Hacker Techniques, Tools, and Incident Handling
PEARSON Custom Publishing
ULB Darmstadt


CONTENTS

Introduction
  About the Book xv
  Conventions Used in the Book xvii

Chapter 1—Introduction to Hacking
  1.1 Basics of Hacking Techniques 1.3
    1.1.1 Hacker Communities 1.3
    1.1.2 Evolution of Hacking 1.5
    1.1.3 Classes of Hackers 1.7
    1.1.4 Hacker Motivations 1.8
    1.1.5 Hacker Mindset 1.9
  1.2 Ethics of Hacking 1.11
    1.2.1 Need for Ethics 1.11
    1.2.2 Ethical Issues of Information Technology 1.12
    1.2.3 Ethical Issues of Hacking 1.12
    1.2.4 Ethical Hacking and System Security 1.13
  1.3 Hacking Techniques 1.14
    1.3.1 Common Hacking Techniques 1.14
    1.3.2 Common Hacking Scenarios 1.16
  1.4 Information Warfare 1.17
    1.4.1 Threats of Information Warfare 1.17
    1.4.2 Cyberterrorism 1.19
  Summary 1.20

Chapter 2—Password Cracking
  2.1 Introduction 2.3
    2.1.1 Cryptography 2.3
    2.1.2 Encryption Algorithms 2.5


  2.2 Password Stealing 2.8
    2.2.1 Dictionary Attacks 2.8
    2.2.2 Brute-Force Attacks 2.12
    2.2.3 Observation 2.14
    2.2.4 Social Engineering 2.15
    2.2.5 Sniffing Methods 2.15
    2.2.6 Password-File Stealing 2.16
  2.3 Password Crackers 2.17
    2.3.1 Crack 2.17
    2.3.2 John the Ripper 2.18
    2.3.3 L0phtCrack 2.24
    2.3.4 Telnet-Brute 2.25
    2.3.5 Thunk 2.27
  Summary 2.29
  Homework Exercises 2.32
  Lab Exercises 2.33
    Exercise 1 2.33
    Exercise 2 2.35
    Exercise 3 2.37
    Exercise 4 2.38

Chapter 3—TCP/IP Vulnerabilities
  3.1 Introduction to TCP/IP 3.3
    3.1.1 Data Encapsulation 3.3
    3.1.2 IP 3.5
    3.1.3 TCP 3.7
    3.1.4 Connection Setup and Release 3.8
    3.1.5 TCP Timers 3.10
  3.2 Vulnerabilities in TCP/IP 3.12
    3.2.1 TCP SYN Attacks 3.12
    3.2.2 IP Spoofing 3.13
    3.2.3 Connection Hijacking 3.14
    3.2.4 RIP Attacks 3.14
    3.2.5 ICMP Attacks 3.15
  3.3 Securing TCP/IP 3.16
  Summary 3.18

Chapter 4—Sniffers
  4.1 Introduction to Sniffers 4.3
    4.1.1 Commercial Sniffers 4.3
    4.1.2 Underground Sniffers 4.3
    4.1.3 Components of a Sniffer 4.4


    4.1.4 Placement of a Sniffer 4.7
  4.2 Sniffer Operation 4.8
    4.2.1 Concept of a MAC Address 4.8
    4.2.2 Data Transfer over a Network 4.9
    4.2.3 Role of Sniffer on a Network 4.11
  4.3 Sniffer Programs 4.13
    4.3.1 Ethereal 4.13
    4.3.2 Tcpdump 4.14
    4.3.3 Snort 4.16
    4.3.4 Network Monitor 4.16
    4.3.5 Gobbler 4.18
    4.3.6 ETHLOAD 4.18
    4.3.7 Esniff 4.19
    4.3.8 Dsniff 4.19
    4.3.9 Sniffit 4.19
    4.3.10 Sunsniff 4.20
    4.3.11 Linux sniffer 4.20
    4.3.12 Sniffer Pro 4.20
  4.4 Detecting a Sniffer 4.21
    4.4.1 Ping Method 4.21
    4.4.2 Address Resolution Protocol (ARP) Method 4.23
    4.4.3 Reverse Domain Name System (DNS) Lookup Method 4.25
    4.4.4 Source-Route Method 4.26
    4.4.5 Decoy Method 4.28
    4.4.6 Commands 4.29
    4.4.7 Latency Method 4.30
    4.4.8 Time Domain Reflectometers (TDR) Method 4.31
  4.5 Protecting Against a Sniffer 4.32
    4.5.1 Secure Sockets Layer (SSL) 4.32
    4.5.2 Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extensions (S/MIME) 4.33
    4.5.3 Secure Shell (SSH) 4.34
  Summary 4.35
  Homework Exercises 4.37
  Lab Exercises 4.39
    Exercise 1 4.39
    Exercise 2 4.42
    Exercise 3 4.45
    Exercise 4 4.47
    Exercise 5 4.49

