194_HP_Net2e_FC
2/22/02
10:01 AM
Page 1
1 YEAR UPGRADE BUYER PROTECTION PLAN™
The Only Way to Stop a Hacker is to Think Like One
David R. Mirza Ahmad
Ido Dubrawsky
Hal Flynn
Joseph “Kingpin” Grand
Robert Graham
Norris L. Johnson, Jr.
K2
Dan “Effugas” Kaminsky
F. William Lynch
Steve W. Manzuik
Ryan Permeh
Ken Pfeil
Rain Forest Puppy
Ryan Russell, Technical Editor
UPDATED
BESTSELLER!
solutions@syngress.com
With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening.
Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations.
solutions@syngress.com is an interactive treasure trove of useful information focusing on our book topics and related technologies. The site offers the following features:
■ One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters.
■ “Ask the Author” customer query forms that enable you to post questions to our authors and editors.
■ Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material.
■ Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics.
Best of all, the book you’re now holding is your key to this amazing site.
Just go to www.syngress.com/solutions, and keep this book handy when
you register to verify your purchase.
Thank you for giving us the opportunity to serve your needs. And be sure
to let us know if there’s anything else we can do to help you get the
maximum value from your investment. We’re listening.
www.syngress.com/solutions
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or
production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results
to be obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or
other incidental or consequential damages arising out from the Work or its contents. Because some
states do not allow the exclusion or limitation of liability for consequential or incidental damages, the
above limitation may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when
working with computers, networks, data, and files.
Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” and “Ask the Author UPDATE®,” are registered trademarks of Syngress Publishing, Inc. “Mission Critical™,” “Hack Proofing™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370
Hack Proofing Your Network, Second Edition
Copyright © 2002 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of
America. Except as permitted under the Copyright Act of 1976, no part of this publication may be
reproduced or distributed in any form or by any means, or stored in a database or retrieval system,
without the prior written permission of the publisher, with the exception that the program listings
may be entered, stored, and executed in a computer system, but they may not be reproduced for
publication.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-928994-70-9
Technical Editor: Ryan Russell
Cover Designer: Michael Kavish
Acquisitions Editor: Catherine B. Nolan
Page Layout and Art by: Shannon Tozier
Developmental Editor: Kate Glennon
Indexer: Robert Saigh
Distributed by Publishers Group West in the United States and Jaguar Book Group in Canada.
Acknowledgments
We would like to acknowledge the following people for their kindness and support in
making this book possible.
Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight into the
challenges of designing, deploying and supporting world-class enterprise networks.
Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Kevin Votel,
Kent Anderson, Frida Yara, Bill Getz, Jon Mayes, John Mesjak, Peg O’Donnell, Sandra
Patterson, Betty Redmond, Roy Remer, Ron Shapiro, Patricia Kelly, Andrea Tetrick, Jennifer
Pascal, Doug Reil, and David Dahl of Publishers Group West for sharing their incredible
marketing experience and expertise.
Jacquie Shanahan and AnnHelen Lindeholm of Elsevier Science for making certain that our
vision remains worldwide in scope.
Annabel Dent and Paul Barry of Harcourt Australia for all their help.
David Buckland, Wendi Wong, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.
Kwon Sung June at Acorn Publishing for his support.
Ethan Atkin at Cranbury International for his help in expanding the Syngress program.
Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene Morrow,
Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help
and enthusiasm representing our product in Canada.
Lois Fraser, Connie McMenemy, Shannon Russell and the rest of the great folks at Jaguar
Book Group for their help with distribution of Syngress books in Canada.
From Ryan Russell
I would like to dedicate my work to my wonderful wife and children, without whom none
of this would be worth doing. I love you Sara, Happy Valentine’s Day! I would also like to
thank Brian Martin for his assistance in tech editing, and of course the authors who took the
time to write the book. Special thanks go out to those authors who worked on the first
edition, before anyone had any idea that it would do well or how it would come out.
Contributors
Dan “Effugas” Kaminsky (CISSP) worked for two years at Cisco Systems
designing security infrastructure for large-scale network monitoring systems.
Dan has delivered presentations at several major industry conferences
including Linuxworld, DEF CON, and the Black Hat Briefings, and he also
