Hack I.T. - Security Through Penetration Testing

T.J. Klevinsky is part of Ernst & Young¿s Security and Technology Solutions practice, where he coordinates attack and penetration exercises for Fortune 500 corporations worldwide. He is also an instructor for the Ernst & Young¿s Extreme Hacking course. Additionally, T.J. is an instructor with SANS, where he teaches the course Contemporary Hacking Tools and Penetration Testing, a survey of recent security related software tools. Scott Laliberte, CISSP, CISM, MBA, is a leader of Protiviti’s Global Information Security Practice. He has extensive experience in the areas of information systems security, network operations, incident response, and e-commerce, and has served clients in many industries, including healthcare, life sciences, financial services, manufacturing, and other industries. Scott has led many security engagements, including attack and penetration studies, Web application security reviews, systems vulnerability assessments, wireless security reviews, and security systems implementation. In addition, he has led a number of incident response projects, which help organizations identify, stop, and recover from security incidents and attacks. He has spoken on information security topics for a variety of audiences and industries, including MIS Training Institute (MISTI), National Association of Financial Services Auditors (NAFSA), ISACA, IIA, and HCCA. He has been quoted as a security expert in the Financial Times, Securities Industries News, and elsewhere, and has authored numerous information security articles for a variety of publications. Ajay Gupta, CISSP, founder and president of Gsecurity, is an expert on cyber security, secure architecture, and information privacy. Gsecurity provides cyber security and data privacy services to federal, state, and local governments, as well as commercial clients in the educational, financial, and health-care sectors.

Preface.


Introduction.


1. Hacking Today.


2. Defining the Hacker.


Hacker Skill Levels.



First-Tier Hackers.



Second-Tier Hackers.



Third-Tier Hackers.



Information Security Consultants.



Hacker Myths.



Information Security Myths.



3. Penetration for Hire.


Ramifications of Penetration Testing.



Requirements for a Freelance Consultant.



Skill Set.



Knowledge.



Tool Kit.



Hardware.



Record Keeping.



Ethics.



Announced vs. Unannounced Penetration Testing.



Definitions.



Pros and Cons of Both Types of Penetration Testing.



Documented Compromise.



4. Where the Exposures Lie.


Application Holes.



Berkeley Internet Name Domain (BIND) Implementations.



Common Gateway Interface (CGI).



Clear Text Services.



Default Accounts.



Domain Name Service (DNS).



File Permissions.



FTP and telnet.



ICMP.



IMAP and POP.



Modems



Lack of Monitoring and Intrusion Detection.



Network Architecture.



Network File System (NFS).



NT Ports 135n139.



NT Null Connection.



Poor Passwords and User IDs.



Remote Administration Services.



Remote Procedure Call (RPC).



sendmail.



Services Started by Default.



Simple Mail Transport Protocol (SMTP).



Simple Network Management Protocol (SNMP) Community Strings.



Viruses and Hidden Code.



Web Server Sample Files.



Web Server General Vulnerabilities.



Monitoring Vulnerabilities.



5. Internet Penetration.


Network Enumeration/Discovery.



Whois Query.



Zone Transfer.



Ping Sweeps.



Traceroute.



Vulnerability Analysis.



OS Identification.



Port Scanning.



Application Enumeration.



Internet Research.



Exploitation.



Case Study: Dual-Homed Hosts.



6. Dial-In Penetration.


War Dialing.



War Dialing Method.



Dialing



Login.



Login Screens.



Gathering Numbers.



Precautionary Methods.



War Dialing Tools.



ToneLoc.



THC-Scan.



TeleSweep.



PhoneSweep.



Case Study: War Dialing.



7. Internal Penetration Testing.


Scenarios.



Network Discovery.



NT Enumeration.



UNIX.



Searching for Exploits.



Sniffing.



Remotely Installing a Hacker Tool Kit.



Vulnerability Scanning.



Case Study: Snoop the User Desktop.



8. Social Engineering.


The Telephone.



Technical Support.



Disgruntled Customer.



Get Help Logging In.



Additional Methods.



Dumpster Diving.



Desktop Information.



Common Countermeasures.



9. UNIX Methods.


UNIX Services.



inetd Services.



r Services.



Remote Procedure Call Services.



Buffer Overflow Attacks.



File Permissions.



Applications.



Mail Servers.



Web Servers.



X Windows.



DNS Servers.



Misconfigurations.



UNIX Tools.



Datapipe.c.



