
The hacker’s handbook: the strategy behind breaking into and defending networks

Pages: 849
Size: 18.1 MB
Format: PDF
Views: 1381

The Hacker’s Handbook: The Strategy behind Breaking into and Defending Networks

© 2004 by CRC Press LLC

OTHER AUERBACH PUBLICATIONS

The ABCs of IP Addressing (Gilbert Held), ISBN: 0-8493-1144-6
The ABCs of LDAP (Reinhard Voglmaier), ISBN: 0-8493-1346-5
The ABCs of TCP/IP (Gilbert Held), ISBN: 0-8493-1463-1
Building an Information Security Awareness Program (Mark B. Desman), ISBN: 0-8493-0116-5
Building a Wireless Office (Gilbert Held), ISBN: 0-8493-1271-X
The Complete Book of Middleware (Judith Myerson), ISBN: 0-8493-1272-8
Computer Telephony Integration, 2nd Edition (William A. Yarberry, Jr.), ISBN: 0-8493-1438-0
Electronic Bill Presentment and Payment (Kornel Terplan), ISBN: 0-8493-1452-6
Information Security Architecture (Jan Killmeyer Tudor), ISBN: 0-8493-9988-2
Information Security Management Handbook, 4th Edition, Volume 1 (Harold F. Tipton and Micki Krause, Editors), ISBN: 0-8493-9829-0
Information Security Management Handbook, 4th Edition, Volume 2 (Harold F. Tipton and Micki Krause, Editors), ISBN: 0-8493-0800-3
Information Security Management Handbook, 4th Edition, Volume 3 (Harold F. Tipton and Micki Krause, Editors), ISBN: 0-8493-1127-6
Information Security Management Handbook, 4th Edition, Volume 4 (Harold F. Tipton and Micki Krause, Editors), ISBN: 0-8493-1518-2
Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management (Thomas R. Peltier), ISBN: 0-8493-1137-3
Information Security Risk Analysis (Thomas R. Peltier), ISBN: 0-8493-0880-1
Interpreting the CMMI: A Process Improvement Approach (Margaret Kulpa and Kurt Johnson), ISBN: 0-8493-1654-5
IS Management Handbook, 8th Edition (Carol V. Brown and Heikki Topi), ISBN: 0-8493-1595-6
Managing a Network Vulnerability Assessment (Thomas R. Peltier and Justin Peltier), ISBN: 0-8493-1270-1
A Practical Guide to Security Engineering and Information Assurance (Debra Herrmann), ISBN: 0-8493-1163-2
The Privacy Papers: Managing Technology and Consumers, Employee, and Legislative Action (Rebecca Herold), ISBN: 0-8493-1248-5
Securing and Controlling Cisco Routers (Peter T. Davis), ISBN: 0-8493-1290-6
Six Sigma Software Development (Christine B. Tayntor), ISBN: 0-8493-1193-4
Software Engineering Measurement (John Munson), ISBN: 0-8493-1502-6
A Technical Guide to IPSec Virtual Private Networks (James S. Tiller), ISBN: 0-8493-0876-3
Telecommunications Cost Management (Brian DiMarsico, Thomas Phelps IV, and William A. Yarberry, Jr.), ISBN: 0-8493-1101-2

AUERBACH PUBLICATIONS
www.auerbach-publications.com
To Order Call: 1-800-272-7737 • Fax: 1-800-374-3401
E-mail: [email protected]

The Hacker’s Handbook: The Strategy behind Breaking into and Defending Networks

Susan Young and Dave Aitel

AUERBACH PUBLICATIONS
A CRC Press Company
Boca Raton, London, New York, Washington, D.C.

This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publish reliable data and information, but the authors and the publisher cannot assume responsibility for the validity of all materials or for the consequences of their use.

Neither this book nor any part may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, microfilming, and recording, or by any information storage or retrieval system, without prior permission in writing from the publisher.

All rights reserved. Authorization to photocopy items for internal or personal use, or the personal or internal use of specific clients, may be granted by CRC Press LLC, provided that $1.50 per page photocopied is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923 USA. The fee code for users of the Transactional Reporting Service is ISBN 0-8493-0888-7/04/$0.00+$1.50. The fee is subject to change without notice. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

The consent of CRC Press LLC does not extend to copying for general distribution, for promotion, for creating new works, or for resale. Specific permission must be obtained in writing from CRC Press LLC for such copying.

