Table of Contents

Foreword xiii
Credits xvii
Preface xxi
Part I. Legal and Ethics

1. Legal and Ethics Issues 3
1.1 Core Issues 4
1.2 Computer Trespass Laws: No "Hacking" Allowed 7
1.3 Reverse Engineering 13
1.4 Vulnerability Reporting 22
1.5 What to Do from Now On 26
Part II. Reconnaissance

2. Network Scanning 31
2.1 How Scanners Work 31
2.2 Superuser Privileges 33
2.3 Three Network Scanners to Consider 34
2.4 Host Discovery 34
2.5 Port Scanning 37
2.6 Specifying Custom Ports 39
2.7 Specifying Targets to Scan 40
2.8 Different Scan Types 42
2.9 Tuning the Scan Speed 45
2.10 Application Fingerprinting 49
2.11 Operating System Detection 49
2.12 Saving Nmap Output 51
2.13 Resuming Nmap Scans 51
2.14 Avoiding Detection 52
2.15 Conclusion 54
3. Vulnerability Scanning 55
3.1 Nessus 55
3.2 Nikto 72
3.3 WebInspect 76
4. LAN Reconnaissance 86
4.1 Mapping the LAN 87
4.2 Using ettercap and arpspoof on a Switched Network 88
4.3 Dealing with Static ARP Tables 92
4.4 Getting Information from the LAN 94
4.5 Manipulating Packet Data 98
5. Wireless Reconnaissance 101
5.1 Get the Right Wardriving Gear 101
5.2 802.11 Network Basics 102
5.3 802.11 Frames 103
5.4 How Wireless Discovery Tools Work 105
5.5 Netstumbler 105
5.6 Kismet at a Glance 107
5.7 Using Kismet 110
5.8 Sorting the Kismet Network List 112
5.9 Using Network Groups with Kismet 112
5.10 Using Kismet to Find Networks by Probe Requests 113
5.11 Kismet GPS Support Using gpsd 113
5.12 Looking Closer at Traffic with Kismet 114
5.13 Capturing Packets and Decrypting Traffic with Kismet 116
5.14 Wireshark at a Glance 117
5.15 Using Wireshark 119
5.16 AirDefense Mobile 122
5.17 AirMagnet Analyzers 126
5.18 Other Wardriving Tools 129
6. Custom Packet Generation 130
6.1 Why Create Custom Packets? 130
6.2 Hping 132
6.3 Scapy 136
6.4 Packet-Crafting Examples with Scapy 163
6.5 Packet Mangling with Netfilter 183
6.6 References 189
Part III. Penetration

7. Metasploit 193
7.1 Metasploit Interfaces 194
7.2 Updating Metasploit 200
7.3 Choosing an Exploit 200
7.4 Choosing a Payload 202
7.5 Setting Options 206
7.6 Running an Exploit 209
7.7 Managing Sessions and Jobs 212
7.8 The Meterpreter 215
7.9 Security Device Evasion 219
7.10 Sample Evasion Output 220
7.11 Evasion Using NOPs and Encoders 221
7.12 In Conclusion 224
8. Wireless Penetration 225
8.1 WEP and WPA Encryption 225
8.2 Aircrack 226
8.3 Installing Aircrack-ng 227
8.4 Running Aircrack-ng 229
8.5 Airpwn 231
8.6 Basic Airpwn Usage 231
8.7 Airpwn Configuration Files 235
8.8 Using Airpwn on WEP-Encrypted Networks 236
8.9 Scripting with Airpwn 237
8.10 Karma 238
8.11 Conclusion 241
9. Exploitation Framework Applications 242
9.1 Task Overview 242
9.2 Core Impact Overview 244
9.3 Network Reconnaissance with Core Impact 246
9.4 Core Impact Exploit Search Engine 247
9.5 Running an Exploit 249
9.6 Running Macros 250
9.7 Bouncing Off an Installed Agent 253
9.8 Enabling an Agent to Survive a Reboot 253
9.9 Mass Scale Exploitation 254
9.10 Writing Modules for Core Impact 255
9.11 The Canvas Exploit Framework 258
9.12 Porting Exploits Within Canvas 260
9.13 Using Canvas from the Command Line 261
9.14 Digging Deeper with Canvas 262
9.15 Advanced Exploitation with MOSDEF 262
9.16 Writing Exploits for Canvas 264
9.17 Exploiting Alternative Tools 267
10. Custom Exploitation 268
10.1 Understanding Vulnerabilities 269
10.2 Analyzing Shellcode 275
10.3 Testing Shellcode 279
10.4 Creating Shellcode 285
10.5 Disguising Shellcode 302
10.6 Execution Flow Hijacking 306
10.7 References 320
Part IV. Control

11. Backdoors 323
11.1 Choosing a Backdoor 324
11.2 VNC 325
11.3 Creating and Packaging a VNC Backdoor 327
11.4 Connecting to and Removing the VNC Backdoor 332
11.5 Back Orifice 2000 334
11.6 Configuring a BO2k Server 335
11.7 Configuring a BO2k Client 340
11.8 Adding New Servers to the BO2k Workspace 342
11.9 Using the BO2k Backdoor 343
11.10 BO2k Powertools 345
11.11 Encryption for BO2k Communications 355
11.12 Concealing the BO2k Protocol 356
11.13 Removing BO2k 358
11.14 A Few Unix Backdoors 359
12. Rootkits 363
12.1 Windows Rootkit: Hacker Defender 363
12.2 Linux Rootkit: Adore-ng 366
12.3 Detecting Rootkits Techniques 368
12.4 Windows Rootkit Detectors 371
12.5 Linux Rootkit Detectors 376
12.6 Cleaning an Infected System 380
12.7 The Future of Rootkits 381
Part V. Defense

