Tài liệu Hack proofing your network internet tradecraft

95_pgwFP.qx 11/22/00 12:45 PM Page 1 “Ryan Russell has an important message for us all: ‘What you don’t know will hurt you…’“ — Kevin Mitnick HACK PROOFING YOUR NETWORK INTERNET TRADECRAFT Y TO LY WAK ER THE ONA C HA STOP TO THINK IS E: LIKE ON Rain Forest Puppy “This book provides a bold, unsparing tour of information security that never swerves from the practical.” —Kevin L. Poulsen Editorial Director SecurityFocus.com Elias Levy, Bugtraq Blue Boar, Vuln-dev Dan “Effugas” Kaminsky, Cisco Systems Oliver Friedrichs, SecurityFocus.com Riley “Caesar” Eller, Internet Security Advisors Greg Hoglund, Click To Secure Jeremy Rauch Georgi Guninski Ryan Russell, SecurityFocus.com Stace Cunningham, CLSE, COS/2E, CLSI, COS/2I, CLSA Foreword by Mudge, Security Advisor to the White House and Congress 95_hack_prod_00FM.qx 7/13/00 3:41 PM Page i [email protected] With over 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we have come to know many of you personally. By listening, we've learned what you like and dislike about typical computer books. The most requested item has been for a web-based service that keeps you current on the topic of the book and related technologies. In response, we have created [email protected], a service that includes the following features: ■ A one-year warranty against content obsolescence that occurs as the result of vendor product upgrades. We will provide regular web updates for affected chapters. ■ Monthly mailings that respond to customer FAQs and provide detailed explanations of the most difficult topics, written by content experts exclusively for [email protected]. ■ Regularly updated links to sites that our editors have determined offer valuable additional information on key topics. ■ Access to “Ask the Author”™ customer query forms that allow readers to post questions to be addressed by our authors and editors. Once you've purchased this book, browse to www.syngress.com/solutions. To register, you will need to have the book handy to verify your purchase. Thank you for giving us the opportunity to serve you. 95_hack_prod_00FM.qx 7/13/00 3:41 PM Page ii 95_hack_prod_00FM.qx 7/13/00 3:41 PM Page iii HACK PROOFING NETWORK: YO U R INTERNET TRADECRAFT 95_hack_prod_00FM.qx 7/13/00 3:41 PM Page iv Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable case, including backup and other appropriate precautions, when working with computers, networks, data, and files. Syngress Media® and Syngress® are registered trademarks of Syngress Media, Inc. “Career Advancement Through Skill Enhancement™,” “Ask the Author™,” “Ask the Author UPDATE™,” and “Mission Critical™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies. KEY 001 002 003 004 005 006 007 008 009 010 SERIAL NUMBER AB7153MGC6 KTY864GHPL SRS587EPHN TYP244KBGK 468ZJRHGM9 1LBVBC7466 6724ED1M84 CCVX153SCC MKM719ACK NJGMB98445 PUBLISHED BY Syngress Media, Inc. 800 Hingham Street Rockland, MA 02370 Hack Proofing Your Network: Internet Tradecraft Copyright © 2000 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication. Printed in the United States of America 1 2 3 4 5 6 7 8 9 0 ISBN: 1-928994-15-6 Product Line Manager: Kate Glennon Technical Edit by: Stace Cunningham and Ryan Russell Co-Publisher: Richard Kristof Distributed by Publishers Group West Index by: Robert Saigh Copy Edit by: Beth Roberts Proofreading by: Adrienne Rebello and Ben Chadwick Page Layout and Art: Reuben Kantor and Kate Glennon 95_hack_prod_00FM.qx 7/13/00 3:41 PM Page v Acknowledgments We would like to acknowledge the following people for their kindness and support in making this book possible. Richard Kristof, Duncan Anderson, Jennifer Gould, Robert Woodruff, Kevin Murray, Dale Leatherwood, Rhonda Harmon, and Robert Sanregret of Global Knowledge, for their generous access to the IT industry’s best courses, instructors and training facilities. Ralph Troupe and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks. Karen Cross, Kim Wylie, Harry Kirchner, John Hays, Bill Richter, Kevin Votel, Brittin Clark, Sarah Schaffer, Ellen Lafferty and Sarah MacLachlan of Publishers Group West for sharing their incredible marketing experience and expertise. Mary Ging, Caroline Hird, and Simon Beale of