Hack I.T.: Security Through Penetration Testing
Foreword
Preface
Audience
Authors
How to Use This Book
Acknowledgments
Introduction
1. Hacking Today
2. Defining the Hacker
2.1 Hacker Skill Levels
2.2 Information Security Consultants
2.3 Hacker Myths
2.4 Information Security Myths
3. Penetration for Hire
3.1 Ramifications of Penetration Testing
3.2 Requirements for a Freelance Consultant
3.3 Announced vs. Unannounced Penetration Testing
4. Where the Exposures Lie
4.1 Application Holes
4.2 Berkeley Internet Name Domain (BIND) Implementations
4.3 Common Gateway Interface (CGI)
4.4 Clear Text Services
4.5 Default Accounts
4.6 Domain Name Service (DNS)
4.7 File Permissions
4.8 FTP and telnet
4.9 ICMP
4.10 IMAP and POP
4.11 Modems
4.12 Lack of Monitoring and Intrusion Detection
4.13 Network Architecture
4.14 Network File System (NFS)
4.15 NT Ports 135–139
4.16 NT Null Connection
4.17 Poor Passwords and User IDs
4.18 Remote Administration Services
4.19 Remote Procedure Call (RPC)
4.20 SENDMAIL
4.21 Services Started by Default
4.22 Simple Mail Transport Protocol (SMTP)
4.23 Simple Network Management Protocol (SNMP) Community Strings
4.24 Viruses and Hidden Code
4.25 Web Server Sample Files
4.26 Web Server General Vulnerabilities
4.27 Monitoring Vulnerabilities
5. Internet Penetration
5.1 Network Enumeration/Discovery
5.2 Vulnerability Analysis
5.3 Exploitation
Case Study: Dual-Homed Hosts
6. Dial-In Penetration
6.1 War Dialing
6.2 War Dialing Method
6.3 Gathering Numbers
6.4 Precautionary Methods
6.5 War Dialing Tools
Case Study: War Dialing
7. Testing Internal Penetration
7.1 Scenarios
7.2 Network Discovery
7.3 NT Enumeration
7.4 UNIX
7.5 Searching for Exploits
7.6 Sniffing
7.7 Remotely Installing a Hacker Tool Kit
7.8 Vulnerability Scanning
Case Study: Snoop the User Desktop
8. Social Engineering
8.1 The Telephone
8.2 Dumpster Diving
8.3 Desktop Information
8.4 Common Countermeasures
9. UNIX Methods
9.1 UNIX Services
9.2 Buffer Overflow Attacks
9.3 File Permissions
9.4 Applications
9.5 Misconfigurations
9.6 UNIX Tools
Case Study: UNIX Penetration
10. The Tool Kit
10.1 Hardware
10.2 Software
10.3 VMware
11. Automated Vulnerability Scanners
11.1 Definition
11.2 Testing Use
11.3 Shortfalls
11.4 Network-Based and Host-Based Scanners
11.5 Tools
11.6 Network-Based Scanners
11.7 Host-Based Scanners
11.8 Pentasafe VigilEnt
11.9 Conclusion
12. Discovery Tools
12.1 WS_Ping ProPack
12.2 NetScanTools
12.3 Sam Spade
12.4 Rhino9 Pinger
12.5 VisualRoute
12.6 Nmap
12.7 What's running
13. Port Scanners
13.1 Nmap
13.2 7th Sphere Port Scanner
13.3 Strobe
13.4 SuperScan
14. Sniffers
14.1 Dsniff
14.2 Linsniff
14.3 Tcpdump
14.4 BUTTSniffer
14.5 SessionWall-3 (Now eTrust Intrusion Detection)
14.6 AntiSniff
15. Password Crackers
15.1 L0phtCrack
15.2 pwdump2
15.3 John the Ripper
15.4 Cain
15.5 ShowPass
16. Windows NT Tools
16.1 NET USE
16.2 Null Connection
16.3 NET VIEW
16.4 NLTEST
16.5 NBTSTAT
16.6 epdump
16.7 NETDOM
16.8 Getmac
16.9 Local Administrators
16.10 Global (“Domain Admins”)
16.11 Usrstat
16.12 DumpSec
16.13 user2Sid/sid2User
16.14 NetBIOS Auditing Tool (NAT)
16.15 SMBGrind
16.16 SRVCHECK
16.17 SRVINFO
16.18 AuditPol
16.19 REGDMP
16.20 Somarsoft DumpReg
16.21 Remote
16.22 Netcat
16.23 SC
16.24 AT
16.25 FPipe
Case Study: Weak Passwords
Case Study: Internal Penetration to Windows
17. Web-Testing Tools
17.1 Whisker
17.2 SiteScan
17.3 THC Happy Browser
17.4 wwwhack
17.5 Web Cracker
17.6 Brutus
Case Study: Compaq Management Agents Vulnerability
18. Remote Control
18.1 pcAnywhere
18.2 Virtual Network Computing
18.3 NetBus
18.4 Back Orifice 2000
19. Intrusion Detection Systems
19.1 Definition
19.2 IDS Evasion
19.3 Pitfalls
19.4 Traits of Effective IDSs
19.5 IDS Selection
20. Firewalls
20.1 Definition
20.2 Monitoring
20.3 Configuration
20.4 Change Control
20.5 Firewall Types
20.6 Network Address Translation
20.7 Evasive Techniques
20.8 Firewalls and Virtual Private Networks
Case Study: Internet Information Server Exploit—MDAC
21. Denial-of-Service Attacks
21.1 Resource Exhaustion Attacks
21.2 Port Flooding
21.3 SYN Flooding
21.4 IP Fragmentation Attacks
21.5 Distributed Denial-of-Service Attacks
21.6 Application-Based DoS Attacks
21.7 Concatenated DoS Tools
21.8 Summary
22. Wrapping It Up
22.1 Countermeasures
22.2 Keeping Current
23. Future Trends
23.1 Authentication
23.2 Encryption
23.3 Public Key Infrastructure
23.4 Distributed Systems
23.5 Forensics
23.6 Government Regulation
23.7 Hacking Techniques
23.8 Countermeasures
23.9 Cyber-Crime Insurance
A. CD-ROM Contents
Organization of the CD-ROM
Compilation of Programs
B. The Twenty Most Critical Internet Security Vulnerabilities—The Experts' Consensus
The SANS Institute
G1—Default Installs of Operating Systems and Applications
G2—Accounts with No Passwords or Weak Passwords
G3—Non-existent or Incomplete Backups
G4—Large Number of Open Ports
G5—Not Filtering Packets for Correct Incoming and Outgoing Addresses
G6—Non-existent or Incomplete Logging
G7—Vulnerable CGI Programs
W1—Unicode Vulnerability (Web Server Folder Traversal)
W2—ISAPI Extension Buffer Overflows
W3—IIS RDS Exploit (Microsoft Remote Data Services)
W4—NETBIOS—Unprotected Windows Networking Shares
W5—Information Leakage Via Null Session Connections
W6—Weak Hashing in SAM (LM Hash)
U1—Buffer Overflows in RPC Services
U2—Sendmail Vulnerabilities
U3—Bind Weaknesses
U4—R Commands
U5—LPD (Remote Print Protocol Daemon)
U6—Sadmind and Mountd
U7—Default SNMP Strings
Appendix A—Common Vulnerable Ports
Appendix B—The Experts Who Helped Create the Top Ten and Top Twenty Internet Vulnerability Lists