book

Security Power Tools

Name: Security Power Tools
ISBN: 9780596009632

by Bryan Burns, Dave Killion, Nicolas Beauchesne, Eric Moret, Julien Sobrier, Michael Lynn, Eric Markham, Chris Iezzoni, Philippe Biondi, Jennifer Stisa Granick, Steve Manzuik, Paul Guersch

August 2007

Intermediate to advanced

856 pages

25h 19m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Security Power Tools
Foreword
Credits
About the Author
Preface
AudienceAssumptions This Book MakesContents of This BookLegal and EthicsReconnaissancePenetrationControlDefenseMonitoringDiscoveryConventions Used in This BookUsing Code ExamplesWe’d Like to Hear from YouSafari® Books OnlineAcknowledgments
I. Legal and Ethics
1. Legal and Ethics Issues
Core IssuesBe Able to Identify These Legal TopicsComputer Trespass Laws: No “Hacking” AllowedWhat Does It Mean to Access or Use a Computer?What Is Adequate Authorization to Access a Computer?Common Law Computer TrespassCase Study: Active DefenseLaw and Ethics: Protecting Yourself from Computer Trespass ClaimsReverse EngineeringCopyright Law and Reverse EngineeringWhat to do to protect yourself with fair useReverse Engineering, Contracts, and Trade Secret LawWhat to do to protect yourselfReverse Engineering and Anti-Circumvention RulesWhat to do to protect yourself when working in DMCAVulnerability ReportingWhat to do to protect yourself when reporting vulnerabilitiesWhat to Do from Now On
II. Reconnaissance
2. Network Scanning
How Scanners WorkTCP ScanningUDP ScanningSuperuser PrivilegesThree Network Scanners to ConsiderHost DiscoveryDealing with Blocked PingsChoosing the Right PortsCombining Multiple Host Scan TechniquesPort ScanningDefault Port RangesSpecifying Custom PortsNmapUnicornscanScanrandSpecifying Targets to ScanDifferent Scan TypesUDP Scan TypesTCP Scan TypesSpecial TCP Scan Types in NmapAn Example of Using Multiple Scan TypesTuning the Scan SpeedNmapUnicornscanScanrandApplication FingerprintingOperating System DetectionSaving Nmap OutputResuming Nmap ScansAvoiding DetectionIdle ScansDecoysConclusion
3. Vulnerability Scanning
NessusLicenseArchitectureTenable Security CenterWindows ConfigurationLinux ConfigurationLocal VulnerabilitiesNetwork ScanScan ResultsPolicy ConfigurationPlug-insPlug-in Code ExampleLinux Command LineWindows Command LineNiktoTypes of VulnerabilitiesCommand LineEvasion TechniquesWebInspectPurposeWebInspect ScanPolicy TuningSettings TuningReport AnalysisFalse Positives AnalysisWebInspect ToolsAssessment Management Platform (AMP)
4. LAN Reconnaissance
Mapping the LANUsing ettercap and arpspoof on a Switched NetworkRunning ettercapRunning arpspoof from the dsniff suiteDealing with Static ARP TablesUsing macof to Stupefy a SwitchSuper-Stealthy SniffingGetting Information from the LANLogging Packet DataFiltering Incoming PacketsFingerprinting LAN HostsSniffing Plain-Text PasswordsShadow BrowsingManipulating Packet Data