QueSO.



Cheops.



nfsshell.



XSCAN.



Case Study: UNIX Penetration.



10. The Tool Kit.


Hardware.



Software.



Windows NT Workstation.



Linux.



VMware.



11. Automated Vulnerability Scanners.


Definition.



Testing Use.



Shortfalls.



Network-Based and Host-Based Scanners.



Tools.



Network-Based Scanners.



Network Associates CyberCop Scanner.



ISS Internet Scanner.



Nessus.



Symantec (Formerly Axent Technologies) NetRecon.



Bindview HackerShield (bv-control for Internet Security).



Host-Based Scanners.



Symantec (Formerly Axent Technologies) Enterprise Security Manager (ESM).



Pentasafe VigilEnt.



Conclusion.



12. Discovery Tools.


WS_Ping ProPack.



NetScanTools.



Sam Spade.



Rhino9 Pinger.



VisualRoute.



Nmap.



Whatis running.



13. Port Scanners.


Nmap.



7th Sphere Port Scanner.



Strobe.



SuperScan.



14. Sniffers.


Dsniff.



Linsniff.



Tcpdump.



BUTTSniffer.



SessionWall-3 (Now eTrust Intrusion Detection).



AntiSniff.



15. Password Crackers.


L0phtCrack.



pwdump2.



John the Ripper.



Cain.



ShowPass.



16. Windows NT Tools.


NET USE.



Null Connection.



NET VIEW.



NLTEST.



NBTSTAT.



epdump.



NETDOM.



Getmac.



Local Administrators.



Global (iDomain Adminsi).



Usrstat.



DumpSec.



user2Sid/sid2User.



NetBIOS Auditing Tool (NAT).



SMBGrind.



SRVCHECK.



SRVINFO.



AuditPol.



REGDMP.



Somarsoft DumpReg.



Remote.



Netcat.



SC.



AT.



FPipe.



Case Study: Weak Passwords.



Case Study: Internal Penetration to Windows.



17. Web-Testing Tools.


Whisker



SiteScan.



THC Happy Browser.



wwwhack.



Web Cracker.



Brutus.



Case Study: Compaq Management Agents Vulnerability.



18. Remote Control.


pcAnywhere.



Virtual Network Computing.



NetBus.



Back Orifice 2000.



19. Intrusion Detection Systems.


Definition.



IDS Evasion.



Stealth Port Scanning.



Aggressive Techniques.



Pitfalls.



Traits of Effective IDSs.



IDS Selection.



RealSecure



NetProwler.



Secure Intrusion Detection.



eTrust Intrusion Detection.



Network Flight Recorder.



Dragon.



Snort.



20. Firewalls.


Definition.



Monitoring.



Configuration.



Change Control.



Firewall Types.



Packet-Filtering Firewalls.



Stateful-Inspection Firewalls.



Proxy-Based Firewalls.



Network Address Translation.



Evasive Techniques.



Firewalls and Virtual Private Networks.



Case Study: Internet Information Server ExploitoMDAC.



21. Denial-of-Service Attacks.


Resource Exhaustion Attacks.



Papasmurf.



Trash2.



Igmpofdeath.c.



Fawx.



OBSD_fun.



Port Flooding.



Mutilate.



Pepsi5.



SYN Flooding.



Synful.



Synk4.



Naptha.



IP Fragmentation Attacks.



Jolt2.



Teardrop.



Syndrop.



Newtear.



Distributed Denial-of-Service Attacks.



Tribe Flood Network 2000.



Trin00.



Stacheldraht.



Usage.



Application-Based DoS Attacks.



Up Yours.



Wingatecrash.



WinNuke.



BitchSlap.



DOSNuke.



Shutup.



Web Server DoS Attacks.



Concatenated DoS Tools.



CyberCop.



ISS Internet Scanner.



Toast.



Spike.sh5.3.



Summary.



22. Wrapping It Up.


Countermeasures.



Keeping Current.



Web Sites.



Mailing Lists.



23. Future Trends.


Authentication.



Two- and Three-Factor Authentication.



Biometrics.



Token-Based Authentication.



Directory Services.



Encryption.



Public Key Infrastructure.



Distributed Systems.



Forensics.



Government Regulation.



Hacking Techniques.



Countermeasures.



Cyber-Crime Insurance.



Appendix A.


Appendix B. The Twenty Most Critical Internet Security Vulnerabilities—The Experts' Consensus.


Index. 0201719568T01172002