Direct all inquiries to CRC Press LLC, 2000 N.W. Corporate Blvd., Boca Raton, Florida 33431.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation, without intent to infringe.

Visit the Auerbach Publications Web site at www.auerbach-publications.com

© 2004 by CRC Press LLC
Auerbach is an imprint of CRC Press LLC
No claim to original U.S. Government works
International Standard Book Number 0-8493-0888-7
Library of Congress Card Number 2003055391
Printed in the United States of America 1 2 3 4 5 6 7 8 9 0
Printed on acid-free paper

Library of Congress Cataloging-in-Publication Data

Young, Susan (Susan Elizabeth), 1968–
The hacker’s handbook : the strategy behind breaking into and defending Networks / Susan Young, Dave Aitel.
p. cm.
Includes bibliographical references and index.
ISBN 0-8493-0888-7 (alk. paper)
1. Computer networks—Security measures. 2. Computer networks—Access control. 3. Computer hackers. I. Aitel, Dave. II. Title.
TK5105.59.Y68 2003
005.8—dc22 2003055391
CIP

AU0888_C00.fm Page iv Wednesday, October 1, 2003 5:41 AM


Acknowledgments

Every book, as they say, has a story. This book’s history has been a long and varied one. Along the way, numerous individuals have contributed their time, focus, energy, technical acumen, or moral support to seeing The Hacker’s Handbook through to its conclusion.

The authors would like to thank the following individuals for their contributions and support:

• Rich O’Hanley and the production staff at Auerbach Press for their tireless support of this book, in spite of its long (and somewhat nefarious) history.

• Our contributing authors — Felix Lindner, Jim Barrett, Scott Brown, and John Zuena — for taking the time and care to write several excellent chapters on the hacking community, malware, directory services, and network hardware that contain some truly unique and interesting material.

• Our technical reviewers, including Jim Tiller, Anton Chuvakin, Sean Cemm, Ben Rothke, and Ted Shagory, for their insights and for dedicating their time and energy to helping to shape a better book. We are confident that this review process will continue as this text goes to publication, and want — in advance — to thank our readers and reviewers for their attention to the ongoing quality of this book.

In addition, Dave Aitel would like to thank Justine Bone for her support and encouragement and Susan Young would like to thank the following individuals: the Darklord (Thomas McGinn) for keeping his personal commitment to support the effort that went into this book in spite of many months of spent deadlines, missed weekends, and fatigue (thanks, T2B); Trevor Young, for lending his genuine talent, enthusiasm, time, and care to crafting the illustrations throughout this book; Gemma Young, and her parents, Sylvia and Neil, for their interest, support, and advice through two years of long distance phone calls; and International Network Services (and particularly Steven Marandola, Bob Breingan, and Shaun Meaney) for making available time and support for the completion of this book.


Authors

Dave Aitel is the founder of Immunity, Inc. (www.immunitysec.com), with prior experience at both private industry security consulting companies and the National Security Agency. His tools, SPIKE and SPIKE Proxy, are widely regarded as the best black box application assessment tools available.

Susan Young has worked in the security field for the past seven years, four of which have been spent in the security consulting arena, helping clients design and implement secure networks, training on security technologies, and conducting security assessments and penetration tests of client system or network defenses (so-called ethical hacking). Her experience has included consulting work in the defense sector and the financial industry, as well as time spent evaluating and deconstructing various security products. She currently works as a senior security consultant in the Boston area security practice of International Network Services (INS).


Contributors

Jim Barrett (CISA, CISSP, MCSE, CCNP) is a principal consultant for the Boston office of International Network Services (INS). He currently serves as the national Microsoft practice leader for INS and has been working with Microsoft technologies for longer than he can remember. Prior to INS, Jim spent several years as a member of the information systems audit and security practice of Ernst & Young LLP, where he co-authored the firm’s audit methodology for Novell NetWare 4.1 and was an instructor at the Ernst & Young National Education Center. His areas of expertise include network operating systems and information systems security.

Scott Brown (CISSP, GCIA, GCIH) is a senior security consultant for International Network Services, with more than 13 years’ experience in the information technologies field. He is a Certified Information Systems Security Professional (CISSP), and holds both SANS GCIA and GCIH certifications. Scott is also a private pilot with a rating in single engine aircraft.