5. Wireless Reconnaissance
Get the Right Wardriving Gear802.11 Network Basics802.11 FramesHow Wireless Discovery Tools WorkNetstumblerKismet at a GlanceUsing KismetSorting the Kismet Network ListUsing Network Groups with KismetUsing Kismet to Find Networks by Probe RequestsKismet GPS Support Using gpsdGenerating MapsKismet Location TrackingLooking Closer at Traffic with KismetCapturing Packets and Decrypting Traffic with KismetWireshark at a GlanceEnabling rfmon ModeLinuxOpenBSD, NetBSD, and FreeBSDMac OS XWindowsUsing WiresharkAirDefense MobileAirMagnet AnalyzersOther Wardriving ToolsAiropeekKisMac
6. Custom Packet Generation
Why Create Custom Packets?Custom Packet Example: Ping of DeathHpingGetting Started with Hping2Hping2’s LimitationsScapyDecode, Do Not InterpretProbe Once, Interpret Many TimesScapy’s LimitationsWorking with ScapyCreating and Manipulating Packets with ScapyNavigating Between LayersScapy Tips and ShortcutsLooking only at the custom data in a packetViewing computed data in a packetDecoding the packet payload differentlySprintf shortcut for creating custom packetsOperations on packet listsProducing a simple diagram of packet flowSending and interacting with ScapySuper-socketsBuilding Custom Tools with ScapyStudying a New ProtocolWriting Add-OnsExamples of creating Scapy add-onsTest CampaignsPacket-Crafting Examples with ScapyARP Cache PoisoningTracerouting: A Step-by-Step ExampleTraceroute and NATFirewalkingSliced Network ScanFuzzingPacket Mangling with NetfilterTransparent ProxyingQUEUE and NFQUEUEReferences
III. Penetration
7. Metasploit
Metasploit InterfacesThe Metasploit ConsoleThe Metasploit Command-Line InterfaceThe Metasploit Web InterfaceUpdating MetasploitChoosing an ExploitChoosing a PayloadMetasploit PayloadsChoosing a Payload VariantSetting OptionsHidden OptionsRunning an ExploitDebugging ExploitationManaging Sessions and JobsSessionsJobsThe MeterpreterSome Useful Meterpreter CommandsMeterpreter Session ExampleSecurity Device EvasionSample Evasion OutputEvasion Using NOPs and EncodersNOP GeneratorsPayload EncodersIn Conclusion
8. Wireless Penetration
WEP and WPA EncryptionAircrackInstalling Aircrack-ngWindows InstallationLinux InstallationRunning Aircrack-ngAirpwnBasic Airpwn UsageCommand-Line OptionsAirpwn Configuration FilesUsing Airpwn on WEP-Encrypted NetworksScripting with AirpwnKarmaInstalling KarmaScanning for VictimsBasic ConfigurationProxy Network TrafficConclusion
9. Exploitation Framework Applications
Task OverviewOther Framework AdvantagesCore Impact OverviewRunning Core Impact Behind a NATAutomatic Network Penetration with Core ImpactNetwork Reconnaissance with Core ImpactImporting Module Information with Core ImpactCore Impact Exploit Search EngineRunning an ExploitBypassing Core Impact’s Exploit Version RestrictionsRunning MacrosThe Local SideUsing the Mini-ShellBouncing Off an Installed AgentEnabling an Agent to Survive a RebootMass Scale ExploitationWriting Modules for Core ImpactThe Canvas Exploit FrameworkThe Covertness BarPorting Exploits Within CanvasUsing Canvas from the Command LineDigging Deeper with CanvasAdvanced Exploitation with MOSDEFWriting Exploits for CanvasExploiting Alternative Tools
10. Custom Exploitation
Understanding VulnerabilitiesPerforming a Simple ExploitAnalyzing ShellcodeDisassemblersThe libopcode Disassembling LibraryThe libdisasm Disassembling LibraryTesting ShellcodeInclusion into a C FileA Shellcode LoaderDebugging ShellcodeCreating ShellcodenasmGNU Compiler CollectionQuick glance at the binary-building internalsBuilding shellcode from assembly languageBuilding shellcode in CThe SFlib LibraryWhat SFLib looks likeUsing SFLibShellForgeGetting startedCross-platform generationLoadersInline shellcodingInlineEggMetasploit Framework’s msfpayloadDisguising Shellcodealpha2Metasploit Framework’s msfencoderExecution Flow HijackingMetasploit Framework’s msfelfscan and msfpescanEEREAPCode InjectionReferences
IV. Control
11. Backdoors
Choosing a BackdoorVNCCreating and Packaging a VNC BackdoorConsolidating the BackdoorPackaging VNC As a BackdoorConnecting to and Removing the VNC BackdoorRemoving the BackdoorBack Orifice 2000Configuring a BO2k ServerSetting VariablesMinimum ConfigurationIO plug-inEncryption plug-inAuthentication plug-inControl plug-insConfiguring a BO2k ClientAdding New Servers to the BO2k WorkspaceUsing the BO2k BackdoorBO2k PowertoolsServer SetupClient SetupThe BO Tools Connect To windowUsing the File BrowserUsing the Registry EditorA Sneak Peek at the Backdoor’s Desktop with BO PeepBO Peep installation and configurationThe VidStream listenerThe VidStream clientThe Hijack listenerThe Hijack clientEncryption for BO2k CommunicationsConcealing the BO2k ProtocolRemoving BO2kA Few Unix BackdoorsA Simple Unix BackdoorNetcatA Simple Netcat BackdoorCrontab and NetcatLots of Options
12. Rootkits
