book

Hack I.T.: Security Through Penetration Testing

by T. J. Klevinsky, Scott Laliberte, Ajay Gupta

February 2002

Intermediate to advanced

544 pages

11h 24m

English

Addison-Wesley Professional

Read now

Unlock full access

Copyright
Foreword
Preface
AudienceAuthorsT.J. Klevinsky, CISSPScott LaliberteAjay GuptaHow to Use This BookAcknowledgments
Introduction
1. Hacking Today
2. Defining the Hacker
2.1. Hacker Skill Levels2.1.1. First-Tier Hackers2.1.2. Second-Tier Hackers2.1.3. Third-Tier Hackers2.2. Information Security Consultants2.3. Hacker Myths2.4. Information Security Myths
3. Penetration for Hire
3.1. Ramifications of Penetration Testing3.2. Requirements for a Freelance Consultant3.2.1. Skill Set3.2.2. Knowledge3.2.3. Tool Kit3.2.4. Hardware3.2.5. Record Keeping3.2.6. Ethics3.3. Announced vs. Unannounced Penetration Testing3.3.1. Definitions3.3.2. Pros and Cons of Both Types of Penetration Testing3.3.3. Documented Compromise
4. Where the Exposures Lie
4.1. Application Holes4.2. Berkeley Internet Name Domain (BIND) Implementations4.3. Common Gateway Interface (CGI)4.4. Clear Text Services4.5. Default Accounts4.6. Domain Name Service (DNS)4.7. File Permissions4.8. FTP and telnet4.9. ICMP4.10. IMAP and POP4.11. Modems4.12. Lack of Monitoring and Intrusion Detection4.13. Network Architecture4.14. Network File System (NFS)4.15. NT Ports 135–1394.16. NT Null Connection4.17. Poor Passwords and User IDs4.18. Remote Administration Services4.19. Remote Procedure Call (RPC)4.20. SENDMAIL4.21. Services Started by Default4.22. Simple Mail Transport Protocol (SMTP)4.23. Simple Network Management Protocol (SNMP) Community Strings4.24. Viruses and Hidden Code4.25. Web Server Sample Files4.26. Web Server General Vulnerabilities4.27. Monitoring Vulnerabilities
5. Internet Penetration
5.1. Network Enumeration/Discovery5.1.1. Whois Query5.1.2. Zone Transfer5.1.3. Ping Sweeps5.1.4. Traceroute5.2. Vulnerability Analysis5.2.1. OS Identification5.2.2. Port Scanning5.2.3. Application Enumeration5.2.4. Internet Research5.3. ExploitationCase Study: Dual-Homed HostsLessons Learned
6. Dial-In Penetration
6.1. War Dialing6.2. War Dialing Method6.2.1. Dialing6.2.2. Login6.2.3. Login Screens6.3. Gathering Numbers6.4. Precautionary Methods6.5. War Dialing Tools6.5.1. ToneLoc6.5.2. THC-Scan6.5.3. TeleSweep6.5.4. PhoneSweepCase Study: War DialingLessons Learned