contributes actively to OpenSSH, one of the more significant cryptographic
systems in use today. Dan founded the cross-disciplinary DoxPara Research
(www.doxpara.com) in 1997, seeking to integrate psychological and technological theory to create more effective systems for non-ideal but very real
environments in the field. He is based in Silicon Valley, presently studying
Operation and Management of Information Systems at Santa Clara
University in California.
Rain Forest Puppy is a security research and development consultant for a Midwest-based security consulting company. RFP has been working in R&D and coding in various languages for over seven years. While the Web is his primary hobby focus point, he has also played in other realms including Linux kernel security patches, lockdown of various Windows and UNIX operating systems, and the development of honeypots and other attack alert tools. In the past he’s reported on SQL tampering and common CGI problems, and has contributed security tools (like whisker) to the information security community.
Ken Pfeil is the Security Program Manager for Identix Inc.’s information technology security division. Ken started with Identix following his position as Chief Information Security Officer for Miradiant Global Network, Inc. Ken has over 14 years of IT and security experience, having served with such companies as Microsoft, Dell, and Merrill Lynch. While employed at Microsoft, Ken co-authored Microsoft’s “Best Practices for Enterprise Security” whitepaper series, and is the founder of “The NT Toolbox” Web site. He currently covers new security risks and vulnerabilities for Windows and .Net magazines’ Security Administrator publication, and was the resident expert for multiplatform integration and security issues for “The Windows 2000 Experts Journal.”
Joseph “Kingpin” Grand is a Boston-based electrical engineer and product designer. His pioneering hardware and security research has been published in various academic and industry journals. He has lectured widely on security product design and analysis, portable devices, and digital forensics. In addition to testifying before the United States Senate Committee on Governmental Affairs, Joseph has presented his research at the United States Naval Post Graduate School Center for INFOSEC Studies and Research, the USENIX Security Symposium, and the IBM Thomas J. Watson Research Center. Joseph was a long-time researcher with the L0pht hacker think tank. He holds a Bachelor of Science in Computer Engineering from Boston University in Boston, Massachusetts.
K2 is a security engineer. He works on a variety of systems ranging from UNIX to all other operating systems. He has spent a lot of time working through security issues wherever they exist: core kernels, networking services, or binary protections. K2 is a member of w00w00 and is a contributing member of The Honeynet Project. He would like to thank Anya for all her help and support throughout the year.
David M. Ahmad is Threat Analysis Manager for SecurityFocus and moderator of the Bugtraq mailing list. SecurityFocus is the leading provider of security intelligence services. David has played a key role in the development of the vulnerability database at SecurityFocus. The focus of this duty has been the analysis of software vulnerabilities and the methods used to exploit them. David became the moderator of Bugtraq, the well-known computer security mailing list, in 2001. He currently resides in Calgary, Alberta, Canada with his family.
F. William Lynch (SCSA, CCNA, LPI-I, MCSE, MCP, Linux+, A+) is co-author of Hack Proofing Sun Solaris 8 (ISBN: 1-928994-44-X), also published by Syngress Publishing. He is an independent security and systems administration consultant and specializes in firewalls, virtual private networks, security auditing, documentation, and systems performance analysis. William has served as a consultant to multinational corporations and the Federal government, including the Centers for Disease Control and Prevention headquarters in Atlanta, Georgia, as well as various airbases of the USAF. He is also the founder and director of the MRTG-PME project,
which uses the MRTG engine to track systems performance of various UNIX-like operating systems. William holds a Bachelor’s degree in Chemical Engineering from the University of Dayton in Dayton, Ohio and a Master of Business Administration from Regis University in Denver, Colorado.
Hal Flynn is a Threat Analyst at SecurityFocus, the leading provider of Security Intelligence Services for Business. Hal functions as a Senior Analyst, performing research and analysis of vulnerabilities, malicious code, and network attacks. He provides the SecurityFocus team with UNIX and network expertise. He is also the manager of the UNIX Focus Area and moderator of the Focus-Sun, Focus-Linux, Focus-BSD, and Focus-GeneralUnix mailing lists.