Windows Rootkit: Hacker DefenderConfiguring hxdefMaking hxdef harder to detectConnecting to Hacker Defender’s BackdoorInstall/uninstall/reconfigure hxdefUninstalling a process you cannot seeLinux Rootkit: Adore-ngInstalling AdoreUsing AdoreDetecting Rootkits TechniquesSignature ScannerInspecting Dangerous CallsDifferentiating Call ResultsLooking for HooksSystem IntegrityWindows Rootkit DetectorsRootkit RevealerIceSwordFunctionalities of IceSwordFinding a rootkit and killing itRemoving the rootkit with IceSwordLinux Rootkit DetectorsKstatInterface lookupListing processesInvestigating individual processesExamining the syscall tableZeppooChkrootkitDetecting new rootkitsUsing safe binariesIn the cronCleaning an Infected SystemThe Future of Rootkits
V. Defense
13. Proactive Defense: Firewalls
Firewall BasicsRouter/Network Address Translation RouterEndpoint/HostTransparent/Bridge FirewallThe ToolsSecuring ConceptsAllowing limited inbound connectionsTightening inbound connections by hostFurther InvestigationNetwork Address TranslationSetting Up a Basic NAT GatewayNAT with Inbound Service MappingSecuring BSD Systems with ipfw/natdInitial SetupInbound Connection Blocking with BSD ipfw/natdAllowing Inbound Connections with BSD ipfw2/natdFiltering Connections with BSD ipfw2/natdBSD ipfw2/natd NAT GatewayInbound Service Mapping with BSD ipfw2/natdSecuring GNU/Linux Systems with netfilter/iptablesInitial SetupInbound Connection Blocking with NetfilterFiltering Connections with NetfilterAllowing Inbound Connections with NetfilterNetfilter NAT GatewayInbound Service Mapping with NetfilterInternet-in-a-Box: All Traffic to One Destination Using NetfilterSecuring Windows Systems with Windows Firewall/Internet Connection SharingInitial SetupInbound Connection Blocking with Windows FW/ICSAllowing Inbound Connections with Windows FW/ICSFiltering Connections with Windows FW/ICSA Windows FW/ICS NAT GatewayInbound Service Mapping with Windows FW/ICSVerifying Your Coverage
14. Host Hardening
Controlling ServicesTurning Off What You Do Not NeedLimiting AccesssudosudowinIssues with sudowinLimiting DamageMounting Volumes As noexecControlling the Linux Kernel Through /proc/sys/proc/sys/kernel/cap-bound/proc/sys/net/proc/sys/kernel/modprobeBastille LinuxSELinuxEnabling SELinuxTransparent Usage of SELinuxTweaking SELinux’s PolicyLocal SELinux Policy GenerationUnderlying SELinux Principle of OperationsPassword CrackingJohn the RipperRainbow CrackingChrootingSandboxing with OS VirtualizationCooperative LinuxKVMOpenVZ: OS-Level VirtualizationParallelsQEMUUserMode Linux: ParavirtualizationVMWareXen: ParavirtulizationVirtualization Summary
15. Securing Communications
The SSH-2 ProtocolThe Transport LayerThe User Authentication LayerThe Connection LayerSSH ConfigurationServer ConfigurationUser Access RestrictionSSH Client ConnectionTune the Client’s ConfigurationSSH AuthenticationSSH ShortcomingsSSH Man-in-the-Middle AttacksHost Public Key Distribution with DNSSECUser’s Public Key DistributionUser’s Key Operation RestrictionsSSH TroubleshootingThe Client Is Logged Out Just After Logging InFile PermissionsRestrictions to Users or GroupsRemote File Access with SSHFile CopyFTP Through SSHFile SynchronizationRemote FilesystemSource Code TransferSSH Advanced UseAgent ForwardingX and Port ForwardingEscape SequencesPerpetual Tunneling with autosshStoring Your SSH Private Key on a USB DriveUsing SSH Under WindowsCygwinPuTTYWinSCPSecureCRTFile and Email Signing and EncryptionGPGTheory of OperationsHow to Obtain Public KeysWeb of TrustIn PracticeCreate Your GPG KeysAdding SubkeysDifferent Keys for Different AddressesModify Your Web of Trust ModelImport of Public KeysRevoke a KeyEncryption and Signature with GPGFile SignatureEmail Encryption and SignaturePGP Versus GPG CompatibilityEncryption and Signature with S/MIMEX.509 CertificateS/MIMECertificate AuthorityS/MIME Versus GPG/PGPStunnelSSL Versus TLSCreate an X.509 CertificateClient EncryptionServer EncryptionClient and Server EncryptionTransparent ProxyDisk EncryptionWindows Filesystem Encryption with PGP DiskLinux Filesystem Encryption with LUKSComparing dm-crypt to cryptoloop and loop-AESConclusion
16. Email Security and Anti-Spam
Norton AntivirusInstallation TestConfiguration TuningFailed testsUpdatesThe ClamAV ProjectClamWinConfigurationFreshclamHow to Run FreshclamExamples of Commands for FreshclamClamscanclamd and clamdscanOn-Access ScanningClamd As a Network ServerClamd CommandsTest clamscan and clamdscan/clamdclamscan or clamdscan?ClamAV Virus SignaturesMD5 SignaturesHexadecimal SignaturesAdvanced Hexadecimal SignaturesHTML SignaturesProcmailMail Delivery ChainBasic Procmail RulesExamplesAdvanced Procmail RulesScoringClamAV with ProcmailUnsolicited EmailSpam Filtering with Bayesian FiltersSpamprobeAutomate the Learning PhaseMaintenanceSpamProbe with ProcmailInconvenientSpamAssassinConfiguration FilesSpamAssassin VariablesAdministrator SettingsSpamAssassin RulesMeta TestsScoreWhitelist and BlacklistLanguageBayesian FilterPlug-ins for SpamAssassinCollaborative Plug-insSpamAssassin Network TestsSpamAssassin with ProcmailSpamAssassin As a Daemon or ServerClamAV, SpamProbe, and SpamAssassin with ProcmailAnti-Phishing ToolsEmail FilteringToolbar for Web BrowsersConclusion
17. Device Security Testing
