Hacking Exposed 7, 7th Edition [7th edition] 9780071780292, 0071780297, 9780071780285, 0071780289

A fully updated edition of the world's bestselling computer security book "Hacking Exposed 7: Network Security


English Pages 720 [769] Year 2012


Table of contents :
Contents
Foreword
Acknowledgments
Introduction
Part I: Casing the Establishment
Tor-menting the Good Guys
1 Footprinting
What is Footprinting?
Internet Footprinting
Summary
2 Scanning
Determining if the System is Alive
Determining Which Services are Running or Listening
Detecting the Operating System
Processing and Storing Scan Data
Summary
3 Enumeration
Service Fingerprinting
Vulnerability Scanners
Basic Banner Grabbing
Enumerating Common Network Services
Summary
Part II: Endpoint and Server Hacking
Case Study: International Intrigue
4 Hacking Windows
Overview
Unauthenticated Attacks
Authenticated Attacks
Windows Security Features
Summary
5 Hacking UNIX
The Quest for Root
Remote Access
Local Access
After Hacking Root
Summary
6 Cybercrime and Advanced Persistent Threats
What is an APT?
What APTs are NOT?
Examples of Popular APT Tools and Techniques
Common APTs Indicators
Summary
Part III: Infrastructure Hacking
Case Study: Read it and WEP
7 Remote Connectivity and VoIP Hacking
Preparing to Dial Up
Wardialing
Brute-Force Scripting—The Homegrown Way
PBX Hacking
Voicemail Hacking
Virtual Private Network (VPN) Hacking
Voice over IP Attacks
Summary
8 Wireless Hacking
Background
Equipment
Discovery and Monitoring
Denial of Service Attacks
Encryption Attacks
Authentication Attacks
Summary
9 Hacking Hardware
Physical Access: Getting in the Door
Hacking Devices
Default Configurations
Reverse Engineering Hardware
Summary
Part IV: Application and Data Hacking
Case Study
10 Web and Database Hacking
Web Server Hacking
Web Application Hacking
Common Web Application Vulnerabilities
Database Hacking
Summary
11 Mobile Hacking
Hacking Android
iOS
Summary
12 Countermeasures Cookbook
General Strategies
Example Scenarios
Summary
Part V: Appendixes
A: Ports
B: Top 10 Security Vulnerabilities
C: Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks
Countermeasures

HACKING EXPOSED 7: NETWORK SECURITY SECRETS & SOLUTIONS ™


STUART McCLURE, JOEL SCAMBRAY, GEORGE KURTZ

New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi San Juan Seoul Singapore Sydney Toronto

Copyright © 2012 by The McGraw-Hill Companies. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher. ISBN: 978-0-07-178029-2 MHID: 0-07-178029-7 The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-178028-5, MHID: 0-07-178028-9. All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps. McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. To contact a representative please e-mail us at [email protected]. McGraw-Hill, the McGraw-Hill Publishing logo, Hacking ExposedTM, and related trade dress are trademarks or registered trademarks of The McGraw-Hill Companies and/or its affiliates in the United States and other countries and may not be used without written permission. All other trademarks are the property of their respective owners. The McGraw-Hill Companies is not associated with any product or vendor mentioned in this book. Information has been obtained by McGraw-Hill from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill, or others, McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information. TERMS OF USE This is a copyrighted work and The McGraw-Hill Companies, Inc. 
(“McGraw-Hill”) and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms. THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.