Hal has worked the field in jobs as varied as Senior Systems and Network Administrator of an Internet Service Provider, contracting for the United States Defense Information Systems Agency, and enterprise-level consulting for Sprint. He is also a veteran of the United States Navy Hospital Corps, having served a tour with the 2nd Marine Division at Camp Lejeune, North Carolina as a Fleet Marine Force Corpsman. Hal is mobile, living between sunny Phoenix, Arizona and wintry Calgary, Alberta, Canada. Rooted in the South, he still calls Montgomery, Alabama home.
Ryan Permeh is a developer and researcher with eEye Digital Security. He works on the Retina and SecureIIS product lines and leads the reverse engineering and custom exploitation efforts for eEye’s research team. Ryan was behind the initial analysis of the CodeRed worm, and has developed many proof-of-concept exploits provided to vendors and the security community. Ryan has experience in NT, UNIX, systems and application programming as well as large-scale secure network deployment and maintenance. Ryan currently lives and works in sunny Orange County, California. Ryan would like to offer special thanks to Riley Hassel for his assistance in providing the Linux exploitation of a sample buffer overflow. He would also like to thank the rest of the eEye team, Greg Hoglund, and Ryan Russell, for the original foundation ideas included in his chapter.
Norris L. Johnson, Jr. (MCSE, MCT, CTT+, A+, Network +) is a technology trainer and owner of a consulting company in the Seattle-Tacoma
area. His consultancies have included deployments and security planning for
local firms and public agencies, as well as providing services to other local
computer firms in need of problem solving and solutions for their clients.
He specializes in Windows NT 4.0, Windows 2000, and Windows XP issues,
providing planning, implementation, and integration services. In addition to
consulting work, Norris provides technical training for clients and teaches
for area community and technical colleges. He co-authored Configuring and
Troubleshooting Windows XP Professional (Syngress Publishing, ISBN: 192899480-6), and performed technical edits on Hack Proofing Windows 2000
Server (ISBN: 1-931836-49-3) and Windows 2000 Active Directory, Second
Edition (ISBN: 1-928994-60-1).
Norris holds a Bachelor’s degree from Washington State University.
He is deeply appreciative of the support of his wife Cindy and three sons
in helping to maintain his focus and efforts toward computer training and
education.
Ido Dubrawsky (CCNA, SCSA) is a Network Security Engineer and a member of Cisco’s Secure Consulting Services in Austin, Texas. He currently conducts security posture assessments for clients as well as providing technical consulting for security design reviews. His strengths include Cisco routers and switches, PIX firewall, Solaris systems, and freeware intrusion detection systems. Ido holds a Bachelor’s and a Master’s degree from the University of Texas at Austin and is a member of USENIX and SAGE. He has written several articles covering Solaris security and network security for Sysadmin magazine as well as SecurityFocus. He lives in Austin, Texas with his family.
Robert Graham has been developing sniffers since 1990, when he wrote most of the protocol decodes for the ProTools protocol analyzer, including real-time tools for password sniffing and Telnet session spying. Robert worked for Network General between 1994 and 1998, where he rewrote all of the protocol decodes for the Sniffer protocol analyzer. He founded Network ICE in 1998 and created the BlackICE network-sniffing intrusion detection system. He is now the chief architect at Internet Security Systems, in charge of the design for the RealSecure IDS.
Steve Manzuik (MCP) was most recently a Manager in Ernst & Young’s
Security and Technology Solutions practice specializing in profiling services.
Over the last ten years Steve has been involved in IT integration, support, and security. Steve is a published author on security topics, a sought-after speaker and information security panelist, and is the moderator of a full disclosure security mailing list, VulnWatch (www.vulnwatch.org). Steve also has acted as a Security Analyst for a worldwide group of White Hat Hackers and Security Researchers, the BindView RAZOR Team.
Steve is a board member of the Calgary Security Professionals Information Exchange (SPIE) group, which is an information-sharing group of local security professionals from various private and government sectors. Steve has a strong background in Microsoft technologies and the various security issues surrounding them, and has successfully guided multiple organizations in securing Microsoft Windows NT hosts for use in a hostile environment. He lives in Calgary, Alberta, Canada with his wife Heather, son Greyson, and newborn daughter Hope.
From the First Edition
The following individuals contributed to the first edition of Hack Proofing
Your Network: Internet Tradecraft. Although not contributors to the second edition, their work and ideas from the first edition have been included.
