and information security panelist, and is the moderator of a full disclosure security mailing list, VulnWatch (www.vulnwatch.org). Steve also has acted as a Security Analyst for a worldwide group of White Hat Hackers and Security Researchers, the BindView RAZOR Team. Steve is a board member of the Calgary Security Professionals Information Exchange (SPIE) group, which is an information-sharing group of local security professionals from various private and government sectors. Steve has a strong background in Microsoft technologies and the various security issues surrounding them, and has successfully guided multiple organizations in securing Microsoft Windows NT hosts for use in a hostile environment. He lives in Calgary, Alberta, Canada with his wife Heather, son Greyson, and newborn daughter Hope.
From the First Edition

The following individuals contributed to the first edition of Hack Proofing Your Network: Internet Tradecraft. Although not contributors to the second edition, their work and ideas from the first edition have been included.

Oliver Friedrichs has over twelve years of experience in the information security industry, ranging from development to management. Oliver is a cofounder of the information security firm SecurityFocus.com. Previous to founding SecurityFocus, Oliver was a Co-Founder and Vice President of Engineering at Secure Networks, Inc., which was acquired by Network Associates in 1998. Post acquisition, Oliver managed the development of Network Associates’ award-winning CyberCop Scanner network auditing product, and managed Network Associates’ vulnerability research team. Oliver has delivered training on computer security issues for organizations such as the IRS, FBI, Secret Service, NASA, TRW, Canadian Department of Defense, RCMP, and CSE.

Greg Hoglund is a software engineer and researcher. He has written several successful security products for Windows NT. Greg also operates the Windows NT Rootkit project, located at www.rootkit.com. He has written several white papers on content-based attacks, kernel patching, and forensics. Currently he works as a founder of Click To Secure, Inc., building new security and quality assurance tools. His web site can be found at www.clicktosecure.com.

Elias Levy is the moderator of Bugtraq, one of the most read security mailing lists on the Internet, and a co-founder of Security Focus. Throughout his career, Elias has served as computer security consultant and security engineer for some of the largest corporations in the United States. Outside of the computer security industry, he has worked as a UNIX software developer, a network engineer, and system administrator.

Mudge is the former CEO and Chief Scientist of renowned ‘hacker think tank’ the L0pht, and is considered the nation’s leading “grey-hat hacker.” He and the original members of the L0pht are now heading up @stake’s research labs, ensuring that the company is at the cutting edge of Internet security. Mudge is a widely sought-after keynote speaker in various forums, including analysis of electronic threats to national security. He has been called to testify before the Senate Committee on Governmental Affairs and to be a witness to the House and Senate joint Judiciary Oversight committee. Mudge has briefed a wide range of members of Congress and has conducted training courses for the Department of Justice, NASA, the US Air Force, and other government agencies. Mudge participated in President Clinton’s security summit at the White House. He joined a small group of high tech executives, privacy experts, and government officials to discuss Internet security. A recognized name in cryptanalysis, Mudge has co-authored papers with Bruce Schneier that were published in the 5th ACM Conference on Computer and Communications Security, and the Secure Networking – CQRE International Exhibition and Congress. He is the original author of L0phtCrack, the award-winning NT password auditing tool. In addition, Mudge co-authored AntiSniff, the world’s first commercial remote promiscuous mode detection program. He has written over a dozen advisories and various tools, many of which resulted in numerous CERT advisories, vendor updates, and patches.

Stace Cunningham (CMISS, CCNA, MCSE, CLSE, COS/2E, CLSI, COS/2I, CLSA, MCPS, A+) is a security consultant currently located in Biloxi, MS. He has assisted several clients in the development and implementation of network security plans for their organizations. Both network and operating system security have always intrigued Stace, so he strives to constantly stay on top of the changes in this ever-evolving field. While in the Air Force he held the positions of Network Security Officer and Computer Systems Security Officer, and was heavily involved in installing, troubleshooting, and protecting long-haul circuits with the level of cryptography necessary to protect the information traversing the circuit, as well as protecting the circuits from TEMPEST hazards. Stace was a contributor to The SANS Institute booklet “Windows NT Security Step by Step.” In addition, he has coauthored over 18 books published by Osborne/McGraw-Hill, Syngress, and Microsoft Press. He has also performed as Technical Editor for various other books and has written for Internet Security Advisor magazine.

Technical Editor and Contributor

Ryan Russell is the best-selling author of Hack Proofing Your Network: Internet Tradecraft (Syngress Publishing, ISBN: 1-928994-15-6). He is an Incident Analyst at SecurityFocus, has served as an expert witness on security topics, and has done internal security investigation for a major software vendor. Ryan has been working in the IT field for over 13 years, the last 7 of which have been spent primarily in information security. He has been an active participant in various security mailing lists, such as BugTraq, for years, and is frequently sought after as a speaker at security conferences. Ryan has contributed to four other Syngress Publishing titles on the topic of networking, and four on the topic of security. He holds a Bachelor of Science degree in Computer Science.

Understanding the Current Legal Climate
This book will teach you techniques that, if used in the wrong way, will get you in trouble with the law.
Me saying this is like a driving instructor saying, “I’m going to teach you how to drive; if you drive badly, you might run someone over.” In both cases, any harm done would be your fault.

Contents

Foreword v 1.5
Foreword v 1.0

Chapter 1 How To Hack
Introduction
What We Mean by “Hack”
Why Hack?
Knowing What To Expect in the Rest of This Book
Understanding the Current Legal Climate
Summary
Frequently Asked Questions

Chapter 2 The Laws of Security

  Tools & Traps… Want to Check that Firewall?
  There are an incredible number of freeware tools available to you for beginning your checks of vulnerability. I have a couple of favorites that allow for quick probes and checks of information about various IP addresses:
  ■ SuperScan, from Foundstone Corporation: www.foundstone.com/knowledge/free_tools.html
  ■ Sam Spade, from SamSpade.org: www.samspade.org

Introduction
Knowing the Laws of Security
Client-Side Security Doesn’t Work
You Cannot Securely Exchange Encryption Keys without a Shared Piece of Information
Malicious Code Cannot Be 100 Percent Protected Against
Any Malicious Code Can Be Completely Morphed to Bypass Signature Detection
Firewalls Cannot Protect You 100 Percent from Attack
Social Engineering
Attacking Exposed Servers
Attacking the Firewall Directly
Client-Side Holes
Any IDS Can Be Evaded
Secret Cryptographic Algorithms Are Not Secure
If a Key Is Not Required, You Do Not Have Encryption—You Have Encoding
Passwords Cannot Be Securely Stored on the Client Unless There Is Another Password to Protect Them
In Order for a System to Begin to Be Considered Secure, It Must Undergo an Independent Security Audit
Security through Obscurity Does Not Work
Summary
Solutions Fast Track
Frequently Asked Questions

Chapter 3 Classes of Attack

  Solutions Fast Track
  ■ There are seven classes of attacks: denial of service (DoS), information leakage, regular file access, misinformation, special file/database access, remote arbitrary code execution, and elevation of privileges.

Introduction
Identifying and Understanding the Classes of Attack
Denial of Service
Local Vector Denial of Service
Network Vector Denial of Service
Information Leakage
Service Information Leakage
Protocol Information Leakage
Leaky by Design
Leaky Web Servers
A Hypothetical Scenario
Why Be Concerned with Information Leakage?
Regular File Access
Permissions
Symbolic Link Attacks
Misinformation
Standard Intrusion Procedure
Special File/Database Access
Attacks against Special Files
Attacks against Databases
Remote Arbitrary Code Execution
The Attack
Code Execution Limitations
Elevation of Privileges
Remote Privilege Elevation
Identifying Methods of Testing for Vulnerabilities
Proof of Concept
Exploit Code
Automated Security Tools
Versioning
Standard Research Techniques
Whois
Domain Name System
Nmap
Web Indexing
Summary
Solutions Fast Track
Frequently Asked Questions

Chapter 4 Methodology

  Frequently Asked Questions
  Q: Is decompiling and other reverse engineering legal?
  A: In the United States, reverse engineering may soon be illegal. The Digital Millennium Copyright Act includes a provision designed to prevent the circumvention of technological measures that control access to copyrighted works. Source code can be copyrighted, which would make the reverse engineering of copyrighted code illegal.

  Recursive Grepping
  According to Ryan Tennant’s (Argoth) Solaris Infrequently Asked Obscure Questions (IAOQ) at http://shells.devunix.org/~argoth/iaoq, a recursive grep can be performed using the following command:
  /usr/bin/find . | /usr/bin/xargs /usr/bin/grep PATTERN
  Note that this pipeline also hands directories to grep and breaks on file names containing whitespace or quotes; restrict find to regular files (-type f) and use the null-separated -print0/-0 pairing where your find and xargs support it.

Introduction
Understanding Vulnerability Research Methodologies
Source Code Research
Searching For Error-Prone Functions
Line-By-Line Review
Discovery Through Difference
Binary Research
Tracing Binaries
Debuggers
Guideline-Based Auditing
Sniffers
The Importance of Source Code Reviews
Searching Error-Prone Functions
Buffer Overflows
Input Validation Bugs
Race Conditions
Reverse Engineering Techniques
Disassemblers, Decompilers, and Debuggers
Black Box Testing
Chips
Summary
Solutions Fast Track
Frequently Asked Questions

Chapter 5 Diffing
Introduction
What Is Diffing?
Why Diff?
Looking to the Source Code
Going for the Gold: A Gaming Example
Exploring Diff Tools
Using File-Comparison Tools
Using the fc Tool
Using the diff Command
Working with Hex Editors
Hackman
[N] Curses Hexedit
Hex Workshop
Utilizing File System Monitoring Tools
Doing It The Hard Way: Manual Comparison
Comparing File Attributes
Using the Archive Attribute
Examining Checksums and Hashes
Finding Other Tools
Troubleshooting
Problems with Checksums and Hashes
Problems with Compression and Encryption
Summary
Solutions Fast Track
Frequently Asked Questions

Chapter 6 Cryptography

  John the Ripper
  John the Ripper is another password-cracking program, but it differs from Crack in that it is available in UNIX, DOS, and Win32 editions. Crack is great for older systems using crypt(), but John the Ripper is better for newer systems using MD5 and similar password formats.
Introduction
Understanding Cryptography Concepts
History
Encryption Key Types
Learning about Standard Cryptographic Algorithms
Understanding Symmetric Algorithms
DES
AES (Rijndael)
IDEA
Understanding Asymmetric Algorithms
Diffie-Hellman
RSA
Understanding Brute Force
Brute Force Basics
Using Brute Force to Obtain Passwords
L0phtcrack
Crack
John the Ripper
Knowing When Real Algorithms Are Being Used Improperly
Bad Key Exchanges
Hashing Pieces Separately
Using a Short Password to Generate a Long Key
Improperly Stored Private or Secret Keys
Understanding Amateur Cryptography Attempts
Classifying the Ciphertext
Frequency Analysis
Ciphertext Relative Length Analysis
Similar Plaintext Analysis
Monoalphabetic Ciphers
Other Ways to Hide Information
XOR
UUEncode
Base64
Compression
Summary
Solutions Fast Track
Frequently Asked Questions

Chapter 7 Unexpected Input

  Understanding Why Unexpected Data Is Dangerous
  ■ Almost all applications interact with the user, and thus take data from them.
  ■ An application can’t assume that the user is playing by the rules.
  ■ The application has to be wary of buffer overflows, logic alteration, and the validity of data passed to system functions.

Introduction
Understanding Why Unexpected Data Is Dangerous
Finding Situations Involving Unexpected Data
Local Applications and Utilities
HTTP/HTML
Unexpected Data in SQL Queries
Application Authentication
Disguising the Obvious
Using Techniques to Find and Eliminate Vulnerabilities
Black-Box Testing
Discovering Network and System Problems
Use the Source
Untaint Data by Filtering It
Escaping Characters Is Not Always Enough
Perl
Cold Fusion/Cold Fusion Markup Language (CFML)
ASP
PHP
Protecting Your SQL Queries
Silently Removing versus Alerting on Bad Data
Invalid Input Function
Token Substitution
Utilizing the Available Safety Features in Your Programming Language
Perl
PHP
ColdFusion/ColdFusion Markup Language
ASP
MySQL
Using Tools to Handle Unexpected Data
Web Sleuth
CGIAudit
RATS
Flawfinder
Retina
Hailstorm
Pudding
Summary
Solutions Fast Track
Frequently Asked Questions

Chapter 8 Buffer Overflow

  Damage & Defense… Understanding Assembly Language
  A few specific pieces of assembly language knowledge are necessary to understand the stack. One requirement is to understand the normal usage of the registers that manage the stack:
  ■ EIP The extended instruction pointer.
  ■ ESP The extended stack pointer.
  ■ EBP The extended base pointer.

Introduction
Understanding the Stack
The Code
Disassembly
The Stack Dump
Oddities and the Stack
Understanding the Stack Frame
Introduction to the Stack Frame
Passing Arguments to a Function: A Sample Program
The Disassembly
The Stack Dumps
Stack Frames and Calling Syntaxes
Learning about Buffer Overflows
A Simple Uncontrolled Overflow: A Sample Program
The Disassembly
The Stack Dumps
Creating Your First Overflow
Creating a Program with an Exploitable Overflow
Writing the Overflowable Code
Disassembling the Overflowable Code
Stack Dump after the Overflow
Performing the Exploit
General Exploit Concepts
Buffer Injection Techniques
Methods to Execute Payload
Designing Payload
Performing the Exploit on Linux
Performing the Exploit on Windows NT
Learning Advanced Overflow Techniques
Input Filtering
Incomplete Overflows and Data Corruption
Stack Based Function Pointer Overwrite
Heap Overflows
Corrupting a Function Pointer
Trespassing the Heap
Advanced Payload Design
Using What You Already Have
Dynamic Loading New Libraries
Eggshell Payloads
Summary
Solutions Fast Track
Frequently Asked Questions

Chapter 9 Format Strings

  Frequently Asked Questions
  Q: How can I eliminate or minimize the risk of unknown format string vulnerabilities in programs on my system?
  A: A good start is having a sane security policy. Rely on the least-privileges model: ensure that only the most necessary utilities are installed setuid, and that they can be run only by members of a trusted group. Disable or block access to all services that are not completely necessary.

Introduction
Understanding Format String Vulnerabilities
Why and Where Do Format String Vulnerabilities Exist?
How Can They Be Fixed?
How Format String Vulnerabilities Are Exploited
Denial of Service
Reading Memory
Writing to Memory
How Format String Exploits Work
Constructing Values
What to Overwrite
Overwriting Return Addresses
Overwriting Global Offset Table Entries and Other Function Pointers
Examining a Vulnerable Program
Testing with a Random Format String
Writing a Format String Exploit
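The FAQ answer above limits what a format string bug can do once it exists; the bug itself is the case Chapter 7 calls unexpected data passed to a system function and Chapter 9 treats under “How Can They Be Fixed?”. The C program below is an added example written for this page, not code from the book or its authors. The logging wrapper and the function names (log_write, log_vulnerable, log_fixed, contains_format_directive, input_was_interpreted) and the sample message are this example’s own assumptions. It passes the same untrusted string once as the format argument of a printf-style logging wrapper and once as data behind a literal "%s", and includes a check that tells the two apart.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define LOG_MAX 64

/* A typical printf-style logging wrapper (hypothetical; not from the book).
 * It carries no format attribute, so the compiler cannot see through it;
 * that is how real format string bugs hide behind log and error wrappers. */
static int log_write(char *out, size_t out_len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, out_len, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE: the untrusted message is used as the format string, so every
 * '%' directive in it is interpreted. Directives that take arguments (%x,
 * %s, %n) read from, or with %n write to, memory the caller never supplied;
 * that is the read/write primitive the Chapter 9 exploits build on. The
 * sample input below uses only "%%", which consumes no argument, so this
 * demonstration stays within defined behaviour. */
int log_vulnerable(char *out, size_t out_len, const char *user_msg)
{
    return log_write(out, out_len, user_msg);
}

/* FIXED: the format string is a literal and the message is an argument.
 * Nothing in user_msg is interpreted; it is copied (truncated to the
 * buffer) as data. */
int log_fixed(char *out, size_t out_len, const char *user_msg)
{
    return log_write(out, out_len, "%s", user_msg);
}

/* Defence in depth for fields where '%' is never legitimate (a user name,
 * a host name): reject the input rather than silently stripping it, so the
 * attempt stays visible, the Chapter 7 "alerting" choice. */
bool contains_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

/* Self-check: true when the vulnerable and fixed paths produce different
 * output for the same input, i.e. when the input was interpreted rather
 * than copied. Only call it with inputs whose directives need no
 * arguments ("%%"), because the vulnerable path is what is being measured. */
bool input_was_interpreted(const char *user_msg)
{
    char a[LOG_MAX], b[LOG_MAX];
    log_vulnerable(a, sizeof a, user_msg);
    log_fixed(b, sizeof b, user_msg);
    return strcmp(a, b) != 0;
}

int main(void)
{
    /* Constructed input: reads like a status message but carries "%%". */
    const char *msg = "disk 100%% full";
    char buf[LOG_MAX];

    log_vulnerable(buf, sizeof buf, msg);
    printf("vulnerable: [%s]\n", buf);   /* [disk 100% full]  : "%%" consumed */
    log_fixed(buf, sizeof buf, msg);
    printf("fixed:      [%s]\n", buf);   /* [disk 100%% full] : copied verbatim */
    printf("interpreted: %s\n", input_was_interpreted(msg) ? "yes" : "no");
    return 0;
}
```

The compile-time counterpart: give the wrapper `__attribute__((format(printf, 3, 4)))` (GCC and Clang) and build with `-Wformat -Wformat-security`, and the call in log_vulnerable is reported as a non-literal format string with no arguments while log_fixed is accepted. The runtime check, input_was_interpreted, is the same idea as the “Testing with a Random Format String” step in the chapter outline: feed a string with directives and see whether the output still matches the input.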