Chapter 5—Spoofing
  5.1 Overview 5.3
    5.1.1 Spoofing and Trust Relationship 5.5
  5.2 Consequences of Spoofing 5.7
    5.2.1 Economic Loss 5.7


    5.2.2 Strategic Loss 5.8
    5.2.3 General Data Loss 5.8
  5.3 Types of Spoofing 5.11
    5.3.1 Blind Spoofing 5.11
    5.3.2 Active Spoofing 5.12
    5.3.3 IP Spoofing 5.13
    5.3.4 ARP Spoofing 5.14
    5.3.5 Web Spoofing 5.15
    5.3.6 DNS Spoofing 5.16
  5.4 Spoofing Tools 5.17
    5.4.1 Apsend 5.17
    5.4.2 Aicmpsend 5.18
    5.4.3 Ettercap 5.19
    5.4.4 ARP Poisoning 5.22
  Summary 5.23

Chapter 6—Session Hijacking
  6.1 Introduction 6.3
  6.2 TCP Session Hijacking 6.4
    6.2.1 TCP Session Hijacking: Hacker's Point of View 6.5
    6.2.2 TCP Session Hijacking with Packet Blocking 6.10
    6.2.3 Route Table Modification 6.12
    6.2.4 ARP Attacks 6.16
  6.3 TCP Session-Hijacking Tools 6.20
    6.3.1 Juggernaut 6.20
    6.3.2 Hunt 6.22
  6.4 UDP Hijacking 6.23
  6.5 Protection from Session Hijacking 6.24
    6.5.1 Encryption 6.24
    6.5.2 Storm Watching 6.25
  Summary 6.26

Chapter 7—Hacking Networking Components
  7.1 Introduction 7.3
  7.2 Firewalls 7.4
    7.2.1 Limitations of Firewalls 7.5
    7.2.2 Types and Methods of Firewall Attacks 7.5
  7.3 Proxy Servers 7.10
    7.3.1 Types of Attacks 7.11
  7.4 Routers 7.14
    7.4.1 Types of Attacks 7.15


  7.5 VPNs 7.17
    7.5.1 Threats Through VPN 7.17
    7.5.2 Methods to Safeguard the Network from Attacks Through VPNs 7.18
  Summary 7.20
  Homework Exercises 7.22
  Lab Exercises 7.23
    Exercise 1 7.23
    Exercise 2 7.27
    Exercise 3 7.28
    Exercise 4 7.30

Chapter 8—Trojan Horses
  8.1 Introduction to Trojan Horses 8.3
    8.1.1 Evolution of Trojan Horses 8.3
  8.2 Workings of Trojans 8.5
    8.2.1 Trojans Attached to a File 8.5
    8.2.2 Trojans Created by Code Tampering 8.6
    8.2.3 Key-Logging Trojans 8.8
    8.2.4 How Trojans Spread 8.10
  8.3 Infamous Trojans 8.13
    8.3.1 NetBus 8.13
    8.3.2 Sub Seven 8.14
    8.3.3 Back Orifice 8.14
    8.3.4 AIDS 8.15
    8.3.5 util-linux 8.15
    8.3.6 Virus Droppers 8.16
  8.4 Detection and Prevention of Trojans 8.17
    8.4.1 Detection 8.17
    8.4.2 Trojan Detection Tools 8.19
    8.4.3 Prevention 8.20
  Summary 8.22