Replay Traffic with TcpreplayWhat and How to TesttcpreplayRewrite Packets with TcpreplayMAC addressIP addressTCP/UDP portTcpreplay with Two InterfacesflowreplayTomahawkTraffic IQ ProSetupReplay Traffic FilesAttack FilesStandard Traffic FilesScanImport Custom Packet CapturesPacket EditingConclusionISIC SuiteNetwork Setupesicisic, icmpsic, tcpsic, udpsic, and multisicAutomationProtos
VI. Monitoring
18. Network Capture
tcpdumpBasicsBerkeley Packet Filter (BPF)Writing Packets to DiskAdvanced BPF FilteringAdvanced Dump DisplayUsing tcpdump to Extract PacketsEthereal/WiresharkBasicsStarting a CaptureCaptureDisplay OptionsName ResolutionLoading a Previously Created CaptureViewing a CaptureBasic Wireshark Display FiltersAdvanced Wireshark Display FiltersSaving Select Packets to DiskPacket ColorizationOverriding Default Protocol DecodersTShark TechniquesWireshark StatisticsSetting Useful Defaultspcap Utilities: tcpflow and NetdudetcpflowBasicsNetdudeBasicsCleaning up a botched pcap fileEditing packet payloadsPython/Scapy Script Fixes ChecksumsBasicsConclusion
19. Network Monitoring
SnortDifferent Snort ModesWriting Signatures for SnortPassive Network MappingStealth EthernetDisabling a RuleChanging the Default Port of a ServiceSnort PreprocessorExcluding Authorized ScansLog AnalysisUpdating RulesBlocking Port ScanFrom a NIDS to an ILDSProtocols that should be monitoredLimitations of Snort as an ILDSMonitoring Network UsageImplementing SnortNIDSUser MonitoringILDSHoneypot MonitoringThe Value of a HoneypotUsing Honeyd to Emulate a ServerUsing Honeyd to Emulate a NetworkUsing Honeyd As a Tar PitImplementing HoneydWriting New Scripts with HoneydJailHoneyView and Log ManagementGluing the Stuff Together
20. Host Monitoring
Using File Integrity CheckersFile Integrity HashingThe Do-It-Yourself Way with rpmverifyComparing File Integrity CheckersAfickAideIntegritRemote Filesystem Checker (RFC)Samhain/BeltaneOpen Source TripwirePrepping the Environment for Samhain and TripwireSamhainTripwireDatabase Initialization with Samhain and TripwireSamhainTripwireSecuring the Baseline Storage with Samhain and TripwireSamhainTripwireRunning Filesystem Checks with Samhain and TripwireSamhainTripwireManaging File Changes and Updating Storage Database with Samhain and TripwireSamhainTripwireRecognizing Malicious Activity with Samhain and TripwireTripwireSamhainLog Monitoring with LogwatchImproving Logwatch’s FiltersHost Monitoring in Large Environments with Prelude-IDSLog CorrelationConclusion
VII. Discovery
21. Forensics
NetstatFinding a Linux Backdoor with NetstatFinding a Windows Backdoor with NetstatThe Forensic ToolKitHfind.exe: Discover Hidden FilesSfind.exe: Discover Files Hidden in Alternate Data StreamsFileStat.exe: Very Detailed Data on a Specific FileThe Security DescriptorFile streamsTimestampsWorking with Alternate Data StreamsSysinternalsAutoruns: What Runs Without Your Help?Trimming down the listRootkitRevealer: Rooting Out RootkitsRootkitRevealer from the consoleStreams: Find and Delete Data Hidden in Streams the Sysinternals WayTCPView: A Graphical NetstatProcess Explorer: Powerful Process ManagementReplacing the Task Manager with Process ExplorerRun as...Now What?
22. Application Fuzzing
Which Fuzzer to UseDifferent Types of Fuzzers for Different TasksBlock-Based FuzzersRiotFlipperInline Fault InjectionSetting Up a Network Fuzzer Test BedThe clientThe fuzzerThe server/targetGathering Information of the Target’s SideWriting a Fuzzer with SpikeThe Spike APIReversing a Protocol with SpikeFile-Fuzzing AppsPaiMeiFileFuzzFuzzing Web ApplicationsConfiguring WebProxyAutomatic Fuzzing with WebInspectNext-Generation FuzzingFuzzing or Not Fuzzing
23. Binary Reverse Engineering
Interactive DisassemblerOpening the BinarySpecial casesSearching in IDASearching for text stringsSearching for immediate valuesDefining Data TypesStructures and unionsAn exampleEnumerationsAnnotating the CodeSetting commentsMarking positionsAn exampleCode NavigationTracking the Flow of ExecutionCross-referenceFlow chartsTracking function callsUsing Subview WindowsFunctions windowStrings windowNames windowImports and exports windowsDebugging with IDAInitial configurationSetting breakpoints and watchpointsStepping through the programExamining dataTracingTaking a memory snapshotRemote debuggingConfiguring the clientConfiguring the remote hostFinding the BugsMaking Scripts with IDCIDC Hello WorldFunctions and variablesExpressions and statementsInteracting with the IDA databaseAdding graphical interfacesFaking global variables with arraysMaking hotkeysAutomating large tasksUsing IDA Plug-insSysinternalsRegMonFileMonSetting FiltersOllyDbgThe BasicsSetting breakpoints and watchpointsStepping through the programAnimated steppingExamining dataNavigating Through the DisassemblyUsing bookmarksEditing DataCopying and pasting binary sectionsThe patches windowUndoing editsSaving your changesUsing OllyDbg with the FreeCiv Case StudyFinding the location of interestMaking our changesRunning the hackOther ToolsSoftICEHT
Index
About the Authors
Colophon
Copyright