Oliver Friedrichs has over twelve years of experience in the information security industry, ranging from development to management. Oliver is a co-founder of the information security firm SecurityFocus.com. Previous to founding SecurityFocus, Oliver was a Co-Founder and Vice President of Engineering at Secure Networks, Inc., which was acquired by Network Associates in 1998. Post acquisition, Oliver managed the development of Network Associates’ award-winning CyberCop Scanner network auditing product, and managed Network Associates’ vulnerability research team. Oliver has delivered training on computer security issues for organizations such as the IRS, FBI, Secret Service, NASA, TRW, Canadian Department of Defense, RCMP, and CSE.
Greg Hoglund is a software engineer and researcher. He has written several successful security products for Windows NT. Greg also operates the
Windows NT Rootkit project, located at www.rootkit.com. He has written
several white papers on content-based attacks, kernel patching, and forensics.
Currently he works as a founder of Click To Secure, Inc., building new
security and quality assurance tools. His web site can be found at
www.clicktosecure.com.
Elias Levy is the moderator of Bugtraq, one of the most read security
mailing lists on the Internet, and a co-founder of Security Focus.
Throughout his career, Elias has served as computer security consultant and
security engineer for some of the largest corporations in the United States.
Outside of the computer security industry, he has worked as a UNIX software developer, a network engineer, and system administrator.
Mudge is the former CEO and Chief Scientist of the renowned ‘hacker think-tank’ the L0pht, and is considered the nation’s leading “grey-hat hacker.” He and the original members of the L0pht are now heading up @stake’s research labs, ensuring that the company is at the cutting edge of Internet security. Mudge is a widely sought-after keynote speaker in various forums, including analysis of electronic threats to national security. He has been called to testify before the Senate Committee on Governmental Affairs and to be a witness to the House and Senate joint Judiciary Oversight committee. Mudge has briefed a wide range of members of Congress and has conducted training courses for the Department of Justice, NASA, the US Air Force, and other government agencies. Mudge participated in President Clinton’s security summit at the White House. He joined a small group of high tech executives, privacy experts, and government officials to discuss Internet security.
A recognized name in cryptanalysis, Mudge has co-authored papers with
Bruce Schneier that were published in the 5th ACM Conference on
Computer and Communications Security, and the Secure Networking –
CQRE International Exhibition and Congress.
He is the original author of L0phtCrack, the award winning NT password auditing tool. In addition, Mudge co-authored AntiSniff, the world’s
first commercial remote promiscuous mode detection program. He has
written over a dozen advisories and various tools, many of which resulted in
numerous CERT advisories, vendor updates, and patches.
Stace Cunningham (CMISS, CCNA, MCSE, CLSE, COS/2E, CLSI, COS/2I, CLSA, MCPS, A+) is a security consultant currently located in Biloxi, MS. He has assisted several clients in the development and implementation of network security plans for their organizations. Both network and operating system security have always intrigued Stace, so he strives to constantly stay on top of the changes in this ever-evolving field. While in the Air Force he held the positions of Network Security Officer and Computer Systems Security Officer. While in the Air Force, Stace was heavily involved in installing, troubleshooting, and protecting long-haul circuits with the appropriate level of cryptography necessary to protect the level of information traversing the circuit, as well as protecting the circuits from TEMPEST hazards. Stace was a contributor to The SANS Institute booklet “Windows NT Security Step by Step.” In addition, he has co-authored over 18 books published by Osborne/McGraw-Hill, Syngress, and Microsoft Press. He has also performed as Technical Editor for various other books and has written for Internet Security Advisor magazine.
Technical Editor and Contributor
Ryan Russell is the best-selling author of Hack Proofing Your Network: Internet Tradecraft (Syngress Publishing, ISBN: 1-928994-15-6). He is an Incident Analyst at SecurityFocus, has served as an expert witness on security topics, and has done internal security investigation for a major software vendor. Ryan has been working in the IT field for over 13 years, the last 7 of which have been spent primarily in information security. He has been an active participant in various security mailing lists, such as BugTraq, for years, and is frequently sought after as a speaker at security conferences. Ryan has contributed to four other Syngress Publishing titles on the topic of networking, and four on the topic of security. He holds a Bachelor of Science degree in Computer Science.
Understanding the Current Legal Climate
This book will teach you techniques that, if used in the wrong way, will get you in trouble with the law. Me saying this is like a driving instructor saying, “I’m going to teach you how to drive; if you drive badly, you might run someone over.” In both cases, any harm done would be your fault.
Contents