Harcourt International for making certain that our vision remains worldwide in scope. Annabel Dent, Anneka Baeten, Clare MacKenzie, and Laurie Giles of Harcourt Australia for all their help. David Buckland, Wendi Wong, David Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books. Kwon Sung June at Acorn Publishing for his support. Ethan Atkin at Cranbury International for his help in expanding the Syngress program. Special thanks to the professionals at Osborne with whom we are proud to publish the best-selling Global Knowledge Certification Press series. v 95_hack_prod_00FM.qx 7/13/00 3:41 PM Page vi From Global Knowledge At Global Knowledge we strive to support the multiplicity of learning styles required by our students to achieve success as technical professionals. As the world's largest IT training company, Global Knowledge is uniquely positioned to offer these books. The expertise gained each year from providing instructor-led training to hundreds of thousands of students worldwide has been captured in book form to enhance your learning experience. We hope that the quality of these books demonstrates our commitment to your lifelong learning success. Whether you choose to learn through the written word, computer based training, Web delivery, or instructor-led training, Global Knowledge is committed to providing you with the very best in each of these categories. For those of you who know Global Knowledge, or those of you who have just found us for the first time, our goal is to be your lifelong competency partner. Thank your for the opportunity to serve you. We look forward to serving your needs again in the future. Warmest regards, Duncan Anderson President and Chief Executive Officer, Global Knowledge vi 95_hack_prod_00FM.qx 7/13/00 3:41 PM Page vii Contributors Ryan Russell has been working in the IT field for over ten years, the last five of which have been spent primarily in information security. He has been an active participant in various security mailing lists, such as Bugtraq, for years. Ryan has served as an expert witness, and has done internal security investigation for a major software vendor. Ryan has contributed to three other Syngress books, on the topics of networking. He has a degree in computer science from San Francisco State University. Ryan is presently employed by SecurityFocus.com. Ryan would like to dedicate his portion of the work to his wife, Sara, for putting up with him while he finished this book. Introduction, Chapters 1, 2, 4, 5, 10, and 13 Blue Boar has been interested in computer security since he first discovered that a Northstar multiuser CP/M system he worked on as a high school freshman had no memory protection, so all the input and output from all terminals were readable by any user. Many years ago he founded the Thievco Main Office BBS, which he ran until he left home for college. Recently, Blue Boar was resurrected by his owner for the purpose of publishing security information that his owner would rather not have associated with himself or his employers. Blue Boar is best known currently as the moderator of the vuln-dev mailing list ([email protected]) which is dedicated to the open investigation and development of security holes. Contributed to Chapter 6 Riley (caezar) Eller is a Senior Security Engineer for the Internet Security Advisors Group, where he works on penetration and security tool development. He has extensive experience in operating system analysis and design, reverse engineering, and defect correction in closed-source and proprietary operating systems, without the benefit of having access to the source code. Mr. Eller is the first to reveal ASCII-armored stack overflow exploits. Prior to his employment with ISAG, Mr. Eller spent six years developing operating systems for Internet embedded devices. His clients have included government and military contractors and agencies, as well as Fortune 500 companies, worldwide. Products on which he has worked have been deployed on systems as varied as Enterprise Desktop, Global Embedded Internet, Hard Time Real Analyses and vii 95_hack_prod_00FM.qx 7/13/00 3:41 PM Page viii Single Tasking Data Collection. Mr. Eller has spoken about his work at information security industry conferences such as Black