Chapter 9—Denial-of-Service Attacks
  9.1 Denial-of-Service Attacks 9.3
    9.1.1 Features of a DoS Attack 9.3
    9.1.2 Causes of DoS Attacks 9.4
    9.1.3 Types of DoS Attacks 9.4
  9.2 Flood Attacks 9.6
    9.2.1 TCP SYN 9.9
    9.2.2 SMURF 9.10
    9.2.3 Fraggle 9.12


  9.3 Software Attacks 9.13
    9.3.1 Ping of Death 9.14
    9.3.2 DNS Service Attacks 9.15
  9.4 Distributed Denial of Service 9.17
    9.4.1 DDoS Tools 9.19
    9.4.2 Prevention 9.20
  9.5 Prevention of DoS Attacks 9.22
    9.5.1 Prevention Methods 9.22
  Summary 9.25
  Homework Exercises 9.27
  Lab Exercises 9.29
    Exercise 1 9.29
    Exercise 2 9.30
    Exercise 3 9.31
    Exercise 4 9.33

Chapter 10—Reconnaissance Methods
  10.1 Introduction 10.3
    10.1.1 Reconnaissance 10.3
    10.1.2 Reconnaissance Methods 10.4
  10.2 Social Engineering 10.5
    10.2.1 Social Engineering Techniques 10.5
    10.2.2 Physical Intrusion 10.7
    10.2.3 Communication Media 10.9
    10.2.4 Countering Social Engineering 10.11
  10.3 Dumpster Diving 10.12
    10.3.1 Importance of Dumpster Diving 10.12
    10.3.2 Prevention of Dumpster Diving 10.13
  10.4 Internet Footprinting 10.14
    10.4.1 Web Searching 10.14
    10.4.2 Network Enumeration 10.16
    10.4.3 DNS-based Reconnaissance 10.18
    10.4.4 Network-based Reconnaissance 10.21
  Summary 10.25

Chapter 11—Scanning Tools
  11.1 Introduction 11.3
    11.1.1 Evolution of Scanners 11.3
    11.1.2 Functioning of Scanners 11.5
    11.1.3 Types of Scanning 11.5
  11.2 Scanners 11.8
    11.2.1 SATAN 11.8


    11.2.2 SAINT 11.10
    11.2.3 SAFEsuite Internet Scanner 11.10
    11.2.4 IdentTCPScan 11.11
    11.2.5 Nessus 11.12
    11.2.6 PortScan Plus 11.12
    11.2.7 nmap 11.13
    11.2.8 Strobe 11.21
    11.2.9 Blaster Scan 11.21
    11.2.10 Cheops 11.23
  Summary 11.26
  Homework Exercises 11.28
  Lab Exercises 11.29
    Exercise 1 11.29
    Exercise 2 11.31
    Exercise 3 11.32
    Exercise 4 11.35
    Exercise 5 11.37

Chapter 12—Buffer Overflows
  12.1 Introduction 12.3
    12.1.1 Concept of Buffer Overflow 12.3
  12.2 Types of Buffer Overflows 12.5
    12.2.1 Stack Overflow 12.5
    12.2.2 Heap Overflows 12.9
  12.3 Methods to Cause a Buffer Overflow 12.11
    12.3.1 Character-Set Decoding 12.11
    12.3.2 Nybble-to-Byte Compression 12.17
  12.4 Buffer Overflows: Detection and Prevention 12.19
    12.4.1 Detecting Buffer Overflow 12.19
    12.4.2 Preventing Buffer Overflow 12.19
  Summary 12.21

Chapter 13—Programming Exploits
  13.1 Introduction 13.3
  13.2 ActiveX Controls 13.4
    13.2.1 Vulnerabilities in ActiveX Controls 13.5
    13.2.2 Security Measures 13.8
  13.3 VBScript 13.11
    13.3.1 Vulnerabilities in VBScript 13.11
    13.3.2 Countering VBScript Vulnerabilities 13.12
  13.4 HTML 13.13
    13.4.1 Vulnerabilities in HTML 13.14