Foreword v 1.5  xxix
Foreword v 1.0  xxxiii

Chapter 1 How To Hack  1
    Introduction  2
    What We Mean by “Hack”  2
    Why Hack?  3
    Knowing What To Expect in the Rest of This Book  4
    Understanding the Current Legal Climate  6
    Summary  8
    Frequently Asked Questions  8

Chapter 2 The Laws of Security  11
    Introduction  12
    Knowing the Laws of Security  12
    Client-Side Security Doesn’t Work  14
    You Cannot Securely Exchange Encryption Keys without a Shared Piece of Information  15
    Malicious Code Cannot Be 100 Percent Protected against  18
    Any Malicious Code Can Be Completely Morphed to Bypass Signature Detection  20
    Firewalls Cannot Protect You 100 Percent from Attack  22
        Social Engineering  24
        Attacking Exposed Servers  24
        Attacking the Firewall Directly  26
        Client-Side Holes  26
    Any IDS Can Be Evaded  27
    Secret Cryptographic Algorithms Are Not Secure  28
    If a Key Is Not Required, You Do Not Have Encryption—You Have Encoding  30
    Passwords Cannot Be Securely Stored on the Client Unless There Is Another Password to Protect Them  32
    In Order for a System to Begin to Be Considered Secure, It Must Undergo an Independent Security Audit  35
    Security through Obscurity Does Not Work  37

Tools & Traps…
Want to Check that Firewall?
There are an incredible number of freeware tools available to you for beginning your checks of vulnerability. I have a couple of favorites that allow for quick probes and checks of information about various IP addresses:
■ SuperScan, from Foundstone Corporation: www.foundstone.com/knowledge/free_tools.html
■ Sam Spade, from SamSpade.org: www.samspade.org.
Solutions Fast Track
■ There are seven classes of attacks: denial of service (DoS), information leakage, regular file access, misinformation, special file/database access, remote arbitrary code execution, and elevation of privileges.

    Summary  39
    Solutions Fast Track  39
    Frequently Asked Questions  42

Chapter 3 Classes of Attack  45
    Introduction  46
    Identifying and Understanding the Classes of Attack  46
        Denial of Service  47
            Local Vector Denial of Service  47
            Network Vector Denial of Service  50
        Information Leakage  56
            Service Information Leakage  56
            Protocol Information Leakage  58
            Leaky by Design  60
            Leaky Web Servers  60
            A Hypothetical Scenario  61
            Why Be Concerned with Information Leakage?  61
        Regular File Access  62
            Permissions  62
            Symbolic Link Attacks  63
        Misinformation  65
            Standard Intrusion Procedure  67
        Special File/Database Access  69
            Attacks against Special Files  69
            Attacks against Databases  70
        Remote Arbitrary Code Execution  72
            The Attack  73
            Code Execution Limitations  74
        Elevation of Privileges  74
            Remote Privilege Elevation  75
    Identifying Methods of Testing for Vulnerabilities  77
        Proof of Concept  77
            Exploit Code  78
            Automated Security Tools  79
            Versioning  79
        Standard Research Techniques  80
            Whois  81
            Domain Name System  86
            Nmap  89
            Web Indexing  90
    Summary  93
    Solutions Fast Track  95
    Frequently Asked Questions  96

