
Hacker High School

Source: http://www.hackerhighschool.org. Compiled into a single PDF bundle by double_helix, http://forum.flashband.net

My note: This is a series of basic lessons about networking concepts, networking tools, security and countermeasures. It is suitable for your kids/teens, and for novices who want to be ethical hackers. This can be called your foundation step. On the web, elementary series like this book are very rare. Your Google search results give you really outdated information on how to become a hacker. However, as time passes, many good ethical hackers (www.hackingspirits.com, johny.ihackstuff.com) are now revealing hacking so that it is demystified for you. I hope you yourself become like these ones!

LESSON 1 BEING A HACKER


License for Use Information


The following lessons and workbooks are open and publicly available under the following terms and conditions of ISECOM: All works in the Hacker Highschool project are provided for non-commercial use with elementary school students, junior high school students, and high school students, whether in a public institution, private institution, or as part of home-schooling. These materials may not be reproduced for sale in any form. The provision of any class, course, training, or camp with these materials for which a fee is charged is expressly forbidden without a license, including college classes, university classes, trade-school classes, summer or computer camps, and similar. To purchase a license, visit the LICENSE section of the Hacker Highschool web page at www.hackerhighschool.org/license. The HHS Project is a learning tool and, as with any learning tool, the instruction is the influence of the instructor and not the tool. ISECOM cannot accept responsibility for how any information herein is applied or abused. The HHS Project is an open community effort and if you find value in this project, we do ask you to support us through the purchase of a license, a donation, or sponsorship. All works copyright ISECOM, 2004.


Table of Contents
"License for Use" Information
Contributors
1.0 Introduction
1.1 Resources
1.1.1 Books
1.1.2 Magazines and Newspapers
1.1.3 Zines and Blogs
1.1.4 Forums and Mailing Lists
1.1.5 Newsgroups
1.1.6 Websites
1.1.7 Chat
1.1.8 P2P
1.2 Further Lessons


Contributors
Pete Herzog, ISECOM
Chuck Truett, ISECOM
Marta Barceló, ISECOM
Kim Truett, ISECOM


1.0 Introduction

Welcome to the Hacker Highschool program! This program is designed to encourage you to be well-rounded and resourceful. The core instruction theme is to harness the hacker curiosity in you and to guide you progressively through your hacker education to help you grow into a responsible role, capable of determining security and privacy problems and making proper security decisions for yourself. While there is a thrill to hacking partly because of the illegal nature of computer trespass, we want to show you that it is just as big a thrill to alert others about lapses in security and make them public without worrying about going to jail over it. As a citizen of most countries, it is not only your right, but your responsibility, to report security and privacy leaks to the proper authorities. You do this not because you can, but because many other people can't. You are helping those who can't help themselves. This is what watchdog groups do. This is what you will learn to do.


1.1 Resources

This lesson is about how to learn, a critical skill for a hacker. Hacking, in reality, is a creative process that is based more on lifestyle than on lessons. We can't teach you everything that you need to know, but we can help you recognize what you need to learn. This is also true because of the constant advances in the computer sciences: what we teach today may not be relevant tomorrow. It is much better for you to embrace hacker learning habits, which are probably the most vital part of hacking and will separate you from the script kiddie (a person who runs hacking tools without knowing how or why they work).

Words and concepts you don't understand in this workbook may require research on the web or in a library. If you don't understand a word or a topic, it is essential that you look it up. Ignoring it will only make it difficult for you to understand concepts in other workbooks. The other workbooks may ask you to investigate a topic on the web and then expect you to use the information that you find to complete the exercises in that workbook, but those workbooks won't explain to you how to do this research. This workbook is the only one with a thorough explanation of how to research built into it, so be sure to spend as much time as you need to learn how to research using the various resources available to you.

Don't just limit yourself to computers, hacking, and the internet. Great hackers are well-rounded and creative. Many of them are painters, writers, and designers. Hacking skills can also be applied to other fields, such as political science (see The Prince by Machiavelli for an example). Besides being interested in other fields, you should be interested in how businesses operate. Reading books on everything from psychology to science fiction will make you a much more versatile and functional hacker. Remember, hacking is about figuring out how things work regardless of how they were designed to work. This is how you expose insecurities, vulnerabilities, and leaks.

1.1.1 Books

Books are a great way to learn the foundation and factual science of all that you are willing to explore. Want to know something about the fundamentals of a science, like the hardware details of your PC? Nothing will help you more than reading a current book on the subject. The main problem with books about computers is that they quickly become old. The secret is to learn to see the fundamental structure underneath the thin skin of details. MS-DOS and Windows are clearly different, but both are based on principles of Boolean logic that have driven computers since Ada, Countess of Lovelace, wrote the first computer programs in the nineteenth century. Security and privacy concerns may have changed in the last 2,500 years, but The Art of War by Sun Tzu covers fundamental principles that still apply today.

Even though information found in books may not be as "up to date" as information that comes from other sources, you will find that the information in books is more likely to be factually accurate than that which comes from other sources. A writer spending a year writing a book is more likely to check facts than someone who is updating a blog six times a day. (See Section 1.1.3 Zines and Blogs for more information.) But remember: accurate does not mean unbiased.

It's not necessary to start a library of your own, but you may want to write notes in margins or otherwise mark what you read, and this is something you can only do in your own books.

Finally, don't look at a book and give up before you even start just because of its size and complexity. Most of the massive tomes that you see sitting around are not read from cover to cover. Think of them as prehistoric web pages. Open one up to a random page and begin to read. If you don't understand something, go backward and look for the explanation (or skip forward to something that does make sense). Jump through the book, backwards and forwards, just as you would bounce from link to link in a web page. This type of non-linear reading is often much more interesting and satisfying for hackers, as it's about satisfying curiosity more than it is about "reading".

1.1.2 Magazines and Newspapers

The use of magazines and newspapers is highly encouraged for providing concise, timely information. However, magazines are usually short on details and often focus too much on the zeitgeist of the community. This is something that a hacker needs to know (social engineering and password cracking, in particular, are more effective if you have a solid grounding in pop culture), but you also need to know that "pop journalism" isn't always "accurate journalism". Another issue you should consider is the topic or theme of the magazine. A Linux magazine will attempt to down-play Microsoft Windows, because it is a conflicting theme and that is what its main readers want to read. The best way to combat these two flaws is by being well and widely read. If you read an interesting fact in a magazine, look into it further. Pretend that you believe it, and look for confirmations; then pretend that you don't believe it, and look for rebuttals.

Exercises:
A. Search the Web for 3 online magazines regarding security.
B. How did you find these magazines?
C. Are all three magazines about computer security?

1.1.3 Zines and Blogs

Zines are small, often free magazines that have a very small distribution (less than 10,000 readers) and are often produced by hobbyists and amateur journalists. Zines, like the famous 2600 zine or the Phrack hacking web zine, are written by volunteers, and the producers do not edit the content for non-technical errors. This means the language can be harsh for those not anticipating such writing. Zines have a very strong theme and are very opinionated. However, they are more likely to show and argue both sides, as they do not care to, nor have to, appease advertisers and subscribers.

Blogs are a modernization of the zine. Blogs are updated more often and use communities to tie in very strong themes. As with zines, however, anyone may criticize a story and show an opposing opinion. For blogs, it is important to read the commentary just as much as the story.

Exercises:
A. Search the Web for 3 zines regarding computer security.
B. How did you find these zines?
C. Why do you classify these as zines? Remember, just because they market it as a zine or put "zine" in the title does not mean it is one.
D. Search the Web for 3 blogs regarding computer security.
E. What communities are these associated with?

1.1.4 Forums and Mailing Lists

Forums and mailing lists are communally developed media, much like a recording of a series of conversations at a party. The conversations shift focus often, much of what is said is rumor, and, when the party is over, no one is certain who said what. Forums and mailing lists are similar, because there are many ways for people to contribute inaccurate information (sometimes intentionally) and there are also ways for people to contribute anonymously. And, since topics and themes change quickly, it's important to read the whole thread of comments and not just the first few in order to get the best information.

You can find forums on almost any topic, and many online magazines and newspapers offer forums for readers to write opinions regarding published articles. In this case, forums are invaluable for getting more than one opinion on an article, because, no matter how much you liked the article, there is certain to be someone who didn't.

Many mailing lists exist on special topics, but these are hard to find. Often you must look for an idea before you find a mailing list community supporting it.

For a hacker, what is most important to know is that many forums and mailing lists are not searchable through major search engines. While you might find a forum or a list through a topic search in a search engine, you may not find information on individual posts. This information is called "the invisible web", as it contains information and data that is invisible to many, since a very specific search is needed, often through meta-search engines or only directly on the website of the forum.

Exercises:
A. Find 3 computer security forums.
B. How did you find these forums?
C. Can you determine the whole theme of the website?
D. Do the topics in the forums reflect the theme of the website hosting them?
E. Find 3 computer security mailing lists.
F. Who is the "owner" of these lists?
G. On which list would you expect the information to be more factual and less opinionated, and why?

1.1.5 Newsgroups

Newsgroups have been around a long time. There were newsgroups long before the Web existed. Google purchased the entire archive of newsgroups and put it online at http://groups.google.com. You will find posts in there going back as far as 1981. This archive is important for finding who is the original owner of an idea or a product. It is also useful for finding obscure information that is perhaps too small a topic for someone to put on a web page.

Newsgroups are not used less today than they were years ago, before the web became the mainstream for sharing information. However, they also haven't grown, as their popularity is replaced by new web services like blogs and forums.

Exercises:
A. Using Google's groups, find the oldest newsgroup posting you can about security.
B. Find other ways to use newsgroups. Are there applications you can use to read newsgroups?
C. How many newsgroups can you find that talk about computer hacking?

1.1.6 Websites

The de facto standard for sharing information is currently through a web browser. While we classify this all as "the web", the real term is "web services", as not everything on the web is a website. If you check e-mail using a web browser, you are using a web service.

Often, web services require privileges. This means you need a login name and password to gain access. Having access and the legal right to access is known as having "privileges". Hacking into a website to allow you to change the page may be having access, but since it is not your legal right to do so, it is not privileged access. We are only concerned with having privileged access, but as your experience with using the web grows, you will find many places that give access to privileged areas by accident. As you find this, you should get into the habit of reporting it to the website owner.

Websites are searchable through a large number of search engines. It's even possible to make your own search engine, if you have the time and hard drive space. Often, it's the search engines that get privileged access and pass it on to you. Sometimes it is in the form of a cache. A cache is a copy of a page that the search engine stored on its own servers when it crawled that page. If you click on the link that says "cached" instead of the actual link, you will see the page as the search engine found it. The search engines keep this copy so that the result can still be shown even if the page goes down or is changed between the time that you initiated your search and the time that you try to access the page that was returned, but you can also use the cached pages for other purposes, such as bypassing a slow server. One of the most useful public caches is at http://www.archive.org. Here you will find cached versions of whole websites from over the years.

One final note on websites: do not assume you can trust the content of the websites you visit just because they appear in a search engine. Many hacker attacks and viruses are spread just by visiting a website or downloading programs to run. You can safeguard yourself by not downloading programs from untrusted websites and by making sure the browser you use is up-to-date on security patches.

Exercises:
A. Using a search engine, find sites that may have mistakenly given privileged access to everyone. To do this, we will look for directory listings, which are accessible when you don't go directly to the right web page. Go to http://www.google.com and enter this into the search box: allintitle: "index of" .pdf. Click on a link in the results and you should find one that looks like a directory listing. This type of searching is also known as Google Hacking. A directory listing is a web server misconfiguration: it shows every file in that folder, including files that were never linked from any page. Look, but do not download or run what you find there.
B. Can you find other types of documents in this way using Google? Find 3 more directory listings which contain .xls files and .avi files.
C. There are many search engines out there besides Google. A good researcher knows how to use them all. Some websites specialize in tracking search engines, such as http://www.searchengine.com. However, there are many more, and you can generally find them by using search engines. There is even a search engine for "the invisible web". Find 10 search engines which are NOT meta search engines.
D. Search for "security testing and ethical hacking" and list the top 3 answers.
E. Search for the same without the quotes and give the top 3 answers. Are they different?
F. It is very different to search for a topic than it is to search for a word or phrase. In exercise D, you searched for a phrase. Now you will search for an idea. To do this, you need to think about what you want and how you want to find it. For example, you want to find an online resource of magazines for ethical hacking. If you enter online resource of magazines for ethical hacking into a search engine, you will get a number of opinions about the topic. This is helpful but not as helpful as actually getting the resource. Instead, you need to think, "If I were to make such a resource, what information would be in there and what key words could I pick from that information?" Put the following words and phrases into a search engine and find out which provides the best results for your search:
   1. my favorite list of magazines on ethical hacking
   2. list of ethical hacking magazines
   3. resources for ethical hackers
   4. ethical hacking magazine
   5. magazines ethical hacking security list resource
G. Find the oldest website from Mozilla in the Internet Archive. To do this you need to search on "www.mozilla.org" at the http://www.archive.org website.
H. Now, to put it all together, let's say you want to download version 1 of the Netscape web browser. Using search engines and the Internet Archive, see if you can locate and download version 1 (but don't install it).

1.1.7 Chat

Chats, also known as Internet Relay Chat (IRC), as well as Instant Messaging (IM), are very popular modes of quickly communicating with others. As a research source, chat is extremely inconsistent, because you will be dealing with individuals in real time. Some will be friendly, and some will be rude. Some will be harmless pranksters, but some will be malicious liars. Some will be intelligent and willing to share information, and some will be completely uninformed, but no less willing to share. It can be difficult to know which is which.

However, once you get comfortable with certain groups and channels, you may be accepted into the community, you will be allowed to ask more and more questions, and you will learn whom you can trust. Eventually you will be able to learn the very newest security information (also known as zero day: a vulnerability that has only just been discovered and for which no fix exists yet) and advance your own knowledge.

Exercises:
A. Find 3 chat programs to use for instant messaging. What makes them different? Can they all be used to talk to each other?
B. Find out what IRC is and how you can connect to it. Once you are able to connect, enter the ISECOM chat room as announced on the front page of http://www.isecom.org.
C. How do you know which channels exist to join in IRC? Find 3 computer security channels and 3 hacker channels. Can you enter these channels? Are there people talking or are they "bots"?

1.1.8 P2P

Peer to Peer, also known as P2P, is a network inside the Internet. Instead of many local computers communicating with each other through a centralized, remote computer, the computers in a P2P network communicate directly with each other. Most people associate P2P with the downloading of mp3s and pirated movies; however, many other P2P networks exist, both for the purpose of exchanging a wide variety of information and as a means to conduct research on distributed information sharing. One website dedicated to teaching about this, http://infoanarchy.org, is based on the premise that information should be free. On the Infoanarchy website, you can find a listing of available P2P networks and clients.

The problem with P2P networks is that, while you can find information on just about anything on them, some of that information is on the network illegally. The Hacker Highschool program doesn't condone the use of P2P to illegally download intellectual property, but there is no question that P2P networks can be a vital resource for finding information. Remember: there is nothing illegal about P2P networks (there are a lot of files that are available to be freely distributed under a wide variety of licenses), but there are also a lot of files on these networks that shouldn't be there. Files on P2P networks are also a common way of spreading viruses, and a carelessly configured client may share more of your own disk than you intended. Don't be afraid to use P2P networks, but be aware of the dangers.

1.2 Further Lessons

Now you should practice to master the skill of researching. The better you get at it, the more information you can find quickly, and the faster you will learn. To help you become a better researcher for the Hacker Highschool program, here are some additional topics and terms for you to investigate:
- Meta Search
- The Invisible Web
- Google Hacking
- How Search Engines Work
- The Open Source Search Engine


LESSON 2 BASIC COMMANDS IN LINUX AND WINDOWS


License for Use Information

(The same ISECOM license terms as stated in Lesson 1 apply to this lesson.)


Table of Contents
"License for Use" Information
Contributors
2.1. Introduction and Objectives
2.2. Requirements and Setup
2.2.1 Requirements
2.2.2 Setup
2.3. System Operation: WINDOWS
2.3.1 How to open an MS-DOS window
2.3.2 Commands and tools (Windows)
2.4. System Operations: Linux
2.4.1 How to open a console window
2.4.2 Commands and tools (Linux)
2.5. Exercises
2.5.1 Exercises in Windows
2.5.2 Exercises in Linux
2.5.3 Exercise 3


Contributors
Daniel Fernández Bleda, Internet Security Auditors
Jairo Hernández, La Salle URL Barcelona
Jaume Abella, La Salle URL Barcelona - ISECOM
Kim Truett, ISECOM
Pete Herzog, ISECOM
Marta Barceló, ISECOM


2.1. Introduction and Objectives

This lesson introduces commands and basic tools for both the Windows and Linux operating systems so that you can become familiar with them. These commands will be used to complete the exercises in the following lessons. At the end of this lesson, you should know the following commands:
- General Windows and Linux commands
- Basic network commands and tools:
  - ping
  - tracert
  - netstat
  - ipconfig
  - route


2.2. Requirements and Setup

2.2.1 Requirements

For the lesson, the following are needed:
- a PC with Windows 98/Me/2000/NT/XP/2003
- a PC with Linux (Suse/Debian/Knoppix)
- access to the Internet

2.2.2 Setup

This is the setup in which you are going to work. It consists of your PC, with access to the Internet, and the ISECOM Hacker Highschool network, which you will access through the Internet. This is the network against which you will make most of the tests. Note that access to the ISECOM test network is restricted. In order to gain access to it, your instructor must contact the system administrator, as detailed on the www.hackerhighschool.org web site.


2.3. System Operation: WINDOWS

Most of the tools used for the study of networks are internal commands of the Windows operating system. Therefore, we are going to explain how to open a command window when the Windows operating system is being used.

2.3.1 How to open an MS-DOS window

To issue the following commands, it is necessary to open a command prompt (an MS-DOS window). The procedure for this is the same for all versions of Windows.
1. Click the START button.
2. Choose the RUN option.
3. Type "command" if you are using Windows 95/98, or "cmd" for all other versions of Windows, and press Enter or click OK.
4. A window similar to the following one will appear: [screenshot of the command prompt window]
5. Now the commands and tools listed below can be entered.

2.3.2 Commands and tools (Windows)

Commands

date
    Display or set the date of the system.
time
    Display or set the time of the system.
ver
    Display the version of Windows (MS-DOS) that is being used.
dir
    Display the list of subdirectories and files of a directory.
cls
    Clear the screen.
mkdir, md directory
    Make a directory with the name "directory". Example: md tools
chdir, cd directory
    Display the name of the current directory, or change it to "directory". Example: cd tools
rmdir, rd directory
    Delete the directory with the name "directory". Example: rd tools
tree directory
    Display the structure of folders of a path in text-graphic format. Example: tree c:\tools
chkdsk
    Check a disk and show a status report.
mem
    Show the amount of memory used and free in the system.
rename, ren source dest
    Change the name of files. Example: ren oldname newname
copy source dest
    Copy one or more files to another location. Example: copy c:\tools\myfile.txt c:\tmp
move source dest
    Move files and change the name of files and directories. Example: move c:\tools c:\tmp
type file
    Type the content of one or more text files. Example: type c:\tools\myfile.txt
more file
    Display the information screen by screen. Example: more c:\tools\myfile.txt
erase, del file
    Delete one or more files. Example: del c:\tools\myfile.txt

Note: The words in italics in the original (directory, source, dest, file, host) are not commands, and must be replaced by the desired values. Some of the commands can be used by typing either their long version or their short version; for example, "erase" and "del" are the same command.

Tools

ping host
    Verify contact with the machine "host". The command ping sends "packets" using ICMP (Internet Control Message Protocol) to another computer, to learn whether it is accessible through the network. In addition, it shows a statistical summary of the percentage of packets that have not been answered and the response time. The name of the machine can be used directly, or its IP address. A host that does not answer is not necessarily down: many hosts and firewalls are configured to drop ICMP echo requests.
    Examples:
        ping www.google.com
        ping 193.145.85.2
    Some options are:
        -n N: send N packets
        -t: ping the specified host until stopped (press CTRL+C to end)
    To see more options: ping /?


tracert host
    Show the route that packets follow to reach the machine "host". The command tracert is the abbreviation of "trace route", which allows you to learn the route that a packet follows from the origin (your machine) to the destination machine. It works by sending packets with an increasing time-to-live (TTL) value, so that each router along the path reports back in turn when the TTL expires. It can also tell you the time it takes to make each hop. At most, 30 hops will be listed. It is sometimes interesting to observe the names of the machines through which the packets travel.
    Examples:
        tracert www.google.com
        tracert 193.145.85.2
    Some options are:
        -h N: list at most N hops
        -d: do not resolve the names of the machines
    To see more options: tracert /?

ipconfig
    Display information on the active interfaces (ethernet, ppp, etc.) in the computer.
    Some options:
        /all: show more details
        /renew name: renew the DHCP lease of the adapter "name" when automatic configuration with DHCP is used
        /release name: release the DHCP-assigned address of the adapter "name" when automatic configuration with DHCP is used
    To see more options: ipconfig /?

route print
    Display the routing table. The command route serves to define static routes, to delete routes, or simply to see the state of the routes.
    Some options:
        print: show the list of routes
        delete: delete a route
        add: add a route
    To see more options: route /?

netstat
    Display information on the status of the network and the established connections with remote machines.
    Some options:
        -a: show all the connections and listening ports
        -n: display addresses and port numbers in numeric form
        -e: show Ethernet statistics
        -o (Windows XP and later): show the process ID (PID) that owns each connection
    For example: netstat -an
    To see more options: netstat /?


For additional information on these commands and tools, type "command /h" or "command /?" or "help command" from a MS-DOS window. For example, for additional information on the tool netstat, we have three possibilities: 1) netstat /h 2) netstat /? 3) help netstat

2.4 System Operations: Linux


Just as in Windows, if you are using Linux, a great majority of the commands that you will use are executed from a console emulation window. Therefore, we will next learn how to open a console window in Linux.

2.4.1 How to open a console window

To issue the following commands, it is necessary to open a console window:
1. - Go to the START APPLICATION button
2. - Select "Run Command"
3. - Enter "konsole"
4. - A window similar to the following one will appear:

5. - Now the commands and tools listed below can be entered.

2.4.2 Commands and tools (Linux)


Commands

pwd
Display the name of the current directory.

hostname
Display the name of the local host (the computer which you are currently using).

finger user
Display information on the user "user". Example: finger root

ls
List the content of the directories. Example: ls -la

cd directory
Change from the current directory to "directory". If no directory name is specified, it changes to the home directory. Example: for the login name "mylogin", the command $ cd changes the directory to /home/mylogin. Example: $ cd - changes to the last visited directory. Example: $ cd /tmp changes to the "tmp" directory.

cp source dest
Copy files. Copy the file "source" to the file "dest". Example: cp /etc/passwd /tmp

rm file
Delete files. Only the owner of the file (or root) can delete it. Example: rm myfile

mv source dest
Move or rename files and directories. Example: mv oldname newname

mkdir directory
Make a directory with the name "directory". Example: mkdir tools

rmdir directory
Delete the directory with the name "directory" if it is empty. Example: rmdir tools

find / -name file
Find a file with the name "file", beginning the search in the root directory. Example: find / -name myfile

echo string
Write the string "string" to the standard output. Example: echo hello

command > file
Redirect the normal screen output of the command "command" to the file "file". Example: ls > myls

command >> file
Redirect the normal screen output of the command "command" to the file "file". If the file already exists, the output is appended to the end of the file. Example: ls >> myls

man command
Show the pages of the online manual about "command". Example: man ls

Note: The words in italics are not commands and must be replaced by the desired values.


For additional information on the use of these commands and tools, type "command --help" or "man command" in the console window. For example, for additional information on the "ls" command, type either of these two possibilities: 1) ls --help 2) man ls

Tools (Please see the Windows section for details on these tools.)

ping host
Verify the contact with the machine "host". Example: ping www.google.com

traceroute host
Show the route that the packets follow to reach the machine "host". Example: traceroute www.google.com

ifconfig
Display information on the active interfaces (ethernet, ppp, etc.)

route
Display the routing table

netstat
Display information on the status of the network. Example: netstat -an

Basic command equivalences for Windows/Linux

This is a table showing the basic command equivalences between Linux and Windows. Commands are executed from a shell (in Linux) or from a MS-DOS window (in Windows).

Linux command          Windows command
command --help         command /h, command /?
man command            help command
cp                     copy
rm                     del
mv                     move
mv                     ren
more, less, cat        type
lpr                    print
rm -R                  deltree
ls                     dir
cd                     cd
mkdir                  md
rmdir                  rd
route                  route print
traceroute -I          tracert
ping                   ping
ifconfig               ipconfig


2.5 Exercises

2.5.1 Exercises in Windows

1. Go to a MS-DOS window.
2. Identify the version of MS-DOS that you are using. What version have you detected? What command have you used?
3. Identify the date and time of the system. If they are incorrect, modify them so that they are correct. What command have you used?
4. Identify all the directories and files that are in "c:\". What command have you used?
5. Create the directory c:\hhs\lesson0. Copy into this directory all the files with the extension ".sys" that are in "c:\". What files have you found? What commands have you used?
6. Identify the IP address of your host. What command have you used? What IP address do you have?
7. Trace the route to "www.google.com". Identify the IPs of the intermediate routers.

2.5.2 Exercises in Linux

1. Identify the owner of the file "passwd". (Note: first locate where this file is.) What command have you used?
2. Create the directory "work" in your own home directory (for example, if your login is "mylogin", create the directory in "/home/mylogin"), and copy the file "passwd" into the directory "work" that you have just created. Identify the owner of the file "passwd" that has been copied.
3. Create the directory ".hide" in the "work" directory. List the contents of this directory. What did you have to do to see the contents of the directory ".hide"?
4. Create the file "test1" with the content "This is the content of the file test1" in the "work" directory. Create the file "test2" with the content "This is the content of the file test2" in the "work" directory. Copy the contents of the previous files into a file with the name "test". What commands have you used?
5. Identify the name and the IP address of your machine. What commands have you used? What IP address do you have?
6. Trace the route to "www.google.com". Identify the IPs of the intermediate routers.

2.5.3 Exercise 3

Complete the following table with parallelisms between Windows and Linux. For example: the Linux command "command --help" is equivalent to the Windows command "command /h". As another example, in Linux "cp" is just like the Windows command "copy".

Linux command          Windows command
command --help         command /h
                       help command
cp                     copy
mv
more
                       del
                       print
                       deltree
ls
cd
                       md
                       rd
route
                       tracert
ping
                       ipconfig


Further Reading

For an extensive glossary of terms, visit the following URLs:
http://www.matisse.net/files/glossary.html
http://www.uic.edu/depts/accc/inform/v106.html
http://www.catb.org/~esr/jargon/
Windows - for additional information on commands and tools, type "command /h" or "command /?" or "help command" from a MS-DOS window.
Linux - for additional information on commands and tools, type "command --help" or "man command" from a shell.


LESSON 3 PORTS AND PROTOCOLS



Table of Contents
"License for Use" Information ............ 2
Contributors
3.1 Introduction ............ 5
3.2 Basic concepts of networks ............ 6
3.2.1 Devices ............ 6
3.2.2 Topologies ............ 6
3.3 TCP/IP model ............ 7
3.3.1 Introduction ............ 7
3.3.2 Layers ............ 7
3.3.2.1 Application ............ 7
3.3.2.2 Transport ............ 7
3.3.2.3 Internet ............ 8
3.3.2.4 Network Access ............ 8
3.3.3 Protocols ............ 8
3.3.3.1 Application layer protocols ............ 9
3.3.3.2 Transport layer Protocols ............ 9
3.3.3.3 Internet layer Protocols ............ 9
3.3.4 IP Addresses ............ 9
3.3.5 Ports ............ 12
3.3.6 Encapsulation ............ 13
3.4 Exercises ............ 13
3.4.1 Exercise 1: Netstat ............ 13
3.4.2 Exercise 2: Ports and Protocols ............ 15
3.4.3 Exercise 3: My First Server ............ 15
Further Reading ............ 17


Contributors

Gary Axten, ISECOM
La Salle URL Barcelona
Kim Truett, ISECOM
Chuck Truett, ISECOM
Marta Barceló, ISECOM
Pete Herzog, ISECOM


3.1 Introduction


The text and exercises in this lesson try to impart a basic understanding of the ports and protocols in current use, as well as their relevance within the operating systems Windows and Linux. Additionally, you will have the opportunity to become familiar with a number of useful utilities which will allow you to properly understand the network capabilities of your computer system. At the end of the lesson you should have a basic knowledge of:
- the concepts of networks
- IP addresses
- ports and protocols.


3.2 Basic concepts of networks

3.2.1 Devices

In order to understand the explanation of protocols and ports, it is necessary for you to become familiar with the icons that represent the most common devices that are seen in the basic schemes. These are:

3.2.2 Topologies

With these devices, local area networks (or LANs) can be created. In a LAN, computers can share resources, such as hard drives, printers and internet connections, and an administrator can control how these resources are shared. When a LAN is being designed, it is possible to choose any of the following physical topologies:

Bus

Ring

Star

Extended Star

Hierarchic

In a bus topology, all the computers are connected to a single means of transmission, and each computer can communicate directly with any of the others. In the ring configuration, each computer is connected to the following one, and the last one to the first, and each computer can only communicate directly with the two adjacent computers. In the star topology, none of the computers are directly connected with others. Instead they are connected through a central point, and the device at that central point is responsible for relaying information from computer to computer. If several central points are connected to each other, an extended star topology is obtained. In a star or extended star topology, all the central points are peers, that is, each exchanges information on an equal basis. However, if you connect two star or extended star networks together using a central point which controls or limits the exchange of information between the two networks, then you have created a single, hierarchical network topology.


3.3 TCP/IP model

3.3.1 Introduction

TCP/IP was developed by the DoD (Department of Defense) of the United States and DARPA (Defense Advanced Research Project Agency) in the 1970s. TCP/IP was designed to be an open standard that anyone could use to connect computers together and exchange information between them. Ultimately, it became the basis for the Internet.

3.3.2 Layers

The TCP/IP model defines four totally independent layers into which it divides the process of communication between two devices. The layers through which it passes information between two devices are:

3.3.2.1 Application

The application layer is the layer nearest the end user. This is the layer that is in charge of translating data from applications into information that can be sent through the network. The basic functions of this layer are:
- Representation
- Codification
- Dialog Control
- Application Management

3.3.2.2 Transport

The transport layer establishes, maintains and finishes virtual circuits for information transfer. It provides control mechanisms for data flow and allows broadcasting, and it provides mechanisms for the detection and correction of errors. The information that arrives at this layer from the application layer is divided into different segments. Information that comes to the transport layer from the internet layer is delivered back to the application layer through ports. (See Section 3.3.5 Ports for details on ports.)


The basic functions of this layer are:
- Reliability
- Flow Control
- Error Correction
- Broadcasting

3.3.2.3 Internet

This layer divides the segments of the transport layer into packets and sends the packets across the networks that make up the Internet. It uses IP, or internet protocol, addresses to determine the location of the recipient device. It does not ensure reliability in the connections, because this is already taken care of by the transport layer, but it is responsible for selecting the best route between the originating device and the recipient device.

3.3.2.4 Network Access

This layer is in charge of sending information at both the LAN level and the physical level. It transforms all the information that arrives from the superior layers into basic information (bits) and directs it to the proper location. At this level, the destination of the information is determined by the MAC, or media access control, address of the recipient device.

3.3.3 Protocols

To be able to send information between two devices, both must speak the same language. This language is called the protocol. The protocols that appear in the application layer of the TCP/IP model are:
- File Transfer Protocol (FTP)
- Hypertext Transfer Protocol (HTTP)
- Simple Mail Transfer Protocol (SMTP)
- Domain Name Service (DNS)
- Trivial File Transfer Protocol (TFTP)
The protocols of the transport layer are:
- Transport Control Protocol (TCP)
- User Datagram Protocol (UDP)
The protocols of the internet layer are:
- Internet Protocol (IP)
The protocol most often used in the network access layer is:
- Ethernet
The protocols listed above and their associated ports will be described in the following sections.


3.3.3.1 Application layer protocols

FTP or file transfer protocol is used for the transmission of files between two devices. It uses TCP to create a virtual connection for the control information, then creates another connection to be used for the delivery of data. The most commonly used ports are 20 and 21.

HTTP or hypertext transfer protocol is used to translate information into web pages. This information is distributed in a manner similar to that used for electronic mail. The most commonly used port is 80.

SMTP or simple mail transfer protocol is a mail service that is based on the FTP model. It transfers electronic mail between two systems and provides notifications of incoming mail. The most commonly used port is 25.

DNS or domain name service provides a means to associate a domain name with an IP address. The most commonly used port is 53.

TFTP or trivial file transfer protocol has the same functions as FTP but uses UDP instead of TCP. (See Section 3.3.3.2 for details on the differences between UDP and TCP.) This gives it more speed, but less security and trustworthiness. The most commonly used port is 69.

3.3.3.2 Transport layer Protocols

There are two protocols which can be used by the transport layer to deliver information segments.

TCP or transmission control protocol establishes a logical connection between the final points of the network. It synchronizes and regulates the traffic with what is known as the "Three Way Handshake". In the "Three Way Handshake," the originating device sends an initial packet called a SYN to the recipient device. The recipient device sends an acknowledgment packet, called a SYN/ACK. The originating device then sends a packet called an ACK, which is an acknowledgment of the acknowledgment. At this point, both the originating device and the recipient device have established that there is a connection between the two, and both are ready to send and receive data to and from each other.

UDP or user datagram protocol is a transport protocol which is not based on a connection. In this case, the originating device sends packets without warning the recipient device to expect these packets. It is then up to the recipient device to determine whether or not those packets will be accepted. As a result, UDP is faster than TCP, but it cannot guarantee that a packet will be accepted.

3.3.3.3 Internet layer Protocols

IP or internet protocol serves as a universal protocol to allow any two computers to communicate through any network at any time. Like UDP, it is connectionless, because it does not establish a connection with the remote computer. Instead, it is what is known as a best effort service, in that it will do whatever is possible to ensure that it works correctly, but its reliability is not guaranteed. The Internet Protocol determines the format for the packet headers, including the IP addresses of both the originating and the recipient devices.

3.3.4 IP Addresses

A domain name is the web address that you normally type into a web browser. That name identifies one or more IP addresses. For example, the domain name microsoft.com represents about a dozen IP addresses. Domain names are used in URLs to identify particular Web pages.


For example, in the URL http://www.pcwebopedia.com/index.html, the domain name is pcwebopedia.com. Every domain name has a suffix that indicates which top level domain (TLD) it belongs to. There are only a limited number of such domains. For example:
.gov - Government agencies
.edu - Educational institutions
.org - Organizations (nonprofit)
.com - Commercial Business
.net - Network organizations
Because the Internet is based on IP addresses, not domain names, every Web server requires a Domain Name System (DNS) server to translate domain names into IP addresses.

IP Addresses are the identifiers that are used to differentiate between computers and other devices that are connected to a network. Each device must have a different IP address, so that there are no problems of mistaken identity within the network. IP addresses consist of 32 bits that are divided into four 8 bit octets which are separated by dots. Part of the IP address identifies the network, and the remainder of the IP address identifies the individual computers on the network.

There are both public and private IP addresses. Private IP addresses are used by private networks that have no connection with outside networks. IP addresses within a private network should not be duplicated within that network, but computers on two different, but unconnected, private networks could have duplicated IP addresses. The IP addresses that are defined by IANA, the Internet Assigned Numbers Authority, as being available for private networks are:
10.0.0.0 through 10.255.255.255
172.16.0.0 through 172.31.255.255
192.168.0.0 through 192.168.255.255
IP addresses are divided into classes based on what portion of the address is used to identify the network and what portion is used to identify the individual computers. Depending on the size assigned to each part, more devices will be allowed within the network, or more networks will be allowed. The existing classes are:


- Class A: The first bit is always zero, so this class includes the addresses between 0.0.0.0 and 126.255.255.255. Note: the addresses 127.x.x.x are reserved for the services of loopback or localhost.
- Class B: The first two bits of the first octet are '10', so this class includes the addresses between 128.0.0.0 and 191.255.255.255.
- Class C: The first three bits of the first octet are '110', so this class includes the addresses between 192.0.0.0 and 223.255.255.255.
- Class D: The first four bits of the first octet are '1110', so this class includes the addresses between 224.0.0.0 and 239.255.255.255. These addresses are reserved for group multicast implementations.
- The remaining addresses are used for experimentation or for possible future allocations.

At this time, the classes are not used to differentiate between the part of the address used to identify the network and the part used to identify the individual devices. Instead, a mask is used. In the mask, a '1' binary bit represents the part containing the network identification and a '0' binary bit represents the part that identifies the individual devices. Therefore, to identify a device, in addition to the IP address, it is necessary to specify a network mask:
IP: 172.16.1.20
Mask: 255.255.255.0

IP addresses 127.x.x.x are reserved to be used as loopback or local host addresses, that is, they refer directly back to the local computer. Every computer has a local host address of 127.0.0.1, therefore that address cannot be used to identify different devices. There are also other addresses that cannot be used. These are the network address and the broadcast address. The network address is an address in which the part of the address which normally identifies the device is all zeros. This address cannot be used, because it identifies a network and can never be used to identify a specific device.
IP: 172.16.1.0
Mask: 255.255.255.0


The broadcast address is an address in which the part of the address which normally identifies the device is all ones. This address cannot be used to identify a specific device, because it is the address that is used to send information to all of the computers that belong to the specified network.
IP: 172.16.1.255
Mask: 255.255.255.0
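A worked example, added here and not part of the original lesson, that applies the mask rules above to the lesson's address 172.16.1.20 / 255.255.255.0 with plain integer arithmetic, and also classifies an address and checks it against the IANA private ranges listed earlier. The function names (network_address, broadcast_address, is_valid_mask, address_class, is_private) are the example's own.

```python
"""Network address, broadcast address, address class and private ranges
for IPv4, computed bit by bit so the role of the mask is visible.
(Added example; the sample address 172.16.1.20 / 255.255.255.0 is the
one used in the lesson.)"""


def to_int(dotted):
    """'172.16.1.20' -> 32-bit integer; rejects malformed input."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError("expected four octets: %r" % dotted)
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError("octet out of range: %r" % dotted)
        value = (value << 8) | octet
    return value


def to_dotted(value):
    """32-bit integer -> dotted form."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_valid_mask(mask):
    """A mask is a run of '1' bits followed by a run of '0' bits."""
    inverted = (~to_int(mask)) & 0xFFFFFFFF       # host part becomes all ones
    return (inverted & (inverted + 1)) == 0        # ones form one contiguous run


def network_address(ip, mask):
    """Host part set to all zeros: ip AND mask."""
    return to_dotted(to_int(ip) & to_int(mask))


def broadcast_address(ip, mask):
    """Host part set to all ones: ip OR (NOT mask)."""
    return to_dotted(to_int(ip) | ((~to_int(mask)) & 0xFFFFFFFF))


def is_usable_host(ip, mask):
    """The network and broadcast addresses cannot name a single device."""
    return ip not in (network_address(ip, mask), broadcast_address(ip, mask))


def address_class(ip):
    """Classify by the leading bits of the first octet, as in the lesson."""
    first = to_int(ip) >> 24
    if first == 127:
        return "loopback"
    if first < 128:            # first bit 0
        return "A"
    if first < 192:            # first bits 10
        return "B"
    if first < 224:            # first bits 110
        return "C"
    if first < 240:            # first bits 1110
        return "D"
    return "reserved"


# The IANA private ranges from the lesson text.
PRIVATE_RANGES = (
    ("10.0.0.0", "10.255.255.255"),
    ("172.16.0.0", "172.31.255.255"),
    ("192.168.0.0", "192.168.255.255"),
)


def is_private(ip):
    value = to_int(ip)
    return any(to_int(lo) <= value <= to_int(hi) for lo, hi in PRIVATE_RANGES)


if __name__ == "__main__":
    ip, mask = "172.16.1.20", "255.255.255.0"
    print("network  ", network_address(ip, mask))     # 172.16.1.0
    print("broadcast", broadcast_address(ip, mask))   # 172.16.1.255
    print("class", address_class(ip), "private", is_private(ip))
```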

3.3.5 Ports

Both TCP and UDP use ports to exchange information with applications. A port is an extension of an address, similar to adding an apartment or room number to a street address. A letter with a street address will arrive at the correct apartment building, but without the apartment number it will not be delivered to the correct recipient. Ports work in much the same way. A packet can be delivered to the correct IP address, but without the associated port there is no way to determine which application should act on the packet. Once the ports have been defined, it is possible for the different types of information that are sent to one IP address to then be sent to the appropriate applications. By using ports, a service running on a remote computer can determine what type of information a local client is requesting, can determine the protocol needed to send that information, and can maintain simultaneous communication with a number of different clients.

For example, if a local computer attempts to connect to the website www.osstmm.org, whose IP address is 62.80.122.203, with a web server running on port 80, the local computer would connect to the remote computer using the socket address: 62.80.122.203:80

In order to maintain a level of standardization among the most commonly used ports, IANA has established that the ports numbered from 0 to 1024 are to be used for common services. The remaining ports, up through 65535, are used for dynamic allocations or particular services. The most commonly used ports, as assigned by the IANA, are listed here:

Port Assignments
Decimals    Keywords       Description
0                          Reserved
1-4                        Unassigned
5           rje            Remote Job Entry
7           echo           Echo
9           discard        Discard
11          systat         Active Users
13          daytime        Daytime
15          netstat        Who is Up or NETSTAT
17          qotd           Quote of the Day
19          chargen        Character Generator
20          ftp-data       File Transfer (Default Data)
21          ftp            File Transfer (Control)
22          ssh            SSH Remote Login Protocol
23          telnet         Telnet
25          smtp           Simple Mail Transfer
37          time           Time
39          rlp            Resource Location Protocol
42          nameserver     Host Name Server
43          nicname        Who Is
53          domain         Domain Name Server
67          bootps         Bootstrap Protocol Server
68          bootpc         Bootstrap Protocol Client
69          tftp           Trivial File Transfer
70          gopher         Gopher
75                         any private dial out service
77                         any private RJE service
79          finger         Finger
80          www-http       World Wide Web HTTP
95          supdup         SUPDUP
101         hostname       NIC Host Name Server
102         iso-tsap       ISO-TSAP Class 0
110         pop3           Post Office Protocol - Version 3
113         auth           Authentication Service
117         uucp-path      UUCP Path Service
119         nntp           Network News Transfer Protocol
123         ntp            Network Time Protocol
137         netbios-ns     NETBIOS Name Service
138         netbios-dgm    NETBIOS Datagram Service
139         netbios-ssn    NETBIOS Session Service
140-159                    Unassigned
160-223                    Reserved

You can also refer to the Web page http://www.isecom.info/cgi-local/protocoldb/browse.dsp for more detailed information on ports.

3.3.6 Encapsulation

When a piece of information, an e-mail message for example, is sent from one computer to another, it is subject to a series of transformations. The application layer generates the data, which is then sent to the transport layer. The transport layer takes this information and adds a header to it. This header contains information, such as the IP addresses of the originating and recipient computers, that explains what must be done to the data in order to get it to the appropriate destination. The next layer adds yet another header, and so on. This recursive procedure is known as encapsulation. Each layer after the first makes its data an encapsulation of the previous layer's data, until you arrive at the final layer, in which the actual transmission of data occurs. The following figure explains encapsulation in a graphic form:


Figure: DATA -> SEGMENT -> PACKET -> FRAME (each step wraps the previous one in a new header)

When the encapsulated information arrives at its destination, it must then be de-encapsulated. As each layer receives information from the previous layer, it removes the unneeded information contained in the header placed there by the previous layer.
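An added example, not from the lesson, that builds the segment, packet and frame around a piece of data and then strips the headers again in the reverse order. It uses the real UDP, IPv4 and Ethernet header layouts so the byte offsets match a packet capture, but leaves checksums at zero; the MAC and IP addresses are made-up sample values and the function names are the example's own.

```python
"""Encapsulation and de-encapsulation of one piece of data through the
transport (UDP), internet (IPv4) and network access (Ethernet) layers.
Added example; checksums are left at zero to keep it short."""
import struct

ETHERTYPE_IPV4 = 0x0800   # EtherType value that marks an IPv4 packet
IP_PROTO_UDP = 17         # IPv4 protocol number for UDP


def ip_to_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def mac_to_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def bytes_to_mac(raw):
    return ":".join("%02x" % b for b in raw)


# --- transport layer: DATA -> SEGMENT --------------------------------------
def build_segment(data, src_port, dst_port):
    """UDP header: source port, destination port, total length, checksum.
    The ports are what let the receiver pick the right application."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(data), 0) + data


# --- internet layer: SEGMENT -> PACKET -------------------------------------
def build_packet(segment, src_ip, dst_ip, ttl=64):
    """IPv4 header, 20 bytes without options; the IP addresses live here."""
    version_ihl = (4 << 4) | 5                   # IPv4, header length 5 * 4
    header = struct.pack("!BBHHHBBH4s4s", version_ihl, 0, 20 + len(segment),
                         0, 0, ttl, IP_PROTO_UDP, 0,
                         ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    return header + segment


# --- network access layer: PACKET -> FRAME ---------------------------------
def build_frame(packet, src_mac, dst_mac):
    """Ethernet header: destination MAC, source MAC, EtherType."""
    return struct.pack("!6s6sH", mac_to_bytes(dst_mac), mac_to_bytes(src_mac),
                       ETHERTYPE_IPV4) + packet


def encapsulate(data, src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port):
    segment = build_segment(data, src_port, dst_port)
    packet = build_packet(segment, src_ip, dst_ip)
    return build_frame(packet, src_mac, dst_mac)


def decapsulate(frame):
    """Peel the headers off in reverse order, checking each layer's fields."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame: 0x%04x" % ethertype)
    packet = frame[14:]

    fields = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = fields[0] >> 4, fields[0] & 0x0F
    if version != 4:
        raise ValueError("not an IPv4 packet")
    total_length, proto = fields[2], fields[6]
    if proto != IP_PROTO_UDP:
        raise ValueError("unexpected transport protocol %d" % proto)
    segment = packet[ihl * 4:total_length]       # header length is in 4-byte words

    src_port, dst_port, length, _checksum = struct.unpack("!HHHH", segment[:8])
    data = segment[8:length]

    return {
        "src_mac": bytes_to_mac(src_mac), "dst_mac": bytes_to_mac(dst_mac),
        "src_ip": bytes_to_ip(fields[8]), "dst_ip": bytes_to_ip(fields[9]),
        "ttl": fields[5], "src_port": src_port, "dst_port": dst_port,
        "data": data,
    }


if __name__ == "__main__":
    # Sample values: the lesson's osstmm.org address on port 80, made-up MACs.
    frame = encapsulate(b"hello", "00:11:22:33:44:55", "66:77:88:99:aa:bb",
                        "172.16.1.20", "62.80.122.203", 40000, 80)
    print(len(frame), "bytes on the wire")   # 5 + 8 + 20 + 14 = 47
    print(decapsulate(frame))
```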

3.4 Exercises

3.4.1 Exercise 1: Netstat

The Netstat command allows you to see the state of the ports on a computer. In order to execute it, you must open an MS-DOS window and type: netstat
In the MS-DOS window, you will then see a list of the established connections. If you want to see the connections displayed in numeric form, type: netstat -n
To see the connections and the active ports, type: netstat -an
To see a list of other options, type: netstat -h
In the Netstat output, the second and third columns list the local and remote IP addresses being used by the active ports. Why are the addresses of the remote ports different from the local addresses?
Next, using a web browser, open this web page: http://193.145.85.202 then return to the MS-DOS prompt and run Netstat again. What new connection (or connections) appear?
Open another web browser and go to this web page: http://193.145.85.203 Return to the MS-DOS prompt and run Netstat:


- Why does the protocol HTTP appear in several lines?
- What differences exist between each one of them?
- If there are several web browsers open, how does the computer know which information goes to which browser?
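An added example, not part of the exercise, that parses a constructed netstat -an listing in Python and answers the three questions mechanically: it lists the listening ports, collects every connection whose remote port is 80, and checks that each established connection has its own local port, which is what lets the system hand each reply to the right browser. The addresses in the sample output are constructed values, and the function names are the example's own.

```python
"""Reading `netstat -an` output with a small parser. Added example; the
sample listing below is constructed to look like the Windows output."""

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1234           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1087       193.145.85.202:80      ESTABLISHED
  TCP    192.168.1.5:1088       193.145.85.202:80      ESTABLISHED
  TCP    192.168.1.5:1089       193.145.85.203:80      ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""


def split_endpoint(text):
    """'193.145.85.202:80' -> ('193.145.85.202', 80); '*:*' -> ('*', None)."""
    host, _, port = text.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(output):
    """Return one dict per connection line; header lines are skipped."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        local_host, local_port = split_endpoint(parts[1])
        remote_host, remote_port = split_endpoint(parts[2])
        rows.append({
            "proto": parts[0],
            "local_host": local_host, "local_port": local_port,
            "remote_host": remote_host, "remote_port": remote_port,
            "state": parts[3] if len(parts) > 3 else "",   # UDP has no state
        })
    return rows


def listening_ports(rows):
    """Ports a service is waiting on: TCP LISTENING plus every UDP socket."""
    return sorted({r["local_port"] for r in rows
                   if r["state"] == "LISTENING" or r["proto"] == "UDP"})


def connections_to_port(rows, port):
    """Established connections whose remote side is `port` (80 = HTTP)."""
    return [r for r in rows
            if r["remote_port"] == port and r["state"] == "ESTABLISHED"]


def local_ports_are_unique(rows):
    """Each (proto, local host, local port) of an established connection
    must be distinct: that local port is how replies find their browser."""
    seen = set()
    for r in rows:
        if r["state"] != "ESTABLISHED":
            continue
        key = (r["proto"], r["local_host"], r["local_port"])
        if key in seen:
            return False
        seen.add(key)
    return True


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("listening:", listening_ports(rows))            # [135, 137, 1234]
    for r in connections_to_port(rows, 80):                # three HTTP lines
        print("HTTP local port", r["local_port"], "->", r["remote_host"])
    print("local ports unique:", local_ports_are_unique(rows))
```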

3.4.2 Exercise 2: Ports and Protocols

In this lesson, you learned that ports are used to differentiate between services. Why is it that when a web browser is used, no port is specified? What protocols are used? Is it possible that one protocol gets used in more than one instance?

3.4.3 Exercise 3: My First Server

To perform this exercise, you must have the Netcat program. If you do not have it, you can download it from the page: http://www.atstake.com/research/tools/network_utilities/
Once you have Netcat installed, open an MS-DOS window. Change to the Netcat directory and type: nc -h
This displays the options that are available in Netcat. To create a simple server, type: nc -l -p 1234
When this command executes, port 1234 is opened and incoming connections are allowed. Open a second MS-DOS window and type: netstat -a
This should verify that there is a new service listening on port 1234. Close this MS-DOS window.
To be able to say that a server has been implemented, you must establish a client association. Open an MS-DOS window and type: nc localhost 1234
With this command, a connection is made with the server that is listening on port 1234. Now, anything that is written in either of the two open MS-DOS windows can be seen in the other window.
Create a file named 'test' that contains the text "Welcome to the Hacker Highschool server!". In an MS-DOS window, type: nc -l -p 1234 < test
From another MS-DOS window, connect to the server by typing: nc localhost 1234
When the client connects to the server, you should see the output of the file 'test'. To close the service, switch to the MS-DOS window in which it is running and press CTRL-C.
What protocol has been used to connect with the server?

#%

LESSON 3 PORTS AND PROTOCOLS

6oes (etcat allow you to change thisH If so$ howH
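The Netstat question (why the local and remote addresses differ) and the Netcat exercise, done together in Python as an added example that is not part of the Hacker Highschool text. It does on 127.0.0.1 what `nc -l -p 1234 < test` and `nc localhost 1234` do, and reports the local/remote address pair each side sees, which is exactly what `netstat -an` lists. The greeting text comes from the exercise; port 0 is an assumption that lets the operating system pick a free port (replace it with 1234 to match the lesson).

```python
import socket
import threading

# The text of the 'test' file from the exercise.
GREETING = b"Welcome to the Hacker Highschool server!\r\n"


def start_server(payload, port=0):
    """Equivalent of `nc -l -p PORT < test`: listen on 127.0.0.1, accept one
    client, send the file contents to it and close.  port=0 lets the OS
    choose a free port (the lesson uses 1234); the chosen address is
    stored under "listening_on", as `netstat -a` would list it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    state = {"listening_on": srv.getsockname()}

    def handle():
        conn, peer = srv.accept()        # blocks until `nc localhost PORT` connects
        with conn:
            state["peer"] = peer         # the server's view of the remote address
            conn.sendall(payload)        # what `< test` feeds into Netcat
        srv.close()

    state["thread"] = threading.Thread(target=handle, daemon=True)
    state["thread"].start()
    return state


def connect_client(port):
    """Equivalent of `nc localhost PORT`: connect, read until the server
    closes, and report the (local, remote) pair netstat shows for the socket."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as cli:
        local, remote = cli.getsockname(), cli.getpeername()
        chunks = []
        while True:                      # TCP stream: read until the peer closes
            data = cli.recv(4096)
            if not data:
                break
            chunks.append(data)
    return {"local": local, "remote": remote, "received": b"".join(chunks)}


def run_exercise(port=0):
    """Run server and client on this machine and collect both sides' view."""
    server = start_server(GREETING, port)
    result = connect_client(server["listening_on"][1])
    server["thread"].join(5)
    result["server_saw"] = server["peer"]
    return result


if __name__ == "__main__":
    r = run_exercise()
    print("client: local", r["local"], "remote", r["remote"])
    print("server: saw the client at", r["server_saw"])
    print(r["received"].decode())
```

The client's "remote" address is the server's listening port, while its "local" port is an ephemeral one the operating system picked; the server sees the reverse. That four-tuple (local address, local port, remote address, remote port) is how the kernel tells one connection from another, which is also how it routes data to the right browser window when several are open.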


Further Reading

You can find more information on ports and protocols by looking at the following links:

http://www.oreilly.com/catalog/fire2/chapter/ch13.html
http://www.oreilly.com/catalog/puis3/chapter/ch11.pdf
http://www.oreilly.com/catalog/ipv6ess/chapter/ch02.pdf
http://info.acm.org/crossroads/xrds1-1/tcpjmy.html
http://www.garykessler.net/library/tcpip.html
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/ip.htm
http://www.redbooks.ibm.com/redbooks/GG243376.html

Port Number references:

http://www.iana.org/assignments/port-numbers
http://www.isecom.info/cgi-local/protocoldb/browse.dsp


LESSON 4 SERVICES AND CONNECTIONS


Table of Contents

"License for Use" Information
Contributors
4.0 Introduction
4.1 Services
4.1.1 HTTP and The Web
4.1.2 E-Mail: POP and SMTP
4.1.3 IRC
4.1.4 FTP
4.1.5 Telnet and SSH
4.1.6 DNS
4.1.7 DHCP
4.2 Connections
4.2.1 ISPs
4.2.2 Plain Old Telephone Service
4.2.3 DSL
4.2.4 Cable Modems
Further Reading


Contributors

Chuck Truett, ISECOM
Guiomar Corral, La Salle URL Barcelona
Jaume Abella, La Salle URL Barcelona - ISECOM
Kim Truett, ISECOM
Marta Barceló, ISECOM
Pete Herzog, ISECOM


4.0 Introduction

The purpose of this lesson is to give you an understanding of some of the basic services which networks use to provide and exchange information, and to discuss some of the methods by which personal computers and local networks connect with the other networks which make up the Internet.


4.1 Services

You have a computer, and you know that there is useful information on this computer, but not very much. You also know that other people, millions of other people, also have computers, and that their computers will also have useful information. Now, you can assume that these other people, and these other computers, may very likely have lots of information on them that would be of interest to you. The only problem is how to access all this useful information that may be on other people's computers.

The computers themselves can communicate with each other easily, through ports, using the different protocols that have been designed, but that doesn't really help you. You can't understand the streams of binary data that the computers exchange between themselves. You need some way for your computer to interpret the information that it receives from the other computers into a form that you can use. The programs that the computers use to translate the data that they exchange into a form that is useful to you are called services. These services allow you to view web pages, exchange e-mail, chat, and interact with remote computers in many other ways. Your computer, the local computer, uses programs called clients to interpret the information that you receive. The other computers, the remote computers, use programs called servers to provide this information to your computer.

4.1.1 HTTP and The Web


When you say 'the Internet', what comes to mind for most people is, in fact, the World Wide Web. The World Wide Web, or just the Web, is not the Internet. Instead, it is a method of using the Internet to exchange information between computers. The Web uses HTTP, or hypertext transfer protocol, and services known as web browsers and web servers to allow information in the form of web pages to be exchanged between local and remote computers.

On the local side, what you see is the web browser. Information from the remote computer is sent to your local computer using the HTTP protocol. The web browser interprets that information and displays it on your local computer in the form of web pages.

The hypertext part of the HTTP protocol refers to a non-linear method of presenting information. Text is normally read in a linear fashion: word 2 follows word 1; sentence 3 follows sentence 2; paragraph 5 follows paragraph 4. The idea of hypertext allows information to be viewed in a non-linear way. This is the major difference between hypertext and the older, plain text methods of displaying information. With hypertext, words and ideas can connect, not only with the words that directly surround them, but also with other words, ideas or images.

Hypertext is not restricted to the Web. Most full-featured word processors will allow you to create locally stored pages in web, or HTML, format. These pages are read using your web browser and act as would any other web page, only they are stored on your local computer, not a remote computer.

On your local computer, you use a client program called a web browser. Contrary to what you might have been led to believe, there are actually a number of web browsers available for both Windows and Linux. These include Microsoft's Internet Explorer, Netscape Navigator, and the Mozilla Firefox browsers.

You can also create your own web page. The easiest way to do this is to use one of the common word processors, such as OpenOffice, Microsoft Word, or WordPerfect. These programs will allow you to produce simple web pages, combining text, hypertext and images.


Plenty of people have made useful, clever and innovative web pages using these simple tools. But these pages aren't flashy. Flashy means frames and scripts and animations. It also means spending lots of money on a fancy web page design program. These programs allow you to create many interesting effects on your web page, but they are more complex to use than the word processors that you are probably already familiar with.

Once you have the pages designed, you'll need a computer to put them on, so that other people can view them. This is called web hosting. The hosting computer will be running a web server. It is possible to run one of these servers from your own home, using your own computer, but there are several drawbacks, the primary one being persistence. Information stored on a web server is only available when that server is powered up, operating properly and has an open connection. So, if you want to run a web server from your own bedroom, you have to leave your computer on all the time; you have to make sure that the web server program is operating properly all the time (this includes troubleshooting hardware problems, controlling viruses, worms and other attacks, and dealing with the inevitable bugs and flaws within the program itself); and you have to keep a connection to the Internet open. This is why most people pay someone else to do all this.

A web hosting company will store your web page on their computer. A perfect web hosting company will have multiple, redundant servers and a regular backup policy, so that your service is not lost because of hardware problems; a support staff to keep the server running despite hacker attacks and program bugs; and a number of open connections to the Internet, so that all you have to do is design your web page, upload it to the hosting company's server, hang up the phone, turn off the computer, and go to sleep, and your web page will be available to the entire world.

It's also possible to find organizations that offer free web hosting. Some of these organizations are funded by paid advertising, which means that anyone who wants to view your web page will first have to view someone else's advertisement. But they don't have to buy anything, and you don't have to pay anything.
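What the browser actually does with a URL, as an added example in Python (not from the lesson): it takes the port implied by the scheme, which is why a URL normally carries no port number (Exercise 2 of the previous lesson asks exactly this), sends a plain-text HTTP request, and parses the plain-text reply. The response bytes below are constructed for offline use, not captured from any server; `fetch` is the live version and assumes a plain HTTP (not HTTPS) URL.

```python
import socket
from urllib.parse import urlsplit

# Registered default ports; a URL only needs a port when it differs from these.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def target_of(url):
    """Return (host, port, path) the browser connects to for `url`."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("unsupported or incomplete URL: %r" % url)
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return parts.hostname, port, path


def build_request(url):
    """The bytes a browser sends for a simple GET (HTTP/1.1 requires Host:)."""
    host, port, path = target_of(url)
    scheme = urlsplit(url).scheme
    host_header = host if port == DEFAULT_PORTS[scheme] else "%s:%d" % (host, port)
    return ("GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n"
            % (path, host_header)).encode("ascii")


def parse_response(raw):
    """Split an HTTP response into (status code, headers dict, body bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: no end of headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    version, status, _reason = lines[0].split(" ", 2)
    if not version.startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "content-length" in headers:        # trust the declared length, not what arrived
        body = body[:int(headers["content-length"])]
    return int(status), headers, body


def fetch(url):
    """Live version: connect to the implied port, send the request, read it all.
    Assumes an http:// URL; https needs TLS, which is out of scope here."""
    host, port, _ = target_of(url)
    if urlsplit(url).scheme != "http":
        raise ValueError("only plain http is handled in this example")
    with socket.create_connection((host, port), timeout=10) as s:
        s.sendall(build_request(url))
        raw = b""
        while True:
            chunk = s.recv(65536)
            if not chunk:
                break
            raw += chunk
    return parse_response(raw)


# Constructed sample reply (not captured from any real server).  Note the
# two stray bytes after the declared Content-Length: a browser ignores them.
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Content-Type: text/html\r\n"
                   b"Content-Length: 24\r\n"
                   b"\r\n"
                   b"<html>Hello, HHS!</html>\r\n")

if __name__ == "__main__":
    print(build_request("http://www.hackerhighschool.org/license").decode())
    print(parse_response(SAMPLE_RESPONSE))
```

Everything in the exchange is readable text, which is why Netstat shows several HTTP lines for one page: each image or script the page references is fetched over its own connection, and each of those connections has its own local port.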

4.1.2 E-Mail: POP and SMTP


The second most visible aspect of the Internet is probably e-mail. On your computer, you use an e-mail client, which connects to a mail server. When you set up your e-mail account, you are given a unique name in the form of user@domain. You are also asked to provide a password to use to retrieve your e-mail.

The SMTP protocol, which is used to send e-mail, does not require a password. This may not have been a fault when the protocol was designed, and the Internet was a small world inhabited by like-minded people, but now it has become a loophole which allows for unauthorized use of mail servers and various other tricks, such as 'e-mail spoofing', in which someone sends an e-mail that appears to come from another address. However, some mail servers minimize this flaw by implementing an authentication step, in which you must prove your identity before you can send an e-mail.

One important thing to remember is, despite being password protected, e-mail is not a way to send secure information. Most POP clients and servers require that your password be communicated, unencrypted, to your mail server. This doesn't mean that anyone who receives an e-mail from you also receives your password; but it does mean that someone with the right knowledge and tools can relatively easily 'sniff out' your password. Today most providers require TLS (POP3S, IMAPS, SMTP with STARTTLS) and SMTP authentication, which keeps the password off the wire but does nothing against spoofing; that is what SPF, DKIM and DMARC are for. (For ideas on making your e-mail more secure, see the lesson E-mail Security.)
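The two weaknesses just described, seen from the wire, as an added example in Python that is not part of the lesson. Both session transcripts are constructed here for illustration (the addresses and password are invented); the first function recovers the POP3 password exactly as a sniffer would, the second shows that the SMTP envelope sender and the From: header are both chosen freely by the client and need not agree.

```python
import re

# Constructed transcripts (not real captures). "C:" is the client, "S:" the server.
POP3_SESSION = """\
S: +OK POP3 server ready
C: USER alice
S: +OK
C: PASS Tr0ub4dor&3
S: +OK Logged in.
C: STAT
S: +OK 2 3456
C: QUIT
S: +OK Bye"""

SMTP_SESSION = """\
S: 220 mail.example.net ESMTP
C: HELO laptop
S: 250 mail.example.net
C: MAIL FROM:<anyone@example.com>
S: 250 OK
C: RCPT TO:<bob@example.net>
S: 250 OK
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: The Boss <boss@example.net>
C: To: bob@example.net
C: Subject: Urgent
C:
C: Please wire the money today.
C: .
S: 250 OK queued
C: QUIT
S: 221 Bye"""


def _client_lines(transcript):
    """Only the bytes the client sent, i.e. what a sniffer needs to look at."""
    return [l[2:].lstrip(" ") for l in transcript.splitlines() if l.startswith("C:")]


def pop3_credentials(transcript):
    """A plain POP3 login sends USER and PASS in clear text.  Returns
    (user, password), or (None, None) if no clear-text login was seen
    (for example when APOP or TLS was used instead)."""
    user = password = None
    for line in _client_lines(transcript):
        verb, _, arg = line.partition(" ")
        if verb.upper() == "USER":
            user = arg
        elif verb.upper() == "PASS":
            password = arg
    return user, password


def smtp_spoof_check(transcript):
    """SMTP needs no password: MAIL FROM (the envelope) and the From: header
    inside DATA are both supplied by the client.  Report both, whether they
    agree, and whether the session ever authenticated (an AUTH command)."""
    envelope = header = None
    authenticated = in_data = False
    for line in _client_lines(transcript):
        if in_data:
            if line == ".":                          # end of message
                in_data = False
            elif header is None:
                m = re.match(r"From:\s*(?:.*<)?([^<>\s]+@[^<>\s]+)>?", line, re.I)
                if m:
                    header = m.group(1)
            continue
        m = re.match(r"MAIL FROM:\s*<?([^<>\s]*)>?", line, re.I)
        if m:
            envelope = m.group(1)
        elif line.upper().startswith("AUTH "):
            authenticated = True
        elif line.upper() == "DATA":
            in_data = True
    return {"envelope_from": envelope, "header_from": header,
            "authenticated": authenticated,
            "mismatch": (envelope is not None and header is not None
                         and envelope.lower() != header.lower())}


if __name__ == "__main__":
    print("POP3 login seen on the wire:", pop3_credentials(POP3_SESSION))
    print("SMTP sender check:", smtp_spoof_check(SMTP_SESSION))
```

A mismatch between envelope and header is not proof of forgery (mailing lists and forwarders produce it legitimately), which is why the receiving side checks the envelope domain with SPF and the headers with DKIM rather than relying on this comparison alone.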

4.1.3 IRC

IRC, or Internet relay chat, is where the unregulated nature of the Internet is most clearly expressed. On IRC, anyone with anything to say gets a chance to say it. You may be familiar with the chat rooms used by certain online services. IRC is just like a chat room, only there are no rules, there are no standards, and, quite often, there are no chaperones. You may find exactly what you are looking for on an IRC channel, or you may find something that you would rather never have known existed. All the rules that you've heard about chat rooms are applicable to IRC channels. Don't tell anyone your real name. Don't give out your phone number, your address, or your bank account numbers. But have fun!

Exercises:

Find and join three IRC channels which focus on security topics. How do you join in the public conversation? What do you have to do to have a private conversation with a person?

It is possible to exchange files through IRC. How could you do this? Would you always want to exchange files through IRC? Why or why not?

4.1.4 FTP
FTP stands for file transfer protocol. As the name implies, it allows for files to be transferred between a local and a remote computer. While it can be used for private file transfers, it is more commonly associated with free, anonymous FTP servers which offer public access to collections of files. Anonymous FTP was once the means by which most computer users exchanged files over the Internet. While many anonymous FTP servers are used to distribute files that are available illegally (and are possibly infected with viruses), there are also many which are legally used to distribute programs and files. Servers which offer anonymous FTP services can be found through various means, including Internet search engines. Most anonymous FTP servers now allow you to access their files using the FTP protocol through a web browser. Like telnet and POP, plain FTP sends the user name, password and file contents unencrypted, so it is only appropriate for public data; SFTP (file transfer over SSH) or FTPS is used where that matters.

Exercises:

Both Windows and Linux come with a basic, command line ftp client; to access it, open a command prompt or terminal window and type:

    ftp

At the ftp> prompt, you can type help to get a list of available commands:

    ftp> help
    Commands may be abbreviated.  Commands are:

    !               delete          literal         prompt          send
    ?               debug           ls              put             status
    append          dir             mdelete         pwd             trace
    ascii           disconnect      mdir            quit            type
    bell            get             mget            quote           user
    binary          glob            mkdir           recv            verbose
    bye             hash            mls             remotehelp
    cd              help            mput            rename
    close           lcd             open            rmdir

Some important commands are:

    ftp> open <domain.name>

which connects you to the ftp server named domain.name.

    ftp> ls

or

    ftp> dir

which lists the contents of the remote working directory.

    ftp> cd <newdir>

which changes the remote working directory to a directory named newdir.

    ftp> get <filename>

which downloads a file named filename from the remote computer to the local computer.

    ftp> mget <file1> <file2> <file3>

which downloads files named file1, file2, and file3 from the remote computer to the local computer.

    ftp> close

which disconnects you from the remote ftp server.

    ftp> quit

which shuts down your local ftp client.

To connect to an anonymous ftp service, you must first open your local ftp client:

    ftp

Use the open command to connect to the server. The command

    ftp> open <anon.server>

connects your ftp client with the anonymous ftp server named anon.server. When the remote ftp server makes its connection, it will identify itself to your local client, then ask for a user name.

    Connected to anon.server.
    220 ProFTPD Server (Welcome . . . )
    User (anon.server:(none)):

For most anonymous ftp servers, you should enter the word anonymous as the user name. The remote ftp server will acknowledge that you are connecting as an anonymous user, and will give you instructions on what to use as a password.

    331 Anonymous login ok, send your complete email address as your password.

In most cases, the remote server does not check the validity of the email address entered as a password, so it will not stop you from accessing the server if you enter an invalid address. However, this is considered to be a breach of etiquette. After you have entered a password, the remote server will send a welcome message to your local computer.

    230- Welcome to ftp.anon.server, the public ftp server of anon.server. We hope
    230- you find what you're looking for. If you have any problems or questions,
    230- please send email to ftpadmin@anon.server
    230- Thanks!
    230 Anonymous access granted, restrictions apply.

From here, you can use the ls, dir, cd and get commands to download files from the remote server to your local computer.

Using these examples, see if you can download a file from an anonymous ftp server. Use your web browser and a search engine to find an anonymous ftp server which has a copy of Alice in Wonderland, then, using the command line ftp client, not your web browser, try to download the file.
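The server replies in the transcript above follow a fixed format (RFC 959): a three-digit code, then either a space for a single-line reply or a hyphen for a multi-line reply that ends with a line carrying the same code followed by a space. Any FTP client has to parse this before it can tell whether the login worked. The reader below is an added example in Python, not part of the lesson or of any FTP client; the control stream it parses is constructed from the replies shown in the text.

```python
# Constructed server output for an anonymous login, in the format shown above.
SAMPLE_CONTROL_STREAM = """\
220 ProFTPD Server (Welcome . . . )
331 Anonymous login ok, send your complete email address as your password.
230-Welcome to ftp.anon.server, the public ftp server of anon.server.
230-We hope you find what you're looking for.
230-If you have any problems or questions, please send email to
230-ftpadmin@anon.server
230-Thanks!
230 Anonymous access granted, restrictions apply.
"""


def read_reply(lines, pos=0):
    """Read one FTP reply starting at lines[pos].
    'ddd text' is a one-line reply; 'ddd-text' opens a multi-line reply that
    ends at the first line starting with the same code and a space.
    Returns (code, [text lines], index of the next unread line)."""
    first = lines[pos]
    if len(first) < 4 or not first[:3].isdigit() or first[3] not in " -":
        raise ValueError("malformed reply line: %r" % first)
    code = int(first[:3])
    text = [first[4:]]
    pos += 1
    if first[3] == "-":
        while True:
            if pos >= len(lines):
                raise ValueError("multi-line reply %d never terminated" % code)
            line = lines[pos]
            pos += 1
            if line.startswith("%03d " % code):        # terminator
                text.append(line[4:])
                break
            # continuation lines may or may not repeat the code prefix
            text.append(line[4:] if line.startswith("%03d-" % code) else line)
    return code, text, pos


def parse_control_stream(data):
    """Split everything the server sent into a list of (code, text lines)."""
    lines = data.splitlines()
    replies, pos = [], 0
    while pos < len(lines):
        code, text, pos = read_reply(lines, pos)
        replies.append((code, text))
    return replies


def login_succeeded(replies):
    """Reply classes: 2xx completed, 3xx needs more input, 4xx/5xx failed.
    A login is good once 230 arrives with no failure before it."""
    for code, _ in replies:
        if code >= 400:
            return False
        if code == 230:
            return True
    return False


if __name__ == "__main__":
    for code, text in parse_control_stream(SAMPLE_CONTROL_STREAM):
        print(code, " | ".join(text))
    print("logged in:", login_succeeded(parse_control_stream(SAMPLE_CONTROL_STREAM)))
```

Getting the multi-line rule right matters for more than tidiness: a client that treats every line beginning with "230" as the end of the reply will stop reading early and interpret the rest of the banner as the answer to its next command.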

4.1.5 Telnet and SSH


Telnet allows a local user to send a wide variety of commands to a remote computer. This allows the local user to instruct the remote computer to perform functions and return data to the local computer, almost as if you were sitting at a keyboard in front of the remote computer. SSH, or secure shell, is intended as a secure replacement for telnet: telnet sends everything, including your user name and password, across the network unencrypted, while SSH encrypts the whole session and lets you verify that you are talking to the right server.

Again, both Windows and Linux come with a basic, command line telnet client; to access it, open a command prompt or terminal window and type: telnet. (On current versions of Windows the telnet client is an optional feature that has to be enabled first.) To access a telnet server, you will need to have an account and password set up for you by the administrator of the server, because the telnet program allows you to perform a large number of actions, some of which could severely compromise the remote computer. Telnet was used in the past to allow computer administrators to remotely control servers and to provide user support from a distance.

Telnet can also be used for a number of other tasks, such as sending and receiving e-mail and viewing the source code for web pages (although telnet does fall under the heading of the most difficult way to do these things). Telnet can be used to do many things that are illegal and immoral, but there are also legitimate reasons for using it. You can use telnet to check your e-mail, and view not just the subject line but the first few lines of an e-mail, which will allow you to decide whether or not to delete the e-mail without downloading the entire message.

4.1.6 DNS
When you want to call a friend on the phone, you need to know the correct phone number; when you want to connect to a remote computer, you also need to know its number. You may remember from previous lessons that, for computers on the Internet, this number is called the IP address. As numbers, these IP addresses are very easily managed by computers, but as humans, we prefer to use what are called domain names. For example, to connect to the Hacker Highschool web page, we type 'www.hackerhighschool.org' into the address bar of a web browser. However, the web browser can't use this name to connect to the server that hosts the Hacker Highschool web page; it must use the IP address. This means that your local computer must have some means of translating domain names into IP addresses. If there were only hundreds, or even thousands of computers on the Internet, then it might be possible for you to have a simple table stored on your computer to use to look up these addresses, but not only are there millions of computers on the Internet, the correlations between domain names and IP addresses can change daily. For this reason, DNS, the Domain Name System (often called Domain Name Service), is used to translate domain names into IP addresses.

When you type the domain name www.domainname.com into your web browser, your web browser contacts the DNS server chosen by your ISP. If that DNS server has www.domainname.com in its database, then it will return the IP address to your computer, allowing you to connect. If your DNS server doesn't have www.domainname.com in its database, then it will send a request to another DNS server, and it will keep sending requests to other DNS servers until it finds the correct IP address, or it establishes that the domain name is invalid.

Exercises:

To learn more about DNS:

Open an MS-DOS window and identify the IP address of your computer. What command have you used? What IP address do you have?

Identify the IP address of your DNS server. What command have you used? What is the IP address of the DNS server?

Ping www.isecom.org. Do you receive an affirmative answer? What IP address answers the ping?

Can you direct your computer to use a different DNS server? If so, change the configuration of your computer so that it uses a different DNS server. Ping www.isecom.org again. Do you receive the same response? Why?
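What the exchange with the DNS server looks like on the wire, as an added example in Python that is not part of the lesson: build the UDP query a resolver sends, and parse the answer section of the reply, including the name-compression pointers real servers use. The reply below is constructed locally so the example runs offline; the address 203.0.113.10 is a documentation address and not the real address of www.isecom.org. `resolve` is the live version and assumes you pass your DNS server's address.

```python
import random
import socket
import struct

TYPE_A, TYPE_CNAME, CLASS_IN = 1, 5, 1


def encode_name(name):
    """'www.isecom.org' -> b'\\x03www\\x06isecom\\x03org\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=None, qtype=TYPE_A):
    """12-byte header (id, flags with RD=1, one question) + question section."""
    if txid is None:
        txid = random.randrange(0, 1 << 16)   # unpredictable id makes spoofed replies harder
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def decode_name(msg, offset):
    """Read a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    for _ in range(128):                       # bound the walk against pointer loops
        length = msg[offset]
        if length & 0xC0 == 0xC0:              # pointer to a name earlier in the message
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    raise ValueError("name too long or pointer loop")


def parse_response(msg, expected_txid):
    """Return (rcode, [(name, type, ttl, value), ...]) from the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: reply is not for our query")
    if not flags & 0x8000:
        raise ValueError("not a response")
    offset = 12
    for _ in range(qd):                        # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == TYPE_A and rdlen == 4:
            value = ".".join(str(b) for b in msg[offset:offset + 4])
        elif rtype == TYPE_CNAME:
            value, _ = decode_name(msg, offset)
        else:
            value = msg[offset:offset + rdlen].hex()
        answers.append((name, rtype, ttl, value))
        offset += rdlen
    return flags & 0xF, answers


def build_response(query, ip, ttl):
    """Constructed reply for offline use: echo the question and answer with one
    A record whose owner name is a pointer (0xC00C) back to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
              + socket.inet_aton(ip))
    return header + query[12:] + answer


def resolve(name, server, port=53):
    """Live lookup over UDP against the given DNS server (not used offline)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(q, (server, port))
        data, _ = s.recvfrom(512)
    return parse_response(data, struct.unpack("!H", q[:2])[0])


if __name__ == "__main__":
    q = build_query("www.isecom.org", txid=0x1234)
    print(parse_response(build_response(q, "203.0.113.10", 3600), 0x1234))
```

The transaction-id check is the first of the defences a resolver has against a forged answer arriving before the real one; the exercise about switching DNS servers is the user-level version of the same question, since whoever answers the query decides which address you connect to.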

4.1.7 DHCP
DHCP, or Dynamic Host Configuration Protocol, allows for IP addresses to be dynamically allocated within a network. The network is given a block of IP addresses for its use. When a computer joins the network, it is assigned an IP address. When a computer leaves, its IP address becomes available for use by another computer. This is useful for large networks of computers, since it is not necessary for each computer to have an individually assigned, static IP address. Instead, you use a DHCP server. When a new computer connects to the network, the first thing that it does is request an IP address from the DHCP server. Once it has been assigned an IP address, the computer then has access to all the services of the network. The assignment is a lease with a time limit: the computer has to renew it before it runs out, or the address goes back into the pool. Because a client simply accepts the first offer it receives, a rogue DHCP server on the same network segment can hand out its own gateway and DNS server addresses, which is why managed switches offer DHCP snooping.
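The bookkeeping side of what was just described, as an added example in Python that is not part of the lesson and not any real DHCP server: a block of addresses, a lease time, renewal for a client that is still present, and expiry of leases that were never released. The address range and lease time are assumptions chosen for the demonstration; time is passed in as plain seconds so the behaviour can be checked without waiting.

```python
import ipaddress


class LeasePool:
    """The address bookkeeping a DHCP server does: a block of addresses, each
    handed out for a limited lease time and returned to the pool when the
    client releases it or the lease expires."""

    def __init__(self, first, last, lease_seconds):
        start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if end < start:
            raise ValueError("address range is backwards")
        self.free = [ipaddress.ip_address(n) for n in range(int(start), int(end) + 1)]
        self.lease_seconds = lease_seconds
        self.leases = {}            # ip -> (client MAC, expiry time)

    def expire(self, now):
        """Return expired addresses to the pool (run before every allocation)."""
        for ip, (_mac, until) in list(self.leases.items()):
            if until <= now:
                del self.leases[ip]
                self.free.append(ip)

    def discover(self, mac, now):
        """DHCPDISCOVER/OFFER: a client that still holds a lease gets the same
        address renewed; otherwise the lowest free address is offered.
        Returns the address, or None when the pool is exhausted."""
        self.expire(now)
        for ip, (holder, _until) in self.leases.items():
            if holder == mac:
                self.leases[ip] = (mac, now + self.lease_seconds)
                return ip
        if not self.free:
            return None
        ip = min(self.free)
        self.free.remove(ip)
        self.leases[ip] = (mac, now + self.lease_seconds)
        return ip

    def release(self, ip):
        """DHCPRELEASE: the client announces that it is leaving the network."""
        ip = ipaddress.ip_address(ip)
        if ip in self.leases:
            del self.leases[ip]
            self.free.append(ip)


if __name__ == "__main__":
    pool = LeasePool("192.168.1.100", "192.168.1.102", lease_seconds=600)
    for mac in ("aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", "cc:cc:cc:cc:cc:cc", "dd:dd:dd:dd:dd:dd"):
        print(mac, "->", pool.discover(mac, now=0))
```

A pool this small is exhausted by the fourth client, which is the effect an attacker aims for with DHCP starvation (requesting leases with many forged MAC addresses); expiry is what lets the pool recover once the forged clients stop renewing.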


4.2 Connections
Most computers connect to the Internet through a modem. Modems translate the digital signals produced by computers into analog signals that can be transmitted across commonly available telephone lines. Modem speeds are measured in baud or bits per second (strictly, baud counts signal changes per second and modern modems pack several bits into each change, but the two terms are used interchangeably here). Higher rates are better, since they allow for faster transmission of data, but you must also consider what you are planning to do. There are certain applications, such as telnetting into MUDs, for which a twenty year old 300 baud modem would still be acceptable (provided your typing speed wasn't so good), while high bandwidth applications such as streaming video can often strain even the most powerful cable modems.

4.2.1 ISPs
You don't just call up the Internet. You need to access a server that will connect your computer to the Internet. The server does all the heavy work, like being on all the time. The server is run by an ISP, or Internet Service Provider. An ISP has a point-of-presence on the Internet that is constant, and it has servers that run the services you are going to use. Now, you can run these services on your own. For example, you can run a mail server on your local computer, but it will require you to have your computer powered up and connected to a network all the time, just waiting for those brief moments when information has to be exchanged. An ISP, however, consolidates the efforts of a large number of users, so the mail server is working all the time, instead of sitting around, doing nothing. Additionally, an ISP's computers are going to use a high speed connection to connect to a NAP, or Network Access Point. These NAPs then interconnect with each other through ultra-high speed connections called backbones. This is the Internet.

4.2.2 Plain Old Telephone Service


POTS, or plain old telephone service, is still the most widely used method of accessing the Internet. Its primary disadvantage is its low speed, but in many cases this is made up for by its wide availability. Most national Internet service providers have a large number of local access numbers, and almost everyone still has a phone with a land line. In theory, if you had an acoustic modem and a pocket full of change, you could connect from almost any public pay phone. Not that you would really want to do that. POTS is slow. The fastest telephone modems are rated at a speed of 56,600 baud. That, however, as they explain in the small print, is a lie. Power constraints limit the actual download speed to about 53,000 baud and the effective rate is usually much lower. This doesn't compare very well with DSL or cable modems. That said, telephone service is widely available, and POTS based ISPs are relatively cheap (and sometimes free). You wouldn't want to trade pirated movies over POTS, because it's immoral, illegal and ties up your phone line all night and maybe into the afternoon, but you could certainly send friendly, text based e-mails to Granny. And if you used telnet, you could even do it with a dusty DOS based machine that you pulled out of the basement.

4.2.3 DSL
DSL, or digital subscriber line, is a method of sending large amounts of information over the wires that already exist for POTS. Its main advantage over POTS is that it is much faster than analog modems, and it provides a permanent connection. In addition, it allows you to make and receive regular telephone calls while you are connected to the Internet. Its main disadvantage is that its availability is limited by your proximity to the telephone company's switching equipment; if you live too far down the line, you're out of luck.

Exercises:

Using a web search engine, find two companies that supply DSL access. What other services do these companies provide (telephone service, TV service . . . )?

4.2.4 Cable Modems
Cable modems do not use the traditional telephone lines to connect to the Internet. Instead they make use of the fiber optic and coaxial cable network that cable companies use to transmit digital cable TV signals. Like DSL, cable modems allow you to make and receive regular telephone calls while you are connected to the Internet, and they provide a permanent connection, but cable modems are generally faster than DSL. Cable modems have two basic flaws. The first is that cable modem access is a shared resource, so your connection speeds will be decreased when there are other users in close geographic proximity. The second is that cable modem access is only available in areas where cable companies have installed the necessary wiring.

Exercises:

Using a web search engine, find two companies that provide Internet access through cable modems. What other services do these companies provide (telephone service, TV service . . . )?


Further Reading

How E-mail Works: http://computer.howstuffworks.com/email.htm
An IRC FAQ: http://www.irchelp.org/irchelp/new2irc.html
A Basic FTP FAQ (old, but extensive): http://www.faqs.org/faqs/ftp-list/faq/
Another FTP FAQ (also old): http://www.ibiblio.org/pub/Linux/docs/faqs/FTP-FAQ
An Overview of SMTP (with a link to RFC 821, which details the protocol): http://www.freesoft.org/CIE/Topics/94.htm
And a complementary Overview of POP3 (with a link to RFC 1725): http://www.freesoft.org/CIE/Topics/95.htm
An Overview of Telnet: http://www.dmine.com/bbscorner/telover.htm
Retrieving Mail with Telnet: http://wiki.linuxquestions.org/wiki/Retrieving_mail_manually_using_telnet
SSH, a more secure alternative to Telnet: http://www.openssh.com/
Basic DNS Information: http://hotwired.lycos.com/webmonkey/webmonkey/geektalk/97/03/index4a.html
More Detailed DNS Information: http://www.microsoft.com/technet/itsolutions/network/deploy/confeat/domain.mspx
A collection of DNS commands, tests and lookups: http://www.dnsstuff.com/
A detailed DHCP FAQ: http://www.dhcp-handbook.com/dhcp_faq.html
A long article on DHCP, with information on NAT and routers: http://hotwired.lycos.com/webmonkey/00/39/index3a.html?tw=backend
An Overview of Cable Modems: http://electronics.howstuffworks.com/cable-modem.htm


LESSON 5 SYSTEM IDENTIFICATION


Table of Contents

"License for Use" Information
Contributors
5.0 Introduction
5.1 Identifying a Server
5.1.1 Identifying the Owner of a Domain
5.1.2 Identifying the IP address of a Domain
5.2 Identifying Services
5.2.1 Ping and TraceRoute
5.2.2 Banner Grabbing
5.2.3 Identifying Services from Ports and Protocols
5.3 System Fingerprinting
5.3.1 Scanning Remote Computers
Further Reading


Contributors

Chuck Truett, ISECOM
Marta Barceló, ISECOM
Kim Truett, ISECOM
Pete Herzog, ISECOM


5.0 Introduction

It is obvious that someone who sits down at the keyboard of your computer can gather information about it, including the operating system and the programs that are running, but it is also possible for someone to use a network connection to gather information about a remote computer. This lesson will describe some of the ways in which that information can be gathered. Knowing how this information is gathered will help you to ensure that your local computer is safe from these activities.


5.1 Identifying a Server

There are a number of useful sources on the Web which will allow you to collect information about domain names and IP addresses.

5.1.1 Identifying the Owner of a Domain

The first step in identifying a remote system is to look at the domain name or IP address. Using a Whois lookup, you can discover valuable information, including the identity of the owner of a domain and contact information, which may include addresses and phone numbers. Note that there are now a number of domain name registrars, and not all whois databases contain information for all domains. You may have to look at more than one whois database to find information on the domain that you are investigating.

5.1.2 Identifying the IP address of a Domain

There are a number of ways to determine the IP address of a domain. The address may be contained in the whois information or you may have to use a DNS or Domain Name Service lookup. (A web search engine will provide a number of resources for discovering IP addresses from domain names.) Once you have the IP address, you can access the records of the various members of the Number Resource Organization (http://www.arin.net/ or http://www.ripe.net/), to gain information about how IP addresses are distributed. IP numbers are assigned to service providers and networks in large groups, and knowing which group an IP address is contained in, and who has the rights to that group, can be very useful. This can help you determine information about the server or service provider that a website uses.

Exercises:
1. Pick a valid domain name and use a Whois lookup to find out who owns that domain (http://www.whois.com -> "isecom.org" -> Go -> Whois Lookup). What other information is available? When was the domain created? When will it expire? When was it last updated?
2. Find the IP address for this domain name.
3. Using the whois lookups for the various members of the Number Resource Organization determine who this IP address has been assigned to. (Start with the www.arin.net page, which also links to the other members of the NRO.) What is the range of the other numbers that have also been registered to this entity?

5.2 Identifying Services

Once you have established the owner and the IP address of a domain, then you can start to look for information about the server to which that domain refers.

5.2.1 Ping and TraceRoute

Now that you know who owns the domain, and who the IP number has been assigned to, you can check to see if the server that the website is on is actually active. The ping command will tell you if there is actually a computer associated with that domain or IP. The command

    ping domain    or    ping ipaddress

will tell you if there is an active computer at that address. If the output of the ping command indicates that the packets sent were received, then you can assume that the server is active. Another command, tracert (in Windows) or traceroute (in Linux) will show you the steps that information takes as it travels from your computer to the remote computer. Tracing the route that the packets take will sometimes give you additional information about the computers in the network with the computer that is the target of your trace. For example, computers with similar IP addresses will often be part of the same network.

Exercises:
1. Ping a valid website or IP address (ping www.isecom.org or ping 216.92.116.13). If you get a successful response, ping the next IP address. Did this produce a successful response?
2. Use tracert or traceroute to trace the route from your local computer to the IP address that you used in the previous exercise. How many steps does it take? Do any of the listed computers have similar IP addresses?
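The two ideas in sections 5.1.2 and 5.2.1, that an IP address belongs to an allocated block with a known holder, and that hops with "similar" addresses usually belong to the same network, can be checked mechanically. The following Python is an added example and not part of the lesson; the allocation table and the traceroute hop list are constructed (the blocks are RFC 5737 documentation ranges and the holder names are invented), so it runs offline instead of querying ARIN or RIPE.

```python
import ipaddress

# Constructed sample of address-block allocations, in the spirit of the
# records that NRO members (ARIN, RIPE NCC and the others) publish. The
# blocks are taken from the RFC 5737 documentation ranges and the holder
# names are made up for this example.
SAMPLE_ALLOCATIONS = [
    ("203.0.0.0/16", "Example Regional Carrier"),
    ("203.0.113.0/24", "Example Hosting Ltd"),
    ("198.51.100.0/24", "Example ISP Inc"),
    ("192.0.2.0/24", "Example Content Network"),
]

# Constructed list of hop addresses, as a traceroute would print them.
SAMPLE_HOPS = ["192.168.1.1", "198.51.100.1", "198.51.100.9",
               "203.0.113.1", "203.0.113.77"]


def load_allocations(rows):
    """Turn (cidr, holder) rows into network objects, most specific first."""
    nets = [(ipaddress.ip_network(cidr, strict=True), holder) for cidr, holder in rows]
    # Longest prefix first, so a /24 wins over the /16 that encloses it.
    nets.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return nets


def find_allocation(ip, allocations):
    """Return (network, holder) for the most specific block containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    for net, holder in allocations:
        if addr in net:
            return net, holder
    return None


def same_block(ip_a, ip_b, allocations):
    """True when both addresses fall inside the same allocated block."""
    a = find_allocation(ip_a, allocations)
    b = find_allocation(ip_b, allocations)
    return a is not None and b is not None and a[0] == b[0]


def group_hops(hops, prefixlen=24):
    """Group traceroute hops by the /prefixlen network they sit in.

    Hops that share a network are usually routers or hosts of the same
    organisation, which is the lesson's point about similar addresses."""
    groups = {}
    for hop in hops:
        net = ipaddress.ip_network(f"{hop}/{prefixlen}", strict=False)
        groups.setdefault(str(net), []).append(hop)
    return groups


def describe(ip, allocations):
    hit = find_allocation(ip, allocations)
    if hit is None:
        return f"{ip}: no matching block in the sample table"
    net, holder = hit
    return f"{ip}: inside {net} ({net.num_addresses} addresses), held by {holder}"


if __name__ == "__main__":
    table = load_allocations(SAMPLE_ALLOCATIONS)
    for ip in ("203.0.113.77", "203.0.5.1", "10.0.0.1"):
        print(describe(ip, table))
    for net, hops in group_hops(SAMPLE_HOPS).items():
        print(net, "->", ", ".join(hops))
```

The longest-prefix sort matters: registries delegate large blocks to carriers who sub-allocate smaller ones, so the most specific match is the one that names the organisation actually running the server.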

5.2.2 Banner Grabbing

The next step in identifying a remote system is to try to connect using telnet and FTP. The server programs for these services display text messages called banners. A banner may state clearly and precisely what server program is running. For example, when you connect to an anonymous FTP server, you might get the following message:

    Connected to anon.server.
    220 ProFTPD Server (Welcome . . . )
    User (anon.server:(none)):

While the number 220 is an FTP code which indicates that the server is ready for a new user, the text message ProFTPD Server identifies the FTP server program that is running on the remote computer. Using a web search engine, you can learn what operating system the program runs on and other details about its requirements, capabilities, limitations, and flaws. The primary flaw in the use of banner grabbing to gather information about a system is that clever system administrators can spoof banners. A banner that reads NoneOfYourBusiness Server is obviously misleading, but a Unix system with a banner that reads WS_FTP Server (a Windows-based FTP server) is going to complicate any intelligence gathering that may be done.
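What a banner grab actually does is read the first thing a server says after the TCP connection opens, then pick the product name out of that text. The following Python is an added example, not code from the lesson: it parses the FTP greeting format used above and, so that it runs offline, starts a throwaway server on 127.0.0.1 that sends a constructed copy of the ProFTPD banner. The product list (ProFTPD, NcFTPd and WS_FTP from the lesson, plus vsFTPd) is an assumption of the example; a real inventory check would carry a much longer one.

```python
import re
import socket
import threading

# Constructed greeting modelled on the ProFTPD banner quoted in the lesson.
SAMPLE_FTP_BANNER = b"220 ProFTPD Server (Welcome . . . )\r\n"

# FTP server products the lesson mentions, plus vsFTPd; used to pull a
# product name out of free-form banner text.
KNOWN_PRODUCTS = ("ProFTPD", "NcFTPd", "WS_FTP", "vsFTPd")

# RFC 959 reply: three-digit code, a space (or '-' for multi-line), then text.
FTP_GREETING = re.compile(r"^(?P<code>\d{3})[ -](?P<text>.*)$")


def parse_ftp_greeting(line):
    """Split an FTP greeting into (reply code, text); None if it is not one."""
    m = FTP_GREETING.match(line.strip())
    if not m:
        return None
    return int(m.group("code")), m.group("text")


def product_from_banner(text):
    """Return the first known product name found in the banner, else None."""
    lowered = text.lower()
    for name in KNOWN_PRODUCTS:
        if name.lower() in lowered:
            return name
    return None


def grab_banner(host, port, timeout=3.0):
    """Connect and return whatever the server sends first, as text."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = s.recv(1024)
    return data.decode("ascii", errors="replace")


def serve_banner_once(banner):
    """Start a throwaway server on 127.0.0.1 that sends `banner` to one client.

    This stands in for a real FTP daemon so the example runs offline.
    Returns the port number the server listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return port


def inspect_banner(raw):
    """Summarise one captured banner: reply code, product, and whether the
    text reveals the server software at all (a spoofed banner would not)."""
    parsed = parse_ftp_greeting(raw)
    code, text = parsed if parsed else (None, raw.strip())
    product = product_from_banner(text)
    return {"raw": raw.strip(), "code": code, "product": product,
            "reveals_software": product is not None}


if __name__ == "__main__":
    port = serve_banner_once(SAMPLE_FTP_BANNER)
    print(inspect_banner(grab_banner("127.0.0.1", port)))
```

Run against your own servers, `reveals_software` is the field to watch: a banner that names the product and version hands the lesson's "requirements, capabilities, limitations, and flaws" search to anyone who connects.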

5.2.3 Identifying Services from Ports and Protocols

You can also determine what programs are running on a system by looking at what ports are open and what protocols are in use. Start by looking at your own local computer. Go to a command line or shell prompt and run the netstat program using the -a (or all) switch:

    netstat -a

The computer will display a list of open ports and some of the services that are using those ports:

    Active Connections

      Proto  Local Address              Foreign Address        State
      TCP    YourComputer:microsoft-ds  YourComputer:0         LISTENING
      TCP    YourComputer:1025          YourComputer:0         LISTENING
      TCP    YourComputer:1030          YourComputer:0         LISTENING
      TCP    YourComputer:5000          YourComputer:0         LISTENING
      TCP    YourComputer:netbios-ssn   YourComputer:0         LISTENING
      TCP    YourComputer:1110          216.239.57.147:http    TIME_WAIT
      UDP    YourComputer:microsoft-ds  *:*
      UDP    YourComputer:isakmp        *:*
      UDP    YourComputer:1027          *:*
      UDP    YourComputer:1034          *:*
      UDP    YourComputer:1036          *:*
      UDP    YourComputer:ntp           *:*
      UDP    YourComputer:netbios-ns    *:*
      UDP    YourComputer:netbios-dgm   *:*

From this you can see many of the programs and services that are running on your local computer – many of which you don't even realize are running. Another program, called fport, provides information similar to that which netstat does, but it also details which programs are using the open ports and protocols. (Fport is available for free download from www.foundstone.com.) Another program, called nmap (for network mapper), will more thoroughly probe your computer for open ports. When nmap is run, it will display a list of open ports and the services or protocols that use those ports. It may also be able to determine what operating system your computer is using. For example, if you run nmap on your local computer, you might see the following output:

    Port     State  Service
    22/tcp   open   ssh
    68/tcp   open   dhcpclient
    139/tcp  open   netbios-ssn
    445/tcp  open   microsoft-ds

    Device type: general purpose
    Running: Linux 2.4.X|2.5.X
    OS details: Linux Kernel 2.4.0 - 2.5.20
    Uptime 1.024 days (since Sat Jul 4 12:15:48 2004)

Nmap is available on your Hacker Highschool L.A.S. CD. It is also available for download from www.insecure.org.

Exercises:
1. Run netstat on your local computer, using the -a switch.

    netstat -a

What ports are open? Using a web search engine, can you match these ports with the services that run on them? (This would be a good exercise to try at home, also, to see if your computer is running unnecessary – and potentially dangerous – services, such as FTP and telnet.)
2. Run nmap, using the -sS (for SYN Stealth scan), and -O (for guess operating system) switches and the IP address 127.0.0.1 as the target.

    nmap -sS -O 127.0.0.1

The IP address 127.0.0.1 specifies the local host, or your local computer. (Note: this is different from the IP address that other computers on the internet use to communicate with yours; on any machine, the IP address 127.0.0.1 refers to the local computer.) What open ports does nmap find? What services and programs are using these ports? Try running nmap while you have a web browser or telnet client open. Does this change the results?
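The first exercise above (what is listening, and should it be?) is the kind of check worth automating on a machine you are responsible for. This Python is an added example and not part of the lesson: it parses a constructed netstat -a listing modelled on the one shown, with ftp and telnet listeners added so there is something to flag, and compares the listening sockets against a small allowed-services policy that is itself an assumption of the example. The service-name-to-port table holds the standard IANA numbers for the names that appear in the listing.

```python
import re

# Constructed netstat -a listing, modelled on the one in the lesson but
# with ftp and telnet listeners added so the audit has something to flag.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address              Foreign Address        State
  TCP    YourComputer:microsoft-ds  YourComputer:0         LISTENING
  TCP    YourComputer:1025          YourComputer:0         LISTENING
  TCP    YourComputer:ftp           YourComputer:0         LISTENING
  TCP    YourComputer:telnet        YourComputer:0         LISTENING
  TCP    YourComputer:netbios-ssn   YourComputer:0         LISTENING
  TCP    YourComputer:1110          216.239.57.147:http    TIME_WAIT
  UDP    YourComputer:ntp           *:*
  UDP    YourComputer:netbios-ns    *:*
"""

# Service name -> port number for the names used above (IANA assignments).
SERVICE_PORTS = {"ftp": 21, "telnet": 23, "http": 80, "ntp": 123,
                 "netbios-ns": 137, "netbios-ssn": 139, "microsoft-ds": 445}

# Services this example assumes a home workstation is meant to offer.
ALLOWED = {("TCP", 139), ("TCP", 445), ("UDP", 123), ("UDP", 137)}

LINE = re.compile(r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
                  r"(?:\s+(?P<state>\S+))?\s*$")


def port_number(name):
    """Resolve a netstat port field ('ftp', '1025') to an integer."""
    if name.isdigit():
        return int(name)
    return SERVICE_PORTS[name]


def parse_netstat(text):
    """Return one dict per connection line; header and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        host, port = m.group("local").rsplit(":", 1)
        records.append({"proto": m.group("proto"), "local_host": host,
                        "local_port": port_number(port),
                        "foreign": m.group("foreign"),
                        "state": m.group("state") or ""})
    return records


def listeners(records):
    """Sockets that accept input: TCP in LISTENING state, and every UDP socket.
    A TIME_WAIT entry is a finished outbound connection, not a listener."""
    return sorted({(r["proto"], r["local_port"]) for r in records
                   if (r["proto"] == "TCP" and r["state"] == "LISTENING")
                   or r["proto"] == "UDP"})


def unexpected_listeners(records, allowed=ALLOWED):
    """Listeners the policy does not account for, each with a reason."""
    findings = []
    for proto, port in listeners(records):
        if (proto, port) in allowed:
            continue
        if port in (21, 23):
            reason = "cleartext login service (ftp/telnet) exposed"
        elif port >= 1024:
            reason = "unregistered high port; identify the owning program (e.g. with fport)"
        else:
            reason = "not in the allowed-services policy"
        findings.append((proto, port, reason))
    return findings


if __name__ == "__main__":
    recs = parse_netstat(SAMPLE_NETSTAT)
    for proto, port, why in unexpected_listeners(recs):
        print(f"{proto}/{port}: {why}")
```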

5.3 System Fingerprinting
Now that you know how to identify a server and how to scan for open ports and use this information to determine what services are running, you can put this information together to fingerprint a remote system, establishing the most likely operating system and services that the remote computer is running.

5.3.1 Scanning Remote Computers

Using an IP address or a domain name other than 127.0.0.1 as an argument for nmap allows you to scan for open ports on remote computers. It doesn't mean that there will be open ports, or that you will find them, but it does allow you to try. For example, imagine that you have been receiving a large amount of spam e-mails, and you want to discover information about the person who is sending you these e-mails. Looking at the headers of one of the e-mails, you see that many of the e-mails have originated from the same IP address: 256.92.116.13 (see Lesson 9: E-mail Security for more details on reading e-mail headers). A whois lookup shows you that the address is part of a block assigned to a large ISP, but gives you no information regarding this particular IP address. If you then use nmap to scan the computer at that address, you get the following results:

    nmap -sS -O 256.92.116.13

    Starting nmap 3.50 ( http://www.insecure.org/nmap ) at 2004-07-03 20:13 Eastern Daylight Time
    Interesting ports on 256.92.116.13:
    (The 1632 ports scanned but not shown below are in state: closed)
    PORT     STATE     SERVICE
    21/tcp   open      ftp
    22/tcp   open      ssh
    23/tcp   open      telnet
    25/tcp   open      smtp
    80/tcp   open      http
    110/tcp  open      pop3
    113/tcp  open      auth
    135/tcp  filtered  msrpc
    136/tcp  filtered  profile
    137/tcp  filtered  netbios-ns
    138/tcp  filtered  netbios-dgm
    139/tcp  filtered  netbios-ssn
    143/tcp  open      imap
    144/tcp  open      news
    161/tcp  filtered  snmp
    306/tcp  open      unknown
    443/tcp  open      https
    445/tcp  filtered  microsoft-ds
    513/tcp  open      login
    514/tcp  open      shell

    No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
    TCP/IP fingerprint:
    SInfo(V=3.50%P=i686-pc-windows-windows%D=7/3%Time=40E74EC0%O=21%C=1)
    TSeq(Class=TR%IPID=RD%TS=1000HZ)
    T1(Resp=Y%DF=Y%W=FFFF%ACK=S++%Flags=AS%Ops=MNW)
    T2(Resp=N)
    T3(Resp=N)
    T4(Resp=N)
    T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
    T6(Resp=N)
    T7(Resp=N)

    Uptime 1.877 days (since Thu Jul 01 23:23:56 2004)

    Nmap run completed -- 1 IP address (1 host up) scanned in 775.578 seconds

The ports marked as filtered are well-known as potentially vulnerable to attack, so it is not a surprise to find them listed as filtered. What is most interesting is that ports 21, 22 and 23 – for ftp, ssh and telnet – are all listed as open. The last thing that nmap does is to try to identify the operating system that is running on the scanned computer. In this instance, the tests that nmap runs are inconclusive, however, since nmap does show that ftp and telnet services are both running, you can attempt to connect through each of those to see if there is a banner that will be broadcast. When you connect through FTP you see a banner that says:

    220 ftp316.pair.com NcFTPd Server (licensed copy) ready.

When you then connect through telnet, the computer displays a banner which says

    FreeBSD/i386 (ttyp7)

A quick web search tells you that NcFTPd is a Unix program and that FreeBSD is a Unix-type operating system, so it is likely that the server is running a version of FreeBSD as its operating system. You can't be certain that this is accurate (banners can be spoofed), but you can accept this as a reasonable guess. So, by using nmap, along with FTP and telnet, you have determined that the server which has been sending you spam runs a Unix-type operating system – probably FreeBSD – and is set up to send and receive a large variety of information, through a number of services including FTP, telnet, http, smtp and pop3.
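The reasoning just walked through (nmap's port table, an inconclusive OS match, then banners that suggest a Unix-type system) can be expressed as a small fingerprinting routine. The following Python is an added example and not part of the lesson. It parses a trimmed copy of the nmap output above and the two banners quoted, and produces a summary an administrator would want about one of their own hosts: what is open, what is filtered, which of the open services carry logins in cleartext, and how much the OS guess rests on spoofable banner text. The OS-name and product-to-platform tables are assumptions of the example.

```python
import re

# The nmap output from the lesson, trimmed to a handful of ports.
SAMPLE_NMAP = """\
Starting nmap 3.50 ( http://www.insecure.org/nmap ) at 2004-07-03 20:13 Eastern Daylight Time
Interesting ports on 256.92.116.13:
(The 1632 ports scanned but not shown below are in state: closed)
PORT     STATE     SERVICE
21/tcp   open      ftp
22/tcp   open      ssh
23/tcp   open      telnet
25/tcp   open      smtp
80/tcp   open      http
110/tcp  open      pop3
135/tcp  filtered  msrpc
139/tcp  filtered  netbios-ssn
443/tcp  open      https
No exact OS matches for host
"""

# Copies of the banners quoted in the lesson, keyed by the service that sent them.
SAMPLE_BANNERS = {
    "ftp": "220 ftp316.pair.com NcFTPd Server (licensed copy) ready.",
    "telnet": "FreeBSD/i386 (ttyp7)",
}

PORT_LINE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")

# Operating-system names worth recognising in banner text (assumed list).
OS_NAMES = ("FreeBSD", "OpenBSD", "NetBSD", "Linux", "SunOS", "Windows")

# Server products and the platform family they run on: NcFTPd is a Unix
# program and WS_FTP Server is Windows-based (both per the lesson); ProFTPD
# is a Unix daemon.
PRODUCT_PLATFORM = {"NcFTPd": "Unix-type", "ProFTPD": "Unix-type", "WS_FTP": "Windows"}

# Services that carry credentials or sessions without encryption.
CLEARTEXT = {"ftp", "telnet", "pop3", "imap", "login", "shell"}


def parse_nmap_ports(text):
    """Return one dict per 'port/proto state service' line of nmap output."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports.append({"port": int(m.group("port")), "proto": m.group("proto"),
                          "state": m.group("state"), "service": m.group("service")})
    return ports


def os_hints(banners):
    """Collect (service, OS or platform) hints from banner text. Banners are
    spoofable, so these are hints, never proof."""
    hints = []
    for service, text in banners.items():
        lowered = text.lower()
        for name in OS_NAMES:
            if name.lower() in lowered:
                hints.append((service, name))
        for product, platform in PRODUCT_PLATFORM.items():
            if product.lower() in lowered:
                hints.append((service, platform))
    return hints


def fingerprint(nmap_text, banners):
    """Combine the port table and banner hints into one summary."""
    ports = parse_nmap_ports(nmap_text)
    by_state = {}
    for p in ports:
        by_state.setdefault(p["state"], []).append(p["port"])
    hints = os_hints(banners)
    specific = [name for _, name in hints if name in OS_NAMES]
    # Prefer a concrete OS name; fall back to a platform family; else unknown.
    os_guess = specific[0] if specific else (hints[0][1] if hints else "unknown")
    cleartext = sorted(p["service"] for p in ports
                       if p["state"] == "open" and p["service"] in CLEARTEXT)
    return {"open": by_state.get("open", []),
            "filtered": by_state.get("filtered", []),
            "os_guess": os_guess, "hints": hints,
            "cleartext_services": cleartext,
            "nmap_os_match": "No exact OS matches" not in nmap_text}


if __name__ == "__main__":
    for key, value in fingerprint(SAMPLE_NMAP, SAMPLE_BANNERS).items():
        print(f"{key}: {value}")
```

When `nmap_os_match` is false and the guess comes only from `hints`, the conclusion carries exactly the caveat the lesson gives: reasonable, not certain.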


Further Reading
Nmap: http://www.insecure.org/nmap/
More on Nmap: http://www.networkmagazine.com/shared/article/showArticle.jhtml?articleId=8702942&classroom=
Fport: http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/fport.htm
A number of sites detailing ports and the services that use them:
http://www.chebucto.ns.ca/~rakerman/port-table.html
http://www.chebucto.ns.ca/~rakerman/port-table.html#IANA
http://www.iana.org/assignments/port-numbers
http://www.networksorcery.com/enp/protocol/ip/ports00000.htm
Various DNS lookups: http://www.dnsstuff.com/
Ping: http://www.freesoft.org/CIE/Topics/53.htm


LESSON 6 MALWARE


Table of Contents
"License for Use" Information
Contributors
6.0 Introduction
6.1 Viruses (Virii)
6.1.1 Introduction
6.1.2 Description
6.1.2.1 Boot Sector Viruses
6.1.2.2 The Executable File Virus
6.1.2.3 The Terminate and Stay Resident (TSR) Virus
6.1.2.4 The Polymorphic Virus
6.1.2.5 The Macro Virus
6.2 Worms
6.2.1 Introduction
6.2.2 Description
6.3 Trojans and Spyware
6.3.1 Introduction
6.3.2 Description
6.4 Rootkits and Backdoors
6.4.1 Introduction
6.4.2 Description
6.5 Logicbombs and Timebombs
6.5.1 Introduction
6.5.2 Description
6.6 Countermeasures
6.6.1 Introduction
6.6.2 Anti-Virus
6.6.3 NIDS
6.6.4 HIDS
6.6.5 Firewalls
6.6.6 Sandboxes
6.7 Good Safety Advice
Further Reading


Contributors
Simon Biles, Computer Security Online Ltd.
Kim Truett, ISECOM
Pete Herzog, ISECOM
Marta Barceló, ISECOM


6.0 Introduction

"Malware" are programs or parts of programs that have a malicious ( "Mal" ) or unpleasant effect on your computer security. This covers many different terms that you may have heard before, such as "Virus", "Worm" and "Trojan" and possibly a few that you haven't like "Rootkit", "Logicbomb" and "Spyware". This lesson will introduce, define and explain each of these subdivisions of malware, will give you examples, and will explain some of the countermeasures that can be put into place to restrict the problems caused by malware.

6.1 Viruses (Virii)

6.1.1 Introduction
Virus – this is the most common type of malware that people will be aware of. The reason that it is known as a virus, rather than anything else, is historical. The press ran the stories of the first computer virus at the same time as articles concerning the spread of AIDS. At the time, there were simple parallels that could be easily drawn between the two, propagation through interaction with a contaminated party, the reliance on a host and the ultimate "death" of anything infected. This resulted, and still does occasionally, in concerns that people could become "infected" with a computer virus.

6.1.2 Description
Viruses or virii are self-replicating pieces of software that, similar to a biological virus, attach themselves to another program, or, in the case of "macro viruses", to another file. The virus is only run when the program or the file is run or opened. It is this which differentiates viruses from worms. If the program or file is not accessed in any way, then the virus will not run and will not copy itself further. There are a number of types of viruses, although, significantly, the most common form today is the macro virus, and others, such as the boot sector virus are now only found "in captivity".

6.1.2.1 Boot Sector Viruses
The boot sector virus was the first type of virus created. It hides itself in the executable code at the beginning of bootable disks. This meant that in order to infect a machine, you needed to boot from an infected floppy disk. A long time ago, ( 15 years or so ) booting from floppy was a relatively regular occurrence, meaning that such viruses were actually quite well spread by the time that people figured out what was happening. This virus ( and all other types ) should leave a signature which subsequent infection attempts detect, so as not to repeatedly infect the same target. It is this signature that allows other software ( such as Anti-Virus-software ) to detect the infection.

6.1.2.2 The Executable File Virus
The Executable File virus attaches itself to files, such as .exe or .com files. Some viruses would specifically look for programs which were a part of the operating system, and thus were most likely to be run each time the computer was turned on, increasing their chances of successful propagation. There were a few ways of adding a virus to an executable file, some of which worked better than others. The simplest way ( and the least subtle ) was to overwrite the first part of the executable file with the virus code. This meant that the virus executed, but that the program would subsequently crash, leaving it quite obvious that there was an infection – especially if the file was an important system file.

6.1.2.3 The Terminate and Stay Resident (TSR) Virus
TSR is a term from DOS where an application would load itself into memory, and then remain there in the background, allowing the computer to run as normal in the foreground. The more complex of these viruses would intercept system calls that would expose them and return false results - others would attach themselves to the 'dir' command, and then infect every application in the directory that was listed – a few even stopped ( or deleted ) Anti-Virus software installed onto the systems.

6.1.2.4 The Polymorphic Virus
Early viruses were easy enough to detect. They had a certain signature to identify them, either within themselves as a method to prevent re-infection, or simply that they had a specific structure which it was possible to detect. Then along came the polymorphic virus. Poly – meaning multiple and morphic – meaning shape. These viruses change themselves each time they replicate, rearranging their code, changing encryption and generally making themselves look totally different. This created a huge problem, as instantly there were much smaller signatures that remained the same – some of the "better" viruses were reduced to a detection signature of a few bytes. The problem was increased with the release of a number of polymorphic kits into the virus writing community which allowed any virus to be recreated as a polymorph.

6.1.2.5 The Macro Virus
The Macro Virus makes use of the built-in ability of a number of programs to execute code. Programs such as Word and Excel have limited, but very powerful, versions of the Visual Basic programming language. This allows for the automation of repetitive tasks, and the automatic configuration of specific settings. These macro languages are misused to attach viral code to documents which will automatically copy itself on to other documents, and propagate. Although Microsoft has turned off the feature by default now on new installations, it used to be that Outlook would automatically execute certain code attached to e-mails as soon as they were read. This meant that viruses were propagating very quickly by sending themselves to all of the e-mail addresses that were stored on the infected machine.

Exercises:
1) Using the internet, try to find an example of each of the above types of virus.
2) Research the Klez virus:
- what is its "payload"
- the Klez virus is well known for SPOOFING. What is spoofing, and how does Klez use it?
- you just learned that your computer is infected with Klez. Research how to remove it.
3) You just received an email with the following Subject "Warning about your email account". The body of the message explains that your inappropriate use of email will result in your losing Internet privileges and that you should see the attachment for details. But you haven't done anything weird with email as far as you know. Are you suspicious? You should be. Research this information and determine what virus is attached to this message. (HINT: When you start thinking of breakfast – you're correct.)

6.2 Worms
6.2.1 Introduction
Worms are older than viruses. The first worm was created many years before the first virus. This worm made use of a flaw in the UNIX finger command to quickly bring down most of the Internet (which was much smaller at that time). This following section deals with worms.

6.2.2 Description
A worm is a program that, after it has been started, replicates without any need for human intervention. It will propagate from host to host, taking advantage of an unprotected service or services. It will traverse a network without the need for a user to send an infected file or e-mail. Most of the large incidents in the press recently have been worms rather than viruses.

Exercises:
1) Using the internet, see if you can find the first worm that was ever created.
2) Find out what vulnerability the Code Red and Nimda worms use to propagate.

6.3 Trojans and Spyware

6.3.1 Introduction
The first Trojan Horse was created by the Greeks several thousand years ago. ( Think about the film "Troy" if you have seen it ). The basic concept is that you sneak something nasty into an otherwise secure computer in the guise of something nicer. This can range from a downloaded game trailer to an e-mail promising naked pictures of your favorite celebrity. This section covers trojans and spyware.

6.3.2 Description
Trojans are pieces of malware which masquerade as something either useful or desirable in order to get you to run them. At this point they may well do something unpleasant to your computer such as install a backdoor or rootkit (see section 6.4), or - even worse - dial a premium rate phone number that will cost you money. Spyware is software that installs itself surreptitiously, often from websites that you might visit. Once it is installed it will look for information that it considers valuable. This may be usage statistics regarding your web surfing, or it might be your credit card number. Some pieces of spyware blow their cover by rather irritatingly popping up advertisements all over your desktop.

Exercises:
1) Using the internet, find an example of a trojan and of spyware.

6.4 Rootkits and Backdoors

6.4.1 Introduction
Often when a computer has been compromised by a hacker, they will attempt to install a method to retain easy access to the machine. There are many variations on this, some of which have become quite famous – have a look on the Internet for "Back Orifice" !

6.4.2 Description
Rootkits and backdoors are pieces of malware that create methods to retain access to a machine. They could range from the simple ( a program listening on a port ) to the very complex ( programs which will hide processes in memory, modify log files, and listen to a port ). Often a backdoor will be as simple as creating an additional user in a password file which has super-user privileges, in the hope that it will be overlooked. This is because a backdoor is designed to bypass the system's normal authentication. Both the Sobig and MyDoom viruses install back doors as part of their payload.

Exercises:
1) Find on the Internet examples of rootkits and backdoors.
2) Research "Back Orifice", and compare its functionality to the commercially available offering for remote systems management from Microsoft.
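The "extra super-user in the password file" backdoor is one of the easiest to check for, because on a Unix system super-user status is just UID 0 in /etc/passwd. The following Python is an added example, not part of the lesson: it parses a constructed passwd-style file (the planted account and the other entries are invented) and reports any UID-0 account that is not on the expected list, plus any UID shared by several accounts, which is the tell-tale of this trick.

```python
# Constructed /etc/passwd-style content. The "backup" line is the kind of
# planted super-user account the lesson describes; the other entries are
# invented normal-looking system and user accounts.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:0:0:backup helper:/var/backups:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
"""


def parse_passwd(text):
    """Yield one dict per well-formed passwd line; skip comments and junk."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; a real audit would report it separately
        name, _, uid, gid, gecos, home, shell = fields
        if not (uid.isdigit() and gid.isdigit()):
            continue
        yield {"line": lineno, "name": name, "uid": int(uid), "gid": int(gid),
               "gecos": gecos, "home": home, "shell": shell}


def extra_superusers(text, expected=("root",)):
    """Names of UID-0 accounts that are not on the expected list."""
    return [a["name"] for a in parse_passwd(text)
            if a["uid"] == 0 and a["name"] not in expected]


def duplicate_uids(text):
    """Map each UID shared by more than one account to the account names."""
    seen = {}
    for a in parse_passwd(text):
        seen.setdefault(a["uid"], []).append(a["name"])
    return {uid: names for uid, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    print("unexpected UID 0 accounts:", extra_superusers(SAMPLE_PASSWD))
    print("shared UIDs:", duplicate_uids(SAMPLE_PASSWD))
```

On a real host, run the same checks against /etc/passwd from a known-good baseline copy as well as the live file: a rootkit that hides processes can just as easily filter what `cat` shows you.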

6.5 Logicbombs and Timebombs

6.5.1 Introduction
Systems programmers and administrators can be quite odd people. It has been known for there to be measures on a system that will activate should certain criteria be met. For example: a program could be created that, should the administrator fail to log in for more than three weeks, would start to delete random bits of data from the disks. This occurred in a well-known case involving a programmer at a company called General Dynamics in 1992. He created a logicbomb which would delete critical data and which was set to be activated after he was gone. He expected that the company would then pay him significant amounts to come back and fix the problem. However, another programmer found the logic bomb before it went off, and the malicious programmer was convicted of a crime and fined $5,000 US dollars. The judge was merciful – the charges the man faced in court carried fines of up to $500,000 US dollars, plus jail time.

6.5.2 Description
Logicbombs and Timebombs are programs which have no replication ability and no ability to create an access method, but are applications or parts of applications that will cause damage to data should they become active. They can be stand-alone, or part of worms or viruses. Timebombs are programmed to release their payload at a certain time. Logicbombs are programmed to release their payload when a certain event occurs. The idea behind timebombs, however, is also a useful one. Timebomb programming is used to allow you to download and try a program for a period of time – usually 30 days. At the end of the trial period, the program ceases to function, unless a registration code is provided. This is an example of non-malicious timebomb programming.

Exercises:
1) What other reasonable ( and legal ) uses might there be for timebomb and logicbomb coding?
2) Think about how you might detect such a program on your system.

6.6 Countermeasures

6.6.1 Introduction
There are a number of ways that you can detect, remove and prevent malware. Some of these are common sense, others are technological alternatives. The following section highlights some of these, with a brief explanation and examples.

6.6.2 Anti-Virus
Anti-Virus-software is available in many commercial and Open Source versions. These all work following the same method. They each have a database of known viruses and they will match the signatures of these against the files on the system to see if there are any infections. Often though, with modern viruses, these signatures are very small, and there can often be false positives - things that appear to be viruses that are not. Some virus scanners employ a technique known as heuristics, which means that they have a concept of what a virus "looks like" and can determine if an unknown application matches these criteria. Recently AntiVirus software has also crossed the boundary into Host Based Intrusion Detection, by keeping a list of files and checksums in order to increase the speed of scanning.
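Three points in this section and in 6.1.2.4 (signature matching, why a few-byte signature produces false positives, and using a checksum list to skip unchanged files) fit in one small scanner. The following Python is an added example and not part of the lesson or of any anti-virus product: the signature database and the file contents are constructed, and the two-byte "MZ" signature is deliberately chosen because every Windows executable starts with those bytes, so it matches harmless programs too.

```python
import hashlib

# Constructed signature database: (name, byte pattern). A real product holds
# hundreds of thousands of these. "Tiny.Sig" is deliberately two bytes long:
# "MZ" begins every Windows executable, so it will match harmless programs.
SIGNATURES = [
    ("Sample.Marker", b"XX-SAMPLE-MARKER-STRING-XX"),
    ("Tiny.Sig", b"MZ"),
]

# Constructed file contents to scan (name -> bytes).
SAMPLES = {
    "sample.bin": b"\x00\x01 XX-SAMPLE-MARKER-STRING-XX \x00",
    "editor.exe": b"MZ\x90\x00\x03\x00 harmless program image",
    "readme.txt": b"plain text, nothing to see here",
}


def scan_bytes(data, signatures=SIGNATURES):
    """Names of every signature whose pattern occurs somewhere in data."""
    return [name for name, pattern in signatures if pattern in data]


def scan_many(files, signatures=SIGNATURES, cache=None):
    """Scan a name->bytes mapping, skipping files whose SHA-256 is unchanged.

    `cache` maps file name -> (sha256 hex, previous result). This is the
    checksum-list trick the lesson mentions: only changed files are rescanned.
    Returns (results, number of files actually scanned)."""
    cache = {} if cache is None else cache
    results, rescanned = {}, 0
    for name, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        cached = cache.get(name)
        if cached and cached[0] == digest:
            results[name] = cached[1]
            continue
        rescanned += 1
        results[name] = scan_bytes(data, signatures)
        cache[name] = (digest, results[name])
    return results, rescanned


def likely_false_positives(results, signatures=SIGNATURES, min_len=8):
    """Hits produced by signatures shorter than min_len bytes. Such hits are
    weak evidence on their own and should be confirmed by other means."""
    short = {name for name, pattern in signatures if len(pattern) < min_len}
    return {f: [n for n in hits if n in short] for f, hits in results.items()
            if any(n in short for n in hits)}


if __name__ == "__main__":
    cache = {}
    first, scanned_first = scan_many(SAMPLES, cache=cache)
    second, scanned_second = scan_many(SAMPLES, cache=cache)
    print("results:", first)
    print("files scanned on first pass:", scanned_first, "second pass:", scanned_second)
    print("weak hits:", likely_false_positives(first))
```

The cache also shows the limit of the checksum shortcut: it only saves work for files that have not changed, and the list itself must be protected, or a file can be swapped and its cached "clean" verdict swapped with it.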

6.6.3 NIDS
Network intrusion detection is similar to AntiVirus software. It looks for a particular signature or behavior from a worm or virus. It can then either alert the user, or automatically stop the network traffic carrying the malware.

6.6.4 HIDS
Host based Intrusion Detection systems, such as Tripwire, are capable of detecting changes made to files. It is reasonable to expect that an application, once it is compiled, should not need to change, so watching various aspects of it, such as its size, last modification date and checksum, makes it instantly obvious that something is wrong.
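A Tripwire-style check is a baseline of size, modification time and checksum per file, compared again later. The following Python is an added example and not Tripwire's code or any part of the lesson. Its demonstration creates a constructed "program image" in a temporary directory, baselines it, patches one byte in place and puts the timestamp back, which is what someone hiding a change would do; the report shows that size and date pass while the SHA-256 still catches it. The file names in the demo are invented.

```python
import hashlib
import json
import os
import tempfile

WATCHED_FIELDS = ("size", "mtime_ns", "sha256")


def file_record(path):
    """Size, modification time and SHA-256 of one file: the Tripwire-style checks."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": h.hexdigest()}


def build_baseline(paths):
    return {p: file_record(p) for p in paths}


def save_baseline(baseline, path):
    # In a real deployment the baseline lives on read-only or offline media;
    # otherwise whoever can change the binaries can change the baseline too.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare_baseline(baseline, paths):
    """Report files that changed (and which fields), went missing, or are new."""
    current = {p: file_record(p) for p in paths if os.path.exists(p)}
    report = {"changed": {}, "missing": [], "new": []}
    for path, old in baseline.items():
        if path not in current:
            report["missing"].append(path)
            continue
        diffs = [k for k in WATCHED_FIELDS if old[k] != current[path][k]]
        if diffs:
            report["changed"][path] = diffs
    report["new"] = [p for p in current if p not in baseline]
    return report


def demo_tamper():
    """Baseline two constructed files, then: patch one byte of the first while
    restoring its timestamp, delete the second, and drop in a new file.
    Returns (report, {'app':..., 'lib':..., 'new':...}) with the paths used."""
    with tempfile.TemporaryDirectory() as d:
        app = os.path.join(d, "app.bin")
        lib = os.path.join(d, "helper.so")
        new = os.path.join(d, "dropin.so")
        with open(app, "wb") as f:
            f.write(b"\x7fELF constructed program image")
        with open(lib, "wb") as f:
            f.write(b"\x7fELF constructed library image")
        baseline = build_baseline([app, lib])

        st = os.stat(app)
        with open(app, "r+b") as f:      # patch one byte in place: size unchanged
            f.seek(4)
            f.write(b"X")
        os.utime(app, ns=(st.st_atime_ns, st.st_mtime_ns))   # put the timestamp back
        os.remove(lib)
        with open(new, "wb") as f:
            f.write(b"\x7fELF constructed unexpected file")

        return compare_baseline(baseline, [app, lib, new]), {"app": app, "lib": lib, "new": new}


if __name__ == "__main__":
    report, paths = demo_tamper()
    print(json.dumps(report, indent=2))
```

Size and date are cheap to check but trivially forged, as the demo shows; the checksum is the field that cannot be put back without undoing the change itself.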

6.6.5 Firewalls
Worms propagate across the network by connecting to vulnerable services on each host. Apart from ensuring that none of these vulnerable services are running, the next best thing is to ensure that your firewall does not allow connections to these services. Many modern firewalls will provide some form of packet filtering similar to a NIDS which will rule out packets matching a certain signature. (Firewalls are discussed in more detail in section 7.1.2.)

6.6.6 Sandboxes
The concept of a sandbox is simple. Your application has its own little world to play in and can't do anything to the rest of your computer. This is implemented as standard in the Java programming language, and can also be implemented through other utilities such as chroot in Linux. This restricts the damage that any malware can do to the host operating system by simply denying it the access required. Another option is to run a full machine inside a machine using a virtual machine product such as VMware. This isolates the virtual machine from the host operating system, only allowing access as defined by the user.

Example - http://www.vmware.com - VMware virtual machines

Exercises:
1. Matching Game: Research each of the following and match it to the type of countermeasure that it is:
   1. http://www.vmware.com
   2. http://www.tripwire.org
   3. http://www.snort.org
   4. http://www.checkpoint.com
   5. http://www.sophos.com
   NIDS / Antivirus / Firewalls / Sandboxes / HIDS

2. Research Spybot Search and Destroy and determine what type of malware it protects your computer against.
3. Research how NIDS and HIDS work.
4. Research Firewall solutions on the net.
5. Look up "chroot" on the internet. Read about this type of "jail" or "sandbox".



6.7 Good Safety Advice


There are a number of simple things that you can do in order to minimize your risk from Malware.

- Only download from reputable sources (that means no W4R3Z, please).
- Don't open e-mail attachments from people you don't know.
- Don't leave macros enabled by default in your applications.
- Keep your OS and applications up to date with patches.
- If downloading and installing software with a checksum - check the checksum.



Further Reading
Vendor Sites - http://www.sophos.com http://www.symantec.com http://www.fsecure.com
All of these sites have databases listing details of trojans, viruses and other malware. There are also detailed descriptions of the functioning of the above.
http://www.cess.org/adware.htm
http://www.microsoft.com/technet/security/topics/virus/malware.mspx
http://www.zeltser.com/sans/gcih-practical/revmalw.html
http://www.securityfocus.com/infocus/1666
http://www.spywareguide.com/
http://www.brettglass.com/spam/paper.html
http://www.lavasoft.nu/ - Adware Cleaning Software (Freeware Version)
http://www.claymania.com/removal-tools-vendors.html
http://www.io.com/~cwagner/spyware.html
http://www.bo2k.com/
http://www.sans.org/rr/catindex.php?cat_id=36


LESSON 7 ATTACK ANALYSIS




Table of Contents
"License for Use" Information
Contributors
7.0 Introduction
7.1 Netstat and Host Application Firewalls
7.1.1 Netstat
7.1.2 Firewalls
7.1.3 Exercises
7.2 Packet Sniffers
7.2.1 Sniffing
7.2.2 Decoding Network Traffic
7.2.3 Sniffing Other Computers
7.2.4 Intrusion Detection Systems
7.2.5 Exercises
7.3 Honeypots and Honeynets
7.3.1 Types of Honeypots
7.3.2 Building a Honeypot
7.3.3 Exercises
Further Reading
Glossary


Contributors
Pete Herzog, ISECOM
Chuck Truett, ISECOM
Marta Barceló, ISECOM
Kim Truett, ISECOM


7.0 Introduction


There are a lot of programs on your computer that will want to open up network connections. Some of these programs have valid reasons for connecting (your web browser won't work nearly as well without access to a network connection as it will with one), others have been written by people with motives ranging from questionable to criminal. If you want to protect your computer, you'll have to learn how to detect network access, and identify the source and intent. Not every attempt at network access is an attack, but if you don't know how to identify friend from foe, you might as well just leave your door open.

7.1 Netstat and Host Application Firewalls


To be able to identify an attack, you have to know what applications and processes normally run on your computer. Just looking at a graphical interface, whether in Windows or Linux, won't let you see what's going on underneath the surface. Netstat and a firewall can be used to help you identify which programs should be allowed to connect with the network.

7.1.1 Netstat
(netstat is also discussed in section 5.2.3) The netstat command will display the status of the network. Netstat can give you information about what ports are open and the IP addresses that are accessing them, what protocols those ports are using, the state of the port, and information about the process or program using the port. At a command prompt enter:

netstat -aon (for Windows) or netstat -apn (for Linux)

and netstat will produce a display similar to this:

Active Connections

Proto  Local Address        Foreign Address       State        PID
TCP    0.0.0.0:1134         0.0.0.0:0             LISTENING    3400
TCP    0.0.0.0:1243         0.0.0.0:0             LISTENING    3400
TCP    0.0.0.0:1252         0.0.0.0:0             LISTENING    2740
TCP    257.35.7.128:1243    64.257.167.99:80      ESTABLISHED  3400
TCP    257.35.7.128:1258    63.147.257.37:6667    ESTABLISHED  3838
TCP    127.0.0.1:1542       0.0.0.0:0             LISTENING    1516
TCP    127.0.0.1:1133       127.0.0.1:1134        ESTABLISHED  3400
TCP    127.0.0.1:1134       127.0.0.1:1133        ESTABLISHED  3400
TCP    127.0.0.1:1251       127.0.0.1:1252        ESTABLISHED  2740
TCP    127.0.0.1:1252       127.0.0.1:1251        ESTABLISHED  2740

Now, you need to match the numbers in the PID column with names of the processes that are running. In Windows, you should bring up the Windows Task Manager, by pressing CTRL+ALT+DEL. (If it doesn't show a PID column, click on View, then Select Columns, then select PID.) In Linux, go to a command prompt and enter ps auxf to display the process status. In the case of our example results listed above, we find that PID 3400 belongs to our web browser and PID 2740 belongs to our email client, both of which we have knowingly executed, and both of which have valid reasons for establishing connections to the Internet. However, PID 3838 belongs to a program named 6r1n.exe, and PID 1516 belongs to a program named buscanv.exe, neither of which we are familiar with. However, just because you don't recognize the name of a program, that doesn't mean that it doesn't have a reason to be running on your system. The next step in this process is for us to go to an Internet search engine and try to discover what these two programs do. In our search, we discover that buscanv.exe is required by our virus scanner and should be running. However, 6r1n.exe could be a trojan. Looking again at the display from netstat, we can see that the port associated with the 6r1n.exe program is 6667, an IRC port commonly used by trojans for remote access. At this point, we begin researching methods for removing the trojan.
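The matching step just described can be scripted. The following added example (written for this edit, not code from the lesson) parses the netstat -aon listing shown above, reports which ports each PID is listening on, and flags any established connection to an outside host whose owning program is not on a list the user has already looked up. The PID-to-program table and the trusted list are constructed stand-ins for what you would read off Task Manager or ps auxf; the addresses are the lesson's own sample values, not real hosts.

```python
"""Turn 'netstat -aon' output into records and cross-check them against the process list.
Added example for this lesson, not code from Hacker Highschool. SAMPLE_NETSTAT is the
lesson's listing transcribed (its addresses are sample values); PROCESS_NAMES and TRUSTED
are constructed stand-ins for what Task Manager or 'ps auxf' would tell you."""
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_addr local_port remote_addr remote_port state pid")

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:1134           0.0.0.0:0              LISTENING       3400
  TCP    0.0.0.0:1243           0.0.0.0:0              LISTENING       3400
  TCP    0.0.0.0:1252           0.0.0.0:0              LISTENING       2740
  TCP    257.35.7.128:1243      64.257.167.99:80       ESTABLISHED     3400
  TCP    257.35.7.128:1258      63.147.257.37:6667     ESTABLISHED     3838
  TCP    127.0.0.1:1542         0.0.0.0:0              LISTENING       1516
  TCP    127.0.0.1:1133         127.0.0.1:1134         ESTABLISHED     3400
  TCP    127.0.0.1:1134         127.0.0.1:1133         ESTABLISHED     3400
  TCP    127.0.0.1:1251         127.0.0.1:1252         ESTABLISHED     2740
  TCP    127.0.0.1:1252         127.0.0.1:1251         ESTABLISHED     2740
"""

# Constructed: what the PID column resolved to after checking the process list.
PROCESS_NAMES = {3400: "firefox.exe", 2740: "thunderbird.exe", 1516: "buscanv.exe", 3838: "6r1n.exe"}
# Programs the owner has researched and expects to use the network.
TRUSTED = {"firefox.exe", "thunderbird.exe", "buscanv.exe"}
# Remote ports worth a note when an unrecognised program uses them (IRC is the lesson's case).
WATCHED_REMOTE_PORTS = {6667: "IRC"}

# Proto, local addr:port, foreign addr:port, optional State (UDP lines have none), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")


def _port(text: str) -> int:
    return 0 if text == "*" else int(text)


def parse_netstat(text: str) -> list:
    """Banner, blank and header lines do not match the pattern and are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, laddr, lport, raddr, rport, state, pid = m.groups()
            conns.append(Conn(proto, laddr, _port(lport), raddr, _port(rport), state or "", int(pid)))
    return conns


def is_outside(addr: str) -> bool:
    """Loopback and the unspecified address are local; anything else is another host."""
    return addr not in ("0.0.0.0", "*") and not addr.startswith("127.")


def listening_ports(conns) -> dict:
    """PID -> sorted list of ports that process is listening on."""
    out = {}
    for c in conns:
        if c.state == "LISTENING":
            out.setdefault(c.pid, []).append(c.local_port)
    return {pid: sorted(ports) for pid, ports in out.items()}


def review(conns, names, trusted, watched=WATCHED_REMOTE_PORTS) -> list:
    """One finding per established connection to an outside host from a program not yet vetted."""
    findings = []
    for c in conns:
        name = names.get(c.pid, "<unknown>")
        if c.state == "ESTABLISHED" and is_outside(c.remote_addr) and name not in trusted:
            findings.append({"pid": c.pid, "program": name,
                             "remote": f"{c.remote_addr}:{c.remote_port}",
                             "note": watched.get(c.remote_port, "")})
    return findings
```

On the sample, the only finding is PID 3838 talking to port 6667, which is exactly the connection the walk-through singles out; the browser's connection to port 80 is not reported because its program is already on the trusted list.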

7.1.2 Firewalls
Now, you could sit at your computer and run netstat over and over and over and over, keeping a constant vigil on the data moving in and out of your computer, or you could use a firewall program to do it for you. A firewall monitors network traffic on your computer and uses a number of rules or filters to determine whether or not a program should be allowed to access the network. A firewall can filter data according to IP addresses and domain names, ports and protocols, or even transmitted data. This means that you can do things such as:

- block or allow all data coming from a specific IP address
- block or allow all data coming from a specific domain
- close or open specific ports
- block or allow specific protocols
- block or allow packets which contain specific data strings.

You can also combine these filters to allow for careful control of the data that is allowed through the network. For example, you could:

- allow data from www.ibiblio.com through ports 20 or 21 only
- allow data from www.google.com that uses the UDP protocol
- allow data from www.yahoo.com only through port 80 and only if the packets contain the text string "I will not waste bandwidth".

You, however, won't need to work out all the rules on your own. You can take advantage of the firewall's ability to set these filters itself. After you first install a firewall, you will be hit with a flurry of warnings and requests for access, and you will have to determine whether or not a program will be allowed to access the network. (The firewall may also give you the option to let the firewall determine what rights programs have to access the network, but then you wouldn't learn anything, would you?) This process is going to be similar to the one that we used to identify the programs listed by netstat. A program named iexplorer.exe is obviously Microsoft's Internet Explorer and, if you use it as your web browser, then the firewall must allow it to access the Internet. But a program named cbox.exe could be anything. You've got no


choice but to go to your preferred web search engine and check it out. (Of course, before you can do this, you've got to tell the firewall to allow your web browser to access the Internet.) The firewall program should also give you the option to allow access to a program repeatedly, or just once. Some programs - like your web browser - should be allowed to access the network anytime, but for other programs - such as the ones that automatically check for program updates - you can learn a lot about how your computer works by having the firewall ask for permission every time that the program requests access. Firewalls are available as stand-alone programs (including a number of free versions for both Windows and Linux) or they are often bundled with anti-virus software. Additionally, Windows XP comes with a built-in firewall, but, as is the case with Windows Internet Explorer, it will be targeted by people looking for exploits - flaws in other firewalls may never be found, but flaws in a Microsoft firewall will be found and they will be exploited.

Exercises:
Open up a command prompt on your computer and enter:

netstat -aon (for Windows) or netstat -apn (for Linux)

Match the PID numbers with program names and try to determine which programs on your computer are accessing the network. (This is something that you can try at home, also.)
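The filter types and the three combined examples in this section map directly onto rule objects. This added example (not code from the lesson or from any firewall product) implements a first-match, default-deny rule list with address, domain, port, protocol and payload conditions. The hosts, addresses and packets in evaluate_samples() are constructed, and the 203.0.113.0/24 block rule is an assumption added to show a plain address filter ahead of the domain rules.

```python
"""Toy packet-filter rule engine showing the filter types listed in the lesson.
Added example, not code from Hacker Highschool or any firewall product. The three
'allow' rules are the lesson's own examples; the blocked range, the addresses and
the packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src_ip: str
    src_host: str          # name the firewall resolved for src_ip, "" if none
    dst_port: int
    proto: str             # "TCP" or "UDP"
    payload: bytes = b""


@dataclass
class Rule:
    action: str                          # "allow" or "block"
    src_net: Optional[str] = None        # CIDR such as "203.0.113.0/24"
    src_host: Optional[str] = None       # domain name
    ports: frozenset = frozenset()       # empty means any port
    proto: Optional[str] = None
    contains: Optional[bytes] = None     # byte string that must appear in the payload

    def matches(self, p: Packet) -> bool:
        """Every condition that is set must hold; unset conditions match anything."""
        if self.src_net and ip_address(p.src_ip) not in ip_network(self.src_net, strict=False):
            return False
        if self.src_host and p.src_host != self.src_host:
            return False
        if self.ports and p.dst_port not in self.ports:
            return False
        if self.proto and p.proto != self.proto:
            return False
        if self.contains is not None and self.contains not in p.payload:
            return False
        return True


def decide(rules, packet: Packet, default: str = "block") -> str:
    """First matching rule wins. Default-deny: anything no rule allows is dropped."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default


# Order matters: the address block sits first so it cannot be overridden by a domain rule.
EXAMPLE_RULES = [
    Rule("block", src_net="203.0.113.0/24"),                         # constructed blocked range
    Rule("allow", src_host="www.ibiblio.com", ports=frozenset({20, 21})),
    Rule("allow", src_host="www.google.com", proto="UDP"),
    Rule("allow", src_host="www.yahoo.com", ports=frozenset({80}),
         contains=b"I will not waste bandwidth"),
]


def evaluate_samples() -> dict:
    """Constructed packets, one per rule branch, mapped to the firewall's decision."""
    samples = {
        "ibiblio ftp":   Packet("198.51.100.10", "www.ibiblio.com", 21, "TCP"),
        "ibiblio http":  Packet("198.51.100.10", "www.ibiblio.com", 80, "TCP"),
        "google udp":    Packet("198.51.100.20", "www.google.com", 53, "UDP"),
        "google tcp":    Packet("198.51.100.20", "www.google.com", 80, "TCP"),
        "yahoo polite":  Packet("198.51.100.30", "www.yahoo.com", 80, "TCP",
                                b"...I will not waste bandwidth..."),
        "yahoo other":   Packet("198.51.100.30", "www.yahoo.com", 80, "TCP", b"GET / HTTP/1.1"),
        "blocked range": Packet("203.0.113.7", "www.ibiblio.com", 21, "TCP"),
    }
    return {name: decide(EXAMPLE_RULES, pkt) for name, pkt in samples.items()}
```

The "blocked range" packet would satisfy the ibiblio rule, but the address rule comes first, which is why a real rule set is read top to bottom when you audit it.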


7.2 Packet Sniffers


Netstat will tell you what programs are connected to the network, but it won't show you what data these programs are sending. A packet sniffer, however, gives you the means to record and study the actual data that the programs are sending through the network.

7.2.1 Sniffing
A packet sniffer will record the network traffic on your computer, allowing you to look at the data. Tcpdump (and its Windows port, windump) may be considered the archetypical packet sniffers, but we're going to use Ethereal for our examples, because its graphical interface is simpler, and it allows you to more quickly record and view a basic capture file. If you don't already have Ethereal, it can be downloaded from www.ethereal.com. Note to Windows users: To use Ethereal on a Windows based system, you must first download and install the WinPcap packet capture driver. WinPcap is available on the Ethereal download page or you can go to www.winpcap.polito.it to download it directly. Shut down all other applications, then start Ethereal. In the menu click on View then Autoscroll in Live Capture. Next, click on Capture, then Start to go to the Capture Options screen. On the Capture Options screen, make sure that the box marked "Capture packets in promiscuous mode" is not checked, that the three check boxes under "Name Resolution" are checked, and that the box marked "Update list of packets in real time" is checked.


Now, click on the "OK" button. In theory, nothing should happen now. You'll see a window for Ethereal which displays the number of packets that have been captured, and, behind this, you'll see the Ethereal screen which displays the data in those packets. You may see a small amount of traffic that is caused by the computers on the local network trying to keep track of each other (ARP, NBNS, ICMP) followed by DNS activity as Ethereal attempts to resolve names. To see activity, you're going to generate some activity. While Ethereal is running, open your web browser. Minimize everything other than the main Ethereal screen and your web browser, and arrange the Ethereal and web browser windows so that you can see both at the same time. Now go to a web search engine, such as www.google.com. As the web page loads, you should see information about captured packets scrolling up through the Ethereal screen. Pick a search term and enter it into the search bar. Click on some of the web pages that are brought up by the search and watch what happens in Ethereal as you do.


Note: If Ethereal reports no network activity at all, you may have the wrong network interface chosen. Go to the Interface drop-down list in the Capture Options screen and choose a different network interface.

7.2.2 Decoding Network Traffic


Now that you can see the network data that's moving through your computer, you have to figure out how to decode it. In Ethereal, the first step, before you even end the capture session, is to look at the summary capture screen that the program displays while it is performing the capture. For our web browsing session, most of the packets should have been TCP packets (although if you stopped to watch a streaming video, your UDP packet numbers will have been increased). However, if you're capturing a simple web browsing session, and you see a large number of ARP or ICMP packets, that could indicate a problem.

After you've ended the capture session, you're going to see output similar to this:

No.  Time      Source             Destination        Protocol  Info
1    0.000000  257.10.3.250       rodan.mozilla.org  TCP       1656 > 8080 [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460
2    0.045195  257.10.3.250       rheet.mozilla.org  TCP       1657 > http [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460
3    0.335194  rheet.mozilla.org  257.10.3.250       TCP       http > 1657 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
4    0.335255  257.10.3.250       rheet.mozilla.org  TCP       1657 > http [ACK] Seq=1 Ack=1 Win=17520 Len=0
5    0.338234  257.10.3.250       rheet.mozilla.org  HTTP      GET /products/firefox/start/ HTTP/1.1
6    0.441049  rheet.mozilla.org  257.10.3.250       TCP       http > 1657 [ACK] Seq=1 Ack=580 Win=6948 Len=0
7    0.441816  rheet.mozilla.org  257.10.3.250       HTTP      HTTP/1.1 304 Not Modified
8    0.559132  257.10.3.250       rheet.mozilla.org  TCP       1657 > http [ACK] Seq=580 Ack=209 Win=17312 Len=0
9    2.855975  257.10.3.250       rodan.mozilla.org  TCP       1656 > 8080 [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460
10   4.475529  257.10.3.250       name.server.com    DNS       Standard query PTR 250.3.10.257.in-addr.arpa
11   4.475776  257.10.3.250       name.server.com    DNS       Standard query PTR 205.111.126.207.in-addr.arpa
12   4.475854  257.10.3.250       name.server.com    DNS       Standard query PTR 202.111.126.207.in-addr.arpa

In this example, these twelve packets illustrate the web browser's activity as it connects with its specified start page. The most easily decoded information is in the Source and Destination columns. IP address 257.10.3.250 is the local computer; the other IP addresses have been resolved to names by Ethereal. Since the web browser used was the Mozilla Firefox browser, and since its start page was the default Mozilla Firefox page, it is not surprising to see addresses from the mozilla.org domain. The requests sent to name.server.com were probably generated by Ethereal when it sent DNS queries to resolve the IP addresses into names. (Note: these accesses by the Ethereal program were caused by the options you set in the Display Options and Name Resolution boxes. They were set to on in this example in order to produce a more readable output. If you toggle these options to off, then you won't have this extra data.) Looking at source and destination information can help you spot unauthorized activity. For example, an unfamiliar domain name that is repeatedly accessed might indicate that you have a spyware program installed. The next column is the Protocol column, which tells you what protocol the packets used. Again, to know when something is wrong here, you're going to have to know what to expect. In our web browsing session, we expect TCP and HTTP, and we understand why the DNS packets are there, but, for example, a large number of ICMP packets could mean that your machine is being pinged or traced. The last column, Info, provides more detailed information about the packets. Packets 2, 3 and 4 show the TCP three-way handshake of SYN, SYN/ACK, ACK, which indicates that a connection has been made. Packet 5 shows an HTTP GET command followed in packet 7 by a 304 Not Modified response. If you want more information about the packets, the bottom two panes in the Ethereal screen show detailed explanations. The middle pane shows the details of the packet header. The bottom pane shows a hex and ASCII dump of the data in the packet.

7.2.3 Sniffing Other Computers


Some of you, having looked at the information in this section - and having looked at the data that can be recorded by Ethereal - may be wondering about the possibilities of using packet sniffing software to record activity on other people's computers. Is this possible? Yes - and no. It's called promiscuous mode and it allows a packet sniffer to monitor network activity for all computers on a network. This means that you might be able to record network activity on another computer that is in your own network (depending on the way that the hardware is set up), but you can't pick any one computer at random and magically sniff their data - the two computers must be physically connected, and the hardware and software must be properly configured.

7.2.4 Intrusion Detection Systems


You've probably realized that, to use a packet sniffer to detect unauthorized activity in real time, would require you to sit at your computer, watching the output of the packet sniffer and desperately hoping to see some kind of pattern. An intrusion detection system performs this task for you. These programs combine the ability to record network activity with sets of rules that allow them to flag unauthorized activity and generate real-time warnings.

Exercises:
1. Open Ethereal and start a live capture. Now open your web browser and look for a plain text document to download. Download and save the text file to your hard drive, then close the web browser and end the capture session in Ethereal. Look through the packets captured by Ethereal, paying close attention to the ASCII dump in the bottom pane. What do you see? If you have access to an email account, try checking your email while Ethereal is performing a capture. What do you see there?
2. Open Ethereal. On the Capture Options Screen, make sure that the box marked "Capture packets in promiscuous mode" is checked. This option may allow you to capture packets directed to or coming from other computers. Begin the capture and see what happens. Do you see any traffic that is intended for a computer other than yours? What do you know about the hardware that connects your computer to the network? Does it connect to the other computers through a switch, a router or a hub? Go to a web search engine and try to find out which piece or pieces of hardware would make it most difficult to capture packets from other computers. What hardware would make it easiest?
3. Go to www.snort.org, or use a web search engine to research intrusion detection systems. How are they different from firewalls? What do they have in common with packet sniffers? What kinds of unauthorized activity can they detect? What kinds of activity might they be unable to detect?
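The decoding walk-through in 7.2.2 and the rule-based detection idea in 7.2.4 can be shown in one added example (written for this edit, not code from the lesson or from Ethereal). It parses packet summary lines like the twelve in 7.2.2, follows each TCP connection through SYN, SYN/ACK and ACK, counts protocols, and applies two simple rules to a capture that is supposed to be plain web browsing: a capture that is mostly ICMP or ARP, or one with more half-open attempts than completed handshakes, raises an alert. SAMPLE_CAPTURE is the lesson's listing transcribed; the ICMP burst and the thresholds are constructed assumptions.

```python
"""Decode packet-summary lines and apply a few intrusion detection rules to them.
Added example for this lesson, not code from Hacker Highschool or Ethereal.
SAMPLE_CAPTURE is the lesson's twelve-packet listing transcribed; the ICMP burst
and the rule thresholds are constructed assumptions."""
import re
from collections import Counter, namedtuple

Pkt = namedtuple("Pkt", "no time src dst proto info")

SAMPLE_CAPTURE = """\
1 0.000000 257.10.3.250 rodan.mozilla.org TCP 1656 > 8080 [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460
2 0.045195 257.10.3.250 rheet.mozilla.org TCP 1657 > http [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460
3 0.335194 rheet.mozilla.org 257.10.3.250 TCP http > 1657 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
4 0.335255 257.10.3.250 rheet.mozilla.org TCP 1657 > http [ACK] Seq=1 Ack=1 Win=17520 Len=0
5 0.338234 257.10.3.250 rheet.mozilla.org HTTP GET /products/firefox/start/ HTTP/1.1
6 0.441049 rheet.mozilla.org 257.10.3.250 TCP http > 1657 [ACK] Seq=1 Ack=580 Win=6948 Len=0
7 0.441816 rheet.mozilla.org 257.10.3.250 HTTP HTTP/1.1 304 Not Modified
8 0.559132 257.10.3.250 rheet.mozilla.org TCP 1657 > http [ACK] Seq=580 Ack=209 Win=17312 Len=0
9 2.855975 257.10.3.250 rodan.mozilla.org TCP 1656 > 8080 [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460
10 4.475529 257.10.3.250 name.server.com DNS Standard query PTR 250.3.10.257.in-addr.arpa
11 4.475776 257.10.3.250 name.server.com DNS Standard query PTR 205.111.126.207.in-addr.arpa
12 4.475854 257.10.3.250 name.server.com DNS Standard query PTR 202.111.126.207.in-addr.arpa
"""

# "1657 > http [SYN, ACK] ..." -> source port, destination port, flag list
TCP_INFO = re.compile(r"^(\S+) > (\S+) \[([A-Z, ]+)\]")


def parse_capture(text: str) -> list:
    """Columns are No., Time, Source, Destination, Protocol and a free-text Info field."""
    pkts = []
    for line in text.splitlines():
        if line.strip():
            no, t, src, dst, proto, info = line.split(maxsplit=5)
            pkts.append(Pkt(int(no), float(t), src, dst, proto, info))
    return pkts


def protocol_counts(pkts) -> dict:
    return dict(Counter(p.proto for p in pkts))


def tcp_sessions(pkts):
    """Walk the SYN, SYN/ACK, ACK exchange per (client, server, client port, server port).
    Returns the completed handshakes and the SYNs that never received a SYN/ACK."""
    state, completed = {}, []
    for p in pkts:
        m = TCP_INFO.match(p.info) if p.proto == "TCP" else None
        if not m:
            continue
        sport, dport, flags = m.group(1), m.group(2), set(m.group(3).split(", "))
        if flags == {"SYN"}:
            state[(p.src, p.dst, sport, dport)] = "SYN"
        elif flags == {"SYN", "ACK"}:
            key = (p.dst, p.src, dport, sport)          # the server answers, so swap sides
            if state.get(key) == "SYN":
                state[key] = "SYNACK"
        elif flags == {"ACK"}:
            key = (p.src, p.dst, sport, dport)
            if state.get(key) == "SYNACK":              # later ACKs on an open session are ignored
                state[key] = "OPEN"
                completed.append(key)
    unanswered = [k for k, s in state.items() if s == "SYN"]
    return completed, unanswered


def ids_alerts(pkts, noisy=("ICMP", "ARP"), max_share=0.2) -> list:
    """Rules for a plain web-browsing capture, where TCP, HTTP and DNS are the expected protocols."""
    alerts = []
    counts, total = protocol_counts(pkts), max(len(pkts), 1)
    for proto in noisy:
        if counts.get(proto, 0) / total > max_share:
            alerts.append(f"{proto} is {counts[proto]} of {total} packets: possible ping sweep or ARP scan")
    completed, unanswered = tcp_sessions(pkts)
    if len(unanswered) > len(completed):
        alerts.append(f"{len(unanswered)} connection attempt(s) never completed a handshake")
    return alerts


def constructed_icmp_burst(n: int = 30) -> str:
    """Constructed capture: n echo requests to consecutive addresses, the ICMP surge the lesson warns about."""
    return "\n".join(f"{i + 1} {i * 0.01:.6f} 257.10.3.250 257.10.3.{i + 1} ICMP Echo (ping) request"
                     for i in range(n))
```

On the lesson's capture the rules stay quiet: one handshake completed (packets 2 to 4) and one SYN to rodan.mozilla.org port 8080 went unanswered (packets 1 and 9 are the same attempt, retried), which is an even balance rather than a scan. Feed it the constructed ICMP burst and the protocol rule fires.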



7.3 Honeypots and Honeynets


People who like to watch monkeys go to the zoo, because there might be monkeys there. People who like to watch birds put out bird feeders, and the birds come to them. People who like to watch fish build aquariums, and bring the fish to themselves. But what do you do if you want to watch hackers? You put out a honeypot. Think about it this way - you're a bear. You may not know much (being a bear) but you do know that honey is tasty, and there is nothing better on a warm summer day than a big handful of honey. So you see a big pot full of honey sitting out in the center of a clearing, and you're thinking, 'Yum!' But once you stick your paw in the honey pot, you risk getting stuck. If nothing else, you're going to leave big, sticky paw prints everywhere, and everyone is going to know that someone has been in the honey, and there's a good chance that anyone who follows the big, sticky paw prints is going to discover that it's you. More than one bear has been trapped because of his affection for tasty honey. A honeypot is a computer system, network, or virtual machine that serves no other purpose than to lure in hackers. In a honeypot, there are no authorized users - no real data is stored in the system, no real work is performed on it - so, every access, every attempt to use it, can be identified as unauthorized. Instead of sifting through logs to identify intrusions, the system administrator knows that every access is an intrusion, so a large part of the work is already done.

7.3.1 Types of Honeypots


There are two types of honeypots: production and research. Production honeypots are used primarily as warning systems. A production honeypot identifies an intrusion and generates an alarm. They can show you that an intruder has identified the system or network as an object of interest, but not much else. For example, if you wanted to know if bears lived near your clearing, you might set out ten tiny pots of honey. If you checked them in the morning and found one or more of them empty, then you would know that bears had been in the vicinity, but you wouldn't know anything else about the bears. Research honeypots are used to collect information about hackers' activities. A research honeypot lures in hackers, then keeps them occupied while it quietly records their actions. For example, if - instead of simply documenting their presence - you wanted to study the bears, then you might set out one big, tasty, sticky pot of honey in the middle of your clearing, but then you would surround that pot with movie cameras, still cameras, tape recorders and research assistants with clipboards and pith helmets. The two types of honeypots differ primarily in their complexity. You can more easily set up and maintain a production honeypot because of its simplicity and the limited amount of information that you hope to collect. In a production honeypot, you just want to know that you've been hit; you don't care so much whether the hackers stay around. However, in a research honeypot, you want the hackers to stay, so that you can see what they are doing. This makes setting up and maintaining a research honeypot more difficult, because you must make the system look like a real, working system that offers files or services that the hackers find interesting. A bear who knows what a honeypot looks like might spend a minute looking at an empty pot, but only a pot full of tasty honey is going to keep the bear hanging around long enough for you to study it.



7.3.2 Building a Honeypot


In the most basic sense, a honeypot is nothing more than a computer system which is set up with the expectation that it will be compromised by intruders. Essentially, this means that if you connect a computer with an insecure operating system to the Internet, then let it sit there, waiting to be compromised, you have created a honeypot! But this isn't a very useful honeypot. It's more like leaving your honey out in the clearing, then going home to the city. When you come back, the honey will be gone, but you won't know anything about who, how, when or why. You don't learn anything from your honeypot, unless you have some way of gathering information regarding it. To be useful, even the most basic honeypot must have some type of intrusion detection system. The intrusion detection system could be as simple as a firewall. Normally a firewall is used to prevent unauthorized users from accessing a computer system, but they also log everything that passes through or is stopped. Reviewing the logs produced by the firewall can provide basic information about attempts to access the honeypot. More complex honeypots might add hardware, such as switches, routers or hubs, to further monitor or control network access. They may also use packet sniffers to gather additional information about network traffic. Research honeypots may also run programs that simulate normal use, making it appear that the honeypot is actually being accessed by authorized users, and teasing potential intruders with falsified emails, passwords and data. These types of programs can also be used to disguise operating systems, making it appear, for example, that a Linux based computer is running Windows. But the thing about honey - it's sticky, and there's always a chance that your honeypot is going to turn into a bees' nest. And when the bees come home, you don't want to be the one with your hand stuck in the honey. An improperly configured honeypot can easily be turned into a launching pad for additional attacks. If a hacker compromises your honeypot, then promptly launches an assault on a large corporation or uses your honeypot to distribute a flood of spam, there's a good chance that you will be identified as the one responsible. Correctly configured honeypots control network traffic going into and out of the computer. A simple production honeypot might allow incoming traffic through the firewall, but stop all outgoing traffic. This is a simple, effective solution, but intruders will quickly realize that it is not a real, working computer system. A slightly more complex honeypot might allow some outgoing traffic, but not all. Research honeypots - which want to keep the intruders interested as long as possible - sometimes use manglers, which audit outgoing traffic and disarm potentially dangerous data by modifying it so that it is ineffective.

Exercises:
Honeypots can be useful tools for research and for spotting intruders, but using them to capture and prosecute these intruders is another question. Different jurisdictions have different definitions and standards, and judges and juries often have varying views, so there are many questions that need to be considered. Do honeypots represent an attempt at entrapment? Is recording a hacker's activities a form of wiretapping? And on the specific question of honeypots - can it be illegal to compromise a system that was designed to be compromised? These questions have yet to be thoroughly tested.



Discuss your opinions on the legalities of using honeypots for capturing hackers involved in criminal activities. Do you think it would be a useful tool for law enforcement agencies? Is it entrapment? Do you think it constitutes an 'attractive nuisance'? If a hacker compromises a honeypot, who do you think is ultimately responsible?
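A production honeypot in the sense of 7.3.2 is mostly logging plus silence. The following added example (written for this edit, not code from the lesson or any honeypot product) listens on a local port, records the time, source address and first bytes of every connection, optionally sends one fixed greeting, and never replies further; since no legitimate client ever connects, each log entry is an alert rather than something to sift for. The greeting text and the client in demo() are constructed, and demo() connects only to 127.0.0.1 on the machine running it.

```python
"""Minimal production honeypot: accept every connection, log it, send nothing of substance.
Added example for this lesson, not code from Hacker Highschool or any honeypot product.
The greeting and the probing client in demo() are constructed; demo() talks only to
127.0.0.1."""
import socket
import threading
import time
from datetime import datetime, timezone


class Honeypot:
    """Listens on one port. Nothing legitimate ever connects here, so every log entry is an alert."""

    def __init__(self, host="127.0.0.1", port=0, greeting=b"", max_read=256):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))          # port 0 lets the OS pick a free one (handy for tests)
        self.sock.listen(5)
        self.sock.settimeout(0.2)             # short timeout so the serving thread notices stop()
        self.port = self.sock.getsockname()[1]
        self.greeting = greeting              # one fixed banner; the honeypot never sends anything else
        self.max_read = max_read              # keep only the first bytes, enough to see what was tried
        self.log = []
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (ip, port) = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(0.5)
                if self.greeting:
                    conn.sendall(self.greeting)
                try:
                    data = conn.recv(self.max_read)
                except socket.timeout:
                    data = b""
                self.log.append({"time": datetime.now(timezone.utc).isoformat(),
                                 "src": ip, "src_port": port, "data": data})
                # Deliberately no reply: outbound traffic is what a production honeypot must not generate.


def demo() -> list:
    """Start a honeypot on a free local port, connect once as a constructed probe, return its log."""
    hp = Honeypot(greeting=b"220 mail.example.test ESMTP\r\n").start()   # constructed banner
    try:
        with socket.create_connection(("127.0.0.1", hp.port), timeout=2) as client:
            client.recv(64)                                  # read the banner
            client.sendall(b"HELO probe.test\r\n")           # constructed first command
        deadline = time.time() + 2
        while not hp.log and time.time() < deadline:         # wait for the serving thread to log it
            time.sleep(0.05)
    finally:
        hp.stop()
    return hp.log
```

Because the listener keeps only a fixed-size prefix and answers with nothing beyond the banner, a compromised honeypot of this shape cannot be turned into the launching pad the text warns about; what it gives up is realism, which is the trade-off between production and research honeypots described in 7.3.1.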



Further Reading
Netstat
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/netstat.mspx
General Firewall Information:
http://www.howstuffworks.com/firewall.htm
http://www.interhack.net/pubs/fwfaq/
One of many free firewall programs:
http://www.agnitum.com/index.html
Firewalling for Linux:
http://www.iptables.org/
Packet Sniffing
http://www.robertgraham.com/pubs/sniffing-faq.html
Snort and IDS:
http://www.linuxsecurity.com/feature_stories/feature_story-49.html
http://www.snort.org/docs/lisapaper.txt
Honeypots:
http://www.honeypots.net/honeypots/links/


LESSON 8 DIGITAL FORENSICS



Table of Contents
"License for Use" Information
Contributors
8.0 Introduction
8.1 Forensic Principles
8.1.0 Introduction
8.1.1 Avoid Contamination
8.1.2 Act Methodically
8.1.3 Chain of Evidence
8.1.4 Conclusion
8.2 Stand-alone Forensics
8.2.0 Introduction
8.2.1 Hard Drive and Storage Media Basics
8.2.2 Encryption, Decryption and File Formats
8.2.3 Finding a Needle in a Haystack
8.2.3.1 find
8.2.3.2 grep
8.2.3.3 strings
8.2.3.4 awk
8.2.3.5 The Pipe (|)
8.2.4 Making use of other sources
8.3 Network Forensics
8.3.0 Introduction
8.3.1 Firewall Logs
8.3.2 Mail Headers
Further Reading

Contributors
Simon Biles, Computer Security Online Ltd.
Pete Herzog, ISECOM
Chuck Truett, ISECOM
Marta Barceló, ISECOM
Kim Truett, ISECOM

8.0 Introduction
Forensics concerns the application of a methodical investigation technique in order to reconstruct a sequence of events. Most people are now familiar with the concept of forensics from TV and films, "CSI (Crime Scene Investigation)" being one of the most popular. Forensic science was for a long time – and still is really – most associated with Forensic Pathology – finding out how people died. The first recorded description of forensics was on just this subject. In 1248, a Chinese book called Hsi Duan Yu (the Washing Away of Wrongs) was published. This book describes how to tell if someone has drowned or has been strangled.[1]

Digital forensics is a bit less messy and a bit less well known. This is the art of recreating what has happened in a digital device. In the past it was restricted to computers only, but now encompasses all digital devices such as mobile phones, digital cameras, and even GPS[2] devices. It has been used to catch murderers, kidnappers, fraudsters, Mafia bosses and many other decidedly unfriendly people.

In this lesson, we are going to cover two aspects of forensics (all computer based I'm afraid – no mobile phone stuff here).

1. What people have been up to on their own computer. This covers ...

... the recovery of deleted files.
... elementary decryption.
... searching for certain file types.
... searching for certain phrases.
... looking at interesting areas of the computer.

2. What a remote user has been doing on someone else's computer. This covers ...

... reading log files.
... reconstructing actions.
... tracing the source.

This lesson is going to focus on the tools available under Linux. There are tools that are available under Windows, as well as dedicated software and hardware for doing forensics, but with the capability of Linux to mount and understand a large number of alternate operating and file systems, it is the ideal environment for most forensic operations.

[1] Apparently it is something to do with marks left around the throat, and the level of water penetration into the lungs.
[2] Global Positioning System – a thing which tells you where you are in the world using a number of orbiting satellites.


8.1 Forensic Principles


8.1.0 Introduction
There are a number of basic principles that are necessary regardless of whether you are examining a computer or a corpse. This section is a quick summary of these principles.

8.1.1 Avoid Contamination

On TV you see forensic examiners dressed up in white suits with gloves, handling all evidence with tweezers and putting it into sealed plastic bags. This is all to prevent "contamination". This is where evidence is tainted, for example, by fingerprints being added to the handle of a knife by someone picking it up (think The Fugitive if you have seen it ... Look what trouble it got him into!)

8.1.2 Act Methodically

Whatever you do, when (if?) you get to court, you will need to justify all the actions that you have taken. If you act in a scientific and methodical manner, making careful notes of what it is that you are doing and how you do it, this justification becomes much easier. It also allows for someone else to follow your steps and verify that you haven't made a mistake which may cast the value of your evidence in doubt.

8.1.3 Chain of Evidence

You must maintain something called the "Chain of Evidence". This means that at any point in time from the seizure of the evidence until its final presentation in court, you can account for who has had access to it, and where it has been. This rules out the possibility that someone has tampered with it, or falsified it in some way.

8.1.4 Conclusion
Keep these things in mind, and even if you are not going to take your work to court, you will be able to maximize your abilities as a forensic examiner.

8.2 Stand-alone Forensics


8.2.0 Introduction
This section is about the forensic examination of an individual machine. For want of a better term, we will call it "stand-alone forensics". This is probably the most common part of computer forensics - its main role is to find out what has been done using a particular computer. The forensic examiner could be looking for evidence of fraud, such as financial spreadsheets, evidence of communication with someone else, e-mails or an address book, or evidence of a particular nature, such as pornographic images.

8.2.1 Hard Drive and Storage Media Basics

There are several components that make up an average computer. There is the processor, memory, graphics cards, CD drives and much more. One of the most crucial components is the harddisk (hard drive). This is where a majority of the information that the computer requires to operate is stored. The Operating System (OS) such as Windows or Linux resides here, along with user applications such as word processors and games. This is also where significant amounts of data is stored, either deliberately, through the action of saving a file, or incidentally, through the use of temporary files and caches. This allows a forensic examiner to reconstruct the actions that a computer user has carried out on a computer, which files have been accessed and much, much more.

There are several levels at which you can examine a harddisk. For the purposes of this exercise, we are only going to look at the file system level. It is worth noting though, that professionals are capable of looking in a great level of detail at a disk to determine what it used to contain – even if it has been overwritten many times.

The file system is the computer's implementation of a filing cabinet. It contains drawers (partitions), files (directories) and individual pieces of paper (files). Files and directories can be hidden, although this is only a superficial thing and can easily be overcome. Working through the following Exercises should give you a far better understanding of the basics of disk storage.

Exercises: For each of the following terms about storage media, search for information and learn how they work. Understanding how equipment functions normally is your first step toward forensics.

1. Magnetic/Hard/Physical Disk: This is where your computer stores files. Explain how magnetism is used on a hard disk.
2. Tracks: What are referred to as "tracks" on a hard disk?
3. Sectors: This is a fixed space that data fits into. Explain how.
4. Cluster/Allocation unit: Explain why when a file is written to a hard disk that it may be assigned more space than it needs. What happens to that empty space? Looking up the term "file slack" should help you.
5. Free/"Unallocated" Space: This is what you have left after files are deleted. Or are those files really gone? Explain how a file is deleted on the computer. Looking for tools on "secure delete" may help you. Knowing how you are supposed to securely delete a file so it's really gone is a great way to learn why such tools are needed.
6. Hash, also known as an MD5 hash: Explain what this hash is and what it's used for.
7. BIOS: This stands for "Basic Input/Output System". What is this and where is it stored on a PC?
8. Boot Sector: This works with partition tables to help your PC find the operating system to run. There are many tools for working with partitions, with the standard one being called fdisk. Knowing how these tools work is your first clue to understanding partitions and the boot sector.
9. Cyclical Redundancy Check (CRC): When you get a "read error" message from your hard disk, this means that the data failed a CRC check. Find out what the CRC check is and what it does.
10. File Signature: Often times a file has a small 6-byte signature at the start of the file which identifies what kind of file it is. Opening a file in a text-editor is the easiest way to see this. Open 3 files of each of the following file types in a text editor: .jpg, .gif, .exe, .mp3. What was the first word at the top of the file for each?
11. RAM (Random-Access Memory): This is also known as "memory" and it is a temporary location to read and write information. It is much, much faster than writing to the hard disk. It's also gone when power is lost to the computer. Explain how RAM works. Knowing your computer may have anywhere from 64 to 512 Mb of RAM, search for information about a computer that has more RAM than that.
12. Currently, the largest RAM disk (a super fast hard disk emulated in RAM) is 2.5 Tb (Terabyte). How many times larger than your PC is that?
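The hash in exercise 6 is what ties "act methodically" (8.1.2) and the "chain of evidence" (8.1.3) together in practice: you hash a piece of evidence when you take it, write the digest into a custody log with who took it and when, and re-hash it whenever it changes hands. The shell script below is an added example and not part of the Hacker Highschool lesson; the evidence file, the custody log, the examiner label and the "disk image" contents are all constructed for it. It uses md5sum because the exercise names MD5; for present-day work swap in sha256sum, since MD5 collisions are cheap to produce and a court will ask about that.

```shell
#!/bin/sh
# Added example, not from the Hacker Highschool lesson: hash evidence when it is
# taken and re-check it later. md5sum is used because the lesson names MD5;
# sha256sum is the drop-in choice for real work.

# Print only the hex digest (md5sum prints "digest  filename").
hash_file() {
    md5sum "$1" | cut -d' ' -f1
}

# Append one custody record: UTC time, examiner, path, digest (tab separated).
record_evidence() {
    # $1 = evidence file, $2 = custody log, $3 = examiner label
    printf '%s\t%s\t%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$3" "$1" "$(hash_file "$1")" >> "$2"
}

# Re-hash the file and compare with the newest record for that path.
# Prints "intact", "TAMPERED" or "no-record".
verify_evidence() {
    # $1 = evidence file, $2 = custody log
    [ -f "$2" ] || { echo "no-record"; return 0; }
    recorded=$(awk -F'\t' -v f="$1" '$3 == f { d = $4 } END { print d }' "$2")
    current=$(hash_file "$1")
    if [ -z "$recorded" ]; then
        echo "no-record"
    elif [ "$recorded" = "$current" ]; then
        echo "intact"
    else
        echo "TAMPERED"
    fi
}

# Walk-through on a constructed "disk image": record, verify, alter, verify again.
# Prints the two verdicts on one line: "intact TAMPERED".
demo() {
    dir=$(mktemp -d)
    printf 'hello\n' > "$dir/evidence.img"          # constructed sample content
    record_evidence "$dir/evidence.img" "$dir/custody.log" "examiner-1"
    first=$(verify_evidence "$dir/evidence.img" "$dir/custody.log")
    printf 'x' >> "$dir/evidence.img"               # the copy is altered
    second=$(verify_evidence "$dir/evidence.img" "$dir/custody.log")
    echo "$first $second"
}

demo
```

The log is append-only on purpose: a record is never edited, a new one is added, so the history of who verified what stays readable. Work on a copy and keep the original write-protected; the hash proves the copy matches, it does not protect the original.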

8.2.2 Encryption, Decryption and File Formats

A lot of the files that you will come across will not be immediately readable. Many programs have their own proprietary file formats, while others use standard formats – for example the standard picture formats - gif, jpeg, etc. Linux provides an excellent utility to help you to determine what a given file is. It is called file.

Command Line Switch    Effect
-k                     Don't stop at the first match, keep going.
-L                     Follow symbolic links.
-z                     Attempt to look inside compressed files.

An example of the use of the file command is shown below:

[simon@frodo file_example]$ ls
arp.c  isestorm_DivX.avi  nwrap.pl  oprp_may11_2004.txt  r!"#1.$.$  r!"#1.$.$.tar  r!"#1.$.$.tar.().asc  VisioEval.exe  Windows2003.vmx
[simon@frodo file_example]$ file *
arp.c:                 ASCII C program text
isestorm_DivX.avi:     RIFF (little-endian) data, AVI
nwrap.pl:              Paul Falstad's zsh script text executable
oprp_may11_2004.txt:   ASCII English text, with very long lines, with CRLF line terminators
r!"#1.$.$:             directory
r!"#1.$.$.tar:         POSIX tar archive
r!"#1.$.$.tar.().asc:  PGP armored data
VisioEval.exe:         MS-DOS executable (EXE), OS/2 or MS Windows
Windows2003.vmx:       a /usr/bin/vmware script text executable
[simon@frodo file_example]$

From this you can start to make some attempts to read a certain type of file. There are a number of file conversion utilities available to you under Linux, and even more available on the Internet, as well as a number of file viewers for various formats. Sometimes it may require more than one step to get to a place where you can really work with the data – try to think laterally!

Occasionally, you will come across files which have been encrypted or password protected. The complication that this presents varies, from encryption that is easily broken to stuff that would even give the NSA (or GCHQ or whatever your local government agency happens to be) a headache. There are again a number of tools available on the Internet that you can use to try to break the encryption on a file. It pays to examine the area surrounding the computer that you are dealing with. People aren't very good at remembering passwords, it may well be written down somewhere nearby. Common choices for passwords also involve: pets, relatives, dates (marriage, date of birth), telephone numbers, car registrations, and other simple combinations (123456, abcdef, qwerty etc.). People are also reluctant to use more than one or two passwords for everything, so if you can reverse engineer a password on one file or application, try it on the others. It is highly likely to be the same.

Exercises: For these Exercises, we will learn about password cracking. While it is legal to crack your own passwords if you forget them, it is not legal in some countries to figure out how something else is encrypted, in order to protect the other material from being cracked. DVD movies are encrypted to prevent them from being stolen off the DVD and sold. While this is an excellent use of encryption, it is illegal for anyone to research how that encryption is used. This leads to your first exercise:

1. What is "DeCSS" and how does it relate to DVD encryption? Search on "decss" to learn more.
2. Knowing that something is password protected means learning how to open that file. This is known as "cracking" the password. Find information about cracking various types of passwords. To do this search for "cracking XYZ passwords" where XYZ is the password type you are looking for. Do this for the following password types:
a. MD5
b. Adobe PDF
c. Excel
3. If the encryption method is too strong to be broken, it may be necessary to perform a "dictionary attack" (sometimes known as "brute force"). Find out what a dictionary attack is.
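What file does in the listing above, and what exercise 10 in section 8.2.1 has you look at in a text editor, is the same thing: the first few bytes of a file (its "magic" or signature) say what it really is, whatever its name claims. The script below is an added example and not the lesson's own code; the sample files are constructed with printf (just the headers) so it runs offline, and the type names and the small signature table are the example's own. The last sample is an executable renamed to .jpg, which is the mismatch an examiner is looking for when a suspect has tried to hide something.

```shell
#!/bin/sh
# Added example, not from the Hacker Highschool lesson: read the first bytes of a
# file and match them against known signatures, which is what file(1) does and
# what the "File Signature" exercise has you see in a text editor. The sample
# files are constructed with printf (headers only) so this runs offline.

# First $2 bytes of $1 as a lowercase hex string, e.g. "ffd8ffe0".
hex_head() {
    od -An -v -tx1 -N "$2" "$1" | tr -d ' \n'
}

# Map the leading bytes to a type name. A signature is a prefix, so patterns end in *.
magic_type() {
    sig=$(hex_head "$1" 8)
    case "$sig" in
        ffd8ff*)                      echo "JPEG image" ;;         # FF D8 FF
        474946383761*|474946383961*)  echo "GIF image" ;;          # "GIF87a" / "GIF89a"
        89504e470d0a1a0a*)            echo "PNG image" ;;          # .PNG....
        4d5a*)                        echo "MS-DOS/Windows executable (MZ)" ;;
        7f454c46*)                    echo "ELF executable" ;;     # .ELF
        494433*)                      echo "MP3 audio with ID3 tag" ;;
        255044462d*)                  echo "PDF document" ;;       # "%PDF-"
        504b0304*)                    echo "ZIP archive (also .docx/.xlsx/.jar)" ;;
        *)                            echo "unknown" ;;
    esac
}

# Does the extension agree with what the bytes say? Prints "ok" or "mismatch".
check_extension() {
    ext=${1##*.}
    type=$(magic_type "$1")
    case "$ext:$type" in
        jpg:JPEG*|jpeg:JPEG*|gif:GIF*|png:PNG*|exe:MS-DOS*|mp3:MP3*|pdf:PDF*|zip:ZIP*)
            echo "ok" ;;
        *)  echo "mismatch" ;;
    esac
}

# Constructed samples: four honest files and one executable renamed to .jpg.
make_samples() {
    dir=$(mktemp -d)
    printf '\377\330\377\340\000\020JFIF' > "$dir/photo.jpg"
    printf 'GIF89a\001\000\001\000'        > "$dir/anim.gif"
    printf 'MZ\220\000\003\000'            > "$dir/tool.exe"
    printf 'ID3\003\000'                   > "$dir/song.mp3"
    printf 'MZ\220\000\003\000'            > "$dir/renamed.jpg"
    echo "$dir"
}

# One report line per file: name, detected type, extension check.
report() {
    for f in "$1"/*; do
        printf '%-14s %-40s %s\n' "$(basename "$f")" "$(magic_type "$f")" "$(check_extension "$f")"
    done
}

report "$(make_samples)"
```

Use "od -c" on the same files to see why the text editor shows "JFIF", "GIF89a", "MZ" and "ID3" as the first word: the signature bytes that are printable come out as those letters. The real file utility carries thousands of these patterns and checks offsets deeper into the file as well; the idea is the same.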

8.2.3 Finding a Needle in a Haystack

Commercial forensic software includes powerful search tools that allow you to search for many combinations and permutations of factors. Without these expensive commercial tools you need to be a little more resourceful. Linux provides you with plenty of scope to construct similar tools using standard utilities. The following text details the use of find, grep and strings, and then describes the use of the pipe to combine them.

8.2.3.1 find

find [path...][expression]

find is used to locate files meeting certain criteria within the operating system. It is not designed for looking within the files. There must be a million permutations of expressions that can be combined to search for a file.

Exercise: 1. Read the manual page for find. Complete the "Effect" for each "Expression" in the table below. (Hint: Where a number is given as an argument, it can be specified as follows: +n – for greater than n; -n – for less than n; n – for exactly n.)

Expression    Effect
-amin n       File last accessed n minutes ago
-anewer
-atime
-cnewer
-iname
-inum
-name
-regex
-size
-type
-user

8.2.3.2 grep

grep is an immensely powerful tool. It is used to find certain lines within a file. This allows you to quickly find files that contain certain things within a directory or file system. It also allows for searching on regular expressions. There are search patterns that allow you to specify criteria that the search must match. For example: finding all strings in the dictionary that start with "s" and finish with "t" to help with doing a crossword.

grep ^s.*t$ /usr/share/dict/words

Exercises: 1. Read the manual page for grep. 2. Look up regular expressions for grep on the Internet. Try to construct a regular expression that looks for all words that are four letters long and contain an "a".

8.2.3.3 strings

strings is another useful utility. This will search through a file of any type for human readable strings. This can return a great deal of information about a specific file, often providing information about the application that created it, authors, original creation time and so on. Exercise: 1. Read the manual page for strings.

8.2.3.4 awk

awk is a programming language designed for working with strings. It is used to extract information from one command to feed into another. For example, to take just the running programs from the ps command, you would use the following:

ps | awk '{print $4}'

Exercise: 1. Read the manual page for awk.

8.2.3.5 The Pipe (|)

All of the above tools are easily combined using the UNIX "pipe" command. This is shown with the "|" symbol. This allows you to take the output of one command and feed it down a pipe to another command. To find all files in the current directory that are mpg files, use the following:

ls | grep mpg

Exercises: 1. Using the pipe, the ls command and grep, find all files in the current directory that were created this month. 2. Using the ps command and awk, print a list of all the running process names.
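The four tools of 8.2.3.1 to 8.2.3.4 joined with the pipe of 8.2.3.5, run over a small directory of made-up files, as an added example that is not part of the lesson. Every file, its contents and the "Author:" string inside the binary are constructed here; the function names are the example's own. Note that find and grep -r walk into the .hidden directory without being told to, which is the practical side of the remark in 8.2.1 that hiding files is only superficial.

```shell
#!/bin/sh
# Added example, not from the Hacker Highschool lesson: find, grep, strings and awk
# joined with pipes into small search functions, run over a constructed directory.

# Constructed "evidence" tree; every file and its contents are made up here.
make_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/docs" "$dir/.hidden"
    printf 'Quarterly figures\nwire transfer 4500 to account 12345\n' > "$dir/docs/budget.txt"
    printf 'shopping list\nmilk, eggs\n'                            > "$dir/docs/notes.txt"
    printf 'WIRE TRANSFER receipt\n'                                > "$dir/.hidden/receipt.txt"
    # Binary-looking file with two readable runs between non-printable bytes.
    printf '\001\002\003Author: J. Doe\000\377\376created 2004-05-11\000' > "$dir/docs/report.bin"
    printf 'frame data'                                             > "$dir/holiday.mpg"
    echo "$dir"
}

# find: every regular file named *.txt, any case. Hidden directories are not
# skipped, which is the point the lesson makes about "hidden" being superficial.
list_text_files() {
    find "$1" -type f -iname '*.txt' | LC_ALL=C sort
}

# grep -r -i -l: which files, anywhere under $1, mention the phrase $2.
files_mentioning() {
    grep -ril -- "$2" "$1" | LC_ALL=C sort
}

# strings (or a tr/grep stand-in where binutils is absent): printable runs of 4+ chars.
printable_strings() {
    if command -v strings >/dev/null 2>&1; then
        strings "$1"
    else
        tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
    fi
}

# strings | awk: pull just the author name out of a binary file.
author_of() {
    printable_strings "$1" | awk '/^Author:/ { sub(/^Author: */, ""); print }'
}

# ls | grep: the lesson's "ls | grep mpg", here counting the matches.
count_mpg() {
    ls "$1" | grep -c '\.mpg$'
}

d=$(make_tree)
echo "text files:";               list_text_files "$d"
echo "mention 'wire transfer':";  files_mentioning "$d" 'wire transfer'
echo "author of report.bin: $(author_of "$d/docs/report.bin")"
echo "mpg files: $(count_mpg "$d")"
```

The -i on grep matters more than it looks: the receipt says "WIRE TRANSFER" in capitals and a case-sensitive search would have missed it. Case, spelling variants and Unicode look-alikes are the usual reasons a phrase search comes back empty on a disk that does contain the phrase.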

8.2.4 Making use of other sources

There are many other interesting ways of examining how a computer has been used. Nearly every application that gets run will record some additional data beyond the files that it directly takes in, or files that it puts out. This could include temporary files for processing, lists of last accessed files or the history of a web-browser.

Exercises: 1. What is browser cache? Find the location where your web browser stores its cache. 2. What are browser cookies? Find the location where your web browser stores its cookies. 3. Search for information about web browser cookies. What kinds of cookies are there and what kind of information is stored in them? 4. Your computer uses temporary directories where it writes files by default for the user. This is often times known as Application Data. Find the temporary directories you have available on your computer. While they may be called tmp or temp, often times, there are many more that you don't know about. Try FIND on files written with today's date as a great way to find temporary files. Do those files disappear when you reboot the computer?

8.3 Network Forensics
8.3.0 Introduction
Network forensics is used to find out where a computer is located and to prove whether a particular file was sent from a particular computer. While network forensics can be very complicated, we will cover some of the basics that can be applied to everyday life.

8.3.1 Firewall Logs
Who's connecting to me? The firewall is a utility which can choke connections between two points in a network. Many types of firewalls exist. Regardless of the type and job of the firewall, it is the firewall logs which give you the details. Only by using the logs, can you find patterns of attacks and abuse to your firewall.

Exercises: 1. Visit the website http://www.dshield.org. This website takes firewall logs from all over the world to find patterns of network attack attempts. This helps security professionals be sure to verify if the networks they are protecting are vulnerable to those particular attacks before they happen. Read through the website and explain how that pie graph of the world is made and what it means. 2. On the same website, read through the "Fight back" section and the response e-mails they receive. Explain the purpose of this.
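"Who's connecting to me?" answered from log lines, as an added shell example that is not part of the lesson. The eight log lines are constructed for it in the shape of Linux netfilter (iptables) kernel messages; SRC=, DST=, PROTO=, SPT= and DPT= are the field names those logs really carry, and the addresses come from the documentation ranges (203.0.113.0/24, 192.0.2.0/24, 198.51.100.0/24) so they belong to nobody. The two patterns the functions pull out, a busiest-source table and "one source, many ports in a short window", are the same kind of summary DShield builds from the logs it is sent.

```shell
#!/bin/sh
# Added example, not from the Hacker Highschool lesson: answering "who's connecting
# to me?" from firewall log lines. The lines are constructed for the example in
# the shape of Linux netfilter (iptables) log messages.

make_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
May 11 22:01:03 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=41022 DPT=22 SYN
May 11 22:01:03 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=41023 DPT=23 SYN
May 11 22:01:04 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=41024 DPT=80 SYN
May 11 22:01:04 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=41025 DPT=443 SYN
May 11 22:01:05 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=41026 DPT=3389 SYN
May 11 22:03:17 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.2 PROTO=TCP SPT=51200 DPT=80 SYN
May 11 22:03:18 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.2 PROTO=TCP SPT=51201 DPT=80 SYN
May 11 22:09:40 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=UDP SPT=53 DPT=53
EOF
    echo "$f"
}

# Value of one KEY=value field per line read from stdin; $1 is the key.
field() {
    awk -v k="$1" '{
        for (i = 1; i <= NF; i++)
            if (index($i, k "=") == 1) { print substr($i, length(k) + 2); break }
    }'
}

# Dropped attempts per source address, busiest first: "address count".
hits_per_source() {
    field SRC < "$1" | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# How many distinct destination ports one source ($2) touched in log $1.
distinct_ports() {
    grep "SRC=$2 " "$1" | field DPT | sort -u | wc -l | tr -d ' '
}

# Sources that probed more than $2 distinct ports: the shape of a port scan.
scanners() {
    for src in $(field SRC < "$1" | sort -u); do
        n=$(distinct_ports "$1" "$src")
        [ "$n" -gt "$2" ] && echo "$src $n"
    done
    return 0
}

log=$(make_log)
echo "attempts per source:";        hits_per_source "$log"
echo "port scanners (>3 ports):";   scanners "$log" 3
```

The trailing space in "SRC=$2 " is deliberate: without it 203.0.113.7 would also match 203.0.113.70. Real logs add the time dimension the lesson mentions (patterns "before they happen"), so a production version groups by source and by time window rather than over the whole file.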

8.3.2 Mail Headers
E-mails come with information of every computer they pass through to get to you. This is kept in the headers. Sometimes even more information is in the headers. To view the headers however is not always so simple. Various mail clients will all have different ways to view this. The real trick to reading headers, though, is to know they are backwards. The top of the list is you. Then it travels back one hop with each line until the very last line is the computer or network that the mail was sent from.

Exercises: 1. A great resource focused on network forensics for fighting SPAM is http://www.samspade.org. Visit SamSpade.org and go to the section called "The Library". Using this section you should be able to explain how to read e-mail headers. You should also read about forged e-mail headers and e-mail abuse. Explain the various ways e-mail can be used to cause harm. 2. Determine how to look at your e-mail headers in the e-mails you receive. Are there any particular fields in those headers that seem foreign to you? Look them up. You should be able to explain what each field means in that header.
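Headers read backwards, turned into a script: the function below lists the Received: hops of a message from the sender's side to yours, as an added example that is not part of the lesson. The header block is constructed for it (example.org, example.net and smallnetwork.net style names, addresses from the documentation ranges), and the function names are the example's own. Only the Received: lines added by servers you trust, starting from the top, can be relied on; the sender controls everything below the first untrusted hop, which is the forged-header problem the SamSpade exercise points you to.

```shell
#!/bin/sh
# Added example, not from the Hacker Highschool lesson: listing the Received: hops
# of a message in the order the mail actually travelled. The header block is
# constructed for this example.

sample_headers() {
    cat <<'EOF'
Return-Path: <alice@example.org>
Received: from mx.smallnetwork.net (mx.smallnetwork.net [198.51.100.20])
        by mail.smallnetwork.net with ESMTP id 1; Tue, 11 May 2004 10:05:31 -0000
Received: from relay.example.net (relay.example.net [203.0.113.9])
        by mx.smallnetwork.net with ESMTP id 2; Tue, 11 May 2004 10:05:30 -0000
Received: from [192.0.2.33] (helo=alice-pc)
        by relay.example.net with SMTP id 3; Tue, 11 May 2004 10:05:29 -0000
From: alice@example.org
To: bob@smallnetwork.net
Subject: dinner on Tuesday
EOF
}

# Join folded header lines (continuations begin with a space or tab) into one line.
unfold() {
    awk '
        /^[ \t]/ { sub(/^[ \t]+/, " "); line = line $0; next }
        { if (line != "") print line; line = $0 }
        END { if (line != "") print line }'
}

# Received: lines as written, top of the message first (newest hop first).
received_lines() {
    unfold | grep '^Received:'
}

# Hops in travel order: the bottom Received: is the first hop, so reverse them.
# Output one "from-host -> by-host" line per hop, origin first.
travel_order() {
    received_lines | awk '{
        from = ""; by = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "from") from = $(i + 1)
            if ($i == "by")   by   = $(i + 1)
        }
        hops[NR] = from " -> " by
    } END { for (n = NR; n >= 1; n--) print hops[n] }'
}

# The host named in the first hop, as far back as the headers let you see.
origin_host() {
    travel_order | head -n 1 | awk '{ print $1 }'
}

sample_headers | travel_order
echo "origin: $(sample_headers | origin_host)"
```

Each hop should chain: the "by" host of one line is the "from" host of the line above it. A break in that chain, or a bottom line whose "from" name does not match the address in brackets beside it, is where to start asking questions.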

Further Reading
The following links are in English.
http://www.honeynet.org/papers/forensics/
http://www.honeynet.org/misc/chall.html - Some forensic Exercises.
http://www.porcupine.org/forensics/ - The classics
http://www.computerforensics.net/
http://www.guidancesoftware.com/corporate/whitepapers/index.shtm#EFE
http://www.forensicfocus.com/
http://www.securityfocus.com/infocus/1679
http://www.linuxsecurity.com/feature_stories/feature_story-139.html
http://www.linuxsecurity.com/feature_stories/feature_story-140.html
http://www.securityfocus.com/incidents
http://staff.washington.edu/dittrich/talks/blackhat/blackhat/forensics.html
http://www.openforensics.org/
http://fire.dmzs.com/
http://www.sleuthkit.org/
http://www.fbi.gov/hq/lab/fsc/backissu/oct2000/computer.htm


LESSON 9 E-MAIL SECURITY

License for Use Information


The following lessons and workbooks are open and publicly available under the following terms and conditions of ISECOM: All works in the Hacker Highschool project are provided for non-commercial use with elementary school students, junior high school students, and high school students whether in a public institution, private institution, or a part of home-schooling. These materials may not be reproduced for sale in any form. The provision of any class, course, training, or camp with these materials for which a fee is charged is expressly forbidden without a license including college classes, university classes, trade-school classes, summer or computer camps, and similar. To purchase a license, visit the LICENSE section of the Hacker Highschool web page at www.hackerhighschool.org/license. The HHS Project is a learning tool and as with any learning tool, the instruction is the influence of the instructor and not the tool. ISECOM cannot accept responsibility for how any information herein is applied or abused. The HHS Project is an open community effort and if you find value in this project, we do ask you support us through the purchase of a license, a donation, or sponsorship. All works copyright ISECOM, 2004.

Table of Contents
"License for Use" Information
Contributors
9.0 Introduction
9.1 How E-mail Works
9.1.1 E-mail Accounts
9.1.2 POP and SMTP
9.1.3 Web Mail
9.2 Safe E-mail Usage Part 1: Receiving
9.2.1 Spam, Phishing and Fraud
9.2.2 HTML E-Mail
9.2.3 Attachment Security
9.2.4 Forged headers
9.3 Safe E-mail Usage Part 2: Sending
9.3.1 Digital Certificates
9.3.2 Digital Signatures
9.3.3 Getting a certificate
9.3.4 Encryption
9.3.5 How does it work?
9.3.6 Decryption
9.3.7 Is Encryption Unbreakable?
9.4 Connection Security

Contributors
Stephen F. Smith, Lockdown Networks
Chuck Truett, ISECOM
Marta Barceló, ISECOM
Kim Truett, ISECOM

9.0 Introduction
Everyone uses e-mail. It is the second most used application on the internet next to your web browser. But what you might not realize is that a significant portion of network attacks and compromises originate through e-mail. And with respect to your privacy, misuse of e-mail has the potential to disclose either the contents of your message, or give a spammer information about you. The purpose of this module is to give you information on how e-mail works, safe e-mail usage, e-mail based attacks, and security strategies for e-mail.


9.1 How E-mail Works

Just like airmail is sent through the air, 'e'-mail is sent through the 'e' – the 'e' in this case being the web of electronic connections within and between the networks that make up the Internet. When you send an e-mail from your computer, the data is sent from your computer to an SMTP server. The SMTP server then searches for the correct POP3 server and sends your e-mail to that server, where it waits until your intended recipient retrieves it.

9.1.1 E-mail Accounts

E-mail accounts are available through many different sources. You may get one through school, through your work or through your ISP. When you get an e-mail account, you will be given a two part e-mail address, in this form: username@domain.name. The first part, username, identifies you on your network, differentiating you from all the other users on the network. The second part, domain.name, is used to identify your specific network. The username must be unique within your network, just as the domain name must be unique among all the other networks on the Internet. However, user names are not unique outside of their networks; it is possible for two users on two different networks to share user names. For example, if there is one user with the address bill@bignetwork.net, there will not be another user on bignetwork.net whose user name is bill. However, bill@bignetwork.net and bill@smallnetwork.net are both valid e-mail addresses that can refer to different users.

One of the first things that you will do when you are setting up your e-mail is to enter your e-mail address into your e-mail client program. Your e-mail client is the program that you will use to send and receive e-mails. Microsoft's Outlook Express may be the most widely known (since it comes free with every copy of a Microsoft operating system), but there are many others available for both Windows and Linux, including Mozilla, Eudora, Thunderbird and Pine.

LESSON 9 E-MAIL SECURITY

9.1.2 POP and SMTP

After your e-mail client knows your e-mail address, it's going to need to know where to look for incoming e-mail and where to send outgoing e-mail. Your incoming e-mails are going to be on a computer called a POP server. The POP server, usually named something like pop.smallnetwork.net or mail.smallnetwork.net, has a file on it that is associated with your e-mail address and which contains e-mails that have been sent to you from someone else. POP stands for post office protocol.

Your outgoing e-mails will be sent to a computer called a SMTP server. This server, named smtp.smallnetwork.net, will look at the domain name contained in the e-mail address of any e-mails that you send, then will perform a DNS lookup to determine which POP3 server it should send the e-mail to. SMTP stands for simple mail transfer protocol.

When you start up your e-mail client, a number of things happen:

1. the client opens up a network connection to the POP server
2. the client sends your secret password to the POP server
3. the POP server sends your incoming e-mail to your local computer
4. the client sends your outgoing e-mail to the SMTP server.

The first thing to note is that you do not send a password to the SMTP server. SMTP is an old protocol, designed in the early days of e-mail, at a time when almost everyone on the Internet knew each other personally. The protocol was written with the assumption that everyone who would be using it would be trustworthy, so SMTP doesn't check to ensure that you are you. Most SMTP servers use other methods to authenticate users, but, in theory, anyone can use any SMTP server to send e-mail. (For more information on this, see section 9.2.4 Forged Headers.)

The second thing to note is that, when you send your secret password to the POP server, you send it in a plain-text format. It may be hidden by little asterisks on your computer screen, but it is transmitted through the network in an easily readable format. Anyone who is monitoring traffic on the network, using a packet sniffer, for instance, will be able to clearly see your password. You may feel certain that your network is safe, but you have little control over what might be happening on any other network through which your data may pass.

The third, and possibly most important thing that you need to know about your e-mails, is that they are, just like your password, transmitted and stored in a plain-text format. It is possible that they may be monitored any time they are transferred from the server to your computer.

This all adds up to one truth: e-mail is not a secure method of transferring information. Sure, it's great for relaying jokes, and sending out spunkball warnings, but, if you're not comfortable yelling something out through the window to your neighbor, then maybe you should think twice about putting it in an e-mail. Does that sound paranoid? Well, yeah, it is paranoid, but that doesn't necessarily make it untrue. Much of our e-mail communications are about insignificant details. No one but you, Bob and Alice, care about your dinner plans for next Tuesday. And, even if Carol desperately wants to know where you and Bob and Alice are eating next Tuesday, the odds are slim that she has a packet sniffer running on any of the networks your e-mail might pass through. But, if a company is known to use e-mail to arrange for credit card transactions, it is not unlikely to assume that someone has, or is trying to, set up a method to sniff those credit card numbers out of the network traffic.

9.1.3 Web Mail


A second option for e-mail is to use a web based e-mail account. This will allow you to use a web browser to check your e-mail. Since the e-mail for these accounts is normally stored on the web e-mail server, not on your local computer, it is very convenient to use these services from multiple computers. It is possible that your ISP will allow you to access your e-mail through both POP and the web.

However, you must remember that web pages are cached or stored on local computers, sometimes for significant lengths of time. If you check your e-mail through a web based system on someone else's computer, there is a good chance that your e-mails will be accessible to someone else who uses that computer.

Web based e-mail accounts are often free and easy to get. This means that they offer an opportunity for you to have several identities online. You can, for instance, have one e-mail address that you use only for friends and another that is only for relatives. This is usually considered acceptable, as long as you are not intentionally intending to defraud anyone.

Exercises:

1. You can learn a lot about how POP e-mail is retrieved by using the telnet program. When you use telnet instead of an e-mail client, you have to enter all the commands by hand (commands that the e-mail client program usually issues automatically). Using a web search engine, find the instructions and commands necessary to access an e-mail account using the telnet program. What are the drawbacks to using this method to retrieve e-mail? What are some of the potential advantages?
2. Find three organizations that offer web based e-mail services. What, if any, promises do they make about the security of e-mail sent or received using their services? Do they make any attempts to authenticate their users?
3. (possibly homework) Determine the SMTP server for the email address you use most frequently.
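The client steps listed in 9.1.2 and the telnet exercise above, played against a toy POP3 server so that the cleartext USER/PASS exchange is visible, as an added example (not code from the Hacker Highschool lessons; the mailbox, password and host names are constructed):

```python
"""Toy POP3 exchange: the client side of the steps listed in 9.1.2, and
what a sniffer on any network in between sees.

Added example for this lesson, not Hacker Highschool code; the mailbox,
password and host names are constructed."""
import re

# Constructed mailbox for the toy server: user -> (password, [messages])
MAILBOX = {"bill": ("hunter2", ["From: alice@smallnetwork.net\r\n\r\nDinner Tuesday?"])}


class ToyPop3Server:
    """Just enough of RFC 1939 to show the AUTHORIZATION -> TRANSACTION states."""

    banner = "+OK pop.smallnetwork.net POP3 server ready"

    def __init__(self):
        self.user = None
        self.authorized = False

    def handle(self, line):
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            self.user = arg
            return "+OK name is a valid mailbox"
        if cmd == "PASS":
            if self.user in MAILBOX and MAILBOX[self.user][0] == arg:
                self.authorized = True
                return "+OK maildrop locked and ready"
            return "-ERR invalid password"
        if not self.authorized:
            return "-ERR authentication required"
        msgs = MAILBOX[self.user][1]
        if cmd == "STAT":
            return f"+OK {len(msgs)} {sum(len(m) for m in msgs)}"
        if cmd == "RETR" and arg.isdigit() and 1 <= int(arg) <= len(msgs):
            return "+OK\r\n" + msgs[int(arg) - 1] + "\r\n."
        if cmd == "QUIT":
            return "+OK bye"
        return "-ERR unknown command or message"


def run_session(commands):
    """Feed the commands a mail client (or a person at a telnet prompt)
    would send and return every line as it would cross the wire, tagged
    C (client) or S (server)."""
    server = ToyPop3Server()
    wire = [("S", server.banner)]
    for cmd in commands:
        wire.append(("C", cmd))
        wire.append(("S", server.handle(cmd)))
    return wire


def sniff_credentials(wire):
    """What anyone capturing packets on the path sees: the USER and PASS
    arguments, in the clear, exactly as typed."""
    creds = {}
    for direction, line in wire:
        m = re.match(r"(USER|PASS)\s+(.*)", line, re.I)
        if direction == "C" and m:
            creds[m.group(1).upper()] = m.group(2)
    return creds


if __name__ == "__main__":
    session = run_session(["USER bill", "PASS hunter2", "STAT", "RETR 1", "QUIT"])
    for who, line in session:
        print(f"{who}: {line}")
    print("sniffed:", sniff_credentials(session))
```

Wrapping the same connection in TLS (POP3 on port 995, as 9.4 describes) is what keeps the two client lines carrying USER and PASS from being readable in transit.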


9.2 Safe E-mail Usage Part 1: Receiving


Everyone uses e-mail, and to the surprise of many people, your e-mail can be used against you. E-mail should be treated as a post card, in that anyone who looks can read the contents. You should never put anything in an ordinary e-mail that you don't want to be read. That being said, there are strategies for securing your e-mail. In this section we will cover safe and sane e-mail usage and how to protect your privacy online.

9.2.1 Spam, Phishing and Fraud


Everybody likes to get e-mail. A long time ago, in a galaxy far far away, it used to be you only got mail from people you knew, and it was about things you cared about. Now you get e-mail from people you never heard of asking you to buy software, drugs, and real estate, not to mention help them get 24 million dollars out of Nigeria. This type of unsolicited advertising is called spam.

It comes as a surprise to many people that e-mail they receive can provide a lot of information to a sender, such as when the mail was opened and how many times it was read, if it was forwarded, etc. This type of technology, called web bugs, is used by both spammers and legitimate senders. Also, replying to an e-mail or clicking on the unsubscribe link may tell the sender that they have reached a live address.

Another invasion of privacy concern is the increasingly common "phishing" attack. Have you ever gotten an e-mail asking you to login and verify your bank or E-bay account information? Beware, because it is a trick to steal your account information. To secure yourself against these types of attacks, there are some simple strategies to protect yourself outlined below.

9.2.2 HTML E-Mail


One of the security concerns with HTML based e-mail is the use of web bugs. Web bugs are hidden images in your e-mail that link to the senders' web server, and can provide them with notification that you have received or opened the mail. Another flaw with HTML e-mail is that the sender can embed links in the e-mail that identify the person who clicks on them. This can give the sender information about the status of the message. As a rule, you should use a mail client that allows you to disable the automatic downloading of attached or embedded images. Another problem is related to scripts in the e-mail that may launch an application, if your browser has not been patched for security flaws.

For web based e-mail clients, you may have the option of disabling the automatic download of images, or viewing the message as text. Either is a good security practice. The best way to protect yourself against HTML e-mail based security and privacy attacks is to use text based e-mail. If you must use HTML e-mail, beware!
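One way to see what an HTML message would report back before a client renders it, as an added example that is not part of the lesson (the sample message, its hosts and the TRACKING_PARAMS names are constructed assumptions):

```python
"""Find web bugs and tracking links in an HTML message before it is rendered.

Added example, not Hacker Highschool code. SAMPLE_HTML and every host and
parameter name in it are constructed; TRACKING_PARAMS is an assumption
about the query-string names tracking services commonly use."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

SAMPLE_HTML = """<html><body>
<p>Great prices this week!</p>
<img src="https://img.example-shop.test/banner.jpg" width="400" height="80">
<img src="http://track.example-ads.test/open.gif?u=8842&amp;m=7" width="1" height="1">
<a href="http://track.example-ads.test/click?u=8842&amp;to=shop">Shop now</a>
<a href="http://track.example-ads.test/unsubscribe?u=8842">Unsubscribe</a>
</body></html>"""

TRACKING_PARAMS = {"u", "uid", "m", "mid", "rid", "id", "token"}


def tracking_ids(url):
    """Query parameters that look like a per-recipient or per-message id."""
    query = parse_qs(urlparse(url).query)
    return {k: v[0] for k, v in query.items() if k in TRACKING_PARAMS}


class MailScanner(HTMLParser):
    """Collects every remote resource the client would fetch or the reader could click."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src", "").startswith(("http://", "https://")):
            # A 1x1 (or 0x0) remote image exists only to report that the mail was opened.
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            self.findings.append({"kind": "web bug" if tiny else "remote image",
                                  "host": urlparse(a["src"]).hostname,
                                  "tracking": tracking_ids(a["src"])})
        elif tag == "a" and a.get("href") and tracking_ids(a["href"]):
            self.findings.append({"kind": "tracking link",
                                  "host": urlparse(a["href"]).hostname,
                                  "tracking": tracking_ids(a["href"])})


def scan_html_mail(html):
    scanner = MailScanner()
    scanner.feed(html)
    return scanner.findings


def hosts_notified_on_open(findings):
    """Servers that learn the mail was opened if images auto-load: any remote
    image reports receipt, not only the hidden 1x1 ones."""
    return sorted({f["host"] for f in findings if f["kind"] in ("web bug", "remote image")})


if __name__ == "__main__":
    for finding in scan_html_mail(SAMPLE_HTML):
        print(finding)
    print("contacted on open:", hosts_notified_on_open(scan_html_mail(SAMPLE_HTML)))
```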

9.2.3 Attachment Security


Another real concern related to received e-mail security is attachments. Attackers can send you malware, viruses, Trojan horses and all sorts of nasty programs. The best defense against e-mail borne malware is to not open anything from anyone you don't know. Never open a file with the extension .exe or .scr, as these are extensions that will launch an executable file that may infect your computer with a virus. For good measure, any files you receive should be saved to your hard drive and scanned with an antivirus program. Beware of files that look like a well known file type, such as a zip file. Sometimes attackers can disguise a file by changing the icon or hiding the file extension so you don't know it is an executable.


9.2.4 Forged headers


Occasionally you may receive an e-mail that looks like it is from someone you know, or from the "Administrator" or "Postmaster" or "Security Team" at your school or ISP. The subject may be "Returned Mail" or "Hacking Activity" or some other interesting subject line. Often there will be an attachment. The problem is that it takes no technical knowledge and about 10 seconds of work to forge an e-mail address. (It also, depending on where you live, may be very illegal.)

To do this, you make a simple change to the settings in your e-mail client software. Where it asks you to enter your e-mail address (under Options, Settings or Preferences) you enter something else. From here on out, all your messages will have a fake return address. Does this mean that you're safe from identification? No, not really. Anyone with the ability to read an e-mail header and procure a search warrant can probably figure out your identity from the information contained on the header. What it does mean is that a spammer can represent himself as anyone he wants to. So if Fannie Gyotoku <telecommunicatecreatures@cox.net> sells you a magic cell phone antenna that turns out to be a cereal box covered with tin foil, you can complain to cox.net, but don't be surprised when they tell you that there is no such user.

Most ISPs authenticate senders and prevent relaying, which means that you have to be who you say you are to send mail via their SMTP server. The problem is that hackers and spammers often run an SMTP server on their PC, and thus don't have to authenticate to send e-mail, and can make it appear any way they want. The one sure way to know if a suspicious e-mail is legitimate is to know the sender and call them up. Never reply to a message that you suspect may be forged, as this lets the sender know they have reached an actual address. You can also look at the header information to determine where the mail came from, as in the following example:

This is an e-mail from someone I don't know, with a suspicious attachment. Normally, I would just delete this but I want to know where it came from. So I'll look at the message header. I use Outlook 2003 as my e-mail client, and to view the header you go to view>options and you will see the header information as below:

Microsoft Mail Internet Headers Version 2.0
Received: from srv1.mycompany.com ([192.168.10.93]) by mx1.mycompany.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.0); Mon, 9 Aug 2004 11:20:18 -0700
Received: from [10.10.209.241] (helo=www.mycompany.com) by srv1.mycompany.com with esmtp (Exim 4.30) id 1BuEgN-0001OU-8a; Mon, 09 Aug 2004 11:19:37 -0700
Received: from kara.org (67.108.219.194.ptr.us.xo.net [67.108.219.194]) by www.mycompany.com (8.12.10/8.12.10) with SMTP id i7OIB=Ur030082 for <sales@mycompany.com>; Mon, 9 Aug 2004 11:11:34 -0700
Date: Mon, 09 Aug 2004 14:19:39 -0900
To: "Sales" <sales@mycompany.com>
From: "Sales" <sales@innovonics.com>
Subject:
Message-ID: <cdkdabgurdgefupfhnt@mycompany.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------cfwriebwwbnnfkkmojga"
X-Scan-Signature: 178bfa9974a422908674b1924a9c2839
Return-Path: sales@innovonics.com
X-OriginalArrivalTime: 09 Aug 2004 18:20:18.0790 (UTC) FILETIME=[868FE220:01C47E3D]

----------cfwriebwwbnnfkkmojga
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

----------cfwriebwwbnnfkkmojga
Content-Type: application/octet-stream; name="price_08.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="price_08.zip"

----------cfwriebwwbnnfkkmojga--

Now, the part I'm interested in is the third "Received" line above. Note that the "Received" is from kara.org at an IP that appears to be an xo.net DSL line, which does not agree with innovonics.com, the purported sender. Also, if I look up innovonics.com's mail server using nslookup, its address comes back as follows:

C:\>nslookup innovonics.com
Server: dc.mycompany.com
Address: 192.168.10.94

Non-authoritative answer:
Name: innovonics.com
Address: 64.143.90.9

So, my suspicion was correct, and this is an e-mail that is carrying some malware in an executable file posing as a zip file. The malware has infected the person's computer on the DSL line, which is now a zombie, sending copies of the malware to everyone in the infected computer's address book. I'm glad I checked it out!

Exercises:

1. Citibank and PayPal are two of the most common targets of phishing emails. Research what Citibank or PayPal are doing to fight / control phishing.
2. Research whether your bank or credit card holder has a published statement about the use of email and personal information.
3. (possibly homework) Research a spam email you have received and see if you can determine the real source.
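The header inspection done by hand in 9.2.4, together with the disguised-attachment check from 9.2.3, automated over a shortened, constructed copy of the message above, as an added example that is not Hacker Highschool code (the base64 payload is a made-up stub that merely starts with the "MZ" signature of a Windows executable):

```python
"""Walk the Received: chain of a suspicious message, compare the origin with
the claimed From: domain, and check the attachment's real type.

Added example, not Hacker Highschool code. RAW is a shortened, constructed
copy of the message shown in the lesson; the base64 payload is a made-up
stub whose first two bytes are the 'MZ' signature of a Windows executable."""
import email
import email.utils
import re
from email import policy

RAW = """\
Received: from srv1.mycompany.com ([192.168.10.93]) by mx1.mycompany.com; Mon, 9 Aug 2004 11:20:18 -0700
Received: from [10.10.209.241] (helo=www.mycompany.com) by srv1.mycompany.com with esmtp (Exim 4.30); Mon, 09 Aug 2004 11:19:37 -0700
Received: from kara.org (67.108.219.194.ptr.us.xo.net [67.108.219.194]) by www.mycompany.com with SMTP for <sales@mycompany.com>; Mon, 9 Aug 2004 11:11:34 -0700
From: "Sales" <sales@innovonics.com>
To: "Sales" <sales@mycompany.com>
Return-Path: sales@innovonics.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>see attached</body></html>
--b1
Content-Type: application/octet-stream; name="price_08.zip"
Content-Disposition: attachment; filename="price_08.zip"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--b1--
"""

RECEIVED_FROM = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?", re.I)
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "Windows executable"}


def parse_message(raw):
    return email.message_from_string(raw, policy=policy.default)


def received_chain(msg):
    """Hops oldest first: the Received: header nearest the body was added by
    the first server to accept the message, so it names the origin."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_FROM.search(" ".join(str(value).split()))
        hops.append({"from": m.group(1) if m else "?",
                     "detail": (m.group(2) or "") if m else ""})
    return hops


def check_origin(msg):
    """Does the origin hop (name, HELO, reverse DNS) belong to the From: domain?"""
    origin = received_chain(msg)[0]
    from_domain = email.utils.parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    seen = (origin["from"] + " " + origin["detail"]).lower()
    return {"from_domain": from_domain, "origin": origin["from"],
            "origin_detail": origin["detail"], "consistent": from_domain in seen}


def check_attachments(msg):
    """Compare each attachment's leading bytes with the type its name advertises."""
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        kind = next((k for sig, k in MAGIC.items() if data.startswith(sig)), "unknown")
        name = part.get_filename() or ""
        findings.append({"name": name, "declared": part.get_content_type(), "content": kind,
                         "suspicious": name.lower().endswith(".zip") and kind != "zip"})
    return findings


if __name__ == "__main__":
    message = parse_message(RAW)
    for hop in received_chain(message):
        print("hop:", hop)
    print(check_origin(message))
    print(check_attachments(message))
```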

9.3 Safe E-mail Usage Part 2: Sending


Sending mail is a little more care free. There are some things you can do to make sure your conversation is secure though. The first is to ensure your connection is secure (see section 9.4 Connection Security for more information). There are also methods to allow you to digitally sign your messages, which guarantees that the message is from you and has not been tampered with en route. And for maximum security, you can encrypt your messages to make sure no one reads them.

Digital signatures prove who e-mail comes from, and that it has not been altered in transit. If you establish the habit of using digital signatures for important e-mail, you will have a lot of credibility if you ever need to disown forged mail that appears to be from you. They also allow you to encrypt e-mail so that no one can read it except the recipient. PGP in particular offers high levels of encryption which to break would require extreme computing power.

9.3.1 Digital Certificates

A digital certificate is unique to an individual, kind of like a driver's license or passport, and is composed of 2 parts. These parts are a public and private key. The certificate is unique to one person, and typically certificates are issued by a trusted Certificate Authority, or CA. The list of Certificate Authorities you trust is distributed automatically (if you are a Microsoft Windows User) by Windows Update and the list is accessible in your browser under tools>internet options>content>certificates. You can go here to view certificates installed on your machine (yours and others), and other certificate authorities you trust.

You can disable the automatic update of CAs, and choose to remove all CAs from the list, although this is not recommended. Instructions on how to do this are on Microsoft's web site.

9.3.2 Digital Signatures

A digital signature is generated by your e-mail software and your private key to assure the authenticity of your e-mail. The purpose of the signature is twofold. The first is to certify it came from you. This is called non-repudiation. The second is to ensure the contents have not been altered. This is called data integrity. The way an e-mail program accomplishes this is by running the contents of your message through a one way hash function. This produces a fixed size output of your e-mail called a message digest. This is a unique value, and if the mathematical algorithm that produces it is strong, the message digest has the following attributes: the original message can't be reproduced from the digest, and each digest is unique.

After the digest is created, it is encrypted with your private key. The encrypted digest is attached to the original message along with your public key. The recipient then opens the message, and the digest is decrypted with your public key. The digest is compared to an identical digest generated by the recipient's mail program. If they match, then you're done. If not, your mail client will let you know the message has been altered.

There are 2 types of signing / encryption functions, S/MIME and PGP. S/MIME is considered to be the corporate and government choice, possibly because it uses the less labor intensive certificate authority model for authentication,
and because it is more easily implemented through Microsoft's Outlook Express e-mail program. PGP is more often the choice of the computer user community, because it is based on a non-centralized web of trust for authentication, where a user's trustworthiness is validated through the 'friend of a friend' system, where you agree that, if you trust me, then you can also trust those people who I trust, and because members of the computer user community don't really care if it takes them four hours to figure out how to make PGP work with Thunderbird; they consider these types of challenges to be a form of recreation.

9.3.3 Getting a certificate

If you are interested in getting a digital certificate or digital ID, you need to contact a Certificate Authority (Verisign and thawte are the most well known, although a web search may find others.) Both require you to provide identification to prove to them that you are who you are. You can get a free certificate from thawte, but they require a significant amount of personal information, including a government identification number (such as a passport, tax id or driver's license). Verisign charges a fee for its certificate and requires that you pay this fee with a credit card, but asks for less personal information. (Presumably, Verisign is relying on the credit card company to validate your personal information.) These requests for information may seem intrusive, but remember, you are asking these companies to vouch for your trustworthiness. And, as always, check with your parents or guardians before you give out any personal information (or run up large balances on their credit cards).

The biggest disadvantage to using a certificate authority is that your private key is available to someone else, the certificate authority. If the certificate authority is compromised, then your digital ID is also compromised.

9.3.4 Encryption

As an additional layer of security, you can encrypt your e-mail. Encryption will turn your e-mail text into a garbled mess of numbers and letters that can only be read by its intended recipient. Your deepest secrets and your worst poetry will be hidden from all but the most trusted eyes. However, you must remember that, while this may sound good to you, and to all of us who don't really wish to be exposed to bad poetry, some governments do not approve. Their arguments may, or may not, be valid (you can discuss this amongst yourselves), but validity is not the point. The point is that, depending on the laws of the nation in which you live, sending an encrypted e-mail may be a crime, regardless of the content.

9.3.5 How does it work?


Encryption is fairly complicated, so I'll try to explain it in a low tech way: Jason wants to send an encrypted message. So the first thing Jason does is go to a Certificate Authority and get a Digital Certificate. This Certificate has two parts, a Public Key and a Private Key.

If Jason wants to receive and send encrypted messages with his friend Kira, they must first exchange Public keys. If you retrieve a public key from a Certificate Authority that you have chosen to trust, the key can be verified back to that certifying authority automatically. That means your e-mail program will verify that the certificate is valid, and has not been revoked. If the certificate did not come from an authority you trust, or is a PGP key, then you need to verify the key fingerprint. Typically this is done separately, by either a face to face exchange of the key or fingerprint data.

Now let's assume that both Kira and Jason are using compatible encryption schemes, and have exchanged signed messages, so they have each other's public keys.

When Jason wants to send an encrypted message, the encryption process begins by converting the text of Jason's message to a pre hash code. This code is generated using a mathematical formula called an encryption algorithm. There are many types of algorithms, but for e-mail S/MIME and PGP are most common. The hash code of Jason's message is encrypted by the e-mail program using Jason's private key. Jason then uses Kira's public key to encrypt the message, so only Kira can decrypt it with her private key, and this completes the encryption process.

9.3.6 Decryption

So Kira has received an encrypted message from Jason. This typically is indicated by a lock icon on the message in her in box. The process of decryption is handled by the e-mail software, but what goes on behind the scenes is something like this: Kira's e-mail program uses her private key to decipher the encrypted pre hash code and the encrypted message. Then Kira's e-mail program retrieves Jason's public key from storage (remember, we exchanged keys earlier). This public key is used to decrypt the pre hash code and to verify the message came from Jason. Kira's e-mail program then generates a post hash code from the message. If the post hash code equals the pre hash code, the message has not been altered en route.

Note: if you lose your private key, your encrypted files become useless, so it is important to have a procedure for making backups of your private and public keys.
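The Jason/Kira flow of 9.3.2, 9.3.5 and 9.3.6 carried through end to end, as an added example that is not from the lesson: it models the steps with textbook RSA over fixed Mersenne primes (chosen so the arithmetic stays small and visible, not for security) and SHA-256 as the one-way hash; real S/MIME and PGP implementations use large random keys, padding and authenticated encryption.

```python
"""Sign-then-encrypt between Jason and Kira, end to end.

Added example for this lesson, not Hacker Highschool code. Textbook RSA over
fixed, tiny Mersenne primes keeps the arithmetic visible; real mail software
uses large random keys, padding and authenticated encryption, so this is a
model of the flow, not a replacement for S/MIME or PGP."""
import hashlib
from dataclasses import dataclass

BLOCK = 8  # bytes per block; every block's integer must stay below n


@dataclass
class KeyPair:
    n: int
    e: int  # public exponent
    d: int  # private exponent, never leaves the owner

    def public(self):
        return (self.n, self.e)


def make_keypair(p, q, e=65537):
    return KeyPair(n=p * q, e=e, d=pow(e, -1, (p - 1) * (q - 1)))


def apply_key(data, n, exp):
    """m^exp mod n for each 8-byte block (len(data) must be a multiple of BLOCK)."""
    return [pow(int.from_bytes(data[i:i + BLOCK], "big"), exp, n)
            for i in range(0, len(data), BLOCK)]


def unapply_key(blocks, n, exp):
    return b"".join(pow(b, exp, n).to_bytes(BLOCK, "big") for b in blocks)


def digest(message):
    """The one-way hash: the fixed-size 'pre hash code' of the message."""
    return hashlib.sha256(message).digest()


def sign(message, signer):
    """Encrypt the digest with the signer's PRIVATE key (32 bytes = 4 blocks)."""
    return apply_key(digest(message), signer.n, signer.d)


def verify(message, signature, signer_pub):
    """Recover the digest with the signer's PUBLIC key; compare with a fresh hash."""
    n, e = signer_pub
    return unapply_key(signature, n, e) == digest(message)


def encrypt(message, recipient_pub):
    """Only the holder of the matching private key can undo this step."""
    n, e = recipient_pub
    padded = message + b"\x00" * (-len(message) % BLOCK)
    return {"blocks": apply_key(padded, n, e), "length": len(message)}


def decrypt(envelope, recipient):
    return unapply_key(envelope["blocks"], recipient.n, recipient.d)[:envelope["length"]]


# Constructed key pairs: M31*M61 and M61*M89, fine for a demo, useless for secrecy
JASON = make_keypair(2**31 - 1, 2**61 - 1)
KIRA = make_keypair(2**61 - 1, 2**89 - 1)


def jason_sends(message):
    """Sender: sign with own private key, then encrypt for Kira's public key."""
    return {"signature": sign(message, JASON),
            "ciphertext": encrypt(message, KIRA.public())}


def kira_receives(mail):
    """Recipient: decrypt with own private key, verify with Jason's public key."""
    message = decrypt(mail["ciphertext"], KIRA)
    return message, verify(message, mail["signature"], JASON.public())


if __name__ == "__main__":
    sent = jason_sends(b"Dinner Tuesday at 8, bring Alice!")
    print("on the wire:", sent["ciphertext"]["blocks"][:2], "...")
    print("Kira reads:", kira_receives(sent))
```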

9.3.7 Is Encryption Unbreakable?

According to the numbers, the level of encryption offered by, for example, PGP is unbreakable. Sure, a million computers working on breaking it would eventually succeed, but not before the million monkeys finished their script for Romeo and Juliet. The number theory behind this type of encryption involves factoring the products of very large prime numbers, and, despite the fact that mathematicians have studied prime numbers for years, there's just no easy way to do it.

But encryption and privacy are about more than just numbers. If someone else has access to your private key, then they have access to all of your encrypted files. Encryption only works if it is part of a larger security framework which offers protection to both your private key and your pass-phrase.

Exercises:

1. Is encryption of email legal in the country that you reside in? Find one other country that it is legal in, and one country where it is illegal to encrypt email.
2. Science fiction writers have imagined two types of futures, one in which people's lives are transparent, that is, they have no secrets, and one in which everyone's thoughts and communications are completely private. Phil Zimmermann, creator of PGP, believes in privacy as a source of freedom. Read his thoughts on why you need PGP at http://www.pgpi.org/doc/whypgp/en/. Then look at science fiction writer David Brin's article 'A Parable about Openness' at http://www.davidbrin.com/akademos.html in which he makes a number of points advocating openness as a source of freedom. Discuss these two opposing viewpoints. Which do you prefer? Which do you think would most likely succeed? What do you think the future of privacy will be like?



9.4 Connection Security

Last but not least is connection security. For web mail, ensure you are using an SSL connection to your ISP's e-mail. A small lock icon will appear in the bar at the bottom of your browser. If you are using POP and an e-mail client, ensure that you have configured your e-mail client to use SSL with POP on port 995 and SMTP on port 465. This encrypts your mail from you to your server, as well as protecting your POP / SMTP username and password. Your ISP should have a how-to on their web site to configure this. If they don't offer a secure POP / SMTP connection, change ISPs!

Exercise:

If you have an e-mail account, find out if your account is using SSL for its connection. How do you check this in your e-mail client? Does your ISP provide information regarding an SSL connection?



Further Reading

Can someone else read my e-mail? http://www.research.att.com/~smb/securemail.html
MIT's PGP freeware page http://web.mit.edu/network/pgp.html
General news on Internet privacy issues: Electronic Privacy Information Center http://www.epic.org/ and Electronic Frontier Foundation http://www.eff.org/
More about PGP http://www.openpgp.org/index.shtml
How Reading an Email Can Compromise Your Privacy http://email.about.com/od/staysecureandprivate/a/webbug_privacy.htm
Avoiding E-mail Viruses http://www.ethanwiner.com/virus.html
Brief Overview of E-mail Security Questions (with a short advertisement at the end) http://www.zzee.com/email-security/
Brief Overview of E-mail Security Questions (with no advertisement) http://www.claymania.com/safe-hex.html
Windows Based E-mail Precautions http://www.windowsecurity.com/articles/Protecting_Email_Viruses_Malware.html and http://computer-techs.home.att.net/email_safety.htm
Differences Between Linux and Windows Viruses (with information on why most Linux e-mail programs are more secure) http://www.theregister.co.uk/2003/10/06/linux_vs_windows_viruses/


LESSON 10 WEB SECURITY AND PRIVACY

LESSON 10 - WEB SECURITY AND PRIVACY



Table of Contents

"License for Use" Information
Contributors
10.1 Fundamentals of Web Security
10.1.1 How the web really works
10.1.2 Rattling the Locks
10.1.3 Looking through Tinted Windows - SSL
10.1.4 Having someone else do it for you - Proxies
10.2 Web Vulnerabilities
10.2.1 Scripting Languages
10.2.2 Common Web Application Problems
10.2.3 Guidelines for Building Secure Web Applications
10.3 HTML Basics - A brief introduction
10.3.1 Reading HTML
10.3.2 Viewing HTML at its Source
10.3.3 Links
10.3.4 Proxy methods for Web Application Manipulation
10.4 Protecting your server
10.4.1 Firewall
10.4.2 Intrusion Detection System (IDS)
10.5 Secure Communications
10.5.1 Privacy and Confidentiality
10.5.2 Knowing if you are communicating securely
10.6 Methods of Verification
10.6.1 OSSTMM
Exercises
Further Reading


Contributors

Simon Biles
Pete Herzog, ISECOM
Bill Matthews
Hernán Marcelo Racciatti
Chris Ramirez
P. Shreekanth
Kim Truett, ISECOM
Marta Barceló, ISECOM
Dario Riquelme Zornow



10.1 Fundamentals of Web Security

What you do on the World Wide Web is your business. Or so you would think. But it's just not true. What you do on the web is about as private and anonymous as where you go when you leave the house. Again, you would think that it's your business and many, including ISECOM, would agree with you. However, consider a private investigator following you around town, writing down what you saw and who you spoke with.

The focus of this lesson is to get you to learn how to protect yourself on the web, and to do that you will have to learn where the dangers are.

The World Wide Web works in a very straight-forward manner. Once connected to the Internet through your ISP, you open a browser, tell it a website, and you get that website on your screen. However, the truth is in the details. How does the web really work? A quick trip to the World Wide Web Consortium (W3C), those fine folks who make standards for the web, will teach you all you want to know about the web: http://www.w3.org. Even the history of the web: http://www.w3.org/History.html

The problem is, will definitions and standards teach you how to be safe? Apparently not. The people who want to hurt you do not necessarily follow the standards.

10.1.1 How the web really works


The steps involved in connecting to the Internet and then to the web are very detailed even if it does seem to be smooth from the user end. So what happens for real when you just want to get to the ISECOM website? Assuming you are already connected to the internet, here are the steps that occur in order:

1. You open your browser.
2. You type in the URL (website name).
3. Website name saved in History Cache on the hard disk.
4. Your computer looks up the name of the address to your default DNS server to find the IP address.
5. Your computer connects to the server at the IP address provided at the default web port of 80 TCP if you used "HTTP://" or 443 TCP if you used "HTTPS://" at the front of the web server name (by the way, if you used HTTPS then there are other steps involved using server certificates which we will not follow in this example).
6. Your computer requests the page or directory you specified with the default often being "index.htm" if you don't specify anything. But the server decides its default and not your browser.
7. The pages are stored in a cache on your harddisk. Even if you tell it to store the information in memory (RAM), there is a good chance it will end up somewhere on your disk either in a PAGEFILE or in a SWAPFILE.
8. The browser nearly instantaneously shows you what it has stored. Again, there is a difference between "perceived speed" and "actual speed" of your web surfing which is actually the difference between how fast something is downloaded (actual) and how fast your browser and graphics card can render the page and graphics and show them to you (perceived). Just because you didn't see it doesn't mean it didn't end up in your browser cache.

LESSON 10 - WEB SECURITY AND PRIVACY

The history of the World Wide Web (just “web” from now on) started at CERN[1] in 1989. It was conceived by Tim Berners-Lee and Robert Cailliau, who built a basic hypertext based system for sharing information. Over the next few years Tim Berners-Lee continued to develop the system until in 1993 CERN announced that the web was free for anyone to use, and the web as we know it now exploded onto the scene. The Web is a client and server based concept, with clients such as Internet Explorer, Firefox, Mozilla, Opera, Netscape and others connecting to web servers such as IIS and Apache which supply them with content in the form of HTML[2] pages. Many companies, organizations and individuals have collections of pages hosted on servers delivering a large amount of information to the world at large. So why do we care about web security then? Web servers often are the equivalent of the shop window of a company. It is a place where you advertise and exhibit information, but this is supposed to be under your control. What you don't want to do is leave the window open so that any passer-by can reach in and take what they want for free, and you ideally want to make sure that if someone throws a brick, the window doesn't shatter! Unfortunately web servers are complex programs, and as such have a high probability of containing a number of bugs, and these are exploited by the less scrupulous members of society to get access to data that they shouldn't be seeing. And the reverse is true as well. There are risks also associated with the client side of the equation, like your browser. There are a number of vulnerabilities which have been discovered in the last year which allow a malicious web site to compromise the security of a client machine making a connection to it.

10.1.2 Rattling the Locks


Standard HTML pages are transferred using HTTP[3]; this standard TCP based protocol is plain text based, and this means that we can make connections to a server easily using tools such as “telnet” or “netcat”. We can use this facility to gain a great deal of information about what software is running on a specific server. For example:

    simon@exceat:~> netcat www.computersecurityonline.com 80
    HEAD / HTTP/1.0

    HTTP/1.1 200 OK
    Date: Fri, 07 Jan 2005 10:24:30 GMT
    Server: Apache/1.3.27 Ben-SSL/1.48 (Unix) PHP/4.2.3
    Last-Modified: Mon, 27 Sep 2004 13:17:54 GMT
    ETag: "1f81d-32a-41581302"
    Accept-Ranges: bytes
    Content-Length: 810
    Connection: close
    Content-Type: text/html

By entering “HEAD / HTTP/1.0” followed by hitting the “Return” key twice, I can gain all of the information above about the HTTP Server. Each version and make of HTTP Server will return different information at this request – an IIS server will return the following:

    simon@exceat:~> netcat www.microsoft.com 80
    HEAD / HTTP/1.0

    HTTP/1.1 200 OK
    Connection: close
    Date: Fri, 07 Jan 2005 11:00:45 GMT
    Server: Microsoft-IIS/6.0
    P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
    X-Powered-By: ASP.NET
    X-AspNet-Version: 1.1.4322
    Cache-Control: public, max-age=9057
    Expires: Fri, 07 Jan 2005 13:31:43 GMT
    Last-Modified: Fri, 07 Jan 2005 10:45:03 GMT
    Content-Type: text/html
    Content-Length: 12934

[1] Centre Européen pour la Recherche Nucléaire (European Centre for Nuclear Research)
[2] Hyper Text Markup Language
[3] Hyper Text Transfer Protocol

You can take this further and obtain more information by using the “OPTIONS” request in the HTTP request as follows:

    simon@exceat:~> netcat www.computersecurityonline.com 80
    OPTIONS / HTTP/1.0

    HTTP/1.1 200 OK
    Date: Fri, 07 Jan 2005 10:32:38 GMT
    Server: Apache/1.3.27 Ben-SSL/1.48 (Unix) PHP/4.2.3
    Content-Length: 0
    Allow: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE
    Connection: close

This will give you all of the allowed HTTP commands that the server will respond to. Doing all of this by hand is rather tedious, and matching it manually against a database of known signatures and vulnerabilities is more than anyone would want to do. Fortunately for us, some very enterprising people have come up with an automated solution called “nikto”. “Nikto” is a Perl script which carries out various tests automagically! The options are as follows:

    -Cgidirs+   Scan these CGI dirs: 'none', 'all', or a value like '/cgi/'
    -cookies    print cookies found
    -evasion+   ids evasion technique (1-9, see below)
    -findonly   find http(s) ports only, don't perform a full scan
    -Format     save file (-o) Format: htm, csv or txt (assumed)
    -generic    force full (generic) scan
    -host+      target host
    -id+        host authentication to use, format is userid:password
    -mutate+    mutate checks (see below)
    -nolookup   skip name lookup
    -output+    write output to this file
    -port+      port to use (default 80)
    -root+      prepend root value to all requests, format is /directory
    -ssl        force ssl mode on port
    -timeout    port timeout (default 10 seconds)
    -useproxy   use the proxy defined in config.txt


    -Version    print plugin and database versions
    -vhost+     virtual host (for Host header)

    (+ means it requires a value)

    These options cannot be abbreviated:
    -debug      debug mode
    -dbcheck    syntax check scan_database.db and user_scan_database.db
    -update     update databases and plugins from cirt.net
    -verbose    verbose mode

    IDS Evasion Techniques:
     1 Random URI encoding (non-UTF8)
     2 Directory self-reference (/./)
     3 Premature URL ending
     4 Prepend long random string
     5 Fake parameter
     6 TAB as request spacer
     7 Random case sensitivity
     8 Use Windows directory separator (\)
     9 Session splicing

    Mutation Techniques:
     1 Test all files with all root directories
     2 Guess for password file names
     3 Enumerate user names via Apache (/~user type requests)
     4 Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)

“Nikto” is quite comprehensive in its reporting as you can see from the following scan:

    exceat:/# ./nikto.pl -host www.computersecurityonline.com
    ---------------------------------------------------------------------------
    - Nikto 1.34/1.29     -     www.cirt.net
    + Target IP:       217.37.14.21
    + Target Hostname: www.computersecurityonline.com
    + Target Port:     80
    + Start Time:      Fri Jan 7 12:23:56 2005
    ---------------------------------------------------------------------------
    - Scan is dependent on "Server" string which can be faked, use -g to override
    + Server: Apache/1.3.27 Ben-SSL/1.48 (Unix) PHP/4.2.3
    - Server did not understand HTTP 1.1, switching to HTTP 1.0
    + Server does not respond with '404' for error messages (uses '200').
    + This may increase false-positives.
    + Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE
    + HTTP method 'PUT' method may allow clients to save files on the web server.
    + HTTP method 'CONNECT' may allow server to proxy client requests.
    + HTTP method 'DELETE' may allow clients to remove files on the web server.
    + HTTP method 'PROPFIND' may indicate DAV/WebDAV is installed. This may be used to get directory listings if indexing is allowed but a default page exists.
    + HTTP method 'PROPPATCH' may indicate DAV/WebDAV is installed.
    + HTTP method 'TRACE' is typically only used for debugging. It should be disabled.
    + Apache/1.3.27 appears to be outdated (current is at least Apache/2.0.50). Apache 1.3.31 is still maintained and considered secure.
    + Ben-SSL/1.48 appears to be outdated (current is at least 1.55)
    + PHP/4.2.3 appears to be outdated (current is at least 5.0.1)
    + PHP/4.2.3 - PHP below 4.3.3 may allow local attackers to safe mode and gain access to unauthorized files. BID-8203.
    + Apache/1.3.27 - Windows and OS/2 version vulnerable to remote exploit. CAN-2003-0460
    + Apache/1.3.27 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
    + /~root - Enumeration of users is possible by requesting ~username (responds with Forbidden for real users, not found for non-existent users) (GET).
    + /icons/ - Directory indexing is enabled, it should only be enabled for specific directories (if required). If indexing is not used all, the /icons directory should be removed. (GET)
    + / - TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details (TRACE)
    + / - TRACK option ('TRACE' alias) appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details (TRACK)
    + /CVS/Entries - CVS Entries file may contain directory listing information. (GET)
    + /images/ - index of image directory available (GET)
    + /manual/ - Web server manual? tsk tsk. (GET)
    + /cgi-bin/cgiwrap - Some versions of cgiwrap allow anyone to execute commands remotely. (GET)
    + /cgi-bin/cgiwrap/~adm - cgiwrap can be used to enumerate user accounts. Recompile cgiwrap with the '--with-quiet-errors' option to stop user enumeration. (GET)
    + /cgi-bin/cgiwrap/~bin - cgiwrap can be used to enumerate user accounts. Recompile cgiwrap with the '--with-quiet-errors' option to stop user enumeration. (GET)
    + /cgi-bin/cgiwrap/~daemon - cgiwrap can be used to enumerate user accounts. Recompile cgiwrap with the '--with-quiet-errors' option to stop user enumeration. (GET)
    + /cgi-bin/cgiwrap/~lp - cgiwrap can be used to enumerate user accounts. Recompile cgiwrap with the '--with-quiet-errors' option to stop user enumeration. (GET)
    + /cgi-bin/cgiwrap/~root - cgiwrap can be used to enumerate user accounts. Recompile cgiwrap with the '--with-quiet-errors' option to stop user enumeration. (GET)
    + /cgi-bin/cgiwrap/~xxxxx - Based on error message, cgiwrap can likely be used to find valid user accounts. Recompile cgiwrap with the '--with-quiet-errors' option to stop user enumeration. (GET)
    + /cgi-bin/cgiwrap/~root - cgiwrap can be used to enumerate user accounts. Recompile cgiwrap with the '--with-quiet-errors' option to stop user enumeration. (GET)
    + /css - Redirects to http://www.computer-security-online.com/css/ , This might be interesting...
    + 2449 items checked - 15 item(s) found on remote host(s)
    + End Time:        Fri Jan 7 12:25:36 2005 (100 seconds)
    ---------------------------------------------------------------------------
    + 1 host(s) tested

Using the other options you can fine tune Nikto to do exactly what you need to achieve, including stealth, mutation and cookie detection.
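The HEAD and OPTIONS exchanges above are easy to reproduce by hand; the useful skill for whoever runs the server is reading them. The following is an added example, not code from the lesson or from nikto: it parses two constructed responses modelled on the Apache OPTIONS reply and the IIS HEAD reply shown earlier and reports what a scanner would seize on, namely a version-revealing Server banner, X-Powered-By style headers, and methods in Allow that a public site rarely needs. The set of "risky" methods is an assumption chosen for the example.

```python
# Added example (not from the Hacker High School lesson or from nikto):
# read raw HTTP response headers and summarize what an administrator
# should fix before a scanner finds it.

# Methods a public web server rarely needs. TRACE/TRACK enable the
# cross-site tracing nikto reports above; PUT/DELETE and the WebDAV
# methods let clients change content. (Assumed list for this example.)
RISKY_METHODS = {
    "TRACE", "TRACK", "PUT", "DELETE", "CONNECT",
    "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
}


def parse_response(raw):
    """Split a raw HTTP response into (status line, {header: value}).
    Header names are lower-cased; anything after the blank line is body."""
    head, _sep, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def review_headers(raw):
    """Return the findings a defender would extract from one response."""
    status, headers = parse_response(raw)
    server = headers.get("server", "")
    findings = {"status": status, "server": server, "leaks": [], "risky_methods": []}
    # A banner with version numbers tells nikto exactly which
    # outdated-software checks apply; "Apache" alone would not.
    if any(ch.isdigit() for ch in server):
        findings["leaks"].append("server version disclosed")
    for name in ("x-powered-by", "x-aspnet-version"):
        if name in headers:
            findings["leaks"].append(f"{name} disclosed")
    allow = headers.get("allow", "")
    methods = {m.strip().upper() for m in allow.split(",") if m.strip()}
    findings["risky_methods"] = sorted(methods & RISKY_METHODS)
    return findings


# Constructed responses, modelled on the two shown in the lesson.
APACHE_OPTIONS = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 07 Jan 2005 10:32:38 GMT\r\n"
    "Server: Apache/1.3.27 Ben-SSL/1.48 (Unix) PHP/4.2.3\r\n"
    "Content-Length: 0\r\n"
    "Allow: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, "
    "PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE\r\n"
    "Connection: close\r\n\r\n"
)
IIS_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Connection: close\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 1.1.4322\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 12934\r\n\r\n"
)

if __name__ == "__main__":
    for raw in (APACHE_OPTIONS, IIS_HEAD):
        print(review_headers(raw))
```

On the Apache response the report lists eleven methods beyond GET/HEAD/POST/OPTIONS/PATCH; the usual fix is to remove the WebDAV modules if they are not needed, disable TRACE (`TraceEnable off` in later Apache releases) and trim the banner with `ServerTokens Prod`.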

10.1.3 Looking through Tinted Windows - SSL


It wasn't too long before everyone realized that HTTP in plain text wasn't much good for security. So the next variation was to apply encryption to it. This comes in the form of SSL[4], and is a reasonably secure 40 or 128 bit public key encryption method. Using a 40 bit key is a lot less secure than the 128 bit and, with specialized hardware, may well be brute force breakable within a period of minutes, whereas the 128 bit key will still take longer than the age of the Universe to break by brute force. There are however more complex technical attacks using something called a known ciphertext attack – this involves calculating the encryption key by analyzing a large number of messages (> 1 million) to deduce the key. In any case, you aren't going to be rushing to try and crack 128 bit encryption – so what can we learn about SSL HTTP Servers? Quite a lot actually. As the SSL merely encrypts the standard HTTP traffic, if we set up an SSL tunnel, we can query the server as we did in section 1.1. Creating an SSL tunnel is quite straightforward, and there is a utility called “stunnel” purely for this purpose. Enter the following into a file called stunnel.conf (replacing ssl.enabled.host with the name of the SSL server that you want to connect to):

    client=yes
    verify=0
    [psuedo-https]
    accept = 80
    connect = ssl.enabled.host:443
    TIMEOUTclose = 0

Stunnel will then map the local port 80 to the remote SSL Port 443 and will pass out plain text, so you can connect to it using any of the methods listed above:

    simon@exceat:~> netcat 127.0.0.1 80
    HEAD / HTTP/1.0

    HTTP/1.1 200 OK
    Server: Netscape-Enterprise/4.1
    Date: Fri, 07 Jan 2005 10:32:38 GMT
    Content-type: text/html
    Last-modified: Fri, 07 Jan 2005 05:32:38 GMT
    Content-length: 5437
    Accept-ranges: bytes
    Connection: close

[4] Secure Sockets Layer

10.1.4 Having someone else do it for you - Proxies


Proxies are middlemen in the HTTP transaction process. The client requests the proxy, the proxy requests the server, the server responds to the proxy and then the proxy finally passes back the response to the client, completing the transaction. Proxy servers are vulnerable to attacks in themselves, and are also capable of being a jumping off point for launching attacks onto other web servers. They can however increase security by filtering connections, both to and from servers.

10.2 Web Vulnerabilities


The simplicity of giving someone something that they ask for is made much more complex when you're in the business of selling. Web sites that sell to you, companies selling products, bloggers selling ideas and personality, or newspapers selling news, require more than just HTML-encoded text and pictures. Dynamic web pages that help you decide what to ask for, show you alternatives, recommend other options, upsell add-ons, and only give you what you pay for require complex software. When we say goodbye to websites and hello to web applications we are in a whole new world of security problems.

10.2.1 Scripting Languages


Many scripting languages have been used to develop applications that allow businesses to bring their products or services to the web. Though this is great for the proliferation of businesses, it also creates a new avenue of attack for hackers. The majority of web application vulnerabilities come not from bugs in the chosen language but in the methods and procedures used to develop the web application as well as how the web server was configured. For example, if a form requests a zip code and the user enters “abcde”, the application may fail if the developer did not properly validate incoming form data. Several languages can be used for creating web applications, including CGIs, PHP and ASP.

Common Gateway Interface (CGI): Whatis.com defines a CGI as “A standard way for a web server to pass a web user's request to an application program and to receive data back to forward to the user.” CGI is part of the web's Hypertext Transfer Protocol (HTTP). Several languages can be used to facilitate the application program that receives and processes user data. The most popular CGI applications are: C, C++, Java and PERL.


PHP - Hypertext Preprocessor (PHP): PHP is an open-source server-side scripting language where the script is embedded within a web page along with its HTML. Before a page is sent to a user, the web server calls PHP to interpret and perform any operations called for in the PHP script. Whereas HTML displays static content, PHP allows the developer to build pages that present the user with dynamic, customized content based on user input. HTML pages that contain PHP scripting are usually given a file name with the suffix “.php”.

Active Server Pages (ASP): Active Server Pages (ASP) are database-driven, dynamically created Web pages with a .asp extension. They utilize ActiveX scripting -- usually VB Script or JScript code. When a browser requests an ASP, the Web server generates a page with HTML code and immediately sends it back to the browser – in this way they allow web users to view real time data, but they are more vulnerable to security problems.

10.2.2 Common Web Application Problems


Web applications do not necessarily have their own special types of problems but they do have some of their own terms for problems as they appear on the web. As web application testing has grown, a specific security following has grown too and with that, a specific classification of web vulnerabilities. Common web application problems are classified below according to the OSSTMM Risk Assessment Values (http://www.isecom.org/securitymetrics.shtml), a specific way to measure security by how it affects how things work.

RAV: Authentication
What it means: These are the identification and authorization mechanisms used to be certain that the person or computer using the web application is the correct person to be using it.
Web Examples: Every time you login to a web page that has your personal data then you are authenticating. Authentication often means just giving a login and password. Sometimes it means giving an identification number or even just coming from an acceptable IP Address (white-listing).

RAV: Non-Repudiation
What it means: A record that proves that the data sent to or from the web application was really sent and where.
Web Examples: Although you may not see it, most web applications keep track of purchases you make from a particular IP address using a particular browser on a particular operating system as a record that it was most likely someone on your computer who made that purchase. Without specific “authentication” they can't guarantee 100% it was you though.

RAV: Confidentiality
What it means: A way to assure that communication with the web application cannot be listened in on by another person.
Web Examples: The HTTPS part of interaction with a web application provides pretty good confidentiality. It does a decent job of keeping your web traffic with the web app from being publicly readable.

RAV: Privacy
What it means: A way to assure that the way you contact and communicate with the web application cannot be pre-determined by another person.
Web Examples: While it is very rare, it is not unimaginable that a web application that contains very private information would not even show you it is there unless you come from the right place and know the right secret combination to get the web app to be accessible. One way is to have to click a picture in 5 different places in a specific order to get to the login screen. Another manner is called port-knocking and it means that the server requires a specific sequence of interactions before it opens a port, such as the HTTP port, to the user.

RAV: Indemnification
What it means: These are ways to assure that the web application has legal protection or at the least, can be financially protected with insurance.
Web Examples: Some web sites clearly print on the login screen that it's for authorized personnel only. If someone steals a login and password or even brute-forces it open, the attacker, if caught, cannot say he didn't know it was private.

RAV: Integrity
What it means: This is a record of the validity of the communication with the web application to assure that what is sent and then received by the other is the same thing and if it changed, both the web application and the user have a record of the change.
Web Examples: Some web apps provide a “HASH” with files to be downloaded. This HASH is a number generated from that specific file. When you download the file, you can check the HASH you generate from the file against the one they post. This is to assure that some attacker is not trying to trick you with a different file, either replaced or through deception, such as in Cross Site Scripting.

RAV: Safety
What it means: This is how we protect the web application from its own security devices. If security fails, we need to make sure that it does not affect the operation of the web application as a whole.
Web Examples: It is very possible to have an application use a daemon that can re-initialize itself or even prevent an attack from crashing any part of itself by presenting itself only virtually. You can also find scenarios where a web app uses an intrusion detection mechanism that “stops” attacks by blocking the attacker by IP address. In this case, we can't say Safety exists if the security device is configured to prevent an attacker from spoofing the web app's own resources and causing this defense to block important traffic. Instead, it is considered either a misconfiguration of the defense or in some cases a weakness of design. Don't confuse a poorly made or “accidental” defense with a designed loss control.

RAV: Usability
What it means: A way to prevent the user from having to make security decisions about interacting with the web application. This means that proper security is built in and the user doesn't have to choose which or what security mechanisms to turn on or off.
Web Examples: When a web app requires use of HTTP over SSL (HTTPS) then we can say that it is using Usability as part of security. However, if it lets you choose to interact with it less securely, for example, to send your credit card number by insecure e-mail rather than post it via a form by way of HTTPS, then it is NOT exercising Usability.

RAV: Continuity
What it means: This is how we keep a service based on a web application from failing to work no matter what problem or disaster occurs.
Web Examples: Often times a web app that receives a lot of traffic will have a reverse proxy in front of it which directs the traffic to one of many mirrored web servers. This way, if one goes down, service is not interrupted. Another example is a web application that caches its website to many different servers over the internet so when you visit one, you are not actually going to the originating web server. If a cache goes down or gets corrupted, then the traffic will get redirected to another cache or the originating website.

RAV: Alarm
What it means: A notification, either immediate or delayed, regarding a problem with any of these mechanisms.
Web Examples: A basic form of alarm is the log file generated by the web server. The bad thing about an alarm is that you can choose to ignore it. This is especially true if it sounds all the time (think of the story of the boy who cried “wolf”). Or in the case of a log file, it may not sound at all. Alarm is only as good as your reaction time to it.
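The Integrity row above describes checking a downloaded file against the HASH a site publishes. The following is an added example, not code from the lesson: it hashes a file in chunks, compares the result with a published digest using a constant-time comparison, and shows the check failing after a single byte of the file is changed. The file name and contents are constructed for the example; the algorithm is SHA-256, an assumption since the lesson does not name one.

```python
# Added example (not from the Hacker High School lesson): verify a download
# against a published hash, the Integrity check from the RAV table.
import hashlib
import hmac
import os
import tempfile


def digest_bytes(data, algorithm="sha256"):
    """Hex digest of an in-memory byte string."""
    return hashlib.new(algorithm, data).hexdigest()


def file_digest(path, algorithm="sha256", chunk_size=1 << 16):
    """Hash a file in chunks so a large download need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published_hex, algorithm="sha256"):
    """True only if the file's digest equals the published one.
    compare_digest runs in constant time, so the comparison itself does
    not reveal how many leading characters matched."""
    actual = file_digest(path, algorithm).lower()
    return hmac.compare_digest(actual, published_hex.strip().lower())


def demo():
    """Constructed scenario: publish a hash, verify, tamper, verify again.
    Returns (result for genuine file, result for tampered file)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "tool.tar.gz")          # assumed file name
        with open(path, "wb") as fh:
            fh.write(b"pretend this is the archive you downloaded\n")
        published = file_digest(path)                    # what the site would post
        genuine = verify_download(path, published)
        with open(path, "r+b") as fh:                    # someone swaps one byte
            fh.seek(0)
            fh.write(b"P")
        tampered = verify_download(path, published)
        return genuine, tampered


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The check only helps if the published hash arrives over a path the attacker cannot also rewrite, which is why sites serve it over HTTPS or sign it; a hash posted next to the file on a compromised server proves nothing.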

Exercises:
1. Open up Google and type in “inurl:search.asp” or “inurl:search.php”. With any of the websites which come up, attempt to type the following into the search field: <script>alert(hello)</script>. What happens? Try this for several sites.
2. In Google, type in “inurl:login.asp” and “inurl:login.php”. With any of the websites which come up, attempt to type in special characters (@#$%^) for both the username and password. What happens? Try this for several sites.
3. Knowing the types of security mechanisms a web application may have, open your favorite interactive website and try to identify if it has security mechanisms which conform to any of the RAV classifications.
4. Commonly discussed web vulnerabilities are Cross Site Scripting (XSS) and SQL injection. What are they and how does an attacker use them to steal data or information from a web application?


10.2.3 Guidelines for Building Secure Web Applications


While there are many opinions, and most of the details of building with security in mind come from the logic of the programmer and their skill with the programming language, these basic guidelines are also derived from materials available from the OSSTMM (http://www.osstmm.org).

1. Assure security does not require user decisions.
2. Assure business justifications for all inputs and outputs in the application.
3. Quarantine and validate all inputs including app content.
4. Limit trusts (to systems and users).
5. Encrypt data.
6. Hash the components.
7. Assure all interactions occur on the server side.
8. Layer the security.
9. Invisible is best - show only the service itself.
10. Trigger it to alarm.
11. Security awareness is required for users and helpdesks.

Exercises:
1. Give examples for any three of the above guidelines.
2. Give three types of technologies that one could apply to a web application as an alarm.
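Guideline 3 above (quarantine and validate all inputs) is exactly what the zip-code example in 10.2.1 was missing, and it is also the server-side answer to the <script>alert(hello)</script> exercise. The following is an added example, not code from the lesson, written in Python rather than PHP or ASP so it runs stand-alone: a small validation layer that accepts only what each form field is expected to contain, and an output routine that escapes whatever is echoed back into HTML. The field names and patterns are assumptions for the example.

```python
# Added example (not from the Hacker High School lesson): server-side input
# validation and output escaping for a web form.
import html
import re


class ValidationError(ValueError):
    """Raised when a submitted value does not match its field's rule."""


# One whitelist pattern per field (assumed for the example): the application
# states what it expects instead of trying to list everything it fears.
FIELD_RULES = {
    "zip": re.compile(r"\d{5}(-\d{4})?"),          # US ZIP or ZIP+4
    "username": re.compile(r"[A-Za-z0-9_.-]{3,32}"),
    "query": re.compile(r"[\w .,-]{1,100}"),
}


def validate_form(form):
    """Return a cleaned copy of the submitted form or raise ValidationError.
    Unknown fields are dropped; every known field must match its rule
    in full (fullmatch), so "12345abc" is rejected as well as "abcde"."""
    cleaned = {}
    for name, rule in FIELD_RULES.items():
        if name not in form:
            continue
        value = str(form[name]).strip()
        if not rule.fullmatch(value):
            raise ValidationError(f"{name}: rejected value {value!r}")
        cleaned[name] = value
    return cleaned


def is_valid(form):
    """Convenience wrapper: True if validate_form would accept the form."""
    try:
        validate_form(form)
        return True
    except ValidationError:
        return False


def render_echo(value):
    """Echo user input into an HTML page. Escaping turns markup into text,
    so a submitted <script> tag is displayed, not executed."""
    return f"<p>You searched for: {html.escape(value, quote=True)}</p>"


if __name__ == "__main__":
    print(validate_form({"zip": "90210", "extra": "ignored"}))
    print(is_valid({"zip": "abcde"}))                    # False
    print(render_echo("<script>alert(hello)</script>"))
```

Validation and escaping are separate defenses: the first keeps bad data out of the application, the second makes sure that whatever does get stored cannot become code when it is displayed. Database access should use parameterized queries for the same reason, which this block does not cover.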

10.3 HTML Basics - A brief introduction


HTML is a set of instructions that explains how information is to be presented from a web server (Apache, Internet Information Server) to a browser (Firefox, Opera). It is the heart of the World Wide Web. HTML can do much more than just display data on a web page. It can also provide data entry forms, where data can be entered for processing by a higher level language (Perl, PHP, etc). In a business setting this is where HTML is at its most useful, but in a hacker setting, this is where HTML is at its most vulnerable.

10.3.1 Reading HTML


HTML is communicated with a series of tags or markups. Each opening tag, <h1> for instance, must have a closing tag, </h1>. This tells the browser to stop the markup described by the preceding tag. Opening and closing tags are a part of well-formed HTML. Take, for example, the code:

    <html>
    <head><title>Hello World</title></head>
    <body>
    <h1>Hello World!</h1>
    </body>
    </html>

Figure 1: HTML Code

We are telling the browser this is an HTML document with the tag <html> and we have a title of 'Hello World' with the <title> tag. The <body> tag tells our browser “here is where the information you will be displaying goes.” Finally, the <h1> tags tell the browser to display the information in “Heading 1” style. The tags that are preceded with a '/' are merely the closing tags; this tells the browser to stop displaying the contents described by the opening tag.

Exercise 1: Cut and paste the code in figure one into a text file called hello.html. Open that file in your browser of choice and you should see something similar to this:


10.3.2 Viewing HTML at its Source


All modern browsers contain a way to view the underlying HTML code that generated the web page you are looking at. In most cases, this is the “view source” option under the “view” menu in your browser.

Exercise 2: Choose View --> View Source in your browser while surfing your favorite web page.

Illustration 1: View Menu


The results should be something pretty similar to this:

Illustration 2: Source viewed in text editor

HTML code is visible to anyone with a web browser. This is why it is very important when coding web pages not to try to hide passwords or important information in the HTML source code. As you can see, it's not very secret.

10.3.3 Links

Links (or hyper-links) are really the heart of HTML page building. The biggest strength of HTML is the ability to link to other documents. A link, in the context of HTML, is denoted as <a href="www.yahoo.com">www.yahoo.com</a>. The link will appear as www.yahoo.com on your website. This will take visitors of your site to Yahoo. Links can be checked and followed by so-called link checker programs. These programs search HTML source code for the <a href=></a> tags and then create a file or index of the found links. Spammers will often use this technique to find email addresses or contact forms they can use to spread their mass emails. Link checkers can also be used to check your website for “broken” links, or links that don't go anywhere. This can happen a lot even in relatively small sites.

Exercise 1: Create a link
Create a link to www.hackerhighschool.org that displays as Hacker High School on your web page.

Bonus exercise: Use the tool
1. Find and download a link checking program.
2. Run that program against www.hackerhighschool.org and document how many broken links you find.
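The core of the link checker described above is a parser that walks the HTML and records every <a href=...>. The following is an added example, not code from the lesson or from any link checking product: it uses the standard-library HTMLParser on a constructed page, resolves relative links against the page's address, and separates the mailto: addresses a spammer's harvester would collect from the links a checker would go on to test. The sample page and its base URL are constructed for the example.

```python
# Added example (not from the Hacker High School lesson): the link-extraction
# half of a link checker, built on html.parser.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag, sorted into three buckets."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []     # absolute http(s) links a checker would fetch
        self.mailto = []    # e-mail addresses exposed to harvesters
        self.other = []     # javascript:, ftp:, tel: and so on

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href")
        if not href:
            return
        scheme = urlparse(href).scheme.lower()
        if scheme == "mailto":
            self.mailto.append(href[len("mailto:"):])
        elif scheme in ("http", "https", ""):
            # A relative href (no scheme) is resolved against the page it
            # came from, exactly as a browser would resolve it.
            self.links.append(urljoin(self.base_url, href))
        else:
            self.other.append(href)


def extract_links(page_html, base_url):
    """Return (links, mailto_addresses, other_hrefs) found in page_html."""
    parser = LinkCollector(base_url)
    parser.feed(page_html)
    parser.close()
    return parser.links, parser.mailto, parser.other


# Constructed sample page; the domain is reserved for examples.
BASE_URL = "http://www.example.invalid/index.html"
SAMPLE_PAGE = """<html><body>
<a href="http://www.hackerhighschool.org">Hacker High School</a>
<a href="/lessons/lesson10.html">Lesson 10</a>
<a href="mailto:webmaster@example.invalid">Contact us</a>
<a href="javascript:void(0)">Menu</a>
<a href="about.html">About</a>
<a href="www.yahoo.com">www.yahoo.com</a>
</body></html>"""

if __name__ == "__main__":
    for bucket in extract_links(SAMPLE_PAGE, BASE_URL):
        print(bucket)
```

Note what happens to the last sample link: an href of "www.yahoo.com" with no scheme is treated as a path relative to the current page, so it resolves to http://www.example.invalid/www.yahoo.com rather than leaving the site. A link that is meant to go elsewhere needs the full "http://" in front. To finish the checker you would fetch each entry in `links` and record any response other than 200.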

10.3.4 Proxy methods for Web Application Manipulation


An HTTP proxy server serves as a middle man between a web server and a web client (browser). It intercepts and logs all connections between them and in some cases can manipulate that data request to test how the server will respond. This can be useful for testing applications for various cross-site scripting attacks (provide reference link here), SQL Injection attacks and any other direct request style attack. A proxy testing utility (SpikeProxy, WebProxy, etc) will assist with most of these tests for you. While some have an automation feature, you will quickly learn that it is actually a weak substitute for a real person behind the wheel of such tools.

Exercise 1: Choose your software
1. Download a proxy utility.
2. Install the software according to the README file.
3. Change your browser setting to point to the new proxy. This is usually port 8080 on localhost for these tools, but read the instructions to be sure.

Once the proxy server is installed and your browser is pointed at it, surf around the site you're testing. Remember, be sure to use a website that you have permission to test. Once you have surfed around, point your browser to the proxy's admin page (for SpikeProxy, see http://www.immunitysec.com/resources-freesoftware.shtml) and begin testing the site. From the admin interface you can have the tool brute force the site's authentication methods or test for cross-site scripting. (Actually, we recommend using Mozilla or Firefox and http://livehttpheaders.mozdev.org/ and http://addneditcookies.mozdev.org/ together to modify headers and cookies on the fly without the need for a separate proxy port. Not only does it really simplify things, it's a much more powerful tool set, as we teach it in ISECOM's OSSTMM Professional Security Tester class (OPST). But since you will need to know about setting up proxies for other things, like ad and spam filters, privacy filters, etc., we thought you should actually set one up for real, and Spike is a good one to try.) A proxy server can be a powerful tool in helping you determine how solid a web application is. For penetration tests or vulnerability assessments, you must have a good proxy tool in your toolbox. There are detailed tutorials available on using SpikeProxy at http://www.immunitysec.com/resources-papers.shtml.

10.4 Protecting your server


There are several steps that can be taken to protect your server. These include ensuring that your software is always updated and patched with any security updates that are available from the manufacturer. This includes ensuring that your OS and web servers are updated as well. In addition, Firewalls and Intrusion Detection Systems can help protect your server, as discussed below.


10.4.1 Firewall
Firewalls originally were fireproof walls used as barriers to prevent fire from spreading, such as between apartment units within a building. The same term is used for systems (hardware and software) that seek to prevent unauthorized access to an organization's information. Firewalls are like security guards that, based on certain rules, allow or deny traffic that enters or leaves an organization's (or home's) system. They are important safeguards that seek to prevent an organization's system from being attacked by internal or external users. The firewall is the first and most important security gate between external and internal systems. Firewalls are generally placed between the Internet and an organization's information system. The firewall administrator configures the firewall with rules allowing or denying information packets from entering or leaving the organization. The rules are made using a combination of Internet Protocol (IP) address and ports; such rules are made depending on the organization's needs. For example, in a school, students are allowed in based on an identity card. The rule for the security guard in a school would be to allow all persons that carry a valid identity card and deny everyone else. However, the security guard would have another rule for exiting the school: allow everyone to exit except small children, unless accompanied by adults. A similar system is followed for firewall configuration, depending on the nature of the organization, the criticality of the information asset, the cost of security, the security policy and the risk assessment.

The firewall, just like a security guard, cannot judge the contents of the information packet; just as the guard allows all persons with a valid identity card irrespective of the nature of the person, the firewall allows entry or exit based mainly on IP address and port numbers. Hence an entry or exit is possible by masking the IP address or port. To mitigate this risk, organizations use an Intrusion Detection System, which is explained in the next section. There are various kinds of firewall depending on the features they have, viz. packet filter (operates on IP packets), stateful firewall (operates based on connection state) or application firewall (using a proxy). An example of a firewall rule could be: Block inbound TCP address 200.224.54.253 from port 135 (an imaginary example); such a rule would tell a computer connected to the Internet to block any traffic originating from the computer with IP address 200.224.54.253 using port 135. Important activities relating to firewalls are initial configuration (creating initial rules), system maintenance (additions or changes in the environment), review of audit logs, acting on alarms and configuration testing.
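The rule evaluation described above, as an added example that is not part of the Hacker Highschool lesson: a small stateless packet filter in Python that matches on direction, protocol, IP address and port, applies the first matching rule and falls back to default-deny. The lesson's imaginary rule is encoded as the first entry; since the lesson does not say whether "port 135" is the source or destination port, the example treats it as the source port (an assumption). The other rules, the addresses and the payloads are constructed for the example. The `payload` field exists only to show the point made above: the filter never looks at it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" (from the Internet) or "out" (to the Internet)
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""  # ignored by the filter: a packet filter cannot judge content


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"      # CIDR; 0.0.0.0/0 matches every address
    sport: Optional[int] = None  # None matches any port
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport))


def decide(rules, packet: Packet, default: str = "deny") -> str:
    """First matching rule wins; a packet that matches no rule gets the default (deny)."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default


# Constructed rule set for a school gateway. The first rule is the lesson's imaginary
# example; 192.0.2.10 is an assumed address for the school's own web server.
SCHOOL_RULES = [
    Rule("deny", direction="in", proto="tcp", src="200.224.54.253/32", sport=135),
    Rule("allow", direction="out", proto="tcp", dport=80),
    Rule("allow", direction="out", proto="tcp", dport=443),
    Rule("allow", direction="in", proto="tcp", dst="192.0.2.10/32", dport=443),
]


def demo() -> dict:
    """Exercise the rule set on constructed packets; returns the decision for each case."""
    blocked_host = Packet("in", "tcp", "200.224.54.253", 135, "192.0.2.10", 443)
    web_visitor = Packet("in", "tcp", "198.51.100.7", 40000, "192.0.2.10", 443)
    student_browsing = Packet("out", "tcp", "192.0.2.20", 51000, "203.0.113.5", 443)
    ssh_from_outside = Packet("in", "tcp", "198.51.100.7", 40001, "192.0.2.10", 22)
    # Same 5-tuple as web_visitor, but carrying an (assumed) hostile request body:
    hostile_web = Packet("in", "tcp", "198.51.100.7", 40002, "192.0.2.10", 443,
                         payload=b"GET /../../etc/passwd HTTP/1.0")
    return {
        "blocked_host": decide(SCHOOL_RULES, blocked_host),
        "web_visitor": decide(SCHOOL_RULES, web_visitor),
        "student_browsing": decide(SCHOOL_RULES, student_browsing),
        "ssh_from_outside": decide(SCHOOL_RULES, ssh_from_outside),
        "hostile_web": decide(SCHOOL_RULES, hostile_web),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} -> {verdict}")
```

The last case is the one to notice: `hostile_web` is allowed exactly like `web_visitor`, because the rules only see addresses and ports. That gap is what the IDS in the next section is meant to cover.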

10.3.2 Intrusion Detection System (IDS)


Imagine a school that has proper security guards; how will the authorities detect the entry of unauthorized persons? The authorities would install a burglar alarm that rings on entry of unauthorized persons. This is exactly the function of an intrusion detection system in computer parlance. The firewall (security guard or fence) and the IDS (burglar alarm or patrolling guard) work together; while the firewall regulates entries and exits, the IDS alerts on or denies unauthorized access.


So how does an IDS help? Just like a burglar alarm, the IDS alerts the authorized person (the alarm rings) that an unauthorized packet has entered or left. Further, the IDS can also instantly stop such access, or stop the user from entering or exiting the system, by disabling the user or the access. It can also activate some other script; an IDS can for example prevent or reduce the impact of a denial of service by blocking all access from a computer or group of computers. An IDS can be host based or network based; host based IDS are used on individual computers while network IDS are used between computers. A host based IDS can be used to detect, alert on or regulate abnormal activity on critical computers; a network IDS is similarly used for the traffic between computers. An IDS can thus also be used to detect abnormal activity. Like a patrolling guard, the IDS regularly monitors network traffic to detect any abnormality, e.g. high traffic from some computers or unusual activity on a server, such as a user logged onto an application and involved in malicious activity. The IDS compares any event with historical data to detect any deviation. On detection of a deviation, the IDS acts depending on the rule created by the IDS administrator, such as alerting, storing the intrusion in audit logs, stopping the user from doing any activity, or running a script that starts a string of activities. An IDS can also detect attacks based on its database of signatures: any event matching a signature is detected and acted upon; this action is similar to anti-virus software. An IDS is also used for the detection of any activity on a critical resource, or for forensics, by quietly watching the suspect.

Exercises:

1. Are both a firewall and an Intrusion Detection System required in an organization for securing its information system? If yes, why? If not, why not?

2. Think of an example of a specific use of firewall rules that is applicable to the front desk person in a school; does she need to access the Internet? If not, how will the rule be enforced?

3. Can a student access the school score database that contains complete information on the examination scores of all students? How will this be controlled? How will this be detected in case an external party using the Internet accesses it without authorization?
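The two detection styles described in this section, signatures and comparison against historical data, as an added example in Python that is not part of the Hacker Highschool lesson. It parses a constructed gateway log (every line was ALLOWed by the firewall, because the filter only saw ports), raises signature alerts for two well-known request patterns, and raises an anomaly alert for any host whose request count is more than three standard deviations above a constructed per-host baseline. The log format, the addresses, the signatures and the baseline numbers are all assumptions made for the example.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed log lines in an assumed "timestamp ACTION proto src:port -> dst:port request" format.
BASE_LINES = [
    "2004-05-03 09:00:01 ALLOW tcp 10.0.0.5:51234 -> 192.0.2.10:80 GET /index.html",
    "2004-05-03 09:00:02 ALLOW tcp 10.0.0.7:51235 -> 192.0.2.10:80 GET /scores/login",
    "2004-05-03 09:00:03 ALLOW tcp 10.0.0.5:51236 -> 192.0.2.10:80 GET /about.html",
    "2004-05-03 09:00:04 ALLOW tcp 10.0.0.9:51237 -> 192.0.2.10:80 GET /../../etc/passwd",
    "2004-05-03 09:00:05 ALLOW tcp 10.0.0.7:51238 -> 192.0.2.10:80 GET /scores?id=1' OR '1'='1",
]
# One host hammering the score database: 20 requests in the same window (constructed).
FLOOD = [
    f"2004-05-03 09:00:{6 + i:02d} ALLOW tcp 10.0.0.42:{51300 + i} -> 192.0.2.10:80 GET /scores?id={i}"
    for i in range(20)
]
SAMPLE_LOG = "\n".join(BASE_LINES + FLOOD)

# Historical requests per host for a comparable window (constructed baseline).
BASELINE = {"10.0.0.5": 3, "10.0.0.7": 2, "10.0.0.9": 4, "10.0.0.11": 3, "10.0.0.12": 2}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) ?(?P<msg>.*)$"
)

# Signature database: name -> pattern to look for in the request part of the line.
SIGNATURES = [
    ("directory traversal", re.compile(r"\.\./")),
    ("sql injection", re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE)),
]


def parse(log: str) -> list:
    """Turn log text into a list of dicts; lines that do not fit the format are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def signature_alerts(events) -> list:
    """(source host, signature name) for every event whose request matches a signature."""
    return [(e["src"], name) for e in events for name, rx in SIGNATURES if rx.search(e["msg"])]


def anomaly_alerts(events, baseline=BASELINE, k: float = 3.0) -> list:
    """Hosts whose request count exceeds the baseline mean by more than k standard deviations."""
    values = list(baseline.values())
    threshold = mean(values) + k * pstdev(values)
    counts = Counter(e["src"] for e in events)
    return sorted((src, n) for src, n in counts.items() if n > threshold)


def run_ids(log: str = SAMPLE_LOG) -> dict:
    """Run both detectors and map each offending host to the administrator's configured action."""
    events = parse(log)
    sigs = signature_alerts(events)
    anoms = anomaly_alerts(events)
    # Assumed policy: a flood gets its source blocked; a signature hit is alerted and logged.
    actions = {src: "alert+log" for src, _ in sigs}
    actions.update({src: "block" for src, _ in anoms})
    return {"events": len(events), "signature": sigs, "anomaly": anoms, "actions": actions}


if __name__ == "__main__":
    for key, value in run_ids().items():
        print(key, value)
```

Note that the anomaly detector knows nothing about what the requests contain, and the signature detector knows nothing about volume; the lesson's point that an IDS uses both is what makes the flood from 10.0.0.42 and the two hostile requests visible in the same pass.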

10.4 Secure Communications


Generally, the concept associated with secure communications is the set of processes of computer systems that create confidence and reduce risks. For electronic communications, three requirements are necessary to ensure security: a) Authenticity, b) Integrity, c) Non-repudiation.

Authenticity: This concept has to do with ensuring that the source of a communication is who it claims to be. It is not difficult to falsify electronic mail, or to slightly vary the name of a web page and thus redirect users; for example, http://www.diisney.com appears to be the Disney web page, but it has two letters "i" and can be confusing. In this case, you are actually transferred to a gambling site and the communications are not safe.

Integrity: That a communication has integrity means that what was sent is exactly what arrives, and has not undergone alterations (voluntary or involuntary) along the way.

Non-repudiation: If the conditions of authenticity and integrity are fulfilled, non-repudiation means that the sender cannot deny having sent the electronic communication.


For example, if a Web site grants me a prize and I can prove it, that is to say, if a Web site sends a discount coupon, and I verify that the Web site is authentic and that nobody manipulated the information on the way, the site cannot deny that the coupon was sent. The mechanism used to assure these conditions from a Web site is called an electronic certificate. Maintaining the conditions of security gives us tranquillity in our electronic communications, and allows us to assure the principle of privacy in cyberspace.
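The three requirements above, shown on the coupon scenario as an added example in Python that is not part of the Hacker Highschool lesson. A plain hash gives integrity only (anyone can recompute it); an HMAC over a key shared by the shop and the student gives authenticity and integrity, but not non-repudiation, because the receiver holds the same key and could have produced the tag itself; a digital signature made with a private key that only the shop holds is what lets nobody deny the coupon was sent. The signature here is textbook RSA on a SHA-256 hash with two well-known Mersenne primes as the toy key and no padding, an assumption made to keep the example in the standard library; real certificates use properly generated keys and padded signature schemes. The coupon text and the shared secret are constructed.

```python
import hashlib
import hmac


def digest(message: bytes) -> str:
    """Integrity only: any change to the message changes the hash, but anyone can recompute it."""
    return hashlib.sha256(message).hexdigest()


def mac(key: bytes, message: bytes) -> str:
    """HMAC-SHA256: authenticity and integrity between two parties that share `key`."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def mac_valid(key: bytes, message: bytes, tag: str) -> bool:
    return hmac.compare_digest(mac(key, message), tag)


# Toy RSA key (assumption: two Mersenne primes, no padding). N is about 648 bits, larger
# than any SHA-256 value, so the hash can be signed directly as an integer.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent; only the signer holds it


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Signature = hash(message)^d mod n; producing it requires the private exponent d."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(h, d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Anyone holding the public (n, e) can check the signature; nobody else can forge one."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, e, n) == h


def demo() -> dict:
    coupon = b"COUPON: 20% off, issued to student 4711"     # constructed
    forged = b"COUPON: 90% off, issued to student 4711"     # the same coupon, altered in transit
    shared = b"shop-and-student-shared-secret"               # constructed shared key
    tag = mac(shared, coupon)
    sig = sign(coupon)
    return {
        "integrity_detects_change": digest(coupon) != digest(forged),
        "mac_accepts_genuine": mac_valid(shared, coupon, tag),
        "mac_rejects_forged": not mac_valid(shared, forged, tag),
        # The receiver also knows `shared`, so it can mint a valid tag for any text it likes:
        "receiver_can_forge_mac": mac_valid(shared, forged, mac(shared, forged)),
        "signature_verifies": verify(coupon, sig),
        "signature_rejects_forged": not verify(forged, sig),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:28s} {result}")
```

The `receiver_can_forge_mac` line is the whole argument for certificates: with a shared secret the shop can always say "the student made that tag", while a signature verified against the shop's public key can only have come from the shop.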

10.4.1 Privacy and Confidentiality

Most web sites receive some information from those who browse them, either by explicit means like forms, or by more covert methods like cookies or even navigation registries. This information can be helpful and reasonable, like remembering your book preferences on Amazon.com, and therefore, in order to ensure security for the person who browses, many sites have established declarations of Privacy and Confidentiality.

Privacy refers to keeping your information as yours, or limiting it to close family, your friends or your contacts, but at most to those with whom you have agreed to share the information. No one wants their information shared everywhere without control; for that reason, there are subjects declared as private, that is to say, of restricted distribution. On the other hand, confidentiality means that a subject's information will stay secret, but this time from the perspective of the person receiving that information. For example, if you desire a prize but you do not want your information distributed, you declare that this information is private, authorize the information to a few people, and they maintain confidentiality. If for some reason, in some survey, they ask you specifically about that prize, and you respond that you have it, you would hope that that information stays confidential, that is to say, that those who receive the information keep it in reserve. We could generalize the definition of confidentiality as "the information received under condition of privacy, I will maintain as if it were my own private information". It is necessary to declare the conditions of privacy of information handling, to give basic assurances of security. Also, it is recommended that you read the conditions established by the web sites you visit in their privacy policy.

Exercise:

1. Review the privacy conditions of world-wide suppliers of WebMail, Google and Hotmail, and of a manufacturer like General Motors (http://www.gm.com/privacy/index.html). Are they equal? Of those, who will share the information that I give? What measures will I be able to take if they do not observe these rules?

10.4.2 Knowing if you are communicating securely


Even with conditions of Privacy and Confidentiality, somebody can still intercept the communications. In order to provide the conditions discussed at the beginning of this section, a security layer discussed previously, called SSL, uses digital certificates to establish a safe connection (that is to say, one that fulfils authenticity, integrity and non-repudiation) and provides a level of encryption in communications (this is to hide information so that if somebody captures part of the information, they cannot access it, because the message is encrypted so that only the sender and the receiver, with the correct certificates, are able to understand it). This layer is called Secure Sockets Layer, SSL, and is visible through two elements within the web browser. The communication is considered to be safe when the web address (URL) changes from http to https; this change even modifies the port of the communication, from 80 to 443. Also, in the lower bar of the browser, a closed padlock appears, which indicates conditions of security in the communications. If you put the mouse on this padlock, a message will appear detailing the number of bits that are used to protect the communications (the encryption level); as of today, 128 bits is the recommended encryption level. This means that a number that can be represented in 128 bits is used as the basis of the communications. A type of trick called phishing exists (http://www.antiphishing.org/) in which a Web page mimics the page of a bank (they copy the graphics, so that the clients enter their data, trusting that it is the bank, although it is not). In order to avoid these situations, the authenticity of the site should be verified, it should be checked that the communications are safe (https and the closed padlock), and, to the best of your knowledge, the certificate should be verified.

10.5 Methods of Verification


At this point, you have had the opportunity to learn the foundations of security on the Web, the main aspects related to some of the vulnerabilities commonly found in the web servers used to host the different sites with which we routinely interact when browsing the Internet, and the way in which different defects in the development of web applications affect the security and/or the privacy of users in general. On the other hand, you have learned some of the technologies on which we rely to protect our servers and also our privacy. However, at this moment you are probably asking yourself questions such as: Am I safe, now that I have taken the corresponding actions? Is my system safe? The developers that have programmed some of the functionality that I have used in my Web site, have they taken care of security aspects? How can I verify these aspects? As you have probably thought, it is not enough to apply manufacturer updates or trust the good intentions of the developer when your security or privacy is concerned. In the past, there have been several cases in which a manufacturer's patch corrected one vulnerability but caused another problem in the system, or a new vulnerability was discovered once the system was patched. Due to this and other reasons, you will have to consider that it is absolutely necessary to verify the implemented systems frequently, in order for the system to "remain" safe. Luckily, many people have developed, in their own time, "Methods of Verification", most of which are available free, so that we all may take advantage of the benefits of their use. These are based on the experience of hundreds of professionals, and include numerous "good practices" for implementing technology in a safe way. Therefore, it is recommended that you adopt these methodologies when carrying out your verification tasks.


An example of these, the OSSTMM, is discussed briefly below.

10.5.1 OSSTMM
The OSSTMM, which is an abbreviation for "Open Source Security Testing Methodology Manual", is one of the most widely used security testing methodologies. As described in its introduction, although certain individual tests are mentioned, these are not particularly revolutionary; the methodology as a whole represents a standard of essential reference for anyone wanting to carry out a security test in an ordered format and with professional quality. The OSSTMM is divided into several sections. In the same way, it is possible to identify within it a series of specific testing modules, through which each dimension of security is tested and integrated with the tasks needed to ensure security. These sections include: Personnel Security, Data Network Security, Telecommunications Security, Wireless Communications Security, and Physical Security, and the sections of this methodology detail security from the point of view of WHICH test to do, WHY to do it and WHEN to do it. The OSSTMM by itself details the technical scope and traditional operation of security but, and this is perhaps one of the most important aspects, not the exact tests; rather it presents what should be tested, the form in which the test results must be presented/displayed, the rules for testers to follow to assure the best results, and it also incorporates the concept of security metrics with RAVs (Risk Assessment Values) to put a factual number on how much security you have. The OSSTMM is a document for professionals, but it is never too early to try to understand it and learn how it works. The concepts are very thorough and it's written in an easy-to-comprehend style.

Exercises

1. Patching is a common problem today, where web administrators are constantly needing to patch code as new vulnerabilities are discovered. Research a case in which a new problem occurred when installing a new security patch. Discuss the possibilities and consequences when an administrator, who has a new patch to install, realizes that this will open a breach in the system that was already resolved. Should the patch still be installed? In relation to this subject, would it matter whether you have the source code or not?

2. Go to http://cve.mitre.org and search for CVEs. Enter the name of a web server (i.e. Apache) into the search field. When did the latest vulnerability get released? How often have vulnerabilities come out (weekly, monthly, etc.)? In reference to question number one, is patching a realistic solution to security? Why or why not? What other security measures can be used if you decide not to play the cat and mouse game of patching?

3. Download a copy of the OSSTMM and review the methodology concepts. What aspects would you emphasize from this methodology? How do you think this methodology can integrate with your security verifications?

4. What can you find out about the RAVs?


Further Reading
http://www.osstmm.org
http://www.oreilly.com/catalog/websec2/chapter/ch08.html
http://www.w3.org/Security/Faq/
http://www.privacyalliance.org/
http://www.perl.com/pub/a/2002/02/20/css.html
http://www.oreilly.com/catalog/webprivp3p/chapter/ch01.pdf
http://www.defenselink.mil/specials/websecurity/
http://www.epic.org/
http://www.cgisecurity.com/
http://www.eff.org/privnow/

Here are some sites to check out if you want more information on creating your own web pages or HTML in general.
http://www.htmlgoodies.com/
http://www.htmlhelp.com/
http://www.w3schools.com/


LESSON 11 PASSWORDS


License for Use Information


The following lessons and workbooks are open and publicly available under the following terms and conditions of ISECOM: All works in the Hacker Highschool project are provided for non-commercial use with elementary school students, junior high school students, and high school students whether in a public institution, private institution, or a part of home-schooling. These materials may not be reproduced for sale in any form. The provision of any class, course, training, or camp with these materials for which a fee is charged is expressly forbidden without a license including college classes, university classes, trade-school classes, summer or computer camps, and similar. To purchase a license, visit the LICENSE section of the Hacker Highschool web page at www.hackerhighschool.org/license. The HHS Project is a learning tool and as with any learning tool, the instruction is the influence of the instructor and not the tool. ISECOM cannot accept responsibility for how any information herein is applied or abused. The HHS Project is an open community effort and if you find value in this project, we do ask you support us through the purchase of a license, a donation, or sponsorship. All works copyright ISECOM, 2004.


Table of Contents
"License for Use" Information
Contributors
11.0 Introduction
11.1 Types of Passwords
11.1.1 Strings of Characters
11.1.2 Strings of Characters plus a token
11.1.3 Biometric Passwords
11.2 History of Passwords
11.3 Build a Strong Password
11.4 Password Encryption
11.5 Password Cracking (Password Recovery)
11.6 Protection from Password Cracking
Further Reading
Glossary


Contributors
Kim Truett, ISECOM
Chuck Truett, ISECOM
J. Agustín Zaballos, La Salle URL Barcelona
Pete Herzog, ISECOM
Jaume Abella, La Salle URL Barcelona - ISECOM
Marta Barceló, ISECOM


11.0 Introduction
One of the principal characters in The Matrix Reloaded is the Keymaker. The Keymaker is critically important; he is protected by the Matrix and sought by Neo, because he makes and holds the keys to the various parts of the Matrix. The Matrix is a computer generated world; the keys he makes are passwords. Within the movie, he has general passwords, back door passwords and master keys - passwords to everywhere. Passwords are keys that control access. They let you in and keep others out. They provide information control (passwords on documents), access control (passwords to web pages) and authentication (proving that you are who you say you are).


11.1 Types of Passwords


There are three main types of passwords%

11.1.1 Strings of Characters


At the most basic level, passwords are strings of characters, numbers and symbols. Access to a keyboard or keypad allows entry of these types of passwords. These passwords range from the simplest, such as the three digit codes used on some garage door openers, to the more complicated combinations of characters, numbers and symbols that are recommended for protecting highly confidential information.

11.1.2 Strings of Characters plus a token


The next level in passwords is to require a string of characters, numbers and symbols plus a token of some type. An example of this is the ATM, which requires a card (the token) plus a personal identification number or PIN. This is considered more secure, because if you lack either item, you are denied access.

11.1.3 Biometric Passwords


The third level in passwords is the biometric password. This is the use of non-reproducible biological features, such as fingerprints or facial features, to allow access. An example of this is the retinal scan, in which the retina (the interior surface of the back of the eye) is photographed. The retina contains a unique pattern of blood vessels that are easily seen, and this pattern is compared to a reference. Biometric passwords are the most sophisticated and are considered "safer", but in reality a password that you "carry" in your finger or eye is no safer than a strong password that you carry in your head, provided that the software that uses the password is correctly configured.


11.2 History of Passwords


Trivia in Password History: In older versions of MS Excel and Word, passwords were stored as plain text in the document header information. View the header and you could read the password. This is valid for all versions older than Office 2000. Windows once stored passwords as plain text in a hidden file. Forget your password? You could just delete the hidden file, and the password was erased. Early on, Microsoft and Adobe both used passwords to mean that a file was password protected when opened with their applications. If you opened it with another application, such as Notepad, the password wasn't necessary. Microsoft Access 2.0 databases could be opened as a text file easily by just renaming them with a ".txt" extension. Doing this allowed you to see the database data. Adobe PDF files in versions 4.0 and older were printable and often viewable using Linux PDF readers or Ghostview for Windows. Wireless networks have a problem with encryption, as the key for the encryption can be guessed once you collect enough encrypted data out of the air to find the patterns and guess the keys. With today's computing power in the normal home, the key can be cracked almost immediately to find the password. Bluetooth security is considered very secure, once it is set up. The problem is that Bluetooth transmits a unique, freshly generated password between the devices to establish the connection, and the password is sent as plain text. If that password is intercepted, all future transmissions for that session can be easily decoded.

Exercise: Download a PDF file off the Internet and try opening it with other programs. How is the data viewable?


11.3 Build a Strong Password


The best passwords:
cannot be found in a dictionary
contain numbers, letters and those odd swear symbols on top of the numbers
contain upper and lower case letters
the longer the "stronger"

With a 2 letter password, and 26 letters in the alphabet, plus 10 numbers (ignoring symbols), there are 36^2 possible combinations (676,000,000 possibilities). Increase the password length to 8 characters, and there are 36^8 combinations (324,000,000,000,000,000,000,000,000,000,000 possibilities). There are many password generators available on the internet, but these will generate a nearly impossible to remember password. Try instead to use a seemingly random string of letters or numbers that you can easily recall. For example: gandt3b! (goldilocks and the 3 bears!), JJPL2c1d (john, jill, paul, lucy, 2 cats, 1 d - the members of your household).

Exercises:

1. Create a strong password, that you could remember, that scores well at the following web page: http://www.securitystats.com/tools/password.php

2. Look at the Web pages for three different banks and find out what type of password is needed to allow an account holder to access restricted information. Do the banks also offer recommendations that would lead users to create strong passwords?


11.4 Password Encryption


People don't usually discuss password encryption, because there seem to be no options to discuss: passwords are, by definition, encrypted. While this is usually true, encryption is not a simple yes or no proposition. The effectiveness of encryption, usually described as its strength, ranges from very weak to extremely robust. At its weakest, we have passwords that have been simply encoded. This produces a password that is not readable directly, but, given the key, we could easily translate it using a computer, pen and paper, or a plastic decoder ring from a cereal box. An example of this is the ROT13 cypher. ROT13 replaces every letter in a text with the letter that is 13 places away from it in the alphabet. For example "ABC" becomes "NOP". Even when using algorithms that can more accurately be called encryption, the encryption is weak if the key used to generate it is weak. Using ROT13 as an example, if you consider the 13 place differential to be the key, then ROT13 has an extremely weak key. ROT13 can be strengthened by using a different key. You could use ROT10, replacing each letter with the one ten places forward, or you could use ROT-2, replacing each letter with the one two places before it. You could strengthen it even more by varying the differential, such as ROTpi, where the first letter is shifted 3 places; the second, 1 place; the third, 4 places; the fourth, 1 place; and so on, using pi (3.14159265...) to provide a constantly varying differential. Because of these possible variations, when you are encrypting any type of information, you must be sure that you are using a reliable method of encryption and that the key (your contribution to the encryption) will provide you with a robust result. You must also remember that a good system of encryption is useless without good passwords, just as good passwords are useless without good encryption.

Exercises:

1. Here is a list of fruits encoded using the ROT13 cypher. Try to decode them:
a) nccyr
b) benatr
c) yrzba
d) jngrezryba
e) gbzngb

2. Find a web page that will allow you to decode the ROT13 encoded words automatically.

3. There are many different systems that are called encryption, but the truth is that many of these are simple encoding methods. True encryption requires a password, called a key, in order to be encoded or decoded. Of the following systems, which ones are true methods of encryption and which ones are simple codes?
a) Twofish
b) MIME
c) RSA
d) CAST
e) AES
f) BASE64
g) IDEA
h) TripleDES
i) ROT13
j) TLS
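The ROT family described in this section, as an added example in Python that is not part of the Hacker Highschool lesson: one `rot` function covers ROT13, ROT10 and ROT-2 (the shift is the "key"), and `rotpi` applies the lesson's varying shift taken from successive digits of pi to each letter in turn. Because ROT13 is its own inverse, the same call decodes the fruit list from exercise 1; for the other shifts the decoder just negates the shift, which is exactly why a fixed or predictable shift is such a weak key.

```python
import string

LOWER = string.ascii_lowercase


def rot(text: str, shift: int) -> str:
    """Shift every letter `shift` places (negative = backwards); other characters pass through."""
    out = []
    for ch in text:
        if ch.isalpha() and ch.lower() in LOWER:
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + (ord(ch) - base + shift) % 26))
        else:
            out.append(ch)
    return "".join(out)


# First 32 decimal digits of pi; the lesson's ROTpi uses them as successive shifts.
PI_DIGITS = "31415926535897932384626433832795"


def rotpi(text: str, decode: bool = False) -> str:
    """ROTpi: the n-th letter is shifted by the n-th digit of pi (3, 1, 4, 1, 5, ...)."""
    out, n = [], 0
    for ch in text:
        if ch.isalpha() and ch.lower() in LOWER:
            k = int(PI_DIGITS[n % len(PI_DIGITS)])
            n += 1
            out.append(rot(ch, -k if decode else k))
        else:
            out.append(ch)
    return "".join(out)


# Exercise 1 of this section, copied from the lesson.
FRUITS = ["nccyr", "benatr", "yrzba", "jngrezryba", "gbzngb"]


def decode_fruits() -> list:
    return [rot(word, 13) for word in FRUITS]


def brute_force_rot(ciphertext: str, known_word: str) -> int:
    """Return the shift under which `known_word` appears; there are only 26 keys to try."""
    for shift in range(26):
        if known_word in rot(ciphertext, -shift):
            return shift
    return -1


if __name__ == "__main__":
    print(decode_fruits())
    secret = rotpi("attack at dawn")
    print(secret, "->", rotpi(secret, decode=True))
```

`brute_force_rot` is there to make the "weak key" remark concrete: whatever the shift, a single known word recovers it after at most 26 tries, so changing ROT13 to ROT10 adds nothing.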


11.5 Password Cracking (Password Recovery)


Password cracking for illegal purposes is illegal. But if it is your password, then it's your information. Once you password protect something and then forget your password, you are stuck. Hence password recovery. Password cracking consists of a few basic techniques:
"Looking around": passwords are often taped to the bottom of keyboards, under mousepads, or posted on personal bulletin boards.
Brute force: just keep trying passwords until one works.
Automated dictionary attacks: these programs run through a series of possible dictionary words until one works as a password.
There are many programs available on the web to assist with password recovery on documents. However, newer versions of programs are becoming more and more secure, and therefore it is more and more difficult to obtain passwords using the techniques above, or using password recovery software.

Exercise: Identify three different programs that are used for developing documents (text, spreadsheets, archives) and also allow the use of passwords to limit access to these documents. Next, using the Internet, find instructions on how to recover lost passwords for these files.


11.6 Protection from Password Cracking


Here are some suggestions on how to keep your passwords from being cracked:
1. Use strong passwords that cannot be determined by a dictionary attack.
2. Don't post your passwords near your computer.
3. Limit wrong attempts to three tries, then lock the account. The password must then be reset. (This does not apply to documents or password protected zip files; they do not have lock out options.)
4. Change passwords regularly.
5. Use a variety of passwords for different computers.
Does this mean that you need to create a unique password for everything? Absolutely not. Maintain a master password for things that don't matter to you (perhaps the account you were required to create for TheSIMS.com or for your account on the local newspaper). But use good passwords for anything that actually needs to be secure.

Exercise: Discuss with the class the recommendations found in http://www.securitystats.com/tools/password.php
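Suggestion 3 above, the lock after three wrong tries, as an added example in Python that is not part of the Hacker Highschool lesson. The `Account` class stores only a salted PBKDF2 hash of the password (an assumption about how the account is stored; the lesson does not prescribe one), counts failures, locks on the third, rejects even the correct password while locked, and only an administrator reset with a new password reopens it. `guesses_before_lock` then shows what the policy buys you: a dictionary run against such an account stops after three words, whereas, as the lesson notes, a password-protected document has no such counter and the wordlist would simply run to its end. The wordlist and passwords are constructed.

```python
import hashlib
import hmac
import os


class Account:
    """Login check with the lesson's rule: three wrong attempts, then locked until reset."""

    MAX_FAILURES = 3

    def __init__(self, password: str):
        self._salt = os.urandom(16)
        self._hash = self._derive(password, self._salt)
        self.failures = 0
        self.locked = False

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        # Slow, salted hash so the stored value is of little use if the database leaks.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def login(self, attempt: str) -> str:
        """Returns 'ok', 'wrong' or 'locked'. A locked account refuses even the right password."""
        if self.locked:
            return "locked"
        if hmac.compare_digest(self._derive(attempt, self._salt), self._hash):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.locked = True
            return "locked"
        return "wrong"

    def reset_password(self, new_password: str) -> None:
        """Administrator reset: fresh salt and hash, counter cleared, lock released."""
        self._salt = os.urandom(16)
        self._hash = self._derive(new_password, self._salt)
        self.failures = 0
        self.locked = False


# Constructed wordlist standing in for a dictionary-attack program's input.
WORDLIST = ["password", "letmein", "welcome", "dragon", "sunshine", "gandt3b!"]


def guesses_before_lock(account: Account, wordlist=WORDLIST) -> int:
    """Number of wordlist entries the account accepts as attempts before it closes (or is opened)."""
    tried = 0
    for word in wordlist:
        tried += 1
        if account.login(word) in ("ok", "locked"):
            break
    return tried


def document_without_lockout(password: str, wordlist=WORDLIST) -> int:
    """Same wordlist against a 'document' with no attempt counter: every entry gets tried."""
    for tried, word in enumerate(wordlist, start=1):
        if word == password:
            return tried
    return len(wordlist)


if __name__ == "__main__":
    acct = Account("gandt3b!")
    print("account locked after", guesses_before_lock(acct), "guesses")
    print("document gave up its password on guess", document_without_lockout("gandt3b!"))
```

The contrast between the two final numbers is the reason the lesson puts strong passwords first and lockout third: lockout protects an online account, but a file has to rely entirely on the password itself.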


Further Reading
http://www.password-crackers.com/pwdcrackfaq.html
http://docs.rinet.ru/LomamVse/ch10/ch10.htm
http://www.ja.net/CERT/Belgers/UNIX-password - deadlink
http://www.crypticide.com/users/alecm/-security.html - deadlink
http://www.securitystats.com/tools/password.php
http://www.openwall.com/john/
http://www.atstake.com/products/lc/
http://geodsoft.com/howto/password/nt_password_hashes.htm


LESSON 12 INTERNET LEGALITIES AND ETHICS


License for Use Information


The following lessons and workbooks are open and publicly available under the following terms and conditions of ISECOM: All works in the Hacker Highschool project are provided for non-commercial use with elementary school students, junior high school students, and high school students whether in a public institution, private institution, or a part of home-schooling. These materials may not be reproduced for sale in any form. The provision of any class, course, training, or camp with these materials for which a fee is charged is expressly forbidden without a license including college classes, university classes, trade-school classes, summer or computer camps, and similar. To purchase a license, visit the LICENSE section of the Hacker Highschool web page at www.hackerhighschool.org/license. The HHS Project is a learning tool and as with any learning tool, the instruction is the influence of the instructor and not the tool. ISECOM cannot accept responsibility for how any information herein is applied or abused. The HHS Project is an open community effort and if you find value in this project, we do ask you support us through the purchase of a license, a donation, or sponsorship. All works copyright ISECOM, 2004.


Table of Contents
"License for Use" Information
Contributors
12.1. Introduction
12.2. Foreign crimes versus local rights
12.3. Crimes related to the TICs
12.4. Prevention of Crimes and Technologies of double use
12.4.1. The global systems of monitoring: concept "COMINT"
12.4.2. "ECHELON" System
12.4.3. The "CARNIVORE" system
12.5. Ethical Hacking
12.6. The 10 most common internet frauds
12.7. Recommended Reading


Contributors

Francisco de Quinto, Piqué Abogados Asociados
Jordi Saldaña, Piqué Abogados Asociados
Jaume Abella, Enginyeria La Salle (URL) - ISECOM
Marta Barceló, ISECOM
Kim Truett, ISECOM
Pete Herzog, ISECOM


12.1. Introduction

New technologies, while building a new paradigm that invades every human activity, also influence the dark side of these activities: the criminal behavior of individuals and of organized groups. For this reason, we have reserved the last lesson of HHS to analyze some aspects related to Legality and Ethics, examining several behaviors that could end in crimes and the consequences of these crimes.

12.2. Foreign crimes versus local rights

As noted above, the introduction of new technologies can result in the creation of new dark sides of activities: criminal behavior of individuals or organized groups. There are two main characteristics through which Information Technology and Communications (TIC's) are related to crime:

1. Technologies can give the possibility of renewing traditional ways of breaking the law. These are illegal activities which traditionally appear in the penal codes, but are now being attempted in new ways. Examples include money laundering and illegal types of pornography.

2. In addition, because of their own innovation, TIC's are resulting in the appearance of new types of criminal activities, and because of their nature, these new crimes are in the process of being added to the legislation of several countries. Examples include the distribution of spam and virus attacks.

Another characteristic of the TICs which must be emphasized is their territorial displacement, which affects the general surroundings but without any doubt affects other countries as well. Previously, areas of 'law' always had a clear territory regarding the judicial authority judging (COMPETENT JURISDICTION) and also regarding the law to be applied in the judging (APPLICABLE LAW). Both concepts are still noticeably geographic. In summary, we can say that the TICs are global and essentially multi-border, while the law and the courts are limited to a specific state or territory. In addition, this disorientation is even more confusing than it initially appears. Although we are not aware of it, a bidirectional online communication between a user in Barcelona and a Web site hosted at an ISP in California can pass through more than 10 ISPs, hosted in a variety of remote points around the world. Facing this diversity of addresses and nationalities, it becomes necessary to ask: What laws of which country will be applied in case of litigation? Which of the possible countries will be the suitable court to adjudicate the case?

The relatively recent European Council's agreement on cyber-crime was signed in November 2001 in Budapest by almost 30 countries, including the 15 partners of the European Union, the United States, Canada, Japan and South Africa. This agreement intends to restore the TERRITORIAL PRINCIPLE to define competent jurisdiction. The signing of this agreement is the culmination of four years of work that have resulted in a document containing 48 articles that are organized into four categories:

1. Infractions against confidentiality
2. Falsification and computer science fraud
3. Infractions relative to contents
4. Violations of intellectual property


Once the especially complex regulations and sanctions on criminal activity on the Internet have been described, consensus must be reached on three main areas of concern or difficulty:

1st DIFFICULTY: JURISDICTION CONFLICT. Selection of the most competent court for judging multinational and multi-border crimes. This problem is not definitively solved by any of the known judicial systems.

2nd DIFFICULTY: CONFLICT OF LAWS. Once the court has been chosen, the first obstacle that the court will encounter is choosing the law applicable to the case to be judged. Again we are forced to conclude that traditional legal criteria are not designed for the virtual surroundings.

3rd DIFFICULTY: EXECUTION OF SENTENCE. Once the competent court has determined a sentence, the sentence must be carried out, possibly by a different country than the country which dictated the sentence. Therefore, it is necessary to have an international commitment to recognition and acceptance of any sentences imposed. This problematic issue is even more complicated to solve than the two previous ones.

These complications were clearly demonstrated in the recent case of a hacker in Russia, who had hacked several US systems, and was invited to a phony US company for an interview. During the interview, he demonstrated his skills by hacking into his own network in Russia. It turned out that the interview was actually conducted by the FBI, and he was arrested. The FBI used sniffers placed on the interview computer to raid the hacker's computer in Russia and download evidence that was used to convict him. But there are many unresolved issues:

Was it legal for the FBI to examine the contents of a computer in Russia, without obtaining permission from the Russian government?
By inviting the hacker to the US, the FBI did not have to arrange for his extradition to the US. Was this legal?
Could the US convict a person for crimes that were technically committed on Russian soil?

Finally, he was convicted in the US, because he had used a proxy server in the US to conduct some of the attacks. He served just under 4 years in prison and now lives and works in the US.

Exercise

Conduct a modified white-hat / black-hat discussion of at least one of these questions (examination of a computer on foreign soil; invitation or entrapment(?) to avoid extradition; conviction for internet crimes committed against a country from foreign soil).

1. First, have students focus on and list reasons why the chosen topic was probably legal.
2. Then reverse and have them focus on and list why the chosen topic was probably illegal.
3. After these completely separate discussions, see if the class can reach a decision.

Note - these questions are interesting for discussion. There are no right answers, and governments are still working to come to a consensus on these and other issues related to the international nature of these crimes. This exercise is purely for critically examining and thinking about internet crimes, as well as formulating a logical argument for an opinion related to internet crimes.


12.3. Crimes related to the TICs

The classification of criminal behaviors is one of the essential principles of penal systems. For this reason, several countries must think of changes to their penal codes, such as Spain, where the effective Penal Code was promulgated relatively recently. The well known Belloch Penal Code was approved on November 23rd 1995 (Organic Law from the Penal Code 10/1995) and it recognizes the need to adapt the penal criteria to the present social reality. Among others, we can classify potential criminal actions into the following six sections:

1. Manipulation of data and information contained in files or on other computer devices.
2. Access to data or use of data without authorization.
3. Insertion of programs/routines in other computers to destroy or modify information, data or applications.
4. Use of other people's computers or applications without explicit authorization, with the purpose of obtaining benefits for oneself and/or harming others.
5. Use of the computer with fraudulent intentions.
6. Attacks on privacy, by means of the use and processing of personal data with a different purpose from the authorized one.

Technological crime is characterized by the difficulties involved in discovering it, proving it and prosecuting it. The victims prefer to undergo the consequences of the crime and to try to prevent it in the future rather than initiate a judicial procedure. This situation makes it very difficult to calculate the number of such crimes committed and to plan for preventive legal measures. This is complicated by the constantly changing technologies. However, laws are changing to increasingly add legal tools of great value to judges, jurists and lawyers to punish crimes related to the TICs. Next we will analyze some specific crimes related to the TIC's.

1. Misrepresentation: The anonymity of the internet allows users to pretend to be anyone that they want to be. As a result, crimes can be committed when users pretend to be someone else to gain information, or to gain the trust of other individuals.
2. Interception of communications: Interception of secret or private communications, such as emails or cell phone transmissions, using listening devices, recording, or reproduction of sounds and/or images.
3. Discovery and revelation of secrets: Discovering company secrets by illegally examining data or electronic documents. In some cases, the legal sentences are extended if the secrets are disclosed to a third party.
4. Unauthorized access to computers: Illegal access to accounts and information, with the intent of profiting. This includes identity theft.
5. Damaging computer files: Destroying, altering, making unusable or in any other way damaging electronic data, programs, or documents on other computers, networks or systems.


6. Illegal copying: Illegal copying of copyrighted materials (literary, artistic, scientific works) through any means without the authorization of the owners of the intellectual property or its assignees.

Exercise:

1. Choose one of the topics above, and conduct the following searches: Find a legal case which can be classified as the chosen type of crime. Was there a legal judgment, and if there was, what sentence was applied? Why did the authors commit this crime?

2. Regarding intellectual property: Are the following actions a crime?

Photocopy a book in its totality
To copy a music CD that we have not bought
To make a copy of a music CD you have bought
To download music in MP3, or films in DIVX, from the Internet
What if it were your music or movie that you were not getting royalties for?
What if it were your artwork, that others were copying and stating that they created it?

12.4. Prevention of Crimes and Technologies of double use

The only reliable way to be prepared for criminal aggression in the area of the TICs is to reasonably apply the safety measures that have been explained throughout the previous HHS lessons. Also it is extremely important for the application of these measures to be done in a way that makes it practically impossible to commit any criminal or doubtful behaviors. It is important to note that technologies can have multiple uses and the same technique used for security can, simultaneously, result in criminal activity. This is called TECHNOLOGIES OF DOUBLE USE, whose biggest components are cryptography and technologies used to intercept electronic communications. This section discusses the reality of this phenomenon and its alarming consequences at all levels of human activity including policy, social, economic and research.

12.4.1. The global systems of monitoring: concept "COMINT"

The term COMINT was created recently as a result of the integration of the terms "COMmunications INTelligence" and refers to the interception of communications that has resulted from the development and the massive implementation of the TIC's. Nowadays, COMINT represents a lucrative economic activity providing clients, both private and public, with intelligence contents on demand, especially in the areas of diplomacy, economy and research. This has resulted in the displacement of the obsolete scheme of military espionage by the more or less open implementation of new technologies for the examination and collection of data. The most representative examples of COMINT technologies are the systems "ECHELON" and "CARNIVORE" which are discussed next.


12.4.2. "ECHELON" System

The system has its origins in 1947, just after World War II, in an agreement between the UK and US with clear military and security purposes. The details of this agreement are still not completely known. Later, countries like Canada, Australia and New Zealand joined the agreement, working as information providers and subordinates. The system works by indiscriminately intercepting enormous amounts of communications, no matter what means is used for transport and storage, mainly emphasizing the following listening areas:

Broadband transmissions (wideband and Internet)
Facsimile and telephone communications by cable: interception of cables, and of submarine cables by means of ships equipped for this
Cell phone communications
Voice Recognition Systems
Biometric System Recognition such as facial recognition via anonymous filming

Later, the valuable information is selected according to the directives in the Echelon System, with the help of several methods of Artificial Intelligence (AI) to define and apply KEY WORDS. Each one of the five member countries provides "KEY WORD DICTIONARIES" which are introduced in the communication interception devices and act as an "automatic filter". Logically, the "words" and the "dictionaries" change over time according to the particular interests of the member countries of the System. At first, ECHELON had clear military and security purposes. Later, it became a dual system officially working for the prevention of international organized crime (terrorism, mobs, trafficking in arms and drugs, dictatorships, etc.) but with an influence reaching the Global Economy and Commercial Policies in companies. Lately, ECHELON has been operating with a five-point star structure around two main areas. Both are structures of the NSA (National Security Agency): one in the United States, coinciding with their headquarters in Fort Meade (Maryland), and another one in England, to the north of Yorkshire, known as Menwith Hill. The points of the star are occupied by the tracking stations of the collaborating partners:

The US (2): Sugar Grove and Yakima.
New Zealand (1): Waihopai.
Australia (1): Geraldton.
UK (1): Morwenstow (Cornwall).
There was another one in Hong Kong before the territory was returned to China.

12.4.3. The "CARNIVORE" system

The second great global system of interception and espionage is the one sponsored by the US FBI and is known as CARNIVORE, with a stated purpose of fighting organized crime and reinforcing the security of the US. Because of its potent technology and its versatility in applying its listening and attention areas, CARNIVORE has caused a head-on collision between this state of the art system, political organizations (US Congress) and mass media.

CARNIVORE was developed in 2000, and is an automatic system, intercepting internet communications by taking advantage of one of the fundamental principles of the net: the dissemination of information in "packages" or groups of uniform data. CARNIVORE is able to detect and identify these "packages of information". This is supposedly done in defense of national security and to reinforce the fight against organized and technological crime. The American civil rights organizations immediately protested this as a new attack on the privacy and confidentiality of electronic information transactions. One group, the Electronic Privacy Information Center (EPIC), has requested that a federal judge order the FBI to allow access by the ISP's to the monitoring system - to ensure that this system is not going to be used beyond the limits of the law. In the beginning of August 2000, the Appeals Court of the District of Columbia rejected a law allowing the FBI to intercept telecommunications (specifically cell phones) without the need to ask for prior judicial permission, through a Federal Commission of Telecommunications project that tried to force mobile telephone companies to install tracking devices in all phones and thus obtain the automatic location of the calls. It would have increased the cost of manufacturing equipment by 45%. With these two examples, we see the intentions of the FBI to generate a domestic Echelon system, centering on the internet and cell phones, known as CARNIVORE. The project has been widely rejected by different judicial courts in the US and by Congress, as there is no doubt it means an aggression to American civil rights, at least in this initial version. The project is being rethought, at least formally, including prior judicial authorization (such as a search warrant) as a requirement for any data obtained to be accepted as evidence in a trial.

Exercise

A joke related to these COMINT systems is found on the Internet. We include it here for class discussion of the ethical and legal implications:

An old Iraqi Muslim Arab, settled in Chicago for more than 4 years, has been wanting to plant potatoes in his garden, but to plow the ground is a very difficult work for him. His only son, Ahmed, is studying in France. The old man sends an email to his son explaining the following problem: "Ahmed, I feel bad because I am not going to be able to have potatoes in my garden this year. I am too old to plow the soil. If you were here, all my problems would disappear. I know that you would plow the soil for me. Loves you, Papa." A few days later, he receives an email from his son: "Father: For God's sake, do not touch the garden's soil. That is where I hid that ... Loves you, Ahmed." The next morning at 4:00, suddenly appear the local police, agents of the FBI, the CIA, S.W.A.T. teams, the RANGERS, the MARINES, Steven Seagal, Sylvester Stallone and some more elite representatives of the Pentagon, who remove all the soil searching for any materials to construct bombs, anthrax, whatever. They do not find anything, so they go away. That same day, the man receives another email from his son: "Father: Surely, the soil is ready to plant potatoes. It is the best I could do given the circumstances. Loves you, Ahmed."



Exercise

Search for information about the Echelon and Carnivore systems on the internet, as well as their application on networks and TICs systems in your country, to answer the following questions:

1. What does the term "ECHELON" mean?
2. What elements form the ECHELON system?
3. What elements form the CARNIVORE system?
4. Search for an example of controversy attributed to the ECHELON system and related to famous personalities.
5. Search for an example of the application of the CARNIVORE system related to a TERRORIST known worldwide.
6. What is your opinion about the "legality" of such systems?

12.5. Ethical Hacking

Besides talking about criminal behaviors, crimes, and their respective sanctions, we must make it very clear that being a hacker does not mean being a delinquent. Nowadays, companies are hiring services from "Ethical Hackers" to detect vulnerabilities of their computer science systems and therefore improve their defense measures. Ethical Hackers, with their knowledge, help to define the parameters of defense. They do "controlled" attacks, previously authorized by the organization, to verify the system's defenses. They create groups to learn new attack techniques, exploitations and vulnerabilities, among others. They work as researchers for the security field. Sun Tzu said in his book "The Art of War", "Attack is the secret of defense; defense is the planning of an attack."

The methodology of ethical hacking is divided in several phases:

1. Attack Planning
2. Internet Access
3. Test and execution of an attack
4. Gathering information
5. Analysis
6. Assessment and Diagnosis
7. Final Report

One helpful tool that Ethical Hackers use is the OSSTMM methodology - Open Source Security Testing Methodology Manual. This methodology is for the testing of any security system, from guards and doors to mobile and satellite communications and satellites. At the moment it is applied and used by important organizations such as:

Spanish Financial institutions
the US Treasury Department for testing financial institutions
US Navy
US Air Force

Exercise

Find information about Ethical Hacking and its role in IT security companies. Search for information about the OSSTMM and methodologies. Search for information about "certifications" related to Ethical Hacking.

12.6. The 10 most common internet frauds

Listed below is a summary from the US Federal Trade Commission of the most common crimes on the Internet as of 2005.

1. Internet Auctions: Shop in a "virtual marketplace" that offers a huge selection of products at great deals. After sending their money, consumers receive an item that is less valuable than promised, or, worse yet, nothing at all.

2. Internet Access Services: Free money, simply for cashing a check. Consumers are "trapped" into long-term contracts for Internet access or another web service, with substantial penalties for cancellation or early termination.

3. Credit Card Fraud: Surf the Internet and view adult images online for free, just for sharing your credit card number to prove you're over 18. Fraudulent promoters use their credit card numbers to run up charges on the cards.

4. International Modem Dialing: Get free access to adult material and pornography by downloading a "viewer" or "dialer" computer program. Consumers complained about exorbitant long-distance charges on their phone bill. Through the program, their modem is disconnected, then reconnected to the Internet through an international long-distance number.

5. Web Cramming: Get a free custom-designed website for a 30-day trial period, with no obligation to continue. Consumers are charged on their telephone bills or receive a separate invoice, even if they never accepted the offer or agreed to continue the service after the trial period.

6. Multilevel Marketing Plans / Pyramids: Make money through the products and services you sell as well as those sold by the people you recruit into the program. Consumers say that they've bought into plans and programs, but their customers are other distributors, not the general public.

7. Travel and Vacation: Get a luxurious trip with lots of "extras" at a bargain-basement price. Companies deliver lower-quality accommodations and services than they've advertised, or no trip at all. Others impose hidden charges or additional requirements after consumers have paid.

8. Business Opportunities: Taken in by promises about potential earnings, many consumers have invested in a "biz op" that turned out to be a "biz flop." There was no evidence to back up the earnings claims.

9. Investments: Make an initial investment in a day trading system or service and you'll quickly realize huge returns. But big profits always mean big risk. Consumers have lost money to programs that claim to be able to predict the market with 100 percent accuracy.

10. Health Care Products/Services: Claims for "miracle" products and treatments convince consumers that their health problems can be cured. But people with serious illnesses who put their hopes in these offers might delay getting the health care they need.

Exercise

Think about the following questions and discuss them with the rest of the class:

1. Do you think that you could have been a victim of some of the crimes mentioned throughout the lesson?

2. Here is a quote from an ISECOM board member: "In order to have the proper background to evaluate the security readiness of a computer system, or even an entire organization, one must possess a fundamental understanding of security mechanisms, and know how to measure the level of assurance to be placed in those security mechanisms." Discuss what is meant by this and how you could prepare to "evaluate the security readiness of a computer system". Have these lessons given you enough materials to get started?

3. [optional exercise for personal consideration (not general discussion)]: After analyzing the comments in this lesson, you may find that there are technological activities that you have heard about, or that you may have even done, that you never considered to be illegal, but now you are not sure. Some research on the internet may help clear up any questions or confusion that you have.


12.7. Recommended Reading

http://www.ftc.gov/bcp/menu-internet.htm
http://www.ic3.gov/
http://www.ccmostwanted.com/
http://www.scambusters.org/
http://compnetworking.about.com/od/networksecurityprivacy/l/aa071900a.htm
http://www.echelonwatch.org/
http://www.isecom.org/


COMPLETE TABLE OF CONTENTS AND GLOSSARY




Table of Contents

Lesson 1: Being a Hacker

1.0 Introduction
1.1 Resources
1.1.1 Books
1.1.2 Magazines and Newspapers
1.1.3 Zines and Blogs
1.1.4 Forums and Mailing Lists
1.1.5 Newsgroups
1.1.6 Websites
1.1.7 Chat
1.1.8 P2P
1.2 Further Lessons

Lesson 2: Basic Commands in Linux and Windows

2.1. Introduction and Objectives
2.2. Requirements and Setup
2.2.1 Requirements
2.2.2 Setup
2.3. System Operation: WINDOWS
2.3.1 How to open an MS-DOS window
2.3.2 Commands and tools (Windows)
2.4. System Operations: Linux
2.4.1 How to open a console window
2.4.2 Commands and tools (Linux)

Lesson 3: Ports and Protocols

3.1 Introduction
3.2 Basic concepts of networks
3.2.1 Devices
3.2.2 Topologies
3.3 TCP/IP model
3.3.1 Introduction
3.3.2 Layers
3.3.2.1 Application
3.3.2.2 Transport
3.3.2.3 Internet
3.3.2.4 Network Access
3.3.3 Protocols
3.3.3.1 Application layer protocols
3.3.3.2 Transport layer Protocols
3.3.3.3 Internet layer Protocols
3.3.4 IP Addresses
3.3.5 Ports
3.3.6 Encapsulation

Lesson 4: Services and Connections

4.0 Introduction
4.1 Services
4.1.1 HTTP and The Web
4.1.2 E-Mail - POP and SMTP
4.1.3 IRC
4.1.4 FTP
4.1.5 Telnet and SSH
4.1.6 DNS
4.1.7 DHCP
4.2 Connections
4.2.1 ISPs
4.2.2 Plain Old Telephone Service
4.2.3 DSL
4.2.4 Cable Modems

Lesson 5: System Identification

5.0 Introduction
5.1 Identifying a Server
5.1.1 Identifying the Owner of a domain
5.1.2 Identifying the IP address of a domain
5.2 Identifying Services
5.2.1 Ping and TraceRoute
5.2.2 Banner Grabbing
5.2.3 Identifying Services from Ports and Protocols
5.3 System Fingerprinting
5.3.1 Scanning Remote Computers

Lesson 6: Malware

6.0 Introduction
6.1 Viruses (Virii)
6.1.1 Introduction
6.1.2 Description
6.1.2.1 Boot Sector Viruses
6.1.2.2 The Executable File Virus
6.1.2.3 The Terminate and Stay Resident (TSR) Virus
6.1.2.4 The Polymorphic Virus
6.1.2.5 The Macro Virus
6.2 Worms
6.2.1 Introduction
6.2.2 Description
6.3 Trojans and Spyware
6.3.1 Introduction
6.3.2 Description
6.4 Rootkits and Backdoors
6.4.1 Introduction
6.4.2 Description
6.5 Logicbombs and Timebombs
6.5.1 Introduction
6.5.2 Description
6.6 Countermeasures
6.6.1 Introduction
6.6.2 Anti-Virus
6.6.3 NIDS
6.6.4 HIDS
6.6.5 Firewalls
6.6.6 Sandboxes
6.7 Good Safety Advice

Lesson 7: Attack Analysis

7.0 Introduction
7.1 Netstat and Host Application Firewalls
7.1.1 Netstat
7.1.2 Firewalls
7.2 Packet Sniffers
7.2.1 Sniffing
7.2.2 Decoding Network Traffic
7.2.3 Sniffing Other Computers
7.2.4 Intrusion Detection Systems
7.3 Honeypots and Honeynets
7.3.1 Types of Honeypots
7.3.2 Building a Honeypot

Lesson 8: Digital Forensics

8.0 Introduction
8.1 Forensic Principles
8.1.0 Introduction
8.1.1 Avoid Contamination
8.1.2 Act Methodically
8.1.3 Chain of Evidence
8.1.4 Conclusion
8.2 Stand-alone Forensics
8.2.0 Introduction
8.2.1 Hard Drive and Storage Media Basics
8.2.2 Encryption, Decryption and File Formats
8.2.3 Finding a Needle in a Haystack
8.2.3.1 find
8.2.3.2 grep
8.2.3.3 strings
8.2.3.4 awk
8.2.3.5 The Pipe (|)
8.2.4 Making use of other sources
8.3 Network Forensics
8.3.0 Introduction
8.3.1 Firewall Logs
8.3.2 Mail Headers

Lesson 9: Email Security

9.0 Introduction
9.1 How E-mail Works
9.1.1 E-mail Accounts
9.1.2 POP and SMTP
9.1.3 Web Mail
9.2 Safe E-mail Usage Part 1: Receiving
9.2.1 Spam, Phishing and Fraud
9.2.2 HTML E-Mail
9.2.3 Attachment Security
9.2.4 Forged headers
9.3 Safe E-mail Usage Part 2: Sending
9.3.1 Digital Certificates
9.3.2 Digital Signatures
9.3.3 Getting a certificate
9.3.4 Encryption
9.3.5 How does it work?
9.3.6 Decryption
9.3.7 Is Encryption Unbreakable?
9.4 Connection Security

Lesson 10: Web Security

10.1 Fundamentals of Web Security
10.1.1 How the web really works
10.1.2 Rattling the Locks
10.1.3 Looking through Tinted Windows - SSL
10.1.4 Having someone else do it for you - Proxies
10.2 Web Vulnerabilities
10.2.1 Scripting Languages
10.2.2 Top Ten Most Critical Web Application Vulnerabilities
10.2.3 Security Guidelines for Building Secure Web Applications
10.3 HTML Basics - A brief introduction
10.3.1 Reading HTML
10.3.2 Viewing HTML at its Source
10.3.3 Links
10.3.4 Proxy methods for Web Application Manipulation
10.4 Protecting your server
10.4.1 Firewall
10.4.2 Intrusion Detection System (IDS)
10.5 Secure Communications
10.5.1 Privacy and Confidentiality
10.5.2 Knowing if you are communicating securely
10.6 Methods of Verification
10.6.1 OSSTMM
10.6.2 OWASP


Lesson 11: Passwords

11.0 Introduction
11.1 Types of Passwords
11.1.1 Strings of Characters
11.1.2 Strings of Characters plus a token
11.1.3 Biometric Passwords
11.2 History of Passwords
11.3 Build a Strong Password
11.4 Password Encryption
11.5 Password Cracking (Password Recovery)
11.6 Protection from Password Cracking

Lesson 12: Legalities and Ethics

12.1. Introduction
12.2. Foreign crimes versus local rights
12.3. Crimes related to the TICs
12.4. Prevention of Crimes and Technologies of double use
12.4.1. The global systems of monitoring: concept "COMINT"
12.4.2. "ECHELON" System
12.4.3. The "CARNIVORE" system
12.5. Ethical Hacking
12.6. The 10 most common internet frauds


Glossary
Find more computer term definitions at www.webopedia.com, which provided many of the definitions reproduced here.
Anonymous FTP - A method by which computer files are made available for downloading by the general public.
awk - A programming language designed for working with strings.
backdoors - An undocumented way of gaining access to a program, online service or an entire computer system.
Baud - bits per second, used to describe the rate at which computers exchange information.
BIOS - basic input/output system. The built-in software that determines what a computer can do without accessing programs from a disk. On PCs, the BIOS contains all the code required to control the keyboard, display screen, disk drives, serial communications, and a number of miscellaneous functions. The BIOS is typically placed in a ROM chip that comes with the computer.
blog (weblogs) - Web page that serves as a publicly accessible personal journal for an individual.
Boolean logic - Boolean logic is a form of algebra in which all values are reduced to either TRUE or FALSE. Boolean logic is especially important for computer science because it fits nicely with the binary numbering system, in which each bit has a value of either 1 or 0. Another way of looking at it is that each bit has a value of either TRUE or FALSE.
Boot sector - The first sector of the hard disk where the master boot record resides, which is a small program that is executed when a computer boots up.
cache - Pronounced cash, a special high-speed storage mechanism. It can be either a reserved section of main memory or an independent high-speed storage device. Two types of caching are commonly used in personal computers: memory caching and disk caching.
Client - A program on a local computer that is used to exchange data with a remote computer, see server.
cluster / allocation unit - A group of disk sectors. The operating system assigns a unique number to each cluster and then keeps track of files according to which clusters they use.
cookies - A message given to a Web browser by a Web server. The browser stores the message in a text file. The message is then sent back to the server each time the browser requests a page from the server.
CRC - Cyclical redundancy check.
cyclical redundancy check (CRC) - A common technique for detecting data transmission errors. Transmitted messages are divided into predetermined lengths that are divided by a fixed divisor. According to the calculation, the remainder number is appended onto and sent with the message. When the message is received, the computer recalculates the remainder and compares it to the transmitted remainder. If the numbers do not match, an error is detected.
DHCP - Dynamic Host Configuration Protocol.

Digital Subscriber Line (DSL) - A technology that allows the simultaneous transmission of voice and high-speed data using traditional telephone lines.
DNS - Domain Name Server.
Domain Name Server (DNS) - A service that translates domain names into IP addresses.
domain names - A name that identifies one or more IP addresses. For example, the domain name microsoft.com represents about a dozen IP addresses. Domain names are used in URLs to identify particular Web pages. For example, in the URL http://www.pcwebopedia.com/index.html, the domain name is pcwebopedia.com. Every domain name has a suffix that indicates which top level domain (TLD) it belongs to. There are only a limited number of such domains. For example: .gov - Government agencies; .edu - Educational institutions; .org - Organizations (nonprofit); .com - Commercial Business; .net - Network organizations. Because the Internet is based on IP addresses, not domain names, every Web server requires a Domain Name System (DNS) server to translate domain names into IP addresses.
DSL - Digital Subscriber Line.
Dynamic Host Configuration Protocol (DHCP) - A protocol used to allow for the dynamic configuration of networks.
E-mail - A service which allows for the transmission of simple messages across networks.

ethereal - A packet sniffer that records traffic on your computer.
ethernet - A local-area network (LAN) architecture developed by Xerox Corporation in cooperation with DEC and Intel in 1976. It is one of the most widely implemented LAN standards.
file signature - Small 6-byte signature at the start of the file which identifies what kind of file it is.
file transfer protocol (FTP) - Used to allow local computers to download files from remote computers.
filtered (ports) - Ports for which a firewall examines the header of a packet that is directed to that port and determines whether or not to let it through (see open ports).
firewall - A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both.
forums - An online discussion group. Online services and bulletin board services (BBS's) provide a variety of forums, in which participants with common interests can exchange open messages.
FTP - File transfer protocol.
GCHQ - Government Communications Headquarters, is an intelligence and security organization in the UK.

grep - Short for global-regular-expression-print, a UNIX utility that allows the user to search one or more files for a specific string of text and outputs all the lines that contain the string. The user also has the option to replace the string with another.
HIDS - A host based intrusion detection system.
honeypot - An Internet-attached server that acts as a decoy, luring in potential hackers in order to study their activities and monitor how they are able to break into a system.
http - hypertext transfer protocol.
hub - A common connection point for devices in a network. Hubs are commonly used to connect segments of a LAN.
Hypertext - A method of organizing and presenting data that allows the user to easily move between related items.
hypertext transfer protocol (http) - The underlying protocol used by the World Wide Web, HTTP defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands.
IANA - Internet Assigned Numbers Authority.
ICMP - Internet Control Message Protocol.
IM - Instant messaging.
Instant messaging (IM) - A type of communications service that enables you to create a kind of private chat room with another individual in order to communicate in real time over the Internet, analogous to a telephone conversation but using text-based, not voice-based, communication.
interfaces - A boundary across which two independent systems meet and act on or communicate with each other.
Internet Assigned Numbers Authority (IANA) - An organization working under the auspices of the Internet Architecture Board (IAB) that is responsible for assigning new Internet-wide IP addresses.
Internet Control Message Protocol (ICMP) - An extension to the Internet Protocol (IP) defined by RFC 792. ICMP supports packets containing error, control, and informational messages. The PING command, for example, uses ICMP to test an Internet connection.
internet protocol (IP) - IP specifies the format of packets, also called datagrams, and the addressing scheme. Most networks combine IP with a higher-level protocol called Transmission Control Protocol (TCP), which establishes a virtual connection between a destination and a source.
Internet Relay Chat (IRC) - A service which allows for real-time, text-based communication between Internet users.
Internet Service Provider (ISP) - A company which provides users with access to the Internet.
IP - Internet protocol.
IP address - An identifier for a computer in the internet or on a TCP/IP network. The format of an IP address is a 32-bit numeric address written as four numbers separated by periods. Each number can be zero to 255. For example, 61.160.10.240 could be an IP address.
ipconfig - Tool to display information on the active interfaces on a computer.
IRC - Internet Relay Chat.

ISP - Internet Service Provider, a company which provides users with access to the Internet.
logicbombs - Code designed to execute when a specific activity occurs on a network or computer.
loopback - When a computer refers to itself. Loopback address is a special IP number (127.0.0.1) that is designated for the software loopback interface of a machine. The loopback interface has no hardware associated with it, and it is not physically connected to a network.
MAC - Media access control.
MD5 hash - An algorithm used to create digital signatures. It is intended for use with 32 bit machines and is safer than the MD4 algorithm, which has been broken. MD5 is a one-way hash function, meaning that it takes a message and converts it into a fixed string of digits, also called a message digest.
media access control (MAC) - A hardware address that uniquely identifies each node of a network.
Modem - Modulator/Demodulator, a device which translates digital signals into analog signals, and analog signals back into digital signals, allowing computers to communicate with each other through analog telephone lines.
MS-DOS (Microsoft Disk Operating System) - MS-DOS is an Operating System. Mainly it allows the communication between users and PC hardware, and it also manages available resources, such as memory and CPU usage.
netstat - A command which displays the status of a network.
network intrusion detection (NIDS) - Intrusion detection system in which the individual packets flowing through a network are analyzed.
newsgroups - Same as forum, an on-line discussion group.
NIDS - Network intrusion detection.
nmap - A program which conducts a probe of your computer for open ports.
NSA - The National Security Agency is the United States' cryptologic organization. It coordinates, directs, and performs highly specialized activities to protect US information systems and produce foreign intelligence information.
open (ports) - Ports for which all packets that are directed to that port are allowed through (see filtered ports).
operating system - The underlying program that runs on a computer. Every general-purpose computer must have an operating system to run other programs. Operating systems perform basic tasks, such as recognizing input from the keyboard, sending output to the display screen, keeping track of files and directories on the disk, and controlling peripheral devices such as disk drives and printers. Some Operating Systems are Windows, Linux and UNIX.
P2P - Peer-to-peer.
packet sniffer - A program and/or device that monitors data traveling over a network.
packets - A piece of a message transmitted over a packet-switching network.
password cracking - The process of attempting to determine an unknown password.
peer-to-peer (P2P) - A type of network in which each workstation has equivalent capabilities and responsibilities.

ping - A utility to determine whether a specific IP address is accessible. It works by sending a packet to the specified address and waiting for a reply.
Plain Old Telephone Service (POTS) - Used to describe basic, old-fashioned telephone service.
POP - Post Office Protocol, a protocol used to retrieve e-mail from a mail server. Most e-mail applications (sometimes called an e-mail client) use the POP protocol, although some can use the newer IMAP (Internet Message Access Protocol).
ports - An interface on a computer to which you can connect a device. Personal computers have various types of ports. Internally, there are several ports for connecting disk drives, display screens, and keyboards. Externally, personal computers have ports for connecting modems, printers, mice, and other peripheral devices.
POTS - Plain old telephone service.
ppp - Point-to-Point Protocol, a method of connecting a computer to the Internet. PPP is more stable than the older SLIP protocol and provides error checking features.
privileged access - A privilege to use computer information in some manner. For example, a user might be granted read access to a file, meaning that the user can read the file but cannot modify or delete it. Most operating systems have several different types of access privileges that can be granted or denied to specific users or groups of users.
protocol - An agreed-upon format for transmitting data between two devices.
RAM (Random Access Memory) - A type of computer memory that can be accessed randomly; that is, any byte of memory can be accessed without touching the preceding bytes.
rootkits - Malware that creates a method to retain access to a machine.
router - A device that forwards data packets along networks. A router is connected to at least two networks, commonly two LANs or WANs or a LAN and its ISP's network. Routers are located at gateways, the places where two or more networks connect. Routers use headers and forwarding tables to determine the best path for forwarding the packets, and they use protocols such as ICMP to communicate with each other and configure the best route between any two hosts.
routing table - In internetworking, the process of moving a packet of data from source to destination. Routing is usually performed by a dedicated device called a router.
sandbox - A security measure in the Java development environment. The sandbox is a set of rules that are used when creating an applet that prevents certain functions when the applet is sent as part of a Web page.
script kiddie - A person who runs hacking tools without knowing how or why they work.
Secure Shell - A protocol designed as a more secure replacement for telnet.
sectors - The smallest unit that can be accessed on a disk.
Server - A program on a remote computer that is used to provide data to a local computer, see client.
Services - Network services allow local computers to exchange information with remote computers.
SMTP - Simple Mail Transfer Protocol, a protocol for sending e-mail messages between servers. Most e-mail systems that send mail over the Internet use SMTP.

social engineering - The act of obtaining or attempting to obtain otherwise secure data by conning an individual into revealing secure information.
spyware - Any software that covertly gathers user information through the user's Internet connection without his or her knowledge.
SSH - Secure Shell, a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another.
switch - In networks, a device that filters and forwards packets between LAN segments.
TCP - Transmission Control Protocol. Whereas the IP protocol deals only with packets, TCP enables two hosts to establish a connection and exchange streams of data. TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent.
TCP/IP - Transmission Control Protocol/Internet Protocol. The suite of communications protocols used to connect hosts on the Internet.
tcpdump - A packet sniffer that records traffic on your computer.
Telnet - A protocol that allows a local user to connect to a remote computer and access its resources.
timebombs - Code designed to execute at a specific time on a network or computer, for example when the expiration date is reached on a trial software.
topologies - The shape of a local-area network (LAN) or other communications system.
tracert - A utility that traces a packet from your computer to an Internet host, showing how many hops the packet requires to reach the host and how long each hop takes.
tracks - A ring on a disk where data can be written. A typical floppy disk has 80 (double-density) or 160 (high-density) tracks. For hard disks, each platter is divided into tracks, and a single track location that cuts through all platters (and both sides of each platter) is called a cylinder. Hard disks have many thousands of cylinders.
trojans - A destructive program that masquerades as a benign application. Unlike viruses, Trojans do not replicate themselves but they can be just as destructive.
Web Browser - A program that allows users to connect to web servers and view the pages stored on them.
Web Server - A computer where web pages are kept to be accessed by other computers.
weblogs (blogs) - Web page that serves as a publicly accessible personal journal for an individual.
Whois - An Internet utility that returns information about a domain name or IP address.
World Wide Web (www) - A service for the transmission and presentation of hypertext.
worms - A program or algorithm that replicates itself over a computer network and usually performs malicious actions, such as using up the computer's resources and possibly shutting the system down.
Zine - Small, often free magazine, usually produced by hobbyists and amateur journalists.