John Zuena (CISSP, CCNA, CCDA, NNCSE) is a senior consultant for International Network Services, with more than 14 years’ experience in the information technologies field. He is a Certified Information Systems Security Professional (CISSP) and holds both Cisco and Nortel internetworking certifications. He is also a private pilot with ratings in both single engine airplanes and helicopters.


Illustrator

Trevor Young has been drawing, painting, creating, and generally exercising his artistic imagination for a very long time.

Young attended Camberwell College of Art in London, studying graphic design and illustration, and has gone on to a successful career in the film special effects industry in London, first working for the Film Factory and currently as a digital compositor for Hypnosis VFX Ltd. You will find him in the IMDb at http://us.imdb.com/Name?Young,+Trevor. He has continued to work in illustration from time to time and generously contributed his time to create a set of illustrations for this book that have become truly integral to the book and the subject matter.


List of Abbreviations

ACK Acknowledge
ARIN American Registry for Internet Numbers
ASCII ASCII Character Set (ASCII)
ASN Autonomous System Number
ASP Active Server Pages or Application Service Provider
BSDI Berkeley Software Design (BSD) Operating System Internet Server Edition
CANVAS Immunity Security’s CANVAS Vulnerability Scanner
CAST Computer Aided Software Testing
CDE Common Desktop Environment
CHAM Common Hacking Attack Methods
CIFS Common Internet File Sharing
CPAN Comprehensive Perl Archive Network
CRC Cyclic Redundancy Check
CVE Common Vulnerabilities and Exposures (List)
CVS Concurrent Versions System Source Code Control System
DDoS Distributed Denial-of-Service
DID Direct Inward Dialing
DIT Directory Information Tree
DNS Domain Name System
DNSSEC Domain Name System Security
DoS Denial-of-Service
DSA Digital Signature Algorithm
EFS Encrypting File System (Microsoft)
EIGRP Enhanced Interior Gateway Routing Protocol
EIP Extended Instruction Pointer
ESMTP Extended Simple Mail Transfer (Protocol)
EVT Event (Microsoft)
FIFO First In First Out is an approach to handling queue or stack requests where the oldest requests are prioritized
FX Handle for Felix Lindner
GCC GNU C Compiler
GCIA GIAC Certified Intrusion Analyst
GCIH GIAC Certified Incident Handler


GDB GNU Project Debugger
GID Group ID (Access Control Lists)
GINA Graphical Identification and Authentication (Dynamic Link Library, Microsoft)
GNOME GNU Free Desktop Environment
GNU GNU Software Foundation
HIDS Host Intrusion Detection System
HKEY Microsoft Registry Key Designation (Hive Key)
HMAC Keyed Hashing Message Authentication
HQ Headquarters
HTTPS Secure Hypertext Transmission Protocol
HUMINT Human Intelligence
ICQ ICQ Protocol
IDS Intrusion Detection System
IKE Internet Key Exchange (Protocol)
IMDb Internet Movie Database
IPO Initial Public Offering
IPSec IP Security (Protocol)
IRIX Silicon Graphics IRIX Operating System (IRIX)
ISAKMP Internet Security Association and Key Management Protocol
ISS Internet Security Systems
IUSR Internet User (i.e., IUSR_name) is an anonymous user designation used by Microsoft’s Internet Information Server (IIS)
KB Kilobytes or Knowledgebase
KDE K Desktop Environment
KSL Keystroke Logger
LKM Loadable Kernel Modules
LM Lan Manager (Microsoft Authentication Service)
L2TP Layer 2 Tunneling Protocol
MIB Management Information Base
MSDE Microsoft Data Engine
MSDN Microsoft Developer Network
MSRPC Microsoft Remote Procedure Call
MUA Mail User Agent
MVS Multiple Virtual Storage (MVS) Operating System
MX Mail Exchange (Record, DNS)
NASL Nessus Attack Scripting Language (Nessus Security Scanner)
NIDS Network Intrusion Detection System
NMAP Network Mapper (Nmap)
NMS Network Management Station
NTFS NT File System
NTFS5 NT File System 5
NTLM NT LanMan (Authentication)
OU Organizational Unit
PCX .pcx files created with MS Paintbrush tool