Chapter 4 Methodology  99
    Introduction  100
    Understanding Vulnerability Research Methodologies  100
        Source Code Research  101
            Searching For Error-Prone Functions  101
            Line-By-Line Review  102
            Discovery Through Difference  102
        Binary Research  104
            Tracing Binaries  104
            Debuggers  105
            Guideline-Based Auditing  105
            Sniffers  105
    The Importance of Source Code Reviews  106
        Searching Error-Prone Functions  106
            Buffer Overflows  106
            Input Validation Bugs  110
            Race Conditions  112
    Reverse Engineering Techniques  113
        Disassemblers, Decompilers, and Debuggers  120
    Black Box Testing  125
        Chips  126
    Summary  128
    Solutions Fast Track  129
    Frequently Asked Questions  130

Q: Is decompiling and other reverse engineering legal?
A: In the United States, reverse engineering may soon be illegal. The Digital Millennium Copyright Act includes a provision designed to prevent the circumvention of technological measures that control access to copyrighted works. Source code can be copyrighted, and therefore makes the reverse engineering of copyrighted code illegal.

Recursive Grepping
According to Ryan Tennant’s (Argoth) Solaris Infrequently Asked Obscure Questions (IAOQ) at http://shells.devunix.org/~argoth/iaoq, a recursive grep can be performed using the following command:

    /usr/bin/find . | /usr/bin/xargs /usr/bin/grep PATTERN

Chapter 5 Diffing  131
    Introduction  132
    What Is Diffing?  132
        Why Diff?  135
        Looking to the Source Code  136
        Going for the Gold: A Gaming Example  139
    Exploring Diff Tools  143
        Using File-Comparison Tools  143
            Using the fc Tool  143
            Using the diff Command  145
        Working with Hex Editors  146
            Hackman  147
            [N] Curses Hexedit  148
            Hex Workshop  149
        Utilizing File System Monitoring Tools  150
            Doing It The Hard Way: Manual Comparison  150
            Comparing File Attributes  151
            Using the Archive Attribute  153
            Examining Checksums and Hashes  154
        Finding Other Tools  155
    Troubleshooting  157
        Problems with Checksums and Hashes  157
        Problems with Compression and Encryption  159
    Summary  160
    Solutions Fast Track  161
    Frequently Asked Questions  162

Chapter 6 Cryptography  165
    Introduction  166
    Understanding Cryptography Concepts  166
        History  167
        Encryption Key Types  167
    Learning about Standard Cryptographic Algorithms  169
        Understanding Symmetric Algorithms  170
            DES  170
            AES (Rijndael)  172
            IDEA  173
        Understanding Asymmetric Algorithms  174
            Diffie-Hellman  174
            RSA  176
    Understanding Brute Force  177
        Brute Force Basics  177
        Using Brute Force to Obtain Passwords  178
            L0phtcrack  180
            Crack  181
            John the Ripper  182
    Knowing When Real Algorithms Are Being Used Improperly  183
        Bad Key Exchanges  183
        Hashing Pieces Separately  184
        Using a Short Password to Generate a Long Key  185
        Improperly Stored Private or Secret Keys  186
    Understanding Amateur Cryptography Attempts  188
        Classifying the Ciphertext  189

John the Ripper
John the Ripper is another password-cracking program, but it differs from Crack in that it is available in UNIX, DOS, and Win32 editions. Crack is great for older systems using crypt(), but John the Ripper is better for newer systems using MD5 and similar password formats.
            Frequency Analysis  189
            Ciphertext Relative Length Analysis  190
            Similar Plaintext Analysis  190
            Monoalphabetic Ciphers  191
        Other Ways to Hide Information  191
            XOR  191
            UUEncode  195
            Base64  195
            Compression  197
    Summary  199
    Solutions Fast Track  200
    Frequently Asked Questions  202

