
Chapter 1: Ethical Hacking Overview

Objectives
Describe the role of an ethical hacker
Describe what you can do legally as an ethical hacker
Describe what you cannot do as an ethical hacker
Introduction to Ethical Hacking
Ethical hackers
• Employed by companies to perform penetration tests
Penetration test
• Legal attempt to break into a company’s network to find its weakest link
• Tester only reports findings, does not solve problems
Security test
• More than an attempt to break in; also includes analyzing company’s security policy and procedures
• Tester offers solutions to secure or protect the network
The Role of Security and Penetration Testers
Hackers
• Access a computer system or network without authorization
• Break the law; can go to prison
Crackers
• Break into systems to steal or destroy data
• The U.S. Department of Justice calls both groups hackers
Ethical hacker
• Performs most of the same activities, but with the owner’s permission
The Role of Security and Penetration Testers
Script kiddies or packet monkeys
• Young, inexperienced hackers
• Copy code and techniques from knowledgeable hackers
Experienced penetration testers write programs or scripts using these languages
• Practical Extraction and Report Language (Perl), C, C++, Python, JavaScript, Visual Basic, SQL, and many others
Script
• Set of instructions that runs in sequence
It Takes Time to Become a Hacker
• This class alone won’t make you a hacker, or an expert
▪ It might make you a script kiddie
• It usually takes years of study and experience to earn respect in the hacker community
• It’s a hobby, a lifestyle, and an attitude
▪ A drive to figure out how things work
The Role of Security and Penetration Testers
Tiger box
• Collection of OSs and hacking tools
• Usually on a laptop
• Helps penetration testers and security testers conduct vulnerability assessments and attacks
Penetration-Testing Methodologies
White box model
• Tester is told everything about the network topology and technology

CNIT 123 – Bowne Page 1 of 5


• Network diagram
• Tester is authorized to interview IT personnel and company employees
• Makes tester’s job a little easier
Network Diagram
• From ratemynetworkdiagram.com (Link Ch 1g)
(Figure caption: This is a Floor Plan)

Penetration-Testing Methodologies
Black box model
• Company staff does not know about the test
• Tester is not given details about the network
▪ Burden is on the tester to find these details
• Tests if security personnel are able to detect an attack
Penetration-Testing Methodologies
Gray box model
• Hybrid of the white and black box models
• Company gives tester partial information
Certification Programs for Network Security Personnel
Certification programs available in almost every area of network security
Basics:
• CompTIA Security+ (CNIT 120)
• Network+ (CNIT 106 or 201)


Take Certification Tests Here
CNIT is a Prometric Vue testing center
• Certification tests are given in S214
• CompTIA and Microsoft
• The next tests will be in the second week of April, right after Spring Break
▪ Email sbowne@ccsf.edu if you want to take a test
Certified Ethical Hacker (CEH)
• But see “Run Away From The CEH Certification”
▪ Link Ch 1e on my Web page
OSSTMM Professional Security Tester (OPST)
Designated by the Institute for Security and Open Methodologies (ISECOM)
• Uses the Open Source Security Testing Methodology Manual (OSSTMM)
• Test is only offered in Connecticut and outside the USA, as far as I can tell
• See links Ch 1f and Ch 1h on my Web page
Certified Information Systems Security Professional (CISSP)
Issued by the International Information Systems Security Certifications Consortium (ISC2)
Usually more concerned with policies and procedures than technical details
Web site
• www.isc2.org
SANS Institute
SysAdmin, Audit, Network, Security (SANS)
Offers certifications through Global Information Assurance Certification (GIAC)
Top 20 list
• One of the most popular SANS Institute documents
• Details the most common network exploits
• Suggests ways of correcting vulnerabilities
Web site
• www.sans.org (links Ch 1i & Ch 1j)
What You Can Do Legally
Laws involving technology change as rapidly as technology itself
Find what is legal for you locally
• Laws change from place to place
Be aware of what is allowed and what is not allowed
Laws of the Land
Tools on your computer might be illegal to possess
Contact local law enforcement agencies before installing hacking tools
Written words are open to interpretation
Governments are getting more serious about punishment for cybercrimes

Recent Hacking Cases
Is Port Scanning Legal?
Some states deem it legal
Not always the case
Federal Government does not see it as a violation
• Allows each state to address it separately
Read your ISP’s “Acceptable Use Policy”
• IRC “bots” may be forbidden
▪ Program that sends automatic responses to users
▪ Gives the appearance of a person being present
CCSF Computer Use Policy
Federal Laws
Federal computer crime laws are getting more specific
• Cover cybercrimes and intellectual property issues
Computer Hacking and Intellectual Property (CHIP)
• New government branch to address cybercrimes and intellectual property issues

What You Cannot Do Legally


Accessing a computer without permission is illegal
Other illegal actions
• Installing worms or viruses
• Denial of Service attacks
• Denying users access to network resources
Be careful your actions do not prevent customers from doing their jobs
Anti-Spam Vigilantes: Lycos
• Ch 1l1: Lycos starts anti-spam screensaver plan: Dec 2, 2004

• Ch 1l2: Lycos Pulls Anti-Spam 'Vigilante' Campaign -- Dec 3, 2004
• Ch 1l3: Lycos's Spam Attack Network Dismantled -- Spammers sent the DOS packets back to Lycos -- Dec 6, 2004
Anti-Spam Vigilantes: Blue Frog
• Ch 1m: Blue Frog begins its "vigilante approach" to fight spam -- July, 2005
• Ch 1n: Russian spammer fights back, claims to have stolen Blue Frog's database, sends threatening email -- DOS attack in progress -- May 2, 2006
• Ch 1o: Blue Frog compromised and destroyed by attacks, urgent instructions to uninstall it, the owners have lost control -- May 17, 2006
Anti-Spam Vigilantes: The Future
• Ch 1p: Call for help creating distributed, open-source Blue Frog replacement -- May 17, 2006
Not in textbook, see links on my page (samsclass.info)
Get It in Writing
Using a contract is just good business
Contracts may be useful in court
Books on working as an independent contractor
• The Computer Consultant’s Guide by Janet Ruhl
• Getting Started in Computer Consulting by Peter Meyer
Internet can also be a useful resource
Have an attorney read over your contract before sending or signing it
Ethical Hacking in a Nutshell
What it takes to be a security tester
• Knowledge of network and computer technology
• Ability to communicate with management and IT personnel
• Understanding of the laws
• Ability to use necessary tools

Last modified 1-20-07 0:12



Chapter 2: TCP/IP Concepts Review

Objectives
Describe the TCP/IP protocol stack
Explain the basic concepts of IP addressing
Explain the binary, octal, and hexadecimal numbering system
Overview of TCP/IP
Protocol
• Common language used by computers for speaking
Transmission Control Protocol/Internet Protocol (TCP/IP)
• Most widely used protocol
TCP/IP stack
• Contains four different layers
▪ Network
▪ Internet
▪ Transport
▪ Application

The Application Layer


Front end to the lower-layer protocols
What you can see and touch – closest to the user at the keyboard
HTTP, FTP, SMTP, SNMP, SSH, IRC and TELNET all operate in the Application Layer

The Transport Layer


Encapsulates data into segments
Segments can use TCP or UDP to reach a destination host
• TCP is a connection-oriented protocol
TCP three-way handshake
• Computer A sends a SYN packet
• Computer B replies with a SYN-ACK packet
• Computer A replies with an ACK packet

TCP Header Format

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source Port | Destination Port |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sequence Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Acknowledgment Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Data | |U|A|P|R|S|F| |
| Offset| Reserved |R|C|S|S|Y|I| Window |
| | |G|K|H|T|N|N| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum | Urgent Pointer |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Options | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| data |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

TCP Segment Headers
Critical components:
• TCP flags
• Initial Sequence Number (ISN)
• Source and destination port
Abused by attackers looking for vulnerabilities
TCP Flags
Each flag occupies one bit
Can be set to 0 (off) or 1 (on)
Six flags
• SYN: synchronize (not synthesis) flag
• ACK: acknowledge flag
• PSH: push flag
• URG: urgent flag
• RST: reset flag
• FIN: finish flag
• Error in textbook on page 22: SYNchronize, not SYNthesis (link Ch 2a, RFC 793)
Initial Sequence Number (ISN)
32-bit number
Starting point for the sequence numbers that count the bytes sent in each direction
Lets the receiver put segments back in order and detect missing data
Each side sends its own ISN, in steps 1 and 2 of the TCP three-way handshake
• By guessing ISN values, an attacker can spoof or hijack a TCP session, gaining access to a server without logging in
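The header layout, the six flags and the handshake above are easiest to understand by building and decoding a few segments by hand. The following Python is an added example written for these notes, not code from the course or the textbook: it packs the 20-byte fixed TCP header shown in the diagram, names a segment the way a sniffer or scanner would (SYN, SYN/ACK, NULL, XMAS, …), and checks that a three-way handshake acknowledges each side's ISN correctly. The port numbers and ISN values are constructed for the example; one ISN sits at 0xFFFFFFFF so the wrap-around of the 32-bit acknowledgment number is exercised.

```python
# Added example: build/parse the fixed TCP header and validate a three-way handshake.
import struct
from typing import Dict, List

# Flag bits in the low byte of the "data offset / reserved / flags" word, RFC 793 order.
FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}


def build_header(src_port: int, dst_port: int, seq: int, ack: int,
                 flags: List[str], window: int = 65535) -> bytes:
    """Minimal TCP header: data offset 5 (no options), checksum and urgent pointer left 0."""
    bits = 0
    for f in flags:
        bits |= FLAG_BITS[f]
    offset_flags = (5 << 12) | bits          # offset in the top 4 bits, flags in the low 6
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, offset_flags, window, 0, 0)


def parse_header(raw: bytes) -> Dict:
    """Decode the 20-byte fixed header; data_offset is returned in bytes."""
    if len(raw) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    sp, dp, seq, ack, off_flags, win, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    flags = sorted(name for name, bit in FLAG_BITS.items() if off_flags & bit)
    return {"src_port": sp, "dst_port": dp, "seq": seq, "ack": ack,
            "data_offset": (off_flags >> 12) * 4, "flags": flags, "window": win}


def classify(hdr: Dict) -> str:
    """Name the segment type from its flag set (scanner/sniffer vocabulary)."""
    f = set(hdr["flags"])
    if not f:
        return "NULL"
    if {"FIN", "PSH", "URG"} <= f:
        return "XMAS"
    if f == {"SYN"}:
        return "SYN"
    if f == {"SYN", "ACK"}:
        return "SYN/ACK"
    if "RST" in f:
        return "RST"
    if f == {"ACK"}:
        return "ACK"
    if "FIN" in f:
        return "FIN"
    return "+".join(sorted(f))


def is_valid_handshake(segments: List[bytes]) -> bool:
    """SYN(ISN_a) -> SYN/ACK(ISN_b, ack=ISN_a+1) -> ACK(seq=ISN_a+1, ack=ISN_b+1), mod 2**32."""
    if len(segments) != 3:
        return False
    a, b, c = (parse_header(s) for s in segments)
    m = 1 << 32
    ports_match = ((a["src_port"], a["dst_port"]) == (b["dst_port"], b["src_port"])
                   == (c["src_port"], c["dst_port"]))
    return (classify(a) == "SYN" and classify(b) == "SYN/ACK" and classify(c) == "ACK"
            and b["ack"] == (a["seq"] + 1) % m
            and c["seq"] == (a["seq"] + 1) % m
            and c["ack"] == (b["seq"] + 1) % m
            and ports_match)


# Constructed sample: client port 54321 -> server port 80; ISNs chosen for the example.
ISN_A, ISN_B = 0x11223344, 0xFFFFFFFF       # ISN_B + 1 wraps to 0
HANDSHAKE = [
    build_header(54321, 80, ISN_A, 0, ["SYN"]),
    build_header(80, 54321, ISN_B, ISN_A + 1, ["SYN", "ACK"]),
    build_header(54321, 80, ISN_A + 1, (ISN_B + 1) % 2**32, ["ACK"]),
]

if __name__ == "__main__":
    for seg in HANDSHAKE:
        h = parse_header(seg)
        print(f'{h["src_port"]:>5} -> {h["dst_port"]:<5} {classify(h):8} seq={h["seq"]:#x} ack={h["ack"]:#x}')
    print("valid handshake:", is_valid_handshake(HANDSHAKE))
```

Feed the three segments from a Wireshark capture (bytes of the TCP header only) into parse_header to see the same fields the sniffer shows; an attacker who can predict ISN_B can forge the third segment without ever seeing the SYN/ACK, which is what the ISN-guessing remark above refers to.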

TCP Ports
Port
• Logical, not physical, component of a TCP connection
• Identifies the service that is running
• Example: HTTP uses port 80
A 16-bit number – 65,536 ports (0 through 65,535)
Each TCP packet has a source and destination port
Blocking Ports
Helps you stop or disable services that are not needed
• Open ports are an invitation for an attack
You can’t block all the ports
• That would stop all networking
• At a minimum, a mail server listens on port 25 and a Web server on port 80, so they can receive e-mail and serve Web pages
Only ports 0 through 1023 are considered well-known
List of well-known ports
• Available at the Internet Assigned Numbers Authority (IANA) Web site (www.iana.org)
Ports 20 and 21
• File Transfer Protocol (FTP)
• Used for sharing files over the Internet
• Requires a logon name and password
• More secure than Trivial File Transfer Protocol (TFTP)
Port 25
• Simple Mail Transfer Protocol (SMTP)
• E-mail servers listen on this port
Port 53
• Domain Name Service (DNS)
• Helps users connect to Web sites using URLs instead of IP addresses
Port 69
• Trivial File Transfer Protocol
• Used for transferring router configurations
Port 80
• Hypertext Transfer Protocol (HTTP)
• Used when connecting to a Web server
Port 110
• Post Office Protocol 3 (POP3)
• Used for retrieving e-mail
Port 119
• Network News Transfer Protocol
• For use with newsgroups
Port 135
• Remote Procedure Call (RPC)
• Critical for the operation of Microsoft Exchange Server and Active Directory
Port 139
• NetBIOS
• Used by Microsoft’s NetBIOS Session Service
• File and printer sharing
Port 143
• Internet Message Access Protocol 4 (IMAP4)
• Used for retrieving e-mail
• More features than POP3

Demonstration
Telnet to hills.ccsf.edu and use netstat to see the connections
• Port 23 (usual Telnet)
• Port 25 blocked off campus, but 110 connects
• Port 21 works, but needs a username and password

Demonstration
Wireshark Packet Sniffer
• TCP Handshake: SYN, SYN/ACK, ACK
• TCP Ports
• TCP Status Flags

User Datagram Protocol (UDP)
Fast but unreliable protocol
Operates on transport layer
Does not need to verify whether the receiver is listening
Higher layers of the TCP/IP stack handle reliability problems
Connectionless protocol
The Internet Layer
Responsible for routing packets to their destination address
Uses a logical address, called an IP address
IP packet delivery is connectionless
Internet Control Message Protocol (ICMP)
Operates in the Internet layer of the TCP/IP stack
Used to send messages related to network operations
Helps in troubleshooting a network
Some commands that use it include
• Ping
• Traceroute

(Figure: Wireshark capture of a PING)

Warriors of the Net
Network+ Movie
Warriorsofthe.net (link Ch 2d)

IP Addressing
Consists of four bytes, like 147.144.20.1
Two components
• Network address
• Host address
• Neither portion may be all 1s or all 0s
Classes
• Class A
• Class B
• Class C

Class A
• First byte is reserved for network address
• Last three bytes are for host address
• Supports more than 16 million host computers
• Limited number of Class A networks
• Reserved for large corporations and governments (see link Ch 2b)
• Format: network.node.node.node
Class B
• First two bytes are reserved for network address
• Last two bytes are for host address
• Supports more than 65,000 host computers
• Assigned to large corporations and Internet Service Providers (ISPs)
• Format: network.network.node.node
• CCSF has 147.144.0.0 – 147.144.255.255
Class C
• First three bytes are reserved for network address
• Last byte is for host address
• Supports up to 254 host computers
• Usually available for small business and home networks
• Format: network.network.network.node
Subnetting
• Each network can be assigned a subnet mask
• Helps identify the network address bits from the host address bits
Class A uses a subnet mask of 255.0.0.0
• Also called /8
Class B uses a subnet mask of 255.255.0.0
• Also called /16
Class C uses a subnet mask of 255.255.255.0
• Also called /24
Planning IP Address Assignments
Each network segment must have a unique network address
Address cannot contain all 0s or all 1s
To access computers on other networks
• Each computer needs the IP address of a gateway
TCP/IP uses the subnet mask to determine if the destination computer is on the same network or a different network
• If the destination is on a different network, it relays the packet to the gateway
• Gateway forwards the packet to its next destination (routing)
• Packet eventually reaches its destination
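The classful masks, the /8, /16 and /24 notation and the "same network or gateway?" decision above all come down to a bitwise AND of address and mask. The Python below is an added example for these notes (not code from the course or textbook) that does that arithmetic explicitly rather than through a library: it turns a prefix length into a dotted mask, derives the default mask from the first octet, computes the network and broadcast addresses and the usable host count (the all-0s and all-1s host addresses are excluded), and decides whether a packet goes direct or to the gateway. The CCSF range 147.144.0.0/16 from the slide is used as input; the gateway address is made up for the example.

```python
# Added example: subnet-mask arithmetic and the local-vs-gateway delivery decision.
from typing import Dict


def ip_to_int(ip: str) -> int:
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> str:
    """/8 -> 255.0.0.0, /16 -> 255.255.0.0, /24 -> 255.255.255.0, and anything in between."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return int_to_ip((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def classful_prefix(ip: str) -> int:
    """Default (classful) prefix from the first octet: A 1-126 /8, B 128-191 /16, C 192-223 /24."""
    first = int(ip.split(".")[0])
    if 1 <= first <= 126:
        return 8
    if 128 <= first <= 191:
        return 16
    if 192 <= first <= 223:
        return 24
    raise ValueError("not a class A, B or C unicast address")


def network_info(ip: str, prefix: int) -> Dict[str, object]:
    """Network address = ip AND mask; broadcast = network OR (NOT mask); hosts = 2**h - 2."""
    mask = ip_to_int(prefix_to_mask(prefix))
    net = ip_to_int(ip) & mask
    bcast = net | (~mask & 0xFFFFFFFF)
    host_bits = 32 - prefix
    usable = max(2 ** host_bits - 2, 0)     # all-0s is the network, all-1s the broadcast
    return {"network": int_to_ip(net), "broadcast": int_to_ip(bcast),
            "mask": int_to_ip(mask), "usable_hosts": usable}


def next_hop(src_ip: str, prefix: int, dst_ip: str, gateway: str) -> str:
    """Deliver directly if both addresses AND to the same network address, else hand off to the gateway."""
    mask = ip_to_int(prefix_to_mask(prefix))
    if ip_to_int(src_ip) & mask == ip_to_int(dst_ip) & mask:
        return dst_ip
    return gateway


if __name__ == "__main__":
    me, gw = "147.144.20.1", "147.144.1.1"          # gateway address is made up for the example
    p = classful_prefix(me)
    print(f"{me}/{p}", network_info(me, p))
    for dst in ("147.144.200.9", "18.7.22.69"):
        print(f"{me} -> {dst}: next hop {next_hop(me, p, dst, gw)}")
```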
Overview of Numbering Systems
Binary
Octal
Hexadecimal
Reviewing the Binary Numbering System
Uses the number 2 as its base
Binary digits (bits): 0 and 1
Byte
• Group of 8 bits
• Can represent 2^8 = 256 different values
UNIX and Linux Permissions
UNIX and Linux File permissions are represented with bits
• 0 means removing the permission
• 1 means granting the permission
• 111 (rwx) means all permissions apply

Examples of Determining Binary Values
Each position represents a power of 2 value
• Usually the bit on the right is the least significant bit
Converting 1011 to decimal
• 1 x 2^0 = 1
• 1 x 2^1 = 2
• 0 x 2^2 = 0
• 1 x 2^3 = 8
• 1 + 2 + 8 = 11 (decimal value)
Understanding Nibbles
Half a byte or four bits
Helps with reading the number by separating the byte
• 1111 1010
Components
• High-order nibble (left side)
• Low-order nibble (right side)
Understanding Nibbles (continued)
Converting 1010 1010 to decimal
• Low-order nibble
▪ 1010 = 10 (base 10)
• Multiply high-order nibble by 16
▪ 1010 = 10 x 16 = 160 (base 10)
• 160 + 10 = 170 (base 10)
Reviewing the Octal Numbering System
Uses 8 as its base
• Supports digits from 0 to 7
Octal digits can be represented with three bits
Permissions on UNIX
• Owner permissions (rwx)
• Group permissions (rwx)
• Other permissions (rwx)
• Example: 111 101 001
• Octal representation 751
Reviewing the Hexadecimal Numbering System
Uses 16 as its base
• Supports digits from 0 to 15
A byte is written as two hex characters
• Each character represents a nibble
• Values above 9 use the letters A … F
• A represents 10 and F represents 15
Sometimes expressed with “0x” in front
If you want more about binary, see Link Ch 2c
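The three numbering systems above meet in UNIX file permissions: each r, w or x is one bit, each rwx triple is one octal digit, and each nibble is one hex character. The Python below is an added example for these notes (not code from the course or textbook) that converts a nine-character permission string such as rwxr-x--x to its octal form and back, rejecting malformed strings, and splits a byte into its high-order and low-order nibbles to produce the two-character hex form. The sample values are the ones worked on the slides (751, 1010 1010).

```python
# Added example: rwx <-> octal permission conversion, nibbles and hex for one byte.
from typing import Tuple


def rwx_to_octal(perm: str) -> str:
    """'rwxr-x--x' -> '751': each rwx triple becomes one octal digit (r=4, w=2, x=1)."""
    if len(perm) != 9:
        raise ValueError("expected 9 characters, e.g. rwxr-x--x")
    digits = []
    for i in range(0, 9, 3):
        triple = perm[i:i + 3]
        value = 0
        for ch, expected, weight in zip(triple, "rwx", (4, 2, 1)):
            if ch == expected:
                value += weight                 # bit set: permission granted
            elif ch != "-":
                raise ValueError(f"bad permission string: {perm!r}")
        digits.append(str(value))
    return "".join(digits)


def octal_to_rwx(octal: str) -> str:
    """'751' -> 'rwxr-x--x' (inverse of rwx_to_octal; three digits, owner/group/other)."""
    if len(octal) != 3 or any(d not in "01234567" for d in octal):
        raise ValueError("expected three octal digits, e.g. 751")
    out = []
    for d in octal:
        v = int(d, 8)
        out.append(("r" if v & 4 else "-") + ("w" if v & 2 else "-") + ("x" if v & 1 else "-"))
    return "".join(out)


def nibbles(byte: int) -> Tuple[int, int]:
    """Split a byte into (high-order nibble, low-order nibble): 0b10101010 -> (10, 10)."""
    if not 0 <= byte <= 255:
        raise ValueError("a byte is 0..255")
    return byte >> 4, byte & 0x0F


def byte_to_hex(byte: int) -> str:
    """Two hex characters, one per nibble, with the 0x prefix: 170 -> '0xAA'."""
    hi, lo = nibbles(byte)
    hex_digits = "0123456789ABCDEF"
    return "0x" + hex_digits[hi] + hex_digits[lo]


def nibble_value(byte: int) -> int:
    """The slide's method: high nibble x 16 + low nibble, e.g. 1010 1010 -> 160 + 10 = 170."""
    hi, lo = nibbles(byte)
    return hi * 16 + lo


if __name__ == "__main__":
    print("rwxr-x--x ->", rwx_to_octal("rwxr-x--x"))
    print("644 ->", octal_to_rwx("644"))
    b = 0b10101010
    print(f"{b:08b} -> nibbles {nibbles(b)}, decimal {nibble_value(b)}, hex {byte_to_hex(b)}")
```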

Last modified 1-26-07 10 pm



Chapter 3: Network and Computer Attacks

Objectives
Describe the different types of malicious software
Describe methods of protecting against malware attacks
Describe the types of network attacks
Identify physical security attacks and vulnerabilities
Malicious Software (Malware)
Network attacks prevent a business from operating
Malicious software (Malware) includes
• Viruses
• Worms
• Trojan horses
Goals
• Destroy data
• Corrupt data
• Shut down a network or system
Viruses
Virus attaches itself to an executable file
Can replicate itself through an executable program
• Needs a host program to replicate
No foolproof method of preventing them
Antivirus Software
Detects and removes viruses
Detection based on virus signatures
Must update signature database periodically
Use automatic update feature
Base 64 Encoding
Used to evade anti-spam tools, and to obscure passwords
Encodes six bits at a time (values 0 – 63) with a single ASCII character
• A – Z: 0 – 25
• a – z: 26 – 51
• 0 – 9: 52 – 61
• + and /: 62 and 63
• Input that is not a multiple of three bytes is padded with “=” characters at the end
See links Ch 3a, 3b
Viruses (continued)
Commercial base 64 decoders
Shell
• Executable piece of programming code
• Should not appear in an e-mail attachment
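Base64 is encoding, not encryption, so any obscured password or e-mail attachment decodes instantly. The Python below is an added example for these notes (not code from the course, the textbook or any of the commercial decoders mentioned): it implements the encoder and decoder directly from the 64-character table above, handling the "=" padding for inputs that are not a multiple of three bytes, rejecting misplaced padding, and cross-checking itself against the standard library. The "password" string decoded in the test is a constructed sample of the kind of obscured credential the slide refers to.

```python
# Added example: Base64 from the alphabet table, with padding, plus a stdlib cross-check.
import base64

ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"     # values 0-25
            "abcdefghijklmnopqrstuvwxyz"     # values 26-51
            "0123456789"                     # values 52-61
            "+/")                            # values 62 and 63 (standard alphabet)
DECODE = {c: i for i, c in enumerate(ALPHABET)}


def b64encode(data: bytes) -> str:
    """Take 3 bytes (24 bits) at a time, emit 4 six-bit characters; pad the last group with '='."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = int.from_bytes(chunk, "big") << (8 * (3 - len(chunk)))   # right-pad to 24 bits
        sextets = [(n >> shift) & 0x3F for shift in (18, 12, 6, 0)]
        keep = len(chunk) + 1        # 3 bytes -> 4 chars, 2 bytes -> 3, 1 byte -> 2
        out.append("".join(ALPHABET[v] for v in sextets[:keep]) + "=" * (4 - keep))
    return "".join(out)


def b64decode(text: str) -> bytes:
    """Inverse of b64encode; raises ValueError on bad length or padding, KeyError on bad characters."""
    text = text.strip()
    if len(text) % 4:
        raise ValueError("Base64 text length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(text), 4):
        group = text[i:i + 4]
        pad = group.count("=")
        if pad > 2 or (pad and not group.endswith("=" * pad)):
            raise ValueError("misplaced '=' padding")
        n = 0
        for c in group:
            n = (n << 6) | (0 if c == "=" else DECODE[c])
        out += n.to_bytes(3, "big")[:3 - pad]
    return bytes(out)


def matches_stdlib(data: bytes) -> bool:
    """Cross-check: our encoding equals base64.b64encode and decodes back to the input."""
    encoded = b64encode(data)
    return encoded == base64.b64encode(data).decode("ascii") and b64decode(encoded) == data


if __name__ == "__main__":
    for sample in (b"Man", b"Ma", b"M"):
        print(sample, "->", b64encode(sample))
    print(b64decode("cGFzc3dvcmQ="))            # constructed sample of an "obscured" password
    print("agrees with stdlib:", all(matches_stdlib(s) for s in (b"", b"hello", bytes(range(256)))))
```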

Macro Viruses
Virus encoded as a macro
Macro
• List of commands
• Can be used in destructive ways
Example: Melissa
• Appeared in 1999
• It is very simple – see link Ch 3c for source code
Writing Viruses
Even nonprogrammers can create macro viruses
• Instructions posted on Web sites
• Virus creation kits available for download (see link Ch 3d)
Security professionals can learn from thinking like attackers
• But don’t create and release a virus! People get long prison terms for that.
Worms
Worm
• Replicates and propagates without a host
Infamous examples
• Code Red
• Nimda
Can infect every computer in the world in a short time
• At least in theory
ATM Machine Worms
• Cyberattacks against ATM machines
• Slammer and Nachi worms
• Trend produces antivirus for ATM machines
▪ See links Ch 3g, 3h, 3i
• Nachi was written to clean up damage caused by the Blaster worm, but it got out of control
▪ See link Ch 3j
• Diebold was criticized for using Windows for ATM machines, which they also use on voting machines

Trojan Programs
Insidious attack against networks
Disguise themselves as useful programs
• Hide malicious content in program
Backdoors
Rootkits
• Allow attackers remote access

Firewalls
Identify traffic on uncommon ports
Can block this type of attack, if your firewall filters outgoing traffic
• Windows XP SP2’s firewall does not filter outgoing traffic
• Vista’s firewall doesn’t either (by default), according to links Ch 3l and 3m
Trojan programs can use known ports to get through firewalls
• HTTP (TCP 80) or DNS (UDP 53)

Trojan Demonstration
Make a file with command-line Windows commands
Save it as C:\Documents and Settings\username\cmd.bat
Start, Run, CMD will execute this file instead of C:\Windows\System32\Cmd.exe
Improved Trojan
Resets the administrator password
Almost invisible to user
Works in Win XP, but not so easy in Vista

Spyware
Sends information from the infected computer to the attacker
• Confidential financial data
• Passwords
• PINs
• Any other stored data
Can register each keystroke entered (keylogger)
Prevalent technology
Educate users about spyware
Deceptive Dialog Box
Adware
Similar to spyware
• Can be installed without the user being aware
Sometimes displays a banner
Main goal
• Determine user’s online purchasing habits
• Tailored advertisement
Main problem
• Slows down computers
Protecting Against Malware Attacks
Difficult task
New viruses, worms, Trojan programs appear daily
Antivirus programs offer a lot of protection
Educate your users about these types of attacks
Educating Your Users
Structural training
• Most effective measure
• Includes all employees and management
E-mail monthly security updates
• Simple but effective training method
Update virus signature database automatically
SpyBot and Ad-Aware
• Help protect against spyware and adware
• Windows Defender is excellent too
Firewalls
• Hardware (enterprise solution)
• Software (personal solution)
• Can be combined
Intrusion Detection System (IDS)
• Monitors your network 24/7
FUD
Fear, Uncertainty and Doubt
• Avoid scaring users into complying with security measures
• Sometimes used by unethical security testers
• Against the OSSTMM’s Rules of Engagement
Promote awareness rather than instilling fear
• Users should be aware of potential threats
• Build on users’ knowledge

Intruder Attacks on Networks and Computers
Attack
• Any attempt by an unauthorized person to access or use network resources
Network security
• Security of computers and other devices in a network
Computer security
• Securing a standalone computer--not part of a network infrastructure
Computer crime
• Fastest growing type of crime worldwide
Denial-of-Service Attacks
Denial-of-Service (DoS) attack
• Prevents legitimate users from accessing network resources
• Some forms do not involve computers, like feeding a paper loop through a fax machine
DoS attacks do not attempt to access information
• Cripple the network
• Make it vulnerable to other types of attacks
Testing for DoS Vulnerabilities
Performing an attack yourself is not wise
• You only need to prove that an attack could be carried out
Distributed Denial-of-Service Attacks
Attack on a host from multiple servers or workstations
Network could be flooded with billions of requests
• Loss of bandwidth
• Degradation or loss of speed
Often participants are not aware they are part of the attack
• Attacking computers could be controlled using Trojan programs
Buffer Overflow Attacks
Vulnerability in poorly written code
• Code does not check the predefined size of an input field
Goal
• Fill the overflowed buffer with executable code
• OS executes this code
• Can elevate attacker’s permissions to Administrator or even Kernel
Programmers need special training to write secure code

Ping of Death Attacks
Type of DoS attack
Not as common as during the late 1990s
How it works
• Attacker creates a large ICMP packet
▪ More than 65,535 bytes
• Large packet is fragmented at source network
• Destination network reassembles large packet
• Destination point cannot handle oversize packet and crashes
• Modern systems are protected from this (Link Ch 3n)
Session Hijacking
Enables attacker to join a TCP session
Attacker makes both parties think he or she is the other party
Addressing Physical Security
Protecting a network also requires physical security
Inside attacks are more likely than attacks from outside the company
Keyloggers
Used to capture keystrokes on a computer
• Hardware
• Software
Software
• Behaves like Trojan programs
Hardware
• Easy to install
• Goes between the keyboard and the computer
• KeyKatcher and KeyGhost
Protection
• Software-based
▪ Antivirus
• Hardware-based
▪ Random visual tests
▪ Look for added hardware
▪ Superglue keyboard connectors in
Behind Locked Doors
Lock up your servers
• Physical access means they can hack in
• Consider Ophcrack – booting to a CD-based OS will bypass almost any security
Lockpicking
Average person can pick deadbolt locks in less than five minutes
• After only a week or two of practice
Experienced hackers can pick deadbolt locks in under 30 seconds
Bump keys are even easier (Link Ch 3o)
Card Reader Locks
Keep a log of who enters and leaves the room
Security cards can be used instead of keys for better security
• Image from link Ch 3p

Last modified 2-2-07 3 pm



Chapter 4: Footprinting and Social Engineering

Objectives
Footprinting
Describe DNS zone transfers
Identify the types of social engineering
Footprinting
Using Web Tools for Footprinting
“Case the joint”
• Look over the location
• Find weakness in security systems
▪ Types of locks, alarms
In computer jargon, this is called footprinting
• Discover information about
▪ The organization
▪ Its network

Conducting Competitive Intelligence


Numerous resources to find information legally
Competitive Intelligence
• Gathering information using technology
Identify methods others can use to find information about your organization
Limit amount of information company makes public
Analyzing a Company’s Web Site
Web pages are an easy source of information
Many tools available
Setting Proxy Server
Paros
• Powerful tool for UNIX and Windows
• www.parosproxy.org
• Requires having Java J2SE installed
▪ www.sun.com
Paros
• Start Paros
• Set proxy server in a browser
• Then go to a site in the browser
mtsconsulting.net is a good test
• Analyze -> Spider to find all the pages
Setting a Proxy Server in Firefox
• Tools
• Options
• Advanced
• Settings
Then go to mtjconsulting.com
Spider Results
In Paros:
• Analyze
• Spider
Finds all the pages in a site
Don’t scan any sites without permission! Only mtjconsulting.com

Scan Results
In Paros:
• Analyze
• Scan
Finds security risks in a site
Again, don’t scan sites without permission!

Using Other Footprinting Tools
Whois
• Commonly used tool
• Gathers IP address and domain information
• Attackers can also use it
Host command
• Can look up one IP address, or the whole DNS zone file
▪ All the servers in the domain
ARIN Whois from Linux
host mit.edu
nc whois.arin.net 43
18.7.22.69
• Whois servers listen on TCP port 43; type the IP address after netcat connects
This shows who the IP address block is registered to
SamSpade
• GUI tool
• Available for UNIX and Windows
• Easy to use

Using E-mail Addresses
E-mail addresses help you retrieve even more information than the previous commands
Find e-mail address format
• Guess other employees’ e-mail accounts
Tool to find corporate employee information
• Groups.google.com
Using HTTP Basics
HTTP operates on port 80
Use HTTP language to pull information from a Web server
Basic understanding of HTTP is beneficial for security testers
Return codes
• Reveal information about server OS

HTTP methods
• GET is the most basic method, e.g. GET / HTTP/1.1
• Can determine information about the server OS from the server’s generated output

Using Netcat as a Browser
Use Ubuntu Linux
nc www.ccsf.edu 80
HEAD / HTTP/1.0
• Gets the header only
GET / HTTP/1.0
• Gets the whole Web page
• Open www.ccsf.edu in a browser and compare to the source code
• HTTP/1.0 is used here because an HTTP/1.1 request must also carry a Host: line
Activity 4-3 in your book does not work
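What netcat sends and what comes back are plain text, so the same request can be built and the reply parsed in a few lines. The Python below is an added example for these notes (not code from the course or textbook): it builds the HEAD and GET request lines typed into netcat above, enforces the Host header that HTTP/1.1 requires, and parses a response to pull out the status code and the header fields (Server, X-Powered-By) that give away the server software. No network is used; the response bytes are a constructed sample, not a capture from www.ccsf.edu, and the version strings in it are made up for the example.

```python
# Added example: build the netcat-style HTTP request and fingerprint a response's headers.
from typing import Dict, Optional, Tuple


def build_request(method: str, path: str = "/", host: Optional[str] = None,
                  version: str = "1.0") -> bytes:
    """Request line plus optional Host header, terminated by the blank line HTTP requires."""
    if method not in ("GET", "HEAD"):
        raise ValueError("only GET and HEAD are used in this example")
    if version not in ("1.0", "1.1"):
        raise ValueError("version must be 1.0 or 1.1")
    lines = [f"{method} {path} HTTP/{version}"]
    if version == "1.1" and not host:
        raise ValueError("HTTP/1.1 requests must carry a Host header")
    if host:
        lines.append(f"Host: {host}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a response into (status code, lower-cased header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: no blank line after the headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body


def fingerprint(raw: bytes) -> Dict[str, str]:
    """Header fields that leak the server software, which is what the HEAD request is for."""
    _, headers, _ = parse_response(raw)
    return {k: headers[k] for k in ("server", "x-powered-by", "x-aspnet-version") if k in headers}


# Constructed sample response (not a capture; software versions are made up).
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Date: Mon, 05 Feb 2007 18:00:00 GMT\r\n"
                   b"Server: Apache/2.0.52 (Red Hat)\r\n"
                   b"X-Powered-By: PHP/4.3.9\r\n"
                   b"Content-Type: text/html\r\n"
                   b"\r\n"
                   b"<html><body>hello</body></html>")

if __name__ == "__main__":
    print(build_request("HEAD").decode())
    print(build_request("GET", "/", "www.ccsf.edu", "1.1").decode())
    status, hdrs, body = parse_response(SAMPLE_RESPONSE)
    print(status, fingerprint(SAMPLE_RESPONSE), len(body), "body bytes")
```

To use it live, send build_request(...) over a socket to port 80 and pass the reply to fingerprint; a HEAD request returns the same headers as GET without the body, which is why the slides use it to read the Server line.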
Cookies and Web Bugs
Detecting Cookies and Web Bugs
Cookie
• Text file generated by a Web server
• Stored on a user’s browser
• Information sent back to Web server when user returns
• Used to customize Web pages
• Some cookies store personal information
Security issue
Viewing Cookies
In Firefox
Tools, Options
Privacy tab
Show Cookies
Web bug
• 1-pixel x 1-pixel image file (usually transparent)
• Referenced in an <IMG> tag
• Usually works with a cookie
• Purpose similar to that of spyware and adware
• Comes from third-party companies specializing in data collection
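A web bug is detectable from the page source alone: an <IMG> tag that is 1 pixel by 1 pixel, or that is fetched from a host other than the one serving the page (the third-party data-collection company). The Python below is an added example for these notes (not the Web Bug Detector add-in or Bugnosis mentioned on the next slide, nor any code from the course) that walks a page with the standard HTMLParser and flags such images, reporting why each was flagged. The HTML and the host names in it are constructed for the example.

```python
# Added example: flag likely web bugs (1x1 and/or third-party <img> tags) in an HTML page.
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse


class WebBugFinder(HTMLParser):
    """Collects <img> tags that are 1x1 or load from a host other than the page's own."""

    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host.lower()
        self.hits: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {name.lower(): (value or "") for name, value in attrs}
        src = a.get("src", "")
        # A relative or scheme-relative src: urlparse gives the host when one is present.
        host = (urlparse(src).hostname or self.page_host).lower()
        tiny = a.get("width", "").strip() == "1" and a.get("height", "").strip() == "1"
        third_party = host != self.page_host
        reasons = [r for r, hit in (("1x1", tiny), ("third-party", third_party)) if hit]
        if reasons:
            self.hits.append({"src": src, "host": host, "reason": ",".join(reasons)})


def find_web_bugs(html: str, page_host: str) -> List[Dict[str, str]]:
    finder = WebBugFinder(page_host)
    finder.feed(html)
    finder.close()
    return finder.hits


# Constructed sample page; host names are made up for the example.
SAMPLE_HTML = """<html><body>
<img src="/images/logo.gif" width="200" height="60" alt="logo">
<img src="http://tracker.example-ads.net/pixel.gif?uid=1234" width="1" height="1">
<img src="http://www.example.com/spacer.gif" width="1" height="1" />
<img src="//cdn.partner.example/banner.jpg" width="468" height="60">
</body></html>"""

if __name__ == "__main__":
    for hit in find_web_bugs(SAMPLE_HTML, "www.example.com"):
        print(f'{hit["reason"]:18} {hit["host"]:28} {hit["src"]}')
```

A first-party 1x1 spacer image is a layout trick rather than tracking, so the reason field lets you treat "1x1" alone as lower confidence than "1x1,third-party"; pairing the flagged host with the cookies it sets (Tools, Options, Privacy, Show Cookies) confirms the data-collection relationship the slide describes.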

Web Bug Detector 1.0
• Firefox experimental add-in program that warns you about Web bugs
Bugnosis is gone

Using Domain Name Service (DNS) Zone Transfers
DNS
• Resolves host names to IP addresses
• People prefer using URLs to IP addresses
• Extremely vulnerable
Zone Transfer tools
• Dig
• Host
Primary DNS Server
Determining a company’s primary DNS server
• Look for the Start of Authority (SOA) record
• Shows zones or IP addresses
Using dig to find the SOA
dig soa mit.edu
Shows three servers, with IP addresses
This is a start at mapping the MIT network
Using (DNS) Zone Transfers
Zone Transfer
• Enables you to see all hosts on a network
• Gives you the organization’s network diagram
MIT has protected their network – zone transfers no longer work
dig @BITSY.mit.edu mit.edu axfr
Command fails now


Introduction to Social Engineering


Older than computers
Targets the human component of a network
Goals
• Obtain confidential information (passwords)
• Obtain personal information
Tactics
• Persuasion
• Intimidation
• Coercion
• Extortion/blackmailing
The biggest security threat to networks
Most difficult to protect against
Main idea:
• “Why crack a password when you can simply ask for it?”
• Users divulge their passwords to anyone claiming to be IT personnel
Studies human behavior
• Recognize personality traits
• Understand how to read body language
Techniques
• Urgency
• Quid pro quo
• Status quo
• Kindness
• Position
Preventing Social Engineering
Train user not to reveal any information to outsiders
Verify caller identity
• Ask questions
• Call back to confirm
Security drills
The Art of Shoulder Surfing
Shoulder surfer
• Reads what users enter on keyboards
▪ Logon names
▪ Passwords
▪ PINs
Tools for Shoulder Surfing
Binoculars or telescopes or cameras in cell phones
Knowledge of key positions and typing techniques
Knowledge of popular letter substitutions
• s equals $, a equals @
Prevention
• Avoid typing when someone is nearby
• Avoid typing when someone nearby is talking on cell phone
• Computer monitors should face away from door or cubicle entryway
• Immediately change password if you suspect someone is observing you
Dumpster Diving
Attacker finds information in victim’s trash
• Discarded computer manuals
▪ Notes or passwords written in them
• Telephone directories
• Calendars with schedules
• Financial reports
• Interoffice memos
• Company policy
• Utility bills
• Resumes of employees
Prevention
• Educate your users about dumpster diving
• Proper trash disposal
• Use “disk shredder” software to erase disks before discarding them
▪ Software writes random bits
▪ Done at least seven times
• Discard computer manuals offsite
• Shred documents before disposal
The Art of Piggybacking
Trailing closely behind an employee cleared to enter restricted areas
How it works:
• Watch authorized personnel enter an area
• Quickly join them at the security entrance
• Exploit the desire of others to be polite and helpful
• Attacker wears a fake badge or security card
Prevention
• Use turnstiles
• Train personnel to report the presence of strangers
• Do not hold secured doors for anyone
▪ Even for people you know
• All employees must use secure cards

Last modified 2-23-09



Chapter 5: Port Scanning

Objectives
Describe port scanning
Describe different types of port scans
Describe various port-scanning tools
Explain what ping sweeps are used for
Explain how shell scripting is used to automate security tasks
Introduction to Port Scanning
Port Scanning
• Finds out which services are offered by a host
• Identifies vulnerabilities
Open services can be used in attacks
• Identify a vulnerable port
• Launch an exploit
Scan all ports when testing
• Not just well-known ports
AW Security Port Scanner
A commercial tool to identify vulnerabilities
Port scanning programs report
• Open ports
• Closed ports
• Filtered ports
• Best-guess assessment of which OS is running
Is Port Scanning Legal?
The legal status of port
scanning is unclear
• If you have
permission,
it's legal
• If you cause
damage of $5,000 or more, it may be illegal
• For more, see links Ch 5a and Ch 5b
Types of Port Scans
Normal TCP Handshake
Client SYN → Server
Client ← SYN/ACK Server
Client ACK → Server
• After this, you are ready to send data

SYN Port Scan
Client SYN → Server
Client ← SYN/ACK Server
Client RST → Server
• The server is ready, but the client decided not to complete the handshake
SYN scan
• Stealthy scan, because session handshakes are never completed
• That keeps it out of some log files
• Three states
Closed
RST response from server
Open
SYN/ACK response from server
Client then sends RST
Filtered
No response from server
Connect scan
• Completes the three-way handshake
• Not stealthy--appears in log files
• Three states
Closed
RST response from server
Open
SYN/ACK response from server
Client sends ACK
Client sends RST
Filtered
No response from server
NULL scan
• All the packet flags are turned off
• Two results:
Closed ports reply with RST
Open or filtered ports give no response
XMAS scan
• FIN, PSH and URG flags are set
• Works like a NULL scan – a closed port responds with an RST packet
FIN scan
• Only FIN flag is set
• Closed port responds with an RST packet

Windows Machines
NULL, XMAS and FIN scans don't work on Windows machines
• Win 2000 Pro and Win Server 2003 show all ports closed
• Win XP Pro shows all ports open/filtered
See the NMAP tutorial (link Ch 5c)
Ping scan
• Simplest method sends ICMP ECHO REQUEST to the destination(s)
• TCP Ping sends SYN or ACK to any port (default is port 80 for Nmap)
• Any response shows the target is up
ACK scan
• Used to get information about a firewall
• Stateful firewalls track connection and block unsolicited ACK packets
• Stateless firewalls just block incoming SYN packets, so you get an RST response
UDP scan
• Closed port responds with ICMP “Port Unreachable” message
• Rarely used
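Added example in Python (not from the course notes or the textbook): it classifies constructed per-flow TCP flag sequences into the probe types described above, flags sources that probed several ports without ever exchanging data, and encodes the port-state table a scanner applies to each kind of reply. The tcpdump-style flag shorthand and the 10.0.0.x addresses are assumptions.

```python
from collections import Counter, defaultdict

# TCP flag shorthand as tcpdump prints it: S=SYN, A=ACK, R=RST, F=FIN,
# P=PSH, U=URG; an empty string means no flags at all (a NULL probe).
# Each record is one client-to-server flow: (source IP, destination port,
# the client's flag strings in the order a sensor beside the server saw them).
# All records below are constructed sample data.
SAMPLE_FLOWS = [
    ("10.0.0.5", 22, ["S", "R"]),        # SYN/ACK came back, client answered RST
    ("10.0.0.5", 80, ["S", "R"]),
    ("10.0.0.5", 443, ["S", "R"]),
    ("10.0.0.5", 3389, ["S", "R"]),
    ("10.0.0.7", 80, ["S", "A", "PA"]),  # ordinary client: handshake, then data
    ("10.0.0.9", 135, ["S", "A", "R"]),  # handshake completed, then torn down
    ("10.0.0.9", 139, ["S", "A", "R"]),
    ("10.0.0.9", 445, ["S", "A", "R"]),
    ("10.0.0.11", 25, [""]),              # no flags set
    ("10.0.0.11", 110, ["FPU"]),          # FIN, PSH and URG set
    ("10.0.0.11", 143, ["F"]),            # only FIN set
    ("10.0.0.13", 80, ["A"]),             # lone ACK, nothing before it
]


def classify_flow(flags):
    """Label one client flag sequence with the probe type it matches."""
    if not flags:
        return "other"
    if flags == ["S", "R"]:
        return "syn_scan"            # half-open: RST sent instead of the final ACK
    if flags[:2] == ["S", "A"]:
        rest = flags[2:]
        if rest and all(set(f) == {"R"} for f in rest):
            return "connect_scan"    # full three-way handshake, then RST, no data
        return "normal"              # handshake followed by data
    if flags == [""]:
        return "null_scan"
    if set(flags[0]) == {"F", "P", "U"}:
        return "xmas_scan"
    if flags == ["F"]:
        return "fin_scan"
    if flags == ["A"]:
        return "ack_probe"           # unsolicited ACK: firewall-mapping probe
    return "other"


def suspicious_sources(flows, min_ports=3):
    """Return {source: Counter(probe type)} for sources whose scan-like flows
    touched at least min_ports distinct ports. Normal flows never count."""
    kinds = defaultdict(Counter)
    ports = defaultdict(set)
    for src, port, flags in flows:
        kind = classify_flow(flags)
        if kind in ("normal", "other"):
            continue
        kinds[src][kind] += 1
        ports[src].add(port)
    return {src: c for src, c in kinds.items() if len(ports[src]) >= min_ports}


def infer_port_state(scan, reply):
    """What the scanner concludes from the server's reply, per scan type.
    reply: "SA" (SYN/ACK), "R" (RST), "ICMP_UNREACH" (ICMP Port Unreachable)
    or None (no response at all)."""
    if scan in ("syn", "connect"):
        table = {"SA": "open", "R": "closed", None: "filtered"}
    elif scan in ("null", "xmas", "fin"):
        table = {"R": "closed", None: "open|filtered"}
    elif scan == "ack":
        # RST: the ACK reached the host (no stateful firewall in the path);
        # silence: a stateful firewall dropped the unsolicited ACK.
        table = {"R": "unfiltered", None: "filtered"}
    elif scan == "udp":
        table = {"ICMP_UNREACH": "closed", None: "open|filtered"}
    else:
        raise ValueError(f"unknown scan type: {scan}")
    return table.get(reply, "unexpected reply")


if __name__ == "__main__":
    for src, counts in sorted(suspicious_sources(SAMPLE_FLOWS).items()):
        print(f"{src}: {dict(counts)}")
```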
Using Port-Scanning Tools
Nmap
Unicornscan
NetScanTools Pro 2004
Nessus
Nmap
Originally written for Phrack magazine
One of the most popular tools
GUI versions
• Xnmap and Ubuntu's NmapFE
Open source tool
Standard tool for security professionals
The Matrix Reloaded
Trinity uses Nmap (Video at link Ch 4e)
Unicornscan
Developed in 2004 for Linux & UNIX only
Ideal for large networks
Scans 65,535 ports in three to seven seconds
Optimizes UDP scanning
Also can use TCP, ICMP, or IP
• Free from http://unicornscan.org/ (link Ch 5f)

NetScanTools Pro
Robust easy-to-use commercial tool
Runs on Windows
Types of tests
• Database vulnerabilities
• DHCP server discovery
• IP packets viewer
• Name server lookup
• OS fingerprinting
• Many more (see link Ch 5g)
Nessus
First released in 1998
Free, open source tool
Uses a client/server technology
Can conduct tests from different locations
Can use different OSs for client and network
Server
• Any *NIX platform
Client
• Can be *NIX or Windows
Functions much like a database server
Ability to update security checks plug-ins
Some plug-ins are considered dangerous
Finds services running on ports
Finds vulnerabilities associated with identified services
Nessus Plug-ins

Conducting Ping Sweeps


Ping sweeps
• Identify which IP addresses belong to active hosts
• Ping a range of IP addresses
Problems
• Computers that are shut down cannot respond
• Networks may be configured to block ICMP Echo Requests
• Firewalls may filter out ICMP traffic
FPing
Ping multiple IP addresses simultaneously
www.fping.com/download
Command-line tool
Input: multiple IP addresses
• To enter a range of addresses: -g option
• Input file with addresses: -f option
See links Ch 5k, 5l

Hping
Used to bypass filtering devices
• Allows users to fragment and manipulate IP packets
www.hping.org/download
Powerful tool
• All security testers must be familiar with this tool
Supports many parameters (command options)
• See links Ch 5m, Ch 5n

Broadcast Addresses
If you PING a broadcast address, that can create a lot of traffic
Normally the broadcast address ends in 255
But if your LAN is subnetted with a subnet mask like 255.255.255.192
• There are other broadcast addresses ending in 63, 127, and 191
Smurf Attack
Pinging a broadcast address on an old network resulted in a lot of ping responses
So just put the victim's IP address in the "From" field
• The victim is attacked by a flood of pings, none of them directly from you
Modern routers don't forward broadcast packets, which prevents them from amplifying smurf attacks
Windows XP and Ubuntu don't respond to broadcast PINGs
See links Ch 5o, 5p
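Added example in Python (not from the course notes) that lists every broadcast address a subnet mask produces inside a block, so a filter for broadcast pings covers all of them, and then picks out echo requests aimed at those addresses from constructed sensor log lines. The 192.168.1.0/24 block, the 10.x/172.16.x sources and the log line format are assumptions.

```python
import ipaddress
import re

# Constructed sample: ICMP echo requests as a simple sensor might log them.
SAMPLE_PINGS = [
    "10.1.1.5 -> 192.168.1.63 ICMP echo request",
    "10.1.1.5 -> 192.168.1.10 ICMP echo request",
    "172.16.0.2 -> 192.168.1.255 ICMP echo request",
    "172.16.0.2 -> 192.168.1.127 ICMP echo request",
]
PING_LINE = re.compile(r"^(\S+) -> (\S+) ICMP echo request$")


def broadcast_addresses(block, subnet_mask):
    """Broadcast address of every subnet that `subnet_mask` carves out of `block`.

    block: CIDR such as "192.168.1.0/24"; subnet_mask: dotted mask such as
    "255.255.255.192". With a /24 block and that mask the result ends in
    63, 127, 191 and 255, as the notes above say.
    """
    net = ipaddress.ip_network(block, strict=False)
    prefix = ipaddress.ip_network(f"0.0.0.0/{subnet_mask}").prefixlen
    if prefix < net.prefixlen:
        raise ValueError("subnet mask must be at least as long as the block's mask")
    return [str(sub.broadcast_address) for sub in net.subnets(new_prefix=prefix)]


def last_octets(addresses):
    """The final octet of each dotted address, as integers."""
    return [int(a.rsplit(".", 1)[1]) for a in addresses]


def broadcast_pings(log_lines, block, subnet_mask):
    """(source, destination) pairs for echo requests aimed at a broadcast address.
    Lines that do not match the expected format are skipped."""
    targets = set(broadcast_addresses(block, subnet_mask))
    hits = []
    for line in log_lines:
        m = PING_LINE.match(line.strip())
        if m and m.group(2) in targets:
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    print(broadcast_addresses("192.168.1.0/24", "255.255.255.192"))
    print(broadcast_pings(SAMPLE_PINGS, "192.168.1.0/24", "255.255.255.192"))
```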

Crafting IP Packets
Packet components
• Source IP address
• Destination IP address
• Flags
Crafting packets helps you obtain more information about a service
Tools
• Fping
• Hping
Understanding Shell Scripting
Modify tools to better suit your needs
Script
• Computer program that automates tasks
• Time-saving solution
Scripting Basics
Similar to DOS batch programming
Script or batch file
• Text file
• Contains multiple commands
Repetitive commands are good candidates for scripting
Practice is the key

Last modified 2-23-07 8 pm

Chapter 6: Enumeration

Objectives
Describe the enumeration step of security testing
Enumerate Microsoft OS targets
Enumerate NetWare OS targets
Enumerate *NIX OS targets
Introduction to Enumeration
Enumeration extracts information about:
• Resources or shares on the network
• User names or groups assigned on the network
• Last time user logged on
• User’s password
Before enumeration, you use port scanning and footprinting
• To determine the OS being used
Intrusive process
NBTscan
NBT (NetBIOS over TCP/IP)
• Is the Windows networking protocol
• Used for shared folders and printers
NBTscan
• Tool for enumerating Microsoft OSs
Enumerating Microsoft Operating Systems
Study OS history
• Knowing your target makes your job easier
Many attacks that work for older Windows OSs still work with newer versions
Windows 95
The first Windows version that did not start with DOS
Still used the DOS kernel to some extent
Introduced the Registry database to replace Win.ini, Autoexec.bat, and other text files
Introduced Plug and Play and ActiveX
Used FAT16 file system
Windows 98 and ME
More Stable than Win 95
Used FAT32 file system
Win ME introduced System Restore
Win 95, 98, and ME are collectively called "Win 9x"
Windows NT 3.51 Server/Workstation
No dependence on DOS kernel
Domains and Domain Controllers
NTFS File System to replace FAT16 and FAT32
Much more secure and stable than Win9x
Many companies still use Win NT Server Domain Controllers
Win NT 4.0 was an upgrade

Windows 2000 Server/Professional
Upgrade of Win NT
Active Directory
• Powerful database storing information about all objects in a network
Users, printers, servers, etc.
• Based on Novell's Novell Directory Services
Enumerating this system would include enumerating Active Directory
Windows XP Professional
Much more secure, especially after Service Pack 2
• Windows File Protection
• Data Execution Prevention
• Windows Firewall
Windows Server 2003
Much more secure, especially after Service Pack 1
• Network services are closed by default
• Internet Explorer security set higher
NetBIOS Basics
Network Basic Input Output System (NetBIOS)
• Programming interface
• Allows computer communication over a LAN
• Used to share files and printers
NetBIOS names
Computer names on Windows systems
Limit of 16 characters
Last character identifies type of service running
Must be unique on a network
NetBIOS Null Sessions
Null session
• Unauthenticated connection to a Windows computer
• Does not use logon and password values
Around for over a decade
• Still present on Windows XP
A large vulnerability
• See links Ch 6a-f
Null Session Information
Using these NULL connections allows you to gather the following information from the host:
• List of users and groups
• List of machines
• List of shares
• Users and host SIDs (Security Identifiers)
From brown.edu (link Ch 6b)

Demonstration of Null Sessions
Start Win 2000 Pro
Share a folder
From a Win XP command prompt
• NET VIEW \\ip-address fails
• NET USE \\ip-address\IPC$ "" /u:""
Creates the null session
Username="" Password=""
• NET VIEW \\ip-address works now
Demonstration of Enumeration
Download Winfo from link Ch 6g
Run it – see all the information!
NULL Session Information
NULL sessions exist in Windows networking to allow:
• Trusted domains to enumerate resources
• Computers outside the domain to authenticate and enumerate users
• The SYSTEM account to authenticate and enumerate resources
NetBIOS NULL sessions are enabled by default in Windows NT and 2000
From brown.edu (link Ch 6b)
NULL Sessions in Win XP and 2003 Server
Windows XP and 2003 don't allow Null Sessions, according to link Ch 6c.
• I tried the NET USE command on Win XP SP2 and it did not work
• Link Ch 6f says you can still do it in Win XP SP2, but you need to use a different procedure

NetBIOS Enumeration Tools


Nbtstat command
• Powerful enumeration tool included with the Microsoft OS
• Displays NetBIOS table
Net view command
• Shows whether there are any shared resources on a network host
Net use command
• Used to connect to a computer with shared folders or files
Additional Enumeration Tools
NetScanTools Pro
DumpSec
Hyena
NessusWX

NetScanTools Pro
Produces a graphical view of NetBIOS running on a network
Enumerates any shares running on the computer
Verifies whether access is available for shared resource using its Universal Naming Convention (UNC) name
• Costs about $250 per machine (see link Ch 6i)

DumpSec
Enumeration tool for Microsoft systems
Produced by Foundstone, Inc.
Allows user to connect to a server and “dump” the following information
• Permissions for shares
• Permissions for printers
• Permissions for the Registry
• Users in column or table format
• Policies and rights
• Services

Hyena
Excellent GUI product for managing and securing Microsoft OSs
Shows shares and user logon names for Windows servers and domain controllers
Displays graphical representation of:
• Microsoft Terminal Services
• Microsoft Windows Network
• Web Client Network
• Find User/Group
Prices
DumpSec seems to be free
Hyena costs about $200 per station
(Link Ch 6j)
NessusWX
This is the client part of Nessus
Allows enumeration of different OSs on a large network
Running NessusWX
• Be sure Nessus server is up and running
• Open the NessusWX client application
• To connect your client with the Nessus server
Click Communications, Connect from the menu on the session window
Enter server’s name
Log on the Nessus server
Nessus identifies
• NetBIOS names in use
• Shared resources
• Vulnerabilities with shared resources
• Also offers solutions to those vulnerabilities
• OS version
• OS vulnerabilities
• Firewall vulnerabilities
Etherleak Vulnerability
Padding in Ethernet frames comes from RAM; it's not just zeroes
Real data can leak out that way
See link Ch 6l
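Added example in Python (not from the course or link Ch 6l) showing how to check a capture for this: it reads the IPv4 Total Length field to find where the datagram ends and tests whether the Ethernet padding after it is all zeros. Both frames are constructed; the example assumes Ethernet II with no VLAN tag and a capture with the FCS already stripped.

```python
import struct

ETH_HDR_LEN = 14          # destination MAC (6) + source MAC (6) + EtherType (2)
ETHERTYPE_IPV4 = 0x0800
MIN_FRAME_LEN = 60        # 64-byte wire minimum minus the 4-byte FCS captures drop


def ipv4_total_length(frame):
    """Total Length field of the IPv4 datagram carried in an Ethernet II frame."""
    if len(frame) < ETH_HDR_LEN + 20:
        raise ValueError("frame too short for an Ethernet and IPv4 header")
    ethertype = int.from_bytes(frame[12:14], "big")
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"not IPv4 (EtherType 0x{ethertype:04x})")
    return int.from_bytes(frame[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4], "big")


def frame_padding(frame):
    """Bytes after the IP datagram: the padding added to reach the minimum size."""
    return frame[ETH_HDR_LEN + ipv4_total_length(frame):]


def padding_leaks(frame):
    """True when the padding carries anything other than zero bytes."""
    return any(frame_padding(frame))


def make_short_frame(padding):
    """Constructed frame: a 28-byte IPv4/UDP datagram (20-byte IP header,
    8-byte UDP header, no payload) that a NIC must pad to MIN_FRAME_LEN."""
    eth = bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
    eth += ETHERTYPE_IPV4.to_bytes(2, "big")
    udp = struct.pack("!HHHH", 53, 54321, 8, 0)   # src port, dst port, length, checksum
    total_len = 20 + len(udp)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 1, 0, 64, 17, 0,   # v4/IHL 5 ... TTL 64, UDP
                     bytes([192, 168, 1, 1]), bytes([192, 168, 1, 2]))
    frame = eth + ip + udp
    if len(frame) + len(padding) != MIN_FRAME_LEN:
        raise ValueError("padding must bring the frame to exactly MIN_FRAME_LEN")
    return frame + padding


PAD_LEN = MIN_FRAME_LEN - ETH_HDR_LEN - 28              # 18 bytes of padding
CLEAN_FRAME = make_short_frame(b"\x00" * PAD_LEN)       # what a correct driver sends
LEAKY_FRAME = make_short_frame(b"GET /admin HTTP/1.")   # stale buffer bytes (constructed)


if __name__ == "__main__":
    for name, frame in (("clean", CLEAN_FRAME), ("leaky", LEAKY_FRAME)):
        print(name, len(frame), "bytes, padding:", frame_padding(frame))
```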

Enumerating the NetWare Operating System
Security professionals see Novell NetWare as a “dead horse”
• Ignoring an OS can limit your career as a security professional
Novell NetWare version 4.11
• Novell does not offer any technical support for earlier versions
• Novell has switched to SUSE Linux now

NetWare Enumeration Tools


NetWare 5.1 is still used on many networks
New vulnerabilities are discovered daily
• You need to be vigilant in checking vendor sites and security sites
Tool
• Nessus
Nessus
• Enumerates a NetWare server
• Determines eDirectory information
• Discovers the user name and password for the FTP account
• Discovers names of several user accounts
Novell Client32
• Available at www.novell.com
• Client available for several OSs
Specify information for
• Tree
• Content
• Server
Enumerating the *NIX Operating System
Several variations
• Solaris
• SunOS
• HP-UX
• Linux
• Ultrix
• AIX
• BSD UNIX
• FreeBSD
• OpenBSD
UNIX Enumeration
Finger utility
• Most popular tool for security testers
• Finds out who is logged in to a *NIX system
• Determine owner of any process
Nessus
• Another important *NIX enumeration tool

Last modified 2-23-07 8 pm

Chapter 7: Programming for Security Professionals

Objectives
Explain basic programming concepts
Write a simple C program
Explain how Web pages are created with HTML
Describe and create basic Perl programs
Explain basic object-oriented programming concepts
Introduction to Computer Programming
Computer programmers must understand the rules of programming languages
• Programmers deal with syntax errors
One minor mistake and the program will not run
• Or worse, it will produce unpredictable results
Being a good programmer takes time and patience
Computer Programming Fundamentals
Fundamental concepts
• Branching, Looping, and Testing (BLT)
• Documentation
Function
• Mini program within a main program that carries out a task
Branching, Looping, and Testing (BLT)
Branching
• Takes you from one area of the program to another area
Looping
• Act of performing a task over and over
Testing
• Verifies some condition and returns true or false
A C Program
Filename ends in .c
It's hard to read at first
A single missing semicolon can ruin a program
Comments
Comments make code easier to read
Branching and Testing
Diagram of branches
See links Ch 7b, 7c

Looping
Algorithm
• Defines steps for performing a task
• Keep it as simple as possible
Bug
• An error that causes unpredictable results
Pseudocode
• English-like language used to create the structure of a program
Pseudocode For Shopping
PurchaseIngredients Function
• Call GetCar Function
• Call DriveToStore Function
• Purchase Bacon, Bread, Tomatoes, Lettuce, and Mayonnaise
End PurchaseIngredients Function
Documentation
Documenting your work is essential
• Add comments to your programs
• Comments should explain what you are doing
Many programmers find it time consuming and tedious
Helps others understand your work
Bugs
Industry standard
• 20 to 30 bugs for every 1000 lines of code
(link Ch 7f)
• Textbook claims a much smaller number without a source
Windows 2000 contains almost 50 million lines
• And fewer than 60,000 bugs (about 1 per 1000 lines)
• See link Ch 7e for comments in the leaked Win 2000 source code
Linux has 0.17 bugs per 1000 lines of code
• (Link Ch 7f)
Learning the C Language
Developed by Dennis Ritchie at Bell Laboratories in 1972
Powerful and concise language
UNIX was first written in assembly language and later rewritten in C
C++ is an enhancement of the C language
C is powerful but dangerous
• Bugs can crash computers, and it's easy to leave security holes in the code

Assembly Language
The binary language hard-wired into the processor is machine language
Assembly Language uses a combination of hexadecimal numbers and expressions
• Very powerful but hard to use
(Link Ch 7g)
Compiling C in Ubuntu Linux
Compiler
• Converts a text-based program (source code) into executable or binary code
To prepare Ubuntu Linux for C programming, use this command:
sudo apt-get install build-essential
Then you compile a file named "program.c" with this command:
gcc program.c -o program.exe

Anatomy of a C Program
The first program a C student learns is "Hello, World!"

Comments
Use /* and */ to comment large portions of text
Use // for one-line comments
Include
#include statement
• Loads libraries that hold the commands and functions used in your program
Functions
A Function Name is always followed by parentheses ( )
Curly Braces { } show where a function begins and ends
main() function
• Every C program requires a main() function
• main() is where processing starts
Functions can call other functions
• Parameters or arguments are optional
\n represents a line feed

Declaring Variables
A variable represents a numeric or string value
You must declare a variable before using it

Mathematical Operators
The i++ in the example below adds one to the variable i
Logical Operators
The i<11 in the example below compares the variable i to 11

Understanding HTML Basics


HTML is a language used to create Web pages
HTML files are text files
Security professionals often need to examine Web pages
• Be able to recognize when something looks suspicious
Creating a Web Page Using HTML
Create HTML Web page in Notepad, View HTML Web page in a Web browser
HTML does not use branching, looping, or testing
HTML is a static formatting language, rather than a programming language
< and > symbols denote HTML tags
• Each tag has a matching closing tag, like <HTML> and </HTML>

Understanding Practical Extraction and Report Language (Perl)


PERL
• Powerful scripting language
• Used to write scripts and programs for security professionals
Background on Perl
Developed by Larry Wall in 1987
Can run on almost any platform
• *NIX-based OSs already have Perl installed
Perl syntax is similar to C
Hackers use Perl to write malware
Security professionals use Perl to perform repetitive tasks and conduct security monitoring
Understanding the Basics of Perl
perl -h command
• Gives you a list of parameters used with perl

Understanding the BLT of Perl


Some syntax rules
• Keyword “sub” is used in front of function names
• Variables begin with the $ character
• Comment lines begin with the # character
• The & character is used when calling a function

Branching in Perl
&speak;
• Calls the subroutine
sub speak
• Defines the subroutine

For Loop in Perl


For loop

Testing Conditions in Perl

Understanding Object-Oriented Programming Concepts


New programming paradigm
There are several languages that support object-oriented programming
• C++
• C#
• Java
• Perl 6.0
• Object Cobol
Components of Object-Oriented Programming
Classes
• Structures that hold pieces of data and functions
The :: symbol
• Used to separate the name of a class from a member function
• Example:
Employee::GetEmp()
Example of a Class in C++
class Employee
{
public:
    char firstname[25];
    char lastname[25];
    char PlaceOfBirth[30];
    // [code continues]
};
void GetEmp()
{
    // Perform tasks to get employee info
    // [program code goes here]
}

Error in textbook
C example on page 138 should be this instead

Last modified 3-9-07

Chapter 8: Microsoft Operating System Vulnerabilities

Objectives
Tools to assess Microsoft system vulnerabilities
Describe the vulnerabilities of Microsoft operating systems and services
Techniques to harden Microsoft systems against common vulnerabilities
Best practices for securing Microsoft systems
Tools to Identify Vulnerabilities on Microsoft Systems
Many tools are available for this task
• Using more than one tool is advisable
Using several tools helps you pinpoint problems more accurately
Built-in Microsoft Tools
Microsoft Baseline Security Analyzer (MBSA)
Winfingerprint
HFNetChk

Microsoft Baseline Security Analyzer (MBSA)


Effective tool that checks for
• Patches
• Security updates
• Configuration errors
• Blank or weak passwords
• Others
MBSA supports remote scanning
• Associated product must be installed on scanned computer

MBSA Results

MBSA Versions
2.x for Win 2000 or later & Office XP or later
1.2.1 if you have older products
After installing, MBSA can
• Scan the local machine
• Scan other computers remotely
• Be scanned remotely over the Internet
HFNetChk
HFNetChk is part of MBSA
• Available separately from Shavlik Technologies
• Can be used to control the scanning more precisely, from the command line
Winfingerprint
Administrative tool
It can be used to scan network resources
Exploits Windows null sessions
Detects
• NetBIOS shares
• Disk information and services
• Null sessions
Can find
• OS detection
• Service packs and hotfixes
• Running Services
• See Proj X6 for details
Microsoft OS Vulnerabilities
Microsoft integrates many of its products into a single package
• Such as Internet Explorer and Windows OS
• This creates many useful features
• It also creates vulnerabilities
Security testers should search for vulnerabilities on
• The OS they are testing
• Any application running on the server

CVE (Common Vulnerabilities and Exposures)
A list of standardized names for vulnerabilities
Makes it easier to share information about them
• cve.mitre.org (link Ch 8c)
• Demonstration: Search
Remote Procedure Call (RPC)
RPC is an interprocess communication mechanism
• Allows a program running on one host to run code on a remote host
Examples of worms that exploited RPC
• MSBlast (LovSAN, Blaster)
• Nachi
Use MBSA to detect if a computer is vulnerable to an RPC-related issue
NetBIOS
Software loaded into memory
• Enables a computer program to interact with a network resource or other device
NetBIOS is not a protocol
• NetBIOS is an interface to a network protocol
• It’s sometimes called a session-layer protocol, or a protocol suite (Links Ch 8d, 8e, 8f)
NetBEUI
NetBIOS Extended User Interface
• Fast, efficient network protocol
• Allows NetBIOS packets to be transmitted over TCP/IP
• NBT is NetBIOS over TCP
Newer Microsoft OSs do not need NetBIOS to share resources
• NetBIOS is used for backward compatibility
• You can turn off NetBIOS for Windows 2000 and later (links Ch 8g & 8h)
Server Message Block (SMB)
Used by Windows 95, 98 and NT to share files
Usually runs on top of NetBIOS, NetBEUI or TCP/IP
Hacking tools
• L0phtcrack’s SMB Packet Capture utility
• SMBRelay
• Ettercap (see Project 23, links Ch 8r, Ch 8s)

Demonstration: ettercap

Common Internet File System (CIFS)


CIFS replaced SMB for Windows 2000, XP, and Windows 2003 Server
• SMB is still used for backward compatibility
CIFS is a remote file system protocol
• Enables computers to share network resources over the Internet
Enhancements over SMB
• Resource locking (if 2 people use the same thing at once)
• Support for fault tolerance
• Capability to run more efficiently over dial-up
• Support for anonymous and authenticated access
Server security methods
• Share-level security
A password assigned to a shared resource
• User-level security
An access control list assigned to a shared resource
Users must be on the list to gain access
• Passwords are stored in an encrypted form on the server
But CIFS is still vulnerable (see link Ch 8n)
• Don’t let NetBIOS traffic past the firewall
Understanding Samba
Open-source implementation of CIFS
• Created in 1992
Samba allows sharing resources over multiple OSs
Samba accessing Microsoft shares can make a network susceptible to attack
Samba is used to “trick” Microsoft services into believing the *NIX resources are
Microsoft resources
Samba is Built into Ubuntu
Click Places, Connect to Server
• Windows shares are marked with SMB
Closing SMB Ports
Best way to protect a network from SMB attacks
• Routers should filter out ports 137 to 139 and 445

Default Installations
Windows 9x, NT, and 2000 all start out with many services running and ports open
• They are very insecure until you lock them down
Win XP, 2003, and Vista are much more secure by default
• Services are blocked until you open them
Passwords and Authentication
A comprehensive password policy is critical
• Change passwords regularly
• Require a password length of at least six characters
• Require complex passwords
• Never write a password down or store it online or on the local system
• Do not reveal a password over the phone
Configure domain controllers
• Enforce password age, length and complexity
• Account lockout threshold
• Account lockout duration
Start, Run, GPEDIT.MSC
IIS (Internet Information Services)
IIS 5 and earlier installs with critical security vulnerabilities
• Run IIS Lockdown Wizard (link Ch 8p)
IIS 6.0 installs with a “secure by default” posture
• Configure only services that are needed
• Windows 2000 ships with IIS installed by default
• Running MBSA can detect IIS running on your network

SQL Server
SQL Server vulnerabilities are exploited in these areas
• The SA account with a blank password
• SQL Server Agent
• Buffer overflow
• Extended stored procedures
• Default SQL port 1433
Vulnerabilities related to SQL Server 7.0 and SQL Server 2000
The SA Account
The SA account is the master account, with full rights
SQL Server 6.5 and 7 installations do not require setting a password for this account
SQL Server 2000 supports mixed-mode authentication
• SA account is created with a blank password
• SA account cannot be disabled
SQL Server Agent
Service mainly responsible for
• Replication
• Running scheduled jobs
• Restarting the SQL service
Authorized but unprivileged user can create scheduled jobs to be run by the agent
Buffer Overflow
Database Consistency Checker in SQL Server 2000
• Contains commands with buffer overflows
SQL Server 7 and 2000 have functions that generate text messages
• They do not check that messages fit in the buffers supplied to hold them
Format string vulnerability in the C runtime functions
Extended Stored Procedures
Several of the extended stored procedures fail to perform input validation
• They are susceptible to buffer overruns
Default SQL Port 1433
SQL Server is a Winsock application
• Communicates over TCP/IP using port 1433
Spida worm
• Scans for systems listening on TCP port 1433
• Once connected, attempts to use the xp_cmdshell
Enables and sets a password for the Guest account
Changing default port is not an easy task
Best Practices for Hardening Microsoft Systems
Penetration tester
• Finds vulnerabilities
Security tester
• Finds vulnerabilities
• Gives recommendations for correcting found vulnerabilities
Patching Systems
The number-one way to keep your system secure
• Attacks take advantage of known vulnerabilities
• Options for small networks
Accessing Windows Update manually
Automatic Updates
• This technique does not really ensure that all machines are patched at the same time
• Does not let you skip patches you don’t want
Some patches cause problems, so they should be tested first
Options for patch management for large networks
• Systems Management Server (SMS)
• Software Update Service (SUS)
Patches are pushed out from the network server after they have been tested
Antivirus Solutions
An antivirus solution is essential
For small networks
• Desktop antivirus tool with automatic updates
For large networks
• Corporate-level solution
An antivirus tool is almost useless if it is not updated regularly
Enable Logging and Review Logs Regularly
Important step for monitoring critical areas
• Performance
• Traffic patterns
• Possible security breaches
Logging can have negative impact on performance
Review logs regularly for signs of intrusion or other problems
• Use a log-monitoring tool
Disable Unused or Unneeded Services
Disable unneeded services
Delete unnecessary applications or scripts
Unused applications or services are an invitation for attacks
Requires careful planning
• Close unused ports but maintain functionality
Other Security Best Practices
• Use a firewall on each machine, and also a firewall protecting the whole LAN from the Internet
• Delete unused scripts and sample applications
• Delete default hidden shares
• Use different names and passwords for public interfaces

• Be careful of default permissions
For example, new shares are readable by all users in Win XP
• Use available tools to assess system security
Like MBSA, IIS Lockdown Wizard, etc.
• Disable the Guest account
• Rename the default Administrator account
• Enforce a good password policy
• Educate users about security
• Keep informed about current threats

Last modified 3-18-07 5:30 pm

Chapter 9: Linux Operating System Vulnerabilities

Objectives
Describe the fundamentals of the Linux operating system
Describe the vulnerabilities of the Linux operating system
Describe Linux remote attacks
Explain countermeasures for protecting the Linux operating system
Review of Linux Fundamentals
Linux is a version of UNIX
• Usually available free
• Red Hat includes documentation and support for a fee
Linux creates default directories

Linux Exploration Demo

cd /
ls -F

Note: ls -F adds:
/ to directories
* to executables
@ to linked files

cd /bin
ls -F

Note: familiar commands ls, nc, mkdir

cd /dev
ls

Note: hda - hard disk. eth0 is not here--Ethernet devices are treated differently (link Ch 9a)

cd /etc
ls -F

Note: hosts file with name-to-IP mapping ("cat hosts" to see it)
passwd with user names and groups ("cat passwd" to see it)
shadow file with hashed passwords ("sudo cat shadow" to see it)

cd /home
ls -l

Note: Home directory for each user, owned by the user

cd /lib
ls -F

Note: Libraries here, nothing particularly interesting

cd /mnt
ls -al

Note: Nothing here unless a removable device is connected

cd /proc
ls -F

Note: These files show information about running processes.
"cat interrupts", "cat iomem", and "cat ioports" show the device resources, like Device Manager
"cat meminfo" shows memory statistics
"cat partitions" shows the hard disk partitions
"cat version" shows the Linux version

cd /var/log
ls
cat boot

Note: This file is the boot log
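Added example in Python, not part of the demo above, that parses the two files seen under /etc (constructed excerpts with placeholder hashes) and reports what a security tester checks first in them: a second UID 0 account, an empty password field in passwd, and an empty hash in shadow. The account names and values are constructed.

```python
# Constructed /etc/passwd and /etc/shadow excerpts; the hashes are placeholders.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:backup admin:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/sh
legacy::1002:1002:Old app:/var/legacy:/bin/sh
"""

SHADOW_SAMPLE = """\
root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
toor:$6$constructedsalt$constructedhash:19000:0:99999:7:::
alice:$6$constructedsalt$constructedhash:19000:0:99999:7:::
guest::19000:0:99999:7:::
legacy:!:19000:0:99999:7:::
"""


def parse_passwd(text):
    """name -> (uid, gid, password field, shell); comments and malformed lines are skipped."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, pw, uid, gid, _gecos, _home, shell = fields
        if not (uid.isdigit() and gid.isdigit()):
            continue
        entries[name] = (int(uid), int(gid), pw, shell)
    return entries


def parse_shadow(text):
    """name -> hash field ("" = no password, "!" or "*" = locked, "$..." = hashed)."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0]:
            entries[fields[0]] = fields[1]
    return entries


def is_locked(hash_field):
    """Locked accounts carry "!" or "*" where the hash would be."""
    return hash_field.startswith(("!", "*"))


def audit_accounts(passwd_text, shadow_text):
    """Return (account, finding) pairs, in /etc/passwd order."""
    passwd = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    findings = []
    for name, (uid, _gid, pw, _shell) in passwd.items():
        if uid == 0 and name != "root":
            findings.append((name, "UID 0 account other than root"))
        if pw == "":
            findings.append((name, "empty password field in passwd"))
        elif pw == "x":
            h = shadow.get(name)
            if h is None:
                findings.append((name, "no shadow entry for an 'x' passwd field"))
            elif h == "":
                findings.append((name, "empty hash in shadow (no password required)"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_accounts(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(f"{account}: {finding}")
```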


Linux File System
Provides directory structure
Establishes a file-naming convention
Includes utilities to compress or encrypt files
Provides for both file and data integrity
Enables error recovery
Stores information about files and folders
*NIX systems store information about files in information nodes (inodes)

inodes
Information stored in an inode
• An inode number
• Owner of the file
• Group the file belongs to
• Size of the file
• Date the file was created
• Date the file was last modified or read
There is a fixed number of inodes
• By default, one inode per 4 KB of disk space
Mounting
In Windows, each device has a letter
• A: for floppy, C: for hard disk, and so on
*NIX mounts a file system (usually a drive) as a subfile system of the root file system /
mount and df in Ubuntu
mount command is used to mount file systems
• or to display currently mounted file systems
df command displays disk usage of mounted file systems
*NIX File System History
Minix file system
• Max. size 64 MB, Max. file name 14 chars
Extended File System (Ext)
• Max. size 2 GB, Max. file name 256 chars
Second Extended File System (Ext2fs)
• Max. size 4 TB, better performance and stability
Third Extended File System (Ext3fs)
• Journaling—recovers from crashes better

Linux Commands

Getting Help
Many of these commands have multiple parameters and additional functionality
Use these commands to get help. (Replace command with the command you want help with, such as ifconfig)
command --help
man command


Linux OS Vulnerabilities
UNIX has been around for quite some time
Attackers have had plenty of time to discover vulnerabilities in *NIX systems
Nessus Scanning a Linux Server (with Samba)
Enumeration tools can also be used against Linux systems
Nessus can be used to enumerate Linux systems
Nessus can be used to
• Discover vulnerabilities related to SMB and NetBIOS
• Discover other vulnerabilities
• Enumerate shared resources
Test Linux computer against common known vulnerabilities
• Review the CVE and CAN information
• See links Ch 9m, n, o
Remote Access Attacks on Linux Systems
Differentiate between local attacks and remote attacks
• Remote attacks are harder to perform
Attacking a network remotely requires
• Knowing what system a remote user is operating
• The attacked system’s password and login accounts
Footprinting an Attacked System
Footprinting techniques
• Used to find out information about a target system
Determining the OS version the attacked computer is running
• Check newsgroups for details on posted messages
• Knowing a company’s e-mail address makes the search easier
Other Footprinting Tools
Whois databases
DNS zone transfers
Nessus
Port scanning tools
Using Social Engineering to Attack Remote Linux Systems
Goal
• To get OS information from company employees
Common techniques
• Urgency
• Quid pro quo
• Status quo
• Kindness
• Position
Train your employees about social engineering techniques
Trojans
Trojan programs spread as
• E-mail attachments
• Fake patches or security fixes that can be downloaded from the Internet
Trojan program functions
• Allow for remote administration
• Create an FTP server on attacked machine
• Steal passwords
• Log all keys a user enters, and e-mail results to the attacker
Trojan programs can use legitimate outbound ports
• Firewalls and IDSs cannot identify this traffic as malicious
• Example: Sheepshank uses HTTP GETs
It is easier to protect systems from already identified Trojan programs
• See links Ch 9e, f, g
Rootkits
• Contain Trojan binary programs ready to be installed by an intruder with root access to the system
• Replace legitimate commands with Trojan programs
• Hide the tools used for later attacks
• Example: LRK5
LRK5
• A famous Linux Rootkit
• See Links Ch 9h, i, j
Rootkit Detectors
Security testers should check their Linux systems for rootkits
• Rootkit Hunter (Link Ch 9l)
• Chkrootkit (Link Ch 9l)
• Rootkit Profiler (Link Ch 9k)
Demonstration of rkhunter
sudo apt-get install rkhunter
sudo rkhunter -c


Creating Buffer Overflow Programs


Buffer overflows write code to the OS’s memory
• Then run some type of program
• Can elevate the attacker’s permissions to the level of the owner
Security testers should know what a buffer overflow program looks like
A C program that causes a buffer overflow

The program compiles, but returns the error shown to the right

A C code snippet that fills the stack with shell code


Avoiding Buffer Overflows


Write code that avoids functions known to have buffer overflow vulnerabilities
strcpy()
strcat()
sprintf()
gets()
Configure OS to not allow code in the stack to run any other executable code in the stack
Some compilers like gcc warn programmers when dangerous functions are used
Using Sniffers to Gain Access to Remote Linux Systems
Sniffers work by setting a network card adapter in promiscuous mode
• NIC accepts all packets that traverse the network cable
Attacker can analyze packets and learn user names and passwords
• Avoid using protocols such as Telnet, HTTP, and FTP that send data in clear text
Sniffers
• Tcpdump, Ethereal (now Wireshark)
Countermeasures Against Linux Remote Attacks
Measures include
• User awareness training
• Keeping current on new kernel releases and security updates
User Awareness Training
Social Engineering
• Users must be told not to reveal information to outsiders
• Make customers aware that many exploits can be downloaded from Web sites
• Teach users to be suspicious of people asking questions about the system they are using
Verify caller’s identity
Call back technique
Keeping Current
Never-ending battle
• New vulnerabilities are discovered daily
• New patches are issued to fix new vulnerabilities
Installing these fixes is essential to protecting your system
Many OSs are shipped with automated tools for updating your systems

Last modified 3-22-07 9 am


Chapter 10: Hacking Web Servers

Objectives
Describe Web applications
Explain Web application vulnerabilities
Describe the tools used to attack Web servers
Web Servers
The two main Web servers are Apache (Open source) and IIS (Microsoft)
Understanding Web Applications
It is nearly impossible to write a program without bugs
• Some bugs create security vulnerabilities
Web applications also have bugs
• Web applications have a larger user base than standalone applications
• Bugs are a bigger problem for Web applications
Web Application Components
Static Web pages
• Created using HTML
Dynamic Web pages
• Need special components
<form> tags
Common Gateway Interface (CGI) scripts
Active Server Pages (ASP)
PHP
ColdFusion
Scripting languages like JavaScript
ODBC (Open Database connector)
Web Forms
Use the <form> element or tag in an HTML document
• Allows customer to submit information to the Web server
Web servers process information from a Web form by using a Web application
Easy way for attackers to intercept data that users submit to a Web server
Web form example
<html><body>
<form>
Enter your username:
<input type="text" name="username">
<br>
Enter your password:
<input type="text" name="password">
</form></body></html>
Common Gateway Interface (CGI)
Handles moving data from a Web server to a Web browser
The majority of dynamic Web pages are created with CGI and scripting languages
Describes how a Web server passes data to a Web browser
• Relies on Perl or another scripting language to create dynamic Web pages

CGI Languages
CGI programs can be written in different programming and scripting languages
• C or C++
• Perl
• Unix shell scripting
• Visual Basic
• FORTRAN
CGI example
• Written in Perl
• Hello.pl
• Should be placed in the cgi-bin directory on the Web server
#!/usr/bin/perl
print "Content-type: text/html\n\n";
print "Hello Security Testers!";
Another CGI Example
Link Ch 10a: Sam’s Feedback Form
Link Ch 10b: CGI Script in Perl that processes the data from the form
Active Server Pages (ASP)
Microsoft’s server-side script engine
• HTML pages are static—always the same
• ASP creates HTML pages as needed. They are not static
ASP uses scripting languages such as JScript or VBScript
Not all Web servers support ASP
• IIS supports ASP
• Apache doesn’t support ASP as well
Active Server Pages (ASP)
You can’t see the source of an ASP page from a browser
This makes it harder to hack into, although not impossible
ASP examples at links Ch 10d, e, f
Apache Web Server
Apache is the most popular Web Server program
Advantages
• Stable and reliable
• Works on just about any *NIX and Windows platform
• It is free and open source
See links Ch 10g, 10h
Using Scripting Languages
Dynamic Web pages can be developed using scripting languages
• VBScript
• JavaScript
• PHP

PHP: Hypertext Preprocessor (PHP)
Enables Web developers to create dynamic Web pages
• Similar to ASP
Open-source server-side scripting language
• Can be embedded in an HTML Web page using PHP tags <?php and ?>
Users cannot see PHP code in their Web browser
Used primarily on UNIX systems
• Also supported on Macintosh and Microsoft platforms
PHP Example
<html><head><title>Example</title></head>
<body>
<?php
echo 'Hello, World!';
?>
</body></html>
• See links Ch 10k, 10l
PHP has known vulnerabilities
• See links Ch 10m, 10n
PHP is often used with MySQL Databases
ColdFusion
Server-side scripting language used to develop dynamic Web pages
Created by the Allaire Corporation
• Purchased by Macromedia, now owned by Adobe -- Expensive
Uses its own proprietary tags written in ColdFusion Markup Language (CFML)
CFML Web applications can contain other technologies, such as HTML or JavaScript
ColdFusion Example
<html><head><title>Ex</title></head>
<body>
<CFLOCATION URL="www.isecom.org/cf/index.htm" ADDTOKEN="NO">
</body>
</html>
• See links Ch 10o
ColdFusion Vulnerabilities
See links Ch 10p, 10q

VBScript
Visual Basic Script is a scripting language developed by Microsoft
You can insert VBScript commands into a static HTML page to make it dynamic
• Provides the power of a full programming language
• Executed by the client’s browser
VBScript Example
<html><body>
<script type="text/vbscript">
document.write("<h1>Hello!</h1>")
document.write("Date Activated: " & date())
</script>
</body></html>
See link Ch 10r – works in IE, but not in Firefox
Firefox does not support VBScript (link Ch 10s)
VBScript vulnerabilities
• See links Ch 10t, 10u
JavaScript
Popular scripting language
JavaScript also has the power of a programming language
• Branching
• Looping
• Testing
JavaScript Example
<html><head>
<script type="text/javascript">
function chastise_user(){
alert("So, you like breaking rules?")
document.getElementById("cmdButton").focus()}
</script></head>
<body><h3>Don't click the button!</h3>
<form>
<input type="button" value="Don't Click!" name="cmdButton" onClick="chastise_user()" />
</form></body></html>
• See link Ch 10v – works in IE and Firefox
JavaScript Vulnerabilities
See link Ch 10w

Connecting to Databases
Web pages can display information stored on databases
There are several technologies used to connect databases with Web applications
• Technology depends on the OS used
ODBC
OLE DB
ADO
• Theory is the same
Open Database Connectivity (ODBC)
Standard database access method developed by the SQL Access Group
ODBC interface allows an application to access
• Data stored in a database management system (DBMS)
• Can use Oracle, SQL, or any DBMS that understands and can issue ODBC commands
Interoperability among back-end DBMS is a key feature of the ODBC interface

ODBC defines
• Standardized representation of data types
• A library of ODBC functions
• Standard methods of connecting to and logging on to a DBMS

OLE DB and ADO
Object Linking and Embedding Database (OLE DB) and
ActiveX Data Objects (ADO)
• These two more modern, complex technologies replace ODBC and make up "Microsoft’s Universal Data Access"
• See link Ch 10x
Understanding Web Application Vulnerabilities
Many platforms and programming languages can be used to design a Web site
Application security is as important as network security
Attackers controlling a Web server can
• Deface the Web site
• Destroy or steal company’s data
• Gain control of user accounts
• Perform secondary attacks from the Web site
• Gain root access to other applications or servers

Open Web Application Security Project (OWASP)
• Open, not-for-profit organization dedicated to finding and fighting vulnerabilities in Web applications
• Publishes the Ten Most Critical Web Application Security Vulnerabilities
Top-10 Web application vulnerabilities
Unvalidated parameters
• HTTP requests from browsers that are not validated by the Web server
• Inserted form fields, cookies, headers, etc. (See link Ch 10y)
Broken access control
• Developers implement access controls but fail to test them properly
For example, letting an authenticated user read another user’s files
Broken account and session management
• Enables attackers to compromise passwords or session cookies to gain access to accounts
Cross-site scripting (XSS) flaws
• Attackers inject code into a web page, such as a forum or guestbook
• When other users view the page, confidential information is stolen
• See link Ch 10za
Buffer overflows
• It is possible for an attacker to use C or C++ code that includes a buffer overflow
Command injection flaws
• An attacker can embed malicious code and run a program on the database server
• Example: SQL Injection
Error-handling problems
• Error messages may reveal information that an attacker can use
Insecure use of cryptography
• Storing keys, certificates, and passwords on a Web server can be dangerous
Remote administration flaws
• Attacker can gain access to the Web server through the remote administration interface
Web and application server misconfiguration
• Any Web server software out of the box is usually vulnerable to attack
Default accounts and passwords
Overly informative error messages
WebGoat project
• Helps security testers learn how to perform vulnerability testing on Web applications
• Developed by OWASP
It’s like HackThisSite without the helpful forum
• Tutorials for WebGoat are being made, but they aren’t yet ready
Assessing Web Applications
Issues to consider
• Dynamic Web pages
• Connection to a backend database server
• User authentication
• What platform was used?

Does the Web Application Use Dynamic Web Pages?
Static Web pages do not create a secure environment
IIS attack example: Directory Traversal
• Adding ..\ to a URL refers to a directory above the Web page directory
• Early versions of IIS filtered out \, but not %c1%9c, which is a Unicode version of the same character
• See link Ch 10 zh
Connection to a Backend Database Server
Security testers should check for the possibility of SQL injection being used to attack the system
SQL injection involves the attacker supplying SQL commands on a Web application field
SQL Injection Example
HTML form collects name and pw
SQL then uses those fields:
• SELECT * FROM customer WHERE username = 'name' AND password = 'pw'
If a hacker enters a name of
' OR 1=1 --
The SQL becomes:
• SELECT * FROM customer WHERE username = '' OR 1=1 --' AND password = 'pw'
Which is always true, and returns all the records
HackThisSite

Basic testing should look for


• Whether you can enter text with punctuation marks
• Whether you can enter a single quotation mark followed by any SQL keywords
• Whether you can get any sort of database error when attempting to inject SQL
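The injection above run against an in-memory SQLite table, beside the parameterized query that defeats it and the "single quotation mark followed by a SQL keyword" check from the testing list. This is an added example, not code from the course notes; the table rows and the function names are constructed for the demonstration.

```python
"""Added example (not from the course notes): the injection above run against
an in-memory SQLite table, the parameterized form that defeats it, and the
'single quote followed by a SQL keyword' check from the testing list.
Table contents and function names are constructed for the demonstration."""
import sqlite3

# Constructed rows; the notes only name the table and its two columns.
# Real applications store password hashes, not the password itself.
SAMPLE_CUSTOMERS = [
    ("alice", "alice-pw"),
    ("bob", "bob-pw"),
    ("carol", "carol-pw"),
]


def make_db():
    """Create the customer table the notes' query refers to."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customer (username TEXT, password TEXT)")
    db.executemany("INSERT INTO customer VALUES (?, ?)", SAMPLE_CUSTOMERS)
    return db


def login_vulnerable(db, name, pw):
    """Query built by string substitution, exactly as in the notes:
    SELECT * FROM customer WHERE username = 'name' AND password = 'pw'
    Form input becomes part of the SQL text, so a quote ends the string
    literal and -- comments out the password check."""
    query = ("SELECT * FROM customer WHERE username = '%s' AND password = '%s'"
             % (name, pw))
    return db.execute(query).fetchall()


def login_safe(db, name, pw):
    """Same query with bound parameters: the driver passes the values
    separately from the SQL, so quotes and -- in the input stay data."""
    query = "SELECT * FROM customer WHERE username = ? AND password = ?"
    return db.execute(query, (name, pw)).fetchall()


SQL_KEYWORDS = ("OR", "AND", "SELECT", "UNION", "DROP", "INSERT", "DELETE", "UPDATE")


def looks_like_injection(value):
    """The notes' basic test: a single quotation mark followed by a SQL keyword.
    Suited to logging or alerting on form input; punctuation alone (O'Brien)
    is not flagged. Not a replacement for parameterized queries."""
    if "'" not in value:
        return False
    after_quote = value.split("'", 1)[1].lstrip(" ;)").upper()
    return any(after_quote.startswith(kw) for kw in SQL_KEYWORDS)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("vulnerable:", login_vulnerable(db, payload, "x"))   # all three rows
    print("parameterized:", login_safe(db, payload, "x"))       # []
    print("flagged:", looks_like_injection(payload))            # True
```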
User Authentication
Many Web applications require another server to authenticate users
Examine how information is passed between the two servers
• Encrypted channels
Verify that logon and password information is stored in secure places
Authentication servers introduce a second target
What Platform Was Used?
Popular platforms include:
• IIS with ASP and SQL Server (Microsoft)
• Linux, Apache, MySQL, and PHP (LAMP)
Footprinting is used to find out the platform
• The more you know about a system the easier it is to gather information about its vulnerabilities


Tools of Web Attackers and Security Testers


Choose the right tools for the job
Attackers look for tools that enable them to attack the system
• They choose their tools based on the vulnerabilities found on a target system or application
Web Tools
Cgiscan.c: CGI scanning tool
• Written in C in 1999 by Bronc Buster
• Tool for searching Web sites for CGI scripts that can be exploited
• One of the best tools for scanning the Web for systems with CGI vulnerabilities
See link Ch 10zi
cgiscan and WebGoat

Phfscan.c
• Written to scan Web sites looking for hosts that could be exploited by the PHF bug
• The PHF bug enables an attacker to download the victim’s /etc/passwd file
• It also allows attackers to run programs on the victim’s Web server by using a particular URL
See links Ch 10zj, 10 zk

Wfetch: GUI tool from Microsoft
• Displays information that is not normally shown in a browser, such as HTTP headers
• It also attempts authentication using
Multiple HTTP methods
Configuration of host name and TCP port
HTTP 1.0 and HTTP 1.1 support
Anonymous, Basic, NTLM, Kerberos, Digest, and Negotiation authentication types
Multiple connection types
Proxy support
Client-certificate support
See link Ch 10zl

Last modified 4-8-07 6 pm

Chapter 10: Hacking Wireless Networks

Objectives
Explain wireless technology
Describe wireless networking standards
Describe the process of authentication
Describe wardriving
Describe wireless hacking and tools used by hackers and security professionals
Understanding Wireless Technology
For a wireless network to function, you must have the right hardware and software
Wireless technology is part of our lives
• Baby monitors
• Cell and cordless phones
• Pagers
• GPS
• Remote controls
• Garage door openers
• Two-way radios
• Wireless PDAs
Components of a Wireless Network
A wireless network has only three basic components
• Access Point (AP)
• Wireless network interface card (WNIC)
• Ethernet cable
Access Points
An access point (AP) is a transceiver that connects to an Ethernet cable
• It bridges the wireless network with the wired network
Not all wireless networks connect to a wired network
• Most companies have Wireless LANs (WLANs) that connect to their wired network topology
The AP is where channels are configured
An AP enables users to connect to a LAN using wireless technology
• An AP is available only within a defined area

Service Set Identifiers (SSIDs)
Name used to identify the wireless local area network (WLAN)
The SSID is configured on the AP
• Unique 1- to 32-character alphanumeric name
• Name is case sensitive
Wireless computers need to configure the SSID before connecting to a wireless network
SSID is transmitted with each packet
• Identifies which network the packet belongs to
The AP usually broadcasts the SSID
Many vendors have SSIDs set to a default value that companies never change
An AP can be configured to not broadcast its SSID until after authentication
• Wireless hackers can attempt to guess the SSID
Verify that your clients or customers are not using a default SSID
See links Ch 11a, b
Configuring an Access Point
Configuring an AP varies depending on the hardware
• Most devices allow access through any Web browser
• Enter IP address on your Web browser and provide your user logon name and password
Wireless Router
A wireless router includes an access point, a router, and a switch
Configuring an Access Point
Wireless Configuration Options
• SSID
• Wired Equivalent Privacy (WEP) encryption
• WPA (WiFi Protected Access ) is better
Steps for configuring a D-Link wireless router (continued)
• Turn off SSID broadcast
• You should also change your SSID

Wireless NICs
For wireless technology to work, each node or computer must have a wireless NIC
NIC’s main function
• Converting the radio waves it receives into digital signals the computer understands
Wireless NICs
There are many wireless NICs on the market
• Choose yours depending on how you plan to use it
• Some tools require certain specific brands of NICs


Understanding Wireless Network Standards


A standard is a set of rules formulated by an organization
Institute of Electrical and Electronics Engineers (IEEE)
• Defines several standards for wireless networks
IEEE: CCSF Student Chapter
Next meeting:
• May 3, 2007 in Cloud 218 4:30 pm
Email sbowne@ccsf.edu for more info
IEEE Standards
Standards pass through these groups:
• Working group (WG)
• Sponsor Executive Committee (SEC)
• Standards Review Committee (RevCom)
• IEEE Standards Board
IEEE Project 802
• LAN and WAN standards
The 802.11 Standard
The first wireless technology standard
Defined wireless connectivity at 1 Mbps and 2 Mbps within a LAN
Applied to layers 1 and 2 of the OSI model
Wireless networks cannot detect collisions
• Carrier sense multiple access/collision avoidance (CSMA/CA) is used instead of CSMA/CD
Addressing
Wireless LANs do not have an address associated with a physical location
• An addressable unit is called a station (STA)
The Basic Architecture of 802.11
802.11 uses a basic service set (BSS) as its building block
• Computers within a BSS can communicate with each other
• To connect two BSSs, 802.11 requires a distribution system (DS)
Frequency Range
In the United States, Wi-Fi uses frequencies near 2.4 GHz
(Except 802.11a at 5 GHz)
• There are 11 channels, but they overlap, so only three are commonly used
See link Ch 11c (cisco.com)


Other terms to define the channel:
• Wavelength
• Frequency
• Cycle
• Hertz or cycles per second
• Bands
Infrared (IR)
Infrared light can’t be seen by the human eye
IR technology is restricted to a single room or line of sight
IR light cannot penetrate walls, ceilings, or floors
• Image: IR transmitter for wireless headphones
Narrowband
Uses microwave radio band frequencies to transmit data
Popular uses
• Cordless phones
• Garage door openers
Spread Spectrum
Data is spread across a large-frequency bandwidth instead of traveling across just one frequency band
Methods
• Frequency-hopping spread spectrum (FHSS)
• Direct sequence spread spectrum (DSSS)
• Orthogonal frequency division multiplexing (OFDM)
See links Ch 11d, Ch 11d1
IEEE Additional 802.11 Projects
802.11a
• Created in 1999
• Operating frequency 5 GHz
• Throughput 54 Mbps
802.11b
• Operates in the 2.4 GHz range
• Throughput 11 Mbps
• Also referred to as Wi-Fi (wireless fidelity)
• Allows for 11 channels to prevent overlapping signals
Effectively only three channels (1, 6, and 11) can be used in combination without overlapping
• Introduced Wired Equivalent Privacy (WEP)
802.11e
• It has improvements to address the problem of interference
When interference is detected, signals can jump to another frequency more quickly
802.11g
• Operates in the 2.4 GHz range
• Uses OFDM for modulation
• Throughput increased from 11 Mbps to 54 Mbps

802.11i
• Introduced Wi-Fi Protected Access (WPA)
• Corrected many of the security vulnerabilities of 802.11b
802.15
• Addresses networking devices within one person’s workspace
Called wireless personal area network (WPAN)
• Bluetooth is a common example
802.16
• Addresses the issue of wireless metropolitan area networks (MANs)
• Defines the WirelessMAN Air Interface
• It will have a range of up to 30 miles
• Throughput of up to 120 Mbps
802.20
• Addresses wireless MANs for mobile users who are sitting in trains, subways, or cars traveling at speeds up to 150 miles per hour
Bluetooth
• Defines a method for interconnecting portable devices without wires
• Maximum distance allowed is 10 meters
• It uses the 2.45 GHz frequency band
• Throughput of up to 12 Mbps
HiperLAN2
• European WLAN standard
• It is not compatible with 802.11 standards


Understanding Authentication
Wireless technology brings new security risks to a network
Authentication
• Establishing that a user is authentic—authorized to use the network
• If authentication fails, anyone in radio range can use your network
The 802.1X Standard
Defines the process of authenticating and authorizing users on a WLAN
Basic concepts
• Point-to-Point Protocol (PPP)
• Extensible Authentication Protocol (EAP)
• Wired Equivalent Privacy (WEP)
• Wi-Fi Protected Access (WPA)
Point-to-Point Protocol (PPP)
Many ISPs use PPP to connect dial-up or DSL users
PPP handles authentication with a user name and password, sent with PAP or CHAP
• PAP (Password Authentication Protocol) sends passwords unencrypted
Vulnerable to trivial sniffing attacks
See link Ch 11f
CHAP Vulnerability
CHAP (Challenge-Handshake Authentication Protocol)
• Server sends a Challenge with a random value
• Client sends a Response, hashing the random value with the secret password
This is still vulnerable to a sort of session hijacking attack (see links Ch 11e)
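The PAP and CHAP exchanges described above, simulated in one process so the client, the server and a sniffer on the link can be compared. This is an added example, not code from the course notes; the CHAP response is computed as RFC 1994 specifies (MD5 over identifier, secret and challenge), and the shared secret, username and function names are constructed for the demonstration.

```python
"""Added example (not from the course notes): PAP and CHAP over PPP, simulated
in one process so the client, server and a sniffer on the link can be compared.
CHAP response per RFC 1994: MD5(identifier || secret || challenge).
The shared secret, username and function names are constructed."""
import hashlib
import hmac
import os

SECRET = b"correct horse battery"  # shared password (constructed)
USERNAME = "alice"                 # constructed


def pap_authenticate(username, password):
    """PAP: the credentials cross the link in clear text.
    Returns (what a sniffer on the link sees, server decision)."""
    on_the_wire = {"user": username, "password": password}
    ok = username == USERNAME and hmac.compare_digest(password, SECRET)
    return on_the_wire, ok


def chap_challenge():
    """Server step: a fresh random challenge value for every attempt."""
    return os.urandom(16)


def chap_response(identifier, secret, challenge):
    """Client step: hash the random challenge together with the secret
    (RFC 1994); the secret itself never leaves the client."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier, secret, challenge, response):
    """Server step: recompute the expected hash and compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_authenticate(client_secret, identifier=1):
    """One CHAP round. Returns (sniffer view, server decision).
    The sniffer sees the identifier, challenge and hash, never the secret."""
    challenge = chap_challenge()
    response = chap_response(identifier, client_secret, challenge)
    on_the_wire = {"id": identifier, "challenge": challenge, "response": response}
    return on_the_wire, chap_verify(identifier, SECRET, challenge, response)


def replay_captured(captured):
    """A captured response replayed against the server's next challenge:
    because the challenge is fresh, the old hash no longer matches."""
    return chap_verify(captured["id"], SECRET, chap_challenge(), captured["response"])


if __name__ == "__main__":
    wire, ok = pap_authenticate(USERNAME, SECRET)
    print("PAP on the wire:", wire, "->", ok)        # password visible
    wire, ok = chap_authenticate(SECRET)
    print("CHAP on the wire:", wire, "->", ok)       # only challenge and hash
    print("replayed CHAP response accepted:", replay_captured(wire))  # False
```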
Extensible Authentication Protocol (EAP)
EAP is an enhancement to PPP
Allows a company to select its authentication method
• Certificates
• Kerberos
Kerberos is used on LANs for authentication
Uses Tickets and Keys
Used by Windows 2000, XP, and 2003 Server by default
Not common on WLANS (I think)
X.509 Certificate
Record that authenticates network entities
Identifies
• The owner
• The certificate authority (CA)
• The owner’s public key
See link Ch 11j

Sample X.509 Certificate
Go to gmail.com
Double-click the padlock
Public Key
Your browser uses the Public Key to encrypt data so only Gmail can read it
LEAP
Lightweight Extensible Authentication Protocol (LEAP)
• A Cisco product
• Vulnerable, but Cisco didn’t care
• Joshua Wright wrote the ASLEAP hacking tool to crack LEAP, and forced Cisco to develop a better protocol
See link Ch 11g
More Secure EAP Methods
Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)
• Secure but rarely used, because both client and server need certificates signed by a CA
Protected EAP (PEAP) and Microsoft PEAP
• Very secure, only requires server to have a certificate signed by a CA
See link Ch 11h
802.1X components
Supplicant
• The user accessing a WLAN
Authenticator
• The AP
Authentication server
• Checks an account database to see if user’s credentials are acceptable
• May use RADIUS (Remote Access Dial-In User Service)
See link Ch 11k

Wired Equivalent Privacy (WEP)
Part of the 802.11b standard
Encrypts data on a wireless network
WEP has many vulnerabilities
To crack WEP, see links Ch 11l, 11m
Wi-Fi Protected Access (WPA)
Specified in the 802.11i standard
Replaces WEP
WPA improves encryption by using Temporal Key Integrity Protocol (TKIP)
TKIP Enhancements
Message Integrity Check (MIC)
• Prevent attacker from injecting forged packets
Extended Initialization Vector (IV) with sequencing rules
• Prevent replays (attacker re-sending copied packets)
Per-packet key mixing
• MAC addresses are used to create a key
• Each link uses a different key
Rekeying mechanism
• Provides fresh keys
• Prevents attackers from reusing old keys
WPA Adds 802.1x
WPA also adds an authentication mechanism implementing 802.1X and EAP
• This was not available in WEP
Understanding Wardriving
Hackers use wardriving
• Finding insecure access points
• Using a laptop or palmtop computer
Wardriving is not illegal
• But using the resources of these networks is illegal
Warflying
• Variant where an airplane is used instead of a car
How It Works
An attacker or security tester simply drives around with the following equipment
• Laptop computer
• Wireless NIC
• An antenna
• Software that scans the area for SSIDs
Not all wireless NICs are compatible with scanning programs
Antenna prices vary depending on the quality and the range they can cover
Scanning software can identify
• The company’s SSID
• The type of security enabled
• The signal strength
Indicating how close the AP is to the attacker

NetStumbler
Shareware tool written for Windows that enables you to detect WLANs
• Supports 802.11a, 802.11b, and 802.11g standards
NetStumbler was primarily designed to
• Verify your WLAN configuration
• Detect other wireless networks
• Detect unauthorized APs

NetStumbler is capable of interface with a GPS


• Enabling a security tester or hacker to map out locations of all the WLANs the software detects
NetStumbler logs the following information
• SSID
• MAC address and Manufacturer of the AP
• Channel
• Signal Strength
• Encryption
Can detect APs within a 350-foot radius
• With a good antenna, they can locate APs a couple of miles away
Kismet
Another product for conducting wardriving attacks
Runs on Linux, BSD, Mac OS X, and Linux PDAs
Kismet is also advertised as a sniffer and IDS
• Kismet can sniff 802.11b, 802.11a, and 802.11g traffic
Kismet features
• Ethereal- and Tcpdump-compatible data logging
• AirSnort compatible
• Network IP range detection
• Hidden network SSID detection
• Graphical mapping of networks
• Client-server architecture
• Manufacturer and model identification of APs and clients
• Detection of known default access point configurations
• XML output
• Supports 20 card types


Understanding Wireless Hacking


Hacking a wireless network is not much different from hacking a wired LAN
Techniques for hacking wireless networks
• Port scanning
• Enumeration
Tools of the Trade
Equipment
• Laptop computer
• A wireless NIC
• An antenna
• Sniffer software
AirSnort
Created by Jeremy Bruestle and Blake Hegerle
It is the tool most hackers wanting to access WEP-enabled WLANs use
AirSnort limitations
• Runs on either Linux or Windows (textbook is wrong)
• Requires specific drivers
• Not all wireless NICs function with AirSnort
See links Ch 11p, 11q
WEPCrack
Another open-source tool used to crack WEP encryption
• WEPCrack was released about a week before AirSnort
It also works on *NIX systems
WEPCrack uses Perl scripts to carry out attacks on wireless systems
• AirSnort is considered better (link Ch 11r)
Countermeasures for Wireless Attacks
Anti-wardriving software makes it more difficult for attackers to discover your wireless LAN
• Honeypots
Servers with fake data to snare intruders
• Fakeap and Black Alchemy Fake AP
Software that makes fake Access Points
Link Ch 11s
Use special paint to stop radio from escaping your building
Allow only predetermined MAC addresses and IP addresses to have access to the wireless LAN
Use an authentication server instead of relying on a wireless device to authenticate users
Use an EAP authentication protocol
If you use WEP, use 104-bit encryption rather than 40-bit encryption
• But just use WPA instead
Assign static IP addresses to wireless clients instead of using DHCP
Don’t broadcast the SSID
Place the AP in the demilitarized zone (DMZ) (image DMZ from wikipedia)
Last modified 4-15-07 5 pm
Chapter 12: Cryptography

Objectives
Describe the history of cryptography
Describe symmetric and asymmetric cryptography algorithms
Explain public key infrastructure (PKI)
Describe possible attacks on cryptosystems
Understanding Cryptography Basics
Cryptography is the process of converting plaintext into ciphertext
• Plaintext: readable text (also called cleartext)
• Ciphertext: unreadable or encrypted text
Cryptography is used to hide information from unauthorized users
Decryption is the process of converting ciphertext back to plaintext
History of Cryptography
Substitution cipher
• Replaces one letter with another letter based on a key
• Example: Julius Caesar’s Cipher
Used a key value of 3
ABCDEFGHIJKLMNOPQRSTUVWXYZ
DEFGHIJKLMNOPQRSTUVWXYZABC
Cryptanalysis studies the process of breaking encryption algorithms
When a new encryption algorithm is developed, cryptanalysts study it and try to break it
• Or prove that it is impractical to break it (taking much time and many resources)
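Caesar's cipher with the key value of 3 shown above, and the cryptanalysis step the notes describe: trying every key and picking the candidate that looks most like English. This is an added example, not code from the course notes; it generalizes the key-3 table to any shift, and the sample message and the English letter-frequency table (standard published approximations) are supplied here.

```python
"""Added example (not from the course notes): Caesar's substitution cipher and
exhaustive-key cryptanalysis. Generalizes the notes' key-3 table to any shift.
The sample message is constructed; ENGLISH_FREQ holds standard approximate
letter frequencies for English text."""
import string

ALPHABET = string.ascii_uppercase

# Constructed sample plaintext (uppercase so round trips compare exactly).
SAMPLE_MESSAGE = ("SECURITY TESTERS SHOULD KNOW WHAT A BUFFER OVERFLOW PROGRAM "
                  "LOOKS LIKE AND HOW TO AVOID ONE")


def caesar_encrypt(plaintext, key=3):
    """Shift each letter `key` places (key 3: A->D, B->E, ...); other
    characters pass through unchanged."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext, key=3):
    """Undo the shift; the same key decrypts, which is what makes it symmetric."""
    return caesar_encrypt(ciphertext, -key)


# Approximate frequency (percent) of A..Z in English text.
ENGLISH_FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
                6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]


def english_score(text):
    """Chi-squared distance between the letter counts of `text` and the
    English distribution; lower means more English-like."""
    letters = [c for c in text if c in ALPHABET]
    n = len(letters)
    if n == 0:
        return float("inf")
    score = 0.0
    for i, letter in enumerate(ALPHABET):
        observed = letters.count(letter)
        expected = ENGLISH_FREQ[i] / 100 * n
        score += (observed - expected) ** 2 / expected
    return score


def brute_force(ciphertext):
    """The keyspace has only 26 values, so test every key and rank the
    candidate plaintexts. Returns (key, plaintext) for the best candidate."""
    candidates = [(k, caesar_decrypt(ciphertext, k)) for k in range(26)]
    return min(candidates, key=lambda kp: english_score(kp[1]))


if __name__ == "__main__":
    ct = caesar_encrypt(SAMPLE_MESSAGE, 3)
    print("ciphertext:", ct)
    key, pt = brute_force(ct)
    print("recovered key:", key)       # 3
    print("recovered text:", pt)
```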
Enigma
Used by the Germans during World War II
• Replaced letters as they were typed
• Substitutions were computed using a key and a set of switches or rotors
• Image from Wikipedia (link Ch 12a)
Steganography
The process of hiding data in plain view in pictures, graphics, or text
• Example: changing colors slightly to encode individual bits in an image
The image on the left contains the image on the right hidden in it (link Ch 12c)
Algorithms
An algorithm is a mathematical function or program that works with a key
Security comes from
• A strong algorithm—one that cannot be reversed without the key
• A key that cannot be found or guessed
Keys (not in textbook)
A sequence of random bits
• The range of allowable values is called a keyspace
The larger the keyspace, the more secure the key
• 8-bit key has 2^8 = 256 values in keyspace
• 24-bit key has 2^24 = 16 million values
• 56-bit key has 2^56 = 7 x 10^16 values
• 128-bit key has 2^128 = 3 x 10^38 values

Brute Force (not in textbook)
In 1997 a 56-bit key was broken by brute force
• Testing all possible 56-bit keys
• Used 14,000 machines organized via the Internet
• It took 3 months
• See link Ch 12d
How Many Bits Do You Need? (not in textbook)
How many keys could all the computers on Earth test in a year?
• Pentium 4 processor: 10^9 cycles per second
• One year = 3 x 10^7 seconds
• There are fewer than 10^10 computers on Earth
One per person
• 10^9 x 3 x 10^7 x 10^10 = 3 x 10^26 calculations
• 128 bits should be enough (3 x 10^38 values)
Unless computers get much faster, or someone breaks the algorithm
Symmetric Cryptography

Symmetric Cryptography Algorithms
Symmetric algorithms have one key that encrypts and decrypts data
Advantages
• Symmetric algorithms are fast
• They are difficult to break if a large key size is used
• Only one key needed
Disadvantages
• Symmetric keys must remain secret
• Difficult to deliver keys (key distribution)
• Symmetric algorithms don’t support authenticity or nonrepudiation
You can’t know for sure who sent the message, since two people have the same key
Types of symmetric algorithms
• Stream ciphers
Operate on plaintext one bit at a time
• Block ciphers
Operate on blocks of plaintext
DeCSS
Commercial DVDs are encoded with a 40-bit key
• It’s simple to crack it by brute force
• Three hackers did that in 1999
See links Ch 12e, 12f
• Legislation such as the DMCA made it illegal to publish the algorithm
See Illegal Prime Number (Link Ch 12g)

Data Encryption Standard (DES)
National Institute of Standards and Technology (NIST)
• Wanted a means of protecting sensitive but unclassified data
• Invited vendors in early 1970 to submit data encryption algorithms
IBM proposed Lucifer
• A 128-bit encryption algorithm
The National Security Agency (NSA) reduced the key size from 128 bits to 64 bits and created DES
• Only 56 bits of the key are actually used
In 1988, the NSA thought the standard was at risk of being broken
In 1997, a DES key was broken in 3 months
In 1998, the EFF built a computer system that cracked a DES key in 3 days
• Link Ch 12h
Triple DES (3DES)
Triple Data Encryption System (3DES)
3DES served as a quick fix to the vulnerabilities of DES
3DES performed three DES encryptions
2^56 times stronger than DES
• More secure but slower to compute
See link Ch 12i
Advanced Encryption Standard (AES)
Became effective in 2002 as a standard
• The process took 5 years
Block cipher that operates on 128-bit blocks of plaintext
Keys can be 128, 192, or 256 bits
Uses the Rijndael algorithm
• Link Ch 12j
International Data Encryption Algorithm (IDEA)
Block cipher that operates on 64-bit blocks of plaintext
It uses a 128-bit key
Developed by Xuejia Lai and James Massey
• Designed to work more efficiently in computers used at home and in businesses
IDEA is free for noncommercial use
• It is included in PGP encryption software
Blowfish
Block cipher that operates on 64-bit blocks of plaintext
The key length can be as large as 448 bits
Developed by Bruce Schneier

RC5
Block cipher that can operate on different block sizes: 32, 64, and 128
The key size can reach 2048 bits
Created by Ronald L. Rivest in 1994 for RSA Data Security
Cracking RC5
56-bit and 64-bit key RC5s have already been cracked
The RC5-72 project is underway, trying to crack a 72-bit key
• At the current rate, it will take 1000 years
Links Ch 12l, 12m
Asymmetric Cryptography Algorithms
Use two keys that are mathematically related
• Data encrypted with one key can be decrypted only with the other key
Another name for asymmetric key cryptography is public key cryptography
• Public key: known by the public
• Private key: known only by owner
Asymmetric Cryptography
Provides message authenticity and nonrepudiation
• Authenticity validates the sender of a message
• Nonrepudiation means a user cannot deny sending a message
Asymmetric algorithms are more scalable but slower than symmetric algorithms
• Scalable: can adapt to larger networks
• Each person needs only one key pair
Everyone can use the same public key to send you data
Each person signs messages with their own private key
RSA
Developed in 1977 by Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman
The algorithm is based on the difficulty of factoring large numbers
The Secure Socket Layer (SSL) protocol uses the RSA algorithm
Diffie-Hellman
Developed by Whitfield Diffie and Martin Hellman
Does not provide encryption but is used for key exchange
• Two parties agree on a key without ever sending it directly over the network
• The numbers transmitted can be used to compute the key, but only by the parties holding secret private numbers
Prevents sniffing attacks (link Ch 12
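The Diffie-Hellman exchange described above, worked through as an added Python example that is not from the lecture notes: both parties' transmitted values are shown, each side derives the same key, and received values are range-checked. The group parameters p and g are toy values chosen for readability (real systems use standardized groups such as the RFC 3526 MODP groups) and the party names are made up.

```python
"""Diffie-Hellman key agreement with both sides' messages (added example, not from the lecture notes).

Assumptions: p = 2**127 - 1 (a Mersenne prime) and g = 3 are toy parameters
picked so the numbers stay readable; they are NOT production parameters.
The exchange is unauthenticated, which is exactly what the man-in-the-middle
attack later in the chapter exploits, so real protocols sign or certify the
public values.
"""
import hashlib
import secrets
from typing import List, Tuple

P = 2**127 - 1   # toy prime modulus, constructed for this example
G = 3            # toy generator, constructed for this example


class Party:
    """One side of the exchange: keeps a private exponent, publishes g^x mod p."""

    def __init__(self, name: str):
        self.name = name
        self.private = secrets.randbelow(P - 2) + 1   # secret; never transmitted
        self.public = pow(G, self.private, P)         # sent over the network in the clear

    def shared_secret(self, peer_public: int) -> int:
        """(g^y)^x mod p == (g^x)^y mod p, so both sides compute the same number."""
        # Reject the degenerate values 0, 1 and p-1: they would force a trivial secret.
        if not 1 < peer_public < P - 1:
            raise ValueError("peer public value out of range")
        return pow(peer_public, self.private, P)


def derive_key(shared: int) -> bytes:
    """Hash the shared secret into a fixed-size symmetric key (SHA-256 here)."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def run_exchange(alice: Party, bob: Party) -> Tuple[List[str], bytes, bytes]:
    """Run the exchange; return (what a sniffer sees on the wire, Alice's key, Bob's key)."""
    transcript = [
        f"{alice.name} -> {bob.name}: public value {alice.public}",
        f"{bob.name} -> {alice.name}: public value {bob.public}",
    ]
    key_alice = derive_key(alice.shared_secret(bob.public))
    key_bob = derive_key(bob.shared_secret(alice.public))
    return transcript, key_alice, key_bob


if __name__ == "__main__":
    transcript, k_a, k_b = run_exchange(Party("Alice"), Party("Bob"))
    print("\n".join(transcript))
    print("keys match:", k_a == k_b)
```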
Elliptic Curve Cryptosystems (ECC)
It is an efficient algorithm requiring few resources
• Memory
• Disk space
• Bandwidth
ECC is used for encryption as well as digital signatures and key distribution
Elgamal
Public key algorithm used to
• Encrypt data
• Create digital signature
• Exchange secret keys
Written by Taher Elgamal in 1985
The algorithm uses discrete logarithm problems
• Solving a discrete logarithm problem can take many years and require CPU-intensive operations

Digital Signatures
A hash value ensures that the message was not altered in transit (integrity)
Provides message integrity, authenticity and nonrepudiation

Digital Signature Standard (DSS)


Established by the NIST in 1991
• Ensures that digital signatures rather than written signatures can be verified
Federal government requirements
• RSA and Digital Signature Algorithm (DSA) must be used for all digital signatures
• Hashing algorithm must be used to ensure the integrity of the message
NIST required that the Secure Hash Algorithm (SHA) be used
Pretty Good Privacy (PGP)
Developed by Phil Zimmermann as a free e-mail encryption program
• Zimmermann was almost arrested for his innovation
• Back in the mid-1990s, any kind of “unbreakable” encryption was seen as a weapon and compared
to selling arms to the enemy
PGP is a free public key encryption program

PGP uses certificates similar to those in public key infrastructure (PKI)


• PGP does not use a centralized CA
• Verification of a CA is not as efficient as PKI
Algorithms supported by PGP
• IDEA
• RSA
• DSA
• Message Digest 5 (MD5)
• SHA-1
Secure Multipurpose Internet Mail Extension (S/MIME)
Is another public key encryption standard used to encrypt and digitally sign e-mail
Can encrypt e-mail messages containing attachments
Can use PKI certificates for authentication
S/MIME version 2 defined in RFC 2311
S/MIME version 3 defined in RFC 2633
Privacy-Enhanced Mail (PEM)
Internet standard that is compatible with both symmetric and asymmetric methods of encryption
Can use the X.509 certificate standards and encrypt messages with DES
Not used as much today
• MIME Object Security Services (MOSS) is a newer implementation of PEM
Hashing Algorithms
Take a variable-length message and produce a fixed-length value called a message digest
A hash value is equivalent to a fingerprint of the message
• If the message is changed later, the hash value changes
Collisions
If two different messages produce the same hash value, it results in a collision
• A good hashing algorithm must be collision-free

Hashing Algorithms
SHA-1 is one of the most popular hashing algorithms
• SHA-1 has been broken
• Collisions were found in 2004 and 2005 (link Ch 12p)
• As of March 15, 2005, the NIST recommends not using SHA applications
• But there are collisions in MD5 too
• SHA-256 hasn’t been broken yet
See link Ch 12q

Summary of Cryptographic Algorithms

Symmetric Algorithms (Private-key)
Name      Key size                 Notes
DES       56 bits                  Insecure because key is too short
3DES      168 bits                 As secure as 112-bit key, not yet broken; being replaced by AES
AES       128, 192, or 256 bits    Uses 128-bit blocks and the Rijndael algorithm; approved for US Govt classified information
IDEA      128 bits                 Uses 64-bit blocks, used in PGP, very secure
Blowfish  32 bits to 448 bits      Uses 64-bit blocks, developed by Bruce Schneier; public domain
RC5       0 bits to 2040 bits      Block size can be 32, 64, or 128 bits; 56-bit and 64-bit key versions have been cracked; 72-bit version has not been cracked

Asymmetric Algorithms (Public-key)
Name            Notes
Diffie-Hellman  Key exchange only, not encryption
RSA             Secure, used by SSL
ECC             Efficient newer technique
Elgamal         Used in GPG and PGP

Hashing Algorithms
Name   Notes
MD2    Written for 8-bit machines, no longer secure
MD4    No longer secure
MD5    Security is questionable now
SHA-1  The successor to MD5, used in TLS, SSL, PGP, SSH, S/MIME, and IPsec; it has been broken, so it's no longer completely secure
SHA-2  Not yet broken, but no longer recommended; the NIST is now developing a new algorithm to replace SHA

Public Key Infrastructure (PKI)


Not an algorithm
A structure that consists of programs, protocols, and security protocols
Uses public key cryptography
Enables secure data transmission over the Internet

PKI Components
Certificate: a digital document that verifies the identity of an entity
• Contains a unique serial number and must follow the X.509 standard
Public keys are issued by a certification authority (CA)
A certificate that the CA issues to a company binds a public key to the recipient’s private key
Certificate Expiration and Renewal
A period of validity is assigned to each certificate
• After that date, the certificate expires
A certificate can be renewed with a new expiration date assigned
• If the keys are still valid and remain uncompromised
Certificate Revocation and Suspension
Reasons to suspend or revoke a certificate
• A user leaves the company
• A hardware crash causes a key to be lost
• A private key is compromised
Revocation is permanent
Suspension can be lifted
Certificate Revocation List (CRL)
• Contains all revoked and suspended certificates
• Issued by CAs
Backing Up Keys
Backing up keys is critical
• If keys are destroyed and not backed up properly, encrypted business-critical information might be irretrievable
The CA is usually responsible for backing up keys (image: Trusted Root CAs)
• A key recovery policy is also part of the CA’s responsibility

Microsoft Root CA
You can set up your own Certificate Authority Server
Windows Server 2003 or Windows 2000 Server
Install the Certificate Services
Note that after installing this service the name of the domain or computer cannot change
Specify options to generate certificates, including
• Cryptographic Service Provider
• Hash algorithm
• Key length

Understanding Cryptographic Attacks


Sniffing and port scanning are passive attacks – just watching
Active attacks attempt to determine the secret key being used to encrypt plaintext
Cryptographic algorithms are usually public
• Follows the open-source culture
• Except the NSA and CIA and etc.
Birthday Attack
If 23 people are in the room, what is the chance that they all have different birthdays?

So there’s a 51% chance that two of them have the same birthday
See link Ch 12r
If there are N possible hash values,
• You’ll find collisions when you have calculated 1.2 x sqrt(N) values

SHA-1 uses a 160-bit key
• Theoretically, it would require 2^80 computations to break
• SHA-1 has already been broken, because of other weaknesses
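An added Python example (not from the lecture notes) that computes the 23-person birthday probability from the section above and then finds a collision in a deliberately truncated hash, showing that collisions appear after roughly 1.2 x sqrt(N) hashes rather than N; the 24-bit truncation and the counter-style messages are this example's own choices.

```python
"""Birthday bound worked through (added example, not from the lecture notes).

A collision search needs only about sqrt(N) trials for N possible hash
values.  To make that visible, SHA-256 is truncated to 24 bits (N = 2^24,
so ~4915 hashes should do); the truncation width and the constructed
messages "msg-0", "msg-1", ... are this example's own choices.
"""
import hashlib
import math
from typing import Dict, Optional, Tuple


def prob_shared_birthday(people: int, days: int = 365) -> float:
    """Probability that at least two of `people` share one of `days` possible values."""
    p_all_different = 1.0
    for i in range(people):
        p_all_different *= (days - i) / days
    return 1.0 - p_all_different


def birthday_bound(n_values: int) -> float:
    """Number of samples at which a collision becomes likely: ~1.2 * sqrt(N), as in the notes."""
    return 1.2 * math.sqrt(n_values)


def truncated_hash(message: bytes, bits: int) -> int:
    """SHA-256 truncated to its top `bits` bits: a stand-in for a short hash output."""
    digest = hashlib.sha256(message).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits: int, max_tries: int) -> Optional[Tuple[int, bytes, bytes]]:
    """Hash constructed messages until two share a truncated hash.

    Returns (number of hashes computed, first message, second message),
    or None if max_tries is exhausted.
    """
    seen: Dict[int, bytes] = {}          # truncated hash -> first message seen with it
    for i in range(max_tries):
        msg = f"msg-{i}".encode()        # constructed input, not real data
        h = truncated_hash(msg, bits)
        if h in seen:
            return i + 1, seen[h], msg
        seen[h] = msg
    return None


if __name__ == "__main__":
    print(f"23 people: {prob_shared_birthday(23):.3f}")   # about 0.507
    bits = 24
    print(f"expected collision after ~{birthday_bound(2**bits):.0f} hashes")
    print(find_collision(bits, max_tries=2**20))
```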
Mathematical Attacks
Properties of the algorithm are attacked by using mathematical computations
Categories
• Ciphertext-only attack
The attacker has the ciphertext of several messages but not the plaintext
Attacker tries to find out the key and algorithm used to encrypt the messages
Attacker can capture ciphertext using a sniffer program such as Ethereal or Tcpdump
Categories
• Known plaintext attack
The attacker has messages in both encrypted form and decrypted forms
This attack is easier to perform than the ciphertext-only attack
Looks for patterns in both plaintext and ciphertext
• Chosen-plaintext attack
The attacker has access to plaintext and ciphertext
Attacker has the ability to choose which message to encrypt
Categories (continued)
• Chosen-ciphertext attack
The attacker has access to the ciphertext to be decrypted and to the resulting plaintext
Attacker needs access to the cryptosystem to perform this type of attack
Brute Force Attack
An attacker tries to guess passwords by attempting every possible combination of letters
• Requires lots of time and patience
• Password-cracking programs that can use brute force
John the Ripper
Cain and Abel
Ophcrack
Also uses memory to save time – “Rainbow tables”
Man-in-the-Middle Attack
Victim sends public key to Server
• Attacker generates two “false” key pairs
• Attacker intercepts the genuine keys and sends false keys out
• Both parties send encrypted traffic, but not with the same keys
These false keys won’t be verified by a CA
Dictionary Attack
Attacker uses a dictionary of known words to try to guess passwords
• There are programs that can help attackers run a dictionary attack
Programs that can do dictionary attacks
• John the Ripper
• Cain and Abel
Replay Attack
The attacker captures data and attempts to resubmit the captured data
• The device thinks a legitimate connection is in effect
If the captured data was logon information, the attacker could gain access to a system and be authenticated
Most authentication systems are resistant to replay attacks

Password Cracking
Password cracking is illegal in the United States
• It is legal to crack your own password if you forgot it
You need the hashed password file
• /etc/passwd or /etc/shadow for *NIX
• The SAM database in Windows
Then perform dictionary or brute-force attacks on the file
Password cracking programs
John the Ripper
Hydra (THC)
EXPECT
L0phtcrack
Pwdump3v2
Ophcrack does it all for you – gathering the SAM database and cracking it

Last modified 11-6-08

Chapter 13: Protecting Networks with Security Devices

Objectives
Describe network security devices
Describe firewall technology
Describe intrusion detection systems
Describe honeypots
Routers
Routers are like intersections; switches are like streets
• Image from Wikipedia (link Ch 13a)
Understanding Routers
Routers are hardware devices used on a network to send packets to different network segments
• Operate at the network layer of the OSI model
Routing Protocols
Routers tell one another what paths are available with Routing Protocols
• Link-state routing protocol
Each router has complete information about every network link
Example: Open Shortest Path First (OSPF)
• Distance-vector routing protocol
Routers only know which direction to send packets, and how far
Example: Routing Information Protocol (RIP)
Cisco Routers
Image from cisco.com (link Ch 13b)
Understanding Basic Hardware Routers
Cisco routers are widely used in the networking community
• More than one million Cisco 2500 series routers are currently being used by companies around the world
Vulnerabilities exist in Cisco as they do in any operating system
• See link Ch 13c
Cisco Router Components
Internetwork Operating System (IOS)
Random access memory (RAM)
• Holds the router’s running configuration, routing tables, and buffers
• If you turn off the router, the contents stored in RAM are wiped out
Nonvolatile RAM (NVRAM)
• Holds the router’s configuration file, but the information is not lost if the router is turned off
Flash memory
• Holds the IOS the router is using
• Is rewritable memory, so you can upgrade the IOS

Read-only memory (ROM)
• Contains a minimal version of the IOS used to boot the router if flash memory gets corrupted
Interfaces
• Hardware connectivity points
• Example: an Ethernet port is an interface that connects to a LAN
Michael Lynn
He presented a major Cisco security vulnerability at the Black Hat security conference in 2005
He lost his job, was sued, conference materials were confiscated, etc.
• See links Ch 13 d, e, f, g
Cisco IOS is controlled from the command line
The details are not included in this class

Skip pages 324-329

Understanding Firewalls
Firewalls are hardware devices or software installed on a system and have two purposes
• Controlling access to all traffic that enters an internal network
• Controlling all traffic that leaves an internal network
Hardware Firewalls
Advantage of hardware firewalls
• Faster than software firewalls (more throughput)
Disadvantages of hardware firewalls
• You are limited by the firewall’s hardware
Number of interfaces, etc.
• Usually filter incoming traffic only (link Ch 13i)
Software Firewalls
Advantages of software firewalls
• Customizable: can interact with the user to provide more protection
• You can easily add NICs to the server running the firewall software
Disadvantages of software firewalls
• You might have to worry about configuration problems
• They rely on the OS on which they are running
Firewall Technologies
Network address translation (NAT)
Access control lists (Packet filtering)
Stateful packet inspection (SPI)

Network Address Translation (NAT)
Internal private IP addresses are mapped to public external IP addresses
• Hides the internal infrastructure
Port Address Translation (PAT)
• This allows thousands of internal IP addresses to be mapped to one external IP address
• Each connection from the private network is mapped to a different public port

Access Control Lists


A series of rules to control traffic
Criteria
• Source IP address
• Destination IP address
• Ports or services
• More possibilities
Same as “Packet Filtering”

Stateful Packet Inspection (SPI)
Stateful packet filters examine the current state of the network
• If you have sent a request to a server, packets from that server may be allowed in
• Packets from the same server might be blocked if no request was sent first
State Table
Stateful firewalls maintain a state table showing the current connections
ACK Port scan
Used to get information about a firewall
Stateful firewalls track connections and block unsolicited ACK packets
Stateless firewalls only block incoming SYN packets, so you get a RST response
We covered this in chapter 5
Stateful Packet Inspection (SPI)
Stateful packet filters recognize types of anomalies that most routers ignore
Stateless packet filters handle each packet on an individual basis
• This makes them less effective against some attacks
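An added Python example (not from the lecture notes) that runs the same three constructed packets through a stateless packet-filtering ACL and a stateful filter with a state table, showing the unsolicited ACK that only the stateful filter drops; the addresses, ports and the internal prefix are made up.

```python
"""Stateless ACL versus stateful packet inspection (added example, not from the lecture notes).

Three constructed packets are filtered two ways: a stateless ACL that only
blocks inbound SYNs, and a stateful filter that admits inbound packets only
when they belong to a connection an inside host opened first.  The internal
prefix 10.0.0. and all addresses and ports are made up for this example.
"""
from dataclasses import dataclass
from typing import Dict, List

INSIDE_NET = "10.0.0."   # constructed internal network prefix


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str   # "SYN", "SYN/ACK", "ACK", "RST", ...


def is_inbound(pkt: Packet) -> bool:
    """Inbound means it comes from outside and is addressed to an inside host."""
    return pkt.dst_ip.startswith(INSIDE_NET) and not pkt.src_ip.startswith(INSIDE_NET)


def stateless_filter(pkt: Packet) -> str:
    """Packet-filtering ACL: drop inbound connection attempts (SYN), allow everything else."""
    if is_inbound(pkt) and pkt.flags == "SYN":
        return "DENY"
    return "ALLOW"


class StatefulFilter:
    """Keeps a state table of connections opened from inside; inbound must match an entry."""

    def __init__(self):
        self.state_table = set()   # entries: (inside_ip, inside_port, outside_ip, outside_port)

    def filter(self, pkt: Packet) -> str:
        if not is_inbound(pkt):
            if pkt.flags == "SYN":   # inside host opens a connection: remember it
                self.state_table.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "ALLOW"
        # Inbound: the reply's addresses are the mirror image of the stored entry.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.state_table:
            return "ALLOW"
        return "DENY"   # unsolicited SYN, ACK, etc. are all dropped


def run_scenario() -> Dict[str, List[str]]:
    """Outbound web request, the server's reply, then an unsolicited ACK (an ACK-scan probe)."""
    out_syn = Packet("10.0.0.5", 40000, "203.0.113.10", 80, "SYN")
    reply = Packet("203.0.113.10", 80, "10.0.0.5", 40000, "SYN/ACK")
    probe = Packet("198.51.100.7", 55555, "10.0.0.5", 22, "ACK")
    stateful = StatefulFilter()
    return {
        "stateless": [stateless_filter(p) for p in (out_syn, reply, probe)],
        "stateful": [stateful.filter(p) for p in (out_syn, reply, probe)],
    }


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(name, verdicts)   # stateless passes the probe ACK; stateful denies it
```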
Implementing a Firewall
Using only one firewall between a company’s internal network and the Internet is dangerous
• It leaves the company open to attack if a hacker compromises the firewall
Use a demilitarized zone instead
Demilitarized Zone (DMZ)
DMZ is a small network containing resources available to Internet users
• Helps maintain security on the company’s internal network
Sits between the Internet and the internal network
It is sometimes referred to as a “perimeter network”

Understanding the Private Internet Exchange (PIX) Firewall
Cisco PIX firewall
• One of the most popular firewalls on the market
Configuration of the PIX Firewall
Working with a PIX firewall is similar to working with any other Cisco router
Login prompt
    If you are not authorized to be in this XYZ Hawaii network device,
    log out immediately!
    User Access Verification
    Password:
• This banner serves a legal purpose
• A banner that says “welcome” may prevent prosecution of hackers who enter
PIX Firewall Features
One PIX can be used to create a DMZ
• See link Ch 13k
Unicast Reverse Path Forwarding
• Also known as "reverse route lookup"
• Checks to see that packets have correct source IP addresses
Flood Defender
• Prevents SYN Floods
• Only a limited number of "embryonic connections" are allowed
FragGuard and Virtual Re-Assembly
• Re-assembles IP fragments to prevent some DoS attacks, like the Ping of Death and Teardrop
Limits
• DNS Responses
• ActiveX controls
• Java applets
I skipped pages 333-336

Microsoft ISA
Internet Security and Acceleration (ISA)
Microsoft’s software approach to firewalls
Microsoft Internet Security and Acceleration (ISA) Server
• Software that runs on a Windows Server
• Functions as a software router, firewall, and IDS (Intrusion Detection System)
ISA protects your network from Internet threats
ISA lets remote users connect securely, handling authentication and encryption
Image from microsoft.com (link Ch 13m)
ISA has the same functionality as any hardware router
• Packet filtering to control incoming traffic
• Application filtering through the examination of protocols
• Intrusion detection filters
• Access policies to control outgoing traffic
IP Packet Filters
ISA enables administrators to filter IP traffic based on the following:
• Source and destination IP address
• Network protocol, such as HTTP
• Source port or destination port
ISA provides a GUI for these configurations
• A network segment can be denied or allowed HTTP access in the Remote Computer tab

Denying access to port 80 for the specified subnet (screenshot)
Application Filters
Can accept or deny data from specific applications or data containing specific content
SMTP filter can restrict
• E-mail with specific attachments
• E-mail from a specific user or domain
• E-mail containing specific keywords
• SMTP commands
Email can also be filtered based on
• Sender's name
• Sender's domain
• Keywords like VIAGRA or Mortgage
These techniques are not very effective—spammers know how to defeat them
SMTP Commands tab
• Administrator can prevent a user from running SMTP commands
FTP Access filter
H.323 filter
• real-time multimedia conferences
See link Ch 13n
Intrusion Detection Filters
Analyze all traffic for possible known intrusions
• DNS intrusion detection filter
• POP filter
• RPC filter
• SMTP filter
• SOCKS filter
• Streaming Media filter
• Web Proxy filter


Intrusion Detection Systems (IDSs)
Monitor network devices so that security administrators can identify attacks in progress and stop them
An IDS looks at the traffic and compares it with known exploits
• Similar to virus software using a signature file to identify viruses
Types
• Network-based IDSs
• Host-based IDSs
Network-based IDSs
• Monitor activity on network segments
• They sniff traffic and alert a security administrator when something suspicious occurs
See link Ch 13o
Host-based IDSs
• The software is installed on the server you’re attempting to protect, like antivirus software
• Used to protect a critical network server or database server
Passive and Active IDSs
IDSs are categorized by how they react when they detect suspicious behavior
• Passive systems
Send out an alert and log the activity
Don't try to stop it
• Active systems
Log events and send out alerts
Can also interoperate with routers and firewalls to block the activity automatically

Understanding Honeypots
Honeypot
• Computer placed on the perimeter of a network
• Contains information intended to lure and then trap hackers
Computer is configured to have vulnerabilities
Goal
• Keep hackers connected long enough so they can be traced back
How They Work
A honeypot appears to have important data or sensitive information stored on it
• Could store fake financial data that tempts hackers to attempt browsing through the data
Hackers will spend time attacking the honeypot
• And stop looking for real vulnerabilities in the company’s network
Honeypots also enable security professionals to collect data on attackers
Virtual honeypots
• Honeypots created using software solutions instead of hardware devices
• Example: Honeyd
Project Honey Pot
Web masters install software on their websites
When spammers harvest email addresses from sites, HoneyNet's servers record the IP of the harvester
• Can help prosecute the spammers and block the spam
Link Ch 13p
Uses a Capture Server and one or more Capture Clients
• The clients run in virtual machines
• Clients connect to suspect Web servers
• If the client detects an infection, it alerts the Capture Server and restores itself to a clean state
• The server gathers data about malicious websites
See link Ch 13q

Last modified 6-4-09


Lecture 14: More Wireless Hacking – Cracking Wired Equivalent Privacy (WEP)

Legal Concerns
Defeating security to enter a network without permission is clearly illegal
• Even if the security is weak
Sniffing unencrypted wireless traffic may also be illegal
• It could be regarded as an illegal wiretap
• The situation is unclear, and varies from state to state
• In California, privacy concerns tend to outweigh other considerations
• See links l14v, l14w
Equipment
Wireless Network Interface Cards (NICs) and Drivers
The Goal
All wireless NICs can connect to an Access Point
But hacking requires more than that, because we need to do
• Sniffing – collecting traffic addressed to other devices
• Injection – transmitting forged packets which will appear to be from other devices
Windows v. Linux
The best wireless hacking software is written in Linux
• The Windows tools are inferior, and don't support packet injection
But all the wireless NICs are designed for Windows
• And the drivers are written for Windows
• Linux drivers are hard to find and confusing to install
Wireless NIC Modes
There are four modes a NIC can use
• Master mode
• Managed mode
• Ad-hoc mode
• Monitor mode
See link l_14j
Master Mode
• Also called AP or Infrastructure mode
• Looks like an access point
• Creates a network with
A name (SSID)
A channel
Managed Mode
• Also called Client mode
• The usual mode for a Wi-Fi laptop
• Joins a network created by a master
• Automatically changes channel to match the master
• Presents credentials, and if accepted, becomes associated with the master
Ad-hoc Mode
• Peer-to-peer network
• No master or Access Point
• Nodes must agree on a channel and SSID

Monitor Mode
• Does not associate with Access Point
• Listens to traffic
• Like a wired NIC in Promiscuous Mode
Wi-Fi NICs
To connect to a Wi-Fi network, you need a Network Interface Card (NIC)
The most common type is the PCMCIA card
• Designed for laptop computers
USB
• Can be used on a laptop or desktop PC
PCI
• Installs inside a desktop PC

Choosing a NIC
For penetration testing (hacking), consider these factors:
• Chipset
• Output power
• Receiving sensitivity
• External antenna connectors
• Support for 802.11i and improved WEP versions
Wi-Fi NIC Manufacturers
Each wireless card has two manufacturers
• The card itself is made by a company like
Netgear
Ubiquiti
Linksys
D-Link
many, many others
• But the chipset (control circuitry) is made by a different company
Chipsets
To find out what chipset your card uses, you must search on the Web
• Card manufacturers don't want you to know
Major chipsets:
• Prism
• Cisco Aironet
• Hermes/Orinoco
• Atheros
There are others

Prism Chipset
Prism chipset is a favorite among hackers
• Completely open -- specifications available
• Has more Linux drivers than any other chipset
See link l_14d
Prism chipset is the best choice for penetration testing
HostAP Linux Drivers are highly recommended, supporting:
• NIC acting as an Access Point
• Use of the iwconfig command to configure the NIC
See link l_14h
Cisco Aironet Chipset
Cisco proprietary – not open
Based on Prism, with more features
• Regulated power output
• Hardware-based channel-hopping
Very sensitive – good for wardriving
• Cannot use HostAP drivers
• Not useful for man-in-the-middle or other complex attacks
Hermes Chipset
Lucent proprietary – not open
Lucent published some source code for WaveLAN/ORiNOCO cards
Useful for all penetration testing, but requires
• Shmoo driver patches (link l_14l) to use monitor mode
Atheros Chipset
The most common chipset in 802.11a devices
• Best Atheros drivers are MadWIFI (link l_14m)
• Some cards work better than others
• Monitor mode is available, at least for some cards
Other Cards
If all else fails, you could use Windows drivers with a wrapper to make them work in Linux
• DriverLoader (link l_14n)
• NdisWrapper (link l_14o)
But all you'll get is basic functions, not monitor mode or packet injection
• Not much use for hacking
Cracking WEP: Tools and Principles
A Simple WEP Crack
The Access Point and Client are using WEP encryption
The hacker device just listens

Listening is Slow
You need to capture 50,000 to 200,000 "interesting" packets to crack a 64-bit WEP key
• The "interesting" packets are the ones containing Initialization Vectors (IVs)
• Only about ¼ of the packets contain IVs
• So you need 200,000 to 800,000 packets
It can take hours or days to capture that many packets
Packet Injection
A second hacker machine injects packets to create more "interesting" packets
Injection is MUCH Faster
With packet injection, the listener can collect 200 IVs per second
5 – 10 minutes is usually enough to crack a 64-bit key
Cracking a 128-bit key takes an hour or so
• Link l_14r
AP & Client Requirements
Access Point
• Any AP that supports WEP should be fine (they all do)
Client
• Any computer with any wireless card will do
• Could use Windows or Linux
Listener Requirements
NIC must support Monitor Mode
Could use Windows or Linux
• But you can't use NDISwrapper
Software
• Airodump (part of the Aircrack Suite) for Windows or Linux (see Link l_14q)
• BackTrack is a live Linux CD with Aircrack on it (and many other hacking tools)
Link l_14n
Injector Requirements
NIC must support injection
Must use Linux
Software
• void11 and aireplay
Link l_14q
Sources
http://www.aircrack-ng.org/doku.php?id=compatible_cards (link l_14a)
http://www.wi-foo.com/ (link l_14c)
http://www.vias.org/wirelessnetw/wndw_05_04.html (link l_14j)
http://smallnetbuilder.com/content/view/24244/98/ (link l_14p)

Last modified 5-11-09

Lecture 15: Man in the Middle Attack to get Passwords from HTTPS Sessions

How HTTPS Works


HTTP v. HTTPS
HTTP doesn't encrypt data at all
• You can sniff traffic with Wireshark, ettercap, etc.
• Completely insecure
HTTPS uses public-key encryption to secure data
• Much safer, but it can still be cracked to some extent by a man-in-the-middle attack
Components of HTTPS
When you use a secure session (HTTPS), these protocols work together:
• Address Resolution Protocol (ARP)
• Domain Name System (DNS)
• Secure Sockets Layer (SSL)
ARP Request and Reply
Client wants to find Gateway
ARP Request: Who has 192.168.2.1?
ARP Reply:
• MAC: 00-30-bd-02-ed-7b has 192.168.2.1
Demonstration: Sniffing ARP with Wireshark
Start Wireshark capturing packets
Clear the ARP cache
• arp -d *
Ping the default gateway

DNS Query and Response
Client wants to find Gmail.com
DNS Query: Where is Gmail.com?
DNS Response:
• Gmail.com is at 64.233.171.83

Demonstration: Sniffing DNS with Wireshark
Start Wireshark capturing packets
Clear the DNS cache
• ipconfig /flushdns
Ping Gmail.com

SSL Handshake
SSL handshake has three stages:
• Hellos
• Certificate, Key Exchange, and Authentication
• "Change cipher spec" – handshake finished
The Gateway just forwards all this traffic to the Web server
Demonstration: Sniffing SSL Handshake with Wireshark
Start Wireshark capturing packets
Open a browser and go to yahoo.com
Click the My Mail button

[Figure: Wireshark capture of the HTTPS connection, with groups of packets labeled Hand, Hello, and Key]
Hand – these three packets are the TCP Handshake, which happens before the SSL handshake
Hello – these two packets are the Hellos, which start the SSL handshake
Key – these packets perform the last two stages of the SSL handshake:
• Certificate, Key Exchange, and Authentication
• "Change cipher spec" – handshake finished

Open a Socket to Port 443
This is the usual SYN, SYN/ACK, ACK TCP handshake
Port 443 is used for HTTPS
Hellos
Client Hello
Server sends Hello
• This exchange is used to agree on a protocol version and encryption method
Certificate, Key Exchange, and Authentication
Server sends Certificate
Client sends Public Key
Client Authenticates Certificate with Certificate Authority (not visible)
Change Cipher Spec
Server sends "Change Cipher Spec"
Client sends "Change Cipher Spec"
SSL Handshake is done, now client can send encrypted Application Data
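To make the three stages concrete, here is an added Python dissector (not from the lecture, and not code from Wireshark or the dsniff project) that walks a stream of TLS records and labels each message with the stage the lecture uses, much like Wireshark's Info column does. The records are constructed in the script with placeholder message bodies, the client's Change Cipher Spec is sent before the server's as the TLS specification requires, and the dissector also flags Application Data that shows up before both sides have changed cipher spec, which is the one thing a defender reading a capture should never see.

```python
import struct

CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
HANDSHAKE_NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   12: "ServerKeyExchange", 13: "CertificateRequest", 14: "ServerHelloDone",
                   15: "CertificateVerify", 16: "ClientKeyExchange", 20: "Finished"}
# Map each handshake message onto the three stages used in the lecture
STAGE = {1: "Hellos", 2: "Hellos"}
STAGE.update({t: "Certificate, Key Exchange, and Authentication" for t in (11, 12, 13, 14, 15, 16)})

def record(content_type, body, version=(3, 1)):
    """TLS record layer: type(1) version(2) length(2) body."""
    return struct.pack("!BBBH", content_type, version[0], version[1], len(body)) + body

def handshake_msg(msg_type, body=b""):
    """Handshake layer: type(1) length(3) body (bodies are placeholders in this example)."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def dissect(stream):
    """stream: list of (direction, bytes), direction "C" = client or "S" = server.
    Returns one (direction, stage, message) tuple per message seen."""
    events = []
    encrypted = {"C": False, "S": False}          # set once that side sent Change Cipher Spec
    for direction, data in stream:
        off = 0
        while off < len(data):
            if off + 5 > len(data):
                raise ValueError("truncated record header")
            ctype, _maj, _min, length = struct.unpack("!BBBH", data[off:off + 5])
            body = data[off + 5:off + 5 + length]
            if len(body) != length:
                raise ValueError("truncated record body")
            off += 5 + length
            if ctype == CHANGE_CIPHER_SPEC:
                encrypted[direction] = True
                events.append((direction, "Change cipher spec", "ChangeCipherSpec"))
            elif ctype == HANDSHAKE and encrypted[direction]:
                # After CCS the Finished message is encrypted; only the record type is visible
                events.append((direction, "Change cipher spec", "Encrypted Handshake Message"))
            elif ctype == HANDSHAKE:
                hoff = 0                              # one record may carry several messages
                while hoff + 4 <= len(body):
                    htype = body[hoff]
                    hlen = int.from_bytes(body[hoff + 1:hoff + 4], "big")
                    hoff += 4 + hlen
                    events.append((direction, STAGE.get(htype, "Other"),
                                   HANDSHAKE_NAMES.get(htype, f"HandshakeType {htype}")))
            elif ctype == APPLICATION_DATA:
                done = encrypted["C"] and encrypted["S"]
                events.append((direction, "Application Data", "Application Data" if done
                               else "Application Data (handshake not finished!)"))
            elif ctype == ALERT:
                events.append((direction, "Alert", "Alert"))
            else:
                events.append((direction, "Other", f"ContentType {ctype}"))
    return events

def handshake_finished(events):
    """True when both sides sent Change Cipher Spec and no Application Data came early."""
    ccs_sides = {d for d, _, m in events if m == "ChangeCipherSpec"}
    premature = any("not finished" in m for _, _, m in events)
    return ccs_sides == {"C", "S"} and not premature

def sample_session():
    """Constructed exchange covering all three stages, with placeholder bodies."""
    return [
        ("C", record(HANDSHAKE, handshake_msg(1, b"\x03\x01" + b"\x00" * 34))),   # ClientHello
        ("S", record(HANDSHAKE, handshake_msg(2, b"\x03\x01" + b"\x00" * 34)     # ServerHello
                              + handshake_msg(11, b"\x00" * 20)                  # Certificate
                              + handshake_msg(14))),                             # ServerHelloDone
        ("C", record(HANDSHAKE, handshake_msg(16, b"\x00" * 48))                 # ClientKeyExchange
            + record(CHANGE_CIPHER_SPEC, b"\x01")
            + record(HANDSHAKE, b"\x00" * 40)),                                  # encrypted Finished
        ("S", record(CHANGE_CIPHER_SPEC, b"\x01") + record(HANDSHAKE, b"\x00" * 40)),
        ("C", record(APPLICATION_DATA, b"GET / HTTP/1.1\r\n")),
    ]

if __name__ == "__main__":
    for direction, stage, message in dissect(sample_session()):
        print(f"{direction}  {stage:45s} {message}")
```

The dissector only reads record and handshake headers, so it sees exactly what a passive listener on the gateway sees: the Hellos and Certificate in the clear, and nothing but "Encrypted Handshake Message" after Change Cipher Spec.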

Summary of HTTPS Process
SSL handshake has three stages:
• Hellos
• Certificate, Key Exchange, and Authentication
• "Change cipher spec" – handshake finished
Man-in-the-Middle Attack
ARP Cache Poisoning
The Linux utility 'arpspoof' sends a constant series of ARP REPLIES
This diverts Ethernet traffic to the hacker
• Part of the 'dsniff' package
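The ARP Request and Reply exchange earlier in this lecture and the ARP cache poisoning described here are two sides of one detection problem, so as an added example (not part of the lecture, and not code from dsniff or arpwatch) here is a Python ARP watcher in the spirit of arpwatch: it parses Ethernet/ARP frames, remembers which host asked about which address, and raises an alert for replies that nobody asked for and for replies that contradict a mapping already learned from a legitimate answer. A constant stream of unsolicited replies, as 'arpspoof' sends, trips both checks on every packet. The frames are constructed in the script; the gateway IP and MAC are the ones from the lecture's ARP example, while the client and rogue MACs are made up.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def mac(s):
    return bytes.fromhex(s.replace("-", "").replace(":", ""))

def ip4(s):
    return bytes(int(x) for x in s.split("."))

def fmt_mac(b):
    return "-".join(f"{x:02x}" for x in b)

def fmt_ip(b):
    return ".".join(str(x) for x in b)

def arp_frame(oper, sha, spa, tha, tpa):
    """Ethernet II + ARP (Ethernet/IPv4) frame; requests go to the broadcast address."""
    dst = mac("ff-ff-ff-ff-ff-ff") if oper == ARP_REQUEST else tha
    eth = dst + sha + struct.pack("!H", ETHERTYPE_ARP)
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + sha + spa + tha + tpa

def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper, "sha": frame[22:28], "spa": frame[28:32],
            "tha": frame[32:38], "tpa": frame[38:42]}

class ArpWatch:
    """Tracks outstanding requests and flags replies nobody asked for, or replies that
    contradict a mapping learned from a solicited answer."""
    def __init__(self):
        self.known = {}        # ip -> mac, learned only from solicited replies
        self.pending = set()   # (asker mac, ip asked about) for outstanding requests
        self.alerts = []       # (kind, ip, mac)

    def observe(self, frame):
        a = parse_arp(frame)
        if a is None:
            return
        if a["oper"] == ARP_REQUEST:
            self.pending.add((a["sha"], a["tpa"]))
        elif a["oper"] == ARP_REPLY:
            solicited = (a["tha"], a["spa"]) in self.pending
            if solicited:
                self.pending.discard((a["tha"], a["spa"]))
            else:
                self.alerts.append(("unsolicited-reply", fmt_ip(a["spa"]), fmt_mac(a["sha"])))
            known = self.known.get(a["spa"])
            if known is None and solicited:
                self.known[a["spa"]] = a["sha"]          # first legitimate answer wins
            elif known is not None and known != a["sha"]:
                self.alerts.append(("mapping-conflict", fmt_ip(a["spa"]), fmt_mac(a["sha"])))

def run_sample():
    """Constructed traffic: one legitimate ARP exchange for the gateway, then a burst of
    forged replies for the same address from a different MAC."""
    gw_mac, gw_ip = mac("00-30-bd-02-ed-7b"), ip4("192.168.2.1")   # from the lecture's example
    cl_mac, cl_ip = mac("00-11-22-33-44-55"), ip4("192.168.2.10")  # constructed client
    rogue_mac = mac("00-de-ad-be-ef-01")                            # constructed rogue host
    frames = [arp_frame(ARP_REQUEST, cl_mac, cl_ip, mac("00-00-00-00-00-00"), gw_ip),
              arp_frame(ARP_REPLY, gw_mac, gw_ip, cl_mac, cl_ip)]
    frames += [arp_frame(ARP_REPLY, rogue_mac, gw_ip, cl_mac, cl_ip) for _ in range(3)]
    watch = ArpWatch()
    for f in frames:
        watch.observe(f)
    return watch

if __name__ == "__main__":
    for alert in run_sample().alerts:
        print(*alert)
```

A production watcher would age out the pending set and persist the known table, but the two checks shown are the core of what arpwatch-style tools alert on.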
DNS Spoofing
The Linux utility 'dnsspoof' listens for DNS queries
Sends forged DNS responses that direct the client's Web traffic to the hacker
• Part of the 'dsniff' package
IP Routing
'fragrouter' can forward packets to their correct destination
That allows normal Web surfing (HTTP)
• Part of the 'dsniff' package
• This could also be done with 'iptables'
SSL Spoofing
'webmitm' creates a Certificate and intercepts SSL handshakes
• Part of the 'dsniff' package
Limitations of the Attack
The SSL spoofing is not perfect
You can't actually log in and read email
• Internet Explorer sends your password to the hacker before giving up on the connection
• Firefox doesn't send your password to the hacker
Sources
Hacking videos from link l_15b
• How to decrypt SSL encrypted traffic using a man in the middle attack (Auditor).swf
• MITM Hijacking.wmv
SSL Handshake information from l_15a (cs.bham.ac.uk)

Last modified 5-11-09