PHP Hypertext Preprocessor
PID Process Identifier
PUT PUT (FTP)
RCS Revision Control System
RDS Remote Data Service
RIP Routing Information Protocol
RSA RSA Security, Inc.
SAM Security Accounts Manager (Microsoft)
SANS Sysadmin, Audit, Network, Security (SANS Institute)
SASL Simple Authentication and Security Layer
SATAN Security Administrator Tool for Analyzing Networks
SID Security Identifier (Microsoft)
SIGINT Signal Intelligence
SMB Server Message Block (Protocol)
SOCKS Sockets Protocol (Firewall)
SRV Service Record (DNS)
SUID Set User ID (bit) utilized in UNIX Operating Systems to impose File System Access Control Lists
SYN Synchronize (TCP SYN)
SYN-ACK Synchronize-Acknowledge (TCP SYN ACK)
USB Universal Serial Bus
VB Visual Basic
VM Virtual Machine
VMS VMS (Operating System)
VNC AT&T Virtual Network Computing (Software)
XDMCPD X Display Manager Control Protocol
XOR Exclusive OR


Contents

1 Introduction: The Chess Game
  Book Structure
  Chapter 2. Case Study in Subversion
  Chapter 3. Know Your Opponent
  Chapter 4. Anatomy of an Attack
  Chapter 5. Your Defensive Arsenal
  Chapter 6. Programming
  Chapter 7. IP and Layer 2 Protocols
  Chapter 8. The Protocols
  Chapter 9. Domain Name System (DNS)
  Chapter 10. Directory Services
  Chapter 11. Simple Mail Transfer Protocol (SMTP)
  Chapter 12. Hypertext Transfer Protocol (HTTP)
  Chapter 13. Database Hacking
  Chapter 14. Malware and Viruses
  Chapter 15. Network Hardware
  Chapter 16. Consolidating Gains
  Chapter 17. After the Fall
  Chapter 18. Conclusion

PART I FOUNDATION MATERIAL

2 Case Study in Subversion
  Dalmedica
  The Dilemma
  The Investigation
  Notes

3 Know Your Opponent
  Terminology
  Script Kiddy
  Cracker
  White Hat Hacker
  Black Hat Hacker
  Hacktivism
  Professional Attackers


  History
  Computer Industry and Campus
  System Administration
  Home Computers
  Home Computers: Commercial Software
  Home Computers: The BBS
  Phone Systems
  Ethics and Full Disclosure
  Opponents Inside
  The Hostile Insider
  Corporate Politics
  Conclusion
  Notes

4 Anatomy of an Attack
  Overview
  Reconnaissance
  Social Engineering and Site Reconnaissance
  Internet Reconnaissance
  Internet Search Engines and Usenet Tools
  Financial Search Tools, Directories, Yellow Pages, and Other Sources
  IP and Network Reconnaissance
  Registrar and whois Searches
  Network Registrar Searches (ARIN)
  DNS Reconnaissance
  Mapping Targets
  War Dialing
  Network Mapping (ICMP)
  ICMP Queries
  TCP Pings: An Alternative to ICMP
  Traceroute
  Additional Network Mapping Tools
  Port Scanning
  TCP and UDP Scanning
  Banner Grabbing
  Packet Fragmentation Options
  Decoy Scanning Capabilities
  Ident Scanning
  FTP Bounce Scanning
  Source Port Scanning
  Stack Fingerprinting Techniques
  Vulnerability Scanning (Network-Based OS and Application Interrogation)
  Researching and Probing Vulnerabilities
  System/Network Penetration


  Account (Password) Cracking
  Application Attacks
  Cache Exploits
  File System Hacking
  Hostile and Self-Replicating Code
  Programming Tactics
  Process Manipulation
  Shell Hacking
  Session Hijacking
  Spoofing
  State-Based Attacks
  Traffic Capture (Sniffing)
  Trust Relationship Exploitation
  Denial-of-Service
  Consolidation
  Security
  Notes
  References
  Texts
  Web References

5 Your Defensive Arsenal
  The Defensive Arsenal
  Access Controls
  Network Access Controls (Firewalls)
  State Management Attacks on Firewalls
  Firewall Ruleset and Packet Filter Reconnaissance
  IP Spoofing to Circumvent Network Access Controls
  Denial-of-Service
  Packet Fragmentation Attacks
  Application Level Attacks
  System Access Controls
  Host-Based Firewalls
  Operating System Access Controls and Privilege Management
  Authentication
  IP Authentication
  Password Authentication
  Account/Password Cracking
  Eavesdropping Attacks
  Password Guessing Attacks
  Token-Based Authentication
  Session Authentication
  Session Authentication Scheme Cracking
  Generation of Counterfeit Session Auth Credentials
  Session ID Brute-Forcing