Chapter 7 Unexpected Input  205
    Introduction  206
    Understanding Why Unexpected Data Is Dangerous  206
    Finding Situations Involving Unexpected Data  208
        Local Applications and Utilities  208
        HTTP/HTML  208
        Unexpected Data in SQL Queries  211
        Application Authentication  215
        Disguising the Obvious  220
    Using Techniques to Find and Eliminate Vulnerabilities  221
        Black-Box Testing  222
            Discovering Network and System Problems  225
        Use the Source  226
        Untaint Data by Filtering It  227
            Escaping Characters Is Not Always Enough  227
            Perl  228
            Cold Fusion/Cold Fusion Markup Language (CFML)  229
            ASP  229
            PHP  230
            Protecting Your SQL Queries  231
        Silently Removing versus Alerting on Bad Data  232
            Invalid Input Function  232
            Token Substitution  233
    Utilizing the Available Safety Features in Your Programming Language  233

Understanding Why Unexpected Data Is Dangerous
■ Almost all applications interact with the user, and thus take data from them.
■ An application can’t assume that the user is playing by the rules.
■ The application has to be wary of buffer overflows, logic alteration, and the validity of data passed to system functions.
        Perl  233
        PHP  235
        ColdFusion/ColdFusion Markup Language  235
        ASP  236
        MySQL  237
    Using Tools to Handle Unexpected Data  237
        Web Sleuth  237
        CGIAudit  237
        RATS  237
        Flawfinder  238
        Retina  238
        Hailstorm  238
        Pudding  238
    Summary  239
    Solutions Fast Track  239
    Frequently Asked Questions  242

Damage & Defense…
Understanding Assembly Language
There are a few specific pieces of assembly language knowledge that are necessary to understand the stack. One thing that is required is to understand the normal usage of registers in a stack:
■ EIP The extended instruction pointer.
■ ESP The extended stack pointer.
■ EBP The extended base pointer.

Chapter 8 Buffer Overflow  243
    Introduction  244
    Understanding the Stack  244
        The Code  246
        Disassembly  247
        The Stack Dump  248
        Oddities and the Stack  249
    Understanding the Stack Frame  249
        Introduction to the Stack Frame  250
        Passing Arguments to a Function: A Sample Program  250
            The Disassembly  251
            The Stack Dumps  254
            Stack Frames and Calling Syntaxes  256
    Learning about Buffer Overflows  257
        A Simple Uncontrolled Overflow: A Sample Program  259
            The Disassembly  260
            The Stack Dumps  262
    Creating Your First Overflow  263
        Creating a Program with an Exploitable Overflow  264
            Writing the Overflowable Code  264
            Disassembling the Overflowable Code  265
            Stack Dump after the Overflow  267
    Performing the Exploit  267
Q: How can I eliminate or minimize the risk of unknown format string vulnerabilities in programs on my system?
A: A good start is having a sane security policy. Rely on the least-privileges model, ensure that only the most necessary utilities are installed setuid and can be run only by members of a trusted group. Disable or block access to all services that are not completely necessary.

        General Exploit Concepts  268
            Buffer Injection Techniques  268
            Methods to Execute Payload  269
            Designing Payload  281
        Performing the Exploit on Linux  282
        Performing the Exploit on Windows NT  293
    Learning Advanced Overflow Techniques  303
        Input Filtering  303
        Incomplete Overflows and Data Corruption  304
        Stack Based Function Pointer Overwrite  306
        Heap Overflows  306
            Corrupting a Function Pointer  307
            Trespassing the Heap  307
    Advanced Payload Design  310
        Using What You Already Have  310
        Dynamic Loading New Libraries  311
        Eggshell Payloads  313
    Summary  314
    Solutions Fast Track  314
    Frequently Asked Questions  317

Chapter 9 Format Strings  319
    Introduction  320
    Understanding Format String Vulnerabilities  322
        Why and Where Do Format String Vulnerabilities Exist?  326
        How Can They Be Fixed?  327
    How Format String Vulnerabilities Are Exploited  328
        Denial of Service  329
        Reading Memory  329
        Writing to Memory  330
    How Format String Exploits Work  332
        Constructing Values  333
        What to Overwrite  335
            Overwriting Return Addresses  335
            Overwriting Global Offset Table Entries and Other Function Pointers  335
    Examining a Vulnerable Program  336
        Testing with a Random Format String  340
        Writing a Format String Exploit  344