7. Testing Internal Penetration
7.1. Scenarios7.2. Network Discovery7.3. NT Enumeration7.4. UNIX7.5. Searching for Exploits7.6. Sniffing7.7. Remotely Installing a Hacker Tool Kit7.8. Vulnerability ScanningCase Study: Snoop the User DesktopLessons Learned
8. Social Engineering
8.1. The Telephone8.1.1. Technical Support8.1.2. Disgruntled Customer8.1.3. Get Help Logging In8.1.4. Additional Methods8.2. Dumpster Diving8.3. Desktop Information8.4. Common Countermeasures
9. UNIX Methods
9.1. UNIX Services9.1.1. inetd Services9.1.2. R Services9.1.3. Remote Procedure Call Services9.2. Buffer Overflow Attacks9.3. File Permissions9.4. Applications9.4.1. Mail Servers9.4.2. Web Servers9.4.3. X Windows9.4.4. DNS Servers9.5. Misconfigurations9.6. UNIX Tools9.6.1. Datapipe.c9.6.2. QueSO9.6.3. Cheops9.6.4. nfsshell9.6.5. XSCANCase Study: UNIX PenetrationLessons Learned
10. The Tool Kit
10.1. Hardware10.2. Software10.2.1. Windows NT Workstation10.2.2. Linux10.3. VMware
11. Automated Vulnerability Scanners
11.1. Definition11.2. Testing Use11.3. Shortfalls11.4. Network-Based and Host-Based Scanners11.5. Tools11.6. Network-Based Scanners11.6.1. Network Associates CyberCop Scanner11.6.2. ISS Internet Scanner11.6.3. Nessus11.6.4. Symantec (Formerly Axent Technologies) NetRecon11.6.5. Bindview HackerShield (bv-control for Internet Security)11.7. Host-Based Scanners11.7.1. Symantec (Formerly Axent Technologies) Enterprise Security Manager (ESM)11.8. Pentasafe VigilEnt11.9. Conclusion
12. Discovery Tools
12.1. WS_Ping ProPack12.2. NetScanTools12.3. Sam Spade12.4. Rhino9 Pinger12.5. VisualRoute12.6. Nmap12.7. What's running
13. Port Scanners
13.1. Nmap13.2. 7th Sphere Port Scanner13.3. Strobe13.4. SuperScan
14. Sniffers
14.1. Dsniff14.2. Linsniff14.3. Tcpdump14.4. BUTTSniffer14.5. SessionWall-3 (Now eTrust Intrusion Detection)14.6. AntiSniff
15. Password Crackers
15.1. L0phtCrack15.2. pwdump215.3. John the Ripper15.4. Cain15.5. ShowPass
16. Windows NT Tools
16.1. NET USE16.2. Null Connection16.3. NET VIEW16.4. NLTEST16.5. NBTSTAT16.6. epdump16.7. NETDOM16.8. Getmac16.9. Local Administrators16.10. Global (“Domain Admins”)16.11. Usrstat16.12. DumpSec16.13. user2Sid/sid2User16.14. NetBIOS Auditing Tool (NAT)16.15. SMBGrind16.16. SRVCHECK16.17. SRVINFO16.18. AuditPol16.19. REGDMP16.20. Somarsoft DumpReg16.21. Remote16.22. Netcat16.23. SC16.24. AT16.25. FPipeCase Study: Weak PasswordsLessons LearnedCase Study: Internal Penetration to WindowsLessons Learned
17. Web-Testing Tools
17.1. Whisker17.2. SiteScan17.3. THC Happy Browser17.4. wwwhack17.5. Web Cracker17.6. BrutusCase Study: Compaq Management Agents VulnerabilityLessons Learned
18. Remote Control
18.1. pcAnywhere18.2. Virtual Network Computing18.3. NetBus18.4. Back Orifice 2000
19. Intrusion Detection Systems
19.1. Definition19.2. IDS Evasion19.2.1. Stealth Port Scanning19.2.2. Aggressive Techniques19.3. Pitfalls19.4. Traits of Effective IDSs19.5. IDS Selection19.5.1. RealSecure19.5.2. NetProwler19.5.3. Secure Intrusion Detection19.5.4. eTrust Intrusion Detection19.5.5. Network Flight Recorder19.5.6. Dragon19.5.7. Snort
20. Firewalls
20.1. Definition20.2. Monitoring20.3. Configuration20.4. Change Control20.5. Firewall Types20.5.1. Packet-Filtering Firewalls20.5.2. Stateful-Inspection Firewalls20.5.3. Proxy-Based Firewalls20.6. Network Address Translation20.7. Evasive Techniques20.8. Firewalls and Virtual Private NetworksCase Study: Internet Information Server Exploit—MDACLessons Learned
21. Denial-of-Service Attacks
