Counter Hack

A Step-by-Step Guide to Computer Attacks and Effective Defenses

Edward Skoudis

564 pages, published 01/09/2001

Summary

The Next Generation Hacker Book

The step-by-step guide to defending against hacker intrusions!

  • Defend against today's most powerful hacker attacks!
  • Hands-on, step-by-step techniques for UNIX/Linux and Windows environments
  • Intrusion detection: New evasion techniques—and countermeasures
  • By the security expert who demonstrated hacking to the U.S. Senate!

This easy-to-use, step-by-step guide will empower network and system administrators to defend their information and computing assets—whether or not they have security experience. In Counter Hack, leading network security expert Edward Skoudis presents comprehensive, insider's explanations of today's most destructive hacker tools and tactics, and specific, proven countermeasures for both UNIX and Windows environments. Skoudis covers all this and more:

  • Know your adversary: from script kiddies to elite attackers
  • A hacker's view of networks, TCP/IP protocols, and their vulnerabilities
  • Five phases of hacking: reconnaissance, scanning, gaining access, maintaining access, and preventing detection
  • The most dangerous and widespread attack scenarios—explained in depth
  • Key hacker tools: port scanners, firewall scanners, sniffers, session hijackers, RootKits, and more
  • How hackers build elegant attacks from simple building blocks
  • Detecting and preventing IP spoofing, covert channels, denial of service attacks, and other key attacks
  • How hackers cover their tracks—and how you can uncover their handiwork
  • A preview of tomorrow's hacker tools, attacks, and countermeasures

Whatever your role in protecting network infrastructure and data, Counter Hack delivers proven solutions you can implement right now—and long-term strategies that will improve security for years to come.

