Monday, August 7, 2023

The Network Security Test Lab



  • The Network Security Test Lab: A Step-by-Step Guide is a publication of John Wiley & Sons, Inc. and may not be reproduced, stored in a retrieval system, or transmitted in any form or by any means, except with the prior written permission of the Publisher. The publisher and the author make no representations or warranties about the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. Wiley publishes in a variety of print and electronic formats and by print-on-demand. If you purchased a version of this book that does not include a CD or DVD, you may download this material at .
  • Michael Gregg is CEO of Superior Solutions, Inc., a Houston-based IT security consulting firm, and has more than 20 years of experience in the IT field. He has authored or co-authored more than 20 books and has appeared as an expert commentator for network broadcast outlets and print publications.
  • The book was edited by Sydney Argenta, technically edited by Rob Shimonski, produced by Kathleen Wisor, and copyedited by Marylouise Wiack.
  • I would like to thank Christine, Betty, Curly, and all my family, as well as Wiley for their help and support.
  • Chapter 2: Passive Information Gathering covers topics such as scrutinizing key employees, dumpster diving (electronic), analyzing web page coding, exploiting website authentication methods, mining job ads and sensitive financial data, using Google to mine sensitive information, and identifying web server software.
  • Later chapters cover automating encryption and tunneling techniques, and enumeration: enumeration of systems, router and firewall enumeration, Windows enumeration, Server Message Block and Interprocess Communication enumeration, Windows enumeration countermeasures, and Linux/Unix enumeration.
  • Chapter 7 discusses automated attack and penetration tools; the surrounding sections cover CrypTool, extracting an e-mail username and password, RainbowCrack, John the Ripper, and vulnerability assessment tools.
  • Later contents: Building Snort Rules, Logging with Snort, Advanced Snort: Detecting Buffer Overflows, Responding to Attacks and Intrusions, Analyzing Malware, Building a Testbed, Virtual and Physical Targets, Operating Systems, Network Isolation, Testbed Tools, Malware Analysis Techniques, Static Analysis, Dynamic Analysis, Summary.
  • This book is for individuals who want to learn more about specific security tools, gain hands-on experience using those tools, or who want to get the skills needed to advance at work or move to a new position.
  • This book will walk you through the process of building a hardware and software test platform, passive information gathering, and packet analysis. You will learn how to detect live systems and analyze results, how to apply effective countermeasures, how to automate encryption and tunneling techniques, and how to secure wireless systems. You will also learn how to use rootkit detectors and spyware tools, and use integrity verification programs.
  • This chapter introduces intrusion detection systems and discusses the ways in which malware can be analyzed. It also reviews the skills needed to deal with the aftermath of a security breach. This book is designed for the individual with intermediate skills who seeks to set up and build a working security test lab. It is divided into several chapters which can be used to gain additional skills and knowledge. Tools are the most important thing you will need as you start to read this book. You will also need a mixture of Linux and Windows systems to launch the tools and others to act as targets.
  • The Network Security Test Lab is designed to take readers to the next stage of personal knowledge and skill development, by providing real world implementation details. It also helps readers advance toward obtaining more complex security certifications.
  • This book is for those who need to better understand the importance of IT security. It will walk you through what you need to set up a hardware/ software test platform, and examine some common tools that will make your analysis easier. No two networks are the same, and they change over time. This chapter provides the first step in building your own network security lab.
  • Building a hardware and software test platform is an important step in developing a network security strategy because it provides a controlled environment in which unexpected events are nonexistent or at least minimized. If you are installing a patch on a production system, you should first test the patch on a test network. If you are installing a new piece of code, you should first test it on a test network. Building a lab requires you to become familiar with the basics of wiring, signal distribution, switching, and routing, as well as the mix of common network protocols.
  • Building a hardware and software test platform is the best way to learn about modern networks and to observe the interaction between systems and networking devices. Advancing in your field is almost never an accident. Building a lab demonstrates your desire and ability to study and control networks, and can help you uncover gifts that you did not previously realize you possessed. You will learn a lot by experimenting with the network resources in your lab, but no manual can account for every single situation and interaction you may encounter. By building your own network security lab, you can try new things without negatively impacting the work of others. This allows you to gain a detailed understanding of how things are put together and how they normally interact.
  • Building a hardware and software test platform is a great way to prepare for a certification exam. Many students don't have much money in their IT budget, but you can find the equipment you need at a reasonable price. Before you can get started with any testing, you need to assemble some hardware. This can include computers, networking tools, cables, network-attached storage (NAS), hubs, switches, routers, removable disk storage, an Internet connection, Cisco equipment, and wireless access points.
  • In your network lab, you will need a variety of cables and tools for building and testing cables. Crossover and loopback adapters can prove handy, too. Hubs, switches, and routers are the building blocks of network infrastructure. Cisco products are prevalent, so it is a good idea to include some in the mix. If you are borrowing WiFi from your neighbor's open access point, upgrade to a dedicated connection and get a firewall. This will help protect your primary network from unpleasant things that can occur on the network in your lab. When building a computer network, you will need table space, shelving, power strips, surge suppressors, a UPS, and a KVM switching arrangement. You will also need a fast processor, a lot of memory, and a bunch of disk space.
  • Building a hardware and software test platform requires an Intel Core i5 system with 32GB of RAM and an internal 1TB SATA hard drive. Removable disk storage, such as USB and NAS, can be handy for holding copies of configuration files, downloaded software, and whatever else you may need. You can build your lab from many sources, including equipment you already have, new equipment purchases, and used equipment purchases. If you are doing this on the job, you will have to work with the appropriate supervisors to obtain the equipment you need. Start with a small collection of obvious needed items, such as several PCs, laptops, a router, a hub or switch, an Internet connection, and a handful of cables.
  • If you don't have much retired or spare equipment available, you might have to buy new equipment for your lab. If you can get all the funds approved, you may decide that a few key components are best bought new, and the other odds and ends can then be filled in on the cheap. PCs are the most important part of the lab, and you can buy a decently equipped Dell open source desktop machine for around $500. Be careful with regard to memory prices, and look for the breakpoint in the pricing where there seems to be an extraordinary price jump relative to the increase in drive size. If you are building your own security lab for home use, you can save a substantial amount of money by purchasing used computers, networking equipment, and parts.
  • You can find used items at independent computer stores; some flea market vendors specialize in used computer equipment, and some web sites specialize in exactly this kind of thing. Computer companies often sell refurbished systems and components. These items are often returned by customers, or have minor cosmetic defects, and are sold through various channels such as the Internet. Online auctions are a little different from the bidding process that you may be familiar with, and the winning bid may be placed three days before the auction's closing, or three seconds before. Buyers should look closely at any additional fees or charges that are placed on the final bid.
  • Monitor auctions close to their closing time to make sure that you don't miss a valuable item over a few dollars. eBay is a great place to start your search for a specific item, and it is helpful to know the market price. eBay transactions often avoid state sales taxes, but shipping and handling charges may well offset these savings. Shipping times can also vary considerably. Thrift stores are a good place to find used computer and network items. You may be able to find equipment useful for building your lab in a computer-centric area such as San Francisco, California, or Austin, Texas.
  • Building a hardware and software test platform involves purchasing a monitor, a computer system, and old licensed software. When companies have employee sales, they are often interested in getting rid of equipment that is probably going to be donated, recycled, or discarded. The price is right, and you might want to take advantage of this kind of opportunity. Modern computer systems can run a second, third, fourth, or more operating systems on one physical computer by using a virtual machine (VM). Virtual machines are a huge trend and can be used for development, system administration and production.
  • Virtual servers run on a virtual emulation of the hardware layer. Hypervisors can be type 1 or type 2, and type 1 hypervisors run directly on the hardware, while type 2 hypervisors run on top of an underlying host operating system.
  • This lab uses a type 2 hypervisor on a Windows 7 host, with several virtual systems loaded as guest operating systems, to build a hardware and software test platform. VMware virtualization is the process of emulating hardware inside a virtual machine. It was developed by VMware in the late 1990s and is a good choice for your lab because it lets you easily test security tools, try out upgrades, and study for certification exams.
  • To build a hardware and software test platform, you can use VMware Player, VMware Player Pro, and VMware Workstation. VMware Player is free, while VMware Workstation is more advanced and supports snapshots. To install VMware Workstation on your host OS, you need to either purchase a copy or download an evaluation copy. You need about 25MB of memory to download and install VMware Workstation, and you will need at least 8GB for each virtual OS you install.
  • Installing VMware Workstation on a Windows system involves reading the end-user license agreement, selecting a folder in which to install, turning off AutoRun, removing any previous versions of VMware Workstation, and rebooting your computer after the installation process is complete.
  • Figure 1-4: Choose the typical option to install the VMware Workstation. Enter a serial number to start loading virtual operating systems. VMware Workstation includes a help file, a few shortcuts, and a number of utility programs. You can also install VirtualBox, which is the only professional virtualization solution that is freely available as open-source software under the terms of the GNU General Public License.
  • You will want to get started by downloading a copy of Chapter 1 from . NOTE: If you want to use a Mac, there are a few virtualization options, including VMware Fusion, Parallels Desktop, and VM VirtualBox. A WiFi adapter is a crucial piece of hacking gear. Lock picks are small, pointed tools that are used to manipulate a lock's components to open it without a key. Tension wrenches and picks are used together to pick locks, and scrapping is one of the easiest techniques to learn.
  • If you want to test your organization's physical defenses, you should get a lock-picking set and a set of bump keys. Keystroke loggers are undetectable except for their physical presence, and are often installed while users are away from their desks. Some loggers have Bluetooth capability so that keystrokes can be wirelessly retrieved. Phreakers used phreak boxes to perform their attacks in the 1960s and 1970s. They used blue boxes to make free long-distance calls, red boxes to duplicate tones of coins being dropped into a pay phone, and orange boxes to eavesdrop.
  • Before you get too excited about making free phone calls, remember that most of this technology does not work on modern telephone systems because they use out-of-band signaling. John Draper discovered how to use a toy whistle from a box of Cap'n Crunch to make free calls. Steve Wozniak was so obsessed by the new technology that he called John Draper and asked if he could come visit him at his University of California, Berkeley, dorm. This section looks at software requirements, including operating systems and software. If you are building your own network security lab, picking the right software is critical.
  • Building a hardware and software test platform is a great way to maximize your budget by using virtual servers. You should never run test software or experiment on a production network. Microsoft Windows is a family of operating systems that was developed over the past 20 years. It includes Windows 3.11, Windows for Workgroups, Windows NT 3.5, Windows 7, Windows 8, and Windows 10. If you can find an old copy of Windows 2003 Server, this might be a good choice, or you could install Windows 7. Make sure that your computer meets the minimum requirements before installing Windows 7.
  • Windows 7's requirements are much easier to meet than those of Windows Server 2012, but you should check the Hardware Compatibility List (HCL) to make sure that your hardware is compatible before you begin installation. Table 1-2 (Windows OS priorities) rates each version as acceptable for some testing, not a requirement, or nice to have. Linux is a Unix-like OS that can run on your Intel-based PC. It is economical, well designed, and offers good performance.
  • Linux distributions are easily available and can typically be downloaded for free. Kali Linux is included as a downloadable version on the Wiley website, and you can use the image to install Kali Linux onto a system or make a bootable DVD. This section of the chapter takes a closer look at installing Linux and reviews some of the basic features. It also provides links to each specific version's website.
  • To make an ISO file usable, you need to convert the ISO into a bootable disk using a CD/DVD writer and burning program. Then you need to change your computer's BIOS to boot from the CD-ROM. To install Fedora Security Lab, burn an ISO image to a CD using Nero Ultra Edition, the ISO Recorder power toy, or Roxio Easy Media Creator Suite.
  • You can use the fedora-live-i iso to build a hardware and software test platform. After burning the CD, restart your computer and allow the computer to continue booting up. Fedora Security Lab is installed as a bootable disk, and the first thing you should know is that Linux is case sensitive, that files and directories have ownership permissions, and that the root account can change system settings. Linux partitions are not based on FAT or NTFS, Linux path names contain forward slashes, and Linux does not use drive letters. The Linux filesystem is a hierarchical structure that contains all the information on the computer.
  • A Linux system contains the root directory, several user directories, common Linux user commands, a device manager, administrative configuration files, the passwd file, the shadow file, and a variety of other user and administrative commands and files. On a Linux system, directories and files can be set up so that access can be controlled. The ls -l command displays the current permissions, owner, and group for a file or directory, and the first letter indicates whether the item is a directory or a file.
  • In the permission string shown by ls -l, the three characters after the type character specify the access rights of the owning user, the next three specify the group rights, and the last three specify the access rights of all others. The chmod command is used to change the access permissions of a file or set of files. It can be used in symbolic and absolute modes, and works with three permissions: read, write, and execute. The objective of this section is to review some Linux basics, including the Terminal window, which is similar to the command prompt in Windows. The following table lists just a few basic Linux commands and their functions.
  • Basic Linux commands include cat, cd, chmod, ifconfig, kill, ls, man, mv, passwd, ps, rm, and pwd. Linux requires that user accounts have a password, but by default it will not prevent you from leaving a password blank. The encrypted password was once kept with the account information under /etc, and is now stored in the /etc/shadow file for additional security.
  • Linux systems use salts to add a layer of randomness to the passwords. The salt is 32 characters long and begins with $1$. The world of computing used to be a much more trusting place, but now passwords are kept in a shadow file that is readable only by root. This helps keep unauthorized users from taking a peek at encrypted passwords. Hashes are considered one-way functions, and two identical inputs always produce the same hash, which is why a salt is needed. Salts provide that second layer of randomness and are stored as the first two characters of the encrypted password.
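The ls -l and chmod discussion above can be made concrete with a small converter. This is an added example written for this page, not code from the book; the function names, the chmod subset it handles, and the directory listing it audits are all my own constructions, and the listing is not output captured from a real system.

```python
"""Translate ls -l permission strings to numeric modes, apply chmod-style
symbolic changes, and audit a directory listing for risky permissions.
Added example; the listing below is constructed, not real system output."""
import re
import stat

MODE_RE = re.compile(r"^[-dlcbps]([rwxsStT-]{9})$")

def parse_ls_mode(mode_str):
    """Convert an ls -l mode column such as '-rwxr-x---' to an integer (0o750).
    s/S and t/T in an execute slot mean setuid, setgid or sticky; lower case
    means the execute bit is also set, upper case means it is not."""
    m = MODE_RE.match(mode_str)
    if not m:
        raise ValueError(f"not an ls -l mode string: {mode_str!r}")
    perms = m.group(1)
    bits = 0
    for who, offset, shift in (("u", 0, 6), ("g", 3, 3), ("o", 6, 0)):
        r, w, x = perms[offset:offset + 3]
        if r == "r":
            bits |= 4 << shift
        if w == "w":
            bits |= 2 << shift
        if x in "xst":
            bits |= 1 << shift
        if x in "sS" and who == "u":
            bits |= stat.S_ISUID
        if x in "sS" and who == "g":
            bits |= stat.S_ISGID
        if x in "tT" and who == "o":
            bits |= stat.S_ISVTX
    return bits

def to_ls_mode(bits):
    """Render a numeric mode back to ls -l form for a regular file, e.g. 0o754 -> '-rwxr-xr--'."""
    return stat.filemode(stat.S_IFREG | bits)

WHO_MASK = {"u": 0o700, "g": 0o070, "o": 0o007, "a": 0o777}
PERM_BITS = {"r": 0o444, "w": 0o222, "x": 0o111}

def apply_symbolic(bits, spec):
    """Apply a chmod symbolic spec such as 'u+x,g-w,o=r' to a numeric mode.
    Only r, w and x are handled; setuid/setgid/sticky bits are left untouched."""
    for clause in spec.split(","):
        m = re.match(r"^([ugoa]*)([+=-])([rwx]*)$", clause)
        if not m:
            raise ValueError(f"bad chmod clause: {clause!r}")
        who, op, perms = m.groups()
        mask = 0
        for w in (who or "a"):        # chmod treats a missing who as 'a'
            mask |= WHO_MASK[w]
        want = 0
        for p in perms:
            want |= PERM_BITS[p] & mask
        if op == "+":
            bits |= want
        elif op == "-":
            bits &= ~want
        else:                         # '=' replaces the selected classes' rwx bits entirely
            bits = (bits & ~mask) | want
    return bits

def audit_listing(listing):
    """Flag world-writable and setuid/setgid entries in ls -l output (defender's check)."""
    findings = []
    for line in listing.splitlines():
        fields = line.split(None, 8)  # mode links owner group size month day time name
        if len(fields) < 9:
            continue
        bits, name = parse_ls_mode(fields[0]), fields[8]
        if bits & stat.S_IWOTH:
            findings.append((name, "world-writable"))
        if bits & (stat.S_ISUID | stat.S_ISGID):
            findings.append((name, "setuid/setgid"))
    return findings

# Constructed listing (not captured from a real system).
SAMPLE_LISTING = """\
-rwsr-xr-x 1 root  root  54256 Jan  5 10:00 /usr/bin/passwd
-rw-rw-rw- 1 alice staff   120 Feb  2 09:12 notes.txt
-rw-r----- 1 root  shadow  900 Mar  1 08:00 /etc/shadow
"""

if __name__ == "__main__":
    print(oct(parse_ls_mode("-rwxr-x---")))             # 0o750
    print(to_ls_mode(apply_symbolic(0o750, "o=r")))   # -rwxr-xr--
    print(audit_listing(SAMPLE_LISTING))
```

The audit function is the part worth keeping in a lab: run it over a real `ls -l` capture of a freshly built VM and any world-writable file or unexpected setuid binary shows up before it becomes a surprise in a later exercise.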
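To show what the shadow file and its salts look like in practice, here is an added example (mine, not the book's): it parses constructed /etc/shadow-style lines, classifies blank, locked and hashed accounts, pulls out the algorithm id and salt, and demonstrates with an illustrative PBKDF2-based hash that the same password hashed under two salts gives two different values. The entries and hash strings are placeholders I made up; the crypt(3) id table reflects the common prefixes ($1$, $5$, $6$, $2y$, $y$), and the salted-hash helper is a stand-in for the real crypt formats, not an implementation of them.

```python
"""Parse /etc/shadow-style entries, classify each account's password field,
and show why a salt matters. Added example; the entries below are constructed
and the hash strings in them are placeholders, not real hashes."""
import hashlib

# crypt(3) prefix ids commonly seen in /etc/shadow
HASH_IDS = {"1": "md5-crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
            "5": "sha256-crypt", "6": "sha512-crypt", "y": "yescrypt"}

# Constructed sample; the hash fields are placeholders.
SAMPLE_SHADOW = """\
root:$6$rounds=5000$saltsaltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
alice::19000:0:99999:7:::
bob:$1$abcdefgh$PLACEHOLDERHASH:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
"""

def parse_shadow_line(line):
    """Return a dict describing one shadow entry: name, status and, for hashed
    entries, the algorithm and the salt portion of the password field."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 colon-separated fields: {line!r}")
    name, pw = fields[0], fields[1]
    entry = {"name": name, "max_days": int(fields[4]) if fields[4] else None}
    if pw == "":
        entry["status"] = "blank"        # login succeeds with no password at all
    elif pw.startswith(("!", "*")):
        entry["status"] = "locked"       # no password can ever match
    elif pw.startswith("$"):
        parts = pw.split("$")            # ['', id, (rounds=N,) salt, hash]
        entry["status"] = "hashed"
        entry["algorithm"] = HASH_IDS.get(parts[1], "unknown")
        entry["salt"] = parts[3] if parts[2].startswith("rounds=") else parts[2]
    else:
        entry["status"] = "hashed"       # traditional DES crypt: 2-character salt prefix
        entry["algorithm"] = "des-crypt"
        entry["salt"] = pw[:2]
    return entry

def audit_shadow(text):
    """Flag blank passwords and legacy hash algorithms; a defender's check for a lab image."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = parse_shadow_line(line)
        if e["status"] == "blank":
            findings.append((e["name"], "blank password"))
        elif e.get("algorithm") in ("md5-crypt", "des-crypt"):
            findings.append((e["name"], f"weak hash ({e['algorithm']})"))
    return findings

def salted_hash(password, salt, iterations=100_000):
    """Illustrative salted, iterated hash (PBKDF2-HMAC-SHA256). The crypt(3)
    formats differ in detail but rest on the same idea: the salt is mixed in
    before hashing, so identical passwords no longer produce identical hashes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def same_password_different_hashes(password):
    """True when two salts give two different hashes and the same salt reproduces the same hash."""
    h1 = salted_hash(password, b"salt-one")
    h2 = salted_hash(password, b"salt-two")
    return h1 != h2 and h1 == salted_hash(password, b"salt-one")
```

Running `audit_shadow` against the constructed sample reports alice (blank password) and bob (md5-crypt); root's sha512-crypt entry, and the locked svc and daemon accounts, pass. The same parser works on a shadow file copied out of a lab VM, which is a quick way to confirm that no guest image shipped with an empty root password.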
  • Mac OS X is a Unix/FreeBSD-based operating system that was designed to meet current and future computing needs. It will not run on Intel-based personal computers aside from Apple's own, so you will have to weigh the benefits and costs of investing in this technology. Alpha testing is performed by programmers and quality engineers, and beta testing is performed by prospective users. This second round of testing gives the programmers, quality engineers, and users a good look at the end product. Security tools have been around for quite some time, and Dan Farmer and Wietse Venema created one of the first vulnerability-assessment programs called Security Administrator Tool for Analyzing Networks (SATAN). SATAN was useful to both security administrators and hackers. In 1995, SATAN was a groundbreaking network vulnerability tool that scanned 2,200 Internet hosts without the permission of the owners and found that more than half were vulnerable to attack. It was designed to run from a web browser and formatted the results in a summary fashion. Client-side security tools can be used to scan for vulnerabilities, probe for holes, and assess security. Make sure you have authorization before using them on a network. Learning applications allow you to gain practical hands-on experience in application and network security. These applications can be used in a lab environment to help you analyze common security problems and misconfigurations.
  • Figure 1-9: The Vulnhub website is useful to the security professional. Next on the list is Damn Vulnerable Linux, which is a Linux distribution that has been loaded with broken, buggy, outdated, and exploitable software to allow individuals like you to explore code injection, buffer overflows, shell code development, web exploitation, and SQL injection.
  • Building a network lab requires the use of a range of software and applications that are widely used by hackers and security professionals alike. These tools can be used for good or malicious purposes, and the best place to start gathering tools is this site. Several tools deserve honorable mention: Wireshark, Metasploit, Nessus, Aircrack, a diverse Windows exploitation tool, Netcat (a command-line back-end tunneling tool), John the Ripper (a password-recovery tool), Burp Suite, and IDA Pro.
  • This book won't spend much time examining virus generators or remote access Trojans, but keep in mind they do exist. Building your own security lab is not difficult and does not need to be particularly expensive. It provides a setting in which you can work with hacking tools without impacting other network users. You need to install Windows and Linux operating systems because they are the most popular desktop OS and backend server for many major firms around the world. Linux is also an important platform for security tool development. This chapter discussed how to do more with less by using virtualization. It also looked at some learning applications, such as Damn Vulnerable Linux, which enable you to set up a complex environment, such as an online bank, and look at the processes and interactions between the client and server.
  • This chapter helped you set up the hardware and software platform you will be using for the rest of this book and to learn more about networks and security controls. A CD or DVD image can be stored as a single file yet represents the complete structure of an optical disk. A mandatory access control system restricts access to objects based on the sensitivity of the information contained in the objects and the formal authorization of subjects to access information of such sensitivity.
  • Virtualization is the creation of a software implementation of a hardware device, WiFi detectors are devices used to detect wireless signals, and wireless access points bridge wired and wireless networks. Exercises: Select a location for the lab, specify the floor space needed, determine the external network connections, determine the computer and server hardware requirements, determine the required operating systems, determine the required application software, determine any utilities or other software required, and acquire the workspace needed.
  • Obtain the network infrastructure hardware, computer hardware, software, tools, and test equipment, set up the network, and install VMware Workstation on a Toshiba Satellite L70-BBT2N22 Laptop with Windows 7 Professional. Explore some of the options of VMware Workstation, and install Kali, Fedora Security Spin, and Damn Vulnerable Linux.
  • These images will work well to demonstrate exploits in later chapters. To install Windows 2003 Server, open VMware, choose New Virtual Machine, and let the wizard step you through the setup. Using VMware Converter, you can convert an existing physical computer to a virtual machine, and the following steps walk you through that process.
  • If you have decided to use VirtualBox instead of VMware Workstation, you can explore some of the ready-to-use images that are available to download. List the version and description of the operating systems and then click Next to create a VMware image. To run Kali from VMware, copy the kali.iso file onto the hard drive, select New Virtual Machine, and name the virtual machine Kali.
  • If you have completed all the previous exercises, you now have several Linux and Windows virtual machines. You should consider installing some tools on your Windows virtual machine to help you test the tools and reduce the chance of something going wrong with your base lab system.
  • In this chapter, we will learn how to utilize our new test lab, and how to use our brain to gather information. This is important when applying for a security position, because we are selling our ability to think and reason. I will show you how to protect your organization from nontechnical security leaks. This chapter explores the ways in which information leakage can damage an organization and the huge amount of information that is publicly available.
  • The attacker will use a web browser and an Internet connection to search for information about the target, such as a domain name, IP address, physical address and location, phone number, or type of database used. You can find financial data on an organization's or target's website, and sometimes an attacker can use information from an acquired company to attack the primary target.
  • Passive information gathering can be done by leapfrogging to the primary target, and the best way to mitigate this risk is to minimize the amount of information that is made public or easily accessible on the company's website. Potential attackers can use information obtained from a dumpster to launch a number of attacks, including dumpster diving and wardriving. They can also use this information to look for operation manuals, configuration guides, passwords, account numbers, or even organizational charts and employee directories.
  • Dumpster diving for information is risky because someone can get too much information about personal or private matters. In the lab, you need to practice what you preach and shred old CDs, degauss or wipe hard drives that are no longer needed, and shred any paper documents that should not end up in the hands of another. One hacker equipped his cat Coco with a WiFi-sniffing collar and GPS to map all the networks in the neighborhood that would be vulnerable to any intruder or WiFi hacker. Open wireless connections can be risky because unauthorized individuals may get access through your network or use your organization as a base for attacks against others. You can mitigate these risks by turning on encryption and physically protecting access points.
  • Passive information gathering can be used to gain access to resources and assets that attackers covet. The corporate board of directors and any list of key employees can be used for social engineering. When reviewing names on a website, you might find the names of several key employees. If an attacker is located close by, he or she can drive to the published location of these employees and check to see if they have wireless connectivity.
  • Many sites like ZabaSearch have a mapping feature built right in, and ZoomInfo can be used to research job listings, personal information, and company information. If you find that a risk exists, you need to look at the opt-out options in as many sites as possible to limit the risk.
  • The Internet Archive is home to the Wayback Machine, which contains somewhere around 435 billion web pages that have been archived. You can search the site to see if your organization is leaking too much information, and you should consider finding organizations that use good information-control practices.
  • To prevent passive information gathering, you should define robots.txt and remove any inappropriate or unnecessary information from the organization's website. Employees can become disgruntled for various reasons, including layoffs and downsizing, mergers and acquisitions, and outsourcing. These unhappy individuals are potential sources of information leakage, and attackers can always find ways to obtain information that may not seem like a problem or issue to the organization.
  • Maltego is a tool for passive information gathering that displays information from open sources in a graph format. The risk from third-party sites is real. You should explore the web and examine employee blogs and other third-party sites for names that are close to your own organization or that may contain the word sucks. FOCA allows a security professional to mine a website for metadata, URLs, documents published on a website, and the version of software on clients and servers. An attacker can use this information to craft an attack.
  • Passive information gathering involves going through each web page and analyzing the source code. A site ripper is a good way to speed up the process of gathering information by making a duplicate of the website that can be stored on your local hard drive.
  • A site-ripper application called BlackWidow allows you to see displayed HTML code, source code, links, addresses, and more. Teleport Pro, Wget, and Website Ripper are tools that enable you to rip websites and review them locally. By using these tools, you can mitigate the risk of unauthorized individuals uncovering addresses, hidden links, vulnerable scripts, and even passwords.
  • When examining the source code of a site, look for hidden fields. Hidden fields are a poor coding practice because they can be easily overcome by reviewing the code. If you examine your organization's website and find one of these fields, an attacker can use this to hack the website. Just save the web page locally, open the source code, modify the amount, and save the page. Hidden fields that accept negative values are a major security risk. An attacker may try to feed large amounts of data into the field to see how the application responds.
  • Passive information gathering is used by malicious users to make web applications misbehave if the design doesn't include proper validation. You can mitigate the risk of the server trusting hidden fields and other browser-generated data by making sure that the server accepts only known good input. In the lab, you can examine hidden-field practices by searching for "type=hidden name=price" on Google. If you find such vulnerabilities in your own organization's site, note your findings and report them to management. Authentication is part of triple A, which stands for authentication, authorization, and accountability. There are many different types of authentication used by websites, including basic, forms-based, and message digest authentication.
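The two halves of the hidden-field discussion, finding the fields during a review of your own site and making the server accept only known good input, can be shown side by side. This is an added example of my own, not code from the book or from any site it mentions: the checkout form, the catalog and the function names are constructed, and the price list stands in for whatever server-side source of truth a real application would use.

```python
"""Find hidden form fields in a page and show server-side handling that does not
trust them. Added example; the form and catalog below are constructed."""
from html.parser import HTMLParser

# Constructed checkout form of the kind the text describes: the price is a hidden field.
SAMPLE_FORM = """\
<form action="/checkout" method="post">
  <input type="hidden" name="price" value="19.99">
  <input type="hidden" name="sku" value="WIDGET-1">
  <input type="text" name="qty" value="1">
  <input type="submit" value="Buy">
</form>
"""

class HiddenFieldFinder(HTMLParser):
    """Collect (name, value) pairs for every <input type="hidden"> on a page."""
    def __init__(self):
        super().__init__()
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "hidden":
            self.hidden.append((a.get("name"), a.get("value")))

def find_hidden_fields(html):
    """Audit helper for your own site: list hidden fields so each one can be reviewed."""
    parser = HiddenFieldFinder()
    parser.feed(html)
    return parser.hidden

# Server-side price list in cents (constructed); the browser never gets to set a price.
CATALOG = {"WIDGET-1": 1999}

def checkout(form):
    """Compute an order total from known-good inputs only.
    Any 'price' the browser sends is ignored; sku and qty are validated."""
    sku = form.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity must be an integer") from None
    if not 1 <= qty <= 100:                 # rejects negative and absurd quantities
        raise ValueError("quantity out of range")
    return CATALOG[sku] * qty

def safe_checkout(form):
    """Wrapper returning (ok, total_or_error) so outcomes can be inspected without exceptions."""
    try:
        return True, checkout(form)
    except ValueError as exc:
        return False, str(exc)
```

With this shape, editing the hidden `price` to a negative value changes nothing on the server, because the total is computed from the catalog and the validated quantity alone; the hidden field is at most a hint, never an input the server acts on.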
  • Basic authentication uses Base64 encoding, so the credentials are still effectively in cleartext. A malicious individual could intercept the packet containing the basic authentication header and use several tools to compromise it. Forms-based authentication uses a cookie to keep track of information about a user. If a cookie is stolen or hijacked, a malicious individual can use the cookie to spoof the victim at the targeted website. In the header "Set-Cookie: UID= dwlrxtatawtlc3bhc3n3b3jkbqoncg; expires=fri, 08-Aug-2014", the UID value appears to be random characters or some type of coding, but when decoded it ends up as mike:mikesp@ssw0rd.
  • Because Base64 is weak, message digest authentication uses the MD5 hashing algorithm instead. Message digest authentication is based on challenge-response authentication and uses a nonce value, which makes it much more resistant to cracking and makes sniffing attacks useless. Certificate-based authentication is the strongest form of authentication discussed so far. The web server verifies the validity of the certificate's signature and then authenticates the user by using public key cryptography. Cookies can provide too much information, so reduce the number of cookies your system accepts and periodically remove them from the browser cache. If your organization is using cookies, closely examine what they are and how they are being used.
  • Job postings can serve as a starting point to understanding the technologies used by an organization. For example, a job listing for a Senior Network Engineer might mention the organization uses Cisco Routers, Switches, Firewalls, and Load Balancers. In the lab, you want to check out the target organization's job postings to see if they are giving too much information. Work with management to reduce the specific hardware and software details provided.
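The Basic, cookie and Digest points above fit in one added example, written for this page rather than taken from the book. It decodes a constructed `Authorization: Basic` value, applies a heuristic that flags a cookie whose value Base64-decodes to readable `user:password` text (the cookie value here is one I constructed; the page's own Set-Cookie value is not reproduced), and computes the RFC 2617 Digest response without `qop` to show that a server which issues single-use nonces rejects a replayed response even though the hash in it is correct. The realm name, URI and credentials are made up.

```python
"""Decode a Basic Authorization header, flag cookies that carry encoded credentials,
and show how Digest authentication's nonce defeats replay of a sniffed response.
Added example; all header values and credentials below are constructed."""
import base64
import binascii
import hashlib
import secrets

def decode_basic_authorization(header_value):
    """Return (user, password) from an 'Authorization: Basic <token>' value.
    Base64 is reversible encoding, not encryption: whoever sees the header sees the password."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not Basic authentication")
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError("token is not valid Base64") from exc
    user, sep, password = raw.decode("utf-8", "replace").partition(":")
    if not sep:
        raise ValueError("decoded token has no user:password separator")
    return user, password

def cookie_leaks_credentials(cookie_value):
    """Heuristic check for a cookie whose value Base64-decodes to printable 'user:secret' text.
    Random session identifiers fail this test; encoded credentials pass it."""
    padded = cookie_value + "=" * (-len(cookie_value) % 4)
    try:
        raw = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return False
    return raw.isprintable() and ":" in raw

def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 Digest response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()

def issue_nonce(issued):
    """Server side: mint a fresh nonce and remember it as outstanding."""
    nonce = secrets.token_hex(16)
    issued.add(nonce)
    return nonce

def verify_digest(issued, user, realm, password, method, uri, nonce, response):
    """Server side: accept only a nonce we issued and have not yet consumed, then compare
    in constant time. A replayed (nonce, response) pair fails even though its hash is right."""
    if nonce not in issued:
        return False
    issued.discard(nonce)
    expected = digest_response(user, realm, password, method, uri, nonce)
    return secrets.compare_digest(expected, response)

def replay_demo():
    """Client computes one response; the first presentation succeeds, the replay fails."""
    issued = set()
    nonce = issue_nonce(issued)
    response = digest_response("mike", "lab", "mikesp@ssw0rd", "GET", "/secret", nonce)
    first = verify_digest(issued, "mike", "lab", "mikesp@ssw0rd", "GET", "/secret", nonce, response)
    replay = verify_digest(issued, "mike", "lab", "mikesp@ssw0rd", "GET", "/secret", nonce, response)
    return first, replay
```

The cookie heuristic is deliberately narrow: it only catches the pattern the text describes, an encoded `user:password` string, and it will not recognise credentials hidden behind any other transformation. It is still a useful first pass over the Set-Cookie headers your own application emits.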
  • If you want to continue your electronic dumpster diving, look at the financial health and status of the targeted organization at the website. Look for entity names that differ from the parent organization and record this information when you start researching the IANA and ARIN databases.
  • For UK-based companies, examine the Companies House web page; it is a one-stop shop for business information, and Dun & Bradstreet is a leading source of information and insight on businesses. Although denial of service (DoS) attacks for fun have been on the decline for some years, they are still a powerful tool that can be used for extortion. Companies targeted for attacks have two possible choices: pay up and hope they're not targeted again, or install protective measures. Your organization may be giving too much information to third parties. Work with HR and others to limit the amount of information provided, and post job ads as company-confidential on third-party sites. Using advanced operators in combination with key terms, you can use Google to uncover sensitive information.
  • Google can be told to search only within the text of a particular type of file or within a specified URL of a document. The allinurl operator directs Google to search within hyperlinks for a specific term; for example, allinurl:tsweb/default.htm searches URLs for the tsweb/default.htm string, which an attacker can use to gain logical access. A Google Hacking Database search can be used to check for leaks at your organization's web server and to provide management with examples of the types of leakage that occur, their impact, and suggestions on how to address the problem. There are several ways to find out who owns a specific website on the Internet, including the IP address and type of web server.
  • The Internet Society governs the Internet and is responsible for maintaining the central coordinating functions of the global Internet for the public good. It also manages domain names and addresses and works with the Internet Engineering Task Force on specific Requests for Comments (RFCs) and high-level protocols such as IP. Domain proxies allow you to mask the true owner's identity, which can prevent individuals from obtaining names, phone numbers, or other information about domain ownership.
  • To obtain a WHOIS record for the SMU.edu domain, you must first visit the top-level domain page at the IANA site and then proceed to the domain name page. Here you will see the various top-level domains and how to obtain a WHOIS record for each.
  • Passive information gathering attempts can be made through the .gov domain, the .edu domain, the .mil domain, and the .int domain. You should place a title in both of the contact-name fields and not use a real name, because attackers are looking for information to exploit.
  • The IANA domain details can be used for social engineering, spoofing, and the discovery of any naming scheme. The final field contains DNS information, which is useful for reviewing your own organization's DNS records.
  • The Regional Internet Registries (RIRs) are responsible for overseeing the regional distribution of IP addresses within a geographical region of the world. You can use the ARIN website to uncover initial domain information.
  • If you cannot implement a domain proxy, you can mitigate these risks by setting up generic titles, phone numbers, and nondescript addresses that are used only with WHOIS. You can also use IP address information and websites such as DSHIELD to implement better security controls. The Domain Name System (DNS) is used as a type of phonebook to resolve known domain names to unknown IP addresses.
  • The DNS root servers are essential to the operation of the Internet. There are 13 root servers, most of which are located in the United States. A DNS cache is a collection of DNS records that is maintained by a DNS server. A computer can check its own DNS cache by typing the ipconfig /displaydns command at the command line.
  • Using this command, you can display information about DNS records, such as the record name, the Time To Live (TTL) value of the cached DNS record as measured in seconds, data length, section, and, lastly, the record type. Using nslookup, you can get machine name and address information for an IP address or domain name. You may want to record this type of information, as you can use it later when working with additional tools. You can explore this vulnerability in the lab by configuring a Microsoft server to be a DNS server. Make sure that the server is properly configured, and that you return your lab computers to their proper settings after exploration. Netcraft is a great tool for identifying web server software, because it grabs the banner of a website and provides details about the web server software being used.
  • Passive information gathering methods include using a script to print information such as the date first seen, DNS admin, organisation, last reboot, netblock owner, history 1 and history 2, and using the Telnet client to observe the results. Banner-grabbing and website fingerprinting sites can provide information about what type of web server the targeted organization is running. You can mitigate these risks by changing the banner of the web server or using tools that suppress such information.
  • The location of the web server can be determined by using a traceroute command. This command increments the TTL field of the IP header and generates an ICMP 11 message if the host is unreachable. Tracing a route to [ ] over a maximum of 30 hops takes 10 seconds for each hop, and draws a visual map that displays the path and destination. Several good GUI-based traceroute tools are available. Hping is a tool that can be used to trace routes behind a firewall. It evaluates returned packets and tracks accepted, rejected, and dropped packets.
  • To mitigate risks from passive information gathering, configure routers and firewalls to provide as little information as possible. You can use Visualtrace to trace your own organization and others to determine how these tools work. This chapter looked at what is possible with little more than an Internet connection and a browser. It was meant to drive home the point that security is not just about firewalls and intrusion detection, but also about information protection and control.
  • Domain name servers translate alphanumeric domain names into IP addresses and vice versa, and the EDGAR database maintains a listing of publicly traded U.S. firms. Forms-based authentication utilizes cookies to cache usernames and passwords, and Google hacking uses hidden fields. Message digest authentication uses cryptographic hashing functions to verify a message, and is implemented by sending the hash of the original value combined with a nonce value. Site rippers copy entire websites for later offsite viewing, and social engineering tricks employees into revealing sensitive data.
  • You have been assigned to a client company and are asked to perform an analysis of the gigabytes of log entries that have been gathered by the client organization. You must use your extensive knowledge of DNS, RIRs, and other tools to fill in the rest. Use Table 2-4 to fill in information about the target company that you should seek to acquire.
  • Passive information gathering involves doing an EDGAR search on your company, finding all websites that link back to the company's website, viewing the company's website, doing search engine searches, and preparing some information to take back to your company pertaining to the information the company is providing to the public.
  • In this task, you are given the opportunity to practice some Google hacking techniques. You are required to grab a banner with Telnet and then with Netcat.
  • Telnet is a way of grabbing web server banners. Netcat is another way of grabbing web server banners.
  • Once the file has been created and saved, run Netcat with the following parameters: nc -vv webserver 80 < head.txt. 5. Observe the results: HTTP/ Bad Request Server: Microsoft-IIS/6.0 Date: Tue, 29 Nov :12:01 GMT Content-Type: text/html Content-Length: 91
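As an added example (not the book's code), the following Python audit of a raw HTTP response ties the points above together from the defender's side: it decodes a Base64-encoded cookie value the way the UID cookie was decoded, reports a cookie that lacks the Secure and HttpOnly attributes, notes a Basic authentication challenge, and flags a version-revealing Server banner like the one the Netcat lab returns. The response bytes and the account it reveals are constructed for the example.

```python
"""Audit one raw HTTP response for the header weaknesses discussed above.

Added example, not the book's code. The response below is constructed for
the example; the decoded credentials belong to a fictional account.
"""
import base64
import binascii
import re

# Constructed response: an IIS-style banner, a Basic auth challenge, a cookie
# carrying Base64 "user:password" with no Secure/HttpOnly, and a sane cookie.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"WWW-Authenticate: Basic realm=\"intranet\"\r\n"
    b"Set-Cookie: UID=bWlrZTptaWtlc3Bhc3N3b3Jk; expires=Fri, 08-Aug-2014 00:00:00 GMT\r\n"
    b"Set-Cookie: session=3f9a1c; Secure; HttpOnly; Path=/\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html>denied</html>"
)


def parse_response(raw: bytes):
    """Return (status line, [(lowercased header name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def try_base64(value: str):
    """Decode a Base64 token (padding may be stripped, as in many cookies).
    Returns the text if it decodes to printable ASCII, otherwise None."""
    token = value.strip()
    if not re.fullmatch(r"[A-Za-z0-9+/]+=*", token):
        return None
    token += "=" * (-len(token) % 4)
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def audit_response(raw: bytes) -> list:
    """Return a list of human-readable findings for the response headers."""
    _status, headers = parse_response(raw)
    findings = []
    for name, value in headers:
        if name == "server" and re.search(r"/\d", value):
            findings.append(f"Server banner discloses product and version: {value}")
        elif name == "www-authenticate" and value.lower().startswith("basic"):
            findings.append("Basic authentication offered: credentials travel Base64-encoded, not encrypted")
        elif name == "set-cookie":
            cookie, *attrs = (p.strip() for p in value.split(";"))
            cname, _, cval = cookie.partition("=")
            attr_names = {a.partition("=")[0].lower() for a in attrs}
            decoded = try_base64(cval)
            if decoded and ":" in decoded:
                findings.append(f"Cookie {cname} holds Base64-encoded credentials: {decoded}")
            for flag in ("secure", "httponly"):
                if flag not in attr_names:
                    findings.append(f"Cookie {cname} lacks the {flag} attribute")
    return findings


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE):
        print(finding)
```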
  • This chapter takes an in-depth look at network traffic analysis and discusses the tools used to capture network traffic. It also discusses why packet analysis is important and how to interpret all this data once you have captured it. All network problems can be traced down to the packet level, and packet analysis offers an understanding of how something really works.
  • Packet analysis helps you learn how to capture network traffic, determine how port scanners and other analysis tools work, identify malicious traffic, learn how malware works, and perform intrusion analysis. There are six ways to capture network traffic on a switched network: port mirroring, hubbing out/using a tap, ARP cache poisoning, flooding, and DHCP redirection. Promiscuous mode: sniffers can place a hosting system's network card into promiscuous mode, which allows it to receive all the data it can see, not just packets addressed to it. This is where tools such as WinPcap and LibPcap come into play. When you put your device into promiscuous mode, you should consider the RJ-45 wall jack that you are plugging into. Hubs are basic multiport networking devices that allow all the connected devices to communicate with one another. A Throwing Star LAN Tap is a handy tool for meeting this need, and allows anyone to monitor Ethernet communications.
  • Switches have the ability to learn which device is connected to each of the active ports of the switch, and segment traffic so that a hacker sniffing on one port will never see the traffic on other ports. Modern switches can operate at higher layers, and can work with different headers. VLANs allow devices on different physical LAN segments to communicate with each other as if they were all on the same logical LAN.
  • To capture network traffic, you must be on your local network or on a prominent intermediary point and connected to a hub, switch, or border router through which traffic passes. Hubs are basically shared bandwidth, whereas switches separate collision domains.
  • When connecting to a switch, you will have to do something to get all of the traffic redirected to you. There are several ways to do this, some of which are built into the switch, while others are used only by attackers. Managed switches have greater functionality and cost more, but they can accomplish more tasks. Network loop attacks can occur when the Spanning Tree Protocol (STP) is not used, and can be launched maliciously or simply by someone misconnecting a networking cable.
  • Because monitoring devices have a harder time examining traffic on switched networks than on non-switched networks, port mirroring is used. Port mirroring allows you to configure one port to receive copies of all the packets from all other ports, or just from selected ones.
  • While port mirroring works well in corporate environments, attackers can redirect traffic without spanning a port. ARP cache poisoning is a technique for intercepting network traffic that would otherwise not be able to be seen. It works by resolving known IP addresses to unknown MAC addresses, much like domain name service (DNS) resolves known domain names to unknown IP addresses.
  • ARP requests are broadcast to all IP addresses, including 1, 2, and 3. IP address 2 replies back via unicast with an ARP reply containing the physical address of 02-FE-05-A. This information is placed in the ARP cache and held there for a short period of time. ARP is a simple protocol that consists of two message types: an ARP Request and an ARP Reply. It is possible to manipulate the ARP process to bypass the functionality of a switch by sending unsolicited ARP replies.
  • ARP cache poisoning involves sending bogus ARP requests and replies to the switch and other devices to attempt to steer traffic to the sniffing system. The MAC address being spoofed is usually the router, and so the attacker can capture all outbound traffic. A man-in-the-middle attack can occur using ARP cache poisoning. The attacker can modify the packets before sending them on to their true destination, perform packet analysis for useful information, or record the packets for an attempted session replay later.
  • To use Cain & Abel for ARP cache poisoning, select the Sniffer tab from the Cain & Abel main page, and then select the second icon from the left on the toolbar, which resembles a NIC. Click OK to enable the proper network adapter.
  • To use the Cain & Abel MAC Address Scanner, right-click anywhere in the unpopulated screen to bring up the MAC Address Scanner dialog box, select all tests and click OK, and then click the yellow-and-black radiation symbol on Cain & Abel's toolbar.
  • Cain & Abel lets you pick a target to sniff, and then launches the attack. When you are finished, click the yellow-and-black radiation symbol again to stop ARP cache poisoning, and observe the results.
  • Arpspoof is a tool that redirects packets from a target system on the LAN intended for another host on the LAN by forging ARP replies. Ettercap is one of the most feared ARP cache poisoning tools because it can be used for ARP cache poisoning, passive sniffing, as a protocol decoder, and as a packet grabber. MAC flooding is another potential way to redirect network traffic so that you can capture it.
  • There are other ways to intercept network traffic besides simply manipulating a switch. One of them is to trick the user into sending the traffic to you via Dynamic Host Configuration Protocol (DHCP). A hacker can use a rogue DHCP server to redirect traffic to their own IP address and thereby compromise network access. This can be done by running a resource starvation tool and attempting to lease all of the available DHCP addresses.
  • A tethered 4G hotspot can be used to attack a network using packet analysis. Tools such as DHCPstarv, Yersinia, and Gobbler have been designed to carry out this type of attack. Gobbler is a command-line tool that scans a network for rogue servers and DHCP exhaustion / MAC spoofing attacks. It can be used to start a sniffer, traceroute to a target, ICMP ping a target, and detect OS and port information. The gobbler program uses a spoofed MAC address to scan for open ports, and skips rescanning filtered ports. It displays a linked list of gobbled hosts after every update.
  • DHCP redirect attacks are just another variation on the classic man-in-the-middle attack. The technique clearly places an attacker in-line and offers them the ability to sniff the client s traffic. There are still other ways someone can redirect traffic for packet capture, such as misuse of the ICMP protocol, and ARP cache poisoning. Information technology professionals generally redirect network traffic with port mirroring, but what can be done to stop all the techniques just discussed?
  • There are several ways to enforce port security and block unauthorized individuals from redirecting traffic, including Dynamic Address Inspection (DAI), DHCP snooping, and VLAN hopping prevention. DAI can stop ARP cache poisoning and flooding, and can be used to define trusted and untrusted interfaces. DAI prevents attackers from successfully launching ARP cache poisoning attacks by monitoring the number of ARP packets on each secured switch port. MAC limiting and DHCP snooping can also help protect your network from flooding attacks.
  • To enable DHCP snooping, you first need to enable DHCP globally on the switch, then enable it on each individual VLAN, and finally configure each port that will be trusted. DHCP snooping helps secure network traffic by ensuring that hosts use only the IP addresses assigned to them and certifies that only authorized DHCP servers are accessible. It can also help prevent ARP cache poisoning and unauthorized data interception. VLAN hopping occurs when an attacker tags traffic in order to hop from one VLAN to another. To prevent this, you should configure all unused ports as access ports and disable automatic trunking.
  • Unused ports should be placed in a shutdown state and associated with a VLAN designated just for unused ports to prevent unauthorized individuals from capturing useful data. Monitoring ARP traffic, watching DNS transactions, listening for responses to invalid packets, testing for network latency, and scanning the network for hosts that are performing a large number of address lookups can all be used to detect devices in promiscuous mode.
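The ARP cache poisoning and rogue DHCP techniques described above leave a recognisable trace in captured traffic, and the checks a switch makes with DAI and DHCP snooping can be modelled in software against a span-port or tap feed. As an added example (not the book's code), this Python detector flags unsolicited ARP replies, IP-to-MAC binding conflicts (with the gateway called out separately), and DHCP offers from a server MAC outside the trusted set; the event list and addresses are constructed for the example.

```python
"""Flag ARP cache poisoning and rogue DHCP offers in a stream of captured L2 events.

Added example, not the book's code. It models in software the checks a switch
performs with DAI (IP-to-MAC binding consistency) and DHCP snooping (offers
only from trusted servers); the event list is constructed for the example.
"""

# Constructed policy: the gateway address and the MAC of the only legitimate DHCP server.
GATEWAY_IP = "10.0.0.1"
TRUSTED_DHCP_SERVER_MACS = {"00:11:22:33:44:01"}

# Constructed events: (seconds, kind, sender_mac, sender_ip, target_ip)
# kind is "arp-request", "arp-reply" or "dhcp-offer" (sender_ip = offering server).
EVENTS = [
    (0.0, "arp-request", "00:11:22:33:44:10", "10.0.0.10", "10.0.0.1"),    # host asks for gateway
    (0.1, "arp-reply",   "00:11:22:33:44:01", "10.0.0.1",  "10.0.0.10"),   # real gateway answers
    (5.0, "arp-reply",   "00:11:22:33:44:99", "10.0.0.1",  "10.0.0.10"),   # nobody asked; new MAC for gateway
    (5.0, "arp-reply",   "00:11:22:33:44:99", "10.0.0.10", "10.0.0.1"),    # same MAC now claims the host too
    (9.0, "dhcp-offer",  "00:11:22:33:44:77", "10.0.0.250", "10.0.0.20"),  # offer from an unknown server
    (9.5, "dhcp-offer",  "00:11:22:33:44:01", "10.0.0.1",  "10.0.0.20"),   # offer from the trusted server
]


def analyze(events, gateway_ip=GATEWAY_IP, trusted_dhcp=TRUSTED_DHCP_SERVER_MACS, window=2.0):
    """Return alerts as (time, alert_type, ip, mac) tuples, in event order.

    Alert types:
      unsolicited-arp-reply  reply with no matching request in the last `window` seconds
      ip-mac-conflict        an IP already bound to one MAC is claimed by another
      gateway-impersonation  the conflict is for the gateway address (full MITM position)
      rogue-dhcp-offer       a DHCP offer from a MAC outside the trusted server set
    """
    bindings = {}   # ip -> first MAC seen for it (the DAI-style binding table)
    requests = {}   # (requester_ip, target_ip) -> time of the latest ARP request
    alerts = []
    for ts, kind, mac, sip, tip in events:
        if kind == "arp-request":
            requests[(sip, tip)] = ts
            bindings.setdefault(sip, mac)          # a request also reveals the asker's binding
        elif kind == "arp-reply":
            asked = requests.get((tip, sip))
            if asked is None or ts - asked > window:
                alerts.append((ts, "unsolicited-arp-reply", sip, mac))
            known = bindings.setdefault(sip, mac)
            if known != mac:
                alert = "gateway-impersonation" if sip == gateway_ip else "ip-mac-conflict"
                alerts.append((ts, alert, sip, mac))
        elif kind == "dhcp-offer":
            if mac not in trusted_dhcp:
                alerts.append((ts, "rogue-dhcp-offer", sip, mac))
    return alerts


if __name__ == "__main__":
    for alert in analyze(EVENTS):
        print(alert)
```

The binding-conflict check is the same condition Wireshark surfaces with its arp.duplicate-address-detected expert field, so the output can be cross-checked against a capture in the lab.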
  • If the device is in promiscuous mode, detection of latency can be hidden by using a one-way data cable, and if you have local access to the system you believe is in promiscuous mode, you can examine the network configuration. When the interface is placed in promiscuous mode, the PROMISC keyword appears in the attributes section. If an attacker has compromised the security of the host on which you run this command, they can easily affect the output of the ifconfig command. There are also tools that can be used to automate the detection process.
  • To detect the unauthorized use of promiscuous network cards, you can use a honeypot to lure in the attacker or anyone who might be sniffing or watching for sensitive network traffic. A honeypot can be used with an IDS to alert you to any network traffic using the honeytoken. Wireshark is a network traffic analysis tool that allows you to monitor network statistics, perform analysis, and even discover MAC flooding or ARP spoofing. To use Wireshark, you need to either start a packet capture or open a saved pcap file.
  • Wireshark has a three-pane design: the packet list, the packet details, and the packet bytes. The packet list is a one-line-per-packet format, and the packet details and packet bytes displays the contents of each captured packet.
  • Figure 3-16 shows a sample Wireshark packet decoded from hex to binary. You should be able to identify the value at hex offset 0x23 and convert it to decimal, which is the HTTP port number. If you want something more than a GUI tool, Wireshark also offers a CLI version, called TShark. Table 3-2 lists the other command-line Wireshark tools: one reads a capture and returns statistics on that file, one edits or translates the format of capture files, one combines multiple capture files into one, and one creates a capture file from an ASCII hexdump of packets. Filtering and decoding traffic is important in a corporate environment because there is too much data to look through manually. Capture filters are used when you know in advance what you are looking for, and display filters are used after the fact.
  • Capture filters are used during the packet capturing process to reduce the amount of captured traffic. They are extremely valuable as they allow you to limit the amount of captured data viewed and to focus on a specific type of traffic. Filtering allows you to remove some trees so you have a better view of your data. For example, the ICMP filter removes clutter. Wireshark's comparison operators are very useful, and allow you to create filters showing only packets with a specific IP address. Protocol filters allow you to filter out specific protocols, such as ARP, and are used to indicate ARP cache poisoning.
  • If you are not yet comfortable creating filters, you can sort data by selecting Analyze on the Wireshark menu and then selecting Display Filters. You can use the Wireshark Display Filter dialog box to select predefined filters or even create new ones. Wireshark helps you create valid filters with its autocomplete function.
  • Figure 3-22 shows an example of autocomplete in use. Figure 3-23 shows an example of a conversation filter in use, which lets you see intercommunication between hosts on a network.
  • The TCP/IP stack is presented in a layer-by-layer review, and you examine some of the hex decode of captured packets. This section will increase your comfort level in reviewing and decoding packets, and will also come in handy as you read through the remaining chapters. The Ethernet frame is a simple structure consisting of source and destination MAC addresses, an EtherType field identifying the protocol encapsulated by the Ethernet frame, and a 4-byte trailing CRC to ensure that transmission errors are detected.
  • MAC addresses are not passed on by routers, and ARP is considered a non-routable protocol. The network layer includes Internet Protocol (IP), Internet Control Message Protocol (ICMP), and some routing protocols. IP is the foundation of the TCP/IP protocol suite. The first highlighted fields of the IP header are the version (IPv4) and header length (5). The TTL field is used as a time control mechanism to prevent the IP datagram from looping indefinitely, and the TTL is set differently by different operating systems. The protocol field is a 1-byte field that specifies the ID number of the higher-layer protocol that IP is carrying. TCP and UDP are two of the most common services used. The source and destination addresses are the last two 4-byte fields found in the IP header. They contain the sender's and receiver's IP addresses. The TCP header is more complex than the IP header because it is designed for reliable communication. The source port number identifies the program that sent the packet, and the target port number identifies the program to which the packet is to be delivered. The sequence and acknowledgement numbers are at the heart of TCP, and they ensure that all data is transferred reliably. Someone sends you 3 bytes starting at Source Sequence Number 101. You should acknowledge with the Acknowledgement Sequence Number 104, which implies that you have received all bytes up to, but not including, number 101. The flag field contains eight flags that are used to signal between the session endpoints. The 1-byte flag field contains the following: ACK, PSH, and the next byte number that you expect from them, 106. The Congestion Window Reduced value allows notification of network congestion without dropping packets, and the Urgent Pointer value is significant. The Acknowledgement Sequence Number field is significant and should be examined by the recipient. PSH signals the recipient to push all queued input to the application on the receiving side, RST resets the connection, and SYN indicates session teardown.
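The layer-by-layer walk above can be carried out in code against a captured frame. As an added example (not the book's code), this Python decoder reads the Ethernet, IPv4 and TCP fields off a constructed packet, verifies the IP header checksum, names the TCP flags, computes the acknowledgement number a receiver would send back for the 3-byte segment at sequence number 101, and confirms that the byte at hex offset 0x23 is the HTTP port; the TTL/DF/window hint at the end is the rough heuristic the chapter exercises ask for, not a real OS fingerprint. The packet bytes and addresses are constructed.

```python
"""Decode an Ethernet/IPv4/TCP packet field by field, the way the chapter walks the hex.

Added example, not the book's code. The packet bytes are constructed for the
example (a 3-byte segment from a web server at sequence number 101); the OS
hint is the rough TTL/DF/window heuristic the chapter exercises ask for.
"""
import struct

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]  # bit 0 .. bit 7

# Constructed packet: 14-byte Ethernet header, 20-byte IPv4 header, 20-byte TCP header, "abc".
SAMPLE_PACKET = bytes.fromhex(
    "00 11 22 33 44 10  00 11 22 33 44 01  08 00 "                    # dst MAC, src MAC, EtherType IPv4
    "45 00 00 2b 1c 46 40 00 40 06 0a 7d 0a 00 00 01 0a 00 00 0a "    # IPv4: len 43, DF, TTL 64, proto 6
    "00 50 d4 31 00 00 00 65 00 00 03 e8 50 18 16 d0 00 00 00 00 "    # TCP: 80->54321, seq 101, PSH+ACK
    "61 62 63"                                                         # payload "abc"
)


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def os_hint(ttl: int, df: bool, window: int) -> str:
    """Guess the sender's initial TTL (64/128/255) and label it; a heuristic, not a fingerprint."""
    initial = next(t for t in (64, 128, 255) if ttl <= t)
    label = {64: "Linux-like", 128: "Windows-like", 255: "network device or BSD-like"}[initial]
    return f"{label} (initial TTL {initial}, DF={'set' if df else 'clear'}, window {window})"


def decode(pkt: bytes) -> dict:
    """Return the header fields a packet analyst reads off an Ethernet/IPv4/TCP frame."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", pkt[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ihl = (pkt[14] & 0x0F) * 4                       # header length field, in 32-bit words
    (_vihl, _tos, total_len, _ident, flags_frag, ttl, proto, _hcs,
     src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", pkt[14:34])
    if proto != 6:
        raise ValueError("not a TCP segment")
    tcp = 14 + ihl
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", pkt[tcp:tcp + 20])
    data_off = (off_flags >> 12) * 4                 # TCP header length, in 32-bit words
    flags = off_flags & 0x00FF                       # the eight flag bits
    payload = pkt[tcp + data_off:14 + total_len]
    df = bool(flags_frag & 0x4000)                   # Don't Fragment bit
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "ip_checksum_ok": ip_checksum(pkt[14:14 + ihl]) == 0,
        "ttl": ttl, "df": df,
        "src_ip": ".".join(map(str, src_ip)), "dst_ip": ".".join(map(str, dst_ip)),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
        "flags": [name for bit, name in enumerate(TCP_FLAG_NAMES) if flags & (1 << bit)],
        "payload_len": len(payload),
        # the receiver acknowledges the next byte it expects: seq + bytes received
        "ack_expected": (seq + len(payload)) & 0xFFFFFFFF,
        "os_hint": os_hint(ttl, df, window),
    }


if __name__ == "__main__":
    for field, value in decode(SAMPLE_PACKET).items():
        print(f"{field:>15}: {value}")
```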
  • The application layer decode shows the connection to the FTP server and the returned response of Microsoft FTP Service. Tcpdump is a great network sniffer and analyzer for Linux, and WinDump offers much of the same functionality. Both applications are command-line tools, and are suitable when you need a lightweight, easy-to-install network analyzer. tcpdump allows you to capture packets from a specific interface, suppress name resolution of IPs, and suppress protocol lookups. It will also display a hexadecimal dump of the packet contents with line numbering, and capture the full length of any packets. NetworkMiner is an open-source network forensic analysis tool that can capture packets live on a network or open saved pcap files. It excels in tasks that are not as easy to complete in Wireshark, and it simplifies the process of extracting content in bulk.
  • Colasoft Capsa is an easy to use GUI-based network forensic tool for monitoring and analyzing network traffic.
  • This chapter has reviewed how sniffers are powerful tools in the hands of both hackers and security professionals, and has also introduced some defenses that can be put in place to stop unauthorized network access. This chapter provided an in-depth look at Wireshark, a powerful tool that can be used to analyze network traffic. It will help you greatly as you build and test software in your security lab. Managed switches can perform tasks such as spanning a port, port mirroring, promiscuous mode, VLAN hopping, and WinPcap.
  • Exercises in this section help you to reinforce your knowledge and understanding of this chapter. They include identifying operating systems from packets, describing security issues, and capturing broadcast traffic.
  • Figure 3-34 shows that only broadcast traffic is captured. Figure 3-35 shows that the port had not been spanned.
  • You will sniff network traffic by using tcpdump on your Kali virtual machine and by creating some traffic by connecting to an FTP server. You will then analyze the traffic using Wireshark and by adding some packet filters.
  • If the username is anonymous, the password is probably also anonymous. If the second step of the three-step handshake is successful, the TCP flags are set to SYN/ACK. 4. Create a filter that sorts out potential Linux systems. Use TTL, the Don't Fragment flag, and window size, and see if you can create a one-way data cable to monitor traffic. You will need a length of Cat5 cable, two RJ-45 connectors, and wire strippers. Solder wire 1 to wire 3 and wire 2 to wire 6 so that the transmit and receive wires are looped.
  • This chapter examines the tools, techniques, and methods used for detecting live systems. It also looks at the actual protocols and shows you how to analyze the results. Port scanning is one of the most widely used methods of service and system identification. It can not only identify ports but also provide information about the possible service running on that open port. The TCP/IP protocol stack includes Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP). Each protocol serves a distinct purpose. TCP/IP is the foundation of the Internet. It was developed by the U.S. Department of Defense in and was designed to avoid failure if one or more nodes went down. TCP/IP was designed to work in a trusted environment, but many early TCP/IP protocols are now considered insecure. A protocol analyzer can help you learn more about the TCP/IP protocols.
  • This chapter will walk you through the four layers of TCP/IP and provide a series of Wireshark .pcap files for you to analyze as you learn the material. The network access layer is at the bottom of the TCP/IP protocol stack and is responsible for physical delivery of IP packets via frames. Ethernet frames are addressed with MAC addresses, which are six bytes long and unique to the network interface card in which they are burned.
  • The first six bytes of a MAC address specify the target address, the second six bytes specify the source address, and the first three bytes specify the vendor. You can query a database to determine who manufactured the NIC or device. The Internet layer contains many different protocols, but this discussion is restricted to just three: IP, ICMP, and ARP. You should spend a few minutes reviewing IP to better understand each field's purpose and structure. The ping-of-death attack made headlines in 1996 and 1997 as an early denial-of-service (DoS) attack. The solution was to patch systems so that they correctly recognized such packets and discarded them. IPv4 addresses are laid out in dotted-decimal notation, with each octet ranging from 0 to 255.
  • Table 4-1 shows the IPv4 address ranges, including loopback addresses, private-use addresses, and experimental addresses. The IP header contains several fields worth reviewing: version, IP header identification (IPID), total length, fragment offset, time to live, protocol, header checksum, source IP address, destination IP address, IP options (optional), padding, and data.
  • IP packets are fragmented if the total length is too large for the network access layer, and the time to live (TTL) field is used to indicate if the fragment has more to follow or if it is the last in the series of fragments. The protocol field indicates the protocol that IP is carrying as a payload, and the header checksum field is followed by the source and destination IP addresses. IP can also dictate a specific path by using source routing, and is responsible for datagram fragmentation.
  • IPv6 is the newest version of IP and is the designated replacement for IPv4. It brings many improvements to modern networks, including a larger address space, no broadcast traffic, and built-in support for IPsec. ICMP, ARP, and Ping are all protocols residing at the Internet layer. ARP resolves logical to physical addresses by sending a broadcast message requesting the target's physical address, and the target replies with its own MAC address.
  • ARP replies are used to address subsequent frames, but can also be used inappropriately to corrupt the functionality of a switch. Bogus ARP responses are accepted as valid, which allows attackers to redirect traffic on a switched network. TCP enables two hosts to establish a connection and exchange data reliably. It performs a three-way handshake before data is sent, guarantees delivery of data by using sequence and acknowledgment numbers, and performs a four-step shutdown that gracefully concludes the session.
  • TCP uses the SYN and ACK flags for the three-way handshake, the RST and FIN flags for teardown, the CWR and ECE flags for congestion signalling (originally experimental), and a checksum for data integrity. UDP uses no handshaking process and is less reliable than TCP. The application layer is at the top of the TCP/IP protocol stack and is responsible for application support. Applications are mapped not by name but by their corresponding port, and there are 65,535 TCP and UDP ports, divided into three categories.
  • Telnet is a TCP service that operates on port 23 and enables a client at one site to establish a session with a host at another site. Telnet sends usernames and passwords in cleartext, so it should be configured to require usernames and passwords. Simple Mail Transfer Protocol (SMTP) is a TCP service that operates on port 25, and the Domain Name System (DNS) is an application that operates on port 53, and converts fully qualified domain names (FQDNs) into numeric IP addresses, or IP addresses into FQDNs.
  • Hackers can target DNS attacks, such as DNS cache poisoning, denial-of-service attacks, and unauthorized zone transfers. DNS uses UDP for queries and TCP for zone transfers. Trivial File Transfer Protocol (TFTP) is a connectionless version of FTP that uses UDP to cut down on overhead and requires no authentication. It is used by hackers to move router configuration files. Hypertext Transfer Protocol (HTTP) is a TCP service that operates on port 80 and uses a request-response protocol. Attacks can target a server, browser, or scripts that run on a browser. Simple Network Management Protocol (SNMP) is a UDP service that operates on ports 161 and 162. It allows agents to gather information, including network statistics, and report back to their management stations.
  • ICMP messages are used to report errors in TCP/IP, but an attacker can also use ICMP to identify live systems and perform some basic enumeration. ICMP messages are treated as normal traffic, and cannot be sent in response to other ICMP messages. ICMP echo (ping) is the most common ICMP message type. It can be used to identify a live system by sending an echo request and waiting for the ICMP echo reply.
  • Ping is found on just about every system running TCP/IP. It can be used to identify active machines and enumerate live hosts, but has some disadvantages, such as being filtered, disabled, or blocked by a firewall.
  • A firewalled host is pinged with 32 bytes of data and receives 4 response packets: Sent = 4, Received = 0, Lost = 4 (100% loss). Ping can sometimes be used to identify active machines and measure the speed at which packets are moved from one host to another. Ping packets can also be used to identify the type of system that you are communicating with.
  • Using ping for identification does have its drawbacks. It does not identify which services are running, and most network administrators no longer allow ping to pass the border device. An attacker can identify an active system if it has unneeded services and applications open. You can mitigate these risks by disabling unneeded services and applications and observing what an attacker can detect as open on any specific system. Traceroute is a command-line utility that can be used to determine the path taken by a data packet as it travels from a source to its destination. It can also be used by attackers to enumerate a path.
  • Suppose a traceroute shows your packets reaching New York by way of China: that indicates your traffic is being redir­ected, possibly because an attacker has manipulated BGP routing. Traceroute identifies the number of networks, hops, devices, and locations between you and the destination host. It works by using the TTL field in the IP header, sending probes whose TTL starts at one and increases by one for each hop.
  • Windows tracert first sends a packet with a TTL of 1. The first router decrements the TTL to 0, discards the packet, and returns an ICMP Time-to-live exceeded in transit message to the original source. The next probe is sent with a TTL of 2, so it survives the first router and expires at the second, which sends its own Time Exceeded message, and so on until the destination itself answers.
  • Windows tracert sends three probes per hop and reports the round-trip time of each, for example 11 ms, 10 ms, and 12 ms. The DNS names returned for each hop often reveal the location of the routers the packets pass through. IATA airport codes are easy to recognize if you have ever flown, and CLLI codes, used within the North American telecommunications industry to indicate a location, are also easy to figure out.
  • A traceroute can reveal the type of device and interface your connection passes through, such as a Juniper Ethernet bundle in slot 2, port 52, or a Cisco SONET link. You may be able to pick out the core routers by looking for abbreviations such as core and backbone in the hop names.
  • A traceroute provides useful information to a network defender as well as to attackers attempting to enumerate your infrastructure. TCP and UDP port scanning probes a server or host for open ports. The TCP flag field carries six classic flags (URG, ACK, PSH, RST, SYN, FIN), plus CWR and ECE for explicit congestion notification; among other things they signal urgent data (URG), data to be pushed without waiting for buffers to fill (PSH), and the abrupt abort of a session (RST).
  • TCP uses a three-way handshake (SYN, SYN/ACK, ACK) to establish a session, sequence and acknowledgment numbers to maintain it, and a FIN exchange to end it. An attacker can manipulate these mechanisms to coax a server into responding or to try to evade an intrusion detection system (IDS).
  • A TCP Full Connect scan completes the handshake and is the most reliable, but also the most detectable, type of scan. A TCP SYN scan is half-open: the scanner sends a SYN, reads the SYN/ACK or RST, and then resets rather than completing the connection. A TCP FIN scan jumps straight to the shutdown flag; a closed port replies with a RST and an open port stays silent, which works only on stacks that follow RFC 793 (typically Unix; Windows answers with a RST either way). A TCP ACK scan sends only ACKs to map firewall rule sets and tell stateful filters from stateless ones, and a TCP Xmas scan sets FIN, PSH, and URG together; neither works against all systems. It is best to start with the basic scan types, Full Connect and SYN.
  • A UDP scan differs from a TCP scan because UDP has no flags and an open UDP service usually sends no response at all. If the port is closed, the target sends an ICMP Type 3 Code 3 (Port Unreachable) message, but if the network is blocking ICMP no error message is returned and the port looks open or filtered. In 2000, a dispute between two contractors over the legality of port scanning ended up in federal court; the judge ruled that port scanning by itself was not a crime as long as it did not cause damage, but you should still get written permission before scanning a network.
  • A typical abuse notice reads: Time Warner has received indications that a machine connected to the cable modem on your Road Runner internet connection is port scanning. This violates the Time Warner Acceptable Use Policy. Advanced port-scanning techniques are like the tools of any other trade; you use each for a specific job, much as you would reach for a specialized tool to fix a particular car problem. An FTP bounce scan abuses the FTP PORT command so that the FTP server, not the attacker, connects to ports on a third host, which makes the scan harder to trace. An RPC scan sends SunRPC null commands to open ports to identify which RPC programs are listening. A window scan uses the TCP window size in RST replies to tell open ports from closed ones. An idle scan uses a truly idle host to bounce packets off, so the victim never sees the attacker's address.
  • Nmap is probably your best option for performing an idle scan; against a single host the scan finishes in seconds, reporting 1 IP address (1 host up) scanned. The scan rests on three properties: a TCP connection must complete a handshake before data flows, an unsolicited SYN/ACK is answered with a RST, and a RST is never replied to. Combining these with predictable IPID behavior on the idle host makes it possible to scan a port without ever sending the victim a packet from the attacker's own address.
  • The idle scan works in two steps, identify the IPID and then scan the port. Step 1: the attacker sends an IPID probe (a SYN/ACK) to the idle host, which answers with a RST; the attacker records the IPID in that reply. Step 2: the attacker sends a SYN to the victim's port but spoofs the source address so it appears to come from the idle host.
  • The attacker then probes the idle host again and examines the response. If the victim's port was open, the victim sent a SYN/ACK to the idle host, which answered with a RST of its own, so the idle host's IPID has advanced by two. If the port was closed (or the probe was filtered), the victim sent a RST or nothing, the idle host sent nothing, and the IPID has advanced by only one, the increment for the probe response itself. An idle scan is limited by the fact that the system chosen as the idle host must truly be idle (any other traffic inflates the count), and not all operating systems use a sequentially incrementing IPID. Finally, the results must be checked to make sure the attacker's conclusions are valid.
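The idle scan described above, as an added example (not from the book): a self-contained Python simulation in which the zombie, the victim, and the attacker's three steps are constructed models, so the IPID bookkeeping can be traced without a network. The class and function names are the example's own.

```python
"""Idle (zombie) scan simulated offline. Added example; the hosts are constructed models."""


class IdleHost:
    """The zombie: a stack whose IP ID counter goes up by one for every packet it sends."""

    def __init__(self, ipid=1000):
        self.ipid = ipid

    def _emit(self):
        self.ipid = (self.ipid + 1) & 0xFFFF
        return self.ipid

    def receive(self, flags):
        # An unsolicited SYN/ACK is answered with a RST (one packet sent, IP ID +1);
        # a RST is never answered, so the counter does not move.
        if flags == "SYN/ACK":
            return ("RST", self._emit())
        return None

    def background_traffic(self, packets):
        """Anything else the 'idle' host sends also consumes IP IDs (the scan's weak point)."""
        for _ in range(packets):
            self._emit()


class Victim:
    """Target stack: SYN to an open port -> SYN/ACK, SYN to a closed port -> RST, filtered -> nothing."""

    def __init__(self, open_ports, filtered_ports=()):
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def receive_syn(self, port):
        if port in self.filtered_ports:
            return None
        return "SYN/ACK" if port in self.open_ports else "RST"


def idle_scan(zombie, victim, port, zombie_noise=0):
    """Scan one port of `victim` using `zombie`'s IP ID as the side channel.

    Returns 'open', 'closed|filtered', or 'unreliable' when the zombie was not idle.
    """
    # Step 1: probe the zombie from the attacker's real address and record its IP ID.
    _, ipid_before = zombie.receive("SYN/ACK")

    # Step 2: SYN to the victim, source address spoofed as the zombie. The victim's reply
    # (if any) goes to the zombie, which RSTs a SYN/ACK and ignores a RST.
    reply_to_zombie = victim.receive_syn(port)
    if reply_to_zombie is not None:
        zombie.receive(reply_to_zombie)

    zombie.background_traffic(zombie_noise)   # other traffic, if the zombie is not really idle

    # Step 3: probe the zombie again and compare the two IP IDs.
    _, ipid_after = zombie.receive("SYN/ACK")
    delta = (ipid_after - ipid_before) & 0xFFFF
    if delta == 2:
        return "open"             # +1 for the zombie's RST to the victim, +1 for our probe reply
    if delta == 1:
        return "closed|filtered"  # only our own probe reply moved the counter
    return "unreliable"           # extra increments: the zombie talked to someone else meanwhile


def scan_ports(zombie, victim, ports, zombie_noise=0):
    return {p: idle_scan(zombie, victim, p, zombie_noise) for p in ports}


if __name__ == "__main__":
    z = IdleHost()
    v = Victim(open_ports={80, 443}, filtered_ports={25})
    print(scan_ports(z, v, [22, 25, 80, 443]))
    print(scan_ports(z, v, [22], zombie_noise=3))
```

Note that a filtered port is indistinguishable from a closed one here, exactly as in a real idle scan, and that the `zombie_noise` path shows why Nmap insists on a quiet zombie: a single extra packet from the zombie turns an "open" into an unreadable result.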
  • This section looks at how to analyze port scans, including the two most basic types, TCP Full Connect and TCP Stealth (SYN), along with the variations and results you can expect from them. In this lab, you will use Wireshark to dissect the results of a port scan. In the first capture the host is up but the port is closed: the SYN is answered with a RST/ACK.
  • The Wireshark conversation statistics show four packets between the two hosts, which indicates a successful full connect scan of port 80: SYN, SYN/ACK, ACK, and then the teardown.
  • Nmap is a well-known port scanner that can perform many types of scans, including the idle scan discussed in the previous section, as well as operating system identification. It can use decoys and lets you control the timing of the scan, from very slow to very fast. Nmap is a network-mapping tool with a command-line interface (CLI) and readily available documentation. It is considered one of the best port-scanning tools, and you can expect a large number of the port scans you analyze to have been performed with it.
  • Nmap is a network scanner that uses TCP/IP fingerprinting to guess the remote operating system, can scan a range of ports, and can write normal, XML, or grepable scan logs to a file. It performs a variety of network tricks and can scan an entire network. You will now look at scanning individual hosts on a network (for example, port scanning).
  • nmap -v runs a verbose scan of a single host, a range of IP addresses, or selected ports on a given host; its output is used to detect live systems and analyze the results.
  • A sweep of 51 IP addresses reported 2 hosts up and completed in 12 seconds. SuperScan is a free Windows GUI-based port scanner that performs ping sweeps and can scan all ports, use a built-in list of defined ports, or scan a range you specify. THC-Amap is a Linux-based application mapper that identifies which application is actually listening on a port, whatever the port number, which overcomes a limitation of earlier scanners that trusted well-known port assignments. A port scan places the attacker one step closer to a successful attack: the attacker can now identify an active service and probably the version of the application running. Run SuperScan from your Windows-based VM and enter the IP address of your DVL VM; you should get some results from your port scan. Passive OS fingerprinting monitors network traffic for signs of an operating system; you can reduce what it reveals by turning off services that are not needed or changing banners so that incorrect information is returned to the attacker.
  • Passive fingerprinting examines packets as they go by and looks for characteristics that point to the OS. Active fingerprinting sends probes or triggers to a target and analyzes the responses. The IP TTL value, the TCP window size, the IP DF (don't fragment) bit, and the IP TOS field can all be used to passively fingerprint an operating system. The Linux-based tool p0f attempts to passively fingerprint all incoming connections.
  • p0f is a passive OS fingerprinting utility that listens to the SYN and SYN/ACK segments of TCP session startup, so it can identify the system that initiates a connection as well as the system being connected to. Active stack fingerprinting examines the subtle differences between vendors' implementations of the TCP/IP stack to determine the OS version. Fyodor Yarochkin has contributed to the body of knowledge about how active fingerprinting works. Typical probes include a FIN sent to an open port, with the response recorded, and a bogus flag probe, a SYN with an undefined TCP flag bit set.
  • ISN and IPID sampling are also used to fingerprint the OS: some systems increment these values randomly, while others increment by a fixed amount. Operating systems use characteristic sizes for their TCP initial window and characteristic ACK values, which can be matched against a database to identify the OS. Nmap OS fingerprinting sends up to 16 TCP, UDP, and ICMP probes to known open and closed ports of the target machine and examines fields such as Type of Service (TOS) in the responses; the IP ID of each probe is chosen deliberately (the UDP probe uses a fixed value) so that the IP ID echoed back in ICMP errors can be checked.
  • Nmap's UDP probe sends a packet to a closed UDP port with the character C (0x43) repeated 300 times in the data field and an IP ID value of 0x1042, then examines the ICMP Port Unreachable reply. Nmap tests for explicit congestion notification (ECN) support with a SYN packet that has the ECN-related CWR and ECE flags set, an urgent pointer value of 0xF7F5 even though URG is not set, an acknowledgment number of zero, and a window size of 3.
  • Six further tests, T2 through T7, help determine the OS: T2 sends a TCP null packet (no flags set) to an open port, T3 sends SYN, FIN, URG, and PSH together to an open port, T4 sends an ACK to an open port, T5 sends a SYN to a closed port, T6 sends an ACK to a closed port, and T7 sends FIN, PSH, and URG to a closed port. OS fingerprinting tells an attacker exactly which operating system the targeted computer is running. You can reduce this exposure by blocking all unneeded traffic at the firewall.
  • A defensive technique called port knocking hinders active fingerprinting by requiring anyone who wants to use a particular service to first send connection attempts to a specific sequence of ports; only then is the service port opened for that client. This does not harden the underlying application, but it does make active fingerprinting more difficult for the attacker. A second line of defense is intrusion detection, which can be host based or network based; Snort is a great intrusion detection tool for anyone wanting to learn more about IDS. Packet filters are the most basic form of firewall and are configured through access control lists (ACLs). ACLs permit or block traffic based on header information and can also log specific types of activity.
  • ACLs can restrict traffic on a given interface based on several factors, including source IP address, destination IP address, protocol, TCP flags, and direction. Although packet filters provide a good first level of protection, they cannot inspect the payload of a packet and do not keep track of connection state. ACLs are the best place to start building border security and should be the starting point for dictating what will be filtered.
  • A simple pair of ACLs, an ingress filter that drops packets arriving from outside with internal or reserved source addresses and an egress filter that only lets packets with your own source addresses leave, makes your network much more resistant to address spoofing and is easy to implement. If you have a router in your network security lab, try spoofing through it with and without these ACLs. To block fingerprinting attacks, step 1 is to block at the border all traffic that has no business entering your network. Step 2 is to enable the local host firewall, which will reject most service requests and drop ping requests. Step 3 is to turn off unneeded services, and step 4 is to make sure that systems have the most current patches.
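The ingress/egress ACL idea above, worked through as an added example that is not from the book: a small first-match ACL evaluator with the implicit deny at the end, applied to constructed border traffic. The address plan (192.168.1.0/24 inside), the rule helper, and the sample packets are assumptions of the example; the reserved ranges are the usual private, loopback, link-local, and multicast blocks.

```python
"""First-match ACL evaluation with anti-spoofing ingress/egress lists. Added example; the
address plan and the traffic sample are constructed for the lab."""
import ipaddress

INSIDE = "192.168.1.0/24"                      # assumption: the lab's internal network
PRIVATE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
NEVER_FROM_OUTSIDE = ["0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4"]


def rule(action, src="any", dst="any", proto="ip", log=False):
    """One ACL entry, like 'deny ip 10.0.0.0 0.255.255.255 any log' in Cisco IOS syntax."""
    return {"action": action, "src": src, "dst": dst, "proto": proto, "log": log}


def _in(net, addr):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def evaluate(acl, pkt, log):
    """Entries are tested top to bottom; the first match wins; no match means the implicit deny."""
    for r in acl:
        if r["proto"] in ("ip", pkt["proto"]) and _in(r["src"], pkt["src"]) and _in(r["dst"], pkt["dst"]):
            if r["log"]:
                log.append("%s %s %s -> %s" % (r["action"], pkt["proto"], pkt["src"], pkt["dst"]))
            return r["action"]
    return "deny"


# Ingress (applied inbound on the outside interface): nothing arriving from the Internet may
# claim a private, loopback, link-local, multicast or (because it is inside PRIVATE) our own source.
INGRESS = [rule("deny", src=n, log=True) for n in PRIVATE + NEVER_FROM_OUTSIDE] + [rule("permit")]

# Egress (applied to traffic leaving for the Internet): only our own addresses may leave, so a
# compromised inside host cannot spoof someone else's source address.
EGRESS = [rule("permit", src=INSIDE), rule("deny", log=True)]


def filter_traffic(packets):
    log, verdicts = [], []
    for direction, pkt in packets:
        acl = INGRESS if direction == "in" else EGRESS
        verdicts.append(evaluate(acl, pkt, log))
    return verdicts, log


SAMPLE = [   # constructed packets at the border router
    ("in",  {"src": "203.0.113.7",  "dst": "192.168.1.10", "proto": "tcp"}),  # ordinary inbound
    ("in",  {"src": "192.168.1.50", "dst": "192.168.1.10", "proto": "tcp"}),  # spoofed inside address from outside
    ("in",  {"src": "127.0.0.1",    "dst": "192.168.1.10", "proto": "udp"}),  # loopback: never legitimate on the wire
    ("out", {"src": "192.168.1.20", "dst": "198.51.100.9", "proto": "tcp"}),  # ordinary outbound
    ("out", {"src": "10.9.9.9",     "dst": "198.51.100.9", "proto": "tcp"}),  # inside host spoofing a foreign source
]

if __name__ == "__main__":
    verdicts, entries = filter_traffic(SAMPLE)
    print(verdicts)
    print("\n".join(entries))
```

The empty list returning "deny" is the least-privilege default the chapter summary refers to: nothing is allowed until a rule says so, and the log entries on the deny rules are what you would feed to the IDS.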
  • This chapter has shown you how to use Wireshark to analyze port scans and detect live systems. Port scanning is an important part of evaluating how secure your network is. The chapter introduced traceroute, discussed the basic types of ICMP packets, and took an in-depth look at how these tools perform their specific functions. Having this knowledge makes you a stronger security engineer, because you can better apply specific tools to specific situations. ICMP is the message type TCP/IP uses for diagnostics and error control. IPsec can be used to secure TCP/IP traffic. Port knocking requires users to hit ports in a certain order before a service will accept their connection. Port scanning is used to identify listening services.
  • The principle of least privilege applied to the network infrastructure means first denying all access and then allowing it only on a case-by-case basis. The exercises in this section reinforce the chapter with hands-on experience. The tools and utilities used are easily obtainable and include Wireshark, which is included in Kali or can be downloaded for Windows.
  • Figure 4-27 shows the layout of the hex dump, and Figure 4-28 shows an example of the format of an Ethernet type II frame. Figure 4-29 shows the packet decode of the first packet.
  • A security professional should be able to decode or assess packets and frames in a packet capture program such as Wireshark. Use Figure 4-31 to answer the questions in step 3 about the TCP flags.
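As an added example serving both the scan-analysis lab (the closed-port and full-connect captures) and this decoding exercise, here is the dissection done by hand in Python rather than in Wireshark: a decoder for Ethernet II, IPv4, and TCP headers, plus a classifier that reads the same evidence Wireshark shows (SYN, SYN/ACK or RST/ACK, then ACK or RST) and labels each probed port. This is not the book's code; the capture is constructed with a helper in the block (checksums left at zero), not taken from the figures.

```python
"""Decode Ethernet/IPv4/TCP frames and classify a port scan from them. Added example;
the capture below is constructed, not the book's figure data."""
import struct

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def build_frame(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0):
    """Constructed Ethernet II + IPv4 + TCP frame. Checksums are left at zero: fine for
    offline dissection, never for sending (a real stack would drop them)."""
    eth = bytes.fromhex("000c29112233") + bytes.fromhex("005056aabbcc") + struct.pack("!H", 0x0800)
    flag_byte = 0
    for f in flags:
        flag_byte |= FLAG_BITS[f]
    # sport, dport, seq, ack, data offset (5 words) << 4, flags, window, checksum, urgent ptr
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flag_byte, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")), bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp


def parse_frame(raw):
    """Walk the layers the way Wireshark's packet-details pane does."""
    if struct.unpack("!H", raw[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:]
    sport, dport, seq, ack, _, flag_byte = struct.unpack("!HHIIBB", tcp[:14])
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "ttl": ip[8], "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": {n for n, bit in FLAG_BITS.items() if flag_byte & bit}}


def classify_scan(frames):
    """For every bare SYN in the capture, find the target's reply and the scanner's follow-up."""
    pkts = [parse_frame(f) for f in frames]
    results = {}
    for i, p in enumerate(pkts):
        if p["flags"] != {"SYN"}:
            continue
        later = pkts[i + 1:]
        reply = next((q for q in later if (q["src"], q["sport"], q["dst"], q["dport"])
                      == (p["dst"], p["dport"], p["src"], p["sport"])), None)
        key = (p["dst"], p["dport"])
        if reply is None:
            results[key] = "filtered (no response)"
        elif reply["flags"] == {"SYN", "ACK"}:
            follow = next((q for q in later if (q["src"], q["sport"], q["dst"], q["dport"])
                           == (p["src"], p["sport"], p["dst"], p["dport"])), None)
            if follow and "ACK" in follow["flags"] and "RST" not in follow["flags"]:
                results[key] = "open (full connect: handshake completed)"
            else:
                results[key] = "open (half-open: scanner reset before completing)"
        elif "RST" in reply["flags"]:
            results[key] = "closed (RST)"
        else:
            results[key] = "unexpected reply: " + "/".join(sorted(reply["flags"]))
    return results


SAMPLE_CAPTURE = [  # constructed: 10.0.0.5 scans 10.0.0.9
    build_frame("10.0.0.5", "10.0.0.9", 40001, 80, ["SYN"], seq=100),
    build_frame("10.0.0.9", "10.0.0.5", 80, 40001, ["SYN", "ACK"], seq=500, ack=101),
    build_frame("10.0.0.5", "10.0.0.9", 40001, 80, ["ACK"], seq=101, ack=501),
    build_frame("10.0.0.5", "10.0.0.9", 40001, 80, ["RST", "ACK"], seq=101, ack=501),
    build_frame("10.0.0.5", "10.0.0.9", 40002, 443, ["SYN"], seq=200),
    build_frame("10.0.0.9", "10.0.0.5", 443, 40002, ["SYN", "ACK"], seq=600, ack=201),
    build_frame("10.0.0.5", "10.0.0.9", 40002, 443, ["RST"], seq=201),
    build_frame("10.0.0.5", "10.0.0.9", 40003, 23, ["SYN"], seq=300),
    build_frame("10.0.0.9", "10.0.0.5", 23, 40003, ["RST", "ACK"], seq=0, ack=301),
    build_frame("10.0.0.5", "10.0.0.9", 40004, 161, ["SYN"], seq=400),
]

if __name__ == "__main__":
    for f in SAMPLE_CAPTURE:
        p = parse_frame(f)
        print(p["src"], p["sport"], "->", p["dst"], p["dport"], sorted(p["flags"]))
    print(classify_scan(SAMPLE_CAPTURE))
```

Port 80 shows the four-packet full connect from the lab, 443 the half-open SYN scan, 23 the closed-port RST/ACK, and 161 a SYN that was never answered, which is what a filtered port looks like in a capture.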
  • You can run Nmap from the included Kali ISO or download it to run on a Windows computer. Type nmap -h to see the options, then scan an IP address that is within your network and that you have permission to scan.
  • Nmap can be used to detect live systems and analyze results: the -sU option performs a UDP scan, while -sT performs a full-connect TCP scan. Traceroute is used to find the path to a destination network and can reveal the type of equipment, ports, or other attributes of each hop.
  • The results are shown in Figure 4-34. You can use any OS you have available, Windows or Linux, for this port-scanning exercise.
  • Enumeration is the process of extracting details about systems and services (accounts, shares, versions, configurations) to find ways to further exploit the network or to set up a plan of attack. It can be performed against many types of systems and services, including routers and firewalls, Microsoft Windows, and any open port.
  • You will use the following techniques when enumerating a system, application, or hardware appliance, and you should be aware that some security flaws allow exploitation without any further enumeration of the device. Routers use routing protocols to help packets find the best path to a target network: they examine a packet's destination IP address and consult their routing table to decide where to forward it. The router chooses the path with the best (lowest) metric, which, depending on the protocol, may be computed from bandwidth and several other factors.
  • A routing protocol calculates the best path to a destination by considering factors such as delay, distance (hop count), load, and reliability. Routing protocols are how one network learns how to reach another. Attackers can use these protocols to obtain information about a network, including its addressing and topology, its owner and location, interesting hosts that may be attacked, and its routing policies and rules.
  • The Routing Information Protocol (RIP) is one of the most commonly encountered routing protocols and has been around for many years. From a security perspective, however, RIP is problematic: it is neither sophisticated nor high-security, and RIPv1 has no authentication at all. An attacker can use Wireshark to sniff the network for RIP packets and then, with a packet-crafting tool, send bogus routing updates to a target and to each gateway along the route. This lets the attacker intercept packets, inspect them, and forward them on to the next hop. RIP is not the only routing protocol you may find during enumeration; IGRP is a Cisco proprietary protocol whose metric is built from bandwidth and delay.
  • There are two ways to find out whether Open Shortest Path First (OSPF) is running on a network: querying the routers with SNMP or sniffing for OSPF traffic with Wireshark. If OSPF authentication is turned off, you can freely inject your own OSPF packets into the network and cause a variety of problems. Enumerating and identifying routers helps an attacker search for known vulnerabilities; the Exploit Database is a good place to start, and the Google Hacking section can also be useful.
  • A Cisco IOS configuration listing appeared here (ip subnet-zero, ip tcp intercept list, and several ip name-server entries, with the addresses not reproduced). Depending on the type of encrypted password you find in such a listing, it may be easily decoded: type 7 passwords use a reversible XOR scheme with a fixed key and can be recovered instantly, whereas enable secret 5 passwords are salted MD5-based hashes and are not trivial to recover; they have to be cracked offline.
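What "easily decoded" means for a type 7 password, as an added example that is not the book's code: the IOS type 7 scheme is a XOR against a fixed, publicly known key, so a decoder needs no secret at all. The block also audits a constructed config fragment and flags which credential lines are reversible and which are real hashes. The config text, the type 5 placeholder line (not a real hash), and the function names are the example's own; the key string and the 0822455D0A16 / cisco pair are the long-published IOS values.

```python
"""Cisco type 7 password recovery and a small config audit. Added example; the config
text is constructed (the type 5 line is a placeholder, not a real hash)."""
import re

XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"   # the fixed key every IOS image uses


def type7_decrypt(encoded):
    """'password 7' strings are two decimal digits (key offset) followed by hex bytes,
    each XORed with successive characters of XLAT. No secret is involved, so this is decoding."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    offset = int(encoded[:2], 10)
    chars = []
    for i in range(2, len(encoded), 2):
        key = XLAT[(offset + (i - 2) // 2) % len(XLAT)]
        chars.append(chr(int(encoded[i:i + 2], 16) ^ ord(key)))
    return "".join(chars)


def type7_encrypt(plain, offset=8):
    if not 0 <= offset <= 15:
        raise ValueError("IOS uses offsets 0..15")
    out = "%02d" % offset
    for n, ch in enumerate(plain):
        out += "%02X" % (ord(ch) ^ ord(XLAT[(offset + n) % len(XLAT)]))
    return out


PASSWORD_LINE = re.compile(r"\b(password|secret)\s+(\d)\s+(\S+)")


def audit_config(config_text):
    """Return (line, verdict, recovered cleartext or None) for every credential line."""
    findings = []
    for line in config_text.splitlines():
        m = PASSWORD_LINE.search(line)
        if not m:
            continue
        ptype, value = m.group(2), m.group(3)
        if ptype == "7":
            findings.append((line.strip(), "type 7: reversible, recovered instantly", type7_decrypt(value)))
        elif ptype == "5":
            findings.append((line.strip(), "type 5: salted MD5 (md5crypt), offline cracking only", None))
        elif ptype == "0":
            findings.append((line.strip(), "type 0: stored in cleartext", value))
        else:
            findings.append((line.strip(), "type %s: other hash type" % ptype, None))
    return findings


SAMPLE_CONFIG = """\
hostname lab-rtr
enable secret 5 $1$placeholder$notarealhashvalue00000000
username admin password 7 0822455D0A16
line vty 0 4
 password 7 020A0559
 login
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run against a real config pulled over TFTP or SNMP, the audit shows why "service password-encryption" protects only against shoulder surfing: everything marked type 7 comes back in cleartext, while the enable secret is the one line that still needs a cracking tool.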
  • You can enumerate firewalls by port scanning, by banner grabbing, or by looking at the ports they listen on; the listening ports alone can help you identify the type of firewall an organization is using. The best-known enumeration method is banner grabbing, done by telnetting to the IP address and specifying the port. It can yield a wealth of information about a system or device.
  • Not every firewall returns a banner, but some display a series of numbers when you connect to TCP 257, a Check Point FireWall-1 port. If the device is a Cisco router, telnetting to one of its five default virtual terminal lines may provide additional identifying details. Traceroute can also be used for enumeration; on Linux the -I option uses ICMP echo probes instead of UDP, which often gets through filters that block the UDP probes.
  • Hping is a packet-crafting tool that can be used to find firewalls and identify internal clients. It can send ICMP and UDP as well as TCP, and can verify whether a host is up even when ICMP is being blocked. Firewalking is a method of enumerating edge devices that crafts packets with a TTL set to expire one hop past the firewall. It requires the IP address of the last known gateway before the firewall and the address of a host located behind it. In the first phase, Firewalk sends packets with TTL=1, 2, 3, and so on until the responses show it has reached the gateway (say, router 3). In the second phase it sends TCP or UDP packets to the ports of interest with TTL=4: if the firewall allows a port through, the packet expires at the next hop and an ICMP Time Exceeded message comes back; if the firewall blocks the port, nothing returns. Exactly what comes back varies with the firewall and how it is configured. Nmap can likewise identify filtered ports on a firewall: a port is reported as filtered when an ICMP Type 3 Code 13 (Communication Administratively Prohibited) message is received, which is typically what routers with basic ACLs return.
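The TTL mechanism that both traceroute (earlier in the chapter) and firewalking depend on, as one added example that is not from the book: a constructed path of routers with a filtering hop, a probe function that expires packets the way routers do, and traceroute and firewalk built on top of it. The addresses, the allowed-port set on the firewall, and the function names are the example's own assumptions.

```python
"""Traceroute and firewalk over a constructed path. Added example; addresses are made up."""


class Hop:
    """A router on the path. `allow` is None for a plain router, or the set of destination
    ports a filtering device (the firewall) lets through."""

    def __init__(self, addr, allow=None):
        self.addr = addr
        self.allow = allow


def send_probe(path, dest_addr, ttl, dport):
    """Forward one probe along `path`. Returns (what came back, who sent it)."""
    for hop in path:
        ttl -= 1
        if ttl == 0:
            # The router that decrements TTL to zero discards the packet and answers
            # with ICMP Time Exceeded (type 11) from its own address.
            return ("time-exceeded", hop.addr)
        if hop.allow is not None and dport not in hop.allow:
            return ("dropped", None)   # firewall eats it silently; no TTL answer will ever come
    # Reached the destination with TTL to spare: an unused UDP port answers with
    # ICMP Port Unreachable (type 3 code 3), which is how traceroute knows it is done.
    return ("port-unreachable", dest_addr)


def traceroute(path, dest_addr, dport=33434, max_ttl=30):
    """Classic UDP traceroute: TTL 1, 2, 3 ... until the destination replies or max_ttl."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        kind, who = send_probe(path, dest_addr, ttl, dport)
        hops.append(who or "*")
        if kind == "port-unreachable":
            break
    return hops


def firewalk(path, dest_addr, gateway_addr, ports, max_ttl=30):
    """Phase 1: ramp TTL until the gateway answers, to learn its hop count n.
    Phase 2: probe each port with TTL = n + 1; a Time Exceeded from beyond the gateway
    means the firewall passed the packet, silence means it filtered it."""
    n = None
    for ttl in range(1, max_ttl + 1):
        kind, who = send_probe(path, dest_addr, ttl, 33434)
        if who == gateway_addr:
            n = ttl
            break
        if kind == "dropped":
            break
    if n is None:
        raise RuntimeError("gateway not reached; firewalk needs a reachable gateway hop")
    verdict = {}
    for port in ports:
        kind, who = send_probe(path, dest_addr, n + 1, port)
        verdict[port] = "permitted" if kind == "time-exceeded" and who != gateway_addr else "filtered"
    return verdict


# Constructed lab path: two ISP routers, a firewall that only passes 53/80/443, an inside router.
LAB_PATH = [
    Hop("10.0.0.1"),
    Hop("10.0.1.1"),
    Hop("203.0.113.1", allow={53, 80, 443}),
    Hop("192.168.0.1"),
]
LAB_TARGET = "192.168.0.50"

if __name__ == "__main__":
    print(traceroute(LAB_PATH, LAB_TARGET, max_ttl=6))   # default probe port is blocked: stars
    print(traceroute(LAB_PATH, LAB_TARGET, dport=80))    # same path on an allowed port
    print(firewalk(LAB_PATH, LAB_TARGET, "203.0.113.1", [22, 53, 80, 443, 3389]))
```

The first traceroute stops showing addresses after the firewall because the default probe port is filtered, which is exactly the symptom the -I option or a permitted destination port (second call) gets around; firewalk turns that same silence into a per-port verdict.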
  • You can block routing enumeration in several ways, including higher-end switches, Dynamic ARP Inspection, anti-sniffing measures, and promiscuous-mode detection. You can also move from RIP to OSPF or another routing protocol that supports authentication, or add signatures for active routing enumeration tools to an intrusion detection system (IDS) such as Snort. Windows operating systems are designed to let applications communicate with each other across a LAN; the NetBIOS and SMB protocols, used in conjunction with TCP/IP, provide remote access to shared directories and files.
  • Windows uses two items to keep track of a user's security rights and identity: Security Identifiers (SIDs) and Relative Identifiers (RIDs). A SID uniquely identifies a user, group, or computer account; the RID is the last component of the SID and identifies the account relative to the authority (domain or local machine) that issued it.
  • The Administrator account has a RID of 500 by default and the Guest account a RID of 501; ordinary accounts are numbered sequentially from a higher starting value, and each new user gets the next available RID, so renaming the Administrator account does not hide it. If you find NetBIOS running, you can use the built-in nbtstat command to list the NetBIOS names and services registered on a specific system. Unfortunately for the attacker, NetBIOS name enumeration and anonymous access are restricted by default on Windows Server 2008, Windows 8, and subsequent versions of Microsoft operating systems.
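As an added example (not from the book), the SID/RID structure in code: a converter between the binary SID layout Windows stores and the S-1-5-... string form enumeration tools print, a classifier for the well-known RIDs, and the trick the text alludes to, finding the real Administrator by RID 500 no matter what it has been renamed to. The SIDs and account names are constructed; the well-known RID table and the 1000 starting point for user-created accounts are standard Windows values.

```python
"""Windows SID parsing and RID classification. Added example; the SIDs below are constructed."""
import struct

# RIDs that are fixed regardless of the account's display name (a renamed Administrator
# still has RID 500, which is exactly what enumeration tools look for).
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins",
}
FIRST_USER_RID = 1000   # Windows hands out RIDs for user-created accounts starting here


def sid_from_bytes(blob):
    """Binary SID: revision(1) | sub-authority count(1) | authority(6, big-endian)
    | sub-authorities (4 bytes each, little-endian)."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sid_to_bytes(sid):
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(x) for x in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_sid(sid):
    """(issuing authority part, RID). The RID is the final sub-authority."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def classify(sid):
    domain, rid = split_sid(sid)
    if rid in WELL_KNOWN_RIDS:
        label = WELL_KNOWN_RIDS[rid]
    elif rid >= FIRST_USER_RID:
        label = "user-created account"
    else:
        label = "built-in/reserved RID"
    return {"domain": domain, "rid": rid, "label": label}


def find_real_admin(accounts):
    """Given enumerated (name, SID) pairs, return the name whose RID is 500, whatever it is called."""
    for name, sid in accounts:
        if split_sid(sid)[1] == 500:
            return name
    return None


# Constructed enumeration output: the Administrator account has been renamed to 'helpdesk'.
ENUMERATED = [
    ("helpdesk", "S-1-5-21-1004336348-1177238915-682003330-500"),
    ("Guest", "S-1-5-21-1004336348-1177238915-682003330-501"),
    ("jsmith", "S-1-5-21-1004336348-1177238915-682003330-1001"),
]

if __name__ == "__main__":
    for name, sid in ENUMERATED:
        print(name, classify(sid))
    print("real admin:", find_real_admin(ENUMERATED))
    print(sid_to_bytes("S-1-5-32-544").hex())   # BUILTIN\Administrators in binary form
```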
  • SMB makes it possible to share files and folders with other users, and the IPC$ share is present by default on Windows systems. Samba provides the same services on Linux, but older Windows systems remain the primary targets of these weaknesses. The most basic connection possible to IPC$ is the NULL, or anonymous, session. You can use the net command to query a domain group, or take a closer look at any one system with net view \\system_name.
  • You will exploit IPC$ to enumerate user details, account information, weak passwords, and so forth, setting up the null session manually with the net use command. Remember the basics from your first Microsoft certification, such as the $ syntax: the $ marks a hidden share, and IPC$, if reachable anonymously, can provide usernames, SIDs, RIDs, account comments, and account policies. Newer operating systems are not vulnerable to the null session attack by default. Either way, practice the principle of least privilege by blocking the ports and disabling unnecessary services.
  • Enumerating Linux/Unix systems can likewise give an attacker enough information to launch an attack. NTP, the protocol that synchronizes the clocks of networked computers, is one of the services that can be queried for information.
  • Tools such as rpcclient (for Samba/SMB), showmount (NFS exports), finger, and rpcinfo let an attacker enumerate usernames and find out a user's home directory, login time, idle time, office location, and the last time mail was received and read. Enum4linux enumerates information from Windows and Samba systems. These tools all work against protocols at the application layer. SNMP is an application layer protocol (OSI Layer 7) created in 1988 to meet the need for a simple network management tool, and attackers are interested in it for the same reason network managers are: it describes how the different components of a network fit together, how they are implemented at the lower layers, and how the devices interact. SNMP is part of a larger framework known as the Internet Standard Network Management Framework. It uses two components, the manager and the agent, and organizes the information it exposes in a tree structure called a Management Information Base (MIB).
  • SNMP version 1 is a cleartext protocol that provides only limited security through community strings (a read string and a write string). Version 3 adds authentication and encryption, although the earlier versions are still widely used. An attacker may try the default community strings, sniff community strings off the wire, or use enumerated usernames to gain access to many organizations' systems, and SNMP exposure alone can provide enough information to attack the network successfully. SNMPUtil is a command-line SNMP enumeration tool, while SNScan and SolarWinds IP Network Browser are GUI-based network-discovery tools.
  • SNMP fits into the enumeration process as follows: the attacker port scans for UDP 161, connects to SNMP-enabled devices using default or sniffed community strings, pulls device and configuration details with the read string, and, if the write string is known, can change the device's configuration. The best defense against SNMP enumeration is to turn SNMP off if it is not needed; where it is needed, weigh the operational need for access against the need for security. In the lab, you can learn more about how SNMP is exposed by turning it on and querying it yourself.
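To make "cleartext community strings" concrete, here is an added example that is not the book's code: an SNMPv1 GetRequest for sysDescr.0 built by hand with BER encoding (no SNMP library), followed by a decoder that pulls the version, community string, and requested OIDs back out of the datagram exactly as a sniffer on the path would. The community string "public" and the helper names are assumptions of the example; the packet layout is the SNMPv1 message structure.

```python
"""SNMPv1 GetRequest built by hand (BER), then read back the way a sniffer would. Added
example; it uses no SNMP library, and the community string is an assumption."""


def ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(v):
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def ber_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:                       # base-128, high bit set on all but the last byte
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def snmpv1_get(community, oid, request_id=1):
    """SNMPv1 message: SEQUENCE { version 0, community, GetRequest[0] { id, 0, 0, varbinds } }"""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))                 # { OID, NULL }
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def sniff_community(datagram):
    """What anyone on the path sees in an SNMPv1/v2c datagram: version, community, requested OIDs."""
    tag, msg, _ = read_tlv(datagram)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = read_tlv(msg)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    p = 0
    for _ in range(3):                        # request-id, error-status, error-index
        _, _, p = read_tlv(pdu, p)
    _, varbinds, _ = read_tlv(pdu, p)
    oids, q = [], 0
    while q < len(varbinds):
        _, vb, q = read_tlv(varbinds, q)
        _, oid_body, _ = read_tlv(vb)
        oids.append(decode_oid(oid_body))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community.decode(), "pdu": pdu_tag, "oids": oids}


SYS_DESCR = "1.3.6.1.2.1.1.1.0"

if __name__ == "__main__":
    pkt = snmpv1_get("public", SYS_DESCR)          # 'public' is the classic default read string
    print(pkt.hex())
    print(sniff_community(pkt))
    # In the lab, the same bytes go out with socket.socket(AF_INET, SOCK_DGRAM).sendto(pkt, (agent, 161)).
```

The hex dump shows the community string as plain ASCII a few bytes into the datagram, which is the whole point: SNMPv1 and v2c have no secrecy, so anyone who can sniff a single request learns the string that the enumeration tools in this section then reuse.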
  • SMTP, used for the transmission of mail, can be enumerated with utilities such as Netcat and Telnet (the VRFY and EXPN commands confirm valid addresses). Use less predictable address formats than first.last@company.com to make it harder for attackers to blast emails at high-value targets. DNS servers may be enumerated through zone transfers, and SQL servers may let an attacker read, write, and modify data; placing a single quote (') in a username field is the classic test for SQL injection vulnerabilities.
  • When an application returns a database error, it signals to the attacker that the code is insecure and that commands can be passed directly to the database, enabling a variety of activities. Advanced enumeration techniques also cover industrial control systems and user agent strings. SCADA systems are used by the utilities industry to monitor critical infrastructure and control power distribution, as well as many other forms of automation. A PLC (programmable logic controller) is a machine control device that uses logic to control other machines; a PAC (programmable automation controller) is a compact controller.
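The single-quote probe and the error it provokes, as an added example that is not from the book: a login query written the vulnerable way (string formatting) next to its parameterised form, run against a constructed sqlite3 table. The table contents, the function names, and the use of sqlite3 in place of a network database are the example's own assumptions; the behaviour of the probe is the same on any SQL engine.

```python
"""Single-quote probe against a vulnerable and a parameterised login query (sqlite3).
Added example; the user table is constructed."""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (username TEXT, password TEXT, role TEXT);
        INSERT INTO users VALUES ('alice', 'Winter2023!', 'user'), ('admin', 'hunter2', 'admin');
    """)
    return db


def login_vulnerable(db, username, password):
    """Builds SQL by string formatting: the input becomes part of the statement's syntax."""
    query = "SELECT role FROM users WHERE username = '%s' AND password = '%s'" % (username, password)
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    """Parameterised query: the input is data, never syntax, whatever characters it contains."""
    row = db.execute("SELECT role FROM users WHERE username = ? AND password = ?",
                     (username, password)).fetchone()
    return row[0] if row else None


def probe(login, db, username, password="x"):
    """The enumeration step from the text: submit the input and see whether the application
    surfaces a database error (the signal that the query can be manipulated)."""
    try:
        return ("result", login(db, username, password))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for fn in (login_vulnerable, login_safe):
        print(fn.__name__, "quote probe:", probe(fn, db, "alice'"))
        print(fn.__name__, "bypass attempt:", probe(fn, db, "admin' --", "anything"))
```

The vulnerable version throws a syntax error on the lone quote (the signal the attacker is looking for) and then hands over the admin role when the quote is followed by a comment marker; the parameterised version simply returns no match for both inputs, and no error message ever reaches the user.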
  • SCADA systems are also found in HVAC systems, elevator controls, and so forth. In a pumping station, for example, they compare the measured flow and level to the setpoints and control the pump speed as required to match the flow to the setpoint. SCADA devices are increasingly connected to the Internet, and their value to attackers cannot be overstated. Security was not built into the Modbus protocol (it has neither authentication nor encryption), which leaves these devices open to cyber attacks.
  • DNP3 is a more recent communication protocol that uses timestamps and can send multiple responses in a single packet. BITBUS is the oldest commonly used field bus technology. SCADA systems are not always isolated, and many have been ported to Windows, so they face the same security concerns as other computer systems: default passwords, unpatched systems, insecure protocols, poor network segmentation, and field bus protocols that were never designed to be secure. Because SCADA systems are often connected to the Internet, attackers can use public tools such as SHODAN to search for them.
  • Attackers search for common SCADA ports, such as TCP 502 (Modbus) and TCP 20000 (DNP3), using Nmap. Once an interesting target is found, they may follow up with port-scanning techniques and scripts written specifically for SCADA systems.
  • A web server identified as Coyote (the Tomcat HTTP connector) has many known vulnerabilities, and Metasploit has Tomcat exploits built in. SCADA attacks can be devastating. The Stuxnet worm was a sophisticated piece of malware designed to sabotage a specific type of Siemens SCADA equipment: it spread through Microsoft Windows systems but delivered its sabotage payload only on systems matching a specific configuration, passing through the rest without acting. User agent strings are another way to identify systems, because each browser has its own distinctive string.
  • User agent strings identify the OS, browser, and language; from the standpoint of enumeration they are just another means of fingerprinting a specific system. Lightbeam is a Firefox add-on that displays every third party to whom your browsing habits and data are sent; it makes the tracking visible, and stopping it requires additional blocking tools. Fingerprinting is poised to be much more intrusive than cookies ever were, because it examines unique attributes such as which plug-ins and software you have installed, the size and manufacturer of your monitor, and your time zone.
  • The attacker has now identified active systems, services, and applications on your network and is mapping the attack surface: all the points where an unauthorized user can try to gain access. Attackers can guess username and password combinations by reviewing earlier enumeration findings, or recover passwords by comparing computed hashes against the stored ones. If the account lockout threshold is set low, online password guessing is of limited use. Windows stores user information and password hashes in the Security Accounts Manager (SAM) database and in Active Directory, as a LAN Manager hash (LM hash), an NTLM hash, or both.
  • NTLM supports passwords up to 127 characters long, and its hashes can be attacked with dictionary, hybrid, and brute-force cracking. A dictionary attack can often recover a password in a short time if common words have been used: the tool hashes each word in the list with the same algorithm and compares the result with the stored hash. A hybrid attack extends this by prepending and appending characters and numbers to the dictionary words before hashing them.
  • A brute-force attack tries every combination of characters and may take hours, days, months, or years depending on the complexity and length of the password. Cain & Abel and LCP are multipurpose tools that perform Windows enumeration, sniffing, and password cracking. Rainbow tables, a refinement of the precomputed-hash time-memory tradeoff, were introduced by Philippe Oechslin.
  • Ophcrack is a password-cracking tool that uses rainbow tables to crack Windows password hashes quickly. Several tables can be downloaded from its site, and you can search the web for others. Sniffing password hashes as they cross the network offers an attacker another avenue besides cracking hashes from the SAM, but it requires some form of access to the traffic.
  • If an attacker gains access to a low-privileged account, such as a regular user account, they may be able to leverage it to move up to a more privileged level; defense in depth is the goal. One of the best-known pass-the-hash programs is Mimikatz, whose documentation is partly in French; its GitHub repository includes useful information on command usage. Windows authenticates users with password hashes, and Mimikatz extracts those hashes (and sometimes cleartext credentials) from memory so that an attacker can reuse them directly, without cracking, or hand them to a cracking tool for a dictionary or brute-force attack.
  • Enumerated versions lead straight to published vulnerabilities, for example an advisory describing a race condition in the SSL implementation on Cisco Intrusion Prevention System (IPS) devices that allows remote attackers to cause a denial of service by making many management-interface HTTPS connections.
  • In a typical sequence, an attacker enumerates a system to determine which services and versions are running, searches the web for vulnerabilities in the identified version (Red Hat Linux 6.1, say), finds exploit code, and launches it against the vulnerable target.
  • When an attacker exploits a vulnerability, they gain access to the system as a standard user or a privileged user, depending on the level of access the vulnerable component had. A vulnerability can be exploited in several ways: tricking the user into executing a malicious program, copying the code to the system and scheduling it to run at a predetermined time, or exploiting interactive access to the system.
  • Password protection matters. Do not reveal your passwords to others, use stronger authentication mechanisms where available, log out of any session in which you used your password on a public computer or kiosk, and use a password manager. In this chapter, you learned about the process of enumeration. You should enumerate your own networks to see what information is available, because an attacker will always look for a hole, a misconfiguration, or an item that has not been secured.
  • An attacker armed with the latest Windows 2012 buffer overflow or malware must still enumerate active systems and identify which one is running the vulnerable code. Enumeration can also gather usernames, open shares, and vulnerable software versions. Security professionals must enumerate their own networks to reduce the amount of information exposed, prevent unauthorized enumeration, and mitigate attack vectors. A brute-force attack tries all possible values to break a cipher or password, while a buffer overflow attack uses unchecked input to inject malicious code or otherwise hijack an application.
  • NetBIOS frees applications from having to understand the operation of the network and lets them communicate within a local area network. Windows uses security identifiers and relative identifiers to identify accounts, Server Message Block to share files, and Simple Network Management Protocol to manage devices. This exercise demonstrates how to use the SolarWinds IP Network Browser to display information gathered from active SNMP devices; it requires you to start the SNMP service on a local Windows system and install the SolarWinds network management tools.
  • Cain & Abel is a tool that can be used to sniff for router traffic. To use Cain & Abel, first install WinPcap, then start Cain & Abel, and choose the Sniffer tab.
  • On the Sniffer tab, start the capture by clicking the Start/Stop Sniffer button, and double-click the update to display the routing information.
  • This exercise demonstrates how to use DumpSec to enumerate a Windows computer. You will analyze a user agent string to see if you can identify the type of browser being used, and what OS is being used.
  • This exercise will show you how unique and trackable your browser is. It uses cookies, IP addresses, and system fingerprinting to build an accurate picture of who you are.
  • This chapter takes an in-depth look at cryptographic systems, including symmetric and asymmetric encryption, Public Key Infrastructure (PKI), and methods used to obscure traffic. Understanding how these systems work is important for analyzing systems that security engineers work with, including identification and authentication systems. Security professionals may have to deal with a security breach or an instance where an attacker has gained control of an internal system. This chapter will discuss techniques to better cope with these situations. Encryption uses symbols or groups of letters to represent words or phrases, and ciphers replace one letter with another using either a simple or complex scheme. The ancient Hebrews used a system called ATBASH, and the Spartans had their own system called Scytale. Both systems worked by wrapping a strip of papyrus around a rod, and using that rod to read the message. The Romans had a system known as Caesar's cipher, which worked by a shift of three. Asymmetric encryption is a type of secret key or symmetric encryption that overcomes some of the problems associated with symmetric encryption, although it comes with its own drawbacks.
  • Symmetric encryption uses a shared key for encryption and decryption. To encrypt a combination lock, you need to use an algorithm, a cryptographic key, and a secret key. Symmetric encryption uses a dual-use key, which means that the same key can be used to lock and unlock data. This ensures confidentiality, because only the individual who has the key knows the true contents of the message.
  • Automating encryption and tunneling techniques requires a method to exchange the symmetric key securely. This is typically done through some type of out-of-band method, such as in-person delivery. Symmetric encryption suffers from scalability issues, and key management is the second big issue when dealing with symmetric encryption. However, there are some good features of symmetric encryption, including being fast and hard to break if a large key is used. Blowfish, DES, IDEA, RC4, SAFER, and Rivest Cipher 4 are general-purpose symmetric algorithms that can be used as security solutions. For example, PGP is a free security application that uses a 128-bit key to encrypt 64-bit blocks of plaintext.
  • PGP uses a public-private key system and the IDEA algorithm to encrypt files and messages. It overcomes the vulnerability of cleartext communication. Data Encryption Standard (DES) is a symmetric encryption standard that uses a 56-bit key and processes 64 bits of plaintext at a time to output 64-bit blocks of ciphertext. It has four common modes of operation: Electronic Codebook (ECB) mode, Cipher Block Chaining (CBC) mode, Cipher Feedback (CFB) mode, and Output Feedback (OFB) mode. ECB is the native encryption mode of DES and produces the highest throughput, but is also the easiest form of DES encryption to break. Cipher Block Chaining (CBC) mode uses 64-bit blocks of data and XORs some of the ciphertext created from the previous block into the next one. This makes the ciphertext more secure and less susceptible to cracking.
  • The DES Challenge was created by RSA Security to highlight the ease with which DES could be cracked using brute-force techniques. The third such attempt was able to crack the DES key in just 22 hours and 15 minutes. To extend the usefulness of the DES encryption standard, something had to be done. Triple DES was developed, which can use two or three keys to encrypt data, and is much more secure than 56-bit DES.
  • Rijndael was chosen by NIST to be the replacement for an aging DES, and is a block cipher that supports variable key lengths of 128, 192, or 256 bits. It is also known to be very secure. Cryptography gives its users the capability to verify integrity. For example, you might download an ISO image of Knoppix STD Linux from the web and verify its MD5sum before you use it. MD5sum values are examples of message digests, which are produced by using one-way hashing functions. A well-designed message digest examines every bit of the data while it is being condensed, and even a slight change to the data will result in a large change in the message hash.
  • MD2 was optimized for 8-bit computers and has fallen out of favor because it suffers from collisions. MD4 was the next algorithm to be developed, but it was found to be subject to possible attacks. SHA-1, SHA-2, and SHA-3 are secure hashing algorithms that are similar to MD5. SHA-1 processes messages in 512-bit blocks and adds padding, if needed, to ensure the data adds up to the right number of bits. Public key encryption uses two unique keys, one to encrypt the data and the other to decrypt it. It overcomes one of the big barriers of symmetric encryption: key distribution.
  • Asymmetric encryption works by using a public key to encrypt a message, and a private key to decrypt the message. The private key is generally kept secret, whereas the public key can be given to anyone. Public key cryptography uses one-way functions, which are easy to compute in one direction yet next to impossible to compute in the other direction. This allows someone with the public key to reconstruct the private key if they know the trap-door value. RSA was developed in 1977 and is considered very secure. It uses prime numbers whose product is much larger than 129 digits for security and can support a key size up to 2,040 bits.
  • Diffie-Hellman is potentially vulnerable to meet-in-the-middle attacks, but digital signatures can alleviate this vulnerability. El Gamal is an extension of Diffie-Hellman that uses three discrete components: a key generator, an encryption algorithm, and a decryption algorithm. Elliptic curve cryptography is considered more secure than discrete logarithm cryptography because elliptic curve systems are harder to crack than those based on discrete log problems. Elliptic curve cryptography is implemented in smaller, less powerful devices, such as smartphones and tablets.
  • Michael wants to send a message to his publisher using a hybrid cryptosystem, which combines both symmetric and asymmetric encryption to take advantage of the strengths of each type of encryption. Michael generates a random private key for the data encapsulation scheme, encrypts the message with the data encapsulation scheme using the session key, and sends both of these items to the publisher. The publisher uses their private key to decrypt the session key and then uses the session key to decrypt the message. After installing it, you will need to create a key and passphrase. After entering everything, the systems will generate the keys, and you can then distribute your public key to someone else and create your first encrypted message.
  • Public Key Infrastructure (PKI) overcomes many issues that occur when dealing with unknown parties on the Internet. It consists of hardware, software, and policies that manage, create, store, and distribute keys and digital certificates. The Certificate Authority (CA) is like the Department of Motor Vehicles (DMV) and verifies a person's identity with the help of the Registration Authority (RA). The CA creates a certificate that verifies that the person matches the public key that is being offered.
  • When certificate services are expanded to cover large geographical areas, a central CA can delegate its responsibilities to regional RAs. The CRL is maintained by the CA, which signs the list to maintain its accuracy. Digital certificates are used in the PKI system to ensure the integrity of the public key and validate that the public key is tied to the stated owner. Digital signatures are based on public key cryptography and are used to verify the authenticity and integrity of a message. The Digital Signature Algorithm (DSA) was designed by NIST to standardize the Digital Signature Standard (DSS). It uses SHA-1 in conjunction with public key encryption to create a 160-bit hash.
  • Three common approaches to certificate distribution are direct trust, hierarchical trust, and private key distribution. Physical access to a system can bypass authentication and encryption schemes. The program Ultimate Boot Disk for Windows can be used to demonstrate an unauthorized change to the administrator password. You will need to set the system BIOS to boot from a CD, then run UBCD4Win and click Password Renew. You can mitigate this risk by configuring BIOS to not allow the system to boot from CD. Authentication is the act of proving an identity, and it can be performed in several different ways.
  • As a security professional, you should understand the different ways that authentication is performed and how it relates to security. Some web developers still use hidden fields, but these fields are not really hidden at all, and can be easily manipulated. The server has no way of knowing if these values have been changed or altered. Passwords are the oldest and simplest form of authentication, but they are often forgotten or are too easy to guess. Additionally, passwords cannot be written down on Post-it Notes or shared with others, and people are not good at remembering random, complex passwords.
  • Most individuals will choose something easy rather than risk forgetting their password and creating a bad first impression, which means that an attacker may simply be able to launch a password-guessing attack. The hacker known as Guccifer gained access to former president George W. Bush's and others' accounts by guessing their passwords or answering their password-recovery security questions. He was arrested and is now serving a seven-year sentence in Romania. Users choose weak passwords, so to prevent hackers from capturing their passwords from your computer's hard drive, most modern operating systems encrypt the password and store it in some form of a hashed equivalent.
  • Windows NT Challenge/Response, also known as NT LAN Manager (NTLM), is one of the older authentication schemes. Microsoft allowed the older authentication schemes to be used, but the LM authentication is particularly vulnerable as it truncates the password to 14 characters, converts the password to uppercase, pads the result if the total number of characters is fewer than 14, and divides the password into two 7-character fields. With the knowledge of how LM passwords are created, you can examine the two following password entries that have been extracted from the SAM. Notice how the padding is used to reduce password-cracking time.
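  As an added illustration (not from the book), the following Python reproduces the LM preprocessing just described, estimates how much it shrinks an attacker's search, and audits pwdump-style SAM entries for the padding signature: a half that contains only padding always DES-encrypts to the same well-known constant. The sample dump lines and their other hex values are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Each LM half is DES-encrypted under a 7-byte key; a half that is all padding
# (password of 7 characters or fewer) always produces this well-known constant.
# When LM storage is disabled, Windows records the empty-password hash, which is
# this constant twice, so "both halves constant" needs the NT hash for context.
EMPTY_LM_HALF = "aad3b435b51404ee"

# pwdump-style dump line: user:RID:LM-hash:NT-hash:::  (LM field may be a placeholder)
PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([^:]*):([0-9a-fA-F]{32}):::$")


def lm_preprocess(password):
    """Reproduce the LM key derivation described above: truncate to 14 characters,
    uppercase, NUL-pad to 14 bytes, split into two independent 7-byte halves.
    (The DES step that turns each half into 8 hash bytes is not reproduced.)"""
    p = password[:14].upper().encode("latin-1", "replace").ljust(14, b"\x00")
    return p[:7], p[7:]


def lm_work_reduction(printable=95, lowercase=26, max_len=14):
    """How many times smaller LM makes the attacker's search: two 7-character halves
    over the uppercased alphabet, attacked independently, versus the full
    14-character mixed-case keyspace the user believes they chose."""
    full_space = printable ** max_len
    lm_space = 2 * (printable - lowercase) ** 7
    return full_space // lm_space


@dataclass
class LmFinding:
    user: str
    issue: str


def audit_sam_dump(lines):
    """Flag accounts whose stored LM hash gives an attacker a head start."""
    findings = []
    for line in lines:
        m = PWDUMP_RE.match(line.strip())
        if not m:
            continue
        user, _rid, lm, _nt = m.groups()
        lm = lm.lower()
        if not re.fullmatch(r"[0-9a-f]{32}", lm):
            continue  # placeholder such as "NO PASSWORD***": no LM hash stored
        first, second = lm[:16], lm[16:]
        if first == second == EMPTY_LM_HALF:
            findings.append(LmFinding(user, "LM hash of the empty string: either LM "
                                            "storage is disabled or the password is empty"))
        elif second == EMPTY_LM_HALF:
            findings.append(LmFinding(user, "LM hash stored and password is 7 characters "
                                            "or fewer: only one half needs cracking"))
        else:
            findings.append(LmFinding(user, "LM hash stored: both 7-character halves can "
                                            "be cracked independently"))
    return findings


# Constructed sample dump (placeholder hex, not real hashes).
SAM_SAMPLE = [
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::",
    "svc_backup:1001:0123456789abcdefaad3b435b51404ee:0123456789abcdef0123456789abcdef:::",
    "jdoe:1002:0123456789abcdeffedcba9876543210:0123456789abcdef0123456789abcdef:::",
    "Guest:501:NO PASSWORD*********************:fedcba9876543210fedcba9876543210:::",
]

if __name__ == "__main__":
    for f in audit_sam_dump(SAM_SAMPLE):
        print(f"{f.user}: {f.issue}")
    print(f"LM shrinks a 14-char search by a factor of about {lm_work_reduction():.3g}")
```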
  • Windows authentication uses MD5 by default, and a salt is used to add a layer of randomness to the passwords. The salt can be one of 4,096 values, and the MD5 password is 32 characters long and begins with $1$. MD5 is considered a fast hashing algorithm, so to address this issue, Unix-based systems have started using techniques to slow down the password cracking process. One example is bcrypt, which forces the attacker to use increasing amounts of computation power. Passwords have been moved out of the /etc/passwd file and into the /etc/shadow file. Only root has access to this file.
  • The format of the shadow file is Account_name:Password:Last:Min:Max:Warn:Expire:Disable:Reserved. To increase security, use longer passwords that are based on passphrases. Challenge-response authentication requires the user to enter a correct answer to a secret value sent by the server. This technique can reduce the possibility of replay attacks by encrypting the hashed password using secret key encryption.
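  Added example, not the book's own code: a small auditor for shadow entries using the field layout given above. It recognises the $1$ MD5 scheme, bcrypt and its cost parameter, and the SHA-2 crypt schemes, and flags empty, never-expiring or fast-hashed passwords. The bcrypt cost threshold and the sample lines (placeholder hash bodies) are constructed for illustration.

```python
from dataclasses import dataclass

# Field order exactly as given above.
SHADOW_FIELDS = ["Account_name", "Password", "Last", "Min", "Max",
                 "Warn", "Expire", "Disable", "Reserved"]

# crypt(3) scheme identifiers. $1$ is the MD5 scheme discussed above; $2a$/$2b$/$2y$
# are bcrypt; $5$/$6$ are the SHA-2 schemes, which may carry a rounds= parameter.
HASH_SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
                "5": "sha256crypt", "6": "sha512crypt"}
MIN_BCRYPT_COST = 10   # assumed audit threshold (2**cost iterations), not from the text
NO_EXPIRY = {"", "99999"}


@dataclass
class ShadowEntry:
    name: str
    password: str
    fields: dict


def parse_shadow_line(line):
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(SHADOW_FIELDS):
        raise ValueError(f"expected {len(SHADOW_FIELDS)} fields, got {len(parts)}: {line!r}")
    fields = dict(zip(SHADOW_FIELDS, parts))
    return ShadowEntry(fields["Account_name"], fields["Password"], fields)


def classify_hash(pw):
    """Return (scheme, salt, cost) for a shadow password field."""
    if pw == "":
        return "empty", None, None
    if pw[0] in "*!":
        return "locked", None, None            # account disabled / no valid hash
    if not pw.startswith("$"):
        return "descrypt", pw[:2], None        # traditional DES crypt: 2-char salt, 8-char limit
    parts = pw.split("$")                      # ['', id, ...]
    scheme = HASH_SCHEMES.get(parts[1], "unknown")
    if scheme == "bcrypt":                     # $2b$<cost>$<22-char salt><31-char hash>
        return scheme, parts[3][:22], int(parts[2])
    if scheme.startswith("sha") and parts[2].startswith("rounds="):
        return scheme, parts[3], int(parts[2][len("rounds="):])
    return scheme, parts[2], None


def audit_shadow(lines):
    """Return (account, issue) pairs for entries that weaken the protections described above."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        entry = parse_shadow_line(line)
        scheme, _salt, cost = classify_hash(entry.password)
        if scheme == "locked":
            continue
        if scheme == "empty":
            findings.append((entry.name, "no password set"))
        elif scheme == "md5crypt":
            findings.append((entry.name, "fast MD5 crypt ($1$): cheap to brute-force, migrate to bcrypt"))
        elif scheme == "descrypt":
            findings.append((entry.name, "traditional DES crypt: password truncated to 8 characters"))
        elif scheme == "bcrypt" and cost < MIN_BCRYPT_COST:
            findings.append((entry.name, f"bcrypt cost {cost} below threshold {MIN_BCRYPT_COST}"))
        if entry.fields["Max"] in NO_EXPIRY:
            findings.append((entry.name, "password never expires (Max field)"))
    return findings


# Constructed sample file; hash bodies are placeholders, not real digests.
SHADOW_SAMPLE = [
    "root:$6$saltsalt$" + "A" * 86 + ":19000:0:99999:7:::",
    "legacy:$1$abcdefgh$" + "B" * 22 + ":18000:0:90:7:::",
    "appsvc:$2b$05$" + "C" * 53 + ":18500:0:99999:7:::",
    "olduser:Ab" + "D" * 11 + ":15000:0:90:7:::",
    "nologin:*:18000:0:99999:7:::",
    "tmp::19000:0:90:7:::",
]

if __name__ == "__main__":
    for name, issue in audit_shadow(SHADOW_SAMPLE):
        print(f"{name}: {issue}")
```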
  • Asynchronous challenge-response systems are not synchronized to an authentication server, and use a hashed password that is never transmitted over the network. Synchronous systems are synchronized to the authentication server and change user passwords every 60 seconds. Session Authentication is a form of authentication that validates users once and creates a session value that represents that authentication. The problem with session stealing is that it has been used quite often over the last few years.
  • Basic authentication uses the XOR binary operation to encode the user's password and is one of the weakest forms of authentication. Message digest authentication uses the MD5 hashing algorithm and a challenge-response protocol, and is much more resistant to cracking and sniffing attacks than basic authentication. Certificate-based authentication is the strongest form of authentication discussed so far. Type 7 passwords are a weak form of encryption, and Cisco states that customers should treat configuration files as sensitive information.
  • Attackers can use tunneling techniques to hide malicious traffic at many different layers of the TCP/IP model, including sniffing, shoulder surfing, or accessing a Trivial File Transfer Protocol (TFTP) server. The Internet layer offers several opportunities for hackers to tunnel traffic. IPv6 and ICMP are two commonly tunneled protocols, and IPv6 can be abused to deliver malware in a way that eludes edge devices, firewalls, and even intrusion detection systems.
  • Malware designed to enable IPv6 support on susceptible hosts can be used to elude detection by firewalls or IDS not configured to recognize IPv6 traffic. There are plenty of tools to tunnel over IPv6, so be aware of specific vulnerabilities and implement good host and application security. The second protocol that might be tunneled at the Internet layer is Internet Control Message Protocol (ICMP), which is used to test connectivity. The optional data field is used as filler, and is similar to those Styrofoam peanuts found in a shipping box. Loki was a proof-of-concept tool for tunneling over ICMP, and it was designed to show how ICMP traffic could be insecure and dangerous. It is not encrypted, and anyone noticing an abundance of ICMP packets can detect its presence.
  • Unlike Loki, the ICMP backdoor program uses only ping reply packets, and so some IDS systems can easily detect that the traffic is not comprised of actual ICMP packets. 007Shell and icmpsend are ICMP covert communication programs that use ping packets to covertly exfiltrate data. Attackers can tunnel data in or out of your network using TCP and UDP. TCP offers several fields that can be manipulated by an attacker. The three-step handshake ensures that both systems are ready to communicate, exchanges control information, specifies maximum segment size, and contains information about the amount and position of data being sent. The four-step shutdown allows for an orderly shutdown.
  • Social engineering, trickery, or a malicious program can be used to launch a program inside your network and create a customized tunnel. Tools such as AckCmd serve this exact purpose, and can be downloaded from .
  • Application layer tunneling uses common applications that send data on allowed ports. Secure Shell (SSH) is often allowed through firewalls and edge devices, making it easy to tunnel a web session through SSH. HTTP is a common application layer protocol that attackers can use to tunnel traffic. HTTPS is an even bigger concern because the contents of the session are encrypted and thus not easily monitored. Domain Name System (DNS) can be used for application layer tunneling. The most straightforward way to manipulate DNS is by means of these request/replies, but the most common problem is that information must be forwarded to the client or some type of polling must be implemented.
  • Many tunneling tools use DNS as their communication channel, and transmit data via cleartext or encoded data using Base32/Base64 binary, NetBIOS, or Hex encoding. Table 6-1 summarizes the tunneling techniques discussed here:
        Protocol  Layer        Advantage          Disadvantage                        Tools
        IPv6      Internet     Covert             Potentially blocked                 socat, nt6tunnel, asybo
        ICMP      Internet     Low level          Detectable                          Loki, icmpsend, 007Shell
        TCP       Transport    Reliable           Easily filtered                     AckCmd, TCP Tunnel
        DNS       Application  Firewall-friendly  Not good for large amounts of data
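  An added detection example (not from the book) for the ICMP and DNS channels described above: it profiles echo traffic per local host for reply-only channels, abundance, and filler-sized or varying payloads, and scores DNS query names for length and label entropy. Thresholds, the local address prefix and the traffic records are assumed values constructed for the example.

```python
import math
from collections import Counter, defaultdict

# Thresholds are assumed tuning values for this example, not figures from the text.
ICMP_ABUNDANCE = 50           # echo packets involving one host in the analysis window
ICMP_MAX_NORMAL_PAYLOAD = 64  # stock ping payloads are 32 or 56 bytes
ICMP_MAX_DISTINCT_SIZES = 3   # real ping traffic keeps a fixed payload size
DNS_MAX_NAME_LEN = 100
DNS_MIN_SUB_LEN = 30
DNS_ENTROPY_BITS = 3.5        # bits/char; Base32/Base64 labels approach 5-6, words sit near 2-3


def shannon_entropy(text):
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def icmp_findings(packets, local_prefix):
    """packets: (src, dst, icmp_type, payload_len); type 8 = echo request, 0 = echo reply.
    Only hosts whose address starts with local_prefix are profiled."""
    stats = defaultdict(lambda: {"sent_req": 0, "recv_req": 0, "sent_rep": 0,
                                 "recv_rep": 0, "sizes": set(), "max": 0})
    for src, dst, icmp_type, plen in packets:
        if icmp_type not in (0, 8):
            continue
        kind = "req" if icmp_type == 8 else "rep"
        for host, direction in ((src, "sent_"), (dst, "recv_")):
            if host.startswith(local_prefix):
                h = stats[host]
                h[direction + kind] += 1
                h["sizes"].add(plen)
                h["max"] = max(h["max"], plen)
    findings = []
    for host, h in sorted(stats.items()):
        total = h["sent_req"] + h["recv_req"] + h["sent_rep"] + h["recv_rep"]
        if h["sent_rep"] and not h["recv_req"]:
            findings.append((host, "sends echo replies without receiving echo requests (reply-only channel)"))
        if h["recv_rep"] and not h["sent_req"]:
            findings.append((host, "receives unsolicited echo replies"))
        if total >= ICMP_ABUNDANCE:
            findings.append((host, f"{total} echo packets in window (abundance)"))
        if h["max"] > ICMP_MAX_NORMAL_PAYLOAD or len(h["sizes"]) > ICMP_MAX_DISTINCT_SIZES:
            findings.append((host, f"payload up to {h['max']} bytes in {len(h['sizes'])} distinct sizes (filler data)"))
    return findings


def dns_findings(queries):
    """queries: (client, qname). Assumes a two-label registered domain such as example.com."""
    findings = []
    for client, name in queries:
        labels = name.rstrip(".").split(".")
        sub = "".join(labels[:-2])   # everything below the registered domain, dots removed
        if len(name) > DNS_MAX_NAME_LEN:
            findings.append((client, name, "query name far longer than normal hostnames"))
        elif len(sub) >= DNS_MIN_SUB_LEN and shannon_entropy(sub) > DNS_ENTROPY_BITS:
            findings.append((client, name, "long high-entropy subdomain (looks Base32/Base64 encoded)"))
    return findings


# Constructed sample traffic.
ICMP_SAMPLE = (
    [("10.0.0.5", "10.0.0.1", 8, 56) for _ in range(4)]
    + [("10.0.0.1", "10.0.0.5", 0, 56) for _ in range(4)]                # normal ping exchange
    + [("10.0.0.9", "203.0.113.7", 8, 200 + 13 * i) for i in range(60)]  # bulky, varying payloads
    + [("10.0.0.23", "198.51.100.4", 0, 512) for _ in range(5)]          # replies nobody asked for
)
ENCODED_NAME = ("abcdefghijklmnopqrstuvwxyz234567.234567abcdefghijklmnopqrstuvwxyz"
                ".t.example.com")                                        # Base32-alphabet labels
LONG_NAME = "a" * 60 + "." + "b" * 60 + ".example.com"
DNS_SAMPLE = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.corp.example.com"),
    ("10.0.0.23", ENCODED_NAME),
    ("10.0.0.9", LONG_NAME),
]

if __name__ == "__main__":
    for host, issue in icmp_findings(ICMP_SAMPLE, "10.0.0."):
        print(f"ICMP {host}: {issue}")
    for client, name, issue in dns_findings(DNS_SAMPLE):
        print(f"DNS  {client} -> {name[:40]}...: {issue}")
```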
  • Advanced tunneling techniques allow attackers to access data behind a firewall. Using Netcat, they can set up a listener on their system and redirect traffic to the victim's system, where they can execute commands as desired. In the previous "In the Lab" section, we discussed how to bypass normal password authentication on a Windows computer. Another possible solution is biometrics, and one widely used method involves fingerprint recognition.
  • In Identification mode, you can analyze the print and compare it to the original. These ridges, valleys, and minutiae are used to identify a valid fingerprint. In the ninth century, Abu al-Kindi published a paper on how to break cryptographic systems using frequency analysis. This section looks at some of the ways authentication systems are attacked. William Frederick Friedman, who is considered one of the best cryptologists of all time, helped the United States break the Japanese Purple Machine encryption just prior to World War II. The NSA raided Friedman's home to retrieve some of his personal writings.
  • Keystroke loggers are software or hardware devices used to monitor activity. They are undetectable except for their physical presence, and can be used to extract passwords if an attacker can gain remote access to a system. Finally, do not forget the possibility that the user has applied a weak password. A determined attacker will look for subtle clues to key in on, probably words or phrases that the account holder may have used for a password. Attackers use Mimikatz and the Pass-the-Hash toolkit to dump Local Security Authority secrets, SAM databases, and password history using both registry and in-memory attacks. Once they have compromised a password, it is easy to use that account to tunnel deeper into a company's network.
  • Dictionary attacks use predefined dictionary files to look for matches between the encrypted password and the encrypted dictionary word. They can be performed in just a few minutes. Password-cracking programs use a technique called comparative analysis to compare each potential password found in a dictionary list to the encrypted password. They are comparatively smart because they can manipulate a word and use its variations, as well as add common prefixes, suffixes, and extended characters to try to crack the password. Dictionary lists are great for finding commonly used passwords and several that have been made public during security breaches. Brute-force attack is a type of encrypted password assault that can take hours, days, months, or years to complete depending on the complexity of the password and the key combinations used.
  • A brute-force attack on a password using a computer's CPU will work, but a graphics processing unit (GPU) can be used to improve the results. Some applications do not enforce a lockout policy, or they simply tell you whether the password or username is incorrect.
  • A weak password is worse than no lockout. Apple finally patched a security hole in Find My iPhone in September 2014, after it was alleged that this technique was used to gain access to many celebrities' photos and images. A rainbow table is a new approach to password cracking that works by precomputing all possible passwords in advance and storing the results in a file. The password can be quickly compared to the values stored in the table and cracked within a few seconds. The hacker obtains several messages encrypted using the same algorithm, and attempts to crack the code by looking for patterns and using statistical analysis. Man-in-the-middle attacks are carried out when hackers place themselves between two users, and chosen ciphertext attacks are carried out when hackers decrypt parts of a ciphertext message.
  • A hacker can use a chosen plaintext attack or a replay attack to intercept and re-use cryptographic keys to encrypt or decrypt messages. This chapter has reviewed cryptographic systems, some common ways that you use encryption, and methods that attackers use to tunnel or obscure information to exfiltrate it out of a network. The most important goal of this chapter is to reinforce the idea that not all encryption techniques are the same. This chapter discussed how an attacker can tunnel traffic inside another protocol to hide their activities, and discussed some common password-cracking techniques. The best defense is to switch to other forms of authentication and to use passphrases and perform deep packet analysis on network traffic.
  • Authentication methods include CHAP, EAP, and passwords. Common credentials include passwords, tokens, and biometric systems. Brute force attacks break ciphers by trying all possible values, and their feasibility depends on the key length, the strength of the cipher, and the processing power available to the attacker. Digital certificates contain owner identity information and their public key, while digital signatures authenticate the sender of a message. Hash functions are used to ensure that a transmitted message has not been tampered with, and key-exchange protocols are used to exchange secret keys for encrypted communication. Public key encryption uses two keys to encrypt and decrypt data. The private key is never transmitted or publicized, making the encryption scheme extremely secure.
  • Exercise 6 uses CrypTool to demonstrate how cracking times and key lengths are associated. It also demonstrates how quickly the cleartext is revealed when you brute-force decrypt a Symmetric (Modern) a RC4 using an 8-bit key.
  • In this exercise, you will generate a small rainbow table and verify its operation. To do so, you need to copy rainbowcrack-1.2-win.zip to your local Windows computer and open a command prompt.
  • You need to perform several steps to generate the tables, which may take up to 8 hours or more depending on the speed of your computer. Once the tables are complete, you need to sort the files. This exercise demonstrates how to use John the Ripper to crack passwords on local computers. First, add three users and set their passwords to P@ssw0rd, MyPassword, and !p@ssw0rd1.
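  To show what the precomputed table in this exercise and in the rainbow-table discussion above actually does, here is an added toy implementation (not RainbowCrack's code): a deliberately tiny space of 3-letter lowercase passwords, SHA-256 as the attacked hash, a different reduction function per column, and a lookup that walks chains back from the stored end points. Chain length, chain count and the salt value are illustrative assumptions; the salted lookup shows why a per-user salt defeats a table built in advance.

```python
import hashlib
import string

ALPHABET = string.ascii_lowercase
PW_LEN = 3
SPACE = len(ALPHABET) ** PW_LEN   # 17,576 candidate passwords: deliberately tiny
CHAIN_LEN = 50                    # t: hash/reduce steps per chain (toy value)
NUM_CHAINS = 800                  # m: chains kept in the table (toy value)


def index_to_password(n):
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(reversed(chars))


def H(password, salt=""):
    """The hash being attacked; an optional salt models a salted password store."""
    return hashlib.sha256((salt + password).encode()).digest()


def reduce_(h, column):
    """Reduction function R_column: maps a hash back into the password space. Using a
    different function per column is what makes the table 'rainbow' and limits merges."""
    return index_to_password((int.from_bytes(h[:8], "big") + column) % SPACE)


def build_table(num_chains=NUM_CHAINS, chain_len=CHAIN_LEN):
    """Precompute m chains of t steps each; only (end point -> start point) is stored,
    which is the time/memory trade-off: t hashes per lookup instead of storing them all."""
    table = {}
    stride = max(1, SPACE // num_chains)
    for k in range(num_chains):
        start = index_to_password((k * stride) % SPACE)
        p = start
        for column in range(chain_len):
            p = reduce_(H(p), column)
        table.setdefault(p, start)   # first chain wins if two chains merge
    return table


def lookup(table, target, chain_len=CHAIN_LEN):
    """Recover a password from its (unsalted) hash, or None if the table does not cover it."""
    for i in range(chain_len - 1, -1, -1):
        # assume target is the hash sitting in column i and finish the chain from there
        p = reduce_(target, i)
        for column in range(i + 1, chain_len):
            p = reduce_(H(p), column)
        start = table.get(p)
        if start is None:
            continue
        # candidate chain found: walk it from the start and check for the real preimage
        q = start
        for column in range(chain_len):
            if H(q) == target:
                return q
            q = reduce_(H(q), column)
    return None          # false alarm or uncovered password


def coverage(table, sample):
    """Fraction of sample passwords whose unsalted hash the table recovers."""
    hits = sum(lookup(table, H(pw)) == pw for pw in sample)
    return hits / len(sample)


if __name__ == "__main__":
    table = build_table()
    print(f"stored {len(table)} chain end points instead of {SPACE} hashes")
    sample = [index_to_password(i) for i in range(0, SPACE, SPACE // 100)]
    print(f"coverage on ~100 sample passwords: {coverage(table, sample):.0%}")
    print("salted hash recovered:", lookup(table, H("cat", salt="s4lt")))
```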
  • John the Ripper is a tool for ethical hackers to use to test password strength. It performs different types of cracks: single mode, dictionary, or wordlist mode.
  • This chapter introduces automated attack and penetration tools and delves into the topics of risk, vulnerabilities, and exploits. It compares the situation of buying a piece of software with the situation of finding out that the software has a design defect. Attack and penetration tools look at how vulnerable a piece of software, an application, or a networked system is.
  • Attack and penetration tools can be used to analyze overall security as well as how well the organization's assets are protected. They can be used to determine the adequacy of security measures, identify security deficiencies, and predict the effectiveness of potential security measures. Audits and reviews determine whether systems are properly patched, whether security policies and requirements are being followed, and whether the controls sufficiently guard against potential risk. Penetration tests determine whether an attacker can gain access to an information system and maintain access.
  • Farmer was fired from Sun Microsystems for developing the first automated penetration tool, SATAN. Today, attack and penetration tools are viewed much differently, and security professionals must look for vulnerabilities in their own networks and seek ways to mitigate the exposures they uncover. After a hacker stole information about 40 million credit card users from their database, CardSystems Solutions discovered a software vulnerability and broke Visa and MasterCard policies by storing confidential consumer information in their databases. Source code assessment tools can be used to audit security problems in source code, and are available for free. They can detect problems such as buffer overflows, race conditions, privilege escalation, and tainted input.
  • Application assessment tools can scan applications for vulnerabilities that occur at runtime and test such issues as user input. They are not just useful for security testing either, but can push the limits of user input testing by performing automated bounds-testing as well. System assessment tools are intended for probing systems and their components, rather than individual applications. They can also test the effectiveness of layered security measures. System-level assessment tools can probe an entire local or remote system or network for a variety of vulnerabilities, but they have their disadvantages, such as the inability to audit the source code and the dependence on the responses of a service to a finite number of probes.
  • Retina is a commercial network security scanner for Windows that can determine the host operating system, which applications are running, which patches are installed, whether any security patches are missing, and more. Microsoft Baseline Security Analyzer (MBSA) and NetRecon are commercial scanners that ensure consistency with other Microsoft products and scan more than three million computers each week. QualysGuard is a web-based vulnerability scanner that features more than 5,000 vulnerability checks as well as an inference-based scanning engine. Security Auditor's Research Assistant (SARA) is a freeware application that features a command-line interface and web-based GUI.
  • There are a lot of tools to choose from when building your own security lab. You must consider the type of impact the tool has on the network, as well as how the tool affects the systems being scanned. Another item worth considering is how many types of vulnerabilities the software will detect. This can be a difficult attribute to accurately measure because different vendors measure the numbers differently. You want to consider how the software examines each system. A good assessment tool will perform checks while being authenticated, and it should also provide a report that is easy to analyze.
  • Nessus is a tool that lists vulnerabilities, points to possible fixes, and performs tracking. Nessus is an open source, comprehensive, cross-platform vulnerability scanner that can be downloaded from the Tenable Network Security website. Real-time plug-in updates require a fee, but there is also a feed that is available to the public. Nessus is a powerful, flexible security-scanning and auditing tool that takes a basic "nothing for granted" approach to network security. It is an open source program that allows fast updates by community members. The Nessus client/server model offers a distributed means of performing vulnerability scans. It can be used in place of a laptop-based scan, which uses up all the laptop's resources.
  • You use your laptop as a Nessus client to connect to the Nessus server at your home office and begin an external scan. The Nessus client/server model makes scan data available, and allows you to continue your on-site duties while the scan continues to move forward. Encryption should almost always be used, and you can choose from Transport Layer Security (TLS) or Secure Sockets Layer (SSL).
  • Nessus supports certificate-based authentication, which gives the administrator the ability to integrate Nessus into the organization's current Public Key Infrastructure (PKI). Nessus plug-ins are designed to allow anyone to create their own signatures for vulnerability checks. These plug-ins are created with Nessus Attack Scripting Language (NASL), which is similar to C but prevents the plug-ins from doing anything malicious.
  • The Nessus Knowledge Base allows developers to leverage the information gained from previous plug-ins. For example, a plug-in that finds Microsoft IIS running on a targeted host can set a Knowledge Base variable to IIS 5.0 with Internet Printing Protocol running.
  • Nessus is an automated attack and penetration tool that lets you scan for vulnerabilities in network devices. It supports many types of plug-ins, and you can use ping sweeps and port scans to find vulnerable systems.
  • Nessus is an automated attack and penetration tool that lets you scan for malicious plug-ins. The next step is to create a plug-in policy, launch a scan, and analyze the report. The last step is to remediate and repair vulnerabilities. Research all remediation plans before taking any action, and set times for remediation and assign individuals to tasks where accountability can be maintained.
  • There are literally hundreds of vulnerability assessment tools on the market, and AppDetective is one of the better-known ones. It can scan databases for weaknesses, misconfigurations, and vulnerabilities, and give you a detailed list of the problems found and how to go about fixing them. Metasploit is an open source vulnerability assessment tool that can be used to automate the identification and exploitation of vulnerable services. It is similar in design to Immunity's CANVAS or Core Security's Core Impact Pro.
  • Metasploit has three basic ways in which it can be controlled: through Armitage, a graphical user interface, through the msfconsole, a console-based interface, and through the msfcli, a command-line interface.
  • Metasploit Console is a powerful way to use Metasploit because it provides you with more granular control over the delivery of an exploit. The steps involved in executing an exploit with msfconsole are as follows: list and set the default encoder and NOP generators, display the available exploit modules, select an exploit module, select the appropriate target platform, set the exploit options, set the advanced options, set the payload, and launch the exploit.
  • The msfweb class contains the following members: encoders, exploit, payload, name, browser socket, console, cachedir, icondir, theme, ghettoIPC, sessionOD, and printlinebuffer. You can set the default encoder and NOP generators using the show encoders and setg encoder commands. The next step is to display the available exploit modules, select one for use, and set the exploit options. The payload can be viewed with the show payloads command, and the exploit can be launched if everything was configured correctly. The Metasploit command-line interface (msfcli) is used when no interactivity is required or when being run as a piece of a script.
  • The steps involved in executing an exploit under the msfcli are as follows: Pick a suitable exploit module, choose the appropriate target platform, select a payload from the available list, select an exploit and payload options, and execute the exploit.
  • Core Impact is an advanced point-and-click automated exploit and assessment tool that steps you through the process, starting at scanning and continuing through the exploit and control phase. It is useful for everyone from the novice to the seasoned security professional. Core Impact enables the user to pivot a compromised system, which allows the first compromised system to be used to compromise other vulnerable systems.
  • Core Impact is an impressive tool, but it can cost upwards of $25,000. CANVAS is a tool developed by Dave Aitel of Immunitysec.com, and it is a commercial tool that can provide a security professional with attack and penetration capabilities. When determining which tools to use for vulnerability assessment activities, you must consider what type of assessment you end up performing, the disruption factor, and the degree of disruption that the user can tolerate.
  • There are several ways to address this concern, including setting up a dual boot computer that gives you access to both operating systems. Set up a Windows system and run Kali from a DVD or from a USB thumb drive. Or, use a virtual machine to run both operating systems at the same time. Automated assessment tools such as Nessus, Retina, and others help provide a baseline of security, while exploitation framework and attack tools allow you to find vulnerabilities and point and click to exploit them.
  • Core Impact is an automated attack and penetration testing tool that uses a methodical, step-by-step approach to penetration testing. It has been developed in such a way that users with any level of training can use it. N-Stalker is a web server security-auditing tool that scans for more than 30,000 vulnerabilities. You can download and install N-Stalker from the Internet and start it from a Windows computer.
  • Use N-Stalker to scan for vulnerabilities in web applications. The N-Stalker Report Manager prompts you to select a format for the resulting report, and you can review the HTML report for vulnerabilities.
  • To attack a Windows system using Metasploit, you need a Kali DVD or VM, and a Windows 2003 unpatched computer system. The RPC Distributed Component Object Model (DCOM) vulnerability in unpatched Microsoft Windows products allows an attacker to execute arbitrary code and perform arbitrary actions with system privileges. Start Metasploit Framework by entering the following command: ./msfconsole. Run Nmap at your targeted Windows 2000 computer and type show exploits at the prompt to list all available exploits.
  • Metasploit is a tool for automated attack and penetration testing. To use it, you need to know the IP address of the remote host, the local host, and the supported exploit targets.
  • The attacker gains local system privileges and can use the command prompt to further exploit the target computer, for example, by adding a new user to the administrator group. However, many exploits can cause denial-of-service (DoS) or other issues, which may not result in a successful attack.
  • In the not-too-distant past, hackers called phone numbers looking for systems with modems tied to them. Administrators fought back by adding firewalls and intrusion detection, and by filtering access to unneeded ports at the edge of the network. Wireless communication plays a big role in most people's lives, from cell phones and satellite TV to data communication. Attackers see wireless in the same way they viewed previous technologies.
  • IEEE LAN wireless systems are a family of wireless networking protocols created by the Institute of Electrical and Electronics Engineers (IEEE). These protocols are used in cell phones, cordless phones, global positioning systems (GPS), AM/FM radio, LAN wireless systems, or WAN wireless systems. Wireless costs are similar to wired costs, but there are no cable plant costs associated with wireless LANs. However, there are some issues to consider before deciding whether wireless is the perfect connectivity solution. Wireless networks can suffer from interference and signal challenges, whereas wired networks do not. Wired Ethernet has a drop in performance when maximum cable lengths are not exceeded, and is more secure than wireless in that the attacker must gain access to the physical cable plant.
  • Wireless networks can be attacked in many different ways. I will discuss some wireless fundamentals, wireless attacks, hacking tools, and finally some ways to secure wireless networks. A wireless LAN consists of two or more computers connected via a wireless connection. The network can operate in either ad hoc or infrastructure mode, with a wireless access point (AP) providing Internet connectivity to multiple users.
  • In infrastructure mode, a wireless device communicates with an access point, and the AP forwards the packets to the appropriate computer. Ad hoc mode wireless networks are less scalable than infrastructure mode networks, and can suffer from the hidden node problem. Wireless access points (APs) can operate in several different modes, depending on what you buy and how much money you spend. These modes include normal mode, bridge mode, and repeater mode.
  • The 2.4 GHz band is unlicensed and is used for industrial, scientific, and medical (ISM) communications. The IEEE WLAN standards define the physical layer standards by which the protocols work, and describe the frequency and band, as well as the transmission technology used to access the network. Most wireless devices use spread-spectrum technology to transmit data over a wide range of radio frequencies. This technology was pioneered by the military to increase the difficulty of eavesdropping and signal jamming, and was improved with complementary code keying (CCK) in 802.11b to bump up data rates.
  • FHSS uses a wide slice of the bandwidth spectrum and divides it into smaller subchannels of about 1 MHz. It uses a hopping pattern to communicate with other devices and uses less power. OFDM uses frequency division multiplexing to distribute data over carriers that are spaced apart at precise frequencies. It is used for digital TV in Europe, Japan, and Australia. Bluetooth technology is a wireless personal area network (WPAN) technology that enables users to connect many different devices simply and easily without cables. It uses FHSS technology and hops 1,600 times per second among 79 RF channels.
  • The IEEE group for Bluetooth operates at the 2.45 GHz frequency. A modified antenna, duct tape, a gun stock, cable, and tie wraps can be used to sniff Bluetooth at ranges up to about a mile away. Wireless networks are very different from wired networks from a security standpoint. Wired equivalent privacy (WEP) uses a 64-bit or 128-bit key, but 24 bits are peeled off for use as an initialization vector (IV), which reduces the key strength of the process.
  • The default key method shares a set of up to four default keys with all the APs, while the key-mapping method sets up a key-mapping relationship for each wireless station with another individual station. To better understand the WEP process, you need to understand Boolean logic. Specifically, you need to understand how XORing works, and how the WEP process works by encrypting a message using a 40-bit secret key and a 24-bit IV. WEP encrypts only the data, and the header and trailer are sent in cleartext. The receiving station checks to see if the encrypted bit of the frame it received is set.
  • WEP is vulnerable because the IVs are not exclusive and are reused. This results in a big vulnerability in that reused IVs expose the PSK. WEP cracking is focused on the IV, which changes for each packet of data created. A busy AP will use up all possible IVs after five to six hours, at which point keys are reused and WEP can be cracked. While wireless vendors were working to remove weak IVs, attackers were looking for other ways to crack the encryption standard. KoreK released a new piece of attack code that sped up WEP key recovery by nearly two orders of magnitude. Wi-Fi Protected Access (WPA) was developed as a short-term solution to address the growing security needs of wireless users. It improves on WEP by increasing the key length from 24 bits to 48 bits and by using a different secret key for each packet. In 2004, the long-term solution to wireless security was approved with the release of WPA2. It uses the Advanced Encryption Standard (AES), expands the IV to 48 bits to prevent rollover, and detects replayed traffic. The EAPOL packet is used to transport EAP packets across a LAN. The EAPOL key is used with 802.1X for key distribution.
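  The WEP process described above, carried through in Python as an added example (this is not code from the book): RC4 is seeded with the 24-bit IV followed by the 40-bit shared key, the data body is XORed with the resulting keystream, and a reused IV lets a passive observer who knows one frame's plaintext recover the keystream and decrypt another frame under the same IV without ever learning the key. The key, IVs and frame bodies are constructed sample values; the CRC-32 ICV that real WEP appends is omitted.

```python
"""Added example (not from the book): WEP-style RC4 encryption and why a
24-bit IV that gets reused is fatal. Key, IVs and frame bodies are constructed."""


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream from `seed` (IV || key in WEP)."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm (KSA)
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):  # pseudo-random generation algorithm (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style encryption: per-packet seed is the 24-bit IV followed by the
    40-bit shared key; the body is XORed with the keystream. The IV itself is
    sent in the clear in front of the ciphertext (not shown here)."""
    assert len(iv) == 3 and len(key) == 5, "WEP-40 uses a 3-byte IV and 5-byte key"
    return xor_bytes(plaintext, rc4_keystream(iv + key, len(plaintext)))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """C XOR P = keystream: an observer with one known plaintext learns the
    keystream for that IV without knowing the key."""
    return xor_bytes(ciphertext, known_plaintext)


def decrypt_with_keystream(ciphertext: bytes, keystream: bytes) -> bytes:
    """Decrypt any other frame sent under the same IV with the recovered keystream."""
    return xor_bytes(ciphertext, keystream)


def hours_to_iv_exhaustion(packets_per_second: float) -> float:
    """How long until a 24-bit IV space (2**24 values) is used up at a given rate."""
    return 2 ** 24 / packets_per_second / 3600


def iv_reuse_demo() -> dict:
    """Two frames encrypted under the same IV; the first has a predictable body."""
    key = bytes.fromhex("0a1b2c3d4e")  # constructed 40-bit shared key
    iv = bytes.fromhex("a1b2c3")       # constructed IV, reused for both frames
    # Frame 1 body: LLC/SNAP header plus ARP header, identical for every ARP
    # request, so an observer knows these 16 plaintext bytes in advance.
    arp_hdr = bytes.fromhex("aaaa030000000806" "0001080006040001")
    # Frame 2 body: data the observer does not know (same length for the demo).
    secret = b"user=admin&pw=hi"
    c1 = wep_encrypt(key, iv, arp_hdr)
    c2 = wep_encrypt(key, iv, secret)
    ks = recover_keystream(c1, arp_hdr)  # no key material needed
    return {
        "recovered": decrypt_with_keystream(c2, ks),
        "keystream_matches": ks == rc4_keystream(iv + key, len(arp_hdr)),
        # Even without a known plaintext, C1 XOR C2 == P1 XOR P2 (two-time pad).
        "ct_xor_is_pt_xor": xor_bytes(c1, c2) == xor_bytes(arp_hdr, secret),
    }


if __name__ == "__main__":
    result = iv_reuse_demo()
    print("recovered second frame:", result["recovered"])
    print("hours until IV rollover at 800 pps: %.1f" % hours_to_iv_exhaustion(800))
```

At roughly 800 frames per second the IV space rolls over in under six hours, which matches the five-to-six-hour figure the chapter gives for a busy AP.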
  • 802.1X authentication provides port-based access control, and EAP is used in Wi-Fi to communicate authentication information and encryption keys between a client (supplicant) and an access control server such as RADIUS. Passwords, digital certificates, and token cards are the most common forms of authentication used. To observe wireless traffic with and without encryption, connect to your AP, turn off encryption, start Wireshark, browse several pages on the Internet, stop Wireshark, and then reconfigure the AP to use WEP or WPA2.
  • Wardriving is the use of a laptop and a wireless NIC to look for wireless networks. It has created some unique activities, including eavesdropping and denial-of-service attacks. Wardriving, warchalking, and war flying are all ways of finding and marking the locations and status of wireless networks. They all use a GPS device to record the location, and a discovery tool such as NetStumbler to show others where it is possible to access an exposed wireless network.
  • On the surface it may not be illegal to search for and find wireless networks, but the real concern is what comes next. Piggybacking is the first issue that comes to mind. Wireless technology is used at some airports to track queue times at security checkpoints. The TSA and some retailers are also using the same type of technology to track how consumers move through their stores. Wireless hackers who use an organization's wireless connection to gain access to its resources are a real threat to wireless networks. To protect your network, you should turn on encryption, change the SSID, turn off DHCP, and limit or filter which MAC addresses can connect to the network.
  • NetStumbler is a Windows-based GUI tool that can be used to locate nearby wireless networks. It can provide the user with a wealth of information, including MAC address, SSID, access point name, channel, vendor, security, and signal strength.
  • NetStumbler is a good tool for performing site surveys, looking for rogue APs, and examining your organization's wireless infrastructure and coverage. It does not look at the 900 MHz or 5 GHz frequencies, so be careful not to assume that your organization is 100-percent clear. NetStumbler works by sending probe request frames to APs to get them to return information about themselves. If the AP supports the closed network feature, NetStumbler will not get a response.
  • If the AP is in a hidden mode, an attacker can still get the SSID by sending a spoofed disassociate message to the AP. The spoofed client then cycles through probe requests within a second after the disassociation attack. Kismet is a Layer 2 wireless network detector that runs on the Linux OS and can be used for site surveys and wardriving activities. It is also available on Kali or can be downloaded from Kismet's website.
  • Recent war-walking results show a high number of unsecured networks. An attacker can intercept the radio signals from these open APs and decode the data being transmitted with nothing more than a wireless sniffer and the ability to place the wireless NIC into monitor mode.
  • If a wireless system is configured for open systems authentication, hackers are free to sniff traffic on the network, connect to it and use it as they see fit, and even introduce back doors onto other systems. Tools such as Wireshark, Win Sniffer, and Cain & Abel can be used to eavesdrop on unsecured networks and capture passwords being passed on the network.
  • Win Sniffer and Cain & Abel are multipurpose tools that can perform a variety of tasks, including Windows enumeration, password sniffing, and password cracking.
  • LCP is available from and can perform the following functions: account information import, password recovery, brute-force password cracking in single or distributed mode, and hash computation. Rogue and unauthorized access points can pose two primary threats: the ability to install unmanaged APs and the ability to perform AP spoofing. To prevent and deter rogue AP installation, build strong policies and perform periodic site surveys. Rogue APs may also be installed by outsiders seeking network access. They are typically placed near the outside of the building and are low-cost devices on which the attacker will most likely also turn encryption on. Hackers may set up a rogue AP near the victim's network or in a public place and attempt to get the victim's computer to connect to it.
  • Access point spoofing involves tricking users into using a rogue AP. The Wi-Fi Pineapple from Hak5 enables users to quickly and easily deploy advanced attacks using its intuitive web interface. Host routing is a potential problem for wireless clients, because an authorized client may be connected to the wired network while unknowingly having its wireless adapter enabled and connected to an unknown WLAN. A denial-of-service attack can also be used to attack a wireless network. A network jamming attack targets the entire wireless network and works by flooding the airwaves in the vicinity of the wireless network with radio signals. A 1,000-watt jammer 300 feet away from a building can jam 50 to 100 feet into the office area. An equipment destruction attack targets the AP and uses high-energy RF power to damage the electronics, rendering it permanently out of service. Wireless networks can be exploited in many different ways, and the first thing that must be done is to find the network. If the network is using encryption, you may want to use Wireshark to determine whether the organization is using MAC filtering.
  • If MAC filtering is being used, Change Mac can be used to change your computer's MAC address and bypass MAC address filtering. WEP cracking can be done from a single system or from two systems, with one injecting traffic and the second sniffing traffic. The primary tool discussed here is Aircrack, which is actually a suite of tools that provide everything you need to crack WEP. Aireplay is used to inject packets to increase the selection of crackable data. It has several options, including deauthentication and ARP request replay.
  • ARP is a two-step process used to map known IP addresses to unknown MAC addresses. When a wireless client attempts to communicate through an AP, it sends an ARP request, which may be answered by several hundred ARP replies per second. To attack an AP, you need to set up Aireplay on a separate system or in a different terminal window to capture the ARP request and rebroadcast the packet 500 times per second from your wireless NIC. Then you can perform the deauthentication attack. Capturing IVs and cracking the WEP key requires approximately 300,000 packets to break 64-bit WEP and approximately 1,000,000 packets to break 128-bit WEP. Aircrack is used to crack the key.
  • If your organization still uses WEP, you may want to use your own network security lab and an AP to attempt this technique. Once you are comfortable with repeating this process, you can bring other networking team members and management into the lab to see how vulnerable WEP is. Mognet and WaveStumbler are open source, Java-based wireless sniffers that perform real-time frame captures and can save and load frames in common formats. AiroPeek is a Windows-based commercial WLAN analyzer that helps security professionals deploy, secure, and troubleshoot WLANs. AirSnort is a Linux-based WLAN WEP-cracking tool.
  • Several tools exist to attack wireless systems, including THC-WarDrive, AirTraf, and Airsnarf. These tools are used to map APs, capture packets, and perform bandwidth calculations and signal-strength analysis on a per-wireless-node basis. BlueBug is a tool that exploits a Bluetooth security loophole on some Bluetooth-enabled cellphones. It allows the unauthorized downloading of phone books and call lists, and the sending and reading of SMS messages from the attacked phone.
  • Defense in depth means encrypting data, limiting access based on least privilege, providing physical protection to the hardware, and using strong authentication. It means employing layers of security controls to limit the damage if one layer of security is overcome, so that an attacker finds it much more difficult to overcome the combined security mechanisms. To increase the security of your wireless network, retire your WEP devices, move to WPA2, perform a site survey, and check for rogue APs. A site survey will also help you detect interference coming from other sources that could degrade the performance of your wireless network. A site survey involves obtaining a facility diagram, performing a visual inspection, identifying user areas, using site-survey tools to determine primary access locations, and verifying signal strength and range.
  • Wireless intrusion detection systems monitor network traffic and can alert the administrator when traffic does not match normal usage patterns or matches a predefined pattern of attack. These systems can be centralized or decentralized and can provide a general estimate of the hacker's physical location. Wireless technologies have gone through growing pains and tend to become more secure as they mature. Early cordless phones were vulnerable to tumbling, cloning, and numerous other attacks, but modern digital phones are much more secure.
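  As an added example (not code from the book) tying together the site-survey points above (closed-network APs that hide their SSID, open-system APs with no encryption) and the wireless IDS pattern matching just described, here is a minimal 802.11 management-frame parser that flags hidden-SSID beacons, open APs, and a burst of deauthentication frames from a single transmitter. Every frame is constructed in the code; the MAC addresses, SSIDs and thresholds are assumed sample values.

```python
"""Added example (not from the book): parse constructed 802.11 management
frames the way a site-survey tool or wireless IDS would, flagging hidden
SSIDs, open (no Privacy bit) APs and deauthentication floods."""
import struct
from collections import defaultdict

MGMT = 0                                   # frame type 0 = management
SUBTYPE_BEACON, SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 0x8, 0xA, 0xC
PRIVACY_BIT = 1 << 4                       # capability info bit 4: WEP/WPA required
IE_SSID = 0                                # tagged parameter id for the SSID
BROADCAST = bytes.fromhex("ffffffffffff")
AP_A = bytes.fromhex("02aabbcc0001")       # constructed, locally administered MACs
AP_B = bytes.fromhex("02aabbcc0002")
ROGUE = bytes.fromhex("02aabbcc00ff")


def parse_header(frame: bytes):
    """Split the 24-byte MAC header: frame control, duration, addr1-3, seq ctrl."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    addr1, addr2, addr3 = (frame[4:10].hex(":"), frame[10:16].hex(":"),
                           frame[16:22].hex(":"))
    return ftype, subtype, addr1, addr2, addr3, frame[24:]


def parse_beacon(body: bytes) -> dict:
    """Beacon body: timestamp(8) interval(2) capability(2), then tagged IEs."""
    if len(body) < 12:
        raise ValueError("beacon body too short")
    capability = struct.unpack_from("<H", body, 10)[0]
    ssid, pos = None, 12
    while pos + 2 <= len(body):                # walk id/len/data triples
        ie_id, ie_len = body[pos], body[pos + 1]
        if ie_id == IE_SSID:
            ssid = body[pos + 2:pos + 2 + ie_len]
        pos += 2 + ie_len
    # A "closed network" AP broadcasts a zero-length or all-NUL SSID.
    hidden = not ssid or all(b == 0 for b in ssid)
    return {"ssid": "" if hidden else ssid.decode("utf-8", "replace"),
            "hidden": hidden, "open": not (capability & PRIVACY_BIT)}


def survey(records) -> dict:
    """records: iterable of (time_s, frame). Beacon findings keyed by BSSID (addr3)."""
    aps = {}
    for _, frame in records:
        ftype, subtype, _, _, bssid, body = parse_header(frame)
        if ftype == MGMT and subtype == SUBTYPE_BEACON:
            aps[bssid] = parse_beacon(body)
    return aps


def deauth_flood_sources(records, threshold: int = 10, window_s: float = 1.0) -> set:
    """Transmitters (addr2) sending >= threshold deauth/disassoc frames in any window_s."""
    times = defaultdict(list)
    for t, frame in records:
        ftype, subtype, _, src, _, _ = parse_header(frame)
        if ftype == MGMT and subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            times[src].append(t)
    flagged = set()
    for src, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):             # sliding window over sorted times
            while ts[end] - ts[start] > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


def build_mgmt(subtype: int, dst: bytes, src: bytes, bssid: bytes, body: bytes) -> bytes:
    """Assemble a management frame (constructed test data, not a capture)."""
    fc = (MGMT << 2) | (subtype << 4)
    return bytes([fc, 0]) + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + body


def build_beacon(bssid: bytes, ssid: bytes, privacy: bool) -> bytes:
    cap = PRIVACY_BIT if privacy else 0
    body = struct.pack("<QHH", 0, 100, cap) + bytes([IE_SSID, len(ssid)]) + ssid
    return build_mgmt(SUBTYPE_BEACON, BROADCAST, bssid, bssid, body)


def sample_records() -> list:
    """Constructed capture: an encrypted AP, an open hidden-SSID AP, and a
    12-frame deauth burst (reason code 7) from one source within 0.5 s."""
    recs = [(0.0, build_beacon(AP_A, b"CorpNet", True)),
            (0.1, build_beacon(AP_B, b"", False))]
    recs += [(1.0 + i * 0.04, build_mgmt(SUBTYPE_DEAUTH, BROADCAST, ROGUE, AP_A,
                                         struct.pack("<H", 7))) for i in range(12)]
    return recs


if __name__ == "__main__":
    print(survey(sample_records()))
    print("deauth flood from:", deauth_flood_sources(sample_records()))
```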
  • Wireless systems have already made significant strides in improving security. Replacing WEP with WPA was a good start, and WPA2 is an even better technology. Ad hoc mode allows an individual computer to communicate directly with other client units, while infrastructure mode requires a central access point. Ad hoc mode is ideal for small networks of fewer than four computers. Bluesnarfing is the theft of information from a wireless device through a Bluetooth connection. A network device in promiscuous mode can read all network packets that arrive at its interface.
  • A rogue access point is an access point that has been set up by an attacker to divert legitimate users so that their traffic can be sniffed or manipulated. This section presents several hands-on exercises to reinforce your knowledge and understanding of the chapter. You need a laptop and wireless card to complete these exercises. To avoid accidentally accessing someone's access point, unbind all your TCP/IP properties, install the NetStumbler program on your Windows-based PC, and start the scanning process. If you are unable to pick up any stray signals, move around or consider taking your laptop outside.
  • In this exercise, you set up Wireshark to capture and analyze wireless traffic. You will see the MAC addresses of the devices in the traffic displayed in the middle frame and the bottom frame, and you can click on the packets to see their contents.
  • Malware has changed over the years, and started as something much more basic than it is today. This chapter discusses the different kinds of malware, as well as the methods used to detect, eradicate, and prevent such threats.
  • Two brothers in Pakistan developed a virus that displayed their name, phone number, and address upon infection. They believed that this would increase their business, but instead they were overwhelmed with phone calls. Malware creators had different motivations, such as wanting to impress a girl or being bored with school. Around the year 2000, the nature of the threat changed and malware started to be developed for very specific reasons: profit. Malware creators started to focus their attacks on specific individuals or firms, and the motive changed from fame to money. They were now happy to work in the shadows and remain unknown.
  • Malware is a general term used to describe malicious software. There are many types of malware, including viruses, worms, logic bombs, Trojans/backdoors, rootkits, advanced persistent threats, and spyware. The term computer virus was created in Ralf Burger's keynote speech at the Chaos Computer Club in . Computer viruses started to appear in 1986, and the Brain virus was recorded at the University of Delaware. Viruses can be designed for many purposes, including to make a statement, to market their developers as skilled coders, or to destroy data. The Brain virus actually did little damage, but its creators saw it as a way to promote themselves and their computer services. For a virus to be successful, it had to reproduce quickly, before it was discovered and eradicated. Linux computers are not immune; viruses can damage them too. Since the early years of computer viruses, they have relied on human activity to spread. The original method of attack was to infect the master boot record of floppy disks or the hard drive. The slightly newer form of attack relies on the user to execute the file. Macro viruses exploit scripting services installed on your computer to infect applications and replicate themselves, infecting additional parts of the computer. Some viruses spread quickly, while others spread slowly, and some viruses load themselves into RAM to avoid detection.
  • Malware developers use several techniques to make viruses more difficult to detect. One such technique is to make viruses multipartite, able to use more than one propagation method, and polymorphic, able to change their signature every time they replicate and infect a new file. The virus appends a new decryption routine onto a new program, and thus confuses the virus scanner. Stealth viruses attempt to hide their presence from the operating system and the antivirus software by preventing changes to a file's date and time, hiding the increase in the infected file's size, and encrypting themselves.
  • Melissa was a macro virus that spread itself rapidly through the Internet by pretending to be a list of usernames and passwords used to access sex sites. It knocked out more than 300 corporate computer networks because it looked like it was from a known source. Melissa spread itself via the Normal.dot template file and infected Word documents. The creator was identified and sentenced to five years in prison. Worms are unlike viruses in that they can self-replicate. The first worm to be released on the Internet was the 1988 RTM worm, which disabled roughly 6,000 computers connected to the Internet and caused damage estimated to be between $10 million and $100 million.
  • Malware infected millions of computers around the world, but worms are currently in a state of decline because malware creators now focus their time on malware that will generate revenue. Logic bombs are hidden in the actual code of a program and only execute when a specific condition is met, such as the Jerusalem virus, which executed only on Friday the 13th. Fannie Mae fired a contract programmer at noon, but did not terminate their access to the network until midnight. The programmer loaded a logic bomb into the network, designed to knock out 4,000 servers. The home user who downloads a movie illegally from the Internet may install a Trojan horse in the movie player that will do many things, such as log keystrokes, add the user's system to a botnet, or even give the attacker full access to the victim's computer. Trojans are programs that rely on the uninformed user to spread themselves. In Homer's epic tale The Iliad, the Greeks built a giant wooden horse with a hollow belly and tricked the Trojans into bringing it into Troy. Users get Trojans through malicious websites, phishing emails, or drive-by downloads. Some Trojans target specific individuals, others target organizations, and some seek individuals that use a specific financial site or bank. If attackers gain physical access to the victim's system, they can plant malicious CDs or USB thumb drives and wait for a user to run the CD or USB thumb drive to get the Trojan to execute. Instant messaging programs such as Jabber can be used to spread Trojans, and the motive for most modern Trojans has changed. These Trojans are designed specifically to steal passwords, credit card numbers, and banking information.
  • Trojans can steal information every time the victim uses the infected system, and may not be easy to remove. They are typically unseen and are hidden with packers, crypters, and wrappers. Flame is a new modular piece of malware that uses five different encryption methods and a SQL database. It can also record audio and record all keyboard input and can turn infected systems into Bluetooth beaconing devices. Trojans are becoming more difficult to distribute because users are more alert, less willing to click attachments, and more likely to be running antivirus or other anti-malware tools than in the past. Malware creators are also using more layers of techniques to obfuscate code and make hostile code undetectable from antivirus software.
  • Malware can be used for many types of illegal purposes, and its authors rely on techniques such as wrapping, packing, and crypting. Wrappers offer hackers a method to slip past a user's normal defenses, and can be used to protect ELF binaries on the Intel x86 Linux operating system. Figure 9-2 shows how a hacker combines a Trojan program with a legitimate program using a wrapper. The wrapper works much like a compression program, but prevents anyone from viewing the malware's code until it is placed in memory.
  • Malware crypters use encryption algorithms to conceal the contents of executable programs, making them undetectable by antivirus software and resistant to reverse-engineering efforts. They are used by the hacker underground to obscure malware and make it resistant to antivirus programs.
  • In the lab, one way to learn about Trojans is to install and run one on a virtual machine. This gives you more control and the ability to restore the virtual machine to a previous snapshot after completing your research. Rootkits are tools that allow an attacker to take control of a system and hide evidence of the attacker's presence. Rootkits can be divided into several basic types, including firmware, library, application, and kernel. Rootkits replace binaries in Linux systems with Trojanized versions that hide certain processes or information from administrators. They are detectable by the change in size of the Trojanized binaries. Kernel rootkits are loadable kernel module (LKM) rootkits that corrupt the kernel of the OS and can avoid detection by many forms of anti-virus/anti-malware.
  • Rootkits use one of three different techniques to gain control of the software and hardware in an infected machine: DLL injection, direct kernel object manipulation, and hooking. DLL injection works by injecting a malicious DLL into the application, and hooking intercepts API calls and system function calls. Security professionals must understand how rootkits work and how to diagnose rootkit infections. They must use well-known tools and never completely rely on the tools that have already been installed on a system they suspect has been infected or compromised. Task Manager displays detailed information about all running processes, and CurrPorts displays active TCP connections and the IP routing table.