CrowdStrike MISSION POSSIBLE

CrowdStrike is a security technology company focused on helping enterprises and governments protect their most sensitive intellectual property and national security information from targeted attacks also known as Advanced Persistent Threats (APTs). CrowdStrike has developed a new and innovative approach to the growing cyber adversary problem leveraging "Big Data" technologies to identify and prevent the damage from targeted attacks. Industry luminaries created CrowdStrike as a direct response to the systemic transfer of wealth from the continuous theft of intellectual property. CrowdStrike's approach is based on a key principle:

YOU DON'T HAVE A MALWARE PROBLEM, YOU HAVE AN ADVERSARY PROBLEM

The "Maginot line" of security can no longer effectively keep persistent adversaries out of your organization. Attribution of the adversary is a key strategic piece missing from all current security technologies. CrowdStrike identifies the cyber adversary on a deeper level by revealing their tactics, techniques, and procedures (TTPs). By linking the "what" (malware) to the "why" (intent) and the "who" (adversary), we help companies strike back at the human-dependent and not easily scalable parts of the adversary's operations and provide protection where it is needed most. CrowdStrike also has a world-class Professional Services Division staffed with security practitioners with unmatched experience in cyber investigations and forensic capabilities to help customers respond to advanced cyber attacks. CrowdStrike's Technology, Intelligence, and Services offer a "Triple Crown" platform to customers providing an unparalleled strategic advantage over the adversary, today and into the future. Visit www.crowdstrike.com to learn more about our mission to change the security industry.

Stop Hackers in Their Tracks

Hacking Exposed Malware & Rootkits

Hacking Exposed Computer Forensics, 2nd Edition

Hacking Exposed Wireless, 2nd Edition

Hacking Exposed: Web Applications, 3rd Edition

IT Security Metrics

Gray Hat Hacking, 2nd Edition

Hacking Exposed, 7th Edition

Hacking Exposed Linux, 3rd Edition

IT Auditing, 2nd Edition

Available in print and ebook formats @MHcomputing

Industry Leaders in Software Security Consulting

We offer expert services and solutions to meet your software security challenges head-on: Best practices gap analysis, Regulatory compliance, Training, Security metrics, Remediation services, Secure code review, Architectural risk analysis, Tool strategy, Tool implementation, BSIMM

Cigital www.cigital.com

To my amazing boys (who hack me on a daily basis), I love you beyond words. FANMW… URKSHI. To my Dawn, for her seemingly endless patience and love—I never knew the meaning of both until you. And to the new girls in my life, Jessica and Jillian… I love you. —Stuart McClure

To Austin, TX, my new home and a great place to live; hopefully we’re helping keep it weird. —Joel Scambray

To my loving family, Anna, Alexander, and Allegra who provide inspiration and support, allowing me to follow my passion. To the late Joe Petrella, for always reminding me “many are called—few are chosen…” —George Kurtz


ABOUT THE AUTHORS

Stuart McClure

Stuart McClure, CNE, CCSE, is the CEO/President of Cylance, Inc., an elite global security services and products company solving the world’s most difficult security problems for the most critical companies around the globe. Prior to Cylance, Stuart was Global CTO for McAfee/Intel, where he was responsible for a nearly $3B consumer and corporate security products’ business. During his tenure at McAfee, Stuart McClure also held the General Manager position for the Security Management Business for McAfee/Intel, which enabled all McAfee corporate security products to be operationalized, managed, and measured. Alongside those roles, Stuart McClure ran an elite team of good guy hackers inside McAfee called TRACE that discovered new vulnerabilities and emerging threats. Before McAfee, Stuart helped run security at the largest healthcare company in the U.S., Kaiser Permanente. In 1999, Stuart was also the original founder of Foundstone, Inc., a global consulting and products company, which was acquired by McAfee in 2004. Stuart is the creator, lead author, and original founder of the Hacking Exposed™ series of books and has been hacking for the good guys for over 25 years. Widely recognized and asked to present his extensive and in-depth knowledge of hacking and exploitation techniques, Stuart is considered one of the industry’s leading authorities on information security risk today. A well-published and acclaimed security visionary, McClure brings a wealth of technical and executive leadership with a profound understanding of both the threat landscape and the operational and financial risk requirements to be successful in today’s world.