Contents

Preface
Acknowledgments
1: Introduction
The Computer World and the Golden Age of Hacking
Why This Book?
Why Cover These Specific Tools and Techniques?
How This Book Differs
The Threat: Never Underestimate Your Adversary
Attacker Skill Levels: From Script Kiddies to the Elite
A Note on Terminology and Iconography
Hackers, Crackers, and Hats of Many Colors: Let's Just Use "Attackers"
Pictures and Scenarios
Naming Names
Caveat: These Tools Could Hurt You
Setting Up a Lab for Experimentation
Additional Concerns
Organization of the Rest of This Book
Getting up to Speed with the Technology
Common Phases of the Attack
Future Predictions, Conclusions, and References
2: Networking Overview: Pretty Much Everything You Need to Know about TCP/IP to Follow the Rest of This Book, in 55 Pages or Less
The OSI Reference Model and Protocol Layering
So How Does TCP/IP Fit In?
Understanding TCP/IP
The Transmission Control Protocol (TCP)
TCP Port Numbers
TCP Control Bits, the Three-Way Handshake, and Sequence Numbers
Other Fields in the TCP Header
The User Datagram Protocol (UDP)
Is UDP Less Secure Than TCP?
The Internet Protocol (IP) and the Internet Control Message Protocol (ICMP)
IP: Drop That Acronym and Put Your Hands in the Air!
Local Area Networks and Routers
IP Addresses
Netmasks
Packet Fragmentation in IP
Other Components of the IP Header
Security (or Lack Thereof) in Traditional IP
ICMP
Other Network-Level Issues
Routing Packets
Network Address Translation
Firewalls: Network Traffic Cops and Soccer Goalies
Getting Personal with Firewalls
Don't Forget about the Data Link and Physical Layers!
Ethernet, the King of Connectivity
ARP ARP ARP!
Hubs and Switches
Security Solutions for Networks
Application-Layer Security
The Secure Socket Layer (SSL)
Security at the IP Level: IPSec
Conclusions
3: UNIX Overview: Pretty Much Everything You Need to Know about UNIX to Follow the Rest of This Book, in 30 Pages or Less
Introduction
Learning about UNIX
Architecture
UNIX File System Structure
The Kernel and Processes
Automatically Starting up Processes: Init, Inetd, and Cron
Manually Starting Processes
Interacting with Processes
Accounts and Groups
The /etc/passwd File
The /etc/group File
Root: It's a Bird: It's a Plane: No, it's Super-User!
Privilege Control: UNIX Permissions
SetUID Programs
UNIX Trust
Logs and Auditing
Common UNIX Network Services
Telnet: Command-Line Remote Access
FTP: The File Transfer Protocol
TFTP: The Trivial File Transfer Protocol
Web Servers: HTTP
Electronic Mail
r-Commands
Domain Name Services
The Network File System (NFS)
X Window System
Conclusion
4: Windows NT/2000 Overview: Pretty Much Everything You Need to Know about Windows to Follow the Rest of This Book, in 40 Pages or Less
Introduction
A Brief History of Time
Fundamental NT Concepts
Domains: Grouping Machines Together
Shares: Accessing Resources across the Network
Service Packs and Hot Fixes
Architecture
User Mode
How Windows NT Password Representations Are Derived
Kernel Mode
Accounts and Groups
Accounts
Groups
Privilege Control
Policies
Account Policy
User Properties Settings
Trust
Auditing
Object Access Control and Permissions
Ownership
NTFS and NTFS Permissions
Share Permissions
Local Access
Weak Default Permissions and Hardening Guides
Network Security
Limitations in Basic Network Protocols and APIs
The Remote Access Service (RAS)
Windows 2000: Welcome to the New Millennium
What Windows 2000 Offers
Security Considerations in Windows 2000
Architecture: Some Refinements over Windows NT
Accounts and Groups
Privilege Control
Windows 2000 Trust
Auditing
Object Access Control
Network Security
Conclusion
5: Phase 1: Reconnaissance
Low-Technology Reconnaissance: Social Engineering, Physical Break-in, and Dumpster Diving
Social Engineering
Physical Break-In
Dumpster Diving
Search the Fine Web (STFW)
Searching an Organization's Own Web Site
The Fine Art of Using Search Engines
Listening in at the Virtual Watering Hole: Usenet
Defenses against Web-Based Reconnaissance
Whois Databases: Treasure Chests of Information
Researching .com, .net, and .org Domain Names
Researching Domain Names Other than .com, .net, and .org
We've Got the Registrar, Now What?
IP Address Assignments through ARIN
Defenses against Whois Searches
The Domain Name System
Interrogating DNS Servers
Defenses from DNS-Based Reconnaissance
General Purpose Reconnaissance Tools
Sam Spade, a General-Purpose Reconnaissance Client Tool
Web-Based Reconnaissance Tools: Research and Attack Portals
Conclusion
6: Phase 2: Scanning
War Dialing
War Dialer vs. Demon Dialer
A Toxic Recipe: Modems, Remote Access Products, and Clueless Users
SysAdmins and Insecure Modems
More Free Phone Calls, Please
Finding Telephone Numbers to Feed into a War Dialer
A Brief History of War-Dialing Tools
THC-Scan 2.0
L0pht's TBA War-Dialing Tool
The War Dialer Provides a List of Lines with Modems: Now What?
Defenses against War Dialing
Network Mapping
Sweeping: Finding Live Hosts
Traceroute: What Are the Hops?
Cheops: A Nifty Network Mapper and General-Purpose Management Tool
Defenses against Network Mapping
Determining Open Ports Using Port Scanners
Nmap: A Full-Featured Port Scanning Tool
Defenses against Port Scanning
Determining Firewall Filter Rules with Firewalk
Vulnerability Scanning Tools
A Whole Bunch of Vulnerability Scanners
Nessus
Vulnerability Scanning Defenses
Intrusion Detection System Evasion
How Network-Based Intrusion Detection Systems Work
How Attackers Can Evade Network-Based Intrusion Detection Systems
IDS Evasion Defenses
Conclusion
7: Phase 3: Gaining Access Using Application and Operating System Attacks
Script Kiddie Exploit Trolling