21.1. Resource Exhaustion Attacks21.1.1. Papasmurf21.1.2. Trash221.1.3. Igmpofdeath.c21.1.4. Fawx21.1.5. OBSD_fun21.2. Port Flooding21.2.1. Mutilate21.2.2. Pepsi521.3. SYN Flooding21.3.1. Synful21.3.2. Synk421.3.3. Naptha21.4. IP Fragmentation Attacks21.4.1. Jolt221.4.2. Teardrop21.4.3. Syndrop21.4.4. Newtear21.5. Distributed Denial-of-Service Attacks21.5.1. Tribe Flood Network 200021.5.2. Trin0021.5.3. Stacheldraht21.5.4. Usage21.6. Application-Based DoS Attacks21.6.1. Up Yours21.6.2. Wingatecrash21.6.3. WinNuke21.6.4. BitchSlap21.6.5. DOSNuke21.6.6. Shutup21.6.7. Web Server DoS Attacks21.7. Concatenated DoS Tools21.7.1. CyberCop21.7.2. ISS Internet Scanner21.7.3. Toast21.7.4. Spike.sh5.321.8. Summary
22. Wrapping It Up
22.1. Countermeasures22.2. Keeping Current22.2.1. Web Sites22.2.2. Mailing Lists8lgm (Eight Little Green Men)—majordomo@8lgm.orgAcademic Firewalls—majordomo@net.tamu.eduAlert—request-alert@iss.netBest of Security—best-of-security-request@suburbia.netBugtraq—listserv@netspace.orgComputer Emergency Response Team—cert@cert.orgComputer Incident Advisory Capability—ciac-listproc@llnl.govComputer Underground Digest—cu-digest-request@weber.ucsd.eduCypherpunks—majordomo@toad.comFirewalls—majordomo@greatcircle.comInformation Systems Security Forum—listserv@etsuadmn.etsu.eduIntrusion Detection Systems—majordomo@uow.edu.auMicrosoft Security—microsoft_security-subscribe-request@announce.microsoft.comNT Bugtraq—listserv@listserv.ntbugtraq.comNT Security—request-ntsecurity@iss.netPhrack—phrack@well.comPrivacy Forum—privacy-request@vortex.comRisks—risks-request@csl.sri.comSANS Institute—digest@sans.orgSneakers—majordomo@cs.yale.eduVirus—listserv@lehigh.eduVirus Alert—listserv@lehigh.eduWWW Security—www-security-request@nsmx.rutgers.edu
23. Future Trends
23.1. Authentication23.1.1. Two- and Three-Factor Authentication23.1.2. Biometrics23.1.3. Token-Based Authentication23.1.4. Directory Services23.2. Encryption23.3. Public Key Infrastructure23.4. Distributed Systems23.5. Forensics23.6. Government Regulation23.7. Hacking Techniques23.8. Countermeasures23.9. Cyber-Crime Insurance
A. CD-ROM Contents
Organization of the CD-ROMVisualRouteHuntDsniffNmapHackershieldNetReconPhoneSweepWhiskerRemote Data ServicesL0phtCrackNetcatInternet Security SystemsNessusCompilation of Programs
B. The Twenty Most Critical Internet Security Vulnerabilities—The Experts' Consensus
The SANS InstituteFive Notes for Readers:G1—Default Installs of Operating Systems and ApplicationsG1.1 Description:G1.2 Systems impacted:G1.3 CVE entries:G1.4 How to determine if you are vulnerable:G1.5 How to protect against it:G2—Accounts with No Passwords or Weak PasswordsG2.1 Description:G2.2 Systems impacted:G2.3 CVE entries:G2.4 How to determine if you are vulnerable:G2.5 How to protect against it:G3—Non-existent or Incomplete BackupsG3.1 Description:G3.2 Systems impacted:G3.3 CVE entries:G3.4 How to determine if you are vulnerable:G3.5 How to protect against it:G4—Large Number of Open PortsG4.1 Description:G4.2 Systems impacted:G4.3 CVE entries:G4.4 How to determine if you are vulnerable:G4.5 How to protect against it:G5—Not Filtering Packets for Correct Incoming and Outgoing AddressesG5.1 Description:G5.2 Systems impacted:G5.3 CVE entries:G5.4 How to determine if you are vulnerable:G5.5 How to protect against it:G6—Non-existent or Incomplete LoggingG6.1 Description:G6.2 Systems impacted:G6.3 CVE entries:G6.4 How to determine if you are vulnerable:G6.5 How to protect against it:G7—Vulnerable CGI ProgramsG7.1 Description:G7.2 Systems impacted:G7.3 CVE entries:G7.4 How to determine