Joel Scambray

Joel is a Managing Principal at Cigital, a leading software security firm established in 1992. He has assisted companies ranging from newly minted startups to members of the Fortune 500 to address information security challenges and opportunities for over 15 years. Joel’s background includes roles as an executive, technical consultant, and entrepreneur. He cofounded and led information security consulting firm Consciere before it was acquired by Cigital in June 2011. He has been a Senior Director at Microsoft Corporation, where he provided security leadership in Microsoft’s online services and Windows divisions. Joel also cofounded security software and services startup Foundstone, Inc. and helped lead it to acquisition by McAfee in 2004. He previously held positions as a Manager for Ernst & Young, security columnist for Microsoft TechNet, Editor at Large for InfoWorld Magazine, and Director of IT for a major commercial real-estate firm. Joel is a widely recognized writer and speaker on information security. He has coauthored and contributed to over a dozen books on IT and software security, many of them international best-sellers. He has spoken at forums including Black Hat, as well as for organizations, including IANS, CERT, CSI, ISSA, ISACA, and SANS, private corporations, and government agencies, including the FBI and the RCMP. Joel holds a BS from the University of California at Davis, an MA from UCLA, and he is a Certified Information Systems Security Professional (CISSP).

George Kurtz

George Kurtz, CISSP, CISA, CPA, is cofounder and CEO of CrowdStrike, a cutting-edge big data security technology company focused on helping enterprises and governments protect their most sensitive intellectual property and national security information. George is also an internationally recognized security expert, author, entrepreneur, and speaker. He has almost 20 years of experience in the security space and has helped hundreds of large organizations and government agencies around the world tackle the most demanding security problems. His entrepreneurial background and ability to commercialize nascent technologies has enabled him to drive innovation throughout his career by identifying market trends and correlating them with customer feedback, resulting in rapid growth for the businesses he has run. In 2011, George relinquished his role as McAfee’s Worldwide Chief Technology Officer to his co-author and raised $26M in venture capital to create CrowdStrike. During his tenure as McAfee’s CTO, Kurtz was responsible for driving the integrated security architectures and platforms across the entire McAfee portfolio. Kurtz also helped drive the acquisition strategy that allowed McAfee to grow from $1b in revenue in 2007 to over $2.5b in 2011. In one of the largest tech M&A deals in 2011, Intel (INTC) acquired McAfee for nearly $8b. Prior to joining McAfee, Kurtz was Chief Executive Officer and cofounder of Foundstone, Inc., which was acquired by McAfee in October 2004. You can follow George on Twitter @george_kurtz or his blog at securitybattlefield.com.

About the Contributing Authors

Christopher Abad is a security researcher at McAfee focusing on embedded threats. He has 13 years of professional experience in computer security research and software and hardware development and studied mathematics at UCLA. He has contributed to numerous security products and has been a frequent speaker at various security conferences over the years.

Brad Antoniewicz works in Foundstone’s security research division to uncover flaws in popular technologies. He is a contributing author to both the Hacking Exposed™ and Hacking Exposed™ Wireless series of books and has authored various internal and external Foundstone tools, whitepapers, and methodologies.

Christiaan Beek is a principal architect on the McAfee Foundstone Services team. As such, he serves as the practice lead for the Incident Response and Forensics services team in EMEA. He has performed numerous forensic investigations from system compromise, theft, child pornography, malware infections, Advanced Persistent Threats (APT), and mobile devices.


Carlos Castillo is a Mobile Malware Researcher at McAfee, an Intel company, where he performs static and dynamic analysis of suspicious applications to support McAfee’s Mobile Security for Android product. Carlos’ recent research includes dissection of the Android Market malware DroidDream, and he is the author of “Android Malware Past, Present, and Future,” a whitepaper published by McAfee. Carlos also is an active blogger on McAfee Blog Central. Prior to McAfee, Carlos performed security compliance audits for the Superintendencia Financiera of Colombia. Before that, Carlos worked at a security startup Easy Solutions, Inc., where he conducted penetration tests on web applications, helped shut down phishing and malicious websites, supported security and network appliances, performed functional software testing, and assisted in research and development related to anti-electronic fraud. Carlos joined the world of malware research when he won ESET Latin America’s “Best Antivirus Research” contest. His winning paper was entitled “Sexy View: The Beginning of Mobile Botnets.” Carlos holds a degree in Systems Engineering from the Universidad Javeriana in Bogotá, Colombia.