Pragmatism for More Sophisticated Attackers
Stack-Based Buffer Overflow Attacks
What Is a Stack?
What is a Stack-Based Buffer Overflow?
Exploiting Stack-Based Buffer Overflows
Finding Buffer Overflow Vulnerabilities
The Makeup of a Buffer Overflow
Intrusion Detection Systems and Stack-Based Buffer Overflows
Application Layer IDS Evasion for Buffer Overflows
Once the Stack Is Smashed: Now What?
Beyond Buffer Overflows
Stack-Based Buffer Overflow and Related Attack Defenses
Password Attacks
Guessing Default Passwords
Password Guessing through Login Scripting
The Art and Science of Password Cracking
Let's Crack Those Passwords!
Cracking Windows NT/2000 Passwords Using L0phtCrack
Cracking UNIX (and Other) Passwords Using John the Ripper
Defenses against Password-Cracking Attacks
Web Application Attacks
Account Harvesting
Undermining Web Application Session Tracking
SQL Piggybacking
Defenses against Piggybacking SQL Commands
Conclusions
8: Phase 3: Gaining Access Using Network Attacks
Sniffing
Sniffing through a Hub: Passive Sniffing
Active Sniffing: Sniffing through a Switch and Other Cool Goodies
Dsniff, A Sniffing Cornucopia
Sniffing Defenses
IP Address Spoofing
IP Address Spoofing Flavor 1: Simple Spoofing: Simply Changing the IP Address
IP Address Spoofing Flavor 2: Undermining UNIX r-Commands
IP Address Spoofing Flavor 3: Spoofing with Source Routing
IP Spoofing Defenses
Session Hijacking
Session Hijacking with Hunt
Session-Hijacking Defenses
Netcat: A General Purpose Network Tool
Netcat for File Transfer
Netcat for Port Scanning
Netcat for Making Connections to Open Ports
Netcat for Vulnerability Scanning
Using Netcat to Create a Passive Backdoor Command Shell
Using Netcat to Actively Push a Backdoor Command Shell
Relaying Traffic with Netcat
Netcat Defenses
Conclusions
9: Phase 3: Denial-of-Service Attacks
Stopping Local Services
Defenses from Locally Stopping Services
Locally Exhausting Resources
Defenses from Locally Exhausting Resources
Remotely Stopping Services
Defenses from Remotely Stopping Services
Remotely Exhausting Resources
SYN Flood
Smurf Attacks
Distributed Denial-of-Service Attacks
Conclusions
10: Phase 4: Maintaining Access: Trojans, Backdoors, and RootKits: Oh My!
Trojan Horses
Backdoors
Netcat as a Backdoor on UNIX Systems
The Devious Duo: Backdoors Melded into Trojan Horses
Nasty: Application-Level Trojan Horse Backdoor Tools
Let's Check out Back Orifice 2000 (BO2K)
Defenses against Application-Level Trojan Horse Backdoors
Bare Minimum: Use Antivirus Tools
Don't Use Single-Purpose BO2K Checkers
Know Your Software
User Education Is Also Critical
Even Nastier: Traditional RootKits
What Do Traditional RootKits Do?
The Centerpiece of Traditional RootKits on UNIX: /bin/login Replacement
Traditional RootKits: Sniff Some Passwords
Traditional RootKits: Hide that Sniffer!
Traditional RootKits: Hide Everything Else!
Traditional RootKits: Covering the Tracks
Some Particular Examples of Traditional RootKits
Defending against Traditional RootKits
Don't Let Them Get Root in the First Place!
Looking for Changes in the File System
Host-Based Security Scanners
The Best Defense: File Integrity Checkers
Uh-oh: They RootKitted Me
How Do I Recover?
Nastiest: Kernel-Level RootKits
The Power of Execution Redirection
File Hiding with Kernel-Level RootKits
Process Hiding with Kernel-Level RootKits
Network Hiding with Kernel-Level RootKits
How to Implement Kernel-Level RootKits: Loadable Kernel Modules
Some Particular Examples of Kernel-Level RootKits
Defending against Kernel-Level RootKits
Fighting Fire with Fire: Don't Do It!
Don't Let Them Get Root in the First Place!
Looking for Traces of Kernel-Level RootKits
Automated RootKit Checkers
The Best Answer: Kernels without LKM Support
Conclusion
11: Phase 5: Covering Tracks and Hiding
Hiding Evidence by Altering Event Logs
Attacking Event Logs in Windows NT/2000
Attacking System Logs and Accounting Files in UNIX
Altering UNIX Shell History Files
Defenses against Log and Accounting File Attacks
Activate Logging, Please
Set Proper Permissions
Use a Separate Logging Server
Encrypt Your Log Files
Making Log Files Append Only
Protecting Log Files with Write-Once Media
Creating Difficult-to-Find Files and Directories
Creating Hidden Files and Directories in UNIX
Creating Hidden Files in Windows NT/2000
Defenses from Hidden Files
Hiding Evidence on the Network: Covert Channels
Tunneling
More Covert Channels: Using the TCP and IP Headers to Carry Data
Defenses against Covert Channels
Conclusion
12: Putting It All Together: Anatomy of an Attack
Scenario 1: Dial "M" for Modem
Scenario 2: Death of a Telecommuter
Scenario 3: The Manchurian Contractor
Conclusion
13: The Future, Resources, and Conclusions
Where Are We Heading?
Scenario 1: Yikes!
Scenario 2: A Secure Future
Scenario 1, Then Scenario 2
Keeping up to Speed
Web Sites
Mailing Lists
Conferences
Final Thoughts: Live Long and Prosper
Glossary
Index

About the author - Edward Skoudis

Edward Skoudis is Vice President of Security Strategy for Predictive Systems, a leading independent infrastructure network consulting company, helping global enterprises and service providers harness the power of network technology. His specialty is identifying and resolving security vulnerabilities in UNIX, Windows, firewall architectures, and Web servers. Skoudis is a frequent speaker at major security conferences such as SANS and has demonstrated hacker techniques for the United States Senate.

Technical details

  PAPER
Publisher(s) Prentice Hall
Author(s) Edward Skoudis
Publication date 01/09/2001
Number of pages 564
Format 17.8 x 23.4 cm
Binding Paperback
Weight 1119 g
Interior Black and white
EAN13 9780130332738