if you are vulnerable:G7.5 How to protect against it:W1— Unicode Vulnerability (Web Server Folder Traversal)W1.1 Description:W1.2 Systems impacted:W1.3 CVE entries:W1.4 How to determine if you are vulnerable:W1.5 How to protect against it:W2—ISAPI Extension Buffer OverflowsW2.1 Description:W2.2 Systems impacted:W2.3 CVE entries:W2.4 How to determine if you are vulnerable:W2.5 How to protect against it:W3—IIS RDS Exploit (Microsoft Remote Data Services)W3.1 Description:W3.2 Systems impacted:W3.3 CVE entries:W3.4 How to determine if you are vulnerable:W3.5 How to protect against it:W4—NETBIOS—Unprotected Windows Networking SharesW4.1 Description:W4.2 Systems impacted:W4.3 CVE entries:W4.4 How to determine if you are vulnerable:W4.5 How to protect against it:W5—Information Leakage Via Null Session ConnectionsW5.1 Description:W5.2 Systems impacted:W5.3 CVE entries:W5.4 How to determine if you are vulnerable:W5.5 How to protect against it:W6—Weak Hashing in SAM (LM Hash)W6.1 Description:W6.2 Systems impacted:W6.3 CVE entries:W6.4 How to determine if you are vulnerable:W6.5 How to protect against it:U1—Buffer Overflows in RPC ServicesU1.1 Description:U1.2 Systems impacted:U1.3 CVE entries:U1.4 How to determine if you are vulnerable:U1.5 How to protect against it:U2—Sendmail VulnerabilitiesU2.1 Description:U2.2 Systems impacted:U2.3 CVE entries:U2.4 How to determine if you are vulnerable:U2.5 How to protect against it:U3—Bind WeaknessesU3.1 Description:U3.2 Systems impacted:U3.3 CVE entries:U3.4 How to determine if you are vulnerable:U3.5 How to protect against it:U4—R CommandsU4.1 Description:U4.2 Systems impacted:U4.3 CVE entries:U4.4 How to determine if you are vulnerable:U4.5 How to protect against it:U5—LPD (Remote Print Protocol Daemon)U5.1 Description:U5.2 Systems impacted:U5.3 CVE entries:U5.4 How to determine if you are vulnerable:U5.5 How to protect against it:U6—Sadmind and MountdU6.1 Description:U6.2 Systems impacted:U6.3 CVE entries:U6.4 How to determine if you are vulnerable:U6.5 How to protect against it:U7—Default SNMP StringsU7.1 Description:U7.2 Systems impacted:U7.3 CVE entries:U7.4 How to determine if you are vulnerable:U7.5 How to protect against it:Appendix A—Common Vulnerable PortsAppendix B—The Experts Who Helped Create the Top Ten and Top Twenty Internet Vulnerability Lists

Content preview from Hack I.T.: Security Through Penetration Testing

Chapter 7. Testing Internal Penetration

Most organizations concentrate on the external computer security threat and do not put as much emphasis on securing systems from internal threats. However, statistics show that a large amount of unauthorized activity comes from internal sources. For most organizations this means the internal network is where the company is most vulnerable. Internal users have already bypassed many physical controls designed to protect computer resources. Therefore, the company needs to take further steps to protect itself from the internal hacker threat. Internal penetration testing can help identify resources that are internally vulnerable and assist the system administrator in plugging these holes. While internal security ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Hands-On Web Penetration Testing with Metasploit

Publisher Resources

ISBN: 0201719568Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Hack I.T.: Security Through Penetration Testing

by T. J. Klevinsky, Scott Laliberte, Ajay Gupta

Chapter 7. Testing Internal Penetration

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.