Carric Dooley has been working primarily in information security since 1997. He originally joined the Foundstone Services team in March 2005 after five years on the ISS Professional Services team. Currently he is building the Foundstone Services team in EMEA and lives in the UK with his lovely wife, Michelle, and three children. He has led hundreds of assessments of various types for a wide range of verticals, and regularly works with globally recognized banks, petrochemicals, and utilities, and consumer electronics companies in Europe and the Middle East. You may have met Carric at either the Black Hat (Vegas/Barcelona/Abu Dhabi) or Defcon conferences, where he has been on staff and taught several times, in addition to presenting at Defcon 16.

Max Klim is a security consultant with Cigital, a leading software security company founded in 1992. Prior to joining Cigital, Max worked as a security consultant with Consciere. Max has over nine years of experience in IT and security, having served both Fortune 500 organizations and startups. He has extensive experience in penetration testing, digital forensics, incident response, compliance, and network and security engineering. Max holds a Bachelor of Applied Science in Information Technology Management from Central Washington University and is an Encase Certified Examiner (EnCE), Certified Information Systems Security Professional (CISSP), and holds several Global Information Assurance Certification (GIAC) credentials.

Tony Lee has over eight years of professional experience pursuing his passion in all areas of information security. He is currently a Principal Security Consultant at Foundstone Professional Services (a division of McAfee), in charge of advancing many of the network penetration service lines. His interests of late are Citrix and kiosk hacking, post exploitation, and SCADA exploitation. As an avid educator, Tony has instructed thousands of students at many venues worldwide, including government agencies, universities, corporations, and conferences such as Black Hat. He takes every opportunity to share knowledge as a lead instructor for a series of classes that includes Foundstone’s Ultimate Hacking (UH), UH: Windows, UH: Expert, UH: Wireless, and UH: Web. He holds a Bachelor of Science in Computer Engineering from Virginia Tech (Go Hokies!) and Master of Science in Security Informatics from The Johns Hopkins University.

Slavik Markovich has over 20 years of experience in infrastructure, security, and software development. Slavik cofounded Sentrigo, the database security company recently acquired by McAfee. Prior to co-founding Sentrigo, Slavik served as VP R&D and Chief Architect at db@net, a leading IT architecture consultancy. Slavik has contributed to open source projects and is a regular speaker at industry conferences.

Hernan Ochoa is a security consultant and researcher with over 15 years of professional experience. Hernan is the founder of Amplia Security, provider of information security–related services, including network, wireless, and web application penetration tests, standalone/client-server application black-box assessments, source code audits, reverse engineering, and vulnerability analysis. Hernan began his professional career in 1996 with the creation of Virus Sentinel, a signature-based file/memory/mbr/boot sector detection/removal antivirus application with heuristics to detect polymorphic viruses. Hernan also developed a detailed technical virus information database and companion newsletter. He joined Core Security Technologies in 1999 and worked there for 10 years in various roles, including security consultant and exploit writer performing diverse types of security assessments, developing methodologies, shellcode, and security tools, and contributing new attack vectors. He also designed and developed several low-level/kernel components for a multi-OS security system ultimately deployed at a financial institution, and served as “technical lead” for ongoing development and support of the multi-OS system. Hernan has published a number of security tools and presented his work at several international security conferences including Black Hat, Hack in the Box, Ekoparty, and RootedCon.

Dr. (Shane) Shook is a Senior Information Security advisor and SME who has architected, built, and optimized information security implementations. He conducts information security audits and vulnerability assessments, business continuity planning, disaster recovery testing, and security incident response, including computer forensics analysis and malware assessment. He has provided expert testimony on technical issues in criminal, class action, IRS, SEC, EPA, and ITC cases, as well as state and federal administrative matters.