Hat, both in the United States and in Asia. He is also a frequent panel member for the “Meet the Enemy” discussion groups. Contributed to Chapter 8 Georgi Guninski is a security consultant in Bulgaria. He is a frequent contributor to security mailing lists such as Bugtraq, where he is well-known for his discovery of numerous client-side holes, frequently in Internet Explorer. In 1997, he created the first buffer overflow exploits for AIX. Some of his most visible work has included numerous exploits that could affect subscribers of Microsoft’s Hotmail service. He is frequently quoted in news articles. Georgi holds an MA in international economic relations from the University of National and World Economy in Bulgaria. His web page can be found at www.nat.bg/~joro. Contributed to Chapter 13 Oliver Friedrichs has over ten years of experience in the information security industry, ranging from development to management. Oliver is a co-founder of the information security firm SecurityFocus.com. Previous to founding SecurityFocus.com, Oliver was a co-founder and Vice President of Engineering at Secure Networks, Inc., which was acquired by Network Associates in 1998. Post acquisition, Oliver managed the development of Network Associates’s award-winning CyberCop Scanner network auditing product, and managed Network Associates’ vulnerability research team. Oliver has delivered training on computer security issues for organizations such as the IRS, FBI, Secret Service, NASA, TRW, Canadian Department of Defense, RCMP and CSE. Chapter 9 Greg Hoglund is a software engineer and researcher. He has written several successful security products for Windows NT. Greg also operates the Windows NT Rootkit project, located at www.rootkit.com. He has written several white papers on content-based attacks, kernel patching, and forensics. Currently he works as a founder of Click To Secure, Inc., building new security and qualityassurance tools. His web site can be found at www.clicktosecure.com. He would like to thank all the Goons of DefCon, Riley (caezar) Eller, Jeff Moss, Dominique Brezinski, Mike Schiffman, Ryan Russell, and Penny Leavy. Chapter 8 viii 95_hack_prod_00FM.qx 7/13/00 3:41 PM Page ix Dan Kaminsky, also known as “Effugas”, primarily spends his time designing security infrastructure and cryptographic solutions for Cisco Systems’ Advanced Network Services division. He is also the founder of the multidisciplinary DoxPara Research (www.doxpara.com), and has spent several years studying both the technological and psychological impacts of networked systems as deployed in imperfect but real user environments. His primary field of research at the present is known as Gateway Cryptography, which seeks ideal methodologies to securely traverse non-ideal networks. Chapter 11 Elias Levy is the moderator of Bugtraq, one of the most read security mailing lists on the Internet, and a co-founder of Security Focus. Throughout his career, Elias has served as computer security consultant and security engineer for some of the largest corporations in the United States, and outside of the computer security industry, he has worked as a UNIX software developer, a network engineer, and system administrator. Chapter 15 Mudge is the former CEO and Chief Scientist of renowned ‘hacker think-tank’ the L0pht, and is considered the nation’s leading ‘grey-hat hacker.’ He and the original members of the L0pht are now heading up @stake’s research labs, ensuring that the company is at the cutting edge of Internet security. Mudge is a widely sought-after keynote speaker in various forums, including analysis of electronic threats to national security. He has been called to testify before the Senate Committee on Governmental Affairs and to be a witness to the House and Senate joint Judiciary Oversight committee. Mudge has briefed a wide range of members of Congress and has conducted training courses for the Department of Justice, NASA, the US Air Force, and other government agencies. In February, following the wave of denial of service attacks on consumer web sites, Mudge participated in President Clinton’s security summit at the White House. He joined a small group of high tech executives, privacy experts, and government officials to discuss