Content preview from Security Power Tools

Chapter 9. Exploitation Framework Applications

Exploit frameworks were first developed with the main objective of facilitating the task of exploit writing, which normally requires a range of diverse skills. A good working exploit requires many steps and laborious work to properly craft from scratch. Exploit frameworks were developed to remove much of the hard work.

This chapter first provides an overview of the various tasks that must be done in order to create a good exploit, and how exploit frameworks relate to those tasks. It then introduces a couple of the available exploit frameworks and how to use them to make exploit writing an easier task. Frameworks covered include Core Impact (starting in Core Impact Overview), and Immunity Canvas (starting in The Canvas Exploit Framework). Metasploit is covered separately in Chapter 7.

Task Overview

Anyone who has performed their own vulnerability research knows that taking the step from finding an issue, such as a buffer overflow, to actually exploiting that issue can be a daunting one. Once you have overwritten the execution point, the next task is finding a valid return address that can be used to reach your code. In some cases, finding that return address for your specific setup is easy, but it can be a lot harder to find one that will work while taking into account varied and even unknown configurations. For example, there are many variations of Microsoft Windows, and few people have each software version available in a test lab. Exploit ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9780596009632Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Security Power Tools

by Bryan Burns, Dave Killion, Nicolas Beauchesne, Eric Moret, Julien Sobrier, Michael Lynn, Eric Markham, Chris Iezzoni, Philippe Biondi, Jennifer Stisa Granick, Steve Manzuik, Paul Guersch

Chapter 9. Exploitation Framework Applications

Task Overview

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.