Nathan Sportsman is the founder and CEO of Praetorian, a privately held, multimillion-dollar security consulting, research, and product company. He has extensive experience in information security and has consulted across most industry sectors with clients ranging from the NASDAQ stock exchange to the National Security Agency. Prior to founding Praetorian, Nathan held software development and consulting positions at Sun Microsystems, Symantec, and McAfee. Nathan is a published author, US patent holder, NIST individual contributor, and DoD cleared resource. Nathan holds a degree in Electrical & Computer Engineering from The University of Texas.

About the Technical Reviewers

Ryan Permeh is chief scientist at McAfee. He works with the Office of the CTO to envision how to protect against the threats of today and tomorrow. He is a vulnerability researcher, reverse engineer, and exploiter with 15 years of experience in the field. Ryan has spoken at several security and technology conferences on advanced security topics, published many blogs and articles, and contributed to books on the subject.


Mike Price is currently chief architect for iOS at Appthority, Inc. In this role, Mike focuses full time on research and development related to iOS operating system and application security. Mike was previously Senior Operations Manager for McAfee Labs in Santiago, Chile. In this role, Mike was responsible for ensuring smooth operation of the office, working with external entities in Chile and Latin America and generally promoting technical excellence and innovation across the team and region. Mike was a member of the Foundstone Research team for nine years. Most recently, he was responsible for content development for the McAfee Foundstone Enterprise vulnerability management product. In this role, Mike worked with and managed a global team of security researchers responsible for implementing software checks designed to detect the presence of operating system and application vulnerabilities remotely. He has extensive experience in the information security field, having worked in the area of vulnerability analysis and infosec-related R&D for nearly 13 years. Mike is also cofounder of the 8.8 Computer Security Conference, held annually in Santiago, Chile. Mike was also a contributor to Chapter 11.

AT A GLANCE

Part I Casing the Establishment
1 Footprinting
2 Scanning
3 Enumeration

Part II Endpoint and Server Hacking
4 Hacking Windows
5 Hacking UNIX
6 Cybercrime and Advanced Persistent Threats

Part III Infrastructure Hacking
7 Remote Connectivity and VoIP Hacking
8 Wireless Hacking
9 Hacking Hardware

Part IV Application and Data Hacking
10 Web and Database Hacking
11 Mobile Hacking
12 Countermeasures Cookbook

Part V Appendixes
A Ports
B Top 10 Security Vulnerabilities
C Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks

Index

CONTENTS Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii

Part I Casing the Establishment Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IAAAS—It’s All About Anonymity, Stupid . . . . . . . . . . . . . . . . . . . . . Tor-menting the Good Guys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

2 2 2

▼ 1 Footprinting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

7 8 10 10 10 10 11 27 36 43 46

What Is Footprinting? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Why Is Footprinting Necessary? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Internet Footprinting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Step 1: Determine the Scope of Your Activities . . . . . . . . . . . . . . . . . . Step 2: Get Proper Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Step 3: Publicly Available Information . . . . . . . . . . . . . . . . . . . . . . . . . Step 4: WHOIS & DNS Enumeration . . . . . . . . . . . . . . . . . . . . . . . . . . Step 5: DNS Interrogation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Step 6: Network Reconnaissance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

▼ 2 Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Determining If the System Is Alive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ARP Host Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ICMP Host Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . TCP/UDP Host Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Determining Which Services Are Running or Listening . . . . . . . . . . . . . . . . Scan Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Identifying TCP and UDP Services Running . . . . . . . . . . . . . . . . . . . .

47 48 49 51 55 61 62 64

xiii

xiv

Hacking Exposed 7: Network Security Secrets & Solutions

Detecting the Operating System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Making Guesses from Available Ports . . . . . . . . . . . . . . . . . . . . . . . . . . Active Stack Fingerprinting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Passive Stack Fingerprinting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Processing and Storing Scan Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing Scan Data with Metasploit . . . . . . . . . . . . . . . . . . . . . . . . . . Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

▼ 3 Enumeration

......................................................... Service Fingerprinting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Vulnerability Scanners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Basic Banner Grabbing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Enumerating Common Network Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

72 73 74 77 79 79 82

83 85 87 90 92 154

Part II Endpoint and Server Hacking Case Study: International Intrigue

...................................