Internet security. A recognized name in crytpanalysis, Mudge has co-authored papers with Bruce Schneier that were published in the 5th ACM Conference on Computer and Communications Security, and the Secure Networking – CQRE International Exhibition and Congress. He is the original author of L0phtCrack, the award winning NT password auditing tool. In addition, Mudge co-authored AntiSniff, the world’s first commercial remote promiscuous mode detection program. He has written over a dozen advisories and various tools, many of which resulted in numerous CERT advisories, vendor updates, and patches. Foreword ix 95_hack_prod_00FM.qx 7/13/00 3:41 PM Page x Rain Forest Puppy (RFP) is a Midwest-based security consultant and researcher. His background is in programming (about eight years of various languages); he started playing around with networks only in the last few years. Contrary to popular belief, he is not just an NT admin—he worked with Novell and Linux before he ever touched an NT box. In the last year and a half he has focused on vulnerability research and network assessments/penetration testing. Recent notable security issues he has published include insufficient input checking on SQL servers, ways to fool perl scripts, bugs and holes in intrusion detection systems, and uncovering interesting messages hidden in Microsoft program code. RFP has this to say about his handle: “I was in an elevator, and scratched into the wooden walls was the phrase ‘Save the whales, rain forest, puppies, baby seals, ...’. At first I thought ‘puppies?’, and I didn’t notice the comma, so it seemed like ‘rain forest puppies.’ I made a joke to my companion about ‘rain forest puppies’ being ‘neato.’ About two days later, I just started using ‘rain forest puppy’ as a handle.” Chapters 7 and 14 Jeremy Rauch has been involved for a number of years in a wide variety of roles in computer security. Jeremy was involved in the development of several groundbreaking and industry-leading products, including Internet Security System’s (ISS) Internet Security Scanner, and Network Associates’ CyberCop Scanner and Monitor. Other roles have ranged from development of secure VPN and authentication systems, to penetration testing and auditing, to code analysis and evaluation. Through relationships built with industry-leading companies, he has helped in the identification and repair of numerous vulnerabilities and security flaws. He has also spoken at several conferences on topics in the area of network infrastructure security, and has been published and quoted in numerous print and online publications. Jeremy holds a BS in computer science from Johns Hopkins University. Chapter 12 Technical Editor Stace Cunningham (CMISS, CCNA, MCSE, CLSE, COS/2E, CLSI, COS/2I, CLSA, MCPS, A+) is a security consultant currently located in Biloxi, MS. He has assisted several clients, including a casino, in the development and implementation of network security plans for their organizations. Both network and operating system security has always intrigued Stace, so he strives to constantly stay on top of the changes in this ever-evolving field, now and as well as when he held the positions of Network Security Officer and Computer Systems Security Officer while serving in the US Air Force. x 95_hack_prod_00FM.qx 7/13/00 3:41 PM Page xi While in the Air Force, Stace was also heavily involved for over 14 years in installing, troubleshooting, and protecting long-haul circuits with the appropriate level of cryptography necessary to protect the level of information traversing the circuit as well as protecting the circuits from TEMPEST hazards. This not only included American equipment but also equipment from Britain and Germany while he was assigned to Allied Forces Southern Europe (NATO). Stace was an active contributor to The SANS Institute booklet “Windows NT Security Step by Step.” In addition, he has co-authored over 18 books published by Osborne/McGraw-Hill, Syngress Media, and Microsoft Press. He has also performed as Technical Editor for various other books and is a published author in Internet Security Advisor magazine. His wife Martha and daughter Marissa are very supportive of the time he spends with his computers, routers, and firewalls in the “lab” of