Security Warrior: Know Your Enemy
Introduction to the book "Security Warrior: Know Your Enemy" by Cyrus Peikari and Anton Chuvakin, published by O'Reilly Media in 2004. The book is offered as a PDF, in English. "Security Warrior: Know Your Enemy" is listed in the Uncategorized category.
Table of Contents

Preface
Organization of This Book
Part IV: Advanced Defense
Using Code Examples
Acknowledgments
Part I
Assembly Language
Registers
Understanding the Stack
ASM Opcodes
References
Windows Reverse Engineering
History of RCE
Disassemblers
Debuggers
System Monitors
The PE file format
ProcDump
Personal Firewalls
Install Managers
Reverse Engineering Examples
Example 1: A Sample Crackme
Example 2: Reversing Malicious Code
References
Linux Reverse Engineering
Overview of the Target
Debugging
Runtime Monitoring
Disassembly
Hex Dumps
Identifying Functions
Intermediate Code Generation
Program Control Flow
Antidebugging
Antidisassembly
The ELF File Format
Sample ELF reader
Debugging with ptrace
The GNU BFD Library
Disassembling with libopcodes
References
Windows CE Reverse Engineering
Kernel, Processes, and Threads
Memory Architecture
Graphics, Windowing, and Event Subsystem (GWES)
CE Reverse Engineering Fundamentals
The ARM Processor
ARM Opcodes
Branch with Link (BL)
Move (MOV)
Load/Store (LDR/STR)
Shifting
Hello, World!
strlen and wcslen
strcmp and CMP
NOP sliding
Disassembling a CE Program
Loading the file
Microsoft's eMbedded Visual Tools
Using the MVT
Experiencing the MVC Environment
Reverse Engineering test.exe
Loading the target
Debugging serial.exe
Step-Through Investigation
Abusing the System
Crack 1: Sleight of hand
Crack 2: The NOP slide
Crack 3: Preventive maintenance
References
A Sample Overflow
Understanding Buffers
Smashing the Stack
Heap Overflows
Compiler Add-Ons
A Live Challenge
References
Part II
Encapsulation
TCP
TCP Packet Field Descriptions
IP
IP Packet Format
UDP
ARP
TCP/IP Handshaking
Features of IPv6
Security Aspects of IPv6
Ethereal
Packet Analysis
Fragmentation
Exploiting Fragments
hping
Fragroute
References
Social Engineering
Background
Common Misconceptions
Active and Passive Attacks
Preparing for an Attack
Social Engineering Action Plan
Social Engineering Information Collection Template
Advanced Social Engineering
References
Passive Reconnaissance
Utilities
Web reconnaissance
Email
Web site analysis
A word on stealth
Human reconnaissance
References
Telnet Session Negotiation
Nmap Test
Nmap Techniques
Defeating Nmap
Passive Fingerprinting
Fuzzy Operating System Fingerprinting
Fuzzy Solution to Operating System Fingerprinting
TCP/IP Timeout Detection
References
From Whom Are You Hiding?
System Logs
Erasing logfiles
Application Logs
Unix Shell History
Unix Binary Logs
Other Records
File Traces
Timestamps
Countermeasures
Maintaining Covert Access
Hiding
Hidden Access
References
Part III
Unix Passwords
File Permissions
Attributes and Capabilities
System Logging
TCP Wrappers
Backups
Unix Hardening
Checking installed software
Filesystem permissions
Login security
User security
Physical security
Daemon security
Automated Hardening via Scripts
Linux Bastille
Kernel-level hardening
LIDS
Encrypted filesystems
Advanced TCP Wrappers
tcpd
libwrap
BIND (DNS daemon)
sendmail (some versions)
Apache web server
Security from eavesdropping
Secure Shell
Host-Based Firewalls
Linux iptables and ipchains
References
Physical Abuses
Boot Interrupt
Password Attacks
SUID Abuse
Breaking Out of chroot Jail
Remote Attacks
TCP
UDP
Top Unix Vulnerabilities
Unix Denial-of-Service Attacks
Destruction of resources
Resource exhaustion
Network Attacks
Distributed Denial-of-Service Attacks
References
Denial-of-Service Attacks
SMB Attack
Universal Plug and Play Attack
Help Center Attack
Remote Attacks
Abusing the Remote Desktop
tscrack
Abusing Remote Assistance
References
Release History
Kerberos Authentication Review
Accessing Cross-Domain Network Resources
Weaknesses in the Kerberos Protocol
Obtaining the password-verification material
Defeating Buffer Overflow Prevention
Active Directory Weaknesses
Hacking PKI
Smart Card Advantages
EEPROM Trapping
Power Consumption Analysis
User Interaction
Data Recovery on Standalone Machines
Summary of Functionality
Authenti-Check Self-Service Password Reset Tool
References
XML Encryption
XML Signatures
Reference
Introduction to SQL
SQL Commands
Use of SQL
SQL Injection Attacks
Unauthorized data access
Authentication bypass
Database modification
Looking for Errors
SQL Injection Defenses
Obfuscation Defenses
External Defenses
Coding Defenses
Installing PHP-Nuke
Attacks
Defenses
References
Reducing Signal Drift
Cracking WEP
Data Analysis
Wireless Sniffing
Extracting the keystream
IV Collision
VPNs
TKIP
Airborne Viruses
Embedded Malware Countermeasures
References
Part IV
Log Analysis Basics
Unix
Analysis of Unix logging
Remote Covert Logging
Other Logging Variations
Logging States
When to Look at the Logs
Log Overflow and Aggregation
Security Information Management
Global Log Aggregation
References
Intrusion Detection Systems
Logfile monitors
Integrity monitors
Signature matchers
Anomaly detectors
Sensitivity Versus Specificity
Sensitivity
Accuracy
Likelihood Ratios
Spoofing
Attacking Integrity Checkers
Embedded IDS
Strict Anomaly Detection
Snort IDS Case Study
System Setup
Alert Viewing Setup
IDS Deployment Issues
References
Honeypots
Motivation
Building the Infrastructure
Procedure
Infrastructure systems installation
Victim machine installation
Capturing Attacks
References
Case Study: Worm Mayhem
Definitions
Incident Response Framework
Identification
Eradication
Benefits of the SANS framework
Small Networks
Medium-Sized Networks
Large Networks
Incident Identification
Recovery
References
Hardware Review
RAM
Information Detritus
WinHex
Biatchux/FIRE
ForensiX
Evidence Eliminator
Swap Files
Browser Garbage (Internet Explorer)
Options for Netscape Navigator Users
Introduction
The Investigation
References
Part V
SoftICE Commands
General
INI files-related
Registry-related
Index