158

▼ 4 Hacking Windows
  Overview
  What’s Not Covered
  Unauthenticated Attacks
  Authentication Spoofing Attacks
  Remote Unauthenticated Exploits
  Authenticated Attacks
  Privilege Escalation
  Extracting and Cracking Passwords
  Remote Control and Back Doors
  Port Redirection
  Covering Tracks
  General Countermeasures to Authenticated Compromise
  Windows Security Features
  Windows Firewall
  Automated Updates
  Security Center
  Security Policy and Group Policy
  Microsoft Security Essentials
  The Enhanced Mitigation Experience Toolkit
  Bitlocker and the Encrypting File System
  Windows Resource Protection
  Integrity Levels, UAC, and PMIE
  Data Execution Prevention (DEP)
  Windows Service Hardening
  Compiler-based Enhancements
  Coda: The Burden of Windows Security
  Summary

▼ 5 Hacking UNIX
  The Quest for Root
  A Brief Review
  Vulnerability Mapping
  Remote Access vs. Local Access
  Remote Access
  Data-driven Attacks
  I Want My Shell
  Common Types of Remote Attacks
  Local Access
  After Hacking Root
  Rootkit Recovery
  Summary

▼ 6 Cybercrime and Advanced Persistent Threats
  What Is an APT?
  Operation Aurora
  Anonymous
  RBN
  What APTs Are NOT?
  Examples of Popular APT Tools and Techniques
  Common APTs Indicators
  Summary

Part III Infrastructure Hacking
  Case Study: Read It and WEP

▼ 7 Remote Connectivity and VoIP Hacking
  Preparing to Dial Up
  Wardialing
  Hardware
  Legal Issues
  Peripheral Costs
  Software
  Brute-Force Scripting—The Homegrown Way
  A Final Note About Brute-Force Scripting
  PBX Hacking
  Voicemail Hacking
  Virtual Private Network (VPN) Hacking
  Basics of IPSec VPNs
  Hacking the Citrix VPN Solution
  Voice over IP Attacks
  Attacking VoIP
  Summary

▼ 8 Wireless Hacking
  Background
  Frequencies and Channels
  Session Establishment
  Security Mechanisms
  Equipment
  Wireless Adapters
  Operating Systems
  Miscellaneous Goodies
  Discovery and Monitoring
  Finding Wireless Networks
  Sniffing Wireless Traffic
  Denial of Service Attacks
  Encryption Attacks
  WEP
  Authentication Attacks
  WPA Pre-Shared Key
  WPA Enterprise
  Summary

▼ 9 Hacking Hardware
  Physical Access: Getting in the Door
  Hacking Devices
  Default Configurations
  Owned Out of the Box
  Standard Passwords
  Bluetooth
  Reverse Engineering Hardware
  Mapping the Device
  Sniffing Bus Data
  Sniffing the Wireless Interface
  Firmware Reversing
  ICE Tools
  Summary


Part IV Application and Data Hacking
  Case Study

▼ 10 Web and Database Hacking
  Web Server Hacking
  Sample Files
  Source Code Disclosure
  Canonicalization Attacks
  Server Extensions
  Buffer Overflows
  Denial of Service
  Web Server Vulnerability Scanners
  Web Application Hacking
  Finding Vulnerable Web Apps with Google (Googledorks)
  Web Crawling
  Web Application Assessment
  Common Web Application Vulnerabilities
  Database Hacking
  Database Discovery
  Database Vulnerabilities
  Other Considerations
  Summary