their house. Without their love and support he would not be able to accomplish the goals he has set for himself. Greets to frostman, trebor, b8zs_2k and phreaku2. In addition to acting as technical editor for the book, Stace authored Chapters 3 and 6, and contributed writing to Chapters 8 and 9. Technical Consultant Mike Schiffman has been involved throughout his career in most every technical arena computer security has to offer. He has researched and developed many cutting-edge technologies including tools like firewalk and tracerx as well as the low-level packet shaping library libnet. Mike has led audit teams through engagements for Fortune 500 companies in the banking, automotive, and manufacturing industries. Mike has spoken in front of NSA, CIA, DOD, AFWIC, SAIC, and others, and has written for numerous technical journals and books. He is currently employed at Guardent, the leading provider of professional security services, as the director of research and development. xi 95_hack_prod_00FM.qx 7/13/00 3:41 PM Page xii 95_hack_prod_toc 7/13/00 3:43 PM Page xiii Contents Foreword xxiii Introduction xxvii Part I: Theory and Ideals Chapter 1: Politics Introduction Definitions of the Word Hacker Hacker Cracker Script Kiddie Phreak White Hat/Black Hat Grey Hat Hacktivism The Role of the Hacker Criminal Magician Security Professional Consumer Advocate Civil Rights Activist Cyber Warrior Motivation Recognition Admiration Curiosity Power & Gain Revenge Legal/Moral Issues What’s Illegal Reasonably Safe What’s Right? Exceptions? The Hacker Code Why This Book? Public vs. Private Research Who Is Affected when an Exploit Is Released? Summary FAQs 1 2 2 2 3 5 6 6 7 8 9 9 10 11 12 13 14 15 15 16 16 17 17 19 19 21 22 23 23 24 25 26 27 28 xiii 95_hack_prod_toc xiv 7/13/00 3:43 PM Page xiv Contents Chapter 2 Laws of Security Introduction What Are the Laws of Security? Client-side Security Doesn't Work Applying the Law Exceptions Defense You Can't Exchange Encryption Keys without a Shared Piece of Information Applying the Law Exceptions Defense Viruses and Trojans Cannot Be 100 Percent Protected Against Applying the Law Exceptions Defense Firewalls Cannot Protect You 100 Percent from Attack Applying the Law Social Engineering Attacking Exposed Servers Attacking the Firewall Directly Client-side Holes Exceptions Defense Secret Cryptographic Algorithms Are Not Secure Applying the Law Exceptions Defense If a Key Isn't Required, You Don't Have Encryption; You Have Encoding Applying the Law Exceptions Defense Passwords Cannot Be Securely Stored on the Client Unless There Is Another Password to Protect Them Applying the Law Exceptions Defense In Order for a System to Begin to Be Considered Secure, It Must Undergo an Independent Security Audit Applying the Law Exceptions Defense Security Through Obscurity Doesn't Work Applying the Law Exceptions 31 32 32 33 34 37 37 37 38 40 41 41 42 43 44 44 45 46 46 47 48 48 49 49 50 51 51 51 52 53 53 53 55 56 57 57 57 58 58 58 59 60 95_hack_prod_toc 7/13/00 3:43 PM Page xv Contents Defense People Believe That Something Is More Secure Simply Because It's New Applying the Law Exceptions Defense What Can Go Wrong Will Go Wrong Applying the Law Exceptions Defense Summary FAQs Chapter 3: Classes of Attack Introduction What Are the Classes of Attack? Denial-of-Service Information Leakage File Creation, Reading, Modification, Removal Misinformation Special File/Database Access Elevation of Privileges Problems How Do You Test for Vulnerability without Exercising the Exploit? How to Secure Against These Classes of Attack Denial-of-Service Information Leakage File Creation, Reading, Modification, Removal Misinformation Special File/Database Access Elevation of Privileges Summary FAQs Chapter 4: Methodology Introduction Types of Problems Black Box Chips Unknown Remote Host Information Leakage Translucent Box Tools System Monitoring Tools Packet Sniffing Debuggers, Decompilers, and Related Tools Crystal Box 61 61 62 63 63 64 64 64 64 64 65 67 68 68 68 79 82 82 83 85 88 89 90 91 92 94 95 95 97 97 98 101 102 102 102 102 105 105 107 107 108 112 113 117 xv 95_hack_prod_toc xvi 7/13/00 3:43 PM Page xvi Contents Problems Cost/Availability of Tools Obtaining/Creating a Duplicate Environment How to