About the book

When it comes to network security, many users and administrators are running scared, and justifiably so. The sophistication of attacks against computer systems increases with each new Internet worm. What's the worst an attacker can do to you? You'd better find out, right? That's what Security Warrior teaches you.

Based on the principle that the only way to defend yourself is to understand your attacker in depth, Security Warrior reveals how your systems can be attacked. Covering everything from reverse engineering to SQL attacks, and including topics like social engineering, antiforensics, and common attacks against UNIX and Windows systems, this book teaches you to know your enemy and how to be prepared to do battle.

Security Warrior places particular emphasis on reverse engineering. RE is a fundamental skill for the administrator, who must be aware of all kinds of malware that can be installed on his machines: trojaned binaries, "spyware" that looks innocuous but that sends private data back to its creator, and more. This is the only book to discuss reverse engineering for Linux or Windows CE. It's also the only book that shows you how SQL injection works, enabling you to inspect your database and web applications for vulnerability.

Security Warrior is the most comprehensive and up-to-date book covering the art of computer war: attacks against computer systems and their defenses. It's often scary, and never comforting. If you're on the front lines, defending your site against attackers, you need this book. On your shelf, and in your hands.

"Based on the principle that the only way to defend yourself is to understand your attacker in depth, Security Warrior reveals how your systems can be threatened. Covering everything from reverse engineering to SQL attacks, and including topics like social engineering, antiforensics, and advanced attacks against Unix and Windows systems, this book leaves you knowing your enemy and prepared to do battle." (Jacket)

A comprehensive overview of cutting-edge computer system and network security issues provides thorough coverage of software reverse engineering and explanations of how to use Bayesian analysis to implement intrusion detection systems, with step-by-step instructions on how to detect access points on a network, configure honeynets, and master computer forensics.
Download the book Security Warrior: Know Your Enemy