    13.4.2 Countering HTML Vulnerabilities 13.15
  13.5 Java and JavaScript 13.16
    13.5.1 Java 13.16
    13.5.2 JavaScript 13.16
    13.5.3 Security Vulnerabilities in Java 13.17
    13.5.4 Vulnerabilities in JavaScript 13.18
    13.5.5 Countering Java and JavaScript Vulnerabilities 13.18
  Summary 13.20
  Homework Exercises 13.23
  Lab Exercises 13.25
    Exercise 1 13.25
    Exercise 2 13.27
    Exercise 3 13.29

Chapter 14—Mail Vulnerabilities
  14.1 Introduction 14.3
  14.2 SMTP Vulnerabilities 14.4
    14.2.1 The SMTP Model 14.5
    14.2.2 SMTP Vulnerabilities 14.6
  14.3 IMAP Vulnerabilities 14.10
    14.3.1 Role of IMAP 14.10
    14.3.2 IMAP Vulnerabilities 14.10
  14.4 E-mail Attacks 14.12
    14.4.1 E-mail Bombing 14.12
    14.4.2 E-mail Spamming 14.13
    14.4.3 E-mail Sniffing and Spoofing 14.15
    14.4.4 E-mail Attachments 14.16
    14.4.5 List Linking 14.17
    14.4.6 Protection 14.18
  14.5 Microsoft Outlook Express Vulnerabilities 14.22
    14.5.1 Starting a Recipient's Web Browser 14.23
    14.5.2 Starting a Recipient's Word Processor 14.23
    14.5.3 Starting a Recipient's Spreadsheet 14.24
    14.5.4 Starting a Recipient's E-mail Editor 14.25
    14.5.5 Passing Information about the Recipient to a Hacker 14.25
    14.5.6 Sending Sensitive Information from the Recipient's Computer 14.27
    14.5.7 Protection 14.28
  Summary 14.29


Chapter 15—Web Application Vulnerabilities
  15.1 Web Application Vulnerabilities: An Overview 15.3
    15.1.1 Why the Web Is Vulnerable 15.3
  15.2 Web Server Vulnerabilities 15.7
    15.2.1 Weaknesses in Software or Protocol Design 15.7
    15.2.2 Weaknesses in System Software 15.7
    15.2.3 Unsecured Hardware 15.9
    15.2.4 Unsecured Network 15.10
    15.2.5 Weaknesses in Administration Tools 15.10
    15.2.6 Threats from Insiders 15.10
  15.3 Web Browser Vulnerabilities 15.12
    15.3.1 Cache File 15.12
    15.3.2 History File 15.14
    15.3.3 Bookmarks 15.15
    15.3.4 Cookies 15.16
    15.3.5 Location of Cache 15.19
    15.3.6 Browser Information 15.20
    15.3.7 Session ID Exploits 15.22
    15.3.8 Web Browser Protection 15.24
  15.4 Protection Against Web Application Vulnerabilities 15.25
    15.4.1 Securing the Operating System and the Web Server 15.25
    15.4.2 Monitoring the Server for Suspicious Activity 15.25
    15.4.3 Controlling Access to Confidential Documents 15.26
    15.4.4 Setting Up Remote Authoring and Administration Facilities 15.26
    15.4.5 Protecting the Web Server on a LAN 15.27
    15.4.6 Checking for Security Issues 15.27
  Summary 15.28
  Homework Exercises 15.29
  Lab Exercises 15.31
    Exercise 1 15.31
    Exercise 2 15.33
    Exercise 3 15.36

Chapter 16—Windows Vulnerabilities
  16.1 Introduction 16.3
    16.1.1 Windows Operating Systems 16.3
  16.2 Vulnerabilities in Windows 95/98 16.5
    16.2.1 Windows Logon 16.5
    16.2.2 Password Cache 16.6
    16.2.3 File Sharing 16.6
    16.2.4 Scripting Host Feature 16.7