Secure Against These Methodologies Limit Information Given Away Summary Additional Resources FAQs 117 117 118 118 119 119 120 120 Part II: Theory and Ideals Chapter 5: Diffing Introduction What Is Diffing? Files Tools File Comparison Tools Hex Editors File System Monitoring Tools Other Tools Problems Checksums/Hashes Compression/Encryption How to Secure Against Diffing Summary FAQs Chapter 6: Cryptography Introduction An Overview of Cryptography and Some of Its Algorithms (Crypto 101) History Encryption Key Types Algorithms Symmetric Algorithms Asymmetric Algorithms Problems with Cryptography Secret Storage Universal Secret Entropy and Cryptography Brute Force L0phtCrack Crack John the Ripper Other Ways Brute Force Attacks Are Being Used Distributed.net Deep Crack 121 122 122 123 126 126 128 132 136 140 140 141 142 142 143 145 146 146 146 147 149 149 151 153 154 157 159 163 164 166 166 167 167 169 95_hack_prod_toc 7/13/00 3:43 PM Page xvii Contents Real Cryptanalysis Differential Cryptanalysis Side-Channel Attacks Summary Additional Resources FAQs 169 170 172 173 173 174 Chapter 7: Unexpected Input 177 Introduction Why Unexpected Data Is Dangerous Situations Involving Unexpected Data HTTP/HTML Unexpected Data in SQL Queries Disguising the Obvious Finding Vulnerabilities Black-Boxing Use the Source (Luke) Application Authentication Protection: Filtering Bad Data Escaping Characters Is Not Always Enough Perl Cold Fusion/Cold Fusion Markup Language (CFML) ASP PHP Protecting Your SQL Queries Silently Removing vs. Alerting on Bad Data Invalid Input Function Token Substitution Available Safety Features Perl PHP Cold Fusion/Cold Fusion Markup Language ASP MySQL Summary FAQs Chapter 8: Buffer Overflow Introduction What Is a Buffer Overflow? Smashing the Stack Hello Buffer What Happens When I Overflow a Buffer? Methods to Execute Payload Direct Jump (Guessing Offsets) Blind Return Pop Return 178 178 179 179 181 185 186 186 189 190 194 194 194 195 195 196 196 197 198 198 198 199 200 200 200 201 201 202 203 204 204 207 207 210 216 216 216 218 xvii 95_hack_prod_toc xviii 7/13/00 3:43 PM Page xviii Contents Call Register Push Return What Is an Offset? No Operation (NOP) Sled Off-by-One Struct Pointer Dereferencing—Smashing the Heap Corrupting a Function Pointer Trespassing the Heap Designing Payload Coding the Payload Injection Vector Location of Payload The Payload Construction Kit Getting Bearings Finding the DATA Section, Using a Canary Encoding Data XOR Protection Using What You Have—Preloaded Functions Hashing Loader Loading New Libraries and Functions WININET.DLL Confined Set Decoding Nybble-to-Byte Compression Building a Backward Bridge Building a Command Shell “The Shiny Red Button”—Injecting a Device Driver into Kernel Mode Worms Finding New Buffer Overflow Exploits Summary FAQs 219 220 220 221 221 222 222 223 225 225 225 226 226 237 237 238 238 238 243 245 246 247 247 247 247 251 253 253 257 258 Part III: Remote Attacks Chapter 9: Sniffing What Is “Sniffing?” How Is Sniffing Useful to an Attacker? How Does It Work? What to Sniff? Authentication Information Telnet (Port 23) FTP (Port 21) POP (Port 110) IMAP (Port 143) NNTP (Port 119) rexec (Port 512) rlogin (Port 513) X11 (Port 6000+) 259 260 260 260 261 261 261 262 262 262 263 263 264 264 95_hack_prod_toc 7/13/00 3:43 PM Page xix Contents NFS File Handles Windows NT Authentication Other Network Traffic SMTP (Port 25) HTTP (Port 80) Common Implementations Network Associates Sniffer Pro NT Network Monitor TCPDump dsniff Esniff.c Sniffit Advanced Sniffing Techniques Switch Tricks ARP Spoofing ARP Flooding Routing Games Operating System Interfaces Linux BSD libpcap Windows Protection Encryption Secure Shell (SSH) Switching Detection Local Detection Network Detection DNS Lookups Latency Driver Bugs AntiSniff Network Monitor Summary Additional Resources FAQs Chapter 10: Session Hijacking Introduction What Is Session Hijacking? TCP Session Hijacking TCP Session Hijacking with Packet Blocking Route Table Modification ARP Attacks TCP Session Hijacking Tools Juggernaut Hunt 264 265 266 266 266 267 267 268 269 270 271 271 272 272 273 273 273 274 274 277 277 279 279 279 279 281 281 281 282 282 282 282 283 283 283 283 284 285 286 286 287 290 290 292 293 293 296 xix