13. Proactive Defense: Firewalls 385
13.1 Firewall Basics 385
13.2 Network Address Translation 389
13.3 Securing BSD Systems with ipfw/natd 391
13.4 Securing GNU/Linux Systems with netfilter/iptables 401
13.5 Securing Windows Systems with Windows Firewall/Internet Connection Sharing 412
13.6 Verifying Your Coverage 417

14. Host Hardening 421
14.1 Controlling Services 422
14.2 Turning Off What You Do Not Need 423
14.3 Limiting Access 424
14.4 Limiting Damage 430
14.5 Bastille Linux 436
14.6 SELinux 438
14.7 Password Cracking 444
14.8 Chrooting 448
14.9 Sandboxing with OS Virtualization 449
15. Securing Communications 455
15.1 The SSH-2 Protocol 456
15.2 SSH Configuration 459
15.3 SSH Authentication 465
15.4 SSH Shortcomings 471
15.5 SSH Troubleshooting 476
15.6 Remote File Access with SSH 480
15.7 SSH Advanced Use 483
15.8 Using SSH Under Windows 489
15.9 File and Email Signing and Encryption 494
15.10 GPG 495
15.11 Create Your GPG Keys 499
15.12 Encryption and Signature with GPG 507
15.13 PGP Versus GPG Compatibility 509
15.14 Encryption and Signature with S/MIME 510
15.15 Stunnel 513
15.16 Disk Encryption 520
15.17 Windows Filesystem Encryption with PGP Disk 521
15.18 Linux Filesystem Encryption with LUKS 522
15.19 Conclusion 524

16. Email Security and Anti-Spam 525
16.1 Norton Antivirus 527
16.2 The ClamAV Project 531
16.3 ClamWin 531
16.4 Freshclam 533
16.5 Clamscan 536
16.6 clamd and clamdscan 538
16.7 ClamAV Virus Signatures 544
16.8 Procmail 548
16.9 Basic Procmail Rules 550
16.10 Advanced Procmail Rules 552
16.11 ClamAV with Procmail 554
16.12 Unsolicited Email 554
16.13 Spam Filtering with Bayesian Filters 556
16.14 SpamAssassin 560
16.15 SpamAssassin Rules 562
16.16 Plug-ins for SpamAssassin 567
16.17 SpamAssassin with Procmail 569
16.18 Anti-Phishing Tools 571
16.19 Conclusion 574

17. Device Security Testing 576
17.1 Replay Traffic with Tcpreplay 577
17.2 Traffic IQ Pro 586
17.3 ISIC Suite 593
17.4 Protos 601
Part VI. Monitoring

18. Network Capture 607
18.1 tcpdump 607
18.2 Ethereal/Wireshark 614
18.3 pcap Utilities: tcpflow and Netdude 631
18.4 Python/Scapy Script Fixes Checksums 638
18.5 Conclusion 639

19. Network Monitoring 640
19.1 Snort 640
19.2 Implementing Snort 651
19.3 Honeypot Monitoring 653
19.4 Gluing the Stuff Together 662

20. Host Monitoring 664
20.1 Using File Integrity Checkers 664
20.2 File Integrity Hashing 666
20.3 The Do-It-Yourself Way with rpmverify 668
20.4 Comparing File Integrity Checkers 670
20.5 Prepping the Environment for Samhain and Tripwire 673
20.6 Database Initialization with Samhain and Tripwire 678
20.7 Securing the Baseline Storage with Samhain and Tripwire 680
20.8 Running Filesystem Checks with Samhain and Tripwire 682
20.9 Managing File Changes and Updating Storage Database with Samhain and Tripwire 684
20.10 Recognizing Malicious Activity with Samhain and Tripwire 687
20.11 Log Monitoring with Logwatch 689
20.12 Improving Logwatch's Filters 690
20.13 Host Monitoring in Large Environments with Prelude-IDS 692
20.14 Conclusion 694
Part VII. Discovery

21. Forensics 699
21.1 Netstat 700
21.2 The Forensic ToolKit 704
21.3 Sysinternals 710

22. Application Fuzzing 725
22.1 Which Fuzzer to Use 726
22.2 Different Types of Fuzzers for Different Tasks 727
22.3 Writing a Fuzzer with Spike 734
22.4 The Spike API 735
22.5 File-Fuzzing Apps 739
22.6 Fuzzing Web Applications 742
22.7 Configuring WebProxy 744
22.8 Automatic Fuzzing with WebInspect 746
22.9 Next-Generation Fuzzing 747
22.10 Fuzzing or Not Fuzzing 748

23. Binary Reverse Engineering 749
23.1 Interactive Disassembler 749
23.2 Sysinternals 775
23.3 OllyDbg 776
23.4 Other Tools 781