    16.2.5 UPnP Vulnerabilities 16.8
  16.3 Vulnerabilities in Windows NT 4.0/2000 16.9
    16.3.1 Passwords 16.9
    16.3.2 Default Accounts 16.10
    16.3.3 File Sharing 16.11
    16.3.4 Windows Registry 16.13
    16.3.5 Trust Relationship 16.14
    16.3.6 Windows 2000 Event Viewer Buffer Overflow 16.16
    16.3.7 NBNS Protocol Spoofing 16.17
    16.3.8 RPC Service Failure 16.17
    16.3.9 SMTP Authentication Vulnerability 16.18
    16.3.10 Telnet Vulnerabilities 16.18
    16.3.11 IP Fragments Reassembly 16.19
    16.3.12 ResetBrowser Frame Vulnerability 16.20
  Summary 16.21

Chapter 17—Linux Vulnerabilities
  17.1 Introduction 17.3
    17.1.1 UNIX-based Operating Systems 17.3
    17.1.2 Linux Operating Systems 17.3
  17.2 Vulnerabilities from Default Installation 17.5
    17.2.1 Basic Exploits 17.5
    17.2.2 Login Passwords 17.5
    17.2.3 Bad System Administration Practices 17.6
    17.2.4 Unnecessary Services 17.9
  17.3 Utility Vulnerabilities 17.10
    17.3.1 r Utilities 17.10
    17.3.2 Sendmail Vulnerabilities 17.10
    17.3.3 Telnet 17.11
    17.3.4 Trivial File Transfer Protocol (TFTP) 17.11
    17.3.5 Groff Vulnerability 17.11
    17.3.6 Printing Vulnerability 17.12
    17.3.7 sudo Vulnerability 17.12
    17.3.8 Mutt Buffer Overflow 17.13
    17.3.9 The UseLogin Vulnerability of OpenSSH 17.13
    17.3.10 PAM Vulnerability 17.14
    17.3.11 wu-ftpd Exploits 17.15
    17.3.12 GID Man Exploit 17.15
    17.3.13 Squid Port Scanning Vulnerability 17.16
    17.3.14 Squid Denial of Service 17.16
  Summary 17.17
  Homework Exercises 17.19


  Lab Exercises 17.21
    Exercise 1 17.21
    Exercise 2 17.23
    Exercise 3 17.24

Chapter 18—Incident Handling
  18.1 Introduction 18.3
    18.1.1 Need for Incident Handling 18.4
    18.1.2 Types of Incidents 18.5
    18.1.3 Phases of Incident Handling 18.8
  18.2 Preparing for Incident Handling 18.10
    18.2.1 Formulating an Incident-Handling Policy 18.10
    18.2.2 Incident-Handling Team 18.12
  18.3 Identifying Incidents 18.14
    18.3.1 Systems and Network Logging Functions 18.15
    18.3.2 Detection Tools 18.17
  18.4 Reporting and Communicating Incidents 18.20
    18.4.1 Reporting the Incident 18.20
    18.4.2 Communicating the Incident 18.21
  18.5 Eradicating the Bug 18.22
    18.5.1 Correcting the Root Problem 18.23
    18.5.2 Identifying and Implementing the Steps to Fix the Problem 18.23
  18.6 Recovering from Incidents 18.26
    18.6.1 Phases of Recovery 18.26
  18.7 Following Up the Security Measures 18.28
    18.7.1 Identifying the Root Cause of the Problem 18.29
    18.7.2 Identifying Short-term and Long-term Changes 18.30
    18.7.3 Identifying Actions for any Unpredictable Incident 18.30
    18.7.4 Implementing the Learning 18.30
  18.8 Tracking Hackers 18.31
  18.9 Emergency Steps 18.34
    18.9.1 Important Emergency Steps 18.34
  Summary 18.36
  Homework Exercises 18.39
  Lab Exercises 18.41
    Exercise 1 18.41
    Exercise 2 18.44
    Exercise 3 18.45

Appendix A.1