▼ 11 Mobile Hacking
  Hacking Android
  Android Fundamentals
  Hacking Your Android
  Hacking Other Androids
  Android as a Portable Hacking Platform
  Defending Your Android
  iOS
  Know Your iPhone
  How Secure Is iOS?
  Jailbreaking: Unleash the Fury!
  Hacking Other iPhones: Fury Unleashed!
  Summary

▼ 12 Countermeasures Cookbook
  General Strategies
  (Re)move the Asset
  Separation of Duties
  Authenticate, Authorize, and Audit
  Layering
  Adaptive Enhancement
  Orderly Failure
  Policy and Training
  Simple, Cheap, and Easy
  Example Scenarios
  Desktop Scenarios
  Server Scenarios
  Network Scenarios
  Web Application and Database Scenarios
  Mobile Scenarios
  Summary

Part V Appendixes
▼ A Ports
▼ B Top 10 Security Vulnerabilities
▼ C Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks
  Countermeasures

Index

FOREWORD

The term cyber-security and an endless list of words prefixed with “cyber” bombard our senses daily. Widely discussed but often poorly understood, the various terms relate to computers and the realm of information technology, the key enablers of our interrelated and interdependent world of today. Governments, private and corporate entities, and individuals are increasingly aware of the challenges and threats to a wide range of our everyday online activities. Worldwide reliance on computer networks to store, access, and exchange information has increased exponentially in recent years. Include the almost universal dependence on computer-operated or computer-assisted infrastructure and industrial mechanisms, and the magnitude of the relationship of cyber to our lives becomes readily apparent.

The impact of security breaches runs the gamut from inconvenience to severe financial losses to national insecurity. Hacking is the vernacular term, widely accepted as the cause of these cyber insecurities, which range from the irritating but relatively harmless activities of youthful pranksters to the very damaging, sophisticated, targeted attacks of state actors and master criminals.

Previous editions of Hacking Exposed™ have been widely acclaimed as foundation documents in cyber-security and are staples in the libraries of IT professionals, tech gurus, and others interested in understanding hackers and their methods. But the authors know that remaining relevant in the fast-changing realm of IT security requires agility, insight, and deep understanding about the latest hacking activities and methods. “Rise and rise again…,” from the movie Robin Hood, is a most appropriate exhortation to rally security efforts to meet the relentless assaults of cyber hackers. This Seventh Edition of the text provides updates on enduring issues and adds important new chapters about Advanced Persistent Threats (APTs), hardware, and embedded systems.
Explaining how hacks occur, what the perpetrators are doing, and how to defend against them, the authors cover the horizon of computer security. Given the popularity of mobile devices and social media, today’s netizens will find interesting reading about the vulnerabilities and insecurities of these common platforms.

The prerequisite for dealing with these issues of IT and computer security is knowledge. First, we must understand the architectures of the systems we are using and the strengths and weaknesses of the hardware and software. Next, we must know the adversaries: who they are and what they are trying to do. In short, we need intelligence about the threats and the foes, acquired through surveillance and analysis, before we can begin to take effective countermeasures.

This volume provides the essential foundation and empowers those who really care about cyber-security. If we get smart and learn about ourselves, our devices, our networks, and our adversaries, we will find ourselves on a path to success in defending our cyber endeavors.

What remains is the reality of change: the emergence of new technologies and techniques and the constant evolution of threats. Hence, we must “rise and rise again…” to stay abreast of new developments, refreshing our intelligence and acquiring visibility and insight into attacks. This new edition of Hacking Exposed™ helps you to get smart and take effective action. The lambs may indeed become the lions of cyber-security.

William J. Fallon
Admiral, U.S. Navy (Retired)
Chairman, CounterTack, Inc.

Admiral William J. Fallon retired from the U.S. Navy after a distinguished 40 year career of military and strategic leadership. He has led U.S. and Allied forces in eight separate commands and played a leadership role in military and diplomatic matters at the highest levels of the U.S. government. As head of U.S. Central Command, Admiral Fallon directed all U.S. military operations in the Middle East, Central Asia, and Horn of Africa, focu